[GH-ISSUE #12] Firewall detection broken on Fedora/RHEL #3

Closed
opened 2026-03-02 11:44:03 +03:00 by kerem · 2 comments
Owner

Originally created by @keyxmakerx on GitHub (Feb 1, 2026).
Original GitHub issue: https://github.com/jhd3197/ServerKit/issues/12

Bug Description

Firewall detection silently fails on any non-Debian system. Two root causes: (1) dpkg calls in _check_firewalld() and _check_ufw() are not wrapped in a try/except, so FileNotFoundError on Fedora/RHEL kills the entire method before the binary path fallback check runs. (2) Several firewall-cmd query commands are missing sudo, causing "Authorization failed" when the backend runs as a non-root user. The rule-manipulation commands already use sudo — only the query commands were missed (--state, --get-default-zone, --list-services, --list-ports, --list-rich-rules, --get-zones, --zone=<zone> --list-all).

Steps to Reproduce

1. Deploy ServerKit on Fedora 43 (or any RHEL-based system)
2. Run the backend as a non-root user (standard systemd deployment)
3. Open the Firewall panel in the UI

Expected Behavior

Firewall panel detects firewalld, displays current zones and rules, and allows rule management.

Actual Behavior

Panel shows "No firewall detected". API returns {"success": false, "error": "No firewall detected"} on /api/v1/firewall/rules.

Environment

LogTide Version:
Deployment Type: Self-hosted
OS: Fedora 43
Browser (if applicable): Firefox 121
Docker Version (if self-hosted):

Logs/Screenshots

Failed to load rules: Error: No firewall detected
handleResponse https://dnsdashboard.bnuuy.haus/assets/index-DZuh55VW.js:1

Running firewall-cmd as non-root without sudo:

$ firewall-cmd --state
Authorization failed.
Make sure polkit agent is running or run the application as superuser.

Confirmed firewalld is running:

$ sudo firewall-cmd --state
running

Additional Context

The dpkg binary does not exist on Fedora/RHEL. When subprocess.run(['dpkg', ...]) is called without a try/except, it throws FileNotFoundError, which is caught by the outer except Exception block in each method — returning installed: False before the binary path check (os.path.exists('/usr/sbin/firewall-cmd')) ever runs. This affects both _check_firewalld() and _check_ufw(). The missing sudo on query commands is a secondary issue that surfaces once detection is fixed — firewall-cmd requires root on Fedora for all operations, not just rule changes.

Contribution

kerem closed this issue and added the bug label on 2026-03-02 11:44:03 +03:00.

@jhd3197 commented on GitHub (Feb 10, 2026):

I'm going to investigate this issue!


@jhd3197 commented on GitHub (Feb 10, 2026):

@keyxmakerx

Both root causes have been addressed:

1. Exception handling for dpkg on non-Debian systems

The firewall service now uses a centralized PackageManager.is_installed() utility that detects the system's package manager (apt/dnf/yum) and queries accordingly — dpkg -s on Debian-based systems, rpm -q on RHEL/Fedora. All calls are wrapped in try/except FileNotFoundError so a missing binary never crashes the detection flow. Both _check_firewalld() and _check_ufw() also have top-level exception guards that return a safe default instead of propagating errors.

2. Missing sudo on firewall-cmd queries

All subprocess calls in the firewall service now go through a run_privileged() helper that automatically prepends sudo when the process isn't running as root. This covers every command you listed: --state, --get-default-zone, --list-services, --list-ports, --list-rich-rules, --get-zones, and --zone=...--list-all.

CI coverage

We added a multi-distro CI workflow (#16) that runs integration tests on Ubuntu 24.04, Debian, Fedora 41, and Rocky Linux to catch cross-platform issues like this going forward.

These changes are on prod. Would you be able to verify on your Fedora 43?
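
The failure mode from the issue and the shape of the fix described in the comment above, as an added example that is not ServerKit's code. The names `run_privileged` and `is_installed` are borrowed from the comment, but their signatures and bodies, the injectable `runner`, the `sudo -n` flag, the dpkg-then-rpm ordering and the constructed `fake_fedora` host are assumptions made for illustration.

```python
import os
import subprocess

def run_privileged(cmd, runner=subprocess.run, euid=None):
    """Prefix sudo -n unless already root; argv list, never a shell string."""
    euid = os.geteuid() if euid is None else euid
    argv = list(cmd) if euid == 0 else ["sudo", "-n", *cmd]
    return runner(argv, capture_output=True, text=True, timeout=10)

def is_installed(package, runner=subprocess.run):
    """Try dpkg, then rpm; a missing query tool is skipped, not fatal."""
    for query in (["dpkg", "-s", package], ["rpm", "-q", package]):
        try:
            if runner(query, capture_output=True, text=True, timeout=10).returncode == 0:
                return True
        except FileNotFoundError:
            continue  # e.g. no dpkg binary on Fedora/RHEL
    return False

def check_before(runner, exists=os.path.exists):
    """Reported pattern: unguarded dpkg call, outer except hides the cause."""
    try:
        ok = runner(["dpkg", "-s", "firewalld"], capture_output=True).returncode == 0
        return {"installed": ok or exists("/usr/sbin/firewall-cmd")}
    except Exception:
        return {"installed": False}  # fallback path check never ran

def check_after(runner, exists=os.path.exists, euid=None):
    """Guarded detection, then a privileged state query."""
    try:
        if not (is_installed("firewalld", runner) or exists("/usr/sbin/firewall-cmd")):
            return {"installed": False, "running": False}
        state = run_privileged(["firewall-cmd", "--state"], runner, euid)
        return {"installed": True, "running": state.stdout.strip() == "running"}
    except Exception:
        return {"installed": False, "running": False}

def fake_fedora(argv, **_):
    """Constructed stand-in for a Fedora host: no dpkg, polkit denies non-root."""
    if argv[0] == "dpkg":
        raise FileNotFoundError("dpkg")
    if argv[:3] == ["rpm", "-q", "firewalld"]:
        return subprocess.CompletedProcess(argv, 0, "firewalld", "")
    if argv[:3] == ["sudo", "-n", "firewall-cmd"]:
        return subprocess.CompletedProcess(argv, 0, "running\n", "")
    return subprocess.CompletedProcess(argv, 1, "", "Authorization failed.")

if __name__ == "__main__":
    print(check_before(fake_fedora, exists=lambda p: True))
    print(check_after(fake_fedora, exists=lambda p: False, euid=1000))
```

With `sudo -n` the service account needs a passwordless sudoers entry; scoping that entry to the `firewall-cmd` binary rather than `ALL` keeps the helper from becoming a general route to root.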
