From 1cfcb0005aa25d6d4972b36536d5da5b347ecf31 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 8 Oct 2020 19:52:13 +0200 Subject: [PATCH] Add `procted-mode` only to services that support it chronological order: * https://github.com/voxpupuli/puppet-redis/pull/272 was opened * https://github.com/voxpupuli/puppet-redis/pull/365 was opened * #365 was merged * #272 was merged without a rebase * tests are broken --- REFERENCE.md | 24 ++++++++++++++++++++++++ manifests/init.pp | 1 + manifests/instance.pp | 3 +++ manifests/sentinel.pp | 14 ++++++++++++++ spec/classes/redis_sentinel_spec.rb | 1 + templates/redis-sentinel.conf.erb | 2 ++ templates/redis.conf.erb | 4 +++- 7 files changed, 48 insertions(+), 1 deletion(-) diff --git a/REFERENCE.md b/REFERENCE.md index 9b3f8f28..4199606e 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1112,6 +1112,14 @@ Specify the port of the master redis server. Default value: `6379` +##### `protected_mode` + +Data type: `Boolean` + +Whether protected mode is enabled or not. Only applicable when no bind is set. + +Default value: `$redis::params::sentinel_protected_mode` + ##### `package_name` Data type: `String[1]` @@ -1244,6 +1252,14 @@ Data type: `Stdlib::Ensure::Service` Default value: `'running'` +##### `minimum_version` + +Data type: `String[5]` + + + +Default value: `$redis::params::minimum_version` + ## Defined types ### `redis::instance` @@ -1955,6 +1971,14 @@ set if cluster_enabled is true Default value: `$redis::cluster_migration_barrier` +##### `supports_protected_mode` + +Data type: `Boolean` + +Determine support for the protected mode. If it's supported we default to enabling it. We don't add the config option to systems that do not yet support it + +Default value: `$redis::supports_protected_mode` + ##### `output_buffer_limit_slave` Data type: `String[1]` diff --git a/manifests/init.pp b/manifests/init.pp index 924eb027..583a9c26 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -332,6 +332,7 @@ Integer[0] $cluster_migration_barrier = 1, Hash[String[1], Hash] $instances = {}, ) inherits redis::params { + contain redis::preinstall contain redis::install contain redis::config diff --git a/manifests/instance.pp b/manifests/instance.pp index bd945023..94ca461c 100644 --- a/manifests/instance.pp +++ b/manifests/instance.pp @@ -194,6 +194,8 @@ # Minimum number of slaves master will remain connected with, for another # slave to migrate to a master which is no longer covered by any slave Only # set if cluster_enabled is true +# @param supports_protected_mode +# Determine support for the protected mode. If it's supported we default to enabling it. We don't add the config option to systems that do not yet support it define redis::instance ( Boolean $activerehashing = $redis::activerehashing, Boolean $aof_load_truncated = $redis::aof_load_truncated, @@ -285,6 +287,7 @@ Stdlib::Absolutepath $pid_file = "/var/run/redis/redis-server-${name}.pid", Variant[Stdlib::Absolutepath, Enum['']] $unixsocket = "/var/run/redis/redis-server-${name}.sock", Stdlib::Absolutepath $workdir = "${redis::workdir}/redis-server-${name}", + Boolean $supports_protected_mode = $redis::supports_protected_mode, ) { if $title == 'default' { $redis_file_name_orig = $config_file_orig diff --git a/manifests/sentinel.pp b/manifests/sentinel.pp index fb3e3ef4..90b9af25 100644 --- a/manifests/sentinel.pp +++ b/manifests/sentinel.pp 
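Review bot: The new `Boolean $supports_protected_mode` parameter on `redis::instance` is documented as a capability flag, but as a public parameter it also works as an off switch. Assuming redis.conf.erb guards the directive on it, as the template change in this patch suggests, passing `false` drops the `protected-mode` line for that instance whatever `protected_mode` is set to. The `@param` text should say this, for example `# Normally derived from the detected Redis version; overriding it to false omits the protected-mode directive entirely.` It would also read better wrapped like the neighbouring `@param` entries rather than as one long line. The `define` body continues past the end of this hunk.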
@@ -139,9 +139,23 @@ Stdlib::Absolutepath $working_dir = $redis::params::sentinel_working_dir, Optional[Stdlib::Absolutepath] $notification_script = undef, Optional[Stdlib::Absolutepath] $client_reconfig_script = undef, + String[5] $minimum_version = $redis::params::minimum_version, ) inherits redis::params { require 'redis' + if $package_ensure =~ /^([0-9]+:)?[0-9]+\.[0-9]/ { + if ':' in $package_ensure { + $_redis_version_real = split($package_ensure, ':') + $redis_version_real = $_redis_version_real[1] + } else { + $redis_version_real = $package_ensure + } + } else { + $redis_version_real = pick(getvar('redis_server_version'), $minimum_version) + } + + $supports_protected_mode = !$redis_version_real or versioncmp($redis_version_real, '3.2.0') >= 0 + if $facts['os']['family'] == 'Debian' { package { $package_name: ensure => $package_ensure, diff --git a/spec/classes/redis_sentinel_spec.rb b/spec/classes/redis_sentinel_spec.rb index 21935ecc..acdc0b01 100644 --- a/spec/classes/redis_sentinel_spec.rb +++ b/spec/classes/redis_sentinel_spec.rb @@ -136,6 +136,7 @@ dir /tmp/redis daemonize #{facts[:osfamily] == 'RedHat' ? 'no' : 'yes'} pidfile #{pidfile} +protected-mode yes sentinel monitor cow 127.0.0.1 6379 2 sentinel down-after-milliseconds cow 6000 diff --git a/templates/redis-sentinel.conf.erb b/templates/redis-sentinel.conf.erb index 38bb3224..632fa302 100644 --- a/templates/redis-sentinel.conf.erb +++ b/templates/redis-sentinel.conf.erb @@ -5,7 +5,9 @@ port <%= @sentinel_port %> dir <%= @working_dir %> daemonize <%= @daemonize ? 'yes' : 'no' %> pidfile <%= @pid_file %> +<% if @supports_protected_mode -%> protected-mode <%= @protected_mode ? 'yes' : 'no' %> +<% end -%> sentinel monitor <%= @master_name %> <%= @redis_host %> <%= @redis_port %> <%= @quorum %> sentinel down-after-milliseconds <%= @master_name %> <%= @down_after %> diff --git a/templates/redis.conf.erb b/templates/redis.conf.erb index d395bb1f..a5a63dab 100644 --- a/templates/redis.conf.erb 
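Review bot: In the added `$supports_protected_mode` assignment, `!$redis_version_real` can never be true. Every branch above assigns a non-empty string, and `pick()` aborts compilation when both of its candidates are empty, so the result is decided by `versioncmp` alone. That matters when `package_ensure` is not a version string and the `redis_server_version` fact is not yet available, because the comparison then runs against `$minimum_version`. If that default is below 3.2.0 (its value is not visible in this patch), the sentinel config is written without `protected-mode` and an explicit `protected_mode` setting is ignored until the fact resolves. Consider `$supports_protected_mode = versioncmp($redis_version_real, '3.2.0') >= 0`, plus a comment that hosts below 3.2.0 have no protected mode and must rely on `bind` and authentication.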
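Review bot: The expected sentinel config now includes `protected-mode yes`, but nothing in this hunk exercises the other branch, where the resolved version is below 3.2.0 and the line must be absent. A second context that sets `package_ensure` to an older version string (a constructed example: `'3.0.7'`) and asserts the rendered file contains no `protected-mode` line would pin the behaviour this commit is about. The heredoc being edited starts and ends outside the hunk.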
+++ b/templates/redis.conf.erb @@ -34,11 +34,13 @@ pidfile <%= @pid_file %> # IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain # sockets. # -# By default protected mode is enabled. You should disable it only if +# By default protected mode is enabled *on systems that support it*. You should disable it only if # you are sure you want clients from other hosts to connect to Redis # even if no authentication is configured, nor a specific set of interfaces # are explicitly listed using the "bind" directive. +#<% if @supports_protected_mode -%> protected-mode <%= @protected_mode ? 'yes' : 'no' %> +<% end -%> <% end -%> # Accept connections on the specified port, default is 6379.
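Review bot: The added line `#<% if @supports_protected_mode -%>` leaves a literal `#` in front of the ERB tag, and `-%>` swallows the newline after it. As written in this patch, the template therefore renders `#protected-mode yes`, so the directive is commented out and Redis falls back to its built-in default. On 3.2 and later that default keeps protected mode on, so the failure is quiet, but `protected_mode => false` is ignored and the generated file no longer states what the server enforces. Drop the stray character so the line reads `<% if @supports_protected_mode -%>`. The trailing `<% end -%>` context line closes a conditional opened above the hunk, so it is worth confirming the new check does not duplicate that outer guard.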