Add the management of limits.conf file. (#44)

Author: bschonec

README.md

@@ -4,7 +4,7 @@ Manage user and group limits via Puppet
 
 This module manages the limits of the PAM module pam_limits.
 
-It creates files in `/etc/security/limits.d` and does not manage the file `/etc/security/limits.conf`
+It creates files in `/etc/security/limits.d` and optionally manages the file `/etc/security/limits.conf`
 
 ## How to use
 
@@ -23,7 +23,12 @@ It creates files in `/etc/security/limits.d` and does not manage the file `/etc/
 
 * `purge_limits_d_dir` (Boolean, default: true) Whether or not to purge the limits.d directory
 * `manage_limits_d_dir` (Boolean, default: true) Whether or not to manage the limits.d directory
+* `manage_limits_file` (Boolean, default: false) Whether or not to manage the /etc/security/limits.conf file.
+* `limits_file` (String, default: /etc/security/limits.conf) The name of the limits file to be managed.
 * `limits_dir`: (String) The location of the limits.d directory
+* `limits_file_owner`: (String, default: root) The owner of the ${limits_file} file.
+* `limits_file_group`: (String, default: root) The group of the ${limits_file} file.
+* `limits_file_mode`: (String, defaul: '0644') The file mode of the ${limits_file} file.
 * `entries`: (Hash) A hash of limits entries, keys should be the name and the value as a hash made up of;
   * `ensure`: (String, default present) Values can be absent or present
   * `user`: (String) The user that the limit applies to

data/Debian.yaml

@@ -0,0 +1,3 @@
+---
+
+limits::limits_template: 'limits.conf.ubuntu'

data/RedHat/9.yaml

@@ -0,0 +1,3 @@
+---
+
+limits::limits_template: 'limits.conf.rhel9'

data/common.yaml

@@ -7,3 +7,14 @@ limits::entries: {}
 limits::limits_dir: /etc/security/limits.d
 limits::manage_limits_d_dir: true
 limits::purge_limits_d_dir: true
+
+limits::limits_file: /etc/security/limits.conf
+limits::manage_limits_file: false
+limits::limits_file_owner: 'root'
+limits::limits_file_group: 'root'
+limits::limits_file_mode: '0644'
+
+# We'll use a generic limits.conf template file (which came from RHEL7)
+# until a specific tempalte for each OS and/or major OS version
+# is supplied.
+limits::limits_template: 'generic'

hiera.yaml

@@ -4,5 +4,18 @@ defaults:
   datadir: data
   data_hash: yaml_data
 hierarchy:
+
+  - name: "osfamily/major release"
+    paths:
+        # Used to distinguish between Debian and Ubuntu
+      - "os/%{facts.os.name}/%{facts.os.release.major}.yaml"
+      - "os/%{facts.os.family}/%{facts.os.release.major}.yaml"
+
+  - name: "osfamily"
+    paths:
+      - "os/%{facts.os.name}.yaml"
+      - "os/%{facts.os.family}.yaml"
+
   - name: "common"
     path: "common.yaml"
+

manifests/init.pp

@@ -1,10 +1,34 @@
 # == Class: limits
+# @summary Manage user and group limits via Puppet
+#
+# This module manages the limits of the PAM module pam_limits.
+#
+# @example
+#   include limits
+#
+# @param limits_file_owner
+# The owner of the limits.conf file.
+#
+# @param limits_file_group
+# The group of the limits.conf file.
+#
+# @param limits_file_mode
+# The mode of the limits.conf file.
+#
+# @param limits_template
+# The name of the template to use for ${limits_file
 #
 class limits (
   Hash    $entries,
   String  $limits_dir,
   Boolean $manage_limits_d_dir,
   Boolean $purge_limits_d_dir,
+  String  $limits_file                = $limits::limits_file,
+  Boolean $manage_limits_file         = false,
+  String[1] $limits_file_owner        = $limits::limits_file_owner,
+  String[1] $limits_file_group        = $limits::limits_file_group,
+  String[1] $limits_file_mode         = $limits::limits_file_mode,
+  Optional[String] $limits_template   = $limits::limits_template,
 ) {
   if $manage_limits_d_dir {
     file { $limits_dir:
@@ -17,6 +41,16 @@
     }
   }
 
+  if $manage_limits_file {
+    file { $limits_file:
+      ensure  => 'file',
+      owner   => $limits_file_owner,
+      group   => $limits_file_group,
+      mode    => $limits_file_mode,
+      content => template("limits/${limits_template}.erb"),
+    }
+  }
+
   $entries.each | String $e_name, Hash $e_params | {
     limits::limits { $e_name:
       * => $e_params,

spec/classes/init_spec.rb

@@ -26,6 +26,10 @@
             'purge'   => true
           )
         end
+
+        it do
+          is_expected.not_to contain_file('/etc/security/limits.conf')
+        end
       end
 
       describe 'with purge_limits_d_dir set to false' do
@@ -56,6 +60,23 @@
 
         it { is_expected.not_to contain_file('/etc/security/limits.d') }
       end
+
+      describe 'with manage_limits_file set to true' do
+        let :params do
+          {
+            manage_limits_file: true
+          }
+        end
+
+        it do
+          is_expected.to contain_file('/etc/security/limits.conf').with(
+            'ensure' => 'file',
+            'owner'  => 'root',
+            'group'  => 'root',
+            'mode'   => '0644'
+          )
+        end
+      end
     end
   end
 end

templates/generic.erb

@@ -0,0 +1,52 @@
+#  This file is managed by Puppet.  Do not edit!
+#
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - a user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open file descriptors
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#
+#<domain>      <type>  <item>         <value>
+#
+
+#*               soft    core            0
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#@student        -       maxlogins       4
+
+# End of file

templates/limits.conf.debian.erb

@@ -0,0 +1,58 @@
+#  This file is managed by Puppet.  Do not edit!
+#
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - a user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#        - NOTE: group and wildcard limits are not applied to root.
+#          To apply a limit to the root user, <domain> must be
+#          the literal username root.
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open file descriptors
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#        - chroot - change root to directory (Debian-specific)
+#
+#<domain>      <type>  <item>         <value>
+#
+
+#*               soft    core            0
+#root            hard    core            100000
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#ftp             -       chroot          /ftp
+#@student        -       maxlogins       4
+
+# End of file

templates/limits.conf.rhel9.erb

@@ -0,0 +1,63 @@
+#  This file is managed by Puppet.  Do not edit!
+#
+# /etc/security/limits.conf
+#
+#This file sets the resource limits for the users logged in via PAM.
+#It does not affect resource limits of the system services.
+#
+#Also note that configuration files in /etc/security/limits.d directory,
+#which are read in alphabetical order, override the settings in this
+#file in case the domain is the same or more specific.
+#That means, for example, that setting a limit for wildcard domain here
+#can be overridden with a wildcard setting in a config file in the
+#subdirectory, but a user specific setting here can be overridden only
+#with a user specific setting in the subdirectory.
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - a user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open file descriptors
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#
+#<domain>      <type>  <item>         <value>
+#
+
+#*               soft    core            0
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#@student        -       maxlogins       4
+
+# End of file