
(MODULES-6136) Add zone property of CT target. #852

Merged
merged 4 commits into from
Sep 9, 2019

Conversation

rwf14f
Contributor

@rwf14f rwf14f commented Aug 1, 2019

Adds support for zone property of the CT target.

@sheenaajay
Contributor

Thanks for submitting the PR @rwf14f.

@@ -220,6 +220,8 @@ installed.

* ipvs: The ability to match IP Virtual Server packets.

* ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
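Review bot: the `* ct_target:` bullet added to the feature list in REFERENCE.md describes the target in general but says nothing about the `zone` parameter this PR introduces, nor that it is not available on every supported platform; the thread below shows iptables 1.4.7 on RHEL 6 rejecting `--zone` and ip6tables on OracleLinux and SLES returning "Operation not supported". Since REFERENCE.md is regenerated by puppet strings, as the reviewer notes, that restriction belongs in the zone parameter's docstring so it reaches the generated file.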
Contributor


We can remove the updates to the REFERENCE.md file.
Puppet stringify feature will add the updates to the file.

Contributor Author


I've used puppet stringify to update the file, but if you want I can revert the change.

Contributor


That's great. Thank you.

@sheenaajay
Contributor

@rwf14f Could you please rebase with the latest changes from master, so I can run the acceptance tests too. Thank you.

Adds support for zone property of CT target.
@sheenaajay
Contributor

The test cases are failing on the redhat6 platform. Could you please check the failures.
12:01:40 29) firewall attribute testing, happy path attributes test set log_uid
12:01:40 Failure/Error: apply_manifest(pp, catch_failures: true)
12:01:40 Beaker::Host::CommandFailure:
12:01:40 Host 'yxau81r2ebnqang.delivery.puppetlabs.net' exited with 6 running:
12:01:40 puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest.pp.eFXU67
12:01:40 Last 10 lines of output were:
12:01:40 Notice: /Stage[main]/Main/Firewall[1001 EF - set_dscp_class]/ensure: created
12:01:40 Info: Class[Main]: Unscheduling all events on Class[Main]
12:01:40 Error: Execution of '/sbin/iptables -I PREROUTING 1 -t raw -p all -j CT --zone 4000 -m comment --comment 1100 - ct_target tests - zone' returned 2: iptables v1.4.7: unknown option `--zone'
12:01:40 Try `iptables -h' or 'iptables --help' for more information.
12:01:40 Error: /Stage[main]/Main/Firewall[1100 - ct_target tests - zone]/ensure: change from 'absent' to 'present' failed: Execution of '/sbin/iptables -I PREROUTING 1 -t raw -p all -j CT --zone 4000 -m comment --comment 1100 - ct_target tests - zone' returned 2: iptables v1.4.7: unknown option `--zone'
12:01:40 Try `iptables -h' or 'iptables --help' for more information.
12:01:40 Notice: /Stage[main]/Firewall::Linux::Redhat/File[/etc/sysconfig/iptables]: Dependency Firewall[1100 - ct_target tests - zone] has failures: true
12:01:40 Warning: /Stage[main]/Firewall::Linux::Redhat/File[/etc/sysconfig/iptables]: Skipping because of failed dependencies
12:01:40 Warning: /Stage[main]/Firewall::Linux::Redhat/File[/etc/sysconfig/ip6tables]: Skipping because of failed dependencies
12:01:40 Notice: Applied catalog in 7.78 seconds

@rwf14f
Contributor Author

rwf14f commented Aug 21, 2019

That could be a problem. I believe the conntrack zones were introduced in kernel 2.6.34; Redhat 6 is still using 2.6.32, which makes this a feature that wouldn't be available on Redhat 6. Does the firewall module have a mechanism to exclude certain features for specific OS / kernel versions?
Or is it possible to add this restriction to the documentation and exclude the tests on RH6 systems?

@lionce
Contributor

lionce commented Aug 26, 2019

Hello @rwf14f ,

You can skip those specific tests from execution on redhat6. As an example, you can check firewall_attributes_ipv6_happy_path_spec. Please let us know if you need any help!

Cheers!

@rwf14f
Contributor Author

rwf14f commented Aug 29, 2019

If I read firewall_attributes_ipv6_happy_path_spec correctly, this disables all IPv6 tests on RH5/6 and SLES. I don't think doing this for the IPv4 tests as well is a good idea, so I've separated the zone tests into their own describe block. As this is not covered by the standard travis tests, can you please run your full acceptance test suite to see if this works?

@sheenaajay
Contributor

@rwf14f Sure. Ran the full test suite. And it's failing on the following two OS, Oracle7-64 and SLES 11-64, with the following error:
Error: Execution of '/usr/sbin/ip6tables -I PREROUTING 1 --wait -t raw -p all -j CT --zone 4000 -m comment --comment 1101 - ct_target tests - zone' returned 1: ip6tables: Operation not supported.
12:25:44 Error: /Stage[main]/Main/Firewall[1101 - ct_target tests - zone]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/sbin/ip6tables -I PREROUTING 1 --wait -t raw -p all -j CT --zone 4000 -m comment --comment 1101 - ct_target tests - zone' returned 1: ip6tables: Operation not supported.

@rwf14f
Contributor Author

rwf14f commented Sep 3, 2019

Can you send me the os facts for those OS (full hash please)?

@sheenaajay
Contributor

@rwf14f Sure

facter os
{
architecture => "x86_64",
family => "RedHat",
hardware => "x86_64",
name => "OracleLinux",
release => {
full => "7.2",
major => "7",
minor => "2"
},
selinux => {
config_mode => "enforcing",
current_mode => "enforcing",
enabled => true,
enforced => true,
policy_version => "28"
}
}

facter os
{
architecture => "x86_64",
family => "Suse",
hardware => "x86_64",
name => "SLES",
release => {
full => "12.1",
major => "12",
minor => "1"
},
selinux => {
enabled => false
}
}

@rwf14f
Contributor Author

rwf14f commented Sep 3, 2019

The latest changes should prevent the CT target tests from running on Oracle and Suse Linux.
Can you please run the test suite again?

@sheenaajay
Contributor

@rwf14f It shows the same failure. Hopefully, that will work. Thank you.

Could you please try the following variable: host_inventory['facter']['os']['name']
An example below:
((host_inventory['facter']['os']['name'] == 'OracleLinux')) || ((host_inventory['facter']['os']['name'] == 'Suse') && host_inventory['facter']['os']['release']['major'] == '11')

@rwf14f
Contributor Author

rwf14f commented Sep 9, 2019

I've updated the tests. I'm a bit puzzled about SLES though. According to the facts in #852 (comment), the family is Suse and the name is SLES, but all the tests use sles as family, and in #852 (comment) Suse is used as name.
Looking at the acceptance tests again, I'm wondering whether it would be better to move the test for the CT target to firewall_attributes_exceptions_spec.rb and firewall_attributes_ipv6_exceptions_spec.rb as well.

Can you run the test suite again?
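The platform-skip logic the thread converges on, written as an added example rather than code from the puppetlabs-firewall PR: a helper that decides from the facter `os` hash (what Beaker exposes as host_inventory['facter']['os']) whether the `-j CT --zone` acceptance tests should be skipped. The platform list is taken from the failures reported above, and the helper matches both the family spelling the existing tests use and the name facter actually reports, which is the SLES mismatch rwf14f describes; the fact hashes are constructed to mirror the `facter os` output pasted in the thread.

```ruby
# Added example, not part of the puppetlabs-firewall PR.  Returns true when
# the host cannot run "iptables -j CT --zone", so the zone tests should be
# skipped there.  Platforms come from the PR thread: RHEL 6 (iptables 1.4.7
# rejects --zone, kernel 2.6.32 predates conntrack zones), OracleLinux and
# SLES (ip6tables reports "Operation not supported").
def ct_zone_unsupported?(os)
  name   = os['name'].to_s
  family = os['family'].to_s
  major  = os.fetch('release', {})['major'].to_s

  return true if name == 'OracleLinux'
  # facter reports family "Suse" with name "SLES", while older specs key on
  # a family of 'sles'; match either spelling so neither form slips through.
  return true if family.casecmp('suse').zero? || name.casecmp('sles').zero?
  # RHEL 6 ships kernel 2.6.32; conntrack zones arrived in 2.6.34.
  return true if family == 'RedHat' && major == '6'

  false
end

# Constructed fact hashes, shaped like the two `facter os` dumps in the thread
# (the RHEL 6 and CentOS 7 entries are made up for the example).
ORACLE7 = { 'family' => 'RedHat', 'name' => 'OracleLinux',
            'release' => { 'full' => '7.2', 'major' => '7', 'minor' => '2' } }
SLES12  = { 'family' => 'Suse', 'name' => 'SLES',
            'release' => { 'full' => '12.1', 'major' => '12', 'minor' => '1' } }
RHEL6   = { 'family' => 'RedHat', 'name' => 'RedHat',
            'release' => { 'full' => '6.10', 'major' => '6', 'minor' => '10' } }
CENTOS7 = { 'family' => 'RedHat', 'name' => 'CentOS',
            'release' => { 'full' => '7.6', 'major' => '7', 'minor' => '6' } }

# In a Beaker spec file the helper would gate the describe block, e.g.
#   describe 'ct_target zone',
#            unless: ct_zone_unsupported?(host_inventory['facter']['os']) do
#     ...
#   end
[ORACLE7, SLES12, RHEL6, CENTOS7].each do |os|
  puts "#{os['name']} #{os['release']['full']}: skip=#{ct_zone_unsupported?(os)}"
end
```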

@sheenaajay
Contributor


@rwf14f All good. The test suites are running clean. Thank you for submitting the PR.

@sheenaajay sheenaajay merged commit 3fc0ae9 into puppetlabs:master Sep 9, 2019