fix(systemd): verify firewalld is responsive to dbus

Resolves: RHEL-77738
2025-05-19 16:16:52 -04:00 · 2025-05-19 16:16:52 -04:00 · 764cecf3ab
commit 764cecf3ab
parent 2318128cf3
4 changed files with 71 additions and 1 deletions
--- a/0027-v2.4.0-fix-systemd-verify-firewalld-is-responsive-to.patch
+++ b/0027-v2.4.0-fix-systemd-verify-firewalld-is-responsive-to.patch
@ -0,0 +1,39 @@
+From b5ed698e4393089a55f0e81d6b687c27affaca1a Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 4 Mar 2025 12:04:44 -0500
+Subject: [PATCH 27/31] v2.4.0: fix(systemd): verify firewalld is responsive to
+ dbus
+
+`systemctl start firewalld` will return as soon as firewalld claims the
+well-known bus name. However, this is too early. Signal handlers, etc.
+may not have been setup. To verify firewalld has completed its startup
+and entered the GLib mainloop use ExecStartPost to check that it's
+responsive to dbus calls. The ExecStartPost will block until its gets a
+response or times out (dbus default is 20s). On the firewalld side, the
+dbus call is buffered until the GLib mainloop handles it.
+
+This fixes a race where a `systemctl reload` immediately after a start
+could hit a timing window during which the signal handlers have not yet
+been setup, thus killing firewalld.
+
+Fixes: RHEL-77738
+(cherry picked from commit 4ddfe5672e3a51e1c081b410144155553f256e91)
+---
+ config/firewalld.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/firewalld.service.in b/config/firewalld.service.in
+index b757a08f28dc..1c6b8f4d78dc 100644
+--- a/config/firewalld.service.in
+++ b/config/firewalld.service.in
+@@ -10,6 +10,7 @@ Documentation=man:firewalld(1)
+ [Service]
+ EnvironmentFile=-/etc/sysconfig/firewalld
+ ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS
+ExecStartPost=@bindir@/firewall-cmd --state
+ ExecReload=/bin/kill -HUP $MAINPID
+ # supress to log debug and error output also to /var/log/messages
+ StandardOutput=null
+-- 
+2.48.1
+
--- a/0028-v2.4.0-fix-systemd-remove-unnecessary-comment.patch
+++ b/0028-v2.4.0-fix-systemd-remove-unnecessary-comment.patch
@ -0,0 +1,25 @@
+From b61048559be0995beee05a5d61958a13f7bf1bb5 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 4 Mar 2025 12:10:46 -0500
+Subject: [PATCH 28/31] v2.4.0: fix(systemd): remove unnecessary comment
+
+(cherry picked from commit ad6f103e1d656d263116ef0178c08792e32aac84)
+---
+ config/firewalld.service.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/config/firewalld.service.in b/config/firewalld.service.in
+index 1c6b8f4d78dc..cd7f772b8581 100644
+--- a/config/firewalld.service.in
+++ b/config/firewalld.service.in
+@@ -12,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/firewalld
+ ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS
+ ExecStartPost=@bindir@/firewall-cmd --state
+ ExecReload=/bin/kill -HUP $MAINPID
+-# supress to log debug and error output also to /var/log/messages
+ StandardOutput=null
+ StandardError=null
+ Type=dbus
+-- 
+2.48.1
+
--- a/firewalld.service
+++ b/firewalld.service
@ -6,6 +6,7 @@ After=syslog.target
 Type=forking
 EnvironmentFile=-/etc/sysconfig/firewalld
 ExecStart=/usr/sbin/firewalld $FIREWALLD_ARGS
+ExecStartPost=/usr/bin/firewall-cmd --state
 ExecReload=/usr/bin/firewall-cmd --reload

 [Install]
--- a/firewalld.spec
+++ b/firewalld.spec
@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 1.3.4
-Release: 11%{?dist}
+Release: 12%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
@ -31,6 +31,8 @@ Patch23: 0023-v2.2.0-fix-service-update-highest-port-number-for-ce.patch
 Patch24: 0024-v2.2.0-feat-service-x-rootd-file-server.patch
 Patch25: 0025-v2.3.0-test-functions-fix-iptables-normalization-for.patch
 Patch26: 0026-v2.4.0-test-add-scale-keyword-to-scale-tests.patch
+Patch27: 0027-v2.4.0-fix-systemd-verify-firewalld-is-responsive-to.patch
+Patch28: 0028-v2.4.0-fix-systemd-remove-unnecessary-comment.patch
 BuildArch: noarch
 BuildRequires: autoconf
 BuildRequires: automake
@ -254,6 +256,9 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite
 %{_mandir}/man1/firewall-config*.1*

 %changelog
+* Mon May 19 2025 Eric Garver <egarver@redhat.com> - 1.3.4-12
+- fix(systemd): verify firewalld is responsive to dbus
+
 * Mon May 19 2025 Eric Garver <egarver@redhat.com> - 1.3.4-11
 - test: add scale keyword to scale tests