From b33dd048d270894a4ef577c329be6c53b39e9e08 Mon Sep 17 00:00:00 2001
From: Nageswara Nandigam <84482346+nagworld9@users.noreply.github.com>
Date: Fri, 27 Dec 2024 16:00:36 -0800
Subject: [PATCH] logging missing firewall rules reason (#3283)

* firewall logging

* ignore rule update

---------

Co-authored-by: Norberto Arrieta
---
 azurelinuxagent/ga/firewall_manager.py | 7 ++++++-
 azurelinuxagent/ga/update.py | 2 +-
 .../tests/agent_persist_firewall/agent_persist_firewall.py | 3 ++-
 tests_e2e/tests/lib/agent_log.py | 7 ++++---
 4 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/azurelinuxagent/ga/firewall_manager.py b/azurelinuxagent/ga/firewall_manager.py
index deed1ab6b..5a30823a7 100644
--- a/azurelinuxagent/ga/firewall_manager.py
+++ b/azurelinuxagent/ga/firewall_manager.py
@@ -186,6 +186,7 @@ def _execute_delete_command(self, command):
 def check(self):
 missing_rules = []
 existing_rules = []
+ missing_rules_reasons = []
 for rule, command in self._get_commands(self._get_check_command_option()):
 try:
@@ -194,6 +195,10 @@ def check(self):
 except CommandError as e:
 if e.returncode == 1: # rule does not exist
 missing_rules.append(rule)
+ # Issue: Even though the drop rule exists, the agent perceives it as missing when checking all rules.
+ # This might occur because we mark the rule as missing due to the same error code being returned for other reasons.
+ # So logging the error message to understand the reason for the rule being marked as missing.
+ missing_rules_reasons.append(e.stderr)
 else:
 raise
@@ -201,7 +206,7 @@ def check(self):
 return True
 if len(existing_rules) > 0: # some rules are present, but not all
- raise FirewallStateError("The following rules are missing: {0}".format(missing_rules))
+ raise FirewallStateError("The following rules are missing: {0} due to: {1}".format(missing_rules, missing_rules_reasons))
 return False
diff --git a/azurelinuxagent/ga/update.py b/azurelinuxagent/ga/update.py
index 1296cfa00..7ab191010 100644
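Review bot: `missing_rules_reasons.append(e.stderr)` in the second hunk records the tool's stderr verbatim, and the e2e expectations added in this same commit show what that yields: an empty reason (`due to: ['']`) in one case and a string with an embedded newline (`... chain?).\n`) in the other, so the message raised in the third hunk is noisy and, in the empty case, still does not explain why the command returned 1. Normalising the reason when it is captured, `missing_rules_reasons.append((e.stderr or "").strip())`, keeps the log entry on one line; if `CommandError` also carries the command's stdout, recording it alongside would cover the empty-stderr case (the exception class is not visible here). The two lists are parallel but are formatted separately in the `FirewallStateError` message, so a reader has to correlate them by position; `list(zip(missing_rules, missing_rules_reasons))` in the format call would print each rule with its own reason, at the cost of updating the e2e ignore patterns that now match `due to`. The body of `check()` starts before the first hunk and ends after the third.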
--- a/azurelinuxagent/ga/update.py
+++ b/azurelinuxagent/ga/update.py
@@ -1151,7 +1151,7 @@ def _initialize_firewall(wire_server_address):
 firewall_manager.setup()
 event.info(WALAEventOperation.Firewall, "Created firewall rules for Azure Fabric:\n{0}", firewall_manager.get_state())
 except FirewallStateError as e:
- event.warn(WALAEventOperation.Firewall, "The firewall rules for Azure Fabric are not setup correctly (the environment thread will fix it): {0}", ustr(e))
+ event.warn(WALAEventOperation.Firewall, "The firewall rules for Azure Fabric are not setup correctly (the environment thread will fix it): {0}. Current state:\n{1}", ustr(e), firewall_manager.get_state())
 #
 # Ensure firewall rules are persisted across reboots
diff --git a/tests_e2e/tests/agent_persist_firewall/agent_persist_firewall.py b/tests_e2e/tests/agent_persist_firewall/agent_persist_firewall.py
index 83166091c..261b6ad13 100644
--- a/tests_e2e/tests/agent_persist_firewall/agent_persist_firewall.py
+++ b/tests_e2e/tests/agent_persist_firewall/agent_persist_firewall.py
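Review bot: The new `firewall_manager.get_state()` call sits inside the `except FirewallStateError` handler, i.e. it runs exactly when the rules are known to be inconsistent; if `get_state()` queries the firewall tool and can raise (its body is not visible here), that exception would replace the warning with an error escaping the handler. Fetching the state best-effort before the `event.warn` keeps a diagnostic from turning into a failure. The rest of `_initialize_firewall` is outside the hunk, so an outer handler may already exist, in which case this is only a robustness nicety.
```python
except FirewallStateError as e:
    # The state dump is diagnostic only; do not let a failing query mask the warning.
    try:
        current_state = firewall_manager.get_state()
    except Exception as state_error:
        current_state = "unavailable: {0}".format(ustr(state_error))
    event.warn(WALAEventOperation.Firewall, "The firewall rules for Azure Fabric are not setup correctly (the environment thread will fix it): {0}. Current state:\n{1}", ustr(e), current_state)
```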
@@ -89,9 +89,10 @@ def get_ignore_error_rules(self) -> List[Dict[str, Any]]:
 # 2024-07-30T23:36:35.705717Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT DNS']), will reset them.
 # 2024-07-30T23:37:23.612352Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT']), will reset them.
 # 2024-07-30T23:38:11.083028Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['DROP']), will reset them.
+ # 2024-12-27T19:42:51.531056Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT'] due to: ['']), will reset them
 #
 {
- 'message': r"The permanent firewall rules for Azure Fabric are not setup correctly \(The following rules are missing: \[('ACCEPT DNS'|'ACCEPT'|'DROP'|, )+\]\), will reset them.",
+ 'message': r"The permanent firewall rules for Azure Fabric are not setup correctly \(The following rules are missing: \[('ACCEPT DNS'|'ACCEPT'|'DROP'|, )+\] due to.*\), will reset them.",
 'if': lambda r: r.level == "WARNING"
 }
 ]
diff --git a/tests_e2e/tests/lib/agent_log.py b/tests_e2e/tests/lib/agent_log.py
index 69b9c953b..691e8a345 100644
--- a/tests_e2e/tests/lib/agent_log.py
+++ b/tests_e2e/tests/lib/agent_log.py
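Review bot: The ignore pattern now requires ` due to` and matches it with an unbounded `.*` up to the last `\)`, so it no longer matches the three older log lines quoted in the comment above it (relevant if a log from an earlier agent build is ever examined) and, at the same time, accepts any text between the rule list and `will reset them`. Making the suffix optional and bounded keeps both properties: `\[('ACCEPT DNS'|'ACCEPT'|'DROP'|, )+\]( due to: \[.*\])?\), will reset them.` The two patterns loosened the same way in `tests_e2e/tests/lib/agent_log.py` (`\].* Will reset it.` and `\]\).* will reset them.`) would take the same `( due to: \[.*\])?` form. Since these rules suppress warnings for the whole run, keeping them tight avoids hiding an unrelated message that happens to share the prefix.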
@@ -330,13 +330,14 @@ def get_errors(self) -> List[AgentLogRecord]:
 # 2024-08-02T21:44:44.330727Z WARNING ExtHandler ExtHandler The firewall rules for Azure Fabric are not setup correctly (the environment thread will fix it): The following rules are missing: ['ACCEPT DNS']
 # 2024-08-08T22:05:26.561896Z WARNING EnvHandler ExtHandler The firewall is not configured correctly. The following rules are missing: ['ACCEPT DNS']. Will reset it.
 # 2024-09-16T15:50:12.473500Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT DNS']), will reset them.
- #
+ # 2024-12-27T19:42:03.895387Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT DNS'] due to: ['']), will reset them.
+ # 2024-12-27T19:38:14.093727Z WARNING EnvHandler ExtHandler The firewall is not configured correctly. The following rules are missing: ['ACCEPT DNS'] due to: ['iptables: Bad rule (does a matching rule exist in that chain?).\n']. Will reset it.
 {
 'message': r"(The firewall rules for Azure Fabric are not setup correctly \(the environment thread will fix it\): The following rules are missing: \['ACCEPT DNS'\])"
 "|"
- r"(The firewall is not configured correctly. The following rules are missing: \['ACCEPT DNS'\]. Will reset it.)"
+ r"(The firewall is not configured correctly. The following rules are missing: \['ACCEPT DNS'\].* Will reset it.)"
 "|"
- r"The permanent firewall rules for Azure Fabric are not setup correctly \(The following rules are missing: \['ACCEPT DNS'\]\), will reset them.",
+ r"The permanent firewall rules for Azure Fabric are not setup correctly \(The following rules are missing: \['ACCEPT DNS'\]\).* will reset them.",
 'if': lambda r: r.level == "WARNING"
 },
 # TODO: The Daemon has not been updated on Azure Linux 3; remove this message when it is.