Page MenuHomePhabricator
Create Task
Maniphest T373637

services using libnet-dns-perl can't use nftables as firewall provider
Closed, ResolvedPublic
Actions

Description

status quo:

A service that happens to use the libnet-dns-perl Debian package can't be switched from ferm / iptables to nftables as the firewall::provider.

example services affected: VRTS, mailman3 where the package is pulled in by spamassassin.

root cause:

If firewall::provider is set to nftables there is code that removes ferm/iptables and related packages.

This also removes libnet-dns-perl though.

effect:

If there is other puppet code that installs spamassassin or pulls in libnet-dns-perl in other ways, packages get installed and removed again on every single puppet run.

Services can't switch to nftables as firewall provider.

desired fix:

Some way to configure that this package is still needed while also being able to switch the firewall provider.

Details

SubjectRepoBranchLines +/-
Don't uninstall libnet-dns-perl when moving from ferm to nftablesoperations/puppetproduction+2 -1
Customize query in gerrit

Related Objects

Event Timeline

Dzahn created this task.Aug 29 2024, 8:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 29 2024, 8:11 PM
Dzahn updated the task description. (Show Details)Aug 29 2024, 8:12 PM
Dzahn added a comment.EditedAug 29 2024, 8:19 PM

example:

https://puppet-compiler.wmflabs.org/output/1055495/3785/vrts1001.eqiad.wmnet/change.vrts1001.eqiad.wmnet.err

would be caused by

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1055495

MoritzMuehlenhoff claimed this task.Sep 2 2024, 1:41 PM
MoritzMuehlenhoff triaged this task as Medium priority.
MoritzMuehlenhoff subscribed.

I'll look into a fix

gerritbot added a comment.Sep 3 2024, 3:04 PM

Change #1070273 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Don't uninstall libnet-dns-perl when moving from ferm to nftables

https://gerrit.wikimedia.org/r/1070273

gerritbot added a project: Patch-For-Review.Sep 3 2024, 3:04 PM
LSobanski moved this task from Incoming to Consultation on the collaboration-services board.Sep 4 2024, 9:05 AM
eoghan mentioned this in T373980: Hosts using nftables are not reachable via ssh from alert[12]002. Reboot needed..Sep 5 2024, 3:42 PM
gerritbot added a comment.Sep 10 2024, 7:07 AM

Change #1070273 merged by Muehlenhoff:

[operations/puppet@production] Don't uninstall libnet-dns-perl when moving from ferm to nftables

https://gerrit.wikimedia.org/r/1070273

MoritzMuehlenhoff closed this task as Resolved.Sep 10 2024, 7:29 AM

Should be fixed with the merge of https://gerrit.wikimedia.org/r/1070273

Maintenance_bot removed a project: Patch-For-Review.Sep 10 2024, 7:30 AM
MoritzMuehlenhoff mentioned this in T371575: puppet package install cycle with firewall::service, ferm/nftables and libnet-dns-perl.Sep 10 2024, 7:30 AM
MoritzMuehlenhoff merged a task: T371575: puppet package install cycle with firewall::service, ferm/nftables and libnet-dns-perl.
MoritzMuehlenhoff added subscribers: SLyngshede-WMF, LSobanski, eoghan.
Dzahn added a comment.Sep 10 2024, 4:57 PM

Thank you for the fix! Obviously I had forgotten I reported the same thing twice:)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits