Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error: no parameter named 'ipvs' #19

Closed
rmalenko opened this issue Apr 11, 2019 · 24 comments
Closed

Error: no parameter named 'ipvs' #19

rmalenko opened this issue Apr 11, 2019 · 24 comments

Comments

@rmalenko
Copy link

Hi Alex,
I have got this error after upgrade module

Error: no parameter named 'ipvs' (file: /etc/puppetlabs/code/modules/firewall_multi/manifests/init.pp, line: 257) on Firewall[001 accept all icmp] (file: /etc/puppetlabs/code/modules/firewall_multi/manifests/init.pp, line: 257) on node m

Regards,
Rostyslav
@rmalenko rmalenko changed the title Error: no parameter named 'ipvs' (file: /etc/puppetlabs/code/modules/firewall_multi/manifests/init.pp, line: 257) on Firewall[001 accept all icmp] (file: /etc/puppetlabs/code/modules/firewall_multi/manifests/init.pp, line: 257) on node m Error: no parameter named 'ipvs' Apr 11, 2019
@alex-harvey-z3q
Copy link
Owner

Hi @rmalenko , it looks like you upgraded my module without also updating the upstream puppetlabs/firewall module? See the latest commit here. Let me know if that fixes your issue.

@rmalenko
Copy link
Author

I have cloned just now alexharvey-firewall_multi (v1.13.0)
and upgrade to puppetlabs-firewall (v1.15.3)
but the error still remained

@mrmikeace
Copy link

I have a similar problem - although my error is different:
Server Error: no parameter named 'bytecode'

I have tried using firewall_multi(v1.13.0) with firewall (v1.15.3), and firewall_multi(v1.12.0) with firewall (v1.15.1), same results.

@mrmikeace
Copy link

I even tried v1.11 of firewall_multi and v1.14 of firewall, and received a different error:
no parameter named 'dst_cc'

Very curious.

@alex-harvey-z3q
Copy link
Owner

@rmalenko , @mrmikeace It is curious because I can't reproduce any of these errors. Certainly, bytecode and ipvs are both parameters introduced in very recent versions of the firewall module. The dst_cc was added back in Oct 2017 in firewall v1.9.0. I'll need to know more info such as the version of Puppet you're using, a minimal, complete example for reproducing the error and so on.

@rmalenko
Copy link
Author

rmalenko commented Apr 12, 2019
edited
Loading

Both servers are under Debian 9
puppet --version 6.4.0

site.pp

class firewallmulti (
  Hash[String, Hash] $firewall_multis,
) {
  $firewall_multis.each |$name, $firewall_multi| {
    firewall_multi { $name:
      * => $firewall_multi
    }
  }
}

firewall.yaml

---
classes:
  - firewallmulti
globalwhitelist:
  - 4.15.7.33   # masterofpuppet
  - ...

firewallmulti::firewall_multis:
  "001 accept all icmp":
    proto: "icmp"
    action: "accept"

  "002 accept all to lo interface":
    proto: "all"
    iniface: "lo"
    action: "accept"

  "003 reject local traffic not on loopback interface":
    iniface: "! lo"
    proto: "all"
    destination: "127.0.0.1/8"
    action: "reject"

  "004 accept inbound SSH":
    source:
      - "0.0.0.0/32"
      - "8.3.13.6/32"
    proto: "tcp"
    dport: "22"
    action: "accept"

  "005 Global whitelist":
    proto: "all"
    action: "accept"
    source: "%{alias('globalwhitelist')}"

  "006 accept related established rules":
    proto: "all"
    state: ["RELATED", "ESTABLISHED"]
    action: "accept"

  "999 accept related established rules":
    proto: "all"
    action: "drop"

@alex-harvey-z3q
Copy link
Owner

@rmalenko I still can't reproduce. Ideally I need login access to a box that has this problem. Failing that, can you try running this command for me and sending me the output:

sudo find / -name firewall.rb -exec cksum {} \;

Also show me:

sudo puppet module list

Thanks.

@mrmikeace
Copy link

Terribly sorry but I removed the module and found a different way to solve my problem. It sure looked to me as if the versions of the modules that I thought I was installing were not the versions I downloaded - but I tried this multiple times, and I don't think I would have fatfingered the install the same way for them all. But then again, it was a long week.

@mrmikeace
Copy link

Perhaps there is a way for you to detect the version install of firewall and fail with an error if they are incompatible?

@alex-harvey-z3q
Copy link
Owner

@mrmikeace yeah I kinda think something is broken elsewhere that's causing you to get versions of modules other than the ones you think you're getting. On your suggestion, I would love it if I could query the version of firewall installed and use conditional logic to figure out what has to be done on the fly. I suppose I could use the metadata.json dependencies more specifically although r10k doesn't try to resolve dependencies I don't think. I'll ask around though.

@alex-harvey-z3q
Copy link
Owner

I should add- I've maintained this module for about 3 years and it's the first time anyone ever reported an issue like this- so it also seems strange that 2 people are reporting the same issue, but I haven't really changed anything.

