chr4-cookbooks / iptables-ng

Cookbook to maintain iptables rules and policies on different platforms, respecting the way the OS handles these settings.
GNU General Public License v3.0

Issue on debian 8 #55

Closed jenssegers closed 9 years ago

jenssegers commented 9 years ago

Hi, I'm currently getting the following error message on Debian:

  * apt_package[ufw] action remove

    ================================================================================
    Error executing action `remove` on resource 'apt_package[ufw]'
    ================================================================================

    Chef::Exceptions::Package
    -------------------------
    ufw has no candidate in the apt-cache

    Resource Declaration:
    ---------------------
    # In /root/chef-solo/cookbooks-2/iptables-ng/recipes/install.rb

     27: package 'ufw' do
     28:   action :remove
     29:   only_if { node['platform_family'] == 'debian' }
     30: end
     31: 

    Compiled Resource:
    ------------------
    # Declared in /root/chef-solo/cookbooks-2/iptables-ng/recipes/install.rb:27:in `from_file'

    apt_package("ufw") do
      action [:remove]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      package_name "ufw"
      declared_type :package
      cookbook_name :"iptables-ng"
      recipe_name "install"
      only_if { #code block }
    end

jenssegers commented 9 years ago

That was weird; I ran an apt-update and it got fixed. Maybe I had a bad apt cache?

chr4 commented 9 years ago

Thanks for reporting! Which version of Debian are you using? I checked stable/ oldstable/ testing/ unstable and in all releases the package is available (https://packages.debian.org/jessie/ufw). Does the problem persist after running apt-get update?

rbowlby commented 8 years ago

I'm seeing this issue as well.

Interestingly, it only occurs on a packer chef-client run (aws). It does not happen locally within test-kitchen. Both are Ubuntu 12. Further, it only happens in packer on the second converge (packer making use of a previous packer image). I've tried apt-get update to no avail.

atimonin commented 7 years ago

For me it happens every time on a fresh install (Debian 8.7); after running apt-get update manually it goes away.

atimonin commented 7 years ago

It looks like I've found the root cause: on a fresh install the apt cache does not know about all packages. When iptables-ng tries to remove ufw it asks apt to do it, but apt doesn't know such a package, so an error is raised. The simple fix will be to set "ignore_failure true" when deleting ufw.

chr4 commented 7 years ago

Mmh, to me this looks like an issue of the underlying system: an uninitialized apt. My current thought is that this should be fixed either on the OS level or in an initializing-and-configuring-apt wrapper cookbook. Ignoring the error here might have other implications. What are your thoughts?

atimonin commented 7 years ago

Well, about apt I think it's doing all well: if a package is not known it's surely an error, whether you want to add it or remove it.

Fixing on the OS level? I think on the distribution level, but that's problematic because of the large variety of distributions... Moreover, if I were a maintainer I would surely regret it: the base system should be small enough.

In my special case I surely may run apt-get update just before iptables-ng and all will be OK, but to me it's a kind of kludge: why must I do it? I never used and don't plan to use UFW, and all packages that I need are known to apt. And what if somebody adds UFW after iptables-ng? It is quite logical to add UFW after iptables-ng (well, a stupid case maybe...).

To my mind, in this case, looking into the comments I see that ufw may cause problems (maybe not?). So failure to remove the UFW package should be a warning, not a fatal error. The other point of view: if I try to remove a package just for safety and the remove fails, I usually don't bother much.

chr4 commented 7 years ago

On a "normal" system, the apt cache should be up-to-date. I'd be interested in knowing the use case where a partially up-to-date apt cache is beneficial (small systems, containers?). Especially since this cookbook relies on apt to install iptables and iptables-restore on Debian and Ubuntu.

ufw is removed because it's incompatible with this cookbook, and firewall rules would be messed up severely in case you use both at the same time.

I'm considering ignoring the failure of purging ufw if:

Money question here could be: When ufw is installed, can it be removed with apt-get purge correctly, even if the apt-cache is not up-to-date?
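An added example, not code from the cookbook or from any commenter: a plain-Ruby helper that reads dpkg's own status database (which is populated on a fresh install even when the apt package lists have never been fetched) to decide whether ufw actually has to be removed. It assumes `dpkg-query` is available, and the recipe fragment in the comment (`ufw_needs_removal?` as an `only_if` guard) is hypothetical; the idea is to skip the remove when nothing is installed instead of setting `ignore_failure`, which would also hide a genuine purge error.

```ruby
# Parse the output of `dpkg-query -W -f='${Status}' <pkg>`. The field has
# three words: desired-action, error-flag, state, e.g. "install ok installed".
# dpkg-query exits non-zero for packages it has never heard of, in which case
# the caller passes nil and we report :unknown rather than guessing.
def package_state(status_output)
  return :unknown if status_output.nil?
  fields = status_output.strip.split(/\s+/)
  return :unknown unless fields.length == 3
  fields[2].tr('-', '_').to_sym # :installed, :config_files, :not_installed, ...
end

# True only when a remove (or purge) would actually do something.
# "config-files" means the package was removed but its configuration is still
# on disk: irrelevant for `action :remove`, relevant for `action :purge`.
def needs_removal?(status_output, purge: false)
  case package_state(status_output)
  when :installed then true
  when :config_files then purge
  else false
  end
end

# Shell out to dpkg-query for ufw. A missing dpkg-query (non-Debian host) or a
# package dpkg does not know about both yield nil, hence :unknown, hence false,
# so the guard fails closed instead of raising the "no candidate" error.
def ufw_needs_removal?(purge: false)
  out = `dpkg-query -W -f='${Status}' ufw 2>/dev/null`
  needs_removal?($?.success? ? out : nil, purge: purge)
rescue Errno::ENOENT
  false
end

# Hypothetical recipe usage (Chef DSL, shown as a comment so this file stays
# plain Ruby). It replaces the unconditional remove in install.rb:
#
#   package 'ufw' do
#     action :remove
#     only_if { node['platform_family'] == 'debian' && ufw_needs_removal? }
#   end
```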