cloud-mu 3.6.10 → 3.6.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Berksfile +2 -3
- data/Berksfile.lock +11 -14
- data/bin/mu-aws-setup +16 -4
- data/bin/mu-configure +2 -1
- data/cloud-mu.gemspec +3 -3
- data/cookbooks/mu-firewall/Berksfile +1 -1
- data/cookbooks/mu-firewall/attributes/default.rb +2 -2
- data/cookbooks/mu-firewall/metadata.rb +3 -3
- data/cookbooks/mu-firewall/recipes/default.rb +11 -2
- data/cookbooks/mu-master/Berksfile +1 -1
- data/cookbooks/mu-master/attributes/default.rb +14 -1
- data/cookbooks/mu-master/files/default/389ds-perl/ASDialogs.pm +173 -0
- data/cookbooks/mu-master/files/default/389ds-perl/AdminMigration.pm +569 -0
- data/cookbooks/mu-master/files/default/389ds-perl/AdminServer.pm +952 -0
- data/cookbooks/mu-master/files/default/389ds-perl/AdminUtil.pm +983 -0
- data/cookbooks/mu-master/files/default/389ds-perl/ConfigDSDialogs.pm +449 -0
- data/cookbooks/mu-master/files/default/389ds-perl/DSCreate.pm +1551 -0
- data/cookbooks/mu-master/files/default/389ds-perl/DSDialogs.pm +233 -0
- data/cookbooks/mu-master/files/default/389ds-perl/DSMigration.pm +1175 -0
- data/cookbooks/mu-master/files/default/389ds-perl/DSUpdate.pm +534 -0
- data/cookbooks/mu-master/files/default/389ds-perl/DSUpdateDialogs.pm +152 -0
- data/cookbooks/mu-master/files/default/389ds-perl/DSUtil.pm +1710 -0
- data/cookbooks/mu-master/files/default/389ds-perl/Dialog.pm +249 -0
- data/cookbooks/mu-master/files/default/389ds-perl/DialogManager.pm +212 -0
- data/cookbooks/mu-master/files/default/389ds-perl/FileConn.pm +461 -0
- data/cookbooks/mu-master/files/default/389ds-perl/Inf.pm +268 -0
- data/cookbooks/mu-master/files/default/389ds-perl/Migration.pm +327 -0
- data/cookbooks/mu-master/files/default/389ds-perl/RegDSDialogs.pm +94 -0
- data/cookbooks/mu-master/files/default/389ds-perl/Resource.pm +137 -0
- data/cookbooks/mu-master/files/default/389ds-perl/Setup.pm +240 -0
- data/cookbooks/mu-master/files/default/389ds-perl/SetupDialogs.pm +243 -0
- data/cookbooks/mu-master/files/default/389ds-perl/SetupLog.pm +82 -0
- data/cookbooks/mu-master/files/default/setCertName.ldif +4 -0
- data/cookbooks/mu-master/libraries/mu.rb +2 -2
- data/cookbooks/mu-master/metadata.rb +1 -1
- data/cookbooks/mu-master/recipes/389ds.rb +71 -32
- data/cookbooks/mu-master/recipes/basepackages.rb +5 -0
- data/cookbooks/mu-master/recipes/default.rb +16 -5
- data/cookbooks/mu-master/recipes/init.rb +36 -3
- data/cookbooks/mu-master/recipes/ssl-certs.rb +6 -0
- data/cookbooks/mu-master/recipes/sssd.rb +85 -62
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +7 -1
- data/cookbooks/mu-master/templates/default/389-directory-setup.inf.erb +11 -26
- data/cookbooks/mu-master/templates/default/sssd.conf.erb +18 -8
- data/cookbooks/mu-tools/files/default/Mu_CA.pem +33 -0
- data/cookbooks/mu-tools/metadata.rb +0 -1
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +7 -1
- data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +5 -1
- data/cookbooks/nagios/CHANGELOG.md +679 -0
- data/cookbooks/nagios/LICENSE +201 -0
- data/cookbooks/nagios/README.md +340 -0
- data/cookbooks/nagios/attributes/config.rb +163 -0
- data/cookbooks/nagios/attributes/default.rb +204 -0
- data/cookbooks/nagios/libraries/base.rb +311 -0
- data/cookbooks/nagios/libraries/command.rb +68 -0
- data/cookbooks/nagios/libraries/contact.rb +229 -0
- data/cookbooks/nagios/libraries/contactgroup.rb +111 -0
- data/cookbooks/{firewall/recipes/disable_firewall.rb → nagios/libraries/custom_option.rb} +20 -7
- data/cookbooks/nagios/libraries/data_bag_helper.rb +23 -0
- data/cookbooks/nagios/libraries/default.rb +90 -0
- data/cookbooks/nagios/libraries/helpers.rb +229 -0
- data/cookbooks/nagios/libraries/host.rb +410 -0
- data/cookbooks/nagios/libraries/hostdependency.rb +178 -0
- data/cookbooks/nagios/libraries/hostescalation.rb +170 -0
- data/cookbooks/nagios/libraries/hostgroup.rb +117 -0
- data/cookbooks/nagios/libraries/nagios.rb +277 -0
