FAQ
In puppetlabs-firewall it appears that you can provide an array of source
ips as defined in types/firewall.rb (desc: An array of source
addresses....).

However, when I pass in an array of source addresses, it only applies the
first address to the ruleset.

eg:

firewall { '100 allow web':
dport => '8080',
source => ['10.0.0.1', '10.0.0.2'],
action => 'accept'
}

If I were to apply that definition above, only the 10.0.0.1 rule would be
applied.

Is this an error in my assumptions about what it means to accept an array
of source addresses? The example giving was source => '192.168.2.0/24',
which is a CIDR block, not an array. So, perhaps this is just strange
wording in the code?

This feature would be a great one to have for our workflow.

Anyone have any ideas on work arounds? How do others manage complex
firewall rules in puppet without a giant node declaration.

Thanks.


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/FEhD6P5KsA4J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Bezerker at Dec 3, 2012 at 9:43 pm
    Dusty,

    I actually had the same issue and brought this up with Ken Barber at
    PuppetConf. I believe he and several others have looked into this briefly
    but nothing much has come from it. There was a puppet bug report where
    another user had managed to have it take arrays without too much
    issue: http://projects.puppetlabs.com/issues/10116

    Unfortunately in my brief testing there was another issue created (it was
    always trying to add/remove a rule if I recall, it's been awhile.)

    In the meantime a recommended workaround that works for some use cases is
    using a defined resource to accept the array and then create each firewall
    resource as a result.

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/scsXLh0MKcMJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Dusty Doris at Dec 3, 2012 at 11:26 pm
    Thanks for the reply. I will take a look at that patch.


    I have been trying to accomplish this with defined resources, unfortunately
    my particular case isn't working well for that.

    Here is my attempt, perhaps anyone has some suggestions?

    define myfirewall::accept($proto='tcp', $ports) {
    firewall { "100 $name":
    source => $name,
    proto => $proto,
    dport => $ports,
    action => 'accept'
    }
    }

    import 'myfirewall'

    node 'mynode' {
    include myfirewall
    $web_servers = ['10.0.0.1','10.0.0.2']
    $db_servers = ['10.0.0.3']

    myfirewall::accept { $web_servers:
    ports => ['80','443'],
    }
    myfirewall::accept { $db_servers:
    proto => 'tcp',
    ports => '3306'
    }
    }

    That works great. It allows me to accept certain ports from certain groups
    of hosts. You can see the value in this, as I could create node groups and
    automatically allow certain ports to certain sources. For example, allow
    every machines access to ssh, allow all my app servers and all my db
    servers to my db port. Allow all my app servers to some API port, etc...

    But, now say I want to a one-off rule on one of those particular hosts
    that is already defined, so I add another rule.

    myfirewall::accept { '10.0.0.1':
    ports => '8888'
    }

    Error: Duplicate declaration: Myfirewall::Accept[10.0.0.1] is already
    declared in file /etc/puppet/manifests/nodes.pp at line 10; cannot
    redeclare on node mynode

    It will error out here as having a duplicate. I'm trying to figure out how
    I can re-write this to make it work, but it appears the puppet dsl only
    acts on arrays when they are the name variable and then calls the resource
    once for each item in the array, passing that as the name.

    So, I suppose right now I need to make my groups better, so they include
    all the one-offs and make sure there are no duplicates. Or, I could just
    define the one-offs one at a time in each node file.

    I appreciate any suggestions.



    On Monday, December 3, 2012 4:43:39 PM UTC-5, Terry Z. wrote:

    Dusty,

    I actually had the same issue and brought this up with Ken Barber at
    PuppetConf. I believe he and several others have looked into this briefly
    but nothing much has come from it. There was a puppet bug report where
    another user had managed to have it take arrays without too much issue:
    http://projects.puppetlabs.com/issues/10116

    Unfortunately in my brief testing there was another issue created (it was
    always trying to add/remove a rule if I recall, it's been awhile.)

