From c1000371edc07c7ef74b261f4bdb5d4cbb27b223 Mon Sep 17 00:00:00 2001 
From: Lukas Bezdicka Date: Thu, 7 Jan 2016 11:36:19 +0100 Subject: [PATCH] Bump non openstack modules to their latest masters Update apache to a78617b1919f44ab32fb88219783d836a77db148 a78617b1919f44ab32fb88219783d836a77db148 Merge pull request #1308 from mpolenchuk/master ca5e7e5dd3b727352da7ca5328305188987d3db7 Merge pull request #1311 from occelebi/ssl 5ab89d9220b0995426db15d6b4156789ba919599 Merge pull request #1313 from jewjitsu/fix_indent bb456f1abf1a6a77d14fd37cbc500c77204e9559 Merge pull request #1310 from occelebi/proxy 12b695ab82c9a344e87d3f73b4dae1864cb90dac the custom fragment needs to be indented two spaces so that it lines up with the rest of the configuration a38918431c0e3d41cd8f6031fab564398215d477 Merge pull request #1309 from occelebi/domain 2a6085929cba0ca4be759ea4d514143dced11dac Merge pull request #1305 from jasonhancock/bug-el7-module-dir e825422b0080e66b32cd05ed51b5ccae69325c74 EL7 uses conf.modules.d directory for modules. 0ab0e393f0e7254bc28f69b624cf212f120a254c Support the mod_ssl SSLProxyVerify directive 7db484aacbebba67a879b195d83bfc604c619daf Add ProxyPreserveHost off mode explicitly f001dfb231f41aac73d97a7878eb29c9e4880c24 Support ProxPassReverseCookieDomain directive (mod_proxy) 05437c0b6e4dd084b2336565aa13a8d152f97071 Merge pull request #1306 from quixoten/request_headers_order 6b8aa3ae30d5033b88d57eae622a8bfef91f1bf8 Put headers and request headers before proxy cf84e97e6a75dfaa9195d98b0917bfd2168badd8 Merge pull request #1304 from roidelapluie/vhost-directory-proxy-provider 5ed3dbe93bda0b8c066ee6f712b6b78a9ef0810f Merge pull request #1301 from timogoebel/fix_rewrite_validation e6837d8a5e8f481295fe1a45d9d1a6bd950c4028 Add X-Forwarded-For into log_formats defaults 57d18900ae86c27f224c3e72b69b81ac17c8a79d Merge pull request #1307 from bmjen/fix-fastcgi e90496f9671333eec2ffb1eeb1afe7bbdfc27059 (maint) fixes fastcgi tests on ubuntu lucid 407af7b70d90ef2897d062bf00ca11f78cd25608 Support proxy provider for vhost directories 
704b3e1b401384515c40630d0248d65455493c75 Merge pull request #1303 from bmjen/fix-fastcgi 2e15018dd24d74c78a50a9483cf39b791f3ff7ec (maint) fixes the fastcgi test for debian and older ubuntu releases 791c20f33518245c691739aa06880cbe5cfb832b Merge pull request #1302 from pabelanger/temp/testing aae1a6664efc200640eccd203db6831dd57f8d71 Limit fastcgi testing to Debian osfamily 963597dd55f95e47a31597b4df0db83ea5b21186 Merge pull request #1300 from pabelanger/temp/pcci-centos 530adf44da90a5d7438f13fa797afddc0da60ac6 Skip fastcgi acceptance testing for Centos 7 924511e1b1ceef79cd06a4833f883534dd48c125 fix validation error when empty array is passed as rewrites parameter cdd81dbf3463c73e6abfaf937f929821baff73dd Merge pull request #1299 from pabelanger/temp/typo af214ea39edca965c1ba481f6287759e63112afd Fix syntax error with versioncmp Change-Id: I819ddd8114356ca8b35d5d35a53a1be01356feca Update firewall to 9df7e883be758f8f340c720ef7d7022f10c4d842 9df7e883be758f8f340c720ef7d7022f10c4d842 Merge pull request #596 from bmjen/fix-ci b738536f50770ad5eeacf56fe47f376087bb8871 (maint) fixes acceptance tests 79eeb807b27e395795c06191f7ea32f6430cfa39 Merge pull request #595 from bmjen/fix-ci 0d9fdd3788b383260364ece5f8fd7d88630e3023 (maint) fixes typo in firewall acceptance test. 8f8b66ccd8b266c5157f6d9018e253fc6ba4a68a Merge pull request #594 from mentat/fix_ci_bug f9e5adac831f9cc0d9c9ec78c579dcd885469e32 Fix for CI acceptance fail. 
65b8916924688a47b0c20723f333c732b653e88c Merge pull request #593 from mlosapio/feature/log-uid 703b63b08c2d93e0aa653da30d515ec9e3e0f684 Adding in log_uid boolean for LOG 170ecd183b6154ea6b095fc375f72635f49870f1 Merge pull request #579 from maxvozeler/fix/chain_f_fix b52b0eb96209b29c349d79a4fc8ca5d5acbf2eb2 Fix handling of chain names that contain -f e6830af827a9271bd9dfa928eee6129c48e4cb01 Merge pull request #592 from puppetlabs/1.7.x 71c659faf38d5e0cf19cfc16bb690b4c450fbd2a Merge pull request #580 from tphoney/release_1.7.2 ca8efac15b505e82c70b22f9d0496837be5c34fe Merge pull request #591 from jonnytpuppet/1.7.x_rel_prep_ci_fixes d3d44ae54a352179c856bcfdcfc40049c03f93db Updated logic to debian manifest file 0379c4e9311ad6355ba909f7a57c9ac8a6ff12f5 (MAINT) - Commented out CLUSTERIP tests as there are suspicions that the ipt module is causing system reboots. 8289fc53aa1c5170a4c70aa35dbc7e5176064bf6 Unit test fixes ef6bd3daddfc8d652d6aa2ce86630d0d123950f0 More file renames 5661b28fc5dbffcd2895fc12b6e79a8d05dca87b Rename internal custom nodeset files 758d0a2248bf121cfee83fcc974cbd08d67c2f07 Further nodeset changes from internal CI dd275c3e3a4b340a297827c716653148c975d476 Added nodeset files for internal Puppet CI. 1ad639746bf77d304494dc77bc5fa473ddb18dbb Merge pull request #590 from jonnytpuppet/fact_variable_fix 4a9bdb4fe535d1cbba412782358dc4e133ba8b82 Updated logic to debian manifest file e7f3937e8af90ecd451537a05c8cfea6a6e42fb4 Merge pull request #589 from DavidS/modules-2866-add-sctp 3756b4cb2b17cd1686bd82593e58f29dba4d3e9a Add: sctp-protocol to "proto"-Parameter d33d0eb66d0b36ad9feecd2ade42f76a581612a1 Merge pull request #588 from jonnytpuppet/hang_fix2 3370e766244bbf3b2685922662d56fbea0ef7551 (MAINT) - Commented out CLUSTERIP tests as there are suspicions that the ipt module is causing system reboots. 
6ac58405d79cd8db42c003ba683f526c0df75043 Merge pull request #587 from jonnytpuppet/unit_test_fix d27d72f312a32533ef5be15333731816c9bf5178 Unit test fixes 118e282eee877c4b9c1d4da89bd9ff49a73d933f Merge pull request #586 from jonnytpuppet/hang_fix2 bbf8d20f92760e697fd12a98c796cdc9e5065b9c More file renames c036d5ebaed29d48b3a6993e31d42ebad209bff5 Merge pull request #585 from jonnytpuppet/hang_fix2 823c8c72621130031c294ff769b5677aa13cca91 Rename internal custom nodeset files 1ac12fc3047ae5680affbbd9fcbb7793ade314d9 Merge pull request #584 from jonnytpuppet/hang_fix2 2a088c0fa65ab77752306c6123276025240d1402 Further nodeset changes from internal CI badb2bd268fa2871359af78fbf3ab14344d35639 Merge pull request #582 from jonnytpuppet/hang_fix 03d708e15ef12a08a4259d1efe7004d31e93df3a Added nodeset files for internal Puppet CI. e17524df9a026b5fa74dea4c6252533bd5bf68a7 release prep 1.7.2 Change-Id: Ibbe28dc5f3a38c48cd982ea80d992ab3f521df6e Update fluentd to ddc5f0e4c6c53d15f0cbd34f74bfaa91a0fb299f ddc5f0e4c6c53d15f0cbd34f74bfaa91a0fb299f Merge pull request #1 from EmilienM/file/fullpath 31fde18d4910a87f4e54e58501361df1364e74f0 Manage td-agent.conf file with a fully qualified path Change-Id: I8ca655e322a23a714fed6ddf62cef86b95ea2309 Update mongodb to 3bcfc75229c4faffe5ccfe9caf1278a54ef0f7cc 3bcfc75229c4faffe5ccfe9caf1278a54ef0f7cc Merge pull request #237 from erikanderson/normalize_template_spacing 38ceb81e36bbbb844039e12fb8aebb43cb2cef0d Merge pull request #232 from GoozeyX/squashed_forpull 2537fc4dc770c1e1a46567691aa7e7f76961fb52 added yum proxy options 9b9f7571aed4401197437659b31d8d5ac3849e4e Normalize spacing in template Change-Id: I89cf252016e3ccfb794afdf378f5d7561fc967d3 Update mysql to 5e7b999615bf99cc307b570c3eb27610d08df3c7 5e7b999615bf99cc307b570c3eb27610d08df3c7 Merge pull request #784 from vicinus/master 3a49209a6f7f4df98e304840ef147e5496fc780f ensure if service restart to wait till mysql is up 58a55ade47cac1f4dc102f422408c0252a204cd0 Merge pull request #789 from 
elconas/fix_mysql576_pull_rebase3 7efc93c3c5b9c9f7893a2914e4249e85a8879407 Fixed new mysql_datadir provider on CentOS for MySQl 5.7.6 compatibility 45419fde6d7da5aa8914dcc3fc4629384c9db9e1 Merge pull request #787 from obi11235/master c353259fd95e58ef3ef4b2955294e2186b46efa2 Merge pull request #769 from gabriel403/master 681d4f856fd1ccda1a6152fdb6622f110827431b Ubuntu vivid should use systemd not upstart 3a29c5e5524024df72c3152022640a5e369faf86 Fixing error when disabling service management and the service does not exist 51950bf2d11b071cff21bf86379e245fd08f2070 Merge pull request #786 from DavidS/fix-576-rebase-of-763 bdf4d0f52dfc244d10bbd5b67efb791a39520ed2 Fixed MySQL 5.7.6++ compatibility 60393f7d4a42d96e67436249b940a2374bffbe77 Merge branch '3.6.x' into 'master' f06cc1269c0da682292d46e275d6da6442e73556 Merge pull request #572 from sharumpe/ticket/MODULES-1337-MariaDB_for_OpenSuSE_13.1 85e49164ad1173a37c222fe31f9b1e3f053965ef Merge pull request #780 from tphoney/release_3.6.2 9e2de7f36786c479d89e4ed5b5d3282b807f2d50 3.6.2 release prep 3a6a6c63580a71058aef74176d461547a3f0a660 Checking major release instead of specific release per @cmurphy. 47c1eb7386dcc39ac06b5947574ac07237b7a82c Merging with upstream changes from https://github.com/puppetlabs/puppetlabs-mysql.git d095721d7059aab4cf73a0f5a816b0ecd92ca5bd Update changelog 542c43eda5cbeecad814ad06fce2b006a2b5364e Improved user validation and munging 1d824777237a6b28884ee411750ebd8a24dc8d77 Merge pull request #756 from bmjen/3.6.1_prep f63b7d1f259206e7a721202dd7f9f59926c7d987 updates to 3.6.1 prep 58bb3b92d88cb9ec7d901db1f4336fa8c8aa507d Merge pull request #755 from mhaskel/3.6.1-prep f4b49f2c3582ed05b7f1556c2c1448acb8dd3912 3.6.1 prep daa4b625820f938d3e7a6ecc1ea77b5797110e33 Merge pull request #754 from mhaskel/ff_to_master d6bdd4cb3e00641acccd28faa522ef1ad4f38ce2 Compatibility with PE 3.3 9d5816ad5c338efe575adce51434b91ba654e6f1 Fixes improper use of function 'warn' in backup manifest of server. 
54540324ea580ba711ea28b7de447485486f6ac1 Using mariadb in OpenSuSE >= 13.1. Change-Id: I15dcc1ba2f19ba78a6de71b2a58cff0f66e08adc Update rabbitmq to 67b9acc9a37faf2e15eae686e6b17642f82bdc40 67b9acc9a37faf2e15eae686e6b17642f82bdc40 Merge pull request #420 from nibalizer/style 47ab06a091e056390ac1de68b7c020828b7130a4 Minor style cleanup 5f428e92f1d956c5ad37bb7dec81306feb92df94 Merge pull request #404 from BashtonLtd/master ee9359963ce64d5ecd87b40044d68ef56d8fa546 Merge pull request #406 from br0ch0n/fix_apt_update 0f35f259c84927f7ed79ae2797c8e81be1074fba Merge pull request #410 from ericpfisher/better-error-for-non-string-value de9d5143eb558fa03d6bf401d1a62d4d7d9bf7d3 Merge pull request #412 from madAndroid/MODULES-2815-federation-upstream-fix 10fcb9d0cc85cf6d88a94aff987f978ba3209a0d Merge pull request #419 from nibalizer/install_helper b4f635f359e9e1f8f1bb7cd91d5279e2624e82b7 Use puppetlabs install_helper 28b5af1c130fd1964d8af7fefa45ae6d8988e645 don't process line if it's a federated upstream queue c013d165eb46f72b86b840c9484d9f5fda7870d3 Better error when definition value is not a string 56659fcb3ffdd10a9516de3e3de14a7b5e95306d Fixing pinning for apt on Debian based distros 995768b7cfa6b0b778152f6bbd8a374f15b6f520 MODULES-2645 add apt::update requirement Change-Id: I330752b365866ba01e654db47b3f8be2272114e4 Update haproxy to 8b7f2765f18222821d6ec2967e088522e4d64197 8b7f2765f18222821d6ec2967e088522e4d64197 Merge pull request #203 from antaflos/support-maps af870391c1b5d45c41c018369e6d2546528b5233 Merge pull request #200 from jpadams/master 866ffbe903e1d6c9d486f3e00d27765c91c9d05c Remove ssl-hello-chk from default options 1224651ebafc0176f70855fcd9a91225fc71b0ae Fix determining $haproxy::config_dir in haproxy::instance 65ea4481f9611a242b38e776955adf3593e59ea8 Add support for managing map files 92b97f0c9532c1f6d5cf9a1358f68c75cf367cb0 Merge pull request #208 from arteal/patch-1 75e4abf34ae95393d84a24cfe14a48d4d0456730 Merge pull request #209 from puppetlabs/1.3.x 
6a003d490718a93533cfdd8c57e13d6b669661f3 Merge pull request #207 from tlimoncelli/validate_hash_options 43af8e5213aff72ea2e2831d189a4014c002ec85 Fix port parameter name on haproxy::peer defined type 1f0b8552d47fb1ef04c4be7457b0b7e6ac82d905 Merge pull request #206 from tphoney/release_1.3.1 9b8ccedcad1af831bff268eba5e345627cfe81b3 1.3.1 release prep 478b02904533ef84ee8d960d736828312273fed4 Validate global_options and defaults_options. Change-Id: Ia9af5ec68a46c184281a0683c566d948428200da --- Puppetfile | 14 +- apache/README.md | 10 +- apache/manifests/params.pp | 5 +- apache/manifests/vhost.pp | 78 ++++---- apache/spec/acceptance/apache_ssl_spec.rb | 11 +- apache/spec/acceptance/class_spec.rb | 22 +-- apache/spec/acceptance/default_mods_spec.rb | 30 +-- apache/spec/acceptance/mod_dav_svn_spec.rb | 15 +- apache/spec/acceptance/mod_deflate_spec.rb | 20 +- apache/spec/acceptance/mod_mime_spec.rb | 20 +- .../spec/acceptance/mod_negotiation_spec.rb | 32 +--- apache/spec/acceptance/mod_pagespeed_spec.rb | 23 +-- apache/spec/acceptance/mod_passenger_spec.rb | 14 +- apache/spec/acceptance/mod_php_spec.rb | 32 +--- apache/spec/acceptance/mod_proxy_html_spec.rb | 14 +- apache/spec/acceptance/mod_security_spec.rb | 30 +-- apache/spec/acceptance/prefork_worker_spec.rb | 18 +- apache/spec/acceptance/version.rb | 3 +- apache/spec/acceptance/vhost_spec.rb | 51 ++++- apache/spec/classes/mod/security_spec.rb | 2 +- apache/spec/defines/vhost_spec.rb | 45 ++++- apache/templates/httpd.conf.erb | 3 + apache/templates/vhost/_custom_fragment.erb | 2 +- apache/templates/vhost/_directories.erb | 2 +- apache/templates/vhost/_proxy.erb | 9 +- apache/templates/vhost/_sslproxy.erb | 3 + firewall/CHANGELOG.md | 5 + firewall/README.markdown | 8 +- .../lib/puppet/provider/firewall/ip6tables.rb | 5 +- .../lib/puppet/provider/firewall/iptables.rb | 7 +- firewall/lib/puppet/type/firewall.rb | 16 +- firewall/manifests/linux/debian.pp | 2 +- firewall/metadata.json | 4 +- 
.../acceptance/firewall_clusterip_spec.rb | 94 +++++----- firewall/spec/acceptance/firewall_spec.rb | 41 ++++ .../nodesets/new/aio/redhat-6-64mda.yml | 28 +++ .../nodesets/new/aio/redhat-7-64mda.yml | 28 +++ .../nodesets/new/aio/ubuntu-1404-64mda.yml | 28 +++ .../nodesets/new/pe/centos-5-64mda.yml | 27 +++ .../nodesets/new/pe/centos-6-64mda.yml | 27 +++ .../nodesets/new/pe/centos-7-64mda.yml | 27 +++ .../nodesets/new/pe/debian-6-64mda.yml | 27 +++ .../nodesets/new/pe/debian-7-64mda.yml | 27 +++ .../nodesets/new/pe/oracle-6-64mda.yml | 27 +++ .../nodesets/new/pe/oracle-7-64mda.yml | 27 +++ .../nodesets/new/pe/redhat-5-64mda.yml | 27 +++ .../nodesets/new/pe/redhat-6-64mda.yml | 27 +++ .../nodesets/new/pe/redhat-7-64mda.yml | 27 +++ .../nodesets/new/pe/scientific-5-64mda.yml | 27 +++ .../nodesets/new/pe/scientific-6-64mda.yml | 27 +++ .../nodesets/new/pe/scientific-7-64mda.yml | 27 +++ .../nodesets/new/pe/sles-10-64mda.yml | 27 +++ .../nodesets/new/pe/sles-11-64mda.yml | 27 +++ .../nodesets/new/pe/sles-12-64mda.yml | 27 +++ .../nodesets/new/pe/ubuntu-1004-64mda.yml | 27 +++ .../nodesets/new/pe/ubuntu-1204-64mda.yml | 27 +++ .../nodesets/new/pe/ubuntu-1404-64mda.yml | 27 +++ .../spec/fixtures/iptables/conversion_hash.rb | 8 + .../classes/firewall_linux_redhat_spec.rb | 45 +++-- fluentd/manifests/install.pp | 4 +- haproxy/CHANGELOG.md | 5 + haproxy/README.md | 83 ++++++++- haproxy/examples/init.pp | 1 - haproxy/manifests/backend.pp | 1 - haproxy/manifests/init.pp | 23 ++- haproxy/manifests/install.pp | 9 - haproxy/manifests/instance.pp | 18 +- haproxy/manifests/listen.pp | 1 - haproxy/manifests/mapfile.pp | 62 +++++++ haproxy/metadata.json | 4 +- haproxy/spec/classes/haproxy_spec.rb | 132 +++++++++++++ haproxy/spec/defines/backend_spec.rb | 2 +- haproxy/spec/defines/listen_spec.rb | 22 +-- haproxy/spec/defines/mapfile_spec.rb | 48 +++++ haproxy/templates/haproxy_mapfile.erb | 18 ++ mongodb/CHANGELOG.md | 4 + mongodb/README.md | 9 + mongodb/manifests/globals.pp | 4 + 
mongodb/manifests/repo.pp | 9 +- mongodb/manifests/repo/yum.pp | 11 +- mongodb/spec/classes/repo_spec.rb | 26 +++ mongodb/templates/mongodb.conf.2.6.erb | 8 +- mysql/CHANGELOG.md | 5 + mysql/README.md | 14 ++ mysql/lib/puppet/provider/mysql.rb | 41 +++- .../puppet/provider/mysql_datadir/mysql.rb | 70 +++++++ mysql/lib/puppet/provider/mysql_user/mysql.rb | 36 +++- mysql/lib/puppet/type/mysql_datadir.rb | 30 +++ mysql/manifests/params.pp | 36 +++- mysql/manifests/server/installdb.pp | 18 +- mysql/manifests/server/service.pp | 26 ++- mysql/metadata.json | 4 +- mysql/spec/classes/mysql_server_spec.rb | 14 +- .../puppet/provider/mysql_user/mysql_spec.rb | 175 +++++++++++++++++- rabbitmq/Gemfile | 3 +- .../rabbitmq_exchange/rabbitmqadmin.rb | 1 + rabbitmq/lib/puppet/type/rabbitmq_policy.rb | 2 +- rabbitmq/manifests/init.pp | 11 +- rabbitmq/manifests/install.pp | 2 + rabbitmq/manifests/repo/apt.pp | 5 +- rabbitmq/spec/classes/rabbitmq_spec.rb | 5 +- rabbitmq/spec/spec_helper_acceptance.rb | 14 +- 102 files changed, 1893 insertions(+), 463 deletions(-) create mode 100644 firewall/spec/acceptance/nodesets/new/aio/redhat-6-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/aio/redhat-7-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/aio/ubuntu-1404-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/centos-5-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/centos-6-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/centos-7-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/debian-6-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/debian-7-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/oracle-6-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/oracle-7-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/redhat-5-64mda.yml create mode 100644 
firewall/spec/acceptance/nodesets/new/pe/redhat-6-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/redhat-7-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/scientific-5-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/scientific-6-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/scientific-7-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/sles-10-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/sles-11-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/sles-12-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/ubuntu-1004-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/ubuntu-1204-64mda.yml create mode 100644 firewall/spec/acceptance/nodesets/new/pe/ubuntu-1404-64mda.yml create mode 100644 haproxy/manifests/mapfile.pp create mode 100644 haproxy/spec/defines/mapfile_spec.rb create mode 100644 haproxy/templates/haproxy_mapfile.erb create mode 100644 mysql/lib/puppet/provider/mysql_datadir/mysql.rb create mode 100644 mysql/lib/puppet/type/mysql_datadir.rb diff --git a/Puppetfile b/Puppetfile index d05ca9f6d..038233899 100644 --- a/Puppetfile +++ b/Puppetfile @@ -3,7 +3,7 @@ mod 'aodh', :git => 'https://github.com/openstack/puppet-aodh.git' mod 'apache', - :commit => '13797dadb81b99bd16375ef2d15edd9976edf326', + :commit => 'a78617b1919f44ab32fb88219783d836a77db148', :git => 'https://github.com/puppetlabs/puppetlabs-apache.git' mod 'aviator', 
@@ -55,11 +55,11 @@ mod 'elasticsearch',
 :git => 'https://github.com/elastic/puppet-elasticsearch.git'
 mod 'firewall',
- :commit => '1b6cc9192150d9521cc70301d0452daf189a63f7',
+ :commit => '9df7e883be758f8f340c720ef7d7022f10c4d842',
 :git => 'https://github.com/puppetlabs/puppetlabs-firewall.git'
 mod 'fluentd',
- :commit => 'b462da7d1c6290afba38fd7e64226990ecf795c7',
+ :commit => 'ddc5f0e4c6c53d15f0cbd34f74bfaa91a0fb299f',
 :git => 'https://github.com/soylent/konstantin-fluentd.git'
 mod 'galera',
@@ -83,7 +83,7 @@ mod 'gnocchi',
 :git => 'https://github.com/openstack/puppet-gnocchi.git'
 mod 'haproxy',
- :commit => 'a1cd826990bb7e5d015418b679755aa6606ec13b',
+ :commit => '8b7f2765f18222821d6ec2967e088522e4d64197',
 :git => 'https://github.com/puppetlabs/puppetlabs-haproxy.git'
 mod 'heat',
@@ -147,11 +147,11 @@ mod 'module-data',
 :git => 'https://github.com/ripienaar/puppet-module-data.git'
 mod 'mongodb',
- :commit => 'a5d6e5d36fb1007534bca85fd277a678e6c5a2ee',
+ :commit => '3bcfc75229c4faffe5ccfe9caf1278a54ef0f7cc',
 :git => 'https://github.com/puppetlabs/puppetlabs-mongodb.git'
 mod 'mysql',
- :commit => '7daa2979ef41545e9c9a3fbf7c670f2a7927afba',
+ :commit => '5e7b999615bf99cc307b570c3eb27610d08df3c7',
 :git => 'https://github.com/puppetlabs/puppetlabs-mysql.git'
 mod 'n1k_vsm',
@@ -203,7 +203,7 @@ mod 'qpid',
 :git => 'https://github.com/dprince/puppet-qpid'
 mod 'rabbitmq',
- :commit => '3d74c2d77bd482f59ea919e54d24589487221702',
+ :commit => '67b9acc9a37faf2e15eae686e6b17642f82bdc40',
 :git => 'https://github.com/puppetlabs/puppetlabs-rabbitmq.git'
 mod 'redis',
diff --git a/apache/README.md b/apache/README.md
index 57ba525bf..b0ea212a4 100644
--- a/apache/README.md
+++ b/apache/README.md
@@ -2260,13 +2260,13 @@ apache::vhost { 'site.name.fdqn': { 'path' => '/f', 'url' => 'http://backend-f/', 'setenv' => ['proxy-nokeepalive 1','force-proxy-request-1.0 1']}, { 'path' => '/g', 'url' => 'http://backend-g/', - 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}], }, + 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], }, ], } ~~~ `reverse_urls` is optional and can be an array or a string. It is useful when used with `mod_proxy_balancer`. -`reverse_cookies` is optional and is used to set ProxyPassReverseCookiePath. +`reverse_cookies` is optional and is used to set ProxyPassReverseCookiePath and/or ProxyPassReverseCookieDomain. `params` is an optional parameter. It allows to provide the ProxyPass key=value parameters (Connection settings). `setenv` is optional and is an array to set environment variables for the proxy directive, for details see http://httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings 
@@ -2561,7 +2561,7 @@ The `directories` parameter within the `apache::vhost` class passes an array of The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the 'directory', 'files', and 'location' providers, or a regex for the 'directorymatch', 'filesmatch', or 'locationmatch' providers. Each hash passed to `directories` **must** contain `path` as one of the keys. -The `provider` key is optional. If missing, this key defaults to 'directory'. Valid values for `provider` are 'directory', 'files', 'location', 'directorymatch', 'filesmatch', or 'locationmatch'. If you set `provider` to 'directorymatch', it uses the keyword 'DirectoryMatch' in the Apache config file. +The `provider` key is optional. If missing, this key defaults to 'directory'. Valid values for `provider` are 'directory', 'files', 'proxy', 'location', 'directorymatch', 'filesmatch', 'proxymatch' or 'locationmatch'. If you set `provider` to 'directorymatch', it uses the keyword 'DirectoryMatch' in the Apache config file. General `directories` usage looks something like @@ -3174,6 +3174,10 @@ Sets the [SSLVerifyDepth](http://httpd.apache.org/docs/current/mod/mod_ssl.html# } ~~~ +##### `ssl_proxy_verify` + +Sets the [SSLProxyVerify](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverify) directive, which configures certificate verification of the remote server when a proxy is configured to forward requests to a remote SSL server. Defaults to 'undef'. + ##### `ssl_proxy_machine_cert` Sets the [SSLProxyMachineCertificateFile](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile) directive, which specifies an all-in-one file where you keep the certs and keys used for this server to authenticate itself to remote servers. This file should be a concatenation of the PEM-encoded certificate files in order of preference. Defaults to 'undef'. 
diff --git a/apache/manifests/params.pp b/apache/manifests/params.pp index 9e8cad39b..ab6c0d1e8 100644 --- a/apache/manifests/params.pp +++ b/apache/manifests/params.pp @@ -62,7 +62,10 @@ $server_root = '/etc/httpd' $conf_dir = "${httpd_dir}/conf" $confd_dir = "${httpd_dir}/conf.d" - $mod_dir = "${httpd_dir}/conf.d" + $mod_dir = $::apache::version::distrelease ? { + '7' => "${httpd_dir}/conf.modules.d", + default => "${httpd_dir}/conf.d", + } $mod_enable_dir = undef $vhost_dir = "${httpd_dir}/conf.d" $vhost_enable_dir = undef diff --git a/apache/manifests/vhost.pp b/apache/manifests/vhost.pp index 7e48317a8..df271a98f 100644 --- a/apache/manifests/vhost.pp +++ b/apache/manifests/vhost.pp @@ -25,6 +25,7 @@ $ssl_honorcipherorder = undef, $ssl_verify_client = undef, $ssl_verify_depth = undef, + $ssl_proxy_verify = undef, $ssl_proxy_check_peer_cn = undef, $ssl_proxy_check_peer_name = undef, $ssl_proxy_machine_cert = undef, @@ -158,7 +159,9 @@ validate_bool($ssl_proxyengine) if $rewrites { validate_array($rewrites) - validate_hash($rewrites[0]) + unless empty($rewrites) { + validate_hash($rewrites[0]) + } } # Input validation begins @@ -234,6 +237,10 @@ validate_string($docroot) } + if $ssl_proxy_verify { + validate_re($ssl_proxy_verify,'^(none|optional|require|optional_no_ca)$',"${ssl_proxy_verify} is not permitted for ssl_proxy_verify. Allowed values are 'none', 'optional', 'require' or 'optional_no_ca'.") + } + if $ssl_proxy_check_peer_cn { validate_re($ssl_proxy_check_peer_cn,'(^on$|^off$)',"${ssl_proxy_check_peer_cn} is not permitted for ssl_proxy_check_peer_cn. Allowed values are 'on' or 'off'.") } 
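Review bot: The new `$mod_dir` selector in params.pp matches only the literal `'7'`, so every other value of `$::apache::version::distrelease`, including any later major release, silently falls back to `conf.d`. If later releases are also meant to use `conf.modules.d`, a comparison such as `versioncmp($::apache::version::distrelease, '7') >= 0` would say so; if the exact match is intended, a comment like `# EL7 keeps LoadModule files in conf.modules.d; other releases use conf.d` would record it. The hunk does not show where `apache::version` is evaluated relative to this class, so it is worth confirming the variable is always set when this selector runs.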
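Review bot: In the `@@ -158,7 +159,9 @@` hunk of vhost.pp only `$rewrites[0]` is type-checked, so the new `unless empty($rewrites)` guard fixes the empty-array failure but any later element that is not a hash still reaches the rewrite template unvalidated. If checking every element is not practical here, a comment above the call such as `# only the first rewrite is validated; later entries are passed to the template as given` would make the limit visible to whoever relies on this validation. The surrounding define starts and ends outside the hunk.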
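Review bot: The pattern added for `$ssl_proxy_verify` in the `@@ -234,6 +237,10 @@` hunk, `'^(none|optional|require|optional_no_ca)$'`, uses line anchors, and in Ruby regular expressions `^` and `$` match at each line boundary, so a multi-line value whose first line is an allowed keyword would pass the check and the remaining lines would presumably be written into the vhost file by the sslproxy template. Anchoring the whole string avoids that: `validate_re($ssl_proxy_verify, '\A(none|optional|require|optional_no_ca)\z', ...)` with the existing message. The `ssl_proxy_check_peer_cn` check shown as context in the same hunk, `'(^on$|^off$)'`, has the same shape and would benefit from the same change.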
@@ -674,6 +681,26 @@ } } + # Template uses: + # - $headers + if $headers and ! empty($headers) { + concat::fragment { "${name}-header": + target => "${priority_real}${filename}.conf", + order => 140, + content => template('apache/vhost/_header.erb'), + } + } + + # Template uses: + # - $request_headers + if $request_headers and ! empty($request_headers) { + concat::fragment { "${name}-requestheader": + target => "${priority_real}${filename}.conf", + order => 150, + content => template('apache/vhost/_requestheader.erb'), + } + } + # Template uses: # - $proxy_dest # - $proxy_pass @@ -683,7 +710,7 @@ if $proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match { concat::fragment { "${name}-proxy": target => "${priority_real}${filename}.conf", - order => 140, + order => 160, content => template('apache/vhost/_proxy.erb'), } } @@ -693,7 +720,7 @@ if $rack_base_uris { concat::fragment { "${name}-rack": target => "${priority_real}${filename}.conf", - order => 150, + order => 170, content => template('apache/vhost/_rack.erb'), } } @@ -703,7 +730,7 @@ if $passenger_base_uris { concat::fragment { "${name}-passenger_uris": target => "${priority_real}${filename}.conf", - order => 155, + order => 175, content => template('apache/vhost/_passenger_base_uris.erb'), } } @@ -724,7 +751,7 @@ if ($redirect_source and $redirect_dest) or ($redirectmatch_status and $redirectmatch_regexp and $redirectmatch_dest) { concat::fragment { "${name}-redirect": target => "${priority_real}${filename}.conf", - order => 160, + order => 180, content => template('apache/vhost/_redirect.erb'), } } @@ -738,7 +765,7 @@ if $rewrites or $rewrite_rule { concat::fragment { "${name}-rewrite": target => "${priority_real}${filename}.conf", - order => 170, + order => 190, content => template('apache/vhost/_rewrite.erb'), } } 
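Review bot: Nothing in the `@@ -674,6 +681,26 @@` hunk records why the `${name}-header` and `${name}-requestheader` fragments now sit at orders 140 and 150, ahead of `${name}-proxy` at 160, even though the later hunks renumber every following fragment to make room for them. A comment above the first moved block, for example `# Header and RequestHeader fragments must sort before the proxy fragment (order 160)`, would keep a future renumbering from quietly undoing the ordering. The define these fragments belong to starts and ends outside the hunk.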
@@ -749,7 +776,7 @@ if ( $scriptalias or $scriptaliases != [] ) { concat::fragment { "${name}-scriptalias": target => "${priority_real}${filename}.conf", - order => 180, + order => 200, content => template('apache/vhost/_scriptalias.erb'), } } @@ -759,7 +786,7 @@ if $serveraliases and ! empty($serveraliases) { concat::fragment { "${name}-serveralias": target => "${priority_real}${filename}.conf", - order => 190, + order => 210, content => template('apache/vhost/_serveralias.erb'), } } @@ -770,7 +797,7 @@ if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) { concat::fragment { "${name}-setenv": target => "${priority_real}${filename}.conf", - order => 200, + order => 220, content => template('apache/vhost/_setenv.erb'), } } @@ -796,20 +823,21 @@ if $ssl { concat::fragment { "${name}-ssl": target => "${priority_real}${filename}.conf", - order => 210, + order => 230, content => template('apache/vhost/_ssl.erb'), } } # Template uses: # - $ssl_proxyengine + # - $ssl_proxy_verify # - $ssl_proxy_check_peer_cn # - $ssl_proxy_check_peer_name # - $ssl_proxy_machine_cert if $ssl_proxyengine { concat::fragment { "${name}-sslproxy": target => "${priority_real}${filename}.conf", - order => 210, + order => 230, content => template('apache/vhost/_sslproxy.erb'), } } @@ -825,7 +853,7 @@ if $auth_kerb { concat::fragment { "${name}-auth_kerb": target => "${priority_real}${filename}.conf", - order => 210, + order => 230, content => template('apache/vhost/_auth_kerb.erb'), } } @@ -837,7 +865,7 @@ if $suphp_engine == 'on' { concat::fragment { "${name}-suphp": target => "${priority_real}${filename}.conf", - order => 220, + order => 240, content => template('apache/vhost/_suphp.erb'), } } @@ -848,7 +876,7 @@ if ($php_values and ! empty($php_values)) or ($php_flags and ! empty($php_flags)) { concat::fragment { "${name}-php": target => "${priority_real}${filename}.conf", - order => 220, + order => 240, content => template('apache/vhost/_php.erb'), } } 
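Review bot: In the `@@ -796,20 +823,21 @@` hunk `$ssl_proxy_verify` is only listed as a template input and its parameter default is `undef`, so a vhost that enables `ssl_proxyengine` without setting it is left on mod_ssl's own default for SSLProxyVerify, which the Apache documentation gives as `none`, i.e. the backend certificate is not verified. Assuming the sslproxy template omits the directive when the value is unset (the template is not on this part of the page), a notice would make that visible to operators: `if $ssl_proxyengine and ! $ssl_proxy_verify { warning("${name}: ssl_proxyengine is on but ssl_proxy_verify is unset; backend certificates are not verified") }`. Separately, the `-ssl`, `-sslproxy` and `-auth_kerb` fragments all keep the same order value, now 230, so their relative position in the file depends on how concat breaks ties rather than on anything stated here.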
@@ -858,29 +886,9 @@ # - $php_admin_flags if ($php_admin_values and ! empty($php_admin_values)) or ($php_admin_flags and ! empty($php_admin_flags)) { concat::fragment { "${name}-php_admin": - target => "${priority_real}${filename}.conf", - order => 230, - content => template('apache/vhost/_php_admin.erb'), - } - } - - # Template uses: - # - $headers - if $headers and ! empty($headers) { - concat::fragment { "${name}-header": - target => "${priority_real}${filename}.conf", - order => 240, - content => template('apache/vhost/_header.erb'), - } - } - - # Template uses: - # - $request_headers - if $request_headers and ! empty($request_headers) { - concat::fragment { "${name}-requestheader": target => "${priority_real}${filename}.conf", order => 250, - content => template('apache/vhost/_requestheader.erb'), + content => template('apache/vhost/_php_admin.erb'), } } diff --git a/apache/spec/acceptance/apache_ssl_spec.rb b/apache/spec/acceptance/apache_ssl_spec.rb index ccf65c727..254a3c35a 100644 --- a/apache/spec/acceptance/apache_ssl_spec.rb +++ b/apache/spec/acceptance/apache_ssl_spec.rb @@ -1,13 +1,6 @@ require 'spec_helper_acceptance' require_relative './version.rb' -case fact('osfamily') -when 'RedHat' - vhostd = '/etc/httpd/conf.d' -when 'Debian' - vhostd = '/etc/apache2/sites-available' -end - describe 'apache ssl' do describe 'ssl parameters' do @@ -28,7 +21,7 @@ class { 'apache': apply_manifest(pp, :catch_failures => true) end - describe file("#{vhostd}/15-default-ssl.conf") do + describe file("#{$vhost_dir}/15-default-ssl.conf") do it { is_expected.to be_file } it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } 
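Review bot: The `describe file("#{$vhost_dir}/15-default-ssl.conf")` line in apache_ssl_spec.rb now depends on a Ruby global assigned in `version.rb`, which is not part of this hunk; if that file has no branch for the host's osfamily the global is nil, the interpolation yields `/15-default-ssl.conf`, and the example fails on a missing file instead of reporting an unsupported platform. A guard near the top of the spec, e.g. `raise "version.rb did not set $vhost_dir for #{fact('osfamily')}" unless $vhost_dir`, would make the cause explicit. The same applies to `$vhost_dir` in the `@@ -74,7 +67,7 @@` hunk and to `$package_name`, `$service_name` and `$mod_dir` in the class_spec.rb, default_mods_spec.rb and mod_dav_svn_spec.rb hunks that follow.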
@@ -74,7 +67,7 @@ class { 'apache': apply_manifest(pp, :catch_failures => true) end - describe file("#{vhostd}/25-test_ssl.conf") do + describe file("#{$vhost_dir}/25-test_ssl.conf") do it { is_expected.to be_file } it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } diff --git a/apache/spec/acceptance/class_spec.rb b/apache/spec/acceptance/class_spec.rb index 47b0d36fa..0e797b61d 100644 --- a/apache/spec/acceptance/class_spec.rb +++ b/apache/spec/acceptance/class_spec.rb @@ -1,21 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache class' do - case fact('osfamily') - when 'RedHat' - package_name = 'httpd' - service_name = 'httpd' - when 'Debian' - package_name = 'apache2' - service_name = 'apache2' - when 'FreeBSD' - package_name = 'apache24' - service_name = 'apache24' - when 'Gentoo' - package_name = 'www-servers/apache' - service_name = 'apache2' - end - context 'default parameters' do it 'should work with no errors' do pp = <<-EOS @@ -27,11 +13,11 @@ class { 'apache': } expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero end - describe package(package_name) do + describe package($package_name) do it { is_expected.to be_installed } end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end @@ -80,7 +66,7 @@ class { 'apache': apply_manifest(pp, :catch_changes => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end diff --git a/apache/spec/acceptance/default_mods_spec.rb b/apache/spec/acceptance/default_mods_spec.rb index c2d6a8c26..8cfc531b1 100644 --- a/apache/spec/acceptance/default_mods_spec.rb +++ b/apache/spec/acceptance/default_mods_spec.rb 
@@ -1,19 +1,5 @@ require 'spec_helper_acceptance' - -case fact('osfamily') -when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - servicename = 'httpd' -when 'Debian' - mod_dir = '/etc/apache2/mods-available' - servicename = 'apache2' -when 'FreeBSD' - mod_dir = '/usr/local/etc/apache24/Modules' - servicename = 'apache24' -when 'Gentoo' - mod_dir = '/etc/apache2/modules.d' - servicename = 'apache2' -end +require_relative './version.rb' describe 'apache::default_mods class' do describe 'no default mods' do @@ -30,7 +16,7 @@ class { 'apache': expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero end - describe service(servicename) do + describe service($service_name) do it { is_expected.to be_running } end end @@ -56,12 +42,12 @@ class { 'apache': end # Are these the same? - describe service(servicename) do + describe service($service_name) do it { is_expected.not_to be_running } end - describe "service #{servicename}" do + describe "service #{$service_name}" do it 'should not be running' do - shell("pidof #{servicename}", {:acceptable_exit_codes => 1}) + shell("pidof #{$service_name}", {:acceptable_exit_codes => 1}) end end end @@ -94,7 +80,7 @@ class { 'apache': expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero end - describe service(servicename) do + describe service($service_name) do it { is_expected.to be_running } end end @@ -112,11 +98,11 @@ class { 'apache': default_mods => false } expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero end - describe service(servicename) do + describe service($service_name) do it { is_expected.to be_running } end - describe file("#{mod_dir}/zz_auth_basic.load") do + describe file("#{$mod_dir}/zz_auth_basic.load") do it { is_expected.to be_file } end end diff --git a/apache/spec/acceptance/mod_dav_svn_spec.rb b/apache/spec/acceptance/mod_dav_svn_spec.rb index 10c9b77d7..e4092d03a 100644 --- a/apache/spec/acceptance/mod_dav_svn_spec.rb 
+++ b/apache/spec/acceptance/mod_dav_svn_spec.rb @@ -1,22 +1,17 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::dav_svn class', :unless => (fact('operatingsystem') == 'OracleLinux' and fact('operatingsystemmajrelease') == '7') do case fact('osfamily') when 'Debian' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' if fact('operatingsystemmajrelease') == '6' or fact('operatingsystemmajrelease') == '10.04' or fact('operatingsystemrelease') == '10.04' authz_svn_load_file = 'dav_svn_authz_svn.load' else authz_svn_load_file = 'authz_svn.load' end when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' authz_svn_load_file = 'dav_svn_authz_svn.load' when 'FreeBSD' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' authz_svn_load_file = 'dav_svn_authz_svn.load' end @@ -29,12 +24,12 @@ class { 'apache': } apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{mod_dir}/dav_svn.load") do + describe file("#{$mod_dir}/dav_svn.load") do it { is_expected.to contain "LoadModule dav_svn_module" } end end @@ -50,12 +45,12 @@ class { 'apache::mod::dav_svn': apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{mod_dir}/#{authz_svn_load_file}") do + describe file("#{$mod_dir}/#{authz_svn_load_file}") do it { is_expected.to contain "LoadModule authz_svn_module" } end end diff --git a/apache/spec/acceptance/mod_deflate_spec.rb b/apache/spec/acceptance/mod_deflate_spec.rb index 3b505bdbf..c1ee4d384 100644 --- a/apache/spec/acceptance/mod_deflate_spec.rb +++ b/apache/spec/acceptance/mod_deflate_spec.rb 
@@ -1,21 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::deflate class' do - case fact('osfamily') - when 'Debian' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - when 'Gentoo' - mod_dir = '/etc/apache2/modules.d' - service_name = 'apache2' - end - context "default deflate config" do it 'succeeds in puppeting deflate' do pp= <<-EOS @@ -25,12 +11,12 @@ class { 'apache': } apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{mod_dir}/deflate.conf") do + describe file("#{$mod_dir}/deflate.conf") do it { is_expected.to contain "AddOutputFilterByType DEFLATE text/html text/plain text/xml" } it { is_expected.to contain "AddOutputFilterByType DEFLATE text/css" } it { is_expected.to contain "AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript" } diff --git a/apache/spec/acceptance/mod_mime_spec.rb b/apache/spec/acceptance/mod_mime_spec.rb index e47360b5e..ead76adc1 100644 --- a/apache/spec/acceptance/mod_mime_spec.rb +++ b/apache/spec/acceptance/mod_mime_spec.rb @@ -1,21 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::mime class' do - case fact('osfamily') - when 'Debian' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - when 'Gentoo' - mod_dir = '/etc/apache2/modules.d' - service_name = 'apache2' - end - context "default mime config" do it 'succeeds in puppeting mime' do pp= <<-EOS 
@@ -25,12 +11,12 @@ class { 'apache': } apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{mod_dir}/mime.conf") do + describe file("#{$mod_dir}/mime.conf") do it { is_expected.to contain "AddType application/x-compress .Z" } it { is_expected.to contain "AddHandler type-map var\n" } it { is_expected.to contain "AddType text/html .shtml\n" } diff --git a/apache/spec/acceptance/mod_negotiation_spec.rb b/apache/spec/acceptance/mod_negotiation_spec.rb index 48eb896b6..142b412ad 100644 --- a/apache/spec/acceptance/mod_negotiation_spec.rb +++ b/apache/spec/acceptance/mod_negotiation_spec.rb @@ -1,25 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::negotiation class' do - case fact('osfamily') - when 'Debian' - vhost_dir = '/etc/apache2/sites-enabled' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - vhost_dir = '/etc/httpd/conf.d' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - vhost_dir = '/usr/local/etc/apache24/Vhosts' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - when 'Gentoo' - vhost_dir = '/etc/apache2/vhosts.d' - mod_dir = '/etc/apache2/modules.d' - service_name = 'apache2' - end - context "default negotiation config" do it 'succeeds in puppeting negotiation' do pp= <<-EOS 
@@ -29,12 +11,12 @@ class { '::apache::mod::negotiation': } apply_manifest(pp, :catch_failures => true) end - describe file("#{mod_dir}/negotiation.conf") do + describe file("#{$mod_dir}/negotiation.conf") do it { should contain "LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW ForceLanguagePriority Prefer Fallback" } end - describe service(service_name) do + describe service($service_name) do it { should be_enabled } it { should be_running } end @@ -51,11 +33,11 @@ class { '::apache::mod::negotiation': apply_manifest(pp, :catch_failures => true) end - describe file("#{mod_dir}/negotiation.conf") do + describe file("#{$mod_dir}/negotiation.conf") do it { should contain "ForceLanguagePriority Prefer" } end - describe service(service_name) do + describe service($service_name) do it { should be_enabled } it { should be_running } end @@ -72,11 +54,11 @@ class { '::apache::mod::negotiation': apply_manifest(pp, :catch_failures => true) end - describe file("#{mod_dir}/negotiation.conf") do + describe file("#{$mod_dir}/negotiation.conf") do it { should contain "LanguagePriority en es" } end - describe service(service_name) do + describe service($service_name) do it { should be_enabled } it { should be_running } end diff --git a/apache/spec/acceptance/mod_pagespeed_spec.rb b/apache/spec/acceptance/mod_pagespeed_spec.rb index f8060a167..ab50a54d0 100644 --- a/apache/spec/acceptance/mod_pagespeed_spec.rb +++ b/apache/spec/acceptance/mod_pagespeed_spec.rb 
@@ -1,25 +1,6 @@ require 'spec_helper_acceptance' describe 'apache::mod::pagespeed class' do - case fact('osfamily') - when 'Debian' - vhost_dir = '/etc/apache2/sites-enabled' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - vhost_dir = '/etc/httpd/conf.d' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - vhost_dir = '/usr/local/etc/apache24/Vhosts' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - when 'Gentoo' - vhost_dir = '/etc/apache2/vhosts.d' - mod_dir = '/etc/apache2/modules.d' - service_name = 'apache2' - end - context "default pagespeed config" do it 'succeeds in puppeting pagespeed' do pp= <<-EOS @@ -66,12 +47,12 @@ class { 'apache::mod::pagespeed': apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{mod_dir}/pagespeed.conf") do + describe file("#{$mod_dir}/pagespeed.conf") do it { is_expected.to contain "AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html" } it { is_expected.to contain "ModPagespeedEnableFilters remove_comments" } it { is_expected.to contain "ModPagespeedDisableFilters extend_cache" } diff --git a/apache/spec/acceptance/mod_passenger_spec.rb b/apache/spec/acceptance/mod_passenger_spec.rb index df9cd9e13..88c8aff32 100644 --- a/apache/spec/acceptance/mod_passenger_spec.rb +++ b/apache/spec/acceptance/mod_passenger_spec.rb @@ -1,12 +1,12 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::passenger class' do case fact('osfamily') when 'Debian' - service_name = 'apache2' mod_dir = '/etc/apache2/mods-available/' - conf_file = "#{mod_dir}passenger.conf" - load_file = "#{mod_dir}zpassenger.load" + conf_file = "#{$mod_dir}/passenger.conf" + load_file = "#{$mod_dir}/zpassenger.load" case fact('operatingsystem') when 'Ubuntu' 
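Review bot: The opening hunk of mod_pagespeed_spec.rb removes the per-OS `case` block but, unlike the other acceptance specs touched by this patch, adds no `require_relative './version.rb'`, while the next hunk of the same file switches to `$service_name` and `$mod_dir`. Unless spec_helper_acceptance or an earlier-loaded spec happens to pull version.rb in, running this file on its own leaves both globals nil, so the checks would target `service(nil)` and `file("/pagespeed.conf")` rather than the real service and module directory. Add `require_relative './version.rb'` directly under `require 'spec_helper_acceptance'`.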
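Review bot: In the Debian branch of mod_passenger_spec.rb the context line `mod_dir = '/etc/apache2/mods-available/'` is left behind although `conf_file` and `load_file` now read `#{$mod_dir}/...`, so the local appears unused and differs from the global only by its trailing slash. The RedHat branch in the following hunk drops its `mod_dir` assignment, and the Debian one should be removed the same way so that the module directory has a single source. The `case` continues outside this hunk, so confirm nothing further down still reads the local before deleting it.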
@@ -46,10 +46,8 @@ rackapp_user = 'www-data' rackapp_group = 'www-data' when 'RedHat' - service_name = 'httpd' - mod_dir = '/etc/httpd/conf.d/' - conf_file = "#{mod_dir}passenger.conf" - load_file = "#{mod_dir}zpassenger.load" + conf_file = "#{$mod_dir}/passenger.conf" + load_file = "#{$mod_dir}/zpassenger.load" # sometimes installs as 3.0.12, sometimes as 3.0.19 - so just check for the stable part passenger_root = '/usr/lib/ruby/gems/1.8/gems/passenger-3.0.1' passenger_ruby = '/usr/bin/ruby' @@ -98,7 +96,7 @@ class { 'apache::mod::passenger': } apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end diff --git a/apache/spec/acceptance/mod_php_spec.rb b/apache/spec/acceptance/mod_php_spec.rb index a42f52373..a5529851f 100644 --- a/apache/spec/acceptance/mod_php_spec.rb +++ b/apache/spec/acceptance/mod_php_spec.rb @@ -1,25 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::php class' do - case fact('osfamily') - when 'Debian' - vhost_dir = '/etc/apache2/sites-enabled' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - vhost_dir = '/etc/httpd/conf.d' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - vhost_dir = '/usr/local/etc/apache24/Vhosts' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - when 'Gentoo' - vhost_dir = '/etc/apache2/vhosts.d' - mod_dir = '/etc/apache2/modules.d' - service_name = 'apache2' - end - context "default php config" do it 'succeeds in puppeting php' do pp= <<-EOS 
@@ -40,12 +22,12 @@ class { 'apache::mod::php': } apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{mod_dir}/php5.conf") do + describe file("#{$mod_dir}/php5.conf") do it { is_expected.to contain "DirectoryIndex index.php" } end @@ -83,12 +65,12 @@ class { 'apache::mod::php': apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{vhost_dir}/25-php.example.com.conf") do + describe file("#{$vhost_dir}/25-php.example.com.conf") do it { is_expected.to contain " php_flag display_errors on" } it { is_expected.to contain " php_value include_path .:/usr/share/pear:/usr/bin/php" } it { is_expected.to contain " php_admin_flag engine on" } @@ -116,7 +98,7 @@ class {'apache::mod::php': apply_manifest(pp, :catch_failures => true) end - describe file("#{mod_dir}/php5.conf") do + describe file("#{$mod_dir}/php5.conf") do it { should contain "# somecontent" } end end @@ -135,7 +117,7 @@ class {'apache::mod::php': apply_manifest(pp, :catch_failures => true) end - describe file("#{mod_dir}/php5.conf") do + describe file("#{$mod_dir}/php5.conf") do it { should contain "# somecontent" } end end diff --git a/apache/spec/acceptance/mod_proxy_html_spec.rb b/apache/spec/acceptance/mod_proxy_html_spec.rb index 840ea563f..3e1158691 100644 --- a/apache/spec/acceptance/mod_proxy_html_spec.rb +++ b/apache/spec/acceptance/mod_proxy_html_spec.rb 
@@ -1,17 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::proxy_html class' do - case fact('osfamily') - when 'Debian' - service_name = 'apache2' - when 'RedHat' - service_name = 'httpd' - when 'FreeBSD' - service_name = 'apache24' - when 'Gentoo' - service_name = 'apache2' - end - context "default proxy_html config" do if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') =~ /(5|6)/ it 'adds epel' do @@ -33,7 +23,7 @@ class { 'apache::mod::proxy_html': } apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end diff --git a/apache/spec/acceptance/mod_security_spec.rb b/apache/spec/acceptance/mod_security_spec.rb index 4fcf0f551..75f417588 100644 --- a/apache/spec/acceptance/mod_security_spec.rb +++ b/apache/spec/acceptance/mod_security_spec.rb @@ -1,17 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::security class', :unless => (fact('osfamily') == 'Debian' and (fact('lsbdistcodename') == 'squeeze' or fact('lsbdistcodename') == 'lucid' or fact('lsbdistcodename') == 'precise' or fact('lsbdistcodename') == 'wheezy')) do - case fact('osfamily') - when 'Debian' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - package_name = 'apache2' - when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - package_name = 'httpd' - end - context "default mod_security config" do if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') =~ /(5|6)/ it 'adds epel' do 
@@ -54,16 +44,16 @@ class { 'apache::mod::security': } end end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe package(package_name) do + describe package($package_name) do it { is_expected.to be_installed } end - describe file("#{mod_dir}/security.conf") do + describe file("#{$mod_dir}/security.conf") do it { is_expected.to contain "mod_security2.c" } end @@ -100,12 +90,12 @@ class { 'apache::mod::security': } apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{mod_dir}/security.conf") do + describe file("#{$mod_dir}/security.conf") do it { is_expected.to contain "mod_security2.c" } end @@ -152,12 +142,12 @@ class { 'apache::mod::security': } apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{mod_dir}/security.conf") do + describe file("#{$mod_dir}/security.conf") do it { is_expected.to contain "mod_security2.c" } end @@ -208,12 +198,12 @@ class { 'apache::mod::security': } apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do + describe service($service_name) do it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{mod_dir}/security.conf") do + describe file("#{$mod_dir}/security.conf") do it { is_expected.to contain "mod_security2.c" } end diff --git a/apache/spec/acceptance/prefork_worker_spec.rb b/apache/spec/acceptance/prefork_worker_spec.rb index 234b6acef..7ba13950d 100644 --- a/apache/spec/acceptance/prefork_worker_spec.rb +++ b/apache/spec/acceptance/prefork_worker_spec.rb 
@@ -1,15 +1,5 @@ require 'spec_helper_acceptance' - -case fact('osfamily') -when 'RedHat' - servicename = 'httpd' -when 'Debian' - servicename = 'apache2' -when 'FreeBSD' - servicename = 'apache24' -when 'Gentoo' - servicename = 'apache2' -end +require_relative './version.rb' case fact('osfamily') when 'FreeBSD' @@ -29,7 +19,7 @@ class { 'apache': end end - describe service(servicename) do + describe service($service_name) do it { is_expected.to be_running } it { is_expected.to be_enabled } end @@ -52,7 +42,7 @@ class { 'apache': end end - describe service(servicename) do + describe service($service_name) do it { is_expected.to be_running } it { is_expected.to be_enabled } end @@ -74,7 +64,7 @@ class { 'apache': end end - describe service(servicename) do + describe service($service_name) do it { is_expected.to be_running } it { is_expected.to be_enabled } end diff --git a/apache/spec/acceptance/version.rb b/apache/spec/acceptance/version.rb index 117e23d9f..88cf509b7 100644 --- a/apache/spec/acceptance/version.rb +++ b/apache/spec/acceptance/version.rb @@ -5,7 +5,6 @@ case _osfamily when 'RedHat' $confd_dir = '/etc/httpd/conf.d' - $mod_dir = '/etc/httpd/conf.d' $conf_file = '/etc/httpd/conf/httpd.conf' $ports_file = '/etc/httpd/conf/ports.conf' $vhost_dir = '/etc/httpd/conf.d' @@ -19,8 +18,10 @@ if (_operatingsystem == 'Fedora' and _operatingsystemrelease >= 18) or (_operatingsystem != 'Fedora' and _operatingsystemrelease >= 7) $apache_version = '2.4' + $mod_dir = '/etc/httpd/conf.modules.d' else $apache_version = '2.2' + $mod_dir = '/etc/httpd/conf.d' end when 'Debian' $confd_dir = '/etc/apache2/conf.d' diff --git a/apache/spec/acceptance/vhost_spec.rb b/apache/spec/acceptance/vhost_spec.rb index a51ab5822..9d5306b28 100644 --- a/apache/spec/acceptance/vhost_spec.rb +++ b/apache/spec/acceptance/vhost_spec.rb 
@@ -1325,18 +1325,57 @@ class { 'apache': } end end - # So what does this work on? - if default['platform'] !~ /^(debian-(6|7)|el-(5|6|7))/ + # Limit testing to Debian, since Centos does not have fastcgi package. + case fact('osfamily') + when 'Debian' describe 'fastcgi' do it 'applies cleanly' do pp = <<-EOS - if ($::operatingsystem == 'Ubuntu' and versioncpm($::operatingsystemrelease, '10.04' >= 0)) { + unless $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '12.04') >= 0 { + $_os = $::operatingsystem + + if $_os == 'Ubuntu' { + $_location = "http://archive.ubuntu.com/" + $_security_location = "http://archive.ubuntu.com/" + $_release = $::lsbdistcodename + $_release_security = "${_release}-security" + $_repos = "main universe multiverse" + } else { + $_location = "http://httpredir.debian.org/debian/" + $_security_location = "http://security.debian.org/" + $_release = $::lsbdistcodename + $_release_security = "${_release}/updates" + $_repos = "main contrib non-free" + } + include ::apt - apt::ppa { 'multiverse': - before => Class['Apache::Mod::Fastcgi'], + apt::source { "${_os}_${_release}": + location => $_location, + release => $_release, + repos => $_repos, + include_src => false, + } + + apt::source { "${_os}_${_release}-updates": + location => $_location, + release => "${_release}-updates", + repos => $_repos, + include_src => false, + } + + apt::source { "${_os}_${_release}-security": + location => $_security_location, + release => $_release_security, + repos => $_repos, + include_src => false, } } + EOS + #apt-get update may not run clean here. Should be OK. + apply_manifest(pp, :catch_failures => false) + + pp2 = <<-EOS class { 'apache': } class { 'apache::mod::fastcgi': } host { 'test.server': ip => '127.0.0.1' } 
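Review bot: The first `apply_manifest(pp, :catch_failures => false)` in the fastcgi example discards every failure of the repository manifest, not only the noisy `apt-get update` the comment mentions, so a broken `apt::source` only shows up later as an unrelated package error when `pp2` is applied. The comment should say which failure is tolerated and why, for example `# apt-get update can exit non-zero on these mirrors; any real repo problem surfaces when pp2 installs the fastcgi package`. The three sources also use plain `http://` locations and enable `multiverse` / `non-free`, which leaves package integrity to APT's signature checks; that is acceptable on throwaway test nodes, and saying so in the same comment would keep the snippet from being copied into a production manifest as-is.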
@@ -1347,7 +1386,7 @@ class { 'apache::mod::fastcgi': } fastcgi_dir => '/tmp/fast', } EOS - apply_manifest(pp, :catch_failures => true) + apply_manifest(pp2, :catch_failures => true, :acceptable_exit_codes => [0, 2]) end describe file("#{$vhost_dir}/25-test.server.conf") do diff --git a/apache/spec/classes/mod/security_spec.rb b/apache/spec/classes/mod/security_spec.rb index 93f751ee4..ba0bb2f71 100644 --- a/apache/spec/classes/mod/security_spec.rb +++ b/apache/spec/classes/mod/security_spec.rb @@ -28,7 +28,7 @@ ) } it { should contain_package('mod_security_crs') } it { should contain_file('security.conf').with( - :path => '/etc/httpd/conf.d/security.conf' + :path => '/etc/httpd/conf.modules.d/security.conf' ) } it { should contain_file('/etc/httpd/modsecurity.d').with( :ensure => 'directory', diff --git a/apache/spec/defines/vhost_spec.rb b/apache/spec/defines/vhost_spec.rb index 9dd563a9c..98d70239a 100644 --- a/apache/spec/defines/vhost_spec.rb +++ b/apache/spec/defines/vhost_spec.rb @@ -154,6 +154,7 @@ 'ssl_verify_depth' => '3', 'ssl_options' => '+ExportCertData', 'ssl_openssl_conf_cmd' => 'DHParameters "foo.pem"', + 'ssl_proxy_verify' => 'require', 'ssl_proxy_check_peer_cn' => 'on', 'ssl_proxy_check_peer_name' => 'on', 'ssl_proxyengine' => true, @@ -187,6 +188,10 @@ 'provider' => 'files', 'require' => 'all granted', }, + { + 'path' => '*', + 'provider' => 'proxy', + }, { 'path' => '/var/www/files/indexed_directory', 'directoryindex' => 'disabled', 'options' => ['Indexes','FollowSymLinks','MultiViews'], @@ -219,10 +224,16 @@ 'path' => '/a', 'url' => 'http://backend-a/', 'keywords' => ['noquery', 'interpolate'], - 'reverse_cookies' => [{ - 'path' => '/a', - 'url' => 'http://backend-a/', - }], + 'reverse_cookies' => [ + { + 'path' => '/a', + 'url' => 'http://backend-a/', + }, + { + 'domain' => 'foo', + 'url' => 'http://foo', + } + ], 'params' => { 'retry' => '0', 'timeout' => '5' 
@@ -390,6 +401,8 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-itk') } it { is_expected.to contain_concat__fragment('rspec.example.com-fallbackresource') } it { is_expected.to contain_concat__fragment('rspec.example.com-directories') } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( :content => /^\s+Require valid-user$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( @@ -425,6 +438,8 @@ /noquery interpolate/) } it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( /ProxyPassReverseCookiePath\s+\/a\s+http:\/\//) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyPassReverseCookieDomain\s+foo\s+http:\/\/foo/) } it { is_expected.to contain_concat__fragment('rspec.example.com-rack') } it { is_expected.to contain_concat__fragment('rspec.example.com-redirect') } it { is_expected.to contain_concat__fragment('rspec.example.com-rewrite') } @@ -776,6 +791,18 @@ end end # access logs describe 'validation' do + let :default_facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end context 'bad ensure' do let :params do { @@ -876,6 +903,16 @@ let :facts do default_facts end it { expect { is_expected.to compile }.to raise_error } end + context 'empty rewrites' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'rewrites' => [], + } + end + let :facts do default_facts end + it { is_expected.to compile } + end context 'bad suexec_user_group' do let :params do { diff --git a/apache/templates/httpd.conf.erb b/apache/templates/httpd.conf.erb index cc6998b9b..9c854cfc3 100644 
--- a/apache/templates/httpd.conf.erb +++ b/apache/templates/httpd.conf.erb @@ -77,6 +77,9 @@ LogFormat "%{Referer}i -> %U" referer <% unless @log_formats.has_key?('agent') -%> LogFormat "%{User-agent}i" agent <% end -%> +<% unless @log_formats.has_key?('forwarded') -%> +LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded +<% end -%> <% if @log_formats and !@log_formats.empty? -%> <%- @log_formats.sort.each do |nickname,format| -%> LogFormat "<%= format -%>" <%= nickname %> diff --git a/apache/templates/vhost/_custom_fragment.erb b/apache/templates/vhost/_custom_fragment.erb index 973964655..35c264adb 100644 --- a/apache/templates/vhost/_custom_fragment.erb +++ b/apache/templates/vhost/_custom_fragment.erb @@ -1,5 +1,5 @@ <% if @custom_fragment -%> ## Custom fragment -<%= @custom_fragment %> + <%= @custom_fragment %> <% end -%> diff --git a/apache/templates/vhost/_directories.erb b/apache/templates/vhost/_directories.erb index c95fda5a1..49a9bd901 100644 --- a/apache/templates/vhost/_directories.erb +++ b/apache/templates/vhost/_directories.erb @@ -17,7 +17,7 @@ <%- end -%> <%- end -%> <%- if directory['path'] and directory['path'] != '' -%> - <%- if directory['provider'] and directory['provider'].match('(directory|location|files)') -%> + <%- if directory['provider'] and directory['provider'].match('(directory|location|files|proxy)') -%> <%- if /^(.*)match$/ =~ directory['provider'] -%> <%- provider = $1.capitalize + 'Match' -%> <%- else -%> diff --git a/apache/templates/vhost/_proxy.erb b/apache/templates/vhost/_proxy.erb index 3f94af911..16a889cb4 100644 --- a/apache/templates/vhost/_proxy.erb +++ b/apache/templates/vhost/_proxy.erb @@ -5,6 +5,8 @@ <%- end -%> <% if @proxy_preserve_host -%> ProxyPreserveHost On +<% else -%> + ProxyPreserveHost Off <%- end -%> <% if @proxy_error_override -%> ProxyErrorOverride On 
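Review bot: The new default `forwarded` LogFormat in httpd.conf.erb records `%{X-Forwarded-For}i` in the position where the other formats log the connecting address, and that header is supplied by the client unless a trusted front-end proxy overwrites it. On a vhost that can be reached directly, an access log written with this nickname stores whatever source the requester claims, which weakens the log for incident response. I would emit a comment above the format, `# 'forwarded' logs the client-supplied X-Forwarded-For header; use it only behind a trusted proxy`, or keep the peer address alongside it by starting the format with `%h %{X-Forwarded-For}i`.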
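Review bot: The provider check in _directories.erb, `directory['provider'].match('(directory|location|files|proxy)')`, is unanchored, so with `proxy` added any provider string that merely contains one of these words passes and goes on to become a section tag in the generated vhost. Anchoring the pattern makes the accepted set explicit: `directory['provider'].match('\A(directory|location|files|proxy)(match)?\z')`. The surrounding template logic starts and ends outside the hunk, so check that no caller relies on mixed-case or otherwise decorated provider names before tightening it.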
@@ -20,7 +22,12 @@ > <%- if not proxy['reverse_cookies'].nil? -%> <%- Array(proxy['reverse_cookies']).each do |reverse_cookies| -%> - ProxyPassReverseCookiePath <%= reverse_cookies['path'] %> <%= reverse_cookies['url'] %> + <%- if reverse_cookies['path'] -%> + ProxyPassReverseCookiePath <%= reverse_cookies['path'] %> <%= reverse_cookies['url'] %> + <%- end -%> + <%- if reverse_cookies['domain'] -%> + ProxyPassReverseCookieDomain <%= reverse_cookies['domain'] %> <%= reverse_cookies['url'] %> + <%- end -%> <%- end -%> <%- end -%> <%- if proxy['reverse_urls'].nil? -%> diff --git a/apache/templates/vhost/_sslproxy.erb b/apache/templates/vhost/_sslproxy.erb index e58d52d0b..568d9d1d0 100644 --- a/apache/templates/vhost/_sslproxy.erb +++ b/apache/templates/vhost/_sslproxy.erb @@ -2,6 +2,9 @@ # SSL Proxy directives SSLProxyEngine On + <%- if @ssl_proxy_verify -%> + SSLProxyVerify <%= @ssl_proxy_verify %> + <%- end -%> <%- if @ssl_proxy_check_peer_cn -%> SSLProxyCheckPeerCN <%= @ssl_proxy_check_peer_cn %> <%- end -%> diff --git a/firewall/CHANGELOG.md b/firewall/CHANGELOG.md index 7de1bb151..9c6044bc5 100644 --- a/firewall/CHANGELOG.md +++ b/firewall/CHANGELOG.md @@ -1,3 +1,8 @@ +## Supported Release 1.7.2 +###Summary + +Small release for support of newer PE versions. This increments the version of PE in the metadata.json file. + ##2015-08-25 - Supported Release 1.7.1 ###Summary diff --git a/firewall/README.markdown b/firewall/README.markdown index 0a0807f23..0b74b8128 100644 --- a/firewall/README.markdown +++ b/firewall/README.markdown 
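Review bot: In _sslproxy.erb `SSLProxyVerify` is emitted only when `@ssl_proxy_verify` is set, so a vhost that enables `ssl_proxyengine` without it keeps mod_ssl's default of `none` and the backend certificate is not verified. A template comment would make that visible to whoever reads the file, e.g. `<%# ssl_proxy_verify unset => mod_ssl default (none): backend certificate is not verified -%>`. The value is also written into the config unchecked at this point; validation may live in vhost.pp outside this hunk, and if it does not, it should be limited to `none`, `optional`, `require` and `optional_no_ca`.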
@@ -404,12 +404,12 @@ This type enables you to manage firewall rules within Puppet. * `ip6tables`: Ip6tables type provider * Required binaries: `ip6tables-save`, `ip6tables`. - * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. + * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. * `iptables`: Iptables type provider * Required binaries: `iptables-save`, `iptables`. * Default for `kernel` == `linux`. - * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. + * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. **Autorequires:** 
@@ -453,6 +453,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov * `log_prefix`: The ability to add prefixes to log messages. +* `log_uid`: The ability to log the userid of the process which generated the packet. + * `mark`: The ability to match or set the netfilter mark value associated with the packet. * `mask`: The ability to match recent rules based on the ipv4 mask. @@ -590,6 +592,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov * `log_prefix`: When combined with `jump => 'LOG'` specifies the log prefix to use when logging. Requires the `log_prefix` feature. +* `log_uid`: The ability to log the userid of the process which generated the packet. + * `mask`: Sets the mask to use when `recent` is enabled. Requires the `mask` feature. * `month_days`: Only match on the given days of the month. Possible values are '1' to '31'. Note that specifying '31' will not match on months that do not have a 31st day; the same goes for 28- or 29-day February. diff --git a/firewall/lib/puppet/provider/firewall/ip6tables.rb b/firewall/lib/puppet/provider/firewall/ip6tables.rb index 51d0399d3..78ad24def 100644 --- a/firewall/lib/puppet/provider/firewall/ip6tables.rb +++ b/firewall/lib/puppet/provider/firewall/ip6tables.rb @@ -15,6 +15,7 @@ has_feature :reject_type has_feature :log_level has_feature :log_prefix + has_feature :log_uid has_feature :mark has_feature :mss has_feature :tcp_flags @@ -91,6 +92,7 @@ def self.iptables_save(*args) :limit => "-m limit --limit", :log_level => "--log-level", :log_prefix => "--log-prefix", + :log_uid => "--log-uid", :mask => "--mask", :match_mark => "-m mark --mark", :name => "-m comment --comment", @@ -150,6 +152,7 @@ def self.iptables_save(*args) :ishasmorefrags, :islastfrag, :isfirstfrag, + :log_uid, :rsource, :rdest, :reap, 
@@ -220,7 +223,7 @@ def self.iptables_save(*args) :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest, - :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, + :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone] end diff --git a/firewall/lib/puppet/provider/firewall/iptables.rb b/firewall/lib/puppet/provider/firewall/iptables.rb index e6c11e535..1b7beb3de 100644 --- a/firewall/lib/puppet/provider/firewall/iptables.rb +++ b/firewall/lib/puppet/provider/firewall/iptables.rb @@ -20,6 +20,7 @@ has_feature :reject_type has_feature :log_level has_feature :log_prefix + has_feature :log_uid has_feature :mark has_feature :mss has_feature :tcp_flags @@ -75,6 +76,7 @@ :limit => "-m limit --limit", :log_level => "--log-level", :log_prefix => "--log-prefix", + :log_uid => "--log-uid", :mac_source => ["-m mac --mac-source", "--mac-source"], :mask => '--mask', :match_mark => "-m mark --mark", @@ -140,6 +142,7 @@ :checksum_fill, :clamp_mss_to_pmtu, :isfragment, + :log_uid, :random, :rdest, :reap, 
@@ -255,7 +258,7 @@ def munge_resource_map_from_resource(resource_map_original, compare) :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, - :log_level, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, + :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone ] @@ -371,7 +374,7 @@ def self.rule_to_hash(line, table, counter) # -f requires special matching: # only replace those -f that are not followed by an l to # distinguish between -f and the '-f' inside of --tcp-flags. - values = values.sub(/-f(?!l)(?=.*--comment)/, '-f true') + values = values.sub(/\s-f(?!l)(?=.*--comment)/, ' -f true') else values = values.sub(/#{resource_map[bool]}/, "#{resource_map[bool]} true") end diff --git a/firewall/lib/puppet/type/firewall.rb b/firewall/lib/puppet/type/firewall.rb index 72a67f971..213fedf02 100644 --- a/firewall/lib/puppet/type/firewall.rb +++ b/firewall/lib/puppet/type/firewall.rb @@ -42,6 +42,7 @@ feature :reject_type, "The ability to control reject messages" feature :log_level, "The ability to control the log level" feature :log_prefix, "The ability to add prefixes to log messages" + feature :log_uid, "Add UIDs to log messages" feature :mark, "Match or Set the netfilter mark value associated with the packet" feature :mss, "Match a given TCP MSS value or range." feature :tcp_flags, "The ability to match on particular TCP flag settings" 
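Review bot: The new `-f` pattern in `rule_to_hash` is anchored on the left with `\s` but still open on the right, so any whitespace-preceded token that merely starts with `-f` (anything but `-fl…`) is still rewritten to `-f true`. With the leading `\s` in place, the `(?!l)` lookahead no longer does what the comment above it describes, because the `-f` inside `--tcp-flags` is never preceded by whitespace. A trailing boundary states the intent exactly: `values = values.sub(/\s-f(?=\s)(?=.*--comment)/, ' -f true')`, and the comment should be updated to say that only a standalone `-f` argument is matched. The enclosing method and the `if` this branch belongs to start outside the hunk.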
@@ -368,7 +369,7 @@ def should_to_s(value) *tcp*. EOS - newvalues(*[:tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :all].collect do |proto| + newvalues(*[:tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :all].collect do |proto| [proto, "! #{proto}".to_sym] end.flatten) defaultto "tcp" @@ -570,6 +571,15 @@ def should_to_s(value) EOS end + newproperty(:log_uid, :required_features => :log_uid) do + desc <<-EOS + When combined with jump => "LOG" specifies the uid of the process making + the connection. + EOS + + newvalues(:true, :false) + end + # ICMP matching property newproperty(:icmp, :required_features => :icmp_match) do desc <<-EOS @@ -1488,9 +1498,9 @@ def insync?(is) end end - if value(:log_prefix) || value(:log_level) + if value(:log_prefix) || value(:log_level) || value(:log_uid) unless value(:jump).to_s == "LOG" - self.fail "Parameter log_prefix and log_level require jump => LOG" + self.fail "Parameter log_prefix, log_level and log_uid require jump => LOG" end end diff --git a/firewall/manifests/linux/debian.pp b/firewall/manifests/linux/debian.pp index d7941e21d..a24d3ab16 100644 --- a/firewall/manifests/linux/debian.pp +++ b/firewall/manifests/linux/debian.pp @@ -32,7 +32,7 @@ } } - if($::operatingsystemrelease =~ /^6\./ and $enable == true + if($::operatingsystemrelease =~ /^6\./ and $enable == true and $::iptables_persistent_version and versioncmp($::iptables_persistent_version, '0.5.0') < 0) { # This fixes a bug in the iptables-persistent LSB headers in 6.x, without it # we lose idempotency diff --git a/firewall/metadata.json b/firewall/metadata.json index e1ac5e0fc..af0e78f50 100644 --- a/firewall/metadata.json +++ b/firewall/metadata.json @@ -1,6 +1,6 @@ { "name": "puppetlabs-firewall", - "version": "1.7.1", + "version": "1.7.2", "author": "Puppet Labs", "summary": "Manages Firewalls such as iptables", "license": "Apache-2.0", 
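Review bot: The `desc` of the new `log_uid` property says it "specifies the uid of the process making the connection", but the property only accepts `:true`/`:false` through `newvalues`, so it is a switch and not a uid value. A description that matches the behaviour and the feature text added to the README in this patch would be `When combined with jump => "LOG", logs the userid of the process which generated the packet.` It is also worth stating in the `desc` that the property has no effect unless `jump => 'LOG'` is set, since the validation that enforces this sits in a different part of the file.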
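Review bot: `value(:log_uid)` in the extended validation condition is truthy for both allowed values, because `newvalues(:true, :false)` yields symbols and `:false` is truthy in Ruby. A resource that sets `log_uid => false` with a jump other than LOG would therefore presumably hit `self.fail`, although nothing is being logged. An explicit comparison avoids that: `if value(:log_prefix) || value(:log_level) || value(:log_uid) == :true`. The validate block starts and ends outside the hunk, so any munging of the value elsewhere is not visible here.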
@@ -72,7 +72,7 @@ "requirements": [ { "name": "pe", - "version_requirement": ">= 3.0.0 < 2015.3.0" + "version_requirement": ">= 3.0.0 < 2015.4.0" }, { "name": "puppet", diff --git a/firewall/spec/acceptance/firewall_clusterip_spec.rb b/firewall/spec/acceptance/firewall_clusterip_spec.rb index bdd601745..03fbd906c 100644 --- a/firewall/spec/acceptance/firewall_clusterip_spec.rb +++ b/firewall/spec/acceptance/firewall_clusterip_spec.rb 
@@ -1,45 +1,49 @@ -require 'spec_helper_acceptance' - -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - before(:all) do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') - end - - # SLES doesn't have the CLUSTERIP module - if default['platform'] !~ /sles/ - describe 'clusterip' do - context 'cluster ipv4 test' do - it 'applies' do - pending("MODULES-2124 should be resolved for clusterip RHEL7 support") if default['platform'] =~ /el-7/ - pp = <<-EOS - class { '::firewall': } - firewall { - '830 - clusterip test': - chain => 'FORWARD', - jump => 'CLUSTERIP', - destination => '1.1.1.1', - iniface => 'eth0', - clusterip_new => true, - clusterip_hashmode => "sourceip", - clusterip_clustermac => "01:00:5E:00:00:00", - clusterip_total_nodes => "2", - clusterip_local_node => "1", - clusterip_hash_init => "1337", - } - EOS - - apply_manifest(pp, :catch_failures => true) - end - - it 'should contain the rule' do - pending("MODULES-2124 should be resolved for clusterip RHEL7 support") if default['platform'] =~ /el-7/ - shell('iptables-save') do |r| - expect(r.stdout).to match(/-A FORWARD -d (1.1.1.1\/32|1.1.1.1) -i eth0 -p tcp -m comment --comment "830 - clusterip test" -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:00 --total-nodes 2 --local-node 1 --hash-init 1337/) - end - end - end - end - end -end + +# These tests have been commented out, as there are suspicions that the clusterIP ipt module is causing system reboots. 
+ + +# require 'spec_helper_acceptance' + +# describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do + +# before(:all) do +# shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') +# shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') +# end + +# # SLES doesn't have the CLUSTERIP module +# if default['platform'] !~ /sles/ +# describe 'clusterip' do +# context 'cluster ipv4 test' do +# it 'applies' do +# pending("MODULES-2124 should be resolved for clusterip RHEL7 support") if default['platform'] =~ /el-7/ +# pp = <<-EOS +# class { '::firewall': } +# firewall { +# '830 - clusterip test': +# chain => 'FORWARD', +# jump => 'CLUSTERIP', +# destination => '1.1.1.1', +# iniface => 'eth0', +# clusterip_new => true, +# clusterip_hashmode => "sourceip", +# clusterip_clustermac => "01:00:5E:00:00:00", +# clusterip_total_nodes => "2", +# clusterip_local_node => "1", +# clusterip_hash_init => "1337", +# } +# EOS + +# apply_manifest(pp, :catch_failures => true) +# end + +# it 'should contain the rule' do +# pending("MODULES-2124 should be resolved for clusterip RHEL7 support") if default['platform'] =~ /el-7/ +# shell('iptables-save') do |r| +# expect(r.stdout).to match(/-A FORWARD -d (1.1.1.1\/32|1.1.1.1) -i eth0 -p tcp -m comment --comment "830 - clusterip test" -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:00 --total-nodes 2 --local-node 1 --hash-init 1337/) +# end +# end +# end +# end +# end +# end diff --git a/firewall/spec/acceptance/firewall_spec.rb b/firewall/spec/acceptance/firewall_spec.rb index 4b3a43887..def7d178c 100644 --- a/firewall/spec/acceptance/firewall_spec.rb +++ b/firewall/spec/acceptance/firewall_spec.rb 
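Review bot: Commenting out the entire spec file removes the CLUSTERIP acceptance coverage without leaving any trace in the test report, and the header comment names no issue to track re-enabling it. Keeping the code live and marking the group as skipped keeps the gap visible in every run, e.g. `xdescribe 'clusterip' do` (or a `skip` with a reason string, depending on the RSpec version in use). A comment such as `# TODO(<TICKET-ID>): re-enable once the CLUSTERIP reboot issue is understood` would record why the tests are off. The existing `pending("MODULES-2124 ...")` lines show the pattern is already used in this file.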
@@ -2330,6 +2330,47 @@ class { '::firewall': } end end + context 'log_uid is true' do + it 'adds the rule' do + pp = <<-EOS + class { '::firewall': } + firewall { '700 - test log_uid': + chain => 'OUTPUT', + jump => 'LOG', + log_uid => true, + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('iptables-save') do |r| + expect(r.stdout).to match(/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log-uid/) + end + end + + it 'removes the rule' do + pp = <<-EOS + class { '::firewall': } + firewall { '700 - test log_uid': + chain => 'OUTPUT', + jump => 'LOG', + log_uid => false, + ensure => absent, + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should not contain the rule' do + shell('iptables-save') do |r| + expect(r.stdout).to_not match(/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j --log-uid/) + end + end + end + context 'comment containing "-A "' do it 'adds the rule' do pp = <<-EOS diff --git a/firewall/spec/acceptance/nodesets/new/aio/redhat-6-64mda.yml b/firewall/spec/acceptance/nodesets/new/aio/redhat-6-64mda.yml new file mode 100644 index 000000000..9e63eebc7 --- /dev/null +++ b/firewall/spec/acceptance/nodesets/new/aio/redhat-6-64mda.yml @@ -0,0 +1,28 @@ +--- +HOSTS: + redhat-6-x86_64-agent: + roles: + - agent + - default + platform: el-6-x86_64 + template: redhat-6-x86_64 + hypervisor: vcloud + redhat-7-x86_64-master: + roles: + - master + - dashboard + - database + - agent + platform: el-7-x86_64 + template: redhat-7-x86_64 + hypervisor: vcloud +CONFIG: + nfs_server: none + consoleport: 443 + datastore: instance0 + folder: Delivery/Quality Assurance/Enterprise/Dynamic + resourcepool: delivery/Quality Assurance/Enterprise/Dynamic + pooling_api: http://vcloud.delivery.puppetlabs.net/ + type: aio + ssh: + timeout: 600 \ No newline at end of file 
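Review bot: The negative assertion in 'should not contain the rule' can never fail: its pattern ends in `-j --log-uid` and lacks the `LOG` target that the positive check uses, so `to_not match` passes even when the rule is still present in `iptables-save`. The pattern should mirror the positive one: `expect(r.stdout).to_not match(/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log-uid/)`. Separately, the removal manifest combines `log_uid => false` with `ensure => absent`, so no example in this context checks a rule that stays in place with `log_uid => false`.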
diff --git a/firewall/spec/acceptance/nodesets/new/aio/redhat-7-64mda.yml b/firewall/spec/acceptance/nodesets/new/aio/redhat-7-64mda.yml
new file mode 100644
index 000000000..b9c352be3
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/aio/redhat-7-64mda.yml
@@ -0,0 +1,28 @@
+---
+HOSTS:
+ redhat-7-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ type: aio
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/aio/ubuntu-1404-64mda.yml b/firewall/spec/acceptance/nodesets/new/aio/ubuntu-1404-64mda.yml
new file mode 100644
index 000000000..9029d26f6
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/aio/ubuntu-1404-64mda.yml
@@ -0,0 +1,28 @@
+---
+HOSTS:
+ ubuntu-1404-agent:
+ roles:
+ - agent
+ - default
+ platform: ubuntu-14.04-amd64
+ template: Delivery/Quality Assurance/Templates/vCloud/ubuntu-1404-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ type: aio
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/centos-5-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/centos-5-64mda.yml
new file mode 100644
index 000000000..ba6c23c91
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/centos-5-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ centos-5-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-5-x86_64
+ template: Delivery/Quality Assurance/Templates/vCloud/centos-5-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
diff --git a/firewall/spec/acceptance/nodesets/new/pe/centos-6-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/centos-6-64mda.yml
new file mode 100644
index 000000000..e97e73fde
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/centos-6-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ centos-6-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-6-x86_64
+ template: Delivery/Quality Assurance/Templates/vCloud/centos-6-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
diff --git a/firewall/spec/acceptance/nodesets/new/pe/centos-7-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/centos-7-64mda.yml
new file mode 100644
index 000000000..056b52d30
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/centos-7-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ centos-7-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-7-x86_64
+ template: centos-7-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
diff --git a/firewall/spec/acceptance/nodesets/new/pe/debian-6-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/debian-6-64mda.yml
new file mode 100644
index 000000000..3101a5a8e
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/debian-6-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ debian-6-amd64-agent:
+ roles:
+ - agent
+ - default
+ platform: debian-6-amd64
+ template: debian-6-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
diff --git a/firewall/spec/acceptance/nodesets/new/pe/debian-7-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/debian-7-64mda.yml
new file mode 100644
index 000000000..4ebf914ac
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/debian-7-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ debian-7-amd64-agent:
+ roles:
+ - agent
+ - default
+ platform: debian-7-amd64
+ template: debian-7-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/oracle-6-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/oracle-6-64mda.yml
new file mode 100644
index 000000000..58e0fc076
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/oracle-6-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ oracle-6-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-6-x86_64
+ template: oracle-6-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/oracle-7-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/oracle-7-64mda.yml
new file mode 100644
index 000000000..157d81452
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/oracle-7-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ oracle-7-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-7-x86_64
+ template: oracle-7-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/redhat-5-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/redhat-5-64mda.yml
new file mode 100644
index 000000000..56e45f5af
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/redhat-5-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ redhat-5-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-5-x86_64
+ template: redhat-5-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/redhat-6-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/redhat-6-64mda.yml
new file mode 100644
index 000000000..a41c585d8
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/redhat-6-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ redhat-6-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-6-x86_64
+ template: redhat-6-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/redhat-7-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/redhat-7-64mda.yml
new file mode 100644
index 000000000..6ed476b74
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/redhat-7-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ redhat-7-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/scientific-5-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/scientific-5-64mda.yml
new file mode 100644
index 000000000..4ae3e43bd
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/scientific-5-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ scientific-5-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-5-x86_64
+ template: scientific-5-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/scientific-6-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/scientific-6-64mda.yml
new file mode 100644
index 000000000..0c9457f24
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/scientific-6-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ scientific-6-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-6-x86_64
+ template: scientific-6-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/scientific-7-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/scientific-7-64mda.yml
new file mode 100644
index 000000000..80692bff1
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/scientific-7-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ scientific-7-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: el-7-x86_64
+ template: scientific-7-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/sles-10-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/sles-10-64mda.yml
new file mode 100644
index 000000000..5761d8ded
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/sles-10-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ sles-10-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: sles-10-x86_64
+ template: sles-10-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/sles-11-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/sles-11-64mda.yml
new file mode 100644
index 000000000..660c72f38
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/sles-11-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ sles-11-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: sles-11-x86_64
+ template: sles-11-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/sles-12-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/sles-12-64mda.yml
new file mode 100644
index 000000000..0e7884cd3
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/sles-12-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ sles-12-x86_64-agent:
+ roles:
+ - agent
+ - default
+ platform: sles-12-x86_64
+ template: sles-12-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/ubuntu-1004-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/ubuntu-1004-64mda.yml
new file mode 100644
index 000000000..0baeba857
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/ubuntu-1004-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ ubuntu-1004-agent:
+ roles:
+ - agent
+ - default
+ platform: ubuntu-10.04-amd64
+ template: ubuntu-1004-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/ubuntu-1204-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/ubuntu-1204-64mda.yml
new file mode 100644
index 000000000..d8c293192
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/ubuntu-1204-64mda.yml
@@ -0,0 +1,27 @@
+---
+HOSTS:
+ ubuntu-1204-agent:
+ roles:
+ - agent
+ - default
+ platform: ubuntu-12.04-amd64
+ template: Delivery/Quality Assurance/Templates/vCloud/ubuntu-1204-x86_64
+ hypervisor: vcloud
+ redhat-7-x86_64-master:
+ roles:
+ - master
+ - dashboard
+ - database
+ - agent
+ platform: el-7-x86_64
+ template: redhat-7-x86_64
+ hypervisor: vcloud
+CONFIG:
+ nfs_server: none
+ consoleport: 443
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
+ ssh:
+ timeout: 600
\ No newline at end of file
diff --git a/firewall/spec/acceptance/nodesets/new/pe/ubuntu-1404-64mda.yml b/firewall/spec/acceptance/nodesets/new/pe/ubuntu-1404-64mda.yml
new file mode 100644
index 000000000..c53683da8
--- /dev/null
+++ b/firewall/spec/acceptance/nodesets/new/pe/ubuntu-1404-64mda.yml
@@ -0,0 +1,27 @@ +--- +HOSTS: + ubuntu-1404-agent: + roles: + - agent + - default + platform: ubuntu-14.04-amd64 + template: Delivery/Quality Assurance/Templates/vCloud/ubuntu-1404-x86_64 + hypervisor: vcloud + redhat-7-x86_64-master: + roles: + - master + - dashboard + - database + - agent + platform: el-7-x86_64 + template: redhat-7-x86_64 + hypervisor: vcloud +CONFIG: + nfs_server: none + consoleport: 443 + datastore: instance0 + folder: Delivery/Quality Assurance/Enterprise/Dynamic + resourcepool: delivery/Quality Assurance/Enterprise/Dynamic + pooling_api: http://vcloud.delivery.puppetlabs.net/ + ssh: + timeout: 600 \ No newline at end of file diff --git a/firewall/spec/fixtures/iptables/conversion_hash.rb b/firewall/spec/fixtures/iptables/conversion_hash.rb index ac9ba9a96..bbdff8cc8 100644 --- a/firewall/spec/fixtures/iptables/conversion_hash.rb +++ b/firewall/spec/fixtures/iptables/conversion_hash.rb @@ -573,6 +573,14 @@ :clamp_mss_to_pmtu => true, }, }, + 'mangled_chain_name_with_-f' => { + :line => '-A foo-filter -p tcp -m comment --comment "068 chain name containing -f" -j ACCEPT', + :params => { + :name => '068 chain name containing -f', + :action => 'accept', + :chain => 'foo-filter', + }, + }, } # This hash is for testing converting a hash to an argument line. diff --git a/firewall/spec/unit/classes/firewall_linux_redhat_spec.rb b/firewall/spec/unit/classes/firewall_linux_redhat_spec.rb index 8feecf4a7..036488a74 100644 --- a/firewall/spec/unit/classes/firewall_linux_redhat_spec.rb +++ b/firewall/spec/unit/classes/firewall_linux_redhat_spec.rb 
@@ -1,5 +1,27 @@ require 'spec_helper' +RSpec.shared_examples "ensures iptables service" do + context 'default' do + it { should contain_service('iptables').with( + :ensure => 'running', + :enable => 'true' + )} + end + + context 'ensure => stopped' do + let(:params) {{ :ensure => 'stopped' }} + it { should contain_service('iptables').with( + :ensure => 'stopped' + )} + end + context 'enable => false' do + let(:params) {{ :enable => 'false' }} + it { should contain_service('iptables').with( + :enable => 'false' + )} + end +end + describe 'firewall::linux::redhat', :type => :class do %w{RedHat CentOS Fedora}.each do |os| oldreleases = (os == 'Fedora' ? ['14'] : ['6.5']) @@ -15,6 +37,8 @@ it { should_not contain_service('firewalld') } it { should_not contain_package('iptables-services') } + + it_behaves_like "ensures iptables service" end end @@ -36,27 +60,8 @@ :ensure => 'present', :before => 'Service[iptables]' )} - end - end - describe 'ensure' do - context 'default' do - it { should contain_service('iptables').with( - :ensure => 'running', - :enable => 'true' - )} - end - context 'ensure => stopped' do - let(:params) {{ :ensure => 'stopped' }} - it { should contain_service('iptables').with( - :ensure => 'stopped' - )} - end - context 'enable => false' do - let(:params) {{ :enable => 'false' }} - it { should contain_service('iptables').with( - :enable => 'false' - )} + it_behaves_like "ensures iptables service" end end end diff --git a/fluentd/manifests/install.pp b/fluentd/manifests/install.pp index e5e859774..df95821f5 100644 --- a/fluentd/manifests/install.pp +++ b/fluentd/manifests/install.pp @@ -12,7 +12,7 @@ } -> file { $fluentd::config_file: - ensure => present, - content => file('fluentd/td-agent.conf'), + ensure => present, + source => 'puppet:///modules/fluentd/td-agent.conf', } } diff --git a/haproxy/CHANGELOG.md b/haproxy/CHANGELOG.md index 1e73caba4..fbd006385 100644 --- a/haproxy/CHANGELOG.md +++ b/haproxy/CHANGELOG.md 
@@ -1,3 +1,8 @@ +## Supported Release 1.3.1 +###Summary + +Small release for support of newer PE versions. This increments the version of PE in the metadata.json file. + ## 2015-07-15 - Supported Release 1.3.0 ### Summary This release adds puppet 4 support, and adds the ability to specify the order diff --git a/haproxy/README.md b/haproxy/README.md index 6f696e5bd..4ab5e00a7 100644 --- a/haproxy/README.md +++ b/haproxy/README.md @@ -15,6 +15,7 @@ * [Set up a frontend service](#set-up-a-frontend-service) * [Set up a backend service](#set-up-a-backend-service) * [Configure multiple haproxy instances on one machine](#configure-multiple-haproxy-instances-on-one-machine) + * [Manage a map file](#manage-a-map-file) 5. [Reference - An under-the-hood peek at what the module is doing and how](#reference) 6. [Limitations - OS compatibility, etc.](#limitations) 7. [Development - Guide for contributing to the module](#development) @@ -138,7 +139,6 @@ haproxy::listen { 'puppet00': options => { 'option' => [ 'tcplog', - 'ssl-hello-chk', ], 'balance' => 'roundrobin', }, @@ -155,7 +155,6 @@ haproxy::listen { 'puppet00': options => { 'option' => [ 'tcplog', - 'ssl-hello-chk', ], 'balance' => 'roundrobin', }, @@ -280,7 +279,6 @@ haproxy::backend { 'puppet00': options => { 'option' => [ 'tcplog', - 'ssl-hello-chk', ], 'balance' => 'roundrobin', }, @@ -294,7 +292,6 @@ haproxy::backend { 'puppet00': options => [ { 'option' => [ 'tcplog', - 'ssl-hello-chk', ] }, { 'balance' => 'roundrobin' }, 
@@ -380,6 +377,44 @@ The second uses a custom package. ipaddress => $::ipaddress, ports => '9900', } + +### Manage a map file + +~~~puppet +haproxy::mapfile { 'domains-to-backends': + ensure => 'present', + mappings => [ + { 'app01.example.com' => 'bk_app01' }, + { 'app02.example.com' => 'bk_app02' }, + { 'app03.example.com' => 'bk_app03' }, + { 'app04.example.com' => 'bk_app04' }, + 'app05.example.com bk_app05', + 'app06.example.com bk_app06', + ], +} +~~~ + +This creates a file `/etc/haproxy/domains-to-backends.map` containing the mappings specified in the `mappings` array. + +The map file can then be used in a frontend to map `Host:` values to backends, implementing name-based virtual hosting: + +``` +frontend ft_allapps + [...] + use_backend %[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,bk_default)] +``` + +Or expressed using `haproxy::frontend`: + +~~~puppet +haproxy::frontend { 'ft_allapps': + ipaddress => '0.0.0.0', + ports => '80', + mode => 'http', + options => { + 'use_backend' => '%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,bk_default)]' + } +} ~~~ ##Reference @@ -410,6 +445,7 @@ The second uses a custom package. * [`haproxy::peer`](#define-haproxypeer): Creates server entries within a peers entry in haproxy.cfg. * [`haproxy::instance`](#define-instance): Creates multiple instances of haproxy on the same machine. * [`haproxy::instance_service`](#define-instanceservice): Example of one way to prepare environment for haproxy::instance. +* [`haproxy::mapfile`](#define-haproxymapfile): Manages an HAProxy [map file](https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.1-map). ####Private defines 
@@ -507,6 +543,8 @@ Main class, includes all other classes. * `service_options`: Contents for the `/etc/defaults/haproxy` file on Debian. Defaults to "ENABLED=1\n" on Debian, and is ignored on other systems. +* `config_dir`: Path to the directory in which the main configuration file `haproxy.cfg` resides. Will also be used for storing any managed map files (see [`haproxy::mapfile`](#define-haproxymapfile). Default depends on platform. + #### Define: `haproxy::balancermember` Configures a service inside a listening or backend service configuration block in haproxy.cfg. @@ -668,7 +706,7 @@ Sets up a peer entry inside the peers configuration block in haproxy.cfg. * `peers_name`: *Required.* Specifies the peer in which to add the load balancer. Valid options: a string containing the name of an HAProxy peer. -* `ports`: *Required.* Specifies the port on which the load balancer sends connections to peers. Valid options: a string containing a port number. +* `port`: *Required.* Specifies the port on which the load balancer sends connections to peers. Valid options: a string containing a port number. * `server_names`: *Required unless the `collect_exported` parameter of your `haproxy::peers` resource is set to `true`.* Sets the name of the peer server as listed in the peers configuration block. Valid options: a string or an array. If you pass an array, it must contain the same number of elements as the array you pass to `ipaddresses`. Puppet pairs up the elements from both arrays and creates a peer for each pair of values. Default: the value of the `$::hostname` fact. 
@@ -754,7 +792,40 @@ Path to the template init.d script that will start/restart/reload this instance. * `haproxy_unit_template`: Path to the template systemd service unit definition that will start/restart/reload this instance. -##Limitations +#### Define: `haproxy::mapfile` + +Manages an HAProxy [map file](https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.1-map). A map allows to map data in input to other data on output. This is especially useful for efficiently mapping domain names to backends, thus effectively implementing name-based virtual hosting. A map file contains one key + value per line. These key-value pairs are specified in the `mappings` array. + +This article on the HAProxy blog gives a nice overview of the use case: http://blog.haproxy.com/2015/01/26/web-application-name-to-backend-mapping-in-haproxy/ + +##### Parameters + +* `namevar`: The namevar of the defined resource type is the filename of the map file (without any extension), relative to the `haproxy::config_dir` directory. A '.map' extension is added automatically. + +* `mappings`: An array of mappings for this map file. Array elements may be Hashes with a single key-value pair each (preferably) or simple Strings. Default: `[]`. Example: + + ```puppet + mappings => [ + { 'app01.example.com' => 'bk_app01' }, + { 'app02.example.com' => 'bk_app02' }, + { 'app03.example.com' => 'bk_app03' }, + { 'app04.example.com' => 'bk_app04' }, + 'app05.example.com bk_app05', + 'app06.example.com bk_app06', + ] + ``` + +* `ensure`: The state of the underlying file resource, either 'present' or 'absent'. Default: 'present' + +* `owner`: The owner of the underlying file resource. Defaut: 'root' + +* `group`: The group of the underlying file resource. Defaut: 'root' + +* `mode`: The mode of the underlying file resource. Defaut: '0644' + +* `instances`: Array of names of managed HAproxy instances to notify (restart/reload) when the map file is updated. 
This is so that the same map file can be used with multiple HAproxy instances (if multiple instances are used). Default: `[ 'haproxy' ]` + +## Limitations This module is tested and officially supported on the following platforms: diff --git a/haproxy/examples/init.pp b/haproxy/examples/init.pp index 77590ac87..30fbd8358 100644 --- a/haproxy/examples/init.pp +++ b/haproxy/examples/init.pp @@ -50,7 +50,6 @@ options => { 'option' => [ 'tcplog', - 'ssl-hello-chk', ], 'balance' => 'roundrobin', }, diff --git a/haproxy/manifests/backend.pp b/haproxy/manifests/backend.pp index 054a40cf2..7cd9abd8d 100644 --- a/haproxy/manifests/backend.pp +++ b/haproxy/manifests/backend.pp @@ -54,7 +54,6 @@ $options = { 'option' => [ 'tcplog', - 'ssl-hello-chk' ], 'balance' => 'roundrobin' }, diff --git a/haproxy/manifests/init.pp b/haproxy/manifests/init.pp index 80697ae32..15493af8f 100644 --- a/haproxy/manifests/init.pp +++ b/haproxy/manifests/init.pp 
@@ -54,17 +54,22 @@ # or add options without having to recreate the entire hash. Defaults to # false, but will default to true in future releases. # -#[*restart_command*] +# [*restart_command*] # Command to use when restarting the on config changes. # Passed directly as the 'restart' parameter to the service resource. # Defaults to undef i.e. whatever the service default is. # -#[*custom_fragment*] -# Allows arbitrary HAProxy configuration to be passed through to support -# additional configuration not available via parameters, or to short-circute -# the defined resources such as haproxy::listen when an operater would rather -# just write plain configuration. Accepts a string (ie, output from the -# template() function). Defaults to undef +# [*custom_fragment*] +# Allows arbitrary HAProxy configuration to be passed through to support +# additional configuration not available via parameters, or to short-circute +# the defined resources such as haproxy::listen when an operater would rather +# just write plain configuration. Accepts a string (ie, output from the +# template() function). Defaults to undef +# +# [*config_dir*] +# Path to the directory in which the main configuration file `haproxy.cfg` +# resides. Will also be used for storing any managed map files (see +# `haproxy::mapfile`). Default depends on platform. # # === Examples # @@ -107,6 +112,7 @@ $merge_options = $haproxy::params::merge_options, $restart_command = undef, $custom_fragment = undef, + $config_dir = $haproxy::params::config_dir, $config_file = $haproxy::params::config_file, # Deprecated @@ -123,6 +129,8 @@ validate_bool($service_manage) validate_bool($merge_options) validate_string($service_options) + validate_hash($global_options, $defaults_options) + validate_absolute_path($config_dir) # NOTE: These deprecating parameters are implemented in this class, # not in haproxy::instance. haproxy::instance is new and therefore 
@@ -161,6 +169,7 @@ defaults_options => $defaults_options, restart_command => $restart_command, custom_fragment => $custom_fragment, + config_dir => $config_dir, config_file => $config_file, merge_options => $merge_options, service_options => $service_options, diff --git a/haproxy/manifests/install.pp b/haproxy/manifests/install.pp index 53d6c5691..3ee846d81 100644 --- a/haproxy/manifests/install.pp +++ b/haproxy/manifests/install.pp @@ -14,13 +14,4 @@ } } - # Create default configuration directory, gentoo portage does not create it - if $::osfamily == 'Gentoo' { - file { '/etc/haproxy': - ensure => directory, - owner => 'root', - group => 'root', - require => Package[$haproxy::package_name] - } - } } diff --git a/haproxy/manifests/instance.pp b/haproxy/manifests/instance.pp index 469ca0914..35421e3d8 100644 --- a/haproxy/manifests/instance.pp +++ b/haproxy/manifests/instance.pp @@ -143,6 +143,7 @@ $defaults_options = undef, $restart_command = undef, $custom_fragment = undef, + $config_dir = undef, $config_file = undef, $merge_options = $haproxy::params::merge_options, $service_options = $haproxy::params::service_options, @@ -160,8 +161,9 @@ # Therefore, we "include haproxy::params" for any parameters we need. include haproxy::params - $_global_options = pick($global_options, $haproxy::params::global_options, []) - $_defaults_options = pick($defaults_options, $haproxy::params::defaults_options, []) + $_global_options = pick($global_options, $haproxy::params::global_options) + $_defaults_options = pick($defaults_options, $haproxy::params::defaults_options) + validate_hash($_global_options,$_defaults_options) # Determine instance_name based on: # single-instance hosts: haproxy 
@@ -177,17 +179,23 @@ # single-instance hosts: use defaults # multi-instance hosts: use templates if $config_file != undef { - $_config_dir = undef $_config_file = $config_file } else { if $instance_name == 'haproxy' { - $_config_dir = $haproxy::params::config_dir $_config_file = $haproxy::params::config_file } else { - $_config_dir = inline_template($haproxy::params::config_dir_tmpl) $_config_file = inline_template($haproxy::params::config_file_tmpl) } } + if $config_dir != undef { + $_config_dir = $config_dir + } else { + if $instance_name == 'haproxy' { + $_config_dir = $haproxy::params::config_dir + } else { + $_config_dir = inline_template($haproxy::params::config_dir_tmpl) + } + } haproxy::config { $title: instance_name => $instance_name, diff --git a/haproxy/manifests/listen.pp b/haproxy/manifests/listen.pp index ecff498ab..bc447e3c4 100644 --- a/haproxy/manifests/listen.pp +++ b/haproxy/manifests/listen.pp @@ -84,7 +84,6 @@ $options = { 'option' => [ 'tcplog', - 'ssl-hello-chk' ], 'balance' => 'roundrobin' }, diff --git a/haproxy/manifests/mapfile.pp b/haproxy/manifests/mapfile.pp new file mode 100644 index 000000000..62c193dca --- /dev/null +++ b/haproxy/manifests/mapfile.pp 
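Review bot: The new `if $config_dir != undef { $_config_dir = $config_dir }` branch accepts the caller's value unchecked, although the `haproxy` class in this same commit runs `validate_absolute_path($config_dir)`. A `haproxy::instance` declared directly bypasses that check, so adding `validate_absolute_path($_config_dir)` after the `if`/`else` block would give both entry points the same guarantee. When only `$config_file` is overridden, `$_config_dir` is now taken from the params defaults instead of being `undef`, so the directory and the file can point at different locations; a comment stating whether that is intended would help. The define's body continues outside the hunk, so a check further down cannot be ruled out.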
@@ -0,0 +1,62 @@ +# == Define Resource Type: haproxy::mapfile +# +# Manage an HAProxy map file as documented in +# https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.1-map +# A map file contains one key + value per line. These key-value pairs are +# specified in the `mappings` array. +# +# === Parameters +# +# [*name*] +# The namevar of the defined resource type is the filename of the map file +# (without any extension), relative to the `haproxy::config_dir` directory. +# A '.map' extension will be added automatically. +# +# [*mappings*] +# An array of mappings for this map file. Array elements may be Hashes with a +# single key-value pair each (preferably) or simple Strings. Default: `[]` +# +# [*ensure*] +# The state of the underlying file resource, either 'present' or 'absent'. +# Default: 'present' +# +# [*owner*] +# The owner of the underlying file resource. Defaut: 'root' +# +# [*group*] +# The group of the underlying file resource. Defaut: 'root' +# +# [*mode*] +# The mode of the underlying file resource. Defaut: '0644' +# +# [*instances*] +# Array of managed HAproxy instance names to notify (restart/reload) when the +# map file is updated. This is so that the same map file can be used with +# multiple HAproxy instances. Default: `[ 'haproxy' ]` +# +define haproxy::mapfile ( + $mappings = [], + $ensure = 'present', + $owner = 'root', + $group = 'root', + $mode = '0644', + $instances = [ 'haproxy' ], +) { + $mapfile_name = $title + + validate_re($ensure, '^present|absent$', "Haproxy::Mapfile[${mapfile_name}]: '${ensure}' is not supported for ensure. 
Allowed values are 'present' and 'absent'.") + validate_array($mappings) + validate_array($instances) + + $_instances = flatten($instances) + + file { "haproxy_mapfile_${mapfile_name}": + ensure => $ensure, + owner => $owner, + group => $group, + mode => $mode, + content => template('haproxy/haproxy_mapfile.erb'), + path => "${haproxy::config_dir}/${mapfile_name}.map", + notify => Haproxy::Service[$_instances], + } +} diff --git a/haproxy/metadata.json b/haproxy/metadata.json index 4379cca3e..44e154176 100644 --- a/haproxy/metadata.json +++ b/haproxy/metadata.json @@ -1,6 +1,6 @@ { "name": "puppetlabs-haproxy", - "version": "1.3.0", + "version": "1.3.1", "author": "Puppet Labs", "summary": "Configures HAProxy servers and manages the configuration of backend member servers.", "license": "Apache-2.0", @@ -59,7 +59,7 @@ "requirements": [ { "name": "pe", - "version_requirement": ">= 3.0.0 < 2015.3.0" + "version_requirement": ">= 3.0.0 < 2015.4.0" }, { "name": "puppet", diff --git a/haproxy/spec/classes/haproxy_spec.rb b/haproxy/spec/classes/haproxy_spec.rb index d68e61e7b..14d44d2a8 100644 --- a/haproxy/spec/classes/haproxy_spec.rb +++ b/haproxy/spec/classes/haproxy_spec.rb 
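Review bot: The `validate_re` pattern `'^present|absent$'` in `haproxy::mapfile` is not anchored as a whole, because the alternation binds looser than the anchors, so any value that starts with `present` or ends with `absent` is accepted. Grouping the alternatives and using string anchors fixes it: `validate_re($ensure, '\A(present|absent)\z', ...)`. The title is also interpolated straight into `path => "${haproxy::config_dir}/${mapfile_name}.map"`; a check such as `validate_re($mapfile_name, '\A[\w.-]+\z')` would keep a title containing `/` from placing the file outside the configuration directory. `$owner`, `$group` and `$mode` reach the file resource unvalidated, and the spec added in this commit has no case for a rejected `ensure` value, which is why the loose pattern goes unnoticed.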
@@ -463,6 +463,138 @@ end end end + + describe 'when overriding global and defaults options with user-supplied overrides and additions' do + # For testing the merging functionality we restrict ourselves to + # Debian OS family so that we don't have to juggle different sets of + # global_options and defaults_options (like for FreeBSD). + ['Debian' ].each do |osfamily| + context "on #{osfamily} family operatingsystems" do + let(:facts) do + { :osfamily => osfamily }.merge default_facts + end + let(:contents) { param_value(catalogue, 'concat::fragment', 'haproxy-haproxy-base', 'content').split("\n") } + let(:params) do + { + 'merge_options' => false, + 'global_options' => { + 'log-send-hostname' => '', + 'chroot' => '/srv/haproxy-chroot', + 'stats' => [ + 'socket /var/lib/haproxy/admin.sock mode 660 level admin', + 'timeout 30s' + ] + }, + 'defaults_options' => { + 'mode' => 'http', + 'option' => [ + 'abortonclose', + 'logasap', + 'dontlognull', + 'httplog', + 'http-server-close', + 'forwardfor except 127.0.0.1', + ], + 'timeout' => [ + 'connect 5s', + 'client 1m', + 'server 1m', + 'check 7s', + ] + }, + } + end + it 'should manage a custom chroot directory' do + subject.should contain_file('/srv/haproxy-chroot').with( + 'ensure' => 'directory' + ) + end + it 'should contain global and defaults sections' do + contents.should include('global') + contents.should include('defaults') + end + it 'should send hostname with log in global options' do + contents.should include(' log-send-hostname ') + end + it 'should enable admin stats and stats timeout in global options' do + contents.should include(' stats socket /var/lib/haproxy/admin.sock mode 660 level admin') + contents.should include(' stats timeout 30s') + end + it 'should set mode http in default options' do + contents.should include(' mode http') + end + it 'should not set the global parameter "maxconn"' do + contents.should_not include(' maxconn 4000') + end + it 'should set various options in defaults, removing 
the "redispatch" option' do + contents.should_not include(' option redispatch') + contents.should include(' option abortonclose') + contents.should include(' option logasap') + contents.should include(' option dontlognull') + contents.should include(' option httplog') + contents.should include(' option http-server-close') + contents.should include(' option forwardfor except 127.0.0.1') + end + it 'should set timeouts in defaults, removing the "http-request 10s" and "queue 1m" timeout' do + contents.should_not include(' timeout http-request 10s') + contents.should_not include(' timeout queue 1m') + contents.should include(' timeout connect 5s') + contents.should include(' timeout check 7s') + contents.should include(' timeout client 1m') + contents.should include(' timeout server 1m') + end + end + end + end + + describe 'when specifying global_options with arrays instead of hashes' do + # For testing input validation we restrict ourselves to + # Debian OS family so that we don't have to juggle different sets of + # global_options and defaults_options (like for FreeBSD). + ['Debian' ].each do |osfamily| + context "on #{osfamily} family operatingsystems" do + let(:facts) do + { :osfamily => osfamily }.merge default_facts + end + let(:contents) { param_value(catalogue, 'concat::fragment', 'haproxy-haproxy-base', 'content').split("\n") } + let(:params) do + { + 'merge_options' => true, + 'global_options' => [ 'log-send-hostname', 'chroot /srv/haproxy-chroot' ] + } + end + it 'should raise error' do + expect { catalogue }.to raise_error Puppet::Error, /is not a Hash/ + end + end + end + end + describe 'when specifying defaults_options with arrays instead of hashes' do + # For testing input validation we restrict ourselves to + # Debian OS family so that we don't have to juggle different sets of + # global_options and defaults_options (like for FreeBSD). 
+ ['Debian' ].each do |osfamily| + context "on #{osfamily} family operatingsystems" do + let(:facts) do + { :osfamily => osfamily }.merge default_facts + end + let(:contents) { param_value(catalogue, 'concat::fragment', 'haproxy-haproxy-base', 'content').split("\n") } + let(:params) do + { + 'merge_options' => true, + 'defaults_options' => [ + 'mode http', + 'timeout connect 5s', + 'timeout client 1m' + ] + } + end + it 'should raise error' do + expect { catalogue }.to raise_error Puppet::Error, /is not a Hash/ + end + end + end + end end context 'on unsupported operatingsystems' do diff --git a/haproxy/spec/defines/backend_spec.rb b/haproxy/spec/defines/backend_spec.rb index ef1a1fbdd..2318f68ac 100644 --- a/haproxy/spec/defines/backend_spec.rb +++ b/haproxy/spec/defines/backend_spec.rb @@ -16,7 +16,7 @@ it { should contain_concat__fragment('haproxy-bar_backend_block').with( 'order' => '20-bar-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nbackend bar\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nbackend bar\n balance roundrobin\n option tcplog\n" ) } end diff --git a/haproxy/spec/defines/listen_spec.rb b/haproxy/spec/defines/listen_spec.rb index 5a291cd44..90b94f743 100644 --- a/haproxy/spec/defines/listen_spec.rb +++ b/haproxy/spec/defines/listen_spec.rb @@ -22,7 +22,7 @@ it { should contain_concat__fragment('haproxy-croy_listen_block').with( 'order' => '20-croy-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten croy\n bind 1.1.1.1:18140 \n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten croy\n bind 1.1.1.1:18140 \n balance roundrobin\n option tcplog\n" ) } end # C9940 
@@ -41,7 +41,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n bind 23.23.23.23:80 \n bind 23.23.23.23:443 \n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n bind 23.23.23.23:80 \n bind 23.23.23.23:443 \n balance roundrobin\n option tcplog\n" ) } end # C9940 @@ -57,7 +57,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n bind 23.23.23.23:80 \n bind 23.23.23.23:443 \n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n bind 23.23.23.23:80 \n bind 23.23.23.23:443 \n balance roundrobin\n option tcplog\n" ) } end # C9962 @@ -73,7 +73,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n balance roundrobin\n option tcplog\n" ) } end # C9963 @@ -117,7 +117,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n bind some-hostname:80 \n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n bind some-hostname:80 \n balance roundrobin\n option tcplog\n" ) } end context "when a * is passed for ip address" do 
@@ -132,7 +132,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n bind *:80 \n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n bind *:80 \n balance roundrobin\n option tcplog\n" ) } end context "when a bind parameter hash is passed" do @@ -146,7 +146,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n bind 10.0.0.1:333 ssl crt public.puppetlabs.com\n bind 192.168.122.1:8082 \n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n bind 10.0.0.1:333 ssl crt public.puppetlabs.com\n bind 192.168.122.1:8082 \n balance roundrobin\n option tcplog\n" ) } end context "when a ports parameter and a bind parameter are passed" do @@ -203,7 +203,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n bind 1.1.1.1:80 the options go here\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n bind 1.1.1.1:80 the options go here\n balance roundrobin\n option tcplog\n" ) } end context "when bind parameter is used without ipaddress parameter" do @@ -217,7 +217,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n bind 1.1.1.1:80 \n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n bind 1.1.1.1:80 \n balance roundrobin\n option tcplog\n" ) } end 
@@ -237,7 +237,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy\n bind :443,:8443 ssl crt public.puppetlabs.com no-sslv3\n bind fd@${FD_APP1} \n bind 1.1.1.1:80 \n bind 2.2.2.2:8000-8010 ssl crt public.puppetlabs.com\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy\n bind :443,:8443 ssl crt public.puppetlabs.com no-sslv3\n bind fd@${FD_APP1} \n bind 1.1.1.1:80 \n bind 2.2.2.2:8000-8010 ssl crt public.puppetlabs.com\n balance roundrobin\n option tcplog\n" ) } end context "when bind parameter is used with ip addresses that sort wrong lexigraphically" do @@ -259,7 +259,7 @@ it { should contain_concat__fragment('haproxy-apache_listen_block').with( 'order' => '20-apache-00', 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "\nlisten apache\n bind :443,:8443 ssl crt public.puppetlabs.com no-sslv3\n bind fd@${FD_APP1} \n bind 1.1.1.1:80 \n bind 2.2.2.2:8000-8010 ssl crt public.puppetlabs.com\n bind 8.252.206.99:80 name input99\n bind 8.252.206.100:80 name input100\n bind 8.252.206.101:80 name input101\n bind 10.1.3.21:80 name input21\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" + 'content' => "\nlisten apache\n bind :443,:8443 ssl crt public.puppetlabs.com no-sslv3\n bind fd@${FD_APP1} \n bind 1.1.1.1:80 \n bind 2.2.2.2:8000-8010 ssl crt public.puppetlabs.com\n bind 8.252.206.99:80 name input99\n bind 8.252.206.100:80 name input100\n bind 8.252.206.101:80 name input101\n bind 10.1.3.21:80 name input21\n balance roundrobin\n option tcplog\n" ) } end diff --git a/haproxy/spec/defines/mapfile_spec.rb b/haproxy/spec/defines/mapfile_spec.rb new file mode 100644 index 000000000..f7b58ba68 --- /dev/null +++ b/haproxy/spec/defines/mapfile_spec.rb 
@@ -0,0 +1,48 @@ +require 'spec_helper' + +describe 'haproxy::mapfile' do + let(:pre_condition) { 'include haproxy' } + let(:title) { 'domains-to-backends' } + let(:facts) do + { + :ipaddress => '1.1.1.1', + :osfamily => 'Redhat', + :concat_basedir => '/dne', + } + end + context "map domains to backends" do + let(:params) do + { + :ensure => 'present', + :mappings => [ + { 'app01.example.com' => 'bk_app01' }, + { 'app02.example.com' => 'bk_app02' }, + { 'app03.example.com' => 'bk_app03' }, + { 'app04.example.com' => 'bk_app04' }, + 'app05.example.com bk_app05', + 'app06.example.com bk_app06', + ], + :instances => [ 'haproxy' ], + } + end + + it { should contain_file('haproxy_mapfile_domains-to-backends').that_notifies('Haproxy::Service[haproxy]') } + it { should contain_file('haproxy_mapfile_domains-to-backends').with( + 'path' => '/etc/haproxy/domains-to-backends.map', + 'ensure' => 'present', + 'content' => "# HAProxy map file \"domains-to-backends\"\n# Managed by Puppet\n\napp01.example.com bk_app01\napp02.example.com bk_app02\napp03.example.com bk_app03\napp04.example.com bk_app04\napp05.example.com bk_app05\napp06.example.com bk_app06\n" ) } + end + + context "fail if a non-array is supplied for mappings" do + let(:params) do + { + :ensure => 'present', + :mappings => { 'foo' => 'bar' }, + } + end + + it 'should raise error' do + expect { catalogue }.to raise_error Puppet::Error, /is not an Array/ + end + end +end diff --git a/haproxy/templates/haproxy_mapfile.erb b/haproxy/templates/haproxy_mapfile.erb new file mode 100644 index 000000000..bfc21f7d4 --- /dev/null +++ b/haproxy/templates/haproxy_mapfile.erb 
@@ -0,0 +1,18 @@ +# HAProxy map file "<%= @mapfile_name -%>" +# Managed by Puppet + +<%# Iterate over array elements; If element is a Hash sort it by its keys, -%> +<%# just in case, then output each key-value pair. If element is a String -%> +<%# then simply output the String value. Fail if the array contains anything -%> +<%# other than Hashes or Strings. -%> +<%- @mappings.each do |mapping| -%> +<%- if mapping.is_a?(Hash) -%> +<%- mapping.sort.map do |key, val| -%> +<%= key -%> <%= val %> +<%- end -%> +<%- elsif mapping.is_a?(String) -%> +<%= mapping %> +<%- else -%> +<% scope.function_fail(["Haproxy::Mapfile[#{@mapfile_name}]: $mappings array must contain only Hashes or Strings"]) -%> +<%- end -%> +<%- end -%> diff --git a/mongodb/CHANGELOG.md b/mongodb/CHANGELOG.md index 57530a055..218d0e911 100644 --- a/mongodb/CHANGELOG.md +++ b/mongodb/CHANGELOG.md @@ -1,3 +1,7 @@ +## Unreleased +### Summary +- support setting a proxy for yum repositories with or without user/password authentication + ## 2015-06-22 - Release 0.11.0 ### Summary diff --git a/mongodb/README.md b/mongodb/README.md index 44fc3ee4a..5753fa888 100644 --- a/mongodb/README.md +++ b/mongodb/README.md @@ -232,6 +232,15 @@ the module will use the default for your OS distro. This setting can be used to override the default MongoDB repository location. If not specified, the module will use the default repository for your OS distro. +#####`repo_proxy` +This will allow you to set a proxy for your repository in case you are behind a corporate firewall. Currently this is only supported with yum repositories + +#####`proxy_username` +This sets the username for the proxyserver, should authentication be required + +#####`proxy_password` +This sets the password for the proxyserver, should authentication be required + ####Class: mongodb::server Most of the parameters manipulate the mongod.conf file. diff --git a/mongodb/manifests/globals.pp b/mongodb/manifests/globals.pp index 5bb33b9c5..85f418b0b 100644 
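Review bot: Keys, values and plain string elements are written into the map file verbatim by `<%= key -%> <%= val %>` and `<%= mapping %>`, so an element that contains a newline becomes additional map entries that never appeared as separate items in the `mappings` array. If mappings can come from Hiera or exported data, rejecting elements that match `/[\r\n]/` with the same `scope.function_fail` call used in the `else` branch would close that gap. The Hash branch also calls `mapping.sort.map` only for its side effect; `mapping.sort.each do |key, val|` states what is meant.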
--- a/mongodb/manifests/globals.pp +++ b/mongodb/manifests/globals.pp @@ -27,6 +27,9 @@ $manage_package_repo = undef, $manage_package = undef, + $repo_proxy = undef, + $proxy_username = undef, + $proxy_password = undef, $repo_location = undef, $use_enterprise_repo = undef, @@ -39,6 +42,7 @@ class { '::mongodb::repo': ensure => present, repo_location => $repo_location, + proxy => $repo_proxy, } } } diff --git a/mongodb/manifests/repo.pp b/mongodb/manifests/repo.pp index e117ecc5e..70b6f6c97 100644 --- a/mongodb/manifests/repo.pp +++ b/mongodb/manifests/repo.pp @@ -1,8 +1,11 @@ # PRIVATE CLASS: do not use directly class mongodb::repo ( - $ensure = $mongodb::params::ensure, - $version = $mongodb::params::version, - $repo_location = undef, + $ensure = $mongodb::params::ensure, + $version = $mongodb::params::version, + $repo_location = undef, + $proxy = undef, + $proxy_username = undef, + $proxy_password = undef, ) inherits mongodb::params { case $::osfamily { 'RedHat', 'Linux': { diff --git a/mongodb/manifests/repo/yum.pp b/mongodb/manifests/repo/yum.pp index cc033327f..6046e9a3e 100644 --- a/mongodb/manifests/repo/yum.pp +++ b/mongodb/manifests/repo/yum.pp @@ -5,10 +5,13 @@ if($::mongodb::repo::ensure == 'present' or $::mongodb::repo::ensure == true) { yumrepo { 'mongodb': - descr => $::mongodb::repo::description, - baseurl => $::mongodb::repo::location, - gpgcheck => '0', - enabled => '1', + descr => $::mongodb::repo::description, + baseurl => $::mongodb::repo::location, + gpgcheck => '0', + enabled => '1', + proxy => $::mongodb::repo::proxy, + proxy_username => $::mongodb::repo::proxy_username, + proxy_password => $::mongodb::repo::proxy_password, } Yumrepo['mongodb'] -> Package<|tag == 'mongodb'|> } diff --git a/mongodb/spec/classes/repo_spec.rb b/mongodb/spec/classes/repo_spec.rb index ef8b11377..eeb093740 100644 --- a/mongodb/spec/classes/repo_spec.rb +++ b/mongodb/spec/classes/repo_spec.rb 
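Review bot: `$proxy_username` and `$proxy_password` are added as parameters in `globals.pp`, but the `class { '::mongodb::repo': ... }` declaration in the second hunk forwards only `proxy => $repo_proxy`, so credentials set through this class never reach the `yumrepo` resource. Add `proxy_username => $proxy_username,` and `proxy_password => $proxy_password,` next to the `proxy` line. The new context in `repo_spec.rb` passes all three values to `mongodb::repo` directly, so it does not exercise this path.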
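Review bot: The `yumrepo { 'mongodb': }` resource in `repo/yum.pp` now takes `proxy`, `proxy_username` and `proxy_password` while `gpgcheck => '0'` stays in place, so packages fetched through the proxy are installed without signature verification; the spec in this commit uses a plain `http://` proxy URL. A parameter that lets `gpgcheck` be enabled together with a `gpgkey` would let users of the proxy option keep package integrity checks. The README entry for `proxy_password` should also say that the value ends up in the repo definition on the node and in the catalog in clear text.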
@@ -29,4 +29,30 @@ } end + context 'when yumrepo has a proxy set' do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + } + end + let :params do + { + :proxy => 'http://proxy-server:8080', + :proxy_username => 'proxyuser1', + :proxy_password => 'proxypassword1', + } + end + it { + is_expected.to contain_class('mongodb::repo::yum') + } + it do + should contain_yumrepo('mongodb').with({ + 'enabled' => '1', + 'proxy' => 'http://proxy-server:8080', + 'proxy_username' => 'proxyuser1', + 'proxy_password' => 'proxypassword1', + }) + end + end end diff --git a/mongodb/templates/mongodb.conf.2.6.erb b/mongodb/templates/mongodb.conf.2.6.erb index 293f8099a..0f1775562 100644 --- a/mongodb/templates/mongodb.conf.2.6.erb +++ b/mongodb/templates/mongodb.conf.2.6.erb @@ -1,6 +1,6 @@ -# mongo.conf - generated from Puppet +#mongo.conf - generated from Puppet -# System Log +#System Log <% if @logpath -%> systemLog.path: <%= @logpath %> @@ -80,7 +80,7 @@ security.javascriptEnabled: <%= @noscripting %> <% end -%> -# Net +#Net <% if @ipv6 -%> net.ipv6=<%= @ipv6 %> <% end -%> @@ -111,7 +111,7 @@ replication.replSetName: <%= @replset %> replication.oplogSizeMB: <%= @oplog_size %> <% end -%> -# Sharding +#Sharding <% if @configsvr -%> sharding.clusterRole: configsvr <% end -%> diff --git a/mysql/CHANGELOG.md b/mysql/CHANGELOG.md index 5cbe10369..00dd4635e 100644 --- a/mysql/CHANGELOG.md +++ b/mysql/CHANGELOG.md @@ -1,3 +1,8 @@ +## Supported Release 3.6.2 +###Summary + +Small release for support of newer PE versions. This increments the version of PE in the metadata.json file. + ## 2015-09-22 - Supported Release 3.6.1 ### Summary This is a security and bugfix release that fixes incorrect username truncation in the munge for the mysql_user type, incorrect function used in `mysql::server::backup` and fixes compatibility issues with PE 3.3.x. diff --git a/mysql/README.md b/mysql/README.md index 9961d6d4d..e0d767177 100644 --- a/mysql/README.md +++ b/mysql/README.md 
@@ -85,6 +85,8 @@ replicate-do-db = base1 replicate-do-db = base2 ~~~ +To implement version specific parameters you can use [mysqld-5.5] syntax which is only read by MySQL version 5.5. This allows one config for different versions of MySQL. + ### Creating a database To use `mysql::db` to create a database with a user and assign some privileges: @@ -181,6 +183,7 @@ mysql::db { 'mydb': #### Private classes * `mysql::server::install`: Installs packages. +* `mysql::server::installdb`: Implements setup of mysqld data directory (e.g. /var/lib/mysql) * `mysql::server::config`: Configures MYSQL. * `mysql::server::service`: Manages service. * `mysql::server::account_security`: Deletes default MySQL accounts. @@ -805,6 +808,17 @@ The name of the MySQL plugin to manage. The library file name. +#### `mysql_datadir` + +Initializes the MySQL data directory with version specific code. Pre MySQL 5.7.6 +it uses mysql_install_db. After MySQL 5.7.6 it uses mysqld --initialize-insecure. + +Insecure initialization is needed, as mysqld version 5.7 introduced "secure by default" mode. +This means MySQL generates a random password and writes it to STDOUT. This means puppet +can never accesss the database server afterwards, as no credencials are available. + +This type is an internal type and should not be called directly. + ### Facts #### `mysql_version` diff --git a/mysql/lib/puppet/provider/mysql.rb b/mysql/lib/puppet/provider/mysql.rb index 9b34ca00e..cf76f13af 100644 --- a/mysql/lib/puppet/provider/mysql.rb +++ b/mysql/lib/puppet/provider/mysql.rb @@ -2,7 +2,12 @@ class Puppet::Provider::Mysql < Puppet::Provider # Without initvars commands won't work. initvars + + # Make sure we find mysqld on CentOS + ENV['PATH']=ENV['PATH'] + ':/usr/libexec' + commands :mysql => 'mysql' + commands :mysqld => 'mysqld' commands :mysqladmin => 'mysqladmin' # Optional defaults file 
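Review bot: In the `@@ -2,7 +2,12 @@` hunk of `mysql/lib/puppet/provider/mysql.rb`, `commands :mysqld => 'mysqld'` puts the server binary on the shared base class, so every provider that inherits from it now depends on `mysqld` being installed locally. If Puppet treats `commands` as a suitability requirement, as it normally does, a host that has only the client and manages a remote server would lose these providers; `optional_commands :mysqld => 'mysqld'`, with the version lookup tolerating a missing binary, would avoid that. Separately, `ENV['PATH']=ENV['PATH'] + ':/usr/libexec'` raises when `PATH` is unset and changes the search path for the whole agent process at load time. `ENV['PATH'] = [ENV['PATH'], '/usr/libexec'].compact.join(File::PATH_SEPARATOR)` is safer, with a comment noting that the directory is appended last on purpose so it cannot shadow earlier entries. The class body continues outside the hunk.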
@@ -13,7 +18,41 @@ def self.defaults_file nil end end - + + def self.mysqld_type + # find the mysql "dialect" like mariadb / mysql etc. + mysqld_version_string.scan(/\s\(mariadb/i) { return "mariadb" } + mysqld_version_string.scan(/\s\(mysql/i) { return "mysql" } + mysqld_version_string.scan(/\s\(percona/i) { return "percona" } + nil + end + + def mysqld_type + self.class.mysqld_type + end + + def self.mysqld_version_string + # we cache the result ... + return @mysqld_version_string unless @mysqld_version_string.nil? + @mysqld_version_string = mysqld(['-V'].compact) + return @mysqld_version_string + end + + def mysqld_version_string + self.class.mysqld_version_string + end + + def self.mysqld_version + # note: be prepared for '5.7.6-rc-log' etc results + # versioncmp detects 5.7.6-log to be newer then 5.7.6 + # this is why we need the trimming. + mysqld_version_string.scan(/\d+\.\d+\.\d+/).first unless mysqld_version_string.nil? + end + + def mysqld_version + self.class.mysqld_version + end + def defaults_file self.class.defaults_file end diff --git a/mysql/lib/puppet/provider/mysql_datadir/mysql.rb b/mysql/lib/puppet/provider/mysql_datadir/mysql.rb new file mode 100644 index 000000000..c90d9753c --- /dev/null +++ b/mysql/lib/puppet/provider/mysql_datadir/mysql.rb 
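Review bot: `self.mysqld_type` calls `mysqld_version_string.scan` with no nil guard, whereas `self.mysqld_version` a few lines below checks `unless mysqld_version_string.nil?`, so the two helpers disagree about whether the string can be nil. Add `return nil if mysqld_version_string.nil?` at the top of `mysqld_type`, or drop the guard in both if nil cannot occur. The `scan(...) { return "mariadb" }` lines use a block-level `return` as control flow; a `case mysqld_version_string` with `when /\s\(mariadb/i then 'mariadb'` branches reads more directly. The class-level cache is never reset, so it is worth a comment that the value reflects the binary present when it was first queried (a package change later in the same run would not be seen).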
@@ -0,0 +1,70 @@ +require File.expand_path(File.join(File.dirname(__FILE__), '..', 'mysql')) +Puppet::Type.type(:mysql_datadir).provide(:mysql, :parent => Puppet::Provider::Mysql) do + + desc 'manage data directories for mysql instances' + + initvars + + # Make sure we find mysqld on CentOS + ENV['PATH']=ENV['PATH'] + ':/usr/libexec' + + commands :mysqld => 'mysqld' + commands :mysql_install_db => 'mysql_install_db' + + def create + name = @resource[:name] + insecure = @resource.value(:insecure) || true + defaults_extra_file = @resource.value(:defaults_extra_file) + user = @resource.value(:user) || "mysql" + basedir = @resource.value(:basedir) || "/usr" + datadir = @resource.value(:datadir) || @resource[:name] + + unless defaults_extra_file.nil? + if File.exist?(defaults_extra_file) + defaults_extra_file="--defaults-extra-file=#{defaults_extra_file}" + else + raise ArgumentError, "Defaults-extra-file #{defaults_extra_file} is missing" + end + end + + if insecure == true + initialize="--initialize-insecure" + else + initialize="--initialize" + end + + if mysqld_version.nil? 
+ debug("Installing MySQL data directory with mysql_install_db --basedir=#{basedir} #{defaults_extra_file} --datadir=#{datadir} --user=#{user}") + mysql_install_db(["--basedir=#{basedir}",defaults_extra_file, "--datadir=#{datadir}", "--user=#{user}"].compact) + else + if mysqld_type == "mysql" and Puppet::Util::Package.versioncmp(mysqld_version, '5.7.6') >= 0 + debug("Initializing MySQL data directory >= 5.7.6 with 'mysqld #{defaults_extra_file} #{initialize} --basedir=#{basedir} --datadir=#{datadir} --user=#{user}'") + mysqld([defaults_extra_file,initialize,"--basedir=#{basedir}","--datadir=#{datadir}", "--user=#{user}", "--log_error=/var/tmp/mysqld_initialize.log"].compact) + else + debug("Installing MySQL data directory with mysql_install_db --basedir=#{basedir} #{defaults_extra_file} --datadir=#{datadir} --user=#{user}") + mysql_install_db(["--basedir=#{basedir}",defaults_extra_file, "--datadir=#{datadir}", "--user=#{user}"].compact) + end + end + + exists? + end + + def destroy + name = @resource[:name] + raise ArgumentError, "ERROR: Resource can not be removed" + end + + def exists? + datadir = @resource[:datadir] + File.directory?("#{datadir}/mysql") + end + + ## + ## MySQL datadir properties + ## + + # Generates method for all properties of the property_hash + mk_resource_methods + +end + diff --git a/mysql/lib/puppet/provider/mysql_user/mysql.rb b/mysql/lib/puppet/provider/mysql_user/mysql.rb index 4ba194b7b..bc4014f41 100644 --- a/mysql/lib/puppet/provider/mysql_user/mysql.rb +++ b/mysql/lib/puppet/provider/mysql_user/mysql.rb 
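Review bot: In `create`, `insecure = @resource.value(:insecure) || true` always evaluates to `true`, so `insecure => false` can never select `--initialize` and every MySQL >= 5.7.6 data directory is initialised with `--initialize-insecure` (which, per the README text in this commit, skips the generated root password). Use `insecure = @resource.value(:insecure)` followed by `insecure = true if insecure.nil?`, and confirm what the boolean parameter actually yields, since a symbol value would also fail the `insecure == true` test. The `mysqld` call also writes to the fixed path `--log_error=/var/tmp/mysqld_initialize.log` in a world-writable directory. A local user can pre-create that name, so the log should go to a directory only the service account or root can write, or be derived from `datadir`. `destroy` assigns `name` and never uses it.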
@@ -12,7 +12,16 @@ def self.instances # To reduce the number of calls to MySQL we collect all the properties in # one big swoop. users.collect do |name| - query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, /*!50706 AUTHENTICATION_STRING AS */ PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'" + if mysqld_version.nil? + ## Default ... + query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'" + else + if mysqld_type == "mysql" and Puppet::Util::Package.versioncmp(mysqld_version, '5.7.6') >= 0 + query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, AUTHENTICATION_STRING, PLUGIN FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'" + else + query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'" + end + end @max_user_connections, @max_connections_per_hour, @max_queries_per_hour, @max_updates_per_hour, @password, @plugin = mysql([defaults_file, "-NBe", query].compact).split(/\s/) @@ -51,7 +60,11 @@ def create # Use CREATE USER to be compatible with NO_AUTO_CREATE_USER sql_mode # This is also required if you want to specify a authentication plugin if !plugin.nil? - mysql([defaults_file, '-e', "CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}'"].compact) + if plugin == 'sha256_password' and !password_hash.nil? + mysql([defaults_file, '-e', "CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}' AS '#{password_hash}'"].compact) + else + mysql([defaults_file, '-e', "CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}'"].compact) + end @property_hash[:ensure] = :present @property_hash[:plugin] = plugin else 
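Review bot: In the `self.instances` hunk, the `mysqld_version.nil?` branch and the final `else` branch build the same query, so the three-way branch can collapse to one condition, `if mysqld_version && mysqld_type == "mysql" && Puppet::Util::Package.versioncmp(mysqld_version, '5.7.6') >= 0`, with the `PASSWORD` form as the only fallback. The version comes from the local `mysqld -V`, while the query goes through the `mysql` client and the defaults file. If that file can point at another host, the column choice may not match the server being queried, which deserves a comment. `'#{name}'` is still interpolated into the statement unescaped, as before this change. The method body continues outside the hunk.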
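Review bot: In the `create` hunk, the supplied hash is applied only when `plugin == 'sha256_password'`. For any other plugin with `password_hash` set, the `else` branch runs `CREATE USER ... IDENTIFIED WITH '#{plugin}'` and drops the hash. Unless `password_hash=` is invoked afterwards (not visible here), the account would be created with no authentication string. Either pass the hash for every plugin that accepts `AS '<hash>'` or raise when a hash is given with an unsupported plugin, and say in a comment which is intended. `password_hash` and `plugin` are interpolated into the statement without escaping, so a value containing a single quote alters the SQL; validating both against an expected pattern before building the string would close that. `create` starts and ends outside the hunk.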
@@ -89,7 +102,24 @@ def exists? def password_hash=(string) merged_name = self.class.cmd_user(@resource[:name]) - mysql([defaults_file, '-e', "SET PASSWORD FOR #{merged_name} = '#{string}'"].compact) + + # We have a fact for the mysql version ... + if mysqld_version.nil? + # default ... if mysqld_version does not work + mysql([defaults_file, '-e', "SET PASSWORD FOR #{merged_name} = '#{string}'"].compact) + else + # Version >= 5.7.6 (many password related changes) + if mysqld_type == "mysql" and Puppet::Util::Package.versioncmp(mysqld_version, '5.7.6') >= 0 + if string.match(/^\*/) + mysql([defaults_file, '-e', "ALTER USER #{merged_name} IDENTIFIED WITH mysql_native_password AS '#{string}'"].compact) + else + raise ArgumentError, "Only mysql_native_password (*ABCD...XXX) hashes are supported" + end + else + # older versions + mysql([defaults_file, '-e', "SET PASSWORD FOR #{merged_name} = '#{string}'"].compact) + end + end password_hash == string ? (return true) : (return false) end diff --git a/mysql/lib/puppet/type/mysql_datadir.rb b/mysql/lib/puppet/type/mysql_datadir.rb new file mode 100644 index 000000000..156b82766 --- /dev/null +++ b/mysql/lib/puppet/type/mysql_datadir.rb @@ -0,0 +1,30 @@ +Puppet::Type.newtype(:mysql_datadir) do + @doc = 'Manage MySQL datadirs with mysql_install_db OR mysqld (5.7.6 and above).' + + ensurable + + autorequire(:package) { 'mysql-server' } + + newparam(:datadir, :namevar => true) do + desc "The datadir name" + end + + newparam(:basedir) do + desc 'The basedir name, default /usr.' + newvalues(/^\//) + end + + newparam(:user) do + desc 'The user for the directory default mysql (name, not uid).' + end + + newparam(:defaults_extra_file) do + desc "MySQL defaults-extra-file with absolute path (*.cnf)." + newvalues(/^\/.*\.cnf$/) + end + + newparam(:insecure, :boolean => true) do + desc "Insecure initialization (needed for 5.7.6++)." + end + +end 
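Review bot: In `password_hash=`, the guard `string.match(/^\*/)` only checks that some line of the value starts with `*`, because `^` matches at any line start in Ruby. The value is then placed inside `ALTER USER ... AS '#{string}'`. Validate the whole value instead, e.g. `string =~ /\A\*[0-9A-F]{40}\z/i`, so that only a well-formed mysql_native_password hash reaches the statement. The error message could then state the expected format. The new type in `mysql/lib/puppet/type/mysql_datadir.rb` has the same anchoring problem in `newvalues(/^\//)` and `newvalues(/^\/.*\.cnf$/)`, which should use `\A` and `\z`. Its `user` and `datadir` parameters have no validation at all, although the provider passes them on as `--user=` and `--datadir=` arguments.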
diff --git a/mysql/manifests/params.pp b/mysql/manifests/params.pp index 998cad401..a85187b3b 100644 --- a/mysql/manifests/params.pp +++ b/mysql/manifests/params.pp @@ -96,9 +96,17 @@ 'Suse': { case $::operatingsystem { 'OpenSuSE': { - $client_package_name = 'mysql-community-server-client' - $server_package_name = 'mysql-community-server' - $basedir = '/usr' + if versioncmp( $::operatingsystemmajrelease, '13' ) >= 0 { + $client_package_name = 'mariadb-client' + $server_package_name = 'mariadb' + # First service start fails if this is set. Runs fine without + # it being set, in any case. Leaving it as-is for the mysql. + $basedir = undef + } else { + $client_package_name = 'mysql-community-server-client' + $server_package_name = 'mysql-community-server' + $basedir = '/usr' + } } 'SLES','SLED': { if versioncmp($::operatingsystemrelease, '12') >= 0 { @@ -351,7 +359,11 @@ case $::operatingsystem { 'Ubuntu': { - $server_service_provider = upstart + if versioncmp($::operatingsystemmajrelease, '14.10') > 0 { + $server_service_provider = 'systemd' + } else { + $server_service_provider = 'upstart' + } } default: { $server_service_provider = undef @@ -368,6 +380,21 @@ 'log-error' => $mysql::params::log_error, 'socket' => $mysql::params::socket, }, + 'mysqld-5.0' => { + 'myisam-recover' => 'BACKUP', + }, + 'mysqld-5.1' => { + 'myisam-recover' => 'BACKUP', + }, + 'mysqld-5.5' => { + 'myisam-recover' => 'BACKUP', + }, + 'mysqld-5.6' => { + 'myisam-recover-options' => 'BACKUP', + }, + 'mysqld-5.7' => { + 'myisam-recover-options' => 'BACKUP', + }, 'mysqld' => { 'basedir' => $mysql::params::basedir, 'bind-address' => '127.0.0.1', @@ -378,7 +405,6 @@ 'max_allowed_packet' => '16M', 'max_binlog_size' => '100M', 'max_connections' => '151', - 'myisam_recover' => 'BACKUP', 'pid-file' => $mysql::params::pidfile, 'port' => '3306', 'query_cache_limit' => '1M', diff --git a/mysql/manifests/server/installdb.pp b/mysql/manifests/server/installdb.pp index de4772e6a..78e08f521 100644 
--- a/mysql/manifests/server/installdb.pp +++ b/mysql/manifests/server/installdb.pp @@ -10,21 +10,21 @@ $config_file = $mysql::server::config_file if $mysql::server::manage_config_file { - $install_db_args = "--basedir=${basedir} --defaults-extra-file=${config_file} --datadir=${datadir} --user=${mysqluser}" + $_config_file=$config_file } else { - $install_db_args = "--basedir=${basedir} --datadir=${datadir} --user=${mysqluser}" + $_config_file=undef } - exec { 'mysql_install_db': - command => "mysql_install_db ${install_db_args}", - creates => "${datadir}/mysql", - logoutput => on_failure, - path => '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin', - require => Package['mysql-server'], + mysql_datadir { $datadir: + ensure => 'present', + datadir => $datadir, + basedir => $basedir, + user => $mysqluser, + defaults_extra_file => $_config_file, } if $mysql::server::restart { - Exec['mysql_install_db'] { + Mysql_datadir[$datadir] { notify => Class['mysql::server::service'], } } diff --git a/mysql/manifests/server/service.pp b/mysql/manifests/server/service.pp index 6b9a05395..b9289cf0a 100644 --- a/mysql/manifests/server/service.pp +++ b/mysql/manifests/server/service.pp @@ -26,11 +26,13 @@ } } - service { 'mysqld': - ensure => $service_ensure, - name => $mysql::server::service_name, - enable => $mysql::server::real_service_enabled, - provider => $mysql::server::service_provider, + if $mysql::server::real_service_manage { + service { 'mysqld': + ensure => $service_ensure, + name => $mysql::server::service_name, + enable => $mysql::server::real_service_enabled, + provider => $mysql::server::service_provider, + } } # only establish ordering between service and package if 
@@ -47,4 +49,18 @@ File['mysql-config-file'] -> Service['mysqld'] } + if $mysql::server::override_options and $mysql::server::override_options['mysqld'] and $mysql::server::override_options['mysqld']['socket'] { + $mysqlsocket = $mysql::server::override_options['mysqld']['socket'] + } else { + $mysqlsocket = $options['mysqld']['socket'] + } + + exec { 'wait_for_mysql_socket_to_open': + command => "test -S ${mysqlsocket}", + unless => "test -S ${mysqlsocket}", + tries => '3', + try_sleep => '10', + require => Service['mysqld'], + path => '/bin:/usr/bin', + } } diff --git a/mysql/metadata.json b/mysql/metadata.json index 9bb1bb127..523e2ee72 100644 --- a/mysql/metadata.json +++ b/mysql/metadata.json @@ -1,6 +1,6 @@ { "name": "puppetlabs-mysql", - "version": "3.6.1", + "version": "3.6.2", "author": "Puppet Labs", "summary": "Installs, configures, and manages the MySQL service.", "license": "Apache-2.0", @@ -70,7 +70,7 @@ "requirements": [ { "name": "pe", - "version_requirement": ">= 3.0.0 < 2015.3.0" + "version_requirement": ">= 3.0.0 < 2015.4.0" }, { "name": "puppet", diff --git a/mysql/spec/classes/mysql_server_spec.rb b/mysql/spec/classes/mysql_server_spec.rb index 0625895ee..6f682888a 100644 --- a/mysql/spec/classes/mysql_server_spec.rb +++ b/mysql/spec/classes/mysql_server_spec.rb @@ -43,7 +43,7 @@ end context 'with datadir overridden' do let(:params) {{ :override_options => { 'mysqld' => { 'datadir' => '/tmp' }} }} - it { is_expected.to contain_exec('mysql_install_db') } + it { is_expected.to contain_mysql_datadir('/tmp') } end end 
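Review bot: In `mysql/manifests/server/service.pp`, the new `exec { 'wait_for_mysql_socket_to_open': ... require => Service['mysqld'] }` depends unconditionally on a resource that the previous hunk declares only inside `if $mysql::server::real_service_manage { ... }`. With service management turned off, the catalog would reference a `Service['mysqld']` that does not exist and should fail to compile. Wrap the exec in the same `if $mysql::server::real_service_manage { ... }` guard, or drop the `require` when the service is unmanaged. The context line `File['mysql-config-file'] -> Service['mysqld']` may need the same guard, but its enclosing condition is outside the hunk. `${mysqlsocket}` is placed unquoted into `test -S ${mysqlsocket}`, so a socket path containing whitespace would not be tested as one argument.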
@@ -68,6 +68,18 @@ :ensure => :stopped }) end + context 'with package_manage set to true' do + let(:params) {{ :package_manage => true }} + it { is_expected.to contain_package('mysql-server') } + end + context 'with package_manage set to false' do + let(:params) {{ :package_manage => false }} + it { is_expected.not_to contain_package('mysql-server') } + end + context 'with datadir overridden' do + let(:params) {{ :override_options => { 'mysqld' => { 'datadir' => '/tmp' }} }} + it { is_expected.to contain_mysql_datadir('/tmp') } + end end context 'with log-error overridden' do let(:params) {{ :override_options => { 'mysqld' => { 'log-error' => '/tmp/error.log' }} }} diff --git a/mysql/spec/unit/puppet/provider/mysql_user/mysql_spec.rb b/mysql/spec/unit/puppet/provider/mysql_user/mysql_spec.rb index aec759334..7eff67fec 100644 --- a/mysql/spec/unit/puppet/provider/mysql_user/mysql_spec.rb +++ b/mysql/spec/unit/puppet/provider/mysql_user/mysql_spec.rb 
@@ -1,6 +1,47 @@ require 'spec_helper' describe Puppet::Type.type(:mysql_user).provider(:mysql) do + + # Output of mysqld -V + mysql_version_string_hash = { + 'mysql-5.5' => + { + :version => '5.5.46', + :string => '/usr/sbin/mysqld Ver 5.5.46-log for Linux on x86_64 (MySQL Community Server (GPL))', + :mysql_type => 'mysql', + }, + 'mysql-5.6' => + { + :version => '5.6.27', + :string => '/usr/sbin/mysqld Ver 5.6.27 for Linux on x86_64 (MySQL Community Server (GPL))', + :mysql_type => 'mysql', + }, + 'mysql-5.7.1' => + { + :version => '5.7.1', + :string => '/usr/sbin/mysqld Ver 5.7.1 for Linux on x86_64 (MySQL Community Server (GPL))', + :mysql_type => 'mysql', + }, + 'mysql-5.7.6' => + { + :version => '5.7.8', + :string => '/usr/sbin/mysqld Ver 5.7.8-rc for Linux on x86_64 (MySQL Community Server (GPL))', + :mysql_type => 'mysql', + }, + 'mariadb-10.0' => + { + :version => '10.0.21', + :string => '/usr/sbin/mysqld Ver 10.0.21-MariaDB for Linux on x86_64 (MariaDB Server)', + :mysql_type => 'mariadb', + }, + 'percona-5.5' => + { + :version => '5.5.39', + :string => 'mysqld Ver 5.5.39-36.0-55 for Linux on x86_64 (Percona XtraDB Cluster (GPL), Release rel36.0, Revision 824, WSREP version 25.11, wsrep_25.11.r4023)', + :mysql_type => 'percona', + }, + } + let(:defaults_file) { '--defaults-extra-file=/root/.my.cnf' } let(:newhash) { '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5' } 
@@ -35,19 +76,72 @@ # Set up the stubs for an instances call. Facter.stubs(:value).with(:root_home).returns('/root') Facter.stubs(:value).with(:mysql_version).returns('5.6.24') + provider.class.instance_variable_set(:@mysqld_version_string, '5.6.24') Puppet::Util.stubs(:which).with('mysql').returns('/usr/bin/mysql') + Puppet::Util.stubs(:which).with('mysqld').returns('/usr/sbin/mysqld') File.stubs(:file?).with('/root/.my.cnf').returns(true) provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT CONCAT(User, '@',Host) AS User FROM mysql.user"]).returns('joe@localhost') - provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, /*!50706 AUTHENTICATION_STRING AS */ PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = 'joe@localhost'"]).returns('10 10 10 10 *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4') + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = 'joe@localhost'"]).returns('10 10 10 10 *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4') end let(:instance) { provider.class.instances.first } describe 'self.instances' do - it 'returns an array of users' do + it 'returns an array of users MySQL 5.5' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.5'][:string]) + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT CONCAT(User, '@',Host) AS User FROM mysql.user"]).returns(raw_users) + parsed_users.each do |user| + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{user}'"]).returns('10 10 10 10 ') + end + + usernames = provider.class.instances.collect {|x| x.name } + 
expect(parsed_users).to match_array(usernames) + end + it 'returns an array of users MySQL 5.6' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.6'][:string]) + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT CONCAT(User, '@',Host) AS User FROM mysql.user"]).returns(raw_users) + parsed_users.each do |user| + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{user}'"]).returns('10 10 10 10 ') + end + + usernames = provider.class.instances.collect {|x| x.name } + expect(parsed_users).to match_array(usernames) + end + it 'returns an array of users MySQL >= 5.7.0 < 5.7.6' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.7.1'][:string]) + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT CONCAT(User, '@',Host) AS User FROM mysql.user"]).returns(raw_users) + parsed_users.each do |user| + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{user}'"]).returns('10 10 10 10 ') + end + + usernames = provider.class.instances.collect {|x| x.name } + expect(parsed_users).to match_array(usernames) + end + it 'returns an array of users MySQL >= 5.7.6' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.7.6'][:string]) + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT CONCAT(User, '@',Host) AS User FROM mysql.user"]).returns(raw_users) + parsed_users.each do |user| + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, AUTHENTICATION_STRING, PLUGIN FROM mysql.user WHERE 
CONCAT(user, '@', host) = '#{user}'"]).returns('10 10 10 10 ') + end + + usernames = provider.class.instances.collect {|x| x.name } + expect(parsed_users).to match_array(usernames) + end + it 'returns an array of users mariadb 10.0' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mariadb-10.0'][:string]) + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT CONCAT(User, '@',Host) AS User FROM mysql.user"]).returns(raw_users) + parsed_users.each do |user| + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{user}'"]).returns('10 10 10 10 ') + end + + usernames = provider.class.instances.collect {|x| x.name } + expect(parsed_users).to match_array(usernames) + end + it 'returns an array of users percona 5.5' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['percona-5.5'][:string]) provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT CONCAT(User, '@',Host) AS User FROM mysql.user"]).returns(raw_users) parsed_users.each do |user| - provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, /*!50706 AUTHENTICATION_STRING AS */ PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{user}'"]).returns('10 10 10 10 ') + provider.class.stubs(:mysql).with([defaults_file, '-NBe', "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{user}'"]).returns('10 10 10 10 ') end usernames = provider.class.instances.collect {|x| x.name } 
@@ -55,6 +149,19 @@ end end + describe 'mysql version and type detection' do + mysql_version_string_hash.each do |name,line| + version=line[:version] + string=line[:string] + mysql_type=line[:mysql_type] + it "detects type '#{mysql_type}' with version '#{version}'" do + provider.class.instance_variable_set(:@mysqld_version_string, string) + expect(provider.mysqld_version).to eq(version) + expect(provider.mysqld_type).to eq(mysql_type) + end + end + end + describe 'self.prefetch' do it 'exists' do provider.class.instances 
@@ -85,6 +192,30 @@ end end + describe 'self.mysqld_version' do + it 'queries mysql if unset' do + provider.class.instance_variable_set(:@mysqld_version_string, nil) + provider.class.expects(:mysqld).with(['-V']) + expect(provider.mysqld_version).to be_nil + end + it 'returns 5.7.6 for "mysqld Ver 5.7.6 for Linux on x86_64 (MySQL Community Server (GPL))"' do + provider.class.instance_variable_set(:@mysqld_version_string, 'mysqld Ver 5.7.6 for Linux on x86_64 (MySQL Community Server (GPL))') + expect(provider.mysqld_version).to eq '5.7.6' + end + it 'returns 5.7.6 for "mysqld Ver 5.7.6-rc for Linux on x86_64 (MySQL Community Server (GPL))"' do + provider.class.instance_variable_set(:@mysqld_version_string, 'mysqld Ver 5.7.6-rc for Linux on x86_64 (MySQL Community Server (GPL))') + expect(provider.mysqld_version).to eq '5.7.6' + end + it 'detects >= 5.7.6 for 5.7.7-log' do + provider.class.instance_variable_set(:@mysqld_version_string, 'mysqld Ver 5.7.7-log for Linux on x86_64 (MySQL Community Server (GPL))') + expect(Puppet::Util::Package.versioncmp(provider.mysqld_version, '5.7.6')).to be >= 0 + end + it 'detects < 5.7.6 for 5.7.5-log' do + provider.class.instance_variable_set(:@mysqld_version_string, 'mysqld Ver 5.7.5-log for Linux on x86_64 (MySQL Community Server (GPL))') + expect(Puppet::Util::Package.versioncmp(provider.mysqld_version, '5.7.6')).to be < 0 + end + end + describe 'self.defaults_file' do it 'sets --defaults-extra-file' do File.stubs(:file?).with('/root/.my.cnf').returns(true) 
@@ -103,7 +234,43 @@ end describe 'password_hash=' do - it 'changes the hash' do + it 'changes the hash mysql 5.5' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.5'][:string]) + provider.expects(:mysql).with([defaults_file, '-e', "SET PASSWORD FOR 'joe'@'localhost' = '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5'"]).returns('0') + + provider.expects(:password_hash).returns('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + provider.password_hash=('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + end + it 'changes the hash mysql 5.6' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.6'][:string]) + provider.expects(:mysql).with([defaults_file, '-e', "SET PASSWORD FOR 'joe'@'localhost' = '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5'"]).returns('0') + + provider.expects(:password_hash).returns('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + provider.password_hash=('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + end + it 'changes the hash mysql < 5.7.6' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.7.1'][:string]) + provider.expects(:mysql).with([defaults_file, '-e', "SET PASSWORD FOR 'joe'@'localhost' = '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5'"]).returns('0') + + provider.expects(:password_hash).returns('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + provider.password_hash=('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + end + it 'changes the hash MySQL >= 5.7.6' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.7.6'][:string]) + provider.expects(:mysql).with([defaults_file, '-e', "ALTER USER 'joe'@'localhost' IDENTIFIED WITH mysql_native_password AS '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5'"]).returns('0') + + provider.expects(:password_hash).returns('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + provider.password_hash=('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + 
end + it 'changes the hash mariadb-10.0' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mariadb-10.0'][:string]) + provider.expects(:mysql).with([defaults_file, '-e', "SET PASSWORD FOR 'joe'@'localhost' = '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5'"]).returns('0') + + provider.expects(:password_hash).returns('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + provider.password_hash=('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') + end + it 'changes the hash percona-5.5' do + provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['percona-5.5'][:string]) provider.expects(:mysql).with([defaults_file, '-e', "SET PASSWORD FOR 'joe'@'localhost' = '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5'"]).returns('0') provider.expects(:password_hash).returns('*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF5') diff --git a/rabbitmq/Gemfile b/rabbitmq/Gemfile index 2b1b7cd8d..275bb9a35 100644 --- a/rabbitmq/Gemfile +++ b/rabbitmq/Gemfile @@ -27,7 +27,8 @@ group :system_tests do else gem 'beaker-rspec', :require => false end - gem 'serverspec', :require => false + gem 'serverspec', :require => false + gem 'beaker-puppet_install_helper', :require => false end diff --git a/rabbitmq/lib/puppet/provider/rabbitmq_exchange/rabbitmqadmin.rb b/rabbitmq/lib/puppet/provider/rabbitmq_exchange/rabbitmqadmin.rb index 583b7bc60..663b2f0c7 100644 --- a/rabbitmq/lib/puppet/provider/rabbitmq_exchange/rabbitmqadmin.rb +++ b/rabbitmq/lib/puppet/provider/rabbitmq_exchange/rabbitmqadmin.rb @@ -38,6 +38,7 @@ def self.all_exchanges(vhost) self.run_with_retries { rabbitmqctl('-q', 'list_exchanges', '-p', vhost, 'name', 'type', 'internal', 'durable', 'auto_delete', 'arguments') }.split(/\n/).each do |exchange| + next if exchange =~ /^federation:/ exchanges.push(exchange) end exchanges diff --git a/rabbitmq/lib/puppet/type/rabbitmq_policy.rb b/rabbitmq/lib/puppet/type/rabbitmq_policy.rb index 8b796d21c..4427934ae 100644 
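Review bot: The `password_hash=` examples in `mysql_spec.rb` exercise only the accepting paths; nothing covers the new `raise ArgumentError, "Only mysql_native_password (*ABCD...XXX) hashes are supported"` branch for MySQL >= 5.7.6. Add an example that sets the 5.7.6 version string and asserts `expect { provider.password_hash = 'not-a-native-hash' }.to raise_error(ArgumentError)`, so the input check cannot regress silently. The fixture keyed `'mysql-5.7.6'` actually carries version `5.7.8`, so these examples never run against the boundary version itself; renaming the key or adding a real 5.7.6 entry would make that explicit.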
--- a/rabbitmq/lib/puppet/type/rabbitmq_policy.rb +++ b/rabbitmq/lib/puppet/type/rabbitmq_policy.rb @@ -72,7 +72,7 @@ def validate_definition(definition) end definition.each do |k,v| unless [String].include?(v.class) - raise ArgumentError, "Invalid definition" + raise ArgumentError, "Invalid definition, value #{v} is not a string" end end if definition['ha-mode'] == 'exactly' diff --git a/rabbitmq/manifests/init.pp b/rabbitmq/manifests/init.pp index 2bde1ec98..4bca59666 100644 --- a/rabbitmq/manifests/init.pp +++ b/rabbitmq/manifests/init.pp @@ -190,16 +190,19 @@ if $manage_repos != false { case $::osfamily { - 'RedHat', 'SUSE': - { include '::rabbitmq::repo::rhel' } + 'RedHat', 'SUSE': { + include '::rabbitmq::repo::rhel' + } 'Debian': { class { '::rabbitmq::repo::apt' : key_source => $package_gpg_key, key_content => $key_content, } + $package_require = Class['apt::update'] + } + default: { + $package_require = undef } - default: - { } } } diff --git a/rabbitmq/manifests/install.pp b/rabbitmq/manifests/install.pp index f2df83aa0..476c4e1bf 100644 --- a/rabbitmq/manifests/install.pp +++ b/rabbitmq/manifests/install.pp @@ -5,6 +5,7 @@ $package_ensure = $rabbitmq::package_ensure $package_name = $rabbitmq::package_name $package_provider = $rabbitmq::package_provider + $package_require = $rabbitmq::package_require $package_source = $rabbitmq::real_package_source package { 'rabbitmq-server': @@ -12,6 +13,7 @@ name => $package_name, provider => $package_provider, notify => Class['rabbitmq::service'], + require => $package_require, } if $package_source { diff --git a/rabbitmq/manifests/repo/apt.pp b/rabbitmq/manifests/repo/apt.pp index 0902e2c28..e9553fba3 100644 --- a/rabbitmq/manifests/repo/apt.pp +++ b/rabbitmq/manifests/repo/apt.pp @@ -32,10 +32,11 @@ } if $pin != '' { - validate_re($pin, '\d\d\d') + validate_re($pin, '\d{1,4}') apt::pin { 'rabbitmq': - packages => 'rabbitmq-server', + packages => '*', priority => $pin, + origin => 'www.rabbitmq.com', } } } 
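Review bot: In `rabbitmq/manifests/init.pp`, `$package_require` is assigned only in the `'Debian'` and `default` branches. It stays unset in the `'RedHat', 'SUSE'` branch and whenever `$manage_repos` is false, yet `install.pp` now always reads `$rabbitmq::package_require`. That resolves to undef on a lenient compiler but would be an error with `strict_variables` enabled. Give every path a value: add `$package_require = undef` to the RedHat/SUSE branch and an `else { $package_require = undef }` for the outer `if`.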
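Review bot: In `rabbitmq/manifests/repo/apt.pp`, `validate_re($pin, '\d{1,4}')` is unanchored, so any string that merely contains a digit passes and is handed to `apt::pin` as the priority; `validate_re($pin, '\A\d{1,4}\z')` checks the whole value. The pin also changes from `packages => 'rabbitmq-server'` to `packages => '*'` with `origin => 'www.rabbitmq.com'`, which applies the priority to every package that origin serves, not just the broker. With a priority above the distribution's, any package name published there would be preferred, so the wider scope deserves a comment explaining why it is needed, or it should stay limited to the packages the module installs.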
diff --git a/rabbitmq/spec/classes/rabbitmq_spec.rb b/rabbitmq/spec/classes/rabbitmq_spec.rb index c65b44e8f..d9f7be036 100644 --- a/rabbitmq/spec/classes/rabbitmq_spec.rb +++ b/rabbitmq/spec/classes/rabbitmq_spec.rb @@ -1189,8 +1189,9 @@ ) } it { should contain_apt__pin('rabbitmq').with( - 'packages' => 'rabbitmq-server', - 'priority' => '700' + 'packages' => '*', + 'priority' => '700', + 'origin' => 'www.rabbitmq.com' ) } end diff --git a/rabbitmq/spec/spec_helper_acceptance.rb b/rabbitmq/spec/spec_helper_acceptance.rb index 4c52dee15..91ea40335 100644 --- a/rabbitmq/spec/spec_helper_acceptance.rb +++ b/rabbitmq/spec/spec_helper_acceptance.rb @@ -1,17 +1,9 @@ require 'beaker-rspec' +require 'beaker/puppet_install_helper' -UNSUPPORTED_PLATFORMS = [] +run_puppet_install_helper -unless ENV['RS_PROVISION'] == 'no' or ENV['BEAKER_provision'] == 'no' - if hosts.first.is_pe? - install_pe - else - install_puppet - end - hosts.each do |host| - on hosts, "mkdir -p #{host['distmoduledir']}" - end -end +UNSUPPORTED_PLATFORMS = [] RSpec.configure do |c| # Project root