@alex-harvey-z3q
Copy link
Owner

@rmalenko any update here?

@aqueos
Copy link

aqueos commented Apr 17, 2019

hello,

same issue there with
└─┬ puppetlabs-firewall (v1.15.3)
└── puppetlabs-stdlib (v5.1.0)
└─┬ alexharvey-firewall_multi (v1.13.0)
└── puppetlabs-firewall (v1.15.3)

GUEST:root@puppet2018:[~]: puppet status
{
"is_alive": true,
"version": "5.5.13"
}

GUEST:root@puppet2018:[~]: puppet module uninstall --force puppetlabs-firewall
Notice: Preparing to uninstall 'puppetlabs-firewall' ...
Removed 'puppetlabs-firewall' (v1.15.3) from /etc/puppetlabs/code/environments/production/modules

GUEST:root@puppet2018:[~]: puppet module install puppetlabs-firewall
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ puppetlabs-firewall (v1.15.3)
└── puppetlabs-stdlib (v5.1.0)

GUEST:root@puppet2018:[~]: puppet module uninstall --force alexharvey/firewall_multi
Notice: Preparing to uninstall 'alexharvey-firewall_multi' ...
Removed 'alexharvey-firewall_multi' (v1.13.0) from /etc/puppetlabs/code/environments/production/modules

GUEST:root@puppet2018:[~]: puppet module install alexharvey/firewall_multi
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ alexharvey-firewall_multi (v1.13.0)
└── puppetlabs-firewall (v1.15.3)

and then if i puppetrun on the client after a rm -Rf /opt/puppetlabs/puppet/cache , it gives me

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'bytecode' (file: /etc/puppetlabs/code/environments/production/modules/firewall_multi/manifests/init.pp, line: 257) on Firewall[003 accepter le 35k] (file: /etc/puppetlabs/code/environments/production/modules/firewall_multi/manifests/init.pp, line: 257) on node xxxxx

it only works if i comment bytecode and ipvs in
/etc/puppetlabs/code/environments/production/modules/firewall_multi/manifests/init.pp

best regards,
Ghislain.

@alex-harvey-z3q
Copy link
Owner

@aqueos thanks for the info. Is it possible for you to send me the output of the command I requested above, on your Puppet Master:

sudo find / -name firewall.rb -exec cksum {} \;

My theory is the Forge is sending an incorrect version of the firewall module and that command will help me understand what's going on.

@alex-harvey-z3q
Copy link
Owner

@aqueos , @rmalenko , @mrmikeace this is what I have:

[root@centos-72-x64 ~]# puppet module list
/etc/puppetlabs/code/environments/production/modules
├── puppetlabs-firewall (v1.15.3)
└── puppetlabs-stdlib (v5.2.0)
/etc/puppetlabs/code/modules
└── alexharvey-firewall_multi (v1.13.0)
/opt/puppetlabs/puppet/modules (no modules installed)

Test manifest:

# cat /tmp/apply_manifest.pp.hG9EfT 
firewall_multi { '100 allow http and https access':
  source => [
    '10.0.10.0/24',
    '10.0.12.0/24',
  ],
  destination => [
    '10.2.0.0/24',
    '10.3.0.0/24',
  ],
  dport  => [80, 443],
  proto  => tcp,
  action => accept,
}

Checksums on files from the firewall module:

[root@centos-72-x64 ~]# find / -name firewall.rb -exec cksum {} \; 
610376651 1053 /etc/puppetlabs/code/environments/production/modules/firewall/lib/puppet/provider/firewall.rb
1288071036 59528 /etc/puppetlabs/code/environments/production/modules/firewall/lib/puppet/type/firewall.rb
1912409296 8315 /etc/puppetlabs/code/environments/production/modules/firewall/lib/puppet/util/firewall.rb

Bytecode and ipvs strings in the firewall module files:

[root@centos-72-x64 ~]# find / -name firewall.rb -exec grep -nE 'bytecode|ipvs' {} \;
72:  feature :ipvs, 'Packet belongs to an IP Virtual Server connection'
1742:  newproperty(:bytecode, required_features: :iptables) do
1749:  newproperty(:ipvs, required_features: :ipvs) do

Applying my test manifest:

