Disable firewall on Windows

[stenio123]

Cookbook version

firewall 2.5.2
[Version of the cookbook where you are encountering the issue]

Chef-client version

12.8.1
[Version of chef-client in your environment]

Platform Details

Windows 2012 r2
[Operating system distribution and release version. Cloud provider if running in the cloud]

Scenario:

[What you are trying to achieve and you can't?]
Disabling firewall on windows using

  firewall 'default' do
    action :disable
  end

Steps to Reproduce:

[If you are filing an issue what are the things we need to do in order to repro your problem? How are you using this cookbook or any resources it includes?]

1. Create a cookbook wrapper doing "chef generate cookbook firewall-wrapper"
2. Update Berksfile, include_recipe firewall on the default recipe
3. Add this to default recipe

  firewall 'default' do
    action :disable
  end

1. If you have a way to test on Windows 2012r2, update your .kitchen.yml to point to it
2. Run kitchen converge and see error

Expected Result:

[What are you expecting to happen as the consequence of above reproduction steps?]
Successful kitchen run, all ports open on windows

Actual Result:

Kitchen converge fails with message
-----> Starting Kitchen (v1.7.1)
-----> Converging <disable-firewall-windows-2012r2>...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 4.3.2...
       Removing non-cookbook files before transfer
       Preparing validation.pem
       Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)

       Transferring files to <disable-firewall-windows-2012r2>
       Starting Chef Client, version 12.10.24
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: Failed to complete #converge action: [HTTPClient::KeepAliveDisconnected: ]
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

kitchen.log:


I, [2016-06-03T14:14:25.106937 #78457]  INFO -- Kitchen: -----> Starting Kitchen (v1.7.1)
I, [2016-06-03T14:14:27.740273 #78457]  INFO -- Kitchen: -----> Converging <disable-firewall-windows-2012r2>...
E, [2016-06-03T14:15:54.418152 #78457] ERROR -- Kitchen: ------Exception-------
E, [2016-06-03T14:15:54.418198 #78457] ERROR -- Kitchen: Class: Kitchen::ActionFailed
E, [2016-06-03T14:15:54.418214 #78457] ERROR -- Kitchen: Message: Failed to complete #converge action: [HTTPClient::KeepAliveDisconnected: ]
E, [2016-06-03T14:15:54.418228 #78457] ERROR -- Kitchen: ---Nested Exception---
E, [2016-06-03T14:15:54.418270 #78457] ERROR -- Kitchen: Class: HTTPClient::KeepAliveDisconnected
E, [2016-06-03T14:15:54.418282 #78457] ERROR -- Kitchen: Message: HTTPClient::KeepAliveDisconnected: 
E, [2016-06-03T14:15:54.418293 #78457] ERROR -- Kitchen: ------Backtrace-------
E, [2016-06-03T14:15:54.418304 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient/session.rb:795:in `block in parse_header'
E, [2016-06-03T14:15:54.418316 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:91:in `block in timeout'
E, [2016-06-03T14:15:54.418328 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:101:in `call'
E, [2016-06-03T14:15:54.418339 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:101:in `timeout'
E, [2016-06-03T14:15:54.418351 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient/session.rb:788:in `parse_header'
E, [2016-06-03T14:15:54.418363 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient/session.rb:771:in `read_header'
E, [2016-06-03T14:15:54.418375 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient/session.rb:547:in `get_header'
E, [2016-06-03T14:15:54.418386 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1294:in `do_get_header'
E, [2016-06-03T14:15:54.418398 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1241:in `do_get_block'
E, [2016-06-03T14:15:54.418409 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1021:in `block in do_request'
E, [2016-06-03T14:15:54.418421 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1134:in `rescue in protect_keep_alive_disconnected'
E, [2016-06-03T14:15:54.418433 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1128:in `protect_keep_alive_disconnected'
E, [2016-06-03T14:15:54.418444 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:1016:in `do_request'
E, [2016-06-03T14:15:54.418457 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:858:in `request'
E, [2016-06-03T14:15:54.418513 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.2/lib/httpclient.rb:761:in `post'
E, [2016-06-03T14:15:54.418526 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/http/transport.rb:189:in `send_request'
E, [2016-06-03T14:15:54.418538 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/winrm_service.rb:489:in `send_message'
E, [2016-06-03T14:15:54.418550 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/winrm_service.rb:299:in `cleanup_command'
E, [2016-06-03T14:15:54.418562 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/winrm_service.rb:201:in `ensure in run_command'
E, [2016-06-03T14:15:54.418573 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/winrm_service.rb:201:in `run_command'
E, [2016-06-03T14:15:54.418585 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/command_executor.rb:96:in `run_cmd'
E, [2016-06-03T14:15:54.418608 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.7.3/lib/winrm/command_executor.rb:128:in `run_powershell_script'
E, [2016-06-03T14:15:54.418622 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:220:in `execute_with_exit_code'
E, [2016-06-03T14:15:54.418635 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:101:in `execute'
E, [2016-06-03T14:15:54.418647 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/provisioner/base.rb:73:in `block in call'
E, [2016-06-03T14:15:54.418659 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/base.rb:86:in `initialize'
E, [2016-06-03T14:15:54.418670 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:419:in `new'
E, [2016-06-03T14:15:54.418682 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:419:in `create_new_connection'
E, [2016-06-03T14:15:54.418693 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/transport/winrm.rb:73:in `connection'
E, [2016-06-03T14:15:54.418746 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/provisioner/base.rb:66:in `call'
E, [2016-06-03T14:15:54.418759 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:373:in `block in converge_action'
E, [2016-06-03T14:15:54.418771 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:513:in `call'
E, [2016-06-03T14:15:54.418782 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:513:in `synchronize_or_call'
E, [2016-06-03T14:15:54.418794 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:478:in `block in action'
E, [2016-06-03T14:15:54.418805 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/2.1.0/benchmark.rb:279:in `measure'
E, [2016-06-03T14:15:54.418816 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:477:in `action'
E, [2016-06-03T14:15:54.418828 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:369:in `converge_action'
E, [2016-06-03T14:15:54.418839 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:348:in `block in transition_to'
E, [2016-06-03T14:15:54.418851 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:347:in `each'
E, [2016-06-03T14:15:54.418863 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:347:in `transition_to'
E, [2016-06-03T14:15:54.418874 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/instance.rb:138:in `converge'
E, [2016-06-03T14:15:54.418917 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/command.rb:176:in `public_send'
E, [2016-06-03T14:15:54.418929 #78457] ERROR -- Kitchen: /Users/stenio.ferreira/.chefdk/gem/ruby/2.1.0/gems/test-kitchen-1.7.1/lib/kitchen/command.rb:176:in `block (2 levels) in run_action'
E, [2016-06-03T14:15:54.418941 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/logging-2.1.0/lib/logging/diagnostic_context.rb:450:in `call'
E, [2016-06-03T14:15:54.418959 #78457] ERROR -- Kitchen: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/logging-2.1.0/lib/logging/diagnostic_context.rb:450:in `block in create_with_logging_context'
E, [2016-06-03T14:15:54.418972 #78457] ERROR -- Kitchen: ----------------------

