tag 871993 + patch
thanks

The attached patch should fix the serious part of the issue. This is the solution adopted by Fedora folks. It is not ideal but seems like a reasonable compromise. Please consider making a release with this patch in order to fix the currently broken FreedomBox machines.

A proper solution would require changes in systemd (add firewall.target), iptables (iptables.service), firewalld (firewalld.service) and fail2ban (fail2ban.service).

--
Sunil
From f702e1eaadef9000e96acbfbba5ca01817382d31 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa <su...@medhas.org> Date: Tue, 28 Nov 2017 17:29:15 +0530 Subject: [PATCH] Fix failure to restart firewalld Signed-off-by: Sunil Mohan Adapa <su...@medhas.org> --- debian/patches/fix-firewalld-restart-issue.patch | 39 ++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 40 insertions(+) create mode 100644 debian/patches/fix-firewalld-restart-issue.patch diff --git a/debian/patches/fix-firewalld-restart-issue.patch b/debian/patches/fix-firewalld-restart-issue.patch new file mode 100644 index 00000000..6c93d612 --- /dev/null +++ b/debian/patches/fix-firewalld-restart-issue.patch 
@@ -0,0 +1,39 @@ +From: Sunil Mohan Adapa <su...@medhas.org> +Description: Fix issue with failed firewalld restart + + When fail2ban is used along with firewalld (as in FreedomBox systems), + restarting firewalld always fails with the following error: + + > Failed to restart firewalld.service: Transaction contains conflicting jobs + > 'restart' and 'stop' for fail2ban.service. Probably contradicting requirement + > dependencies configured. + + This causes package upgrades on firewalld to always fail (include depedening + packages such as FreedomBox UI). + + Due the way current systemd service file is written, restart of + firewalld.service generates an action to restart fail2ban.service via PartOf= + and stop on fail2ban.service via Conflicts=iptables.service and + PartOf=iptables.service. + + This problem and a potential solution were discussed at + https://lists.freedesktop.org/archives/systemd-devel/2016-March/036010.html + + To workaround the problem, remove iptables.service from PartOf= directive of + the fail2ban's systemd service file. Although this is not an ideal solution but + this causes fewer number of problems and eliminates a critical failure on all + FreedomBox machines. +Origin: http://pkgs.fedoraproject.org/cgit/rpms/fail2ban.git/ +Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1379141 +Forwarded: no +--- a/files/fail2ban.service ++++ b/files/fail2ban.service +@@ -2,7 +2,7 @@ + Description=Fail2Ban Service + Documentation=man:fail2ban(1) + After=network.target iptables.service firewalld.service +-PartOf=iptables.service firewalld.service ++PartOf=firewalld.service + + [Service] + Type=forking diff --git a/debian/patches/series b/debian/patches/series index 72c26109..d5ad65ea 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ deb_path_to_common deb_init_paths deb_manpages_reportbug +fix-firewalld-restart-issue.patch -- 2.11.0
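Review bot: The Description in fix-firewalld-restart-issue.patch does not name the behaviour that is given up by dropping iptables.service from PartOf= in files/fail2ban.service; it only says the change "causes fewer number of problems". With PartOf=firewalld.service alone, a stop or restart of iptables.service is no longer propagated to fail2ban.service, while After= still orders fail2ban after iptables.service. Please state that trade-off explicitly in the Description so that administrators who run iptables.service without firewalld know that fail2ban has to be restarted by hand after an iptables restart. Two smaller points in the same header: Origin: points at the root of the Fedora repository rather than the specific change that was taken, and with Forwarded: no the workaround stays Debian-only, so forwarding it to fail2ban upstream (with a reference to the systemd-devel thread already cited) would help it get replaced by the proper fix later.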
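Review bot: The debian/patches/series hunk registers the new patch, but the diffstat lists only two files and neither is debian/changelog. Since the mail asks for a release to fix upgrades on FreedomBox machines, add a changelog entry that closes the bug this message tags (871993) so that the upload records why fail2ban.service was changed.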