Migration to NS8 another try

After my first try to migrate in Apr 22 failed, I’m about to try it again.
My first question is:
I want to migrate to the NethSecurity firewall on different hardware. I was able to migrate the firewall already, so what do I have to do now so the current NethServer 7 uses the new firewall instead of the built-in one?

Second:
I tried to start over with the migration and want to uninstall the migration tool. When trying this I get this popup sitting forever, so I can't uninstall the migration tool.

How can I manually uninstall it?

I assume you were using NethServer 7 as firewall with 2 or more network interfaces. After the firewall services are migrated (and disabled), it should be possible to just use 1 green interface on NethServer 7 and set NethSecurity as gateway.

Does it work on CLI?

yum remove nethserver-ns8-migration

yum install nethserver-ns8-migration

Maybe you also need to revert the migration on NS7 to be able to start over: nethserver-ns8-migration — NethServer 7 documentation
This will re-enable the services on NS7.

So it makes no sense to put the mail server and the web server in a DMZ? Just have all the services in the LAN segment and use port forwarding on the firewall?

After reinstalling the migration tool I get the same error as before:

Traceback (most recent call last):
  File "/usr/sbin/ns8-join", line 200, in <module>
    subprocess.run(['/sbin/e-smith/signal-event', 'nethserver-ns8-migration-save'], check=True)
  File "/usr/lib64/python3.6/subprocess.py", line 438, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['/sbin/e-smith/signal-event', 'nethserver-ns8-migration-save']' returned non-zero exit status 1.

Sorry, I just explained the easiest way without knowing about a DMZ.

A DMZ makes sense if you want to use it.
In this case you could just keep the 2 interfaces in the NethServer 7, then you get a DMZ between NethSecurity and the NethServer 7.
Don't forget to set the NS7 red interface's gateway to NethSecurity.

I think it's installed, just the following command didn't work; you could try it on the CLI:

signal-event nethserver-ns8-migration-save

The next error is:

Error retrieving apps to migrate

In the log I find:

Dec  6 14:18:47  systemd: Starting WireGuard via wg-quick(8) for ns8...
Dec  6 14:18:47 wg-quick: [#] ip link add ns8 type wireguard
Dec  6 14:18:47 wg-quick: [#] wg setconf ns8 /dev/fd/63
Dec  6 14:18:47 wg-quick: [#] ip -4 address add 10.5.5.8 dev ns8
Dec  6 14:18:47 wg-quick: [#] ip link set mtu 1420 up dev ns8
Dec  6 14:18:47 wg-quick: [#] ip -4 route add 10.5.5.0/24 dev ns8
Dec  6 14:18:47 wg-quick: RTNETLINK answers: File exists
Dec  6 14:18:47 wg-quick: [#] ip link delete dev ns8
Dec  6 14:18:47 systemd: wg-quick@ns8.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Dec  6 14:18:47 systemd: Failed to start WireGuard via wg-quick(8) for ns8.
Dec  6 14:18:47 systemd: Unit wg-quick@ns8.service entered failed state.
Dec  6 14:18:47 systemd: wg-quick@ns8.service failed.
Dec  6 14:18:47 systemd: Starting WireGuard via wg-quick(8) for ns8...
Dec  6 14:18:47 wg-quick: [#] ip link add ns8 type wireguard
Dec  6 14:18:47 wg-quick: [#] wg setconf ns8 /dev/fd/63
Dec  6 14:18:47 wg-quick: [#] ip -4 address add 10.5.5.8 dev ns8
Dec  6 14:18:47 wg-quick: [#] ip link set mtu 1420 up dev ns8
Dec  6 14:18:47 wg-quick: [#] ip -4 route add 10.5.5.0/24 dev ns8
Dec  6 14:18:47 wg-quick: RTNETLINK answers: File exists
Dec  6 14:18:47 wg-quick: [#] ip link delete dev ns8
Dec  6 14:18:47 systemd: wg-quick@ns8.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Dec  6 14:18:47 systemd: Failed to start WireGuard via wg-quick(8) for ns8.
Dec  6 14:18:47 systemd: Unit wg-quick@ns8.service entered failed state.
Dec  6 14:18:47 systemd: wg-quick@ns8.service failed.

Wireguard is not starting because of an invalid argument.

Please check /etc/wireguard/ns8.conf.

Here’s a thread about a fixed bug, maybe it helps to analyze the issue:

When I try the command
ip a s dev ns8
the answer is

Device "ns8" does not exist.

but there is an interface br0.66:
br0.66@br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 5e:b3:d8:9d:d2:81 brd ff:ff:ff:ff:ff:ff
inet 10.5.5.2/24 brd 10.5.5.255 scope global br0.66
valid_lft forever preferred_lft forever
inet6 fe80::be24:11ff:feee:a2b5/64 scope link
valid_lft forever preferred_lft forever

The interface should be created when wireguard starts correctly.

Please check the migration tool configuration on NS7:

config show ns8

and also the config file:

cat /etc/wireguard/ns8.conf

There seems to be an error preventing WireGuard from starting.

You may want to read nethserver-ns8-migration — NethServer 7 documentation for more details about how the migration tool works.

OK, now WireGuard starts, but then there is a timeout.

Error connecting to NS8
Traceback (most recent call last):
File "/usr/lib64/python3.6/urllib/request.py", line 1349, in do_open
encode_chunked=req.has_header('Transfer-encoding'))
File "/usr/lib64/python3.6/http/client.py", line 1254, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib64/python3.6/http/client.py", line 1300, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.6/http/client.py", line 1249, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.6/http/client.py", line 1036, in _send_output
self.send(msg)
File "/usr/lib64/python3.6/http/client.py", line 974, in send
self.connect()
File "/usr/lib64/python3.6/http/client.py", line 946, in connect
(self.host,self.port), self.timeout, self.source_address)
File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
raise err
File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
sock.connect(sa)
TimeoutError: [Errno 110] Connection timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/sbin/ns8-join", line 223, in
update_routes_response = call(api_endpoint, "update-routes", payload['token'], update_routes_request, False)
File "/usr/sbin/ns8-join", line 47, in call
post = request.urlopen(req, context=ctx)
File "/usr/lib64/python3.6/urllib/request.py", line 223, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib64/python3.6/urllib/request.py", line 526, in open
response = self._open(req, data)
File "/usr/lib64/python3.6/urllib/request.py", line 544, in _open
'_open', req)
File "/usr/lib64/python3.6/urllib/request.py", line 504, in _call_chain
result = func(*args)
File "/usr/lib64/python3.6/urllib/request.py", line 1377, in http_open
return self.do_open(http.client.HTTPConnection, req)
File "/usr/lib64/python3.6/urllib/request.py", line 1351, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 110] Connection timed out>

OK, so we're one step further. Now we need to make the WireGuard connection work.

Usually NS8 has the WireGuard IP 10.5.4.1 and the NS7 to migrate has 10.5.4.2.
I assume it’s not possible to ping 10.5.4.1 from NS7 or 10.5.4.2 from NS8.

I could reproduce the error, this time it was a missing DNS entry of the NS8.

Please check the config files of both sides.

Here’s my /etc/wireguard/ns8.conf on NS7:

[Interface]
Address = 10.5.4.2
PrivateKey = MASKED

[Peer]
PublicKey = MASKED
AllowedIPs = 10.5.4.0/24
Endpoint = ns8rockytest.ns8test.com:55820

Here the NS8 /etc/wireguard/wg0.conf:

[Interface]
Address = 10.5.4.1/32
ListenPort = 55820
PrivateKey = MASKED

[Peer]
PublicKey = MASKED
AllowedIPs = 10.5.4.2/32
PersistentKeepalive = 25

It’s also possible to check the connection on both sides using

wg

In my case the "Endpoint" on NS7 couldn't be resolved by DNS. After adding a DNS entry and restarting WireGuard using

systemctl restart wg-quick@ns8

the ping worked.

Please also check that the "AllowedIPs" match the other side's IP.
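As an added example (not code from the thread or the NethServer project), a small Python check for the two conditions this post and the earlier log turn on: each side's Address must fall inside the other side's AllowedIPs, and the route wg-quick installs for AllowedIPs must not collide with a subnet an existing interface already owns (the "RTNETLINK answers: File exists" failure above, where br0.66 already held 10.5.5.2/24). The sample configs are constructed from the two files quoted in this post; DNS resolution of the Endpoint is not checked here, so that has to be tested separately.

```python
import configparser
import ipaddress

# Constructed sample configs modelled on the two files quoted in the thread (keys masked).
NS7_CONF = """\
[Interface]
Address = 10.5.4.2
PrivateKey = MASKED
[Peer]
PublicKey = MASKED
AllowedIPs = 10.5.4.0/24
Endpoint = ns8rockytest.ns8test.com:55820
"""
NS8_CONF = """\
[Interface]
Address = 10.5.4.1/32
ListenPort = 55820
PrivateKey = MASKED
[Peer]
PublicKey = MASKED
AllowedIPs = 10.5.4.2/32
"""

def parse_wg(text):
    # wg-quick files are INI-like; interpolation off so '%' inside a key is harmless.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def interface_ip(cp):
    # Address may carry a prefix length (10.5.4.1/32) or not (10.5.4.2).
    return ipaddress.ip_interface(cp["Interface"]["Address"]).ip

def allowed_ips(cp):
    return [ipaddress.ip_network(n.strip()) for n in cp["Peer"]["AllowedIPs"].split(",")]

def check_pair(local_text, remote_text, local_subnets=()):
    # Returns the list of mismatches between the two sides' configs (empty = consistent).
    local, remote = parse_wg(local_text), parse_wg(remote_text)
    problems = []
    if not any(interface_ip(remote) in n for n in allowed_ips(local)):
        problems.append("remote Address is not inside local AllowedIPs")
    if not any(interface_ip(local) in n for n in allowed_ips(remote)):
        problems.append("local Address is not inside remote AllowedIPs")
    # wg-quick adds a route per AllowedIPs entry; a subnet another interface already
    # owns (br0.66 in the thread) makes the kernel answer 'RTNETLINK: File exists'.
    for sub in (ipaddress.ip_network(s, strict=False) for s in local_subnets):
        for net in allowed_ips(local):
            if net.overlaps(sub):
                problems.append(f"AllowedIPs {net} overlaps existing local subnet {sub}")
    return problems
```

Run it with the real files read from /etc/wireguard/ns8.conf (NS7) and /etc/wireguard/wg0.conf (NS8), passing the subnets shown by `ip a` on NS7 as local_subnets.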

Thank you so much for your help. The migration is underway right now.
There was some kind of mismatch with the WireGuard IPs. After a reboot suddenly the right IPs were in place and now it seems to work.

I had it working already in the morning but the disk was too small, so I had to restart and it took almost the whole day to get it running again.

I had to install the images on my Proxmox a couple of times. One time I forgot to add a NIC, so after booting the first time there was no admin interface. Even when I reconfigured the NIC in Proxmox the admin interface did not start :frowning:

Luckily I don't have to do it often :slight_smile:
