linux-system-roles / firewall

Configure firewalld and system-config-firewall
https://linux-system-roles.github.io/firewall/
GNU General Public License v2.0

No firewall backend could be imported issue on RHEL 8.6, 8.7 #102

Closed spetrosi closed 2 years ago

spetrosi commented 2 years ago

What happened: I am running this playbook on the latest RHEL 8.6 image:

- hosts: localhost
  vars:
    # Variables to open the probe port configured in Azure in firewall
    firewall:
      - port: 59999/tcp
        state: enabled
        permanent: true
        runtime: true
  roles:
    - fedora.linux_system_roles.firewall

This results in an error:

TASK [fedora.linux_system_roles.firewall : Configure firewall] *******************************************************************************************************************************
failed: [localhost] (item={'port': '59999/tcp', 'state': 'enabled', 'permanent': True, 'runtime': True}) => {"ansible_loop_var": "item", "changed": false, "item": {"permanent": true, "port": "59999/tcp", "runtime": true, "state": "enabled"}, "msg": "No firewall backend could be imported."}

What you expected to happen: Port 59999/tcp to be enabled

How to reproduce it (as minimally and precisely as possible):

  1. Provision a fresh RHEL 8.6 host.
  2. dnf install ansible-core -y
  3. ansible-galaxy collection install fedora.linux_system_roles
  4. Create playbook.yml with the above playbook.
  5. ansible-playbook playbook.yml

Anything else we need to know?: I tested this against RHEL 8.7 composes too. There I tried both fedora.linux_system_roles.firewall and redhat.rhel_system_roles.firewall - same error.

Environment:

richm commented 2 years ago

I've been trying to reproduce without using hosts localhost - I'm using tox -e qemu-ansible-core-2.13 -- --image-name rhel-8 - I cannot reproduce - so perhaps it has something to do with using localhost? If so, then please see https://access.redhat.com/solutions/6726561


Resolution

Choose one of the options below to work around the issue:

    Create an inventory file that lists localhost with the ansible_connection=local option.
        For example, an inventory file with:
            localhost  ansible_connection=local
        Run ansible-playbook and specify that this inventory file should be used:
            ansible-playbook -i inventory <playbook>

    Create an inventory file that lists localhost.
        Note that this will result in ansible-playbook connecting to the localhost over SSH with SSH key authentication, which must have previously been configured.
        For example, an inventory file with:
            localhost
        Run ansible-playbook and specify that this inventory file should be used:
            ansible-playbook -i inventory <playbook>

    Use implicit localhost, with the ansible_python_interpreter variable set to use platform-python
        For example:
            ansible-playbook  <playbook>  -e 'ansible_python_interpreter=/usr/libexec/platform-python'

Root Cause

    RHEL 8.6 uses Ansible Core 2.12 to support RHEL System Roles. Ansible Core 2.12 utilizes Python 3.8 which does not contain all of the required Python modules (for example the blivet module for the storage RHEL System Role).

And - RHEL 8.7 uses Ansible Core 2.13, which uses Python 3.9, which has the same Python library/module problem.
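
An added diagnostic, not part of the original thread or of the role's code: it checks which Python interpreters on a host can import the firewalld bindings, which is the condition behind "No firewall backend could be imported." when implicit localhost runs modules under the interpreter that runs Ansible. It assumes the bindings are importable as `firewall.client`; `python3.8` and `python3.9` are assumed command names for the versions named above, and `/usr/libexec/platform-python` is the path from the quoted solution.

```python
import shutil
import subprocess
import sys

# Interpreters to probe. The first path is quoted in the thread; the python3.x
# names are assumptions for the Python 3.8/3.9 builds mentioned there.
CANDIDATES = ["/usr/libexec/platform-python", "python3.8", "python3.9", sys.executable]

# Child-process snippet: import the module named in argv[1], exit non-zero on failure.
_PROBE = "import importlib, sys; importlib.import_module(sys.argv[1])"


def can_import(interpreter, module):
    """True/False if the interpreter can/cannot import module; None if it is absent."""
    path = shutil.which(interpreter)
    if path is None:
        return None
    try:
        result = subprocess.run(
            [path, "-c", _PROBE, module],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=30,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def probe(module, interpreters=CANDIDATES):
    """Map each candidate interpreter to its can_import() result."""
    return {name: can_import(name, module) for name in interpreters}


def usable(results):
    """Interpreters that are safe values for ansible_python_interpreter."""
    return [name for name, ok in results.items() if ok]


if __name__ == "__main__":
    results = probe("firewall.client")  # assumed module name of the firewalld bindings
    for name, ok in results.items():
        state = {True: "can import", False: "cannot import", None: "not installed"}[ok]
        print(f"{name}: {state} firewall.client")
    good = usable(results)
    if good:
        print(f"suggested: -e 'ansible_python_interpreter={shutil.which(good[0])}'")
    else:
        print("no interpreter on this host can import firewall.client")
```
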

spetrosi commented 2 years ago

True @richm, it was the localhost issue for me. I am not able to reproduce the issue with dbus then. I'll get back to ms folks for more info.