I'm also having trouble migrating from nodes.pp to an enc. I'm sure there's
documentation out there, but either I can't find it, or I can't properly
wrap my head around it. If someone responds with a basic "here's how to
migrate nodes.pp data into Foreman with some examples", that'd be really
cool.
Regarding your second issue with the puppetlabs-firewall module, you'll
need to put the puppetlabs-firewall module in your "modules" directory,
then specify firewall types in either an existing class or its own
firewall class. Here's an example where I put it in its own class:
--------------------------------------------------------------------
# = Class: my_fw
#
# This lays out the "base" firewall rules that are applied to a client
#
# == Parameters:
#
# None
#
# == Actions:
#
# Applies firewall rules, and does so in numerical order based on the
# comment name. So a rule that starts with 001 will apply before 002.
# To see all the possible settings, look in the puppetlabs-firewall module
# files under
# /etc/puppet//lib/puppet/provider/{firewall,firewallchain}/*.rb
#
# Note any other specific classes can be called (rules for Web server, ssh
# server, etc), but as it currently sits, this class must be called as it
# calls other necessary functions other than just firewall rules (e.g. makes
# tables persistent, does cleanup, etc).
#
# If any additional rules will be added to this class, they all need to
# start between 000 and 010.
# For logging rules, anything from 900-999
#
# == Requires:
#
# puppetlabs-firewall module
# https://github.com/puppetlabs/puppetlabs-firewall
#
# post and pre classes, even though they are not currently used.
# Should be fixed at some point.
#
# == Sample Usage:
#
# See code for examples
#
class my_fw {
  include my_fw::pre
  include my_fw::post

  # Default policy is drop for both chains; everything below is an exception.
  firewallchain { 'INPUT:filter:IPv4':
    policy => 'drop',
  }
  firewallchain { 'FORWARD:filter:IPv4':
    policy => 'drop',
  }
  firewall { '002 Set loopback to accept':
    chain   => 'INPUT',
    iniface => 'lo',
    action  => accept,
    proto   => 'all',
  }
  firewall { '003 Allow established traffic through':
    chain  => 'INPUT',
    state  => ['ESTABLISHED', 'RELATED'],
    action => accept,
    proto  => 'all',
  }
  firewall { '005 allow puppetmaster to connect':
    #chain => 'SERVICES',
    action => 'accept',
    proto  => 'tcp',
    dport  => '8139',
  }
  firewall { '006 Drop broadcasts and such':
    action      => 'drop',
    destination => '224.0.0.1/32',
    proto       => 'all',
  }
  firewall { '900 log what we are about to drop':
    jump       => 'LOG',
    log_level  => '6',
    log_prefix => '[IPTABLES] dropped ',
    proto      => 'all',
  }

  # Save the running rule set whenever a managed rule or chain changes, so
  # the rules survive a reboot.
  exec { 'persist-firewall':
    command     => $operatingsystem ? {
      "debian"          => '/sbin/iptables-save > /etc/iptables/rules.v4',
      /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
    },
    refreshonly => true,
    require     => File['etc_iptables'],
  }
  file { 'etc_iptables':
    path   => '/etc/iptables',
    ensure => directory,
  }

  # Resource defaults: every firewall rule triggers the save and is ordered
  # between the pre and post classes.
  Firewall {
    notify  => Exec['persist-firewall'],
    before  => Class['my_fw::post'],
    require => Class['my_fw::pre'],
  }
  Firewallchain {
    notify => Exec['persist-firewall'],
  }

  # Purge unmanaged firewall resources
  #
  # This will clear any existing rules, and make sure that only rules
  # defined in puppet exist on the machine
  resources { "firewall":
    purge => true,
  }
}
or if you wanted, you could add rules to an existing class. I added the
following into my ssh::server::config class:
class ssh::server::config {
  #
  # "other ssh config stuff goes here"
  #
  firewall { '011 allow ssh to connect':
    #chain => 'SERVICES',
    action => 'accept',
    proto  => 'tcp',
    dport  => '22',
    source => '129.79.214.128/26',
  }
  firewall { '012 allow ssh to connect':
    #chain => 'SERVICES',
    action => 'accept',
    proto  => 'tcp',
    dport  => '22',
    source => '129.79.49.27',
  }
  firewall { '013 allow ssh to connect':
    #chain => 'SERVICES',
    action => 'accept',
    proto  => 'tcp',
    dport  => '22',
    source => '129.79.49.45/30',
  }
}
Either way, when using the firewall module in the above fashion, you just
make sure you add the classes to your host in foreman, and the client will
get the rules…no additional parameters need to be added via Foreman. Also
note that in order to use the firewallchain types, use the module from
github, as the v0.4 from puppetforge doesn’t yet have that feature.
P.S. If anyone wants to critique my code for the better, please do.
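The reply above keeps the firewall rules inside classes so that Foreman only has to assign classes to a host; the open question in the thread is how the rest of a nodes.pp node definition (the class list plus per-node variables) turns into ENC output. The following is an added example and not code from either post in this thread: a minimal external node classifier in Ruby that returns the same shape of classification Foreman does, with a small node table standing in for nodes.pp. The hostnames, the 192.0.2.0/26 network, the ssh_allowed_sources parameter name and the node table are all constructed for illustration.

```ruby
#!/usr/bin/env ruby
# Minimal external node classifier (ENC) that expresses, in ENC form, the
# classification a nodes.pp node definition used to carry. Added example,
# not code from the mailing list thread. Hostnames, networks, the node
# table and the ssh_allowed_sources parameter name are constructed.
#
# ENC contract (puppet.conf: node_terminus = exec, external_nodes = <path>):
# the master runs the script with the node's certname as its only argument
# and reads YAML with a "classes" key and optional "parameters" and
# "environment" keys from stdout. Entries under "parameters" become
# top-scope variables on the node.
require 'yaml'

# Base classification every host receives: the deny-by-default firewall
# class from the post and an empty ssh source list. Unknown hosts fall back
# to this rather than to a permissive rule set.
BASE = {
  'classes'    => { 'my_fw' => nil },
  'parameters' => { 'ssh_allowed_sources' => [] },
}.freeze

# What used to live in nodes.pp, expressed as data (constructed sample).
# "node 'puppettest...' inherits adnode { ... }" becomes an entry whose
# classes and parameters are layered on top of BASE.
NODES = {
  'puppettest.example.test' => {
    'classes'    => { 'ssh::server::config' => nil,
                      'mcollective::client' => nil },
    'parameters' => {
      'sshd_allowed_users'  => ['testuser', 'testuser2'],
      'ssh_allowed_sources' => ['192.0.2.0/26'],
    },
  },
}.freeze

# Deep merge: nested hashes merge recursively, arrays are concatenated
# without duplicates, and a scalar in +extra+ overrides the one in +base+.
def merge_classification(base, extra)
  base.merge(extra) do |_key, old, new|
    if old.is_a?(Hash) && new.is_a?(Hash)
      merge_classification(old, new)
    elsif old.is_a?(Array) && new.is_a?(Array)
      (old + new).uniq
    else
      new
    end
  end
end

# Returns the ENC hash for +certname+. Matching is exact (case-insensitive)
# on the whole certname, so one host cannot inherit another host's ssh
# exceptions through a substring or wildcard match.
def classify(certname)
  key = NODES.keys.find { |n| n.casecmp?(certname) }
  key ? merge_classification(BASE, NODES[key]) : BASE
end

# Renders the classification as the YAML document the master expects.
def enc_yaml(certname)
  classify(certname).to_yaml
end

# Command-line entry point: enc.rb <certname>
puts enc_yaml(ARGV[0]) if $PROGRAM_NAME == __FILE__ && ARGV[0]
```

With the script made executable and named in puppet.conf, `puppet master --compile puppettest.example.test` shows the resulting catalog, and a class can read the per-node values as `$::sshd_allowed_users` and `$::ssh_allowed_sources` without any Foreman-specific passing mechanism. The fallback for an unknown certname is deliberate: with a drop-policy firewall, a host the ENC cannot place still gets the base class and no ssh exceptions, rather than failing open.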
On Tuesday, February 7, 2012 3:20:09 PM UTC-5, Christian McHugh wrote:
Hi all,
I’ve recently started testing out foreman. It looks great and really
unifies bunches of disparate bits.
But I am running into troubles attempting to use it as an ENC. I’ve
got a node definition of:
node 'puppettest.cas.unt.edu' inherits adnode {
  $sshd_allowed_users = ["testuser testuser2"]
  include ssh-cas
  include mcollective::client
  sudo::conf { 'test':
    content => "testuser ALL=(ALL) ALL",
  }
  firewall { "500 allow apache":
    port   => "80",
    action => "accept",
  }
}
So this node inherits another definition. I suppose the foreman
equivalent is hostgroups, great.
I can also add the mcollective::client class to the host in foreman,
no problem.
My issues are the other bits. I’ve tried setting "sshd_allowed_users"
and “$sshd_allowed_users” as smart variables and as host parameters,
and while I can see them in the yaml output, puppet does not seem to
act on them. I also do not know how I would define the sudo parameter.
Must my modules be rewritten to handle a foreman specific method of
parameter/variable passing?
Additionally, the firewall module (from puppetlabs:
http://forge.puppetlabs.com/puppetlabs/firewall ) is not a standard
class, so I have no idea how I might put that into a foreman host
definition. Any thoughts?