chef-cookbooks / iptables

Development repository for Chef Cookbook iptables
https://supermarket.chef.io/cookbooks/iptables
Apache License 2.0

Can we move the iptables-rebuild script into a ruby library? #67

Closed lamont-granquist closed 3 years ago

lamont-granquist commented 8 years ago

@thommay @tas50 @iennae am I missing something here? Does this have to be an external command API for some reason?

It seems like we drop the file on the filesystem and then only ever execute it from this cookbook -- we could move it to a library and then ruby_block it and I can't see what would change (other than we could properly use shell_out! and avoid shebang-hell and maybe write a real resource for what it does?)

lamont-granquist commented 8 years ago

even if we turn it into a resource, we can also most likely leave a chef-client override-run-list script in its place (I think we'd need to do that since wiring up chef-apply/chef-solo/chef-zero to the cookbook store where the iptables cookbook is would be fraught with peril).

tas50 commented 8 years ago

I suspect this was something that made sense to someone back in the day. At this point it seems like we should be doing it via a library.

iennae commented 8 years ago

+1 to library.

lamont-granquist commented 8 years ago

need to replace system with shell_out! everywhere

tas50 commented 7 years ago

I’m adding the Type: Jump In GitHub label to this issue. This is a great issue for someone to get their feet wet with and we’d love a PR to resolve the issue.

bmhughes commented 5 years ago

I'm going to take a crack at this in the next few weeks once I get a bit of quiet time but having had a quick look through to see what would be involved (not much to just go to a library from what I can see) I'm wondering if there is any need to actually keep the individual rules files at all?

I'm thinking the rule(6) resources could be refactored to use accumulator patterns to generate the overall rule files instead of the current method, which would have the benefit that any out of scope rules would be implicitly removed rather than having to do it explicitly with :disable. (Maybe there should still be a way to use the current behaviour as well though?)

Obviously this would be a big behaviour change, so it would probably be a major version increment; I wanted to see if it was something worth pursuing or not first.

bmhughes commented 5 years ago

Got this working pretty well now as an accumulated template in the rule resources to create the persistent rule files directly.

Got some tidying up and chefspec/kitchen/documentation to do, so unless anything catches fire shortly I should have a PR ready by the end of this week, hopefully.
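The accumulator approach described in the two comments above, sketched as an added example in plain Ruby (not the cookbook's resource code, and the class, method and chain names are assumptions): each rule declaration is collected per table, and the persistent file is rendered in one pass in the format iptables-restore loads, so a rule that is no longer declared simply never appears and no explicit :disable step is needed. Loading the rendered file (the shell_out! step) is left out.

```ruby
# Constructed sketch of the accumulator idea (plain Ruby, not the cookbook's
# code; names are assumptions): rules are collected per table and the
# persistent file is rendered in one pass in iptables-restore format.
Rule = Struct.new(:chain, :rule, :position, keyword_init: true)

class IptablesRuleAccumulator
  BUILTIN = { 'filter' => %w[INPUT FORWARD OUTPUT], 'nat' => %w[PREROUTING INPUT OUTPUT POSTROUTING] }.freeze

  def initialize
    @rules    = Hash.new { |h, k| h[k] = [] }
    @policies = Hash.new { |h, k| h[k] = {} }
  end

  # Default policy of a built-in chain, e.g. policy('filter', 'INPUT', 'DROP').
  def policy(table, chain, target)
    @policies[table][chain] = target
    self
  end

  # Declare one rule; lower positions are emitted first within a table.
  def add(table:, chain:, rule:, position: 50)
    raise ArgumentError, "unknown table #{table}" unless BUILTIN.key?(table)
    @rules[table] << Rule.new(chain: chain, rule: rule, position: position)
    self
  end

  # Render every table that has rules or policies; untouched tables are omitted.
  # Anything not declared in this run is absent from the output by construction.
  def render
    out = []
    BUILTIN.each_key do |table|
      next if @rules[table].empty? && @policies[table].empty?
      # Sort by position; the index keeps ties in declaration order (stable sort).
      rules = @rules[table].each_with_index.sort_by { |r, i| [r.position, i] }.map(&:first)
      out << "*#{table}"
      (BUILTIN[table] | rules.map(&:chain)).each do |chain|
        default = BUILTIN[table].include?(chain) ? 'ACCEPT' : '-' # '-' marks a user chain
        out << ":#{chain} #{@policies[table].fetch(chain, default)} [0:0]"
      end
      rules.each { |r| out << "-A #{r.chain} #{r.rule}" }
      out << 'COMMIT'
    end
    out.empty? ? '' : out.join("\n") + "\n"
  end
end

# Constructed sample: default-deny INPUT plus a user-defined rate-limit chain.
def example_ruleset
  IptablesRuleAccumulator.new.policy('filter', 'INPUT', 'DROP').policy('filter', 'FORWARD', 'DROP')
    .add(table: 'filter', chain: 'INPUT', rule: '-i lo -j ACCEPT', position: 10)
    .add(table: 'filter', chain: 'INPUT', rule: '-p tcp --dport 22 -j SSH_LIMIT')
    .add(table: 'filter', chain: 'SSH_LIMIT', rule: '-m limit --limit 3/min -j ACCEPT')
    .add(table: 'filter', chain: 'SSH_LIMIT', rule: '-j DROP').render
end
```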

xorima commented 3 years ago

Closing as we have the accumulator pattern on this cookbook now, please re-open if there are still changes we want to see done (Or open a new ticket?)