Peter Souter's questions

I'm trying to update some of my Puppet manifests that disable CAD on RHEL machines.

Right now I'm doing it the over the top way on systemd: masking (ie. linking to /dev/null)

$ctrlaltdel_process = '/usr/bin/logger -p security.info "Control-Alt-Delete pressed"'

  # Every version of RHEL has a different way of doing this! :)
  case $::operatingsystemmajrelease {
    '4','5': {
      augeas { 'disable-inittab-ctrlaltdel':
        context => '/files/etc/inittab',
        lens    => 'inittab.lns',
        incl    => '/etc/inittab',
        changes => "set *[action = 'ctrlaltdel']/process '${ctrlaltdelprocess}'",
      }
    }
    '6': {
      file { '/etc/init/control-alt-delete.conf':
        ensure  => file,
        content => $ctrlaltdel_process,
      }
    }
    '7': {
      file { '/etc/systemd/system/ctrl-alt-del.target':
        ensure => 'link',
        target => '/dev/null',
      }
    }
    default: {
      fail("Module ${module_name} is not supported on this ${::operatingsystemmajrelease}")
    }
  }

As you can see, on other systems I'm actually writing a security log saying that CAD was pressed, but I wouldn't get this with systemd machines.

I like the idea of actually having the trap in the logs so we can trace if people are doing it.

Can someone give me an example systemd config file for ctrl+alt+delete that would do the same thing?

I'm starting to use RHEL7 and learning a little about the changes that come with systemd.

Is there a way to perform /sbin/service iptables save in firewalld?

$ /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

The closest parallel I can find from the Documentation is --reload:

Reload the firewall without loosing state information:
$ firewall-cmd --reload

But it doesn't explicitly say if it's saving or not.

I have a FreeBSD Vagrant box that looks like this:

# -*- mode: ruby -*-
# vi: set ft=ruby :

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|

  config.vm.box = "chef/freebsd-10.0"

  config.vm.network "private_network", ip: "10.0.1.10"
  config.vm.synced_folder '.', '/vagrant', :nfs => true, id: "vagrant-root"

end

However, if it tries to run in a directory path with too long a name it fails:

==> default: Mounting NFS shared folders...
The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

mount -t nfs '10.0.1.1:/Users/petersouter/projects/reallylongpathnameover88characterssothatmountfswillfail12345678910111213141516' '/vagrant'

Stdout from the command:



Stderr from the command:

mount_nfs: 10.0.1.1:/Users/petersouter/projects/reallylongpathnameover88characterssothatmountfswillfail12345678910111213141516: File name too long

Is there a way to resolve this other than copying the directory to one with a shorter name? Can I update FreeBSD stuff so it can accept larger file names?

I have a suite of Beaker tests running against a docker host.

I dont know the intricacies of how docker handles swap files, but it seems that it doesn't like it.

The Puppet code looks like this:

exec { 'Create swap file':
  command => "/bin/dd if=/dev/zero of=${swapfile} bs=1M count=${swapfilesize_mb}",
  creates => $swapfile,
}
exec { 'Attach swap file':
  command => "/sbin/mkswap ${swapfile} && /sbin/swapon ${swapfile}",
  require => Exec['Create swap file'],
  unless  => "/sbin/swapon -s | grep ${swapfile}",
}
if $add_mount {
  mount { 'swap':
    ensure  => present,
    fstype  => swap,
    device  => $swapfile,
    dump    => 0,
    pass    => 0,
    require => Exec['Attach swap file'],
  }
}

And the error message is as follows:

Info: Loading facts
Notice: Compiled catalog for centos-6-x64 in environment production in 0.22 seconds
Info: Applying configuration version '1411345072'
Notice: /Stage[main]/Swap_file/Exec[Create swap file]/returns: executed successfully
Notice: /Stage[main]/Swap_file/Exec[Attach swap file]/returns: mkswap: /tmp/swapfile: warning: don't erase bootbits sectors
Notice: /Stage[main]/Swap_file/Exec[Attach swap file]/returns:         on whole disk. Use -f to force.
Notice: /Stage[main]/Swap_file/Exec[Attach swap file]/returns: Setting up swapspace version 1, size = 5116 KiB
Notice: /Stage[main]/Swap_file/Exec[Attach swap file]/returns: no label, UUID=ceb75f7d-ae8b-4781-bd1b-4123bec9bcf1
Notice: /Stage[main]/Swap_file/Exec[Attach swap file]/returns: swapon: /tmp/swapfile: swapon failed: Input/output error
Error: /sbin/mkswap /tmp/swapfile && /sbin/swapon /tmp/swapfile returned 255 instead of one of [0]
Error: /Stage[main]/Swap_file/Exec[Attach swap file]/returns: change from notrun to 0 failed: /sbin/mkswap /tmp/swapfile && /sbin/swapon /tmp/swapfile returned 255 instead of one of [0]
Notice: /Stage[main]/Swap_file/Mount[swap]: Dependency Exec[Attach swap file] has failures: true
Warning: /Stage[main]/Swap_file/Mount[swap]: Skipping because of failed dependencies
Notice: Finished catalog run in 0.26 seconds

So basically, how do I setup a docker container to where I can run swapon without it erroring out?