dust-deploy 0.13.6 → 0.13.7
- data/changelog.md +8 -0
- data/lib/dust/recipes/iptables.rb +62 -78
- data/lib/dust/recipes/zabbix_agent.rb +11 -3
- data/lib/dust/server.rb +32 -0
- data/lib/dust/version.rb +1 -1
- metadata +2 -2
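--- a/data/changelog.md
+++ b/data/changelog.md
@@ -1,6 +1,14 @@
 Changelog
 =============
 
+0.13.7
+------------
+
+- introduces @node.package_min_version? to check if a package is at least version x.
+supports apt, rpm, pacman so far
+- improves iptables recipe (using iptables-restore now on all systems)
+
+
 0.13.6
 ------------
 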
@@ -17,21 +17,22 @@ class Iptables < Recipe
|
|
17
17
|
@tables['ipv6']['mangle'] = [ 'INPUT', 'OUTPUT', 'FORWARD', 'PREROUTING', 'POSTROUTING' ]
|
18
18
|
@tables['ipv6']['raw'] = [ 'OUTPUT', 'PREROUTING' ]
|
19
19
|
|
20
|
-
|
21
20
|
return unless install
|
22
21
|
|
22
|
+
# remove iptables scripts from old dust versions
|
23
|
+
remove_old_scripts
|
24
|
+
|
23
25
|
[4, 6].each do |v|
|
24
26
|
@script = ''
|
25
27
|
@ip_version = v
|
26
28
|
|
27
29
|
@node.messages.add("generating ipv#{@ip_version} rules\n")
|
28
30
|
|
29
|
-
clear_all
|
30
31
|
populate_rule_defaults
|
31
32
|
generate_all_rules
|
32
33
|
|
33
34
|
deploy_script
|
34
|
-
apply_rules
|
35
|
+
apply_rules if @options.restart?
|
35
36
|
end
|
36
37
|
end
|
37
38
|
|
@@ -48,20 +49,20 @@ class Iptables < Recipe
|
|
48
49
|
# install iptables
|
49
50
|
def install
|
50
51
|
return false unless @node.install_package 'iptables'
|
52
|
+
return false unless @node.install_package 'iptables-persistent' if @node.uses_apt?
|
51
53
|
return false unless @node.install_package 'iptables-ipv6' if @node.uses_rpm? and not @node.is_fedora?
|
52
54
|
true
|
53
55
|
end
|
54
56
|
|
55
|
-
#
|
56
|
-
|
57
|
-
|
57
|
+
# TODO: remove soon
|
58
|
+
# remove rules from old iptables recipe
|
59
|
+
def remove_old_scripts
|
60
|
+
files = [ '/etc/iptables', '/etc/ip6tables',
|
61
|
+
'/etc/network/if-pre-up.d/iptables',
|
62
|
+
'/etc/network/if-pre-up.d/ip6tables' ]
|
58
63
|
|
59
|
-
|
60
|
-
|
61
|
-
@script << "--flush --table #{table}\n"
|
62
|
-
|
63
|
-
# delete all custom chains
|
64
|
-
@script << "--delete-chain --table #{table}\n" unless @node.uses_rpm?
|
64
|
+
files.each do |file|
|
65
|
+
@node.rm(file) if @node.file_exists?(file, :quiet => true)
|
65
66
|
end
|
66
67
|
end
|
67
68
|
|
@@ -84,7 +85,7 @@ class Iptables < Recipe
|
|
84
85
|
# generates all iptables rules
|
85
86
|
def generate_all_rules
|
86
87
|
@tables['ipv' + @ip_version.to_s].each do |table, chains|
|
87
|
-
@script << "*#{table}\n"
|
88
|
+
@script << "*#{table}\n"
|
88
89
|
set_chain_policies table
|
89
90
|
generate_rules_for_table table
|
90
91
|
end
|
@@ -98,12 +99,7 @@ class Iptables < Recipe
|
|
98
99
|
# build in chains
|
99
100
|
@tables['ipv' + @ip_version.to_s][table].each do |chain|
|
100
101
|
policy = get_chain_policy table, chain
|
101
|
-
|
102
|
-
if @node.uses_rpm?
|
103
|
-
@script << ":#{chain.upcase} #{policy} [0:0]\n"
|
104
|
-
else
|
105
|
-
@script << "--table #{table} --policy #{chain.upcase} #{policy}\n"
|
106
|
-
end
|
102
|
+
@script << ":#{chain.upcase} #{policy} [0:0]\n"
|
107
103
|
end
|
108
104
|
|
109
105
|
# custom chains
|
@@ -121,11 +117,7 @@ class Iptables < Recipe
|
|
121
117
|
end
|
122
118
|
next unless chain_used_in_table
|
123
119
|
|
124
|
-
|
125
|
-
@script << ":#{chain.upcase} - [0:0]\n"
|
126
|
-
else
|
127
|
-
@script << "--table #{table} --new-chain #{chain.upcase}\n"
|
128
|
-
end
|
120
|
+
@script << ":#{chain.upcase} - [0:0]\n"
|
129
121
|
end
|
130
122
|
end
|
131
123
|
|
@@ -158,7 +150,7 @@ class Iptables < Recipe
|
|
158
150
|
msg.ok
|
159
151
|
end
|
160
152
|
end
|
161
|
-
@script << "COMMIT\n"
|
153
|
+
@script << "COMMIT\n"
|
162
154
|
end
|
163
155
|
|
164
156
|
def get_rules_for_table rules, table
|
@@ -195,7 +187,7 @@ class Iptables < Recipe
|
|
195
187
|
# map r[key] = value to '--key value'
|
196
188
|
r.each do |k, v|
|
197
189
|
next if k == 'ip-version' # skip ip-version, since its not iptables option
|
198
|
-
next if k == 'table'
|
190
|
+
next if k == 'table' # iptables-restore takes table argument with *table
|
199
191
|
|
200
192
|
with_dashes[k] = r[k].map do |v|
|
201
193
|
value = v.to_s
|
@@ -251,82 +243,74 @@ class Iptables < Recipe
|
|
251
243
|
def deploy_script
|
252
244
|
target = get_target
|
253
245
|
|
254
|
-
|
255
|
-
|
246
|
+
# create directory if not existend
|
247
|
+
@node.mkdir(File.dirname(target)) unless @node.dir_exists?(File.dirname(target), :quiet => true)
|
256
248
|
|
257
249
|
# overwrite openwrt firewall configuration
|
258
250
|
# and only use our script
|
259
251
|
if @node.uses_opkg?
|
260
252
|
@node.write '/etc/config/firewall',
|
261
|
-
"config include\n\toption path /etc/
|
262
|
-
|
253
|
+
"config include\n\toption path /etc/firewall.sh\n"
|
254
|
+
|
255
|
+
workaround_script = '/etc/firewall.sh'
|
256
|
+
|
257
|
+
# iptables-persistent < version 0.5.1 doesn't support ipv6
|
258
|
+
# so doing a workaround
|
259
|
+
elsif @node.uses_apt?
|
260
|
+
# check if iptables-persistent is new enough
|
261
|
+
unless @node.package_min_version?('iptables-persistent', '0.5.1', :quiet => true)
|
262
|
+
@node.messages.add('iptables-persistent too old (< 0.5.1), using workaround').warning
|
263
|
+
workaround_script = '/etc/network/if-pre-up.d/iptables'
|
264
|
+
end
|
263
265
|
end
|
264
266
|
|
265
|
-
|
267
|
+
if workaround_script
|
268
|
+
msg = @node.messages.add("deploying workaround script to #{workaround_script}", :indent => 2)
|
269
|
+
msg.parse_result(@node.write(workaround_script,
|
270
|
+
"#!/bin/sh\n\n" +
|
271
|
+
"iptables-restore < #{target}\n" +
|
272
|
+
"ip6tables-restore < #{target}\n", :quiet => true))
|
266
273
|
|
267
|
-
|
268
|
-
|
274
|
+
@node.chmod('0700', workaround_script, :indent => 2)
|
275
|
+
|
276
|
+
if @node.uses_apt?
|
277
|
+
# deactivate iptables-persistent initscript
|
278
|
+
msg = @node.messages.add('deactivating iptables-persistent initscript', :indent => 2)
|
279
|
+
msg.parse_result(@node.exec('update-rc.d iptables-persistent remove')[:exit_code])
|
280
|
+
end
|
269
281
|
else
|
270
|
-
@node.
|
282
|
+
@node.autostart_service('iptables-persistent') if @node.uses_apt?
|
271
283
|
end
|
272
|
-
end
|
273
|
-
|
274
|
-
# put dust comment at the beginning of the file
|
275
|
-
def prepend_header
|
276
|
-
@script.insert 0, "#!/bin/sh\n" unless @node.uses_rpm?
|
277
|
-
@script.insert 0, "# automatically generated by dust\n\n"
|
278
|
-
end
|
279
284
|
|
280
|
-
|
281
|
-
|
282
|
-
@script.gsub! /^/, "#{cmd_path} " unless @node.uses_rpm?
|
285
|
+
@node.write(target, @script, :quiet => true)
|
286
|
+
@node.chmod('0600', target)
|
283
287
|
end
|
284
288
|
|
285
289
|
# apply newly pushed rules
|
286
290
|
def apply_rules
|
287
|
-
|
288
|
-
|
291
|
+
msg = @node.messages.add("applying ipv#{@ip_version} rules")
|
292
|
+
msg.parse_result(@node.exec("#{get_cmd}-restore < #{get_target}")[:exit_code])
|
293
|
+
end
|
289
294
|
|
290
|
-
|
291
|
-
|
295
|
+
# set the target file depending on distribution
|
296
|
+
def get_target
|
297
|
+
if @node.uses_apt?
|
298
|
+
target = "/etc/iptables/rules.v#{@ip_version}"
|
292
299
|
|
293
|
-
|
294
|
-
|
295
|
-
|
296
|
-
end
|
297
|
-
end
|
300
|
+
elsif @node.uses_rpm?
|
301
|
+
target = "/etc/sysconfig/iptables" if @ip_version == 4
|
302
|
+
target = "/etc/sysconfig/ip6tables" if @ip_version == 6
|
298
303
|
|
299
|
-
|
300
|
-
|
301
|
-
|
302
|
-
msg = @node.messages.add("saving ipv#{@ip_version} rules")
|
303
|
-
msg.parse_result(@node.exec("/etc/init.d/#{cmd} save")[:exit_code])
|
304
|
+
else
|
305
|
+
target = "/etc/iptables-rules.ipt" if @ip_version == 4
|
306
|
+
target = "/etc/ip6tables-rules.ipt" if @ip_version == 6
|
304
307
|
end
|
305
|
-
end
|
306
308
|
|
307
|
-
# set the target file depending on distribution
|
308
|
-
def get_target
|
309
|
-
target = "/etc/#{cmd}"
|
310
|
-
target = "/etc/network/if-pre-up.d/#{cmd}" if @node.uses_apt?
|
311
|
-
target = "/etc/sysconfig/#{cmd}" if @node.uses_rpm?
|
312
309
|
target
|
313
310
|
end
|
314
311
|
|
315
|
-
def
|
312
|
+
def get_cmd
|
316
313
|
return 'iptables' if @ip_version == 4
|
317
314
|
return 'ip6tables' if @ip_version == 6
|
318
315
|
end
|
319
|
-
|
320
|
-
def cmd_path
|
321
|
-
# get full iptables/ip6tables path using which
|
322
|
-
ret = @node.exec("which #{cmd}")
|
323
|
-
return ret[:stdout].chomp if ret[:exit_code] == 0
|
324
|
-
|
325
|
-
# PATH is not set correctly when executing stuff via ssh on openwrt
|
326
|
-
# thus returning full path manually
|
327
|
-
return "/usr/sbin/#{cmd}" if @node.uses_opkg?
|
328
|
-
|
329
|
-
# if nothing was found, just use "iptables" resp. "ip6tables"
|
330
|
-
return cmd
|
331
|
-
end
|
332
316
|
end
|
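Review bot: The workaround script written in deploy_script points both restore commands at the same file: `"iptables-restore < #{target}\n"` and `"ip6tables-restore < #{target}\n"` share the single `target` of the current `[4, 6].each` pass, and since the script path does not depend on `@ip_version`, the pass for version 6 overwrites what the pass for version 4 wrote. The script left on the host therefore feeds the IPv6 rules file to `iptables-restore`, which most likely fails at boot and leaves IPv4 without the intended rules on the apt (iptables-persistent < 0.5.1) and opkg paths. Letting get_target take the version (`def get_target(version = @ip_version)`, using `version` in its body) and writing `"iptables-restore < #{get_target(4)}\n" + "ip6tables-restore < #{get_target(6)}\n"` keeps each address family on its own file. A smaller point in the same method: `@node.write(target, @script, :quiet => true)` creates the rules file before `@node.chmod('0600', target)` restricts it, so the file briefly has whatever default mode `write` applies (not visible here).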
@@ -88,12 +88,20 @@ class ZabbixAgent < Recipe
|
|
88
88
|
'UserParameter' => []
|
89
89
|
}
|
90
90
|
|
91
|
-
if @node.
|
91
|
+
if @node.dir_exists?('/var/run/zabbix-agent', :quiet => true)
|
92
92
|
defaults['PidFile'] ||= '/var/run/zabbix-agent/zabbix_agentd.pid'
|
93
|
-
|
94
|
-
elsif @node.uses_emerge? or @node.uses_rpm?
|
93
|
+
elsif @node.dir_exists?('/var/run/zabbix', :quiet => true)
|
95
94
|
defaults['PidFile'] ||= '/var/run/zabbix/zabbix_agentd.pid'
|
95
|
+
else
|
96
|
+
defaults['PidFile'] ||= '/var/run/zabbix_agentd.pid'
|
97
|
+
end
|
98
|
+
|
99
|
+
if @node.dir_exists?('/var/log/zabbix-agent', :quiet => true)
|
100
|
+
defaults['LogFile'] ||= '/var/log/zabbix-agent/zabbix_agentd.log'
|
101
|
+
elsif @node.dir_exists?('/var/log/zabbix', :quiet => true)
|
96
102
|
defaults['LogFile'] ||= '/var/log/zabbix/zabbix_agentd.log'
|
103
|
+
else
|
104
|
+
defaults['LogFile'] ||= '/var/log/zabbix_agentd.log'
|
97
105
|
end
|
98
106
|
|
99
107
|
defaults
|
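--- a/data/lib/dust/server.rb
+++ b/data/lib/dust/server.rb
@@ -339,6 +339,34 @@ module Dust
 msg.parse_result(package_installed?(package, :quiet => true))
 end
 
+# check if installed package is at least version min_version
+def package_min_version?(package, min_version, options = {})
+msg = messages.add("checking if #{package} is at least version #{min_version}", options)
+return msg.failed unless package_installed?(package, :quiet => true)
+
+if uses_apt?
+v = exec("dpkg --list |grep #{package}")[:stdout].chomp
+elsif uses_rpm?
+v = exec("rpm -q #{package}")[:stdout].chomp
+elsif uses_pacman?
+v = exec("pacman -Q #{package}")[:stdout].chomp
+else
+return msg.failed('os not supported')
+end
+
+# convert version numbers to arrays
+current_version = v.to_s.split(/[-. ]/ ).select {|j| j =~ /^[0-9]+$/ }
+min_version = min_version.to_s.split(/[-. ]/ ).select {|j| j =~ /^[0-9]+$/ }
+
+# compare
+min_version.each_with_index do |i, pos|
+break unless current_version[pos]
+return msg.failed if i.to_i < current_version[pos].to_i
+end
+
+msg.ok
+end
+
 def remove_package package, options = {}
 options = default_options.merge options
 
@@ -541,6 +569,10 @@ module Dust
 options = default_options.merge options
 
 msg = messages.add("checking if file #{file} exists", options)
+
+# don't treat directories as files
+return msg.failed if dir_exists?(file, :quiet => true)
+
 msg.parse_result(exec("test -e #{file}")[:exit_code])
 end
 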
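Review bot: The comparison in package_min_version? is inverted and never stops at the first differing component: `return msg.failed if i.to_i < current_version[pos].to_i` fails when the installed component is larger than the required one, so with a minimum of 0.5.1 an installed 0.5.3 is reported as too old while 0.5.0 passes. Callers that gate security-relevant behaviour on it (the iptables recipe picks its workaround path this way) then take the wrong branch. Replacing the loop with `return msg.failed if (current_version.map(&:to_i) <=> min_version.map(&:to_i)) < 0` gives an ordered comparison. The apt input is also unreliable, because `dpkg --list |grep #{package}` matches every line that contains the name and the numeric filter also picks up digits from names and descriptions. Querying the version field alone, for example `v = exec("dpkg-query -W -f='${Version}' #{Shellwords.escape(package)}")[:stdout].chomp` with `require 'shellwords'`, avoids that and stops interpolating `package` unescaped into the shell command; the rpm and pacman branches interpolate it the same way.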
data/lib/dust/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dust-deploy
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.13.
|
4
|
+
version: 0.13.7
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2012-06-
|
12
|
+
date: 2012-06-14 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: json
|