NixOS / nixpkgs

Nix Packages collection & NixOS

Firewalld broken due to nftables #293778

Open PABLEXWorld opened 4 months ago

PABLEXWorld commented 4 months ago

Describe the bug

I am unable to run firewalld because nftables' python package appears to be broken:

[root@nixos:/home/pablexworld]# nixos-rebuild switch
// trimmed for brevity
warning: the following units failed: firewalld.service

× firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/etc/systemd/system/firewalld.service; enabled; preset: enabled)
    Drop-In: /nix/store/a0gq0dvmck0pkg6c8xkixw286iw38iaj-system-units/firewalld.service.d
             └─overrides.conf
     Active: failed (Result: exit-code) since Wed 2024-03-06 10:47:09 -03; 163ms ago
       Docs: man:firewalld(1)
    Process: 280063 ExecStart=/nix/store/ww72ipydzkrp8mjbmmdsxk473984xbpq-firewalld-2.0.1/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=1/FAILURE)
   Main PID: 280063 (code=exited, status=1/FAILURE)
         IP: 0B in, 0B out
        CPU: 274ms

mar 06 10:47:08 nixos (irewalld)[280063]: firewalld.service: Referenced but unset environment variable evaluates to an empty string: FIREWALLD_ARGS
mar 06 10:47:08 nixos systemd[1]: Starting firewalld - dynamic firewall daemon...
mar 06 10:47:09 nixos systemd[1]: firewalld.service: Main process exited, code=exited, status=1/FAILURE
mar 06 10:47:09 nixos systemd[1]: firewalld.service: Failed with result 'exit-code'.
mar 06 10:47:09 nixos systemd[1]: Failed to start firewalld - dynamic firewall daemon.
warning: error(s) occurred while switching to the new configuration

Running firewalld manually reveals the error:

[root@nixos:/home/pablexworld]# /nix/store/ww72ipydzkrp8mjbmmdsxk473984xbpq-firewalld-2.0.1/sbin/firewalld --nofork --nopid --debug
Traceback (most recent call last):
  File "/nix/store/ww72ipydzkrp8mjbmmdsxk473984xbpq-firewalld-2.0.1/bin/.firewalld-wrapped", line 257, in <module>
    main()
  File "/nix/store/ww72ipydzkrp8mjbmmdsxk473984xbpq-firewalld-2.0.1/bin/.firewalld-wrapped", line 252, in main
    startup(args)
  File "/nix/store/ww72ipydzkrp8mjbmmdsxk473984xbpq-firewalld-2.0.1/bin/.firewalld-wrapped", line 204, in startup
    from firewall.server import server
  File "/nix/store/ww72ipydzkrp8mjbmmdsxk473984xbpq-firewalld-2.0.1/lib/python3.11/site-packages/firewall/server/server.py", line 40, in <module>
    from firewall.server.firewalld import FirewallD
  File "/nix/store/ww72ipydzkrp8mjbmmdsxk473984xbpq-firewalld-2.0.1/lib/python3.11/site-packages/firewall/server/firewalld.py", line 30, in <module>
    from firewall.core.fw import Firewall
  File "/nix/store/ww72ipydzkrp8mjbmmdsxk473984xbpq-firewalld-2.0.1/lib/python3.11/site-packages/firewall/core/fw.py", line 34, in <module>
    from firewall.core import nftables
  File "/nix/store/ww72ipydzkrp8mjbmmdsxk473984xbpq-firewalld-2.0.1/lib/python3.11/site-packages/firewall/core/nftables.py", line 35, in <module>
    from nftables.nftables import Nftables
ModuleNotFoundError: No module named 'nftables'

After creating the relevant nix config for my Python environment, I can attest that Python is indeed unable to find the module:

[nix-shell:~]$ python
Python 3.11.6 (main, Oct  2 2023, 13:45:54) [GCC 12.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import nftables
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'nftables'
>>> 

Other modules (I tested with termcolor) are working properly.

Steps To Reproduce

Steps to reproduce the behavior:

  1. add to configuration.nix:
    environment.systemPackages = with pkgs; [
      firewalld
    ];
    systemd.packages = with pkgs; [ firewalld ];
    services.dbus.packages = with pkgs; [ firewalld ];
    systemd.services.firewalld = {
      aliases = [ "dbus-org.fedoraproject.FirewallD1.service" ];
      wantedBy = [ "multi-user.target" ];
    };
  2. sudo nixos-rebuild switch
  3. warning: the following units failed: firewalld.service
  4. python.nix:
    let
      pkgs = import <nixpkgs> {};
    in pkgs.mkShell {
      packages = [
        (pkgs.python3.withPackages (python-pkgs: [
          python-pkgs.nftables
        ]))
      ];
    }
  5. running nix-shell python.nix and typing import nftables into python yields the error above

Notify maintainers

@Izorkin

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[pablexworld@nixos:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.1-zen1, NixOS, 23.11 (Tapir), 23.11.4835.c8e74c2f83fe`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - channels(root): `"home-manager-23.11.tar.gz, nixos-23.11"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`


Izorkin commented 4 months ago

Check with this PR - https://github.com/NixOS/nixpkgs/pull/276123

Izorkin commented 4 months ago

Try to completely rebuild the system?

  sudo nixos-rebuild boot -I nixpkgs=/.../nixpkgs

I don't know any other simpler variants.

PABLEXWorld commented 4 months ago

After hacking things together with callPackage instead of rebuilding the system, the PR got firewalld past this error. Now it's crashing at a later, unrelated stage, and I'll take it from here. Thanks and please get it merged!

devurandom commented 2 months ago

firewalld 2.1.2 seems to depend on python nftables 1.0.9 now, but fails to build:

error: builder for '/nix/store/0zyqqxj730k4cc0hpzppbz2hsxs92hvh-python3.11-nftables-1.0.9.drv' failed with exit code 1;
       last 10 log lines:
       > Using pythonImportsCheckPhase
       > Sourcing python-namespaces-hook
       > Sourcing python-catch-conflicts-hook.sh
       > Running phase: unpackPhase
       > unpacking source archive /nix/store/gppnhpfzmz12f61v729b5x5shj09ja8r-nftables-1.0.9.tar.xz
       > source root is nftables-1.0.9/py
       > setting SOURCE_DATE_EPOCH to timestamp 1697710722 of file nftables-1.0.9/py/Makefile.in
       > Running phase: patchPhase
       > substitute(): ERROR: file 'py/src/nftables.py' does not exist
       > /nix/store/558iw5j1bk7z6wrg8cp96q2rx03jqj1v-stdenv-linux/setup: line 131: pop_var_context: head of shell_variables not a function context
       For full logs, run 'nix log /nix/store/0zyqqxj730k4cc0hpzppbz2hsxs92hvh-python3.11-nftables-1.0.9.drv'.
error: 1 dependencies of derivation '/nix/store/fkc0rn7gw3dskapvmr3a5iyhbchc8i7s-python3-3.11.9-env.drv' failed to build
error: 1 dependencies of derivation '/nix/store/pjpp1ynfpslv368syghw1kfzw2bd6qm9-firewalld-2.1.2.drv' failed to build
[...]

Drakeguard commented 4 weeks ago

If someone is still trying to get it to work: with the patch from https://github.com/NixOS/nixpkgs/pull/205380 I got it working

diff --git a/pkgs/applications/networking/firewalld/default.nix b/pkgs/applications/networking/firewalld/default.nix
index 0743e7541..15febb321 100644
--- a/pkgs/applications/networking/firewalld/default.nix
+++ b/pkgs/applications/networking/firewalld/default.nix
@@ -12,9 +12,11 @@
 , libnotify
 , libxml2
 , libxslt
+, networkmanager
 , networkmanagerapplet
 , pkg-config
 , python3
+, wrapQtAppsHook
 , wrapGAppsNoGuiHook
 , withGui ? false
 }:
@@ -46,7 +48,8 @@ stdenv.mkDerivation rec {

   postPatch = ''
     substituteInPlace src/firewall/config/__init__.py.in \
-      --replace "/usr/share" "$out/share"
+      --replace "/usr/share" "$out/share" \
+      --replace "/usr/lib/" "$out/lib/"

     for file in config/firewall-{applet,config}.desktop.in; do
       substituteInPlace $file \
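
Review bot: The added `--replace "/usr/lib/" "$out/lib/"` on `src/firewall/config/__init__.py.in` does not fail the build if the pattern stops matching, so a later upstream change could leave a `/usr/lib/` path in the installed config module without anyone noticing. On nixpkgs revisions that provide it, use `--replace-fail` for both substitutions in this call so that a missing pattern is a build error.
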
@@ -54,13 +57,14 @@ stdenv.mkDerivation rec {
     done
   '' + lib.optionalString withGui ''
     substituteInPlace src/firewall-applet.in \
-      --replace "/usr/bin/nm-connection-editor" "${networkmanagerapplet}/bin/nm-conenction-editor"
+      --replace "/usr/bin/nm-connection-editor" "${networkmanagerapplet}/bin/nm-connection-editor"
   '';

   nativeBuildInputs = [
     autoreconfHook
     docbook_xml_dtd_42
     docbook-xsl-nons
+    gobject-introspection
     glib
     intltool
     libxml2
@@ -68,14 +72,15 @@ stdenv.mkDerivation rec {
     pkg-config
     python3
     python3.pkgs.wrapPython
-  ] ++ lib.optionals withGui [
-    gobject-introspection
     wrapGAppsNoGuiHook
+  ] ++ lib.optionals withGui [
+    wrapQtAppsHook
   ];

   buildInputs = [
     bash
     glib
+    networkmanager
   ] ++ lib.optionals withGui [
     gtk3
     libnotify
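
Review bot: `networkmanager` goes into the unconditional `buildInputs` with no comment on why the headless build needs it, while `gobject-introspection` and `wrapGAppsNoGuiHook` move out of the `lib.optionals withGui` list in the same hunk. If the intent is to make NetworkManager available to the wrapped daemon in every build, say so in a comment next to `networkmanager`; otherwise keep it under `lib.optionals withGui` so the non-GUI package does not grow its closure.
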
@@ -83,9 +88,12 @@ stdenv.mkDerivation rec {
   ];

   dontWrapGApps = true;
+  dontWrapQtApps = true;

-  preFixup = lib.optionalString withGui ''
+  preFixup = ''
     makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
+  '' + lib.optionalString withGui ''
+    makeWrapperArgs+=("''${qtWrapperArgs[@]}")
   '';

   postFixup = ''
@@ -95,10 +103,11 @@ stdenv.mkDerivation rec {
     wrapPythonProgramsIn "$out/share/firewalld/testsuite/python" "$out ${pythonPath}"
   '';

+
   meta = with lib; {
     description = "Firewall daemon with D-Bus interface";
     homepage = "https://github.com/firewalld/firewalld";
+    platforms = platforms.linux;
     license = licenses.gpl2Plus;
-    maintainers = with maintainers; [ ];
   };
-}
+}
\ No newline at end of file
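
Review bot: The `meta` hunk drops the `maintainers` attribute entirely, adds a second blank line before `meta`, and leaves the file without a trailing newline. Keep `maintainers = with maintainers; [ ];` (or list a maintainer), remove the extra blank line, and restore the final newline so the only change to `meta` is the added `platforms = platforms.linux;`.
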
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f52160e15..7398ec567 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -30525,7 +30525,7 @@ with pkgs;
     inherit (darwin.apple_sdk.frameworks) Security;
   };

-  firewalld = callPackage ../applications/networking/firewalld { };
+  firewalld = libsForQt5.callPackage ../applications/networking/firewalld { };

   firewalld-gui = firewalld.override { withGui = true; };
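
Review bot: Switching `firewalld` to `libsForQt5.callPackage` makes the default, non-GUI package resolve its arguments from the Qt 5 package set, although `wrapQtAppsHook` is only listed under `lib.optionals withGui` in default.nix. Consider leaving `firewalld = callPackage ../applications/networking/firewalld { };` as it was and supplying the Qt hook only for `firewalld-gui`, for example through the existing `firewalld.override { withGui = true; }` call.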