Disabled service won't start and apply config properly (firewalld)

asked 2015-09-10 16:13:13 -0500

RCMMike

I'm trying to make sure a firewall - in this case, firewalld, via the crayfishx/firewalld module - is enabled and starts before I configure it.

class common::firewall inherits common {
    service { 'firewalld':
        enable => true,
        ensure => running,
        before => Firewalld_zone['public'],
    } 
    firewalld_zone { 'public':
        ensure => present,
        target => '%%REJECT%%',
        purge_rich_rules => true,
        purge_services => true,
        before => Firewalld_service['Allow SSH'],
        require => Service['firewalld'],
    }
    firewalld_service { 'Allow SSH':
        ensure => present,
        zone => 'public',
        service => 'ssh',
        require => Service['firewalld'],
    }
}

However, if the service on the node is disabled or stopped via systemctl before the manifest is run, I end up with this:

Error: /Stage[main]/Common::Firewall/Firewalld_zone[public]: Failed to generate additional resources using 'generate': Execution of '/bin/firewall-cmd --permanent --get-zones' returned 252: FirewallD is not running
Info: Applying configuration version '1441918176'
...
Debug: Executing '/bin/systemctl is-active firewalld'
Debug: Executing '/bin/systemctl is-enabled firewalld'
Debug: Executing '/bin/systemctl start firewalld'
Debug: Executing '/bin/systemctl is-enabled firewalld'
Notice: /Stage[main]/Common::Firewall/Service[firewalld]/ensure: ensure changed 'stopped' to 'running'
Debug: /Stage[main]/Common::Firewall/Service[firewalld]: The container Class[Common::Firewall] will propagate my refresh event
Info: /Stage[main]/Common::Firewall/Service[firewalld]: Unscheduling refresh on Service[firewalld]
Debug: Executing '/bin/firewall-cmd --permanent --get-zones'
Debug: Executing '/bin/firewall-cmd --permanent --zone=public --get-target'
Debug: Executing '/bin/firewall-cmd --permanent --zone public --list-services'
Debug: Class[Common::Firewall]: The container Stage[main] will propagate my refresh event
Debug: Finishing transaction 39925060

The first time through, it throws an error trying to get firewalld running, but does get it at least running on this trip.

If I rerun the agent after that...

Debug: /Stage[main]/Common::Firewall/Service[firewalld]/before: requires Firewalld_zone[public]
Debug: /Stage[main]/Common::Firewall/Firewalld_zone[public]/require: requires Service[firewalld]
Debug: /Stage[main]/Common::Firewall/Firewalld_zone[public]/before: requires Firewalld_service[Allow SSH]
Debug: /Stage[main]/Common::Firewall/Firewalld_service[Allow SSH]/require: requires Service[firewalld]
Debug: Executing '/bin/firewall-cmd --permanent --get-zones'
Debug: Executing '/bin/firewall-cmd --permanent --zone=public --list-rich-rules'
Debug: Executing '/bin/firewall-cmd --permanent --get-zones'
Debug: /Stage[main]/Common::Firewall/Firewalld_zone[public]: not purging puppet controlled service ssh
Debug: Executing '/bin/firewall-cmd --permanent --zone=public --list-services'

...it does finally apply the rules on the now-running service. But again, if I stop the service, it happens again on the next go-around.

What am I doing wrong? Is it supposed to just try to apply the changes on the next go-around?


2 Answers


answered 2015-09-11 09:14:48 -0500

updated 2015-09-11 09:15:20 -0500

In the first section, try adding the zone to the service:

class common::firewall inherits common {
    service { 'firewalld':
        enable => true,
        ensure => running,
        zone   => 'public',
        before => Firewalld_zone['public'],
    }

answered 2015-09-11 10:57:56 -0500

GregLarkin

I don't see anything wrong with your code in terms of the dependency ordering, but there are extra require attributes that can be omitted. I'd like to know if the code below works any differently. Technically, it shouldn't, but if it does, please post back here.

class common::firewall inherits common {
    service { 'firewalld':
        enable => true,
        ensure => running,
        before => Firewalld_zone['public'],
    } 
    firewalld_zone { 'public':
        ensure => present,
        target => '%%REJECT%%',
        purge_rich_rules => true,
        purge_services => true,
        before => Firewalld_service['Allow SSH'],
    }
    firewalld_service { 'Allow SSH':
        ensure => present,
        zone => 'public',
        service => 'ssh',
    }
}
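The log in the question explains the behaviour both answers are puzzled by: the `Failed to generate additional resources using 'generate'` error is printed before `Info: Applying configuration version`, i.e. before any resource, including `Service['firewalld']`, has been applied. A Puppet transaction calls every resource's `generate` hook up front and only then walks the catalog in `before`/`require` order, so no dependency edge can make the service start first. The second run's `not purging puppet controlled service ssh` line shows that the module's `purge_services`/`purge_rich_rules` sweep is what lives in that hook, which is the security-relevant consequence: on a run where firewalld was stopped, the error is logged, the zone and the SSH rule are still applied, but nothing unmanaged is purged from the zone until the next run. The model below is an added illustration, not code from the question, the crayfishx/firewalld module or Puppet; the host state, the stray `telnet` entry and the resource bodies are constructed, and only the phase ordering and the purge-via-generate behaviour are taken from the log above.

```python
"""Model of why `before`/`require` cannot help a generate-driven resource."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


class GenerateError(Exception):
    """Stand-in for `firewall-cmd --permanent ...` exiting 252 while firewalld is down."""


@dataclass
class Host:
    """Constructed node state: whether firewalld is active and what the public zone allows."""
    firewalld_running: bool = False
    # Constructed: a stray 'telnet' entry that purge_services => true should remove.
    zone_services: Dict[str, Set[str]] = field(default_factory=lambda: {"public": {"telnet"}})

    def firewall_cmd_permanent(self, *args: str) -> Set[str]:
        """Mimics the CLI: every --permanent query fails while the daemon is stopped."""
        if not self.firewalld_running:
            raise GenerateError("Execution of 'firewall-cmd --permanent " + " ".join(args)
                                + "' returned 252: FirewallD is not running")
        return set(self.zone_services.get("public", set()))


@dataclass
class Resource:
    name: str
    apply: Callable[[Host], None]
    generate: Optional[Callable[[Host], List["Resource"]]] = None
    before: List[str] = field(default_factory=list)
    require: List[str] = field(default_factory=list)


def topo_order(catalog: Dict[str, Resource]) -> List[str]:
    """Order resources so every before/require edge is honoured (Kahn-style)."""
    deps: Dict[str, Set[str]] = {n: set(r.require) for n, r in catalog.items()}
    for n, r in catalog.items():
        for target in r.before:
            deps[target].add(n)
    ordered: List[str] = []
    while len(ordered) < len(catalog):
        done = set(ordered)
        ready = sorted(n for n in catalog if n not in done and deps[n] <= done)
        if not ready:
            raise ValueError("dependency cycle")
        ordered.extend(ready)
    return ordered


def run_transaction(resources: Dict[str, Resource], host: Host) -> List[str]:
    """Phase 1: call generate on every resource. Phase 2: apply in dependency order."""
    log: List[str] = []
    catalog = dict(resources)
    for name, res in resources.items():
        if res.generate is None:
            continue
        try:
            for extra in res.generate(host):  # runs before ANY resource is applied
                catalog[extra.name] = extra
        except GenerateError as exc:
            # The error is logged and the run carries on; only the generated resources are lost.
            log.append(f"Error: {name}: Failed to generate additional resources using 'generate': {exc}")
    log.append("Info: Applying configuration")
    for name in topo_order(catalog):
        catalog[name].apply(host)
        log.append(f"Notice: {name}: applied")
    return log


def firewall_catalog(managed: Set[str] = frozenset({"ssh"})) -> Dict[str, Resource]:
    """The three resources from the question, with purge_services modelled as a generate hook."""
    def start_firewalld(h: Host) -> None:
        h.firewalld_running = True

    def ensure_zone(h: Host) -> None:
        h.zone_services.setdefault("public", set())

    def allow_ssh(h: Host) -> None:
        h.zone_services["public"].add("ssh")

    def purge_unmanaged(h: Host) -> List[Resource]:
        extras = []
        for svc in sorted(h.firewall_cmd_permanent("--zone=public", "--list-services")):
            if svc in managed:
                continue  # 'not purging puppet controlled service ssh'
            extras.append(Resource(f"Firewalld_service[purge {svc}]",
                                   apply=lambda h2, s=svc: h2.zone_services["public"].discard(s),
                                   require=["Firewalld_zone[public]"]))
        return extras

    return {
        "Service[firewalld]": Resource("Service[firewalld]", start_firewalld,
                                       before=["Firewalld_zone[public]"]),
        "Firewalld_zone[public]": Resource("Firewalld_zone[public]", ensure_zone, generate=purge_unmanaged,
                                           before=["Firewalld_service[Allow SSH]"],
                                           require=["Service[firewalld]"]),
        "Firewalld_service[Allow SSH]": Resource("Firewalld_service[Allow SSH]", allow_ssh,
                                                 require=["Service[firewalld]"]),
    }


def two_runs():
    """Two agent runs against a node where firewalld starts out stopped."""
    host = Host()
    first = run_transaction(firewall_catalog(), host)
    after_first = set(host.zone_services["public"])
    second = run_transaction(firewall_catalog(), host)
    after_second = set(host.zone_services["public"])
    return first, after_first, second, after_second
```

Calling `two_runs()` reproduces the thread: the first run logs the generate error, starts firewalld and adds the SSH rule, but the stray `telnet` entry survives; the second run's generate succeeds and purges it. The practical takeaway is that the service has to be running before the agent run begins (check with `firewall-cmd --state` on the node), and that a run which printed this error should be treated as one in which the purge did not happen.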


Last updated: Sep 11 '15