1733999 – firewall-cmd: command not found

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1733999 - firewall-cmd: command not found

Summary: firewall-cmd: command not found

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	firewalld
Sub Component:
Version:	7.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Eric Garver
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-29 12:26 UTC by dlovison
Modified:	2020-02-10 14:06 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-02-10 14:06:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description dlovison 2019-07-29 12:26:37 UTC

Description of problem:
-bash: firewall-cmd: command not found

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 7.7 (Maipo)

How reproducible:
Red Hat Enterprise Linux Server release 7.7 (Maipo)
redhat-release-server-7.7-10.el7.x86_64

Steps to Reproduce:
1.firewall-cmd
2.
3.

Actual results:
-bash: firewall-cmd: command not found

Expected results:
usage: see firewall-cmd man page
No option specified.

Additional info:
It was working in the previous 77 image.

Comment 2 Eric Garver 2019-07-29 13:44:44 UTC

(In reply to dlovison from comment #0)
> Description of problem:
> -bash: firewall-cmd: command not found

Can you verify firewalld is installed? What do the following commands yield?

  # yum info firewalld
  # which firewall-cmd

Comment 4 dlovison 2019-07-29 13:55:26 UTC

[cloud-user@tmp-dlovison-rhel7rc3 ~]$ yum info firewalld
Failed to set locale, defaulting to C
Loaded plugins: search-disabled-repos
beaker-AppStream                                                                                                 | 2.8 kB  00:00:00     
beaker-BaseOS                                                                                                    | 2.3 kB  00:00:00     
(1/4): beaker-BaseOS/group_gz                                                                                    | 5.8 kB  00:00:00     
(2/4): beaker-AppStream/group_gz                                                                                 | 103 kB  00:00:00     
(3/4): beaker-BaseOS/primary                                                                                     | 997 kB  00:00:00     
(4/4): beaker-AppStream/primary                                                                                  | 2.0 MB  00:00:01     
beaker-AppStream                                                                                                              5229/5229
beaker-BaseOS                                                                                                                 4715/4715
Available Packages
Name        : firewalld
Arch        : noarch
Version     : 0.6.3
Release     : 2.el7
Size        : 441 k
Repo        : beaker-AppStream
Summary     : A firewall daemon with D-Bus interface providing a dynamic firewall
URL         : http://www.firewalld.org
License     : GPLv2+
Description : firewalld is a firewall service daemon that provides a dynamic customizable
            : firewall with a D-Bus interface.

[cloud-user@tmp-dlovison-rhel7rc3 ~]$ which firewall-cmd
/usr/bin/which: no firewall-cmd in (/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/cloud-user/.local/bin:/home/cloud-user/bin)

Comment 5 Eric Garver 2019-07-29 14:15:07 UTC

(In reply to dlovison from comment #4)
[..]
> [cloud-user@tmp-dlovison-rhel7rc3 ~]$ which firewall-cmd
> /usr/bin/which: no firewall-cmd in
> (/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/cloud-user/.local/
> bin:/home/cloud-user/bin)

It should exist at /usr/bin/firewall-cmd. It's part of the firewalld package so it should be there. What happens if you reinstall firewalld?

  # yum reinstall firewalld

Comment 6 dlovison 2019-07-29 14:29:57 UTC

[root@tmp-dlovison-rhel7rc3 cloud-user]# yum reinstall firewalld
Failed to set locale, defaulting to C
Loaded plugins: search-disabled-repos
No Match for argument: firewalld
beaker-AppStream                                                                                                 | 2.8 kB  00:00:00     
beaker-BaseOS                                                                                                    | 2.3 kB  00:00:00     
(1/4): beaker-BaseOS/group_gz                                                                                    | 5.8 kB  00:00:00     
(2/4): beaker-AppStream/group_gz                                                                                 | 103 kB  00:00:00     
(3/4): beaker-BaseOS/primary                                                                                     | 997 kB  00:00:00     
(4/4): beaker-AppStream/primary                                                                                  | 2.0 MB  00:00:01     
beaker-AppStream                                                                                                              5229/5229
beaker-BaseOS                                                                                                                 4715/4715
Package(s) firewalld available, but not installed.
Error: Nothing to do


----------


[root@tmp-dlovison-rhel7rc3 cloud-user]# yum install firewalld
Failed to set locale, defaulting to C
Loaded plugins: search-disabled-repos
Resolving Dependencies
--> Running transaction check
---> Package firewalld.noarch 0:0.6.3-2.el7 will be installed
--> Processing Dependency: python-firewall = 0.6.3-2.el7 for package: firewalld-0.6.3-2.el7.noarch
--> Processing Dependency: firewalld-filesystem = 0.6.3-2.el7 for package: firewalld-0.6.3-2.el7.noarch
............
Installed:
  firewalld.noarch 0:0.6.3-2.el7                                                                                                        

Dependency Installed:
  ebtables.x86_64 0:2.0.10-16.el7              firewalld-filesystem.noarch 0:0.6.3-2.el7        ipset.x86_64 0:7.1-1.el7               
  ipset-libs.x86_64 0:7.1-1.el7                python-firewall.noarch 0:0.6.3-2.el7             python-slip.noarch 0:0.4.0-4.el7       
  python-slip-dbus.noarch 0:0.4.0-4.el7       

Complete!


