Skip to content

(MODULES-8108) - Support added for Debian 9 #1849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 21, 2018
+154 −67
Merged

(MODULES-8108) - Support added for Debian 9 #1849

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion manifests/mod/dav_svn.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@

::apache::mod { 'dav_svn': }

if $::osfamily == 'Debian' and ($::operatingsystemmajrelease != '6' and $::operatingsystemmajrelease != '10.04' and $::operatingsystemrelease != '10.04' and $::operatingsystemmajrelease != '16.04') {
if $::osfamily == 'Debian' and ! ($::operatingsystemmajrelease in ['6', '16.04', '9']) {
$loadfile_name = undef
} else {
$loadfile_name = 'dav_svn_authz_svn.load'
Expand Down
5 changes: 4 additions & 1 deletion manifests/mod/security.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,9 @@
}
}

unless $::operatingsystem == 'SLES' { apache::security::rule_link { $activated_rules: } }
# Debian 9 has a different rule setup
unless $::operatingsystem == 'SLES' or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) {
apache::security::rule_link { $activated_rules: }
}

}
96 changes: 74 additions & 22 deletions manifests/params.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -263,6 +263,34 @@
'wsgi' => 'libapache2-mod-wsgi',
'xsendfile' => 'libapache2-mod-xsendfile',
}
} elsif ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) {
# Debian stretch uses a different dav_svn from Ubuntu Xenial
$php_version = '7.0'
$mod_packages = {
'auth_cas' => 'libapache2-mod-auth-cas',
'auth_kerb' => 'libapache2-mod-auth-kerb',
'auth_gssapi' => 'libapache2-mod-auth-gssapi',
'auth_mellon' => 'libapache2-mod-auth-mellon',
'authnz_pam' => 'libapache2-mod-authnz-pam',
'dav_svn' => 'libapache2-mod-svn',
'fastcgi' => 'libapache2-mod-fastcgi',
'fcgid' => 'libapache2-mod-fcgid',
'geoip' => 'libapache2-mod-geoip',
'intercept_form_submit' => 'libapache2-mod-intercept-form-submit',
'lookup_identity' => 'libapache2-mod-lookup-identity',
'nss' => 'libapache2-mod-nss',
'pagespeed' => 'mod-pagespeed-stable',
'passenger' => 'libapache2-mod-passenger',
'perl' => 'libapache2-mod-perl2',
'phpXXX' => 'libapache2-mod-phpXXX',
'python' => 'libapache2-mod-python',
'rpaf' => 'libapache2-mod-rpaf',
'security' => 'libapache2-mod-security2',
'shib2' => 'libapache2-mod-shib2',
'suphp' => 'libapache2-mod-suphp',
'wsgi' => 'libapache2-mod-wsgi',
'xsendfile' => 'libapache2-mod-xsendfile',
}
} else {
# major.minor version used since Debian stretch and Ubuntu Xenial
$php_version = '7.0'
Expand Down Expand Up @@ -326,28 +354,52 @@
$secpcrematchlimit = 1500
$secpcrematchlimitrecursion = 1500
$modsec_secruleengine = 'On'
$modsec_default_rules = [
'base_rules/modsecurity_35_bad_robots.data',
'base_rules/modsecurity_35_scanners.data',
'base_rules/modsecurity_40_generic_attacks.data',
'base_rules/modsecurity_50_outbound.data',
'base_rules/modsecurity_50_outbound_malware.data',
'base_rules/modsecurity_crs_20_protocol_violations.conf',
'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
'base_rules/modsecurity_crs_23_request_limits.conf',
'base_rules/modsecurity_crs_30_http_policy.conf',
'base_rules/modsecurity_crs_35_bad_robots.conf',
'base_rules/modsecurity_crs_40_generic_attacks.conf',
'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
'base_rules/modsecurity_crs_41_xss_attacks.conf',
'base_rules/modsecurity_crs_42_tight_security.conf',
'base_rules/modsecurity_crs_45_trojans.conf',
'base_rules/modsecurity_crs_47_common_exceptions.conf',
'base_rules/modsecurity_crs_49_inbound_blocking.conf',
'base_rules/modsecurity_crs_50_outbound.conf',
'base_rules/modsecurity_crs_59_outbound_blocking.conf',
'base_rules/modsecurity_crs_60_correlation.conf',
]
if $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0 {
$modsec_default_rules = [
'crawlers-user-agents.data',
'iis-errors.data',
'java-code-leakages.data',
'java-errors.data',
'lfi-os-files.data',
'php-config-directives.data',
'php-errors.data',
'php-function-names-933150.data',
'php-function-names-933151.data',
'php-variables.data',
'restricted-files.data',
'scanners-headers.data',
'scanners-urls.data',
'scanners-user-agents.data',
'scripting-user-agents.data',
'sql-errors.data',
'sql-function-names.data',
'unix-shell.data',
'windows-powershell-commands.data',
]
} else {
$modsec_default_rules = [
'base_rules/modsecurity_35_bad_robots.data',
'base_rules/modsecurity_35_scanners.data',
'base_rules/modsecurity_40_generic_attacks.data',
'base_rules/modsecurity_50_outbound.data',
'base_rules/modsecurity_50_outbound_malware.data',
'base_rules/modsecurity_crs_20_protocol_violations.conf',
'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
'base_rules/modsecurity_crs_23_request_limits.conf',
'base_rules/modsecurity_crs_30_http_policy.conf',
'base_rules/modsecurity_crs_35_bad_robots.conf',
'base_rules/modsecurity_crs_40_generic_attacks.conf',
'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
'base_rules/modsecurity_crs_41_xss_attacks.conf',
'base_rules/modsecurity_crs_42_tight_security.conf',
'base_rules/modsecurity_crs_45_trojans.conf',
'base_rules/modsecurity_crs_47_common_exceptions.conf',
'base_rules/modsecurity_crs_49_inbound_blocking.conf',
'base_rules/modsecurity_crs_50_outbound.conf',
'base_rules/modsecurity_crs_59_outbound_blocking.conf',
'base_rules/modsecurity_crs_60_correlation.conf',
]
}
$alias_icons_path = '/usr/share/apache2/icons'
$error_documents_path = '/usr/share/apache2/error'
if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) {
Expand Down
3 changes: 2 additions & 1 deletion metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,8 @@
{
"operatingsystem": "Debian",
"operatingsystemrelease": [
"8"
"8",
"9"
]
},
{
Expand Down
2 changes: 1 addition & 1 deletion spec/acceptance/mod_dav_svn_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
