sous-chefs/firewall

Error executing action `restart` on resource 'service[iptables]'

Closed this issue · 2 comments

Cookbook version

2.6.2

Chef-client version

13.2.20

Platform Details

CentOS release 6.9 (Final)

# iptables --version
iptables v1.4.7

cookbook

# Installs and enables the firewall; rules are collected and written on the delayed restart.
firewall 'default' do
  action :install
end

# Allow inbound MySQL; position 0 places this line first in the rendered rules file.
firewall_rule 'mysql' do
  port      3306
  protocol  :tcp
  position  0
  command   :allow
end
# cat /etc/sysconfig/iptables
# position 0
-A INPUT -p tcp -m tcp -m multiport --dports 22 -m comment --comment "ssh" -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 3306 -m comment --comment "mysql" -j ACCEPT
# position 1
*filter
# position 2
:INPUT DROP
# position 3
:FORWARD DROP
# position 4
:OUTPUT ACCEPT
# position 100
COMMIT

# service iptables restart
iptables: Applying firewall rules: iptables-restore: line 2 failed
                                                           [FAILED]

Chef Output

--- /etc/sysconfig/ip6tables	2017-08-01 21:48:03.091009003 -0400
==> mysql:
==> mysql: +++ /etc/sysconfig/.chef-ip6tables20170801-5056-m44out	2017-08-01 21:48:57.155009002 -0400
==> mysql:
==> mysql: @@ -1,2 +1,14 @@
==> mysql:
==> mysql: -# created by chef to allow service to start
==> mysql:
==> mysql: +# position 0
==> mysql:
==> mysql: +-A INPUT -p tcp -m tcp -m multiport --dports 22 -m comment --comment "ssh" -j ACCEPT
==> mysql:
==> mysql:       +-A INPUT -p tcp -m tcp -m multiport --dports 3306 -m comment --comment "mysql" -j ACCEPT
==> mysql:       +# position 1
==> mysql:       +*filter
==> mysql:       +# position 2
==> mysql:       +:INPUT DROP
==> mysql:       +# position 3
==> mysql:       +:FORWARD DROP
==> mysql:       +# position 4
==> mysql:       +:OUTPUT ACCEPT
==> mysql:       +# position 100
==> mysql:       +COMMIT
==> mysql:
==> mysql:       - restore selinux security context
==> mysql:
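Review bot: the two `-A INPUT` lines added under `+# position 0` come before the `+*filter` line, so iptables-restore reaches an append rule before any table has been declared; that is the `line 2 failed` reported by the restart below (line 1 of the file is the `# position 0` comment, line 2 the ssh rule). Remove `position 0` from the mysql rule so it takes the default position and is rendered after `:OUTPUT ACCEPT` and before `COMMIT`; the ssh rule in the same hunk has the same problem. Note also that this hunk is for /etc/sysconfig/ip6tables while the file shown earlier and the service that fails are iptables; both files receive the same ordering, so both need the fix.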
==> mysql: [2017-08-01T21:48:57-04:00] INFO: firewall[default] sending restart action to service[iptables] (delayed)
==> mysql:   * service[iptables] action restart
==> mysql:
==> mysql:
==> mysql:
==> mysql: ================================================================================
==> mysql:
==> mysql: Error executing action `restart` on resource 'service[iptables]'
==> mysql:
==> mysql: ================================================================================
==> mysql:
==> mysql:
==> mysql:
==> mysql:
==> mysql: Mixlib::ShellOut::ShellCommandFailed
==> mysql:
==> mysql: ------------------------------------
==> mysql:
==> mysql:     Expected process to exit with [0], but received '1'
==> mysql:     ---- Begin output of /sbin/service iptables start ----
==> mysql:     STDOUT: iptables: Applying firewall rules: [FAILED]
==> mysql:     STDERR: iptables-restore: line 2 failed
==> mysql:     ---- End output of /sbin/service iptables start ----
==> mysql:     Ran /sbin/service iptables start returned 1
==> mysql:
==> mysql:     Resource Declaration:
==> mysql:     ---------------------
==> mysql:     # In /var/chef/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb
==> mysql:
==> mysql:     153:         iptables_service = service name do
==> mysql:     154:           action :nothing
==> mysql:     155:         end
==> mysql:     156:       end
==> mysql:
==> mysql:     Compiled Resource:
==> mysql:     ------------------
==> mysql:     # Declared in /var/chef/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb:153:in `rescue in lookup_or_create_service'
==> mysql:
==> mysql:     service("iptables") do
==> mysql:       action [:nothing]
==> mysql:       default_guard_interpreter :default
==> mysql:       service_name "iptables"
==> mysql:       enabled nil
==> mysql:       running nil
==> mysql:       masked nil
==> mysql:       pattern "iptables"
==> mysql:       declared_type :service
==> mysql:       cookbook_name "mysql-drupal"
==> mysql:     end
==> mysql:
==> mysql:     System Info:
==> mysql:     ------------
==> mysql:     chef_version=13.2.20
==> mysql:     platform=centos
==> mysql:     platform_version=6.9
==> mysql:     ruby=ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
==> mysql:     program_name=chef-client worker: ppid=5051;start=21:47:50;
==> mysql:     executable=/opt/chef/bin/chef-client
==> mysql:
==> mysql: [2017-08-01T21:48:58-04:00] INFO: firewall[default] sending restart action to service[ip6tables] (delayed)
==> mysql:   * service[ip6tables] action restart
==> mysql:

Hi there -- if you put position 0, you're putting your rule ahead of the *filter table declaration. You probably don't want to do that, unless you're trying to make a rule for another table, like *nat or *mangle. The default position, when omitted, is 50. If you don't need to jump ahead and insert special things inside the file containing rules, you should probably leave it at the default.

You can see the existing file and positions at https://github.com/chef-cookbooks/firewall/blob/master/attributes/iptables.rb#L6-L12.

This mechanism you're running into is the first thing described under "iptables considerations" in the README.md as well: https://github.com/chef-cookbooks/firewall#iptables-considerations

Thanks. I'll close this issue.
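The ordering rule the reply describes, as an added example that is not the firewall cookbook's own code: a small Ruby script that assembles a rules file from position-tagged entries the way the rendered /etc/sysconfig/iptables above shows (fixed entries at positions 1 to 4 and 100, rules defaulting to 50), and a check that reports any rule iptables-restore would have no table for, with the same 1-based line number the "line N failed" message uses. The fixed positions are read off the rendered file in the issue and the default of 50 from the reply; the names rule_line, render and misplaced_rules, the hash-based rule representation and the :deny to DROP mapping are assumptions of this example.

```ruby
# Added example (not the firewall cookbook's own code): assemble an
# iptables-restore file from position-tagged entries and check rule placement.
# Fixed positions 1..4 and 100 are taken from the rendered
# /etc/sysconfig/iptables in the issue; 50 is the default rule position
# named in the reply. Everything else here is an assumption of this example.

FIXED_ENTRIES = {
  1   => '*filter',
  2   => ':INPUT DROP',
  3   => ':FORWARD DROP',
  4   => ':OUTPUT ACCEPT',
  100 => 'COMMIT'
}.freeze

DEFAULT_POSITION = 50

# Assumed mapping of the firewall_rule command to an iptables target.
TARGETS = { allow: 'ACCEPT', deny: 'DROP' }.freeze

# One iptables-save style line in the shape shown in the issue.
def rule_line(name, port:, protocol: :tcp, command: :allow)
  target = TARGETS.fetch(command)
  "-A INPUT -p #{protocol} -m #{protocol} -m multiport --dports #{port} " \
    "-m comment --comment \"#{name}\" -j #{target}"
end

# rules: array of hashes like { name: 'mysql', port: 3306, position: 0 }.
# Returns the file as an array of lines: entries grouped by position,
# lowest position first, each group preceded by a "# position N" marker.
def render(rules)
  groups = Hash.new { |h, k| h[k] = [] }
  FIXED_ENTRIES.each { |pos, line| groups[pos] << line }
  rules.each do |r|
    pos = r.fetch(:position, DEFAULT_POSITION)
    groups[pos] << rule_line(r.fetch(:name), port: r.fetch(:port),
                             protocol: r.fetch(:protocol, :tcp),
                             command: r.fetch(:command, :allow))
  end
  groups.keys.sort.flat_map { |pos| ["# position #{pos}"] + groups[pos] }
end

# Rules that have no table to attach to: anything before the first "*table"
# line or after COMMIT. Returns [[line_number, line], ...] with 1-based line
# numbers (comments count, as they do for iptables-restore), so the first
# entry matches the "line N failed" message.
def misplaced_rules(lines)
  table_seen = false
  committed = false
  bad = []
  lines.each_with_index do |line, idx|
    if line.start_with?('*')
      table_seen = true
    elsif line == 'COMMIT'
      committed = true
    elsif line.start_with?('-A') && (!table_seen || committed)
      bad << [idx + 1, line]
    end
  end
  bad
end

if __FILE__ == $PROGRAM_NAME
  # The issue's layout: both rules forced to position 0, ahead of *filter.
  broken = render([{ name: 'ssh', port: 22, position: 0 },
                   { name: 'mysql', port: 3306, position: 0 }])
  puts broken, '', "misplaced: #{misplaced_rules(broken).map(&:first).inspect}"
  # The same rules at the default position land between the policies and COMMIT.
  fixed = render([{ name: 'ssh', port: 22 }, { name: 'mysql', port: 3306 }])
  puts '', fixed, '', "misplaced: #{misplaced_rules(fixed).map(&:first).inspect}"
end
```

The check only models the table/COMMIT bracketing that this issue tripped over; before shipping a rendered file, the authoritative check on the box itself is to parse it with iptables-restore in test mode (`iptables-restore --test < /etc/sysconfig/iptables`, where that option is available), which reports the same "line N failed" without touching the live ruleset.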