When managing the Linux host firewall, I expected that when the purge_XXXX settings were set to true, all the "permanent" configurations would be wiped and only what was set up in Puppet would be "recreated".
However, I am finding that this is not happening. I am attempting to manage the standard "default" zone, public. The module will add/remove services/ports that are specified in the Puppet configuration. If I manually, from the Linux command line, add a new permanent port ... Puppet never sees/removes it.
I am managing this module with Hiera files. I started with layered Hiera and ended up with it all in one Hiera file, with the same results. Hiera config file below.
The following are the steps and output showing what I saw. Do I have a misconfiguration or a misunderstanding of what should happen?
BEFORE

```
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit https ssh
  ports: 10050/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: timestamp-reply timestamp-request
```
Adding new permanent port 8080

```
firewall-cmd --zone=public --permanent --add-port=8080/tcp && firewall-cmd --reload && firewall-cmd --list-all
```

AFTER ... expecting puppet to remove port 8080

```
puppet agent -t --environment feature_base_linux --no-noop
Info: Refreshing CA certificate
Info: CA certificate is unmodified, using existing CA certificate
Info: Refreshing CRL
Info: CRL is unmodified, using existing CRL
Info: Using environment 'feature_base_linux'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for puppetclient.example.com
Info: Applying configuration version 'puppetserver-feature_base_linux-5855711b892'
Notice: Applied catalog in 11.56 seconds
```
Port 8080 is still there

```
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit https ssh
  ports: 10050/tcp 8080/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: timestamp-reply timestamp-request
  rich rules:
```
Affected Puppet, Ruby, OS and module versions/distributions
Puppet: Server v2023.4.0 / Agent 8.2.0
Ruby: 3.2.2
Distribution: RHEL 8.8
Module version: 5.0.0
How to reproduce (e.g. Puppet code you use)

```
puppet agent -t
```
What are you seeing
Seeing all ports before and after puppet run

```
/bin/firewall-cmd --zone=public --list-ports
8080/tcp 10050/tcp
```
What behaviour did you expect instead
10050/tcp
Output log
from puppet agent -t -d
```
Debug: Executing: '/bin/systemctl is-active -- firewalld'
Debug: Executing: '/bin/systemctl is-enabled -- firewalld'
Debug: Puppet::Type::Firewalld_port::ProviderFirewall_cmd: Executing --state command - current value
Debug: Executing: '/bin/firewall-cmd --state'
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --query-port 10050/tcp'
Notice: /Stage[main]/Firewalld/Firewalld_port[print-api]/ensure: current_value 'absent', should be 'present' (noop)
Debug: /Stage[main]/Firewalld/Firewalld_port[print-api]: The container Class[Firewalld] will propagate my refresh event
Info: /Stage[main]/Firewalld/Firewalld_port[print-api]: Scheduling refresh of Class[Firewalld::Reload]
Debug: Prefetching firewall_cmd resources for firewalld_service
Debug: Executing: '/bin/firewall-cmd --permanent --get-services'
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Debug: /Stage[main]/Firewalld/Firewalld_service[dhcpv6-client]: Nothing to manage: no ensure and the resource doesn't exist
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Debug: /Stage[main]/Firewalld/Firewalld_service[dhcp]: Nothing to manage: no ensure and the resource doesn't exist
Debug: Executing: '/bin/firewall-cmd --permanent --zone public --list-services'
Notice: Class[Firewalld]: Would have triggered 'refresh' from 1 event
Debug: Class[Firewalld]: The container Stage[main] will propagate my refresh event
Notice: Class[Firewalld::Reload]: Would have triggered 'refresh' from 1 event
Info: Class[Firewalld::Reload]: Scheduling refresh of Exec[firewalld::reload]
Debug: /Stage[main]/Firewalld::Reload/Exec[firewalld::reload]: 'firewall-cmd --reload' won't be executed because of failed check 'refreshonly'
Notice: /Stage[main]/Firewalld::Reload/Exec[firewalld::reload]: Would have triggered 'refresh' from 1 event
Debug: /Stage[main]/Firewalld::Reload/Exec[firewalld::reload]: The container Class[Firewalld::Reload] will propagate my refresh event
Notice: Class[Firewalld::Reload]: Would have triggered 'refresh' from 1 event
Debug: Class[Firewalld::Reload]: The container Stage[main] will propagate my refresh event
Debug: /Stage[main]/Firewalld::Reload::Complete/Exec[firewalld::complete-reload]: 'firewall-cmd --complete-reload' won't be executed because of failed check 'refreshonly'
```
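The debug log above shows the port provider checking only the declared port with `--query-port` and never listing the zone's permanent ports, so a port added by hand is never compared against the catalog. As an added example (not code from the puppet-firewalld module), the following Ruby parses a `firewall-cmd --list-all` dump like the ones in this issue, diffs it against a declared baseline, and prints the removals a purge would have to issue; the zone dump is a constructed, abridged copy of the AFTER state, and `DECLARED` is an assumed baseline standing in for the Hiera data.

```ruby
require 'set'
# Constructed sample: abridged AFTER zone dump from the issue (8080/tcp added by hand).
SAMPLE_LIST_ALL = <<~OUT
  public (active)
    target: default
    interfaces: eth0
    sources:
    services: cockpit https ssh
    ports: 10050/tcp 8080/tcp
    protocols:
    icmp-blocks: timestamp-reply timestamp-request
    rich rules:
OUT
# Assumed baseline: what the manifest/Hiera declares for the zone.
DECLARED = {
  'services'    => Set['cockpit', 'https', 'ssh'],
  'ports'       => Set['10050/tcp'],
  'icmp-blocks' => Set['timestamp-reply', 'timestamp-request']
}.freeze

# Parse `firewall-cmd --list-all` output: the first line is the zone name, the
# remaining "key: v1 v2 ..." lines become a Hash of Sets (empty when no values).
def parse_list_all(text)
  lines = text.lines.map(&:strip).reject(&:empty?)
  zone = lines.shift.split(' ').first
  attrs = lines.each_with_object({}) do |line, h|
    key, _, value = line.partition(':')
    h[key.strip] = Set.new(value.split)
  end
  [zone, attrs]
end

# Entries present on the host but absent from the baseline, per attribute.
# A per-resource --query-port check cannot see these; a full listing can.
def unmanaged_entries(attrs, declared = DECLARED)
  declared.each_with_object({}) do |(key, wanted), drift|
    extra = attrs.fetch(key, Set.new) - wanted
    drift[key] = extra unless extra.empty?
  end
end

# Dry run: the --permanent removals a purge would have to issue (printed, not executed).
REMOVE_FLAG = { 'ports' => '--remove-port', 'services' => '--remove-service',
                'icmp-blocks' => '--remove-icmp-block' }.freeze
def purge_commands(zone, drift)
  drift.flat_map do |key, entries|
    entries.sort.map { |e| "firewall-cmd --permanent --zone=#{zone} #{REMOVE_FLAG.fetch(key)}=#{e}" }
  end
end
puts purge_commands(*parse_list_all(SAMPLE_LIST_ALL).then { |z, a| [z, unmanaged_entries(a)] })
```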
Any additional information you'd like to impart
Puppet configuration