Migrate existing systems to `iptables-nft` and remove `iptables-legacy`

[travier]

Describe the enhancement

Since https://github.com/coreos/fedora-coreos-tracker/issues/676 (in stable 36.20220505.3.2), we've moved to the nft backend for iptables by default, but as far as I remember / could figure out, we did not update existing systems to it.

We now have proper support for alternatives on ostree based systems (https://github.com/fedora-sysv/chkconfig/pull/135 & https://github.com/coreos/fedora-coreos-tracker/issues/677) so we can use that to migrate users at boot time.

Then we should remove the legacy package.

Unfortunately we can not just drop our manual workaround to migrate systems to the nft backend as they have the same priority set in their alternatives config:

• https://src.fedoraproject.org/rpms/iptables/blob/rawhide/f/iptables.spec#_278
• https://src.fedoraproject.org/rpms/iptables/blob/rawhide/f/iptables.spec#_330

So we'll have to run a script via a systemd unit to do it:

$ sudo alternatives --set iptables /usr/sbin/iptables-nft

As this could potentially be a breaking change, we might want to do it only starting with Fedora 42.

System details

N/A

Additional information

See:

• Original Change Request in Fedora: https://fedoraproject.org/wiki/Changes/iptables-nft-default
• Issue tracking the move to nft as default in FCOS: https://github.com/coreos/fedora-coreos-tracker/issues/676
• Original issue with alternatives not working: https://github.com/coreos/fedora-coreos-tracker/issues/677

[travier]

Hum, we'll also likely have to remove / migrate /var/lib/aternatives to /etc/alternatives-admindir/ as this is not part of the change in the PR to chkconfig.

On my Atomic Desktops I also have:

$ ls -alh /var/lib/alternatives
lrwxrwxrwx. 1 root root 26 Sep 21 21:07 /var/lib/alternatives -> ../../usr/lib/alternatives

which apparently got set up on first boot. Will have to investigate.

[travier]

On the Atomic Desktops side of things: https://gitlab.com/fedora/ostree/sig/-/issues/51

[travier]

Suggested paths:

Option A:

• Migrate configs from the old location (/var/lib/alternatives) to the new one (/etc/alternatives-admindir).
• This is potentially risky as we don't know what users may have stored in this folder, even if in practice, it's very likely that there should be nothing there.

Pseudo bash code:

mv /var/lib/alternatives/* /etc/alternatives-admindir/
rmdir /var/lib/alternatives

Option B:

• Force migrate iptables to the nft backend (the only command really using alternatives on FCOS).
• "Migrate" users with no config (empty /var/lib/alternatives).
• Leave a "permanent" CLHM for users that still have some other configs.
  • Or do nothing and only notify about this in a status mail and let users migrate manually.

Pseudo bash code:

alternatives --admindir /etc/alternatives-admindir --set iptables /usr/sbin/iptables-nft
if /var/lib/alternatives is empty
    rmdir /var/lib/alternatives
else
    write "permanent" CLHM snippet
fi

My preference goes to option B.

[travier]

For the Atomic Desktops, I'll probably write a script that removes /var/lib/alternatives if it's a broken symlink or an empty folder and won't migrate anything as we already don't have the legacy backend anymore.

[travier]

I've created https://gitlab.com/fedora/bootc/tracker/-/issues/44 on the bootc side of things.

[dustymabe]

My preference goes to option B.

B looks good to me. Though.. I have a few questions:

• first one is a dumb question:

  • what is the admindir? The man page is a bit lacking detail here.
  • I see that it is different from the altdir, but what is it used for and why do we need to specify it?

• alternatives --admindir /etc/alternatives-admindir --set iptables /usr/sbin/iptables-nft

  • The current links we create are in /etc/alternatives/. I assume this will update those links?

• CLHM

  • What would the CLHM say? i.e. it's not clear to me why having files in /var/lib/alternatives will be bad.

[HuijingHei]

Agree with B.

One more question, shall we update current links to use alternatives command like https://github.com/coreos/fedora-coreos-config/pull/264 ?

[travier]

One more question, shall we update current links to use alternatives command like coreos/fedora-coreos-config#264 ?

We can try that but it should use the commands from https://docs.fedoraproject.org/en-US/fedora-coreos/alternatives/#_using_alternatives_commands instead / the one I use in my test: https://github.com/coreos/fedora-coreos-config/pull/3253

[travier]

• first one is a dumb question:

  • what is the admindir? The man page is a bit lacking detail here.

The admindir is the directory where the config for each "alternative" command is stored. On FCOS, you have in /etc/alternatives-admindir/iptables the "config" (priority and which applications to update in sync) for both iptables-legacy and iptables-nft.

• I see that it is different from the altdir, but what is it used for and why do we need to specify it?
  • alternatives --admindir /etc/alternatives-admindir --set iptables /usr/sbin/iptables-nft

The altdir is used to store the "current state", i.e. the symlink that points to the currently selected alternative for a given command. In this command I'm forcing the admindir explicitly to ignore the empty /var/lib/alternatives one and have it use the config included by default in the right place in F41.

• The current links we create are in /etc/alternatives/. I assume this will update those links?

Yes, this is what this command does.

• What would the CLHM say? i.e. it's not clear to me why having files in /var/lib/alternatives will be bad.

As long as there are files in /var/lib/alternatives, the ones from /etc/alternatives-admindir are ignored, so if there are files there, the admin created them manually and has to move them to /etc/alternatives-admindir.

[dustymabe]

Thanks for explaining. I didn't realize /var/lib/alternatives was the "admindir" for configuration and not actual symlinks like /etc/alternatives is.