From e0e3bc3478b3b7ca1afe24ff7e44dbdfa384ea44 Mon Sep 17 00:00:00 2001
From: Micah
Date: Mon, 25 Apr 2016 16:52:54 -0300
Subject: Fix shorewall not starting with systemd (#8044)
Shorewall in jessie doesn't come with a proper unit file, and as a result, it doesn't properly start with systemd. To solve this, we provide the systemd unit file that comes with stretch, add a systemd submodule that provides the exec resources needed for when systemd units or configuration files are changed
Change-Id: I861fa951835928b4741abfbf969adcee4b8f147b
---
 .gitmodules | 3 +++
 .../site_shorewall/files/Debian/shorewall.service | 23 ++++++++++++++++++++++
 .../modules/site_shorewall/manifests/defaults.pp | 16 +++++++++++++--
 puppet/modules/systemd | 1 +
 4 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 puppet/modules/site_shorewall/files/Debian/shorewall.service
 create mode 160000 puppet/modules/systemd
diff --git a/.gitmodules b/.gitmodules
index 7005b770..051117f8 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -91,3 +91,6 @@
 [submodule "puppet/modules/check_mk"]
 path = puppet/modules/check_mk
 url = https://leap.se/git/puppet_check_mk
+[submodule "puppet/modules/systemd"]
+ path = puppet/modules/systemd
+ url = https://leap.se/git/puppet_systemd
diff --git a/puppet/modules/site_shorewall/files/Debian/shorewall.service b/puppet/modules/site_shorewall/files/Debian/shorewall.service
new file mode 100644
index 00000000..ec250ef1
--- /dev/null
+++ b/puppet/modules/site_shorewall/files/Debian/shorewall.service
@@ -0,0 +1,23 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+# Copyright 2011 Jonathan Underwood
+# Copyright 2015 Tom Eastep
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop
+ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
+
+[Install]
+WantedBy=basic.target
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index 8f56ac42..ceb17868 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -47,6 +47,18 @@ class site_shorewall::defaults {
 ensure => installed
 }
+ include ::systemd
+ file { '/etc/systemd/system/shorewall.service':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/site_shorewall/Debian/shorewall.service',
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ } ~>
+ Exec['systemctl-daemon-reload']
+
 augeas {
 # stop instead of clear firewall on shutdown
 'shorewall_SAFESTOP':
@@ -54,14 +66,14 @@ class site_shorewall::defaults {
 lens => 'Shellvars.lns',
 incl => '/etc/shorewall/shorewall.conf',
 require => Package['shorewall'],
- notify => Service[shorewall];
+ notify => Service['shorewall'];
 # require that the interface exist
 'shorewall_REQUIRE_INTERFACE':
 changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes',
 lens => 'Shellvars.lns',
 incl => '/etc/shorewall/shorewall.conf',
 require => Package['shorewall'],
- notify => Service[shorewall];
+ notify => Service['shorewall'];
 # configure shorewall-init
 'shorewall-init':
 changes => 'set /files/etc/default/shorewall-init/PRODUCTS shorewall',
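Review bot: The `[Unit]` section of the new shorewall.service starts the firewall only once the network is up (`Wants=network-online.target`, `After=network-online.target`), so between interface bring-up and `ExecStart` the host has no Shorewall ruleset, and nothing in the unit closes that window. The context lines in defaults.pp mention a `shorewall-init` setting, which is presumably what covers early boot, but that dependency is not stated anywhere in this file. A header comment would record it, for example `# Rules load after network-online.target; early-boot filtering relies on shorewall-init being enabled.` It would also help to note in the manifest that this is a local copy of the stretch unit, so it can be dropped once the packaged unit is available.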
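Review bot: In the first defaults.pp hunk the new `file { '/etc/systemd/system/shorewall.service': }` resource signals both `Service['shorewall']` (via `notify`) and `Exec['systemctl-daemon-reload']` (via `~>`), but nothing orders the Exec before the Service. Puppet may therefore refresh the service before systemd has re-read the unit, and the firewall would then be (re)started from the stale or generated unit on that run. An explicit ordering fixes this, for example `Exec['systemctl-daemon-reload'] -> Service['shorewall']` after the chain, unless the systemd module already declares it (not visible here). The resource and `include ::systemd` are also unconditional, while the commit message speaks only of jessie; whether this class is applied to non-systemd hosts cannot be told from the hunk. The class body starts and ends outside the hunk.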
diff --git a/puppet/modules/systemd b/puppet/modules/systemd
new file mode 160000
index 00000000..6d47fd49
--- /dev/null
+++ b/puppet/modules/systemd
@@ -0,0 +1 @@
+Subproject commit 6d47fd4999fe03eba6fb11c4490dcbb90d937900
-- cgit v1.2.3