From 55609b1d19313165c9a93e931f780f91644a7f57 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Mon, 16 Sep 2024 15:55:51 -0400
Subject: [PATCH 1/2] tier-0: pull in iptables-nft instead of iptables-legacy

As per the comment, currently we're pulling in iptables-legacy because for some reason the `iptables` Provides is fulfilled by that instead of iptables-nft. Explicitly name the latter to avoid this. Note in tier-1 we do pull iptables-nft only because it's explicitly named there.
---
 tier-0/bootc.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tier-0/bootc.yaml b/tier-0/bootc.yaml
index a862e6c..d44ee08 100644
--- a/tier-0/bootc.yaml
+++ b/tier-0/bootc.yaml
@@ -2,6 +2,10 @@ packages:
 - systemd
 - bootc
+ # bootc pulls in podman, which pulls in containers-common, which wants
+ `iptables`. Currently that pulls in iptables-legacy. Let's explicitly name
+ iptables-nft instead to satisfy it.
+ - iptables-nft
 # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
 - gdisk xfsprogs e2fsprogs dosfstools

From f4eba96aefb5fc62bebfa96e6662e68a3a9d242f Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Mon, 16 Sep 2024 15:57:21 -0400
Subject: [PATCH 2/2] tier-1: drop iptables alternatives hack

We only ship iptables-nft, so there's no need to explicitly override the symlinks anymore. To enforce this remains the case, add `iptables-legacy` to the exclusion list.
---
 tier-1/manifest.yaml | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/tier-1/manifest.yaml b/tier-1/manifest.yaml
index 420ff54..f367ce6 100644
--- a/tier-1/manifest.yaml
+++ b/tier-1/manifest.yaml
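Review bot: The added `- iptables-nft` entry satisfies the `iptables` Provides, but nothing in this hunk prevents iptables-legacy from also being pulled into tier-0 by some other dependency, so both backends can still land in the same image and the ambiguity the new comment describes would return. The two front ends program different kernel tables and each lists only its own rules, so a host carrying both can enforce firewall policy that an operator auditing with the other tool never sees. If tier-0/bootc.yaml has (or can take) an `exclude-packages:` list, I'd mirror what the tier-1 patch does and add `  - iptables-legacy` there so the compose fails instead of quietly shipping both. The `packages:` list continues outside the hunk.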
@@ -67,19 +67,6 @@ postprocess:
 systemctl preset-all
 rm -rf /etc/systemd/user/*
 systemctl --user --global preset-all
- # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
- # remove iptables-legacy. This is needed because alternatives don't work
- # https://github.com/coreos/fedora-coreos-tracker/issues/677
- # https://github.com/coreos/fedora-coreos-tracker/issues/676
- - |
- #!/usr/bin/env bash
- set -xeuo pipefail
- ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
- ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
- ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
- ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
- ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
- ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
 # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
 # https://bugzilla.redhat.com/show_bug.cgi?id=2112857
 # https://github.com/coreos/rpm-ostree/issues/3918
@@ -108,3 +95,6 @@ exclude-packages:
 # Do not use legacy ifcfg config format in NetworkManager
 # See https://github.com/coreos/fedora-coreos-config/pull/1991
 - NetworkManager-initscripts-ifcfg-rh
+ # Let's not have both legacy and nft versions in the image. Users are free to
+ # also layer legacy themselves if they want.
+ - iptables-legacy
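Review bot: The added comment under `exclude-packages:` tells users they are free to layer iptables-legacy themselves, but the earlier hunk in this file removes the symlink override whose own comment said it was the only thing stopping legacy from winning the alternatives selection, so a user who layers it gets that legacy-wins behaviour back with no warning. I'd extend the comment to say so, e.g. `# Note: layering iptables-legacy again brings back the alternatives problem (legacy wins; see fedora-coreos-tracker#676/#677), so anyone doing that must re-point the /etc/alternatives/iptables* links themselves.` It is also worth confirming the legacy backend has no companion subpackages on this distro that would need listing here too, since `exclude-packages` presumably matches only the names given. The `exclude-packages:` list continues outside the hunk.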