- data/cookbooks/nagios/libraries/resource.rb +59 -0
- data/cookbooks/nagios/libraries/service.rb +449 -0
- data/cookbooks/nagios/libraries/servicedependency.rb +213 -0
- data/cookbooks/nagios/libraries/serviceescalation.rb +193 -0
- data/cookbooks/nagios/libraries/servicegroup.rb +142 -0
- data/cookbooks/nagios/libraries/timeperiod.rb +159 -0
- data/cookbooks/nagios/libraries/users_helper.rb +54 -0
- data/cookbooks/nagios/metadata.json +44 -0
- data/cookbooks/nagios/metadata.rb +22 -0
- data/cookbooks/nagios/recipes/_load_databag_config.rb +153 -0
- data/cookbooks/nagios/recipes/_load_default_config.rb +241 -0
- data/cookbooks/nagios/recipes/apache.rb +114 -0
- data/cookbooks/nagios/recipes/default.rb +41 -0
- data/cookbooks/nagios/recipes/nginx.rb +114 -0
- data/cookbooks/nagios/recipes/pagerduty.rb +95 -0
- data/cookbooks/nagios/recipes/server.rb +182 -0
- data/cookbooks/nagios/recipes/server_package.rb +85 -0
- data/cookbooks/nagios/recipes/server_source.rb +137 -0
- data/cookbooks/nagios/resources/command.rb +34 -0
- data/cookbooks/nagios/resources/conf.rb +52 -0
- data/cookbooks/nagios/resources/contact.rb +34 -0
- data/cookbooks/nagios/resources/contactgroup.rb +35 -0
- data/cookbooks/nagios/resources/host.rb +35 -0
- data/cookbooks/nagios/resources/hostdependency.rb +35 -0
- data/cookbooks/nagios/resources/hostescalation.rb +36 -0
- data/cookbooks/nagios/resources/hostgroup.rb +35 -0
- data/cookbooks/nagios/resources/resource.rb +34 -0
- data/cookbooks/nagios/resources/service.rb +35 -0
- data/cookbooks/nagios/resources/servicedependency.rb +35 -0
- data/cookbooks/nagios/resources/serviceescalation.rb +35 -0
- data/cookbooks/nagios/resources/servicegroup.rb +35 -0
- data/cookbooks/nagios/resources/timeperiod.rb +35 -0
- data/cookbooks/nagios/templates/apache2.conf.erb +102 -0
- data/cookbooks/nagios/templates/cgi.cfg.erb +266 -0
- data/cookbooks/nagios/templates/commands.cfg.erb +13 -0
- data/cookbooks/nagios/templates/contacts.cfg.erb +37 -0
- data/cookbooks/nagios/templates/hostgroups.cfg.erb +25 -0
- data/cookbooks/nagios/templates/hosts.cfg.erb +15 -0
- data/cookbooks/nagios/templates/htpasswd.users.erb +6 -0
- data/cookbooks/nagios/templates/nagios.cfg.erb +22 -0
- data/cookbooks/nagios/templates/nginx.conf.erb +80 -0
- data/cookbooks/nagios/templates/pagerduty.cgi.erb +185 -0
- data/cookbooks/nagios/templates/resource.cfg.erb +27 -0
- data/cookbooks/nagios/templates/servicedependencies.cfg.erb +15 -0
- data/cookbooks/nagios/templates/servicegroups.cfg.erb +14 -0
- data/cookbooks/nagios/templates/services.cfg.erb +14 -0
- data/cookbooks/nagios/templates/spawn-fcgi.erb +10 -0
- data/cookbooks/nagios/templates/templates.cfg.erb +31 -0
- data/cookbooks/nagios/templates/timeperiods.cfg.erb +13 -0
- data/extras/platform_berksfile_base +3 -3
- data/extras/python_rpm/build.sh +4 -4
- data/extras/python_rpm/muthon.spec +2 -4
- data/extras/vault_tools/export_vaults.sh +11 -1
- data/install/installer +1 -1
- data/modules/mu/kittens.rb +27523 -0
- data/modules/mu/master/ldap.rb +48 -31
- data/modules/mu/master.rb +69 -0
- data/modules/mu/mu.yaml.rb +351 -0
- data/modules/mu/providers/aws/firewall_rule.rb +3 -1
- data/modules/mu/providers/aws.rb +11 -5
- data/modules/mu.rb +5 -4
- metadata +99 -68
- data/cookbooks/firewall/CHANGELOG.md +0 -488
- data/cookbooks/firewall/LICENSE +0 -202
- data/cookbooks/firewall/README.md +0 -366
- data/cookbooks/firewall/TODO.md +0 -6
- data/cookbooks/firewall/attributes/default.rb +0 -5
- data/cookbooks/firewall/attributes/firewalld.rb +0 -8
- data/cookbooks/firewall/attributes/iptables.rb +0 -17
- data/cookbooks/firewall/attributes/ufw.rb +0 -12
- data/cookbooks/firewall/attributes/windows.rb +0 -8
- data/cookbooks/firewall/libraries/helpers.rb +0 -105
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +0 -116
- data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +0 -72
- data/cookbooks/firewall/libraries/helpers_iptables.rb +0 -112
