2

Is it possible to include a parameterized class in all nodes, but override the parameters in some cases?

asked 2013-01-09 21:37:34 -0500

zacharyalexstern

Currently we use puppet to manage iptables.

We pull in a list of all the IPs of all our servers from puppetdb, using the puppetdb-query module, and then dump them into an iptables config which is pushed out to all of our servers. This way, all of our servers can talk to all of our other servers, but block connections from other computers on the same network. (We are using a public cloud solution, so this is necessary.)

Additionally the iptables class is parameterized to allow the opening of specific ports publicly, e.g. http, https, and whatever else we ... (more)


2 Answers

2

answered 2013-01-10 13:15:07 -0500

llowder

If you are using puppet 3 you can take advantage of the data bindings by setting up your hierarchy to include hostname, certname, or fqdn, for example:

:hierarchy:
  - "%{hostname}"
  - common

You can also use some sort of custom fact if you would need the same settings applied to, say, a cluster of machines (this is what I do, using a custom fact named node_id that will be either the hostname of the node or something identifying which cluster the node belongs to for the web or app server nodes).

Example:

#server1.yaml
---
iptables::someparam: 'somevalue'

and

#server2.yaml
---
iptables::someparam: 'someothervalue ...
(more)

Comments

We aren't using hiera yet, but when we are, I'll look into this. For the time being I need to find an alternate solution using just plain puppet.

zacharyalexstern ( 2013-01-10 13:28:18 -0500 )
1

Using just plain puppet, the only way I know of would be to manually add the class to each node with the appropriate params.

llowder ( 2013-01-10 13:50:16 -0500 )
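Both routes from this answer and its comments, as an added example (not llowder's or the question's own code): a single iptables class included on every node whose parameters come from Hiera under Puppet 3 automatic parameter lookup, and, for a site without Hiera, an explicit class declaration on the nodes that need different values. It assumes puppetlabs-stdlib (validate_array), a hiera.yaml whose hierarchy lists "%{::fqdn}" above "common", a template file iptables/rules.erb that renders the two lists, and the constructed node name web01.example.com.

```puppet
# Added example, not code from the answer. Assumed Hiera data files (constructed):
#   common.yaml               ->  iptables::public_ports: []
#   web01.example.com.yaml    ->  iptables::public_ports: [80, 443]
class iptables (
  $public_ports = [],   # Puppet 3 looks up iptables::public_ports in Hiera when the class is included
  $admin_port   = 22,   # same for iptables::admin_port; falls back to this default
) {
  validate_array($public_ports)   # puppetlabs-stdlib

  # Every managed server may reach every other one. In the question this list
  # comes from puppetdb-query; here it is a constructed sample.
  $server_ips = ['10.0.0.5', '10.0.0.6']

  file { '/etc/iptables.rules':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    # assumed template: accepts $server_ips on every port, the world on $public_ports,
    # and drops everything else from the shared network
    content => template('iptables/rules.erb'),
  }
}

# site.pp, with Hiera: every node gets the same line and Hiera picks the values
# from the fqdn-specific file, then common.yaml.
node default {
  include iptables
}

# site.pp, without Hiera (the comment thread): declare the class per node with
# its own parameters. An explicit declaration like this also wins over Hiera
# data for that node if both are present.
node 'web01.example.com' {
  class { 'iptables':
    public_ports => [80, 443],
  }
}
```

With the Hiera route the override is a one-line YAML change on the node's own data file and the manifests stay identical for all servers; with the plain-puppet route each overriding node needs its own node block, and a node can only declare the class once, so `include iptables` and `class { 'iptables': ... }` must not both apply to the same node.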
0

answered 2013-02-28 18:53:44 -0500

Ancillas

updated 2013-02-28 21:12:43 -0500

It seems like you need a base class to make sure that iptables is installed and configured, and then a defined type for adding iptables rules.

You might have a defined type like this:

# is_numeric and is_ip_address come from puppetlabs-stdlib
define iptables::allow (
  $port,
  $source,
) {
  if ! is_numeric($port) {
    fail('$port must be numeric')
  }

  if ! is_ip_address($source) {
    fail('$source must be an IP address')
  }

  # Do the work to open the firewall from $source to $port
}

It would be very much like using the puppetlabs-apt module.

In the class where you call iptables::allow, you could fetch your collection from puppetdb, and pass an array of IPs to iptables ... (more)

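The base class plus defined type this answer sketches, filled in as an added example (not Ancillas's code): the define validates its inputs at catalog compile time, so a bad port or source fails before anything touches the firewall, and the array of server IPs from PuppetDB is passed as the resource titles. It assumes puppetlabs-stdlib (is_numeric, is_ip_address), the iptables binary under /sbin, and a hypothetical "accept TCP from $source to $port" rule as the work the define does.

```puppet
# Added example, not code from the answer.
class iptables {
  # The base class only guarantees the tool is present; rules are added by the define.
  package { 'iptables':
    ensure => installed,
  }
}

define iptables::allow (
  $port,
  $source = $title,   # assumption: defaults to the title so an array of IPs can be the titles
) {
  include iptables

  if ! is_numeric($port) {
    fail("iptables::allow[${title}]: port '${port}' must be numeric")
  }

  if ! is_ip_address($source) {
    fail("iptables::allow[${title}]: source '${source}' must be an IP address")
  }

  $rule = "INPUT -p tcp -s ${source} --dport ${port} -j ACCEPT"

  # 'iptables -C' checks whether the rule already exists, so the exec is
  # idempotent: a second Puppet run does not stack a duplicate rule.
  exec { "iptables-allow-${source}-${port}":
    command => "/sbin/iptables -I ${rule}",
    unless  => "/sbin/iptables -C ${rule}",
    path    => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
    require => Package['iptables'],
  }
}

# Constructed sample; in the question this array comes from puppetdb-query.
$server_ips = ['10.0.0.5', '10.0.0.6']

# One resource per IP: the IP is the title and therefore the $source.
iptables::allow { $server_ips:
  port => 22,
}

# A declaration like the following would fail the catalog before any run:
# iptables::allow { 'bad': port => 'ssh', source => '10.0.0.7' }
```

Rules added through `exec` live only in the running kernel table, so they need to be saved (for example by a notified `iptables-save` exec, or by writing a rules file as the first answer's approach does) to survive a reboot; the validation in the define is what keeps a malformed IP list from PuppetDB from producing a broken or over-permissive rule set.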

Stats

Asked: 2013-01-09 21:37:34 -0500

Seen: 425 times

Last updated: Feb 28 '13