sous-chefs / fail2ban

Development repository for the fail2ban cookbook
https://supermarket.chef.io/cookbooks/fail2ban
Apache License 2.0

fail2ban Chef 17 compatibility #95

Open damacus opened 3 years ago

djessich commented 2 years ago

For me fail2ban service does not reload on Chef 17. See the following output:

Recipe: fail2ban::default
         * service[fail2ban] action restart
           - restart service service[fail2ban]
         * service[fail2ban] action reload

           ================================================================================
           Error executing action `reload` on resource 'service[fail2ban]'
           ================================================================================

           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '1'
           ---- Begin output of ["/bin/systemctl", "--system", "reload", "fail2ban"] ----
           STDOUT: 
           STDERR: Job for fail2ban.service failed.
           See "systemctl status fail2ban.service" and "journalctl -xe" for details.
           ---- End output of ["/bin/systemctl", "--system", "reload", "fail2ban"] ----
           Ran ["/bin/systemctl", "--system", "reload", "fail2ban"] returned 1

           Resource Declaration:
           ---------------------
           # In /opt/kitchen/cache/cookbooks/fail2ban/recipes/default.rb

            93: service 'fail2ban' do
            94:   supports [status: true, restart: true]
            95:   action [:enable, :start] if platform_family?('rhel', 'amazon', 'fedora')
            96:   action [:enable] if platform_family?('debian', 'suse')
            97: end

           Compiled Resource:
           ------------------
           # Declared in /opt/kitchen/cache/cookbooks/fail2ban/recipes/default.rb:93:in `from_file'

           service("fail2ban") do
             action [:enable]
             updated true
             default_guard_interpreter :default
             declared_type :service
             cookbook_name "fail2ban"
             recipe_name "default"
             supports {{:status=>true, :restart=>true}=>true}
             service_name "fail2ban"
             running true
             enabled true
             masked false
           end

           System Info:
           ------------
           chef_version=17.10.0
           platform=debian
           platform_version=10
           ruby=ruby 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [x86_64-linux]
           program_name=/opt/cinc/bin/cinc-client
           executable=/opt/cinc/bin/cinc-client

djessich commented 2 years ago

After digging around in the issue, it seems the problem is as follows: the service resource for fail2ban is notified with action restart (delayed timing), so the service is restarted at the end of the Chef Client run. Unfortunately, the reload action is notified for the fail2ban service resource directly after the restart action was notified, by using the fail2ban_jail resource. This introduces something like a race condition, as the service may not be ready to accept connections after the restart.

I think it would be good to change the action notified from within the fail2ban_jail resource to :restart, or to allow the cookbook user to specify the action via a custom resource property (as symbol type).

BTW: when using the :reload action from within this cookbook, the service resource should explicitly declare it to be supported using the supports property.

PowerKiKi commented 2 years ago

@djessich have you found a workaround for this issue?

djessich commented 2 years ago

@PowerKiKi No, I haven't found a workaround or solution yet.

PowerKiKi commented 2 years ago

My workaround for now is to specify :restart, even though :reload would be the more efficient option. So something like this:

notifies :restart, 'service[fail2ban]'
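A readiness-gated reload, as an added example that is neither the cookbook's code nor either commenter's: it addresses the race djessich describes (a reload fired before the restarted server answers) while keeping the cheaper reload PowerKiKi would prefer over a second restart. It assumes fail2ban-client is on PATH; the FAIL2BAN_CLIENT variable is a hypothetical override so a stub can stand in for the real client, and in a recipe the script could be run from an execute resource instead of notifying service[fail2ban] :reload.

```shell
#!/bin/sh
# Added example (not cookbook code): only reload once fail2ban actually answers,
# so a reload queued right after a restart does not hit a server that is still starting.
# Assumption: fail2ban-client is on PATH; FAIL2BAN_CLIENT is a hypothetical override
# that lets a test substitute a stub client.
FAIL2BAN_CLIENT="${FAIL2BAN_CLIENT:-fail2ban-client}"

# wait_for_fail2ban MAX_TRIES DELAY_SECONDS
# Polls "fail2ban-client ping" until the server replies "pong".
# Returns 0 once it answers, 1 if MAX_TRIES polls pass without an answer.
wait_for_fail2ban() {
  max_tries=$1
  delay=$2
  n=0
  while [ "$n" -lt "$max_tries" ]; do
    if "$FAIL2BAN_CLIENT" ping 2>/dev/null | grep -q pong; then
      return 0
    fi
    n=$((n + 1))
    sleep "$delay"
  done
  return 1
}

# reload_fail2ban [MAX_TRIES] [DELAY_SECONDS]
# Reloads the jails only after the server is reachable; a timeout is reported
# plainly instead of surfacing as "Job for fail2ban.service failed" from systemctl.
reload_fail2ban() {
  if ! wait_for_fail2ban "${1:-10}" "${2:-1}"; then
    echo "fail2ban did not become ready; not reloading" >&2
    return 1
  fi
  "$FAIL2BAN_CLIENT" reload
}
```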