Bug 1748382

Summary: Add puppetmaster service in firewalld to keep the entry persistent across reboots in RHUI 3.0.
Product: Red Hat Update Infrastructure for Cloud Providers Reporter: Subhash Mane <smane>
Component: RHUA Assignee: RHUI Bug List <rhui-bugs>
Status: CLOSED NOTABUG QA Contact: Radek Bíba <rbiba>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.0.7 CC: carl, mminar
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-13 15:13:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Subhash Mane 2019-09-03 13:34:29 UTC
Description of problem:

- Add puppetmaster service in firewalld to keep the entry persistent across reboots in RHUI 3.0.

Version-Release number of selected component (if applicable):

- rhui-installer-3.0.2-1.el7ui.noarch
- Red Hat Enterprise Linux Server release 7.6 (Maipo)

How reproducible: 100%

Steps to Reproduce:

1. On RHUA 3.0+ run "rhui-installer".

2. Verify "# iptables -L":
ACCEPT     tcp  --  anywhere             anywhere             multiport ports 8140 /* 110 allow puppet access */

3. Verify "# firewall-cmd --list-all" which does not have the puppetmaster service listed.

4. Reboot RHUA

5. Verify with "# iptables -L" that the rule is lost.

Actual results:

- After executing "rhui-installer", the iptables rule for the puppetmaster service is added to RHUA (3.0+) on RHEL 7. But after the reboot, the iptables rule for the puppetmaster service is lost.

Expected results:

- puppetmaster service should be added to firewalld upon executing "rhui-installer" so that it is persistent across reboots in RHUI 3.0.

Additional info:

Comment 2 Martin Minar 2019-11-13 15:13:50 UTC
There is a chapter in the Administration Guide - Chapter 3. Prerequisites for Installing Red Hat Update Infrastructure - https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/3.1/html-single/system_administrators_guide/index#prerequisites - that contains a table with a list of ports that have to be opened, and port 8140 is there. It is not the responsibility of rhui-installer to set these firewalld rules.

Comment 3 Carl George 2019-11-18 14:18:02 UTC
Martin, if it is not the responsibility of rhui-installer to allow those ports, then why is it creating iptables rules?  If it's going to do it, do it correctly with firewalld so it's persistent.

Comment 4 Martin Minar 2019-11-18 14:48:45 UTC
You are right that it's not optimal. There are - historically - a lot of puppet modules involved in an rhui-installer run; most of them are unchanged puppetlabs forge versions where we just want a part of the functionality. A lot of them are not updated any more. We are trying to purge/update/fix them whenever we encounter them while working on rhui-installer issues, but we don't plan a total overhaul any time soon for this version of RHUI.
That is also one of the reasons why that prerequisite table of ports exists in the documentation.
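
The condition from the reproduction steps above (a TCP port accepted by a runtime iptables rule but absent from firewalld's permanent configuration, so it disappears on reboot) can be checked with a short script. This is an added example, not part of the bug report or of rhui-installer; the function names are hypothetical and the sample iptables output and permanent port list are constructed.

```shell
#!/bin/sh
# Added example: list TCP ports that iptables accepts at runtime but that
# firewalld's permanent configuration does not cover (lost on reboot).

# Read `iptables -L -n` output on stdin and print the TCP ports of ACCEPT rules.
# Handles "dpt:N" and "multiport ports|dports N,M"; port ranges are not expanded.
iptables_accept_ports() {
    awk '$1 == "ACCEPT" && $2 == "tcp" {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dpt:[0-9]+$/) {
                print substr($i, 5)
            } else if ($i == "ports" || $i == "dports") {
                n = split($(i + 1), p, ",")
                for (j = 1; j <= n; j++) if (p[j] ~ /^[0-9]+$/) print p[j]
            }
        }
    }' | sort -un
}

# $1: `iptables -L -n` output; $2: "port/tcp" tokens known to firewalld --permanent.
# Prints every runtime-accepted port that is missing from the permanent set.
non_persistent_ports() (
    perm=" $(printf '%s ' $2)"          # normalise whitespace, pad for matching
    for port in $(printf '%s\n' "$1" | iptables_accept_ports); do
        case "$perm" in
            *" $port/tcp "*) ;;         # covered by permanent configuration
            *) printf '%s\n' "$port" ;; # runtime-only rule
        esac
    done
)

# Constructed sample: two rules of the kind firewalld generates, plus the
# rule from step 2 of the report.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport ports 8140 /* 110 allow puppet access */'
SAMPLE_PERMANENT='22/tcp 443/tcp'       # constructed permanent port list

non_persistent_ports "$SAMPLE_IPTABLES" "$SAMPLE_PERMANENT"

# Live use (as root): build the permanent set from firewalld, then compare.
#   perm="$(firewall-cmd --permanent --list-ports)"
#   for s in $(firewall-cmd --permanent --list-services); do
#       perm="$perm $(firewall-cmd --permanent --service="$s" --get-ports)"
#   done
#   non_persistent_ports "$(iptables -L -n)" "$perm"
```

Any port the script reports can be made persistent with `firewall-cmd --permanent --add-port=<port>/tcp` followed by `firewall-cmd --reload`.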