saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Install Salt from the Salt package repositories here:
https://docs.saltproject.io/salt/install-guide/en/latest/
Apache License 2.0

firewalld execution module not listing interface #40639

Closed ikogan closed 6 years ago

ikogan commented 7 years ago

Description of Issue/Question

When running the firewalld.list_zones module, none of the zones seems to have interfaces defined while running firewall-cmd --zone=${zone} --list-interfaces shows interfaces. This creates a problem when running the firewalld.present state as it tries to set the interface every time.

Setup

Rather than paste the sls itself, since it depends a lot on Pillar data, here's the output of salt 'ipa-*' state.show_sls saltenv=Development:

ipa-1:
    ----------
    private:
        ----------
        __env__:
            Development
        __sls__:
            firewall.firewalld
        cmd:
            |_
              ----------
              name:
                  firewall-cmd --reload
            |_
              ----------
              onchanges:
                  |_
                    ----------
                    firewalld:
                        private
            - run
            |_
              ----------
              order:
                  10002
        firewalld:
            |_
              ----------
              name:
                  internal
            |_
              ----------
              interfaces:
                  - ens19
            |_
              ----------
              services:
                  - cockpit
                  - freeipa-ldap
                  - dhcpv6-client
                  - freeipa-replication
                  - freeipa-ldaps
                  - ssh
                  - dns
                  - freeipa-trust
            - present
            |_
              ----------
              order:
                  10003
    public:
        ----------
        __env__:
            Development
        __sls__:
            firewall.firewalld
        cmd:
            |_
              ----------
              name:
                  firewall-cmd --reload
            |_
              ----------
              onchanges:
                  |_
                    ----------
                    firewalld:
                        public
            - run
            |_
              ----------
              order:
                  10000
        firewalld:
            |_
              ----------
              name:
                  FedoraServer
            |_
              ----------
              interfaces:
                  - ens18
            |_
              ----------
              services:
                  - cockpit
                  - freeipa-ldap
                  - dhcpv6-client
                  - freeipa-replication
                  - freeipa-ldaps
                  - ssh
                  - dns
                  - freeipa-trust
            - present
            |_
              ----------
              order:
                  10001
ipa-2:
    ----------
    private:
        ----------
        __env__:
            Development
        __sls__:
            firewall.firewalld
        cmd:
            |_
              ----------
              name:
                  firewall-cmd --reload
            |_
              ----------
              onchanges:
                  |_
                    ----------
                    firewalld:
                        private
            - run
            |_
              ----------
              order:
                  10002
        firewalld:
            |_
              ----------
              name:
                  internal
            |_
              ----------
              interfaces:
                  - ens19
            |_
              ----------
              services:
                  - cockpit
                  - freeipa-ldap
                  - dhcpv6-client
                  - freeipa-replication
                  - freeipa-ldaps
                  - ssh
                  - dns
                  - freeipa-trust
            - present
            |_
              ----------
              order:
                  10003
    public:
        ----------
        __env__:
            Development
        __sls__:
            firewall.firewalld
        cmd:
            |_
              ----------
              name:
                  firewall-cmd --reload
            |_
              ----------
              onchanges:
                  |_
                    ----------
                    firewalld:
                        public
            - run
            |_
              ----------
              order:
                  10000
        firewalld:
            |_
              ----------
              name:
                  FedoraServer
            |_
              ----------
              interfaces:
                  - ens18
            |_
              ----------
              services:
                  - cockpit
                  - freeipa-ldap
                  - dhcpv6-client
                  - freeipa-replication
                  - freeipa-ldaps
                  - ssh
                  - dns
                  - freeipa-trust
            - present
            |_
              ----------
              order:
                  10001

Steps to Reproduce Issue

  1. salt '*' firewalld.list_zones
  2. firewall-cmd --zone=${zone} --list-interfaces

Notice that the zone ${zone} in the output of (1) has no interfaces. On a standard Fedora install with no firewall changes, FedoraServer should list all of the physical interfaces on the box. On a standard CentOS install, it should be public. On my machines this runs as follows:

salt --log-level=debug 'ipa-1' firewalld.list_zones:

[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Including configuration from '/etc/salt/master.d/foreman.conf'
[DEBUG   ] Reading configuration from /etc/salt/master.d/foreman.conf
[DEBUG   ] Including configuration from '/etc/salt/master.d/gaea.conf'
[DEBUG   ] Reading configuration from /etc/salt/master.d/gaea.conf
[DEBUG   ] Including configuration from '/etc/salt/master.d/reactor.conf'
[DEBUG   ] Reading configuration from /etc/salt/master.d/reactor.conf
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: foreman.gaea.mythicnet.org
[DEBUG   ] Missing configuration file: /root/.saltrc
[DEBUG   ] Configuration file path: /etc/salt/master
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Including configuration from '/etc/salt/master.d/foreman.conf'
[DEBUG   ] Reading configuration from /etc/salt/master.d/foreman.conf
[DEBUG   ] Including configuration from '/etc/salt/master.d/gaea.conf'
[DEBUG   ] Reading configuration from /etc/salt/master.d/gaea.conf
[DEBUG   ] Including configuration from '/etc/salt/master.d/reactor.conf'
[DEBUG   ] Reading configuration from /etc/salt/master.d/reactor.conf
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: foreman.gaea.mythicnet.org
[DEBUG   ] Missing configuration file: /root/.saltrc
[DEBUG   ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/master', 'foreman.gaea.mythicnet.org_master', 'tcp://127.0.0.1:4506', 'clear')
[DEBUG   ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] LazyLoaded local_cache.get_load
[DEBUG   ] Reading minion list from /var/cache/salt/master/jobs/1f/988eccf8e1948aa78917cc6c40bc0f413896f5bf4ecb469e0b8966c7e9073d/.minions.p
[DEBUG   ] get_iter_returns for jid 20170411131911104224 sent to set(['ipa-freyr.gaea.mythicnet.org']) will timeout at 13:19:16.111071
[DEBUG   ] jid 20170411131911104224 return from ipa-freyr.gaea.mythicnet.org
[DEBUG   ] LazyLoaded nested.output
[DEBUG   ] jid 20170411131911104224 found all minions set(['ipa-freyr.gaea.mythicnet.org'])
ipa-1:
    ----------
    FedoraServer:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
        protocols:
        rich rules:
        services:
             cockpit ssh dhcpv6-client freeipa-replication freeipa-ldap freeipa-ldaps freeipa-trust dns
        source-ports:
        sources:
        target:
             default
    FedoraWorkstation:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
             1025-65535/udp 1025-65535/tcp
        protocols:
        rich rules:
        services:
             dhcpv6-client ssh samba-client
        source-ports:
        sources:
        target:
             default
    block:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
        protocols:
        rich rules:
        services:
        source-ports:
        sources:
        target:
             %%REJECT%%
    dmz:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
        protocols:
        rich rules:
        services:
             ssh
        source-ports:
        sources:
        target:
             default
    drop:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
        protocols:
        rich rules:
        services:
        source-ports:
        sources:
        target:
             DROP
    external:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             yes
        ports:
        protocols:
        rich rules:
        services:
             ssh
        source-ports:
        sources:
        target:
             default
    home:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
        protocols:
        rich rules:
        services:
             ssh mdns samba-client dhcpv6-client
        source-ports:
        sources:
        target:
             default
    internal:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
        protocols:
        rich rules:
        services:
             ssh dhcpv6-client cockpit freeipa-replication freeipa-ldap freeipa-ldaps freeipa-trust dns
        source-ports:
        sources:
        target:
             default
    public:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
        protocols:
        rich rules:
        services:
             ssh mdns dhcpv6-client
        source-ports:
        sources:
        target:
             default
    trusted:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
        protocols:
        rich rules:
        services:
        source-ports:
        sources:
        target:
             ACCEPT
    work:
        ----------
        forward-ports:
        icmp-block-inversion:
             no
        icmp-blocks:
        interfaces:
        masquerade:
             no
        ports:
        protocols:
        rich rules:
        services:
             ssh mdns dhcpv6-client
        source-ports:
        sources:
        target:
             default

Debug log from the minion:

2017-04-11 13:19:19,329 [salt.minion      ][INFO    ][15002] User sudo_user Executing command firewalld.list_zones with jid 20170411131911104224
2017-04-11 13:19:19,329 [salt.minion      ][DEBUG   ][15002] Command details {'tgt_type': 'glob', 'jid': '20170411131911104224', 'tgt': 'ipa-1', 'ret': '', 'user': 'sudo_user', 'arg': [], 'fun': 'firewalld.list_zones'}
2017-04-11 13:19:19,339 [salt.minion      ][INFO    ][15064] Starting a new job with PID 15064
2017-04-11 13:19:19,341 [salt.utils.lazy  ][DEBUG   ][15064] LazyLoaded firewalld.list_zones
2017-04-11 13:19:19,342 [salt.utils.lazy  ][DEBUG   ][15064] LazyLoaded direct_call.get
2017-04-11 13:19:19,343 [salt.loader.salt.int.module.cmdmod][INFO    ][15064] Executing command '/bin/firewall-cmd --list-all-zones --permanent' in directory '/root'
2017-04-11 13:19:19,886 [salt.loader.salt.int.module.cmdmod][DEBUG   ][15064] stdout: FedoraServer
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit ssh dhcpv6-client freeipa-replication freeipa-ldap freeipa-ldaps freeipa-trust dns
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

FedoraWorkstation
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh samba-client
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client cockpit freeipa-replication freeipa-ldap freeipa-ldaps freeipa-trust dns
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
2017-04-11 13:19:19,887 [salt.minion      ][DEBUG   ][15064] Minion return retry timer set to 10 seconds (randomized)
2017-04-11 13:19:19,887 [salt.minion      ][INFO    ][15064] Returning information for job: 20170411131911104224

firewall-cmd --zone=FedoraServer --list-interfaces:

ens18

Versions Report

Version report from the master:

Salt Version:
           Salt: 2016.11.3

Dependency Versions:
           cffi: 1.6.0
       cherrypy: 3.2.2
       dateutil: 1.5
          gitdb: 0.6.4
      gitpython: 1.0.1
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
         pygit2: Not Installed
         Python: 2.7.5 (default, Nov  6 2016, 00:28:07)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.3.0
           RAET: Not Installed
          smmap: 0.9.0
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: centos 7.3.1611 Core
        machine: x86_64
        release: 3.10.0-514.10.2.el7.x86_64
         system: Linux
        version: CentOS Linux 7.3.1611 Core

Version report from ipa-1:

Salt Version:
           Salt: 2016.11.3

Dependency Versions:
           cffi: 1.7.0
       cherrypy: Not Installed
       dateutil: 2.6.0
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8.1
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.25.1
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
         pygit2: Not Installed
         Python: 2.7.13 (default, Jan 12 2017, 17:59:37)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.3.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.4.2
            ZMQ: 4.1.4

System Versions:
           dist: fedora 25 Twenty Five
        machine: x86_64
        release: 4.10.8-200.fc25.x86_64
         system: Linux
        version: Fedora 25 Twenty Five

Firewalld version: 0.4.4.4

Looking at the log, it looks like because the interfaces aren't made permanent explicitly when adding them, they're not returned when running the list commands with --permanent. Even running firewall-cmd --runtime-to-permanent doesn't do it. If I try to manually add the interface to the firewall with --permanent, it mentions that the interface is under the control of NetworkManager and attempting to list the interface with --permanent doesn't work even after that. This seems to be a reasonable hint as to why --permanent, when used with interfaces, doesn't actually apply.

Is it possible to do something different with interfaces than the way they're being looked for now?

gtmanfred commented 7 years ago

It looks like we just provide whatever information --list-all-zones returns.

@dmyerscough it looks like you wrote this module initially and @cmercier you have been doing some work in here recently. Would yall have any insight into why the interfaces were not showing up?

It might be worthwhile to write up a bunch of list- functions, and then tie them all together in the list_zones function.

Thanks, Daniel
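The two observations above (the --permanent view omits interfaces that NetworkManager binds at runtime, and list_zones is only a pass-through of --list-all-zones) come down to how the firewall-cmd output is parsed and which view is parsed. The following is an added example, not Salt's firewalld module and not code from anyone in this thread: it parses the --list-all-zones layout shown in the minion log, queries both the runtime and the permanent view, and reports interfaces that exist only at runtime, which is exactly the drift that makes a `present`-style state re-apply the interface on every run. The function names, the `render_zone` helper, and the sample zones (FedoraServer with ens18, internal with ens19) are constructed for this example.

```python
"""Parse `firewall-cmd --list-all-zones` output and compare the runtime view
with the --permanent view.  Added example; function names and sample data
are constructed, not taken from Salt or from the issue's author."""

import subprocess
from typing import Dict, List

# Field order exactly as firewall-cmd prints it (see the minion debug log).
FIELDS = ["target", "icmp-block-inversion", "interfaces", "sources", "services",
          "ports", "protocols", "masquerade", "forward-ports", "source-ports",
          "icmp-blocks", "rich rules"]


def render_zone(name: str, values: Dict[str, str], active: bool = False) -> str:
    """Render one zone block in the --list-all-zones layout.
    Used only to build the constructed sample output below."""
    lines = [name + (" (active)" if active else "")]
    for field in FIELDS:
        lines.append("  {}: {}".format(field, values.get(field, "")))
    return "\n".join(lines) + "\n\n"


def parse_list_all_zones(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {zone: {field: [tokens]}} from --list-all-zones output.

    Handles the " (active)" suffix that the runtime view appends to zone
    headers and the tab-indented continuation lines firewalld uses to print
    each rich rule on its own line."""
    zones: Dict[str, Dict[str, List[str]]] = {}
    zone = None
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Unindented line: a zone header.
            zone = raw.split()[0]
            zones[zone] = {}
            last_key = None
            continue
        key, sep, value = raw.strip().partition(":")
        if sep and key in FIELDS:
            last_key = key
            if key == "rich rules":
                zones[zone][key] = [value.strip()] if value.strip() else []
            else:
                zones[zone][key] = value.split()
        elif zone is not None and last_key is not None:
            # Continuation line (e.g. one rich rule per line).
            zones[zone][last_key].append(raw.strip())
    return zones


def permanent_only_drift(runtime: Dict[str, Dict[str, List[str]]],
                         permanent: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Interfaces bound to a zone at runtime but absent from the permanent
    config.  These are the NetworkManager-managed bindings the issue describes;
    a state that only reads the permanent view will try to add them every run."""
    drift = {}
    for zone, fields in runtime.items():
        perm_ifaces = set(permanent.get(zone, {}).get("interfaces", []))
        missing = sorted(set(fields.get("interfaces", [])) - perm_ifaces)
        if missing:
            drift[zone] = missing
    return drift


def interfaces_missing_from_zone(desired: List[str],
                                 zones: Dict[str, Dict[str, List[str]]],
                                 zone: str) -> List[str]:
    """Desired interfaces not currently bound to `zone` in the given view.
    Evaluate this against the runtime view to avoid a state that never converges."""
    return sorted(set(desired) - set(zones.get(zone, {}).get("interfaces", [])))


def query_firewalld(permanent: bool) -> Dict[str, Dict[str, List[str]]]:
    """Run firewall-cmd on a real host; permanent=True adds --permanent."""
    cmd = ["firewall-cmd", "--list-all-zones"] + (["--permanent"] if permanent else [])
    return parse_list_all_zones(subprocess.check_output(cmd, universal_newlines=True))


# Constructed samples mirroring the issue: ens18/ens19 are visible only at runtime.
BASE = {"target": "default", "icmp-block-inversion": "no", "masquerade": "no"}
SERVER_SVCS = "cockpit ssh dhcpv6-client freeipa-replication dns"
PERMANENT_SAMPLE = (render_zone("FedoraServer", dict(BASE, services=SERVER_SVCS))
                    + render_zone("internal", dict(BASE, services="ssh dns")))
RUNTIME_SAMPLE = (render_zone("FedoraServer", dict(BASE, services=SERVER_SVCS, interfaces="ens18"), True)
                  + render_zone("internal", dict(BASE, services="ssh dns", interfaces="ens19"), True))

if __name__ == "__main__":
    runtime, permanent = parse_list_all_zones(RUNTIME_SAMPLE), parse_list_all_zones(PERMANENT_SAMPLE)
    print("runtime-only interface bindings:", permanent_only_drift(runtime, permanent))
    print("FedoraServer still needs (runtime view):",
          interfaces_missing_from_zone(["ens18"], runtime, "FedoraServer"))
    print("FedoraServer still needs (permanent view):",
          interfaces_missing_from_zone(["ens18"], permanent, "FedoraServer"))
```

Run on a real Fedora or CentOS host, `permanent_only_drift(query_firewalld(False), query_firewalld(True))` lists the NetworkManager-bound interfaces that `--permanent` hides; a zone state that checks the runtime view for interfaces (and the permanent view for services, ports and rich rules) reports no changes on the second run instead of re-adding ens18 each time.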

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.