Update upstream cookbooks

Greg Karékinian
2017-03-20 13:19:10 +00:00
parent bfd2d52ea8
commit bcfd44b923
340 changed files with 12576 additions and 5465 deletions


@@ -0,0 +1 @@
~FC003
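Review bot: the `~FC003` exclusion is added without any comment explaining why the rule is waived. FC003 is foodcritic's check for using Chef Server-only features (search, data bag lookups) without guarding against chef-solo, which the `data_bag_item` call in the `databag` recipe triggers; a one-line comment in this file or a CHANGELOG entry stating that the cookbook is server-only would spare the next maintainer from re-deriving that.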


@@ -1,6 +1,21 @@
# ufw Cookbook CHANGELOG
This file is used to list changes made in each version of the ufw cookbook.
## 3.1.0 (2017-03-02)
- Add use of the default['firewall']['allow_ssh'] attribute in the default recipe. Default for this cookbook is set to true, as the default recipe assumed that ssh would be enabled.
## 3.0.0 (2017-03-01)
- Require Chef 12.4 (Depends on firewall which requires Chef 12.4+ at this point)
- Update default to remove installation of ufw which is duplication from firewall cookbook, and remove state changes
- Due to the change in default recipe, bumping major version in case this is breaking change for some.
- Added debian platform as firewall cookbook supports ufw on debian
## 2.0.0 (2016-11-25)
- Add chef_version metadata + remove chef 11 compat
- Replace node.set with node.normal
- Require Chef 12.1
- Fix the recipe to properly converge
## v1.0.0 (12-14-2015)
- Update to use / require the Firewall v2.0.0+ cookbook, which requires Chef 12
- Updated all Opscode references to Chef Software Inc.
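Review bot: the 3.0.0 entry "remove state changes" is the reason for the major bump but does not say what users lose: without the old/new state comparison the default recipe no longer runs `ufw --force reset`, so a rule deleted from attributes is not removed from the host unless the `firewall` cookbook's resource does that on its own. Spell that out in the entry. The version lines also mix formats ("v1.0.0 (12-14-2015)" next to "3.1.0 (2017-03-02)"); drop the `v` and use the ISO date throughout.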


@@ -1,19 +1,15 @@
<!-- This is a generated file. Please do not edit directly -->
# Maintainers
This file lists how this cookbook project is maintained. When making changes to the system, this
file tells you who needs to review your patch - you need a simple majority of maintainers
for the relevant subsystems to provide a :+1: on your pull request. Additionally, you need
to not receive a veto from a Lieutenant or the Project Lead.
Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
for details on the process and how to become a maintainer or the project lead.
This file lists how this cookbook project is maintained. When making changes to the system, this file tells you who needs to review your patch - you need a review from an existing maintainer for the cookbook to provide a :+1: on your pull request. Additionally, you need to not receive a veto from a Lieutenant or the Project Lead.
Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD) for details on the process and how to become a maintainer or the project lead.
# Project Maintainer
* [Tim Smith](https://github.com/tas50)
# Maintainers
* [Jennifer Davis](https://github.com/sigje)
* [Sean OMeara](https://github.com/someara)
* [Tim Smith](https://github.com/tas50)
* [Thom May](https://github.com/thommay)


@@ -1,46 +1,53 @@
# Description
[![Build Status](https://travis-ci.org/chef-cookbooks/ufw.svg?branch=master)](http://travis-ci.org/chef-cookbooks/ufw) [![Cookbook Version](https://img.shields.io/cookbook/v/ufw.svg)](https://supermarket.chef.io/cookbooks/ufw)
Configures Uncomplicated Firewall (ufw) on Ubuntu. Including the `ufw` recipe in a run list means the firewall will be enabled and will deny everything except SSH and ICMP ping by default.
Configures Uncomplicated Firewall (ufw) on Ubuntu and Debian. Including the `ufw` recipe in a run list means the firewall will be enabled and will deny everything except SSH and ICMP ping by default.
Rules may be added to the node by adding them to the `['firewall']['rules']` attributes in roles or on the node directly. The `firewall` cookbook has an LWRP that may be used to apply rules directly from other recipes as well. There is no need to explicitly remove rules, they are reevaluated on changes and reset. Rules are applied in the order of the run list, unless ordering is explictly added.
Rules may be added to the node by adding them to the `['firewall']['rules']` attributes in roles or on the node directly. The `firewall` cookbook has an LWRP that may be used to apply rules directly from other recipes as well. There is no need to explicitly remove rules, they are reevaluated on changes and reset. Rules are applied in the order of the run list, unless ordering is explicitly added.
## Requirements
### Platforms
- Ubuntu
- Debian
### Chef
- Chef 12+
Since this cookbook has an open-ended dependency on 'firewall', users of Chef11 or earlier should pin 'firewall' to '~>0.9' via the caller's metadata. Otherwise 'poise' v2+ will be invoked which is Chef12+ only.
- Chef 12.4+
### Cookbooks
- firewall 2.0+
## Recipes
###default
### default
The `default` recipe looks for the list of firewall rules to apply from the `['firewall']['rules']` attribute added to roles and on the node itself. The list of rules is then applied to the node in the order specified.
###disable
### disable
The `disable` recipe is used if there is a need to disable the existing firewall, perhaps for testing. It disables the ufw firewall even if other ufw recipes attempt to enable it.
If you remove this recipe, the firewall does not get automatically re-enabled. You will need clear the value of the `['firewall']['state']` to force a recalculation of the firewall rules. This can be done with `knife node edit`.
###databag
### databag
The `databag` recipe looks in the `firewall` data bag for to apply firewall rules based on inspecting the runlist for roles and recipe names for keys that map to the data bag items and are applied in the the order specified.
The `databag` recipe calls the `default` recipe after the `['firewall']['rules']` attribute is set to appy the rules, so you may mix roles with databag items if you want (roles apply first, then data bag contents).
The `databag` recipe calls the `default` recipe after the `['firewall']['rules']` attribute is set to apply the rules, so you may mix roles with databag items if you want (roles apply first, then data bag contents).
###recipes
### recipes
The `recipes` recipe applies firewall rules based on inspecting the runlist for recipes that have node[<recipe>]['firewall']['rules'] attributes. These are appended to node['firewall']['rules'] and applied to the node. Cookbooks may define attributes for recipes like so:
The `recipes` recipe applies firewall rules based on inspecting the runlist for recipes that have node[
### attributes/default.rb for test cookbook
<recipe>]['firewall']['rules'] attributes. These are appended to node['firewall']['rules'] and applied to the node. Cookbooks may define attributes for recipes like so:</recipe>
```
#### attributes/default.rb for test cookbook
```ruby
default['test']['firewall']['rules'] = [
{"test"=> {
"port"=> "27901",
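Review bot: in the `recipes` section the expression `node[<recipe>]['firewall']['rules']` is not in backticks, so Markdown treats `<recipe>` as an HTML tag; the rendered hunk above shows the damage, with the sentence cut at `node[` and the `attributes/default.rb` heading landing inside it. Wrap the whole expression in backticks. The same hunk keeps the sentence "There is no need to explicitly remove rules, they are reevaluated on changes and reset", which describes the state tracking and `ufw --force reset` that this commit deletes from the default recipe; reword it to say how stale rules are handled from 3.0.0 on. Two unchanged context lines still carry typos: "You will need clear the value" and "looks in the `firewall` data bag for to apply firewall rules".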
@@ -63,16 +70,17 @@ default['test::awesome']['firewall']['rules'] = [
Note that the 'test::awesome' rules are only applied if that specific recipe is in the runlist. Recipe-applied firewall rules are applied after any rules defined in role attributes.
###
### securitylevel
securitylevel The `securitylevel` recipe is used if there are any node['firewall']['securitylevel'] settings that need to be enforced. It is a reference implementation with nothing configured.
The `securitylevel` recipe is used if there are any node['firewall']['securitylevel'] settings that need to be enforced. It is a reference implementation with nothing configured.
## Attributes
Roles and the node may have the `['firewall']['rules']` attribute set. This attribute is a list of hashes, the key will be rule name, the value will be the hash of parameters. Application order is based on run list.
### Example Role
```
```ruby
name "fw_example"
description "Firewall rules for Examples"
override_attributes(
@@ -108,12 +116,15 @@ override_attributes(
)
```
* default['firewall']['allow_ssh'] Opens port 22 for SSH when set to true. Default set to true.
## Data Bags
The `firewall` data bag may be used with the `databag` recipe. It will contain items that map to role names (eg. the 'apache' role will map to the 'apache' item in the 'firewall' data bag). Either roles or recipes may be keys (role[webserver] is 'webserver', recipe[apache2] is 'apache2'). If you have recipe-specific firewall rules, you will need to replace the '::' with '**' (double underscores) (eg. recipe[apache2::mod_ssl] is 'apache2**mod_ssl' in the data bag item).
The items in the data bag will contain a 'rules' array of hashes to apply to the `['firewall']['rules']` attribute.
```
```shell
% knife data bag create firewall
% knife data bag from file firewall examples/data_bags/firewall/apache2.json
% knife data bag from file firewall examples/data_bags/firewall/apache2__mod_ssl.json
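Review bot: the new `default['firewall']['allow_ssh']` entry should say what the attribute really does: the `ssh` rule it gates carries no `source`, so while it is true port 22 is open from any address, and users who reach hosts through a bastion or VPN need to set it false and add a source-limited rule of their own. In the same hunk the data bag paragraph shows the `::` separator as '**' and the item name with its underscores eaten, while the `knife` command just below shows the real file name `apache2__mod_ssl.json`; put `__` and `apache2__mod_ssl` in backticks so they render literally.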
@@ -121,7 +132,7 @@ The items in the data bag will contain a 'rules' array of hashes to apply to the
### Example 'firewall' data bag item
```
```javascript
{
"id": "apache2",
"rules": [
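Review bot: the fence for the data bag item is tagged `javascript` although the content is a plain JSON document; tag it `json` so highlighting and any linting of the README match the format the `knife data bag from file` command expects.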
@@ -138,12 +149,14 @@ The items in the data bag will contain a 'rules' array of hashes to apply to the
```
## Resources/Providers
The `firewall` cookbook provides the `firewall` and `firewall_rule` LWRPs, for which there is a ufw provider.
## License & Authors
**Author:** Cookbook Engineering Team ([cookbooks@chef.io](mailto:cookbooks@chef.io))
**Copyright:** 2011-2015, Chef Software, Inc.
**Copyright:** 2011-2014, Chef Software, Inc.
```
Licensed under the Apache License, Version 2.0 (the "License");
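Review bot: the README copyright moves backwards from 2011-2015 to 2011-2014 while every recipe header in this commit moves forward to 2011-2017; align the README line with the headers.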


@@ -1,2 +1,3 @@
default['firewall']['rules'] = []
default['firewall']['securitylevel'] = ''
default['firewall']['allow_ssh'] = true



@@ -1,9 +1,9 @@
#
# Author:: Matt Ray <matt@chef.io>
# Cookbook Name:: ufw
# Cookbook:: ufw
# Recipe:: databag
#
# Copyright 2011-2015, Chef Software, Inc.
# Copyright:: 2011-2017, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -51,7 +51,7 @@ rlist.each do |entry|
# add the list of firewall rules to the current list
item = data_bag_item('firewall', entry)
rules = item['rules']
node.set['firewall']['rules'].concat(rules) unless rules.nil?
node.normal['firewall']['rules'].concat(rules) unless rules.nil?
end
# now go apply the rules
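Review bot: `node.normal['firewall']['rules'].concat(rules)` is a rename of the deprecated `node.set`, but both mutate a normal-level attribute, which is saved to the node object and persists between runs. The visible lines never reset the list before appending, so unless an earlier line of the recipe reinitialises `node.normal['firewall']['rules']` each run, every converge appends the data bag rules again and the list grows without bound; either reset it explicitly at the top of the recipe or build the combined list in a local variable and apply that.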


@@ -1,9 +1,9 @@
#
# Author:: Matt Ray <matt@chef.io>
# Cookbook Name:: ufw
# Cookbook:: ufw
# Recipe:: default
#
# Copyright 2011-2015, Chef Software, Inc.
# Copyright:: 2011-2017, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,73 +18,54 @@
# limitations under the License.
#
package 'ufw'
firewall 'default' do
action :install
end
old_state = node['firewall']['state']
new_state = node['firewall']['rules'].to_s
Chef::Log.debug "Old firewall state:#{old_state}"
Chef::Log.debug "New firewall state:#{new_state}"
# leave this on by default
firewall_rule 'ssh' do
port 22
action :create
only_if { node['firewall']['allow_ssh'] }
end
# check to see if the firewall rules changed.
# the rules are always changed the first run
if old_state == new_state
Chef::Log.info 'Firewall rules unchanged.'
else
Chef::Log.info 'Firewall rules updated.'
node.set['firewall']['state'] = new_state
# drop rules and re-enable
execute 'ufw --force reset'
firewall 'ufw' do
action :install
end
# leave this on by default
firewall_rule 'ssh' do
port 22
action :create
end
node['firewall']['rules'].each do |rule_mash|
Chef::Log.debug "ufw:rule \"#{rule_mash}\""
rule_mash.keys.each do |rule|
Chef::Log.debug "ufw:rule:name \"#{rule}\""
params = rule_mash[rule]
Chef::Log.debug "ufw:rule:parameters \"#{params}\""
Chef::Log.debug "ufw:rule:name #{params['name']}" if params['name']
Chef::Log.debug "ufw:rule:protocol #{params['protocol']}" if params['protocol']
Chef::Log.debug "ufw:rule:direction #{params['direction']}" if params['direction']
Chef::Log.debug "ufw:rule:interface #{params['interface']}" if params['interface']
Chef::Log.debug "ufw:rule:logging #{params['logging']}" if params['logging']
Chef::Log.debug "ufw:rule:port #{params['port']}" if params['port']
Chef::Log.debug "ufw:rule:port_range #{params['port_range']}" if params['port_range']
Chef::Log.debug "ufw:rule:source #{params['source']}" if params['source']
Chef::Log.debug "ufw:rule:destination #{params['destination']}" if params['destination']
Chef::Log.debug "ufw:rule:dest_port #{params['dest_port']}" if params['dest_port']
Chef::Log.debug "ufw:rule:position #{params['position']}" if params['position']
act = params['action']
act ||= 'create'
fail 'ufw: port_range was specified to firewall_rule without protocol' if params['port_range'] && !params['protocol']
Chef::Log.debug "ufw:rule:action :#{act}"
firewall_rule rule do
name params['name'] if params['name']
protocol params['protocol'].to_sym if params['protocol']
direction params['direction'].to_sym if params['direction']
interface params['interface'] if params['interface']
logging params['logging'].to_sym if params['logging']
port params['port'].to_i if params['port']
if params['port_range']
ends = params['port_range'].split('..').map { |d| Integer(d) }
port_range ends[0]..ends[1]
end
source params['source'] if params['source']
destination params['destination'] if params['destination']
dest_port params['dest_port'].to_i if params['dest_port']
position params['position'].to_i if params['position']
action act
node['firewall']['rules'].each do |rule_mash|
Chef::Log.debug "ufw:rule \"#{rule_mash}\""
rule_mash.keys.each do |rule|
Chef::Log.debug "ufw:rule:name \"#{rule}\""
params = rule_mash[rule]
Chef::Log.debug "ufw:rule:parameters \"#{params}\""
Chef::Log.debug "ufw:rule:name #{params['name']}" if params['name']
Chef::Log.debug "ufw:rule:protocol #{params['protocol']}" if params['protocol']
Chef::Log.debug "ufw:rule:direction #{params['direction']}" if params['direction']
Chef::Log.debug "ufw:rule:interface #{params['interface']}" if params['interface']
Chef::Log.debug "ufw:rule:logging #{params['logging']}" if params['logging']
Chef::Log.debug "ufw:rule:port #{params['port']}" if params['port']
Chef::Log.debug "ufw:rule:port_range #{params['port_range']}" if params['port_range']
Chef::Log.debug "ufw:rule:source #{params['source']}" if params['source']
Chef::Log.debug "ufw:rule:destination #{params['destination']}" if params['destination']
Chef::Log.debug "ufw:rule:dest_port #{params['dest_port']}" if params['dest_port']
Chef::Log.debug "ufw:rule:position #{params['position']}" if params['position']
act = params['action']
act ||= 'create'
raise 'ufw: port_range was specified to firewall_rule without protocol' if params['port_range'] && !params['protocol']
Chef::Log.debug "ufw:rule:action :#{act}"
firewall_rule rule do
name params['name'] if params['name']
protocol params['protocol'].to_sym if params['protocol']
direction params['direction'].to_sym if params['direction']
interface params['interface'] if params['interface']
logging params['logging'].to_sym if params['logging']
port params['port'].to_i if params['port']
if params['port_range']
ends = params['port_range'].split('..').map { |d| Integer(d) }
port_range ends[0]..ends[1]
end
source params['source'] if params['source']
destination params['destination'] if params['destination']
dest_port params['dest_port'].to_i if params['dest_port']
position params['position'].to_i if params['position']
action act
end
end
end
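Review bot: with the `old_state`/`new_state` comparison and `execute 'ufw --force reset'` removed, this recipe no longer resets ufw when the rule list changes, so a rule deleted from `node['firewall']['rules']` stays on the host unless the `firewall` resource from the firewall cookbook removes stale rules itself; confirm that behaviour and state it in the README and CHANGELOG, since it is the user-visible part of the 3.0.0 change. The `ssh` rule also opens port 22 with no `source` restriction and is now gated only by `only_if { node['firewall']['allow_ssh'] }`, whose default is true; consider accepting an optional `node['firewall']['ssh_source']` (hypothetical name) so operators can limit it without disabling the rule and re-declaring it.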


@@ -1,9 +1,9 @@
#
# Author:: Matt Ray <matt@chef.io>
# Cookbook Name:: ufw
# Cookbook:: ufw
# Recipe:: disable
#
# Copyright 2011-2015, Chef Software, Inc.
# Copyright:: 2011-2017, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@@ -1,9 +1,9 @@
#
# Author:: Matt Ray <matt@chef.io>
# Cookbook Name:: ufw
# Cookbook:: ufw
# Recipe:: recipes
#
# Copyright 2011-2015, Chef Software, Inc.
# Copyright:: 2011-2017, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,14 +27,14 @@ node.expand!.recipes.each do |recipe|
if recipe != cookbook && node[cookbook] && node[cookbook]['firewall'] && node[cookbook]['firewall']['rules']
rules = node[cookbook]['firewall']['rules']
Chef::Log.debug "ufw::recipes:#{cookbook}:rules #{rules}"
node.set['firewall']['rules'].concat(rules) unless rules.nil?
node.normal['firewall']['rules'].concat(rules) unless rules.nil?
end
# get the recipe attributes if there are any
next unless node[recipe] && node[recipe]['firewall'] && node[recipe]['firewall']['rules']
rules = node[recipe]['firewall']['rules']
Chef::Log.debug "ufw::recipes:#{recipe}:rules #{rules}"
node.set['firewall']['rules'].concat(rules) unless rules.nil?
node.normal['firewall']['rules'].concat(rules) unless rules.nil?
end
# now go apply the rules


@@ -1,9 +1,9 @@
#
# Author:: Matt Ray <matt@chef.io>
# Cookbook Name:: ufw
# Cookbook:: ufw
# Recipe:: securitylevel
#
# Copyright 2011-2015, Chef Software, Inc.
# Copyright:: 2011-2017, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,17 +25,17 @@ Chef::Log.info "ufw::securitylevel:#{securitylevel}"
# verify that only 1 "color" security group is applied"
count = node.expand!.roles.count { |role| role =~ /SecurityLevel-(Red|Green|Yellow)/ }
if count > 1
fail Chef::Exceptions::AmbiguousRunlistSpecification, "conflicting SecurityLevel-'color' roles, only 1 may be applied."
raise Chef::Exceptions::AmbiguousRunlistSpecification, "conflicting SecurityLevel-'color' roles, only 1 may be applied."
end
case securitylevel
when 'red'
# put special stuff for red here
when 'yellow'
# put special stuff for red here
when 'green'
# put special stuff for red here
end
# case securitylevel
# when 'red'
# # put special stuff for red here
# when 'yellow'
# # put special stuff for red here
# when 'green'
# # put special stuff for red here
# end
# now go apply the rules
include_recipe 'ufw::default'
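Review bot: the `case securitylevel` block is commented out rather than deleted, and its `yellow` and `green` branches still carry the copy-pasted comment "put special stuff for red here"; since the recipe is documented as a reference implementation with nothing configured, either delete the dead block or fix the labels so that whoever fills it in later is not misled. The role count check above it is fine, but note that `raise Chef::Exceptions::AmbiguousRunlistSpecification` now fires before `ufw::default` is included, which is the desired fail-closed order.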