2 # Cookbook Name:: networking
5 # Copyright 2010, OpenStreetMap Foundation.
6 # Copyright 2009, Opscode, Inc.
8 # Licensed under the Apache License, Version 2.0 (the "License");
9 # you may not use this file except in compliance with the License.
10 # You may obtain a copy of the License at
12 # https://www.apache.org/licenses/LICENSE-2.0
14 # Unless required by applicable law or agreed to in writing, software
15 # distributed under the License is distributed on an "AS IS" BASIS,
16 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 # See the License for the specific language governing permissions and
18 # limitations under the License.
21 # * node[:networking][:nameservers]
31 "renderer" => "networkd",
38 node[:networking][:interfaces].each do |name, interface|
39 if interface[:interface]
40 network_packages |= ["vlan"] if interface[:interface] =~ /\.\d+$/
41 network_packages |= ["ifenslave"] if interface[:bond]
43 if interface[:role] && (role = node[:networking][:roles][interface[:role]])
44 if role[interface[:family]]
45 node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
46 node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
49 node.normal[:networking][:interfaces][name][:metric] = role[:metric]
50 node.normal[:networking][:interfaces][name][:zone] = role[:zone]
53 prefix = node[:networking][:interfaces][name][:prefix]
55 node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
56 node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
58 if node[:networking][:netplan]
59 deviceplan = if interface[:interface] =~ /^(.*)\.(\d+)$/
60 netplan["network"]["vlans"][interface[:interface]] ||= {
61 "id" => Regexp.last_match(2).to_i,
62 "link" => Regexp.last_match(1),
67 elsif interface[:interface] =~ /^bond\d+$/
68 netplan["network"]["bonds"][interface[:interface]] ||= {
74 netplan["network"]["ethernets"][interface[:interface]] ||= {
81 deviceplan["addresses"].push("#{interface[:address]}/#{prefix}")
84 deviceplan["interfaces"] = interface[:bond][:slaves].to_a
86 deviceplan["parameters"] = {
87 "mode" => interface[:bond][:mode] || "active-backup",
88 "primary" => interface[:bond][:slaves].first,
89 "mii-monitor-interval" => interface[:bond][:miimon] || 100,
90 "down-delay" => interface[:bond][:downdelay] || 200,
91 "up-delay" => interface[:bond][:updelay] || 200
94 deviceplan["parameters"]["transmit-hash-policy"] = interface[:bond][:xmithashpolicy] if interface[:bond][:xmithashpolicy]
95 deviceplan["parameters"]["lacp-rate"] = interface[:bond][:lacprate] if interface[:bond][:lacprate]
98 if interface[:gateway]
99 if interface[:family] == "inet"
100 default_route = "0.0.0.0/0"
101 elsif interface[:family] == "inet6"
102 default_route = "::/0"
105 deviceplan["routes"].push(
106 "to" => default_route,
107 "via" => interface[:gateway],
108 "metric" => interface[:metric],
114 node.rm(:networking, :interfaces, name)
118 if node[:networking][:netplan]
121 file "/etc/netplan/01-netcfg.yaml" do
125 netplan["network"]["bonds"].each_value do |bond|
126 bond["interfaces"].each do |interface|
127 netplan["network"]["ethernets"][interface] ||= { "accept-ra" => false }
131 netplan["network"]["vlans"].each_value do |vlan|
132 unless vlan["link"] =~ /^bond\d+$/
133 netplan["network"]["ethernets"][vlan["link"]] ||= { "accept-ra" => false }
137 file "/etc/netplan/99-chef.yaml" do
141 content YAML.dump(netplan)
144 service "networking" do
148 file "/etc/network/interfaces" do
152 package "ifupdown" do
156 package network_packages
158 template "/etc/network/interfaces" do
159 source "interfaces.erb"
166 execute "hostname" do
168 command "/bin/hostname -F /etc/hostname"
171 template "/etc/hostname" do
172 source "hostname.erb"
176 notifies :run, "execute[hostname]"
179 template "/etc/hosts" do
186 unless node[:networking][:nameservers].empty?
