Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/219177
Change subject: Allow optional firejail containment for nodejs services. ...................................................................... Allow optional firejail containment for nodejs services. This has been tested with mathoid and we can convert the services one by one after individual review. Bug: T101870 Change-Id: I7e9c8d1c3f7d6655bba598938eba885210c9e9d6 --- M modules/service/manifests/node.pp M modules/service/templates/node/upstart.conf.erb 2 files changed, 8 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/77/219177/1 diff --git a/modules/service/manifests/node.pp b/modules/service/manifests/node.pp index d917527..c348e9d 100644 --- a/modules/service/manifests/node.pp +++ b/modules/service/manifests/node.pp @@ -49,6 +49,7 @@ $config = undef, $no_file = 10000, $healthcheck_url='/_info', + $firejail = false, ) { # Import all common configuration include service::configuration @@ -74,8 +75,8 @@ $local_logdir = "${service::configuration::log_dir}/${title}" $local_logfile = "${local_logdir}/main.log" - # Software and the deployed code - require_package('nodejs', 'nodejs-legacy') + # Software and the deployed code, firejail for containment + require_package('nodejs', 'nodejs-legacy', 'firejail') package { "${title}/deploy": provider => 'trebuchet', } @@ -164,3 +165,4 @@ check_command => "check_http_port_url!${port}!${healthcheck_url}", } } + diff --git a/modules/service/templates/node/upstart.conf.erb b/modules/service/templates/node/upstart.conf.erb index ba0803d..7297956 100644 --- a/modules/service/templates/node/upstart.conf.erb +++ b/modules/service/templates/node/upstart.conf.erb 
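Review bot: the new `$firejail = false,` parameter in the first node.pp hunk is never validated, and the ERB template tests it with a bare `if @firejail`, so a string value such as `'false'` coming from hiera would evaluate as true. Add a `validate_bool($firejail)` (puppetlabs-stdlib) next to the other parameter checks, and document the parameter alongside `$healthcheck_url` and friends in the define's header comment.

Review bot: `require_package('nodejs', 'nodejs-legacy', 'firejail')` in the second hunk pulls firejail onto every host that uses `service::node`, even for services that keep the default `$firejail = false`. Since the commit message says services are converted one by one, gate the install on the flag, e.g. `if $firejail { require_package('firejail') }`, so hosts that have not opted in get no new package.

Review bot: the last node.pp hunk (`@@ -164,3 +165,4 @@`) only appends a blank line after the closing brace of the define, which is unrelated whitespace churn that puppet-lint will flag; drop it from the change.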
@@ -21,4 +21,8 @@ kill timeout 60 chdir /srv/deployment/<%= @title %>/deploy +<% if @firejail %> exec /usr/bin/nodejs src/server.js -c /etc/<%= @title %>/config.yaml +<% else %> +exec /usr/bin/firejail --caps.drop=all --seccomp /usr/bin/nodejs src/server.js -c /etc/<%= @title %>/config.yaml +<% end %> -- To view, visit https://gerrit.wikimedia.org/r/219177 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7e9c8d1c3f7d6655bba598938eba885210c9e9d6 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
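Review bot: the branches in the upstart.conf.erb hunk are inverted: `<% if @firejail %>` is followed by the plain `exec /usr/bin/nodejs src/server.js ...` line, while the `<% else %>` branch carries the `exec /usr/bin/firejail --caps.drop=all --seccomp /usr/bin/nodejs ...` command. With the default `$firejail = false` every service would be wrapped in firejail and the services that opt in would run unconfined, which is the opposite of what the commit message describes. Swap the two exec lines (or change the condition to `unless @firejail`) and re-test mathoid with `firejail => true` set explicitly. Two caveats worth recording in the commit message for the per-service review it calls for: `--caps.drop=all` also drops CAP_NET_BIND_SERVICE, so a converted service must listen on an unprivileged `${port}`, and `--seccomp` applies firejail's default syscall blacklist, so each service's startup and health check (`check_http_port_url!${port}!${healthcheck_url}`) should be verified under the wrapper before it is enabled.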