How to Use Rescue Mode, Firewall locked out in PROXMOX

Rescue Mode allows you to check the health of your Dedicated Server’s hardware and connect to it via SSH to perform different troubleshooting tasks; a few of which are:

Launch an fsck/e2fsck
Access the file system
Fix misconfigurations
Backup data
Check hardware devices

Prerequisites

Booting in Rescue Mode

Log in to the OVHcloud Manager and select the server in question under “Dedicated servers” on the left-hand sidebar. On the “Server status” page, click Modify next to “Boot”. From the pop-up menu, select the Boot in rescue mode option and then select rescue64-pro from the “Rescue available” drop-down menu.

After changing the boot setting, click the Actions button in the top-right corner and select Restart . The server is now in Rescue Mode.

Next, you will receive an email that contains new credentials to access the server via SSH. The email will also contain a link to a web interface from which you can perform various hardware tests. For more information about this, please check out the Performing a Hardware Check section of this article.

Note: If you do not see the email within five minutes of rebooting your server, please check your Spam folder.

When you are finished working in Rescue Mode, return to the OVHcloud Manager in your browser, change the “Boot” option back to “Boot from the hard disk” and then restart your server.

Mounting the Partition

To SSH into your server use the login credentials that were received via email. For more information regarding SSH, please check out our Getting Started with SSH article.

Once connected, locate the storage device for your Dedicated server, then mount it to the Rescue Mode environment.

Examples of the standard naming convention for different storage are:

  • /dev/sdX for SCSI and SATA devices
  • /dev/nvmeXnX for NVMe devices
  • /dev/mdX for RAID devices

Note: Please keep in mind that by default the storage for the Dedicated server is configured to use RAID 1 (mirroring), so the device address will be: /dev/mdX.
Additionally, if during the installation of the operating system you opted out of using RAID, then the device address (e.g. /dev/sdX) and the partition will need to be mounted.

To view the storage devices that your server has, use the parted utility. Below is an example of the command and it’s output:

server# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 150G 0 loop
loop1 7:1 0 300G 0 loop
loop2 7:2 0 250G 0 loop
loop3 7:3 0 500G 0 loop
loop4 7:4 0 200G 0 loop
sda 8:0 0 1.8T 0 disk
├─sda1 8:1 0 1004.5K 0 part
├─sda2 8:2 0 1.8T 0 part
│ └─md2 9:2 0 1.8T 0 raid1 /
└─sda3 8:3 0 2G 0 part [SWAP]
sdb 8:16 0 1.8T 0 disk
├─sdb1 8:17 0 1004.5K 0 part
├─sdb2 8:18 0 1.8T 0 part
│ └─md2 9:2 0 1.8T 0 raid1 /
└─sdb3 8:19 0 2G 0 part [SWAP]

As per the output, the server is equipped with two SCSI disks (/dev/sda & /dev/sdb) in a software RAID configuration (/dev/md2).

After identifying the storage device, create a root directory within the /mnt directory, then use the mount command to add it to the Rescue Mode environment:

Also you can mount in root folder, use this command mkdir /mnt/root and add all in /mnt/root. Also you can use with no root folder in /mnt/.

Mount command:

mount /dev/md2 /mnt/

Lastly, navigate to the newly mounted device:

cd /mnt/

You now have access to the entire file system.

chroot

Although you can edit the files in the /mnt/ directory, certain commands require root privileges on the system that is installed on the disk. Thus, change the apparent root directory to the directory in which we stored our files using the following command:

chroot /mnt/

You can now run commands on your server in Rescue Mode.

You can mask the service what prevent it from starting.

ln -s /dev/null /etc/systemd/system/pve-firewall.service

But remember to remove the mask it after fixing your issue, otherwise future package upgrades of pve-firewall will fail and you’ll break your installation.

unlink /etc/systemd/system/pve-firewall.service
or

systemctl unmask pve-firewall.service