Custom spin rc.local startup problem

[heethen]

Hello,
I'm making my own customized Fedora livecd (as a part of my dissertation) using livecd-tools. I've managed to get a quite a bit of work done, but now I'm stuck. I've copied a script called iptables.sh on the livecd like this (code from the kickstart file):

Code:

%post --nochroot
cp /home/heethen/iptables.sh $INSTALL_ROOT/usr/sbin/iptables.sh
%end

That works fine, the file is copied. But I need to execute this script everytime the livecd boots. So I've created the rc.local file using the kickstart:

Code:

cat >> /etc/rc.d/rc.local << FOE
#!/bin/sh

/usr/sbin/iptables.sh

exit 0
FOE

chmod +x /etc/rc.d/rc.local
chmod +x /usr/sbin/iptables.sh

The rc.local is sucessfully created, but it isn't being run on startup. What am I doing wrong?

Any help would be greatly appreciated. Please tell me if any further information needs to be provided. Thank you.

P.S.I've even tried to create systemd service file /etc/systemd/system/iptabservice.service that executes my script ExecStart=/usr/sbin/iptables.sh - to no avail.)

[jpollard]

There are two possible issues -
1) your rc.local file doesn't appear to run it. Create it, yes, but what is supposed to actually run it?
2) rc.local runs at an indeterminate time after boot. If the network has not been activated, then the script can do nothing (no devices initialized) and thus ignoring any changes.

If you are using NetworkManager, it may/can override whatever your script tries to do. Normally the script that initializes the firewall is /etc/sysconfig/iptables (for IPv4) and /etc/sysconfig/ip6tables. These will replace whatever you do, during network startup or restart (networkmanager can reinitilize networks at the drop of a hat/disconnect or a wireless disconnect/failure).

[heethen]

Thank you for your response.

1) Well, when I run the rc.local file manually after the boot, it works fine. I also have a line in it that creates a file so I could see if it ran at all. This "test file" is not being created at startup so it looks like the rc.local file is not being run at all.

2) The /lib/systemd/system/rc-local.service file contains After=network.target directive so I assumed it is waiting for a network to be activated.

The iptables.sh script (I gave it a rather confusing name basically downloads a whitelist of ip adresses using wget, parses them and configures iptables accordingly to allow access to these addresses and blocks anything else.

[jpollard]

That may only happen if NetworkManager-wait-online.service is also enabled.

It also doesn't address the issue of NetworkManager reinitializing a network, which will not use your script.

The best way is likely to be replacing the /etc/sysconfig/iptables file BEFORE the network is initialized.

[heethen]

Thank you, I will look into this NetworkManager business. However, it seems to be working now, the script is successfully executed by /etc/systemd/system/iptabservice.service on startup (it shows in /var/log/messages), although I didn't change anything. I will test it further to see if it is reliable.

However, rc.local is still not working. Granted, I don't seem to need it now that the other way (sytemd service file) is working. But it still baffles me.

[JakeR]

Quote:

Originally Posted by jpollard

The best way is likely to be replacing the /etc/sysconfig/iptables file BEFORE the network is initialized.

Look at this thread http://forums.fedoraforum.org/showthread.php?t=276921

%post --nochroot is before network startup it does not work...