inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Installation of PF fails on RHEL "Failed to open /usr/local/pf/conf/pf.conf: No such file or directory at /usr/local/pf/lib/pf/CHI/db.pm line 29." #6730

Closed hisashiyamaguchi closed 2 years ago

hisashiyamaguchi commented 2 years ago

I'm trying to install PF on my RHEL instance on EC2, and getting an error. Here are the steps that I've been doing. If someone could give me any workarounds for this, that would be great.

$ sudo yum -y update
$ sudo yum -y upgrade
$ sudo yum install kernel-devel-$(uname -r)
$ sudo yum localinstall http://packetfence.org/downloads/PacketFence/RHEL8/packetfence-release-11.1.el8.noarch.rpm
$ sudo yum install --enablerepo=packetfence packetfence

  Running scriptlet: haproxy-2.2.14-1.1.x86_64                                                                                                                               282/283
  Running scriptlet: packetfence-11.1.0-20211126091156.418699991.0008.maintenance~11.1.el8.x86_64                                                                            283/283
Created symlink /etc/systemd/system/mariadb.service → /dev/null.
Unit libvirtd.service does not exist, proceeding anyway.
Created symlink /etc/systemd/system/libvirtd.service → /dev/null.
Creating pf user
Adding pf user to app groups

  Installing       : packetfence-11.1.0-20211126091156.418699991.0008.maintenance~11.1.el8.x86_64                                                                            283/283
  Running scriptlet: packetfence-11.1.0-20211126091156.418699991.0008.maintenance~11.1.el8.x86_64                                                                            283/283

Adding PacketFence config startup script
packetfence-config service will be started later
Disabling emergency error logging to the console
Failed to open /usr/local/pf/conf/pf.conf: No such file or directory at /usr/local/pf/lib/pf/CHI/db.pm line 29.
module pf::cmd::pf::fixpermissions cannot be loaded
Cannot open /usr/local/pf/conf/pf.conf at /usr/local/pf/lib/pf/CHI/db.pm line 29.
Compilation failed in require at /usr/local/pf/lib/pf/CHI.pm line 42.
BEGIN failed--compilation aborted at /usr/local/pf/lib/pf/CHI.pm line 42.
Compilation failed in require at /usr/local/pf/lib/pf/util.pm line 51.
BEGIN failed--compilation aborted at /usr/local/pf/lib/pf/util.pm line 51.
Compilation failed in require at /usr/local/pf/lib/pf/cmd/pf/fixpermissions.pm line 45.
BEGIN failed--compilation aborted at /usr/local/pf/lib/pf/cmd/pf/fixpermissions.pm line 45.
Compilation failed in require at /usr/share/perl5/vendor_perl/Module/Load.pm line 77.
Can't locate pf/cmd/pf/fixpermissions in @INC (@INC contains: /usr/local/pf/lib /usr/local/pf/lib_perl/lib/perl5/x86_64-linux-thread-multi /usr/local/pf/lib_perl/lib/perl5 /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at /usr/share/perl5/vendor_perl/Module/Load.pm line 77.

Usage:
    pfcmd <command> [options]

     Commands
      cache                       | manage the cache subsystem
      checkup                     | perform a sanity checkup and report any problems
      class                       | view security event classes
      configreload                | reload the configution
      connectionprofileconfig     | query/modify connection profile configuration parameters
      fingerbank                  | Fingerbank related commands
      fixpermissions              | fix permissions on pf tree
      floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
      generatedomainconfig        | generate the domain configuration
      generatemariadbconfig       | generate the MariaDB configuration
      generatemonitconfig         | generate the monit configuration
      generatesyslogconfig        | generate the syslog configuration
      help                        | show help for pfcmd commands
      import                      | bulk import of information into the database
      ipmachistory                | IP/MAC history
      locationhistorymac          | Switch/Port history
      locationhistoryswitch       | Switch/Port history
      networkconfig               | query/modify network configuration parameters
      node                        | manipulate node entries
      pfconfig                    | interact with pfconfig
      pfcron                      | run pfcron tasks
      pfqueue                     | query/modify pfqueue tasks and counters
      reload                      | rebuild fingerprint or security events tables without restart
      service                     | start/stop/restart and get PF daemon status
      schedule                    | Nessus scan scheduling
      switchconfig                | query/modify switches.conf configuration parameters
      version                     | output version information
      security_event              | manipulate security events
      security_eventconfig        | query/modify security_events.conf configuration parameters
      tenant                      | manipulate tenants

    Please view "pfcmd help <command>" for details on each option

Restarting journald to enable persistent logging
Setting packetfence.target as the default systemd target.
Removed /etc/systemd/system/default.target.
Created symlink /etc/systemd/system/default.target → /etc/systemd/system/packetfence.target.
Install the monitoring scripts signing key
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 976D5928E3A28334: public key "Inverse Inc. (Monitoring Scripts) <info@inverse.ca>" imported
gpg: Total number processed: 1
gpg:               imported: 1
make: Circular conf/ssl/server.key <- conf/ssl/server.key dependency dropped.
openssl genrsa -out /usr/local/pf/conf/ssl/server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
..............................................................................+++++
e is 65537 (0x010001)
make: Circular conf/ssl/server.crt <- conf/ssl/server.crt dependency dropped.
openssl req -new -x509 -days 365 \
-out /usr/local/pf/conf/ssl/server.crt \
-key /usr/local/pf/conf/ssl/server.key \
-config /usr/local/pf/conf/openssl.cnf
Can't load /root/.rnd into RNG
140493085460288:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/root/.rnd
make: Circular conf/ssl/server.pem <- conf/ssl/server.pem dependency dropped.
cat conf/ssl/server.crt conf/ssl/server.key > conf/ssl/server.pem
Building default RADIUS certificates...
openssl dhparam -out dh -2 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................................................................................................+........................................+..............................................................................................................................................................................................+.....................................................................................................................................................................................+..........................................................................................................................................................................+..............................................................................+.....................................................................................................................................................................................................................................................................................+..................................................................................................++*++*++*++*
openssl req -new  -out server.csr -nodes -keyout server.key -config ./server.cnf
Generating a RSA private key
....................................................................................................+++++
...............................................+++++
writing new private key to 'server.key'
-----
chmod go+r server.key
openssl req -new -x509 -keyout ca.key -out ca.pem \
    -days '1825' -config ./ca.cnf
Generating a RSA private key
...........................+++++
.......+++++
writing new private key to 'ca.key'
-----
chmod g+r ca.key
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key 'whatever' -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 30 21:20:36 2021 GMT
            Not After : Nov 29 21:20:36 2026 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = Example Server Certificate
            emailAddress              = admin@example.org
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.example.com/example_ca.crl

Certificate is to be certified until Nov 29 21:20:36 2026 GMT (1825 days)

Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:'whatever' -passout pass:'whatever'
chmod g+r server.p12
openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever'
chmod g+r server.pem
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a RSA private key
...................................+++++
...............+++++
writing new private key to 'client.key'
-----
chmod g+r client.key
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 30 21:20:36 2021 GMT
            Not After : Jan 29 21:20:36 2022 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = user@example.org
            emailAddress              = user@example.org
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.example.com/example_ca.crl

Certificate is to be certified until Jan 29 21:20:36 2022 GMT (60 days)

Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:'whatever' -passout pass:'whatever'
chmod g+r client.p12
openssl pkcs12 -in client.p12 -out client.pem -passin pass:'whatever' -passout pass:'whatever'
chmod g+r client.pem
cp client.pem 'user@example.org'.pem
Touch pf.conf because it doesnt exist
Disabling SELinux...
net.ipv4.ip_forward = 1
Restarting rsyslogd
/var/tmp/rpm-tmp.d9pGD3: line 116: /usr/bin/firewall-cmd: No such file or directory
Failed to disable unit: Unit file firewalld.service does not exist.
Created symlink /etc/systemd/system/packetfence-base.target.wants/packetfence-mariadb.service → /usr/lib/systemd/system/packetfence-mariadb.service.
Created symlink /etc/systemd/system/packetfence-base.target.wants/packetfence-redis-cache.service → /usr/lib/systemd/system/packetfence-redis-cache.service.
Created symlink /etc/systemd/system/packetfence-base.target.wants/packetfence-config.service → /usr/lib/systemd/system/packetfence-config.service.
Created symlink /etc/systemd/system/packetfence.target.wants/packetfence-httpd.admin_dispatcher.service → /usr/lib/systemd/system/packetfence-httpd.admin_dispatcher.service.
Created symlink /etc/systemd/system/packetfence.target.wants/packetfence-haproxy-admin.service → /usr/lib/systemd/system/packetfence-haproxy-admin.service.
Created symlink /etc/systemd/system/packetfence.target.wants/packetfence-iptables.service → /usr/lib/systemd/system/packetfence-iptables.service.
Created symlink /etc/systemd/system/packetfence-base.target.wants/packetfence-tracking-config.path → /usr/lib/systemd/system/packetfence-tracking-config.path.
warning: %post(packetfence-11.1.0-20211126091156.418699991.0008.maintenance~11.1.el8.x86_64) scriptlet failed, signal 2

Error in POSTIN scriptlet in rpm package packetfence
  Running scriptlet: libwbclient-4.14.5-2.el8.x86_64                                                                                                                         283/283
  Running scriptlet: httpd-2.4.37-43.module+el8.5.0+13064+c4b14997.x86_64                                                                                                    283/283
  Running scriptlet: MariaDB-server-10.5.12-1.el8.x86_64                                                                                                                     283/283
  Running scriptlet: openldap-ltb-2.4.45-5.1.x86_64                                                                                                                          283/283
  Running scriptlet: packetfence-11.1.0-20211126091156.418699991.0008.maintenance~11.1.el8.x86_64                                                                            283/283
[/usr/lib/tmpfiles.d/radiusd.conf:1] Line references path below legacy directory /var/run/, updating /var/run/radiusd → /run/radiusd; please update the tmpfiles.d/ drop-in file accordingly.
julsemaan commented 2 years ago

From this output, it looks like /usr/bin/firewall-cmd doesn't exist in the RHEL image on AWS

To be sure it's the case, could you retry your install as-is but right after deploying the image and before installing, run:

yum install firewalld

It looks like we assume firewalld is installed (because it must be on the official RHEL8 image)

julsemaan commented 2 years ago

Confirmed with @hisashiyamaguchi that installing firewalld before PF works, so I'll add it as an explicit dependency since we currently assume it's installed on all RHEL8 boxes.
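The root cause in this thread is an unstated assumption by the package's `%post` scriptlet: it calls `/usr/bin/firewall-cmd` (absent on the AWS RHEL image) and runs `pfcmd fixpermissions` before `pf.conf` has been created, and the scriptlet aborts with signal 2. The following shell script is an added example, not PacketFence's own code and not something posted in the thread; the function names and the checked paths are assumptions chosen to mirror the two failure messages in the log above. It gives a pre-install check that would have caught the missing `firewall-cmd` before `yum install` was run, and a post-install check that verifies the files the scriptlet is expected to leave behind.

```shell
#!/bin/sh
# Added example (not PacketFence project code): explicit prerequisite checks
# for an install whose post-install scriptlet silently assumes tools and files.
# Function names and the file list are illustrative assumptions.

# pf_check_commands CMD...
# Prints each command not found in PATH and returns 1 if any is missing.
pf_check_commands() {
    _missing=0
    for _cmd in "$@"; do
        if ! command -v "$_cmd" >/dev/null 2>&1; then
            echo "missing command: $_cmd" >&2
            _missing=1
        fi
    done
    return $_missing
}

# pf_check_files FILE...
# Prints each path that is not a regular file and returns 1 if any is missing.
pf_check_files() {
    _missing=0
    for _f in "$@"; do
        if [ ! -f "$_f" ]; then
            echo "missing file: $_f" >&2
            _missing=1
        fi
    done
    return $_missing
}

# pf_preinstall_check
# Run before "yum install packetfence": the scriptlet in the log above calls
# firewall-cmd, openssl and systemctl without checking they exist.
pf_preinstall_check() {
    pf_check_commands firewall-cmd openssl systemctl
}

# pf_postinstall_check [CONF_DIR]
# Run after the install: the scriptlet should have created pf.conf and the
# HTTPS key/certificate pair under the configuration directory.
pf_postinstall_check() {
    _conf="${1:-/usr/local/pf/conf}"
    pf_check_files "$_conf/pf.conf" \
                   "$_conf/ssl/server.key" \
                   "$_conf/ssl/server.crt"
}

# Stand-alone usage: report on this host and exit non-zero on any gap.
if [ "${PF_CHECK_MAIN:-0}" = "1" ]; then
    pf_preinstall_check && pf_postinstall_check
fi
```

Run `PF_CHECK_MAIN=1 sh pf_check.sh` on the freshly deployed image before the `yum install` step in the reproduction above; a "missing command: firewall-cmd" line is the cue to `yum install firewalld` first, as the maintainer suggests. The durable fix is the one described in the final comment: declaring the dependency in the package metadata (in RPM terms a `Requires:` on firewalld) so the package manager resolves it instead of the scriptlet discovering its absence at run time.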