Can't seem to run this first time #96

Closed
rgill3003 opened this issue Nov 4, 2016 · 15 comments

@rgill3003

rgill3003 commented Nov 4, 2016

I get this on every puppet run:

Error: Failed to apply catalog: Command firewall_cmd is missing

A manual install of firewalld, starting it, and then a Puppet run makes this issue disappear and move on, creating my firewall rules, even though I've declared

class { '::firewalld': } in my manifest (which by default should install, and start firewalld)

Anyone got any ideas?

@crayfishx
Contributor

You say a manual install of firewalld.... What OS are you running on and where is the firewall-cmd binary located when you see this issue?

@rgill3003
Author

rgill3003 commented Nov 4, 2016

I'm actually on RHEL 7.3 - shiny and new, using version 0.4.3.2-8.el7 and from that very server (after installing firewalld manually):
which firewall-cmd
/usr/bin/firewall-cmd
When I see this issue firewall-cmd is nowhere since it isn't installed (which I was hoping declaring
class { '::firewalld': }
in my manifest would do) - it's just that it seems to ignore that declaration and not install it and not start it - just goes ahead and tries to create my rules.

@crayfishx
Contributor

Ah, you are running Puppet on a system that doesn't actually have firewalld installed yet? - That's not a use case we've come across yet as the distro has firewalld already installed - although I've not tested this on 7.3 yet...... interesting dilemma... the problem is that to solve #90 we added functionality in #91 to test the status of the firewalld service at initiation, so before the package provider has had a chance to do its thing - I must admit I (and everyone else) didn't spot the use case that this might break if you don't yet have firewalld.

It's a valid issue though, so I'll accept it and try and engineer a solution soon.... thanks for reporting it.

crayfishx added the bug and accepted labels Nov 4, 2016
crayfishx added this to the 3.1.7 milestone Nov 4, 2016

@rgill3003
Author

Yep - great - thanks very much for that. It does actually come as standard on the 7.3 distro but when testing modules like this I always like to make sure everything runs first time seamlessly from the base case that it's totally absent. Just makes sure it's not relying on some element which might not be present in a particular scenario..... Thanks again!

@crayfishx
Contributor

Yep - agreed - it may be an unusual scenario, but it's a valid one that the module should take care of.

@crayfishx
Contributor

@rgill3003 I also note that it ships with firewalld 0.4. Since I haven't tested against that yet (RH 7.2 shipped with 0.3), it would be nice to know if everything works as expected and they haven't changed any API settings that affect the module.... if you could ping me and let me know I'd appreciate it

crayfishx added a commit that referenced this issue Nov 5, 2016
If the firewalld package is not installed yet, then the module fails
because firewalld tries to determine the state of the firewalld process
by using the firewall-cmd command, also the firewalld_zone resource type
will try and call the provider.exists? method in the generate method.

Both of these steps occur before the catalog is applied so before the
package resource can install the package.

This PR catches the exception when the command is missing and leaves
the @running instance variable set to nil.... When determining the
state of the firewalld service later in the Puppet run, the state
is re-checked if @running is set to nil.

Closes #96
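
The pattern the commit message describes, sketched as an added Ruby example (not the module's own code): an early probe that tolerates a missing firewall-cmd and records "unknown" as nil, and a later check that re-probes only while the state is nil. `FakeHost`, `FirewalldState` and `CommandMissing` are hypothetical names, and the host is simulated so the sketch runs without firewalld.

```ruby
# Added illustration; not code from puppet-firewalld. All names are hypothetical.
class CommandMissing < StandardError; end

# Constructed stand-in for a host: firewall-cmd exists only once the package is installed.
class FakeHost
  attr_accessor :installed, :service_running

  def initialize
    @installed = false
    @service_running = false
  end

  # Mimics asking firewall-cmd for the daemon state; raises when the binary is absent.
  def firewall_cmd_state
    raise CommandMissing, 'Command firewall_cmd is missing' unless @installed
    @service_running ? 'running' : 'not running'
  end
end

class FirewalldState
  attr_reader :cached

  def initialize(host)
    @host = host
    @cached = probe # early check, before any package resource has been applied
  end

  # true/false when the command answered, nil when it could not be asked at all.
  def probe
    @host.firewall_cmd_state == 'running'
  rescue CommandMissing
    nil
  end

  # Later check: nil means "unknown", so ask again instead of trusting the cache.
  def running?
    @cached = probe if @cached.nil?
    @cached
  end
end

# Walks through a first run on a bare host and returns [early state, late state].
def first_run_demo
  host = FakeHost.new
  state = FirewalldState.new(host) # no exception although firewall-cmd is missing
  early = state.cached             # nil: state unknown
  host.installed = true            # package resource applied
  host.service_running = true      # service resource applied
  [early, state.running?]
end
```

Keeping nil distinct from false is what lets the later check tell "could not ask" apart from "asked, and the service is stopped".
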
@crayfishx
Contributor

@rgill3003 #97 is my proposed fix for this.... my smoke tests so far look good....

[root@localhost ~]# service firewalld stop ; yum -y remove firewalld ; rm -rf /etc/firewalld
...
[root@localhost ~]# puppet apply /vagrant/tests/test.pp
Notice: Compiled catalog for localhost.localdomain in environment production in 1.48 seconds
Notice: /Stage[main]/Firewalld/Package[firewalld]/ensure: created
Notice: /Stage[main]/Firewalld/Service[firewalld]/ensure: ensure changed 'stopped' to 'running'
Notice: /Stage[main]/Firewalld/Firewalld_port[xPort 80 for opencpu]/ensure: created
Notice: /Stage[main]/Main/Firewalld_zone[restricted]/ensure: created
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 2 events
Notice: Applied catalog in 4.53 seconds

@rgill3003
Author

Great! Let me know when I can give it a go. Other than that, so far it generates the rich rules fine. However, one thing I'm trying to do is add the option to log packet drops (it's the reason I upgraded to 7.3 in the first place) - according to Red Hat's technote the thing to do is:

firewall-cmd --set-log-denied=all

but annoyingly this doesn't work, so I've a case opened with Red Hat. In any case though, once I get the definitive method from RH, there won't yet be a way to incorporate the setting into the puppet module?

@crayfishx
Contributor

Currently that option is not configurable in the module - if you raise a separate issue with details (once Redhat have confirmed the case) then we would be happy to add the functionality - or submit a PR yourself if you feel up to it :)

@rgill3003
Author

OK - Thanks - I'll give it a crack!

@crayfishx
Contributor

@rgill3003 This issue was fixed in 3.1.7, FYI

@rgill3003
Author

Thanks – I can’t seem to get that Tag though – even tried deleting the current project and tried remirroring and it only downloads up to tag 3.1.6 – don’t suppose you know if that’s a problem your end or mine?

@crayfishx
Contributor

Craigs-MBP:firewalld-clean craigdunn$ git push origin --tags
Counting objects: 1, done.
Writing objects: 100% (1/1), 154 bytes | 0 bytes/s, done.
Total 1 (delta 0), reused 0 (delta 0)
To git@github.com:crayfishx/puppet-firewalld
 * [new tag]         3.1.7 -> 3.1.7

.... ahem.... oops, sorry :-)

@crayfishx
Contributor

Should be ok now ;)

@rgill3003
Author

Haha! Thanks!!
