Bug 2120709

Summary: Use firewall role to configure firewall for SQL Server
Product: Red Hat Enterprise Linux 9 Reporter: Sergei Petrosian <spetrosi>
Component: ansible-collection-microsoft-sqlAssignee: Sergei Petrosian <spetrosi>
Status: CLOSED ERRATA QA Contact: Daniel Yeisley <dyeisley>
Severity: unspecified Docs Contact: Alexandra Nikandrova <anikandr>
Priority: unspecified    
Version: 9.1CC: gfialova, lmanasko
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ansible-collection-microsoft-sql-1.2.3-1.el9 Doc Type: Enhancement
Doc Text:
The RN description for this BZ is covered as part of BZ#2066337. link: https://bugzilla.redhat.com/show_bug.cgi?id=2066337
 Story Points: ---
Clone Of:
: 2120714 (view as bug list) Environment:
Last Closed: 2022-11-15 10:29:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2120714, 2129334    
Deadline: 2022-08-29   

Description Sergei Petrosian 2022-08-23 15:06:58 UTC 
Description of problem:
The microsoft.sql.server role must use the firewall role to automate fireall configuration.

Actual results:
Previously, users needed to configure firewall themselves.

Expected results:
Usesrs provide special variables like `mssql_firewall_configure: true` and `mssql_ha_firewall_configure: true` to make the role 

Additional info:
Fixed in https://github.com/linux-system-roles/mssql/pull/77
Comment 1 Daniel Yeisley 2022-08-30 20:58:03 UTC 
I installed two systems with RHEL-9.1.0-20220830.1 and started the firewall service. I added port 6776 required by the restraint harness.

[root@isvqe-01 ~]# firewall-cmd --list-ports
6776/tcp

The following ansible-collection rpm is installed. 
[root@isvqe-01 Certification]# rpm -qa | grep ansible-collection
ansible-collection-microsoft-sql-1.2.3-1.el9.noarch

The is the yml I used. 
[root@isvqe-01 Certification]# cat site-ha.yml 

---
- hosts: all
  vars:
        ha_cluster_enable_repos: no
        mssql_version: 2019
        mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula: true
        mssql_accept_microsoft_cli_utilities_for_sql_server_eula: true
        mssql_accept_microsoft_sql_server_standard_eula: true
        mssql_password: redhat123!
        mssql_edition: Developer
        mssql_enable_sql_agent: true
        mssql_install_fts: true
        mssql_ha_configure: true
        mssql_manage_firewall: true
        mssql_ha_listener_port: 5022
        mssql_ha_cert_name: mssql_cert
        mssql_ha_master_key_password: "redhat123!"
        mssql_ha_private_key_password: "redhat123!"
        mssql_ha_reset_cert: false
        mssql_ha_endpoint_name: hadr_endpoint
        mssql_ha_ag_name: ag1
        mssql_ha_db_names:
          - ds2
        mssql_ha_login: hacluster
        mssql_ha_login_password: "redhat123!"
        mssql_ha_hacluster_password: "redhat123!"
        mssql_ha_cluster_run_role: true
        mssql_ha_virtual_ip: 192.168.100.201
        ha_cluster_cluster_name: isvqe-cluster
        ha_cluster_hacluster_password: "redhat123!"
        ha_cluster_cluster_properties:
          - attrs:
            - name: cluster-recheck-interval
              value: 2min
            - name: start-failure-is-fatal
              value: true
            - name: stonith-enabled
              value: false
        ha_cluster_resource_primitives:
          - id: mydummy
            agent: ocf:pacemaker:Dummy
          - id: ag_cluster
            agent: ocf:mssql:ag
            instance_attrs:
              - attrs:
                - name: ag_name
                  value: "ag1"
            meta_attrs:
              - attrs:
                - name: failure-timeout
                  value: 80s
          - id: virtualip
            agent: ocf:heartbeat:IPaddr2
            instance_attrs:
              - attrs:
                - name: ip
                  value: 192.168.100.201
            operations:
              - action: monitor
                attrs:
                  - name: interval
                    value: 30s
        ha_cluster_resource_clones:
          - resource_id: ag_cluster
            promotable: yes
            meta_attrs:
              - attrs:
                - name: notify
                  value: true
        ha_cluster_constraints_colocation:
          - resource_leader:
              id: ag_cluster-clone
              role: Promoted
            resource_follower:
              id: virtualip
            options:
              - name: score
                value: INFINITY
        ha_cluster_constraints_order:
          - resource_first:
              id: ag_cluster-clone
              action: promote
            resource_then:
              id: virtualip
              action: start

  roles:
         - role: microsoft.sql.server

I executed my script which created a 2-node cluster using the ansible roles and then executed my test harness against it. 

I saw no issues and the sql server port was added to the firewall.

[root@isvqe-01 Certification]# firewall-cmd --list-ports
1229/tcp 1433/tcp 5022/tcp 6776/tcp
Comment 3 Fedora Update System 2022-09-04 22:45:36 UTC 
FEDORA-2022-c8843968db has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2022-11-15 10:29:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-collection-microsoft-sql bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8154