From 8c7114f2a375ef0f2dfeb6da3c96ef0cdb0c55e7 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Thu, 20 Dec 2012 11:36:42 +0200 Subject: [PATCH 01/50] Added install target to Makefile --- Makefile | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index b59d825..4e26f8b 100644 --- a/Makefile +++ b/Makefile @@ -1,12 +1,17 @@ -MODULES = $(shell find */manifests/init.pp | sed -e 's/^\([^\/]*\).*/\1/') -MANIFESTS = $(shell find . -name \*.pp) +MODULES := $(shell find */manifests/init.pp | sed -e 's/^\([^\/]*\).*/\1/') +MANIFESTS := $(shell find . -name \*.pp) +MODULESDIR := /etc/puppet/modules-$(shell date +%Y-%m-%d) +TARFLAGS = --owner=root --group=root --mode g-w,o=g --exclude=.git --exclude=rdoc all: puppet-modules.tar.gz puppet-modules.tar.gz: $(MODULES) LICENSE CREDITS Makefile.inc - umask 022 ; tar zcvf $@ --owner=root --group=root \ - --mode g-w,o=g --exclude=.git --exclude=rdoc $^ + umask 022 ; tar zcvf $@ $(TARFLAGS) $^ + +install: $(MODULES) LICENSE CREDITS Makefile.inc + @umask 022 ; mkdir -p $(MODULESDIR) && \ + tar cf - $(TARFLAGS) $^ | tar xvf - -C $(MODULESDIR) check: @which puppet > /dev/null 2>&1 || ( \ From 864ca3a897a82da510a0c1177a5d63d1eefeb9a4 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Mon, 14 Jan 2013 12:49:25 +0200 Subject: [PATCH 02/50] Fixed munin log paths and permissions for EPEL packages --- munin/manifests/init.pp | 11 +++++------ munin/templates/munin-node.conf.erb | 11 +++++------ 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/munin/manifests/init.pp b/munin/manifests/init.pp index b760e1f..45e0044 100644 --- a/munin/manifests/init.pp +++ b/munin/manifests/init.pp 
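Review bot: The `install` recipe's exit status is that of the last command in the `tar cf - ... | tar xvf -` pipeline, so a failure of the producing `tar` (an unreadable module file, a missing prerequisite) is masked and make reports success with a partial tree under `$(MODULESDIR)`. The archive target above already packs exactly the same inputs with the same `$(TARFLAGS)`, so installing from it avoids the pipe altogether: `install: puppet-modules.tar.gz` followed by `@umask 022 ; mkdir -p $(MODULESDIR) && tar zxvf $< -C $(MODULESDIR)`. `TARFLAGS` is defined with `=` while the neighbouring variables use `:=`; it contains no `$(shell ...)` so either works, but one style is easier to read.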
@@ -249,12 +249,11 @@ class munin::server { require => File["/var/cache/munin"], } - file { [ "/var/log/munin/munin-cgi-graph.log", - "/var/log/munin/munin-cgi-html.log", ]: - ensure => present, - mode => "0664", - owner => "munin", - group => $apache::sslserver::group, + file { "/var/log/munin": + ensure => directory, + mode => "0775", + owner => $apache::sslserver::user, + group => "munin", require => Package["munin"], } file { "/etc/logrotate.d/munin-cgi": diff --git a/munin/templates/munin-node.conf.erb b/munin/templates/munin-node.conf.erb index d743c6a..e8ccad9 100644 --- a/munin/templates/munin-node.conf.erb +++ b/munin/templates/munin-node.conf.erb @@ -3,11 +3,15 @@ # log_level 4 +<% if ['CentOS','Fedora','RedHat'].index(operatingsystem) -%> +log_file /var/log/munin-node/munin-node.log +<% else -%> log_file /var/log/munin/munin-node.log +<% end -%> pid_file /var/run/munin/munin-node.pid background 1 -setseid 1 +setsid 1 user root <% if operatingsystem == "OpenBSD" -%> @@ -15,10 +19,8 @@ group wheel <% else -%> group root <% end -%> -setsid yes # Regexps for files to ignore - ignore_file ~$ ignore_file \.bak$ ignore_file %$ @@ -29,7 +31,6 @@ ignore_file \.pod$ # Set this if the client doesn't report the correct hostname when # telnetting to localhost, port 4949 # -#host_name ppc3.fedora.redhat.com host_name <%= homename %> # A list of addresses that are allowed to connect. This must be a @@ -41,8 +42,6 @@ allow <%= munin_allow %> # Which address to bind to; host <%= ipaddress %> -# host 127.0.0.1 # And which port port 4949 - From 2fb5e236732d680cc7316a121ba65390977ba635 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Mon, 14 Jan 2013 14:40:01 +0200 Subject: [PATCH 03/50] Fixed permissions in munin-cgi.logrotate.erb --- munin/templates/munin-cgi.logrotate.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/munin/templates/munin-cgi.logrotate.erb b/munin/templates/munin-cgi.logrotate.erb index 63df851..94384c4 100644 
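Review bot: Handing ownership of `/var/log/munin` to the web server user (`owner => $apache::sslserver::user`, `mode => "0775"`) lets a compromised CGI process delete or replace every log in that directory, including the ones munin's own cron jobs write, because a directory's owner can unlink any entry regardless of the sticky bit; the removed resource only exposed the two CGI log files. Keep the directory munin-owned and grant the CGI create access through the group plus the sticky bit: `owner => "munin",` / `group => $apache::sslserver::group,` / `mode => "1775",` — the CGI can still create its own log files, but cannot remove munin's. The `create 0640 <apache user> munin` logrotate entries added in the third patch of this series keep working since logrotate runs as root. The enclosing `class munin::server` starts before this hunk.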
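Review bot: `['CentOS','Fedora','RedHat'].index(operatingsystem)` only works because `index` returns `0` for the first element and `0` is truthy in Ruby, which is an easy misread for the next editor; `include?` states the intent directly: `<% if ['CentOS','Fedora','RedHat'].include?(operatingsystem) -%>`. The same idiom appears in `apache/templates/ssl.conf.erb` later in this series (`['Fedora','CentOS','RedHat'].index(operatingsystem)`) and should be changed there too. A short comment on the new branch (`<%# EPEL packages log to /var/log/munin-node -%>`) would record why the path differs per distribution, since the commit message is the only place that says so.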
--- a/munin/templates/munin-cgi.logrotate.erb +++ b/munin/templates/munin-cgi.logrotate.erb @@ -4,7 +4,7 @@ rotate 7 compress notifempty - create 0664 munin <%= scope.lookupvar('apache::sslserver::group') %> + create 0640 <%= scope.lookupvar('apache::sslserver::user') %> munin } /var/log/munin/munin-cgi-html.log { @@ -13,5 +13,5 @@ rotate 7 compress notifempty - create 0664 munin <%= scope.lookupvar('apache::sslserver::group') %> + create 0640 <%= scope.lookupvar('apache::sslserver::user') %> munin } From 963f1d1bfc2256f122dccffa58f486892c6957be Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 15 Jan 2013 12:51:44 +0200 Subject: [PATCH 04/50] Added temporary fix for broken munin-node logrotate config --- munin/files/munin-node.logrotate | 9 +++++++++ munin/manifests/init.pp | 13 +++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 munin/files/munin-node.logrotate diff --git a/munin/files/munin-node.logrotate b/munin/files/munin-node.logrotate new file mode 100644 index 0000000..2a12c07 --- /dev/null +++ b/munin/files/munin-node.logrotate @@ -0,0 +1,9 @@ +/var/log/munin-node/munin-node.log { + daily + missingok + rotate 7 + compress + copytruncate + notifempty + create 644 root root +} diff --git a/munin/manifests/init.pp b/munin/manifests/init.pp index 45e0044..bc7db4c 100644 --- a/munin/manifests/init.pp +++ b/munin/manifests/init.pp @@ -61,6 +61,19 @@ class munin::node { notify => Service["munin-node"], } + # Temporary fix for broken config + case $::operatingsystem { + "centos","fedora","redhat": { + file { "/etc/logrotate.d/munin-node": + ensure => present, + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/munin/munin-node.logrotate", + } + } + } + } From 738a1ae59aade8bd0086eb0222c0df24e30d07a7 Mon Sep 17 00:00:00 2001 
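Review bot: `copytruncate` and `create 644 root root` in the new `munin-node.logrotate` work against each other: with `copytruncate` the live file is copied and truncated in place, the old file never goes away, and logrotate(8) documents that `create` then has no effect, so the `create` line is dead configuration. Keep one of the two — `copytruncate` alone if munin-node cannot be told to reopen its log, otherwise `create` plus a `postrotate` that signals the daemon. A first-line comment such as `# Temporary replacement for the packaged logrotate entry; remove once the package ships a correct one` would tell the next reader why a Puppet module carries a distribution file.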
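Review bot: `# Temporary fix for broken config` does not say what is broken or how to tell when the workaround can be removed, so in practice it will stay forever; something like `# Works around the logrotate entry shipped with the distribution munin-node package (see commit message); drop once the packaged entry is correct` keeps the exit condition next to the code. The `case $::operatingsystem` intentionally has no `default:` branch; a `default: {}` with a one-word comment makes that explicit rather than looking like an omission. The enclosing `class munin::node` starts before this hunk.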
From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 16 Jan 2013 10:22:22 +0200 Subject: [PATCH 05/50] Fixed depency error from dns::server. --- dns/manifests/init.pp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index 0555f1b..3ec2b94 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp @@ -360,17 +360,21 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], if $zonedir != "" { if !defined(File["${dns::server::chroot}${zonedir}"]) { file { "${dns::server::chroot}${zonedir}": - ensure => directory, - mode => $role ? { + ensure => directory, + mode => $role ? { "master" => "0750", default => "0770", }, - owner => "root", - group => $dns::server::group, - before => $role ? { + owner => "root", + group => $dns::server::group, + before => $role ? { "master" => File["${dns::server::chroot}${zonedir}/db.${zonefile}"], default => undef, }, + require => $::operatingsystem ? { + "openbsd" => undef, + default => Package["bind"], + }, } } } From eddce9a14862cad925a01e30c423c07c37322fa1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 16 Jan 2013 10:35:39 +0200 Subject: [PATCH 06/50] Fixed tftp::server for CentOS and RHEL 6 --- tftp/manifests/init.pp | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/tftp/manifests/init.pp b/tftp/manifests/init.pp index 42f770c..1ff8dc6 100644 --- a/tftp/manifests/init.pp +++ b/tftp/manifests/init.pp 
@@ -39,24 +39,31 @@ class tftp::server { } case $::operatingsystem { - debian,fedora,ubuntu: { - file { "/var/lib/tftpboot": - ensure => link, - target => "/srv/tftpboot", - force => true, - require => File["/srv/tftpboot"], + "debian","fedora","ubuntu": { + $tftpdir = "/var/lib/tftpboot" + } + "centos","redhat": { + case $::operatingsystemrelease { + /^[45]\./: { + $tftpdir = "/tftpboot" + } + default: { + $tftpdir = "/var/lib/tftpboot" + } } } default: { - file { "/tftpboot": - ensure => link, - target => "/srv/tftpboot", - force => true, - require => File["/srv/tftpboot"], - } + $tftpdir = "/tftpboot" } } + file { $tftpdir: + ensure => link, + target => "/srv/tftpboot", + force => true, + require => File["/srv/tftpboot"], + } + if "${selinux}" == "true" { selinux::manage_fcontext { "/srv/tftpboot(/.*)?": type => "tftpdir_t", From 3caa081766a3714a5aa237a56e9587fef56c1bc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 17 Jan 2013 09:02:25 +0200 Subject: [PATCH 07/50] Added rpmfusion signing keys for Fedora 18. --- yum/files/keys/rpmfusion-free-fedora-18.key | 30 +++++++++++++++++++ .../keys/rpmfusion-nonfree-fedora-18.key | 30 +++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 yum/files/keys/rpmfusion-free-fedora-18.key create mode 100644 yum/files/keys/rpmfusion-nonfree-fedora-18.key diff --git a/yum/files/keys/rpmfusion-free-fedora-18.key b/yum/files/keys/rpmfusion-free-fedora-18.key new file mode 100644 index 0000000..2c97922 --- /dev/null +++ b/yum/files/keys/rpmfusion-free-fedora-18.key 
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.18 (GNU/Linux) + +mQINBE80KI8BEADWbPfx0Ql0Rip3+SZ3k+/Yw/gXBH7GdwLhnwwFjEDJfBHdUFkR +1GHQtKH7qtdyqASkPRfGQqBoDY49jssrgv4FIh9nrE8u1HpN5YhVNT0zbvGORKiS +01U75N7FjgKR+8/deUo1MBFdy7vsfvL2obW6FE5y1Lr9QRaLfVN+C9rPDB6ITcak +VIqvL2jKa//YzIZ0JYlYumbGyhuV0fDrSmkOTruXBgtATO1DtwlCsMshp9sMT+8L +W2BAURtR1yVEnXy1YEVhdkdDuX/DAbZhWdz5swAQaPEr6GVByXfwDB8Fe8D/0RUo +BQG2KBc8JqQF5HSDz5rdlKZ20U6VyR1Ihl9G3l26CWdF1iTljUHl8FIDRv+WefbJ +rvBO76mAilBnl0NCHM2AR4npvIlN8/Dd84q1Ti0OW/QugKMECelMO0ykYVYVUmwr +JUGKuSe3wxuW813N3VEaYOmhx6P+x5X3yKuKo8O1+duJZGPDV94veY6f3JijgA2j +s0pgxIjUzJ8C09z0P+vLKwtVo4VMPqhBhxk1bcrUT4t8QGtQHuS7IwXYQqd32xTM +kBrbFqegPO7dOzOLmw52o9fgHwRxL1owgYzn3uYXCzgnQYKdGgzX9QrlkuhgqLY8 +G7SR6FDdONGFE1s+looZpV/bHf2MKKLUQEUPkdIS46oRxKUNsxyAn5QZDwARAQAB +tFNSUE0gRnVzaW9uIGZyZWUgcmVwb3NpdG9yeSBmb3IgRmVkb3JhICgxOCkgPHJw +bWZ1c2lvbi1idWlsZHN5c0BsaXN0cy5ycG1mdXNpb24ub3JnPokCOAQTAQIAIgUC +TzQojwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQNjOZFJguCnyGBxAA +x4hWU52Si0/bx9TzCCjsPmuMXb6b+0wUtqRfKtsCmRmOPUok2d1/XkyX7hJ7XHV7 +bkV+pab0ohL7DWj1Y9mRJeG6X9yRi45vP52DoWkOpoMOV9LDivsQ3BfYwxb7NriF +cI8Gq5Qec7M8JqLVk91Fve4h97rOSZlNIZfoybVOC0lpFeT6n3J/YYb1HMUtn/cu +YwOCpvWrn6/FS6bO7jCGEidogAZkGkEAKUBOD9PbiWe+Od439a7j/PzxU795nvPt +nfDab52zXxv4dCHBxcP3cyjC83+23QvMlkJkPF3J74atIP78jEcb45e8SuCTL/4W +gQBaW3RqDr5CvIuksb6dDeWGzq8+214lvrCI4kQH3RWgbS4xi+a9OdicPWtnFF68 +/ORsbFMIvMXFT5Zmhpx28OlALryiYTL9jkwqMP1S0q3JgfT4adrruc4/C/MrN1aQ +xh3wbfqT7xB0/GWKojjgRpsZ56fMUmaB2AwwlwBSpxqHTqCSkJOl1jQuvv+pNMAz +/qNooUzu9Z1kPDKtDYl0dK9kUHw5vkXn2MjOXFGLBMoXbDxxzbgJMR45/L/jCK3Q +8Cko+IaW14lSoiyQVoAikCfizAnAV+08dp/a4UK2haZd+/Xl7dKDpNSnQhOTQCoL +BpbgafmDVWWbv10cPHFCfq29RBpAaQwck2WFNF39nR8= +=53Ne +-----END PGP PUBLIC KEY BLOCK----- diff --git a/yum/files/keys/rpmfusion-nonfree-fedora-18.key b/yum/files/keys/rpmfusion-nonfree-fedora-18.key new file mode 100644 index 0000000..203ed26 --- /dev/null +++ b/yum/files/keys/rpmfusion-nonfree-fedora-18.key 
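Review bot: The new trust anchor (`rpmfusion-free-fedora-18.key` here, and `rpmfusion-nonfree-fedora-18.key` in the next file) carries no provenance: nothing records the key fingerprint, where the block was fetched from, or how it was compared against the fingerprints RPM Fusion publishes, so a reviewer cannot distinguish a genuine key from a substituted one. Every package signed by these keys will be accepted by yum on the managed hosts, so record the fingerprints and source URL in the commit message or a README beside the keys and verify them out of band before merging. Once merged the files should be treated as immutable, with any later change reviewed with the same care as code.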
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.18 (GNU/Linux) + +mQINBE80KM8BEADL982y29MH1JB8tjaglrY1H08bHAZqkeg+fsrPnk5PokXuNiK8 +9i5iMRklyHTlLJRFen8OupJ+laXAnIhzH3CBaSU4vBw0PvvhdvtTEkVe5nEIiWON +ptkAYsXzFMT6ZD0tM1ef3DB2l00g+rf9ySEqBpRhP1ccLwtVFSRJk3vMWgs1SAi8 +M7gdrEm07d1rNK4umB4UkOvJMe87Hd63sMF6PCfSkXDPEF9Pe+tltNNvPdA/dWO3 +3QY1o4NU4m0Dwh2NWNj9YKxjSGkYzOmDslSccXkeJJKySWYmHPwiIvt5nMuSXlOi +F9eNSXqMQb0qLcKJWMBovTgJWMR9CTgEtU7lAXafzZ4ePJY5uNFJ4F86slFkjgpN +DZZGFJNhDUz6TpixwxrYPV8hiUqLUlatcFrpn5vjTZpsw8gELSGCjeojI7R0qkmq +T6atgrZbLn3aJAPtOV4aVJgO2s1ATSrZWGVUAzQ+98dZM9Ys/N9EFxip6jeabwri +3AivulncY6k6XhKroQp2DTtupXB+nN+aGxaz+o2InuTJ83YaB1Zz6uU924gsHiyj +/VU7hJ4RTJq1DEhTZJ9YYqPT3fkQgA5UIebpwQhMMkWq4/YO/d/QdUAhXNJr8eDP +1VsJe13Wu8Q9I4Nlr8kWZczDnUcDipu2hpuSPDtSuEuMdO6nRyXMw9XTWQARAQAB +tFZSUE0gRnVzaW9uIG5vbmZyZWUgcmVwb3NpdG9yeSBmb3IgRmVkb3JhICgxOCkg +PHJwbWZ1c2lvbi1idWlsZHN5c0BsaXN0cy5ycG1mdXNpb24ub3JnPokCOAQTAQIA +IgUCTzQozwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQkM4JS+MbMMok +oA//TC+/0+qslxOVmGdWtZoDvndwRTnCATWiH4UoKLlyCG9DaWZMjle3Pt85bEzZ +/cWaIzy6zZHxuYKZ8rHElhloBx8WARVPl+DRNcV4AFXMuNNckKu82YKE3Ti/G/PL +42RpT/qgR7bgdAeru3KGMBd6Qq8iroUmqzshlEdYF4i+jXOQiD629XuzsqDw4IxZ +zN6/NPgFduy6z9t4NN4lu329H+JBQHfb7TR4lh3liqcKInF0y9XOKFxzgUXahr23 +WWeSKboebHsdRtmoySYk6zAV45LOck+frzqD9qEiVysGeuw1eSFHjRMT+0TVsAoH +Bot5RoyYkF/zw9bUikCJQJ+c+gOs6EXIQO1HVdgpNRjJj3901dvaBcDpI6OX6eQP +IBLqbN6Es/uZhB4yclpHyuHQcKDnawyh5fe+5BEm4jPB9AcbvawBLrMxZMAoQVjq +zqnCkAoo66/OYeBEZYtSXRxw8VV2p0yMkZcR1IpRNYBNcnLDqFZLLJeRCYMR2UDa +hoYgIX/6t9UD0HjjBRQUlHtq9NDR3LOspmbaX39yd3dPlLbrgV5ALGD11NYvB8YG +bDI/13D5K6Ti2VgArxZqv4HOWkHwkOlUl4KnkVXTdUZDefzo6ix5sObV54l9zbaJ +FNy46lt3bTn8oI9PEsxrxC7VUXgOH3kg2G07IytyWy0FJB8= +=+k17 +-----END PGP PUBLIC KEY BLOCK----- From 486608104664c7abfc8c776e91d52b2ecc3a3ab2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 17 Jan 2013 09:17:28 +0200 Subject: [PATCH 08/50] Fixed netcat for Fedora 18. --- netcat/manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/netcat/manifests/init.pp b/netcat/manifests/init.pp index a490272..b0661ec 100644 --- a/netcat/manifests/init.pp +++ b/netcat/manifests/init.pp @@ -7,6 +7,10 @@ class netcat { package { "netcat": name => $::operatingsystem ? { "ubuntu" => "netcat", + "fedora" => $::operatingsystemrelease ? { + /^1[0-7]/ => "nc", + default => "nmap-ncat", + }, default => "nc", }, ensure => present, From dfe28aa71a55e681258d9b069c75060addd4dfe4 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Thu, 17 Jan 2013 10:57:49 +0200 Subject: [PATCH 09/50] Changed top level Makefile to assume all directories are modules --- Makefile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 4e26f8b..e39605f 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,4 @@ - -MODULES := $(shell find */manifests/init.pp | sed -e 's/^\([^\/]*\).*/\1/') +MODULES := $(shell find * -type d -prune) MANIFESTS := $(shell find . -name \*.pp) MODULESDIR := /etc/puppet/modules-$(shell date +%Y-%m-%d) TARFLAGS = --owner=root --group=root --mode g-w,o=g --exclude=.git --exclude=rdoc From d030bd2d78dedc1dca32c5b34f60010a9fd236a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 17 Jan 2013 11:16:15 +0200 Subject: [PATCH 10/50] Fixed network::hostname for Fedora 18. --- network/manifests/init.pp | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/network/manifests/init.pp b/network/manifests/init.pp index f112715..d4af18f 100644 --- a/network/manifests/init.pp +++ b/network/manifests/init.pp 
@@ -73,7 +73,23 @@ class network::hostname { group => "root", } } - "centos","redhat","fedora": { + "fedora": { + if $::operatingsystemrelease > 17 { + file { "/etc/hostname": + ensure => present, + content => "${homename}\n", + mode => "0644", + owner => "root", + group => "root", + } + } else { + augeas { "set-hostname": + context => "/files/etc/sysconfig/network", + changes => "set HOSTNAME ${homename}", + } + } + } + "centos","redhat": { augeas { "set-hostname": context => "/files/etc/sysconfig/network", changes => "set HOSTNAME ${homename}", From b5a9073efbff7c1e05eb2cbe425dcc41cc271f6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 17 Jan 2013 11:17:51 +0200 Subject: [PATCH 11/50] Fixed firewall module for Fedora 18. --- firewall/manifests/init.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/firewall/manifests/init.pp b/firewall/manifests/init.pp index 0f0ed9d..489e753 100644 --- a/firewall/manifests/init.pp +++ b/firewall/manifests/init.pp @@ -111,6 +111,13 @@ class firewall::common::iptables { } $ip6states = versioncmp($::kernelversion, "2.6.20") + if $::operatingsystem == "Fedora" and $::operatingsystemrelease > 17 { + package { "firewalld": + ensure => absent, + before => Package["iptables"], + } + } + package { "iptables": ensure => installed, name => $::operatingsystem ? { @@ -119,7 +126,8 @@ class firewall::common::iptables { "debian" => [ "iptables", "iptables-persistent" ], "fedora" => $::operatingsystemrelease ? { /^1[0-5]/ => [ "iptables", "iptables-ipv6" ], - default => "iptables", + /^1[6-7]/ => "iptables", + default => [ "iptables", "iptables-services" ], }, "ubuntu" => [ "iptables", "iptables-persistent" ], }, From 0019d10f1feea9e911c714acbe3948cf0d248224 Mon Sep 17 00:00:00 2001 
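Review bot: The `else` branch of the new `"fedora"` case repeats the `augeas { "set-hostname": ... }` block of the `"centos","redhat"` case below it verbatim; testing the release inside one `"centos","redhat","fedora"` case (or computing a `$use_etc_hostname` boolean first) leaves a single copy of each resource. `$::operatingsystemrelease > 17` compares a string fact with an integer — Puppet should convert a numeric string, but a non-numeric release value (a development release name, for instance) is likely to fail the comparison at compile time, so `versioncmp($::operatingsystemrelease, "18") >= 0` is the more robust test. The `content => "${homename}\n"` line uses a non-`$::` top-scope variable while the rest of the hunk uses `$::` facts; picking one form avoids the reader wondering whether the difference is deliberate. The enclosing `class network::hostname` starts before this hunk and continues after it.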
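Review bot: `before => Package["iptables"]` only orders the `firewalld` removal ahead of the `iptables`/`iptables-services` install; nothing in the hunk ties it to the service that reloads the saved rule set, so between the removal (which stops firewalld and, as far as I can tell, clears its rules) and that service's start the host has no packet filter, and a catalog failure in between leaves it that way until the next agent run. The gap cannot be closed entirely because both services drive the same netfilter tables, but it should be bounded to a single run: have the rule-loading service resource (declared outside this hunk) `require` this package removal and `subscribe` to it so the rules are loaded in the same run. Stylistically `/^1[6-7]/` is `/^1[67]/`, and the Fedora-18 test now lives in two places in this class (the `if` here and the release selector below); a `$fedora18 = ...` boolean at the top would make the split visible. The enclosing `class firewall::common::iptables` starts before this hunk.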
From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 17 Jan 2013 11:47:04 +0200 Subject: [PATCH 12/50] Fixed rsyslog restart for Fedora 18. Service cannot be stopped with systemctl or service command anymore. --- syslog/manifests/init.pp | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/syslog/manifests/init.pp b/syslog/manifests/init.pp index 635c989..61c457d 100644 --- a/syslog/manifests/init.pp +++ b/syslog/manifests/init.pp @@ -175,16 +175,20 @@ class syslog::client::rsyslog { } service { "rsyslog": - ensure => running, - enable => true, - start => $::operatingsystem ? { + ensure => running, + enable => true, + start => $::operatingsystem ? { "openbsd" => $::operatingsystemrelease ? { /4\.[1-8]/ => "pkill syslogd; /usr/local/sbin/rsyslogd -c 4 -x -i /var/run/syslog.pid", default => undef, }, default => undef, }, - require => File["/var/log/all.log"], + hasrestart => $::operatingsystem ? { + "fedora" => true, + default => false, + }, + require => File["/var/log/all.log"], } if $::operatingsystem == "OpenBSD" and $::operatingsystemrelease !~ /4\.[1-8]/ { From 57443597cab736db1596208ed829d83589808d90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 17 Jan 2013 14:57:45 +0200 Subject: [PATCH 13/50] Added ipaddress to host_aliases in ssh::known_hosts. --- ssh/manifests/init.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ssh/manifests/init.pp b/ssh/manifests/init.pp index 68cfab0..c47a78d 100644 --- a/ssh/manifests/init.pp +++ b/ssh/manifests/init.pp @@ -16,7 +16,10 @@ class ssh::known_hosts { ensure => present, type => rsa, key => $sshrsakey, - host_aliases => inline_template("<%= homename.split('.')[0] %>"), + host_aliases => [ + inline_template("<%= homename.split('.')[0] %>"), + $::ipaddress, + ], require => File["/etc/ssh/ssh_known_hosts"], } From 8196bc7c405f1899fe894f091aa45392db78a53c Mon Sep 17 00:00:00 2001 
From: Ossi Salmi Date: Sat, 19 Jan 2013 18:17:28 +0200 Subject: [PATCH 14/50] Added OpenBSD support for sasl module --- sasl/manifests/init.pp | 87 +++++++++++++++++++++++++++++++----------- 1 file changed, 64 insertions(+), 23 deletions(-) diff --git a/sasl/manifests/init.pp b/sasl/manifests/init.pp index e0da7a3..20df9ca 100644 --- a/sasl/manifests/init.pp +++ b/sasl/manifests/init.pp @@ -8,10 +8,14 @@ class sasl::client { "ubuntu" => "sasl2-bin", default => "cyrus-sasl", }, + flavor => $::operatingsystem ? { + "openbsd" => "ldap", + default => undef, + }, ensure => installed, } - if $kerberos_realm { + if $kerberos_realm and $::operatingsystem != "OpenBSD" { package { "cyrus-sasl-gssapi": name => $::operatingsystem ? { "ubuntu" => "libsasl2-modules-gssapi-mit", @@ -32,7 +36,7 @@ class sasl::client { # default. Supported mechanisms include pam, ldap and kerberos5. # # For ldap authentication, see ldap::client for required global variables. -# +# class sasl::saslauthd { require sasl::client 
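Review bot: `if $kerberos_realm and $::operatingsystem != "OpenBSD"` silently skips the GSSAPI plugin on OpenBSD even when a realm is configured, so Kerberos logins through SASL simply fail there with nothing in the agent output pointing at the cause. An `elsif $kerberos_realm { warning("sasl::client: GSSAPI plugin is not managed on OpenBSD") }` branch makes the gap visible, and the "Supported mechanisms" comment above `sasl::saslauthd` in the second hunk should say which mechanisms OpenBSD gets. `flavor => "ldap"` is also applied to the OpenBSD `cyrus-sasl` package unconditionally, i.e. even on hosts whose saslauthd mechanism is pam; presumably intentional, but a one-line comment saying so would help. The enclosing `class sasl::client` starts before the hunk.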
@@ -41,27 +45,48 @@ class sasl::saslauthd { "","pam": { } "ldap": { include ldap::client - - augeas { "set-saslauthd-mech": - context => "/files/etc/sysconfig/saslauthd", - changes => "set MECH ldap", - notify => Service["saslauthd"], + + case $::operatingsystem { + "centos","fedora","redhat": { + augeas { "set-saslauthd-mech": + context => "/files/etc/sysconfig/saslauthd", + changes => "set MECH ldap", + notify => Service["saslauthd"], + } + } + "openbsd": { + Service["saslauthd"] { + start => "/usr/local/sbin/saslauthd -a ldap", + } + } } - + file { "/etc/saslauthd.conf": ensure => present, - mode => 0644, - owner => "root", - group => "root", + mode => "0644", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, content => template("sasl/saslauthd.conf.ldap.erb"), - notify => Service["saslauthd"], + notify => Service["saslauthd"], } } "kerberos5": { - augeas { "set-saslauthd-mech": - context => "/files/etc/sysconfig/saslauthd", - changes => "set MECH kerberos5", - notify => Service["saslauthd"], + case $::operatingsystem { + "centos","fedora","redhat": { + augeas { "set-saslauthd-mech": + context => "/files/etc/sysconfig/saslauthd", + changes => "set MECH kerberos5", + notify => Service["saslauthd"], + } + } + "openbsd": { + Service["saslauthd"] { + start => "/usr/local/sbin/saslauthd -a kerberos5", + } + } } } default: { @@ -78,13 +103,16 @@ class sasl::saslauthd { ensure => present, mode => "0644", owner => "root", - group => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, require => Exec["generate-sasldb2"], before => Service["saslauthd"], } exec { "generate-sasldb2": command => "saslpasswd2 -d foobar ; true", - path => "/bin:/usr/bin:/sbin:/usr/sbin", + path => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin", creates => "/etc/sasldb2", } 
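Review bot: `/etc/saslauthd.conf` is written with `mode => "0644"`, and saslauthd's LDAP configuration normally carries the bind DN password; if `sasl/saslauthd.conf.ldap.erb` (not in this hunk) emits `ldap_bind_pw`, that credential becomes world-readable on every host in this class and the mode should be `"0600"` (saslauthd reads the file as root). The `Service["saslauthd"] { start => ... }` override in the `"openbsd"` cases adds a parameter to a resource declared elsewhere in the class; Puppet accepts this only as long as that declaration does not already set `start`, otherwise compilation fails with a redefinition error, so a comment next to the override stating that assumption is worth adding. The `$::operatingsystem ? { "openbsd" => "wheel", default => "root" }` selector for `group` recurs in this hunk, in the next one, twice in `sasl::saslauthd::service`, and again in the motd module later in the series; a single `$rootgroup` computed once at class scope would remove the repetition. The enclosing `class sasl::saslauthd` starts before this hunk and continues after it.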
@@ -104,10 +132,20 @@ class sasl::saslauthd { # define sasl::saslauthd::service() { - case $architecture { - "i386": { $libdir = "/usr/lib/sasl2" } - "x86_64": { $libdir = "/usr/lib64/sasl2" } - default: { fail("Unknown architecture ${architecture}") } + case $::operatingsystem { + "centos","fedora","redhat": { + case $::architecture { + "i386": { $libdir = "/usr/lib/sasl2" } + "x86_64": { $libdir = "/usr/lib64/sasl2" } + default: { fail("Unknown architecture ${::architecture}") } + } + } + "openbsd": { + $libdir = "/usr/local/lib/sasl2" + } + default: { + fail("sasl not supported on ${::operatingsystem}") + } } file { "${libdir}/${name}.conf": @@ -118,7 +156,10 @@ define sasl::saslauthd::service() { "puppet:///modules/sasl/service.conf", ], mode => "0644", owner => "root", - group => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, require => Service["saslauthd"], } From 7ee51d6f4c4bed8adc9559ef6337597021db8ad8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Tue, 22 Jan 2013 15:47:36 +0200 Subject: [PATCH 15/50] Added "chkconfig --add" to httpsd service. --- apache/manifests/redhat.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/apache/manifests/redhat.pp b/apache/manifests/redhat.pp index 178ef45..45f3390 100644 --- a/apache/manifests/redhat.pp +++ b/apache/manifests/redhat.pp @@ -176,7 +176,13 @@ class apache::redhat::sslserver { mode => "0755", owner => "root", group => "root", - before => Service["httpsd"], + notify => Exec["chkconfig --add httpsd"], + } + exec { "chkconfig --add httpsd": + user => "root", + path => "/bin:/usr/bin:/sbin:/usr/sbin", + refreshonly => true, + before => Service["httpsd"], } } } From b10de9c0b2d1ec72a0423f57db7484e780a46ca6 Mon Sep 17 00:00:00 2001 
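Review bot: `refreshonly => true` runs `chkconfig --add httpsd` only when the init-script resource sends a refresh, so on hosts where the script already existed before this change, and on any host where the exec fails once, the service is never registered and nothing retries. An idempotent guard covers both cases: drop the `notify`/`refreshonly` pair and give the exec `unless => "chkconfig --list httpsd"`, which should exit non-zero while the service is unregistered (verify on a target host), while keeping `before => Service["httpsd"]`. `user => "root"` is the agent's own identity and adds nothing. The enclosing `class apache::redhat::sslserver` starts before this hunk.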
From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 23 Jan 2013 10:06:32 +0200 Subject: [PATCH 16/50] Fixed apache module loading for Fedora 18. --- apache/templates/httpsd.conf.erb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apache/templates/httpsd.conf.erb b/apache/templates/httpsd.conf.erb index 1b9c659..d6710fe 100644 --- a/apache/templates/httpsd.conf.erb +++ b/apache/templates/httpsd.conf.erb @@ -145,6 +145,9 @@ MaxRequestsPerChild 0 # Example: # LoadModule foo_module modules/mod_foo.so # +<% if operatingsystem == 'Fedora' and operatingsystemrelease > 17 -%> +Include conf.modules.d/*.conf +<% else -%> LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule auth_digest_module modules/mod_auth_digest.so LoadModule authn_file_module modules/mod_authn_file.so @@ -199,6 +202,7 @@ LoadModule mem_cache_module modules/mod_mem_cache.so <% end -%> LoadModule cgi_module modules/mod_cgi.so LoadModule version_module modules/mod_version.so +<% end -%> # # The following modules are not loaded by default: From 936499737c85b069df06d35b9975bdf2c18950f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 23 Jan 2013 11:12:05 +0200 Subject: [PATCH 17/50] Fixed operatingsystemrelease comparison from httpsd.conf. --- apache/templates/httpsd.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/templates/httpsd.conf.erb b/apache/templates/httpsd.conf.erb index d6710fe..5b90945 100644 --- a/apache/templates/httpsd.conf.erb +++ b/apache/templates/httpsd.conf.erb @@ -145,7 +145,7 @@ MaxRequestsPerChild 0 # Example: # LoadModule foo_module modules/mod_foo.so # -<% if operatingsystem == 'Fedora' and operatingsystemrelease > 17 -%> +<% if operatingsystem == 'Fedora' and operatingsystemrelease.to_i > 17 -%> Include conf.modules.d/*.conf <% else -%> LoadModule auth_basic_module modules/mod_auth_basic.so From aaeb20ca1355cde9ea448acd779c437af439d3bf Mon Sep 17 00:00:00 2001 
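Review bot: `operatingsystemrelease.to_i > 17` fixes the String/Integer comparison, but `to_i` maps any release value without leading digits to 0, so a host reporting a development release name silently falls through to the legacy `LoadModule` list instead of failing loudly; if that is acceptable for this fleet it deserves a comment, e.g. `<%# Fedora 18+ uses conf.modules.d; to_i yields 0 for non-numeric release strings -%>`. The same expression is added to `apache/templates/ssl.conf.erb` later in this series, and the two templates will only stay consistent if the test is written once; evaluating it at the top of each template (`<% newlayout = operatingsystem == 'Fedora' && operatingsystemrelease.to_i > 17 -%>`) gives each file a single place to correct.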
From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 23 Jan 2013 11:40:23 +0200 Subject: [PATCH 18/50] Added support for certificate authentication to ldap::server. --- ldap/templates/slapd.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ldap/templates/slapd.conf.erb b/ldap/templates/slapd.conf.erb index ac54d77..4db5924 100644 --- a/ldap/templates/slapd.conf.erb +++ b/ldap/templates/slapd.conf.erb @@ -42,7 +42,7 @@ moduleload <%= name %>.la TLSCertificateFile <%= scope.lookupvar('ssl::certs') %>/slapd.crt TLSCertificateKeyFile <%= scope.lookupvar('ssl::private') %>/slapd.key TLSCACertificatePath <%= scope.lookupvar('ldap::server::config') %>/cacerts -TLSVerifyClient never +TLSVerifyClient try # include database configs include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/database.conf From b94a2e8d11f1abae5eb732200dfb270b7d8f1383 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 23 Jan 2013 13:12:18 +0200 Subject: [PATCH 19/50] Enabled listening of IPv6 interfaces from dns::server. --- dns/files/named.conf.options | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dns/files/named.conf.options b/dns/files/named.conf.options index b683553..8708dc0 100644 --- a/dns/files/named.conf.options +++ b/dns/files/named.conf.options @@ -1,7 +1,7 @@ options { listen-on { any; }; - listen-on-v6 { none; }; + listen-on-v6 { any; }; allow-query { any; }; allow-recursion { trusted; }; From 02a834f9da513a7af14ba09a13da0cc529ee6373 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Wed, 23 Jan 2013 15:37:35 +0200 Subject: [PATCH 20/50] Added ec2_public_ipv4 to host_aliases in ssh::known_hosts --- ssh/manifests/init.pp | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/ssh/manifests/init.pp b/ssh/manifests/init.pp index c47a78d..166fdef 100644 --- a/ssh/manifests/init.pp +++ b/ssh/manifests/init.pp 
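Review bot: `TLSVerifyClient try` changes the failure behaviour for every TLS client, not only those meant to authenticate with certificates: with `try` slapd requests a certificate and terminates the session when one is presented that does not verify against `TLSCACertificatePath`, whereas `allow` would ignore a bad certificate and continue. Confirm that no existing client sends a certificate from a CA outside that directory (and that the directory is hash-indexed as OpenSSL requires), and record the choice in the template: `# try: request a client cert; an unverifiable cert aborts the session, no cert is fine`. On its own this only verifies certificates — mapping a subject to an LDAP identity for SASL EXTERNAL still needs an `authz-regexp` (or equivalent) somewhere outside this hunk, so "certificate authentication" is only half configured here unless that exists already.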
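Review bot: `listen-on-v6 { any; }` exposes the server on every IPv6 address, while the recursion policy beside it stays `allow-recursion { trusted; }`; if the `trusted` ACL (defined outside this hunk) lists only IPv4 prefixes, IPv6 clients on the same networks will be refused recursion while any external IPv6 host can still query the authoritative data. The IPv6 prefixes should go into `trusted` in the same change, and the ip6tables rules managed by the firewall module need 53/udp and 53/tcp opened, otherwise the listener is unreachable or inconsistently reachable. A short comment keeps the coupling visible: `// IPv6 listening enabled; keep the trusted ACL and ip6tables rules in sync`.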
@@ -12,14 +12,19 @@ class ssh::known_hosts { }, } + $shortname = inline_template("<%= homename.split('.')[0] %>") + + if $::ec2_public_ipv4 { + $aliases = [ $shortname, $::ipaddress, $::ec2_public_ipv4 ] + } else { + $aliases = [ $shortname, $::ipaddress ] + } + @@sshkey { $homename: ensure => present, type => rsa, key => $sshrsakey, - host_aliases => [ - inline_template("<%= homename.split('.')[0] %>"), - $::ipaddress, - ], + host_aliases => $aliases, require => File["/etc/ssh/ssh_known_hosts"], } From 299f5a11fac6b005fafe5b37e5200387fa3451d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 23 Jan 2013 16:43:05 +0200 Subject: [PATCH 21/50] Initial version of merge function. --- util/lib/puppet/parser/functions/merge.rb | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 util/lib/puppet/parser/functions/merge.rb diff --git a/util/lib/puppet/parser/functions/merge.rb b/util/lib/puppet/parser/functions/merge.rb new file mode 100644 index 0000000..ab5e841 --- /dev/null +++ b/util/lib/puppet/parser/functions/merge.rb @@ -0,0 +1,20 @@ +module Puppet::Parser::Functions + newfunction(:merge, :type => :rvalue) do |args| + + if args.length < 2 + raise Puppet::ParseError, ("merge(): wrong number of arguments (#{args.length}; must be at least 2)") + end + + ret = [] + args.each do |arg| + next if arg == "" + if arg.is_a?(Array) + ret.concat(arg) + else + ret.concat([arg]) + end + end + ret + + end +end From 3d26fe78149a75adf677c391fddd3f597c0f3926 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Wed, 23 Jan 2013 17:12:21 +0200 Subject: [PATCH 22/50] Use merge() for host_aliases in ssh::known_hosts --- ssh/manifests/init.pp | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/ssh/manifests/init.pp b/ssh/manifests/init.pp index 166fdef..a8947b9 100644 --- a/ssh/manifests/init.pp +++ b/ssh/manifests/init.pp 
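Review bot: The function name collides with puppetlabs-stdlib's `merge()` (a hash merge); if that module is ever added to the modulepath the two definitions conflict, so a name that says what this does — concatenate arguments one level deep and drop empty strings, e.g. `list_compact` — avoids the clash. The loop filters only `""`: a `nil` or `:undef` argument (how `undef` may arrive depending on the Puppet version) is appended as-is, so `next if arg == ""` should become `next if arg.nil? || arg == :undef || arg == ""`, and `ret.concat([arg])` is simply `ret << arg`. The parentheses in `raise Puppet::ParseError, ("...")` are unusual and can go. A `:doc => "..."` option on `newfunction` telling manifest authors that arrays are flattened one level and empty values dropped would make the contract visible from `puppet doc`.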
@@ -12,13 +12,10 @@ class ssh::known_hosts { }, } - $shortname = inline_template("<%= homename.split('.')[0] %>") - - if $::ec2_public_ipv4 { - $aliases = [ $shortname, $::ipaddress, $::ec2_public_ipv4 ] - } else { - $aliases = [ $shortname, $::ipaddress ] - } + $aliases = merge(inline_template("<%= homename.split('.')[0] %>"), + $::ipaddress, + $::ipaddress6, + $::ec2_public_ipv4) @@sshkey { $homename: ensure => present, From 18af82f97fe2057ea0a7f1c8962f184c4b239cb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 23 Jan 2013 17:51:03 +0200 Subject: [PATCH 23/50] Fixed Apache ssl.conf for Fedora 18. --- apache/templates/ssl.conf.erb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apache/templates/ssl.conf.erb b/apache/templates/ssl.conf.erb index 5e644f4..54d7f21 100644 --- a/apache/templates/ssl.conf.erb +++ b/apache/templates/ssl.conf.erb @@ -3,7 +3,7 @@ LoadModule ssl_module modules/mod_ssl.so Listen 443 -<% if ['CentOS','RedHat'].index(operatingsystem) or operatingsystem == 'Fedora' -%> +<% if ['Fedora','CentOS','RedHat'].index(operatingsystem) -%> ## ## SSL Global Context ## @@ -30,11 +30,13 @@ SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 +<% unless operatingsystem == 'Fedora' and operatingsystemrelease.to_i > 17 -%> # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. SSLMutex default +<% end -%> # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the # SSL library. The seed data should be of good random quality. From 5924caabe1fe8bc709056225be0d99e0f37ae70a Mon Sep 17 00:00:00 2001 
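Review bot: Exporting `$::ipaddress` and `$::ipaddress6` as host-key aliases pins each node's key to whatever address the facts report at that moment; on fleets with RFC 1918 addresses that repeat across sites, or where an address moves between machines, two nodes export conflicting `known_hosts` entries for the same IP and every collecting host then sees host-key mismatch warnings for one of them. If the addresses are only needed for EC2 or DNS-less access, restricting the aliases to the short name and `$::ec2_public_ipv4` avoids the collision; otherwise state the assumption next to the call: `# aliases must be unique across all exporting nodes; private addresses are not`. `homename` inside the `inline_template` is a non-`$::` top-scope variable while the following arguments are `$::` facts, which is worth making consistent. The enclosing `class ssh::known_hosts` starts before this hunk and continues after it.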
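Review bot: `<% unless operatingsystem == 'Fedora' and operatingsystemrelease.to_i > 17 -%>` combines `unless` with a compound condition, which Ruby style guides discourage because the reader has to negate a conjunction in their head; `<% if operatingsystem != 'Fedora' || operatingsystemrelease.to_i <= 17 -%>` states the same condition positively. The Fedora-18 test also exists in `httpsd.conf.erb` from earlier in this series, so the two templates can drift; a one-line comment here (`<%# SSLMutex was removed from the newer httpd shipped with Fedora 18+ -%>`) at least records why this block is conditional. The `['Fedora','CentOS','RedHat'].index(operatingsystem)` test on the first hunk reads better as `include?`.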
From: Ossi Salmi Date: Thu, 24 Jan 2013 12:16:22 +0200 Subject: [PATCH 24/50] Added dependency on authconfig package to kerberos, ldap and pam modules Fixes #2. --- kerberos/manifests/init.pp | 4 +++- ldap/manifests/init.pp | 8 +++++--- pam/manifests/init.pp | 10 ++++++++-- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/kerberos/manifests/init.pp b/kerberos/manifests/init.pp index 25c41f0..650f4ab 100644 --- a/kerberos/manifests/init.pp +++ b/kerberos/manifests/init.pp @@ -74,6 +74,8 @@ class kerberos::client { # class kerberos::auth { + include pam::common + include kerberos::client $kdclist = inline_template('<%= kerberos_kdc.join(" ") -%>') @@ -86,7 +88,7 @@ class kerberos::auth { path => "/bin:/usr/bin:/sbin:/usr/sbin", unless => "egrep '^USEKERBEROS=yes\$' /etc/sysconfig/authconfig", before => Class["kerberos::client"], - require => Package["pam_krb5"], + require => Package["authconfig", "pam_krb5"], } } default: { diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index e14c9fc..4f1e731 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp @@ -14,6 +14,8 @@ # class ldap::auth inherits ldap::client { + include pam::common + tag("bootstrap") $ldap_uri = inline_template('<%= ldap_server.join(" ") -%>') @@ -31,7 +33,7 @@ class ldap::auth inherits ldap::client { before => [ Augeas["nslcd-conf"], Augeas["pam-ldap-conf"], File["/etc/openldap/ldap.conf"], ], - require => Package["nss-pam-ldapd"], + require => Package["authconfig", "nss-pam-ldapd"], } augeas { "nslcd-conf": changes => [ "set pagesize 500", @@ -69,7 +71,7 @@ class ldap::auth inherits ldap::client { unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"', before => [ Augeas["pam-ldap-conf"], File["/etc/openldap/ldap.conf"], ], - require => Package["nss_ldap"], + require => Package["authconfig", "nss_ldap"], } augeas { "pam-ldap-conf": context => "/files/etc/ldap.conf", 
@@ -100,7 +102,7 @@ class ldap::auth inherits ldap::client { path => "/bin:/usr/bin:/sbin:/usr/sbin", unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"', before => Augeas["sssd-conf"], - require => [ Package["sssd"], Package["pam_ldap"], ], + require => Package["authconfig", "sssd", "pam_ldap"], } augeas { "sssd-conf": changes => [ diff --git a/pam/manifests/init.pp b/pam/manifests/init.pp index 6fd7ee7..7006104 100644 --- a/pam/manifests/init.pp +++ b/pam/manifests/init.pp @@ -4,6 +4,11 @@ class pam::common { case $::operatingsystem { + "centos","redhat","fedora": { + package { "authconfig": + ensure => installed, + } + } "ubuntu": { package { "libpam-runtime": ensure => installed, @@ -28,8 +33,9 @@ class pam::mkhomedir { case $::operatingsystem { "centos","redhat","fedora": { exec { "authconfig --enablemkhomedir --update": - path => "/bin:/usr/bin:/sbin:/usr/sbin", - unless => "egrep '^USEMKHOMEDIR=yes\$' /etc/sysconfig/authconfig", + path => "/bin:/usr/bin:/sbin:/usr/sbin", + unless => "egrep '^USEMKHOMEDIR=yes\$' /etc/sysconfig/authconfig", + require => Package["authconfig"], } } "ubuntu": { From 3a40b11a620284fd9d278969929de12ebbbf7fac Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Thu, 24 Jan 2013 13:00:20 +0200 Subject: [PATCH 25/50] Added fix for mod_wsgi socket path on CentOS/RedHat/Fedora --- apache/files/mod_wsgi.conf | 2 ++ apache/manifests/init.pp | 7 +++++++ 2 files changed, 9 insertions(+) create mode 100644 apache/files/mod_wsgi.conf diff --git a/apache/files/mod_wsgi.conf b/apache/files/mod_wsgi.conf new file mode 100644 index 0000000..c74e96a --- /dev/null +++ b/apache/files/mod_wsgi.conf @@ -0,0 +1,2 @@ +LoadModule wsgi_module modules/mod_wsgi.so +WSGISocketPrefix /var/run/mod_wsgi/wsgi diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp index 07fcbb6..7a6ec23 100644 --- a/apache/manifests/init.pp +++ b/apache/manifests/init.pp 
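Review bot: The `pam::mkhomedir` exec now carries `require => Package["authconfig"]`, but that package is declared in `pam::common` and nothing in the hunk shows `pam::mkhomedir` including it, so a node that reaches `pam::mkhomedir` without also evaluating `kerberos::auth` or `ldap::auth` fails catalog compilation on the missing resource. Adding `include pam::common` at the top of `pam::mkhomedir` (its class header is outside the hunk) mirrors what this commit does for `kerberos::auth` and `ldap::auth`. The ldap and kerberos hunks in this commit are covered by the includes they add.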
@@ -674,8 +674,15 @@ class apache::mod::wsgi { } "centos","redhat","fedora": { apache::configfile { "wsgi.conf": + source => "puppet:///modules/apache/mod_wsgi.conf", require => Package["mod_wsgi"], } + file { "/var/run/mod_wsgi": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } } default: { fail("Apache module not supported in ${::operatingsystem}.") From 1f760fa70a64163c669c765afce78e8402dacce5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 24 Jan 2013 17:33:13 +0200 Subject: [PATCH 26/50] Initial version of motd module. --- motd/files/empty | 0 motd/manifests/init.pp | 29 +++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 motd/files/empty create mode 100644 motd/manifests/init.pp diff --git a/motd/files/empty b/motd/files/empty new file mode 100644 index 0000000..e69de29 diff --git a/motd/manifests/init.pp b/motd/manifests/init.pp new file mode 100644 index 0000000..3df5908 --- /dev/null +++ b/motd/manifests/init.pp @@ -0,0 +1,29 @@ + +# Deploy motd file to server +# +class motd { + + case $::operatingsystem { + "ubuntu": { + package { "update-motd": + ensure => absent, + } + } + } + + file { "/etc/motd": + ensure => present, + source => [ + "puppet:///files/motd/motd.${::homename}", + "puppet:///files/motd/motd", + "puppet:///modules/motd/empty", + ], + mode => "0644", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + } + +} From 946faaf085f0a17dcde8273c234150f54e726827 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Sat, 26 Jan 2013 13:07:55 +0200 Subject: [PATCH 27/50] Fixed firewall module for Fedora 18 when firewall-config package is installed. --- firewall/manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/firewall/manifests/init.pp b/firewall/manifests/init.pp index 489e753..bccfb4f 100644 --- a/firewall/manifests/init.pp +++ b/firewall/manifests/init.pp 
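Review bot: `file { "/var/run/mod_wsgi": ensure => directory, ... }` is created once by Puppet, but on releases where `/var/run` is a tmpfs (Fedora 15 and later, which this series targets) the directory is gone after a reboot, and mod_wsgi daemon processes have nowhere to create the sockets named by `WSGISocketPrefix /var/run/mod_wsgi/wsgi` until the next agent run. A tmpfiles.d entry managed next to this resource (constructed example: `d /var/run/mod_wsgi 0755 root root -`) closes that gap on systemd hosts. This repository labels other httpd-written paths with `seltype`; a socket directory under `/var/run` presumably needs `httpd_var_run_t` rather than the default it inherits, so `seltype => "httpd_var_run_t"` is worth confirming with `matchpathcon` on a target host before adding it.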
@@ -112,6 +112,10 @@ class firewall::common::iptables { $ip6states = versioncmp($::kernelversion, "2.6.20") if $::operatingsystem == "Fedora" and $::operatingsystemrelease > 17 { + package { "firewall-config": + ensure => absent, + before => Package["firewalld"], + } package { "firewalld": ensure => absent, before => Package["iptables"], From 42360e66e81a117cd20e08a0724d1664f48bca2d Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Sat, 2 Feb 2013 21:55:18 +0200 Subject: [PATCH 28/50] Added seltype for http log directories --- apache/manifests/redhat.pp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/apache/manifests/redhat.pp b/apache/manifests/redhat.pp index 45f3390..eba1b58 100644 --- a/apache/manifests/redhat.pp +++ b/apache/manifests/redhat.pp @@ -74,11 +74,12 @@ define apache::redhat::site($aliases, $root, $redirect) { } file { "/srv/www/log/http/${site_fqdn}": - ensure => directory, - mode => "0755", - owner => root, - group => root, - before => File[$site_conf], + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + seltype => "httpd_log_t", + before => File[$site_conf], } } } From 3704a86d5093d5a05649cbf13aa5e2fab798e64b Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Sat, 2 Feb 2013 21:57:59 +0200 Subject: [PATCH 29/50] Added seltype for auth_credentials.php in vsroom module --- vsroom/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/vsroom/manifests/init.pp b/vsroom/manifests/init.pp index 8fec5c2..cc27a58 100644 --- a/vsroom/manifests/init.pp +++ b/vsroom/manifests/init.pp @@ -40,6 +40,7 @@ class vsroom::collab { mode => "0660", owner => "collab", group => "collab", + seltype => "httpd_sys_rw_content_t", source => "${vsroom::common::htdocs}/common/auth_credentials.php", require => [ File["/srv/wikis/collab/htdocs"], From 68ac64b13f4687bcc87c594097fab52501ba7991 Mon Sep 17 00:00:00 2001 
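Review bot: `seltype => "httpd_sys_rw_content_t"` on `auth_credentials.php` lets the web server processes rewrite a credentials file that is otherwise held to mode 0660 and owner `collab`; if the application only reads this file at runtime, `httpd_sys_content_t` (readable but not writable by httpd) keeps the type-enforcement boundary as tight as the DAC one. If the application does need to write it, a one-line comment above the attribute saying so would stop the next reviewer from downgrading it. The `require => [ ... ]` list continues past the end of the hunk.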
From: Ossi Salmi Date: Thu, 31 Jan 2013 20:53:08 +0200 Subject: [PATCH 30/50] Added 'first' parameter to apache::sslsite When set to true, ensures the site configuration is loaded first, thus becoming the default virtual host when NameVirtualHost (and SNI) is used. --- apache/manifests/debian.pp | 12 +++++++++--- apache/manifests/init.pp | 7 ++++++- apache/manifests/redhat.pp | 12 +++++++++--- 3 files changed, 24 insertions(+), 7 deletions(-) diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp index 41e6181..2cefa81 100644 --- a/apache/manifests/debian.pp +++ b/apache/manifests/debian.pp @@ -180,7 +180,8 @@ class apache::debian::sslserver inherits apache::debian::common { } -define apache::debian::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) { +define apache::debian::sslsite($first, $ipaddr, $root, + $ssl_cert, $ssl_key, $ssl_chain) { if $name == "default" { $site_fqdn = $homename @@ -253,8 +254,13 @@ define apache::debian::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) } } - $site_conf = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf" - $site_confdir = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.d" + if $first == true { + $site_conf = "/etc/httpd/site.https.d/00-${site_fqdn}.conf" + $site_confdir = "/etc/httpd/site.https.d/00-${site_fqdn}.d" + } else { + $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf" + $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d" + } file { $site_conf: ensure => present, diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp index 7a6ec23..cbfea9b 100644 --- a/apache/manifests/init.pp +++ b/apache/manifests/init.pp @@ -248,6 +248,9 @@ class apache::sslserver::listen { # # $name: # FQDN of virtual host. +# $first: +# Bool for whether this is the first (default) vhost +# when using NameVirtualHost. Defaults to false. # $ipaddr: # IP address of virtual host. Defaults to _default_. # $root: 
@@ -267,7 +270,7 @@ class apache::sslserver::listen { # ssl_key => "puppet:///path/to/www.example.com.key", # } # -define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") { +define apache::sslsite($first=false, $ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") { include apache::sslserver::listen @@ -275,6 +278,7 @@ define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", "debian","ubuntu": { $apache_ssldir = "/etc/ssl" apache::debian::sslsite { $name: + first => $first, ipaddr => $ipaddr, root => $root, ssl_cert => $ssl_cert, @@ -286,6 +290,7 @@ define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", "centos","redhat","fedora": { $apache_ssldir = "/etc/pki/tls" apache::redhat::sslsite { $name: + first => $first, ipaddr => $ipaddr, root => $root, ssl_cert => $ssl_cert, diff --git a/apache/manifests/redhat.pp b/apache/manifests/redhat.pp index eba1b58..023efe5 100644 --- a/apache/manifests/redhat.pp +++ b/apache/manifests/redhat.pp @@ -219,7 +219,8 @@ class apache::redhat::sslserver { } -define apache::redhat::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) { +define apache::redhat::sslsite($first, $ipaddr, $root, + $ssl_cert, $ssl_key, $ssl_chain) { if $name == "default" { $site_fqdn = $homename @@ -293,8 +294,13 @@ define apache::redhat::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) } } - $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf" - $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d" + if $first == true { + $site_conf = "/etc/httpd/site.https.d/00-${site_fqdn}.conf" + $site_confdir = "/etc/httpd/site.https.d/00-${site_fqdn}.d" + } else { + $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf" + $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d" + } file { $site_conf: ensure => present, From 93f029a4a3532ba0f01f98ba2871747d92177a89 Mon Sep 17 00:00:00 2001 
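Review bot: Switching `$first` on an existing site changes `$site_conf` between `00-${site_fqdn}.conf` and `${site_fqdn}.conf`, but the file under the previous name is never removed, so after the toggle Apache loads two definitions of the same vhost (the same applies to `$site_confdir`). Declaring the unused name absent in each branch, e.g. `file { "/etc/httpd/site.https.d/${site_fqdn}.conf": ensure => absent }` in the `$first == true` branch and the `00-` form in the other (with `force => true` for the directory), keeps the directory consistent; the `debian.pp` hunk in this commit has the same gap. The `file { $site_conf: ... }` resource continues past the end of the hunk.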
From: Ossi Salmi Date: Thu, 31 Jan 2013 21:01:41 +0200 Subject: [PATCH 31/50] Fixed paths in apache::debian::sslsite --- apache/manifests/debian.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp index 2cefa81..c05721e 100644 --- a/apache/manifests/debian.pp +++ b/apache/manifests/debian.pp @@ -255,11 +255,11 @@ define apache::debian::sslsite($first, $ipaddr, $root, } if $first == true { - $site_conf = "/etc/httpd/site.https.d/00-${site_fqdn}.conf" - $site_confdir = "/etc/httpd/site.https.d/00-${site_fqdn}.d" + $site_conf = "/etc/apache2/sites-enabled/00-${site_fqdn}-ssl.conf" + $site_confdir = "/etc/apache2/sites-enabled/00-${site_fqdn}-ssl.d" } else { - $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf" - $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d" + $site_conf = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf" + $site_confdir = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.d" } file { $site_conf: From 603df85ceacfc51b1b20719f9019820b13c0d5f4 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Mon, 4 Feb 2013 14:27:14 +0200 Subject: [PATCH 32/50] Added init script for abusehelper botnets $abusehelper_botnets is an array of botnet paths to be started at boot, for example: $abusehelper_botnets = ["/var/lib/ah2/botnet1", "/var/lib/ah2/botnet2"] --- abusehelper/files/botnet.init | 81 ++++++++++++++++++++++ abusehelper/manifests/init.pp | 41 ++++++++++- abusehelper/templates/botnet.sysconfig.erb | 2 + 3 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 abusehelper/files/botnet.init create mode 100644 abusehelper/templates/botnet.sysconfig.erb diff --git a/abusehelper/files/botnet.init b/abusehelper/files/botnet.init new file mode 100644 index 0000000..c22784c --- /dev/null +++ b/abusehelper/files/botnet.init 
@@ -0,0 +1,81 @@ +#!/bin/sh + +# chkconfig: 2345 85 60 +# description: AbuseHelper botnets +# processname: botnet + +### BEGIN INIT INFO +# Provides: botnet +# Required-Start: $local_fs $network $syslog +# Should-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: AbuseHelper botnets +# Description: AbuseHelper botnets +### END INIT INFO + +if [ $(id -u) != "0" ]; then + echo "This script must be run with root privileges." && exit 1 +fi + +if [ -s /etc/default/botnet ]; then + . /etc/default/botnet +elif [ -s /etc/sysconfig/botnet ]; then + . /etc/sysconfig/botnet +fi + +if [ -z "${BOTUSER}" ]; then + echo "$0: no BOTUSER defined" + exit 1 +fi + +if [ -z "${BOTNETS}" ]; then + echo "$0: no BOTNETS defined" + exit 1 +fi + +start_botnets() { + for botnet in ${BOTNETS}; do + echo -n "${botnet}: " + test -d ${botnet} || { echo "No such directory."; continue; } + su -s /bin/sh - ${BOTUSER} \ + -c "umask 007 ; cd ${botnet} && botnet start ." + done +} + +stop_botnets() { + for botnet in ${BOTNETS}; do + echo -n "${botnet}: " + test -d ${botnet} || { echo "No such directory."; continue; } + su -s /bin/sh - ${BOTUSER} \ + -c "umask 007 ; cd ${botnet} && botnet stop ." + done +} + +restart_botnets() { + for botnet in ${BOTNETS}; do + echo -n "${botnet}: " + test -d ${botnet} || { echo "No such directory."; continue; } + su -s /bin/sh - ${BOTUSER} \ + -c "umask 007 ; cd ${botnet} && botnet restart ." + done +} + +case "$1" in + start) + start_botnets + ;; + stop) + stop_botnets + ;; + restart) + restart_botnets + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 diff --git a/abusehelper/manifests/init.pp b/abusehelper/manifests/init.pp index f9bb072..11a6626 100644 --- a/abusehelper/manifests/init.pp +++ b/abusehelper/manifests/init.pp 
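Review bot: `echo -n "${botnet}: "` in a `#!/bin/sh` script is not portable — on Debian/Ubuntu, which the manifest targets via `/etc/default/botnet`, `/bin/sh` is dash and prints a literal `-n` — and `start_botnets`, `stop_botnets` and `restart_botnets` are the same loop with a different verb. Folding them into one function that takes the action, quoting `${botnet}` and `${BOTUSER}`, and propagating a failed `su` into the exit status instead of the unconditional `exit 0` gives Puppet a usable return code; a `status` action is also missing, which matters once the manifest manages `Service["botnet"]`. The sketch below keeps the "No such directory" case as best-effort, as the original does; the root check and config sourcing are unchanged.
```sh
run_botnets() {
    action=$1
    rc=0
    for botnet in ${BOTNETS}; do
        printf '%s: ' "${botnet}"
        test -d "${botnet}" || { echo "No such directory."; continue; }
        su -s /bin/sh - "${BOTUSER}" \
            -c "umask 007 ; cd ${botnet} && botnet ${action} ." || rc=1
    done
    return ${rc}
}

# … unchanged: root check and sourcing of /etc/default/botnet or /etc/sysconfig/botnet …

case "$1" in
    start|stop|restart)
        run_botnets "$1"
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

exit $?
```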
@@ -1,4 +1,12 @@ -# Install abusehelper from svn. +# Install abusehelper. +# +# === Global variables +# +# $abusehelper_botnets +# Array of botnet paths to start at boot. +# +# $abusehelper_user +# User botnets run as. Defaults to 'abusehel'. # class abusehelper { @@ -105,4 +113,35 @@ class abusehelper { } } + if !$abusehelper_user { + $abusehelper_user = "abusehel" + } + + if $abusehelper_botnets { + file { "/etc/init.d/botnet": + ensure => present, + mode => "0755", + owner => "root", + group => "root", + source => "puppet:///modules/abusehelper/botnet.init", + before => Service["botnet"], + } + file { "/etc/sysconfig/botnet": + ensure => present, + name => $::operatingsystem ? { + "debian" => "/etc/default/botnet", + "ubuntu" => "/etc/default/botnet", + default => "/etc/sysconfig/botnet", + }, + mode => "0644", + owner => "root", + group => "root", + content => template("abusehelper/botnet.sysconfig.erb"), + before => Service["botnet"], + } + service { "botnet": + enable => true, + } + } + } diff --git a/abusehelper/templates/botnet.sysconfig.erb b/abusehelper/templates/botnet.sysconfig.erb new file mode 100644 index 0000000..e1dc5d6 --- /dev/null +++ b/abusehelper/templates/botnet.sysconfig.erb @@ -0,0 +1,2 @@ +BOTUSER="<%= abusehelper_user %>" +BOTNETS="<%= abusehelper_botnets.join(" ") %>" From cf86b4c652676dee3e6283644fa4fa2b05a7cfe7 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Mon, 4 Feb 2013 15:01:00 +0200 Subject: [PATCH 33/50] Properly enable botnet service --- abusehelper/manifests/init.pp | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/abusehelper/manifests/init.pp b/abusehelper/manifests/init.pp index 11a6626..2db1f5d 100644 --- a/abusehelper/manifests/init.pp +++ b/abusehelper/manifests/init.pp 
@@ -118,14 +118,6 @@ class abusehelper {
 }
 if $abusehelper_botnets {
- file { "/etc/init.d/botnet":
- ensure => present,
- mode => "0755",
- owner => "root",
- group => "root",
- source => "puppet:///modules/abusehelper/botnet.init",
- before => Service["botnet"],
- }
 file { "/etc/sysconfig/botnet":
 ensure => present,
 name => $::operatingsystem ? {
@@ -139,6 +131,26 @@ class abusehelper {
 content => template("abusehelper/botnet.sysconfig.erb"),
 before => Service["botnet"],
 }
+
+ file { "/etc/init.d/botnet":
+ ensure => present,
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/abusehelper/botnet.init",
+ notify => Exec["add-service-botnet"],
+ }
+ exec { "add-service-botnet":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ command => $::operatingsystem ? {
+ "debian" => "update-rc.d botnet defaults",
+ "ubuntu" => "update-rc.d botnet defaults",
+ default => "chkconfig --add botnet",
+ },
+ refreshonly => true,
+ before => Service["botnet"],
+ }
+
 service { "botnet":
 enable => true,
 }
From f1004b8027f60d1af97395f45e6f3135d43e237a Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Mon, 4 Feb 2013 16:06:00 +0200
Subject: [PATCH 34/50] Updated rails version number to 2.3.16 on CentOS 6 Run 'gem cleanup' and restart puppetmaster after puppet run to remove the old version.
---
ruby/manifests/init.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ruby/manifests/init.pp b/ruby/manifests/init.pp
index 18d25d0..c50dd44 100644
--- a/ruby/manifests/init.pp
+++ b/ruby/manifests/init.pp
@@ -52,7 +52,7 @@ class ruby::rails {
 } else {
 require ruby::rubygems
 package { "rubygem-rails":
- ensure => "2.3.15",
+ ensure => "2.3.16",
 name => "rails",
 provider => "gem",
 }
From 47f614031fc800ec0d758fe7bfca2fb2d5a43d9e Mon Sep 17 00:00:00 2001
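Review bot: `service { "botnet": enable => true, }` still carries no `ensure`, so this commit wires up `chkconfig --add` / `update-rc.d` but a node whose botnets are stopped stays stopped until reboot, and a changed `/etc/sysconfig/botnet` never restarts anything because nothing subscribes to it. If `ensure => running` is added, note that `botnet.init` (added in the previous commit) has no `status` action, so Puppet's default status probe falls into the usage branch and exits 1 on every run; either add a `status` action to the script or set `hasstatus => false` together with an explicit `status` command. The `notify => Exec["add-service-botnet"]` from the init-script file resource is the right trigger for registration, but registering the service and (re)starting it remain two separate concerns worth a short comment.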
From: Ossi Herrala Date: Tue, 5 Feb 2013 12:35:21 +0000 Subject: [PATCH 35/50] Generate CA certificate database from file /etc/openldap/ca-certificates.crt --- ldap/manifests/init.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index 4f1e731..45a16b9 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp @@ -436,6 +436,22 @@ class ldap::server { notify => Service["slapd"], } + file { "/etc/openldap/cacerts": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + require => Package["openldap-server"], + } + exec { "populate-etc-openldap-cacerts": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "csplit /etc/openldap/ca-certificates.crt '/BEGIN/' '{*}' ; sh -c 'for i in x* ; do name=`openssl x509 -hash -noout -in \$i`.0 ; openssl x509 -hash -in \$i -out \$name ; done' && rm -f x* .0", + cwd => "/etc/openldap/cacerts", + onlyif => "find /etc/openldap/cacerts ! -newer /etc/openldap/ca-certificates.crt | egrep '.*' || [ -z \"`ls /etc/openldap/cacerts`\" ]", + require => File["/etc/openldap/cacerts"], + before => Service["slapd"], + } + file { "slapd.conf": ensure => present, path => "${config}/slapd.conf", From 6ab334fa625c4815fee3f5bd6f75ea8a7098a8ee Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Tue, 5 Feb 2013 12:56:14 +0000 Subject: [PATCH 36/50] Run slaptest to validate configuration files before (re)starting slapd service. --- ldap/manifests/init.pp | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index 45a16b9..a28ee40 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp @@ -365,7 +365,7 @@ class ldap::server { command => "usermod -a -G ssl-cert openldap", unless => "id -n -G openldap | grep '\\bssl-cert\\b'", require => Package["openldap-server"], - before => Service["slapd"], + before => Exec["slaptest"], } } "fedora": { 
@@ -424,7 +424,7 @@ class ldap::server { default => "root", }, require => Package["openldap-server"], - notify => Service["slapd"], + notify => Exec["slaptest"], } file { "${ssl::private}/slapd.key": ensure => present, @@ -433,7 +433,7 @@ class ldap::server { owner => "root", group => $group, require => Package["openldap-server"], - notify => Service["slapd"], + notify => Exec["slaptest"], } file { "/etc/openldap/cacerts": @@ -449,7 +449,7 @@ class ldap::server { cwd => "/etc/openldap/cacerts", onlyif => "find /etc/openldap/cacerts ! -newer /etc/openldap/ca-certificates.crt | egrep '.*' || [ -z \"`ls /etc/openldap/cacerts`\" ]", require => File["/etc/openldap/cacerts"], - before => Service["slapd"], + before => Exec["slaptest"], } file { "slapd.conf": @@ -459,7 +459,7 @@ class ldap::server { mode => "0640", owner => "root", group => $group, - notify => Service["slapd"], + notify => Exec["slaptest"], require => Package["openldap-server"], } file { "${config}/slapd.conf.d": @@ -484,7 +484,7 @@ class ldap::server { mode => "0644", owner => "root", group => "root", - notify => Service["slapd"], + notify => Exec["slaptest"], require => Package["openldap-server"], } } @@ -495,12 +495,20 @@ class ldap::server { mode => "0644", owner => "root", group => "root", - notify => Service["slapd"], + notify => Exec["slaptest"], require => Package["openldap-server"], } } } + exec { "slaptest": + command => "slaptest", + path => "/bin:/usr/bin:/sbin:/usr/sbin", + refreshonly => true, + require => File["${config}/slapd.conf.d"], + notify => Service["slapd"], + } + service { "slapd": name => $service_name, start => $::operatingsystem ? { @@ -509,7 +517,7 @@ class ldap::server { }, ensure => running, enable => true, - require => Package ["openldap-server"] + require => Package["openldap-server"] } if $ldap_datadir { 
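Review bot: `exec { "slaptest": command => "slaptest", ... }` validates whatever configuration path is compiled into the binary, while the files this class manages live under `${config}`; where the two differ the check passes or fails against the wrong file. Passing the path explicitly, `command => "slaptest -f ${config}/slapd.conf"`, ties the validation to the managed config, and `-u` skips opening the databases, which matters on a first run before `ldap::server::database` has created them. The gating itself is sound: a failed slaptest stops the notify chain, so a broken config never reaches `Service["slapd"]`, and that intent deserves a comment above the exec.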
@@ -578,7 +586,7 @@ class ldap::server { path => "/bin:/usr/bin:/sbin:/usr/sbin", refreshonly => true, require => File["${config}/slapd.conf.d"], - notify => Service["slapd"], + notify => Exec["slaptest"], } ldap::server::schema { [ "core", "cosine", "ppolicy", ]: idx => 10, @@ -590,13 +598,13 @@ class ldap::server { owner => "root", group => $group, require => Exec["generate-slapd-database-config"], - notify => Service["slapd"], + notify => Exec["slaptest"], } exec { "generate-slapd-database-config": command => "find ${config}/slapd.conf.d/db.*.conf -exec echo 'include {}' \\; > ${config}/slapd.conf.d/database.conf", path => "/bin:/usr/bin:/sbin:/usr/sbin", refreshonly => true, - notify => Service["slapd"], + notify => Exec["slaptest"], } } @@ -654,7 +662,7 @@ define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $modu mode => "0640", owner => "root", group => $ldap::server::group, - notify => Service["slapd"], + notify => Exec["slaptest"], } file { "${ldap::server::config}/slapd.conf.d/index.${name}.conf": @@ -665,7 +673,7 @@ define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $modu mode => "0640", owner => "root", group => $ldap::server::group, - notify => Service["slapd"], + notify => Exec["slaptest"], } file { "/srv/ldap/${name}": @@ -690,7 +698,7 @@ define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $modu }, seltype => "slapd_db_t", require => File["/srv/ldap/${name}"], - before => Service["slapd"], + before => Exec["slaptest"], } } From 11d7479ca81f55bafe97417627f0db7e1528dc90 Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Tue, 5 Feb 2013 13:52:52 +0000 Subject: [PATCH 37/50] Remove CA certificate database creation code for now. --- ldap/manifests/init.pp | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index a28ee40..220ed3f 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp 
@@ -436,22 +436,6 @@ class ldap::server { notify => Exec["slaptest"], } - file { "/etc/openldap/cacerts": - ensure => directory, - mode => "0755", - owner => "root", - group => "root", - require => Package["openldap-server"], - } - exec { "populate-etc-openldap-cacerts": - path => "/bin:/usr/bin:/sbin:/usr/sbin", - command => "csplit /etc/openldap/ca-certificates.crt '/BEGIN/' '{*}' ; sh -c 'for i in x* ; do name=`openssl x509 -hash -noout -in \$i`.0 ; openssl x509 -hash -in \$i -out \$name ; done' && rm -f x* .0", - cwd => "/etc/openldap/cacerts", - onlyif => "find /etc/openldap/cacerts ! -newer /etc/openldap/ca-certificates.crt | egrep '.*' || [ -z \"`ls /etc/openldap/cacerts`\" ]", - require => File["/etc/openldap/cacerts"], - before => Exec["slaptest"], - } - file { "slapd.conf": ensure => present, path => "${config}/slapd.conf", From f7298b567117616ecede5c2eb1c3e5c53b65c8e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 6 Feb 2013 09:23:27 +0200 Subject: [PATCH 38/50] Fixed SELinux context from apache logrotate script in Fedora. --- apache/manifests/init.pp | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp index 7a6ec23..d525281 100644 --- a/apache/manifests/init.pp +++ b/apache/manifests/init.pp 
@@ -81,9 +81,16 @@ class apache::common { group => "root", seltype => "httpd_rotatelogs_exec_t", } - selinux::manage_fcontext { "/usr/local/sbin/www-logrotate.sh": - type => "httpd_rotatelogs_exec_t", - before => File["/usr/local/sbin/www-logrotate.sh"], + if $::operatingsystem == "Fedora" and $::operatingsystemrelease > 17 { + selinux::manage_fcontext { "/usr/sbin/www-logrotate.sh": + type => "httpd_rotatelogs_exec_t", + before => File["/usr/local/sbin/www-logrotate.sh"], + } + } else { + selinux::manage_fcontext { "/usr/local/sbin/www-logrotate.sh": + type => "httpd_rotatelogs_exec_t", + before => File["/usr/local/sbin/www-logrotate.sh"], + } } cron { "www-logrotate": From 6bacdd65ee2124fb79a8b2711a885f6bb0686c29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 6 Feb 2013 10:31:46 +0200 Subject: [PATCH 39/50] Fixed SELinux context from munin cache directory for use with munin cgi scripts. --- munin/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/munin/manifests/init.pp b/munin/manifests/init.pp index bc7db4c..431ae5b 100644 --- a/munin/manifests/init.pp +++ b/munin/manifests/init.pp @@ -244,11 +244,11 @@ class munin::server { mode => "0775", owner => "munin", group => $apache::sslserver::group, - seltype => "httpd_munin_rw_content_t", + seltype => "httpd_sys_rw_content_t", require => Package["munin"], } selinux::manage_fcontext { "/var/cache/munin(/.*)?": - type => "httpd_munin_rw_content_t", + type => "httpd_sys_rw_content_t", before => File["/var/cache/munin"], } mount { "/var/cache/munin": From a1b6379b9a0699394e47818857e515c25749a0fe Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Thu, 7 Feb 2013 10:50:37 +0000 Subject: [PATCH 40/50] Use database name for Base DN in replication. Works better in multi DB LDAP configuration. --- ldap/templates/slapd-database.conf.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
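Review bot: In the Fedora > 17 branch the file context is registered for `/usr/sbin/www-logrotate.sh`, while the managed file and the `before` target are both `/usr/local/sbin/www-logrotate.sh`, so as written the `semanage` entry and the file it is meant to label do not match. If this is deliberate because the Fedora 18 policy maps `/usr/local/sbin` onto `/usr/sbin` through a file-context equivalence, a comment above the branch saying so is needed; otherwise both branches become identical and the conditional can go. The `cron { "www-logrotate": ... }` resource continues past the end of the hunk.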
diff --git a/ldap/templates/slapd-database.conf.erb b/ldap/templates/slapd-database.conf.erb index 8711540..32d4125 100644 --- a/ldap/templates/slapd-database.conf.erb +++ b/ldap/templates/slapd-database.conf.erb @@ -40,7 +40,7 @@ syncrepl rid=2 provider=<%= master %> type=refreshAndPersist retry="10 10 60 +" - searchbase="<%= ldap_basedn %>" + searchbase="<%= name %>" filter="(objectClass=*)" scope="sub" sizelimit=500000 @@ -48,7 +48,7 @@ syncrepl rid=2 schemachecking="off" bindmethod="simple" tls_reqcert="never" - binddn="uid=replicator,cn=config,<%= ldap_basedn %>" + binddn="uid=replicator,cn=config,<%= name %>" credentials="<%= syncpw %>" updateref <%= master %> <% end -%> From 933a2fce34539633a3f285e36a5f648cd150e6d3 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Thu, 7 Feb 2013 14:05:39 +0200 Subject: [PATCH 41/50] Updated Moin version to 1.9.6 in wiki/Makefile --- wiki/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wiki/Makefile b/wiki/Makefile index 84864ae..8302049 100644 --- a/wiki/Makefile +++ b/wiki/Makefile @@ -4,7 +4,7 @@ GWIKIBRANCH = default GWIKISOURCE = https://bitbucket.org/clarifiednetworks/graphingwiki/get/$(GWIKIBRANCH).tar.gz GWIKITARGET = graphingwiki-$(GWIKIBRANCH)-$(TIMESTAMP).tar.gz -MOINVERSION = 1.9.4 +MOINVERSION = 1.9.6 MOINSOURCE = http://static.moinmo.in/files/moin-$(MOINVERSION).tar.gz MOINTARGET = moin-$(MOINVERSION).tar.gz From d23e9995d6ae910a11e029d531713e7a661eded5 Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Thu, 7 Feb 2013 12:26:24 +0000 Subject: [PATCH 42/50] Introduce configurable rid ("Replica ID"?) per database. This is needed for multi DB replication. --- ldap/manifests/init.pp | 11 ++++++++++- ldap/templates/slapd-database.conf.erb | 4 ++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index 220ed3f..ac90b62 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp 
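Review bot: The replication block now binds as `binddn="uid=replicator,cn=config,<%= name %>"` with the cleartext `credentials="<%= syncpw %>"`, and the unchanged `tls_reqcert="never"` two lines above means the consumer never verifies the provider's certificate, so the bind password travels over a TLS session that any host able to answer for `<%= master %>` can terminate. Unless the provider certificate genuinely cannot be validated, `tls_reqcert="demand"` together with a `tls_cacert` entry pointing at the CA that signed it is what protects the password; if `never` is deliberate, a comment above it stating why would help. It is also worth confirming that each replicated database holds a `uid=replicator,cn=config` entry under its own suffix now that the bind DN is derived from the database name.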
@@ -611,6 +611,9 @@ class ldap::server {
 # Password for uid=replicator,cn=config,${name} user on master.
 # Only needed for slave databases.
 #
+# $rid:
+# Replica ID. Must be unique per replica per database.
+#
 # $moduleoptions:
 # Options for overlay modules.
 #
@@ -620,10 +623,16 @@ class ldap::server {
 # moduleoptions => [ "smbkrb5pwd-enable=samba", ]
 # }
 #
-define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $moduleoptions = []) {
+define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $rid = "", $moduleoptions = []) {
 include ldap::server
+ if $rid == "" {
+ $rid_real = fqdn_rand(999)
+ } else {
+ $rid_real = $rid
+ }
+
 file { "${ldap::server::config}/slapd.conf.d/db.${name}.conf":
 ensure => present,
 content => template("ldap/slapd-database.conf.erb"),
diff --git a/ldap/templates/slapd-database.conf.erb b/ldap/templates/slapd-database.conf.erb
index 32d4125..bea1fb8 100644
--- a/ldap/templates/slapd-database.conf.erb
+++ b/ldap/templates/slapd-database.conf.erb
@@ -29,14 +29,14 @@ overlay syncprov
 syncprov-checkpoint 100 10
 syncprov-sessionlog 100
-# The database directory MUST exist prior to running slapd AND
+# The database directory MUST exist prior to running slapd AND
 # should only be accessible by the slapd and slap tools.
 # Mode 700 recommended.
 directory /srv/ldap/<%= name %>
 <% if master != "" -%>
 # replication
-syncrepl rid=2
+syncrepl rid=<%= rid_real %>
 provider=<%= master %>
 type=refreshAndPersist
 retry="10 10 60 +"
From e31b70b74948522867b72de89bbe526a985e039b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Fri, 8 Feb 2013 08:53:52 +0200
Subject: [PATCH 43/50] Fixed SELinux contexts from git data directories.
---
git/manifests/init.pp | 24 +++++++++--------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/git/manifests/init.pp b/git/manifests/init.pp
index fc16834..42009c1 100644
--- a/git/manifests/init.pp
+++ b/git/manifests/init.pp
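Review bot: `$rid_real = fqdn_rand(999)` is seeded only by the node's FQDN, so two `ldap::server::database` instances on the same host — the multi-DB case this commit exists for — get the same default rid and break the uniqueness the new header comment requires. Folding the database name into the seed, `$rid_real = fqdn_rand(999, $name)`, keeps the default deterministic per host while separating databases. The `file { "${ldap::server::config}/slapd.conf.d/db.${name}.conf": ... }` resource continues past the end of the hunk.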
@@ -33,10 +33,11 @@ class git::server { if $git_datadir { file { $git_datadir: - ensure => directory, - mode => "0755", - owner => "root", - group => "root", + ensure => directory, + mode => "0755", + owner => "root", + seltype => "git_system_content_t", + group => "root", } file { "/srv/git": ensure => link, @@ -49,20 +50,13 @@ class git::server { mode => "0755", owner => "root", group => "root", - seltype => "httpd_sys_content_t", } } - if "${selinux}" == "true" { - selinux::manage_fcontext { "/srv/git(/.*)?": - type => "httpd_sys_content_t", - before => File["/srv/git"], - } - if $git_datadir { - selinux::manage_fcontext { "${git_datadir}(/.*)?": - type => "httpd_sys_content_t", - before => File[$git_datadir], - } + if $git_datadir { + selinux::manage_fcontext { "${git_datadir}(/.*)?": + type => "git_system_content_t", + before => File[$git_datadir], } } From 2e6f13d0d688f9688102a22160537f85804419a0 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Sat, 9 Feb 2013 01:47:35 +0200 Subject: [PATCH 44/50] Added selinux::restorecond for managing restorecond service --- selinux/files/restorecond.conf | 8 ++++++++ selinux/manifests/init.pp | 28 ++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 selinux/files/restorecond.conf diff --git a/selinux/files/restorecond.conf b/selinux/files/restorecond.conf new file mode 100644 index 0000000..58b723a --- /dev/null +++ b/selinux/files/restorecond.conf @@ -0,0 +1,8 @@ +/etc/services +/etc/resolv.conf +/etc/samba/secrets.tdb +/etc/mtab +/var/run/utmp +/var/log/wtmp +/root/* +/root/.ssh/* diff --git a/selinux/manifests/init.pp b/selinux/manifests/init.pp index 76e57f2..13cd8e1 100644 --- a/selinux/manifests/init.pp +++ b/selinux/manifests/init.pp 
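Review bot: The `if "${selinux}" == "true"` guard around `selinux::manage_fcontext` is dropped, so the new `selinux::manage_fcontext { "${git_datadir}(/.*)?": ... }` is declared on every host with `$git_datadir`, SELinux or not; unless `selinux::manage_fcontext` checks the fact itself (its definition is outside this hunk), hosts without SELinux will attempt `semanage` on each run. Keeping the guard, `if "${::selinux}" == "true" and $git_datadir { ... }`, or confirming that the define is self-guarding and saying so in a comment, settles it. The `/srv/git` file context and its `seltype` are removed together; since `/srv/git` is `ensure => link` when `$git_datadir` is set that is consistent, but a short comment noting that the link inherits the target's labelling would help the next reader.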
@@ -92,6 +92,34 @@ class selinux::tools {
 }
+# Enable restorecond service.
+#
+class selinux::restorecond {
+
+ if $::selinux == "true" {
+ file { "/etc/selinux/restorecond.conf":
+ ensure => present,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ seltype => "selinux_config_t",
+ source => [
+ "puppet:///files/selinux/restorecond.conf.${homename}",
+ "puppet:///files/selinux/restorecond.conf",
+ "puppet:///modules/selinux/restorecond.conf",
+ ],
+ notify => Service["restorecond"],
+ }
+
+ service { "restorecond":
+ ensure => running,
+ enable => true,
+ }
+ }
+
+}
+
+
 # Set SELinux boolean value
 #
 # === Parameters
From e47e3fec213304ed347292b0c9969a542f66c45f Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Sat, 9 Feb 2013 02:01:19 +0200
Subject: [PATCH 45/50] Fixed slaptest exec path for OpenBSD
---
ldap/manifests/init.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index ac90b62..902caa8 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@@ -487,7 +487,7 @@ class ldap::server {
 exec { "slaptest":
 command => "slaptest",
- path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ path => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
 refreshonly => true,
 require => File["${config}/slapd.conf.d"],
 notify => Service["slapd"],
From 798596315e4988336f4f8a5b6247fb9d1525f502 Mon Sep 17 00:00:00 2001
From: Ossi Herrala
Date: Mon, 11 Feb 2013 14:16:31 +0000
Subject: [PATCH 46/50] Support for per FQDN common files from Puppet fileserver.
---
sendmail/manifests/init.pp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sendmail/manifests/init.pp b/sendmail/manifests/init.pp
index 134981d..054d872 100644
--- a/sendmail/manifests/init.pp
+++ b/sendmail/manifests/init.pp
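Review bot: `if $::selinux == "true"` compares the fact to a string, whereas the git module earlier in this series uses the interpolated form `"${selinux}" == "true"`; Facter reports `selinux` as a boolean on some versions, and in that case the un-interpolated comparison is false and `selinux::restorecond` silently manages nothing. `if "${::selinux}" == "true"` handles both representations and keeps the two modules consistent. The class header comment `# Enable restorecond service.` could also say that the per-host `restorecond.conf.${homename}` override is consulted first, since that ordering is the only non-obvious part of the resource.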
@@ -263,6 +263,7 @@ class sendmail::server inherits sendmail::common { default => "/etc/aliases", }, source => [ + "puppet:///files/mail/aliases.${fqdn}", "puppet:///files/mail/aliases", "puppet:///modules/sendmail/aliases", ], @@ -279,6 +280,7 @@ class sendmail::server inherits sendmail::common { file { "/etc/mail/access": ensure => present, source => [ + "puppet:///files/mail/access.${fqdn}", "puppet:///files/mail/access", "puppet:///modules/sendmail/empty", ], @@ -297,6 +299,7 @@ class sendmail::server inherits sendmail::common { file { "/etc/mail/genericstable": ensure => present, source => [ + "puppet:///files/mail/genericstable.${fqdn}", "puppet:///files/mail/genericstable", "puppet:///modules/sendmail/empty", ], @@ -315,6 +318,7 @@ class sendmail::server inherits sendmail::common { file { "/etc/mail/mailertable": ensure => present, source => [ + "puppet:///files/mail/mailertable.${fqdn}", "puppet:///files/mail/mailertable", "puppet:///modules/sendmail/empty", ], @@ -333,6 +337,7 @@ class sendmail::server inherits sendmail::common { file { "/etc/mail/virtusertable": ensure => present, source => [ + "puppet:///files/mail/virtusertable.${fqdn}", "puppet:///files/mail/virtusertable", "puppet:///modules/sendmail/empty", ], @@ -351,6 +356,7 @@ class sendmail::server inherits sendmail::common { file { "/etc/mail/local-host-names": ensure => present, source => [ + "puppet:///files/mail/local-host-names.${fqdn}", "puppet:///files/mail/local-host-names", "puppet:///modules/sendmail/local-host-names", ], From a568b5cfc5a57d0cfd3061dfa72bcdb7ccff856d Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Mon, 11 Feb 2013 15:10:13 +0000 Subject: [PATCH 47/50] Puppet module's own local-host-names doesn't make much sense? Use empty file instead. --- sendmail/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sendmail/manifests/init.pp b/sendmail/manifests/init.pp index 054d872..9cf5c98 100644 --- a/sendmail/manifests/init.pp 
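Review bot: The per-host override is keyed on `${fqdn}` here, while the per-host override added elsewhere in this series (`restorecond.conf.${homename}` in the selinux module) and the munin template key on `homename`; on a host where the two facts differ, an `aliases.<host>` file named the other way is silently skipped and the shared `aliases` is installed instead. Pick one identifier for all per-host sources, and prefer one the agent cannot freely change — the certificate name (`$::clientcert`) or the existing `homename` fact — over plain `fqdn`, which is reported by the client. Using the top-scope form `$::fqdn` would also match the `$::kernel`/`$::selinux` style used later in the series. The enclosing `file { ... }` resource starts before this hunk and continues after it.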
+++ b/sendmail/manifests/init.pp @@ -358,7 +358,7 @@ class sendmail::server inherits sendmail::common { source => [ "puppet:///files/mail/local-host-names.${fqdn}", "puppet:///files/mail/local-host-names", - "puppet:///modules/sendmail/local-host-names", + "puppet:///modules/sendmail/empty", ], mode => "0644", owner => "root", From 9132b47705b6607a63a3cabec410680a5695266b Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 12 Feb 2013 13:10:10 +0200 Subject: [PATCH 48/50] Initial version of logwatch module --- logwatch/manifests/init.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 logwatch/manifests/init.pp diff --git a/logwatch/manifests/init.pp b/logwatch/manifests/init.pp new file mode 100644 index 0000000..0dbca0b --- /dev/null +++ b/logwatch/manifests/init.pp @@ -0,0 +1,16 @@ +# Install logwatch. +# +class logwatch { + + case $::kernel { + "linux": { + package { "logwatch": + ensure => installed, + } + } + default: { + fail("logwatch not supported on ${::kernel}") + } + } + +} From bc7f2837c77f3d9333b952b9b20e406628b8a20c Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Thu, 14 Feb 2013 16:45:16 +0200 Subject: [PATCH 49/50] Updated rails version number to 2.3.17 on CentOS 6 --- ruby/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ruby/manifests/init.pp b/ruby/manifests/init.pp index c50dd44..4803523 100644 --- a/ruby/manifests/init.pp +++ b/ruby/manifests/init.pp @@ -52,7 +52,7 @@ class ruby::rails { } else { require ruby::rubygems package { "rubygem-rails": - ensure => "2.3.16", + ensure => "2.3.17", name => "rails", provider => "gem", } From f17eacf99a727b5767b0b2dfda81474fef7569fe Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Sat, 23 Feb 2013 22:52:11 +0200 Subject: [PATCH 50/50] Added README on compiling nodejs for etherpad-lite --- etherpadlite/README.CentOS | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 etherpadlite/README.CentOS 
diff --git a/etherpadlite/README.CentOS b/etherpadlite/README.CentOS
new file mode 100644
index 0000000..5f94827
--- /dev/null
+++ b/etherpadlite/README.CentOS
@@ -0,0 +1,6 @@
+yum install v8-devel openssl-devel zlib-devel
+mkdir /usr/local/src/nodejs && cd /usr/local/src/nodejs
+wget http://nodejs.org/dist/node-latest.tar.gz
+tar xzvf node-latest.tar.gz && cd node-v*
+./configure --shared-v8 --shared-openssl --shared-zlib
+make install
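Review bot: `wget http://nodejs.org/dist/node-latest.tar.gz` fetches an unpinned tarball over plain HTTP and the following `./configure` / `make install` lines build and install it system-wide as root with no integrity check, so whoever controls the network path or the mirror controls what lands in /usr/local. Pin a release and verify it before building, e.g. `wget https://nodejs.org/dist/vX.Y.Z/node-vX.Y.Z.tar.gz https://nodejs.org/dist/vX.Y.Z/SHASUMS.txt` followed by `grep node-vX.Y.Z.tar.gz SHASUMS.txt | sha1sum -c -` (the release directories publish a checksum file; check which digest it carries for the version chosen). Pinning also removes the `cd node-v*` glob, which otherwise enters whichever directory happened to unpack. `--shared-openssl` is worth keeping, since it leaves TLS on the distro-patched OpenSSL rather than a bundled copy.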