Add ocfenforcer as user #933
Committer: Wilson Nguyen <wilsonqnguyen@gmail.com>
Errored hosts (0) Changed hosts (2) Unaffected hosts (130)
Changed hosts
diff for dev-whiteout.ocf.berkeley.edu, whiteout.ocf.berkeley.edu
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer posthook
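Review bot: The new prehook_enforcer and posthook_enforcer lines call sudo -u ocfenforcer, but none of the resources in this catalog diff adds a sudoers rule for it. If tea4cups runs these hooks as any user other than root, sudo will refuse or prompt for a password with no terminal attached and the hook will fail, so a NOPASSWD rule limited to /usr/local/bin/enforcer prehook and /usr/local/bin/enforcer posthook should ship in the same change. Calling sudo by absolute path, as is already done for the enforcer binary, would also remove the dependency on the hook's PATH.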
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
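Review bot: User[ocfenforcer] sets only ensure, groups and system, so the account inherits the sys group from the resource default and whatever login shell the platform assigns. Since it is only entered through sudo -u from the tea4cups hooks, set shell explicitly to a nologin shell, and drop the sys group for this user unless the enforcer needs something that group grants.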
******************************************* Unaffected hosts
Well I was going to say something about making it a system user, but turns out that's already done by default now with
Line 12 in de8b3f6
User { system => true, groups => ['sys'] }
Have you tested this on dev-whiteout to see if it works when printing? It'll be a bit harder with the lab closed, but you can probably still test by sending a print job from a VM and see what CUPS etc. does
looks good to me, thanks!
I don't think this will work as currently set up. ocfenforcer needs access to the config file at /opt/share/enforcer/enforcer.conf. You can probably just modify the file resources for /opt/share/enforcer and /opt/share/enforcer/enforcer.conf.
So I deleted a bunch of messages but from some investigation this will cause error reports to fail also (since ocfenforcer doesn't exist on See the following log:
Will look into it!
Errored hosts (0) Changed hosts (4) Unaffected hosts (128)
Changed hosts
diff for anthrax.ocf.berkeley.edu, dev-anthrax.ocf.berkeley.edu
*******************************************
File[/etc/aliases] =>
parameters =>
content =>
@@ -9,4 +9,5 @@
_
mirrors: root
+ocfenforcer: root
ocfstats: root
jenkins: root
*******************************************
diff for whiteout.ocf.berkeley.edu
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer posthook
*******************************************
File[/opt/share/enforcer/enforcer.conf] =>
parameters =>
mode =>
- 0644
+ 0500
owner =>
- root
+ ocfenforcer
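Review bot: mode 0500 on enforcer.conf sets the execute bit on a configuration file; 0400 gives the same owner-only read access without it. Making ocfenforcer the owner also lets the account that parses the file chmod and rewrite it, so consider keeping owner root and granting read access through a group that ocfenforcer belongs to (mode 0640), which still hides the file from other users.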
*******************************************
File[/opt/share/enforcer] =>
parameters =>
owner =>
- root
+ ocfenforcer
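Review bot: Changing the owner of /opt/share/enforcer from root to ocfenforcer gives the service account the owner's permissions on the directory, which normally include write, so it can rename or replace enforcer.conf regardless of that file's own mode. If the enforcer only reads from this directory, keep it owned by root and give ocfenforcer access through group permissions.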
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
*******************************************
diff for dev-whiteout.ocf.berkeley.edu
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -u ocfenforcer /usr/local/bin/enforcer posthook
*******************************************
File[/etc/munin/plugin-conf.d/ocf-plugin-conf] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# Set warning at 80% and critical at 90%
[memory]
-env.apps_warning :3164412500
-env.apps_critical :3559964062
+env.apps_warning :3164403125
+env.apps_critical :3559953515
*******************************************
File[/opt/share/enforcer/enforcer.conf] =>
parameters =>
mode =>
- 0644
+ 0500
owner =>
- root
+ ocfenforcer
*******************************************
File[/opt/share/enforcer] =>
parameters =>
owner =>
- root
+ ocfenforcer
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
******************************************* Unaffected hosts
Errored hosts (0) Changed hosts (5) Unaffected hosts (127)
Changed hosts
diff for anthrax.ocf.berkeley.edu, dev-anthrax.ocf.berkeley.edu
*******************************************
File[/etc/aliases] =>
parameters =>
content =>
@@ -9,4 +9,5 @@
_
mirrors: root
+ocfenforcer: root
ocfstats: root
jenkins: root
*******************************************
diff for dev-whiteout.ocf.berkeley.edu
*******************************************
Exec[systemctl-daemon-reload] =>
parameters =>
path =>
- /opt/puppetlabs/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+ /opt/share/utils/bin:/opt/share/utils/sbin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin:/usr/sbin:/usr/bin:/sbin:/bin
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer posthook
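Review bot: The switch from -u to -Eu on both hook lines passes the entire calling environment through to the enforcer, not just the job variables it reads. sudo only honours -E when the sudoers rule permits it (SETENV), and no such rule is visible in this diff; listing the needed variables in env_keep on that rule would be narrower and keeps PATH and similar variables under sudo's control.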
*******************************************
File[/etc/munin/plugin-conf.d/ocf-plugin-conf] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# Set warning at 80% and critical at 90%
[memory]
-env.apps_warning :3164412500
-env.apps_critical :3559964062
+env.apps_warning :3164403125
+env.apps_critical :3559953515
*******************************************
File[/opt/share/enforcer/enforcer.conf] =>
parameters =>
mode =>
- 0644
+ 0500
owner =>
- root
+ ocfenforcer
*******************************************
File[/opt/share/enforcer] =>
parameters =>
owner =>
- root
+ ocfenforcer
*******************************************
+ File[/usr/lib/cups/backend/tea4cups] =>
parameters =>
"backup": "main",
"ensure": "file",
"group": "root",
"mode": "0700",
"owner": "ocfenforcer"
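Review bot: File[/usr/lib/cups/backend/tea4cups] hands the backend executable to ocfenforcer with mode 0700, which means the unprivileged account can rewrite the program that CUPS runs for every job. Check on dev-whiteout that CUPS still accepts a backend that is not owned by root, and if the goal is only to have the backend run as ocfenforcer, prefer an arrangement that leaves the file root-owned and not writable by the service account.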
*******************************************
+ File[/var/spool/cups] =>
parameters =>
"backup": "main",
"ensure": "directory",
"group": "root",
"mode": "0700",
"owner": "ocfenforcer"
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
*******************************************
diff for dev-firestorm.ocf.berkeley.edu
*******************************************
Exec[systemctl-daemon-reload] =>
parameters =>
path =>
- /opt/puppetlabs/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+ /opt/share/utils/bin:/opt/share/utils/sbin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin:/usr/sbin:/usr/bin:/sbin:/bin
*******************************************
File[/etc/munin/plugin-conf.d/ocf-plugin-conf] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# Set warning at 80% and critical at 90%
[memory]
-env.apps_warning :3164646875
-env.apps_critical :3560227734
+env.apps_warning :3164621875
+env.apps_critical :3560199609
*******************************************
diff for whiteout.ocf.berkeley.edu
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer posthook
*******************************************
File[/opt/share/enforcer/enforcer.conf] =>
parameters =>
mode =>
- 0644
+ 0500
owner =>
- root
+ ocfenforcer
*******************************************
File[/opt/share/enforcer] =>
parameters =>
owner =>
- root
+ ocfenforcer
*******************************************
+ File[/usr/lib/cups/backend/tea4cups] =>
parameters =>
"backup": "main",
"ensure": "file",
"group": "root",
"mode": "0700",
"owner": "ocfenforcer"
*******************************************
+ File[/var/spool/cups] =>
parameters =>
"backup": "main",
"ensure": "directory",
"group": "root",
"mode": "0700",
"owner": "ocfenforcer"
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
******************************************* Unaffected hosts
sweeeet
tea4cups saves files based on the owner (switched from root -> ocfenforcer)
sorry, I meant like add a comment to the file
Errored hosts (0) Changed hosts (5) Unaffected hosts (127)
Changed hosts
diff for whiteout.ocf.berkeley.edu
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer posthook
*******************************************
File[/opt/share/enforcer/enforcer.conf] =>
parameters =>
mode =>
- 0644
+ 0500
owner =>
- root
+ ocfenforcer
*******************************************
File[/opt/share/enforcer] =>
parameters =>
owner =>
- root
+ ocfenforcer
*******************************************
+ File[/usr/lib/cups/backend/tea4cups] =>
parameters =>
"backup": "main",
"ensure": "file",
"group": "root",
"mode": "0700",
"owner": "ocfenforcer"
*******************************************
Mount[/var/spool/cups] =>
parameters =>
options =>
- mode=0710,gid=lp,noatime,nodev,noexec,nosuid
+ uid=ocfenforcer,mode=0710,gid=lp,noatime,nodev,noexec,nosuid
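Review bot: Adding uid=ocfenforcer to the /var/spool/cups mount options makes the service account the owner of the whole CUPS spool, and with mode=0710 it can list, create and delete entries in that directory. The manifest should carry a comment explaining why tea4cups needs this, and if only tea4cups' own data files are involved, a dedicated directory owned by ocfenforcer would leave the main spool root-owned.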
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
*******************************************
diff for anthrax.ocf.berkeley.edu, dev-anthrax.ocf.berkeley.edu
*******************************************
File[/etc/aliases] =>
parameters =>
content =>
@@ -9,4 +9,5 @@
_
mirrors: root
+ocfenforcer: root
ocfstats: root
jenkins: root
*******************************************
diff for dev-whiteout.ocf.berkeley.edu
*******************************************
Exec[systemctl-daemon-reload] =>
parameters =>
path =>
- /opt/puppetlabs/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+ /opt/share/utils/bin:/opt/share/utils/sbin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin:/usr/sbin:/usr/bin:/sbin:/bin
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer posthook
*******************************************
File[/etc/munin/plugin-conf.d/ocf-plugin-conf] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# Set warning at 80% and critical at 90%
[memory]
-env.apps_warning :3164412500
-env.apps_critical :3559964062
+env.apps_warning :3164403125
+env.apps_critical :3559953515
*******************************************
File[/opt/share/enforcer/enforcer.conf] =>
parameters =>
mode =>
- 0644
+ 0500
owner =>
- root
+ ocfenforcer
*******************************************
File[/opt/share/enforcer] =>
parameters =>
owner =>
- root
+ ocfenforcer
*******************************************
+ File[/usr/lib/cups/backend/tea4cups] =>
parameters =>
"backup": "main",
"ensure": "file",
"group": "root",
"mode": "0700",
"owner": "ocfenforcer"
*******************************************
Mount[/var/spool/cups] =>
parameters =>
options =>
- mode=0710,gid=lp,noatime,nodev,noexec,nosuid
+ uid=ocfenforcer,mode=0710,gid=lp,noatime,nodev,noexec,nosuid
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
*******************************************
diff for dev-firestorm.ocf.berkeley.edu
*******************************************
Apt::Pin[backports] =>
parameters =>
release =>
- stretch-backports
+ buster-backports
*******************************************
Apt::Pin[ocf-backports] =>
parameters =>
codename =>
- stretch-backports
+ buster-backports
*******************************************
Apt::Setting[list-backports] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
# This file is managed by Puppet. DO NOT EDIT.
# backports
-deb http://mirrors/debian/ stretch-backports main contrib non-free
+deb http://mirrors/debian/ buster-backports main contrib non-free
*******************************************
Apt::Setting[list-debian-security] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# debian-security
-deb http://mirrors/debian-security/ stretch/updates main contrib non-free
-deb-src http://mirrors/debian-security/ stretch/updates main contrib non-free
+deb http://mirrors/debian-security/ buster/updates main contrib non-free
+deb-src http://mirrors/debian-security/ buster/updates main contrib non-free
*******************************************
Apt::Setting[list-debian-updates] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# debian-updates
-deb http://mirrors/debian/ stretch-updates main contrib non-free
-deb-src http://mirrors/debian/ stretch-updates main contrib non-free
+deb http://mirrors/debian/ buster-updates main contrib non-free
+deb-src http://mirrors/debian/ buster-updates main contrib non-free
*******************************************
Apt::Setting[list-debian] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# debian
-deb http://mirrors/debian/ stretch main contrib non-free
-deb-src http://mirrors/debian/ stretch main contrib non-free
+deb http://mirrors/debian/ buster main contrib non-free
+deb-src http://mirrors/debian/ buster main contrib non-free
*******************************************
Apt::Setting[list-ocf-backports] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# ocf-backports
-deb http://apt/ stretch-backports main
-deb-src http://apt/ stretch-backports main
+deb http://apt/ buster-backports main
+deb-src http://apt/ buster-backports main
*******************************************
Apt::Setting[list-ocf] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# ocf
-deb http://apt/ stretch main
-deb-src http://apt/ stretch main
+deb http://apt/ buster main
+deb-src http://apt/ buster main
*******************************************
Apt::Setting[list-puppetlabs] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
# This file is managed by Puppet. DO NOT EDIT.
# puppetlabs
-deb http://mirrors/puppetlabs/apt/ stretch puppet
+deb http://mirrors/puppetlabs/apt/ buster puppet
*******************************************
Apt::Setting[pref-backports] =>
parameters =>
content =>
@@ -2,4 +2,4 @@
Explanation: apt: backports
Package: *
-Pin: release a=stretch-backports
+Pin: release a=buster-backports
Pin-Priority: 200
*******************************************
Apt::Setting[pref-ocf-backports] =>
parameters =>
content =>
@@ -2,4 +2,4 @@
Explanation: ocf: ocf-backports
Package: *
-Pin: release n=stretch-backports
+Pin: release n=buster-backports
Pin-Priority: 200
*******************************************
Apt::Source[backports] =>
parameters =>
pin =>
release =>
- stretch-backports
+ buster-backports
release =>
- stretch-backports
+ buster-backports
*******************************************
Apt::Source[debian-security] =>
parameters =>
release =>
- stretch/updates
+ buster/updates
*******************************************
Apt::Source[debian-updates] =>
parameters =>
release =>
- stretch-updates
+ buster-updates
*******************************************
Apt::Source[debian] =>
parameters =>
release =>
- stretch
+ buster
*******************************************
Apt::Source[ocf-backports] =>
parameters =>
release =>
- stretch-backports
+ buster-backports
*******************************************
Apt::Source[ocf] =>
parameters =>
release =>
- stretch
+ buster
*******************************************
Apt::Source[puppetlabs] =>
parameters =>
release =>
- stretch
+ buster
*******************************************
- Exec[apt install python3-attr]
*******************************************
- Exec[apt install python3-cryptography]
*******************************************
- Exec[apt install python3-ldap3]
*******************************************
File[/etc/apt/preferences.d/backports.pref] =>
parameters =>
content =>
@@ -2,4 +2,4 @@
Explanation: apt: backports
Package: *
-Pin: release a=stretch-backports
+Pin: release a=buster-backports
Pin-Priority: 200
*******************************************
File[/etc/apt/preferences.d/ocf-backports.pref] =>
parameters =>
content =>
@@ -2,4 +2,4 @@
Explanation: ocf: ocf-backports
Package: *
-Pin: release n=stretch-backports
+Pin: release n=buster-backports
Pin-Priority: 200
*******************************************
File[/etc/apt/sources.list.d/backports.list] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
# This file is managed by Puppet. DO NOT EDIT.
# backports
-deb http://mirrors/debian/ stretch-backports main contrib non-free
+deb http://mirrors/debian/ buster-backports main contrib non-free
*******************************************
File[/etc/apt/sources.list.d/debian-security.list] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# debian-security
-deb http://mirrors/debian-security/ stretch/updates main contrib non-free
-deb-src http://mirrors/debian-security/ stretch/updates main contrib non-free
+deb http://mirrors/debian-security/ buster/updates main contrib non-free
+deb-src http://mirrors/debian-security/ buster/updates main contrib non-free
*******************************************
File[/etc/apt/sources.list.d/debian-updates.list] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# debian-updates
-deb http://mirrors/debian/ stretch-updates main contrib non-free
-deb-src http://mirrors/debian/ stretch-updates main contrib non-free
+deb http://mirrors/debian/ buster-updates main contrib non-free
+deb-src http://mirrors/debian/ buster-updates main contrib non-free
*******************************************
File[/etc/apt/sources.list.d/debian.list] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# debian
-deb http://mirrors/debian/ stretch main contrib non-free
-deb-src http://mirrors/debian/ stretch main contrib non-free
+deb http://mirrors/debian/ buster main contrib non-free
+deb-src http://mirrors/debian/ buster main contrib non-free
*******************************************
File[/etc/apt/sources.list.d/ocf-backports.list] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# ocf-backports
-deb http://apt/ stretch-backports main
-deb-src http://apt/ stretch-backports main
+deb http://apt/ buster-backports main
+deb-src http://apt/ buster-backports main
*******************************************
File[/etc/apt/sources.list.d/ocf.list] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# This file is managed by Puppet. DO NOT EDIT.
# ocf
-deb http://apt/ stretch main
-deb-src http://apt/ stretch main
+deb http://apt/ buster main
+deb-src http://apt/ buster main
*******************************************
File[/etc/apt/sources.list.d/puppetlabs.list] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
# This file is managed by Puppet. DO NOT EDIT.
# puppetlabs
-deb http://mirrors/puppetlabs/apt/ stretch puppet
+deb http://mirrors/puppetlabs/apt/ buster puppet
*******************************************
File[/etc/munin/plugin-conf.d/ocf-plugin-conf] =>
parameters =>
content =>
@@ -1,4 +1,4 @@
# Set warning at 80% and critical at 90%
[memory]
-env.apps_warning :3164646875
-env.apps_critical :3560227734
+env.apps_warning :1596003125
+env.apps_critical :1795503515
*******************************************
Ocf::Repackage[grub-pc] =>
parameters =>
dist =>
- stretch-backports
+ buster-backports
*******************************************
Ocf::Repackage[libnss-ldap] =>
parameters =>
dist =>
- stretch-backports
+ buster-backports
*******************************************
Ocf::Repackage[python3-attr] =>
parameters =>
dist =>
- stretch-backports
+ buster-backports
*******************************************
Ocf::Repackage[python3-cryptography] =>
parameters =>
dist =>
- stretch-backports
+ buster-backports
*******************************************
Ocf::Repackage[python3-ldap3] =>
parameters =>
dist =>
- stretch-backports
+ buster-backports
******************************************* Unaffected hosts
file { '/usr/lib/cups/backend/tea4cups':
  ensure => 'file',
  owner => 'ocfenforcer',
  mode => '0700';
Probably also good to include require => Package['cups-tea4cups'] here since this is normally provided by that package so you'd want it to exist first before modifying its permissions
lgtm, pending the one last require
I think the code looks good but let's wait to merge until we get lab access again
Errored hosts (1) Changed hosts (2) Unaffected hosts (95)
Errored hosts
error for blight.ocf.berkeley.edu
Changed hosts
diff for whiteout.ocf.berkeley.edu
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer posthook
*******************************************
File[/opt/share/enforcer/enforcer.conf] =>
parameters =>
mode =>
- 0644
+ 0500
owner =>
- root
+ ocfenforcer
*******************************************
File[/opt/share/enforcer] =>
parameters =>
owner =>
- root
+ ocfenforcer
*******************************************
+ File[/usr/lib/cups/backend/tea4cups] =>
parameters =>
"backup": "main",
"ensure": "file",
"group": "root",
"mode": "0700",
"owner": "ocfenforcer"
*******************************************
Mount[/var/spool/cups] =>
parameters =>
options =>
- mode=0710,gid=lp,noatime,nodev,noexec,nosuid
+ uid=ocfenforcer,mode=0710,gid=lp,noatime,nodev,noexec,nosuid
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
*******************************************
diff for anthrax.ocf.berkeley.edu
*******************************************
File[/etc/aliases] =>
parameters =>
content =>
@@ -9,4 +9,5 @@
_
mirrors: root
+ocfenforcer: root
ocfstats: root
jenkins: root
******************************************* Unaffected hosts
Errored hosts (0) Changed hosts (2) Unaffected hosts (96)
Changed hosts
diff for anthrax.ocf.berkeley.edu
*******************************************
File[/etc/aliases] =>
parameters =>
content =>
@@ -9,4 +9,5 @@
_
mirrors: root
+ocfenforcer: root
ocfstats: root
jenkins: root
*******************************************
diff for whiteout.ocf.berkeley.edu
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer posthook
*******************************************
File[/opt/share/enforcer/enforcer.conf] =>
parameters =>
mode =>
- 0644
+ 0500
owner =>
- root
+ ocfenforcer
*******************************************
File[/opt/share/enforcer] =>
parameters =>
owner =>
- root
+ ocfenforcer
*******************************************
+ File[/usr/lib/cups/backend/tea4cups] =>
parameters =>
"backup": "main",
"ensure": "file",
"group": "root",
"mode": "0700",
"owner": "ocfenforcer"
*******************************************
Mount[/var/spool/cups] =>
parameters =>
options =>
- mode=0710,gid=lp,noatime,nodev,noexec,nosuid
+ uid=ocfenforcer,mode=0710,gid=lp,noatime,nodev,noexec,nosuid
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
******************************************* Unaffected hosts
Errored hosts (1) Changed hosts (91) Unaffected hosts (0)
WARNING: Output is too long for a comment, posted to a gist instead: https://gist.github.com/c0339f4e56de810145e97d7d7784747e
Errored hosts (1) Changed hosts (91) Unaffected hosts (0)
WARNING: Output is too long for a comment, posted to a gist instead: https://gist.github.com/25901e745680541108aa44171b1f0b40
Errored hosts (4) Changed hosts (2) Unaffected hosts (68)
Errored hosts
error for asteroid.ocf.berkeley.edu
error for avalanche.ocf.berkeley.edu
error for bigbang.ocf.berkeley.edu
error for segfault.ocf.berkeley.edu
Changed hosts
diff for anthrax.ocf.berkeley.edu
*******************************************
File[/etc/aliases] =>
parameters =>
content =>
@@ -9,4 +9,5 @@
_
mirrors: root
+ocfenforcer: root
ocfstats: root
jenkins: root
*******************************************
diff for whiteout.ocf.berkeley.edu
*******************************************
File[/etc/cups/tea4cups.conf] =>
parameters =>
content =>
@@ -7,4 +7,4 @@
keepfiles : no
_
-prehook_enforcer : /usr/local/bin/enforcer prehook
-posthook_enforcer : /usr/local/bin/enforcer posthook
+prehook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer prehook
+posthook_enforcer : sudo -Eu ocfenforcer /usr/local/bin/enforcer posthook
*******************************************
File[/opt/share/enforcer/enforcer.conf] =>
parameters =>
mode =>
- 0644
+ 0500
owner =>
- root
+ ocfenforcer
*******************************************
File[/opt/share/enforcer] =>
parameters =>
owner =>
- root
+ ocfenforcer
*******************************************
+ File[/usr/lib/cups/backend/tea4cups] =>
parameters =>
"backup": "main",
"ensure": "file",
"group": "root",
"mode": "0700",
"owner": "ocfenforcer"
*******************************************
Mount[/var/spool/cups] =>
parameters =>
options =>
- mode=0710,gid=lp,noatime,nodev,noexec,nosuid
+ uid=ocfenforcer,mode=0710,gid=lp,noatime,nodev,noexec,nosuid
*******************************************
+ User[ocfenforcer] =>
parameters =>
"ensure": "present",
"groups": [
"sys"
],
"system": true
******************************************* Unaffected hosts
Fixes #930.