Replies: 6 comments · 8 replies
-
|
files:
"$(nftables_common.sysconfig_path)$(nftables_common.nft_config)"
---> Think it is missing `/`, eg:
"$(nftables_common.sysconfig_path)/$(nftables_common.nft_config)"
comment => "Service config for nftables",
perms => mog("0600","root","root"),
copy_from =>
secure_cp("$(nftables_common.f)/default/$(nftables_common.nft_config)",
"@(g.policyhosts)"),
action => fix_and_log,
classes => if_repaired("nft_restart_needed");
…On 05/08/2024 18:19, ajy2 wrote:
Greetings, (Long time lurker, first time poster/code writer)
I've recently attended a recent "Agent is in" episode <https://
cfengine.com/blog/2024/the-agent-is-in-episode-39/> and had some great
off-episode commentary with Nick (and others). I'm to the point that I
can readily understand and do on my own. So now, I need some code-
specific help.
Problem: We're trying to revamp some NFTables tasks to get the following
to happen, in sequence. (This gets so far and then doesn't execute any
methods):
1. Place files where we want them.
2. If those promises end up replacing/updating files, set appropriate
classes to run nft's check functionality.
3. If the command promiser in item 2 returns without error, go to the
appropriate method and do what we want re: start, restart, etc.
Nick's advice was to use depends_on to influence normal ordering. My
original attack on this was passing/referencing classes between bundles
(or using namespace) was how I was going to do this -- but I'm still
stuck regardless of method.
As you look at the code below, there are similar modules for things like
ipset/iptables that I didn't include. So, if you see some different
styles of code between the top "firewall(config) stanza and proceeding
stuff, that would be why.
|bundle agent firewall(config) { meta: "purpose" string => "High-level
promise bundle to abstract firewall policy application."; classes:
"bundle__firewall_$(config)" expression => "any", scope => "namespace";
"bundle__firewall" expression => "any", scope => "namespace"; methods:
el9:: "Apply nftables config $(config)" comment => "Apply nftables
firewall config $(config)", usebundle => nftables_main("$(config)"); }
bundle agent nftables_main(config) { methods: "nftables_common"
usebundle => nftables_common; "nftables_config" usebundle =>
nftables_config("$(config)"); "nftables_check" usebundle =>
nftables_check; "nftables_actions" usebundle => nftables_actions; }
bundle common nftables_common { classes: "firewalld_active" expression
=> returnszero("/bin/systemctl -q is-active firewalld","useshell");
"firewalld_enabled" expression => returnszero("/bin/systemctl -q is-
enabled firewalld","useshell"); "install_nftables" expression =>
islessthan("$(nftables_count)", "1"); "nftables_active" expression =>
returnszero("/bin/systemctl -q is-active nftables", "useshell");
"nftables_enabled" expression => returnszero("/bin/systemctl -q is-
enabled nftables", "useshell"); "nftables_systemd_failed" expression =>
returnszero("/bin/systemctl -q is-failed nftables", "useshell");
"nftables_reload_failed" expression => returnszero("/bin/systemctl
status nftables | /bin/grep Process | /bin/grep -i fail", "useshell");
"required_files_present" expression => "any", ifvarclass =>
filesexist(@(nft_file_require)); vars: "f" string => "$(g.f)/firewall";
"nftables_count" int => length(packagesmatching("nftables", ".*", ".*",
".*")); "nft_addin_path" string => "/etc/nftables.d/"; "nft_addin_rules"
string => "addin.nft"; "nft_base_rules" slist => { "ipsets.nft",
"standard.nft", "zz_deny.nft" }; "nft_config" string => "nftables.conf";
"nft_filepath" string => "/etc/nftables/"; "nft_file_require" slist =>
{ "/etc/sysconfig/nftables.conf", "/etc/nftables/ipsets.nft", "/etc/
nftables/standard.nft", "/etc/nftables/zz_deny.nft" }; "sysconfig_path"
string => "/etc/sysconfig/"; } bundle agent nftables_config(config)
{ files: el9:: "$(nftables_common.nft_addin_path)." comment => "Create
and ensure permissions on $(this.promiser)", perms => mog("0750",
"root", "root"), create => "true", action => fix_and_log, classes =>
if_repaired("nft_restart_needed");
"$(nftables_common.sysconfig_path)$(nftables_common.nft_config)" comment
=> "Service config for nftables", perms => mog("0600","root","root"),
copy_from => secure_cp("$(nftables_common.f)/default/
$(nftables_common.nft_config)", "@(g.policyhosts)"), action =>
fix_and_log, classes => if_repaired("nft_restart_needed");
"$(nftables_common.nft_filepath)$(nftables_common.nft_base_rules)"
comment => "Base firewall for nftables", perms =>
mog("0600","root","root"), copy_from => secure_cp("$(nftables_common.f)/
default/$(nftables_common.nft_base_rules)", "@(g.policyhosts)"), action
=> fix_and_log, classes => if_repaired("nft_reload_needed");
"$(nftables_common.nft_addin_path)$(nftables_common.nft_addin_rules)"
comment => "Addin firewall rules for nftables", handle =>
"addin_file_copy", perms => mog("0600","root","root"), copy_from =>
secure_cp("$(nftables_common.f)/$(config)/
$(nftables_common.nft_addin_rules)", "@(g.policyhosts)"), action =>
fix_and_log, classes => if_repaired("nft_reload_needed"); packages:
el9:: install_nftables:: "nftables" policy => "present", package_module
=> yum; } bundle agent nftables_check { commands: el9.
