diff --git a/.gitignore b/.gitignore
index be41323..e26240f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.sw[pon]
+hieradata/local.yaml
diff --git a/hiera.yaml b/hiera.yaml
index 5e64c6c..90e0a1e 100644
--- a/hiera.yaml
+++ b/hiera.yaml
@@ -4,4 +4,5 @@
 :yaml:
 :datadir: ./hieradata
 :hierarchy:
+ - local
 - common
diff --git a/manifests/.first.pp.swp b/manifests/.first.pp.swp
deleted file mode 100644
index 82256bc..0000000
Binary files a/manifests/.first.pp.swp and /dev/null differ
diff --git a/manifests/first.pp b/manifests/first.pp
index 671d496..baec4cb 100644
--- a/manifests/first.pp
+++ b/manifests/first.pp
@@ -51,3 +51,5 @@
 require => Exec["generate-jinfo"],
 user => 'root',
 }
+
+#### Tomcat 8
diff --git a/modules/tomcat8/files/catalina.policy b/modules/tomcat8/files/catalina.policy
new file mode 100755
index 0000000..e952110
--- /dev/null
+++ b/modules/tomcat8/files/catalina.policy
@@ -0,0 +1,198 @@ +// AUTO-GENERATED FILE from /opt/tomcat8/conf/policy.d/ + +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// ============================================================================ +// catalina.corepolicy - Security Policy Permissions for Tomcat 6 +// +// This file contains a default set of security policies to be enforced (by the +// JVM) when Catalina is executed with the "-security" option. 
In addition +// to the permissions granted here, the following additional permissions are +// granted to the codebase specific to each web application: +// +// * Read access to the document root directory +// +// $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $ +// ============================================================================ + + +// ========== SYSTEM CODE PERMISSIONS ========================================= + + +// These permissions apply to javac +grant codeBase "file:${java.home}/lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions +grant codeBase "file:${java.home}/jre/lib/ext/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/../lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions when +// ${java.home} points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/lib/ext/-" { + permission java.security.AllPermission; +}; +// These permissions apply to all JARs from Debian packages +grant codeBase "file:/usr/share/java/-" { + permission java.security.AllPermission; +}; +grant codeBase "file:/usr/share/maven-repo/-" { + permission java.security.AllPermission; +}; +grant codeBase "file:/usr/share/ant/lib/-" { + permission java.security.AllPermission; +}; +// ========== CATALINA CODE PERMISSIONS ======================================= + + +// These permissions apply to the logging API +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + //permission java.util.PropertyPermission "java.util.logging.config.class", "read"; + //permission java.util.PropertyPermission "java.util.logging.config.file", "read"; + permission java.security.AllPermission; + permission java.lang.RuntimePermission "shutdownHooks"; + permission java.io.FilePermission 
"${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; + permission java.util.PropertyPermission "catalina.base", "read"; + permission java.util.logging.LoggingPermission "control"; + permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write"; + permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; + permission java.lang.RuntimePermission "getClassLoader"; + permission java.lang.RuntimePermission "setContextClassLoader"; + // To enable per context logging configuration, permit read access to the appropriate file. + // Be sure that the logging configuration is secure before enabling such access + // eg for the examples web application: + // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; +}; + +// These permissions apply to the server startup code +grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the servlet API classes +// and those that are shared across all class loaders +// located in the "lib" directory +grant codeBase "file:${catalina.home}/lib/-" { + permission java.security.AllPermission; +}; +// ========== WEB APPLICATION PERMISSIONS ===================================== + + +// These permissions are granted by default to all web applications +// In addition, a web application will be given a read FilePermission +// and JndiPermission for all files and directories in its document root. 
+grant { + // Required for JNDI lookup of named JDBC DataSource's and + // javamail named MimePart DataSource used to send mail + permission java.util.PropertyPermission "java.home", "read"; + permission java.util.PropertyPermission "java.naming.*", "read"; + permission java.util.PropertyPermission "javax.sql.*", "read"; + + // OS Specific properties to allow read access + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.version", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "file.separator", "read"; + permission java.util.PropertyPermission "path.separator", "read"; + permission java.util.PropertyPermission "line.separator", "read"; + + // JVM properties to allow read access + permission java.util.PropertyPermission "java.version", "read"; + permission java.util.PropertyPermission "java.vendor", "read"; + permission java.util.PropertyPermission "java.vendor.url", "read"; + permission java.util.PropertyPermission "java.class.version", "read"; + permission java.util.PropertyPermission "java.specification.version", "read"; + permission java.util.PropertyPermission "java.specification.vendor", "read"; + permission java.util.PropertyPermission "java.specification.name", "read"; + + permission java.util.PropertyPermission "java.vm.specification.version", "read"; + permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; + permission java.util.PropertyPermission "java.vm.specification.name", "read"; + permission java.util.PropertyPermission "java.vm.version", "read"; + permission java.util.PropertyPermission "java.vm.vendor", "read"; + permission java.util.PropertyPermission "java.vm.name", "read"; + + // Required for OpenJMX + permission java.lang.RuntimePermission "getAttribute"; + + // Allow read of JAXP compliant XML parser debug + permission java.util.PropertyPermission "jaxp.debug", "read"; + + // Precompiled JSPs need 
access to this package. + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; + + // Example JSPs need those to work properly + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + + // Precompiled JSPs need access to this system property. + permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; + + // java.io.tmpdir should be usable as a temporary file directory + permission java.util.PropertyPermission "java.io.tmpdir", "read"; + permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete"; + +}; +// You can assign additional permissions to particular web applications by +// adding additional "grant" entries here, based on the code base for that +// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. +// +// Different permissions can be granted to JSP pages, classes loaded from +// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ +// directory, or even to individual jar files in the /WEB-INF/lib/ directory. +// +// For instance, assume that the standard "examples" application +// included a JDBC driver that needed to establish a network connection to the +// corresponding database and used the scrape taglib to get the weather from +// the NOAA web server. You might create a "grant" entries like this: +// +// The permissions granted to the context root directory apply to JSP pages. 
+// grant codeBase "file:${catalina.base}/webapps/examples/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; +// +// The permissions granted to the context WEB-INF/classes directory +// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { +// }; +// +// The permission granted to your JDBC driver +// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// }; +// The permission granted to the scrape taglib +// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; + +grant codebase "file:/installations/dspace/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:${catalina.home}/webapps/manager/-" { + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.*"; +}; diff --git a/modules/tomcat8/manifests/init.pp b/modules/tomcat8/manifests/init.pp new file mode 100644 index 0000000..4f8734a --- /dev/null +++ b/modules/tomcat8/manifests/init.pp 
@@ -0,0 +1,120 @@
+class tomcat8(
+ $install_dir = hiera('tomcat8::install_dir', '/opt' ),
+ $ensure = 'installed',
+ $from = hiera('tomcat8::from'),
+ $keypath = hiera('tomcat8::keypath'),
+ ) {
+
+ if $ensure == 'installed' {
+ # Set default exec path for this module
+ Exec { path => ['/usr/bin', '/usr/sbin', '/bin'] }
+
+ #fixed mirror, version
+ $downloadURI = "http://mirror.hosting90.cz/apache/tomcat/tomcat-8/v8.0.23/bin/apache-tomcat-8.0.23.tar.gz"
+
+ if ! defined(File[$install_dir]) {
+ file { $install_dir:
+ ensure => directory,
+ }
+ }
+
+ $installerFilename = inline_template('<%= File.basename(@downloadURI) %>')
+
+ exec { 'get_tomcat':
+ cwd => $install_dir,
+ creates => "${install_dir}/${installerFilename}",
+ command => "wget -c --no-cookies --no-check-certificate \"${downloadURI}\" -O ${installerFilename}",
+ timeout => 600,
+ require => Package['wget'],
+ }
+
+ file { "${install_dir}/${installerFilename}":
+ mode => '0755',
+ require => Exec['get_tomcat'],
+ }
+
+ if ! defined(Package['wget']) {
+ package { 'wget':
+ ensure => present,
+ }
+ }
+
+ # tarball so just extract it.
+ $dirname = regsubst($installerFilename, '(.*)\.tar\.gz', '\1')
+ exec { 'extract_tomcat':
+ cwd => "${install_dir}/",
+ command => "tar -xzf ${installerFilename}",
+ creates => "${install_dir}/${dirname}",
+ require => Exec['get_tomcat'],
+ }
+
+ file { "${install_dir}/tomcat8":
+ ensure => link,
+ target => "${install_dir}/${dirname}",
+ require => Exec['extract_tomcat'],
+ }
+
+ $var_dirs = ["/var/lib/tomcat8", "/var/lib/tomcat8/temp", "/var/lib/tomcat8/webapps",
+ "/var/log/tomcat8", "/var/cache/tomcat8", "/var/cache/tomcat8/Catalina"]
+ file {$var_dirs:
+ ensure => directory,
+ }
+ file { '/var/lib/tomcat8/logs':
+ ensure => link,
+ target => '/var/log/tomcat8',
+ }
+ file { '/var/lib/tomcat8/work':
+ ensure => link,
+ target => '/var/cache/tomcat8',
+ }
+ file { '/var/lib/tomcat8/conf':
+ ensure => link,
+ target => "${install_dir}/tomcat8/conf",
+ }
+ file{ '/var/lib/tomcat8/work/catalina.policy':
+ ensure => file,
+ source => 'puppet:///modules/tomcat8/catalina.policy',
+ }
+ exec { 'scp_policy.d':
+ command => "scp -r -i ${keypath} -o StrictHostKeyChecking=no ${from}:/opt/tomcat8/conf/policy.d ${install_dir}/tomcat8/conf/",
+ creates => "${install_dir}/tomcat8/conf/policy.d",
+ require => File["${install_dir}/tomcat8"],
+ }
+ exec { 'scp_init_script':
+ command => "scp -r -i ${keypath} -o StrictHostKeyChecking=no ${from}:/etc/init.d/tomcat8 /etc/init.d/",
+ creates => "/etc/init.d/tomcat8",
+ require => File["${install_dir}/tomcat8"],
+ notify => Exec['cleanup_init']
+ }
+ exec {'cleanup_init':
+ command => "sed -i -e \"s/tomcat6/tomcat/g\" -e \"s#/opt/\$NAME#${install_dir}/tomcat8#g\" /etc/init.d/tomcat8"
+ }
+ #user { "tomcat":
+ # ensure => present,
+ # managehome => true,
+ # shell => '/bin/bash',
+ #}
+ #service { "tomcat8":
+ # ensure => running,
+ # enable => true,
+ # reguire => Exec['scp_init_scrip'],
+ #}
+
+#probe
+#native
+#user on files
+
+
+ # Ensure that files belong to tomcat
+ #file {$java_home:
+ # recurse => true,
+ # owner => root,
+ # group => root,
+ # subscribe => Exec['extract_tomcat'],
+ #}
+
+ # Set links depending on osfamily or operating system fact
+ }
+}
+
+class { 'tomcat8':}
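Review bot: The `get_tomcat` exec fetches the Tomcat tarball over plain `http://` with `--no-check-certificate` and never verifies it, and because `creates` caches the file a tampered download would be extracted and then kept on every later run; the same trust gap applies to both `scp` execs, where `-o StrictHostKeyChecking=no` accepts any host key presented for `${from}`. Pin the download to an `https://` URL, drop `--no-check-certificate`, and add a checksum step between `get_tomcat` and `extract_tomcat` as sketched below (the digest is a placeholder to be filled from Apache's published checksum or signature for this release). For the copies, manage the source host's key with an `sshkey` resource and remove the option, e.g. `command => "scp -r -i ${keypath} ${from}:/opt/tomcat8/conf/policy.d ${install_dir}/tomcat8/conf/"`. Separately, `cleanup_init` re-runs its `sed` on every agent run because it is notified by `scp_init_script` but lacks `refreshonly => true`.
```puppet
    #fixed mirror, version (served over TLS)
    $downloadURI = "https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.23/bin/apache-tomcat-8.0.23.tar.gz"
    # Placeholder: fill from Apache's published checksum/signature for this release.
    $downloadSHA512 = '<SHA512-OF-apache-tomcat-8.0.23.tar.gz>'
    # … unchanged: install_dir directory, $installerFilename …
    exec { 'get_tomcat':
      cwd     => $install_dir,
      creates => "${install_dir}/${installerFilename}",
      command => "wget -c --no-cookies \"${downloadURI}\" -O ${installerFilename}",
      timeout => 600,
      require => Package['wget'],
    }
    # Runs once after each download; a mismatch fails the run and removes the
    # file so the next run re-fetches instead of extracting a bad archive.
    exec { 'verify_tomcat':
      cwd         => $install_dir,
      provider    => shell,
      command     => "echo '${downloadSHA512}  ${installerFilename}' | sha512sum -c - || { rm -f ${installerFilename}; exit 1; }",
      refreshonly => true,
      subscribe   => Exec['get_tomcat'],
    }
    # … unchanged: wget package, $dirname …
    exec { 'extract_tomcat':
      cwd     => "${install_dir}/",
      command => "tar -xzf ${installerFilename}",
      creates => "${install_dir}/${dirname}",
      require => Exec['verify_tomcat'],
    }
```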