Error: no parameter named 'ipvs'
Closed this issue · 24 comments
Hi Alex,
I have got this error after upgrade module
Error: no parameter named 'ipvs' (file: /etc/puppetlabs/code/modules/firewall_multi/manifests/init.pp, line: 257) on Firewall[001 accept all icmp] (file: /etc/puppetlabs/code/modules/firewall_multi/manifests/init.pp, line: 257) on node m
Regards,
Rostyslav
I have cloned just now alexharvey-firewall_multi (v1.13.0)
and upgrade to puppetlabs-firewall (v1.15.3)
but the error still remained
I have a similar problem - although my error is different:
Server Error: no parameter named 'bytecode'
I have tried using firewall_multi(v1.13.0) with firewall (v1.15.3), and firewall_multi(v1.12.0) with firewall (v1.15.1), same results.
I even tried v1.11 of firewall_multi and v1.14 of firewall, and received a different error:
no parameter named 'dst_cc'
Very curious.
@rmalenko , @mrmikeace It is curious because I can't reproduce any of these errors. Certainly, bytecode and ipvs are both parameters introduced in very recent versions of the firewall module. The dst_cc was added back in Oct 2017 in firewall v1.9.0. I'll need to know more info such as the version of Puppet you're using, a minimal, complete example for reproducing the error and so on.
Both servers are under Debian 9
puppet --version 6.4.0
site.pp
class firewallmulti (
Hash[String, Hash] $firewall_multis,
) {
$firewall_multis.each |$name, $firewall_multi| {
firewall_multi { $name:
* => $firewall_multi
}
}
}
firewall.yaml
---
classes:
- firewallmulti
globalwhitelist:
- 4.15.7.33 # masterofpuppet
- ...
firewallmulti::firewall_multis:
"001 accept all icmp":
proto: "icmp"
action: "accept"
"002 accept all to lo interface":
proto: "all"
iniface: "lo"
action: "accept"
"003 reject local traffic not on loopback interface":
iniface: "! lo"
proto: "all"
destination: "127.0.0.1/8"
action: "reject"
"004 accept inbound SSH":
source:
- "0.0.0.0/32"
- "8.3.13.6/32"
proto: "tcp"
dport: "22"
action: "accept"
"005 Global whitelist":
proto: "all"
action: "accept"
source: "%{alias('globalwhitelist')}"
"006 accept related established rules":
proto: "all"
state: ["RELATED", "ESTABLISHED"]
action: "accept"
"999 accept related established rules":
proto: "all"
action: "drop"
@rmalenko I still can't reproduce. Ideally I need login access to a box that has this problem. Failing that, can you try running this command for me and sending me the output:
sudo find / -name firewall.rb -exec cksum {} \;
Also show me:
sudo puppet module list
Thanks.
Terribly sorry but I removed the module and found a different way to solve my problem. It sure looked to me as if the versions of the modules that I thought I was installing were not the versions I downloaded - but I tried this multiple times, and I don't think I would have fatfingered the install the same way for them all. But then again, it was a long week.
Perhaps there is a way for you to detect the version install of firewall and fail with an error if they are incompatible?
@mrmikeace yeah I kinda think something is broken elsewhere that's causing you to get versions of modules other than the ones you think you're getting. On your suggestion, I would love it if I could query the version of firewall installed and use conditional logic to figure out what has to be done on the fly. I suppose I could use the metadata.json dependencies more specifically although r10k doesn't try to resolve dependencies I don't think. I'll ask around though.
I should add- I've maintained this module for about 3 years and it's the first time anyone ever reported an issue like this- so it also seems strange that 2 people are reporting the same issue, but I haven't really changed anything.
@rmalenko any update here?
hello,
same issue there with
└─┬ puppetlabs-firewall (v1.15.3)
└── puppetlabs-stdlib (v5.1.0)
└─┬ alexharvey-firewall_multi (v1.13.0)
└── puppetlabs-firewall (v1.15.3)
GUEST:root@puppet2018:[~]: puppet status
{
"is_alive": true,
"version": "5.5.13"
}
GUEST:root@puppet2018:[~]: puppet module uninstall --force puppetlabs-firewall
Notice: Preparing to uninstall 'puppetlabs-firewall' ...
Removed 'puppetlabs-firewall' (v1.15.3) from /etc/puppetlabs/code/environments/production/modules
GUEST:root@puppet2018:[~]: puppet module install puppetlabs-firewall
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ puppetlabs-firewall (v1.15.3)
└── puppetlabs-stdlib (v5.1.0)
GUEST:root@puppet2018:[~]: puppet module uninstall --force alexharvey/firewall_multi
Notice: Preparing to uninstall 'alexharvey-firewall_multi' ...
Removed 'alexharvey-firewall_multi' (v1.13.0) from /etc/puppetlabs/code/environments/production/modules
GUEST:root@puppet2018:[~]: puppet module install alexharvey/firewall_multi
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ alexharvey-firewall_multi (v1.13.0)
└── puppetlabs-firewall (v1.15.3)
and then if i puppetrun on the client after a rm -Rf /opt/puppetlabs/puppet/cache , it gives me
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'bytecode' (file: /etc/puppetlabs/code/environments/production/modules/firewall_multi/manifests/init.pp, line: 257) on Firewall[003 accepter le 35k] (file: /etc/puppetlabs/code/environments/production/modules/firewall_multi/manifests/init.pp, line: 257) on node xxxxx
it only works if i comment bytecode and ipvs in
/etc/puppetlabs/code/environments/production/modules/firewall_multi/manifests/init.pp
best regards,
Ghislain.
