firewalld not working on Fedora 28 (#28) · Issues · las-it-organisation / 32-0-IT instructions and rules / ansible

firewalld not working on Fedora 28

Calling host: las113.las.kit.edu (Fedora 27)

Failing nodes: las118

Summary

All rules that work with the firewalld module do not work with Fedora 28, because the firewalld module depends on python-firewalld and does not work with python3-firewalld as partly documented in the documentation

Steps to reproduce

Try to run the sshd task of the common role

What is the current bug behavior?

The role stops at task common : Open port 22 on Fedora/CentOS

What is the expected correct behaviour?

The role common runs and the firewall opens port 22 for ssh.

Relevant logs and/or screenshots

fatal: [las118.las.kit.edu]: FAILED! => {                          
    "changed": false,                                              
    "module_stderr": "OpenSSH_7.6p1, OpenSSL 1.1.0h-fips  27 Mar 2018\r\ndebug1: Reading configuration data /home/gethmann/.ssh/config\r\ndebug1: /home/gethmann/.ssh/config line 124: Applying options for *\r\ndebug1: /home/gethmann/.ssh/config line 128: Deprecated option \"useroaming\"\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0\r\ndebug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 2: Including file /etc/crypto-policies/back-ends/openssh.config depth 1\r\ndebug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config\r\ndebug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-]\r\ndebug3: kex names ok: [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]\r\ndebug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 4 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 25187\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to las118.las.kit.edu closed.\r\n",                                   
    "module_stdout": "\r\nTraceback (most recent call last):\r\n  File \"/tmp/ansible_VyTTtl/ansible_module_firewalld.py\", line 1017, in <module>\r\n    main()\r\n  File \"/tmp/ansible_VyTTtl/ansible_module_firewalld.py\", line 811, in main\r\n    if fw_offline:\r\nNameError: global name 'fw_offline' is not defined\r\n",               
    "msg": "MODULE FAILURE",                                       
    "rc": 1                                                        
}

Possible fixes

Search for other ways (iptables) to open the port. Just as a work-around till Python 3 is supported.

/cc @gethmann

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information