Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor for v9.0.0 #128

Open
wants to merge 21 commits into
base: main
Choose a base branch
from

Conversation

bmhughes
Copy link
Contributor

@bmhughes bmhughes commented Mar 7, 2021

Description

  • Refactor cookbook
    • Remove legacy code
    • Refactor chain and rule resources
      • Complex logic moved to helper libraries
    • Refactor service resource
      • Add the full set of service actions
      • Create a default configuration to ensure starting on Redhat platform families
    • Refactor package resource
      • Add the full set of package actions
  • All resource unified_mode
  • Rename iptables_packages to iptables_package (old name aliased)

Issues Resolved

  • n/a

Check List

@bmhughes bmhughes force-pushed the refactor-resources-v8 branch from a9cb1bb to 196309b Compare March 7, 2021 18:41
resources/service.rb Outdated Show resolved Hide resolved
@bmhughes bmhughes force-pushed the refactor-resources-v8 branch 7 times, most recently from 3b92322 to 6953438 Compare March 7, 2021 21:11
README.md Outdated Show resolved Hide resolved
@xorima xorima requested review from tas50 and lamont-granquist March 8, 2021 09:29
@xorima
Copy link
Member

xorima commented Mar 8, 2021

I would like this to be reviewed with the thoughts of we will be shortly creating a PR to put this into Chef 17, so I have asked @lamont-granquist as well as @tas50 to review 👍

@bmhughes bmhughes force-pushed the refactor-resources-v8 branch 2 times, most recently from cd06737 to 582968d Compare March 8, 2021 13:17
kitchen.dokken.yml Show resolved Hide resolved
templates/default/iptables-config.erb Outdated Show resolved Hide resolved
Copy link

@detjensrobert detjensrobert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This appears not to respect the cookbook property and will always use the template from this cookbook instead of a specified one.

Do we want to keep support for C6 since it is EOL?

documentation/iptables_chain.md Outdated Show resolved Hide resolved
Comment on lines +37 to +43
property :table, [Symbol, String],
coerce: proc { |p| p.to_sym },
equal_to: Iptables::Cookbook::Helpers::IPTABLES_TABLE_NAMES,
required: true,
description: 'The table the chain should exist on'

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was the default of :filter removed for a reason? We use this default heavily in our wrapper.

@xorima
Copy link
Member

xorima commented Mar 9, 2021

We have to keep support for centos6 on this one, just due to chefs customer base and us wanting to put this in core.

@bmhughes
Copy link
Contributor Author

bmhughes commented Mar 9, 2021

I had some issues with CentOS 6 testing (again!) and wanted to FIO but gathered we'd want to keep it even though it's EoL now.

@bmhughes
Copy link
Contributor Author

bmhughes commented Mar 9, 2021

Thoughts on the table default value? I'd prefer to drop the default and make it required (needs doing for rule as well if so) so that things have to be explicitly set to reduce the setting a rule on the wrong table factor.

But I'll go with the general concensus, the way I do wrapper cookbooks it doesn't matter much to me either way.

@bmhughes
Copy link
Contributor Author

bmhughes commented Mar 9, 2021

This appears not to respect the cookbook property and will always use the template from this cookbook instead of a specified one.

Hmm i'll check this out but it should do, the only change that will effect it is it'll take the setting from the first resource called (service/chain/rule) as I only initialise the template resource if it doesn't already exist. Might refactor that thinking about it but then it'll come down the last resource declaration so i'm not 100% convinced it's actually better either.

@bmhughes bmhughes force-pushed the refactor-resources-v8 branch 2 times, most recently from f657029 to 546dec4 Compare March 9, 2021 21:10
@bmhughes bmhughes force-pushed the refactor-resources-v8 branch 3 times, most recently from 76fc5be to db62e25 Compare May 6, 2021 11:20
Copy link

@detjensrobert detjensrobert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Figured out why our wrapper template was not getting picked up: the cookbook property needs to be set on the _service resource, not just on the _chain and _rule resources. IMO the _service resource should not affect the rules template at all since it does not modify it, and let the first _chain or _rule call create it.

The examples in the documentation for _service do not match what is needed for the service to correctly restart when the template changes. The test cookbook has the delayed_action and manual subscribes, which are not mentioned as needed in the docs at all and are required to work correctly (at least from my testing). Would having the template resource notify the service be better, since that way the user does not have to remember to subscribe to the template?

@bmhughes
Copy link
Contributor Author

bmhughes commented May 27, 2021

Figured out why our wrapper template was not getting picked up: the cookbook property needs to be set on the _service resource, not just on the _chain and _rule resources. IMO the _service resource should not affect the rules template at all since it does not modify it, and let the first _chain or _rule call create it.

The examples in the documentation for _service do not match what is needed for the service to correctly restart when the template changes. The test cookbook has the delayed_action and manual subscribes, which are not mentioned as needed in the docs at all and are required to work correctly (at least from my testing). Would having the template resource notify the service be better, since that way the user does not have to remember to subscribe to the template?

Is this with the current release version of the cookbook or this PR? This is still a WIP so there may well be things missing/incorrect/will change so bear this in mind if you're attempting to use it.

The rulefile template resource is going to be created (and thus take it's source) by the first resource that requires it to exist (via the rulefile_resource_init method), if you create a service resource before a rule or chain then this where the template will be sourced from hence the behaviour you see. The alternative is to update on every resource call which is debatably worse. The service needs the rulefile to exist to start so it has the ability to ensure it is present.

