sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0

firewall_rule is not working as expected for ubuntu #162

Closed e21347 closed 7 years ago

e21347 commented 7 years ago

Cookbook version

2.5.4

Chef-client version

Chef DK: 1.3.40 chef-client: 12.19.36 OS: macOS Sierra (10.12.4) & MS Windows 10 x64

Platform Details

Ubuntu 16.04

Scenario:

Add a firewall_rule.

Steps to Reproduce:

File attributes/default.rb

default['firewall']['allow_ssh'] = true

File recipes/default.rb

include_recipe 'firewall'

firewall_rule 'enable web access' do
  port [80, 443]
end

File metadata.rb

depends 'firewall'

user@chefdk:~$ kitchen converge

or

user@chefdk:~$ kitchen destroy; kitchen converge

then

user@chefdk:~$ kitchen login

Expected Result:

vagrant@default-ubuntu-1604:~$ sudo ufw status

Status: active
...

vagrant@default-ubuntu-1604:~$ sudo ufw show added

Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80,443/tcp

Actual Result:

vagrant@default-ubuntu-1604:~$ sudo ufw status

Status: active

vagrant@default-ubuntu-1604:~$ sudo ufw show added

Added user rules (see 'ufw status' for running firewall):
(None)
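The failure reported above is silent: the converge succeeds, but `ufw show added` reports `(None)`. The following is an added example, not code from the firewall cookbook or from anyone in this thread, of a small post-converge check that parses the output of `sudo ufw show added` and lists which expected rules are missing, so a run that adds nothing fails loudly in a CI or `kitchen verify` step instead of being discovered later by hand. The function names, the `EXPECTED_RULES` list and the two sample outputs are assumptions constructed for this example; the expected rule text is written in the normalised form ufw itself prints (`80,443/tcp` for a rule declared as `port [80, 443]`), as shown in the Expected Result above.

```ruby
# Added example (not part of the firewall cookbook or this issue): verify that
# the ufw rules a recipe is supposed to add are actually present on the node.

# Parse the text printed by `sudo ufw show added` into a list of rule strings.
# The header line and ufw's "(None)" placeholder are dropped, so an empty
# rule set comes back as an empty array.
def parse_ufw_added(output)
  output.lines.map(&:strip).reject do |line|
    line.empty? || line.start_with?('Added user rules') || line == '(None)'
  end
end

# Return the expected rules that do not appear in the output. Order does not
# matter; comparison is exact on ufw's normalised rule text.
def missing_rules(output, expected)
  present = parse_ufw_added(output)
  expected.reject { |rule| present.include?(rule) }
end

# True when every expected rule was added; this is the value a verify step
# should fail on.
def converge_ok?(output, expected)
  missing_rules(output, expected).empty?
end

# Human-readable summary for a CI log.
def report(output, expected)
  missing = missing_rules(output, expected)
  return 'all expected ufw rules present' if missing.empty?

  "missing ufw rules: #{missing.join(', ')}"
end

# Rules the recipe in the issue should produce (assumed for this example):
# 22/tcp from default['firewall']['allow_ssh'] = true, and 80,443/tcp from the
# firewall_rule resource.
EXPECTED_RULES = ['ufw allow 22/tcp', 'ufw allow 80,443/tcp'].freeze

# Constructed sample output mirroring the "Actual Result" above (nothing added).
BROKEN_OUTPUT = <<~UFW
  Added user rules (see 'ufw status' for running firewall):
  (None)
UFW

# Constructed sample output mirroring the "Expected Result" above.
HEALTHY_OUTPUT = <<~UFW
  Added user rules (see 'ufw status' for running firewall):
  ufw allow 22/tcp
  ufw allow 80,443/tcp
UFW

if __FILE__ == $PROGRAM_NAME
  # On a real node, replace these constants with the captured output of
  # `sudo ufw show added` and exit non-zero when converge_ok? is false.
  puts "broken converge:  #{report(BROKEN_OUTPUT, EXPECTED_RULES)}"
  puts "healthy converge: #{report(HEALTHY_OUTPUT, EXPECTED_RULES)}"
  exit(converge_ok?(HEALTHY_OUTPUT, EXPECTED_RULES) ? 0 : 1)
end
```

Dropping this into the Test Kitchen verify stage (or a hand-written smoke test) turns the behaviour described in this issue, a converge that reports success while the firewall is left with no user rules, into a failing check. Because `ufw show added` prints rules in its own normalised form, keep the expected list in that form rather than in the recipe's declaration syntax.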

trappar commented 7 years ago

This appears to be an incompatibility with Chef 13. I tried pinning the Chef version to 12.19.36 (the latest version of Chef 12 currently available) and everything started working once again. It's troubling that this is failing totally silently, and even more troubling that running this on Chef 12 doesn't produce any deprecation warnings. This issue may actually be high priority to the Chef team... I'm not sure how to get the word out though...

martinb3 commented 7 years ago

@trappar @e21347 Have you tried this against the latest cookbook from git? The master branch should be compatible with Chef 13, but I haven't done a release yet as I'm looking for testing feedback. Any feedback would be much appreciated! :)

@e21347 RE: failures on Chef 12 -- our test suites on Chef 12 look very similar to this; they are passing. I went ahead and tried to reproduce this one on the latest master as well, and I see the rules being added (see below). Will you also give the latest master a try? Thanks!

       [2017-04-17T13:21:09+00:00] INFO: file[/etc/default/ufw-chef.rules] updated file contents /etc/default/ufw-chef.rules

         - update content in file /etc/default/ufw-chef.rules from fa85ee to 67eff2
         --- /etc/default/ufw-chef.rules    2017-04-17 13:21:09.941933948 +0000
         +++ /etc/default/.chef-ufw-chef20170417-2487-1brja4d.rules 2017-04-17 13:21:09.965945947 +0000
         @@ -1,2 +1,6 @@
         -# created by chef to allow service to start
         +# position 50
         +ufw allow in on lo to any from any
         +ufw allow in proto tcp to any port 22 from 0.0.0.0/0
         +ufw allow in proto udp to any port 60000:61000 from 0.0.0.0/0
         +ufw allow in proto tcp to any port 443,80 from any
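Review bot: the SSH rule `+ufw allow in proto tcp to any port 22 from 0.0.0.0/0` (and the `60000:61000` udp rule beside it) restricts the source to IPv4, while the web rule `+ufw allow in proto tcp to any port 443,80 from any` covers both address families; the `ufw status` output further down confirms the asymmetry, listing `80,443/tcp (v6)` but no v6 entry for `22/tcp` or the udp range. If IPv6 access on those ports is intended, the rules should use `from any` (or add an explicit `::/0` source next to `0.0.0.0/0`); if the IPv4-only scope is deliberate, a comment in the generated file would keep it from being read as a gap.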

       [2017-04-17T13:21:11+00:00] INFO: Chef Run complete in 8.573116421 seconds

       Running handlers:
       [2017-04-17T13:21:11+00:00] INFO: Running report handlers
       Running handlers complete
       [2017-04-17T13:21:11+00:00] INFO: Report handlers complete
       Chef Client finished, 15/34 resources updated in 09 seconds
       Finished converging <default-ubuntu-1604> (0m11.54s).
-----> Kitchen is finished. (0m14.58s)
➜  firewall git:(master) ✗ kitchen login default-ubuntu-1604
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-31-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Mon Apr 17 13:21:00 2017 from 10.0.2.2
vagrant@default-ubuntu-1604:~$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow in on lo
ufw allow 22/tcp
ufw allow 60000:61000/udp
ufw allow 80,443/tcp
vagrant@default-ubuntu-1604:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere on lo             ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
60000:61000/udp            ALLOW       Anywhere
80,443/tcp                 ALLOW       Anywhere
Anywhere (v6) on lo        ALLOW       Anywhere (v6)
80,443/tcp (v6)            ALLOW       Anywhere (v6)

trappar commented 7 years ago

@martinb3 I just tried the newly released 2.6.0 and it looks like it's working fine. Thanks for the quick fix!

martinb3 commented 7 years ago

Great! I'll go ahead and close this. Thanks @trappar!

e21347 commented 7 years ago

@martinb3 v2.6.0 is working as expected. Thanks! Sorry, I didn't get to give master a try before you released 2.6.