]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/networking/recipes/default.rb
projects / chef.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Convert firewall_rule to a resource
[chef.git] / cookbooks / networking / recipes / default.rb
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index f56689d46d4929c49c6256b806ef97a293c4be44..c195251e6803b7fdf3ff65492ada07020759ace8 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -1,9 +1,9 @@
 #
 #
-# Cookbook Name:: networking
+# Cookbook:: networking
 # Recipe:: default
 #
 # Recipe:: default
 #
-# Copyright 2010, OpenStreetMap Foundation.
-# Copyright 2009, Opscode, Inc.
+# Copyright:: 2010, OpenStreetMap Foundation.
+# Copyright:: 2009, Opscode, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,7 +23,7 @@
 require "ipaddr"
 require "yaml"
 
 require "ipaddr"
 require "yaml"
 
-network_packages = []
+package "netplan.io"
 
 netplan = {
   "network" => {
 
 netplan = {
   "network" => {
@@ -37,211 +37,236 @@ netplan = {
 
 node[:networking][:interfaces].each do |name, interface|
   if interface[:interface]
 
 node[:networking][:interfaces].each do |name, interface|
   if interface[:interface]
-    network_packages |= ["vlan"] if interface[:interface] =~ /\.\d+$/
-    network_packages |= ["ifenslave"] if interface[:bond]
-
     if interface[:role] && (role = node[:networking][:roles][interface[:role]])
       if role[interface[:family]]
     if interface[:role] && (role = node[:networking][:roles][interface[:role]])
       if role[interface[:family]]
-        node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
-        node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
+        node.default[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
+        node.default[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
+        node.default[:networking][:interfaces][name][:routes] = role[interface[:family]][:routes]
       end
 
       end
 
-      node.normal[:networking][:interfaces][name][:metric] = role[:metric]
-      node.normal[:networking][:interfaces][name][:zone] = role[:zone]
+      node.default[:networking][:interfaces][name][:metric] = role[:metric]
+      node.default[:networking][:interfaces][name][:zone] = role[:zone]
     end
 
     end
 
-    prefix = node[:networking][:interfaces][name][:prefix]
-
-    node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
-    node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
-
-    if node[:networking][:netplan]
-      deviceplan = if interface[:interface] =~ /^(.*)\.(\d+)$/
-                     netplan["network"]["vlans"][interface[:interface]] ||= {
-                       "id" => Regexp.last_match(2).to_i,
-                       "link" => Regexp.last_match(1),
-                       "accept-ra" => false,
-                       "addresses" => [],
-                       "routes" => []
-                     }
-                   elsif interface[:interface] =~ /^bond\d+$/
-                     netplan["network"]["bonds"][interface[:interface]] ||= {
-                       "accept-ra" => false,
-                       "addresses" => [],
-                       "routes" => []
-                     }
-                   else
-                     netplan["network"]["ethernets"][interface[:interface]] ||= {
-                       "accept-ra" => false,
-                       "addresses" => [],
-                       "routes" => []
-                     }
-                   end
+    if interface[:address]
+      prefix = node[:networking][:interfaces][name][:prefix]
+
+      node.default[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
+      node.default[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
+    end
 
 
+    interface = node[:networking][:interfaces][name]
+
+    deviceplan = if interface[:interface] =~ /^(.*)\.(\d+)$/
+                   netplan["network"]["vlans"][interface[:interface]] ||= {
+                     "id" => Regexp.last_match(2).to_i,
+                     "link" => Regexp.last_match(1),
+                     "accept-ra" => false,
+                     "addresses" => [],
+                     "routes" => []
+                   }
+                 elsif interface[:interface] =~ /^bond\d+$/
+                   netplan["network"]["bonds"][interface[:interface]] ||= {
+                     "accept-ra" => false,
+                     "addresses" => [],
+                     "routes" => []
+                   }
+                 else
+                   netplan["network"]["ethernets"][interface[:interface]] ||= {
+                     "accept-ra" => false,
+                     "addresses" => [],
+                     "routes" => []
+                   }
+                 end
+
+    if interface[:address]
       deviceplan["addresses"].push("#{interface[:address]}/#{prefix}")
       deviceplan["addresses"].push("#{interface[:address]}/#{prefix}")
+    end
 
 
-      if interface[:bond]
-        deviceplan["interfaces"] = interface[:bond][:slaves].to_a
+    if interface[:mtu]
+      deviceplan["mtu"] = interface[:mtu]
+    end
 
