如何在 Centos 7 上使用 ansible firewalld 任务打开防火墙端口

How to open firewall port with ansible firewalld task on Centos 7

我的 ansible-playbook 脚本中有一个任务是在远程机器上打开 TCP 端口。但是当我 运行 我的 ansible 剧本时,它会抛出一个错误。但是当我 运行 "firewall-cmd --permanent --zone=public --add-port=1234/tcp""firewalld-cmd --reload" 我可以看到端口被添加到 public 区域。

环境 Ansible 本地:OS x El Capitan Ansible 远程:AWS Centos 7 最低版本 版本:2.1.1.0 远程 python 版本:2.7.5

我的任务

- name: open management console port
  firewalld: port=1234/tcp zone=public permanent=true state=enabled immediate=yes

我遇到的错误

fatal: [X.X.X.X]: FAILED! => {"changed": false, "failed": true, "module_stderr": "", "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_MojhHQ/ansible_module_firewalld.py\", line 605, in <module>\r\n    main()\r\n  File \"/tmp/ansible_MojhHQ/ansible_module_firewalld.py\", line 456, in main\r\n    is_enabled = get_port_enabled_permanent(zone, [port, protocol])\r\n  File \"/tmp/ansible_MojhHQ/ansible_module_firewalld.py\", line 170, in get_port_enabled_permanent\r\n    fw_zone = fw.config().getZoneByName(zone)\r\n  File \"<string>\", line 2, in getZoneByName\r\n  File \"/usr/lib/python2.7/site-packages/slip/dbus/polkit.py\", line 103, in _enable_proxy\r\n    return func(*p, **k)\r\n  File \"<string>\", line 2, in getZoneByName\r\n  File \"/usr/lib/python2.7/site-packages/firewall/client.py\", line 52, in handle_exceptions\r\n    return func(*args, **kwargs)\r\n  File \"/usr/lib/python2.7/site-packages/firewall/client.py\", line 1505, in getZoneByName\r\n    path = dbus_to_python(self.fw_config.getZoneByName(name))\r\n  File \"/usr/lib64/python2.7/site-packages/dbus/proxies.py\", line 70, in __call__\r\n    return self._proxy_method(*args, **keywords)\r\n  File \"/usr/lib/python2.7/site-packages/slip/dbus/proxies.py\", line 50, in __call__\r\n    return dbus.proxies._ProxyMethod.__call__(self, *args, **kwargs)\r\n  File \"/usr/lib64/python2.7/site-packages/dbus/proxies.py\", line 145, in __call__\r\n    **keywords)\r\n  File \"/usr/lib64/python2.7/site-packages/dbus/connection.py\", line 651, in call_blocking\r\n    message, timeout)\r\ndbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.config: \r\n", "msg": "MODULE FAILURE", "parsed": false}

dbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.config 表示存在某种权限错误。该任务可能需要通过 become: yes.

提升其权限

有关详细信息,请参阅 the become documentation

- name: Install firewalld
      yum:
        name: firewalld
        state: latest
      notify:
        - start firewalld
    - name: start firewalld
      service:
        name: firewalld
        state: started
        enabled: yes
      become: yes
    - name: enable 1234
      firewalld:
        zone: public
        port: 1234/tcp
        permanent: true
        state: enabled
      become: yes

这样做。它会起作用