
Zone attribute change breaks compatibility with Oracle 8 & 9 (probably RHEL 8 & 9 as well) #298

Open
rolffujino opened this issue Jun 5, 2024 · 7 comments

Comments

@rolffujino

🗣️ Foreword

The change to the cookbook in v6.3.5, adding --zone options to all firewall-cmd commands, conflicts with the --direct option and causes it to error out.

👻 Brief Description

    ================================================================================
    Error executing action `restart` on resource 'firewall[default]'
    ================================================================================

    Mixlib::ShellOut::ShellCommandFailed
    ------------------------------------
    Expected process to exit with [0], but received '2'
    ---- Begin output of firewall-cmd --zone=drop --direct --add-rule ipv4 filter INPUT 50 -i lo -m comment --comment 'allow loopback' -j ACCEPT ----
    STDOUT:
    STDERR: usage: see firewall-cmd man page
    --zone is an invalid option with --direct
    ---- End output of firewall-cmd --zone=drop --direct --add-rule ipv4 filter INPUT 50 -i lo -m comment --comment 'allow loopback' -j ACCEPT ----
    Ran firewall-cmd --zone=drop --direct --add-rule ipv4 filter INPUT 50 -i lo -m comment --comment 'allow loopback' -j ACCEPT returned 2

    Cookbook Trace: (most recent call first)
    ----------------------------------------
    /tmp/kitchen/cache/cookbooks/firewall/libraries/helpers_firewalld.rb:12:in `firewalld_rule!'
    /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:108:in `block (2 levels) in <class:FirewallFirewalld>'
    /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:107:in `each'
    /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:107:in `block in <class:FirewallFirewalld>'

🥞 Cookbook version

6.3.5+

👩‍🍳 Chef-Infra Version

18.3.0

🎩 Platform details

Oracle Linux 8
Oracle Linux 9

Most likely:
RHEL 8
RHEL 9

Steps To Reproduce

Try to deploy firewall rules on Oracle Linux 8 or 9.

🚓 Expected behavior

No errors, running the same as v6.3.4.

@breisig

breisig commented Nov 10, 2024

This is a HUGE issue!!! Without this being fixed, it prevents you from using this cookbook [using Rocky Linux 9.4], especially if there is no workaround.

@breisig

breisig commented Nov 14, 2024

I tried downgrading to v6.3.4 and it still fails. Any workaround?

@rolffujino
Author

@breisig how are you applying v6.3.4?
For example, are you running that version against a cleanly created VM or are you rerunning the cookbook with a different version lock against an already failing VM?
If you are rerunning against an already failed VM, I would recommend purging the existing ACLs and firewall files like direct.xml to make sure the zone option is not being applied anywhere.

Also double check the Chef cache to see if the template it wants to apply actually contains the --zone option.

@breisig

breisig commented Nov 14, 2024

What I did was download the firewall code from git, check out the 6.3.4 branch and upload it to Chef. I installed a FRESH Rocky Linux 9.4 Linux VM with the latest updates applied and bootstrapped the server with the following recipe:

# enable platform default firewall
firewall 'default' do
  action    :install
  log_level :off
end

# open standard ssh port
firewall_rule 'ssh' do
  port    22
  command :allow
  action  :create
end

And it fails during the initial bootstrap of the server:

    Error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '2'
    ---- Begin output of firewall-cmd --zone=drop --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT ----
    STDOUT:
    STDERR: usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page
    --zone is an invalid option with --direct
    ---- End output of firewall-cmd --zone=drop --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT ----
    Ran firewall-cmd --zone=drop --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT returned 2

And I still get the error.

@rolffujino
Author

rolffujino commented Nov 15, 2024

@breisig sorry for being pedantic, I need to double/sanity check.

When you bootstrap a VM, near the beginning, possibly after the installation of the client, you get a list of cookbooks and the versions that are being deployed/applied; please paste that into a comment.
This is to confirm it isn't still deploying a newer version of the cookbook that is stored on the Chef Server, because the operation you explained above doesn't make it seem to me that you are actually locking the firewall cookbook version.

In version 6.3.4 of the firewall cookbook and earlier there is no --zone in the code used to generate the rule; it was only added after that.
https://github.com/sous-chefs/firewall/blob/6.3.4/libraries/provider_firewall_firewalld.rb

@breisig

breisig commented Nov 16, 2024

Sorry, I should have seen this. The newer cookbook was still around, which the recipe defaulted to using. I deleted it and now it works with 6.3.4. Again, this is just a workaround.

@rolffujino
Author

@breisig it happens, mate; that is why it is always a good idea to double/sanity check.

Tbh after looking at the code, I see the following that needs to be changed:

  • The firewall_rule resource needs to make the zone attribute optional and no default value. (libraries/resource_firewall_rule.rb)
  • Then the command generation needs to have an if/else statement that tests whether zone is empty: if not empty use --zone, else use --direct.

If I have time, I will try and submit a PR.
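As an added illustration of the if/else described in the comment above (example code, not the sous-chefs/firewall cookbook's own implementation): a zone that is set yields a zone-based rich rule, an empty zone yields an iptables passthrough via --direct, and the two flags are never combined, which is the combination firewall-cmd rejects with exit status 2 in the reports above. `Rule`, `firewall_cmd_args`, `firewall_cmd_line` and `valid_args?` are hypothetical names; the firewalld rich-rule syntax is firewall-cmd's own.

```ruby
require 'shellwords'

# Hypothetical, simplified rule; the real firewall_rule resource has many more attributes.
Rule = Struct.new(:name, :zone, :port, :protocol, :command, :position, keyword_init: true)

TARGET      = { allow: 'ACCEPT', deny: 'DROP' }.freeze  # iptables targets for --direct rules
RICH_ACTION = { allow: 'accept', deny: 'drop' }.freeze  # actions for firewalld rich rules

# An optional zone with no default: nil, '' and whitespace all count as "not set".
def zone_set?(rule)
  !rule.zone.to_s.strip.empty?
end

# The proposed if/else: zone present -> --zone with a rich rule,
# zone absent -> --direct with an iptables rule. --zone and --direct
# are mutually exclusive in firewall-cmd, so neither branch emits both.
def firewall_cmd_args(rule)
  if zone_set?(rule)
    rich = %(rule family="ipv4" port port="#{rule.port}" protocol="#{rule.protocol}" #{RICH_ACTION.fetch(rule.command)})
    ["--zone=#{rule.zone}", '--add-rich-rule', rich]
  else
    ['--direct', '--add-rule', 'ipv4', 'filter', 'INPUT', rule.position.to_s,
     '-p', rule.protocol, '-m', rule.protocol, '-m', 'multiport', '--dports', rule.port.to_s,
     '-m', 'comment', '--comment', rule.name, '-j', TARGET.fetch(rule.command)]
  end
end

# Shell-safe command line, as a provider would hand it to Mixlib::ShellOut.
def firewall_cmd_line(rule)
  Shellwords.join(['firewall-cmd', *firewall_cmd_args(rule)])
end

# Guard to run before shelling out: rejects the exact argv shape from this issue
# instead of letting firewall-cmd fail with "--zone is an invalid option with --direct".
def valid_args?(args)
  !(args.include?('--direct') && args.any? { |a| a.start_with?('--zone') })
end

# Constructed rules modelled on the 'ssh' rule in the report (not from the cookbook).
SSH_DIRECT = Rule.new(name: 'ssh', zone: nil,      port: 22, protocol: 'tcp', command: :allow, position: 50)
SSH_PUBLIC = Rule.new(name: 'ssh', zone: 'public', port: 22, protocol: 'tcp', command: :allow, position: 50)

if __FILE__ == $PROGRAM_NAME
  puts firewall_cmd_line(SSH_DIRECT)
  puts firewall_cmd_line(SSH_PUBLIC)
end
```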
