Dusty Doris
2012-Dec-01 18:57 UTC
[Puppet Users] puppetlabs-firewall source array not working as expected
In puppetlabs-firewall it appears that you can provide an array of source ips as defined in types/firewall.rb (desc: An array of source addresses....). However, when I pass in an array of source addresses, it only applies the first address to the ruleset. eg: firewall { ''100 allow web'': dport => ''8080'', source => [''10.0.0.1'', ''10.0.0.2''], action => ''accept'' } If I were to apply that definition above, only the 10.0.0.1 rule would be applied. Is this an error in my assumptions about what it means to accept an array of source addresses? The example giving was source => ''192.168.2.0/24'', which is a CIDR block, not an array. So, perhaps this is just strange wording in the code? This feature would be a great one to have for our workflow. Anyone have any ideas on work arounds? How do others manage complex firewall rules in puppet without a giant node declaration. Thanks. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/FEhD6P5KsA4J. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Bezerker
2012-Dec-03 21:43 UTC
[Puppet Users] Re: puppetlabs-firewall source array not working as expected
Dusty, I actually had the same issue and brought this up with Ken Barber at PuppetConf. I believe he and several others have looked into this briefly but nothing much has come from it. There was a puppet bug report where another user had managed to have it take arrays without too much issue: http://projects.puppetlabs.com/issues/10116 Unfortunately in my brief testing there was another issue created (it was always trying to add/remove a rule if I recall, it''s been awhile.) In the meantime a recommended workaround that works for some use cases is using a defined resource to accept the array and then create each firewall resource as a result. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/scsXLh0MKcMJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Dusty Doris
2012-Dec-03 23:25 UTC
[Puppet Users] Re: puppetlabs-firewall source array not working as expected
Thanks for the reply. I will take a look at that patch. I have been trying to accomplish this with defined resources, unfortunately my particular case isn''t working well for that. Here is my attempt, perhaps anyone has some suggestions? define myfirewall::accept($proto=''tcp'', $ports) { firewall { "100 $name": source => $name, proto => $proto, dport => $ports, action => ''accept'' } } import ''myfirewall'' node ''mynode'' { include myfirewall $web_servers = [''10.0.0.1'',''10.0.0.2''] $db_servers = [''10.0.0.3''] myfirewall::accept { $web_servers: ports => [''80'',''443''], } myfirewall::accept { $db_servers: proto => ''tcp'', ports => ''3306'' } } That works great. It allows me to accept certain ports from certain groups of hosts. You can see the value in this, as I could create node groups and automatically allow certain ports to certain sources. For example, allow every machines access to ssh, allow all my app servers and all my db servers to my db port. Allow all my app servers to some API port, etc... But, now say I want to a one-off rule on one of those particular hosts that is already defined, so I add another rule. myfirewall::accept { ''10.0.0.1'': ports => ''8888'' } Error: Duplicate declaration: Myfirewall::Accept[10.0.0.1] is already declared in file /etc/puppet/manifests/nodes.pp at line 10; cannot redeclare on node mynode It will error out here as having a duplicate. I''m trying to figure out how I can re-write this to make it work, but it appears the puppet dsl only acts on arrays when they are the name variable and then calls the resource once for each item in the array, passing that as the name. So, I suppose right now I need to make my groups better, so they include all the one-offs and make sure there are no duplicates. Or, I could just define the one-offs one at a time in each node file. I appreciate any suggestions. On Monday, December 3, 2012 4:43:39 PM UTC-5, Terry Z. wrote:> > Dusty, > > I actually had the same issue and brought this up with Ken Barber at > PuppetConf. I believe he and several others have looked into this briefly > but nothing much has come from it. There was a puppet bug report where > another user had managed to have it take arrays without too much issue: > http://projects.puppetlabs.com/issues/10116 > > Unfortunately in my brief testing there was another issue created (it was > always trying to add/remove a rule if I recall, it''s been awhile.) > > In the meantime a recommended workaround that works for some use cases is > using a defined resource to accept the array and then create each firewall > resource as a result. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/794eo8u39SEJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Terry Z.
