/spec/acceptance/all_rules_spec.rb - Annoter - puppet nftables - Koumbit's Redmine

cfcafde5

Steve Traylen

require 'spec_helper_acceptance'

2

3

describe 'nftables class' do

4

  context 'configure all nftables rules' do

5

    it 'works idempotently with no errors' do

6

      pp = <<-EOS

7

      # default mask of firewalld service fails if service is not installed.

8

      # https://tickets.puppetlabs.com/browse/PUP-10814

9

      # Disable all default rules and include below explicitly

10

      class { 'nftables':

11

        firewalld_enable => false,

12

        out_ntp          => false,

13

        out_http         => false,

14

        out_https        => false,

15

        out_icmp         => false,

16

        in_ssh           => false,

17

        in_icmp          => false,

18

19

      include nftables::rules::icmp

20

      include nftables::rules::dns

21

      include nftables::rules::node_exporter

22

      include nftables::rules::nfs3

23

      include nftables::rules::ssh

24

      include nftables::rules::dhcpv6_client

25

      include nftables::rules::afs3_callback

26

      include nftables::rules::ospf

27

      include nftables::rules::http

28

      include nftables::rules::puppet

29

      include nftables::rules::icinga2

30

      include nftables::rules::tor

31

      include nftables::rules::ospf3

32

      include nftables::rules::ceph_mon

33

      include nftables::rules::smtp_submission

34

      include nftables::rules::https

35

      include nftables::rules::nfs

36

      include nftables::rules::smtps

37

      include nftables::rules::smtp

38

      include nftables::rules::ceph

39

      include nftables::rules::out::postgres

40

      include nftables::rules::out::icmp

41

      include nftables::rules::out::dns

42

      include nftables::rules::out::nfs3

43

      include nftables::rules::out::ssh

44

      include nftables::rules::out::kerberos

45

      include nftables::rules::out::dhcpv6_client

46

      include nftables::rules::out::ospf

47

      include nftables::rules::out::openafs_client

48

      include nftables::rules::out::http

49

      include nftables::rules::out::ssh::remove

50

      class{'nftables::rules::out::puppet':

52

cfcafde5

Steve Traylen

53

      include nftables::rules::out::all

54

      include nftables::rules::out::tor

55

      include nftables::rules::out::ospf3

56

      include nftables::rules::out::mysql

57

      include nftables::rules::out::ceph_client

58

      include nftables::rules::out::https

59

      include nftables::rules::out::dhcp

60

      include nftables::rules::out::nfs

61

      include nftables::rules::out::smtp

62

      include nftables::rules::out::chrony

63

      include nftables::rules::out::wireguard

64

      include nftables::rules::wireguard

65

      include nftables::services::dhcpv6_client

66

      include nftables::services::openafs_client

67

      # nftables cannot be started in docker so replace service with a validation only.

68

      systemd::dropin_file{"zzz_docker_nft.conf":

69

        ensure  => present,

70

        unit    => "nftables.service",

71

        content => [

72

          "[Service]",

73

          "ExecStart=",

74

          "ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",

75

          "ExecReload=",

76

          "ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",

77

"",

78

          ].join("\n"),

79

        notify  => Service["nftables"],

80

81

      # Puppet 5 only to ensure ordering.

82

      Class['systemd::systemctl::daemon_reload'] -> Service['nftables']

83

EOS

84

      # Run it twice and test for idempotency

85

      apply_manifest(pp, catch_failures: true)

86

      apply_manifest(pp, catch_changes: true)

87

end

88

89

    describe package('nftables') do

90

      it { is_expected.to be_installed }

91

end

92

93

    describe service('nftables') do

94

      it { is_expected.to be_running }

95

      it { is_expected.to be_enabled }

96

end

97

98

    describe file('/etc/nftables/puppet.nft') do

99

      it { is_expected.to be_file }

100

end

101

102

    describe file('/etc/systemd/system/nftables.service.d/puppet_nft.conf') do

103

      it { is_expected.to be_file }

104

end

105

106

    describe file('/etc/nftables/puppet') do

107

      it { is_expected.to be_directory }

108

end

109

end

110

end

Projet

Général

Profil

puppet nftables

root / spec / acceptance / all_rules_spec.rb @ 04176b0e