Merge pull request #324 from apenney/socket-owner-sles-madness

Ashley Penney · Ashley Penney · commit 15c2ac55e173 · 2014-02-28T14:08:38.000-05:00
Socket owner sles madness
diff --git a/README.markdown b/README.markdown
@@ -362,20 +362,20 @@ Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubun
 
 ##Limitations
 
-While we aim to support as low as Puppet 2.6.x (for now), we recommend installing the latest Puppet version from the Puppetlabs official repos.
+###SLES
 
-Please note, we only aim support for the following distributions and versions - that is, we actually do ongoing system tests on these platforms:
+The `socket` parameter is not supported on SLES.  In this release it will cause
+the catalog to fail with iptables failures, rather than correctly warn you that
+the features are unusable.
 
-* Redhat 5.9 and 6.4
-* Debian 6.0 and 7.0
-* Ubuntu 10.04 and 12.04
+###Oracle Linux 5
 
-If you want a new distribution supported feel free to raise a ticket and we'll consider it. If you want an older revision supported we'll also consider it, but don't get insulted if we reject it. Specifically, we will not consider Redhat 4.x support - its just too old.
+The `socket` and `owner` parameters are unsupported on Oracle Linux 5, when the
+"Unbreakable" kernel is used.  If you switch to the stock Redhat 5 kernel these
+work.   In this release it will cause the catalog to fail with iptables
+failures, rather than correct ly warn you that the features are unusable.
 
-If you really want to get support for your OS we suggest writing any patch fix yourself, and for continual system testing if you can provide a sufficient trusted Veewee template we could consider adding such an OS to our ongoing continuous integration tests.
-
-Also, as this is a 0.x release the API is still in flux and may change. Make sure
-you read the release notes before upgrading.
+###Other
 
 Bugs can be reported using Github Issues:
 
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
@@ -1337,56 +1337,54 @@ class { '::firewall': }
     end
   end
 
-  # RHEL5 does not support -m socket
-  if default['platform'] !~ /el-5/
-    describe 'socket' do
-      context 'true' do
-        it 'applies' do
-          pp = <<-EOS
-            class { '::firewall': }
-            firewall { '585 - test':
-              ensure => present,
-              proto => tcp,
-              port   => '585',
-              action => accept,
-              chain  => 'PREROUTING',
-              table  => 'nat',
-              socket => true,
-            }
-          EOS
+  # RHEL5/SLES does not support -m socket
+  describe 'socket', :unless => (default['platform'] =~ /el-5/ or fact('operatingsystem') == 'SLES') do
+    context 'true' do
+      it 'applies' do
+        pp = <<-EOS
+          class { '::firewall': }
+          firewall { '585 - test':
+            ensure => present,
+            proto => tcp,
+            port   => '585',
+            action => accept,
+            chain  => 'PREROUTING',
+            table  => 'nat',
+            socket => true,
+          }
+        EOS
 
-          apply_manifest(pp, :catch_failures => true)
-        end
+        apply_manifest(pp, :catch_failures => true)
+      end
 
-        it 'should contain the rule' do
-          shell('iptables-save -t nat') do |r|
-            expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 585 -m socket -m comment --comment "585 - test" -j ACCEPT/)
-          end
+      it 'should contain the rule' do
+        shell('iptables-save -t nat') do |r|
+          expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 585 -m socket -m comment --comment "585 - test" -j ACCEPT/)
         end
       end
+    end
 
-      context 'false' do
-        it 'applies' do
-          pp = <<-EOS
-            class { '::firewall': }
-            firewall { '586 - test':
-              ensure => present,
-              proto => tcp,
-              port   => '586',
-              action => accept,
-              chain  => 'PREROUTING',
-              table  => 'nat',
-              socket => false,
-            }
-          EOS
+    context 'false' do
+      it 'applies' do
+        pp = <<-EOS
+          class { '::firewall': }
+          firewall { '586 - test':
+            ensure => present,
+            proto => tcp,
+            port   => '586',
+            action => accept,
+            chain  => 'PREROUTING',
+            table  => 'nat',
+            socket => false,
+          }
+        EOS
 
-          apply_manifest(pp, :catch_failures => true)
-        end
+        apply_manifest(pp, :catch_failures => true)
+      end
 
-        it 'should contain the rule' do
-          shell('iptables-save -t nat') do |r|
-            expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 586 -m comment --comment "586 - test" -j ACCEPT/)
-          end
+      it 'should contain the rule' do
+        shell('iptables-save -t nat') do |r|
+          expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 586 -m comment --comment "586 - test" -j ACCEPT/)
         end
       end
     end
diff --git a/spec/acceptance/params_spec.rb b/spec/acceptance/params_spec.rb
@@ -20,7 +20,7 @@ def pp(params)
     pm
   end
 
-  it 'test various params', :unless => default['platform'].match(/el-5/) do
+  it 'test various params', :unless => (default['platform'].match(/el-5/) || fact('operatinsystem') == 'SLES') do
     iptables_flush_all_tables
 
     ppm = pp({
diff --git a/spec/acceptance/socket_spec.rb b/spec/acceptance/socket_spec.rb
@@ -1,98 +1,96 @@
 require 'spec_helper_acceptance'
 
