From 597a16ca8bc52ac74daa957c64ec805146e3b93c Mon Sep 17 00:00:00 2001 From: Bernard Bondos Date: Wed, 22 Mar 2023 22:07:22 +0100 Subject: [PATCH 1/2] Add optional parameter to select file in limits_dir for saving and allow managing multiple settings in one file. Switches file content management to puppetlabs-concat. --- .fixtures.yml | 7 + README.md | 1 + manifests/limits.pp | 30 ++- metadata.json | 8 + spec/acceptance/limits_spec.rb | 53 ++++- spec/defines/limits_spec.rb | 420 ++++++++++++++++++++++++++++++--- templates/limits.erb | 3 - 7 files changed, 480 insertions(+), 42 deletions(-) diff --git a/.fixtures.yml b/.fixtures.yml index 9853717..96cfbd9 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,3 +1,10 @@ fixtures: + repositories: + stdlib: + repo: https://github.com/puppetlabs/puppetlabs-stdlib.git + ref: 4.13.1 + concat: + repo: https://github.com/puppetlabs/puppetlabs-concat.git + ref: v7.3.0 symlinks: limits: "#{source_dir}" diff --git a/README.md b/README.md index 70aa0c2..43f5a8d 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,7 @@ It creates files in `/etc/security/limits.d` and does not manage the file `/etc/ * `hard`: (Integer) the hard value * `soft`: (Integer) the soft value * `both`: (Integer) the value of both soft and hard + * `target`: (String) Optional name of file in `limits_dir` to set limit settings to. Will ignore other file naming logic when provided. ### Using hiera diff --git a/manifests/limits.pp b/manifests/limits.pp index 03242d0..33da671 100644 --- a/manifests/limits.pp +++ b/manifests/limits.pp @@ -7,6 +7,7 @@ # $hard - hard limit # $soft - soft limit # $both - set both limits (-) +# $target - name of file in `limits::limits_dir` directory the settings will be applied. If provided, title with `.conf` extension will be not be used as target file. # # Example: # limits::limits{'*/nofile': 
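Review bot: The two new fixture repositories in `.fixtures.yml` are pinned with `ref: 4.13.1` and `ref: v7.3.0`, which look like tag names, and a tag can be re-pointed upstream after this review. The fixture modules are loaded during spec runs, so pinning each `ref:` to the full commit SHA behind the tag, with the tag name kept in a trailing comment, keeps the test dependencies reproducible and makes an unexpected upstream change visible. For example: `ref: <commit-sha-of-v7.3.0> # v7.3.0`.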
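Review bot: The added `# $target` comment in `manifests/limits.pp` has a doubled verb ("will be not be used") and does not say what a valid value looks like. Suggested wording: `# $target - bare file name inside limits::limits_dir that receives this entry; when set, the title is not used to derive the file name.` The define's header comment continues outside this hunk.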
@@ -15,6 +16,10 @@ # } # limits::limits{'root/nofile': both => 1234; } # +# Example of multiple settings in single file +# limits::limits{'root/nofile': both => 1234, target => '01-root.conf' } +# limits::limits{'root/nproc': both => 1234, target => '01-root.conf' } +# # Manages: # limit file in limits.d with the values provided define limits::limits ( @@ -24,6 +29,7 @@ Variant[Integer,String,Undef] $hard = undef, Variant[Integer,String,Undef] $soft = undef, Variant[Integer,String,Undef] $both = undef, + Optional[String] $target = undef, ) { include limits @@ -47,7 +53,9 @@ default => $limit_type, } - if $title =~ /\.conf$/ { + if $target { + $target_file = "${limits::limits_dir}/${target}" + } elsif $title =~ /\.conf$/ { $target_file = "${limits::limits_dir}/${title}" } else { if $real_user == '*' { @@ -57,10 +65,22 @@ } } - file { $target_file: - ensure => $ensure, - owner => 'root', - group => 'root', + if (!defined(Concat[$target_file])) { + concat { $target_file: + ensure => $ensure, + owner => 'root', + group => 'root', + } + + concat::fragment { "top_${target_file}": + target => $target_file, + content => "# Managed by Puppet\n\n# ", + order => '01', + } + } + + concat::fragment { "${real_user}_${real_type}": + target => $target_file, content => template('limits/limits.erb'), } } diff --git a/metadata.json b/metadata.json index 9013009..1f512e6 100644 --- a/metadata.json +++ b/metadata.json @@ -57,5 +57,13 @@ } ], "dependencies": [ + { + "name": "puppetlabs/stdlib", + "version_requirement": ">= 4.13.1 < 9.0.0" + }, + { + "name": "puppetlabs/concat", + "version_requirement": ">= 7.3.0 < 8.0.0" + } ] } diff --git a/spec/acceptance/limits_spec.rb b/spec/acceptance/limits_spec.rb index 5a699aa..9def51f 100644 --- a/spec/acceptance/limits_spec.rb +++ b/spec/acceptance/limits_spec.rb 
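Review bot: `$target` is typed `Optional[String]` in the parameter hunk and is interpolated unchecked into `"${limits::limits_dir}/${target}"` in the following hunk. A value containing `/` or `..`, for instance one supplied through Hiera, would therefore make this define manage a root-owned file outside `limits_dir`. A name that does not end in `.conf` is accepted too, although pam_limits only reads `*.conf` files from `limits.d`, so such an entry would be written but never enforced. Constraining the type closes both gaps: `Optional[Pattern[/\A[^\/]+\.conf\z/]] $target = undef,`. The existing `$title =~ /\.conf$/` branch of the same `if` builds its path the same way and would benefit from an equivalent check.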
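Review bot: The `if (!defined(Concat[$target_file]))` guard lets whichever `limits::limits` is evaluated first decide `ensure` for the whole shared file, while the `concat::fragment` after it is declared regardless of `$ensure`. With two entries on one `target`, an `ensure => absent` entry can either delete the file that also carries the other entry's limit or remain in the file as a live limit, depending on evaluation order. The fragment title `"${real_user}_${real_type}"` also omits the target, so the same user/type pair declared for two different files would fail as a duplicate resource. Wrapping the fragment in `if $ensure != 'absent' { … }` and titling it `"${target_file}_${real_user}_${real_type}"` addresses the last two points (the specs that name the fragment would need updating). The first-wins file-level `ensure` should at least be documented next to the `target` parameter.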
@@ -35,7 +35,58 @@ describe file('/etc/security/limits.d/user_nofile.conf') do it { is_expected.to be_file } - it { is_expected.to contain 'user - nofile 12345' } + it { is_expected.to contain "# Managed by Puppet\n\n# \nuser - nofile 12345" } + end + end + + context 'with target specified managed file' do + it 'create a puppet managed file' do + pp = <<-PP + limits::limits { 'item': + user => 'user', + limit_type => 'nofile', + both => 12345, + target => '00-item.conf' + } + PP + + # Run it twice and test for idempotency + apply_manifest(pp, catch_failures: true) + expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero + end + + describe file('/etc/security/limits.d/00-item.conf') do + it { is_expected.to be_file } + it { is_expected.to contain "# Managed by Puppet\n\n# \nuser - nofile 12345" } + end + end + + context 'with multiple target specified managed limit' do + it 'create a puppet managed file' do + pp = <<-PP + limits::limits { 'item': + user => 'user', + limit_type => 'nofile', + both => 12345, + target => '00-item.conf' + } + + limits::limits { 'item2': + user => 'other_user', + limit_type => 'nproc', + both => 54321, + target => '00-item.conf' + } + PP + + # Run it twice and test for idempotency + apply_manifest(pp, catch_failures: true) + expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero + end + + describe file('/etc/security/limits.d/00-item.conf') do + it { is_expected.to be_file } + it { is_expected.to contain "# Managed by Puppet\n\n# \nuser - nofile 12345\nother_user - nproc 54321\n" } end end end diff --git a/spec/defines/limits_spec.rb b/spec/defines/limits_spec.rb index 18275d5..2c690e0 100644 --- a/spec/defines/limits_spec.rb +++ b/spec/defines/limits_spec.rb 
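Review bot: The new `contain "# Managed by Puppet\n\n# \nuser - nofile 12345"` expectations pass a multi-line string to Serverspec's `contain`, which as far as I know is implemented with `grep`. grep treats each line of the pattern as an alternative and the empty line matches every line, so these checks would likely pass for any non-empty file. This applies to all three `describe file(...)` blocks in the hunk, including the one meant to prove that both entries land in `00-item.conf`. Comparing the whole content is stricter: `its(:content) { is_expected.to eq "…" }` with the same string, or one single-line `contain` per expected entry.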
@@ -38,11 +38,65 @@ } it { - is_expected.to contain_file(filename).with( - 'ensure' => 'present', - 'content' => "# Managed by Puppet\n\n# \nusername hard nofile 16384\nusername soft nofile 16384\n", - 'owner' => 'root', - 'group' => 'root' + is_expected.to contain_file('/etc/security/limits.d').with( + path: '/etc/security/limits.d', + ensure: 'directory', + owner: 'root', + group: 'root', + force: true, + purge: true, + recurse: true + ) + } + + it { + is_expected.to contain_concat(filename).with( + name: filename, + path: filename + ) + } + + it { + is_expected.to contain_concat__fragment('top_/etc/security/limits.d/username_nofile.conf').with( + name: 'top_/etc/security/limits.d/username_nofile.conf', + target: filename, + content: "# Managed by Puppet\n\n# ", + order: '01' + ) + } + + it { + is_expected.to contain_concat__fragment('username_nofile').with( + name: 'username_nofile', + target: filename, + content: "username hard nofile 16384\nusername soft nofile 16384\n", + order: '10' + ) + } + + it { + is_expected.to contain_concat_fragment('top_/etc/security/limits.d/username_nofile.conf').with( + name: 'top_/etc/security/limits.d/username_nofile.conf', + target: filename, + order: '01', + content: "# Managed by Puppet\n\n# " + ) + } + + it { + is_expected.to contain_concat_fragment('username_nofile').with( + name: 'username_nofile', + target: filename, + order: '10', + content: "username hard nofile 16384\nusername soft nofile 16384\n" + ) + } + + it { + is_expected.to contain_concat_file(filename).with( + path: filename, + owner: 'root', + group: 'root' ) } end 
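Review bot: Each context now carries the same seven `it { … }` blocks, and the `contain_concat__fragment(...)` / `contain_concat_fragment(...)` and `contain_concat(...)` / `contain_concat_file(...)` pairs assert the same values on both the concat define and the native type it wraps. That ties this spec to puppetlabs-concat internals rather than to this module's behaviour. The same block is repeated in the hunks at -61, -129, -151 and -169. A single `shared_examples 'a managed limits file'` taking the file path, fragment name and expected content, and asserting only `contain_concat` and `contain_concat__fragment`, would leave one place to update when the concat dependency range changes. The `contain_file('/etc/security/limits.d')` check with `purge: true` and `recurse: true` exercises the `limits` class rather than this define and would fit better in that class's own spec, if one exists.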
@@ -61,11 +115,65 @@ } it { - is_expected.to contain_file(filename).with( - 'ensure' => 'present', - 'content' => "# Managed by Puppet\n\n# \nusername hard nofile 16384\nusername soft nofile 16384\n", - 'owner' => 'root', - 'group' => 'root' + is_expected.to contain_file('/etc/security/limits.d').with( + path: '/etc/security/limits.d', + ensure: 'directory', + owner: 'root', + group: 'root', + force: true, + purge: true, + recurse: true + ) + } + + it { + is_expected.to contain_concat(filename).with( + name: filename, + path: filename + ) + } + + it { + is_expected.to contain_concat__fragment('top_/etc/security/limits.d/username_nofile.conf').with( + name: 'top_/etc/security/limits.d/username_nofile.conf', + target: filename, + content: "# Managed by Puppet\n\n# ", + order: '01' + ) + } + + it { + is_expected.to contain_concat__fragment('username_nofile').with( + name: 'username_nofile', + target: filename, + content: "username hard nofile 16384\nusername soft nofile 16384\n", + order: '10' + ) + } + + it { + is_expected.to contain_concat_fragment('top_/etc/security/limits.d/username_nofile.conf').with( + name: 'top_/etc/security/limits.d/username_nofile.conf', + target: filename, + order: '01', + content: "# Managed by Puppet\n\n# " + ) + } + + it { + is_expected.to contain_concat_fragment('username_nofile').with( + name: 'username_nofile', + target: filename, + order: '10', + content: "username hard nofile 16384\nusername soft nofile 16384\n" + ) + } + + it { + is_expected.to contain_concat_file(filename).with( + path: filename, + owner: 'root', + group: 'root' ) } end @@ -82,10 +190,9 @@ end it { - is_expected.to contain_file(filename).with( - 'ensure' => 'absent', - 'owner' => 'root', - 'group' => 'root' + is_expected.to contain_concat_file(filename).with( + path: filename, + ensure: 'absent' ) } end 
@@ -100,10 +207,9 @@ end it { - is_expected.to contain_file(filename).with( - 'ensure' => 'absent', - 'owner' => 'root', - 'group' => 'root' + is_expected.to contain_concat_file(filename).with( + path: filename, + ensure: 'absent' ) } end 
@@ -129,11 +235,151 @@ } it { - is_expected.to contain_file(filename).with( - 'ensure' => 'present', - 'content' => "# Managed by Puppet\n\n# \nusername - nofile 16384\n", - 'owner' => 'root', - 'group' => 'root' + is_expected.to contain_file('/etc/security/limits.d').with( + path: '/etc/security/limits.d', + ensure: 'directory', + owner: 'root', + group: 'root', + force: true, + purge: true, + recurse: true + ) + } + + it { + is_expected.to contain_concat(filename).with( + name: filename, + path: filename + ) + } + + it { + is_expected.to contain_concat__fragment('top_/etc/security/limits.d/username_nofile.conf').with( + name: 'top_/etc/security/limits.d/username_nofile.conf', + target: filename, + content: "# Managed by Puppet\n\n# ", + order: '01' + ) + } + + it { + is_expected.to contain_concat__fragment('username_nofile').with( + name: 'username_nofile', + target: filename, + content: "username - nofile 16384\n", + order: '10' + ) + } + + it { + is_expected.to contain_concat_fragment('top_/etc/security/limits.d/username_nofile.conf').with( + name: 'top_/etc/security/limits.d/username_nofile.conf', + target: filename, + order: '01', + content: "# Managed by Puppet\n\n# " + ) + } + + it { + is_expected.to contain_concat_fragment('username_nofile').with( + name: 'username_nofile', + target: filename, + order: '10', + content: "username - nofile 16384\n" + ) + } + + it { + is_expected.to contain_concat_file(filename).with( + path: filename, + owner: 'root', + group: 'root' + ) + } + end + + context 'when creating a limits entry with target file name specified' do + let(:title) { 'username_nofile.conf' } + let :params do + { + user: 'username', + limit_type: 'nofile', + ensure: 'present', + both: 16_384, + target: '99-service.conf' + } + end + + it { + is_expected.to contain_limits__limits('username_nofile.conf').with( + user: 'username', + limit_type: 'nofile', + ensure: 'present', + both: 16_384, + target: '99-service.conf' + ) + } + + it { + is_expected.to 
contain_file('/etc/security/limits.d').with( + path: '/etc/security/limits.d', + ensure: 'directory', + owner: 'root', + group: 'root', + force: true, + purge: true, + recurse: true + ) + } + + it { + is_expected.to contain_concat('/etc/security/limits.d/99-service.conf').with( + name: '/etc/security/limits.d/99-service.conf', + path: '/etc/security/limits.d/99-service.conf' + ) + } + + it { + is_expected.to contain_concat__fragment('top_/etc/security/limits.d/99-service.conf').with( + name: 'top_/etc/security/limits.d/99-service.conf', + target: '/etc/security/limits.d/99-service.conf', + content: "# Managed by Puppet\n\n# ", + order: '01' + ) + } + + it { + is_expected.to contain_concat__fragment('username_nofile').with( + name: 'username_nofile', + target: '/etc/security/limits.d/99-service.conf', + content: "username - nofile 16384\n", + order: '10' + ) + } + + it { + is_expected.to contain_concat_fragment('top_/etc/security/limits.d/99-service.conf').with( + name: 'top_/etc/security/limits.d/99-service.conf', + target: '/etc/security/limits.d/99-service.conf', + order: '01', + content: "# Managed by Puppet\n\n# " + ) + } + + it { + is_expected.to contain_concat_fragment('username_nofile').with( + name: 'username_nofile', + target: '/etc/security/limits.d/99-service.conf', + order: '10', + content: "username - nofile 16384\n" + ) + } + + it { + is_expected.to contain_concat_file('/etc/security/limits.d/99-service.conf').with( + path: '/etc/security/limits.d/99-service.conf', + owner: 'root', + group: 'root' ) } end 
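Review bot: The new 'with target file name specified' context declares only one resource, so the `defined(Concat[$target_file])` branch that shared targets depend on is never exercised at catalog level. A `let(:pre_condition)` declaring a second `limits::limits` with `target => '99-service.conf'`, together with `it { is_expected.to compile.with_all_deps }`, would cover it. A variant where one of the two entries has `ensure: 'absent'` would pin down what happens to the shared file. A negative case for an unexpected `target` value, such as one containing a directory separator, would also document whatever validation the define applies.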
@@ -151,11 +397,65 @@ it { is_expected.to compile.with_all_deps } it { - is_expected.to contain_file('/etc/security/limits.d/default_nofile.conf').with( - 'ensure' => 'present', - 'content' => "# Managed by Puppet\n\n# \n* - nofile 16384\n", - 'owner' => 'root', - 'group' => 'root' + is_expected.to contain_file('/etc/security/limits.d').with( + path: '/etc/security/limits.d', + ensure: 'directory', + owner: 'root', + group: 'root', + force: true, + purge: true, + recurse: true + ) + } + + it { + is_expected.to contain_concat('/etc/security/limits.d/default_nofile.conf').with( + name: '/etc/security/limits.d/default_nofile.conf', + path: '/etc/security/limits.d/default_nofile.conf' + ) + } + + it { + is_expected.to contain_concat__fragment('top_/etc/security/limits.d/default_nofile.conf').with( + name: 'top_/etc/security/limits.d/default_nofile.conf', + target: '/etc/security/limits.d/default_nofile.conf', + content: "# Managed by Puppet\n\n# ", + order: '01' + ) + } + + it { + is_expected.to contain_concat__fragment('*_nofile').with( + name: '*_nofile', + target: '/etc/security/limits.d/default_nofile.conf', + content: "* - nofile 16384\n", + order: '10' + ) + } + + it { + is_expected.to contain_concat_fragment('top_/etc/security/limits.d/default_nofile.conf').with( + name: 'top_/etc/security/limits.d/default_nofile.conf', + target: '/etc/security/limits.d/default_nofile.conf', + order: '01', + content: "# Managed by Puppet\n\n# " + ) + } + + it { + is_expected.to contain_concat_fragment('*_nofile').with( + name: '*_nofile', + target: '/etc/security/limits.d/default_nofile.conf', + order: '10', + content: "* - nofile 16384\n" + ) + } + + it { + is_expected.to contain_concat_file('/etc/security/limits.d/default_nofile.conf').with( + path: '/etc/security/limits.d/default_nofile.conf', + owner: 'root', + group: 'root' ) } end 
@@ -169,11 +469,65 @@ end it { - is_expected.to contain_file('/etc/security/limits.d/root_nofile.conf').with( - 'ensure' => 'present', - 'content' => "# Managed by Puppet\n\n# \nroot hard nofile 12345\n", - 'owner' => 'root', - 'group' => 'root' + is_expected.to contain_file('/etc/security/limits.d').with( + path: '/etc/security/limits.d', + ensure: 'directory', + owner: 'root', + group: 'root', + force: true, + purge: true, + recurse: true + ) + } + + it { + is_expected.to contain_concat('/etc/security/limits.d/root_nofile.conf').with( + name: '/etc/security/limits.d/root_nofile.conf', + path: '/etc/security/limits.d/root_nofile.conf' + ) + } + + it { + is_expected.to contain_concat__fragment('top_/etc/security/limits.d/root_nofile.conf').with( + name: 'top_/etc/security/limits.d/root_nofile.conf', + target: '/etc/security/limits.d/root_nofile.conf', + content: "# Managed by Puppet\n\n# ", + order: '01' + ) + } + + it { + is_expected.to contain_concat__fragment('root_nofile').with( + name: 'root_nofile', + target: '/etc/security/limits.d/root_nofile.conf', + content: "root hard nofile 12345\n", + order: '10' + ) + } + + it { + is_expected.to contain_concat_fragment('top_/etc/security/limits.d/root_nofile.conf').with( + name: 'top_/etc/security/limits.d/root_nofile.conf', + target: '/etc/security/limits.d/root_nofile.conf', + order: '01', + content: "# Managed by Puppet\n\n# " + ) + } + + it { + is_expected.to contain_concat_fragment('root_nofile').with( + name: 'root_nofile', + target: '/etc/security/limits.d/root_nofile.conf', + order: '10', + content: "root hard nofile 12345\n" + ) + } + + it { + is_expected.to contain_concat_file('/etc/security/limits.d/root_nofile.conf').with( + path: '/etc/security/limits.d/root_nofile.conf', + owner: 'root', + group: 'root' ) } end diff --git a/templates/limits.erb b/templates/limits.erb index 4ea650f..aff9a8e 100644 --- a/templates/limits.erb +++ b/templates/limits.erb 
@@ -1,6 +1,3 @@ -# Managed by Puppet - -# <% if @both then -%> <%= "%-12s" % @real_user %> - <%= "%-14s" % @real_type %> <%= @both %> <% else -%> From e54d73caad8828437558a01b59e983fd07554d73 Mon Sep 17 00:00:00 2001 From: Bernard Bondos Date: Sun, 30 Apr 2023 12:42:21 +0200 Subject: [PATCH 2/2] remove stdlib from module dependencies --- metadata.json | 4 ---- 1 file changed, 4 deletions(-) diff --git a/metadata.json b/metadata.json index 1f512e6..65fb42c 100644 --- a/metadata.json +++ b/metadata.json @@ -57,10 +57,6 @@ } ], "dependencies": [ - { - "name": "puppetlabs/stdlib", - "version_requirement": ">= 4.13.1 < 9.0.0" - }, { "name": "puppetlabs/concat", "version_requirement": ">= 7.3.0 < 8.0.0"