 
-        deviceplan["parameters"] = {
-          "mode" => interface[:bond][:mode] || "active-backup",
-          "primary" => interface[:bond][:slaves].first,
-          "mii-monitor-interval" => interface[:bond][:miimon] || 100,
-          "down-delay" => interface[:bond][:downdelay] || 200,
-          "up-delay" => interface[:bond][:updelay] || 200
-        }
+    if interface[:bond]
+      deviceplan["interfaces"] = interface[:bond][:slaves].to_a
 
 
-        deviceplan["parameters"]["transmit-hash-policy"] = interface[:bond][:xmithashpolicy] if interface[:bond][:xmithashpolicy]
-        deviceplan["parameters"]["lacp-rate"] = interface[:bond][:lacprate] if interface[:bond][:lacprate]
-      end
+      deviceplan["parameters"] = {
+        "mode" => interface[:bond][:mode] || "active-backup",
+        "primary" => interface[:bond][:slaves].first,
+        "mii-monitor-interval" => interface[:bond][:miimon] || 100,
+        "down-delay" => interface[:bond][:downdelay] || 200,
+        "up-delay" => interface[:bond][:updelay] || 200
+      }
 
 
-      if interface[:gateway]
-        if interface[:family] == "inet"
-          default_route = "0.0.0.0/0"
-        elsif interface[:family] == "inet6"
-          default_route = "::/0"
-        end
+      deviceplan["parameters"]["transmit-hash-policy"] = interface[:bond][:xmithashpolicy] if interface[:bond][:xmithashpolicy]
+      deviceplan["parameters"]["lacp-rate"] = interface[:bond][:lacprate] if interface[:bond][:lacprate]
+    end
 
 
+    if interface[:gateway]
+      if interface[:family] == "inet"
+        default_route = "0.0.0.0/0"
+      elsif interface[:family] == "inet6"
+        default_route = "::/0"
+      end
+
+      deviceplan["routes"].push(
+        "to" => default_route,
+        "via" => interface[:gateway],
+        "metric" => interface[:metric],
+        "on-link" => true
+      )
+
+      # This ordering relies on systemd-networkd adding routes
+      # in reverse order and will need moving before the previous
+      # route once that is fixed:
+      #
+      # https://github.com/systemd/systemd/issues/5430
+      # https://github.com/systemd/systemd/pull/10938
+      if interface[:family] == "inet6" &&
+         !interface[:network].include?(interface[:gateway]) &&
+         !IPAddr.new("fe80::/64").include?(interface[:gateway])
         deviceplan["routes"].push(
         deviceplan["routes"].push(
-          "to" => default_route,
-          "via" => interface[:gateway],
-          "metric" => interface[:metric],
-          "on-link" => true
+          "to" => interface[:gateway],
+          "scope" => "link"
         )
         )
+      end
 
 
-        # This ordering relies on systemd-networkd adding routes
-        # in reverse order and will need moving before the previous
-        # route once that is fixed:
-        #
-        # https://github.com/systemd/systemd/issues/5430
-        # https://github.com/systemd/systemd/pull/10938
-        if interface[:family] == "inet6" &&
-           !interface[:network].include?(interface[:gateway]) &&
-           !IPAddr.new("fe80::/64").include?(interface[:gateway])
-          deviceplan["routes"].push(
-            "to" => interface[:gateway],
-            "scope" => "link"
-          )
+      if interface[:role] == "internal" && interface[:gateway] != interface[:address]
+        search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
+          next unless gateway[:openvpn]
+
+          gateway[:openvpn][:tunnels].each_value do |tunnel|
+            if tunnel[:peer][:address]
+              deviceplan["routes"].push(
+                "to" => "#{tunnel[:peer][:address]}/32",
+                "via" => interface[:gateway]
+              )
+
+              route tunnel[:peer][:address] do
+                netmask "255.255.255.255"
+                gateway interface[:gateway]
+                device interface[:interface]
+              end
+            end
+
+            next unless tunnel[:peer][:networks]
+
+            tunnel[:peer][:networks].each do |network|
+              prefix = IPAddr.new("#{network[:address]}/#{network[:netmask]}").prefix
+
+              deviceplan["routes"].push(
+                "to" => "#{network[:address]}/#{prefix}",
+                "via" => interface[:gateway]
+              )
+
+              route network[:address] do
+                netmask network[:netmask]
+                gateway interface[:gateway]
+                device interface[:interface]
+              end
+            end
+          end
         end
       end
     end
         end
       end
     end
-  else
-    node.rm(:networking, :interfaces, name)
-  end
-end
 
