(SIMP-4477) Add fully qualified paths to startup scripts (#52)

- Fixed bug in which the stunnel systemd pre-exec script failed to execute completely, because one command did not have a fully qualified path. - Reworked stunnel systemd pre-exec scripts to only emit error messages when errors have occurred. - Tweaked workaround for munged /etc/resolv.conf problem in acceptance test. SIMP-4477 #close
simp · Mar 9, 2018 · f99153d · f99153d
1 parent aa7aaa6
commit f99153d
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 14 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -30,7 +30,7 @@ jobs:
     - env: STRICT_VARIABLES=yes TRUSTED_NODE_DATA=yes PUPPET_VERSION="~> 5.0"
 
   include:
-    - stage: spec
+    - stage: check
       rvm: 2.4.1
       env: STRICT_VARIABLES=yes TRUSTED_NODE_DATA=yes PUPPET_VERSION="~> 5"
       script:

diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,10 @@
+* Tue Mar 06 2018 Liz Nemsick <[email protected]> - 6.3.0
+- Fixed bug in which the stunnel systemd pre-exec script failed to
+  execute completely, because one command did not have a fully
+  qualified path.
+- Reworked stunnel systemd pre-exec scripts to only emit error
+  messages when errors have occurred.
+
 * Wed Dec 13 2017 Trevor Vaughan <[email protected]> - 6.3.0
 - Isolated the 'instance' logic away from the 'connection' logic
 - Added a private 'monolithic' class that arranges everything properly for the

diff --git a/spec/acceptance/suites/default/00_instances_spec.rb b/spec/acceptance/suites/default/00_instances_spec.rb
@@ -139,11 +139,6 @@
         ].each do |service|
           on(host, "puppet resource service #{service} ensure=stopped enable=false")
         end
-
-        # There was an issue where the domain fact would cease to exist, causing failures
-        on(host, 'service network restart')
-        # Get rid of stunnels
-        # on(host, "ps aux | grep -ie stunnel | grep -v 'grep' | awk '{print $2}' | xargs --no-run-if-empty kill -9")
       end
     end
   end

diff --git a/spec/acceptance/suites/default/01_connection_spec.rb b/spec/acceptance/suites/default/01_connection_spec.rb
@@ -51,7 +51,7 @@
             reset = yes
           EOF
         }
-        it 'should set up a stunnel process, ripe for killing' do
+        it 'should kill running stunnel process started with old SysV-type init script' do
           create_remote_file(host, '/etc/stunnel/stunnel.conf', minion_stunnel_conf)
           scp_to(host,'spec/expected/legacy_el7_init.txt','/etc/rc.d/init.d/stunnel_legacy')
           on(host, 'mkdir -p /var/run/stunnel')
@@ -61,9 +61,13 @@
           on(host, 'chmod -R go+r /etc/pki/simp-testing/pki')
           on(host, 'chcon -R --type cert_t /etc/pki/simp-testing/pki')
           on(host, '/etc/rc.d/init.d/stunnel_legacy start')
+          pid = on(host, 'cat /var/run/stunnel/stunnel.pid').stdout.strip
+          on(host, "ps -f --pid #{pid}")
 
           apply_manifest_on(host,base_manifest, catch_failures: true)
           apply_manifest_on(host,base_manifest, catch_changes: true)
+          on(host, "ps -f --pid #{pid}", :acceptable_exit_codes => [1])
+          on(host, 'ls /var/run/stunnel/stunnel.pid', :acceptable_exit_codes => [2])
         end
       end
     end
@@ -139,8 +143,20 @@ class { 'selinux': ensure => 'disabled' }
 
       context 'after reboot' do
         it 'should reboot and have selinux disabled' do
+          # There is an issue in which the domain fact ceases to exist after
+          # reboot, because NetworkManager generates an empty /etc/resolv.conf.
+          # To work around this problem, backup /etc/resolv.conf and restore
+          # as needed.
+          on(host,'cp /etc/resolv.conf /etc/resolv.conf.bak')
           host.reboot
 
+          if fact_on(host, 'domain').strip.empty?
+            on(host, 'cp /etc/resolv.conf.bak /etc/resolv.conf')
+            if fact_on(host, 'domain').strip.empty?
+              fail('Cannot determine domain even after restore of /etc/resolv.conf')
+            end
+          end
+
           result = on(host, 'getenforce')
           expect(result.stdout).to include('Disabled')
 
