Firewall stops for no reason

I have a Red Hat 8 server. I had enabled public traffic to the server with firewall-cmd --permanent --zone=public --add-service=https. When I ran systemctl start firewalld, it worked as expected. But every 10 minutes or so, the daemon stops. I am not doing this myself, so I assume some other part of systemd is doing it. Below is the output of journalctl --unit firewalld --pager-end. Notably, the time between a start and a stop is sometimes more than 10 minutes, so whatever is happening does not happen exactly every 10 minutes:

Dec 27 22:12:53 my.server.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 27 22:12:53 my.server.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 27 22:12:53 my.server.domain firewalld[165220]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please conside>
Dec 27 22:38:50 my.server.domain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 27 22:38:50 my.server.domain systemd[1]: firewalld.service: Succeeded.
Dec 27 22:38:50 my.server.domain systemd[1]: Stopped firewalld - dynamic firewall daemon.
Dec 27 23:16:34 my.server.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 27 23:16:34 my.server.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 27 23:16:35 my.server.domain firewalld[486273]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please conside>
Dec 27 23:38:49 my.server.domain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 27 23:38:50 my.server.domain systemd[1]: firewalld.service: Succeeded.
Dec 27 23:38:50 my.server.domain systemd[1]: Stopped firewalld - dynamic firewall daemon.
Dec 28 02:59:38 my.server.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 28 02:59:39 my.server.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 28 02:59:39 my.server.domain firewalld[1607080]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consid>
Dec 28 03:08:50 my.server.domain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 28 03:08:51 my.server.domain systemd[1]: firewalld.service: Succeeded.
Dec 28 03:08:51 my.server.domain systemd[1]: Stopped firewalld - dynamic firewall daemon.
Dec 28 03:29:19 my.server.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 28 03:29:19 my.server.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 28 03:29:19 my.server.domain firewalld[1760864]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consid>
Dec 28 03:38:49 my.server.domain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 28 03:38:49 my.server.domain systemd[1]: firewalld.service: Succeeded.
Dec 28 03:38:49 my.server.domain systemd[1]: Stopped firewalld - dynamic firewall daemon.

Why is this happening? How can I make sure firewalld stays active at all times?

Answer 1

The tool I found most useful for debugging this was journalctl --pager-end --output with-unit. It gives you the output of all units, but every log line a unit produces is tagged with that unit. Then, when I searched for the log of the firewall stopping, I found the following:

Wed 2022-12-28 18:38:49 AEDT my.domain init.scope[1]: Stopping firewalld - dynamic firewall daemon...
Wed 2022-12-28 18:38:50 AEDT my.domain init.scope[1]: firewalld.service: Succeeded.
Wed 2022-12-28 18:38:50 AEDT my.domain init.scope[1]: Stopped firewalld - dynamic firewall daemon.
Wed 2022-12-28 18:38:50 AEDT my.domain puppet.service[2003956]: (/Stage[main]/Firewall::Linux::Redhat/Service[firewalld]/ensure) ensure changed 'running' to 'stopped' (corrective)

So what was happening is that puppet was installed, and it was periodically trying to "correct" my change to the firewall, I imagine using a recipe something like this: https://www.puppetcookbook.com/posts/ensure-service-is-stopped.html

So I was able to solve my problem with systemctl disable puppet && systemctl stop puppet
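The correlation the answer does by hand (find the "Stopping firewalld" line, then look at what other units logged in the seconds after it) can be scripted over journalctl --output with-unit output. The script below is an added example and is not code from the answer author; the firewalld and puppet lines in the sample are the four from the answer, while the sshd and crond lines are constructed noise to show that unrelated units are filtered out. It also narrows the suspects to Puppet agent lines that report a "(corrective)" change to a Service resource, which is the signature of a configuration-management tool undoing a manual change.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in "journalctl --output with-unit" format. The four
# firewalld/puppet lines are taken from the answer above; the sshd and
# crond lines are made up so the filtering has something to discard.
SAMPLE_JOURNAL = """\
Wed 2022-12-28 18:38:40 AEDT my.domain sshd.service[2003900]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Wed 2022-12-28 18:38:49 AEDT my.domain init.scope[1]: Stopping firewalld - dynamic firewall daemon...
Wed 2022-12-28 18:38:50 AEDT my.domain init.scope[1]: firewalld.service: Succeeded.
Wed 2022-12-28 18:38:50 AEDT my.domain init.scope[1]: Stopped firewalld - dynamic firewall daemon.
Wed 2022-12-28 18:38:50 AEDT my.domain puppet.service[2003956]: (/Stage[main]/Firewall::Linux::Redhat/Service[firewalld]/ensure) ensure changed 'running' to 'stopped' (corrective)
Wed 2022-12-28 18:39:01 AEDT my.domain crond.service[2003970]: (root) CMD (run-parts /etc/cron.hourly)
"""

# "<dow> <date> <time> <tz> <host> <unit>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<dow>\w{3}) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"(?P<host>\S+) (?P<unit>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Puppet's report of a corrective change to a Service resource's ensure state.
PUPPET_CORRECTIVE_RE = re.compile(
    r"Service\[(?P<svc>[^\]]+)\]/ensure\) ensure changed "
    r"'(?P<from>\w+)' to '(?P<to>\w+)' \(corrective\)"
)


def parse_journal(text):
    """Parse with-unit journal output into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "unit": m.group("unit"),
            "pid": int(m.group("pid")),
            "msg": m.group("msg"),
        })
    return entries


def find_stop_suspects(entries, service="firewalld", window_seconds=5):
    """For every 'Stopping <service>' event logged by the service manager (init.scope),
    return the entries from other units within the following window. Those are the
    candidates for whoever issued the stop."""
    stop_marker = f"Stopping {service} "
    results = []
    for stop in entries:
        if stop["unit"] != "init.scope" or not stop["msg"].startswith(stop_marker):
            continue
        deadline = stop["ts"] + timedelta(seconds=window_seconds)
        suspects = [
            e for e in entries
            if stop["ts"] <= e["ts"] <= deadline
            and e["unit"] not in ("init.scope", f"{service}.service")
        ]
        results.append({"stopped_at": stop["ts"], "suspects": suspects})
    return results


def corrective_puppet_changes(entries):
    """Return (service, from_state, to_state) for each Puppet corrective Service change."""
    hits = []
    for e in entries:
        if e["unit"] != "puppet.service":
            continue
        m = PUPPET_CORRECTIVE_RE.search(e["msg"])
        if m:
            hits.append((m.group("svc"), m.group("from"), m.group("to")))
    return hits


if __name__ == "__main__":
    ents = parse_journal(SAMPLE_JOURNAL)
    for r in find_stop_suspects(ents):
        print(f"firewalld stopped at {r['stopped_at']}; units logging within 5s:")
        for s in r["suspects"]:
            print(f"  {s['unit']}[{s['pid']}]: {s['msg']}")
    print("corrective puppet changes:", corrective_puppet_changes(ents))
```

On a real host, feed it journalctl --output with-unit --no-pager instead of the sample string. The 5-second window is an assumption that fits the answer's log, where the Puppet line lands one second after the stop; widen it if the agent's own reporting lags.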
