disable_firewall is not idempotent on Windows

[zanecodes]

Cookbook version

2.6.2

Chef-client version

12.18.31

Platform Details

Windows Server 2012 R2 Datacenter in Microsoft Azure

Scenario:

Running disable_firewall more than once causes a chef failure

Steps to Reproduce:

include_recipe 'firewall::disable_firewall'

Run chef-client on the machine more than once.

Expected Result:

Firewall is disabled on the first run, no action is taken on the second run.

Actual Result:

Mixlib::ShellOut::ShellCommandFailed: firewall[default] (firewall::disable_firewall line 21) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of netsh advfirewall show currentprofile ----
STDOUT: An error occurred while attempting to contact the  Windows Firewall service. Make sure that the service is running and try your request again.
STDERR: 
---- End output of netsh advfirewall show currentprofile ----
Ran netsh advfirewall show currentprofile returned 1
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/mixlib-shellout-2.2.7-universal-mingw32/lib/mixlib/shellout.rb:289:in `invalid!'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/mixlib-shellout-2.2.7-universal-mingw32/lib/mixlib/shellout.rb:276:in `error!'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/mixin/shell_out.rb:99:in `shell_out!'
c:/chef/cache/cookbooks/firewall/libraries/helpers_windows.rb:20:in `active?'
c:/chef/cache/cookbooks/firewall/libraries/provider_firewall_windows.rb:100:in `action_disable'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/provider.rb:145:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource.rb:622:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:69:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:97:in `block (2 levels) in converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:97:in `each'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:97:in `block in converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/resource_list.rb:94:in `block in execute_each_resource'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:114:in `call_iterator_block'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:103:in `iterate'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/resource_list.rb:92:in `execute_each_resource'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:96:in `converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:670:in `block in converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:665:in `catch'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:665:in `converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:704:in `converge_and_save'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:284:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:277:in `run_with_graceful_exit_option'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:253:in `block in run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/local_mode.rb:44:in `with_server_connectivity'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:236:in `run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:427:in `run_application'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:59:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/bin/chef-client:26:in `<top (required)>'
C:/opscode/chef/bin/chef-client:68:in `load'
C:/opscode/chef/bin/chef-client:68:in `<main>'

[martinb3]

Hi there -- did the firewall service get stopped outside Chef?

We do this to disable it:

netsh advfirewall set currentprofile state off

And this to check to see if it's disabled (we look for /^State\sON/):

netsh advfirewall show currentprofile

[zanecodes]

Disabling the firewall on Windows appears to not only turn it off but also stop and disable the Windows Firewall service.

[martinb3]

Hmm, I agree. I'll have to see why our current testing didn't catch this scenario.

[zanecodes]

Microsoft recommends against disabling the Firewall service. This also causes Remote Desktop and WinRM sessions to be disconnected, and blocks new connections until a reboot occurs, which causes Test Kitchen runs to fail, making it tricky to test this scenario.

As far as testing this goes, this could help, since it's an issue with idempotency and not, strictly speaking, with the cookbook functionality. Thanks for the extraordinarily quick replies!