Elukey has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/398035 )
Change subject: Restrict read permissions to the config file when SSL is enabled
......................................................................
Restrict read permissions to the config file when SSL is enabled
Also set the default configuration file to Varnish 4 syntax.
Change-Id: I038658b4b702c24a353c7ce03aeb9b8f77fe3714
---
M manifests/instance.pp
M templates/varnishkafka.conf.erb
R templates/varnishkafka_v3.conf.erb
3 files changed, 65 insertions(+), 54 deletions(-)
Approvals:
Ottomata: Looks good to me, but someone else must approve
Elukey: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/instance.pp b/manifests/instance.pp
index f47ebab..8faca33 100644
--- a/manifests/instance.pp
+++ b/manifests/instance.pp
@@ -142,8 +142,19 @@
) {
require ::varnishkafka
+ # A more restrictive set of reading permissions
+ # is deployed if SSL is configured, since the key's password
+ # will be stored in the instance config.
+ $instance_conf_mode = $ssl_enabled ? {
+ true => '0400',
+ default => '0444',
+ }
+
file { "/etc/varnishkafka/${name}.conf":
content => template($conf_template),
+ owner => 'root',
+ group => 'root',
+ mode => $instance_conf_mode,
require => Package['varnishkafka'],
}
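Review bot: The `file` resource that now carries the SSL key password keeps the default `show_diff`, so any content change to `/etc/varnishkafka/${name}.conf` is printed in the agent log and reports, which undercuts the 0400 mode introduced two lines above; add `show_diff => false,` next to `mode => $instance_conf_mode,`. The selector at `$instance_conf_mode = $ssl_enabled ? {` only matches a real Boolean `true`, so if the parameter can arrive as the string 'true' from hiera it falls through to `0444` with the password in a world-readable file; the define's parameter list closes at `) {` above the hunk, so whether it is typed as Boolean is not visible here. A root-owned 0400 file is readable by root only, which presumably assumes varnishkafka runs as root or reads its config before dropping privileges; worth confirming against the service definition.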
diff --git a/templates/varnishkafka.conf.erb b/templates/varnishkafka.conf.erb
index 9ce09e4..df797ca 100644
--- a/templates/varnishkafka.conf.erb
+++ b/templates/varnishkafka.conf.erb
@@ -3,7 +3,7 @@
#######################################################################
# #
# varnishkafka configuration file #
-# Varnish 3 specific #
+# Varnish 4 specific #
# #
#######################################################################
# #
@@ -130,36 +130,6 @@
# Defaults to 4096 bytes.
logline.scratch.size = <%= @logline_scratch_size %>
-
-# Logline cache hash tuning
-# 'log.hash.size * log.hash.max' dictates the maximum number of cached logline
-# entries in memory.
-
-# Number of hash buckets (keyed by log id).
-# Higher number yields more performance at the expense of memory.
-# Set this to avg_requests_per_second / 5.
-# Defaults to 5000
-logline.hash.size = <%= @logline_hash_size %>
-
-# Maximum number of loglines per hash bucket
-# Higher number yields less memory consumption at the expense of performance.
-# Set this to avg_requests_per_second / log.hash.size.
-# Defaults to 5
-logline.hash.max = <%= @logline_hash_max %>
-
-
-# EXPERIMENTAL
-# log.data.copy indicates if the log tag data read from VSL files should be
copied
-# instantly when read (true). If this is set to false the data is assumed to be
-# persistent (for the duration of collecting and formatting a single request)
-# and no copies will be made, thus improving performance.
-#
-# NOTE:
-# Must be set to true for offline files (-r file..) due to the way
-# libvarnishapi reads its data.
-logline.data.copy = <%= @logline_data_copy %>
-
-
#
# varnishkafka log messages configuration
# Debugging, error reporting, etc, not to be confused with varnish logs.
@@ -266,6 +236,18 @@
# Valid values are 'none', 'gzip', and 'snappy'.
kafka.compression.codec = <%= @compression_codec %>
+<% if @force_protocol_version -%>
+#
+# Kafka 0.9.0.[0,1] protocol versions may cause
+# https://issues.apache.org/jira/browse/KAFKA-3547. This workaround is
suggested
+# by the author of librdkafka and forces the protocol used to produce events
+# to a specific version. The goal is to avoid any issue like the one described
+# in https://phabricator.wikimedia.org/T172681
+# More info
https://github.com/edenhill/librdkafka/wiki/Broker-version-compatibility
+kafka.api.version.request=false
+kafka.broker.version.fallback=<%= @force_protocol_version %>
+
+<% end -%>
#
# Topic configuration
#
@@ -288,3 +270,13 @@
# SO_SNDBUFF Socket send buffer size. System default is used if 0.
kafka.socket.send.buffer.bytes = <%= @socket_send_buffer_bytes %>
<% end -%>
+<% if @ssl_enabled -%>
+#
+# TLS/SSL settings
+#
+kafka.security.protocol=SSL
+kafka.ssl.ca.location=<%= @ssl_ca_location %>
+kafka.ssl.key.password=<%= @ssl_key_password %>
+kafka.ssl.key.location=<%= @ssl_key_location %>
+kafka.ssl.certificate.location=<%= @ssl_certificate_location %>
+<% end -%>
\ No newline at end of file
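Review bot: `kafka.ssl.key.password=<%= @ssl_key_password %>` is emitted unconditionally inside the `@ssl_enabled` block, so an unencrypted key (password left undef) produces an empty `kafka.ssl.key.password=` line; guard it with `<% if @ssl_key_password -%>` / `<% end -%>` so the setting is only written when a password is actually set. The `<% end -%>` on the context line above closes an `if` that begins outside the hunk. The new side also ends without a trailing newline after the final `<% end -%>`; adding one keeps the rendered file ending with a newline.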
diff --git a/templates/varnishkafka_v4.conf.erb
b/templates/varnishkafka_v3.conf.erb
similarity index 91%
rename from templates/varnishkafka_v4.conf.erb
rename to templates/varnishkafka_v3.conf.erb
index df797ca..9ce09e4 100644
--- a/templates/varnishkafka_v4.conf.erb
+++ b/templates/varnishkafka_v3.conf.erb
@@ -3,7 +3,7 @@
#######################################################################
# #
# varnishkafka configuration file #
-# Varnish 4 specific #
+# Varnish 3 specific #
# #
#######################################################################
# #
@@ -130,6 +130,36 @@
# Defaults to 4096 bytes.
logline.scratch.size = <%= @logline_scratch_size %>
+
+# Logline cache hash tuning
+# 'log.hash.size * log.hash.max' dictates the maximum number of cached logline
+# entries in memory.
+
+# Number of hash buckets (keyed by log id).
+# Higher number yields more performance at the expense of memory.
+# Set this to avg_requests_per_second / 5.
+# Defaults to 5000
+logline.hash.size = <%= @logline_hash_size %>
+
+# Maximum number of loglines per hash bucket
+# Higher number yields less memory consumption at the expense of performance.
+# Set this to avg_requests_per_second / log.hash.size.
+# Defaults to 5
+logline.hash.max = <%= @logline_hash_max %>
+
+
+# EXPERIMENTAL
+# log.data.copy indicates if the log tag data read from VSL files should be
copied
+# instantly when read (true). If this is set to false the data is assumed to be
+# persistent (for the duration of collecting and formatting a single request)
+# and no copies will be made, thus improving performance.
+#
+# NOTE:
+# Must be set to true for offline files (-r file..) due to the way
+# libvarnishapi reads its data.
+logline.data.copy = <%= @logline_data_copy %>
+
+
#
# varnishkafka log messages configuration
# Debugging, error reporting, etc, not to be confused with varnish logs.
@@ -236,18 +266,6 @@
# Valid values are 'none', 'gzip', and 'snappy'.
kafka.compression.codec = <%= @compression_codec %>
-<% if @force_protocol_version -%>
-#
-# Kafka 0.9.0.[0,1] protocol versions may cause
-# https://issues.apache.org/jira/browse/KAFKA-3547. This workaround is
suggested
-# by the author of librdkafka and forces the protocol used to produce events
-# to a specific version. The goal is to avoid any issue like the one described
-# in https://phabricator.wikimedia.org/T172681
-# More info
https://github.com/edenhill/librdkafka/wiki/Broker-version-compatibility
-kafka.api.version.request=false
-kafka.broker.version.fallback=<%= @force_protocol_version %>
-
-<% end -%>
#
# Topic configuration
#
@@ -270,13 +288,3 @@
# SO_SNDBUFF Socket send buffer size. System default is used if 0.
kafka.socket.send.buffer.bytes = <%= @socket_send_buffer_bytes %>
<% end -%>
-<% if @ssl_enabled -%>
-#
-# TLS/SSL settings
-#
-kafka.security.protocol=SSL
-kafka.ssl.ca.location=<%= @ssl_ca_location %>
-kafka.ssl.key.password=<%= @ssl_key_password %>
-kafka.ssl.key.location=<%= @ssl_key_location %>
-kafka.ssl.certificate.location=<%= @ssl_certificate_location %>
-<% end -%>
\ No newline at end of file
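Review bot: The v3 template carries no `<% if @ssl_enabled -%>` block, so an instance that selects it with `ssl_enabled => true` gets the restricted 0400 mode from instance.pp but no `kafka.security.protocol=SSL` line, and as far as I can tell the producer would then fall back to a plaintext connection without any error. If the v3 template is meant to stay SSL-free, that deserves either a guard in instance.pp (outside this diff) or a comment at the top of this template, e.g. `# SSL/TLS settings are not supported by this template; see varnishkafka.conf.erb`. Git paired this as a rename of varnishkafka_v4.conf.erb to varnishkafka_v3.conf.erb with the content flipped back to Varnish 3, which is hard to follow in review; the actual intent, that the unsuffixed template is now the v4 one, is stated only in the commit message.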
--
Gerrit-MessageType: merged
Gerrit-Change-Id: I038658b4b702c24a353c7ce03aeb9b8f77fe3714
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet/varnishkafka
Gerrit-Branch: master
Gerrit-Owner: Elukey <[email protected]>
Gerrit-Reviewer: Elukey <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
Gerrit-Reviewer: jenkins-bot <>