linux-system-roles / firewall Goto Github PK

What happened:
TASK [linux-system-roles.firewall : Configure firewall] ************************
failed: [192.168.88.100] (item={'detailed': True}) => {"ansible_loop_var": "item", "changed": false, "item": {"detailed": true}, "msg": "One of service, port, source_port, forward_port, masquerade, rich_rule, source, interface, icmp_block, icmp_block_inversion, target, zone or set_default_zone needs to be set"}

What you expected to happen:
To get a detailed view of my firewall facts

How to reproduce it (as minimally and precisely as possible):

- name: Test tangd_custom_port
  hosts: 192.168.88.100
  vars:
    firewall:
      detailed: true
  tasks:
    - name: get firewall info
      import_role:
        name: linux-system-roles.firewall

Anything else we need to know?:

Environment:

• Firewalld Version (if Fedora based dnf info firewalld or commit hash if developing from git git log -n1 --format=format:"%H"): firewalld-1.0.5-2.fc35.src.rpm
• Firewalld Backend (cat /etc/firewalld/firewalld.conf | grep FirewallBackend): FirewallBackend= nftables
• Ansible Version (ansible --version): ansible [core 2.12.7]
• Firewall System Role Version (if installing from ansible galaxy ansible-galaxy list | grep linux-system-roles.firewall or commit hash if developing from git
  git log -n1 --format=format:"%H"): linux-system-roles-1.20.2-1.fc35.noarch - linux-system-roles.firewall, (unknown version)
• OS (e.g: cat /etc/os-release): Fedora Linux 35 (KDE Plasma)
• Others:

fatal: [/cache/Fedora-Cloud-Base-28-1.1.x86_64.qcow2]: FAILED! => {"changed": false, "failed": true, "msg": "No package python-firewall available."}
	to retry, use: --limit @/tmp/tmp84e78tme/tests/tests_default.retry

The package might only be available for python3 there iirc. See PR #1

As part of the conscious language project, the master branch is to be renamed to the main branch.

Here are the instructions.

1. Rename the master branch to main: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/renaming-a-branch
2. Check this to ensure the default branch has been changed to main: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/changing-the-default-branch - this should keep the github history, as well as updating the default branch configuration and updating any existing PRs

If you use the gh cli (highly recommended) you can use this to check which repos need to be updated:

gh repo list linux-system-roles -L 100 --json name,defaultBranchRef --source | \
  jq --raw-output '.[] | select(.defaultBranchRef.name == "master") | .name'

Thanks.

What happened:
I am running this playbook on a latest RHEL 8.6 image:

- hosts: localhost
  vars:
    # Variables to open the probe port configured in Azure in firewall
    firewall:
      - port: 59999/tcp
        state: enabled
        permanent: true
        runtime: true
  roles:
    - fedora.linux_system_roles.firewall

This results in an error:

TASK [fedora.linux_system_roles.firewall : Configure firewall] *******************************************************************************************************************************
failed: [localhost] (item={'port': '59999/tcp', 'state': 'enabled', 'permanent': True, 'runtime': True}) => {"ansible_loop_var": "item", "changed": false, "item": {"permanent": true, "port": "59999/tcp", "runtime": true, "state": "enabled"}, "msg": "No firewall backend could be imported."}

What you expected to happen:
Port 59999/tcp to be enabled

How to reproduce it (as minimally and precisely as possible):

1. Provision a fresh RHEL 8.6 host.
2. dnf install ansible-core -y
3. ansible-galaxy collection install fedora.linux_system_roles
4. Create playbook.yml with the above playbook.
5. ansible-playbook playbook.yml

Anything else we need to know?:
I tested this against RHEL 8.7 composes too. There tried both with fedora.linux_system_roles.firewall and redhat.rhel_system_roles.firewall - same error.

