diff --git a/files/zabbix-server.te b/files/zabbix-server.te new file mode 100644 index 000000000..b4a37b865 --- /dev/null +++ b/files/zabbix-server.te @@ -0,0 +1,9 @@ +module zabbix-server 1.0; + +require { + type zabbix_t; + class process setrlimit; +} + +#============= zabbix_t ============== +allow zabbix_t self:process setrlimit; diff --git a/manifests/init.pp b/manifests/init.pp index fcdc97ff6..dd6fbcce4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -174,6 +174,7 @@ $loadmodule = $zabbix::params::server_loadmodule, Boolean $manage_selinux = $zabbix::params::manage_selinux, String $additional_service_params = $zabbix::params::additional_service_params, + Optional[String[1]] $zabbix_user = $zabbix::params::server_zabbix_user, ) inherits zabbix::params { class { '::zabbix::web': diff --git a/manifests/params.pp b/manifests/params.pp index 728a6ef63..d057133d4 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -25,6 +25,7 @@ $agent_zabbix_user = 'zabbix' $agent_config_group = 'zabbix' $agent_pidfile = '/var/run/zabbix/zabbix_agentd.pid' + $server_zabbix_user = 'zabbix' } 'Archlinux': { $server_fpinglocation = '/usr/bin/fping' @@ -38,6 +39,7 @@ $agent_zabbix_user = 'zabbix-agent' $agent_config_group = 'zabbix-agent' $agent_pidfile = undef + $server_zabbix_user = 'zabbix-server' } 'Fedora': { $server_fpinglocation = '/usr/sbin/fping' @@ -51,6 +53,7 @@ $agent_zabbix_user = 'zabbix' $agent_config_group = 'zabbix' $agent_pidfile = '/var/run/zabbix/zabbix_agentd.pid' + $server_zabbix_user = 'zabbix' } default : { $server_fpinglocation = '/usr/sbin/fping' @@ -64,6 +67,7 @@ $agent_zabbix_user = 'zabbix' $agent_config_group = 'zabbix' $agent_pidfile = '/var/run/zabbix/zabbix_agentd.pid' + $server_zabbix_user = 'zabbix' } } diff --git a/manifests/server.pp b/manifests/server.pp index 608c13ed4..354f9ffeb 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
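Review bot: The rule `allow zabbix_t self:process setrlimit;` in files/zabbix-server.te carries no record of the denial it resolves, which makes a local policy module hard to audit or retire later. Add a comment above the rule such as `# zabbix_server changes its own resource limits; see <AVC denial or issue reference>`, with the real reference filled in. The grant itself is narrow (the domain acting on itself, one permission), so nothing broader needs to change.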
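Review bot: `Optional[String[1]] $zabbix_user` in manifests/init.pp (and the same declaration in the manifests/server.pp hunk at -373) accepts any non-empty string, yet the value is written verbatim into the `User=` line of templates/zabbix-server-systemd.init.erb. A value carrying whitespace or a line break from Hiera data would change the structure of the unit file, so constrain it to an account name, for example `Optional[Pattern[/\A[a-z_][a-z0-9_-]*\z/]] $zabbix_user = $zabbix::params::server_zabbix_user,`. The body of class `zabbix` continues outside this hunk; the visible lines do not show the new parameter being passed on to `zabbix::server`, which should be confirmed.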
@@ -373,6 +373,7 @@ $sslkeylocation_dir = $zabbix::params::server_sslkeylocation, Boolean $manage_selinux = $zabbix::params::manage_selinux, String $additional_service_params = $zabbix::params::additional_service_params, + Optional[String[1]] $zabbix_user = $zabbix::params::server_zabbix_user, ) inherits zabbix::params { # the following codeblock is a bit blargh. The correct default value for @@ -457,7 +458,9 @@ pidfile => $pidfile, database_type => $database_type, server_configfile_path => $server_configfile_path, + zabbix_user => $zabbix_user, additional_service_params => $real_additional_service_params, + manage_database => $manage_database, require => Package["zabbix-server-${db}"], } @@ -468,13 +471,6 @@ } } - # Workaround for: The redhat provider can not handle attribute enable - # This is only happening when using an redhat family version 5.x. - if $::osfamily == 'redhat' and $::operatingsystemrelease !~ /^5.*/ and $manage_service { - Service[$server_service_name] { - enable => true } - } - # Controlling the 'zabbix-server' service if $pacemaker { exec { 'prevent zabbix boot-start': @@ -509,6 +505,7 @@ if $manage_service { service { $server_service_name: ensure => running, + enable => true, hasstatus => true, hasrestart => true, require => [ @@ -558,6 +555,12 @@ selboolean{'zabbix_can_network': persistent => true, value => 'on', + notify => Service[$server_service_name], + } + -> selinux::module{'zabbix-server': + ensure => 'present', + source_te => 'puppet:///modules/zabbix/zabbix-server.te', + before => Service[$server_service_name], } } } diff --git a/manifests/startup.pp b/manifests/startup.pp index c6c5f7f44..ca01b613e 100644 --- a/manifests/startup.pp +++ b/manifests/startup.pp @@ -19,6 +19,7 @@ Optional[String] $zabbix_user = undef, String $additional_service_params = '', String $service_type = 'simple', + Optional[Boolean] $manage_database = undef, ) { case $title { 
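Review bot: The added `notify => Service[$server_service_name]` and `before => Service[$server_service_name]` in the SELinux block (hunk at -558) refer to a resource that the hunk at -509 declares only inside `if $manage_service`. If this block can be reached with `manage_service => false` (the enclosing condition is outside the hunk), catalog compilation would fail on the missing relationship target. Guard the ordering, for example by dropping the two metaparameters and adding `if $manage_service { Selboolean['zabbix_can_network'] ~> Service[$server_service_name] }` together with `Selinux::Module['zabbix-server'] -> Service[$server_service_name]` in the same guard. None of the visible files declares the module that provides `selinux::module` as a dependency, which is worth confirming in metadata.json and the fixtures.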
@@ -34,6 +35,9 @@ unless $database_type { fail('you have to provide a database_type param') } + unless $manage_database { + fail('you have to provide a manage_database param') + } } default: { fail('we currently only spport a title that contains agent or server') diff --git a/spec/acceptance/server_spec.rb b/spec/acceptance/server_spec.rb new file mode 100644 index 000000000..628d97f4f --- /dev/null +++ b/spec/acceptance/server_spec.rb @@ -0,0 +1,38 @@ +require 'spec_helper_acceptance' + +describe 'zabbix::server class' do + context 'default parameters' do + # Using puppet_apply as a helper + it 'works idempotently with no errors' do + # this is a minimal working example if you've a postgres server + # running on another node. multinode testing with beaker is pain, + # so we will deploy multiple services into one box + # pp = <<-EOS + # class { 'zabbix::server': + # manage_database => false, + # } + # EOS + + # this will actually deploy apache + postgres + zabbix-server + zabbix-web + pp = <<-EOS + class { 'postgresql::server': } -> + class { 'zabbix::database': } -> + class { 'zabbix::server': } + EOS + + # Run it twice and test for idempotency + apply_manifest(pp, catch_failures: true) + apply_manifest(pp, catch_changes: true) + end + + # do some basic checks + describe package('zabbix-server-pgsql') do + it { is_expected.to be_installed } + end + + describe service('zabbix-server') do + it { is_expected.to be_running } + it { is_expected.to be_enabled } + end + end +end diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index d320676e3..1107558dc 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb 
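Review bot: `unless $manage_database` fails for an explicit `false` as well as for a missing value, because the parameter is `Optional[Boolean]` with default `undef` (hunk at -19) and both are falsy. A server declared with `manage_database => false`, the case sketched in the commented-out manifest of spec/acceptance/server_spec.rb, would abort with 'you have to provide a manage_database param'. Test for absence instead: `if $manage_database == undef { fail('you have to provide a manage_database param') }`. The enclosing `case $title` block starts and ends outside this hunk.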
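Review bot: The new acceptance test in spec/acceptance/server_spec.rb checks that `zabbix-server` is installed, running and enabled, but not which account the daemon runs as, although the same commit adds a `User=` line to the systemd template. Add a check such as `describe process('zabbix_server') do its(:user) { is_expected.to eq 'zabbix' } end`, with the expected name taken from `server_zabbix_user` for the platform under test. Separately, the comment `# this will actually deploy apache + postgres + zabbix-server + zabbix-web` does not match the manifest below it, which declares only `postgresql::server`, `zabbix::database` and `zabbix::server`.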
@@ -6,15 +6,10 @@ end on_supported_os.each do |os, facts| + next if facts[:osfamily] == 'Archlinux' # zabbix server is currently not supported on archlinux context "on #{os} " do - systemd_fact = case facts[:osfamily] - when 'Archlinux' - { systemd: true } - else - { systemd: false } - end let :facts do - facts.merge(systemd_fact) + facts end describe 'with default settings' do @@ -23,12 +18,14 @@ it { is_expected.to contain_zabbix__startup('zabbix-server') } end - describe 'with enabled selinux' do - let :facts do - super().merge(selinux: true) - end + if facts[:osfamily] == 'RedHat' + describe 'with enabled selinux' do + let :facts do + super().merge(selinux: true) + end - it { is_expected.to contain_selboolean('zabbix_can_network').with('value' => 'on', 'persistent' => true) } + it { is_expected.to contain_selboolean('zabbix_can_network').with('value' => 'on', 'persistent' => true) } + end end describe 'with disabled selinux' do diff --git a/spec/defines/startup_spec.rb b/spec/defines/startup_spec.rb index 521b24b83..6f6fcd176 100644 --- a/spec/defines/startup_spec.rb +++ b/spec/defines/startup_spec.rb @@ -107,7 +107,8 @@ let :params do { server_configfile_path: '/something', - database_type: 'mysql' + database_type: 'mysql', + manage_database: true } end @@ -159,7 +160,8 @@ server_configfile_path: '/something', pidfile: '/somethingelse', database_type: 'mysql', - additional_service_params: '--foreground' + additional_service_params: '--foreground', + manage_database: true } end 
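Review bot: The `with enabled selinux` example (hunk at -23) still asserts only the `selboolean`, while the same commit adds `selinux::module{'zabbix-server': ...}` in manifests/server.pp. Add `it { is_expected.to contain_selinux__module('zabbix-server').with_ensure('present') }` inside the RedHat-only `describe` so the policy module stays covered. The hunk ends inside `describe 'with disabled selinux'`, which would be the place for the matching `not_to` expectation.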
@@ -173,18 +175,19 @@ end it { is_expected.to contain_file('/etc/systemd/system/zabbix-server.service').with_content(%r{ExecStart=/usr/sbin/zabbix_server --foreground -c /something}) } it { is_expected.to contain_file('/etc/systemd/system/zabbix-server.service').with_content(%r{PIDFile=/somethingelse}) } - it { is_expected.to contain_file('/etc/systemd/system/zabbix-server.service').with_content(%r{After=syslog.target network.target mysqld.service}) } + it { is_expected.to contain_file('/etc/systemd/system/zabbix-server.service').with_content(%r{After=mysqld.service}) } context 'and works on postgres' do let :params do { server_configfile_path: '/something', pidfile: '/somethingelse', - database_type: 'postgres' + database_type: 'postgresql', + manage_database: true } end - it { is_expected.to contain_file('/etc/systemd/system/zabbix-server.service').with_content(%r{After=syslog.target network.target postgresql.service}) } + it { is_expected.to contain_file('/etc/systemd/system/zabbix-server.service').with_content(%r{After=postgresql.service}) } end end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 2ee33017f..b94ec1b11 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -10,4 +10,9 @@ RSpec.configure do |c| # Readable test descriptions c.formatter = :documentation + hosts.each do |host| + if host[:platform] =~ %r{el-7-x86_64} && host[:hypervisor] =~ %r{docker} + on(host, "sed -i '/nodocs/d' /etc/yum.conf") + end + end end diff --git a/templates/zabbix-server-systemd.init.erb b/templates/zabbix-server-systemd.init.erb index abca28fb4..7b0aca9b2 100644 --- a/templates/zabbix-server-systemd.init.erb +++ b/templates/zabbix-server-systemd.init.erb 
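Review bot: Every changed example in spec/defines/startup_spec.rb sets `manage_database: true`, so the template branch that emits no `After=` line is never exercised. Add a context with `manage_database: false` and `it { is_expected.not_to contain_file('/etc/systemd/system/zabbix-server.service').with_content(%r{^After=}) }`; that case would also exercise the `unless $manage_database` check added in manifests/startup.pp. The existing patterns could be tightened to `%r{^After=mysqld\.service$}` so the dot is literal and the whole line is matched.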
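Review bot: The `sed -i '/nodocs/d' /etc/yum.conf` call in spec/spec_helper_acceptance.rb has no comment saying why the acceptance run edits the host's yum configuration. Add one above the `if`, for example `# docker el7 images skip package docs; remove the nodocs setting so packages install all their files`, adjusted to the actual reason. The block runs for every host at configuration time inside `RSpec.configure`, so a reader meets it before any test context explains it.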
@@ -1,10 +1,10 @@ [Unit] Description=Zabbix Server Documentation=man:zabbix_server -<% if @database_type == "mysql" %> -After=syslog.target network.target mysqld.service -<% else %> -After=syslog.target network.target postgresql.service +<% if @database_type == "mysql" and @manage_database %> +After=mysqld.service +<% elsif @database_type == "postgresql" and @manage_database %> +After=postgresql.service <% end -%> [Service] @@ -16,6 +16,7 @@ PrivateDevices=yes PrivateTmp=yes ProtectSystem=full ProtectHome=yes +<% if @zabbix_user %>User=<%= @zabbix_user %><% end %> [Install] WantedBy=multi-user.target
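Review bot: The rewritten `[Unit]` section no longer orders the service after `network.target` in any configuration. The old lines read `After=syslog.target network.target ...`, while the new ones emit only the database unit, or no `After=` at all when `@manage_database` is false or `@database_type` is neither "mysql" nor "postgresql". A server that reaches its database over the network could then be started before networking is up at boot. Keep an unconditional `After=network.target` line above the `<% if %>`; systemd accepts several `After=` lines.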