Occasional error on Shorewall template expand

EddieA · August 6, 2018, 5:31pm

NethServer Version: 7.5
Module: e-smith

Occasionally, not always, I get the following error thrown during a Shorewall template expand:

Jul 29 11:53:15 Nethserver esmith::event[14223]: sh: ss: command not found

It doesn’t appear to cause any issues though.

Here’s a snippet of the log, showing the location of the error:

Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/rules
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/shorewall.conf
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/stoppedrules
Jul 29 11:53:15 Nethserver esmith::event[14223]: sh: ss: command not found
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/tcinterfaces
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/tcpri
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/tunnels

Cheers.

dnutan · August 6, 2018, 7:36pm

I think the message comes from /etc/e-smith/templates/etc/shorewall/stoppedrules/20running_sshd

You could try using the full path to ss (/usr/sbin/ss).
The only difference with the other commands in the same line is the path: /usr/(s)bin
Do you use SELINUX? (kind of a blind shot, found a similar issue on the Internet with other commands)

Questions to devs:

PATH env for the template expansion?

EddieA · August 6, 2018, 10:23pm

Hmmm. Then as the call to “ss” in that snippet is not conditional, why isn’t it happening every time:

Aug  4 11:48:27 Nethserver esmith::event[3365]: expanding /etc/shorewall/rules
Aug  4 11:48:27 Nethserver esmith::event[3365]: expanding /etc/shorewall/shorewall.conf
Aug  4 11:48:28 Nethserver esmith::event[3365]: expanding /etc/shorewall/stoppedrules
Aug  4 11:48:28 Nethserver esmith::event[3365]: expanding /etc/shorewall/tcinterfaces
Aug  4 11:48:28 Nethserver esmith::event[3365]: expanding /etc/shorewall/tcpri
Aug  4 11:48:28 Nethserver esmith::event[3365]: expanding /etc/shorewall/tunnels

Cheers.

EddieA · August 7, 2018, 12:32am

It looks like it only happens when I have a “signal-event firewall-adjust” as part of a tun-up or tun-down script for an OpenVPN tunnel, which is started and stopped via “systemctl start/stop openvpn-client@config”.

So it will depend on the environment during the “systemctl” command, which is running under root and I would have expected /sbin to be in it’s PATH, even if /usr/sbin isn’t.

[root@Nethserver ~]# ls -l /sbin
lrwxrwxrwx 1 root root 8 Jun 24 16:46 /sbin -> usr/sbin
[root@Nethserver ~]#

Cheers.

filippo_carletti · September 6, 2018, 3:52pm

Expanding a template as an unprivileged user will lead to unpredictable results.
You could probably use sudo with an appropriate configuration in your setup.

EddieA · September 6, 2018, 4:21pm

It’s run by root, via a systemctl start.

Cheers.

filippo_carletti · September 7, 2018, 10:33am

Could you give instructions (or, better, code) on how to reproduce the issue?

EddieA · September 7, 2018, 1:38pm

@filippo_carletti
I have an OpenVPN client configuration, that I start via “systemctl start openvpn-client@<client.conf>”

That configuration contains this: “up /etc/openvpn/LAtunup.sh”

[root@Nethserver ~]# cat /etc/openvpn/LAtunup.sh
#!/bin/bash

ESMITH_DIR=/etc/e-smith/templates-custom/etc/shorewall

echo -e "# Masquerade the VPN tunnel" > $ESMITH_DIR/snat/30vpn
echo -e "MASQUERADE\t-\t$1" >> $ESMITH_DIR/snat/30vpn
echo -e "" >> $ESMITH_DIR/snat/30vpn

echo -e "# Set up the two provider masks" > $ESMITH_DIR/providers/30vpn
echo -e "net\t1\t0x10000\t-\teno1\tdetect\ttrack,balance" >> $ESMITH_DIR/providers/30vpn
echo -e "vpn\t2\t0x20000\t-\t$1\t$5\ttrack,fallback" >> $ESMITH_DIR/providers/30vpn
echo -e "" >> $ESMITH_DIR/providers/30vpn

# Reload the firewall
/sbin/e-smith/signal-event firewall-adjust
[root@Nethserver ~]#

Cheers.