Nmcli is not working in Kickstart script

centos7kickstartnetworkmanagerrhel7

I have the following commands in a Kickstart post-install script:

firewall-offline-cmd --new-zone=management
firewall-offline-cmd --zone=management --add-service=ssh --add-service=snmp
firewall-offline-cmd --zone=management --change-interface=eth1
nmcli device modify eth1 connection.zone management

From my reading it seems that firewalld can't make these changes when NetworkManager is in the picture, so I added in the nmcli command to change the zone. But it is not taking effect. After the install is complete and the server reboots, the interface remains in the default zone. After that I can then run the nmcli command and it will take effect.

I can't find anything online about this problem, except maybe this article, but it's behind a paywall.

Best Answer

I've run into this issue as well. I got around it with this hack:

echo 'ZONE=management' >> /etc/sysconfig/network-scripts/ifcfg-eth1

I'd prefer something more elegant but have settled on that for the time being.

Related Solutions

Kickstart CentOS 6 prompting for TCP/IP with network set to DHCP

The Configure TCP/IP prompt will always display if DHCP fails for any reason. Try specifying the specific ethernet interface you want to use with --device=ethX.

I ran into this issue on a machine that was set up to DHCP from eth2 and my standard kickstart config used eth0.

Linux – Using Firewall-cmd to create address specific restrictions in centos 7

I searched for the answer but I found many questions related to my own without answers.

After much study, I came around with a workaround. Here is what i did

I Added the interface to the public zone

then

sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="x.x.x.x/x" service name="ssh" log prefix="ssh" level="info" accept' 
sudo firewall-cmd --reload

Note: The source address could be a range. Just specify the network mask

Since ssh wasn't added for the public zone, it will be blocked by default. The rich rule will enable it for only that source ip.

Any better solution please add.

Best Answer

Related Solutions

Kickstart CentOS 6 prompting for TCP/IP with network set to DHCP

Linux – Using Firewall-cmd to create address specific restrictions in centos 7

Related Topic