[FEATURE] UFW rules not installed on ubuntu20 04 with salt 3001

[JeremyHutchings]

Description
ufw rules (/etc/ufw/applications.d/salt.ufw) are not being installed on ubuntu 20.04 with salt version 3001

Setup
Default Ubuntu 20.04 LTS AWS image, then following the instructions here : https://repo.saltstack.com/#ubuntu

Steps to Reproduce the behaviour

1. Install as per :https://repo.saltstack.com/#ubuntu

root@salt-master:/home/ubuntu# ufw allow salt
ERROR: Could not find a profile matching 'salt'
root@salt-master:/home/ubuntu# salt-master --version
salt-master 3001
root@ip-10-3-1-220:/home/ubuntu# file /etc/ufw/applications.d/salt.ufw
/etc/ufw/applications.d/salt.ufw: cannot open `/etc/ufw/applications.d/salt.ufw' (No such file or directory)

Expected behaviour
That the file /etc/ufw/applications.d/salt.ufw would be created during install

Screenshots
If applicable, add screenshots to help explain your problem.

Versions Report

salt --versions-report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Salt Version:
           Salt: 3001
 
Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.7.3
      docker-py: Not Installed
          gitdb: 2.0.6
      gitpython: 3.0.7
         Jinja2: 2.10.1
        libgit2: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.6.2
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: Not Installed
   pycryptodome: 3.6.1
         pygit2: Not Installed
         Python: 3.8.2 (default, Apr 27 2020, 15:53:34)
   python-gnupg: 0.4.5
         PyYAML: 5.3.1
          PyZMQ: 18.1.1
          smmap: 2.0.5
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.3.2
 
System Versions:
           dist: ubuntu 20.04 focal
         locale: utf-8
        machine: x86_64
        release: 5.4.0-1009-aws
         system: Linux
        version: Ubuntu 20.04 focal

[krionbsd]

@dmurphy18 do we install salt.ufw by default on Ubuntu20? Could you please help.

[dmurphy18]

We don't, don't see salt.ufw as part of the install for Ubuntu 16.04, 18.04 and 20.04.
But wondering if this could be an issue on Ubuntu 20.04 due to dropping of legacy net-tools and we had to add then back into the install.

If the steps work on Ubuntu 18.04, then that is probably the issue and need to get marked up and associated with issue #57541

[JeremyHutchings]

I installed on an Ubuntu 18.04.4 LTS server today as well (as we have a mix of 20.04 and 18.04 and had to manually create the file on all servers.

I was confused because of this : https://docs.saltstack.com/en/latest/topics/tutorials/firewall.html

[dmurphy18]

@JeremyHutchings Did this used to work for you, if so, can you provide a versions report on the machine that it did work.

The file salt.ufw has not been shipped with Debian or Ubuntu systems that I recall from Salt.
Note: this may have been an oversight.
It is shipped for Redhat family platforms.

Note that the link you provided only discusses Redhat family of platforms (that includes SLES), there is no mention of Debian or Ubuntu support

[JeremyHutchings]

Did this used to work for you, if so, can you provide a versions report on the machine that it did work.

@dmurphy18 I can't, as I have no memory or evidence of it ever working, I've always had to deal with the ports manually. So I expect installing the file on Ubuntu is an oversight.

[dmurphy18]

Changing this to a feature, since you are the first to bring it up in over 5 years.

Add salt.ufw to Debian and Ubuntu packaging similar to it's provision with Redhat and Amazon platform families

[OrangeDog]

Noting that ufw-formula provides an almost identical file as a workaround.

@dmurphy18 just because a bug hasn't been fixed for years doesn't make it not a bug. The documentation says this is supposed to happen, and it's clearly the intent of the source file that it gets installed,

[sagetherage]

this feature has not been assigned and no work has been done for 3001.1 release, and likely would not have been as bugfix releases rarely contain features, but I realize this one is not well defined. Looking to get it assigned in the Magnesium release.

[bryceml]

As far as I can tell, we can just do:

--- debian/salt-master.dirs	2017-12-21 01:12:03.000000000 +0000
+++ salt_3001+ds/debian/salt-master.dirs	2020-07-21 21:51:03.733301693 +0000
@@ -1 +1,2 @@
 /etc/salt/master.d
+/etc/ufw/applications.d
diff -ru debian/salt-master.install salt_3001+ds/debian/salt-master.install
--- debian/salt-master.install	2017-12-21 01:12:03.000000000 +0000
+++ salt_3001+ds/debian/salt-master.install	2020-07-21 21:50:17.497377387 +0000
@@ -1,4 +1,5 @@
 conf/master /etc/salt
+pkg/salt.ufw /etc/ufw/applications.d
 pkg/salt-master.service /lib/systemd/system
 usr/bin/salt
 usr/bin/salt-cp

In each of the debian tarballs. @dmurphy18 does that sound good ? Do we need to rename it to not have the .ufw on the end or is that fine? I think convention is to name the file the same as the package name.

It looks like it would be accurate to the docs if we did it as I have above.

[bryceml]

Changing this to a feature, since you are the first to bring it up in over 5 years.

Add salt.ufw to Debian and Ubuntu packaging similar to it's provision with Redhat and Amazon platform families

I don't see salt.ufw in the spec file or the resulting packages for rhel8. I do see it in the sources folder.

[sagetherage]

This will be in the RC and released with Magnesium saltstack/salt-pack-py3#243

[OrangeDog]

This is missing from the release notes - https://docs.saltstack.com/en/latest/topics/releases/3002.html

[rousku]

This is broken again:

ubuntu@ubuntu:/srv$ sudo ufw allow salt
ERROR: Could not find a profile matching 'salt'

System info:

ubuntu@ubuntu:/etc/ufw/applications.d$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.2 LTS
Release:	22.04
Codename:	jammy
ubuntu@ubuntu:/etc/ufw/applications.d$ dpkg -l salt-master
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=============================================
ii  salt-master    3006.1       amd64        remote manager to administer servers via salt

[dmurphy18]

@rousku This issue has been closed for almost 3 years. Can you open a new issue for it and quote this issue in the new issue, given the old issue concerned classic packaging, and this is happening with 'onedir' packaging on Ubuntu 22.04. Mention my name in the issue, since I don't think you can assign it to me, but mentioning me should get attention and it will be sent my way.