diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5849732..9e46acc 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,8 +1,20 @@ +# The testing matrix considers ruby/puppet versions supported by SIMP and PE: +# +# https://puppet.com/docs/pe/2017.3/overview/component_versions_in_recent_pe_releases.html +# https://puppet.com/misc/puppet-enterprise-lifecycle +# https://puppet.com/docs/pe/2017.3/overview/getting_support_for_pe.html#standard-releases-and-long-term-support-releases +# ------------------------------------------------------------------------------ +# release pup ruby eol +# PE 2016.4 4.7 2.1.9 2018-10 (LTS) +# SIMP6.0.0 4.8 2.1.9 TBD +# PE 2017.2 4.10 2.1.9 2018-02-21 +# PE 2017.3 5.3 2.4.1 2018-07 +# PE 2018.1 ??? ????? ????-?? (LTS) --- .cache_bundler: &cache_bundler cache: untracked: true - # An attempt at caching between runs (ala Travis CI) + # A broad attempt at caching between runs (ala Travis CI) key: "${CI_PROJECT_NAMESPACE}__bundler" paths: - '.vendor' 
@@ -10,93 +22,188 @@ .setup_bundler_env: &setup_bundler_env before_script: - - '(find .vendor | wc -l) || :' - - bundle || gem install bundler --no-rdoc --no-ri - - rm -rf Gemfile.lock pkg/ - - bundle install --no-binstubs --jobs $(nproc) --path .vendor "${FLAGS[@]}" + - 'echo Files in cache: $(find .vendor | wc -l) || :' + - 'export GEM_HOME=.vendor/gem_install' + - 'export BUNDLE_CACHE_PATH=.vendor/bundler' + - 'declare GEM_BUNDLER_VER=(-v ''~> ${BUNDLER_VERSION:-1.16.0}'')' + - declare GEM_INSTALL=(gem install --no-document) + - declare BUNDLER_INSTALL=(bundle install --no-binstubs --jobs $(nproc) --path=.vendor "${FLAGS[@]}") + - gem list -ie "${GEM_BUNDLE_VER[@]}" --silent bundler || "${GEM_INSTALL[@]}" --local "${GEM_BUNDLE_VER[@]}" bundler || "${GEM_INSTALL[@]}" "${GEM_BUNDLE_VER[@]}" bundler + - 'rm -rf pkg/ || :' + - bundle check || rm -f Gemfile.lock && ("${BUNDLER_INSTALL[@]}" --local || "${BUNDLER_INSTALL[@]}") -.static_tests: &static_tests + +.validation_checks: &validation_checks script: - bundle exec rake syntax - - bundle exec rake lint - bundle exec rake check:dot_underscore - bundle exec rake check:test_file - bundle exec rake pkg:check_version - bundle exec rake pkg:compare_latest_tag - - bundle exec rake spec + - bundle exec rake lint + - bundle exec rake clean - bundle exec puppet module build +.spec_tests: &spec_tests + script: + - bundle exec rake spec + stages: + - validation - unit - acceptance - deploy -# Puppet 4 -puppet-gemfile: +# Puppet 4.7 for PE 2016.4 LTS Support (EOL: 2018-10-21) +# See: https://puppet.com/misc/puppet-enterprise-lifecycle +# -------------------------------------- +pup4_7-validation: + stage: validation + tags: + - docker + image: ruby:2.1 + variables: + PUPPET_VERSION: '~> 4.7.0' + <<: *cache_bundler + <<: *setup_bundler_env + <<: *validation_checks + +pup4_7-unit: + stage: unit + tags: + - docker + image: ruby:2.1 + variables: + PUPPET_VERSION: '~> 4.7.0' + <<: *cache_bundler + <<: *setup_bundler_env + <<: 
*spec_tests + + +# Puppet 4.8 for SIMP 6.0 + 6.1 support +# -------------------------------------- +pup4_8-validation: + stage: validation + tags: + - docker + image: ruby:2.1 + variables: + PUPPET_VERSION: '~> 4.8.0' + <<: *cache_bundler + <<: *setup_bundler_env + <<: *validation_checks + +pup4_8-unit: stage: unit tags: - docker - image: ruby:2.1.9 + image: ruby:2.1 + variables: + PUPPET_VERSION: '~> 4.8.0' <<: *cache_bundler <<: *setup_bundler_env - <<: *static_tests + <<: *spec_tests + -# For PE LTS Support +# Puppet 4.10 for PE 2017.2 support (EOL:2018-02-21) # See: https://puppet.com/misc/puppet-enterprise-lifecycle -puppet-4.7: +# -------------------------------------- +pup4_10-validation: + stage: validation + tags: + - docker + image: ruby:2.1 + variables: + PUPPET_VERSION: '~> 4.10.0' + <<: *cache_bundler + <<: *setup_bundler_env + <<: *validation_checks + +pup4_10-unit: stage: unit tags: - docker - image: ruby:2.1.9 + image: ruby:2.1 variables: - PUPPET_VERSION: '4.7' + PUPPET_VERSION: '~> 4.10.0' <<: *cache_bundler <<: *setup_bundler_env - <<: *static_tests + <<: *spec_tests -puppet-5: + +# Puppet 5.3 for PE 2017.3 support (EOL: 2018-07) +# See: https://puppet.com/misc/puppet-enterprise-lifecycle +# -------------------------------------- +pup5_3-validation: + stage: validation + tags: + - docker + image: ruby:2.4 + variables: + PUPPET_VERSION: '~> 5.3.0' + <<: *cache_bundler + <<: *setup_bundler_env + <<: *validation_checks + +pup5_3-unit: stage: unit tags: - docker image: ruby:2.4 variables: - PUPPET_VERSION: '5.0' + PUPPET_VERSION: '~> 5.3.0' <<: *cache_bundler <<: *setup_bundler_env - <<: *static_tests + <<: *spec_tests allow_failure: true -default: - stage: acceptance + +# Keep an eye on the latest puppet 5 +# ---------------------------------- +pup5_latest-validation: + stage: validation tags: - - beaker + - docker + image: ruby:2.4 + variables: + PUPPET_VERSION: '~> 5.0' <<: *cache_bundler <<: *setup_bundler_env + <<: *validation_checks + 
allow_failure: true + +pup5_latest-unit: + stage: unit + tags: + - docker + image: ruby:2.4 variables: - PUPPET_VERSION: '4.10' - script: - - bundle exec rake beaker:suites[default] + PUPPET_VERSION: '~> 5.0' + <<: *cache_bundler + <<: *setup_bundler_env + <<: *spec_tests + allow_failure: true -default-fips: + +default: stage: acceptance tags: - beaker <<: *cache_bundler <<: *setup_bundler_env variables: - BEAKER_fips: 'yes' PUPPET_VERSION: '4.10' script: - bundle exec rake beaker:suites[default] -default-latest: +default-fips: stage: acceptance tags: - beaker <<: *cache_bundler <<: *setup_bundler_env variables: - PUPPET_VERSION: '5.0.0' + BEAKER_fips: 'yes' + PUPPET_VERSION: '4.10' script: - bundle exec rake beaker:suites[default] - allow_failure: true diff --git a/.travis.yml b/.travis.yml index e40063c..05da391 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,3 @@ -# The testing matrix considers ruby/puppet versions supported by SIMP and PE: # ------------------------------------------------------------------------------ # release pup ruby eol # PE 2016.4 4.7 2.1.9 TBD (LTS) @@ -13,6 +12,7 @@ sudo: false bundler_args: --without development system_tests --path .vendor + notifications: email: false @@ -26,7 +26,6 @@ before_install: jobs: allow_failures: - # https://tickets.puppetlabs.com/browse/PUP-8418 - env: STRICT_VARIABLES=yes TRUSTED_NODE_DATA=yes PUPPET_VERSION="~> 5.0" include: @@ -67,7 +66,7 @@ jobs: script: - bundle exec rake spec - # This needs to be last since we have an acceptance test + - stage: deploy rvm: 2.4.1 script: diff --git a/CHANGELOG b/CHANGELOG index e509b12..b7a9984 100644 --- a/CHANGELOG +++ b/CHANGELOG 
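Review bot: The bundler pin in `.setup_bundler_env` never takes effect: the array is declared as `GEM_BUNDLER_VER`, but every expansion on the `gem list`/`gem install` line reads `"${GEM_BUNDLE_VER[@]}"`, which is unset and expands to nothing, so any installed bundler satisfies the check and a fresh install pulls the latest release instead of `~> 1.16.0`. Renaming the declaration to `declare GEM_BUNDLE_VER=(-v ''~> ${BUNDLER_VERSION:-1.16.0}'')` (or the three expansions to match) restores the pin, which is what makes the cached CI runs reproducible. The last step also parses as `(bundle check || rm -f Gemfile.lock) && (...)` under shell precedence, so the install block runs even when `bundle check` succeeds; if that is intended, a short comment saying so would save the next reader the same double-take.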
@@ -1,3 +1,12 @@ +* Tue Apr 03 2018 Nick Miller - 6.3.1 +- Added two new parameters to the stunnel::instance define: + - systemd_wantedby: sent to the WantedBy systemd unit install directive + - systemd_requiredby: sent to the RequiredBy systemd unit install directive + - These should allow ordering during boot. For example, if you have NFS set up + over stunnel, you want stunnel to start before NFS. +- Fixed the systemd startup scripts to properly pre-create the PID directory if + required + * Tue Mar 27 2018 Trevor Vaughan - 6.3.0 - Ensure init.d script is absent if systemd system because puppet was finding it and running it and setting permissions on root to diff --git a/manifests/config.pp b/manifests/config.pp index e1a542b..237f935 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -168,6 +168,7 @@ # $_legacy_pid is used to kill the old stunnel process set up from a previous # version of this module. It should be set to $_pid, unless $_pid is unset. $on_systemd = 'systemd' in $facts['init_systems'] + if $pid =~ Undef { if $on_systemd { $_foreground = true @@ -182,7 +183,7 @@ $_legacy_pid = $pid } - if $_pid { + if $_pid and !$on_systemd { $_stunnel_piddir = File[dirname($_pid)] ensure_resource('file', dirname($_pid), { @@ -212,10 +213,12 @@ } if $_chroot !~ Undef { - # $chroot should never be undef here, or just '/'. if $_chroot in ['/',''] { fail("stunnel: \$chroot should not be root ('/')") } + if $_chroot =~ /^\/var\/run/ { + fail("stunnel: \$chroot cannot be under /var/run") + } # The _chroot directory file { $_chroot: diff --git a/manifests/instance.pp b/manifests/instance.pp index d2c3755..ac6e132 100644 --- a/manifests/instance.pp +++ b/manifests/instance.pp 
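Review bot: The new chroot guard in the `@@ -212,10 +213,12 @@` hunk is a bare prefix match, so `/var/run` is rejected but so is any path that merely starts with those characters, while `/run/...` (the directory `/var/run` is a symlink to on systemd hosts) passes. A bounded pattern such as `if $_chroot =~ /^\/(var\/)?run(\/|$)/ {` expresses the intended rule, and the `fail()` message could then name both paths. The same check is duplicated verbatim in manifests/instance.pp (`@@ -336,6 +344,13 @@`); keep the two in sync or lift it into one shared check so they cannot drift.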
@@ -143,6 +143,10 @@ # # @param pid Leave undef if no PID is desired. Default on systemd systems. # +# @param systemd_wantedby Systemd services or targets that want stunnel +# +# @param systemd_requiredby Systemd services or targets that require stunnel +# # All other configuration options can be found in the stunnel man pages # @see stunnel.conf(5) # @see stunnel.conf(8) @@ -194,11 +198,11 @@ define stunnel::instance( Stunnel::Connect $connect, Variant[Simplib::Port, Simplib::Host::Port] $accept, + Simplib::Netlist $trusted_nets = simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] }), Boolean $firewall = simplib::lookup('simp_options::firewall', { 'default_value' => false }), Boolean $haveged = simplib::lookup('simp_options::haveged', { 'default_value' => true }), Boolean $tcpwrappers = simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }), - Variant[Enum['simp'],Boolean] $pki = simplib::lookup('simp_options::pki', { 'default_value' => false }), Stdlib::Absolutepath $app_pki_dir = "/etc/pki/simp_apps/stunnel_${name}/x509", Stdlib::Absolutepath $app_pki_external_source = simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }), @@ -255,11 +259,15 @@ Optional[Integer] $timeout_close = undef, Optional[Integer] $timeout_connect = undef, Optional[Integer] $timeout_idle = undef, - Integer $verify = 2 + Integer $verify = 2, + Optional[Array[String]] $systemd_wantedby = undef, + Optional[Array[String]] $systemd_requiredby = undef, ){ $_safe_name = regsubst($name, '(/|\s)', '__') $_dport = split(to_string($accept),':')[-1] + $_on_systemd = 'systemd' in $facts['init_systems'] + stunnel::instance::reserve_port { $_dport: } if $haveged { include '::haveged' } @@ -310,7 +318,7 @@ $_chroot = undef } - if !$pid and ( 'systemd' in $facts['init_systems'] ) { + if !$pid and $_on_systemd { $_foreground = true $_pid = $pid } else { 
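Review bot: The `@@ -194,11 +198,11 @@` hunk removes the `Variant[Enum['simp'],Boolean] $pki = simplib::lookup(...)` parameter of `stunnel::instance` while adding `$trusted_nets`, and neither change appears in the CHANGELOG entry, which lists only the two systemd parameters. If `$pki` is not re-declared outside this hunk, dropping it is a breaking interface change for callers and leaves the `$app_pki_*` parameters that follow without the switch that governs them; if it was only moved, the note still applies to `$trusted_nets`, which also needs a `@param trusted_nets` entry in the define's header (the header is outside the visible hunks). The define's parameter list continues outside this hunk.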
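Review bot: `$systemd_wantedby` and `$systemd_requiredby` in the `@@ -255,11 +259,15 @@` hunk are typed `Optional[Array[String]]` and are written verbatim into the `[Install]` section by templates/instance_systemd.erb, so the type admits empty strings and values containing newlines or `=`, which yield a malformed or unexpected unit file instead of a catalog compile error. A tighter type such as `Optional[Array[Pattern[/\A[\w@.:\-]+\z/]]]` (constructed; adjust to the unit-name characters the module wants to allow) rejects those at compile time. The `@param` text added in `@@ -143,6 +143,10 @@` could also state that each entry becomes an additional `WantedBy=`/`RequiredBy=` line alongside the fixed `multi-user.target`.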
@@ -336,6 +344,13 @@ } if $_chroot { + if $_chroot in ['/',''] { + fail("stunnel: \$chroot should not be root ('/')") + } + if $_chroot =~ /^\/var\/run/ { + fail("stunnel: \$chroot cannot be under /var/run") + } + if $_pid { $_stunnel_pid_dirname = dirname("${_chroot}/${_pid}") @@ -348,17 +363,19 @@ before => File[$_chroot] } - ensure_resource('file', $_stunnel_pid_dirname, - { - 'ensure' => 'directory', - 'owner' => $setuid, - 'group' => $setgid, - 'mode' => '0644', - 'seluser' => 'system_u', - 'selrole' => 'object_r', - 'seltype' => $_stunnel_chroot_seltype - } - ) + unless $_on_systemd { + ensure_resource('file', $_stunnel_pid_dirname, + { + 'ensure' => 'directory', + 'owner' => $setuid, + 'group' => $setgid, + 'mode' => '0644', + 'seluser' => 'system_u', + 'selrole' => 'object_r', + 'seltype' => $_stunnel_chroot_seltype + } + ) + } } else { $_stunnel_piddir = undef @@ -447,18 +464,20 @@ if $_pid { $_stunnel_piddir = File[dirname($_pid)] - # The selinux context settings are ignored if SELinux is disabled - ensure_resource('file', dirname($_pid), - { - 'ensure' => 'directory', - 'owner' => $setuid, - 'group' => $setgid, - 'mode' => '0644', - 'seluser' => 'system_u', - 'selrole' => 'object_r', - 'seltype' => 'stunnel_var_run_t', - } - ) + unless $_on_systemd { + # The selinux context settings are ignored if SELinux is disabled + ensure_resource('file', dirname($_pid), + { + 'ensure' => 'directory', + 'owner' => $setuid, + 'group' => $setgid, + 'mode' => '0644', + 'seluser' => 'system_u', + 'selrole' => 'object_r', + 'seltype' => 'stunnel_var_run_t', + } + ) + } } else { $_stunnel_piddir = undef } @@ -485,7 +504,7 @@ } } - if 'systemd' in $facts['init_systems'] { + if $_on_systemd { $_service_file = "/etc/systemd/system/stunnel_managed_by_puppet_${_safe_name}.service" file { $_service_file: ensure => 'present', 
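Review bot: In the `@@ -447,18 +464,20 @@` hunk `$_stunnel_piddir = File[dirname($_pid)]` is still assigned unconditionally, but the `file` resource it points at is now declared only `unless $_on_systemd`, so on a systemd host with a pid set the variable holds a reference to a resource absent from the catalog; if `$_stunnel_piddir` is used in a relationship outside this hunk, compilation fails with a missing-resource error. config.pp guards the assignment and the declaration together (`if $_pid and !$on_systemd`) and this define should match: `if $_pid and !$_on_systemd { $_stunnel_piddir = File[dirname($_pid)] ... } else { $_stunnel_piddir = undef }`. The chroot branch in `@@ -348,17 +363,19 @@` has the same shape if its `if` side assigns `$_stunnel_piddir` from `$_stunnel_pid_dirname` outside the hunk. Note also that the removed `ensure_resource` calls applied `seltype`/`seluser` labels; the `mkdir` that replaces them in the unit file sets no context, so on systemd hosts the pid directory typically takes its parent's label instead of `stunnel_var_run_t`.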
@@ -497,7 +516,6 @@ } elsif 'sysv' in $facts['init_systems'] { $_service_file = "/etc/rc.d/init.d/stunnel_managed_by_puppet_${_safe_name}" - file { $_service_file: ensure => 'present', owner => 'root', diff --git a/metadata.json b/metadata.json index d8c8c40..1c080be 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-stunnel", - "version": "6.3.0", + "version": "6.3.1", "author": "SIMP Team", "summary": "manages stunnel with PKI support", "license": "Apache-2.0", diff --git a/spec/defines/instance_spec.rb b/spec/defines/instance_spec.rb index 73313ec..f1bdadc 100644 --- a/spec/defines/instance_spec.rb +++ b/spec/defines/instance_spec.rb @@ -1,53 +1,5 @@ require 'spec_helper' -$el7_non_chroot = <= 7 let(:service_file) { File.read('spec/expected/instance/nonchroot-systemd.txt') } + let(:stunnel_conf) { File.read('spec/expected/instance/non_chroot_el7_stunnel.conf.txt') } it { is_expected.to contain_file('/etc/stunnel/stunnel_managed_by_puppet_nfs.conf') \ - .with_content($el7_non_chroot) } + .with_content(stunnel_conf) } it { is_expected.to create_file('/etc/systemd/system/stunnel_managed_by_puppet_nfs.service') \ .with_content(service_file)} else let(:service_file) { File.read('spec/expected/instance/nonchroot-init.txt') } + let(:stunnel_conf) { File.read('spec/expected/instance/non_chroot_el6_stunnel.conf.txt') } it { is_expected.to contain_file('/etc/stunnel/stunnel_managed_by_puppet_nfs.conf') \ - .with_content($el6_non_chroot) } + .with_content(stunnel_conf) } it { is_expected.to create_file('/etc/rc.d/init.d/stunnel_managed_by_puppet_nfs') \ .with_content(service_file)} end 
@@ -240,6 +194,22 @@ end end + context 'with systemd dependencies' do + let(:params) {{ + connect: [2049], + accept: 20490, + systemd_wantedby: ['nfs.service'], + systemd_requiredby: ['nfs-server.service'] + }} + + if os_facts[:os][:release][:major].to_i >= 7 + it { is_expected.to create_file('/etc/systemd/system/stunnel_managed_by_puppet_nfs.service') \ + .with_content(/WantedBy=nfs.service/) \ + .with_content(/RequiredBy=nfs-server.service/) + } + end + end + context 'on an unsupported OS' do let(:params) {{ connect: [2049], diff --git a/spec/expected/connection/chroot-systemd-pid.txt b/spec/expected/connection/chroot-systemd-pid.txt index 6e0f4cc..d64a58f 100644 --- a/spec/expected/connection/chroot-systemd-pid.txt +++ b/spec/expected/connection/chroot-systemd-pid.txt @@ -7,10 +7,14 @@ Wants=network-online.target [Service] Type=simple +PIDFile=/var/opt/run/stunnel.pid +ExecStartPre=-/usr/bin/mkdir -p /var/opt/run +ExecStartPre=/usr/bin/chown stunnel:stunnel /var/opt/run ExecStartPre=/bin/bash -c 'if test -f /var/stunnel/var/opt/run/stunnel.pid; then /usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F /var/stunnel/var/opt/run/stunnel.pid; fi' ExecStartPre=/usr/bin/rm -f /var/stunnel/var/opt/run/stunnel.pid ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf KillMode=process +PrivateTmp=yes LimitNOFILE=1048576 LimitNPROC=infinity Restart=on-failure diff --git a/spec/expected/connection/chroot-systemd.txt b/spec/expected/connection/chroot-systemd.txt index ade8b3c..76160c1 100644 --- a/spec/expected/connection/chroot-systemd.txt +++ b/spec/expected/connection/chroot-systemd.txt 
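Review bot: The new `with systemd dependencies` context asserts only the `WantedBy=`/`RequiredBy=` lines; no example in this spec sets `pid` on an EL7 host, so the `PIDFile=`/`mkdir`/`chown` branch added to templates/instance_systemd.erb and the new `unless $_on_systemd` guards in manifests/instance.pp are never exercised for the define (only the connection fixtures contain `PIDFile=`). A context with `pid: '/var/run/stunnel/stunnel_managed_by_puppet_nfs.pid'` (constructed from the EL6 fixture's pid line) that checks the unit file for `PIDFile=` and asserts `is_expected.not_to contain_file('/var/run/stunnel')` would cover that path. The `.with_content(/WantedBy=nfs.service/)` regex also leaves the dot unescaped; `/WantedBy=nfs\.service/` is the precise match.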
@@ -7,10 +7,14 @@ Wants=network-online.target
 
 [Service]
 Type=simple
+PIDFile=/var/run/stunnel/stunnel.pid
+ExecStartPre=-/usr/bin/mkdir -p /var/run/stunnel
+ExecStartPre=/usr/bin/chown stunnel:stunnel /var/run/stunnel
 ExecStartPre=/bin/bash -c 'if test -f /var/stunnel/var/run/stunnel/stunnel.pid; then /usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F /var/stunnel/var/run/stunnel/stunnel.pid; fi'
 ExecStartPre=/usr/bin/rm -f /var/stunnel/var/run/stunnel/stunnel.pid
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
 KillMode=process
+PrivateTmp=yes
 LimitNOFILE=1048576
 LimitNPROC=infinity
 Restart=on-failure
diff --git a/spec/expected/connection/nonchroot-systemd.txt b/spec/expected/connection/nonchroot-systemd.txt
index 9f9ce21..e12a3a9 100644
--- a/spec/expected/connection/nonchroot-systemd.txt
+++ b/spec/expected/connection/nonchroot-systemd.txt
@@ -7,10 +7,14 @@ Wants=network-online.target
 
 [Service]
 Type=simple
+PIDFile=/var/run/stunnel/stunnel.pid
+ExecStartPre=-/usr/bin/mkdir -p /var/run/stunnel
+ExecStartPre=/usr/bin/chown stunnel:stunnel /var/run/stunnel
 ExecStartPre=/bin/bash -c 'if test -f /var/run/stunnel/stunnel.pid; then /usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F /var/run/stunnel/stunnel.pid; fi'
 ExecStartPre=/usr/bin/rm -f /var/run/stunnel/stunnel.pid
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
 KillMode=process
+PrivateTmp=yes
 LimitNOFILE=1048576
 LimitNPROC=infinity
 Restart=on-failure
diff --git a/spec/expected/instance/chroot-sel-systemd.txt b/spec/expected/instance/chroot-sel-systemd.txt
index db8a00d..b9b33c5 100644
--- a/spec/expected/instance/chroot-sel-systemd.txt
+++ b/spec/expected/instance/chroot-sel-systemd.txt
@@ -9,6 +9,7 @@ Wants=network-online.target
 Type=simple
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel_managed_by_puppet_sel.conf
 KillMode=process
+PrivateTmp=yes
 LimitNOFILE=1048576
 LimitNPROC=infinity
 Restart=on-failure
diff --git a/spec/expected/instance/chroot-systemd.txt b/spec/expected/instance/chroot-systemd.txt
index 4fb5c9e..b5b0fdf 100644
--- a/spec/expected/instance/chroot-systemd.txt
+++ b/spec/expected/instance/chroot-systemd.txt
@@ -9,6 +9,7 @@ Wants=network-online.target
 Type=simple
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel_managed_by_puppet_nfs.conf
 KillMode=process
+PrivateTmp=yes
 LimitNOFILE=1048576
 LimitNPROC=infinity
 Restart=on-failure
diff --git a/spec/expected/instance/non_chroot_el6_stunnel.conf.txt b/spec/expected/instance/non_chroot_el6_stunnel.conf.txt
new file mode 100644
index 0000000..05f6012
--- /dev/null
+++ b/spec/expected/instance/non_chroot_el6_stunnel.conf.txt
@@ -0,0 +1,19 @@
+setgid = stunnel
+setuid = stunnel
+debug = err
+syslog = no
+pid = /var/run/stunnel/stunnel_managed_by_puppet_nfs.pid
+engine = auto
+[nfs]
+connect = 2049
+accept = 20490
+client = no
+failover = rr
+key = /etc/pki/simp_apps/stunnel_nfs/x509/private/foo.example.com.pem
+cert = /etc/pki/simp_apps/stunnel_nfs/x509/public/foo.example.com.pub
+CAfile = /etc/pki/simp_apps/stunnel_nfs/x509/cacerts/cacerts.pem
+CRLpath = /etc/pki/simp_apps/stunnel_nfs/x509/crl
+ciphers = HIGH:-SSLv2
+verify = 2
+delay = no
+retry = no
diff --git a/spec/expected/instance/non_chroot_el7_stunnel.conf.txt b/spec/expected/instance/non_chroot_el7_stunnel.conf.txt
new file mode 100644
index 0000000..f8128fe
--- /dev/null
+++ b/spec/expected/instance/non_chroot_el7_stunnel.conf.txt
@@ -0,0 +1,23 @@
+setgid = stunnel
+setuid = stunnel
+debug = err
+syslog = no
+foreground = yes
+pid = 
+engine = auto
+fips = yes
+[nfs]
+connect = 2049
+accept = 20490
+client = no
+failover = rr
+key = /etc/pki/simp_apps/stunnel_nfs/x509/private/foo.example.com.pem
+cert = /etc/pki/simp_apps/stunnel_nfs/x509/public/foo.example.com.pub
+CAfile = /etc/pki/simp_apps/stunnel_nfs/x509/cacerts/cacerts.pem
+CRLpath = /etc/pki/simp_apps/stunnel_nfs/x509/crl
+ciphers = HIGH:-SSLv2
+verify = 2
+delay = no
+retry = no
+renegotiation = yes
+reset = yes
diff --git a/spec/expected/instance/nonchroot-systemd.txt b/spec/expected/instance/nonchroot-systemd.txt
index 4fb5c9e..b5b0fdf 100644
--- a/spec/expected/instance/nonchroot-systemd.txt
+++ b/spec/expected/instance/nonchroot-systemd.txt
@@ -9,6 +9,7 @@ Wants=network-online.target
 Type=simple
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel_managed_by_puppet_nfs.conf
 KillMode=process
+PrivateTmp=yes
 LimitNOFILE=1048576
 LimitNPROC=infinity
 Restart=on-failure
diff --git a/templates/connection_systemd.erb b/templates/connection_systemd.erb
index 9aebe97..409571b 100644
--- a/templates/connection_systemd.erb
+++ b/templates/connection_systemd.erb
@@ -7,6 +7,11 @@ Wants=network-online.target
 
 [Service]
 Type=simple
+<% if @_pid -%>
+PIDFile=<%= @_pid %>
+ExecStartPre=-/usr/bin/mkdir -p <%= File.dirname(@_pid) %>
+ExecStartPre=/usr/bin/chown <%= @setuid %>:<%= @setgid %> <%= File.dirname(@_pid) %>
+<% end -%>
 <% if @_chroot -%>
 ExecStartPre=/bin/bash -c 'if test -f <%= @_chroot %><%= @_legacy_pid %>; then /usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F <%= @_chroot %><%= @_legacy_pid %>; fi'
 ExecStartPre=/usr/bin/rm -f <%= @_chroot %><%= @_legacy_pid %>
@@ -16,6 +21,7 @@ ExecStartPre=/usr/bin/rm -f <%= @_legacy_pid %>
 <% end -%>
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
 KillMode=process
+PrivateTmp=yes
 LimitNOFILE=1048576
 LimitNPROC=infinity
 Restart=on-failure
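Review bot: The new `ExecStartPre=/usr/bin/chown <%= @setuid %>:<%= @setgid %> <%= File.dirname(@_pid) %>` runs as root and hands the entire parent directory of the pid file to the service account without checking what that directory is: for a pid such as `/var/run/stunnel.pid` (a constructed example; `@_pid` is whatever the caller supplied) `File.dirname` yields `/var/run`, which is `/run` on systemd hosts, and the unit would chown a shared system directory. The manifests now reject `/var/run` as a chroot but apply no equivalent rule to `dirname($_pid)`, so that guard belongs in manifests/config.pp before this template is rendered. The chroot case is also inconsistent: the new fixture spec/expected/connection/chroot-systemd.txt gets `PIDFile=/var/run/stunnel/stunnel.pid` and creates that directory outside the jail, while the existing `pkill ... -F /var/stunnel/var/run/stunnel/stunnel.pid` line assumes stunnel writes the pid inside the chroot, so when `@_chroot` is set the `PIDFile=` and mkdir/chown targets should be prefixed with `<%= @_chroot %>` like the legacy-pid lines. The same three lines are added to templates/instance_systemd.erb in the next hunk.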
diff --git a/templates/instance_systemd.erb b/templates/instance_systemd.erb
index a6d613b..ebdc440 100644
--- a/templates/instance_systemd.erb
+++ b/templates/instance_systemd.erb
@@ -7,11 +7,27 @@ Wants=network-online.target
 
 [Service]
 Type=simple
+<% if @_pid -%>
+PIDFile=<%= @_pid %>
+ExecStartPre=-/usr/bin/mkdir -p <%= File.dirname(@_pid) %>
+ExecStartPre=/usr/bin/chown <%= @setuid %>:<%= @setgid %> <%= File.dirname(@_pid) %>
+<% end -%>
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel_managed_by_puppet_<%= @_safe_name %>.conf
 KillMode=process
+PrivateTmp=yes
 LimitNOFILE=1048576
 LimitNPROC=infinity
 Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target
+<% if @systemd_wantedby -%>
+<% @systemd_wantedby.each do |wanted| -%>
+WantedBy=<%= wanted %>
+<% end -%>
+<% end -%>
+<% if @systemd_requiredby -%>
+<% @systemd_requiredby.each do |required| -%>
+RequiredBy=<%= required %>
+<% end -%>
+<% end -%>