
firewalld::zone purge_ports not purging unmanaged by puppet permanent ports #360

Open
kecurnow opened this issue Dec 12, 2023 · 0 comments


kecurnow commented Dec 12, 2023

When managing the Linux host firewall, I expected that when the purge_XXXX settings were set to true, all the "permanent" configurations would be wiped and only what was set up in Puppet would be "recreated".

However, I am finding that is not happening. I am attempting to manage the standard "default" zone public. The module will add/remove services/ports that are specified in the puppet configuration. If I manually, from the Linux command line, add a new permanent port ... puppet never sees/removes it.

I am managing this module with hiera files. I started with layered hiera & ended up with it all in one hiera file with the same results. Hiera config file below.

The following are the steps & output showing what I saw. Do I have a misconfiguration or misunderstanding of what should happen?

BEFORE

firewall-cmd --list-all

 public (active)
   target: default
   icmp-block-inversion: no
   interfaces: eth0
   sources: 
   services: cockpit https ssh
   ports: 10050/tcp
   protocols: 
   forward: no
   masquerade: no
   forward-ports: 
   source-ports: 
   icmp-blocks: timestamp-reply timestamp-request

Adding new permanent port 8080

firewall-cmd --zone=public --permanent --add-port=8080/tcp && firewall-cmd --reload && firewall-cmd --list-all

 success
 success
 public (active)
   target: default
   icmp-block-inversion: no
   interfaces: eth0
   sources:
   services: cockpit https ssh
   ports: 10050/tcp 8080/tcp
   protocols:
   forward: no
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks: timestamp-reply timestamp-request
   rich rules:

AFTER ... expecting puppet to remove port 8080

puppet agent -t --environment feature_base_linux --no-noop

Info: Refreshing CA certificate
Info: CA certificate is unmodified, using existing CA certificate
Info: Refreshing CRL
Info: CRL is unmodified, using existing CRL
Info: Using environment 'feature_base_linux'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for puppetclient.example.com
Info: Applying configuration version 'puppetserver-feature_base_linux-5855711b892'
Notice: Applied catalog in 11.56 seconds

Port 8080 is still there

firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit https ssh
  ports: 10050/tcp 8080/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: timestamp-reply timestamp-request
  rich rules:

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: Server v2023.4.0 / Agent 8.2.0
  • Ruby: 3.2.2
  • Distribution: RHEL 8.8
  • Module version: 5.0.0

How to reproduce (e.g. Puppet code you use)

puppet agent -t

What are you seeing

Seeing all ports before and after puppet run
/bin/firewall-cmd --zone=public --list-ports
8080/tcp 10050/tcp

What behaviour did you expect instead

10050/tcp

Output log

from puppet agent -t -d

Debug: Executing: '/bin/systemctl is-active -- firewalld'
Debug: Executing: '/bin/systemctl is-enabled -- firewalld'
Debug: Puppet::Type::Firewalld_port::ProviderFirewall_cmd: Executing --state command - current value
Debug: Executing: '/bin/firewall-cmd --state'
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --query-port 10050/tcp'
Notice: /Stage[main]/Firewalld/Firewalld_port[print-api]/ensure: current_value 'absent', should be 'present' (noop)                                                                                               
Debug: /Stage[main]/Firewalld/Firewalld_port[print-api]: The container Class[Firewalld] will propagate my refresh event                                                                                           
Info: /Stage[main]/Firewalld/Firewalld_port[print-api]: Scheduling refresh of Class[Firewalld::Reload]
Debug: Prefetching firewall_cmd resources for firewalld_service
Debug: Executing: '/bin/firewall-cmd --permanent --get-services'
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Debug: /Stage[main]/Firewalld/Firewalld_service[dhcpv6-client]: Nothing to manage: no ensure and the resource doesn't exist                                                                                       
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Debug: /Stage[main]/Firewalld/Firewalld_service[dhcp]: Nothing to manage: no ensure and the resource doesn't exist                                                                                                
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Notice: Class[Firewalld]: Would have triggered 'refresh' from 1 event
Debug: Class[Firewalld]: The container Stage[main] will propagate my refresh event
Notice: Class[Firewalld::Reload]: Would have triggered 'refresh' from 1 event
Info: Class[Firewalld::Reload]: Scheduling refresh of Exec[firewalld::reload]
Debug: /Stage[main]/Firewalld::Reload/Exec[firewalld::reload]: 'firewall-cmd --reload' won't be executed because of failed check 'refreshonly'                                                                    
Notice: /Stage[main]/Firewalld::Reload/Exec[firewalld::reload]: Would have triggered 'refresh' from 1 event                                                                                                       
Debug: /Stage[main]/Firewalld::Reload/Exec[firewalld::reload]: The container Class[Firewalld::Reload] will propagate my refresh event                                                                             
Notice: Class[Firewalld::Reload]: Would have triggered 'refresh' from 1 event
Debug: Class[Firewalld::Reload]: The container Stage[main] will propagate my refresh event
Debug: /Stage[main]/Firewalld::Reload::Complete/Exec[firewalld::complete-reload]: 'firewall-cmd --complete-reload' won't be executed because of failed check 'refreshonly'           

Any additional information you'd like to impart

Puppet configuration

---
firewalld::zone:
  public:
    ensure: present
    target: 'default'
    icmp_blocks: ['timestamp-reply','timestamp-request']
    purge_rich_rules: true
    purge_services: true
    purge_ports: true
firewalld::services:
  'ssh':
    ensure: present
    service: ssh
    zone: public
  'cockpit':
    ensure: present
    service: cockpit
    zone: public
  'dhcpv6-client':
    ensure: absent
    service: dhcpv6-client
    zone: public
  'dhcp':
    ensure: absent
    service: dhcp
    zone: public
  'https':
    ensure: present
    service: https
    zone: public
firewalld::ports:
  'Zabbix':
    ensure: present
    port: 10050
    protocol: 'tcp'
    zone: public
