firewalld default_zone needs a existing zone

[posteingang]

We want to bootstrap our server with a firewalld default_zone with the following puppet code:

class { '::firewalld':
  default_zone => 'restricted',
}
firewalld_zone { 'restricted':
  ensure           => present,
  target           => '%%REJECT%%',
  purge_rich_rules => true,
  purge_services   => true,
  purge_ports      => true,
}

...

This produce the following error

Info: Applying configuration version '1492689664'
Notice: /Stage[main]/Profile::Base/Firewalld_zone[restricted]/ensure: created
Info: /Stage[main]/Profile::Base/Firewalld_zone[restricted]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Firewalld/Exec[firewalld::set_default_zone]/returns: Error: INVALID_ZONE: restricted
Error: 'firewall-cmd --set-default-zone restricted' returned 112 instead of one of [0]
Error: /Stage[main]/Firewalld/Exec[firewalld::set_default_zone]/returns: change from notrun to 0 failed: 'firewall-cmd --set-default-zone restricted' returned 112 instead of one of [0]
Notice: /Stage[main]/Profile::Base/Firewalld_service[Allow SSH]/ensure: created
Info: /Stage[main]/Profile::Base/Firewalld_service[Allow SSH]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 2 events
Info: Class[Firewalld]: Unscheduling all events on Class[Firewalld]
Info: Stage[main]: Unscheduling all events on Stage[main]
Notice: Applied catalog in 7.22 seconds

Puppet creates the zone but did not publish it to firewalld. After a second puppet run, puppet changes the default_zone successfully.
The first problem is there is no requiment for an existing default_zone. I changed this in firewalld/manifests/init.pp (line 174).

    if $default_zone {
      exec { 'firewalld::set_default_zone':
        command   => "firewall-cmd --set-default-zone ${default_zone}",
        unless    => "[ $(firewall-cmd --get-default-zone) == ${default_zone} ]",
        subscribe => Service['firewalld'],
        require   => Firewalld_zone[$default_zone] # <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
      }
    }

The second problem is that firewalld needs to reload to publish a new zone.
I fixed the problem in lib/puppet/provider/firewalld_zone/firewall_cmd.rb (line 25) with a simple reload.

def create
    self.debug("Creating new zone #{@resource[:name]} with target: '#{@resource[:target]}'")
    execute_firewall_cmd(['--new-zone', @resource[:name]], nil)

    self.target=(@resource[:target]) if @resource[:target]
    self.sources=(@resource[:sources]) if @resource[:sources]
    self.interfaces=@resource[:interfaces]
    reload_firewall
end

I am not a dev and maybe the solution is not the right, but it works. :-)
Hopefully someone can fix the issue correctly and push it.

[crayfishx]

@posteingang Thanks for reporting this - I agree with the issue at hand, but I think you are overthinking the solution. firewalld doesn't need to be reloaded after --set-default-zone since it's not a --permanent option like --new-zone is... Since we already notify Exec[firewalld::reload] whenever a zone changes, I think all we need to do is change the dependency on the exec to require the reload, as I've done in #136

We end up with Service['firewalld'] -> Firewalld_zone <||> -> Exec[firewalld::reload] -> Exec[firewalld::set_default_zone]

I've tested this and it seems to bootstrap fine