2 # Cookbook Name:: networking
5 # Copyright 2010, OpenStreetMap Foundation.
6 # Copyright 2009, Opscode, Inc.
8 # Licensed under the Apache License, Version 2.0 (the "License");
9 # you may not use this file except in compliance with the License.
10 # You may obtain a copy of the License at
12 # https://www.apache.org/licenses/LICENSE-2.0
14 # Unless required by applicable law or agreed to in writing, software
15 # distributed under the License is distributed on an "AS IS" BASIS,
16 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 # See the License for the specific language governing permissions and
18 # limitations under the License.
21 # * node[:networking][:nameservers]
31 "renderer" => "networkd",
38 node[:networking][:interfaces].each do |name, interface|
39 if interface[:interface]
40 network_packages |= ["vlan"] if interface[:interface] =~ /\.\d+$/
41 network_packages |= ["ifenslave"] if interface[:bond]
43 if interface[:role] && (role = node[:networking][:roles][interface[:role]])
44 if role[interface[:family]]
45 node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
46 node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
49 node.normal[:networking][:interfaces][name][:metric] = role[:metric]
50 node.normal[:networking][:interfaces][name][:zone] = role[:zone]
53 prefix = node[:networking][:interfaces][name][:prefix]
55 node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
56 node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
58 if node[:networking][:netplan]
59 if interface[:interface] =~ /^(.*)\.(\d+)$/
60 deviceplan = netplan["network"]["vlans"][interface[:interface]] = {
61 "id" => Regexp.last_match(2).to_i,
62 "link" => Regexp.last_match(1),
67 elsif interface[:bond]
68 deviceplan = netplan["network"]["bonds"][interface[:interface]] = {
72 "interfaces" => interface[:bond][:slaves].to_a,
73 "mode" => interface[:bond][:mode] || "active-backup",
74 "primary" => interface[:bond][:slaves].first,
75 "mii-monitor-interval" => interface[:bond][:miimon] || 100,
76 "down-delay" => interface[:bond][:downdelay] || 200,
77 "up-delay" => interface[:bond][:updelay] || 200
80 deviceplan["transmit-hash-policy"] = interface[:bond][:xmithashpolicy] if interface[:bond][:xmithashpolicy]
81 deviceplan["lacp-rate"] = interface[:bond][:lacprate] if interface[:bond][:lacprate]
83 deviceplan = netplan["network"]["ethernets"][interface[:interface]] = {
90 deviceplan["addresses"].push("#{interface[:address]}/#{prefix}")
92 if interface[:gateway]
93 if interface[:family] == "inet"
94 default_route = "0.0.0.0/0"
95 elsif interface[:family] == "inet6"
96 default_route = "::/0"
99 deviceplan["routes"].push(
100 "to" => default_route,
101 "via" => interface[:gateway],
102 "metric" => interface[:metric],
108 node.rm(:networking, :interfaces, name)
112 if node[:networking][:netplan]
115 file "/etc/netplan/01-netcfg.yaml" do
119 netplan["network"]["bonds"].each_value do |bond|
120 bond["interfaces"].each do |interface|
121 netplan["network"]["ethernets"][interface] ||= { "accept-ra" => false }
125 netplan["network"]["vlans"].each_value do |vlan|
126 unless vlan["link"] =~ /^bond\d+$/
127 netplan["network"]["ethernets"][vlan["link"]] ||= { "accept-ra" => false }
131 file "/etc/netplan/99-chef.yaml" do
135 content YAML.dump(netplan)
138 service "networking" do
142 file "/etc/network/interfaces" do
146 package "ifupdown" do
150 package network_packages
152 template "/etc/network/interfaces" do
153 source "interfaces.erb"
160 execute "hostname" do
162 command "/bin/hostname -F /etc/hostname"
165 template "/etc/hostname" do
166 source "hostname.erb"
170 notifies :run, "execute[hostname]"
173 template "/etc/hosts" do
180 unless node[:networking][:nameservers].empty?