centos-72-x64 23:21:52$ puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest.pp.hG9EfT                                                                 
  Info: Loading facts                                                                                                                                             
  Info: Loading facts                                                                                                                                             
  Notice: Compiled catalog for centos-72-x64 in environment production in 0.16 seconds                                                                            
  Info: Applying configuration version '1555507314'                                                                                                                    
  Notice: /Stage[main]/Main/Firewall_multi[100 allow http and https access]/Firewall[100 allow http and https access from 10.0.10.0/24 to 10.2.0.0/24]/ensure: created
  Warning: Firewall[100 allow http and https access from 10.0.10.0/24 to 10.2.0.0/24](provider=iptables): Unable to persist firewall rules: Execution of '/usr/libexec/
iptables/iptables.init save' returned 1:  
  Notice: /Stage[main]/Main/Firewall_multi[100 allow http and https access]/Firewall[100 allow http and https access from 10.0.10.0/24 to 10.3.0.0/24]/ensure: created
  Warning: Firewall[100 allow http and https access from 10.0.10.0/24 to 10.3.0.0/24](provider=iptables): Unable to persist firewall rules: Execution of '/usr/libexec/
iptables/iptables.init save' returned 1:                                                                                                                              
  Notice: /Stage[main]/Main/Firewall_multi[100 allow http and https access]/Firewall[100 allow http and https access from 10.0.12.0/24 to 10.2.0.0/24]/ensure: created
  Warning: Firewall[100 allow http and https access from 10.0.12.0/24 to 10.2.0.0/24](provider=iptables): Unable to persist firewall rules: Execution of '/usr/libexec/
iptables/iptables.init save' returned 1:                                                                                                                              
  Notice: /Stage[main]/Main/Firewall_multi[100 allow http and https access]/Firewall[100 allow http and https access from 10.0.12.0/24 to 10.3.0.0/24]/ensure: created 
  Warning: Firewall[100 allow http and https access from 10.0.12.0/24 to 10.3.0.0/24](provider=iptables): Unable to persist firewall rules: Execution of '/usr/libexec/
iptables/iptables.init save' returned 1:                                                                                                                              
  Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml                                                                                             
  Notice: Applied catalog in 1.74 seconds

@aqueos
Copy link

aqueos commented Apr 17, 2019 via email

alex-harvey-z3q added a commit that referenced this issue Apr 17, 2019
@alex-harvey-z3q
Add Rspec test for Issue #19
3834361 
Pinning firewall to published version in .fixtures.yml, and adds an
Rspec test to actually use the new feature "bytecode". This commit just
shows I've failed to reproduce Issue #19. See discussion in Issues.
@alex-harvey-z3q
Copy link
Owner

I'm pretty confused, and I've tried a few more things and I still can't reproduce the issue or understand how it could possibly occur.

For what it's worth, I just added this Rspec test showing that I can actually use the bytecode feature in the version on master.

Without being able to log in to a broken box it's quite hard for me to know. I'm going to talk to the guys in Puppet tomorrow in the Forge team to see if they have any clues.

@aqueos , what version of Linux are you using?

@eimlav
Copy link

eimlav commented Apr 18, 2019

Hi @rmalenko. I would recommend trying out the steps outlined here. I have encountered an issue like this before with a different module and the steps outlined in the previously linked guide were able to fix the issue.

Basically what I believe is happening is that the old firewall type is being cached in the environment and by applying the above fix, Puppet will regenerate all the types thus removing any old ones that have persisted. Let us know how you get on with this! :)

@alex-harvey-z3q
Copy link
Owner

cc @aqueos

@aqueos
Copy link

aqueos commented Apr 18, 2019

generating environment isolation seems to have cured the problem.
I only have ONE environment so wtf ?? but that solved it.

i do not have a clue about what that did but now it works.

@eimlav
Copy link

eimlav commented Apr 18, 2019

@aqueos Great to hear! If you're using r10k it might be worth taking a look at this recent change which will run generate types during deployments.

@alex-harvey-z3q
Copy link
Owner

Thanks for looking at this @eimlav , I assume that also will resolve your problems @rmalenko , @mrmikeace ? I'll close this now and feel free to reopen if there's still an issue. Also, I'll update the README about this considering that firewall/firewall_multi are sensitive to this "environment bleeding" problem.

alex-harvey-z3q added a commit that referenced this issue Apr 21, 2019
@alex-harvey-z3q
Issue_19 Add Rspec test
e5abfd2 
Pinning firewall to published version in .fixtures.yml, and adds an
Rspec test to actually use the new feature "bytecode". This commit just
shows I've failed to reproduce Issue #19. See discussion in Issues.
alex-harvey-z3q added a commit that referenced this issue Apr 21, 2019
@alex-harvey-z3q
Version 1.13.1
0a1d553 
More defensive after Issue #19.
alex-harvey-z3q added a commit that referenced this issue Apr 21, 2019
@alex-harvey-z3q
Version 1.13.1
38cbf7d 
More defensive after Issue #19.
@alex-harvey-z3q
Copy link
Owner

@aqueos , @rmalenko , @eimlav I have made a few enhancements here:

  • There is a troubleshooting section in README here.
  • Metadata.json now specifically refers to the firewall version required. But I think that only helps if you're using librarian-puppet, which actually resolves dependencies for you.

@rmalenko
Copy link
Author

@alexharv074
Thank you a lot.
I would like to confirm. After upgrade (v1.13.0 -> v1.13.2) I have no issue

Excuse me, unfortunately, I hadn't time to answer.

@alex-harvey-z3q alex-harvey-z3q mentioned this issue May 17, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rmalenko @alex-harvey-z3q @aqueos @eimlav @mrmikeace