Alexandros Kosiaris has submitted this change and it was merged. Change subject: bacula-dir reads a copy of puppet's private key ......................................................................
bacula-dir reads a copy of puppet's private key Puppet handles the permissions of its private key file aggressively setting to 600, too restrictive for any other group/user to read it. Copy it, keep it in sync and set the required permissions for bacula-dir to be able to read it. This is needed for bacula-dir to reload. The aggressive handling of permissions might be a change in puppet 3.x Change-Id: Ibd632a3fd03eea3493b0406e89bfad7e57c74a52 --- M modules/bacula/manifests/director.pp M modules/bacula/templates/bacula-dir.conf.erb 2 files changed, 20 insertions(+), 1 deletion(-) Approvals: Alexandros Kosiaris: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/bacula/manifests/director.pp b/modules/bacula/manifests/director.pp index 3e5eccd..55f0884 100644 --- a/modules/bacula/manifests/director.pp +++ b/modules/bacula/manifests/director.pp @@ -44,6 +44,25 @@ File <<| tag == "bacula-client-${::fqdn}" |>> File <<| tag == "bacula-storage-${::fqdn}" |>> + # Puppet manages the permissions of its private key file and they are too + # restrictive to allow any other user/group to read it. Copy it, keep it in + # sync and set the require permissions for bacula-dir to be able to read it + exec { 'bacula_cp_private_key': + command => "/bin/cp /var/lib/puppet/ssl/private_keys/${::fqdn}.pem > \ + /var/lib/puppet/ssl/private_keys/bacula-${::fqdn}.pem", + unless => "/usr/bin/cmp /var/lib/puppet/ssl/private_keys/${::fqdn}.pem > \ + /var/lib/puppet/ssl/private_keys/bacula-${::fqdn}.pem", + } + + file { "/var/lib/puppet/ssl/private_keys/bacula-${::fqdn}.pem": + ensure => present, + owner => 'bacula', + group => 'bacula', + mode => '0400', + require => Exec['bacula_cp_private_key'], + notify => Service['bacula-director'], + } + file { '/etc/bacula/bacula-dir.conf': ensure => present, owner => root, diff --git a/modules/bacula/templates/bacula-dir.conf.erb b/modules/bacula/templates/bacula-dir.conf.erb index 2dbe0a7..7380df2 100644 
--- a/modules/bacula/templates/bacula-dir.conf.erb +++ b/modules/bacula/templates/bacula-dir.conf.erb @@ -16,7 +16,7 @@ TLS CA Certificate File = "/var/lib/puppet/ssl/certs/ca.pem" TLS Verify Peer = no TLS Certificate = "/var/lib/puppet/ssl/certs/<%= @fqdn %>.pem" - TLS Key = "/var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem" + TLS Key = "/var/lib/puppet/ssl/private_keys/bacula-<%= @fqdn %>.pem" # Heartbeat Interval = 0 #in secs # DirAddress = # DirSourceAddress = -- To view, visit https://gerrit.wikimedia.org/r/143901 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ibd632a3fd03eea3493b0406e89bfad7e57c74a52 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
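Review bot: in the director.pp hunk, the `>` between source and destination in both `command` and `unless` of `Exec['bacula_cp_private_key']` breaks the copy. Puppet's exec uses the posix provider by default, which passes the argument list directly without a shell, so `>` arrives as a literal operand: `/bin/cp src > dst` fails because with three operands the last one must be a directory, and `/usr/bin/cmp src > dst` fails because there is no file named `>`, so `unless` never succeeds, the exec is retried and fails on every agent run, and `bacula-${::fqdn}.pem` is never created. If a shell were involved instead, the `>` would redirect cp's (empty) stdout into the destination and truncate the key to zero bytes. Drop the `>` in both strings, e.g. `command => "/bin/cp /var/lib/puppet/ssl/private_keys/${::fqdn}.pem /var/lib/puppet/ssl/private_keys/bacula-${::fqdn}.pem"`. Second, `ensure => present` does not manage content: when the exec refreshes the copy after a key rotation, the `file` resource sees no change in owner/group/mode and `notify => Service['bacula-director']` never fires, so the director keeps the old key loaded. The simpler fix for both problems is to drop the exec entirely and give the `file` resource `source => "/var/lib/puppet/ssl/private_keys/${::fqdn}.pem"` (the agent runs as root and can read the 0600 original), which copies the content, applies owner/group/mode and refreshes the service whenever the key changes; add `show_diff => false` so key material is never written to the agent log. Nit: "set the require permissions" in the comment should read "set the required permissions".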
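Review bot: in the bacula-dir.conf.erb hunk, the new `TLS Key` path `/var/lib/puppet/ssl/private_keys/bacula-<%= @fqdn %>.pem` is hard-coded here and spelled out again in director.pp as the `file` title and inside the exec strings; keep it in one place (a variable in the director class passed into the template) so the manifest and the template cannot drift, because bacula-dir fails its reload as soon as the copy is missing or named differently. Leaving `TLS Certificate` pointing at puppet's own cert is fine, since certs are world-readable and only the key needed a relaxed-permission copy. Unrelated to this change but visible in the context: `TLS Verify Peer = no` means the director does not require connecting peers to present a certificate chaining to the configured `TLS CA Certificate File`, which deserves a follow-up now that TLS material is being reworked.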