modules/nginx/manifests/init.pp - Issue 29321355: Issue 2600 - Normalize ownership and priviliges for Nginx logs

Delta Between Two Patch Sets: modules/nginx/manifests/init.pp

Issue 29321355: Issue 2600 - Normalize ownership and priviliges for Nginx logs (Closed)

Left Patch Set: Created July 3, 2015, 12:22 p.m.

Right Patch Set: Apply 80 character line length formatting Created July 13, 2015, 1:23 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 class nginx (	1 class nginx (

2 $worker_processes = $nginx::params::worker_processes,	2 $worker_processes = $nginx::params::worker_processes,

3 $worker_connections = $nginx::params::worker_connections,	3 $worker_connections = $nginx::params::worker_connections,

4 $ssl_session_cache = $nginx::params::ssl_session_cache	4 $ssl_session_cache = $nginx::params::ssl_session_cache

5 ) inherits nginx::params {	5 ) inherits nginx::params {

6	6

7 apt::source {'nginx':	7 apt::source {'nginx':

8 location => "http://nginx.org/packages/ubuntu",	8 location => "http://nginx.org/packages/ubuntu",

9 repos => "nginx",	9 repos => "nginx",

10 key => "7BD9BF62",	10 key => "7BD9BF62",

11 key_source => "http://nginx.org/keys/nginx_signing.key"	11 key_source => "http://nginx.org/keys/nginx_signing.key"

12 }	12 }

13	13

14 # Ensures that nginx is not installed from the Ubuntu sources	14 # Ensures that nginx is not installed from the Ubuntu sources

15 package {'nginx-common':	15 package {'nginx-common':

16 ensure => purged,	16 ensure => purged,

17 before => Package['nginx']	17 before => Package['nginx']

18 }	18 }

19	19

20 package {'nginx':	20 package {'nginx':

21 ensure => '1.8.0-1~precise',	21 ensure => '1.8.0-1~precise',

22 require => Apt::Source['nginx']	22 require => Apt::Source['nginx']

23 }	23 }

24	24

25 File {	25 File {

26 owner => root,	26 owner => root,

27 group => root,	27 group => root,

28 mode => 0644,	28 mode => 0644,

29 }	29 }

	30

	31 Exec {

	32 path => '/usr/bin:/bin',

	33 logoutput => 'on_failure',

	34 }

	35

30	36

31 file {'/etc/nginx/nginx.conf':	37 file {'/etc/nginx/nginx.conf':

32 content => template('nginx/nginx.conf.erb'),	38 content => template('nginx/nginx.conf.erb'),

33 require => Package['nginx'],	39 require => Package['nginx'],

34 notify => Service['nginx']	40 notify => Service['nginx']

35 }	41 }

36	42

37 file {'/etc/nginx/sites-available':	43 file {'/etc/nginx/sites-available':

38 ensure => directory,	44 ensure => directory,

39 require => Package['nginx']	45 require => Package['nginx']

(...skipping 72 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
112 require => File["/etc/nginx/sites-available/${domain}"],	118 require => File["/etc/nginx/sites-available/${domain}"],

113 content => template('nginx/logrotate.erb')	119 content => template('nginx/logrotate.erb')

114 }	120 }

115 }	121 }

116	122

117 file {'/etc/logrotate.d/nginx':	123 file {'/etc/logrotate.d/nginx':

118 source => 'puppet:///modules/nginx/logrotate',	124 source => 'puppet:///modules/nginx/logrotate',

119 require => Package['nginx']	125 require => Package['nginx']

