dmauser / opnazure

This template allows you to deploy an OPNsense Firewall Azure VM using the opnsense-bootstrap installation method

waagent service not running after project deployment

fraktury opened this issue

Hello,

I deployed the model "Existing VNET + OPNsense with two NICs (Untrusted/Trusted)" and everything went very well. After the various automated steps, I can access the Opnsense interface but on the Azure console it is indicated that the agent is not communicating.
Connecting over SSH, here is what I get:

service waagent status

waagent is not running

service waagent start

Starting waagent.
env: python: No such file or directory
/etc/rc.d/waagent: WARNING: failed to start waagent

Before digging deeper, has anyone already encountered this problem? During the installation (configuration phase), the agent seemed to be communicating fine.

Regards
Bailleul Matthieu

Currently working on this issue.

Fixed in the new version.
This issue will be automatically closed once the fix gets merged to master.

Hello,
Many thanks for your work. Unfortunately, I had to advance on the old version. Do you have a little procedure on how to make the agent communicate on an already deployed instance?
Regards,

@fraktury, here is the list of changes I had to do:

  • Install the latest version of WALinuxAgent (2.4.0.2); it's done in the configureopnsense.sh script (lines 57 to 62). You can check the change here:
    # Add Azure waagent
  • Python 2 is no longer supported and was removed from OPNsense. I had to add a symbolic link for Python 3 (line 65):
    ln -s /usr/local/bin/python3.8 /usr/local/bin/python
  • There is a static route being added somewhere that breaks the communication with the local gateway of the Trusted interface, which was blocking the WALinuxAgent communication. I added a startup script to keep removing this broken route (lines 72 to 77):
    # Remove wrong route at initialization
  • By default OPNsense doesn't force the traffic coming in on one interface to be returned via the same interface. It was breaking the Azure Load Balancer for the Active-Active scenario and also the communication to WALinuxAgent. To fix this problem I had to do the following steps:
    • Create a Gateway in OPNsense for the Trusted NIC in config.xml (lines 652 until 664):
      <gateways>
    • Disable the Anti-lockout rules because they were being applied before the firewall rules that require "reply-to" (line 221):
      <noantilockout>1</noantilockout>
    • Created a firewall rule for the Trusted NIC with reply-to using the Trusted NIC gateway created above, to force the reply of an Azure Internal Load Balancer out of the right NIC (lines 350 until 376):

Those were all the changes I had to do to make WALinuxAgent work with OPNsense. It also fixes the communication with the Azure Load Balancer.

CC: @dmauser
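As an added example (not code from the opnazure repo or from this thread), here is a small POSIX sh pre-flight check for an already-deployed instance, covering the conditions the list above identifies before `service waagent start` is retried: a `python` interpreter on PATH, the anti-lockout setting, and a `<gateways>` section in config.xml. The path arguments, the FreeBSD/OPNsense layout and the exact strings matched in config.xml are assumptions based on the snippets quoted above.

```shell
#!/bin/sh
# Added example (not from the opnazure repo): pre-flight checks for an
# already-deployed OPNsense VM before `service waagent start` is retried.
# Paths are parameters (assumption: FreeBSD/OPNsense layout) so the checks
# also run against a staging root.

# waagent is launched via `env python`, so an interpreter named "python"
# must exist. 0 = present, 1 = only python3.x found (prints the ln command),
# 2 = no python3 at all.
check_python_link() {
    bin="${1:-/usr/local/bin}"
    if [ -x "$bin/python" ]; then
        echo "ok: $bin/python present"; return 0
    fi
    py3=""
    for p in "$bin"/python3.[0-9] "$bin"/python3.[0-9][0-9]; do
        if [ -x "$p" ]; then py3="$p"; fi   # last match is the newest
    done
    if [ -z "$py3" ]; then
        echo "missing: no python3.x in $bin"; return 2
    fi
    echo "missing: run 'ln -s $py3 $bin/python'"; return 1
}

# Config checks from the list above: anti-lockout disabled and a <gateways>
# section present for the reply-to rule. 0 only if both hold, 2 if unreadable.
check_config() {
    cfg="${1:-/conf/config.xml}"
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    fail=0
    if ! grep -q '<noantilockout>1</noantilockout>' "$cfg"; then
        echo "anti-lockout still active: set <noantilockout>1</noantilockout>"
        fail=1
    fi
    if ! grep -q '<gateways>' "$cfg"; then
        echo "no <gateways> section: add a gateway for the Trusted NIC"
        fail=1
    fi
    return $fail
}

# Interpret `service waagent status` output ("waagent is running as pid N."
# vs "waagent is not running"). 0 when the agent is up.
waagent_running() {
    case "$1" in
        *"is running"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

On the VM itself, source the file and run `check_python_link && check_config && waagent_running "$(service waagent status 2>&1)"`; a non-zero exit from any step names the missing piece.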