One or more resource dependency cycles detected in graph
rayderua opened this issue · comments
Hi there! :)
I tried to configure Puppet according to the instructions with pre/post classes and got a cycle error when firewall_multi is used.
Example:
```puppet
class wrappers::firewall {
  include firewall
  include wrappers::firewall::pre
  include wrappers::firewall::post
  Firewall {
    before  => Class['wrappers::firewall::post'],
    require => Class['wrappers::firewall::pre'],
  }
}

class wrappers::firewall::pre {
  Firewall { require => undef }
  Firewall_Multi { require => undef } # not sure if this is needed here
  firewall { '001 default ipv4': action => 'accept', proto => 'all', iniface => 'lo' }
  firewall { '002 default ipv4': action => 'accept', proto => 'all', state => ['RELATED', 'ESTABLISHED'] }
  firewall { '003 default ipv4': action => 'accept', proto => 'tcp', dport => 22, source => ['192.168.0.0/16', '10.0.0.0/8'] }
  # firewall_multi { '003 default ipv4': action => 'accept', proto => 'tcp', dport => 22, source => ['192.168.0.0/16', '10.0.0.0/8'] }
}

class wrappers::firewall::post {
  $chains = {
    'INPUT:filter:IPv4'   => { 'purge' => true, 'policy' => 'drop' },
    'FORWARD:filter:IPv4' => { 'purge' => true, 'policy' => 'drop' },
    'OUTPUT:filter:IPv4'  => { 'purge' => true, 'policy' => 'accept' },
  }
  ensure_resources('firewallchain', $chains)
}

node default {
  include wrappers::firewall
}
```
With '003 default ipv4' declared via firewall, everything works fine (with only the first source, 192.168, but that is okay for puppetlabs-firewall).
But when I replaced the '003 default ipv4' rule with firewall_multi, puppet failed on the second run (unimportant lines deleted):
```
root@~# puppet agent -t
Info: Applying configuration version '1589390879'
Notice: /Stage[main]/Wrappers::Firewall::Pre/Firewall[001 default ipv4]/ensure: created (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Pre/Firewall[002 default ipv4]/ensure: created (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Pre/Firewall_multi[003 default ipv4]/Firewall[003 default ipv4 from 192.168.0.0/16]/ensure: created (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Pre/Firewall_multi[003 default ipv4]/Firewall[003 default ipv4 from 10.0.0.0/8]/ensure: created (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Post/Firewallchain[INPUT:filter:IPv4]/policy: policy changed 'accept' to 'drop' (corrective)
Notice: /Stage[main]/Wrappers::Firewall::Post/Firewallchain[FORWARD:filter:IPv4]/policy: policy changed 'accept' to 'drop' (corrective)
Notice: Applied catalog in 2.88 seconds
root@~# puppet agent -t
Info: Applying configuration version '1589390891'
Error: Found 1 dependency cycle:
(Firewall[003 default ipv4 from 10.0.0.0/8] => Class[Wrappers::Firewall::Post] => Firewallchain[INPUT:filter:IPv4] => Firewall[003 default ipv4 from 10.0.0.0/8])
Cycle graph written to /etc/puppetlabs/graphs/cycles.dot.
Error: Failed to apply catalog: One or more resource dependency cycles detected in graph
root@~#
```
All tested on an empty firewall:
```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
```
I would be grateful for help in solving the problem (I'm still not completely sure that the problem is in the module).
I never saw this before. Did you sort this out?
Unfortunately, I didn't have time to research the problem.
I wrote a custom class which parses multiple sources/dests and generates single rules.
@alexharv074 Hi,
I think the problem is here: https://github.com/puppetlabs/puppetlabs-firewall/blob/main/lib/puppet/type/firewall.rb#L21-L25
I can't explain why firewall_multi is not working, but I found a temporary solution for this: create a default chain and jump into it.
```puppet
class wrappers::firewall {
  include firewall
  include wrappers::firewall::pre
  include wrappers::firewall::post
  Firewall {
    before  => Class['wrappers::firewall::post'],
    require => Class['wrappers::firewall::pre'],
  }
}

class wrappers::firewall::pre {
  Firewall { require => undef }
  firewallchain { 'system-input-default:filter:IPv4': ensure => present, purge => true }
  firewall { '001 default ipv4': chain => 'system-input-default', action => 'accept', proto => 'all', iniface => 'lo' }
  firewall { '002 default ipv4': chain => 'system-input-default', action => 'accept', proto => 'all', state => ['RELATED', 'ESTABLISHED'] }
  firewall_multi { '003 default ipv4': chain => 'system-input-default', action => 'accept', dport => 22, source => ['10.0.0.0/8', '172.31.255.0/24', '192.168.0.0/16'] }
}

class wrappers::firewall::post {
  firewall { '100 jump to system-input-default':
    chain  => 'INPUT',
    proto  => 'all',
    jump   => 'system-input-default',
    before => Firewallchain['INPUT:filter:IPv4'],
  }
  $chains = {
    'INPUT:filter:IPv4'   => { 'purge' => true, 'policy' => 'drop' },
    'FORWARD:filter:IPv4' => { 'purge' => true, 'policy' => 'drop' },
    'OUTPUT:filter:IPv4'  => { 'purge' => true, 'policy' => 'accept' },
  }
  ensure_resources('firewallchain', $chains)
}
```
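When Puppet reports a dependency cycle it also writes the offending edges to `cycles.dot` (the path is named in the error above). The script below is an added example, not code from this issue, from puppetlabs-firewall or from puppet-firewall_multi: it parses a quoted-node DOT edge list, enumerates the elementary cycles with a path-stack depth-first search, and prints each one in the same `A => B => A` form Puppet uses. The `SAMPLE_DOT` text is constructed to mirror the cycle in the error message plus two unrelated edges; the real file's layout may differ (only `"src" -> "dst"` lines are read), and the exhaustive search is meant for the small graph Puppet writes, not a whole catalog.

```python
"""Enumerate dependency cycles in a Puppet relationship graph exported as DOT.

Added example (not from the issue or the modules it discusses). The DOT
below is a constructed stand-in for /etc/puppetlabs/graphs/cycles.dot.
"""
import re

# Constructed sample: the three edges of the cycle reported in the issue,
# plus two catalog edges that are not part of any cycle.
SAMPLE_DOT = '''
digraph Resource_Cycles {
  label = "Resource Cycles"
  "Firewall[003 default ipv4 from 10.0.0.0/8]" -> "Class[Wrappers::Firewall::Post]"
  "Class[Wrappers::Firewall::Post]" -> "Firewallchain[INPUT:filter:IPv4]"
  "Firewallchain[INPUT:filter:IPv4]" -> "Firewall[003 default ipv4 from 10.0.0.0/8]"
  "Class[Wrappers::Firewall::Pre]" -> "Firewall[001 default ipv4]"
  "Firewall[001 default ipv4]" -> "Class[Wrappers::Firewall::Post]"
}
'''

# One DOT edge between two double-quoted node names.
EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')


def parse_edges(dot_text):
    """Return (source, target) pairs for every quoted-node edge in the DOT text."""
    return EDGE_RE.findall(dot_text)


def find_cycles(edges):
    """Return every elementary cycle as a tuple of node names.

    Each cycle is reported once, rotated so its lexicographically smallest
    node comes first; this makes the result independent of the start node.
    """
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
    found = set()

    def walk(path):
        # path holds the current simple path; a successor already on it closes a cycle.
        for nxt in graph.get(path[-1], []):
            if nxt in path:
                cyc = path[path.index(nxt):]
                k = cyc.index(min(cyc))
                found.add(tuple(cyc[k:] + cyc[:k]))
            else:
                walk(path + [nxt])

    for start in list(graph):
        walk([start])
    return sorted(found)


def describe_cycle(cycle):
    """Render a cycle the way Puppet prints it: A => B => C => A."""
    return " => ".join(cycle + (cycle[0],))


def report(dot_text):
    """Parse the DOT text and return one description line per cycle."""
    return [describe_cycle(c) for c in find_cycles(parse_edges(dot_text))]


if __name__ == "__main__":
    for line in report(SAMPLE_DOT):
        print(line)
```

Reading the output for this sample shows the three edges that have to exist for the cycle to close: a `before => Class[...post]` edge from the firewall_multi child rule, the containment edge from the class to its firewallchain, and an edge from the chain back to the rule. Knowing which of the three is the unexpected one is what points at the relevant part of the type definition, as the comment above does.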