[Pkg-utopia-maintainers] Bug#945459: Daemon fails to start in container due to nf_conntrack permissions

Maciej Delmanowski drybjed at gmail.com
Mon Nov 25 09:13:34 GMT 2019


Package: firewalld
Version: 0.6.3-5
Severity: important
Tags: upstream

Dear Maintainer,

On Debian Buster, when the 'firewalld' package is installed in an unprivileged
LXC container, the daemon fails to start due to not being able to load the
'nf_conntrack' kernel module. This makes the 'firewalld' service unusable in
that environment. The problem is in the logic used by the 'firewalld' service
itself, not in the system configuration.

This issue is known upstream:
https://github.com/firewalld/firewalld/issues/519

The fix implemented upstream:
https://github.com/firewalld/firewalld/commit/cef1e52af87508f90ab541fb02464ab3a1410ec5

Since this is not a security issue, and the service works fine outside of the
restricted environment, I'm not sure if the fix can be implemented in the
'firewalld' package included in Debian Buster. Perhaps this could be used as
a good argument for providing the 'firewalld' package with the fix included via
the buster-backports repository.

Best Regards,
Maciej Delmanowski


-- System Information:
Debian Release: 10.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firewalld depends on:
ii  dbus                 1.12.16-1
ii  gir1.2-glib-2.0      1.58.3-2
ii  init-system-helpers  1.56+nmu1
ii  iptables             1.8.2-4
ii  policykit-1          0.105-25
ii  python3              3.7.3-1
ii  python3-dbus         1.2.8-3
ii  python3-gi           3.30.4-1
pn  python3-slip-dbus    <none>

Versions of packages firewalld recommends:
pn  ipset  <none>

firewalld suggests no packages.
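The failure described in this report (a daemon that aborts start-up because modprobe is denied inside an unprivileged container) can be handled defensively by checking, before loading anything, whether the module is already present and whether the process is even allowed to load modules. The following is an added shell example written for this page; it is not firewalld's code and does not reproduce the upstream commit. The optional SYSFS_ROOT and PROC_ROOT parameters, the function names, and the CapEff values used in the comments are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not firewalld's code): decide at start-up whether a
# conntrack-dependent daemon should call modprobe, and fail soft when it
# runs as uid 0 in an unprivileged container that cannot load modules.
# The SYSFS_ROOT / PROC_ROOT parameters are an assumption added so the
# logic can be exercised against a constructed directory tree.

# module_present NAME [SYSFS_ROOT]
# 0 if the module is built in or already loaded: the kernel exposes it
# under /sys/module even inside a container that may not load modules.
module_present() {
    _mp_name="$1"
    _mp_sysfs="${2:-/sys}"
    [ -d "$_mp_sysfs/module/$_mp_name" ]
}

# can_load_modules [PROC_ROOT]
# 0 only if modprobe has a chance of succeeding: module loading is not
# disabled kernel-wide and the process holds CAP_SYS_MODULE (bit 16 of
# the CapEff mask in /proc/self/status). Unprivileged LXC drops it.
can_load_modules() {
    _clm_proc="${1:-/proc}"
    _clm_disabled="$(cat "$_clm_proc/sys/kernel/modules_disabled" 2>/dev/null || echo 1)"
    [ "$_clm_disabled" = "0" ] || return 1
    [ -r "$_clm_proc/self/status" ] || return 1
    _clm_capeff="$(sed -n 's/^CapEff:[[:space:]]*//p' "$_clm_proc/self/status")"
    # Bit 16 is the low bit of the fifth hex digit from the right:
    # drop the last four digits, then keep the last remaining digit.
    _clm_nibble="${_clm_capeff%????}"
    _clm_nibble="${_clm_nibble#"${_clm_nibble%?}"}"
    case "$_clm_nibble" in
        [13579bBdDfF]) return 0 ;;
        *) return 1 ;;
    esac
}

# ensure_nf_conntrack [SYSFS_ROOT] [PROC_ROOT]
# Prints one of:
#   present     - module already available, nothing to do
#   load        - caller should run "modprobe nf_conntrack"
#   unavailable - neither present nor loadable; disable conntrack-dependent
#                 features (or refuse to start) with a clear message instead
#                 of dying on a modprobe permission error
ensure_nf_conntrack() {
    _enc_sysfs="${1:-/sys}"
    _enc_proc="${2:-/proc}"
    if module_present nf_conntrack "$_enc_sysfs"; then
        echo present
        return 0
    fi
    if can_load_modules "$_enc_proc"; then
        echo load
        return 0
    fi
    echo unavailable
    return 1
}

# Stand-alone usage against the real host (exit status is non-zero only
# for "unavailable", so a unit file can still decide what to do).
_host_status="$(ensure_nf_conntrack || true)"
echo "nf_conntrack: $_host_status"
```

When the host kernel already has nf_conntrack loaded, the module is visible under /sys/module inside the container and the daemon has no reason to call modprobe at all; the capability check only matters in the remaining case, and it turns a confusing permission error into an explicit, loggable decision.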
