linux-system-roles / firewall

Configure firewalld and system-config-firewall
https://linux-system-roles.github.io/firewall/
GNU General Public License v2.0

No firewall backend could be imported. #169

Closed JasonN3 closed 1 year ago

JasonN3 commented 1 year ago

What happened: During the MSSQL role, it can optionally call this role to add port 1433/tcp. When adding, it returns the error: No firewall backend could be imported.

What you expected to happen: Successfully add the firewall port

How to reproduce it (as minimally and precisely as possible):

  1. Install a minimal RHEL 8.8 VM
  2. Install the system roles
  3. Clone the latest mssql role to /usr/share/ansible/roles as microsoft.sql-server
  4. Clone the latest firewall role to /usr/share/ansible/roles as fedora.linux_system_roles.firewall
  5. Run the below playbook
    - hosts: localhost
      vars:
        mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula: true
        mssql_accept_microsoft_cli_utilities_for_sql_server_eula: true
        mssql_accept_microsoft_sql_server_standard_eula: true
        mssql_version: 2019
        mssql_password: "<password>"
        mssql_edition: Evaluation
        mssql_manage_firewall: true
        mssql_ad_configure: true
        mssql_ad_join: false
        mssql_ad_netbios_name: <domain_short>
        mssql_ad_sql_user: "<sql_user>"
        mssql_ad_sql_password: "<sql_password>"
        ad_integration_realm: <domain_fqdn>
        mssql_post_input_sql_content: |-
          USE master;
          IF NOT EXISTS (
            SELECT name FROM sys.server_principals
            WHERE name = '<user>'
          )
          BEGIN
            PRINT 'A <user> login does not exist, creating';
            CREATE LOGIN [<user>] FROM WINDOWS;
            PRINT 'The <user> login created successfully';
          END
          ELSE
          BEGIN
            PRINT 'A <user> login already exists, skipping'
          END
      roles:
        - microsoft.sql-server

Anything else we need to know?: This was also tested using the version of rhel-system-roles.firewall that's included in the package rhel-system-roles.noarch. I also tried setting SELinux to permissive, but it did not change the error message.

Environment:

Full error message:

failed: [localhost] (item={'port': '1433/tcp', 'state': 'enabled', 'permanent': True, 'runtime': True}) => {"ansible_loop_var": "item", "changed": false, "item": {"permanent": true, "port": "1433/tcp", "runtime": true, "state": "enabled"}, "msg": "No firewall backend could be imported."}
richm commented 1 year ago

Can you provide the log? I'd like to see the firewall section of the logs to see if it is installing packages and, if so, which packages were installed

JasonN3 commented 1 year ago

Here's the log starting when it calls this role:

TASK [Open the TCP port 1433] ****************************************************************************************************************************************************

TASK [fedora.linux_system_roles.firewall : Setup firewalld] **********************************************************************************************************************
included: /usr/share/ansible/roles/fedora.linux_system_roles.firewall/tasks/firewalld.yml for localhost

TASK [fedora.linux_system_roles.firewall : Ensure ansible_facts used by role] ****************************************************************************************************
skipping: [localhost]

TASK [fedora.linux_system_roles.firewall : Install firewalld] ********************************************************************************************************************
ok: [localhost]

TASK [fedora.linux_system_roles.firewall : Collect service facts] ****************************************************************************************************************
skipping: [localhost]

TASK [fedora.linux_system_roles.firewall : Attempt to stop and disable conflicting services] *************************************************************************************
skipping: [localhost] => (item=nftables) 
skipping: [localhost] => (item=iptables) 
skipping: [localhost] => (item=ufw) 
skipping: [localhost]

TASK [fedora.linux_system_roles.firewall : Unmask firewalld service] *************************************************************************************************************
ok: [localhost]

TASK [fedora.linux_system_roles.firewall : Enable and start firewalld service] ***************************************************************************************************
ok: [localhost]

TASK [fedora.linux_system_roles.firewall : Check if previous replaced is defined] ************************************************************************************************
ok: [localhost]

TASK [fedora.linux_system_roles.firewall : Get config files, checksums before and remove] ****************************************************************************************
skipping: [localhost]

TASK [fedora.linux_system_roles.firewall : Tell firewall module it is able to report changed] ************************************************************************************
skipping: [localhost]

TASK [fedora.linux_system_roles.firewall : Configure firewall] *******************************************************************************************************************
failed: [localhost] (item={'port': '1433/tcp', 'state': 'enabled', 'permanent': True, 'runtime': True}) => {"ansible_loop_var": "item", "changed": false, "item": {"permanent": true, "port": "1433/tcp", "runtime": true, "state": "enabled"}, "msg": "No firewall backend could be imported."}
richm commented 1 year ago

ah - this is the "must use explicit -c local against localhost or modules won't be found" - see https://access.redhat.com/solutions/6726561

JasonN3 commented 1 year ago

That resolved it. I did an explicit inventory file that specified ansible_connection=local for localhost and it was able to add the rule. Is it possible to add a warning to ansible itself to warn about that situation since the error message is not helpful and it sounds like it affects more than just this role? I can submit a BZ if you think it's worth it

richm commented 1 year ago

> That resolved it. I did an explicit inventory file that specified ansible_connection=local for localhost and it was able to add the rule. Is it possible to add a warning to ansible itself to warn about that situation since the error message is not helpful and it sounds like it affects more than just this role?

It affects every ansible module that uses a python library that isn't provided by the modular python used by the ansible command.

> I can submit a BZ if you think it's worth it

Sure - please submit a BZ
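The error in this thread is the role's firewall module reporting that its Python interpreter cannot import the firewalld bindings, and richm's point is that which interpreter runs the module depends on how Ansible connects to the host. The script below is an added diagnostic written for this thread; it is not code from the linux-system-roles/firewall project. It checks, for each candidate interpreter, whether the `firewall.client` bindings (the python3-firewall package) can be imported, and writes the inventory workaround JasonN3 used. The interpreter list is an assumption for a RHEL 8 host; adjust it for yours.

```shell
#!/bin/sh
# Added diagnostic for "No firewall backend could be imported." (not part of
# the linux-system-roles/firewall role). The role's module needs the Python
# firewalld bindings (firewall.client, from python3-firewall) in whatever
# interpreter Ansible selects for the task, and that selection differs between
# the local and the ssh connection plugin, so the same play can pass with
# ansible_connection=local and fail without it.

# check_python_import INTERPRETER [MODULE]
#   returns 0 if INTERPRETER can import MODULE (default: firewall.client),
#           1 if the import fails,
#           2 if INTERPRETER is not found on PATH.
check_python_import() {
    interp="$1"
    mod="${2:-firewall.client}"
    command -v "$interp" >/dev/null 2>&1 || return 2
    "$interp" -c "import $mod" >/dev/null 2>&1 && return 0
    return 1
}

# report_backends: try the interpreters Ansible commonly discovers on RHEL 8
# (assumed list; edit for your host) and print one line per interpreter.
# Written to be safe under "set -e": the status is captured with "|| rc=$?".
report_backends() {
    for interp in /usr/libexec/platform-python /usr/bin/python3 python3; do
        rc=0
        check_python_import "$interp" firewall.client || rc=$?
        case $rc in
            0) echo "$interp: firewall.client importable" ;;
            1) echo "$interp: firewall.client NOT importable (python3-firewall missing for this interpreter)" ;;
            2) echo "$interp: not present" ;;
        esac
    done
}

# write_local_inventory FILE: write the workaround from the thread, an explicit
# inventory entry that forces the local connection plugin for localhost.
write_local_inventory() {
    printf '%s\n' '[local]' 'localhost ansible_connection=local' > "$1"
}

report_backends
```

Run it on the managed node as the same user Ansible uses; an interpreter that prints "NOT importable" is one that will fail the role's Configure firewall task if Ansible selects it. The fix is then either the inventory entry written by `write_local_inventory` (for plays against localhost) or installing python3-firewall for the interpreter Ansible actually discovers.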