
Here's an example of the code I use to start my NTP service on CentOS 7.9:

import pexpect
from getpass import getpass

# Read the sudo password once up front; calling getpass() inside the loop
# would prompt for it again on every command.
password = getpass() + "\r"

commands = ["sudo systemctl start ntpd",
            "sudo firewall-cmd --zone=public --add-port=123/udp",
            "sudo firewall-cmd --zone=public --add-service=ntp"]
for c in commands:
    # Answer any (case-insensitive) "password" prompt with the cached password
    # and collect the exit status of the command.
    _, exitstatus = pexpect.run(c,
                                events={"(?i)password": password},
                                withexitstatus=True)
    if exitstatus != 0:
        raise RuntimeError("Could not execute command {0}".format(c))

I mixed the order of the commands and tested the script against several Cisco IOS devices (shutting down everything in between), but regardless of what I started or opened first, everything worked fine (as long as I ran all the commands).

While I have contingency code to make sure the NTP port and service are shut before exiting, I want to start the service first, because if it fails, the firewall is not modified.

Does anyone know of any reason why systemctl cannot be run before firewall-cmd, or vice versa?

Rob G
  • Just set firewall to permanent and start firewall on startup and start ntpd on startup. Why would you do it manually? `because if it fails, the firewall is not modified.` if it fails, there's nothing there, so if it fails you will have two open ports with nothing listening. And it's not like you assume a service will fail, you configure a system and it continues to work. – KamilCuk Jan 25 '22 at 08:18
  • @KamilCuk I know that. However, in my use-case, I cannot assume the `ntp` service (or any service) is installed on a machine, and I cannot have a service running or ports open until needed. My question is, "Is there any reason why `systemctl` cannot be run before `firewall-cmd`"? – Rob G Jan 25 '22 at 10:24
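The ordering concern in the question (start the service first so that a failure leaves the firewall untouched, and close the port again if a later step fails) is essentially a small transaction with rollback. The example below, added here and not part of the question or the comments, shows that pattern in Python. It uses the three commands from the question, pairs each with an assumed "undo" command (`systemctl stop`, `firewall-cmd --remove-port`, `firewall-cmd --remove-service`), runs them through `subprocess` without the pexpect/sudo-password handling of the posted script, and reverts completed steps in reverse order on the first failure. The `make_fake_runner` helper is a constructed stand-in so the logic can be exercised without touching a real host.

```python
import shlex
import subprocess
from typing import Callable, List, Sequence, Tuple

# (command to apply, command that reverts it).  The "apply" commands are the
# ones from the question; the "undo" commands are an assumption about how the
# poster's contingency code would revert each step.
NTP_STEPS: List[Tuple[str, str]] = [
    ("sudo systemctl start ntpd",
     "sudo systemctl stop ntpd"),
    ("sudo firewall-cmd --zone=public --add-port=123/udp",
     "sudo firewall-cmd --zone=public --remove-port=123/udp"),
    ("sudo firewall-cmd --zone=public --add-service=ntp",
     "sudo firewall-cmd --zone=public --remove-service=ntp"),
]

Runner = Callable[[str], int]


def run_local(cmd: str) -> int:
    """Run a command without a shell and return its exit status."""
    return subprocess.run(shlex.split(cmd)).returncode


def make_fake_runner(fail_on: str = None) -> Runner:
    """Constructed stand-in for run_local: every command succeeds except
    the one equal to `fail_on`, which returns exit status 1."""
    def run(cmd: str) -> int:
        return 1 if cmd == fail_on else 0
    return run


def apply_with_rollback(steps: Sequence[Tuple[str, str]],
                        run: Runner = run_local) -> Tuple[bool, List[str]]:
    """Apply steps in order.  On the first failure, run the undo commands of
    the steps already completed, in reverse order, so that a firewall port is
    never left open for a service that did not start.

    Returns (success, executed) where `executed` lists every command handed
    to `run`, in the order it was run (including rollback commands)."""
    executed: List[str] = []
    undo_stack: List[str] = []
    for do_cmd, undo_cmd in steps:
        executed.append(do_cmd)
        if run(do_cmd) == 0:
            undo_stack.append(undo_cmd)
            continue
        # Failure: revert completed steps, most recent first.  Undo failures
        # are not fatal here; the caller still learns the apply failed.
        for undo in reversed(undo_stack):
            executed.append(undo)
            run(undo)
        return False, executed
    return True, executed


if __name__ == "__main__":
    # Dry run against the fake runner: fail on the last step and show the
    # rollback order.  Use run=run_local to execute on a real CentOS host.
    ok, trace = apply_with_rollback(
        NTP_STEPS,
        run=make_fake_runner("sudo firewall-cmd --zone=public --add-service=ntp"))
    print("success:", ok)
    for line in trace:
        print("  ", line)
```

Because the service is the first step, a failure of `systemctl start ntpd` returns before any `firewall-cmd` call is made, which is exactly the property the question asks for; a failure on a later step closes the port that was just opened and stops the service, matching the contingency code the question describes.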

0 Answers