
I'm using Ansible to configure firewalld.

The lineinfile module has a validate parameter, which I'd like to use to validate my config.

I tried this:

- name: config firewalld
  become: true
  ansible.builtin.lineinfile:
    path: /etc/firewalld/firewalld.conf
    regexp: "^#?FirewallBackend"
    line: "FirewallBackend=iptables"
    state: present
    validate: firewall-cmd --check-config         # <--------------

But I get an ansible error:

validate must contain %s: firewall-cmd --check-config

That's because it's expecting the path to the file (%s).

I consulted the docs for --check-config to find a way to specify the config file's path, but couldn't find anything.

Is there a way to do this? I could run a raw sudo firewall-cmd --check-config, but I'm hoping there's a native Ansible way to do this.

lonix

  • I suspect this is not possible, so I added a feature request to [the repo](https://github.com/firewalld/firewalld/issues/1126). Please upvote it if you also want this functionality. – lonix May 21 '23 at 01:07
  • You can also apply a scenario for [more complex validations](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#complex-configuration-validation) – Zeitounator May 21 '23 at 06:34

1 Answer

From the details on the repo, it looks like this isn't possible to do cleanly with Ansible. So here's a workaround:

- name: modify config
  become: true
  # ...
  register: result1

- name: modify config
  become: true
  # ...
  register: result2

- name: modify config
  become: true
  # ...
  register: result3

- name: validate config
  become: true
  command: firewall-cmd --check-config
  when: result1 is changed or result2 is changed or result3 is changed
  notify: "reload firewalld"
lonix
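The other route, the one the Ansible FAQ entry linked in the comments describes, is to give validate a wrapper script instead of firewall-cmd itself: Ansible writes the edited file to a temporary path, substitutes that path for %s, and only moves it over /etc/firewalld/firewalld.conf if the command exits 0. The script below is an added example written for this page; it is not code from the question, the answer, the Ansible FAQ or the firewalld project. It assumes firewalld.conf is a flat KEY=VALUE file and that nftables and iptables are the only valid FirewallBackend values; the install path used in the usage note, /usr/local/bin/check-firewalld-conf, and the sample file contents are also assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the question, the answer or the firewalld project.
# Wrapper validator in the style of Ansible's "complex configuration
# validation" FAQ entry. Ansible writes the modified file to a temp path and
# substitutes it for %s, so this script receives that path as $1.
# Exit 0 accepts the file (lineinfile then moves it into place); non-zero
# rejects it and the real /etc/firewalld/firewalld.conf is left untouched.
# The checks are assumptions about firewalld.conf's KEY=VALUE shape; they do
# not replace firewall-cmd --check-config, which reads only the live
# /etc/firewalld tree and cannot be pointed at the temp file.

check_firewalld_conf() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "check_firewalld_conf: cannot read $conf" >&2
        return 2
    fi

    # 1. Every line that is not blank or a comment must look like KEY=VALUE.
    bad_lines=$(grep -vE '^[[:space:]]*(#|$)' "$conf" | grep -vE '^[A-Za-z0-9_]+=' || true)
    if [ -n "$bad_lines" ]; then
        echo "$conf: malformed line(s):" >&2
        echo "$bad_lines" >&2
        return 1
    fi

    # 2. FirewallBackend, if present, must appear once and be one of the two
    #    values firewalld documents for it (assumed here: nftables, iptables).
    count=$(grep -cE '^FirewallBackend=' "$conf" || true)
    if [ "$count" -gt 1 ]; then
        echo "$conf: FirewallBackend set $count times" >&2
        return 1
    fi
    if [ "$count" -eq 1 ]; then
        backend=$(sed -n 's/^FirewallBackend=//p' "$conf")
        case "$backend" in
            nftables|iptables) ;;
            *)
                echo "$conf: FirewallBackend=$backend is not nftables or iptables" >&2
                return 1
                ;;
        esac
    fi
    return 0
}

# Writes a constructed firewalld.conf-style sample (not a real host's file)
# to $1 with FirewallBackend set to $2, standing in for Ansible's temp copy.
write_sample() {
    cat >"$1" <<EOF
# constructed sample for the validator demo
DefaultZone=public
CleanupOnExit=yes
LogDenied=off
FirewallBackend=$2
EOF
}

# Invoked with a path (what Ansible does via %s): validate it and exit.
if [ $# -ge 1 ]; then
    check_firewalld_conf "$1"
    exit $?
fi

# Run without arguments: demo against one accepted and one rejected sample.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/good.conf" nftables
write_sample "$demo_dir/bad.conf" ipchains
check_firewalld_conf "$demo_dir/good.conf" && echo "good.conf: accepted"
check_firewalld_conf "$demo_dir/bad.conf" || echo "bad.conf: rejected, as intended"
rm -rf "$demo_dir"
```

Installed at the assumed path, the task becomes `validate: "/usr/local/bin/check-firewalld-conf %s"`; Ansible runs the validate command without a shell, so the script must be executable at that path on the managed host. This only vets the file's shape before it lands, which is what validate is for; it cannot tell you whether firewalld will load the result, so the answer's follow-up firewall-cmd --check-config task, run after the change, stays the authoritative check.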