From ab3e3f1c0c8ddcfbb58a5657bb6641bf2af92005 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 26 Mar 2018 18:08:34 +0200 Subject: [PATCH 01/14] add journald.pp to manage journald.conf --- manifests/init.pp | 9 +++++- manifests/journald.pp | 63 ++++++++++++++++++++++++++++++++++++++ templates/journald.erb | 69 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 140 insertions(+), 1 deletion(-) create mode 100644 manifests/journald.pp create mode 100644 templates/journald.erb diff --git a/manifests/init.pp b/manifests/init.pp index 8921b8d..049db81 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,7 +1,10 @@ # # https://wiki.archlinux.org/index.php/systemd#Service_types # -class systemd($removeipc = 'no') inherits systemd::params { +class systemd( + $manage_journald = false, + $removeipc = 'no', +) inherits systemd::params { Exec { path => '/bin:/sbin:/usr/bin:/usr/sbin', @@ -20,4 +23,8 @@ } include ::systemd::logind + + if ($manage_journald) { + include ::systemd::journald + } } diff --git a/manifests/journald.pp b/manifests/journald.pp new file mode 100644 index 0000000..37a8185 --- /dev/null +++ b/manifests/journald.pp 
@@ -0,0 +1,63 @@
+class systemd::journald(
+ $compress = true,
+ $forward_to_console = false,
+ $forward_to_kmsg = false,
+ $forward_to_syslog = true,
+ $forward_to_wall = true,
+ $max_file_sec = '1month',
+ $max_level_console = 'info',
+ $max_level_kmsg = 'notice',
+ $max_level_store = 'debug',
+ $max_level_syslog = 'debug',
+ $max_level_wall = 'emerg',
+ $max_retention_sec = undef,
+ $rate_limit_burst = 1000,
+ $rate_limit_interval = '30s',
+ $runtime_keep_free = undef,
+ $runtime_max_files_ize = undef,
+ $runtime_max_use = undef,
+ $seal = true,
+ $split_mode = 'uid',
+ $storage = 'auto',
+ $sync_interval_sec = '5m',
+ $system_keep_free = undef,
+ $system_max_file_size = undef,
+ $system_max_use = undef,
+ $tty_path = '/dev/console'
+) inherits systemd {
+
+ validate_bool($compress, $forward_to_console, $forward_to_kmsg,
+ $forward_to_syslog, $forward_to_wall, $seal)
+
+ validate_integer($rate_limit_burst)
+
+ validate_re($max_level_console, ['^emerg$', '^alert$', '^crit$', '^err$',
+ '^warning$', '^notice$', '^info$', '^debug$'])
+
+ validate_re($max_level_kmsg, ['^emerg$', '^alert$', '^crit$', '^err$',
+ '^warning$', '^notice$', '^info$', '^debug$'])
+
+ validate_re($max_level_store, ['^emerg$', '^alert$', '^crit$', '^err$',
+ '^warning$', '^notice$', '^info$', '^debug$'])
+
+ validate_re($max_level_syslog, ['^emerg$', '^alert$', '^crit$', '^err$',
+ '^warning$', '^notice$', '^info$', '^debug$'])
+
+ validate_re($max_level_wall, ['^emerg$', '^alert$', '^crit$', '^err$',
+ '^warning$', '^notice$', '^info$', '^debug$'])
+
+ file { '/etc/systemd/journald.conf':
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template("${module_name}/journald.erb"),
+ notify => Exec['restart-systemd-journald'],
+ }
+
+ exec { 'restart-systemd-journald':
+ command => 'systemctl restart systemd-journald.service',
+ refreshonly => true,
+ }
+
+}
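Review bot: The three runtime parameters declared here (`$runtime_keep_free`, `$runtime_max_files_ize`, `$runtime_max_use`) can never reach journald.conf. templates/journald.erb in this same patch looks them up as `run_time_keep_free`, `run_time_max_file_size` and `run_time_max_use`, and it skips any name that resolves to nil; the middle parameter is also misspelled. A caller who sets a runtime size cap gets no error and no `RuntimeMaxUse=` line, so the limit they expect to bound the journal under /run is not applied. I would rename the parameter to `$runtime_max_file_size = undef,` and change the template's hash keys and `all_var_names` entries to `runtime_keep_free`, `runtime_max_file_size` and `runtime_max_use`.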
diff --git a/templates/journald.erb b/templates/journald.erb
new file mode 100644
index 0000000..c5aa10d
--- /dev/null
+++ b/templates/journald.erb
@@ -0,0 +1,69 @@
+###  puppet managed file
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# See journald.conf(5) for details
+<%-
+
+var_to_systemd_directives = {
+ 'compress' => 'Compress',
+ 'forward_to_console' => 'ForwardToConsole',
+ 'forward_to_kmsg' => 'ForwardToKMsg',
+ 'forward_to_syslog' => 'ForwardToSyslog',
+ 'forward_to_wall' => 'ForwardToWall',
+ 'max_file_sec' => 'MaxFileSec',
+ 'max_level_console' => 'MaxLevelConsole',
+ 'max_level_kmsg' => 'MaxLevelKMsg',
+ 'max_level_store' => 'MaxLevelStore',
+ 'max_level_syslog' => 'MaxLevelSyslog',
+ 'max_level_wall' => 'MaxLevelWall',
+ 'max_retention_sec' => 'MaxRetentionSec',
+ 'rate_limit_burst' => 'RateLimitBurst',
+ 'rate_limit_interval' => 'RateLimitInterval',
+ 'run_time_keep_free' => 'RuntimeKeepFree',
+ 'run_time_max_file_size' => 'RuntimeMaxFileSize',
+ 'run_time_max_use' => 'RuntimeMaxUse',
+ 'seal' => 'Seal',
+ 'split_mode' => 'SplitMode',
+ 'storage' => 'Storage',
+ 'sync_interval_sec' => 'SyncIntervalSec',
+ 'system_keep_free' => 'SystemKeepFree',
+ 'system_max_file_size' => 'SystemMaxFileSize',
+ 'system_max_use' => 'SystemMaxUse',
+ 'tty_path' => 'TTYPath',
+}
+
+-%>
+
+[Journal]
+<%
+ all_var_names = %w(compress forward_to_console forward_to_kmsg
+ forward_to_syslog forward_to_wall max_file_sec max_level_console
+ max_level_kmsg max_level_store max_level_syslog max_level_wall
+ max_retention_sec rate_limit_burst rate_limit_interval
+ run_time_keep_free run_time_max_file_size run_time_max_use seal
+ split_mode storage sync_interval_sec system_keep_free
+ system_max_file_size system_max_use tty_path)
+
+ bool_var_names = %w(compress forward_to_console forward_to_kmsg
+ forward_to_syslog forward_to_wall seal)
+
+all_var_names.each do | variableName
| -%> +<%- if scope[variableName].to_s != 'undef' and !scope[variableName].nil? + if bool_var_names.include? variableName + myvalue = scope.function_bool2yesno([scope[variableName]]) + elsif scope[variableName].is_a?(Array) + next if scope[variableName].empty? + myvalue = scope[variableName].join(' ') + else + myvalue = scope[variableName] + end +-%> +<%= var_to_systemd_directives[variableName] -%>=<%= myvalue %> +<%- end -%> +<% end -%> From 142d69499accd25dffae47c7127e728d0450e3b1 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Thu, 29 Mar 2018 16:06:37 +0200 Subject: [PATCH 02/14] new parameter: $manage_logind --- manifests/init.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 049db81..15b2e78 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -3,6 +3,7 @@ # class systemd( $manage_journald = false, + $manage_logind = true, $removeipc = 'no', ) inherits systemd::params { @@ -22,7 +23,9 @@ refreshonly => true, } - include ::systemd::logind + if ($manage_logind) { + include ::systemd::logind + } if ($manage_journald) { include ::systemd::journald From d8645786b8df04de7d20cf67b7674744643a0ab6 Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 14:22:15 +0200 Subject: [PATCH 03/14] =?UTF-8?q?reorganitzaci=C3=B3=20journald?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 4 ++ README.md | 32 +++++++++++++- manifests/init.pp | 16 +++---- manifests/journald.pp | 80 ++++++++++++++++------------------- manifests/journald/config.pp | 41 ++++++++++++++++++ manifests/journald/service.pp | 19 +++++++++ metadata.json | 2 +- templates/journald.erb | 65 ++++++++++++++-------------- 8 files changed, 171 insertions(+), 88 deletions(-) create mode 100644 manifests/journald/config.pp create mode 100644 manifests/journald/service.pp diff --git a/CHANGELOG.md b/CHANGELOG.md index a3847a7..5d50284 100644 --- a/CHANGELOG.md 
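Review bot: The closing `<%= myvalue %>` of the templates/journald.erb hunk writes every non-boolean parameter into journald.conf verbatim, while manifests/journald.pp validates only the booleans, `rate_limit_burst` and the five MaxLevel* values. A value for `storage`, `split_mode`, `tty_path` or any of the time and size strings that contains a line break would therefore add extra lines, including extra directives, to a root-owned file that controls log retention and forwarding. I would validate these in the manifest, for example `validate_re($storage, ['^volatile$', '^persistent$', '^auto$', '^none$'])`, and drop line breaks before output with `myvalue.to_s.delete("\r\n")`.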
+++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # CHANGELOG +## 0.1.42 + +* Add journald under puppet management - thanks to [fraenki](https://github.com/fraenki) for this [PR-84](https://github.com/NTTCom-MS/eyp-systemd/pull/84), it have been marged with some changes using [PR-81](https://github.com/NTTCom-MS/eyp-systemd/pull/81) + ## 0.1.41 * changed default setting **kill_user_processes** to false, it was breaking compatibility on some systems diff --git a/README.md b/README.md index 6caf056..412c686 100644 --- a/README.md +++ b/README.md 
@@ -261,6 +261,36 @@ base class for systemd reload management * **suspend_key_ignore_inhibited**: (default: false) * **user_tasks_max**: (default: 33%') +#### systemd::journald + +systemd-journald is a system service that collects and stores logging data + +* **compress**: If enabled (the default), data objects that shall be stored in the journal and are larger than the default threshold of 512 bytes are compressed before they are written to the file system. It can also be set to a number of bytes to specify the compression threshold directly. Suffixes like K, M, and G can be used to specify larger units. (default: true) +* **forward_to_console**: (default: false) +* **forward_to_kmsg**: (default: false) +* **forward_to_syslog**: (default: true) +* **forward_to_wall**: (default: true) +* **max_file_sec**: (default: 1month) +* **max_level_console**: (default: info) +* **max_level_kmsg**: (default: notice) +* **max_level_store**: (default: debug) +* **max_level_syslog**: (default: debug) +* **max_level_wall**: (default: emerg) +* **max_retention_sec**: (default: undef) +* **rate_limit_burst**: (default: 1000) +* **rate_limit_interval**: (default: 30s) +* **runtime_keep_free**: (default: undef) +* **runtime_max_files_size**: (default: undef) +* **runtime_max_use**: (default: undef) +* **seal**: If enabled (the default), and a sealing key is available (as created by journalctl(1)'s --setup-keys command), Forward Secure Sealing (FSS) for all persistent journal files is enabled (default: true) +* **split_mode**: (default: uid) +* **storage**: Controls where to store journal data. One of "volatile", "persistent", "auto" and "none" (default: auto) +* **sync_interval_sec**: (default: 5m) +* **system_keep_free**: (default: undef) +* **system_max_file_size**: (default: undef) +* **system_max_use**: (default: undef) +* **tty_path**: (default: /dev/console) + ### defines #### systemd::service 
@@ -373,7 +403,7 @@ have some test to check both presence and absence of any feature ### Contributing -1. Fork it +1. Fork it using the development fork: [jordiprats/eyp-systemd](https://github.com/jordiprats/eyp-systemd) 2. Create your feature branch (`git checkout -b my-new-feature`) 3. Commit your changes (`git commit -am 'Added some feature'`) 4. Push to the branch (`git push origin my-new-feature`) diff --git a/manifests/init.pp b/manifests/init.pp index 15b2e78..7917153 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,11 +1,10 @@ # # https://wiki.archlinux.org/index.php/systemd#Service_types # -class systemd( - $manage_journald = false, - $manage_logind = true, - $removeipc = 'no', -) inherits systemd::params { +class systemd ( + $manage_logind = true, + $removeipc = 'no', + ) inherits systemd::params { Exec { path => '/bin:/sbin:/usr/bin:/usr/sbin', @@ -23,11 +22,6 @@ refreshonly => true, } - if ($manage_logind) { - include ::systemd::logind - } + include ::systemd::logind - if ($manage_journald) { - include ::systemd::journald - } } diff --git a/manifests/journald.pp b/manifests/journald.pp index 37a8185..7712bb0 100644 --- a/manifests/journald.pp +++ b/manifests/journald.pp 
@@ -1,32 +1,37 @@ -class systemd::journald( - $compress = true, - $forward_to_console = false, - $forward_to_kmsg = false, - $forward_to_syslog = true, - $forward_to_wall = true, - $max_file_sec = '1month', - $max_level_console = 'info', - $max_level_kmsg = 'notice', - $max_level_store = 'debug', - $max_level_syslog = 'debug', - $max_level_wall = 'emerg', - $max_retention_sec = undef, - $rate_limit_burst = 1000, - $rate_limit_interval = '30s', - $runtime_keep_free = undef, - $runtime_max_files_ize = undef, - $runtime_max_use = undef, - $seal = true, - $split_mode = 'uid', - $storage = 'auto', - $sync_interval_sec = '5m', - $system_keep_free = undef, - $system_max_file_size = undef, - $system_max_use = undef, - $tty_path = '/dev/console' -) inherits systemd { - - validate_bool($compress, $forward_to_console, $forward_to_kmsg, +class systemd::journald ( + $manage_service = true, + $manage_docker_service = true, + $service_ensure = 'running', + $service_enable = true, + $compress = true, + $forward_to_console = false, + $forward_to_kmsg = false, + $forward_to_syslog = true, + $forward_to_wall = true, + $max_file_sec = '1month', + $max_level_console = 'info', + $max_level_kmsg = 'notice', + $max_level_store = 'debug', + $max_level_syslog = 'debug', + $max_level_wall = 'emerg', + $max_retention_sec = undef, + $rate_limit_burst = 1000, + $rate_limit_interval = '30s', + $runtime_keep_free = undef, + $runtime_max_files_size = undef, + $runtime_max_use = undef, + $seal = true, + $seal_interval = '30s', + $split_mode = 'uid', + $storage = 'auto', + $sync_interval_sec = '5m', + $system_keep_free = undef, + $system_max_file_size = undef, + $system_max_use = undef, + $tty_path = '/dev/console' + ) inherits systemd::params { + + validate_bool($forward_to_console, $forward_to_kmsg, $forward_to_syslog, $forward_to_wall, $seal) validate_integer($rate_limit_burst) 
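Review bot: `$compress` is dropped from `validate_bool` in this hunk, presumably so the byte threshold described in the README can be passed, but templates/journald.erb still lists `compress` in `bool_var_names` and routes it through `bool2yesno`. A threshold such as '1K' would then be rejected or converted at template time instead of being written as `Compress=1K` (I have not checked this against the stdlib version in use). Taking `compress` out of `bool_var_names`, or converting it only when `is_bool($compress)` holds, would make the manifest and the template agree. The class body continues outside this hunk.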
@@ -46,18 +51,7 @@ validate_re($max_level_wall, ['^emerg$', '^alert$', '^crit$', '^err$', '^warning$', '^notice$', '^info$', '^debug$']) - file { '/etc/systemd/journald.conf': - ensure => 'present', - owner => 'root', - group => 'root', - mode => '0644', - content => template("${module_name}/journald.erb"), - notify => Exec['restart-systemd-journald'], - } - - exec { 'restart-systemd-journald': - command => 'systemctl restart systemd-journald.service', - refreshonly => true, - } - + class { '::systemd::journald::config': } ~> + class { '::systemd::journald::service': } -> + Class['::systemd::journald'] } diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp new file mode 100644 index 0000000..7f8df39 --- /dev/null +++ b/manifests/journald/config.pp @@ -0,0 +1,41 @@ +class systemd::journald::config inherits systemd::journald { + + file { '/etc/systemd/journald.conf': + ensure => 'present', + owner => 'root', + group => 'root', + mode => '0644', + content => template("${module_name}/journald.erb"), + } + + if($seal) + { + # FSS + # chmod 2755 /var/log/journal/ + # [root@centos7 ~]# ls -ld /var/log/journal/ + # drwxr-sr-x+ 3 root systemd-journal 46 Apr 11 11:34 /var/log/journal/ + # [root@centos7 ~]# journalctl --interval=30s --setup-keys + + file { '/var/log/journal': + ensure => 'directory', + owner => 'root', + group => 'systemd-journal', + mode => '2755', + require => File['/etc/systemd/journald.conf'], + } + + exec { 'stop systemd-journald service for keys manipulation': + command => 'bash -c \'systemctl stop systemd-journald; echo\'', + unless => 'journalctl --verify 2>&1 | grep PASS', + require => File['/var/log/journal'], + } + + exec { 'setup FSS keys': + command => inline_template('bash -c \'systemctl stop systemd-journald; journalctl --interval =<% = @seal_interval %> --setup-keys\''), + unless => 'journalctl --verify 2>&1 | grep PASS', + require => Exec['stop systemd-journald service for keys manipulation'], + } + } + + +} 
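Review bot: In the `setup FSS keys` exec of manifests/journald/config.pp, `@seal_interval` is interpolated into a `bash -c` command string that runs as root, and `systemd::journald` never validates that parameter. Any shell metacharacter in the value, whether from a Hiera typo or from a data source someone else can write to, becomes part of the command. I would add `validate_re($seal_interval, '^[0-9]+[a-z]*$')` next to the other checks in manifests/journald.pp (the pattern is a constructed example; narrow it to the units you accept). Separately, `unless => 'journalctl --verify 2>&1 | grep PASS'` is satisfied by a single PASS line even when other journal files report FAIL, so this guard can mask a failed verification.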
diff --git a/manifests/journald/service.pp b/manifests/journald/service.pp new file mode 100644 index 0000000..3903aeb --- /dev/null +++ b/manifests/journald/service.pp @@ -0,0 +1,19 @@ +class systemd::journald::service inherits systemd::journald { + + $is_docker_container_var=getvar('::eyp_docker_iscontainer') + $is_docker_container=str2bool($is_docker_container_var) + + if( $is_docker_container==false or + $systemd::journald::manage_docker_service) + { + if($systemd::journald::manage_service) + { + service { 'systemd-journald': + ensure => $systemd::journald::service_ensure, + enable => $systemd::journald::service_enable, + hasstatus => true, + hasrestart => true, + } + } + } +} diff --git a/metadata.json b/metadata.json index 6136e65..5ad4a72 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "eyp-systemd", - "version": "0.1.41", + "version": "0.1.42", "author": "eyp", "summary": "management of systemd services, services dropins, sockets and timers", "license": "Apache-2.0", diff --git a/templates/journald.erb b/templates/journald.erb index c5aa10d..b478494 100644 --- a/templates/journald.erb +++ b/templates/journald.erb 
@@ -11,47 +11,48 @@ <%- var_to_systemd_directives = { - 'compress' => 'Compress', - 'forward_to_console' => 'ForwardToConsole', - 'forward_to_kmsg' => 'ForwardToKMsg', - 'forward_to_syslog' => 'ForwardToSyslog', - 'forward_to_wall' => 'ForwardToWall', - 'max_file_sec' => 'MaxFileSec', - 'max_level_console' => 'MaxLevelConsole', - 'max_level_kmsg' => 'MaxLevelKMsg', - 'max_level_store' => 'MaxLevelStore', - 'max_level_syslog' => 'MaxLevelSyslog', - 'max_level_wall' => 'MaxLevelWall', - 'max_retention_sec' => 'MaxRetentionSec', - 'rate_limit_burst' => 'RateLimitBurst', - 'rate_limit_interval' => 'RateLimitInterval', - 'run_time_keep_free' => 'RuntimeKeepFree', + 'compress' => 'Compress', + 'forward_to_console' => 'ForwardToConsole', + 'forward_to_kmsg' => 'ForwardToKMsg', + 'forward_to_syslog' => 'ForwardToSyslog', + 'forward_to_wall' => 'ForwardToWall', + 'max_file_sec' => 'MaxFileSec', + 'max_level_console' => 'MaxLevelConsole', + 'max_level_kmsg' => 'MaxLevelKMsg', + 'max_level_store' => 'MaxLevelStore', + 'max_level_syslog' => 'MaxLevelSyslog', + 'max_level_wall' => 'MaxLevelWall', + 'max_retention_sec' => 'MaxRetentionSec', + 'rate_limit_burst' => 'RateLimitBurst', + 'rate_limit_interval' => 'RateLimitInterval', + 'run_time_keep_free' => 'RuntimeKeepFree', 'run_time_max_file_size' => 'RuntimeMaxFileSize', - 'run_time_max_use' => 'RuntimeMaxUse', - 'seal' => 'Seal', - 'split_mode' => 'SplitMode', - 'storage' => 'Storage', - 'sync_interval_sec' => 'SyncIntervalSec', - 'system_keep_free' => 'SystemKeepFree', - 'system_max_file_size' => 'SystemMaxFileSize', - 'system_max_use' => 'SystemMaxUse', - 'tty_path' => 'TTYPath', + 'run_time_max_use' => 'RuntimeMaxUse', + 'seal' => 'Seal', + 'split_mode' => 'SplitMode', + 'storage' => 'Storage', + 'sync_interval_sec' => 'SyncIntervalSec', + 'system_keep_free' => 'SystemKeepFree', + 'system_max_file_size' => 'SystemMaxFileSize', + 'system_max_use' => 'SystemMaxUse', + 'tty_path' => 'TTYPath', } -%> [Journal] <% - 
all_var_names = %w(compress forward_to_console forward_to_kmsg - forward_to_syslog forward_to_wall max_file_sec max_level_console - max_level_kmsg max_level_store max_level_syslog max_level_wall - max_retention_sec rate_limit_burst rate_limit_interval - run_time_keep_free run_time_max_file_size run_time_max_use seal - split_mode storage sync_interval_sec system_keep_free - system_max_file_size system_max_use tty_path) + all_var_names = %w( compress forward_to_console forward_to_kmsg + forward_to_syslog forward_to_wall max_file_sec + max_level_console max_level_kmsg max_level_store + max_level_syslog max_level_wall max_retention_sec + rate_limit_burst rate_limit_interval run_time_keep_free + run_time_max_file_size run_time_max_use seal + split_mode storage sync_interval_sec system_keep_free + system_max_file_size system_max_use tty_path) bool_var_names = %w(compress forward_to_console forward_to_kmsg - forward_to_syslog forward_to_wall seal) + forward_to_syslog forward_to_wall seal) all_var_names.each do | variableName | -%> <%- if scope[variableName].to_s != 'undef' and !scope[variableName].nil? From 6f865577b7915c28c568dccfee6f0aea4ef1a531 Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 16:43:19 +0200 Subject: [PATCH 04/14] =?UTF-8?q?prova=20lla=C3=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 412c686..206f550 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# systemd ![status ready](https://img.shields.io/badge/status-ready-brightgreen.svg) ![doc completed](https://img.shields.io/badge/doc-completed-brightgreen.svg) +# systemd 🎗️ #### Table of Contents From b80d4a642262b57b49f662957bc02bdbad4dc7c2 Mon Sep 17 00:00:00 2001 
From: Jordi Prats Date: Wed, 11 Apr 2018 16:47:09 +0200 Subject: [PATCH 05/14] nota seal_interval --- README.md | 1 + manifests/journald/config.pp | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 206f550..6b10fa2 100644 --- a/README.md +++ b/README.md @@ -283,6 +283,7 @@ systemd-journald is a system service that collects and stores logging data * **runtime_max_files_size**: (default: undef) * **runtime_max_use**: (default: undef) * **seal**: If enabled (the default), and a sealing key is available (as created by journalctl(1)'s --setup-keys command), Forward Secure Sealing (FSS) for all persistent journal files is enabled (default: true) +* **seal_interval**: Time interval for changing the FSS sealing key (default: 30s) * **split_mode**: (default: uid) * **storage**: Controls where to store journal data. One of "volatile", "persistent", "auto" and "none" (default: auto) * **sync_interval_sec**: (default: 5m) diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp index 7f8df39..df4b135 100644 --- a/manifests/journald/config.pp +++ b/manifests/journald/config.pp @@ -31,7 +31,7 @@ } exec { 'setup FSS keys': - command => inline_template('bash -c \'systemctl stop systemd-journald; journalctl --interval =<% = @seal_interval %> --setup-keys\''), + command => inline_template('bash -c \'journalctl --interval =<% = @seal_interval %> --setup-keys > /var/log/journal/.secret\''), unless => 'journalctl --verify 2>&1 | grep PASS', require => Exec['stop systemd-journald service for keys manipulation'], } From 1eea110029e271313172d5db697a8e10f0a9d08a Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 16:47:54 +0200 Subject: [PATCH 06/14] topscope variable --- manifests/journald/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp index df4b135..92c14f4 100644 --- a/manifests/journald/config.pp 
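Review bot: Redirecting the output of `journalctl --setup-keys` to `/var/log/journal/.secret` stores the FSS verification key on the same host, in the same directory as the journals it is meant to protect. Forward Secure Sealing only gives tamper evidence while the verification key is kept where an intruder on this machine cannot read it; with the key on disk, anyone who gains root can re-seal altered entries. The file also gets whatever mode the agent's umask produces, inside a directory this module sets to `2755`, so it may be readable by every local user. I would not persist the key from Puppet at all: generate it out of band and keep it off the host, or at minimum manage the path with a `file` resource carrying `mode => '0600'`.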
+++ b/manifests/journald/config.pp @@ -8,7 +8,7 @@ content => template("${module_name}/journald.erb"), } - if($seal) + if($systemd::journald::seal) { # FSS # chmod 2755 /var/log/journal/ From 99ab7a16f31c056e41595fba4e7b0804c73c9e62 Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 16:51:39 +0200 Subject: [PATCH 07/14] typo --- manifests/journald/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp index 92c14f4..9846074 100644 --- a/manifests/journald/config.pp +++ b/manifests/journald/config.pp @@ -31,7 +31,7 @@ } exec { 'setup FSS keys': - command => inline_template('bash -c \'journalctl --interval =<% = @seal_interval %> --setup-keys > /var/log/journal/.secret\''), + command => inline_template('bash -c \'journalctl --interval =<%= @seal_interval %> --setup-keys > /var/log/journal/.secret\''), unless => 'journalctl --verify 2>&1 | grep PASS', require => Exec['stop systemd-journald service for keys manipulation'], } From 4c605a6ce9e0de0a47d40ed51c58d8701bd9b4c5 Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 16:58:46 +0200 Subject: [PATCH 08/14] exec path --- manifests/journald/config.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp index 9846074..6612712 100644 --- a/manifests/journald/config.pp +++ b/manifests/journald/config.pp @@ -1,5 +1,9 @@ class systemd::journald::config inherits systemd::journald { + Exec { + path => '/bin:/sbin:/usr/bin:/usr/sbin', + } + file { '/etc/systemd/journald.conf': ensure => 'present', owner => 'root', From fc5a236208ca30c859b1ffaccf6c79b0dbf79fa0 Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 17:34:00 +0200 Subject: [PATCH 09/14] bugfix interval --- manifests/journald/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp index 6612712..4f99188 100644 --- a/manifests/journald/config.pp +++ b/manifests/journald/config.pp @@ -35,7 +35,7 @@ } exec { 'setup FSS keys': - command => inline_template('bash -c \'journalctl --interval =<%= @seal_interval %> --setup-keys > /var/log/journal/.secret\''), + command => inline_template('bash -c \'journalctl --interval=<%= @seal_interval %> --setup-keys > /var/log/journal/.secret\''), unless => 'journalctl --verify 2>&1 | grep PASS', require => Exec['stop systemd-journald service for keys manipulation'], } From f39737678f0f8d95ffae31fe45994c98ad19c8fd Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 17:38:54 +0200 Subject: [PATCH 10/14] prova --- manifests/journald/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp index 4f99188..64ede5c 100644 --- a/manifests/journald/config.pp +++ b/manifests/journald/config.pp @@ -35,7 +35,7 @@ } exec { 'setup FSS keys': - command => inline_template('bash -c \'journalctl --interval=<%= @seal_interval %> --setup-keys > /var/log/journal/.secret\''), + command => inline_template('journalctl --interval=<%= @seal_interval %> --setup-keys > /var/log/journal/.secret'), unless => 'journalctl --verify 2>&1 | grep PASS', require => Exec['stop systemd-journald service for keys manipulation'], } From 7be4f36aedac0e0ea06c9a448fddd6d7cd22c3e9 Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 18:00:04 +0200 Subject: [PATCH 11/14] afegit pkill --- manifests/journald/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp index 64ede5c..cea7961 100644 --- a/manifests/journald/config.pp +++ b/manifests/journald/config.pp 
@@ -29,7 +29,7 @@ } exec { 'stop systemd-journald service for keys manipulation': - command => 'bash -c \'systemctl stop systemd-journald; echo\'', + command => 'bash -c \'systemctl stop systemd-journald; pkill systemd-journald; echo\'', unless => 'journalctl --verify 2>&1 | grep PASS', require => File['/var/log/journal'], } From 582497fa28d9f0e4c0eaa6b2355f691c87918bb3 Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 18:34:22 +0200 Subject: [PATCH 12/14] fora generacio keys --- manifests/journald/config.pp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp index cea7961..615db81 100644 --- a/manifests/journald/config.pp +++ b/manifests/journald/config.pp @@ -28,17 +28,17 @@ require => File['/etc/systemd/journald.conf'], } - exec { 'stop systemd-journald service for keys manipulation': - command => 'bash -c \'systemctl stop systemd-journald; pkill systemd-journald; echo\'', - unless => 'journalctl --verify 2>&1 | grep PASS', - require => File['/var/log/journal'], - } - - exec { 'setup FSS keys': - command => inline_template('journalctl --interval=<%= @seal_interval %> --setup-keys > /var/log/journal/.secret'), - unless => 'journalctl --verify 2>&1 | grep PASS', - require => Exec['stop systemd-journald service for keys manipulation'], - } + # exec { 'stop systemd-journald service for keys manipulation': + # command => 'bash -c \'systemctl stop systemd-journald; pkill systemd-journald; echo\'', + # unless => 'journalctl --verify 2>&1 | grep PASS', + # require => File['/var/log/journal'], + # } + # + # exec { 'setup FSS keys': + # command => inline_template('journalctl --interval=<%= @seal_interval %> --setup-keys > /var/log/journal/.secret'), + # unless => 'journalctl --verify 2>&1 | grep PASS', + # require => Exec['stop systemd-journald service for keys manipulation'], + # } } From 29de6897d48ddb22047961cbef3cb5f8020c275b Mon Sep 17 00:00:00 2001 
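Review bot: With `pkill systemd-journald` added to the first config.pp hunk on this line, every agent run where `journalctl --verify` prints no PASS line stops and then kills the system logger, and getting it back depends on the separate service class with `manage_service` left true. A host whose verification keeps failing is exactly the one where an operator needs logs, and it would get a logging gap on each run; the trailing `echo` also hides the exit status of both commands. If the daemon really must be down for key setup, I would make this a one-time action behind a `creates =>` guard tied to the key file. The exec resource continues outside the hunk.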
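Review bot: After the second config.pp hunk on this line comments out both execs, `$seal = true` still writes `Seal=yes` and creates `/var/log/journal`, but nothing generates a sealing key, and the README text in this series says sealing applies only when a key is available. The module therefore looks as if it enables tamper evidence while FSS stays inactive until someone runs `journalctl --setup-keys` by hand. I would replace the commented-out block with a one-line comment stating that, `# FSS keys are not generated here; run journalctl --setup-keys and store the verification key off-host`, and repeat the caveat in the README entry for `seal`.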
From: Jordi Prats Date: Wed, 11 Apr 2018 18:39:01 +0200 Subject: [PATCH 13/14] fora seal interval --- README.md | 1 - manifests/journald.pp | 1 - manifests/journald/config.pp | 16 +--------------- 3 files changed, 1 insertion(+), 17 deletions(-) diff --git a/README.md b/README.md index 6b10fa2..206f550 100644 --- a/README.md +++ b/README.md @@ -283,7 +283,6 @@ systemd-journald is a system service that collects and stores logging data * **runtime_max_files_size**: (default: undef) * **runtime_max_use**: (default: undef) * **seal**: If enabled (the default), and a sealing key is available (as created by journalctl(1)'s --setup-keys command), Forward Secure Sealing (FSS) for all persistent journal files is enabled (default: true) -* **seal_interval**: Time interval for changing the FSS sealing key (default: 30s) * **split_mode**: (default: uid) * **storage**: Controls where to store journal data. One of "volatile", "persistent", "auto" and "none" (default: auto) * **sync_interval_sec**: (default: 5m) diff --git a/manifests/journald.pp b/manifests/journald.pp index 7712bb0..9a0659c 100644 --- a/manifests/journald.pp +++ b/manifests/journald.pp @@ -21,7 +21,6 @@ $runtime_max_files_size = undef, $runtime_max_use = undef, $seal = true, - $seal_interval = '30s', $split_mode = 'uid', $storage = 'auto', $sync_interval_sec = '5m', diff --git a/manifests/journald/config.pp b/manifests/journald/config.pp index 615db81..117d121 100644 --- a/manifests/journald/config.pp +++ b/manifests/journald/config.pp @@ -14,7 +14,7 @@ if($systemd::journald::seal) { - # FSS + # TODO: FSS interval # chmod 2755 /var/log/journal/ # [root@centos7 ~]# ls -ld /var/log/journal/ # drwxr-sr-x+ 3 root systemd-journal 46 Apr 11 11:34 /var/log/journal/ 
@@ -27,19 +27,5 @@ mode => '2755', require => File['/etc/systemd/journald.conf'], } - - # exec { 'stop systemd-journald service for keys manipulation': - # command => 'bash -c \'systemctl stop systemd-journald; pkill systemd-journald; echo\'', - # unless => 'journalctl --verify 2>&1 | grep PASS', - # require => File['/var/log/journal'], - # } - # - # exec { 'setup FSS keys': - # command => inline_template('journalctl --interval=<%= @seal_interval %> --setup-keys > /var/log/journal/.secret'), - # unless => 'journalctl --verify 2>&1 | grep PASS', - # require => Exec['stop systemd-journald service for keys manipulation'], - # } } - - } From 45f5df329c411ec5b01cc83bacea3559dcb75bf0 Mon Sep 17 00:00:00 2001 From: Jordi Prats Date: Wed, 11 Apr 2018 18:39:59 +0200 Subject: [PATCH 14/14] nota changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d50284..b248981 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## 0.1.42 -* Add journald under puppet management - thanks to [fraenki](https://github.com/fraenki) for this [PR-84](https://github.com/NTTCom-MS/eyp-systemd/pull/84), it have been marged with some changes using [PR-81](https://github.com/NTTCom-MS/eyp-systemd/pull/81) +* Add journald under puppet management - thanks to [fraenki](https://github.com/fraenki) for this [PR-84](https://github.com/NTTCom-MS/eyp-systemd/pull/84), it have been marged with some changes using [PR-87](https://github.com/NTTCom-MS/eyp-systemd/pull/87) ## 0.1.41