From a407bcdc746e1eed1585ab493ac86705198c5319 Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Mon, 15 Aug 2016 11:01:50 -0600
Subject: [PATCH] Add --wait to iptables commands

This change adds the --wait flag to the insert/update/delete iptables actions to prevent failures from occuring when iptables is running outside of puppet. Previously if a script or a user is running iptables commands while puppet is running, there may be failures in the firewall provider if iptables cannot get a lock. By default, iptables will just fail with an error so using --wait will make it wait until a lock can be established. The --wait is only added for iptables >= 1.4.20.
---
 lib/puppet/provider/firewall/iptables.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index f599faa..22cf398 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -628,6 +628,14 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 resource_map = self.class.instance_variable_get('@resource_map')
 resource_map = munge_resource_map_from_resource(resource_map, resource)
+ # Always attempt to wait for a lock for iptables to prevent failures when
+ # puppet is running at the same time something else is managing the rules
+ # note: --wait wasn't added untip iptables version 1.4.20
+ iptables_version = Facter.value('iptables_version')
+ if (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.4.20') >= 0)
+ args << ['--wait']
+ end
+
 resource_list.each do |res|
 resource_value = nil
 if (resource[res]) then
-- 
2.45.2
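Review bot: `args << ['--wait']` pushes a one-element Array onto args rather than the string itself, so unless args is flattened before it is handed to the iptables exec (not visible in this hunk) the provider would pass an Array where a String argument is expected; `args << '--wait'` avoids relying on a later flatten. The comment above it has a typo, `untip` should read `until`, and the parentheses around the condition are unidiomatic Ruby: `if iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.4.20') >= 0`. The nil guard on the fact is right, since a missing `iptables_version` fact would otherwise make versioncmp raise and take the whole rule apply down with it. The enclosing method starts and ends outside the hunk.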