 
-if node[:networking][:netplan]
-  package "netplan.io"
+    if interface[:routes]
+      interface[:routes].each do |to, parameters|
+        route = {
+          "to" => to
+        }
 
 
-  file "/etc/netplan/01-netcfg.yaml" do
-    action :delete
-  end
+        route["type"] = parameters[:type] if parameters[:type]
+        route["via"] = parameters[:via] if parameters[:via]
+        route["metric"] = parameters[:metric] if parameters[:metric]
 
 
-  netplan["network"]["bonds"].each_value do |bond|
-    bond["interfaces"].each do |interface|
-      netplan["network"]["ethernets"][interface] ||= { "accept-ra" => false }
+        deviceplan["routes"].push(route)
+      end
     end
     end
+  else
+    node.rm(:networking, :interfaces, name)
   end
   end
+end
 
 
-  netplan["network"]["vlans"].each_value do |vlan|
-    unless vlan["link"] =~ /^bond\d+$/
-      netplan["network"]["ethernets"][vlan["link"]] ||= { "accept-ra" => false }
-    end
+netplan["network"]["bonds"].each_value do |bond|
+  bond["interfaces"].each do |interface|
+    netplan["network"]["ethernets"][interface] ||= { "accept-ra" => false }
   end
   end
+end
 
 
-  file "/etc/netplan/99-chef.yaml" do
-    owner "root"
-    group "root"
-    mode 0o644
-    content YAML.dump(netplan)
+netplan["network"]["vlans"].each_value do |vlan|
+  unless vlan["link"] =~ /^bond\d+$/
+    netplan["network"]["ethernets"][vlan["link"]] ||= { "accept-ra" => false }
   end
   end
+end
 
 
-  service "networking" do
-    action :disable
-  end
+file "/etc/netplan/01-netcfg.yaml" do
+  action :delete
+end
 
 
-  file "/etc/network/interfaces" do
-    action :delete
-  end
+file "/etc/netplan/50-cloud-init.yaml" do
+  action :delete
+end
 
 
-  package "ifupdown" do
-    action :purge
-  end
-else
-  package network_packages
+file "/etc/netplan/99-chef.yaml" do
+  owner "root"
+  group "root"
+  mode "644"
+  content YAML.dump(netplan)
+end
 
 
-  template "/etc/network/interfaces" do
-    source "interfaces.erb"
-    owner "root"
-    group "root"
-    mode 0o644
-  end
+package "cloud-init" do
+  action :purge
 end
 
 end
 
-execute "hostname" do
+ohai "reload-hostname" do
   action :nothing
   action :nothing
-  command "/bin/hostname -F /etc/hostname"
+  plugin "hostname"
 end
 
 end
 
-template "/etc/hostname" do
-  source "hostname.erb"
-  owner "root"
-  group "root"
-  mode 0o644
-  notifies :run, "execute[hostname]"
+execute "hostnamectl-set-hostname" do
+  command "hostnamectl set-hostname #{node[:networking][:hostname]}"
+  notifies :reload, "ohai[reload-hostname]"
+  not_if { ENV.key?("TEST_KITCHEN") || node[:hostnamectl][:static_hostname] == node[:networking][:hostname] }
 end
 
 template "/etc/hosts" do
   source "hosts.erb"
   owner "root"
   group "root"
 end
 
 template "/etc/hosts" do
   source "hosts.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
+  not_if { ENV["TEST_KITCHEN"] }
 end
 
 end
 
-unless node[:networking][:nameservers].empty?
-  link "/etc/resolv.conf" do
-    action :delete
-    link_type :symbolic
-    to "/run/resolvconf/resolv.conf"
-    only_if { File.symlink?("/etc/resolv.conf") }
-  end
-
-  template "/etc/resolv.conf" do
-    source "resolv.conf.erb"
-    owner "root"
-    group "root"
-    mode 0o644
-  end
+service "systemd-resolved" do
+  action [:enable, :start]
 end
 
 end
 
-node.interfaces(:role => :internal) do |interface|
-  if interface[:gateway] && interface[:gateway] != interface[:address]
-    search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
-      next unless gateway[:openvpn]
-
-      gateway[:openvpn][:tunnels].each_value do |tunnel|
-        if tunnel[:peer][:address] # ~FC023
-          route tunnel[:peer][:address] do
-            netmask "255.255.255.255"
-            gateway interface[:gateway]
-            device interface[:interface]
-          end
-        end
+directory "/etc/systemd/resolved.conf.d" do
+  owner "root"
+  group "root"
+  mode "755"
+end
 
