Firewalld problem when deployed via Ansible on AWS
Posted: 2018/05/11 13:47:04
Hi,

I am running an Ansible Playbook to deploy a LAMP stack on CentOS in AWS. It works perfectly when I run it against a local (VirtualBox VM) CentOS instance, but it fails on Firewalld when I deploy it onto CentOS (standard CentOS AMI) in AWS.

The error I am experiencing in AWS:

```text
May 11 13:17:53 ip-.eu-west-1.compute.internal systemd[1]: Starting firewalld - dynamic firewall daemon...
May 11 13:17:53 ip-.eu-west-1.compute.internal firewalld[26503]: ERROR: Exception DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.42" is not allowed to own the service "org.fedoraproject.FirewallD1" due to security ...onfiguration file
May 11 13:17:53 ip-.eu-west-1.compute.internal systemd[1]: Started firewalld - dynamic firewall daemon.
```

And even if I log in as root I am not able to start it (the same error appears).

In my Ansible playbook, the first thing I do is disable SELinux, then I perform a system upgrade and install packages:

```yaml
- name: Apply for common configuration to all the nodes
  hosts: all
  become: true
  become_method: sudo
  roles:
    - common
    - web
    - db
    - php70
    - sshd
```

Then in the common tasks:

```yaml
# setenforce 0 switches SELinux to permissive mode for the running system
- name: Set SELinux to permissive
  command: /sbin/setenforce 0

# make the change survive a reboot by editing /etc/selinux/config
- name: Keep SELinux permissive after reboot
  lineinfile:
    dest: /etc/selinux/config
    regexp: '^#?SELINUX=enforcing'
    line: 'SELINUX=permissive'
    backrefs: yes
    state: present

- name: Upgrade all packages
  package:
    name: "*"
    state: latest

- name: Install nano, git, etc
  package:
    name:
      - git
      - nano
      - curl
      - wget
      - gcc
      - kernel-devel
      - vim
      - man
      - unzip
      - mc
      - firewalld
    state: present
```

And then it fails on "Enable the firewall port 80 for Apache" because the firewall is not running:

```yaml
- name: Start firewalld
  service:
    name: firewalld
    state: started
    enabled: yes

- name: Enable the firewall port 80 for Apache
  firewalld:
    port: 80/tcp
    state: enabled
    immediate: yes
    permanent: true

- name: Enable the firewall port 443 for Apache
  firewalld:
    port: 443/tcp
    state: enabled
    immediate: yes
    permanent: true
```

To fix that I have to reboot the AWS VM. As I mentioned earlier, I don't have that issue when deploying to the local CentOS instance. Both the AWS and local instances are running the same CentOS version: CentOS Linux release 7.5.1804 (Core). Any ideas?
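As an added example that is not part of the original post (task and variable names are my own): the journal above shows systemd logging "Started firewalld" even though the daemon had already died on the D-Bus AccessDenied error, so `service: state: started` alone does not prove the firewall is usable. This guard polls `firewall-cmd --state` after the start and, if the daemon never reports `running`, fails the play with the last firewalld journal lines instead of the vaguer error from the `firewalld` module.

```yaml
# Added example, not from the original post: verify firewalld is really
# serving D-Bus requests before any rule is added.
- name: Start firewalld
  service:
    name: firewalld
    state: started
    enabled: yes

- name: Make sure firewalld is really up before touching rules
  block:
    - name: Wait until firewalld answers on D-Bus
      # prints "running" and exits 0 only when the daemon owns the D-Bus name;
      # the until loop retries on a non-zero exit code as well
      command: firewall-cmd --state
      register: fw_state
      until: fw_state.rc == 0 and fw_state.stdout == "running"
      retries: 6
      delay: 5
      changed_when: false
  rescue:
    - name: Collect the last firewalld journal lines
      command: journalctl -u firewalld -n 20 --no-pager
      register: fw_journal
      changed_when: false

    - name: Stop early with the real reason
      fail:
        msg: >-
          firewalld is not running after 'service: started'
          (firewall-cmd --state returned rc={{ fw_state.rc | default('?') }},
          stdout='{{ fw_state.stdout | default('') }}').
          Last journal lines:
          {{ fw_journal.stdout }}

# only reached when firewall-cmd reported "running"
- name: Enable the firewall ports for Apache
  firewalld:
    port: "{{ item }}"
    state: enabled
    immediate: yes
    permanent: true
  loop:
    - 80/tcp
    - 443/tcp
```

On the failing AWS host the rescue branch would surface the `org.fedoraproject.FirewallD1` AccessDenied line from the journal directly in the play output.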