From dbf847829885044e018422e4635738c288b61f7e Mon Sep 17 00:00:00 2001 From: Brian Schonecker Date: Mon, 20 Mar 2023 15:01:54 -0400 Subject: [PATCH] Add the management of limits.conf file. --- README.md | 7 +++- data/Debian.yaml | 3 ++ data/RedHat/9.yaml | 3 ++ data/common.yaml | 11 ++++++ hiera.yaml | 13 +++++++ manifests/init.pp | 34 +++++++++++++++++ spec/classes/init_spec.rb | 21 +++++++++++ templates/generic.erb | 52 ++++++++++++++++++++++++++ templates/limits.conf.debian.erb | 58 +++++++++++++++++++++++++++++ templates/limits.conf.rhel9.erb | 63 ++++++++++++++++++++++++++++++++ 10 files changed, 264 insertions(+), 1 deletion(-) create mode 100644 data/Debian.yaml create mode 100644 data/RedHat/9.yaml create mode 100644 templates/generic.erb create mode 100644 templates/limits.conf.debian.erb create mode 100644 templates/limits.conf.rhel9.erb diff --git a/README.md b/README.md index 70aa0c2..cd1f4a4 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Manage user and group limits via Puppet This module manages the limits of the PAM module pam_limits. -It creates files in `/etc/security/limits.d` and does not manage the file `/etc/security/limits.conf` +It creates files in `/etc/security/limits.d` and optionally manages the file `/etc/security/limits.conf` ## How to use 
@@ -23,7 +23,12 @@ It creates files in `/etc/security/limits.d` and does not manage the file `/etc/ * `purge_limits_d_dir` (Boolean, default: true) Whether or not to purge the limits.d directory * `manage_limits_d_dir` (Boolean, default: true) Whether or not to manage the limits.d directory +* `manage_limits_file` (Boolean, default: false) Whether or not to manage the /etc/security/limits.conf file. +* `limits_file` (String, default: /etc/security/limits.conf) The name of the limits file to be managed. * `limits_dir`: (String) The location of the limits.d directory +* `limits_file_owner`: (String, default: root) The owner of the ${limits_file} file. +* `limits_file_group`: (String, default: root) The group of the ${limits_file} file. +* `limits_file_mode`: (String, defaul: '0644') The file mode of the ${limits_file} file. * `entries`: (Hash) A hash of limits entries, keys should be the name and the value as a hash made up of; * `ensure`: (String, default present) Values can be absent or present * `user`: (String) The user that the limit applies to diff --git a/data/Debian.yaml b/data/Debian.yaml new file mode 100644 index 0000000..c6ad502 --- /dev/null +++ b/data/Debian.yaml @@ -0,0 +1,3 @@ +--- + +limits::limits_template: 'limits.conf.ubuntu' diff --git a/data/RedHat/9.yaml b/data/RedHat/9.yaml new file mode 100644 index 0000000..59eabd0 --- /dev/null +++ b/data/RedHat/9.yaml @@ -0,0 +1,3 @@ +--- + +limits::limits_template: 'limits.conf.rhel9' diff --git a/data/common.yaml b/data/common.yaml index a1c7009..3638cec 100644 --- a/data/common.yaml +++ b/data/common.yaml 
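Review bot: data/Debian.yaml sets `limits::limits_template: 'limits.conf.ubuntu'`, but the template this patch adds is templates/limits.conf.debian.erb, so on a Debian-family node with `manage_limits_file` true the `template("limits/limits.conf.ubuntu.erb")` call in manifests/init.pp fails at catalog compile; the value should be `limits::limits_template: 'limits.conf.debian'` (or the template renamed). This file and data/RedHat/9.yaml also appear not to be reachable: the new hiera.yaml hierarchy looks under `os/%{facts.os.family}.yaml` and `os/%{facts.os.family}/%{facts.os.release.major}.yaml`, i.e. data/os/Debian.yaml and data/os/RedHat/9.yaml, while the diffstat creates data/Debian.yaml and data/RedHat/9.yaml, so every platform currently falls through to `generic`. Either move the two data files under data/os/ or drop the `os/` prefix from the hierarchy paths. A spec example with Debian facts and `manage_limits_file: true` would have caught both.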
@@ -7,3 +7,14 @@ limits::entries: {} limits::limits_dir: /etc/security/limits.d limits::manage_limits_d_dir: true limits::purge_limits_d_dir: true + +limits::limits_file: /etc/security/limits.conf +limits::manage_limits_file: false +limits::limits_file_owner: 'root' +limits::limits_file_group: 'root' +limits::limits_file_mode: '0644' + +# We'll use a generic limits.conf template file (which came from RHEL7) +# until a specific tempalte for each OS and/or major OS version +# is supplied. +limits::limits_template: 'generic' diff --git a/hiera.yaml b/hiera.yaml index 49a6e6a..57ed8da 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -4,5 +4,18 @@ defaults: datadir: data data_hash: yaml_data hierarchy: + + - name: "osfamily/major release" + paths: + # Used to distinguish between Debian and Ubuntu + - "os/%{facts.os.name}/%{facts.os.release.major}.yaml" + - "os/%{facts.os.family}/%{facts.os.release.major}.yaml" + + - name: "osfamily" + paths: + - "os/%{facts.os.name}.yaml" + - "os/%{facts.os.family}.yaml" + - name: "common" path: "common.yaml" + diff --git a/manifests/init.pp b/manifests/init.pp index e1e6c24..3da7cb8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,10 +1,34 @@ # == Class: limits +# @summary Manage user and group limits via Puppet +# +# This module manages the limits of the PAM module pam_limits. +# +# @example +# include limits +# +# @param limits_file_owner +# The owner of the limits.conf file. +# +# @param limits_file_group +# The group of the limits.conf file. +# +# @param limits_file_mode +# The mode of the limits.conf file. +# +# @param limits_template +# The name of the template to use for ${limits_file # class limits ( Hash $entries, String $limits_dir, Boolean $manage_limits_d_dir, Boolean $purge_limits_d_dir, + String $limits_file = $limits::limits_file, + Boolean $manage_limits_file = false, + String[1] $limits_file_owner = $limits::limits_file_owner, + String[1] $limits_file_group = $limits::limits_file_group, + String[1] $limits_file_mode = $limits::limits_file_mode, + Optional[String] $limits_template = $limits::limits_template, ) { if $manage_limits_d_dir { file { $limits_dir: @@ -17,6 +41,16 @@ } } + if $manage_limits_file { + file { $limits_file: + ensure => 'file', + owner => $limits_file_owner, + group => $limits_file_group, + mode => $limits_file_mode, + content => template("limits/${limits_template}.erb"), + } + } + $entries.each | String $e_name, Hash $e_params | { limits::limits { $e_name: * => $e_params, diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 4c65432..7318f1f 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -26,6 +26,10 @@ 'purge' => true ) end + + it do + is_expected.not_to contain_file('/etc/security/limits.conf') + end end describe 'with purge_limits_d_dir set to false' do 
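Review bot: The defaults `$limits::limits_file`, `$limits::limits_file_owner`, `$limits::limits_file_group`, `$limits::limits_file_mode` and `$limits::limits_template` in the class limits parameter list refer to the very parameters being declared, which looks circular: when the module-data lookup supplies a value the default is dead code, and when it does not, the reference resolves to a not-yet-assigned variable (an error under strict_variables) rather than to a fallback. The existing parameters ($entries, $limits_dir, $manage_limits_d_dir, $purge_limits_d_dir) take their values from data/common.yaml with no default and the new ones should do the same; `$manage_limits_file = false` also duplicates `limits::manage_limits_file: false` in data/common.yaml, and `Optional[String]` on `$limits_template` permits an undef that the `template()` call below cannot use. The header lacks `@param limits_file` and `@param manage_limits_file`, and the `@param limits_template` description ends in an unterminated `${limits_file`; suggested: `# @param limits_file`, `#   Path of the limits.conf file to manage.`, `# @param manage_limits_file`, `#   Whether to manage limits_file; when true its content is replaced by the selected template.` The class body continues outside the hunk.

```puppet
  Boolean $purge_limits_d_dir,
  String[1] $limits_file,
  Boolean $manage_limits_file,
  String[1] $limits_file_owner,
  String[1] $limits_file_group,
  String[1] $limits_file_mode,
  String[1] $limits_template,
) {
```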
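Review bot: Enabling `manage_limits_file` replaces /etc/security/limits.conf with content that, in every template this patch adds, consists only of comment lines, so any limit an operator previously kept in limits.conf disappears on the next run, and neither the README nor the `@param` docs say so; state it where the parameter is documented, e.g. `#   When true the file is overwritten with a comment-only template; keep all limits in $entries.` The `content => template("limits/${limits_template}.erb")` line also interpolates a parameter declared `Optional[String]` in the parameter list above, so an undef value yields `limits/.erb` and an opaque 'Could not find template' failure rather than a clear message; a `String[1]` type, or an explicit `fail()` before the resource, would surface it. Since none of the added templates contain ERB tags, `file()` with the content moved under files/ would do the same job without evaluating a template at compile time, though that is optional. The enclosing class body continues outside the hunk.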
@@ -56,6 +60,23 @@ it { is_expected.not_to contain_file('/etc/security/limits.d') } end + + describe 'with manage_limits_file set to true' do + let :params do + { + manage_limits_file: true + } + end + + it do + is_expected.to contain_file('/etc/security/limits.conf').with( + 'ensure' => 'file', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644' + ) + end + end end end end diff --git a/templates/generic.erb b/templates/generic.erb new file mode 100644 index 0000000..ac8bb03 --- /dev/null +++ b/templates/generic.erb 
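Review bot: The new example pins ensure/owner/group/mode of /etc/security/limits.conf but not its content, so the template-selection path (`limits_template` resolved through the per-OS hiera data) is not exercised at all; adding `'content' => %r{\A# This file is managed by Puppet}` to the `with(...)` hash would at least prove that a template rendered. Whether this example also runs against Debian facts depends on the enclosing describe, which starts outside the hunk; if it does, a case with `os.family == 'Debian'` and `manage_limits_file: true` would currently fail to compile because data/Debian.yaml names `limits.conf.ubuntu` while the template added is limits.conf.debian.erb, and that is worth a dedicated example so the data/template pairing stays covered.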
@@ -0,0 +1,52 @@
+# This file is managed by Puppet. Do not edit!
+#
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#
+#
+#Where:
+# can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+#
+# can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+# can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+#
+#
+#
+
+#* soft core 0
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#@student - maxlogins 4
+
+# End of file
diff --git a/templates/limits.conf.debian.erb b/templates/limits.conf.debian.erb
new file mode 100644
index 0000000..8802167
--- /dev/null
+++ b/templates/limits.conf.debian.erb
@@ -0,0 +1,58 @@
+# This file is managed by Puppet. Do not edit!
+#
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#
+#
+#Where:
+# can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, must be
+# the literal username root.
+#
+# can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+# can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
+#
+#
+#
+
+#* soft core 0
+#root hard core 100000
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#ftp - chroot /ftp
+#@student - maxlogins 4
+
+# End of file
diff --git a/templates/limits.conf.rhel9.erb b/templates/limits.conf.rhel9.erb
new file mode 100644
index 0000000..cf0d27a
--- /dev/null
+++ b/templates/limits.conf.rhel9.erb
@@ -0,0 +1,63 @@
+# This file is managed by Puppet. Do not edit!
+#
+# /etc/security/limits.conf
+#
+#This file sets the resource limits for the users logged in via PAM.
+#It does not affect resource limits of the system services.
+#
+#Also note that configuration files in /etc/security/limits.d directory,
+#which are read in alphabetical order, override the settings in this
+#file in case the domain is the same or more specific.
+#That means, for example, that setting a limit for wildcard domain here
+#can be overridden with a wildcard setting in a config file in the
+#subdirectory, but a user specific setting here can be overridden only
+#with a user specific setting in the subdirectory.
+#
+#Each line describes a limit for a user in the form:
+#
+#
+#
+#Where:
+# can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+#
+# can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+# can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+#
+#
+#
+
+#* soft core 0
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#@student - maxlogins 4
+
+# End of file