kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Initial Chef repository

Browse Source
This commit is contained in:
Greg Karékinian
2015-07-21 19:45:23 +02:00
parent 7e5401fc71
commit ee4079fa85
1151 changed files with 185163 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
cookbooks/ufw/CHANGELOG.md Normal file
View File

@@ -0,0 +1,30 @@
ufw Cookbook CHANGELOG
======================
This file is used to list changes made in each version of the ufw cookbook.
v0.7.4
------
No change. Version bump for toolchain
v0.7.2
------
Updating metadata to depend on firewall >= 0.9
v0.7.0
------
[COOK-3592] - allow source ports to be defined as a range in ufw
v0.6.4
------
### Bug
- **[COOK-3316](https://tickets.opscode.com/browse/COOK-3316)** - Fix README.md example
v0.6.2
------
### Bug
- [COOK-2487]: when setting a node attribute you must specify the precedence
- [COOK-2982]: ufw cookbook has foodcritic failures

144
cookbooks/ufw/README.md Normal file
View File

@@ -0,0 +1,144 @@
Description
===========
Configures Uncomplicated Firewall (ufw) on Ubuntu. Including the `ufw` recipe in a run list means the firewall will be enabled and will deny everything except SSH and ICMP ping by default.
Rules may be added to the node by adding them to the `['firewall']['rules']` attributes in roles or on the node directly. The `firewall` cookbook has an LWRP that may be used to apply rules directly from other recipes as well. There is no need to explicitly remove rules, they are reevaluated on changes and reset. Rules are applied in the order of the run list, unless ordering is explictly added.
Requirements
============
Tested with Ubuntu 10.04 and 11.04.
Recipes
=======
default
-------
The `default` recipe looks for the list of firewall rules to apply from the `['firewall']['rules']` attribute added to roles and on the node itself. The list of rules is then applied to the node in the order specified.
disable
-------
The `disable` recipe is used if there is a need to disable the existing firewall, perhaps for testing. It disables the ufw firewall even if other ufw recipes attempt to enable it.
If you remove this recipe, the firewall does not get automatically re-enabled. You will need clear the value of the `['firewall']['state']` to force a recalculation of the firewall rules. This can be done with `knife node edit`.
databag
-------
The `databag` recipe looks in the `firewall` data bag for to apply firewall rules based on inspecting the runlist for roles and recipe names for keys that map to the data bag items and are applied in the the order specified.
The `databag` recipe calls the `default` recipe after the `['firewall']['rules']` attribute is set to appy the rules, so you may mix roles with databag items if you want (roles apply first, then data bag contents).
recipes
-------
The `recipes` recipe applies firewall rules based on inspecting the runlist for recipes that have node[<recipe>]['firewall']['rules'] attributes. These are appended to node['firewall']['rules'] and applied to the node. Cookbooks may define attributes for recipes like so:
# attributes/default.rb for test cookbook
default['test']['firewall']['rules'] = [
{"test"=> {
"port"=> "27901",
"protocol"=> "udp"
}
}
]
default['test::awesome']['firewall']['rules'] = [
{"awesome"=> {
"port"=> "99427",
"protocol"=> "udp"
}
},
{"awesome2"=> {
"port"=> "99428"
}
}
]
Note that the 'test::awesome' rules are only applied if that specific recipe is in the runlist. Recipe-applied firewall rules are applied after any rules defined in role attributes.
securitylevel
-------------
The `securitylevel` recipe is used if there are any node['firewall']['securitylevel'] settings that need to be enforced. It is a reference implementation with nothing configured.
Attributes
==========
Roles and the node may have the `['firewall']['rules']` attribute set. This attribute is a list of hashes, the key will be rule name, the value will be the hash of parameters. Application order is based on run list.
# Example Role
name "fw_example"
description "Firewall rules for Examples"
override_attributes(
"firewall" => {
"rules" => [
{"tftp" => {}},
{"http" => {
"port" => "80"
}
},
{"block tomcat from 192.168.1.0/24" => {
"port" => "8080",
"source" => "192.168.1.0/24",
"action" => "deny"
}
},
{"Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469" => {
"protocol" => "udp",
"port" => "5469",
"source" => "1.2.3.4",
"destination" => "1.2.3.5",
"dest_port" => "5469"
}
},
{"allow to tcp ports 8000-8010 from 192.168.1.0/24" => {
"port_range" => "8000..8010",
"source" => "192.168.1.0/24",
"protocol" => "tcp" //protocol is mandatory when using port ranges
}
}
]
}
)
Data Bags
=========
The `firewall` data bag may be used with the `databag` recipe. It will contain items that map to role names (eg. the 'apache' role will map to the 'apache' item in the 'firewall' data bag). Either roles or recipes may be keys (role[webserver] is 'webserver', recipe[apache2] is 'apache2'). If you have recipe-specific firewall rules, you will need to replace the '::' with '__' (double underscores) (eg. recipe[apache2::mod_ssl] is 'apache2__mod_ssl' in the data bag item).
The items in the data bag will contain a 'rules' array of hashes to apply to the `['firewall']['rules']` attribute.
% knife data bag create firewall
% knife data bag from file firewall examples/data_bags/firewall/apache2.json
% knife data bag from file firewall examples/data_bags/firewall/apache2__mod_ssl.json
# Example 'firewall' data bag item
{
"id": "apache2",
"rules": [
{"http": {
"port": "80"
}},
{"block http from 192.168.1.0/24": {
"port": "80",
"source": "192.168.1.0/24",
"action": "deny"
}}
]
}
Resources/Providers
===================
The `firewall` cookbook provides the `firewall` and `firewall_rule` LWRPs, for which there is a ufw provider.
License and Author
==================
Author:: Matt Ray (<matt@opscode.com>)
Copyright:: 2011 Opscode, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

