From f0954daaf36393d6bfbd6ad857ab062ea47cff61 Mon Sep 17 00:00:00 2001
From: Wilson Nguyen
Date: Wed, 8 Apr 2020 18:41:41 -0700
Subject: [PATCH 1/5] Add ocfenforcer as user Committer: Wilson Nguyen
---
modules/ocf_printhost/manifests/enforcer.pp | 4 ++++
modules/ocf_printhost/templates/cups/tea4cups.conf.erb | 4 ++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/modules/ocf_printhost/manifests/enforcer.pp b/modules/ocf_printhost/manifests/enforcer.pp
index ef07c1271..8d27d110a 100644
--- a/modules/ocf_printhost/manifests/enforcer.pp
+++ b/modules/ocf_printhost/manifests/enforcer.pp
@@ -1,4 +1,8 @@ class ocf_printhost::enforcer { + user { 'ocfenforcer': + ensure => present, + } + package { ['cups-tea4cups', 'mariadb-client']: } $mysql_password = assert_type(Pattern[/^[a-zA-Z0-9]*$/], lookup('ocfprinting::mysql::password'))
diff --git a/modules/ocf_printhost/templates/cups/tea4cups.conf.erb b/modules/ocf_printhost/templates/cups/tea4cups.conf.erb
index 989f7b235..a439edf4c 100644
--- a/modules/ocf_printhost/templates/cups/tea4cups.conf.erb
+++ b/modules/ocf_printhost/templates/cups/tea4cups.conf.erb
@@ -8,5 +8,5 @@ keepfiles : no <% else %> keepfiles : yes <% end %> -prehook_enforcer : /usr/local/bin/enforcer prehook -posthook_enforcer : /usr/local/bin/enforcer posthook +prehook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer prehook +posthook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer posthook
From 5e9d46164f68ab116e94f245ed48b47d67e94890 Mon Sep 17 00:00:00 2001
From: Wilson Nguyen
Date: Thu, 9 Apr 2020 22:29:27 -0700
Subject: [PATCH 2/5] Allow ocfenforcer to read config files
---
modules/ocf_mail/files/site_ocf/aliases | 1 +
modules/ocf_printhost/manifests/enforcer.pp | 3 +++
2 files changed, 4 insertions(+)
diff --git a/modules/ocf_mail/files/site_ocf/aliases b/modules/ocf_mail/files/site_ocf/aliases
index e31593b36..c60915205 100644
--- a/modules/ocf_mail/files/site_ocf/aliases
+++ b/modules/ocf_mail/files/site_ocf/aliases
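Review bot: In PATCH 1/5, the `user { 'ocfenforcer': }` resource added to enforcer.pp sets only `ensure => present`, so the account's shell, home directory and uid range are left to the platform defaults. Because the account exists only to run the enforcer hooks through sudo, it would be safer to declare it as a non-login system account, for example `system => true,` and `shell => '/usr/sbin/nologin',` (shell path assumed for this distribution; confirm). The class body continues outside the hunk.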
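Review bot: The `sudo -u ocfenforcer` hook commands added to tea4cups.conf.erb in PATCH 1/5 depend on a sudoers rule that nothing in this series manages. If tea4cups runs its hooks as a non-root account the calls will fail or prompt, and if it runs them as root they lean on the blanket root rule. It is worth checking how tea4cups treats a non-zero prehook exit, so that a sudo failure cannot let a job through without the enforcer having run. Consider shipping a sudoers drop-in from the same module that permits only `/usr/local/bin/enforcer` as `ocfenforcer`, so the privilege drop is declared and auditable in Puppet.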
@@ -8,6 +8,7 @@ postmaster: sm mailer-daemon: postmaster mirrors: root +ocfenforcer: root ocfstats: root jenkins: root rancid: root
diff --git a/modules/ocf_printhost/manifests/enforcer.pp b/modules/ocf_printhost/manifests/enforcer.pp
index 8d27d110a..1a634f6f7 100644
--- a/modules/ocf_printhost/manifests/enforcer.pp
+++ b/modules/ocf_printhost/manifests/enforcer.pp
@@ -23,6 +23,7 @@ '/opt/share/enforcer': ensure => directory, + owner => 'ocfenforcer', mode => '0500'; '/opt/share/enforcer/enforcer.conf':
@@ -30,6 +31,8 @@ 'ocf_printhost/enforcer/enforcer.conf.erb', 'ocf/broker/broker.conf.erb', ), + owner => 'ocfenforcer', + mode => '0500', show_diff => false; }
From 7ca2d786a32808aba97dc3af3610965c402b4811 Mon Sep 17 00:00:00 2001
From: Wilson Nguyen
Date: Fri, 10 Apr 2020 01:24:53 -0700
Subject: [PATCH 3/5] Fix permissions for tea4cups
---
modules/ocf_printhost/manifests/cups.pp | 11 ++++++++++-
.../ocf_printhost/templates/cups/tea4cups.conf.erb | 4 ++--
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/modules/ocf_printhost/manifests/cups.pp b/modules/ocf_printhost/manifests/cups.pp
index 46c0b4fed..750c300d3 100644
--- a/modules/ocf_printhost/manifests/cups.pp
+++ b/modules/ocf_printhost/manifests/cups.pp
@@ -58,7 +58,16 @@ content => epp('ocf_printhost/cups/ppd/m806.ppd.epp', { 'double' => true }); } } - + file { '/var/spool/cups/': + ensure => 'directory', + owner => 'ocfenforcer', + mode => '0700'; + } + file { '/usr/lib/cups/backend/tea4cups': + ensure => 'file', + owner => 'ocfenforcer', + mode => '0700'; + } mount { '/var/spool/cups': device => 'tmpfs', fstype => 'tmpfs',
diff --git a/modules/ocf_printhost/templates/cups/tea4cups.conf.erb b/modules/ocf_printhost/templates/cups/tea4cups.conf.erb
index a439edf4c..35ebea867 100644
--- a/modules/ocf_printhost/templates/cups/tea4cups.conf.erb
+++ b/modules/ocf_printhost/templates/cups/tea4cups.conf.erb
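Review bot: In PATCH 2/5, `/opt/share/enforcer/enforcer.conf` is given `mode => '0500'`, which sets the execute bit on a configuration file and makes the service account its owner; `show_diff => false` suggests the file holds credentials. An owner can always chmod its own file, so a subverted enforcer process could rewrite its own configuration. Prefer `owner => 'root', group => 'ocfenforcer', mode => '0440'` here (assuming the account's primary group is `ocfenforcer`), and the same root-owned, group-readable split for the `/opt/share/enforcer` directory in the preceding hunk. The resource list continues outside both hunks.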
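Review bot: Making `/usr/lib/cups/backend/tea4cups` owned by `ocfenforcer` with `mode => '0700'` (cups.pp in PATCH 3/5, kept in PATCH 4/5) gives the service account write access to a program that the CUPS scheduler executes. CUPS also looks at a backend's owner and mode when deciding whether, and as which user, to run it, so a non-root owner may be rejected or run differently than intended; confirm against the deployed CUPS version. Keeping the backend `owner => 'root'` and dropping privileges only for the enforcer hooks would stop the account from being able to replace scheduler-run code.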
@@ -8,5 +8,5 @@ keepfiles : no <% else %> keepfiles : yes <% end %> -prehook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer prehook -posthook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer posthook +prehook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer prehook +posthook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer posthook
From 31d2a1f7e1f27274c2002744c1a9b4442502d37a Mon Sep 17 00:00:00 2001
From: Wilson Nguyen
Date: Sat, 11 Apr 2020 00:02:45 -0700
Subject: [PATCH 4/5] Minor detail fix
---
modules/ocf_printhost/manifests/cups.pp | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/modules/ocf_printhost/manifests/cups.pp b/modules/ocf_printhost/manifests/cups.pp
index 750c300d3..62c8307a3 100644
--- a/modules/ocf_printhost/manifests/cups.pp
+++ b/modules/ocf_printhost/manifests/cups.pp
@@ -58,19 +58,17 @@ content => epp('ocf_printhost/cups/ppd/m806.ppd.epp', { 'double' => true }); } } - file { '/var/spool/cups/': - ensure => 'directory', - owner => 'ocfenforcer', - mode => '0700'; - } + + #Tea4cups saves files based on its owner file { '/usr/lib/cups/backend/tea4cups': ensure => 'file', owner => 'ocfenforcer', mode => '0700'; } + mount { '/var/spool/cups': device => 'tmpfs', fstype => 'tmpfs', - options => 'mode=0710,gid=lp,noatime,nodev,noexec,nosuid'; + options => 'uid=ocfenforcer,mode=0710,gid=lp,noatime,nodev,noexec,nosuid'; } }
From b5cba46bc4f330213ebec9ef471b0fb42b5769a5 Mon Sep 17 00:00:00 2001
From: "Ja (Thanakul) Wattanawong"
Date: Wed, 29 Jul 2020 00:47:08 -0700
Subject: [PATCH 5/5] Update Jenkinsfile
---
Jenkinsfile | 2 --
1 file changed, 2 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 4ee24a407..26f5c1886 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -113,9 +113,7 @@ pipeline { emailNotification() } always { - node(label: 'slave') { ircNotification() - } } } }
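Review bot: `sudo -Eu ocfenforcer` in tea4cups.conf.erb (PATCH 3/5) carries the caller's whole environment across the user switch, not just the job variables the hooks need. That widens what the calling process can influence inside the enforcer (search paths, interpreter and locale variables) and typically requires `setenv`/`SETENV` permission in sudoers. A narrower form is to name the variables, e.g. `sudo --preserve-env=VAR1,VAR2 -u ocfenforcer /usr/local/bin/enforcer prehook`, with `VAR1,VAR2` standing in for the tea4cups job variables the enforcer actually reads (not shown in this patch), or an `env_keep` entry in the sudoers rule.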
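Review bot: Adding `uid=ocfenforcer` to the `/var/spool/cups` tmpfs options in PATCH 4/5 makes the enforcer account the owner of the entire spool, so with `mode=0710` it can create, replace or delete any queued job file, not only the files tea4cups writes. If the requirement is only a writable location for tea4cups' own files, a dedicated directory owned by `ocfenforcer` would let the spool stay root-owned; tea4cups appears to have a `directory` setting for this, to be confirmed for the packaged version. The new comment would also be clearer as `# tea4cups creates its job files as the owner of the backend binary`, if that is the behaviour being relied on.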