From 83a1f108c2b7df3e8c3bc5c7918e2a8612e83d0b Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 7 Sep 2019 19:15:46 +0200
Subject: [PATCH] Try to retire the site module: move sysctl to base
---
 modules/base/manifests/procps.pp | 7 +++++++
 modules/{site => base}/manifests/sysctl.pp | 5 +++--
 modules/debian_org/manifests/init.pp | 8 ++++----
 modules/debian_org/manifests/radvd.pp | 4 ++--
 modules/huge_mem/manifests/init.pp | 4 ++--
 modules/site/manifests/init.pp | 6 ------
 6 files changed, 18 insertions(+), 16 deletions(-)
 create mode 100644 modules/base/manifests/procps.pp
 rename modules/{site => base}/manifests/sysctl.pp (83%)
diff --git a/modules/base/manifests/procps.pp b/modules/base/manifests/procps.pp
new file mode 100644
index 000000000..748c76d33
--- /dev/null
+++ b/modules/base/manifests/procps.pp
@@ -0,0 +1,7 @@
+# This class defines the procps service which is notified by base::sysctl
+class base::procps {
+ service { 'procps':
+ hasstatus => false,
+ status => '/bin/true',
+ }
+}
diff --git a/modules/site/manifests/sysctl.pp b/modules/base/manifests/sysctl.pp
similarity index 83%
rename from modules/site/manifests/sysctl.pp
rename to modules/base/manifests/sysctl.pp
index b9e343479..3cee048a1 100644
--- a/modules/site/manifests/sysctl.pp
+++ b/modules/base/manifests/sysctl.pp
@@ -1,5 +1,6 @@
-define site::sysctl ($key='', $value='', $target='Linux', $ensure = present) {
- include site
+define base::sysctl ($key='', $value='', $target='Linux', $ensure = present) {
+ include base::procps
+
 case $ensure {
 present: { if ($key == "" or $value == "") { fail ( "Need to provide key and value" )} }
 absent: {}
diff --git a/modules/debian_org/manifests/init.pp b/modules/debian_org/manifests/init.pp
index 6e0ea3193..02c8c7ace 100644
--- a/modules/debian_org/manifests/init.pp
+++ b/modules/debian_org/manifests/init.pp
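Review bot: The `status => '/bin/true'` stub on the `procps` service in the new procps.pp means Puppet will always observe the service as running, so the resource never starts or repairs anything on its own and only acts when it is refreshed; the one-line header comment should state that, because a reader will otherwise assume normal `ensure => running` semantics. I would replace the comment with `# procps is a one-shot service that reloads the sysctl settings; the stub status makes Puppet treat it as always running, so it only does work when base::sysctl notifies it.`. With `status` given explicitly, `hasstatus => false` appears to be redundant, since the custom command is what Puppet uses; confirm against the Puppet version in use before dropping it. Note also that a failing reload (for example from a malformed key in a sysctl file) will surface only as a refresh error in the run, never as state drift, so the run reports are the only place it becomes visible.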
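Review bot: The `present` branch at the end of the sysctl.pp hunk still only rejects an empty `$key` or `$value`; since the rest of the define (outside this hunk) presumably writes both into a sysctl configuration file, a key containing whitespace, `=` or a newline would yield a malformed file or an extra, unintended setting rather than a catalog failure. I would tighten the check right after the existing emptiness test with `if ($key !~ /^[A-Za-z0-9_.\-]+$/) { fail("Invalid sysctl key: ${key}") }`, which covers every dotted key used elsewhere in this patch. The new `include base::procps` is what makes the notify target resolvable, but the notify itself is not visible here; base::sysctl's body continues outside the hunk.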
@@ -240,14 +240,14 @@ class debian_org { # set mmap_min_addr to 4096 to mitigate # Linux NULL-pointer dereference exploits - site::sysctl { 'mmap_min_addr': + base::sysctl { 'mmap_min_addr': ensure => absent } - site::sysctl { 'perf_event_paranoid': + base::sysctl { 'perf_event_paranoid': key => 'kernel.perf_event_paranoid', value => '2', } - site::sysctl { 'puppet-vfs_cache_pressure': + base::sysctl { 'puppet-vfs_cache_pressure': key => 'vm.vfs_cache_pressure', value => '10', } @@ -338,7 +338,7 @@ class debian_org { # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html - site::sysctl { 'unprivileged_bpf_disabled': + base::sysctl { 'unprivileged_bpf_disabled': key => 'kernel.unprivileged_bpf_disabled', value => '1', } diff --git a/modules/debian_org/manifests/radvd.pp b/modules/debian_org/manifests/radvd.pp index 29be0ed86..d783b705c 100644 --- a/modules/debian_org/manifests/radvd.pp +++ b/modules/debian_org/manifests/radvd.pp @@ -1,9 +1,9 @@ class debian_org::radvd { - site::sysctl { 'dsa-accept-ra-default': + base::sysctl { 'dsa-accept-ra-default': key => 'net.ipv6.conf.default.accept_ra', value => 0, } - site::sysctl { 'dsa-accept-ra-all': + base::sysctl { 'dsa-accept-ra-all': key => 'net.ipv6.conf.all.accept_ra', value => 0, } diff --git a/modules/huge_mem/manifests/init.pp b/modules/huge_mem/manifests/init.pp index 2cbfc1852..938303492 100644 --- a/modules/huge_mem/manifests/init.pp +++ b/modules/huge_mem/manifests/init.pp @@ -3,11 +3,11 @@ class huge_mem { # so filtering needs to happen here. if $::hostname in [grnet-node01,grnet-node02] { - site::sysctl { 'puppet-vm_dirty_bytes': + base::sysctl { 'puppet-vm_dirty_bytes': key => 'vm.dirty_bytes', value => '1073741824', } - site::sysctl { 'puppet-vm_dirty_background_bytes': + base::sysctl { 'puppet-vm_dirty_background_bytes': key => 'vm.dirty_background_bytes', value => '268435456', } 
diff --git a/modules/site/manifests/init.pp b/modules/site/manifests/init.pp
index 2f9dc6941..dc9b9479b 100644
--- a/modules/site/manifests/init.pp
+++ b/modules/site/manifests/init.pp
@@ -4,10 +4,4 @@ class site {
 $nodeinfo = nodeinfo($::fqdn)
 $allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose')
 $roles = hiera('roles')
-
- service { 'procps':
- hasstatus => false,
- status => '/bin/true',
- }
-
 }
--
2.20.1