Import ulimit version 0.3.0

jhmartin · Aug 24, 2013 · 00bd849 · 00bd849
1 parent 2818eaf
commit 00bd849
Show file tree

Hide file tree

Showing 14 changed files with 380 additions and 0 deletions.
diff --git a/cookbooks/ulimit/CHANGELOG.md b/cookbooks/ulimit/CHANGELOG.md
@@ -0,0 +1,36 @@
+# CHANGELOG for ulimit
+
+This file is used to list changes made in each version of ulimit.
+
+## 0.3.0
+
+* Add Domain LWRP for arbitrary rule creation. Thanks for Chris Roberts (https://github.com/chrisroberts)
+
+## 0.2.0
+
+* Support specifying users via attributes (as long as your runlist includes the ulimit::default recipe). Thanks to Dmytro Shteflyuk (https://github.com/kpumuk)
+
+## 0.1.5
+
+* Allow setting core_limit. Thanks to Aaron Nichols (https://github.com/adnichols)
+
+## 0.1.4:
+
+* Does not set any ulimit parameter by default - only when specified. Thanks to Graham Christensen (https://github.com/zippykid)
+
+## 0.1.3:
+
+* Adds node attribute node['ulimit']['pam_su_template_cookbook'] to allow users to provide a su pam.d template from another cookbook
+
+## 0.1.2:
+
+* Add memory limit handling, courtesy of Sean Porter (https://github.com/bmhatfield/chef-ulimit/pull/3)
+
+## 0.1.0:
+
+* Initial release of ulimit
+
+- - - 
+Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
+
+The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
diff --git a/cookbooks/ulimit/README.md b/cookbooks/ulimit/README.md
@@ -0,0 +1,66 @@
+Description
+===========
+
+This is a short-and-simple cookbook to provide a user_ulimit resource for overriding various ulimit settings. It places configured templates into /etc/security/limits.d/, named for the user the ulimit applies to.
+
+It also provides a helper recipe (default.rb) for allowing ulimit overrides with the 'su' command on Ubuntu, which is disabled by default for some reason.
+
+Requirements
+============
+
+Add to your repo, then depend upon this cookbook from wherever you need to override ulimits.
+
+Attributes
+==========
+
+* `node['ulimit']['pam_su_template_cookbook']` - Defaults to nil (current cookbook).  Determines what cookbook the su pam.d template is taken from
+* `node['ulimit']['users']` - Defaults to empty Hash.  List of users with their limits
+
+Usage
+=====
+
+Consume the user_ulimit resource like so:
+```ruby
+user_ulimit "tomcat" do
+  filehandle_limit 8192 # optional
+  process_limit 61504 # optional
+  memory_limit 1024 # optional
+  core_limit 2048 # optional
+end
+```
+
+You can also define limits using attributes on roles or nodes:
+
+```
+"default_attributes": {
+   "ulimit": {
+      "users": {
+         "tomcat": {
+            "filehandle_limit": 8193,
+               "process_limit": 61504
+             },
+            "hbase": {
+               "filehandle_limit": 32768
+             }
+       }
+    }
+ }
+ ```
+
+Domain LWRP
+===========
+
+```ruby
+ulimit_domain 'my_user' do
+  rule do
+    item :nofile
+    type :hard
+    value 10000
+  end
+  rule do
+    item :nofile
+    type :soft
+    value 5000
+  end
+end
+```
diff --git a/cookbooks/ulimit/attributes/default.rb b/cookbooks/ulimit/attributes/default.rb
@@ -0,0 +1,3 @@
+default['ulimit']['pam_su_template_cookbook'] = nil
+default['ulimit']['users'] = Mash.new
+default['ulimit']['security_limits_directory'] = '/etc/security/limits.d'
diff --git a/cookbooks/ulimit/definitions/user_ulimit.rb b/cookbooks/ulimit/definitions/user_ulimit.rb
@@ -0,0 +1,27 @@
