Disable firewall on Windows

Open stenio123 opened this issue 9 years ago • 9 comments

Cookbook version

firewall 2.5.2 [Version of the cookbook where you are encountering the issue]

Chef-client version

12.8.1 [Version of chef-client in your environment]

Platform Details

Windows 2012 r2 [Operating system distribution and release version. Cloud provider if running in the cloud]

Scenario:

[What you are trying to achieve and you can't?] Disabling firewall on windows using

  firewall 'default' do
    action :disable
  end

Steps to Reproduce:

[If you are filing an issue what are the things we need to do in order to repro your problem? How are you using this cookbook or any resources it includes?]

  1. Create a cookbook wrapper doing "chef generate cookbook firewall-wrapper"
  2. Update Berksfile, include_recipe firewall on the default recipe
  3. Add this to default recipe
  firewall 'default' do
    action :disable
  end
  4. If you have a way to test on Windows 2012r2, update your .kitchen.yml to point to it
  5. Run kitchen converge and see error

Expected Result:

[What are you expecting to happen as the consequence of above reproduction steps?] Successful kitchen run, all ports open on windows

Actual Result:

Kitchen converge fails with message
-----> Starting Kitchen (v1.7.1)
-----> Converging <disable-firewall-windows-2012r2>...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 4.3.2...
       Removing non-cookbook files before transfer
       Preparing validation.pem
       Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)

       Transferring files to <disable-firewall-windows-2012r2>
       Starting Chef Client, version 12.10.24
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: Failed to complete #converge action: [HTTPClient::KeepAliveDisconnected: ]
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

kitchen.log:


I, [2016-06-03T14:14:25.106937 #78457]  INFO -- Kitchen: -----> Starting Kitchen (v1.7.1)
I, [2016-06-03T14:14:27.740273 #78457]  INFO -- Kitchen: -----> Converging <disable-firewall-windows-2012r2>...
E, [2016-06-03T14:15:54.418152 #78457] ERROR -- Kitchen: ------Exception-------
E, [2016-06-03T14:15:54.418198 #78457] ERROR -- Kitchen: Class: Kitchen::ActionFailed
E, [2016-06-03T14:15:54.418214 #78457] ERROR -- Kitchen: Message: Failed to complete #converge action: [HTTPClient::KeepAliveDisconnected: ]
E, [2016-06-03T14:15:54.418228 #78457] ERROR -- Kitchen: ---Nested Exception---
E, [2016-06-03T14:15:54.418270 #78457] ERROR -- Kitchen: Class: HTTPClient::KeepAliveDisconnected
E, [2016-06-03T14:15:54.418282 #78457] ERROR -- Kitchen: Message: HTTPClient::KeepAliveDisconnected: 
E, [2016-06-03T14:15:54.418293 #78457] ERROR -- Kitchen: ------Backtrace-------
E, [2016-06-03T14:15:54.418304 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient/session.rb:795:in `block in parse_header'
E, [2016-06-03T14:15:54.418316 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:91:in `block in timeout'
E, [2016-06-03T14:15:54.418328 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:101:in `call'
E, [2016-06-03T14:15:54.418339 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:101:in `timeout'
E, [2016-06-03T14:15:54.418351 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient/session.rb:788:in `parse_header'
E, [2016-06-03T14:15:54.418363 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient/session.rb:771:in `read_header'
E, [2016-06-03T14:15:54.418375 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient/session.rb:547:in `get_header'
E, [2016-06-03T14:15:54.418386 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1294:in `do_get_header'
E, [2016-06-03T14:15:54.418398 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1241:in `do_get_block'
E, [2016-06-03T14:15:54.418409 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1021:in `block in do_request'
E, [2016-06-03T14:15:54.418421 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1134:in `rescue in protect_keep_alive_disconnected'
E, [2016-06-03T14:15:54.418433 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1128:in `protect_keep_alive_disconnected'
E, [2016-06-03T14:15:54.418444 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1016:in `do_request'
E, [2016-06-03T14:15:54.418457 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:858:in `request'
E, [2016-06-03T14:15:54.418513 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:761:in `post'
E, [2016-06-03T14:15:54.418526 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/http/transport.rb:189:in `send_request'
E, [2016-06-03T14:15:54.418538 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/winrm_service.rb:489:in `send_message'
E, [2016-06-03T14:15:54.418550 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/winrm_service.rb:299:in `cleanup_command'
E, [2016-06-03T14:15:54.418562 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/winrm_service.rb:201:in `ensure in run_command'
E, [2016-06-03T14:15:54.418573 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/winrm_service.rb:201:in `run_command'
E, [2016-06-03T14:15:54.418585 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/command_executor.rb:96:in `run_cmd'
E, [2016-06-03T14:15:54.418608 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/command_executor.rb:128:in `run_powershell_script'
E, [2016-06-03T14:15:54.418622 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:220:in `execute_with_exit_code'
E, [2016-06-03T14:15:54.418635 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:101:in `execute'
E, [2016-06-03T14:15:54.418647 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/provisioner/base.rb:73:in `block in call'
E, [2016-06-03T14:15:54.418659 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/base.rb:86:in `initialize'
E, [2016-06-03T14:15:54.418670 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:419:in `new'
E, [2016-06-03T14:15:54.418682 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:419:in `create_new_connection'
E, [2016-06-03T14:15:54.418693 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:73:in `connection'
E, [2016-06-03T14:15:54.418746 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/provisioner/base.rb:66:in `call'
E, [2016-06-03T14:15:54.418759 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:373:in `block in converge_action'
E, [2016-06-03T14:15:54.418771 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:513:in `call'
E, [2016-06-03T14:15:54.418782 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:513:in `synchronize_or_call'
E, [2016-06-03T14:15:54.418794 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:478:in `block in action'
E, [2016-06-03T14:15:54.418805 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/2.1.0/benchmark.rb:279:in `measure'
E, [2016-06-03T14:15:54.418816 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:477:in `action'
E, [2016-06-03T14:15:54.418828 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:369:in `converge_action'
E, [2016-06-03T14:15:54.418839 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:348:in `block in transition_to'
E, [2016-06-03T14:15:54.418851 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:347:in `each'
E, [2016-06-03T14:15:54.418863 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:347:in `transition_to'
E, [2016-06-03T14:15:54.418874 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:138:in `converge'
E, [2016-06-03T14:15:54.418917 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/command.rb:176:in `public_send'
E, [2016-06-03T14:15:54.418929 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/command.rb:176:in `block (2 levels) in run_action'
E, [2016-06-03T14:15:54.418941 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/logging-2.1.0/lib/logging/diagnostic_context.rb:450:in `call'
E, [2016-06-03T14:15:54.418959 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/logging-2.1.0/lib/logging/diagnostic_context.rb:450:in `block in create_with_logging_context'
E, [2016-06-03T14:15:54.418972 #78457] ERROR -- Kitchen: ----------------------

Jun 03 '16 19:06 stenio123

Hi there,

We are running into the same issue here. If we just define the following block in a recipe for Windows:

# disable platform default firewall
firewall 'default' do
  action :disable
end

It fails. If we add the following code:

# defaults
firewall 'default'
# disable platform default firewall
firewall 'default' do
  action :disable
end

it completes, BUT, it runs the defaults (enable, start) before the (disable) on every chef-client run. We understand this is not the most idempotent/ideal scenario.

We also tried with the following code

firewall 'default' do
  enabled false
end

and then the recipe does nothing.

Jun 03 '16 21:06 warp3r

Thank you @warp3r ... I tried copying and pasting what you wrote but am still getting the error

------Exception-------
Class: Kitchen::ActionFailed
Message: Failed to complete #converge action: [HTTPClient::KeepAliveDisconnected: ]
Please see .kitchen/logs/kitchen.log for more details
Also try running `kitchen diagnose --all` for configuration

Jun 04 '16 12:06 stenio123

This seems to be an issue where disabling the firewall service also disables test-kitchen's ability to execute WinRM commands on the instance. I'm unfortunately not knowledgeable enough to know the best way to disable the firewall while still preserving connectivity.

I'd be happy to fix the implementation if someone is willing to walk through the proper steps in this issue.

Jun 06 '16 13:06 martinb3

I tried disabling the MpsSvc Windows service using a Chef resource, but that also didn't work. In the end I had to resort to PowerShell; this is what my disable recipe looks like:

case node['platform']
when 'centos'
  firewall 'default' do
    action :disable
  end
when 'windows'
  powershell_script 'Keeps MpsSvc running but disables firewall' do
    code <<-EOH
      NetSh Advfirewall set allprofiles state off
    EOH
  end
else
  raise 'This OS is not supported.'
end

Jun 06 '16 14:06 stenio123

I'm also having this issue; I get a WinRM error immediately after disabling the firewall...

Jun 23 '16 15:06 kalapakim

@stenio123 -- we're currently doing NetSh Advfirewall set currentprofile state off which I would think is probably equivalent to what you're doing, but just for the current firewall. It seems like the biggest difference is that we're also disabling the service after:

        service 'MpsSvc' do
          action [:disable, :stop]
        end

Is this the wrong thing to do on Windows? I'd love some feedback from folks here using Windows. Thanks!

Oct 26 '16 08:10 martinb3

When I run

firewall 'default' do
    action :disable
end

on Ubuntu where a previous version had enabled the ufw firewall, I would expect it to be then disabled. However, while there's no error, ufw is still enabled (active) after running chef-client.

Jul 14 '17 10:07 databu

@baltar Please open a separate issue; this issue is specifically about the Windows provider and deciding what to do.

Jul 14 '17 11:07 martinb3

The issue here appears to be in

      def active?
        @active ||= begin
          cmd = shell_out!('netsh advfirewall show currentprofile')
          cmd.stdout =~ /^State\sON/
        end
      end

The def action_disable disables the Windows service, and the check to see if it is active requires it to be running.

My vote would be to only call disable! and to not stop or disable the windows service. This would allow the check to work.

Dec 03 '19 22:12 djcoster
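
The comment above points out that the active? check depends on the firewall service still running. As an added example (not the cookbook's code), this Ruby sketch reads the per-profile state from `netsh advfirewall show allprofiles` output and reports an unreadable state separately from an off state; `profile_states`, `firewall_summary` and both sample outputs are constructed for illustration.

```ruby
# Added example, not cookbook code. Both sample outputs are constructed.
# Assumed layout: "<Name> Profile Settings:" header, dashed rule, then
# "State" padded with spaces before ON or OFF.
SAMPLE_ALL_PROFILES = <<~OUT
  Domain Profile Settings:
  ----------------------------------------------------------------------
  State                                 OFF
  Firewall Policy                       BlockInbound,AllowOutbound

  Private Profile Settings:
  ----------------------------------------------------------------------
  State                                 ON

  Public Profile Settings:
  ----------------------------------------------------------------------
  State                                 ON

  Ok.
OUT

# Constructed stand-in for netsh's output when the firewall service is stopped.
SAMPLE_SERVICE_DOWN = "An error occurred while attempting to contact the Windows Firewall service.\n"

# Returns e.g. { 'Domain' => :off }, or nil when no state could be read.
def profile_states(stdout, exitstatus)
  return nil unless exitstatus.zero?

  states = {}
  current = nil
  stdout.each_line do |line|
    if (m = line.match(/^(\w+) Profile Settings:/))
      current = m[1]
    elsif current && (m = line.match(/^State\s+(ON|OFF)\s*$/)) # \s+ spans the padding
      states[current] = m[1] == 'ON' ? :on : :off
    end
  end
  states.empty? ? nil : states
end

# :on or :off when every profile agrees, :mixed when they differ,
# :unknown when the command failed or printed no State line.
def firewall_summary(stdout, exitstatus)
  states = profile_states(stdout, exitstatus)
  return :unknown if states.nil?

  values = states.values.uniq
  values.length == 1 ? values.first : :mixed
end
```

Returning :unknown instead of raising lets a caller tell "firewall is off" apart from "the service could not be queried", which is the distinction the thread is circling around.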