Firewall fails after server migration

v7
migration
firewall

(alex) #1

Hi guys - trying to migrate my NethServer and also prove that I can DR it, and am failing miserably… I've had a few goes but am a little out of my depth with the firewall errors, so any hints appreciated!.. at this point I have the admin console (980) available, although on previous attempts (or perhaps following a reboot, which I haven't risked yet on this attempt!) it wouldn't start either

Checking using Shorewall 5.0.14.1…
WARNING: Unknown capability (CPU_FANOUT) ignored /etc/shorewall/capabilities (line 20)
WARNING: Unknown capability (NETMAP_TARGET) ignored /etc/shorewall/capabilities (line 62)
WARNING: Unknown capability (NFLOG_SIZE) ignored /etc/shorewall/capabilities (line 66)
WARNING: Unknown capability (RESTORE_WAIT_OPTION) ignored /etc/shorewall/capabilities (line 84)
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
WARNING: Unknown configuration option (BLACKLIST_DEFAULT) ignored /etc/shorewall/shorewall.conf (line 116)
Checking /etc/shorewall/zones…
Checking /etc/shorewall/interfaces…
Checking /etc/shorewall/hosts…
Determining Hosts in Zones…
Locating Action Files…
Checking /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering…
Checking Kernel Route Filtering…
Checking Martian Logging…
Checking /etc/shorewall/tcinterfaces…
Checking /etc/shorewall/masq…
Checking MAC Filtration – Phase 1…
Checking /etc/shorewall/rules…
Checking /etc/shorewall/action.NFQBY for chain NFQBY…
Checking /etc/shorewall/conntrack…
Checking /etc/shorewall/tunnels…
Checking MAC Filtration – Phase 2…
Applying Policies…
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast…
ERROR: Invalid parameter (DROP),Multicast(DROP) /usr/share/shorewall/action.Broadcast (line 1)
from (line EOF)


(Filippo Carletti) #2

You didn’t apply updates.
You should see:
Checking using Shorewall 5.1.10.2...


(alex) #3

thanks Filippo, that fixed it … until a reboot, when httpd_admin wouldn't come back up, which was fixed with reference to one of your posts elsewhere (this error doesn't seem to be spurious because it was observed for 2 separate servers/domains…

[root@cwprod11v02 ~]# /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.conf
AH00526: Syntax error on line 51 of /etc/httpd/admin-conf/httpd.conf:
SSLCertificateChainFile: file ‘/etc/pki/tls/certs/cwprod11v02-chain.crt’ does not exist or is empty

current remaining error is: Account provider generic error: SSSD exit code 1

In view of the fact this (particular) server is only really being used for mail, I may investigate building the NethServer from scratch, re-creating users by hand and then restoring the emails… I'm not sure how easily this can be accomplished, but 2 days of DR testing / migration work isn't giving me the warm feeling I'd hoped for!
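The two symptoms reported so far (an outdated Shorewall failing its own check, and httpd-admin refusing to start because a restored config points at a certificate file that does not exist) are both cheap to detect before rebooting. The following is an added example, not NethServer's own tooling; it parses captured `shorewall check` output and an httpd-admin config fragment. The sample texts are constructed (only the chain-file path and the Shorewall lines come from this thread), and the cert and key paths are placeholders.

```python
import os
import re
import tempfile

EXPECTED_SHOREWALL = "5.1.10.2"  # version an updated NS7 reports (post #2)

# Constructed sample: abbreviated 'shorewall check' output from post #1.
SHOREWALL_OUT = """Checking using Shorewall 5.0.14.1...
WARNING: Unknown capability (CPU_FANOUT) ignored /etc/shorewall/capabilities (line 20)
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
ERROR: Invalid parameter (DROP),Multicast(DROP) /usr/share/shorewall/action.Broadcast (line 1)
"""

# Constructed httpd-admin config fragment; only the chain path is from the thread.
HTTPD_CONF = """Listen 980
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/certs/cwprod11v02-chain.crt
"""
SSL_FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile",
                       "SSLCertificateChainFile")


def check_shorewall(output, expected=EXPECTED_SHOREWALL):
    """Parse 'shorewall check' output: (version, is_outdated, [ERROR lines])."""
    m = re.search(r"Checking using Shorewall (\d+(?:\.\d+)*)", output)
    version = m.group(1) if m else None
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    outdated = version is None or as_tuple(version) < as_tuple(expected)
    errors = [l for l in output.splitlines() if l.startswith("ERROR:")]
    return version, outdated, errors


def missing_ssl_files(conf_text, root="/"):
    """Return [(line_no, directive, path)] for SSL files absent or empty (AH00526)."""
    missing = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        parts = line.split()
        if len(parts) == 2 and parts[0] in SSL_FILE_DIRECTIVES:
            real = os.path.join(root, parts[1].lstrip("/"))  # check under a fake root
            if not os.path.isfile(real) or os.path.getsize(real) == 0:
                missing.append((no, parts[0], parts[1]))
    return missing


def demo():
    """Sandbox: create cert and key but not the chain file, then run both checks."""
    root = tempfile.mkdtemp()
    for rel in ("etc/pki/tls/certs/server.crt", "etc/pki/tls/private/server.key"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write("placeholder\n")
    return check_shorewall(SHOREWALL_OUT), missing_ssl_files(HTTPD_CONF, root)
```

On a real box, feed it the output of `shorewall check` and the contents of /etc/httpd/admin-conf/httpd.conf with `root="/"`; a non-empty missing list means httpd-admin will not come up after the next reboot.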


(Markus Neuberger) #4

Hi @alpreseidente,

You may try to just uninstall and reinstall your account provider. On uninstall users and groups are exported and may be imported after reinstallation of the account provider:

/usr/share/doc/nethserver-sssd-1.3.6/scripts/import_users /var/lib/nethserver/backup/users.tsv
/usr/share/doc/nethserver-sssd-1.3.6/scripts/import_groups /var/lib/nethserver/backup/groups.tsv

http://docs.nethserver.org/en/v7/accounts.html#local-accounts-provider-uninstallation
http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-sssd.html#account-import-scripts


(alex) #5

thanks Markuz - looking at the GUI I'm not getting an option to uninstall the accounts provider



(Filippo Carletti) #6

I’m sure that we can improve the whole process.
We need detailed reports and logs to try to reproduce the problems.


(alex) #7

thanks Filippo, it certainly wasn't a dig! - I will know a lot more about Linux by the end of this process, which has to be good even if I learn the hard way!


(alex) #8

Markuz, I have chosen to unbind and reinstall LDAP, which has worked. I'm hoping if I recreate the small set of users that I have a working mail server!


(Markus Neuberger) #9

I meant unbind with uninstall, sorry for the confusing words. As I said you may also import the users via the import script instead of recreating.


(alex) #10

got you Markuz!.. I don't have any file to perform the user import with (on the new server); I checked the backup directory mentioned above and it doesn't hold users.tsv… If there is an option to export the LDAP config on the old server I could copy it across… sorry for the spoon feeding here!


(Markus Neuberger) #11

How many users? Maybe we can think of an import/export script. You may also try restore-config and restore-data again with the updated system.


(alex) #12

it's a handful of users so easy enough to do manually … running "restore_config" from the command line (I wish I'd done that originally - far more informative!) I can see that stephdl php is causing problems… I will fix that from my notes and try "restore_config" again. This makes sense because, of the 3 servers I have migrated, the 2 with the stephdl repository have had the LDAP issues


(Markus Neuberger) #13

Maybe you need to reinstall on the new server with the instructions for NS7 before restore:

https://wiki.nethserver.org/doku.php?id=php-scl#ns7_installation

EDIT: Sorry, I saw you are migrating from 7 to 7 so this shouldn’t be an issue…


(alex) #14

following your ns7_installation link above seems to have completed the restore_config without error and the system looks good… I'm not sure about the script hanging with "Too few arguments" but I'll take "Complete!" as a good sign! Thanks to you and Filippo for dragging me through this - the lessons I've learnt are: fix repositories first and use the command line!


Complete!
Too few arguments.


(alex) #15

as an aside, is it ok to take another backup of the live server tonight, re-run restore-config (I'll need to pass it details of the new backup?) and then run restore-data again so as to bring the server to the required point in time… OR should I use a fresh install of NethServer for this recovery… this is largely a moot point because I have clones ready to go, but it would be quite slick to have a warm standby DR server that I could just restore config/data onto as and when required?


(Markus Neuberger) #16

Recovery is possible on both, already running server and fresh install…

You may have a look into nethserver-hotsync. It syncs everything to a slave server which can be activated if the master fails.

http://docs.nethserver.org/en/v7/hotsync.html


(alex) #17

you've read my mind Markuz - I will certainly give that a go shortly… thanks again for the help here