I am using the firewalld cookbook and am having difficulty rewriting the provider code so that it excludes subnets missing from the array. Below is what the current firewalld provider code looks like. Can someone help?
  use_inline_resources

  # Adds the rich rule to the runtime and the permanent configuration, but only
  # when firewall-cmd reports it is not already present (keeps the action idempotent).
  action :add do
    e = execute "add port #{new_resource.name} to zone" do
      not_if "firewall-cmd #{zone} --query-rich-rule=\"#{rich_rule}\""
      command(<<-EOC)
        firewall-cmd #{zone} --add-rich-rule="#{rich_rule}"
        firewall-cmd --permanent #{zone} --add-rich-rule="#{rich_rule}"
      EOC
    end
    new_resource.updated_by_last_action(e.updated_by_last_action?)
  end

  # Removes the rich rule from both configurations, only if it is currently present.
  action :remove do
    e = execute "remove port #{new_resource.name} from zone" do
      only_if "firewall-cmd #{zone} --query-rich-rule=\"#{rich_rule}\""
      command(<<-EOC)
        firewall-cmd #{zone} --remove-rich-rule="#{rich_rule}"
        firewall-cmd --permanent #{zone} --remove-rich-rule="#{rich_rule}"
      EOC
    end
    new_resource.updated_by_last_action(e.updated_by_last_action?)
  end

  # --zone=... when a zone was given; otherwise firewall-cmd acts on the default zone.
  def zone
    new_resource.zone ? "--zone=#{new_resource.zone}" : ''
  end

  # Builds the rich-rule string from whichever resource attributes are set.
  def rich_rule
    cmd = "rule "
    cmd += "family='#{new_resource.family}' " if new_resource.family
    cmd += "source address='#{new_resource.source_address}' " if new_resource.source_address
    cmd += "destination address='#{new_resource.destination_address}' " if new_resource.destination_address
    cmd += "service name='#{new_resource.service_name}' " if new_resource.service_name
    cmd += "port port='#{new_resource.port_number}' protocol='#{new_resource.port_protocol}' " if new_resource.port_number
    cmd += "log " if new_resource.log_prefix || new_resource.log_level || new_resource.limit_value
    cmd += "prefix='#{new_resource.log_prefix}' " if new_resource.log_prefix
    cmd += "level='#{new_resource.log_level}' " if new_resource.log_level
    cmd += "limit value='#{new_resource.limit_value}' " if new_resource.limit_value
    cmd += new_resource.firewall_action if new_resource.firewall_action
    cmd
  end
My recipe currently looks like this
  # Each entry in the subnets array is a plain string such as "172.16.2.0/24",
  # so the zone, family and action are literals here. Indexing a String with
  # another string (firewall["public"]) returns nil when that substring is
  # absent, not the intended value.
  node['cookbook']['iptables']['subnets'].each do |subnet|
    firewalld_rich_rule subnet do
      zone 'public'
      family 'ipv4'
      source_address subnet
      firewall_action 'accept'
      action :add
    end
  end
My attributes currently look like this
  default["cookbook"]["iptables"]["subnets"] = ["172.16.2.0/24", "192.168.1.1/24", "10.10.10.0/24"]
The code currently works as expected. In other words, when I run the cookbook it populates firewalld with the subnets in the attribute array. However, when I remove one of the subnets and run the cookbook, it does not remove the excluded subnet. Is there a way to write this so that it automatically removes any rich-rule subnet that is not in the array?
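One way to get the behaviour the question asks for, as an added example that is not part of the question or of the firewalld cookbook: list the rich rules firewalld currently has, keep only the ones that look exactly like the rules the recipe creates (family + source address + accept, nothing else), and treat any of those whose subnet is no longer in the attribute array as stale. The `firewall-cmd --list-rich-rules` output below is constructed sample data standing in for the real command, and the helper names (`stale_subnets`, `removal_commands`, and so on) are this example's own; the recipe sketch in the trailing comment assumes Chef's `shell_out!` and the `firewalld_rich_rule` resource from the question.

```ruby
# Added example, not code from the question or the firewalld cookbook:
# reconcile the rich rules firewalld currently has against the desired
# subnet array, so entries dropped from the array get removed.
require 'set'

# Constructed sample of `firewall-cmd --zone=public --list-rich-rules` output
# (one rule per line); it stands in for the real command so this runs offline.
# firewalld prints element values in double quotes even when they were added
# with single quotes, which is why normalize_rule below folds quote styles.
SAMPLE_LIST_RICH_RULES = <<~OUT
  rule family="ipv4" source address="172.16.2.0/24" accept
  rule family="ipv4" source address="192.168.1.1/24" accept
  rule family="ipv4" source address="10.10.10.0/24" accept
  rule family="ipv4" source address="203.0.113.0/24" service name="ssh" accept
OUT

# The rich-rule string the question's provider builds for a subnet entry
# (family + source address + action, nothing else).
def subnet_rich_rule(subnet, family: 'ipv4', action: 'accept')
  "rule family='#{family}' source address='#{subnet}' #{action}"
end

# Pull the fields we reconcile on out of one --list-rich-rules line.
def parse_rich_rule(line)
  {
    family: line[/\bfamily=["']([^"']*)["']/, 1],
    source: line[/\bsource address=["']([^"']*)["']/, 1],
    action: line[/\b(accept|reject|drop|mark)\b/, 1],
  }
end

# Fold quoting and whitespace so a listed rule can be compared with one we built.
def normalize_rule(rule)
  rule.strip.tr('"', "'").squeeze(' ')
end

# True only if the line is exactly the kind of rule the recipe creates. Rules
# carrying extra elements (service, port, log, ...) were added by someone else
# and must not be touched by the reconciliation.
def managed_subnet_rule?(line, family: 'ipv4', action: 'accept')
  r = parse_rich_rule(line)
  return false unless r[:source] && r[:family] == family && r[:action] == action
  normalize_rule(line) == normalize_rule(subnet_rich_rule(r[:source], family: family, action: action))
end

# Subnets that firewalld has a managed rule for but that are no longer in the
# desired array, in listing order.
def stale_subnets(list_output, desired_subnets, family: 'ipv4')
  desired = Set.new(desired_subnets)
  list_output.each_line.each_with_object([]) do |line, stale|
    next unless managed_subnet_rule?(line, family: family)
    source = parse_rich_rule(line)[:source]
    stale << source unless desired.include?(source)
  end
end

# The two firewall-cmd invocations the provider's :remove action runs for each
# stale subnet (runtime, then permanent), returned as strings.
def removal_commands(stale, zone: 'public', family: 'ipv4')
  stale.flat_map do |subnet|
    rule = subnet_rich_rule(subnet, family: family)
    ["firewall-cmd --zone=#{zone} --remove-rich-rule=\"#{rule}\"",
     "firewall-cmd --permanent --zone=#{zone} --remove-rich-rule=\"#{rule}\""]
  end
end

# In a recipe the same reconciliation reads roughly like this (illustrative;
# assumes Chef's shell_out! and the firewalld_rich_rule resource from the question):
#
#   current = shell_out!('firewall-cmd --zone=public --list-rich-rules').stdout
#   stale_subnets(current, node['cookbook']['iptables']['subnets']).each do |subnet|
#     firewalld_rich_rule "remove #{subnet}" do
#       zone 'public'
#       family 'ipv4'
#       source_address subnet
#       firewall_action 'accept'
#       action :remove
#     end
#   end

if $PROGRAM_NAME == __FILE__
  desired = ['172.16.2.0/24', '10.10.10.0/24']  # 192.168.1.1/24 was dropped from the array
  stale = stale_subnets(SAMPLE_LIST_RICH_RULES, desired)
  puts "stale: #{stale.inspect}"                 # ["192.168.1.1/24"]
  puts removal_commands(stale)
end
```

Two things to keep in mind when wiring this into a recipe. First, `--list-rich-rules` without `--permanent` shows the runtime set; since the `:remove` action strips the rule from both runtime and permanent configuration that is normally enough, but if the two may have drifted, run the listing once with `--permanent` as well. Second, the exact-match test in `managed_subnet_rule?` is deliberate: it means the cookbook only ever removes rules that it could itself have created, so a rule someone added by hand for a service or port in the same zone survives a converge.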