oVirt cockpit installation Enforce firewalld status ERROR


I'm trying to deploy a self-hosted oVirt on CentOS Stream as per https://www.ovirt.org/documentation/installing_ovirt_as_a_self-hosted_engine_using_the_cockpit_web_interface/

However, I'm getting the following error during VM deployment:

[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Enforce firewalld status]
[ ERROR ] fatal: [localhost]: FAILED! => {"msg": "The conditional check 'firewalld_s.status.SubState != 'running' or firewalld_s.status.LoadState == 'masked'' failed. The error was: error while evaluating conditional (firewalld_s.status.SubState != 'running' or firewalld_s.status.LoadState == 'masked'): 'dict object' has no attribute 'SubState'\n\nThe error appears to be in '/usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/tasks/pre_checks/validate_firewalld.yml': line 8, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n register: firewalld_s\n - name: Enforce firewalld status\n ^ here\n"}

Firewalld is up and running on the host Centos:

public zone
Interfaces eno1
Service TCP UDP
ssh 22
dhcpv6-client 546
cockpit 9090
nfs 2049
nfs3 2049 2049
rpc-bind 111 111
mountd 20048 20048
ovirt-imageio 54322
ovirt-storageconsole 55863, 39543
ovirt-vmconsole 2223
Additional ports    2049, 80, 443, 54323, 6442, 9696, 6100, 2222, 16514, 111, 5900-6923, 49152-49215, 6081, 53, 35357   2049, 7410, 161, 53, 123

and

libvirt zone
Interfaces virbr0
Service TCP UDP
dhcp 67
dhcpv6 547
dns 53 53
ssh 22
tftp 69
oVirt 7777
ovirt-imageio 54322
ovirt-storageconsole 55863, 39543
ovirt-vmconsole 2223

Please help me to find a direction to dig in to resolve this issue


There are 2 best solutions below

0
On

While not a full resolution, bypassing the checks as suggested by this Reddit post worked for me when executed on the deploying node: https://www.reddit.com/r/ovirt/comments/kigha8/hosted_engine_fails_at_enforce_firewalld_status/ .

Pasted from u/fhallberg on Reddit:

mv /usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/tasks/pre_checks/validate_firewalld.yml /root

mv /usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/tasks/pre_checks/validate_services_status.yml /root

0
On

You are probably missing zone public, like below.

1st. Enable OR unmask service

sudo systemctl enable --now cockpit.socket
#OR
sudo systemctl unmask cockpit.socket

2nd. Add firewall exception

sudo firewall-cmd --permanent --zone=public --add-service=cockpit
sudo firewall-cmd --reload
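
The conditional quoted in the error message tests the SubState and LoadState of the firewalld unit. As an added example (not part of the original posts or of the oVirt role), this shell function applies the same test to `systemctl show`-style output and reports a missing property explicitly; the function name and the sample inputs are constructed for illustration.

```shell
# Added example: re-evaluate the conditional from the error message
#   SubState != 'running' or LoadState == 'masked'
# against "Key=Value" lines as printed by `systemctl show`.

# Reads Key=Value lines on stdin and prints one verdict:
#   ok | not-running | masked | missing:<property>
check_firewalld_props() {
    local key value load sub have_load have_sub
    load=""; sub=""; have_load=0; have_sub=0
    while IFS='=' read -r key value; do
        case "$key" in
            LoadState) load=$value; have_load=1 ;;
            SubState)  sub=$value;  have_sub=1 ;;
        esac
    done
    # The task in the question failed because SubState was absent from the
    # registered result, so absence is reported on its own instead of being
    # folded into "not running".
    if [ "$have_sub" -eq 0 ]; then echo "missing:SubState"; return 2; fi
    if [ "$have_load" -eq 0 ]; then echo "missing:LoadState"; return 2; fi
    if [ "$load" = "masked" ]; then echo "masked"; return 1; fi
    if [ "$sub" != "running" ]; then echo "not-running"; return 1; fi
    echo "ok"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_OK='LoadState=loaded
ActiveState=active
SubState=running'
SAMPLE_MASKED='LoadState=masked
ActiveState=inactive
SubState=dead'
SAMPLE_PARTIAL='LoadState=loaded
ActiveState=active'

for sample in "$SAMPLE_OK" "$SAMPLE_MASKED" "$SAMPLE_PARTIAL"; do
    printf '%s\n' "$sample" | check_firewalld_props || true
done

# On the deploying host, feed it the live values instead:
#   systemctl show firewalld.service -p LoadState -p ActiveState -p SubState \
#       | check_firewalld_props
```

A verdict of `ok` on the live host means systemd itself reports both properties, so the empty dict was produced on the Ansible side rather than by the firewalld unit.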