----------


[cloud-user@tmp-dlovison-rhel7rc3 ~]$ which firewall-cmd
/usr/bin/firewall-cmd


----------


Why the tool is not installed by default? Are there any reason why it was removed ?

Comment 7 Tomas Dolezal 2019-07-29 14:41:04 UTC

(In reply to dlovison from comment #6)
> Why the tool is not installed by default? Are there any reason why it was
> removed ?
As I saw previously that you were using cloud-init, could you revise any configuration you have for the daemon present in the hypervisor environment? My check in rhel-guest-image for 7.7 shown the package presence. Also Core packages group requires the package. I believe that enabling logs persistence and/or extended logging might show why and when the package got removed.

Does /var/log/yum.log contain anything?

Comment 8 dlovison 2019-07-29 14:44:46 UTC

My image base image was: RHEL-7.7-20190723.1-Server-x86_64

[root@tmp-dlovison-rhel7rc3 cloud-user]# cat /var/log/yum.log | grep firewall
Jul 29 10:26:56 Installed: firewalld-filesystem-0.6.3-2.el7.noarch
Jul 29 10:26:56 Installed: python-firewall-0.6.3-2.el7.noarch
Jul 29 10:26:56 Installed: firewalld-0.6.3-2.el7.noarch

Comment 9 Eric Garver 2019-07-29 15:41:15 UTC

(In reply to dlovison from comment #8)
> My image base image was: RHEL-7.7-20190723.1-Server-x86_64
> 
> [root@tmp-dlovison-rhel7rc3 cloud-user]# cat /var/log/yum.log | grep firewall
> Jul 29 10:26:56 Installed: firewalld-filesystem-0.6.3-2.el7.noarch
> Jul 29 10:26:56 Installed: python-firewall-0.6.3-2.el7.noarch
> Jul 29 10:26:56 Installed: firewalld-0.6.3-2.el7.noarch

It was installed. Maybe something horrible happened during cloud-init that caused the binary to be removed. At any rate, it's clear there is no firewalld bug here.

Are you able to reproduce this?

Comment 10 dlovison 2019-07-29 16:00:27 UTC

Yes. Create a fresh image from RHEL-7.7-20190723.1-Server-x86_64 and

$ ssh -i jdg-jenkins cloud-user.150.170
The authenticity of host '10.0.150.170 (10.0.150.170)' can't be established.
ECDSA key fingerprint is SHA256:PNTr5ZJ8eaV0ioURvSZI0TQ/HM1FWaYCRAi5Uz0Mi4Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.150.170' (ECDSA) to the list of known hosts.
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
[cloud-user@bug-1733999 ~]$ which firewall-cmd
/usr/bin/which: no firewall-cmd in (/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/cloud-user/.local/bin:/home/cloud-user/bin)
[cloud-user@bug-1733999 ~]$

Comment 11 Eric Garver 2019-07-29 19:20:10 UTC

(In reply to dlovison from comment #10)
> Yes. Create a fresh image from RHEL-7.7-20190723.1-Server-x86_64 and
> 
> $ ssh -i jdg-jenkins cloud-user.150.170
> The authenticity of host '10.0.150.170 (10.0.150.170)' can't be established.
> ECDSA key fingerprint is SHA256:PNTr5ZJ8eaV0ioURvSZI0TQ/HM1FWaYCRAi5Uz0Mi4Y.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '10.0.150.170' (ECDSA) to the list of known hosts.
> -bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such
> file or directory
> [cloud-user@bug-1733999 ~]$ which firewall-cmd
> /usr/bin/which: no firewall-cmd in
> (/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/cloud-user/.local/
> bin:/home/cloud-user/bin)
> [cloud-user@bug-1733999 ~]$

I'm not familiar with using cloud-init. Can you share the steps you're using to reproduce?
Please attach any relevant log files; yum, cloud-init, etc.

Comment 12 dlovison 2019-07-29 19:23:27 UTC

1) Open https://rhos-d.infra.prod.upshift.rdu2.redhat.com/dashboard/project/instances/
2) Search the image RHEL-7.7-20190723.1-Server-x86_64
3) Create the instance
4) Login using ssh
5) Type: which firewall-cmd

Those are the steps.

Comment 15 Eric Garver 2020-02-10 14:06:23 UTC

There is insufficient information to reproduce this. It appears something happened after cloud-init that caused firewalld to be removed from the system. There is nothing actionable on firewalld's side.

Furthermore this is reported against RHEL-7, but RHEL-8 repos (BaseOS, AppStream) are in use.

Note You need to log in before you can comment on or make changes to this bug.