2
cookbooks/ufw/attributes/default.rb Normal file
View File

@@ -0,0 +1,2 @@
default['firewall']['rules'] = []
default['firewall']['securitylevel'] = ""

40
cookbooks/ufw/metadata.json Normal file
View File

File diff suppressed because one or more lines are too long

21
cookbooks/ufw/metadata.rb Normal file
View File

@@ -0,0 +1,21 @@
name "ufw"
maintainer "Opscode, Inc."
maintainer_email "matt@opscode.com"
license "Apache 2.0"
description "Installs/Configures ufw"
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version "0.7.4"
depends "firewall", ">= 0.9"
%w{ ubuntu }.each do |os|
supports os
end
attribute "firewall/rules",
:display_name => "List of firewall rules for the node.",
:description => "List of firewall rules for the node. Possibly set by node, roles or data bags.",
:type => "array"
attribute "firewall/securitylevel",
:display_name => "Security level of the node.",
:description => "Security level of the node, may be set by node, roles or environment."

58
cookbooks/ufw/recipes/databag.rb Normal file
View File

@@ -0,0 +1,58 @@
#
# Author:: Matt Ray <matt@opscode.com>
# Cookbook Name:: ufw
# Recipe:: databag
#
# Copyright 2011, Opscode, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#flatten the run_list to just the names of the roles and recipes in order
def run_list_names(run_list)
names = []
run_list.each do |entry|
Chef::Log.debug "ufw::databag:run_list_names+name: #{entry.name}"
if entry.name.index('::') #cookbook::recipe
names.push(entry.name.sub('::', '__'))
else
names.push(entry.name)
end
if entry.role?
rol = search(:role, "name:#{entry.name}")[0]
names.concat(run_list_names(rol.run_list))
end
end
Chef::Log.debug "ufw::databag:run_list_names+names: #{names}"
return names
end
rlist = run_list_names(node.run_list)
rlist.uniq!
Chef::Log.debug "ufw::databag:rlist: #{rlist}"
fw_db = data_bag('firewall')
Chef::Log.debug "ufw::databag:firewall:#{fw_db}"
rlist.each do |entry|
Chef::Log.debug "ufw::databag: \"#{entry}\""
if fw_db.member?(entry)
#add the list of firewall rules to the current list
item = data_bag_item('firewall', entry)
rules = item['rules']
node.set['firewall']['rules'].concat(rules) unless rules.nil?
end
end
#now go apply the rules
include_recipe "ufw::default"