    In the meantime a recommended workaround that works for some use cases is
    using a defined resource to accept the array and then create each firewall
    resource as a result.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/794eo8u39SEJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Terry Z. at Dec 4, 2012 at 2:56 pm
    I believe you have stumbled into the same issue I ran into when attempting
    to workaround this with defined resources and unfortunately I had to
    continue using the legacy bobsh-iptables module as a result (which has its
    own inherent issues but at least properly accepts an array in source.)

    It is rather disheartening to see the puppet-firewall module stuck with
    these limitations, but I do understand the difficulty in making this work
    as we expect so it's a trade off.

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/yD0KGhayF14J.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Jakov Sosic at Dec 16, 2012 at 12:35 am

    On 12/04/2012 03:56 PM, Terry Z. wrote:
    I believe you have stumbled into the same issue I ran into when
    attempting to workaround this with defined resources and unfortunately I
    had to continue using the legacy bobsh-iptables module as a result
    (which has its own inherent issues but at least properly accepts an
    array in source.)

    It is rather disheartening to see the puppet-firewall module stuck with
    these limitations, but I do understand the difficulty in making this
    work as we expect so it's a trade off.
    It's really not that hard to code array support to custom provider, has
    anyone tried it? Maybe if community can fix it, puppetlabs would accept
    pull request?


    --
    Jakov Sosic
    www.srce.unizg.hr

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Jcbollinger at Dec 4, 2012 at 3:02 pm

    On Monday, December 3, 2012 5:25:58 PM UTC-6, Dusty Doris wrote:
    [...] I'm trying to figure out how I can re-write this to make it work,
    but it appears the puppet dsl only acts on arrays when they are the name
    variable and then calls the resource once for each item in the array,
    passing that as the name.

    Yes, that is precisely what Puppet does with arrays given as resource
    titles, and that behavior is triggered *only* by titles.


    So, I suppose right now I need to make my groups better, so they include
    all the one-offs and make sure there are no duplicates. Or, I could just
    define the one-offs one at a time in each node file.

    I appreciate any suggestions.
    One way to look at your issue is that your site-specific data is too
    commingled with your code. That's why you have one-offs in the first
    place. Pull the data together into a class variable somewhere, or even
    externalize it into an Hiera data store. Drive your firewall declarations
    with your data instead of pulling the data along behind.

    More specifically, you can use Puppet hashes or Hiera lookups to
    dynamically adapt your declarations to specific cases (e.g. to choose
    parameter values), or you can use the built-in create_resources() function
    to declare whole resources based on your data. You already know about
    arrays as resource titles and combining that with defined types; those fit
    into the picture, too.


    John

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/f_CrWCkUOYEJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Dusty Doris at Dec 4, 2012 at 4:50 pm
    On Tuesday, December 4, 2012 10:02:42 AM UTC-5, jcbollinger wrote:
    On Monday, December 3, 2012 5:25:58 PM UTC-6, Dusty Doris wrote:

    [...] I'm trying to figure out how I can re-write this to make it work,
    but it appears the puppet dsl only acts on arrays when they are the name
    variable and then calls the resource once for each item in the array,
    passing that as the name.

    Yes, that is precisely what Puppet does with arrays given as resource
    titles, and that behavior is triggered *only* by titles.


    So, I suppose right now I need to make my groups better, so they include
    all the one-offs and make sure there are no duplicates. Or, I could just
    define the one-offs one at a time in each node file.

    I appreciate any suggestions.
    One way to look at your issue is that your site-specific data is too
    commingled with your code. That's why you have one-offs in the first
    place. Pull the data together into a class variable somewhere, or even
    externalize it into an Hiera data store. Drive your firewall declarations
    with your data instead of pulling the data along behind.

    More specifically, you can use Puppet hashes or Hiera lookups to
    dynamically adapt your declarations to specific cases (e.g. to choose
    parameter values), or you can use the built-in create_resources() function
    to declare whole resources based on your data. You already know about
    arrays as resource titles and combining that with defined types; those fit
    into the picture, too.


    John
    Thanks John. That sounds like some fantastic advice.

    I'm brand new to puppet and still trying to wrap my mind around it. I'd
    love any resources if you have any recommendations (eg: any good books?)



    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/jvAAEVjV2kQJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedDec 1, '12 at 6:57p
activeDec 16, '12 at 12:35a
posts7
users4
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase