linux-system-roles / firewall

Configure firewalld and system-config-firewall
https://linux-system-roles.github.io/firewall/
GNU General Public License v2.0

when firewalld.service is masked, firewall role fails #103

Closed jhutar closed 1 year ago

jhutar commented 2 years ago

What happened: In one lab from where I'm taking systems from time to time they provide RHEL8 systems with firewalld.service masked by default. Running firewall role on them fails.

Maybe this is not a bug report, maybe it is not even a feature request, but still I thought I'd report it, as the capability to deal with this might add another bit of resiliency.

# systemctl status firewalld
● firewalld.service
   Loaded: masked (Reason: Unit firewalld.service is masked.)
   Active: inactive (dead)

What you expected to happen: Given firewall role decided to use firewalld as a provider, it should be able to handle this situation.

How to reproduce it (as minimally and precisely as possible): I think having this:

# rpm -qa | grep -e iptables -e firewalld | sort
firewalld-0.9.3-13.el8.noarch
firewalld-filesystem-0.9.3-13.el8.noarch
iptables-1.8.4-22.el8.x86_64
iptables-ebtables-1.8.4-22.el8.x86_64
iptables-libs-1.8.4-22.el8.x86_64

and firewalld masked and config like this:

    - role: linux-system-roles.firewall
      vars:
        firewall:
          - service: "RH-Satellite-6"
            state: enabled

Anything else we need to know?: N/A

Environment:

# yum info firewalld
Updating Subscription Management repositories.
Satellite 6.12 RHEL8                            163 kB/s | 3.0 kB     00:00    
Satellite Maintenance 6.12 RHEL8                443 kB/s | 2.3 kB     00:00    
Installed Packages
Name         : firewalld
Version      : 0.9.3
Release      : 13.el8
Architecture : noarch
Size         : 2.0 M
Source       : firewalld-0.9.3-13.el8.src.rpm
Repository   : @System
From repo    : rhel-8-for-x86_64-baseos-rpms
Summary      : A firewall daemon with D-Bus interface providing a dynamic
             : firewall
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : firewalld is a firewall service daemon that provides a dynamic
             : customizable firewall with a D-Bus interface.
# cat /etc/firewalld/firewalld.conf | grep FirewallBackend
# FirewallBackend
FirewallBackend=nftables
$ ansible --version
ansible [core 2.12.7]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/jenkins/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.10/site-packages/ansible
  ansible collection location = /home/jenkins/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.6 (main, Aug  2 2022, 00:00:00) [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
  jinja version = 3.0.3
  libyaml = True
$ ansible-galaxy list | grep linux-system-roles.firewall
- linux-system-roles.firewall, 1.4.0

richm commented 2 years ago

Sounds like a bug. Is there a workaround?

jhutar commented 2 years ago

Yep, workaround is to systemctl unmask firewalld.service before triggering linux-system-roles.firewall role, so really nothing too serious.
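An added example, not code from the issue or from the role itself: a playbook that applies the workaround described above automatically, detecting a masked firewalld.service in pre_tasks and unmasking it before the role runs. The host group `all` and the registered variable name `firewalld_enabled_state` are assumptions.

```yaml
# Added example: apply linux-system-roles.firewall on hosts where
# firewalld.service may be masked (the situation reported in this issue).
- name: Apply firewall role even when firewalld.service is masked
  hosts: all            # assumption: adjust to the lab inventory group
  become: true
  pre_tasks:
    - name: Check whether firewalld.service is masked
      # "systemctl is-enabled" prints "masked" (or "masked-runtime") and
      # exits non-zero for a masked unit, so a non-zero rc is not a failure here.
      ansible.builtin.command: systemctl is-enabled firewalld.service
      register: firewalld_enabled_state   # assumed variable name
      changed_when: false
      failed_when: false

    - name: Unmask firewalld.service so the role's firewalld provider can start it
      ansible.builtin.systemd:
        name: firewalld.service
        masked: false
      when: "'masked' in firewalld_enabled_state.stdout"

  roles:
    # Same role invocation as in the issue report.
    - role: linux-system-roles.firewall
      vars:
        firewall:
          - service: "RH-Satellite-6"
            state: enabled
```

On hosts where the unit is not masked the pre_tasks report no change, so the playbook stays idempotent.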