 # RHEL5 does not support -m socket
-if default['platform'] !~ /el-5/
-  describe 'firewall socket property' do
-    before :all do
-      iptables_flush_all_tables
-    end
+describe 'firewall socket property', :unless => (default['platform'] =~ /el-5/ || fact('operatingsystem') == 'SLES') do
+  before :all do
+    iptables_flush_all_tables
+  end
 
-    shared_examples "is idempotent" do |value, line_match|
-      it "changes the value to #{value}" do
-        pp = <<-EOS
-            class { '::firewall': }
-            firewall { '598 - test':
-              ensure => present,
-              proto  => 'tcp',
-              chain  => 'PREROUTING',
-              table  => 'raw',
-              #{value}
-            }
-        EOS
+  shared_examples "is idempotent" do |value, line_match|
+    it "changes the value to #{value}" do
+      pp = <<-EOS
+          class { '::firewall': }
+          firewall { '598 - test':
+            ensure => present,
+            proto  => 'tcp',
+            chain  => 'PREROUTING',
+            table  => 'raw',
+            #{value}
+          }
+      EOS
 
-        apply_manifest(pp, :catch_failures => true)
-        apply_manifest(pp, :catch_changes => true)
+      apply_manifest(pp, :catch_failures => true)
+      apply_manifest(pp, :catch_changes => true)
 
-        shell('iptables-save -t raw') do |r|
-          expect(r.stdout).to match(/#{line_match}/)
-        end
+      shell('iptables-save -t raw') do |r|
+        expect(r.stdout).to match(/#{line_match}/)
       end
     end
-    shared_examples "doesn't change" do |value, line_match|
-      it "doesn't change the value to #{value}" do
-        pp = <<-EOS
-            class { '::firewall': }
-            firewall { '598 - test':
-              ensure => present,
-              proto  => 'tcp',
-              chain  => 'PREROUTING',
-              table  => 'raw',
-              #{value}
-            }
-        EOS
+  end
+  shared_examples "doesn't change" do |value, line_match|
+    it "doesn't change the value to #{value}" do
+      pp = <<-EOS
+          class { '::firewall': }
+          firewall { '598 - test':
+            ensure => present,
+            proto  => 'tcp',
+            chain  => 'PREROUTING',
+            table  => 'raw',
+            #{value}
+          }
+      EOS
 
-        apply_manifest(pp, :catch_changes => true)
+      apply_manifest(pp, :catch_changes => true)
 
-        shell('iptables-save -t raw') do |r|
-          expect(r.stdout).to match(/#{line_match}/)
-        end
+      shell('iptables-save -t raw') do |r|
+        expect(r.stdout).to match(/#{line_match}/)
       end
     end
+  end
 
-    describe 'adding a rule' do
-      context 'when unset' do
-        before :all do
-          iptables_flush_all_tables
-        end
-        it_behaves_like 'is idempotent', '', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
+  describe 'adding a rule' do
+    context 'when unset' do
+      before :all do
+        iptables_flush_all_tables
       end
-      context 'when set to true' do
-        before :all do
-          iptables_flush_all_tables
-        end
-        it_behaves_like 'is idempotent', 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
+      it_behaves_like 'is idempotent', '', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
+    end
+    context 'when set to true' do
+      before :all do
+        iptables_flush_all_tables
       end
-      context 'when set to false' do
-        before :all do
-          iptables_flush_all_tables
-        end
-        it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
+      it_behaves_like 'is idempotent', 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
+    end
+    context 'when set to false' do
+      before :all do
+        iptables_flush_all_tables
       end
+      it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
     end
-    describe 'editing a rule' do
-      context 'when unset or false' do
-        before :each do
-          iptables_flush_all_tables
-          shell('iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"')
-        end
-        context 'and current value is false' do
-          it_behaves_like "doesn't change", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
-        end
-        context 'and current value is true' do
-          it_behaves_like "is idempotent", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
-        end
+  end
+  describe 'editing a rule' do
+    context 'when unset or false' do
+      before :each do
+        iptables_flush_all_tables
+        shell('iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"')
+      end
+      context 'and current value is false' do
+        it_behaves_like "doesn't change", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
+      end
+      context 'and current value is true' do
+        it_behaves_like "is idempotent", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
+      end
+    end
+    context 'when set to true' do
+      before :each do
+        iptables_flush_all_tables
+        shell('iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"')
+      end
+      context 'and current value is false' do
+        it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
       end
-      context 'when set to true' do
-        before :each do
-          iptables_flush_all_tables
-          shell('iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"')
-        end
-        context 'and current value is false' do
-          it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
-        end
-        context 'and current value is true' do
-          it_behaves_like "doesn't change", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
-        end
+      context 'and current value is true' do
+        it_behaves_like "doesn't change", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
       end
     end
   end
