Merge pull request #160 from cloudamatic/breakfix_for_upgrades

fix some upgrade-related irritations

.gitlab-ci.yml

@@ -29,13 +29,13 @@ Foodcritic:
   stage: Lint Test
   image: chef/chefdk:latest
   script:
-    - foodcritic cookbooks/ -t ~FC075 -t ~FC015 -t ~FC034 -t ~FC122
+    - foodcritic cookbooks/ -t ~FC075 -t ~FC015 -t ~FC034 -t ~FC122 -X firewall/*
 
 Foodcritic Deprecations:
   stage: Lint Test
   image: chef/chefdk:latest
   script:
-    - foodcritic cookbooks/ -t deprecated -t chef13 -t chef14 -t chef15
+    - foodcritic cookbooks/ -t deprecated -t chef13 -t chef14 -t chef15 -X cokbooks/firewall/*
 
 ChefSpec:
   stage: Test
@@ -60,9 +60,9 @@ New_Berks:
   script:
     - apt-get -qq update
     - apt-get -qq install git -y
-    - for d in ./cookbooks/*/ ; do (echo && echo "Installing $d" && cd "$d" && berks install); done
-    - for d in ./cookbooks/*/ ; do (echo && echo "Verifying $d" && cd "$d" && berks verify); done
-    - for d in ./cookbooks/*/ ; do (echo && echo "Analyzing $d" && cd "$d" && berks outdated); done
+    - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Installing $d" && cd "cookbooks/$d" && berks install); done
+    - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Verifying $d" && cd "cookbooks/$d" && berks verify); done
+    - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Analyzing $d" && cd "cookbooks/$d" && berks outdated); done
 
 Berks:
   stage: Test
@@ -220,4 +220,4 @@ pages:
     - public
   only:
   - master
-  - gen_docs
+  - gen_docs

Berksfile

@@ -15,4 +15,5 @@ cookbook 'mu-php54'
 cookbook 'mu-tools'
 cookbook 'mu-utility'
 cookbook 'nagios', path: 'cookbooks/nagios'
-#cookbook 's3fs', path: 'cookbooks/s3fs'
+cookbook 'firewall', path: 'cookbooks/firewall'
+#cookbook 's3fs', path: 'cookbooks/s3fs'

bin/mu-upload-chef-artifacts

@@ -30,6 +30,9 @@ if [ -z $MU_CHEF_CACHE ];then
 fi
 manifest="$MU_CHEF_CACHE/mu_manifest"
 berksdir="$HOMEDIR/.berkshelf"
+
+rm -rf "${berksdir}/" # Just... don't trust it to check cache correctly
+
 if [ -z $MU_INSTALLDIR ];then
     MU_INSTALLDIR=/opt/mu
 fi

cloud-mu.gemspec

@@ -17,8 +17,8 @@ end
 
 Gem::Specification.new do |s|
   s.name        = 'cloud-mu'
-  s.version     = '2.0.1'
-  s.date        = '2019-03-01'
+  s.version     = '2.0.2'
+  s.date        = '2019-05-06'
   s.require_paths = ['modules']
   s.required_ruby_version = '>= 2.4'
   s.summary     = "The eGTLabs Mu toolkit for unified cloud deployments"

