Puppet users - Dec 2012 - puppetlabs-firewall source array not working as expected

In puppetlabs-firewall it appears that you can provide an array of source 
ips as defined in types/firewall.rb (desc: An array of source 
addresses....).

However, when I pass in an array of source addresses, it only applies the 
first address to the ruleset.

eg:

  firewall { ''100 allow web'':
    dport => ''8080'',
    source => [''10.0.0.1'', ''10.0.0.2''],
    action => ''accept''
  }

If I were to apply that definition above, only the 10.0.0.1 rule would be 
applied.

Is this an error in my assumptions about what it means to accept an array 
of source addresses?  The example giving was source =>
''192.168.2.0/24'',
which is a CIDR block, not an array.  So, perhaps this is just strange 
wording in the code?

This feature would be a great one to have for our workflow.

Anyone have any ideas on work arounds?  How do others manage complex 
firewall rules in puppet without a giant node declaration.

Thanks.


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/FEhD6P5KsA4J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Dusty,

I actually had the same issue and brought this up with Ken Barber at 
PuppetConf.  I believe he and several others have looked into this briefly 
but nothing much has come from it.  There was a puppet bug report where 
another user had managed to have it take arrays without too much 
issue: http://projects.puppetlabs.com/issues/10116

Unfortunately in my brief testing there was another issue created (it was 
always trying to add/remove a rule if I recall, it''s been awhile.)

In the meantime a recommended workaround that works for some use cases is 
using a defined resource to accept the array and then create each firewall 
resource as a result.  

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/scsXLh0MKcMJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thanks for the reply.  I will take a look at that patch. 


I have been trying to accomplish this with defined resources, unfortunately 
my particular case isn''t working well for that.

Here is my attempt, perhaps anyone has some suggestions?

define myfirewall::accept($proto=''tcp'', $ports) {
  firewall { "100 $name":
    source => $name,
    proto => $proto,
    dport => $ports,
    action => ''accept''
  }
}

import ''myfirewall''

node ''mynode'' {
  include myfirewall
  $web_servers = [''10.0.0.1'',''10.0.0.2'']
  $db_servers  = [''10.0.0.3'']

  myfirewall::accept { $web_servers: 
    ports  => [''80'',''443''],
  }
  myfirewall::accept { $db_servers:
    proto => ''tcp'',
    ports => ''3306''
  }
}

That works great.  It allows me to accept certain ports from certain groups 
of hosts.  You can see the value in this, as I could create node groups and 
automatically allow certain ports to certain sources.  For example, allow 
every machines access to ssh, allow all my app servers and all my db 
servers to my db port.  Allow all my app servers to some API port, etc...

But, now  say I want to a one-off rule on one of those particular hosts 
that is already defined, so I add another rule.

  myfirewall::accept { ''10.0.0.1'':
    ports => ''8888''
  }

Error: Duplicate declaration: Myfirewall::Accept[10.0.0.1] is already 
declared in file /etc/puppet/manifests/nodes.pp at line 10; cannot 
redeclare on node mynode

It will error out here as having a duplicate.  I''m trying to figure out
how
I can re-write this to make it work, but it appears the puppet dsl only 
acts on arrays when they are the name variable and then calls the resource 
once for each item in the array, passing that as the name.

So, I suppose right now I need to make my groups better, so they include 
all the one-offs and make sure there are no duplicates.  Or, I could just 
define the one-offs one at a time in each node file.

I appreciate any suggestions.




On Monday, December 3, 2012 4:43:39 PM UTC-5, Terry Z.
wrote:
>
> Dusty,
>
> I actually had the same issue and brought this up with Ken Barber at 
> PuppetConf.  I believe he and several others have looked into this briefly 
> but nothing much has come from it.  There was a puppet bug report where 
> another user had managed to have it take arrays without too much issue: 
> http://projects.puppetlabs.com/issues/10116
>
> Unfortunately in my brief testing there was another issue created (it was 
> always trying to add/remove a rule if I recall, it''s been awhile.)
>
> In the meantime a recommended workaround that works for some use cases is 
> using a defined resource to accept the array and then create each firewall 
> resource as a result.  
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/794eo8u39SEJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

I believe you have stumbled into the same issue I ran into when attempting 
to workaround this with defined resources and unfortunately I had to 
continue using the legacy bobsh-iptables module as a result (which has its 
own inherent issues but at least properly accepts an array in source.)

