OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of Rumor »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - Rumor

Pages: [1]
1
24.1 Legacy Series / Re: Cron doesn't run any scheduled job
« on: May 25, 2024, 09:53:38 pm »
Yep, that job is created if you click the 'update schedule' tab in ACME settings. Apart from that, I have other manually added jobs and all of them were not working. I just started my investigation from the ACME job that was first on the list.

2
24.1 Legacy Series / Re: Cron doesn't run any scheduled job
« on: May 25, 2024, 08:00:20 pm »
julsssark, I use the os-acme-client plugin to generate certificates for my domains and that job auto-renews them (they are valid only for 3 months).

3
24.1 Legacy Series / Re: Cron doesn't run any scheduled job
« on: May 25, 2024, 06:15:47 pm »
Problem FIXED. It's almost a story for the movie ))
The 'permission denied' reason was that the opnsense/service/configd_ctl.py is a python file which shebang runs /usr/local/bin/python3 but the /usr/local/bin folder lost its all/world permission (it had rwxr-x---) because of my misconfigured ansible script that has installed some stuff under the /bin folder earlier. So because of this, /usr/local/bin/python3 was unaccessible for all non-wheel users and silently failed for them when executing .py scripts.

Thank you for directing me with this mystery, @Ben S!

4
24.1 Legacy Series / Re: Cron doesn't run any scheduled job
« on: May 25, 2024, 05:20:03 pm »
Yes, all intermediate folders are readable by all:

Code: [Select]
# ls -ld / /usr /usr/local /usr/local/sbin /usr/local/opnsense /usr/local/opnsense/service /usr/local/sbin/configctl /usr/local/opnsense/service/configd_ctl.py
drwxr-xr-x  21 root  wheel  1024 May 24 21:53 /
drwxr-xr-x  13 root  wheel   512 Apr  2 15:52 /usr
drwxr-xr-x  17 root  wheel   512 Apr  2 15:55 /usr/local
drwxr-xr-x  11 root  wheel   512 Apr  2 15:55 /usr/local/opnsense
drwxr-xr-x   6 root  wheel   512 May 21 22:27 /usr/local/opnsense/service
-rwxr-xr-x   1 root  wheel  6081 May 21 10:49 /usr/local/opnsense/service/configd_ctl.py
drwxr-xr-x   2 root  wheel  2560 May 21 22:27 /usr/local/sbin
lrwxr-xr-x   1 root  wheel    34 May 21 10:50 /usr/local/sbin/configctl -> ../opnsense/service/configd_ctl.py

5
24.1 Legacy Series / Re: Cron doesn't run any scheduled job
« on: May 25, 2024, 02:58:15 pm »
Thanks for the quick response.

The 'crontab -l -u nobody' shows the ../cron/nobody content, thanks.

When I tried 'su -m nobody -c 'configctl acmeclient cron-auto-renew'' it gave me '/usr/local/sbin/configctl: Permission denied' although both /usr/local/sbin/configctl and ../opnsense/service/configd_ctl.py that it reference are readable for public:

Code: [Select]
lrwxr-xr-x  1 root  wheel  34 May 21 10:50 /usr/local/sbin/configctl -> ../opnsense/service/configd_ctl.py
-rwxr-xr-x  1 root  wheel  6081 May 21 10:49 /usr/local/opnsense/service/configd_ctl.py

I tried to grant nobody access to that file:
Code: [Select]
setfacl -m u:nobody:rx /usr/local/sbin/configctl
but got: acl_get_file() failed: Operation not supported

6
24.1 Legacy Series / Cron doesn't run any scheduled job
« on: May 25, 2024, 12:06:06 pm »
I've scratched my head with this problem so need your help (I`m quite a noob with freebsd but learning).
OPNsense 24.1.7_4-amd64
FreeBSD 13.2-RELEASE-p11

Problem: none of my custom jobs (system->settings->cron) are run no matter what I tried.

Description:
The cron daemon auto-starts and runs any OPNsense jobs with no problem (see it in backend logs):
Code: [Select]
# service cron status
cron is running as pid 7636.

# ps ax | grep
 7636  -  Ss      0:00.00 /usr/sbin/cron -s

I've added a new custom job on the system->settings->cron page to run every midnight:
   0   0   *   *   *   AcmeClient Cronjob for Certificate AutoRenewal   Renew ACME

of course, I clicked the Apply button so the cron changes are reflected/logged in system->log files->backed:
Code: [Select]
2024-05-25T12:50:27 Debug configd.py OPNsense/Cron generated //var/cron/tabs/nobody
2024-05-25T12:50:27 Notice configd.py generate template container OPNsense/Cron
2024-05-25T12:50:27 Notice configd.py [1541edde-25f0-4024-9ea3-bb6e7bc58af8] generate template OPNsense/Cron

and this job is successfully added to /var/cron/tabs/nobody:
Code: [Select]
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#
# User-defined crontab files can be loaded via /etc/cron.d
# or /usr/local/etc/cron.d and follow the same format as
# /etc/crontab, see the crontab(5) manual page.
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour    mday    month   wday    command
# Origin/Description: AcmeClient/AcmeClient Cronjob for Certificate AutoRenewal
0   0   *   *   *   /usr/local/sbin/configctl -d 'acmeclient cron-auto-renew'