 
-        next unless tunnel[:peer][:networks]
+template "/etc/systemd/resolved.conf.d/99-chef.conf" do
+  source "resolved.conf.erb"
+  owner "root"
+  group "root"
+  mode "644"
+  notifies :restart, "service[systemd-resolved]", :immediately
+end
 
 
-        tunnel[:peer][:networks].each do |network|
-          route network[:address] do
-            netmask network[:netmask]
-            gateway interface[:gateway]
-            device interface[:interface]
-          end
-        end
-      end
-    end
+if node[:filesystem][:by_mountpoint][:"/etc/resolv.conf"]
+  mount "/etc/resolv.conf" do
+    action :umount
+    device node[:filesystem][:by_mountpoint][:"/etc/resolv.conf"][:devices].first
   end
 end
 
   end
 end
 
+link "/etc/resolv.conf" do
+  to "../run/systemd/resolve/stub-resolv.conf"
+end
+
 zones = {}
 
 search(:node, "networking:interfaces").collect do |n|
 zones = {}
 
 search(:node, "networking:interfaces").collect do |n|
@@ -262,7 +287,7 @@ template "/etc/default/shorewall" do
   source "shorewall-default.erb"
   owner "root"
   group "root"
   source "shorewall-default.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
   notifies :restart, "service[shorewall]"
 end
 
   notifies :restart, "service[shorewall]"
 end
 
@@ -270,7 +295,7 @@ template "/etc/shorewall/shorewall.conf" do
   source "shorewall.conf.erb"
   owner "root"
   group "root"
   source "shorewall.conf.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
   notifies :restart, "service[shorewall]"
 end
 
   notifies :restart, "service[shorewall]"
 end
 
@@ -278,7 +303,7 @@ template "/etc/shorewall/zones" do
   source "shorewall-zones.erb"
   owner "root"
   group "root"
   source "shorewall-zones.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
   variables :type => "ipv4"
   notifies :restart, "service[shorewall]"
 end
   variables :type => "ipv4"
   notifies :restart, "service[shorewall]"
 end
@@ -287,7 +312,7 @@ template "/etc/shorewall/interfaces" do
   source "shorewall-interfaces.erb"
   owner "root"
   group "root"
   source "shorewall-interfaces.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
   notifies :restart, "service[shorewall]"
 end
 
   notifies :restart, "service[shorewall]"
 end
 
@@ -295,7 +320,7 @@ template "/etc/shorewall/hosts" do
   source "shorewall-hosts.erb"
   owner "root"
   group "root"
   source "shorewall-hosts.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
   variables :zones => zones
   notifies :restart, "service[shorewall]"
 end
   variables :zones => zones
   notifies :restart, "service[shorewall]"
 end
@@ -304,7 +329,7 @@ template "/etc/shorewall/conntrack" do
   source "shorewall-conntrack.erb"
   owner "root"
   group "root"
   source "shorewall-conntrack.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
   notifies :restart, "service[shorewall]"
   only_if { node[:networking][:firewall][:raw] }
 end
   notifies :restart, "service[shorewall]"
   only_if { node[:networking][:firewall][:raw] }
 end
@@ -313,19 +338,25 @@ template "/etc/shorewall/policy" do
   source "shorewall-policy.erb"
   owner "root"
   group "root"
   source "shorewall-policy.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
   notifies :restart, "service[shorewall]"
 end
 
 template "/etc/shorewall/rules" do
   notifies :restart, "service[shorewall]"
 end
 
 template "/etc/shorewall/rules" do
+  action :nothing
   source "shorewall-rules.erb"
   owner "root"
   group "root"
   source "shorewall-rules.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
   variables :family => "inet"
   notifies :restart, "service[shorewall]"
 end
 
