[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T371575

puppet package install cycle with firewall::service, ferm/nftables and libnet-dns-perl
Closed, DuplicatePublic
Actions

Description

When using firewall::service and nftables as the firewall provider, ferm and packages installed by it are being removed by puppet.

This isn't an issue as long as libnet-dns-perl isn't installed by something else.

But some hosts, like lists and vrts install libnet-dns-perl for other unrelated reasons.

For example on lists, it's pulled in by spamd/spamassassin.

If such a host is switched to nftables there is a package installation cycle. On every single puppet run, libnet-dns-perl and with it spamd/spamassassin packages as well (!) get removed.

Then on the next run they get installed again.

Noticed by one of the "puppet change on every run" monitoring alerts.

The code that removes the package seems to be this directly in the ferm class:

class ferm (
    Wmflib::Ensure $ensure ='present'
) {
    # @resolve requires libnet-dns-perl
    package { ['iptables', 'libnet-dns-perl']:
        ensure => stdlib::ensure($ensure, package),
    }

In class firewall the whole ferm class is absented when ferm is not the firewall provider.

class firewall (
    Firewall::Provider $provider = 'none',
) {
    unless $provider == 'none' {
        class { 'ferm': # lint:ignore:wmf_styleguide
            ensure => stdlib::ensure($provider == 'ferm'),
        }

Needs a fix one way or another. Patches or just comments very welcome!

Related Objects

Event Timeline

Dzahn created this task.Aug 1 2024, 2:11 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 1 2024, 2:11 AM
Dzahn added a comment.Aug 1 2024, 2:12 AM

Also more of a reminder and note to self. And wanted to share things I noticed while working on switching all our services to nftables which is T370677 and I thought infra foundations will like :)

Dzahn added a subscriber: eoghan.Aug 1 2024, 2:12 AM

@eoghan fyi, this is why puppet is disabled currently on lists1004. it does come from our change [https://gerrit.wikimedia.org/r/c/operations/puppet/+/1055492 gerrit:1055492] when we switched lists to nftables.

Also totally fine with just reverting that if this doesn't turn out to be simple enough to fix.

Dzahn updated the task description. (Show Details)Aug 2 2024, 5:47 PM
Dzahn updated the task description. (Show Details)
Dzahn updated the task description. (Show Details)Aug 2 2024, 6:02 PM
SLyngshede-WMF claimed this task.Aug 5 2024, 2:33 PM
SLyngshede-WMF triaged this task as Low priority.
LSobanski moved this task from Incoming to Consultation on the collaboration-services board.Aug 6 2024, 7:02 AM
LSobanski subscribed.
MoritzMuehlenhoff subscribed.Sep 10 2024, 7:30 AM

This is a duplicate of T373637 (resolved as of this morning), I'm merging the task into it.

MoritzMuehlenhoff closed this task as a duplicate of T373637: services using libnet-dns-perl can't use nftables as firewall provider.Sep 10 2024, 7:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits