Ecosyste.ms: Awesome


https://github.com/springerpe/chef_pe_network

Cookbook to manage the network (devices and MACs) and iptables FW on the servers
# pe_network-cookbook

Cookbook to control network devices, physical mappings, internet addresses and firewall
rules on a server. It can read all the attributes from a databag.

Warning: for the moment, this cookbook does not control the gateway (GW)!

## Supported Platforms

* Debian
* Ubuntu
* Centos

This cookbook does not work on Debian platforms with Chef version 11.4.

## Attributes

You can define the attributes directly, or use a data bag to read and set up all of them.
For reference, this is the attribute file of this cookbook:

```ruby
### Main databag attributes
default[:pe_network][:data_bag] = 'network'
default[:pe_network][:bag_name] = node[:hostname]
default[:pe_network][:environment] = node[:chef_environment] ? node[:chef_environment] : "_default"

### Network Definitions
default[:pe_network][:udev] = "/etc/udev/rules.d/70-persistent-net.rules"
default[:pe_network][:network] = {
  #
  # Linking an IP to a device:
  # 'eth0' => {
  #   :ip => "192.168.1.2",
  #   :network => "192.168.1.0",
  #   :mask => "255.255.255.0",
  #   :mac => "08:00:27:84:ee:e7",
  #   :mtu => "1400",
  #   :bcast => "192.168.1.255",
  #   :onboot => "yes"
  # },
  #
  # Forcing the name of a device by the MAC:
  # 'eth1' => {
  #   :mac => "08:00:27:84:ee:e7"
  # }
}
# Do not run the FW recipe by default
default[:pe_network][:run_fw] = false

### Firewall
default[:pe_network][:firewall][:enabled] = true
default[:pe_network][:firewall][:log] = true
# DROP all input packets by default
default[:pe_network][:firewall][:enable_input_drop] = true
# DROP all output packets by default
default[:pe_network][:firewall][:enable_output_drop] = false
# Rules
default[:pe_network][:firewall][:rules] = {
  'allow ssh' => {
    :direction => 'in',
    :user => 'root',
    :protocol => 'tcp',
    :source => ['0.0.0.0/0'],
    :dport => '22'
  }
  # Rule template (all supported keys):
  # '' => {
  #   :direction => '',
  #   :protocol => '',
  #   :user => '',
  #   :interface => '',
  #   :source => '|['',...]'>',
  #   :sport => '',
  #   :destination => '|['',...]'>',
  #   :dport => '',
  #   :env => '',
  #   :options => ['disable_env_limit', 'disable_syntax_check', ...]
  # }
}
```
All the default attribute values are safe; the best way to define the parameters is
with a data bag.

## Usage

The easiest way is to use a data bag to define the device mappings, IPs and firewall rules.
Be careful when defining rules on the primary interface: you can lose connectivity
in the middle of the Chef convergence. Create a data bag named `network` with an item
whose name is the node's name. In that item you can define all the attributes
in JSON format, for example:

```json
{
  "id": "pe-network-berkshelf",
  "_default": {
    "network": {
      "eth1": {
        "ip": "192.168.1.2",
        "mac": "08:00:27:84:ee:e7",
        "mtu": "1400"
      }
    },
    "firewall": {
      "enabled": true,
      "enable_input_drop": true,
      "enable_output_drop": false,
      "rules": {
        "allow ssh": {
          "direction": "in",
          "user": "root",
          "protocol": "tcp",
          "source": ["0.0.0.0/0"],
          "dport": "22"
        },
        "allow web": {
          "direction": "in",
          "user": "root",
          "protocol": "tcp",
          "source": ["0.0.0.0/0"],
          "dport": "80"
        }
      }
    }
  }
}
```

The configuration has two parts. The first part, `network`, defines the ifconfig
parameters (CentOS and RHEL are also supported):

* `device` is the only mandatory attribute; the cookbook will assign the IP to it.
* If there is a `mac`, the cookbook will change or create the udev rules to ensure the mapping (even if the MAC is not found).
* You can define other attributes such as:
  * `mtu`
  * `network`
  * `mask`
  * `bcast`

In the second part you define the firewall rules. Each rule has the following attributes:

* `'rule name'` =>
  * `direction` => '' (*mandatory*)
  * `protocol` => '' (*mandatory*)
  * `user` => '' (*mandatory*)
  * `interface` => ''
  * `source` => `'|['',...]'>'` (*mandatory for `in` rules*)
  * `sport` => ''
  * `destination` => `'|['',...]'>'` (*mandatory for `out` rules*)
  * `dport` => ''
  * `env` => ''
  * `options` => ['disable_env_limit', 'disable_syntax_check', ...]

You can use Chef searches in the `source` and `destination` attributes. More information
on the rule syntax is on AFW's home site: https://github.com/jvehent/AFW
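As an added example (not part of this cookbook), a small Ruby check you can run against a data bag item before uploading it: it enforces the mandatory rule fields listed above and flags the lockout case the Usage section warns about, a default input DROP with no `in` rule admitting SSH. The item contents and the node name are constructed.

```ruby
require 'json'

# Constructed data bag item in the README's layout (not a real node); note there is
# no rule admitting SSH even though input DROP is enabled.
SAMPLE_ITEM = JSON.parse(<<~ITEM)
  {
    "id": "example-node",
    "_default": {
      "network": { "eth1": { "ip": "192.168.1.2", "mac": "08:00:27:84:ee:e7" } },
      "firewall": {
        "enabled": true,
        "enable_input_drop": true,
        "rules": {
          "allow web": { "direction": "in", "user": "root", "protocol": "tcp",
                         "source": ["0.0.0.0/0"], "dport": "80" }
        }
      }
    }
  }
ITEM

MANDATORY = %w[direction protocol user].freeze
NEEDS = { 'in' => 'source', 'out' => 'destination' }.freeze

# Returns the problems found in one environment block of the item (empty array means OK).
def check_firewall_item(item, env = '_default')
  problems = []
  fw = item.fetch(env, {}).fetch('firewall', {})
  rules = fw.fetch('rules', {})
  rules.each do |name, rule|
    MANDATORY.each { |k| problems << "#{name}: missing #{k}" unless rule.key?(k) }
    needed = NEEDS[rule['direction']]
    if needed.nil?
      problems << "#{name}: direction must be 'in' or 'out'" if rule.key?('direction')
    elsif !rule.key?(needed)
      problems << "#{name}: #{rule['direction']} rule needs #{needed}"
    end
  end
  # Lockout check: input DROP by default with no 'in' rule allowing the SSH port.
  if fw['enabled'] && fw['enable_input_drop']
    ssh_ok = rules.values.any? { |r| r['direction'] == 'in' && r['dport'].to_s == '22' }
    problems << 'enable_input_drop is true but no in rule allows dport 22 (SSH lockout)' unless ssh_ok
  end
  problems
end

puts check_firewall_item(SAMPLE_ITEM)
```

Run it with `ruby check_item.rb` (any file name works) before `knife data bag from file network <item>.json`; a non-empty list means the item should not be uploaded as-is.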

To apply the cookbook just include `pe_network` in your node's `run_list`:

```json
{
  "run_list": [
    "recipe[pe_network::default]"
  ]
}
```

## License and Authors

Author:: Jose Riguera Lopez, Springer SBM ()