Wow! That is a tough one! I honestly do not know.
How about under wiki.ipfire.org - Noteworthy packages with the title of “fcron”?
You can click here to get started:
https://wiki.ipfire.org/pkgs/fcron
Just click the CREATE NOW button.
Thanks Jon. That helps.
I don’t have the time to do it now as I am having to work on my mail server as the main disk is starting to fail but I know how to approach it now, when I get round to it.
@bonnietwin I take the offer
Purpose: changing RPF from strict to relaxed when my web server issues a certbot renew
(see Reverse Path Filtering prevents certbot renewal using HTTP-1 acme-challenge - #2 by cfusco for context).
I followed your tutorial almost to the letter, with the purpose to execute a script that sets RPF to 2 and then after 15 minutes it reverts to the default. During that window, my webserver is free to issue a certbot renew command.
This is the fcrontab for the fcronuser:
```
0 0 * * 7 "sudo /home/cfusco/bin/rpf.sh 2"
15 0 * * 7 "sudo /home/cfusco/bin/rpf.sh 1"
```
This is the script it calls:
```bash
#!/bin/bash

###########################################################
# set strictness of Reverse Path Filtering; see RFC 3704, #
# section 2.2: 1, RPF strict; 2, RPF relaxed              #
###########################################################

###### Initialization steps ######
LOG="/home/cfusco/bin/log_RPF.txt"
exec 1>>$LOG 2>&1 # write stdout to $LOG, stderr goes to stdout
level=$1 # 1 for strict or 2 for relaxed

##### Functions ######
function run() { # wrapper call for error handling, spins a subshell
    cmd_output=$(eval $1)
    return_value=$?
    [[ $return_value != 0 ]] && echo "Command $1 failed" && echo -e "${cmd_output}" \
        || echo -e "* $1 Output:\n${cmd_output}" "\nCommand $1 succeeded."
    return $return_value
}

function logDate() { # log a time stamped message
    date=$(date '+%Y-%m-%d %H:%M:%S')
    echo -e "\n---\n" "$date" ": $1 \n---"
}

function changeRPF() { # change RPF value
    if [[ $level == 1 || $level == 2 ]]; then
        sysctl net.ipv4.conf.default.rp_filter=$level
        sysctl net.ipv4.conf.all.rp_filter=$level
    else
        echo "either 1 or 2, instead you entered: "$level
        return -1
    fi
}

##### Main Routine ######
logDate "Changing RPF strictness"
run "changeRPF"
```
The error I got in the logs is:
```
---
2022-09-11 00:00:00 : Changing RPF strictness
---
/home/cfusco/bin/rpf.sh: line 29: sysctl: command not found
/home/cfusco/bin/rpf.sh: line 30: sysctl: command not found
* changeRPF Output:
Command changeRPF failed.
---
2022-09-11 00:15:00 : Changing RPF strictness
---
/home/cfusco/bin/rpf.sh: line 29: sysctl: command not found
/home/cfusco/bin/rpf.sh: line 30: sysctl: command not found
* changeRPF Output:
Command changeRPF failed.
```
Do you have any idea why, when executing the script, fcronuser cannot find sysctl? It’s not a matter of permission, because if I run the command as user cfusco, I get
```
---
2022-09-11 11:27:53 : Changing RPF strictness
---
sysctl: permission denied on key "net.ipv4.conf.default.rp_filter"
sysctl: permission denied on key "net.ipv4.conf.all.rp_filter"
Command changeRPF failed
```
I am lost here.
Hi @cfusco
Always glad to try and help if I am able to.
In this case I may be able to help. When a system user is created, without a home directory then sometimes the path environment variable for that user does not cover what you want to access. Also I have sometimes found that no matter what I do with a path environment variable cron or fcron refuse to be able to find a binary.
Therefore I always write the cron/fcron binary command with a full path specified.
I would give that a try and see if it solves your issue.
If it doesn’t solve the issue then I will need to test out your script and commands in my vm testbed to obtain a better idea.
Incidentally, I am also using letsencrypt on my network but I currently don’t have a webserver running so I am doing the http-01 challenge with the certbot standalone command and it starts up a webserver just for the challenge and afterwards shuts it down. I don’t have any issues with RPF. My certificates were successfully updated about 10 days ago.
I will eventually put a web server in place for a webmail system and will then be doing the same as you. Will let you know how that goes when I get round to it and if I see the same issue as you have been experiencing.
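Added example, not part of any post in this thread: a PATH-independent variant of the RPF toggle that looks up `sysctl` in a fixed directory list and rejects any level other than 1 or 2 before touching the kernel setting. The directory list, the function names and the exit codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: resolve sysctl without relying on the PATH that fcron hands
# to the job. SBIN_DIRS is an assumed list; adjust it for your system.
SBIN_DIRS="/usr/sbin /sbin /usr/bin /bin"

# resolve_bin NAME [DIR...]: print the absolute path of NAME found in a fixed
# directory list, ignoring $PATH entirely. Returns 1 if it is not found.
resolve_bin() {
    rb_name=$1; shift
    [ "$#" -gt 0 ] || set -- $SBIN_DIRS
    for rb_dir in "$@"; do
        if [ -x "$rb_dir/$rb_name" ] && [ ! -d "$rb_dir/$rb_name" ]; then
            printf '%s\n' "$rb_dir/$rb_name"
            return 0
        fi
    done
    return 1
}

# valid_level LEVEL: accept only 1 (strict) or 2 (relaxed), as in the thread.
valid_level() {
    case $1 in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# set_rpf LEVEL [DIR...]: validate the level, resolve sysctl, set both keys.
# Returns 2 for a bad level, 127 if sysctl is missing, else sysctl's status.
set_rpf() {
    sr_level=$1; shift
    valid_level "$sr_level" || { echo "level must be 1 or 2, got: $sr_level" >&2; return 2; }
    sr_sysctl=$(resolve_bin sysctl "$@") || { echo "sysctl not found" >&2; return 127; }
    "$sr_sysctl" "net.ipv4.conf.default.rp_filter=$sr_level" &&
    "$sr_sysctl" "net.ipv4.conf.all.rp_filter=$sr_level"
}

# Apply only when a level is passed on the command line (as fcron would).
if [ "$#" -gt 0 ]; then
    set_rpf "$1"
fi
```

Returning 127 when the binary is missing mirrors the shell's own "command not found" status, so a broken job is easy to tell apart from a rejected level in the log.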
That you do, and I am extremely grateful for that. Thank you.
You did indeed. It was so obvious, I feel silly not to have connected my brain. It works beautifully now.
That would be great, especially if you post it in that thread. Thank you again.
@bonnietwin I hope you do not mind that I did it. The procedure is correct as I have tested it myself. The text is only occasionally modified just for minor adjustments to a wiki entry style, but feel free to change it as you deem necessary. Thank you for the great tutorial.
No problems at all. I have been strapped for time so haven’t been able to get round to it. Glad you could help.
Just had a look through the new fcron wiki entry you created. It looks great.