181 link "/etc/resolv.conf" do
184 to "/run/resolvconf/resolv.conf"
185 only_if { File.symlink?("/etc/resolv.conf") }
188 template "/etc/resolv.conf" do
189 source "resolv.conf.erb"
196 node.interfaces(:role => :internal) do |interface|
197 if interface[:gateway] && interface[:gateway] != interface[:address]
198 search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
199 next unless gateway[:openvpn]
201 gateway[:openvpn][:tunnels].each_value do |tunnel|
202 if tunnel[:peer][:address] # ~FC023
203 route tunnel[:peer][:address] do
204 netmask "255.255.255.255"
205 gateway interface[:gateway]
206 device interface[:interface]
210 next unless tunnel[:peer][:networks]
212 tunnel[:peer][:networks].each do |network|
213 route network[:address] do
214 netmask network[:netmask]
215 gateway interface[:gateway]
216 device interface[:interface]
226 search(:node, "networking:interfaces").collect do |n|
227 next if n[:fqdn] == node[:fqdn]
229 n.interfaces.each do |interface|
230 next unless interface[:role] == "external" && interface[:zone]
232 zones[interface[:zone]] ||= {}
233 zones[interface[:zone]][interface[:family]] ||= []
234 zones[interface[:zone]][interface[:family]] << interface[:address]
240 template "/etc/default/shorewall" do
241 source "shorewall-default.erb"
245 notifies :restart, "service[shorewall]"
248 template "/etc/shorewall/shorewall.conf" do
249 source "shorewall.conf.erb"
253 notifies :restart, "service[shorewall]"
256 template "/etc/shorewall/zones" do
257 source "shorewall-zones.erb"
261 variables :type => "ipv4"
262 notifies :restart, "service[shorewall]"
265 template "/etc/shorewall/interfaces" do
266 source "shorewall-interfaces.erb"
270 notifies :restart, "service[shorewall]"
273 template "/etc/shorewall/hosts" do
274 source "shorewall-hosts.erb"
278 variables :zones => zones
279 notifies :restart, "service[shorewall]"
282 template "/etc/shorewall/conntrack" do
283 source "shorewall-conntrack.erb"
287 notifies :restart, "service[shorewall]"
288 only_if { node[:networking][:firewall][:raw] }
291 template "/etc/shorewall/policy" do
292 source "shorewall-policy.erb"
296 notifies :restart, "service[shorewall]"
299 template "/etc/shorewall/rules" do
300 source "shorewall-rules.erb"
304 variables :family => "inet"
305 notifies :restart, "service[shorewall]"
308 service "shorewall" do
309 action [:enable, :start]
310 supports :restart => true
311 status_command "shorewall status"
314 template "/etc/logrotate.d/shorewall" do
315 source "logrotate.shorewall.erb"
319 variables :name => "shorewall"
322 firewall_rule "limit-icmp-echo" do
328 dest_ports "echo-request"
329 rate_limit "s:1/sec:5"
332 %w[ucl ams bm].each do |zone|
333 firewall_rule "accept-openvpn-#{zone}" do
338 dest_ports "1194:1197"
339 source_ports "1194:1197"
343 if node[:roles].include?("gateway")
344 template "/etc/shorewall/masq" do
345 source "shorewall-masq.erb"
349 notifies :restart, "service[shorewall]"
352 file "/etc/shorewall/masq" do
354 notifies :restart, "service[shorewall]"
358 unless node.interfaces(:family => :inet6).empty?
361 template "/etc/default/shorewall6" do
362 source "shorewall-default.erb"
366 notifies :restart, "service[shorewall6]"
369 template "/etc/shorewall6/shorewall6.conf" do
370 source "shorewall6.conf.erb"
374 notifies :restart, "service[shorewall6]"
377 template "/etc/shorewall6/zones" do
378 source "shorewall-zones.erb"
382 variables :type => "ipv6"
383 notifies :restart, "service[shorewall6]"
386 template "/etc/shorewall6/interfaces" do
387 source "shorewall6-interfaces.erb"
391 notifies :restart, "service[shorewall6]"
394 template "/etc/shorewall6/hosts" do
395 source "shorewall6-hosts.erb"
399 variables :zones => zones
400 notifies :restart, "service[shorewall6]"
403 template "/etc/shorewall6/conntrack" do
404 source "shorewall-conntrack.erb"
408 notifies :restart, "service[shorewall6]"
409 only_if { node[:networking][:firewall][:raw] }
412 template "/etc/shorewall6/policy" do
413 source "shorewall-policy.erb"
417 notifies :restart, "service[shorewall6]"
420 template "/etc/shorewall6/rules" do
421 source "shorewall-rules.erb"
425 variables :family => "inet6"
426 notifies :restart, "service[shorewall6]"
429 service "shorewall6" do
430 action [:enable, :start]
431 supports :restart => true
432 status_command "shorewall6 status"
435 template "/etc/logrotate.d/shorewall6" do
436 source "logrotate.shorewall.erb"
440 variables :name => "shorewall6"
443 firewall_rule "limit-icmp6-echo" do
449 dest_ports "echo-request"
450 rate_limit "s:1/sec:5"
454 firewall_rule "accept-http" do
460 rate_limit node[:networking][:firewall][:http_rate_limit]
461 connection_limit node[:networking][:firewall][:http_connection_limit]
464 firewall_rule "accept-https" do
470 rate_limit node[:networking][:firewall][:http_rate_limit]
471 connection_limit node[:networking][:firewall][:http_connection_limit]