
Comments (15)

 avatar commented on June 14, 2024

What is the output of firewall-cmd --get-active-zones on that controller, please?

from trinityx.

quentinleburel avatar quentinleburel commented on June 14, 2024

There you go:

[root@QLB-master01 configuration]# firewall-cmd --get-active-zones
public
  interfaces: ens9 eth0

My cfg file:

# Network Interfaces
FWD_PUBLIC_IF="eth0"
FWD_TRUSTED_IF="ens9"

And the configure.sh output:

 ----->>>  Installing packages: /root/trinityx/configuration/controller/firewalld.pkglist  <<<-----
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
 * base: mirrors.noction.com
 * elrepo: ftp.nluug.nl
 * epel: nl.mirror.babylon.network
 * extras: nl.mirror.babylon.network
 * updates: linux.cs.uu.nl
Package firewalld-0.3.9-14.el7.noarch already installed and latest version
Nothing to do
 ----->>>  Running post script: /root/trinityx/configuration/controller/firewalld.sh  <<<-----
[ info ]   Starting firewalld
[ info ]   Assigning interfaces: eth0 -> Public
success
success
[ info ]   Assigning interfaces: ens9 -> Trusted
success
success
[ info ]   Enabling NAT on the public zone
success
success
[ info ]   Enabling HTTPS on the public zone
success
success
[ info ]   Reloading firewalld
success

 avatar commented on June 14, 2024

OK, will look into that.

 avatar commented on June 14, 2024

Actually I missed an important bit of information in your logs: for some reason the interface ens9 is in the public zone, instead of being in the trusted zone!

Another strange thing is that normally on the clean install the firewalld package isn't installed yet. But your output says that it's already there. Was that a reinstall?

Finally, is that the correct log file? I'm asking because I'm having lots of issues with firewalld, and one of them is that it doesn't start properly and rejects the interface configuration. What I see from the output of firewall-cmd seems to indicate that it's what happened, but the log that you're showing me contradicts this.

dchirikov avatar dchirikov commented on June 14, 2024

We should not add interfaces to the trusted zone, but add network ranges
instead. Working fine in (pre-)production.

On Aug 12, 2016 2:51 PM, "jflf-CV" [email protected] wrote:

 avatar commented on June 14, 2024

Off the top of my head, Quentin told me in person that there was an issue with his configuration file that caused the problem. It hasn't reappeared since; closing the ticket.

quentinleburel avatar quentinleburel commented on June 14, 2024

Just had it again.

Maybe caused by just rebooting after configure.sh?

antonycleave avatar antonycleave commented on June 14, 2024

No, it's caused by the internal NIC not being in the trusted zone.
--permanent doesn't work for zone changes; you have to add ZONE=trusted in
the ifcfg-dev script.

Same issue with DNS on the controllers: after a reboot NetworkManager
overwrites the search and nameserver config.

On 9 Sep 2016 12:03, "quentinleburel" [email protected] wrote:

quentinleburel avatar quentinleburel commented on June 14, 2024

Yeah, but our controller.cfg was properly configured, so I assume something goes wrong in configure.sh. Maybe --permanent is missing in the script?

antonycleave avatar antonycleave commented on June 14, 2024

Permanent is in the script. It just doesn't do anything.

On 12 Sep 2016 08:56, "quentinleburel" [email protected] wrote:

 avatar commented on June 14, 2024

The problem is a bit more complicated. There is the permanent setting in the script, but it seems to be lost after a reboot. It's as if firewalld didn't respect its own permanent settings:

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1 eth2
# firewall-cmd --permanent --list-all-zones
...
public (default, active)
  interfaces: eth2
  sources: 
  services: dhcpv6-client https ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

trusted (active)
  interfaces: eth0 eth1
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
...
# firewall-cmd --list-all-zones
...
public (default, active)
  interfaces: eth0 eth1 eth2
  sources: 
  services: dhcpv6-client https ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
...

I had seen the issue before but haven't yet dug deeper into it. I'll do that and update this thread.

 avatar commented on June 14, 2024

Interference from NetworkManager:

https://bugzilla.redhat.com/show_bug.cgi?id=1112742

antonycleave avatar antonycleave commented on June 14, 2024

you can "fix" this by changing
firewall-cmd --zone=trusted --change-interface=${i} --permanent

to

append_line /etc/sysconfig/network-scripts/ifcfg-${i} ZONE=trusted
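
The two points made above (the maintainer's comparison of runtime versus permanent zone assignments, and antonycleave's fix of pinning the zone with ZONE= in the interface's ifcfg file) as an added shell example. This is not TrinityX project code: the helper names set_ifcfg_zone, ifcfg_zone, runtime_zone and check_iface, the sample `--get-active-zones` text and the temporary ifcfg file are all constructed for this example. On a live EL7 controller the runtime text would come from `firewall-cmd --get-active-zones` and the file would live under /etc/sysconfig/network-scripts/.

```shell
#!/bin/sh
# Added example, not TrinityX project code. It shows how to spot the drift the
# thread describes (an interface that firewalld runs in one zone while the
# intended zone is another) and how to pin the zone in the ifcfg file so the
# assignment survives a reboot or NetworkManager restart. All function names
# and the sample firewall-cmd output are constructed for this example.

# set_ifcfg_zone FILE ZONE: idempotently set ZONE=<zone> in an ifcfg file,
# replacing an existing ZONE= line or appending one if there is none.
set_ifcfg_zone() {
    if grep -q '^ZONE=' "$1" 2>/dev/null; then
        _tmp=$(mktemp) || return 1
        sed "s/^ZONE=.*/ZONE=$2/" "$1" > "$_tmp" && mv "$_tmp" "$1"
    else
        printf 'ZONE=%s\n' "$2" >> "$1"
    fi
}

# ifcfg_zone FILE: print the zone pinned in the ifcfg file (empty if none).
ifcfg_zone() {
    sed -n 's/^ZONE=//p' "$1" 2>/dev/null | tail -n 1
}

# runtime_zone TEXT IFACE: print the zone whose "interfaces:" line lists
# IFACE, parsing the output format of `firewall-cmd --get-active-zones`
# (zone name on its own line, then an indented "interfaces: a b c" line).
runtime_zone() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ ]/ { zone = $1; next }
        /^ +interfaces:/ {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# check_iface IFACE EXPECTED_ZONE ACTIVE_TEXT IFCFG_FILE
# Returns 0 when both the runtime zone and the ifcfg ZONE= match
# EXPECTED_ZONE; otherwise prints what is wrong and returns 1. Both have to
# agree: a runtime-only change is exactly what is lost on reboot.
check_iface() {
    _rt=$(runtime_zone "$3" "$1")
    _cfg=$(ifcfg_zone "$4")
    _ok=0
    if [ "$_rt" != "$2" ]; then
        echo "$1: runtime zone is '${_rt:-none}', expected '$2'"
        _ok=1
    fi
    if [ "$_cfg" != "$2" ]; then
        echo "$1: $4 has ZONE='${_cfg:-unset}', expected '$2' (will not persist)"
        _ok=1
    fi
    return $_ok
}

# Constructed sample: the state reported earlier in the thread, with ens9
# (meant to be trusted) listed under public.
ACTIVE_SAMPLE='public
  interfaces: ens9 eth0'

demo() {
    _dir=$(mktemp -d) || return 1
    _ifcfg="$_dir/ifcfg-ens9"
    printf 'DEVICE=ens9\nBOOTPROTO=static\nONBOOT=yes\n' > "$_ifcfg"

    echo "--- before fix ---"
    check_iface ens9 trusted "$ACTIVE_SAMPLE" "$_ifcfg" || true

    # Apply the persistent fix: pin the zone in the ifcfg file. On a real host
    # a network/NetworkManager restart follows; that is outside this example.
    set_ifcfg_zone "$_ifcfg" trusted
    set_ifcfg_zone "$_ifcfg" trusted   # second call must not duplicate the line

    echo "--- after fix ---"
    echo "ifcfg ZONE=$(ifcfg_zone "$_ifcfg"), ZONE lines: $(grep -c '^ZONE=' "$_ifcfg")"
    rm -rf "$_dir"
}

demo
```

check_iface deliberately reports both halves separately: a runtime mismatch points at the zone firewalld is actually enforcing right now, while a missing ZONE= in the ifcfg file is the condition that lets the interface fall back into the default (public) zone on the next reboot.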

 avatar commented on June 14, 2024

Fixes ready for further testing before a pull request:

git clone -b network_issues https://github.com/jflf-CV/trinityX.git

sibomarie avatar sibomarie commented on June 14, 2024

Not an issue any more in c19d7fe