author | Micah Anderson <micah@leap.se> | 2014-05-22 16:38:28 -0400 |
---|---|---|
committer | Micah Anderson <micah@leap.se> | 2014-05-22 16:38:28 -0400 |
commit | 6100b6ded99241f10e7fb12c13a0820fda084912 (patch) | |
tree | 863a9120010f32fdae304af94cd102c1da5096a6 | |
parent | 327d5c934e408f90011d7949b89ab01fed88998e (diff) | |
parent | a622e49c5df2150049afb6f6ed47177537b7e6da (diff) |
Merge branch 'develop' (0.5.1) [tag: 0.5.1]
Change-Id: I4e9d845f9758232f4da0d4bfbf785e52982b825b
29 files changed, 295 insertions, 172 deletions
@@ -30,18 +30,68 @@ To capture the log, you can copy from the console, or run `leap --log FILE` or e Visit https://leap.se/en/docs/get-involved/communication for details on how to contact the developers. -More Information -================ +Known issues +============ -Changelog +The following issues are known to be there in 0.5.1: + +CouchDB Sync +------------ +You can't deploy new couchdb nodes after one or more have been deployed. Make *sure* that you configure and deploy all your couchdb nodes when first creating your provider. The problem is that we dont not have a clean way of adding couch nodes after initial creation of the databases, so any nodes added after result in improperly synchronized data. See Bug [#5601](https://leap.se/code/issues/5601) for more information. + +Service separation +------------------ + +. You can't deploy all services to one single node. You need at least to seperate the mx and the webapp node. The reason is because they both use haproxy to query the couch db, and haproxy still doesn't have a way to split up its config files in a .d directory (see: https://leap.se/code/issues/3839) + +User setup and ssh +------------------ + +. if you aren't using a single ssh key, but have different ones, you will need to define the following at the top of your ~/.ssh/config: + HostName <ip address> + IdentityFile <path to identity file> + + (see: https://leap.se/code/issues/2946 and https://leap.se/code/issues/3002) + +. If the ssh host key changes, you need to run node init again (see: https://leap.se/en/docs/platform/guide#Working.with.SSH) + +. At the moment, only ECDSA ssh host keys are supported. If you get the following error: `= FAILED ssh-keyscan: no hostkey alg (must be missing an ecdsa public host key)` then you should confirm that you have the following line defined in your server's **/etc/ssh/sshd_config**: `HostKey /etc/ssh/ssh_host_ecdsa_key`. 
If that file doesn't exist, run `ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""` in order to create it. If you made a change to your sshd_config, then you need to run `/etc/init.d/ssh restart` (see: https://leap.se/code/issues/2373) + +. To remove an admin's access to your servers, please remove the directory for that user under the `users/` subdirectory in your provider directory and then remove that user's ssh keys from files/ssh/authorized_keys. When finished you *must* run a `leap deploy` to update that information on the servers. + +. At the moment, it is only possible to add an admin who will have access to all LEAP servers (see: https://leap.se/code/issues/2280) + +. leap add-user --self allows only one key - if you run that command twice with different keys, you will just replace the key with the second key. To add a second key, add it manually to files/ssh/authorized_keys (see: https://leap.se/code/issues/866) + + +Deploying --------- +. If you have any errors during a run, please try to deploy again as this often solves non-deterministic issues that were not uncovered in our testing. Please re-deploy with `leap -v2 deploy` to get more verbose logs and capture the complete output to provide to us for debugging. + +. If when deploying your debian mirror fails for some reason, network anomoly or the mirror itself is out of date, then platform deployment will not succeed properly. Check the mirror is up and try to deploy again when it is resolved (see: https://leap.se/code/issues/1091) + +. Deployment gives 'error: in `%`: too few arguments (ArgumentError)' - this is because you attempted to do a deploy before initializing a node, please initialize the node first and then do a deploy afterwards (see: https://leap.se/code/issues/2550) + +. This release has no ability to custom configure apt sources or proxies (see: https://leap.se/code/issues/1971) + +. 
When running a deploy at a verbosity level of 2 and above, you will notice puppet deprecation warnings, these are known and we are working on fixing them + +Special Environments +-------------------- + +. When deploying to OpenStack release "nova" or newer, you will need to do an initial deploy, then when it has finished run `leap facts update` and then deploy again (see: https://leap.se/code/issues/3020) + + +Changelog +========= + For a changelog of the current branch: git log Authors and Credits ------------------- +=================== See contributors: @@ -49,6 +99,6 @@ See contributors: Copyright/License ------------------ +================= Read LICENSE diff --git a/bin/run_tests b/bin/run_tests index 9102c325..526aa83a 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -288,6 +288,16 @@ def assert_running(process) end # +# runs the specified command, failing on a non-zero exit status. +# +def assert_run(command) + output = `#{command}` + if $?.exitstatus != 0 + fail "Error running `#{command}`:\n#{output}" + end +end + +# # Custom test runner in order to modify the output. # class LeapRunner < MiniTest::Unit diff --git a/platform.rb b/platform.rb index 689c58b7..d36cb3af 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ # Leap::Platform.define do - self.version = "0.4.0" + self.version = "0.5.2" self.compatible_cli = "1.5.0".."1.99" # 
@@ -27,12 +27,16 @@ Leap::Platform.define do # input config files :common_config => 'common.json', :provider_config => 'provider.json', - :provider_env_config => 'provider.#{arg}.json', :secrets_config => 'secrets.json', :node_config => 'nodes/#{arg}.json', :service_config => 'services/#{arg}.json', :tag_config => 'tags/#{arg}.json', + # input config files, environmentally scoped + :provider_env_config => 'provider.#{arg}.json', + :service_env_config => 'services/#{arg[0]}.#{arg[1]}.json', + :tag_env_config => 'tags/#{arg[0]}.#{arg[1]}.json', + # input templates :provider_json_template => 'files/service-definitions/provider.json.erb', :eip_service_json_template => 'files/service-definitions/#{arg}/eip-service.json.erb', diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index 3e055e9a..be8ae484 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -14,7 +14,7 @@ hsh['api_version'] = "1" hsh['api_uri'] = ["https://", api.domain, ':', api.port].join - hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt' + hsh['ca_cert_uri'] = 'https://' + webapp.domain + '/ca.crt' hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert) hsh.dump_json diff --git a/provider_base/provider.json b/provider_base/provider.json index fa69318b..743964ee 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json 
@@ -15,12 +15,18 @@ "default_language": "en", "enrollment_policy": "open", "service": { - "levels": [ - // bandwidth limit is in Bytes, storage limit is in MB. - {"id": 1, "name": "free", "storage":50}, - {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]}, - {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]} - ], + // bandwidth limit is in Bytes, storage limit is in MB. + // for example: + // "levels": { + // "1": {"name": "free", "description":"Limited service, but without cost to you.", "storage":50}, + // "2": {"name": "basic", "description":"The standard package.", "storage":1000, "rate": {"USD":5}}, + // "3": {"name": "pro", "description":"Extra storage for power users." , "storage":10000, "rate": {"USD":10}} + // } + "levels": { + "1": { + "name": "free", "description": "Please donate." + } + }, "default_service_level": 1, "bandwidth_limit": 102400, "allow_free": "= provider.service.levels.select {|l| l['rate'].nil?}.any?", diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 04e19aa2..090afcd6 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -23,7 +23,8 @@ "tls-cipher": "DHE-RSA-AES128-SHA", "auth": "SHA1", "cipher": "AES-128-CBC", - "keepalive": "10 30" + "keepalive": "10 30", + "tun-ipv6": true } } } diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index ae4da46d..fc365a19 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json @@ -1,6 +1,8 @@ { "tor": { "bandwidth_rate": 6550, - "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten" + "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten", + "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]", + "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')" } } 
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 29c0cbf9..bbb52094 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -1,6 +1,7 @@ { "webapp": { "admins": [], + "domain": "= domain.full_suffix", "modules": ["user", "billing", "help"], "couchdb_webapp_user": { "username": "= global.services[:couchdb].couch.users[:webapp].username", @@ -12,6 +13,8 @@ "allow_limited_certs": "= provider.service.allow_limited_bandwidth", "allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth", "allow_anonymous_certs": "= provider.service.allow_anonymous", + "default_service_level": "= provider.service.default_service_level", + "service_levels": "= provider.service.levels", "secret_token": "= secret :webapp_secret_token", "api_version": 1, "secure": false, @@ -39,7 +42,7 @@ }, "service_type": "public_service", "api": { - "domain": "= 'api.' + domain.full_suffix", + "domain": "= 'api.' + webapp.domain", "port": 4430 }, "nickserver": { @@ -52,15 +55,15 @@ "port": 6425 }, "dns": { - "aliases": "= [domain.full_suffix, domain.full, api.domain, nickserver.domain]" + "aliases": "= [domain.full, webapp.domain, api.domain, nickserver.domain]" }, "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'", - "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", - "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_cert": "= file [:commercial_cert, webapp.domain]", + "commercial_key": "= file [:commercial_key, webapp.domain]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } } 
diff --git a/puppet/modules/site_apt/manifests/preferences/openvpn.pp b/puppet/modules/site_apt/manifests/preferences/openvpn.pp new file mode 100644 index 00000000..c7ddae25 --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/openvpn.pp @@ -0,0 +1,9 @@ +class site_apt::preferences::openvpn { + + apt::preferences_snippet { 'openvpn': + package => 'openvpn', + release => "${::lsbdistcodename}-backports", + priority => 999; + } + +} diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp new file mode 100644 index 00000000..132a6e24 --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp @@ -0,0 +1,9 @@ +class site_apt::preferences::rsyslog { + + apt::preferences_snippet { 'rsyslog_anon_depends': + package => 'libestr0 librelp0 rsyslog*', + priority => '999', + pin => 'release a=wheezy-backports', + before => Class['rsyslog::install'] + } +} diff --git a/puppet/modules/site_apt/manifests/preferences/unbound.pp b/puppet/modules/site_apt/manifests/preferences/unbound.pp new file mode 100644 index 00000000..6da964f9 --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/unbound.pp @@ -0,0 +1,10 @@ +class site_apt::preferences::unbound { + + apt::preferences_snippet { 'unbound': + package => 'libunbound* unbound*', + release => "${::lsbdistcodename}-backports", + priority => 999, + before => Class['unbound::package']; + } + +} diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp index 35a4e9a5..1e370125 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mx.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp 
@@ -8,7 +8,7 @@ class site_check_mk::agent::mx { # local nagios plugin checks via mrpe file_line { 'Leap_MX_Procs': - line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a leap_mx', + line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap_mx.log\'', path => '/etc/check_mk/mrpe.cfg'; } diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp index cbae81fe..512d1a3d 100644 --- a/puppet/modules/site_check_mk/manifests/agent/soledad.pp +++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp @@ -7,7 +7,7 @@ class site_check_mk::agent::soledad { # local nagios plugin checks via mrpe file_line { 'Soledad_Procs': - line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a soledad', + line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/soledad.pid --logfile=/var/log/soledad.log web --wsgi=leap.soledad.server.application\'', path => '/etc/check_mk/mrpe.cfg'; } diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 3d7b9206..1b8bd1a2 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp 
@@ -10,16 +10,16 @@ class site_config::caching_resolver { # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the # configuration file + include site_apt::preferences::unbound + file { + # cleanup from how we used to do it '/etc/unbound/conf.d': - ensure => directory, - owner => root, group => root, mode => '0755', - require => Package['unbound']; + force => true, + ensure => absent; '/etc/unbound/conf.d/placeholder': - ensure => present, - content => '', - owner => root, group => root, mode => '0644'; + ensure => absent; } class { 'unbound': @@ -39,4 +39,10 @@ class site_config::caching_resolver { } } } + + concat::fragment { 'unbound glob include': + target => $unbound::params::config, + content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n", + order => 10 + } } diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 7e421a21..c7352857 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -27,6 +27,9 @@ class site_config::default { if $::ec2_instance_id { include site_config::dhclient } + if $::virtual == 'virtualbox' { + include site_config::dhclient + } # configure /etc/resolv.conf include site_config::resolvconf diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index 51cceb31..93cfb847 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp 
@@ -51,12 +51,14 @@ class site_config::initial_firewall { command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', + subscribe => File['/etc/network/ipv4firewall_up.rules'], require => File['/etc/network/ipv4firewall_up.rules']; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, - unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', + unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status', + subscribe => File['/etc/network/ipv6firewall_up.rules'], require => File['/etc/network/ipv6firewall_up.rules']; } } diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index d3abeca1..26c65f02 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -1,20 +1,6 @@ class site_config::syslog { - # we need to pull in rsyslog from the leap repository until it is availbale in - # wheezy-backports - apt::preferences_snippet { 'fixed_rsyslog_anon_package': - package => 'rsyslog*', - priority => '999', - pin => 'release o=leap.se', - before => Class['rsyslog::install'] - } - - apt::preferences_snippet { 'rsyslog_anon_depends': - package => 'libestr0 librelp0', - priority => '999', - pin => 'release a=wheezy-backports', - before => Class['rsyslog::install'] - } + include site_apt::preferences::rsyslog class { 'rsyslog::client': log_remote => false, diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb index 524ae308..928a2b31 100644 --- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb +++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb 
@@ -5,6 +5,7 @@ :OUTPUT DROP [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT -A INPUT -p udp -m udp --sport 53 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT @@ -13,6 +14,7 @@ -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb index e7fae52e..e2c92524 100644 --- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb +++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb @@ -3,5 +3,6 @@ :INPUT DROP [24:1980] :FORWARD DROP [0:0] :OUTPUT DROP [14:8030] +-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable COMMIT # Completed on Tue Aug 20 12:19:43 2013 diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 7aec0faa..b6331f12 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -168,9 +168,14 @@ class site_openvpn { include site_shorewall::eip + # In wheezy, we need the openvpn backport to get the 2.3 version of + # openvpn which has proper ipv6 support + include site_apt::preferences::openvpn + package { 'openvpn': - ensure => installed; + ensure => latest, + require => Class['site_apt::preferences::openvpn']; } service { diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c74fb509..c1367a33 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -3,82 +3,48 @@ class site_openvpn::resolver { if $site_openvpn::openvpn_allow_unlimited { $ensure_unlimited = 'present' file { - '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': + '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; - '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': + '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; } } else { $ensure_unlimited = 'absent' - tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } - tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': } } if $site_openvpn::openvpn_allow_limited { $ensure_limited = 'present' file { - '/etc/unbound/conf.d/vpn_limited_udp_resolver': + '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => 
Service['unbound']; - '/etc/unbound/conf.d/vpn_limited_tcp_resolver': + '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; } } else { $ensure_limited = 'absent' - tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } - tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': } } - - # this is an unfortunate way to get around the fact that the version of - # unbound we are working with does not accept a wildcard include directive - # (/etc/unbound/conf.d/*), when it does, these line definitions should - # go away and instead the caching_resolver should be configured to - # include: /etc/unbound/conf.d/* - - file_line { - 'add_unlimited_tcp_resolver': - ensure => $ensure_unlimited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_unlimited_udp_resolver': - ensure => $ensure_unlimited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_limited_tcp_resolver': - ensure => $ensure_limited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_limited_udp_resolver': - ensure => 
$ensure_limited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - } - } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index b1f4997c..97cf2842 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -60,12 +60,13 @@ define site_openvpn::server_config( concat { "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File['/etc/openvpn'], - notify => Exec['restart_openvpn']; + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + before => Service['openvpn'], + notify => Exec['restart_openvpn']; } if $tls_remote != undef { 
@@ -77,101 +78,116 @@ define site_openvpn::server_config( } } + # according to openvpn man page: tcp-nodelay is a "generally a good latency optimization". + if $proto == 'tcp' { + openvpn::option { + "tcp-nodelay ${openvpn_configname}": + key => 'tcp-nodelay', + server => $openvpn_configname; + } + } + openvpn::option { "ca ${openvpn_configname}": - key => 'ca', - value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", - server => $openvpn_configname; + key => 'ca', + value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", + server => $openvpn_configname; "cert ${openvpn_configname}": - key => 'cert', - value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", + key => 'cert', + value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", server => $openvpn_configname; "key ${openvpn_configname}": - key => 'key', - value => "${x509::variables::keys}/${site_config::params::cert_name}.key", - server => $openvpn_configname; + key => 'key', + value => "${x509::variables::keys}/${site_config::params::cert_name}.key", + server => $openvpn_configname; "dh ${openvpn_configname}": - key => 'dh', - value => '/etc/openvpn/keys/dh.pem', - server => $openvpn_configname; + key => 'dh', + value => '/etc/openvpn/keys/dh.pem', + server => $openvpn_configname; "tls-cipher ${openvpn_configname}": - key => 'tls-cipher', - value => $config['tls-cipher'], - server => $openvpn_configname; + key => 'tls-cipher', + value => $config['tls-cipher'], + server => $openvpn_configname; "auth ${openvpn_configname}": - key => 'auth', - value => $config['auth'], - server => $openvpn_configname; + key => 'auth', + value => $config['auth'], + server => $openvpn_configname; "cipher ${openvpn_configname}": - key => 'cipher', - value => $config['cipher'], - server => $openvpn_configname; + key => 'cipher', + value => $config['cipher'], + server => $openvpn_configname; "dev ${openvpn_configname}": - key => 'dev', - 
value => 'tun', - server => $openvpn_configname; + key => 'dev', + value => 'tun', + server => $openvpn_configname; + "tun-ipv6 ${openvpn_configname}": + key => 'tun-ipv6', + server => $openvpn_configname; "duplicate-cn ${openvpn_configname}": - key => 'duplicate-cn', - server => $openvpn_configname; + key => 'duplicate-cn', + server => $openvpn_configname; "keepalive ${openvpn_configname}": - key => 'keepalive', - value => $config['keepalive'], - server => $openvpn_configname; + key => 'keepalive', + value => $config['keepalive'], + server => $openvpn_configname; "local ${openvpn_configname}": - key => 'local', - value => $local, - server => $openvpn_configname; + key => 'local', + value => $local, + server => $openvpn_configname; "mute ${openvpn_configname}": - key => 'mute', - value => '5', - server => $openvpn_configname; + key => 'mute', + value => '5', + server => $openvpn_configname; "mute-replay-warnings ${openvpn_configname}": - key => 'mute-replay-warnings', - server => $openvpn_configname; + key => 'mute-replay-warnings', + server => $openvpn_configname; "management ${openvpn_configname}": - key => 'management', - value => $management, - server => $openvpn_configname; + key => 'management', + value => $management, + server => $openvpn_configname; "proto ${openvpn_configname}": - key => 'proto', - value => $proto, - server => $openvpn_configname; + key => 'proto', + value => $proto, + server => $openvpn_configname; "push1 ${openvpn_configname}": - key => 'push', - value => $push, - server => $openvpn_configname; + key => 'push', + value => $push, + server => $openvpn_configname; "push2 ${openvpn_configname}": - key => 'push', - value => '"redirect-gateway def1"', - server => $openvpn_configname; + key => 'push', + value => '"redirect-gateway def1"', + server => $openvpn_configname; + "push-ipv6 ${openvpn_configname}": + key => 'push', + value => '"route-ipv6 2000::/3"', + server => $openvpn_configname; "script-security ${openvpn_configname}": - key => 
'script-security', - value => '2', - server => $openvpn_configname; + key => 'script-security', + value => '1', + server => $openvpn_configname; "server ${openvpn_configname}": - key => 'server', - value => $server, - server => $openvpn_configname; + key => 'server', + value => $server, + server => $openvpn_configname; + "server-ipv6 ${openvpn_configname}": + key => 'server-ipv6', + value => '2001:db8:123::/64', + server => $openvpn_configname; "status ${openvpn_configname}": - key => 'status', - value => '/var/run/openvpn-status 10', - server => $openvpn_configname; + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; "status-version ${openvpn_configname}": - key => 'status-version', - value => '3', - server => $openvpn_configname; + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology ${openvpn_configname}": - key => 'topology', - value => 'subnet', - server => $openvpn_configname; - # no need for server-up.sh right now - #"up $openvpn_configname": - # key => 'up', - # value => '/etc/openvpn/server-up.sh', - # server => $openvpn_configname; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; "verb ${openvpn_configname}": - key => 'verb', - value => '3', - server => $openvpn_configname; + key => 'verb', + value => '3', + server => $openvpn_configname; } } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 7109b770..8fbba658 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -68,6 +68,22 @@ class site_shorewall::eip { destination => '$FW', action => 'leap_eip(ACCEPT)', order => 200; + + 'block_eip_dns_udp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'udp', + destinationport => 'domain', + order => 300; + + 'block_eip_dns_tcp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'tcp', + destinationport => 'domain', + order => 301; } # create dnat rule for each port diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 91a4a7a9..4f6d895f 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -6,7 +6,7 @@ class site_static { if (member($formats, 'amber')) { include site_config::ruby::dev - rubygems::gem{'amber': } + rubygems::gem{'amber-0.3.0': } } create_resources(site_static::domain, $domains) diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 837665a3..b75c9ac3 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -22,7 +22,7 @@ define site_stunnel::clients ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, debuglevel => $debuglevel, - require => [ + subscribe => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 02368a0e..e62cb12d 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -7,6 +7,7 @@ class site_tor { $tor_type = $tor['type'] $nickname = $tor['nickname'] $contact_emails = join($tor['contacts'],', ') + $family = $tor['family'] $address = hiera('ip_address') 
@@ -16,7 +17,7 @@ class site_tor { address => $address, contact_info => obfuscate_email($contact_emails), bandwidth_rate => $bandwidth_rate, - my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', + my_family => $family } if ( $tor_type == 'exit'){ diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 98f8564e..6461c5e8 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,3 +1,4 @@ +<%- require 'json' -%> <%- cert_options = @webapp['client_certificates'] -%> production: admins: <%= @webapp['admins'].inspect %> @@ -15,3 +16,5 @@ production: limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" minimum_client_version: "<%= @webapp['client_version']['min'] %>" + default_service_level: "<%= @webapp['default_service_level'] %>" + service_levels: <%= @webapp['service_levels'].to_json %> diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index 743e8a84..af1a96ac 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp @@ -56,6 +56,13 @@ class tapicero { group => 'tapicero', require => User['tapicero']; + # for pid file + '/var/run/tapicero': + ensure => directory, + owner => 'tapicero', + group => 'tapicero', + require => User['tapicero']; + ## ## TAPICERO CONFIG ## @@ -117,7 +124,7 @@ class tapicero { enable => true, hasstatus => true, hasrestart => true, - require => File['/etc/init.d/tapicero']; + require => [ File['/etc/init.d/tapicero'], File['/var/run/tapicero'] ]; } } diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb index 955857dc..e0b0339d 100644 --- a/tests/white-box/network.rb +++ b/tests/white-box/network.rb 
@@ -57,4 +57,9 @@ class Network < LeapTest end end + def test_03_Is_shorewall_running? + assert_run('/sbin/shorewall status') + pass + end + end |
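Review bot: in the README "User setup and ssh" item about multiple keys, the `HostName <ip address>` and `IdentityFile <path to identity file>` lines are shown "at the top of your ~/.ssh/config" with no `Host <node>` stanza above them; options placed at the top of the file apply to every connection, so every ssh target would be redirected to that one IP. Show them under a `Host <node name>` entry. Typos in the added text: "dont not", "seperate", "anomoly".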
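Review bot: `assert_run` in bin/run_tests captures only stdout, so a failing command's stderr (usually the useful part) never reaches the failure message. Use `Open3.capture2e(command)` and check `status.success?`, or append `2>&1` to the command, instead of the backtick plus `$?.exitstatus`. Backticks also go through the shell, so callers must only pass literal commands; the single caller here (`/sbin/shorewall status`) is a literal, which is fine.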
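Review bot: platform.rb bumps `self.version` to "0.5.2" while this merge is tagged 0.5.1 and the README's Known issues section refers to 0.5.1. One of the two should change so the platform reports the version that was actually released.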
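Review bot: in provider_base/provider.json the `allow_free` expression (`provider.service.levels.select {|l| l['rate'].nil?}.any?`, an unchanged context line) still treats `levels` as an array. Now that `levels` is a hash keyed by id, `Hash#select` yields key and value, a one-parameter block receives the string key, and `"1"['rate']` is nil for every entry, so `allow_free` is always true regardless of rates. Use `levels.values.select {|l| l['rate'].nil?}.any?` (or `levels.any? {|id, l| l['rate'].nil?}`).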
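Review bot: `"tun-ipv6": true` is added to provider_base/services/openvpn.json, but site_openvpn::server_config emits the `tun-ipv6` option unconditionally instead of reading `$config['tun-ipv6']`, so the new key has no effect and IPv6 cannot be turned off per provider. Either read it in the manifest or drop it from the JSON.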
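Review bot: the `nickname` expression in tor.json uses `.sub('_','')`, which removes only the first underscore; a node name with several underscores or with hyphens produces a nickname Tor rejects (1 to 19 alphanumeric characters). Use `.gsub(/[^a-zA-Z0-9]/, '')` before the `[0..18]` truncation. Appending `secret(:tor_family)` to a published relay nickname also makes that secret public, so it must never be reused for anything that needs to stay confidential; a comment saying it is only a per-provider disambiguator would help.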
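Review bot: the three new site_apt::preferences snippets are inconsistent: openvpn.pp and unbound.pp derive the release from `${::lsbdistcodename}-backports`, while rsyslog.pp hardcodes `pin => 'release a=wheezy-backports'`; priority is a bare `999` in two of them and the string `'999'` in the third. Use one form in all three so the rsyslog pin does not silently stop applying on the next Debian release.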
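Review bot: in site_check_mk::agent::mx and ::soledad the `check_procs -a` argument now has to match the daemon's entire command line; any change to the twistd arguments in the init scripts (pidfile, `--rundir`, `--logfile`) will make the check count zero processes and go critical. Matching a stable, distinctive substring such as `leap_mx.tac` or `leap.soledad.server.application` would be less brittle while still excluding unrelated twistd processes.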
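Review bot: the new concat fragment in site_config::caching_resolver includes `/etc/unbound/unbound.conf.d/*.conf`, but site_openvpn::resolver writes its fragments as `/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver` and friends with no `.conf` suffix, so none of the VPN `interface:` / `access-control:` fragments will be loaded and unbound will not listen on the tunnel addresses. Rename the files to `*.conf` (in both the `file` and `tidy` resources) or widen the glob. Also confirm that `order => 10` places the include after the `server:` header: the fragments contain server-clause options, and the previous implementation wrote `server: include: ...` explicitly for that reason.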
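Review bot: in site_openvpn::resolver the four `file_line` resources that appended `server: include: /etc/unbound/conf.d/vpn_*_resolver` to /etc/unbound/unbound.conf are deleted from the manifest rather than set to `ensure => absent`, while caching_resolver.pp now removes `/etc/unbound/conf.d` with `force => true`. On a node deployed with the previous release the stale include lines stay in unbound.conf and point at files that no longer exist. Check whether unbound treats a missing non-glob include as fatal; if it does, keep the `file_line` resources with `ensure => absent` for one release so upgraded nodes still get a working resolver.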
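Review bot: the new `if $::virtual == 'virtualbox'` block in site_config::default duplicates the ec2 case immediately above it; fold both into one condition (`if $::ec2_instance_id or $::virtual == 'virtualbox'`) with a comment saying why these environments need dhclient managed.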
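Review bot: in site_config::initial_firewall, `subscribe => File[...]` already implies the dependency, so the `require => File[...]` on the same resource is now redundant in both execs. The fix of the IPv6 `unless` to check `shorewall6` rather than `shorewall` is correct; previously a running shorewall (v4) suppressed the IPv6 restore even when shorewall6 was not managing the v6 tables.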
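Review bot: ipv4firewall_up.rules.erb now accepts TCP port 22 unconditionally in INPUT and OUTPUT, next to the `<%= @ssh_port %>` rules. On a provider that has moved sshd to another port this leaves 22 open in the bootstrap firewall as well; when `ssh_port` is 22 the rule is simply duplicated. If 22 must stay open during the first deploy (before sshd is moved to the configured port), wrap the two lines in `<% if @ssh_port != 22 %>` and add a comment saying why; otherwise drop them.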
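Review bot: in ipv6firewall_up.rules.erb the new `-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable` turns outbound IPv6 from silent drops into immediate errors, which is friendlier to local processes, but unlike the IPv4 template there is no `-A INPUT -i lo -j ACCEPT` / `-A OUTPUT -o lo -j ACCEPT` pair, so anything talking to `::1` is rejected under this bootstrap ruleset. Add the loopback rules unless blocking IPv6 loopback is intentional. The `[24:1980]` and `[14:8030]` counters are leftovers from an iptables-save dump and can be `[0:0]`.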
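Review bot: `ensure => latest` on the openvpn package in site_openvpn means any puppet run may upgrade openvpn from backports and restart the VPN for every connected client at an unplanned time. If the goal is to move already-deployed wheezy nodes from the 2.2 package to the backports 2.3 series, pin an explicit version string (or `ensure => installed` plus a one-off upgrade) rather than tracking `latest` indefinitely.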
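Review bot: in the site_openvpn::server_config concat hunk, `mode => 644` is a bare integer; puppet-lint flags it and it is easy to misread, so quote it as `'0644'` now that the block is being touched. Adding `before => Service['openvpn']` alongside the existing `notify => Exec['restart_openvpn']` is fine, but a comment on why both are needed (initial start vs. reload on change) would help the next reader.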
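Review bot: in the openvpn::option hunk, `server-ipv6 2001:db8:123::/64` is the RFC 3849 documentation prefix, which is not routable; combined with `push "route-ipv6 2000::/3"`, clients will send all global IPv6 into the tunnel and it will go nowhere. If the intent is to blackhole client IPv6 so it cannot bypass the VPN (a leak-prevention measure), state that in a comment and in the README; if real IPv6 service is intended, the prefix has to come from node config the same way `$server` does. Lowering `script-security` from 2 to 1 is a good change now that the commented-out `up` script block is gone. The `tcp-nodelay` option is only set for `proto == 'tcp'`, which is correct.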
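Review bot: the two new `block_eip_dns_udp` / `block_eip_dns_tcp` REJECT rules in site_shorewall::eip (eip to net, port `domain`, order 300/301) only take effect if no earlier rule accepts eip-to-net traffic; the visible rule at order 200 is `leap_eip(ACCEPT)` with destination `$FW`, so the ordering works as shown, but add a comment stating the intent (force VPN clients through the local unbound) and the ordering requirement, since shorewall evaluates the rules file top to bottom. REJECT rather than DROP is the right choice here: clients get an immediate refusal and fall back to the pushed resolver instead of timing out.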
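Review bot: `rubygems::gem{'amber-0.3.0': }` in site_static pins the gem version by embedding it in the resource title, which depends on how the `rubygems::gem` define parses titles; if the define supports it, `rubygems::gem{'amber': ensure => '0.3.0'}` makes the pin explicit. Either way, record in a comment why 0.3.0 is required.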
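Review bot: in site_tor, replacing the hard-coded `my_family => '$2A4314...'` fingerprint with the generated `$family` list is the right direction, but `$family` is a comma-joined list of nicknames (from the tor.json `family` expression), and nicknames are not unique across the Tor network, so an unrelated relay with a colliding nickname could be claimed as family. Fingerprints are the unambiguous form; consider switching once the relays' identity keys are available after the first deploy.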
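Review bot: `service_levels: <%= @webapp['service_levels'].to_json %>` in config.yml.erb relies on the JSON document also being valid YAML flow syntax. That holds for the hashes in provider.json, but JSON and YAML are not exactly interchangeable, so either emit the structure with `.to_yaml` (indented, with the leading `---` stripped) or add a comment noting the assumption. `default_service_level` is quoted, so the webapp receives "1" as a string; that matches the string keys of `levels`, but make sure the Rails side compares as strings.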
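Review bot: the `/var/run/tapicero` directory created in the tapicero manifest lives on tmpfs on wheezy (/var/run is /run), so it disappears on reboot and tapicero will fail to start at boot until the next `leap deploy` recreates it. Have the init script create and chown the directory before starting the daemon (or choose a pidfile location that survives reboot); the added `require` on the Service only helps during a puppet run.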
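Review bot: `test_03_Is_shorewall_running?` in tests/white-box/network.rb checks only `/sbin/shorewall status`; this release also starts relying on shorewall6 (the initial_firewall exec now checks `/etc/init.d/shorewall6 status`), so the test should also assert on `/sbin/shorewall6 status` on nodes where the IPv6 firewall is managed. Both commands need root, and the trailing `pass` is redundant if `assert_run` raises on failure (keep it only if the custom runner needs the assertion count).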