I have a Puppet module to manage firewalld, including creating the /etc/firewalld dir and adding the custom services XML files to /etc/firewalld/services/.
The dependency ordering for enabled="true" is:
Package["$package_name"] -> File['/etc/firewalld'] -> Service["$service_name"]
and then on the service add function I have:
    define firewalld_zone_add_service($zone, $service) {
      # Add the service to the zone only if it is not already present.
      exec { "firewalld_${zone}_add_service_${service}":
        path    => '/bin:/usr/bin:/sbin:/usr/sbin',
        command => "firewall-cmd --permanent --zone=${zone} --add-service=${service}",
        unless  => "firewall-cmd -q --permanent --zone=${zone} --query-service=${service}",
        notify  => Exec['firewalld_reload'],
        require => [ Exec["firewalld_zone_create_$zone"],
                     File['/etc/firewalld'],
                     File['/etc/firewalld/services/networker.xml'],
                     File['/etc/firewalld/services/snmpd.xml'],
                   ]
      }
    }
This all works fine, but when I set it to enabled="false" it fails. The ordering is the reverse:
Service["$service_name"] -> File['/etc/firewalld'] -> Package["$package_name"]
This returns an error, as the removal of the /etc/firewalld directory also removes the services files, and I get a file not found error when it tries to set $file_ensure = 'absent'.
If I try to set the ordering so the files are removed before the directory, I get a dependency loop error:
Service["$service_name"] -> File['networker'] -> File['snmpd'] -> File['/etc/firewalld'] -> Package["$package_name"]
So my question is, how do I manage this loop? Is there a way to ignore $file_ensure for enabled="false" so it doesn't try to set anything if the directory removal also removes the managed configuration files?
Thank you.
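
One way to avoid the loop, as an added example that is not part of the original post: Puppet file resources autorequire their nearest managed parent directory, so the service files are always ordered after File['/etc/firewalld'] and cannot also be ordered before it. The sketch below declares the service files only when enabled and removes the whole directory with `force` otherwise; the class name, parameters, file modes and `puppet:///` source paths are assumptions.

```puppet
# Hypothetical class: name, parameters, modes and source paths are assumptions.
class firewalld_sketch (
  Boolean $enabled      = true,
  String  $package_name = 'firewalld',
  String  $service_name = 'firewalld',
) {
  if $enabled {
    package { $package_name:
      ensure => installed,
    }

    file { '/etc/firewalld':
      ensure  => directory,
      owner   => 'root',
      group   => 'root',
      mode    => '0750',   # assumed mode
      require => Package[$package_name],
    }

    # The child files autorequire File['/etc/firewalld'], so they need no
    # explicit ordering against the directory.
    ['networker', 'snmpd'].each |String $svc| {
      file { "/etc/firewalld/services/${svc}.xml":
        ensure => file,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',   # assumed mode
        source => "puppet:///modules/firewalld_sketch/${svc}.xml",
        before => Service[$service_name],
      }
    }

    service { $service_name:
      ensure  => running,
      enable  => true,
      require => File['/etc/firewalld'],
    }
    # firewalld_zone_add_service { ... } instances belong in this branch only,
    # because their require => File[...] targets exist only when enabled.
  } else {
    # The service XML files are not declared here at all. Removing the
    # directory with force => true also removes everything beneath it, so no
    # child file is ever set to 'absent' and no dependency cycle can form.
    service { $service_name: ensure => stopped, enable => false }
    -> file { '/etc/firewalld': ensure => absent, force => true }
    -> package { $package_name: ensure => absent }
  }
}
```

The disabled branch keeps the Service -> File -> Package order from the question.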