puppet-puppetboard
Add proper SELinux context and setup appropriate booleans
Pull Request (PR) description
This should fix issues with SELinux and allow usage in enforcing mode. It works, but as I am not an SELinux expert, permissions for puppetboard and venv files should be reviewed to check if something is missing or permissions should be more restrictive.
Another issue is best practice for the certificate path in single node mode: with SELinux in enforcing mode Puppetboard can't read files with context puppet_etc_t (and it should be like this). In my environment I fixed it with this snippet:
# Copy the agent's CA cert, host cert and private key out of the puppet_etc_t-labelled
# /etc/puppetlabs/puppet/ssl tree into /etc/pki/tls, where the web server may read them,
# and restart httpd whenever one of them changes.
file {
  default:
    require => Class['puppet'],
    notify  => Service['httpd'],
  ;
  '/etc/pki/tls/certs/puppet_server_ca.pem':
    mode   => '0644',
    source => 'file:///etc/puppetlabs/puppet/ssl/certs/ca.pem',
  ;
  '/etc/pki/tls/certs/puppet_server_cert.pem':
    mode   => '0644',
    source => "file:///etc/puppetlabs/puppet/ssl/certs/${networking['fqdn']}.pem",
  ;
  '/etc/pki/tls/private/puppet_server_key.pem':
    owner  => 'puppetboard',
    mode   => '0400',
    source => "file:///etc/puppetlabs/puppet/ssl/private_keys/${networking['fqdn']}.pem",
  ;
}
But probably it is not the best solution, so where should certificates go? /etc/puppetboard/ssl?
This Pull Request (PR) fixes the following issues
Fixes #336 Fixes #365
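Not part of this PR or the module: an added shell helper for triaging the SELinux denials discussed above (the puppet_etc_t read on the certificates, and whatever the venv files still trip in enforcing mode). It assumes Puppetboard runs inside httpd (source domain httpd_t); the audit records it runs over are constructed, and the file names and target types in them are placeholders.

```shell
#!/usr/bin/env bash
# Summarise SELinux AVC denials hitting the httpd domain (the domain Puppetboard runs in
# under mod_wsgi) by target type, object class, permissions and file name, so that a
# denial such as the puppet_etc_t read from the description stands out. Feed it
# /var/log/audit/audit.log on the Puppetboard host; the records below are constructed.
set -eu

# Constructed sample audit records (not from a real host): the puppet_etc_t denial the
# PR description mentions, a venv shared-library denial, and an unrelated sshd denial
# plus a SYSCALL record, both of which must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:301): avc:  denied  { read } for  pid=1201 comm="httpd" name="ca.pem" dev="dm-0" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read } for  pid=1203 comm="httpd" name="ca.pem" dev="dm-0" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { execute } for  pid=1202 comm="httpd" name="libssl.so.3" dev="dm-0" ino=5202 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:304): avc:  denied  { write } for  pid=77 comm="sshd" name="config" dev="dm-0" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.104:304): arch=c000003e syscall=257 success=no exit=-13'

# Read audit records on stdin; print "count<TAB>target_type<TAB>class<TAB>perms<TAB>name"
# for every distinct denial whose source domain is $1 (default httpd_t), most frequent first.
avc_summary() {
  local domain="${1:-httpd_t}"
  awk -v dom="$domain" '
    $1 == "type=AVC" && /avc:  denied/ {
      perms = $0                                    # text between "{" and "}"
      sub(/.*denied  [{] */, "", perms); sub(/ *[}].*/, "", perms)
      name = ""; if (match($0, /name="[^"]*"/)) name = substr($0, RSTART + 6, RLENGTH - 7)
      src = "";  if (match($0, /scontext=[^ ]*/)) src = substr($0, RSTART + 9, RLENGTH - 9)
      tgt = "";  if (match($0, /tcontext=[^ ]*/)) tgt = substr($0, RSTART + 9, RLENGTH - 9)
      cls = "";  if (match($0, /tclass=[^ ]*/))   cls = substr($0, RSTART + 7, RLENGTH - 7)
      split(src, s, ":"); if (s[3] != dom) next  # keep only the requested source domain
      split(tgt, t, ":")                          # t[3] is the target SELinux type
      count[t[3] "\t" cls "\t" perms "\t" name]++
    }
    END { for (k in count) print count[k] "\t" k }
  ' | sort -rn
}

# Example run over the constructed records; on a real host use:
#   avc_summary httpd_t < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary httpd_t
```

Each output line names the target type that a file label or boolean change has to address, which is the list reviewers would want before judging whether the contexts this PR sets are complete or too broad.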
Checks fail because CI can't find PostgreSQL 11 packages in the repositories and the PuppetDB install fails; this is due to puppetlabs/puppetlabs-puppetdb#379 and puppetlabs/puppetlabs-puppetdb#396, because the failed checks installed puppetlabs-puppetdb v7.14.0.
#388 allowed the python 7.x module, which uses a more recent stdlib, so using the latest puppetdb module should be possible.
@d1nuc0m please rebase against our latest master branch to get rid of the python version commit.
Done, with a bit of tinkering, as I also needed to edit metadata.json to add the SELinux module.
Regarding tests (IRC), what could/should I add?
@bastelfreak