firewalld_ipset needs an adjunct native type to selectively purge unmanaged resources #236
Comments
|
what do you propose as transition from one version that doesn't support such prefixes, to one that does? |
|
@igalic The current module has a "purge everything" mode that would work via This may need to be a breaking change bump but I'm honestly not sure how people were managing anything complex with this without it since literally renaming an ipset, or removing it from management, would leave it on the system to be persisted by firewalld forever. Basically, the current behavior is unpredictable from a traditional Puppet point of view and this should be fixed but, unfortunately, we have to allow for everything else in the world also mucking about with it by design. This may be a larger issue since this actually persists into all of the different spaces, Either way, we need some pattern matching capabilities so that we can keep other daemons in place. This may even need to be an Array of globs or regexes for safety. |
Currently, the module has two options:
The issue with
1.is that services, such a kubernetes management systems, may lay down ipsets to persist at some point. These need to be persisted over time.The issue with
2.is that, whenever you change your ipsets, you end up with entries that may no longer be valid that remain on your system and that may actually be invalid for firewalld (a mistaken rule).I would suggest two changes. First, I would ensure that all items added to the system by the module be prefixed with something that makes it obvious that it is managed by puppet (something like
pup_mgmtwould work fine.Second, I would allow users to purge but with two modes.
The text was updated successfully, but these errors were encountered: