Description of problem:

When I run ansible-playbook to upgrade the cluster from 3.7 to 3.9, I receive this error:

# ansible-playbook --check -i /etc/ansible/hosts-concept /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade.yml
...
TASK [Set fact os_firewall_use_firewalld FALSE for iptables] **************************************************************************************************************************************************
fatal: [ocp1.avp.ru]: FAILED! => {"msg": "The conditional check ''Active: active' in service_iptables_status.stdout' failed. The error was: error while evaluating conditional ('Active: active' in service_iptables_status.stdout): Unable to look up a name or access an attribute in template string ({% if 'Active: active' in service_iptables_status.stdout %} True {% else %} False {% endif %}).\nMake sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/upgrades/init.yml': line 26, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Set fact os_firewall_use_firewalld FALSE for iptables\n ^ here\n"}
fatal: [ocp2.avp.ru]: FAILED! => {"msg": "The conditional check ''Active: active' in service_iptables_status.stdout' failed. The error was: error while evaluating conditional ('Active: active' in service_iptables_status.stdout): Unable to look up a name or access an attribute in template string ({% if 'Active: active' in service_iptables_status.stdout %} True {% else %} False {% endif %}).\nMake sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/upgrades/init.yml': line 26, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Set fact os_firewall_use_firewalld FALSE for iptables\n ^ here\n"}
fatal: [ocp3.avp.ru]: FAILED! => {"msg": "The conditional check ''Active: active' in service_iptables_status.stdout' failed. The error was: error while evaluating conditional ('Active: active' in service_iptables_status.stdout): Unable to look up a name or access an attribute in template string ({% if 'Active: active' in service_iptables_status.stdout %} True {% else %} False {% endif %}).\nMake sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/upgrades/init.yml': line 26, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Set fact os_firewall_use_firewalld FALSE for iptables\n ^ here\n"}
        to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade.retry

PLAY RECAP ****************************************************************************************************************************************************************************************************
localhost                  : ok=12   changed=0    unreachable=0    failed=0
ocp1.avp.ru                : ok=23   changed=1    unreachable=0    failed=1
ocp2.avp.ru                : ok=21   changed=1    unreachable=0    failed=1
ocp3.avp.ru                : ok=21   changed=1    unreachable=0    failed=1

Failure summary:

  1. Hosts:    ocp1.avp.ru, ocp2.avp.ru, ocp3.avp.ru
     Play:     Ensure firewall is not switched during upgrade
     Task:     Set fact os_firewall_use_firewalld FALSE for iptables
     Message:  The conditional check ''Active: active' in service_iptables_status.stdout' failed. The error was: error while evaluating conditional ('Active: active' in service_iptables_status.stdout): Unable to look up a name or access an attribute in template string ({% if 'Active: active' in service_iptables_status.stdout %} True {% else %} False {% endif %}).
               Make sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable

               The error appears to have been in '/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/upgrades/init.yml': line 26, column 5, but may
               be elsewhere in the file depending on the exact syntax problem.

               The offending line appears to be:


                - name: Set fact os_firewall_use_firewalld FALSE for iptables
                ^ here

And if I run the command systemctl status iptables on the nodes, it returns:

[root@ocp1 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Ср 2018-04-25 15:08:37 MSK; 2h 1min ago
  Process: 59033 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 59357 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 59357 (code=exited, status=0/SUCCESS)
   Memory: 0B
   CGroup: /system.slice/iptables.service

апр 25 15:08:36 ocp1.avp.ru systemd[1]: Starting IPv4 firewall with iptables...
апр 25 15:08:37 ocp1.avp.ru iptables.init[59357]: iptables: Applying firewall rules: [ OK ]
апр 25 15:08:37 ocp1.avp.ru systemd[1]: Started IPv4 firewall with iptables.

Need help to resolve this. Thank you.