From f9a2db99ae5db4068b70cc71dbb568c0c0516532 Mon Sep 17 00:00:00 2001
From: Morgan Haskel
Date: Wed, 3 Dec 2014 16:11:00 -0500
Subject: [PATCH] MODULES-1309 - Make package and service names configurable

This was motivated by a need to make this work on Debian Jessie.
---
 README.markdown | 8 ++
 manifests/init.pp | 10 ++-
 manifests/linux.pp | 30 ++++---
 manifests/linux/archlinux.pp | 22 ++---
 manifests/linux/debian.pp | 23 +++--
 manifests/linux/redhat.pp | 34 ++++----
 manifests/params.pp | 44 ++++++++++
 .../classes/firewall_linux_archlinux_spec.rb | 6 ++
 .../classes/firewall_linux_debian_spec.rb | 86 +++++++++++++++++--
 .../classes/firewall_linux_redhat_spec.rb | 2 +
 10 files changed, 208 insertions(+), 57 deletions(-)
 create mode 100644 manifests/params.pp

diff --git a/README.markdown b/README.markdown
index be5db82bb..9817faef7 100644
--- a/README.markdown
+++ b/README.markdown
@@ -311,6 +311,14 @@ Parameter that controls the state of the `iptables` service on your system, allo
 `ensure` can either be `running` or `stopped`. Default to `running`.
+####`package`
+
+Specify the platform-specific package(s) to install. Defaults defined in `firewall::params`.
+
+####`service`
+
+Specify the platform-specific service(s) to start or stop. Defaults defined in `firewall::params`.
+
 ###Type: firewall
 This type enables you to manage firewall rules within Puppet.
diff --git a/manifests/init.pp b/manifests/init.pp
index 759f32823..97ed27312 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -12,8 +12,10 @@
 # Default: running
 #
 class firewall (
- $ensure = running
-) {
+ $ensure = running,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
 case $ensure {
 /^(running|stopped)$/: {
 # Do nothing.
@@ -26,7 +28,9 @@
 case $::kernel {
 'Linux': {
 class { "${title}::linux":
- ensure => $ensure,
+ ensure => $ensure,
+ service_name => $service_name,
+ package_name => $package_name,
 }
 }
 default: {
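Review bot: The README hunk documents the new parameters as `package` and `service`, but `class firewall` in this hunk declares them as `$package_name` and `$service_name` and forwards them as `package_name`/`service_name`, so a user following the README would pass parameters the class does not accept. The manifests use the `_name` form consistently, so the README headings are the ones to change: `####\`package_name\`` and `####\`service_name\``. It would also help to document that an undef/empty `package_name` skips package management, since the archlinux, debian and redhat subclasses in this patch all guard on `if $package_name`.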
diff --git a/manifests/linux.pp b/manifests/linux.pp
index 7c4f3a80b..21ec78479 100644
--- a/manifests/linux.pp
+++ b/manifests/linux.pp
@@ -12,8 +12,10 @@
 # Default: running
 #
 class firewall::linux (
- $ensure = running
-) {
+ $ensure = running,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
 $enable = $ensure ? {
 running => true,
 stopped => false,
@@ -27,23 +29,29 @@
 'RedHat', 'CentOS', 'Fedora', 'Scientific', 'SL', 'SLC', 'Ascendos', 'CloudLinux', 'PSBM', 'OracleLinux', 'OVS', 'OEL', 'Amazon', 'XenServer': {
 class { "${title}::redhat":
- ensure => $ensure,
- enable => $enable,
- require => Package['iptables'],
+ ensure => $ensure,
+ enable => $enable,
+ package_name => $package_name,
+ service_name => $service_name,
+ require => Package['iptables'],
 }
 }
 'Debian', 'Ubuntu': {
 class { "${title}::debian":
- ensure => $ensure,
- enable => $enable,
- require => Package['iptables'],
+ ensure => $ensure,
+ enable => $enable,
+ package_name => $package_name,
+ service_name => $service_name,
+ require => Package['iptables'],
 }
 }
 'Archlinux': {
 class { "${title}::archlinux":
- ensure => $ensure,
- enable => $enable,
- require => Package['iptables'],
+ ensure => $ensure,
+ enable => $enable,
+ package_name => $package_name,
+ service_name => $service_name,
+ require => Package['iptables'],
 }
 }
 default: {}
diff --git a/manifests/linux/archlinux.pp b/manifests/linux/archlinux.pp
index 546a5a80f..cfe1a691a 100644
--- a/manifests/linux/archlinux.pp
+++ b/manifests/linux/archlinux.pp
@@ -14,16 +14,18 @@
 # Default: true
 #
 class firewall::linux::archlinux (
- $ensure = 'running',
- $enable = true
-) {
- service { 'iptables':
- ensure => $ensure,
- enable => $enable,
- hasstatus => true,
+ $ensure = 'running',
+ $enable = true,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
+ if $package_name {
+ package { $package_name:
+ ensure => $ensure,
+ }
 }
- service { 'ip6tables':
+ service { $service_name:
 ensure => $ensure,
 enable => $enable,
 hasstatus => true,
@@ -31,11 +33,11 @@
 file { '/etc/iptables/iptables.rules':
 ensure => present,
- before => Service['iptables'],
+ before => Service[$service_name],
 }
 file { '/etc/iptables/ip6tables.rules':
 ensure => present,
- before => Service['ip6tables'],
+ before => Service[$service_name],
 }
 }
diff --git a/manifests/linux/debian.pp b/manifests/linux/debian.pp
index 4d28bc482..9e431082e 100644
--- a/manifests/linux/debian.pp
+++ b/manifests/linux/debian.pp
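Review bot: `package { $package_name: ensure => $ensure, }` in the new `if $package_name` block hands the service state (`'running'`/`'stopped'`, the default of this class) to the package resource, where it is not a meaningful ensure value and would presumably be read as a version to install; the debian and redhat counterparts in this patch use `present`. Change the line to `ensure => present,`. Both rules files now carry `before => Service[$service_name]`, and with the array default from `firewall::params` each file is ordered before both services instead of its own; that is harmless, but a comment such as `# $service_name is a list on Arch, so both rules files precede both services` would make the intent clear.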
@@ -14,31 +14,36 @@
 # Default: true
 #
 class firewall::linux::debian (
- $ensure = running,
- $enable = true
-) {
- package { 'iptables-persistent':
- ensure => present,
+ $ensure = running,
+ $enable = true,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
+
+ if $package_name {
+ package { $package_name:
+ ensure => present,
+ }
 }
 if($::operatingsystemrelease =~ /^6\./ and $enable == true
- and versioncmp($::iptables_persistent_version, '0.5.0') < 0 ) {
+ and versioncmp($::iptables_persistent_version, '0.5.0') < 0 and ! $service_name) {
 # This fixes a bug in the iptables-persistent LSB headers in 6.x, without it
 # we lose idempotency
 exec { 'iptables-persistent-enable':
 logoutput => on_failure,
 command => '/usr/sbin/update-rc.d iptables-persistent enable',
 unless => '/usr/bin/test -f /etc/rcS.d/S*iptables-persistent',
- require => Package['iptables-persistent'],
+ require => Package[$package_name],
 }
 } else {
 # This isn't a real service/daemon. The start action loads rules, so just
 # needs to be called on system boot.
- service { 'iptables-persistent':
+ service { $service_name:
 ensure => undef,
 enable => $enable,
 hasstatus => true,
- require => Package['iptables-persistent'],
+ require => Package[$package_name],
 }
 }
 }
diff --git a/manifests/linux/redhat.pp b/manifests/linux/redhat.pp
index c808c7e43..b3db4b765 100644
--- a/manifests/linux/redhat.pp
+++ b/manifests/linux/redhat.pp
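Review bot: The `else` branch now declares `service { $service_name:`, but `firewall::params` in this patch sets `$service_name = undef` for the Debian 6 / iptables-persistent-below-0.5.0 case regardless of `$enable`; with `enable => false` on such a host the extended condition (`... and ! $service_name`) is false, and the service resource gets an empty title where the old code declared `iptables-persistent`. The smallest fix is to keep `$service_name = 'iptables-persistent'` in that branch of `params.pp` and drop `and ! $service_name` from the condition here, letting the existing release/version test decide as before; the same point applies to the params.pp hunk. Separately, `require => Package[$package_name]` in both branches is unguarded while the package declaration sits inside `if $package_name`, so an explicit `package_name => undef` override would leave a reference to a package that is never declared.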
@@ -13,28 +13,32 @@
 # Default: true
 #
 class firewall::linux::redhat (
- $ensure = running,
- $enable = true
-) {
+ $ensure = running,
+ $enable = true,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
 # RHEL 7 and later and Fedora 15 and later require the iptables-services
 # package, which provides the /usr/libexec/iptables/iptables.init used by
 # lib/puppet/util/firewall.rb.
- if ($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
- or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
- service { "firewalld":
+ if ($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
+ or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
+ service { 'firewalld':
 ensure => stopped,
 enable => false,
- before => Package['iptables-services']
+ before => Package[$package_name],
 }
+ }
- package { 'iptables-services':
- ensure => present,
- before => Service['iptables'],
+ if $package_name {
+ package { $package_name:
+ ensure => present,
+ before => Service[$service_name],
 }
 }
- service { 'iptables':
+ service { $service_name:
 ensure => $ensure,
 enable => $enable,
 hasstatus => true,
@@ -42,9 +46,9 @@
 }
 file { '/etc/sysconfig/iptables':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0600',
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 000000000..2e8533e1b
--- /dev/null
+++ b/manifests/params.pp
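Review bot: `before => Package[$package_name]` on the `firewalld` service is unguarded, while the package declaration just below is wrapped in `if $package_name`, so an explicit `package_name => undef` on RHEL 7+ or Fedora 15+ leaves a relationship to a package that is never declared. The `if`/`or` version test also now duplicates the test in `firewall::params` that chooses `$package_name`; either make the `before` conditional on `$package_name` or key this block on `$package_name` so the two cannot drift apart, whichever matches the intended behaviour when the package is unmanaged. A comment above the guard such as `# params.pp selects iptables-services on the same releases; keep the two conditions in step` would record the coupling until that is done.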
@@ -0,0 +1,44 @@
+class firewall::params {
+ case $::osfamily {
+ 'RedHat': {
+ case $::operatingsystem {
+ 'Archlinux': {
+ $service_name = ['iptables','ip6tables']
+ $package_name = undef
+ }
+ 'Fedora': {
+ if versioncmp($::operatingsystemrelease, '15') >= 0 {
+ $package_name = 'iptables-services'
+ } else {
+ $package_name = undef
+ }
+ $service_name = 'iptables'
+ }
+ default: {
+ if versioncmp($::operatingsystemrelease, '7.0') >= 0 {
+ $package_name = 'iptables-services'
+ } else {
+ $package_name = undef
+ }
+ $service_name = 'iptables'
+ }
+ }
+ }
+ 'Debian': {
+ if $::operatingsystemrelease =~ /^6\./ and versioncmp($::iptables_persistent_version, '0.5.0') < 0 {
+ $service_name = undef
+ $package_name = 'iptables-persistent'
+ } elsif $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8.0') >= 0 {
+ $service_name = 'netfilter-persistent'
+ $package_name = 'netfilter-persistent'
+ } else {
+ $service_name = 'iptables-persistent'
+ $package_name = 'iptables-persistent'
+ }
+ }
+ default: {
+ $package_name = undef
+ $service_name = 'iptables'
+ }
+ }
+}
diff --git a/spec/unit/classes/firewall_linux_archlinux_spec.rb b/spec/unit/classes/firewall_linux_archlinux_spec.rb
index 954d9ee10..cf5b19b0f 100644
--- a/spec/unit/classes/firewall_linux_archlinux_spec.rb
+++ b/spec/unit/classes/firewall_linux_archlinux_spec.rb
@@ -1,6 +1,12 @@
 require 'spec_helper'
 describe 'firewall::linux::archlinux', :type => :class do
+ let(:facts) do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'Archlinux'
+ }
+ end
 it { should contain_service('iptables').with(
 :ensure => 'running',
 :enable => 'true'
diff --git a/spec/unit/classes/firewall_linux_debian_spec.rb b/spec/unit/classes/firewall_linux_debian_spec.rb
index 98285b642..f78174355 100644
--- a/spec/unit/classes/firewall_linux_debian_spec.rb
+++ b/spec/unit/classes/firewall_linux_debian_spec.rb
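Review bot: The `'Archlinux'` arm is nested under `case $::osfamily { 'RedHat': ... }`, but as far as I know Facter reports `osfamily` as `Archlinux` for Arch hosts, so on a real Arch system this class falls through to the outer `default` and yields `$service_name = 'iptables'`, dropping the `ip6tables` service that `firewall::linux::archlinux` managed before this patch. The archlinux spec in this commit sets `:osfamily => 'RedHat'` alongside `:operatingsystem => 'Archlinux'`, which is why the test still passes. Move the branch to its own `'Archlinux': { ... }` arm of the outer `case` and change the spec fact to `:osfamily => 'Archlinux'`; a one-line header comment, `# Per-platform package and service names; overridden via firewall::package_name / service_name`, would also help since the new file has none.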
@@ -1,19 +1,87 @@
 require 'spec_helper'
 describe 'firewall::linux::debian', :type => :class do
- it { should contain_package('iptables-persistent').with(
- :ensure => 'present'
- )}
- it { should contain_service('iptables-persistent').with(
- :ensure => nil,
- :enable => 'true',
- :require => 'Package[iptables-persistent]'
- )}
+ context "Debian 7" do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '7.0'
+ }}
+ it { should contain_package('iptables-persistent').with(
+ :ensure => 'present'
+ )}
+ it { should contain_service('iptables-persistent').with(
+ :ensure => nil,
+ :enable => 'true',
+ :require => 'Package[iptables-persistent]'
+ )}
+ end
- context 'enable => false' do
+ context 'deb7 enable => false' do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '7.0'
+ }}
 let(:params) {{ :enable => 'false' }}
 it { should contain_service('iptables-persistent').with(
 :enable => 'false'
 )}
 end
+
+ context "Debian 8" do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => 'jessie/sid'
+ }}
+ it { should contain_package('netfilter-persistent').with(
+ :ensure => 'present'
+ )}
+ it { should contain_service('netfilter-persistent').with(
+ :ensure => nil,
+ :enable => 'true',
+ :require => 'Package[netfilter-persistent]'
+ )}
+ end
+
+ context 'deb8 enable => false' do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => 'jessie/sid'
+ }}
+ let(:params) {{ :enable => 'false' }}
+ it { should contain_service('netfilter-persistent').with(
+ :enable => 'false'
+ )}
+ end
+
+ context "Debian 8, alt operatingsystem" do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '8.0'
+ }}
+ it { should contain_package('netfilter-persistent').with(
+ :ensure => 'present'
+ )}
+ it { should
contain_service('netfilter-persistent').with(
+ :ensure => nil,
+ :enable => 'true',
+ :require => 'Package[netfilter-persistent]'
+ )}
+ end
+
+ context 'deb8, alt operatingsystem, enable => false' do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '8.0'
+ }}
+ let(:params) {{ :enable => 'false' }}
+ it { should contain_service('netfilter-persistent').with(
+ :enable => 'false'
+ )}
+ end
 end
diff --git a/spec/unit/classes/firewall_linux_redhat_spec.rb b/spec/unit/classes/firewall_linux_redhat_spec.rb
index 9ffab4444..8feecf4a7 100644
--- a/spec/unit/classes/firewall_linux_redhat_spec.rb
+++ b/spec/unit/classes/firewall_linux_redhat_spec.rb
@@ -8,6 +8,7 @@
 oldreleases.each do |osrel|
 context "os #{os} and osrel #{osrel}" do
 let(:facts) {{
+ :osfamily => 'RedHat',
 :operatingsystem => os,
 :operatingsystemrelease => osrel
 }}
@@ -20,6 +21,7 @@
 newreleases.each do |osrel|
 context "os #{os} and osrel #{osrel}" do
 let(:facts) {{
+ :osfamily => 'RedHat',
 :operatingsystem => os,
 :operatingsystemrelease => osrel
 }}
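Review bot: None of the new contexts exercises the Debian 6 path that `firewall::linux::debian` special-cases (release `6.x` with `iptables_persistent_version` below 0.5.0, for which `firewall::params` now yields an undef service name), so the `exec` branch and the `enable => false` combination on that release stay untested by this patch. A context with facts like `:operatingsystemrelease => '6.0'` and `:iptables_persistent_version => '0.4.0'` (illustrative values) asserting `contain_exec('iptables-persistent-enable')`, plus the same facts with `:enable => 'false'`, would cover it. The five `let(:facts)` blocks repeat the same `osfamily`/`operatingsystem` pair; a file-level `let(:facts)` with per-context overrides of `:operatingsystemrelease` would shorten them.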