- data/cookbooks/firewall/libraries/helpers_nftables.rb +0 -170
- data/cookbooks/firewall/libraries/helpers_ufw.rb +0 -142
- data/cookbooks/firewall/libraries/helpers_windows.rb +0 -129
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +0 -179
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +0 -171
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +0 -200
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +0 -200
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +0 -34
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +0 -138
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +0 -126
- data/cookbooks/firewall/libraries/resource_firewall.rb +0 -26
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +0 -52
- data/cookbooks/firewall/metadata.json +0 -40
- data/cookbooks/firewall/metadata.rb +0 -15
- data/cookbooks/firewall/recipes/default.rb +0 -76
- data/cookbooks/firewall/recipes/firewalld.rb +0 -87
- data/cookbooks/firewall/resources/firewalld.rb +0 -28
- data/cookbooks/firewall/resources/firewalld_config.rb +0 -39
- data/cookbooks/firewall/resources/firewalld_helpers.rb +0 -106
- data/cookbooks/firewall/resources/firewalld_icmptype.rb +0 -88
- data/cookbooks/firewall/resources/firewalld_ipset.rb +0 -104
- data/cookbooks/firewall/resources/firewalld_policy.rb +0 -115
- data/cookbooks/firewall/resources/firewalld_service.rb +0 -98
- data/cookbooks/firewall/resources/firewalld_zone.rb +0 -118
- data/cookbooks/firewall/resources/nftables.rb +0 -71
- data/cookbooks/firewall/resources/nftables_rule.rb +0 -113
- data/cookbooks/firewall/templates/default/ufw/default.erb +0 -13
- /data/cookbooks/{firewall → nagios}/chefignore +0 -0
- /data/cookbooks/{firewall → nagios}/renovate.json +0 -0
|
@@ -1,179 +0,0 @@
|
|
|
1
|
-
#
|
|
2
|
-
# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
|
|
3
|
-
# Cookbook:: firewall
|
|
4
|
-
# Resource:: default
|
|
5
|
-
#
|
|
6
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
7
|
-
# you may not use this file except in compliance with the License.
|
|
8
|
-
# You may obtain a copy of the License at
|
|
9
|
-
#
|
|
10
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
|
11
|
-
#
|
|
12
|
-
# Unless required by applicable law or agreed to in writing, software
|
|
13
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
14
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
15
|
-
# See the License for the specific language governing permissions and
|
|
16
|
-
# limitations under the License.
|
|
17
|
-
#
|
|
18
|
-
class Chef
|
|
19
|
-
class Provider::FirewallFirewalld < Chef::Provider::LWRPBase
|
|
20
|
-
include FirewallCookbook::Helpers::Firewalld
|
|
21
|
-
|
|
22
|
-
provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
|
|
23
|
-
(node['platform_version'].to_i >= 7 && !node['firewall']['redhat7_iptables']) || (amazon_linux? && !node['firewall']['redhat7_iptables'])
|
|
24
|
-
end
|
|
25
|
-
|
|
26
|
-
def whyrun_supported?
|
|
27
|
-
false
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
action :install do
|
|
31
|
-
return if disabled?(new_resource)
|
|
32
|
-
|
|
33
|
-
firewalld_package = package 'firewalld' do
|
|
34
|
-
action :nothing
|
|
35
|
-
options new_resource.package_options
|
|
36
|
-
end
|
|
37
|
-
firewalld_package.run_action(:install)
|
|
38
|
-
new_resource.updated_by_last_action(firewalld_package.updated_by_last_action?)
|
|
39
|
-
|
|
40
|
-
unless ::File.exist?(firewalld_rules_filename)
|
|
41
|
-
rules_file = lookup_or_create_rulesfile
|
|
42
|
-
rules_file.content '# created by chef to allow service to start'
|
|
43
|
-
rules_file.run_action(:create)
|
|
44
|
-
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
|
|
45
|
-
end
|
|
46
|
-
|
|
47
|
-
firewalld_service = lookup_or_create_service
|
|
48
|
-
[:enable, :start].each do |a|
|
|
49
|
-
firewalld_service.run_action(a)
|
|
50
|
-
new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?)
