Migrate existing systems to iptables-nft and remove iptables-legacy #1818

Open
travier opened this issue Oct 24, 2024 · 6 comments
Labels
jira for syncing to jira kind/enhancement

Comments

@travier
Member

travier commented Oct 24, 2024

Describe the enhancement

Since #676 (in stable 36.20220505.3.2), we've moved to the nft backend for iptables by default, but as far as I remember / could figure out, we did not update existing systems to it.

We now have proper support for alternatives on ostree based systems (fedora-sysv/chkconfig#135 & #677) so we can use that to migrate users at boot time.

Then we should remove the legacy package.

Unfortunately we can not just drop our manual workaround to migrate systems to the nft backend as they have the same priority set in their alternatives config:

So we'll have to run a script via a systemd unit to do it:

$ sudo alternatives --set iptables /usr/sbin/iptables-nft

As this could potentially be a breaking change, we might want to do it only starting with Fedora 42.

System details

N/A

Additional information

See:

@travier
Member Author

travier commented Oct 24, 2024

Hum, we'll also likely have to remove / migrate /var/lib/alternatives to /etc/alternatives-admindir/ as this is not part of the change in the PR to chkconfig.

On my Atomic Desktops I also have:

$ ls -alh /var/lib/alternatives
lrwxrwxrwx. 1 root root 26 Sep 21 21:07 /var/lib/alternatives -> ../../usr/lib/alternatives

which apparently got set up on first boot. Will have to investigate.

@travier
Member Author

travier commented Oct 24, 2024

On the Atomic Desktops side of things: https://gitlab.com/fedora/ostree/sig/-/issues/51

@travier
Member Author

travier commented Nov 13, 2024

Suggested paths:

Option A:

  • Migrate configs from the old location (/var/lib/alternatives) to the new one (/etc/alternatives-admindir).
  • This is potentially risky as we don't know what users may have stored in this folder, even if in practice, it's very likely that there should be nothing there.

Pseudo bash code:

mkdir -p /etc/alternatives-admindir
mv /var/lib/alternatives/* /etc/alternatives-admindir/
rmdir /var/lib/alternatives

Option B:

  • Force migrate iptables to the nft backend (the only command really using alternatives on FCOS).
  • "Migrate" users with no config (empty /var/lib/alternatives).
  • Leave a "permanent" CLHM for users that still have some other configs.
    • Or do nothing and only notify about this in a status mail and let users migrate manually.

Pseudo bash code:

alternatives --admindir /etc/alternatives-admindir --set iptables /usr/sbin/iptables-nft
if [ -z "$(ls -A /var/lib/alternatives 2>/dev/null)" ]; then
	# empty (or already absent): nothing left to migrate
	[ -e /var/lib/alternatives ] && rmdir /var/lib/alternatives
else
	# CLHM snippet path is an assumption; the note stays until the user cleans up
	printf '%s\n' '/var/lib/alternatives still has entries; migrate them to /etc/alternatives-admindir' \
		> /etc/motd.d/alternatives-migration.motd
fi

My preference goes to option B.

@travier
Member Author

travier commented Nov 13, 2024

For the Atomic Desktops, I'll probably write a script that removes /var/lib/alternatives if it's a broken symlink or an empty folder and won't migrate anything as we already don't have the legacy backend anymore.
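A script along the lines described in this comment and in the Option B proposal above, as an added example that is not the project's own code: it classifies which iptables backend a `iptables --version` line names (so a migration unit can skip systems already on nft), and it removes /var/lib/alternatives only when it is a dangling symlink or an empty directory, leaving anything with content in place. The function names and the `--run` flag are my own; the sample version strings are constructed.

```shell
#!/bin/sh
# Added example; not the FCOS or Atomic Desktops migration script.
set -eu

# Classify the backend from the single line printed by `iptables --version`,
# e.g. "iptables v1.8.10 (nf_tables)" or "iptables v1.8.10 (legacy)".
# Prints: nft | legacy | unknown
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Remove DIR only if it is a dangling symlink or an empty directory.
# Returns 0 when removed, 1 when left alone (valid symlink, non-empty
# directory, or nothing there). The -L test comes first because -e and -d
# follow symlinks and would otherwise hide the symlink case.
prune_alternatives_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        if [ -e "$dir" ]; then
            echo "$dir: symlink target exists, leaving it" >&2
            return 1
        fi
        rm -f "$dir"
        echo "$dir: removed dangling symlink" >&2
        return 0
    fi
    if [ -d "$dir" ]; then
        if [ -n "$(ls -A "$dir")" ]; then
            echo "$dir: not empty, leaving it for the user" >&2
            return 1
        fi
        rmdir "$dir"
        echo "$dir: removed empty directory" >&2
        return 0
    fi
    return 1
}

# Only touch the live system when explicitly asked (`--run` is my own flag).
if [ "${1:-}" = "--run" ]; then
    backend=$(iptables_backend "$(iptables --version 2>/dev/null || true)")
    echo "active iptables backend: $backend"
    if [ "$backend" = legacy ]; then
        # admindir assumed to be the new chkconfig location discussed above
        alternatives --admindir /etc/alternatives-admindir --set iptables /usr/sbin/iptables-nft
    fi
    prune_alternatives_dir /var/lib/alternatives || true
fi
```

Run as root with `--run` to act; without it the file only defines the functions, so it can be sourced and exercised against temporary directories before being wired into a systemd unit.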

travier added a commit to travier/fedora-coreos-config that referenced this issue Nov 13, 2024
This makes sure that the system is setup properly and that the migration
script will do the right thing on older systems.

See: coreos/fedora-coreos-tracker#1818
See: coreos/fedora-coreos-tracker#677
See: https://docs.fedoraproject.org/en-US/fedora-coreos/alternatives/

@travier
Member Author

travier commented Nov 13, 2024

I've created https://gitlab.com/fedora/bootc/tracker/-/issues/44 on the bootc side of things.

@dustymabe
Member

dustymabe commented Nov 13, 2024

My preference goes to option B.

B looks good to me. Though.. I have a few questions:

  • first one is a dumb question:
    • what is the admindir? The man page is a bit lacking detail here.
    • I see that it is different from the altdir, but what is it used for and why do we need to specify it?
  • alternatives --admindir /etc/alternatives-admindir --set iptables /usr/sbin/iptables-nft
    • The current links we create are in /etc/alternatives/. I assume this will update those links?
  • CLHM
    • What would the CLHM say? i.e. it's not clear to me why having files in /var/lib/alternatives will be bad.

3 participants