cloud-mu 2.0.1 → 2.0.2
- checksums.yaml +4 -4
- data/Berksfile +2 -1
- data/bin/mu-upload-chef-artifacts +3 -0
- data/cloud-mu.gemspec +2 -2
- data/cookbooks/firewall/CHANGELOG.md +295 -0
- data/cookbooks/firewall/CONTRIBUTING.md +2 -0
- data/cookbooks/firewall/MAINTAINERS.md +19 -0
- data/cookbooks/firewall/README.md +339 -0
- data/cookbooks/firewall/attributes/default.rb +5 -0
- data/cookbooks/firewall/attributes/firewalld.rb +1 -0
- data/cookbooks/firewall/attributes/iptables.rb +17 -0
- data/cookbooks/firewall/attributes/ufw.rb +12 -0
- data/cookbooks/firewall/attributes/windows.rb +8 -0
- data/cookbooks/firewall/libraries/helpers.rb +100 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +116 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +112 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +135 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +130 -0
- data/cookbooks/firewall/libraries/matchers.rb +30 -0
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +179 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +171 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +196 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +196 -0
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +34 -0
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +138 -0
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +126 -0
- data/cookbooks/firewall/libraries/resource_firewall.rb +26 -0
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +52 -0
- data/cookbooks/firewall/metadata.json +1 -0
- data/cookbooks/firewall/recipes/default.rb +80 -0
- data/cookbooks/firewall/recipes/disable_firewall.rb +23 -0
- data/cookbooks/firewall/templates/default/ufw/default.erb +13 -0
- data/cookbooks/mu-firewall/metadata.rb +1 -1
- data/cookbooks/mu-master/recipes/default.rb +3 -1
- data/cookbooks/mu-master/recipes/init.rb +3 -1
- data/cookbooks/mu-master/templates/default/mu.rc.erb +3 -0
- data/cookbooks/mu-tools/recipes/apply_security.rb +2 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +1 -1
- data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
- data/cookbooks/mu-tools/recipes/clamav.rb +1 -1
- data/cookbooks/mu-tools/recipes/cloudinit.rb +1 -1
- data/cookbooks/mu-tools/recipes/disable-requiretty.rb +2 -2
- data/cookbooks/mu-tools/recipes/eks.rb +1 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +1 -1
- data/cookbooks/mu-tools/recipes/rsyslog.rb +2 -2
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +37 -28
- data/environments/dev.json +1 -1
- data/environments/prod.json +1 -1
- data/modules/mu/cleanup.rb +4 -0
- data/modules/mu/clouds/aws/container_cluster.rb +3 -0
- data/modules/mu/clouds/aws/role.rb +14 -2
- data/modules/mu/clouds/aws/userdata/linux.erb +2 -3
- data/modules/mu/clouds/aws.rb +30 -14
- data/modules/mu.rb +4 -0
- metadata +30 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0703ebefd7fa57346e99f8e85e1a663d9b5355ff4ed0fc6f24950a502dc93a25
|
4
|
+
data.tar.gz: 289aea9a9ca2fbb881722066babb163d53bf16ed3b0cd5827a3f229289034779
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: db2ac2b6e630dc7fcf06b91cc4bfd7e3b126c91c50250298b667d66e1c5a715dace2830bae9869ebd6ee251ea2f23d1b1f4d3d61a816a92e4b32e3b708653ef9
|
7
|
+
data.tar.gz: 9ab809e33c1e1ab6299a36272f674964cdaa1c325c55cfdfb4354262e2b9479ab51ea669be7121400408047e254dae47aeecb8abcbe34c61ea41a61a1740032a
|
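Review bot: all four digests (SHA256 and SHA512 for metadata.gz and data.tar.gz) are replaced, which is expected for a rebuilt gem, but the `-` lines in this rendering carry the key names with no values, so the 2.0.1 digests cannot be compared against anything here. Anyone pinning 2.0.2 should verify the fetched .gem's data.tar.gz and metadata.gz against the `+` values above rather than against whatever was recorded for 2.0.1.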
data/Berksfile
CHANGED
data/cloud-mu.gemspec
CHANGED
@@ -17,8 +17,8 @@ end
|
|
17
17
|
|
18
18
|
Gem::Specification.new do |s|
|
19
19
|
s.name = 'cloud-mu'
|
20
|
-
s.version = '2.0.
|
21
|
-
s.date = '2019-
|
20
|
+
s.version = '2.0.2'
|
21
|
+
s.date = '2019-05-06'
|
22
22
|
s.require_paths = ['modules']
|
23
23
|
s.required_ruby_version = '>= 2.4'
|
24
24
|
s.summary = "The eGTLabs Mu toolkit for unified cloud deployments"
|
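Review bot: the `s.version` / `s.date` bump at lines 20-21 is the only release bookkeeping in this patch; the file list shows no cloud-mu changelog or release-notes entry (the only CHANGELOG.md touched is the vendored firewall cookbook's), so the behavioural changes in data/modules/mu/clouds/aws.rb (+30 -14), aws/role.rb (+14 -2) and mu-tools/recipes/set_local_fw.rb (+37 -28) go undocumented for gem users. Suggest adding a 2.0.2 entry that lists them. Note also that the removed lines are truncated in this rendering (`s.version = '2.0.` and `s.date = '2019-`), so the prior values are not confirmable from the diff itself.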
@@ -0,0 +1,295 @@
|
|
1
|
+
firewall Cookbook CHANGELOG
|
2
|
+
=======================
|
3
|
+
This file is used to list changes made in each version of the firewall cookbook.
|
4
|
+
|
5
|
+
## 2.7.0 (2018-12-19)
|
6
|
+
|
7
|
+
- Nominal support for Debian 9 (#202)
|
8
|
+
|
9
|
+
## 2.6.5 (2018-07-24)
|
10
|
+
|
11
|
+
- use platform_family instead of platform to include all rhels
|
12
|
+
|
13
|
+
v2.6.4 (2018-07-01)
|
14
|
+
-------------------
|
15
|
+
* Stop including chef-sugar when it's >= 4.0.0 (#197)
|
16
|
+
|
17
|
+
v2.6.3 (2018-02-01)
|
18
|
+
-------------------
|
19
|
+
* Fix issue with deep merging of hashes and arrays in recent chef release (#185)
|
20
|
+
|
21
|
+
v2.6.2 (2017-06-01)
|
22
|
+
-------------------
|
23
|
+
* Incorrect file checking on Ubuntu, double file write (#173)
|
24
|
+
* Added testing on CentOS 6.9
|
25
|
+
* Clarify metadata that we're not working on Amazon Linux (#172)
|
26
|
+
|
27
|
+
v2.6.1 (2017-04-21)
|
28
|
+
-------------------
|
29
|
+
* Add recipe to disable firewall (#164)
|
30
|
+
|
31
|
+
v2.6.0 (2017-04-17)
|
32
|
+
-------------------
|
33
|
+
* Initial Chef 13.x support (#160, #159)
|
34
|
+
* Allow loopback and icmp, when enabled (#161)
|
35
|
+
* Address various newer rubocop and foodcritic complaints
|
36
|
+
* Convert rule provider away from DSL (#159)
|
37
|
+
|
38
|
+
v2.5.4 (2017-02-13)
|
39
|
+
-------------------
|
40
|
+
* Update Test Kitchen platforms to the latest
|
41
|
+
* Update copyright headers
|
42
|
+
* Allow package options to be passed through to the package install for firewall
|
43
|
+
* Define policy for Windows Firewall and use the attributes to set desired policy
|
44
|
+
|
45
|
+
v2.5.3 (2016-10-26)
|
46
|
+
-------------------
|
47
|
+
* Don't show firewall resource as updated (#133)
|
48
|
+
* Add :off as a valid logging level (#129)
|
49
|
+
* Add support for Ubuntu 16.04 (#149)
|
50
|
+
|
51
|
+
v2.5.2 (2016-06-02)
|
52
|
+
-------------------
|
53
|
+
* Don't issue commands when firewalld isn't active (#140)
|
54
|
+
* Install iptables-services on CentOS >= 7 (#131)
|
55
|
+
* Update Ruby version on Travis for listen gem
|
56
|
+
|
57
|
+
v2.5.1 (2016-05-31)
|
58
|
+
-------------------
|
59
|
+
* Protocol guard incorrectly prevents "none" protocol type on UFW helper (#128)
|
60
|
+
* Fix wrongly ordered conditional for converting ports to strings using port_to_s
|
61
|
+
* Fix notify_firewall attribute crashing firewall_rule provider (#130)
|
62
|
+
* Add warning if firewall rule opens all traffic (#132)
|
63
|
+
* Add ipv6 attribute respect to Ubuntu iptables (#138)
|
64
|
+
|
65
|
+
v2.5.0 (2016-03-08)
|
66
|
+
-------------------
|
67
|
+
* Don't modify parameter for port (#120)
|
68
|
+
* Remove a reference to the wrong variable name under windows (#123)
|
69
|
+
* Add support for mobile shell default firewall rule (#121)
|
70
|
+
* New rubocop rules and style fixes
|
71
|
+
* Correct a README.md example for `action :allow`
|
72
|
+
|
73
|
+
v2.4.0 (2016-01-28)
|
74
|
+
-------------------
|
75
|
+
* Expose default iptables ruleset so that raw rules can be used in conjunction
|
76
|
+
with rulesets for other tables (#101).
|
77
|
+
|
78
|
+
v2.3.1 (2016-01-08)
|
79
|
+
-------------------
|
80
|
+
* Add raw rule support to the ufw firewall provider (#113).
|
81
|
+
|
82
|
+
v2.3.0 (2015-12-23)
|
83
|
+
-------------------
|
84
|
+
* Refactor logic so that firewall rules don't add a string rule to the firewall
|
85
|
+
when their actions run. Just run the action once on the firewall itself. This is
|
86
|
+
designed to prevent partial application of rules (#106)
|
87
|
+
|
88
|
+
* Switch to "enabled" (positive logic) instead of "disabled" (negative logic) on
|
89
|
+
the firewall resource. It was difficult to reason with "disabled false" for some
|
90
|
+
complicated recipes using firewall downstream. `disabled` is now deprecated.
|
91
|
+
|
92
|
+
* Add proper Windows testing and serverspec tests back into this cookbook.
|
93
|
+
|
94
|
+
* Fix the `port_to_s` function so it also works for Windows (#111)
|
95
|
+
|
96
|
+
* Fix typo checking action instead of command in iptables helper (#112)
|
97
|
+
|
98
|
+
* Remove testing ranges of ports on CentOS 5.x, as it's broken there.
|
99
|
+
|
100
|
+
v2.2.0 (2015-11-02)
|
101
|
+
-------------------
|
102
|
+
Added permanent as default option for RHEL 7 based systems using firewall-cmd.
|
103
|
+
This defaults to turned off, but it will be enabled by default on the next major version bump.
|
104
|
+
|
105
|
+
v2.1.0 (2015-10-15)
|
106
|
+
-------------------
|
107
|
+
Minor feature release.
|
108
|
+
* Ensure ICMPv6 is open when `['firewall']['allow_established']` is set to true (the default). ICMPv6 is critical for most IPv6 operations.
|
109
|
+
|
110
|
+
v2.0.5 (2015-10-05)
|
111
|
+
-------------------
|
112
|
+
Minor bugfix release.
|
113
|
+
* Ensure provider filtering always yields 1 and only 1 provider, #97 & #98
|
114
|
+
* Documentation update #96
|
115
|
+
|
116
|
+
v2.0.4 (2015-09-23)
|
117
|
+
-------------------
|
118
|
+
Minor bugfix release.
|
119
|
+
* Allow override of filter chain policies, #94
|
120
|
+
* Fix foodcrtitic and chefspec errors
|
121
|
+
|
122
|
+
v2.0.3 (2015-09-14)
|
123
|
+
-------------------
|
124
|
+
Minor bugfix release.
|
125
|
+
* Fix wrong conditional for firewalld ports, #93
|
126
|
+
* Fix ipv6 command logic under iptables, #91
|
127
|
+
|
128
|
+
v2.0.2 (2015-09-08)
|
129
|
+
-------------------
|
130
|
+
* Release with working CI, Chefspec matchers.
|
131
|
+
|
132
|
+
v2.0.1 (2015-09-01)
|
133
|
+
-------------------
|
134
|
+
* Add default related/established rule for iptables
|
135
|
+
|
136
|
+
v2.0.0 (2015-08-31)
|
137
|
+
-------------------
|
138
|
+
* #84, major rewrite:
|
139
|
+
- Allow relative positioning of rules
|
140
|
+
- Use delayed notifications to create one firewall ruleset instead of incremental changes
|
141
|
+
- Remove poise dependency
|
142
|
+
* #82 - Introduce Windows firewall support and test-kitchen platform.
|
143
|
+
* #73 - Add the option to disable ipv6 commands on iptables
|
144
|
+
* #78 - Use Chef-12 style `provides` to address provider mapping issues
|
145
|
+
* Rubocop and foodcritic cleanup
|
146
|
+
|
147
|
+
v1.6.1 (2015-07-24)
|
148
|
+
-------------------
|
149
|
+
* #80 - Remove an extra space in port range
|
150
|
+
|
151
|
+
v1.6.0 (2015-07-15)
|
152
|
+
-------------------
|
153
|
+
* #68 - Install firewalld when it does not exist
|
154
|
+
* #72 - Fix symbol that was a string, breaking comparisons
|
155
|
+
|
156
|
+
v1.5.2 (2015-07-15)
|
157
|
+
-------------------
|
158
|
+
* #75 - Use correct service in iptables save action, Add serverspec tests for iptables suite
|
159
|
+
|
160
|
+
v1.5.1 (2015-07-13)
|
161
|
+
-------------------
|
162
|
+
* #74 - add :save matcher for Chefspec
|
163
|
+
|
164
|
+
v1.5.0 (2015-07-06)
|
165
|
+
-------------------
|
166
|
+
|
167
|
+
* #70 - Add chef service resource to ensure firewall-related services are enabled/disabled
|
168
|
+
* - Add testing and support for iptables on ubuntu in iptables provider
|
169
|
+
|
170
|
+
v1.4.0 (2015-06-30)
|
171
|
+
-------------------
|
172
|
+
|
173
|
+
* #69 - Support for CentOS/RHEL 5.x
|
174
|
+
|
175
|
+
v1.3.0 (2015-06-09)
|
176
|
+
-------------------
|
177
|
+
* #63 - Add support for protocol numbers
|
178
|
+
|
179
|
+
v1.2.0 (2015-05-28)
|
180
|
+
-------------------
|
181
|
+
* #64 - Support the newer version of poise
|
182
|
+
|
183
|
+
v1.1.2 (2015-05-19)
|
184
|
+
-------------------
|
185
|
+
* #60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively.
|
186
|
+
- Make comment quoting optional; iptables on Ubuntu strips quotes on strings without any spaces
|
187
|
+
|
188
|
+
v1.1.1 (2015-05-11)
|
189
|
+
-------------------
|
190
|
+
* #57 - Suppress warning: already initialized constant XXX while Chefspec
|
191
|
+
|
192
|
+
v1.1.0 (2015-04-27)
|
193
|
+
-------------------
|
194
|
+
* #56 - Better ipv6 support for firewalld and iptables
|
195
|
+
* #54 - Document raw parameter
|
196
|
+
|
197
|
+
v1.0.2 (2015-04-03)
|
198
|
+
-------------------
|
199
|
+
* #52 - Typo in :masquerade action name
|
200
|
+
|
201
|
+
v1.0.1 (2015-03-28)
|
202
|
+
-------------------
|
203
|
+
* #49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands
|
204
|
+
|
205
|
+
v1.0.0 (2015-03-25)
|
206
|
+
-------------------
|
207
|
+
* Major upgrade and rewrite as HWRP using poise
|
208
|
+
* Adds support for iptables and firewalld
|
209
|
+
* Modernize tests and other files
|
210
|
+
* Fix many bugs from ufw defaults to multiport suppot
|
211
|
+
|
212
|
+
v0.11.8 (2014-05-20)
|
213
|
+
--------------------
|
214
|
+
* Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules
|
215
|
+
|
216
|
+
|
217
|
+
v0.11.6 (2014-02-28)
|
218
|
+
--------------------
|
219
|
+
[COOK-4385] - UFW provider is broken
|
220
|
+
|
221
|
+
|
222
|
+
v0.11.4 (2014-02-25)
|
223
|
+
--------------------
|
224
|
+
[COOK-4140] Only notify when a rule is actually added
|
225
|
+
|
226
|
+
|
227
|
+
v0.11.2
|
228
|
+
-------
|
229
|
+
### Bug
|
230
|
+
- **[COOK-3615](https://tickets.opscode.com/browse/COOK-3615)** - Install required UFW package on Debian
|
231
|
+
|
232
|
+
v0.11.0
|
233
|
+
-------
|
234
|
+
### Improvement
|
235
|
+
- [COOK-2932]: ufw providers work on debian but cannot be used
|
236
|
+
|
237
|
+
v0.10.2
|
238
|
+
-------
|
239
|
+
- [COOK-2250] - improve readme
|
240
|
+
|
241
|
+
v0.10.0
|
242
|
+
------
|
243
|
+
- [COOK-1234] - allow multiple ports per rule
|
244
|
+
|
245
|
+
v0.9.2
|
246
|
+
------
|
247
|
+
- [COOK-1615] - Firewall example docs have incorrect direction syntax
|
248
|
+
|
249
|
+
v0.9.0
|
250
|
+
------
|
251
|
+
The default action for firewall LWRP is now :enable, the default action for firewall_rule LWRP is now :reject. This is in line with a "default deny" policy.
|
252
|
+
|
253
|
+
- [COOK-1429] - resolve foodcritic warnings
|
254
|
+
|
255
|
+
v0.8.0
|
256
|
+
------
|
257
|
+
- refactor all resources and providers into LWRPs
|
258
|
+
- removed :reset action from firewall resource (couldn't find a good way to make it idempotent)
|
259
|
+
- removed :logging action from firewall resource...just set desired level via the log_level attribute
|
260
|
+
|
261
|
+
v0.6.0
|
262
|
+
------
|
263
|
+
- [COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute.
|
264
|
+
- Firewall cookbook firewall LWRP needs to support :logging
|
265
|
+
|
266
|
+
v0.5.7
|
267
|
+
------
|
268
|
+
- [COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface
|
269
|
+
- [COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules
|
270
|
+
|
271
|
+
v0.5.6
|
272
|
+
------
|
273
|
+
- [COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port
|
274
|
+
|
275
|
+
v0.5.5
|
276
|
+
------
|
277
|
+
- [COOK-709] fixed :nothing action for the 'firewall_rule' resource.
|
278
|
+
|
279
|
+
v0.5.4
|
280
|
+
------
|
281
|
+
- [COOK-694] added :reject action to the 'firewall_rule' resource.
|
282
|
+
|
283
|
+
v0.5.3
|
284
|
+
------
|
285
|
+
- [COOK-698] added :reset action to the 'firewall' resource.
|
286
|
+
|
287
|
+
v0.5.2
|
288
|
+
------
|
289
|
+
- Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error.
|
290
|
+
thanks to Ernad Husremović for the fix.
|
291
|
+
|
292
|
+
v0.5.0
|
293
|
+
------
|
294
|
+
- [COOK-686] create firewall and firewall_rule resources
|
295
|
+
- [COOK-687] create UFW providers for all resources
|
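Review bot: this hunk adds the upstream firewall cookbook's CHANGELOG verbatim (latest entry 2.7.0, 2018-12-19), and every data/cookbooks/firewall path in the file list is +N -0, so the cookbook appears to be vendored as a snapshot rather than resolved as a dependency; record the pinned upstream version (2.7.0) and its origin in the Berksfile change or the gem's own release notes, since upstream fixes will no longer arrive automatically. Two entries are worth keeping in mind when reviewing the set_local_fw.rb rewrite in this same release: v0.9.0 made `firewall_rule` default to `:reject` (a "default deny" policy), and v2.5.1 (#132) added a warning when a rule opens all traffic.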
@@ -0,0 +1,19 @@
|
|
1
|
+
<!-- This is a generated file. Please do not edit directly -->
|
2
|
+
|
3
|
+
# Maintainers
|
4
|
+
This file lists how this cookbook project is maintained. When making changes to the system, this
|
5
|
+
file tells you who needs to review your patch - you need a simple majority of maintainers
|
6
|
+
for the relevant subsystems to provide a :+1: on your pull request. Additionally, you need
|
7
|
+
to not receive a veto from a Lieutenant or the Project Lead.
|
8
|
+
|
9
|
+
Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
|
10
|
+
for details on the process and how to become a maintainer or the project lead.
|
11
|
+
|
12
|
+
# Project Maintainer
|
13
|
+
* [Martin Smith](https://github.com/martinb3)
|
14
|
+
|
15
|
+
# Maintainers
|
16
|
+
* [Jennifer Davis](https://github.com/sigje)
|
17
|
+
* [Tim Smith](https://github.com/tas50)
|
18
|
+
* [Thom May](https://github.com/thommay)
|
19
|
+
* [Martin Smith](https://github.com/martinb3)
|
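Review bot: line 1 marks this as a generated upstream file, and the maintainers it lists (the community cookbook's) do not review changes to this repository, so vendoring it together with CONTRIBUTING.md under data/cookbooks/firewall can mislead contributors about who approves patches to the copied cookbook. Suggest either dropping these two governance documents from the vendored copy or adding a one-line note at the top of the vendored README.md stating the upstream source and the version that was copied.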