sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0

RHEL 7 - error when enabling firewalld when firewalld is masked #192

Open james-stocks opened 6 years ago

james-stocks commented 6 years ago

Cookbook version

v2.6.3

Chef-client version

Chef Development Kit Version: 2.5.3
chef-client version: 13.8.5
delivery version: master (73ebb72a6c42b3d2ff5370c476be800fee7e5427)
berks version: 6.3.1
kitchen version: 1.20.0
inspec version: 1.51.21

Platform Details

RHEL 7 instance on EC2, using CIS Red Hat Enterprise Linux 7 Benchmark v2.1.1.1 AMI

Scenario:

Applying this cookbook. On this image, firewalld is masked.

Steps to Reproduce:

Simply including include_recipe 'firewall'

Expected Result:

Cookbook completes with firewalld enabled. If the service is already present but masked, the cookbook should unmask it.

Actual Result:

Error appears:

       [2018-03-13T14:55:17+00:00] ERROR: Running exception handlers
       Running handlers complete
       [2018-03-13T14:55:17+00:00] ERROR: Exception handlers complete
       Chef Client failed. 12 resources updated in 01 minutes 17 seconds
       [2018-03-13T14:55:17+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2018-03-13T14:55:17+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2018-03-13T14:55:17+00:00] ERROR: firewall[default] (firewall::default line 22) had an error: Mixlib::ShellOut::ShellCommandFailed: service[firewalld] (/tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb line 161) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
       ---- Begin output of /bin/systemctl --system enable firewalld ----
       STDOUT:
       STDERR: Failed to execute operation: Cannot send after transport endpoint shutdown
       ---- End output of /bin/systemctl --system enable firewalld ----
       Ran /bin/systemctl --system enable firewalld returned 1
       [2018-03-13T14:55:17+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Converge failed on instance <rhel7-rhel-7>.  Please see .kitchen/logs/rhel7-rhel-7.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

Workaround:

Log onto the instance and unmask the service (systemctl unmask firewalld)

james-stocks commented 6 years ago

I think this is an issue lower down in Chef and not a bug with this cookbook, because I can reproduce the error by directly working with the service resource (outside of this cookbook)...

[root@machine cookbooks]# /opt/chef/bin/chef-apply -e "service 'firewalld' do action :enable end"
Recipe: (chef-apply cookbook)::(chef-apply recipe)
  * service[firewalld] action enable

    ================================================================================
    Error executing action `enable` on resource 'service[firewalld]'
    ================================================================================

    Mixlib::ShellOut::ShellCommandFailed
    ------------------------------------
    Expected process to exit with [0], but received '1'
    ---- Begin output of /bin/systemctl --system enable firewalld ----
    STDOUT:
    STDERR: Failed to execute operation: Cannot send after transport endpoint shutdown
    ---- End output of /bin/systemctl --system enable firewalld ----
    Ran /bin/systemctl --system enable firewalld returned 1

    Resource Declaration:
    ---------------------
    # In /tmp/recipe-temporary-file20180314-3307-1fmeg5o

      1: service 'firewalld' do action :enable end

    Compiled Resource:
    ------------------
    # Declared in /tmp/recipe-temporary-file20180314-3307-1fmeg5o:1:in `run_chef_recipe'

    service("firewalld") do
      action [:enable]
      default_guard_interpreter :default
      service_name "firewalld"
      enabled nil
      running nil
      masked nil
      pattern "firewalld"
      declared_type :service
      cookbook_name "(chef-apply cookbook)"
      recipe_name "(chef-apply recipe)"
    end

    System Info:
    ------------
    chef_version=13.8.5
    platform=redhat
    platform_version=7.4
    ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
    program_name=/opt/chef/bin/chef-apply
    executable=/opt/chef/bin/chef-apply

[2018-03-14T15:14:08+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2018-03-14T15:14:08+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2018-03-14T15:14:08+00:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: service[firewalld] ((chef-apply cookbook)::(chef-apply recipe) line 1) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of /bin/systemctl --system enable firewalld ----
STDOUT:
STDERR: Failed to execute operation: Cannot send after transport endpoint shutdown
---- End output of /bin/systemctl --system enable firewalld ----
Ran /bin/systemctl --system enable firewalld returned 1
[root@machine cookbooks]#

Applying the :unmask action like this before running the recipe will allow it to succeed...

service 'firewalld' do
  action :unmask
end

...but this service resource cannot be used anywhere in libraries/provider_firewall_firewalld.rb, it just throws the same error. Applying this resource outside of libraries/provider_firewall_firewalld.rb (e.g. at this line: https://github.com/chef-cookbooks/firewall/blob/master/recipes/default.rb#L21 ) will unmask the service and allow the recipe to complete; but that is not an acceptable workaround since it bypasses the firewall provider.
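An added example illustrating the two comments above; it is not code from the issue or from the firewall cookbook. It reads the unit-file state with `systemctl is-enabled`, clears the masked state before `systemctl enable` is attempted, and takes an injectable `runner` so the masked-unit failure can be exercised without a real systemd host (the module and function names are this example's own).

```ruby
require 'open3'

# Added example, not the cookbook's own code: remove the masked state before
# `systemctl enable`, which on RHEL 7 exits 1 with "Failed to execute operation:
# Cannot send after transport endpoint shutdown" when the unit is masked.
module SafeEnable
  # Real runner: execute a systemctl subcommand, return [stdout, exit_status].
  def self.systemctl(subcommand, unit)
    out, _err, st = Open3.capture3('/bin/systemctl', '--system', subcommand, unit)
    [out, st.exitstatus]
  end

  # Interpret `systemctl is-enabled <unit>`: stdout carries the unit-file state
  # (enabled, disabled, masked, masked-runtime, static, indirect); an unknown
  # unit prints nothing on stdout and exits non-zero.
  def self.unit_file_state(unit, runner)
    out, status = runner.call('is-enabled', unit)
    word = out.to_s.lines.first.to_s.strip
    return :not_found if word.empty? && status != 0
    word.empty? ? :unknown : word.to_sym
  end

  # Ordered steps needed before the unit counts as enabled. Masking must be
  # removed first; static/indirect units have no [Install] section and are
  # not enabled directly, so nothing is done for them here.
  def self.plan(state)
    case state
    when :masked, :'masked-runtime' then [:unmask, :enable]
    when :disabled then [:enable]
    when :enabled, :static, :indirect then []
    when :not_found then raise ArgumentError, 'unit file not found'
    else [:enable]
    end
  end

  # Run the plan through the runner and return the steps executed. A failing
  # step raises, as Mixlib::ShellOut does inside a Chef run.
  def self.ensure_enabled(unit, runner: method(:systemctl))
    steps = plan(unit_file_state(unit, runner))
    steps.each do |step|
      out, status = runner.call(step.to_s, unit)
      raise "systemctl #{step} #{unit} exited #{status}: #{out}" unless status.zero?
    end
    steps
  end
end
```

On a real host `SafeEnable.ensure_enabled('firewalld')` uses `/bin/systemctl` directly; in a cookbook the same ordering corresponds to running the service resource's `:unmask` action before `:enable`.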