
Bug 753507

Summary: [RFE] ipa-server-install should offer to open necessary firewall ports for you
Product: Red Hat Enterprise Linux 8
Component: ansible-freeipa
Version: 8.0
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.2
Keywords: FutureFeature
Flags: dpal: mirror+
Fixed In Version: ansible-freeipa-0.1.1-1
Doc Type: Enhancement
Reporter: Brian Cook <bcook>
Assignee: Thomas Woerner <twoerner>
QA Contact: ipa-qe <ipa-qe>
CC: abokovoy, cvantuin, dpal, jgalipea, mkosek, mvarun, nkinder, pasik, pvoborni, rcritten, tscherf
Clone Of:
: 1353681 (view as bug list)
Bug Blocks: 756082
Last Closed: 2019-11-05 21:08:48 UTC

Description Brian Cook 2011-11-13 00:51:48 UTC
Instead of telling the user to make sure ports are open, ipa-server-install should offer to open them for you.

The following network ports must be open:

		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

Would you like to modify the existing firewall configuration? [Y/n]
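The port list above is what the RFE asks the installer to open; the ansible-freeipa role verified later in this bug opens them by firewalld service name (freeipa-ldap, freeipa-ldaps, dns, ntp) rather than by port number. The following is an added example, not code from ansible-freeipa or firewalld: it parses service definitions in firewalld's XML format, follows `<include>` references, and reports which of the RFE's ports would still be closed for a given set of services. The embedded XML snippets are constructed samples and their contents are an assumption; on a real host, load `/usr/lib/firewalld/services/*.xml` into the `definitions` mapping instead of `SAMPLE_SERVICES`.

```python
"""Check whether a set of firewalld service definitions covers the ports the
RFE lists for an IPA server.

Added example, not code from ansible-freeipa or firewalld. The XML snippets
below are constructed samples in firewalld's service-definition format; real
files on a host may differ, so run this against your own definitions before
trusting the result.
"""
import xml.etree.ElementTree as ET

# Ports from the bug description, as (port, protocol) pairs.
REQUIRED_PORTS = {
    (80, "tcp"), (443, "tcp"),      # HTTP/HTTPS
    (389, "tcp"), (636, "tcp"),     # LDAP/LDAPS
    (88, "tcp"), (464, "tcp"),      # Kerberos
    (53, "tcp"),                    # bind
    (88, "udp"), (464, "udp"),      # Kerberos
    (53, "udp"),                    # bind
    (123, "udp"),                   # ntp
}

# Constructed sample definitions (assumption: shape follows firewalld's
# format with <port protocol= port=/> and optional <include service=/>).
SAMPLE_SERVICES = {
    "freeipa-ldap": """<service>
  <short>FreeIPA with LDAP</short>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="389"/>
  <port protocol="tcp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="88"/>
  <port protocol="udp" port="464"/>
</service>""",
    "freeipa-ldaps": """<service>
  <include service="freeipa-ldap"/>
  <port protocol="tcp" port="636"/>
</service>""",
    "dns": """<service>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>""",
    "ntp": """<service>
  <port protocol="udp" port="123"/>
</service>""",
}


def parse_service(xml_text):
    """Return ({(port, proto)}, [included service names]) for one definition.
    A port attribute may be a range such as "8080-8090"; it is expanded."""
    root = ET.fromstring(xml_text)
    ports, includes = set(), []
    for el in root.iter("port"):
        proto = el.get("protocol")
        lo, _, hi = el.get("port").partition("-")
        for p in range(int(lo), int(hi or lo) + 1):
            ports.add((p, proto))
    for el in root.iter("include"):
        includes.append(el.get("service"))
    return ports, includes


def resolve_ports(names, definitions, _seen=None):
    """Union of ports for the named services, following <include>
    recursively; a service is visited once, so include cycles terminate."""
    seen = _seen if _seen is not None else set()
    ports = set()
    for name in names:
        if name in seen:
            continue
        seen.add(name)
        if name not in definitions:
            raise KeyError(f"unknown firewalld service: {name}")
        direct, includes = parse_service(definitions[name])
        ports |= direct
        ports |= resolve_ports(includes, definitions, seen)
    return ports


def coverage_report(names, definitions, required=REQUIRED_PORTS):
    """Ports the RFE needs that the services do not open, and the reverse."""
    opened = resolve_ports(names, definitions)
    return {"missing": sorted(required - opened),
            "extra": sorted(opened - required)}


if __name__ == "__main__":
    role_services = ["freeipa-ldap", "freeipa-ldaps", "dns", "ntp"]
    print(coverage_report(role_services, SAMPLE_SERVICES))
    # Dropping the ntp service leaves 123/udp unopened.
    print(coverage_report(role_services[:-1], SAMPLE_SERVICES))
```

With the four service names the role uses, the report is empty on the sample definitions; leaving out ntp reports 123/udp, which is the kind of gap worth checking before relying on service names instead of the installer's explicit port list.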

Comment 2 Martin Kosek 2011-11-14 08:11:36 UTC
Moving RFE to 6.3.0.

Comment 3 Rob Crittenden 2011-11-15 15:37:23 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2110

Comment 12 Varun Mylaraiah 2019-08-23 11:20:03 UTC
Verified 
# rpm -qa ansible-freeipa
ansible-freeipa-0.1.6-3.el8.noarch

Rules are now added for the necessary firewall ports.

1) Firewall stopped before server installation

Console output:-
On Server
==========
[root@ipaserver1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor pres>
   Active: inactive (dead)
     Docs: man:firewalld(1)

On Controller
=============
	TASK [ipaserver : Install - Configure firewalld] ***********************************************************
	task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:413
	<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
	<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
	<ipaserver1.test.local> (0, b'/root\n', b'')
	<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
	<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053 `" && echo ansible-tmp-1566554695.0504465-149489153310053="` echo /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053 `" ) && sleep 0'"'"''
	<ipaserver1.test.local> (0, b'ansible-tmp-1566554695.0504465-149489153310053=/root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053\n', b'')
	Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/commands/command.py
	<ipaserver1.test.local> PUT /root/.ansible/tmp/ansible-local-20037rycwt47_/tmpf8p23588 TO /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py
	<ipaserver1.test.local> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 '[ipaserver1.test.local]'
	<ipaserver1.test.local> (0, b'sftp> put /root/.ansible/tmp/ansible-local-20037rycwt47_/tmpf8p23588 /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py\n', b'')
	<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
	<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/ /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py && sleep 0'"'"''
	<ipaserver1.test.local> (0, b'', b'')
	<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
	<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 -tt ipaserver1.test.local '/bin/sh -c '"'"'sudo -H -S -n  -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-bnomccxwebzbhxffkmrghgzgmehcdgdr ; /usr/libexec/platform-python /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
	Escalation succeeded
	<ipaserver1.test.local> (1, b'\r\n{"msg": "non-zero return code", "cmd": ["firewall-cmd", "--permanent", "--add-service=freeipa-ldap", "--add-service=freeipa-ldaps", "--add-service=dns", "--add-service=ntp"], "stdout": "", "stderr": "FirewallD is not running", "rc": 252, "start": "2019-08-23 06:04:55.645419", "end": "2019-08-23 06:04:55.924955", "delta": "0:00:00.279536", "changed": true, "failed": true, "invocation": {"module_args": {"_raw_params": "firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps \\n--add-service=dns --add-service=ntp\\n", "warn": true, "_uses_shell": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}\r\n', b'Shared connection to ipaserver1.test.local closed.\r\n')
	<ipaserver1.test.local> Failed to connect to the host via ssh: Shared connection to ipaserver1.test.local closed.
	<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
	<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'rm -f -r /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/ > /dev/null 2>&1 && sleep 0'"'"''
	<ipaserver1.test.local> (0, b'', b'')
	fatal: [ipaserver1.test.local]: FAILED! => {
		"changed": true,
		"cmd": [
			"firewall-cmd",
			"--permanent",
			"--add-service=freeipa-ldap",
			"--add-service=freeipa-ldaps",
			"--add-service=dns",
			"--add-service=ntp"
		],
		"delta": "0:00:00.279536",
		"end": "2019-08-23 06:04:55.924955",
		"invocation": {
			"module_args": {
				"_raw_params": "firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps \n--add-service=dns --add-service=ntp\n",
				"_uses_shell": false,
				"argv": null,
				"chdir": null,
				"creates": null,
				"executable": null,
				"removes": null,
				"stdin": null,
				"stdin_add_newline": true,
				"strip_empty_ends": true,
				"warn": true
			}
		},
		"msg": "non-zero return code",
		"rc": 252,
		"start": "2019-08-23 06:04:55.645419",
		"stderr": "FirewallD is not running",
		"stderr_lines": [
			"FirewallD is not running"
		],
		"stdout": "",
		"stdout_lines": []
	}

	PLAY RECAP *************************************************************************************************
	ipaserver1.test.local      : ok=35   changed=18   unreachable=0    failed=1    skipped=28   rescued=0    ignored=0   


=====================================================================================

2) Firewall started before server installation

Console output:-
On Server
==========
[root@ipaserver1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor pres>
   Active: active (running) since Fri 2019-08-23 06:51:29 EDT; 2min 14s ago
     Docs: man:firewalld(1)
 Main PID: 8251 (firewalld)
    Tasks: 2 (limit: 26213)
   Memory: 21.6M
   CGroup: /system.slice/firewalld.service
           └─8251 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --no>

Aug 23 06:51:28 ipaserver1.test.local systemd[1]: Starting firewalld - dynamic fire>
Aug 23 06:51:29 ipaserver1.test.local systemd[1]: Started firewalld - dynamic firew>


On Controller
=============

[root@kvm-01-guest29 ~]# ansible-playbook -vv -i inventory/hosts.cluster install-cluster.yml
ansible-playbook 2.8.4
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.6.8 (default, Aug  6 2019, 19:43:07) [GCC 8.3.1 20190507 (Red Hat 8.3.1-4)]
No config file found; using defaults

PLAYBOOK: install-cluster.yml ******************************************************************************
2 plays in install-cluster.yml

PLAY [Install IPA servers] *********************************************************************************

TASK [Gathering Facts] *************************************************************************************
task path: /root/install-cluster.yml:2
ok: [ipaserver1.test.local]
META: ran handlers

TASK [ipaserver : Import variables specific to distribution] ***********************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:4
ok: [ipaserver1.test.local] => (item=/usr/share/ansible/roles/ipaserver/vars/RedHat-8.yml) => {"ansible_facts": {"ipaserver_packages": ["@idm:DL1/server"], "ipaserver_packages_adtrust": ["@idm:DL1/adtrust"], "ipaserver_packages_dns": ["@idm:DL1/dns"]}, "ansible_included_var_files": ["/usr/share/ansible/roles/ipaserver/vars/RedHat-8.yml"], "ansible_loop_var": "item", "changed": false, "item": "/usr/share/ansible/roles/ipaserver/vars/RedHat-8.yml"}

TASK [ipaserver : Install IPA server] **********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:12
included: /usr/share/ansible/roles/ipaserver/tasks/install.yml for ipaserver1.test.local

TASK [ipaserver : Install - Ensure that IPA server packages are installed] *********************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:5
ok: [ipaserver1.test.local] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}

TASK [ipaserver : Install - Ensure that IPA server packages for dns are installed] *************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:10
ok: [ipaserver1.test.local] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}

TASK [ipaserver : Install - Ensure that IPA server packages for adtrust are installed] *********************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:16
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
*
*
*
*
*

TASK [ipaserver : Install - Setup HTTP] ********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:293
changed: [ipaserver1.test.local] => {"changed": true}

TASK [ipaserver : Install - Setup KRA] *********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:325
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaserver : Install - Setup DNS] *********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:336
changed: [ipaserver1.test.local] => {"changed": true}

TASK [ipaserver : Install - Setup ADTRUST] *****************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:353
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaserver : Install - Set DS password] ***************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:368
changed: [ipaserver1.test.local] => {"changed": true}

TASK [Install - Setup client] ******************************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:385
*
*
*
*
*
TASK [ipaserver : Install - Configure firewalld] ***********************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:413
changed: [ipaserver1.test.local] => {"changed": true, "cmd": ["firewall-cmd", "--permanent", "--add-service=freeipa-ldap", "--add-service=freeipa-ldaps", "--add-service=dns", "--add-service=ntp"], "delta": "0:00:00.369963", "end": "2019-08-23 07:01:44.442069", "rc": 0, "start": "2019-08-23 07:01:44.072106", "stderr": "", "stderr_lines": [], "stdout": "success", "stdout_lines": ["success"]}

TASK [ipaserver : Install - Configure firewalld runtime] ***************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:425
changed: [ipaserver1.test.local] => {"changed": true, "cmd": ["firewall-cmd", "--add-service=freeipa-ldap", "--add-service=freeipa-ldaps", "--add-service=dns", "--add-service=ntp"], "delta": "0:00:00.436310", "end": "2019-08-23 07:01:45.342103", "rc": 0, "start": "2019-08-23 07:01:44.905793", "stderr": "", "stderr_lines": [], "stdout": "success", "stdout_lines": ["success"]}

TASK [ipaserver : Uninstall IPA server] ********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:16
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
META: ran handlers
META: ran handlers

PLAY [Install IPA replicas] ********************************************************************************

TASK [Gathering Facts] *************************************************************************************
task path: /root/install-cluster.yml:10
ok: [ipareplica2.test.local]
META: ran handlers

TASK [ipareplica : Import variables specific to distribution] **********************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/main.yml:4
ok: [ipareplica2.test.local] => (item=/usr/share/ansible/roles/ipareplica/vars/RedHat-8.yml) => {"ansible_facts": {"ipareplica_packages": ["@idm:DL1/server"], "ipareplica_packages_adtrust": ["@idm:DL1/adtrust"], "ipareplica_packages_dns": ["@idm:DL1/dns"]}, "ansible_included_var_files": ["/usr/share/ansible/roles/ipareplica/vars/RedHat-8.yml"], "ansible_loop_var": "item", "changed": false, "item": "/usr/share/ansible/roles/ipareplica/vars/RedHat-8.yml"}

TASK [ipareplica : Install IPA replica] ********************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/main.yml:12
included: /usr/share/ansible/roles/ipareplica/tasks/install.yml for ipareplica2.test.local
*
*
*
*
*
TASK [ipareplica : Install - Setup DNS] ********************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:672
changed: [ipareplica2.test.local] => {"changed": true}

TASK [ipareplica : Install - Setup adtrust] ****************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:696
skipping: [ipareplica2.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipareplica : Install - Enable IPA] *******************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:718
changed: [ipareplica2.test.local] => {"changed": true}

TASK [ipareplica : Install - Cleanup root IPA cache] *******************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:735
ok: [ipareplica2.test.local] => {"changed": false, "path": "/root/.ipa_cache", "state": "absent"}

TASK [ipareplica : Uninstall IPA replica] ******************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/main.yml:16
skipping: [ipareplica2.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
META: ran handlers
META: ran handlers

PLAY RECAP *************************************************************************************************
ipareplica2.test.local     : ok=51   changed=37   unreachable=0    failed=0    skipped=26   rescued=0    ignored=0   
ipaserver1.test.local      : ok=37   changed=20   unreachable=0    failed=0    skipped=29   rescued=0    ignored=0
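Run 1 above fails because firewall-cmd exits with rc 252 ("FirewallD is not running") as soon as the role calls --add-service with the daemon stopped. The following is an added example, not ansible-freeipa code, of the pattern a practitioner would want around that failure mode: query `firewall-cmd --state` first, then apply the same permanent and runtime changes the role makes, and confirm the result with `--list-services`. Commands go through an injectable `run` callable so the logic can be exercised offline against fake runners that mirror the two runs in the comment; `run_real` is the only part that touches a host and needs root. The exit code is taken from the log above; the fake runners' behaviour is an assumption, not firewalld's documented output.

```python
"""Open the IPA firewalld services the way the role does (one --permanent
call, then one runtime call), but check firewalld's state first so a stopped
daemon is reported instead of surfacing as rc 252 from --add-service.

Added example, not code from ansible-freeipa.
"""
import subprocess

IPA_SERVICES = ["freeipa-ldap", "freeipa-ldaps", "dns", "ntp"]
NOT_RUNNING_RC = 252  # exit code in the log above when firewalld is stopped


def run_real(argv):
    """Execute argv on the local host; returns (rc, stdout, stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def firewalld_running(run):
    """firewall-cmd --state exits 0 only when the daemon is running."""
    rc, _, _ = run(["firewall-cmd", "--state"])
    return rc == 0


def add_services(run, services=IPA_SERVICES):
    """Mirror the role's two calls. Returns a result dict and never raises
    on a firewall-cmd error, so callers can decide whether it is fatal."""
    if not firewalld_running(run):
        return {"status": "skipped", "reason": "firewalld not running",
                "commands": []}
    adds = [f"--add-service={s}" for s in services]
    executed = []
    for extra in (["--permanent"], []):
        argv = ["firewall-cmd", *extra, *adds]
        rc, _, err = run(argv)
        executed.append((argv, rc))
        if rc != 0:
            return {"status": "failed", "reason": err.strip() or f"rc={rc}",
                    "commands": executed}
    return {"status": "changed", "reason": "", "commands": executed}


def missing_services(run, services=IPA_SERVICES, permanent=False):
    """Services absent from the default zone's runtime (or permanent) list.
    If firewall-cmd fails, everything is reported missing."""
    argv = ["firewall-cmd"] + (["--permanent"] if permanent else []) \
        + ["--list-services"]
    rc, out, _ = run(argv)
    if rc != 0:
        return list(services)
    enabled = set(out.split())
    return [s for s in services if s not in enabled]


# ---- constructed offline fakes mirroring the two runs in the comment ----

def fake_stopped(argv):
    """Every call behaves like run 1: firewalld is down."""
    return NOT_RUNNING_RC, "", "FirewallD is not running"


class FakeRunning:
    """Run 2: firewalld up, with separate permanent and runtime state."""

    def __init__(self, enabled=("ssh", "dhcpv6-client")):
        self.permanent, self.runtime = set(enabled), set(enabled)

    def __call__(self, argv):
        target = self.permanent if "--permanent" in argv else self.runtime
        if "--state" in argv:
            return 0, "running\n", ""
        if "--list-services" in argv:
            return 0, " ".join(sorted(target)) + "\n", ""
        for arg in argv:
            if arg.startswith("--add-service="):
                target.add(arg.split("=", 1)[1])
        return 0, "success\n", ""


if __name__ == "__main__":
    print(add_services(fake_stopped))
    fw = FakeRunning()
    print(add_services(fw))
    print("still missing:", missing_services(fw),
          missing_services(fw, permanent=True))
```

Keeping the permanent and runtime calls separate, as the role does, avoids a `--reload`, which would discard any runtime-only rules already on the host; checking both lists afterwards catches the case where one of the two calls succeeded and the other did not.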

Comment 15 errata-xmlrpc 2019-11-05 21:08:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3418

Comment 16 Varun Mylaraiah 2020-03-20 12:52:14 UTC
Automated test console output:
===============================

Version:
ansible-freeipa-0.1.8-3.el8.noarch
 
2020-03-20T11:56:06 ansible_freeipa_tests/test_idm_deploy_master.py::TestMaster30::test_with_firewalld_stop 
2020-03-20T11:56:06 -------------------------------- live log call ---------------------------------
2020-03-20T11:56:06 [paramiko.transport] INFO Connected (version 2.0, client OpenSSH_8.0)
2020-03-20T11:56:06 [paramiko.transport] INFO Authentication (publickey) successful!
2020-03-20T11:56:06 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['systemctl', 'stop', 'firewalld']
2020-03-20T11:56:07 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['systemctl', 'status', 'firewalld']
2020-03-20T11:56:07 [paramiko.transport] INFO Connected (version 2.0, client OpenSSH_8.0)
2020-03-20T11:56:07 [paramiko.transport] INFO Authentication (publickey) successful!
2020-03-20T11:56:07 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO WRITE inventory/server.hosts
2020-03-20T11:56:07 [paramiko.transport.sftp] INFO [chan 0] Opened sftp connection (server version 3)
2020-03-20T11:56:07 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO PUT install-server.yaml
2020-03-20T11:56:07 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/server.hosts', 'install-server.yaml']
2020-03-20T12:05:57 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipactl', 'status']
2020-03-20T12:06:00 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['kinit', 'admin']
2020-03-20T12:06:00 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipa', 'server-role-show', 'master.ipadomain.test', 'DNS server']
2020-03-20T12:06:04 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['systemctl', 'status', 'firewalld']
2020-03-20T12:06:04 PASSED [ 10%]