Environment:

• Firewalld Version (if Fedora based dnf info firewalld or commit hash if developing from git git log -n1 --format=format:"%H"):
  • 0.9.3 Release 13.el8
• Firewalld Backend (cat /etc/firewalld/firewalld.conf | grep FirewallBackend):
  • FirewallBackend=nftables
• Ansible Version (ansible --version)
  • Tested with ansible-core 2.12.2 and ansible-core 2.13.3
• Firewall System Role Version (if installing from ansible galaxy ansible-galaxy list | grep linux-system-roles.firewall or commit hash if developing from git
  git log -n1 --format=format:"%H"):
  • redhat.rhel_system_roles 1.20.0, fedora.linux_system_roles 1.26.1
• OS (e.g: cat /etc/os-release):
  • RHEL 8.6 and 8,7
• Others:
  I found this issue when trying to reproduce another issue reported by my college. He is running RHEL 8.6 and fedora.linux_system_roles.firewall and faced a different error:
  

What would you like to be added:
I would like to add and modify policies in the same way services are modified.

    firewall:
      - policy: test
        priority: -15000
        target: CONTINUE
        ingress-zones: eth1
        egress-zones: eth2
        state: present
        permanent: true

See also: https://firewalld.org/2020/09/policy-objects-introduction

I am trying to place a snmp request from a server and I receive a snmp response from a client IP say "a.b.c.d". But my firewall is blocking that response from a.b.c.d IP it seems. snmp service uses the udp port 161 which I added already to allow this port in firewall rules.

What is happening:

When I place snmp request from a server to test.com, I am getting => Timeout: No Response from test.com
When I take tcpdump logs in server, I could see the response coming in to the server from test.com

But when I stop the firewall service, I can see the snmp response. When firewall is running, I get "Timeout No response".

What could be the issue in my firewall and how can I find/solve this? It would be really helpful if someone helps me with this. Thanks in advance!

What would you like to be added:
Implement Ansible Facts for the Firewall System Role.
Why is this needed:
This feature is needed to provide users information regarding the remote systems that they are connected with using the Firewall System Role.

What would you like to be added:
Need the ability to add/remove an interface by PCI device ID to a zone.

What would you like to be added:

Overwriting of changed directives in /etc/firewalld.conf, instead of deleting firewalld.conf if it is different from the default configuration file.

Why is this needed:

When /etc/firewalld.conf is deleted, comments describing its directives are also removed (see issue #127).

What would you like to be added:
The firewall variable is not ansible-lint compliant:

- name: Test
  hosts: localhost

  tasks:

    - name: Configure Firewall for Web Console
      ansible.builtin.include_role:
        name: linux_system_roles.firewall
      vars:
        firewall:
          service: cockpit
          state: enabled

~/.local/bin/ansible-lint test.yml
WARNING Listing 1 violation(s) that are fatal
var-naming[no-role-prefix]: Variables names from within roles should use firewall_ as a prefix. (vars: firewall)
test.yml:10 Task/Handler: Configure Firewall for Web Console

Read documentation for instructions on how to ignore specific rule violations.

              Rule Violation Summary                     

count tag profile rule associated tags
1 var-naming[no-role-prefix] basic idiom

Failed: 1 failure(s), 0 warning(s) on 1 files. Last profile that met the validation criteria was 'min'.

~/.local/bin/ansible-lint --version
ansible-lint 24.2.0 using ansible-core:2.16.2 ansible-compat:4.1.11 ruamel-yaml:0.18.6 ruamel-yaml-clib:0.2.8

Why is this needed:
Other roles in the collection seems to be compliant with ansible-lint, this makes the behaviour consistent. And it makes user's life easier.

A check expects the firewalld network manager library to always be loaded. This check fails and causes the module to error out when trying to configure iptables on a host.

