diff --git a/manifests/profile/base/logging/fluentd.pp b/manifests/profile/base/logging/fluentd.pp index d33e7030a..a41b6763a 100644 --- a/manifests/profile/base/logging/fluentd.pp +++ b/manifests/profile/base/logging/fluentd.pp @@ -73,6 +73,11 @@ # (Optional) String. Default log format if not otherwise specified # in a log source definition. # +# [*fluentd_service_user*] +# (Optional) String. Username that will run the fluentd service. +# This will be used to create a systemd drop-in for the fluentd +# service that sets User explicitly. +# # [*service_names*] # (Optional) List of services enabled on the current role. This is used # to obtain per-service configuration information. @@ -91,11 +96,28 @@ class tripleo::profile::base::logging::fluentd ( $fluentd_path_transform = undef, $fluentd_pos_file_path = undef, $fluentd_default_format = undef, + $fluentd_service_user = undef, $service_names = hiera('service_names', []) ) { - if $step >= 4 { include ::fluentd + include ::systemd::systemctl::daemon_reload + + $_fluentd_service_user = pick($fluentd_service_user, + $::fluentd::config_owner, + 'fluentd') + + # don't manage groups for 'root' + $_fluentd_manage_groups = $_fluentd_service_user ? { + 'root' => false, + default => $fluentd_manage_groups, + } + + ::systemd::dropin_file { 'fluentd_user.conf': + unit => "${::fluentd::service_name}.service", + content => template('tripleo/fluentd/fluentd_user.conf.erb'), + } + ~> Service['fluentd'] # Load per-service plugin configuration ::tripleo::profile::base::logging::fluentd::fluentd_service { @@ -104,7 +126,7 @@ class tripleo::profile::base::logging::fluentd ( default_format => $fluentd_default_format } - if $fluentd_manage_groups { + if $_fluentd_manage_groups { # compute a list of all the groups of which the fluentd user # should be a member. $_tmpgroups1 = $service_names.map |$srv| { 
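Review bot: `$fluentd_service_user` is declared untyped in the class parameter list, and its value is written verbatim into the `User=` line of the systemd drop-in (template `tripleo/fluentd/fluentd_user.conf.erb`, added later in this commit). A hiera value containing whitespace or a newline would therefore put extra directives into the `[Service]` section. Constraining it at the class boundary, for example `Optional[Pattern[/\A[a-z_][a-z0-9_-]*\z/]] $fluentd_service_user = undef,` (pattern to be adjusted to local account naming), makes a bad value fail at catalog compilation. The group-management guard matches only the literal name `'root'`, and the parameter documentation in the first hunk does not say so; a comment line such as `# Setting this to 'root' disables group management for the account.` would cover that. The class body continues outside these hunks.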
@@ -117,7 +139,7 @@ class tripleo::profile::base::logging::fluentd ( if !empty($groups) { Package<| tag == 'openstack' |> - -> user { $::fluentd::config_owner: + -> user { $_fluentd_service_user: ensure => present, groups => $groups, membership => 'minimum', @@ -129,7 +151,7 @@ class tripleo::profile::base::logging::fluentd ( if $fluentd_pos_file_path { file { $fluentd_pos_file_path: ensure => 'directory', - owner => $::fluentd::config_owner, + owner => $_fluentd_service_user, group => $::fluentd::config_group, mode => '0750', recurse => true, @@ -208,7 +230,7 @@ class tripleo::profile::base::logging::fluentd ( file {'/etc/fluentd/ca_cert.pem': content => $fluentd_ssl_certificate, - owner => $::fluentd::config_owner, + owner => $_fluentd_service_user, group => $::fluentd::config_group, mode => '0444', } diff --git a/spec/classes/tripleo_profile_base_logging_fluentd_spec.rb b/spec/classes/tripleo_profile_base_logging_fluentd_spec.rb index 8ef008389..55d3e75be 100644 --- a/spec/classes/tripleo_profile_base_logging_fluentd_spec.rb +++ b/spec/classes/tripleo_profile_base_logging_fluentd_spec.rb @@ -28,6 +28,7 @@ describe 'tripleo::profile::base::logging::fluentd' do it 'should do nothing' do is_expected.to_not contain_class('fluentd') + is_expected.to_not contain_class('systemd::systemctl::daemon_reload') is_expected.to_not contain_fluentd__plugin('rubygem-fluent-plugin-add') end end @@ -36,6 +37,7 @@ describe 'tripleo::profile::base::logging::fluentd' do let(:params) { { :step => 4 } } it { is_expected.to contain_class('fluentd') } + it { is_expected.to contain_class('systemd::systemctl::daemon_reload') } it { is_expected.to contain_fluentd__plugin('rubygem-fluent-plugin-add').with( :plugin_provider => 'yum', ) } 
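Review bot: In the last fluentd.pp hunk, `/etc/fluentd/ca_cert.pem` is owned by the account the service runs as, so the collector process can chmod and rewrite the CA certificate it presumably uses to verify its peer; mode `0444` does not stop the owner. The service only needs to read the file, so `owner => 'root',` would keep the trust anchor out of the service account's control (Puppet restores the content, but only on its next run). The same ownership existed before this change through `$::fluentd::config_owner`. The enclosing block starts outside the hunk, so how the certificate is consumed is not visible here.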
@@ -54,6 +56,7 @@ describe 'tripleo::profile::base::logging::fluentd' do } } it { is_expected.to contain_class('fluentd') } + it { is_expected.to contain_class('systemd::systemctl::daemon_reload') } it { is_expected.to contain_fluentd__plugin('rubygem-fluent-plugin-add').with( :plugin_provider => 'yum', ) } @@ -129,6 +132,55 @@ describe 'tripleo::profile::base::logging::fluentd' do ) } end + context 'fluentd user and managed groups' do + let(:params) { { + :step => 4, + :fluentd_service_user => 'fluentd', + :fluentd_manage_groups => true, + :fluentd_groups => [ 'fluentd' ] + } } + + it { is_expected.to contain_class('fluentd') } + it { is_expected.to contain_class('systemd::systemctl::daemon_reload') } + it { is_expected.to contain_service('fluentd') } + + it { is_expected.to contain_file('/etc/systemd/system/fluentd.service.d/fluentd_user.conf') + .with( { + :ensure => 'file', + :content => [ "# This file is maintained by puppet.\n[Service]\nUser=fluentd\n" ] + } ) } + + it { is_expected.to contain_service('fluentd') } + it { is_expected.to contain_user('fluentd').with( + :ensure =>'present', + :groups => [ 'fluentd','ceilometer' ], + :membership => 'minimum' + ) } + end + + context 'root user, no matter about groups' do + let(:params) { { + :step => 4, + :fluentd_service_user => 'root', + :fluentd_manage_groups => true, + :fluentd_groups => [ 'fluentd' ] + } } + + it { is_expected.to contain_class('fluentd') } + it { is_expected.to contain_class('systemd::systemctl::daemon_reload') } + it { is_expected.to contain_service('fluentd') } + + it { is_expected.to contain_file('/etc/systemd/system/fluentd.service.d/fluentd_user.conf') + .with( { + :ensure => 'file', + :content => [ "# This file is maintained by puppet.\n[Service]\nUser=root\n" ] + } ) } + + it { is_expected.to contain_service('fluentd') } + it { is_expected.to_not contain_user('fluentd') } + end + + end on_supported_os.each do |os, facts| 
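Review bot: In the 'root user' context, `is_expected.to_not contain_user('fluentd')` cannot fail, because with `:fluentd_service_user => 'root'` the user resource would be titled `root`; the check passes whether or not group management is actually skipped. Asserting `it { is_expected.to_not contain_user('root') }` would test the guard that keeps Puppet from managing the root account. Neither new context covers the default path where `fluentd_service_user` is unset, and `contain_service('fluentd')` is asserted twice in each. A check such as `it { is_expected.to contain_systemd__dropin_file('fluentd_user.conf').that_notifies('Service[fluentd]') }` would also pin the restart when the drop-in changes.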
diff --git a/templates/fluentd/fluentd_user.conf.erb b/templates/fluentd/fluentd_user.conf.erb
new file mode 100644
index 000000000..84fa100bf
--- /dev/null
+++ b/templates/fluentd/fluentd_user.conf.erb
@@ -0,0 +1,3 @@
+# This file is maintained by puppet.
+[Service]
+User=<%= @_fluentd_service_user %>