From 660b86328f695d2024a76d3c617651eed955c7b6 Mon Sep 17 00:00:00 2001
From: Kevin Heseler
Date: Wed, 18 Oct 2017 16:49:56 +0200
Subject: [PATCH 1/2] Add fact for systemd version and fact to check systemd version

---
 lib/facter/systemd.rb | 13 ++++
 manifests/config.pp | 1 +
 spec/classes/vault_spec.rb | 128 +++++++++++++++++++++++++++++++-----
 templates/vault.systemd.erb | 8 +++
 4 files changed, 134 insertions(+), 16 deletions(-)
 create mode 100644 lib/facter/systemd.rb

diff --git a/lib/facter/systemd.rb b/lib/facter/systemd.rb
new file mode 100644
index 00000000..a1e3ba01
--- /dev/null
+++ b/lib/facter/systemd.rb
@@ -0,0 +1,13 @@
+# Fact: systemd_version
+#
+# Purpose:
+# Determine the version of systemd installed
+#
+# Resolution:
+# Check the output of systemctl --version
+
+Facter.add(:systemd_version) do
+ setcode do
+ Facter::Util::Resolution.exec("systemctl --version")[/[0-9]+(\.[0-9]+)*/].to_i
+ end
+end
diff --git a/manifests/config.pp b/manifests/config.pp
index 593173dd..9db454b2 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -80,6 +80,7 @@
 }
 }
 'systemd': {
+ $systemd_version = $::systemd_version
 file { '/etc/systemd/system/vault.service':
 ensure => file,
 owner => 'root',
diff --git a/spec/classes/vault_spec.rb b/spec/classes/vault_spec.rb
index c797b3a6..14d2f6b0 100644
--- a/spec/classes/vault_spec.rb
+++ b/spec/classes/vault_spec.rb
@@ -390,7 +390,10 @@
 :architecture => 'x86_64',
 :kernel => 'Linux',
 }}
- context 'includes systemd init script' do
+ context 'includes systemd init script with systemd_version < 229' do
+ let(:facts) {{
+ :systemd_version => 228
+ }}
 it {
 is_expected.to contain_file('/etc/systemd/system/vault.service')
 .with_mode('0644')
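Review bot: `Facter::Util::Resolution.exec("systemctl --version")` returns nil when the binary is missing or exits non-zero, so the `[/…/]` index on the same line raises NoMethodError and the fact resolution fails noisily instead of returning nil. Split the call and guard it: `output = Facter::Util::Resolution.exec("systemctl --version")` followed by `output[/[0-9]+/].to_i if output`; the `(\.[0-9]+)*` group in the current regex is dead weight because `to_i` stops at the first non-digit anyway. The `confine :systemd => true` added to this block in PATCH 2/2 narrows where the fact runs but does not remove this nil path, so the guard is still needed there.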
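Review bot: The nested `let(:facts) {{ :systemd_version => 228 }}` replaces the outer `let(:facts)` (the `:architecture`/`:kernel` hash that closes just above it) rather than merging into it, so these examples compile the catalog with only `systemd_version` set and none of the OS facts the enclosing context provides; whether that still reaches the systemd branch of params.pp depends on code outside the hunk, but the intent is clearly to add one fact, not drop the rest. Use `let(:facts) { super().merge(:systemd_version => 228) }` so the override extends the parent's facts. The same pattern is repeated in the `@@ -409` and `@@ -651` hunks of this file with values 229 and 230.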
@@ -409,6 +412,50 @@
 .with_content(/NoNewPrivileges=yes/)
 }
 end
+ context 'includes systemd init script with systemd_version = 229' do
+ let(:facts) {{
+ :systemd_version => 229
+ }}
+ it {
+ is_expected.to contain_file('/etc/systemd/system/vault.service')
+ .with_mode('0644')
+ .with_ensure('file')
+ .with_owner('root')
+ .with_group('root')
+ .with_notify('Exec[systemd-reload]')
+ .with_content(/^# vault systemd unit file/)
+ .with_content(/^User=vault$/)
+ .with_content(/^Group=vault$/)
+ .with_content(/Environment=GOMAXPROCS=3/)
+ .with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $})
+ .with_content(/SecureBits=keep-caps/)
+ .with_content(/AmbientCapabilities=CAP_IPC_LOCK/)
+ .with_content(/CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK/)
+ .with_content(/NoNewPrivileges=yes/)
+ }
+ end
+ context 'includes systemd init script with systemd_version > 229' do
+ let(:facts) {{
+ :systemd_version => 230
+ }}
+ it {
+ is_expected.to contain_file('/etc/systemd/system/vault.service')
+ .with_mode('0644')
+ .with_ensure('file')
+ .with_owner('root')
+ .with_group('root')
+ .with_notify('Exec[systemd-reload]')
+ .with_content(/^# vault systemd unit file/)
+ .with_content(/^User=vault$/)
+ .with_content(/^Group=vault$/)
+ .with_content(/Environment=GOMAXPROCS=3/)
+ .with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $})
+ .with_content(/SecureBits=keep-caps/)
+ .with_content(/AmbientCapabilities=CAP_IPC_LOCK/)
+ .with_content(/CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK/)
+ .with_content(/NoNewPrivileges=yes/)
+ }
+ end
 context 'service with non-default options' do
 let(:params) {{
 :bin_dir => '/opt/bin',
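Review bot: The `systemd_version = 229` context expects `.with_content(/AmbientCapabilities=CAP_IPC_LOCK/)`, but the template hunk in this same patch only emits that line when `systemd_version > 229`, so at exactly 229 the unit still renders `Capabilities=CAP_IPC_LOCK+ep` and this example fails. systemd introduced `AmbientCapabilities=` in release 229, so the boundary belongs in the template, not the test: change the ERB condition to `>= 229` (the `scope['vault::systemd_version'] > 229` line in PATCH 2/2 as well). The `= 229` context duplicated in the `@@ -651` hunk has the same mismatch.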
@@ -459,6 +506,7 @@
 .with_content(/^Group=vault$/)
 .with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $})
 .without_content(/SecureBits=keep-caps/)
+ .without_content(/AmbientCapabilities=CAP_IPC_LOCK/)
 .without_content(/Capabilities=CAP_IPC_LOCK\+ep/)
 .with_content(/CapabilityBoundingSet=CAP_SYSLOG/)
 .with_content(/NoNewPrivileges=yes/)
@@ -651,23 +699,70 @@
 :architecture => 'x86_64',
 :kernel => 'Linux',
 }}
- context 'includes systemd init script' do
+ context 'includes systemd init script with systemd_version < 229' do
+ let(:facts) {{
+ :systemd_version => 228
+ }}
 it {
 is_expected.to contain_file('/etc/systemd/system/vault.service')
- .with_mode('0644')
- .with_ensure('file')
- .with_owner('root')
- .with_group('root')
- .with_notify('Exec[systemd-reload]')
- .with_content(/^# vault systemd unit file/)
- .with_content(/^User=vault$/)
- .with_content(/^Group=vault$/)
- .with_content(/Environment=GOMAXPROCS=3/)
- .with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $})
- .with_content(/SecureBits=keep-caps/)
- .with_content(/Capabilities=CAP_IPC_LOCK\+ep/)
- .with_content(/CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK/)
- .with_content(/NoNewPrivileges=yes/)
+ .with_mode('0644')
+ .with_ensure('file')
+ .with_owner('root')
+ .with_group('root')
+ .with_notify('Exec[systemd-reload]')
+ .with_content(/^# vault systemd unit file/)
+ .with_content(/^User=vault$/)
+ .with_content(/^Group=vault$/)
+ .with_content(/Environment=GOMAXPROCS=3/)
+ .with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $})
+ .with_content(/SecureBits=keep-caps/)
+ .with_content(/Capabilities=CAP_IPC_LOCK\+ep/)
+ .with_content(/CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK/)
+ .with_content(/NoNewPrivileges=yes/)
+ }
+ end
+ context 'includes systemd init script with systemd_version = 229' do
+ let(:facts) {{
+ :systemd_version => 229
+ }}
+ it {
+ is_expected.to contain_file('/etc/systemd/system/vault.service')
+ .with_mode('0644')
+ .with_ensure('file')
+ .with_owner('root')
+ .with_group('root')
+ .with_notify('Exec[systemd-reload]')
+ .with_content(/^# vault systemd unit file/)
+ .with_content(/^User=vault$/)
+ .with_content(/^Group=vault$/)
+ .with_content(/Environment=GOMAXPROCS=3/)
+ .with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $})
+ .with_content(/SecureBits=keep-caps/)
+ .with_content(/AmbientCapabilities=CAP_IPC_LOCK/)
+ .with_content(/CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK/)
+ .with_content(/NoNewPrivileges=yes/)
+ }
+ end
+ context 'includes systemd init script with systemd_version > 229' do
+ let(:facts) {{
+ :systemd_version => 230
+ }}
+ it {
+ is_expected.to contain_file('/etc/systemd/system/vault.service')
+ .with_mode('0644')
+ .with_ensure('file')
+ .with_owner('root')
+ .with_group('root')
+ .with_notify('Exec[systemd-reload]')
+ .with_content(/^# vault systemd unit file/)
+ .with_content(/^User=vault$/)
+ .with_content(/^Group=vault$/)
+ .with_content(/Environment=GOMAXPROCS=3/)
+ .with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $})
+ .with_content(/SecureBits=keep-caps/)
+ .with_content(/AmbientCapabilities=CAP_IPC_LOCK/)
+ .with_content(/CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK/)
+ .with_content(/NoNewPrivileges=yes/)
 }
 end
 context 'service with non-default options' do
@@ -721,6 +816,7 @@
 .with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $})
 .without_content(/SecureBits=keep-caps/)
 .without_content(/Capabilities=CAP_IPC_LOCK\+ep/)
+ .without_content(/AmbientCapabilities=CAP_IPC_LOCK/)
 .with_content(/CapabilityBoundingSet=CAP_SYSLOG/)
 .with_content(/NoNewPrivileges=yes/)
 }
diff --git a/templates/vault.systemd.erb b/templates/vault.systemd.erb
index 883cf9f6..484b52c6 100644
--- a/templates/vault.systemd.erb
+++ b/templates/vault.systemd.erb
@@ -23,7 +23,15 @@ CapabilityBoundingSet=CAP_SYSLOG
 NoNewPrivileges=yes
 <% else -%>
 SecureBits=keep-caps
+<<<<<<< HEAD
+<% if @facts['systemd_version'] > 229 -%>
+=======
+<% if scope['::systemd_version'] > 229 -%>
+>>>>>>> ca14090... fixup
+AmbientCapabilities=CAP_IPC_LOCK
+<% else -%>
 Capabilities=CAP_IPC_LOCK+ep
+<% end -%>
 CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
 NoNewPrivileges=yes
 <% end -%>
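Review bot: The template hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> ca14090... fixup`) together with two `<% if … -%>` openers for a single added `<% end -%>`, so at this commit the ERB does not parse and every catalog that reaches the systemd branch fails to compile; even if it parsed, the markers would land in the unit file that PID 1 reads. PATCH 2/2 removes the markers, but the series as ordered leaves a commit that cannot be built or bisected through; squash that resolution into this one so the template is valid at every step. The enclosing `<% if … %>`/`<% else -%>` block that starts above `CapabilityBoundingSet=CAP_SYSLOG` is outside the hunk.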
From 807f297593bada74c4bc82609c901a1b28493606 Mon Sep 17 00:00:00 2001
From: Kevin Heseler
Date: Fri, 20 Oct 2017 09:51:09 +0200
Subject: [PATCH 2/2] Add check if systemd is used on system

---
 lib/facter/systemd.rb | 1 +
 manifests/config.pp | 2 +-
 manifests/init.pp | 1 +
 manifests/params.pp | 3 +++
 templates/vault.systemd.erb | 6 +-----
 5 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/lib/facter/systemd.rb b/lib/facter/systemd.rb
index a1e3ba01..275360ee 100644
--- a/lib/facter/systemd.rb
+++ b/lib/facter/systemd.rb
@@ -7,6 +7,7 @@
 # Check the output of systemctl --version
 
 Facter.add(:systemd_version) do
+ confine :systemd => true
 setcode do
 Facter::Util::Resolution.exec("systemctl --version")[/[0-9]+(\.[0-9]+)*/].to_i
 end
diff --git a/manifests/config.pp b/manifests/config.pp
index 9db454b2..898e28fc 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -80,7 +80,7 @@
 }
 }
 'systemd': {
- $systemd_version = $::systemd_version
+ $systemd_version = $::vault::params::systemd_version
 file { '/etc/systemd/system/vault.service':
 ensure => file,
 owner => 'root',
diff --git a/manifests/init.pp b/manifests/init.pp
index 626eb12e..d90c7fb9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -96,6 +96,7 @@
 $version = $::vault::params::version,
 $os = $::vault::params::os,
 $arch = $::vault::params::arch,
+ $systemd_version = $::vault::params::systemd_version,
 $extra_config = {},
 ) inherits ::vault::params {
 
diff --git a/manifests/params.pp b/manifests/params.pp
index b7f1e6e3..2db9d588 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -53,12 +53,14 @@
 case $::lsbdistcodename {
 /(jessie|stretch|sid|xenial|yakketi|zesty)/: {
 $service_provider = 'systemd'
+ $systemd_version = $facts['systemd_version']
 }
 /(trusty|vivid)/: {
 $service_provider = 'upstart'
 }
 default: {
 $service_provider = 'systemd'
+ $systemd_version = $facts['systemd_version']
 warning("Module ${module_name} is not supported on '${::lsbdistcodename}'")
 }
 }
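Review bot: `confine :systemd => true` makes this fact depend on a separate fact named `systemd` that nothing in this series defines, so on a node without some other module supplying it the fact silently never resolves and every `$facts['systemd_version']` lookup downstream is undef. If an external module is expected to provide it, that dependency needs to be declared in metadata.json and the README; otherwise confine on what the resolution actually needs, e.g. `confine { Facter::Core::Execution.which('systemctl') }`. Either way, document the precondition in the header comment above (`# Confined to hosts where systemd is detected; returns nil elsewhere`).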
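Review bot: `$systemd_version = $::vault::params::systemd_version` reads the params default directly and so bypasses the `vault::systemd_version` class parameter that init.pp introduces in this same patch; a user who sets `systemd_version` on `class { 'vault': … }` would be ignored here. Read the class parameter instead, `$systemd_version = $::vault::systemd_version`. As far as the visible hunks show, nothing reads this local anyway — the template resolves `scope['vault::systemd_version']` itself — so if the rest of `vault::config` (outside the hunk) does not use it, dropping the line is the cleaner fix.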
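Review bot: `$systemd_version` is only assigned in the branches that choose `$service_provider = 'systemd'`, so on the upstart and redhat paths (and whatever the outer `default:` case does, which is outside this hunk) `$::vault::params::systemd_version`, now referenced as a default in init.pp, is an unassigned variable — undef with a warning today, and a compile error with `strict_variables = true`. Assign it once after the `case`, e.g. `$systemd_version = $service_provider ? { 'systemd' => $facts['systemd_version'], default => undef }`, which also replaces the three duplicated assignments here and in the `@@ -68` hunk. A short comment such as `# Only meaningful when the systemd provider is selected; undef otherwise` would make the contract explicit for init.pp.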
@@ -68,6 +70,7 @@
 $service_provider = 'redhat'
 } else {
 $service_provider = 'systemd'
+ $systemd_version = $facts['systemd_version']
 }
 }
 default: {
diff --git a/templates/vault.systemd.erb b/templates/vault.systemd.erb
index 484b52c6..8e29f13d 100644
--- a/templates/vault.systemd.erb
+++ b/templates/vault.systemd.erb
@@ -23,11 +23,7 @@ CapabilityBoundingSet=CAP_SYSLOG
 NoNewPrivileges=yes
 <% else -%>
 SecureBits=keep-caps
-<<<<<<< HEAD
-<% if @facts['systemd_version'] > 229 -%>
-=======
-<% if scope['::systemd_version'] > 229 -%>
->>>>>>> ca14090... fixup
+<% if scope['vault::systemd_version'] > 229 -%>
 AmbientCapabilities=CAP_IPC_LOCK
 <% else -%>
 Capabilities=CAP_IPC_LOCK+ep
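Review bot: `scope['vault::systemd_version'] > 229` has no guard for the value being absent: when the fact did not resolve (the new `systemd` confine failing, or a params.pp branch that never sets it) the lookup yields nil and `nil > 229` raises NoMethodError inside template evaluation, failing the whole catalog, and with stringified facts a `String > Integer` comparison raises ArgumentError. Coerce and default on the one line, `<% if (scope['vault::systemd_version'] || 0).to_i > 229 -%>`, so a missing value falls back to the legacy `Capabilities=` directive instead of aborting the run. Note the surrounding `<% if … %>`/`<% end -%>` structure of this branch starts above `CapabilityBoundingSet=CAP_SYSLOG`, outside the hunk.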