Baby Tennis’ Room
Nov1
Baby Tennis’ Room has been almost done for a while. I finally got around to framing and hanging the last of the pictures over the weekend.
10 Days
Aug0
Brew at the Zoo is in 10 days! Tickets are still available.
In other news, we’ve been working on some home improvements; fixing up Baby Tennis’ room and new living room furniture. Pictures forthcoming.
Better iptables handling with chef
Jul2
I don’t care for the iptables handling provided in the opscode cookbook, so I rolled my own:
define :iptables_rule, :action => :create, :table => nil, :chain => nil, :extra => nil,
       :target => "ACCEPT", :source => nil, :dest => nil, :proto => nil,
       :if_in => nil, :if_out => nil do
  include_recipe "iptables"
  if(params[:action] == :create)
    table  = params[:table]  ? "-t #{params[:table]}"  : ""
    target = "-j " + params[:target]
    source = params[:source] ? "-s #{params[:source]}" : ""
    dest   = params[:dest]   ? "-d #{params[:dest]}"   : ""
    proto  = params[:proto]  ? "-p #{params[:proto]}"  : ""
    if_in  = params[:if_in]  ? "-i #{params[:if_in]}"  : ""
    if_out = params[:if_out] ? "-o #{params[:if_out]}" : ""
    cmd = "/sbin/iptables -A #{params[:chain]} #{table} #{if_in} #{if_out} #{source} #{dest} #{proto} #{target} #{params[:extra]}"
    # Tag the rule with its name so the next run can tell it is already there
    cmd << " -m comment --comment \"Chef Rule: #{params[:name]}\""
    execute "create-iptables-rule-#{params[:name]}" do
      command cmd
      # Skip the command when a rule carrying this tag is already in the chain
      not_if "/sbin/iptables -S #{params[:chain]} #{table} | /bin/grep \"Chef Rule: #{params[:name]}\""
      notifies :save, resources("service[iptables]")
    end
  end
end
You want to create an iptables port forwarding rule on the fly? No problem, do this in one of your recipes:
iptables_rule "my-rule" do
  table "nat"
  chain "PREROUTING"
  dest "10.0.0.1"
  proto "tcp"
  if_in "eth0"
  target "DNAT"
  extra "--dport 80 --to 10.0.0.2:80"
end
This handles the magic sauce for you. The trick is that it uses the iptables comment match to tag each rule with the name of the definition. On the next run, it sees that a rule with that comment is already present, and as such it won't re-run the definition.
In addition, I also notify the "iptables" service to "save". This is Gentoo specific (I don't think it works on other platforms?). Since "save" isn't a standard action, you need to make sure your service supports it:
service "iptables" do
  supports :save => true, :reload => true
  action [ :enable, :start ]
end
And as well, somewhere in a library in your cookbook:
class Chef
  class Provider
    class Service
      class Gentoo
        # Adds a :save action to the Gentoo service provider by running
        # the service's init script with the "save" argument
        def action_save
          run_command(:command => "#{@init_command} save")
        end
      end
    end
  end
end
This definition could use some work: it very well could be turned into a proper resource/provider pair and made into a first-class chef built-in. In addition, it needs :modify and :delete actions; those are exercises left to the reader.
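To make the comment-tag trick and the missing :delete action concrete, here is an added example (my code, not the post's definition or the opscode cookbook) that pulls the command building and the presence check out into plain Ruby and runs them against a constructed iptables -S listing. It assumes the option order of the definition above, that a rule can be deleted with -D and the same spec it was added with, and the constructed names IPTABLES, WEB_RULE and SAMPLE_LISTING.

```ruby
# Added example, not from the post: the definition's command building and
# "Chef Rule:" comment check as plain Ruby, runnable against a constructed
# `iptables -S` listing. Option order and the :delete handling are assumptions.
IPTABLES = "/sbin/iptables".freeze
# Same option order as the definition; op is "-A" (create) or "-D" (delete).
def build_iptables_cmd(name, opts, op: "-A")
  parts = [IPTABLES, op, opts.fetch(:chain)]
  parts << "-t #{opts[:table]}"  if opts[:table]
  parts << "-i #{opts[:if_in]}"  if opts[:if_in]
  parts << "-o #{opts[:if_out]}" if opts[:if_out]
  parts << "-s #{opts[:source]}" if opts[:source]
  parts << "-d #{opts[:dest]}"   if opts[:dest]
  parts << "-p #{opts[:proto]}"  if opts[:proto]
  parts << "-j #{opts.fetch(:target, 'ACCEPT')}"
  parts << opts[:extra]          if opts[:extra]
  parts << %(-m comment --comment "Chef Rule: #{name}") # tag later runs look for
  parts.join(" ")
end

# What `grep "Chef Rule: name"` does: a substring match, so "Chef Rule: web"
# also matches a rule tagged "Chef Rule: web-tls".
def rule_present_grep?(name, listing)
  listing.include?("Chef Rule: #{name}")
end

# Stricter check: match the whole quoted comment so shared prefixes do not collide.
def rule_present?(name, listing)
  tag = %(--comment "Chef Rule: #{name}")
  listing.each_line.any? { |line| line.include?(tag) }
end

# Commands a run must execute for one rule: :create adds only if the tag is
# absent, :delete removes only if it is present (deleting by the same spec).
def iptables_rule_actions(name, opts, listing, action: :create)
  present = rule_present?(name, listing)
  case action
  when :create then present ? [] : [build_iptables_cmd(name, opts, op: "-A")]
  when :delete then present ? [build_iptables_cmd(name, opts, op: "-D")] : []
  else raise ArgumentError, "unsupported action #{action.inspect}"
  end
end

# Constructed sample of `iptables -S PREROUTING -t nat` with one tagged rule
# already present (iptables prints rules in its own normalized form).
SAMPLE_LISTING = <<~OUT
  -P PREROUTING ACCEPT
  -A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 443 -m comment --comment "Chef Rule: web-tls" -j DNAT --to-destination 10.0.0.2:443
OUT
WEB_RULE = { table: "nat", chain: "PREROUTING", dest: "10.0.0.1", proto: "tcp", if_in: "eth0", target: "DNAT", extra: "--dport 80 --to 10.0.0.2:80" }.freeze
```

Note that rule_present_grep?("web", SAMPLE_LISTING) is true even though only "web-tls" exists, which is why the stricter check matches the closing quote of the comment.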
Brew at the Zoo
Jul3
Tickets for the 6th Annual Brew at the Zoo went on sale this morning! I got mine this morning. Bought tickets for my parents, too.
Stoked!
Checking in on your chef nodes
May2
If you are running a chef server with multiple client nodes, you probably have these nodes checking in periodically via chef-client – either in daemon mode or via a cron job.
If you’re like me, from time to time you may turn off chef-client on a node while you’re testing something out. Or maybe you are using EC2 and you have to spin nodes down and up periodically. Either way, it would be nice to have a place you can go and take a quick look at when your nodes last checked in to the chef server, so you can get an idea if something has gone wrong with one of them.
The beauty of this is that it’s incredibly easy. All of the info you need is stored right in the couchdb backend. Let me show you how I did it.