
hashsize is dynamic and produces errors on large sets #26

Closed
sagepe opened this issue Mar 4, 2020 · 1 comment · Fixed by #27

Comments

@sagepe
Contributor

sagepe commented Mar 4, 2020

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.13.0
  • Ruby: ruby 2.5.7p206 (2019-10-01 revision 67816) [x86_64-linux]
  • Distribution: Debian 9
  • Module version: 1.2.0

How to reproduce (e.g. Puppet code you use)

  file { '/var/lib/ipsets/cn-hk.ipset':
    ensure => file,
    mode   => '0644',
    source => 'puppet:///modules/profiles/ipsets/cn-hk.ipset',
  }

  -> ipset::set { 'cn':
    ensure       => 'present',
    type         => 'hash:net',
    set          => 'file:///var/lib/ipsets/cn-hk.ipset',
    keep_in_sync => true,
  }

  -> firewall { '000 Block CN-HK':
    proto => 'all',
    ipset => 'cn src',
    jump  => 'LOGDROP',
  }

The set created has > 10k networks. This results in the hash size growing. We could set this at the beginning, but as it may vary dynamically this doesn't seem like the correct approach.

What are you seeing

Puppet thinks that the ipset has changed because of the hashsize mismatch and attempts to delete it and recreate it, but this fails as it is in use by the kernel.

What behaviour did you expect instead

Nothing - the contents of the set have not changed but the hashsize has since it was created.

Output log

Notice: /Stage[main]/Profiles::Ipset::Cn/Ipset::Set[cn]/Exec[sync_ipset_cn]/returns: ipset v6.30: Set cannot be destroyed: it is in use by a kernel component
Notice: /Stage[main]/Profiles::Ipset::Cn/Ipset::Set[cn]/Exec[sync_ipset_cn]/returns: ipset v6.30: Error in line 1: Set cannot be created: set with the same name already exists
Error: 'ipset_sync -c '/etc/ipset.d/'    -i cn' returned 1 instead of one of [0]
Error: /Stage[main]/Profiles::Ipset::Cn/Ipset::Set[cn]/Exec[sync_ipset_cn]/returns: change from 'notrun' to ['0'] failed: 'ipset_sync -c '/etc/ipset.d/'    -i cn' returned 1 instead of one of [0] (corrective)
Notice: /Stage[main]/Profiles::Ipset::Cn/Firewall[000 Block CN-HK]: Dependency Exec[sync_ipset_cn] has failures: true

Actual header: Header: family inet hashsize 8192 maxelem 65536

Contents of /etc/ipset.d/cn.hdr: create cn hash:net family inet hashsize 1024 maxelem 65536

Any additional information you'd like to impart

This issue was raised in mighq/puppet-ipset and resolved there.

I have a forked copy of this repository with a branch with the commit from mighq cherry-picked and can confirm that it appears to fix the problem for me.
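As an added illustration (not the module's own ipset_sync script and not the fix merged in #27), the following POSIX shell check compares the stored .hdr line with the live header the way the report implies it should be done: hashsize is treated as kernel-managed and ignored, while every other option still triggers a recreate. The sample headers are constructed from the values quoted above; the live_header helper assumes the ipset tool is installed.

```shell
#!/bin/sh
# Added example (not the module's ipset_sync or the fix in #27): decide whether
# a stored set header still matches the live kernel set while ignoring
# "hashsize", which the kernel grows on its own once a set holds many entries.

# Drop the "hashsize N" token and collapse repeated spaces so the two
# header forms compare only on the options the operator actually controls.
normalize_header() {
  printf '%s\n' "$1" |
    sed -E 's/[[:space:]]+hashsize[[:space:]]+[0-9]+//' |
    tr -s ' '
}

# Read the live "Header:" line of a set via the ipset tool. Not exercised by
# the constructed sample below; it needs a real set on the host.
live_header() {
  ipset list -t "$1" | sed -n 's/^Header: //p'
}

# $1: stored header, as written to /etc/ipset.d/<name>.hdr
#     ("create cn hash:net family inet hashsize 1024 maxelem 65536")
# $2: set name   $3: set type   $4: live Header: options from `ipset list -t`
# Returns 0 when at most hashsize differs (no destroy/recreate needed),
# 1 when any other option differs.
headers_match() {
  want=$(normalize_header "$1")
  have=$(normalize_header "create $2 $3 $4")
  [ "$want" = "$have" ]
}

# Constructed sample mirroring the headers quoted in the issue.
STORED_HDR='create cn hash:net family inet hashsize 1024 maxelem 65536'
LIVE_HDR='family inet hashsize 8192 maxelem 65536'

if headers_match "$STORED_HDR" cn hash:net "$LIVE_HDR"; then
  echo "cn: header unchanged apart from hashsize; sync contents only"
else
  echo "cn: header differs; set must be recreated"
fi
```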

bastelfreak pushed a commit that referenced this issue Mar 4, 2020
ipset hashsize grows dynamically to accommodate very large sets and
could differ from size used during creation. fixes #26
@bastelfreak
Member

thanks for reporting this. I will do a new release shortly
