Closed Bug 1406929 Opened 7 years ago Closed 7 years ago

Kickstart for Ubuntu 16.04 fails with iptables_save error

Categories

(Infrastructure & Operations :: RelOps: Puppet, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dragrom, Assigned: dragrom)

Attachments

(1 file, 2 obsolete files)

Thu Oct 05 16:12:47 -0700 2017 /Stage[main]/Main/Resources[firewall] (err): Failed to generate additional resources using 'generate': Command iptables_save is missing
Assignee: relops → dcrisan
Status: NEW → ASSIGNED
Added iptables packages to Ubuntu 16
Attachment #8916964 - Flags: review?(jwatkins)
Attachment #8916964 - Flags: review?(dhouse)
Comment on attachment 8916964 [details] [diff] [review]
Bug_1406929_Install_iptables_to_Ubuntu.patch

++
Attachment #8916964 - Flags: review?(dhouse) → review+
Comment on attachment 8916964 [details] [diff] [review]
Bug_1406929_Install_iptables_to_Ubuntu.patch

Review of attachment 8916964 [details] [diff] [review]:
-----------------------------------------------------------------

Looks fine except this breaks the 12.04 hosts in scl3.  Please see inline comments.

::: modules/packages/manifests/iptables.pp
@@ +22,5 @@
> +        Ubuntu: {
> +            # Install iptables on Ubuntu
> +            case $::operatingsystemrelease {
> +                # Segregate by operatingsystem release, to make sure not break something in Ubunu 12.04
> +                # In the future we can install iptables package in Ubuntu 12.04  
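
Review bot: the two comment lines inside `case $::operatingsystemrelease` need cleanup: 'Ubunu' is a typo for 'Ubuntu', 'to make sure not break' is missing a word, and the line ending 'Ubuntu 12.04' has trailing whitespace. Since the stated intent is to leave 12.04 untouched, give that release its own explicit branch (or a default) in this case, with a comment saying why nothing is installed there, so that a release the case does not match is a deliberate no-op rather than an omission.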

TWS but more importantly, you need to handle 12.04 because there are currently a lot of talos-linux64-ix hosts in scl3 that are running 12.04 and have iptables enabled.  This would cause all those to fail their puppet runs. I would suggest adding a case for 12.04 with just a comment stating 12.04 does not have a problem having the firewall puppet module install iptables therefore this workaround is not needed.
Attachment #8916964 - Flags: review?(jwatkins) → review-
Added iptables and iptables-persistent packages to Ubuntu 12.04 and Ubuntu 16.04
Attachment #8916964 - Attachment is obsolete: true
Attachment #8917276 - Flags: review?(jwatkins)
Attachment #8917276 - Flags: review?(dhouse)
Added iptables and iptables-persistent to Ubuntu 16.04
Added a case for Ubuntu 12.04, with a comment that mentions no action needs to be done
Attachment #8917276 - Attachment is obsolete: true
Attachment #8917276 - Flags: review?(jwatkins)
Attachment #8917276 - Flags: review?(dhouse)
Attachment #8917278 - Flags: review?(jwatkins)
Attachment #8917278 - Flags: review?(dhouse)
Attachment #8917278 - Flags: review?(dhouse) → review+
I kickstarted 299 and then applied this iptables patch, then I added the fw profile. No problems and the firewall rules were applied.
I kickstarted 298 with this iptables patch and the fw profile at the same time. However, it looks like puppet tries to apply the fw profile first and so it fails to find iptables (since it is not installed yet). So I think we need to put a require of iptables into the fw module.
(In reply to Dave House [:dhouse] from comment #6)
> I kickstarted 299 and then applied this iptables patch, then I added the fw
> profile. No problems and the firewall rules were applied.
> I kickstarted 298 with this iptables patch and the fw profile at the same
> time. However, it looks like puppet tries to apply the fw profile first and
> so it fails to find iptables (since it is not installed yet). So I think we
> need to put a require of iptables into the fw module.

The iptables patch needs to be applied into production, to install iptables at kickstart. The iptables package is called in site.pp.
Attachment #8917278 - Flags: review?(jwatkins) → review+
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Tested on t-linux64-xe-297.test.releng.mdc1.mozilla.com and everything went fine