dust-deploy 0.2.1 → 0.2.2
Sign up to get free protection for your applications and to get access to all the features.
- data/README.md +1 -0
- data/bin/dust +1 -1
- data/changelog.md +36 -9
- data/lib/dust/recipes/etc_hosts.rb +4 -2
- data/lib/dust/recipes/iptables.rb +29 -46
- data/lib/dust/recipes/ssh_authorized_keys.rb +1 -0
- data/lib/dust/server.rb +2 -2
- data/lib/dust/version.rb +1 -1
- metadata +3 -3
data/README.md
CHANGED
|
@@ -203,6 +203,7 @@ almost all functions understand the quiet=true and indend=integer arguments
|
|
|
203
203
|
#### get_system_users quiet=false
|
|
204
204
|
#### package_installed? packages, quiet=false, indent=1
|
|
205
205
|
#### install_package package, quiet=false, indent=1, env=""
|
|
206
|
+
#### remove_package package, quiet=false, indent=1
|
|
206
207
|
#### update_repos quiet=false, indent=1
|
|
207
208
|
#### system_update quiet=false, indent=1
|
|
208
209
|
#### uses_apt? quiet=false, indent=1
|
data/bin/dust
CHANGED
|
@@ -10,7 +10,7 @@ require 'dust'
|
|
|
10
10
|
module Dust
|
|
11
11
|
class Deploy < Thor::Runner
|
|
12
12
|
|
|
13
|
-
default_task :
|
|
13
|
+
default_task :list
|
|
14
14
|
|
|
15
15
|
desc 'deploy [server.yaml] [--filter key=value,value2] [--recipes recipe1 recipe2] [--proxy host:port]',
|
|
16
16
|
'deploy all recipes to the node(s) specified in server.yaml or to all nodes defined in ./nodes/'
|
data/changelog.md
CHANGED
|
@@ -1,6 +1,23 @@
|
|
|
1
1
|
Changelog
|
|
2
2
|
=============
|
|
3
3
|
|
|
4
|
+
0.2.2
|
|
5
|
+
------------
|
|
6
|
+
|
|
7
|
+
- iptables will now sort rules before applying. thus enabling you to set the order of the rules.
|
|
8
|
+
|
|
9
|
+
recipes:
|
|
10
|
+
iptables:
|
|
11
|
+
forward:
|
|
12
|
+
1invalid: { match: state, state: INVALID, jump: DROP }
|
|
13
|
+
2valid: { jump: ACCEPT }
|
|
14
|
+
|
|
15
|
+
- removed all predefined iptables rules, you have (and can) do anything by yourself now
|
|
16
|
+
- small fixes and improvements for iptables recipes
|
|
17
|
+
- if you dont specify a chain, it will be set to ACCEPT per default
|
|
18
|
+
- dust list is now the default when launching dust without an argument
|
|
19
|
+
|
|
20
|
+
|
|
4
21
|
0.2.1
|
|
5
22
|
------------
|
|
6
23
|
|
|
@@ -12,13 +29,17 @@ fixes small iptables issue when using --jump REDIRECT and --to-port
|
|
|
12
29
|
|
|
13
30
|
heavily refactors iptables recipe. you HAVE to adapt your iptables settings. new usage:
|
|
14
31
|
|
|
15
|
-
recipe:
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
32
|
+
recipe:
|
|
33
|
+
iptables:
|
|
34
|
+
input:
|
|
35
|
+
ssh: { dport: 22, match: state, state: NEW }
|
|
36
|
+
http: { dport: [ 80, 443 ], match: state, state: NEW }
|
|
37
|
+
spoof-protection:
|
|
38
|
+
in-interface: eth0
|
|
39
|
+
source: [ 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 ]
|
|
40
|
+
jump: DROP
|
|
41
|
+
output:
|
|
42
|
+
drop-everything: { jump: DROP }
|
|
22
43
|
|
|
23
44
|
every iptables long option is allowed, it tries to automatically detect whether to use iptables, ip6tables or both.
|
|
24
45
|
known issues: --to-destination is not checked for ipv4/ipv6, because it might include port numbers.
