MODULES-11147

firewall : Package[iptables] fails on Fedora 34

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
      None
    • Environment:

      Fedora 34 x86_64

    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 3.1.0
      Puppet Version: puppet-agent-6.24.0-1.fc34.x86_64
      OS Name/Version: Fedora 34

      Due to Fedora packaging splits, the Package[iptables] resource fails as do all uses of the module because of the dependency on that package.

      Desired Behavior:
      Support typical of that with Fedora 33 and earlier.

      Actual Behavior:
      Error: /Stage[main]/Firewall::Linux/Package[iptables]: Could not evaluate: no implicit conversion of Array into Hash

      What Changed:

      Fedora 34 brings a packaging split, and the 'iptables' rpm is going away in Fedora 35. I believe what is necessary is to revise manifests/linux.pp to effectively use Package[['iptables-legacy', 'iptables-utils', 'iptables-services']] instead of Package['iptables'] when on Fedora 34 or later. So likely a new class parameter and condition for alternate defaults somewhere.

      Evidence:
      $ dnf repoquery --whatobsoletes iptables
      Last metadata expiration check: 0:19:10 ago on Fri 30 Jul 2021 11:22:45 AM EDT.
      iptables-compat-0:1.8.7-8.fc34.x86_64
      iptables-services-0:1.8.7-3.fc34.x86_64
      iptables-services-0:1.8.7-8.fc34.x86_64

      $ rpm -qi iptables-compat | tail -4
      Description :
      This package only exists to help transition iptables users to the new
      package split. It will be removed after one distribution release cycle, please
      do not reference it or depend on it in any way.

      $ dnf repoquery --requires iptables-compat
      Last metadata expiration check: 0:01:18 ago on Fri 30 Jul 2021 11:53:53 AM EDT.
      iptables-legacy = 1.8.7-8.fc34
      iptables-utils = 1.8.7-8.fc34

      As for why the error looks so strange? I think the packaging metadata is highly unusual and is confusing people and dnf (and this module). See https://bugzilla.redhat.com/show_bug.cgi?id=1953178.
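
A sketch of the conditional package selection the report proposes, written as a stand-alone Puppet class. It is an added example, not code from the firewall module or from the reporter; the class name `profile::iptables_packages` and its parameters are hypothetical, and the package names are the ones listed in the report.

```puppet
# Hypothetical stand-alone class (not part of the firewall module): chooses the
# iptables package set by OS release, as the report suggests for manifests/linux.pp.
class profile::iptables_packages (
  # Package names taken from the report; Fedora 34 and later split 'iptables'.
  Array[String[1]] $split_packages  = ['iptables-legacy', 'iptables-utils', 'iptables-services'],
  Array[String[1]] $legacy_packages = ['iptables'],
  # First Fedora release that uses the split packages (per the report).
  String[1]        $split_since     = '34',
) {
  $os_name  = $facts['os']['name']
  $os_major = $facts['os']['release']['major']

  # versioncmp() returns -1, 0 or 1; >= 0 means "this release or later".
  $use_split = ($os_name == 'Fedora') and (versioncmp($os_major, $split_since) >= 0)

  $packages = $use_split ? {
    true    => $split_packages,
    default => $legacy_packages,
  }

  # An array title expands to one package resource per name, so each package
  # is managed (and can be referenced) individually.
  package { $packages:
    ensure => installed,
  }
}
```

Resources that previously depended on Package['iptables'] would need to reference the individual package resources instead.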

            People

            Assignee:
            Unassigned
            Reporter:
            jflorian John Florian