Add support for opening puppetdb port in firewall

2012-09-17 17:06:48 -07:00 · 2012-09-17 17:06:48 -07:00 · b80866ebef
commit b80866ebef
parent 5b2f504865
4 changed files with 63 additions and 9 deletions
--- a/2
+++ b/2
@ -1,5 +1,5 @@
 name 'cprice404-puppetdb'
-version '0.1.0'
+version '0.1.1'
 source 'git://github.com/cprice-puppet/puppetlabs-puppetdb.git'
 author 'Puppet Labs'
 description 'PuppetDB resource types'
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -14,19 +14,34 @@
 class puppetdb::params {
    # TODO: need to condition this based on whether we are a PE install or not

-
    $ssl_listen_address    = $::clientcert
    $ssl_listen_port       = 8081

    $database          = 'postgres'

    # The remaining database settings are not used for an embedded database
-    $database_host     = 'localhost'
-    $database_port     = '5432'
-    $database_name     = 'puppetdb'
-    $database_username = 'puppetdb'
-    $database_password = 'puppetdb'
+    $database_host          = 'localhost'
+    $database_port          = '5432'
+    $database_name          = 'puppetdb'
+    $database_username      = 'puppetdb'
+    $database_password      = 'puppetdb'

-    $gc_interval       = 60
-    $confdir           = '/etc/puppetdb/conf.d'
+    # TODO: figure out a way to make this not platform-specific
+    $manage_redhat_firewall = true
+
+    $gc_interval            = 60
+    $confdir                = '/etc/puppetdb/conf.d'
+
+    case $::osfamily {
+      'RedHat': {
+        $firewall_supported       = true
+        $persist_firewall_command = '/sbin/iptables-save > /etc/sysconfig/iptables'
+      }
+
+      'Debian': {
+        $firewall_supported       = false
+        # TODO: not exactly sure yet what the right thing to do for Debian/Ubuntu is.
+        #$persist_firewall_command = '/sbin/iptables-save > /etc/iptables/rules.v4'
+      }
+    }
 }
--- a/manifests/server.pp
+++ b/manifests/server.pp
@ -41,6 +41,14 @@
 #                            (defaults to `puppetdb`; ignored for `embedded` db)
 #   ['database_name']      - The name of the database instance to connect to.
 #                            (defaults to `puppetdb`; ignored for `embedded` db)
+#   ['manage_redhat_firewall'] - boolean indicating whether or not the module
+#                            should open a port in the firewall on redhat-based
+#                            systems.  Defaults to `true`.  This parameter is
+#                            likely to change in future versions.  Possible
+#                            changes include support for non-RedHat systems and
+#                            finer-grained control over the firewall rule
+#                            (currently, it simply opens up the postgres port to
+#                            all TCP connections).
 #   ['confdir']            - The puppetdb configuration directory; defaults to
 #                            `/etc/puppetdb/conf.d`.
 #
@ -65,6 +73,7 @@ class puppetdb::server(
    $database_username       = $puppetdb::params::database_username,
    $database_password       = $puppetdb::params::database_password,
    $database_name           = $puppetdb::params::database_name,
+    $manage_redhat_firewall  = $puppetdb::params::manage_redhat_firewall,
    $confdir                 = $puppetdb::params::confdir,
    $gc_interval             = $puppetdb::params::gc_interval,
 ) inherits puppetdb::params {
@ -74,6 +83,11 @@ class puppetdb::server(
        notify => Service['puppetdb'],
    }

+    class { 'puppetdb::server::firewall':
+        port                   => $ssl_listen_port,
+        manage_redhat_firewall => $manage_redhat_firewall,
+    }
+
    class { 'puppetdb::server::database_ini':
        database                => $database,
        database_host           => $database_host,
@ -98,6 +112,7 @@ class puppetdb::server(
    }

    Package['puppetdb'] ->
+        Class['puppetdb::server::firewall'] ->
        Class['puppetdb::server::database_ini'] ->
        Class['puppetdb::server::jetty_ini'] ->
        Service['puppetdb']
--- a/manifests/server/firewall.pp
+++ b/manifests/server/firewall.pp
@ -0,0 +1,24 @@
+class puppetdb::server::firewall(
+    $port                   = $puppetdb::params::ssl_listen_port,
+    $manage_redhat_firewall = $puppetdb::params::manage_redhat_firewall,
+) inherits puppetdb::params {
+  # TODO: figure out a way to make this not platform-specific; debian and ubuntu
+  # have an out-of-the-box firewall configuration that seems trickier to manage.
+  # TODO: the firewall module should be able to handle this itself
+  if ($manage_redhat_firewall and $firewall_supported) {
+      exec { "persist-firewall":
+        command => $persist_firewall_command,
+        refreshonly => true,
+      }
+
+      Firewall {
+        notify => Exec["persist-firewall"]
+      }
+
+      firewall { "${port} accept - puppetdb":
+        port => $port,
+        proto => 'tcp',
+        action => 'accept',
+      }
+  }
+}