-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
some fix #23
base: master
Are you sure you want to change the base?
some fix #23
Conversation
* add params blacklist blacklist_defaults tcrules tcrules_defaults
'/usr/bin', | ||
'/sbin', | ||
'/bin', | ||
] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should not do that: https://www.puppetcookbook.com/posts/set-global-exec-path.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, of course it is possible. But many modules set a default value for a path because it adds autonomy and versatility to the module.
For example:
https://github.com/voxpupuli/puppet-nginx/blob/master/manifests/service.pp
Imho it’s not bad practice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you want autonomy then why not the full path?
But if you clutter all over your modules the same piece of code, something smells.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you want autonomy then why not the full path?
The full path will not allow the command to be executed in different environments.
For example:
Ubuntu 20.04:
/usr/sbin/shorewall
Ubuntu 18.04:
/sbin/shorewall
But if you clutter all over your modules the same piece of code, something smells.
It’s true. I do not fully understand why the function exec does not set the default path parameter.
manifests/base.pp
Outdated
@@ -1,8 +1,10 @@ | |||
# base things for shorewall | |||
class shorewall::base { | |||
|
|||
package { 'shorewall': | |||
ensure => $shorewall::ensure_version, | |||
if ! defined(Package['shorewall']) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why? What if someone defined 'package{'shorewall': ensure => absent }` somewhere else?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It’s not easy question =)
I’m have a problem deploy new node because first time fact shorewall_major_version is empty and define shorewall::rule_section generate wrong config. As a result failed start service shorewall and failed many dependences.
I solved this by breaking the installation into two steps.
-
Install packages shorewall
-
Install class shorewall
Same as:
if ! defined(Package['shorewall']) {
package { [shorewall, shorewall6]: }
}if $shorewall_major_version != '' {
class { 'shorewall': }
}
But if do it, puppet agent result duplicate declaration Package['shorewall']
It’s crutch, but it’s work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah so you rung things twice?
Well you could do the following:
if $shorewall_major_version != '' {
class { 'shorewall': }
} else {
package { [shorewall, shorewall6]: }
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you are right, this is a more correct solution. Rolled back the change. Thanks!
manifests/base.pp
Outdated
require => Package['shorewall6'], | ||
} ~> exec{'shorewall6_try': | ||
command => 'shorewall6 try /etc/shorewall6/puppet', | ||
command => 'shorewall6 try /etc/shorewall6', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why? you will not test anymore the right thing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shorewall try search shorewall.conf. In manifest base you declare:
file { '/etc/shorewall6/shorewall6.conf':
shorewall6 try /etc/shorewall6/puppet
return error:
ERROR: /etc/shorewall6/puppet/shorewall6.conf does not exist!
shorewall6 try /etc/shorewall6 work fine for me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which version is this?
I get:
# shorewall6 try /etc/shorewall6/
Compiling using Shorewall 5.1.10.2...
Processing /etc/shorewall6/params ...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
Compiling /etc/shorewall6/zones...
ERROR: No IP zones defined /etc/shorewall6/zones (EOF)
vs.
# shorewall6 try /etc/shorewall6/puppet/
Compiling using Shorewall 5.1.10.2...
Processing /etc/shorewall6/puppet/params ...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
Compiling /etc/shorewall6/puppet/zones...
Compiling /etc/shorewall6/puppet/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall6/puppet/policy...
Adding Anti-smurf Rules
Compiling TCP Flags filtering...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall6/puppet/rules...
Compiling /usr/share/shorewall/action.dropNotSyn for chain dropNotSyn...
Compiling /etc/shorewall6/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.AllowICMPs for chain AllowICMPs...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Multicast for chain Multicast...
Generating Rule Matrix...
Optimizing Ruleset...
Creating ip6tables-restore input...
Shorewall configuration compiled to /var/lib/shorewall6/.reload
Currently-running Configuration Saved to /var/lib/shorewall6/.try
Reloading...
Reloading Shorewall6....
Initializing...
Processing /etc/shorewall6/init ...
Setting up Proxy NDP...
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore --wait 60...
Processing /etc/shorewall6/start ...
Processing /etc/shorewall6/started ...
done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh..
My solution don’t work on major version 4. I’m fixed this in new commit, thanks.
templates/blrules.erb
Outdated
@@ -7,9 +7,13 @@ | |||
# information. | |||
# | |||
############################################################################### | |||
<% if @whitelists -%> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could just default them to empty, then we would not need that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I’m not understand how it’s work. If whitelist not empty? Right now I am using the whitelist as a list of the protected perimeter networks. If the list is empty, then we do nothing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we make sure that the whitelist parameter must always be an array, then we do not need the wrap with the if that checks if whitelists is set.
If the array is empty, we won't set any whitelist anyways.
This can be achieved with Puppet Data types.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right! Reverted.
Thank you! There are a few things, that I will never merge, since I think they are wrong (some conceptually, some changing what the module is doing now.). But if you break things up, we could individually work on the contributions. |
Hi! |
I'm used you module on ubuntu 14.04/16.04/18.04/20.04. |
* fix compatibility with major version 4 * fix some puppet lint
blacklist
blacklist_defaults
tcrules
tcrules_defaults