I'm using puppetlabs/firewall with Puppet 2.7.2, and for the most part it's 
working great. I have this in my sites.pp, which I took from this list 
some time ago, to save firewall rules to disk when they're changed:

    # Always persist firewall rules
    if ($kernel == 'Linux') {
        # Only runs when notified by a Firewall/Firewallchain change.
        # exec needs a fully qualified command (or a path parameter),
        # so the original bare 'service' would fail to run.
        exec { 'persist-firewall':
            command     => '/sbin/service iptables save',
            refreshonly => true,
        }

        # Resource defaults: every Firewall resource is ordered between
        # firewall::pre and firewall::post and triggers the save above.
        Firewall {
            notify  => Exec['persist-firewall'],
            before  => Class['firewall::post'],
            require => Class['firewall::pre'],
        }
        Firewallchain {
            notify => Exec['persist-firewall'],
        }
        # Remove any iptables rule that Puppet does not manage.
        resources { 'firewall': purge => true }
    }

One issue I have run into is that any node using a class that includes 
Firewall resources *must* also have the Firewall class, or there will be a 
missing dependency for Class['firewall::pre']. I would prefer that the 
firewall is orthogonal to a class: a node can be deployed without the 
firewall class, and if the firewall is ever enabled, it will be configured 
properly. This is very useful to me when incrementally bringing critical 
production infrastructure under puppet management.

I've thought of a number of solutions. Most of them involve the use of 'if 
defined( class_name )', which has its own repercussions:
- Define a use_firewall guard parameter
- Move all Firewall resources into the firewall module as sub-classes
- Conditionally exec persist-firewall based on whether the firewall class is 
  loaded (how?)

I would love to hear about "the right way" to do something like this.

Cheers,
-David Arroyo
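Added example, not part of the original post: the "use_firewall guard parameter" option from the list above, written against the same firewall::pre / firewall::post classes and persist-firewall exec as the poster's site.pp. `$::use_firewall` is an assumed top-scope boolean (set per node by an ENC or at the top of site.pp), not something the firewall module provides, and `site::web` is an assumed class standing in for any class that owns a service.

```puppet
# site.pp (added example, not the poster's manifest)
# $::use_firewall is assumed to be a real boolean set per node (ENC or
# top of site.pp). An unset variable is undef, so the guard is off by
# default and a node can be brought under Puppet without the firewall.
if $::kernel == 'Linux' and $::use_firewall == true {
  # Pull the framing classes in here, so any Firewall resource that picks
  # up the defaults below is guaranteed to find Class['firewall::pre'] and
  # Class['firewall::post'] in the catalog instead of a missing dependency.
  include firewall::pre
  include firewall::post

  # Only runs when notified by a Firewall/Firewallchain change.
  exec { 'persist-firewall':
    command     => '/sbin/service iptables save',
    refreshonly => true,
  }

  Firewall {
    notify  => Exec['persist-firewall'],
    before  => Class['firewall::post'],
    require => Class['firewall::pre'],
  }
  Firewallchain {
    notify => Exec['persist-firewall'],
  }
  # Drop any iptables rule Puppet does not know about.
  resources { 'firewall': purge => true }
}

# A class that owns a service declares its own rules behind the same
# guard, so the node compiles and applies cleanly whether or not the
# firewall is switched on for it. (site::web is an assumed example class.)
class site::web {
  if $::use_firewall == true {
    firewall { '100 allow http':
      proto  => 'tcp',
      dport  => '80',
      action => 'accept',
    }
  }
}
```

Two things to watch with this layout: the guard inside `site::web` is what actually keeps a node firewall-free when `$::use_firewall` is off (without it the module would still apply the rule, just unordered and unpersisted), and the `== true` comparison needs a genuine boolean, so an ENC that hands back the string 'true' will not match it.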
