[MediaWiki-commits] [Gerrit] operations/puppet[production]: kmod::blacklist: prevent manual install, update initramfs

Mon, 27 Nov 2017 11:45:11 -0800 

BBlack has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/393639 )

Change subject: kmod::blacklist: prevent manual install, update initramfs
......................................................................


kmod::blacklist: prevent manual install, update initramfs

* Without the update-initramfs notify, I don't think the blacklist
  necessarily comes into effect until next time initramfs is
  updated for some other reason?

* Without the "install foo /bin/true" hack, it's still possible
  for the module to be loaded by runtime actions (e.g. modprobe,
  or autoloading by some CLI tool...)

Change-Id: I2b4839a580bdf75b6229b144531ba82b7a3696ef
---
M modules/kmod/manifests/blacklist.pp
M modules/kmod/templates/blacklist.conf.erb
2 files changed, 6 insertions(+), 0 deletions(-)

Approvals:
  BBlack: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/kmod/manifests/blacklist.pp 
b/modules/kmod/manifests/blacklist.pp
index f33b1e3..28be03b 100644
--- a/modules/kmod/manifests/blacklist.pp
+++ b/modules/kmod/manifests/blacklist.pp
@@ -21,4 +21,9 @@
         mode    => '0444',
         content => template('kmod/blacklist.conf.erb'),
     }
+
+    # Could be notify=> above, but the exec only exists in base for jessie+...
+    if os_version('debian >= jessie') {
+        File["/etc/modprobe.d/blacklist-${name}.conf"] ~> 
Exec['update-initramfs']
+    }
 }
diff --git a/modules/kmod/templates/blacklist.conf.erb 
b/modules/kmod/templates/blacklist.conf.erb
index 4da3f52..acd86dd 100644
--- a/modules/kmod/templates/blacklist.conf.erb
+++ b/modules/kmod/templates/blacklist.conf.erb
@@ -3,4 +3,5 @@
 #
 <%- @modules.sort.each do |mod| -%>
 blacklist <%= mod %>
+install <%= mod %> /bin/true
 <%- end -%>

-- 
To view, visit https://gerrit.wikimedia.org/r/393639
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I2b4839a580bdf75b6229b144531ba82b7a3696ef
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to