puppetlabs-firewall breaks down on parsing Kubespray/Calico iptables rules
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Fix Released | Medium | Jiří Stránský | |
Bug Description
Deployment goes fine including deploying step 2 of external_
Error: Failed to apply catalog: Parser error: keys (4) and values (8) count mismatch on line: -A cali-PREROUTING -m comment --comment \"cali:
y accepted packet.\" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
I've also seen:
Error: Failed to apply catalog: Parser error: keys (6) and values (8) count mismatch on line: -A KUBE-SERVICES ! -s 10.233.64.0/18 -d 10.233.0.1/32 -p tcp -m comment --comment \"default/
cluster IP\" -m tcp --dport 443 -j KUBE-MARK-MASQ
More complete puppet output:
fatal: [192.168.24.6]: FAILED! => {
"(outputs.
"exception: connect failed",
"Warning: Facter: Fact resolution fact='systemd_
String, Array, Hash], but was Symbol",
"Warning: Undefined variable 'deploy_
" (file & line not available)",
"Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib:
t/modules/
" (at /etc/puppet/
"Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib:
etc/puppet/
"Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib:
pet/modules/
"Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib:
et/modules/
"Warning: This method is deprecated, please use the stdlib validate_legacy function, with Pattern[]. There is further documentation for validate_legacy function in the README. at [\"/etc/
tp/manifests/
"Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib:
ppet/modules/
"Warning: ModuleLoader: module 'timezone' has unresolved dependencies - it will only see those that are resolved. Use 'puppet module list --tree' to see information about modules",
"Warning: ModuleLoader: module 'ssh' has unresolved dependencies - it will only see those that are resolved. Use 'puppet module list --tree' to see information about modules",
"Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib:
t/modules/
"Error: Failed to apply catalog: Parser error: keys (6) and values (8) count mismatch on line: -A KUBE-SERVICES ! -s 10.233.64.0/18 -d 10.233.0.1/32 -p tcp -m comment --comment \"default/
cluster IP\" -m tcp --dport 443 -j KUBE-MARK-MASQ",
"Notice: hiera(): Cannot load backend module_data: cannot load such file -- hiera/backend/
"Notice: Scope(Class[
"Notice: Compiled catalog for overcloud-
"Notice: /Stage[
"Notice: /Stage[
"Notice: /Stage[
],
"failed_
}
If I recall, the puppet-firewall needs comments in a specific format so it doesn't stomp on them. Either no comments or it has to fit in the "\d+: <comment>" format. Or something to that effect.
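A pre-flight check for the situation discussed in this report, as an added example that is not part of the bug thread or of puppetlabs-firewall: it scans `iptables-save` output and reports which chains hold rules whose `--comment` does not fit the format recalled in the comment above. The pattern `RECALLED_FORMAT`, the function names and the sample dump are assumptions constructed for illustration; the pattern is not taken from the module's source.

```ruby
require 'shellwords'

# Assumption: the comment format as recalled in the comment above
# ("\d+: <comment>"); not taken from the puppetlabs-firewall source.
RECALLED_FORMAT = /\A\d+: .+\z/

# Classify one iptables-save line by its --comment value.
def classify(line, pattern = RECALLED_FORMAT)
  return :not_a_rule unless line.start_with?('-A ')
  tokens = Shellwords.split(line) # keeps a quoted comment as one token
  idx = tokens.index('--comment')
  return :no_comment if idx.nil?
  tokens[idx + 1].to_s.match?(pattern) ? :fits_format : :foreign_comment
rescue ArgumentError # unbalanced quote, e.g. a line truncated mid-comment
  :unparseable
end

# Count rules with non-conforming comments, grouped by chain name.
def foreign_chains(dump, pattern = RECALLED_FORMAT)
  dump.each_line.map(&:strip).each_with_object(Hash.new(0)) do |line, counts|
    next unless classify(line, pattern) == :foreign_comment
    counts[Shellwords.split(line)[1]] += 1
  end
end

# Constructed sample dump. Rule skeletons follow the lines quoted in the
# report; every comment text here is made up for the example.
SAMPLE_DUMP = <<~'DUMP'
  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  -A INPUT -p tcp -m comment --comment "100: constructed managed rule" -m tcp --dport 80 -j ACCEPT
  -A cali-PREROUTING -m comment --comment "constructed sample comment" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
  -A KUBE-SERVICES ! -s 10.233.64.0/18 -d 10.233.0.1/32 -p tcp -m comment --comment "constructed sample comment" -m tcp --dport 443 -j KUBE-MARK-MASQ
  COMMIT
DUMP

if __FILE__ == $PROGRAM_NAME
  foreign_chains(SAMPLE_DUMP).each do |chain, n|
    puts "#{chain}: #{n} rule(s) with comments outside the recalled format"
  end
end
```

Pass a different regular expression as the second argument if the module version in use enforces another naming rule.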