yum upgrades for production use, this is the repository for you.
Active subscription is required.
FirewallD is already fixed in this commit. You only need to yum update it and/or update to recent kernel by your hosting provider.
The following is just an archive of a previous solution.
If you’ve carelessly updated to CentOS 7.7, high chances are that your FirewallD is now broken.
The breakage happens because FirewallD is trying to be too smart for you.
It now attempts to check whether specific kernel modules are there for its proper function.
However, those checks miserably fail on some non-stock kernels.
Whether you’re using OVH, Linode or many other cloud providers – you might have this sames problem, because those providers all use cut-down kernels where the required modules are present, but being built-in, they are not even present in lsmod listing.
So FirewallD with these kernels does not start, because it fails to see the built-in modules. How do get around that?
One manual solution is generating modules.builtin file specific for your kernel, which will list those modules for FirewalD to see.
However, this needs to be regenerated every time the kernel is upgraded. Who likes manual solutions after all? I know I don’t.
Permanent fix for FirewallD
Here’s a solution that will persist throughout kernel upgrades and doesn’t involve hacking FirewallD code.
In a nutshell, we are going to create a service that starts just before FirewallD and ensures that our modules.builtin is pre-generated for successfull startup of FirewallD.
Create /usr/local/sbin/rebuild-builtin-modules with contents:
#!/bin/bash
# script for creating builtin modules file
MODULES_DIR=/lib/modules/$(uname -r)
mkdir -p ${MODULES_DIR}
# touch ${MODULES_DIR}/modules.{builtin,order}
/bin/truncate --size=0 ${MODULES_DIR}/modules.builtin
/bin/truncate --size=0 ${MODULES_DIR}/modules.order
for i in /sys/module/*; do echo kernel/${i##**/}.ko; done >> ${MODULES_DIR}/modules.builtin
depmod -a
Create /etc/systemd/system/rebuild-builtin-modules.service
[Unit]
Description=Rebuild built-in modules list for loaded kernel
Before=firewalld.service
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/rebuild-builtin-modules
[Install]
WantedBy=multi-user.target
Now set up permissions and launch things up:
chmod 0644 /etc/systemd/system/rebuild-builtin-modules.service
chmod 0755 /usr/local/sbin/rebuild-builtin-modules
chown root:root /etc/systemd/system/rebuild-builtin-modules.service
chown root:root /usr/local/sbin/rebuild-builtin-modules
systemctl enable --now rebuild-builtin-modules.service
/usr/local/sbin/rebuild-builtin-modules
systemctl restart firewalld
Now FirewallD should work, whether you reboot or update kernels, etc. 🙂
ZHOUJiahui
I have tried,but it doesn’t works.
Danila Vershinin
It should have been fixed by CentOS already. Can you see if
yum upgradefixes it for you?Jose M
It didn’t work for me. I get this error right after trying to execute this line > systemctl enable –now rebuild-builtin-modules.service
/usr/local/sbin/rebuild-builtin-modules:
“Failed to execute operation: Unit name rebuild-builtin-modules is not valid.”
This is a fresh install of CentOS 7.9.2009