Bug 6957 - SuSEfirewall2 firewall backend is broken on SLE 12 when running tl-setup through SSH
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server Installer
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Henrik Andersson
Reported: 2017-04-21 13:20 CEST by Karl Mikaelsson
Modified: 2019-11-26 12:46 CET

Description Karl Mikaelsson cendio 2017-04-21 13:20:05 CEST
When installing ThinLinc on Suse Linux Enterprise 12, you get this message in /var/log/tlsetup.log:

> 2017-04-21 10:49:07,976: No supported firewall backend detected.

SuSEfirewall2 is the firewall system used by SLE12. The lack of support for this firewall backend means that you can't set up ThinLinc clusters without manually configuring the firewall on each machine. We ought to support it to provide a better out-of-box experience for Suse users.

/var/log/vsmserver.log:
> 2017-04-21 12:37:01 WARNING vsmserver: Timeout getting load from VSM Agent lab-132.lkpg.cendio.se:904, marking as down
Comment 1 Karl Mikaelsson cendio 2017-04-25 15:01:27 CEST
This fails:

 ssh root@machine /opt/thinlinc/sbin/tl-setup

> 2017-04-25 14:54:01,927: No supported firewall backend detected.

This works:

 ssh root@machine
 # /opt/thinlinc/sbin/tl-setup

> 2017-04-25 14:54:36,227: Detected firewall backend FirewallBackendSuse

The only thing differing in tl-setup output is the Firewall configuration.
Comment 2 Peter Åstrand cendio 2017-04-26 10:04:54 CEST
The problem comes from the fact that tl-setup executes "/sbin/SuSEfirewall2 status", but this command requires a pty:

$ ssh root@dhcp-254-34 /sbin/SuSEfirewall2 status
Password: 
(empty output)

$ ssh -t root@dhcp-254-34 /sbin/SuSEfirewall2 status
Password: 
### iptables filter ###
Chain INPUT (policy DROP 0 packets, 0 bytes)
...
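
The pty dependency described in comment 2, reproduced as an added example that is not part of this bug report or of tl-setup's code. It assumes a constructed stand-in command that prints only when stdout is a terminal (the real reason SuSEfirewall2 needs a pty is not stated here); `run_plain`, `run_with_pty` and `backend_detected` are hypothetical names.

```python
import os
import pty
import subprocess

# Constructed stand-in for "/sbin/SuSEfirewall2 status": prints only when
# stdout is a terminal, mimicking the empty output seen over plain ssh.
STAND_IN = ["sh", "-c", 'if [ -t 1 ]; then echo "### iptables filter ###"; fi']


def run_plain(argv):
    """Run argv with pipes, as happens under `ssh host command` (no pty)."""
    proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.returncode, proc.stdout.decode(errors="replace")


def run_with_pty(argv):
    """Run argv with its stdio attached to a freshly allocated pty."""
    master, slave = pty.openpty()
    try:
        proc = subprocess.Popen(argv, stdin=slave, stdout=slave, stderr=slave,
                                close_fds=True)
    except OSError:
        os.close(master)
        raise
    finally:
        os.close(slave)  # the parent keeps only the master side
    chunks = []
    try:
        while True:
            try:
                data = os.read(master, 4096)
            except OSError:  # Linux reports EIO once the child side closes
                break
            if not data:  # other platforms signal EOF with an empty read
                break
            chunks.append(data)
    finally:
        os.close(master)
    rc = proc.wait()
    return rc, b"".join(chunks).decode(errors="replace").replace("\r\n", "\n")


def backend_detected(argv):
    """Hypothetical detection rule: non-empty status output means 'present'."""
    rc, out = run_with_pty(argv)
    return rc == 0 and bool(out.strip())
```

With the stand-in, `run_plain` returns empty output while `run_with_pty` returns the status text, so a detection step that allocates its own pty gives the same answer whether or not ssh was started with `-t`.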
