Firewalld problem when deployed via Ansible on AWS

Support for security such as Firewalls and securing linux
horizn
Posts: 7
Joined: 2016/02/25 15:28:33

Firewalld problem when deployed via Ansible on AWS

Postby horizn » 2018/05/11 13:47:04

Hi,
I am running an Ansible Playbook to deploy LAMP stack on CentOS in AWS. It is working perfectly when I am running it against local (Virtualbox VM) CentOS instance, but it is failing on Firewalld when I am deploying in on to CentOS (standard CentOS AMI) in AWS.

The error I am experiencing in AWS:

Code: Select all

May 11 13:17:53 ip-.eu-west-1.compute.internal systemd[1]: Starting firewalld - dynamic firewall daemon...
May 11 13:17:53 ip-.eu-west-1.compute.internal firewalld[26503]: ERROR: Exception DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.42" is not allowed to own the service "org.fedoraproject.FirewallD1" due to security ...onfiguration file
May 11 13:17:53 ip-.eu-west-1.compute.internal systemd[1]: Started firewalld - dynamic firewall daemon.

And even if login as root I am not able to start it (the same error appears).

In my Ansible playbook, as a first thing I am disabling SELinux, then perform system upgrade, install packages:

Code: Select all

- name: Apply for common configuration to all the nodes
  hosts: all
  become: true
  become_method: sudo

  roles:
   - common
   - web
   - db
   - php70
   - sshd


Then in common task:

Code: Select all

- name: SELinux to enforcing
  command: /sbin/setenforce 0

- name: Keep SELinux disabled after reboot
  lineinfile:
    dest: /etc/selinux/config
    regexp: '^#?SELINUX=enforcing'
    line: 'SELINUX=permissive'
    backrefs: yes
    state: present

- name: Upgrade all packages
  package:
    name: "*"
    state: latest

- name: Install nano, git, etc
  package:
    name:
      - git
      - nano
      - curl
      - wget
      - gcc
      - kernel-devel
      - vim
      - man
      - unzip
      - mc
      - firewalld
    state: present


And then it is failing on "Enable the firewall port 80 for Apache" because firewall is not running:

Code: Select all

- name: Start firewalld
  service:
    name: firewalld
    state: started
    enabled: yes

- name: Enable the firewall port 80 for Apache
  firewalld:
    port: 80/tcp
    state: enabled
    immediate: yes
    permanent: true

- name: Enable the firewall port 443 for Apache
  firewalld:
    port: 443/tcp
    state: enabled
    immediate: yes
    permanent: true


To fix that I have to reboot AWS VM. As I mentioned earlier I don't have that issue when deploying to the local CentOS instance. Both AWS and local instances are running on the same CentOS version: CentOS Linux release 7.5.1804 (Core) Any ideas?