firewalld module configuration issue


Jean Berthold

Aug 28, 2019, 4:34:45 PM
to Puppet Users
Hello everyone,

I’m currently learning about Puppet and I can’t see where the error is in my configuration…

I tested the following module to manage the CentOS firewall, firewalld.

Ok, following the instructions in the webpage: https://forge.puppet.com/crayfishx/firewalld

 

I installed the module on the server (without special configuration).

I included the following configuration on my node:

 

[root@srv-eldpupet-02 manifests]# cat site.pp
node 'centos7-dev01.xxxx.local' { # Applies only to mentioned node; if nothing mentioned, applies to all.

  include snmp
  include firewalld

  firewalld_service { 'Close dhcpv6-client':
    ensure  => 'absent',
    service => 'dhcpv6-client',
    zone    => 'public',
  }
}
[root@srv-eldpupet-02 manifests]#

 

This configuration works correctly: the snmp service/package and the firewalld service/package are installed.

And the « dhcpv6-client » service is deactivated correctly, so firewalld_service functions correctly.

 

Now, following the documentation, if I try to use the « firewalld_port » instruction, I get the following error on the client and the configuration defined for firewalld_port is not applied:

-> Doesn’t work !!!

 

firewalld_port { 'Open port 161 in the public zone':
  ensure   => 'present',
  zone     => 'public',
  port     => '161',
  protocol => 'tcp',
}

 

-> (For opening the port dedicated to snmp…)

 

 

With this configuration, I have the following error on my client:

[root@centos7-dev01 ~]# puppet agent -tv
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for centos7-dev01.eldora.local
Info: Applying configuration version '1566830315'
/opt/puppetlabs/puppet/cache/lib/puppet/type/firewalld_zone.rb:148: warning: key :port is duplicated and overwritten on line 150
Info: Redefining firewalld_service in Puppet::Type
Info: Redefining firewalld_port in Puppet::Type
Error: Execution of '/usr/bin/firewall-cmd --permanent --zone public --add-port /' returned 102: Error: INVALID_PORT
Error: /Stage[main]/Main/Node[centos7-dev01.eldora.local]/Firewalld_port[Open port 161 in the public zone]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/bin/firewall-cmd --permanent --zone public --add-port /' returned 102: Error: INVALID_PORT
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Dependency Firewalld_port[Open port 161 in the public zone] has failures: true
Warning: /Stage[main]/Firewalld/Exec[firewalld::reload]: Skipping because of failed dependencies
Notice: Applied catalog in 1.85 seconds
[root@centos7-dev01 ~]#

 

 

While the « firewalld_service » instruction works without further configuration, the « firewalld_port » instruction fails due to « failed dependencies »…

I’m sure this is a newbie question… but I can’t find any documentation about that error!

 

When I try to open the port from the command line, no problem:

[root@centos7-dev01 ~]# firewall-cmd --zone=public --add-port=161/udp --permanent
success
[root@centos7-dev01 ~]# firewall-cmd --zone=public --add-port=161/tcp --permanent
success
[root@centos7-dev01 ~]#

 

Is there something to configure in the module itself before using the « firewalld_port » instruction?

 

Thanks in advance for your help, and have a nice day!

 

Jean

A Manzer

Aug 29, 2019, 4:28:26 PM
to Puppet Users
Don't worry too much about the "Failed Dependency"; that's a red herring in this case. It's not saying that you missed some configuration, it's saying that the firewalld::reload class failed because something it was dependent on (the port) failed.

Looks like the fix should be easy: your code has the port number quoted as a string.  The documentation says that it should be an integer.  Take the quotes off your port value, and give it another shot.

Jean Berthold

Aug 30, 2019, 2:05:05 PM
to Puppet Users
Hello A Manzer, and thank you for your suggestion.

I tried removing the quotes, but still no success...

[root@srv-eldpupet-02 manifests]# cat site.pp
node 'centos7-dev01.xxx.local' { # Applies only to mentioned node; if nothing mentioned, applies to all.
  include snmp
  include firewalld
  include 'add_user'

  firewalld_service { 'Close dhcpv6-client':
    ensure  => 'present',
    service => 'dhcpv6-client',
    zone    => 'public',
  }

  firewalld_port { 'Open port 161 in the public zone':
    ensure   => 'present',
    zone     => 'public',
    port     => 161,
    protocol => 'udp',
  }
}

The output on the node:

[root@centos7-dev01 ~]# puppet agent -tv
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for centos7-dev01.xxxx.local
Info: Applying configuration version '1567171673'
/opt/puppetlabs/puppet/cache/lib/puppet/type/firewalld_zone.rb:148: warning: key :port is duplicated and overwritten on line 150
Info: Redefining firewalld_service in Puppet::Type
Info: Redefining firewalld_port in Puppet::Type
Error: /Stage[main]/Main/Node[centos7-dev01.xxx.local]/Firewalld_port[Open port 161 in the public zone]: Could not evaluate: no implicit conversion of String into Integer
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Dependency Firewalld_port[Open port 161 in the public zone] has failures: true
Warning: /Stage[main]/Firewalld/Exec[firewalld::reload]: Skipping because of failed dependencies
Notice: Applied catalog in 1.10 seconds
[root@centos7-dev01 ~]#

Again the message about conversion of String into Integer...
I followed the syntax given in the documentation...

Thanks again !

Bart-Jan Vrielink

Aug 31, 2019, 11:19:19 AM
to puppet...@googlegroups.com

Hello,


I believe 'port' should be a hash that consists of 'port' and 'protocol' parameters:

    Example:

        firewalld_port {'Open port 8080 in the public Zone':
            ensure => 'present',
            zone   => 'public',
            port   => {
              'port' => 8080,
              'protocol' => 'tcp',
            },
        }

The documentation for this module is confusing on this point, but in the source code I see that it only accepts hashes, as shown in the 'parameters' part of the documentation for firewalld_port (https://forge.puppet.com/crayfishx/firewalld#parameters-6)




Jean Berthold

Sep 2, 2019, 5:37:17 AM
to Puppet Users
Hello Bart-Jan,

Exactly what I need, great thanks !

My mistake was not looking in the module code...
The syntax is given here:

[root@srv-eldpupet-02 type]# pwd
/etc/puppetlabs/code/environments/production/modules/firewalld/lib/puppet/type
[root@srv-eldpupet-02 type]# cat firewalld_port.rb
require 'puppet'

Puppet::Type.newtype(:firewalld_port) do

  @doc = %q{Assigns a port to a specific firewalld zone.
    firewalld_port will autorequire the firewalld_zone specified
    in the zone parameter so there is no need to add dependencies for this

    Example:

        firewalld_port {'Open port 8080 in the public Zone':
            ensure => 'present',
            zone   => 'public',
            port   => {
              'port' => 8080,
              'protocol' => 'tcp',
            },
        }

Thanks again and have a nice day !

Jean
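As an added illustration (not the crayfishx/firewalld module's own code), here is a small Ruby model of a type that reads `value['port']` and `value['protocol']`, the hash shape Bart-Jan pointed to and the module docstring above shows; it replays the three `port` values tried in this thread and explains both error messages. The names `port_arg`, `validated_port_arg` and `FirewallPortError` are assumed.

```ruby
# Added example, not the crayfishx/firewalld module's code: a model of a type
# that reads value['port'] and value['protocol'] (the hash form shown in the
# module's docstring) and why each value tried in this thread behaved as it did.
# port_arg, validated_port_arg and FirewallPortError are assumed names.

class FirewallPortError < StandardError; end

# Build the "<port>/<protocol>" argument passed to firewall-cmd --add-port.
# What Ruby does when the value is not a Hash explains both errors seen above:
#   '161' (String):  '161'['port'] is a substring lookup and returns nil,
#                    so the argument collapses to "/"  -> INVALID_PORT
#   161   (Integer): 161['port'] is Integer#[] (bit access) and raises
#                    TypeError "no implicit conversion of String into Integer"
#   Hash:            {'port' => 161, 'protocol' => 'udp'} -> "161/udp"
def port_arg(value)
  "#{value['port']}/#{value['protocol']}"
end

# Defensive variant: validate the shape before shelling out, so a manifest
# mistake is reported at apply time as a clear message rather than as a
# firewall-cmd exit code or a Ruby TypeError.
def validated_port_arg(value)
  unless value.is_a?(Hash) && value.key?('port') && value.key?('protocol')
    raise FirewallPortError,
          "port must be a hash with 'port' and 'protocol' keys, got #{value.inspect}"
  end
  port  = Integer(value['port']) # accepts 161 or '161'
  proto = value['protocol'].to_s
  unless (1..65_535).cover?(port) && %w[tcp udp sctp dccp].include?(proto)
    raise FirewallPortError, "invalid port/protocol: #{port}/#{proto}"
  end
  "#{port}/#{proto}"
end

# Report what the naive builder does for one value (used to replay the thread).
def describe_attempt(value)
  port_arg(value)
rescue TypeError => e
  "TypeError: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the three forms of `port` that appear in the thread.
  ['161', 161, { 'port' => 161, 'protocol' => 'udp' }].each do |v|
    puts "#{v.inspect.ljust(40)} => #{describe_attempt(v)}"
  end
end
```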