describe 'apache::mod::dav_svn class', unless: (fact('operatingsystem') == 'OracleLinux' && fact('operatingsystemmajrelease') == '7') do
authz_svn_load_file = case fact('osfamily')
when 'Debian'
if fact('operatingsystemmajrelease') == '16.04'
if fact('operatingsystemmajrelease') == '16.04' || fact('operatingsystemmajrelease') == '9'
'dav_svn_authz_svn.load'
else
'authz_svn.load'
Expand Down
81 changes: 50 additions & 31 deletions spec/acceptance/mod_passenger_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,11 @@
passenger_ruby = '/usr/bin/ruby'
end
when 'Debian'
case fact('lsbdistcodename')
when 'jessie'
case fact('operatingsystemmajrelease')
when '8'
passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini'
passenger_default_ruby = '/usr/bin/ruby'
when '9'
passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini'
passenger_default_ruby = '/usr/bin/ruby'
else
Expand Down Expand Up @@ -76,35 +79,35 @@
when 'Debian'
context 'passenger config with passenger_installed_version set' do
pp_one = <<-MANIFEST
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '4.0.0',
passenger_instance_registry_dir => '/some/path/to/nowhere'
}
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '4.0.0',
passenger_instance_registry_dir => '/some/path/to/nowhere'
}
MANIFEST
it 'fails when an option is not valid for $passenger_installed_version' do
apply_manifest(pp_one, expect_failures: true) do |r|
expect(r.stderr).to match(%r{passenger_instance_registry_dir is not introduced until version 5.0.0})
end
end
pp_two = <<-MANIFEST
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '5.0.0',
rails_autodetect => 'on'
}
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '5.0.0',
rails_autodetect => 'on'
}
MANIFEST
it 'fails when an option is removed' do
apply_manifest(pp_two, expect_failures: true) do |r|
expect(r.stderr).to match(%r{REMOVED PASSENGER OPTION})
end
end
pp_three = <<-MANIFEST
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '5.0.0',
rails_ruby => '/some/path/to/ruby'
}
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '5.0.0',
rails_ruby => '/some/path/to/ruby'
}
MANIFEST
it 'warns when an option is deprecated' do
apply_manifest(pp_three, catch_failures: true) do |r|
Expand All @@ -113,12 +116,23 @@ class { 'apache::mod::passenger':
end
end
context 'default passenger config' do
pp = <<-MANIFEST
/* stock apache and mod_passenger */
class { 'apache': }
class { 'apache::mod::passenger': }
#{pp_rackapp}
MANIFEST
pp = if ['7', '9', '16.04', '18.04'].include?(fact('operatingsystemmajrelease'))
<<-MANIFEST
/* stock apache and mod_passenger */
class { 'apache': }
class { 'apache::mod::passenger':
passenger_instance_registry_dir => '/var/run',
}
#{pp_rackapp}
MANIFEST
else
<<-MANIFEST
/* stock apache and mod_passenger */
class { 'apache': }
class { 'apache::mod::passenger': }
#{pp_rackapp}
MANIFEST
end
it 'succeeds in puppeting passenger' do
apply_manifest(pp, catch_failures: true)
end
Expand Down Expand Up @@ -150,8 +164,11 @@ class { 'apache::mod::passenger': }
it { is_expected.not_to contain '/PassengerDefaultRuby/' }
end
when 'Debian'
case fact('lsbdistcodename')
when 'jessie'
case fact('operatingsystemmajrelease')
when '8'
it { is_expected.to contain %(PassengerDefaultRuby "#{passenger_default_ruby}") }
it { is_expected.not_to contain '/PassengerRuby/' }
when '9'
it { is_expected.to contain %(PassengerDefaultRuby "#{passenger_default_ruby}") }
it { is_expected.not_to contain '/PassengerRuby/' }
else
Expand All @@ -173,7 +190,8 @@ class { 'apache::mod::passenger': }
# these two lines
unless (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04') ||
(fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '16.04') ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8')
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
expected_one << [%r{### Processes: [0-9]+}, %r{### Total private dirty RSS: [0-9\.]+ MB}]
end
it 'outputs status via passenger-memory-stats #stdout' do
Expand All @@ -193,27 +211,28 @@ class { 'apache::mod::passenger': }
# even when the passenger process is successfully installed and running
unless fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '12.04'
it 'outputs status via passenger-status #General information' do
shell('PATH=/usr/bin:$PATH /usr/sbin/passenger-status') do |r|
shell('PATH=/usr/bin:$PATH PASSENGER_INSTANCE_REGISTRY_DIR=/var/run /usr/sbin/passenger-status') do |r|
# spacing may vary
expect(r.stdout).to match(%r{[\-]+ General information [\-]+})
end
end
expected_two = if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04' ||
expected_two = if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04') ||
(fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '16.04') ||
fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8'
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
[%r{Max pool size[ ]+: [0-9]+}, %r{Processes[ ]+: [0-9]+}, %r{Requests in top-level queue[ ]+: [0-9]+}]
else
[%r{max[ ]+= [0-9]+}, %r{count[ ]+= [0-9]+}, %r{active[ ]+= [0-9]+}, %r{inactive[ ]+= [0-9]+}, %r{Waiting on global queue: [0-9]+}]
end
it 'outputs status via passenger-status #stdout' do
shell('PATH=/usr/bin:$PATH /usr/sbin/passenger-status') do |r|
shell('PATH=/usr/bin:$PATH PASSENGER_INSTANCE_REGISTRY_DIR=/var/run /usr/sbin/passenger-status') do |r|
expected_two.each do |expect|
expect(r.stdout).to match(expect)
end
end
end
it 'outputs status via passenger-status #exit_code' do
shell('PATH=/usr/bin:$PATH /usr/sbin/passenger-status') do |r|
shell('PATH=/usr/bin:$PATH PASSENGER_INSTANCE_REGISTRY_DIR=/var/run /usr/sbin/passenger-status') do |r|
expect(r.exit_code).to eq(0)
end
end
Expand Down
9 changes: 6 additions & 3 deletions spec/acceptance/mod_php_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,8 @@ class { 'apache::mod::php': }
it { is_expected.to be_running }
end

