Whitelist the nagios server for denyhosts to prevent it from stupidly blocking Nagios SSH checks

Fixes #49
2012-09-10 00:40:26 -07:00 · 2012-09-10 00:40:26 -07:00 · 79dc1e6cfc
parent 8c12e26655
commit 79dc1e6cfc
5 changed files with 48 additions and 12 deletions
--- a/.blimpignore
+++ b/.blimpignore
@ -1,3 +1,4 @@
 modules/mysql/spec
 modules/firewall/spec
 modules/stdlib/spec
+*.deb
--- a/features/security.feature
+++ b/features/security.feature
@ -0,0 +1,13 @@
+Feature: Secure hosts
+
+
+  Scenario: Ensure the Nagios host is never blocked
+
+    On OSUOSL managed hosts the "denyhosts" package is installed and sometimes
+    the Nagios host (140.211.15.121) can be accidentally blacklisted by the
+    program.
+
+    Given I have an empty Linux machine
+    And I have included the Jenkins base module
+    When I provision the host
+    Then the Nagios server should be whitelisted for denyhosts
--- a/features/step_definitions/security_steps.rb
+++ b/features/step_definitions/security_steps.rb
@ -0,0 +1,7 @@
+Then /^the Nagios server should be whitelisted for denyhosts$/ do
+  whitelist_exists = vm.ssh_into('test -f /var/lib/denyhosts/allowed-hosts')
+  expect(whitelist_exists).to be(true)
+
+  server_whitelisted = vm.ssh_into('grep "140.211.15.121" /var/lib/denyhosts/allowed-hosts')
+  expect(server_whitelisted).to be(true)
+end
--- a/modules/base/manifests/denyhosts.pp
+++ b/modules/base/manifests/denyhosts.pp
@ -0,0 +1,15 @@
+#
+# Ensure consistent denyhosts settings across all machines
+#
+
+class base::denyhosts {
+  file {
+    '/var/lib/denyhosts' :
+      ensure => directory;
+
+    '/var/lib/denyhosts/allowed-hosts' :
+      ensure  => present,
+      require => File['/var/lib/denyhosts'],
+      content => "140.211.15.121";
+  }
+}
--- a/modules/base/manifests/init.pp
+++ b/modules/base/manifests/init.pp
@ -6,13 +6,6 @@
 #   not be loaded on every machine, then it should go elsewhere

 class base {
-  include autoupdate
-  include jenkins-dns
-  include sshd
-  include sudo
-  include stdlib
-  include users-core
-
  # Unfortunately this module only supports Ubuntu
  if ($operatingsystem == 'Ubuntu') {
    include nagios::client
@ -33,11 +26,18 @@ class base {
    'base::post' :
      stage => 'post';

-    'packages::git' :  ;
-    'packages::wget':  ;
-    'packages::ruby':  ;
-    'packages::hiera': ;
-    'packages::puppet': ;
+    ['autoupdate',
+     'base::denyhosts',
+     'jenkins-dns',
+     'sshd',
+     'sudo',
+     'stdlib',
+     'users-core',
+     'packages::git',
+     'packages::wget',
+     'packages::hiera',
+     'packages::ruby',
+     'packages::puppet'] : ;

    'ntp' :
      ensure   => running,