Error when firewall-cmd is not yet available and purging direct rules/chains/passthroughs is turned on

[tcprescott]

I think this issue is similar to #96 but feel free to correct me if I'm wrong.

I'm using version 3.1.7 of puppet-firewalld on CentOS 7.2 with puppet agent version 4.8.0. The puppet master is a CentOS 6.8 box with version 4.4.0 of puppet.

When including the firewalld class and setting purge_direct_rules, purge_direct_chains, and/or purge_direct_passthroughs to true, there are puppet errors that occur.

manifest

 class { "firewalld":
     purge_direct_rules => true,
     purge_direct_chains => true,
     purge_direct_passthroughs => true,
  }

Initial run without firewalld installed yet:

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for server.example.com
Error: /Stage[main]/Firewalld/Firewalld_direct_purge[chain]: Failed to generate additional resources using 'generate': Command firewall_cmd is missing
Error: /Stage[main]/Firewalld/Firewalld_direct_purge[rule]: Failed to generate additional resources using 'generate': Command firewall_cmd is missing
Error: /Stage[main]/Firewalld/Firewalld_direct_purge[passthrough]: Failed to generate additional resources using 'generate': Command firewall_cmd is missing
Info: Applying configuration version '1479150712'
Notice: /Stage[main]/Firewalld/Package[firewalld]/ensure: created
Info: /Stage[main]/Firewalld/Package[firewalld]: Scheduling refresh of Service[firewalld]
Notice: /Stage[main]/Firewalld/Service[firewalld]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Firewalld/Service[firewalld]: Unscheduling refresh on Service[firewalld]
Notice: Applied catalog in 4.53 seconds

This would cause the initial run that installs firewalld to fail. It isn't a huge deal since subsequent runs will work, but we do have some things that trigger if there is an error in a puppet run. We'd like to purge rules so we can ensure output rules are being properly managed.

Thank you for a great module!

[crayfishx]

This is quite possibly very much related to #96 but the smoke tests didn't take into account having purge options set, which causes the generate method to run the provider (again, before the package provider has run)

This is turning a bit chicken and egg, but we should be able to try and implement something along the lines of what we did in #96.

[crayfishx]

I have a fix for this planned and tested, it basically just requires a dependency to be set in the manifest, but this causes a problem I've recently reported as https://tickets.puppetlabs.com/browse/PUP-6922 and is related to #93 - but this will be sorted when I can get around that issue.

[crayfishx]

After fixing my previous issue - the fix I had planned does not work for this issue, as the generate method is evaluated out of the dependancy graph ordering - going to put this off to 3.1.9 to allow some time to develop a proper solution here.

[crayfishx]

@tcprescott I have a proposed fix in the ticket/101_new branch (https://github.com/crayfishx/puppet-firewalld/tree/ticket/101_new) would you be able to smoke test this to see if it works for your use case?