It is rather disheartening to see the puppet-firewall module stuck with 
these limitations, but I do understand the difficulty in making this work 
as we expect so it''s a trade off.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/yD0KGhayF14J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Monday, December 3, 2012 5:25:58 PM UTC-6, Dusty Doris
wrote:
>
> [...]  I''m trying to figure out how I can re-write this to make it
work,
> but it appears the puppet dsl only acts on arrays when they are the name 
> variable and then calls the resource once for each item in the array, 
> passing that as the name.
>

Yes, that is precisely what Puppet does with arrays given as resource 
titles, and that behavior is triggered *only* by titles.

 
>
> So, I suppose right now I need to make my groups better, so they include 
> all the one-offs and make sure there are no duplicates.  Or, I could just 
> define the one-offs one at a time in each node file.
>
> I appreciate any suggestions.
>
>
One way to look at your issue is that your site-specific data is too 
commingled with your code.  That''s why you have one-offs in the first 
place.  Pull the data together into a class variable somewhere, or even 
externalize it into an Hiera data store.  Drive your firewall declarations 
with your data instead of pulling the data along behind.

More specifically, you can use Puppet hashes or Hiera lookups to 
dynamically adapt your declarations to specific cases (e.g. to choose 
parameter values), or you can use the built-in create_resources() function 
to declare whole resources based on your data.  You already know about 
arrays as resource titles and combining that with defined types; those fit 
into the picture, too.


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/f_CrWCkUOYEJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Tuesday, December 4, 2012 10:02:42 AM UTC-5, jcbollinger wrote:
>
>
> On Monday, December 3, 2012 5:25:58 PM UTC-6, Dusty Doris wrote:
>>
>> [...]  I''m trying to figure out how I can re-write this to
make it work,
>> but it appears the puppet dsl only acts on arrays when they are the
name
>> variable and then calls the resource once for each item in the array, 
>> passing that as the name.
>>
>
>
> Yes, that is precisely what Puppet does with arrays given as resource 
> titles, and that behavior is triggered *only* by titles.
>
>  
>
>>
>> So, I suppose right now I need to make my groups better, so they
include
>> all the one-offs and make sure there are no duplicates.  Or, I could
just
>> define the one-offs one at a time in each node file.
>>
>> I appreciate any suggestions.
>>
>>
>
> One way to look at your issue is that your site-specific data is too 
> commingled with your code.  That''s why you have one-offs in the
first
> place.  Pull the data together into a class variable somewhere, or even 
> externalize it into an Hiera data store.  Drive your firewall declarations 
> with your data instead of pulling the data along behind.
>
> More specifically, you can use Puppet hashes or Hiera lookups to 
> dynamically adapt your declarations to specific cases (e.g. to choose 
> parameter values), or you can use the built-in create_resources() function 
> to declare whole resources based on your data.  You already know about 
> arrays as resource titles and combining that with defined types; those fit 
> into the picture, too.
>
>
> John
>
Thanks John.  That sounds like some fantastic advice. 

I''m brand new to puppet and still trying to wrap my mind around it. 
I''d
love any resources if you have any recommendations (eg: any good books?)



-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/jvAAEVjV2kQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 12/04/2012 03:56 PM, Terry Z. wrote:
> I believe you have stumbled into the same issue I ran into when
> attempting to workaround this with defined resources and unfortunately I
> had to continue using the legacy bobsh-iptables module as a result
> (which has its own inherent issues but at least properly accepts an
> array in source.)
>
> It is rather disheartening to see the puppet-firewall module stuck with
> these limitations, but I do understand the difficulty in making this
> work as we expect so it''s a trade off.
It''s really not that hard to code array support to custom provider, has
anyone tried it? Maybe if community can fix it, puppetlabs would accept 
pull request?


-- 
Jakov Sosic
www.srce.unizg.hr

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.