diff --git a/manifests/privsep.pp b/manifests/privsep.pp
new file mode 100644
index 0000000..6958ffc
--- /dev/null
+++ b/manifests/privsep.pp
@@ -0,0 +1,59 @@
+# == Define: oslo::privsep
+#
+# Configure oslo_privsep options
+#
+# This resource configures Oslo privilege separator resources for an OpenStack service.
+# It will manage the [privsep_${entrypoint}] section in the given config resource.
+#
+# === Parameters:
+#
+# [*entrypoint*]
+# (Required) Privsep entrypoint. (string value)
+# Defaults to $name.
+#
+# [*config*]
+# (Required) Configuration file to manage. (string value)
+#
+# [*user*]
+# (Optional) User that the privsep daemon should run as. (string value)
+# Defaults to $::os_service_default.
+#
+# [*group*]
+# (Optional) Group that the privsep daemon should run as. (string value)
+# Defaults to $::os_service_default.
+#
+# [*capabilities*]
+# (Optional) List of Linux capabilities retained by the privsep daemon. (list value)
+# Defaults to $::os_service_default.
+#
+# [*helper_command*]
+# (Optional) Command to invoke to start the privsep daemon if not using the "fork" method.
+# If not specified, a default is generated using "sudo privsep-helper" and arguments designed to
+# recreate the current configuration. This command must accept suitable --privsep_context
+# and --privsep_sock_path arguments.
+# Defaults to $::os_service_default.
+#
+# == Examples
+#
+# oslo::privsep { 'osbrick':
+# config => 'nova_config'
+# }
+#
+define oslo::privsep (
+ $config,
+ $entrypoint = $name,
+ $user = $::os_service_default,
+ $group = $::os_service_default,
+ $capabilities = $::os_service_default,
+ $helper_command = $::os_service_default,
+) {
+
+ $privsep_options = {
+ "privsep_${entrypoint}/user" => { value => $user },
+ "privsep_${entrypoint}/group" => { value => $group },
+ "privsep_${entrypoint}/capabilities" => { value => $capabilities },
+ "privsep_${entrypoint}/helper_command" => { value => $helper_command },
+ }
+
+ create_resources($config, $privsep_options)
+}
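Review bot: The `helper_command` and `capabilities` values go into `$privsep_options` exactly as given, and the header comment never tells the operator that `helper_command` is the command line run to start the privileged daemon. I would add a line under `[*helper_command*]` such as `#   Keep this in step with the sudoers/rootwrap rule that permits it; it is run to start the privileged daemon.` so the parameter gets reviewed like any other privilege grant. The header also marks `entrypoint` as `(Required)` although the signature gives it the default `$name`; `(Optional)` matches the code. Because `$config` is passed straight to `create_resources` as a resource type name, a short comment in the body saying it must name an existing config resource type would help readers.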
diff --git a/releasenotes/notes/add_oslo_privsep-3f125445bce8b431.yaml b/releasenotes/notes/add_oslo_privsep-3f125445bce8b431.yaml
new file mode 100644
index 0000000..eb15dac
--- /dev/null
+++ b/releasenotes/notes/add_oslo_privsep-3f125445bce8b431.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Add oslo::privsep define to configure privsep_${entrypoint} section
+ of given config resource.
diff --git a/spec/defines/oslo_privsep_spec.rb b/spec/defines/oslo_privsep_spec.rb
new file mode 100644
index 0000000..8aaecf7
--- /dev/null
+++ b/spec/defines/oslo_privsep_spec.rb
@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe 'oslo::privsep' do
+
+ let (:title) { 'osbrick' }
+
+ let :params do
+ { :config => 'keystone_config' }
+ end
+
+ shared_examples 'oslo-privsep' do
+
+ context 'with default parameters' do
+ it 'configure oslo_privsep default params' do
+ is_expected.to contain_keystone_config('privsep_osbrick/user').with_value('')
+ is_expected.to contain_keystone_config('privsep_osbrick/group').with_value('')
+ is_expected.to contain_keystone_config('privsep_osbrick/capabilities').with_value('')
+ is_expected.to contain_keystone_config('privsep_osbrick/helper_command').with_value('')
+ end
+ end
+
+ context 'with overridden parameters' do
+ before do
+ params.merge!({
+ :user => 'keystone',
+ :group => 'keystone',
+ :capabilities => [],
+ :helper_command => 'sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf',
+ })
+ end
+
+ it 'configures oslo_privsep section' do
+ is_expected.to contain_keystone_config('privsep_osbrick/user').with_value('keystone')
+ is_expected.to contain_keystone_config('privsep_osbrick/group').with_value('keystone')
+ is_expected.to contain_keystone_config('privsep_osbrick/capabilities').with_value([])
+ is_expected.to contain_keystone_config('privsep_osbrick/helper_command').with_value('sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf')
+ end
+ end
+
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge!(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'oslo-privsep'
+ end
+ end
+end
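Review bot: The overridden-parameters context only sets `:capabilities => []`, so nothing in this spec pins how a non-empty capability list ends up in `privsep_osbrick/capabilities`, the setting that decides what the privileged daemon retains. Adding a case such as `:capabilities => ['CAP_SYS_ADMIN', 'CAP_NET_ADMIN'],` with a matching `with_value(...)` expectation would cover it; the expected rendering depends on the config provider, which is not visible here. The `entrypoint` parameter is also never overridden, so the `privsep_${entrypoint}` section naming is only exercised through the title default.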