init: Enable to control /etc/security/limits.d/

This commit aims to allow the deployer to control the limits in /etc/security/limits.d/. man 5 limits.conf for more informations Change-Id: I80c2a093d8beeb2c8285d9595111c95f721e938f
2015-02-17 08:40:00 -05:00 · 2015-02-17 08:40:00 -05:00 · b5880c50fd
commit b5880c50fd
parent 06d33d63da
2 changed files with 40 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -62,6 +62,19 @@
 #   Example: ['module1', 'module2']
 #   Note: Those module should be in the $directory path
 #
+# [*limits*]
+#   (optional) Set of limits to set in /etc/security/limits.d/
+#   Defaults {}
+#   Example:
+#     {
+#       'mysql_nofile' => {
+#          'ensure'     => 'present',
+#          'user'       => 'mysql',
+#          'limit_type' => 'nofile',
+#          'both'       => '16384',
+#       },
+#     }
+#
 # [*manage_firewall*]
 #  (optional) Completely enable or disable firewall settings
 #  (false means disabled, and true means enabled)
@ -96,6 +109,7 @@ class cloud(
  $selinux_directory    = '/usr/share/selinux',
  $selinux_booleans     = [],
  $selinux_modules      = [],
+  $limits               = {},
  $manage_firewall      = false,
  $firewall_rules       = {},
  $purge_firewall_rules = false,
@ -139,6 +153,10 @@ This node is under the control of Puppet ${::puppetversion}.
  # NTP
  include ::ntp

+  # Security Limits
+  include ::limits
+  create_resources('limits::limits', $limits)
+
  # SELinux
  if $::osfamily == 'RedHat' {
    class {'cloud::selinux' :
--- a/spec/classes/cloud_init_spec.rb
+++ b/spec/classes/cloud_init_spec.rb
@ -39,6 +39,28 @@ describe 'cloud' do
    end

    it {is_expected.to contain_class('ntp')}
+    it {is_expected.to contain_class('limits')}
+
+    context 'with explicit limits enabled' do
+      before :each do
+        params.merge!( :limits => {
+                         'username_nofile' => {
+                           'ensure'     => 'present',
+                           'user'       => 'username',
+                           'limit_type' => 'nofile',
+                           'hard'       => '16384'
+                         }
+                      })
+      end
+
+      it { is_expected.to contain_limits__limits('username_nofile').with(
+        :ensure     => 'present',
+        :user       => 'username',
+        :limit_type => 'nofile',
+        :hard       => '16384',
+     ) }
+
+    end

    it {is_expected.to contain_file('/etc/motd').with(
      {:ensure => 'file'}.merge(file_defaults)