[warp3r]

Hi there,

we are running into the same issue here. If we just define the following block on a recipe for windows:

# disable platform default firewall
firewall 'default' do
  action :disable
end

It fails. If we add the following code:

# defaults
firewall 'default'
# disable platform default firewall
firewall 'default' do
  action :disable
end

it completes, BUT, it runs the defaults (enable, start) before the (disable) on every chef-client run. We understand this is not the most idempotent/ideal scenario.

We also tried with the following code

firewall 'default' do
  enabled false
end

and then the recipe does nothing.

[stenio123]

Thank you @warp3r ... I tried, copying and pasting what you wrote but still getting error

------Exception-------
Class: Kitchen::ActionFailed

Message: Failed to complete #converge action: [HTTPClient::KeepAliveDisconnected: ]

Please see .kitchen/logs/kitchen.log for more details
Also try running kitchen diagnose --all for configuration

[martinb3]

This seems to be an issue where disabling the firewall service also disables test-kitchen's ability to execute WinRM commands on the instance. I'm unfortunately not knowledgeable enough to know the best way to disable the firewall while still preserving connectivity.

I'd be happy to fix the implementation if someone is willing to walk through the proper steps in this issue.

[stenio123]

I tried disabling the MpsSvc Windows service using Chef resource but also didn't work. In the end had to resort to powershell, this is what my disable recipe looks like:

case node['platform']
when 'centos'
  firewall 'default' do
    action :disable
  end
when 'windows'
  powershell_script 'Keeps MpsSvc running but disables firewall' do
    code <<-EOH
      NetSh Advfirewall set allprofiles state off
    EOH
  end
else
  raise 'This OS is not supported.'
end

[kalapakim]

i'm also having this issue, I get a WinRM error immediately after disabling the firewall...

[martinb3]

@stenio123 -- we're currently doing NetSh Advfirewall set currentprofile state off which I would think is probably equivalent to what you're doing, but just for the current firewall. It seems like the biggest difference is that we're also disabling the service after:

        service 'MpsSvc' do
          action [:disable, :stop]
        end

Is this the wrong thing to do on Windows? I'd love some feedback from folks here using Windows. Thanks!

[databu]

When I run

firewall 'default' do
    action :disable
end

on Ubuntu where a previous version had enable the ufw firewall, I would expect it to be then disabled. However while there's no error, ufw is still enabled (active) after running chef-client.

[martinb3]

@baltar Please open a separate issue; this issue is specifically about the Windows provider and deciding what to do.

[djcoster]

The issue here appears to be in

      def active?
        @active ||= begin
          cmd = shell_out!('netsh advfirewall show currentprofile')
          cmd.stdout =~ /^State\sON/
        end
      end

The def action_disable disables the Windows service, and the check to see if it is active requires it to be running.

My vote would be to only call disable! and to not stop or disable the windows service. This would allow the check to work.