Thanks for the reply. I will take a look at that patch.
I have been trying to accomplish this with defined resources, unfortunately
my particular case isn't working well for that.
Here is my attempt, perhaps anyone has some suggestions?
    # Defined type: one firewall rule per source host (the resource title)
    define myfirewall::accept($proto = 'tcp', $ports) {
      firewall { "100 ${name}":
        source => $name,
        proto  => $proto,
        dport  => $ports,
        action => 'accept',
      }
    }
    import 'myfirewall'

    node 'mynode' {
      include myfirewall

      $web_servers = ['10.0.0.1', '10.0.0.2']
      $db_servers  = ['10.0.0.3']

      # An array as the title declares one myfirewall::accept per element
      myfirewall::accept { $web_servers:
        ports => ['80', '443'],
      }
      myfirewall::accept { $db_servers:
        proto => 'tcp',
        ports => '3306',
      }
    }
That works great. It allows me to accept certain ports from certain groups
of hosts. You can see the value in this, as I could create node groups and
automatically allow certain ports to certain sources. For example, allow
every machine access to ssh, allow all my app servers and all my db
servers to my db port. Allow all my app servers to some API port, etc...
But, now say I want to add a one-off rule on one of those particular hosts
that is already defined, so I add another rule.
    # Same title as an element of $web_servers above
    myfirewall::accept { '10.0.0.1':
      ports => '8888',
    }
Error: Duplicate declaration: Myfirewall::Accept[10.0.0.1] is already
declared in file /etc/puppet/manifests/nodes.pp at line 10; cannot
redeclare on node mynode
It will error out here as having a duplicate. I'm trying to figure out how
I can re-write this to make it work, but it appears the Puppet DSL only
acts on arrays when they are the name variable and then calls the resource
once for each item in the array, passing that as the name.
So, I suppose right now I need to make my groups better, so they include
all the one-offs and make sure there are no duplicates. Or, I could just
define the one-offs one at a time in each node file.
I appreciate any suggestions.
On Monday, December 3, 2012 4:43:39 PM UTC-5, Terry Z. wrote:
>
> Dusty,
>
> I actually had the same issue and brought this up with Ken Barber at
> PuppetConf. I believe he and several others have looked into this briefly
> but nothing much has come from it. There was a puppet bug report where
> another user had managed to have it take arrays without too much issue:
> http://projects.puppetlabs.com/issues/10116
>
> Unfortunately in my brief testing there was another issue created (it was
> always trying to add/remove a rule if I recall, it's been a while.)
>
> In the meantime a recommended workaround that works for some use cases is
> using a defined resource to accept the array and then create each firewall
> resource as a result.
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/794eo8u39SEJ.
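An added example (not code from the post above or from the puppetlabs-firewall module) of one way around the duplicate declaration: key the defined resource on a rule name rather than on the host address, pass the hosts as a parameter, and build a unique firewall title from rule name plus source, so a host can appear in a group rule and in a one-off rule without clashing. It assumes a Puppet version with lambda iteration (`each`, Puppet 4+) and keeps the module's convention that titles start with a number used for ordering.

```puppet
# Added example, assumes Puppet 4+ for the each() iteration.
# Title of this define is a rule name, not a host, so one host may be
# listed in several rules without a duplicate declaration.
define myfirewall::rule (
  Array[String]                  $sources,      # hosts the rule applies to
  Variant[String, Array[String]] $ports,
  String                         $proto = 'tcp',
  Integer                        $order = 100,  # numeric prefix for rule ordering
) {
  $sources.each |String $src| {
    # Unique per (rule, host): "100 web from 10.0.0.1"
    firewall { "${order} ${title} from ${src}":
      source => $src,
      proto  => $proto,
      dport  => $ports,
      action => 'accept',
    }
  }
}

node 'mynode' {
  $web_servers = ['10.0.0.1', '10.0.0.2']
  $db_servers  = ['10.0.0.3']

  myfirewall::rule { 'web':
    sources => $web_servers,
    ports   => ['80', '443'],
  }
  myfirewall::rule { 'mysql':
    sources => $db_servers,
    ports   => '3306',
  }
  # One-off for a host that is already in the 'web' group: distinct rule
  # title, distinct firewall title, so no duplicate declaration.
  myfirewall::rule { 'admin console':
    sources => ['10.0.0.1'],
    ports   => '8888',
  }
}
```

Each resulting firewall resource title (for example `100 web from 10.0.0.1` and `100 admin console from 10.0.0.1`) is unique, which is the property the catalog compiler enforces; the resulting iptables rules still accept only the listed ports from the listed sources.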