
firewalld task is not idempotent for adding ports #179

Closed
okapia opened this issue Apr 21, 2021 · 6 comments · Fixed by #199
Assignees
Labels
has_pr, verified (This issue has been verified/reproduced by maintainer)

Comments

@okapia
Copy link

okapia commented Apr 21, 2021

SUMMARY

I'm using the firewalld: task with the port: option. The first time this is run on a host, it works fine. However on any later or subsequent runs, I get an error: ERROR: Exception caught: org.fedoraproject.FirewallD1.Exception: ALREADY_ENABLED: 'xxxxx:tcp' already in 'public' Permanent and Non-Permanent(immediate) operation

This violates idempotency which is really the whole point of ansible.

Aside from port:, I'm using permanent: yes, immediate: yes, state: enabled, and zone: public.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

ansible.posix.firewalld

ANSIBLE VERSION
ansible 2.10.8

python version = 3.6.8 (default, Mar  9 2021, 15:28:46) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5.0.1)]
CONFIGURATION

Problem verified from a plain pip install ansible in a venv and just the minimal task so with zero config. Otherwise I'm not permitted to publish internal paths on the Internet so no full dump.

OS / ENVIRONMENT

Oracle Linux 8.3 which is a RHEL 8 clone.

STEPS TO REPRODUCE
- name: Enable ports in firewall
  firewalld:
    port: "{{ item }}"
    permanent: yes
    immediate: yes
    state: enabled
    zone: public
  loop: [ whatever/tcp ]
  become: yes

And run this TWICE

EXPECTED RESULTS

Expected results of the second run to be changed: false, failed: false

ACTUAL RESULTS
"msg": "ERROR: Exception caught: org.fedoraproject.FirewallD1.Exception: ALREADY_ENABLED: 'myport:tcp' already in 'public' Permanent and Non-Permanent(immediate) operation"
@Akasurde
Copy link
Member

Akasurde commented Jun 2, 2021

@okapia Thanks for reporting this issue.

Could you please report the firewalld version installed?

I am able to reproduce this on

# rpm -qa |grep firewalld
firewalld-filesystem-0.9.3-1.el8.noarch
firewalld-0.9.3-1.el8.noarch

and not on

firewalld-filesystem-0.8.2-2.el8.noarch
firewalld-0.8.2-2.el8.noarch

@Akasurde
Copy link
Member

Akasurde commented Jun 2, 2021

needs_info

@okapia
Copy link
Author

okapia commented Jun 2, 2021

I had the issue with 0.8.2-2.0.1.el8. The machine has been upgraded from 8.3 to 8.4 just last week so now runs 0.8.2-6.0.1.el8. But I just checked again and I still see the issue. I don't know if there's anything Oracle Linux specific in those version numbers like the additional .0.1 but I suppose there might be.

Akasurde added a commit to Akasurde/ansible.posix that referenced this issue Jun 3, 2021
Use APIs like ``query*`` instead of ``get*``.

Fixes: ansible-collections#179

Signed-off-by: Abhijeet Kasurde <[email protected]>
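The pattern the fix commit names, querying the zone for the port before mutating it rather than adding unconditionally, is shown below as an added example. It is not code from the ansible.posix module or from firewalld: `FakeZone`/`FakeFirewall` are constructed stand-ins whose `addPort` raises the same ALREADY_ENABLED error text the reporter quoted, so the behaviour can be exercised offline. Method names such as `queryPort`, `addPort` and `removePort` mirror the firewalld client API only in name; their bodies here are simulated.

```python
"""Idempotent firewalld-style port enablement, simulated offline (added example)."""

from dataclasses import dataclass, field


class FirewallDError(Exception):
    """Constructed stand-in for org.fedoraproject.FirewallD1.Exception."""


@dataclass
class FakeZone:
    """Constructed stand-in for one zone's port table (runtime or permanent).

    addPort raises ALREADY_ENABLED on a duplicate, like the error in the issue;
    queryPort answers membership without side effects.
    """
    name: str
    ports: set = field(default_factory=set)

    def queryPort(self, port: str, protocol: str) -> bool:
        return (port, protocol) in self.ports

    def addPort(self, port: str, protocol: str) -> None:
        if (port, protocol) in self.ports:
            raise FirewallDError(
                f"ALREADY_ENABLED: '{port}:{protocol}' already in '{self.name}'")
        self.ports.add((port, protocol))

    def removePort(self, port: str, protocol: str) -> None:
        if (port, protocol) not in self.ports:
            raise FirewallDError(
                f"NOT_ENABLED: '{port}:{protocol}' not in '{self.name}'")
        self.ports.discard((port, protocol))


@dataclass
class FakeFirewall:
    """Two views of the same zone names, like firewalld's immediate vs permanent config."""
    runtime: dict    # zone name -> FakeZone (immediate / runtime)
    permanent: dict  # zone name -> FakeZone (permanent)


def new_firewall(zone: str = "public") -> FakeFirewall:
    return FakeFirewall(runtime={zone: FakeZone(zone)},
                        permanent={zone: FakeZone(zone)})


def parse_port(spec: str):
    """Split '<port>/<protocol>', the form the module's port: option takes."""
    port, sep, proto = spec.partition("/")
    if not sep or not port or proto not in ("tcp", "udp", "sctp", "dccp"):
        raise ValueError(f"port must be <port>/<protocol>, got {spec!r}")
    return port, proto


def naive_enable(fw: FakeFirewall, zone: str, spec: str) -> dict:
    """Non-idempotent version: adds on every run, so a second run raises."""
    port, proto = parse_port(spec)
    fw.runtime[zone].addPort(port, proto)
    fw.permanent[zone].addPort(port, proto)
    return {"changed": True, "failed": False}


def ensure_port(fw: FakeFirewall, zone: str, spec: str, state: str = "enabled",
                permanent: bool = True, immediate: bool = True) -> dict:
    """Converge one port to the desired state and return an Ansible-style result.

    Each target (runtime, permanent) is checked with queryPort first and only
    mutated when it differs, so a repeat run reports changed=False instead of
    tripping ALREADY_ENABLED.
    """
    port, proto = parse_port(spec)
    targets = []
    if immediate:
        targets.append(fw.runtime[zone])
    if permanent:
        targets.append(fw.permanent[zone])
    changed = False
    for z in targets:
        present = z.queryPort(port, proto)
        if state == "enabled" and not present:
            z.addPort(port, proto)
            changed = True
        elif state == "disabled" and present:
            z.removePort(port, proto)
            changed = True
    return {"changed": changed, "failed": False}


def run_twice(spec: str = "8080/tcp"):
    """Apply the same task twice, as the reporter did; returns both results."""
    fw = new_firewall()
    return ensure_port(fw, "public", spec), ensure_port(fw, "public", spec)


if __name__ == "__main__":
    print(run_twice())
```

The second result of `run_twice` is `changed: false, failed: false`, which is the expected outcome the reporter asked for; `naive_enable` reproduces the failure mode by calling `addPort` without the query.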
@Akasurde
Copy link
Member

Akasurde commented Jun 3, 2021

@okapia Could you please verify #199 and let me know? Thanks in advance.

resolved_by_pr #199

@Akasurde Akasurde self-assigned this Jun 3, 2021
@Akasurde Akasurde added the has_pr and verified (This issue has been verified/reproduced by maintainer) labels Jun 3, 2021
@mwperina
Copy link

mwperina commented Jun 3, 2021

As this is a regression, it should really be backported also to Ansible 2.9.z

@Akasurde
Copy link
Member

Akasurde commented Jun 3, 2021

@mwperina Module works after downgrading to Firewalld 0.8.2. Also, Ansible 2.9 release is frozen and only open for critical security fixes.

Akasurde added a commit to Akasurde/ansible.posix that referenced this issue Jun 4, 2021
Use APIs like ``query*`` instead of ``get*``.

Fixes: ansible-collections#179

Signed-off-by: Abhijeet Kasurde <[email protected]>
Akasurde added a commit to Akasurde/ansible.posix that referenced this issue Jun 4, 2021
Use APIs like ``query*`` instead of ``get*``.

Fixes: ansible-collections#179

Signed-off-by: Abhijeet Kasurde <[email protected]>
aminvakil pushed a commit to aminvakil/ansible.posix that referenced this issue Jun 11, 2021
Use APIs like ``query*`` instead of ``get*``.

Fixes: ansible-collections#179

Signed-off-by: Abhijeet Kasurde <[email protected]>
Akasurde added a commit to Akasurde/ansible that referenced this issue Jun 14, 2021
relrod pushed a commit to ansible/ansible that referenced this issue Jun 14, 2021
ColonelPanics added a commit to openflighthpc/openflight-kubernetes-multinode that referenced this issue Jan 30, 2023
When running an apply via flight profile for multiple nodes, the playbook
ends up getting a bit confused with all the add MAC -> reload loops
going at once. To circumvent this I've tweaked it to add all MACs
permanently to firewall then do a reload. This seems to reduce the
likelihood of an error occurring.

Relevant link - ansible-collections/ansible.posix#179
3 participants