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: NameError: global name 'nm_is_imported' is not defined
failed: [dso_fire_001] (item={'service': ['ssh', 'http', 'https'], 'state': 'enabled'}) => {"ansible_loop_var": "item", "changed": false, "item": {"service": ["ssh", "http", "https"], "state": "enabled"}, "module_stderr": "Shared connection to 10.254.238.16 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/home/ansible/.ansible/tmp/ansible-tmp-1616521122.719339-79209-241942387082927/AnsiballZ_firewall_lib.py\", line 102, in <module>\r\n    _ansiballz_main()\r\n  File \"/home/ansible/.ansible/tmp/ansible-tmp-1616521122.719339-79209-241942387082927/AnsiballZ_firewall_lib.py\", line 94, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/home/ansible/.ansible/tmp/ansible-tmp-1616521122.719339-79209-241942387082927/AnsiballZ_firewall_lib.py\", line 40, in invoke_module\r\n    runpy.run_module(mod_name='ansible_collections.fedora.linux_system_roles.plugins.modules.firewall_lib', init_globals=None, run_name='__main__', alter_sys=True)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\r\n    fname, loader, pkg_name)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\r\n    mod_name, mod_fname, mod_loader, pkg_name)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\r\n    exec code in run_globals\r\n  File \"/tmp/ansible_fedora.linux_system_roles.firewall_lib_payload_NLafnX/ansible_fedora.linux_system_roles.firewall_lib_payload.zip/ansible_collections/fedora/linux_system_roles/plugins/modules/firewall_lib.py\", line 783, in <module>\r\n  File \"/tmp/ansible_fedora.linux_system_roles.firewall_lib_payload_NLafnX/ansible_fedora.linux_system_roles.firewall_lib_payload.zip/ansible_collections/fedora/linux_system_roles/plugins/modules/firewall_lib.py\", line 420, in main\r\nNameError: global name 'nm_is_imported' is not defined\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

What happened:
In one lab from where I'm taking systems from time to time they provide RHEL8 systems with firewalld.service masked by default. Running firewall role on them fails.

Maybe this is not a bug report, maybe it is not even a feature request, but still I though I report it as capability to deal with this might add another bit of resiliency.

# systemctl status firewalld
● firewalld.service
   Loaded: masked (Reason: Unit firewalld.service is masked.)
   Active: inactive (dead)

What you expected to happen:
Given firewall role decided to use firewalld as a provider, it should be able to handle this situation.

How to reproduce it (as minimally and precisely as possible):
I think having this:

# rpm -qa | grep -e iptables -e firewalld | sort
firewalld-0.9.3-13.el8.noarch
firewalld-filesystem-0.9.3-13.el8.noarch
iptables-1.8.4-22.el8.x86_64
iptables-ebtables-1.8.4-22.el8.x86_64
iptables-libs-1.8.4-22.el8.x86_64

and firewalld masked and config like this:

    - role: linux-system-roles.firewall
      vars:
        firewall:
          - service: "RH-Satellite-6"
            state: enabled

Anything else we need to know?:
N/A

Environment:

# yum info firewalld
Updating Subscription Management repositories.
Satellite 6.12 RHEL8                            163 kB/s | 3.0 kB     00:00    
Satellite Maintenance 6.12 RHEL8                443 kB/s | 2.3 kB     00:00    
Installed Packages
Name         : firewalld
Version      : 0.9.3
Release      : 13.el8
Architecture : noarch
Size         : 2.0 M
Source       : firewalld-0.9.3-13.el8.src.rpm
Repository   : @System
From repo    : rhel-8-for-x86_64-baseos-rpms
Summary      : A firewall daemon with D-Bus interface providing a dynamic
             : firewall
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : firewalld is a firewall service daemon that provides a dynamic
             : customizable firewall with a D-Bus interface.

# cat /etc/firewalld/firewalld.conf | grep FirewallBackend
# FirewallBackend
FirewallBackend=nftables

$ ansible --version
ansible [core 2.12.7]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/jenkins/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.10/site-packages/ansible
  ansible collection location = /home/jenkins/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.6 (main, Aug  2 2022, 00:00:00) [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
  jinja version = 3.0.3
  libyaml = True

$ ansible-galaxy list | grep linux-system-roles.firewall
- linux-system-roles.firewall, 1.4.0

When using the firewall role only the firewalld service, not nftables, should be running to avoid any conflicts. While it's trivial to disable/mask nftables in a separate task it would be nice to have the role to do the same and thus avoid any risk for issues. Thanks.

