Puppet setup firewall rules task failed

antonysavio1111 · July 12, 2020, 3:14am

Hi @Inderpreet, @Ayman ,
My task failed for Puppet setup firewall . The question was not completely clear on its expectation ,ie,it said

Create an inventory file code.pp under /etc/puppetlabs/code/environments/production/manifests directory on
master node i.e on Jump Server. In this inventory file you need to define nodes specific classes which are mentioned below.

since it specified that the node specific classes should be located in code.pp , i added it there.

and for the official.pp , it did not mention what was its purpose

Also create a puppet programming file official.pp under /etc/puppetlabs/code/environments/production/manifests directory
on puppet master node i.e on Jump Server.

so i had to assume that the node resources are to be present here .

But when i did that the task failed stating that the classes are not defined in official.pp , but the task did not say that it should be present in official.pp . Can you guys at least confirm if whether the puppet code is correct and that the issue was that it should have been in the opposite files ?

root@jump_host manifests]# cat official.pp

node 'stapp01.stratos.xfusioncorp.com' {
  include firewall_node1
}

node 'stapp02.stratos.xfusioncorp.com' {
  include firewall_node2
}

node 'stapp03.stratos.xfusioncorp.com' {
  include firewall_node3
}
[root@jump_host manifests]# cat code.pp
class firewall_node1 {
 firewalld_rich_rule { 'Open all incoming connection for 8081/tcp port on App Server 1':
  ensure => present,
  zone   => 'public',
  log => {
    'level' => 'debug',
    'prefix' => 'puppetFirewallD'
  },
  port => {
   'port' => 8081,
   'protocol' => 'tcp'
  },
  action  => 'accept',
 }
}

class firewall_node2 {
 firewalld_rich_rule { 'Open all incoming connection for 5008/tcp port on App Server 1':
  ensure => present,
  zone   => 'public',
  log => {
    'level' => 'debug',
    'prefix' => 'puppetFirewallD'
  },
  port => {
   'port' => 5008,
   'protocol' => 'tcp'
  },
  action  => 'accept',
 }
}

class firewall_node3 {
 firewalld_rich_rule { 'Open all incoming connection for 8091/tcp port on App Server 3':
  ensure => present,
  zone   => 'public',
  log => {
    'level' => 'debug',
    'prefix' => 'puppetFirewallD'
  },
  port => {
   'port' => 8091,
   'protocol' => 'tcp'
  },
  action  => 'accept',
 }
}

After getting the agents to pull it , i was able to confirm the firewall rules were added

antonysavio1111 · July 13, 2020, 9:20pm

Hi @Inderpreet , @Ayman ,
can you please provide an update . thanks

andrzej · July 14, 2020, 9:18am

Files are not correct in code.pp should be node definition and in official.pp class definition.
I had code.pp and news.pp and put in first one node definition as it was requested. As I do not know your question cannot tell for sure.
I used as well different code for puppet so cannot tell you for sure if it works or not. I can give you tip that you should code this much simpler

antonysavio1111 · July 14, 2020, 2:52pm

thanks for the update @andrzej , but if you look at my post , as per the question , it says to add node specific classes to code.pp and does not say anything about official.pp . So is the question not framed correctly ?
And by simpler did you use firewalld_rich_rule or some other firewalld resource ?

andrzej · July 14, 2020, 3:00pm

In my case the question was like:
Create an inventory file site.pp under …
Also create a puppet programming file beta.pp under …
Regarding resources I did not use rich_rule, what for ? They just ask to allow traffic to port…

antonysavio1111 · July 14, 2020, 3:18pm

but shouldnt the zone be set to public ? I found the rich_rule is one of the resources that has an attribute that supports that in the firewalld module and not the firewall module

andrzej · July 14, 2020, 5:08pm

Yes zone has to be public but this does not enforce rich rule

kleansoul · July 20, 2020, 6:46am

@antonysavio1111, I agree!

Question is not clear what file is to be used for. If the inventory file is required to have the class as well then what is the programming file supposed to be used for?

I am looking forward for some clarity on this too! Hope to get a reply from @Inderpreet @kodekloud-support3

antonysavio1111 · July 20, 2020, 2:34pm

Waiting for a response too @kleansoul from @Inderpreet and @Ayman , my task is currently in Failed state

balu.networks7 · July 20, 2020, 3:21pm

@Tej-Singh-Rana @Inderpreet @Ayman @kodekloud-support3

Completely confusing task… Can someone give some ideas to complete this task please?

How to create a separate pp file for node specification and separate pp file for firewall rules?

if we create 2 separate pp file, when we run ‘puppet agent --test’, which pp file will be used?

Really some sample pp files will help here.

andrzej · July 20, 2020, 3:53pm

Yes you should create two separate files one with inventory and one with code. This is actually how it should be set up generally. What else is here so confusing ?

balu.networks7 · July 21, 2020, 4:38am

Can you give some code example, how it should be look like, or a online document to read about this.

Everywhere I am seeing “Pre and post based firewall rules” like this Manage firewall rules

andrzej · July 21, 2020, 8:11am

Please use this one:

francilio · July 22, 2020, 1:33pm

Thank you, @andrzej. This tip was really helpful.

balu.networks7 · July 23, 2020, 3:31am

@francilio Can you please tell me, How you created two pp files?

one for ‘node specific info’ (example node.pp) and another with firewall rules (example rules.pp).

How to tell rules.pp to use nodes specified in node.pp file?

tgp · July 23, 2020, 6:45am

Include the respective class in the node.pp file under the specific nodes.

balu.networks7 · July 23, 2020, 7:35am

@tgp Do we need to specify node specs again in rules.pp file?

I am seeing below error :

root@agent1]# puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Unknown resource type: 'firewalld_rich_rule' (file: /etc/puppetlabs/code/environments/production/manifests/ruls.pp, line: 2, column: 2) on node agent1.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
[root@agent1]#

andrzej · July 23, 2020, 7:44am

No we do not. In inventory file you have to put nodes and include class. In code file you just put puppet code for class.

balu.networks7 · July 23, 2020, 3:58pm

Thanks @andrzej @tgp @antonysavio1111

Finally it’s Successful after 3 days of hard work. Learnt a new concept… Happy now…

Thank you… !!!

antonysavio1111 · July 23, 2020, 7:36pm

Good to hear @balu.networks7 !!