  1. Modules
  2. MODULES-5191

firewall : Validation prior to application of dependencies causes hard fail

Details

    • Bug
    • Status: Open
    • Normal
    • Resolution: Unresolved
    • None
    • None
    • firewall, supported
    • CentOS 7 client/server

    • Needs Assessment

    Description

      Basic Info
      Module Version: 1.9.0
      Puppet Version: 3.8.7
      OS Name/Version: CentOS 7

      When applying a catalog that defines a firewall resource that uses a hostname rather than an IP address and that has a dependency on a class that configures the resolution of the hostname, the catalog will compile but it will fail to apply, because the host_to_ip lookup of the hostname fails during the validation step and the class that configures the resolution of the hostname is never applied.

      /tmp/myapp/:

      # manifests/init.pp
      class myapp {
        include myapp::iptables
      }
      

      # manifests/iptables.pp
      class myapp::iptables {
        firewall { '60 dummy rules that passes validation':
          chain       => 'OUTPUT',
          action      => 'ACCEPT',
          destination => '1.1.1.1',
          proto       => 'tcp',
          dport       => ['443'],
          require     => Class['resolv'],
        }
       
        firewall { '60 myapp rule that fails validation':
          chain       => 'OUTPUT',
          action      => 'ACCEPT',
          destination => 'myapp.mydomain.com',
          proto       => 'tcp',
          dport       => ['443'],
          require     => Class['resolv'],
        }
      }
      

      /tmp/resolv/:

      # manifests/init.pp
      class resolv {
        contain resolv::file
      }
      

      # manifests/file.pp
      class resolv::file {
        file { '/etc/resolv.conf':
          ensure  => file,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => template('resolv/resolv.conf.erb'),
        }
      }
      

      # templates/resolv.conf.erb
      nameserver 192.168.1.1
      

      An alternate /tmp/resolv/manifests/init.pp:

      class resolv {
        host {
          'myapp.mydomain.com':  ip => '192.168.1.3';
        }
      }
      

      sudo puppet apply --modulepath=/tmp -e "include myapp" --noop -d

      Desired Behavior:

      Notice: Compiled catalog for test-node in environment production in 0.35 seconds
      Notice: /Stage[main]/Main/Node[test-node]/Firewall[60 dummy rules that passes validation]/ensure: created
      Notice: /Stage[main]/Main/Node[test-node]/Firewall[60 myapp rule that fails validation]/ensure: created
      Notice: Finished catalog run in 4.14 seconds
      

      Actual Behavior:

      Notice: Compiled catalog for test-node in environment production in 0.35 seconds
      Debug: /Firewall[60 dummy rule that passes validation]: [validate]
      Debug: Reraising host_to_ip failed for myapp.mydomain.com, exception no address for myapp.mydomain.com
      Error: Parameter destination failed on Firewall[60 myapp rules that fails validation]: host_to_ip failed for myapp.mydomain.com, exception no address for myapp.mydomain.com at /tmp/myapp/manifests/iptables.pp:18
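
The ordering problem described in this report, as a minimal Ruby model added here for illustration; it is not code from Puppet or the firewall module. `Resolver`, `Rule`, `HostEntry` and `run_catalog` are hypothetical names, and the resolver table is a constructed stand-in for the node's hosts/DNS state.

```ruby
# Constructed stand-in for name resolution on the node (hosts file / DNS).
class Resolver
  def initialize
    @table = {}
  end

  def add(name, ip)
    @table[name] = ip
  end

  def lookup(host)
    return host if host.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/) # IP literal, no lookup
    @table.fetch(host) { raise ArgumentError, "host_to_ip failed for #{host}" }
  end
end

Rule      = Struct.new(:title, :destination, :requires) # models a firewall rule
HostEntry = Struct.new(:title, :ip, :requires)          # models the host resource

# Applies resources in dependency order. With eager: true, every rule's
# destination is resolved before anything is applied, as in the report.
def run_catalog(resources, resolver, eager:)
  applied = []
  resources.grep(Rule).each { |r| resolver.lookup(r.destination) } if eager
  pending = resources.dup
  until pending.empty?
    ready = pending.find { |r| (r.requires - applied).empty? }
    raise ArgumentError, 'dependency cycle' unless ready
    case ready
    when HostEntry then resolver.add(ready.title, ready.ip)
    when Rule      then resolver.lookup(ready.destination) # deferred lookup
    end
    applied << ready.title
    pending.delete(ready)
  end
  { ok: true, applied: applied }
rescue ArgumentError => e
  { ok: false, applied: applied, error: e.message }
end

# Constructed catalog mirroring the manifests in the report.
def sample_catalog
  [
    Rule.new('60 dummy rule', '1.1.1.1', ['myapp.mydomain.com']),
    Rule.new('60 myapp rule', 'myapp.mydomain.com', ['myapp.mydomain.com']),
    HostEntry.new('myapp.mydomain.com', '192.168.1.3', [])
  ]
end
```

With `eager: true` the run stops before the host entry is applied and nothing is changed; with `eager: false` the same catalog applies in dependency order.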
      

          People

            Unassigned Unassigned
            i1369875 Oscar TG