diff --git a/cdist/conf/explorer/os_version b/cdist/conf/explorer/os_version
index a7b1d3bc..3b02dedd 100755
--- a/cdist/conf/explorer/os_version
+++ b/cdist/conf/explorer/os_version
@@ -70,6 +70,11 @@ case "$("$__explorer/os")" in
macosx)
sw_vers -productVersion
;;
+ freebsd)
+ # Apparently uname -r is not a reliable way to get the patch level.
+ # See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
+ freebsd-version
+ ;;
*bsd|solaris)
uname -r
;;
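Review bot: The new `freebsd)` branch has no fallback when `freebsd-version` is missing, which to my knowledge is the case on releases older than FreeBSD 10.0. On such a host the explorer would print nothing where it used to print the `uname -r` value. `freebsd-version 2>/dev/null || uname -r` keeps the old output as a fallback. The surrounding `case` statement starts and ends outside the hunk.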
diff --git a/cdist/conf/type/__apt_backports/man.rst b/cdist/conf/type/__apt_backports/man.rst
new file mode 100644
index 00000000..7036fb84
--- /dev/null
+++ b/cdist/conf/type/__apt_backports/man.rst
@@ -0,0 +1,104 @@
+cdist-type__debian_backports(7)
+===============================
+
+NAME
+----
+cdist-type__apt_backports - Install backports
+
+
+DESCRIPTION
+-----------
+This singleton type installs backports for the current OS release.
+It aborts if backports are not supported for the specified OS or
+no version codename could be fetched (like Debian unstable).
+
+The package index will be automatically updated if required.
+
+It supports backports from following OSes:
+
+- Debian
+- Devuan
+- Ubuntu
+
+
+REQUIRED PARAMETERS
+-------------------
+None.
+
+
+OPTIONAL PARAMETERS
+-------------------
+state
+ Represents the state of the backports repository. ``present`` or
+ ``absent``, defaults to ``present``.
+
+ Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
+
+mirror
+ The mirror to fetch the backports from. Will defaults to the generic
+ mirror of the current OS.
+
+ Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
+
+
+BOOLEAN PARAMETERS
+------------------
+None.
+
+
+MESSAGES
+--------
+None.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+ # setup the backports
+ __apt_backports
+ __apt_backports --state absent
+ __apt_backports --state present --mirror "http://ftp.de.debian.org/debian/"
+
+ # install a backports package
+ # currently for the buster release backports
+ require="__apt_backports" __package_apt wireguard \
+ --target-release buster-backports
+
+
+ABORTS
+------
+Aborts if the detected os is not Debian.
+
+Aborts if no distribuition codename could be detected. This is common for the
+unstable distribution, but there is no backports repository for it already.
+
+
+CAVEATS
+-------
+For Ubuntu, it setup all componenents for the backports repository: ``main``,
+``restricted``, ``universe`` and ``multiverse``. The user may not want to
+install proprietary packages, which will only be installed if the user
+explicitly uses the backports target-release. The user may change this behavior
+to install backports packages without the need of explicitly select it.
+
+
+SEE ALSO
+--------
+`Official Debian Backports site `_
+
+:strong:`cdist-type__apt_source`\ (7)
+
+
+AUTHORS
+-------
+Matthias Stecher
+
+
+COPYING
+-------
+Copyright \(C) 2020 Matthias Stecher. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
diff --git a/cdist/conf/type/__apt_backports/manifest b/cdist/conf/type/__apt_backports/manifest
new file mode 100755
index 00000000..bc47d8de
--- /dev/null
+++ b/cdist/conf/type/__apt_backports/manifest
@@ -0,0 +1,81 @@
+#!/bin/sh -e
+# __apt_backports/manifest
+#
+# 2020 Matthias Stecher (matthiasstecher at gmx.de)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Enables/disables backports repository. Utilises __apt_source for it.
+#
+
+
+# Get the distribution codename by /etc/os-release.
+# is already executed in a subshell by string substitution
+# lsb_release may not be given in all installations
+codename_os_release() {
+ # shellcheck disable=SC1090
+ . "$__global/explorer/os_release"
+ printf "%s" "$VERSION_CODENAME"
+}
+
+# detect backport distribution
+os="$(cat "$__global/explorer/os")"
+case "$os" in
+ debian)
+ dist="$( codename_os_release )"
+ components="main"
+ mirror="http://deb.debian.org/debian/"
+ ;;
+ devuan)
+ dist="$( codename_os_release )"
+ components="main"
+ mirror="http://deb.devuan.org/merged"
+ ;;
+ ubuntu)
+ dist="$( codename_os_release )"
+ components="main restricted universe multiverse"
+ mirror="http://archive.ubuntu.com/ubuntu"
+ ;;
+
+ *)
+ printf "Backports for %s are not supported!\n" "$os" >&2
+ exit 1
+ ;;
+esac
+
+# error if no codename given (e.g. on Debian unstable)
+if [ -z "$dist" ]; then
+ printf "No backports for unkown version of distribution %s!\n" "$os" >&2
+ exit 1
+fi
+
+
+# parameters
+state="$(cat "$__object/parameter/state")"
+
+# mirror already set for the os, only override user-values
+if [ -f "$__object/parameter/mirror" ]; then
+ mirror="$(cat "$__object/parameter/mirror")"
+fi
+
+
+# install the given backports repository
+__apt_source "${dist}-backports" \
+ --state "$state" \
+ --distribution "${dist}-backports" \
+ --component "$components" \
+ --uri "$mirror"
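Review bot: `codename_os_release` sources `$__global/explorer/os_release` with `.`, which runs the explorer output as shell code inside the manifest. If that explorer returns the target's os-release file verbatim (it is not shown here), content from the managed host is executed on the machine running cdist. Read only the one key instead, e.g. `sed -n 's/^VERSION_CODENAME=//p' "$__global/explorer/os_release" | tr -d '"'`, and reject a codename that is not plain lowercase letters before it goes into the `__apt_source` object id. The default mirrors are plain `http://`, so a comment should state that package integrity then rests on apt's signature verification.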
diff --git a/cdist/conf/type/__apt_backports/parameter/default/state b/cdist/conf/type/__apt_backports/parameter/default/state
new file mode 100644
index 00000000..e7f6134f
--- /dev/null
+++ b/cdist/conf/type/__apt_backports/parameter/default/state
@@ -0,0 +1 @@
+present
diff --git a/cdist/conf/type/__apt_backports/parameter/optional b/cdist/conf/type/__apt_backports/parameter/optional
new file mode 100644
index 00000000..4b05c235
--- /dev/null
+++ b/cdist/conf/type/__apt_backports/parameter/optional
@@ -0,0 +1,2 @@
+state
+mirror
diff --git a/cdist/conf/type/__apt_backports/singleton b/cdist/conf/type/__apt_backports/singleton
new file mode 100644
index 00000000..e69de29b
diff --git a/cdist/conf/type/__block/gencode-remote b/cdist/conf/type/__block/gencode-remote
index 1f5cc033..7a1f4064 100755
--- a/cdist/conf/type/__block/gencode-remote
+++ b/cdist/conf/type/__block/gencode-remote
@@ -46,28 +46,29 @@ fi
remove_block() {
cat << DONE
-tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
+tmpfile=\$(mktemp ${quoted_file}.cdist.XXXXXXXXXX)
# preserve ownership and permissions of existing file
-if [ -f "$file" ]; then
- cp -p "$file" "\$tmpfile"
+if [ -f $quoted_file ]; then
+ cp -p $quoted_file "\$tmpfile"
fi
-awk -v prefix=^$(quote "$prefix")\$ -v suffix=^$(quote "$suffix")\$ '
+awk -v prefix=$(quote "$prefix") -v suffix=$(quote "$suffix") '
{
- if (match(\$0,prefix)) {
+ if (\$0 == prefix) {
triggered=1
}
if (triggered) {
- if (match(\$0,suffix)) {
+ if (\$0 == suffix) {
triggered=0
}
} else {
print
}
-}' "$file" > "\$tmpfile"
-mv -f "\$tmpfile" "$file"
+}' $quoted_file > "\$tmpfile"
+mv -f "\$tmpfile" $quoted_file
DONE
}
+quoted_file="$(quote "$file")"
case "$state_should" in
present)
if [ "$state_is" = "changed" ]; then
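Review bot: In `remove_block`, `awk -v prefix=... -v suffix=...` still interprets backslash escape sequences in the assigned values. A prefix or suffix line that contains a backslash will therefore not compare equal to `$0`, and the old block is never removed. Passing the values through the environment avoids that processing: `prefix=$(quote "$prefix") suffix=$(quote "$suffix") awk '` with the comparisons written as `\$0 == ENVIRON["prefix"]` and `\$0 == ENVIRON["suffix"]`. The `quote` helper is defined outside the hunk, so its exact output is assumed here.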
@@ -77,7 +78,7 @@ case "$state_should" in
echo add >> "$__messages_out"
fi
cat << DONE
-cat >> "$file" << ${__type##*/}_DONE
+cat >> $quoted_file << '${__type##*/}_DONE'
$(cat "$block")
${__type##*/}_DONE
DONE
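Review bot: Quoting the delimiter stops expansion inside the block, but a block line that is exactly `${__type##*/}_DONE` still ends the here-document early. Everything after that line would then be run as shell by the generated code on the target. Reject such input before emitting the code: `if grep -qxF "${__type##*/}_DONE" "$block"; then echo "block contains the here-doc delimiter" >&2; exit 1; fi`.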
diff --git a/cdist/conf/type/__dot_file/man.rst b/cdist/conf/type/__dot_file/man.rst
index ae65eb95..ba7621a1 100644
--- a/cdist/conf/type/__dot_file/man.rst
+++ b/cdist/conf/type/__dot_file/man.rst
@@ -25,6 +25,9 @@ user
OPTIONAL PARAMETERS
-------------------
+dirmode
+ forwarded to :strong:`__directory` type as mode
+
mode
forwarded to :strong:`__file` type
diff --git a/cdist/conf/type/__dot_file/manifest b/cdist/conf/type/__dot_file/manifest
index 5e4957e5..02dadf05 100755
--- a/cdist/conf/type/__dot_file/manifest
+++ b/cdist/conf/type/__dot_file/manifest
@@ -19,6 +19,7 @@ set -eu
user="$(cat "${__object}/parameter/user")"
home="$(cat "${__object}/explorer/home")"
primary_group="$(cat "${__object}/explorer/primary_group")"
+dirmode="$(cat "${__object}/parameter/dirmode")"
# Create parent directory. Type __directory has flag 'parents', but it
# will leave us with root-owned directory in user home, which is not
@@ -36,6 +37,7 @@ export CDIST_ORDER_DEPENDENCY
for dir ; do
__directory "${home}/${dir}" \
--group "${primary_group}" \
+ --mode "${dirmode}" \
--owner "${user}"
done
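Review bot: The added `--mode "${dirmode}"` applies to every directory the loop passes to `__directory`, not only to newly created ones. With the new `0700` default, an already existing parent directory under the user's home presumably has its mode changed on the next run, and nothing next to the code says so. A comment above the loop would help, for example `# dirmode (default 0700) is enforced on every parent directory, including ones that already exist`. The positional parameters the loop iterates over are set outside the hunk.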
diff --git a/cdist/conf/type/__dot_file/parameter/default/dirmode b/cdist/conf/type/__dot_file/parameter/default/dirmode
new file mode 100644
index 00000000..e9745d1f
--- /dev/null
+++ b/cdist/conf/type/__dot_file/parameter/default/dirmode
@@ -0,0 +1 @@
+0700
diff --git a/cdist/conf/type/__dot_file/parameter/optional b/cdist/conf/type/__dot_file/parameter/optional
index ccab9fa6..9f7f83fb 100644
--- a/cdist/conf/type/__dot_file/parameter/optional
+++ b/cdist/conf/type/__dot_file/parameter/optional
@@ -1,3 +1,4 @@
state
mode
source
+dirmode
diff --git a/cdist/conf/type/__iptables_apply/files/init-script b/cdist/conf/type/__iptables_apply/files/init-script
index d9c79ef7..e42017ae 100644
--- a/cdist/conf/type/__iptables_apply/files/init-script
+++ b/cdist/conf/type/__iptables_apply/files/init-script
@@ -1,7 +1,4 @@
#!/bin/sh
-# Nico Schottelius
-# Zürisee, Mon Sep 2 18:38:27 CEST 2013
-#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs $remote_fs
@@ -14,34 +11,72 @@
# and saves/restores previous status
### END INIT INFO
+# Originally written by:
+# Nico Schottelius
+# Zürisee, Mon Sep 2 18:38:27 CEST 2013
+#
+# 2013 Nico Schottelius (nico-cdist at schottelius.org)
+# 2020 Matthias Stecher (matthiasstecher at gmx.de)
+#
+# This file is distributed with cdist and licenced under the
+# GNU GPLv3+ WITHOUT ANY WARRANTY.
+
+
+# Read files and execute the content with the given commands
+#
+# Arguments:
+# 1: Directory
+# 2..n: Commands which should be used to execute the file content
+gothrough() {
+ cd "$1" || return
+ shift
+
+ # iterate through all rules and continue if it's not a file
+ for rule in *; do
+ [ -f "$rule" ] || continue
+ echo "Appling iptables rule $rule ..."
+
+ # execute it with all commands specificed
+ ruleparam="$(cat "$rule")"
+ for cmd in "$@"; do
+ # Command and Rule should be split.
+ # shellcheck disable=SC2046
+ command $cmd $ruleparam
+ done
+ done
+}
+
+# Shortcut for iptables command to do IPv4 and v6
+# only applies to the "reset" target
+iptables() {
+ command iptables "$@"
+ command ip6tables "$@"
+}
basedir=/etc/iptables.d
-status="${basedir}/.pre-start"
+status4="${basedir}/.pre-start"
+status6="${basedir}/.pre-start6"
case $1 in
start)
# Save status
- iptables-save > "$status"
+ iptables-save > "$status4"
+ ip6tables-save > "$status6"
# Apply our ruleset
- cd "$basedir" || exit
- count="$(find . ! -name . -prune | wc -l)"
-
- # Only do something if there are rules
- if [ "$count" -ge 1 ]; then
- for rule in *; do
- echo "Applying iptables rule $rule ..."
- # Rule should be split.
- # shellcheck disable=SC2046
- iptables $(cat "$rule")
- done
- fi
+ gothrough "$basedir" iptables
+ #gothrough "$basedir/v4" iptables # conflicts with $basedir
+ gothrough "$basedir/v6" ip6tables
+ gothrough "$basedir/all" iptables ip6tables
;;
stop)
# Restore from status before, if there is something to restore
- if [ -f "$status" ]; then
- iptables-restore < "$status"
+ if [ -f "$status4" ]; then
+ iptables-restore < "$status4"
+ fi
+ if [ -f "$status6" ]; then
+ ip6tables-restore < "$status6"
fi
;;
restart)
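Review bot: In `gothrough`, the exit status of `command $cmd $ruleparam` is discarded, so a rule that iptables rejects leaves the ruleset partially applied while `start` can still report success; collect the failure and return it. The same line expands `$ruleparam` unquoted while the working directory is the rules directory, so a `*` or `?` in a rule is also subject to pathname expansion; `set -f` around the call keeps the intended word splitting without it. The shellcheck directive there names SC2046, but the unquoted variables are SC2086. The `start)` branch would need to act on the return value as well; the rest of the case statement is outside the hunk.

```sh
gothrough() {
    cd "$1" || return
    shift
    rc=0

    # … unchanged: loop over rule files, skip non-files, read $ruleparam …
        for cmd in "$@"; do
            # Command and rule are split on whitespace only; globbing is off.
            set -f
            # shellcheck disable=SC2086
            command $cmd $ruleparam || rc=1
            set +f
        done
    # … unchanged: end of the rule loop …

    return "$rc"
}
```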
diff --git a/cdist/conf/type/__iptables_apply/man.rst b/cdist/conf/type/__iptables_apply/man.rst
index 76e1f6bf..3bef92cc 100644
--- a/cdist/conf/type/__iptables_apply/man.rst
+++ b/cdist/conf/type/__iptables_apply/man.rst
@@ -10,7 +10,24 @@ DESCRIPTION
-----------
This cdist type deploys an init script that triggers
the configured rules and also re-applies them on
-configuration.
+configuration. Rules are written from __iptables_rule
+into the folder ``/etc/iptables.d/``.
+
+It reads all rules from the base folder as rules for IPv4.
+Rules in the subfolder ``v6/`` are IPv6 rules. Rules in
+the subfolder ``all/`` are applied to both rule tables. All
+files contain the arguments for a single ``iptables`` and/or
+``ip6tables`` command.
+
+Rules are applied in the following order:
+1. All IPv4 rules
+2. All IPv6 rules
+2. All rules that should be applied to both tables
+
+The order of the rules that will be applied are definite
+from the result the shell glob returns, which should be
+alphabetical. If rules must be applied in a special order,
+prefix them with a number like ``02-some-rule``.
REQUIRED PARAMETERS
@@ -24,7 +41,7 @@ None
EXAMPLES
--------
-None (__iptables_apply is used by __iptables_rule)
+None (__iptables_apply is used by __iptables_rule automatically)
SEE ALSO
@@ -35,11 +52,13 @@ SEE ALSO
AUTHORS
-------
Nico Schottelius
+Matthias Stecher
COPYING
-------
-Copyright \(C) 2013 Nico Schottelius. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
+Copyright \(C) 2013 Nico Schottelius.
+Copyright \(C) 2020 Matthias Stecher.
+You can redistribute it and/or modify it under the terms of the GNU
+General Public License as published by the Free Software Foundation,
+either version 3 of the License, or (at your option) any later version.
diff --git a/cdist/conf/type/__iptables_rule/man.rst b/cdist/conf/type/__iptables_rule/man.rst
index 92d8859f..afb71e01 100644
--- a/cdist/conf/type/__iptables_rule/man.rst
+++ b/cdist/conf/type/__iptables_rule/man.rst
@@ -11,6 +11,10 @@ DESCRIPTION
This cdist type allows you to manage iptable rules
in a distribution independent manner.
+See :strong:`cdist-type__iptables_apply`\ (7) for the
+execution order of these rules. It will be executed
+automaticly to apply all rules non-volaite.
+
REQUIRED PARAMETERS
-------------------
@@ -25,6 +29,24 @@ state
'present' or 'absent', defaults to 'present'
+BOOLEAN PARAMETERS
+------------------
+All rules without any of these parameters will be treated like ``--v4`` because
+of backward compatibility.
+
+v4
+ Explicitly set it as rule for IPv4. If IPv6 is set, too, it will be
+ threaten like ``--all``. Will be the default if nothing else is set.
+
+v6
+ Explicitly set it as rule for IPv6. If IPv4 is set, too, it will be
+ threaten like ``--all``.
+
+all
+ Set the rule for both IPv4 and IPv6. It will be saved separately from the
+ other rules.
+
+
EXAMPLES
--------
@@ -48,6 +70,16 @@ EXAMPLES
--state absent
+ # IPv4-only rule for ICMPv4
+ __iptables_rule icmp-v4 --v4 --rule "-A INPUT -p icmp -j ACCEPT"
+ # IPv6-only rule for ICMPv6
+ __iptables_rule icmp-v6 --v6 --rule "-A INPUT -p icmpv6 -j ACCEPT"
+
+ # doing something for the dual stack
+ __iptables_rule fwd-eth0-eth1 --v4 --v6 --rule "-A INPUT -i eth0 -o eth1 -j ACCEPT"
+ __iptables_rule fwd-eth1-eth0 --all --rule "-A -o eth1 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
+
+
SEE ALSO
--------
:strong:`cdist-type__iptables_apply`\ (7), :strong:`iptables`\ (8)
@@ -56,11 +88,13 @@ SEE ALSO
AUTHORS
-------
Nico Schottelius
+Matthias Stecher
COPYING
-------
-Copyright \(C) 2013 Nico Schottelius. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
+Copyright \(C) 2013 Nico Schottelius.
+Copyright \(C) 2020 Matthias Stecher.
+You can redistribute it and/or modify it under the terms of the GNU
+General Public License as published by the Free Software Foundation,
+either version 3 of the License, or (at your option) any later version.
diff --git a/cdist/conf/type/__iptables_rule/manifest b/cdist/conf/type/__iptables_rule/manifest
index ed78787f..d4394c25 100755
--- a/cdist/conf/type/__iptables_rule/manifest
+++ b/cdist/conf/type/__iptables_rule/manifest
@@ -1,6 +1,7 @@
#!/bin/sh -e
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
+# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
@@ -24,12 +25,36 @@ base_dir=/etc/iptables.d
name="$__object_id"
state="$(cat "$__object/parameter/state")"
+if [ -f "$__object/parameter/v4" ]; then
+ only_v4="yes"
+ # $specific_dir is $base_dir
+fi
+if [ -f "$__object/parameter/v6" ]; then
+ only_v6="yes"
+ specific_dir="$base_dir/v6"
+fi
+# If rules should be set for both protocols
+if { [ "$only_v4" = "yes" ] && [ "$only_v6" = "yes" ]; } ||
+ [ -f "$__object/parameter/all" ]; then
+
+ # all to a specific directory
+ specific_dir="$base_dir/all"
+fi
+
+# set rule directory based on if it's the base or subdirectory
+rule_dir="${specific_dir:-$base_dir}"
+
################################################################################
# Basic setup
#
__directory "$base_dir" --state present
+# sub-directory if required
+if [ "$specific_dir" ]; then
+ require="__directory/$base_dir" __directory "$specific_dir" --state present
+fi
+
# Have apply do the real job
require="$__object_name" __iptables_apply
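Review bot: `only_v4`, `only_v6` and `specific_dir` are assigned only inside the `if` branches, so when a flag is absent the later tests read whatever value the manifest inherited from its environment. An exported `specific_dir` would change the directory the rule file is written to. Initialise them before the first `if`: `only_v4="" only_v6="" specific_dir=""`. The comment `# $specific_dir is $base_dir` could then say that an empty `specific_dir` means the base directory is used.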
@@ -37,6 +62,15 @@ require="$__object_name" __iptables_apply
# The rule
#
-require="__directory/$base_dir" __file "$base_dir/${name}" \
- --source "$__object/parameter/rule" \
- --state "$state"
+for dir in "$base_dir" "$base_dir/v6" "$base_dir/all"; do
+ # defaults to absent except the directory that should contain the file
+ if [ "$rule_dir" = "$dir" ]; then
+ curr_state="$state"
+ else
+ curr_state="absent"
+ fi
+
+ require="__directory/$rule_dir" __file "$dir/$name" \
+ --source "$__object/parameter/rule" \
+ --state "$curr_state"
+done
diff --git a/cdist/conf/type/__iptables_rule/parameter/boolean b/cdist/conf/type/__iptables_rule/parameter/boolean
new file mode 100644
index 00000000..76882272
--- /dev/null
+++ b/cdist/conf/type/__iptables_rule/parameter/boolean
@@ -0,0 +1,3 @@
+all
+v4
+v6
diff --git a/cdist/conf/type/__package_pkgng_freebsd/gencode-remote b/cdist/conf/type/__package_pkgng_freebsd/gencode-remote
index b5944177..05ba4cb2 100755
--- a/cdist/conf/type/__package_pkgng_freebsd/gencode-remote
+++ b/cdist/conf/type/__package_pkgng_freebsd/gencode-remote
@@ -75,7 +75,7 @@ execcmd(){
esac
if [ -z "${pkg_bootstrapped}" ]; then
- echo "pkg bootstrap -y >/dev/null 2>&1"
+ echo "ASSUME_ALWAYS_YES=yes pkg bootstrap >/dev/null 2>&1"
fi
echo "$_cmd >/dev/null 2>&1" # Silence the output of the command
diff --git a/cdist/test/__main__.py b/cdist/test/__main__.py
index c8c7df3b..8049c752 100644
--- a/cdist/test/__main__.py
+++ b/cdist/test/__main__.py
@@ -20,7 +20,7 @@
#
#
-import imp
+import importlib
import os
import sys
import unittest
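Review bot: `import importlib` does not guarantee that the `importlib.util` submodule is loaded, yet the loop in the next hunk calls `importlib.util.find_spec` and `importlib.util.module_from_spec`. Whether that works depends on some other import having pulled the submodule in already. Import it explicitly: `import importlib.util`.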
@@ -37,8 +37,9 @@ for possible_test in os.listdir(base_dir):
suites = []
for test_module in test_modules:
- module_parameters = imp.find_module(test_module, [base_dir])
- module = imp.load_module("cdist.test." + test_module, *module_parameters)
+ module_spec = importlib.util.find_spec("cdist.test.{}".format(test_module))
+ module = importlib.util.module_from_spec(module_spec)
+ module_spec.loader.exec_module(module)
suite = unittest.defaultTestLoader.loadTestsFromModule(module)
# print("Got suite: " + suite.__str__())
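Review bot: `importlib.util.find_spec` returns `None` when the module cannot be found, and the next line then fails inside `module_from_spec` with an error that does not name the test module. The loaded module is also never registered in `sys.modules`. `module = importlib.import_module("cdist.test.{}".format(test_module))` does the lookup, load and registration in one call and raises `ModuleNotFoundError` with the module name. The loop body continues outside the hunk.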
diff --git a/docs/changelog b/docs/changelog
index 21828964..763fde04 100644
--- a/docs/changelog
+++ b/docs/changelog
@@ -5,6 +5,15 @@ next:
* Core: Add trigger functionality (Nico Schottelius, Darko Poljak)
* Core: Implement core support for python types (Darko Poljak)
+6.9.4: 2020-12-21
+ * Type __package_pkgng_freebsd: Fix bootstrapping pkg (Dennis Camera)
+ * Core: Deal with deprecated imp in unit tests (Evil Ham)
+ * Type __iptables: Add IPv6 support (Matthias Stecher)
+ * Type __block: Fix escaping in here-doc (Matthias Stecher)
+ * Explorer os_version: Improve FreeBSD support (Evil Ham)
+ * New type: __apt_backports (Matthias Stecher)
+ * Type __dot_file: Add dirmode parameter (Mark Verboom)
+
6.9.3: 2020-12-04
* pip install: Add cdist.scan to packages in setup.py (Dennis Camera)