[WIP] Fix outdated systemd config parameter #91
Conversation
|
Thanks for picking this up. Looking at the systemd changelog this rename occurred on release 229. However we can't just blindly update the option name since some users may not be on a recent enough version of systemd! As for testing, it will require actual puppet-rspec tests rather than a "works on my machine" kind of thing. systemd 229
systemd 230
|
I agree. I will see if I can write a something to mitigate this.
This we will need then definitely! |
| context 'includes systemd init script' do | ||
| context 'includes systemd init script with systemd_version < 229' do | ||
| let(:facts) {{ | ||
| :systemd_version => 228 |
There was a problem hiding this comment.
Some funky indentation in all the :facts blocks you've added, can you de-dent to match.
templates/vault.systemd.erb
Outdated
| @@ -23,7 +23,11 @@ CapabilityBoundingSet=CAP_SYSLOG | |||
| NoNewPrivileges=yes | |||
| <% else -%> | |||
| SecureBits=keep-caps | |||
| <% if scope['::systemd_version'] > 229 -%> | |||
There was a problem hiding this comment.
There's something up here looking at the test failures on Travis.
I'm not sure if the confine is working as expected.
error during compilation: Evaluation Error: Error while evaluating a Function Call, Failed to parse template vault/vault.systemd.erb:
Filepath: /home/travis/build/jsok/puppet-vault/spec/fixtures/modules/vault/templates/vault.systemd.erb
Line: 26
Detail: undefined method `>' for nil:NilClass
There was a problem hiding this comment.
Yeah I am still on it. Just using Travis to test it.
zados
changed the title
|
I think the integration test is broken, as it only does apply on a single manifest. Therefore the fact systemd_version is never imported. I tried it on my live system and it worked. As I have literally no experience with Travis and rspec. Is there a way to include the fact? |
|
Any idea if this will be merged? |
|
@maartenschalekamp you're welcome to branch off it and make the necessary fixes. |
SUMMARY
Capabilities is succeeded by AmbientCapabilities in Systemd. Debian 9 on 4.9.0-4-amd64 running systemd 232-25+deb9u1 displays:
[/etc/systemd/system/vault.service:21] Support for option Capabilities= has been removed and it is ignoredTherefore it is not possible to start the Systemd service with mlock support enabled:
systemd[4092]: vault.service: Failed at step SECUREBITS spawning /usr/local/bin/vault: Operation not permitted vault.service: Main process exited, code=exited, status=213/SECUREBITSTESTS/SPECS
This has change been tested on my local vault server. The service starts and Vault is confirming that mlock.
vault[18669]: Mlock: supported: true, enabled: true