|
|
51
|
-
end
|
|
52
|
-
end
|
|
53
|
-
|
|
54
|
-
action :restart do
|
|
55
|
-
return if disabled?(new_resource)
|
|
56
|
-
|
|
57
|
-
# ensure it's initialized
|
|
58
|
-
new_resource.rules({}) unless new_resource.rules
|
|
59
|
-
new_resource.rules['firewalld'] = {} unless new_resource.rules['firewalld']
|
|
60
|
-
|
|
61
|
-
# this populates the hash of rules from firewall_rule resources
|
|
62
|
-
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
|
63
|
-
firewall_rules.each do |firewall_rule|
|
|
64
|
-
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
|
65
|
-
|
|
66
|
-
ip_versions(firewall_rule).each do |ip_version|
|
|
67
|
-
# build rules to apply with weight
|
|
68
|
-
k = "firewall-cmd --zone=#{firewall_rule.zone} --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
|
|
69
|
-
v = firewall_rule.position
|
|
70
|
-
|
|
71
|
-
# unless we're adding them for the first time.... bail out.
|
|
72
|
-
next if new_resource.rules['firewalld'].key?(k) && new_resource.rules['firewalld'][k] == v
|
|
73
|
-
new_resource.rules['firewalld'][k] = v
|
|
74
|
-
|
|
75
|
-
# If persistent rules is enabled (default) make sure we add a permanent rule at the same time
|
|
76
|
-
perm_rules = node && node['firewall'] && node['firewall']['firewalld'] && node['firewall']['firewalld']['permanent']
|
|
77
|
-
if firewall_rule.permanent || perm_rules
|
|
78
|
-
k = "firewall-cmd --zone=#{firewall_rule.zone} --permanent --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
|
|
79
|
-
new_resource.rules['firewalld'][k] = v
|
|
80
|
-
end
|
|
81
|
-
end
|
|
82
|
-
end
|
|
83
|
-
|
|
84
|
-
# ensure a file resource exists with the current firewalld rules
|
|
85
|
-
rules_file = lookup_or_create_rulesfile
|
|
86
|
-
rules_file.content build_rule_file(new_resource.rules['firewalld'])
|
|
87
|
-
rules_file.run_action(:create)
|
|
88
|
-
|
|
89
|
-
# ensure the service is running without waiting.
|
|
90
|
-
firewalld_service = lookup_or_create_service
|
|
91
|
-
[:enable, :start].each do |a|
|
|
92
|
-
firewalld_service.run_action(a)
|
|
93
|
-
new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?)
|
|
94
|
-
end
|
|
95
|
-
|
|
96
|
-
# mark updated if we changed the zone
|
|
97
|
-
unless firewalld_default_zone?(new_resource.enabled_zone)
|
|
98
|
-
firewalld_default_zone!(new_resource.enabled_zone)
|
|
99
|
-
new_resource.updated_by_last_action(true)
|
|
100
|
-
end
|
|
101
|
-
|
|
102
|
-
# if the file was changed, load new ruleset
|
|
103
|
-
return unless rules_file.updated_by_last_action?
|
|
104
|
-
firewalld_flush!
|
|
105
|
-
# TODO: support logging
|
|
106
|
-
|
|
107
|
-
new_resource.rules['firewalld'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
|
|
108
|
-
firewalld_rule!(cmd)
|
|
109
|
-
end
|
|
110
|
-
|
|
111
|
-
new_resource.updated_by_last_action(true)
|
|
112
|
-
end
|
|
113
|
-
|
|
114
|
-
action :disable do
|
|
115
|
-
return if disabled?(new_resource)
|
|
116
|
-
|
|
117
|
-
if firewalld_active?
|
|
118
|
-
firewalld_flush!
|
|
119
|
-
firewalld_default_zone!(new_resource.disabled_zone)
|
|
120
|
-
new_resource.updated_by_last_action(true)
|
|
121
|
-
end
|
|
122
|
-
|
|
123
|
-
# ensure the service is stopped without waiting.
|
|
124
|
-
firewalld_service = lookup_or_create_service
|
|
125
|
-
[:disable, :stop].each do |a|
|
|
126
|
-
firewalld_service.run_action(a)
|
|
127
|
-
new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?)
|
|
128
|
-
end
|
|
129
|
-
|
|
130
|
-
rules_file = lookup_or_create_rulesfile
|
|
131
|
-
rules_file.content '# created by chef to allow service to start'
|
|
132
|
-
rules_file.run_action(:create)
|
|
133
|
-
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
|
|
134
|
-
end
|
|
135
|
-
|
|
136
|
-
action :flush do
|
|
137
|
-
return if disabled?(new_resource)
|
|
138
|
-
return unless firewalld_active?
|
|
139
|
-
|
|
140
|
-
firewalld_flush!