|
|
@@ -26,6 +47,12 @@ default jump target ist ACCEPT
|
|
|
26
47
|
|
|
27
48
|
basic rules are added automatically, see iptables.rb for more information.
|
|
28
49
|
|
|
50
|
+
**known issue:** the order of your rules is not enforced, due to hashes by definition not having an order, and using arrays would mess up inheritance. thus, be careful and doublecheck if rules are correctly interpreted when making statements that require a specific ordering of the rules, like the following:
|
|
51
|
+
|
|
52
|
+
forward:
|
|
53
|
+
invalid: { match: state, state: INVALID, jump: DROP }
|
|
54
|
+
valid: { jump: ACCEPT }
|
|
55
|
+
|
|
29
56
|
|
|
30
57
|
0.1.8
|
|
31
58
|
------------
|
|
@@ -33,8 +60,8 @@ basic rules are added automatically, see iptables.rb for more information.
|
|
|
33
60
|
adds recipe for making sure packages are _uninstalled_
|
|
34
61
|
usage:
|
|
35
62
|
|
|
36
|
-
recipes:
|
|
37
|
-
|
|
63
|
+
recipes:
|
|
64
|
+
remove_packages: [ package1, package2, ... ]
|
|
38
65
|
|
|
39
66
|
|
|
40
67
|
0.1.7
|
|
@@ -3,11 +3,13 @@ class EtcHosts < Thor
|
|
|
3
3
|
def deploy node, daemon, options
|
|
4
4
|
template_path = "./templates/#{ File.basename(__FILE__).chomp( File.extname(__FILE__) ) }"
|
|
5
5
|
|
|
6
|
-
return unless node.package_installed?('dnsmasq')
|
|
7
6
|
node.scp("#{template_path}/hosts", '/etc/hosts')
|
|
8
7
|
|
|
9
8
|
# restart dns service
|
|
10
|
-
|
|
9
|
+
if options.restart? and daemon.is_a? String
|
|
10
|
+
node.package_installed? daemon
|
|
11
|
+
node.restart_service daemon if options.restart?
|
|
12
|
+
end
|
|
11
13
|
end
|
|
12
14
|
end
|
|
13
15
|
|
|
@@ -36,51 +36,26 @@ class Iptables < Thor
|
|
|
36
36
|
|
|
37
37
|
# default policy for chains
|
|
38
38
|
if node.uses_apt? true or node.uses_emerge? true
|
|
39
|
-
iptables_script += "-P INPUT DROP\n"
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
39
|
+
iptables_script += rules['input'] ? "-P INPUT DROP\n" : "-P INPUT ACCEPT\n"
|
|
40
|
+
iptables_script += rules['output'] ? "-P OUTPUT DROP\n" : "-P OUTPUT ACCEPT\n"
|
|
41
|
+
iptables_script += rules['forward'] ? "-P FORWARD DROP\n" : "-P FORWARD ACCEPT\n"
|
|
42
|
+
|
|
43
|
+
iptables_script += "-F\n"
|
|
43
44
|
iptables_script += "-F -t nat\n" if ipv4
|
|
44
45
|
iptables_script += "-X\n"
|
|
45
46
|
|
|
46
47
|
elsif node.uses_rpm? true
|
|
47
|
-
iptables_script += "*filter\n"
|
|
48
|
-
":INPUT DROP [0:0]\n" +
|
|
49
|
-
":FORWARD DROP [0:0]\n" +
|
|
50
|
-
":OUTPUT DROP [0:0]\n"
|
|
51
|
-
end
|
|
52
|
-
|
|
53
|
-
# allow localhost
|
|
54
|
-
iptables_script += "-A INPUT -i lo -j ACCEPT\n"
|
|
55
|
-
|
|
56
|
-
# drop invalid packets
|
|
57
|
-
iptables_script += "-A INPUT -m state --state INVALID -j DROP\n"
|
|
58
|
-
|
|
59
|
-
# allow related packets
|
|
60
|
-
iptables_script += "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
|
|
61
|
-
|
|
62
|
-
# drop tcp packets with the syn bit set if the tcp connection is already established
|
|
63
|
-
