Bug 1109957 - ansible firewalld module fails
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Version: Leap 15.0
Hardware: x86-64 SUSE Other
Importance: P5 - None : Normal
Assigned To: Lars Vogdt
CVSSv2:NVD:CVE-2018-16876:3.5:(AV:N/A...
Reported: 2018-09-27 07:36 UTC by Stephan Schöttl
Modified: 2021-05-11 15:35 UTC (History)
lars.vogdt: needinfo? (maintenance)


Attachments
Example ansible playbook to reproduce the issue (174 bytes, application/x-yaml)
2018-09-27 07:36 UTC, Stephan Schöttl
Description Stephan Schöttl 2018-09-27 07:36:49 UTC
Created attachment 784433
Example ansible playbook to reproduce the issue

The firewalld module of ansible fails with "An exception occurred during task execution. To see the full traceback, use -vvv. The error was: NameError: global name 'fw_offline' is not defined". The patch from https://github.com/ansible/ansible/issues/38161 (backport for ansible 2.5) is not sufficient. From my first analysis /usr/lib/python2.7/site-packages/ansible/modules/system/firewalld.py tries "import firewall.config" which fails because firewall.config is only available for python3 (at least I cannot find it). I am attaching a simple example to reproduce (ansible-playbook firewall.yml).

rpm -q ansible
ansible-2.5.1-lp150.1.1.noarch

cat /etc/os-release 
NAME="openSUSE Leap"
VERSION="15.0"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.0"
PRETTY_NAME="openSUSE Leap 15.0"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.0"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
Comment 1 Lars Vogdt 2019-03-15 18:37:18 UTC
Looks to me like the issue is fixed in latest ansible 2.7.8 (if you want, try the package from the development repository in systemsmanagement).

@Maintenance: as there are a lot of other fixes included in the latest version, I would like to release the 2.7.8 one as a maintenance update for
* openSUSE:Backports:SLE-12/ansible
* openSUSE:Backports:SLE-15:Update/ansible
* openSUSE:Leap:15.0:Update/ansible
* openSUSE:Leap:15.1:Update/ansible
* openSUSE:Leap:42.3:Update/ansible
if you agree.

There are some configuration settings, that are meanwhile marked as "deprecated" and this will result in a warning message once the user executes his ansible playbooks, but I assume that at least the following CVE (and other) fixes are worth this small inconvenience:
* CVE-2018-16876
* CVE-2018-16859
* CVE-2018-10875
* CVE-2018-10855
Comment 2 Marcus Meissner 2019-03-16 07:02:00 UTC
would be fine for me.
Comment 3 Lars Vogdt 2019-03-16 22:28:33 UTC
(In reply to Marcus Meissner from comment #2)
> would be fine for me.

https://build.opensuse.org/request/show/685668 created.

@Maintenance: sorry to disturb, but it's unclear to me when to mark a bug as fixed?

Neither https://en.opensuse.org/Portal:Maintenance nor https://en.opensuse.org/openSUSE:Package_maintenance have any guidance in this direction.
Comment 4 Swamp Workflow Management 2019-03-18 20:50:26 UTC
This is an autogenerated message for OBS integration:
This bug (1109957) was mentioned in
https://build.opensuse.org/request/show/686222 15.0+42.3+Backports:SLE-12+Backports:SLE-15 / ansible
Comment 5 Swamp Workflow Management 2019-04-03 07:10:37 UTC
openSUSE-SU-2019:1125-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1099808,1102126,1109957,1112959,1116587,1118896,1126503
CVE References: CVE-2018-10875,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ansible-2.7.8-9.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 6 Lars Vogdt 2019-06-05 17:29:52 UTC
closing
Comment 7 Swamp Workflow Management 2019-06-27 10:26:33 UTC
openSUSE-SU-2019:1635-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1109957,1112959,1118896,1126503
CVE References: CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ansible-2.8.1-12.1
Comment 8 Swamp Workflow Management 2019-06-27 10:29:14 UTC
openSUSE-SU-2019:1635-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1109957,1112959,1118896,1126503
CVE References: CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828
Sources used:
openSUSE Leap 42.3 (src):    ansible-2.8.1-12.1
openSUSE Leap 15.1 (src):    ansible-2.8.1-lp151.2.3.1
openSUSE Leap 15.0 (src):    ansible-2.8.1-lp150.2.6.1
openSUSE Backports SLE-15 (src):    ansible-2.8.1-bp150.3.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ansible-2.8.1-12.1
Comment 9 Swamp Workflow Management 2019-08-14 07:16:44 UTC
openSUSE-SU-2019:1858-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1109957,1112959,1118896,1126503
CVE References: CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828
Sources used:
openSUSE Backports SLE-15-SP1 (src):    ansible-2.8.1-bp151.3.3.1
Comment 18 Swamp Workflow Management 2020-11-12 17:20:29 UTC
SUSE-SU-2020:3309-1: An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now available.

Category: security (important)
Bug References: 1008037,1008038,1010940,1019021,1038785,1056094,1059235,1080682,1097775,1102126,1109957,1112959,1117080,1118896,1123561,1126503,1137479,1137528,1142121,1142542,1144453,1153452,1154231,1154232,1154830,1157968,1157969,1159447,1161919,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165022,1165393,1166389,1167440,1167532,1171162,1171823,1172450,1173413,1173416,1173418,1174006,1174145,1174242,1174302,1174583,1175484,1175986,1175993,1177120,1177948
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-8647,CVE-2016-9587,CVE-2017-7466,CVE-2017-7550,CVE-2018-10875,CVE-2018-11779,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-0202,CVE-2019-10156,CVE-2019-10206,CVE-2019-10217,CVE-2019-14846,CVE-2019-14856,CVE-2019-14858,CVE-2019-14864,CVE-2019-14904,CVE-2019-14905,CVE-2019-19844,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-14330,CVE-2020-14332,CVE-2020-14365,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-17376,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2020-25032,CVE-2020-26137,CVE-2020-7471,CVE-2020-9402
JIRA References: SOC-10300,SOC-10522,SOC-10616,SOC-11000,SOC-11223,SOC-11342,SOC-11352,SOC-11364,SOC-11386,SOC-11389,SOC-11391,SOC-6780,SOC-9974,SOC-9998
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.14-3.15.1, crowbar-core-5.0+git.1600432272.b3ad722f0-3.44.1, crowbar-openstack-5.0+git.1599037158.5c4d07480-4.43.1, documentation-suse-openstack-cloud-deployment-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Pillow-4.2.1-3.9.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, rubygem-crowbar-client-3.9.3-1.1, storm-1.2.3-3.6.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-suse-openstack-cloud-installation-8.20201007-1.29.1, documentation-suse-openstack-cloud-operations-8.20201007-1.29.1, documentation-suse-openstack-cloud-opsconsole-8.20201007-1.29.1, documentation-suse-openstack-cloud-planning-8.20201007-1.29.1, documentation-suse-openstack-cloud-security-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, documentation-suse-openstack-cloud-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, 
venv-openstack-horizon-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1
HPE Helion Openstack 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-hpe-helion-openstack-installation-8.20201007-1.29.1, documentation-hpe-helion-openstack-operations-8.20201007-1.29.1, documentation-hpe-helion-openstack-opsconsole-8.20201007-1.29.1, documentation-hpe-helion-openstack-planning-8.20201007-1.29.1, documentation-hpe-helion-openstack-security-8.20201007-1.29.1, documentation-hpe-helion-openstack-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-urllib3-1.22-5.12.1, release-notes-hpe-helion-openstack-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, 
venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.