|
|
141
|
-
new_resource.updated_by_last_action(true)
|
|
142
|
-
|
|
143
|
-
rules_file = lookup_or_create_rulesfile
|
|
144
|
-
rules_file.content '# created by chef to allow service to start'
|
|
145
|
-
rules_file.run_action(:create)
|
|
146
|
-
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
|
|
147
|
-
end
|
|
148
|
-
|
|
149
|
-
action :save do
|
|
150
|
-
return if disabled?(new_resource)
|
|
151
|
-
return if firewalld_all_rules_permanent!
|
|
152
|
-
|
|
153
|
-
firewalld_save!
|
|
154
|
-
new_resource.updated_by_last_action(true)
|
|
155
|
-
end
|
|
156
|
-
|
|
157
|
-
def lookup_or_create_service
|
|
158
|
-
begin
|
|
159
|
-
firewalld_service = Chef.run_context.resource_collection.find(service: 'firewalld')
|
|
160
|
-
rescue
|
|
161
|
-
firewalld_service = service 'firewalld' do
|
|
162
|
-
action :nothing
|
|
163
|
-
end
|
|
164
|
-
end
|
|
165
|
-
firewalld_service
|
|
166
|
-
end
|
|
167
|
-
|
|
168
|
-
def lookup_or_create_rulesfile
|
|
169
|
-
begin
|
|
170
|
-
firewalld_file = Chef.run_context.resource_collection.find(file: firewalld_rules_filename)
|
|
171
|
-
rescue
|
|
172
|
-
firewalld_file = file firewalld_rules_filename do
|
|
173
|
-
action :nothing
|
|
174
|
-
end
|
|
175
|
-
end
|
|
176
|
-
firewalld_file
|
|
177
|
-
end
|
|
178
|
-
end
|
|
179
|
-
end
|
|
@@ -1,171 +0,0 @@
|
|
|
1
|
-
#
|
|
2
|
-
# Author:: Seth Chisamore (<schisamo@opscode.com>)
|
|
3
|
-
# Cookbook:: firewall
|
|
4
|
-
# Resource:: default
|
|
5
|
-
#
|
|
6
|
-
# Copyright:: 2011-2019, Chef Software, Inc.
|
|
7
|
-
#
|
|
8
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
9
|
-
# you may not use this file except in compliance with the License.
|
|
10
|
-
# You may obtain a copy of the License at
|
|
11
|
-
#
|
|
12
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
|
13
|
-
#
|
|
14
|
-
# Unless required by applicable law or agreed to in writing, software
|
|
15
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
16
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
17
|
-
# See the License for the specific language governing permissions and
|
|
18
|
-
# limitations under the License.
|
|
19
|
-
#
|
|
20
|
-
class Chef
|
|
21
|
-
class Provider::FirewallIptables < Chef::Provider::LWRPBase
|
|
22
|
-
include FirewallCookbook::Helpers
|
|
23
|
-
include FirewallCookbook::Helpers::Iptables
|
|
24
|
-
|
|
25
|
-
provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
|
|
26
|
-
(node['platform_version'].to_i < 7 && !amazon_linux?) || node['platform_version'].to_i >= 8 || node['firewall']['redhat7_iptables']
|
|
27
|
-
end
|
|
28
|
-
|
|
29
|
-
def whyrun_supported?
|
|
30
|
-
false
|
|
31
|
-
end
|
|
32
|
-
|
|
33
|
-
action :install do
|
|
34
|
-
return if disabled?(new_resource)
|
|
35
|
-
|
|
36
|
-
# Ensure the package is installed
|
|
37
|
-
iptables_packages(new_resource).each do |p|
|
|
38
|
-
iptables_pkg = package p do
|
|
39
|
-
action :nothing
|
|
40
|
-
end
|
|
41
|
-
iptables_pkg.run_action(:install)
|
|
42
|
-
new_resource.updated_by_last_action(true) if iptables_pkg.updated_by_last_action?
