Permanent drift ("correction") when running "puppet agent -tv"
Expected Behavior
No permanent drift ("correction") should be happening when running "puppet agent -tv"
Steps to Reproduce
Steps to reproduce the behavior:
Go to '...'
Click on '....'
Environment
$ puppetserver --version
puppetserver version: 7.9.5
// On client node:
$ puppet --version
7.32.1
mod 'puppetlabs-firewall', '8.0.3'
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
$ uname -a
Linux myhostname.local 6.2.0-1016-aws #16~22.04.1-Ubuntu SMP Sun Nov 5 20:08:16 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Additional Context
I have permanent drift ("corrective" actions applied) for an iptables rule. Code example:
firewall { '999 drop all unknown tcp rsyslog':
  ensure   => 'present',
  protocol => 'iptables',
  chain    => 'INPUT',
  proto    => 'tcp',
  source   => '0.0.0.0/0',
  dport    => ['20514:20516'],
  jump     => 'drop',
}
When I run "iptables-save" I see the following:
# Generated by iptables-save v1.8.7 on Tue Aug 20 11:21:17 2024
*filter
:INPUT ACCEPT [2163984655:124490745956]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11519292341:11241169407864]
........................
-A INPUT -p tcp -m multiport --dports 20514:20516 -m comment --comment "999 drop all unknown tcp rsyslog" -j DROP
COMMIT
# Completed on Tue Aug 20 11:21:17 2024
Then I run "puppet agent -tv":
$ puppet agent -tv
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from puppet7.local:8140 (10.7.155.5)
Info: Caching catalog for myhostname.local
Info: Applying configuration version '1724152921'
Notice: /Stage[main]/Sink_forward/Firewall[999 drop all unknown tcp rsyslog]/source: source changed to '0.0.0.0/0' (corrective)
Notice: firewall[999 drop all unknown tcp rsyslog]: Updating: Updating Rule '999 drop all unknown tcp rsyslog' with {:name=>"999 drop all unknown tcp rsyslog", :ensure=>"present", :protocol=>"iptables", :chain=>"INPUT", :source=>nil, :proto=>"tcp", :dport=>["20514:20516"], :jump=>"DROP", :table=>"filter"}
Notice: firewall[999 drop all unknown tcp rsyslog]: Updating: Ensuring changes to '999 drop all unknown tcp rsyslog' persist
Notice: firewall[999 drop all unknown tcp rsyslog]: Updating: Finished in 0.076291 seconds
Notice: Applied catalog in 49.85 seconds
But after this "corrective" action the iptables rule is still the same:
-A INPUT -p tcp -m multiport --dports 20514:20516 -m comment --comment "999 drop all unknown tcp rsyslog" -j DROP
I tried to delete it via:
iptables -L INPUT --line-numbers
.......
242 DROP tcp -- anywhere anywhere multiport dports 20514:20516 /* 999 drop all unknown tcp rsyslog */
iptables -D INPUT 242
Then I run "puppet agent -tv" again:
$ puppet agent -tv
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from puppet7.local:8140 (10.7.155.5)
Info: Caching catalog for myhostname.local
Info: Applying configuration version '1724153234'
Notice: /Stage[main]/Sink_forward/Firewall[999 drop all unknown tcp rsyslog]/ensure: defined 'ensure' as 'present' (corrective)
Notice: firewall[999 drop all unknown tcp rsyslog]: Creating: Creating Rule '999 drop all unknown tcp rsyslog' with {:name=>"999 drop all unknown tcp rsyslog", :ensure=>"present", :protocol=>"iptables", :chain=>"INPUT", :source=>nil, :proto=>"tcp", :dport=>["20514:20516"], :jump=>"DROP", :table=>"filter"}
Notice: firewall[999 drop all unknown tcp rsyslog]: Creating: Ensuring changes to '999 drop all unknown tcp rsyslog' persist
Notice: firewall[999 drop all unknown tcp rsyslog]: Creating: Finished in 0.081846 seconds
Notice: Applied catalog in 48.72 seconds
But in the end the iptables rule is the same:
-A INPUT -p tcp -m multiport --dports 20514:20516 -m comment --comment "999 drop all unknown tcp rsyslog" -j DROP
And every time the Puppet agent runs, we see "drift" in PuppetBoard.
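An added illustration (editor's code, not from the issue or the puppetlabs-firewall module) of why this resource can never converge: the agent log above shows the provider reading :source=>nil from the live table while the manifest states '0.0.0.0/0', and iptables-save never prints "-s 0.0.0.0/0" because any-source is the default. The parse_rule, normalize and drift helpers are hypothetical and mimic only as much of a provider's comparison as is needed to show the raw comparison flagging source as drifted on every run and the normalized comparison not doing so.

```ruby
require 'shellwords'

# Live rule as printed by iptables-save in the issue (copied from the report).
SAVED_RULE = '-A INPUT -p tcp -m multiport --dports 20514:20516 ' \
             '-m comment --comment "999 drop all unknown tcp rsyslog" -j DROP'
# Desired state, transcribed from the firewall resource in the manifest.
DESIRED = {
  chain: 'INPUT', proto: 'tcp', source: '0.0.0.0/0',
  dport: ['20514:20516'], jump: 'DROP', name: '999 drop all unknown tcp rsyslog'
}.freeze
ANY_V4 = '0.0.0.0/0'.freeze
# Flags that carry one value mapping directly onto a resource property.
FLAG_KEYS = {
  '-A' => :chain, '-p' => :proto, '-s' => :source,
  '-d' => :destination, '-j' => :jump, '--comment' => :name
}.freeze

# Minimal parser for one iptables-save "-A ..." line (hypothetical helper).
def parse_rule(line)
  tokens = Shellwords.split(line) # keeps the quoted comment as one token
  rule = {}
  i = 0
  while i < tokens.length
    tok = tokens[i]
    if FLAG_KEYS.key?(tok)
      rule[FLAG_KEYS[tok]] = tokens[i + 1]
      i += 2
    elsif %w[--dport --dports].include?(tok)
      rule[:dport] = tokens[i + 1].split(',')
      i += 2
    else
      i += 1 # "-m multiport" / "-m comment" select an extension, no rule state
    end
  end
  rule
end

# iptables never prints "-s 0.0.0.0/0" (the default, "any source"), so an
# explicit any-source in the manifest must be folded into the absent form
# before comparing; otherwise every run reports source as changed.
def normalize(rule)
  rule.reject { |k, v| %i[source destination].include?(k) && v == ANY_V4 }
end

# Properties whose desired and live values differ; [] means no drift.
def drift(desired, live)
  (desired.keys | live.keys).select { |k| desired[k] != live[k] }
end
```

In the manifest itself the same match is expressed by leaving source unset, which is the form iptables-save hands back on the next run.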