Comments (15)
What is the output of firewall-cmd --get-active-zones
on that controller, please?
from trinityx.
There you go:
[root@QLB-master01 configuration]# firewall-cmd --get-active-zones
public
interfaces: ens9 eth0
My cfg file:
# Network Interfaces
FWD_PUBLIC_IF="eth0"
FWD_TRUSTED_IF="ens9"
And the configure.sh output:
----->>> Installing packages: /root/trinityx/configuration/controller/firewalld.pkglist <<<-----
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
* base: mirrors.noction.com
* elrepo: ftp.nluug.nl
* epel: nl.mirror.babylon.network
* extras: nl.mirror.babylon.network
* updates: linux.cs.uu.nl
Package firewalld-0.3.9-14.el7.noarch already installed and latest version
Nothing to do
----->>> Running post script: /root/trinityx/configuration/controller/firewalld.sh <<<-----
[ info ] Starting firewalld
[ info ] Assigning interfaces: eth0 -> Public
success
success
[ info ] Assigning interfaces: ens9 -> Trusted
success
success
[ info ] Enabling NAT on the public zone
success
success
[ info ] Enabling HTTPS on the public zone
success
success
[ info ] Reloading firewalld
success
from trinityx.
OK, will look into that.
from trinityx.
Actually I missed an important bit of information in your logs: for some reason the interface ens9
is in the public zone, instead of being in the trusted zone!
Another strange thing is that normally on the clean install the firewalld package isn't installed yet. But your output says that it's already there. Was that a reinstall?
Finally, is that the correct log file? I'm asking because I'm having lots of issues with firewalld, and one of them is that it doesn't start properly and rejects the interface configuration. What I see from the output of firewall-cmd seems to indicate that it's what happened, but the log that you're showing me contradicts this.
from trinityx.
We should not add interfaces to trusted zone, but add network ranges
instead. Working fine in (pre-)production.
On Aug 12, 2016 2:51 PM, "jflf-CV" [email protected] wrote:
Actually I missed an important bit of information in your logs: for some
reason the interface ens9 is in the public zone, instead of being in the
trusted zone!
Another strange thing is that normally on the clean install the firewalld
package isn't installed yet. But your output says that it's already there.
Was that a reinstall?
Finally, is that the correct log file? I'm asking because I'm having lots
of issues with firewalld, and one of them is that it doesn't start properly
and rejects the interface configuration. What I see from the output of
firewall-cmd seems to indicate that it's what happened, but the log that
you're showing me contradicts this.
from trinityx.
Off the top of my head, Quentin told me in person that there was an issue with his configuration file that caused the problem. Hasn't reappeared since, closing the ticket.
from trinityx.
Just had it again.
Maybe caused by just rebooting after configure.sh?
from trinityx.
No, it's caused by the internal NIC not being in the trusted zone.
--permanent doesn't work for zone changes; you have to add ZONE=trusted in
the ifcfg-dev script.
Same issue with DNS on the controllers: after a reboot, NetworkManager
overwrites the search and nameserver config.
On 9 Sep 2016 12:03, "quentinleburel" [email protected] wrote:
Just had it again.
Maybe caused by just rebooting after configure.sh?
from trinityx.
Yeah, but our controller.cfg was properly configured, so I assume something goes wrong in the configure.sh. Maybe --permanent is missing in the script?
from trinityx.
Permanent is in the script. It just doesn't do anything.
On 12 Sep 2016 08:56, "quentinleburel" [email protected] wrote:
Yeah, but our controller.cfg was properly configured, so I assume something
goes wrong in the configure.sh. Maybe --permanent is missing in the script?
from trinityx.
The problem is a bit more complicated. There is the permanent setting in the script, but it seems to be lost after a reboot. It's as if firewalld didn't respect its own permanent settings:
# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1 eth2

# firewall-cmd --permanent --list-all-zones
...
public (default, active)
  interfaces: eth2
  sources:
  services: dhcpv6-client https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
trusted (active)
  interfaces: eth0 eth1
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...

# firewall-cmd --list-all-zones
...
public (default, active)
  interfaces: eth0 eth1 eth2
  sources:
  services: dhcpv6-client https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
I had seen the issue before but I haven't yet gotten deeper into it. I'll do that and update that thread.
from trinityx.
Interference from NetworkManager:
https://bugzilla.redhat.com/show_bug.cgi?id=1112742
from trinityx.
You can "fix" this by changing
firewall-cmd --zone=trusted --change-interface=${i} --permanent
to
append_line /etc/sysconfig/network-scripts/ifcfg-${i} ZONE=trusted
from trinityx.
Fixes ready for further testing before a pull request:
git clone -b network_issues https://github.com/jflf-CV/trinityX.git
from trinityx.
Not an issue any more in c19d7fe
from trinityx.
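Added example, not part of the thread or of the TrinityX scripts: a post-reboot check that compares the runtime zone of each interface (from `firewall-cmd --get-active-zones`) with the zone the installer intended, and reads the `ZONE=` value pinned in an ifcfg file. The function names and the sample text are constructed for illustration; the sample mirrors the runtime output posted above.

```shell
#!/usr/bin/env bash
# Constructed sample: runtime state after a reboot, every NIC back in "public".
SAMPLE_ACTIVE='public
  interfaces: eth0 eth1 eth2'

# zone_of IFACE: read `firewall-cmd --get-active-zones` output on stdin and
# print the zone that holds IFACE (prints nothing if it is in no zone).
zone_of() {
    awk -v ifc="$1" '
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == ifc) print zone; next }
        $1 == "sources:"    { next }
        NF                  { zone = $1 }
    '
}

# ifcfg_zone FILE: print the ZONE= value pinned in an ifcfg file, if any.
# This is the setting the thread found to survive NetworkManager at boot.
ifcfg_zone() {
    awk -F= '$1 == "ZONE" { gsub(/["\047]/, "", $2); z = $2 }
             END { if (z != "") print z }' "$1"
}

# audit_zones ACTIVE_TEXT IFACE=ZONE...: print one DRIFT line per interface
# whose runtime zone differs from the expected one; return 1 on any drift.
audit_zones() {
    local active="$1" rc=0 pair ifc want got
    shift
    for pair in "$@"; do
        ifc="${pair%%=*}"
        want="${pair#*=}"
        got="$(printf '%s\n' "$active" | zone_of "$ifc")"
        if [ "$got" != "$want" ]; then
            echo "DRIFT: $ifc expected=$want runtime=${got:-none}"
            rc=1
        fi
    done
    return $rc
}

# On a live controller (not run here; the interface names are assumptions):
#   audit_zones "$(firewall-cmd --get-active-zones)" eth2=public eth0=trusted eth1=trusted
#   ifcfg_zone /etc/sysconfig/network-scripts/ifcfg-eth0
```

Running the audit after a reboot rather than right after configure.sh is what exposes the drift, since the runtime state only diverges from the permanent configuration once NetworkManager has brought the interfaces up again.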