Can we move the iptables-rebuild script into a ruby library?

Question

Can we move the iptables-rebuild script into a ruby library?

lamont-granquist opened this issue 8 years ago · comments

@thommay @tas50 @iennae am I missing something here? Does this have to be an external command API for some reason?

It seems like we drop the file on the filesystem and then only ever execute it from this cookbook -- we could move it to a library and then ruby_block it and i can't see what would change (other than we could properly use shell_out! and avoid shebang-hell and maybe write a real resource for what it does?)

Lamont Granquist · Answer 1 · Thu Oct 20 2016 05:32:16 GMT+0800 (China Standard Time)

even if we turn it into a resource, we can also most likely leave a chef-client override-run-list script in its place (i think we'd need to do that since wiring up chef-apply/chef-solo/chef-zolo to the cookbook store where the iptables cookbook is would be fraught with peril).

Tim Smith · Answer 2 · Thu Oct 20 2016 09:40:30 GMT+0800 (China Standard Time)

I suspect this was something that made sense to someone back in the day. At this point it seems like we should be doing it via a library.

Jennifer Davis · Answer 3 · Thu Oct 20 2016 12:20:49 GMT+0800 (China Standard Time)

+1 to library.

Lamont Granquist · Answer 4 · Tue Oct 25 2016 02:53:58 GMT+0800 (China Standard Time)

need to replace system with shell_out! everywhere

Tim Smith · Answer 5 · Sat Sep 09 2017 11:49:37 GMT+0800 (China Standard Time)

I’m adding the Type: Jump In GitHub label to this issue. This is a great issue for someone to get their feet wet with and we’d love a PR to resolves the issue.

Ben Hughes · Answer 6 · Thu Jan 10 2019 22:27:36 GMT+0800 (China Standard Time)

I'm going to take a crack at this in the next few weeks once I get a bit of quiet time but having had a quick look through to see what would be involved (not much to just go to a library from what I can see) I'm wondering if there is any need to actually keep the individual rules files at all?

I'm thinking the rule(6) resources could be refactored to use accumulator patterns to generate the overall rule files instead of the current method, which would have the benefit that any out of scope rules would be implicitly removed rather than having to do it explicitly with :disable. (Maybe there should still be a way to use the current behaviour as well though?)

Obviously this would be a big behaviour change so would probably be a major version increment so I wanted to see if it was something worth pursuing or not first.

Ben Hughes · Answer 7 · Wed Feb 06 2019 05:41:19 GMT+0800 (China Standard Time)

Got this working pretty well now as an accumulated template in the rule resources to create the persistent rule files directly.

Got some tidying up and chefspec/kitchen/documentation to do so unless anything catches fire shortly I should have a PR ready by the end of this week hopefully.

Jason Field · Answer 8 · Sun Dec 20 2020 19:59:31 GMT+0800 (China Standard Time)

Closing as we have the accumulator pattern on this cookbook now, please re-open if there are still changes we want to see done (Or open a new ticket?)