| Summary: | [RFE] ipa-server-install should offer to open necessary firewall ports for you |
|---|---|
| Product: | Red Hat Enterprise Linux 8 |
| Reporter: | Brian Cook <bcook> |
| Component: | ansible-freeipa |
| Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED ERRATA |
| QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified |
| Docs Contact: | |
| Priority: | unspecified |
| Version: | 8.0 |
| CC: | abokovoy, cvantuin, dpal, jgalipea, mkosek, mvarun, nkinder, pasik, pvoborni, rcritten, tscherf |
| Target Milestone: | rc |
| Keywords: | FutureFeature |
| Target Release: | 8.2 |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | |
| Fixed In Version: | ansible-freeipa-0.1.1-1 |
| Doc Type: | Enhancement |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| : | 1353681 |
| Environment: | |
| Last Closed: | 2019-11-05 21:08:48 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Bug Depends On: | |
| Bug Blocks: | 756082 |
Description
Brian Cook
2011-11-13 00:51:48 UTC
Moving RFE to 6.3.0. Upstream ticket: https://fedorahosted.org/freeipa/ticket/2110

Verified

# rpm -qa ansible-freeipa
ansible-freeipa-0.1.6-3.el8.noarch

Rules are now added for the necessary firewall ports.
1) Firewall stopped before server installation
Console output:-
On Server
==========
[root@ipaserver1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor pres>
Active: inactive (dead)
Docs: man:firewalld(1)
On Controller
=============
TASK [ipaserver : Install - Configure firewalld] ***********************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:413
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<ipaserver1.test.local> (0, b'/root\n', b'')
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053 `" && echo ansible-tmp-1566554695.0504465-149489153310053="` echo /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053 `" ) && sleep 0'"'"''
<ipaserver1.test.local> (0, b'ansible-tmp-1566554695.0504465-149489153310053=/root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053\n', b'')
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/commands/command.py
<ipaserver1.test.local> PUT /root/.ansible/tmp/ansible-local-20037rycwt47_/tmpf8p23588 TO /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py
<ipaserver1.test.local> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 '[ipaserver1.test.local]'
<ipaserver1.test.local> (0, b'sftp> put /root/.ansible/tmp/ansible-local-20037rycwt47_/tmpf8p23588 /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py\n', b'')
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/ /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py && sleep 0'"'"''
<ipaserver1.test.local> (0, b'', b'')
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 -tt ipaserver1.test.local '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-bnomccxwebzbhxffkmrghgzgmehcdgdr ; /usr/libexec/platform-python /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<ipaserver1.test.local> (1, b'\r\n{"msg": "non-zero return code", "cmd": ["firewall-cmd", "--permanent", "--add-service=freeipa-ldap", "--add-service=freeipa-ldaps", "--add-service=dns", "--add-service=ntp"], "stdout": "", "stderr": "FirewallD is not running", "rc": 252, "start": "2019-08-23 06:04:55.645419", "end": "2019-08-23 06:04:55.924955", "delta": "0:00:00.279536", "changed": true, "failed": true, "invocation": {"module_args": {"_raw_params": "firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps \\n--add-service=dns --add-service=ntp\\n", "warn": true, "_uses_shell": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}\r\n', b'Shared connection to ipaserver1.test.local closed.\r\n')
<ipaserver1.test.local> Failed to connect to the host via ssh: Shared connection to ipaserver1.test.local closed.
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'rm -f -r /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/ > /dev/null 2>&1 && sleep 0'"'"''
<ipaserver1.test.local> (0, b'', b'')
fatal: [ipaserver1.test.local]: FAILED! => {
"changed": true,
"cmd": [
"firewall-cmd",
"--permanent",
"--add-service=freeipa-ldap",
"--add-service=freeipa-ldaps",
"--add-service=dns",
"--add-service=ntp"
],
"delta": "0:00:00.279536",
"end": "2019-08-23 06:04:55.924955",
"invocation": {
"module_args": {
"_raw_params": "firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps \n--add-service=dns --add-service=ntp\n",
"_uses_shell": false,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"msg": "non-zero return code",
"rc": 252,
"start": "2019-08-23 06:04:55.645419",
"stderr": "FirewallD is not running",
"stderr_lines": [
"FirewallD is not running"
],
"stdout": "",
"stdout_lines": []
}
PLAY RECAP *************************************************************************************************
ipaserver1.test.local : ok=35 changed=18 unreachable=0 failed=1 skipped=28 rescued=0 ignored=0
=====================================================================================
2) Firewall started before server installation
Console output:-
On Server
==========
[root@ipaserver1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor pres>
Active: active (running) since Fri 2019-08-23 06:51:29 EDT; 2min 14s ago
Docs: man:firewalld(1)
Main PID: 8251 (firewalld)
Tasks: 2 (limit: 26213)
Memory: 21.6M
CGroup: /system.slice/firewalld.service
└─8251 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --no>
Aug 23 06:51:28 ipaserver1.test.local systemd[1]: Starting firewalld - dynamic fire>
Aug 23 06:51:29 ipaserver1.test.local systemd[1]: Started firewalld - dynamic firew>
On Controller
=============
[root@kvm-01-guest29 ~]# ansible-playbook -vv -i inventory/hosts.cluster install-cluster.yml
ansible-playbook 2.8.4
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
executable location = /usr/local/bin/ansible-playbook
python version = 3.6.8 (default, Aug 6 2019, 19:43:07) [GCC 8.3.1 20190507 (Red Hat 8.3.1-4)]
No config file found; using defaults
PLAYBOOK: install-cluster.yml ******************************************************************************
2 plays in install-cluster.yml
PLAY [Install IPA servers] *********************************************************************************
TASK [Gathering Facts] *************************************************************************************
task path: /root/install-cluster.yml:2
ok: [ipaserver1.test.local]
META: ran handlers
TASK [ipaserver : Import variables specific to distribution] ***********************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:4
ok: [ipaserver1.test.local] => (item=/usr/share/ansible/roles/ipaserver/vars/RedHat-8.yml) => {"ansible_facts": {"ipaserver_packages": ["@idm:DL1/server"], "ipaserver_packages_adtrust": ["@idm:DL1/adtrust"], "ipaserver_packages_dns": ["@idm:DL1/dns"]}, "ansible_included_var_files": ["/usr/share/ansible/roles/ipaserver/vars/RedHat-8.yml"], "ansible_loop_var": "item", "changed": false, "item": "/usr/share/ansible/roles/ipaserver/vars/RedHat-8.yml"}
TASK [ipaserver : Install IPA server] **********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:12
included: /usr/share/ansible/roles/ipaserver/tasks/install.yml for ipaserver1.test.local
TASK [ipaserver : Install - Ensure that IPA server packages are installed] *********************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:5
ok: [ipaserver1.test.local] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}
TASK [ipaserver : Install - Ensure that IPA server packages for dns are installed] *************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:10
ok: [ipaserver1.test.local] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}
TASK [ipaserver : Install - Ensure that IPA server packages for adtrust are installed] *********************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:16
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
*
*
*
*
*
TASK [ipaserver : Install - Setup HTTP] ********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:293
changed: [ipaserver1.test.local] => {"changed": true}
TASK [ipaserver : Install - Setup KRA] *********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:325
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [ipaserver : Install - Setup DNS] *********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:336
changed: [ipaserver1.test.local] => {"changed": true}
TASK [ipaserver : Install - Setup ADTRUST] *****************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:353
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [ipaserver : Install - Set DS password] ***************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:368
changed: [ipaserver1.test.local] => {"changed": true}
TASK [Install - Setup client] ******************************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:385
*
*
*
*
*
TASK [ipaserver : Install - Configure firewalld] ***********************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:413
changed: [ipaserver1.test.local] => {"changed": true, "cmd": ["firewall-cmd", "--permanent", "--add-service=freeipa-ldap", "--add-service=freeipa-ldaps", "--add-service=dns", "--add-service=ntp"], "delta": "0:00:00.369963", "end": "2019-08-23 07:01:44.442069", "rc": 0, "start": "2019-08-23 07:01:44.072106", "stderr": "", "stderr_lines": [], "stdout": "success", "stdout_lines": ["success"]}
TASK [ipaserver : Install - Configure firewalld runtime] ***************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:425
changed: [ipaserver1.test.local] => {"changed": true, "cmd": ["firewall-cmd", "--add-service=freeipa-ldap", "--add-service=freeipa-ldaps", "--add-service=dns", "--add-service=ntp"], "delta": "0:00:00.436310", "end": "2019-08-23 07:01:45.342103", "rc": 0, "start": "2019-08-23 07:01:44.905793", "stderr": "", "stderr_lines": [], "stdout": "success", "stdout_lines": ["success"]}
TASK [ipaserver : Uninstall IPA server] ********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:16
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
META: ran handlers
META: ran handlers
PLAY [Install IPA replicas] ********************************************************************************
TASK [Gathering Facts] *************************************************************************************
task path: /root/install-cluster.yml:10
ok: [ipareplica2.test.local]
META: ran handlers
TASK [ipareplica : Import variables specific to distribution] **********************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/main.yml:4
ok: [ipareplica2.test.local] => (item=/usr/share/ansible/roles/ipareplica/vars/RedHat-8.yml) => {"ansible_facts": {"ipareplica_packages": ["@idm:DL1/server"], "ipareplica_packages_adtrust": ["@idm:DL1/adtrust"], "ipareplica_packages_dns": ["@idm:DL1/dns"]}, "ansible_included_var_files": ["/usr/share/ansible/roles/ipareplica/vars/RedHat-8.yml"], "ansible_loop_var": "item", "changed": false, "item": "/usr/share/ansible/roles/ipareplica/vars/RedHat-8.yml"}
TASK [ipareplica : Install IPA replica] ********************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/main.yml:12
included: /usr/share/ansible/roles/ipareplica/tasks/install.yml for ipareplica2.test.local
*
*
*
*
*
TASK [ipareplica : Install - Setup DNS] ********************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:672
changed: [ipareplica2.test.local] => {"changed": true}
TASK [ipareplica : Install - Setup adtrust] ****************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:696
skipping: [ipareplica2.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [ipareplica : Install - Enable IPA] *******************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:718
changed: [ipareplica2.test.local] => {"changed": true}
TASK [ipareplica : Install - Cleanup root IPA cache] *******************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:735
ok: [ipareplica2.test.local] => {"changed": false, "path": "/root/.ipa_cache", "state": "absent"}
TASK [ipareplica : Uninstall IPA replica] ******************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/main.yml:16
skipping: [ipareplica2.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
META: ran handlers
META: ran handlers
PLAY RECAP *************************************************************************************************
ipareplica2.test.local : ok=51 changed=37 unreachable=0 failed=0 skipped=26 rescued=0 ignored=0
ipaserver1.test.local : ok=37 changed=20 unreachable=0 failed=0 skipped=29 rescued=0 ignored=0
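A guarded form of the role's "Configure firewalld" step, written as an added example for this page and not taken from ansible-freeipa: it probes the daemon first so a stopped firewalld is reported (or treated as a hard error, at the operator's choice) instead of surfacing as the rc 252 "FirewallD is not running" failure shown in scenario 1. `ipa_setup_firewalld` and `ipa_require_firewalld` are assumed variables; the example relies on `firewall-cmd --state` exiting non-zero when the daemon is down.

```yaml
# Added example, not ansible-freeipa's own tasks. Variables ipa_setup_firewalld
# and ipa_require_firewalld are hypothetical and would be set by the caller.
- name: Probe firewalld state
  ansible.builtin.command: firewall-cmd --state
  register: firewalld_state
  changed_when: false
  # firewall-cmd exits 252 (NOT_RUNNING) when the daemon is down; that is a
  # state to branch on, not a task failure.
  failed_when: false
  when: ipa_setup_firewalld | bool

- name: Stop when firewalld is mandatory but not running
  ansible.builtin.fail:
    msg: >-
      firewalld is not running (firewall-cmd --state rc={{ firewalld_state.rc }});
      start and enable firewalld.service, or set ipa_require_firewalld=false
  when:
    - ipa_setup_firewalld | bool
    - ipa_require_firewalld | bool
    - firewalld_state.rc != 0

- name: Warn that no firewall rules were added
  ansible.builtin.debug:
    msg: "firewalld is not running; IPA services were NOT added to any zone."
  when:
    - ipa_setup_firewalld | bool
    - firewalld_state.rc != 0

- name: Open IPA services (permanent configuration, then runtime)
  ansible.builtin.command: >-
    firewall-cmd {{ item.flag }}
    --add-service=freeipa-ldap --add-service=freeipa-ldaps
    --add-service=dns --add-service=ntp
  loop:
    - { scope: permanent, flag: "--permanent" }
    - { scope: runtime, flag: "" }
  loop_control:
    label: "{{ item.scope }}"
  register: fw_add
  # Current firewalld keeps rc 0 and prints "Warning: ALREADY_ENABLED" on stderr
  # when a service is already in the zone; report the task as unchanged then.
  # This is coarse: one already-enabled service masks changes to the others.
  changed_when: "'ALREADY_ENABLED' not in fw_add.stderr"
  when:
    - ipa_setup_firewalld | bool
    - firewalld_state.rc == 0
```

With `ipa_require_firewalld` false the play reaches the same end state as the fixed role's `test_with_firewalld_stop` run: no rules are written and the install continues, but the skipped firewall configuration is visible in the play output rather than silent.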
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3418

Automated test console output:
===============================
Version: ansible-freeipa-0.1.8-3.el8.noarch
2020-03-20T11:56:06 ansible_freeipa_tests/test_idm_deploy_master.py::TestMaster30::test_with_firewalld_stop
2020-03-20T11:56:06 -------------------------------- live log call ---------------------------------
2020-03-20T11:56:06 [paramiko.transport] INFO Connected (version 2.0, client OpenSSH_8.0)
2020-03-20T11:56:06 [paramiko.transport] INFO Authentication (publickey) successful!
2020-03-20T11:56:06 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['systemctl', 'stop', 'firewalld']
2020-03-20T11:56:07 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['systemctl', 'status', 'firewalld']
2020-03-20T11:56:07 [paramiko.transport] INFO Connected (version 2.0, client OpenSSH_8.0)
2020-03-20T11:56:07 [paramiko.transport] INFO Authentication (publickey) successful!
2020-03-20T11:56:07 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO WRITE inventory/server.hosts
2020-03-20T11:56:07 [paramiko.transport.sftp] INFO [chan 0] Opened sftp connection (server version 3)
2020-03-20T11:56:07 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO PUT install-server.yaml
2020-03-20T11:56:07 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/server.hosts', 'install-server.yaml']
2020-03-20T12:05:57 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipactl', 'status']
2020-03-20T12:06:00 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['kinit', 'admin']
2020-03-20T12:06:00 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipa', 'server-role-show', 'master.ipadomain.test', 'DNS server']
2020-03-20T12:06:04 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['systemctl', 'status', 'firewalld']
2020-03-20T12:06:04 PASSED [ 10%]