120 }	126 }

121	127

122 exec {"set_logfiles_owner_and_permissions":	128 $find_cmd_base = [

123 command => '/bin/chown www-data.adm /var/log/nginx/* && /bin/chmod 0640 /var /log/nginx/*',	129 'find', '/var/log/nginx',
mathias 2015/07/03 13:51:04 Except for intermediate fixes, please do not use s Except for intermediate fixes, please do not use shell commands - especially not with logic operators (&&). By the way, there's no need to make the chmod dependent on a successful chown here. Why not just creating two exec's? Also, the asterisk wildcard can very well lead to more issues; it may expand to either unrecognized sub-directories or, altogether, in a too long command line. What about `find /var/log/nginx -mindepth 1 ... -exec ...`? And please take the user from $nginx::params::user (the group can remain hard-coded). Have a look at the shellquote() function at https://docs.puppetlabs.com/references/latest/function.html#shellquote - it's the best way to integrate parameters (like the user name) with your command. Fred 2015/07/06 16:11:52 Acknowledged. Show quoted text On 2015/07/03 13:51:04, mathias wrote: > Except for intermediate fixes, please do not use shell commands - especially not > with logic operators (&&). By the way, there's no need to make the chmod > dependent on a successful chown here. Why not just creating two exec's? > > Also, the asterisk wildcard can very well lead to more issues; it may expand to > either unrecognized sub-directories or, altogether, in a too long command line. > What about `find /var/log/nginx -mindepth 1 ... -exec ...`? > > And please take the user from $nginx::params::user (the group can remain > hard-coded). Have a look at the shellquote() function at > https://docs.puppetlabs.com/references/latest/function.html#shellquote - it's > the best way to integrate parameters (like the user name) with your command. Acknowledged.
124 # this should all be provided by package nginx:	130 '-mindepth', '1', '-maxdepth', '1', '-type', 'f',

125 # require => [File['/var/log/nginx'], User['www-data'], Group['adm']]	131 ]
mathias 2015/07/03 13:51:04 This comment is both wrong (neither User['www-data This comment is both wrong (neither User['www-data'] nor Group['adm'] is provided by Package['nginx']) and unnecessary. The require parameter below should say enough. Fred 2015/07/06 16:11:52 Acknowledged. Show quoted text On 2015/07/03 13:51:04, mathias wrote: > This comment is both wrong (neither User['www-data'] nor Group['adm'] is > provided by Package['nginx']) and unnecessary. The require parameter below > should say enough. Acknowledged.
126 require => Package['nginx']	132
mathias 2015/07/03 13:51:04 Please always use trailing commas, even when defin Please always use trailing commas, even when defining the last item. (I know this has been forgotten before, even in this file.) Fred 2015/07/06 16:11:52 Acknowledged. Show quoted text On 2015/07/03 13:51:04, mathias wrote: > Please always use trailing commas, even when defining the last item. (I know > this has been forgotten before, even in this file.) Acknowledged.
	133 # Kill the find process to force an exit status != 0 by finding the parent pid

	134 # of the exec's sh process

	135 $find_kill_exec = [

	136 '-exec', 'sh', '-c',

	137 'ps -p $$ -o ppid= \| xargs kill -TERM',

	138 ';',

	139 ]

	140

	141 $find_chown_base = [

	142 $find_cmd_base,

	143 '-not', '(', '-user', $nginx::params::user, '-and', '-group', 'adm', ')',

	144 ]

	145 $find_chown_exec = [

	146 '-ls', '-exec', 'chown',

	147 "${nginx::params::user}.adm", '{}', ';',

	148 ]

	149

	150 exec {"set_logfiles_owner":

	151 command => shellquote($find_chown_base, $find_chown_exec),

	152 unless => shellquote($find_chown_base, $find_kill_exec),

	153 subscribe => Service['nginx'],

	154 }

	155

	156 $find_chmod_base = [$find_cmd_base, '-not', '-perm', '0640']

	157 $find_chmod_exec = ['-ls', '-exec', 'chmod', '0640', '{}', ';']

	158

	159 exec {"set_logfiles_permissions":

	160 command => shellquote($find_chmod_base, $find_chmod_exec),

	161 unless => shellquote($find_chmod_base, $find_kill_exec),

	162 subscribe => Service['nginx'],

127 }	163 }

128	164

129 service {'nginx':	165 service {'nginx':

130 ensure => running,	166 ensure => running,

131 enable => true,	167 enable => true,

132 restart => '/etc/init.d/nginx reload',	168 restart => '/etc/init.d/nginx reload',

133 hasstatus => true,	169 hasstatus => true,

134 require => File['/etc/nginx/nginx.conf']	170 require => File['/etc/nginx/nginx.conf']

135 }	171 }

136 }	172 }

LEFT	RIGHT