(nft_reload_needed|nft_restart_needed|nftables_reload_failed|
nftables_systemd_failed):: "/usr/sbin/nft -c -f /etc/sysconfig/
nftables.conf" contain => in_shell_and_silent, handle => "check_syntax",
classes => results("namespace", "nft_syntax_ok"); methods:
el9.nft_syntax_ok_repaired:: "nftables_actions" usebundle =>
nftables_actions, depends_on => { "check_syntax" }; } bundle agent
nftables_actions { methods: el9.firewalld_active:: "firewalld" usebundle
=> standard_services("firewalld", "stop"); el9.firewalld_enabled::
"firewalld" usebundle => standard_services("firewalld", "disable");
el9.!(nftables_enabled|nftables_active):: "nftables_start" usebundle =>
standard_services("nftables", "start"); "nftables_enable" usebundle =>
standard_services("nftables", "enable"); el9.nft_syntax_ok_repaired.
(nft_restart_needed|nftables_systemd_failed):: "nftables_restart"
usebundle => standard_services("nftables", "restart");
el9.nft_syntax_ok_repaired.(nft_reload_needed|nftables_reload_failed)::
"nftables_reload" usebundle => standard_services("nftables", "reload");
reports: el9:: "nft_syntax_ok_repaired is available and set" ifvarclass
=> "nft_syntax_ok_repaired"; "nftables files installed; will attempt
start on next run" ifvarclass => "nft_syntax_ok_repaired.!
require_files_present"; "nftables service successfully started or
restarted with $(config)" ifvarclass => "nft_syntax_ok_repaired.
(nft_reload_needed|nft_restart_needed)"; "nftables service failed or
syntax invalid" ifvarclass => "!nft_syntax_ok_repaired.
(nftables_reload_failed|nftables_systemd_failed)"; } |
—
Reply to this email directly, view it on GitHub <https://github.com/
cfengine/core#5595>, or unsubscribe <https://github.com/
notifications/unsubscribe-auth/
AADJKB7MDOALQIBIWQ6T42DZP6Q2NAVCNFSM6AAAAABMAT3QFWVHI2DSMVQWIX3LMV43ERDJONRXK43TNFXW4OZXGAYTKMJRGM>.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
--
Bas van der Vlies
| High Performance Computing & Visualization | SURF| Science Park 140 |
1098 XG Amsterdam
| T +31 (0) 20 800 1300 | ***@***.*** | www.surf.nl |
|
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the eyes @basvandervlies. The variable sysconfig_path in the common bundle has the trailing slash. So, this should enumerate to "/etc/sysconfig/nftables.conf" as writtten. This file is placed correctly at present with the variables from above:
|
Beta Was this translation helpful? Give feedback.
-
|
I missed that one :-(. What I usually do is that global classes are in capitals and bundle classes lowercase. Then it for clear for me and my colleagues to read. Is just I suggestion. But just to ask none of the bundle are executed? Just be sure is |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the style feedback there -- something we definitely need to look at.
|
Beta Was this translation helpful? Give feedback.
-
Well, I dunno that I would exactly call it advice, but yes, you can use
Your sure the bundles are not running from looking at verbose logs? I would check the verbose logs to see if the bundles are getting run or not. You could also add additional reports that are similar to your policy: |
Beta Was this translation helpful? Give feedback.
-
|
Hi Nick,
|
Beta Was this translation helpful? Give feedback.
-
|
There is a lot to load into my internal parser there, let's focus on one specific promise. Which is the first promise you are expecting to trigger that is not triggereing? This one? |
Beta Was this translation helpful? Give feedback.
-
|
The crux: In bundle nftables_actions: As written, none of the method promisers fire off except for firewalld (it's enabled and/or running). At this point, I think it's down to the evaluation of the class guards. Hopefully the verbose output is useful in illustrating that. My brain hurts looking at debug/verbose :). So, let's focus on: |
Beta Was this translation helpful? Give feedback.
-
|
You can add in reports for these contexts to see what is or isn't in context. First, you can simply report under that same context, but you can add some additional reports to see what is or isn't in context What do you see emitted? |
Beta Was this translation helpful? Give feedback.
-
|
@ayoustic As an Enterprise user, we can take this to https://support.northern.tech if you wish, just open a ticket and we can continue there. Else we can continue here (which possibly other people might appreciate). |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @nickanderson. Is it possible to work on this via a ticket and then update this post with the solution so as not to spam folks? (If we close this thread, can I append it later?) |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, pretty sure we can still comment on answered topics and stuff. |
Beta Was this translation helpful? Give feedback.
-
|
Alright -- I found an interesting combination helped out here:
`
I am probably wrong on something above. However, whatever I did with those two changes did the trick. I'm continuing to test all the scenarios we need for this to go to prod. I'll update if I have other information for those that may find this. Feedback welcome on my observations. (or fallacies) |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the detailed response here. This sounds like something that begs a simple example case and possibly some clarification in the docs. By "order of conditionals" do you mean order of classes in a single expression or order of individual promises? |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Greetings, (Long time lurker, first time poster/code writer)
I've recently attended a recent "Agent is in" episode and had some great off-episode commentary with Nick (and others). I'm to the point that I can readily understand and do on my own. So now, I need some code-specific help.
Problem: We're trying to revamp some NFTables tasks to get the following to happen, in sequence. (This gets so far and then doesn't execute any methods):
Nick's
advicesuggestion of a workaround was to use depends_on to influence normal ordering. My original attack on this was passing/referencing classes between bundles (or using namespace) was how I was going to do this -- but I'm still stuck regardless of method.As you look at the code below, there are similar modules for things like ipset/iptables that I didn't include. So, if you see some different styles of code between the top "firewall(config) stanza and proceeding stuff, that would be why.
Beta Was this translation helpful? Give feedback.
All reactions