diff options
-rw-r--r-- | .fixtures.yml | 6 | ||||
-rw-r--r-- | lib/puppet/parser/functions/write_package_names.rb | 22 | ||||
-rw-r--r-- | manifests/firewall/post.pp | 51 | ||||
-rw-r--r-- | manifests/firewall/pre.pp | 57 | ||||
-rw-r--r-- | manifests/firewall/rule.pp | 80 | ||||
-rw-r--r-- | manifests/init.pp | 70 | ||||
-rw-r--r-- | manifests/noop.pp | 68 | ||||
-rw-r--r-- | manifests/packages.pp | 54 | ||||
-rw-r--r-- | spec/classes/tripleo_init_spec.rb | 114 |
9 files changed, 521 insertions, 1 deletions
diff --git a/.fixtures.yml b/.fixtures.yml new file mode 100644 index 0000000..e3ab8f9 --- /dev/null +++ b/.fixtures.yml @@ -0,0 +1,6 @@ +fixtures: + repositories: + 'firewall': 'git://github.com/puppetlabs/puppetlabs-firewall.git' + 'stdlib': 'git://github.com/puppetlabs/puppetlabs-stdlib.git' + symlinks: + "tripleo": "#{source_dir}" diff --git a/lib/puppet/parser/functions/write_package_names.rb b/lib/puppet/parser/functions/write_package_names.rb new file mode 100644 index 0000000..8f99674 --- /dev/null +++ b/lib/puppet/parser/functions/write_package_names.rb @@ -0,0 +1,22 @@ +require 'fileutils' + +module Puppet::Parser::Functions + newfunction(:write_package_names, :doc => "Write package names which are managed via this puppet run to a file.") do |arg| + if arg[0].class == String + begin + output_file = arg[0] + packages = catalog.resources.collect { |r| r.title if r.type == 'Package' }.compact + FileUtils.mkdir_p(File.dirname(output_file)) + File.open(output_file, 'w') do |f| + packages.each do |pkg_name| + f.write(pkg_name + "\n") + end + end + rescue JSON::ParserError + raise Puppet::ParseError, "Syntax error: #{arg[0]} is invalid" + end + else + raise Puppet::ParseError, "Syntax error: #{arg[0]} is not a String" + end + end +end diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp new file mode 100644 index 0000000..b76db75 --- /dev/null +++ b/manifests/firewall/post.pp @@ -0,0 +1,51 @@ +# +# Copyright (C) 2015 eNovance SAS <licensing@enovance.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::firewall::post +# +# Firewall rules during 'post' Puppet stage +# +# === Parameters: +# +# [*debug*] +# (optional) Set log output to debug output +# Defaults to false +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# +class tripleo::firewall::post( + $debug = false, + $firewall_settings = {}, +){ + + if $debug { + warning('debug is enabled, the traffic is not blocked.') + } else { + firewall { '998 log all': + proto => 'all', + jump => 'LOG', + } + tripleo::firewall::rule{ '999 drop all': + proto => 'all', + action => 'drop', + extras => $firewall_settings, + } + notice('At this stage, all network traffic is blocked.') + } + +} diff --git a/manifests/firewall/pre.pp b/manifests/firewall/pre.pp new file mode 100644 index 0000000..2d7203a --- /dev/null +++ b/manifests/firewall/pre.pp @@ -0,0 +1,57 @@ +# +# Copyright (C) 2015 eNovance SAS <licensing@enovance.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::firewall::pre +# +# Firewall rules during 'pre' Puppet stage +# +# === Parameters: +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# +class tripleo::firewall::pre( + $firewall_settings = {}, +){ + + # ensure the correct packages are installed + include ::firewall + + # defaults 'pre' rules + tripleo::firewall::rule{ '000 accept related established rules': + proto => 'all', + state => ['RELATED', 'ESTABLISHED'], + extras => $firewall_settings, + } + + tripleo::firewall::rule{ '001 accept all icmp': + proto => 'icmp', + extras => $firewall_settings, + } + + tripleo::firewall::rule{ '002 accept all to lo interface': + proto => 'all', + iniface => 'lo', + extras => $firewall_settings, + } + + tripleo::firewall::rule{ '003 accept ssh': + port => '22', + extras => $firewall_settings, + } + +} diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp new file mode 100644 index 0000000..02afbc2 --- /dev/null +++ b/manifests/firewall/rule.pp @@ -0,0 +1,80 @@ +# +# Copyright (C) 2015 eNovance SAS <licensing@enovance.