Merge branch 'master' into beta

This commit is contained in:
Darko Poljak 2020-12-21 19:29:24 +01:00
commit f39a2ba975
19 changed files with 381 additions and 45 deletions

View file

@ -70,6 +70,11 @@ case "$("$__explorer/os")" in
macosx) macosx)
sw_vers -productVersion sw_vers -productVersion
;; ;;
freebsd)
# Apparently uname -r is not a reliable way to get the patch level.
# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
freebsd-version
;;
*bsd|solaris) *bsd|solaris)
uname -r uname -r
;; ;;

View file

@ -0,0 +1,104 @@
cdist-type__debian_backports(7)
===============================
NAME
----
cdist-type__apt_backports - Install backports
DESCRIPTION
-----------
This singleton type installs backports for the current OS release.
It aborts if backports are not supported for the specified OS or
no version codename could be fetched (like Debian unstable).
The package index will be automatically updated if required.
It supports backports from following OSes:
- Debian
- Devuan
- Ubuntu
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
state
Represents the state of the backports repository. ``present`` or
``absent``, defaults to ``present``.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
mirror
The mirror to fetch the backports from. Will defaults to the generic
mirror of the current OS.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
BOOLEAN PARAMETERS
------------------
None.
MESSAGES
--------
None.
EXAMPLES
--------
.. code-block:: sh
# setup the backports
__apt_backports
__apt_backports --state absent
__apt_backports --state present --mirror "http://ftp.de.debian.org/debian/"
# install a backports package
# currently for the buster release backports
require="__apt_backports" __package_apt wireguard \
--target-release buster-backports
ABORTS
------
Aborts if the detected os is not Debian.
Aborts if no distribuition codename could be detected. This is common for the
unstable distribution, but there is no backports repository for it already.
CAVEATS
-------
For Ubuntu, it setup all componenents for the backports repository: ``main``,
``restricted``, ``universe`` and ``multiverse``. The user may not want to
install proprietary packages, which will only be installed if the user
explicitly uses the backports target-release. The user may change this behavior
to install backports packages without the need of explicitly select it.
SEE ALSO
--------
`Official Debian Backports site <https://backports.debian.org/>`_
:strong:`cdist-type__apt_source`\ (7)
AUTHORS
-------
Matthias Stecher <matthiasstecher at gmx.de>
COPYING
-------
Copyright \(C) 2020 Matthias Stecher. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,81 @@
#!/bin/sh -e
# __apt_backports/manifest
#
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Enables/disables backports repository. Utilises __apt_source for it.
#
# Get the distribution codename by /etc/os-release.
# is already executed in a subshell by string substitution
# lsb_release may not be given in all installations
codename_os_release() {
# shellcheck disable=SC1090
. "$__global/explorer/os_release"
printf "%s" "$VERSION_CODENAME"
}
# detect backport distribution
os="$(cat "$__global/explorer/os")"
case "$os" in
debian)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.debian.org/debian/"
;;
devuan)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.devuan.org/merged"
;;
ubuntu)
dist="$( codename_os_release )"
components="main restricted universe multiverse"
mirror="http://archive.ubuntu.com/ubuntu"
;;
*)
printf "Backports for %s are not supported!\n" "$os" >&2
exit 1
;;
esac
# error if no codename given (e.g. on Debian unstable)
if [ -z "$dist" ]; then
printf "No backports for unkown version of distribution %s!\n" "$os" >&2
exit 1
fi
# parameters
state="$(cat "$__object/parameter/state")"
# mirror already set for the os, only override user-values
if [ -f "$__object/parameter/mirror" ]; then
mirror="$(cat "$__object/parameter/mirror")"
fi
# install the given backports repository
__apt_source "${dist}-backports" \
--state "$state" \
--distribution "${dist}-backports" \
--component "$components" \
--uri "$mirror"

