From a28c3aedab31ebe89eba5f54fb1c59288bb9ae83 Mon Sep 17 00:00:00 2001 From: Dan Carley Date: Fri, 1 Mar 2013 18:55:32 +0000 Subject: [PATCH] (GH-134) Autorequire iptables related packages autorequires from firewall and firewallchain resources to iptables and iptables-persistent packages, when the appropriate provider is selected and the packages are managed in the catalog. This will prevent failed rule creation and persistence on fresh nodes where the packages may not be pre-installed. --- lib/puppet/type/firewall.rb | 24 +++++++++++++-- lib/puppet/type/firewallchain.rb | 16 ++++++++++ spec/unit/puppet/type/firewall_spec.rb | 34 +++++++++++++++++++++ spec/unit/puppet/type/firewallchain_spec.rb | 29 ++++++++++++++++++ 4 files changed, 100 insertions(+), 3 deletions(-) diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index ce0f377f2..4f9ee4f27 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -16,9 +16,16 @@ This type provides the capability to manage firewall rules within puppet. - **Autorequires:** If Puppet is managing the iptables or ip6tables chains - specified in the `chain` or `jump` parameters, the firewall resource - will autorequire those firewallchain resources. + **Autorequires:** + + If Puppet is managing the iptables or ip6tables chains specified in the + `chain` or `jump` parameters, the firewall resource will autorequire + those firewallchain resources. + + If Puppet is managing the iptables or iptables-persistent packages, and + the provider is iptables or ip6tables, the firewall resource will + autorequire those packages to ensure that any required binaries are + installed. EOS feature :rate_limiting, "Rate limiting features." 
@@ -569,6 +576,17 @@ def should_to_s(value) reqs end + # Classes would be a better abstraction, pending: + # http://projects.puppetlabs.com/issues/19001 + autorequire(:package) do + case value(:provider) + when :iptables, :ip6tables + %w{iptables iptables-persistent} + else + [] + end + end + validate do debug("[validate]") diff --git a/lib/puppet/type/firewallchain.rb b/lib/puppet/type/firewallchain.rb index 7eade4bc8..2ed1e5b1e 100644 --- a/lib/puppet/type/firewallchain.rb +++ b/lib/puppet/type/firewallchain.rb @@ -16,6 +16,11 @@ Currently this supports only iptables, ip6tables and ebtables on Linux. And provides support for setting the default policy on chains and tables that allow it. + + **Autorequires:** + If Puppet is managing the iptables or iptables-persistent packages, and + the provider is iptables_chain, the firewall resource will autorequire + those packages to ensure that any required binaries are installed. EOS feature :iptables_chain, "The provider provides iptables chain features." @@ -100,6 +105,17 @@ end end + # Classes would be a better abstraction, pending: + # http://projects.puppetlabs.com/issues/19001 + autorequire(:package) do + case value(:provider) + when :iptables_chain + %w{iptables iptables-persistent} + else + [] + end + end + validate do debug("[validate]") diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb index d0a02a386..4ed4dcb95 100755 --- a/spec/unit/puppet/type/firewall_spec.rb +++ b/spec/unit/puppet/type/firewall_spec.rb 
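Review bot: The package list `%w{iptables iptables-persistent}` in the new `autorequire(:package)` block is repeated verbatim in firewallchain.rb's `@@ -100,6 +105,17 @@` hunk, so the two types can drift apart the moment a name is added or changed; a single frozen constant defined once and referenced from both types, e.g. `IPTABLES_PACKAGES = %w{iptables iptables-persistent}.freeze`, would keep them aligned until the class-based abstraction mentioned in the comment lands. The match is also by exact Package resource title, so a package managed in the catalog under any other title is silently not autorequired; a comment such as `# Matched on Package title only; packages managed under another title are not autorequired.` above the block would make that limitation explicit for maintainers. The returned names only add an ordering edge when a matching Package exists, which the `desc` text in the earlier hunk states but the block itself does not.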
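Review bot: The new `desc` paragraph in firewallchain.rb's `@@ -16,6 +16,11 @@` hunk says "the firewall resource will autorequire those packages", but this text documents the firewallchain type, so it should read `the firewallchain resource will autorequire` — as written it describes the wrong type to anyone reading the generated documentation. The paragraph also omits the blank line after `**Autorequires:**` that the matching firewall.rb hunk adds, so the two types' Markdown will render differently; adding the blank line keeps them consistent.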
@@ -496,4 +496,38 @@ lambda { @resource[:pkttype] = 'not valid' }.should raise_error(Puppet::Error) end end + + describe 'autorequire packages' do + [:iptables, :ip6tables].each do |provider| + it "provider #{provider} should autorequire package iptables" do + @resource[:provider] = provider + @resource[:provider].should == provider + package = Puppet::Type.type(:package).new(:name => 'iptables') + catalog = Puppet::Resource::Catalog.new + catalog.add_resource @resource + catalog.add_resource package + rel = @resource.autorequire[0] + rel.source.ref.should == package.ref + rel.target.ref.should == @resource.ref + end + + it "provider #{provider} should autorequire packages iptables and iptables-persistent" do + @resource[:provider] = provider + @resource[:provider].should == provider + packages = [ + Puppet::Type.type(:package).new(:name => 'iptables'), + Puppet::Type.type(:package).new(:name => 'iptables-persistent') + ] + catalog = Puppet::Resource::Catalog.new + catalog.add_resource @resource + packages.each do |package| + catalog.add_resource package + end + packages.zip(@resource.autorequire) do |package, rel| + rel.source.ref.should == package.ref + rel.target.ref.should == @resource.ref + end + end + end + end end diff --git a/spec/unit/puppet/type/firewallchain_spec.rb b/spec/unit/puppet/type/firewallchain_spec.rb index e9679275b..de0035ea4 100755 --- a/spec/unit/puppet/type/firewallchain_spec.rb +++ b/spec/unit/puppet/type/firewallchain_spec.rb 
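Review bot: In the second example, `packages.zip(@resource.autorequire)` pairs each package with whatever relationship sits at the same index, so if `autorequire` returns fewer relationships than expected the block receives `nil` for `rel` and dies with a NoMethodError on `rel.source` instead of a readable expectation failure, and if it returns more, the extra relationships are never checked. Asserting the count first, `@resource.autorequire.size.should == packages.size`, turns both cases into a clear failure; the same applies to the `packages.zip(resource.autorequire)` example in firewallchain_spec.rb's `@@ -104,4 +104,33 @@` hunk. The pairing further assumes autorequire yields relationships in the same order as the package names, which appears to hold for the `%w{iptables iptables-persistent}` list but is not asserted anywhere. The enclosing `describe` block starts outside this hunk.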
@@ -104,4 +104,33 @@ end + describe 'autorequire packages' do + it "provider iptables_chain should autorequire package iptables" do + resource[:provider].should == :iptables_chain + package = Puppet::Type.type(:package).new(:name => 'iptables') + catalog = Puppet::Resource::Catalog.new + catalog.add_resource resource + catalog.add_resource package + rel = resource.autorequire[0] + rel.source.ref.should == package.ref + rel.target.ref.should == resource.ref + end + + it "provider iptables_chain should autorequire packages iptables and iptables-persistent" do + resource[:provider].should == :iptables_chain + packages = [ + Puppet::Type.type(:package).new(:name => 'iptables'), + Puppet::Type.type(:package).new(:name => 'iptables-persistent') + ] + catalog = Puppet::Resource::Catalog.new + catalog.add_resource resource + packages.each do |package| + catalog.add_resource package + end + packages.zip(resource.autorequire) do |package, rel| + rel.source.ref.should == package.ref + rel.target.ref.should == resource.ref + end + end + end end