Change customizations.firewall to append items instead of replace
To maintain consistency with the other options this changes firewall to combine the existing settings from the image template with the settings from the blueprint. Also updated the docs, added a new test for it, and sorted the output for consistency. (cherry picked from commit 3e08389a0f) (cherry picked from commit 9d48aa4d92)
This commit is contained in:
parent
36ba09345b
commit
4b87dc09d0
@ -297,6 +297,9 @@ the port:protocol format::
Numeric ports, or their names from ``/etc/services`` can be used in the ``ports`` enabled/disabled lists.
Numeric ports, or their names from ``/etc/services`` can be used in the ``ports`` enabled/disabled lists.
The blueprint settings extend any existing settings in the image templates, so if ``sshd`` is
already enabled it will extend the list of ports with the ones listed by the blueprint.
If the distribution uses ``firewalld`` you can specify services listed by ``firewall-cmd --get-services``
If the distribution uses ``firewalld`` you can specify services listed by ``firewall-cmd --get-services``
in a ``customizations.firewall.services`` section::
in a ``customizations.firewall.services`` section::
@ -304,7 +307,7 @@ in a ``customizations.firewall.services`` section::
enabled = ["ftp", "ntp", "dhcp"]
enabled = ["ftp", "ntp", "dhcp"]
disabled = ["telnet"]
disabled = ["telnet"]
Note that these are different from the names in ``/etc/services``, and only ``enabled`` is supported.
Remember that the ``firewall.services`` are different from the names in ``/etc/services``.
Both are optional, if they are not used leave them out or set them to an empty list ``[]``. If you
Both are optional, if they are not used leave them out or set them to an empty list ``[]``. If you
only want the default firewall setup this section can be omitted from the blueprint.
only want the default firewall setup this section can be omitted from the blueprint.
@ -298,9 +298,9 @@ def firewall_cmd(line, settings):
# Do not override firewall --disabled
# Do not override firewall --disabled
if ks.handler.firewall.enabled != False and settings:
if ks.handler.firewall.enabled != False and settings:
ks.handler.firewall.ports = settings["ports"]
ks.handler.firewall.ports = sorted(set(settings["ports"] + ks.handler.firewall.ports))
ks.handler.firewall.services = settings["enabled"]
ks.handler.firewall.services = sorted(set(settings["enabled"] + ks.handler.firewall.services))
ks.handler.firewall.remove_services = settings["disabled"]
ks.handler.firewall.remove_services = sorted(set(settings["disabled"] + ks.handler.firewall.remove_services))
# Converting back to a string includes a comment, return just the keyboard line
# Converting back to a string includes a comment, return just the keyboard line
return str(ks.handler.firewall).splitlines()[-1]
return str(ks.handler.firewall).splitlines()[-1]
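Review bot: The merged `services` and `remove_services` lists on the last two changed lines are never reconciled against each other, so a template that enables a service the blueprint lists under `disabled` (or the reverse) now produces both `--service=X` and `--remove-service=X` on the same firewall line, and which one wins is left to whatever consumes the kickstart. Under the old replace semantics the blueprint author controlled both lists, so this ambiguity is new with the append behaviour; the blueprint's explicit choice should win, which I would document with `# Blueprint intent wins over the template when a service appears in both lists`. The `settings["ports"]`, `settings["enabled"]` and `settings["disabled"]` lookups also still raise KeyError when a blueprint omits a key the docs describe as optional — presumably the caller normalises the dict, but that is not visible here and worth confirming. firewall_cmd starts outside the hunk, so the parsing of `line` into `ks` cannot be checked from this view.
```python
if ks.handler.firewall.enabled != False and settings:
    ks.handler.firewall.ports = sorted(set(settings["ports"] + ks.handler.firewall.ports))
    enabled = set(settings["enabled"] + ks.handler.firewall.services)
    disabled = set(settings["disabled"] + ks.handler.firewall.remove_services)
    # Blueprint intent wins over the template when a service appears in both lists
    ks.handler.firewall.services = sorted(enabled - set(settings["disabled"]))
    ks.handler.firewall.remove_services = sorted(disabled - set(settings["enabled"]))
# … unchanged: return of the rendered firewall line …
```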
@ -435,20 +435,25 @@ disabled = ["telnet"]
self.assertEqual(firewall_cmd("firewall --enabled",
self.assertEqual(firewall_cmd("firewall --enabled",
{"ports": ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"],
{"ports": ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"],
"enabled": [], "disabled": []}),
"enabled": [], "disabled": []}),
"firewall --enabled --port=22:tcp,80:tcp,imap:tcp,53:tcp,53:udp")
"firewall --enabled --port=22:tcp,53:tcp,53:udp,80:tcp,imap:tcp")
self.assertEqual(firewall_cmd("firewall --enabled",
self.assertEqual(firewall_cmd("firewall --enabled",
{"ports": ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"],
{"ports": ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"],
"enabled": ["ftp", "ntp", "dhcp"], "disabled": []}),
"enabled": ["ftp", "ntp", "dhcp"], "disabled": []}),
"firewall --enabled --port=22:tcp,80:tcp,imap:tcp,53:tcp,53:udp --service=ftp,ntp,dhcp")
"firewall --enabled --port=22:tcp,53:tcp,53:udp,80:tcp,imap:tcp --service=dhcp,ftp,ntp")
self.assertEqual(firewall_cmd("firewall --enabled",
self.assertEqual(firewall_cmd("firewall --enabled",
{"ports": ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"],
{"ports": ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"],
"enabled": ["ftp", "ntp", "dhcp"], "disabled": ["telnet"]}),
"enabled": ["ftp", "ntp", "dhcp"], "disabled": ["telnet"]}),
"firewall --enabled --port=22:tcp,80:tcp,imap:tcp,53:tcp,53:udp --service=ftp,ntp,dhcp --remove-service=telnet")
"firewall --enabled --port=22:tcp,53:tcp,53:udp,80:tcp,imap:tcp --service=dhcp,ftp,ntp --remove-service=telnet")
# Make sure that --disabled overrides setting ports and services
# Make sure that --disabled overrides setting ports and services
self.assertEqual(firewall_cmd("firewall --disabled",
self.assertEqual(firewall_cmd("firewall --disabled",
{"ports": ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"],
{"ports": ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"],
"enabled": ["ftp", "ntp", "dhcp"], "disabled": ["telnet"]}),
"enabled": ["ftp", "ntp", "dhcp"], "disabled": ["telnet"]}),
"firewall --disabled")
"firewall --disabled")
# Make sure that ports includes any existing settings from the firewall command
self.assertEqual(firewall_cmd("firewall --enabled --port=8080:tcp --service=dns --remove-service=ftp",
{"ports": ["80:tcp"],
"enabled": ["ntp"], "disabled": ["telnet"]}),
"firewall --enabled --port=8080:tcp,80:tcp --service=dns,ntp --remove-service=ftp,telnet")
def test_get_services(self):
def test_get_services(self):
"""Test get_services function"""
"""Test get_services function"""
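Review bot: The expected port string in the added assertion, `--port=8080:tcp,80:tcp`, depends on `sorted()` comparing the port specs as strings, which places `8080:tcp` ahead of `80:tcp` because `8` sorts before `:`; a reader expecting numeric order will assume the assertion is wrong. Spelling that out keeps the test self-explaining, e.g. `# ports are sorted lexically, so "8080:tcp" precedes "80:tcp"` above the call. The added case also never exercises a service that the template enables and the blueprint disables (say `dns` appearing under both), which is the one overlap the merge can produce, so whichever resolution is intended is currently unpinned. The enclosing test method starts outside the hunk.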
@ -538,7 +538,7 @@ ports = ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"]
self.assertEqual(ks.handler.firewall.remove_services, [])
self.assertEqual(ks.handler.firewall.remove_services, [])
ks = self._blueprint_to_ks(blueprint2_data)
ks = self._blueprint_to_ks(blueprint2_data)
self.assertEqual(ks.handler.firewall.ports, ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"])
self.assertEqual(ks.handler.firewall.ports, ["22:tcp", "53:tcp", "53:udp", "80:tcp", "imap:tcp"])
self.assertEqual(ks.handler.firewall.services, [])
self.assertEqual(ks.handler.firewall.services, [])
self.assertEqual(ks.handler.firewall.remove_services, [])
self.assertEqual(ks.handler.firewall.remove_services, [])
@ -553,7 +553,7 @@ disabled = ["telnet"]
"""
"""
ks = self._blueprint_to_ks(blueprint_data)
ks = self._blueprint_to_ks(blueprint_data)
self.assertEqual(ks.handler.firewall.ports, [])
self.assertEqual(ks.handler.firewall.ports, [])
self.assertEqual(ks.handler.firewall.services, ["ftp", "ntp", "dhcp"])
self.assertEqual(ks.handler.firewall.services, ["dhcp", "ftp", "ntp"])
self.assertEqual(ks.handler.firewall.remove_services, ["telnet"])
self.assertEqual(ks.handler.firewall.remove_services, ["telnet"])
def test_firewall(self):
def test_firewall(self):
@ -569,8 +569,8 @@ enabled = ["ftp", "ntp", "dhcp"]
disabled = ["telnet"]
disabled = ["telnet"]
"""
"""
ks = self._blueprint_to_ks(blueprint_data)
ks = self._blueprint_to_ks(blueprint_data)
self.assertEqual(ks.handler.firewall.ports, ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"])
self.assertEqual(ks.handler.firewall.ports, ["22:tcp", "53:tcp", "53:udp", "80:tcp", "imap:tcp"])
self.assertEqual(ks.handler.firewall.services, ["ftp", "ntp", "dhcp"])
self.assertEqual(ks.handler.firewall.services, ["dhcp", "ftp", "ntp"])
self.assertEqual(ks.handler.firewall.remove_services, ["telnet"])
self.assertEqual(ks.handler.firewall.remove_services, ["telnet"])
def test_services(self):
def test_services(self):