
I am quite new to Puppet and I am having some problems with the Puppet Config for one of our hosts running Puppet Agent.
We are using Ubuntu 20.04 and Puppet CE 7.12.1 on all systems.

On our Puppet Server (Hostname: puppet), I am trying to write the Puppet config for our host eb-web (which is running a Puppet Agent).
I would like to configure UFW (Uncomplicated Firewall) (https://help.ubuntu.com/community/UFW) on eb-web using the Puppet Module kogitoapp/ufw version 1.0.3 (https://forge.puppet.com/modules/kogitoapp/ufw) to allow through HTTP traffic.

Our Puppet Server is configured to use Hiera to hold our facts. So far I have created the following configuration files:
File: /etc/puppetlabs/code/environments/production/hiera.yaml

version: 5
defaults:
  # The default value for "datadir" is "data" under the same directory as the hiera.yaml
  # file (this file)
hierarchy:
  - name: "Per-node data (yaml version)"
    path: "nodes/%{::trusted.certname}.yaml"
  - name: "Per-role data"
    path: "roles/%{::role}"
  - name: "Other YAML hierarchy levels"
    paths:
      - "common.yaml"

File: /etc/puppetlabs/code/environments/production/data/common.yaml

# empty at the moment

File: /etc/puppetlabs/code/environments/production/manifests/site.pp

node default {
  hiera_include('roles')
}

File: /etc/puppetlabs/code/environments/production/data/nodes/eb-web.evolvedbinary.com.yaml

roles:
   - roles::www

ufw::ufw_rule:
  name: 'Allow HTTP'
  action: allow
  to_ports_app: 80
  proto: tcp

File: /etc/puppetlabs/code/environments/production/modules/roles/manifests/www.pp

class roles::www {
    include profiles::ufw
    # include profiles::nginx
}

File: /etc/puppetlabs/code/environments/production/modules/profiles/manifests/ufw.pp

class profiles::ufw {
  class{ '::ufw': }
}

I have also installed the ufw module on the Puppet Server by running:

sudo /opt/puppetlabs/bin/puppet module install kogitoapp-ufw --version 1.0.3


If I now switch to the eb-web host and ask the Puppet Agent to apply the config from the Puppet Server by running:

sudo /opt/puppetlabs/bin/puppet agent --no-daemonize --test

Then I see the following output which I think is showing that everything was applied:

ubuntu@eb-web:~$ sudo /opt/puppetlabs/bin/puppet agent --no-daemonize --test
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for eb-web.evolvedbinary.com
Info: Applying configuration version '1639003464'
Notice: Applied catalog in 0.60 seconds
ubuntu@eb-web:~$ 

After this, if I check sudo ufw status, it seems to indicate that port 80 for HTTP has NOT been configured by Puppet:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)


Update (20-Dec-2021)

After trying a solution to this issue, I got this working; however, I made a mistake and added the rules into the ufw.pp file, which was not the way I wanted to do this. After taking the rules out of the ufw.pp file and just having them in the eb-web.evolvedbinary.com.yaml file, the ufw port 80 is now being rejected. I have tried using status: enable and status: allow, and I have also tried ensure: present, along with other combinations that I cannot remember 100%, all within the eb-web.evolvedbinary.com.yaml file. The ufw.pp file currently looks like:

class profiles::ufw {
  class { 'ufw': }
}

And the eb-web.evolvedbinary.com.yaml file looks like:

---
roles:
   - roles::www
ufw::rule:
  'Allow HTTP':
    action: allow
    to_ports_app: 80
    proto: tcp
include nginx:
nginx::nginx_server:
   'www.evolvedbinary.com':
      ssl: true
      www_root: '/var/www/www.evolvedbinary.com'

I am not seeing any errors when I run sudo /opt/puppetlabs/bin/puppet agent --no-daemonize --test on the eb-web host (puppet agent) however, when I run sudo ufw status I see:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                   # allow_puppet
80                         REJECT      Anywhere                   # Allow HTTP
22 (v6)                    ALLOW       Anywhere (v6)              # allow_puppet
80 (v6)                    REJECT      Anywhere (v6)              # Allow HTTP

I am not sure how I can enable port 80 using hiera within the eb-web.evolvedbinary.com.yaml file.

Can someone help me figure out how to configure UFW using Puppet please?

3 Answers


  1. Chosen as BEST ANSWER

    After some time spent trying to work this out and going back and forth over why this was not working, I finally realised my mistake in the eb-web.evolvedbinary.com.yaml. I needed to add include ufw and also change ufw::rule to ufw::rules. After these changes were done, port 80 is now working. The eb-web.evolvedbinary.com.yaml file now looks like:

    ---
    roles:
       - roles::www
    include ufw:
    ufw::rules:
       'Allow HTTP':
          action: allow
          to_ports_app: 80
          proto: tcp
    include nginx:
    nginx::nginx_server:
       'www.evolvedbinary.com':
          ssl: true
          www_root: '/var/www/www.evolvedbinary.com'
    

  2. The first thing would be to look at the examples on the Puppet forge https://forge.puppet.com/modules/kogitoapp/ufw#basic and I’d probably put hiera to one side for the time being to make debugging easier.

    Try putting this in /etc/puppetlabs/code/environments/production/modules/profiles/manifests/ufw.pp

    class profiles::ufw {
      class {'ufw':
        rules => {
          'Allow HTTP' => {
            'action'       => 'allow',
            'to_ports_app' => 80,
            'proto'        => 'tcp',
          },
        }
      }
    }
    
  3. This Hiera data …

    ufw::ufw_rule:
      name: 'Allow HTTP'
      action: allow
      to_ports_app: 80
      proto: tcp
    

    … appears to be an attempt to declare an instance of the module’s ufw_rule resource type within your hiera data. You cannot declare resources that way (and that resource type is a plugin type whose name is ufw_rule, not ufw::ufw_rule). Resource declarations go in your manifests. For example, you might put this in profiles/manifests/ufw.pp:

    ufw_rule { 'Allow HTTP':
      action       => 'allow',
      to_ports_app => 80,
      proto        => 'tcp',
    }
    

    Hiera’s most prominent use is in providing data for class (but not resource) parameters, and some classes use this to support indirect resource declaration. You generally put data representing one or more resources into a class parameter, and then declaring that class results in it declaring the resources so described. The ufw class you are using provides this option via its parameter rules (note spelling), which expects data in the form of a hash of hashes with resource name keys at the outer level and resource name / value mappings for ufw_rule resources at the inner level. If you want to make use of that, then the data would be structured like this:

    ufw::rules:
      'Allow HTTP':
        action: allow
        to_ports_app: 80
        proto: tcp
    

    Of course, you can also assign parameter values directly in your class declarations, as your other answer demonstrates, but this requires using resource-like class declarations. Resource-like class declarations should be avoided wherever possible. Prefer include, require, or contain for declaring classes.

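The point made in this answer, that Hiera's automatic parameter lookup only binds a key of the form class::param when the class actually declares that parameter and otherwise ignores it without any error, is the reason the question's ufw::ufw_rule and ufw::rule keys produced a clean agent run and no firewall rule. The following is an added illustration written for this page; it is not code from the question, the answers, or the kogitoapp/ufw module. It is a small Ruby check that loads node-level Hiera YAML and reports keys whose parameter name the class does not declare, plus a shape check on ufw::rules (a hash of rule titles to attribute hashes). The table of known parameters (only rules for the ufw class, as confirmed on this page) is an assumption, and the two embedded YAML documents are constructed from the question's data.

```ruby
require 'yaml'

# Constructed samples (not the poster's exact files): the misspelled key from
# the question's update, and the corrected key from the accepted answer.
BROKEN_NODE_DATA = <<~YAML
  roles:
    - roles::www
  ufw::rule:
    'Allow HTTP':
      action: allow
      to_ports_app: 80
      proto: tcp
YAML

FIXED_NODE_DATA = <<~YAML
  roles:
    - roles::www
  ufw::rules:
    'Allow HTTP':
      action: allow
      to_ports_app: 80
      proto: tcp
YAML

# Assumption: the parameters each class declares. Only `rules` is confirmed for
# the ufw class on this page; in practice derive this table from the module's
# manifests rather than hard-coding it.
KNOWN_CLASS_PARAMS = { 'ufw' => %w[rules] }.freeze

# Hiera automatic parameter lookup binds `class::param` to that parameter only
# if the class declares it; any other key is silently ignored. Returns a list
# of human-readable findings (empty when the data looks right).
def check_hiera_keys(yaml_text, known = KNOWN_CLASS_PARAMS)
  data = YAML.safe_load(yaml_text) || {}
  findings = []
  data.each do |key, value|
    next unless key.is_a?(String) && key.include?('::')
    *class_parts, param = key.split('::')
    klass = class_parts.join('::')
    next unless known.key?(klass) # class not under check
    unless known[klass].include?(param)
      findings << "#{key}: class '#{klass}' declares no parameter '#{param}'; " \
                  'Hiera ignores this key, so nothing is applied'
      next
    end
    findings.concat(check_rules_shape(key, value)) if param == 'rules'
  end
  findings
end

# `ufw::rules` must be a hash of hashes: rule title => attributes, and each
# rule needs at least an `action` (the attribute the page's examples rely on).
def check_rules_shape(key, value)
  return ["#{key}: expected a hash of rules, got #{value.class}"] unless value.is_a?(Hash)

  value.each_with_object([]) do |(title, attrs), out|
    if attrs.is_a?(Hash)
      out << "#{key}['#{title}']: missing 'action'" unless attrs.key?('action')
    else
      out << "#{key}['#{title}']: expected attribute hash, got #{attrs.class}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  { 'broken' => BROKEN_NODE_DATA, 'fixed' => FIXED_NODE_DATA }.each do |label, text|
    puts "== #{label}"
    findings = check_hiera_keys(text)
    puts(findings.empty? ? 'ok' : findings.join("\n"))
  end
end
```

Run it with ruby and it reports the ufw::rule key in the broken sample and nothing for the fixed one. To use it on a real tree, load each file under data/nodes/ and build KNOWN_CLASS_PARAMS from the parameter lists in the modules' manifests. The practical reason for a check like this is that a misspelled firewall key leaves the host without the intended rule while the agent reports a successful run, so catching it before commit is cheaper than discovering it from ufw status.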