Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate existing systems to iptables-nft and remove iptables-legacy #1818

Open
travier opened this issue Oct 24, 2024 · 11 comments
Open

Migrate existing systems to iptables-nft and remove iptables-legacy #1818

travier opened this issue Oct 24, 2024 · 11 comments
Labels
jira for syncing to jira kind/enhancement

Comments

@travier
Copy link
Member

travier commented Oct 24, 2024
edited
Loading

Describe the enhancement

Since #676 (in stable 36.20220505.3.2), we've moved to the nft backend for iptables by default, but as far as I remember / could figure out, we did not update existing systems to it.

We now have proper support for alternatives on ostree based systems (fedora-sysv/chkconfig#135 & #677) so we can use that to migrate users at boot time.

Then we should remove the legacy package.

Unfortunately we can not just drop our manual workaround to migrate systems to the nft backend as they have the same priority set in their alternatives config:

So we'll have to run a script via a systemd unit to do it:

$ sudo alternatives --set iptables /usr/sbin/iptables-nft

As this could potentially be a breaking change, we might want to do it only starting with Fedora 42.

System details

N/A

Additional information

See:
@travier travier mentioned this issue Oct 24, 2024
Closed
@travier
Copy link
Member Author

travier commented Oct 24, 2024

Hum, we'll also likely have to remove / migrate /var/lib/aternatives to /etc/alternatives-admindir/ as this is not part of the change in the PR to chkconfig.

On my Atomic Desktops I also have:

$ ls -alh /var/lib/alternatives
lrwxrwxrwx. 1 root root 26 Sep 21 21:07 /var/lib/alternatives -> ../../usr/lib/alternatives

which apparently got set up on first boot. Will have to investigate.

@travier
Copy link
Member Author

travier commented Oct 24, 2024

On the Atomic Desktops side of things: https://gitlab.com/fedora/ostree/sig/-/issues/51

@travier travier mentioned this issue Oct 25, 2024
Merged
@travier travier added jira for syncing to jira F41 and removed F41 labels Oct 25, 2024
@dustymabe dustymabe added the meeting topics for meetings label Oct 28, 2024
@yasminvalim yasminvalim mentioned this issue Oct 30, 2024
Closed
22 tasks
@c4rt0 c4rt0 mentioned this issue Nov 6, 2024
Closed
24 tasks
@gursewak1997 gursewak1997 removed the meeting topics for meetings label Nov 13, 2024
@travier
Copy link
Member Author

travier commented Nov 13, 2024
edited
Loading

Suggested paths:

Option A:

  • Migrate configs from the old location (/var/lib/alternatives) to the new one (/etc/alternatives-admindir).
  • This is potentially risky as we don't know what users may have stored in this folder, even if in practice, it's very likely that there should be nothing there.

Pseudo bash code:

mv /var/lib/alternatives/* /etc/alternatives-admindir/
rmdir /var/lib/alternatives

Option B:

  • Force migrate iptables to the nft backend (the only command really using alternatives on FCOS).
  • "Migrate" users with no config (empty /var/lib/alternatives).
  • Leave a "permanent" CLHM for users that still have some other configs.
    • Or do nothing and only notify about this in a status mail and let users migrate manually.

Pseudo bash code:

alternatives --admindir /etc/alternatives-admindir --set iptables /usr/sbin/iptables-nft
if /var/lib/alternatives is empty
	rmdir /var/lib/alternatives
else
	write "permanent" CLHM snippet
fi

My preference goes to option B.

@travier
Copy link
Member Author

travier commented Nov 13, 2024

For the Atomic Desktops, I'll probably write a script that removes /var/lib/alternatives if it's a broken symlink or an empty folder and won't migrate anything as we already don't have the legacy backend anymore.

travier added a commit to travier/fedora-coreos-config that referenced this issue Nov 13, 2024
@travier
tests: Add initial alternatives test
484d98b 
This makes sure that the system is setup properly and that the migration
script will do the right thing on older systems.

See: coreos/fedora-coreos-tracker#1818
See: coreos/fedora-coreos-tracker#677
See: https://docs.fedoraproject.org/en-US/fedora-coreos/alternatives/
@travier travier mentioned this issue Nov 13, 2024
Open
@travier
Copy link
Member Author

travier commented Nov 13, 2024

I've created https://gitlab.com/fedora/bootc/tracker/-/issues/44 on the bootc side of things.