|
|
43
|
-
end
|
|
44
|
-
|
|
45
|
-
iptables_commands(new_resource).each do |svc|
|
|
46
|
-
# must create empty file for service to start
|
|
47
|
-
unless ::File.exist?("/etc/sysconfig/#{svc}")
|
|
48
|
-
# must create empty file for service to start
|
|
49
|
-
iptables_file = lookup_or_create_rulesfile(svc)
|
|
50
|
-
iptables_file.content '# created by chef to allow service to start'
|
|
51
|
-
iptables_file.run_action(:create)
|
|
52
|
-
new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
|
|
53
|
-
end
|
|
54
|
-
|
|
55
|
-
iptables_service = lookup_or_create_service(svc)
|
|
56
|
-
[:enable, :start].each do |a|
|
|
57
|
-
iptables_service.run_action(a)
|
|
58
|
-
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
59
|
-
end
|
|
60
|
-
end
|
|
61
|
-
end
|
|
62
|
-
|
|
63
|
-
action :restart do
|
|
64
|
-
return if disabled?(new_resource)
|
|
65
|
-
|
|
66
|
-
# prints all the firewall rules
|
|
67
|
-
log_iptables(new_resource)
|
|
68
|
-
|
|
69
|
-
# ensure it's initialized
|
|
70
|
-
new_resource.rules({}) unless new_resource.rules
|
|
71
|
-
ensure_default_rules_exist(node, new_resource)
|
|
72
|
-
|
|
73
|
-
# this populates the hash of rules from firewall_rule resources
|
|
74
|
-
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
|
75
|
-
firewall_rules.each do |firewall_rule|
|
|
76
|
-
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
|
77
|
-
|
|
78
|
-
types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
|
|
79
|
-
%w(ip6tables)
|
|
80
|
-
elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
|
|
81
|
-
%w(iptables)
|
|
82
|
-
else # or not specific
|
|
83
|
-
%w(iptables ip6tables)
|
|
84
|
-
end
|
|
85
|
-
|
|
86
|
-
types.each do |iptables_type|
|
|
87
|
-
# build rules to apply with weight
|
|
88
|
-
k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
|
|
89
|
-
v = firewall_rule.position
|
|
90
|
-
|
|
91
|
-
# unless we're adding them for the first time.... bail out.
|
|
92
|
-
next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
|
|
93
|
-
new_resource.rules[iptables_type][k] = v
|
|
94
|
-
end
|
|
95
|
-
end
|
|
96
|
-
|
|
97
|
-
iptables_commands(new_resource).each do |iptables_type|
|
|
98
|
-
# this takes the commands in each hash entry and builds a rule file
|
|
99
|
-
iptables_file = lookup_or_create_rulesfile(iptables_type)
|
|
100
|
-
iptables_file.content build_rule_file(new_resource.rules[iptables_type])
|
|
101
|
-
iptables_file.run_action(:create)
|
|
102
|
-
|
|
103
|
-
# if the file was unchanged, skip loop iteration, otherwise restart iptables
|
|
104
|
-
next unless iptables_file.updated_by_last_action?
|
|
105
|
-
|
|
106
|
-
iptables_service = lookup_or_create_service(iptables_type)
|
|
107
|
-
iptables_service.run_action(:restart)
|
|
108
|
-
new_resource.updated_by_last_action(true)
|
|
109
|
-
end
|
|
110
|
-
end
|
|
111
|
-
|
|
112
|
-
action :disable do
|
|
113
|
-
return if disabled?(new_resource)
|
|
114
|
-
|
|
115
|
-
iptables_flush!(new_resource)
|
|
116
|
-
iptables_default_allow!(new_resource)
|
|
117
|
-
new_resource.updated_by_last_action(true)
|
|
118
|
-
|
|
119
|
-
iptables_commands(new_resource).each do |svc|
|
|
120
|
-
iptables_service = lookup_or_create_service(svc)
|
|
121
|
-
[:disable, :stop].each do |a|
|
|
122
|
-
iptables_service.run_action(a)
|
|
123
|
-
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
124
|
-
end
|
|
125
|
-
|
|
126
|
-
# must create empty file for service to start
|
|
127
|
-
iptables_file = lookup_or_create_rulesfile(svc)
|
|
128
|
-
iptables_file.content '# created by chef to allow service to start'
|
|
129
|
-
iptables_file.run_action(:create)
|
|
130
|
-
new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
|
|
131
|
-
end
|
|
132
|
-
end
|
|
133
|
-
|
|
134
|
-
action :flush do
|
|
135
|
-
return if disabled?(new_resource)
|
|
136
|
-
|
|
137
|
-
iptables_flush!(new_resource)
|
|
138
|
-
new_resource.updated_by_last_action(true)
|
|
139
|
-
|
|
140
|
-
iptables_commands(new_resource).each do |svc|
|
|
141
|
-
# must create empty file for service to start
|
|
142
|
-
iptables_file = lookup_or_create_rulesfile(svc)
|
|
143
|
-
iptables_file.content '# created by chef to allow service to start'
|
|
144
|
-
iptables_file.run_action(:create)
|
|
145
|
-
new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
|
|
146
|
-
end
|
|
147
|
-
end
|
|
148
|
-
|
|
149
|
-
def lookup_or_create_service(name)
|
|
150
|
-
begin
|
|
151
|
-
iptables_service = Chef.run_context.resource_collection.find(service: svc)
|
|
152
|
-
rescue
|
|
153
|
-
iptables_service = service name do
|
|
154
|
-
action :nothing
|
|
155
|
-
end
|
|
156
|
-
end
|
|
157
|
-
iptables_service
|
|
158
|
-
end
|
|
159
|
-
|
|
160
|
-
def lookup_or_create_rulesfile(name)
|
|
161
|
-
begin
|
|
162
|
-
iptables_file = Chef.run_context.resource_collection.find(file: name)
