gilbertc777
2012-Nov-20 21:09 UTC
[Puppet Users] Puppet firewall module only works on first clean run on a machine
Hi everyone,

I am working now to introduce the puppet firewall module to our environment.

On the first run, all our rules are deployed on the server with no errors.

However, on subsequent runs, even without changing rules, I get errors like the following:

The iptables provider can not handle attribute proto.....

I get multiple errors, but the rules work if I stop iptables and clear the /etc/sysconfig/iptables file.

I have turned purging on for the firewall resource, but it seems like the resource is not actually purging all rules before running:

    resources { 'firewall':
      purge => 'true',
    }

I am running puppet 3.0.1 and have grabbed the latest puppet firewall module from github.

Thanks,
Chuck

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/RuHfbwhb5FAJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jeff McCune
2012-Nov-20 21:35 UTC
Re: [Puppet Users] Puppet firewall module only works on first clean run on a machine
On Tue, Nov 20, 2012 at 4:09 PM, gilbertc777 <gilbertc777@gmail.com> wrote:
> Hi everyone,
>
> I am working now to introduce the puppet firewall module to our environment.
>
> On the first run, all our rules are deployed on the server with no errors.
>
> However, on subsequent runs, even without changing rules, I get errors like
> the following:
>
> The iptables provider can not handle attribute proto.....i get multiple
> errors but the rules work if I stop iptables and clear the
> /etc/sysconfig/iptables file.

I'm having difficulty understanding the nature of the problem, could you run the agent with --verbose and --debug turned on and paste the full output? This will help us troubleshoot the problem more efficiently.

-Jeff
Charles Gilbert
2012-Nov-20 22:51 UTC
Re: [Puppet Users] Puppet firewall module only works on first clean run on a machine
Hi Jeff,

Let me try to clarify, as the node is on a disconnected network and I am not able to transmit logs from it.

If I stop iptables, delete everything in the file, and then run the firewall rules on the server, all the rules are applied with no errors.

However, when I trigger another run of puppet on that same node after the rules have been added, the puppet run fails with errors saying the iptables provider can not handle fields like proto, log_level etc. that had worked on the first run. It seems to me that we need to flush all rules and then the class should execute to apply the firewall rules. To flush the rules, I set the resources purge true for firewall.

Not really sure if this clarified anything. When I ran debug myself, I did not see the purge actually execute as I would expect.

On Tue, Nov 20, 2012 at 4:35 PM, Jeff McCune <jeff@puppetlabs.com> wrote:
> I'm having difficulty understanding the nature of the problem, could
> you run the agent with --verbose and --debug turned on and paste the
> full output? This will help us troubleshoot the problem more
> efficiently.
>
> -Jeff
Jakov Sosic
2012-Nov-20 23:11 UTC
Re: [Puppet Users] Puppet firewall module only works on first clean run on a machine
On 11/20/2012 11:51 PM, Charles Gilbert wrote:
> Hi Jeff,
>
> Let me try to clarify as the node is on a disconnected network and I am
> not able to transmit logs from it.
>
> If I stop iptables, delete everything in the file, and then run the
> firewall rules on the server, all the rules are applied with no errors.
>
> However, when I trigger another run of puppet, on that same node after
> the rules have been added, the puppet run fails with errors in regards
> to the iptables provider can not handle fields like proto, log_level etc
> that had worked on first run. It seems to me that we need to flush all
> rules and then the class should execute to apply the firewall rules. To
> flush the rules, I set the resources purge true for firewall.
>
> Not really sure if this clarified anything. When I ran debug myself,
> I did not see the purge actually execute as I would expect.

Shouldn't purge only remove rules that were added and are not managed by puppet?

--
Jakov Sosic
www.srce.unizg.hr
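An added illustration of the purge semantics Jakov describes (example manifest written for this thread, not code from the original posts or the module's own documentation): resources { 'firewall': purge => true } makes the provider enumerate the rules currently loaded in iptables and remove those no firewall resource in the catalog claims, while managed rules that already match are left alone, so a second run changes nothing rather than flushing and re-adding. The class names my_fw::pre / my_fw::post and the rule names and ports are assumptions.

```puppet
# Added example, not from the thread. Class names, rule names and the SSH port are assumptions.
class my_fw::pre {
  Firewall {
    require => undef,
  }
  # Rules that must exist before anything else is touched, so the node
  # cannot lock itself out while the rest of the rules are applied.
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '003 accept ssh':
    proto  => 'tcp',
    dport  => 22,
    action => 'accept',
  }
}

class my_fw::post {
  # Everything not explicitly accepted above is dropped last.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

# Remove iptables rules that no firewall resource in the catalog manages.
# Rules the catalog declares are compared against what is already loaded
# and left in place when they match, so a second run is a no-op, not a flush.
resources { 'firewall':
  purge => true,
}

# Ordering: pre rules first, post rules last, every other firewall resource in between.
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

class { ['my_fw::pre', 'my_fw::post']: }
```

Running the agent with --noop first shows which currently loaded rules purge would remove, which is the quickest way to confirm the purge is actually being evaluated before letting it change the live ruleset.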
Charles Gilbert
2012-Nov-20 23:28 UTC
Re: [Puppet Users] Puppet firewall module only works on first clean run on a machine
That may be the case. I am relatively new to puppet and am still getting used to some of the features. Does what I describe ring a bell to anyone though?

On Tue, Nov 20, 2012 at 6:11 PM, Jakov Sosic <jsosic@srce.hr> wrote:
> Shouldn't purge only remove rules that were added and are not managed by puppet?
>
> --
> Jakov Sosic
> www.srce.unizg.hr
Charles Gilbert
2012-Nov-20 23:42 UTC
Re: [Puppet Users] Puppet firewall module only works on first clean run on a machine
For what it's worth, this seems to resemble my problem: http://projects.puppetlabs.com/issues/16675

I will attempt to track this to see if any changes get pushed.

On Tue, Nov 20, 2012 at 6:28 PM, Charles Gilbert <gilbertc777@gmail.com> wrote:
> That may be the case. I am relatively new to puppet and am still getting
> used to some of the features. Does what I describe ring a bell to anyone
> though?