Problem:
Foreman Discovery Image v4.1 booted via PXE fails to download extensions (fdi.zips boot parameter). Reason - firewalld service is enabled and has no exception for tftp client (curl in this fdi.zips case). I have tried to mask firewalld service but faced issues with DBUS later on. It worked fine with CentOS 7 based FDI images.
Expected outcome:
Working extensions (fdi.zips) with latest FDI image.
Foreman and Proxy versions:
Foreman version 3.3.1
Foreman proxy versions 2.4.1, 2.4.0, 3.3.1
Foreman Discovery Image version 4.1.0
Foreman and Proxy plugin versions:
foreman_discovery plugin version 21.0.5 (according to package)
Distribution and version:
CentOS 7.9.2009
Other relevant data:
I wonder if we should always disable the firewall on FDI. At the same time, why would FDI’s firewall block the download of a zip file? Connections opened from that FDI should always be allowed, right? Can you also be more specific regarding the DBUS issue you encountered? cc @lstejska
According to tcpdump (on the smart proxy side), the TFTP server receives the request from FDI and sends data back. But the FDI packet filter drops those packets. Disabling firewalld via SSH after FDI is up helps. I’ll send more information as soon as I get a server to test on.
Hard to reproduce; FDI does not always go into this state. The interesting thing is that the root password is not set (even though it has fdi.rootpw set) and the SSH daemon is not started.
Please ignore the issue with D-Bus. This happens when our FDI extensions (scripts) take longer than 120 seconds. Increasing fdi.nmwait helps. Also, a workaround for the firewalld issue is adding systemd.mask=firewalld.service to the kernel command line.