Puppet Tips&Tricks: testing your regsubst replacements
This is part of an ongoing series. Check this for the complete series!
Regular expressions are important to us: we use them a lot because they are such a powerful tool, so our Puppet recipes contain several regsubst calls as well. The usual problem is that a regex can get fairly complex and you want a convenient way to check it. After some talk on IRC (#puppet on freenode), monarchus gave me a tip for this: simply use the interactive Ruby shell, irb.
Now, I wanted to check whether a certain string ended in “:ssl” or not. I tested my regex replacement as follows:
$ irb
>> s1="www.kumina.nl:ssl"
=> "www.kumina.nl:ssl"
>> s2="www.kumina.nl"
=> "www.kumina.nl"
>> s1.sub(/.*:(ssl)$/, "\\1")
=> "ssl"
>> s2.sub(/.*:(ssl)$/, "\\1")
=> "www.kumina.nl"
>>
From this I gathered that the resulting regsubst call would be something like this:
if regsubst($name, '.*:(ssl)$', '\1') == "ssl" { ... do stuff ... }
Awesome! If you want to try out a global replace, use gsub instead of sub.
If you want to use a regex in your selector, you can simply use egrep on the command line, like so:
echo "foo" | egrep "foo|bar"
You can also try it in irb, with the following:
>> a = "foo"
=> "foo"
>> a.match("foo|bar")
=> #
>> b = "beastieboys"
=> "beastieboys"
>> b.match("foo|bar")
=> nil
>>
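To take the irb checks a step further, here is an added example (not code from the original post): a small Ruby stand-in for Puppet's regsubst() that runs the ':ssl' pattern from above and the selector-style match over a few constructed inputs. Its flag handling (G for global, I/M/E as Regexp options) and array support are assumed to mirror Puppet's behaviour; it is not Puppet's own implementation.

```ruby
# Added example, not from the original post: a minimal stand-in for Puppet's
# regsubst() so a pattern can be exercised in plain Ruby before it goes into a
# manifest. Flag handling is an assumption about Puppet's behaviour:
#   G = global (gsub), I = ignore case, M = multiline, E = extended.
def regsubst(target, pattern, replacement, flags = '')
  # Puppet applies the substitution to every element when given an array.
  return target.map { |t| regsubst(t, pattern, replacement, flags) } if target.is_a?(Array)
  opts = 0
  opts |= Regexp::IGNORECASE if flags.include?('I')
  opts |= Regexp::MULTILINE  if flags.include?('M')
  opts |= Regexp::EXTENDED   if flags.include?('E')
  re = Regexp.new(pattern, opts)
  flags.include?('G') ? target.gsub(re, replacement) : target.sub(re, replacement)
end

# The check from the post: does $name end in ":ssl"?
def ends_in_ssl_via_regsubst?(name)
  regsubst(name, '.*:(ssl)$', '\1') == 'ssl'
end

# Safer variant: ask whether the pattern matched at all, instead of comparing
# the substituted string with the capture. sub() returns the input unchanged
# when nothing matches, so a name that is literally "ssl" fools the first check.
def ends_in_ssl_via_match?(name)
  !!(name =~ /.*:ssl$/)
end

# Constructed sample inputs, including the "ssl" edge case and a case variant.
SAMPLES = ['www.kumina.nl:ssl', 'www.kumina.nl', 'ssl', 'www.kumina.nl:SSL']

# Returns [input, result of the regsubst-comparison check, result of the match check]
def check_all
  SAMPLES.map { |s| [s, ends_in_ssl_via_regsubst?(s), ends_in_ssl_via_match?(s)] }
end

if __FILE__ == $PROGRAM_NAME
  check_all.each { |s, a, b| puts "#{s.ljust(20)} regsubst==ssl: #{a}  match: #{b}" }
end
```

Running it shows the two checks disagree on the bare "ssl" input, which is why a match test is the more robust way to express "ends in :ssl" in a selector.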
Hope this helps someone!
DHCP server in Parallels host-only network
While trying to create a Debian preseeding environment in Parallels, I came across the fact that when you enable Mac OS X connection sharing, it starts its own DHCP (or rather, BOOTP) service. If that service recognises another DHCP/BOOTP server on the network, it bails out and deactivates connection sharing. That last part is terribly annoying, since I want to run my own DHCP server from the preseed provisioning server.
The solution is to run the following script, which makes sure forwarding is enabled in the kernel and NAT is set up in ipfw (the Mac OS X firewall). I found a good solution in an older article on a blog called collectivity. The script is this (the host-only network is 10.37.129.0/24, with .1 being my Mac OS X host machine):
#!/bin/sh
DEFROUTE_IF=`/usr/sbin/netstat -rn | /usr/bin/awk '/^default/ {print $6;}'`
NATD=/usr/sbin/natd
NATD_OPTIONS="-log -log_denied -use_sockets -same_ports -interface $DEFROUTE_IF"
IPFW=/sbin/ipfw
LOOPBACK="lo*"
PUBLIC_IF="$DEFROUTE_IF"
PARALLELS_IF=en2
PARALLELS_NET="10.37.129.0/24"
# start natd
$NATD $NATD_OPTIONS
# divert traffic before anything else
$IPFW add 01000 divert natd all from $PARALLELS_NET to any out via $PUBLIC_IF
$IPFW add 01010 divert natd all from any to any in via $PUBLIC_IF
# standard mac os x firewall stuff
$IPFW add 02000 allow ip from any to any via $LOOPBACK
$IPFW add 02010 deny ip from 127.0.0.0/8 to any in
$IPFW add 02020 deny ip from any to 127.0.0.0/8 in
$IPFW add 02030 deny ip from 224.0.0.0/3 to any in
$IPFW add 02040 deny tcp from any to 224.0.0.0/3 in
$IPFW add 02050 allow tcp from any to any out
$IPFW add 02060 allow tcp from any to any established
$IPFW add 02070 allow tcp from any to any dst-port 22 in
$IPFW add 02070 allow ip from any to any dst-port 53 in
$IPFW add 02080 allow tcp from any to any dst-port 80 in
$IPFW add 02090 allow tcp from any to any dst-port 427 in
$IPFW add 02100 allow tcp from any to any dst-port 443 in
$IPFW add 02110 allow tcp from any to any dst-port 5297 in
$IPFW add 02120 allow tcp from any to any dst-port 5298 in
#$IPFW add 03000 allow all from $PARALLELS_NET to any via $PARALLELS_IF in
#$IPFW add 03010 allow all from any to $PARALLELS_NET via $PARALLELS_IF out
$IPFW add 12190 deny tcp from any to any
$IPFW add 65535 allow all from any to any
sysctl -w net.inet.ip.forwarding=1
I run it manually when needed.