Merge "Make /usr readonly"

2022-04-29 21:00:44 +00:00 · 2022-04-29 21:00:44 +00:00 · 47dedaf3c0
commit 47dedaf3c0
parent eb8cc754e5 15f8f9e4a5
6 changed files with 15 additions and 14 deletions
--- a/puppet-manifests/src/bin/puppet-manifest-apply.sh
+++ b/puppet-manifests/src/bin/puppet-manifest-apply.sh
@ -168,6 +168,10 @@ mask_passwd() {
 }

 echo "Applying puppet ${MANIFEST} manifest..."
+
+# puppet wants to write to current directory. Need to move current directory to a writable place.
+# it is not possible to fail cd command, but tox doesn't like it without an exit.
+cd $PUPPET_TMP || exit
 flock /var/run/puppet.lock \
    puppet apply --debug --trace --modulepath ${PUPPET_MODULES_PATH} ${PUPPET_MANIFEST} \
        < /dev/null 2>&1 | awk ' { system("date -u +%FT%T.%3N | tr \"\n\" \" \""); print $0; fflush(); } ' > ${LOGFILE}
--- a/puppet-manifests/src/modules/platform/manifests/containerd.pp
+++ b/puppet-manifests/src/modules/platform/manifests/containerd.pp
@ -5,7 +5,7 @@ class platform::containerd::params (
  $no_proxy     = undef,
  $k8s_registry    = undef,
  $insecure_registries = undef,
-  $k8s_cni_bin_dir = '/usr/libexec/cni',
+  $k8s_cni_bin_dir = '/opt/cni/bin',
  $stream_server_address = 'localhost',
  $custom_container_runtime = undef,
 ) { }
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@ -17,8 +17,8 @@ class platform::kubernetes::params (
  $k8s_all_reserved_cpuset = undef,
  $k8s_cpu_mgr_policy = 'none',
  $k8s_topology_mgr_policy = 'best-effort',
-  $k8s_cni_bin_dir = '/usr/libexec/cni',
-  $k8s_vol_plugin_dir = '/usr/libexec/kubernetes/kubelet-plugins/volume/exec/',
+  $k8s_cni_bin_dir = '/opt/cni/bin',
+  $k8s_vol_plugin_dir = '/opt/libexec/kubernetes/kubelet-plugins/volume/exec/',
  $k8s_pod_max_pids = '65535',
  $join_cmd = undef,
  $oidc_issuer_url = undef,
--- a/puppet-manifests/src/modules/platform/manifests/ldap.pp
+++ b/puppet-manifests/src/modules/platform/manifests/ldap.pp
@ -76,13 +76,17 @@ class platform::ldap::server::local

  # don't populate the adminpw if binding anonymously
  if ! $bind_anonymous {
-    file { '/usr/local/etc/ldapscripts/ldapscripts.passwd':
+    file { '/etc/ldapscripts/ldapscripts.passwd':
      content => $admin_pw,
    }
  }

  if $::osfamily == 'RedHat' {
-    file { '/usr/share/cracklib/cracklib-small':
+    file { '/var/cracklib':
+      ensure  => 'directory',
+      recurse => true,
+    }
+    -> file { '/var/cracklib/cracklib-small':
      ensure => link,
      target => '/usr/share/cracklib/cracklib-small.pwd',
    }
@ -125,7 +129,7 @@ class platform::ldap::client
  }

  if $::personality == 'controller' {
-    file { '/usr/local/etc/ldapscripts/ldapscripts.conf':
+    file { '/etc/ldapscripts/ldapscripts.conf':
      ensure  => 'present',
      replace => true,
      content => template('platform/ldapscripts.conf.erb'),
--- a/puppet-manifests/src/modules/platform/manifests/users.pp
+++ b/puppet-manifests/src/modules/platform/manifests/users.pp
@ -24,13 +24,6 @@ class platform::users
    password_max_age => $sysadmin_password_max_age,
    shell            => '/bin/sh',
  }
-
-  # Keyring should only be executable by 'sys_protected'.
-  -> file { '/usr/bin/keyring':
-    owner => 'root',
-    group =>  $::platform::params::protected_group_name,
-    mode  => '0750',
-  }
 }


--- a/puppet-manifests/src/modules/platform/templates/ldapscripts.conf.erb
+++ b/puppet-manifests/src/modules/platform/templates/ldapscripts.conf.erb
@ -46,7 +46,7 @@ SASLAUTH=""

 <%- if @bind_anonymous != true -%>
 BINDDN="cn=ldapadmin,dc=cgcs,dc=local"
-BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd"
+BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
 <%- end -%>

 # For older versions of OpenLDAP, it is still possible to use