puppetlabs-firewall module - purging unmanaged firewall chains?


oogs

Aug 11, 2014, 2:09:31 PM8/11/14
to puppet...@googlegroups.com
Hi,

We (my colleagues and I) have a question about using the purge attribute
in puppetlabs/firewall 1.1.3. Specifically, the per-chain purge
attribute listed here:

https://forge.puppetlabs.com/puppetlabs/firewall#050---2014-02-10

If I have this as my node definition:

node oogs-test01 {
  include ::firewall
  firewallchain { 'foo:filter:IPv4':
    ensure => present,
    purge  => true,
  }
  firewallchain { 'bar:filter:IPv4':
    ensure => present,
    purge  => false,
  }
}

it should purge any rules for the chain "foo", right? While leaving
"bar" alone. At least, that's what I gather from the type:

oogs@oogs-dev:/etc/puppet-dev/modules/firewall/lib/puppet/type$ grep -A6 purge firewallchain.rb
  newparam(:purge, :boolean => true) do
    desc <<-EOS
      Purge unmanaged firewall rules in this chain
    EOS
    newvalues(:false, :true)
    defaultto :false
  end

If I run puppet on my test node, oogs-test01, I get the following:

root@oogs-test01:~# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/iptables_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/mounts.rb
Info: Loading facts in /var/lib/puppet/lib/facter/scst_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
Info: Loading facts in /var/lib/puppet/lib/facter/lvm_facters.rb
Info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Loading facts in /var/lib/puppet/lib/facter/postgres_default_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/blockdevice_controller.rb
Info: Loading facts in /var/lib/puppet/lib/facter/oncall.rb
Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/ip6tables_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/nfs_homes.rb
Info: Loading facts in /var/lib/puppet/lib/facter/iptables_persistent_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/vmwaretools_version.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter purge on Firewallchain[foo:filter:IPv4] at /etc/puppet-dev/manifests/site.pp:5 on node oogs-test01.test.lab
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Has anyone else successfully used the purge attribute for a firewall
chain? If so, can you provide some sample code or point out what's wrong
in ours?

Thanks,

-Chris B.

Hunter Haugen

Aug 11, 2014, 4:33:45 PM8/11/14
to puppet-users
> oogs@oogs-dev:/etc/puppet-dev/modules/firewall/lib/puppet/type$ grep -A6 purge firewallchain.rb
>   newparam(:purge, :boolean => true) do
>     desc <<-EOS
>       Purge unmanaged firewall rules in this chain
>     EOS
>     newvalues(:false, :true)
>     defaultto :false
>   end


I assume oogs-dev is the puppet master?
 
> If I run puppet on my test node, oogs-test01, I get the following:
>
> root@oogs-test01:~# puppet agent -t
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Loading facts in /var/lib/puppet/lib/facter/iptables_version.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/mounts.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/scst_version.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/lvm_facters.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/postgres_default_version.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/blockdevice_controller.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/oncall.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/ip6tables_version.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/nfs_homes.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/iptables_persistent_version.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/vmwaretools_version.rb
> Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter purge on Firewallchain[foo:filter:IPv4] at /etc/puppet-dev/manifests/site.pp:5 on node oogs-test01.test.lab
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run

This is an error from the server, so perhaps the type is not reloaded. When types are updated (such as when upgrading the firewall module), the puppet master process will still have the old versions loaded in memory until the daemon is restarted. You could try restarting or reloading your puppet master and seeing if the new types are found.

Oh, and if your puppet master (oogs-dev) is on a puppet environment that has an old version of puppetlabs-firewall, it will still have an old cache of the type even after restarting. You can check this by looking in /var/lib/puppet/lib/puppet/type/firewallchain.rb on the master and seeing if it has the purge attribute. Updating to the latest firewall module in the master's puppet environment and then running `puppet plugin download` on the master might help synchronize that.
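The check Hunter describes, scripted, as an added example that is not code from the thread or from the puppetlabs-firewall module: it compares the firewallchain type shipped in the environment's module with the copy the master has cached under its vardir and reports whether the cached copy is missing the purge parameter. The directory layout and both file contents are constructed under a temporary directory for the demonstration; on a real master the two paths would be the module's lib/puppet/type/firewallchain.rb in the environment's modulepath and /var/lib/puppet/lib/puppet/type/firewallchain.rb.

```shell
#!/bin/sh
# Added example, not part of the thread or of puppetlabs-firewall.
# Builds a constructed copy of an environment module and a stale master
# plugin cache under a temp dir, then checks whether the cached
# firewallchain type knows about the `purge` parameter.

WORK="${TMPDIR:-/tmp}/fwchain-check.$$"
MODULE_COPY="$WORK/env/modules/firewall/lib/puppet/type/firewallchain.rb"
CACHED_COPY="$WORK/vardir/lib/puppet/type/firewallchain.rb"
mkdir -p "$(dirname "$MODULE_COPY")" "$(dirname "$CACHED_COPY")"

# Constructed: the module's type file, which declares :purge.
cat > "$MODULE_COPY" <<'EOF'
Puppet::Type.newtype(:firewallchain) do
  newparam(:purge, :boolean => true) do
    desc 'Purge unmanaged firewall rules in this chain'
    newvalues(:false, :true)
    defaultto :false
  end
end
EOF

# Constructed: an older cached copy on the master with no :purge parameter,
# which is what would make the server reject "purge" as an invalid parameter.
cat > "$CACHED_COPY" <<'EOF'
Puppet::Type.newtype(:firewallchain) do
  newparam(:name) do
    desc 'Chain name'
  end
end
EOF

# Returns 0 if the given type file declares a :purge parameter, 1 otherwise.
type_has_purge() {
  grep -q 'newparam(:purge' "$1"
}

# Prints "stale" when the cached copy lacks :purge but the module copy has it,
# "in-sync" when the two files are byte-identical, "differs" otherwise.
# Returns 1 (prints nothing) if either file is missing.
check_type_cache() {
  module_copy="$1"
  cached_copy="$2"
  [ -f "$module_copy" ] && [ -f "$cached_copy" ] || return 1
  if type_has_purge "$module_copy" && ! type_has_purge "$cached_copy"; then
    echo "stale"
  elif cmp -s "$module_copy" "$cached_copy"; then
    echo "in-sync"
  else
    echo "differs"
  fi
}

# Stand-alone run: reports "stale" for the constructed files above.
# Remove "$WORK" when finished with the demonstration.
check_type_cache "$MODULE_COPY" "$CACHED_COPY"
```

On a real master, a "stale" result means the agent's catalog compile is being served from a type definition that predates the purge parameter, and resyncing the master's plugin cache (or restarting the master after updating the module in that environment) is the next step; "differs" without a missing parameter usually just means two different module versions that both support purge.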

oogs

Aug 11, 2014, 4:57:19 PM8/11/14
to puppet...@googlegroups.com
Hi Hunter,

Yes, oogs-dev is the master in this case. This environment also has the
latest version of puppetlabs/firewall. As for the caching issue, the
puppet daemon uses passenger to have multiple copies of the daemon
running simultaneously, and they usually reload every 5-10 minutes.
Running 'puppet agent -t' now produces the same result as it did earlier.

-Chris
