We have a Puppet module (v3.6.2, because we are using it with Satellite 6).
The module works as expected, except when adding multiple sources to a zone. It adds the zone, then adds one source, then errors when trying to add the second source to the zone with the message:
INVALID_ZONE: backup
A second run of the module successfully adds sources 2 and 3.
The zone is being created successfully and a firewalld reload is being triggered, but the reload does not seem to be completing fully, as it does not treat the newly added "backup" zone as valid for the second and third sources.
Module code:
```puppet
class firewalld(
  $enabled          = true,
  $package_name     = 'firewalld',
  $service_name     = 'firewalld',
  $config_dir       = '/etc/firewalld',
  $zone_create      = [],
  $zone_remove      = [],
  $zone_set_default = '',
  $zone_add_source  = hiera_hash('firewalld::zone_add_source', { }),
  $zone_add_service = hiera_hash('firewalld::zone_add_service', { })
) {

  if $enabled {
    $service_ensure = 'running'
    $service_enable = true
    $package_ensure = 'present'
    $config_ensure  = 'present'
    Package["$package_name"] -> File["$config_dir"]
    File["$config_dir"] -> Service["$service_name"]
  } else {
    $service_ensure = 'stopped'
    $service_enable = false
    $package_ensure = 'absent'
    $config_ensure  = 'absent'
    Service["$service_name"] -> File["$config_dir"]
    File["$config_dir"] -> Package["$package_name"]
  }

  package { "$package_name":
    ensure => $package_ensure,
  }

  file { "$config_dir":
    ensure => $config_ensure,
    force  => true,
  }

  service { "$service_name":
    ensure     => $service_ensure,
    enable     => $service_enable,
    hasrestart => true,
    hasstatus  => true,
  }

  exec { 'firewalld_reload':
    onlyif      => 'systemctl -q is-enabled firewalld.service',
    path        => '/bin:/usr/bin:/sbin:/usr/sbin',
    # command   => "systemctl restart firewalld.service",
    command     => "firewall-cmd --reload",
    refreshonly => true,
  }

  define firewalld_zone_create() {
    exec { "firewalld_zone_create_${name}":
      path    => '/bin:/usr/bin:/sbin:/usr/sbin',
      command => "firewall-cmd --permanent --new-zone=${name}",
      unless  => "firewall-cmd --permanent --get-zones | grep -qw ${name}",
      notify  => Exec['firewalld_reload'],
      require => Service['firewalld'],
    }
  }

  define firewalld_zone_add_source($zone, $source) {
    exec { "firewalld_${zone}_add_source_${source}":
      path    => '/bin:/usr/bin:/sbin:/usr/sbin',
      command => "firewall-cmd --permanent --zone=${zone} --add-source=${source}",
      unless  => "firewall-cmd -q --permanent --zone=${zone} --query-source=${source}",
      notify  => Exec['firewalld_reload'],
      require => Service['firewalld'],
    }
  }

  if $enabled {
    firewalld_zone_create{ $zone_create: } ->
    firewalld_zone_set_default_zone{ $zone_set_default: }
    create_resources('firewalld_zone_add_service', $zone_add_service)
    create_resources('firewalld_zone_add_source', $zone_add_source)
  }
}
```
I have removed the defines for adding ports/targets etc., as they are long.
The input I am using is:
```puppet
class { 'firewalld':
  enabled          => true,
  zone_create      => ['zone1', 'mgmt', 'backup'],
  zone_add_service => {
    '001' => { 'zone' => 'mgmt', 'service' => 'ssh' },
  },
  zone_add_source  => {
    '001' => { 'zone' => 'mgmt',   'source' => 'INT.xxx/24' },
    '002' => { 'zone' => 'mgmt',   'source' => 'INT.xxx/24' },
    '003' => { 'zone' => 'mgmt',   'source' => 'INT.xx0/24' },
    '004' => { 'zone' => 'backup', 'source' => 'IP.1.xx/24' },
    '005' => { 'zone' => 'backup', 'source' => 'IP.2.x.0/24' },
    '006' => { 'zone' => 'backup', 'source' => 'IP.3.x.0/24' },
  },
  zone_set_default => 'zone1',
}
```
I have changed the subnets and zone names for security reasons.
If anyone could advise why this behaviour is occurring and how to resolve it, I would be very grateful.
Note: I have tried both firewall-cmd --reload and systemctl restart firewalld.service and get the same result.
Cheers, Amelia
It looks like the zone creation should complete before the sources are added, so declare this dependency as a resource reference:
```puppet
define firewalld_zone_add_source($zone, $source) {
  exec { "firewalld_${zone}_add_source_${source}":
    path    => '/bin:/usr/bin:/sbin:/usr/sbin',
    command => "firewall-cmd --permanent --zone=${zone} --add-source=${source}",
    unless  => "firewall-cmd -q --permanent --zone=${zone} --query-source=${source}",
    notify  => Exec['firewalld_reload'],
    # A parameter may only be given once per resource, so both dependencies
    # go into one array; double quotes are needed for ${zone} to interpolate.
    require => [
      Service['firewalld'],
      Exec["firewalld_zone_create_${zone}"],  # <- run after zone create
    ],
  }
}
```
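As an added example (not code from the question or from the answer above), the same ordering can also be declared once at the class level with resource collectors and chaining arrows instead of inside each define, which covers the service additions too and needs no change to the defines. It assumes the define names from the question and Puppet 3.x syntax; collectors also realize virtual resources, but none of these defines are declared virtual, so here they only select what is already in the catalog.

```puppet
# Added example, not from the original post: replacement for the final
# "if $enabled" block of the firewalld class shown in the question.
# Assumes the defines firewalld_zone_create, firewalld_zone_set_default_zone,
# firewalld_zone_add_source and firewalld_zone_add_service as named there.
if $enabled {
  firewalld_zone_create { $zone_create: } ->
  firewalld_zone_set_default_zone { $zone_set_default: }

  create_resources('firewalld_zone_add_service', $zone_add_service)
  create_resources('firewalld_zone_add_source', $zone_add_source)

  # Puppet 3.x applies otherwise unrelated resources in title-hash order,
  # so nothing guarantees that a zone exists when an add-source exec runs.
  # These edges make every zone creation happen before any source or
  # service is added to any zone. Exec['firewalld_reload'] is refreshonly
  # and is notified by the zone and source execs, so it still runs once,
  # after all of them.
  Firewalld_zone_create <| |> -> Firewalld_zone_add_source <| |>
  Firewalld_zone_create <| |> -> Firewalld_zone_add_service <| |>
}
```

The trade-off against the per-define `require` is granularity: the collector edges order all zone creations before all additions, rather than only the creation of the zone each addition targets, which is simpler but slightly stricter than necessary.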