Allow changing the configuration directory and files owner #535
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I've fixed the default value to now honor the "user" override, and also added a spec test to check for config dir and file ownership when this parameter is used. |
|
FYI, the failing check is because some CentOS 6 packages couldn't be installed for one of the jobs. |
|
@solarkennedy : Any feedback on this change? It's fairly straightforward, passes checks and (to me at least) makes a lot of sense security-wise. |
|
I think this is fine |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is because it's good practice to keep the service from potentially overwriting its own configuration through some security flaw, meaning having the owner 'root', the group 'consul' and files mode 0640 and directories mode 0750 makes the most sense to keep everyting secure and private.
Note that this works for me because I deploy consul using an rpm where I have set the config directory to have mode 0750, but this is not something this Puppet module will be enforcing. Should a new
config_dir_modealso be added, defaulting toundefto keep backwards compatibility?