iptables_script += "-A INPUT -p tcp --tcp-flags SYN SYN -m state --state ESTABLISHED -j DROP\n" # if ipv4
|
|
64
|
-
|
|
65
|
-
# drop icmp timestamps
|
|
66
|
-
iptables_script += "-A INPUT -p icmp --icmp-type timestamp-request -j DROP\n" if ipv4
|
|
67
|
-
iptables_script += "-A INPUT -p icmp --icmp-type timestamp-reply -j DROP\n" if ipv4
|
|
68
|
-
|
|
69
|
-
# allow other icmp packets
|
|
70
|
-
iptables_script += "-A INPUT -p icmpv6 -j ACCEPT\n" if ipv6
|
|
71
|
-
iptables_script += "-A INPUT -p icmp -j ACCEPT\n"
|
|
48
|
+
iptables_script += "*filter\n"
|
|
72
49
|
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
# allow related outgoing packets
|
|
78
|
-
iptables_script += "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
|
|
50
|
+
iptables_script += rules['input'] ? ":INPUT DROP [0:0]\n" : ":INPUT ACCEPT [0:0]\n"
|
|
51
|
+
iptables_script += rules['output'] ? ":OUTPUT DROP [0:0]\n" : ":OUTPUT ACCEPT [0:0]\n"
|
|
52
|
+
iptables_script += rules['forward'] ? ":FORWARD DROP [0:0]\n" : ":FORWARD ACCEPT [0:0]\n"
|
|
53
|
+
end
|
|
79
54
|
|
|
80
55
|
# map rules to iptables strings
|
|
81
56
|
rules.each do |chain, chain_rules|
|
|
82
57
|
::Dust.print_msg "#{::Dust.pink}#{chain.upcase}#{::Dust.none}\n", 2
|
|
83
|
-
chain_rules.each do |name, rule|
|
|
58
|
+
chain_rules.sort.each do |name, rule|
|
|
84
59
|
# set default variables
|
|
85
60
|
rule['jump'] ||= ['ACCEPT']
|
|
86
61
|
|
|
@@ -100,13 +75,6 @@ class Iptables < Thor
|
|
|
100
75
|
end
|
|
101
76
|
end
|
|
102
77
|
|
|
103
|
-
# deny the rest incoming
|
|
104
|
-
iptables_script += "-A INPUT -p tcp -j REJECT --reject-with tcp-reset\n"
|
|
105
|
-
iptables_script += "-A INPUT -j REJECT --reject-with icmp-port-unreachable\n" if ipv4
|
|
106
|
-
|
|
107
|
-
# allow everything out
|
|
108
|
-
iptables_script += "-A OUTPUT -j ACCEPT\n"
|
|
109
|
-
|
|
110
78
|
# put commit statement for rpm machines
|
|
111
79
|
iptables_script += "COMMIT\n" if node.uses_rpm? true
|
|
112
80
|
|
|
@@ -160,7 +128,7 @@ class Iptables < Thor
|
|
|
160
128
|
# check if source and destination ip (if given)
|
|
161
129
|
# are valid ips for this ip version
|
|
162
130
|
def check_ipversion rule, ipv
|
|
163
|
-
['source', 'destination', 'to-source'].each do |attr|
|
|
131
|
+
['source', 'src', 'destination', 'dest', 'to-source'].each do |attr|
|
|
164
132
|
if rule[attr]
|
|
165
133
|
rule[attr].each do |addr|
|
|
166
134
|
return false unless IPAddress(addr).send "ipv#{ipv}?"
|
|
@@ -178,8 +146,18 @@ class Iptables < Thor
|
|
|
178
146
|
result = []
|
|
179
147
|
|
|
180
148
|
r.each do |k, v|
|
|
181
|
-
# skip ip-version, since its not iptables option
|
|
182
|
-
with_dashes[k] = r[k].map
|
|
149
|
+
next if k == 'ip-version' # skip ip-version, since its not iptables option
|
|
150
|
+
with_dashes[k] = r[k].map do |v|
|
|
151
|
+
value = v.to_s
|
|
152
|
+
if value.start_with? '!', '! '
|
|
153
|
+
# map '--key ! value' to '! --key value'
|
|
154
|
+
value.slice! '!'
