fix: skip firewalld port config when firewalld is not running #1

Draft
Copilot wants to merge 2 commits into dev-v2 from copilot/check-firewalld-status

Copilot AI commented May 9, 2026

On openEuler, firewalld is installed by default but not started. NewFirewallClient() was selecting firewalld purely based on binary presence (cmd.Which), causing any subsequent firewall-cmd invocation to trigger D-Bus socket activation — starting firewalld and applying port rules without user intent.

Changes

  • agent/utils/firewall/client.go: In NewFirewallClient(), after detecting the firewalld binary, check if the service is actually running via controller.CheckActive("firewalld") before returning a firewalld client. If not active, fall through to iptables. Check errors are logged at debug level.

// Before: binary presence alone selected firewalld
if firewalld {
    return client.NewFirewalld()
}

// After: also verify the service is running
if firewalld {
    isActive, err := controller.CheckActive("firewalld")
    if err != nil {
        global.LOG.Debugf("failed to check firewalld active status: %v", err)
    }
    if isActive {
        return client.NewFirewalld()
    }
}

This aligns the agent with the existing behavior in core/utils/firewall/firewall.go, which already gates firewall-cmd calls behind a running-state check.
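
Review bot: In the "After" block, a non-nil err from controller.CheckActive("firewalld") is only logged at debug level and execution continues to `if isActive`, so a failed status check is treated the same as "firewalld is not running" and the agent falls through to iptables. On a host where firewalld is in fact running, that would select the iptables backend with nothing visible unless debug logging is enabled. Consider logging the error at warning level and stating in a comment that falling back on error is deliberate, or handling the error case explicitly instead of relying on the value of isActive when err != nil. A short comment above the check explaining that binary presence is not enough, because firewall-cmd can start firewalld through D-Bus activation, would help future readers, and a test covering the installed-but-inactive case would pin the behavior.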
