
[WIP] Fix outdated systemd config parameter

Open zados opened this issue 7 years ago • 5 comments

SUMMARY

Capabilities is succeeded by AmbientCapabilities in Systemd. Debian 9 on 4.9.0-4-amd64 running systemd 232-25+deb9u1 displays:

[/etc/systemd/system/vault.service:21] Support for option Capabilities= has been removed and it is ignored

Therefore it is not possible to start the Systemd service with mlock support enabled:

systemd[4092]: vault.service: Failed at step SECUREBITS spawning /usr/local/bin/vault: Operation not permitted
vault.service: Main process exited, code=exited, status=213/SECUREBITS

TESTS/SPECS

This change has been tested on my local vault server. The service starts and Vault confirms that mlock is enabled:

vault[18669]: Mlock: supported: true, enabled: true

zados, Oct 18 '17 14:10

Thanks for picking this up.

Looking at the systemd changelog this rename occurred on release 229.

However we can't just blindly update the option name since some users may not be on a recent enough version of systemd! This change will require either a manual flag or some more intelligent detection of systemd version, e.g. something like https://github.com/camptocamp/puppet-systemd/blob/master/lib/facter/systemd.rb#L40

As for testing, it will require actual puppet-rspec tests rather than a "works on my machine" kind of thing.

systemd 229

  • A new service setting AmbientCapabilities= has been added. It allows configuration of additional Linux process capabilities that are passed to the activated processes. This is only available on very recent kernels.

systemd 230

  • The Capabilities= unit file setting has been removed (it is ignored for backwards compatibility). AmbientCapabilities= and CapabilityBoundingSet= should be used instead.

jsok, Oct 18 '17 20:10
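The version-aware selection jsok describes, as an added example rather than code from puppet-vault or the camptocamp module: a small Ruby helper that parses `systemctl --version` the way a custom fact would, then emits the capability directives for the unit file depending on whether the running systemd predates 229 (where only `Capabilities=` exists) or not (where `AmbientCapabilities=` is available and `Capabilities=` is ignored from 230 on). CAP_IPC_LOCK is assumed to be the capability Vault needs for mlock, the legacy `Capabilities=...+ep` spelling and `SecureBits=keep-caps` are assumed from the cap_from_text(3) format, and the binary path, user and config path are placeholders.

```ruby
# Added example, not puppet-vault's code: pick the systemd capability
# directives for a unit file from the host's systemd version, the way a
# version-aware Puppet template backed by a custom fact would.

# Version in which AmbientCapabilities= was introduced (systemd 229 changelog).
AMBIENT_CAPS_MIN_VERSION = 229

# Parses the first line of `systemctl --version` (e.g. "systemd 232") into an
# Integer; returns nil if the output is not recognised.
def parse_systemd_version(output)
  first = output.to_s.lines.first.to_s
  m = first.match(/\Asystemd\s+(\d+)/)
  m && m[1].to_i
end

# Returns the [Service] lines that grant +caps+ to the service process.
# CAP_IPC_LOCK is assumed here as the capability Vault needs for mlock(2).
def capability_directives(version, caps = ['CAP_IPC_LOCK'])
  raise ArgumentError, 'systemd version unknown' if version.nil?

  if version >= AMBIENT_CAPS_MIN_VERSION
    # New syntax: ambient capabilities survive the execve() into the service
    # binary; the bounding set must also permit them.
    ["AmbientCapabilities=#{caps.join(' ')}",
     "CapabilityBoundingSet=#{caps.join(' ')}"]
  else
    # Legacy syntax (removed in 230, ignored with a warning afterwards):
    # assumed cap_from_text(3) form, plus SecureBits=keep-caps so the
    # capabilities are retained when dropping to the service user.
    ["Capabilities=#{caps.join(',')}+ep",
     "CapabilityBoundingSet=#{caps.join(' ')}",
     'SecureBits=keep-caps']
  end
end

# Renders a minimal [Service] section; binary, user and config path are
# placeholders, not the module's real values.
def render_service_section(version, binary: '/usr/local/bin/vault', user: 'vault')
  lines = ['[Service]', "User=#{user}", "ExecStart=#{binary} server -config=/etc/vault"]
  (lines + capability_directives(version)).join("\n") + "\n"
end

# Constructed sample of `systemctl --version` output on a systemd 232 host.
SAMPLE_SYSTEMCTL_VERSION = "systemd 232\n+PAM +AUDIT +SELINUX +IMA +APPARMOR\n"

if $PROGRAM_NAME == __FILE__
  version = parse_systemd_version(SAMPLE_SYSTEMCTL_VERSION)
  puts render_service_section(version)
end
```

In a Puppet module the parse step would live in a custom fact (the `systemd_version` fact linked above does the same job) and the directive selection in the ERB template; in rspec-puppet the fact is supplied per test case via `let(:facts)`, which is why a catalog compiled without it sees no version and cannot pick a branch.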

However we can't just blindly update the option name since some users may not be on a recent enough version of systemd!

I agree.

I will see if I can write something to mitigate this.

As for testing, it will require actual puppet-rspec tests rather than a "works on my machine" kind of thing.

Then we will definitely need this!

zados, Oct 19 '17 07:10

I think the integration test is broken, as it only does an apply on a single manifest. Therefore the fact systemd_version is never imported. I tried it on my live system and it worked. As I have literally no experience with Travis and rspec, is there a way to include the fact?

zados, Oct 23 '17 11:10

Any idea if this will be merged?

maartenschalekamp, Dec 07 '18 07:12

@maartenschalekamp you're welcome to branch off it and make the necessary fixes.

jsok, Dec 07 '18 10:12