FS#49101 - [ufw] update renders some servers unreachable
Attached to Project:
Community Packages
Opened by John (graysky) - Tuesday, 26 April 2016, 19:28 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 07 May 2016, 14:17 GMT
Details
Upon updating from 0.34-1 to 0.35-1, the user-created rules mentioned below (excerpt from pacman.log) are removed rather than copied into their new location, which breaks the ability of hasty updates to connect via ssh. In order to do so, users will have to reconfigure the ufw on the box (see the wiki) enabling sshd access before rebooting. Failure to do this will lock them out of the box, which is a horrible scenario for remote admins.

The package should clearly warn users this will be happening at a minimum.

warning: /usr/lib/ufw/user6.rules saved as /usr/lib/ufw/user6.rules.pacsave
warning: /usr/lib/ufw/user.rules saved as /usr/lib/ufw/user.rules.pacsave

Additional info:
* package version(s) 0.35-1

Steps to reproduce:
Have a functional setup on a previous version and update to 0.35-1
Closed by Doug Newgard (Scimmia)
Saturday, 07 May 2016, 14:17 GMT
Reason for closing: Fixed
Additional comments about closing: post-upgrade message added
/usr/lib/ufw/user.rules.pacsave --> /etc/ufw/user.rules
/usr/lib/ufw/user6.rules.pacsave --> /etc/ufw/user6.rules
What is packaging policy about simply doing this automatically on updates? In other words, if no data loss will be experienced, why not simply move the edited files from /u/l/u to /e/u automatically?
Arch's normal policy is to put a message in the post install and you are expected to read it and act on it. You are absolutely correct that a warning is required.
>>>
>>> IMPORTANT UFW UPGRADE NOTICE
>>> ----------------------------
>>> Version 0.35 has moved several config files.
>>> You may need to copy your versions of the files
>>> to the new location.
>>> /usr/lib/ufw/user.rules.pacsave -> /etc/ufw/user.rules
>>> /usr/lib/ufw/user6.rules.pacsave -> /etc/ufw/user6.rules
>>>
I will ask around if this is a news-worthy item.
Not doing so effectively leaves a ticking time bomb for users that could result in locking them out of the box (remote access no longer allowed).
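The check and copy that the upgrade notice above asks for, as an added shell example that is not part of the original thread or of the ufw package. The function names, the root-prefix argument (used so the logic can be tried on a scratch tree) and the `.pkgdefault` backup suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect and restore ufw rules that pacman saved as .pacsave
# when 0.35-1 moved them from /usr/lib/ufw to /etc/ufw.

# Exit 0 if a saved rules file exists and differs from the file in /etc/ufw,
# i.e. the firewall would come up without the user's rules after a reboot.
ufw_rules_pending() {
    root="${1:-}"
    for name in user.rules user6.rules; do
        src="$root/usr/lib/ufw/$name.pacsave"
        dst="$root/etc/ufw/$name"
        if [ -f "$src" ] && ! cmp -s "$src" "$dst" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# Copy each saved file to its new location; prints how many were restored.
restore_ufw_rules() {
    root="${1:-}"
    restored=0
    for name in user.rules user6.rules; do
        src="$root/usr/lib/ufw/$name.pacsave"
        dst="$root/etc/ufw/$name"
        [ -f "$src" ] || continue                      # nothing was saved
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue                                   # already restored
        fi
        # Keep the packaged file (hypothetical suffix) so the copy can be undone.
        if [ -f "$dst" ]; then cp -p "$dst" "$dst.pkgdefault"; fi
        mkdir -p "$root/etc/ufw"
        cp -p "$src" "$dst" || return 1
        restored=$((restored + 1))
    done
    echo "$restored"
}

# Demo on a constructed scratch tree (not a real system) in the post-upgrade state.
demo=$(mktemp -d)
mkdir -p "$demo/usr/lib/ufw" "$demo/etc/ufw"
echo "-A ufw-user-input -p tcp --dport 22 -j ACCEPT" > "$demo/usr/lib/ufw/user.rules.pacsave"
echo "# packaged default, no user rules" > "$demo/etc/ufw/user.rules"
ufw_rules_pending "$demo" && echo "pending: saved rules not yet restored"
echo "restored: $(restore_ufw_rules "$demo")"
rm -rf "$demo"
```

On a real host, call `restore_ufw_rules ""` as root, then run `ufw reload` and confirm the rules with `ufw status` before closing the current session or rebooting.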