(20096) Support systemd on Fedora 15 and up #145

Merged
merged 1 commit into from
Apr 13, 2013
12 changes: 12 additions & 0 deletions lib/puppet/util/firewall.rb
Expand Up @@ -152,6 +152,11 @@ def persist_iptables(proto)
end
end

# Fedora 15 and newer use systemd for to persist iptable rules
if os_key == 'RedHat' && Facter.value(:operatingsystem) == 'Fedora' && Facter.value(:operatingsystemrelease).to_i >= 15
os_key = 'Fedora'
end

cmd = case os_key.to_sym
when :RedHat
case proto.to_sym
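Review bot: The guard `os_key == 'RedHat' && ... .to_i >= 15` leaves two cases unhandled. A non-numeric `operatingsystemrelease` string converts to 0 with `to_i`, so such a host silently stays on the `:RedHat` branch. And if `os_key` can already be 'Fedora' on entry (the spec has a case where osfamily is nil and the OS is identified from operatingsystem), a Fedora release older than 15 would now match the new `when :Fedora` branch and run the newer command. Suggest deriving the key from operatingsystem and release in one place, with an explicit fallback to the `/sbin/service` command for Fedora below 15. The added comment also has a typo: "for to persist".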
Expand All @@ -160,6 +165,13 @@ def persist_iptables(proto)
when :IPv6
%w{/sbin/service ip6tables save}
end
when :Fedora
case proto.to_sym
when :IPv4
%w{/usr/libexec/iptables.init save}
Contributor

I don't seem to have this file on Fedora 18 ... does it need a package to be installed to work?

Contributor Author

It seems iptables was removed in favor of firewalld in Fedora 18. Would it make sense to say Fedora 18 and up are unsupported until a firewalld provider is implemented? I'd be happy to work on a pull request for that and amend this one so it will fail on Fedora 18+.

Contributor

@ecbypi well, firewalld drives iptables I see. Hmm. Perhaps the module should disable firewalld, I see things should work without it - and I'm not sure if firewalld adds complete and utter coverage of iptables functionality. Some users would want to tap very specific options, and I don't think firewalld exposes them all - unless you use --direct which allows you to pass through iptables commands directly - but they look like they aren't even persisted. Damn Fedora messing with stuff :-).

Contributor

@ecbypi looks like that missing executable is provided with 'iptables-services' - the path is different as well, it's '/usr/libexec/iptables/iptables.init' ... I think this is the rough path I would take until someone does something about a firewalld provider: a) shut down firewalld and stop it from starting b) install iptables-services c) purge and override the firewalld stuff in favour of what's in puppet.

I mean, it still works - and it gives people ongoing continuity if they already have firewall rules in puppet when they go to Fedora 18 (well, really I'm more worried about the majority moving to rhel7 here obviously).

Contributor

@ecbypi anyway, this isn't helping getting your patch merged. I think with this new knowledge I'd prefer to add the path variant for Fedora 18 until this is sorted. Bonus points if you wanted to do the other stuff, but at least sort out the path variant for now so people can 'manually' sort themselves out. Right now we already have other issues with Fedora 18 (conntrack module for example) so until they are sorted those users are blocked anyway.

when :IPv6
%w{/usr/libexec/ip6tables.init save}
end
when :Debian
case proto.to_sym
when :IPv4, :IPv6
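Review bot: Both commands in the new `when :Fedora` branch are hard-coded to `/usr/libexec/iptables.init` and `/usr/libexec/ip6tables.init` for every release from 15 up, and nothing checks that the script exists before it is executed. The thread above reports the file missing on Fedora 18, where it is provided by iptables-services under `/usr/libexec/iptables/iptables.init`. Suggest selecting the path by release (or probing with `File.executable?`) and reporting a clear error that names the missing package when neither path is present, so a failed save is not mistaken for persisted rules. The IPv6 path should be checked the same way.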
13 changes: 13 additions & 0 deletions spec/unit/puppet/util/firewall_spec.rb
Expand Up @@ -97,10 +97,21 @@

it 'should exec for RedHat identified from osfamily' do
Facter.fact(:osfamily).stubs(:value).returns('RedHat')
Facter.fact(:operatingsystem).stubs(:value).returns('RedHat')

subject.expects(:execute).with(%w{/sbin/service iptables save})
subject.persist_iptables(proto)
end

it 'should exec for systemd if running Fedora 15 or greater' do
Facter.fact(:osfamily).stubs(:value).returns('RedHat')
Facter.fact(:operatingsystem).stubs(:value).returns('Fedora')
Facter.fact(:operatingsystemrelease).stubs(:value).returns('15')

subject.expects(:execute).with(%w{/usr/libexec/iptables.init save})
subject.persist_iptables(proto)
end

it 'should exec for CentOS identified from operatingsystem' do
Facter.fact(:osfamily).stubs(:value).returns(nil)
Facter.fact(:operatingsystem).stubs(:value).returns('CentOS')
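Review bot: The new 'Fedora 15 or greater' example stubs `operatingsystemrelease` only with '15' and expects only the `iptables.init` command, so neither side of the `>= 15` boundary nor the `ip6tables.init` branch is pinned down. Suggest adding a Fedora '14' case that expects `/sbin/service iptables save`, a case with a release above 15, and an IPv6 case.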
Expand All @@ -110,6 +121,8 @@

it 'should raise a warning when exec fails' do
Facter.fact(:osfamily).stubs(:value).returns('RedHat')
Facter.fact(:operatingsystem).stubs(:value).returns('RedHat')

subject.expects(:execute).with(%w{/sbin/service iptables save}).
raises(Puppet::ExecutionFailure, 'some error')
subject.expects(:warning).with('Unable to persist firewall rules: some error')
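Review bot: The `Facter.fact(:operatingsystem).stubs(:value).returns('RedHat')` line added to this example duplicates the stub added to the 'identified from osfamily' example; a shared `before` block would keep it in one place. The warning path is also exercised only for the `/sbin/service` command, so a failing `iptables.init save` on Fedora has no equivalent example.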