From 9826e1bdd4021744d6a21a9080c35559a743cfcf Mon Sep 17 00:00:00 2001 From: Trevor Vaughan Date: Sun, 13 Feb 2022 17:31:39 -0500 Subject: [PATCH 1/2] Support Amazon Linux 2 Closes #22 --- .gitlab-ci.yml | 6 ++ CHANGELOG | 3 + REFERENCE.md | 99 ++++++++++++------- data/os/Amazon.yaml | 2 + metadata.json | 8 +- spec/acceptance/nodesets/amzn2.yml | 23 +++++ .../suites/default/00_default_spec.rb | 2 +- 7 files changed, 108 insertions(+), 35 deletions(-) create mode 100644 data/os/Amazon.yaml create mode 100644 spec/acceptance/nodesets/amzn2.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 00d9a52..f5f2e8b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -356,6 +356,12 @@ pup6.pe-fips: script: - 'BEAKER_fips=yes bundle exec rake beaker:suites[default,default]' +pup6.pe-amzn2: + <<: *pup_6_pe + <<: *acceptance_base + script: + - 'bundle exec rake beaker:suites[default,amzn2]' + pup6.pe-oel: <<: *pup_6_pe <<: *acceptance_base diff --git a/CHANGELOG b/CHANGELOG index e3c14fe..6037f01 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,6 @@ +* Sun Feb 13 2022 Trevor Vaughan - 0.3.1 +- Support Amazon Linux 2 + * Tue Dec 21 2021 Kendall Moore - 0.3.0 - Changed default backend to nftables for RHEL 8 diff --git a/REFERENCE.md b/REFERENCE.md index 3d75f2d..4d13593 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -20,16 +20,30 @@ ## Classes -### `simp_firewalld` +### `simp_firewalld` If you want to override any element not present in the `firewalld` class resource below then you should use Hiera directly on the `firewalld` class. #### Parameters -The following parameters are available in the `simp_firewalld` class. +The following parameters are available in the `simp_firewalld` class: -##### `enable` +* [`enable`](#enable) +* [`complete_reload`](#complete_reload) +* [`lockdown`](#lockdown) +* [`default_zone`](#default_zone) +* [`log_denied`](#log_denied) +* [`firewall_backend`](#firewall_backend) +* [`enable_tidy`](#enable_tidy) +* [`tidy_dirs`](#tidy_dirs) +* [`tidy_prefix`](#tidy_prefix) +* [`tidy_minutes`](#tidy_minutes) +* [`simp_zone_interfaces`](#simp_zone_interfaces) +* [`simp_zone_target`](#simp_zone_target) +* [`package_ensure`](#package_ensure) + +##### `enable` Data type: `Boolean` @@ -41,7 +55,7 @@ Activate the firewalld management capabilties. Default value: `in` -##### `complete_reload` +##### `complete_reload` Data type: `Boolean` @@ -53,7 +67,7 @@ dangerous and this class overrides and disables this capability by default. Default value: ``false`` -##### `lockdown` +##### `lockdown` Data type: `Boolean` @@ -65,7 +79,7 @@ applications. Default value: ``true`` -##### `default_zone` +##### `default_zone` Data type: `String[1]` @@ -80,7 +94,7 @@ only populate ``99_simp`` zone rules. Default value: `'99_simp'` -##### `log_denied` +##### `log_denied` Data type: `Enum['off', 'all','unicast','broadcast','multicast']` @@ -90,7 +104,7 @@ What types of logs to process for denied packets. Default value: `'unicast'` -##### `firewall_backend` +##### `firewall_backend` Data type: `Enum['iptables','nftables']` @@ -98,9 +112,7 @@ Allows you to set the backend that firewalld will use. * Currently set to 'iptables' due to bugs in nftables -Default value: `'iptables'` - -##### `enable_tidy` +##### `enable_tidy` Data type: `Boolean` 
@@ -108,7 +120,7 @@ Enable the ``Tidy`` resources that help keep the system clean from cruft Default value: ``true`` -##### `tidy_dirs` +##### `tidy_dirs` Data type: `Array[Stdlib::Absolutepath]` @@ -120,7 +132,7 @@ Default value: `[ '/etc/firewalld/services', ]` -##### `tidy_prefix` +##### `tidy_prefix` Data type: `String[1]` @@ -128,7 +140,7 @@ The name match to use for tidying files Default value: `'simp_'` -##### `tidy_minutes` +##### `tidy_minutes` Data type: `Integer[1]` @@ -137,7 +149,7 @@ purposes of tidying. Default value: `10` -##### `simp_zone_interfaces` +##### `simp_zone_interfaces` Data type: `Array[Optional[String[1]]]` @@ -145,7 +157,7 @@ The network interfaces to which the underlying 99_simp zone should apply Default value: `[]` -##### `simp_zone_target` +##### `simp_zone_target` Data type: `Enum['default', 'ACCEPT', 'REJECT', 'DROP']` @@ -153,7 +165,7 @@ The default target for the 99_simp zone Default value: `'DROP'` -##### `package_ensure` +##### `package_ensure` Data type: `String[1]` @@ -163,15 +175,24 @@ Default value: `simplib::lookup('simp_options::package_ensure', { 'default_value ## Defined types -### `simp_firewalld::rule` +### `simp_firewalld::rule` Add firewalld rules with various safety checks #### Parameters -The following parameters are available in the `simp_firewalld::rule` defined type. +The following parameters are available in the `simp_firewalld::rule` defined type: + +* [`trusted_nets`](#trusted_nets) +* [`protocol`](#protocol) +* [`dports`](#dports) +* [`icmp_blocks`](#icmp_blocks) +* [`order`](#order) +* [`apply_to`](#apply_to) +* [`prefix`](#prefix) +* [`zone`](#zone) -##### `trusted_nets` +##### `trusted_nets` Data type: `Simplib::Netlist` 
@@ -179,13 +200,13 @@ The networks/hosts to which the rule applies Default value: `simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })` -##### `protocol` +##### `protocol` Data type: `Enum['ah', 'esp', 'icmp', 'tcp', 'udp', 'all']` The network protocol to which the rule applies -##### `dports` +##### `dports` Data type: `Optional[Simp_firewalld::DestPort]` @@ -193,7 +214,7 @@ The ports to which the rule applies Default value: ``undef`` -##### `icmp_blocks` +##### `icmp_blocks` Data type: `Optional[Variant[Array[String],String]]` @@ -201,7 +222,7 @@ The ICMP Blocks to which the rule applies Default value: ``undef`` -##### `order` +##### `order` Data type: `Integer[0]` @@ -222,7 +243,7 @@ version of firewalld explicitly supports it. Default value: `11` -##### `apply_to` +##### `apply_to` Data type: `Simp_firewalld::ApplyTo` @@ -235,7 +256,7 @@ The address family to which to apply this rule Default value: `'auto'` -##### `prefix` +##### `prefix` Data type: `Optional[String[1]]` @@ -246,7 +267,7 @@ This will be prepended to all created components Default value: ``undef`` -##### `zone` +##### `zone` Data type: `Optional[String[1]]` 
@@ -258,21 +279,33 @@ Default value: ``undef`` ## Data types -### `Simp_firewalld::ApplyTo` +### `Simp_firewalld::ApplyTo` Valid families to which rules should apply -Alias of `Enum['ipv4', 'ipv6', 'all', 'auto']` +Alias of -### `Simp_firewalld::DestPort` +```puppet +Enum['ipv4', 'ipv6', 'all', 'auto'] +``` + +### `Simp_firewalld::DestPort` A ``firewalld::rule`` compatible port range or Array -Alias of `Variant[Simplib::Port, Simp_firewalld::PortRange, Array[Variant[Simplib::Port, Simp_firewalld::PortRange]]]` +Alias of + +```puppet +Variant[Simplib::Port, Simp_firewalld::PortRange, Array[Variant[Simplib::Port, Simp_firewalld::PortRange]]] +``` -### `Simp_firewalld::PortRange` +### `Simp_firewalld::PortRange` A firewalld-compatible Port Range -Alias of `Pattern['^([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5]):([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5])$']` +Alias of + +```puppet +Pattern['^([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5]):([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5])$'] +``` diff --git a/data/os/Amazon.yaml b/data/os/Amazon.yaml new file mode 100644 index 0000000..1622796 --- /dev/null +++ b/data/os/Amazon.yaml @@ -0,0 +1,2 @@ +--- +simp_firewalld::firewall_backend: 'iptables' diff --git a/metadata.json b/metadata.json index d14e399..5824af0 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-simp_firewalld", - "version": "0.3.0", + "version": "0.3.1", "author": "SIMP Team", "summary": "SIMP-oriented firewalld management", "license": "Apache-2.0", @@ -27,6 +27,12 @@ } ], "operatingsystem_support": [ + { + "operatingsystem": "Amazon", + "operatingsystemrelease": [ + "2" + ] + }, { "operatingsystem": "CentOS", "operatingsystemrelease": [ diff --git a/spec/acceptance/nodesets/amzn2.yml b/spec/acceptance/nodesets/amzn2.yml new file mode 100644 index 0000000..1368180 --- /dev/null +++ b/spec/acceptance/nodesets/amzn2.yml 
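Review bot: The new data/os/Amazon.yaml pins `simp_firewalld::firewall_backend` to 'iptables' with no explanation, and the REFERENCE.md hunk in the same patch drops the documented 'iptables' default for that parameter, so the rationale now lives only in OS data. A one-line comment above the key would keep it next to the value, e.g. `# Amazon Linux 2 is handled as an EL7-class platform (the amzn2 nodeset uses platform el-7-x86_64); keep the iptables backend here — presumably its firewalld has no usable nftables backend, confirm before changing.` This also assumes the module's hiera.yaml has an os-name layer that resolves the "Amazon" name declared in metadata.json to this file; hiera.yaml is not in the patch, so it is worth checking the key actually takes effect on an Amazon Linux 2 node.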
@@ -0,0 +1,23 @@ +<% + if ENV['BEAKER_HYPERVISOR'] + hypervisor = ENV['BEAKER_HYPERVISOR'] + else + hypervisor = 'vagrant' + end +-%> +HOSTS: + amzn2: + roles: + - default + platform: el-7-x86_64 + box: gbailey/amzn2 + hypervisor: <%= hypervisor %> + +CONFIG: + log_level: verbose + synced_folder : disabled + type: aio + vagrant_memsize: 512 +<% if ENV['BEAKER_PUPPET_COLLECTION'] -%> + puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %> +<% end -%> diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index e96e7e4..41fd036 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb @@ -6,7 +6,7 @@ describe "simp_firewalld on #{host}" do let(:default_manifest) { <<-EOS - include 'simp_firewalld' + class { 'simp_firewalld': enable => true } simp_firewalld::rule { 'allow_all_ssh': trusted_nets => ['all'], From fc1618de182d41bfdd73eb9bcd54ab735a53e0bb Mon Sep 17 00:00:00 2001 From: Trevor Vaughan Date: Sat, 26 Mar 2022 19:41:01 -0400 Subject: [PATCH 2/2] Work around upstream bug `puppet-firewalld` needs to have an autorequire on `firewalld_custom_service` if one is declared. Closes #25 --- manifests/rule.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/manifests/rule.pp b/manifests/rule.pp index 44b9c12..32f3869 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -281,7 +281,12 @@ service => $_rich_rule_svc, action => 'accept', zone => $_zone, - require => Service['firewalld'], + require => Service['firewalld'] + } + + # Work around bug in puppet-firewalld + if $_rich_rule_svc { + Firewalld_custom_service[$_rich_rule_svc] -> Firewalld_rich_rule[$_unique_name] } } }
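Review bot: The amzn2 nodeset pulls the community Vagrant box `gbailey/amzn2` with no version pin, so the `pup6.pe-amzn2` job will silently pick up whatever the box publisher uploads next; pinning to a known box version (or mirroring the box) would make the acceptance run reproducible and limit what an unvetted box update can change under the test. `platform: el-7-x86_64` also makes beaker treat the host as RHEL 7, which presumably works because Amazon Linux 2 is EL7-like, but any Amazon-specific repository or package-naming differences are masked by it, so a comment marking this as an intentional approximation would help. As a point of style, the six-line ERB preamble reduces to `<% hypervisor = ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') -%>` unless the other nodesets in spec/acceptance/nodesets already share the longer form.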
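Review bot: Replacing `include 'simp_firewalld'` with `class { 'simp_firewalld': enable => true }` hard-codes the enable switch, so the suite no longer exercises the lookup-driven default of `enable` that a plain `include` would use; if that was needed for the Amazon Linux 2 run to apply anything it is a reasonable trade, but the default path is now untested on every nodeset. A short example that declares the class with a bare `include` and asserts the expected outcome for the default value of `enable` would keep that contract covered. The `describe`/`let` block this heredoc belongs to starts and ends outside the hunk.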
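Review bot: The new ordering `Firewalld_custom_service[$_rich_rule_svc] -> Firewalld_rich_rule[$_unique_name]` is guarded only by `$_rich_rule_svc` being truthy, so if that variable can ever name a service this define did not itself declare as a `firewalld_custom_service` (the commit message says the autorequire is needed "if one is declared"), the reference points at a resource absent from the catalog and compilation fails. The guard should test the same condition under which the custom service is declared rather than the mere presence of a service name; `$_rich_rule_svc`, `$_unique_name` and that declaration are computed earlier in the define, outside this hunk, so this cannot be confirmed from here. The comment `# Work around bug in puppet-firewalld` should also name the bug and the exit condition, e.g. `# puppet-firewalld's firewalld_rich_rule does not autorequire its firewalld_custom_service (see #25); drop this once upstream adds the autorequire.`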