# voxpupuli
  • v

    VoxBot

    06/22/2023, 7:45 AM
    and is Serverspec:Type:Host really correct?
  • v

    VoxBot

    06/22/2023, 7:52 AM
    moved it to spec/spec_helper_acceptance.rb and it passes now
  • m

    Markus Zilch

    06/22/2023, 10:07 AM
    can i get a review for https://github.com/voxpupuli/puppet-openssl/pull/166 please?
  • i

    Ian CB

    06/22/2023, 12:26 PM
    Hi - I have a requirement to configure firewalld to allow access for specific hosts to ssh, block all other access via ssh, and allow all other access to the host on whatever port. Digging around on the internet I found a set of rich rules which appear to do what I want:
        firewall-cmd --zone=public --add-rich-rule 'rule source address=<IP> port port="22" protocol="tcp" accept'
        firewall-cmd --zone=public --add-rich-rule 'rule priority="30000" port port="22" protocol="tcp" reject'
        firewall-cmd --zone=public --add-rich-rule 'rule priority="32767" protocol="tcp" accept'
        firewall-cmd --zone=public --add-rich-rule 'rule priority="32767" protocol="udp" accept'
    The firewalld module in the forge is great - however the rich rule module does not seem to have a priority option. I was going to code some exec statements for the items requiring priority but I suspect that this will not work as the rules will not be in the puppet catalog and as a result the command which init's firewalld with its purge rich rules will simply remove the rules applied via exec (and we end up with the rules being removed / applied in a vicious cycle). Any suggestions?
  • b

    bastelfreak

    06/22/2023, 12:32 PM
    first idea: Don't use the legacy firewalld but switch to nftables
    👍 1
  • b

    bastelfreak

    06/22/2023, 12:32 PM
    second: you can probably order rules by their name (I assume they are ordered alphabetically, but I'm not 100% sure)
  • i

    Ian CB

    06/22/2023, 12:57 PM
    Thanks … I was hoping to be able to use the same code on CentOS 7 (which I don't think supports nftables). I think priorities were added to firewalld in order to support ordering as I don't think the rules have names as such. I'll see if I can figure out how to get nftables working
  • b

    bastelfreak

    06/22/2023, 1:55 PM
    @Alex Fisher yoyo. didn't you once hack a systemd dropin that adds an execstartpost so the unit waits until the service is actually up?
  • v

    VoxBot

    06/22/2023, 1:58 PM
    Probably better to have a separate unit to wait for a service in that case - like the wait-online "service" that exists
  • v

    VoxBot

    06/22/2023, 1:59 PM
    that would work as well, yes
  • v

    VoxBot

    06/22/2023, 2:01 PM
    mhm maybe that wasn't afisher but ewoud
  • y

    Yury Bushmelev

    06/22/2023, 2:06 PM
    should be simple enough wrapper around `wait_for` or `nc` maybe.. depends on a service though
  • v

    VoxBot

    06/22/2023, 2:06 PM
    yeah it was something like that
  • y

    Yury Bushmelev

    06/22/2023, 2:07 PM
    were you asking about an example? 🙂
  • v

    VoxBot

    06/22/2023, 2:08 PM
    yeah. I was looking for one that was posted here in the past
  • v

    VoxBot

    06/22/2023, 2:08 PM
    I think that was just an infinite loop around nc to check when a tcp port is open
  • y

    Yury Bushmelev

    06/22/2023, 2:15 PM
    /bin/bash -c 'while ! nc -z 127.0.0.1 12345; do sleep 1; done'
  • y

    Yury Bushmelev

    06/22/2023, 2:15 PM
    something like this I guess
  • y

    Yury Bushmelev

    06/22/2023, 2:16 PM
    `!` might need to be escaped properly
  • y

    Yury Bushmelev

    06/22/2023, 2:16 PM
    ah.. nc will block.. so should be `nc -z`
  • y

    Yury Bushmelev

    06/22/2023, 2:18 PM
    Luckily there is no systemd on FreeBSD so nobody would blame me for `/bin/bash` 😄
  • v

    vchepkov

    06/22/2023, 3:14 PM
    latest versions removed `-z` from nc :sadluke:
  • y

    Yury Bushmelev

    06/22/2023, 3:24 PM
    hmm.. how come? that was the main purpose of `nc`!
  • b

    bastelfreak

    06/22/2023, 3:28 PM
    don't mix the openbsd and the gnu nc
  • j

    jhoblitt

    06/22/2023, 5:24 PM
    uhh... with msync... I'm putting a new file under moduleroot and `bundle exec msync update --offline` isn't copying it... what am I missing? I swear this has worked before.
  • b

    bastelfreak

    06/22/2023, 5:24 PM
    does it end with .erb?
  • j

    jhoblitt

    06/22/2023, 5:24 PM
    facepalm
  • j

    jhoblitt

    06/22/2023, 5:24 PM
    @bastelfreak I'm not worthy...
  • b

    bastelfreak

    06/22/2023, 5:25 PM
    🙂
  • j

    jhoblitt

    06/22/2023, 5:40 PM
    I am having a bad day. Now I'm seeing acceptance test failures only for centos 7 and only in some of my modules:
      Failed to set locale, defaulting to C
      Loaded plugins: fastestmirror, ovl
      Examining /var/tmp/yum-root-8G7ppP/puppet7-release-el-7.noarch.rpm: puppet7-release-7.0.0-14.el7.noarch
      /var/tmp/yum-root-8G7ppP/puppet7-release-el-7.noarch.rpm: does not update installed package.
      Error: Nothing to do