The trouble with adding notifications to these resources internally is that is hard couples them and removes the benefit of pushing everything into resources and removes flexibility for the implementer in their wrapper. How to do this can be added to the documentation for sure, but the overall idea is someone may choose not to do that with their implementation which is why we try to make these resources as abstract as possible.

@ramereth
Copy link

@bmhughes can you please rebase and resolve the conflicts so we can properly review it?

@detjensrobert
Copy link

Is this with the current release version of the cookbook or this PR? This is still a WIP so there may well be things missing/incorrect/will change so bear this in mind if you're attempting to use it.

This was with the current version of this branch.

The rulefile template resource is going to be created (and thus take it's source) by the first resource that requires it to exist (via the rulefile_resource_init method), if you create a service resource before a rule or chain then this where the template will be sourced from hence the behaviour you see. The alternative is to update on every resource call which is debatably worse. The service needs the rulefile to exist to start so it has the ability to ensure it is present.

Ah, I see.

The trouble with adding notifications to these resources internally is that is hard couples them and removes the benefit of pushing everything into resources and removes flexibility for the implementer in their wrapper. How to do this can be added to the documentation for sure, but the overall idea is someone may choose not to do that with their implementation which is why we try to make these resources as abstract as possible.

That does make sense, even if that use case is a bit odd.

@bmhughes bmhughes force-pushed the refactor-resources-v8 branch 7 times, most recently from c8fe094 to 79c8700 Compare May 28, 2021 12:17
@detjensrobert
Copy link

I'm having some trouble with getting the template to restart when the recipe calling iptables_service is not the root recipe in the runlist. Our wrapper cookbooks structure follows this pattern:

node::recipe
  - wrapper_resource
    - wrapper::recipe
      - iptables_service
      - iptables_chain/_rule
    - iptables_chain/_rule

I've created a POC repo that reproduces the problem: https://github.com/detjensrobert/firewall-wrapper-test. Is there something obvious missing with this setup that is preventing the service resource from getting notified?

(testing on C7/C8)

@bmhughes
Copy link
Contributor Author

To be perfectly honest (trying not to sound a complete dick here), there's all sorts of things 'wrong' with that cookbook and the patterns it's following so i'm not completely surprised you're having issues and I'd be surprised if they were anything to do with the iptables cookbook itself.

I'm using this internally with the same wrapper I've used for the last couple of version without issue and without too many changes so I know it does work in practice.

Looking at that example my thoughts are:

  1. Why the 'wrapper' resource at all? Could be all done in a recipe and the abstraction/encapsulation a resource provides has little to no benefit there.
  2. Same above for the resource, if you aren't going to call it multiple times for different cases (which the pattern would suggest not), get rid of it.
  3. Calling a recipe from a resource is just.....wrong.
  4. There's no timer specified to the subscribes, not that it would 100% break the subscription but a bad smell all the same.
  5. From a pure Ruby perspective extending the helpers module into the service resource instance block is messy, you know what the template resource name is going to be, just use that.

@bmhughes
Copy link
Contributor Author

For constrast, my wrapper contains only a set of recipes that:

  1. installs packages
  2. iterates chains ipv4
  3. iterates rules ipv4
  4. iterates chains ipv6
  5. iterates rules ipv6
  6. service ipv4/service ipv6 with relevant subscribes.

Other than those couple of recipes and some methods to set ip_family automatically there's nothing else in the cookbook.

@bmhughes
Copy link
Contributor Author

Also if someone else has 5 can they try the debian 9/ubuntu 1604/1804 tests locally as they pass for me but fall over on actions. It's going to be related to docker/kernel/modules no doubt.

@detjensrobert
Copy link

detjensrobert commented Jun 1, 2021

Also if someone else has 5 can they try the debian 9/ubuntu 1604/1804 tests locally as they pass for me but fall over on actions. It's going to be related to docker/kernel/modules no doubt.

Tests pass here in Vagrant & Openstack 👍

@ramereth
Copy link

@bmhughes I can't replicate the current failures but I suspect it's related to a missing iptables kernel module not being loaded on the host system before docker runs. If you add something like the following it can probably give you some additional feedback:

https://github.com/sous-chefs/percona/blob/6e9d276cde44e96d2e848501d1fd656edc0496f8/.github/workflows/ci.yml#L130-L137

@bmhughes bmhughes changed the title Refactor for v8.0.0 Refactor for v9.0.0 Jun 16, 2021
@bmhughes bmhughes force-pushed the refactor-resources-v8 branch 3 times, most recently from db402ca to 7851cef Compare June 16, 2021 09:30
@tas50
Copy link
Contributor

tas50 commented Aug 14, 2021

@bmhughes Any chance you can get the DCO slapped on here and take a look at the failures in CI?

@bmhughes bmhughes force-pushed the refactor-resources-v8 branch 2 times, most recently from fad716d to 02a5b83 Compare August 16, 2021 12:55
@bmhughes bmhughes force-pushed the refactor-resources-v8 branch from 02a5b83 to 7b64755 Compare August 16, 2021 12:55
@bmhughes bmhughes force-pushed the refactor-resources-v8 branch from 19ec0eb to cc494b3 Compare August 16, 2021 13:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants