MODULES-5191

firewall : Validation prior to application of dependencies causes hard fail


    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall, supported
    • Environment:

      CentOS 7 client/server

    • Template:
      MODULES Bug Template
    • Epic Link:
    • Team:
      Modules
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 1.9.0
      Puppet Version: 3.8.7
      OS Name/Version: CentOS 7

      When applying a catalog that defines a firewall resource whose destination is a hostname rather than an IP address, and that has a `require` dependency on a class that configures resolution of that hostname, the catalog compiles but fails to apply: the host_to_ip lookup of the hostname runs during the validation step, before any resource is applied, so it fails and the class that would have configured the resolution is never applied.

      /tmp/myapp/:

      # manifests/init.pp
      class myapp {
        include resolv   # added so that Class['resolv'] is in the catalog for the require below
        include myapp::iptables
      }
      

      # manifests/iptables.pp
      class myapp::iptables {
        firewall { '60 dummy rules that passes validation':
          chain       => 'OUTPUT',
          action      => 'ACCEPT',
          destination => '1.1.1.1',
          proto       => 'tcp',
          dport       => ['443'],
          require     => Class['resolv'],
        }
       
        firewall { '60 myapp rule that fails validation':
          chain       => 'OUTPUT',
          action      => 'ACCEPT',
          destination => 'myapp.mydomain.com',
          proto       => 'tcp',
          dport       => ['443'],
          require     => Class['resolv'],
        }
      }
      

      /tmp/resolv/:

      # manifests/init.pp
      class resolv {
        contain resolv::file
      }
      

      # manifests/file.pp
      class resolv::file {
        file { '/etc/resolv.conf':
          ensure  => file,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => template('resolv/resolv.conf.erb'),
        }
      }
      

      # templates/resolv.conf.erb
      nameserver 192.168.1.1
      

      An alternate /tmp/resolv/manifests/init.pp:

      class resolv {
        host {
          'myapp.mydomain.com':  ip => '192.168.1.3';
        }
      }
      

      sudo puppet apply --modulepath=/tmp -e "include myapp" --noop -d

      Desired Behavior:

      Notice: Compiled catalog for test-node in environment production in 0.35 seconds
      Notice: /Stage[main]/Main/Node[test-node]/Firewall[60 dummy rules that passes validation]/ensure: created
      Notice: /Stage[main]/Main/Node[test-node]/Firewall[60 myapp rule that fails validation]/ensure: created
      Notice: Finished catalog run in 4.14 seconds
      

      Actual Behavior:

      Notice: Compiled catalog for test-node in environment production in 0.35 seconds
      Debug: /Firewall[60 dummy rule that passes validation]: [validate]
      Debug: Reraising host_to_ip failed for myapp.mydomain.com, exception no address for myapp.mydomain.com
      Error: Parameter destination failed on Firewall[60 myapp rules that fails validation]: host_to_ip failed for myapp.mydomain.com, exception no address for myapp.mydomain.com at /tmp/myapp/manifests/iptables.pp:18
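      The failure mode above, modelled as an added Ruby example that is not the firewall module's own code: `host_to_ip` is a hypothetical stand-in for the type's lookup, a constructed hosts table plays the role of the resolver the `resolv` class configures, and `run` contrasts eager resolution at validation time (the reported behaviour) with syntax-only validation plus resolution after the required resource has been applied.

```ruby
require 'ipaddr'

# Hypothetical stand-in for the type's host_to_ip: a literal address/CIDR is
# returned as-is, anything else is looked up in `hosts` (a constructed table).
def host_to_ip(value, hosts)
  IPAddr.new(value).to_s
rescue IPAddr::InvalidAddressError
  ip = hosts[value]
  raise ArgumentError, "host_to_ip failed for #{value}, exception no address for #{value}" unless ip
  ip
end

HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/i

# Syntax-only check that is safe at validation time: no lookup is attempted.
def validate_syntax(value)
  IPAddr.new(value)
  true
rescue IPAddr::InvalidAddressError
  raise ArgumentError, "invalid address or hostname #{value}" unless value =~ HOSTNAME_RE
  true
end

# Constructed catalog mirroring the report: Host[...] from the alternate
# resolv class first (the require orders it), then the two firewall rules.
CATALOG = [
  { type: 'host', title: 'myapp.mydomain.com', ip: '192.168.1.3' },
  { type: 'firewall', title: '60 dummy rules that passes validation', destination: '1.1.1.1' },
  { type: 'firewall', title: '60 myapp rule that fails validation', destination: 'myapp.mydomain.com' },
]

# eager: true  -> every destination is resolved during validation, before any
#                 resource is applied; eager: false -> syntax check only, the
#                 name is resolved when the rule is applied, after Host[...].
def run(catalog, eager:)
  hosts = {}                                   # empty until Host[...] is applied
  catalog.each do |r|
    next unless r[:destination]
    eager ? host_to_ip(r[:destination], hosts) : validate_syntax(r[:destination])
  end
  catalog.map do |r|
    case r[:type]
    when 'host'
      hosts[r[:title]] = r[:ip]
      "Host[#{r[:title]}]/ensure: created"
    when 'firewall'
      "Firewall[#{r[:title]}] -> #{host_to_ip(r[:destination], hosts)}"
    end
  end
end
```

With `eager: true` the second rule raises the same "no address for myapp.mydomain.com" error as the log above before Host[...] has been applied; with `eager: false` all three resources apply in order.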
      

        People

        Assignee: Unassigned
        Reporter: Oscar TG
        Votes: 1
        Watchers: 2