+# Defines a user_ulimit modification
+# Sample:
+#
+# depends 'ulimit'
+#
+# user_ulimit "tomcat" do
+#  filehandle_limit 8192
+#  process_limit 61504
+#  memory_limit 1024
+# end
+
+define :user_ulimit, :filehandle_limit => nil, :process_limit => nil, :memory_limit => nil do
+  template "/etc/security/limits.d/#{params[:name]}_limits.conf" do
+    source "ulimit.erb"
+    cookbook "ulimit"
+    owner "root"
+    group "root"
+    mode 0644
+    variables(
+      :ulimit_user => params[:name],
+      :filehandle_limit => params[:filehandle_limit],
+      :process_limit => params[:process_limit],
+      :memory_limit => params[:memory_limit],
+      :core_limit => params[:core_limit]
+    )
+  end
+end
diff --git a/cookbooks/ulimit/metadata.json b/cookbooks/ulimit/metadata.json
@@ -0,0 +1,48 @@
+{
+    "recommendations": {
+    },
+    "attributes": {
+    },
+    "maintainer": "Brian Hatfield",
+    "suggestions": {
+    },
+    "dependencies": {
+    },
+    "maintainer_email": "bmhatfield@gmail.com",
+    "conflicting": {
+    },
+    "platforms": {
+      "debian": [
+
+      ],
+      "fedora": [
+
+      ],
+      "centos": [
+
+      ],
+      "ubuntu": [
+
+      ],
+      "suse": [
+
+      ],
+      "redhat": [
+
+      ]
+    },
+    "license": "Apache 2.0",
+    "version": "0.3.0",
+    "providing": {
+    },
+    "recipes": {
+      "ulimit": "configures ulimit ability for operating systems that disable it by default"
+    },
+    "replacing": {
+    },
+    "name": "ulimit",
+    "description": "Provides user_ulimit resource",
+    "groupings": {
+    },
+    "long_description": ""
+  }
diff --git a/cookbooks/ulimit/metadata.rb b/cookbooks/ulimit/metadata.rb
@@ -0,0 +1,7 @@
+maintainer       "Brian Hatfield"
+maintainer_email "bmhatfield@gmail.com"
+license          "Apache 2.0"
+description      "Installs/Configures ulimit"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+name             "ulimit"
+version          "0.3.0"
diff --git a/cookbooks/ulimit/providers/domain.rb b/cookbooks/ulimit/providers/domain.rb
@@ -0,0 +1,44 @@
+def load_current_resource
+  new_resource.filename new_resource.name unless new_resource.filename
+  new_resource.subresource_rules.map! do |name, block|
+    urule = Chef::Resource::UlimitRule.new("ulimit_rule[#{new_resource.name}:#{name}]", nil)
+    urule.domain new_resource
+    urule.action :nothing
+    urule.instance_eval(&block)
+    unless(name)
+      urule.name "ulimit_rule[#{new_resource.name}:#{urule.item}-#{urule.type}-#{urule.value}]"
+    end
+    urule
+  end
+end
+
+action :create do
+  use_inline_resources if self.respond_to?(:use_inline_resources)
+
+  new_resource.subresource_rules.map do |sub_resource|
+    sub_resource.run_context = new_resource.run_context
+    sub_resource.run_action(:create)
+  end
+
+  utemplate = template ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
+    source 'domain.erb'
+    cookbook 'ulimit'
+    variables :domain => new_resource.domain_name
+  end
+
+  unless(self.respond_to?(:use_inline_resources))
+    new_resource.updated_by_last_action(ufile.updated_by_last_action?)
+  end
+
+end
+
+action :delete do
+  use_inline_resources if self.respond_to?(:use_inline_resources)
+  ufile = file ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
+    action :delete
+  end
+
+  unless(self.respond_to?(:use_inline_resources))
+    new_resource.updated_by_last_action(ufile.updated_by_last_action?)
