From 43e1002bccd26131c9036cb3f15253bbbc695514 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Rzepecki?=
Date: Mon, 21 Dec 2015 16:04:07 +0100
Subject: [PATCH 1/4] Add systemd support [delivers #110502712]
---
 files/default/systemd/logshipper.service | 13 +++++++++++++
 libraries/conjur_helper_methods.rb | 2 ++
 recipes/_install_logshipper_systemd.rb | 13 +++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 files/default/systemd/logshipper.service
 create mode 100644 recipes/_install_logshipper_systemd.rb
diff --git a/files/default/systemd/logshipper.service b/files/default/systemd/logshipper.service
new file mode 100644
index 0000000..ea18d1f
--- /dev/null
+++ b/files/default/systemd/logshipper.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Conjur log shipping service
+Documentation=https://developer.conjur.net
+RequiresOverridable=rsyslog.service
+
+[Service]
+ExecStart=/usr/sbin/logshipper -n /var/run/logshipper
+Restart=always
+User=logshipper
+Group=conjur
+
+[Install]
+WantedBy=rsyslog.target
diff --git a/libraries/conjur_helper_methods.rb b/libraries/conjur_helper_methods.rb
index 503e3d5..0b5090d 100644
--- a/libraries/conjur_helper_methods.rb
+++ b/libraries/conjur_helper_methods.rb
@@ -9,6 +9,8 @@ module ConjurDetect
 def self.detect_init
 if test 'x', '/sbin/runit'
 'runit'
+ elsif test 'x', '/usr/bin/systemctl'
+ 'systemd'
 else
 'upstart'
 end
diff --git a/recipes/_install_logshipper_systemd.rb b/recipes/_install_logshipper_systemd.rb
new file mode 100644
index 0000000..428f945
--- /dev/null
+++ b/recipes/_install_logshipper_systemd.rb
@@ -0,0 +1,13 @@
+cookbook_file '/etc/systemd/system/logshipper.service' do
+ source 'systemd/logshipper.service'
+ owner 'root'
+ group 'root'
+ mode '0755'
+end
+
+bash 'enable and run logshipper' do
+ code """
+ systemctl enable logshipper
+ systemctl start logshipper
+ """
+end
From 801a4b8909891d8ccedf74280ad7b316568d563e Mon Sep 17 00:00:00 2001
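Review bot: The new `elsif test 'x', '/usr/bin/systemctl'` branch equates "a systemctl binary exists at this path" with "booted under systemd", and that fails in both directions: Debian and Ubuntu shipped systemctl as `/bin/systemctl` before the usr-merge, so such hosts fall through to `'upstart'`, while a container or a box that has the package installed but still runs upstart reports `'systemd'`. sd_booted(3) documents the reliable check, the directory that only a running systemd creates: `elsif test 'd', '/run/systemd/system'`. The `end` that closes `detect_init` lies below the hunk.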
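Review bot: `bash 'enable and run logshipper'` has no guard, so it re-runs `systemctl enable`/`start` on every converge, and nothing issues `systemctl daemon-reload` after `cookbook_file` writes the unit, so a running systemd keeps its cached definition once the file changes on disk; the patch 4 revision of this recipe (which swaps the start for `systemctl restart rsyslog`) has the same gap. Chef's `service` resource drives systemd directly and is idempotent, so the usual shape is a daemon-reload `execute` with `action :nothing` notified by the `cookbook_file`, followed by `service 'logshipper'` with `action [:enable, :start]`; that also surfaces a failing `systemctl` as a resource failure instead of an exit code inside a string. The `"""` delimiter on the `code` line is two adjacent string literals rather than a multi-line quote; a heredoc (`<<~SH`) says what is meant.
```ruby
cookbook_file '/etc/systemd/system/logshipper.service' do
  # … unchanged: source / owner / group / mode …
  notifies :run, 'execute[systemctl daemon-reload]', :immediately
end

execute 'systemctl daemon-reload' do
  action :nothing
end

service 'logshipper' do
  action [:enable, :start]
end
```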
From: =?UTF-8?q?Rafa=C5=82=20Rzepecki?=
Date: Mon, 21 Dec 2015 16:07:13 +0100
Subject: [PATCH 2/4] Update metadata and Changelog
---
 CHANGELOG.md | 12 ++++++++++++
 metadata.rb | 4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ce9094c..6aafbfc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+# 0.3.0
+
+* Systemd support
+
+# 0.2.3
+
+* Updated EL repository URL
+
+# 0.2.2
+
+* Add a timeout in pubkey fetcher to prevent lockout when Conjur is unreachable
+
 # 0.2.1
 * Lower nslcd's idle_timelimit to one second
diff --git a/metadata.rb b/metadata.rb
index f0ecb4c..b61fce2 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -3,7 +3,7 @@
 maintainer_email 'support@conjur.net'
 license 'MIT License'
 description 'Installs/Configures conjur'
-version '0.2.2'
+version '0.3.0'
 recipe "conjur::install", "Installs Conjur base packages and configuration, suitable for a foundation image."
@@ -11,6 +11,6 @@
 depends "yum"
 depends "sshd-service"
-%w(ubuntu).each do |platform|
+%w(ubuntu centos).each do |platform|
 supports platform
 end
From c677026a724d7a269e1c1cbaad8fd051afd2d0fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Rzepecki?=
Date: Mon, 21 Dec 2015 16:22:17 +0100
Subject: [PATCH 3/4] More robust package build
---
 Rakefile | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/Rakefile b/Rakefile
index 136d0e7..e8726a3 100644
--- a/Rakefile
+++ b/Rakefile
@@ -10,11 +10,14 @@ end
 desc "Package cookbooks into a chef-solo tarball"
 task :package => :vendor do
+ `rm -rf vendor/cookbooks/conjur`
 `mkdir -p vendor/cookbooks/conjur`
- `cp -r metadata.rb Berksfile Berksfile.lock CHANGELOG.md chefignore README.md attributes recipes spec vendor/cookbooks/conjur`
- version=`git describe --tags`.strip
+ `cp -r metadata.rb Berksfile Berksfile.lock CHANGELOG.md chefignore \
+ README.md attributes recipes files templates libraries \
+ vendor/cookbooks/conjur`
+ version=`git describe --tags --dirty`.strip
 Dir.chdir 'vendor'
 tarball = "conjur-#{version}.tar.gz"
 puts "Building cookbook tarball #{tarball}"
- `tar czf ../#{tarball} cookbooks`
+ `tar czv --numeric-owner --owner=0 --group=root --mode=og+r -f ../#{tarball} cookbooks`
 end
From 98f83858e6105d594b29ad1f1606f422e90cfcfb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Rzepecki?=
Date: Mon, 21 Dec 2015 17:58:09 +0100
Subject: [PATCH 4/4] Rearrange rsyslog and logshipper deps in systemd
Also, create the fifo on demand, with correct security context. Finally works.
---
 files/default/systemd/logshipper.service | 9 +++++++--
 recipes/_install_logshipper_systemd.rb | 4 ++--
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/files/default/systemd/logshipper.service b/files/default/systemd/logshipper.service
index ea18d1f..cfdec51 100644
--- a/files/default/systemd/logshipper.service
+++ b/files/default/systemd/logshipper.service
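Review bot: Every shell step in the reworked `:package` body still runs through backticks, whose exit status is discarded, so a failing `cp`, `git describe` or `tar` leaves a partial or misnamed tarball (`conjur-.tar.gz` when `version` comes back empty) while the task reports success; for a commit titled "More robust package build" that is the remaining gap. Rake already exposes FileUtils (`rm_rf`, `mkdir_p`, `cp_r`) and `sh`, both of which raise on failure, and handing tar its arguments as a list keeps the interpolated `#{tarball}` out of a shell parse entirely.
```ruby
task :package => :vendor do
  rm_rf 'vendor/cookbooks/conjur'
  mkdir_p 'vendor/cookbooks/conjur'
  cp_r %w[metadata.rb Berksfile Berksfile.lock CHANGELOG.md chefignore
          README.md attributes recipes files templates libraries],
       'vendor/cookbooks/conjur'
  version = `git describe --tags --dirty`.strip
  raise 'git describe --tags --dirty failed or returned nothing' unless $?.success? && !version.empty?
  # … unchanged: Dir.chdir, tarball name, puts …
  sh 'tar', 'czv', '--numeric-owner', '--owner=0', '--group=root', '--mode=og+r',
     '-f', "../#{tarball}", 'cookbooks'
end
```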
@@ -1,13 +1,18 @@
 [Unit]
 Description=Conjur log shipping service
 Documentation=https://developer.conjur.net
-RequiresOverridable=rsyslog.service
+Wants=rsyslog.service
+Before=rsyslog.service
 [Service]
+ExecStartPre=-/bin/rm /var/run/logshipper
+ExecStartPre=/bin/mkfifo --context --mode 0460 /var/run/logshipper
+ExecStartPre=/bin/chown logshipper /var/run/logshipper
 ExecStart=/usr/sbin/logshipper -n /var/run/logshipper
 Restart=always
 User=logshipper
 Group=conjur
+PermissionsStartOnly=true
 [Install]
-WantedBy=rsyslog.target
+RequiredBy=rsyslog.service
diff --git a/recipes/_install_logshipper_systemd.rb b/recipes/_install_logshipper_systemd.rb
index 428f945..58aa461 100644
--- a/recipes/_install_logshipper_systemd.rb
+++ b/recipes/_install_logshipper_systemd.rb
@@ -2,12 +2,12 @@
 source 'systemd/logshipper.service'
 owner 'root'
 group 'root'
- mode '0755'
+ mode '0644'
 end
 bash 'enable and run logshipper' do
 code """
 systemctl enable logshipper
- systemctl start logshipper
+ systemctl restart rsyslog
 """
 end
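Review bot: `ExecStartPre=/bin/chown logshipper /var/run/logshipper` changes only the owner, so the fifo that the preceding `mkfifo --mode 0460` creates (as root, since `PermissionsStartOnly=true` runs the pre-steps privileged) keeps root as its group and the `Group=conjur` the daemon runs under never applies to it; if the group-write bit is meant for members of `conjur`, the line should read `ExecStartPre=/bin/chown logshipper:conjur /var/run/logshipper`, and if it is meant for an rsyslog that presumably writes as root, a comment saying so would stop the next reader from "fixing" it. `RequiredBy=rsyslog.service` also means an explicit stop or restart of logshipper is propagated to rsyslog, a much tighter coupling than the `WantedBy` it replaces; unless taking local syslog down with the shipper is intended, `WantedBy=rsyslog.service` keeps the `Before=` ordering while leaving rsyslog running. `mkfifo --context` with no argument asks for the default SELinux type, and on a kernel without SELinux/SMACK some coreutils releases error out rather than warn, which would abort every start on the Ubuntu platform metadata.rb declares, so that is worth confirming there. Since the unit already drops to `User=logshipper`, adding `NoNewPrivileges=true` and `PrivateTmp=true` under [Service] is a cheap further reduction of what a compromised shipper could reach.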