search

sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0
99 stars 150 forks source link

Error executing action `restart` on resource 'service[iptables]' #176

Closed ghost closed 7 years ago

ghost commented 7 years ago

Cookbook version

2.6.2

Chef-client version

13.2.20

Platform Details

CentOS release 6.9 (Final)

# iptables --version
iptables v1.4.7

cookbook 

firewall 'default' do
    action :install
end
firewall_rule 'mysql' do
    port      3306
    protocol  :tcp
    position  0
    command   :allow
end
# cat /etc/sysconfig/iptables
# position 0
-A INPUT -p tcp -m tcp -m multiport --dports 22 -m comment --comment "ssh" -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 3306 -m comment --comment "mysql" -j ACCEPT
# position 1
*filter
# position 2
:INPUT DROP
# position 3
:FORWARD DROP
# position 4
:OUTPUT ACCEPT
# position 100
COMMIT
# service iptables restart
iptables: Applying firewall rules: iptables-restore: line 2 failed
                                                           [FAILED]

Chef Output

--- /etc/sysconfig/ip6tables    2017-08-01 21:48:03.091009003 -0400
==> mysql:
==> mysql: +++ /etc/sysconfig/.chef-ip6tables20170801-5056-m44out   2017-08-01 21:48:57.155009002 -0400
==> mysql:
==> mysql: @@ -1,2 +1,14 @@
==> mysql:
==> mysql: -# created by chef to allow service to start
==> mysql:
==> mysql: +# position 0
==> mysql:
==> mysql: +-A INPUT -p tcp -m tcp -m multiport --dports 22 -m comment --comment "ssh" -j ACCEPT
==> mysql:
==> mysql:       +-A INPUT -p tcp -m tcp -m multiport --dports 3306 -m comment --comment "mysql" -j ACCEPT
==> mysql:       +# position 1
==> mysql:       +*filter
==> mysql:       +# position 2
==> mysql:       +:INPUT DROP
==> mysql:       +# position 3
==> mysql:       +:FORWARD DROP
==> mysql:       +# position 4
==> mysql:       +:OUTPUT ACCEPT
==> mysql:       +# position 100
==> mysql:       +COMMIT
==> mysql:
==> mysql:       - restore selinux security context
==> mysql:
==> mysql: [2017-08-01T21:48:57-04:00] INFO: firewall[default] sending restart action to service[iptables] (delayed)
==> mysql:   * service[iptables] action restart
==> mysql:
==> mysql:
==> mysql:
==> mysql: ================================================================================
==> mysql:
==> mysql: Error executing action `restart` on resource 'service[iptables]'
==> mysql:
==> mysql: ================================================================================
==> mysql:
==> mysql:
==> mysql:
==> mysql:
==> mysql: Mixlib::ShellOut::ShellCommandFailed
==> mysql:
==> mysql: ------------------------------------
==> mysql:
==> mysql:     Expected process to exit with [0], but received '1'
==> mysql:     ---- Begin output of /sbin/service iptables start ----
==> mysql:     STDOUT: iptables: Applying firewall rules: [FAILED]
==> mysql:     STDERR: iptables-restore: line 2 failed
==> mysql:     ---- End output of /sbin/service iptables start ----
==> mysql:     Ran /sbin/service iptables start returned 1
==> mysql:
==> mysql:     Resource Declaration:
==> mysql:     ---------------------
==> mysql:     # In /var/chef/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb
==> mysql:
==> mysql:     153:         iptables_service = service name do
==> mysql:     154:           action :nothing
==> mysql:     155:         end
==> mysql:     156:       end
==> mysql:
==> mysql:     Compiled Resource:
==> mysql:     ------------------
==> mysql:     # Declared in /var/chef/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb:153:in `rescue in lookup_or_create_service'
==> mysql:
==> mysql:     service("iptables") do
==> mysql:       action [:nothing]
==> mysql:       default_guard_interpreter :default
==> mysql:       service_name "iptables"
==> mysql:       enabled nil
==> mysql:       running nil
==> mysql:       masked nil
==> mysql:       pattern "iptables"
==> mysql:       declared_type :service
==> mysql:       cookbook_name "mysql-drupal"
==> mysql:     end
==> mysql:
==> mysql:     System Info:
==> mysql:     ------------
==> mysql:     chef_version=13.2.20
==> mysql:     platform=centos
==> mysql:     platform_version=6.9
==> mysql:     ruby=ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
==> mysql:     program_name=chef-client worker: ppid=5051;start=21:47:50;
==> mysql:     executable=/opt/chef/bin/chef-client
==> mysql:
==> mysql: [2017-08-01T21:48:58-04:00] INFO: firewall[default] sending restart action to service[ip6tables] (delayed)
==> mysql:   * service[ip6tables] action restart
==> mysql:
martinb3 commented 7 years ago

Hi there -- if you put position 0, you're putting your rule ahead of the *filter table declaration. You probably don't want to do that, unless you're trying to make a rule for another table, like *nat or *mangle. The default position, when omitted, is 50. If you don't need to jump ahead and insert special things inside the file containing rules, you should probably leave it at the default.

You can see the existing file and positions at https://github.com/chef-cookbooks/firewall/blob/master/attributes/iptables.rb#L6-L12.

This mechanism you're running into is the first thing described under "iptables considerations" in the README.md as well: https://github.com/chef-cookbooks/firewall#iptables-considerations

ghost commented 7 years ago

Thanks. I'll close this issue.