+  end
+end
diff --git a/cookbooks/ulimit/providers/rule.rb b/cookbooks/ulimit/providers/rule.rb
@@ -0,0 +1,14 @@
+def load_current_resource
+  new_resource.domain new_resource.domain.domain_name if new_resource.domain.is_a?(Chef::Resource)
+  node.run_state[:ulimit] ||= Mash.new
+  node.run_state[:ulimit][new_resource.domain] ||= Mash.new
+end
+
+action :create do
+  node.run_state[:ulimit][new_resource.domain][new_resource.item] ||= Mash.new
+  node.run_state[:ulimit][new_resource.domain][new_resource.item][new_resource.type] = new_resource.value
+end
+
+action :delete do
+  # NOOP
+end
diff --git a/cookbooks/ulimit/recipes/default.rb b/cookbooks/ulimit/recipes/default.rb
@@ -0,0 +1,23 @@
+# Cookbook Name:: ulimit
+# Recipe:: default
+#
+# Copyright 2012, Brightcove, Inc
+#
+# All rights reserved - Do Not Redistribute
+#
+ulimit = node['ulimit']
+
+case node[:platform]
+  when "debian", "ubuntu"
+    template "/etc/pam.d/su" do
+      cookbook ulimit['pam_su_template_cookbook']
+    end
+end
+
+ulimit['users'].each do |user, attributes|
+  user_ulimit user do
+    attributes.each do |a, v|
+      send(a.to_sym, v)
+    end
+  end
+end
diff --git a/cookbooks/ulimit/resources/domain.rb b/cookbooks/ulimit/resources/domain.rb
@@ -0,0 +1,16 @@
+attr_reader :subresource_rules
+
+def initialize(*args)
+  @subresource_rules = []
+  super
+end
+
+actions :create, :delete
+default_action :create
+
+attribute :domain_name, :kind_of => String, :name_attribute => true
+attribute :filename, :kind_of => String
+
+def rule(name=nil, &block)
+  @subresource_rules << [name, block]
+end
diff --git a/cookbooks/ulimit/resources/rule.rb b/cookbooks/ulimit/resources/rule.rb
@@ -0,0 +1,7 @@
+actions :create, :delete
+default_action :create
+
+attribute :type, :kind_of => [Symbol,String], :required => true
+attribute :item, :kind_of => [Symbol,String], :required => true
+attribute :value, :kind_of => [String,Numeric], :required => true
+attribute :domain, :kind_of => [Chef::Resource::UlimitDomain, String], :required => true
diff --git a/cookbooks/ulimit/templates/default/domain.erb b/cookbooks/ulimit/templates/default/domain.erb
@@ -0,0 +1,9 @@
+<% 
+  node.run_state[:ulimit][@domain].each do |item, entries|
+    entries.each do |type, value|
+-%>
+<%= @domain %> <%= type %> <%= item %> <%= value %>
+<%
+    end
+  end
+-%>
diff --git a/cookbooks/ulimit/templates/default/su.erb b/cookbooks/ulimit/templates/default/su.erb
@@ -0,0 +1,63 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+# This file modified by Chef to enable ulimit switching with `su`
+#
+
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth       required   pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session    optional   pam_mail.so nopen
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
diff --git a/cookbooks/ulimit/templates/default/ulimit.erb b/cookbooks/ulimit/templates/default/ulimit.erb
@@ -0,0 +1,17 @@
+# Limits settings for <%= @ulimit_user %>
+
+<% unless @filehandle_limit.nil? -%>
+<%= @ulimit_user -%> - nofile <%= @filehandle_limit %>
+<% end -%>
+
+<% unless @process_limit.nil? -%>
+<%= @ulimit_user -%> - nproc <%= @process_limit %>
+<% end -%>
+
+<% unless @memory_limit.nil? -%>
+<%= @ulimit_user -%> - memlock <%= @memory_limit %>
+<% end -%>
+
+<% unless @core_limit.nil? -%>
+<%= @ulimit_user -%> - core <%= @core_limit %>
+<% end -%>