chr4-cookbooks / iptables-ng

Cookbook to maintain iptables rules and policies on different platforms, respecting the way the OS handles these settings.
GNU General Public License v3.0

Manage recipe fails when IPV6 is disabled (CentOS / RHEL) #13

Closed krallin closed 10 years ago

krallin commented 10 years ago

Hi!

When using the cookbook on a CentOS or RHEL host where IPV6 is disabled, the cookbook fails because the init script exits with exit code 6.

Haven't found a workaround yet (though I'm looking), but I just figured I would share this in case there's one.

   ================================================================================
   Error executing action `create` on resource 'ruby_block[restart_iptables]'
   ================================================================================

   Mixlib::ShellOut::ShellCommandFailed
   ------------------------------------
   service[ip6tables] (dynamically defined) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '150'
   ---- Begin output of /sbin/service ip6tables restart ----
   STDOUT: ip6tables: ipv6 is disabled.
   STDERR: 
   ---- End output of /sbin/service ip6tables restart ----
   Ran /sbin/service ip6tables restart returned 150

   Cookbook Trace:
   ---------------
   /tmp/kitchen/cookbooks/iptables-ng/libraries/restart_service.rb:37:in `block in restart_service'
   /tmp/kitchen/cookbooks/iptables-ng/libraries/restart_service.rb:34:in `tap'
   /tmp/kitchen/cookbooks/iptables-ng/libraries/restart_service.rb:34:in `restart_service'
   /tmp/kitchen/cookbooks/iptables-ng/recipes/manage.rb:45:in `block (3 levels) in from_file'
   /tmp/kitchen/cookbooks/iptables-ng/recipes/manage.rb:44:in `each'
   /tmp/kitchen/cookbooks/iptables-ng/recipes/manage.rb:44:in `block (2 levels) in from_file'

   Resource Declaration:
   ---------------------
   # In /tmp/kitchen/cookbooks/iptables-ng/recipes/manage.rb

    38: ruby_block 'restart_iptables' do
    39:   block do
    40:     class Chef::Resource::RubyBlock
    41:       include Iptables::Manage
    42:     end
    43: 
    44:     [4, 6].each do |ip_version|
    45:       restart_service(ip_version)
    46:     end
    47:   end
    48: 

chr4 commented 10 years ago

Thanks for reporting! Mmh, maybe it would make sense to be able to set a global ipv6 "disable" flag in an attribute as a workaround.

If someone else has this problem, please +1.

krallin commented 10 years ago

I was thinking about maybe delegating that to an attribute, which would be [4, 6] by default.

Then, the recipe can use the attribute, and people who use that recipe are in charge of setting the attribute correctly.

What do you think?

krallin commented 10 years ago

Note: I'm suggesting that because a host may have IPV4 disabled, and run into the exact same issue : >

chr4 commented 10 years ago

I agree that this is a valid scenario. In case you already implemented an attribute, feel free to file a pull request.

I'd suggest the following:

    default['iptables-ng']['enabled_ip_versions'] = [4, 6]

krallin commented 10 years ago

Haven't had time to set it up just yet, I'll try to submit that asap!
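
The attribute proposed in this thread makes the operator responsible for listing the right IP versions, so a mismatch with the host matters in both directions. The sketch below is an added example, not code from the iptables-ng cookbook: it maps the attribute to the services to restart and flags both mismatches. The helper names, the service map and the `/proc/net/if_inet6` probe are assumptions.

```ruby
# Added example: not code from the iptables-ng cookbook.
# 'enabled_ip_versions' is the attribute proposed in the thread; everything
# else (helper names, the /proc probe, the service map) is an assumption.

# Init service per IP version on CentOS / RHEL (ip6tables appears in the log above).
SERVICE_FOR = { 4 => 'iptables', 6 => 'ip6tables' }.freeze

# Assumption: the kernel exposes /proc/net/if_inet6 only while its IPv6
# stack is loaded. proc_root is injectable so the check can be tested.
def ipv6_available?(proc_root = '/proc')
  File.exist?(File.join(proc_root, 'net', 'if_inet6'))
end

# Maps the attribute to the services to restart and reports mismatches
# between the attribute and the host. Returns [services, warnings].
def plan_restarts(enabled_ip_versions, ipv6_available:)
  versions = Array(enabled_ip_versions).uniq
  unknown = versions - SERVICE_FOR.keys
  raise ArgumentError, "unsupported IP versions: #{unknown.inspect}" unless unknown.empty?

  warnings = []
  if versions.include?(6) && !ipv6_available
    # The failure from this issue: restarting ip6tables exits non-zero.
    warnings << 'IPv6 is listed but not available: ip6tables restart will fail'
  elsif !versions.include?(6) && ipv6_available
    # The opposite mistake is silent: IPv6 traffic stays unfiltered.
    warnings << 'IPv6 is available but not listed: ip6tables rules will not be applied'
  end
  [versions.sort.map { |v| SERVICE_FOR.fetch(v) }, warnings]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed value standing in for node['iptables-ng']['enabled_ip_versions'].
  services, warnings = plan_restarts([4], ipv6_available: ipv6_available?)
  puts "restart: #{services.join(', ')}"
  warnings.each { |w| warn "WARNING: #{w}" }
end
```

The second warning is the one worth alerting on: a host that drops 6 from the attribute while IPv6 is still active converges cleanly but carries no managed ip6tables rules.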