|
|
155
|
+
value.lstrip!
|
|
156
|
+
"! --#{k} #{value}"
|
|
157
|
+
else
|
|
158
|
+
"--#{k} #{value}"
|
|
159
|
+
end
|
|
160
|
+
end
|
|
183
161
|
end
|
|
184
162
|
with_dashes.values.each { |a| result = result.combine a }
|
|
185
163
|
|
|
@@ -192,6 +170,11 @@ class Iptables < Thor
|
|
|
192
170
|
# shift to the end
|
|
193
171
|
r = r.sort_by { |x| if x.include? '--jump' then 1 else -1 end }
|
|
194
172
|
r = r.sort_by { |x| if x.include? '--to-port' then 1 else -1 end }
|
|
173
|
+
r = r.sort_by { |x| if x.include? '--to-destination' then 1 else -1 end }
|
|
174
|
+
r = r.sort_by { |x| if x.include? '--to-source' then 1 else -1 end }
|
|
175
|
+
r = r.sort_by { |x| if x.include? '--ttl-set' then 1 else -1 end }
|
|
176
|
+
r = r.sort_by { |x| if x.include? '--clamp-mss-to-pmtu' then 1 else -1 end }
|
|
177
|
+
r = r.sort_by { |x| if x.include? '--reject-with' then 1 else -1 end }
|
|
195
178
|
sorted.push r
|
|
196
179
|
end
|
|
197
180
|
|
|
@@ -15,6 +15,7 @@ class SshAuthorizedKeys < Thor
|
|
|
15
15
|
|
|
16
16
|
# create the authorized_keys hash for this user
|
|
17
17
|
ssh_users.each do |ssh_user|
|
|
18
|
+
users[ssh_user]['name'] ||= ssh_user
|
|
18
19
|
::Dust.print_msg "adding user #{users[ssh_user]['name']}", 2
|
|
19
20
|
users[ssh_user]['keys'].each do |key|
|
|
20
21
|
authorized_keys += "#{key}"
|
data/lib/dust/server.rb
CHANGED
|
@@ -199,14 +199,14 @@ module Dust
|
|
|
199
199
|
end
|
|
200
200
|
end
|
|
201
201
|
|
|
202
|
-
def remove_package package, quiet=false, indent=1
|
|
202
|
+
def remove_package package, quiet=false, indent=1
|
|
203
203
|
return Dust.print_ok "package #{package} not installed", indent + 1 unless package_installed? package, true
|
|
204
204
|
|
|
205
205
|
Dust.print_msg("removing #{package}", indent + 1) unless quiet
|
|
206
206
|
if uses_apt? true
|
|
207
207
|
Dust.print_result exec("DEBIAN_FRONTEND=noninteractive aptitude purge -y #{package}")[:exit_code], quiet
|
|
208
208
|
elsif uses_emerge? true
|
|
209
|
-
Dust.print_result exec("
|
|
209
|
+
Dust.print_result exec("emerge --unmerge #{package}")[:exit_code], quiet
|
|
210
210
|
elsif uses_rpm? true
|
|
211
211
|
Dust.print_result exec("yum erase -y #{package}")[:exit_code], quiet
|
|
212
212
|
else
|
data/lib/dust/version.rb
CHANGED
metadata
CHANGED
|
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
|
|
|
5
5
|
segments:
|
|
6
6
|
- 0
|
|
7
7
|
- 2
|
|
8
|
-
-
|
|
9
|
-
version: 0.2.
|
|
8
|
+
- 2
|
|
9
|
+
version: 0.2.2
|
|
10
10
|
platform: ruby
|
|
11
11
|
authors:
|
|
12
12
|
- kris kechagia
|
|
@@ -14,7 +14,7 @@ autorequire:
|
|
|
14
14
|
bindir: bin
|
|
15
15
|
cert_chain: []
|
|
16
16
|
|
|
17
|
-
date: 2012-01-
|
|
17
|
+
date: 2012-01-05 00:00:00 +01:00
|
|
18
18
|
default_executable:
|
|
19
19
|
dependencies:
|
|
20
20
|
- !ruby/object:Gem::Dependency
|