
Comments (5)

apatik commented on June 26, 2024

On the system in question (or an equivalent one set up for testing), can you verify that prior to the puppet code you posted being run, firewall-cmd --permanent --get-services does not list the xrdp service (you may need to comment that code out and run the rest of it if this is a service puppet is installing)? While you're at it, check the running config too with firewall-cmd --get-services.

If you can confirm that it doesn't appear, and your proposed workaround does work where the current implementation doesn't, I can refactor the code to do that in the next few days.

from puppet-firewalld.

edgester commented on June 26, 2024

I can confirm the error when the xrdp service did not exist beforehand. Note that try-firewall.pp only contains the code block from my original comment. Here are the commands that I ran and the output:

# firewall-cmd --permanent --remove-service xrdp
success
# rm -f /etc/firewalld/services/xrdp.xml
# systemctl restart firewalld
# firewall-cmd --permanent --get-services | grep -i rdp
# firewall-cmd --get-services | grep -i rdp
# puppet apply ./try-firewall.pp 
Notice: Compiled catalog for linux.example.com in environment production in 0.47 seconds
Notice: /Stage[main]/Main/Firewalld::Custom_service[XRDP service]/File[/etc/firewalld/services/xrdp.xml]/ensure: created
Notice: /Stage[main]/Main/Firewalld::Custom_service[XRDP service]/Exec[firewalld::custom_service::reload-XRDP service]: Triggered 'refresh' from 1 events
Error: Execution of '/bin/firewall-cmd --permanent --new-service xrdp' returned 26: Error: NAME_CONFLICT: xrdp
Error: /Stage[main]/Main/Firewalld::Custom_service[XRDP service]/Firewalld_custom_service[xrdp]/ensure: change from absent to present failed: Execution of '/bin/firewall-cmd --permanent --new-service xrdp' returned 26: Error: NAME_CONFLICT: xrdp
Notice: /Stage[main]/Main/Firewalld_service[Allow XRDP from the public zone]/ensure: created
Notice: Finished catalog run in 6.54 seconds


apatik commented on June 26, 2024

Thanks for the log, it perfectly identifies the issue. Your proposed fix is essentially correct; however, your optional step 2 wouldn't work, as it's valid to create a custom service that overrides a built-in one (e.g. declare a custom service for SSH that uses a different port than the predefined one), and doing nothing if the service name appears in the active config would be wrong, as FirewallD would continue using the old service until something else triggered a reload (which may not happen automatically, depending on what else is in the catalog). That being said, it's an easy fix. I'll have a pull request in later today for this.


apatik commented on June 26, 2024

Pull request opened, it's in crayfishx's hands now.


edgester commented on June 26, 2024

Thanks for the pull request and explaining firewalld better.

