(MODULES-6136) Add zone property of CT target.

[rwf14f]

Adds support for zone property of the CT target.

[sheenaajay]

Thanks for submitting the PR @rwf14f .

[sheenaajay]

We can remove the updates to the REFERENCE.md file.
Puppet stringify feature will add the updates to the file.

[rwf14f]

I've used puppet stringify to update the file, but if you want I can revert the change.

[sheenaajay]

Thats great.Thank you.

[sheenaajay]

@rwf14f Could you please rebase with the latest changes from master. So I can run the acceptance tests too. Thank you.

[sheenaajay]

The testcases are failing on redhat6 platform.Could you please check the failures.
12:01:40 29) firewall attribute testing, happy path attributes test set log_uid 12:01:40 Failure/Error: apply_manifest(pp, catch_failures: true) 12:01:40 Beaker::Host::CommandFailure: 12:01:40 Host 'yxau81r2ebnqang.delivery.puppetlabs.net' exited with 6 running: 12:01:40 puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest.pp.eFXU67 12:01:40 Last 10 lines of output were: 12:01:40 Notice: /Stage[main]/Main/Firewall[1001 EF - set_dscp_class]/ensure: created 12:01:40 Info: Class[Main]: Unscheduling all events on Class[Main] 12:01:40 Error: Execution of '/sbin/iptables -I PREROUTING 1 -t raw -p all -j CT --zone 4000 -m comment --comment 1100 - ct_target tests - zone' returned 2: iptables v1.4.7: unknown option --zone'
12:01:40 Try iptables -h' or 'iptables --help' for more information. 12:01:40 Error: /Stage[main]/Main/Firewall[1100 - ct_target tests - zone]/ensure: change from 'absent' to 'present' failed: Execution of '/sbin/iptables -I PREROUTING 1 -t raw -p all -j CT --zone 4000 -m comment --comment 1100 - ct_target tests - zone' returned 2: iptables v1.4.7: unknown option --zone'
12:01:40 Try iptables -h' or 'iptables --help' for more information. 12:01:40 Notice: /Stage[main]/Firewall::Linux::Redhat/File[/etc/sysconfig/iptables]: Dependency Firewall[1100 - ct_target tests - zone] has failures: true 12:01:40 Warning: /Stage[main]/Firewall::Linux::Redhat/File[/etc/sysconfig/iptables]: Skipping because of failed dependencies 12:01:40 Warning: /Stage[main]/Firewall::Linux::Redhat/File[/etc/sysconfig/ip6tables]: Skipping because of failed dependencies 12:01:40 Notice: Applied catalog in 7.78 seconds 12:01:40 <img width="1192" alt="Screen Shot 2019-08-13 at 12 11 42" src="https://user-images.githubusercontent.com/20660680/62937147-a40b7f00-bdc3-11e9-9b12-0e2e41224c27.png">

[rwf14f]

That could be a problem. I believe the conntrack zones were introduced in kernel 2.6.34, Redhat 6 is still using 2.6.32 which makes this a feature which wouldn't be available on Redhat 6. Does the firewall module have a mechanism to exclude certain features for specific OS / kernel versions ?
Or is it possible to add this restriction to the documentation and exclude the tests on RH6 systems ?

[lionce]

Hello @rwf14f ,

You can skip those specific tests from execution on redhat6. As an example, you can check firewall_attributes_ipv6_happy_path_spec. Please let us know if you need any help!

Cheers!

[rwf14f]

If I read firewall_attributes_ipv6_happy_path_spec correctly, this disables all IPv6 tests on RH5/6 and SLES. I don't think doing this for the IPv4 tests as well is a good idea, so I've separated the zone tests into its own describe block. As this is not covered by the standard travis tests, can you please run your full acceptance test suite to see if this works ?

[sheenaajay]

@rwf14f Sure.Ran the full test suite.And its failing on the following two OS Oracle7-64 and SLES 11-64,with the following error
Error: Execution of '/usr/sbin/ip6tables -I PREROUTING 1 --wait -t raw -p all -j CT --zone 4000 -m comment --comment 1101 - ct_target tests - zone' returned 1: ip6tables: Operation not supported.
12:25:44 Error: /Stage[main]/Main/Firewall[1101 - ct_target tests - zone]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/sbin/ip6tables -I PREROUTING 1 --wait -t raw -p all -j CT --zone 4000 -m comment --comment 1101 - ct_target tests - zone' returned 1: ip6tables: Operation not supported.

[rwf14f]

Can you send me the os facts for those OS (full hash please) ?

[sheenaajay]

@rwf14f Sure

facter os
{
architecture => "x86_64",
family => "RedHat",
hardware => "x86_64",
name => "OracleLinux",
release => {
full => "7.2",
major => "7",
minor => "2"
},
selinux => {
config_mode => "enforcing",
current_mode => "enforcing",
enabled => true,
enforced => true,
policy_version => "28"
}
}

facter os
{
architecture => "x86_64",
family => "Suse",
hardware => "x86_64",
name => "SLES",
release => {
full => "12.1",
major => "12",
minor => "1"
},
selinux => {
enabled => false
}
}

[rwf14f]

The latest changes should prevent the CT target tests to run on Oracle and Suse Linux.
Can you please run the test suite again ?

[sheenaajay]

@rwf14f It shows the same failure. Hopefully, that will work. Thank you.

Could you please try the following variable host_inventory['facter']['os']['name']
An example below
(host_inventory['facter']['os']['name'] == 'OracleLinux')) || ((host_inventory['facter']['os']['name'] == 'Suse') && host_inventory['facter']['os']['release']['major'] == '11')

[rwf14f]

I've updated the tests, I'm a bit puzzled about SLES though. According to the facts in #852 (comment), the family is Suse and the name is SLES, but all the tests use sles as family and in #852 (comment) Suse is used as name.
Looking at the acceptance tests again, I'm wondering whether it would be better to move the test for the CT target to firewall_attributes_exceptions_spec.rb and firewall_attributes_ipv6_exceptions_spec.rb as well.

Can you run the test suite again ?

[sheenaajay]

@rwf14f All good.The test suites are running clean.Thank you for submitting the PR.