On May 27, 2009, at 10:06 PM, Kelsey Hightower wrote:
>
> On May 26, 11:38 pm, Luke Kanies <[email protected]> wrote:
>> On May 22, 2009, at 10:26 PM, Kelsey Hightower wrote:
>>
>>> Puppet::Type.newtype(:tcpwrapper) do
>>> @doc = "Manages tcpwrappers hosts.allow and hosts.deny entries.
>>> The entry will be placed in /etc/hosts.allow when 'allow => true'
>>> or 'deny => false'.
>>> The entry will be placed in /etc/hosts.deny when 'deny => true' or
>>> 'allow => false'.
>>> Default action is to append the entry to /etc/hosts.allow.
>>
>>> Examples::
>>
>>> tcpwrapper { ALL:
>>> allow => true,
>>> daemon => \"ALL\",
>>> except_daemon => [vsftpd, sshd],
>>> host => \"ALL\",
>>> except_host => [cracker.domainname.com, 24.123.45.12],
>>> }
>>
>>> tcpwrapper { vsftpd:
>>> allow => true,
>>> daemon => sshd,
>>> host => [192.168.1.22, 72.13.2.34, trusted.domain.com],
>>> spawn => '/bin/echo $(/bin/date) access from %h >> /var/log/ftp-access.log'
>>> }
>>
>>> tcpwrapper { vsftpd:
>>> deny => true,
>>> daemon => sshd,
>>> host => [24.123.45.12, cracker.domain.com],
>>> twist => '/bin/echo \"Access to %d has been denied for $a\"'
>>> }
>>> "
>>
>>> ensurable
>>
>>> newparam(:name) do
>>> desc "The name of the resource"
>>> end
>>
>>> newparam(:allow) do
>>> desc "Whether to allow access. Line will be appended to /etc/hosts.allow"
>>> end
>>
>>> newparam(:deny) do
>>> desc "Whether to deny access. Line will be appended to /etc/hosts.deny"
>>> end
>>
>> It seems like it makes more sense to have a single parameter;
>> something like:
>>
>> tcpwrapper { foo: ensure => allowed, ... }
>>
>>
>>
>>> newparam(:file) do
>>> desc "The file to examine (and possibly modify) for the acl"
>>> end
>>
>>> newparam(:line) do
>>> desc "The acl to add or remove"
>>> end
>>
>> How is this actually used? Your examples don't cover it.
>>
>>
>
>
> I agree. So in this case, ensure would replace both 'file' and 'line'
> parameters?
>
> My original thought was to use the allow and deny parameters to help
> decide what file to write the 'line' to. Because of the uniqueness
> requirements, allow and deny acls would be written to either
> host.allow or host.deny.
>
> If I understand this correctly, the 'newproperty' statements should be
> used to create the 'line' that will then be inserted into the 'file'
> via the provider?
I'd say that 'line' is redundant - isn't the whole point of this type
that you're providing the content for that line, but in a semantic way?
The provider's job should be to convert all of this semantic
information into the appropriate line in the appropriate file,
understanding formatting information and all that.
>
>>
>>
>>
>>> newproperty(:daemon, :array_matching => :all) do
>>> desc "A list of one or more service daemons"
>>> end
>>
>>> newproperty(:host, :array_matching => :all) do
>>> desc "A list of one or more hostnames, IP addresses, or networks"
>>> end
>>
>>> newproperty(:spawn) do
>>> desc "Child process to be launched in the background"
>>> end
>>
>>> newproperty(:twist) do
>>> desc "Command to run in place of the requested service"
>>> end
>>
>>> newproperty(:except_daemon, :array_matching => :all) do
>>> desc "A list of one or more daemons to exclude from wildcard matches"
>>> end
>>
>>> newproperty(:except_host, :array_matching => :all) do
>>> desc "A list of one or more hostnames, IP addresses, or networks to exclude from wildcard matches"
>>> end
>>
>> The basic model seems correct. One problem, because of Puppet's
>> resource uniqueness requirements at this point, is that you could only
>> ever have one rule about a given service. That is, you couldn't do:
>>
>> tcpwrapper { foo: host => 'one.domain.com', ensure => allowed }
>> tcpwrapper { foo: host => 'two.domain.com', ensure => denied }
>>
>> Puppet would see this as a conflict.
>>
>> --
>> The conception of two people living together for twenty-five years
>> without having a cross word suggests a lack of spirit only to be
>> admired in sheep. --Alan Patrick Herbert
>> ---------------------------------------------------------------------
>> Luke Kanies | http://reductivelabs.com | http://madstop.com
--
Don't tell me how hard you work. Tell me how much you get done.
-- James Ling
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
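Luke's point that the provider, not a 'line' parameter, should turn the type's semantic attributes into the right line in the right file, sketched as an added Ruby example (not code from this thread or from Puppet). It assumes ensure takes :allowed or :denied as Luke suggests, that the daemon/host/except_*/spawn/twist attributes are those from Kelsey's type, and the standard tcpwrappers line format daemon_list : client_list [: option].

```ruby
# Added example: render a tcpwrapper resource's attributes into a
# hosts.allow / hosts.deny line. Not Puppet's or the thread's code.
# Assumed format (from hosts_access(5)):
#   daemon_list : client_list [ : shell_command ]
# where either list may carry an EXCEPT clause.

TARGET_FILE = { allowed: "/etc/hosts.allow", denied: "/etc/hosts.deny" }.freeze

# Join a list and append an EXCEPT clause when exclusions are given.
def with_except(list, except)
  raise ArgumentError, "list must not be empty" if list.empty?
  out = list.join(", ")
  out += " EXCEPT " + except.join(", ") unless except.empty?
  out
end

# Returns [file, line] for the resource attributes. Values may be a
# String or an Array (Puppet's :array_matching => :all style).
# spawn and twist are both tcpwrappers shell-command options; only one
# makes sense per rule, so the combination is rejected here.
def tcpwrapper_line(params)
  state = params.fetch(:ensure)
  raise ArgumentError, "ensure must be :allowed or :denied" unless TARGET_FILE.key?(state)
  raise ArgumentError, "spawn and twist are mutually exclusive" if params[:spawn] && params[:twist]

  daemons = with_except(Array(params.fetch(:daemon)), Array(params[:except_daemon]))
  hosts   = with_except(Array(params.fetch(:host)),   Array(params[:except_host]))

  options = []
  options << "spawn #{params[:spawn]}" if params[:spawn]
  options << "twist #{params[:twist]}" if params[:twist]

  [TARGET_FILE[state], [daemons, hosts, *options].join(" : ")]
end

if __FILE__ == $0
  # Constructed input mirroring the first example from Kelsey's @doc.
  file, line = tcpwrapper_line(ensure: :allowed, daemon: "ALL",
                               except_daemon: %w[vsftpd sshd], host: "ALL",
                               except_host: ["cracker.domainname.com", "24.123.45.12"])
  puts "#{file}: #{line}"
end
```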