Bug 1650297

Summary: error in configuration prevents the rest from loading
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Dolezal <todoleza>
Component: ipset Assignee: Stefano Brivio <sbrivio>
Status: CLOSED ERRATA QA Contact: Tomas Dolezal <todoleza>
Severity: high Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high    
Version: 7.6 CC: fgiudici, jmaxwell, pasik, sbrivio, todoleza
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipset-7.1-1.el7 Doc Type: Bug Fix
Doc Text:
.The `ipset` service now ignores invalid configuration entries during startup

The `ipset` service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. The problem has been fixed. As a result, the `ipset` service detects and removes invalid configuration entries during the restore operation, and ignores invalid configuration entries.
Story Points: ---
Clone Of:
: 1683713 Environment:
Last Closed: 2019-08-06 13:00:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1654714, 1709731    

Description Tomas Dolezal 2018-11-15 18:46:42 UTC
Description of problem:
Errors in configuration can cause the loading script to stop loading the rest.
This bug is a split of bug 1649877

Version-Release number of selected component (if applicable):
ipset-6.38-3.el7_6.x86_64
ipset-6.38-2.el7.x86_64

How reproducible:
always

Steps to Reproduce:
mkdir /etc/sysconfig/ipset.d/
cat > /etc/sysconfig/ipset.d/a.set <<EOF
create a hash:ip family inet hashsize 1024 maxelem 50
add a 10.20.30.40
EOF
cat > /etc/sysconfig/ipset.d/b.set  <<EOF
create b hash:ip family inet hashsize 1024 maxelem 50
invalid string
add b 10.20.30.41
EOF
cat > /etc/sysconfig/ipset.d/c.set  <<EOF
create c hash:ip family inet hashsize 1024 maxelem 50
add c 10.20.30.42
EOF

systemctl restart ipset
ipset list | egrep Name\|Number
Name: a
Number of entries: 0
Name: b
Number of entries: 0
Name: c
Number of entries: 0
# here there should always have been 1 entry

echo 'invalid string' > /etc/sysconfig/ipset.d/b.set
systemctl restart ipset
ipset list | egrep Name\|Number
Name: a
Number of entries: 0
# no members and set 'c' is missing

rm /etc/sysconfig/ipset.d/b.set
mkdir /etc/sysconfig/ipset.d/00dir
systemctl restart ipset
ipset list | egrep Name\|Number
Name: a
Number of entries: 1
Name: c
Number of entries: 1

Expected results:
* set members are always present for created sets
* an error in a file similar to 'b.set' with 'invalid string' does not prevent the rest of the sets from being loaded and populated correctly

Additional info:

Comment 10 errata-xmlrpc 2019-08-06 13:00:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2158
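
The reproduction in the description can be checked on disk before the service is restarted. The script below is an added example, not the ipset package's service script and not the fix shipped in the erratum. It assumes a usable line is a `create` or `add` command followed by a set name and at least one argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: syntactic pre-filter for ipset set files.
# Assumption: a usable line is "create NAME TYPE ..." or "add NAME ENTRY ...".
# Set types, addresses and options are NOT validated here.

# filter_set_file FILE
#   stdout: lines that look like create/add commands
#   stderr: "rejected FILE:LINE: text" for every dropped line
filter_set_file() {
    awk -v f="$1" '
        /^[ \t]*(#|$)/ { next }                      # blank line or comment
        ($1 == "create" || $1 == "add") && NF >= 3 { print; next }
        { printf "rejected %s:%d: %s\n", f, NR, $0 | "cat 1>&2" }
    ' "$1"
}

# build_restore_stream DIR
#   Filters every regular file in DIR on its own, so one bad line cannot
#   hide the sets that come after it. Directories (such as the 00dir in
#   the reproduction) are skipped.
build_restore_stream() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        filter_set_file "$f"
    done
}

# expected_entries DIR
#   Prints "NAME COUNT" per set, for comparison with the
#   "Name:" / "Number of entries:" lines printed by `ipset list`.
expected_entries() {
    build_restore_stream "$1" 2>/dev/null | awk '
        $1 == "create" { n[$2] += 0 }
        $1 == "add"    { n[$2]++ }
        END { for (s in n) print s, n[s] }
    ' | sort
}

# Stand-alone use: pass the set directory as the first argument.
if [ $# -gt 0 ]; then
    expected_entries "$1"
fi
```

A set that `expected_entries` reports with a non-zero count but that `ipset list` shows as empty or missing means the rules referencing that set are matching nothing.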