voxpupuli/puppet-fail2ban

Support for RHEL/CentOS 8

Closed this issue · 1 comments

On RHEL/CentOS 8 with fail2ban version 0.10.4, the fail2ban puppet module does not work anymore. It seems the whole /etc/fail2ban/jail.conf is not touched by Puppet fail2ban.

The most basic configuration, where I would simply like to enable the ssh jail, does not work anymore.
Also, fail2ban now recommends changing a jail.local instead of the system-provided jail.conf file.
A custom jail (nginx-cplace) is successfully added and initialized.

Debug: /Package[fail2ban]: Provider dnf does not support features targetable; not managing attribute command
Debug: /Service[fail2ban]: Provider systemd does not support features configurable_timeout; not managing attribute timeout
Info: Applying configuration version '[Fix fail2ban](http://collaborationFactory/ops-puppet-internal/tree/f79264b30752c4143736a1fc58de71b6c3bf270e)'
Debug: /Stage[main]/Fail2ban/Anchor[fail2ban::begin]/before: before to Class[Fail2ban::Install]
Debug: /Stage[main]/Fail2ban::Install/before: before to Class[Fail2ban::Config]
Debug: /Stage[main]/Fail2ban::Config/notify: notify to Class[Fail2ban::Service]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.dir]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.dir]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Service/before: before to Anchor[fail2ban::end]
Debug: /Stage[main]/Profile::Fw/Firewall[010 accept SSH]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]: Adding autorequire relationship with User[root]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]: Adding autorequire relationship with User[root]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]: Adding autorequire relationship with User[root]
Debug: Executing: '/usr/bin/rpm -q fail2ban --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\n'
Debug: Executing: '/usr/bin/rpm -q fail2ban --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\n --whatprovides'
Debug: Package[fail2ban](provider=dnf): Ensuring => present
Debug: Executing: '/usr/bin/dnf -d 0 -e 1 -y install fail2ban'
Notice: /Stage[main]/Fail2ban::Install/Package[fail2ban]/ensure: created (corrective)
Debug: /Package[fail2ban]: The container Class[Fail2ban::Install] will propagate my refresh event
Debug: Class[Fail2ban::Install]: The container Stage[main] will propagate my refresh event
Info: Computing checksum on file /etc/fail2ban/jail.d/00-firewalld.conf
Info: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Filebucketed /etc/fail2ban/jail.d/00-firewalld.conf to puppet with sum ea523e49f854737b3f3c8dbf612ae764
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Removing existing file for replacement with absent
Notice: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]/ensure: removed (corrective)
Info: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Scheduling refresh of Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: The container Class[Fail2ban::Config] will propagate my refresh event
Debug: Class[Fail2ban::Config]: The container Stage[main] will propagate my refresh event
Info: Class[Fail2ban::Config]: Scheduling refresh of Class[Fail2ban::Service]
Info: Class[Fail2ban::Service]: Scheduling refresh of Service[fail2ban]
Debug: Executing: '/usr/bin/systemctl is-active -- fail2ban'
Debug: Executing: '/usr/bin/systemctl is-enabled -- fail2ban'
Debug: Executing: '/usr/bin/systemctl show --property=NeedDaemonReload -- fail2ban'
Debug: Executing: '/usr/bin/systemctl unmask -- fail2ban'
Debug: Executing: '/usr/bin/systemctl start -- fail2ban'
Debug: Executing: '/usr/bin/systemctl is-enabled -- fail2ban'
Debug: Executing: '/usr/bin/systemctl unmask -- fail2ban'
Debug: Executing: '/usr/bin/systemctl enable -- fail2ban'
Notice: /Stage[main]/Fail2ban::Service/Service[fail2ban]/ensure: ensure changed 'stopped' to 'running' (corrective)
Debug: /Service[fail2ban]: The container Class[Fail2ban::Service] will propagate my refresh event
Info: /Service[fail2ban]: Unscheduling refresh on Service[fail2ban]
Debug: Class[Fail2ban::Service]: The container Stage[main] will propagate my refresh event

LSB System Info:

lsbdistrelease | 8.0.1905
lsbdistid | CentOS
lsbdistdescription | CentOS Linux release 8.0.1905 (Core)
lsbdistcodename | Core

OK, I added this part (which is of course documented already) and now it works.
But maybe the module can still adjust to the recommendation from fail2ban to perform changes only in the jail.local file :)

fail2ban::config_file_template: "fail2ban/%{::lsbdistcodename}/etc/fail2ban/jail.conf.epp"

(On CentOS 7 I didn't add that, because the lsb tools are not available on my system, and it still worked.)
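An added example, not part of the original issue and not code from the puppet-fail2ban module: a check that reports whether a jail is effectively enabled, and which file decided that, by reading files in the order documented in fail2ban's jail.conf(5) (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local). The config tree, including the file name `jail.d/nginx-cplace.conf`, is constructed for the demonstration; point `effective_enabled` at `/etc/fail2ban` to check a real host.

```python
import configparser
import tempfile
from pathlib import Path


def jail_files(root):
    """Jail config files in the order fail2ban reads them; later files override."""
    root = Path(root)
    ordered = [root / "jail.conf", *sorted((root / "jail.d").glob("*.conf")),
               root / "jail.local", *sorted((root / "jail.d").glob("*.local"))]
    return [p for p in ordered if p.is_file()]


def effective_enabled(root, jail):
    """Return (enabled, relative path of the file that set the deciding value)."""
    root = Path(root)
    defined, default, specific = False, (False, None), None
    for path in jail_files(root):
        # Rename the parser's default section so [DEFAULT] is read as a plain
        # section and an explicit per-jail value can be told apart from it.
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__unused__")
        cp.read(path)
        rel = path.relative_to(root).as_posix()
        defined = defined or cp.has_section(jail)
        if cp.has_option("DEFAULT", "enabled"):
            default = (cp.getboolean("DEFAULT", "enabled"), rel)
        if cp.has_option(jail, "enabled"):
            specific = (cp.getboolean(jail, "enabled"), rel)
    if not defined:
        return (False, None)          # jail section does not exist anywhere
    return specific if specific is not None else default


def demo():
    """Constructed tree: sshd is off until a jail.local override is added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "jail.d").mkdir()
        (root / "jail.conf").write_text(
            "[DEFAULT]\nenabled = false\n\n[sshd]\nport = ssh\n")
        (root / "jail.d" / "nginx-cplace.conf").write_text(
            "[nginx-cplace]\nenabled = true\n")
        before = {j: effective_enabled(root, j) for j in ("sshd", "nginx-cplace")}
        (root / "jail.local").write_text("[sshd]\nenabled = true\n")
        after = effective_enabled(root, "sshd")
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running a check like this after each Puppet run catches the case where the service starts cleanly but the jail you rely on is not enabled.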