This is just a short post but something I was struggling to figure out.
I wanted to open port 80 while starting up an OCI Linux 7.8 instance and was using the cloud-init portion that you have in the advanced section when creating a compute instance.
Initially I had this in the bootstrap configuration:
#!/bin/bash
sudo yum install httpd wget php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo -y
sudo systemctl enable httpd
sudo systemctl restart httpd
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --reload
But no matter what I did, nothing after the yum command was executed! I noticed the following line in /var/log/messages for cloud-init, after it was done installing packages:
Oct 23 16:54:07 instance-20201023-1246 cloud-init: ERROR:dbus.proxies:Introspect error on :1.4:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
After searching, I found the following note, which mentions that in some cases SELinux might prevent automatic firewall configuration! I then looked at two different options: either disable SELinux or, if you don't want to disable it, follow the steps in the above note.
I changed my bootstrap script to the following:
#!/bin/bash
yum install httpd wget php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo -y
systemctl stop firewalld
firewall-offline-cmd --add-service=https
firewall-offline-cmd --add-service=http
systemctl start firewalld
systemctl enable httpd.service
systemctl restart httpd.service
And there you go! I could access my web server without issues after this modification.
* Initially I used sudo firewall-cmd --permanent --add-service=http in my first command, but it was pointed out that the actual command should be without the permanent option, as that comes into play only after reboot!
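The same offline firewall change as an added example (not the author's script): the bootstrap stops at the first failing command and reads the zone configuration back to confirm that http and https are present. The function names, the `RUN` dry-run switch and the `BOOTSTRAP_APPLY` guard (set it to 1 at the top of the user data to run `main`) are assumptions made for this example, and the package list is shortened to httpd.

```shell
#!/bin/bash
# Added example, not the post's script. RUN, BOOTSTRAP_APPLY and the
# function names are assumptions made for this illustration.
set -eu                      # stop at the first failing command or unset variable

RUN=${RUN:-}                 # RUN=echo prints the privileged commands instead of running them

# Add services to firewalld's on-disk configuration while the daemon is
# stopped, so nothing depends on a D-Bus reply from firewalld.
open_services_offline() {
    $RUN systemctl stop firewalld
    for svc in "$@"; do
        $RUN firewall-offline-cmd --add-service="$svc"
    done
    $RUN systemctl start firewalld
}

# Print every wanted service that is absent from the space-separated list in $1.
# Whole-word match: "https" in the list does not count as "http".
missing_services() {
    have=" $1 "
    shift
    for svc in "$@"; do
        case "$have" in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

main() {
    $RUN yum install -y httpd            # package list shortened for the example
    open_services_offline http https
    $RUN systemctl enable httpd.service
    $RUN systemctl restart httpd.service
    # Read the zone configuration back from disk and fail loudly if incomplete.
    configured=$(firewall-offline-cmd --list-services)
    missing=$(missing_services "$configured" http https)
    if [ -n "$missing" ]; then
        echo "bootstrap: firewall services not configured:" $missing >&2
        return 1
    fi
    echo "bootstrap: firewall services configured: $configured"
}

# Only define the functions unless explicitly asked to apply the changes.
if [ "${BOOTSTRAP_APPLY:-0}" = 1 ]; then
    main
fi
```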