Categories: cloudOCIscripts

OCI Linux and opening firewall ports with bootstrap

This is just a short post but something I was struggling to figure out.

I wanted to open port 80 while starting up OCI Linux 7.8 instance and was using cloud-init portion what you have in the advanced section when creating a compute instance.

Initially I had this in the bootstrap configuration:

#!/bin/bash
sudo yum install httpd wget php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo -y
sudo systemctl enable httpd
sudo systemctl restart httpd
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --reload

But no matter what I did, nothing after yum command was executed! I noticed following line in /var/log/messages for cloud-init, after it was done with installing packages:

Oct 23 16:54:07 instance-20201023-1246 cloud-init: ERROR:dbus.proxies:Introspect error on :1.4:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

After searching I found following note, which mentions that in some cases SELinux might prevent automatic firewall configuration! I was then looking on two different options, either disable SELinux or if you don’t want to disable it, then you can follow the steps in the above note.

I changed my bootstrap script to be as:

#!/bin/bash
yum install httpd wget php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo -y
systemctl stop firewalld
firewall-offline-cmd --add-service=https
firewall-offline-cmd --add-service=http
systemctl start firewalld
systemctl enable httpd.service
systemctl restart httpd.service

And there you go! I could access my web server without issues after this modification.

* Initially I used sudo firewall-cmd –permanent –add-service=http in my first command but was highlighted the actual command should be without permanent option as that comes into play only after reboot!

Simo

Recent Posts

Autonomous Database Audit Logs to Logging Service Part 1

I recently came across requirement to get OCI Oracle Autonomous Database audit logs to OCI…

3 weeks ago

Connecting to Autonomous Database Running on Google Cloud

Last time I showed how to provision Autonomous Database Serverless (ADB-S) on Google Cloud. This…

2 months ago

Can you believe it? Provisioning Autonomous Database in GCP!

I bet few years back folks didn't expect that by 2024 we would be able…

3 months ago

IP Address Insights with CLI

My previous post on IP Address Insights I mentioned it wasn't yet available with CLI…

7 months ago

Thoughts on Oracle Database@Azure

This will NOT be a technical walkthrough on Oracle Database@Azure but rather my opinions and…

7 months ago

OCI Vulnerability Scanning Setup

Many times when you work for someone, they already have their own vulnerability scanning throughout…

7 months ago