   variables :family => "inet"
   notifies :restart, "service[shorewall]"
 end
 
+notify_group "shorewall-rules" do
+  action :run
+  notifies :create, "template[/etc/shorewall/rules]"
+end
+
 service "shorewall" do
   action [:enable, :start]
   supports :restart => true
 service "shorewall" do
   action [:enable, :start]
   supports :restart => true
@@ -336,7 +367,7 @@ template "/etc/logrotate.d/shorewall" do
   source "logrotate.shorewall.erb"
   owner "root"
   group "root"
   source "logrotate.shorewall.erb"
   owner "root"
   group "root"
-  mode 0o644
+  mode "644"
   variables :name => "shorewall"
 end
 
   variables :name => "shorewall"
 end
 
@@ -366,7 +397,7 @@ if node[:roles].include?("gateway")
     source "shorewall-masq.erb"
     owner "root"
     group "root"
     source "shorewall-masq.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     notifies :restart, "service[shorewall]"
   end
 else
     notifies :restart, "service[shorewall]"
   end
 else
@@ -383,7 +414,7 @@ unless node.interfaces(:family => :inet6).empty?
     source "shorewall-default.erb"
     owner "root"
     group "root"
     source "shorewall-default.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     notifies :restart, "service[shorewall6]"
   end
 
     notifies :restart, "service[shorewall6]"
   end
 
@@ -391,7 +422,7 @@ unless node.interfaces(:family => :inet6).empty?
     source "shorewall6.conf.erb"
     owner "root"
     group "root"
     source "shorewall6.conf.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     notifies :restart, "service[shorewall6]"
   end
 
     notifies :restart, "service[shorewall6]"
   end
 
@@ -399,7 +430,7 @@ unless node.interfaces(:family => :inet6).empty?
     source "shorewall-zones.erb"
     owner "root"
     group "root"
     source "shorewall-zones.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     variables :type => "ipv6"
     notifies :restart, "service[shorewall6]"
   end
     variables :type => "ipv6"
     notifies :restart, "service[shorewall6]"
   end
@@ -408,7 +439,7 @@ unless node.interfaces(:family => :inet6).empty?
     source "shorewall6-interfaces.erb"
     owner "root"
     group "root"
     source "shorewall6-interfaces.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     notifies :restart, "service[shorewall6]"
   end
 
     notifies :restart, "service[shorewall6]"
   end
 
@@ -416,7 +447,7 @@ unless node.interfaces(:family => :inet6).empty?
     source "shorewall6-hosts.erb"
     owner "root"
     group "root"
     source "shorewall6-hosts.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     variables :zones => zones
     notifies :restart, "service[shorewall6]"
   end
     variables :zones => zones
     notifies :restart, "service[shorewall6]"
   end
@@ -425,7 +456,7 @@ unless node.interfaces(:family => :inet6).empty?
     source "shorewall-conntrack.erb"
     owner "root"
     group "root"
     source "shorewall-conntrack.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     notifies :restart, "service[shorewall6]"
     only_if { node[:networking][:firewall][:raw] }
   end
     notifies :restart, "service[shorewall6]"
     only_if { node[:networking][:firewall][:raw] }
   end
@@ -434,19 +465,25 @@ unless node.interfaces(:family => :inet6).empty?
     source "shorewall-policy.erb"
     owner "root"
     group "root"
     source "shorewall-policy.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     notifies :restart, "service[shorewall6]"
   end
 
   template "/etc/shorewall6/rules" do
     notifies :restart, "service[shorewall6]"
   end
 
   template "/etc/shorewall6/rules" do
+    action :nothing
     source "shorewall-rules.erb"
     owner "root"
     group "root"
     source "shorewall-rules.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     variables :family => "inet6"
     notifies :restart, "service[shorewall6]"
   end
 
     variables :family => "inet6"
     notifies :restart, "service[shorewall6]"
   end
 
+  notify_group "shorewall6-rules" do
+    action :run
+    notifies :create, "template[/etc/shorewall6/rules]"
+  end
+
   service "shorewall6" do
     action [:enable, :start]
     supports :restart => true
   service "shorewall6" do
     action [:enable, :start]
     supports :restart => true
@@ -457,7 +494,7 @@ unless node.interfaces(:family => :inet6).empty?
     source "logrotate.shorewall.erb"
     owner "root"
     group "root"
     source "logrotate.shorewall.erb"
     owner "root"
     group "root"
-    mode 0o644
+    mode "644"
     variables :name => "shorewall6"
   end
 
     variables :name => "shorewall6"
   end
 
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.