comparison modules/firewall/manifests/linux/redhat.pp @ 478:adf6fe9bbc17

Update Puppet modules to latest versions
author IBBoard <dev@ibboard.co.uk>
date Thu, 29 Aug 2024 18:47:29 +0100
parents 66c406eec60d
children
30 # This is disabled for RedHat/CentOS 8+. 30 # This is disabled for RedHat/CentOS 8+.
31 # 31 #
32 # @api private 32 # @api private
33 # 33 #
34 class firewall::linux::redhat ( 34 class firewall::linux::redhat (
35 $ensure = running, 35 Enum[running, stopped, 'running', 'stopped'] $ensure = running,
36 $ensure_v6 = undef, 36 Optional[Enum[running, stopped, 'running', 'stopped']] $ensure_v6 = undef,
37 $enable = true, 37 Variant[Boolean, String[1]] $enable = true,
38 $enable_v6 = undef, 38 Optional[Variant[Boolean, String[1]]] $enable_v6 = undef,
39 $service_name = $firewall::params::service_name, 39 Variant[String[1], Array[String[1]]] $service_name = $firewall::params::service_name,
40 $service_name_v6 = $firewall::params::service_name_v6, 40 Optional[String[1]] $service_name_v6 = $firewall::params::service_name_v6,
41 $package_name = $firewall::params::package_name, 41 Optional[Variant[String[1], Array[String[1]]]] $package_name = $firewall::params::package_name,
42 $package_ensure = $firewall::params::package_ensure, 42 Enum[present, latest, 'present', 'latest'] $package_ensure = $firewall::params::package_ensure,
43 $sysconfig_manage = $firewall::params::sysconfig_manage, 43 Boolean $sysconfig_manage = $firewall::params::sysconfig_manage,
44 ) inherits ::firewall::params { 44 Boolean $firewalld_manage = $firewall::params::firewalld_manage,
45 ) inherits firewall::params {
45 $_ensure_v6 = pick($ensure_v6, $ensure) 46 $_ensure_v6 = pick($ensure_v6, $ensure)
46 $_enable_v6 = pick($enable_v6, $enable) 47 $_enable_v6 = pick($enable_v6, $enable)
47 48
48 # RHEL 7 / CentOS 7 and later and Fedora 15 and later require the iptables-services 49 # RHEL 7 / CentOS 7 and later and Fedora 15 and later require the iptables-services
49 # package, which provides the /usr/libexec/iptables/iptables.init used by 50 # package, which provides the /usr/libexec/iptables/iptables.init used by
50 # lib/puppet/util/firewall.rb. 51 # lib/puppet/util/firewall.rb.
51 if ($::operatingsystem != 'Amazon') 52 if ($facts['os']['name'] != 'Amazon') {
52 and (($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0) 53 if $firewalld_manage {
53 or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0)) { 54 service { 'firewalld':
54 service { 'firewalld': 55 ensure => stopped,
55 ensure => stopped, 56 enable => false,
56 enable => false, 57 before => [Package[$package_name], Service[$service_name]],
57 before => [Package[$package_name], Service[$service_name]], 58 }
58 } 59 }
59 } 60 }
60 61
61 # in RHEL 8 / CentOS 8 nftables provides a replacement iptables cli 62 # in RHEL 8 / CentOS 8 nftables provides a replacement iptables cli
62 # but there is no nftables specific for ipv6 so throw a warning 63 # but there is no nftables specific for ipv6 so throw a warning
63 if !$service_name_v6 and ($ensure_v6 or $enable_v6) { 64 if !$service_name_v6 and ($ensure_v6 or $enable_v6) {
64 warning('No v6 service available, $ensure_v6 and $enable_v6 are ignored') 65 warning('No v6 service available, $ensure_v6 and $enable_v6 are ignored')
65 } 66 }
66 67
67 if $package_name { 68 if $package_name {
68 ensure_packages($package_name, { 69 stdlib::ensure_packages($package_name, {
69 'ensure' => $package_ensure, 70 'ensure' => $package_ensure,
70 'before' => Service[$service_name] } 71 'before' => Service[$service_name] }
71 ) 72 )
72 } 73 }
73 74
74 if ($::operatingsystem != 'Amazon') 75 if ($facts['os']['name'] != 'Amazon') {
75 and (($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
76 or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0)) {
77 if $ensure == 'running' { 76 if $ensure == 'running' {
77 $running_command = ['/usr/bin/systemctl', 'daemon-reload']
78
78 exec { '/usr/bin/systemctl daemon-reload': 79 exec { '/usr/bin/systemctl daemon-reload':
80 command => $running_command,
79 require => Package[$package_name], 81 require => Package[$package_name],
80 before => Service[$service_name, $service_name_v6], 82 before => Service[$service_name, $service_name_v6],
81 subscribe => Package[$package_name], 83 subscribe => Package[$package_name],
82 refreshonly => true, 84 refreshonly => true,
83 } 85 }
84 } 86 }
85 } 87 }
86 88
87 if ($::operatingsystem == 'Amazon') and (versioncmp($::operatingsystemmajrelease, '4') >= 0) 89 if ($facts['os']['name'] == 'Amazon') and (versioncmp($facts['os']['release']['major'], '4') >= 0)
88 or ($::operatingsystem == 'Amazon') and (versioncmp($::operatingsystemmajrelease, '2') >= 0) { 90 or ($facts['os']['name'] == 'Amazon') and (versioncmp($facts['os']['release']['major'], '2') >= 0) {
89 service { $service_name: 91 service { $service_name:
90 ensure => $ensure, 92 ensure => $ensure,
91 enable => $enable, 93 enable => $enable,
92 hasstatus => true, 94 hasstatus => true,
93 provider => systemd, 95 provider => systemd,
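Review bot: The `before => [Package[$package_name], Service[$service_name]]` ordering on the new `service { 'firewalld': ... }` block (new line 57) stops and disables firewalld before the iptables package is even fetched, so the host runs with no packet filter for the whole package install plus the time until `Service[$service_name]` loads its rules, and the commit widens the set of hosts this applies to by replacing the RHEL-7/Fedora-15 release gate with `$firewalld_manage` alone. Unless the package's install scripts genuinely conflict with a running firewalld (nothing visible here suggests they do), ordering the stop after the install shrinks that window: `require => Package[$package_name],` together with `before => Service[$service_name],` in place of the current `before`. Two smaller points in the same hunk: `$package_name` is now typed `Optional[...]` and guarded by `if $package_name`, yet the unguarded `Package[$package_name]` references at new lines 57 and 81 would, I believe, fail catalog compilation on an undef title, so either drop the `Optional` or guard those references as well; and the comment at new lines 49-51 still describes the version gating the commit removed, so it should be reworded for the block it now heads, e.g. `# firewalld and the iptables service both manage the kernel ruleset; stop firewalld before iptables starts`. The class body continues past this hunk.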
129 group => 'root', 131 group => 'root',
130 mode => '0600', 132 mode => '0600',
131 } 133 }
132 } 134 }
133 135
134 # Before puppet 4, the autobefore on the firewall type does not work - therefore
135 # we need to keep this workaround here
136 if versioncmp($::puppetversion, '4.0') <= 0 {
137 File<| title == "/etc/sysconfig/${service_name}" |> -> Service<| title == $service_name |>
138 File<| title == "/etc/sysconfig/${service_name_v6}" |> -> Service<| title == $service_name_v6 |>
139 }
140
141 # Redhat 7 selinux user context for /etc/sysconfig/iptables is set to system_u 136 # Redhat 7 selinux user context for /etc/sysconfig/iptables is set to system_u
142 # Redhat 7 selinux type context for /etc/sysconfig/iptables is set to system_conf_t 137 # Redhat 7 selinux type context for /etc/sysconfig/iptables is set to system_conf_t
143 case $::selinux { 138 case $facts['os']['selinux']['enabled'] {
144 #lint:ignore:quoted_booleans 139 #lint:ignore:quoted_booleans
145 'true',true: { 140 'true',true: {
146 case $::operatingsystem { 141 case $facts['os']['name'] {
142 'RedHat': {
143 case $facts['os']['release']['full'] {
144 /^7\..*/: {
145 $seluser = 'unconfined_u'
146 $seltype = 'system_conf_t'
147 }
148 default : {
149 $seluser = 'system_u'
150 $seltype = 'system_conf_t'
151 }
152 }
153
154 File<| title == "/etc/sysconfig/${service_name}" |> { seluser => $seluser, seltype => $seltype }
155 File<| title == "/etc/sysconfig/${service_name_v6}" |> { seluser => $seluser, seltype => $seltype }
156 }
147 'CentOS': { 157 'CentOS': {
148 case $::operatingsystemrelease { 158 case $facts['os']['release']['full'] {
149 /^5\..*/: {
150 $seluser = 'system_u'
151 $seltype = 'etc_t'
152 }
153
154 /^6\..*/: { 159 /^6\..*/: {
155 $seluser = 'unconfined_u' 160 $seluser = 'unconfined_u'
156 $seltype = 'system_conf_t' 161 $seltype = 'system_conf_t'
157 } 162 }
158 163
159 /^7\..*/: { 164 /^7\..*/: {
160 $seluser = 'system_u' 165 $seluser = 'system_u'
161 $seltype = 'system_conf_t' 166 $seltype = 'system_conf_t'
167 }
168
169 /^8\..*/: {
170 $seluser = 'system_u'
171 $seltype = 'etc_t'
172 }
173
174 /^9\..*/: {
175 $seluser = 'system_u'
176 $seltype = 'etc_t'
162 } 177 }
163 178
164 default : { 179 default : {
165 $seluser = 'unconfined_u' 180 $seluser = 'unconfined_u'
166 $seltype = 'etc_t' 181 $seltype = 'etc_t'