cookbooks/firewall/.foodcritic

@@ -0,0 +1,3 @@
+~FC001
+~FC019
+~FC085

cookbooks/firewall/CHANGELOG.md

@@ -0,0 +1,295 @@
+firewall Cookbook CHANGELOG
+=======================
+This file is used to list changes made in each version of the firewall cookbook.
+
+## 2.7.0 (2018-12-19)
+
+- Nominal support for Debian 9 (#202)
+
+## 2.6.5 (2018-07-24)
+
+- use platform_family instead of platform to include all rhels
+
+v2.6.4 (2018-07-01)
+-------------------
+* Stop including chef-sugar when it's >= 4.0.0 (#197)
+
+v2.6.3 (2018-02-01)
+-------------------
+* Fix issue with deep merging of hashes and arrays in recent chef release (#185)
+
+v2.6.2 (2017-06-01)
+-------------------
+* Incorrect file checking on Ubuntu, double file write (#173)
+* Added testing on CentOS 6.9
+* Clarify metadata that we're not working on Amazon Linux (#172)
+
+v2.6.1 (2017-04-21)
+-------------------
+* Add recipe to disable firewall (#164)
+
+v2.6.0 (2017-04-17)
+-------------------
+* Initial Chef 13.x support (#160, #159)
+* Allow loopback and icmp, when enabled (#161)
+* Address various newer rubocop and foodcritic complaints
+* Convert rule provider away from DSL (#159)
+
+v2.5.4 (2017-02-13)
+-------------------
+* Update Test Kitchen platforms to the latest
+* Update copyright headers
+* Allow package options to be passed through to the package install for firewall
+* Define policy for Windows Firewall and use the attributes to set desired policy
+
+v2.5.3 (2016-10-26)
+-------------------
+* Don't show firewall resource as updated (#133)
+* Add :off as a valid logging level (#129)
+* Add support for Ubuntu 16.04 (#149)
+
+v2.5.2 (2016-06-02)
+-------------------
+* Don't issue commands when firewalld isn't active (#140)
+* Install iptables-services on CentOS >= 7 (#131)
+* Update Ruby version on Travis for listen gem
+
+v2.5.1 (2016-05-31)
+-------------------
+* Protocol guard incorrectly prevents "none" protocol type on UFW helper (#128)
+* Fix wrongly ordered conditional for converting ports to strings using port_to_s
+* Fix notify_firewall attribute crashing firewall_rule provider (#130)
+* Add warning if firewall rule opens all traffic (#132)
+* Add ipv6 attribute respect to Ubuntu iptables (#138)
+
+v2.5.0 (2016-03-08)
+-------------------
+* Don't modify parameter for port (#120)
+* Remove a reference to the wrong variable name under windows (#123)
+* Add support for mobile shell default firewall rule (#121)
+* New rubocop rules and style fixes
+* Correct a README.md example for `action :allow`
+
+v2.4.0 (2016-01-28)
+-------------------
+* Expose default iptables ruleset so that raw rules can be used in conjunction
+with rulesets for other tables (#101).
+
+v2.3.1 (2016-01-08)
+-------------------
+* Add raw rule support to the ufw firewall provider (#113).
+
+v2.3.0 (2015-12-23)
+-------------------
+* Refactor logic so that firewall rules don't add a string rule to the firewall
+when their actions run. Just run the action once on the firewall itself. This is
+designed to prevent partial application of rules (#106)
+
+* Switch to "enabled" (positive logic) instead of "disabled" (negative logic) on
+the firewall resource. It was difficult to reason with "disabled false" for some
+complicated recipes using firewall downstream. `disabled` is now deprecated.
+
+* Add proper Windows testing and serverspec tests back into this cookbook.
+
+* Fix the `port_to_s` function so it also works for Windows (#111)
+
+* Fix typo checking action instead of command in iptables helper (#112)
+
+* Remove testing ranges of ports on CentOS 5.x, as it's broken there.
+
+v2.2.0 (2015-11-02)
+-------------------
+Added permanent as default option for RHEL 7 based systems using firewall-cmd.
+This defaults to turned off, but it will be enabled by default on the next major version bump.
+
+v2.1.0 (2015-10-15)
+-------------------
+Minor feature release.
+* Ensure ICMPv6 is open when `['firewall']['allow_established']` is set to true (the default). ICMPv6 is critical for most IPv6 operations.
+
+v2.0.5 (2015-10-05)
+-------------------
+Minor bugfix release.
+* Ensure provider filtering always yields 1 and only 1 provider, #97 & #98
+* Documentation update #96
+
+v2.0.4 (2015-09-23)
+-------------------
+Minor bugfix release.
+* Allow override of filter chain policies, #94
+* Fix foodcrtitic and chefspec errors
+
+v2.0.3 (2015-09-14)
+-------------------
+Minor bugfix release.
+* Fix wrong conditional for firewalld ports, #93
+* Fix ipv6 command logic under iptables, #91
+
+v2.0.2 (2015-09-08)
+-------------------
+* Release with working CI, Chefspec matchers.
+
+v2.0.1 (2015-09-01)
+-------------------
+* Add default related/established rule for iptables
+
+v2.0.0 (2015-08-31)
+-------------------
+* #84, major rewrite:
+  - Allow relative positioning of rules
+  - Use delayed notifications to create one firewall ruleset instead of incremental changes
+  - Remove poise dependency
+* #82 - Introduce Windows firewall support and test-kitchen platform.
+* #73 - Add the option to disable ipv6 commands on iptables
