On May 22, 2009, at 10:26 PM, Kelsey Hightower wrote:
>
> Puppet::Type.newtype(:tcpwrapper) do
> @doc = "Manages tcpwarppers hosts.allow and hosts.deny entries.
> The entry will be placed in /etc/host.allow when 'allow => true'
> or 'deny => false'
> The entry will be placed in /etc/host.deny when 'deny => true' or
> 'allow => false'
> Default action is to append the entry to /etc/host.allow
>
> Examples::
>
> tcpwrapper { ALL:
> allow => true,
> daemon => \"ALL\",
> except_daemon => [vsftpd, sshd]
> host => \"ALL\"
> except_host => [cracker.domainname.com, 24.123.45.12],
> }
>
> tcpwrapper { vsftpd:
> allow => true,
> daemon => sshd,
> host => [192.168.1.22, 72.13.2.34, trusted.domain.com],
> spawn => '/bin/echo $(/bin/date) access from %h >> /var/
> log/ftp-access.log'
> }
>
> tcpwrapper { vsftpd:
> deny => true,
> daemon => sshd,
> host => [24.123.45.12, cracker.domain.com],
> twist => '/bin/echo \"Access to %d has been denied for $a
> \"'
> }
> "
>
> ensurable
>
> newparam(:name) do
> desc "The name of the resource"
> end
>
> newparam(:allow) do
> desc "Whether to allow access. Line will be appened to /etc/
> hosts.allow"
> end
>
> newparam(:deny) do
> desc "Whether to deny access. Line will be appened to /etc/
> hosts.deny"
> end
It seems like it makes more sense to have a single parameter;
something like:
tcpwrapper { foo: ensure => allowed, ... }
>
> newparam(:file) do
> desc "The file to examine (and possibly modify) for the acl"
> end
>
> newparam(:line) do
> desc "The acl to add or remove"
> end
How is this actually used? Your examples don't cover it.
>
> newproperty(:daemon, :array_matching => :all) do
> desc "A list of one or more service daemons"
> end
>
> newproperty(:host, :array_matching => :all) do
> desc "A list of one or more hostnames, ipaddresses, or
> networks"
> end
>
> newproperty(:spawn) do
> desc "Child process to be launched in the background"
> end
>
> newproperty(:twist) do
> desc "Command to run in place of the requested service"
> end
>
> newproperty(:except_daemon, :array_matching => :all) do
> desc "A list of one or more daemons to exclude from wildcard
> matches"
> end
>
> newproperty(:except_host, :array_matching => :all) do
> desc "A list of one or more hostnames, ipaddresses, or
> networks to exclude from wildcard matches"
> end
The basic model seems correct. One problem, because of Puppet's
resource uniqueness requirements at this point, is that you could only
ever have one rule about a given service. That is, you couldn't do:
tcpwrapper { foo: host => 'one.domain.com', ensure => allowed }
tcpwrapper { foo: host => 'two.domain.com', ensure => denied }
Puppet would see this as a conflict.
--
The conception of two people living together for twenty-five years
without having a cross word suggests a lack of spirit only to be
admired in sheep. --Alan Patrick Herbert
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en
-~----------~----~----~----~------~----~------~--~---