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Define: tripleo::firewall::rule +# +# Define used to manage IPtables rules. +# +# === Parameters: +# +# [*port*] +# (optional) The port associated to the rule. +# Defaults to undef +# +# [*proto*] +# (optional) The protocol associated to the rule. +# Defaults to 'tcp' +# +# [*action*] +# (optional) The action policy associated to the rule. +# Defaults to 'accept' +# +# [*state*] +# (optional) Array of states associated to the rule.. +# Defaults to ['NEW'] +# +# [*source*] +# (optional) The source IP address associated to the rule. +# Defaults to '0.0.0.0/0' +# +# [*iniface*] +# (optional) The network interface associated to the rule. +# Defaults to undef +# +# [*chain*] +# (optional) The chain associated to the rule. +# Defaults to 'INPUT' +# +# [*extras*] +# (optional) Hash of any puppetlabs-firewall supported parameters. +# Defaults to {} +# +define tripleo::firewall::rule ( + $port = undef, + $proto = 'tcp', + $action = 'accept', + $state = ['NEW'], + $source = '0.0.0.0/0', + $iniface = undef, + $chain = 'INPUT', + $extras = {}, +) { + + $basic = { + 'port' => $port, + 'proto' => $proto, + 'action' => $action, + 'state' => $state, + 'source' => $source, + 'iniface' => $iniface, + 'chain' => $chain, + } + + $rule = merge($basic, $extras) + validate_hash($rule) + + create_resources('firewall', { "${title}" => $rule }) + +} diff --git a/manifests/init.pp b/manifests/init.pp index 9f6d775..cdaf95a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,7 +17,75 @@ # # Installs the system requirements # +# === Parameters: +# +# [*manage_firewall*] +# (optional) Completely enable or disable firewall settings +# (false means disabled, and true means enabled) +# Defaults to false +# +# [*firewall_rules*] +# (optional) Allow to add custom firewall rules +# Should be an hash. +# Default to {} +# +# [*purge_firewall_rules*] +# (optional) Boolean, purge all firewall resources +# Defaults to false +# +# [*firewall_pre_extras*] +# (optional) Allow to add custom parameters to firewall rules (pre stage) +# Should be an hash. +# Default to {} +# +# [*firewall_post_extras*] +# (optional) Allow to add custom parameters to firewall rules (post stage) +# Should be an hash. +# Default to {} +# +class tripleo( + $manage_firewall = false, + $firewall_rules = {}, + $purge_firewall_rules = false, + $firewall_pre_extras = {}, + $firewall_post_extras = {}, +) { + + include ::stdlib + + if $manage_firewall { + + # Only purges IPv4 rules + if $purge_firewall_rules { + resources { 'firewall': + purge => true + } + } + + # anyone can add your own rules + # example with Hiera: + # + # tripleo::firewall::rules: + # '300 allow custom application 1': + # port: 999 + # proto: udp + # action: accept + # '301 allow custom application 2': + # port: 8081 + # proto: tcp + # action: accept + # + create_resources('tripleo::firewall::rule', $firewall_rules) + + ensure_resource('class', 'tripleo::firewall::pre', { + 'firewall_settings' => $firewall_pre_extras, + 'stage' => 'setup', + }) -class tripleo{ + ensure_resource('class', 'tripleo::firewall::post', { + 'stage' => 'runtime', + 'firewall_settings' => $firewall_post_extras, + }) + } } diff --git a/manifests/noop.pp b/manifests/noop.pp new file mode 100644 index 0000000..53da9b9 --- /dev/null +++ b/manifests/noop.pp @@ -0,0 +1,68 @@ +# Copyright 2015 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::noop +# +# Enable noop mode for various Puppet resource types via collectors. +# +# === Parameters: +# [*package*] +# Whether Package resources should be noop. +# Defaults to true +# +# [*file*] +# Whether File resources should be noop. +# Defaults to true +# +# [*service*] +# Whether Service resources should be noop. +# Defaults to true +# +# [*exec*] +# Whether Exec resources should be noop. +# Defaults