Changeset - b1675b47ba12
Branko Majic (branko) - 5 months ago 2023-11-29 20:51:02
branko@majic.rs
MAR-189: Disable the legacy iptables tools by effectively renaming them:

- Somewhat more forceful but better way to deal with ferm in Bullseye
explicitly using the legacy tools for some unspecified compatibility
reasons.
- Renders the tools unusable because the calling name has
changed (they are all symlinks to the same file).
- Not necessarily required on Debian Buster, but it also won't cause
any damage there either.
2 files changed with 42 insertions and 9 deletions:
roles/common/molecule/default/tests/test_default.py
 
@@ -438,3 +438,34 @@ def test_pipreqcheck_script_output(host, environment, config_directory):
 
    assert len(report.stdout.split("\n")) == expected_line_count
 
    assert expected_warning_message in report.stdout
 
    assert expected_package_diff in report.stdout
 

	
 

	
 
@pytest.mark.parametrize('binary_default_path', [
 
    '/usr/sbin/iptables-legacy',
 
    '/usr/sbin/iptables-legacy-save',
 
    '/usr/sbin/iptables-legacy-restore',
 
    '/usr/sbin/ip6tables-legacy',
 
    '/usr/sbin/ip6tables-legacy-save',
 
    '/usr/sbin/ip6tables-legacy-restore',
 
])
 
def test_legacy_iptables_diversions(host, binary_default_path):
 
    """
 
    Tests if diversions have been put in place for the legacy iptables
 
    tools (prevents newer ferm versions from locating and using them).
 
    """
 

	
 
    binary_default = host.file(binary_default_path)
 
    binary_diversion = host.file(binary_default_path + '.original')
 
    dpkg_divert = host.run('dpkg-divert --list %s', binary_default_path)
 

	
 
    assert dpkg_divert.rc == 0
 
    assert binary_default_path in dpkg_divert.stdout
 

	
 
    assert not binary_default.exists
 

	
 
    # These binaries are all symlinks to a singular tool that behaves
 
    # differently based on calling name.
 
    assert binary_diversion.is_symlink
 
    assert binary_diversion.user == 'root'
 
    assert binary_diversion.group == 'root'
 
    assert binary_diversion.mode == 0o777
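Review bot: the `assert dpkg_divert.rc == 0` check on its own proves little, because `dpkg-divert --list` exits 0 and prints nothing when no diversion matches; the `binary_default_path in dpkg_divert.stdout` assertion is the one doing the real work, and it would be tighter to also assert that the expected target (`binary_default_path + '.original'`) appears in the listing, so a diversion that renames to the wrong place is caught. Likewise `assert binary_diversion.mode == 0o777` holds for every symlink on Linux regardless of how it was created, so it verifies nothing about the diversion itself; asserting on the link target with testinfra's `File.linked_to` (that the diverted symlink still resolves to the single multi-call tool the comment describes) would give the ownership/mode block a purpose.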
roles/common/tasks/main.yml
 
@@ -180,21 +180,23 @@
 
  command: "/usr/sbin/update-ca-certificates --fresh"
 
  when: deploy_ca_certificates_result.changed
 

	
 
- name: Set-up diversions for legacy iptables tools (prevents ferm from locating and using them)
 
  command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'"
 
  register: "iptables_legacy_divert"
 
  changed_when: "'Adding' in iptables_legacy_divert.stdout"
 
  with_items:
 
    - "/usr/sbin/iptables-legacy"
 
    - "/usr/sbin/iptables-legacy-restore"
 
    - "/usr/sbin/iptables-legacy-save"
 
    - "/usr/sbin/ip6tables-legacy"
 
    - "/usr/sbin/ip6tables-legacy-restore"
 
    - "/usr/sbin/ip6tables-legacy-save"
 

	
 
- name: Install ferm (for firewall management)
 
  apt:
 
    name: ferm
 
    state: present
 

	
 
- name: Prevent ferm from using legacy iptables tools
 
  lineinfile:
 
    path: "/usr/sbin/ferm"
 
    regexp: "legacy_name.*="
 
    line: "        my $legacy_name = $1 . '-do-not-use-legacy-' . $2;"
 
    state: present
 
  notify:
 
    - Restart ferm
 

	
 
- name: Configure ferm init script coniguration file
 
  copy:
 
    src: "ferm"
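Review bot: the `lineinfile` task on `/usr/sbin/ferm` appends the replacement line at the end of the script whenever `regexp: "legacy_name.*="` matches nothing, because `state: present` without `backrefs` inserts on no match; on a ferm version whose source lacks that assignment this leaves a dangling `my $legacy_name = $1 . '-do-not-use-legacy-' . $2;` at EOF where `$1` and `$2` have no meaning. Adding `backrefs: yes` makes the task a no-op when the pattern is absent, and a `validate` command (for instance `perl -c %s`) would reject a broken edit before `Restart ferm` is notified. The task would also benefit from a comment noting that the file is owned by the ferm package, so a package upgrade silently reverts the edit until the role runs again, whereas the `dpkg-divert` diversions in the preceding task persist across upgrades.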