From 18718c8fe8a0f7274361cedafedcd541b5b1b349 Mon Sep 17 00:00:00 2001
From: Michal Filka
Date: Mon, 20 Jul 2020 09:41:11 +0200
Subject: [PATCH 1/8] Added running autoyast in first stage for firewall
---
 src/lib/autoinstall/autosetup_helpers.rb | 8 ++++++++
 src/lib/autoinstall/clients/inst_autosetup.rb | 5 +++++
 2 files changed, 13 insertions(+)
diff --git a/src/lib/autoinstall/autosetup_helpers.rb b/src/lib/autoinstall/autosetup_helpers.rb
index 0fa6c335b..5506369f4 100644
--- a/src/lib/autoinstall/autosetup_helpers.rb
+++ b/src/lib/autoinstall/autosetup_helpers.rb
@@ -197,6 +197,14 @@ def profile_checker
 Y2Autoinstallation::XmlChecks.instance
 end
+ # Invokes autoyast setup for firewall
+ def autosetup_firewall
+ return if !Yast::Profile.current["firewall"]
+
+ log.info("Importing Firewall settings from AY profile")
+ Yast::WFM.CallFunction("firewall_auto", ["Import", Yast::Profile.current["firewall"]])
+ end
+
 private
 def utf8_supported?
diff --git a/src/lib/autoinstall/clients/inst_autosetup.rb b/src/lib/autoinstall/clients/inst_autosetup.rb
index 6ed580793..1a94776f8 100644
--- a/src/lib/autoinstall/clients/inst_autosetup.rb
+++ b/src/lib/autoinstall/clients/inst_autosetup.rb
@@ -365,6 +365,11 @@ def main
 end
 end
+ #
+ # Run firewall configuration according to the profile
+ #
+ autosetup_firewall
+
 # Results of imported values semantic check.
 return :abort unless AutoInstall.valid_imported_values
From a1d8e0809c7ecfd74805a48e07d4d92517614a63 Mon Sep 17 00:00:00 2001
From: Michal Filka
Date: Mon, 20 Jul 2020 09:43:21 +0200
Subject: [PATCH 2/8] Updated changelog
---
 package/autoyast2.changes | 7 +++++++
 package/autoyast2.spec | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/package/autoyast2.changes b/package/autoyast2.changes
index 9994fc29c..8204ede22 100644
--- a/package/autoyast2.changes
+++ b/package/autoyast2.changes
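Review bot: The result of `Yast::WFM.CallFunction("firewall_auto", ["Import", Yast::Profile.current["firewall"]])` in the new `autosetup_firewall` (src/lib/autoinstall/autosetup_helpers.rb) is discarded, so a failed import of the firewall section goes unnoticed and the installation continues as if the policy had been applied. Assuming the client's Import returns a boolean, which this hunk does not show, keep the value and report a falsy one: `imported = Yast::WFM.CallFunction("firewall_auto", ["Import", Yast::Profile.current["firewall"]])` followed by `log.error("Firewall settings from the AY profile were not imported") if !imported`. The later patches in this series (3/8 to 6/8) keep the call unchecked and, from 3/8 on, remove the section from the profile right after it, so a failed first-stage import would leave no firewall settings for a later stage either. The method comment could also say that the method does nothing when the profile has no "firewall" section.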
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Aug 13 07:04:06 UTC 2020 - Michal Filka
+
+- bsc#1173624
+ - Run firewall configuration in first stage
+- 4.3.35
+
 -------------------------------------------------------------------
 Tue Aug 11 10:13:57 CEST 2020 - schubi@suse.de
diff --git a/package/autoyast2.spec b/package/autoyast2.spec
index 98365f1f7..109d59c7a 100644
--- a/package/autoyast2.spec
+++ b/package/autoyast2.spec
@@ -22,7 +22,7 @@
 %endif
 Name: autoyast2
-Version: 4.3.34
+Version: 4.3.35
 Release: 0
 Summary: YaST2 - Automated Installation
 License: GPL-2.0-only
From 324c5c7bfd457880d0723aebf989c5c13e44c71b Mon Sep 17 00:00:00 2001
From: Michal Filka
Date: Tue, 28 Jul 2020 09:43:05 +0200
Subject: [PATCH 3/8] Improved firewall import first stage call
---
 src/lib/autoinstall/autosetup_helpers.rb | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/src/lib/autoinstall/autosetup_helpers.rb b/src/lib/autoinstall/autosetup_helpers.rb
index 5506369f4..4dddc11ee 100644
--- a/src/lib/autoinstall/autosetup_helpers.rb
+++ b/src/lib/autoinstall/autosetup_helpers.rb
@@ -200,13 +200,34 @@ def profile_checker
 # Invokes autoyast setup for firewall
 def autosetup_firewall
 return if !Yast::Profile.current["firewall"]
+ return if need_second_stage_run?
 log.info("Importing Firewall settings from AY profile")
 Yast::WFM.CallFunction("firewall_auto", ["Import", Yast::Profile.current["firewall"]])
+
+ Yast::Profile.remove_sections("firewall")
 end
 private
+ # Checks whether we need to run second stage handling
+ def need_second_stage_run?
+ Yast.import "Linuxrc"
+
+ profile = Yast::Profile.current
+
+ # We have a problem when
+ # 1) running remote installation
+ # 2) second stage was requested
+ # 3) firewall was configured (somehow) and started via AY profile we can expect that
+ # ssh / vnc port can be blocked.
+ remote_installer = Yast::Linuxrc.usessh || Yast::Linuxrc.vnc
+ second_stage_required = profile.dig("general", "mode", "second_stage")
+ firewall_enabled = profile["firewall"].fetch("enable_firewall", false)
+
+ remote_installer && second_stage_required && firewall_enabled
+ end
+
 def utf8_supported?
 (Yast::UI.GetDisplayInfo || {}).fetch("HasFullUtf8Support", true)
 end
From efcca2f75018984ce7a108d891f54cf68d01803f Mon Sep 17 00:00:00 2001
From: Michal Filka
Date: Fri, 31 Jul 2020 08:34:34 +0200
Subject: [PATCH 4/8] Special handling for exceptional second stage cases
---
 src/lib/autoinstall/autosetup_helpers.rb | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/lib/autoinstall/autosetup_helpers.rb b/src/lib/autoinstall/autosetup_helpers.rb
index 4dddc11ee..ea68358af 100644
--- a/src/lib/autoinstall/autosetup_helpers.rb
+++ b/src/lib/autoinstall/autosetup_helpers.rb
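Review bot: `second_stage_required = profile.dig("general", "mode", "second_stage")` in the new `need_second_stage_run?` is nil when the profile leaves the key out, so such a profile is treated as one without a second stage. If an omitted `second_stage` defaults to true, as the AutoYaST documentation describes (not visible in this patch), a remote SSH/VNC installation with an enabled firewall then gets the full firewall policy in the first stage, which is the blocked-port case this method is meant to catch. Reading the effective value would close that gap, for instance `mode = profile.dig("general", "mode") || {}` and `second_stage_required = mode.fetch("second_stage", true)`. The predicate also returns its last operand rather than true/false; either note that in its comment or wrap the expression in `!!( ... )`.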
@@ -200,12 +200,22 @@ def profile_checker
 # Invokes autoyast setup for firewall
 def autosetup_firewall
 return if !Yast::Profile.current["firewall"]
- return if need_second_stage_run?
+
+ if need_second_stage_run?
+ # in some cases we need to postpone firewall configuration to the second stage
+ # we also have to guarantee that firewall is not blocking second stage in this case
+ fw_orig = Yast::Profile.current["firewall"]
+ Yast::Profile.current["firewall"] = { "enable_firewall" => false }
+ end
 log.info("Importing Firewall settings from AY profile")
 Yast::WFM.CallFunction("firewall_auto", ["Import", Yast::Profile.current["firewall"]])
- Yast::Profile.remove_sections("firewall")
+ if fw_orig
+ Yast::Profile.current["firewall"] = fw_orig
+ else
+ Yast::Profile.remove_sections("firewall")
+ end
 end
 private
From 82f5d7f2a01d148f03d399ecf15c14a0ead39f7e Mon Sep 17 00:00:00 2001
From: Michal Filka
Date: Tue, 11 Aug 2020 10:30:40 +0200
Subject: [PATCH 5/8] Some polishing
---
 src/lib/autoinstall/autosetup_helpers.rb | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/src/lib/autoinstall/autosetup_helpers.rb b/src/lib/autoinstall/autosetup_helpers.rb
index ea68358af..1d9a8c247 100644
--- a/src/lib/autoinstall/autosetup_helpers.rb
+++ b/src/lib/autoinstall/autosetup_helpers.rb
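Review bot: When `need_second_stage_run?` is true this hunk imports `{ "enable_firewall" => false }`, yet the unchanged `log.info("Importing Firewall settings from AY profile")` right after the `if` still states that the profile's settings are being applied. The host then runs without a firewall from the end of the first stage until the second stage imports the real section, and nothing in the installation log records that this was deliberate. Log the override inside the `if` branch, e.g. `log.warn("Remote installation with second stage: firewall stays disabled until second stage")`, and extend the comment to say that the original section is kept in the profile so that the second stage applies it. If the second stage never completes, the machine is presumably left with the firewall off, which is worth stating in the method comment as well.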
@@ -201,21 +201,14 @@ def profile_checker
 def autosetup_firewall
 return if !Yast::Profile.current["firewall"]
- if need_second_stage_run?
- # in some cases we need to postpone firewall configuration to the second stage
- # we also have to guarantee that firewall is not blocking second stage in this case
- fw_orig = Yast::Profile.current["firewall"]
- Yast::Profile.current["firewall"] = { "enable_firewall" => false }
- end
+ # in some cases we need to postpone firewall configuration to the second stage
+ # we also have to guarantee that firewall is not blocking second stage in this case
+ firewall_section = need_second_stage_run? ? { "enable_firewall" => false } : Yast::Profile.current["firewall"]
 log.info("Importing Firewall settings from AY profile")
- Yast::WFM.CallFunction("firewall_auto", ["Import", Yast::Profile.current["firewall"]])
+ Yast::WFM.CallFunction("firewall_auto", ["Import", firewall_section])
- if fw_orig
- Yast::Profile.current["firewall"] = fw_orig
- else
- Yast::Profile.remove_sections("firewall")
- end
+ Yast::Profile.remove_sections("firewall") if !need_second_stage_run?
 end
 private
From 19910af62cdc2f64c0328eeda6bac38f86e5dcaa Mon Sep 17 00:00:00 2001
From: Michal Filka
Date: Tue, 11 Aug 2020 10:38:20 +0200
Subject: [PATCH 6/8] Happy rubocop
---
 src/lib/autoinstall/autosetup_helpers.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib/autoinstall/autosetup_helpers.rb b/src/lib/autoinstall/autosetup_helpers.rb
index 1d9a8c247..fce1bdd46 100644
--- a/src/lib/autoinstall/autosetup_helpers.rb
+++ b/src/lib/autoinstall/autosetup_helpers.rb
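Review bot: `need_second_stage_run?` is evaluated twice in the rewritten `autosetup_firewall`, once to choose `firewall_section` and again in `Yast::Profile.remove_sections("firewall") if !need_second_stage_run?`, with the `firewall_auto` import running in between. Each call re-reads Linuxrc and the current profile, so the two answers agree only as long as the import leaves both untouched; a mismatch would either drop the section the second stage still needs or keep one that was already applied. Evaluate it once, `postpone = need_second_stage_run?`, and use `postpone` for both the section choice and the `remove_sections` guard.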
@@ -203,7 +203,11 @@ def autosetup_firewall
 # in some cases we need to postpone firewall configuration to the second stage
 # we also have to guarantee that firewall is not blocking second stage in this case
- firewall_section = need_second_stage_run? ? { "enable_firewall" => false } : Yast::Profile.current["firewall"]
+ firewall_section = if need_second_stage_run?
+ { "enable_firewall" => false }
+ else
+ Yast::Profile.current["firewall"]
+ end
 log.info("Importing Firewall settings from AY profile")
 Yast::WFM.CallFunction("firewall_auto", ["Import", firewall_section])
From a4abf48c0d7f9272782049f8cd4bd4fac2baf2c1 Mon Sep 17 00:00:00 2001
From: Michal Filka
Date: Thu, 13 Aug 2020 08:21:02 +0200
Subject: [PATCH 7/8] Updated testsuite
---
 test/lib/autosetup_helpers_test.rb | 41 +++++++++++++++++++++++++
 test/lib/clients/inst_autosetup_test.rb | 5 +++
 2 files changed, 46 insertions(+)
diff --git a/test/lib/autosetup_helpers_test.rb b/test/lib/autosetup_helpers_test.rb
index 5b64d9c89..66f0c72b3 100755
--- a/test/lib/autosetup_helpers_test.rb
+++ b/test/lib/autosetup_helpers_test.rb
@@ -242,6 +242,47 @@ class DummyClient < Yast::Client
 end
+ describe "#autosetup_firewall" do
+ let(:profile) { firewall_section }
+ let(:firewall_section) { { "firewall" => { "default_zone" => "external" } } }
+
+ before(:each) do
+ Yast::Profile.current = profile
+ Yast::AutoinstConfig.main
+
+ allow(Yast::WFM).to receive(:CallFunction).with("firewall_auto", anything)
+ end
+
+ context "when a firewall section is present in the profile" do
+ context "when no second stage run is needed" do
+ before(:each) do
+ allow(client).to receive(:need_second_stage_run?).and_return(false)
+ end
+
+ it "removes the firewall section from the profile" do
+ client.autosetup_firewall
+ expect(Yast::Profile.current.keys).to_not include("firewall")
+ end
+ end
+
+ context "when second stage run is needed" do
+ before(:each) do
+ allow(client).to receive(:need_second_stage_run?).and_return(true)
+ end
+
+ it "does not remove the firewall section from the profile" do
+ client.autosetup_firewall
+ expect(Yast::Profile.current.keys).to include("firewall")
+ end
+
+ it "does not corrupt the profile" do
+ client.autosetup_firewall
+ expect(Yast::Profile.current).to eql profile
+ end
+ end
+ end
+ end
+
 describe "#autosetup_network" do
 let(:profile) { networking_section }
 let(:networking_section) { { "networking" => { "setup_before_proposal" => true } } }
diff --git a/test/lib/clients/inst_autosetup_test.rb b/test/lib/clients/inst_autosetup_test.rb
index 3be23edd9..e25628de1 100644
--- a/test/lib/clients/inst_autosetup_test.rb
+++ b/test/lib/clients/inst_autosetup_test.rb
@@ -81,6 +81,11 @@
 subject.main
 end
+ it "sets up the firewall configuration" do
+ expect(subject).to receive(:autosetup_firewall)
+ subject.main
+ end
+
 it "sets up the partitioning schema" do
 expect(Yast::AutoinstStorage).to receive(:Import).and_return(true)
 expect(Yast::AutoinstStorage).to receive(:Write).and_return(true)
From 8cbe94c0b7bbb7781164e1bafdcca479103aa0fe Mon Sep 17 00:00:00 2001
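Review bot: The new `#autosetup_firewall` examples in test/lib/autosetup_helpers_test.rb stub `Yast::WFM.CallFunction` with `anything` and only inspect the profile keys afterwards, so the argument that decides whether the firewall is switched off or configured is never asserted. Add an expectation per context, e.g. `expect(Yast::WFM).to receive(:CallFunction).with("firewall_auto", ["Import", { "enable_firewall" => false }])` for the second-stage case and the profile's own firewall section for the other. `need_second_stage_run?` is stubbed in both contexts and has no examples of its own, so its three conditions (remote installer, second stage, enabled firewall) are not covered by this patch.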
From: Michal Filka
Date: Thu, 13 Aug 2020 09:13:30 +0200
Subject: [PATCH 8/8] Small polishing
---
 src/lib/autoinstall/autosetup_helpers.rb | 2 +-
 test/lib/autosetup_helpers_test.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lib/autoinstall/autosetup_helpers.rb b/src/lib/autoinstall/autosetup_helpers.rb
index fce1bdd46..d10688100 100644
--- a/src/lib/autoinstall/autosetup_helpers.rb
+++ b/src/lib/autoinstall/autosetup_helpers.rb
@@ -230,7 +230,7 @@ def need_second_stage_run?
 # ssh / vnc port can be blocked.
 remote_installer = Yast::Linuxrc.usessh || Yast::Linuxrc.vnc
 second_stage_required = profile.dig("general", "mode", "second_stage")
- firewall_enabled = profile["firewall"].fetch("enable_firewall", false)
+ firewall_enabled = profile.dig("firewall", "enable_firewall")
 remote_installer && second_stage_required && firewall_enabled
 end
diff --git a/test/lib/autosetup_helpers_test.rb b/test/lib/autosetup_helpers_test.rb
index 66f0c72b3..d6c9b4da0 100755
--- a/test/lib/autosetup_helpers_test.rb
+++ b/test/lib/autosetup_helpers_test.rb
@@ -243,8 +243,8 @@ class DummyClient < Yast::Client
 end
 describe "#autosetup_firewall" do
- let(:profile) { firewall_section }
- let(:firewall_section) { { "firewall" => { "default_zone" => "external" } } }
+ let(:profile) { { "firewall" => firewall_section } }
+ let(:firewall_section) { { "default_zone" => "external" } }
 before(:each) do
 Yast::Profile.current = profile