Interfaces are not always set to zones correctly when configuring firewalld twice
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| kayobe |
New
|
Undecided
|
Unassigned | ||
Bug Description
What happened:
Command: kayobe overcloud host configure -t firewall -l storage[0]
The command is run twice. First time is fine, second time I added admin_oc but no change was made.
Ansible says "Changed ens3 to zone admin_oc":
TASK [firewalld : Set firewalld zones for network interfaces] *******
changed: [alex-mn-
ansible_loop_var: item
invocation:
module_args:
icmp_block: null
icmp_
immediate: false
interface: ens3
masquerade: null
offline: true
permanent: true
port: null
port_forward: null
protocol: null
rich_rule: null
service: null
source: null
state: enabled
target: null
timeout: 0
zone: admin_oc
item: admin_oc
msg: Permanent operation, Changed ens3 to zone admin_oc
Host says ens3 is still part of default "trusted" zone
sudo firewall-cmd --get-active-zones
internal
interfaces: vxlan3223.101
storage
interfaces: vxlan3223.105
storage_mgmt
interfaces: vxlan3223.106
trusted
interfaces: ens3 vxlan3223
Env is Antelope/Rocky 9
| Alex Welsh (alex-welsh) wrote | #1 |
Multiple bug reports exist regarding interaction between firewalld, NetworkManager, zones, and interfaces [1][2][3] but they seem to focus on either the configuration being maintained after reboots or the 'offline' option. I've tested both and neither seem to have any effect here.
[1] https:/
[2] https:/
[3] https:/