sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0

CentOS 7.1 with iptables. Systemd unit file is not created. #131

Closed xdrus closed 8 years ago

xdrus commented 8 years ago

Error description

An attempt to use the cookbook on CentOS 7.1 with iptables fails with an error:

         * firewall[default] action install
           - install iptables and enable/start services
         * yum_package[iptables] action install (up to date)
         * file[create empty /etc/sysconfig/iptables] action create (skipped due to not_if)
         * service[iptables] action enable

           ================================================================================
           Error executing action `enable` on resource 'service[iptables]'
           ================================================================================

           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '1'
           ---- Begin output of /bin/systemctl enable iptables ----
           STDOUT: 
           STDERR: Failed to issue method call: No such file or directory
           ---- End output of /bin/systemctl enable iptables ----
           Ran /bin/systemctl enable iptables returned 1

           Resource Declaration:
           ---------------------
           # In /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb

            52:           service svc do
            53:             action [:enable, :start]
            54:           end
            55:         end

           Compiled Resource:
           ------------------
           # Declared in /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb:52:in `block (3 levels) in <class:FirewallIptables>'

           service("iptables") do
             action [:enable, :start]
             supports {:restart=>nil, :reload=>nil, :status=>nil}
             retries 0
             retry_delay 2
             default_guard_interpreter :default
             service_name "iptables"
             pattern "iptables"
             declared_type :service
             cookbook_name "vpn-server"
           end

       Recipe: sysctl::default
         * ruby_block[save-sysctl-params] action run
           - execute the ruby block save-sysctl-params
         * template[/etc/sysctl.d/99-chef-attributes.conf] action create (up to date)

       Running handlers:
       [2016-04-11T17:53:50+00:00] ERROR: Running exception handlers
       Running handlers complete
       [2016-04-11T17:53:50+00:00] ERROR: Exception handlers complete
       Chef Client failed. 4 resources updated in 24 seconds
       [2016-04-11T17:53:50+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2016-04-11T17:53:50+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2016-04-11T17:53:50+00:00] ERROR: service[iptables] (/tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb line 52) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
       ---- Begin output of /bin/systemctl enable iptables ----
       STDOUT: 
       STDERR: Failed to issue method call: No such file or directory
       ---- End output of /bin/systemctl enable iptables ----
       Ran /bin/systemctl enable iptables returned 1
       [2016-04-11T17:53:52+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Generated at 2016-04-11 17:53:50 +0000
Mixlib::ShellOut::ShellCommandFailed: service[iptables] (/tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb line 52) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of /bin/systemctl enable iptables ----
STDOUT: 
STDERR: Failed to issue method call: No such file or directory
---- End output of /bin/systemctl enable iptables ----
Ran /bin/systemctl enable iptables returned 1
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/mixlib-shellout-2.2.6/lib/mixlib/shellout.rb:289:in `invalid!'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/mixlib-shellout-2.2.6/lib/mixlib/shellout.rb:276:in `error!'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/mixin/shell_out.rb:56:in `shell_out!'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/provider/service/systemd.rb:118:in `enable_service'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/provider/service.rb:83:in `block in action_enable'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/mixin/why_run.rb:52:in `add_action'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/provider.rb:175:in `converge_by'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/provider/service.rb:82:in `action_enable'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/provider.rb:144:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/resource.rb:596:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/runner.rb:73:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/runner.rb:105:in `block (2 levels) in converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/runner.rb:105:in `each'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/runner.rb:105:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/resource_collection/resource_list.rb:84:in `block in execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/resource_collection/stepable_iterator.rb:116:in `call'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/resource_collection/stepable_iterator.rb:116:in `call_iterator_block'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/resource_collection/stepable_iterator.rb:104:in `iterate'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/resource_collection/resource_list.rb:82:in `execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/runner.rb:104:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/client.rb:668:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/client.rb:663:in `catch'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/client.rb:663:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/client.rb:702:in `converge_and_save'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/client.rb:280:in `run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:270:in `block in fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:258:in `fork'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:258:in `fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:223:in `block in run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/local_mode.rb:44:in `with_server_connectivity'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:211:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application/client.rb:445:in `block in interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application/client.rb:435:in `loop'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application/client.rb:435:in `interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application/client.rb:424:in `run_application'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:58:in `run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/bin/chef-client:26:in `<top (required)>'
/opt/chef/bin/chef-client:50:in `load'
/opt/chef/bin/chef-client:50:in `<main>'

Configuration:

default['firewall']['redhat7_iptables'] = true
# Hash keys must be unique: in the original, ':INPUT ACCEPT' and ':OUTPUT ACCEPT'
# appeared once for the filter table and again for the nat table, so Ruby kept
# only the later value and the filter-table entries were silently dropped.
# The cookbook disambiguates such lines with a table suffix that it strips when
# writing the file, as the COMMIT_FILTER / COMMIT_NAT keys already do.
default['firewall']['iptables']['defaults'][:ruleset] = {
  '*filter' => 1,
  ':INPUT ACCEPT_FILTER' => 2,
  ':FORWARD ACCEPT' => 3,
  ':OUTPUT ACCEPT_FILTER' => 4,
  'COMMIT_FILTER' => 100,
  '*nat' => 101,
  ':PREROUTING ACCEPT' => 102,
  ':POSTROUTING ACCEPT' => 103,
  ':OUTPUT ACCEPT_NAT' => 104,
  ':INPUT ACCEPT_NAT' => 105,
  'COMMIT_NAT' => 200
}
### Firewall
firewall 'default' do
  ipv6_enabled false
  action       :install
end
### NAT
firewall_rule 'postroute151' do
  raw '-A POSTROUTING -s 10.0.0.0/9 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT'
  position 151
end
firewall_rule 'postroute152' do
  raw '-A POSTROUTING -s 10.0.0.0/9 -o eth0 -j MASQUERADE'
  position 152
end
depends 'firewall', '~> 2.5.0'
Linux vpn-server-centos-71 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Chef: 12.8.1
# created by chef to allow service to start

martinb3 commented 8 years ago

Hi there -- we're using the packages from each OS for these providers. Is systemd able to start and stop iptables outside of Chef?

alexanderBendo commented 8 years ago

Same issue here. The problem is that in RHEL/CentOS 7 the service unit file for iptables is provided by the package iptables-services, but the cookbook installs just iptables. Installing that package solves the problem.
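The failure in the log above is a missing unit file, not a broken service: on RHEL/CentOS 7 the `iptables` package ships only the userspace tool, while `iptables.service` and the `/etc/sysconfig/iptables` loader come from `iptables-services`. The following pre-flight check is an added example, not code from the firewall cookbook; it reproduces the conditions that make `systemctl enable iptables` fail and names the remediation. The `ROOT` argument is an assumption introduced here so the check can be exercised against a constructed directory tree instead of a live host.

```shell
#!/bin/sh
# Added example (not part of the firewall cookbook). Checks whether a RHEL 7
# host has what `systemctl enable iptables` and `systemctl start iptables`
# need before Chef declares the service resource.
#
# ROOT (first argument, assumed parameter, defaults to the real filesystem)
# is prefixed to every path so the functions can be run against a temp tree.

# Directories systemd searches for unit files, relative to ROOT.
UNIT_DIRS="/usr/lib/systemd/system /etc/systemd/system"

# iptables_unit_present ROOT -> 0 if iptables.service exists under ROOT.
# The unit is installed by iptables-services, not by iptables itself.
iptables_unit_present() {
  root="${1:-}"
  for d in $UNIT_DIRS; do
    [ -f "${root}${d}/iptables.service" ] && return 0
  done
  return 1
}

# sysconfig_present ROOT -> 0 if /etc/sysconfig/iptables exists under ROOT.
# The unit's ExecStart restores rules from this file, so it must exist before
# the service starts (the cookbook creates an empty one, see the
# file[create empty /etc/sysconfig/iptables] resource in the run above).
sysconfig_present() {
  [ -f "${1:-}/etc/sysconfig/iptables" ]
}

# preflight ROOT -> prints the next remediation step and returns:
#   0  ready: enabling and starting the service can proceed
#   2  unit file missing: install iptables-services first
#   3  unit present but /etc/sysconfig/iptables missing: create it first
preflight() {
  root="${1:-}"
  if ! iptables_unit_present "$root"; then
    echo "missing iptables.service: install the iptables-services package"
    return 2
  fi
  if ! sysconfig_present "$root"; then
    echo "missing /etc/sysconfig/iptables: create it before starting the service"
    return 3
  fi
  echo "ok: iptables.service and /etc/sysconfig/iptables are present"
  return 0
}

# Usage on a real host (requires root):
#   preflight / || yum -y install iptables-services
#   systemctl enable iptables && systemctl start iptables
```

In cookbook terms the equivalent fix is to install `iptables-services` alongside `iptables` on RHEL 7 before the `service[iptables]` resource is declared; the check above is what you would run by hand to confirm a node is in the state the cookbook expects.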

martinb3 commented 8 years ago

I'm unable to reproduce the same output in CentOS 7.2. I get a successful converge, and:

# systemctl list-unit-files --no-pager | grep iptables
iptables.service                            enabled
# uname -a
Linux iptables-centos-72 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
# chef-solo -v
Chef: 12.8.1

Can you confirm what packages you have installed?

# rpm -qa | grep iptab
iptables-1.4.21-16.el7.x86_64
iptables-services-1.4.21-16.el7.x86_64

I wonder if there's a difference/bug in CentOS 7.1 and 7.2?

martinb3 commented 8 years ago

Same on CentOS 7.1:

# systemctl list-unit-files --no-pager | grep iptables
iptables.service                            enabled
# uname -a
Linux iptables-centos-71 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
# chef-solo -v
Chef: 12.8.1

Packages:

# rpm -qa | grep iptab
iptables-services-1.4.21-16.el7.x86_64
iptables-1.4.21-16.el7.x86_64

alexanderBendo commented 8 years ago

Here's what I have.

Before chef-run

# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 
# sudo rpm -qa | grep iptab
iptables-1.4.21-16.el7.x86_64
# uname -a
Linux default-centos-7 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

After chef-run

# sudo rpm -qa | grep iptab
iptables-1.4.21-16.el7.x86_64

This box was created using the default CentOS minimal install. I checked the .iso and indeed it does not include the package iptables-services:

# ls Packages|grep iptab
iptables-1.4.21-16.el7.x86_64.rpm

I ran yum update just in case, but it still does not install iptables-services.

martinb3 commented 8 years ago

@alexanderBendo If you install the iptables-services package, does it fix the issue? We may just be missing that.

alexanderBendo commented 8 years ago

@martinb3 yes, that solves the issue.

martinb3 commented 8 years ago

Could you give master a try and let us know if it fixes your issue? Thanks!

alexanderBendo commented 8 years ago

@martinb3 It works. Thank you very much!

martinb3 commented 8 years ago

Great! I'll do a release shortly.