Вопросы Теги

firewalld puppet module unable to add multiple sources error: INVALID ZONE on second source

We have a puppet module (v3.6.2 as we're using it for Satellite 6)

The module works as expected, except when adding multiple sources to a zone. It will add the zone and then add one souce, then error out trying to add the second source to the zone with the message:

INVALID_ZONE: backup

Running the module a second time successfully adds sources 2 and 3.

The zone is being created successfully and the firewalld reload is triggering, but it's almost as if it doesn't finish the reload as it doesn't see the newly added "backup" zone as being valid for the second and third sources.

Module Code:

class firewalld(
    $enabled = true,
    $package_name = 'firewalld',
    $service_name = 'firewalld',
    $config_dir = '/etc/firewalld',
    $zone_create = [],
    $zone_remove = [],
    $zone_set_default = '',
    $zone_add_source = hiera_hash('firewalld::zone_add_source', { }),
    $zone_add_service = hiera_hash('firewalld::zone_add_service', { }))
{

    if $enabled {
        $service_ensure = 'running'
        $service_enable = true
        $package_ensure = 'present'
        $config_ensure = 'present'
        Package["$package_name"] -> File["$config_dir"]
        File["$config_dir"] -> Service["$service_name"]
    } else {
        $service_ensure = 'stopped'
        $service_enable = false
        $package_ensure = 'absent'
        $config_ensure = 'absent'
        Service["$service_name"] -> File["$config_dir"]
        File["$config_dir"] -> Package["$package_name"]
    }

    package { "$package_name":
        ensure => $package_ensure,
    }

    file { "$config_dir":
        ensure => $config_ensure,
        force  => true,
    }

    service { "$service_name":
        ensure     => $service_ensure,
        enable     => $service_enable,
        hasrestart => true,
        hasstatus  => true,
    }

    exec { 'firewalld_reload':
        onlyif      => 'systemctl -q is-enabled firewalld.service',
        path        => '/bin:/usr/bin:/sbin:/usr/sbin',
        # command     => "systemctl restart firewalld.service",
        command     => "firewall-cmd --reload",
        refreshonly => true,
    }

    define firewalld_zone_create() {
        exec { "firewalld_zone_create_${name}":
            path    => '/bin:/usr/bin:/sbin:/usr/sbin',
            command => "firewall-cmd --permanent --new-zone=${name}",
            unless  => "firewall-cmd --permanent --get-zones | grep -qw ${name}",
            notify  => Exec['firewalld_reload'],
            require => Service['firewalld'],
        }
    }

    define firewalld_zone_add_source($zone, $source) {
        exec { "firewalld_${zone}_add_source_${source}":
            path    => '/bin:/usr/bin:/sbin:/usr/sbin',
            command => "firewall-cmd --permanent --zone=${zone} --add-source=${source}",
            unless  => "firewall-cmd -q --permanent --zone=${zone} --query-source=${source}",
            notify  => Exec['firewalld_reload'],
            require => Service['firewalld'],
        }
    }

    if $enabled {
        firewalld_zone_create{ $zone_create: } -> firewalld_zone_set_default_zone{ $zone_set_default: }
        create_resources('firewalld_zone_add_service', $zone_add_service)
        create_resources('firewalld_zone_add_source', $zone_add_source)
    }
}

I've cut out the sections defining adding ports/targets etc as it's quite long.

The input I'm using is

class { 'firewalld':
    enabled          => true,
    zone_create      => ['zone1', 'mgmt', 'backup'],
    zone_add_service => {
        '001' => { 'zone' => 'mgmt', 'service' => 'ssh' },
    },
    zone_add_source  => {
        '001' => { 'zone' => 'mgmt', 'source' => 'INT.x.x.x/24' },
        '002' => { 'zone' => 'mgmt', 'source' => 'INT.x.x.x/24' },
        '003' => { 'zone' => 'mgmt', 'source' => 'INT.x.x.0/24' },
        '004' => { 'zone' => 'backup', 'source' => 'IP.1.x.x/24' },
        '005' => { 'zone' => 'backup', 'source' => 'IP.2.x.0/24' },
        '006' => { 'zone' => 'backup', 'source' => 'IP.3.x.0/24' },
    },
    zone_set_default => 'zone1',
}

I've changed the subnets and zone names for security purposes.

If anyone could please advise on why this behaviour is occurring and how to resolve it, I'd greatly appreciate it.

Note: I've tried both a firewall-cmd --reload and a systemctl restart firewalld.service and get the same result.

Cheers, Амелия

1
задан 6 September 2016 в 12:46
1 ответ

похоже, что нужно создать зоны перед добавлением источников, поэтому объявите эту зависимость как ссылку на ресурс: 

define firewalld_zone_add_source($zone, $source) {
    exec { "firewalld_${zone}_add_source_${source}":
        path    => '/bin:/usr/bin:/sbin:/usr/sbin',
        command => "firewall-cmd --permanent --zone=${zone} --add-source=${source}",
        unless  => "firewall-cmd -q --permanent --zone=${zone} --query-source=${source}",
        notify  => Exec['firewalld_reload'],
        require => Service['firewalld'],
        require => Exec['firewalld_zone_create_${zone}'], # <- run after zone create
    }
}
0
ответ дан 4 December 2019 в 05:55

Теги

Похожие вопросы