Add --wait to iptables commands

This change adds the --wait flag to the insert/update/delete iptables
actions to prevent failures from occuring when iptables is running
outside of puppet. Previously if a script or a user is running iptables
commands while puppet is running, there may be failures in the firewall
provider if iptables cannot get a lock. By default, iptables will just
fail with an error so using --wait will make it wait until a lock can be
established. The --wait is only added for iptables >= 1.4.20.

Closes-Bug: #1612185
Change-Id: I4f667f61ef986f60441dbac3b440e383cc131451
Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 1d7aec510ef9629929d4440f75ceed963e94f5a9..474d3dc6eadb149a3a7f964e3fe606fc1ad6e479 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -602,6 +602,14 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     resource_map = self.class.instance_variable_get('@resource_map')
     resource_map = munge_resource_map_from_resource(resource_map, resource)
 
+    # Always attempt to wait for a lock for iptables to prevent failures when
+    # puppet is running at the same time something else is managing the rules
+    # note: --wait wasn't added untip iptables version 1.4.20
+    iptables_version = Facter.value('iptables_version')
+    if (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.4.20') >= 0)
+      args << ['--wait']
+    end
+
     resource_list.each do |res|
       resource_value = nil
       if (resource[res]) then

diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
index d7523787f7577851e31da27bf7e65ff84cb496aa..e3bf1dbf85646700891ca883d2e4b769b4cd1aa6 100644 (file)
--- a/spec/fixtures/ip6tables/conversion_hash.rb
+++ b/spec/fixtures/ip6tables/conversion_hash.rb
@@ -46,7 +46,7 @@ HASH_TO_ARGS6 = {
       :source => '::/0',
       :destination => '::/0',
     },
-    :args => ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '100 zero prefix length ipv6'],
+    :args => ['--wait', '-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '100 zero prefix length ipv6'],
   },
   'source_destination_ipv4_no_cidr' => {
     :params => {
@@ -56,7 +56,7 @@ HASH_TO_ARGS6 = {
       :source => '1.1.1.1',
       :destination => '2.2.2.2',
     },
-    :args => ['-t', :filter, '-s', '1.1.1.1/32', '-d', '2.2.2.2/32', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv4 no cidr'],
+    :args => ['--wait', '-t', :filter, '-s', '1.1.1.1/32', '-d', '2.2.2.2/32', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv4 no cidr'],
   },
  'source_destination_ipv6_no_cidr' => {
     :params => {
@@ -66,7 +66,7 @@ HASH_TO_ARGS6 = {
       :source => '2001:db8:1234::',
       :destination => '2001:db8:4321::',
     },
-    :args => ['-t', :filter, '-s', '2001:db8:1234::/128', '-d', '2001:db8:4321::/128', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 no cidr'],
+    :args => ['--wait', '-t', :filter, '-s', '2001:db8:1234::/128', '-d', '2001:db8:4321::/128', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 no cidr'],
   },
  'source_destination_ipv6_netmask' => {
     :params => {
@@ -76,7 +76,7 @@ HASH_TO_ARGS6 = {
       :source => '2001:db8:1234::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
       :destination => '2001:db8:4321::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
     },
-    :args => ['-t', :filter, '-s', '2001:db8:1234::/48', '-d', '2001:db8:4321::/48', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 netmask'],
+    :args => ['--wait', '-t', :filter, '-s', '2001:db8:1234::/48', '-d', '2001:db8:4321::/48', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 netmask'],
   },
   'frag_ishasmorefrags' => {
     :params => {
@@ -85,7 +85,7 @@ HASH_TO_ARGS6 = {
       :provider => 'ip6tables',
       :table => "filter",
     },
-    :args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragmore", "-m", "comment", "--comment", "100 has more fragments"],
+    :args => ['--wait', "-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragmore", "-m", "comment", "--comment", "100 has more fragments"],
   },
   'frag_islastfrag' => {
     :params => {
@@ -94,7 +94,7 @@ HASH_TO_ARGS6 = {
       :provider => 'ip6tables',
       :table => "filter",
     },
-    :args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fraglast", "-m", "comment", "--comment", "100 last fragment"],
+    :args => ['--wait', "-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fraglast", "-m", "comment", "--comment", "100 last fragment"],
   },
   'frag_isfirstfrags' => {
     :params => {
@@ -103,7 +103,7 @@ HASH_TO_ARGS6 = {
       :provider => 'ip6tables',
       :table => "filter",
     },
-    :args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragfirst", "-m", "comment", "--comment", "100 first fragment"],
+    :args => ['--wait', "-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragfirst", "-m", "comment", "--comment", "100 first fragment"],
   },
   'hop_limit' => {
     :params => {
@@ -112,6 +112,6 @@ HASH_TO_ARGS6 = {
       :provider => 'ip6tables',
       :table => "filter",
     },
-    :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 hop limit", "-m", "hl", "--hl-eq", 255],
+    :args => ['--wait', "-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 hop limit", "-m", "hl", "--hl-eq", 255],
   },
 }