Hi everyone,

I am working now to introduce the puppet firewall module to our environment.

On the first run, all our rules are deployed on the server with no errors.

However, on subsequent runs, even without changing rules, I get errors like
the following:

The iptables provider can not handle attribute proto..... I get multiple
errors, but the rules work if I stop iptables and clear the
/etc/sysconfig/iptables file.

I have turned purging on for the firewall resource, but it seems like the
resource is not actually purging all rules before running. ( resources {
'firewall': purge => 'true', } )

I am running puppet 3.0.1 and have grabbed the latest puppet firewall
module from github.

Thanks,
Chuck

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/RuHfbwhb5FAJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Jeff McCune at Nov 20, 2012 at 9:36 pm

    On Tue, Nov 20, 2012 at 4:09 PM, gilbertc777 wrote:
    Hi everyone,

    I am working now to introduce the puppet firewall module to our environment.

    On the first run, all our rules are deployed on the server with no errors.

    However, on subsequent runs, even without changing rules, I get errors like
    the following:

    The iptables provider can not handle attribute proto.....i get multiple
    errors but the rules work if I stop iptables and clear the
    /etc/sysconfig/iptables file.

    I'm having difficulty understanding the nature of the problem, could
    you run the agent with --verbose and --debug turned on and paste the
    full output? This will help us troubleshoot the problem more
    efficiently.

    -Jeff

  • Charles Gilbert at Nov 20, 2012 at 10:51 pm
    Hi Jeff,

    Let me try to clarify as the node is on a disconnected network and I am not
    able to transmit logs from it.

    If I stop iptables, delete everything in the file, and then run the
    firewall rules on the server, all the rules are applied with no errors.

    However, when I trigger another run of puppet, on that same node after the
    rules have been added, the puppet run fails with errors in regards to the
    iptables provider can not handle fields like proto, log_level etc that had
    worked on first run. It seems to me that we need to flush all rules and
    then the class should execute to apply the firewall rules. To flush the
    rules, I set the resources purge true for firewall.

    Not really sure if this clarified anything. When I ran debug myself, I
    did not see the purge actually execute as I would expect.
  • Jakov Sosic at Nov 20, 2012 at 11:11 pm

    On 11/20/2012 11:51 PM, Charles Gilbert wrote:
    Hi Jeff,

    Let me try to clarify as the node is on a disconnected network and I am
    not able to transmit logs from it.

    If I stop iptables, delete everything in the file, and then run the
    firewall rules on the server, all the rules are applied with no errors.

    However, when I trigger another run of puppet, on that same node after
    the rules have been added, the puppet run fails with errors in regards
    to the iptables provider can not handle fields like proto, log_level etc
    that had worked on first run. It seems to me that we need to flush all
    rules and then the class should execute to apply the firewall rules. To
    flush the rules, I set the resources purge true for firewall.

    Not really sure if this clarified anything. When I ran debug myself,
    I did not see the purge actually execute as I would expect.

    Shouldn't purge only remove rules that were added and are not managed by puppet?


    --
    Jakov Sosic
    www.srce.unizg.hr

  • Charles Gilbert at Nov 20, 2012 at 11:28 pm
    That may be the case. I am relatively new to puppet and am still getting
    used to some of the features. Does what I describe ring a bell to anyone
    though?
  • Charles Gilbert at Nov 20, 2012 at 11:42 pm
    For what it's worth:

    This seems to resemble my problem:
    http://projects.puppetlabs.com/issues/16675

    I will attempt to track this to see if any changes get pushed.
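
Added example, not part of the thread and not the posters' manifest: a minimal layout for the firewall module that shows what `resources { 'firewall': purge => true }` does. Puppet core's `resources` type removes rules found on the host that are not declared in the catalog; it does not flush the table and re-apply everything on each run. The class names `my_fw::pre` and `my_fw::post`, the rule titles, and the rule values are assumptions made for illustration.

```puppet
# Hypothetical site manifest (example only).

# Remove any firewall rule present on the node but absent from the catalog.
# Declared rules are compared in place; nothing is flushed first.
resources { 'firewall':
  purge => true,
}

# Every rule is applied after the baseline and before the final drop.
Firewall {
  require => Class['my_fw::pre'],
  before  => Class['my_fw::post'],
}

class my_fw::pre {
  # Baseline rules must not require their own class.
  Firewall { require => undef }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}

class my_fw::post {
  # Log, then drop, whatever no earlier rule accepted.
  firewall { '998 log before drop':
    proto      => 'all',
    jump       => 'LOG',
    log_level  => '4',          # assumed value
    log_prefix => 'fw-drop: ',  # assumed value
    before     => undef,
  }
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

include my_fw::pre
include my_fw::post

firewall { '100 allow ssh':
  proto  => 'tcp',
  dport  => 22,
  action => 'accept',
}
```

A second `puppet apply --noop` of the same manifest is a quick idempotency check: with an unchanged host it should report no pending changes, and a rule added by hand should show up as one that would be purged.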

Discussion Overview
group: puppet-users
categories: puppet
posted: Nov 20, '12 at 9:09p
active: Nov 20, '12 at 11:42p
posts: 6
users: 3
website: puppetlabs.com