From: adrianiurca Date: Mon, 23 Nov 2020 22:32:10 +0000 (+0200) Subject: change hashlimit_htable_size to a lower value and add policycoreutils X-Git-Tag: v2.8.0~8^2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=3ddd5a9aa6a8c828b7f673a8c5d21f1c12332c20;p=puppet-modules%2Fpuppetlabs-firewall.git change hashlimit_htable_size to a lower value and add policycoreutils --- diff --git a/.travis.yml b/.travis.yml index b3aa075..7c031db 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,7 +13,7 @@ before_install: - gem --version - bundle -v script: - - 'SIMPLECOV=yes bundle exec rake $CHECK' + - "SIMPLECOV=yes bundle exec rake $CHECK" bundler_args: --without system_tests rvm: - 2.5.7 
@@ -27,103 +27,94 @@ stages: jobs: fast_finish: true include: - - - before_script: - - "bundle exec rake 'litmus:provision_list[travis_ub_6]'" - - "bundle exec rake 'litmus:install_agent[puppet6]'" - - "bundle exec rake litmus:install_module" + - before_script: + - "bundle exec rake 'litmus:provision_list[travis_ub_6]'" + - "bundle exec rake 'litmus:install_agent[puppet6]'" + - "bundle exec rake 'litmus:install_module'" bundler_args: env: PLATFORMS=travis_ub_6_puppet6 rvm: 2.5.7 script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - - - before_script: - - "bundle exec rake 'litmus:provision_list[travis_ub_5]'" - - "bundle exec rake 'litmus:install_agent[puppet5]'" - - "bundle exec rake litmus:install_module" + - before_script: + - "bundle exec rake 'litmus:provision_list[travis_ub_5]'" + - "bundle exec rake 'litmus:install_agent[puppet5]'" + - "bundle exec rake 'litmus:install_module'" bundler_args: env: PLATFORMS=travis_ub_5_puppet5 rvm: 2.5.7 script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - - - before_script: - - "bundle exec rake 'litmus:provision_list[travis_deb]'" - - "bundle exec rake 'litmus:install_agent[puppet5]'" - - "bundle exec rake litmus:install_module" + - before_script: + - "bundle exec rake 'litmus:provision_list[travis_deb]'" + - "bundle exec rake 'litmus:install_agent[puppet5]'" + - "bundle exec rake 'litmus:install_module'" bundler_args: env: PLATFORMS=travis_deb_puppet5 rvm: 2.5.7 script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - - - before_script: - - "bundle exec rake 'litmus:provision_list[travis_el7]'" - - "bundle exec rake 'litmus:install_agent[puppet5]'" - - "bundle exec rake litmus:install_module" + - before_script: + - "bundle exec rake 'litmus:provision_list[travis_el7]'" + - "bundle exec rake 'litmus:install_agent[puppet5]'" + - "bundle exec rake 
'litmus:install_module'" bundler_args: env: PLATFORMS=travis_el7_puppet5 rvm: 2.5.7 script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - - - before_script: - - "bundle exec rake 'litmus:provision_list[travis_el8]'" - - "bundle exec rake 'litmus:install_agent[puppet5]'" - - "bundle exec rake litmus:install_module" + - before_script: + - "bundle exec rake 'litmus:provision_list[travis_el8]'" + - "bundle exec rake 'litmus:install_agent[puppet5]'" + - "bundle exec rake 'litmus:install_module'" bundler_args: + dist: xenial env: PLATFORMS=travis_el8_puppet5 rvm: 2.5.7 script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - - - before_script: - - "bundle exec rake 'litmus:provision_list[travis_deb]'" - - "bundle exec rake 'litmus:install_agent[puppet6]'" - - "bundle exec rake litmus:install_module" + - before_script: + - "bundle exec rake 'litmus:provision_list[travis_deb]'" + - "bundle exec rake 'litmus:install_agent[puppet6]'" + - "bundle exec rake 'litmus:install_module'" bundler_args: env: PLATFORMS=travis_deb_puppet6 rvm: 2.5.7 script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - - - before_script: - - "bundle exec rake 'litmus:provision_list[travis_el7]'" - - "bundle exec rake 'litmus:install_agent[puppet6]'" - - "bundle exec rake litmus:install_module" + - before_script: + - "bundle exec rake 'litmus:provision_list[travis_el7]'" + - "bundle exec rake 'litmus:install_agent[puppet6]'" + - "bundle exec rake 'litmus:install_module'" bundler_args: env: PLATFORMS=travis_el7_puppet6 rvm: 2.5.7 script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - - - before_script: - - "bundle exec rake 'litmus:provision_list[travis_el8]'" - - "bundle exec rake 'litmus:install_agent[puppet6]'" - - "bundle exec rake litmus:install_module" + - before_script: + - "bundle exec 
rake 'litmus:provision_list[travis_el8]'" + - "bundle exec rake 'litmus:install_agent[puppet6]'" + - "bundle exec rake 'litmus:install_module'" bundler_args: + dist: xenial env: PLATFORMS=travis_el8_puppet6 rvm: 2.5.7 script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - - - env: CHECK="check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop syntax lint metadata_lint" + - env: CHECK="check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop syntax lint metadata_lint" stage: static - - - env: PUPPET_GEM_VERSION="~> 5.0" CHECK=parallel_spec + - env: PUPPET_GEM_VERSION="~> 5.0" CHECK=parallel_spec rvm: 2.4.5 stage: spec - - - env: PUPPET_GEM_VERSION="~> 6.0" CHECK=parallel_spec + - env: PUPPET_GEM_VERSION="~> 6.0" CHECK=parallel_spec rvm: 2.5.7 stage: spec branches: diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb index 426c500..867c356 100644 --- a/spec/acceptance/firewall_attributes_exceptions_spec.rb +++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb @@ -1316,7 +1316,7 @@ describe 'firewall basics', docker: true do hashlimit_name => 'upto', hashlimit_upto => '16/sec', hashlimit_burst => '640', - hashlimit_htable_size => '1310000', + hashlimit_htable_size => '1000000', hashlimit_htable_max => '320000', hashlimit_htable_expire => '36000000', action => accept, 
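Review bot: The new `hashlimit_htable_size => '1000000'` in firewall_attributes_exceptions_spec.rb has no comment saying why the test needs a lower value, so a later reader cannot tell whether 1000000 is a platform ceiling or an arbitrary pick. A one-line comment above the attribute would cover it, for example `# <reason 1310000 failed on the test platform>; keep htable_size at or below 1000000`, with the real reason filled in by the author. The same literal is repeated in the `--hashlimit-htable-size 1000000` regex of the next hunk and in both hunks of firewall_attributes_ipv6_exceptions_spec.rb, so all four places must change together. The attribute list appears to sit inside a manifest string that starts and ends outside this hunk.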
@@ -1335,7 +1335,7 @@ describe 'firewall basics', docker: true do end end it 'hashlimit_upto is set' do - expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto --hashlimit-htable-size 1310000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "806 - hashlimit_upto test" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length + expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "806 - hashlimit_upto test" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length end end diff --git a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb index 263ce70..4dc141c 100644 --- a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb +++ b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb @@ -376,7 +376,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do hashlimit_name => 'upto-ip6', hashlimit_upto => '16/sec', hashlimit_burst => '640', - hashlimit_htable_size => '1310000', + hashlimit_htable_size => '1000000', hashlimit_htable_max => '320000', hashlimit_htable_expire => '36000000', action => accept, 
@@ -434,7 +434,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu}) end it 'hashlimit_name set to "upto-ip6"' do - expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1310000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length + expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length end it 'match_mark is set' do expect(result.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable}) diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb index ebd43a9..03a9aae 100644 --- a/spec/acceptance/resource_cmd_spec.rb +++ b/spec/acceptance/resource_cmd_spec.rb @@ -9,6 +9,7 @@ describe 'puppet resource firewall command' do config = run_shell('puppet config print config').stdout run_shell("sed -i -e \'s/^templatedir.*$//\' #{config}") run_shell('echo export LC_ALL=C > ~/.bashrc') + run_shell('echo export PATH="/opt/puppetlabs/bin:$PATH" > ~/.bashrc') run_shell('source ~/.bashrc') end diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb index 532d532..204955c 100644 --- a/spec/spec_helper_acceptance_local.rb +++ b/spec/spec_helper_acceptance_local.rb 
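Review bot: The added `run_shell('echo export PATH="/opt/puppetlabs/bin:$PATH" > ~/.bashrc')` in resource_cmd_spec.rb redirects with `>`, which truncates ~/.bashrc and discards the `export LC_ALL=C` line written by the call just before it. Append instead: `run_shell('echo export PATH="/opt/puppetlabs/bin:$PATH" >> ~/.bashrc')`. Because the value is double-quoted for the target shell, `$PATH` is expanded when echo runs, so the file stores that moment's PATH rather than the literal text; write `\$PATH` if the literal is intended. The enclosing setup block starts outside the hunk.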
@@ -7,48 +7,59 @@ end def iptables_flush_all_tables ['filter', 'nat', 'mangle', 'raw'].each do |t| - expect(run_shell("iptables -t #{t} -F").stderr).to eq('') + expect(LitmusHelper.instance.run_shell("iptables -t #{t} -F").stderr).to eq('') end end def ip6tables_flush_all_tables ['filter', 'mangle'].each do |t| - expect(run_shell("ip6tables -t #{t} -F").stderr).to eq('') + expect(LitmusHelper.instance.run_shell("ip6tables -t #{t} -F").stderr).to eq('') end end def install_iptables - run_shell('iptables -V') + LitmusHelper.instance.run_shell('iptables -V') rescue if os[:family] == 'redhat' - run_shell('yum install iptables-services -y') + LitmusHelper.instance.run_shell('yum install iptables-services -y') else - run_shell('apt-get install iptables -y') + LitmusHelper.instance.run_shell('apt-get install iptables -y') end end def iptables_version install_iptables - x = run_shell('iptables -V') + x = LitmusHelper.instance.run_shell('iptables -V') x.stdout.split(' ')[1][1..-1] end def pre_setup - run_shell('mkdir -p /lib/modules/`uname -r`') - run_shell('depmod -a') + LitmusHelper.instance.run_shell('mkdir -p /lib/modules/`uname -r`') + LitmusHelper.instance.run_shell('depmod -a') end def update_profile_file - run_shell("sed -i '/mesg n/c\\test -t 0 && mesg n || true' ~/.profile") - run_shell("sed -i '/mesg n || true/c\\test -t 0 && mesg n || true' ~/.profile") + LitmusHelper.instance.run_shell("sed -i '/mesg n/c\\test -t 0 && mesg n || true' ~/.profile") + LitmusHelper.instance.run_shell("sed -i '/mesg n || true/c\\test -t 0 && mesg n || true' ~/.profile") end def fetch_os_name - @facter_os_name ||= run_shell('facter os.name').stdout.delete("\n").downcase + @facter_os_name ||= LitmusHelper.instance.run_shell('facter os.name').stdout.delete("\n").downcase end RSpec.configure do |c| c.before :suite do + if fetch_os_name == 'centos' && os[:release].to_i == 8 + pp = <<-PUPPETCODE + package { 'iptables-services': + ensure => 'latest', + } + package { 'policycoreutils': + 
ensure => 'latest', + } + PUPPETCODE + LitmusHelper.instance.apply_manifest(pp) + end if os[:family] == 'debian' && os[:release].to_i == 10 pp = <<-PUPPETCODE package { 'net-tools':