[BlueOnyx:22033] Re: base-sitestats-scripts breaking servers

Michael Stauber mstauber at blueonyx.it
Thu May 10 18:37:24 -05 2018


Hi Dan,

> We have had two major outages of our final BlueOnyx server in the last
> month.  Both happened while the server was being patched.

I'm sorry to hear that, Dan.

> We have identified the issue as due to post install scripts in the
> following packages...
> - base-sitestats-scripts-2.1-1BX01.el6.noarch.rpm
> - base-sitestats-scripts-2.1-1BX02.el6.noarch.rpm.
> 
> These packages appear to have a post install script that runs `iptables
> --flush`, clearing the configs, saving the new configs and then
> restarting iptables.

That is correct. On install that RPM sets up the IPTables traffic
accounting rules that gather the network usage statistics. We don't out
of the box support custom IPTables rules, as these will always in one
way or other conflict with the IPTables traffic accounting rules.

But we do have provisions in there that deal with the APF firewall. If
base-sitestats-scripts detects the directory /etc/apf (even if it's
empty) it will not flush the firewall rules.

So let us do two things:

On your end please create /etc/apf ("mkdir /etc/apf") and that will
prevent future base-sitestats-scripts updates from messing with
your custom firewall rules.

On our end I'll see to it that the RPM in question will only set up,
flush and restart IPTables the first time when base-sitestats-scripts
is installed and it'll no longer do so on RPM updates.

-- 
With best regards

Michael Stauber
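
Added example (not part of the original message and not BlueOnyx code): a pre-patch check that scans the scriptlet text printed by `rpm -q --scripts` for lines that flush, save or restart iptables, the behaviour discussed in this thread. The function names and the sample scriptlet text are constructed for illustration.

```shell
#!/bin/sh
# Flag RPM scriptlet lines that rewrite the live firewall.
# Input: text printed by `rpm -q --scripts <package>` (installed package)
# or `rpm -qp --scripts <file.rpm>` (update not yet installed).

# Print "<section>: <line>" for each scriptlet line that flushes, saves
# or restarts iptables. Returns 0 if anything was flagged, 1 otherwise.
scan_scriptlets() {
    awk '
        # rpm prints headers such as "postinstall scriptlet (using /bin/sh):"
        /scriptlet \(using/ { section = $1; next }
        /^[ \t]*#/ { next }                        # ignore comment lines
        /iptables[^|;&]*(-F|--flush)([ \t]|$)/ ||
        /iptables-save/ ||
        /service[ \t]+iptables[ \t]+(restart|stop)/ ||
        /\/etc\/init\.d\/iptables[ \t]+(restart|stop)/ {
            sub(/^[ \t]+/, "")                     # trim indentation
            print section ": " $0
            hits++
        }
        END { exit (hits ? 0 : 1) }
    '
}

# Constructed sample modelled on the behaviour described in the thread;
# it is not the real scriptlet from base-sitestats-scripts.
sample_scriptlets() {
    cat <<'EOF'
preinstall scriptlet (using /bin/sh):
echo "preparing"
postinstall scriptlet (using /bin/sh):
# set up accounting chains
if [ ! -d /etc/apf ]; then
    /sbin/iptables --flush
    /sbin/iptables-save > /etc/sysconfig/iptables
    /sbin/service iptables restart
fi
EOF
}

# Demo on the constructed sample. On a real host, before applying updates:
#   rpm -q --scripts base-sitestats-scripts | scan_scriptlets
sample_scriptlets | scan_scriptlets
```

A non-empty result means the package update can change the running ruleset, so snapshot the current rules with `iptables-save` before patching.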