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1,2 @@
state
mirror

View file

@ -46,28 +46,29 @@ fi
remove_block() { remove_block() {
cat << DONE cat << DONE
tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX) tmpfile=\$(mktemp ${quoted_file}.cdist.XXXXXXXXXX)
# preserve ownership and permissions of existing file # preserve ownership and permissions of existing file
if [ -f "$file" ]; then if [ -f $quoted_file ]; then
cp -p "$file" "\$tmpfile" cp -p $quoted_file "\$tmpfile"
fi fi
awk -v prefix=^$(quote "$prefix")\$ -v suffix=^$(quote "$suffix")\$ ' awk -v prefix=$(quote "$prefix") -v suffix=$(quote "$suffix") '
{ {
if (match(\$0,prefix)) { if (\$0 == prefix) {
triggered=1 triggered=1
} }
if (triggered) { if (triggered) {
if (match(\$0,suffix)) { if (\$0 == suffix) {
triggered=0 triggered=0
} }
} else { } else {
print print
} }
}' "$file" > "\$tmpfile" }' $quoted_file > "\$tmpfile"
mv -f "\$tmpfile" "$file" mv -f "\$tmpfile" $quoted_file
DONE DONE
} }
quoted_file="$(quote "$file")"
case "$state_should" in case "$state_should" in
present) present)
if [ "$state_is" = "changed" ]; then if [ "$state_is" = "changed" ]; then
@ -77,7 +78,7 @@ case "$state_should" in
echo add >> "$__messages_out" echo add >> "$__messages_out"
fi fi
cat << DONE cat << DONE
cat >> "$file" << ${__type##*/}_DONE cat >> $quoted_file << '${__type##*/}_DONE'
$(cat "$block") $(cat "$block")
${__type##*/}_DONE ${__type##*/}_DONE
DONE DONE

View file

@ -25,6 +25,9 @@ user
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
dirmode
forwarded to :strong:`__directory` type as mode
mode mode
forwarded to :strong:`__file` type forwarded to :strong:`__file` type

View file

@ -19,6 +19,7 @@ set -eu
user="$(cat "${__object}/parameter/user")" user="$(cat "${__object}/parameter/user")"
home="$(cat "${__object}/explorer/home")" home="$(cat "${__object}/explorer/home")"
primary_group="$(cat "${__object}/explorer/primary_group")" primary_group="$(cat "${__object}/explorer/primary_group")"
dirmode="$(cat "${__object}/parameter/dirmode")"
# Create parent directory. Type __directory has flag 'parents', but it # Create parent directory. Type __directory has flag 'parents', but it
# will leave us with root-owned directory in user home, which is not # will leave us with root-owned directory in user home, which is not
@ -36,6 +37,7 @@ export CDIST_ORDER_DEPENDENCY
for dir ; do for dir ; do
__directory "${home}/${dir}" \ __directory "${home}/${dir}" \
--group "${primary_group}" \ --group "${primary_group}" \
--mode "${dirmode}" \
--owner "${user}" --owner "${user}"
done done

View file

@ -0,0 +1 @@
0700

View file

@ -1,3 +1,4 @@
state state
mode mode
source source
dirmode

View file

@ -1,7 +1,4 @@
#!/bin/sh #!/bin/sh
# Nico Schottelius
# Zürisee, Mon Sep 2 18:38:27 CEST 2013
#
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: iptables # Provides: iptables
# Required-Start: $local_fs $remote_fs # Required-Start: $local_fs $remote_fs
@ -14,34 +11,72 @@
# and saves/restores previous status # and saves/restores previous status
### END INIT INFO ### END INIT INFO
# Originally written by:
# Nico Schottelius
# Zürisee, Mon Sep 2 18:38:27 CEST 2013
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is distributed with cdist and licenced under the
# GNU GPLv3+ WITHOUT ANY WARRANTY.
# Read files and execute the content with the given commands
#
# Arguments:
# 1: Directory
# 2..n: Commands which should be used to execute the file content
gothrough() {
cd "$1" || return
shift
# iterate through all rules and continue if it's not a file
for rule in *; do
[ -f "$rule" ] || continue
echo "Appling iptables rule $rule ..."
# execute it with all commands specificed
ruleparam="$(cat "$rule")"
for cmd in "$@"; do
# Command and Rule should be split.
# shellcheck disable=SC2046
command $cmd $ruleparam
done
done
}
# Shortcut for iptables command to do IPv4 and v6
# only applies to the "reset" target
iptables() {
command iptables "$@"
command ip6tables "$@"
}
basedir=/etc/iptables.d basedir=/etc/iptables.d
status="${basedir}/.pre-start" status4="${basedir}/.pre-start"
status6="${basedir}/.pre-start6"
case $1 in case $1 in
start) start)
# Save status # Save status
iptables-save > "$status" iptables-save > "$status4"
ip6tables-save > "$status6"
# Apply our ruleset # Apply our ruleset
cd "$basedir" || exit gothrough "$basedir" iptables
count="$(find . ! -name . -prune | wc -l)" #gothrough "$basedir/v4" iptables # conflicts with $basedir
gothrough "$basedir/v6" ip6tables
# Only do something if there are rules gothrough "$basedir/all" iptables ip6tables
if [ "$count" -ge 1 ]; then
for rule in *; do
echo "Applying iptables rule $rule ..."
# Rule should be split.
# shellcheck disable=SC2046
iptables $(cat "$rule")
done
fi
;; ;;
stop) stop)
# Restore from status before, if there is something to restore # Restore from status before, if there is something to restore
if [ -f "$status" ]; then if [ -f "$status4" ]; then
iptables-restore < "$status" iptables-restore < "$status4"
fi
if [ -f "$status6" ]; then
ip6tables-restore < "$status6"
fi fi
;; ;;
restart) restart)

