From 5f67b1f0c8cf6d16132d131eed38577bf9973219 Mon Sep 17 00:00:00 2001
From: bsper2
Date: Thu, 11 Mar 2021 11:52:53 -0700
Subject: [PATCH] ASDPLNG-38 Add ncsa/puppet-profile_firewall to control_repo

Add v1.0.2 of ncsa/puppet-profile_firewall Update puppetlabs/firewall from 2.5.0 to 3.0.0 Add data/role/puppet-master.yaml to set profile_firewall::ignores heira data so that docker firewall rules are not removed from puppet masters Include profile_firewall in base.pp

---
 Puppetfile | 5 ++---
 data/role/puppet_master.yaml | 13 +++++++++++++
 site-modules/profile/manifests/base.pp | 1 +
 3 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 data/role/puppet_master.yaml

diff --git a/Puppetfile b/Puppetfile
index c0de1ee..4db5750 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -16,7 +16,7 @@ mod 'ncsa/profile_allow_ssh_from_bastion', tag: 'v0.2.1', git: 'https://github.c
 # mod 'ncsa/profile_chrony', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_chrony'
 mod 'ncsa/profile_dns_cache', tag: 'v1.0.0', git: 'https://github.com/ncsa/puppet-profile_dns_cache'
 # mod 'ncsa/profile_email', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_email'
-mod 'ncsa/profile_firewall', tag: 'v1.0.1', git: 'https://github.com/ncsa/puppet-profile_firewall'
+mod 'ncsa/profile_firewall', tag: 'v1.0.2', git: 'https://github.com/ncsa/puppet-profile_firewall'
 mod 'ncsa/profile_monitoring', tag: 'v0.1.5', git: 'https://github.com/ncsa/puppet-profile_monitoring'
 mod 'ncsa/profile_motd', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_motd'
 mod 'ncsa/profile_pam_access', tag: 'v0.0.4', git: 'https://github.com/ncsa/puppet-profile_pam_access'
@@ -33,8 +33,7 @@ mod 'ncsa/telegraf', tag: 'v3.1.1', git: 'https://github.com/ncsa/puppet-telegra
 # mod 'puppet/rsyslog', '5.0.1'
 # mod 'puppetlabs/apt', '7.3.0'
 mod 'puppetlabs/concat', '6.4.0'
-mod 'puppetlabs/firewall', '2.5.0'
-#mod 'puppetlabs-firewall', '2.8.0'
+mod 'puppetlabs/firewall', '3.0.0'
 # mod 'puppetlabs/inifile', '4.1.0'
 # mod 'puppetlabs/mailalias_core', '1.0.6'
 mod 'puppetlabs/stdlib', '6.3.0'
diff --git a/data/role/puppet_master.yaml b/data/role/puppet_master.yaml
new file mode 100644
index 0000000..825abf4
--- /dev/null
+++ b/data/role/puppet_master.yaml
@@ -0,0 +1,13 @@
+---
+profile_firewall::ignores:
+ DOCKER:filter:IPv4: "*"
+ DOCKER-ISOLATION-STAGE-1:filter:IPv4: "*"
+ DOCKER-ISOLATION-STAGE-2:filter:IPv4: "*"
+ DOCKER-USER:filter:IPv4: "*"
+ FORWARD:filter:IPv4: ["docker", "DOCKER", "-o"]
+ DOCKER:nat:IPv4: "*"
+ PREROUTING:nat:IPv4: "-m addrtype --dst-type LOCAL -j DOCKER"
+ POSTROUTING:nat:IPv4: ["172.17", "172.18", "172.19"]
+ OUTPUT:nat:IPv4: "-d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER"
+
+profile_firewall::purge_all: false
diff --git a/site-modules/profile/manifests/base.pp b/site-modules/profile/manifests/base.pp
index 8b42c88..faa2619 100644
--- a/site-modules/profile/manifests/base.pp
+++ b/site-modules/profile/manifests/base.pp
@@ -6,6 +6,7 @@ class profile::base {
 include ::profile_allow_ssh_from_bastion
 include ::profile_dns_cache
 # include ::profile_email
+ include ::profile_firewall
 include ::profile_monitoring
 include ::profile_motd
 include ::profile_pam_access
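Review bot: The exemption `FORWARD:filter:IPv4: ["docker", "DOCKER", "-o"]` in the new data/role/puppet_master.yaml is broader than the Docker rules it is meant to protect: if the entries are matched against the rule text as substrings (the matching semantics of profile_firewall::ignores are not visible here), `"-o"` exempts every unmanaged FORWARD rule that names an output interface, and the bare prefixes in `POSTROUTING:nat:IPv4: ["172.17", "172.18", "172.19"]` also match unrelated addresses such as `10.172.17.0/24`. Tighter patterns, for example the bridge-name prefix `"br-"` instead of `"-o"` and the full subnets such as `"172.17.0.0/16"`, would keep the purge meaningful on the masters while still covering Docker's user-defined networks. It is also unclear whether the ignores list or `profile_firewall::purge_all: false` is what actually preserves the Docker rules; if purge is disabled for the role, every unmanaged rule survives and the list becomes documentation only, which should be stated. A leading comment such as `# Docker's default chains and bridge subnets; exempted so purging does not break container networking on the masters` would record the intent.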
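Review bot: `include ::profile_firewall` turns on firewall management for every node that includes profile::base, while the only purge exemptions added in this commit live in data/role/puppet_master.yaml; if the module purges unmanaged rules by default (not visible here), any other role that runs Docker or carries locally added rules will lose them on the first run after this change. A comment beside the include would make that dependency explicit, e.g. `# profile_firewall may purge unmanaged iptables rules; exempt role-specific rules via profile_firewall::ignores in hiera (see data/role/puppet_master.yaml)`. The enclosing class profile::base starts outside the hunk.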