187 link "/etc/resolv.conf" do
190 to "/run/resolvconf/resolv.conf"
191 only_if { File.symlink?("/etc/resolv.conf") }
194 template "/etc/resolv.conf" do
195 source "resolv.conf.erb"
202 node.interfaces(:role => :internal) do |interface|
203 if interface[:gateway] && interface[:gateway] != interface[:address]
204 search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
205 next unless gateway[:openvpn]
207 gateway[:openvpn][:tunnels].each_value do |tunnel|
208 if tunnel[:peer][:address] # ~FC023
209 route tunnel[:peer][:address] do
210 netmask "255.255.255.255"
211 gateway interface[:gateway]
212 device interface[:interface]
216 next unless tunnel[:peer][:networks]
218 tunnel[:peer][:networks].each do |network|
219 route network[:address] do
220 netmask network[:netmask]
221 gateway interface[:gateway]
222 device interface[:interface]
232 search(:node, "networking:interfaces").collect do |n|
233 next if n[:fqdn] == node[:fqdn]
235 n.interfaces.each do |interface|
236 next unless interface[:role] == "external" && interface[:zone]
238 zones[interface[:zone]] ||= {}
239 zones[interface[:zone]][interface[:family]] ||= []
240 zones[interface[:zone]][interface[:family]] << interface[:address]
246 template "/etc/default/shorewall" do
247 source "shorewall-default.erb"
251 notifies :restart, "service[shorewall]"
254 template "/etc/shorewall/shorewall.conf" do
255 source "shorewall.conf.erb"
259 notifies :restart, "service[shorewall]"
262 template "/etc/shorewall/zones" do
263 source "shorewall-zones.erb"
267 variables :type => "ipv4"
268 notifies :restart, "service[shorewall]"
271 template "/etc/shorewall/interfaces" do
272 source "shorewall-interfaces.erb"
276 notifies :restart, "service[shorewall]"
279 template "/etc/shorewall/hosts" do
280 source "shorewall-hosts.erb"
284 variables :zones => zones
285 notifies :restart, "service[shorewall]"
288 template "/etc/shorewall/conntrack" do
289 source "shorewall-conntrack.erb"
293 notifies :restart, "service[shorewall]"
294 only_if { node[:networking][:firewall][:raw] }
297 template "/etc/shorewall/policy" do
298 source "shorewall-policy.erb"
302 notifies :restart, "service[shorewall]"
305 template "/etc/shorewall/rules" do
306 source "shorewall-rules.erb"
310 variables :family => "inet"
311 notifies :restart, "service[shorewall]"
314 service "shorewall" do
315 action [:enable, :start]
316 supports :restart => true
317 status_command "shorewall status"
320 template "/etc/logrotate.d/shorewall" do
321 source "logrotate.shorewall.erb"
325 variables :name => "shorewall"
328 firewall_rule "limit-icmp-echo" do
334 dest_ports "echo-request"
335 rate_limit "s:1/sec:5"
338 %w[ucl ams bm].each do |zone|
339 firewall_rule "accept-openvpn-#{zone}" do
344 dest_ports "1194:1197"
345 source_ports "1194:1197"
349 if node[:roles].include?("gateway")
350 template "/etc/shorewall/masq" do
351 source "shorewall-masq.erb"
355 notifies :restart, "service[shorewall]"
358 file "/etc/shorewall/masq" do
360 notifies :restart, "service[shorewall]"
364 unless node.interfaces(:family => :inet6).empty?
367 template "/etc/default/shorewall6" do
368 source "shorewall-default.erb"
372 notifies :restart, "service[shorewall6]"
375 template "/etc/shorewall6/shorewall6.conf" do
376 source "shorewall6.conf.erb"
380 notifies :restart, "service[shorewall6]"
383 template "/etc/shorewall6/zones" do
384 source "shorewall-zones.erb"
388 variables :type => "ipv6"
389 notifies :restart, "service[shorewall6]"
392 template "/etc/shorewall6/interfaces" do
393 source "shorewall6-interfaces.erb"
397 notifies :restart, "service[shorewall6]"
400 template "/etc/shorewall6/hosts" do
401 source "shorewall6-hosts.erb"
405 variables :zones => zones
406 notifies :restart, "service[shorewall6]"
409 template "/etc/shorewall6/conntrack" do
410 source "shorewall-conntrack.erb"
414 notifies :restart, "service[shorewall6]"
415 only_if { node[:networking][:firewall][:raw] }
418 template "/etc/shorewall6/policy" do
419 source "shorewall-policy.erb"
423 notifies :restart, "service[shorewall6]"
426 template "/etc/shorewall6/rules" do
427 source "shorewall-rules.erb"
431 variables :family => "inet6"
432 notifies :restart, "service[shorewall6]"
435 service "shorewall6" do
436 action [:enable, :start]
437 supports :restart => true
438 status_command "shorewall6 status"
441 template "/etc/logrotate.d/shorewall6" do
442 source "logrotate.shorewall.erb"
446 variables :name => "shorewall6"
449 firewall_rule "limit-icmp6-echo" do
455 dest_ports "echo-request"
456 rate_limit "s:1/sec:5"
460 firewall_rule "accept-http" do
466 rate_limit node[:networking][:firewall][:http_rate_limit]
467 connection_limit node[:networking][:firewall][:http_connection_limit]
470 firewall_rule "accept-https" do
476 rate_limit node[:networking][:firewall][:http_rate_limit]
477 connection_limit node[:networking][:firewall][:http_connection_limit]