fix: unmask firewalld on run, disable conflicting services

[BrennanPaciorek]

Enhancement: Role will now always attempt to unmask on role execution

add variable 'firewall_disable_conflicting_services' to give the option of disabling of known conflicting services

• Set to false by default

Update README to document the following behavior of the system role:

• linux-system-roles.firewall will attempt to install, unmask, and enable firewalld

• linux-system-roles.firewall can attempt to disable directly conflicting services to firewalld

  • and that is enabled by setting the variable 'firewall_disable_conflicting_services' to true
  • list of conflicting services present in vars/main.yml

  test cases for these changes in tests/tests_default.yml

Reason: role currently fails if firewalld was masked on run conflicting services have the potential to cause errors on role run

• set to false by default due to runtime overhead associated with disabling conflicting services. An example of where this overhead may be a problem is our integration tests that have no need to use the feature.
• Reason for specific implementation - ansible.builtin.service module fails when run to manage services that are not installed on the system, causing errors. While ignoring errors is a potential solution, it seemed like an improper solution as it would not be able to differentiate between an installed service that failing to be stopped and disabled vs a disable that failed due to not being installed.

Result:

• role no longer fails if firewalld is masked
• users have the option to disable conflicting services (iptables.service, nftables.service, ufw.service respectively)

Issue Tracker Tickets (Jira or BZ if any):

• Addresses GitHub Issues: #103, #136

[codecov[bot]]

Codecov Report

Patch and project coverage have no change.

Comparison is base (156614e) 53.62% compared to head (a586d09) 53.62%.

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #154 +/- ## ======================================= Coverage 53.62% 53.62% ======================================= Files 2 2 Lines 800 800 ======================================= Hits 429 429 Misses 371 371 ``` | Flag | Coverage Δ | | |---|---|---| | sanity | `?` | | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=linux-system-roles#carryforward-flags-in-the-pull-request-comment) to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Do you have feedback about the report comment? Let us know in this issue.

[BrennanPaciorek]

This may have become too complex to be just a bug fix, but if we are disabling nftables, I figured it would make sense to disable all known conflicting services and make it an argument for the role to reduce overhead in the cases where doing so is not necessary.

I can additionally separate the two fixes into separate PRs if necessary.

[richm]

This may have become too complex to be just a bug fix, but if we are disabling nftables, I figured it would make sense to disable all known conflicting services and make it an argument for the role to reduce overhead in the cases where doing so is not necessary.

I can additionally separate the two fixes into separate PRs if necessary.

I think it's fine to have a single pr

[richm]

[citest]

[richm]

[citest]

[richm]

We need to move the test from tests_default.yml - that test is only intended to run the role with no parameters. If you can alter another test, please do, otherwise, we will require a new test file.

[BrennanPaciorek]

We need to move the test from tests_default.yml - that test is only intended to run the role with no parameters. If you can alter another test, please do, otherwise, we will require a new test file.

Done. (new test file created, tests_default.yml reverted)

[richm]

[citest]