Alexandros Kosiaris has submitted this change and it was merged.

Change subject: bacula-dir reads a copy of puppet's private key
......................................................................


bacula-dir reads a copy of puppet's private key

Puppet handles the permissions of its private key file aggressively,
setting it to 600, too restrictive for any other group/user to read it.
Copy it, keep it in sync and set the required permissions for bacula-dir
to be able to read it. This is needed for bacula-dir to reload. The
aggressive handling of permissions might be a change in puppet 3.x.

Change-Id: Ibd632a3fd03eea3493b0406e89bfad7e57c74a52
---
M modules/bacula/manifests/director.pp
M modules/bacula/templates/bacula-dir.conf.erb
2 files changed, 20 insertions(+), 1 deletion(-)

Approvals:
  Alexandros Kosiaris: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/bacula/manifests/director.pp b/modules/bacula/manifests/director.pp
index 3e5eccd..55f0884 100644
--- a/modules/bacula/manifests/director.pp
+++ b/modules/bacula/manifests/director.pp
@@ -44,6 +44,25 @@
     File <<| tag == "bacula-client-${::fqdn}" |>>
     File <<| tag == "bacula-storage-${::fqdn}" |>>
 
+    # Puppet manages the permissions of its private key file and they are too
+    # restrictive to allow any other user/group to read it. Copy it, keep it in
+    # sync and set the require permissions for bacula-dir to be able to read it
+    exec { 'bacula_cp_private_key':
+        command => "/bin/cp /var/lib/puppet/ssl/private_keys/${::fqdn}.pem > \
+ /var/lib/puppet/ssl/private_keys/bacula-${::fqdn}.pem",
+        unless => "/usr/bin/cmp /var/lib/puppet/ssl/private_keys/${::fqdn}.pem 
> \
+ /var/lib/puppet/ssl/private_keys/bacula-${::fqdn}.pem",
+    }
+
+    file { "/var/lib/puppet/ssl/private_keys/bacula-${::fqdn}.pem":
+        ensure  => present,
+        owner   => 'bacula',
+        group   => 'bacula',
+        mode    => '0400',
+        require => Exec['bacula_cp_private_key'],
+        notify  => Service['bacula-director'],
+    }
+
     file { '/etc/bacula/bacula-dir.conf':
         ensure  => present,
         owner   => root,
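Review bot: the `command` and `unless` strings of `Exec['bacula_cp_private_key']` will not produce the copy the comment describes, because `>` is a shell redirection, not a cp/cmp operand. If the exec is not run through a shell, cp and cmp receive a literal `>` as an extra argument and fail; if it is run through a shell, cp gets a single operand and fails, while `cmp src > dst` truncates the bacula key file to zero bytes before failing, so `unless` is never satisfied and the exec reruns on every agent run. Drop the redirection and the `\` continuation, e.g. `command => "/bin/cp /var/lib/puppet/ssl/private_keys/${::fqdn}.pem /var/lib/puppet/ssl/private_keys/bacula-${::fqdn}.pem"` with a matching two-operand `unless => "/usr/bin/cmp ..."`. Simpler still, the exec can go away entirely: a `file` resource with `source => "file:///var/lib/puppet/ssl/private_keys/${::fqdn}.pem"` plus the existing `owner`, `group`, `mode` and `notify` keeps the copy in sync and notifies the director when the key content changes. As written, a rotated puppet key would be copied in place by cp without touching the copy's owner or mode, the `file` resource would see nothing to change, and `Service['bacula-director']` would never be notified; if the exec stays, give it its own `notify => Service['bacula-director']`. Since this deliberately creates a second copy of the host's private key, also consider placing it under `/etc/bacula/` with the same `0400` mode rather than inside puppet's own `private_keys` directory, so the bacula user needs no access to that directory at all.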
diff --git a/modules/bacula/templates/bacula-dir.conf.erb b/modules/bacula/templates/bacula-dir.conf.erb
index 2dbe0a7..7380df2 100644
--- a/modules/bacula/templates/bacula-dir.conf.erb
+++ b/modules/bacula/templates/bacula-dir.conf.erb
@@ -16,7 +16,7 @@
     TLS CA Certificate File = "/var/lib/puppet/ssl/certs/ca.pem"
     TLS Verify Peer = no
     TLS Certificate = "/var/lib/puppet/ssl/certs/<%= @fqdn %>.pem"
-    TLS Key = "/var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem"
+    TLS Key = "/var/lib/puppet/ssl/private_keys/bacula-<%= @fqdn %>.pem"
     # Heartbeat Interval = 0 #in secs
     # DirAddress =
     # DirSourceAddress =
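Review bot: the `TLS Key` line now points the director at a copy of the host's private key that is maintained by `Exec['bacula_cp_private_key']` in director.pp rather than by puppet's own certificate handling, and nothing in the template says so. Add a comment above `TLS Key` stating that `bacula-<fqdn>.pem` is that managed copy, so a later reader does not "correct" the path back to puppet's key and reintroduce the unreadable-key reload failure, and note that the director cannot start or reload until the copy exists and is readable by the `bacula` user.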

-- 
To view, visit https://gerrit.wikimedia.org/r/143901
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibd632a3fd03eea3493b0406e89bfad7e57c74a52
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits