alex-harvey-z3q / puppet-firewall_multi

A multiplexer frontend for puppetlabs/firewall


One or more resource dependency cycles detected in graph

rayderua opened this issue · comments

Hi there! :)

I tried to configure Puppet according to the instructions with pre/post classes and got a cycle error when firewall_multi is used.

Example:

class wrappers::firewall {

  include firewall
  include wrappers::firewall::pre
  include wrappers::firewall::post

  Firewall {
    before  => Class['wrappers::firewall::post'],
    require => Class['wrappers::firewall::pre'],
  }
}

class wrappers::firewall::pre {

  Firewall { require => undef }
  Firewall_Multi  { require => undef } # not sure if this is needed here
  
  firewall { '001 default ipv4': action => 'accept', proto => 'all', iniface => 'lo' }
  firewall { '002 default ipv4': action => 'accept', proto => 'all', state => ['RELATED', 'ESTABLISHED'] }

  firewall { '003 default ipv4': action => 'accept', proto => 'tcp', dport => 22, source => ['192.168.0.0/16', '10.0.0.0/8'] }
  # firewall_multi { '003 default ipv4': action => 'accept', proto => 'tcp', dport => 22, source => ['192.168.0.0/16', '10.0.0.0/8'] }
}

class wrappers::firewall::post {

  $chains = {
    'INPUT:filter:IPv4'   => { 'purge' => true, 'policy' => 'drop' },
    'FORWARD:filter:IPv4' => { 'purge' => true, 'policy' => 'drop' },
    'OUTPUT:filter:IPv4'  => { 'purge' => true, 'policy' => 'accept' },
  }
  ensure_resources('firewallchain', $chains)
}

node default {
  include wrappers::firewall
}

With '003 default ipv4' via firewall everything works fine (with only the first source, 192.168, but that is okay for puppetlabs-firewall).

But when I replaced the '003 default ipv4' rule with firewall_multi, Puppet fails on the second run (unimportant lines deleted):

root@~# puppet agent -t
Info: Applying configuration version '1589390879'
Notice: /Stage[main]/Wrappers::Firewall::Pre/Firewall[001 default ipv4]/ensure: created (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Pre/Firewall[002 default ipv4]/ensure: created (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Pre/Firewall_multi[003 default ipv4]/Firewall[003 default ipv4 from 192.168.0.0/16]/ensure: created (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Pre/Firewall_multi[003 default ipv4]/Firewall[003 default ipv4 from 10.0.0.0/8]/ensure: created (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Post/Firewallchain[INPUT:filter:IPv4]/policy: policy changed 'accept' to 'drop' (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Post/Firewallchain[FORWARD:filter:IPv4]/policy: policy changed 'accept' to 'drop' (corrective)
Notice: Applied catalog in 2.88 seconds

root@~# puppet agent -t
Info: Applying configuration version '1589390891'
Error: Found 1 dependency cycle:
(Firewall[003 default ipv4 from 10.0.0.0/8] => Class[Wrappers::Firewall::Post] => Firewallchain[INPUT:filter:IPv4] => Firewall[003 default ipv4 from 10.0.0.0/8])
Cycle graph written to /etc/puppetlabs/graphs/cycles.dot.
Error: Failed to apply catalog: One or more resource dependency cycles detected in graph

root@~# 

All tested on empty firewall:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

I would be grateful for help in solving the problem (I'm still not completely sure that the problem is in the module).
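As an added example (not from the thread, puppet-firewall_multi or puppetlabs-firewall), a small Python script that parses the edges of the cycles.dot file Puppet names in the error above and lists each dependency cycle once, so the ordering loop can be read without tracing the graph by hand. The DOT sample is constructed to mirror the cycle in the agent output; the file path and the standard `"A" -> "B"` DOT edge syntax are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the cycle in the agent output above. The real input
# is the file Puppet names in the error (assumed: /etc/puppetlabs/graphs/cycles.dot);
# only the standard DOT  "A" -> "B"  edge syntax is relied on here.
SAMPLE_DOT = '''digraph Resource_Cycles {
    "Firewall[003 default ipv4 from 10.0.0.0/8]" -> "Class[Wrappers::Firewall::Post]"
    "Class[Wrappers::Firewall::Post]" -> "Firewallchain[INPUT:filter:IPv4]"
    "Firewallchain[INPUT:filter:IPv4]" -> "Firewall[003 default ipv4 from 10.0.0.0/8]"
    "Class[Wrappers::Firewall::Pre]" -> "Firewall[001 default ipv4]"
}
'''
EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')


def parse_edges(dot_text):
    """Return (source, target) pairs for every quoted DOT edge in the text."""
    return EDGE_RE.findall(dot_text)


def find_cycles(edges):
    """DFS with grey/black marking: each back edge met on the DFS path yields a
    cycle, rotated to its smallest vertex so one loop is reported only once."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    state, path, seen, cycles = {}, [], set(), []

    def visit(node):
        state[node] = "grey"
        path.append(node)
        for nxt in graph[node]:
            if state.get(nxt) == "grey":        # back edge: nxt is still on the path
                loop = path[path.index(nxt):]
                start = loop.index(min(loop))
                key = tuple(loop[start:] + loop[:start])
                if key not in seen:
                    seen.add(key)
                    cycles.append(list(key))
            elif nxt not in state:
                visit(nxt)
        path.pop()
        state[node] = "black"

    for node in list(graph):
        if node not in state:
            visit(node)
    return cycles
```

Printing `" => ".join(cycle + [cycle[0]])` for each returned cycle reproduces the `A => B => C => A` form the agent logs.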

I never saw this before. Did you sort this out?

Unfortunately, I didn't have time to research the problem.
I wrote a custom class which parses multiple sources/destinations and generates single rules.

@alexharv074 Hi
I think the problem is here: https://github.com/puppetlabs/puppetlabs-firewall/blob/main/lib/puppet/type/firewall.rb#L21-L25
I can't explain why firewall_multi is not working, but I found a temporary solution for this: create a default chain and jump into it.

class wrappers::firewall {

  include firewall
  include wrappers::firewall::pre
  include wrappers::firewall::post

  Firewall {
    before  => Class['wrappers::firewall::post'],
    require => Class['wrappers::firewall::pre']
  }

}

class wrappers::firewall::pre {

  Firewall { require => undef }

  firewallchain { 'system-input-default:filter:IPv4': ensure => present, purge   => true }

  firewall        { '001 default ipv4': chain => 'system-input-default', action => 'accept', proto => 'all', iniface => 'lo' }
  firewall        { '002 default ipv4': chain => 'system-input-default', action => 'accept', proto => 'all', state => ['RELATED', 'ESTABLISHED'] }
  firewall_multi  { '003 default ipv4': chain => 'system-input-default', action => 'accept', dport => 22, source => ['10.0.0.0/8', '172.31.255.0/24', '192.168.0.0/16'] }

}

class wrappers::firewall::post {

  firewall { '100 jump to system-input-default':
    chain   => 'INPUT',
    proto   => 'all',
    jump    => 'system-input-default',
    before  => Firewallchain['INPUT:filter:IPv4']
  }

  $chains = {
    'INPUT:filter:IPv4'   => { 'purge' => true, 'policy' => 'drop' },
    'FORWARD:filter:IPv4' => { 'purge' => true, 'policy' => 'drop' },
    'OUTPUT:filter:IPv4'  => { 'purge' => true, 'policy' => 'accept' },
  }

  ensure_resources('firewallchain', $chains)
}