From: Javier BĂ©rtoli Date: Tue, 3 Nov 2020 20:31:57 +0000 (-0300) Subject: feat(distro): add centos-7 support X-Git-Url: https://git.arvados.org/arvados-formula.git/commitdiff_plain/ba5e37ebc18049d4340388fc0c19dcb2a78d6a86 feat(distro): add centos-7 support --- diff --git a/.salt-lint b/.salt-lint index 2389f56..469c14e 100644 --- a/.salt-lint +++ b/.salt-lint @@ -7,6 +7,7 @@ rules: ignore: | arvados/shell/config/files/default/shell-libpam-arvados.tmpl.jinja test/salt/pillar/examples/nginx_webshell_configuration.sls + test/salt/pillar/examples/nginx_passenger.sls skip_list: # Using `salt-lint` for linting other files as well, such as Jinja macros/templates - 205 # Use ".sls" as a Salt State file extension diff --git a/.travis.yml b/.travis.yml index fcca481..ba356a2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -106,7 +106,7 @@ jobs: - env: INSTANCE=workbench-ubuntu-1804-master-py3 - env: INSTANCE=api-debian-10-3001-py3 # - env: INSTANCE=keepstore-debian-10-3001-py3 - - env: INSTANCE=shell-debian-10-3001-py3 + # - env: INSTANCE=shell-debian-10-3001-py3 # - env: INSTANCE=workbench-debian-10-3001-py3 # - env: INSTANCE=api-debian-9-3001-py3 # - env: INSTANCE=keepstore-debian-9-3001-py3 @@ -122,7 +122,7 @@ jobs: # - env: INSTANCE=workbench-ubuntu-1804-3001-py3 # - env: INSTANCE=api-centos-7-3001-py3 # - env: INSTANCE=keepstore-centos-7-3001-py3 - # - env: INSTANCE=shell-centos-7-3001-py3 + - env: INSTANCE=shell-centos-7-3001-py3 # - env: INSTANCE=workbench-centos-7-3001-py3 # - env: INSTANCE=api-debian-10-3000-3-py3 # - env: INSTANCE=keepstore-debian-10-3000-3-py3 
@@ -137,11 +137,11 @@ jobs: # - env: INSTANCE=shell-ubuntu-1804-3000-3-py3 # - env: INSTANCE=workbench-ubuntu-1804-3000-3-py3 # - env: INSTANCE=api-centos-7-3000-3-py3 - # - env: INSTANCE=keepstore-centos-7-3000-3-py3 + - env: INSTANCE=keepstore-centos-7-3000-3-py3 # - env: INSTANCE=shell-centos-7-3000-3-py3 # - env: INSTANCE=workbench-centos-7-3000-3-py3 # - env: INSTANCE=api-ubuntu-1804-3000-3-py2 - - env: INSTANCE=keepstore-ubuntu-1804-3000-3-py2 + # - env: INSTANCE=keepstore-ubuntu-1804-3000-3-py2 # - env: INSTANCE=shell-ubuntu-1804-3000-3-py2 # - env: INSTANCE=workbench-ubuntu-1804-3000-3-py2 diff --git a/arvados/api/package/install.sls b/arvados/api/package/install.sls index 63cf427..c157acd 100644 --- a/arvados/api/package/install.sls +++ b/arvados/api/package/install.sls @@ -4,16 +4,17 @@ {#- Get the `tplroot` from `tpldir` #} {%- set tplroot = tpldir.split('/')[0] %} {%- set sls_config_file = tplroot ~ '.config.file' %} +{%- set sls_ruby_install = tplroot ~ '.ruby.package.install' %} {%- from tplroot ~ "/map.jinja" import arvados with context %} -# The API server requires a valid config BEFORE installing... +{%- if arvados.ruby.manage_ruby %} + {%- set ruby_dep = 'rvm' if arvados.ruby.use_rvm else 'pkg' %} +{%- endif %} + include: + # The API server requires a valid config BEFORE installing... - {{ sls_config_file }} - -arvados-api-package-install-ruby-pkg-installed: - pkg.installed: - - name: {{ arvados.ruby.pkg }} - - only_if: test "{{ arvados.ruby.manage_ruby | lower }}" = "true" + - {{ sls_ruby_install }} arvados-api-package-install-gems-deps-pkg-installed: pkg.installed: @@ -26,6 +27,9 @@ arvados-api-package-install-gem-{{ gm }}-installed: - name: {{ gm }} - require: - pkg: arvados-api-package-install-gems-deps-pkg-installed + {%- if arvados.ruby.manage_ruby %} + - {{ ruby_dep }}: arvados-ruby-package-install-ruby-{{ ruby_dep }}-installed + {%- endif %} - require_in: - pkg: arvados-api-package-install-pkg-installed {% endfor %} 
diff --git a/arvados/defaults.yaml b/arvados/defaults.yaml index 31f805e..da441d0 100644 --- a/arvados/defaults.yaml +++ b/arvados/defaults.yaml @@ -12,6 +12,7 @@ arvados: ruby: manage_ruby: false pkg: ruby + use_rvm: false manage_gems_deps: false gems_deps: @@ -140,6 +141,7 @@ arvados: name: nginx # just for reference, is where the upstream is configured port: 9000 + ##### WORKBENCH2 workbench2: pkg: diff --git a/arvados/dispatcher/package/install.sls b/arvados/dispatcher/package/install.sls index 4c9c8ad..ec76dab 100644 --- a/arvados/dispatcher/package/install.sls +++ b/arvados/dispatcher/package/install.sls @@ -9,3 +9,14 @@ arvados-dispatcher-package-install-pkg-installed: pkg.installed: - name: {{ arvados.dispatcher.pkg.name }} - version: {{ arvados.version }} + +# FIXME! Until https://dev.arvados.org/issues/16995 makes it to +# a new release, this is required so the dependency is installed +{%- if arvados.dispatcher.pkg.name == 'crunch-dispatch-local' %} +arvados-dispatcher-package-install-crunch-run-pkg-installed: + pkg.installed: + - name: crunch-run + - require: + - pkg: arvados-dispatcher-package-install-pkg-installed + - version: {{ arvados.version }} +{%- endif %} diff --git a/arvados/files/default/config.tmpl.jinja b/arvados/files/default/config.tmpl.jinja index 46923cd..fc01a13 100644 --- a/arvados/files/default/config.tmpl.jinja +++ b/arvados/files/default/config.tmpl.jinja @@ -66,7 +66,6 @@ Clusters: ### DATABASE CONFIGURATION PostgreSQL: - # FIXME!!!!!! ALL as database or using Arvados' PostgreSQL ?? ConnectionPool: {{ arvados.cluster.database.connection_pool_max }} Connection: # All parameters here are passed to the PG client library in a connection string; 
@@ -76,9 +75,9 @@ Clusters: password: {{ arvados.cluster.database.password | yaml_encode }} user: {{ arvados.cluster.database.user }} client_encoding: {{ arvados.cluster.database.client_encoding }} - {%- if 'PostgreSQL' in arvados.cluster %} - {{ arvados.cluster.PostgreSQL | yaml(False) | indent(6) }} - {%- endif %} + {%- if arvados.cluster.database.extra_conn_params is defined %} + {{ arvados.cluster.database.extra_conn_params | yaml(False) | indent(8) }} + {%- endif %} ### SERVICES URLs Services: diff --git a/arvados/osfamilymap.yaml b/arvados/osfamilymap.yaml index ab316cb..d6e9df1 100644 --- a/arvados/osfamilymap.yaml +++ b/arvados/osfamilymap.yaml @@ -24,6 +24,7 @@ RedHat: ruby: manage_ruby: true + use_rvm: true pkg: ruby-2.5.7 gems_deps: @@ -41,3 +42,9 @@ RedHat: - python3-devel - ruby-devel - zlib-devel + ##### SHELL + shell: + shellinabox: + config: /etc/sysconfig/shellinaboxd + service: + name: shellinaboxd diff --git a/arvados/ruby/package/install.sls b/arvados/ruby/package/install.sls index 2200176..c76c043 100644 --- a/arvados/ruby/package/install.sls +++ b/arvados/ruby/package/install.sls 
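Review bot: `pkg: ruby-2.5.7` under `RedHat.ruby` pins the RVM build to one exact patch release, and 2.5.7 was no longer the newest 2.5.x when this commit was made (Nov 2020); later 2.5 patch releases carry security fixes and the 2.5 branch itself is near end of life. Because `rvm.installed` compiles exactly the version named here, the pin silently freezes those fixes out of every CentOS host the formula builds. Consider moving to the latest patch release Arvados supports (2.5.8 at the time, if that is what the packages target — worth confirming) and marking the line so it gets bumped on security releases, e.g. `pkg: ruby-2.5.8  # keep at the latest 2.5.x patch release; RVM builds exactly this version`.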
@@ -6,8 +6,42 @@ {%- from tplroot ~ "/map.jinja" import arvados with context %} {%- if arvados.ruby.manage_ruby %} + + {%- if arvados.ruby.use_rvm %} + # Centos 7 has no python3-gnupg package, so using gpg.present + # will fail when it can't list the existing keys. + # Doing it the hard way +arvados-ruby-package-install-gpg-cmd-run-gpg-michal-papis: + cmd.run: + - name: /bin/gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 + - unless: + - /bin/gpg --list-keys 409B6B1796C275462A1703113804BB82D39DC0E3 + +arvados-ruby-package-install-gpg-cmd-run-gpg-piotr-kuczynski: + cmd.run: + - name: /bin/gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB + - unless: + - /bin/gpg --list-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB + +arvados-ruby-package-install-rvm-cmd-run-curl: + cmd.run: + - name: curl -s -L http://get.rvm.io | bash -s stable + - unless: test -f /usr/local/rvm/bin/rvm + - require: + - cmd: arvados-ruby-package-install-gpg-cmd-run-gpg-michal-papis + - cmd: arvados-ruby-package-install-gpg-cmd-run-gpg-piotr-kuczynski + +arvados-ruby-package-install-ruby-rvm-installed: + rvm.installed: + - name: {{ arvados.ruby.pkg }} + - default: true + - require: + - cmd: arvados-ruby-package-install-rvm-cmd-run-curl + + {%- else %} + arvados-ruby-package-install-ruby-pkg-installed: pkg.installed: - name: {{ arvados.ruby.pkg }} - - require_in: arvados-ruby-package-install-ruby-profile-installed + {%- endif %} {%- endif %} diff --git a/arvados/shell/config/files/RedHat/shell-shellinabox.tmpl.jinja b/arvados/shell/config/files/RedHat/shell-shellinabox.tmpl.jinja new file mode 100644 index 0000000..3fe0e3c --- /dev/null +++ b/arvados/shell/config/files/RedHat/shell-shellinabox.tmpl.jinja 
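Review bot: `curl -s -L http://get.rvm.io | bash -s stable` in `arvados-ruby-package-install-rvm-cmd-run-curl` fetches the installer over plain HTTP and pipes it straight into a root shell, so anyone on the network path can substitute the script; the two GPG keys imported just above only let the installer verify the RVM tarball, not the installer itself. At minimum switch to TLS and fail on HTTP errors rather than feeding an error page to bash: `- name: curl -sSfL https://get.rvm.io | bash -s stable`. Stronger: download the installer and its detached signature to a temp file, `gpg --verify` them against the keys already imported, and only then execute it — RVM publishes an `.asc` next to `rvm-installer` for exactly this purpose (confirm the current URL before relying on it). The `hkp://keyserver.ubuntu.com` fetches are unauthenticated as well; `hkps://` works with the same invocation, and the full fingerprints only protect you if the installed gpg rejects a mismatching key on `--recv-keys`, which is worth confirming on CentOS 7's gpg 2.0.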
@@ -0,0 +1,11 @@ +######################################################################## +# File managed by Salt at <{{ source }}>. +# Your changes will be overwritten. +######################################################################## +USER=shellinabox +GROUP=shellinabox +CERTDIR=/var/lib/shellinabox +# TCP port that shellinboxd's webserver listens on +PORT={{ arvados.shell.shellinabox.service.port }} +# SSL is disabled because it is terminated in Nginx. Adjust as needed. +OPTS="--disable-ssl --no-beep --service=/shell.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}:SSH" diff --git a/arvados/shell/package/install.sls b/arvados/shell/package/install.sls index d2de401..8ebfd59 100644 --- a/arvados/shell/package/install.sls +++ b/arvados/shell/package/install.sls @@ -6,6 +6,10 @@ {%- set sls_ruby_install = tplroot ~ '.ruby.package.install' %} {%- from tplroot ~ "/map.jinja" import arvados with context %} +{%- if arvados.ruby.manage_ruby %} + {%- set ruby_dep = 'rvm' if arvados.ruby.use_rvm else 'pkg' %} +{%- endif %} + include: - {{ sls_ruby_install }} @@ -38,15 +42,8 @@ arvados-shell-package-install-gem-{{ gm }}-installed: gem.installed: - name: {{ gm }} - require: - - pkg: arvados-shell-package-install-gems-deps-pkg-installed {%- if arvados.ruby.manage_ruby %} - {%- if salt['grains.get']('osfinger') != 'CentOS Linux-7' %} - - pkg: arvados-ruby-package-install-ruby-pkg-installed - {%- else %} - # - rvm: arvados-ruby-package-install-ruby-gemset-present - - rvm: arvados-ruby-package-install-ruby-rvm-installed - # - rvm: gemset_present - # - ruby: ruby-2.5.7@arvados - {%- endif %} + - {{ ruby_dep }}: arvados-ruby-package-install-ruby-{{ ruby_dep }}-installed {%- endif %} + - pkg: arvados-shell-package-install-gems-deps-pkg-installed {% endfor %} diff --git a/arvados/workbench/package/install.sls b/arvados/workbench/package/install.sls index 7487a60..cbda268 100644 --- a/arvados/workbench/package/install.sls +++ b/arvados/workbench/package/install.sls 
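Review bot: `OPTS` in the new RedHat sysconfig template starts shellinaboxd with `--disable-ssl` but without `--localhost-only`, so on CentOS the plaintext terminal session is served on `PORT` to every interface, not only to the nginx instance that is supposed to terminate TLS in front of it. Unless the port is firewalled elsewhere, bind it to loopback: `OPTS="--disable-ssl --no-beep --localhost-only --service=/shell.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}:SSH"`. The service definition also differs from the Debian side (`:SSH` here versus `:AUTH:HOME:SHELL` in the Debian stanza of the shell spec), which means logins go through the local sshd and its PAM stack rather than shellinabox's own; it is worth confirming that the `pam_arvados` configuration the formula manages is still reached on that path, or adding a comment explaining why `SSH` was chosen for CentOS.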
@@ -4,16 +4,17 @@ {#- Get the `tplroot` from `tpldir` #} {%- set tplroot = tpldir.split('/')[0] %} {%- set sls_config_file = tplroot ~ '.config.file' %} +{%- set sls_ruby_install = tplroot ~ '.ruby.package.install' %} {%- from tplroot ~ "/map.jinja" import arvados with context %} -# The workbench server requires a valid config BEFORE installing... +{%- if arvados.ruby.manage_ruby %} + {%- set ruby_dep = 'rvm' if arvados.ruby.use_rvm else 'pkg' %} +{%- endif %} + include: + # The workbench server requires a valid config BEFORE installing... - {{ sls_config_file }} - -arvados-workbench-package-install-ruby-pkg-installed: - pkg.installed: - - name: {{ arvados.ruby.pkg }} - - only_if: test "{{ arvados.ruby.manage_ruby | lower }}" = "true" + - {{ sls_ruby_install }} arvados-workbench-package-install-gems-deps-pkg-installed: pkg.installed: diff --git a/kitchen.yml b/kitchen.yml index b55392b..0a9c7ab 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -39,6 +39,10 @@ platforms: driver: image: saltimages/salt-master-py3:ubuntu-18.04 + - name: amazonlinux-2-3001-py3 + driver: + image: saltimages/salt-3001-py3:amazonlinux-2 + ## SALT `3001` - name: debian-10-3001-py3 driver: @@ -105,13 +109,11 @@ suites: - nginx.passenger - postgres - arvados.repo - # - arvados.config - # - arvados.ruby - arvados.api - arvados.websocket # keepproxy complains when using snakeoil certs, so we can't # properly test it here until next version removes this limitation - # - arvados.keepproxy + - arvados.keepproxy - arvados.keepweb - arvados.controller - arvados.dispatcher @@ -129,7 +131,7 @@ suites: - example_nginx_controller # keepproxy expects to retrieve a list of services from API, so # installing/testing it without an api server running will fail - # - example_nginx_keepproxy + - example_nginx_keepproxy pillars_from_files: # yamllint disable rule:line-length arvados.sls: test/salt/pillar/arvados.sls 
@@ -139,7 +141,7 @@ suites: example_nginx_api.sls: test/salt/pillar/examples/nginx_api_configuration.sls example_nginx_websocket.sls: test/salt/pillar/examples/nginx_websocket_configuration.sls example_nginx_keepweb.sls: test/salt/pillar/examples/nginx_keepweb_configuration.sls - # example_nginx_keepproxy.sls: test/salt/pillar/examples/nginx_keepproxy_configuration.sls + example_nginx_keepproxy.sls: test/salt/pillar/examples/nginx_keepproxy_configuration.sls example_nginx_controller.sls: test/salt/pillar/examples/nginx_controller_configuration.sls # yamllint enable rule:line-length dependencies: @@ -158,7 +160,7 @@ suites: inspec_tests: - path: test/integration/api - path: test/integration/websocket - # - path: test/integration/keepproxy + - path: test/integration/keepproxy - path: test/integration/keepweb - path: test/integration/controller @@ -195,7 +197,7 @@ suites: path: test/salt/states - name: nginx repo: git - source: https://github.com/saltstack-formulas/nginx-formula.git + source: https://github.com/netmanagers/nginx-formula.git verifier: inspec_tests: - path: test/integration/workbench diff --git a/pillar.example b/pillar.example index 7bdfe98..3fc4b8b 100644 --- a/pillar.example +++ b/pillar.example @@ -26,8 +26,9 @@ arvados: ## We set these to `true` here for testing purposes. ## They both default to `false`. manage_ruby: true + use_rvm: false # If you want to use rvm. Defaults to true for centos-7 + # pkg: ruby # Can specify a version like ruby-2.5.7 for rvm manage_gems_deps: true - # pkg: ruby # gems_deps: # - curl # - g++ @@ -66,6 +67,12 @@ arvados: user: arvados encoding: en_US.utf8 client_encoding: UTF8 + # You can pass extra database connections parameters here, + # which will be rendered as yaml. + # extra_conn_params: + # sslmode: prefer + # verify-ca: false + tls: # certificate: '' diff --git a/test/integration/api/controls/config_spec.rb b/test/integration/api/controls/config_spec.rb index 7ad922f..5d8afc4 100644 
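Review bot: the `nginx` dependency's `source` now points at a personal fork (`netmanagers/nginx-formula`) and, as far as this hunk shows, no branch or commit is pinned, so each kitchen run pulls whatever that fork's default branch currently holds and applies it as root inside the test instance. If the fork is needed for CentOS support, pin the ref the suite was validated against (kitchen-salt's git dependencies accept a branch/ref key — confirm the exact name for the installed version) and add a comment naming the upstream change so the source can be flipped back to `saltstack-formulas/nginx-formula` once it is merged.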
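Review bot: the new `extra_conn_params` example in `pillar.example` lists `verify-ca: false`, but `verify-ca` is not a libpq connection parameter — it is one of the possible values of `sslmode` — so copying the example as written would hand an unknown parameter to the PostgreSQL client library. `sslmode: prefer` is also libpq's default and silently falls back to plaintext when the server does not offer TLS, so it is not a useful hardening example. Suggest the commented example read `#   sslmode: verify-full` and `#   sslrootcert: /path/to/ca.crt`, plus a one-line note that `sslmode: disable` belongs only in throwaway test environments (the test pillar in this commit does that for CentOS and says so).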
--- a/test/integration/api/controls/config_spec.rb +++ b/test/integration/api/controls/config_spec.rb @@ -11,13 +11,20 @@ rails_stanza = <<-RAILS_STANZA http://127.0.0.2:8004: {} RAILS_STANZA +group = case os[:name] + when 'centos' + 'nginx' + when 'debian', 'ubuntu' + 'www-data' + end + control 'arvados configuration' do title 'should match desired api lines' describe file('/etc/arvados/config.yml') do it { should be_file } it { should be_owned_by 'root' } - it { should be_grouped_into 'www-data' } + it { should be_grouped_into group } its('mode') { should cmp '0640' } its('content') do should include( diff --git a/test/integration/api/controls/services_spec.rb b/test/integration/api/controls/services_spec.rb index 26d004c..83b23eb 100644 --- a/test/integration/api/controls/services_spec.rb +++ b/test/integration/api/controls/services_spec.rb @@ -10,7 +10,16 @@ control 'arvados api service' do end describe port(8004) do + proc = case os[:name] + when 'centos' + # Centos ps adds an extra colon and the end of the process + # probably a bug + 'nginx:' + when 'debian', 'ubuntu' + 'nginx' + end + it { should be_listening } - its('processes') { should include 'nginx' } + its('processes') { should cmp proc } end end diff --git a/test/integration/controller/controls/config_spec.rb b/test/integration/controller/controls/config_spec.rb index c3bc176..d885e9b 100644 --- a/test/integration/controller/controls/config_spec.rb +++ b/test/integration/controller/controls/config_spec.rb @@ -18,6 +18,13 @@ volumes_stanza = <<-VOLUMES_STANZA Replication: 2 VOLUMES_STANZA +group = case os[:name] + when 'centos' + 'nginx' + when 'debian', 'ubuntu' + 'www-data' + end + control 'arvados configuration' do title 'should match desired controller lines' 
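Review bot: the new `group = case os[:name]` has no `else`, so on any platform other than centos/debian/ubuntu — including the `amazonlinux-2` platform this same commit adds to `kitchen.yml`, where `os[:name]` is not `centos` — `group` is `nil` and `be_grouped_into group` fails with a confusing message rather than pointing at the unmapped OS. Keying on the family instead covers the RedHat-like platforms in one line: `group = os.redhat? ? 'nginx' : 'www-data'`; if you prefer the explicit case, add `else raise "unmapped os: #{os[:name]}"`. The same pattern is copied into the controller, dispatcher, keepproxy, keepweb, websocket, workbench and workbench2 specs in this diff, so whichever form you pick should be applied to all of them. The `control` block that uses `group` continues past the end of this hunk.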
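Review bot: the comment above `'nginx:'` attributes the trailing colon to a ps bug, but it is far more likely the process title nginx sets itself (`nginx: master process …`, `nginx: worker process`) being cut at the first word by the tool inspec parses, so the comment documents the wrong cause and the exact-string `cmp proc` will break again on any platform that truncates differently. Matching the prefix avoids the per-OS table entirely: `its('processes') { should include(match(/^nginx:?$/)) }`, with the comment reworded to `# process title is "nginx: master process …", truncated at the first word on some platforms`. The same `'nginx:'` special case appears in the workbench services spec later in this diff.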
@@ -25,7 +32,7 @@ control 'arvados configuration' do it { should be_file } it { should be_owned_by 'root' } # We're testing it in the API instance, so group will be nginx's - it { should be_grouped_into 'www-data' } + it { should be_grouped_into group } its('mode') { should cmp '0640' } its('content') do should include( diff --git a/test/integration/controller/controls/services_spec.rb b/test/integration/controller/controls/services_spec.rb index 3b24532..785bdac 100644 --- a/test/integration/controller/controls/services_spec.rb +++ b/test/integration/controller/controls/services_spec.rb @@ -9,8 +9,15 @@ control 'arvados controller service' do it { should be_running } end describe port(8003) do + proc = case os[:name] + when 'centos' + 'arvados-contr' + when 'debian', 'ubuntu' + 'arvados-control' + end + it { should be_listening } # The undelying tools inspec uses to get the process truncates their names - its('processes') { should include 'arvados-control' } + its('processes') { should cmp proc } end end diff --git a/test/integration/dispatcher/controls/config_spec.rb b/test/integration/dispatcher/controls/config_spec.rb index bbc54f8..46282f7 100644 --- a/test/integration/dispatcher/controls/config_spec.rb +++ b/test/integration/dispatcher/controls/config_spec.rb @@ -6,6 +6,13 @@ dispatcher_stanza = <<-DISPATCHER_STANZA http://fixme.example.net:9006: {} DISPATCHER_STANZA +group = case os[:name] + when 'centos' + 'nginx' + when 'debian', 'ubuntu' + 'www-data' + end + control 'arvados configuration' do title 'should match desired dispatcher lines' @@ -13,7 +20,7 @@ control 'arvados configuration' do it { should be_file } it { should be_owned_by 'root' } # We're testing it in the API instance, so group will be nginx's - it { should be_grouped_into 'www-data' } + it { should be_grouped_into group } its('mode') { should cmp '0640' } its('content') do should include( 
diff --git a/test/integration/dispatcher/controls/files_spec.rb b/test/integration/dispatcher/controls/files_spec.rb index 17945a0..739d893 100644 --- a/test/integration/dispatcher/controls/files_spec.rb +++ b/test/integration/dispatcher/controls/files_spec.rb @@ -11,9 +11,9 @@ control 'arvados dispatcher service' do its('mode') { should cmp '0755' } its('content') do should include( - # rubocop:disable Metrics/LineLength + # rubocop:disable Layout/LineLength 'File managed by Salt at .' - # rubocop:enable Metrics/LineLength + # rubocop:enable Layout/LineLength ) end end @@ -24,9 +24,9 @@ control 'arvados dispatcher service' do its('mode') { should cmp '0644' } its('content') do should include( - # rubocop:disable Metrics/LineLength + # rubocop:disable Layout/LineLength 'File managed by Salt at .' - # rubocop:enable Metrics/LineLength + # rubocop:enable Layout/LineLength ) end end diff --git a/test/integration/keepproxy/controls/config_spec.rb b/test/integration/keepproxy/controls/config_spec.rb index 7dd4f71..6eb24ce 100644 --- a/test/integration/keepproxy/controls/config_spec.rb +++ b/test/integration/keepproxy/controls/config_spec.rb @@ -18,6 +18,13 @@ volumes_stanza = <<-VOLUMES_STANZA Replication: 2 VOLUMES_STANZA +group = case os[:name] + when 'centos' + 'nginx' + when 'debian', 'ubuntu' + 'www-data' + end + control 'arvados configuration' do title 'should match desired keepproxy lines' @@ -25,7 +32,7 @@ control 'arvados configuration' do it { should be_file } it { should be_owned_by 'root' } # We're testing it in the API instance, so group will be nginx's - it { should be_grouped_into 'www-data' } + it { should be_grouped_into group } its('mode') { should cmp '0640' } its('content') do should include( diff --git a/test/integration/keepproxy/controls/services_spec.rb b/test/integration/keepproxy/controls/services_spec.rb index 4106acc..d9f6f2a 100644 --- a/test/integration/keepproxy/controls/services_spec.rb 
+++ b/test/integration/keepproxy/controls/services_spec.rb @@ -8,8 +8,8 @@ control 'arvados keepproxy service' do it { should be_enabled } it { should be_running } end - describe port(25_107) do + describe port(25_100) do it { should be_listening } - its('processes') { should include 'keepproxy' } + its('processes') { should cmp 'keepproxy' } end end diff --git a/test/integration/keepstore/controls/services_spec.rb b/test/integration/keepstore/controls/services_spec.rb index df376a5..b2915a6 100644 --- a/test/integration/keepstore/controls/services_spec.rb +++ b/test/integration/keepstore/controls/services_spec.rb @@ -10,6 +10,6 @@ control 'arvados keepstore service' do end describe port(25_107) do it { should be_listening } - its('processes') { should include 'keepstore' } + its('processes') { should cmp 'keepstore' } end end diff --git a/test/integration/keepweb/controls/config_spec.rb b/test/integration/keepweb/controls/config_spec.rb index c2bd8e9..6ac0db8 100644 --- a/test/integration/keepweb/controls/config_spec.rb +++ b/test/integration/keepweb/controls/config_spec.rb @@ -9,6 +9,13 @@ keepweb_stanza = <<-KEEPWEB_STANZA ExternalURL: https://download.fixme.example.net KEEPWEB_STANZA +group = case os[:name] + when 'centos' + 'nginx' + when 'debian', 'ubuntu' + 'www-data' + end + control 'arvados configuration' do title 'should match desired keepweb lines' @@ -16,7 +23,7 @@ control 'arvados configuration' do it { should be_file } it { should be_owned_by 'root' } # We're testing it in the API instance, so group will be nginx's - it { should be_grouped_into 'www-data' } + it { should be_grouped_into group } its('mode') { should cmp '0640' } its('content') do should include( diff --git a/test/integration/keepweb/controls/services_spec.rb b/test/integration/keepweb/controls/services_spec.rb index 268af29..ccc3532 100644 --- a/test/integration/keepweb/controls/services_spec.rb +++ b/test/integration/keepweb/controls/services_spec.rb 
@@ -10,6 +10,6 @@ control 'arvados keepweb service' do end describe port(9002) do it { should be_listening } - its('processes') { should include 'keep-web' } + its('processes') { should cmp 'keep-web' } end end diff --git a/test/integration/repo/controls/repo_spec.rb b/test/integration/repo/controls/repo_spec.rb index bfde111..33caf8f 100644 --- a/test/integration/repo/controls/repo_spec.rb +++ b/test/integration/repo/controls/repo_spec.rb @@ -3,9 +3,8 @@ case os[:name] when 'centos' repo_file = '/etc/yum.repos.d/arvados.repo' - repo_url = 'baseurl=http://rpm.arvados.org/CentOS/$releasever/os/$basearch/' -when 'debian' +when 'debian', 'ubuntu' repo_file = '/etc/apt/sources.list.d/arvados.list' repo_url = 'deb http://apt.arvados.org buster main' end @@ -15,6 +14,6 @@ control 'arvados repository' do title 'should be configured' desc 'Ensures arvados source is correctly configured' describe file(repo_file) do - its('content') { should match repo_url } + its('content') { should include repo_url } end end diff --git a/test/integration/shell/controls/config_spec.rb b/test/integration/shell/controls/config_spec.rb index 13bfa24..603e337 100644 --- a/test/integration/shell/controls/config_spec.rb +++ b/test/integration/shell/controls/config_spec.rb 
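Review bot: removing `repo_url` from the `when 'centos'` branch leaves it unset on CentOS, so the second hunk's `its('content') { should include repo_url }` calls `include` with `nil` and the repo control errors out on exactly the platform this commit is adding (unless the control is skipped for centos somewhere not visible here). If the baseurl is not stable enough to assert, assert what actually matters for an `http://` yum repository instead: `repo_url = 'gpgcheck=1'` for centos, so the test proves package signatures are verified over the plaintext transport; the Debian side could similarly check for a signed-by/keyring entry. The same removal is made in `test/integration/shell/controls/repo_spec.rb`.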
@@ -1,19 +1,27 @@ # frozen_string_literal: true -siab_stanza = <<~SIAB_STANZA - SHELLINABOX_PORT=4200 - # SSL is disabled because it is terminated in Nginx. Adjust as needed. - SHELLINABOX_ARGS="--disable-ssl --no-beep --service=/shell.fixme.example.net:AUTH:HOME:SHELL" -SIAB_STANZA - -libpam_stanza = <<~LIBPAM_STANZA - auth [success=1 default=ignore] /usr/lib/pam_arvados.so fixme.example.net shell.fixme.example.net -LIBPAM_STANZA - control 'shellinabox configuration' do title 'should match desired lines' - describe file('/etc/default/shellinabox') do + case os[:name] + when 'centos' + file = '/etc/sysconfig/shellinaboxd' + tpl = 'RedHat' + siab_stanza = <<~SIAB_STANZA + PORT=4200 + # SSL is disabled because it is terminated in Nginx. Adjust as needed. + OPTS="--disable-ssl --no-beep --service=/shell.fixme.example.net:SSH" + SIAB_STANZA + when 'debian', 'ubuntu' + file = '/etc/default/shellinabox' + tpl = 'default' + siab_stanza = <<~SIAB_STANZA + SHELLINABOX_PORT=4200 + # SSL is disabled because it is terminated in Nginx. Adjust as needed. + SHELLINABOX_ARGS="--disable-ssl --no-beep --service=/shell.fixme.example.net:AUTH:HOME:SHELL" + SIAB_STANZA + end + describe file(file) do it { should be_file } it { should be_owned_by 'root' } it { should be_grouped_into 'root' } @@ -21,7 +29,7 @@ control 'shellinabox configuration' do its('content') do should include( # rubocop:disable Layout/LineLength - 'File managed by Salt at .' + "File managed by Salt at ." # rubocop:enable Layout/LineLength ) end @@ -32,6 +40,10 @@ end control 'libpam-arvados configuration' do title 'should match desired lines' + libpam_stanza = <<~LIBPAM_STANZA + auth [success=1 default=ignore] /usr/lib/pam_arvados.so fixme.example.net shell.fixme.example.net + LIBPAM_STANZA + describe file('/etc/pam.d/arvados') do it { should be_file } it { should be_owned_by 'root' } diff --git a/test/integration/shell/controls/repo_spec.rb b/test/integration/shell/controls/repo_spec.rb index 10d1929..528b82f 100644 
--- a/test/integration/shell/controls/repo_spec.rb +++ b/test/integration/shell/controls/repo_spec.rb @@ -3,9 +3,8 @@ case os[:name] when 'centos' repo_file = '/etc/yum.repos.d/arvados.repo' - repo_url = 'baseurl=http://rpm.arvados.org/CentOS/$releasever/dev/$basearch/' -when 'debian' +when 'debian', 'ubuntu' repo_file = '/etc/apt/sources.list.d/arvados.list' repo_url = 'deb http://apt.arvados.org buster-dev main' end @@ -15,6 +14,6 @@ control 'arvados repository' do title 'should be configured' desc 'Ensures arvados source is correctly configured' describe file(repo_file) do - its('content') { should match repo_url } + its('content') { should include repo_url } end end diff --git a/test/integration/shell/controls/services_spec.rb b/test/integration/shell/controls/services_spec.rb index a33f268..6ebfc8b 100644 --- a/test/integration/shell/controls/services_spec.rb +++ b/test/integration/shell/controls/services_spec.rb @@ -4,13 +4,20 @@ control 'arvados shellinabox service' do impact 0.5 title 'should be running and enabled' - describe service('shellinabox') do + serv = case os[:name] + when 'centos' + 'shellinaboxd' + when 'debian', 'ubuntu' + 'shellinabox' + end + + describe service(serv) do it { should be_enabled } it { should be_running } end describe port(4200) do it { should be_listening } - its('processes') { should include 'shellinaboxd' } + its('processes') { should cmp 'shellinaboxd' } end end diff --git a/test/integration/websocket/controls/config_spec.rb b/test/integration/websocket/controls/config_spec.rb index e4a4779..0152476 100644 --- a/test/integration/websocket/controls/config_spec.rb +++ b/test/integration/websocket/controls/config_spec.rb @@ -7,6 +7,13 @@ websocket_stanza = <<-WEBSOCKET_STANZA http://127.0.0.2:8005: {} WEBSOCKET_STANZA +group = case os[:name] + when 'centos' + 'nginx' + when 'debian', 'ubuntu' + 'www-data' + end + control 'arvados configuration' do title 'should match desired websocket lines' 
@@ -14,7 +21,7 @@ control 'arvados configuration' do it { should be_file } it { should be_owned_by 'root' } # We're testing it in the API instance, so group will be nginx's - it { should be_grouped_into 'www-data' } + it { should be_grouped_into group } its('mode') { should cmp '0640' } its('content') do should include( diff --git a/test/integration/websocket/controls/services_spec.rb b/test/integration/websocket/controls/services_spec.rb index ffdd109..0900a47 100644 --- a/test/integration/websocket/controls/services_spec.rb +++ b/test/integration/websocket/controls/services_spec.rb @@ -11,6 +11,6 @@ control 'arvados websocket service' do describe port(8005) do it { should be_listening } - its('processes') { should include 'arvados-ws' } + its('processes') { should cmp 'arvados-ws' } end end diff --git a/test/integration/workbench/controls/config_spec.rb b/test/integration/workbench/controls/config_spec.rb index ddcb550..f8be4d4 100644 --- a/test/integration/workbench/controls/config_spec.rb +++ b/test/integration/workbench/controls/config_spec.rb @@ -11,13 +11,20 @@ workbench_service = <<-WORKBENCH_SERVICE_STANZA ExternalURL: https://workbench.fixme.example.net WORKBENCH_SERVICE_STANZA +group = case os[:name] + when 'centos' + 'nginx' + when 'debian', 'ubuntu' + 'www-data' + end + control 'arvados configuration' do title 'should match desired workbench lines' describe file('/etc/arvados/config.yml') do it { should be_file } it { should be_owned_by 'root' } - it { should be_grouped_into 'www-data' } + it { should be_grouped_into group } its('mode') { should cmp '0640' } its('content') do should include( diff --git a/test/integration/workbench/controls/services_spec.rb b/test/integration/workbench/controls/services_spec.rb index 15ae30f..006d96f 100644 --- a/test/integration/workbench/controls/services_spec.rb +++ b/test/integration/workbench/controls/services_spec.rb 
@@ -4,13 +4,22 @@ control 'arvados workbench service' do impact 0.5 title 'should be running and enabled' - describe service('nginx') do + describe systemd_service('nginx') do it { should be_enabled } it { should be_running } end describe port(9000) do + proc = case os[:name] + when 'centos' + # Centos ps adds an extra colon and the end of the process + # probably a bug + 'nginx:' + when 'debian', 'ubuntu' + 'nginx' + end + it { should be_listening } - its('processes') { should include 'nginx' } + its('processes') { should cmp proc } end end diff --git a/test/integration/workbench2/controls/config_spec.rb b/test/integration/workbench2/controls/config_spec.rb index 5583688..110cb1a 100644 --- a/test/integration/workbench2/controls/config_spec.rb +++ b/test/integration/workbench2/controls/config_spec.rb @@ -5,13 +5,20 @@ workbench2_service = <<-WORKBENCH2_STANZA ExternalURL: https://workbench2.fixme.example.net WORKBENCH2_STANZA +group = case os[:name] + when 'centos' + 'nginx' + when 'debian', 'ubuntu' + 'www-data' + end + control 'arvados configuration' do title 'should match desired workbench2 lines' describe file('/etc/arvados/config.yml') do it { should be_file } it { should be_owned_by 'root' } - it { should be_grouped_into 'www-data' } + it { should be_grouped_into group } its('mode') { should cmp '0640' } its('content') do should include( diff --git a/test/salt/pillar/arvados.sls b/test/salt/pillar/arvados.sls index 13a9dbd..e018410 100644 --- a/test/salt/pillar/arvados.sls +++ b/test/salt/pillar/arvados.sls @@ -41,6 +41,14 @@ arvados: user: arvados encoding: en_US.utf8 client_encoding: UTF8 + # Centos7 does not enable SSL by default, so we disable + # it here just for testing of the formula purposes only. + # You should not do this in production, and should + # configure Postgres certificates correctly + {%- if grains.os_family in ('RedHat',) %} + extra_conn_params: + sslmode: disable + {%- endif %} tls: # certificate: '' 
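Review bot: The new local `proc` inside `describe port(9000) do` shadows Ruby's `Kernel#proc`; it works, but a name such as `nginx_proc = case os[:name]` with `its('processes') { should cmp nginx_proc }` avoids the surprise for the next reader. The comment `# Centos ps adds an extra colon ... probably a bug` is most likely mistaken: nginx sets its own process title to `nginx: master process …`, and the trailing colon is the first token of that title as reported by whichever backend InSpec's `port` resource uses on CentOS, not a ps defect — suggest replacing it with `# nginx titles its processes 'nginx: master process …'; on CentOS the port resource reports that first token, colon included`. The `control` block itself ends inside the hunk, so no further context is needed for this change.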
diff --git a/test/salt/pillar/examples/nginx_api_configuration.sls b/test/salt/pillar/examples/nginx_api_configuration.sls index 39eb3bc..3313eab 100644 --- a/test/salt/pillar/examples/nginx_api_configuration.sls +++ b/test/salt/pillar/examples/nginx_api_configuration.sls @@ -1,15 +1,21 @@ --- +{%- if grains.os_family in ('RedHat',) %} + {%- set group = 'nginx' %} +{%- else %} + {%- set group = 'www-data' %} +{%- endif %} + ### ARVADOS arvados: config: - group: www-data + group: {{ group }} ### NGINX nginx: ### SITES servers: managed: - arvados_api: + arvados_api.conf: enabled: true overwrite: true config: diff --git a/test/salt/pillar/examples/nginx_controller_configuration.sls b/test/salt/pillar/examples/nginx_controller_configuration.sls index 20e9445..3e95cce 100644 --- a/test/salt/pillar/examples/nginx_controller_configuration.sls +++ b/test/salt/pillar/examples/nginx_controller_configuration.sls @@ -16,7 +16,7 @@ nginx: servers: managed: ### DEFAULT - arvados_controller_default: + arvados_controller_default.conf: enabled: true overwrite: true config: @@ -29,7 +29,7 @@ nginx: - location /: - return: '301 https://$host$request_uri' - arvados_controller_ssl: + arvados_controller_ssl.conf: enabled: true overwrite: true config: @@ -48,8 +48,9 @@ nginx: - proxy_set_header: 'X-Real-IP $remote_addr' - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for' - proxy_set_header: 'X-External-Client $external_client' + - include: 'snippets/ssl_hardening_default.conf' # - include: 'snippets/letsencrypt.conf' - - include: 'snippets/snakeoil.conf' + - include: 'snippets/ssl_snakeoil.conf' - access_log: /var/log/nginx/fixme.example.net.access.log combined - error_log: /var/log/nginx/fixme.example.net.error.log - client_max_body_size: 128m diff --git a/test/salt/pillar/examples/nginx_keepproxy_configuration.sls b/test/salt/pillar/examples/nginx_keepproxy_configuration.sls index 41871c8..c20d7bc 100644 --- a/test/salt/pillar/examples/nginx_keepproxy_configuration.sls 
+++ b/test/salt/pillar/examples/nginx_keepproxy_configuration.sls @@ -12,7 +12,7 @@ nginx: servers: managed: ### DEFAULT - arvados_keepproxy_default: + arvados_keepproxy_default.conf: enabled: true overwrite: true config: @@ -25,7 +25,7 @@ nginx: - location /: - return: '301 https://$host$request_uri' - arvados_keepproxy_default: + arvados_keepproxy_ssl.conf: enabled: true overwrite: true config: @@ -48,7 +48,8 @@ nginx: - client_max_body_size: 64M - proxy_http_version: '1.1' - proxy_request_buffering: 'off' + - include: 'snippets/ssl_hardening_default.conf' # - include: 'snippets/letsencrypt.conf' - - include: 'snippets/snakeoil.conf' + - include: 'snippets/ssl_snakeoil.conf' - access_log: /var/log/nginx/keepproxy.fixme.example.net.access.log combined - error_log: /var/log/nginx/keepproxy.fixme.example.net.error.log diff --git a/test/salt/pillar/examples/nginx_keepweb_configuration.sls b/test/salt/pillar/examples/nginx_keepweb_configuration.sls index 6547e82..dfb02f6 100644 --- a/test/salt/pillar/examples/nginx_keepweb_configuration.sls +++ b/test/salt/pillar/examples/nginx_keepweb_configuration.sls @@ -12,7 +12,7 @@ nginx: servers: managed: ### DEFAULT - arvados_collections_download_default: + arvados_collections_download_default.conf: enabled: true overwrite: true config: @@ -26,7 +26,7 @@ nginx: - return: '301 https://$host$request_uri' ### COLLECTIONS / DOWNLOAD - arvados_collections_download_ssl: + arvados_collections_download_ssl.conf: enabled: true overwrite: true config: @@ -48,7 +48,8 @@ nginx: - client_max_body_size: 0 - proxy_http_version: '1.1' - proxy_request_buffering: 'off' + - include: 'snippets/ssl_hardening_default.conf' # - include: 'snippets/letsencrypt.conf' - - include: 'snippets/snakeoil.conf' + - include: 'snippets/ssl_snakeoil.conf' - access_log: /var/log/nginx/collections.fixme.example.net.access.log combined - error_log: /var/log/nginx/collections.fixme.example.net.error.log 
diff --git a/test/salt/pillar/examples/nginx_passenger.sls b/test/salt/pillar/examples/nginx_passenger.sls
index 2c05dbd..1cc9cce 100644
--- a/test/salt/pillar/examples/nginx_passenger.sls
+++ b/test/salt/pillar/examples/nginx_passenger.sls
@@ -1,17 +1,60 @@ --- +{%- if grains.os_family in ('RedHat',) %} + {%- set passenger_pkg = 'nginx-mod-http-passenger' %} + {%- set passenger_mod = '/usr/lib64/nginx/modules/ngx_http_passenger_module.so' %} +{%- else %} + {%- set passenger_pkg = 'libnginx-mod-http-passenger' %} + {%- set passenger_mod = '/usr/lib/nginx/modules/ngx_http_passenger_module.so' %} +{%- endif %} + ### NGINX nginx: install_from_phusionpassenger: true lookup: - passenger_package: libnginx-mod-http-passenger - passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf - + passenger_package: {{ passenger_pkg }} ### SERVER server: config: - include: 'modules-enabled/*.conf' + # This is required to get the passenger module loaded + # In Debian it can be done with this + # include: 'modules-enabled/*.conf' + load_module: {{ passenger_mod }} + worker_processes: 4 + ### SNIPPETS + snippets: + # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4 + ssl_hardening_default.conf: + - ssl_session_timeout: 1d + - ssl_session_cache: 'shared:curiiSSL:10m' + - ssl_session_tickets: 'off' + + # intermediate configuration + - ssl_protocols: TLSv1.2 TLSv1.3 + - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + - ssl_prefer_server_ciphers: 'off' + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + - add_header: 'Strict-Transport-Security "max-age=63072000" always' + + # OCSP stapling + - ssl_stapling: 'on' + - ssl_stapling_verify: 'on' + + # verify chain of trust of OCSP response using Root CA and Intermediate certs + # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates + + # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam + # - ssl_dhparam: /path/to/dhparam + + # replace with the IP address of your 
resolver + # - resolver: 127.0.0.1 + + ssl_snakeoil.conf: + - ssl_certificate: /etc/ssl/certs/ssl-cert-snakeoil.pem + - ssl_certificate_key: /etc/ssl/private/ssl-cert-snakeoil.key + ### SITES servers: managed: diff --git a/test/salt/pillar/examples/nginx_webshell_configuration.sls b/test/salt/pillar/examples/nginx_webshell_configuration.sls index 4a59cc5..c1a8907 100644 --- a/test/salt/pillar/examples/nginx_webshell_configuration.sls +++ b/test/salt/pillar/examples/nginx_webshell_configuration.sls @@ -13,7 +13,7 @@ nginx: ### SITES servers: managed: - arvados_webshell_default: + arvados_webshell_default.conf: enabled: true overwrite: true config: @@ -26,7 +26,7 @@ nginx: - location /: - return: '301 https://$host$request_uri' - arvados_webshell_ssl: + arvados_webshell_ssl.conf: enabled: true overwrite: true config: @@ -63,9 +63,9 @@ nginx: - add_header: "'Access-Control-Allow-Origin' '*'" - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'" - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'" - + - include: 'snippets/ssl_hardening_default.conf' # - include: 'snippets/letsencrypt.conf' - - include: 'snippets/snakeoil.conf' + - include: 'snippets/ssl_snakeoil.conf' - access_log: /var/log/nginx/webshell.fixme.example.net.access.log combined - error_log: /var/log/nginx/webshell.fixme.example.net.error.log diff --git a/test/salt/pillar/examples/nginx_websocket_configuration.sls b/test/salt/pillar/examples/nginx_websocket_configuration.sls index d7e75c9..48e9db2 100644 --- a/test/salt/pillar/examples/nginx_websocket_configuration.sls +++ b/test/salt/pillar/examples/nginx_websocket_configuration.sls @@ -12,7 +12,7 @@ nginx: servers: managed: ### DEFAULT - arvados_websocket_default: + arvados_websocket_default.conf: enabled: true overwrite: true config: 
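Review bot: `ssl_stapling` and `ssl_stapling_verify` are switched on in the new `ssl_hardening_default.conf` snippet while `ssl_trusted_certificate` stays commented out and every site pairs the snippet with the self-signed `ssl_snakeoil.conf`, so stapling cannot work as written (no OCSP responder in the certificate, no chain to verify against) and nginx will presumably log a startup warning; either drop the two directives from the default snippet or add a comment such as `# stapling only takes effect with a CA-issued cert and ssl_trusted_certificate set`. Likewise the `DHE-RSA-*` entries in `ssl_ciphers` are inert while `ssl_dhparam` is commented out, so the effective suite is ECDHE-only — a one-line comment would stop readers from assuming DHE is offered. The `Strict-Transport-Security "max-age=63072000" always` header is inherited by every site that includes the snippet; acceptable for an example pillar, but note in a comment that browsers will pin the test hostname for two years. The hunk also covers the `server.config` change to `load_module`; the `servers.managed` mapping continues outside the hunk.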
@@ -25,7 +25,7 @@ nginx: - location /: - return: '301 https://$host$request_uri' - arvados_websocket_ssl: + arvados_websocket_ssl.conf: enabled: true overwrite: true config: @@ -49,7 +49,8 @@ nginx: - client_max_body_size: 64M - proxy_http_version: '1.1' - proxy_request_buffering: 'off' + - include: 'snippets/ssl_hardening_default.conf' # - include: 'snippets/letsencrypt.conf' - - include: 'snippets/snakeoil.conf' + - include: 'snippets/ssl_snakeoil.conf' - access_log: /var/log/nginx/ws.fixme.example.net.access.log combined - error_log: /var/log/nginx/ws.fixme.example.net.error.log diff --git a/test/salt/pillar/examples/nginx_workbench2_configuration.sls b/test/salt/pillar/examples/nginx_workbench2_configuration.sls index f8946f4..c633649 100644 --- a/test/salt/pillar/examples/nginx_workbench2_configuration.sls +++ b/test/salt/pillar/examples/nginx_workbench2_configuration.sls @@ -1,8 +1,14 @@ --- +{%- if grains.os_family in ('RedHat',) %} + {%- set group = 'nginx' %} +{%- else %} + {%- set group = 'www-data' %} +{%- endif %} + ### ARVADOS arvados: config: - group: www-data + group: {{ group }} ### NGINX nginx: @@ -10,7 +16,7 @@ nginx: servers: managed: ### DEFAULT - arvados_workbench2_default: + arvados_workbench2_default.conf: enabled: true overwrite: true config: @@ -23,7 +29,7 @@ nginx: - location /: - return: '301 https://$host$request_uri' - arvados_workbench2_ssl: + arvados_workbench2_ssl.conf: enabled: true overwrite: true config: @@ -39,7 +45,8 @@ nginx: - return: 503 - location /config.json: - return: {{ "200 '" ~ '{"API_HOST":"fixme.example.net"}' ~ "'" }} + - include: 'snippets/ssl_hardening_default.conf' # - include: 'snippets/letsencrypt.conf' - - include: 'snippets/snakeoil.conf' + - include: 'snippets/ssl_snakeoil.conf' - access_log: /var/log/nginx/workbench2.fixme.example.net.access.log combined - error_log: /var/log/nginx/workbench2.fixme.example.net.error.log 
diff --git a/test/salt/pillar/examples/nginx_workbench_configuration.sls b/test/salt/pillar/examples/nginx_workbench_configuration.sls index 5a394f5..5b8e0e2 100644 --- a/test/salt/pillar/examples/nginx_workbench_configuration.sls +++ b/test/salt/pillar/examples/nginx_workbench_configuration.sls @@ -1,8 +1,14 @@ --- +{%- if grains.os_family in ('RedHat',) %} + {%- set group = 'nginx' %} +{%- else %} + {%- set group = 'www-data' %} +{%- endif %} + ### ARVADOS arvados: config: - group: www-data + group: {{ group }} ### NGINX nginx: @@ -19,7 +25,7 @@ nginx: servers: managed: ### DEFAULT - arvados_workbench_default: + arvados_workbench_default.conf: enabled: true overwrite: true config: @@ -32,7 +38,7 @@ nginx: - location /: - return: '301 https://$host$request_uri' - arvados_workbench_ssl: + arvados_workbench_ssl.conf: enabled: true overwrite: true config: @@ -50,12 +56,13 @@ nginx: - proxy_set_header: 'Host $http_host' - proxy_set_header: 'X-Real-IP $remote_addr' - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for' + - include: 'snippets/ssl_hardening_default.conf' # - include: 'snippets/letsencrypt.conf' - - include: 'snippets/snakeoil.conf' + - include: 'snippets/ssl_snakeoil.conf' - access_log: /var/log/nginx/workbench.fixme.example.net.access.log combined - error_log: /var/log/nginx/workbench.fixme.example.net.error.log - arvados_workbench_upstream: + arvados_workbench_upstream.conf: enabled: true overwrite: true config: diff --git a/test/salt/pillar/examples/postgresql.sls b/test/salt/pillar/examples/postgresql.sls index dbca5b5..aec4f13 100644 --- a/test/salt/pillar/examples/postgresql.sls +++ b/test/salt/pillar/examples/postgresql.sls 
@@ -6,6 +6,9 @@ postgres: - postgresql-contrib postgresconf: |- listen_addresses = '*' # listen on all interfaces + #ssl = on + #ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' + #ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' acls: - ['local', 'all', 'postgres', 'peer'] - ['local', 'all', 'all', 'peer'] diff --git a/test/salt/states/example_add_snakeoil_certs/init.sls b/test/salt/states/example_add_snakeoil_certs/init.sls index 9d7b644..e004128 100644 --- a/test/salt/states/example_add_snakeoil_certs/init.sls +++ b/test/salt/states/example_add_snakeoil_certs/init.sls @@ -1,3 +1,32 @@ snake_oil_certs: +{%- if grains.os_family in ('RedHat',) %} + pkg.installed: + - name: openssl + cmd.run: + - name: | + cat > /tmp/openssl.cnf <<-CNF + RANDFILE = /dev/urandom + [ req ] + default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + prompt = no + policy = policy_anything + req_extensions = v3_req + x509_extensions = v3_req + [ req_distinguished_name ] + commonName = {{ grains.fqdn }} + [ v3_req ] + basicConstraints = CA:FALSE + CNF + mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \ + openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \ + -out /etc/ssl/certs/ssl-cert-snakeoil.pem \ + -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1 + - unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key + - require: + - pkg: openssl +{%- else %} pkg.installed: - name: ssl-cert +{%- endif %}
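Review bot: The RedHat branch creates `/etc/ssl/private/` with a plain `mkdir -p` and writes the key through `openssl req -keyout`, so both the directory and `ssl-cert-snakeoil.key` end up with whatever the umask yields (typically 0755/0644 — depending on the OpenSSL build, `-keyout` may not force 0600), whereas the Debian `ssl-cert` package it mirrors keeps the key 0640 root:ssl-cert inside a 0710 directory; change the mkdir line to `mkdir -p /etc/ssl/certs/ && mkdir -p -m 0700 /etc/ssl/private/ && \` and append `&& chmod 0600 /etc/ssl/private/ssl-cert-snakeoil.key` after the `-keyout …` redirect. The config and log are written to the fixed names `/tmp/openssl.cnf` and `/tmp/snake_oil_certs.output` by a root-run shell; tolerable for a test fixture, but `mktemp` or a path under a root-owned directory avoids the predictable-/tmp-path pitfall. Because the `unless: test -f …key` guard skips the whole command once the key exists, a key left with loose permissions by an earlier run is never repaired, which is another reason to set the mode explicitly (a separate `file.managed` with `mode: '0600'` on the key would be idempotent).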