|
|
163
|
-
rescue
|
|
164
|
-
iptables_file = file "/etc/sysconfig/#{name}" do
|
|
165
|
-
action :nothing
|
|
166
|
-
end
|
|
167
|
-
end
|
|
168
|
-
iptables_file
|
|
169
|
-
end
|
|
170
|
-
end
|
|
171
|
-
end
|
|
@@ -1,200 +0,0 @@
|
|
|
1
|
-
#
|
|
2
|
-
# Author:: Seth Chisamore (<schisamo@opscode.com>)
|
|
3
|
-
# Cookbook:: firewall
|
|
4
|
-
# Resource:: default
|
|
5
|
-
#
|
|
6
|
-
# Copyright:: 2011-2019, Chef Software, Inc.
|
|
7
|
-
#
|
|
8
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
9
|
-
# you may not use this file except in compliance with the License.
|
|
10
|
-
# You may obtain a copy of the License at
|
|
11
|
-
#
|
|
12
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
|
13
|
-
#
|
|
14
|
-
# Unless required by applicable law or agreed to in writing, software
|
|
15
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
16
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
17
|
-
# See the License for the specific language governing permissions and
|
|
18
|
-
# limitations under the License.
|
|
19
|
-
#
|
|
20
|
-
class Chef
|
|
21
|
-
class Provider::FirewallIptablesUbuntu < Chef::Provider::LWRPBase
|
|
22
|
-
include FirewallCookbook::Helpers
|
|
23
|
-
include FirewallCookbook::Helpers::Iptables
|
|
24
|
-
|
|
25
|
-
provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
|
|
26
|
-
node['firewall'] && node['firewall']['ubuntu_iptables'] &&
|
|
27
|
-
node['platform_version'].to_f > (node['platform'] == 'ubuntu' ? 14.04 : 7)
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
def whyrun_supported?
|
|
31
|
-
false
|
|
32
|
-
end
|
|
33
|
-
|
|
34
|
-
action :install do
|
|
35
|
-
return if disabled?(new_resource)
|
|
36
|
-
|
|
37
|
-
# Ensure the package is installed
|
|
38
|
-
pkg = package 'iptables-persistent' do
|
|
39
|
-
action :nothing
|
|
40
|
-
end
|
|
41
|
-
pkg.run_action(:install)
|
|
42
|
-
new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
|
|
43
|
-
|
|
44
|
-
rule_files = %w(rules.v4)
|
|
45
|
-
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
|
46
|
-
rule_files.each do |svc|
|
|
47
|
-
next if ::File.exist?("/etc/iptables/#{svc}")
|
|
48
|
-
|
|
49
|
-
# must create empty file for service to start
|
|
50
|
-
f = lookup_or_create_rulesfile(svc)
|
|
51
|
-
f.content '# created by chef to allow service to start'
|
|
52
|
-
f.run_action(:create)
|
|
53
|
-
|
|
54
|
-
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
|
55
|
-
end
|
|
56
|
-
|
|
57
|
-
iptables_service = lookup_or_create_service('netfilter-persistent')
|
|
58
|
-
[:enable, :start].each do |act|
|
|
59
|
-
# iptables-persistent isn't a real service
|
|
60
|
-
iptables_service.status_command 'true'
|
|
61
|
-
|
|
62
|
-
iptables_service.run_action(act)
|
|
63
|
-
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
64
|
-
end
|
|
65
|
-
end
|
|
66
|
-
|
|
67
|
-
action :restart do
|
|
68
|
-
return if disabled?(new_resource)
|
|
69
|
-
|
|
70
|
-
# prints all the firewall rules
|
|
71
|
-
log_iptables(new_resource)
|
|
72
|
-
|
|
73
|
-
# ensure it's initialized
|
|
74
|
-
new_resource.rules({}) unless new_resource.rules
|
|
75
|
-
ensure_default_rules_exist(node, new_resource)
|
|
76
|
-
|
|
77
|
-
# this populates the hash of rules from firewall_rule resources
|
|
78
|
-
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
|
79
|
-
firewall_rules.each do |firewall_rule|
|
|
80
|
-
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
|
81
|
-
|
|
82
|
-
types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
|
|
83
|
-
%w(ip6tables)
|
|
84
|
-
elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
|
|
85
|
-
%w(iptables)
|
|
86
|
-
else # or not specific
|
|
87
|
-
%w(iptables ip6tables)
