Bug 1894488

Summary: [RFE] Support for firewalld zone in ipaserver and ipareplica roles
Product: Red Hat Enterprise Linux 8
Component: ansible-freeipa
Version: 8.4
Reporter: Thomas Woerner <twoerner>
Assignee: Thomas Woerner <twoerner>
QA Contact: ipa-qe <ipa-qe>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
CC: mvarun, ndehadra, pcech, pvoborni
Target Milestone: rc
Target Release: 8.0
Keywords: FutureFeature, RFE
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ansible-freeipa-0.3.0-1
Doc Type: If docs needed, set a value
Last Closed: 2021-05-18 15:51:22 UTC
Type: Bug
Bug Blocks: 1894575

Description Thomas Woerner 2020-11-04 11:10:56 UTC
Add support for firewalld zone to ipaserver and ipareplica roles.

The new variables ipa[server,replica]_firewalld_zone have been added to
be able to set the zone in which the needed services for IPA are enabled.

New tasks have been added to check if the zone is available in the runtime
and also permanent environment.

The code to enable firewalld has been moved out of the
ipa[server,replica]_install_packages blocks to make sure that the firewalld
service is also enabled if the package is already installed.

Fixes: issue #177 (How to set up firewalld zones?)

Upstream PR: https://github.com/freeipa/ansible-freeipa/pull/389/

Comment 9 Varun Mylaraiah 2020-12-11 10:53:26 UTC
Verified
ansible-freeipa-0.3.1-1.el8.noarch


Master
=======
2020-12-11T09:37:31+0000 ansible_freeipa_tests/test_idm_deploy_master.py::TestMasterFirewalldZone::test_install_master_with_firewalld_zone 
2020-12-11T09:37:31+0000 -------------------------------- live log call ---------------------------------
2020-12-11T09:37:31+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['firewall-cmd', '--permanent', '--new-zone=LAN']
2020-12-11T09:37:31+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['firewall-cmd', '--permanent', '--zone=LAN', '--add-service=ssh']
2020-12-11T09:37:31+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['firewall-cmd', '--reload']
2020-12-11T09:37:32+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO WRITE inventory/server.hosts
2020-12-11T09:37:32+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO PUT install-server.yaml
2020-12-11T09:37:32+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/server.hosts', 'install-server.yaml']
2020-12-11T09:45:55+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['firewall-cmd', '--list-all', '--zone=LAN']
2020-12-11T09:45:55+0000 PASSED                                                                   [100%]


Replica
========
2020-12-11T09:07:50+0000 ansible_freeipa_tests/test_idm_deploy_replica.py::TestReplicaFirewalldZone::test_replica_with_firewalld_zone 
2020-12-11T09:07:50+0000 -------------------------------- live log call ---------------------------------
2020-12-11T09:07:50+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipactl', 'status']
2020-12-11T09:07:50+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO WRITE inventory/master.hosts
2020-12-11T09:07:50+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO PUT install-server.yaml
2020-12-11T09:07:50+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/master.hosts', 'install-server.yaml']
2020-12-11T09:15:44+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipactl', 'status']
2020-12-11T09:15:46+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['firewall-cmd', '--permanent', '--new-zone=LAN']
2020-12-11T09:15:47+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['firewall-cmd', '--permanent', '--zone=LAN', '--add-service=ssh']
2020-12-11T09:15:47+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['firewall-cmd', '--reload']
2020-12-11T09:15:47+0000 [pytest_multihost.host.Host.replica1.ParamikoTransport] INFO RUN ['firewall-cmd', '--permanent', '--new-zone=LAN']
2020-12-11T09:15:48+0000 [pytest_multihost.host.Host.replica1.ParamikoTransport] INFO RUN ['firewall-cmd', '--permanent', '--zone=LAN', '--add-service=ssh']
2020-12-11T09:15:48+0000 [pytest_multihost.host.Host.replica1.ParamikoTransport] INFO RUN ['firewall-cmd', '--reload']
2020-12-11T09:15:49+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO WRITE inventory/replicas.hosts
2020-12-11T09:15:49+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO PUT install-replicas.yaml
2020-12-11T09:15:49+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/replicas.hosts', 'install-replicas.yaml']
2020-12-11T09:21:14+0000 [pytest_multihost.host.Host.replica1.ParamikoTransport] INFO RUN ['firewall-cmd', '--list-all', '--zone=LAN']
2020-12-11T09:21:14+0000 PASSED          


Based on the test result, marking the bug VERIFIED.
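
The zone check from the description (zone present in both the runtime and the permanent configuration) and the `firewall-cmd --list-all --zone=LAN` step from the verification log, written out as an added shell example; it is not ansible-freeipa's task code or the QE test code. The function names, return codes, the `FIREWALL_CMD` override and the sample service names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not ansible-freeipa code. FIREWALL_CMD can be overridden so
# the logic can be exercised on a host without firewalld.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# in_list NAME "space separated list": exit 0 only on an exact match.
in_list() {
    for item in $2; do
        if [ "$item" = "$1" ]; then return 0; fi
    done
    return 1
}

# check_zone ZONE
#   0 = zone exists in runtime and permanent configuration
#   1 = missing at runtime (e.g. --permanent --new-zone without --reload)
#   2 = missing from permanent configuration (lost on next reload)
#   3 = firewall-cmd itself failed (firewalld not running or not installed)
check_zone() {
    runtime=$("$FIREWALL_CMD" --get-zones) || return 3
    permanent=$("$FIREWALL_CMD" --permanent --get-zones) || return 3
    in_list "$1" "$runtime" || return 1
    in_list "$1" "$permanent" || return 2
    return 0
}

# missing_services ZONE SERVICE...
#   Prints each SERVICE that is not enabled in ZONE's permanent configuration.
missing_services() {
    zone=$1; shift
    enabled=$("$FIREWALL_CMD" --permanent --zone="$zone" --list-services) || return 3
    for svc in "$@"; do
        if ! in_list "$svc" "$enabled"; then printf '%s\n' "$svc"; fi
    done
}

# Script usage: ./check-zone.sh LAN ssh   (zone and service names are samples)
if [ "$#" -ge 1 ]; then
    check_zone "$1" || { echo "zone '$1' not usable, rc=$?" >&2; exit 1; }
    zone_arg=$1; shift
    missing=$(missing_services "$zone_arg" "$@") || exit 3
    if [ -n "$missing" ]; then echo "missing in $zone_arg: $missing" >&2; exit 2; fi
    echo "zone $zone_arg OK"
fi
```

Run `check_zone` before the playbook with the value given to `ipaserver_firewalld_zone` or `ipareplica_firewalld_zone`, and `missing_services` afterwards with the services you expect the role to have enabled in that zone.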

Comment 11 errata-xmlrpc 2021-05-18 15:51:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1860