I am quite new to Puppet and I am having some problems with the Puppet config for one of our hosts running Puppet Agent. We are using Ubuntu 20.04 and Puppet CE 7.12.1 on all systems.

On our Puppet Server (hostname: puppet), I am trying to write the Puppet config for our host eb-web (which is running a Puppet Agent). I would like to configure UFW (Uncomplicated Firewall) (https://help.ubuntu.com/community/UFW) on eb-web using the Puppet module kogitoapp/ufw version 1.0.3 (https://forge.puppet.com/modules/kogitoapp/ufw) to allow through HTTP traffic.
Our Puppet Server is configured to use Hiera to hold our facts. So far I have created the following configuration files:
File: /etc/puppetlabs/code/environments/production/hiera.yaml

    version: 5
    defaults:
      # The default value for "datadir" is "data" under the same directory as the hiera.yaml
      # file (this file)
    hierarchy:
      - name: "Per-node data (yaml version)"
        path: "nodes/%{::trusted.certname}.yaml"
      - name: "Per-role data"
        path: "roles/%{::role}"
      - name: "Other YAML hierarchy levels"
        paths:
          - "common.yaml"
File: /etc/puppetlabs/code/environments/production/data/common.yaml

    # empty at the moment
File: /etc/puppetlabs/code/environments/production/manifests/site.pp

    node default {
      hiera_include('roles')
    }
File: /etc/puppetlabs/code/environments/production/data/nodes/eb-web.evolvedbinary.com.yaml

    roles:
      - roles::www
    ufw::ufw_rule:
      name: 'Allow HTTP'
      action: allow
      to_ports_app: 80
      proto: tcp
File: /etc/puppetlabs/code/environments/production/modules/roles/manifests/www.pp

    class roles::www {
      include profiles::ufw
      # include profiles::nginx
    }
File: /etc/puppetlabs/code/environments/production/modules/profiles/manifests/ufw.pp

    class profiles::ufw {
      class{ '::ufw': }
    }
I have also installed the ufw module on the Puppet Server by running:

    sudo /opt/puppetlabs/bin/puppet module install kogitoapp-ufw --version 1.0.3
If I now switch to the eb-web host and try and ask the Puppet Agent to apply the config from the Puppet Server by running:

    sudo /opt/puppetlabs/bin/puppet agent --no-daemonize --test

then I see the following output, which I think is showing that everything was applied:
    ubuntu@eb-web:~$ sudo /opt/puppetlabs/bin/puppet agent --no-daemonize --test
    Info: Using environment 'production'
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Loading facts
    Info: Caching catalog for eb-web.evolvedbinary.com
    Info: Applying configuration version '1639003464'
    Notice: Applied catalog in 0.60 seconds
    ubuntu@eb-web:~$
After this, if I check sudo ufw status, it seems to indicate that port 80 for HTTP has NOT been configured by Puppet:

    Status: active

    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere
    22 (v6)                    ALLOW       Anywhere (v6)
Update (20-Dec-2021)

After trying a solution to this issue, I got this working; however, I made a mistake and added the rules into the ufw.pp file, which was not the way I wanted to do this. After taking the rules out of the ufw.pp file and just having them in the eb-web.evolvedbinary.com.yaml file, the ufw port 80 is now being rejected. I have tried using status: enable and status: allow, I have also tried ensure: present, along with trying other combinations that I cannot remember 100%, all within the eb-web.evolvedbinary.com.yaml file. The ufw.pp file currently looks like:
    class profiles::ufw {
      class{ 'ufw':
      }
    }
And the eb-web.evolvedbinary.com.yaml file looks like:

    ---
    roles:
      - roles::www
    ufw::rule:
      'Allow HTTP':
        action: allow
        to_ports_app: 80
        proto: tcp
    include nginx:
    nginx::nginx_server:
      'www.evolvedbinary.com':
        ssl: true
        www_root: '/var/www/www.evolvedbinary.com'
I am not seeing any errors when I run sudo /opt/puppetlabs/bin/puppet agent --no-daemonize --test on the eb-web host (puppet agent); however, when I run sudo ufw status I see:
    Status: active

    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere                   # allow_puppet
    80                         REJECT      Anywhere                   # Allow HTTP
    22 (v6)                    ALLOW       Anywhere (v6)              # allow_puppet
    80 (v6)                    REJECT      Anywhere (v6)              # Allow HTTP
I am not sure how I can enable port 80 using hiera within the eb-web.evolvedbinary.com.yaml file.

Can someone help me figure out how to configure UFW using Puppet please?
3 Answers
After some time spent trying to work this out and going back and forth with why this was not working, I finally realised my mistake in the eb-web.evolvedbinary.com.yaml. I needed to add include ufw and also change ufw::rule to ufw::rules. After these changes were done, port 80 is now working. The eb-web.evolvedbinary.com.yaml file now looks like:


The first thing would be to look at the examples on the Puppet forge https://forge.puppet.com/modules/kogitoapp/ufw#basic and I'd probably put hiera to one side for the time being to make debugging easier.

Try putting this in /etc/puppetlabs/code/environments/production/modules/profiles/manifests/ufw.pp


This Hiera data …

… appears to be an attempt to declare an instance of the module's ufw_rule resource type within your hiera data. You cannot declare resources that way (and that resource type is a plugin type whose name is ufw_rule, not ufw::ufw_rule). Resource declarations go in your manifests. For example, you might put this in profiles/manifests/ufw.pp:

Hiera's most prominent use is in providing data for class (but not resource) parameters, and some classes use this to support indirect resource declaration. You generally put data representing one or more resources into a class parameter, and then declaring that class results in it declaring the resources so described. The ufw class you are using provides this option via its parameter rules (note spelling), which expects data in the form of a hash of hashes with resource name keys at the outer level and resource name / value mappings for ufw_rule resources at the inner level. If you want to make use of that, then the data would be structured like this:

Of course, you can also assign parameter values directly in your class declarations, as your other answer demonstrates, but this requires using resource-like class declarations. Resource-like class declarations should be avoided wherever possible. Prefer include, require, or contain for declaring classes.
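To make the hash-of-hashes shape described in the last answer concrete (and the ufw::rule to ufw::rules rename from the asker's own answer), here is an added example of the per-node Hiera file. It is not a file from the question or from any of the answers, and it is not the kogitoapp/ufw module's own documentation. The file path, certname, role and the 'Allow HTTP' rule attributes are taken from the question; the allow_puppet rule is an assumption, added only because the ufw status output in the question shows a rule with that comment on port 22.

```yaml
---
# /etc/puppetlabs/code/environments/production/data/nodes/eb-web.evolvedbinary.com.yaml
# Added example for illustration; not the original poster's file.
# Path, certname, role and the 'Allow HTTP' rule come from the question;
# the allow_puppet rule is an assumption (it mirrors the "# allow_puppet"
# comment seen in the question's `ufw status` output).

# Read by hiera_include('roles') in site.pp (unchanged from the question).
roles:
  - roles::www

# Data for the `rules` parameter of class ufw. The key has to be the
# fully qualified class parameter name, ufw::rules. Keys such as
# ufw::rule or ufw::ufw_rule match no class parameter, so Hiera never
# hands them to anything and the agent run reports no error.
#
# Outer keys are ufw_rule resource titles; inner keys are ufw_rule
# attributes. Automatic parameter lookup binds this hash when the class
# is declared with `include ufw`, and the class declares one ufw_rule
# per entry.
ufw::rules:
  # Assumption: keep the management/SSH port allowed before anything
  # else, so enabling the firewall cannot cut the agent host off.
  'allow_puppet':
    action: allow
    to_ports_app: 22
    proto: tcp
  # From the question: allow inbound HTTP.
  'Allow HTTP':
    action: allow
    to_ports_app: 80
    proto: tcp
```

With this data in place, profiles::ufw needs nothing more than `include ufw` (the include the asker's own answer mentions); a resource-like `class { 'ufw': }` declaration is not required for the lookup to happen. Before running the agent, it is worth confirming on the Puppet Server that the key actually resolves for this node with `sudo /opt/puppetlabs/bin/puppet lookup ufw::rules --node eb-web.evolvedbinary.com --environment production`: an empty result means the certname or the hierarchy path is not matching, which is a different problem from a misspelled key.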