EddieA
(Eddie Atherton)
August 6, 2018, 5:31pm
1
NethServer Version: 7.5
Module: e-smith
Occasionally, not always, I get the following error thrown during a Shorewall template expand:
Jul 29 11:53:15 Nethserver esmith::event[14223]: sh: ss: command not found
It doesn’t appear to cause any issues though.
Here’s a snippet of the log, showing the location of the error:
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/rules
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/shorewall.conf
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/stoppedrules
Jul 29 11:53:15 Nethserver esmith::event[14223]: sh: ss: command not found
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/tcinterfaces
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/tcpri
Jul 29 11:53:15 Nethserver esmith::event[14223]: expanding /etc/shorewall/tunnels
Cheers.
dnutan
(Marc)
August 6, 2018, 7:36pm
2
I think the message comes from /etc/e-smith/templates/etc/shorewall/stoppedrules/20running_sshd
You could try using the full path to ss (/usr/sbin/ss).
The only difference with the other commands in the same line is the path: /usr/(s)bin
Do you use SELINUX? (kind of a blind shot, found a similar issue on the Internet with other commands)
Questions to devs:
PATH env for the template expansion?
EddieA
(Eddie Atherton)
August 6, 2018, 10:23pm
3
Hmmm. Then as the call to “ss” in that snippet is not conditional, why isn’t it happening every time:
Aug 4 11:48:27 Nethserver esmith::event[3365]: expanding /etc/shorewall/rules
Aug 4 11:48:27 Nethserver esmith::event[3365]: expanding /etc/shorewall/shorewall.conf
Aug 4 11:48:28 Nethserver esmith::event[3365]: expanding /etc/shorewall/stoppedrules
Aug 4 11:48:28 Nethserver esmith::event[3365]: expanding /etc/shorewall/tcinterfaces
Aug 4 11:48:28 Nethserver esmith::event[3365]: expanding /etc/shorewall/tcpri
Aug 4 11:48:28 Nethserver esmith::event[3365]: expanding /etc/shorewall/tunnels
Cheers.
EddieA
(Eddie Atherton)
August 7, 2018, 12:32am
4
It looks like it only happens when I have a “signal-event firewall-adjust” as part of a tun-up or tun-down script for an OpenVPN tunnel, which is started and stopped via “systemctl start/stop openvpn-client@config”.
So it will depend on the environment during the “systemctl” command, which is running under root and I would have expected /sbin to be in its PATH, even if /usr/sbin isn’t.
[root@Nethserver ~]# ls -l /sbin
lrwxrwxrwx 1 root root 8 Jun 24 16:46 /sbin -> usr/sbin
[root@Nethserver ~]#
Cheers.
Expanding a template as an unprivileged user will lead to unpredictable results.
You could probably use sudo with an appropriate configuration in your setup.
EddieA
(Eddie Atherton)
September 6, 2018, 4:21pm
6
It’s run by root, via a systemctl start.
Cheers.
Could you give instructions (or, better, code) on how to reproduce the issue?
EddieA
(Eddie Atherton)
September 7, 2018, 1:38pm
8
@filippo_carletti
I have an OpenVPN client configuration, that I start via “systemctl start openvpn-client@<client.conf>”
That configuration contains this: “up /etc/openvpn/LAtunup.sh”
[root@Nethserver ~]# cat /etc/openvpn/LAtunup.sh
#!/bin/bash
ESMITH_DIR=/etc/e-smith/templates-custom/etc/shorewall
echo -e "# Masquerade the VPN tunnel" > $ESMITH_DIR/snat/30vpn
echo -e "MASQUERADE\t-\t$1" >> $ESMITH_DIR/snat/30vpn
echo -e "" >> $ESMITH_DIR/snat/30vpn
echo -e "# Set up the two provider masks" > $ESMITH_DIR/providers/30vpn
echo -e "net\t1\t0x10000\t-\teno1\tdetect\ttrack,balance" >> $ESMITH_DIR/providers/30vpn
echo -e "vpn\t2\t0x20000\t-\t$1\t$5\ttrack,fallback" >> $ESMITH_DIR/providers/30vpn
echo -e "" >> $ESMITH_DIR/providers/30vpn
# Reload the firewall
/sbin/e-smith/signal-event firewall-adjust
[root@Nethserver ~]#
Cheers.
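The PATH dependence discussed in this thread, as an added example that is not code from any poster or from NethServer: it calls a stand-in `ss` by bare name under a caller-supplied PATH, then again with PATH pinned inside the hook itself. The sandbox directories, the stub `ss` and all function names are constructed for the demo; the thread does not establish what PATH OpenVPN actually hands to an up script.

```shell
#!/bin/sh
# Added example, not from the thread. The directory layout and the stand-in
# "ss" are constructed for the demo; no real system paths are modified.

# Sandbox: bin/ is empty, sbin/ holds a stand-in for ss.
make_sandbox() {
    sb_root=$(mktemp -d) || return 1
    mkdir -p "$sb_root/bin" "$sb_root/sbin"
    printf '#!/bin/sh\necho "LISTEN 0 128 *:22"\n' > "$sb_root/sbin/ss"
    chmod +x "$sb_root/sbin/ss"
    printf '%s\n' "$sb_root"
}

# Call ss by bare name from sh, as the log line "sh: ss: command not found"
# implies the template does, in an environment that holds only PATH=$1.
# Exit status 127 means the shell could not find the command.
run_bare_ss() {
    env -i PATH="$1" /bin/sh -c 'ss' >/dev/null 2>&1
}

# Same call, but the hook pins PATH itself ($2) before doing any work,
# so the result no longer depends on the caller's PATH ($1).
run_pinned_ss() {
    env -i PATH="$1" /bin/sh -c 'PATH=$1; export PATH; ss' sh "$2" >/dev/null 2>&1
}

# Print the exit status of a command without tripping "set -e".
status() {
    "$@" && echo 0 || echo $?
}

demo() {
    root=$(make_sandbox) || return 1
    echo "caller PATH without sbin: rc=$(status run_bare_ss "$root/bin")"
    echo "caller PATH with sbin:    rc=$(status run_bare_ss "$root/bin:$root/sbin")"
    echo "PATH pinned in the hook:  rc=$(status run_pinned_ss "$root/bin" "$root/bin:$root/sbin")"
    rm -rf "$root"
}
demo
```

In a real root-run hook the equivalent of the pinned case is an explicit `PATH=` assignment near the top of the script, or absolute paths for every external command.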