
Fix FirewallD in CentOS 7




FirewallD has already been fixed upstream in this commit. You only need to yum update it and/or update to a recent kernel from your hosting provider.
The following is kept only as an archive of the previous solution.

If you’ve carelessly updated to CentOS 7.7, chances are high that your FirewallD is now broken.

The breakage happens because FirewallD is trying to be too smart for you: it now attempts to check whether the specific kernel modules it needs for proper function are present.

However, those checks fail miserably on some non-stock kernels.

Whether you’re using OVH, Linode or many other cloud providers, you might have this same problem, because those providers all use cut-down kernels where the required modules are present but built in, so they do not even appear in the lsmod listing.

So FirewallD does not start with these kernels, because it fails to see the built-in modules. How do we get around that?

One manual solution is generating a modules.builtin file specific to your kernel, which lists those built-in modules so that FirewallD can see them.

However, this file needs to be regenerated every time the kernel is upgraded. Who likes manual solutions, after all? I know I don’t.

Permanent fix for FirewallD

Here’s a solution that persists across kernel upgrades and doesn’t involve hacking FirewallD code.

In a nutshell, we are going to create a service that starts just before FirewallD and ensures that our modules.builtin is pre-generated, so that FirewallD starts successfully.

Create /usr/local/sbin/rebuild-builtin-modules with the following contents:

#!/bin/bash
# Generate a modules.builtin list for the running kernel so that FirewallD's
# module check can see modules that are compiled into a cut-down kernel.
MODULES_DIR=/lib/modules/$(uname -r)
mkdir -p "${MODULES_DIR}"
# Start from empty lists (same effect as touching the files and emptying them)
/bin/truncate --size=0 "${MODULES_DIR}/modules.builtin"
/bin/truncate --size=0 "${MODULES_DIR}/modules.order"
# Every entry under /sys/module (loaded or built-in) becomes a "kernel/<name>.ko" line
for i in /sys/module/*; do echo "kernel/${i##*/}.ko"; done >> "${MODULES_DIR}/modules.builtin"
# Regenerate module dependency metadata for this kernel
depmod -a

Create /etc/systemd/system/rebuild-builtin-modules.service with the following contents:

[Unit]
Description=Rebuild built-in modules list for loaded kernel
Before=firewalld.service

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/rebuild-builtin-modules

[Install]
WantedBy=multi-user.target

Now set the permissions and start things up:

chmod 0644 /etc/systemd/system/rebuild-builtin-modules.service
chmod 0755 /usr/local/sbin/rebuild-builtin-modules
chown root:root /etc/systemd/system/rebuild-builtin-modules.service
chown root:root /usr/local/sbin/rebuild-builtin-modules
systemctl enable --now rebuild-builtin-modules.service
/usr/local/sbin/rebuild-builtin-modules
systemctl restart firewalld

Now FirewallD should keep working whether you reboot, update kernels, etc. 🙂
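Before restarting FirewallD, it helps to see a module the way its check sees it: in lsmod (which reads /proc/modules), only under /sys/module (built in), or nowhere. The functions below are an added example, not part of the original post or of FirewallD; they take the /sys/module and /proc/modules paths as parameters so they can be exercised against a constructed tree, and module_status and gen_builtin_list are names chosen here.

```shell
#!/bin/bash
# Added example: classify kernel modules and produce the modules.builtin lines
# the post's rebuild script generates. Paths are parameters; on a real host pass
# /sys/module and /proc/modules.

# module_status NAME SYSDIR PROCMODULES
#   prints "loaded"  if NAME is listed in PROCMODULES (what lsmod shows),
#          "builtin" if NAME has a /sys/module entry but is not in PROCMODULES,
#          "absent"  otherwise.
module_status() {
    local name=$1 sysdir=$2 procmod=$3
    if [ -r "$procmod" ] && grep -q "^${name} " "$procmod"; then
        echo loaded
    elif [ -d "${sysdir}/${name}" ]; then
        echo builtin
    else
        echo absent
    fi
}

# gen_builtin_list SYSDIR OUTFILE
#   writes one "kernel/NAME.ko" line per directory under SYSDIR, the same
#   format the post's script writes to modules.builtin; prints the entry count.
gen_builtin_list() {
    local sysdir=$1 out=$2 n=0 d
    : > "$out"
    for d in "$sysdir"/*; do
        [ -d "$d" ] || continue
        echo "kernel/${d##*/}.ko" >> "$out"
        n=$((n + 1))
    done
    echo "$n"
}

# Usage: ./script.sh nf_conntrack xt_owner ...  (prints the status of each
# named module on this host; module names given here are just examples)
if [ "$#" -gt 0 ]; then
    for m in "$@"; do
        printf '%s: %s\n' "$m" "$(module_status "$m" /sys/module /proc/modules)"
    done
fi
```

A module reported as "builtin" is exactly the case the post describes: present for the firewall, invisible to lsmod, and only visible to FirewallD once gen_builtin_list has written it into modules.builtin.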

  1. ZHOUJiahui

    I have tried, but it doesn’t work.

    Reply
    • Danila Vershinin

      It should have been fixed by CentOS already. Can you see if yum upgrade fixes it for you?

      Reply
  2. Jose M

    It didn’t work for me. I get this error right after trying to execute this line > systemctl enable --now rebuild-builtin-modules.service
    /usr/local/sbin/rebuild-builtin-modules:

    “Failed to execute operation: Unit name rebuild-builtin-modules is not valid.”

    This is a fresh install of CentOS 7.9.2009

    Reply
