Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Duplicate HTTP Port Declarations For Different Bind IPs Produces SELinux Duplicate Resource Declaration Error #120

Closed
kahoffman opened this issue Apr 6, 2019 · 3 comments
Closed

Duplicate HTTP Port Declarations For Different Bind IPs Produces SELinux Duplicate Resource Declaration Error #120

kahoffman opened this issue Apr 6, 2019 · 3 comments

Comments

@kahoffman
Copy link

Affected Module versions/distributions

  • Module version: v2.0.0

How to reproduce (e.g Puppet code you use)

squid::http_port { "192.168.1.1:443":  ssl => true,  }
squid::http_port { "192.168.1.2:443":  ssl => true,  }

What are you seeing

We have a use case of hosting about a dozen different proxy servers with one squid instance. Each server is bound to a different IP with different certs but the same port number. A Selinux::Port resource is declared for every http_port instance. If you have the same port number bound to different ips, this produces a duplicate resource declaration error and a failure to compile.

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Selinux::Port[selinux port squid_port_t 443] is already declared at  (file: <...>/modules/squid/manifests/http_port.pp, line: 54); cannot redeclare (file: <...>/modules/squid/manifests/http_port.pp, line: 54) (file: <...>/modules/squid/manifests/http_port.pp, line: 54, column: 5)

What behavior did you expect instead

The squid module should be able to handle multiple server declarations for the same port on different IPs.
@kahoffman
Copy link
Author

Looking at the code, one possible solution is to add an selinux parameter to http_port & https_port that can be set to true or false. (Default true) That would allow the choice to set the SELinux context for a port declaration. You could then choose not to have it set up at all or set it up for only one instance of a particular port but not the additional instances thus avoiding the duplicate declaration.

@ekohl
Copy link
Member

ekohl commented May 15, 2019

This may be a case for ensure_resource though I wouldn't object to an explicit parameter either.

ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Jun 20, 2019
@ralfbosz
Change the way SELinux is applied for portnumbers
7d5a5aa 
Since duplication was possible, the selinux::port
is now a "ensure_resource". This fixes issue voxpupuli#120
@ralfbosz ralfbosz mentioned this issue Jun 20, 2019
Merged
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Jun 20, 2019
@ralfbosz
Change the way SELinux is applied for portnumbers
7cf2b57 
When declaring serveral http_ports with different
IP's, but the same portnumber a resource conflict
would arise on the selinux-part. Changed the
selinux::port to an "ensure_resource", hence
fixing issue voxpupuli#120.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Jun 24, 2019
@ralfbosz
Change the way SELinux is applied for portnumbers
2393e92 
When declaring serveral http_ports with different
IP's, but the same portnumber a resource conflict
would arise on the selinux-part. Changed the
selinux::port to an "ensure_resource", hence
fixing issue voxpupuli#120.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Jun 24, 2019
@ralfbosz
Change the way SELinux is applied for portnumbers
142fed8 
When declaring serveral http_ports with different
IP's, but the same portnumber a resource conflict
would arise on the selinux-part. Changed the
selinux::port to an "ensure_resource", hence
fixing issue voxpupuli#120.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Jun 25, 2019
@ralfbosz
Use ensure_resource for SELinux port
156ca8f 
When declaring serveral http_ports with different
IP's, but the same portnumber a resource conflict
would arise on the selinux-part. Changed the
selinux::port to an "ensure_resource", hence
fixing issue voxpupuli#120.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Jun 25, 2019
@ralfbosz
Fix SELinux when using same http_port on IP's
13b57a8 
When declaring serveral http_ports with different
IP's, but the same portnumber a resource conflict
would arise on the selinux-part. Changed the
selinux::port to an "ensure_resource", hence
fixing issue voxpupuli#120.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Oct 7, 2019
@ralfbosz
Wrap selinux::ports with ensure_resource to allow duplicates
220eed3 
When declaring serveral http_ports with different
IP's, but the same portnumber a resource conflict
would arise on the selinux-part. Changed the
selinux::port to an "ensure_resource", hence
fixing issue voxpupuli#120.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Feb 5, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
361a42f 
The module is now able to handle multiple server
declarations for the same port on different IPs.
granquet pushed a commit to granquet/puppet-squid that referenced this issue Sep 24, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
13b9f1c 
The module is now able to handle multiple server
declarations for the same port on different IPs.
granquet pushed a commit to granquet/puppet-squid that referenced this issue Sep 24, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
099530f 
The module is now able to handle multiple server
declarations for the same port on different IPs.
granquet pushed a commit to granquet/puppet-squid that referenced this issue Sep 25, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
705428a 
The module is now able to handle multiple server
declarations for the same port on different IPs.
granquet pushed a commit to granquet/puppet-squid that referenced this issue Sep 25, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
e7ad45a 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
5dbbc5b 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
6bf8a60 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
3250ab6 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
dd8383f 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
b408e5f 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
45ff412 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
ee1e906 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
3c53572 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
6c314d0 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
da318b9 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
71a287b 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
dcc0150 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
51caf75 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
715407f 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
6848fdf 
The module is now able to handle multiple server
declarations for the same port on different IPs.
ralfbosz added a commit to ralfbosz/puppet-squid that referenced this issue Sep 28, 2020
@ralfbosz
Workaround for duplicate resource http_port voxpupuli#120
bab2643 
The module is now able to handle multiple server
declarations for the same port on different IPs.
@ekohl
Copy link
Member

ekohl commented Sep 28, 2020

This was solved in #152

@ekohl ekohl closed this as completed Sep 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ekohl @kahoffman