When using previous: replaced and check mode, the playbook fails with the following error:

TASK [rhel-system-roles.firewall : Calculate what has changed] ****************
Monday 26 June 2023  12:10:46 +0300 (0:00:00.104)       0:00:12.707 ***********                                      
task path: /usr/share/ansible/roles/rhel-system-roles.firewall/tasks/main.yml:130
fatal: [192.168.122.170]: FAILED! =>                                                                                   
    msg: |-                                                                                                            
        The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'stdout_lines'. 'dict object' has no attribute 'stdout_lines'

        The error appears to be in '/usr/share/ansible/roles/rhel-system-roles.firewall/tasks/main.yml': line 130, column 7, but may
        be elsewhere in the file depending on the exact syntax problem.

        The offending line appears to be:


            - name: Calculate what has changed
              ^ here                                       

Since replacing previous rules causes firewalld restart it is not suitable for most production environments. In case not replacing previous rules the defined configuration may not be what is in use due to local changes or previous playbook runs with different configuration. An organization might be adhering to security standards that require listing or verifying that only certain ports and services are open in firewall.

There should be a way to display differences between currently defined configuation vs currently in-use configuration. Preferably this would be a configurable step during firewall configuration which would show differences as part of a playbook run after configuring firewall. This should also be doable in check mode. Alternatively, a separate playbook or at least a document example should be available to allow organizations avoid reinventing the wheel here.

Thanks.

What happened:

/etc/firewalld/firewalld.conf is resetted, and all default comment are deleted

What you expected to happen:
only parameters are modified

How to reproduce it (as minimally and precisely as possible):

---

- name: "[@@ firewalld @@]"
  ansible.builtin.include_role:
    name: linux-system-roles.firewall
  vars:
    firewall:
      - previous: replaced

      - zone: myownzone
        state: present

      - zone: myownzone
        service: [ssh]
        icmp_block_inversion: true
        icmp_block: [ echo-reply, echo-request ]
        rich_rule: rule family="ipv4" source address="192.168.1.95" service name="zabbix-agent" accept
        state: enabled
        target: "%%REJECT%%"
        permanent: true

      - set_default_zone: myownzone
        permanent: true

# cat /etc/firewalld/firewalld.conf

DefaultZone=myownzone
CleanupOnExit=yes
CleanupModulesOnExit=yes
Lockdown=no
IPv6_rpfilter=yes
IndividualCalls=no
LogDenied=off
FirewallBackend=nftables
FlushAllOnReload=yes
RFC3964_IPv4=yes
AllowZoneDrifting=yes

# cat /etc/firewalld/firewalld.conf.rpmnew
# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld.
# Default: yes
CleanupOnExit=yes

# Clean up kernel modules on exit
# If set to yes or true the firewall related kernel modules will be
# unloaded on exit or stop of firewalld. This might attempt to unload
# modules not originally loaded by firewalld.
# Default: yes
CleanupModulesOnExit=yes
....

why don't you use something like this:

- name: "[firewalld] AllowZoneDrifting=no"
  ansible.builtin.lineinfile:
    path: "/etc/firewalld/firewalld.conf"
    regexp: '^(AllowZoneDrifting=)(.*)'
    line: 'AllowZoneDrifting=no'
    insertafter: '#AllowZoneDrifting='
  notify:
    - reload firewalld

in the current ansible playbook, how to force AllowZoneDrifting=no?

What happened:

In my playbook firewall.yaml I first create a http-alt service, and then enable it in a subsequent task (I think this is the approach that must be taken? I tried to do it all in one but the role didn't seem to like that, and it seemed sensible to me.)

ansible-playbook firewall.yaml -v --check

TASK [linux-system-roles.firewall : Configure firewall] *******************************************************************************************************************************************************************************************************************
changed: [my-host] => (item={'service': 'http', 'state': 'enabled', 'zone': 'public', 'permanent': True}) => {"__firewall_changed": true, "ansible_loop_var": "item", "changed": true, "item": {"permanent": true, "service": "http", "state": "enabled", "zone": "public"}}
changed: [my-host] => (item={'service': 'http-alt', 'state': 'present', 'short': 'HTTP on alternative port', 'port': '8080/tcp', 'permanent': True}) => {"__firewall_changed": true, "ansible_loop_var": "item", "changed": true, "item": {"permanent": true, "port": "8080/tcp", "service": "http-alt", "short": "HTTP on alternative port", "state": "present"}}
failed: [my-host] (item={'service': 'http-alt', 'state': 'enabled', 'zone': 'public', 'permanent': True}) => {"ansible_loop_var": "item", "changed": false, "item": {"permanent": true, "service": "http-alt", "state": "enabled", "zone": "public"}, "msg": "INVALID_SERVICE: http-alt"}

The subsequent task fails because it does not recognise the service created in the previous task.

What you expected to happen:

The task to pass in check mode. I'd be fine even if it had something like the official Ansible documentation suggests:

ignore_errors: "{{ ansible_check_mode }}"

How to reproduce it (as minimally and precisely as possible):

With the following variables in your playbook using this role:

firewall:
  - service: http-alt
    state: present
    short: HTTP on alternative port
    port: 8080/tcp
    permanent: true
  - service: http-alt
    state: enabled
    zone: public
    permanent: true

Anything else we need to know?:

Environment:

• Firewalld Version: 0.9.3
• Firewalld Backend: nftables
• Ansible Version: core 2.15.0
• Firewall System Role Version: 1.4.4
• OS: RHEL 8.8
• Others: the role is installed via ansible-galaxy as the host running Ansible is not RHEL. The managed hosts are.

When using previous: replaced there's a small time window when firewall is being reset and all new connections to the system are rejected. This should be at least documented if it is not feasible to avoid this as applying changes with this approach in production might cause temporary service failures during the operation. Thanks.

What happened:
State is currently mandatory even for parameters it doesn't make sense for it. For example icmp_block_inversion and masquerading and setting the default zone should not require the state being enabled but it does.
What you expected to happen:
Expectation: For example be able to write the yaml to add masquerading to zone dmz WITHOUT having to have state to be set to enabled

How to reproduce it (as minimally and precisely as possible):
N/A
Anything else we need to know?:
N/A

As of version 1.0.1 it is possible to create a zone, however, until firewall is reloaded this zone is non-functional, so it can't be included in a dict with any rules that anticipate using it. I am anticipating that this would be remedied with the functionality of 'immediate' supplied by firewalld but perhaps not. Open to discussion!

For example, our dict might look like;

{"zone":"000_new_zone","state":"present"},{"permanent":"True","target":"ACCEPT","state":"enabled","zone":"000_new_zone"}
{"permanent":"True","source":"1.0.0.0/24","state":"enabled","zone":"000_new_zone"},{"permanent":"True","source":"2.0.0.0/28","state":"enabled","zone":"000_new_zone"}

(The excessive quotes comes from this being an array parameter from Red Hat Satellite which is running the role against target hosts)

So when the role is run, it successfully creates the zones but then will try to move through the rest of the dict and apply sources/services/whatever else to the newly created zone and fail because the zone is still invalid until the daemon is reloaded. Rerunning the role would not work as the failure results in firewall daemon never being reloaded.

So my question is, are we missing something with our intended usage here or is this missing a function such as detecting when a new zone is created and triggering a firewall-cmd --reload before proceeding with the creation of rule sets? Right now though, the role's ability to create zones appears not to be as useful as it could be

What would you like to be added:
I could'nt come up with an easy solution for dynamically overwrite or not overwrite the whole firewall config depending on a boolean.

Why is the variable "previous: replaced" and not "overwrite_config: true|false" (or something like this).
Why is this needed:
I need an easy way to trigger the overwriting of the configuration exernally, without have to manipulate the firewall-list-of-dict.

If I understood the code, at the moment there is just filtered for "replaced" and I could not find the reason for this.

