MODULES-10859

puppetlabs/firewall : Spurious warnings in caching

    Details

    • Type: Bug
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
      None
    • Environment:

      OS family = RedHat
      OS level major = 8

    • Template:
      MODULES Bug Template
    • Acceptance Criteria:
      Installing Firewall on a minimal CentOS 8 system with iptables not yet installed should not present warnings.
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Module Version: 2.4.0 - 2.7.0
      Puppet Version: 6.17.0
      OS Name/Version: CentOS 8

      We're containing the Firewall class in a wrapper class that provides some customizations, and associating that class with nodes via an ENC. This has worked well in CentOS 7, but now that we are trying out CentOS 8 we are getting warnings during the cache-building stage. This appears to be due to CentOS 8 not installing the iptables package by default. With new systems, then, we get the spurious warnings below before our code executes, such that we cannot quell them, and even on a successful install admins will see these warnings on initial install.

      A workaround would be to ensure iptables is installed before Puppet is run, but this is less than ideal.

      The Firewall module should ensure iptables and iptables-services are installed, and the MyFW module does ensure these dependencies are met. However, it is too late for the caching stage, which executes previously.

      Desired Behavior:

      Installing Firewall on a minimal CentOS 8 system should not present warnings.

      Since the step generating the warning appears to be to save the current state of iptables rules, perhaps if `iptables-save` does not exist, there is no need to save the state, and therefore no need to warn.

      Actual Behavior:

      Info: Loading facts
      Info: Caching catalog for <host>
      Error: /Stage[main]/MyFW::Firewall/Firewallchain[INPUT:filter:IPv4]: Failed to generate additional resources using 'generate': Command iptables_save is missing
      Error: /Stage[main]/MyFW::Firewall/Firewallchain[FORWARD:filter:IPv4]: Failed to generate additional resources using 'generate': Command iptables_save is missing
      Error: /Stage[main]/MyFW::Firewall/Firewallchain[OUTPUT:filter:IPv4]: Failed to generate additional resources using 'generate': Command iptables_save is missing
      Info: Applying configuration version '1604417103'
      

            People

            Assignee: Unassigned
            Reporter: Drew Leske (dleske)