to true +# +# [*user*] +# Whether User resources should be noop. +# Defaults to true +# +# [*group*] +# Whether Group resources should be noop. +# Defaults to true +# +# [*cron*] +# Whether Cron resources should be noop. +# Defaults to true +# +# +class tripleo::noop ( + $package = true, + $file = true, + $service = true, + $exec = true, + $user = true, + $group = true, + $cron = true, +) { + + Package <| |> { noop => $package} + File <| |> { noop => $file} + Service <| |> { noop => $service} + Exec <| |> { noop => $exec} + User <| |> { noop => $user} + Group <| |> { noop => $group} + Cron <| |> { noop => $cron} + +} diff --git a/manifests/packages.pp b/manifests/packages.pp new file mode 100644 index 0000000..6a5813a --- /dev/null +++ b/manifests/packages.pp @@ -0,0 +1,54 @@ +# Copyright 2015 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::packages +# +# Configure package installation/upgrade defaults. +# +# === Parameters: +# +# [*enable_install*] +# Whether to enable package installation via Puppet. +# Defaults to false +# +# [*enable_upgrade*] +# Upgrades all puppet managed packages to latest. +# Defaults to false +# +class tripleo::packages ( + $enable_install = false, + $enable_upgrade = false, +) { + + if !$enable_install { + case $::osfamily { + 'RedHat': { + Package <| |> { provider => 'norpm' } + } + default: { + warning('enable_install option not supported for this distro.') + } + } + } + + if $enable_upgrade { + if !$enable_install { + fail('Package upgrades require that enable_install be set to true') + } + Package <| |> { ensure => 'latest' } + } + +} + diff --git a/spec/classes/tripleo_init_spec.rb b/spec/classes/tripleo_init_spec.rb new file mode 100644 index 0000000..9f01857 --- /dev/null +++ b/spec/classes/tripleo_init_spec.rb @@ -0,0 +1,114 @@ +# +# Copyright (C) 2015 eNovance SAS <licensing@enovance.com> +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for tripleo +# + +require 'spec_helper' + +describe 'tripleo' do + + let :params do + { } + end + + shared_examples_for 'tripleo node' do + + context 'with firewall enabled' do + before :each do + params.merge!( + :manage_firewall => true, + ) + end + + it 'configure basic pre firewall rules' do + is_expected.to contain_firewall('000 accept related established rules').with( + :proto => 'all', + :state => ['RELATED', 'ESTABLISHED'], + :action => 'accept', + ) + is_expected.to contain_firewall('001 accept all icmp').with( + :proto => 'icmp', + :action => 'accept', + :state => ['NEW'], + ) + is_expected.to contain_firewall('002 accept all to lo interface').with( + :proto => 'all', + :iniface => 'lo', + :action => 'accept', + :state => ['NEW'], + ) + is_expected.to contain_firewall('003 accept ssh').with( + :port => '22', + :proto => 'tcp', + :action => 'accept', + :state => ['NEW'], + ) + end + + it 'configure basic post firewall rules' do + is_expected.to contain_firewall('999 drop all').with( + :proto => 'all', + :action => 'drop', + :source => '0.0.0.0/0', + ) + end + end + + context 'with custom firewall rules' do + before :each do + params.merge!( + :manage_firewall => true, + :firewall_rules => { + '300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'}, + '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'} + } + ) + end + it 'configure custom firewall rules' do + is_expected.to contain_firewall('300 add custom application 1').with( + :port => '999', + :proto => 'udp', + :action => 'accept', + :state => ['NEW'], + ) + is_expected.to contain_firewall('301 add custom application 2').with( + :port => '8081', + :proto => 'tcp', + :action => 'accept', + :state => ['NEW'], + ) + end + end + + end + + context 'on Debian platforms' do + let :facts do + { :osfamily => 'Debian' } + end + + it_configures 'tripleo node' + end + + context 'on RedHat platforms' do + let :facts do + { :osfamily => 'RedHat' } + end + + it_configures 'tripleo node' + end + +end |