@dustymabe
Copy link
Member

dustymabe commented Nov 13, 2024
edited
Loading

My preference goes to option B.

B looks good to me. Though.. I have a few questions:

  • first one is a dumb question:

    • what is the admindir? The man page is a bit lacking detail here.
    • I see that it is different from the altdir, but what is it used for and why do we need to specify it?

  • alternatives --admindir /etc/alternatives-admindir --set iptables /usr/sbin/iptables-nft

    • The current links we create are in /etc/alternatives/. I assume this will update those links?

  • CLHM

    • What would the CLHM say? i.e. it's not clear to me why having files in /var/lib/alternatives will be bad.

@HuijingHei
Copy link
Member

Agree with B.

One more question, shall we update current links to use alternatives command like coreos/fedora-coreos-config#264 ?

@travier
Copy link
Member Author

travier commented Nov 14, 2024

One more question, shall we update current links to use alternatives command like coreos/fedora-coreos-config#264 ?

We can try that but it should use the commands from https://docs.fedoraproject.org/en-US/fedora-coreos/alternatives/#_using_alternatives_commands instead / the one I use in my test: coreos/fedora-coreos-config#3253

@travier
Copy link
Member Author

travier commented Nov 14, 2024
edited
Loading

  • first one is a dumb question:

    • what is the admindir? The man page is a bit lacking detail here.

The admindir is the directory where the config for each "alternative" command is stored. On FCOS, you have in /etc/alternatives-admindir/iptables the "config" (priority and which applications to update in sync) for both iptables-legacy and iptables-nft.

  • I see that it is different from the altdir, but what is it used for and why do we need to specify it?
  • alternatives --admindir /etc/alternatives-admindir --set iptables /usr/sbin/iptables-nft

The altdir is used to store the "current state", i.e. the symlink that points to the currently selected alternative for a given command. In this command I'm forcing the admindir explicitly to ignore the empty /var/lib/alternatives one and have it use the config included by default in the right place in F41.

  • The current links we create are in /etc/alternatives/. I assume this will update those links?

Yes, this is what this command does.

  • What would the CLHM say? i.e. it's not clear to me why having files in /var/lib/alternatives will be bad.

As long as there are files in /var/lib/alternatives, the ones from /etc/alternatives-admindir are ignored, so if there are files there, the admin created them manually and has to move them to /etc/alternatives-admindir.

@dustymabe
Copy link
Member

Thanks for explaining. I didn't realize /var/lib/alternatives was the "admindir" for configuration and not actual symlinks like /etc/alternatives is.

travier added a commit to travier/fedora-coreos-config that referenced this issue Nov 15, 2024
@travier
tests: Add initial alternatives test
2ba6b2a 
This makes sure that the system is setup properly and that the migration
script will do the right thing on older systems.

See: coreos/fedora-coreos-tracker#1818
See: coreos/fedora-coreos-tracker#677
See: https://docs.fedoraproject.org/en-US/fedora-coreos/alternatives/
travier added a commit to travier/fedora-coreos-config that referenced this issue Nov 18, 2024
@travier
tests: Add initial alternatives test
086b0fa 
This makes sure that the system is setup properly and that the migration
script will do the right thing on older systems.

See: coreos/fedora-coreos-tracker#1818
See: coreos/fedora-coreos-tracker#677
See: https://docs.fedoraproject.org/en-US/fedora-coreos/alternatives/
travier added a commit to travier/fedora-coreos-config that referenced this issue Nov 18, 2024
@travier
overlay.d & tests: Add alternatives migration and test
273dbde 
- Add an overlay with the migration logic for alternatives
- Add a test for the migration script

This should make sure that the system is setup properly and that the
migration script will do the right thing on older systems.

See: coreos/fedora-coreos-tracker#1818
See: coreos/fedora-coreos-tracker#677
See: https://docs.fedoraproject.org/en-US/fedora-coreos/alternatives/
@travier
Copy link
Member Author

travier commented Feb 17, 2025

To make progress on this one, we either need to merge coreos/fedora-coreos-config#3253 and move on (will be FCOS only) or work on bringing this to the bootc level (would be more generic but would need to make it work for all other variants).

Given that this is kind of part of the transition and most bootc system are not impacted by it, we can carry it in Fedora CoreOS/Atomic/IoT seperately.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
jira for syncing to jira kind/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dustymabe @gursewak1997 @HuijingHei @travier