[opensuse-autoinstall] Disabling FW during installation of SLES12
Hi list,

when doing an autoyast installation of SLES12 the firewall is active at the end of stage 2, but no interface is assigned to any zone, blocking SSH access until the firewall is stopped or the newly installed server is rebooted (we do not need the firewall in our environment).

This is different than in SLES11 and earlier versions, where at the end of stage 2 the firewall is not active.

Is there a way to have the firewall automatically stopped at the end of Stage 2 in SLES12 as well?

Thanks in advance
Frieder

Kind regards
Dr. Frieder Schmidt
Principal Technical Specialist Lead Architect Infrastructure Solutions Micro Focus
Hi Frieder,
I think this should be possible with
<firewall>
...
Hi Thomas,

that is exactly what I have in my xml file, and if I reboot the server it comes up without the FW. The problem is that I need to access the console of the server (either to stop the firewall or to reboot it) before I can SSH into the box.

With SLES11 this was different. At the end of stage2 Autoyast would ensure that the configuration of the newly installed server was activated, i.e. the firewall was active during the installation but not at the end of stage 2. SSH access was possible as soon as the installation was completed.

SLES12 does not seem to do the same thing here. Not sure if this is autoyast or maybe systemd.

Thanks and regards,
Frieder
05.09.17 11:26 >>> Hi Frieder,
I think this should be possible with
<firewall>
...
Hi Frieder!
The problem is that I need to access the console of the server (either to stop the firewall or to reboot it) before I can SSH into the box.
Hm, I'm not quite sure if I fully understand the problem. Sounds like the firewall is disabled, but not stopped, so either stopping it manually or rebooting the server stops it. Had that once, when I missed the start_firewall part and only had enable_firewall set to false.

As far as I can see from /var/log/YaST2/y2log on a newly installed server the firewall is disabled and stopped very early. This happens while our server still has its DHCP-based IP configuration (static IP is configured via ask-list in the initial stage).

What we have in addition to the firewall section is <firewall>no</firewall> for each network interface, perhaps this is something you might want to check. But anyway, on our servers SuSEfirewall2 is completely disabled and inactive after auto-install.

Maybe your whole <firewall> section is in the wrong level of autoyast.xml... Ours is between <profile></profile> and not in <general> or anywhere else.

Greetz,
Zimo
Hi Thomas,
Hm, I'm not quite sure if I fully understand the problem.
Sounds like the firewall is disabled, but not stopped, so either stopping it manually or rebooting the server stops it.
Your understanding is correct! More precisely - once the installation is finished the status of the firewall service is "active (exited)" and I have either to issue systemctl stop SuSEfirewall2 or to reboot to really get rid of the FW.
Maybe your whole <firewall> section is in the wrong level of autoyast.xml... Ours is between <profile></profile> and not in <general> or anywhere else.
From my installedSystem.xml:
:
</classes>
<firewall>
What we have in addition to the firewall section is <firewall>no</firewall> for each network interface, perhaps this is something you might want to check.
Gave it a shot and it did not make any difference :(
As far as I can see from /var/log/YaST2/y2log on a newly installed server the firewall is disabled and stopped very early.
Digging through my y2log file I see many commands to disable the firewall but not a single one to stop it.

2017-09-05 19:01:58 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:06 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:06 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:07 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:07 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:07 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:08 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:08 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:08 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:09 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:02:09 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:05:31 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:05:34 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:05:34 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:06:08 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:06:09 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:06:23 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:06:47 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:08:17 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:08:18 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:08:18 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:08:22 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:08:22 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `

To the contrary - close to the end of the log (there are only some more 50 lines) the firewall gets started explicitly

2017-09-05 19:08:30 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl show SuSEfirewall2.service --property=Id --property=MainPID --property=Description --property=LoadState --property=ActiveState --property=SubState --property=UnitFileState --property=FragmentPath `
2017-09-05 19:08:30 <1> server1(3030) [Ruby] modules/Service.rb:140 Starting service 'SuSEfirewall2'
2017-09-05 19:08:30 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl show SuSEfirewall2.service --property=Id --property=MainPID --property=Description --property=LoadState --property=ActiveState --property=SubState --property=UnitFileState --property=FragmentPath `
2017-09-05 19:08:30 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl start SuSEfirewall2.service `
2017-09-05 19:08:31 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl show SuSEfirewall2.service --property=Id --property=MainPID --property=Description --property=LoadState --property=ActiveState --property=SubState --property=UnitFileState --property=FragmentPath `
2017-09-05 19:08:31 <1> server1(3030) [Ruby] clients/inst_oes_postconfig.rb:1950 SuSEfirewall2 started

I am really wondering what is causing this ...

Thanks and regards,
Frieder
Good afternoon! :]
Digging through my y2log file I see many commands to disable the firewall but not a single one to stop it.
...
2017-09-05 19:01:58 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
To the contrary - close to the end of the log (there are only some more 50 lines) the firewall gets started explicitly
What I see in y2log is this:
2017-09-05 11:47:22 <1> bla-srv(3041) [Ruby] network/susefirewall.rb:197 Firewall service is not enabled
2017-09-05 11:47:22 <1> bla-srv (3041) [Ruby] network/susefirewall.rb:211 Checking firewall status...
2017-09-05 11:47:22 <2> bla-srv (3041) [Ruby] modules/Service.rb:448 [DEPRECATION] `Status' in "/usr/share/YaST2/lib/network/susefirewall.rb:212:in `IsStarted'" is deprecated; use `active?` instead
2017-09-05 11:47:22 <1> bla-srv (3041) [Ruby] yast2/systemd_unit.rb:122 `systemctl show SuSEfirewall2.service --property=Id --property=MainPID --property=Description --property=LoadState --property=ActiveState --property=SubState --property=UnitFileState --property=FragmentPath `
2017-09-05 11:47:22 <1> bla-srv (3041) [Ruby] network/susefirewall.rb:216 Firewall service is stopped
So I think I have to correct myself, looks like the FW isn't even started in the first place (instead of being stopped).
Another thought: despite being disabled our firewall is configured by several
I am really wondering what is causing this ...
To be honest, I don't have a clue... :/

Maybe it's got something to do with "clients/inst_oes_postconfig.rb". Since we are not using OES I can't tell, but I don't find any calls to this module in our logs. Perhaps some step during the installation of OES requires the FW to be started even though you disabled it.

BTW Our installation basis is the SLES12 SP 2 DVD-image.

Regards,
Zimo
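The log comparison made in the messages above can be automated. The following is an added example, not part of the original thread and not YaST code: it replays the `systemctl` calls recorded in a y2log for one unit and flags a unit that ends up disabled but running, listing the YaST source files that mention it from the last start onward. The names `audit_unit`, `SAMPLE`, `ENTRY`, `SYSTEMCTL`, `WRAPPER` and `EFFECT` are hypothetical; the sample lines are copied from the excerpt quoted in the thread.

```python
import re

# y2log entry layout as quoted in the thread:
#   DATE TIME <level> host(pid) [component] source_file:line message
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) <\d> \S+ ?\(\d+\) "
                   r"\[\w+\] (\S+):\d+ (.*)$")
SYSTEMCTL = re.compile(r"`systemctl (\w+) (\S+?)(?:\.service)?[ `]")
WRAPPER = "yast2/systemd_unit.rb"  # logs each systemctl call, not who asked for it
# systemctl verb -> (state field it changes, new value); "show" changes nothing
EFFECT = {"enable": ("enabled", True), "disable": ("enabled", False),
          "start": ("active", True), "stop": ("active", False)}

# Lines copied from the y2log excerpt quoted in the thread (show line shortened).
SAMPLE = """\
2017-09-05 19:08:22 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl disable SuSEfirewall2.service `
2017-09-05 19:08:30 <1> server1(3030) [Ruby] modules/Service.rb:140 Starting service 'SuSEfirewall2'
2017-09-05 19:08:30 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl start SuSEfirewall2.service `
2017-09-05 19:08:31 <1> server1(3030) [Ruby] yast2/systemd_unit.rb:122 `systemctl show SuSEfirewall2.service --property=Id `
2017-09-05 19:08:31 <1> server1(3030) [Ruby] clients/inst_oes_postconfig.rb:1950 SuSEfirewall2 started
"""

def audit_unit(log_text, unit):
    """Replay systemctl calls for `unit`; report its end state and who started it."""
    state = {"enabled": None, "active": None}  # None = never changed in this log
    entries, last_start = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # continuation lines and other formats are ignored
        ts, src, msg = m.groups()
        entries.append((ts, src, msg))
        call = SYSTEMCTL.search(msg)
        if call and call.group(2) == unit and call.group(1) in EFFECT:
            field, value = EFFECT[call.group(1)]
            state[field] = value
            if call.group(1) == "start":
                last_start = ts
    mismatch = state["enabled"] is False and state["active"] is True
    # Entries naming the unit at or after the last start, minus the wrapper,
    # point at the installer step that requested the start.
    callers = sorted({src for ts, src, msg in entries
                      if ts >= last_start and unit in msg and src != WRAPPER}
                     ) if mismatch else []
    return {**state, "mismatch": mismatch, "callers": callers}

if __name__ == "__main__":
    print(audit_unit(SAMPLE, "SuSEfirewall2"))
```

Run against a full /var/log/YaST2/y2log, the `callers` list is the place to look for the module that started a unit the profile had disabled.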
Hello,
you can set this in the firewall block of the autoyast file.
<firewall>
…
…
...
On 05.09.2017 at 10:45, Frieder Schmidt wrote:
Hi list,
when doing an autoyast installation of SLES12 the firewall is active at the end of stage 2 but no interface is assigned to any zone blocking SSH access until the firewall is stopped or the newly installed server is rebooted (we do not need the firewall in our environment).
This is different than in SLES11 and earlier versions where at the end of stage 2 the firewall is not active.
Is there a way to have the firewall automatically stopped at the end of Stage 2 in SLES12 as well?
Thanks in advance Frieder
participants (3)
- Frieder Schmidt
- Rieß Norman
- Thomas.Zimolong@bmi.bund.de