90
cookbooks/ufw/recipes/default.rb Normal file
View File

@@ -0,0 +1,90 @@
#
# Author:: Matt Ray <matt@opscode.com>
# Cookbook Name:: ufw
# Recipe:: default
#
# Copyright 2011, Opscode, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
package "ufw"
old_state = node['firewall']['state']
new_state = node['firewall']['rules'].to_s
Chef::Log.debug "Old firewall state:#{old_state}"
Chef::Log.debug "New firewall state:#{new_state}"
#check to see if the firewall rules changed.
#the rules are always changed the first run
if old_state == new_state
Chef::Log.info "Firewall rules unchanged."
else
Chef::Log.info "Firewall rules updated."
node.set['firewall']['state'] = new_state
#drop rules and re-enable
execute "ufw --force reset"
firewall "ufw" do
action :enable
end
#leave this on by default
firewall_rule "ssh" do
port 22
action :allow
end
node['firewall']['rules'].each do |rule_mash|
Chef::Log.debug "ufw:rule \"#{rule_mash}\""
rule_mash.keys.each do |rule|
Chef::Log.debug "ufw:rule:name \"#{rule}\""
params = rule_mash[rule]
Chef::Log.debug "ufw:rule:parameters \"#{params}\""
Chef::Log.debug "ufw:rule:name #{params['name']}" if params['name']
Chef::Log.debug "ufw:rule:protocol #{params['protocol']}" if params['protocol']
Chef::Log.debug "ufw:rule:direction #{params['direction']}" if params['direction']
Chef::Log.debug "ufw:rule:interface #{params['interface']}" if params['interface']
Chef::Log.debug "ufw:rule:logging #{params['logging']}" if params['logging']
Chef::Log.debug "ufw:rule:port #{params['port']}" if params['port']
Chef::Log.debug "ufw:rule:port_range #{params['port_range']}" if params['port_range']
Chef::Log.debug "ufw:rule:source #{params['source']}" if params['source']
Chef::Log.debug "ufw:rule:destination #{params['destination']}" if params['destination']
Chef::Log.debug "ufw:rule:dest_port #{params['dest_port']}" if params['dest_port']
Chef::Log.debug "ufw:rule:position #{params['position']}" if params['position']
act = params['action']
act ||= "allow"
raise "ufw: port_range was specified to firewall_rule without protocol" if params['port_range'] && !params['protocol']
Chef::Log.debug "ufw:rule:action :#{act}"
firewall_rule rule do
name params['name'] if params['name']
protocol params['protocol'].to_sym if params['protocol']
direction params['direction'].to_sym if params['direction']
interface params['interface'] if params['interface']
logging params['logging'].to_sym if params['logging']
port params['port'].to_i if params['port']
if params['port_range']
ends = params['port_range'].split('..').map{|d| Integer(d)}
port_range ends[0]..ends[1]
end
source params['source'] if params['source']
destination params['destination'] if params['destination']
dest_port params['dest_port'].to_i if params['dest_port']
position params['position'].to_i if params['position']
action act
end
end
end
end

23
cookbooks/ufw/recipes/disable.rb Normal file
View File

@@ -0,0 +1,23 @@
#
# Author:: Matt Ray <matt@opscode.com>
# Cookbook Name:: ufw
# Recipe:: disable
#
# Copyright 2011, Opscode, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
firewall "ufw" do
action :disable
end

41
cookbooks/ufw/recipes/recipes.rb Normal file
View File

@@ -0,0 +1,41 @@
#
# Author:: Matt Ray <matt@opscode.com>
# Cookbook Name:: ufw
# Recipe:: recipes
#
# Copyright 2011, Opscode, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# expand and parse the node's runlist for recipes and find attributes of the form node[<recipe>]['firewall']['rules']
# append them to the node['firewall']['rules'] array attribute
node.expand!.recipes.each do |recipe|
Chef::Log.debug "ufw::recipes: #{recipe}"
cookbook = recipe.split('::')[0]
#get the cookbook attributes if there are any
if recipe != cookbook and node[cookbook] and node[cookbook]['firewall'] and node[cookbook]['firewall']['rules']
rules = node[cookbook]['firewall']['rules']
Chef::Log.debug "ufw::recipes:#{cookbook}:rules #{rules}"
node.set['firewall']['rules'].concat(rules) unless rules.nil?
end
#get the recipe attributes if there are any
if node[recipe] and node[recipe]['firewall'] and node[recipe]['firewall']['rules']
rules = node[recipe]['firewall']['rules']
Chef::Log.debug "ufw::recipes:#{recipe}:rules #{rules}"
node.set['firewall']['rules'].concat(rules) unless rules.nil?
end
end
#now go apply the rules
include_recipe "ufw::default"

41
cookbooks/ufw/recipes/securitylevel.rb Normal file
View File

@@ -0,0 +1,41 @@
#
# Author:: Matt Ray <matt@opscode.com>
# Cookbook Name:: ufw
# Recipe:: securitylevel
#
# Copyright 2011, Opscode, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
securitylevel = node['firewall']['securitylevel']
Chef::Log.info "ufw::securitylevel:#{securitylevel}"
#verify that only 1 "color" security group is applied"
count = node.expand!.roles.count {|role| role =~ /SecurityLevel-(Red|Green|Yellow)/ }
if count > 1
raise Chef::Exceptions::AmbiguousRunlistSpecification, "conflicting SecurityLevel-'color' roles, only 1 may be applied."
end
case securitylevel
when 'red'
#put special stuff for red here
when 'yellow'
#put special stuff for red here
when 'green'
#put special stuff for red here
end
#now go apply the rules
include_recipe "ufw::default"