Regards
Markus

What happened:
command: ansible-galaxy role install linux-system-roles.firewall linux-system-roles.kernel_settings

[WARNING]: - linux-system-roles.firewall was NOT installed successfully: Unable
to compare role versions (0.1, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 1.0.0, 1.0.1,
1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.4.2,
1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4,
main) to determine the most recent version due to incompatible version formats.
Please contact the role author to resolve versioning conflicts, or specify an
explicit role version to install.
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
Starting galaxy role install process

• downloading role 'firewall', owned by linux-system-roles

What you expected to happen:
no error and role installed

How to reproduce it (as minimally and precisely as possible):
i think it is a major problem that is easy to reproduce with running command:
ansible-galaxy role install linux-system-roles.firewall

Anything else we need to know?:
have tested in my automated environment (gitlab ci) and locally

Environment:
like i mentioned the error comes on local command line and on an gitlab ci that was building a docker image that includes the role.

My team is looking to use this role but a necessary aspect of our setup requires us to limit source by zone, (effectively firewall-cmd --add-source)

Is this functionality a part of the roadmap?

(Alternatively, am I missing something that would allow this kind of configuration which is already in play?)

Any insight appreciated!

What would you like to be added:
I want to manage des protocols of a zone by using this role.

#> firewall-cmd --zone=block --add-protocol=ipv6-icmp

Why is this needed:
For Ipv6 I want to add ipv6-icmp in an easy way.
https://firewalld.org/documentation/zone/options.html#protocol

What would you like to be added:

I would like to run the command like "firewall-cmd --new-ipset=foobar --permanent --type=hash:ip" in a playbook rather than using a command module.

Why is this needed:

The customer requested in the technical support channel.

What happened:
forward_port argument validation does not accept dictionary argument
What you expected to happen:
forward_port functionality to work when using a dictionary argument instead of a string, which is the deprecated format
How to reproduce it (as minimally and precisely as possible):

firewall:
  forward_port:
    - port: [any port]
      proto: [tcp/udp]

Anything else we need to know?:
No

We are currently using this role, and it was noted by one of our admins that firewalld entries that were made manually on a server were not clobbered by this role when run.

We would like to ensure that our firewall definitions as described in the Ansible playbook are accurate with what we would expect to find on the servers.

Is there something that I am missing? Or is this maybe on a future roadmap?

set_default_zone is a valid option, and it's working, but it is not documented in the README.

    firewall:
      # Set default zone
      - set_default_zone: my_zone

The test gives deprecation warnings because it uses the deprecated immediate. We should change it to use runtime instead.

What would you like to be added:
Ability to add user defined services using the Firewall System Role.

Why is this needed:
It's needed because user's may want to be able to add their own services rather than the set of services that Firewalld comes with in its defaults.

What happened: During the MSSQL role, it can optionally call this role to add port 1433/tcp. When adding, it returns the error: No firewall backend could be imported.

What you expected to happen: Successfully add the firewall port

How to reproduce it (as minimally and precisely as possible):

1. Install a minimal RHEL 8.8 VM
2. Install the system roles
3. Clone the latest mssql role to /usr/share/ansible/roles as microsoft.sql-server
4. Clone the latest firewall role to /usr/share/ansible/roles as fedora.linux_system_roles.firewall
5. Run the below playbook

- hosts: localhost
  vars:
    mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula: true
    mssql_accept_microsoft_cli_utilities_for_sql_server_eula: true
    mssql_accept_microsoft_sql_server_standard_eula: true
    mssql_version: 2019
    mssql_password: "<password>"
    mssql_edition: Evaluation
    mssql_manage_firewall: true
    mssql_ad_configure: true
    mssql_ad_join: false
    mssql_ad_netbios_name: <domain_short>
    mssql_ad_sql_user: "<sql_user>"
    mssql_ad_sql_password: "<sql_password>"
    ad_integration_realm: <domain_fqdn>
    mssql_post_input_sql_content: |-
      USE master;
      IF NOT EXISTS (
        SELECT name FROM sys.server_principals
        WHERE name = '<user>'
      )
      BEGIN
        PRINT 'A <user> login does not exist, creating';
        CREATE LOGIN [<user>] FROM WINDOWS;
        PRINT 'The <user> login created successfully';
      END
      ELSE
      BEGIN
        PRINT 'A <user> login already exists, skipping'
      END
  roles:
    - microsoft.sql-server