+* #78 - Use Chef-12 style `provides` to address provider mapping issues
+* Rubocop and foodcritic cleanup
+
+v1.6.1 (2015-07-24)
+-------------------
+* #80 - Remove an extra space in port range
+
+v1.6.0 (2015-07-15)
+-------------------
+* #68 - Install firewalld when it does not exist
+* #72 - Fix symbol that was a string, breaking comparisons
+
+v1.5.2 (2015-07-15)
+-------------------
+* #75 - Use correct service in iptables save action, Add serverspec tests for iptables suite
+
+v1.5.1 (2015-07-13)
+-------------------
+* #74 - add :save matcher for Chefspec
+
+v1.5.0 (2015-07-06)
+-------------------
+
+* #70 - Add chef service resource to ensure firewall-related services are enabled/disabled
+*     - Add testing and support for iptables on ubuntu in iptables provider
+
+v1.4.0 (2015-06-30)
+-------------------
+
+* #69 - Support for CentOS/RHEL 5.x
+
+v1.3.0 (2015-06-09)
+-------------------
+* #63 - Add support for protocol numbers
+
+v1.2.0 (2015-05-28)
+-------------------
+* #64 - Support the newer version of poise
+
+v1.1.2 (2015-05-19)
+-------------------
+* #60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively.
+      - Make comment quoting optional; iptables on Ubuntu strips quotes on strings without any spaces
+
+v1.1.1 (2015-05-11)
+-------------------
+* #57 - Suppress warning: already initialized constant XXX while Chefspec
+
+v1.1.0 (2015-04-27)
+-------------------
+* #56 - Better ipv6 support for firewalld and iptables
+* #54 - Document raw parameter
+
+v1.0.2 (2015-04-03)
+-------------------
+* #52 - Typo in :masquerade action name
+
+v1.0.1 (2015-03-28)
+-------------------
+* #49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands
+
+v1.0.0 (2015-03-25)
+-------------------
+* Major upgrade and rewrite as HWRP using poise
+* Adds support for iptables and firewalld
+* Modernize tests and other files
+* Fix many bugs from ufw defaults to multiport suppot
+
+v0.11.8 (2014-05-20)
+--------------------
+* Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules
+
+
+v0.11.6 (2014-02-28)
+--------------------
+[COOK-4385] - UFW provider is broken
+
+
+v0.11.4 (2014-02-25)
+--------------------
+[COOK-4140] Only notify when a rule is actually added
+
+
+v0.11.2
+-------
+### Bug
+- **[COOK-3615](https://tickets.opscode.com/browse/COOK-3615)** - Install required UFW package on Debian
+
+v0.11.0
+-------
+### Improvement
+- [COOK-2932]: ufw providers work on debian but cannot be used
+
+v0.10.2
+-------
+- [COOK-2250] - improve readme
+
+v0.10.0
+------
+- [COOK-1234] - allow multiple ports per rule
+
+v0.9.2
+------
+- [COOK-1615] - Firewall example docs have incorrect direction syntax
+
+v0.9.0
+------
+The default action for firewall LWRP is now :enable, the default action for firewall_rule LWRP is now :reject. This is in line with a "default deny" policy.
+
+- [COOK-1429] - resolve foodcritic warnings
+
+v0.8.0
+------
+- refactor all resources and providers into LWRPs
+- removed :reset action from firewall resource (couldn't find a good way to make it idempotent)
+- removed :logging action from firewall resource...just set desired level via the log_level attribute
+
+v0.6.0
+------
+- [COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute.
+- Firewall cookbook firewall LWRP needs to support :logging
+
+v0.5.7
+------
+- [COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface
+- [COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules
+
+v0.5.6
+------
+- [COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port
+
+v0.5.5
+------
+- [COOK-709] fixed :nothing action for the 'firewall_rule' resource.
+
+v0.5.4
+------
+- [COOK-694] added :reject action to the 'firewall_rule' resource.
+
+v0.5.3
+------
+- [COOK-698] added :reset action to the 'firewall' resource.
+
+v0.5.2
+------
+- Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error.
+thanks to Ernad Husremović for the fix.
+
+v0.5.0
+------
+- [COOK-686] create firewall and firewall_rule resources
+- [COOK-687] create UFW providers for all resources

cookbooks/firewall/CONTRIBUTING.md

@@ -0,0 +1,2 @@
+Please refer to
+https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD

cookbooks/firewall/MAINTAINERS.md

@@ -0,0 +1,19 @@
+<!-- This is a generated file. Please do not edit directly -->
+
+# Maintainers
+This file lists how this cookbook project is maintained. When making changes to the system, this
+file tells you who needs to review your patch - you need a simple majority of maintainers
+for the relevant subsystems to provide a :+1: on your pull request. Additionally, you need
+to not receive a veto from a Lieutenant or the Project Lead.
+
+Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
+for details on the process and how to become a maintainer or the project lead.
+
+# Project Maintainer
+* [Martin Smith](https://github.com/martinb3)
+
+# Maintainers
+* [Jennifer Davis](https://github.com/sigje)
+* [Tim Smith](https://github.com/tas50)
+* [Thom May](https://github.com/thommay)
+* [Martin Smith](https://github.com/martinb3)