MODULES-1309 - Make package and service names configurable #436

Merged
merged 1 commit into from
Dec 3, 2014
8 changes: 8 additions & 0 deletions README.markdown
Expand Up @@ -311,6 +311,14 @@ Parameter that controls the state of the `iptables` service on your system, allo

`ensure` can either be `running` or `stopped`. Default to `running`.

####`package`

Specify the platform-specific package(s) to install. Defaults defined in `firewall::params`.

####`service`

Specify the platform-specific service(s) to start or stop. Defaults defined in `firewall::params`.

###Type: firewall

This type enables you to manage firewall rules within Puppet.
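Review bot: the two new headings, `package` and `service`, do not match the parameter names the class takes in manifests/init.pp, which are `package_name` and `service_name`, so a user copying the README would pass parameters the class does not have. Rename the headings to the real names, and state that each accepts a string or an array, since the Arch default in `firewall::params` is an array.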
Expand Down
10 changes: 7 additions & 3 deletions manifests/init.pp
Expand Up @@ -12,8 +12,10 @@
# Default: running
#
class firewall (
$ensure = running
) {
$ensure = running,
$service_name = $::firewall::params::service_name,
$package_name = $::firewall::params::package_name,
) inherits ::firewall::params {
case $ensure {
/^(running|stopped)$/: {
# Do nothing.
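Review bot: `$service_name` and `$package_name` are added to the signature of `class firewall`, but no comment lines are added to the parameter block above it, and unlike `$ensure` (checked by the `case` that follows) neither new value is validated. Document both parameters in the header and reject anything that is not a string or an array of strings, so a bad override fails at compile time and not at apply time on the node.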
Expand All @@ -26,7 +28,9 @@
case $::kernel {
'Linux': {
class { "${title}::linux":
ensure => $ensure,
ensure => $ensure,
service_name => $service_name,
package_name => $package_name,
}
}
default: {
Expand Down
30 changes: 19 additions & 11 deletions manifests/linux.pp
Expand Up @@ -12,8 +12,10 @@
# Default: running
#
class firewall::linux (
$ensure = running
) {
$ensure = running,
$service_name = $::firewall::params::service_name,
$package_name = $::firewall::params::package_name,
) inherits ::firewall::params {
$enable = $ensure ? {
running => true,
stopped => false,
Expand All @@ -27,23 +29,29 @@
'RedHat', 'CentOS', 'Fedora', 'Scientific', 'SL', 'SLC', 'Ascendos',
'CloudLinux', 'PSBM', 'OracleLinux', 'OVS', 'OEL', 'Amazon', 'XenServer': {
class { "${title}::redhat":
ensure => $ensure,
enable => $enable,
require => Package['iptables'],
ensure => $ensure,
enable => $enable,
package_name => $package_name,
service_name => $service_name,
require => Package['iptables'],
}
}
'Debian', 'Ubuntu': {
class { "${title}::debian":
ensure => $ensure,
enable => $enable,
require => Package['iptables'],
ensure => $ensure,
enable => $enable,
package_name => $package_name,
service_name => $service_name,
require => Package['iptables'],
}
}
'Archlinux': {
class { "${title}::archlinux":
ensure => $ensure,
enable => $enable,
require => Package['iptables'],
ensure => $ensure,
enable => $enable,
package_name => $package_name,
service_name => $service_name,
require => Package['iptables'],
}
}
default: {}
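Review bot: `default: {}` at the end of this case still declares nothing, so on any operatingsystem not listed the forwarded `package_name` and `service_name` are accepted and then ignored, even though `firewall::params` supplies a default `service_name` of `iptables`. Either declare a generic service there or emit a warning. Separately, `require => Package['iptables']` remains a literal in all three declarations; if it is meant to be a different package from `$package_name`, a comment saying so would help.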
Expand Down
22 changes: 12 additions & 10 deletions manifests/linux/archlinux.pp
Expand Up @@ -14,28 +14,30 @@
# Default: true
#
class firewall::linux::archlinux (
$ensure = 'running',
$enable = true
) {
service { 'iptables':
ensure => $ensure,
enable => $enable,
hasstatus => true,
$ensure = 'running',
$enable = true,
$service_name = $::firewall::params::service_name,
$package_name = $::firewall::params::package_name,
) inherits ::firewall::params {
if $package_name {
package { $package_name:
ensure => $ensure,
}
}

service { 'ip6tables':
service { $service_name:
ensure => $ensure,
enable => $enable,
hasstatus => true,
}

file { '/etc/iptables/iptables.rules':
ensure => present,
before => Service['iptables'],
before => Service[$service_name],
}

file { '/etc/iptables/ip6tables.rules':
ensure => present,
before => Service['ip6tables'],
before => Service[$service_name],
}
}
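Review bot: in the new `package { $package_name: ensure => $ensure }` block, `$ensure` is the service state (`running` or `stopped`), not a package state; the debian and redhat classes use `ensure => present` for the same resource. Use `present` here. The block is skipped with the default `package_name = undef`, so the problem only appears when someone sets the parameter, which is the case this change exists for.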
23 changes: 14 additions & 9 deletions manifests/linux/debian.pp
Expand Up @@ -14,31 +14,36 @@
# Default: true
#
class firewall::linux::debian (
$ensure = running,
$enable = true
) {
package { 'iptables-persistent':
ensure => present,
$ensure = running,
$enable = true,
$service_name = $::firewall::params::service_name,
$package_name = $::firewall::params::package_name,
) inherits ::firewall::params {

if $package_name {
package { $package_name:
ensure => present,
}
}

if($::operatingsystemrelease =~ /^6\./ and $enable == true
and versioncmp($::iptables_persistent_version, '0.5.0') < 0 ) {
and versioncmp($::iptables_persistent_version, '0.5.0') < 0 and ! $service_name) {
# This fixes a bug in the iptables-persistent LSB headers in 6.x, without it
# we lose idempotency
exec { 'iptables-persistent-enable':
logoutput => on_failure,
command => '/usr/sbin/update-rc.d iptables-persistent enable',
unless => '/usr/bin/test -f /etc/rcS.d/S*iptables-persistent',
require => Package['iptables-persistent'],
require => Package[$package_name],
}
} else {
# This isn't a real service/daemon. The start action loads rules, so just
# needs to be called on system boot.
service { 'iptables-persistent':
service { $service_name:
ensure => undef,
enable => $enable,
hasstatus => true,
require => Package['iptables-persistent'],
require => Package[$package_name],
}
}
}
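Review bot: the `else` branch declares `service { $service_name:` without checking that the value is set. On Debian 6 with iptables-persistent older than 0.5.0, `firewall::params` sets `$service_name = undef`, and with `enable => false` the `if` condition is false, so the else branch runs with an undefined title. Guard the service with `if $service_name`, and decide between exec and service on the OS facts alone, not on `! $service_name`, so that an explicit override cannot flip the choice. `require => Package[$package_name]` has the same problem when `package_name` is overridden to an empty value, because the package itself is declared only inside `if $package_name`.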
34 changes: 19 additions & 15 deletions manifests/linux/redhat.pp
Expand Up @@ -13,38 +13,42 @@
# Default: true
#
class firewall::linux::redhat (
$ensure = running,
$enable = true
) {
$ensure = running,
$enable = true,
$service_name = $::firewall::params::service_name,
$package_name = $::firewall::params::package_name,
) inherits ::firewall::params {

# RHEL 7 and later and Fedora 15 and later require the iptables-services
# package, which provides the /usr/libexec/iptables/iptables.init used by
# lib/puppet/util/firewall.rb.
if ($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
service { "firewalld":
if ($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
service { 'firewalld':
ensure => stopped,
enable => false,
before => Package['iptables-services']
before => Package[$package_name],
}
}

package { 'iptables-services':
ensure => present,
before => Service['iptables'],
if $package_name {
package { $package_name:
ensure => present,
before => Service[$service_name],
}
}

service { 'iptables':
service { $service_name:
ensure => $ensure,
enable => $enable,
hasstatus => true,
require => File['/etc/sysconfig/iptables'],
}

file { '/etc/sysconfig/iptables':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
}
}
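Review bot: `before => Package[$package_name]` on the `firewalld` service sits outside the `if $package_name` guard added a few lines below it, so on RHEL 7+ or Fedora 15+ an override of `package_name` to an empty value makes the catalog reference a package that is never declared. Move the ordering inside the guard or express it from the package side. The version test here also repeats the one in `firewall::params`; deriving both from one value would keep them from drifting apart.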
44 changes: 44 additions & 0 deletions manifests/params.pp
@@ -0,0 +1,44 @@
class firewall::params {
case $::osfamily {
'RedHat': {
case $::operatingsystem {
'Archlinux': {
$service_name = ['iptables','ip6tables']
$package_name = undef
}
'Fedora': {
if versioncmp($::operatingsystemrelease, '15') >= 0 {
$package_name = 'iptables-services'
} else {
$package_name = undef
}
$service_name = 'iptables'
}
default: {
if versioncmp($::operatingsystemrelease, '7.0') >= 0 {
$package_name = 'iptables-services'
} else {
$package_name = undef
}
$service_name = 'iptables'
}
}
}
'Debian': {
if $::operatingsystemrelease =~ /^6\./ and versioncmp($::iptables_persistent_version, '0.5.0') < 0 {
$service_name = undef
$package_name = 'iptables-persistent'
} elsif $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8.0') >= 0 {
$service_name = 'netfilter-persistent'
$package_name = 'netfilter-persistent'
} else {
$service_name = 'iptables-persistent'
$package_name = 'iptables-persistent'
}
}
default: {
$package_name = undef
$service_name = 'iptables'
}
}
}
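Review bot: `'Archlinux'` is matched only inside the `'RedHat'` osfamily branch, so an Arch host whose `osfamily` fact is anything other than `RedHat` falls through to `default` and gets `$service_name = 'iptables'`, silently dropping the `ip6tables` service that the old archlinux class managed. Select on `$::operatingsystem` for Arch before the osfamily switch. In the Debian branch, `versioncmp($::operatingsystemrelease, '8.0')` is also applied to codename strings such as `jessie/sid` (as the spec does), which depends on how versioncmp orders non-numeric text; an explicit match on the codename would be clearer.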
6 changes: 6 additions & 0 deletions spec/unit/classes/firewall_linux_archlinux_spec.rb
@@ -1,6 +1,12 @@
require 'spec_helper'

describe 'firewall::linux::archlinux', :type => :class do
let(:facts) do
{
:osfamily => 'RedHat',
:operatingsystem => 'Archlinux'
}
end
it { should contain_service('iptables').with(
:ensure => 'running',
:enable => 'true'
Expand Down
86 changes: 77 additions & 9 deletions spec/unit/classes/firewall_linux_debian_spec.rb
@@ -1,19 +1,87 @@
require 'spec_helper'

describe 'firewall::linux::debian', :type => :class do
it { should contain_package('iptables-persistent').with(
:ensure => 'present'
)}
it { should contain_service('iptables-persistent').with(
:ensure => nil,
:enable => 'true',
:require => 'Package[iptables-persistent]'
)}
context "Debian 7" do
let(:facts) {{
:osfamily => 'Debian',
:operatingsystem => 'Debian',
:operatingsystemrelease => '7.0'
}}
it { should contain_package('iptables-persistent').with(
:ensure => 'present'
)}
it { should contain_service('iptables-persistent').with(
:ensure => nil,
:enable => 'true',
:require => 'Package[iptables-persistent]'
)}
end

context 'enable => false' do
context 'deb7 enable => false' do
let(:facts) {{
:osfamily => 'Debian',
:operatingsystem => 'Debian',
:operatingsystemrelease => '7.0'
}}
let(:params) {{ :enable => 'false' }}
it { should contain_service('iptables-persistent').with(
:enable => 'false'
)}
end

context "Debian 8" do
let(:facts) {{
:osfamily => 'Debian',
:operatingsystem => 'Debian',
:operatingsystemrelease => 'jessie/sid'
}}
it { should contain_package('netfilter-persistent').with(
:ensure => 'present'
)}
it { should contain_service('netfilter-persistent').with(
:ensure => nil,
:enable => 'true',
:require => 'Package[netfilter-persistent]'
)}
end

context 'deb8 enable => false' do
Contributor

Need an additional and similar test case for:

context 'jessie/sid'
let(:facts) {{
    :operatingsystemrelease => 'jessie/testing',
    etc., . . . 
}}

Also, not seeing this in complete context, but would it make sense to also test this for enable => true as well?

Contributor Author

enable defaults to true so we don't need a separate case for that.

Test case for jessie/sid added below

let(:facts) {{
:osfamily => 'Debian',
:operatingsystem => 'Debian',
:operatingsystemrelease => 'jessie/sid'
}}
let(:params) {{ :enable => 'false' }}
it { should contain_service('netfilter-persistent').with(
:enable => 'false'
)}
end

context "Debian 8, alt operatingsystem" do
let(:facts) {{
:osfamily => 'Debian',
:operatingsystem => 'Debian',
:operatingsystemrelease => '8.0'
}}
it { should contain_package('netfilter-persistent').with(
:ensure => 'present'
)}
it { should contain_service('netfilter-persistent').with(
:ensure => nil,
:enable => 'true',
:require => 'Package[netfilter-persistent]'
)}
end

context 'deb8, alt operatingsystem, enable => false' do
let(:facts) {{
:osfamily => 'Debian',
:operatingsystem => 'Debian',
:operatingsystemrelease => '8.0'
}}
let(:params) {{ :enable => 'false' }}
it { should contain_service('netfilter-persistent').with(
:enable => 'false'
)}
end
end
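Review bot: every context in this file exercises the defaults from `firewall::params`; none passes `:service_name` or `:package_name` in `params`, so the override path this change introduces is untested. Add a context that sets both and asserts on the resulting package and service titles, plus one for Debian 6 with `iptables_persistent_version` below 0.5.0, where `service_name` is undef.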