@aqueos thanks for the info. Is it possible for you to send me the output of the command I requested above, on your Puppet Master:
sudo find / -name firewall.rb -exec cksum {} \;
My theory is the Forge is sending an incorrect version of the firewall module and that command will help me understand what's going on.
@aqueos , @rmalenko , @mrmikeace this is what I have:
[root@centos-72-x64 ~]# puppet module list
/etc/puppetlabs/code/environments/production/modules
├── puppetlabs-firewall (v1.15.3)
└── puppetlabs-stdlib (v5.2.0)
/etc/puppetlabs/code/modules
└── alexharvey-firewall_multi (v1.13.0)
/opt/puppetlabs/puppet/modules (no modules installed)
Test manifest:
# cat /tmp/apply_manifest.pp.hG9EfT
firewall_multi { '100 allow http and https access':
source => [
'10.0.10.0/24',
'10.0.12.0/24',
],
destination => [
'10.2.0.0/24',
'10.3.0.0/24',
],
dport => [80, 443],
proto => tcp,
action => accept,
}Checksums on files from the firewall module:
[root@centos-72-x64 ~]# find / -name firewall.rb -exec cksum {} \;
610376651 1053 /etc/puppetlabs/code/environments/production/modules/firewall/lib/puppet/provider/firewall.rb
1288071036 59528 /etc/puppetlabs/code/environments/production/modules/firewall/lib/puppet/type/firewall.rb
1912409296 8315 /etc/puppetlabs/code/environments/production/modules/firewall/lib/puppet/util/firewall.rb
Bytecode and ipvs strings in the firewall module files:
[root@centos-72-x64 ~]# find / -name firewall.rb -exec grep -nE 'bytecode|ipvs' {} \;
72: feature :ipvs, 'Packet belongs to an IP Virtual Server connection'
1742: newproperty(:bytecode, required_features: :iptables) do
1749: newproperty(:ipvs, required_features: :ipvs) do
Applying my test manifest:
centos-72-x64 23:21:52$ puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest.pp.hG9EfT
Info: Loading facts
Info: Loading facts
Notice: Compiled catalog for centos-72-x64 in environment production in 0.16 seconds
Info: Applying configuration version '1555507314'
Notice: /Stage[main]/Main/Firewall_multi[100 allow http and https access]/Firewall[100 allow http and https access from 10.0.10.0/24 to 10.2.0.0/24]/ensure: created
Warning: Firewall[100 allow http and https access from 10.0.10.0/24 to 10.2.0.0/24](provider=iptables): Unable to persist firewall rules: Execution of '/usr/libexec/
iptables/iptables.init save' returned 1:
Notice: /Stage[main]/Main/Firewall_multi[100 allow http and https access]/Firewall[100 allow http and https access from 10.0.10.0/24 to 10.3.0.0/24]/ensure: created
Warning: Firewall[100 allow http and https access from 10.0.10.0/24 to 10.3.0.0/24](provider=iptables): Unable to persist firewall rules: Execution of '/usr/libexec/
iptables/iptables.init save' returned 1:
Notice: /Stage[main]/Main/Firewall_multi[100 allow http and https access]/Firewall[100 allow http and https access from 10.0.12.0/24 to 10.2.0.0/24]/ensure: created
Warning: Firewall[100 allow http and https access from 10.0.12.0/24 to 10.2.0.0/24](provider=iptables): Unable to persist firewall rules: Execution of '/usr/libexec/
iptables/iptables.init save' returned 1:
Notice: /Stage[main]/Main/Firewall_multi[100 allow http and https access]/Firewall[100 allow http and https access from 10.0.12.0/24 to 10.3.0.0/24]/ensure: created
Warning: Firewall[100 allow http and https access from 10.0.12.0/24 to 10.3.0.0/24](provider=iptables): Unable to persist firewall rules: Execution of '/usr/libexec/
iptables/iptables.init save' returned 1:
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 1.74 seconds
I'm pretty confused, and I've tried a few more things and I still can't reproduce the issue or understand how it could possibly occur.
For what it's worth, I just added this Rspec test showing that I can actually use the bytecode feature in the version on master.
Without being able to log in to a broken box it's quite hard for me to know. I'm going to talk to the guys in Puppet tomorrow in the Forge team to see if they have any clues.
@aqueos , what version of Linux are you using?
Hi @rmalenko. I would recommend trying out the steps outlined here. I have encountered an issue like this before with a different module and the steps outlined in the previously linked guide were able to fix the issue.
Basically what I believe is happening is that the old firewall type is being cached in the environment and by applying the above fix, Puppet will regenerate all the types thus removing any old ones that have persisted. Let us know how you get on with this! :)
cc @aqueos
generating environment isolation seems to have cured the problem.
I only have ONE environment so wtf ?? but that solved it.
i do not have a clue about what that did but now it works.
@aqueos Great to hear! If you're using r10k it might be worth taking a look at this recent change which will run generate types during deployments.
Thanks for looking at this @eimlav , I assume that also will resolve your problems @rmalenko , @mrmikeace ? I'll close this now and feel free to reopen if there's still an issue. Also, I'll update the README about this considering that firewall/firewall_multi are sensitive to this "environment bleeding" problem.
@aqueos , @rmalenko , @eimlav I have made a few enhancements here:
- There is a troubleshooting section in README here.
- Metadata.json now specifically refers to the firewall version required. But I think that only helps if you're using librarian-puppet, which actually resolves dependencies for you.
@alexharv074
Thank you a lot.
I would like to confirm. After upgrade (v1.13.0 -> v1.13.2) I have no issue
Excuse me, unfortunately, I hadn't time to answer.