|
|
88
|
-
end
|
|
89
|
-
|
|
90
|
-
types.each do |iptables_type|
|
|
91
|
-
# build rules to apply with weight
|
|
92
|
-
k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
|
|
93
|
-
v = firewall_rule.position
|
|
94
|
-
|
|
95
|
-
# unless we're adding them for the first time.... bail out.
|
|
96
|
-
next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
|
|
97
|
-
new_resource.rules[iptables_type][k] = v
|
|
98
|
-
end
|
|
99
|
-
end
|
|
100
|
-
|
|
101
|
-
restart_service = false
|
|
102
|
-
|
|
103
|
-
rule_files = %w(iptables)
|
|
104
|
-
rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
|
|
105
|
-
|
|
106
|
-
rule_files.each do |iptables_type|
|
|
107
|
-
iptables_filename = if iptables_type == 'ip6tables'
|
|
108
|
-
'/etc/iptables/rules.v6'
|
|
109
|
-
else
|
|
110
|
-
'/etc/iptables/rules.v4'
|
|
111
|
-
end
|
|
112
|
-
|
|
113
|
-
# ensure a file resource exists with the current iptables rules
|
|
114
|
-
begin
|
|
115
|
-
iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
|
|
116
|
-
rescue
|
|
117
|
-
iptables_file = file iptables_filename do
|
|
118
|
-
action :nothing
|
|
119
|
-
end
|
|
120
|
-
end
|
|
121
|
-
iptables_file.content build_rule_file(new_resource.rules[iptables_type])
|
|
122
|
-
iptables_file.run_action(:create)
|
|
123
|
-
|
|
124
|
-
# if the file was changed, restart iptables
|
|
125
|
-
restart_service = true if iptables_file.updated_by_last_action?
|
|
126
|
-
end
|
|
127
|
-
|
|
128
|
-
if restart_service
|
|
129
|
-
service_affected = service 'netfilter-persistent' do
|
|
130
|
-
action :nothing
|
|
131
|
-
end
|
|
132
|
-
service_affected.run_action(:restart)
|
|
133
|
-
new_resource.updated_by_last_action(true)
|
|
134
|
-
end
|
|
135
|
-
end
|
|
136
|
-
|
|
137
|
-
action :disable do
|
|
138
|
-
return if disabled?(new_resource)
|
|
139
|
-
|
|
140
|
-
iptables_flush!(new_resource)
|
|
141
|
-
iptables_default_allow!(new_resource)
|
|
142
|
-
new_resource.updated_by_last_action(true)
|
|
143
|
-
|
|
144
|
-
iptables_service = lookup_or_create_service('netfilter-persistent')
|
|
145
|
-
[:disable, :stop].each do |act|
|
|
146
|
-
iptables_service.run_action(act)
|
|
147
|
-
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
148
|
-
end
|
|
149
|
-
|
|
150
|
-
%w(rules.v4 rules.v6).each do |svc|
|
|
151
|
-
# must create empty file for service to start
|
|
152
|
-
f = lookup_or_create_rulesfile(svc)
|
|
153
|
-
f.content '# created by chef to allow service to start'
|
|
154
|
-
f.run_action(:create)
|
|
155
|
-
|
|
156
|
-
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
|
157
|
-
end
|
|
158
|
-
end
|
|
159
|
-
|
|
160
|
-
action :flush do
|
|
161
|
-
return if disabled?(new_resource)
|
|
162
|
-
|
|
163
|
-
iptables_flush!(new_resource)
|
|
164
|
-
new_resource.updated_by_last_action(true)
|
|
165
|
-
|
|
166
|
-
rule_files = %w(rules.v4)
|
|
167
|
-
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
|
168
|
-
rule_files.each do |svc|
|
|
169
|
-
# must create empty file for service to start
|
|
170
|
-
f = lookup_or_create_rulesfile(svc)
|
|
171
|
-
f.content '# created by chef to allow service to start'
|
|
172
|
-
f.run_action(:create)
|
|
173
|
-
|
|
174
|
-
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
|
175
|
-
end
|
|
176
|
-
end
|
|
177
|
-
|
|
178
|
-
def lookup_or_create_service(name)
|
|
179
|
-
begin
|
|
180
|
-
iptables_service = Chef.run_context.resource_collection.find(service: svc)
|
|
181
|
-
rescue
|
|
182
|
-
iptables_service = service name do
|
|
183
|
-
action :nothing
|
|
184
|
-
end
|
|
185
|
-
end
|
|
186
|
-
iptables_service
|
|
187
|
-
end
|
|
188
|
-
|
|
189
|
-
def lookup_or_create_rulesfile(name)
|
|
190
|
-
begin
|
|
191
|
-
iptables_file = Chef.run_context.resource_collection.find(file: name)
|
|
192
|
-
rescue
|
|
193
|
-
iptables_file = file "/etc/iptables/#{name}" do
|
|
194
|
-
action :nothing
|
|
195
|
-
end
|
|
196
|
-
end
|
|
197
|
-
iptables_file
|
|
198
|
-
end
|
|
199
|
-
end
|
|
200
|
-
end
|