"Stdin: is not a tty" error message


dkam

Aug 22, 2011, 3:16:50 AM
to babushka_app
Hello Babushka people,
I'm building my first babushka dep, the goal is to have several
hosts added to an iptables rule. The number of hosts and their IP
addresses are grabbed from a Linode API call, so I wanted to loop
through them and check they're in the appropriate chain and if not,
drop the whole chain and add all the hosts.

met? {
  list_hosts.each do |h|
    sudo("iptables -n -L mychain | grep 'ACCEPT.*all.*#{get_internal_ip(h)}'")
  end
}
meet {
  sudo("iptables -F mychain")

  list_hosts.each do |h|
    sudo("iptables -I mychain -i eth0 -s #{get_internal_ip(h)} -j ACCEPT")
  end

  sudo("iptables -A mychain -s 192.168.0.0/16 -j REJECT")
}

However - the met? method is failing with the following message:

$ sudo su - root -c "iptables -n -L booko | grep 'ACCEPT.*all.*192.168.131.119'" {
  stdin: is not a tty
} ✗ shell command failed


Any idea what's wrong with my method or suggestions on a better way to
achieve my goal?

Thanks,
Dan

Ben Hoskings

Aug 22, 2011, 5:19:31 AM
to babush...@googlegroups.com

On 22/08/2011, at 5:16 PM, dkam wrote:

> met? {
> list_hosts.each do |h|
> sudo("iptables -n -L mychain | grep
> 'ACCEPT.*all.*#{get_internal_ip(h)}'")
> end
> }

Array#each returns the array itself, which is always a truthy value, so met? will always pass. You want list_hosts.all?.

> meet {
> sudo("iptables -F mychain")
>
> list_hosts.each do |h|
> sudo("iptables -I mychain -i eth0 -s #{get_internal_ip(h)} -j
> ACCEPT")
> end
>
> sudo("iptables -A mychain -s 192.168.0.0/16 -j REJECT")
> }

The final call here setting up the REJECT rule isn't being checked in the met? block. It looks like it should be in a separate dep to me.

Also, instead of flushing and re-adding every item to the chain, you could add only the missing items. Then the dep is met if the list of missing items is empty.

I realised Array#collapse could be improved to help with this, so I just patched it; `babushka babushka` to update:

https://github.com/benhoskings/babushka/commit/83dfafdb6356fe08a6343e41fdc6cdf7bd238594

Anyhow, this is how I'd write it:

dep 'internal hosts allowed' do
  def missing_hosts
    list_hosts - sudo("iptables -n -L mychain").
      split("\n").
      collapse(/^ACCEPT\s+[^\d]+([\d\.]+)\s+.*/, '\1')
  end
  met? {
    missing_hosts.empty?
  }
  meet {
    missing_hosts.each {|h|
      sudo "iptables -I mychain -i eth0 -s #{get_internal_ip(h)} -j ACCEPT"
    }
  }
end

That's kind of pseudocode because you'd have to map the hosts through #get_internal_ip and I'm not sure about the details of your setup, but it's a start.


> However - the met? method is failing with the following message :
>
> $ sudo su - root -c "iptables -n -L booko | grep
> 'ACCEPT.*all.*192.168.131.119'" {
> stdin: is not a tty
> } ✗ shell command failed

Not sure about this. Are your deps online anywhere?

—Ben
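
Added example, not part of the posts above and not Babushka's own code: plain Ruby, without the Babushka DSL or Array#collapse, showing on a constructed `iptables -n -L` listing why a met? block built on `each` always passes and how the missing-hosts difference behaves. The helper names are assumptions, as is the IPv4 check applied before an address would be interpolated into a root shell command.

```ruby
require 'ipaddr'

# Constructed sample of `iptables -n -L mychain` output, not captured from a real host.
SAMPLE_CHAIN = <<~OUT
  Chain mychain (1 references)
  target     prot opt source               destination
  ACCEPT     all  --  192.168.131.119      0.0.0.0/0
  ACCEPT     all  --  192.168.131.120      0.0.0.0/0
  REJECT     all  --  192.168.0.0/16       0.0.0.0/0            reject-with icmp-port-unreachable
OUT

# Source addresses of the single-host ACCEPT rules in a chain listing.
def accepted_sources(listing)
  listing.each_line.map { |line| line[/^ACCEPT\s+\S+\s+\S+\s+([\d.]+)\s/, 1] }.compact
end

# True only for a plain dotted-quad IPv4 address. Anything else (extra shell
# text, CIDR ranges, out-of-range octets) is refused before it can reach sudo.
def valid_ipv4?(str)
  str.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/) && IPAddr.new(str).ipv4?
rescue ArgumentError
  false
end

# Wanted addresses that have no ACCEPT rule yet; raises on malformed input.
def missing_hosts(wanted_ips, listing)
  bad = wanted_ips.reject { |ip| valid_ipv4?(ip) }
  raise ArgumentError, "not an IPv4 address: #{bad.inspect}" unless bad.empty?
  wanted_ips - accepted_sources(listing)
end

# Mirrors the original met? block: each discards the block results and
# returns the receiver, so the value is truthy whatever the chain contains.
def met_with_each?(wanted_ips, listing)
  wanted_ips.each { |ip| accepted_sources(listing).include?(ip) }
end

# all? returns true only if the block is true for every address.
def met_with_all?(wanted_ips, listing)
  wanted_ips.all? { |ip| accepted_sources(listing).include?(ip) }
end

if __FILE__ == $0
  wanted = %w[192.168.131.119 192.168.131.121]
  puts "each:    #{met_with_each?(wanted, SAMPLE_CHAIN) ? 'met' : 'unmet'}"
  puts "all?:    #{met_with_all?(wanted, SAMPLE_CHAIN) ? 'met' : 'unmet'}"
  puts "missing: #{missing_hosts(wanted, SAMPLE_CHAIN).inspect}"
end
```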

Dan Milne

Aug 22, 2011, 8:12:31 AM
to babush...@googlegroups.com
Thanks very much Ben - results of your suggestions are here: https://github.com/dkam/babushka-deps/blob/master/iptables.rb

There's still some stuff in there I copy and pasted from https://github.com/jasonl/babushka-deps/blob/master/iptables.rb which I need to remove, but it's coming along nicely.

Cheers,
Dan

--
Dan Milne d...@nmilne.com
http://da.nmilne.com/
http://booko.com.au/
