[MODULES-5191] firewall : Validation prior to application of dependencies causes hard fail - Puppet Tickets

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Normal
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: firewall, supported
Labels:
- puppetlabs-firewall
Environment:

CentOS 7 client/server

Template:
MODULES Bug Template customfield_10700 199510
Epic Link:
Firewall Next
Team:
Modules
Method Found:
Needs Assessment

QA Risk Assessment:
Needs Assessment

Description

Basic Info
Module Version: 1.9.0
Puppet Version: 3.8.7
OS Name/Version: CentOS 7

When applying a catalog the defines a firewall resource that uses a hostname rather than an IP address and that has a dependency on a class that configures the resolution of the hostname, the catalog will compile but it will fail to apply because the host_to_ip lookup of the hostname fails during the validation step and the class that configures the resolution of the hostname is never applied.

/tmp/myapp/:

# manifests/init.pp

class myapp {

  include myapp::iptables

# manifests/iptables.pp

class myapp::iptables {

  firewall { '60 dummy rules that passes validation':

    chain       => 'OUTPUT',

    action      => 'ACCEPT',

    destination => '1.1.1.1',

    proto       => 'tcp',

    dport       => ['443'],

    require     => Class['resolv'],

  firewall { '60 myapp rule that fails validation':

    chain       => 'OUTPUT',

    action      => 'ACCEPT',

    destination => 'myapp.mydomain.com',

    proto       => 'tcp',

    dport       => ['443'],

    require     => Class['resolv'],

/tmp/resolv/:

# manifests/init.pp

class resolv {

  contain resolv::file

# manifests/file.pp

class resolv::file {

  file { '/etc/resolv.conf':

    ensure  => file,

    owner   => 'root',

    group   => 'root',

    mode    => '0644',

    content => template('resolv/resolv.conf.erb'),

# templates/resolv.conf.erb

nameserver 192.168.1.1

An alternate /tmp/resolv/manifests/init.pp:

class resolv {

  host {

    'myapp.mydomain.com':  ip => '192.168.1.3';

sudo puppet apply --modulepath=/tmp -e "include myapp" --noop -d

Desired Behavior:

Notice: Compiled catalog for test-node in environment production in 0.35 seconds

Notice: /Stage[main]/Main/Node[test-node]/Firewall[60 dummy rules that passes validation]/ensure: created

Notice: /Stage[main]/Main/Node[test-node]/Firewall[60 myapp rule that fails validation]/ensure: created

Notice: Finished catalog run in 4.14 seconds

Actual Behavior:

Notice: Compiled catalog for test-node in environment production in 0.35 seconds

Debug: /Firewall[60 dummy rule that passes validation]: [validate]

Debug: Reraising host_to_ip failed for myapp.mydomain.com, exception no address for myapp.mydomain.com

Error: Parameter destination failed on Firewall[60 myapp rules that fails validation]: host_to_ip failed for myapp.mydomain.com, exception no address for myapp.mydomain.com at /tmp/myapp/manifests/iptables.pp:18

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Oscar TG

Votes:: 1 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2017/07/07 8:44 PM

Updated:: 2018/09/05 2:15 AM