[BUG] ufw rules not installed on Ubuntu 22.04

[rousku]

Description
ufw rules (/etc/ufw/applications.d/salt.ufw) are not being installed on ubuntu 22.04 with salt version 3006.1

Setup
Followed these instructions to install Major onedir version of salt-master.

Please be as specific as possible and give set-up details.

• on-prem machine
• VM Virtualbox
• VM running on a cloud service, please be explicit and add details
• container (Kubernetes, Docker, containerd, etc. please specify)
• or a combination, please be explicit
• jails if it is FreeBSD
• classic packaging
• onedir packaging
• used bootstrap to install

Steps to Reproduce the behavior

ubuntu@ubuntu:/srv$ sudo ufw allow salt
ERROR: Could not find a profile matching 'salt'

Expected behavior
sudo ufw allow salt should run without errors

Screenshots
If applicable, add screenshots to help explain your problem.

Versions Report

salt --versions-report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Salt Version:
          Salt: 3006.1
 
Python Version:
        Python: 3.10.11 (main, May  5 2023, 02:31:54) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.14.6
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: Not Installed
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
        relenv: 0.12.3
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: ubuntu 22.04.2 jammy
        locale: utf-8
       machine: x86_64
       release: 5.19.0-45-generic
        system: Linux
       version: Ubuntu 22.04.2 jammy

Additional context

ubuntu@ubuntu:~$ ls /etc/ufw/applications.d/
cups  openssh-server

Maybe related to #57712

[welcome]

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

• Community Wiki
• Salt’s Contributor Guide
• Join our Community Slack
• IRC on LiberaChat
• Salt Project YouTube channel
• Salt Project Twitch channel

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!

[rousku]

Ping @dmurphy18

[dmurphy18]

The new packaging using GitHub Actions broke salt.ufw usage. It needs to be corrected.
The old classic packaging debian/ubuntu spec has been broken apart and only a single line is preserved, incorrectly I believe, will dig in on conf changes too

And files such as salt-minion.upstart.rhel6 should have been deleted long ago

[dmurphy18]

Closing since associated PR #64926 is merged.

[rousku]

Still broken: #64926 (comment)

[dmurphy18]

PR #64926 did not fix the issue, the salt.ufw is being installed into
/etc/ufw/applications.d/salt-master/salt.ufw
when it should be
/etc/ufw/applications.d/salt.ufw

[dmurphy18]

Interestingly with classic Salt 3005.2 package, install of salt-master or salt-minion does not result in the installation of salt.ufw under /etc. Checking earlier versions of classic Salt.
Latest versions of classic Salt 3005, 3004, 3003 and 3002 do not install salt.ufw, thought they did, so this might be a mute point given that even the classic packages didn't install salt.ufw, why should the onedir based Salt do so.

From the salt-master.install for Salt 3002, the original file

  1 #! /usr/bin/dh-exec
  2 
  3 conf/master /etc/salt
  4 pkg/salt-master.service /lib/systemd/system
  5 pkg/salt.ufw => etc/ufw/applications.d/salt-master
  6 usr/bin/salt
  7 usr/bin/salt-cp
  8 usr/bin/salt-key
  9 usr/bin/salt-master
 10 usr/bin/salt-run
 11 usr/bin/salt-unity

shows that the original intention was /etc/ufw/applications.d/salt-master for salt.ufw, but the actual salt.ufw file contents are

  1 # Install into /etc/ufw/applications.d/ and run 'ufw app update' to add salt
  2 # firewall rules to systems with UFW.  Activate with 'ufw allow salt'
  3 [Salt]
  4 title=salt
  5 description=fast and powerful configuration management and remote execution
  6 ports=4505,4506/tcp

which suggests it should be /etc/ufw/applications.d/ and have been doing it wrong for several releases (since 2015), if installing salt.ufw did work.

So decided to try this with Debian's own Salt packages on Debian 10, using

salt-master:
  Installed: 2018.3.4+dfsg1-6+deb10u3
  Candidate: 2018.3.4+dfsg1-6+deb10u3
  Version table:
 *** 2018.3.4+dfsg1-6+deb10u3 500
        500 http://deb.debian.org/debian buster/main amd64 Packages
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
        100 /var/lib/dpkg/status
root@tdeb10:/home/david#

and installing salt-master did not result in installing salt.ufw either.

Tried Debian 11, and Debian's Salt and same result, no salt.ufw

root@tdeb11:/home/david# apt-cache policy salt-master
salt-master:
  Installed: 3002.6+dfsg1-4+deb11u1
  Candidate: 3002.6+dfsg1-4+deb11u1
  Version table:
 *** 3002.6+dfsg1-4+deb11u1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status
root@tdeb11:/home/david# 

[dmurphy18]

Working to correct have salt.ufw in correct location, directory /etc/ufw/applications.d

[dmurphy18]

@rousku So given classic packaging has been doing it the same way for over a decade and no complaints, revisiting what the classic packages installed and they installed salt-master into directory /etc/ufw/applications.d

root@david-VirtualBox:/home/david# cat /etc/ufw/applications.d/salt-master 
# Install into /etc/ufw/applications.d/ and run 'ufw app update' to add salt
# firewall rules to systems with UFW.  Activate with 'ufw allow salt, but a file label
[Salt]
title=salt
description=fast and powerful configuration management and remote execution
ports=4505,4506/tcp
root@david-VirtualBox:/home/david#

and the command ufw allow salt functions correctly, hence there was never a file salt.ufw installed, but a file labeled salt-master. Hence over-reacted in the first PR to your issue and will adjust the current PR under development to produce the same outcome as classic packaging in the interests of backwards compatibility and no surprises

root@david-VirtualBox:/home/david# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
root@david-VirtualBox:/home/david# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
4505,4506/tcp (Salt)       ALLOW IN    Anywhere                  
4505,4506/tcp (Salt (v6))  ALLOW IN    Anywhere (v6)             

[dmurphy18]

closing this since additional PRs are now merged