New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure firewalld is not attempted on el6 #97
Conversation
@glenjamin What version of chef was this one? I'd like to debug it further if possible. |
This was seen on a few versions between I've been unable to find any documentation that indicates how chef selects providers - I added some debug logging into the node block, and it appeared to be based on first-matching. |
We're testing against 12.4.1, and I haven't seen this one. I'd like to fix the bug in chef proper, if that's where the problem is. There was definitely a bug in Chef 12.4.0 where the block was never called, so you would have seen the problem on that version for sure. |
Could you give me a specific Chef version and distro/version you saw it on, so I could test that? |
I saw this on at least centos 6.6 on azure (open logic) running chef 12.4.1 My initial manual chef-client run correctly selected iptables, but future chef runs and chef-service runs across the estate started failing. I patched the cookbook with logging of platform version in both the iptables and firewalld provider, and saw only the firewalld provider log "6.6" before beginning its install. I applied the attached fix to our chef server by uploading the fork and am no longer seeing any issue. |
Reading the comment in https://github.com/chef/chef/blob/master/lib/chef/provider_resolver.rb indicates that the selected provider is load order dependent Is there ever a scenario where firewalld should be selected when platform version is less than 7? If not then I believe this patch is valid, and ensures firewalld will not be considered for auto-selection on older systems. |
Hi @glenjamin -- yes, I agree that this would be a valid fix; I was hoping we could understand why it doesn't already work though. I'd like to report the bug upstream if chef isn't behaving correctly. I'll open a separate issue for it... |
Ensure firewalld is not attempted on el6
I think the key phrase is this one:
https://github.com/chef/chef/blob/master/lib/chef/provider_resolver.rb#L44 Unless you explicitly load the files in the order you want then you're at the mercy of whatever require_all magic chef uses - which presumably is not strictly defined to be equivalent cross-platform. |
I believe chef should also choose providers with blocks before providers without those. That bug I linked was actually about 12.4.0 not doing that, and then they fixed it -- chef/chef#3593. Specifically, check out this comment from one of the core chef developers:
He goes on to suggest the same solution you've contributed:
But I still think there's a bug in core chef somewhere, based on that comment. |
Cheers for the links, definitely sounds like a bug in the more general case then!
|
Ensure all of the distros/versions and provides blocks yield exactly one provider, no more. RE: sous-chefs#97, sous-chefs#98.
I'm seeing an issue were chef provider selection appears to be non-deterministic, depending on whether the
firewalld
oriptables
provider is checked first.This resulted in
firewalld
trying to install on EL6 machines.The included patch ensures that there is no overlap in provider selection.