Merge pull request #246 from traylenator/deb11
Accept that on Debian 11 nftables::set will fail
traylenator authored Jun 27, 2024
2 parents 8442942 + 8bc8fe9 commit 1331dc3
Showing 2 changed files with 75 additions and 5 deletions.
5 changes: 0 additions & 5 deletions spec/acceptance/all_rules_spec.rb
Expand Up @@ -99,11 +99,6 @@ class { 'nftables':
include nftables::rules::out::ssdp
include nftables::services::dhcpv6_client
include nftables::services::openafs_client
nftables::set{'my_test_set':
type => 'ipv4_addr',
elements => ['192.168.0.1', '10.0.0.2'],
table => ['inet-filter', 'ip-nat'],
}
$config_path = $facts['os']['family'] ? {
'Archlinux' => '/etc/nftables.conf',
'Debian' => '/etc/nftables.conf',
75 changes: 75 additions & 0 deletions spec/acceptance/set_spec.rb
@@ -0,0 +1,75 @@
# frozen_string_literal: true

require 'spec_helper_acceptance'

describe 'nftables class' do
context 'configure an nftables set' do
it 'works idempotently with no errors' do


GitHub Actions / Puppet / Puppet 8 - Debian 11

nftables class configure an nftables set works idempotently with no errors Failure/Error: apply_manifest(pp, catch_failures: true) Beaker::Host::CommandFailure: Host 'debian11-64-puppet8.example.com' exited with 6 running: puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest_103708764.pHfI3u.pp Last 10 lines of output were: Jun 27 10:37:01 debian11-64-puppet8.example.com systemd[1]: Reloaded nftables. Jun 27 10:37:04 debian11-64-puppet8.example.com systemd[1]: Reloading nftables. Jun 27 10:37:04 debian11-64-puppet8.example.com systemd[1]: Reloaded nftables. Jun 27 10:37:11 debian11-64-puppet8.example.com systemd[1]: Reloading nftables. Jun 27 10:37:11 debian11-64-puppet8.example.com systemd[1]: nftables.service: Control process exited, code=dumped, status=11/SEGV Jun 27 10:37:11 debian11-64-puppet8.example.com systemd[1]: Reload failed for nftables. Info: Class[Nftables]: Unscheduling all events on Class[Nftables] Info: Stage[main]: Unscheduling all events on Stage[main] �[mNotice: Applied catalog in 1.06 seconds


GitHub Actions / Puppet / Puppet 7 - Debian 11

nftables class configure an nftables set works idempotently with no errors Failure/Error: apply_manifest(pp, catch_failures: true) Beaker::Host::CommandFailure: Host 'debian11-64-puppet7.example.com' exited with 6 running: puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest_103648690.W7WpsU.pp Last 10 lines of output were: Jun 27 10:36:41 debian11-64-puppet7.example.com systemd[1]: Reloaded nftables. Jun 27 10:36:44 debian11-64-puppet7.example.com systemd[1]: Reloading nftables. Jun 27 10:36:44 debian11-64-puppet7.example.com systemd[1]: Reloaded nftables. Jun 27 10:36:51 debian11-64-puppet7.example.com systemd[1]: Reloading nftables. Jun 27 10:36:51 debian11-64-puppet7.example.com systemd[1]: nftables.service: Control process exited, code=dumped, status=11/SEGV Jun 27 10:36:51 debian11-64-puppet7.example.com systemd[1]: Reload failed for nftables. Info: Class[Nftables]: Unscheduling all events on Class[Nftables] Info: Stage[main]: Unscheduling all events on Stage[main] �[mNotice: Applied catalog in 1.02 seconds
pending 'Debian 11 bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063690' if (fact('os.family') == 'Debian') && (fact('os.release.major') == '11')
pp = <<-EOS
# default mask of firewalld service fails if service is not installed.
# https://tickets.puppetlabs.com/browse/PUP-10814
# Disable all default rules and include below explicitly
class { 'nftables':
firewalld_enable => false,
out_ntp => false,
out_http => false,
out_https => false,
out_icmp => false,
in_ssh => false,
in_icmp => false,
}
nftables::set{'my_test_set':
type => 'ipv4_addr',
elements => ['192.168.0.1', '10.0.0.2'],
table => ['inet-filter', 'ip-nat'],
}
$config_path = $facts['os']['family'] ? {
'Archlinux' => '/etc/nftables.conf',
'Debian' => '/etc/nftables.conf',
default => '/etc/sysconfig/nftables.conf',
}
$nft_path = $facts['os']['family'] ? {
'Archlinux' => '/usr/bin/nft',
default => '/usr/sbin/nft',
}
# nftables cannot be started in docker so replace service with a validation only.
systemd::dropin_file{"zzz_docker_nft.conf":
ensure => present,
unit => "nftables.service",
content => [
"[Service]",
"ExecStart=",
"ExecStart=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
"ExecReload=",
"ExecReload=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
"",
].join("\n"),
notify => Service["nftables"],
}
EOS
# Run it twice and test for idempotency
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: true)
end

describe package('nftables') do
it { is_expected.to be_installed }
end

describe service('nftables') do
it {
is_expected.to be_enabled
is_expected.to be_running
}
end

describe file('/etc/nftables/puppet.nft', '/etc/systemd/system/nftables.service.d/puppet_nft.conf') do
it { is_expected.to be_file }
end

describe file('/etc/nftables/puppet') do
it { is_expected.to be_directory }
end
end
end
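Review bot: `describe file('/etc/nftables/puppet.nft', '/etc/systemd/system/nftables.service.d/puppet_nft.conf')` near the end of the new spec only asserts the first path — Serverspec's `file()` resource takes a single name and, as far as I can tell, the second argument is not treated as another file, so the `puppet_nft.conf` dropin is never checked. Iterating over the two paths gives each its own example and a readable failure message. Separately, the example only proves the catalog applies and that the `nft -c` dropin accepts the syntax; nothing asserts that `my_test_set` with its two elements actually reaches the rendered ruleset under `/etc/nftables/puppet`, so a regression that silently drops the set would still pass. An `its(:content) { is_expected.to match(/192\.168\.0\.1/) }` on the file that `nftables::set` renders (its path is outside this diff) would close that gap.
```ruby
  # … unchanged: package and service examples …
  %w[/etc/nftables/puppet.nft /etc/systemd/system/nftables.service.d/puppet_nft.conf].each do |path|
    describe file(path) do
      it { is_expected.to be_file }
    end
  end
```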
