chef-cookbooks / iptables

Development repository for Chef Cookbook iptables
https://supermarket.chef.io/cookbooks/iptables
Apache License 2.0
102 stars 141 forks

Fix Chef 12 and Debian support #109

Closed bmhughes closed 4 years ago

bmhughes commented 4 years ago

Description

  1. Fix missing method in Chef 12. Fixes #107
  2. Enhance Debian/Ubuntu support and replace pre if-up hooks with netfilter-persistent. Should fix #103 and #104.
  3. General robustness improvements.

Issues Resolved

Check List

horazont commented 4 years ago

I’m not sure if we’re using the rule resource incorrectly or whether this is another Chef 12 issue, but while testing whether this branch fixes the Chef 12 incompatibility, we used this code:

iptables_rule 'bridge_forwarding' do
  source 'iptables.erb'
  cookbook_name 'iptables'
  action :create
  chain 'FORWARD'
  match '-i brvpn -o brvpn'
  target 'ACCEPT'
end

and it broke with this error:

  * template[/etc/iptables/rules.v4] action nothing[2020-01-14T08:59:54+00:00] INFO: Processing template[/etc/iptables/rules.v4] action nothing (/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.21.4/lib/chef/dsl/declare_resource.rb line 158)
 (skipped due to action :nothing)
[2020-01-14T08:59:54+00:00] INFO: template[/etc/iptables/rules.v4] sending create action to template[/etc/iptables/rules.v4] (delayed)
  * template[/etc/iptables/rules.v4] action create[2020-01-14T08:59:54+00:00] INFO: Processing template[/etc/iptables/rules.v4] action create (/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.21.4/lib/chef/dsl/declare_resource.rb line 158)

    ================================================================================
    Error executing action `create` on resource 'template[/etc/iptables/rules.v4]'
    ================================================================================

    Chef::Exceptions::FileNotFound
    ------------------------------
    Cookbook 'ch-openvpn-cluster' (0.1.0) does not contain a file at any of these locations:
      templates/ubuntu-16.04/rules.v4.erb
      templates/ubuntu/rules.v4.erb
      templates/default/rules.v4.erb
      templates/rules.v4.erb

    This cookbook _does_ contain: ['/tmp/kitchen/cache/cookbooks/ch-openvpn-cluster/templates/default/bridge.erb','/tmp/kitchen/cache/cookbooks/ch-openvpn-cluster/templates/default/bridge_forwarding.erb']

    Resource Declaration:
    ---------------------
    # In /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.21.4/lib/chef/dsl/declare_resource.rb

    158:         declare_resource(type, name, created_at, run_context: run_context, &resource_attrs_block)
    159:       end

    Compiled Resource:
    ------------------
    # Declared in /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.21.4/lib/chef/dsl/declare_resource.rb:158:in `rescue in edit_resource'

    template("/etc/iptables/rules.v4") do
      action [:nothing]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      source "rules.v4.erb"
      variables {"iptables"=>{"filter"=>{"chains"=>{"INPUT"=>"ACCEPT [0:0]", "FORWARD"=>"ACCEPT [0:0]", "OUTPUT"=>"ACCEPT [0:0]"}, "rules"=>["-A FORWARD -i brvpn -o brvpn -j ACCEPT -m comment --comment \"/etc/iptables/rules.v4\""]}}}
      declared_type :template
      cookbook_name "ch-openvpn-cluster"
      owner nil
      group nil
      mode "0600"
      path "/etc/iptables/rules.v4"
      verifications []
    end

    System Info:
    ------------
    chef_version=12.21.4
    platform=ubuntu
    platform_version=16.04
    ruby=ruby 2.3.4p301 (2017-03-30 revision 58214) [x86_64-linux]
    program_name=chef-client worker: ppid=1519;start=08:58:26;
    executable=/opt/chef/bin/chef-client

We tried with cookbook instead of cookbook_name and with leaving out source and cookbook_name altogether; none of which fixed or changed that error.

bmhughes commented 4 years ago

Ok let me check this out in a bit, I've tested with 12.22.5 and it was working. For some reason it's trying to use the rules file path as the source template.

You shouldn't need to specify cookbook or source unless you want to use a custom template.

bmhughes commented 4 years ago

I can't reproduce that behaviour using Ubuntu 16.04 and that exact chef version, that resource definition works for me. (with cookbook_name corrected to cookbook)

There must be something in the wrapper cookbook that is affecting it. Do you experience the same problem with a later Chef version? I'd presume yes from the error. You need to debug how the source is getting changed to rules.v4.erb.

horazont commented 4 years ago

Thanks for testing. I don’t know what the wrapper cookbook could be doing to cause this, but I’m going to try to dig deeper.

In the meantime, I'm pretty sure we can reproduce this problem without using this branch (by using line instead of target/chain), so I guess this is unrelated.

bmhughes commented 4 years ago

That's even stranger if using line works, as the template at the end is still the same; it's just how the rule_builder helper method works that changes.

Is a sanitised version of this wrapper available for me to test with? If there is a subtle issue I'd like to fix it. That said, Chef 12 was EOL in April last year, so I'd avoid making any major changes based on that.
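The path the thread discusses, from the resource's chain/match/target properties through a rule_builder-style helper to the rendered rules.v4 file, as an added example that is not the cookbook's own code: build_rule and render_rules_v4 are assumed names, the output mirrors the iptables-save layout that netfilter-persistent loads, and the newline check is an added hardening step the cookbook may not perform.

```ruby
# Added example: a minimal stand-in for the cookbook's rule_builder/template path.
# It is NOT the iptables cookbook's own code; build_rule and render_rules_v4 are
# assumed names. The output follows the iptables-save format that
# iptables-persistent/netfilter-persistent reads from /etc/iptables/rules.v4.

# Compose one rule from the resource's chain/match/target properties, tagging it
# with the comment the compiled resource in this thread carries (the rules file path).
def build_rule(chain:, target:, match: '', comment: '/etc/iptables/rules.v4')
  [chain, match, target, comment].each do |v|
    # A newline in any property would let a single resource emit extra rules or
    # a premature COMMIT into the file, so refuse it instead of rendering it.
    raise ArgumentError, "newline in rule property: #{v.inspect}" if v.to_s.include?("\n")
  end
  parts = ['-A', chain]
  parts << match unless match.to_s.strip.empty?
  parts += ['-j', target, '-m', 'comment', '--comment', %("#{comment}")]
  parts.join(' ')
end

# Render the per-table hash (same shape as the template variables shown in the
# compiled resource above) into iptables-save text: table header, chain
# policies, rules, COMMIT.
def render_rules_v4(tables)
  tables.map do |table, spec|
    lines = ["*#{table}"]
    spec.fetch('chains', {}).each { |chain, policy| lines << ":#{chain} #{policy}" }
    lines.concat(spec.fetch('rules', []))
    lines << 'COMMIT'
    lines.join("\n")
  end.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  rule = build_rule(chain: 'FORWARD', match: '-i brvpn -o brvpn', target: 'ACCEPT')
  puts render_rules_v4('filter' => {
    'chains' => { 'INPUT' => 'ACCEPT [0:0]', 'FORWARD' => 'ACCEPT [0:0]', 'OUTPUT' => 'ACCEPT [0:0]' },
    'rules' => [rule]
  })
end
```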

horazont commented 4 years ago

@bmhughes Makes sense. Please see #110 for my analysis of the issue.

bmhughes commented 4 years ago

Closing this as there is a rewrite being done at #108