if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04'
if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
describe file("#{$mod_dir}/php7.0.conf") do
it { is_expected.to contain 'DirectoryIndex index.php' }
end
Expand Down Expand Up @@ -120,7 +121,8 @@ class {'apache::mod::php':
it 'succeeds in puppeting php' do
apply_manifest(pp, catch_failures: true)
end
if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04'
if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
describe file("#{$mod_dir}/php7.0.conf") do
it { is_expected.to contain '# somecontent' }
end
Expand All @@ -145,7 +147,8 @@ class {'apache::mod::php':
apply_manifest(pp, catch_failures: true)
end

if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04'
if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
describe file("#{$mod_dir}/php7.0.conf") do
it { is_expected.to contain '# somecontent' }
end
Expand Down
18 changes: 12 additions & 6 deletions spec/acceptance/mod_security_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,8 @@ class { 'apache::mod::security': }
end
end

unless fact('operatingsystem') == 'SLES'
unless fact('operatingsystem') == 'SLES' ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
it 'blocks query with SQL' do
shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
end
Expand Down Expand Up @@ -114,7 +115,8 @@ class { 'apache::mod::security': }
it { is_expected.to contain 'mod_security2.c' }
end

unless fact('operatingsystem') == 'SLES'
unless fact('operatingsystem') == 'SLES' ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
it 'blocks query with SQL' do
shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
end
Expand Down Expand Up @@ -176,7 +178,8 @@ class { 'apache::mod::security': }
it { is_expected.to contain 'mod_security2.c' }
end

unless fact('operatingsystem') == 'SLES'
unless fact('operatingsystem') == 'SLES' ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
it 'blocks query with SQL' do
shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
end
Expand Down Expand Up @@ -242,7 +245,8 @@ class { 'apache::mod::security': }
it { is_expected.to contain 'mod_security2.c' }
end

unless fact('operatingsystem') == 'SLES'
unless fact('operatingsystem') == 'SLES' ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
it 'blocks query with SQL' do
shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
end
Expand Down Expand Up @@ -308,7 +312,8 @@ class { 'apache::mod::security': }
it { is_expected.to contain 'mod_security2.c' }
end

unless fact('operatingsystem') == 'SLES'
unless fact('operatingsystem') == 'SLES' ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
it 'blocks query with SQL' do
shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
end
Expand Down Expand Up @@ -374,7 +379,8 @@ class { 'apache::mod::security': }
it { is_expected.to contain 'mod_security2.c' }
end

unless fact('operatingsystem') == 'SLES'
unless fact('operatingsystem') == 'SLES' ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
it 'blocks query with SQL' do
shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
end
Expand Down
Loading