Foreman Discovery Image (v4.1) fails to download zips via TFTP

Problem:
Foreman Discovery Image v4.1 booted via PXE fails to download extensions (fdi.zips boot parameter). Reason: the firewalld service is enabled and has no exception for the tftp client (curl in this fdi.zips case). I have tried to mask the firewalld service but faced issues with DBUS later on. It worked fine with CentOS 7-based FDI images.
Expected outcome:
Working extensions (fdi.zips) with latest FDI image.
Foreman and Proxy versions:
Foreman version 3.3.1
Foreman proxy versions 2.4.1, 2.4.0, 3.3.1
Foreman Discovery Image version 4.1.0
Foreman and Proxy plugin versions:
foreman_discovery plugin version 21.0.5 (according to package)

Distribution and version:
CentOS 7.9.2009
Other relevant data:

I wonder if we should always disable the firewall on FDI. At the same time, why would FDI’s firewall block the download of a zip file? Connections opened from that FDI should always be allowed, right? Can you also be more specific regarding the DBUS issue you encountered? cc @lstejska

According to tcpdump (on the smart proxy side), the TFTP server receives the request from FDI and sends data back. But the FDI packet filter drops those packets. Disabling firewalld via SSH after FDI is up helps. I’ll send more information as soon as I get a server to test on.

1 Like

tcpdump output on the smart-proxy side, when firewalld is enabled (default state):

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:23:56.600485 IP 192.168.219.139.46087 > 192.168.0.20.tftp:  62 RRQ "extensions/fditools.zip" octet tsize 0 blksize 512 timeout 6
13:23:56.601524 IP 192.168.0.20.57956 > 192.168.219.139.46087: UDP, length 35
13:23:56.601642 IP 192.168.219.139 > 192.168.0.20: ICMP host 192.168.219.139 unreachable - admin prohibited filter, length 71
13:24:03.808358 IP 192.168.219.139.46087 > 192.168.0.20.tftp:  62 RRQ "extensions/fditools.zip" octet tsize 0 blksize 512 timeout 6
13:24:03.809388 IP 192.168.0.20.60321 > 192.168.219.139.46087: UDP, length 35
13:24:03.809781 IP 192.168.219.139 > 192.168.0.20: ICMP host 192.168.219.139 unreachable - admin prohibited filter, length 71
13:24:10.815795 IP 192.168.219.139.46087 > 192.168.0.20.tftp:  62 RRQ "extensions/fditools.zip" octet tsize 0 blksize 512 timeout 6
13:24:10.816724 IP 192.168.0.20.59205 > 192.168.219.139.46087: UDP, length 35
13:24:10.816968 IP 192.168.219.139 > 192.168.0.20: ICMP host 192.168.219.139 unreachable - admin prohibited filter, length 71
13:24:17.823506 IP 192.168.219.139.46087 > 192.168.0.20.tftp:  62 RRQ "extensions/fditools.zip" octet tsize 0 blksize 512 timeout 6
13:24:17.824836 IP 192.168.0.20.56562 > 192.168.219.139.46087: UDP, length 35
13:24:17.825192 IP 192.168.219.139 > 192.168.0.20: ICMP host 192.168.219.139 unreachable - admin prohibited filter, length 71
13:24:24.831030 IP 192.168.219.139.46087 > 192.168.0.20.tftp:  62 RRQ "extensions/fditools.zip" octet tsize 0 blksize 512 timeout 6
13:24:24.832296 IP 192.168.0.20.45724 > 192.168.219.139.46087: UDP, length 35
13:24:24.832589 IP 192.168.219.139 > 192.168.0.20: ICMP host 192.168.219.139 unreachable - admin prohibited filter, length 71
13:24:31.838602 IP 192.168.219.139.46087 > 192.168.0.20.tftp:  62 RRQ "extensions/fditools.zip" octet tsize 0 blksize 512 timeout 6
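The capture above shows the TFTP failure pattern in three lines per attempt: the RRQ goes to port 69, the server answers from a freshly chosen ephemeral port (57956, 60321, ...), and the FDI host immediately rejects that reply with ICMP "admin prohibited", so the client times out and retries. A stateful filter on the client that has no TFTP connection-tracking helper only expects replies from the port it sent to, which is exactly why a default firewalld breaks TFTP downloads. The following script is an added example, not code from the thread or from the Foreman project: it parses tcpdump lines of this shape, correlates the three events per transfer and names the failure mode. The broken sample is copied from the capture above; the healthy sample (addresses 192.168.219.140, ports 40000 and 50001) is constructed for contrast.

```python
"""Detect a client-side firewall breaking TFTP transfers in a tcpdump capture.

TFTP (RFC 1350) answers a read request from a server-chosen ephemeral UDP port,
not from port 69.  A client packet filter without a TFTP conntrack helper
rejects every such data packet with ICMP "admin prohibited".
"""
import re
from dataclasses import dataclass, field

# Lines copied from the thread's capture (smart-proxy side, firewalld enabled on FDI).
BROKEN_CAPTURE = """\
13:23:56.600485 IP 192.168.219.139.46087 > 192.168.0.20.tftp:  62 RRQ "extensions/fditools.zip" octet tsize 0 blksize 512 timeout 6
13:23:56.601524 IP 192.168.0.20.57956 > 192.168.219.139.46087: UDP, length 35
13:23:56.601642 IP 192.168.219.139 > 192.168.0.20: ICMP host 192.168.219.139 unreachable - admin prohibited filter, length 71
13:24:03.808358 IP 192.168.219.139.46087 > 192.168.0.20.tftp:  62 RRQ "extensions/fditools.zip" octet tsize 0 blksize 512 timeout 6
13:24:03.809388 IP 192.168.0.20.60321 > 192.168.219.139.46087: UDP, length 35
13:24:03.809781 IP 192.168.219.139 > 192.168.0.20: ICMP host 192.168.219.139 unreachable - admin prohibited filter, length 71
"""

# Constructed sample (hypothetical addresses): the client acknowledges the
# server's ephemeral-port reply instead of rejecting it, and data keeps flowing.
HEALTHY_CAPTURE = """\
13:30:00.000100 IP 192.168.219.140.40000 > 192.168.0.20.tftp:  62 RRQ "extensions/fditools.zip" octet tsize 0 blksize 512 timeout 6
13:30:00.001100 IP 192.168.0.20.50001 > 192.168.219.140.40000: UDP, length 35
13:30:00.001300 IP 192.168.219.140.40000 > 192.168.0.20.50001: UDP, length 4
13:30:00.002000 IP 192.168.0.20.50001 > 192.168.219.140.40000: UDP, length 516
"""

RRQ_RE = re.compile(r'^(?P<ts>\S+) IP (?P<cip>[\d.]+)\.(?P<cport>\d+) > (?P<sip>[\d.]+)\.tftp:\s+\d+ RRQ "(?P<file>[^"]+)"')
UDP_RE = re.compile(r'^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length \d+')
ICMP_RE = re.compile(r'^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP host [\d.]+ unreachable - admin prohibited filter')


@dataclass
class Transfer:
    client: str
    client_port: int
    server: str
    filename: str
    requests: int = 0                                 # RRQs seen, retries included
    replies: int = 0                                  # server packets from ephemeral ports
    reply_ports: set = field(default_factory=set)     # those ephemeral source ports
    acked: int = 0                                    # client packets back to an ephemeral port
    rejected: int = 0                                 # ICMP admin-prohibited sent by the client


def parse_capture(text):
    """Group tcpdump lines into per-client TFTP transfers keyed by (client IP, client port)."""
    transfers = {}
    last_replied = {}  # (client, server) -> key of the transfer that just received a server reply
    for line in text.splitlines():
        m = RRQ_RE.match(line)
        if m:
            key = (m["cip"], int(m["cport"]))
            t = transfers.setdefault(key, Transfer(m["cip"], int(m["cport"]), m["sip"], m["file"]))
            t.requests += 1
            continue
        m = UDP_RE.match(line)
        if m:
            src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
            if (dst, dport) in transfers and transfers[(dst, dport)].server == src:
                t = transfers[(dst, dport)]          # server -> client data from an ephemeral port
                t.replies += 1
                t.reply_ports.add(sport)
                last_replied[(dst, src)] = (dst, dport)
            elif (src, sport) in transfers and dport in transfers[(src, sport)].reply_ports:
                transfers[(src, sport)].acked += 1   # client -> server ACK to that ephemeral port
            continue
        m = ICMP_RE.match(line)
        if m:
            key = last_replied.get((m["src"], m["dst"]))
            if key is not None:
                transfers[key].rejected += 1         # client's filter refused the data packet
    return transfers


def diagnose(transfers):
    """Return one finding per transfer with a verdict a defender can act on."""
    findings = []
    for t in transfers.values():
        if t.replies and t.rejected >= t.replies:
            verdict = "client_firewall_rejects_tftp_data"
            detail = (f"{t.client} requested {t.filename!r} from {t.server} {t.requests} time(s); every reply "
                      f"from ephemeral port(s) {sorted(t.reply_ports)} was answered with ICMP admin-prohibited. "
                      "Add a TFTP client exception (conntrack TFTP helper) on the client instead of disabling the firewall.")
        elif t.acked and not t.rejected:
            verdict, detail = "healthy", f"{t.client} acknowledged data from {sorted(t.reply_ports)}."
        else:
            verdict, detail = "inconclusive", "no data reply or acknowledgement observed"
        findings.append({"client": t.client, "file": t.filename, "verdict": verdict, "detail": detail})
    return findings


if __name__ == "__main__":
    for name, capture in (("broken", BROKEN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        for f in diagnose(parse_capture(capture)):
            print(f"[{name}] {f['client']} {f['file']}: {f['verdict']} - {f['detail']}")
```

Run it against a capture taken on the TFTP server (the smart proxy), as in the thread; a capture on the client would show the same ICMP but from the filter's own reject action. The script deliberately keys on the client's RRQ port, because that is the only stable identifier across the server's changing reply ports.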

Adding a screenshot of the FDI screen with the D-Bus issue and the whole log file.

logfile.log (454.9 KB)

Hard to reproduce; FDI does not always go into this state. The interesting thing is that the root password is not set (even though fdi.rootpw is set) and the SSH daemon is not started.

Confirming that the issue with the zip extension is reproducible on the latest version of FDI.

Added to our backlog https://issues.redhat.com/browse/SAT-27042

Please ignore the issue with D-Bus. This happens when our fdi extensions (scripts) take longer than 120 seconds. Increasing fdi.nmwait helps. Also, a workaround for the firewalld issue is adding systemd.mask=firewalld.service to the kernel cmd line.