Bug 2120714 - Use firewall role to configure firewall for SQL Server
Summary: Use firewall role to configure firewall for SQL Server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ansible-collection-microsoft-sql
Version: 8.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Sergei Petrosian
QA Contact: Daniel Yeisley
Docs Contact: Alexandra Nikandrova
URL:
Whiteboard:
Depends On: 2120709
Blocks: 2129334
Reported: 2022-08-23 15:13 UTC by Sergei Petrosian
Modified: 2022-11-08 10:47 UTC (History)

Fixed In Version: ansible-collection-microsoft-sql-1.2.3-1.el8
Doc Type: Enhancement
Doc Text:
The RN description for this BZ is covered as part of BZ#2066338. link: https://bugzilla.redhat.com/show_bug.cgi?id=2066338
Clone Of: 2120709
Clones: 2129334
Environment:
Last Closed: 2022-11-08 09:47:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-132018 0 None None None 2022-08-23 15:16:53 UTC
Red Hat Product Errata RHBA-2022:7597 0 None None None 2022-11-08 09:47:35 UTC

Description Sergei Petrosian 2022-08-23 15:13:37 UTC
+++ This bug was initially created as a clone of Bug #2120709 +++

Description of problem:
The microsoft.sql.server role must use the firewall role to automate firewall configuration.

Actual results:
Previously, users needed to configure firewall themselves.

Expected results:
Users provide special variables like `mssql_firewall_configure: true` and `mssql_ha_firewall_configure: true` to make the role

Additional info:
Fixed in https://github.com/linux-system-roles/mssql/pull/77

Comment 1 Daniel Yeisley 2022-08-29 20:32:21 UTC
It took me a few attempts, but it looks like this is working.

I had to start by enabling the firewalld service and adding port 6776. That's the port that the restraint harness uses for synchronization. Without that my test would stop functioning because the nodes couldn't talk to each other.

[root@isvqe-01 ~]# rpm -qa | grep ansible-collection
ansible-collection-microsoft-sql-1.2.3-1.el8.noarch

I used the following yml.

[root@isvqe-01 ~]# cat site.yml
---
- hosts: all
  vars:
    mssql_version: 2019
    mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula: true
    mssql_accept_microsoft_cli_utilities_for_sql_server_eula: true
    mssql_accept_microsoft_sql_server_standard_eula: true
    mssql_password: redhat123!
    mssql_edition: Developer
    mssql_enable_sql_agent: true
    mssql_install_fts: true
    mssql_enable_ha: true
  roles:
    - role: microsoft.sql.server

[root@isvqe-01 ~]# cat site-ha.yml
---
- hosts: all
  vars:
        ha_cluster_enable_repos: no
        mssql_version: 2019
        mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula: true
        mssql_accept_microsoft_cli_utilities_for_sql_server_eula: true
        mssql_accept_microsoft_sql_server_standard_eula: true
        mssql_password: redhat123!
        mssql_edition: Developer
        mssql_enable_sql_agent: true
        mssql_install_fts: true
        mssql_ha_configure: true
        mssql_manage_firewall: true
        mssql_ha_listener_port: 5022
        mssql_ha_cert_name: mssql_cert
        mssql_ha_master_key_password: "redhat123!"
        mssql_ha_private_key_password: "redhat123!"
        mssql_ha_reset_cert: false
        mssql_ha_endpoint_name: hadr_endpoint
        mssql_ha_ag_name: ag1
        mssql_ha_db_names:
          - ds2
        mssql_ha_login: hacluster
        mssql_ha_login_password: "redhat123!"
        mssql_ha_hacluster_password: "redhat123!"
        mssql_ha_cluster_run_role: true
        mssql_ha_virtual_ip: 192.168.100.201
        ha_cluster_cluster_name: isvqe-cluster
        ha_cluster_hacluster_password: "redhat123!"
        ha_cluster_cluster_properties:
          - attrs:
            - name: cluster-recheck-interval
              value: 2min
            - name: start-failure-is-fatal
              value: true
            - name: stonith-enabled
              value: false
        ha_cluster_resource_primitives:
          - id: mydummy
            agent: ocf:pacemaker:Dummy
          - id: ag_cluster
            agent: ocf:mssql:ag
            instance_attrs:
              - attrs:
                - name: ag_name
                  value: "ag1"
            meta_attrs:
              - attrs:
                - name: failure-timeout
                  value: 80s
          - id: virtualip
            agent: ocf:heartbeat:IPaddr2
            instance_attrs:
              - attrs:
                - name: ip
                  value: 192.168.100.201
            operations:
              - action: monitor
                attrs:
                  - name: interval
                    value: 30s
        ha_cluster_resource_clones:
          - resource_id: ag_cluster
            promotable: yes
            meta_attrs:
              - attrs:
                - name: notify
                  value: true
        ha_cluster_constraints_colocation:
          - resource_leader:
              id: ag_cluster-clone
              role: Promoted
            resource_follower:
              id: virtualip
            options:
              - name: score
                value: INFINITY
        ha_cluster_constraints_order:
          - resource_first:
              id: ag_cluster-clone
              action: promote
            resource_then:
              id: virtualip
              action: start
        firewall:
          - port: 6776/tcp
            state: enabled
            permanent: true
            runtime: true

  roles:
         - role: microsoft.sql.server


I ran my test as usual and checked firewall ports afterwards. Port 1433 was there. 

[root@isvqe-01 ~]# firewall-cmd --list-ports 
1229/tcp 1433/tcp 5022/tcp 6776/tcp
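As an added example (not part of the bug report or of the microsoft.sql.server role), a POSIX shell check that compares the ports firewalld reports with the ports the site-ha.yml variables above are expected to open, so that a run of the role can be verified for both missing and unexpected openings. The expected list and the sample `firewall-cmd --list-ports` output are constructed from the values quoted in Comment 1.

```shell
#!/bin/sh
# Added example: audit firewalld's open ports against what the playbook should open.

# Expected ports, constructed from the site-ha.yml variables above:
#   1433/tcp  SQL Server default port (opened via mssql_manage_firewall)
#   5022/tcp  mssql_ha_listener_port
#   6776/tcp  restraint sync port, added through the "firewall" variable
EXPECTED_PORTS="1433/tcp 5022/tcp 6776/tcp"

# Constructed sample of `firewall-cmd --list-ports` output, as quoted in Comment 1.
SAMPLE_LIST_PORTS="1229/tcp 1433/tcp 5022/tcp 6776/tcp"

# missing_ports EXPECTED ACTUAL -> prints the expected ports absent from ACTUAL
missing_ports() {
  _missing=""
  for p in $1; do
    case " $2 " in
      *" $p "*) ;;                      # port present, nothing to report
      *) _missing="$_missing $p" ;;     # port expected but not open
    esac
  done
  printf '%s\n' "${_missing# }"
}

# unexpected_ports EXPECTED ACTUAL -> prints open ports that are not in EXPECTED
unexpected_ports() {
  missing_ports "$2" "$1"
}

# audit_ports EXPECTED ACTUAL -> reports differences; succeeds only if both sets match
audit_ports() {
  m=$(missing_ports "$1" "$2")
  u=$(unexpected_ports "$1" "$2")
  [ -n "$m" ] && echo "missing: $m"
  [ -n "$u" ] && echo "unexpected: $u"
  [ -z "$m" ] && [ -z "$u" ]
}

# On a real host replace the constructed sample with: firewall-cmd --list-ports
if audit_ports "$EXPECTED_PORTS" "$SAMPLE_LIST_PORTS"; then
  echo "firewall ports match the playbook"
else
  echo "firewall ports differ from the playbook; review the lines above"
fi
```

With the sample output the check reports `unexpected: 1229/tcp`, a port the playbook variables do not account for and that a reviewer would want to attribute to a specific role or service before accepting the host.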

Comment 8 errata-xmlrpc 2022-11-08 09:47:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-collection-microsoft-sql bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7597

