From b29637b6994fc342f7caa090e174d376409ab1cf Mon Sep 17 00:00:00 2001
From: Yenni Chen
Date: Wed, 26 Feb 2020 11:40:03 +0000
Subject: [PATCH 1/9] Allow allowConnectionsWithoutCertificates option

---
 manifests/server.pp | 1 +
 manifests/server/config.pp | 1 +
 templates/mongodb.conf.2.6.erb | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/manifests/server.pp b/manifests/server.pp
index 007f52f76..93285ea26 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -69,6 +69,7 @@
 Optional[Stdlib::Absolutepath] $ssl_key = undef,
 Optional[Stdlib::Absolutepath] $ssl_ca = undef,
 Boolean $ssl_weak_cert = false,
+ Boolean $ssl_without_cert = false,
 Boolean $ssl_invalid_hostnames = false,
 Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL',
 Boolean $restart = $mongodb::params::restart,
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 486af7557..850004c7b 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -64,6 +64,7 @@
 $ssl_key = $mongodb::server::ssl_key
 $ssl_ca = $mongodb::server::ssl_ca
 $ssl_weak_cert = $mongodb::server::ssl_weak_cert
+ $ssl_without_cert = $mongodb::server::ssl_without_cert
 $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames
 $ssl_mode = $mongodb::server::ssl_mode
 $storage_engine = $mongodb::server::storage_engine
diff --git a/templates/mongodb.conf.2.6.erb b/templates/mongodb.conf.2.6.erb
index 3da682a77..8d1f932b8 100644
--- a/templates/mongodb.conf.2.6.erb
+++ b/templates/mongodb.conf.2.6.erb
@@ -117,6 +117,9 @@ net.ssl.CAFile: <%= @ssl_ca %>
 <% if @ssl_weak_cert -%>
 net.ssl.weakCertificateValidation: <%= @ssl_weak_cert %>
 <% end -%>
+<% if @ssl_without_cert -%>
+net.ssl.allowConnectionsWithoutCertificates: <%= @ssl_without_cert %>
+<% end -%>
 <% if @ssl_invalid_hostnames -%>
 net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
 <% end -%>
From 064bc8c49eb35590a2cc13631c313203b58e4ef4 Mon Sep 17 00:00:00 2001
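Review bot: `$ssl_without_cert` is added to the `mongodb::server` parameter list without a doc comment, and neither this patch nor PATCH 3/9 (`$ssl_cluster_file`, same three files) touches README.md or adds a spec case, so a reader of server.pp cannot tell what the flag relaxes. The template emits `net.ssl.allowConnectionsWithoutCertificates` only when the value is true, so the default keeps the client-certificate requirement intact; the risk is only in enabling it without understanding it. I would add above the parameter `# @param ssl_without_cert When true, mongod accepts TLS clients that present no certificate even though ssl_ca is configured; leave false unless client certificates are meant to be optional.` and a matching README entry next to `ssl_weak_cert`, plus a spec asserting the key is absent by default.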
From: Yenni Chen
Date: Wed, 26 Feb 2020 11:55:44 +0000
Subject: [PATCH 2/9] fix spacing

---
 manifests/server/config.pp | 134 ++++++++++++++++++-------------------
 1 file changed, 67 insertions(+), 67 deletions(-)

diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 850004c7b..edbfe2f64 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -1,73 +1,73 @@ # PRIVATE CLASS: do not call directly class mongodb::server::config { - $ensure = $mongodb::server::ensure - $user = $mongodb::server::user - $group = $mongodb::server::group - $config = $mongodb::server::config - $config_content = $mongodb::server::config_content - $config_template = $mongodb::server::config_template - $config_data = $mongodb::server::config_data - $dbpath = $mongodb::server::dbpath - $dbpath_fix = $mongodb::server::dbpath_fix - $pidfilepath = $mongodb::server::pidfilepath - $pidfilemode = $mongodb::server::pidfilemode - $manage_pidfile = $mongodb::server::manage_pidfile - $logpath = $mongodb::server::logpath - $logappend = $mongodb::server::logappend - $system_logrotate = $mongodb::server::system_logrotate - $fork = $mongodb::server::fork - $port = $mongodb::server::port - $journal = $mongodb::server::journal - $nojournal = $mongodb::server::nojournal - $smallfiles = $mongodb::server::smallfiles - $cpu = $mongodb::server::cpu - $auth = $mongodb::server::auth - $noath = $mongodb::server::noauth - $create_admin = $mongodb::server::create_admin - $admin_username = $mongodb::server::admin_username - $admin_password = $mongodb::server::admin_password - $handle_creds = $mongodb::server::handle_creds - $store_creds = $mongodb::server::store_creds - $rcfile = $mongodb::server::rcfile - $verbose = $mongodb::server::verbose - $verbositylevel = $mongodb::server::verbositylevel - $objcheck = $mongodb::server::objcheck - $quota = $mongodb::server::quota - $quotafiles = $mongodb::server::quotafiles - $diaglog = $mongodb::server::diaglog - $oplog_size = $mongodb::server::oplog_size - $nohints = $mongodb::server::nohints - $nohttpinterface = $mongodb::server::nohttpinterface - $noscripting = $mongodb::server::noscripting - $notablescan = $mongodb::server::notablescan - $noprealloc = $mongodb::server::noprealloc - $nssize = $mongodb::server::nssize - $mms_token = $mongodb::server::mms_token - $mms_name = $mongodb::server::mms_name - 
$mms_interval = $mongodb::server::mms_interval - $configsvr = $mongodb::server::configsvr - $shardsvr = $mongodb::server::shardsvr - $replset = $mongodb::server::replset - $rest = $mongodb::server::rest - $quiet = $mongodb::server::quiet - $slowms = $mongodb::server::slowms - $keyfile = $mongodb::server::keyfile - $key = $mongodb::server::key - $ipv6 = $mongodb::server::ipv6 - $bind_ip = $mongodb::server::bind_ip - $directoryperdb = $mongodb::server::directoryperdb - $profile = $mongodb::server::profile - $maxconns = $mongodb::server::maxconns - $set_parameter = $mongodb::server::set_parameter - $syslog = $mongodb::server::syslog - $ssl = $mongodb::server::ssl - $ssl_key = $mongodb::server::ssl_key - $ssl_ca = $mongodb::server::ssl_ca - $ssl_weak_cert = $mongodb::server::ssl_weak_cert - $ssl_without_cert = $mongodb::server::ssl_without_cert + $ensure = $mongodb::server::ensure + $user = $mongodb::server::user + $group = $mongodb::server::group + $config = $mongodb::server::config + $config_content = $mongodb::server::config_content + $config_template = $mongodb::server::config_template + $config_data = $mongodb::server::config_data + $dbpath = $mongodb::server::dbpath + $dbpath_fix = $mongodb::server::dbpath_fix + $pidfilepath = $mongodb::server::pidfilepath + $pidfilemode = $mongodb::server::pidfilemode + $manage_pidfile = $mongodb::server::manage_pidfile + $logpath = $mongodb::server::logpath + $logappend = $mongodb::server::logappend + $system_logrotate = $mongodb::server::system_logrotate + $fork = $mongodb::server::fork + $port = $mongodb::server::port + $journal = $mongodb::server::journal + $nojournal = $mongodb::server::nojournal + $smallfiles = $mongodb::server::smallfiles + $cpu = $mongodb::server::cpu + $auth = $mongodb::server::auth + $noath = $mongodb::server::noauth + $create_admin = $mongodb::server::create_admin + $admin_username = $mongodb::server::admin_username + $admin_password = $mongodb::server::admin_password + $handle_creds = 
$mongodb::server::handle_creds + $store_creds = $mongodb::server::store_creds + $rcfile = $mongodb::server::rcfile + $verbose = $mongodb::server::verbose + $verbositylevel = $mongodb::server::verbositylevel + $objcheck = $mongodb::server::objcheck + $quota = $mongodb::server::quota + $quotafiles = $mongodb::server::quotafiles + $diaglog = $mongodb::server::diaglog + $oplog_size = $mongodb::server::oplog_size + $nohints = $mongodb::server::nohints + $nohttpinterface = $mongodb::server::nohttpinterface + $noscripting = $mongodb::server::noscripting + $notablescan = $mongodb::server::notablescan + $noprealloc = $mongodb::server::noprealloc + $nssize = $mongodb::server::nssize + $mms_token = $mongodb::server::mms_token + $mms_name = $mongodb::server::mms_name + $mms_interval = $mongodb::server::mms_interval + $configsvr = $mongodb::server::configsvr + $shardsvr = $mongodb::server::shardsvr + $replset = $mongodb::server::replset + $rest = $mongodb::server::rest + $quiet = $mongodb::server::quiet + $slowms = $mongodb::server::slowms + $keyfile = $mongodb::server::keyfile + $key = $mongodb::server::key + $ipv6 = $mongodb::server::ipv6 + $bind_ip = $mongodb::server::bind_ip + $directoryperdb = $mongodb::server::directoryperdb + $profile = $mongodb::server::profile + $maxconns = $mongodb::server::maxconns + $set_parameter = $mongodb::server::set_parameter + $syslog = $mongodb::server::syslog + $ssl = $mongodb::server::ssl + $ssl_key = $mongodb::server::ssl_key + $ssl_ca = $mongodb::server::ssl_ca + $ssl_weak_cert = $mongodb::server::ssl_weak_cert + $ssl_without_cert = $mongodb::server::ssl_without_cert $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames - $ssl_mode = $mongodb::server::ssl_mode - $storage_engine = $mongodb::server::storage_engine + $ssl_mode = $mongodb::server::ssl_mode + $storage_engine = $mongodb::server::storage_engine File { owner => $user, From 15ec17e099cba0e92a4730d7eaeeae4b6d3294da Mon Sep 17 00:00:00 2001 
From: Gerric Chaplin
Date: Wed, 11 Mar 2020 17:36:22 +0000
Subject: [PATCH 3/9] Add support for net.ssl.clusterFile

---
 manifests/server.pp | 1 +
 manifests/server/config.pp | 1 +
 templates/mongodb.conf.2.6.erb | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/manifests/server.pp b/manifests/server.pp
index 93285ea26..54bf01581 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -68,6 +68,7 @@
 Optional[Boolean] $ssl = undef,
 Optional[Stdlib::Absolutepath] $ssl_key = undef,
 Optional[Stdlib::Absolutepath] $ssl_ca = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cluster_file = undef,
 Boolean $ssl_weak_cert = false,
 Boolean $ssl_without_cert = false,
 Boolean $ssl_invalid_hostnames = false,
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index edbfe2f64..4e9696299 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -63,6 +63,7 @@
 $ssl = $mongodb::server::ssl
 $ssl_key = $mongodb::server::ssl_key
 $ssl_ca = $mongodb::server::ssl_ca
+ $ssl_cluster_file = $mongodb::server::ssl_cluster_file
 $ssl_weak_cert = $mongodb::server::ssl_weak_cert
 $ssl_without_cert = $mongodb::server::ssl_without_cert
 $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames
diff --git a/templates/mongodb.conf.2.6.erb b/templates/mongodb.conf.2.6.erb
index 8d1f932b8..8eceba52d 100644
--- a/templates/mongodb.conf.2.6.erb
+++ b/templates/mongodb.conf.2.6.erb
@@ -114,6 +114,9 @@ net.ssl.PEMKeyFile: <%= @ssl_key %>
 <% if @ssl_ca -%>
 net.ssl.CAFile: <%= @ssl_ca %>
 <% end -%>
+<% if @ssl_cluster_file -%>
+net.ssl.clusterFile: <%= @ssl_cluster_file %>
+<% end -%>
 <% if @ssl_weak_cert -%>
 net.ssl.weakCertificateValidation: <%= @ssl_weak_cert %>
 <% end -%>
From 1675eeebb5621e60f5dcc942449177ae18e6db95 Mon Sep 17 00:00:00 2001
From: Arturo Noha
Date: Thu, 7 May 2020 06:11:13 +0100
Subject: [PATCH 4/9] replace ssl with tls

---
 CHANGELOG.md | 2 +-
 README.md | 4 +-
 lib/facter/is_master.rb | 29 ++--
 lib/puppet/provider/mongodb.rb | 16 +-
 lib/puppet/util/mongodb_output.rb | 4 +-
 manifests/server.pp | 4 +-
 manifests/server/config.pp | 140 ++++++++--------
 spec/classes/server_spec.rb | 6 +-
 templates/mongodb.conf.2.6.erb | 6 +
 templates/mongodb.conf.4.erb | 168 +++++++++++++++++++
 templates/opsmanager/conf-mms.properties.epp | 2 +-
 11 files changed, 282 insertions(+), 99 deletions(-)
 create mode 100644 templates/mongodb.conf.4.erb

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c88a6f553..43ca4da57 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,7 +18,7 @@ These should not affect the functionality of the module.
 - Wrong APT-key [\#546](https://github.com/voxpupuli/puppet-mongodb/issues/546)
 - Mongo 4.0.x: unable to create user [\#525](https://github.com/voxpupuli/puppet-mongodb/issues/525)
 - user creation idempotency issues [\#412](https://github.com/voxpupuli/puppet-mongodb/issues/412)
-- fix\(is\_master-fact\): use --ssl if --sslPEMKeyFile or --sslCAFile is s… [\#573](https://github.com/voxpupuli/puppet-mongodb/pull/573) ([buchstabensalat](https://github.com/buchstabensalat))
+- fix\(is\_master-fact\): use --tls if --tlsCertificateKeyFile or --tlsCAFile is s… [\#573](https://github.com/voxpupuli/puppet-mongodb/pull/573) ([buchstabensalat](https://github.com/buchstabensalat))
 - Fixed the problem: the user was not created for Mongodb 4.x [\#561](https://github.com/voxpupuli/puppet-mongodb/pull/561) ([identw](https://github.com/identw))
 - Only create database and user when mongodb\_is\_master [\#558](https://github.com/voxpupuli/puppet-mongodb/pull/558) ([JvGinkel](https://github.com/JvGinkel))
diff --git a/README.md b/README.md
index a14985dc0..273a3cbb5 100644
--- a/README.md
+++ b/README.md
@@ -535,8 +535,8 @@ Set to true to disable fqdn SSL cert check
 Default: False
 ##### `ssl_mode`
-Ssl authorization mode. Valid options are: requireSSL, preferSSL, allowSSL.
-Default: requireSSL
+Ssl authorization mode. Valid options are: requireTLS, preferTLS, allowTLS.
+Default: requireTLS
 ##### `service_manage`
 Whether or not the MongoDB service resource should be part of the catalog.
diff --git a/lib/facter/is_master.rb b/lib/facter/is_master.rb
index 2ac6e36d6..6890eb691 100644
--- a/lib/facter/is_master.rb
+++ b/lib/facter/is_master.rb
@@ -10,13 +10,14 @@ def get_options_from_hash_config(config)
 result = []
 result << "--port #{config['net.port']}" unless config['net.port'].nil?
- # use --ssl and --host if:
- # - sslMode is "requireSSL"
- # - Parameter --sslPEMKeyFile is set
- # - Parameter --sslCAFile is set
- result << "--ssl --host #{Facter.value(:fqdn)}" if config['net.ssl.mode'] == 'requireSSL' || !config['net.ssl.PEMKeyFile'].nil? || !config['net.ssl.CAFile'].nil?
- result << "--sslPEMKeyFile #{config['net.ssl.PEMKeyFile']}" unless config['net.ssl.PEMKeyFile'].nil?
- result << "--sslCAFile #{config['net.ssl.CAFile']}" unless config['net.ssl.CAFile'].nil?
+ # use --tls and --host if:
+ # - sslMode is "requireTLS"
+ # - Parameter --tlsCertificateKeyFile is set
+ # - Parameter --tlsCAFile is set
+ result << "--tls --host #{Facter.value(:fqdn)}" if config['net.tls.mode'] == 'requireTLS' || !config['net.tls.certificateKeyFile'].nil? || !config['net.tls.CAFile'].nil?
+ result << "--tlsCertificateKeyFile #{config['net.tls.certificateKeyFile']}" unless config['net.tls.certificateKeyFile'].nil?
+ result << "--tlsCAFile #{config['net.tls.CAFile']}" unless config['net.tls.CAFile'].nil?
+
 result << '--ipv6' unless config['net.ipv6'].nil?
 result.join(' ')
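Review bot: The fact now reads only `net.tls.mode`, `net.tls.certificateKeyFile` and `net.tls.CAFile`, yet config.pp in this same patch keeps rendering `net.ssl.*` through mongodb.conf.2.6.erb for 3.x servers, so on those hosts the fact silently stops emitting `--tls` and the certificate arguments and the provider falls back to an unencrypted connection attempt. The `@@ -32` hunk below and `mongo_conf` in lib/puppet/provider/mongodb.rb (the hunk after it) have the same gap: a key/value config would carry the `requireSSL` spelling, which `config['ssl'] == 'requireTLS'` can no longer match. Reading both spellings keeps existing servers working, e.g. `tls_mode = config['net.tls.mode'] || config['net.ssl.mode']` with the same fallback for the key file and CA file. As far as I recall the `--tls*` shell options only exist from the 4.2 shell onward, so an older shell would reject them outright; worth confirming before emitting them unconditionally. The comment block above the call still says `sslMode`.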
@@ -32,13 +33,13 @@ def get_options_from_keyvalue_config(file)
 result = []
 result << "--port #{config['port']}" unless config['port'].nil?
- # use --ssl and --host if:
- # - sslMode is "requireSSL"
- # - Parameter --sslPEMKeyFile is set
- # - Parameter --sslCAFile is set
- result << "--ssl --host #{Facter.value(:fqdn)}" if config['ssl'] == 'requireSSL' || !config['sslcert'].nil? || !config['sslca'].nil?
- result << "--sslPEMKeyFile #{config['sslcert']}" unless config['sslcert'].nil?
- result <<  "--sslCAFile #{config['sslca']}" unless config['sslca'].nil?
+ # use --tls and --host if:
+ # - sslMode is "requireTLS"
+ # - Parameter --tlsCertificateKeyFile is set
+ # - Parameter --tlsCAFile is set
+ result << "--tls --host #{Facter.value(:fqdn)}" if config['ssl'] == 'requireTLS' || !config['sslcert'].nil? || !config['sslca'].nil?
+ result << "--tlsCertificateKeyFile #{config['sslcert']}" unless config['sslcert'].nil?
+ result << "--tlsCAFile #{config['sslca']}" unless config['sslca'].nil?
 result << '--ipv6' unless config['ipv6'].nil?
 result.join(' ')
diff --git a/lib/puppet/provider/mongodb.rb b/lib/puppet/provider/mongodb.rb
index 56919be77..addd083d8 100644
--- a/lib/puppet/provider/mongodb.rb
+++ b/lib/puppet/provider/mongodb.rb
@@ -31,10 +31,10 @@ def self.mongo_conf
 'bindip' => config['net.bindIp'],
 'port' => config['net.port'],
 'ipv6' => config['net.ipv6'],
- 'allowInvalidHostnames' => config['net.ssl.allowInvalidHostnames'],
- 'ssl' => config['net.ssl.mode'],
- 'sslcert' => config['net.ssl.PEMKeyFile'],
- 'sslca' => config['net.ssl.CAFile'],
+ 'allowInvalidHostnames' => config['net.tls.allowInvalidHostnames'],
+ 'ssl' => config['net.tls.mode'],
+ 'sslcert' => config['net.tls.certificateKeyFile'],
+ 'sslca' => config['net.tls.CAFile'],
 'auth' => config['security.authorization'],
 'shardsvr' => config['sharding.clusterRole'],
 'confsvr' => config['sharding.clusterRole']
@@ -62,14 +62,14 @@ def self.mongo_cmd(db, host, cmd)
 args = [db, '--quiet', '--host', host]
 args.push('--ipv6') if ipv6_is_enabled(config)
- args.push('--sslAllowInvalidHostnames') if ssl_invalid_hostnames(config)
+ args.push('--tlsAllowInvalidHostnames') if ssl_invalid_hostnames(config)
 if ssl_is_enabled(config)
- args.push('--ssl')
- args += ['--sslPEMKeyFile', config['sslcert']]
+ args.push('--tls')
+ args += ['--tlsCertificateKeyFile', config['sslcert']]
 ssl_ca = config['sslca']
- args += ['--sslCAFile', ssl_ca] unless ssl_ca.nil?
+ args += ['--tlsCAFile', ssl_ca] unless ssl_ca.nil?
 end
 args += ['--eval', cmd]
diff --git a/lib/puppet/util/mongodb_output.rb b/lib/puppet/util/mongodb_output.rb
index da5ddbb68..64ac84d54 100644
--- a/lib/puppet/util/mongodb_output.rb
+++ b/lib/puppet/util/mongodb_output.rb
@@ -7,8 +7,8 @@ def self.sanitize(data)
 data.gsub!(%r{\w+\((.+?)\)}, '\1')
 data.gsub!(%r{^Error\:.+}, '')
- data.gsub!(%r{^.*warning\:.+}, '') # remove warnings if sslAllowInvalidHostnames is true
- data.gsub!(%r{^.*The server certificate does not match the host name.+}, '') # remove warnings if sslAllowInvalidHostnames is true mongo 3.x
+ data.gsub!(%r{^.*warning\:.+}, '') # remove warnings if tlsAllowInvalidHostnames is true
+ data.gsub!(%r{^.*The server certificate does not match the host name.+}, '') # remove warnings if tlsAllowInvalidHostnames is true mongo 3.x
 data
 end
 end
diff --git a/manifests/server.pp b/manifests/server.pp
index 007f52f76..e71e2fc47 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -68,9 +68,11 @@
 Optional[Boolean] $ssl = undef,
 Optional[Stdlib::Absolutepath] $ssl_key = undef,
 Optional[Stdlib::Absolutepath] $ssl_ca = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cluster_file = undef,
 Boolean $ssl_weak_cert = false,
+ Boolean $ssl_without_cert = false,
 Boolean $ssl_invalid_hostnames = false,
- Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL',
+ Enum['requireTLS', 'preferTLS', 'allowTLS'] $ssl_mode = 'requireTLS',
 Boolean $restart = $mongodb::params::restart,
 Optional[String] $storage_engine = undef,
 Boolean $create_admin = $mongodb::params::create_admin,
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 486af7557..589059012 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
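Review bot: The new `Enum['requireTLS', 'preferTLS', 'allowTLS']` rejects every existing `ssl_mode` value, and the 3.x path of config.pp still renders whatever is chosen as `net.ssl.mode:` through mongodb.conf.2.6.erb, where — if I remember the 3.x option set correctly — only the `*SSL` spellings are valid, so a 3.x server would refuse to start with the new default. Accepting both spellings in the Enum and translating to the spelling the selected template needs, with a deprecation warning on the old one, is the compatible route; CHANGELOG.md in this patch does not mention the break. Separately, the index line `007f52f76..e71e2fc47` shows this patch is based on the tree before PATCH 1/9–3/9 and re-adds `$ssl_cluster_file` and `$ssl_without_cert`, so the series will not apply in order without conflicts; the config.pp (`486af7557`) and mongodb.conf.2.6.erb (`3da682a77`) hunks of this patch carry the same duplicates.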
@@ -1,72 +1,74 @@ # PRIVATE CLASS: do not call directly class mongodb::server::config { - $ensure = $mongodb::server::ensure - $user = $mongodb::server::user - $group = $mongodb::server::group - $config = $mongodb::server::config - $config_content = $mongodb::server::config_content - $config_template = $mongodb::server::config_template - $config_data = $mongodb::server::config_data - $dbpath = $mongodb::server::dbpath - $dbpath_fix = $mongodb::server::dbpath_fix - $pidfilepath = $mongodb::server::pidfilepath - $pidfilemode = $mongodb::server::pidfilemode - $manage_pidfile = $mongodb::server::manage_pidfile - $logpath = $mongodb::server::logpath - $logappend = $mongodb::server::logappend - $system_logrotate = $mongodb::server::system_logrotate - $fork = $mongodb::server::fork - $port = $mongodb::server::port - $journal = $mongodb::server::journal - $nojournal = $mongodb::server::nojournal - $smallfiles = $mongodb::server::smallfiles - $cpu = $mongodb::server::cpu - $auth = $mongodb::server::auth - $noath = $mongodb::server::noauth - $create_admin = $mongodb::server::create_admin - $admin_username = $mongodb::server::admin_username - $admin_password = $mongodb::server::admin_password - $handle_creds = $mongodb::server::handle_creds - $store_creds = $mongodb::server::store_creds - $rcfile = $mongodb::server::rcfile - $verbose = $mongodb::server::verbose - $verbositylevel = $mongodb::server::verbositylevel - $objcheck = $mongodb::server::objcheck - $quota = $mongodb::server::quota - $quotafiles = $mongodb::server::quotafiles - $diaglog = $mongodb::server::diaglog - $oplog_size = $mongodb::server::oplog_size - $nohints = $mongodb::server::nohints - $nohttpinterface = $mongodb::server::nohttpinterface - $noscripting = $mongodb::server::noscripting - $notablescan = $mongodb::server::notablescan - $noprealloc = $mongodb::server::noprealloc - $nssize = $mongodb::server::nssize - $mms_token = $mongodb::server::mms_token - $mms_name = $mongodb::server::mms_name - 
$mms_interval = $mongodb::server::mms_interval - $configsvr = $mongodb::server::configsvr - $shardsvr = $mongodb::server::shardsvr - $replset = $mongodb::server::replset - $rest = $mongodb::server::rest - $quiet = $mongodb::server::quiet - $slowms = $mongodb::server::slowms - $keyfile = $mongodb::server::keyfile - $key = $mongodb::server::key - $ipv6 = $mongodb::server::ipv6 - $bind_ip = $mongodb::server::bind_ip - $directoryperdb = $mongodb::server::directoryperdb - $profile = $mongodb::server::profile - $maxconns = $mongodb::server::maxconns - $set_parameter = $mongodb::server::set_parameter - $syslog = $mongodb::server::syslog - $ssl = $mongodb::server::ssl - $ssl_key = $mongodb::server::ssl_key - $ssl_ca = $mongodb::server::ssl_ca - $ssl_weak_cert = $mongodb::server::ssl_weak_cert + $ensure = $mongodb::server::ensure + $user = $mongodb::server::user + $group = $mongodb::server::group + $config = $mongodb::server::config + $config_content = $mongodb::server::config_content + $config_template = $mongodb::server::config_template + $config_data = $mongodb::server::config_data + $dbpath = $mongodb::server::dbpath + $dbpath_fix = $mongodb::server::dbpath_fix + $pidfilepath = $mongodb::server::pidfilepath + $pidfilemode = $mongodb::server::pidfilemode + $manage_pidfile = $mongodb::server::manage_pidfile + $logpath = $mongodb::server::logpath + $logappend = $mongodb::server::logappend + $system_logrotate = $mongodb::server::system_logrotate + $fork = $mongodb::server::fork + $port = $mongodb::server::port + $journal = $mongodb::server::journal + $nojournal = $mongodb::server::nojournal + $smallfiles = $mongodb::server::smallfiles + $cpu = $mongodb::server::cpu + $auth = $mongodb::server::auth + $noath = $mongodb::server::noauth + $create_admin = $mongodb::server::create_admin + $admin_username = $mongodb::server::admin_username + $admin_password = $mongodb::server::admin_password + $handle_creds = $mongodb::server::handle_creds + $store_creds = 
$mongodb::server::store_creds + $rcfile = $mongodb::server::rcfile + $verbose = $mongodb::server::verbose + $verbositylevel = $mongodb::server::verbositylevel + $objcheck = $mongodb::server::objcheck + $quota = $mongodb::server::quota + $quotafiles = $mongodb::server::quotafiles + $diaglog = $mongodb::server::diaglog + $oplog_size = $mongodb::server::oplog_size + $nohints = $mongodb::server::nohints + $nohttpinterface = $mongodb::server::nohttpinterface + $noscripting = $mongodb::server::noscripting + $notablescan = $mongodb::server::notablescan + $noprealloc = $mongodb::server::noprealloc + $nssize = $mongodb::server::nssize + $mms_token = $mongodb::server::mms_token + $mms_name = $mongodb::server::mms_name + $mms_interval = $mongodb::server::mms_interval + $configsvr = $mongodb::server::configsvr + $shardsvr = $mongodb::server::shardsvr + $replset = $mongodb::server::replset + $rest = $mongodb::server::rest + $quiet = $mongodb::server::quiet + $slowms = $mongodb::server::slowms + $keyfile = $mongodb::server::keyfile + $key = $mongodb::server::key + $ipv6 = $mongodb::server::ipv6 + $bind_ip = $mongodb::server::bind_ip + $directoryperdb = $mongodb::server::directoryperdb + $profile = $mongodb::server::profile + $maxconns = $mongodb::server::maxconns + $set_parameter = $mongodb::server::set_parameter + $syslog = $mongodb::server::syslog + $ssl = $mongodb::server::ssl + $ssl_key = $mongodb::server::ssl_key + $ssl_ca = $mongodb::server::ssl_ca + $ssl_cluster_file = $mongodb::server::ssl_cluster_file + $ssl_weak_cert = $mongodb::server::ssl_weak_cert + $ssl_without_cert = $mongodb::server::ssl_without_cert $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames - $ssl_mode = $mongodb::server::ssl_mode - $storage_engine = $mongodb::server::storage_engine + $ssl_mode = $mongodb::server::ssl_mode + $storage_engine = $mongodb::server::storage_engine File { owner => $user, 
@@ -107,10 +109,14 @@
 # Template has available user-supplied data
 # - $config_data
 $cfg_content = template($config_template)
- } else {
+ } elsif $facts['mongodb_version'] != undef and $facts['mongodb_version'] =~ /^3/ {
 # Template has available user-supplied data
 # - $config_data
 $cfg_content = template('mongodb/mongodb.conf.2.6.erb')
+ } else {
+ # Template has available user-supplied data
+ # - $config_data
+ $cfg_content = template('mongodb/mongodb.conf.4.erb')
 }
 file { $config:
diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
index ffeab1355..b772fc3ca 100644
--- a/spec/classes/server_spec.rb
+++ b/spec/classes/server_spec.rb
@@ -290,11 +290,11 @@
 let :params do
 {
 ssl: true,
- ssl_mode: 'requireSSL'
+ ssl_mode: 'requireTLS'
 }
 end
- it { is_expected.to contain_file(config_file).with_content(%r{^net\.ssl\.mode: requireSSL$}) }
+ it { is_expected.to contain_file(config_file).with_content(%r{^net\.tls\.mode: requireTLS}) }
 end
 context 'disabled' do
@@ -304,7 +304,7 @@
 }
 end
- it { is_expected.not_to contain_file(config_file).with_content(%r{net\.ssl\.mode}) }
+ it { is_expected.not_to contain_file(config_file).with_content(%r{net\.tls\.mode}) }
 end
 end
diff --git a/templates/mongodb.conf.2.6.erb b/templates/mongodb.conf.2.6.erb
index 3da682a77..8eceba52d 100644
--- a/templates/mongodb.conf.2.6.erb
+++ b/templates/mongodb.conf.2.6.erb
@@ -114,9 +114,15 @@ net.ssl.PEMKeyFile: <%= @ssl_key %>
 <% if @ssl_ca -%>
 net.ssl.CAFile: <%= @ssl_ca %>
 <% end -%>
+<% if @ssl_cluster_file -%>
+net.ssl.clusterFile: <%= @ssl_cluster_file %>
+<% end -%>
 <% if @ssl_weak_cert -%>
 net.ssl.weakCertificateValidation: <%= @ssl_weak_cert %>
 <% end -%>
+<% if @ssl_without_cert -%>
+net.ssl.allowConnectionsWithoutCertificates: <%= @ssl_without_cert %>
+<% end -%>
 <% if @ssl_invalid_hostnames -%>
 net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
 <% end -%>
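Review bot: The new `elsif` keys the template on `$facts['mongodb_version']`, which only exists once mongod is installed, so on the first run (or whenever the fact is missing) the `else` branch writes mongodb.conf.4.erb with `net.tls.*` keys regardless of which version the package manager is about to install; a 3.x package then starts with options it does not know. Anything older than 3.x also lands in the 4.x branch. Deciding on the version the module is told to manage (a declared version or repo parameter, if the module has one) rather than the runtime fact closes the first-run gap; at minimum the branch deserves a comment, e.g. `# mongodb_version is unset until the package is installed; the 4.x template is the fallback`. The enclosing class continues outside the hunk.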
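Review bot: The rewritten expectation `%r{^net\.tls\.mode: requireTLS}` drops the `$` the old regex had, so a rendered value with trailing garbage would still pass; restore the anchor: `it { is_expected.to contain_file(config_file).with_content(%r{^net\.tls\.mode: requireTLS$}) }`. No spec in this patch exercises the new `ssl_cluster_file` / `ssl_without_cert` keys or the `mongodb_version`-based template selection, which is where the 3.x/4.x split is most likely to regress.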
diff --git a/templates/mongodb.conf.4.erb b/templates/mongodb.conf.4.erb
new file mode 100644
index 000000000..7919c6303
--- /dev/null
+++ b/templates/mongodb.conf.4.erb
@@ -0,0 +1,168 @@
+#mongodb.conf - generated from Puppet
+
+#System Log
+
+<% if @logpath -%>
+systemLog.path: <%= @logpath %>
+systemLog.destination: file
+<% if @logappend -%>
+systemLog.logAppend: <%= @logappend %>
+<% end -%>
+<% if @system_logrotate -%>
+systemLog.logRotate: <%= @system_logrotate %>
+<% end -%>
+<% elsif @syslog -%>
+systemLog.destination: syslog
+<% end -%>
+<% if @verbose -%>
+systemLog.quiet: false
+<% else -%>
+systemLog.quiet: true
+<% end -%>
+<% if @verbositylevel == "v" -%>
+systemLog.verbosity: 1
+<% elsif @verbositylevel == "vv" -%>
+systemLog.verbosity: 2
+<% elsif @verbositylevel == "vvv" -%>
+systemLog.verbosity: 3
+<% elsif @verbositylevel == "vvvv" -%>
+systemLog.verbosity: 4
+<% elsif @verbositylevel == "vvvvv" -%>
+systemLog.verbosity: 5
+<% end -%>
+
+#Process Management
+<% if @fork or @pidfilepath -%>
+processManagement:
+ <%- if @fork -%>
+ fork: <%= @fork %>
+ <%- end -%>
+ <%- if @pidfilepath -%>
+ pidFilePath: <%= @pidfilepath %>
+ <%- end -%>
+<% end -%>
+
+#Storage
+storage.dbPath: <%= @dbpath %>
+<% if @nojournal -%>
+storage.journal.enabled: false
+<% elsif @journal -%>
+storage.journal.enabled: true
+<% end -%>
+<% if @noprealloc -%>
+storage.preallocDataFiles: <%= !@noprealloc %>
+<% end -%>
+<% if @nssize -%>
+storage.nsSize: <%= @nssize %>
+<% end -%>
+<% if @directoryperdb -%>
+storage.directoryPerDB: <%= @directoryperdb %>
+<% end -%>
+<% if @smallfiles -%>
+storage.smallFiles: <%= @smallfiles %>
+<% end -%>
+<% if @quota -%>
+storage.quota.enforced: <%= @quota %>
+<% if @quotafiles -%>
+storage.quota.maxFilesPerDB: <%= @quotafiles %>
+<% end -%>
+<% end -%>
+<% if @storage_engine_internal -%>
+storage.engine: <%= @storage_engine_internal %>
+<% end -%>
+
+
+#Security
+<% if @auth -%>
+security.authorization: enabled
+<% else -%>
+security.authorization: disabled
+<% end -%>
+<% if @keyfile -%>
+security.keyFile: <%= @keyfile %>
+<% end -%>
+<% if @noscripting -%>
+security.javascriptEnabled: <%= @noscripting %>
+<% end -%>
+
+
+#Net
+<% if @ipv6 -%>
+net.ipv6: <%= @ipv6 %>
+<% end -%>
+<% if @bind_ip -%>
+net.bindIp: <%= @bind_ip.join(',') %>
+<% end -%>
+<% if @port -%>
+net.port: <%= @port %>
+<% end -%>
+<% if @objcheck -%>
+net.wireObjectCheck: <%= @objcheck %>
+<% end -%>
+<% if @rest -%>
+net.http.RESTInterfaceEnabled: true
+<% end -%>
+<% if @maxconns -%>
+net.maxIncomingConnections: <%= @maxconns %>
+<% end -%>
+<% if ! @nohttpinterface.nil? -%>
+net.http.enabled: <%= ! @nohttpinterface %>
+<% end -%>
+<% if @ssl -%>
+net.tls.mode: <%= @ssl_mode %>
+net.tls.certificateKeyFile: <%= @ssl_key %>
+<% if @ssl_ca -%>
+net.tls.CAFile: <%= @ssl_ca %>
+<% end -%>
+<% if @ssl_cluster_file -%>
+net.tls.clusterFile: <%= @ssl_cluster_file %>
+<% end -%>
+<% if @ssl_weak_cert -%>
+net.tls.weakCertificateValidation: <%= @ssl_weak_cert %>
+<% end -%>
+<% if @ssl_without_cert -%>
+net.tls.allowConnectionsWithoutCertificates: <%= @ssl_without_cert %>
+<% end -%>
+<% if @ssl_invalid_hostnames -%>
+net.tls.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
+<% end -%>
+<% end -%>
+
+#Replication
+<% if @replset -%>
+replication.replSetName: <%= @replset %>
+<% end -%>
+<% if @oplog_size -%>
+replication.oplogSizeMB: <%= @oplog_size %>
+<% end -%>
+
+#Sharding
+<% if @configsvr -%>
+sharding.clusterRole: configsvr
+<% end -%>
+<% if @shardsvr -%>
+sharding.clusterRole: shardsvr
+<% end -%>
+
+#Operation Profiling
+<% if @profile == "0" -%>
+operationProfiling.mode: off
+<% elsif @profile == "1" -%>
+operationProfiling.mode: slowOp
+<% elsif @profile == "2" -%>
+operationProfiling.mode: all
+<% end -%>
+<% if @slowms -%>
+operationProfiling.slowOpThresholdMs: <%= @slowms %>
+<% end -%>
+
+
+<% if @set_parameter -%>
+setParameter: <%= @set_parameter %>
+<% end -%>
+
+<% if @config_data -%>
+<% @config_data.each do |k,v| -%>
+<%= k %>: <%= v %>
+<% end -%>
+<% end -%>
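Review bot: `security.javascriptEnabled: <%= @noscripting %>` in the new template is inverted: the block only renders when `@noscripting` is truthy, so `noscripting => true` produces `security.javascriptEnabled: true`, the opposite of the requested hardening. The same file negates correctly a few sections earlier (`storage.preallocDataFiles: <%= !@noprealloc %>`), so the fix is `security.javascriptEnabled: <%= !@noscripting %>`. `net.tls.certificateKeyFile: <%= @ssl_key %>` is emitted whenever `@ssl` is set even though `$ssl_key` is `Optional` with default `undef` in server.pp, which yields a key with an empty value; wrap it in `<% if @ssl_key -%>` like the CAFile block. From memory, the MMAPv1 options carried over here (`storage.smallFiles`, `storage.nsSize`, `storage.preallocDataFiles`, `storage.quota.*`) and the `net.http.*` keys were removed in the 4.x line and make mongod reject its config file, so they probably do not belong in a 4.x-only template; please confirm against the release notes before keeping them.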
diff --git a/templates/opsmanager/conf-mms.properties.epp b/templates/opsmanager/conf-mms.properties.epp
index 9ea2aca61..5632b9337 100644
--- a/templates/opsmanager/conf-mms.properties.epp
+++ b/templates/opsmanager/conf-mms.properties.epp
@@ -26,7 +26,7 @@ mongo.ssl=<%=$mongodb::opsmanager::ssl %>
 # `mongo.ssl` is set to true.
 # CAFile - the certificate of the CA that issued the MongoDB server certificate(s)
 # PEMKeyFile - a client certificate containing a certificate and private key
-# (needed when MongoDB is running with --sslCAFile)
+# (needed when MongoDB is running with --tlsCAFile)
 # PEMKeyFilePassword - required if the `PEMKeyFile` contains an encrypted private key
 # ####################################
 mongodb.ssl.CAFile=<%=$mongodb::opsmanager::ca_file %>
From 72c5305cc72406583ae0007514b8dca7596edaf5 Mon Sep 17 00:00:00 2001
From: Arturo Noha
Date: Thu, 14 May 2020 15:02:49 +0100
Subject: [PATCH 5/9] bind ip Stdlib::Host

---
 manifests/server.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/server.pp b/manifests/server.pp
index e71e2fc47..94b54b888 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -19,7 +19,7 @@
 Variant[Boolean, String] $package_ensure = $mongodb::params::package_ensure,
 String $package_name = $mongodb::params::server_package_name,
 Variant[Boolean, Stdlib::Absolutepath] $logpath = $mongodb::params::logpath,
- Array[Stdlib::Compat::Ip_address] $bind_ip = $mongodb::params::bind_ip,
+ Array[Stdlib::Host] $bind_ip = $mongodb::params::bind_ip,
 Optional[Boolean] $ipv6 = undef,
 Boolean $logappend = true,
 Optional[String] $system_logrotate = undef,
From 8bc44d311f31d389aabc8a35fa6554967af0ad81 Mon Sep 17 00:00:00 2001
From: Allan Briffa
Date: Thu, 23 Feb 2023 09:40:54 +0000
Subject: [PATCH 6/9] Add repo GPG keys for newer versions

---
 manifests/repo.pp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/manifests/repo.pp b/manifests/repo.pp
index bf303dc72..1f6ac7baf 100644
--- a/manifests/repo.pp
+++ b/manifests/repo.pp
@@ -57,6 +57,9 @@
 default => undef
 }
 $key = "${mongover[0]}.${mongover[1]}" ? {
+ '6.0' => '39BD841E4BE5FB195A65400E6A26B1AE64C3C388',
+ '5.0' => 'F5679A222C647C87527C2F8CB00A0BD1E2C63C11',
+ '4.4' => '20691EEC35216C63CAF66CE1656408E390CFB1F5',
 '4.2' => 'E162F504A20CDF15827F718D4B7C549A058F8B6B',
 '4.0' => '9DA31620334BD75D9DCB49F368818C72E52529D4',
 '3.6' => '2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5',
From 52244c6f979758af783be776dee258aeb158f352 Mon Sep 17 00:00:00 2001
From: Allan Briffa
Date: Mon, 27 Feb 2023 12:10:35 +0000
Subject: [PATCH 7/9] Compatibility for secondaryOk in new releases

---
 lib/puppet/provider/mongodb_database/mongodb.rb | 4 +++-
 spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/mongodb_database/mongodb.rb b/lib/puppet/provider/mongodb_database/mongodb.rb
index d7ec407f1..b306b9395 100644
--- a/lib/puppet/provider/mongodb_database/mongodb.rb
+++ b/lib/puppet/provider/mongodb_database/mongodb.rb
@@ -6,7 +6,9 @@ def self.instances
 require 'json'
- dbs = JSON.parse mongo_eval('rs.slaveOk();printjson(db.getMongo().getDBs())')
+
+ pre_cmd = 'try { rs.secondaryOk() } catch (err) { rs.slaveOk() }'
+ dbs = JSON.parse mongo_eval(pre_cmd + ';printjson(db.getMongo().getDBs())')
 dbs['databases'].map do |db|
 new(name: db['name'],
diff --git a/spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb b/spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb
index 0e313d853..f87b108a3 100644
--- a/spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb
+++ b/spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb
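Review bot: The three fingerprints added for `6.0`, `5.0` and `4.4` are the trust anchor for every package the repository installs, and nothing in the hunk records where they were taken from or how they were checked, so a reviewer cannot tell a typo from a substituted key. Add a provenance comment above the selector, e.g. `# Fingerprints copied from <vendor key page URL>; re-verify against the published key when adding a release`, and a spec that pins the `6.0` selection so a future edit cannot silently shift the mapping. Unknown versions still fall through to `default => undef` in the context above, which deserves a one-line comment stating whether an unsigned repository is the intended outcome.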
@@ -36,7 +36,7 @@ tmp = Tempfile.new('test') mongodconffile = tmp.path allow(provider.class).to receive(:mongod_conf_file).and_return(mongodconffile) - allow(provider.class).to receive(:mongo_eval).with('rs.slaveOk();printjson(db.getMongo().getDBs())').and_return(raw_dbs) + allow(provider.class).to receive(:mongo_eval).with('try { rs.secondaryOk() } catch (err) { rs.slaveOk() };printjson(db.getMongo().getDBs())').and_return(raw_dbs) allow(provider.class).to receive(:db_ismaster).and_return(true) end From 8a02e5eabdde6429e3b1a4348fb11270912286fe Mon Sep 17 00:00:00 2001 From: Allan Briffa Date: Thu, 2 Mar 2023 12:01:14 +0000 Subject: [PATCH 8/9] Add SecondaryOk syntax support for monorc.js --- templates/mongorc.js.erb | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/templates/mongorc.js.erb b/templates/mongorc.js.erb index d4f8b3dad..320476b5e 100644 --- a/templates/mongorc.js.erb +++ b/templates/mongorc.js.erb @@ -25,10 +25,16 @@ function authRequired() { } if (authRequired()) { + <%- if @replset -%> + // rs.slaveOk has been deprecated, use secondaryOk if available try { -<% if @replset -%> + rs.secondaryOk() + } + catch (err) { rs.slaveOk() -<% end -%> + } + <%- end -%> + try { var prev_db = db db = db.getSiblingDB('admin') db.auth('<%= @admin_username %>', '<%= @admin_password %>') From 281c305a910bd569781b8becd8014834896278d7 Mon Sep 17 00:00:00 2001 From: Allan Briffa Date: Mon, 27 Mar 2023 14:09:08 +0100 Subject: [PATCH 9/9] Fix for Percona shell not obeying quiet flag --- lib/puppet/provider/mongodb.rb | 29 ++++++++++++++++++++- lib/puppet/provider/mongodb_user/mongodb.rb | 2 +- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/lib/puppet/provider/mongodb.rb b/lib/puppet/provider/mongodb.rb index addd083d8..f88574c36 100644 --- a/lib/puppet/provider/mongodb.rb +++ b/lib/puppet/provider/mongodb.rb 
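Review bot: Moving the `rs.slaveOk()` fallback into a `catch` changes where its failure goes: before this change it ran inside the `try` that also wraps `db.auth(...)`, whereas now an exception thrown by `rs.slaveOk()` inside `catch (err)` escapes the new block entirely, because the fresh `try {` only opens afterwards; whether the outer `try`'s own `catch` still follows is outside the hunk. If the intent is simply to prefer the newer call, test for it instead of relying on an exception: `if (typeof rs.secondaryOk === 'function') { rs.secondaryOk() } else { rs.slaveOk() }`. The unused `err` binding then disappears as well.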
@@ -73,7 +73,7 @@ def self.mongo_cmd(db, host, cmd) end args += ['--eval', cmd] - mongo(args) + percona_clean(mongo(args)) end def self.conn_string @@ -157,6 +157,15 @@ def mongo_eval(cmd, db = 'admin', retries = 10, host = nil) self.class.mongo_eval(cmd, db, retries, host) end + def self.percona_clean(result) + if result.include? "Started a new thread for the timer service" + lines = result.split("\n") + lines.shift + result = lines.join("\n") + end + return result + end + # Mongo Version checker def self.mongo_version @mongo_version ||= mongo_eval('db.version()') @@ -183,4 +192,22 @@ def self.mongo_4? def mongo_4? self.class.mongo_4? end + + def self.mongo_5? + v = mongo_version + !v[%r{^5\.}].nil? + end + + def mongo_5? + self.class.mongo_5? + end + + def self.mongo_6? + v = mongo_version + !v[%r{^5\.}].nil? + end + + def mongo_6? + self.class.mongo_6? + end end diff --git a/lib/puppet/provider/mongodb_user/mongodb.rb b/lib/puppet/provider/mongodb_user/mongodb.rb index b86beb694..64ffc3329 100644 --- a/lib/puppet/provider/mongodb_user/mongodb.rb +++ b/lib/puppet/provider/mongodb_user/mongodb.rb @@ -53,7 +53,7 @@ def create digestPassword: false } - if mongo_4? + if mongo_4? || mongo_5? || mongo_6? # SCRAM-SHA-256 requires digestPassword to be true. command[:mechanisms] = ['SCRAM-SHA-1'] end
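Review bot: `percona_clean` checks for the timer-service message anywhere in `result` but then unconditionally drops only the first line, so if the message is not on the first line, or the shell prints it more than once, a line of real output is discarded and the noise stays, and any caller that parses the output sees a corrupted payload. Filter by content rather than position: replace `lines = result.split("\n")` and `lines.shift` with `lines = result.split("\n").reject { |l| l.include?('Started a new thread for the timer service') }`, which also lets the explicit `return` go. Since `mongo_cmd` now routes every shell invocation through this cleaner, the matched string is effectively part of the provider's contract with the Percona shell and deserves a one-line comment saying so.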
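Review bot: `mongo_6?` tests `%r{^5\.}`, a copy of the pattern in `mongo_5?`, so it returns true on a 5.x server and false on 6.x; it should read `!v[%r{^6\.}].nil?`. Both predicates anchor with `^`, which in Ruby matches at any line start, so prefer `\A` if the output of `mongo_version` can ever carry more than one line, as the Percona banner this same patch strips shows it can; `mongo_4?` above the hunk presumably shares the pattern. The three near-identical pairs would collapse into one `mongo_major?(n)` helper, but that can be a follow-up.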
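Review bot: The condition `mongo_4? || mongo_5? || mongo_6?` grows by one predicate per major release and, as the patch stands, still leaves 6.x uncovered because `mongo_6?` matches a 5.x version string (see the provider hunk), so a 6.x server gets no `mechanisms` entry while `digestPassword` stays false. A version floor avoids both problems: `if Gem::Version.new(self.class.mongo_version) >= Gem::Version.new('4.0')`, assuming this provider inherits the class-level `mongo_version` helper and that it returns a bare `x.y.z` string. The rest of `create` is outside the hunk.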
