将 duritong/puppet-shorewall 与 Puppet 和 Hiera 一起使用无法按预期工作

Using duritong/puppet-shorewall with Puppet and Hiera does not work as expected

我正在尝试将此模块与 puppet 一起使用:https://github.com/duritong/puppet-shorewall

按照示例,我使规则生效

node xy {
    class{'config::site_shorewall':
      startup => "0"  # create shorewall ruleset but don't startup
  }
    shorewall::rule {
        'incoming-ssh': source => 'all', destination => '$FW',  action  => 'SSH(ACCEPT)', order => 200;
        'incoming-puppetmaster': source => 'all', destination => '$FW',  action  => 'Puppetmaster(ACCEPT)', order => 300;
        'incoming-imap': source => 'all', destination => '$FW',  action  => 'IMAP(ACCEPT)', order => 300;
        'incoming-smtp': source => 'all', destination => '$FW',  action  => 'SMTP(ACCEPT)', order => 300;
    }
}

现在我想把它打包到 hiera 中。通过一些研究,我在这里找到了如何将不同变量转换为 hiera 哈希的解释:http://puppetlunch.com/puppet/hiera.html

现在,当原始示例转换为 hiera 时,如果我没有记错的话,它应该是这样的(hiera 中只有 2 个示例):

---                                                                                                                    
classes:
  - shorewall

shorewall::rule:
    incoming-ssh:
        source:   'all'
        destination: '$FW'
        action:   'SSH(ACCEPT)'
        order:    '200'
    incoming-puppetmaster:
        source:     'all'
        destination:    '$FW'
        action:     'Puppetmaster(ACCEPT)'
        order:      200

配置文件中除了页眉和页脚外没有数据可能是什么问题?

猫/etc/shorewall/puppet/rules

#
# Shorewall version 3.4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# See http://shorewall.net/Documentation.htm#Rules for additional information.
#
#############################################################################################################
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

在 Hiera 中为资源建模只是完成了一半。您必须指示 Puppet 将此数据转换回实际资源。

$data = hiera('shorewall::rule', {})
create_resources('shorewall::rule', $data)

关键是 create_resources function.

您不应使用 shorewall::rule 作为您的 Hiera 密钥的名称,这会产生误导。使用与实际语法不相似的名称,例如

shorewall_rules:
    incoming-ssh:
       ...

并且在清单中

$data = hiera('shorewall_rules', {})