2012-Dec-04 14:56 UTC
[Puppet Users] Re: puppetlabs-firewall source array not working as expected
I believe you have stumbled into the same issue I ran into when attempting to workaround this with defined resources and unfortunately I had to continue using the legacy bobsh-iptables module as a result (which has its own inherent issues but at least properly accepts an array in source.) It is rather disheartening to see the puppet-firewall module stuck with these limitations, but I do understand the difficulty in making this work as we expect so it''s a trade off. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/yD0KGhayF14J. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
jcbollinger
2012-Dec-04 15:02 UTC
[Puppet Users] Re: puppetlabs-firewall source array not working as expected
On Monday, December 3, 2012 5:25:58 PM UTC-6, Dusty Doris wrote:> > [...] I''m trying to figure out how I can re-write this to make it work, > but it appears the puppet dsl only acts on arrays when they are the name > variable and then calls the resource once for each item in the array, > passing that as the name. >Yes, that is precisely what Puppet does with arrays given as resource titles, and that behavior is triggered *only* by titles.> > So, I suppose right now I need to make my groups better, so they include > all the one-offs and make sure there are no duplicates. Or, I could just > define the one-offs one at a time in each node file. > > I appreciate any suggestions. > >One way to look at your issue is that your site-specific data is too commingled with your code. That''s why you have one-offs in the first place. Pull the data together into a class variable somewhere, or even externalize it into an Hiera data store. Drive your firewall declarations with your data instead of pulling the data along behind. More specifically, you can use Puppet hashes or Hiera lookups to dynamically adapt your declarations to specific cases (e.g. to choose parameter values), or you can use the built-in create_resources() function to declare whole resources based on your data. You already know about arrays as resource titles and combining that with defined types; those fit into the picture, too. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/f_CrWCkUOYEJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Dusty Doris
2012-Dec-04 16:50 UTC
[Puppet Users] Re: puppetlabs-firewall source array not working as expected
On Tuesday, December 4, 2012 10:02:42 AM UTC-5, jcbollinger wrote:> > > On Monday, December 3, 2012 5:25:58 PM UTC-6, Dusty Doris wrote: >> >> [...] I''m trying to figure out how I can re-write this to make it work, >> but it appears the puppet dsl only acts on arrays when they are the name >> variable and then calls the resource once for each item in the array, >> passing that as the name. >> > > > Yes, that is precisely what Puppet does with arrays given as resource > titles, and that behavior is triggered *only* by titles. > > > >> >> So, I suppose right now I need to make my groups better, so they include >> all the one-offs and make sure there are no duplicates. Or, I could just >> define the one-offs one at a time in each node file. >> >> I appreciate any suggestions. >> >> > > One way to look at your issue is that your site-specific data is too > commingled with your code. That''s why you have one-offs in the first > place. Pull the data together into a class variable somewhere, or even > externalize it into an Hiera data store. Drive your firewall declarations > with your data instead of pulling the data along behind. > > More specifically, you can use Puppet hashes or Hiera lookups to > dynamically adapt your declarations to specific cases (e.g. to choose > parameter values), or you can use the built-in create_resources() function > to declare whole resources based on your data. You already know about > arrays as resource titles and combining that with defined types; those fit > into the picture, too. > > > John >Thanks John. That sounds like some fantastic advice. I''m brand new to puppet and still trying to wrap my mind around it. I''d love any resources if you have any recommendations (eg: any good books?) -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/jvAAEVjV2kQJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jakov Sosic
2012-Dec-16 00:35 UTC
Re: [Puppet Users] Re: puppetlabs-firewall source array not working as expected
On 12/04/2012 03:56 PM, Terry Z. wrote:> I believe you have stumbled into the same issue I ran into when > attempting to workaround this with defined resources and unfortunately I > had to continue using the legacy bobsh-iptables module as a result > (which has its own inherent issues but at least properly accepts an > array in source.) > > It is rather disheartening to see the puppet-firewall module stuck with > these limitations, but I do understand the difficulty in making this > work as we expect so it''s a trade off.It''s really not that hard to code array support to custom provider, has anyone tried it? Maybe if community can fix it, puppetlabs would accept pull request? -- Jakov Sosic www.srce.unizg.hr -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.