From 6f4464ec56ad215320107f4603190c11e487f3ca Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 31 May 2016 15:39:59 -0400 Subject: Reduce check_mk timeouts (#7807). check_mk operations can take a long time (such as when doing a re-inventory using "check_mk -II") when multiple hosts are down. This decreases the connect timeout to 5 seconds. Change-Id: I1eac5f14bad2afc2ffc4cbf8c950c24b052a0d6e --- puppet/modules/site_check_mk/templates/use_ssh.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_check_mk/templates/use_ssh.mk b/puppet/modules/site_check_mk/templates/use_ssh.mk index 55269536..25f951e0 100644 --- a/puppet/modules/site_check_mk/templates/use_ssh.mk +++ b/puppet/modules/site_check_mk/templates/use_ssh.mk @@ -1,6 +1,6 @@ # http://mathias-kettner.de/checkmk_datasource_programs.html datasource_programs = [ <% @nagios_hosts.sort.each do |name,config| %> - ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%=config['ssh_port']%> <%=config['domain_internal']%> check_mk_agent", [ "<%=config['domain_internal']%>" ], ),<%- end -%> + ( "ssh -o ConnectTimeout=5 -l root -i /etc/check_mk/.ssh/id_rsa -p <%=config['ssh_port']%> <%=config['domain_internal']%> check_mk_agent", [ "<%=config['domain_internal']%>" ], ),<%- end -%> ] -- cgit v1.2.3 From 31c7e54c86622d71c735ef18448d3977a6c59713 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 31 May 2016 13:45:36 -0400 Subject: Disable puppet-agent daemon from running. The agent wakes up every two minutes and tries to connect to the default server, failing with a certificate warning. We don't use the agent, so we can safely disable it (#8032) Change-Id: I707f42b59205993325431aba283552b1b73a0ad1 --- puppet/modules/site_config/manifests/default.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 256de1a1..9bc8c30d 100644 --- a/puppet/modules/site_config/manifests/default.pp 
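Review bot: `-o ConnectTimeout=5` bounds only TCP connection establishment, so a host that accepts the connection and then stalls (key exchange hangs, or `check_mk_agent` blocks) still holds the datasource program open and the slow re-inventory the commit message describes can recur. Adding `-o BatchMode=yes -o ServerAliveInterval=10 -o ServerAliveCountMax=3` to the same command bounds the session as well and turns a missing or rejected key into an immediate failure instead of a prompt that never returns. The per-host `config['ssh_port']` and `config['domain_internal']` values are interpolated unquoted into the command string; they come from the operator's node configuration, so that is acceptable here, but a malformed value breaks the generated list entry without any error from the template.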
+++ b/puppet/modules/site_config/manifests/default.pp @@ -7,8 +7,9 @@ class site_config::default { include site_config::params include site_config::setup - # default class, used by all hosts + service { 'puppet': ensure => stopped } + # default class, used by all hosts include lsb, git # configure sysctl parameters -- cgit v1.2.3 From f2e8c437e6899c970ed8ab4ab4e85d333d6e2cf2 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 1 Jun 2016 13:08:38 -0700 Subject: ensure soledad server has access to x509::variables --- puppet/modules/soledad/manifests/server.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 8674f421..6cf806d0 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -17,6 +17,7 @@ class soledad::server { $sources = hiera('sources') + include x509::variables include site_config::x509::cert include site_config::x509::key include site_config::x509::ca -- cgit v1.2.3 From 94cc1ff3368cbf5ebd0a38dc04bc7236e0e90900 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 2 Jun 2016 12:42:10 -0400 Subject: Fix opendkim milter location (#8163). The unix socket method for connecting to the milter was incorrectly reverted, this puts it back to how it should be. Change-Id: Ifde669c920a249c782f577a112f4d45e60a889a2 --- puppet/modules/site_postfix/manifests/mx.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index c269946b..e743118e 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
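Review bot: `service { 'puppet': ensure => stopped }` stops the running agent but does not disable it, so after the next reboot the init script starts it again and the two-minute connection attempts with certificate warnings that the commit message describes resume; the resource should be `service { 'puppet': ensure => stopped, enable => false }`. Stopping the agent from within a manifest is safe only because, as far as the message indicates, the platform applies manifests without the agent daemon. The `class site_config::default` body continues outside the hunk.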
@@ -69,10 +69,10 @@ class site_postfix::mx { value => '$alias_maps'; # setup clamav and opendkim on smtpd 'smtpd_milters': - value => 'unix:/run/clamav/milter.ctl,inet:localhost:8891'; + value => 'unix:/run/clamav/milter.ctl,unix:/run/opendkim/opendkim.sock'; # setup opendkim for smtp (non-smtpd) outgoing mail 'non_smtpd_milters': - value => 'inet:localhost:8891'; + value => 'unix:/run/opendkim/opendkim.sock'; 'milter_default_action': value => 'accept'; # Make sure that the right values are set, these could be set to different -- cgit v1.2.3 From 88d3a09a87c483ccde6517063d4a34756272c0f0 Mon Sep 17 00:00:00 2001 From: Christoph Kluenter Date: Mon, 6 Jun 2016 10:14:50 +0200 Subject: debian packages don't know AllowSupplementaryGroups if this is set in the config, the deamons do not start anymore. From the debian changelog: clamav (0.99.2+dfsg-0+deb8u1) stable; urgency=medium * Import new Upstream. * Drop AllowSupplementaryGroups option which is default now (Closes: #822444). --- puppet/modules/clamav/templates/clamav-milter.conf.erb | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb index 9bf7099e..50b4c620 100644 --- a/puppet/modules/clamav/templates/clamav-milter.conf.erb +++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb @@ -4,7 +4,6 @@ FixStaleSocket true User clamav MilterSocketGroup clamav MilterSocketMode 666 -AllowSupplementaryGroups true ReadTimeout 120 Foreground false PidFile /var/run/clamav/clamav-milter.pid -- cgit v1.2.3 From 462975799b9c130285761958d040b71f0ab1ac9b Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 26 May 2016 11:50:33 -0700 Subject: fix typo that prevented common.ENV.json from being loaded. closes #7697 --- platform.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform.rb b/platform.rb index 1e19a2a9..61fb50ce 100644 --- a/platform.rb +++ b/platform.rb 
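Review bot: The new `unix:/run/opendkim/opendkim.sock` path is opened by smtpd (for `smtpd_milters`) and by cleanup (for `non_smtpd_milters`), and on Debian both run chrooted under the Postfix queue directory by default, so the absolute path is resolved inside the chroot unless the chroot is turned off for that service. A later commit in this series sets `cleanup/unix/chroot=n` in this same file; I cannot see from this hunk whether smtpd is handled too, so it is worth confirming on a deployed host that smtpd actually reaches the socket. With `milter_default_action => 'accept'` (visible below) a failed milter connect does not reject mail, it silently skips DKIM signing and verification, so the failure mode is quiet; watching the mail log for milter connect failures is the way to catch it. The `class site_postfix::mx` body continues outside the hunk.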
@@ -45,7 +45,7 @@ Leap::Platform.define do :node_config => 'nodes/#{arg}.json', # input config files, environmentally scoped - :common_env_config => 'commmon.#{arg}.json', + :common_env_config => 'common.#{arg}.json', :provider_env_config => 'provider.#{arg}.json', :service_env_config => 'services/#{arg[0]}.#{arg[1]}.json', :tag_env_config => 'tags/#{arg[0]}.#{arg[1]}.json', -- cgit v1.2.3 From 2055ae4ae2e780dec0b73b6233e1785ec6409546 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 3 Jun 2016 12:02:09 -0700 Subject: auto run bundler when needed for site_static --- puppet/modules/site_static/manifests/location.pp | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index d116de2f..ab2b7494 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -23,6 +23,19 @@ define site_static::location($path, $format, $source) { } } + if ($format == 'rack') { + # Run bundler if there is a Gemfile + exec { 'bundler_update': + cwd => $file_path, + command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"', + unless => '/usr/bin/bundle check --path vendor/bundle', + onlyif => 'test -f Gemfile', + user => 'www-data', + timeout => 600, + require => [Class['bundler::install'], Class['site_config::ruby::dev']]; + } + } + vcsrepo { $file_path: ensure => present, force => true, -- cgit v1.2.3 From a0bd7c33d4d2968d9824fd4613c701c94a91c2cc Mon Sep 17 00:00:00 2001 
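Review bot: `onlyif => 'test -f Gemfile'` is not a fully qualified command and the exec sets no `path`, so Puppet should refuse the resource at apply time (it applies the same qualification rule to `onlyif`/`unless` as to `command`); use `onlyif => '/usr/bin/test -f Gemfile',`. The exec also has no dependency on the `vcsrepo { $file_path: ... }` declared right below it, so on a first deploy it can be evaluated before the checkout exists and the install is skipped until the following run; extend the list to `require => [Class['bundler::install'], Class['site_config::ruby::dev'], Vcsrepo[$file_path]];`. Note that `bundle install` evaluates the checked-out Gemfile and builds gem native extensions as `www-data` inside the served tree, which is fine for an operator-controlled site repository but deserves a comment, e.g. `# bundler executes the site's Gemfile as www-data; only deploy trusted sources`. As a point of style, the `unless` duplicates the `bundle check` already performed inside `command`, so one of the two can go. The `define site_static::location` begins before and continues after this hunk.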
From: Micah Date: Tue, 7 Jun 2016 15:26:01 -0400 Subject: refresh_stunnel sometimes doesn't run (#8168). It turns out that in some corner-cases, the script is not called: (1) start the deploy, create files in /var/lib/puppet/stunnel4/config (2) halt puppet before apply finishes (3) re-run deploy in this scenario, next time you run deploy, refresh_stunnel will never get called to populate /etc/stunnel, because the files in /var/lib/puppet/stunnel4/config haven't changed. This problem can be really confusing when it happens. To fix this, we just run refresh_stunnel every, it is pretty fast and the script has more complete logic for what to do than puppet, which has only an asymmetrical view on the situation. Change-Id: I9e5fad1d081c2fe07f3ac8f07cfb87d86b88f7c9 --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 79e874c1..008777bd 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 79e874c1a86ad5c48c4e726a5d4c68bd879ce454 +Subproject commit 008777bd9837c87a8f501f36dbf2bd4f79c8c868 -- cgit v1.2.3 From 5e3c2f821dec68d2fd61454e495b8ffb6e0d2dcf Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 14 Jun 2016 10:02:40 -0400 Subject: update stunnel module for refresh_stunnel fixes Change-Id: I7675dbaba4d896a62dab9fcf4817092ea69f1298 --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 008777bd..421c8e52 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 008777bd9837c87a8f501f36dbf2bd4f79c8c868 +Subproject commit 421c8e527d57fd4d1221dbd341394d954cd38314 -- cgit v1.2.3 From 4a9be045411e43534df0aec4289d64f4129c52d2 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 14 Jun 2016 10:46:20 -0400 Subject: Ensure stunnel package, service and default ordering. --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 421c8e52..4056d79a 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 421c8e527d57fd4d1221dbd341394d954cd38314 +Subproject commit 4056d79a2e07b7178cbbdb1576aa6f5ccd1d9e83 -- cgit v1.2.3 From 25cdee309d4ad749d633c8b4d5bf7e65f83fb75b Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 14 Jun 2016 12:37:10 -0400 Subject: make sure required x509 bits are there before stunnel is started Change-Id: I772c3b6e489e3c1848c45c6bcaa240324fc88928 --- puppet/modules/site_stunnel/manifests/client.pp | 6 +++++- puppet/modules/site_stunnel/manifests/servers.pp | 6 +++++- puppet/modules/stunnel | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp index c9e034f1..de9febd4 100644 --- a/puppet/modules/site_stunnel/manifests/client.pp +++ b/puppet/modules/site_stunnel/manifests/client.pp @@ -39,7 +39,11 @@ define site_stunnel::client ( debuglevel => $debuglevel, sslversion => 'TLSv1', syslog => 'no', - output => $logfile; + output => $logfile, + require => [ + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ]; } # define the log files so that we can purge the diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp index e76d1e9d..3dc5dce6 100644 --- a/puppet/modules/site_stunnel/manifests/servers.pp +++ b/puppet/modules/site_stunnel/manifests/servers.pp 
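Review bot: `require` on the three `Site_config::X509` classes only orders this resource after the key, certificate and CA are in place; it does not refresh it, so when those classes rotate the material on disk the running tunnel keeps using the old key and certificate until something else restarts it. If the underlying resource wraps a restartable service, `subscribe` (or a `notify` from the file resources) is what makes the tunnel pick up rotated certificates — I cannot see the define's implementation from here, so please confirm. The same `require` block is added to `servers.pp` in the next hunk and the point applies there as well. Separately, the unchanged `sslversion => 'TLSv1'` context line pins the tunnel to TLS 1.0 only; not part of this change, but worth its own ticket. The `define site_stunnel::client (` body continues outside the hunk.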
@@ -39,7 +39,11 @@ define site_stunnel::servers ( debuglevel => $debuglevel, sslversion => 'TLSv1', syslog => 'no', - output => $logfile; + output => $logfile, + require => [ + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ]; } # allow incoming connections on $accept_port diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 4056d79a..523612fb 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 4056d79a2e07b7178cbbdb1576aa6f5ccd1d9e83 +Subproject commit 523612fb6daff51837423619f5014e62dc835559 -- cgit v1.2.3 From 8532c9656eba93a10601421089502e39aa23b753 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 14 Jun 2016 12:51:08 -0400 Subject: switch to two-space soft tabs to fix lint error Change-Id: Ic12b243b195e40482a70dd70219212c3697899ba --- puppet/modules/site_stunnel/manifests/client.pp | 7 +++---- puppet/modules/site_stunnel/manifests/servers.pp | 7 +++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp index de9febd4..7c431c50 100644 --- a/puppet/modules/site_stunnel/manifests/client.pp +++ b/puppet/modules/site_stunnel/manifests/client.pp @@ -40,10 +40,9 @@ define site_stunnel::client ( sslversion => 'TLSv1', syslog => 'no', output => $logfile, - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; + require => [ Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ]; } # define the log files so that we can purge the diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp index 3dc5dce6..37aaf5a6 100644 --- a/puppet/modules/site_stunnel/manifests/servers.pp +++ b/puppet/modules/site_stunnel/manifests/servers.pp 
@@ -40,10 +40,9 @@ define site_stunnel::servers ( sslversion => 'TLSv1', syslog => 'no', output => $logfile, - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; + require => [ Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ]; } # allow incoming connections on $accept_port -- cgit v1.2.3 From f2cc9926bcc0d72c8c490583b5eed712a869c4d2 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 16 Jun 2016 11:39:11 -0400 Subject: Fix matching for cleanup check. The onlyif check was incorrectly specified in the original implementation in commit id: 15b83d88dcedab496a19cef57f11c5c8e091dd4a this inverts it so it is properly detected. Change-Id: I531e206fff1ca61780adcd195e1f917011e50fb4 --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e743118e..0b760eb4 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -96,7 +96,7 @@ class site_postfix::mx { # access the opendkim milter socket (#8020) exec { 'unset_cleanup_chroot': command => '/usr/sbin/postconf -F "cleanup/unix/chroot=n"', - onlyif => '/usr/sbin/postconf -h -F "cleanup/unix/chroot" | egrep -q ^n', + onlyif => '/usr/sbin/postconf -h -F "cleanup/unix/chroot" | egrep -qv ^n', notify => Service['postfix'], require => File['/etc/postfix/master.cf'] } -- cgit v1.2.3 From 7becc465d726a1dbc1733db5c02c343cdac53d15 Mon Sep 17 00:00:00 2001 
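Review bot: The corrected `onlyif` now runs `postconf -F "cleanup/unix/chroot=n"` whenever the chroot field is anything other than `n`, including the Debian default `-`, which is what the commit wants; but the exec also requires `File['/etc/postfix/master.cf']`, and if that File resource enforces `content` or `source`, each apply will rewrite master.cf, this exec will edit it back, and `notify => Service['postfix']` restarts Postfix on every run. If master.cf is a managed template, setting the cleanup chroot column to `n` in the template is the stable fix; if the File only manages ownership and mode, the current approach is fine — the hunk does not show which. The `-v` form also treats empty output (postconf failing because the entry is missing) as "do nothing", which is the safe direction. The `class site_postfix::mx` body continues outside the hunk.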
From: Micah Date: Thu, 16 Jun 2016 12:24:01 -0400 Subject: Disable the Trace method (#8195) The Trace method is enabled because of the Apache module, but it is not the default in Debian, and it should not be enabled, for more information see the following: https://www.kb.cert.org/vuls/id/867593 Change-Id: I06a06ae679dbf7049f26a017125b61e5e38f6268 --- puppet/modules/site_apache/files/conf.d/security | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_apache/files/conf.d/security b/puppet/modules/site_apache/files/conf.d/security index a5ae5bdc..fdcf6270 100644 --- a/puppet/modules/site_apache/files/conf.d/security +++ b/puppet/modules/site_apache/files/conf.d/security @@ -45,8 +45,8 @@ ServerSignature Off # # Set to one of: On | Off | extended # -#TraceEnable Off -TraceEnable On +TraceEnable Off +#TraceEnable On # Setting this header will prevent other sites from embedding pages from this # site as frames. This defends against clickjacking attacks. -- cgit v1.2.3
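Review bot: Leaving `#TraceEnable On` directly under the new `TraceEnable Off` keeps a one-character path back to the vulnerable setting with nothing in the file explaining why it was turned off; drop the commented line and record the reason instead, e.g. `# Keep TRACE disabled (cross-site tracing, CERT VU#867593, #8195)`. `TraceEnable` is a server-wide directive, so this change is only effective if `conf.d/security` is actually loaded by the Apache configuration on the host, which this hunk does not show; a TRACE request against a deployed host is the quick way to confirm it now returns 405.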