View file

@ -10,7 +10,24 @@ DESCRIPTION
----------- -----------
This cdist type deploys an init script that triggers This cdist type deploys an init script that triggers
the configured rules and also re-applies them on the configured rules and also re-applies them on
configuration. configuration. Rules are written from __iptables_rule
into the folder ``/etc/iptables.d/``.
It reads all rules from the base folder as rules for IPv4.
Rules in the subfolder ``v6/`` are IPv6 rules. Rules in
the subfolder ``all/`` are applied to both rule tables. All
files contain the arguments for a single ``iptables`` and/or
``ip6tables`` command.
Rules are applied in the following order:
1. All IPv4 rules
2. All IPv6 rules
2. All rules that should be applied to both tables
The order of the rules that will be applied are definite
from the result the shell glob returns, which should be
alphabetical. If rules must be applied in a special order,
prefix them with a number like ``02-some-rule``.
REQUIRED PARAMETERS REQUIRED PARAMETERS
@ -24,7 +41,7 @@ None
EXAMPLES EXAMPLES
-------- --------
None (__iptables_apply is used by __iptables_rule) None (__iptables_apply is used by __iptables_rule automatically)
SEE ALSO SEE ALSO
@ -35,11 +52,13 @@ SEE ALSO
AUTHORS AUTHORS
------- -------
Nico Schottelius <nico-cdist--@--schottelius.org> Nico Schottelius <nico-cdist--@--schottelius.org>
Matthias Stecher <matthiasstecher--@--gmx.de>
COPYING COPYING
------- -------
Copyright \(C) 2013 Nico Schottelius. You can redistribute it Copyright \(C) 2013 Nico Schottelius.
and/or modify it under the terms of the GNU General Public License as Copyright \(C) 2020 Matthias Stecher.
published by the Free Software Foundation, either version 3 of the You can redistribute it and/or modify it under the terms of the GNU
License, or (at your option) any later version. General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.

View file

@ -11,6 +11,10 @@ DESCRIPTION
This cdist type allows you to manage iptable rules This cdist type allows you to manage iptable rules
in a distribution independent manner. in a distribution independent manner.
See :strong:`cdist-type__iptables_apply`\ (7) for the
execution order of these rules. It will be executed
automaticly to apply all rules non-volaite.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------
@ -25,6 +29,24 @@ state
'present' or 'absent', defaults to 'present' 'present' or 'absent', defaults to 'present'
BOOLEAN PARAMETERS
------------------
All rules without any of these parameters will be treated like ``--v4`` because
of backward compatibility.
v4
Explicitly set it as rule for IPv4. If IPv6 is set, too, it will be
threaten like ``--all``. Will be the default if nothing else is set.
v6
Explicitly set it as rule for IPv6. If IPv4 is set, too, it will be
threaten like ``--all``.
all
Set the rule for both IPv4 and IPv6. It will be saved separately from the
other rules.
EXAMPLES EXAMPLES
-------- --------
@ -48,6 +70,16 @@ EXAMPLES
--state absent --state absent
# IPv4-only rule for ICMPv4
__iptables_rule icmp-v4 --v4 --rule "-A INPUT -p icmp -j ACCEPT"
# IPv6-only rule for ICMPv6
__iptables_rule icmp-v6 --v6 --rule "-A INPUT -p icmpv6 -j ACCEPT"
# doing something for the dual stack
__iptables_rule fwd-eth0-eth1 --v4 --v6 --rule "-A INPUT -i eth0 -o eth1 -j ACCEPT"
__iptables_rule fwd-eth1-eth0 --all --rule "-A -o eth1 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
SEE ALSO SEE ALSO
-------- --------
:strong:`cdist-type__iptables_apply`\ (7), :strong:`iptables`\ (8) :strong:`cdist-type__iptables_apply`\ (7), :strong:`iptables`\ (8)
@ -56,11 +88,13 @@ SEE ALSO
AUTHORS AUTHORS
------- -------
Nico Schottelius <nico-cdist--@--schottelius.org> Nico Schottelius <nico-cdist--@--schottelius.org>
Matthias Stecher <matthiasstecher--@--gmx.de>
COPYING COPYING
------- -------
Copyright \(C) 2013 Nico Schottelius. You can redistribute it Copyright \(C) 2013 Nico Schottelius.
and/or modify it under the terms of the GNU General Public License as Copyright \(C) 2020 Matthias Stecher.
published by the Free Software Foundation, either version 3 of the You can redistribute it and/or modify it under the terms of the GNU
License, or (at your option) any later version. General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.

