Changeset - 7b004fce5c8b
Branko Majic (branko) - 3 years ago 2021-01-12 04:38:20
branko@majic.rs
MAR-160: Added maintenance and maintenance_allowed_hosts parameters to common role:

- Lets the user specify a list of hosts from which incoming
connections should be allowed.
- The defaults do not limit connectivity.
- Implemented the necessary tests.
- Set-up the base ferm/firewall rules if maintenance mode is enabled.
5 files changed with 106 insertions and 0 deletions:
roles/common/defaults/main.yml
 
@@ -27,6 +27,8 @@ pip_check_requirements_py3:
 
  - six==1.15.0
 
  - wheel==0.35.1
 
ntp_servers: []
 
maintenance: False
 
maintenance_allowed_hosts: []
 

	
 
# Internal use only.
 
prompt_colour_mapping:
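Review bot: The two new defaults `maintenance: False` and `maintenance_allowed_hosts: []` carry no comment, and their interaction is not obvious from this file: with maintenance enabled and the list left empty, the `allowed_hosts` chain generated in roles/common/templates/00-base.conf.j2 consists of a single `DROP`, so only traffic accepted before the `jump allowed_hosts` (ICMP echo and TCP port 22 in that template) gets through. I would add above them: `# Maintenance mode restricts incoming connections to maintenance_allowed_hosts; with an empty list everything except the base accepts (ICMP echo, SSH) is dropped.`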
roles/common/molecule/default/group_vars/parameters-optional.yml
 
@@ -51,6 +51,10 @@ ntp_servers:
 
  - "0.debian.pool.ntp.org"
 
  - "1.debian.pool.ntp.org"
 
  - "2.debian.pool.ntp.org"
 
maintenance: True
 
maintenance_allowed_hosts:
 
  - client1
 

	
 
# From backup_client role meta dependency.
 
backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/backup_encryption_key') }}"
 
backup_server: backup-server
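--- /dev/null
+++ b/roles/common/molecule/default/tests/test_maintenance_from_allowed_client.py
@@ -0,0 +1,35 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('client-allowed')
+
+
+def test_ssh_connectivity(host):
+    """
+    Test if SSH server is reachable.
+    """
+
+    with host.sudo():
+
+        ping = host.run('hping3 -S -p 22 -c 1 %s', 'parameters-mandatory')
+        assert ping.rc == 0
+
+        ping = host.run('hping3 -S -p 22 -c 1 %s', 'parameters-optional')
+        assert ping.rc == 0
+
+
+def test_http_connectivity(host):
+    """
+    Test if HTTP server is reachable.
+    """
+
+    with host.sudo():
+
+        ping = host.run('hping3 -S -p 80 -c 1 %s', 'parameters-mandatory')
+        assert ping.rc == 0
+
+        ping = host.run('hping3 -S -p 80 -c 1 %s', 'parameters-optional')
+        assert ping.rc == 0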
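Review bot: The docstrings `Test if SSH server is reachable.` and `Test if HTTP server is reachable.` overstate what is checked: a single `hping3 -S -c 1` SYN probe reports success on any TCP reply, a RST from a closed port included (as far as I recall hping3's exit status), so these tests show that the firewall lets the packet through, not that a service is listening. I would word the first as `Send one TCP SYN to port 22; a zero exit status means the packet was not filtered, not that sshd answered.` and the second likewise for port 80. The same wording applies to roles/common/molecule/default/tests/test_maintenance_from_disallowed_client.py. As a point of style, the two functions in this module differ only in the probed port, so one function parametrized over the port would halve the duplication.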
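--- /dev/null
+++ b/roles/common/molecule/default/tests/test_maintenance_from_disallowed_client.py
@@ -0,0 +1,35 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('client-disallowed')
+
+
+def test_ssh_connectivity(host):
+    """
+    Test if SSH server is reachable.
+    """
+
+    with host.sudo():
+
+        ping = host.run('hping3 -S -p 22 -c 1 %s', 'parameters-mandatory')
+        assert ping.rc == 0
+
+        ping = host.run('hping3 -S -p 22 -c 1 %s', 'parameters-optional')
+        assert ping.rc == 0
+
+
+def test_http_connectivity(host):
+    """
+    Test if HTTP server is reachable.
+    """
+
+    with host.sudo():
+
+        ping = host.run('hping3 -S -p 80 -c 1 %s', 'parameters-mandatory')
+        assert ping.rc == 0
+
+        ping = host.run('hping3 -S -p 80 -c 1 %s', 'parameters-optional')
+        assert ping.rc != 0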
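Review bot: `test_ssh_connectivity` expects `ping.rc == 0` against parameters-optional from the disallowed client, which is correct only because `proto tcp dport 22 ACCEPT;` precedes `jump allowed_hosts;` in roles/common/templates/00-base.conf.j2, yet nothing in this module says so and a reader would expect the disallowed client to be blocked on SSH as well. I would add to that docstring: `SSH stays reachable from disallowed clients: the base firewall accepts port 22 before jumping to the allowed_hosts chain.` In `test_http_connectivity` the docstring should state that `ping.rc != 0` against parameters-optional is the expected drop by the allowed_hosts chain, and that the preceding probe of parameters-mandatory (`rc == 0`) is what shows hping3 itself works, so the non-zero status can be attributed to filtering rather than a tooling failure.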
roles/common/templates/00-base.conf.j2
 
@@ -14,6 +14,10 @@ domain ip {
 
            # Accept some common incoming connections.
 
            proto icmp icmp-type echo-request ACCEPT;
 
            proto tcp dport 22 ACCEPT;
 
{% if maintenance %}
 
            # Validate source IP against list of allowed hosts in maintenance mode.
 
            jump allowed_hosts;
 
{% endif %}
 
        }
 

	
 
        # The flood chain is used for controlling the rate of the incoming connections.
 
@@ -32,6 +36,16 @@ domain ip {
 
                DROP;
 
            }
 
        }
 
{% if maintenance %}
 
        # Resume processing in case of allowed hosts, drop packets for
 
        # any other hosts.
 
        chain allowed_hosts {
 
            {% for host in maintenance_allowed_hosts %}
 
            saddr {{ host }} RETURN;
 
            {% endfor %}
 
            DROP;
 
        }
 
{% endif %}
 
    }
 
}
 

	
 
@@ -55,6 +69,10 @@ domain ip6 {
 
            # Accept some common incoming connections.
 
            proto icmp icmp-type echo-request ACCEPT;
 
            proto tcp dport 22 ACCEPT;
 
{% if maintenance %}
 
            # Validate source IP against list of allowed hosts in maintenance mode.
 
            jump allowed_hosts;
 
{% endif %}
 
        }
 

	
 
        # The flood chain is used for controlling the rate of the incoming connections.
 
@@ -73,5 +91,17 @@ domain ip6 {
 
                DROP;
 
            }
 
        }
 
{% if maintenance %}
 
        # Resume processing in case of allowed hosts, drop packets for
 
        # any other hosts.
 
        chain allowed_hosts {
 
            {% for host in maintenance_allowed_hosts %}
 
                {% if lookup('dig', host + '/AAAA') not in ['NXDOMAIN', ''] %}
 
            saddr {{ host }} RETURN;
 
                {% endif %}
 
            {% endfor %}
 
            DROP;
 
        }
 
{% endif %}
 
    }
 
}
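Review bot: The ip6 `chain allowed_hosts` guards each entry with `{% if lookup('dig', host + '/AAAA') not in ['NXDOMAIN', ''] %}`, but the ip `chain allowed_hosts` in the second hunk emits `saddr {{ host }} RETURN;` for every entry with no equivalent A-record check; if a name in `maintenance_allowed_hosts` resolves only to IPv6, ferm would presumably fail to load the ip domain in the same way the ip6 domain would have without its guard. A matching `{% if lookup('dig', host + '/A') not in ['NXDOMAIN', ''] %}` around the ip rule would make the two domains consistent. Both chains also deserve a comment that the `dig` lookup runs on the Ansible controller while ferm resolves `saddr` names on the managed host, so the two views can differ (split-horizon DNS, entries present only in the target's /etc/hosts), and that the addresses are fixed when the rules are loaded, so a DNS change for an allowed host takes effect only after ferm is re-applied.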