Anything else we need to know?:
This was also tested using the version of rhel-system-roles.firewall that's included in the package rhel-system-roles.noarch
I also tried setting SELinux to permissive, but it did not change the error message

Environment:

• Firewalld Version: 0.9.3
• Firewalld Backend: FirewallBackend=nftables
• Ansible Version: ansible [core 2.14.2]
• Firewall System Role Version: f5a6d46
• OS: Red Hat Enterprise Linux 8.8 (Ootpa)
• Others:

Full error message:

failed: [localhost] (item={'port': '1433/tcp', 'state': 'enabled', 'permanent': True, 'runtime': True}) => {"ansible_loop_var": "item", "changed": false, "item": {"permanent": true, "port": "1433/tcp", "runtime": true, "state": "enabled"}, "msg": "No firewall backend could be imported."}

Hi

Galaxy has the last import of this role 2 yrs ago:
https://galaxy.ansible.com/linux-system-roles/firewall

Could you please update Galaxy? I had issues with the role from Galaxy and they are already fixed here in Github.

Thanks & br
Thomas

What happened:

Job synchronization to remote container fails due to symlink: firewall/tests/roles/linux-system-roles.firewall

(This is also the case for other modules like "linux-system-roles/cockpit")

What you expected to happen:

no errors when syncing the module to the execution container.

How to reproduce it (as minimally and precisely as possible):

1. add module in roles/requirements.yaml
2. use simple 'ping' playbook
3. run using 'container groups'

Anything else we need to know?:

PLAY [Prepare data, dispatch job in isolated environment.] *********************

TASK [Output job the playbook is running for] **********************************
Thursday 30 December 2021 14:06:12 +0000 (0:00:00.061) 0:00:00.061 *****
ok: [awx-job-3706] => { "msg": "Checking on job 3706" }

TASK [synchronize job environment with isolated host] **************************
Thursday 30 December 2021 14:06:13 +0000 (0:00:00.154) 0:00:00.215 *****
skipping: [awx-job-3706]

TASK [synchronize job environment with remote job container] *******************
Thursday 30 December 2021 14:06:13 +0000 (0:00:00.111) 0:00:00.327 ***** ockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit") failed: Too many levels of symbolic links (40)\nrsync: readlink_stat("/tmp/bwrap_3706_44k_vvzf/awx_3706_4ugdg34u/requirements_roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall") failed: Too many levels of symbolic links (40)\ncommand terminated wifatal: [awx-job-3706]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --copy-links --archive --blocking-io --rsh=$RSH --out-format=<>%i %n%L /tmp/bwrap_3706_44k_vvzf/awx_3706_4ugdg34u awx-job-3706:/tmp/bwrap_3706_44k_vvzf", "msg": "Flag --config has been deprecated, use --kubeconfig instead\nrsync: readlink_stat("/tmp/bwrap_3706_44k_vvzf/awx_3706_4ugdg34u/requirements_roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit/tests/roles/linux-system-roles.cockpit") failed: Too many levels of symbolic links (40)\nrsync: readlink_stat("/tmp/bwrap_3706_44k_vvzf/awx_3706_4ugdg34u/requirements_roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall/tests/roles/linux-system-roles.firewall") failed: Too many levels of symbolic links (40)\ncommand terminated with exit code 23\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1179) [sender=3.1.2]\n", "rc": 23} PLAY RECAP *********************************************************************
awx-job-3706 : ok=1 changed=0 unreachable=0 failed=1 skipped=1 rescued=0 ignored=0

Environment:

• Ansible Version ansible 2.9.17
• Firewall System Role Version 1.0.1
• OS RHEL 7.9