My other discoveries:
* the /var/log/cron folder doesn't exist while 'google' says it should and contains the cron logs. Don't know whether is true but still.
* crontab -l outputs only jobs from /var/cron/tabs/root but none from /nobody:
Code: [Select]
# crontab -l
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
#minute hour    mday    month   wday    command
1       *       *       *       *       (/usr/local/sbin/configctl -d syslog archive) > /dev/null
2       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 sshlockout) > /dev/null
3       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 virusprot) > /dev/null
4       *       *       *       *       (/usr/local/etc/rc.expireaccounts) > /dev/null
*/4     *       *       *       *       (/usr/local/sbin/ping_hosts.sh) > /dev/null
0       22      *       *       *       (/usr/local/sbin/configctl -d firmware changelog cron) > /dev/null
0       */24    *       *       *       (/usr/local/etc/rc.syshook.d/backup/20-rrd) > /dev/null
1       3       1       *       *       (/usr/local/sbin/configctl -d filter schedule bogons) > /dev/null
*       *       *       *       *       (/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py) > /dev/null

Problem:
No matter what schedule I set for this job, or added other jobs that do other stuff, even if they run every minute (*/1 * * * *) - none of these custom jobs are run.
But the job is successfully run manually via configctl <command> <subcommand>!
And seems these custom jobs didn't work from the beginning (my opnsesne was installed couple months ago) because one of my jobs was checking firmware updates and I never saw the 'new version' notification shown to me when I logged in into opnsese web UI.

I.e. I've tried to add other custom jobs at ->Cron page, change their schedule to run on specific time or recurrent - they are not run nor found in the Backend logs by any keyword.
Then I added the 'shutdown host' job that runs a custom actions script to shutdown the host and .... it didn't run.
I also tried to restart the cron service, restart the opnsense host, read opnsense github issues, reddit channel, this forum, google, etc. - no luck.

It's f...ng magic that just doesn't work.

7
General Discussion / Re: [os-caddy] Handle HTTPS and SSH traffic together
« on: April 06, 2024, 10:48:21 am »
Thank you for the reference, I've missed that 'TCP/UDP support' notice.

I've looked at the caddy.layer4 app and apart its alpha status it currently supports only a json config which isn't compatible with caddyfile. So seems the only way here is to move to an other reverse proxy.

8
General Discussion / [os-caddy] Handle HTTPS and SSH traffic together
« on: April 05, 2024, 11:52:30 pm »
Hi,

Newcomer to OPNSense and Caddy plugin for my homelab, so bear with me, please. Googles, searched this and Caddy forums with no luck.

What I have: opnsense 24.1.4 (with web UI on 4433 port), os-caddy 1.5.2 on 443 port, both reside on the same host 192.168.1.1.

What I need:
1) add/expose a mydomain.tld from OPNSense's Unbound to my home network which (domain) will point to my intranet IP with a real server (RealServer below).
2) when someone opens https://<mydomain.tld> he should be redirected to RealServer:port.
3) when someone SSH to mydomain.tld:22 he should eventually SSH to RealServer:22.
4) nice to have: if someone reaches mydomain.tld:any_port_except_443 he should reach the same RealServer:any_port_except_443

What I did:
OPNSense:
* add mydomain.tld to Unbound and point it out to 192.168.1.1 so the caddy will route its requests.
Caddy:
* add the mydomain.tld to domains tab and a handler for it to proxify mydomain.tld:443 to RealServer:port.

So far so good, if I open https://mydomain.tld I indeed received the RealServer:port web page.

The problem is with SSH (22) TCP port which isn't HTTP and doesn't auto-handled by caddy. I was trying to add the second same domain (caddy/Domains tab) but with Reverse Proxy Port=22 and a corresponding handler to RealServer:22 but that didn't help (SSH connection was successful but I've connected to my OPNSesne box instead of RealServer since mydomain.tld points to 192.168.1.1 in Unbound).

So the question, how to define a single reverse proxy domain and multiple handlers for https and tcp source ports pointing to the same destination server but different ports?
Ideally, if I could define one handler to proxify mydomain.tld:443 -> RealServer:someport and another 'wildcard' handler mydomain.tld:anyport -> RealServer:anyport, but if I will need to define a handler per specific port explicitly I could live with it.

I've found that Caddy has the Layer4 app which seems fullfils my needs to proxify TCP traffic but os-caddy isn't built with it and doesn't support it so it's kinda a hard way I would like to ommit for now.

@Monviech, your help will be very appreciated. Thanks for the plugin a lot, BTW.

9
24.1 Legacy Series / Unbound: umount: /var/unbound/lib: not a file system root directory
« on: March 15, 2024, 09:32:16 pm »
With every OPNsense reboot the following unbound-related errors appear in opnsense logs:
Code: [Select]
2024-03-15T00:15:22 Error opnsense /usr/local/sbin/pluginctl: The command '/sbin/umount '/var/unbound/lib'' returned exit code '1', the output was 'umount: /var/unbound/lib: not a file system root directory'
2024-03-15T00:15:22 Error opnsense /usr/local/sbin/pluginctl: The command '/bin/kill -'TERM' '39073''(pid:/var/run/unbound.pid) returned exit code '1', the output was 'kill: 39073: No such process'
2024-03-15T00:15:22 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_start (execute task : unbound_configure_do(1))
2024-03-15T00:15:22 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_start (1)

If I reboot the unbound service manually the following errors appear in the log:
Code: [Select]
2024-03-15T22:02:01 Error opnsense /usr/local/sbin/pluginctl: The command '/sbin/mount -r -t nullfs '/lib' '/var/unbound/lib'' returned exit code '1', the output was 'mount_nullfs: /var/unbound/lib: Resource deadlock avoided'
2024-03-15T22:02:01 Error opnsense /usr/local/sbin/pluginctl: The command '/sbin/umount '/var/unbound/lib'' returned exit code '1', the output was 'umount: unmount of /var/unbound/lib failed: Device busy'

Unbound is working correctly and the /var/unbound/lib folder is mounted/present on the host.

It's a very fresh OPNsense 24.1.3_1-amd64 installation. I've googled and searched this forum for these errors with no luck.
Is there anything I can do to get rid of them?

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2