We have a puppet module (v3.6.2 as we're using it for Satellite 6)
The module works as expected, except when adding multiple sources to a zone. It will add the zone and then add one source, then error out trying to add the second source to the zone with the message:
INVALID_ZONE: backup
Running the module a second time successfully adds sources 2 and 3.
The zone is being created successfully and the firewalld reload is triggering, but it's almost as if it doesn't finish the reload as it doesn't see the newly added "backup" zone as being valid for the second and third sources.
Module Code:
class firewalld(
  $enabled          = true,
  $package_name     = 'firewalld',
  $service_name     = 'firewalld',
  $config_dir       = '/etc/firewalld',
  $zone_create      = [],
  $zone_remove      = [],
  $zone_set_default = '',
  $zone_add_source  = hiera_hash('firewalld::zone_add_source', { }),
  $zone_add_service = hiera_hash('firewalld::zone_add_service', { }))
{
  if $enabled {
    $service_ensure = 'running'
    $service_enable = true
    $package_ensure = 'present'
    $config_ensure  = 'present'
    Package["$package_name"] -> File["$config_dir"]
    File["$config_dir"] -> Service["$service_name"]
  } else {
    $service_ensure = 'stopped'
    $service_enable = false
    $package_ensure = 'absent'
    $config_ensure  = 'absent'
    Service["$service_name"] -> File["$config_dir"]
    File["$config_dir"] -> Package["$package_name"]
  }

  package { "$package_name":
    ensure => $package_ensure,
  }

  file { "$config_dir":
    ensure => $config_ensure,
    force  => true,
  }

  service { "$service_name":
    ensure     => $service_ensure,
    enable     => $service_enable,
    hasrestart => true,
    hasstatus  => true,
  }

  exec { 'firewalld_reload':
    onlyif      => 'systemctl -q is-enabled firewalld.service',
    path        => '/bin:/usr/bin:/sbin:/usr/sbin',
    # command   => "systemctl restart firewalld.service",
    command     => "firewall-cmd --reload",
    refreshonly => true,
  }

  define firewalld_zone_create() {
    exec { "firewalld_zone_create_${name}":
      path    => '/bin:/usr/bin:/sbin:/usr/sbin',
      command => "firewall-cmd --permanent --new-zone=${name}",
      unless  => "firewall-cmd --permanent --get-zones | grep -qw ${name}",
      notify  => Exec['firewalld_reload'],
      require => Service['firewalld'],
    }
  }

  define firewalld_zone_add_source($zone, $source) {
    exec { "firewalld_${zone}_add_source_${source}":
      path    => '/bin:/usr/bin:/sbin:/usr/sbin',
      command => "firewall-cmd --permanent --zone=${zone} --add-source=${source}",
      unless  => "firewall-cmd -q --permanent --zone=${zone} --query-source=${source}",
      notify  => Exec['firewalld_reload'],
      require => Service['firewalld'],
    }
  }

  if $enabled {
    firewalld_zone_create{ $zone_create: } -> firewalld_zone_set_default_zone{ $zone_set_default: }
    create_resources('firewalld_zone_add_service', $zone_add_service)
    create_resources('firewalld_zone_add_source', $zone_add_source)
  }
}
I've cut out the sections defining adding ports/targets etc as it's quite long.
The input I'm using is
class { 'firewalld':
  enabled          => true,
  zone_create      => ['zone1', 'mgmt', 'backup'],
  zone_add_service => {
    '001' => { 'zone' => 'mgmt', 'service' => 'ssh' },
  },
  zone_add_source  => {
    '001' => { 'zone' => 'mgmt',   'source' => 'INT.x.x.x/24' },
    '002' => { 'zone' => 'mgmt',   'source' => 'INT.x.x.x/24' },
    '003' => { 'zone' => 'mgmt',   'source' => 'INT.x.x.0/24' },
    '004' => { 'zone' => 'backup', 'source' => 'IP.1.x.x/24' },
    '005' => { 'zone' => 'backup', 'source' => 'IP.2.x.0/24' },
    '006' => { 'zone' => 'backup', 'source' => 'IP.3.x.0/24' },
  },
  zone_set_default => 'zone1',
}
I've changed the subnets and zone names for security purposes.
If anyone could please advise on why this behaviour is occurring and how to resolve it, I'd greatly appreciate it.
Note: I've tried both a firewall-cmd --reload and a systemctl restart firewalld.service and get the same result.
Cheers, Amelia
It seems like creating zones should be done before adding sources, so declare this dependency as a resource reference:
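As an added illustration of that dependency (example code, not the answerer's or the module's own), here is the `if $enabled` block from the question's class with the ordering made explicit through resource collectors, so that every zone-creating exec is applied before any exec that adds a source or service to a zone; the define names are the ones from the question, and the firewalld::zone_* data is assumed to be the hashes shown in the question.

```puppet
# Added example: explicit ordering between the question's defines.
# Puppet 3.x applies resources without a declared relationship in an
# unspecified order, so without this a backup-zone source can be applied
# before the backup zone exists, and firewall-cmd reports INVALID_ZONE.
class firewalld_ordering_example (
  $zone_create      = ['zone1', 'mgmt', 'backup'],
  $zone_set_default = 'zone1',
  $zone_add_source  = hiera_hash('firewalld::zone_add_source', { }),
  $zone_add_service = hiera_hash('firewalld::zone_add_service', { }),
) {
  # Same declarations as the question's class.
  firewalld_zone_create { $zone_create: }
    -> firewalld_zone_set_default_zone { $zone_set_default: }
  create_resources('firewalld_zone_add_service', $zone_add_service)
  create_resources('firewalld_zone_add_source', $zone_add_source)

  # Collectors (<| |>) select every instance of a define; the chaining arrow
  # orders all zone creations before all source and service additions.
  # This also works for sources added to zones not listed in $zone_create
  # (e.g. built-in zones), where a direct Exec[...] reference would fail
  # to compile because the zone-creation resource does not exist.
  Firewalld_zone_create <| |> -> Firewalld_zone_add_source <| |>
  Firewalld_zone_create <| |> -> Firewalld_zone_add_service <| |>
}
```

Each add-source exec still notifies Exec['firewalld_reload'], so the single reload runs once after all permanent changes have been written, which is the behaviour the question's module already intends.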