From 1f80157878303054814dd88f35b60b4f2ba522b7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 23 Apr 2014 10:51:55 -0400 Subject: update platform version number for 0.5.1 Change-Id: I7d13d9395cd70b4de6fa7c6d5a9e5132d995ade1 --- platform.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform.rb b/platform.rb index 689c58b7..07fa80a1 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ # Leap::Platform.define do - self.version = "0.4.0" + self.version = "0.5.1" self.compatible_cli = "1.5.0".."1.99" # -- cgit v1.2.3 From 98227ad8da45544ef97cb8647c377f399672a4a0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Apr 2014 12:04:20 -0400 Subject: update indentation to be standard Change-Id: Ic0ac3a7e6c9ce0e5f95bab023dbbf890c31d9e1c --- .../site_openvpn/manifests/server_config.pp | 144 ++++++++++----------- 1 file changed, 72 insertions(+), 72 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index b1f4997c..03cf9394 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -60,12 +60,12 @@ define site_openvpn::server_config( concat { "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File['/etc/openvpn'], - notify => Exec['restart_openvpn']; + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Exec['restart_openvpn']; } if $tls_remote != undef { 
@@ -79,99 +79,99 @@ define site_openvpn::server_config( openvpn::option { "ca ${openvpn_configname}": - key => 'ca', - value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", - server => $openvpn_configname; + key => 'ca', + value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", + server => $openvpn_configname; "cert ${openvpn_configname}": - key => 'cert', - value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", + key => 'cert', + value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", server => $openvpn_configname; "key ${openvpn_configname}": - key => 'key', - value => "${x509::variables::keys}/${site_config::params::cert_name}.key", - server => $openvpn_configname; + key => 'key', + value => "${x509::variables::keys}/${site_config::params::cert_name}.key", + server => $openvpn_configname; "dh ${openvpn_configname}": - key => 'dh', - value => '/etc/openvpn/keys/dh.pem', - server => $openvpn_configname; + key => 'dh', + value => '/etc/openvpn/keys/dh.pem', + server => $openvpn_configname; "tls-cipher ${openvpn_configname}": - key => 'tls-cipher', - value => $config['tls-cipher'], - server => $openvpn_configname; + key => 'tls-cipher', + value => $config['tls-cipher'], + server => $openvpn_configname; "auth ${openvpn_configname}": - key => 'auth', - value => $config['auth'], - server => $openvpn_configname; + key => 'auth', + value => $config['auth'], + server => $openvpn_configname; "cipher ${openvpn_configname}": - key => 'cipher', - value => $config['cipher'], - server => $openvpn_configname; + key => 'cipher', + value => $config['cipher'], + server => $openvpn_configname; "dev ${openvpn_configname}": - key => 'dev', - value => 'tun', - server => $openvpn_configname; + key => 'dev', + value => 'tun', + server => $openvpn_configname; "duplicate-cn ${openvpn_configname}": - key => 'duplicate-cn', - server => $openvpn_configname; + key => 'duplicate-cn', + server => 
$openvpn_configname; "keepalive ${openvpn_configname}": - key => 'keepalive', - value => $config['keepalive'], - server => $openvpn_configname; + key => 'keepalive', + value => $config['keepalive'], + server => $openvpn_configname; "local ${openvpn_configname}": - key => 'local', - value => $local, - server => $openvpn_configname; + key => 'local', + value => $local, + server => $openvpn_configname; "mute ${openvpn_configname}": - key => 'mute', - value => '5', - server => $openvpn_configname; + key => 'mute', + value => '5', + server => $openvpn_configname; "mute-replay-warnings ${openvpn_configname}": - key => 'mute-replay-warnings', - server => $openvpn_configname; + key => 'mute-replay-warnings', + server => $openvpn_configname; "management ${openvpn_configname}": - key => 'management', - value => $management, - server => $openvpn_configname; + key => 'management', + value => $management, + server => $openvpn_configname; "proto ${openvpn_configname}": - key => 'proto', - value => $proto, - server => $openvpn_configname; + key => 'proto', + value => $proto, + server => $openvpn_configname; "push1 ${openvpn_configname}": - key => 'push', - value => $push, - server => $openvpn_configname; + key => 'push', + value => $push, + server => $openvpn_configname; "push2 ${openvpn_configname}": - key => 'push', - value => '"redirect-gateway def1"', - server => $openvpn_configname; + key => 'push', + value => '"redirect-gateway def1"', + server => $openvpn_configname; "script-security ${openvpn_configname}": - key => 'script-security', - value => '2', - server => $openvpn_configname; + key => 'script-security', + value => '2', + server => $openvpn_configname; "server ${openvpn_configname}": - key => 'server', - value => $server, - server => $openvpn_configname; + key => 'server', + value => $server, + server => $openvpn_configname; "status ${openvpn_configname}": - key => 'status', - value => '/var/run/openvpn-status 10', - server => $openvpn_configname; + key => 'status', 
+ value => '/var/run/openvpn-status 10', + server => $openvpn_configname; "status-version ${openvpn_configname}": - key => 'status-version', - value => '3', - server => $openvpn_configname; + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology ${openvpn_configname}": - key => 'topology', - value => 'subnet', - server => $openvpn_configname; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; # no need for server-up.sh right now #"up $openvpn_configname": # key => 'up', # value => '/etc/openvpn/server-up.sh', # server => $openvpn_configname; "verb ${openvpn_configname}": - key => 'verb', - value => '3', - server => $openvpn_configname; + key => 'verb', + value => '3', + server => $openvpn_configname; } } -- cgit v1.2.3 From b5245481bbc1fddfd1b8e6d97e8a07a20d35de6b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Apr 2014 12:05:11 -0400 Subject: make sure concat fragments are put together before the openvpn service is run, otherwise the openvpn service is restarted before config files are deployed (#4154) Change-Id: Ide38615714c1978bb90237986baea530c54153c3 --- puppet/modules/site_openvpn/manifests/server_config.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 03cf9394..3e0ee1a6 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -65,6 +65,7 @@ define site_openvpn::server_config( mode => 644, warn => true, require => File['/etc/openvpn'], + before => Service['openvpn'], notify => Exec['restart_openvpn']; } -- cgit v1.2.3 From 18ae83d105bfa5c173d00d2fb17b0b72d42205bc Mon Sep 17 00:00:00 2001 
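Review bot: The new `before => Service['openvpn']` line carries no explanation in the manifest, so the next reader cannot tell it exists because the service used to be started before the assembled config file existed (#4154); add `# the assembled config must exist before openvpn is first started (#4154)` above it. Together with the existing `notify => Exec['restart_openvpn']` a first deploy will start the service and then restart it once the concat changes, which is harmless but worth stating in the same comment. The `concat` resource sits inside `site_openvpn::server_config`, whose definition starts before this hunk.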
From: Micah Anderson Date: Thu, 24 Apr 2014 13:10:25 -0400 Subject: change stunnel::service to 'subscribe' instead of 'require' the X509 cert/key. This has the same effect of 'require' because both make sure that the mentioned resource(s) will be applied before this resource, but subscribe will cause this resource to refresh anytime the subscribed resources change (#4342) Change-Id: I9470bb36f135b821b67a1da70c472d7687b08718 --- puppet/modules/site_stunnel/manifests/clients.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 837665a3..b75c9ac3 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -22,7 +22,7 @@ define site_stunnel::clients ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, debuglevel => $debuglevel, - require => [ + subscribe => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; -- cgit v1.2.3 From 0a9bcf49adab7120849806e4c6408d3f2887e09a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Apr 2014 13:58:40 -0400 Subject: tor: provide a default 'nickname' (something like "rabbitLKJYW23695JGLKJ" where rabbit is the node name). Stop shipping a static 'family' and instead provide a comma separated list of node tor nicknames. (#5220) Change-Id: I479f460ab230ad440f72c78dc6362983387ce12a --- provider_base/services/tor.json | 4 +++- puppet/modules/site_tor/manifests/init.pp | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index ae4da46d..7d9c6d34 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json 
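Review bot: `subscribe` only delivers a refresh to the resources inside `stunnel::service` that react to one; if that define does not forward the refresh to a service or exec that restarts stunnel, a rotated key or certificate is written to disk but the running tunnel keeps using the old one, which is exactly the case #4342 is meant to fix. Confirm that `stunnel::service` contains such a resource (it is not visible here) and document the expectation with `# restart the tunnel whenever the x509 key/cert/ca changes (#4342)` above the `subscribe`. The `site_stunnel::clients` define starts before this hunk.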
@@ -1,6 +1,8 @@ { "tor": { "bandwidth_rate": 6550, - "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten" + "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten", + "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]", + "family": "= nodes[:service => 'tor'].field('tor.nickname').join(',')" } } diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 02368a0e..e62cb12d 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -7,6 +7,7 @@ class site_tor { $tor_type = $tor['type'] $nickname = $tor['nickname'] $contact_emails = join($tor['contacts'],', ') + $family = $tor['family'] $address = hiera('ip_address') @@ -16,7 +17,7 @@ class site_tor { address => $address, contact_info => obfuscate_email($contact_emails), bandwidth_rate => $bandwidth_rate, - my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', + my_family => $family } if ( $tor_type == 'exit'){ -- cgit v1.2.3 From 1a26bc28e2db27fdd73db7e05f3efc4f6019d970 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Apr 2014 14:37:50 -0400 Subject: create a /var/run/tapicero directory, owned by tapicero:tacpiero to hold the pid file (#5577) Change-Id: I2144e3d8c0ee18254fe3822098c87b2a8c57c2ce --- puppet/modules/tapicero/manifests/init.pp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index 743e8a84..cac74597 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp @@ -56,6 +56,13 @@ class tapicero { group => 'tapicero', require => User['tapicero']; + # for pid file + '/var/run/tapicero': + ensure => directory, + owner => 'tapicero', + group => 'tapicero', + require => User['tapicero'] + ## ## TAPICERO CONFIG ## 
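Review bot: `.sub('_','')` removes only the first underscore from the node name and nothing strips `-` or other non-alphanumerics, so a node named `foo-bar` or `a_b_c` produces a nickname Tor rejects (nicknames must be 1–19 characters from `[a-zA-Z0-9]`); use `.gsub(/[^a-zA-Z0-9]/, '')[0..18]` instead. The new `family` value is a list of nicknames, whereas the `my_family` value it replaces in `site_tor` was a `$fingerprint`: nicknames are neither unique nor verified, so any relay can claim membership of the family by picking the same nickname, and the Tor manual recommends fingerprints for MyFamily — at minimum record this limitation in a comment next to `"family"`. Note also that appending `secret(:tor_family)` to a nickname publishes that value in the Tor consensus, so it must not be reused as a secret anywhere else.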
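Review bot: `/var/run/tapicero` is created only by Puppet, but on Debian `/var/run` is a tmpfs cleared at boot, so after a reboot the directory is gone until the next `leap deploy` and tapicero cannot write its pid file; the init script this class manages (`/etc/init.d/tapicero`, outside this hunk) should recreate it before starting, e.g. `install -d -o tapicero -g tapicero /var/run/tapicero`. No `mode` is given, so the directory gets whatever the umask yields; `mode => '0755'` would make the intended permissions explicit, and a comment saying why the directory is pre-created (#5577) belongs above the resource.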
@@ -117,7 +124,7 @@ class tapicero { enable => true, hasstatus => true, hasrestart => true, - require => File['/etc/init.d/tapicero']; + require => [ File['/etc/init.d/tapicero'], File['/var/run/tapicero'] ]; } } -- cgit v1.2.3 From 640c63ef377abe7a4461ab417c27057313613830 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Apr 2014 14:55:46 -0400 Subject: initial firewall: allow port 22 by default. This is the most common port that sshd will be listening to in a default setup. This needs to be allowed so that you can have a different port configured in the hiera and not get locked out during deployment (#5119) Change-Id: Ie101eaaf440415ddb276621c369da7f67f409c2b --- puppet/modules/site_config/templates/ipv4firewall_up.rules.erb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb index 524ae308..928a2b31 100644 --- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb +++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb @@ -5,6 +5,7 @@ :OUTPUT DROP [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT -A INPUT -p udp -m udp --sport 53 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
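Review bot: The added `--dport 22` accept is unconditional, so on a provider that configures a non-default `ssh_port` the bootstrap ruleset exposes two ports instead of one, and it stays that way until shorewall replaces these rules; that trade-off (not getting locked out during the first deploy, #5119) should be written into the template, e.g. `# port 22 is always allowed so a changed ssh_port cannot lock us out before sshd is reconfigured (#5119)`. When `ssh_port` is 22 the two lines are duplicates, which iptables accepts but which a `<% if @ssh_port.to_s != '22' %>` guard around the new line would avoid.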
@@ -13,6 +14,7 @@ -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT -- cgit v1.2.3 From b9369292cb19f97aafaaaac9f89bf2374487936b Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 18 Apr 2014 12:59:59 +0200 Subject: bring service_levels into webapp config - #5527 including the default_service_level --- provider_base/services/webapp.json | 2 ++ puppet/modules/site_webapp/templates/config.yml.erb | 2 ++ 2 files changed, 4 insertions(+) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 29c0cbf9..6b746fe4 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -12,6 +12,8 @@ "allow_limited_certs": "= provider.service.allow_limited_bandwidth", "allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth", "allow_anonymous_certs": "= provider.service.allow_anonymous", + "default_service_level": "= provider.service.default_service_level", + "service_levels": "= provider.service.levels", "secret_token": "= secret :webapp_secret_token", "api_version": 1, "secure": false, diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 98f8564e..aa8ac6ab 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb 
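Review bot: `-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT` accepts *new* outbound connections whose source port happens to be 22, so a local process that binds source port 22 (root, or a compromised sshd) can open connections to the internet through an OUTPUT chain whose policy is DROP; replies to inbound ssh are already matched by `ESTABLISHED`, so the rule only needs `--state ESTABLISHED`. No OUTPUT-wide `RELATED,ESTABLISHED` accept is visible in the hunk, so the source-port rules are needed, but both this one and the `--sport <%= @ssh_port %>` line it mirrors should read `-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT`.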
@@ -15,3 +15,5 @@ production: limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" minimum_client_version: "<%= @webapp['client_version']['min'] %>" + default_service_level: "<%= @webapp['default_service_level'] %>" + service_levels: "<%= @webapp['service_levels'].inspect %>" -- cgit v1.2.3 From de4b44f723f71aac8cab1b7480c79de0b6c24bcf Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 29 Apr 2014 14:27:27 +0200 Subject: require json so we can use it to dumpt the service levels --- puppet/modules/site_webapp/templates/config.yml.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index aa8ac6ab..6461c5e8 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,3 +1,4 @@ +<%- require 'json' -%> <%- cert_options = @webapp['client_certificates'] -%> production: admins: <%= @webapp['admins'].inspect %> @@ -16,4 +17,4 @@ production: unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" minimum_client_version: "<%= @webapp['client_version']['min'] %>" default_service_level: "<%= @webapp['default_service_level'] %>" - service_levels: "<%= @webapp['service_levels'].inspect %>" + service_levels: <%= @webapp['service_levels'].to_json %> -- cgit v1.2.3 From 9574bf2b8a87d32f799c80bf37818d62be6b7c15 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Apr 2014 15:08:32 -0400 Subject: nagios: make the check_procs tests for leap_mx and soledad be much more specific, to avoid catching unrelated processes (#5327) Change-Id: I63ffcd644a85137708712daac671b92898c70b7e --- puppet/modules/site_check_mk/manifests/agent/mx.pp | 2 +- puppet/modules/site_check_mk/manifests/agent/soledad.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
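Review bot: `service_levels: <%= @webapp['service_levels'].to_json %>` relies on JSON being loadable as a YAML flow mapping, which holds for what Ruby's generator emits, but it is the only key in this template rendered with `to_json` while `admins` above uses `.inspect`; a one-line comment, `# JSON is valid YAML flow syntax, so to_json keeps the nested service level hashes loadable`, would explain the choice to the next editor. If `service_levels` is unset, `nil.to_json` renders `null`, which YAML reads as nil — acceptable, but worth stating in the same comment so nobody "fixes" it by quoting the value again.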
diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp index 35a4e9a5..1e370125 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mx.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp @@ -8,7 +8,7 @@ class site_check_mk::agent::mx { # local nagios plugin checks via mrpe file_line { 'Leap_MX_Procs': - line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a leap_mx', + line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap_mx.log\'', path => '/etc/check_mk/mrpe.cfg'; } diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp index cbae81fe..512d1a3d 100644 --- a/puppet/modules/site_check_mk/manifests/agent/soledad.pp +++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp @@ -7,7 +7,7 @@ class site_check_mk::agent::soledad { # local nagios plugin checks via mrpe file_line { 'Soledad_Procs': - line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a soledad', + line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/soledad.pid --logfile=/var/log/soledad.log web --wsgi=leap.soledad.server.application\'', path => '/etc/check_mk/mrpe.cfg'; } -- cgit v1.2.3 From e3e44973d6290a0228375135adf88d3271fc4242 Mon Sep 17 00:00:00 2001 
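Review bot: Matching the entire command line with `-a '/usr/bin/python /usr/bin/twistd --pidfile=... --python=/usr/share/app/leap_mx.tac --logfile=...'` is specific, but `check_procs -a` performs a substring match on the argument string, so any change to the init script (argument order, the `--rundir` trailing slash, the python path) makes the check report zero processes while the daemon is running. Matching on the one argument that is unique to each daemon — `-a '--python=/usr/share/app/leap_mx.tac'` here and `-a '--wsgi=leap.soledad.server.application'` in soledad.pp — is equally precise and far less brittle. Whichever form is kept, add a comment naming the init script the string must stay in sync with.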
From: Micah Anderson Date: Tue, 29 Apr 2014 14:39:15 -0400 Subject: block DNS traffic at the OpenVPN gateway (#4164) There are many different edge cases where mac and windows clients (and maybe android too) will revert to using a different DNS server than the one specified by openvpn. This is bad news for security reasons. The client is being designed so it doesn't leak DNS, however we don't want to put all of our eggs in one basket, so this will block outgoing port 53 (udp and tcp) on the gateway's firewall from any of the EIP interfaces (thus not blocking DNS access on the gateway itself). Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177 --- puppet/modules/site_shorewall/manifests/eip.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 7109b770..13f831b6 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -68,6 +68,22 @@ class site_shorewall::eip { destination => '$FW', action => 'leap_eip(ACCEPT)', order => 200; + + 'block_eip_dns_udp': + action => 'REJECT', + source => 'eip', + destination => 'net', + protocol => 'udp', + destinationport => 'domain', + order => 300; + + 'block_eip_dns_tcp': + action => 'REJECT', + source => 'eip', + destination => 'net', + protocol => 'tcp', + destinationport => 'domain', + order => 301; } # create dnat rule for each port -- cgit v1.2.3 From da775cb3379384c675887076a608566a5053efad Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Apr 2014 17:49:32 -0400 Subject: fix missing semicolon, causing syntax error Change-Id: Ic7d0f8cc8c0340fdc24cf5ffa4c7018ebac76c7f --- puppet/modules/tapicero/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index cac74597..af1a96ac 100644 --- a/puppet/modules/tapicero/manifests/init.pp 
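Review bot: Shorewall evaluates rules in `order`, so the two REJECT rules at 300/301 only take effect if no `eip`→`net` ACCEPT sorts before them; the hunk shows only `eip`→`$FW` rules at order 200, and if the rest of `site_shorewall::eip` (outside this hunk) allows general eip→net traffic at a lower order, the DNS block is dead and clients still leak. Give the block rules an order below any eip→net accept and add a comment stating the intent: `# clients must use the DNS pushed by openvpn; reject port 53 to the internet so a misconfigured resolver fails fast (#4164)`. REJECT rather than DROP is the right choice here, since a leaking client fails immediately instead of waiting for a timeout.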
+++ b/puppet/modules/tapicero/manifests/init.pp @@ -61,7 +61,7 @@ class tapicero { ensure => directory, owner => 'tapicero', group => 'tapicero', - require => User['tapicero'] + require => User['tapicero']; ## ## TAPICERO CONFIG -- cgit v1.2.3 From c334061df623e3806c544598195eb93a805a91ce Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 2 May 2014 16:24:00 -0400 Subject: fix incorrect shorewall parameter name 'protocol', should be 'proto' Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 13f831b6..8fbba658 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -73,7 +73,7 @@ class site_shorewall::eip { action => 'REJECT', source => 'eip', destination => 'net', - protocol => 'udp', + proto => 'udp', destinationport => 'domain', order => 300; @@ -81,7 +81,7 @@ class site_shorewall::eip { action => 'REJECT', source => 'eip', destination => 'net', - protocol => 'tcp', + proto => 'tcp', destinationport => 'domain', order => 301; } -- cgit v1.2.3 From f63f302980d638633f0bdb1146f9d8a75e9eaed2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 6 May 2014 16:32:28 -0400 Subject: install openvpn from wheezy-backports, this will bring in openvpn 2.3, which will provide us with proper ipv6 support Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07 --- puppet/modules/site_apt/manifests/preferences/openvpn.pp | 9 +++++++++ puppet/modules/site_openvpn/manifests/init.pp | 7 ++++++- 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_apt/manifests/preferences/openvpn.pp diff --git a/puppet/modules/site_apt/manifests/preferences/openvpn.pp b/puppet/modules/site_apt/manifests/preferences/openvpn.pp new file mode 100644 index 00000000..c7ddae25 
--- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/openvpn.pp @@ -0,0 +1,9 @@ +class site_apt::preferences::openvpn { + + apt::preferences_snippet { 'openvpn': + package => 'openvpn', + release => "${::lsbdistcodename}-backports", + priority => 999; + } + +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 7aec0faa..5f49450d 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -168,9 +168,14 @@ class site_openvpn { include site_shorewall::eip + # In wheezy, we need the openvpn backport to get the 2.3 version of + # openvpn which has proper ipv6 support + include site_apt::preferences::openvpn + package { 'openvpn': - ensure => installed; + ensure => installed, + require => Class['site_apt::preferences::openvpn']; } service { -- cgit v1.2.3 From 0265eb952691ee91405201836e19384ac2087507 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 6 May 2014 16:33:02 -0400 Subject: set the ipv6 configuration options on the server some important things to note: We are hard-coding the pushing of the ipv6 route '2000::/3' and configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a reserved ipv6 prefix that is used for documentation purposes only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html), and the route being pushed redirects all internet-bound traffic. When LEAP fully supports ipv6, these network values should be turned into variables, but for now, to make sure we are blocking any clients that have functional ipv6, this will work. Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5 --- puppet/modules/site_openvpn/manifests/server_config.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 3e0ee1a6..cbc5f68e 100644 
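Review bot: `require => Class['site_apt::preferences::openvpn']` only orders the preferences file before the package; it does not guarantee that apt's cache is refreshed in between, so on a first run apt may still see only the wheezy package and install 2.2 — verify that the preferences snippet notifies the exec that runs `apt-get update` (outside this hunk), or add that exec to the `require`. Pinning `Package: openvpn` alone at priority 999 does not pin the libraries the backported openvpn depends on, which is fine while wheezy satisfies them but should be noted in the snippet: `# only openvpn itself is pinned to backports; its dependencies must be resolvable from the main release`. The comment above `include` explains the why well; a matching one in the new class would help readers who land there first.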
--- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -111,6 +111,9 @@ define site_openvpn::server_config( key => 'dev', value => 'tun', server => $openvpn_configname; + "tun-ipv6 ${openvpn_configname}": + key => 'tun-ipv6', + server => $openvpn_configname; "duplicate-cn ${openvpn_configname}": key => 'duplicate-cn', server => $openvpn_configname; @@ -145,6 +148,10 @@ define site_openvpn::server_config( key => 'push', value => '"redirect-gateway def1"', server => $openvpn_configname; + "push-ipv6 ${openvpn_configname}": + key => 'push', + value => '"route-ipv6 2000::/3"', + server => $openvpn_configname; "script-security ${openvpn_configname}": key => 'script-security', value => '2', @@ -153,6 +160,10 @@ define site_openvpn::server_config( key => 'server', value => $server, server => $openvpn_configname; + "server-ipv6 ${openvpn_configname}": + key => 'server-ipv6', + value => '2001:db8:123::/64', + server => $openvpn_configname; "status ${openvpn_configname}": key => 'status', value => '/var/run/openvpn-status 10', -- cgit v1.2.3 From 0eff66a4bcf68b51c57493c0a80e0f3813476733 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 6 May 2014 16:37:01 -0400 Subject: Change the initial firewall to subscribe to the rule file to be able to trigger changes, make the default ipv6 firewall subscribe to shorewall6, if it exists, and finally reject all outgoing IPv6 packets. All of this will complete the platform-side of route IPv6 through OpenVPN gateway, and block it. (Feature #4163) Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810 --- puppet/modules/site_config/manifests/initial_firewall.pp | 4 +++- puppet/modules/site_config/templates/ipv6firewall_up.rules.erb | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index 51cceb31..93cfb847 100644 
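Review bot: The reasoning behind `server-ipv6 2001:db8:123::/64` and `push "route-ipv6 2000::/3"` lives only in the commit message, so put it in the manifest, e.g. `# 2001:db8::/32 is the documentation prefix and 2000::/3 is all global unicast: IPv6 is pulled into the tunnel only to be dropped until the platform supports it (#4163)`. The blackholing itself depends on the gateway not forwarding v6 out of the tun interface, which this hunk does not establish; make sure the host's IPv6 forwarding sysctl and the shorewall6 policy, where present, deny `eip`→`net`. Clients running OpenVPN older than 2.3 may not understand the pushed `route-ipv6`, which is worth checking against the supported client versions. `site_openvpn::server_config` starts before this hunk.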
--- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -51,12 +51,14 @@ class site_config::initial_firewall { command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', + subscribe => File['/etc/network/ipv4firewall_up.rules'], require => File['/etc/network/ipv4firewall_up.rules']; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, - unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', + unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status', + subscribe => File['/etc/network/ipv6firewall_up.rules'], require => File['/etc/network/ipv6firewall_up.rules']; } } diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb index e7fae52e..e2c92524 100644 --- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb +++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb @@ -3,5 +3,6 @@ :INPUT DROP [24:1980] :FORWARD DROP [0:0] :OUTPUT DROP [14:8030] +-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable COMMIT # Completed on Tue Aug 20 12:19:43 2013 -- cgit v1.2.3 From 87129e91899c64c8374ae139d6e1bdcd5af6a407 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 6 May 2014 18:11:03 -0400 Subject: add the tun-ipv6 configuration to the eip-service (#4163) Change-Id: I4781f0c3e1c74f5a45217a4d631603fa1a622fd6 --- provider_base/services/openvpn.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 04e19aa2..090afcd6 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json 
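Review bot: `subscribe` adds nothing here without `refreshonly => true`: the exec already runs on every Puppet run in which its `unless` command fails, and a refresh is skipped under the same `unless`, so rule-file changes apply only while shorewall/shorewall6 is not running — the intended bootstrap-only scope, but it should be said in a comment, e.g. `# bootstrap rules only: once shorewall(6) is running it owns the ruleset and these execs never fire`. The two execs now check different services, so a host with `shorewall` but no `shorewall6` re-applies the ipv6 rules on every run; that is probably intended but deserves the same comment.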
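Review bot: `-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable` is appended with no `-o lo` accept visible before it (unlike the ipv4 file), so it also rejects traffic to `::1` and link-local neighbor discovery; any local service reached via `localhost` resolving to `::1` will get connection refused while this ruleset is active. Add `-A OUTPUT -o lo -j ACCEPT` ahead of the REJECT unless loopback v6 is deliberately cut off, and record the decision in a comment. With the OUTPUT policy already DROP, the rule's net effect is fail-fast instead of silent drop, which is a reasonable choice for the stated goal (#4163).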
@@ -23,7 +23,8 @@ "tls-cipher": "DHE-RSA-AES128-SHA", "auth": "SHA1", "cipher": "AES-128-CBC", - "keepalive": "10 30" + "keepalive": "10 30", + "tun-ipv6": true } } } -- cgit v1.2.3 From ae50675e9095750cee9810237fb6b9f60030dae4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 6 May 2014 18:11:31 -0400 Subject: update cipher configuration for openvpn to use the IANA name, due to deprecation warning: 2014-05-06 18:10:23,594 - INFO - L#826 : leap.openvpn:outReceived() - Tue May 6 18:10:23 2014 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA' Change-Id: I159b26604993d38806fcb7c2ed8f6de8138999f7 --- provider_base/services/openvpn.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 090afcd6..3776aedb 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -20,7 +20,7 @@ "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix", "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil", "configuration": { - "tls-cipher": "DHE-RSA-AES128-SHA", + "tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA", "auth": "SHA1", "cipher": "AES-128-CBC", "keepalive": "10 30", -- cgit v1.2.3 From a980840e5752296c772ec079bbfc0ecb2c3d331f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 7 May 2014 13:32:00 -0400 Subject: openvpn package resource needs to be ensure => latest to accommodate upgrades Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14 --- puppet/modules/site_openvpn/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 5f49450d..b6331f12 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
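Review bot: `TLS-DHE-RSA-WITH-AES-128-CBC-SHA` silences the OpenVPN 2.3 warning, but this `configuration` block is presumably what ends up in the eip-service handed to clients (the previous commit calls it that), and OpenVPN 2.2 only accepts OpenSSL-style names, so an older client that applies `tls-cipher` from this list fails its TLS handshake outright rather than negotiating something else. Confirm the minimum supported client ships OpenVPN 2.3 before releasing this, and add a note beside the value: `"tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA", // IANA name, requires openvpn >= 2.3 on both ends` (or the equivalent in whatever comment form this JSON dialect allows).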
@@ -174,7 +174,7 @@ class site_openvpn { package { 'openvpn': - ensure => installed, + ensure => latest, require => Class['site_apt::preferences::openvpn']; } -- cgit v1.2.3 From 071547967cc00acf18bf68b78e350131017852b9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 8 May 2014 14:35:20 -0400 Subject: add known issues, making this the canonical place, which we will bring over to the website, when necessary (#4373) Change-Id: I296dd9d3cee1b84bd141cbf63ccaecea24916cc1 --- README.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 55 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 7c253f62..297c2720 100644 --- a/README.md +++ b/README.md 
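Review bot: `ensure => latest` upgrades openvpn on any deploy in which backports carries a newer package, which typically restarts the daemon through the package scripts and drops every connected client at an unplanned moment, and it means the version in production is whatever backports held that day rather than something the provider chose. Either pin a known version, or keep `latest` and document the decision next to it: `# latest: wheezy ships 2.2, the backport is needed for ipv6 and may be upgraded (and restarted) on deploy`.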
@@ -30,18 +30,68 @@ To capture the log, you can copy from the console, or run `leap --log FILE` or e Visit https://leap.se/en/docs/get-involved/communication for details on how to contact the developers. -More Information -================ +Known issues +============ -Changelog +The following issues are known to be there in 0.5.1: + +CouchDB Sync +------------ +You can't deploy new couchdb nodes after one or more have been deployed. Make *sure* that you configure and deploy all your couchdb nodes when first creating your provider. The problem is that we dont not have a clean way of adding couch nodes after initial creation of the databases, so any nodes added after result in improperly synchronized data. See Bug [#5601](https://leap.se/code/issues/5601) for more information. + +Service separation +------------------ + +. You can't deploy all services to one single node. You need at least to seperate the mx and the webapp node. The reason is because they both use haproxy to query the couch db, and haproxy still doesn't have a way to split up its config files in a .d directory (see: https://leap.se/code/issues/3839) + +User setup and ssh +------------------ + +. if you aren't using a single ssh key, but have different ones, you will need to define the following at the top of your ~/.ssh/config: + HostName + IdentityFile + + (see: https://leap.se/code/issues/2946 and https://leap.se/code/issues/3002) + +. If the ssh host key changes, you need to run node init again (see: https://leap.se/en/docs/platform/guide#Working.with.SSH) + +. At the moment, only ECDSA ssh host keys are supported. If you get the following error: `= FAILED ssh-keyscan: no hostkey alg (must be missing an ecdsa public host key)` then you should confirm that you have the following line defined in your server's **/etc/ssh/sshd_config**: `HostKey /etc/ssh/ssh_host_ecdsa_key`. If that file doesn't exist, run `ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""` in order to create it. 
If you made a change to your sshd_config, then you need to run `/etc/init.d/ssh restart` (see: https://leap.se/code/issues/2373) + +. To remove an admin's access to your servers, please remove the directory for that user under the `users/` subdirectory in your provider directory and then remove that user's ssh keys from files/ssh/authorized_keys. When finished you *must* run a `leap deploy` to update that information on the servers. + +. At the moment, it is only possible to add an admin who will have access to all LEAP servers (see: https://leap.se/code/issues/2280) + +. leap add-user --self allows only one key - if you run that command twice with different keys, you will just replace the key with the second key. To add a second key, add it manually to files/ssh/authorized_keys (see: https://leap.se/code/issues/866) + + +Deploying --------- +. If you have any errors during a run, please try to deploy again as this often solves non-deterministic issues that were not uncovered in our testing. Please re-deploy with `leap -v2 deploy` to get more verbose logs and capture the complete output to provide to us for debugging. + +. If when deploying your debian mirror fails for some reason, network anomoly or the mirror itself is out of date, then platform deployment will not succeed properly. Check the mirror is up and try to deploy again when it is resolved (see: https://leap.se/code/issues/1091) + +. Deployment gives 'error: in `%`: too few arguments (ArgumentError)' - this is because you attempted to do a deploy before initializing a node, please initialize the node first and then do a deploy afterwards (see: https://leap.se/code/issues/2550) + +. This release has no ability to custom configure apt sources or proxies (see: https://leap.se/code/issues/1971) + +. When running a deploy at a verbosity level of 2 and above, you will notice puppet deprecation warnings, these are known and we are working on fixing them + +Special Environments +-------------------- + +. 
When deploying to OpenStack release "nova" or newer, you will need to do an initial deploy, then when it has finished run `leap facts update` and then deploy again (see: https://leap.se/code/issues/3020) + + +Changelog +========= + For a changelog of the current branch: git log Authors and Credits ------------------- +=================== See contributors: @@ -49,6 +99,6 @@ See contributors: Copyright/License ------------------ +================= Read LICENSE -- cgit v1.2.3 From a3f923e66b05ffc12037b239995f463f81ea229d Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 13 May 2014 02:14:37 -0700 Subject: added simple shorewall whitebox test (close #5649) --- bin/run_tests | 10 ++++++++++ tests/white-box/network.rb | 5 +++++ 2 files changed, 15 insertions(+) diff --git a/bin/run_tests b/bin/run_tests index 9102c325..526aa83a 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -287,6 +287,16 @@ def assert_running(process) assert pgrep(process).any?, "No running process for #{process}" end +# +# runs the specified command, failing on a non-zero exit status. +# +def assert_run(command) + output = `#{command}` + if $?.exitstatus != 0 + fail "Error running `#{command}`:\n#{output}" + end +end + # # Custom test runner in order to modify the output. # diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb index 955857dc..e0b0339d 100644 --- a/tests/white-box/network.rb +++ b/tests/white-box/network.rb @@ -57,4 +57,9 @@ class Network < LeapTest end end + def test_03_Is_shorewall_running? + assert_run('/sbin/shorewall status') + pass + end + end -- cgit v1.2.3 From 3ef044034b51d992d6952a9c6b9d16cba16abc30 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 13 May 2014 02:22:05 -0700 Subject: openvpn server config: script-security should be "1", since we don't need "2"; add tcp-nodelay to tcp servers. --- puppet/modules/site_openvpn/manifests/server_config.pp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) 
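Review bot: `assert_run` interpolates `command` straight into backticks, so the string goes through a shell unquoted and only stdout is captured; a failing `shorewall status` reports on stderr, which is exactly what the `fail` message would need to show. Append ` 2>&1` after `#{command}` inside the backticks so both streams land in `output`, and extend the header comment to say that callers must pass fixed, trusted command strings because the helper does no quoting. `$?.exitstatus` is also `nil` when the child was killed by a signal, so `unless $?.success?` is the safer condition. The same remarks cover the `test_03_Is_shorewall_running?` hunk in tests/white-box/network.rb, the only visible caller.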
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index cbc5f68e..97cf2842 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -78,6 +78,15 @@ define site_openvpn::server_config( } } + # according to openvpn man page: tcp-nodelay is a "generally a good latency optimization". + if $proto == 'tcp' { + openvpn::option { + "tcp-nodelay ${openvpn_configname}": + key => 'tcp-nodelay', + server => $openvpn_configname; + } + } + openvpn::option { "ca ${openvpn_configname}": key => 'ca', @@ -154,7 +163,7 @@ define site_openvpn::server_config( server => $openvpn_configname; "script-security ${openvpn_configname}": key => 'script-security', - value => '2', + value => '1', server => $openvpn_configname; "server ${openvpn_configname}": key => 'server', @@ -176,11 +185,6 @@ define site_openvpn::server_config( key => 'topology', value => 'subnet', server => $openvpn_configname; - # no need for server-up.sh right now - #"up $openvpn_configname": - # key => 'up', - # value => '/etc/openvpn/server-up.sh', - # server => $openvpn_configname; "verb ${openvpn_configname}": key => 'verb', value => '3', -- cgit v1.2.3 From 89fac280079e4fd1eb9a4491a06a2dd549cee32b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 13 May 2014 19:04:17 -0400 Subject: Revert "update cipher configuration for openvpn to use the IANA name" This reverts commit ae50675e9095750cee9810237fb6b9f60030dae4. Older openssl implementations (wheezy, android, others) aren't able to parse this newer string, so reverting to the deprecated name until we are sure the support is there --- provider_base/services/openvpn.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 3776aedb..090afcd6 100644 --- a/provider_base/services/openvpn.json 
+++ b/provider_base/services/openvpn.json @@ -20,7 +20,7 @@ "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix", "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil", "configuration": { - "tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA", + "tls-cipher": "DHE-RSA-AES128-SHA", "auth": "SHA1", "cipher": "AES-128-CBC", "keepalive": "10 30", -- cgit v1.2.3 From f83d6e635448d5c96be18b4d926cc99ba879bd93 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 14 May 2014 10:34:45 +0200 Subject: use hash for provider service levels We want to access service levels by means of the id stored in the user record. With a hash we don't have to loop through all elements to find the one with a given id and still can use arbitrary strings and do not rely on the order of the array. Also it's the format the webapp is expecting right now. --- provider_base/provider.json | 10 +++++----- puppet/modules/site_webapp/templates/config.yml.erb | 3 +-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/provider_base/provider.json b/provider_base/provider.json index fa69318b..aa7d0513 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -15,12 +15,12 @@ "default_language": "en", "enrollment_policy": "open", "service": { - "levels": [ + "levels": { // bandwidth limit is in Bytes, storage limit is in MB. - {"id": 1, "name": "free", "storage":50}, - {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]}, - {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]} - ], + "1": {"name": "free", "storage":50}, + "2": {"name": "basic", "storage":1000, "rate": ["tba"]}, + "3": {"name": "pro", "storage":10000, "rate": ["tba"]} + }, "default_service_level": 1, "bandwidth_limit": 102400, "allow_free": "= provider.service.levels.select {|l| l['rate'].nil?}.any?", 
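Review bot: The revert restores the deprecated `DHE-RSA-AES128-SHA` name without leaving any trace in the file of why the IANA form was rejected, so the next person who sees OpenVPN's deprecation warning will reapply `TLS-DHE-RSA-WITH-AES-128-CBC-SHA` and break the older OpenSSL clients the commit message names. provider.json in this tree carries `//` comments, so if openvpn.json goes through the same loader a one-line note above the key, e.g. `// keep the legacy OpenSSL name: older clients (wheezy, android) cannot parse the IANA form`, would stop the round-trip; otherwise the reason belongs in the README's known-issues list. Pinning a single CBC/SHA1 suite is a compatibility choice that should be revisited once those clients are gone.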
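Review bot: The unchanged `allow_free` expression at the bottom of the hunk still assumes `levels` is an array: `provider.service.levels.select {|l| l['rate'].nil?}` now iterates a hash, so `l` is presumably the key string (`"1"`) rather than the level object, `l['rate']` is nil for every entry and `allow_free` becomes true regardless of rates. If the evaluator hands `select` key/value pairs as a plain Ruby Hash would, `provider.service.levels.values.any? {|l| l['rate'].nil?}` keeps the original meaning; worth confirming against how leap_cli evaluates these `=` expressions before the next release.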
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 6461c5e8..aa8ac6ab 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,4 +1,3 @@ -<%- require 'json' -%> <%- cert_options = @webapp['client_certificates'] -%> production: admins: <%= @webapp['admins'].inspect %> @@ -17,4 +16,4 @@ production: unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" minimum_client_version: "<%= @webapp['client_version']['min'] %>" default_service_level: "<%= @webapp['default_service_level'] %>" - service_levels: <%= @webapp['service_levels'].to_json %> + service_levels: "<%= @webapp['service_levels'].inspect %>" -- cgit v1.2.3 From 439b7c49d3de20f33ce0a61b42fedde3fc65f2eb Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 14 May 2014 10:49:22 +0200 Subject: revert accidental change to webapp config template --- puppet/modules/site_webapp/templates/config.yml.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index aa8ac6ab..6461c5e8 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,3 +1,4 @@ +<%- require 'json' -%> <%- cert_options = @webapp['client_certificates'] -%> production: admins: <%= @webapp['admins'].inspect %> @@ -16,4 +17,4 @@ production: unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" minimum_client_version: "<%= @webapp['client_version']['min'] %>" default_service_level: "<%= @webapp['default_service_level'] %>" - service_levels: "<%= @webapp['service_levels'].inspect %>" + service_levels: <%= @webapp['service_levels'].to_json %> -- cgit v1.2.3 From 6c6f7c5053ea83a67b4d4308aeb2fc339c7325b2 Mon Sep 17 00:00:00 2001 
From: kwadronaut Date: Mon, 12 May 2014 18:56:25 +0200 Subject: change rsyslog pin from leaps debian repo to backports (fixes #5533) --- puppet/modules/site_config/manifests/syslog.pp | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index d3abeca1..8eac4242 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -1,16 +1,7 @@ class site_config::syslog { - # we need to pull in rsyslog from the leap repository until it is availbale in - # wheezy-backports - apt::preferences_snippet { 'fixed_rsyslog_anon_package': - package => 'rsyslog*', - priority => '999', - pin => 'release o=leap.se', - before => Class['rsyslog::install'] - } - apt::preferences_snippet { 'rsyslog_anon_depends': - package => 'libestr0 librelp0', + package => 'libestr0 librelp0 rsyslog*', priority => '999', pin => 'release a=wheezy-backports', before => Class['rsyslog::install'] -- cgit v1.2.3 From 6e6b140941eb1c38f3541afbbe18d56a65baacab Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 17 May 2014 02:53:47 -0700 Subject: static: pin amber version to 0.3.0 --- puppet/modules/site_static/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 91a4a7a9..4f6d895f 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -6,7 +6,7 @@ class site_static { if (member($formats, 'amber')) { include site_config::ruby::dev - rubygems::gem{'amber': } + rubygems::gem{'amber-0.3.0': } } create_resources(site_static::domain, $domains) -- cgit v1.2.3 From c0e52b84f79fc0ec636daf91e1fc6b61cc49fb2d Mon Sep 17 00:00:00 2001 
From: elijah Date: Sat, 17 May 2014 18:15:57 -0700 Subject: fix bug with empty tor families
--- provider_base/services/tor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 7d9c6d34..fc365a19 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -3,6 +3,6 @@
 "bandwidth_rate": 6550,
 "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten",
 "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]",
- "family": "= nodes[:service => 'tor'].field('tor.nickname').join(',')"
+ "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')"
 }
 }
-- cgit v1.2.3 From 1ea643b6741f41bfd90969d91f384060df98c8ae Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 20 May 2014 13:56:02 -0700 Subject: changed the default service levels to be more minimal, because it is currently impossible to entirely overwrite the service.levels hash.
--- provider_base/provider.json | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/provider_base/provider.json b/provider_base/provider.json
index aa7d0513..743964ee 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -15,11 +15,17 @@ "default_language": "en", "enrollment_policy": "open", "service": { + // bandwidth limit is in Bytes, storage limit is in MB. + // for example: + // "levels": { + // "1": {"name": "free", "description":"Limited service, but without cost to you.", "storage":50}, + // "2": {"name": "basic", "description":"The standard package.", "storage":1000, "rate": {"USD":5}}, + // "3": {"name": "pro", "description":"Extra storage for power users." , "storage":10000, "rate": {"USD":10}} + // } "levels": { - // bandwidth limit is in Bytes, storage limit is in MB. - "1": {"name": "free", "storage":50}, - "2": {"name": "basic", "storage":1000, "rate": ["tba"]}, - "3": {"name": "pro", "storage":10000, "rate": ["tba"]} + "1": { + "name": "free", "description": "Please donate." + } }, "default_service_level": 1, "bandwidth_limit": 102400, -- cgit v1.2.3 From 3919bf8ebb78c07c6c3e067ab2f87f933df8c126 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 20 May 2014 13:48:23 -0700 Subject: add support for webapp on subdomain --- provider_base/files/service-definitions/provider.json.erb | 2 +- provider_base/services/webapp.json | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index 3e055e9a..be8ae484 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -14,7 +14,7 @@ hsh['api_version'] = "1" hsh['api_uri'] = ["https://", api.domain, ':', api.port].join - hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt' + hsh['ca_cert_uri'] = 'https://' + webapp.domain + '/ca.crt' hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert) hsh.dump_json diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 6b746fe4..bbb52094 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
@@ -1,6 +1,7 @@ { "webapp": { "admins": [], + "domain": "= domain.full_suffix", "modules": ["user", "billing", "help"], "couchdb_webapp_user": { "username": "= global.services[:couchdb].couch.users[:webapp].username", @@ -41,7 +42,7 @@ }, "service_type": "public_service", "api": { - "domain": "= 'api.' + domain.full_suffix", + "domain": "= 'api.' + webapp.domain", "port": 4430 }, "nickserver": { @@ -54,15 +55,15 @@ "port": 6425 }, "dns": { - "aliases": "= [domain.full_suffix, domain.full, api.domain, nickserver.domain]" + "aliases": "= [domain.full, webapp.domain, api.domain, nickserver.domain]" }, "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'", - "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", - "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_cert": "= file [:commercial_cert, webapp.domain]", + "commercial_key": "= file [:commercial_key, webapp.domain]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } } -- cgit v1.2.3 From 0755757cd57679a946631411163eb61010215cb5 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 20 May 2014 23:34:55 -0700 Subject: added support for environmentally scoped services and tags, when using latest leap_cli. --- platform.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/platform.rb b/platform.rb index 07fa80a1..d36cb3af 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ # Leap::Platform.define do - self.version = "0.5.1" + self.version = "0.5.2" self.compatible_cli = "1.5.0".."1.99" # 
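Review bot: `webapp.domain` now drives the commercial certificate lookup (`file [:commercial_cert, webapp.domain]`), the API hostname and the DNS aliases, but nothing in the file says what an operator must do when overriding it. A provider that sets it to a subdomain needs its commercial cert and key stored under that name, gets `api.<that domain>` as the API host, serves `ca.crt` from it (the provider.json.erb hunk), and loses the `domain.full_suffix` alias the previous list carried; a comment next to `"domain": "= domain.full_suffix"` spelling out those consequences would prevent a deploy with a mismatched certificate. The enclosing JSON object starts outside the hunk.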
@@ -27,12 +27,16 @@ Leap::Platform.define do
 # input config files
 :common_config => 'common.json',
 :provider_config => 'provider.json',
- :provider_env_config => 'provider.#{arg}.json',
 :secrets_config => 'secrets.json',
 :node_config => 'nodes/#{arg}.json',
 :service_config => 'services/#{arg}.json',
 :tag_config => 'tags/#{arg}.json',
+ # input config files, environmentally scoped
+ :provider_env_config => 'provider.#{arg}.json',
+ :service_env_config => 'services/#{arg[0]}.#{arg[1]}.json',
+ :tag_env_config => 'tags/#{arg[0]}.#{arg[1]}.json',
+
 # input templates
 :provider_json_template => 'files/service-definitions/provider.json.erb',
 :eip_service_json_template => 'files/service-definitions/#{arg}/eip-service.json.erb',
-- cgit v1.2.3 From ba13b08cd06010dd8cd172d0e3b5b296f9981edf Mon Sep 17 00:00:00 2001 From: Christoph Date: Tue, 20 May 2014 11:42:26 +0200 Subject: fix resolv.conf on virtualbox virtualbox sends the domain with the dhcp-answer. If the wrong domain ends up in /etc/resolv.conf bigcouch fails.
--- puppet/modules/site_config/manifests/default.pp | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 7e421a21..c7352857 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -27,6 +27,9 @@ class site_config::default {
 if $::ec2_instance_id {
 include site_config::dhclient
 }
+ if $::virtual == 'virtualbox' {
+ include site_config::dhclient
+ }
 # configure /etc/resolv.conf
 include site_config::resolvconf
-- cgit v1.2.3 From b503e655271d755baa4ac51861c25ed5a7872b14 Mon Sep 17 00:00:00 2001
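Review bot: The new `if $::virtual == 'virtualbox'` block duplicates the `include site_config::dhclient` directly above it and, like the ec2 case, leaves the reason out of the manifest (the commit message explains that VirtualBox's DHCP answer carries a domain that lands in /etc/resolv.conf and breaks bigcouch). Collapse the two into one conditional with a why-comment: `# ec2 and virtualbox hand out a DHCP domain that must not end up in /etc/resolv.conf` followed by `if $::ec2_instance_id or $::virtual == 'virtualbox' { include site_config::dhclient }`. The enclosing class site_config::default starts outside the hunk.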
From: Micah Anderson Date: Thu, 22 May 2014 12:14:28 -0400 Subject: Move rsyslog preferences snippet to site_apt::preferences::rsyslog, to group it with the other preferences snippets Change-Id: I83928c6b82cd6218a80c95475729cb57f146ff85 --- puppet/modules/site_apt/manifests/preferences/rsyslog.pp | 9 +++++++++ puppet/modules/site_config/manifests/syslog.pp | 7 +------ 2 files changed, 10 insertions(+), 6 deletions(-) create mode 100644 puppet/modules/site_apt/manifests/preferences/rsyslog.pp diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp new file mode 100644 index 00000000..132a6e24 --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp @@ -0,0 +1,9 @@ +class site_apt::preferences::rsyslog { + + apt::preferences_snippet { 'rsyslog_anon_depends': + package => 'libestr0 librelp0 rsyslog*', + priority => '999', + pin => 'release a=wheezy-backports', + before => Class['rsyslog::install'] + } +} diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 8eac4242..26c65f02 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -1,11 +1,6 @@ class site_config::syslog { - apt::preferences_snippet { 'rsyslog_anon_depends': - package => 'libestr0 librelp0 rsyslog*', - priority => '999', - pin => 'release a=wheezy-backports', - before => Class['rsyslog::install'] - } + include site_apt::preferences::rsyslog class { 'rsyslog::client': log_remote => false, -- cgit v1.2.3 From 5c973c39473c29fe3231a46b58c485c899fb3022 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 22 May 2014 12:19:04 -0400 Subject: Install wheezy-backports version of unbound, this is necessary to solve #2328 Change-Id: Ie28de8d3f7a8c8cf52ce30365379a476d48dc88b --- puppet/modules/site_apt/manifests/preferences/unbound.pp | 10 ++++++++++ puppet/modules/site_config/manifests/caching_resolver.pp | 2 ++ 2 files changed, 12 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/preferences/unbound.pp diff --git a/puppet/modules/site_apt/manifests/preferences/unbound.pp b/puppet/modules/site_apt/manifests/preferences/unbound.pp new file mode 100644 index 00000000..6232fa10 --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/unbound.pp @@ -0,0 +1,10 @@ +class site_apt::preferences::unbound { + + apt::preferences_snippet { 'unbound': + package => 'libunbound unbound*', + release => "${::lsbdistcodename}-backports", + priority => 999, + before => Class['unbound::package']; + } + +} diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 3d7b9206..590551b0 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -10,6 +10,8 @@ class site_config::caching_resolver { # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the # configuration file + include site_apt::preferences::unbound + file { '/etc/unbound/conf.d': ensure => directory, -- cgit v1.2.3 From 4c4f8fd55a3d4a9e08ebaf8881b04ada931db007 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 22 May 2014 12:20:42 -0400 Subject: lint cleanup of site_config::caching_resolver Change-Id: I3f6a4db26e064a520a08822cf23fc3288b31af62 --- puppet/modules/site_apt/manifests/preferences/unbound.pp | 2 +- puppet/modules/site_config/manifests/caching_resolver.pp | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) 
diff --git a/puppet/modules/site_apt/manifests/preferences/unbound.pp b/puppet/modules/site_apt/manifests/preferences/unbound.pp index 6232fa10..6da964f9 100644 --- a/puppet/modules/site_apt/manifests/preferences/unbound.pp +++ b/puppet/modules/site_apt/manifests/preferences/unbound.pp @@ -1,7 +1,7 @@ class site_apt::preferences::unbound { apt::preferences_snippet { 'unbound': - package => 'libunbound unbound*', + package => 'libunbound* unbound*', release => "${::lsbdistcodename}-backports", priority => 999, before => Class['unbound::package']; diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 590551b0..b37cf775 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -14,14 +14,18 @@ class site_config::caching_resolver { file { '/etc/unbound/conf.d': - ensure => directory, - owner => root, group => root, mode => '0755', + ensure => directory, + owner => root, + group => root, + mode => '0755', require => Package['unbound']; '/etc/unbound/conf.d/placeholder': ensure => present, content => '', - owner => root, group => root, mode => '0644'; + owner => root, + group => root, + mode => '0644'; } class { 'unbound': -- cgit v1.2.3 From a622e49c5df2150049afb6f6ed47177537b7e6da Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 22 May 2014 15:21:06 -0400 Subject: Implement #2328: unbound.conf: content changed on every puppetrun This is done by using the include glob capability that is in the wheezy-backports and newer unbound to include the /etc/unbound/unbound.conf.d/* config files. To do this, we need to transition from our /etc/unbound/conf.d directory structure to use the one that the debian package uses. This allows us to clean up the rather ugly way we were configuring the resolver before. Change-Id: I68347922f265bbd0ddf11d59d8574a612a7bd82c --- .../site_config/manifests/caching_resolver.pp | 20 ++++---- puppet/modules/site_openvpn/manifests/resolver.pp | 58 +++++----------------- 2 files changed, 22 insertions(+), 56 deletions(-) diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index b37cf775..1b8bd1a2 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -13,19 +13,13 @@ class site_config::caching_resolver { include site_apt::preferences::unbound file { + # cleanup from how we used to do it '/etc/unbound/conf.d': - ensure => directory, - owner => root, - group => root, - mode => '0755', - require => Package['unbound']; + force => true, + ensure => absent; '/etc/unbound/conf.d/placeholder': - ensure => present, - content => '', - owner => root, - group => root, - mode => '0644'; + ensure => absent; } class { 'unbound': @@ -45,4 +39,10 @@ class site_config::caching_resolver { } } } + + concat::fragment { 'unbound glob include': + target => $unbound::params::config, + content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n", + order => 10 + } } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c74fb509..c1367a33 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp 
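Review bot: The new include glob is `/etc/unbound/unbound.conf.d/*.conf`, but the files that site_openvpn::resolver now drops into that directory (the `@@ -3,82 +3,48 @@` hunk of resolver.pp) are named `vpn_unlimited_udp_resolver`, `vpn_limited_tcp_resolver` and so on with no `.conf` suffix, so unbound will never read them and the VPN-facing `interface:`/`access-control:` entries silently vanish from the resolver. Either give those files a `.conf` suffix or drop the suffix from the glob; the former matches the Debian layout the commit says it is adopting. With `force => true` on `/etc/unbound/conf.d` the separate `placeholder` resource is redundant and can go. The enclosing class site_config::caching_resolver starts outside the hunk.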
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -3,82 +3,48 @@ class site_openvpn::resolver { if $site_openvpn::openvpn_allow_unlimited { $ensure_unlimited = 'present' file { - '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': + '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; - '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': + '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; } } else { $ensure_unlimited = 'absent' - tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } - tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': } } if $site_openvpn::openvpn_allow_limited { $ensure_limited = 'present' file { - '/etc/unbound/conf.d/vpn_limited_udp_resolver': + '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => 
Service['unbound']; - '/etc/unbound/conf.d/vpn_limited_tcp_resolver': + '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; } } else { $ensure_limited = 'absent' - tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } - tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': } } - - # this is an unfortunate way to get around the fact that the version of - # unbound we are working with does not accept a wildcard include directive - # (/etc/unbound/conf.d/*), when it does, these line definitions should - # go away and instead the caching_resolver should be configured to - # include: /etc/unbound/conf.d/* - - file_line { - 'add_unlimited_tcp_resolver': - ensure => $ensure_unlimited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_unlimited_udp_resolver': - ensure => $ensure_unlimited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_limited_tcp_resolver': - ensure => $ensure_limited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_limited_udp_resolver': - ensure => 
$ensure_limited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - } - } -- cgit v1.2.3