update 0.1.9 issues with firewalld #8

Open
thaylin opened this issue Nov 19, 2020 · 4 comments

Comments


thaylin commented Nov 19, 2020

It seems the update for 0.1.9 introduced a default disabling of firewalld. This I believe is bad form. Modules should not disable major security features of the machine on their own, particularly one that is forward-facing such as the firewall, by default.

In addition, as a practical matter, the update breaks Puppet applies on any system that is already managing firewalld, with a duplicate declaration error. There does not seem to be a way to turn off this error that I know of, even when disabling this feature. I have locked my repo to 0.1.8 so Puppet can run, even though I cannot take advantage of the previous patch to the controller ID.

@geekgogie
Contributor

Hi @thaylin

You have the option to disable it. In fact, this process is how it works in our install-cc. You can review the file here: http://www.severalnines.com/downloads/cmon/install-cc

    if [[ $dist = "redhat" ]]; then
        [[ -z $use_existing_mysql ]] && $chkconfig
        setenforce 0
        sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config &>/dev/null
        cat << EOF
=> NOTE: Stopping and disabling firewall...manually re-enable and add rules if required.
Required ports to be opened, http://support.severalnines.com/entries/22654676-Firewall-ports-
EOF
        if [[ $systemd == 1 ]]; then
            systemctl stop firewalld
            systemctl disable firewalld
        else
            service iptables stop
            chkconfig iptables off
        fi
    fi

It is a limitation because the CC is built of a complex management for open source databases and it's not intended to manage the OS security, as that is a case-to-case basis. That's why if you read the docs it is mentioned that if you are able to setup your security, then you can set this to false. I don't think that is a security issue. The user has to know the software itself on how to use it.

thaylin commented Nov 20, 2020

I do not have the option of disabling it. The issue is not that I can disable the action to disable firewalld; the issue is that the service call

    service { 'firewalld': ensure => stopped, enable => false }

is now duplicated:

    Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Service[firewalld] is already declared at (file: /etc/puppetlabs/code/environments/lib_master/modules/firewalld/manifests/init.pp, line: 78); cannot redeclare (file: /etc/puppetlabs/code/environments/lib_master/modules/clustercontrol/manifests/init.pp, line: 135) (file: /etc/puppetlabs/code/environments/lib_master/modules/clustercontrol/manifests/init.pp, line: 135, column: 7) on node clustercontrol.lib.ncsu.edu
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run

    class { 'clustercontrol':
        is_controller => true,
        mysql_root_password => $mysql_root_password,
        mysql_cmon_password => $cmonpassowrd,
        mysql_cmon_root_password => $mysql_root_password,
        api_token => $cmonapi,
        ssh_user => 'root',
        disable_firewall => false,
        ssh_port => '1024',
        modulepath => '/etc/puppetlabs/code/environments/lib_master/modules/clustercontrol/',
        use_repo => false,
    }

You could potentially get around this by having the service call also in an if statement that is only processed if disable_firewall => true.
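Taking the guard suggested above, as an added example that is neither the clustercontrol module's nor the commenter's own code: the service declaration only enters the catalog when `disable_firewall` is true, so a site module that already manages firewalld no longer collides with it. The class signature, the default of false, the `file_line` branch for `disable_os_sec_module` and the node name are assumptions.

```puppet
# Added example, not code from the clustercontrol module: Service['firewalld']
# is declared only when the operator opts in, so the class composes with a
# separate module that already manages the host firewall.
# Assumed: this class signature, the Boolean parameters and their default of
# false (the issue only names the parameter disable_firewall).
class clustercontrol (
  Boolean $disable_firewall      = false,
  Boolean $disable_os_sec_module = false,
) {
  # An unconditional declaration here collides with any other class that
  # manages the same service and fails the catalog with "Duplicate declaration".
  if $disable_firewall {
    service { 'firewalld':
      ensure => stopped,
      enable => false,
    }
  }

  # Same pattern for the OS security module (SELinux): leave it untouched
  # unless explicitly requested. Assumed resource (file_line is from
  # puppetlabs-stdlib), shown for symmetry with the firewall guard.
  if $disable_os_sec_module {
    file_line { 'selinux_disabled':
      path  => '/etc/selinux/config',
      line  => 'SELINUX=disabled',
      match => '^SELINUX=',
    }
  }
}

# Node side (assumed layout, placeholder hostname): the firewall stays under
# the site's own firewalld module and clustercontrol is told to leave it
# alone, so both can be declared in one catalog.
node 'cc.example.internal' {
  include firewalld            # the site's existing firewall management

  class { 'clustercontrol':
    is_controller    => true,
    disable_firewall => false, # keep the host firewall as the site configured it
  }
}
```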

@geekgogie
Contributor

Hi @thaylin

Thanks, you're right. I missed that one there. I'll fix that.

@geekgogie
Contributor

Fixed and added now. We've updated our documentation as well, as we won't touch/leave current configuration when disable_firewall and disable_os_sec_module are false.
