ASDPLNG-38 Add ncsa/puppet-profile_firewall to control_repo
Add v1.0.2 of ncsa/puppet-profile_firewall. Update puppetlabs/firewall from 2.5.0 to 3.0.0. Add data/role/puppet_master.yaml to set profile_firewall::ignores hiera data so that docker firewall rules are not removed from puppet masters. Include profile_firewall in base.pp.
This commit is contained in:
parent
f092060060
commit
5f67b1f0c8
@ -16,7 +16,7 @@ mod 'ncsa/profile_allow_ssh_from_bastion', tag: 'v0.2.1', git: 'https://github.c
# mod 'ncsa/profile_chrony', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_chrony'
mod 'ncsa/profile_dns_cache', tag: 'v1.0.0', git: 'https://github.com/ncsa/puppet-profile_dns_cache'
# mod 'ncsa/profile_email', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_email'
mod 'ncsa/profile_firewall', tag: 'v1.0.1', git: 'https://github.com/ncsa/puppet-profile_firewall'
mod 'ncsa/profile_firewall', tag: 'v1.0.2', git: 'https://github.com/ncsa/puppet-profile_firewall'
mod 'ncsa/profile_monitoring', tag: 'v0.1.5', git: 'https://github.com/ncsa/puppet-profile_monitoring'
mod 'ncsa/profile_motd', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_motd'
mod 'ncsa/profile_pam_access', tag: 'v0.0.4', git: 'https://github.com/ncsa/puppet-profile_pam_access'
@ -33,8 +33,7 @@ mod 'ncsa/telegraf', tag: 'v3.1.1', git: 'https://github.com/ncsa/puppet-telegra
# mod 'puppet/rsyslog', '5.0.1'
# mod 'puppetlabs/apt', '7.3.0'
mod 'puppetlabs/concat', '6.4.0'
mod 'puppetlabs/firewall', '2.5.0'
#mod 'puppetlabs-firewall', '2.8.0'
mod 'puppetlabs/firewall', '3.0.0'
# mod 'puppetlabs/inifile', '4.1.0'
# mod 'puppetlabs/mailalias_core', '1.0.6'
mod 'puppetlabs/stdlib', '6.3.0'
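--- /dev/null
+++ b/data/role/puppet_master.yaml
@@ -0,0 +1,13 @@
+---
+profile_firewall::ignores:
+DOCKER:filter:IPv4: "*"
+DOCKER-ISOLATION-STAGE-1:filter:IPv4: "*"
+DOCKER-ISOLATION-STAGE-2:filter:IPv4: "*"
+DOCKER-USER:filter:IPv4: "*"
+FORWARD:filter:IPv4: ["docker", "DOCKER", "-o"]
+DOCKER:nat:IPv4: "*"
+PREROUTING:nat:IPv4: "-m addrtype --dst-type LOCAL -j DOCKER"
+POSTROUTING:nat:IPv4: ["172.17", "172.18", "172.19"]
+OUTPUT:nat:IPv4: "-d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER"
+
+profile_firewall::purge_all: false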
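Review bot: The FORWARD ignore pattern `["docker", "DOCKER", "-o"]` and the POSTROUTING prefixes `["172.17", "172.18", "172.19"]` look far broader than the rules Docker itself installs: if profile_firewall matches these as substrings, `-o` exempts every FORWARD rule that names an output interface and `172.17` also exempts rules for unrelated ranges such as 172.170.0.0/16, so non-Docker rules in those chains would survive a purge unnoticed. Tightening them to the forms Docker actually emits (for example the `docker0` / `br-` interface names and `172.17.0.0/16`-style networks) would keep the exemption scoped, but the module's match semantics are not visible here, so confirm them before changing. It is also unclear how `profile_firewall::purge_all: false` interacts with the ignores; if it already disables purging for this role the ignores are documentation rather than protection, and a one-line comment stating which of the two is the intended safeguard would help the next reader. Note that the rendering has dropped the YAML indentation, so the nesting of the chain keys under `profile_firewall::ignores` cannot be checked from this page.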
@ -6,6 +6,7 @@ class profile::base {
include ::profile_allow_ssh_from_bastion
include ::profile_dns_cache
# include ::profile_email
include ::profile_firewall
include ::profile_monitoring
include ::profile_motd
include ::profile_pam_access
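Review bot: Adding `include ::profile_firewall` to profile::base turns the firewall profile on for every node that includes base, while the commit only supplies `profile_firewall::purge_all: false` and ignores for the puppet_master role; if the module purges unmanaged rules by default, any other role running Docker or other locally managed iptables rules would lose them on the first agent run. A short comment on the include would make that expectation explicit, e.g. `# profile_firewall manages iptables; roles with non-Puppet rules need profile_firewall::ignores or purge_all: false in hiera`, and it is worth checking whether other roles need equivalent role-level data. The class profile::base begins before this hunk and the file's path is not shown in the rendering.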