Merge pull request #24 from jordiprats/master

ubuntu 18.04 support + error cleanup
NTTCom-MS · Apr 30, 2018 · b8902cd · b8902cd
2 parents 3f4c151 + 47788ef
commit b8902cd
Show file tree

Hide file tree

Showing 9 changed files with 76 additions and 26 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,6 @@ junit
 log
 spec/fixtures/
 Gemfile.lock
+/.yardwarns
+/.yardoc
+/doc
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # CHANGELOG
 
+## 0.3.1
+
+* added support for Ubuntu 18.04
+* execshield is no longer an option in sysctl for kernel tuning, starting RHEL7
+* disable bridge netfilter options when br_bridge is not loaded
+
+## 0.3.0
+
+* changed bool2num to use eyp-lib's **bool2number**
+* **INCOMPATIBLE CHANGE**: changed **ipv4_all_rp_filter** and **ipv4_default_rp_filter** from bool to int
+
 ## 0.2.19
 
 * changed default randomize_va_space to 2 for CentOS 6

diff --git a/examples/demo.pp b/examples/demo.pp
@@ -0,0 +1,7 @@
+class { 'sysctl':
+}
+
+sysctl::set { 'vm.swappiness':
+  value => '69',
+  permanent => true,
+}
diff --git a/lib/facter/eyp_sysctl_net_bridge.rb b/lib/facter/eyp_sysctl_net_bridge.rb
@@ -0,0 +1,7 @@
+if File.exists?('/proc/sys/net/bridge') then
+  Facter.add('eyp_sysctl_net_bridge') do
+    setcode do
+      "true"
+    end
+  end
+end
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -13,7 +13,7 @@
               $core_uses_pid                          = true,
               $ipv4_tcp_syncookies                    = true,
               $disable_netfilter_on_bridges           = true,
-              $execshield                             = true,
+              $execshield                             = $sysctl::params::execshield_default,
               $randomize_va_space                     = $sysctl::params::randomize_va_space_default,
               $suid_dumpable                          = false,
               $shmall                                 = '4294967296',
@@ -27,8 +27,8 @@
               $ipv4_default_log_martians              = true,
               $ipv4_all_accept_source_route           = false,
               $ipv4_default_accept_source_route       = false,
-              $ipv4_all_rp_filter                     = true,
-              $ipv4_default_rp_filter                 = true,
+              $ipv4_all_rp_filter                     = '2',
+              $ipv4_default_rp_filter                 = '2',
               $ipv4_all_accept_redirects              = false,
               $ipv4_default_accept_redirects          = false,
               $ipv4_all_secure_redirects              = false,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -8,11 +8,13 @@
       {
         /^[5-6].*$/:
         {
+          $execshield_default=true
           $sysctlreload='sysctl -e -p'
           $randomize_va_space_default='2'
         }
         /^7.*$/:
         {
+          $execshield_default=undef
           $sysctlreload='sysctl -e --system'
           $randomize_va_space_default='1'
         }
@@ -27,8 +29,9 @@
       {
         case $::operatingsystemrelease
         {
-          /^1[46].*$/:
+          /^1[468].*$/:
           {
+            $execshield_default=undef
             $sysctlreload='sysctl -e --system'
             $randomize_va_space_default='1'
           }

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "eyp-sysctl",
-  "version": "0.2.19",
+  "version": "0.3.1",
   "author": "eyp",
   "summary": "configure and manage sysctl",
   "license": "Apache-2.0",
@@ -31,7 +31,7 @@
     },
     {
       "operatingsystem": "Ubuntu",
-      "operatingsystemrelease": [ "14.04", "16.04" ]
+      "operatingsystemrelease": [ "14.04", "16.04", "18.04" ]
     }
   ],
   "requirements": [

diff --git a/spec/acceptance/nodesets/ubuntu18-docker.yml b/spec/acceptance/nodesets/ubuntu18-docker.yml
@@ -0,0 +1,15 @@
+HOSTS:
+  ubuntu-1604-x64:
+    default_apply_opts:
+      order: random
+      strict_variables:
+    platform: ubuntu-18.04-amd64
+    hypervisor : docker
+    image: ubuntu:18.04
+    docker_cmd: '["/sbin/init"]'
+    docker_preserve_image: true
+    docker_image_commands:
+      - 'apt-get install net-tools gcc make tar wget -y'
+CONFIG:
+  type: foss
+  log_level: debug
diff --git a/templates/sysctlbase.erb b/templates/sysctlbase.erb
@@ -3,21 +3,23 @@
 #
 
 # Controls the System Request debugging functionality of the kernel
-kernel.sysrq = <%= scope.function_bool2num([@sysrq]) %>
+kernel.sysrq = <%= scope.function_bool2number([@sysrq]) %>
 
 # Controls whether core dumps will append the PID to the core filename.
 # Useful for debugging multi-threaded applications.
-kernel.core_uses_pid = <%= scope.function_bool2num([@core_uses_pid]) %>
+kernel.core_uses_pid = <%= scope.function_bool2number([@core_uses_pid]) %>
 
 # Controls the use of TCP syncookies
-net.ipv4.tcp_syncookies = <%= scope.function_bool2num([@ipv4_tcp_syncookies]) %>
+net.ipv4.tcp_syncookies = <%= scope.function_bool2number([@ipv4_tcp_syncookies]) %>
 
 <% if @disable_netfilter_on_bridges %>
+  <%- if scope.lookupvar('::eyp_sysctl_net_bridge')=="true" -%>
 # Disable netfilter on bridges.
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
 
+  <%- end -%>
 <% end -%>
 # Controls the default maxmimum size of a mesage queue
 kernel.msgmnb = <%= @msgmnb %>
@@ -28,28 +30,30 @@ kernel.shmmax = <%= @shmmax %>
 kernel.shmall = <%= @shmall %>
 
 #kernel
-kernel.exec-shield = <%= scope.function_bool2num([@execshield]) %>
+<% if defined?(@execshield) -%>
+kernel.exec-shield = <%= scope.function_bool2number([@execshield]) %>
+<% end -%>
 kernel.randomize_va_space = <%= @randomize_va_space %>
 
 # to defend against certain types of IPv4 protocol attacks
-net.ipv4.ip_forward = <%= scope.function_bool2num([@ipv4_ip_forward]) %>
-net.ipv4.icmp_echo_ignore_broadcasts = <%= scope.function_bool2num([@ipv4_icmp_echo_ignore_broadcasts]) %>
-net.ipv4.icmp_ignore_bogus_error_responses = <%= scope.function_bool2num([@ipv4_icmp_ignore_bogus_error_responses]) %>
-net.ipv4.conf.all.log_martians = <%= scope.function_bool2num([@ipv4_all_log_martians]) %>
-net.ipv4.conf.default.log_martians = <%= scope.function_bool2num([@ipv4_default_log_martians]) %>
-net.ipv4.conf.all.accept_source_route = <%= scope.function_bool2num([@ipv4_all_accept_source_route]) %>
-net.ipv4.conf.default.accept_source_route = <%= scope.function_bool2num([@ipv4_default_accept_source_route]) %>
-net.ipv4.conf.all.rp_filter = <%= scope.function_bool2num([@ipv4_all_rp_filter]) %>
-net.ipv4.conf.default.rp_filter = <%= scope.function_bool2num([@ipv4_default_rp_filter]) %>
-net.ipv4.conf.all.accept_redirects = <%= scope.function_bool2num([@ipv4_all_accept_redirects]) %>
-net.ipv4.conf.default.accept_redirects = <%= scope.function_bool2num([@ipv4_default_accept_redirects]) %>
-net.ipv4.conf.all.secure_redirects = <%= scope.function_bool2num([@ipv4_all_secure_redirects]) %>
-net.ipv4.conf.default.secure_redirects = <%= scope.function_bool2num([@ipv4_default_secure_redirects]) %>
-net.ipv4.conf.all.send_redirects = <%= scope.function_bool2num([@ipv4_all_send_redirects]) %>
-net.ipv4.conf.default.send_redirects = <%= scope.function_bool2num([@ipv4_default_send_redirects]) %>
+net.ipv4.ip_forward = <%= scope.function_bool2number([@ipv4_ip_forward]) %>
+net.ipv4.icmp_echo_ignore_broadcasts = <%= scope.function_bool2number([@ipv4_icmp_echo_ignore_broadcasts]) %>
+net.ipv4.icmp_ignore_bogus_error_responses = <%= scope.function_bool2number([@ipv4_icmp_ignore_bogus_error_responses]) %>
+net.ipv4.conf.all.log_martians = <%= scope.function_bool2number([@ipv4_all_log_martians]) %>
+net.ipv4.conf.default.log_martians = <%= scope.function_bool2number([@ipv4_default_log_martians]) %>
+net.ipv4.conf.all.accept_source_route = <%= scope.function_bool2number([@ipv4_all_accept_source_route]) %>
+net.ipv4.conf.default.accept_source_route = <%= scope.function_bool2number([@ipv4_default_accept_source_route]) %>
+net.ipv4.conf.all.rp_filter = <%= @ipv4_all_rp_filter %>
+net.ipv4.conf.default.rp_filter = <%= @ipv4_default_rp_filter %>
+net.ipv4.conf.all.accept_redirects = <%= scope.function_bool2number([@ipv4_all_accept_redirects]) %>
+net.ipv4.conf.default.accept_redirects = <%= scope.function_bool2number([@ipv4_default_accept_redirects]) %>
+net.ipv4.conf.all.secure_redirects = <%= scope.function_bool2number([@ipv4_all_secure_redirects]) %>
+net.ipv4.conf.default.secure_redirects = <%= scope.function_bool2number([@ipv4_default_secure_redirects]) %>
+net.ipv4.conf.all.send_redirects = <%= scope.function_bool2number([@ipv4_all_send_redirects]) %>
+net.ipv4.conf.default.send_redirects = <%= scope.function_bool2number([@ipv4_default_send_redirects]) %>
 
 # Restrict core dumps
-fs.suid_dumpable = <%= scope.function_bool2num([@suid_dumpable]) %>
+fs.suid_dumpable = <%= scope.function_bool2number([@suid_dumpable]) %>
 
 <% if @disable_ipv6 -%>