From c0cbf928c057d299f533a2a8b61bb54cc6ba5974 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 7 Jun 2016 15:26:01 -0400 Subject: refresh_stunnel sometimes doesn't run (#8168). It turns out that in some corner-cases, the script is not called: (1) start the deploy, create files in /var/lib/puppet/stunnel4/config (2) halt puppet before apply finishes (3) re-run deploy in this scenario, next time you run deploy, refresh_stunnel will never get called to populate /etc/stunnel, because the files in /var/lib/puppet/stunnel4/config haven't changed. This problem can be really confusing when it happens. To fix this, we just run refresh_stunnel every, it is pretty fast and the script has more complete logic for what to do than puppet, which has only an asymmetrical view on the situation. Change-Id: I9e5fad1d081c2fe07f3ac8f07cfb87d86b88f7c9 --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/stunnel/templates') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 79e874c1..008777bd 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 79e874c1a86ad5c48c4e726a5d4c68bd879ce454 +Subproject commit 008777bd9837c87a8f501f36dbf2bd4f79c8c868 -- cgit v1.2.3 From f4f278ea62751220790dfc7fae58ecdc5756c4b5 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 14 Jun 2016 10:02:40 -0400 Subject: update stunnel module for refresh_stunnel fixes Change-Id: I7675dbaba4d896a62dab9fcf4817092ea69f1298 --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/stunnel/templates') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 008777bd..421c8e52 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 008777bd9837c87a8f501f36dbf2bd4f79c8c868 +Subproject commit 421c8e527d57fd4d1221dbd341394d954cd38314 -- cgit v1.2.3 From 3aba84e808035a02c35bb64a04daccc5ab03e5db Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 14 Jun 2016 10:46:20 -0400 Subject: Ensure stunnel package, service and default ordering. --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/stunnel/templates') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 421c8e52..4056d79a 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 421c8e527d57fd4d1221dbd341394d954cd38314 +Subproject commit 4056d79a2e07b7178cbbdb1576aa6f5ccd1d9e83 -- cgit v1.2.3 From bf6d0fe1b74910026d577b80e5894f22c6edfde7 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 14 Jun 2016 12:37:10 -0400 Subject: make sure required x509 bits are there before stunnel is started Change-Id: I772c3b6e489e3c1848c45c6bcaa240324fc88928 --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/stunnel/templates') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 4056d79a..523612fb 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 4056d79a2e07b7178cbbdb1576aa6f5ccd1d9e83 +Subproject commit 523612fb6daff51837423619f5014e62dc835559 -- cgit v1.2.3 From 7ce3190986cf8e5fe037a7ccd4c1076505b117f4 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Jul 2016 16:41:59 -0400 Subject: remove submodules in preparation for move to subrepos Change-Id: Ia7655153b556337f676e3d909559c4a7306bedd6 --- puppet/modules/stunnel | 1 - 1 file changed, 1 deletion(-) delete mode 160000 puppet/modules/stunnel (limited to 'puppet/modules/stunnel/templates') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel deleted file mode 160000 index 523612fb..00000000 --- a/puppet/modules/stunnel +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 523612fb6daff51837423619f5014e62dc835559 -- cgit v1.2.3 From 04279dd8d1390d61d696d2c14817199304ccd4d8 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Jul 2016 16:46:21 -0400 Subject: git subrepo clone https://leap.se/git/puppet_stunnel puppet/modules/stunnel subrepo: subdir: "puppet/modules/stunnel" merged: "523612f" upstream: origin: "https://leap.se/git/puppet_stunnel" branch: "master" commit: "523612f" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "1e79595" Change-Id: If384c84c99d9cabc67d2b4b9d7d2fbfa4a47550a --- puppet/modules/stunnel/templates/Debian/default | 13 ++++++ .../stunnel/templates/refresh_stunnel.sh.erb | 22 ++++++++++ puppet/modules/stunnel/templates/service.conf.erb | 47 ++++++++++++++++++++++ 3 files changed, 82 insertions(+) create mode 100644 puppet/modules/stunnel/templates/Debian/default create mode 100644 puppet/modules/stunnel/templates/refresh_stunnel.sh.erb create mode 100644 puppet/modules/stunnel/templates/service.conf.erb (limited to 'puppet/modules/stunnel/templates') diff --git a/puppet/modules/stunnel/templates/Debian/default b/puppet/modules/stunnel/templates/Debian/default new file mode 100644 index 00000000..9e2f4d37 --- /dev/null +++ b/puppet/modules/stunnel/templates/Debian/default @@ -0,0 +1,13 @@ +# /etc/default/stunnel +# Julien LEMOINE +# September 2003 + +# Change to one to enable stunnel automatic startup +ENABLED=<%= scope.lookupvar('stunnel::startboot') %> +FILES="/etc/stunnel/*.conf" +OPTIONS="" + +# Change to one to enable ppp restart scripts +PPP_RESTART=0 + +<%= scope.lookupvar('stunnel::default_extra') %> diff --git a/puppet/modules/stunnel/templates/refresh_stunnel.sh.erb b/puppet/modules/stunnel/templates/refresh_stunnel.sh.erb new file mode 100644 index 00000000..1af0cff7 --- /dev/null +++ b/puppet/modules/stunnel/templates/refresh_stunnel.sh.erb @@ -0,0 +1,22 @@ +#!/bin/sh -x + +for difference in `diff -q /etc/stunnel <%= @stunnel_staging %>/configs | grep differ | awk '{print $2}'` +do + old_config=`basename $difference` + /etc/init.d/stunnel4 stop $(basename $old_config .conf) + rm $difference +done + +for only in `diff -q /etc/stunnel <%= @stunnel_staging %>/configs | grep 'Only in /etc/stunnel:' | awk '{print $4}'` +do + old_config=`basename $only` + /etc/init.d/stunnel4 stop $(basename $only .conf) + rm /etc/stunnel/${only} +done + +cp <%= @stunnel_staging %>/configs/*.conf /etc/stunnel + +/etc/init.d/stunnel4 start + + + diff --git a/puppet/modules/stunnel/templates/service.conf.erb b/puppet/modules/stunnel/templates/service.conf.erb new file mode 100644 index 00000000..47f1c9d2 --- /dev/null +++ b/puppet/modules/stunnel/templates/service.conf.erb @@ -0,0 +1,47 @@ +; templated stunnel configuration file to be used by puppet stunnel module +; NOTE: any changes you make to this file will be overwritten the next time +; puppet runs, please make configuration changes to this service in puppet + +; Global configuration options +<%= 'debug = ' + @debuglevel %> +<%= 'pid = ' + @real_pid %> +<%- %w{chroot setuid setgid service compression}.each do |v| + if has_variable?(v) and instance_variable_get("@#{v}").to_s != "false" -%> +<%= v + " = " + instance_variable_get("@#{v}").to_s %> +<%- + end +end -%> + +; Some performance tunings +<% if @socket.is_a? String -%> +<%= 'socket = ' + @socket %> +<% elsif @socket.is_a? Array -%> +<%= @socket.map { |i| "socket = #{i}" }. join("\n") %> +<% end -%> + +<%- %w{output syslog}.each do |v| + if has_variable?(v) and instance_variable_get("@#{v}").to_s != "false" -%> +<%= v + " = " + instance_variable_get("@#{v}").to_s %> +<%- + end +end -%> + +<%- %w{egd engine enginectrl rndbytes rndfile rndoverwrite}.each do |v| + if has_variable?(v) and instance_variable_get("@#{v}").to_s != "false" -%> +<%= v + " = " + instance_variable_get("@#{v}").to_s %> +<%- + end +end -%> + +; Service-level configuration +<%= '[' + @name + ']' %> +<%- %w{accept connect capath cafile cert ciphers crlpath crlfile delay enginenum exec + execargs failover ident key local oscp ocspflag options protocol protocolauthentication + protocolhost protocolpassword protocolusername pty retry session sslversion stack + timeoutbusy timeoutclose timeoutconnect timeoutidle transparent verify}.each do |v| + if has_variable?(v) and instance_variable_get("@#{v}").to_s != "false" -%> +<%= v + ' = ' + instance_variable_get("@#{v}").to_s %> +<%- + end +end -%> +client = <%= @client ? 'yes' : 'no' %> -- cgit v1.2.3