Rietveld Code Review Tool

Delta Between Two Patch Sets: modules/fail2ban/manifests/init.pp

Issue 29364214: Issue 2487 - Introduce fail2ban module (Closed)
Left Patch Set: Created Nov. 24, 2016, 3:09 p.m.
Right Patch Set: For comment 22 and 23 Created Dec. 2, 2016, 2:22 p.m.
LEFTRIGHT
1 # == Class: fail2ban 1 # == Class: fail2ban
2 # 2 #
3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups. 3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.
4 # 4 #
5 # == Parameters: 5 # == Parameters:
6 # 6 #
7 # [*jail_config*] 7 # [*jails*]
8 # Adds jail.local to the default configuration of fail2ban 8 # Provisions a jail.local adjacent to the default configuration.
f.nicolaisen 2016/11/25 15:09:09 Unnecessary white space at end of line.
9 # By default entries will have the following parameters:
10 # 'enabled' => 'true',
11 # 'port' => 'all',
12 # 'maxretry' => 6,
13 # 'banaction' => 'iptables-allports',
14 # 'bantime' => 3600,
15 #
16 # For the default banaction iptables-allports, the port parameter
17 # is not used and only set here for documentation purposes. Note
18 # that if 'banaction' is set to iptables-multiport, it requires that
19 # the 'port' parameter contains one or more comma-separated ports or protocols .
9 # 20 #
10 # [*package*] 21 # [*package*]
11 # Overwrite the default package options, to fine-tune the target version (i.e. 22 # Overwrite the default package options, to fine-tune the target version (i.e.
12 # ensure => 'latest') or remove Fluentd (ensure => 'absent' or 'purged') 23 # ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')
mathias 2016/11/24 16:08:48 Fluentd?
f.lopez 2016/11/25 15:13:49 Acknowledged.
13 # 24 #
14 # [*service*] 25 # [*service*]
15 # Overwrite the default service options. 26 # Overwrite the default service options.
16 # 27 #
17 # [*filters*] 28 # [*filters*]
18 # Adds adittional filters to the filters.d folder 29 # Adds adittional filters to the filters.d folder.
30 #
19 # === Examples: 31 # === Examples:
20 # 32 #
21 # class {'fail2ban': 33 # class {'fail2ban':
22 # package => {ensure => 'present',}, 34 # package => {ensure => 'present',},
23 # service => {}, 35 # service => {},
24 # jail_config => { 36 # jails => {
25 # 'wordpress' => { 37 # 'CVE-2013-0235' => {
26 # logpath => '/var/log/nginx/access.log', 38 # 'logpath' => '/var/log/nginx/access_log_hg',
f.nicolaisen 2016/11/25 15:09:09 Unnecessary white spaces at end of line.
27 # } 39 # 'banaction' => 'iptables-multiport',
28 # }, 40 # 'port' => 'https, http',
29 # filters => { 41 # }
30 # 'wordpress' => { 42 # },
31 # failregex => [ 43 # filters => {
32 # » '^<HOST>.*\"WordPress\/.*', 44 # 'CVE-2013-0235' => {
33 # » ], 45 # regexes => [
34 # } 46 # » '^<HOST>.*\"WordPress\/.*',
35 # }, 47 # » ],
36 # } 48 # }
mathias 2016/11/24 16:08:48 The example code is not properly indented. Also it
f.lopez 2016/11/25 15:13:49 Acknowledged.
49 # },
50 # }
51 #
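Review bot: the parameter documentation still carries a typo and a stray space that this patch set touches but does not fix: right line 29 reads "adittional" (should be "additional"), and right line 19 ends in "protocols ." with a space before the full stop. Since right lines 9-14 now document the per-jail defaults, the text should also say where those defaults are applied (they are not merged anywhere in this manifest, so presumably in the jail.erb template), otherwise a reader of the docs cannot tell whether an entry in $jails overrides or is overridden by them.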
37 class fail2ban ( 52 class fail2ban (
38 $package = {}, 53 $package = hiera('fail2ban::package', {}),
mathias 2016/11/24 16:08:48 Please make sure to wrap all default arguments acc
f.lopez 2016/11/25 15:13:49 Acknowledged.
39 $service = {}, 54 $service = hiera('fail2ban::service', {}),
40 $jail_config = {}, 55 $jails = hiera('fail2ban::jails', {}),
41 $filters = {}, 56 $filters = hiera('fail2ban::filters', {}),
42 ) { 57 ) {
43 58
44 include stdlib 59 include stdlib
45 60
61 $jail_default = {
62 'enabled' => 'true',
63 'port' => 'all',
64 'maxretry' => 6,
65 'banaction' => 'iptables-allports',
66 'bantime' => 3600,
67 }
68
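Review bot: $jail_default (right lines 61-67) is declared but never referenced in this manifest, so it can only be consumed by the jail.erb template through scope lookup; a one-line comment above the hash saying that the template merges it into each entry of $jails would spare the next reader a search and makes the link to the documented defaults at right lines 9-14 explicit. Note also that 'enabled' => 'true' is a string, not a boolean, which is fine for rendering into the INI-style jail.local but should be kept consistent with the example in the docs.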
46 ensure_resource('package', $title, $package) 69 ensure_resource('package', $title, $package)
47 70
48 # Used as default $ensure parameter for most resources below
49 $ensure = getparam(Package[$title], 'ensure') ? { 71 $ensure = getparam(Package[$title], 'ensure') ? {
50 /^(absent|purged|held)$/ => 'absent', 72 /^(absent|purged)$/ => 'absent',
mathias 2016/11/24 16:08:48 By now I wouldn't consider a "held" package as "ab
f.lopez 2016/11/25 15:13:49 Acknowledged.
51 default => 'present', 73 default => 'present',
52 } 74 }
53 75
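Review bot: the explanatory comment "# Used as default $ensure parameter for most resources below" (left line 48) was dropped in the right-hand version while the selector at right lines 71-74 is otherwise unchanged; restore it, because mapping both "absent" and "purged" onto 'absent' for the dependent resources is not self-explanatory without it.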
54 # Service resources don't properly support the concept of absence 76 if ($ensure == 'present') {
55 if ($ensure == 'present') or ($service['ensure'] != undef) {
mathias 2016/11/24 16:08:48 Why checking for $service['ensure'] being defined?
f.lopez 2016/11/25 15:13:49 Acknowledged.
56 77
57 ensure_resource('service', $title, $service) 78 ensure_resource('service', $title, merge({
79 hasrestart => true,
80 hasstatus => true,
81 }, $service))
82
58 # See modules/fail2ban/manifests/filter.pp 83 # See modules/fail2ban/manifests/filter.pp
59 create_resources('fail2ban::filter', $filters) 84 create_resources('fail2ban::filter', $filters)
60 85
f.nicolaisen 2016/11/25 15:09:09 Unnecessary white spaces here.
61 # According to the docs one can also enable filters that are 86 file {'/etc/fail2ban/jail.local':
62 # already in there, so the config file should be done appart. 87 ensure => present,
mathias 2016/11/24 16:08:48 I don't really get this point, but I assume you me
f.lopez 2016/11/25 15:13:49 Acknowledged.
63 if jail_config != undef { 88 group => 'root',
mathias 2016/11/24 16:08:48 The $jail_config defaults to an empty hash, so I d
f.lopez 2016/11/25 15:13:49 One can have filters without activating them, so y
64 file {'/etc/fail2ban/jail.local': 89 mode => '0644',
65 ensure => present, 90 owner => 'root',
66 group => 'root', 91 content => template("fail2ban/jail.erb"),
67 mode => '0644', 92 notify => Service['fail2ban'],
68 owner => 'root', 93 require => Package['fail2ban'],
69 content => template("fail2ban/jail.erb"),
70 notify => Service[$title],
71 }
72 } 94 }
73 95
f.nicolaisen 2016/11/25 15:09:09 Unnecessary white spaces here.
96 Package[$title] -> File['/etc/fail2ban/jail.local']
74 Service[$title] <~ Package[$title] 97 Service[$title] <~ Package[$title]
mathias 2016/11/24 16:08:48 Usually package updates imply reloading/restarting
f.lopez 2016/11/25 15:13:49 Notify is a kind of relation, but I agree that whe
75 } 98 }
76 99
77 Package[$title] -> File['/etc/fail2ban/jail.local'] 100 }
mathias 2016/11/24 16:08:48 Since the file resource is just declared under cer
f.lopez 2016/11/25 15:13:49 Acknowledged.
78 101
79
80 }
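Review bot: the file resource at right lines 86-94 hard-codes Service['fail2ban'] and Package['fail2ban'] while the rest of the class uses $title (right lines 69, 71, 78, 97); inside a class both resolve to the same resources, but the mix is inconsistent, and the require at right line 93 duplicates the explicit chain "Package[$title] -> File['/etc/fail2ban/jail.local']" at right line 96, so one of the two should go. Separately, because the file resource sits inside "if ($ensure == 'present')", setting the package to absent leaves jail.local on disk; declaring the file unconditionally with "ensure => $ensure" would remove it together with the package. Finally, template("fail2ban/jail.erb") at right line 91 is double-quoted with nothing to interpolate, which puppet-lint reports; single quotes would be preferable.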