RHEL 6.6 /etc/sysconfig/iptables missing

Latest response

I just attempted changing install media on an existing RHEL 6.5 kickstart to RHEL 6.6 and it would appear that the /etc/sysconfig/iptables file is no longer generated during install.

Is this desired behaviour? It results in the iptables service 'start' failing with exit code 6 on first boot.

I have found a bug raised in Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1161682

Also have reference to multiple people seeing this issue in CentOS 6.6
http://lists.centos.org/pipermail/centos/2014-November/147702.html

Can anyone advise what process/script/package is responsible for /etc/sysconfig/iptables creation? (Bugzilla suggests Anaconda, can anyone confirm?)

PS
Log in to join the conversation

Responses

PS Guru 6494 points
5 February 2015 1:32 AM

I suspect it may be to do with this change in anaconda:

Tue Aug 12 2014 Brian C. Lane <bcl@redhat.com> - 13.21.225-1
- Don't force installation of authconfig, chkconfig, or system-config-firewall.
(clumens)
Resolves: rhbz#1123481

The anaconda.log is showing that it can't execute lokkit (as per Bugzilla).

-edit-

If you view this bug
https://bugzilla.redhat.com/show_bug.cgi?id=1132983

It confirms that the packages that were pulled were:

authconfig
system-config-firewall-base

Which I suspect is why iptables is failing with minimal installs in RHEL 6.6.

Can someone from Red Hat take another look at this?

james.radtke@siriusxm.com's picture Guru 6863 points
5 February 2015 1:45 AM

The way I would check for a package that owns a file

# yum whatprovides /etc/sysconfig/iptables 
Loaded plugins: downloadonly, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirror.es.its.nyu.edu
 * epel: mirror.cogentco.com
 * extras: mirror.cc.columbia.edu
 * updates: mirrors.lga7.us.voxel.net
No Matches found

So - on to the next thing... I looked at one of my PXE/kickstart servers I had built and noticed I had a Red Hat 6.5 install. I unpackaged the anaconda package in a temp location and looked for an iptables or firewall package. Sure enough usr/lib/anaconda. Now - I'm still a newb with Python, but this snippet seems to be the culprit


# cp anaconda-13.21.215-1.el6.x86_64.rpm /var/tmp && cd /var/tmp
# rpm2cpio anaconda-13.21.215-1.el6.x86_64.rpm | cpio -idmv
# grep -A20 iptables usr/lib/anaconda/firewall.py
            if not os.path.exists("%s/etc/sysconfig/iptables" %(instPath,)):
                iutil.execWithRedirect("/usr/sbin/lokkit", args,
                                       root=instPath, stdout="/dev/null",
                                       stderr="/dev/null")
            else:
                log.error("would have run %s", args)
        except RuntimeError, msg:
            log.error ("lokkit run failed: %s", msg)
        except OSError as e:
            log.error ("lokkit run failed: %s", e.strerror)
        else:
            f = open(instPath +
                     '/etc/sysconfig/system-config-firewall', 'w')
            f.write("# system-config-firewall config written out by anaconda\n\n")
            for arg in args[3:]:
                f.write("%s\n" %(arg,))
            f.close()

I'll have to download a 6.6 ISO to see if there is some difference.

PS Guru 6494 points
5 February 2015 2:26 AM

Cheers James, I came to the same conclusion regarding what created the file as rpm -qf suggested it wasn't owned by an RPM.

I suspect the code you have pasted will be the same between 6.5 / 6.6 and it's the lack of 'lokkit' command at this stage of the installation that is causing the failure. I am going to explicitly include

system-config-firewall-base

in my next test build to see if this resolves the issue (it contains lokkit).

$ rpm -qf $(which lokkit)
system-config-firewall-base-1.2.27-5.el6.noarch
PS Guru 6494 points
5 February 2015 3:18 AM

Have confirmed that adding system-config-firewall-base package resolves the issue. It appears the package dependency changes in anaconda have broken the RHEL 6.6 minimal install.

rhn-support-mflitter's picture Red Hat Guru 1638 points
5 February 2015 10:55 AM

HI PixelDrift,
Thank you for starting this discussion. You should be made aware that there is another issue related to this problem in SELinux. That is documented in kickstart with "selinux --disabled" does not disable SELinux on RHEL 6.6.

Both issues have the same cause and the bugzilla entry has been flagged as high priority.

Best Regards,
Mark

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.