@@ -212,10 +228,16 @@ class { 'selinux': ensure => 'enforcing' }
           on(host, "puppet resource service stunnel ensure=stopped enable=false")
           host.reboot
 
+          if fact_on(host, 'domain').strip.empty?
+            # Restore working resolv.conf, as it has been munged by NetworkManager
+            on(host, 'cp /etc/resolv.conf.bak /etc/resolv.conf')
+            if fact_on(host, 'domain').strip.empty?
+              fail('Cannot determine domain even after restore of /etc/resolv.conf')
+            end
+          end
+
           result = on(host, 'getenforce')
           expect(result.stdout).to include('Enforcing')
-          on(host, "echo domain #{domain} >> /etc/resolv.conf")
-          on(host, "echo search #{domain} >> /etc/resolv.conf")
 
           apply_manifest_on(host,base_manifest, catch_failures: true)
         end

diff --git a/spec/expected/connection/chroot-systemd-pid.txt b/spec/expected/connection/chroot-systemd-pid.txt
@@ -7,7 +7,8 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-ExecStartPre=-/usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F /var/stunnel/var/opt/run/stunnel.pid ; rm /var/stunnel/var/opt/run/stunnel.pid
+ExecStartPre=/bin/bash -c 'if test -f /var/stunnel/var/opt/run/stunnel.pid; then /usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F /var/stunnel/var/opt/run/stunnel.pid; fi'
+ExecStartPre=/usr/bin/rm -f /var/stunnel/var/opt/run/stunnel.pid
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
 KillMode=process
 LimitNOFILE=1048576

diff --git a/spec/expected/connection/chroot-systemd.txt b/spec/expected/connection/chroot-systemd.txt
@@ -7,7 +7,8 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-ExecStartPre=-/usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F /var/stunnel/var/run/stunnel/stunnel.pid ; rm /var/stunnel/var/run/stunnel/stunnel.pid
+ExecStartPre=/bin/bash -c 'if test -f /var/stunnel/var/run/stunnel/stunnel.pid; then /usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F /var/stunnel/var/run/stunnel/stunnel.pid; fi'
+ExecStartPre=/usr/bin/rm -f /var/stunnel/var/run/stunnel/stunnel.pid
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
 KillMode=process
 LimitNOFILE=1048576

diff --git a/spec/expected/connection/nonchroot-systemd.txt b/spec/expected/connection/nonchroot-systemd.txt
@@ -7,7 +7,8 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-ExecStartPre=-/usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F /var/run/stunnel/stunnel.pid ; rm /var/run/stunnel/stunnel.pid
+ExecStartPre=/bin/bash -c 'if test -f /var/run/stunnel/stunnel.pid; then /usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F /var/run/stunnel/stunnel.pid; fi'
+ExecStartPre=/usr/bin/rm -f /var/run/stunnel/stunnel.pid
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
 KillMode=process
 LimitNOFILE=1048576

diff --git a/templates/connection_systemd.erb b/templates/connection_systemd.erb
@@ -8,9 +8,11 @@ Wants=network-online.target
 [Service]
 Type=simple
 <% if @_chroot -%>
-ExecStartPre=-/usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F <%= @_chroot %><%= @_legacy_pid %> ; rm <%= @_chroot %><%= @_legacy_pid %>
+ExecStartPre=/bin/bash -c 'if test -f <%= @_chroot %><%= @_legacy_pid %>; then /usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F <%= @_chroot %><%= @_legacy_pid %>; fi'
+ExecStartPre=/usr/bin/rm -f <%= @_chroot %><%= @_legacy_pid %>
 <% else -%>
-ExecStartPre=-/usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F <%= @_legacy_pid %> ; rm <%= @_chroot %><%= @_legacy_pid %>
+ExecStartPre=/bin/bash -c 'if test -f <%= @_legacy_pid %>; then /usr/bin/pkill -f "stunnel /etc/stunnel/stunnel.conf" -F <%= @_legacy_pid %>; fi'
+ExecStartPre=/usr/bin/rm -f <%= @_legacy_pid %>
 <% end -%>
 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
 KillMode=process