View file

@ -1,6 +1,7 @@
#!/bin/sh -e #!/bin/sh -e
# #
# 2013 Nico Schottelius (nico-cdist at schottelius.org) # 2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -24,12 +25,36 @@ base_dir=/etc/iptables.d
name="$__object_id" name="$__object_id"
state="$(cat "$__object/parameter/state")" state="$(cat "$__object/parameter/state")"
if [ -f "$__object/parameter/v4" ]; then
only_v4="yes"
# $specific_dir is $base_dir
fi
if [ -f "$__object/parameter/v6" ]; then
only_v6="yes"
specific_dir="$base_dir/v6"
fi
# If rules should be set for both protocols
if { [ "$only_v4" = "yes" ] && [ "$only_v6" = "yes" ]; } ||
[ -f "$__object/parameter/all" ]; then
# all to a specific directory
specific_dir="$base_dir/all"
fi
# set rule directory based on if it's the base or subdirectory
rule_dir="${specific_dir:-$base_dir}"
################################################################################ ################################################################################
# Basic setup # Basic setup
# #
__directory "$base_dir" --state present __directory "$base_dir" --state present
# sub-directory if required
if [ "$specific_dir" ]; then
require="__directory/$base_dir" __directory "$specific_dir" --state present
fi
# Have apply do the real job # Have apply do the real job
require="$__object_name" __iptables_apply require="$__object_name" __iptables_apply
@ -37,6 +62,15 @@ require="$__object_name" __iptables_apply
# The rule # The rule
# #
require="__directory/$base_dir" __file "$base_dir/${name}" \ for dir in "$base_dir" "$base_dir/v6" "$base_dir/all"; do
--source "$__object/parameter/rule" \ # defaults to absent except the directory that should contain the file
--state "$state" if [ "$rule_dir" = "$dir" ]; then
curr_state="$state"
else
curr_state="absent"
fi
require="__directory/$rule_dir" __file "$dir/$name" \
--source "$__object/parameter/rule" \
--state "$curr_state"
done

View file

@ -0,0 +1,3 @@
all
v4
v6

View file

@ -75,7 +75,7 @@ execcmd(){
esac esac
if [ -z "${pkg_bootstrapped}" ]; then if [ -z "${pkg_bootstrapped}" ]; then
echo "pkg bootstrap -y >/dev/null 2>&1" echo "ASSUME_ALWAYS_YES=yes pkg bootstrap >/dev/null 2>&1"
fi fi
echo "$_cmd >/dev/null 2>&1" # Silence the output of the command echo "$_cmd >/dev/null 2>&1" # Silence the output of the command

View file

@ -20,7 +20,7 @@
# #
# #
import imp import importlib
import os import os
import sys import sys
import unittest import unittest
@ -37,8 +37,9 @@ for possible_test in os.listdir(base_dir):
suites = [] suites = []
for test_module in test_modules: for test_module in test_modules:
module_parameters = imp.find_module(test_module, [base_dir]) module_spec = importlib.util.find_spec("cdist.test.{}".format(test_module))
module = imp.load_module("cdist.test." + test_module, *module_parameters) module = importlib.util.module_from_spec(module_spec)
module_spec.loader.exec_module(module)
suite = unittest.defaultTestLoader.loadTestsFromModule(module) suite = unittest.defaultTestLoader.loadTestsFromModule(module)
# print("Got suite: " + suite.__str__()) # print("Got suite: " + suite.__str__())

View file

@ -5,6 +5,15 @@ next:
* Core: Add trigger functionality (Nico Schottelius, Darko Poljak) * Core: Add trigger functionality (Nico Schottelius, Darko Poljak)
* Core: Implement core support for python types (Darko Poljak) * Core: Implement core support for python types (Darko Poljak)
6.9.4: 2020-12-21
* Type __package_pkgng_freebsd: Fix bootstrapping pkg (Dennis Camera)
* Core: Deal with deprecated imp in unit tests (Evil Ham)
* Type __iptables: Add IPv6 support (Matthias Stecher)
* Type __block: Fix escaping in here-doc (Matthias Stecher)
* Explorer os_version: Improve FreeBSD support (Evil Ham)
* New type: __apt_backports (Matthias Stecher)
* Type __dot_file: Add dirmode parameter (Mark Verboom)
6.9.3: 2020-12-04 6.9.3: 2020-12-04
* pip install: Add cdist.scan to packages in setup.py (Dennis Camera) * pip install: Add cdist.scan to packages in setup.py (Dennis Camera)