From 0456085a9b0c4e8ba9cbc0c4efa5dc14a1116221 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Fri, 28 Apr 2023 10:41:39 -0700 Subject: [PATCH 001/188] Fix lint fire on fbspec.rb Summary: Fixes Style/GlobalStdStream in OSS CI Reviewed By: joshuamiller01 Differential Revision: D45399133 fbshipit-source-id: 5f5f489bc38ec894cfc96e10c15f29e3d451f05e --- spec/fbspec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/fbspec.rb b/spec/fbspec.rb index 735eb8997..7ea7a5142 100644 --- a/spec/fbspec.rb +++ b/spec/fbspec.rb @@ -39,7 +39,7 @@ def self.fbspec_init(cookbook_path, platforms) config.after(:example) do result = RubyProf.stop printer = RubyProf::GraphPrinter.new(result) - printer.print(STDOUT) + printer.print($stdout) end end end From 78d9eb5708c18bb7e5b303b581762b1d10433a88 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Fri, 28 Apr 2023 15:18:23 -0700 Subject: [PATCH 002/188] fb_helpers: node.disruptable?, a method to define when a host can run disruptive chef code Summary: A method to define when a host can run disruptive chef code. By default this should be allowed during provisioning and boot (when the host is presumably drained and unable to be running a workload) Reviewed By: gogsbread Differential Revision: D34600530 fbshipit-source-id: d741d256e47df94bd9360dca7bc628b3a45f6d3b --- cookbooks/fb_helpers/README.md | 7 ++++++ .../fb_helpers/libraries/node_methods.rb | 7 ++++++ cookbooks/fb_helpers/spec/node_spec.rb | 24 +++++++++++++++++++ 3 files changed, 38 insertions(+) diff --git a/cookbooks/fb_helpers/README.md b/cookbooks/fb_helpers/README.md index 6bd386ac9..26bd8f332 100644 --- a/cookbooks/fb_helpers/README.md +++ b/cookbooks/fb_helpers/README.md 
@@ -453,6 +453,13 @@ your node. True if `node['fb_helpers']['interface_start_allowed_method']` is set and returns true, or if `node.interface_change_allowed?` is true. +* `node.disruptable?` + A gate which can be used to limit dangerous code paths to only run during + provisioning, boot, or other times when the host is not running a + workload and can disrupted. For initial boot you must + pass `CHEF_BOOT_SERVICE=true` as an environment variable from your + boot-time chef invocation. + ### FB::Helpers The following constants are available: diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index a986c28b0..d369404da 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -1172,5 +1172,12 @@ def interface_start_allowed?(interface) return self.interface_change_allowed?(interface) end end + + # A gate which can be used to limit dangerous code to only run during + # provisioning or upon boot + def disruptable? + @disruptable ||= + node.firstboot_any_phase? || ENV['CHEF_BOOT_SERVICE'] == 'true' + end end end diff --git a/cookbooks/fb_helpers/spec/node_spec.rb b/cookbooks/fb_helpers/spec/node_spec.rb index 721cec805..18b1304b8 100644 --- a/cookbooks/fb_helpers/spec/node_spec.rb +++ b/cookbooks/fb_helpers/spec/node_spec.rb 
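Review bot: In `disruptable?`, `@disruptable ||=` never caches a false result, so on every host that is not disruptable each call re-evaluates `node.firstboot_any_phase?` and the `ENV` lookup, while a true result is pinned for the life of the node object. If memoization is wanted, `return @disruptable unless @disruptable.nil?` ahead of a plain `@disruptable = ...` assignment caches both outcomes; otherwise drop the instance variable. The method comment should also say that the gate trusts the invoking environment, for example `# Trusts CHEF_BOOT_SERVICE from the invoking environment; a safety interlock, not an authorization check`. The enclosing class starts outside the hunk.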
@@ -314,4 +314,28 @@ end.to raise_error(RuntimeError) end end + + context 'Chef::Node.disruptable?' do + it 'is not disruptable by default' do + expect(node.disruptable?).to be(false) + end + + it 'is not disruptable unless in provisioning or upon boot' do + allow(node).to receive(:firstboot_any_phase?).and_return(false) + ENV.stub(:[]).with('CHEF_BOOT_SERVICE').and_return '' + expect(node.disruptable?).to be(false) + end + + it 'is disruptable when in provisioning' do + allow(node).to receive(:firstboot_any_phase?).and_return(true) + ENV.stub(:[]).with('CHEF_BOOT_SERVICE').and_return '' + expect(node.disruptable?).to be(true) + end + + it 'is disruptable when booting' do + allow(node).to receive(:firstboot_any_phase?).and_return(false) + ENV.stub(:[]).with('CHEF_BOOT_SERVICE').and_return 'true' + expect(node.disruptable?).to be(true) + end + end end From 3a90afc9588999d380f7bc829d5c3009ec2ffba0 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Mon, 1 May 2023 08:47:12 -0700 Subject: [PATCH 003/188] fb_timers: refactor autostart handling for old systemd versions Summary: Refactor autostart handling for old systemd versions. This makes the code easier to read in differentiating when we're setting up timers the normal way (with modern systemd) versus the old way, and will make future transitioning to a different model (forthcoming) simpler also. This should be a no-op; node['packages'] is ohai-time and reordering the evaluation within a custom resource should be irrelevant. Reviewed By: dafyddcrosby Differential Revision: D45199845 fbshipit-source-id: 12b6ab20c90c59d1c9660f411de9fb29f2b295c4 --- cookbooks/fb_timers/resources/setup.rb | 45 +++++++++++++------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index d221381ec..ef531a92e 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb 
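Review bot: The first example, 'is not disruptable by default', stubs neither `firstboot_any_phase?` nor the environment, so its result depends on whether `CHEF_BOOT_SERVICE` happens to be set where the suite runs. The other three examples use `ENV.stub(:[]).with('CHEF_BOOT_SERVICE')`, which leaves every other `ENV[]` lookup during the example without a matching stub. Setting up `allow(ENV).to receive(:[]).and_call_original` followed by `allow(ENV).to receive(:[]).with('CHEF_BOOT_SERVICE').and_return(nil)` in a `before` block would make all four examples independent of the ambient environment and match the `allow(node).to receive(...)` style already used here. The enclosing describe block starts outside the hunk.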
@@ -184,37 +184,36 @@ end # Setup services - node['fb_timers']['jobs'].to_hash.each_pair do |_name, conf| - timer_name = "#{conf['name']}.timer" + if FB::Version.new(node['packages']['systemd']['version']) > + FB::Version.new('201') - service "#{timer_name} enable/start" do - only_if do - conf['autostart'] && FB::Version.new(node['packages']['systemd'][ - 'version']) > FB::Version.new('201') + node['fb_timers']['jobs'].to_hash.each_pair do |_name, conf| + timer_name = "#{conf['name']}.timer" + + service "#{timer_name} enable/start" do + only_if { conf['autostart'] } + service_name timer_name + action [:enable, :start] end - service_name timer_name - action [:enable, :start] end - + else # Versions prior to 201 did not support enablement of unit symlinks. # Workaround is to create the following symlink. - link "/etc/systemd/system/timers.target.wants/#{timer_name}" do - only_if do - conf['autostart'] && FB::Version.new(node['packages']['systemd'][ - 'version']) <= FB::Version.new('201') + node['fb_timers']['jobs'].to_hash.each_pair do |_name, conf| + timer_name = "#{conf['name']}.timer" + + link "/etc/systemd/system/timers.target.wants/#{timer_name}" do + only_if { conf['autostart'] } + to lazy { + "#{node['fb_timers']['_timer_path']}/#{conf['name']}.timer" + } end - to lazy { - "#{node['fb_timers']['_timer_path']}/#{conf['name']}.timer" - } - end - service "#{timer_name} start only" do - only_if do - conf['autostart'] && FB::Version.new(node['packages']['systemd'][ - 'version']) <= FB::Version.new('201') + service "#{timer_name} start only" do + only_if { conf['autostart'] } + service_name timer_name + action [:start] end - service_name timer_name - action [:start] end end From 8f9031916fde737b42be8c73a1b188da0682bc69 Mon Sep 17 00:00:00 2001 
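Review bot: The version comparison at the top of the new `if` now reads `node['packages']['systemd']['version']` unconditionally, whereas the removed `only_if` blocks only reached it after `conf['autostart']` was true. On a host where `node['packages']['systemd']` is absent this raises on nil even when no job sets autostart, so the change is not strictly the no-op the summary describes; whether any supported platform hits this is not visible here. A comment such as `# node['packages']['systemd'] must be populated by ohai; read even when no job sets autostart` would record the assumption. The retained comment says "Versions prior to 201", but the `else` branch also covers 201 itself. The enclosing action block starts outside the hunk.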
From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 004/188] Support RHEL_Family in fbit_tmpclean cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff expand actions on CentOS to all other RHEL_Family platforms. This diff needs stamp from [[chefit](https://www.internalfb.com/permission/group/965392640256092), [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697)] Reviewed By: joshuamiller01 Differential Revision: D45261981 fbshipit-source-id: 5eded266a277b639ca0723394d937f222908a983 --- cookbooks/fb_tmpclean/attributes/default.rb | 2 +- cookbooks/fb_tmpclean/metadata.rb | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_tmpclean/attributes/default.rb b/cookbooks/fb_tmpclean/attributes/default.rb index 938f6e2fb..1a4cf69cd 100644 --- a/cookbooks/fb_tmpclean/attributes/default.rb +++ b/cookbooks/fb_tmpclean/attributes/default.rb @@ -15,7 +15,7 @@ # limitations under the License. # -if node.centos? +if node.rhel_family? excludes = [ '.X11-unix', '.XIM-unix', diff --git a/cookbooks/fb_tmpclean/metadata.rb b/cookbooks/fb_tmpclean/metadata.rb index f4409da97..a05615ab3 100644 --- a/cookbooks/fb_tmpclean/metadata.rb +++ b/cookbooks/fb_tmpclean/metadata.rb 
@@ -10,5 +10,7 @@ supports 'debian' supports 'fedora' supports 'mac_os_x' +supports 'oracle' +supports 'redhat' supports 'ubuntu' depends 'fb_helpers' From 4b2b031d6c9948e8e218bb7873c72a4d2344ae62 Mon Sep 17 00:00:00 2001 From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 005/188] Support RHEL_Family in fb_chrony cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff just used latest rhel_family? functions and added more supported platforms. No effects on existing systems. This diff needs stamp from [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697) Differential Revision: D45111725 fbshipit-source-id: 6bf7af74b90a741ac71ea19b1bc169f60f4739d0 --- cookbooks/fb_chrony/metadata.rb | 2 ++ cookbooks/fb_chrony/recipes/default.rb | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_chrony/metadata.rb b/cookbooks/fb_chrony/metadata.rb index 28cd3c731..e4aa0dac6 100644 --- a/cookbooks/fb_chrony/metadata.rb +++ b/cookbooks/fb_chrony/metadata.rb @@ -9,6 +9,8 @@ supports 'centos' supports 'debian' supports 'fedora' +support 'oracle' supports 'redhat' +supports 'rocky' supports 'ubuntu' depends 'fb_helpers' diff --git a/cookbooks/fb_chrony/recipes/default.rb b/cookbooks/fb_chrony/recipes/default.rb index 05fb243f3..76901f056 100644 --- a/cookbooks/fb_chrony/recipes/default.rb 
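Review bot: In cookbooks/fb_chrony/metadata.rb the added line `support 'oracle'` is misspelled; every other line in the file, and in the sibling metadata changes of this series, uses `supports`. As written it is likely to raise NoMethodError when the metadata is evaluated, which would stop the cookbook from loading. The line should read `supports 'oracle'`.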
+++ b/cookbooks/fb_chrony/recipes/default.rb @@ -19,7 +19,7 @@ # limitations under the License. # -if node.platform_family?('rhel') || node.platform_family?('fedora') +if node.rhel_family? || node.fedora_family? chrony_svc = 'chronyd' chrony_conf = '/etc/chrony.conf' chrony_user = 'chrony' From 6b12bc8b5e13019a0a80106897c2082f3c6b03b4 Mon Sep 17 00:00:00 2001 From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 006/188] Support RHEL_Family in fb_fstab cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff simply add more supported platforms in the metadata This diff needs stamp from [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697) Differential Revision: D45262482 fbshipit-source-id: a1e10897b739c29e96123fcdccf8b038111a3bf3 --- cookbooks/fb_fstab/metadata.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/fb_fstab/metadata.rb b/cookbooks/fb_fstab/metadata.rb index 413005ded..17eadf307 100644 --- a/cookbooks/fb_fstab/metadata.rb +++ b/cookbooks/fb_fstab/metadata.rb @@ -8,5 +8,7 @@ version '0.0.1' supports 'centos' supports 'debian' +supports 'oracle' +supports 'redhat' supports 'ubuntu' depends 'fb_helpers' From 9ef745c9e794c06e9738c4b954c4138f421d86c9 Mon Sep 17 00:00:00 2001 
From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 007/188] Support RHEL_Family in fb_hosts cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff expand actions on CentOS to all other RHEL_Family platforms. This diff simply add more supported platforms in the metadate This diff needs stamp from [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697) Differential Revision: D45263447 fbshipit-source-id: 200368833ea06464132953e0fb43966a3c0475fe --- cookbooks/fb_hosts/metadata.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/fb_hosts/metadata.rb b/cookbooks/fb_hosts/metadata.rb index 3b0cca27c..41d6d3ba8 100644 --- a/cookbooks/fb_hosts/metadata.rb +++ b/cookbooks/fb_hosts/metadata.rb @@ -8,5 +8,7 @@ version '0.0.1' supports 'centos' supports 'debian' +supports 'oracle' +supports 'redhat' supports 'ubuntu' depends 'fb_helpers' From 726049dd8c17a6bc8ba209772c6d427d2876c1e3 Mon Sep 17 00:00:00 2001 
From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 008/188] Support RHEL_Family in fb_limits cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff simply add more supported platforms in the metadate This diff needs stamp from [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697) Differential Revision: D45263741 fbshipit-source-id: 044c581e251964c725d8fe4741a346ac1d515c3d --- cookbooks/fb_limits/metadata.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/fb_limits/metadata.rb b/cookbooks/fb_limits/metadata.rb index 967527cb6..47b747c28 100644 --- a/cookbooks/fb_limits/metadata.rb +++ b/cookbooks/fb_limits/metadata.rb @@ -8,5 +8,7 @@ version '0.0.1' supports 'centos' supports 'debian' +supports 'oracle' +supports 'redhat' supports 'ubuntu' depends 'fb_helpers' From 317bde73268a2a9f63abe0a51017c33425bf1bce Mon Sep 17 00:00:00 2001 
From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 009/188] Support RHEL_Family in fb_motd and fb_motd_settigns cookbooks Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff expand actions on CentOS to all other RHEL_Family platforms. This diff needs stamp from [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697) Differential Revision: D45263995 fbshipit-source-id: 2c87394d302f94906232e9e897dd65b8ffca3181 --- cookbooks/fb_motd/metadata.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/fb_motd/metadata.rb b/cookbooks/fb_motd/metadata.rb index 36fc95c8c..266b34924 100644 --- a/cookbooks/fb_motd/metadata.rb +++ b/cookbooks/fb_motd/metadata.rb @@ -8,6 +8,8 @@ version '0.0.1' supports 'centos' supports 'debian' +supports 'oracle' +supports 'redhat' supports 'ubuntu' supports 'mac_os_x' depends 'fb_helpers' From c737f3561c7e8fd3e49a2eca50dc6d6ee4825e0d Mon Sep 17 00:00:00 2001 
From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 010/188] Support RHEL_Family in fb_nsswitch cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff simply add more supported platforms in the metadate This diff needs stamp from [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697) Differential Revision: D45264038 fbshipit-source-id: 2bd9d1d0cc81ee9cef8a8b0eba9a36c3a04dd8ec --- cookbooks/fb_nsswitch/metadata.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/fb_nsswitch/metadata.rb b/cookbooks/fb_nsswitch/metadata.rb index 1ba0a47ff..2f64bb8b6 100644 --- a/cookbooks/fb_nsswitch/metadata.rb +++ b/cookbooks/fb_nsswitch/metadata.rb @@ -8,5 +8,7 @@ version '0.0.1' supports 'centos' supports 'debian' +supports 'oracle' +supports 'redhat' supports 'ubuntu' depends 'fb_helpers' From d74c38641afc1c375ecdb2c7b2d2ee59324340c1 Mon Sep 17 00:00:00 2001 
From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 011/188] Support RHEL_Family in fb_postfix cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff simply add more supported platforms in the metadate This diff needs stamp from [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697) Differential Revision: D45264076 fbshipit-source-id: 13415cd3211344b0cadc2538478a2457f8c3c38a --- cookbooks/fb_postfix/metadata.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/fb_postfix/metadata.rb b/cookbooks/fb_postfix/metadata.rb index c0ec2e0dd..f3aec7abc 100644 --- a/cookbooks/fb_postfix/metadata.rb +++ b/cookbooks/fb_postfix/metadata.rb @@ -6,4 +6,6 @@ description 'Installs/Configures postfix' source_url 'https://github.com/facebook/chef-cookbooks/' supports 'centos' +supports 'oracle' +supports 'redhat' version '0.0.1' From 1940475de304adc1f84965ceaa1372e8dca9003a Mon Sep 17 00:00:00 2001 
From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 012/188] Support RHEL_Family in fb_profile cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff simply add more supported platforms in the metadate This diff needs stamp from [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697) Differential Revision: D45264112 fbshipit-source-id: 112387fbff20bbfedb7a49b926d308a80ef7c4d6 --- cookbooks/fb_profile/metadata.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/fb_profile/metadata.rb b/cookbooks/fb_profile/metadata.rb index 21be3a2ea..e5416c68d 100644 --- a/cookbooks/fb_profile/metadata.rb +++ b/cookbooks/fb_profile/metadata.rb @@ -11,5 +11,7 @@ supports 'centos' supports 'debian' supports 'mac_os_x' +supports 'oracle' +supports 'redhat' supports 'ubuntu' depends 'fb_helpers' From a8aa45e0cd4fec1354bcc8cd44f5c7dabb6598c0 Mon Sep 17 00:00:00 2001 
From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 013/188] Support RHEL_Family in fb_sysstat cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff simply add more supported platforms in the metadate This diff needs stamp from [[chefit](https://www.internalfb.com/permission/group/965392640256092), [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697)] Differential Revision: D45264277 fbshipit-source-id: 3bfd6e6ec59c03b9c9149e24d4d3c3f4cbaf9e93 --- cookbooks/fb_sysstat/metadata.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/fb_sysstat/metadata.rb b/cookbooks/fb_sysstat/metadata.rb index 2d57e56d7..be5d44d9e 100644 --- a/cookbooks/fb_sysstat/metadata.rb +++ b/cookbooks/fb_sysstat/metadata.rb @@ -8,4 +8,6 @@ version '0.1.0' supports 'centos' supports 'fedora' +supports 'oracle' +supports 'redhat' depends 'fb_helpers' From 21e1a11993a9c69b192592a494977cb766ff552e Mon Sep 17 00:00:00 2001 
From: Li Lei Date: Mon, 1 May 2023 11:23:22 -0700 Subject: [PATCH 014/188] Support RHEL_Family in fb_timer cookbook Summary: As titled. By checking the [chef infra](https://fburl.com/0rmv1bnc) and [Meta implementation](https://fburl.com/code/tzjadwep), we know: - *platform*, **centos** and **redhat** are two platforms names - *platform_family*, **rhel** is a family name that contains centos, redhat, rocky and more. More context can be found in this [post](https://fburl.com/workplace/1qm17oop). It looks we have Centos only in prod ([1](https://fburl.com/scuba/chef/k4nsvzfe) and [2](https://fburl.com/scuba/chef/t6xy763c)), and CentOS, Redhat and OEL platforms in [IT/Corp](https://fburl.com/scuba/ifs_chef/l0wj716g). And we have no host running with version<7. This diff simply add more supported platforms in the metadate This diff needs stamp from [hm_data_plane](https://www.internalfb.com/permission/group/437546304210697) Differential Revision: D45264375 fbshipit-source-id: 570242a54d1237259ce2babb6940b2b7e1170561 --- cookbooks/fb_timers/metadata.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/fb_timers/metadata.rb b/cookbooks/fb_timers/metadata.rb index 1d052792d..49d0fa6fb 100644 --- a/cookbooks/fb_timers/metadata.rb +++ b/cookbooks/fb_timers/metadata.rb @@ -9,5 +9,7 @@ version '0.1.0' supports 'centos' supports 'debian' +supports 'oracle' +supports 'redhat' supports 'ubuntu' depends 'fb_systemd' From b149ef6f9af0157804a4843c6c5bcdfa9e9d0041 Mon Sep 17 00:00:00 2001 
From: Saravanan D Date: Tue, 2 May 2023 09:44:36 -0700 Subject: [PATCH 015/188] Library functions, logic encoding raid disks, firmwares Summary: * Moved existing logic to extract disk model, firmware and disks in mdarray as `FB::Storage` methods * No logic change to hosts with rootfs mounted on single disk. * On hosts where root is mounted on mdarray, we will now encode the sorted models, relative firmwares to aggregation labels. ``` # Separated by __ which is acceptable in ODS :__RAID__MZ1LB1T9HBLS-000FB__MZ1LB1T9HBLS-000FB__; :__RAID__EDW76F2Q__EDW76F2Q__; ``` Reviewed By: joshuamiller01 Differential Revision: D45419604 fbshipit-source-id: 25c37ad73ae55c2af609c0bf662400788baf179d --- cookbooks/fb_storage/libraries/storage.rb | 72 +++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/cookbooks/fb_storage/libraries/storage.rb b/cookbooks/fb_storage/libraries/storage.rb index 62a273534..c37a8f89c 100644 --- a/cookbooks/fb_storage/libraries/storage.rb +++ b/cookbooks/fb_storage/libraries/storage.rb 
@@ -31,6 +31,78 @@ class Storage # 'size' from sysfs always assumes 512 byte blocks SECTOR_SIZE = 512 + + # Helper function to make string compatible for ODS + # by replacing special characters with _ + def self.ods_compat(string) + string.gsub(/[^0-9a-zA-Z_-]/, '_') + end + + # Helper function to get disk model + def self.get_disk_model(node, block_device_name) + device = node['block_device'][block_device_name] + if device + if device['model'] + self.ods_compat(device['model'].to_s) + end + end + end + + # Helper function to get disk firmware + def self.get_disk_firmware(node, block_device_name) + device = node['block_device'][block_device_name] + if device + # When mounted on SATA, firmware is stored on rev + if device['rev'] + self.ods_compat(device['rev'].to_s) + # When mounted on NVME, firmware is stored on firmware_rev + elsif device['firmware_rev'] + self.ods_compat(device['firmware_rev'].to_s) + end + end + end + + # Helper function to get mdarray devices + def self.get_mdarray_devices(node, mdarray) + if node['mdadm'] + if node['mdadm'][mdarray] + if node['mdadm'][mdarray]['members'] + node['mdadm'][mdarray]['members'] + end + end + end + end + + # Helper function to extract sorted models and their + # relative firmwares of disks in mdarray with '__' + # delimiters + def self.get_mdarray_models_firmwares(node, mdarray) + disks_models = '' + disks_firmwares = '' + models_firmwares = [] + devices = self.get_mdarray_devices(node, mdarray) + devices.each do |device| + disk_model = self.get_disk_model(node, device) + disk_firmware = self.get_disk_firmware(node, device) + if disk_model && disk_firmware + # Create a hash of model => firmware + model_firmware = {} + model_firmware[disk_model] = disk_firmware + # Add it to the hash array + models_firmwares << model_firmware + end + end + # Sort the hash array by model + models_firmwares.sort_by! 
{ |model, _firmware| model.to_s } + models_firmwares.each do |model_firmware| + model_firmware.each do |model, firmware| + disks_models += model.to_s + '__' + disks_firmwares += firmware.to_s + '__' + end + end + return disks_models, disks_firmwares + end + # Helper function for hybrid XFS users. Given the index (into # `eligible_devices` of the device to be used for metadata, and the number # of filesystems we expect to create, it will return the size of each From 3650020f3138c7e19f5dad8c4dd71a63b7b7debc Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Tue, 2 May 2023 13:06:30 -0700 Subject: [PATCH 016/188] fb_timers: manage timers directly through systemd rather than via native chef resources Summary: Manage timers directly through systemd rather than via native chef resources. This is much more CPU and time performant; managing 50 timer units with the native service chef resource requires 50 expensive shellouts via systemctl (even when no change needs to be made), which we can collapse into a single shellout to gather the state of all 50 units, and then a single call to enable, and start. Reviewed By: dafyddcrosby Differential Revision: D45170124 fbshipit-source-id: 43dc16c23d882dec660816290d12f9b451cbdfbe --- cookbooks/fb_timers/libraries/default.rb | 29 ++++++++ cookbooks/fb_timers/resources/setup.rb | 30 +++++++- cookbooks/fb_timers/spec/default_spec.rb | 5 ++ cookbooks/fb_timers/spec/libraries_spec.rb | 82 ++++++++++++++++++++++ 4 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 cookbooks/fb_timers/libraries/default.rb create mode 100644 cookbooks/fb_timers/spec/libraries_spec.rb diff --git a/cookbooks/fb_timers/libraries/default.rb b/cookbooks/fb_timers/libraries/default.rb new file mode 100644 index 000000000..19a258f62 --- /dev/null +++ b/cookbooks/fb_timers/libraries/default.rb 
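Review bot: `get_mdarray_models_firmwares` calls `devices.each` on the result of `get_mdarray_devices`, which returns nil whenever `node['mdadm']`, the array entry or its `members` key is absent, so a host without that data raises NoMethodError instead of yielding empty labels. The `sort_by!` block also destructures `|model, _firmware|` over single-entry hashes, which Ruby does not splat, so the sort key is the hash's string form, not the model. Collecting `[model, firmware]` pairs and sorting those handles the nil case and makes the label order deterministic when two disks share a model. The fence shows the method rewritten that way; the three helper methods above it are unchanged.

```ruby
def self.get_mdarray_models_firmwares(node, mdarray)
  # get_mdarray_devices returns nil when the array or its members are absent
  devices = self.get_mdarray_devices(node, mdarray) || []
  pairs = devices.map do |device|
    [self.get_disk_model(node, device), self.get_disk_firmware(node, device)]
  end
  # Keep only disks where both values are known; order by model, then firmware
  pairs = pairs.select { |model, firmware| model && firmware }.sort
  disks_models = pairs.map { |model, _firmware| "#{model}__" }.join
  disks_firmwares = pairs.map { |_model, firmware| "#{firmware}__" }.join
  return disks_models, disks_firmwares
end
```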
@@ -0,0 +1,29 @@ +# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2 + +module FB + module Timers + # Take a list of systemd units, and gather up their status in a single + # class to systemctl, returning a hash + def self.get_systemd_unit_status(units) + systemctl_show = 'systemctl show -p Id -p UnitFileState -p ActiveState' + systemctl_show = "#{systemctl_show} #{units.join(' ')}" + so = Mixlib::ShellOut.new(systemctl_show).run_command + fail 'fb_timers: systemctl shellout failed!' if so.exitstatus != 0 + stdout = so.stdout + # Get rid of empty lines + stdout = stdout.split("\n").reject(&:empty?) + if stdout.size % 3 != 0 + fail 'fb_timers: unexpected output from systemctl unit status' + end + unit_status_map = {} + # Take three lines at a time, and create a hash entry for each keyed on + # unit id + until stdout.empty? + unit_status = stdout.pop(3) + id, active, unitfile = unit_status.map { |x| x.split('=')[1].to_s } + unit_status_map[id] = { :Active => active, :UnitFileState => unitfile } + end + unit_status_map + end + end +end diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index ef531a92e..9ac7b0f71 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb 
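Review bot: `get_systemd_unit_status` hands one interpolated string to `Mixlib::ShellOut.new`, so unit names, which the caller derives from `node['fb_timers']['jobs']`, may be parsed by a shell; the argument-list form keeps each name a literal argument. The parser also assumes every unit prints exactly `Id`, `ActiveState`, `UnitFileState` in that order and takes `split('=')[1]`, which ties the result to systemctl's output order and truncates any value containing `=`. Reading each blank-line-separated block into a key/value hash removes both assumptions and still returns the hash shape the spec expects. The doc comment says "single class to systemctl" where "single call" appears to be meant.

```ruby
def self.get_systemd_unit_status(units)
  # Argument-list form: unit names are never interpreted by a shell
  so = Mixlib::ShellOut.new(
    'systemctl', 'show', '-p', 'Id', '-p', 'UnitFileState',
    '-p', 'ActiveState', *units
  ).run_command
  # … unchanged: exit status check …
  unit_status_map = {}
  # systemctl separates units with a blank line; read each block by key
  so.stdout.split(/\n\s*\n/).each do |block|
    props = block.split("\n").select { |l| l.include?('=') }.
            map { |l| l.split('=', 2) }.to_h
    unless props['Id']
      fail 'fb_timers: unexpected output from systemctl unit status'
    end
    unit_status_map[props['Id']] = {
      :Active => props['ActiveState'].to_s,
      :UnitFileState => props['UnitFileState'].to_s,
    }
  end
  unit_status_map
end
```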
@@ -184,7 +184,35 @@ end # Setup services - if FB::Version.new(node['packages']['systemd']['version']) > + if node.in_shard?(0) && FB::Version.new(node['packages']['systemd']['version']) > + FB::Version.new('201') + # Build the list of timers with autostart enabled + enabled_timers = node['fb_timers']['jobs'].each_pair.select do |_name, conf| + conf['autostart'] + end.map { |_name, conf| "#{conf['name']}.timer" } + Chef::Log.debug("fb_timers: autostart enabled timers is: #{enabled_timers}") + timers_status = FB::Timers.get_systemd_unit_status(enabled_timers) + # Build the list of timers which need to be enabled + need_enable = timers_status.each_key.reject do |id| + timers_status[id][:UnitFileState] == 'enabled' + end + # Build the list of timers which need to be started + need_start = timers_status.each_key.reject do |id| + timers_status[id][:Active] == 'active' + end + if !need_enable.empty? + Chef::Log.info("fb_timers: enabling timers: #{need_enable}") + execute 'Enable systemd timers' do + command "systemctl enable #{need_enable.join(' ')}" + end + end + if !need_start.empty? + Chef::Log.info("fb_timers: starting timers: #{need_start}") + execute 'Start systemd timers' do + command "systemctl start #{need_start.join(' ')}" + end + end + elsif FB::Version.new(node['packages']['systemd']['version']) > FB::Version.new('201') node['fb_timers']['jobs'].to_hash.each_pair do |_name, conf| diff --git a/cookbooks/fb_timers/spec/default_spec.rb b/cookbooks/fb_timers/spec/default_spec.rb index 10d1660e9..1178efcea 100644 --- a/cookbooks/fb_timers/spec/default_spec.rb +++ b/cookbooks/fb_timers/spec/default_spec.rb @@ -88,6 +88,7 @@ ) do |node| allow(node).to receive(:systemd?).and_return(true) end.converge('fb_systemd::reload', described_recipe) do |node| + node.stub(:in_shard?).and_return(false) node.automatic['packages']['systemd']['version'] = '246.1' node.default['fb_timers']['jobs'] = { 'simple' => { 
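Review bot: The new `node.in_shard?(0)` branch calls `FB::Timers.get_systemd_unit_status(enabled_timers)` even when no job sets autostart, which runs `systemctl show` with no unit arguments; what that prints is not something this code controls, so a guard such as `timers_status = enabled_timers.empty? ? {} : FB::Timers.get_systemd_unit_status(enabled_timers)` is safer. Both `execute` resources also interpolate the unit ids into a command string; the array form, `command ['systemctl', 'enable', *need_enable]` and `command ['systemctl', 'start', *need_start]`, passes them as literal arguments without a shell. The systemd version comparison is now written twice in the `if`/`elsif` chain and could be computed once into a local. The enclosing action block starts outside the hunk.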
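Review bot: Stubbing `in_shard?` to false in spec/default_spec.rb means the converge spec only exercises the existing `service` path, and the two later hunks in this file leave the `run_execute('Enable systemd timers')` and `run_execute('Start systemd timers')` expectations commented out, so the new branch in resources/setup.rb has no converge-level coverage. A second context that returns true from `in_shard?` and stubs `FB::Timers.get_systemd_unit_status` would cover it. The added line uses the old `node.stub` syntax while the line directly above uses `allow(node).to receive(...)`; `allow(node).to receive(:in_shard?).and_return(false)` would match.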
@@ -194,6 +195,8 @@ expect(chef_run).to enable_service("#{job}.timer") expect(chef_run).to_not enable_service("#{job}.service") end + # Switch to this after moving to the new way + # expect(chef_run).to run_execute('Enable systemd timers') end it 'should start the timer unit' do @@ -201,6 +204,8 @@ expect(chef_run).to start_service("#{job}.timer") expect(chef_run).to_not start_service("#{job}.service") end + # Switch to this after moving to the new way + # expect(chef_run).to run_execute('Start systemd timers') end it 'should handle jobs with only_ifs' do diff --git a/cookbooks/fb_timers/spec/libraries_spec.rb b/cookbooks/fb_timers/spec/libraries_spec.rb new file mode 100644 index 000000000..fbd2ceee1 --- /dev/null +++ b/cookbooks/fb_timers/spec/libraries_spec.rb 
@@ -0,0 +1,82 @@ +require './spec/spec_helper' +require_relative '../../../../cookbooks/core/fb_timers/libraries/default' + +expected_service = { + # A service which is already active and enabled + 'a.service' => { + :Active => 'active', + :UnitFileState => 'enabled', + }, + # A service systemd doesn't know about + 'b.service' => { + :Active => 'inactive', + :UnitFileState => '', + }, +} + +expected_timer = { + # A timer which is already active and enabled + 'a.timer' => { + :Active => 'active', + :UnitFileState => 'enabled', + }, + # A timer systemd doesn't know about + 'b.timer' => { + :Active => 'inactive', + :UnitFileState => '', + }, +} + +service_list = ['a', 'b'] +service_list_with_type = ['a.service', 'b.service'] +systemctl_service_stdout = "Id=a.service\nActiveState=active\nUnitFileState" + + "=enabled\n\nId=b.service\nActiveState=inactive\nUnitFileState=\n" + +timer_list = ['a', 'b'] +timer_list_with_type = ['a.timer', 'b.timer'] +systemctl_timer_stdout = "Id=a.timer\nActiveState=active\nUnitFileState" + + "=enabled\n\nId=b.timer\nActiveState=inactive\nUnitFileState=\n" + +describe FB::Timers do + context 'get_systemd_unit_status' do + it 'should build the correct service status hash' do + allow_any_instance_of(Mixlib::ShellOut).to receive(:run_command). + and_return(double('shellout', :stdout => systemctl_service_stdout, :exitstatus => 0)) + service_status = FB::Timers.get_systemd_unit_status(service_list) + service_status.should eql(expected_service) + # If unit type is specified + service_status = FB::Timers.get_systemd_unit_status(service_list_with_type) + service_status.should eql(expected_service) + end + + it 'should build the correct timer status hash' do + allow_any_instance_of(Mixlib::ShellOut).to receive(:run_command). 
+ and_return(double('shellout', :stdout => systemctl_timer_stdout, :exitstatus => 0)) + timer_status = FB::Timers.get_systemd_unit_status(timer_list) + timer_status.should eql(expected_timer) + # If unit type is specified + timer_status = FB::Timers.get_systemd_unit_status(timer_list_with_type) + timer_status.should eql(expected_timer) + end + + it 'should fail when the systemctl shellout returns non zero' do + allow_any_instance_of(Mixlib::ShellOut).to receive(:run_command). + and_return(double('shellout', :stdout => '', :exitstatus => 1)) + expect do + FB::Timers.get_systemd_unit_status(service_list) + end.to raise_error( + RuntimeError, /fb_timers: systemctl shellout failed!/ + ) + end + + it 'should fail when unexpected stdout encountered' do + allow_any_instance_of(Mixlib::ShellOut).to receive(:run_command). + and_return(double('shellout', :stdout => 'wut', :exitstatus => 0)) + expect do + FB::Timers.get_systemd_unit_status(service_list) + end.to raise_error( + RuntimeError, /fb_timers: unexpected output from systemctl unit status/ + ) + end + end +end From 45e9eae123764554a4ffc1d762f3ff49e1054372 Mon Sep 17 00:00:00 2001 
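Review bot: Every example stubs `run_command` on any `Mixlib::ShellOut` instance and returns canned stdout, so nothing checks the command line the helper builds, and the "If unit type is specified" calls pass for any input list. Asserting the constructor argument would pin it, for example `expect(Mixlib::ShellOut).to receive(:new).with('systemctl show -p Id -p UnitFileState -p ActiveState a.timer b.timer').and_call_original` before the call with `timer_list_with_type`. The file also mixes `service_status.should eql(...)` with `expect do ... end.to raise_error`; `expect(service_status).to eql(expected_service)` would keep to one syntax.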
From: Joshua Miller Date: Tue, 2 May 2023 13:34:59 -0700 Subject: [PATCH 017/188] fb_timers: CPU perf improvements via avoiding read-write loops and node.rm Summary: If during a loop you modify an element of the node object, and then read from the same ImmutibleHash, it causes some kind of overhead which costs non-trivial amounts of CPU when iterating enough times. In other words: if you modify node.default['something'][...], then read from node['something'], and then loop and do that again and again, you get significant perf overhead. If the read is removed, this overhead is avoided; this diff takes an unnecessary read of `node['fb_timers']['_timer_path']` and captures it in an lvar, which saves ~5ms per iteration in my environment. While we're here, also switch from node.rm to node.rm_default, because that's also much less CPU expensive. Reviewed By: dafyddcrosby Differential Revision: D45459381 fbshipit-source-id: c641c67a3a6868a6bccb63d4b507a1d510295dad --- cookbooks/fb_timers/resources/setup.rb | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 9ac7b0f71..a9626d08a 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -17,8 +17,9 @@ # action :run do + timer_path = node['fb_timers']['_timer_path'] # Delete old jobs - Dir.glob("#{node['fb_timers']['_timer_path']}/*").each do |path| + Dir.glob("#{timer_path}/*").each do |path| # this doubles as the unit name. fname = ::File.basename(path) 
@@ -128,13 +129,13 @@ unless conf['only_if'].call Chef::Log.debug("fb_timers: Not including #{conf['name']}" + 'due to only_if') - node.rm('fb_timers', 'jobs', conf['name']) + node.rm_default('fb_timers', 'jobs', conf['name']) next end end %w{service timer}.each do |type| - filename = "#{node['fb_timers']['_timer_path']}/#{conf['name']}.#{type}" + filename = "#{timer_path}/#{conf['name']}.#{type}" template filename do source "#{type}.erb" mode '0644' @@ -232,9 +233,7 @@ link "/etc/systemd/system/timers.target.wants/#{timer_name}" do only_if { conf['autostart'] } - to lazy { - "#{node['fb_timers']['_timer_path']}/#{conf['name']}.timer" - } + to "#{timer_path}/#{conf['name']}.timer" end service "#{timer_name} start only" do @@ -250,7 +249,7 @@ # only delete symlinks ::File.symlink?(unit) && # whose targets are timer files - ::File.readlink(unit).start_with?(node['fb_timers']['_timer_path']) && + ::File.readlink(unit).start_with?(timer_path) && # whose targets don't exist !::File.exist?(::File.readlink(unit)) end From a297ece2b1260c0201d35e7bb9aa6cb8a0ed7c9b Mon Sep 17 00:00:00 2001 From: Ryan Yee Date: Wed, 3 May 2023 13:47:04 -0700 Subject: [PATCH 018/188] Add attribute to keep service alive Summary: Currently we do not enforce the fluentbit service is set to run at startup and kept running. One can manually disable/stop the service and it will not self-reenable. Lets add an attribute to control enforcement of the service state. Reviewed By: joshuamiller01 Differential Revision: D44970184 fbshipit-source-id: 482ae4678de51a317db3eec3c6f3e0b835be317b --- cookbooks/fb_fluentbit/README.md | 4 ++++ cookbooks/fb_fluentbit/attributes/default.rb | 3 +++ cookbooks/fb_fluentbit/metadata.rb | 2 ++ cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb | 8 +++++++- cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb | 8 +++++++- 5 files changed, 23 insertions(+), 2 deletions(-) 
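Review bot: Switching `node.rm('fb_timers', 'jobs', conf['name'])` to `node.rm_default(...)` narrows what is removed, because `rm` clears the key at every precedence level while `rm_default` clears only the default level. A job defined at normal or override level whose `only_if` returns false would therefore stay in `node['fb_timers']['jobs']` and be picked up by the later unit and autostart handling. If jobs are only ever meant to be set through `node.default`, that is fine, but the call should say so, e.g. `# rm_default is cheaper than rm; jobs must be defined via node.default`. The enclosing loop starts and ends outside the hunk.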
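Review bot: The cleanup guard `::File.readlink(unit).start_with?(timer_path)` is a plain string-prefix test, so a link whose target sits in a sibling directory that merely begins with the timer path (constructed example: `<timer_path>-old/foo.timer`) also counts as a timer file and becomes eligible for deletion. Now that the path is a local, anchoring it on the separator is a one-line change: `::File.readlink(unit).start_with?("#{timer_path}/") &&`. The predicate predates this commit, which only swaps the attribute read for the local. The enclosing block starts and ends outside the hunk.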
diff --git a/cookbooks/fb_fluentbit/README.md b/cookbooks/fb_fluentbit/README.md index 2d2da80fe..692a7815f 100644 --- a/cookbooks/fb_fluentbit/README.md +++ b/cookbooks/fb_fluentbit/README.md @@ -224,3 +224,7 @@ like so: restart_command = 'powershell.exe -File C:\restart-script.ps1' node.default['fb_fluentbit']['custom_svc_restart_command'] = restart_command ``` + +### Windows Service Enforcement +To ensure the service is active and enabled (set to Automatic) on Windows, +it can be configured with `node.default['fb_fluentbit']['keep_alive'] = true` diff --git a/cookbooks/fb_fluentbit/attributes/default.rb b/cookbooks/fb_fluentbit/attributes/default.rb index bf6ae6d16..32a5a632e 100644 --- a/cookbooks/fb_fluentbit/attributes/default.rb +++ b/cookbooks/fb_fluentbit/attributes/default.rb @@ -55,6 +55,9 @@ # Set custom restart commands for service resource 'custom_svc_restart_command' => nil, + # Keep service on Windows alive + 'keep_alive' => nil, + # use for users already migrated to FluentBit 1.9 and newer which changes # the binary, service, and directory names from td-agent-bit to fluent-bit # This property will change to true on October 2nd, 2023. diff --git a/cookbooks/fb_fluentbit/metadata.rb b/cookbooks/fb_fluentbit/metadata.rb index 2285ea18d..1c09ff200 100644 --- a/cookbooks/fb_fluentbit/metadata.rb +++ b/cookbooks/fb_fluentbit/metadata.rb @@ -8,3 +8,5 @@ version '0.1.0' supports 'centos' supports 'windows' + +depends 'fb_helpers' diff --git a/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb b/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb index bfacc8e28..bfab4b54c 100644 --- a/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb +++ b/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb 
@@ -138,10 +138,16 @@ if node.windows? windows_service 'FluentBit' do - action :nothing if node['fb_fluentbit']['custom_svc_restart_command'] restart_command node['fb_fluentbit']['custom_svc_restart_command'] end + action :nothing + end + + windows_service 'Keep Fluentbit Active' do + service_name 'FluentBit' + only_if { node['fb_fluentbit']['keep_alive'] } + action [:enable, :start] end else service 'fluent-bit' do diff --git a/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb b/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb index 8efd17cb7..e5f55a2cf 100644 --- a/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb +++ b/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb @@ -138,10 +138,16 @@ if node.windows? windows_service 'FluentBit' do - action :nothing if node['fb_fluentbit']['custom_svc_restart_command'] restart_command node['fb_fluentbit']['custom_svc_restart_command'] end + action :nothing + end + + windows_service 'Keep Fluentbit Active' do + service_name 'FluentBit' + only_if { node['fb_fluentbit']['keep_alive'] } + action [:enable, :start] end else service 'td-agent-bit' do From 2a8920db25a180d9fd1879f0855ff639a4a18da7 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 3 May 2023 13:47:11 -0700 Subject: [PATCH 019/188] fb_timers: fix require_relative path in libraries_spec to work in GH Summary: Fix require_relative path in libraries_spec to work in GH Differential Revision: D45500711 fbshipit-source-id: 46df08e140fb11ce08e122546df0110f5e9c4146 --- cookbooks/fb_timers/spec/libraries_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/spec/libraries_spec.rb b/cookbooks/fb_timers/spec/libraries_spec.rb index fbd2ceee1..ed06d92a5 100644 --- a/cookbooks/fb_timers/spec/libraries_spec.rb +++ b/cookbooks/fb_timers/spec/libraries_spec.rb 
@@ -1,5 +1,5 @@ require './spec/spec_helper' -require_relative '../../../../cookbooks/core/fb_timers/libraries/default' +require_relative '../libraries/default' expected_service = { # A service which is already active and enabled From e2f188a580001696f392c6eb0e4a6ed02f78949c Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Thu, 4 May 2023 09:45:25 -0700 Subject: [PATCH 020/188] Rollout fb_timers manage directly through systemd rather than via native chef resources 1% -> 2% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Reviewed By: dafyddcrosby Differential Revision: D45501926 fbshipit-source-id: bd522655399aa057425e55824055ebeca0ced08a --- cookbooks/fb_timers/resources/setup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index a9626d08a..9d00b817e 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -185,7 +185,7 @@ end # Setup services - if node.in_shard?(0) && FB::Version.new(node['packages']['systemd']['version']) > + if node.in_shard?(1) && FB::Version.new(node['packages']['systemd']['version']) > FB::Version.new('201') # Build the list of timers with autostart enabled enabled_timers = node['fb_timers']['jobs'].each_pair.select do |_name, conf| From 2528edf7fefbbd22aca552eb7655bc723f6b3e0a Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Thu, 4 May 2023 16:13:13 -0700 Subject: [PATCH 021/188] Rollout fb_timers manage directly through systemd rather than via native chef resources 2% -> 5% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Reviewed By: dafyddcrosby Differential Revision: D45501921 fbshipit-source-id: 981413141baca9bfea9d21731fec5b1da96d2b59 --- cookbooks/fb_timers/resources/setup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 9d00b817e..f657fd528 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -185,7 +185,7 @@ end # Setup services - if node.in_shard?(1) && FB::Version.new(node['packages']['systemd']['version']) > + if node.in_shard?(4) && FB::Version.new(node['packages']['systemd']['version']) > FB::Version.new('201') # Build the list of timers with autostart enabled enabled_timers = node['fb_timers']['jobs'].each_pair.select do |_name, conf| From 4af317784299b5d2f0cd6b4b79097e187bdecd60 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Fri, 5 May 2023 11:10:29 -0700 Subject: [PATCH 022/188] Rollout fb_timers manage directly through systemd rather than via native chef resources 5% -> 15% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Reviewed By: dafyddcrosby Differential Revision: D45501924 fbshipit-source-id: 99a79da6c88922783fa855592fc187600fb79dfc --- cookbooks/fb_timers/resources/setup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index f657fd528..f5356ce85 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -185,7 +185,7 @@ end # Setup services - if node.in_shard?(4) && FB::Version.new(node['packages']['systemd']['version']) > + if node.in_shard?(14) && FB::Version.new(node['packages']['systemd']['version']) > FB::Version.new('201') # Build the list of timers with autostart enabled enabled_timers = node['fb_timers']['jobs'].each_pair.select do |_name, conf| From abf93e18309179d9fa961a083f8c7b9a2d7c09b9 Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Mon, 8 May 2023 11:09:11 -0700 Subject: [PATCH 023/188] Rollout fb_timers manage directly through systemd rather than via native chef resources 15% -> 25% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Reviewed By: dafyddcrosby Differential Revision: D45501922 fbshipit-source-id: 39e06bee2ece139b4bec6ab2e452d5fcae41c44b --- cookbooks/fb_timers/resources/setup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index f5356ce85..e73cb808f 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -185,7 +185,7 @@ end # Setup services - if node.in_shard?(14) && FB::Version.new(node['packages']['systemd']['version']) > + if node.in_shard?(24) && FB::Version.new(node['packages']['systemd']['version']) > FB::Version.new('201') # Build the list of timers with autostart enabled enabled_timers = node['fb_timers']['jobs'].each_pair.select do |_name, conf| From a43f4140185fbfc7a3475588b866fbbad329afff Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Mon, 8 May 2023 16:30:05 -0700 Subject: [PATCH 024/188] Rollout fb_timers manage directly through systemd rather than via native chef resources 25% -> 40% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Reviewed By: dafyddcrosby Differential Revision: D45501923 fbshipit-source-id: 51fe2cb4e7a62bc150e39ccdfc4f4e0768148326 --- cookbooks/fb_timers/resources/setup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index e73cb808f..d12cfe394 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb 
@@ -185,7 +185,7 @@ end # Setup services - if node.in_shard?(24) && FB::Version.new(node['packages']['systemd']['version']) > + if node.in_shard?(39) && FB::Version.new(node['packages']['systemd']['version']) > FB::Version.new('201') # Build the list of timers with autostart enabled enabled_timers = node['fb_timers']['jobs'].each_pair.select do |_name, conf| From 152728bda0e617b44230483beafd15b75ca37c9f Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Tue, 9 May 2023 08:58:59 -0700 Subject: [PATCH 025/188] Rollout fb_timers manage directly through systemd rather than via native chef resources 40% -> 60% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Reviewed By: dafyddcrosby Differential Revision: D45501918 fbshipit-source-id: db700be5de63820f917a589fa53fbd0f85bcdc3d --- cookbooks/fb_timers/resources/setup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index d12cfe394..5cfdfae6a 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -185,7 +185,7 @@ end # Setup services - if node.in_shard?(39) && FB::Version.new(node['packages']['systemd']['version']) > + if node.in_shard?(59) && FB::Version.new(node['packages']['systemd']['version']) > FB::Version.new('201') # Build the list of timers with autostart enabled enabled_timers = node['fb_timers']['jobs'].each_pair.select do |_name, conf| From 95b69df24f931bf330a2bb6c7d5dbbdf0e7e8735 Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Tue, 9 May 2023 17:30:29 -0700 Subject: [PATCH 026/188] Rollout fb_timers manage directly through systemd rather than via native chef resources 60% -> 80% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Reviewed By: dafyddcrosby Differential Revision: D45501920 fbshipit-source-id: 97895230dffabc6788c657af49d2c0f1ddaf35c0 --- cookbooks/fb_timers/resources/setup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 5cfdfae6a..29b5d90f4 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -185,7 +185,7 @@ end # Setup services - if node.in_shard?(59) && FB::Version.new(node['packages']['systemd']['version']) > + if node.in_shard?(79) && FB::Version.new(node['packages']['systemd']['version']) > FB::Version.new('201') # Build the list of timers with autostart enabled enabled_timers = node['fb_timers']['jobs'].each_pair.select do |_name, conf| From f69fe694147a3e91c86d7ca8aa51205eccd0e935 Mon Sep 17 00:00:00 2001 From: Michael van der Westhuizen Date: Wed, 10 May 2023 04:45:11 -0700 Subject: [PATCH 027/188] Pin c9 rsyslog version in image builds Summary: Newer rsyslog has a bug in container builds where it exits immediately. While we figure out why (which is more complicated than one would expect), reflect changes in D45715090 into Chef solo runs so that booted container runs (i.e. Chef Solo runs) based on images built with booted container runs (i.e. Tupperware Base Image derivatives, in our case the Sandcastle Worker image) once again work. Reviewed By: wilkotom Differential Revision: D45725790 fbshipit-source-id: a943ef64d8bea056ab2243fa7ac0d9d925450d89 --- cookbooks/fb_syslog/recipes/packages.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/cookbooks/fb_syslog/recipes/packages.rb b/cookbooks/fb_syslog/recipes/packages.rb index 3231895cc..7bff0a681 100644 --- a/cookbooks/fb_syslog/recipes/packages.rb +++ b/cookbooks/fb_syslog/recipes/packages.rb @@ -20,7 +20,15 @@ return if node.macos? package 'rsyslog' do - action :upgrade + # TODO(T152951763): Pin rsyslog to 8.2102.0.105.el9 in Antlir builds + # See D45729033 for the Antlir counterpart + if node.centos9? && node.antlir_build? + version '8.2102.0.105.el9' + action :install + allow_downgrade true + else + action :upgrade + end end # TODO(davide125): Document this From 9a5b0774d0bc00929b54504f5c57fb9ef3520309 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 10 May 2023 08:22:26 -0700 Subject: [PATCH 028/188] Rollout fb_timers manage directly through systemd rather than via native chef resources 80% -> 100% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Reviewed By: dafyddcrosby Differential Revision: D45501919 fbshipit-source-id: 24f55f4cf5e24faf24107fc1d7289132768dcf69 --- cookbooks/fb_timers/resources/setup.rb | 15 +-------------- cookbooks/fb_timers/spec/default_spec.rb | 15 ++------------- 2 files changed, 3 insertions(+), 27 deletions(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 29b5d90f4..3a1381b8f 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -185,8 +185,7 @@ end # Setup services - if node.in_shard?(79) && FB::Version.new(node['packages']['systemd']['version']) > - FB::Version.new('201') + if FB::Version.new(node['packages']['systemd']['version']) > FB::Version.new('201') # Build the list of timers with autostart enabled enabled_timers = node['fb_timers']['jobs'].each_pair.select do |_name, conf| conf['autostart'] 
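Review bot: The pin in the `node.centos9? && node.antlir_build?` branch holds rsyslog at one build with `action :install`, so those images stop receiving rsyslog updates, security fixes included, until someone removes it. The TODO names the task but not the exit condition. A comment such as `# Remove the pin and return to :upgrade once the container-exit bug in T152951763 is fixed` would make that explicit. The version string `'8.2102.0.105.el9'` should also be checked against the package's version-release form, since a later patch on this page changes it to `'8.2102.0-105.el9'`.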
@@ -213,18 +212,6 @@ command "systemctl start #{need_start.join(' ')}" end end - elsif FB::Version.new(node['packages']['systemd']['version']) > - FB::Version.new('201') - - node['fb_timers']['jobs'].to_hash.each_pair do |_name, conf| - timer_name = "#{conf['name']}.timer" - - service "#{timer_name} enable/start" do - only_if { conf['autostart'] } - service_name timer_name - action [:enable, :start] - end - end else # Versions prior to 201 did not support enablement of unit symlinks. # Workaround is to create the following symlink. diff --git a/cookbooks/fb_timers/spec/default_spec.rb b/cookbooks/fb_timers/spec/default_spec.rb index 1178efcea..a28f578cf 100644 --- a/cookbooks/fb_timers/spec/default_spec.rb +++ b/cookbooks/fb_timers/spec/default_spec.rb @@ -88,7 +88,6 @@ ) do |node| allow(node).to receive(:systemd?).and_return(true) end.converge('fb_systemd::reload', described_recipe) do |node| - node.stub(:in_shard?).and_return(false) node.automatic['packages']['systemd']['version'] = '246.1' node.default['fb_timers']['jobs'] = { 'simple' => { @@ -191,21 +190,11 @@ # fb_systemd_reload[system instance] to run immediately it 'should enable the timer unit' do - timer_jobs.each do |job| - expect(chef_run).to enable_service("#{job}.timer") - expect(chef_run).to_not enable_service("#{job}.service") - end - # Switch to this after moving to the new way - # expect(chef_run).to run_execute('Enable systemd timers') + expect(chef_run).to run_execute('Enable systemd timers') end it 'should start the timer unit' do - timer_jobs.each do |job| - expect(chef_run).to start_service("#{job}.timer") - expect(chef_run).to_not start_service("#{job}.service") - end - # Switch to this after moving to the new way - # expect(chef_run).to run_execute('Start systemd timers') + expect(chef_run).to run_execute('Start systemd timers') end it 'should handle jobs with only_ifs' do From b35276ed40a7e9bcc4a9d095f49c846a951cfa51 Mon Sep 17 00:00:00 2001 
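Review bot: The rewritten examples in `default_spec.rb` only assert that `execute 'Enable systemd timers'` and `execute 'Start systemd timers'` run, so they no longer check which units are acted on. The removed loop asserted every `#{job}.timer` and that no `.service` unit was enabled or started. Matching on the command restores that coverage, e.g. `expect(chef_run).to run_execute('Enable systemd timers').with(:command => expected_enable_cmd)`, where `expected_enable_cmd` is a placeholder for the command string the spec expects. How `FB::Timers.get_systemd_unit_status` is stubbed for this context is not visible in the hunk.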
From: Gilbert Sanchez Date: Wed, 10 May 2023 10:58:23 -0700 Subject: [PATCH 029/188] Add disable PowerShell v2 feature Summary: Reviewed By: AadityaNair Differential Revision: D45713557 fbshipit-source-id: a4573894ca8b4b6835c39b27f680e9c20ad0bf4b --- cookbooks/fb_powershell/README.md | 9 +++++++++ cookbooks/fb_powershell/attributes/default.rb | 1 + cookbooks/fb_powershell/recipes/windows.rb | 10 ++++++++++ 3 files changed, 20 insertions(+) diff --git a/cookbooks/fb_powershell/README.md b/cookbooks/fb_powershell/README.md index 14bd10a10..d68f8b084 100644 --- a/cookbooks/fb_powershell/README.md +++ b/cookbooks/fb_powershell/README.md @@ -13,6 +13,7 @@ Attributes * node['fb_powershell']['powershell']['manage'] * node['fb_powershell']['powershell']['version'] +* node['fb_powershell']['powershell']['disable_v2'] * node['fb_powershell']['pwsh']['manage'] * node['fb_powershell']['pwsh']['version'] * node['fb_powershell']['pwsh']['version'] @@ -26,6 +27,14 @@ Usage If you include the cookbook, it won't manage anything by default. You'll need to set the appropriate attributes depending on your OS. +### Disable PowerShell v2 + +This should be the first thing you set. PowerShell v2 is a huge security risk. + +``` +node.default['fb_powershell']['powershell']['disable_v2'] = true +``` + ### powershell vs pwsh Microsoft decided that when it open sourced PowerShell that it would be good to diff --git a/cookbooks/fb_powershell/attributes/default.rb b/cookbooks/fb_powershell/attributes/default.rb index e86229326..3dc5c4370 100644 --- a/cookbooks/fb_powershell/attributes/default.rb +++ b/cookbooks/fb_powershell/attributes/default.rb @@ -20,6 +20,7 @@ 'powershell' => { 'manage' => false, 'version' => nil, + 'disable_v2' => false, }, # Opensource PowerShell aka Core 'pwsh' => { diff --git a/cookbooks/fb_powershell/recipes/windows.rb b/cookbooks/fb_powershell/recipes/windows.rb index e95c1e0e8..c1e690154 100644 --- a/cookbooks/fb_powershell/recipes/windows.rb 
+++ b/cookbooks/fb_powershell/recipes/windows.rb @@ -22,6 +22,16 @@ # Windows will has WindowsPowershell plus it can also run Pwsh 6+ (open source) +# Remove PowerShell v2 +windows_feature_dism 'powershell2' do + only_if do + node['fb_powershell']['powershell']['disable_v2'] && + registry_key_exists?('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\2') + end + feature_name 'MicrosoftWindowsPowerShellV2Root' + action :remove +end + # Windows Powershell # Upgrade to latest package if no specific version given chocolatey_package 'upgrade windows powershell' do From 5ec6876b4237b4d3b4ac97970670ce0886f7aac7 Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Wed, 10 May 2023 11:54:16 -0700 Subject: [PATCH 030/188] fb_helpers: include cookbook name in error message Summary: Reviewed By: DanielGrzegorzewski Differential Revision: D45709812 fbshipit-source-id: 981a95f5c31130442ce9fda5b66137fac3226f74 --- cookbooks/fb_helpers/libraries/node_methods.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index d369404da..34905828f 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -43,7 +43,7 @@ def _canonical_version(version) elsif version.class == FB::Version version else - fail 'EL Version comparison can only be performed with strings and integers' + fail 'fb_helpers: EL Version comparison can only be performed with strings and integers' end end From 4c4f02d12cda50dd9eab8afa694bebf90c99684d Mon Sep 17 00:00:00 2001 
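Review bot: The `only_if` on `windows_feature_dism 'powershell2'` ties removal to the presence of the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\2` rather than to the state of the feature itself, so on a host where the feature is still enabled but that key is absent the removal is skipped without a log line. If the key check is only there to avoid a slow feature query, say so in a comment. Otherwise the guard could be reduced to `only_if { node['fb_powershell']['powershell']['disable_v2'] }`, leaving the resource to decide whether anything needs removing. The attribute also defaults to `false`, and since the README added in this commit calls v2 a security risk, the default deserves a comment explaining why it is opt-in.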
From: Davide Cavalca Date: Wed, 10 May 2023 15:15:15 -0700 Subject: [PATCH 031/188] fb_grub: rework platform logic and add support for Fedora Summary: This generally simplifies the existing logic Reviewed By: dafyddcrosby Differential Revision: D44694707 fbshipit-source-id: 801370be2a7a4be9ef26827bbd853c1ec14af4de --- cookbooks/fb_grub/attributes/default.rb | 46 +++++++++++++++---------- cookbooks/fb_grub/recipes/default.rb | 5 +++ 2 files changed, 32 insertions(+), 19 deletions(-) diff --git a/cookbooks/fb_grub/attributes/default.rb b/cookbooks/fb_grub/attributes/default.rb index 1b7d64068..728ee9107 100644 --- a/cookbooks/fb_grub/attributes/default.rb +++ b/cookbooks/fb_grub/attributes/default.rb @@ -18,16 +18,22 @@ version = node.centos6? ? 1 : 2 grub2_base_dir = '/boot/grub2' -if node.centos6? || node.redhat? +case node['platform'] +when 'centos' + vendor = node.centos6? ? 'redhat' : 'centos' +when 'redhat' vendor = 'redhat' -elsif node.debian? +when 'debian' grub2_base_dir = '/boot/grub' vendor = 'debian' -elsif node.ubuntu? - vendor = 'ubuntu' +when 'fedora' + vendor = 'fedora' +when 'ubuntu' grub2_base_dir = '/boot/grub' + vendor = 'ubuntu' else - vendor = 'centos' + # Not explicitly failing here because we're in attributes + vendor = nil end fb_grub = { 
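Review bot: The new `else` branch sets `vendor = nil` where the old code fell back to `'centos'`, so any platform outside the five `when` arms (constructed example: a CentOS derivative reporting a different `node['platform']`) no longer gets an EFI vendor directory. That goes beyond the "simplifies the existing logic" summary. It is reasonable alongside the recipe-side failure added in this commit, but the comment could say so: `# Unlisted platforms used to default to 'centos'; they now get no vendor and are rejected in recipes/default.rb`. The `case` also compares `node['platform']` strings where the old code used helpers such as `node.debian?`; whether those helpers matched on platform or platform family is not visible here, so Debian and Ubuntu derivatives should be checked.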
@@ -78,20 +84,22 @@ 'environment' => {}, } -# Set the path to the grub config files -vendor_dir = "/boot/efi/EFI/#{vendor}" -fb_grub['_efi_vendor_dir'] = vendor_dir -fb_grub['_grub_config_efi'] = "#{vendor_dir}/grub.conf" -fb_grub['_grub2_config_efi'] = "#{vendor_dir}/grub.cfg" -fb_grub['_grub_config_bios'] = "#{fb_grub['_grub_base_dir']}/grub.conf" -fb_grub['_grub2_config_bios'] = "#{fb_grub['_grub2_base_dir']}/grub.cfg" -# Have a 'current' variable that will point to the one that should be in use -if node.efi? - fb_grub['_grub_config'] = fb_grub['_grub_config_efi'] - fb_grub['_grub2_config'] = fb_grub['_grub2_config_efi'] -else - fb_grub['_grub_config'] = fb_grub['_grub_config_bios'] - fb_grub['_grub2_config'] = fb_grub['_grub2_config_bios'] +unless vendor.nil? + # Set the path to the grub config files + vendor_dir = "/boot/efi/EFI/#{vendor}" + fb_grub['_efi_vendor_dir'] = vendor_dir + fb_grub['_grub_config_efi'] = "#{vendor_dir}/grub.conf" + fb_grub['_grub2_config_efi'] = "#{vendor_dir}/grub.cfg" + fb_grub['_grub_config_bios'] = "#{fb_grub['_grub_base_dir']}/grub.conf" + fb_grub['_grub2_config_bios'] = "#{fb_grub['_grub2_base_dir']}/grub.cfg" + # Have a 'current' variable that will point to the one that should be in use + if node.efi? + fb_grub['_grub_config'] = fb_grub['_grub_config_efi'] + fb_grub['_grub2_config'] = fb_grub['_grub2_config_efi'] + else + fb_grub['_grub_config'] = fb_grub['_grub_config_bios'] + fb_grub['_grub2_config'] = fb_grub['_grub2_config_bios'] + end end # Finally set the defaults diff --git a/cookbooks/fb_grub/recipes/default.rb b/cookbooks/fb_grub/recipes/default.rb index c5efc4899..e073d91cd 100644 --- a/cookbooks/fb_grub/recipes/default.rb +++ b/cookbooks/fb_grub/recipes/default.rb 
@@ -18,6 +18,11 @@ # limitations under the License. # +# Keep this in sync with the platform list in attributes +unless %{centos debian fedora redhat ubuntu}.include?(node['platform']) + fail "fb_grub: this platform is not supported: #{node['platform']}" +end + include_recipe 'fb_grub::packages' include_recipe 'fb_grub::validate' include_recipe 'fb_grub::config' From 3c08cea9f287fcec6fca96ceb057d4dde95eeea5 Mon Sep 17 00:00:00 2001 From: Saravanan D Date: Fri, 12 May 2023 06:06:23 -0700 Subject: [PATCH 032/188] New attribute search_enabled Summary: * S341260 revealed that vendor coreboot images have crude assumptions (first 5 lines) to [parse our grub.cfg](https://www.internalfb.com/phabricator/paste/view/P713678956?lines=168-155) and grep for terms like "search" * Gated retry, search template code under search_enabled attribute * Added logic to darwin fboss recipe to turn off template code that uses search command to hunt for grubenv Reviewed By: DanielGrzegorzewski Differential Revision: D45791452 fbshipit-source-id: 9b5b13b850386b1b47d80e3c3313546e96449a36 --- cookbooks/fb_grub/attributes/default.rb | 1 + cookbooks/fb_grub/templates/default/grub2.cfg.erb | 2 ++ 2 files changed, 3 insertions(+) diff --git a/cookbooks/fb_grub/attributes/default.rb b/cookbooks/fb_grub/attributes/default.rb index 728ee9107..dd128de34 100644 --- a/cookbooks/fb_grub/attributes/default.rb +++ b/cookbooks/fb_grub/attributes/default.rb @@ -82,6 +82,7 @@ 'users' => {}, 'require_auth_on_boot' => false, 'environment' => {}, + 'search_enabled' => true, } unless vendor.nil? diff --git a/cookbooks/fb_grub/templates/default/grub2.cfg.erb b/cookbooks/fb_grub/templates/default/grub2.cfg.erb index c84a1e35b..52924d1d7 100644 --- a/cookbooks/fb_grub/templates/default/grub2.cfg.erb +++ b/cookbooks/fb_grub/templates/default/grub2.cfg.erb 
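Review bot: `%{centos debian fedora redhat ubuntu}` in the new guard is a string literal, not a word array, so `.include?(node['platform'])` does a substring test against `"centos debian fedora redhat ubuntu"`. It happens to accept the five listed names, but it also accepts any platform string that is a fragment of that text, and it raises `TypeError` instead of the intended message if `node['platform']` is nil. The array form is a one-character change: `unless %w{centos debian fedora redhat ubuntu}.include?(node['platform'])`.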
@@ -150,11 +150,13 @@ else load_env -f ($root)/grub2/grubenv elif [ -f ($root)/boot/grub2/grubenv ]; then load_env -f ($root)/boot/grub2/grubenv +<% if node['fb_grub']['search_enabled'] -%> else search --set=retry --label / if [ -f ($retry)/boot/efi/EFI/centos/grubenv ]; then load_env -f ($retry)/boot/efi/EFI/centos/grubenv fi +<% end -%> fi fi From a20e9eca18874e42fd9e8c249bbf2c8a89f1e93a Mon Sep 17 00:00:00 2001 From: Michael van der Westhuizen Date: Fri, 12 May 2023 06:17:22 -0700 Subject: [PATCH 033/188] Remove deprecated allow_downgrade, correct version Summary: We recently started pinning a version of rsyslog to work around other bugs, and cargo-culted in an `allow_downgrade` statement. It seems as though triggering this warning ends up triggering this: undefined method `id' for # ... and then the world explodes. Let's avoid that. Reviewed By: AadityaNair Differential Revision: D45811785 fbshipit-source-id: adeb428984cbf7d07da738e2b78acaf218956ff6 --- cookbooks/fb_syslog/recipes/packages.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cookbooks/fb_syslog/recipes/packages.rb b/cookbooks/fb_syslog/recipes/packages.rb index 7bff0a681..43ea5ecd5 100644 --- a/cookbooks/fb_syslog/recipes/packages.rb +++ b/cookbooks/fb_syslog/recipes/packages.rb @@ -23,9 +23,8 @@ # TODO(T152951763): Pin rsyslog to 8.2102.0.105.el9 in Antlir builds # See D45729033 for the Antlir counterpart if node.centos9? && node.antlir_build? - version '8.2102.0.105.el9' + version '8.2102.0-105.el9' action :install - allow_downgrade true else action :upgrade end From 821eaf17d2c469f2937c3b321408e4e14bdab4c2 Mon Sep 17 00:00:00 2001 
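Review bot: The new `search_enabled` attribute appears to be undocumented, because the commit's diffstat touches only the attributes file and this template. If the cookbook README lists attributes, add `node['fb_grub']['search_enabled']` with a sentence saying that false drops the `search --set=retry --label /` fallback. It should also say that no grubenv is then loaded when none of the fixed paths exists. The surrounding `if`/`elif` chain begins outside this hunk.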
From: Matteo Croce Date: Tue, 16 May 2023 08:47:14 -0700 Subject: [PATCH 034/188] Add whole disks instead of partitions in `devices_to_skip` Summary: In `storage.rb` there is `devices_to_skip` which is filled with all the devices to skip, which are the ones for / and /boot. If / is mounted from a RAID array, all the devices in the array (e.g. /dev/sda1 and /dev/sdb1) are added to devices_to_skip. But when doing so, partitions are added, not disks. While at at: - fix device_name_from_partition() which was unable to handle loop devices and few others - fix typos in comments - add more tests Differential Revision: D45199010 fbshipit-source-id: 7f94df0b70ae416c639928255f6b4b401068adf0 --- cookbooks/fb_storage/libraries/storage.rb | 37 ++++++++++++++++++++--- cookbooks/fb_storage/spec/storage_spec.rb | 5 +++ 2 files changed, 38 insertions(+), 4 deletions(-) diff --git a/cookbooks/fb_storage/libraries/storage.rb b/cookbooks/fb_storage/libraries/storage.rb index c37a8f89c..e18ae08ff 100644 --- a/cookbooks/fb_storage/libraries/storage.rb +++ b/cookbooks/fb_storage/libraries/storage.rb @@ -165,7 +165,9 @@ def self.devices_to_skip(node, strict = false) to_skip.dup.each do |oot_dev| if oot_dev&.start_with?('md') Dir.glob("/sys/block/#{oot_dev}/slaves/*").each do |x| - to_skip << ::File.basename(x) + rawdev = '/dev/' + ::File.basename(x) + rawdev = device_name_from_existing_partition(rawdev) + to_skip << ::File.basename(rawdev) end end end @@ -219,9 +221,9 @@ def self.partition_device_name(device, partnum) "#{device}#{prefix}#{partnum}" end - # Given a device including a partiition, return just the device without + # Given a device including a partition, return just the device without # the partition. i.e. - # /dev/sda1 -> /dev/sd + # /dev/sda1 -> /dev/sda # /dev/md0p0 -> /dev/md0 # /dev/nvme0n1p0 -> /dev/nvm0n1 # 
@@ -238,8 +240,13 @@ def self.partition_device_name(device, partnum) # So, for devices that we *know* would require such # a thing, we also force them to use that regex, so if someone erroneously # passes in `/dev/md0`, we give them back `/dev/md0`. + # Special treatment is needed for /dev/loop0 because the trailing "p0" can trick the + # regexp and we return an invalid "/dev/loo" device. def self.device_name_from_partition(partition) - if partition =~ /[0-9]+p[0-9]+$/ || partition =~ %r{/(nvme|etherd|md|nbd)} + if partition =~ %r{/loop[0-9]+$} + return partition + end + if partition =~ /[0-9]+p[0-9]+$/ || partition =~ %r{/(nvme|etherd|md|nbd|ram|sr)} re = /p[0-9]+$/ else re = /[0-9]+$/ @@ -247,6 +254,28 @@ def self.device_name_from_partition(partition) partition.sub(re, '') end + # Given a device including a partition, return just the device without + # the partition. i.e. + # /dev/sda1 -> /dev/sda + # /dev/md0p0 -> /dev/md0 + # /dev/nvme0n1p0 -> /dev/nvm0n1 + # + # this works by looking for /sys/class/block/$dev/partition + # to ensure that the device is a partition, then using + # realpath on /sys/class/block/$dev/.. to get the disk, + # as in sysfs the partitions are represented as subdirectories + # of disk devices. + def self.device_name_from_existing_partition(partition) + sys = '/sys/class/block/' + File.basename(partition) + + if !File.exist?(sys) || !File.exist?(sys + '/partition') + return partition + end + + sys = File.realpath(sys + '/..') + '/dev/' + File.basename(sys) + end + # External automation can pass us disks to rebuild for hot-swap. In order # to ensure atomicity, we have one file per device, named by that device. def self.disks_from_automation diff --git a/cookbooks/fb_storage/spec/storage_spec.rb b/cookbooks/fb_storage/spec/storage_spec.rb index afa272bd7..d0f96b013 100644 --- a/cookbooks/fb_storage/spec/storage_spec.rb +++ b/cookbooks/fb_storage/spec/storage_spec.rb 
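Review bot: The name list in `device_name_from_partition` is still an incomplete allowlist: a whole-disk name that ends in a digit and is not listed, such as `/dev/mmcblk0` or `/dev/zram0`, falls into the `else` branch and loses its trailing digits. Adding `ram` and `sr` fixes two cases, but the limitation deserves a comment above the method, for example `# NOTE: whole-disk names ending in a digit must be listed below or they are truncated`. Alternatively extend the alternation, e.g. `%r{/(nvme|etherd|md|nbd|ram|sr|mmcblk|zram)}`. The alternation is also a prefix match on the basename, so anything starting with `sr` or `ram` takes the `p[0-9]+` path. The method body continues into the next hunk.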
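Review bot: `device_name_from_existing_partition` now decides which disks land in `devices_to_skip`, yet the spec changes in this commit only extend the `device_name_from_partition` tables, so the sysfs path appears to be untested. A spec that stubs `File.exist?` and `File.realpath` would cover three cases: a partition, a whole disk, and a missing `/sys/class/block` entry. The copied doc comment still carries the `/dev/nvme0n1p0 -> /dev/nvm0n1` typo, which should read `/dev/nvme0n1`. The method also uses bare `File` where the neighbouring code in this file writes `::File`, and it should state in its comment that the input is returned unchanged when the sysfs entry or its `partition` file is absent.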
@@ -159,6 +159,8 @@ '/dev/md0p1' => '/dev/md0', '/dev/nvme0n1p0' => '/dev/nvme0n1', '/dev/nvme1n2p1' => '/dev/nvme1n2', + '/dev/loop0p1' => '/dev/loop0', + '/dev/ram0p1' => '/dev/ram0', '/dev/something0p0' => '/dev/something0', }.each do |part, dev| expect(FB::Storage.device_name_from_partition(part)). @@ -172,6 +174,9 @@ { '/dev/md0' => '/dev/md0', '/dev/nvme0n1' => '/dev/nvme0n1', + '/dev/loop0' => '/dev/loop0', + '/dev/ram0' => '/dev/ram0', + '/dev/sr0' => '/dev/sr0', }.each do |part, dev| expect(FB::Storage.device_name_from_partition(part)). to eq(dev) From b40e3976ba4b3101f4a8695406040bbe2ed8fb9c Mon Sep 17 00:00:00 2001 From: David Crosby Date: Wed, 17 May 2023 13:28:50 -0700 Subject: [PATCH 035/188] Remove Rubocop 0.55 shim Summary: Once https://github.com/facebook/between-meals/pull/127 and https://github.com/facebook/grocery-delivery/pull/66 have been merged, this version shim can go. We now take an allowlist-based approach with 1.3.1+, so shouldn't need new shims going forward. Differential Revision: D45874516 fbshipit-source-id: 15f5d7977dcdb5a426d38cc841a6d54c670b2133 --- .rubocop_55.yml | 220 ------------------------------------------------ 1 file changed, 220 deletions(-) delete mode 100644 .rubocop_55.yml diff --git a/.rubocop_55.yml b/.rubocop_55.yml deleted file mode 100644 index 2e46fcbf0..000000000 --- a/.rubocop_55.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -AllCops: - TargetRubyVersion: 2.4 - Exclude: - # template files named `rb` instead of `erb` are a sin against ruby-nature. - - '**/templates/**/*.rb'# - -Layout/DotPosition: - EnforcedStyle: trailing - -# enforce lf to avoid failures on Windows systems -Layout/EndOfLine: - EnforcedStyle: lf - -Layout/IndentArray: - EnforcedStyle: consistent - -# This recommends using external gems to parse heredocs -Layout/IndentHeredoc: - Enabled: false - -# disabling until corrected in core -Layout/MultilineOperationIndentation: - Enabled: false - EnforcedStyle: indented - -# no, we're not putting parens around `lazy` -Lint/AmbiguousBlockAssociation: - Enabled: false - -Metrics/AbcSize: - Enabled: false - -Metrics/BlockLength: - Enabled: false - -# Unrealistic -Metrics/BlockNesting: - Enabled: false - -Metrics/ClassLength: - Enabled: false - -Metrics/CyclomaticComplexity: - Enabled: false - -Metrics/LineLength: - Max: 80 - -Metrics/MethodLength: - Enabled: false - -Metrics/ModuleLength: - Enabled: false - -# I don't know what it's metric for "human complexity" is, but it's wrong. -Metrics/PerceivedComplexity: - Enabled: false - -# this trips on *any* method called 'get_*' wtf. 
-Naming/AccessorMethodName: - Enabled: false - -# This blows up on things like base_packages-redhat -Naming/FileName: - Enabled: false - -# Heredocs are fine with "EOF" -Naming/HeredocDelimiterNaming: - Enabled: false - -# re-evaluate after upgrade to chef workstation, is highly configurable -# fires on methods with short args: def foo(k, v, i) -Naming/UncommunicativeMethodParamName: - Enabled: false - -# no autocorrection -Naming/VariableNumber: - Enabled: false - -# This results in very confusing code to read with little perf benefit -Performance/Casecmp: - Enabled: false - -# buggy: https://github.com/bbatsov/rubocop/issues/2639 -Performance/RedundantMatch: - Enabled: false - -# https://github.com/bbatsov/rubocop/issues/2676 -# appears to be fixed in v61: https://github.com/rubocop-hq/rubocop/pull/6547 -Performance/RedundantMerge: - Enabled: false - -# disable until we upgrade chef solo to chef 13. Otherwise people will be told -# to use a method that doesn't exist in the verison of ruby in solo -Performance/RegexpMatch: - Enabled: false - -# We'll .times.map all we want. -Performance/TimesMap: - Enabled: false - -# Disabled because of the way 'variables' works. -# removed in v80 https://github.com/rubocop-hq/rubocop/pull/7643 -Style/BracesAroundHashParameters: - Enabled: false - -Style/CommentAnnotation: - Enabled: false - -# Bug with constants? 
https://phabricator.fb.com/P56108678 -Style/ConditionalAssignment: - Enabled: false - -# this is disabled by default in v59 so am just disabling it now -# https://github.com/rubocop-hq/rubocop/pull/6189 -Style/DateTime: - Enabled: false - -Style/Documentation: - Enabled: false - -Style/Encoding: - Enabled: false - -Style/FormatStringToken: - Enabled: false - -# This comes with changing the ruby target to 2.3+ -Style/FrozenStringLiteralComment: - Enabled: false - -# guardclause sacrifices ease of readability for consistency at times -Style/GuardClause: - Enabled: false - -Style/HashSyntax: - EnforcedStyle: hash_rockets - -# compact code is nice, but this is actually harder to read for new users -Style/IfUnlessModifier: - Enabled: false - -# backslash is extra dumb in ruby, we want the OPPOSITE of this rule -Style/LineEndConcatenation: - Enabled: false - -# autocorrection in v86 https://github.com/rubocop-hq/rubocop/pull/8148 -Style/MultilineTernaryOperator: - Enabled: false - -# So just keep iterating instead of breaking? wtf. 
-Style/Next: - Enabled: false - -Style/NumericLiteralPrefix: - Enabled: false - -# Underscores in numbers are unnecessary, especially for port numbers where -# they are unexpected -Style/NumericLiterals: - Enabled: false - -# The autocorrect of this one isn't safe, and since using -# numeric predicts may be more or less readable than comparisons -# depending on the code, bugging people about this when we can't -# autocorrect it doesn't seem worth the hassle for our customers -Style/NumericPredicate: - Enabled: false - -Style/PercentLiteralDelimiters: - PreferredDelimiters: - '%': '{}' - '%i': '{}' - '%I': '{}' - '%q': '{}' - '%Q': '{}' - '%r': '{}' - '%s': '{}' - '%w': '{}' - '%W': '{}' - '%x': '{}' - -# TODO: re-evaluate this for performance impacts -Style/PerlBackrefs: - Enabled: false - -Style/RedundantReturn: - Enabled: false - -Style/RedundantSelf: - Enabled: false - -Style/RegexpLiteral: - EnforcedStyle: mixed - -# enable after v72 where many dangerous autocorrect bugs were corrected -Style/SafeNavigation: - Enabled: false - -Style/SignalException: - EnforcedStyle: semantic - -# It would forbid action [:enable, :start] -# in v66 we can specify brackets for enforced style with autocorrect -# https://github.com/rubocop-hq/rubocop/pull/6802 -Style/SymbolArray: - Enabled: false - -Style/TrailingCommaInArguments: - EnforcedStyleForMultiline: comma - -Style/TrailingCommaInArrayLiteral: - EnforcedStyleForMultiline: comma - -Style/TrailingCommaInHashLiteral: - EnforcedStyleForMultiline: comma - -# TODO: convert the codebase to enable this -Style/WordArray: - Enabled: false From 58bbbe897bfbee0738d06220b902c446d76580b7 Mon Sep 17 00:00:00 2001 
From: David Crosby Date: Wed, 17 May 2023 17:20:08 -0700 Subject: [PATCH 036/188] Bump TargetChefVersion to 14.15.6 Summary: This enables the following cops: - Chef/Deprecations/DeprecatedShelloutMethods - Chef/Deprecations/WindowsVersionHelpers - Chef/Modernize/UnnecessaryDependsChef14 - Chef/Modernize/CronDFileOrTemplate - Chef/Modernize/CronManageResource - Chef/Modernize/ExecuteScExe - Chef/Modernize/ExecuteSysctl - Chef/Modernize/ExecuteTzUtil - Chef/Modernize/MacOsXUserdefaults - Chef/Modernize/OpensslRsaKeyResource - Chef/Modernize/OpensslX509Resource - Chef/Modernize/PowershellInstallWindowsFeature - Chef/Modernize/WindowsScResource - Chef/Modernize/SysctlParamResource Differential Revision: D45967167 fbshipit-source-id: 9491a32ca63b6256f4cb9c54e805a092e110f00a --- .cookstyle.yml | 2 +- cookbooks/fb_sysstat/recipes/cron.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.cookstyle.yml b/.cookstyle.yml index aca8126e4..02c90fc65 100644 --- a/.cookstyle.yml +++ b/.cookstyle.yml @@ -5,7 +5,7 @@ AllCops: # new cops and make upgrades easier (ie not dealing with a bunch of noise # each Cookstyle update) DisabledByDefault: true - TargetChefVersion: 13.10.0 + TargetChefVersion: 14.15.6 Chef/Correctness/BlockGuardWithOnlyString: Enabled: true diff --git a/cookbooks/fb_sysstat/recipes/cron.rb b/cookbooks/fb_sysstat/recipes/cron.rb index cd61cb012..e2b2807fc 100644 --- a/cookbooks/fb_sysstat/recipes/cron.rb +++ b/cookbooks/fb_sysstat/recipes/cron.rb @@ -56,6 +56,6 @@ # the sa[12] commands here trample on those defined in the # sysstat_accounting_[12] jobs -file '/etc/cron.d/sysstat' do +file '/etc/cron.d/sysstat' do # rubocop:disable Chef/Modernize/CronDFileOrTemplate action :delete end From eca119d81304acb5cd79d2e3341c09a68ffa68e3 Mon Sep 17 00:00:00 2001 
From: Matteo Croce Date: Thu, 18 May 2023 16:05:19 -0700 Subject: [PATCH 037/188] fix wrong Chef/Meta/NoFileWrites warning Summary: fix wrong Chef/Meta/NoFileWrites warning Differential Revision: D45910895 fbshipit-source-id: 4148e8a4e469a7a61aad743b4496d16457ee7c4c --- cookbooks/fb_storage/libraries/storage.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_storage/libraries/storage.rb b/cookbooks/fb_storage/libraries/storage.rb index e18ae08ff..ae75954b3 100644 --- a/cookbooks/fb_storage/libraries/storage.rb +++ b/cookbooks/fb_storage/libraries/storage.rb @@ -502,7 +502,7 @@ def self.write_out_disk_order(disks, version = 2) fail 'fb_storage: Unknown persistent disk format ' + "specified: #{version}" end - File.open(PREVIOUS_DISK_ORDER, 'w') do |fd| # ~FB030 + File.open(PREVIOUS_DISK_ORDER, 'w') do |fd| # rubocop:disable Chef/Meta/NoFileWrites Chef::Log.debug('fb_storage: Writing out disk order') fd.write(JSON.generate(data)) end From a940d8d2c38ff49f38fada0ad63d7f86579e8477 Mon Sep 17 00:00:00 2001 From: Paola Quevedo Date: Mon, 22 May 2023 10:51:19 -0700 Subject: [PATCH 038/188] Add helper function to check for arista os version Summary: Differential Revision: D45922721 fbshipit-source-id: 5da1d74b71e751f91ec8cfaa92c1c2397dadb7b2 --- cookbooks/fb_helpers/README.md | 3 +++ cookbooks/fb_helpers/libraries/node_methods.rb | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/cookbooks/fb_helpers/README.md b/cookbooks/fb_helpers/README.md index 26bd8f332..fb91153e0 100644 --- a/cookbooks/fb_helpers/README.md +++ b/cookbooks/fb_helpers/README.md @@ -216,6 +216,9 @@ your node. * `node.aristaeos?` Is network switch running Arista EOS +* `node.aristaeos_4_28_or_newer?` + Is network switch running Arista EOS and OS version is 4.28 or newer + * `node.embedded?` Is embedded Linux, implies 'node.aristaeos?'. These devices likely have minimal packages installed, little space, and/or some non-persistent 
diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index 34905828f..8daf4b9ec 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -467,6 +467,10 @@ def aristaeos? self['platform'] == 'arista_eos' end + def aristaeos_4_28_or_newer? + self.aristaeos? && FB::Version.new(self['platform_version']) >= FB::Version.new('4.28') + end + def embedded? self.aristaeos? end From a4e3a60294eb7db34f61b536e92a11572160934f Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 31 May 2023 13:20:14 -0700 Subject: [PATCH 039/188] fb_fstab: stop setting up bpf mount point via fb_fstab Summary: systemd has automatically mounted /sys/fs/bpf for many years, such that there's no need to mount it via other means, so update fb_fstab to not automatically unmount it. Differential Revision: D46297493 fbshipit-source-id: 315a81c2e774ba4e06227d975f3ea4d8d4dc6601 --- cookbooks/fb_fstab/attributes/default.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/fb_fstab/attributes/default.rb b/cookbooks/fb_fstab/attributes/default.rb index ecb9f0447..08e7bdfa1 100644 --- a/cookbooks/fb_fstab/attributes/default.rb +++ b/cookbooks/fb_fstab/attributes/default.rb @@ -67,6 +67,7 @@ # Core OS stuff to never umount... '/dev/shm', '/run', + '/sys/fs/bpf', '/sys/fs/cgroup', '/sys/fs/selinux', # Debian-isms From 54065b2cb1ef248aea1130f4b038312acc3d7255 Mon Sep 17 00:00:00 2001 
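Review bot: `aristaeos_4_28_or_newer?` is added without a spec, since the diffstat lists only the README and `node_methods.rb`. The comparison depends on how `FB::Version` parses `self['platform_version']`, which is not visible here. EOS release strings can carry a trailing letter (for example a form like `4.28.3M`), so a spec should pin the result for one value below 4.28, one equal to it and one suffixed value above it. A one-line comment such as `# true only on Arista EOS with platform_version >= 4.28` would match the README entry.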
From: Jaymz Julian Date: Thu, 1 Jun 2023 10:18:05 -0700 Subject: [PATCH 040/188] Deal with stop_pending state on fluentbit Summary: This causes a bunch of chef errors, because the chef windows_service resource is not smart enough to wait for `stop pending` to complete before starting a service, and the fluentbit restart script does a background restart rather than a foreground one, causing this to fall over randomly on a small percentage of nodes. Becasuse we know it's coming back in that case, we can just defer doing this until the next run if the service is in that state Differential Revision: D46238248 fbshipit-source-id: 5b70fbb6250abe509295fe43067903fbeab4d6d0 --- .../fb_fluentbit/recipes/fluent-bit_default.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb b/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb index bfab4b54c..a501f6a43 100644 --- a/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb +++ b/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb 
@@ -144,9 +144,24 @@ action :nothing end + # We've seen a bunch of chef failures around the next part failing because something + # notified the service, but the service comes back in stop pending... this is because the + # custom restart command doens't actually wait for the service to stop, presumably by design. + # In fluentd, this was worked around by just killing it with fire if we got here, which... + # isn't great. Normally how we'd handle this, is by putting a bunch of retries on the service + # start, but that's also not great because sometimes the service _does_ fail, at which point + # you're waiting minutes for a chef error... but we _also_ know that if we're in stop_pending, + # the service _was_ up,a nd is coming from a restart command, and hence the service _will_ + # be up again, so we can just not do this in that case... at the very worst, it'll pick + # up next chef run, but that situation should never actually happen, and in reality it should + # always come back. windows_service 'Keep Fluentbit Active' do service_name 'FluentBit' only_if { node['fb_fluentbit']['keep_alive'] } + not_if do + !::Win32::Service.exists?('fluentbit') || + ::Win32::Service.status('fluentbit').current_state.downcase == 'stop pending' + end action [:enable, :start] end else From 18d346aafc30d5d285f8959c0a424911c87ccb6a Mon Sep 17 00:00:00 2001 
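Review bot: The new `not_if` skips both `:enable` and `:start` without any log line when the service is missing or in `stop pending`, so a node where FluentBit never comes back looks the same in the Chef output as a healthy one. Emit a message from the guard before returning true, for example `Chef::Log.warn('fb_fluentbit: FluentBit missing or stop pending, deferring start')`. The guard also spells the service `'fluentbit'` twice while `service_name` is `'FluentBit'`; a single local for the name would keep them from drifting. The explanatory comment has two typos ("doens't", "up,a nd"), and the enclosing conditional starts outside this hunk.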
From: My Tran Date: Thu, 1 Jun 2023 15:42:17 -0700 Subject: [PATCH 041/188] Allow mount point exclusions by regex Summary: The `.snapshot` directory on the NetApp is a special directory that only gets mounted when its accessed. Since we have `enable_unmount=true`, Chef will attempt to unmount the volume and fail if its in use. Currently we can only ignore by prefix, I decided to add an ignore by regex to give a bit more control vs doing something an include. Differential Revision: D46297189 fbshipit-source-id: 4e5c614218c271d5c8df9883cb754faf0e5abd91 --- cookbooks/fb_fstab/README.md | 1 + cookbooks/fb_fstab/attributes/default.rb | 1 + cookbooks/fb_fstab/libraries/provider.rb | 10 +++ cookbooks/fb_fstab/spec/public_spec.rb | 104 +++++++++++++++++++++++ 4 files changed, 116 insertions(+) diff --git a/cookbooks/fb_fstab/README.md b/cookbooks/fb_fstab/README.md index 8ec9ae2ae..19c0b746e 100644 --- a/cookbooks/fb_fstab/README.md +++ b/cookbooks/fb_fstab/README.md @@ -18,6 +18,7 @@ Attributes * node['fb_fstab']['umount_ignores']['types'] * node['fb_fstab']['umount_ignores']['mount_points'] * node['fb_fstab']['umount_ignores']['mount_point_prefixes'] +* node['fb_fstab']['umount_ignores']['mount_point_regexes'] * node['fb_fstab']['umount_delete_empty_mountdir'] * node['fb_fstab']['mounts'][$NAME]['device'] * node['fb_fstab']['mounts'][$NAME]['mount_point'] diff --git a/cookbooks/fb_fstab/attributes/default.rb b/cookbooks/fb_fstab/attributes/default.rb index 08e7bdfa1..ad80bd844 100644 --- a/cookbooks/fb_fstab/attributes/default.rb +++ b/cookbooks/fb_fstab/attributes/default.rb @@ -81,6 +81,7 @@ 'mount_point_prefixes' => [ '/run/user', ], + 'mount_point_regexes' => [], }, 'type_normalization_map' => { # Gluster is mounted as '-t gluster', but shows up as 'fuse.gluster' diff --git a/cookbooks/fb_fstab/libraries/provider.rb b/cookbooks/fb_fstab/libraries/provider.rb index 7afa6d313..e34059781 100644 --- a/cookbooks/fb_fstab/libraries/provider.rb 
+++ b/cookbooks/fb_fstab/libraries/provider.rb @@ -279,6 +279,8 @@ def check_unwanted_filesystems node['fb_fstab']['umount_ignores']['mount_points'].dup mount_prefixes_to_skip = node['fb_fstab']['umount_ignores']['mount_point_prefixes'].dup + mount_regexes_to_skip = + node['fb_fstab']['umount_ignores']['mount_point_regexes'].dup fstypes_to_skip = node['fb_fstab']['umount_ignores']['types'].dup base_mounts = get_unmasked_base_mounts(:hash) @@ -341,6 +343,14 @@ def check_unwanted_filesystems "(#{mounted_data['mount']}) - exempted mount_point prefix", ) next + elsif mount_regexes_to_skip.any? do |i| + mounted_data['mount'] =~ /#{i}/ + end + Chef::Log.debug( + "fb_fstab: Skipping umount check for #{mounted_data['device']} " + + "(#{mounted_data['mount']}) - exempted mount_point regex", + ) + next end # Is this device in our list of desired mounts? diff --git a/cookbooks/fb_fstab/spec/public_spec.rb b/cookbooks/fb_fstab/spec/public_spec.rb index b8582a973..f5e68c551 100644 --- a/cookbooks/fb_fstab/spec/public_spec.rb +++ b/cookbooks/fb_fstab/spec/public_spec.rb 
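Review bot: Each `mount_point_regexes` entry is interpolated into `/#{i}/` and matched unanchored in `check_unwanted_filesystems`, so a short pattern exempts every mount point that merely contains that text from the umount check. A malformed entry also raises RegexpError partway through the loop. The README hunk adds only the attribute name; it should say that entries are Ruby regex sources matched anywhere in the mount point and recommend anchoring with `\A` and `\z` (the spec's `^\/foo$` uses line anchors). Compiling once before the loop, e.g. `mount_regexes_to_skip = node['fb_fstab']['umount_ignores']['mount_point_regexes'].map { |i| Regexp.new(i) }`, would surface a bad pattern before any mount is examined. The method body extends beyond both hunks.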
@@ -1156,4 +1156,108 @@ expect(mount(desired_mount, [], [])).to eq(true) end end + + context 'check_unwanted_filesystems' do + base_contents = < { + 'device' => '/dev/sda1', + 'mount' => '/', + 'fs_type' => 'ext4', + }, + '/dev/sda2,/boot' => { + 'device' => '/dev/sda2', + 'mount' => '/boot', + 'fs_type' => 'ext3', + }, + '/dev/sda3,' => { + 'device' => '/dev/sda3', + 'fs_type' => 'swap', + }, + '/dev/sdb1,/foo' => { + 'device' => '/dev/sdb1', + 'mount' => '/foo', + 'fs_type' => 'xfs', + }, + } + node.default[attr_name]['by_device'] = { + '/dev/sda1' => { + 'mounts' => ['/'], + 'fs_type' => 'ext4', + 'label' => '/', + }, + '/dev/sda2' => { + 'mounts' => ['/boot'], + 'fs_type' => 'ext3', + 'label' => '/boot', + }, + '/dev/sda3' => { + 'fs_type' => 'swap', + 'label' => '/swap', + }, + '/dev/sdb1' => { + 'mounts' => ['/foo'], + 'fs_type' => 'xfs', + 'label' => '/foo', + }, + } + expect(File).to receive(:read).with(FB::Fstab::BASE_FILENAME). + and_return(base_contents) + end + + it 'should unmount unknown mounts' do + expect_any_instance_of(FB::FstabProvider).to receive(:converge_by).with('unmount /foo') + check_unwanted_filesystems + end + + it 'should not unmount ignored device prefixes' do + node.default['fb_fstab']['umount_ignores']['device_prefixes'] = ['/dev/sdb'] + expect_any_instance_of(FB::FstabProvider).not_to receive(:converge_by) + check_unwanted_filesystems + end + + it 'should not unmount ignored devices' do + node.default['fb_fstab']['umount_ignores']['devices'] = ['/dev/sdb1'] + expect_any_instance_of(FB::FstabProvider).not_to receive(:converge_by) + check_unwanted_filesystems + end + + it 'should not unmount ignored mount point prefixes' do + node.default['fb_fstab']['umount_ignores']['mount_point_prefixes'] = ['/fo'] + expect_any_instance_of(FB::FstabProvider).not_to receive(:converge_by) + check_unwanted_filesystems + end + + it 'should not unmount ignored mount point regexes' do + node.default['fb_fstab']['umount_ignores']['mount_point_regexes'] = 
['^\/foo$'] + expect_any_instance_of(FB::FstabProvider).not_to receive(:converge_by) + check_unwanted_filesystems + end + + it 'should not unmount ignored mount points' do + node.default['fb_fstab']['umount_ignores']['mount_points'] = ['/foo'] + expect_any_instance_of(FB::FstabProvider).not_to receive(:converge_by) + check_unwanted_filesystems + end + + it 'should not unmount ignored types' do + node.default['fb_fstab']['umount_ignores']['types'] = ['xfs'] + expect_any_instance_of(FB::FstabProvider).not_to receive(:converge_by) + check_unwanted_filesystems + end + end end From 7b252fcc372b4ac7f7b72382037b54f074466fb5 Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Mon, 12 Jun 2023 01:48:07 -0700 Subject: [PATCH 042/188] fb_systemd: add knob to control whether nspawn is installed Summary: nspawn is split into a subpackage in most distributions, add a knob to explicitly control whether it's installed Differential Revision: D46625711 fbshipit-source-id: ecdaa22e2eb671b0876ea58d14482117df1fe86e --- cookbooks/fb_systemd/README.md | 5 +++++ cookbooks/fb_systemd/attributes/default.rb | 3 +++ cookbooks/fb_systemd/recipes/default_packages.rb | 3 +++ 3 files changed, 11 insertions(+) diff --git a/cookbooks/fb_systemd/README.md b/cookbooks/fb_systemd/README.md index 17a1bdfff..81ebc2eb9 100644 --- a/cookbooks/fb_systemd/README.md +++ b/cookbooks/fb_systemd/README.md @@ -23,6 +23,7 @@ Attributes * node['fb_systemd']['logind']['config'] * node['fb_systemd']['networkd']['enable'] * node['fb_systemd']['networkd']['config'] +* node['fb_systemd']['nspawn']['enable'] * node['fb_systemd']['resolved']['enable'] * node['fb_systemd']['resolved']['enable_nss_resolve'] * node['fb_systemd']['resolved']['config'] 
@@ -302,6 +303,10 @@ to work, this is required, and it defaults to true. Logind can be configured using the `node['fb_systemd']['logind']['config']` attribute, according to the [logind documentation](https://www.freedesktop.org/software/systemd/man/logind.conf.html). +### nspawn configuration +You can choose whether or not to enable `systemd-nspawn` with the +`node['fb_systemd']['nspawn']['enable']` attribute, which defaults to `false`. + ### networkd configuration You can choose whether or not to enable `systemd-networkd` with the `node['fb_systemd']['networkd']['enable']` attribute, which defaults to `false`. diff --git a/cookbooks/fb_systemd/attributes/default.rb b/cookbooks/fb_systemd/attributes/default.rb index 4f38795b9..431893a2b 100644 --- a/cookbooks/fb_systemd/attributes/default.rb +++ b/cookbooks/fb_systemd/attributes/default.rb @@ -114,6 +114,9 @@ 'use_networkd_socket_with_networkd' => false, 'config' => {}, }, + 'nspawn' => { + 'enable' => false, + }, 'resolved' => { 'enable' => enable_resolved, 'enable_nss_resolve' => enable_nss_resolve, diff --git a/cookbooks/fb_systemd/recipes/default_packages.rb b/cookbooks/fb_systemd/recipes/default_packages.rb index a532572b3..940f56f8b 100644 --- a/cookbooks/fb_systemd/recipes/default_packages.rb +++ b/cookbooks/fb_systemd/recipes/default_packages.rb @@ -69,6 +69,9 @@ if node['fb_systemd']['resolved']['enable'] && has_split_rpms systemd_packages << 'systemd-resolved' end + if node['fb_systemd']['nspawn']['enable'] && has_split_rpms + systemd_packages << 'systemd-container' + end end systemd_packages } From 1e44fe639e4e7345de6da55ab5667ec78ddaab95 Mon Sep 17 00:00:00 2001 
From: David Crosby Date: Wed, 14 Jun 2023 05:01:18 -0700 Subject: [PATCH 043/188] Report to build dot file of cookbook dependencies Summary: A quick way to visualize cookbook dependency graph Differential Revision: D46596467 fbshipit-source-id: 051ebeab21d2871fe9bbdff224d08d443edc87d2 --- .../bookworm/reports/CookbookDependencyDot.rb | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 cookbooks/fb_bookworm/files/default/bookworm/reports/CookbookDependencyDot.rb diff --git a/cookbooks/fb_bookworm/files/default/bookworm/reports/CookbookDependencyDot.rb b/cookbooks/fb_bookworm/files/default/bookworm/reports/CookbookDependencyDot.rb new file mode 100644 index 000000000..9a155b3ee --- /dev/null +++ b/cookbooks/fb_bookworm/files/default/bookworm/reports/CookbookDependencyDot.rb @@ -0,0 +1,30 @@ +# Copyright (c) 2023-present, Meta, Inc. +# All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +description 'Determine cookbook dependencies from cookbook metadata.rb, output to Dot language' +needs_rules ['ExplicitMetadataDepends'] + +def to_s + cookbook_deps = [] + @kb.metadatarbs.each do |x, metadata| + metadata['ExplicitMetadataDepends'].each do |cb| + cookbook_deps << [x.gsub(/:.*/, ''), cb] + end + end + "digraph deps {\n#{cookbook_deps.map { |arr| arr.join('->') }.join("\n")}\n}" +end + +def output + to_s +end From 073e35c2fad87747424f83e205dcca187fc18842 Mon Sep 17 00:00:00 2001 
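Review bot: `to_s` writes cookbook names into the DOT output as bare identifiers, so a name containing `-` or `.` from a metadata.rb produces a graph that Graphviz cannot parse. Quote both ends of each edge, for example `cookbook_deps.map { |arr| arr.map { |n| "\"#{n}\"" }.join(' -> ') }`. A short comment on `to_s` should also explain that `x.gsub(/:.*/, '')` strips everything after the first colon of the knowledge-base key; the key format is not visible in this file.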
From: Anita Zhang Date: Wed, 21 Jun 2023 05:33:31 -0700 Subject: [PATCH 044/188] fb_networking_settings/fb_fboss: helper+fix to make VLAN w/ networkd (and use it) Summary: Adds a helper function that will configure VLAN for network-scripts and systemd-networkd. For some reason, the netdev was only added after systemd-networkd restarts (i.e. `networkctl reload` did not work). This case was added to fb_networkd. Differential Revision: D46560287 fbshipit-source-id: d5089b428f250f0840270cd2fdc22bd8d999ceb8 --- cookbooks/fb_networkd/resources/default.rb | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cookbooks/fb_networkd/resources/default.rb b/cookbooks/fb_networkd/resources/default.rb index 1d44e4cfd..a1ca473c8 100644 --- a/cookbooks/fb_networkd/resources/default.rb +++ b/cookbooks/fb_networkd/resources/default.rb @@ -233,6 +233,7 @@ end node['fb_networkd']['devices'].each do |name, defconf| + restart_for_new_vlan = false conf = defconf.dup conf['name'] = name @@ -273,6 +274,13 @@ ) notifies :run, 'execute[networkctl reload]', :immediately notifies :run, "execute[networkctl reconfigure #{conf['name']}]" + + # If we are making a new VLAN, we must restart systemd-networkd for it to + # be created. Detect this case and set the restart flag. + if !on_host_networks.include?(conffile) && + conf['config']['NetDev']['Kind'] == 'vlan' + restart_for_new_vlan = true + end end # This file is actively managed and already exists on the host so remove it @@ -291,6 +299,10 @@ conflicting_netdevs.each do |path| on_host_netdevs.delete(path) + # This was managed under a different file name so don't restart + # systemd-networkd. + restart_for_new_vlan = false + file path do only_if { node.interface_change_allowed?(conf['name']) } owner node.root_user @@ -305,6 +317,8 @@ FB::Helpers._request_nw_changes_permission(run_context, new_resource) end end + + restart_networkd ||= restart_for_new_vlan end # For each remaining file, check if we can make network changes on the 
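Review bot: The new-VLAN check tests `on_host_networks.include?(conffile)`, but this is the loop over `node['fb_networkd']['devices']` and a later hunk tracks these files in `on_host_netdevs`. If `conffile` here is the `.netdev` path, it can never be in `on_host_networks`, so `restart_for_new_vlan` would be set on every run for every VLAN device and systemd-networkd restarted each time. The condition probably wants `!on_host_netdevs.include?(conffile) &&`. The flag is also set when the block is evaluated, whether or not the file write is later permitted or changes anything. `conf['config']['NetDev']['Kind']` assumes a `NetDev` section exists; `conf.dig('config', 'NetDev', 'Kind') == 'vlan'` avoids a nil error. The enclosing action starts and ends outside these hunks, so this should be confirmed against the full file.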
From 6e7a2a5f20f588041c736b555aa7a1d7f7554037 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Fri, 23 Jun 2023 02:06:00 -0700 Subject: [PATCH 045/188] bump TargetRubyVersion to 2.5 Differential Revision: D46901582 fbshipit-source-id: 71d44f678e4717976f3fdc11b991ebf137acc70f --- .rubocop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.rubocop.yml b/.rubocop.yml index fef6c4659..3856d7603 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,6 +1,6 @@ AllCops: DisabledByDefault: true - TargetRubyVersion: 2.4 + TargetRubyVersion: 2.5 Exclude: # template files named `rb` instead of `erb` are a sin against ruby-nature. - '**/templates/**/*.rb'# From f933c4518b365d3c40fa767e90bf5d4d2ae7787e Mon Sep 17 00:00:00 2001 
From: Marlon Jacques Date: Tue, 27 Jun 2023 13:44:58 -0700 Subject: [PATCH 046/188] Delete fb_smartctl cookbook Summary: **Internal:** With the cleanup of removing `/opt/homebrew`, this helps removes the symlink to the path since it no longer exists. This gets rid of the need for the symlink of `/opt/homebrew/bin/smartctl` plus gets rid of the 2014 Mac Mini hardware. There shouldn't have any (CPE-specific) use case for 2014 mac minis, so any code explicitly targeting them is almost certainly a safe candidate for summary removal. As someone once stated, "*they should be lovingly and affectionately hit with a blackjack and have it confiscated. :)*" Plus, `fb_macos_shared::smartmontools` recipe already handles the nix version of this tool, making this cookbook redundant. Differential Revision: D46707384 fbshipit-source-id: c6475554f3c878270fa760a9b4ad8df377d532d3 --- cookbooks/fb_smartctl/README.md | 14 ------ cookbooks/fb_smartctl/metadata.rb | 10 ---- cookbooks/fb_smartctl/recipes/default.rb | 23 --------- cookbooks/fb_smartctl/recipes/osx.rb | 61 ------------------------ 4 files changed, 108 deletions(-) delete mode 100644 cookbooks/fb_smartctl/README.md delete mode 100644 cookbooks/fb_smartctl/metadata.rb delete mode 100644 cookbooks/fb_smartctl/recipes/default.rb delete mode 100644 cookbooks/fb_smartctl/recipes/osx.rb diff --git a/cookbooks/fb_smartctl/README.md b/cookbooks/fb_smartctl/README.md deleted file mode 100644 index 74246a64d..000000000 --- a/cookbooks/fb_smartctl/README.md +++ /dev/null @@ -1,14 +0,0 @@ -fb_smartctl Cookbook -==================== -Installs/configures smartmon-tools which includes smartctl. osquery relies -on smartctl for some counters - -Requirements ------------- - -Attributes ----------- - -Usage ------ -Include `fb_smartctl` in your runlist. diff --git a/cookbooks/fb_smartctl/metadata.rb b/cookbooks/fb_smartctl/metadata.rb deleted file mode 100644 index 6db0c88e7..000000000 --- a/cookbooks/fb_smartctl/metadata.rb +++ /dev/null 
@@ -1,10 +0,0 @@ -# Copyright (c) 2021-present, Facebook, Inc. -name 'fb_smartctl' -maintainer 'Facebook' -maintainer_email 'noreply@facebook.com' -source_url 'https://github.com/facebook/chef-cookbooks/' -license 'Apache-2.0' -description 'Smartctl install and configuration' -version '0.0.1' -depends 'fb_helpers' -supports 'mac_os_x' diff --git a/cookbooks/fb_smartctl/recipes/default.rb b/cookbooks/fb_smartctl/recipes/default.rb deleted file mode 100644 index 7b31913ee..000000000 --- a/cookbooks/fb_smartctl/recipes/default.rb +++ /dev/null @@ -1,23 +0,0 @@ -# -# Cookbook Name:: fb_smartctl -# Recipe:: default -# -# Copyright (c) 2021-present, Facebook, Inc. -# All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -if node.macos? - include_recipe 'fb_smartctl::osx' -end diff --git a/cookbooks/fb_smartctl/recipes/osx.rb b/cookbooks/fb_smartctl/recipes/osx.rb deleted file mode 100644 index 2583c9a6a..000000000 --- a/cookbooks/fb_smartctl/recipes/osx.rb +++ /dev/null 
@@ -1,61 +0,0 @@ -# -# Cookbook Name:: fb_smartctl -# Recipe:: osx -# -# Copyright (c) 2021-present, Facebook, Inc. -# All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -smartmon_version = '7.2' -smartmon_hash = 'd11fk14ygy2cfyz4xijds2w4y0bx43s3' - -# Cleanup the old brew2rpm version -package 'smartmontools' do - action :remove -end - -# Install the nix2rpm version of smartmontools -package "nix2rpm-smartmontools-#{smartmon_version}-#{smartmon_hash}" do - action :upgrade -end - -smartctl_path = ::File.join( - '/opt/facebook/nix/store', - "#{smartmon_hash}-smartmontools-#{smartmon_version}", - 'bin', - 'smartctl', -) - -# Backwards compatibility -link '/opt/homebrew/bin/smartctl' do - to smartctl_path -end - -# This is what tools SHOULD use -link '/usr/local/bin/smartctl' do - to smartctl_path -end - -# On 2014 Mac Minis, SMART has to be enabled -execute 'enable smartctl' do - only_if { node.mac_mini_2014? } - only_if do - # So far this holds for OSX but the disk will probably be an attribute later - s = Mixlib::ShellOut.new("#{smartctl_path} -a disk0") - s.run_command - s.stdout[/SMART support is:\s+(Enabled|Disabled)/, 1] == 'Disabled' - end - command "#{smartctl_path} -s on disk0" -end From 7cbfb039b3e83b4c2426763bf963d5ea8eb19d27 Mon Sep 17 00:00:00 2001 
From: David Crosby Date: Tue, 4 Jul 2023 14:40:09 -0700 Subject: [PATCH 047/188] Fix Rubocop lints Summary: Internal linter didn't fire on this in D43891262, breaking OSS CI. Differential Revision: D47217370 fbshipit-source-id: b506e7d22a34ae6be2468b768c95e554afe04483 --- .../files/default/bookworm/bookworm.rb | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/cookbooks/fb_bookworm/files/default/bookworm/bookworm.rb b/cookbooks/fb_bookworm/files/default/bookworm/bookworm.rb index 6fa7d41cc..56e3b7264 100755 --- a/cookbooks/fb_bookworm/files/default/bookworm/bookworm.rb +++ b/cookbooks/fb_bookworm/files/default/bookworm/bookworm.rb @@ -227,12 +227,12 @@ def generate_report def load_classes_for_report @report_src_dirs.each do |d| - begin - Bookworm.load_report_class @report_name, :dir => d - break - rescue Bookworm::ClassLoadError - # puts "Unable to load report #{report_name}, take a look at bookworm --list-reports\n\n" - end + + Bookworm.load_report_class @report_name, :dir => d + break + rescue Bookworm::ClassLoadError + # puts "Unable to load report #{report_name}, take a look at bookworm --list-reports\n\n" + end unless Bookworm::Reports.const_defined?(@report_name.to_sym) cli_fail "Unable to load report #{@report_name}, take a look at bookworm --list-reports" @@ -245,12 +245,12 @@ def load_classes_for_report @rules = Bookworm.get_report_rules(@report_name) @rules.each do |rule| @rule_src_dirs.each do |d| - begin - Bookworm.load_rule_class rule, :dir => d - break - rescue Bookworm::ClassLoadError - # puts "Unable to load rule #{rule}, take a look at bookworm --list-rules\n\n" - end + + Bookworm.load_rule_class rule, :dir => d + break + rescue Bookworm::ClassLoadError + # puts "Unable to load rule #{rule}, take a look at bookworm --list-rules\n\n" + end unless Bookworm::InferRules.const_defined?(rule.to_sym) cli_fail "Unable to load rule #{rule}, take a look at bookworm --list-rules" 
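Review bot: Both rewritten loops in `load_classes_for_report` now put `rescue` directly inside a `do`/`end` block, which only parses on Ruby 2.5 or newer, and each appears to keep an added empty line right after `do |d|`. That matches the `TargetRubyVersion: 2.5` bump earlier in this series, but bookworm.rb ships under `files/default` and presumably runs with whatever interpreter the host provides, so a comment near the top stating the minimum Ruby would help. The rescue bodies still hold only a commented-out `puts`; a why-comment such as `# not found in this directory; try the next one` would explain the deliberate swallow. The same applies to the `@rule_src_dirs.each` loop in the second hunk.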
From 4e7e6e153b75a5bebe7af64fa2862cd0d3c5c653 Mon Sep 17 00:00:00 2001 From: Olivier Raginel Date: Mon, 10 Jul 2023 16:55:28 -0700 Subject: [PATCH 048/188] Cleanup uses of FB031 Summary: This has been migrated off foodcritic to rubocop Differential Revision: D47346023 fbshipit-source-id: 8485a3a3d002311f4dd379ac0b01d2b545c2e9cf --- cookbooks/fb_choco/resources/fb_choco_bootstrap.rb | 2 +- cookbooks/fb_chrony/recipes/default.rb | 2 +- cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb | 6 +++--- cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb | 6 +++--- cookbooks/fb_grub/recipes/config.rb | 4 ++-- cookbooks/fb_kernel/resources/bls_entries.rb | 2 +- cookbooks/fb_networkd/resources/default.rb | 6 +++--- .../fb_powershell/resources/fb_powershell_apply_config.rb | 2 +- cookbooks/fb_stunnel/recipes/default.rb | 2 +- cookbooks/fb_yum_repos/resources/default.rb | 2 +- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/cookbooks/fb_choco/resources/fb_choco_bootstrap.rb b/cookbooks/fb_choco/resources/fb_choco_bootstrap.rb index 3d41db557..721ffbe1e 100644 --- a/cookbooks/fb_choco/resources/fb_choco_bootstrap.rb +++ b/cookbooks/fb_choco/resources/fb_choco_bootstrap.rb @@ -74,7 +74,7 @@ def run_bootstrap_script node['fb_choco']['bootstrap']['use_windows_compression'].to_s, } - cookbook_file 'chocolatey_install script' do # ~FB031 + cookbook_file 'chocolatey_install script' do path choco_install_ps1 source 'choco_install/install.ps1' owner 'Administrators' diff --git a/cookbooks/fb_chrony/recipes/default.rb b/cookbooks/fb_chrony/recipes/default.rb index 76901f056..d2d68ff11 100644 --- a/cookbooks/fb_chrony/recipes/default.rb +++ b/cookbooks/fb_chrony/recipes/default.rb @@ -41,7 +41,7 @@ mode '0750' end -template 'chrony.conf' do # ~FB031 +template 'chrony.conf' do path chrony_conf source 'chrony.conf.erb' owner 'root' 
diff --git a/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb b/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb index a501f6a43..eb1962752 100644 --- a/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb +++ b/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb @@ -74,7 +74,7 @@ include_recipe 'fb_fluentbit::fluent-bit_rhel' if node.rhel_family? include_recipe 'fb_fluentbit::fluent-bit_windows' if node.windows? -template 'plugins config' do # ~FB031 +template 'plugins config' do action :create source 'plugins.conf.erb' path plugins_file_path @@ -89,7 +89,7 @@ end end -template 'parsers config' do # ~FB031 +template 'parsers config' do action :create source 'parsers.conf.erb' path parsers_file_path @@ -120,7 +120,7 @@ end end -template 'local config' do # ~FB031 +template 'local config' do not_if { node['fb_fluentbit']['external_config_url'] } action :create source 'conf.erb' diff --git a/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb b/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb index e5f55a2cf..700642584 100644 --- a/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb +++ b/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb @@ -74,7 +74,7 @@ include_recipe 'fb_fluentbit::td-agent-bit_rhel' if node.rhel_family? include_recipe 'fb_fluentbit::td-agent-bit_windows' if node.windows? -template 'plugins config' do # ~FB031 +template 'plugins config' do action :create source 'plugins.conf.erb' path plugins_file_path @@ -89,7 +89,7 @@ end end -template 'parsers config' do # ~FB031 +template 'parsers config' do action :create source 'parsers.conf.erb' path parsers_file_path @@ -120,7 +120,7 @@ end end -template 'local config' do # ~FB031 +template 'local config' do not_if { node['fb_fluentbit']['external_config_url'] } action :create source 'conf.erb' diff --git a/cookbooks/fb_grub/recipes/config.rb b/cookbooks/fb_grub/recipes/config.rb index 8afed4815..f09c859ab 100644 --- a/cookbooks/fb_grub/recipes/config.rb 
+++ b/cookbooks/fb_grub/recipes/config.rb @@ -36,7 +36,7 @@ mode '0755' end -template 'grub_config' do # ~FB031 +template 'grub_config' do only_if do node['platform_family'] == 'rhel' && node['fb_grub']['kernels'] && node['fb_grub']['version'] == 1 @@ -82,7 +82,7 @@ # to x86_64. efi_command = type == 'efi' && node.x64? - template "grub2_config_#{type}" do # ~FB031 + template "grub2_config_#{type}" do only_if do (node['fb_grub']['kernels'] && node['fb_grub']['version'] == 2) && (our_type || node['fb_grub']['force_both_efi_and_bios']) diff --git a/cookbooks/fb_kernel/resources/bls_entries.rb b/cookbooks/fb_kernel/resources/bls_entries.rb index da3ad6bc8..db11b2daa 100644 --- a/cookbooks/fb_kernel/resources/bls_entries.rb +++ b/cookbooks/fb_kernel/resources/bls_entries.rb @@ -24,7 +24,7 @@ bls_entry = ::File.join(bls_root, "#{node['machine_id']}-#{data['version']}.conf") - template bls_entry do # ~FB031 + template bls_entry do source 'bls-entry.conf.erb' owner 'root' group 'root' diff --git a/cookbooks/fb_networkd/resources/default.rb b/cookbooks/fb_networkd/resources/default.rb index a1ca473c8..a1e41d1c0 100644 --- a/cookbooks/fb_networkd/resources/default.rb +++ b/cookbooks/fb_networkd/resources/default.rb @@ -102,7 +102,7 @@ ) # Set up the template for this interface - fb_helpers_gated_template conffile do # ~FB031 + fb_helpers_gated_template conffile do allow_changes node.interface_change_allowed?(conf['name']) source 'networkd.conf.erb' owner node.root_user @@ -180,7 +180,7 @@ ) # Set up the template for this interface - fb_helpers_gated_template conffile do # ~FB031 + fb_helpers_gated_template conffile do allow_changes node.interface_change_allowed?(conf['name']) source 'networkd.conf.erb' owner node.root_user 
@@ -263,7 +263,7 @@ ) # Set up the template for this interface - fb_helpers_gated_template conffile do # ~FB031 + fb_helpers_gated_template conffile do allow_changes node.interface_change_allowed?(conf['name']) source 'networkd.conf.erb' owner node.root_user diff --git a/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb b/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb index 7d5f0ef09..4043183c6 100644 --- a/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb +++ b/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb @@ -26,7 +26,7 @@ install_paths = install_pwsh_path_list(node) install_paths.each do |install_path| path = ::File.join(install_path, 'powershell.config.json') - template path do # ~FB031 + template path do only_if { node['fb_powershell']['manage_config'] } source 'powershell.config.json.erb' if platform?('windows') diff --git a/cookbooks/fb_stunnel/recipes/default.rb b/cookbooks/fb_stunnel/recipes/default.rb index 1fbade98d..f51508b35 100644 --- a/cookbooks/fb_stunnel/recipes/default.rb +++ b/cookbooks/fb_stunnel/recipes/default.rb @@ -60,7 +60,7 @@ end end -template sysconfig do # ~FB031 +template sysconfig do source 'sysconfig.erb' owner 'root' group 'root' diff --git a/cookbooks/fb_yum_repos/resources/default.rb b/cookbooks/fb_yum_repos/resources/default.rb index 6a3ced84d..6c33cd35b 100644 --- a/cookbooks/fb_yum_repos/resources/default.rb +++ b/cookbooks/fb_yum_repos/resources/default.rb @@ -43,7 +43,7 @@ group end - template ::File.join(YUM_REPOS_D, "#{group}.repo") do # ~FB031 + template ::File.join(YUM_REPOS_D, "#{group}.repo") do source 'yum.repo.erb' owner 'root' group 'root' From 0f5330e09c13a5aad0955c3c34e4b97043c26665 Mon Sep 17 00:00:00 2001 
From: David Crosby Date: Fri, 14 Jul 2023 09:26:17 -0700 Subject: [PATCH 049/188] remove exclusion on Lint/BinaryOperatorWithIdenticalOperands Summary: Was fixed in D34117172 Differential Revision: D47267603 fbshipit-source-id: 45819a012a83bb8fea802e247265660e25e4c2fd --- .rubocop.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index 3856d7603..8699accc2 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -334,10 +334,8 @@ Lint/AssignmentInCondition: Lint/BigDecimalNew: Enabled: true -# TODO move exception to file after chef-workstation upgrade Lint/BinaryOperatorWithIdenticalOperands: - Exclude: - - cookbooks/fb_helpers/spec/version_spec.rb + Enabled: true Lint/BooleanSymbol: Enabled: true From 2ecede1049afbbc6de07d4285cc348f146521d85 Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Fri, 14 Jul 2023 11:57:57 -0700 Subject: [PATCH 050/188] fb_syslog: add a knob to gate package managing and remove internal hack Summary: Fixes: https://github.com/facebook/chef-cookbooks/issues/223 Differential Revision: D47370901 fbshipit-source-id: 360fc4f40cec63a7ff3b0b4a36ee131122f3faee --- cookbooks/fb_syslog/README.md | 5 +++++ cookbooks/fb_syslog/attributes/default.rb | 1 + cookbooks/fb_syslog/recipes/packages.rb | 10 ++-------- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cookbooks/fb_syslog/README.md b/cookbooks/fb_syslog/README.md index 049f95a83..e894a3e27 100644 --- a/cookbooks/fb_syslog/README.md +++ b/cookbooks/fb_syslog/README.md @@ -7,6 +7,7 @@ Requirements Attributes ---------- +* node['fb_syslog']['manage_packages'] * node['fb_syslog']['syslog-entries'] * node['fb_syslog']['rsyslog_server'] * node['fb_syslog']['rsyslog_server_address'] 
@@ -30,6 +31,10 @@ Attributes Usage ----- +### Packages +This cookbook will install and manage the `rsyslog` package unless the +`node['fb_syslog']['manage_packages]` attribute is set to `false`. + ### syslog-compatible entries The `node['fb_syslog']['syslog-entries']` is used to populate all lines in a `syslog.conf`, and all syslog-style entries in `rsyslog.conf`. diff --git a/cookbooks/fb_syslog/attributes/default.rb b/cookbooks/fb_syslog/attributes/default.rb index adeba32d2..864573652 100644 --- a/cookbooks/fb_syslog/attributes/default.rb +++ b/cookbooks/fb_syslog/attributes/default.rb @@ -99,4 +99,5 @@ 'rsyslog_omprog_binary_args' => [], 'sysconfig' => sysconfig, '_enable_syslog_socket_override' => true, + 'manage_packages' => true, } diff --git a/cookbooks/fb_syslog/recipes/packages.rb b/cookbooks/fb_syslog/recipes/packages.rb index 43ea5ecd5..2a1136f39 100644 --- a/cookbooks/fb_syslog/recipes/packages.rb +++ b/cookbooks/fb_syslog/recipes/packages.rb @@ -20,14 +20,8 @@ return if node.macos? package 'rsyslog' do - # TODO(T152951763): Pin rsyslog to 8.2102.0.105.el9 in Antlir builds - # See D45729033 for the Antlir counterpart - if node.centos9? && node.antlir_build? - version '8.2102.0-105.el9' - action :install - else - action :upgrade - end + only_if { node['fb_syslog']['manage_packages'] } + action :upgrade end # TODO(davide125): Document this From 4a3bccff26e0fb8cc35f369a7a7ac6aad97d32dc Mon Sep 17 00:00:00 2001 
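Review bot: When `only_if { node['fb_syslog']['manage_packages'] }` evaluates to false, nothing in this hunk ensures that rsyslog is present, and the rest of the cookbook presumably still renders its configuration and manages the service. A comment above the resource such as `# When manage_packages is false the caller must provide rsyslog itself` would make that contract explicit. The guard is a plain truthiness test, so a string value like `'false'` would still manage the package. The README hunk in this commit spells the attribute `['manage_packages]` without the closing quote. The recipe continues outside the hunk.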
From: Joshua Miller Date: Mon, 17 Jul 2023 14:56:59 -0700 Subject: [PATCH 051/188] fb_helpers: make unit testing gated_template resource easier Summary: Unit tests against anything which uses the gated_template resource are difficult. This changes the way the resource is handled slightly to ease testing. With that fix, some of the previous hacks to make this spec possible are no longer necessary, so clean up the UserID crap Within the custom resource, this switches from `converge_by` to use a template resource. This should be equivalent (if not DRY), but is what makes the unit testing work properly. I tested the usual flow for this via taste-tester, to confirm: - Within permission, the file is not changed, and permission is requested - With permission, the file is changed, and permission request is cleaned up - With no change required, nothing happens Differential Revision: D46749176 fbshipit-source-id: 1f0bd74d2a2929dcf62841b94f9bfa182f660369 --- cookbooks/fb_helpers/recipes/spec.rb | 15 ++++-- .../fb_helpers/resources/gated_template.rb | 10 +++- .../fixtures/default/gated_template_network | 6 +++ cookbooks/fb_helpers/spec/gated_spec.rb | 52 ++++++++++++++----- 4 files changed, 64 insertions(+), 19 deletions(-) create mode 100644 cookbooks/fb_helpers/spec/fixtures/default/gated_template_network diff --git a/cookbooks/fb_helpers/recipes/spec.rb b/cookbooks/fb_helpers/recipes/spec.rb index 50b9c4c84..049c7d944 100644 --- a/cookbooks/fb_helpers/recipes/spec.rb +++ b/cookbooks/fb_helpers/recipes/spec.rb 
@@ -20,12 +20,21 @@ # This recipe is only for running ChefSpec tests if defined?(ChefSpec) + fb_helpers_request_nw_changes 'manage' do + action :nothing + delayed_action :cleanup_signal_files_when_no_change_required + end + + service 'critical_service' do + action :nothing + end + fb_helpers_gated_template '/tmp/testfile' do allow_changes node.nw_changes_allowed? - # purposefully bogus, so we raise UserIDNotFound and catch in spec - owner 'bogususer123' - group 'bogususer123' + owner 'root' + group 'root' mode '0644' source 'spec_network.erb' + notifies :restart, 'service[critical_service]', :immediately end end diff --git a/cookbooks/fb_helpers/resources/gated_template.rb b/cookbooks/fb_helpers/resources/gated_template.rb index 81d0c2850..74ca2aad0 100644 --- a/cookbooks/fb_helpers/resources/gated_template.rb +++ b/cookbooks/fb_helpers/resources/gated_template.rb @@ -58,8 +58,14 @@ def forced_why_run if new_resource.allow_changes Chef::Log.info('fb_helpers: changes are allowed - updating ' + new_resource.name.to_s) - converge_by("Updating template #{new_resource.name}") do - t.run_action(new_resource.gated_action) + template new_resource.name do + owner new_resource.owner + group new_resource.group + mode new_resource.mode + path new_resource.path if new_resource.path + source new_resource.source + variables new_resource.variables if new_resource.variables + action new_resource.gated_action end else Chef::Log.info('fb_helpers: not allowed to change configs for ' + diff --git a/cookbooks/fb_helpers/spec/fixtures/default/gated_template_network b/cookbooks/fb_helpers/spec/fixtures/default/gated_template_network new file mode 100644 index 000000000..80702ec6b --- /dev/null +++ b/cookbooks/fb_helpers/spec/fixtures/default/gated_template_network @@ -0,0 +1,6 @@ +# Test template used for chefspec + +NETWORKING=yes +HOSTNAME=fauxhai.local +NETWORKING_IPV6=yes +IFDOWN_ON_SHUTDOWN=no 
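Review bot: The inline `template new_resource.name do` block in gated_template.rb forwards only `owner`, `group`, `mode`, `path`, `source` and `variables`, so any other property set on the gated resource would not reach the file that is actually written. The `t` object that the removed `t.run_action(new_resource.gated_action)` used is built outside the hunk, so its property list cannot be confirmed from here. If it also carries `cookbook`, `sensitive` or `verify`, they should be forwarded too: dropping `sensitive` would let rendered diffs reach the log, and dropping `verify` would skip validation of the written file. A comment such as `# keep this property list in sync with the why-run template above` would guard against drift. The enclosing action starts and ends outside the hunk.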
diff --git a/cookbooks/fb_helpers/spec/gated_spec.rb b/cookbooks/fb_helpers/spec/gated_spec.rb index 8b9132a34..9f459cd07 100644 --- a/cookbooks/fb_helpers/spec/gated_spec.rb +++ b/cookbooks/fb_helpers/spec/gated_spec.rb 
@@ -17,28 +17,41 @@ # require './spec/spec_helper' +require_relative '../libraries/fb_helpers' recipe 'fb_helpers::spec', :unsupported => [:mac_os_x] do |tc| - # hack for t70172554 - stubs_for_provider('template[/tmp/testfile]') do |provider| - allow(provider). - to receive_shell_out('/usr/sbin/selinuxenabled', { :returns => [0, 1] }) - end - # fb_helpers_gated_template internally inspects whether the resource - # actually ran, so we have to step in to it and the template resource. - # Stepping into 'template' means the spec will actually change things - # on the running system, which is very bad, so we cause that to fail - # purposefully with a bad user id. + # actually ran, so we have to step in to it + + template_path = '/tmp/testfile' + it 'should try to update the template when nw changes are allowed' do chef_run = tc.chef_run( - :step_into => ['fb_helpers_gated_template', 'template'], + :step_into => ['fb_helpers_gated_template'], ) do |_| allow_any_instance_of(Chef::Node).to receive(:nw_changes_allowed?). and_return(true) + # Since fb_helpers_gated_template uses `updated_by_last_action?` and + # whyrun to extrapolate if a change will happen, we have to mock it + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) end - expect { chef_run.converge(described_recipe) }. 
- to raise_error(Chef::Exceptions::UserIDNotFound) + + expect(FB::Helpers).not_to receive(:_request_nw_changes_permission) + + allow(Chef::Log).to receive(:info).and_call_original + expect(Chef::Log).to receive(:info).with(/fb_helpers: changes are allowed/) + + chef_run.converge(described_recipe) + + expect(chef_run).to render_file(template_path).with_content( + tc.fixture('gated_template_network'), + ) + + # Notifications still work as expected because resource properly updates + expect(chef_run.fb_helpers_gated_template(template_path)).to notify( + 'service[critical_service]', + ).to(:restart).immediately end it 'should not modify the template when nw changes are not allowed' do @@ -47,8 +60,19 @@ ) do |_| allow_any_instance_of(Chef::Node).to receive(:nw_changes_allowed?). and_return(false) + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) end + + expect(FB::Helpers).to receive(:_request_nw_changes_permission) + + allow(Chef::Log).to receive(:info).and_call_original + expect(Chef::Log).to receive(:info).with(/fb_helpers: not allowed to change configs/) + chef_run.converge(described_recipe) - expect(chef_run).not_to render_file('/tmp/testfile') + + expect(chef_run).not_to render_file(template_path) + + expect(chef_run.fb_helpers_gated_template(template_path)).not_to be_updated end end From 43f95e701c8035dce3c0e1d0569846729a0a8498 Mon Sep 17 00:00:00 2001 
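Review bot: `allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original` stubs a class-level method, while `updated_by_last_action?` is asked of resource instances, so this line looks like it has no effect next to the `allow_any_instance_of(...)` stub that follows it. I would drop it from both examples here; the same pair is repeated in the new fb_networkd `default_spec.rb`. Because the instance stub always returns `true`, neither example covers the "no change required" path that the commit message lists as manually verified; a third example with `and_return(false)` would pin that behaviour.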
From: Joshua Miller Date: Mon, 17 Jul 2023 16:54:02 -0700 Subject: [PATCH 052/188] fb_networkd: add unit tests for network, link, and netdev template rendering Summary: fb_networkd: add unit tests for network, link, and netdev template rendering Differential Revision: D46488690 fbshipit-source-id: c020557ab4632d82b8aba886b4458bcc68570c0b --- cookbooks/fb_networkd/spec/default_spec.rb | 78 +++++++++++++++++++ .../fixtures/default/1-fb_networkd-eth0.link | 5 ++ .../default/1-fb_networkd-eth0.network | 18 +++++ .../default/50-fb_networkd-tap0.netdev | 6 ++ 4 files changed, 107 insertions(+) create mode 100644 cookbooks/fb_networkd/spec/default_spec.rb create mode 100644 cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.link create mode 100644 cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.network create mode 100644 cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-tap0.netdev diff --git a/cookbooks/fb_networkd/spec/default_spec.rb b/cookbooks/fb_networkd/spec/default_spec.rb new file mode 100644 index 000000000..50554f2c2 --- /dev/null +++ b/cookbooks/fb_networkd/spec/default_spec.rb 
@@ -0,0 +1,78 @@ +# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2 +# +# Copyright (c) 2023-present, Facebook, Inc. +# All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +require './spec/spec_helper' + +recipe 'fb_networkd::default', :unsupported => [:mac_os_x] do |tc| + + context 'basic networkd setup' do + iface = 'eth0' + cached(:chef_run) do + tc.chef_run( + :step_into => ['fb_networkd', 'fb_helpers_gated_template'], + ) do |node| + allow(node).to receive(:systemd?).and_return(true) + + # These enable the fb_helpers_gated_template resources + allow(node).to receive(:interface_change_allowed?).and_return(true) + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) + end.converge(described_recipe) do |node| + node.default['fb_networkd']['networks'][iface] = { + 'priority' => 1, + 'config' => { + 'Network' => { + 'Address' => [ + '2001:db00::1/64', + '192.168.1.1/24', + '2401:db00::1/64', + ], + }, + 'Address' => [ + { + 'Address' => '2001:db00::1/64', + 'PreferredLifetime' => 'infinity', + }, + { + 'Address' => '2401:db00::1/64', + 'PreferredLifetime' => '0', + }, + ], + }, + } + node.default['fb_networkd']['links'][iface]['config']['Match'][ + 'OriginalName'] = iface + + node.default['fb_networkd']['devices']['tap0']['config']['NetDev'][ + 'Kind'] = 'tap' + end + end + + it 'should create 
networkd config files' do + # Primary interfaces gets priority 1 + expect(chef_run).to render_file("/etc/systemd/network/1-fb_networkd-#{iface}.network"). + with_content(tc.fixture("1-fb_networkd-#{iface}.network")) + + expect(chef_run).to render_file("/etc/systemd/network/1-fb_networkd-#{iface}.link"). + with_content(tc.fixture("1-fb_networkd-#{iface}.link")) + + # default device priority is 50 + expect(chef_run).to render_file('/etc/systemd/network/50-fb_networkd-tap0.netdev'). + with_content(tc.fixture('50-fb_networkd-tap0.netdev')) + end + end +end diff --git a/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.link b/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.link new file mode 100644 index 000000000..aed05ac9a --- /dev/null +++ b/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.link @@ -0,0 +1,5 @@ +# This file is maintained by Chef. Do not edit, all changes will be +# overwritten. See fb_networkd/README.md + +[Match] +OriginalName = eth0 diff --git a/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.network b/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.network new file mode 100644 index 000000000..065e970d6 --- /dev/null +++ b/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.network @@ -0,0 +1,18 @@ +# This file is maintained by Chef. Do not edit, all changes will be +# overwritten. See fb_networkd/README.md + +[Network] +Address = 2001:db00::1/64 +Address = 192.168.1.1/24 +Address = 2401:db00::1/64 + +[Match] +Name = eth0 + +[Address] +Address = 2001:db00::1/64 +PreferredLifetime = infinity + +[Address] +Address = 2401:db00::1/64 +PreferredLifetime = 0 diff --git a/cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-tap0.netdev b/cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-tap0.netdev new file mode 100644 index 000000000..217968ca8 --- /dev/null +++ b/cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-tap0.netdev 
@@ -0,0 +1,6 @@ +# This file is maintained by Chef. Do not edit, all changes will be +# overwritten. See fb_networkd/README.md + +[NetDev] +Kind = tap +Name = tap0 From 125d5dc6e538557747abdd6374ce23a6700f6925 Mon Sep 17 00:00:00 2001 From: John Timon Date: Tue, 18 Jul 2023 14:14:25 -0700 Subject: [PATCH 053/188] Get chef working for rhel 9 Summary: Bootstrap chef core cookbooks to RHEL 9 Differential Revision: D47532272 fbshipit-source-id: ff6d26338709f65e0eb17df20106761e0a2b68f2 --- cookbooks/fb_helpers/libraries/node_methods.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index 8daf4b9ec..b26a8ee09 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -964,7 +964,7 @@ def filesystem_data # returns the version-release of an rpm installed, or nil if not present def rpm_version(name) - if (self.centos? && !self.centos7?) || self.fedora? || self.redhat8? || self.oracle8? + if (self.centos? && !self.centos7?) || self.fedora? || self.redhat8? || self.oracle8? || self.redhat9? # returns epoch.version v = Chef::Provider::Package::Dnf::PythonHelper.instance. package_query(:whatinstalled, name).version From 06352f5a03b50d5964a80f5f9eb6c310428eb2f7 Mon Sep 17 00:00:00 2001 
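Review bot: The `rpm_version` condition now lists `redhat8?`, `oracle8?` and `redhat9?` by hand, so every further EL release or rebuild (Oracle Linux 9, for instance) falls through to the other branch until this line is extended again. That branch is outside the hunk, so what it does for such hosts cannot be confirmed from here. A comment such as `# DNF-based platforms; extend when a new EL release is supported` above the `if`, or one predicate that names the capability rather than the releases, would make the intent clearer.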
From: PatrickDale Date: Wed, 19 Jul 2023 09:11:01 -0700 Subject: [PATCH 054/188] fix(fb_modprobe, fb_systemd): updates to recipes for ubuntu jammy (#224) Summary: ## Description `fb_modprobe` - Updates the cookbook metadata to support `ubuntu`. `fb_systemd` - Adds the required `systemd-timesyncd` package when `timesyncd` is enabled. - Adds the `dns` resolver to the `fb_nsswitch` configuration to be used as a fallback to `systemd-resolved`. This is a recommended configuration for `nss-resolve`: https://man7.org/linux/man-pages/man8/nss-resolve.8.html. ## Impact These cookbooks will now be able to converge on Ubuntu Jammy. Pull Request resolved: https://github.com/facebook/chef-cookbooks/pull/224 Differential Revision: D47484960 fbshipit-source-id: 2eefa662eeec5762f9927c69c4f344693d871c9b --- cookbooks/fb_modprobe/metadata.rb | 2 ++ cookbooks/fb_systemd/recipes/default_packages.rb | 6 +++++- cookbooks/fb_systemd/recipes/resolved.rb | 14 ++++++++++---- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/cookbooks/fb_modprobe/metadata.rb b/cookbooks/fb_modprobe/metadata.rb index a1cd58d7a..ca65acd48 100644 --- a/cookbooks/fb_modprobe/metadata.rb +++ b/cookbooks/fb_modprobe/metadata.rb @@ -7,5 +7,7 @@ source_url 'https://github.com/facebook/chef-cookbooks/' version '0.0.1' supports 'centos' +supports 'debian' +supports 'ubuntu' depends 'fb_helpers' depends 'fb_systemd' diff --git a/cookbooks/fb_systemd/recipes/default_packages.rb b/cookbooks/fb_systemd/recipes/default_packages.rb index 940f56f8b..3c787050a 100644 --- a/cookbooks/fb_systemd/recipes/default_packages.rb +++ b/cookbooks/fb_systemd/recipes/default_packages.rb @@ -35,7 +35,8 @@ end # older versions of Debian and Ubuntu are missing some extra packages - unless ['trusty', 'jessie'].include?(node['lsb']['codename']) + if (node.ubuntu? && node['platform_version'].to_i < 14) || + (node.debian? && node['platform_version'].to_i < 8) systemd_packages += %w{ libnss-myhostname libnss-mymachines 
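Review bot: The new guard in `default_packages.rb` inverts the old one. `unless ['trusty', 'jessie'].include?(node['lsb']['codename'])` added the extra packages on every release except those two, whereas `node['platform_version'].to_i < 14` and `< 8` add them only on releases older than trusty and jessie. On current Debian and Ubuntu the `systemd_packages += %w{ libnss-myhostname ...` list would then be skipped, which runs against the stated goal of converging on Jammy; the `systemd-journal-remote` check visible in the next hunk's context still uses the negated codename form. I would write `if (node.ubuntu? && node['platform_version'].to_i > 14) ||` and `(node.debian? && node['platform_version'].to_i > 8)`. The package list continues outside the hunk.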
@@ -59,6 +60,9 @@ !['trusty', 'jessie'].include?(node['lsb']['codename']) systemd_packages << 'systemd-journal-remote' end + if node['fb_systemd']['timesyncd']['enable'] + systemd_packages << 'systemd-timesyncd' + end if node['packages'] && node['packages']['systemd']['version'] systemd_version = FB::Version.new(node['packages']['systemd']['version']) has_split_rpms = node.debian? || ((node.fedora? || node.centos?) && diff --git a/cookbooks/fb_systemd/recipes/resolved.rb b/cookbooks/fb_systemd/recipes/resolved.rb index b86c518a6..455907565 100644 --- a/cookbooks/fb_systemd/recipes/resolved.rb +++ b/cookbooks/fb_systemd/recipes/resolved.rb @@ -31,10 +31,11 @@ end # nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR caching -# stub resolver. According to upstream this should replace the glibc "dns" -# resolver and is required for systemd-resolved to work. This block attempts -# to place the resolver between mymachines and myhostname as recommended by +# stub resolver. According to upstream this should be used in favor of the glibc +# "dns" resolver and is required for systemd-resolved to work. This block attempts +# to place "resolver dns" between mymachines and myhostname as recommended by # upstream. +# See: https://man7.org/linux/man-pages/man8/nss-resolve.8.html whyrun_safe_ruby_block 'enable nss-resolve' do only_if do node['fb_systemd']['resolved']['enable'] && 
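Review bot: `systemd_packages << 'systemd-timesyncd'` is added whenever `node['fb_systemd']['timesyncd']['enable']` is set, with no release check, while the neighbouring lines gate other packages by release. As far as I know timesyncd is a separate package only on newer Debian and Ubuntu releases, so on older ones the package resource could fail to find it. A version guard, or a comment stating the minimum release this applies to, would help. The enclosing platform branch begins outside the hunk, so it is worth confirming which distributions reach this line.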
@@ -46,13 +47,18 @@ if idx node.default['fb_nsswitch']['databases']['hosts'].insert(idx + 1, 'resolve') + node.default['fb_nsswitch']['databases']['hosts'].insert(idx + 2, + 'dns') else idx = node['fb_nsswitch']['databases']['hosts'].index('myhostname') if idx - node.default['fb_nsswitch']['databases']['hosts'].insert(idx - 1, + node.default['fb_nsswitch']['databases']['hosts'].insert(idx - 2, 'resolve') + node.default['fb_nsswitch']['databases']['hosts'].insert(idx - 1, + 'dns') else node.default['fb_nsswitch']['databases']['hosts'] << 'resolve' + node.default['fb_nsswitch']['databases']['hosts'] << 'dns' end end end From e2ff147ede4a5c416c5cdd3f836890cdf6185803 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Tue, 25 Jul 2023 08:24:16 -0700 Subject: [PATCH 055/188] Drop Ruby 2.4 CI test Summary: Ruby 2.4 is EOL, and the tests will fail when we bump RuboCop versions Differential Revision: D47607760 fbshipit-source-id: ff0929a52599214bad944ef772b556e8467670ef --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a05fd0c3d..d859b4124 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,7 @@ jobs: strategy: fail-fast: false matrix: - ruby: [2.4, 2.5, 2.6] + ruby: [2.5, 2.6] runs-on: ubuntu-latest steps: - name: Checkout repository From 75901a74e3fe840c0838bfd2c918189e1202dd43 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Tue, 25 Jul 2023 08:35:45 -0700 Subject: [PATCH 056/188] Add Ruby 2.7, 3.0, 3.1 CI tests Summary: Ruby 3.1 is what's running in the latest Chef Infra client versions. Differential Revision: D47609973 fbshipit-source-id: 526242491c6bc7495d4ded115b087ae39eef988f --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d859b4124..a41e5435b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
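Review bot: In the `myhostname` fallback branch of `resolved.rb`, `insert(idx - 2, 'resolve')` followed by `insert(idx - 1, 'dns')` does not put the pair directly before `myhostname`. `Array#insert` places the value before the element at the given index, so both entries land two slots early, and for `idx` of 0 or 1 the index goes negative and counts from the end (with `['files', 'myhostname']` the result is `['dns', 'files', 'myhostname', 'resolve']`). Because nsswitch order decides which source answers a host lookup first, this can put `dns` ahead of `files` and let a DNS answer take precedence over `/etc/hosts`. A single `node.default['fb_nsswitch']['databases']['hosts'].insert(idx, 'resolve', 'dns')` keeps both immediately before `myhostname`. The `idx - 1` offset predates this commit, and the block's guard and the first `idx` lookup sit outside the hunk.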
@@ -8,7 +8,7 @@ jobs: strategy: fail-fast: false matrix: - ruby: [2.5, 2.6] + ruby: [2.5, 2.6, 2.7, 3.0, 3.1] runs-on: ubuntu-latest steps: - name: Checkout repository From a8b18b7a0f8c68d1152e871da37e62666b7fbd7d Mon Sep 17 00:00:00 2001 From: David Crosby Date: Tue, 25 Jul 2023 12:11:17 -0700 Subject: [PATCH 057/188] bump to rubocop 1.25.1 and cookstyle 7.32.1 Summary: These versions work on Ruby 2.5. The warnings from the newly disabled `Chef/Sharing` lints are new, so we'll ratchet those back in along with the two new `rubocop:todo` lines. `Chef/Style/CommentSentenceSpacing` is broken in 7.32.1, fixed in 7.32.3 Differential Revision: D47609492 fbshipit-source-id: 06f3ef56c7e177254d71d660656b0a7397563ad7 --- .cookstyle.yml | 8 ++++---- Gemfile | 4 ++-- cookbooks/fb_grubby/libraries/fb_grubby_helpers.rb | 2 +- cookbooks/fb_powershell/resources/fb_powershell_module.rb | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.cookstyle.yml b/.cookstyle.yml index 02c90fc65..e6e2717f5 100644 --- a/.cookstyle.yml +++ b/.cookstyle.yml @@ -366,11 +366,11 @@ Chef/Sharing/DefaultMetadataMaintainer: Chef/Sharing/EmptyMetadataField: Enabled: true Chef/Sharing/IncludePropertyDescriptions: - Enabled: true + Enabled: false # TODO(T158836638) ratchet back in Chef/Sharing/IncludeResourceDescriptions: - Enabled: true + Enabled: false # TODO(T158836638) ratchet back in Chef/Sharing/IncludeResourceExamples: - Enabled: true + Enabled: false # TODO(T158836638) ratchet back in Chef/Sharing/InsecureCookbookURL: Enabled: true Chef/Sharing/InvalidLicenseString: @@ -379,7 +379,7 @@ Chef/Sharing/InvalidLicenseString: Chef/Style/AttributeKeys: Enabled: true Chef/Style/CommentSentenceSpacing: - Enabled: true + Enabled: false # TODO: Re-enable in Cookstyle 7.32.3+ Chef/Style/DefaultCopyrightComments: Enabled: true Chef/Style/FileMode: diff --git a/Gemfile b/Gemfile index e7f904c42..fa39b0076 100644 --- a/Gemfile +++ b/Gemfile 
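Review bot: The unquoted `3.0` in the new `ruby:` matrix is read by YAML as the number 3, so that job would likely request Ruby "3" (the newest 3.x) rather than 3.0, and CI would not cover the interpreter version it names. Quoting every entry avoids the coercion: `ruby: ['2.5', '2.6', '2.7', '3.0', '3.1']`. The step that consumes `matrix.ruby` is outside the hunk, so confirm how the value is passed on.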
@@ -1,9 +1,9 @@ source 'https://rubygems.org' gem 'chef', '~> 14' -gem 'cookstyle', '= 7.2.1' +gem 'cookstyle', '= 7.32.1' gem 'rspec', '= 3.10' -gem 'rubocop', '= 1.3.1' +gem 'rubocop', '= 1.25.1' %w{ chefspec diff --git a/cookbooks/fb_grubby/libraries/fb_grubby_helpers.rb b/cookbooks/fb_grubby/libraries/fb_grubby_helpers.rb index 566345b47..34b77e5ac 100644 --- a/cookbooks/fb_grubby/libraries/fb_grubby_helpers.rb +++ b/cookbooks/fb_grubby/libraries/fb_grubby_helpers.rb @@ -25,7 +25,7 @@ def self.default_kernel end def self.kernels - @kernels ||= begin + @kernels ||= begin # rubocop:todo Style/RedundantBegin ::Dir.glob('/boot/vmlinuz-*-*.*.*').sort end end diff --git a/cookbooks/fb_powershell/resources/fb_powershell_module.rb b/cookbooks/fb_powershell/resources/fb_powershell_module.rb index 55c571f5e..8fae507f0 100644 --- a/cookbooks/fb_powershell/resources/fb_powershell_module.rb +++ b/cookbooks/fb_powershell/resources/fb_powershell_module.rb @@ -14,7 +14,7 @@ [Integer, String, Array], :coerce => proc { |m| Array(m) }, :default => '0' -property :repository, +property :repository, # rubocop:todo Chef/RedundantCode/PropertyWithRequiredAndDefault String, :required => true, :default => 'PSGallery' From dd101d39dfaed216ddf1b7fdfcf4bee80c0f0909 Mon Sep 17 00:00:00 2001 
From: David Crosby Date: Tue, 25 Jul 2023 14:38:28 -0700 Subject: [PATCH 058/188] Change TargetChefVersion to 16.18.0 Summary: Activates the following lints which, while enabled in cookstyle.yml, weren't running due to the unmet - Chef/Modernize/LibarchiveFileResource - Chef/Deprecations/MacosUserdefaultsGlobalProperty - Chef/Deprecations/PoiseArchiveUsage - Chef/Modernize/PowershellScriptExpandArchive - Chef/Modernize/SevenZipArchiveResource - Chef/Modernize/WindowsRegistryUAC - Chef/Modernize/WindowsZipfileUsage - Chef/Modernize/ZipfileResource Chef/Deprecations/LogResourceNotifications will need to be ratcheted in. Differential Revision: D47613067 fbshipit-source-id: c7c7ca4bff79c2862a1dd1e8a4f8859f3ee989f0 --- .cookstyle.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.cookstyle.yml b/.cookstyle.yml index e6e2717f5..d65193315 100644 --- a/.cookstyle.yml +++ b/.cookstyle.yml @@ -5,7 +5,7 @@ AllCops: # new cops and make upgrades easier (ie not dealing with a bunch of noise # each Cookstyle update) DisabledByDefault: true - TargetChefVersion: 14.15.6 + TargetChefVersion: 16.18.0 Chef/Correctness/BlockGuardWithOnlyString: Enabled: true @@ -137,7 +137,7 @@ Chef/Deprecations/LibrarianChefSpec: Chef/Deprecations/LocaleDeprecatedLcAllProperty: Enabled: true Chef/Deprecations/LogResourceNotifications: - Enabled: true + Enabled: false # TODO(T158851402) ratchet back in Chef/Deprecations/MacosUserdefaultsGlobalProperty: Enabled: true Chef/Deprecations/NamePropertyWithDefaultValue: From 5cd7894a2953a0f70057ba93b3b39273e8cf3e3b Mon Sep 17 00:00:00 2001 From: David Crosby Date: Wed, 26 Jul 2023 11:26:56 -0700 Subject: [PATCH 059/188] re-enable autocorrection on Lint/AmbiguousRegexpLiteral Summary: The open-source RuboCop version pin is now greater than 1.19 Differential Revision: D47802717 fbshipit-source-id: 16bc3e92c95bce46e4d87dd6c5740b57ab2cbf1f --- .rubocop.yml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/.rubocop.yml b/.rubocop.yml index 8699accc2..baee4f40c 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -325,8 +325,6 @@ Lint/AmbiguousOperator: Lint/AmbiguousRegexpLiteral: Enabled: true - # TODO re-enable autocorrection on RuboCop >= v1.19 see https://github.com/rubocop/rubocop/issues/10002 - AutoCorrect: false Lint/AssignmentInCondition: Enabled: true From 52bcad174ab1263a4c1fad0ac017562383b139e6 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Wed, 26 Jul 2023 11:37:05 -0700 Subject: [PATCH 060/188] fix core cookbooks Summary: Doing proactive cosmetic cleanup before doing work to clean up missing/unused dependencies. Differential Revision: D47775954 fbshipit-source-id: de9d0d46601ac74ab700b5480b1b3ddccd6c0607 --- cookbooks/fb_grub/metadata.rb | 2 +- cookbooks/fb_ntp/metadata.rb | 2 +- cookbooks/fb_sdparm/metadata.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cookbooks/fb_grub/metadata.rb b/cookbooks/fb_grub/metadata.rb index b08f10a3d..53c68e3e1 100644 --- a/cookbooks/fb_grub/metadata.rb +++ b/cookbooks/fb_grub/metadata.rb @@ -7,5 +7,5 @@ source_url 'https://github.com/facebook/chef-cookbooks/' version '0.1.0' supports 'centos' -depends 'fb_helpers' depends 'fb_fstab' +depends 'fb_helpers' diff --git a/cookbooks/fb_ntp/metadata.rb b/cookbooks/fb_ntp/metadata.rb index 1a0fb6ba9..77859e477 100644 --- a/cookbooks/fb_ntp/metadata.rb +++ b/cookbooks/fb_ntp/metadata.rb @@ -9,5 +9,5 @@ supports 'centos' supports 'ubuntu' supports 'windows' -depends 'fb_systemd' depends 'fb_helpers' +depends 'fb_systemd' diff --git a/cookbooks/fb_sdparm/metadata.rb b/cookbooks/fb_sdparm/metadata.rb index 17b5784c9..04af91af1 100644 --- a/cookbooks/fb_sdparm/metadata.rb +++ b/cookbooks/fb_sdparm/metadata.rb @@ -7,6 +7,6 @@ source_url 'https://github.com/facebook/chef-cookbooks/' version '0.1.0' supports 'centos' +depends 'fb_fstab' depends 'fb_helpers' depends 'fb_sysfs' -depends 'fb_fstab' 
From aad54d87cf9a557bea21fd026de8d273987c8449 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Thu, 27 Jul 2023 10:16:57 -0700 Subject: [PATCH 061/188] CPU perf improvements via avoiding read-write loops Summary: This loop triggers a DeepMergeCache flap. Moving the globals outside the loop fixes the flap, and uses a single node.default write for the block Differential Revision: D47308032 fbshipit-source-id: 86a13dbc408859021e6466daecfd3fc6af3b9871 --- cookbooks/fb_logrotate/recipes/default.rb | 27 +++++++++++------------ 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/cookbooks/fb_logrotate/recipes/default.rb b/cookbooks/fb_logrotate/recipes/default.rb index 30b769032..dba2e54aa 100644 --- a/cookbooks/fb_logrotate/recipes/default.rb +++ b/cookbooks/fb_logrotate/recipes/default.rb @@ -34,11 +34,13 @@ whyrun_safe_ruby_block 'munge logrotate configs' do block do + globals = node['fb_logrotate']['globals'] # Keep globals out of loop below to avoid deep merge cache flap node['fb_logrotate']['configs'].to_hash.each do |name, block| + config = block.dup time = nil - if block['overrides'] - rotation = block['overrides']['rotation'] - size = block['overrides']['size'] + if config['overrides'] + rotation = config['overrides']['rotation'] + size = config['overrides']['size'] if rotation && size fail "fb_logrotate:[#{name}]: you can only use size or rotation " + 
@@ -48,15 +50,13 @@ if rotation # if someone wants to override weekly but didn't specify # how many to keep, we default to 4 - if rotation == 'weekly' && !block['overrides']['rotate'] - node.default['fb_logrotate']['configs'][name][ - 'overrides']['rotate'] = '4' + if rotation == 'weekly' && !config['overrides']['rotate'] + config['overrides']['rotate'] = '4' end if %w{hourly daily weekly monthly yearly}.include?(rotation) time = rotation - node.default[ - 'fb_logrotate']['configs'][name]['overrides']['rotation'] = nil + config['overrides']['rotation'] = nil else fail "fb_logrotate:[#{name}]: rotation #{rotation} invalid" end @@ -64,19 +64,18 @@ if size time = "size #{size}" - node.rm(:fb_logrotate, :configs, name, :overrides, :size) + config['overrides']['size'] = nil end - if block['overrides']['nocompress'] && - node['fb_logrotate']['globals']['nocompress'] + if config['overrides']['nocompress'] && globals['nocompress'] # redundant, remove - node.default[ - 'fb_logrotate']['configs'][name]['overrides']['nocompress'] = nil + config['overrides']['nocompress'] = nil end end if time - node.default['fb_logrotate']['configs'][name]['time'] = time + config['time'] = time end + node.default['fb_logrotate']['configs'][name] = config end end end From 08797d55e28851c78302ccb32589a26bd907f470 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Mon, 31 Jul 2023 08:49:56 -0700 Subject: [PATCH 062/188] Turn off CommentSentenceSpacing for good Summary: Too noisy, and doesn't really serve a functional purpose (ie AST mutation). Differential Revision: D47836299 fbshipit-source-id: d92de51a22a4949491b1860614c91ff7f0f14d4f --- .cookstyle.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cookstyle.yml b/.cookstyle.yml index d65193315..96525702a 100644 --- a/.cookstyle.yml +++ b/.cookstyle.yml 
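Review bot: `config['overrides']['size'] = nil` is not equivalent to the `node.rm(:fb_logrotate, :configs, name, :overrides, :size)` it replaces. The key now stays in `overrides` with a nil value, and the result is written at default precedence only, so a `size` set at a higher precedence level would still show through the merged attribute. If whatever renders `overrides` (not visible in this diff) does not skip nil values, a stray `size` directive could be emitted; `config['overrides'].delete('size')` keeps the key out of the written hash. Separately, `config = block.dup` earlier in this file's diff is a shallow copy, so these nested `overrides` writes also touch `block`; that is harmless only if `to_hash` already returned a detached copy, which a one-line comment could state.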
@@ -379,7 +379,7 @@ Chef/Sharing/InvalidLicenseString: Chef/Style/AttributeKeys: Enabled: true Chef/Style/CommentSentenceSpacing: - Enabled: false # TODO: Re-enable in Cookstyle 7.32.3+ + Enabled: false # Turned off intentionally, too opinionated/noisy Chef/Style/DefaultCopyrightComments: Enabled: true Chef/Style/FileMode: From 56404e9197476d8dae7cb0fbcde88c2357019eb3 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Tue, 1 Aug 2023 00:48:59 -0700 Subject: [PATCH 063/188] fb_swap: when a label exists on a swap device, use that for the mount device Summary: We prefer to use labels rather than devices, because device numbers can be reordered after device changes / kernel changes. If there is a swap device, and it has a label, use that. Differential Revision: D47889869 fbshipit-source-id: 1ac6ad7d8812db96262a61d53e6a061076dd86c0 --- cookbooks/fb_swap/libraries/default.rb | 28 +++++++++++++++++++- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 9 ++++++- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index be7312fcf..d84cea5ed 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb 
@@ -293,8 +293,34 @@ def self._path(node, type) end end + def self._label(node) + device = self._device(node) + label = node.filesystem_data['by_device'][device] && + node.filesystem_data['by_device'][device]['label'] + if label && label.empty? + label = nil + end + label + end + def self._swap_unit(node, type) - FB::Systemd.path_to_unit(self._path(node, type), 'swap') + if type == 'device' + label = self._label(node) + if label && node.in_shard?(0) + # the kernel escapes slash characters in the label name, so we have to + # construct the by-label path with escapes, then resolve what path + # systemd will create via the generators + if label.start_with?('/') + label = label.sub('/', '\\x2f') + end + path = "/dev/disk/by-label/#{label}" + FB::Systemd.path_to_unit(path, 'swap') + else + FB::Systemd.path_to_unit(self._path(node, type), 'swap') + end + else + FB::Systemd.path_to_unit(self._path(node, type), 'swap') + end end def self._get_max_device_size_bytes(device) diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index f79ac89da..2e326fbbd 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -59,9 +59,16 @@ only_if { node['fb_swap']['_calculated']["#{type}_size_bytes"].positive? } block do # ask fb_fstab to create the unit + device = FB::FbSwap._path(node, type) + if type == 'device' && node.in_shard?(0) + label = FB::FbSwap._label(node) + if label + device = "LABEL=#{label}" + end + end node.default['fb_fstab']['mounts']["swap_#{type}"] = { 'mount_point' => 'swap', - 'device' => FB::FbSwap._path(node, type), + 'device' => device, 'type' => 'swap', # prioritize swap file in case that swap partition is on a spinning disk 'opts' => type == 'device' ? 'pri=5' : 'pri=10', From 0b31992e5058d2846b073c79d459bb84e5783a14 Mon Sep 17 00:00:00 2001 
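Review bot: The escaping in `_swap_unit` covers only one leading slash: `label.sub('/', '\\x2f')` runs when the label starts with `/` and replaces just the first occurrence. A label with a slash elsewhere, or with other characters that are presumably `\xNN`-encoded in `/dev/disk/by-label` names (a space, for instance), produces a path that does not match the real symlink and therefore the wrong unit name. The label appears to come from the device's own filesystem metadata, so it is best treated as arbitrary input: use `label = label.gsub('/') { '\\x2f' }` at minimum, and fall back to `self._path(node, type)` when the label contains anything outside a conservative character set. The `FB::Systemd.path_to_unit(self._path(node, type), 'swap')` fallback is also repeated in both `else` arms and could be a single trailing expression.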
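Review bot: `device = "LABEL=#{label}"` in `before_fb_fstab.rb` places the label into the fstab `device` field without any check on its contents. fstab fields are whitespace-separated, so a label containing a space or tab would shift the remaining fields unless `fb_fstab` escapes it, which is not visible here. A guard such as `if label && label.match?(%r{\A[\w./+-]+\z})` before switching to `LABEL=` would keep the path-based device for anything unusual. The `in_shard?(0)` gate is duplicated between this recipe and `_swap_unit`, so the fstab entry and the unit name only agree while both literals are edited in step; a shared helper in `FB::FbSwap` would remove that coupling.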
From: Joshua Miller Date: Tue, 1 Aug 2023 05:59:12 -0700 Subject: [PATCH 064/188] fb_swap: prefer label as mount device for swap 1% -> 2% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D47948323 fbshipit-source-id: 5c139eb1f4c6eae45a1debe907eb08ca14774519 --- cookbooks/fb_swap/libraries/default.rb | 2 +- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index d84cea5ed..807dfdcdb 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb @@ -306,7 +306,7 @@ def self._label(node) def self._swap_unit(node, type) if type == 'device' label = self._label(node) - if label && node.in_shard?(0) + if label && node.in_shard?(1) # the kernel escapes slash characters in the label name, so we have to # construct the by-label path with escapes, then resolve what path # systemd will create via the generators diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index 2e326fbbd..30bcf3a3a 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -60,7 +60,7 @@ block do # ask fb_fstab to create the unit device = FB::FbSwap._path(node, type) - if type == 'device' && node.in_shard?(0) + if type == 'device' && node.in_shard?(1) label = FB::FbSwap._label(node) if label device = "LABEL=#{label}" From 0cba50cb30d6f2f0b3abbe4289d1c60a26cab0da Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Tue, 1 Aug 2023 08:05:48 -0700 Subject: [PATCH 065/188] fb_swap: prefer label as mount device for swap 2% -> 5% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D47948322 fbshipit-source-id: d1c562314da0b908eb5603e2997e7793409f23da --- cookbooks/fb_swap/libraries/default.rb | 2 +- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index 807dfdcdb..7ee6b94a4 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb @@ -306,7 +306,7 @@ def self._label(node) def self._swap_unit(node, type) if type == 'device' label = self._label(node) - if label && node.in_shard?(1) + if label && node.in_shard?(4) # the kernel escapes slash characters in the label name, so we have to # construct the by-label path with escapes, then resolve what path # systemd will create via the generators diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index 30bcf3a3a..45f067d5d 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -60,7 +60,7 @@ block do # ask fb_fstab to create the unit device = FB::FbSwap._path(node, type) - if type == 'device' && node.in_shard?(1) + if type == 'device' && node.in_shard?(4) label = FB::FbSwap._label(node) if label device = "LABEL=#{label}" From 4120802b2ba76775187fdb6b397634450df2171e Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Wed, 2 Aug 2023 00:28:47 -0700 Subject: [PATCH 066/188] fb_swap: prefer label as mount device for swap 5% -> 15% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D47948321 fbshipit-source-id: 8c6ecf7ce5a95be24058c66ddfb5e2952c31fd0a --- cookbooks/fb_swap/libraries/default.rb | 2 +- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index 7ee6b94a4..9006a51f8 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb @@ -306,7 +306,7 @@ def self._label(node) def self._swap_unit(node, type) if type == 'device' label = self._label(node) - if label && node.in_shard?(4) + if label && node.in_shard?(14) # the kernel escapes slash characters in the label name, so we have to # construct the by-label path with escapes, then resolve what path # systemd will create via the generators diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index 45f067d5d..ceaef8abe 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -60,7 +60,7 @@ block do # ask fb_fstab to create the unit device = FB::FbSwap._path(node, type) - if type == 'device' && node.in_shard?(4) + if type == 'device' && node.in_shard?(14) label = FB::FbSwap._label(node) if label device = "LABEL=#{label}" From 69c8c45259c7dfc0ba70e5bed3c7d3ffd0874e94 Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Wed, 2 Aug 2023 04:16:47 -0700 Subject: [PATCH 067/188] fb_swap: prefer label as mount device for swap 15% -> 25% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D47948320 fbshipit-source-id: 9b7de3c71e7fdc184f701b8f4283e9a063dc6489 --- cookbooks/fb_swap/libraries/default.rb | 2 +- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index 9006a51f8..68beca8c8 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb @@ -306,7 +306,7 @@ def self._label(node) def self._swap_unit(node, type) if type == 'device' label = self._label(node) - if label && node.in_shard?(14) + if label && node.in_shard?(24) # the kernel escapes slash characters in the label name, so we have to # construct the by-label path with escapes, then resolve what path # systemd will create via the generators diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index ceaef8abe..5d39c423e 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -60,7 +60,7 @@ block do # ask fb_fstab to create the unit device = FB::FbSwap._path(node, type) - if type == 'device' && node.in_shard?(14) + if type == 'device' && node.in_shard?(24) label = FB::FbSwap._label(node) if label device = "LABEL=#{label}" From a96480e44435835d9dee28935248b6bc68e0bfd8 Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Wed, 2 Aug 2023 08:08:51 -0700 Subject: [PATCH 068/188] fb_swap: prefer label as mount device for swap 25% -> 40% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D47948318 fbshipit-source-id: f3c2257cf0ad61fc57e3061730a1a0bda65ad29f --- cookbooks/fb_swap/libraries/default.rb | 2 +- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index 68beca8c8..ac4e6dd8f 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb @@ -306,7 +306,7 @@ def self._label(node) def self._swap_unit(node, type) if type == 'device' label = self._label(node) - if label && node.in_shard?(24) + if label && node.in_shard?(39) # the kernel escapes slash characters in the label name, so we have to # construct the by-label path with escapes, then resolve what path # systemd will create via the generators diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index 5d39c423e..13c940e3d 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -60,7 +60,7 @@ block do # ask fb_fstab to create the unit device = FB::FbSwap._path(node, type) - if type == 'device' && node.in_shard?(24) + if type == 'device' && node.in_shard?(39) label = FB::FbSwap._label(node) if label device = "LABEL=#{label}" From aa588faf6f2266267e8456b3ea6e9a3cdb64db85 Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Thu, 3 Aug 2023 01:56:55 -0700 Subject: [PATCH 069/188] fb_swap: prefer label as mount device for swap 40% -> 60% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D47948319 fbshipit-source-id: d1e947046789f8c75979b9a73207bf474990fda5 --- cookbooks/fb_swap/libraries/default.rb | 2 +- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index ac4e6dd8f..0df4e1fed 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb @@ -306,7 +306,7 @@ def self._label(node) def self._swap_unit(node, type) if type == 'device' label = self._label(node) - if label && node.in_shard?(39) + if label && node.in_shard?(59) # the kernel escapes slash characters in the label name, so we have to # construct the by-label path with escapes, then resolve what path # systemd will create via the generators diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index 13c940e3d..076b1fe9c 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -60,7 +60,7 @@ block do # ask fb_fstab to create the unit device = FB::FbSwap._path(node, type) - if type == 'device' && node.in_shard?(39) + if type == 'device' && node.in_shard?(59) label = FB::FbSwap._label(node) if label device = "LABEL=#{label}" From 05c32f80be3d2f0f5a0521914967caea3583c4df Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Thu, 3 Aug 2023 03:23:52 -0700 Subject: [PATCH 070/188] fb_networkd: add API to trigger notifications after networkd changes Summary: There are scenarios where we need to take some action after a networkd change has been made. This builds this API into fb_networkd, such that the set of resources and actions to run via notifications can be set via a node API. Differential Revision: D47993625 fbshipit-source-id: 1f208b18016a9b82ac44078856ae693932fe0650 --- cookbooks/fb_networkd/README.md | 18 ++++++++++ cookbooks/fb_networkd/attributes/default.rb | 1 + cookbooks/fb_networkd/recipes/default.rb | 10 ++++-- cookbooks/fb_networkd/resources/notify.rb | 37 +++++++++++++++++++++ 4 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 cookbooks/fb_networkd/resources/notify.rb diff --git a/cookbooks/fb_networkd/README.md b/cookbooks/fb_networkd/README.md index 94a80c9e4..e2b8120a0 100644 --- a/cookbooks/fb_networkd/README.md +++ b/cookbooks/fb_networkd/README.md @@ -16,6 +16,7 @@ Attributes * node['fb_networkd']['links'][$LINK]['config'] * node['fb_networkd']['devices'][$DEVICE]['priority'] * node['fb_networkd']['devices'][$DEVICE]['config'] +* node['fb_networkd']['notify_resources'] Usage ----- 
@@ -139,6 +140,23 @@ Refer to the upstream documentation for more details on how to configure [links](https://www.freedesktop.org/software/systemd/man/systemd.link.html) and [virtual network devices](https://www.freedesktop.org/software/systemd/man/systemd.netdev.html). +### Notifications +If the networkd configuration is changed, `fb_networkd` will fire delayed +notifications for resources listed in `node['fb_networkd']['notify_resources']`. +This is a `Hash` in the `resource` => `action` format. For example, setting: + +```ruby +node.default['fb_networkd']['notify_resources'] = { + 'service[some_service]' => :restart, +} +``` + +will result in: + +``` +notifies :restart, 'service[some_service]' +``` + ### When can Chef make network changes Network changes can be disruptive and have potential for major impact. To mitigate this, `node.interface_change_allowed?(interface)` from `fb_helpers` diff --git a/cookbooks/fb_networkd/attributes/default.rb b/cookbooks/fb_networkd/attributes/default.rb index 9566d7bd9..eed95fcea 100644 --- a/cookbooks/fb_networkd/attributes/default.rb +++ b/cookbooks/fb_networkd/attributes/default.rb @@ -30,4 +30,5 @@ }, 'links' => {}, 'devices' => {}, + 'notify_resources' => {}, } diff --git a/cookbooks/fb_networkd/recipes/default.rb b/cookbooks/fb_networkd/recipes/default.rb index 1637a1316..9ddd3b451 100644 --- a/cookbooks/fb_networkd/recipes/default.rb +++ b/cookbooks/fb_networkd/recipes/default.rb @@ -24,7 +24,13 @@ node.default['fb_systemd']['networkd']['enable'] = true -fb_networkd 'manage configuration' +fb_networkd 'manage configuration' do + notifies :trigger, 'fb_networkd_notify[doit]' +end + +fb_networkd_notify 'doit' do + action :nothing +end # Increase timeout to avoid conflicting with any start/restart calls. # Yes this could be racy but if systemd-networkd takes more than 30 min to come 
@@ -37,7 +43,7 @@ command '/bin/networkctl reload' action :nothing environment({ 'SYSTEMD_BUS_TIMEOUT' => '1800s' }) - + notifies :trigger, 'fb_networkd_notify[doit]' end node['network']['interfaces'].to_hash.each_key do |iface| diff --git a/cookbooks/fb_networkd/resources/notify.rb b/cookbooks/fb_networkd/resources/notify.rb new file mode 100644 index 000000000..ddd496dad --- /dev/null +++ b/cookbooks/fb_networkd/resources/notify.rb @@ -0,0 +1,37 @@ +# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2 +# +# Copyright (c) 2023-present, Facebook, Inc. +# All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +default_action :trigger + +action :trigger do + if Chef::VERSION.to_i >= 16 + notify_group 'notify resources after networkd change' do # rubocop:disable Chef/Meta/Chef16 + node['fb_networkd']['notify_resources'].each do |my_r, my_a| + notifies my_a, my_r + end + action :run + end + else + log 'notify resources after networkd change' do + node['fb_networkd']['notify_resources'].each do |my_r, my_a| + notifies my_a, my_r + end + action :write + end + end +end From f03ac7d2c160935e27a8a9f440a2d14fc346e1a4 Mon Sep 17 00:00:00 2001 
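Review bot: The `notifies` loop over `node['fb_networkd']['notify_resources']` is written out twice in `resources/notify.rb`, once per Chef-version branch, and the `:trigger` action builds a `notify_group` or `log` resource even when the hash is empty, which is the default set in `attributes/default.rb`. Reading the hash once with `targets = node['fb_networkd']['notify_resources'].to_hash` and using `targets.each { |my_r, my_a| notifies my_a, my_r }` in each branch removes the duplication, and skipping the inner resource when `targets.empty?` avoids a no-op being reported as updated after every networkd change. The resource name `doit` used in `recipes/default.rb` says nothing in run logs; a descriptive name such as `fb_networkd_notify 'notify after networkd change'` would read better. A header comment in `notify.rb` noting that each key must name a resource present in the run, and that the notifications use the default timing, would help callers of this API.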
From: Joshua Miller Date: Thu, 3 Aug 2023 04:44:35 -0700 Subject: [PATCH 071/188] fb_swap: prefer label as mount device for swap 60% -> 80% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D47948316 fbshipit-source-id: 25a3216302b4cb51c46c1802c4b44a7145c7a522 --- cookbooks/fb_swap/libraries/default.rb | 2 +- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index 0df4e1fed..549b8b6b9 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb @@ -306,7 +306,7 @@ def self._label(node) def self._swap_unit(node, type) if type == 'device' label = self._label(node) - if label && node.in_shard?(59) + if label && node.in_shard?(79) # the kernel escapes slash characters in the label name, so we have to # construct the by-label path with escapes, then resolve what path # systemd will create via the generators diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index 076b1fe9c..9d761075a 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -60,7 +60,7 @@ block do # ask fb_fstab to create the unit device = FB::FbSwap._path(node, type) - if type == 'device' && node.in_shard?(59) + if type == 'device' && node.in_shard?(79) label = FB::FbSwap._label(node) if label device = "LABEL=#{label}" From 1099ab911283236c3ef19496d0617a6d339afd1c Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Thu, 3 Aug 2023 08:08:27 -0700 Subject: [PATCH 072/188] fb_swap: prefer label as mount device for swap 80% -> 100% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D47948317 fbshipit-source-id: dd8dc273faf11840321f47e6afd0416e13ad5be4 --- cookbooks/fb_swap/libraries/default.rb | 2 +- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index 549b8b6b9..5d9f3ea41 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb @@ -306,7 +306,7 @@ def self._label(node) def self._swap_unit(node, type) if type == 'device' label = self._label(node) - if label && node.in_shard?(79) + if label # the kernel escapes slash characters in the label name, so we have to # construct the by-label path with escapes, then resolve what path # systemd will create via the generators diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index 9d761075a..01b976eb8 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -60,7 +60,7 @@ block do # ask fb_fstab to create the unit device = FB::FbSwap._path(node, type) - if type == 'device' && node.in_shard?(79) + if type == 'device' label = FB::FbSwap._label(node) if label device = "LABEL=#{label}" From e65eeedc1a689d41286953f93a4a4f0d8a48f427 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Tue, 8 Aug 2023 10:40:22 -0700 Subject: [PATCH 073/188] Explicitly disable some upstream cops Summary: These are either non-AST mutating or otherwise make suggestions that don't make sense to our envs. Differential Revision: D48081695 fbshipit-source-id: caab0af6d88bfdbf9f9fc38904223645a64904d6 --- .cookstyle.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) 
diff --git a/.cookstyle.yml b/.cookstyle.yml index 96525702a..b69ed8e3a 100644 --- a/.cookstyle.yml +++ b/.cookstyle.yml @@ -201,6 +201,27 @@ Chef/Deprecations/WindowsTaskChangeAction: Chef/Deprecations/WindowsVersionHelpers: Enabled: true +# These cookbooks don't follow the Effortless Pattern +# See https://docs.chef.io/effortless/ +Chef/Effortless/Berksfile: + Enabled: false +Chef/Effortless/ChefVaultUsed: + Enabled: false +Chef/Effortless/CookbookUsesDatabags: + Enabled: false +Chef/Effortless/CookbookUsesEnvironments: + Enabled: false +Chef/Effortless/CookbookUsesPolicygroups: + Enabled: false +Chef/Effortless/CookbookUsesRoles: + Enabled: false +Chef/Effortless/CookbookUsesSearch: + Enabled: false +Chef/Effortless/DependsChefVault: + Enabled: false +Chef/Effortless/SearchForEnvironmentsOrRoles: + Enabled: false + Chef/Modernize/ActionMethodInResource: Enabled: true Chef/Modernize/AllowedActionsFromInitialize: @@ -378,8 +399,14 @@ Chef/Sharing/InvalidLicenseString: Chef/Style/AttributeKeys: Enabled: true +Chef/Style/ChefWhaaat: + Enabled: false # Turned off intentionally, too opinionated/noisy +Chef/Style/CommentFormat: + Enabled: false # Turned off intentionally, too opinionated/noisy Chef/Style/CommentSentenceSpacing: Enabled: false # Turned off intentionally, too opinionated/noisy +Chef/Style/CopyrightCommentFormat: + Enabled: false # Turned off intentionally, too opinionated/noisy Chef/Style/DefaultCopyrightComments: Enabled: true Chef/Style/FileMode: From 236ab71e97a6a7690e7b499682c9f0c09ca8b498 Mon Sep 17 00:00:00 2001 
From: David Crosby Date: Tue, 8 Aug 2023 10:40:22 -0700 Subject: [PATCH 074/188] Ratchet in more upstream lints Summary: Now that we're requiring a recent Cookstyle release in the OSS repo, there's a bunch of new lints we can turn on. ``` Chef/Correctness/InvalidCookbookName Chef/Correctness/MetadataMalformedDepends Chef/Correctness/MetadataMissingVersion Chef/Correctness/PowershellFileExists Chef/Deprecations/ChefSugarHelpers Chef/Deprecations/DependsOnChefNginxCookbook Chef/Deprecations/DependsOnChefReportingCookbook Chef/Deprecations/DependsOnOmnibusUpdaterCookbook Chef/Deprecations/DeprecatedSudoActions Chef/Deprecations/FoodcriticFile Chef/Deprecations/HWRPWithoutUnifiedTrue Chef/Deprecations/PolicyfileCommunitySource Chef/Modernize/DeclareActionClass Chef/Modernize/DependsOnChefVaultCookbook Chef/Modernize/DependsOnChocolateyCookbooks Chef/Modernize/DependsOnKernelModuleCookbook Chef/Modernize/DependsOnLocaleCookbook Chef/Modernize/DependsOnOpensslCookbook Chef/Modernize/DependsOnTimezoneLwrpCookbook Chef/Modernize/DependsOnWindowsFirewallCookbook Chef/Modernize/UnnecessaryDependsChef15 Chef/Modernize/UseChefLanguageEnvHelpers Chef/Modernize/UseChefLanguageSystemdHelper Chef/Security/SshPrivateKey ``` Differential Revision: D48082338 fbshipit-source-id: 6903365fdea3b3c303268dec19e032220278cd11 --- .cookstyle.yml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/.cookstyle.yml b/.cookstyle.yml index b69ed8e3a..c427ff22b 100644 --- a/.cookstyle.yml +++ b/.cookstyle.yml @@ -19,6 +19,8 @@ Chef/Correctness/DnfPackageAllowDowngrades: Enabled: true Chef/Correctness/IncorrectLibraryInjection: Enabled: true +Chef/Correctness/InvalidCookbookName: + Enabled: true Chef/Correctness/InvalidDefaultAction: Enabled: true Chef/Correctness/InvalidNotificationTiming: 
@@ -43,8 +45,12 @@ Chef/Correctness/MacosUserdefaultsInvalidType: Enabled: true Chef/Correctness/MalformedPlatformValueForPlatformHelper: Enabled: true +Chef/Correctness/MetadataMalformedDepends: + Enabled: true Chef/Correctness/MetadataMissingName: Enabled: true +Chef/Correctness/MetadataMissingVersion: + Enabled: true Chef/Correctness/NodeNormal: Enabled: true Chef/Correctness/NodeNormalUnless: @@ -55,6 +61,8 @@ Chef/Correctness/OctalModeAsString: Enabled: true Chef/Correctness/OpenSSLPasswordHelpers: Enabled: true +Chef/Correctness/PowershellFileExists: + Enabled: true Chef/Correctness/PowershellScriptDeleteFile: Enabled: true Chef/Correctness/ResourceSetsInternalProperties: @@ -86,6 +94,8 @@ Chef/Deprecations/ChefSpecCoverageReport: Enabled: true Chef/Deprecations/ChefSpecLegacyRunner: Enabled: true +Chef/Deprecations/ChefSugarHelpers: + Enabled: true Chef/Deprecations/ChefWindowsPlatformHelper: Enabled: true Chef/Deprecations/Cheffile: @@ -100,10 +110,18 @@ Chef/Deprecations/CookbookDependsOnPoise: Enabled: true Chef/Deprecations/CookbooksDependsOnSelf: Enabled: true +Chef/Deprecations/DependsOnChefNginxCookbook: + Enabled: true +Chef/Deprecations/DependsOnChefReportingCookbook: + Enabled: true +Chef/Deprecations/DependsOnOmnibusUpdaterCookbook: + Enabled: true Chef/Deprecations/DeprecatedPlatformMethods: Enabled: true Chef/Deprecations/DeprecatedShelloutMethods: Enabled: true +Chef/Deprecations/DeprecatedSudoActions: + Enabled: true Chef/Deprecations/DeprecatedWindowsVersionCheck: Enabled: true Chef/Deprecations/DeprecatedYumRepositoryProperties: @@ -120,8 +138,12 @@ Chef/Deprecations/ExecutePathProperty: Enabled: true Chef/Deprecations/ExecuteRelativeCreatesWithoutCwd: Enabled: true +Chef/Deprecations/FoodcriticFile: + Enabled: true Chef/Deprecations/HWRPWithoutProvides: Enabled: true +Chef/Deprecations/HWRPWithoutUnifiedTrue: + Enabled: true Chef/Deprecations/IncludingXMLRubyRecipe: Enabled: true Chef/Deprecations/IncludingYumDNFCompatRecipe: 
@@ -156,6 +178,8 @@ Chef/Deprecations/PartialSearchHelperUsage: Enabled: true Chef/Deprecations/PoiseArchiveUsage: Enabled: true +Chef/Deprecations/PolicyfileCommunitySource: + Enabled: true Chef/Deprecations/PowershellCookbookHelpers: Enabled: true Chef/Deprecations/RequireRecipe: @@ -238,10 +262,26 @@ Chef/Modernize/CustomResourceWithAttributes: Enabled: true Chef/Modernize/DatabagHelpers: Enabled: true +Chef/Modernize/DeclareActionClass: + Enabled: true Chef/Modernize/DefaultActionFromInitialize: Enabled: true Chef/Modernize/Definitions: Enabled: true +Chef/Modernize/DependsOnChefVaultCookbook: + Enabled: true +Chef/Modernize/DependsOnChocolateyCookbooks: + Enabled: true +Chef/Modernize/DependsOnKernelModuleCookbook: + Enabled: true +Chef/Modernize/DependsOnLocaleCookbook: + Enabled: true +Chef/Modernize/DependsOnOpensslCookbook: + Enabled: true +Chef/Modernize/DependsOnTimezoneLwrpCookbook: + Enabled: true +Chef/Modernize/DependsOnWindowsFirewallCookbook: + Enabled: true Chef/Modernize/DependsOnZypperCookbook: Enabled: true Chef/Modernize/DslIncludeInResource: @@ -316,10 +356,16 @@ Chef/Modernize/SysctlParamResource: Enabled: true Chef/Modernize/UnnecessaryDependsChef14: Enabled: true +Chef/Modernize/UnnecessaryDependsChef15: + Enabled: true Chef/Modernize/UnnecessaryMixlibShelloutRequire: Enabled: true Chef/Modernize/UseBuildEssentialResource: Enabled: true +Chef/Modernize/UseChefLanguageEnvHelpers: + Enabled: true +Chef/Modernize/UseChefLanguageSystemdHelper: + Enabled: true Chef/Modernize/UseMultipackageInstalls: Enabled: true Chef/Modernize/UseRequireRelative: @@ -382,6 +428,9 @@ Chef/RedundantCode/UnnecessaryNameProperty: Chef/RedundantCode/UseCreateIfMissing: Enabled: true +Chef/Security/SshPrivateKey: + Enabled: true + Chef/Sharing/DefaultMetadataMaintainer: Enabled: true Chef/Sharing/EmptyMetadataField: From f86967404380dd4fc20d7979c132d99cb1c8fedf Mon Sep 17 00:00:00 2001 
From: David Crosby Date: Tue, 15 Aug 2023 11:27:59 -0700 Subject: [PATCH 075/188] Disable lint FP Summary: Differential Revision: D48331038 fbshipit-source-id: 17ac13d93737a885188e432ec89349b5ad42f2f6 --- cookbooks/fb_helpers/resources/reboot.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/fb_helpers/resources/reboot.rb b/cookbooks/fb_helpers/resources/reboot.rb index 9383d2556..12e7e039c 100644 --- a/cookbooks/fb_helpers/resources/reboot.rb +++ b/cookbooks/fb_helpers/resources/reboot.rb @@ -14,6 +14,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +# rubocop:disable Chef/Meta/FBUtilReboot resource_name :fb_helpers_reboot From 56b530409aa41a47e4ad68308fab23a945a5318e Mon Sep 17 00:00:00 2001 
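Review bot: The added `# rubocop:disable Chef/Meta/FBUtilReboot` sits at the end of the license header with no matching `# rubocop:enable` in the hunk, so it appears to switch the cop off for all of reboot.rb. Neither the directive nor the commit summary records why the finding is a false positive. Put the reason next to the directive, for example `# This file implements the fb_helpers_reboot resource itself, so Chef/Meta/FBUtilReboot does not apply here.` if that is indeed the reason. The rest of the file is outside the hunk, so a narrower disable/enable pair around the flagged lines may also be possible.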
From: David Crosby Date: Tue, 15 Aug 2023 13:38:53 -0700 Subject: [PATCH 076/188] Explicitly set pre-Chef 18 behaviour Summary: Chef 18 defaults `unified_mode` to `true`, setting explicitly to false so that they can be ratcheted to true as they've been audited. This is the start of addressing the open-source issue https://github.com/facebook/chef-cookbooks/issues/178 - https://docs.chef.io/release_notes_client/#18.0.155-unified-mode-in-custom-resources - https://docs.chef.io/unified_mode/ Differential Revision: D48282167 fbshipit-source-id: cd746aeeae2e2cf58abb806cc587d64d1250091a --- cookbooks/fb_apache/resources/cleanup_modules.rb | 1 + cookbooks/fb_apache/resources/verify_configs.rb | 1 + cookbooks/fb_apt/resources/keys.rb | 1 + cookbooks/fb_apt/resources/sources_list.rb | 1 + cookbooks/fb_choco/resources/fb_choco_bootstrap.rb | 1 + cookbooks/fb_choco/resources/fb_choco_configure.rb | 1 + cookbooks/fb_dbus/resources/implementation.rb | 1 + cookbooks/fb_dnf/resources/modularity.rb | 1 + cookbooks/fb_fstab/resources/default.rb | 1 + cookbooks/fb_grub/resources/environment.rb | 1 + cookbooks/fb_grub/resources/packages.rb | 1 + cookbooks/fb_grubby/resources/fb_grubby.rb | 1 + cookbooks/fb_hdparm/resources/default.rb | 1 + cookbooks/fb_helpers/resources/gated_template.rb | 1 + cookbooks/fb_helpers/resources/reboot.rb | 1 + cookbooks/fb_helpers/resources/request_nw_changes.rb | 1 + cookbooks/fb_helpers/resources/serialize.rb | 1 + cookbooks/fb_ipc/resources/default.rb | 1 + cookbooks/fb_ipset/resources/default.rb | 1 + cookbooks/fb_kernel/resources/bls_entries.rb | 1 + cookbooks/fb_kernel/resources/packages.rb | 1 + cookbooks/fb_launchd/resources/default.rb | 1 + cookbooks/fb_modprobe/resources/module.rb | 1 + cookbooks/fb_motd/resources/update_motd.rb | 1 + cookbooks/fb_network_scripts/resources/default.rb | 1 + cookbooks/fb_network_scripts/resources/redhat_interface.rb | 1 + cookbooks/fb_networkd/resources/default.rb | 1 + cookbooks/fb_networkd/resources/notify.rb | 
1 + cookbooks/fb_networksetup/resources/default.rb | 1 + cookbooks/fb_ntp/resources/windows_config.rb | 1 + cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb | 1 + .../fb_powershell/resources/fb_powershell_apply_profiles.rb | 1 + cookbooks/fb_rsync/resources/default.rb | 1 + cookbooks/fb_sdparm/resources/default.rb | 1 + cookbooks/fb_storage/resources/format_devices.rb | 1 + cookbooks/fb_stunnel/resources/create_certs.rb | 1 + cookbooks/fb_sysctl/resources/default.rb | 1 + cookbooks/fb_sysfs/resources/default.rb | 1 + cookbooks/fb_system_upgrade/resources/default.rb | 1 + cookbooks/fb_systemd/resources/loader_entries.rb | 1 + cookbooks/fb_systemd/resources/override.rb | 1 + cookbooks/fb_systemd/resources/reload.rb | 1 + cookbooks/fb_timers/resources/setup.rb | 1 + cookbooks/fb_users/resources/default.rb | 1 + cookbooks/fb_yum_repos/resources/config.rb | 1 + cookbooks/fb_yum_repos/resources/default.rb | 1 + 46 files changed, 46 insertions(+) diff --git a/cookbooks/fb_apache/resources/cleanup_modules.rb b/cookbooks/fb_apache/resources/cleanup_modules.rb index abfdc332f..bb4b85f9a 100644 --- a/cookbooks/fb_apache/resources/cleanup_modules.rb +++ b/cookbooks/fb_apache/resources/cleanup_modules.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) property :mod_dir, String action :manage do diff --git a/cookbooks/fb_apache/resources/verify_configs.rb b/cookbooks/fb_apache/resources/verify_configs.rb index ef947a341..c80fe64c0 100644 --- a/cookbooks/fb_apache/resources/verify_configs.rb +++ b/cookbooks/fb_apache/resources/verify_configs.rb @@ -1,3 +1,4 @@ +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) require 'fileutils' property :httpdir, String diff --git a/cookbooks/fb_apt/resources/keys.rb b/cookbooks/fb_apt/resources/keys.rb index b4cfccbf5..02c9b591d 100644 --- a/cookbooks/fb_apt/resources/keys.rb +++ b/cookbooks/fb_apt/resources/keys.rb 
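Review bot: The guard line carries `# TODO(T144966423)`, which looks like an internal task id that readers of this repository cannot resolve, while the commit message ties the work to https://github.com/facebook/chef-cookbooks/issues/178. The comment should point at the public issue, e.g. `unified_mode(false) if Chef::VERSION >= 18 # TODO: audit for unified_mode, see facebook/chef-cookbooks#178`; the same line is added in all 46 resource files of this commit. In fb_powershell_apply_config.rb and fb_powershell_apply_profiles.rb it lands between the `provides` declarations, and in fb_apache/resources/verify_configs.rb and fb_fstab/resources/default.rb ahead of `require 'fileutils'`. Placing it after the last `provides`/`require` keeps those groups together. None of the visible patches runs these resources on Chef 18 (a later CI change sets `CHEF_VERSION: 16.18.0`), so the `>= 18` branch looks unexercised by CI here.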
@@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :run do keyserver = node['fb_apt']['keyserver'] desired_keys = node['fb_apt']['keys'].to_hash diff --git a/cookbooks/fb_apt/resources/sources_list.rb b/cookbooks/fb_apt/resources/sources_list.rb index a37d579bc..bfacae3de 100644 --- a/cookbooks/fb_apt/resources/sources_list.rb +++ b/cookbooks/fb_apt/resources/sources_list.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :run do mirror = node['fb_apt']['mirror'] security_mirror = node['fb_apt']['security_mirror'] diff --git a/cookbooks/fb_choco/resources/fb_choco_bootstrap.rb b/cookbooks/fb_choco/resources/fb_choco_bootstrap.rb index 721ffbe1e..ed09e88b1 100644 --- a/cookbooks/fb_choco/resources/fb_choco_bootstrap.rb +++ b/cookbooks/fb_choco/resources/fb_choco_bootstrap.rb @@ -18,6 +18,7 @@ resource_name :fb_choco_bootstrap provides :fb_choco_bootstrap +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :install property :version, :kind_of => String diff --git a/cookbooks/fb_choco/resources/fb_choco_configure.rb b/cookbooks/fb_choco/resources/fb_choco_configure.rb index bb743cabe..22e0ea101 100644 --- a/cookbooks/fb_choco/resources/fb_choco_configure.rb +++ b/cookbooks/fb_choco/resources/fb_choco_configure.rb @@ -18,6 +18,7 @@ resource_name :fb_choco_configure provides :fb_choco_configure, :os => 'windows' +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :change property :config, Hash, :coerce => proc { |i| diff --git a/cookbooks/fb_dbus/resources/implementation.rb b/cookbooks/fb_dbus/resources/implementation.rb index c8e5f12a6..9ff08f44c 100644 --- a/cookbooks/fb_dbus/resources/implementation.rb +++ b/cookbooks/fb_dbus/resources/implementation.rb 
@@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) property :implementation, ['dbus-daemon', 'dbus-broker'] default_action :setup diff --git a/cookbooks/fb_dnf/resources/modularity.rb b/cookbooks/fb_dnf/resources/modularity.rb index 7a1d4ac2d..52c1582db 100644 --- a/cookbooks/fb_dnf/resources/modularity.rb +++ b/cookbooks/fb_dnf/resources/modularity.rb @@ -15,6 +15,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :run action :run do diff --git a/cookbooks/fb_fstab/resources/default.rb b/cookbooks/fb_fstab/resources/default.rb index 38ca172a1..1be3b917a 100644 --- a/cookbooks/fb_fstab/resources/default.rb +++ b/cookbooks/fb_fstab/resources/default.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) require 'fileutils' default_action :doeverything diff --git a/cookbooks/fb_grub/resources/environment.rb b/cookbooks/fb_grub/resources/environment.rb index 740f90699..f16cdda03 100644 --- a/cookbooks/fb_grub/resources/environment.rb +++ b/cookbooks/fb_grub/resources/environment.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :manage do to_unset = [] to_set = [] diff --git a/cookbooks/fb_grub/resources/packages.rb b/cookbooks/fb_grub/resources/packages.rb index ea41b3faa..0436ac4f6 100644 --- a/cookbooks/fb_grub/resources/packages.rb +++ b/cookbooks/fb_grub/resources/packages.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :install do packages = [] case node['fb_grub']['version'] diff --git a/cookbooks/fb_grubby/resources/fb_grubby.rb b/cookbooks/fb_grubby/resources/fb_grubby.rb index e465aef2d..c1dfd835b 100644 --- a/cookbooks/fb_grubby/resources/fb_grubby.rb +++ b/cookbooks/fb_grubby/resources/fb_grubby.rb 
@@ -18,6 +18,7 @@ resource_name :fb_grubby provides :fb_grubby +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :manage action_class do diff --git a/cookbooks/fb_hdparm/resources/default.rb b/cookbooks/fb_hdparm/resources/default.rb index 9f09f916a..d9b9fc31b 100644 --- a/cookbooks/fb_hdparm/resources/default.rb +++ b/cookbooks/fb_hdparm/resources/default.rb @@ -17,5 +17,6 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) actions [:set] default_action :set diff --git a/cookbooks/fb_helpers/resources/gated_template.rb b/cookbooks/fb_helpers/resources/gated_template.rb index 74ca2aad0..6dad1ba96 100644 --- a/cookbooks/fb_helpers/resources/gated_template.rb +++ b/cookbooks/fb_helpers/resources/gated_template.rb @@ -19,6 +19,7 @@ # This resource will change the template only when network changes # are allowed. If it is not allowed, it will request permission to make # network changes. +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) property :allow_changes, :kind_of => [TrueClass, FalseClass], :required => true property :path, [String, nil], :required => false property :source, String, :required => true diff --git a/cookbooks/fb_helpers/resources/reboot.rb b/cookbooks/fb_helpers/resources/reboot.rb index 12e7e039c..4745e0ba9 100644 --- a/cookbooks/fb_helpers/resources/reboot.rb +++ b/cookbooks/fb_helpers/resources/reboot.rb @@ -19,6 +19,7 @@ resource_name :fb_helpers_reboot provides :fb_helpers_reboot, :os => ['darwin', 'linux'] +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) # description 'Use the fb_helpers_reboot resource if you need to indicate to an' # ' external service that the host needs to be rebooted and when' diff --git a/cookbooks/fb_helpers/resources/request_nw_changes.rb b/cookbooks/fb_helpers/resources/request_nw_changes.rb index e1e01c69b..f416c5e66 100644 --- a/cookbooks/fb_helpers/resources/request_nw_changes.rb 
+++ b/cookbooks/fb_helpers/resources/request_nw_changes.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :request_nw_changes action :request_nw_changes do diff --git a/cookbooks/fb_helpers/resources/serialize.rb b/cookbooks/fb_helpers/resources/serialize.rb index e1e09d180..0c7fc03e6 100644 --- a/cookbooks/fb_helpers/resources/serialize.rb +++ b/cookbooks/fb_helpers/resources/serialize.rb @@ -15,6 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) property :path, String, :name_property => true property :object, Object, :required => true property :filter, [Array, String] diff --git a/cookbooks/fb_ipc/resources/default.rb b/cookbooks/fb_ipc/resources/default.rb index 93d6753d2..1485b2935 100644 --- a/cookbooks/fb_ipc/resources/default.rb +++ b/cookbooks/fb_ipc/resources/default.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) actions :remove default_action :remove attribute :id, :name_attribute => true, :kind_of => Integer, diff --git a/cookbooks/fb_ipset/resources/default.rb b/cookbooks/fb_ipset/resources/default.rb index 103cf882a..dd42c24b8 100644 --- a/cookbooks/fb_ipset/resources/default.rb +++ b/cookbooks/fb_ipset/resources/default.rb @@ -15,6 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) property :state_file, String default_action :update diff --git a/cookbooks/fb_kernel/resources/bls_entries.rb b/cookbooks/fb_kernel/resources/bls_entries.rb index db11b2daa..75eae04cb 100644 --- a/cookbooks/fb_kernel/resources/bls_entries.rb +++ b/cookbooks/fb_kernel/resources/bls_entries.rb 
@@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :run do bls_root = ::File.join(node['fb_kernel']['boot_path'], 'loader', 'entries') bls_entries = [] diff --git a/cookbooks/fb_kernel/resources/packages.rb b/cookbooks/fb_kernel/resources/packages.rb index 86669816c..8f536048f 100644 --- a/cookbooks/fb_kernel/resources/packages.rb +++ b/cookbooks/fb_kernel/resources/packages.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :run do installed_versions = [] node['packages']['kernel']['versions'].each do |v| diff --git a/cookbooks/fb_launchd/resources/default.rb b/cookbooks/fb_launchd/resources/default.rb index b0b730c4b..821c6c7fe 100644 --- a/cookbooks/fb_launchd/resources/default.rb +++ b/cookbooks/fb_launchd/resources/default.rb @@ -17,6 +17,7 @@ # provides :fb_launchd, :os => 'darwin' +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :run diff --git a/cookbooks/fb_modprobe/resources/module.rb b/cookbooks/fb_modprobe/resources/module.rb index 79a753e36..86bbc361c 100644 --- a/cookbooks/fb_modprobe/resources/module.rb +++ b/cookbooks/fb_modprobe/resources/module.rb @@ -15,6 +15,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :load property :module_name, :kind_of => String, :name_property => true diff --git a/cookbooks/fb_motd/resources/update_motd.rb b/cookbooks/fb_motd/resources/update_motd.rb index ce3922dae..b327e8008 100644 --- a/cookbooks/fb_motd/resources/update_motd.rb +++ b/cookbooks/fb_motd/resources/update_motd.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :run do settings = node['fb_motd']['update_motd'] Dir.glob('/etc/update-motd.d/*').each do |motd| 
diff --git a/cookbooks/fb_network_scripts/resources/default.rb b/cookbooks/fb_network_scripts/resources/default.rb index 18acbf83e..eacb2cdfa 100644 --- a/cookbooks/fb_network_scripts/resources/default.rb +++ b/cookbooks/fb_network_scripts/resources/default.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :create action_class do diff --git a/cookbooks/fb_network_scripts/resources/redhat_interface.rb b/cookbooks/fb_network_scripts/resources/redhat_interface.rb index 4459cee15..141fa60e2 100644 --- a/cookbooks/fb_network_scripts/resources/redhat_interface.rb +++ b/cookbooks/fb_network_scripts/resources/redhat_interface.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :nothing property :interface, :kind_of => String, :name_attribute => true property :config, :kind_of => Hash diff --git a/cookbooks/fb_networkd/resources/default.rb b/cookbooks/fb_networkd/resources/default.rb index a1e41d1c0..49284ee9c 100644 --- a/cookbooks/fb_networkd/resources/default.rb +++ b/cookbooks/fb_networkd/resources/default.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :manage action :manage do diff --git a/cookbooks/fb_networkd/resources/notify.rb b/cookbooks/fb_networkd/resources/notify.rb index ddd496dad..ab68f68ca 100644 --- a/cookbooks/fb_networkd/resources/notify.rb +++ b/cookbooks/fb_networkd/resources/notify.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :trigger action :trigger do diff --git a/cookbooks/fb_networksetup/resources/default.rb b/cookbooks/fb_networksetup/resources/default.rb index d6bc1ad79..231359b77 100644 --- a/cookbooks/fb_networksetup/resources/default.rb +++ b/cookbooks/fb_networksetup/resources/default.rb 
@@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :manage action :manage do diff --git a/cookbooks/fb_ntp/resources/windows_config.rb b/cookbooks/fb_ntp/resources/windows_config.rb index 177127069..f2251f8c0 100644 --- a/cookbooks/fb_ntp/resources/windows_config.rb +++ b/cookbooks/fb_ntp/resources/windows_config.rb @@ -16,6 +16,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action_class do def get_current_config config = {} diff --git a/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb b/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb index 4043183c6..036f2e142 100644 --- a/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb +++ b/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb @@ -17,6 +17,7 @@ resource_name :fb_powershell_apply_config provides :fb_powershell_apply_config, :os => 'windows' +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) provides :fb_powershell_apply_config, :os => 'darwin' provides :fb_powershell_apply_config, :os => 'linux' diff --git a/cookbooks/fb_powershell/resources/fb_powershell_apply_profiles.rb b/cookbooks/fb_powershell/resources/fb_powershell_apply_profiles.rb index f879dc0dd..66dd619e2 100644 --- a/cookbooks/fb_powershell/resources/fb_powershell_apply_profiles.rb +++ b/cookbooks/fb_powershell/resources/fb_powershell_apply_profiles.rb @@ -17,6 +17,7 @@ resource_name :fb_powershell_apply_profiles provides :fb_powershell_apply_profiles, :os => 'windows' +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) provides :fb_powershell_apply_profiles, :os => 'darwin' provides :fb_powershell_apply_profiles, :os => 'linux' diff --git a/cookbooks/fb_rsync/resources/default.rb b/cookbooks/fb_rsync/resources/default.rb index dc5218bf8..d358dfa67 100644 
--- a/cookbooks/fb_rsync/resources/default.rb +++ b/cookbooks/fb_rsync/resources/default.rb @@ -15,6 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) property :destination, String, :name_property => true, :required => true property :source, String, :required => true property :sharddelete, [TrueClass, FalseClass], :default => false diff --git a/cookbooks/fb_sdparm/resources/default.rb b/cookbooks/fb_sdparm/resources/default.rb index dba8f3d8c..be7a8696e 100644 --- a/cookbooks/fb_sdparm/resources/default.rb +++ b/cookbooks/fb_sdparm/resources/default.rb @@ -20,6 +20,7 @@ default_action :set resource_name :fb_sdparm provides :fb_sdparm +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) def get_sdparm_value(param, device) cmd = Mixlib::ShellOut.new("sdparm --get #{param} /dev/#{device}").run_command diff --git a/cookbooks/fb_storage/resources/format_devices.rb b/cookbooks/fb_storage/resources/format_devices.rb index c2d695a93..62b1f3afb 100644 --- a/cookbooks/fb_storage/resources/format_devices.rb +++ b/cookbooks/fb_storage/resources/format_devices.rb @@ -15,6 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) property :do_reprobe, [true, false] action_class do diff --git a/cookbooks/fb_stunnel/resources/create_certs.rb b/cookbooks/fb_stunnel/resources/create_certs.rb index f0bcc83e0..25e52a685 100644 --- a/cookbooks/fb_stunnel/resources/create_certs.rb +++ b/cookbooks/fb_stunnel/resources/create_certs.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :enable do node['fb_stunnel']['config'].each do |section, config| if !config['_create_self_signed_cert'] || !config['cert'] || !config['key'] 
diff --git a/cookbooks/fb_sysctl/resources/default.rb b/cookbooks/fb_sysctl/resources/default.rb index 77f736069..abdf349c0 100644 --- a/cookbooks/fb_sysctl/resources/default.rb +++ b/cookbooks/fb_sysctl/resources/default.rb @@ -1,5 +1,6 @@ # Copyright (c) 2018-present, Facebook, Inc. +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :apply def set_sysctl(node, name, val) diff --git a/cookbooks/fb_sysfs/resources/default.rb b/cookbooks/fb_sysfs/resources/default.rb index c50165def..df3b5516a 100644 --- a/cookbooks/fb_sysfs/resources/default.rb +++ b/cookbooks/fb_sysfs/resources/default.rb @@ -17,6 +17,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :set property :path, String, :name_property => true diff --git a/cookbooks/fb_system_upgrade/resources/default.rb b/cookbooks/fb_system_upgrade/resources/default.rb index 272b239e1..da6e6afb5 100644 --- a/cookbooks/fb_system_upgrade/resources/default.rb +++ b/cookbooks/fb_system_upgrade/resources/default.rb @@ -15,6 +15,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :run action :run do diff --git a/cookbooks/fb_systemd/resources/loader_entries.rb b/cookbooks/fb_systemd/resources/loader_entries.rb index deb98b237..9ac095904 100644 --- a/cookbooks/fb_systemd/resources/loader_entries.rb +++ b/cookbooks/fb_systemd/resources/loader_entries.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :run do esp_path = node['fb_systemd']['boot']['path'] entries = node['fb_systemd']['boot']['entries'].to_hash diff --git a/cookbooks/fb_systemd/resources/override.rb b/cookbooks/fb_systemd/resources/override.rb index 59c977365..dee6f1cf0 100644 --- a/cookbooks/fb_systemd/resources/override.rb +++ b/cookbooks/fb_systemd/resources/override.rb 
@@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) property :override_name, String, :name_property => true property :unit_name, String, :required => true property :content, [String, Hash], :required => false diff --git a/cookbooks/fb_systemd/resources/reload.rb b/cookbooks/fb_systemd/resources/reload.rb index 605eb9305..d51aa7adb 100644 --- a/cookbooks/fb_systemd/resources/reload.rb +++ b/cookbooks/fb_systemd/resources/reload.rb @@ -15,6 +15,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :reload property :instance, :kind_of => String, :default => 'system' diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 3a1381b8f..818300d39 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) action :run do timer_path = node['fb_timers']['_timer_path'] # Delete old jobs diff --git a/cookbooks/fb_users/resources/default.rb b/cookbooks/fb_users/resources/default.rb index 226358b1a..c55c18d24 100644 --- a/cookbooks/fb_users/resources/default.rb +++ b/cookbooks/fb_users/resources/default.rb @@ -16,6 +16,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action [:manage] action_class do diff --git a/cookbooks/fb_yum_repos/resources/config.rb b/cookbooks/fb_yum_repos/resources/config.rb index 77e61582c..4e26d67be 100644 --- a/cookbooks/fb_yum_repos/resources/config.rb +++ b/cookbooks/fb_yum_repos/resources/config.rb @@ -15,6 +15,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) property :path, String, :name_property => true property :config, Hash, :required => true property :repos, Hash, :required => true 
diff --git a/cookbooks/fb_yum_repos/resources/default.rb b/cookbooks/fb_yum_repos/resources/default.rb index 6c33cd35b..65fc5726e 100644 --- a/cookbooks/fb_yum_repos/resources/default.rb +++ b/cookbooks/fb_yum_repos/resources/default.rb @@ -15,6 +15,7 @@ # limitations under the License. # +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :run action :run do From 4c557e939b466e3629c181490c03b1498f8f063c Mon Sep 17 00:00:00 2001 From: dcrosby Date: Mon, 21 Aug 2023 08:25:56 -0700 Subject: [PATCH 077/188] Actions versions bumped to latest (#227) Summary: Pull Request resolved: https://github.com/facebook/chef-cookbooks/pull/227 Differential Revision: D48485699 fbshipit-source-id: c457726e503caba0e30c398f0b6682e91f535b13 --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a41e5435b..0793f4219 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup Ruby uses: ruby/setup-ruby@v1 with: @@ -39,14 +39,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Install Chef - uses: actionshub/chef-install@1.1.0 + uses: actionshub/chef-install@2.0.4 with: project: chef-workstation version: 20.11.180 - name: Run Kitchen - uses: actionshub/test-kitchen@2.0.0 + uses: actionshub/test-kitchen@2.1.0 with: suite: default os: ${{ matrix.os }} @@ -57,6 +57,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run Shellcheck - uses: ludeeus/action-shellcheck@0.3.0 + uses: ludeeus/action-shellcheck@2.0.0 From 25521f237d45481c6191dd9e6d2e758810735bb4 Mon Sep 17 00:00:00 2001 
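Review bot: The bumped third-party steps in ci.yml (`actionshub/chef-install@2.0.4`, `actionshub/test-kitchen@2.1.0`, `ludeeus/action-shellcheck@2.0.0`) are still referenced by tag, and a tag can be repointed to different code after this review. Pinning each to the full commit SHA of the reviewed release, with the version kept as a trailing comment, makes the workflow run exactly what was audited: `uses: actionshub/chef-install@<full-commit-sha> # 2.0.4`. The same applies to `actions/checkout@v3` and the unchanged `ruby/setup-ruby@v1`. The SHA is a placeholder to be filled in from each action's upstream release.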
From: Bryan Wann Date: Tue, 22 Aug 2023 11:41:06 -0700 Subject: [PATCH 078/188] fb_smokeping: fix debian packages list (#219) Summary: Metadata claims it supports Debian and Ubuntu but this was breaking tests because Debian packages weren't provided Pull Request resolved: https://github.com/facebook/chef-cookbooks/pull/219 Test Plan: Debian Test Kitchen CI no longer failing on fb_smokeping https://github.com/facebook/chef-cookbooks/actions/runs/5930863707/job/16081523013?pr=219 Differential Revision: D44802567 fbshipit-source-id: 4b8a032b747e63a7e95985114c7e3610cbf4033a --- cookbooks/fb_smokeping/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_smokeping/recipes/default.rb b/cookbooks/fb_smokeping/recipes/default.rb index cb57bbe3a..881edf59d 100644 --- a/cookbooks/fb_smokeping/recipes/default.rb +++ b/cookbooks/fb_smokeping/recipes/default.rb @@ -19,7 +19,7 @@ # packages = value_for_platform( - 'ubuntu' => { :default => %w{fcgiwrap smokeping} }, + ['debian', 'ubuntu'] => { :default => %w{fcgiwrap smokeping} }, ) package packages do From f034ac9c1dc870489b30c71622553ad45d63a9e1 Mon Sep 17 00:00:00 2001 From: dcrosby Date: Fri, 25 Aug 2023 06:07:24 -0700 Subject: [PATCH 079/188] Update CI to Chef 16, drop Ruby 2.5/2.6 support (#229) Summary: The end result of this is working rubocop/chefspec tests (which have been broken for a while now, so I'm happy to be seeing green). Test Kitchen fixes are out of scope for this one, since there's a bunch more work in that area. Pull Request resolved: https://github.com/facebook/chef-cookbooks/pull/229 Differential Revision: D48526808 fbshipit-source-id: 59dca361538e863adcd8bd7bea23269abb164777 --- .github/workflows/ci.yml | 4 ++-- Gemfile | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0793f4219..a70449cbd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -8,7 +8,7 @@ jobs: strategy: fail-fast: false matrix: - ruby: [2.5, 2.6, 2.7, 3.0, 3.1] + ruby: ['2.7', '3.0', '3.1'] runs-on: ubuntu-latest steps: - name: Checkout repository @@ -52,7 +52,7 @@ jobs: os: ${{ matrix.os }} env: CHEF_LICENSE: accept-no-persist - CHEF_VERSION: 14.15.6 + CHEF_VERSION: 16.18.0 shellcheck: runs-on: ubuntu-latest steps: diff --git a/Gemfile b/Gemfile index fa39b0076..577b99341 100644 --- a/Gemfile +++ b/Gemfile @@ -1,6 +1,6 @@ source 'https://rubygems.org' -gem 'chef', '~> 14' +gem 'chef', '~> 16' gem 'cookstyle', '= 7.32.1' gem 'rspec', '= 3.10' gem 'rubocop', '= 1.25.1' From f3af01125d1efa06a9bfa0df24815a8d420068a3 Mon Sep 17 00:00:00 2001 From: dcrosby Date: Wed, 30 Aug 2023 02:53:40 -0700 Subject: [PATCH 080/188] bump gems to 3.11 (#228) Summary: Pull Request resolved: https://github.com/facebook/chef-cookbooks/pull/228 Differential Revision: D48697284 fbshipit-source-id: 0570795f48b31ef81a7af42f93dbbece01dcfc18 --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 577b99341..069a88db4 100644 --- a/Gemfile +++ b/Gemfile @@ -2,7 +2,7 @@ source 'https://rubygems.org' gem 'chef', '~> 16' gem 'cookstyle', '= 7.32.1' -gem 'rspec', '= 3.10' +gem 'rspec', '= 3.11' gem 'rubocop', '= 1.25.1' %w{ From 4e016661643252e4dd34c8575e1966b175a76649 Mon Sep 17 00:00:00 2001 From: Vlad Skvortsov Date: Thu, 31 Aug 2023 02:44:21 -0700 Subject: [PATCH 081/188] Enable basic macOS 14 Sonoma support Summary: The diff adds new default Xcode CLI tools package which is compatible with Sonoma Also the diff adds a function to check if node is macOS 14 Followed the guide here https://www.internalfb.com/intern/wiki/PE_macOS/Internal/MacOS_upgrade_rollout_Runbook/ Differential Revision: D48828827 fbshipit-source-id: 7c7ff8cb0b8396d4192831fe5b153b189edb4e33 --- cookbooks/fb_helpers/libraries/node_methods.rb | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index b26a8ee09..b8cf741dd 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -338,6 +338,10 @@ def macos13? macos? && node['platform_version'].start_with?('13.') end + def macos14? + macos? && node['platform_version'].start_with?('14.') + end + def mac_mini_2014? macos? && node['hardware']['machine_model'] == 'Macmini7,1' end From 6baf374a6b2a6cdad61c641a04fb0495a0ba821c Mon Sep 17 00:00:00 2001 From: Vinnie Magro Date: Thu, 31 Aug 2023 09:39:22 -0700 Subject: [PATCH 082/188] fixes for antlir2 Summary: antlir2 builds never have a booted systemd as pid1, so any dbus interactions will fail This diff no-ops: - `daemon-reload` - `daemon-reexec` and branches with `--root=/` for: - `set-default` Differential Revision: D48618221 fbshipit-source-id: 4cecc50040bcbae7325063bdca7e1c9fffd07868 --- cookbooks/fb_systemd/metadata.rb | 1 + cookbooks/fb_systemd/recipes/default.rb | 8 ++++++-- cookbooks/fb_systemd/resources/reload.rb | 4 ++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_systemd/metadata.rb b/cookbooks/fb_systemd/metadata.rb index 4466e443e..3efa1a3b0 100644 --- a/cookbooks/fb_systemd/metadata.rb +++ b/cookbooks/fb_systemd/metadata.rb @@ -13,3 +13,4 @@ supports 'arch' depends 'fb_helpers' depends 'fb_nsswitch' +depends 'fb_util' diff --git a/cookbooks/fb_systemd/recipes/default.rb b/cookbooks/fb_systemd/recipes/default.rb index 1b78fe358..08fba2165 100644 --- a/cookbooks/fb_systemd/recipes/default.rb +++ b/cookbooks/fb_systemd/recipes/default.rb 
@@ -159,7 +159,11 @@ execute 'set default target' do only_if do - current = shell_out('systemctl get-default').stdout.strip + if node.antlir2_build? + current = shell_out('systemctl --root=/ get-default').stdout.strip + else + current = shell_out('systemctl get-default').stdout.strip + end is_ignored = node['fb_systemd']['ignore_targets'].include?(current) is_supported = FB::Version.new(node['packages']['systemd'][ 'version']) >= FB::Version.new('205') @@ -167,7 +171,7 @@ current != node['fb_systemd']['default_target'] end command lazy { - "systemctl set-default #{node['fb_systemd']['default_target']}" + "systemctl set-default #{node['fb_systemd']['default_target']} #{node.antlir2_build? ? '--root=/' : ''}" } end diff --git a/cookbooks/fb_systemd/resources/reload.rb b/cookbooks/fb_systemd/resources/reload.rb index d51aa7adb..d836d6e22 100644 --- a/cookbooks/fb_systemd/resources/reload.rb +++ b/cookbooks/fb_systemd/resources/reload.rb @@ -34,6 +34,10 @@ def daemon_reload_or_reexec(action) ) return end + # Image builds don't have a running systemd, that would make no sense + if node.antlir2_build? + return + end case new_resource.instance when 'system' execute "#{action} systemd system instance" do From c7463044185a7afee155f68a04429e8738407873 Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Fri, 1 Sep 2023 07:49:14 -0700 Subject: [PATCH 083/188] Back out "fixes for antlir2" Summary: This breaks opensource customers. Fixes: https://github.com/facebook/chef-cookbooks/issues/230 Original commit changeset: 4cecc50040bc Original Phabricator Diff: D48618221 Differential Revision: D48906694 fbshipit-source-id: ec2e443ccb22a044507c467254b8a4c48cdabf38 --- cookbooks/fb_systemd/metadata.rb | 1 - cookbooks/fb_systemd/recipes/default.rb | 8 ++------ cookbooks/fb_systemd/resources/reload.rb | 4 ---- 3 files changed, 2 insertions(+), 11 deletions(-) diff --git a/cookbooks/fb_systemd/metadata.rb b/cookbooks/fb_systemd/metadata.rb index 3efa1a3b0..4466e443e 100644 
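Review bot: `node.antlir2_build?` is called unconditionally in the `only_if` block of this hunk, in the `command lazy` string of the next hunk and in `daemon_reload_or_reexec` in resources/reload.rb, but nothing in this patch defines it. Any node whose fb_helpers lacks the method will raise NoMethodError during the run. If the helper is not shipped with every consumer of these cookbooks, guard the call once and reuse the result, e.g. `antlir2 = node.respond_to?(:antlir2_build?) && node.antlir2_build?`. The two `shell_out` branches differ only in the `--root=/` flag, so building the argument list once would also remove the duplication. The `execute` block and `daemon_reload_or_reexec` both continue outside their hunks.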
--- a/cookbooks/fb_systemd/metadata.rb +++ b/cookbooks/fb_systemd/metadata.rb @@ -13,4 +13,3 @@ supports 'arch' depends 'fb_helpers' depends 'fb_nsswitch' -depends 'fb_util' diff --git a/cookbooks/fb_systemd/recipes/default.rb b/cookbooks/fb_systemd/recipes/default.rb index 08fba2165..1b78fe358 100644 --- a/cookbooks/fb_systemd/recipes/default.rb +++ b/cookbooks/fb_systemd/recipes/default.rb @@ -159,11 +159,7 @@ execute 'set default target' do only_if do - if node.antlir2_build? - current = shell_out('systemctl --root=/ get-default').stdout.strip - else - current = shell_out('systemctl get-default').stdout.strip - end + current = shell_out('systemctl get-default').stdout.strip is_ignored = node['fb_systemd']['ignore_targets'].include?(current) is_supported = FB::Version.new(node['packages']['systemd'][ 'version']) >= FB::Version.new('205') @@ -171,7 +167,7 @@ current != node['fb_systemd']['default_target'] end command lazy { - "systemctl set-default #{node['fb_systemd']['default_target']} #{node.antlir2_build? ? '--root=/' : ''}" + "systemctl set-default #{node['fb_systemd']['default_target']}" } end diff --git a/cookbooks/fb_systemd/resources/reload.rb b/cookbooks/fb_systemd/resources/reload.rb index d836d6e22..d51aa7adb 100644 --- a/cookbooks/fb_systemd/resources/reload.rb +++ b/cookbooks/fb_systemd/resources/reload.rb @@ -34,10 +34,6 @@ def daemon_reload_or_reexec(action) ) return end - # Image builds don't have a running systemd, that would make no sense - if node.antlir2_build? - return - end case new_resource.instance when 'system' execute "#{action} systemd system instance" do From 4e5669c3ff982f720f1f2f663e904b806f898aa3 Mon Sep 17 00:00:00 2001 
From: Matthew Huynh Date: Thu, 14 Sep 2023 08:52:13 -0700 Subject: [PATCH 084/188] Chef Storage API: fix /dev/sdaa bug Summary: The current `.existing_partitions` uses a simple `starts_with` but there is a corner case: when /dev/sda is queried, the partitions returned include partitions under /dev/sdaa. This bug affects drive hotswap because when /dev/sda is replaced, Chef Storage API tries to mark all /dev/sda* partitions as failed. That includes /dev/sdaa* partitions, which are in use - and Chef fails. Example: https://www.internalfb.com/intern/provisioning/asset_details/3533538530193558 Fix is to change implementation to regex that checks for numbers after device name. Differential Revision: D49239939 fbshipit-source-id: 55b6a664ed135114c6f0246692126afe06efafe7 --- .../fb_storage/libraries/storage_handlers.rb | 6 +++--- .../fb_storage/spec/storage_handlers_spec.rb | 19 +++++++++++++++++++ 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/cookbooks/fb_storage/libraries/storage_handlers.rb b/cookbooks/fb_storage/libraries/storage_handlers.rb index 1213602e8..d25413db7 100644 --- a/cookbooks/fb_storage/libraries/storage_handlers.rb +++ b/cookbooks/fb_storage/libraries/storage_handlers.rb @@ -253,7 +253,7 @@ def format_partition(partition, config) 'filesystem', ) limit = File.read(limit_file) - File.write(limit_file, "0\n") # ~FB030 + File.write(limit_file, "0\n") # rubocop:disable Chef/Meta/NoFileWrites end mkfs = Mixlib::ShellOut.new(cmd, :timeout => timeout) @@ -264,7 +264,7 @@ def format_partition(partition, config) 'fb_storage: Resuming md resyncing after creating ' + 'filesystem', ) - File.write(limit_file, limit) # ~FB030 + File.write(limit_file, limit) # rubocop:disable Chef/Meta/NoFileWrites end end end @@ -479,7 +479,7 @@ def partition_device_name(num) def existing_partitions @existing_partitions ||= @node.filesystem_data['by_device'].keys.select do |x| - x.start_with?(@device) && x != @device + x =~ /^#{@device}((?<=\dn\d)p)?\d+/ end end 
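Review bot: The new pattern in `existing_partitions` still lets one device claim another's partitions when the device name ends in a digit. With `@device` set to `/dev/nvme0n1`, the optional `p` group is skipped and `\d+` matches the trailing `0` of `/dev/nvme0n10`, which is the same class of bug this commit fixes for `/dev/sdaa`. `@device` is also interpolated without `Regexp.escape`, and `^` with no end anchor matches per line and accepts trailing text. Requiring the separator for digit-terminated names and anchoring the whole string closes these gaps, something like `sep = @device.match?(/\d\z/) ? 'p' : ''` followed by `x.match?(/\A#{Regexp.escape(@device)}#{sep}\d+\z/)`. The lookbehind accepts `p` only after `\dn\d`, so names such as `/dev/md0p1` no longer match; confirm that is intended for the device types this class handles.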
diff --git a/cookbooks/fb_storage/spec/storage_handlers_spec.rb b/cookbooks/fb_storage/spec/storage_handlers_spec.rb index c603135fd..82c57774d 100644 --- a/cookbooks/fb_storage/spec/storage_handlers_spec.rb +++ b/cookbooks/fb_storage/spec/storage_handlers_spec.rb @@ -654,6 +654,25 @@ def initialize(device, node) ) end + it 'finds only partitions under that device' do + node.automatic[attr_name]['by_device'] = { + '/dev/sdz' => {}, + '/dev/sdz1' => {}, + '/dev/sdz2' => {}, + '/dev/sdzz' => {}, + '/dev/sdzz1' => {}, + '/dev/sdzz2' => {}, + '/dev/sdzp' => {}, + '/dev/sdzp1' => {}, + '/dev/sdzp2' => {}, + } + + sh = TestHandler.new('/dev/sdz', node) + expect(sh.existing_partitions).to eq( + %w{/dev/sdz1 /dev/sdz2}, + ) + end + it 'finds all partitions on weirdly named devices' do # Similarly, all tests happen on sdzX to decrease any chance of # actually being related to real disks From e6320daf8f3c20516920eca5a8fcf259650844ee Mon Sep 17 00:00:00 2001 From: chantra Date: Wed, 20 Sep 2023 08:04:38 -0700 Subject: [PATCH 085/188] Update README.md (#231) Summary: When checking a field, we downcase the subcommand. Pull Request resolved: https://github.com/facebook/chef-cookbooks/pull/231 Differential Revision: D49431911 fbshipit-source-id: 5d9b3883e0fc5ac1b05741fce1348b66ade37964 --- cookbooks/fb_network_scripts/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_network_scripts/README.md b/cookbooks/fb_network_scripts/README.md index e89b20e12..fb78fa716 100644 --- a/cookbooks/fb_network_scripts/README.md +++ b/cookbooks/fb_network_scripts/README.md @@ -289,7 +289,7 @@ node.default['fb_network_scripts']['ifup']['ethtool'] << { Would, on interface startup run: ``` -ethtool -L eth0 | egrep -i -A5 current | awk '/Combined:/{print $2}' +ethtool -l eth0 | egrep -i -A5 current | awk '/Combined:/{print $2}' ``` And compare that to `16`. If it was not `16` then it would run: From ec34be97326d8ccde67dad301599279a1e657c02 Mon Sep 17 00:00:00 2001 
From: David Crosby Date: Wed, 20 Sep 2023 09:10:07 -0700 Subject: [PATCH 086/188] Combine Cookstyle and Rubocop runs Summary: There's a speed benefit to combining the runs, both in only crawling the files once, and reducing linter whack-a-mole. Differential Revision: D45196190 fbshipit-source-id: 99fc2e3c71b5a190a651ce7738b475142df6a51d --- .cookstyle_combined.yml | 5 +++++ .github/workflows/ci.yml | 2 -- scripts/run_cookstyle | 2 +- scripts/run_rubocop | 48 ---------------------------------------- 4 files changed, 6 insertions(+), 51 deletions(-) create mode 100644 .cookstyle_combined.yml delete mode 100755 scripts/run_rubocop diff --git a/.cookstyle_combined.yml b/.cookstyle_combined.yml new file mode 100644 index 000000000..6a4056405 --- /dev/null +++ b/.cookstyle_combined.yml @@ -0,0 +1,5 @@ +# Combine the RuboCop and Cookstyle specific rules here (as opposed to directly +# including .rubocop.yml into .cookstyle.yml) +inherit_from: + - .rubocop.yml + - .cookstyle.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a70449cbd..355536bcf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,8 +21,6 @@ jobs: run: bundle install - name: Run rspec run: ./scripts/run_chefspec - - name: Run rubocop - run: ./scripts/run_rubocop .rubocop.yml - name: Run cookstyle run: ./scripts/run_cookstyle kitchen: diff --git a/scripts/run_cookstyle b/scripts/run_cookstyle index cd7fdb918..4bdf8354d 100755 --- a/scripts/run_cookstyle +++ b/scripts/run_cookstyle @@ -19,7 +19,7 @@ set -eu -default_config='.cookstyle.yml' +default_config='.cookstyle_combined.yml' if bundle exec cookstyle --version > /dev/null 2>&1; then COOKSTYLE='bundle exec cookstyle' elif [ -x /opt/chef-workstation/embedded/bin/cookstyle ]; then diff --git a/scripts/run_rubocop b/scripts/run_rubocop deleted file mode 100755 index d10294aeb..000000000 --- a/scripts/run_rubocop +++ /dev/null 
@@ -1,48 +0,0 @@ -#!/bin/sh -# -# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2 -# -# Copyright (c) 2016-present, Facebook, Inc. -# All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -eu - -default_config='.rubocop.yml' -if bundle exec rubocop --version > /dev/null 2>&1; then - RUBOCOP='bundle exec rubocop' -elif [ -x /opt/chef-workstation/embedded/bin/rubocop ]; then - RUBOCOP='/opt/chef-workstation/embedded/bin/rubocop' -elif [ -x /opt/chef/embedded/bin/rubocop ]; then - RUBOCOP='/opt/chef/embedded/bin/rubocop' -else - echo 'Cannot find rubocop!' - exit 1 -fi - -if [ "$#" -eq 0 ]; then - config="$default_config" -elif [ "$#" -eq 1 ]; then - config="$1" -else - echo "Usage: $0 [config]" - exit 1 -fi - -if [ ! -r "$config" ]; then - echo "Cannot read rubocop config: $config" - exit 1 -fi - -exec $RUBOCOP --display-cop-names -c "$config" From 8840563025d25efd014182c4cf9dd8aa4f985a92 Mon Sep 17 00:00:00 2001 
From: Vinnie Magro Date: Thu, 21 Sep 2023 06:53:01 -0700 Subject: [PATCH 087/188] manage /etc/stunnel in chef Summary: antlir2 image builds don't run systemd services which exposed this deficiency. Generally though, if Chef is being used to manage files in a directory, it should also ensure that that directory exists, otherwise there can be fun race conditions :) Differential Revision: D49016526 fbshipit-source-id: 5a130e2bf37d5a772116605b1f2d8136f783d1b4 --- cookbooks/fb_stunnel/recipes/default.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cookbooks/fb_stunnel/recipes/default.rb b/cookbooks/fb_stunnel/recipes/default.rb index f51508b35..09e23f28c 100644 --- a/cookbooks/fb_stunnel/recipes/default.rb +++ b/cookbooks/fb_stunnel/recipes/default.rb @@ -44,6 +44,12 @@ end end +directory '/etc/stunnel' do + owner 'root' + group 'root' + mode '0755' +end + template '/etc/stunnel/fb_tunnel.conf' do owner 'root' group 'root' From 9974b8ffb384f77c864c688ea97f13d4cc7dc442 Mon Sep 17 00:00:00 2001 From: Austin Proctor Date: Mon, 25 Sep 2023 10:32:32 -0700 Subject: [PATCH 088/188] Add :allow_clobber resource property to fb_powershell_module Summary: Sometimes modules can have the same command names. When installing a new module, PowerShell will halt the installation if a command in a new module is found in a previously installed module. `-AllowClobber` bypasses this check. Differential Revision: D49525952 fbshipit-source-id: f6f7e4e262bba7e553990210c9a4396f6a1de915 --- cookbooks/fb_powershell/resources/fb_powershell_module.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cookbooks/fb_powershell/resources/fb_powershell_module.rb b/cookbooks/fb_powershell/resources/fb_powershell_module.rb index 8fae507f0..54d645866 100644 --- a/cookbooks/fb_powershell/resources/fb_powershell_module.rb +++ b/cookbooks/fb_powershell/resources/fb_powershell_module.rb 
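Review bot: The new `directory '/etc/stunnel'` resource fixes the directory at `0755`, so every file in it is listable and, subject to each file's own mode, readable by all local users. Whether certificates or private keys are stored under this path is not visible in the hunk. If they are, their resources need an explicit restrictive mode (for instance `mode '0600'` on key files), because the directory will not protect them. A comment on the resource such as `# world-readable on purpose; key material placed here must set its own mode` would record that. The `template` resource that follows continues outside the hunk.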
@@ -21,6 +21,9 @@ property :skip_publisher_check, [true, false], :default => false +property :allow_clobber, + [true, false], + :default => false property :scope, String, :default => 'AllUsers' @@ -98,6 +101,9 @@ if new_resource.skip_publisher_check splat['SkipPublisherCheck'] = true end + if new_resource.allow_clobber + splat['AllowClobber'] = true + end psscript = <<-EOH $splat = @{ From 9cfb6f3ef1c4eb64442fcc5d4c5a9e1ed3db6d2c Mon Sep 17 00:00:00 2001 From: Jacob Jedlicka Date: Mon, 2 Oct 2023 15:51:24 -0700 Subject: [PATCH 089/188] WuFB - Adding Windows 11 Support, and => 22H2 to CPE Summary: This adds Windows 11 management support to WuFB that currently only handles Windows 10. Since we aren't updating Windows 10 devices to Windows 11 we needed to add support for **Product Version** 10 __**and**__ 11 using a node detection. This way both version of Windows can get their feature/build updates but stay on their major release. With this, I'm pushing 22H2 to __CPE__ first to validate its function and successful upgrades, and later Trusted Testers. **Upgrade impact is minimal**; both Windows 10 and 11 Build 21H1 went to 22H2 with a reboot that takes __less than 1 minute__ to apply. Differential Revision: D49306013 fbshipit-source-id: c80b450581cf86371f21517467ce4fed263e6b62 --- cookbooks/fb_helpers/libraries/node_methods.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index b8cf741dd..669d5af5b 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -367,7 +367,11 @@ def windows8_1? end def windows10? - windows? && self['platform_version'].start_with?('10.0') + windows? && self['platform_version'].start_with?('10.0.1') + end + + def windows11? + windows? && self['platform_version'].start_with?('10.0.2') end def windows2008? 
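Review bot: The new `allow_clobber` property is added without any description of what it permits. With `AllowClobber` set, the module being installed may define commands whose names already exist in installed modules, so the implementation a script resolves can change after the install. That deserves a comment next to the property, for example `# Lets the installed module define commands that already exist in other modules; leave false unless the overlap is understood`. It matters most when enabled together with `skip_publisher_check`, which is declared just above. The resource body continues outside both hunks.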
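Review bot: `windows11?` matches on the string prefix `'10.0.2'` while still using plain `windows?`, so a Windows Server 2022 host, which reports `10.0.20348`, also answers true. `windows10?` likewise stays true on server builds that begin with `10.0.1`. Any update policy gated on these predicates would then be applied to servers as well as desktops. Checking the product type and the build component is less fragile than a prefix, e.g. `windows? && self['kernel']['product_type'] == 'Workstation' && self['platform_version'].split('.')[2].to_i >= 22000`.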
From 6d45c5827457450cd3c7093174d5cf3cf760dc78 Mon Sep 17 00:00:00 2001 From: Marlon Jacques Date: Tue, 3 Oct 2023 09:52:05 -0700 Subject: [PATCH 090/188] Clear out removal of fb_tmpreaper from /usr/bin/ Summary: Since the config to `fb_tmpreaper` is now in `/usr/local/bin`, its now safe to remove the part where it used to be in `/usr/bin`. Differential Revision: D49381715 fbshipit-source-id: 2e4155974de4aba76dec516f6979a1a1fcd857db --- cookbooks/fb_tmpclean/recipes/default.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cookbooks/fb_tmpclean/recipes/default.rb b/cookbooks/fb_tmpclean/recipes/default.rb index b94bfe41b..d05d94dab 100644 --- a/cookbooks/fb_tmpclean/recipes/default.rb +++ b/cookbooks/fb_tmpclean/recipes/default.rb @@ -47,11 +47,11 @@ end if node.macos? - # TODO T68640353 clean up once this is fully rolled out - file '/usr/bin/fb_tmpreaper' do - action :delete + unless node.in_shard?(0) + file '/usr/bin/fb_tmpreaper' do + action :delete + end end - launchd 'com.facebook.tmpreaper' do action :enable program config From 14db503f4a2e1ee7a39685d2d54efc5ab118d58e Mon Sep 17 00:00:00 2001 From: Gilbert Sanchez Date: Wed, 4 Oct 2023 09:58:56 -0700 Subject: [PATCH 091/188] Memoize version casting + Windows Server/Desktop Distinction Summary: 1. Several methods cast strings into version and it's very likely this is happening multiple times unnecessarily. 2. Several Windows assume versions would be unique to server/desktop and it's a bad assumption. The methods have been updated to confirm this. Differential Revision: D49522597 fbshipit-source-id: 9eab128fbdbb5aefec41462c996b202d3fcf034f --- .../fb_helpers/libraries/node_methods.rb | 87 ++++++++++++------- 1 file changed, 54 insertions(+), 33 deletions(-) diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index 669d5af5b..273fce6b3 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb 
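Review bot: The commit summary says the `/usr/bin/fb_tmpreaper` cleanup is being removed, but this hunk keeps the `file ... action :delete` resource, wraps it in `unless node.in_shard?(0)` and drops the TODO that tracked its removal. If a staged removal is intended, say so at the gate, e.g. `# cleanup of the old path is being retired shard by shard; delete this block once rollout completes`. Otherwise the block can simply be deleted. The enclosing `if node.macos?` block continues outside the hunk.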
+++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -36,25 +36,34 @@ def rhel_family? end def _canonical_version(version) - if version.class == Integer - FB::Version.new(version.to_s) - elsif version.class == String - FB::Version.new(version) - elsif version.class == FB::Version - version - else - fail 'fb_helpers: EL Version comparison can only be performed with strings and integers' + @canonical_version ||= {} + + @canonical_version.fetch(version) do |ver| + @canonical_version[ver] = + if ver.class == Integer + FB::Version.new(version.to_s) + elsif ver.class == String + FB::Version.new(version) + elsif ver.class == FB::Version + version + else + fail 'fb_helpers: EL Version comparison can only be performed with strings and integers' + end end end + def _self_version + @self_version ||= FB::Version.new(self['platform_version']) + end + # Is this a RHEL-compatible OS with a minimum major version number of `version` def el_min_version?(version) - self.rhel_family? && FB::Version.new(self['platform_version']) >= self._canonical_version(version) + self.rhel_family? && self._self_version >= self._canonical_version(version) end # Is this a RHEL-compatible OS with a maximum major version number of `version` def el_max_version?(version) - self.rhel_family? && FB::Version.new(self['platform_version']) <= self._canonical_version(version) + self.rhel_family? && self._self_version <= self._canonical_version(version) end def rhel_family7? 
@@ -358,52 +367,64 @@ def windows? self['platform_family'] == 'windows' end + def windows_desktop? + windows? && node['kernel']['product_type'] == 'Workstation' + end + def windows8? - windows? && self['platform_version'].start_with?('6.2') + windows_desktop? && self['platform_version'].start_with?('6.2') end def windows8_1? - windows? && self['platform_version'].start_with?('6.3') + windows_desktop? && self['platform_version'].start_with?('6.3') end def windows10? - windows? && self['platform_version'].start_with?('10.0.1') + windows_desktop? && self['platform_version'].start_with?('10.0.1') end def windows11? - windows? && self['platform_version'].start_with?('10.0.2') + windows_desktop? && self['platform_version'].start_with?('10.0.2') + end + + def windows10_or_newer? + windows_desktop? && self._self_version >= self._canonical_version('10.0.1') + end + + def windows_server? + windows? && node['kernel']['product_type'] == 'Server' end def windows2008? - windows? && self['platform_version'] == '6.0' + windows_server? && self['platform_version'] == '6.0' end def windows2008r2? - windows? && self['platform_version'] == '6.1.7600' + windows_server? && self['platform_version'] == '6.1.7600' end def windows2008r2sp1? - windows? && self['platform_version'] == '6.1.7601' + windows_server? && self['platform_version'] == '6.1.7601' end def windows2012? - windows? && self['platform_version'].start_with?('6.2') + windows_server? && self['platform_version'].start_with?('6.2') end def windows2012r2? - windows? && self['platform_version'].start_with?('6.3') + windows_server? && self['platform_version'].start_with?('6.3') end def windows2016? - windows? && self['platform_version'] == '10.0.14393' + windows_server? && self['platform_version'] == '10.0.14393' end def windows2019? - windows? && self['platform_version'] == '10.0.17763' + windows_server? && self['platform_version'] == '10.0.17763' end def windows2022? - windows? 
&& self['platform_version'] == '10.0.20348' + windows_server? && self['platform_version'] == '10.0.20348' end # from https://en.wikipedia.org/wiki/Windows_10_version_history 
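Review bot: Every predicate in this hunk and in the `@@ -432,43 +453,43 @@` hunk now also requires a product type, which silently changes the answer for existing callers. `windows2016_or_newer?` used to be true on a Windows 10 workstation and is now false, and `windows8?`/`windows10?` are now false on servers. If any caller used these as generic OS-version gates, its branch will now be skipped without an error, so the call sites should be audited. A comment on each group would make the restriction visible, e.g. `# Server SKUs only; use windows10_or_newer? for desktops`. Separately, `windows10_or_newer?` compares against `'10.0.1'`, which (assuming FB::Version compares component-wise) is satisfied by every `10.0.x` build, so `'10.0'` would state the intent less confusingly.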
@@ -432,43 +453,43 @@ def windows21h2? end def windows2012_or_newer? - windows? && Gem::Version.new(self['platform_version']) >= Gem::Version.new('6.2') + windows_server? && self._self_version >= self._canonical_version('6.2') end def windows2012r2_or_newer? - windows? && Gem::Version.new(self['platform_version']) >= Gem::Version.new('6.3') + windows_server? && self._self_version >= self._canonical_version('6.3') end def windows2016_or_newer? - windows? && Gem::Version.new(self['platform_version']) >= Gem::Version.new('10.0.14393') + windows_server? && self._self_version >= self._canonical_version('10.0.14393') end def windows2019_or_newer? - windows? && Gem::Version.new(self['platform_version']) >= Gem::Version.new('10.0.17763') + windows_server? && self._self_version >= self._canonical_version('10.0.17763') end def windows2022_or_newer? - windows? && Gem::Version.new(self['platform_version']) >= Gem::Version.new('10.0.20348') + windows_server? && self._self_version >= self._canonical_version('10.0.20348') end def windows2012_or_older? - windows? && Gem::Version.new(self['platform_version']) < Gem::Version.new('6.3') + windows_server? && self._self_version < self._canonical_version('6.3') end def windows2012r2_or_older? - windows? && Gem::Version.new(self['platform_version']) < Gem::Version.new('6.4') + windows_server? && self._self_version < self._canonical_version('6.4') end def windows2016_or_older? - windows? && Gem::Version.new(self['platform_version']) <= Gem::Version.new('10.0.14393') + windows_server? && self._self_version <= self._canonical_version('10.0.14393') end def windows2019_or_older? - windows? && Gem::Version.new(self['platform_version']) <= Gem::Version.new('10.0.17763') + windows_server? && self._self_version <= self._canonical_version('10.0.17763') end def windows2022_or_older? - windows? && Gem::Version.new(self['platform_version']) <= Gem::Version.new('10.0.20348') + windows_server? 
&& self._self_version <= self._canonical_version('10.0.20348') end def aristaeos? @@ -476,7 +497,7 @@ def aristaeos? end def aristaeos_4_28_or_newer? - self.aristaeos? && FB::Version.new(self['platform_version']) >= FB::Version.new('4.28') + self.aristaeos? && self._self_version >= self._canonical_version('4.28') end def embedded? From d8d4c60f256ec819c642399bc80948499b4cff31 Mon Sep 17 00:00:00 2001 From: Gilbert Sanchez Date: Mon, 9 Oct 2023 13:21:17 -0700 Subject: [PATCH 092/188] fb_powershell: Add feature to turn of pwsh telemtry Summary: Pwsh collects some telemetry on start up. This allows us to turn it off. If attribute is unset, it does nothing. Setting true or false will enable/disable. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry?view=powershell-7.3 Differential Revision: D50018656 fbshipit-source-id: 717106af63fa781e99a0f767356b85011e492128 --- cookbooks/fb_powershell/README.md | 22 ++++++++++++++++++- cookbooks/fb_powershell/attributes/default.rb | 1 + cookbooks/fb_powershell/recipes/windows.rb | 6 +++++ 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_powershell/README.md b/cookbooks/fb_powershell/README.md index d68f8b084..157f34c6c 100644 --- a/cookbooks/fb_powershell/README.md +++ b/cookbooks/fb_powershell/README.md @@ -16,7 +16,10 @@ Attributes * node['fb_powershell']['powershell']['disable_v2'] * node['fb_powershell']['pwsh']['manage'] * node['fb_powershell']['pwsh']['version'] -* node['fb_powershell']['pwsh']['version'] +* node['fb_powershell']['manage_config'] +* node['fb_powershell']['config'] +* node['fb_powershell']['disable_telemetry'] +* node['fb_powershell']['manage_profiles'] * node['fb_powershell']['profiles']['AllUsersAllHosts'] * node['fb_powershell']['profiles']['AllUsersCurrentHost'] * node['fb_powershell']['profiles']['CurrentUserAllHosts'] 
@@ -35,6 +38,23 @@ This should be the first thing you set. PowerShell v2 is a huge security risk. node.default['fb_powershell']['powershell']['disable_v2'] = true ``` +### Disabling Telemetry for PowerShell (pwsh) + +If you wish to disable telemetry at your organization you can set the following +node attribute. By default, it won't manage the environment variable. + +``` +node.default['fb_powershell']['disable_telemetry'] = true +``` + +To enable it you can set it to: + +``` +node.default['fb_powershell']['disable_telemetry'] = false +``` + +Learn more: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry?view=powershell-7.3 + ### powershell vs pwsh Microsoft decided that when it open sourced PowerShell that it would be good to diff --git a/cookbooks/fb_powershell/attributes/default.rb b/cookbooks/fb_powershell/attributes/default.rb index 3dc5c4370..ace15dc97 100644 --- a/cookbooks/fb_powershell/attributes/default.rb +++ b/cookbooks/fb_powershell/attributes/default.rb @@ -30,6 +30,7 @@ # Manage the powershell.config.json used by PowerShell Core 'manage_config' => false, 'config' => {}, + 'disable_telemetry' => nil, # Profiles # TODO: manage_profiles should default to false, but we need to refactor # the call sites first diff --git a/cookbooks/fb_powershell/recipes/windows.rb b/cookbooks/fb_powershell/recipes/windows.rb index c1e690154..240c29bb2 100644 --- a/cookbooks/fb_powershell/recipes/windows.rb +++ b/cookbooks/fb_powershell/recipes/windows.rb @@ -32,6 +32,12 @@ action :remove end +# Manage Telemtry +windows_env 'POWERSHELL_TELEMETRY_OPTOUT' do + not_if { node['fb_powershell']['disable_telemetry'].nil? } + value (node['fb_powershell']['disable_telemetry']).to_s +end + # Windows Powershell # Upgrade to latest package if no specific version given chocolatey_package 'upgrade windows powershell' do From 1032b115012d540613a69cafaca7d479101d3a68 Mon Sep 17 00:00:00 2001 
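Review bot: `value (node['fb_powershell']['disable_telemetry']).to_s` in the new `windows_env` resource is evaluated when the recipe is compiled, while the `not_if` guard is a block evaluated at converge time. If the attribute is set by a cookbook compiled after this recipe, the guard sees the new value but `value` is still the compile-time `nil.to_s`, an empty string, so the opt-out variable is not set to `true`. Deferring the evaluation fixes that: `value lazy { node['fb_powershell']['disable_telemetry'].to_s }`. The resource also never removes the variable once the attribute returns to `nil`; whether that is intended is worth stating in the README.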
From: Andrew Ryan Date: Fri, 13 Oct 2023 14:51:45 -0700 Subject: [PATCH 093/188] if we find multiple swap partitions, tell us what they were Summary: I got this weird error on my devserver, but couldn't figure out what chef thought because according to /proc/swaps I don't have another swap device mounted. Turns out its some ghost device from qemu testing... Anyway I thought I would make this less awful to debug for the next poor soul who encounters this. Example output: {P854013843, lines=15, highlight=14} Differential Revision: D50280342 fbshipit-source-id: f9965315f18fa84359b4c5bcf02f811ed80a91b6 --- cookbooks/fb_swap/libraries/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_swap/libraries/default.rb b/cookbooks/fb_swap/libraries/default.rb index 5d9f3ea41..eeef23bc2 100644 --- a/cookbooks/fb_swap/libraries/default.rb +++ b/cookbooks/fb_swap/libraries/default.rb @@ -260,7 +260,7 @@ def self._device(node) when 1 return swap_mounts.keys[0] else - fail 'More than one swap mount found, this is not right.' + fail "More than one swap mount found, this is not right (found #{swap_mounts})." end end From 8d6c90f7a0cbf3bb6f9b8a01058f45a9c58f0384 Mon Sep 17 00:00:00 2001 
From: Leoswaldo Macias Mancilla Date: Thu, 19 Oct 2023 10:25:29 -0700 Subject: [PATCH 094/188] Adopt fluent-bit name by default instead of td-agent-bit Summary: FluentBit changed the name of its binaries from `td-agent-bit` to `fluent-bit` starting 1.9 versions. Therefore we needed to have logic that supported both names for a period of a time. It has been over 6 months since this operation and we are moving to default to `fluent-bit` for name. The logic to support `td-agent-bit` name will continue to be supported for the coming 6 months, until April 15th, 2024. Differential Revision: D50092325 fbshipit-source-id: 3d9c5a944728971a18a15923e831b1b1a2ca8fe4 --- cookbooks/fb_fluentbit/README.md | 7 +++--- cookbooks/fb_fluentbit/attributes/default.rb | 7 +++--- cookbooks/fb_fluentbit/spec/default_spec.rb | 26 ++++++++++---------- 3 files changed, 19 insertions(+), 21 deletions(-) diff --git a/cookbooks/fb_fluentbit/README.md b/cookbooks/fb_fluentbit/README.md index 692a7815f..d06af6746 100644 --- a/cookbooks/fb_fluentbit/README.md +++ b/cookbooks/fb_fluentbit/README.md @@ -36,12 +36,11 @@ Fluentbit supports built-in and external plugins. ### Upgrade to fluent-bit package/service/directory name FluentBit moved from `td-agent-bit` naming starting with [v1.9.9](https://docs.fluentbit.io/manual/installation/upgrade-notes#fluent-bit-v1.9.9). -If your tier uses FluentBit you can upgrade and continue using this cookbook -by setting: -`node.default['fb_fluentbit']['adopt_package_name_fluent-bi'] = true` +If your tier uses FluentBit and you want to continue using the old +'td-agent-bit' you can by setting: +`node.default['fb_fluentbit']['adopt_package_name_fluent-bit'] = false` **Important dates for this** -- October 2nd, 2023 fb_fluentbit will adopt the `fluent-bit` name by default - April 15th, 2024 support of the `td-agen-bit` name will be dropped ### Install FluentBit 
diff --git a/cookbooks/fb_fluentbit/attributes/default.rb b/cookbooks/fb_fluentbit/attributes/default.rb index 32a5a632e..a32e748b4 100644 --- a/cookbooks/fb_fluentbit/attributes/default.rb +++ b/cookbooks/fb_fluentbit/attributes/default.rb @@ -58,8 +58,7 @@ # Keep service on Windows alive 'keep_alive' => nil, - # use for users already migrated to FluentBit 1.9 and newer which changes - # the binary, service, and directory names from td-agent-bit to fluent-bit - # This property will change to true on October 2nd, 2023. - 'adopt_package_name_fluent-bit' => false, + # if you want to continue using old td-agent-bit name set + # adopt_package_name_fluent-bit to false + 'adopt_package_name_fluent-bit' => true, } diff --git a/cookbooks/fb_fluentbit/spec/default_spec.rb b/cookbooks/fb_fluentbit/spec/default_spec.rb index 338ac8317..c93a8c7e2 100644 --- a/cookbooks/fb_fluentbit/spec/default_spec.rb +++ b/cookbooks/fb_fluentbit/spec/default_spec.rb @@ -190,17 +190,17 @@ end it 'should install external plugin packages' do - expect(chef_run).to upgrade_package('fluentbit external plugins'). + expect(chef_run).to upgrade_package('Install fluentbit external plugins'). with_package_name(['my-custom-rpm', 'my-fake-package']) end it 'should render plugins.conf' do - expect(chef_run).to render_file('/etc/td-agent-bit/plugins.conf'). + expect(chef_run).to render_file('/etc/fluent-bit/plugins.conf'). with_content(tc.fixture('multiple_external_plugins_plugins.conf')) end it 'should render service conf' do - expect(chef_run).to render_file('/etc/td-agent-bit/td-agent-bit.conf'). + expect(chef_run).to render_file('/etc/fluent-bit/fluent-bit.conf'). with_content(tc.fixture('multiple_external_plugins_service.conf')) end end 
@@ -259,32 +259,32 @@ end it 'should upgrade the package' do - expect(chef_run).to upgrade_package('td-agent-bit') + expect(chef_run).to upgrade_package('fluent-bit') end it 'should install external plugin packages' do - expect(chef_run).to upgrade_package('fluentbit external plugins'). + expect(chef_run).to upgrade_package('Install fluentbit external plugins'). with_package_name(['my-custom-rpm']) end it 'should render parsers.conf' do - expect(chef_run).to render_file('/etc/td-agent-bit/parsers.conf'). + expect(chef_run).to render_file('/etc/fluent-bit/parsers.conf'). with_content(tc.fixture('clean_config_parsers.conf')) end it 'should render plugins.conf' do - expect(chef_run).to render_file('/etc/td-agent-bit/plugins.conf'). + expect(chef_run).to render_file('/etc/fluent-bit/plugins.conf'). with_content(tc.fixture('clean_config_plugins.conf')) end it 'should render service conf' do - expect(chef_run).to render_file('/etc/td-agent-bit/td-agent-bit.conf'). + expect(chef_run).to render_file('/etc/fluent-bit/fluent-bit.conf'). with_content(tc.fixture('clean_config_service.conf')) end it 'should start the service' do - expect(chef_run).to enable_service('td-agent-bit') - expect(chef_run).to start_service('td-agent-bit') + expect(chef_run).to enable_service('fluent-bit') + expect(chef_run).to start_service('fluent-bit') end end @@ -306,7 +306,7 @@ end it 'should not upgrade the fluentbit package' do - expect(chef_run).to_not upgrade_package('td-agent-bit') + expect(chef_run).to_not upgrade_package('fluent-bit') end it 'should not install external plugin packages' do @@ -329,7 +329,7 @@ } end - expect(chef_run).to render_file('/etc/td-agent-bit/td-agent-bit.conf'). + expect(chef_run).to render_file('/etc/fluent-bit/fluent-bit.conf'). with_content(tc.fixture('systemd_duplicate_keys_service.conf')) end 
@@ -340,7 +340,7 @@ } end - expect(chef_run).to render_file('/etc/td-agent-bit/td-agent-bit.conf'). + expect(chef_run).to render_file('/etc/fluent-bit/fluent-bit.conf'). with_content(tc.fixture('record_modifier_duplicate_keys_service.conf')) end end From 337867f3f2e9b86a2cf11005d3976e30dd2e64fa Mon Sep 17 00:00:00 2001 
From: Harvey Hunt Date: Fri, 20 Oct 2023 05:53:47 -0700 Subject: [PATCH 095/188] fb_systemd: Don't call systemd-sysusers on older versions of systemd Summary: D36004124 updated the `fb_systemd` recipe to call `systemd-sysusers` to create a missing user. However, the command uses the `--inline` flag that was only added in systemd 238. D36528947 was sent to update the minimum version to 215 (which is when the `system-sysusers` command was added). However, the `--inline` flag was still missing from that version. Thanks to gmambro for spotting that! From the systemd changelog: https://github.com/systemd/systemd/blob/main/NEWS ``` CHANGES WITH 238: * systemd-sysusers gained a mode where the configuration to execute is specified on the command line, but this configuration is not executed directly, but instead it is merged with the configuration on disk, and the result is executed. This is useful for package installation scripts which want to create the user before installing any files on disk (in case some of those files are owned by that user), while still allowing local admin overrides. ``` The missing arg caused S372980 as the lego-linux tier runs Ubuntu VMs with systemd 237. There's some more context in my post in the systemd group: https://fb.workplace.com/groups/systemd.and.friends/posts/3509161785966261. I think that it might be possible to remove this block of code entirely, however I want to make the smallest change possible to fix lego-linux. Those supporting systemd will have a better idea of whether the code can be removed. Differential Revision: D50494316 fbshipit-source-id: db7bcff80672673aac48be372d2434b768c99d96 --- cookbooks/fb_systemd/recipes/default.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_systemd/recipes/default.rb b/cookbooks/fb_systemd/recipes/default.rb index 1b78fe358..06370527d 100644 --- a/cookbooks/fb_systemd/recipes/default.rb +++ b/cookbooks/fb_systemd/recipes/default.rb 
@@ -96,8 +96,9 @@ execute 'Ensure systemd-network user exists' do only_if do systemd_version = FB::Version.new(node['packages']['systemd']['version']) - # 'systemd-sysusers' was only introduced in v.215 - systemd_version >= FB::Version.new('215') + # 'systemd-sysusers' was introduced in v.215, but the --inline flag was + # only added in 238. + systemd_version >= FB::Version.new('238') end # rubocop:disable Layout/LineLength command "#{systemd_prefix}/bin/systemd-sysusers --inline \"u systemd-network 192 \\\"systemd Network Management\\\"\"" From e830c9ccdcc7b516862ce612d97b2e7bbd32a176 Mon Sep 17 00:00:00 2001 From: Jon Janzen Date: Wed, 25 Oct 2023 09:47:10 -0700 Subject: [PATCH 096/188] shipit-source-id: 96ee08d9a066e44d119817ac1db03e7a012f53d7 From a8790370665834a7c00dc736bcbedebe120b154f Mon Sep 17 00:00:00 2001 From: Jon Janzen Date: Wed, 25 Oct 2023 09:58:31 -0700 Subject: [PATCH 097/188] fbshipit-source-id: 96ee08d9a066e44d119817ac1db03e7a012f53d7 From 5c596f775b9928dad4d9fe3202d99dc6d10c5517 Mon Sep 17 00:00:00 2001 
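Review bot: Raising the gate to 238 makes hosts on systemd 215–237 skip this resource with no trace, and nothing visible in the hunk says where the `systemd-network` user comes from on those hosts. If anything later in the run assumes that account exists, the failure will surface far from its cause. I would extend the new comment with `# Hosts below 238 get no user from this resource; the account must come from the distro package.`, or log a warning in that case. The `execute` block continues past the end of the hunk.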
From: Joshua Miller Date: Mon, 23 Oct 2023 17:12:51 -0700 Subject: [PATCH 098/188] fb_networkd: fix boot service ordering to avoid races between udev, chef, and network-online.target Summary: There are several problems during boot right now wrt networkd, udev, chef, and the network-online.target - networkd starts while the udev rules are running, and may try to apply rules that might be incorrect - the udev rules are `networkctl reconfigure`ing interfaces at the same time networkd is trying to configure them - chef-boot runs while the udev rules are running, and may observe interim interfaces or interfaces with the wrong MAC - network-online.target doesn't actually block until the network is online; the target is reached before any interface is configured - this means that chef is also concurrently running while networkd is configuring the interfaces, basically creating the same problem as with the udev rules The only reasonable way to tackle this is to make things execute in a proper order and end the races. This does the following: - make the udev rules not call `reconfigure`; these rules should only run on boot, so the interfaces should subsequently be configured by networkd - make networkd wait for udev rules to 'settle', so that before networkd runs the interfaces have been renamed - fix network-online.target to actually work - since chef already waits for network-online.target, if it actually works there shouldn't be a problem The end result is that the udev rules run, then when they're done, systemd-networkd starts up, and chef only runs once network-online.target is reached Note: network-online.target is not "all interfaces are up and fully configured". See https://www.freedesktop.org/software/systemd/man/latest/systemd-networkd-wait-online.service.html This _also_ causes problems, but ... I'm not going to try to address that here. 
Differential Revision: D50518948 fbshipit-source-id: 8daabb31555ae019b6f32867bcae4a2bc9ce8967 --- cookbooks/fb_systemd/recipes/networkd.rb | 25 ++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/cookbooks/fb_systemd/recipes/networkd.rb b/cookbooks/fb_systemd/recipes/networkd.rb index 797d4285b..bf1038296 100644 --- a/cookbooks/fb_systemd/recipes/networkd.rb +++ b/cookbooks/fb_systemd/recipes/networkd.rb @@ -31,6 +31,22 @@ notifies :restart, 'service[systemd-networkd.service]' end +if node.in_shard?(0) + # We need systemd-networkd to wait for udev rules to run before starting at boot + wait_for_udev = <<~EOF + [Unit] + After=systemd-udev-settle.service + Wants=systemd-udev-settle.service + EOF + + fb_systemd_override 'systemd-networkd wait for udev' do + only_if { node['fb_systemd']['networkd']['enable'] } + unit_name 'systemd-networkd.service' + content wait_for_udev + action :create + end +end + service 'systemd-networkd.socket' do only_if { node['fb_systemd']['networkd']['enable'] } only_if { node['fb_systemd']['networkd']['use_networkd_socket_with_networkd'] } @@ -62,3 +78,12 @@ service_name 'systemd-networkd.service' action [:stop, :disable] end + +if node.in_shard?(0) + # Get networkd to block network-online.target until interfaces are up + service 'systemd-networkd-wait-online.service' do + only_if { node['fb_systemd']['networkd']['enable'] } + # This is a one-shot at boot time, no :start + action :enable + end +end From 453a3d1236c4914d21aa296ec8d83213fa02d701 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Tue, 24 Oct 2023 09:42:10 -0700 Subject: [PATCH 099/188] fb_networkd: fix boot service ordering between udev, chef, network-online.target 1% -> 11% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D50602111 fbshipit-source-id: 98b7d7f91d3e548ed28df49ada98d830ca2c14af --- cookbooks/fb_systemd/recipes/networkd.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
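Review bot: The new drop-in orders `systemd-networkd.service` after `systemd-udev-settle.service`, a unit the systemd documentation marks as deprecated and which can hold up boot while it waits for the udev queue to drain. The hunk does not record that this is a deliberate trade-off, so a later cleanup could remove the dependency without noticing the race it closes. A comment above the heredoc would fix that, e.g. `# systemd-udev-settle is deprecated upstream; kept because the interface rename rules must finish before networkd starts`.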
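Review bot: `systemd-networkd-wait-online.service` is enabled when `node['fb_systemd']['networkd']['enable']` is true, but this hunk adds nothing to disable it again when the attribute is false. The resource just above it does that for `systemd-networkd.service` with `action [:stop, :disable]`. A host that switches networkd off after this has run would presumably keep wait-online enabled and pulled in by network-online.target at boot. I would add a second `service 'systemd-networkd-wait-online.service'` resource with `not_if { node['fb_systemd']['networkd']['enable'] }` and `action :disable`.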
diff --git a/cookbooks/fb_systemd/recipes/networkd.rb b/cookbooks/fb_systemd/recipes/networkd.rb index bf1038296..7a76829b8 100644 --- a/cookbooks/fb_systemd/recipes/networkd.rb +++ b/cookbooks/fb_systemd/recipes/networkd.rb @@ -31,7 +31,7 @@ notifies :restart, 'service[systemd-networkd.service]' end -if node.in_shard?(0) +if node.in_shard?(10) # We need systemd-networkd to wait for udev rules to run before starting at boot wait_for_udev = <<~EOF [Unit] @@ -79,7 +79,7 @@ action [:stop, :disable] end -if node.in_shard?(0) +if node.in_shard?(10) # Get networkd to block network-online.target until interfaces are up service 'systemd-networkd-wait-online.service' do only_if { node['fb_systemd']['networkd']['enable'] } From 4ce0cedec6af6ec8eb28933aabdf3a11bdb0c887 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 25 Oct 2023 08:49:28 -0700 Subject: [PATCH 100/188] fb_networkd: fix boot service ordering between udev, chef, network-online.target 11% -> 26% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D50602114 fbshipit-source-id: 334c3f54b9578c75b69c098162f0ccc274110975 --- cookbooks/fb_systemd/recipes/networkd.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_systemd/recipes/networkd.rb b/cookbooks/fb_systemd/recipes/networkd.rb index 7a76829b8..86a53f400 100644 --- a/cookbooks/fb_systemd/recipes/networkd.rb +++ b/cookbooks/fb_systemd/recipes/networkd.rb @@ -31,7 +31,7 @@ notifies :restart, 'service[systemd-networkd.service]' end -if node.in_shard?(10) +if node.in_shard?(25) # We need systemd-networkd to wait for udev rules to run before starting at boot wait_for_udev = <<~EOF [Unit] @@ -79,7 +79,7 @@ action [:stop, :disable] end -if node.in_shard?(10) +if node.in_shard?(25) # Get networkd to block network-online.target until interfaces are up service 'systemd-networkd-wait-online.service' do only_if { node['fb_systemd']['networkd']['enable'] } 
From 626978b7fe4964a28ebf1c1e659816eb7963b47c Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 25 Oct 2023 14:09:37 -0700 Subject: [PATCH 101/188] fb_networkd: fix boot service ordering between udev, chef, network-online.target 26% -> 51% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D50602112 fbshipit-source-id: 8085757a1a01757f31747f426f9b9733957ff4f8 --- cookbooks/fb_systemd/recipes/networkd.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_systemd/recipes/networkd.rb b/cookbooks/fb_systemd/recipes/networkd.rb index 86a53f400..f8605b8f3 100644 --- a/cookbooks/fb_systemd/recipes/networkd.rb +++ b/cookbooks/fb_systemd/recipes/networkd.rb @@ -31,7 +31,7 @@ notifies :restart, 'service[systemd-networkd.service]' end -if node.in_shard?(25) +if node.in_shard?(50) # We need systemd-networkd to wait for udev rules to run before starting at boot wait_for_udev = <<~EOF [Unit] @@ -79,7 +79,7 @@ action [:stop, :disable] end -if node.in_shard?(25) +if node.in_shard?(50) # Get networkd to block network-online.target until interfaces are up service 'systemd-networkd-wait-online.service' do only_if { node['fb_systemd']['networkd']['enable'] } From 0b6e6d640d3d2e804d6ee3c23b51c1bf815addea Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 25 Oct 2023 15:59:00 -0700 Subject: [PATCH 102/188] fb_networkd: fix boot service ordering between udev, chef, network-online.target 51% -> 76% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D50602110 fbshipit-source-id: 615de3da9a62a1704458220caca04f78bcfe0ebf --- cookbooks/fb_systemd/recipes/networkd.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_systemd/recipes/networkd.rb b/cookbooks/fb_systemd/recipes/networkd.rb index f8605b8f3..b287d54b8 100644 --- a/cookbooks/fb_systemd/recipes/networkd.rb +++ b/cookbooks/fb_systemd/recipes/networkd.rb 
@@ -31,7 +31,7 @@ notifies :restart, 'service[systemd-networkd.service]' end -if node.in_shard?(50) +if node.in_shard?(75) # We need systemd-networkd to wait for udev rules to run before starting at boot wait_for_udev = <<~EOF [Unit] @@ -79,7 +79,7 @@ action [:stop, :disable] end -if node.in_shard?(50) +if node.in_shard?(75) # Get networkd to block network-online.target until interfaces are up service 'systemd-networkd-wait-online.service' do only_if { node['fb_systemd']['networkd']['enable'] } From 912ddbd79587c8eab695e6e83fe47889f356d5f0 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Thu, 26 Oct 2023 07:39:21 -0700 Subject: [PATCH 103/188] fb_networkd: fix boot service ordering between udev, chef, network-online.target 76% -> 100% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D50602109 fbshipit-source-id: 4ae654f0785d8cdd615bc7e7ee60b8bfb0af1cc7 --- cookbooks/fb_systemd/recipes/networkd.rb | 36 +++++++++++------------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/cookbooks/fb_systemd/recipes/networkd.rb b/cookbooks/fb_systemd/recipes/networkd.rb index b287d54b8..0f4d531e7 100644 --- a/cookbooks/fb_systemd/recipes/networkd.rb +++ b/cookbooks/fb_systemd/recipes/networkd.rb 
@@ -31,20 +31,18 @@ notifies :restart, 'service[systemd-networkd.service]' end -if node.in_shard?(75) - # We need systemd-networkd to wait for udev rules to run before starting at boot - wait_for_udev = <<~EOF - [Unit] - After=systemd-udev-settle.service - Wants=systemd-udev-settle.service - EOF +# We need systemd-networkd to wait for udev rules to run before starting at boot +wait_for_udev = <<~EOF + [Unit] + After=systemd-udev-settle.service + Wants=systemd-udev-settle.service +EOF - fb_systemd_override 'systemd-networkd wait for udev' do - only_if { node['fb_systemd']['networkd']['enable'] } - unit_name 'systemd-networkd.service' - content wait_for_udev - action :create - end +fb_systemd_override 'systemd-networkd wait for udev' do + only_if { node['fb_systemd']['networkd']['enable'] } + unit_name 'systemd-networkd.service' + content wait_for_udev + action :create end service 'systemd-networkd.socket' do @@ -79,11 +77,9 @@ action [:stop, :disable] end -if node.in_shard?(75) - # Get networkd to block network-online.target until interfaces are up - service 'systemd-networkd-wait-online.service' do - only_if { node['fb_systemd']['networkd']['enable'] } - # This is a one-shot at boot time, no :start - action :enable - end +# Get networkd to block network-online.target until interfaces are up +service 'systemd-networkd-wait-online.service' do + only_if { node['fb_systemd']['networkd']['enable'] } + # This is a one-shot at boot time, no :start + action :enable end From 2ab53bf1a45eda46ffa52393dd4fecca64a34079 Mon Sep 17 00:00:00 2001 
From: Kai-Hsiang Chang Date: Thu, 2 Nov 2023 13:35:24 -0700 Subject: [PATCH 104/188] support HyperNode provisioning on T5 Summary: as per title. What's in this diff: 1. Create a new FbJbodHandler that replace the generic JbodHandler for twstorage, which supports formatting HDD by hnadmin. 2. Install hnadmin on all twstorage hosts. 3. Pairing JMC and Offline metadata with HDD by physical slot number. For example, /mnt/hn10 pairs with the HDD in slot 10. Differential Revision: D50522143 fbshipit-source-id: 6caed96071016ef6d7afcb00ba85eedbf321c268 --- cookbooks/fb_storage/libraries/storage_handlers.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_storage/libraries/storage_handlers.rb b/cookbooks/fb_storage/libraries/storage_handlers.rb index d25413db7..a0ae601b8 100644 --- a/cookbooks/fb_storage/libraries/storage_handlers.rb +++ b/cookbooks/fb_storage/libraries/storage_handlers.rb @@ -44,7 +44,7 @@ def self.get_handler(device, node) info = {} end node['fb_storage']['_handlers'].each do |handler| - unless handler.superclass == FB::Storage::Handler + unless handler.ancestors.include?(FB::Storage::Handler) fail "fb_storage: handler #{handler.name} is not a subclass of " + 'FB::Storage::Handler, aborting!' end From dfcd3bebd56532d73da6f6b0e2d727035b56ac03 Mon Sep 17 00:00:00 2001 From: Pablo Mazzini Date: Fri, 3 Nov 2023 08:07:18 -0700 Subject: [PATCH 105/188] gpsd-clients -> gpsd-minimal-clients Summary: The package is no longer available. Differential Revision: D50972912 fbshipit-source-id: 46a2c96f95cdc3e96da3daa1215953ef417f897a --- cookbooks/fb_gpsd_clients/recipes/packages.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cookbooks/fb_gpsd_clients/recipes/packages.rb b/cookbooks/fb_gpsd_clients/recipes/packages.rb index 6147268df..7ac1af0b7 100644 --- a/cookbooks/fb_gpsd_clients/recipes/packages.rb +++ b/cookbooks/fb_gpsd_clients/recipes/packages.rb 
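Review bot: `handler.ancestors.include?(FB::Storage::Handler)` is also true for `FB::Storage::Handler` itself, so the base class now passes a check whose failure message says "is not a subclass of". An entry in `node['fb_storage']['_handlers']` that is not a class still raises NoMethodError before the `fail` message is reached, as it did with `superclass`. `unless handler.is_a?(Class) && handler < FB::Storage::Handler` states the strict-subclass test directly and covers both cases. `get_handler` starts and ends outside the hunk.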
@@ -11,5 +11,9 @@ end package 'gpsd-clients' do + action :remove +end + +package 'gpsd-minimal-clients' do action :upgrade end From 35fefd30f7394a5a7b96db3aff54e8b624b528bf Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Thu, 9 Nov 2023 08:54:14 -0800 Subject: [PATCH 106/188] fb_network_scripts: add ability to configure system wide static default gateway Summary: Add ability to configure system wide static default gateway And remove incorrect comment Differential Revision: D51118754 fbshipit-source-id: 15e533972e90282bb515a4634bf53f208c0bf2f4 --- cookbooks/fb_network_scripts/README.md | 3 +++ cookbooks/fb_network_scripts/attributes/default.rb | 1 + cookbooks/fb_network_scripts/templates/default/network.erb | 4 +++- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_network_scripts/README.md b/cookbooks/fb_network_scripts/README.md index fb78fa716..82dc2ae5e 100644 --- a/cookbooks/fb_network_scripts/README.md +++ b/cookbooks/fb_network_scripts/README.md @@ -53,6 +53,9 @@ Controls whether to manage packages for `network-scripts`; defaults to `true`. Controls pause frame settings of the primary interface. Keys correspond to parameters of `ethtool -a/-A`, values: `nil` (don't care), `true`, `false`. +#### `node['fb_network_scripts']['v6_default_gw']` +Sets IPV6_DEFAULTGW in /etc/sysconfig/network. Defaults to `nil` + ### Interface Configs This cookbook also provides interface configuration: diff --git a/cookbooks/fb_network_scripts/attributes/default.rb b/cookbooks/fb_network_scripts/attributes/default.rb index ab6a14b40..e1597ce73 100644 --- a/cookbooks/fb_network_scripts/attributes/default.rb +++ b/cookbooks/fb_network_scripts/attributes/default.rb @@ -60,6 +60,7 @@ 'enable_tun' => false, 'enable_bridge_filter' => false, 'linkdelay' => 0, + 'v6_default_gw' => nil, # Internal attributes, do not use '_rerun_ifup_local' => false, 
diff --git a/cookbooks/fb_network_scripts/templates/default/network.erb b/cookbooks/fb_network_scripts/templates/default/network.erb index 738296305..a863ac329 100644 --- a/cookbooks/fb_network_scripts/templates/default/network.erb +++ b/cookbooks/fb_network_scripts/templates/default/network.erb @@ -1,9 +1,11 @@ # This file is maintained by Chef. Do not edit, all changes will be # overwritten. See fb_network_scripts/README.md -# Note that we don't set GATEWAY in here because ifup-local will do it NETWORKING=yes HOSTNAME=<%= node['fqdn'] %> LINKDELAY=<%= node['fb_network_scripts']['linkdelay'] %> NETWORKING_IPV6=yes IFDOWN_ON_SHUTDOWN=no +<% if node['fb_network_scripts']['v6_default_gw'] %> +IPV6_DEFAULTGW="<%= node['fb_network_scripts']['v6_default_gw'] %>" +<% end %> From d1b1a925866aadba5aeb996681bff4216e85b644 Mon Sep 17 00:00:00 2001 From: Marlon Jacques Date: Wed, 15 Nov 2023 11:02:22 -0800 Subject: [PATCH 107/188] Cleanup homebrew from template Summary: As the cleanup for `homebrew` continues, this makes sure we deprecate it from the paths as possible. This clears out `opt/homebrew/bin` from the path in favor of `opt/facebook/bin`. Differential Revision: D51203332 fbshipit-source-id: f16d3014dcd4801bff230d148fd97098eff6f521 --- cookbooks/fb_tmpclean/templates/default/tmpreaper.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_tmpclean/templates/default/tmpreaper.erb b/cookbooks/fb_tmpclean/templates/default/tmpreaper.erb index 2a002ad28..5bbf7e24d 100755 --- a/cookbooks/fb_tmpclean/templates/default/tmpreaper.erb +++ b/cookbooks/fb_tmpclean/templates/default/tmpreaper.erb @@ -1,7 +1,7 @@ #!/bin/sh <% path = '/usr/sbin:/usr/bin:/sbin:/bin' if node.macos? - path << ':/opt/local/sbin:/opt/homebrew/sbin' + path << ':/opt/local/sbin:/opt/facebook/sbin' end tmpclean = node['fb_tmpclean'].to_hash topt = tmpclean['timestamptype'] == 'atime' ? '--mtime-dir' : '--mtime' -%> 
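Review bot: The new `IPV6_DEFAULTGW="<%= node['fb_network_scripts']['v6_default_gw'] %>"` line writes the attribute verbatim into /etc/sysconfig/network, which is read as shell variable assignments (presumably sourced by the network scripts as root). A value that is not a plain address would therefore be interpreted by the shell instead of being rejected. I would validate before rendering, e.g. `<% gw = node['fb_network_scripts']['v6_default_gw'].to_s %>` followed by `<% fail 'fb_network_scripts: invalid v6_default_gw' unless gw.match?(/\A[0-9A-Fa-f:.]+(%[\w.-]+)?\z/) %>`. The optional `%iface` suffix in that pattern is an assumption to confirm. An empty string is also truthy in Ruby, so the `if` as written would render `IPV6_DEFAULTGW=""`.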
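Review bot: On macOS the `path` string still appends `/opt/local/sbin` and now `/opt/facebook/sbin` for a cleanup script that presumably runs as root, so any command not found in the system directories resolves from those trees. Nothing in the template states that both directories must be root-owned and not user-writable; a line such as `# /opt/local/sbin and /opt/facebook/sbin must be root-owned, this script runs privileged` next to the assignment would record it. The commit description speaks of `opt/homebrew/bin` and `opt/facebook/bin` while the hunk changes the `sbin` entries, so one of the two should be corrected.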
From 83c704a9f5a20405995bfdc6fa217d57c4194362 Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 29 Nov 2023 08:45:52 -0800 Subject: [PATCH 108/188] fb_systemd: make knob for mgmt of default target Summary: Make knob for mgmt of default target, so that it's possible to opt out as needed Differential Revision: D51510688 fbshipit-source-id: 7c1a0f44975b4aa49ebba0ff5d81700297412e87 --- cookbooks/fb_systemd/README.md | 6 ++++++ cookbooks/fb_systemd/attributes/default.rb | 1 + cookbooks/fb_systemd/recipes/default.rb | 3 +++ cookbooks/fb_systemd/spec/default_spec.rb | 12 ++++++++++++ 4 files changed, 22 insertions(+) diff --git a/cookbooks/fb_systemd/README.md b/cookbooks/fb_systemd/README.md index 81ebc2eb9..78a7f1df2 100644 --- a/cookbooks/fb_systemd/README.md +++ b/cookbooks/fb_systemd/README.md @@ -34,6 +34,7 @@ Attributes * node['fb_systemd']['tmpfiles_excluded_prefixes'] * node['fb_systemd']['preset'] * node['fb_systemd']['manage_systemd_packages'] +* node['fb_systemd']['manage_default_target'] * node['fb_systemd']['boot']['enable'] * node['fb_systemd']['boot']['path'] * node['fb_systemd']['boot']['loader'] @@ -408,6 +409,11 @@ By default this cookbook keeps the systemd packages up-to-date, but if you want to manage them locally, simply set `node['fb_systemd']['manage_systemd_packages']` to false. +### Default target +By default this cookbook manages the default systemd target, but if you +want otherwise, set +`node['fb_systemd']['manage_default_target']` to false. + ### Boot You can choose whether or not to enable `systemd-boot` with the `node['fb_systemd']['boot']['enable']` attribute, which defaults to `false`. diff --git a/cookbooks/fb_systemd/attributes/default.rb b/cookbooks/fb_systemd/attributes/default.rb index 431893a2b..215cccdb2 100644 --- a/cookbooks/fb_systemd/attributes/default.rb +++ b/cookbooks/fb_systemd/attributes/default.rb 
@@ -131,6 +131,7 @@ 'tmpfiles_excluded_prefixes' => [], 'preset' => {}, 'manage_systemd_packages' => true, + 'manage_default_target' => true, 'boot' => { 'enable' => false, 'path' => esp_path, diff --git a/cookbooks/fb_systemd/recipes/default.rb b/cookbooks/fb_systemd/recipes/default.rb index 06370527d..bdab2b649 100644 --- a/cookbooks/fb_systemd/recipes/default.rb +++ b/cookbooks/fb_systemd/recipes/default.rb @@ -153,12 +153,14 @@ end directory '/etc/systemd/user/default.target.wants' do + only_if { node['fb_systemd']['manage_default_target'] } owner 'root' group 'root' mode '0755' end execute 'set default target' do + only_if { node['fb_systemd']['manage_default_target'] } only_if do current = shell_out('systemctl get-default').stdout.strip is_ignored = node['fb_systemd']['ignore_targets'].include?(current) @@ -173,6 +175,7 @@ end link '/etc/systemd/system/default.target' do + only_if { node['fb_systemd']['manage_default_target'] } only_if do FB::Version.new(node['packages']['systemd'][ 'version']) < FB::Version.new('205') diff --git a/cookbooks/fb_systemd/spec/default_spec.rb b/cookbooks/fb_systemd/spec/default_spec.rb index 840d1a8d8..bfc7db350 100644 --- a/cookbooks/fb_systemd/spec/default_spec.rb +++ b/cookbooks/fb_systemd/spec/default_spec.rb @@ -49,4 +49,16 @@ tc.fixture('system.conf'), ) end + + it 'should skip default target when manage_default_target is false' do + chef_run.converge(described_recipe) do |node| + node.default['fb_systemd']['manage_default_target'] = false + end + expect(chef_run).not_to run_execute('set default target') + end + + it 'should set default target when manage_default_target is true' do + chef_run.converge(described_recipe) + expect(chef_run).not_to run_execute('set default target') + end end From 3b9741a718b4b9b85429c368683058ea2b44f8a2 Mon Sep 17 00:00:00 2001 
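Review bot: In the spec hunk, the example 'should set default target when manage_default_target is true' asserts `expect(chef_run).not_to run_execute('set default target')`, the same expectation as the false case. The two examples therefore pass with or without the new `only_if` guards. The positive case probably needs the `systemctl get-default` `shell_out` stubbed to return a target other than the desired one, and then `expect(chef_run).to run_execute('set default target')`. If the execute cannot run under ChefSpec for another reason, the example should be renamed to say what it really checks.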
From: Olivier Raginel Date: Tue, 5 Dec 2023 16:50:57 -0800 Subject: [PATCH 109/188] Add proper support for USD on Artemis Summary: Removed the actual bind mounts from this diff as boyuni's changes should be live by now. Added a bunch of changes to make USD support better. Not perfect yet as the initial setup is still a bit problematic (the initial provisioning doesn't have the SMC tiers required to know that this should be using USD, therefore Tupperware bundle generation generates an `fbaccel` config, which breaks as soon as USD is activated): * Added `fb-mtiautil-cli` as that's required to administer the card * Added `fb-platform010-artemis-compiler` as that's required in the container but that RPM installs in the runtime and one cannot install that in the container. Long term this will be bundled into the binary * Install `fb-asic-bootd` as that's USD * Move the `asic_bootd` from the RPM into chef, 'cause babar prefers this, and it makes it easier to control start / stop / notifications upon changes. It's also easier to modify anything as one doesn't have to build, push and update the RPM * Added a bunch of comments that `fb_grub` doesn't do anything on `twshared`, but all those changes have already been implemented where they are needed using host profiles * Added the possibility to use two SMC tiers to control the deployment. As mentioned above, this isn't perfect, but we don't really have a better solution yet * Taught Tupperware how to reset the card(s) before starting a container when in USD * Rename `twshared_inference` to `twshared_t17` as we have inference on T16, TNG, even T20 and we always had it on T1 so this was misleading * Added `asic_bootd` as an allowed WDB on T17 * Ensured the directories that Tupperware bindmounts exit. 
No longer bind-mount them ourselves as boyuni's changes to the agent should take care of that part ** To do that part, changed the systemd tmpclean recipe to actually run as soon as the file is modified, so the folders get created right before Tupperware tries to use them by validating the config. Differential Revision: D51473619 fbshipit-source-id: 1fd749117df0a5f98f3180ec4b408999bceeb1f1 --- cookbooks/fb_systemd/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_systemd/recipes/default.rb b/cookbooks/fb_systemd/recipes/default.rb index bdab2b649..6251945ce 100644 --- a/cookbooks/fb_systemd/recipes/default.rb +++ b/cookbooks/fb_systemd/recipes/default.rb @@ -131,7 +131,7 @@ owner 'root' group 'root' mode '0644' - notifies :run, 'execute[process tmpfiles]' + notifies :run, 'execute[process tmpfiles]', :immediately end execute 'load modules' do From 30bb9ead157d268dca610ea62272228a38db6fc7 Mon Sep 17 00:00:00 2001 From: Oleg Obleukhov Date: Wed, 13 Dec 2023 07:35:35 -0800 Subject: [PATCH 110/188] clean ntpchkng usages in opsfiles Summary: Remove most of the outdated references Differential Revision: D52121246 fbshipit-source-id: d41b74228d8b865167a2d22010858258feffb751 --- cookbooks/fb_ntp/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_ntp/README.md b/cookbooks/fb_ntp/README.md index 18a049bc3..a6446b0fd 100644 --- a/cookbooks/fb_ntp/README.md +++ b/cookbooks/fb_ntp/README.md 
@@ -47,7 +47,7 @@ Contains an actual copy of [IETF Leap Seconds file](https://www.ietf.org/timezon The file should be updated twice a year. We will get notification in ntp-notify@fb.com mailing list before it happens, and you will need to update this file in the cookbook. If you want to add fake leap second for testing or -debug purposes, you will can use 'ntpchkng utils fakeseconds' to generate +debug purposes, you will can use 'ntpcheck utils fakeseconds' to generate fake leap seconds and update checksums in this file. Make sure that the production version of the file contains only real leap seconds! `node['fb_ntp']['leapsmearinterval']` should be set only on Stratum 2 servers. From 34d76b507a2f78144a720422008f0e77a54581c2 Mon Sep 17 00:00:00 2001 From: Nicolas Hurman Date: Wed, 13 Dec 2023 13:52:45 -0800 Subject: [PATCH 111/188] Move to overcommit.slice so it can see all the CPUs Summary: 1] Change to fb_timer (for hm_data_plane) The API exposes a way to set custom properties, but also manually sets slice. We can override slice by specifying it twice, but it's ugly -- the resulting file ends up looking like ``` Slice=system-timers-trickle_test_runner.slice Slice=overcommit-timers-trickle_test_runner.slice ``` This makes it not set the first Slice= value if Slice is part of the overrides. Differential Revision: D52097721 fbshipit-source-id: bf6440cd97255e884edd89710586a1f9339ebf5e --- cookbooks/fb_timers/templates/default/service.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/templates/default/service.erb b/cookbooks/fb_timers/templates/default/service.erb index 78d376e9e..717de165f 100644 --- a/cookbooks/fb_timers/templates/default/service.erb +++ b/cookbooks/fb_timers/templates/default/service.erb 
@@ -22,7 +22,7 @@ Type=oneshot <% if @conf['envfile'] %> EnvironmentFile=<%= @conf['envfile'] %> <% end %> -<% if node['fb_timers']['enable_named_slices'] %> +<% if node['fb_timers']['enable_named_slices'] and !@conf['service_options'].key?('Slice') %> Slice=system-timers-<%= @conf['name'] %>.slice <% end %> <% @conf['commands'].each do |command| %> From 350728ce66192345d1d939e275f1ad3841f26c72 Mon Sep 17 00:00:00 2001 From: Antony Thomas Date: Fri, 15 Dec 2023 15:06:17 -0800 Subject: [PATCH 112/188] Use dnf modularity only when needed Differential Revision: D52218129 fbshipit-source-id: 7207ae4f9c8c2afd8ba27544b52dbae78fe83dc4 --- cookbooks/fb_dnf/recipes/default.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_dnf/recipes/default.rb b/cookbooks/fb_dnf/recipes/default.rb index 42e6bbb27..953a26c46 100644 --- a/cookbooks/fb_dnf/recipes/default.rb +++ b/cookbooks/fb_dnf/recipes/default.rb @@ -41,6 +41,8 @@ notifies :run, 'whyrun_safe_ruby_block[clean chef yum metadata]', :immediately end -fb_dnf_modularity 'manage modularity' +fb_dnf_modularity 'manage modularity' do + not_if { node['fb_dnf']['modules'].empty? } +end include_recipe 'fb_dnf::packages' From 0f6aab9fe2664c3546f0508845fb37a609d2e22b Mon Sep 17 00:00:00 2001 From: Gilbert Sanchez Date: Thu, 21 Dec 2023 11:11:51 -0800 Subject: [PATCH 113/188] fb_powershell_module: Use PowerShell exec for improved performance Differential Revision: D50035571 fbshipit-source-id: 3c98750e7ce90b676b7d9102b050ff52b66ad0b2 --- .../resources/fb_powershell_apply_config.rb | 3 +- .../resources/fb_powershell_module.rb | 55 ++++++++++++++----- 2 files changed, 43 insertions(+), 15 deletions(-) diff --git a/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb b/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb index 036f2e142..565b07a80 100644 --- a/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb 
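Review bot: The new guard calls `@conf['service_options'].key?('Slice')` without allowing for a timer that defines no `service_options`. If that key can be absent from `@conf` (the defaults are not visible in this hunk), rendering raises NoMethodError on nil. Using `&&` and a nil-safe lookup keeps the template robust: `<% if node['fb_timers']['enable_named_slices'] && !@conf['service_options']&.key?('Slice') %>`. A short template comment saying that a caller-supplied `Slice` replaces the generated one would also help whoever reads the rendered unit later.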
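Review bot: The `not_if` guard skips `fb_dnf_modularity` whenever `node['fb_dnf']['modules']` is empty, which also covers a host that had modules configured by an earlier run and later had the attribute emptied. If the resource is what resets or disables previously enabled module streams (its implementation is not part of this hunk), those streams would now stay enabled silently. A comment above the block would make the intent explicit, e.g. `# Empty list: leave dnf module state untouched`.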
+++ b/cookbooks/fb_powershell/resources/fb_powershell_apply_config.rb @@ -17,9 +17,10 @@ resource_name :fb_powershell_apply_config provides :fb_powershell_apply_config, :os => 'windows' -unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) provides :fb_powershell_apply_config, :os => 'darwin' provides :fb_powershell_apply_config, :os => 'linux' +unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) +description 'This resource was added to fb_powershell to manage configuration in a runtime safe manner.' default_action :manage diff --git a/cookbooks/fb_powershell/resources/fb_powershell_module.rb b/cookbooks/fb_powershell/resources/fb_powershell_module.rb index 54d645866..d5afb6c2c 100644 --- a/cookbooks/fb_powershell/resources/fb_powershell_module.rb +++ b/cookbooks/fb_powershell/resources/fb_powershell_module.rb @@ -1,4 +1,4 @@ -# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2 +require 'chef/mixin/powershell_exec' unless defined?(Chef::Mixin::PowershellExec) unified_mode true resource_name :fb_powershell_module 
@@ -9,28 +9,52 @@ property :module_name, String, :required => true, - :name_property => true + :name_property => true, + :description => <<~DOC + Specifies the exact names of the module to manage from the repository. + DOC property :version, [Integer, String, Array], :coerce => proc { |m| Array(m) }, - :default => '0' + :default => '0', + :description => <<~DOC + Specifies the version(s) of a single module to install. If there is no match in the repository for the specified version, an error is displayed. + If given a major version it will attempt to get the latest the matches. And so on for minor and release. + See https://learn.microsoft.com/en-us/powershell/module/powershellget/install-module?view=powershellget-2.x#-requiredversion + DOC property :repository, # rubocop:todo Chef/RedundantCode/PropertyWithRequiredAndDefault String, :required => true, - :default => 'PSGallery' + :default => 'PSGallery', + :description => <<~DOC + Use the Repository parameter to specify the name of repository from which to download and install a module. Used when multiple repositories are registered. + See https://learn.microsoft.com/en-us/powershell/module/powershellget/install-module?view=powershellget-2.x#-repository + DOC property :skip_publisher_check, [true, false], - :default => false + :default => false, + :description => <<~DOC + Allows you to install a newer version of a module that already exists on your computer. For example, when an existing module is digitally signed by a trusted publisher but the new version isn't digitally signed by a trusted publisher. + See https://learn.microsoft.com/en-us/powershell/module/powershellget/install-module?view=powershellget-2.x#-skippublishercheck + DOC property :allow_clobber, [true, false], - :default => false + :default => false, + :description => <<~DOC + Overrides warning messages about installation conflicts about existing commands on a computer. 
Overwrites existing commands that have the same name as commands being installed by a module. + See https://learn.microsoft.com/en-us/powershell/module/powershellget/install-module?view=powershellget-2.x#-allowclobber + DOC property :scope, - String, - :default => 'AllUsers' + ['AllUsers', 'CurrentUser'], + :default => 'AllUsers', + :description => <<~DOC + Specifies the installation scope of the module. + See https://learn.microsoft.com/en-us/powershell/module/powershellget/install-module?view=powershellget-2.x#-scope + DOC load_current_value do |new_resource| # Returns an array - version powershell_out!( + version powershell_exec( <<-EOH, $splat = @{ Name = '#{new_resource.name}' @@ -38,7 +62,7 @@ } (Get-Module @splat).Version.ForEach({$_.ToString()}) EOH - ).stdout.chomp.split("\r\n").map { |v| Gem::Version.new(v) } + ).result.map { |v| Gem::Version.new(v) } end action :upgrade do @@ -117,7 +141,8 @@ } Install-Module @splat EOH - powershell_out!(psscript) + psexec = powershell_exec(psscript) + psexec.error! # Throw if there's an error end end end @@ -166,7 +191,8 @@ Install-Module @splat EOH - powershell_out!(psscript) + psexec = powershell_exec(psscript) + psexec.error! # Throw if there's an error end end end @@ -203,7 +229,7 @@ def get_repo_list "Fetching all versions of #{new_resource.module_name} " + "from #{new_resource.repository}.", ) - latest = powershell_out!( + psexec = powershell_exec( <<-EOH, $splat = @{ Name = "#{new_resource.module_name}" @@ -212,7 +238,8 @@ def get_repo_list } (Find-Module @splat).Version.ForEach({$_.ToString()}) EOH - ).stdout.to_s.chomp.split("\r\n") + ).error! + latest = psexec.result Chef::Log.debug("Available versions: #{latest.join(', ')}") return latest.map { |v| Gem::Version.new(v) } From e17c84060949f3a6fde4da8dd508d1492267402f Mon Sep 17 00:00:00 2001 
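Review bot: The description added for `skip_publisher_check` presents the option as a convenience and does not say that it turns off the publisher comparison Install-Module performs when replacing an already installed, signed module. Because `repository` selects where the code is downloaded from, the text should state that the property is meant to stay `false` unless the repository is trusted, for example by appending `Disables the publisher signature check; enable only for trusted repositories.` The `version` description also has a wording slip: `the latest the matches` should read `the latest that matches`.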
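Review bot: In `load_current_value` the switch from `powershell_out!` to `powershell_exec(...).result` drops the raise-on-failure behaviour. The install paths in the later hunks call `psexec.error!`, but this one never does, so a failing `Get-Module` would be read as "nothing installed". `.result.map` also assumes an array; whether `result` keeps that shape when no version or a single version comes back cannot be confirmed from the hunk. Assign the call to a local, call `error!` on it, and wrap the value: `Array(psexec.result).map { |v| Gem::Version.new(v) }`. The block starts in the preceding hunk.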
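Review bot: In `get_repo_list`, `psexec = powershell_exec(...).error!` stores the return value of `error!`, not the exec object. The following `latest = psexec.result` then most likely fails with NoMethodError on nil when the command succeeds, assuming `error!` only raises and otherwise returns nil, as the two-step use in the install hunks suggests. Keep the pattern used elsewhere in this commit: close the call with `)` alone, then put `psexec.error!` on its own line before `latest = psexec.result`. `get_repo_list` begins in the previous hunk and continues past this one.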
From: David Crosby Date: Tue, 2 Jan 2024 09:10:10 -0800 Subject: [PATCH 114/188] Report for cookbooks without recipes Summary: Cookbooks that don't evaluate Ruby outside of recipes presumably are easier to remove from other cookbook dependencies, since without an include_recipe call to a recipe they will be unlikely to have any purpose (though this is not a substitute for checking for other usage). Differential Revision: D52215844 fbshipit-source-id: 876dacc0e686168fdda72f2064949e25ce61c998 --- .../bookworm/reports/RecipeOnlyCookbooks.rb | 35 +++++++++++++++++++ .../default/bookworm/rules/AttributeExists.rb | 22 ++++++++++++ .../default/bookworm/rules/LibraryExists.rb | 22 ++++++++++++ .../bookworm/rules/MetadatarbExists.rb | 22 ++++++++++++ .../default/bookworm/rules/ProviderExists.rb | 22 ++++++++++++ .../default/bookworm/rules/RecipeExists.rb | 22 ++++++++++++ .../default/bookworm/rules/ResourceExists.rb | 22 ++++++++++++ 7 files changed, 167 insertions(+) create mode 100644 cookbooks/fb_bookworm/files/default/bookworm/reports/RecipeOnlyCookbooks.rb create mode 100644 cookbooks/fb_bookworm/files/default/bookworm/rules/AttributeExists.rb create mode 100644 cookbooks/fb_bookworm/files/default/bookworm/rules/LibraryExists.rb create mode 100644 cookbooks/fb_bookworm/files/default/bookworm/rules/MetadatarbExists.rb create mode 100644 cookbooks/fb_bookworm/files/default/bookworm/rules/ProviderExists.rb create mode 100644 cookbooks/fb_bookworm/files/default/bookworm/rules/RecipeExists.rb create mode 100644 cookbooks/fb_bookworm/files/default/bookworm/rules/ResourceExists.rb diff --git a/cookbooks/fb_bookworm/files/default/bookworm/reports/RecipeOnlyCookbooks.rb b/cookbooks/fb_bookworm/files/default/bookworm/reports/RecipeOnlyCookbooks.rb new file mode 100644 index 000000000..49617c2b1 --- /dev/null +++ b/cookbooks/fb_bookworm/files/default/bookworm/reports/RecipeOnlyCookbooks.rb 
@@ -0,0 +1,35 @@
+# Copyright (c) 2023-present, Meta, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+description 'Determines all cookbooks that do not evaluate Ruby code on load'
+needs_rules %w{
+ MetadatarbExists
+ AttributeExists
+ LibraryExists
+ ResourceExists
+ ProviderExists
+}
+
+def to_a
+ cookbooks = Set.new(@kb.cookbooks.keys)
+ cookbooks.subtract(Set.new(@kb.attributes.map { |_, c| c['cookbook'] }))
+ cookbooks.subtract(Set.new(@kb.libraries.map { |_, c| c['cookbook'] }))
+ cookbooks.subtract(Set.new(@kb.resources.map { |_, c| c['cookbook'] }))
+ cookbooks.subtract(Set.new(@kb.providers.map { |_, c| c['cookbook'] }))
+ cookbooks.to_a.sort
+end
+
+def output
+ to_a
+end
diff --git a/cookbooks/fb_bookworm/files/default/bookworm/rules/AttributeExists.rb b/cookbooks/fb_bookworm/files/default/bookworm/rules/AttributeExists.rb
new file mode 100644
index 000000000..8ccfd4eb7
--- /dev/null
+++ b/cookbooks/fb_bookworm/files/default/bookworm/rules/AttributeExists.rb
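Review bot: `needs_rules` lists `MetadatarbExists`, but `to_a` never consults it: only attributes, libraries, resources and providers are subtracted. Either drop the rule from the list or add a comment saying why metadata.rb is deliberately not counted, since metadata.rb is itself Ruby and the description promises cookbooks that `do not evaluate Ruby code on load`. `to_a` also uses `Set` without a visible `require 'set'`, which works only if the framework or a Ruby 3.2+ runtime has already loaded it. `Set#subtract` accepts any enumerable, so the inner `Set.new(...)` wrappers can go: `cookbooks.subtract(@kb.attributes.map { |_, c| c['cookbook'] })`.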
@@ -0,0 +1,22 @@
+# Copyright (c) 2022-present, Meta, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+description 'Helper rule to show existence of an attributes file'
+keys %w{
+ attribute
+}
+
+def output
+ true
+end
diff --git a/cookbooks/fb_bookworm/files/default/bookworm/rules/LibraryExists.rb b/cookbooks/fb_bookworm/files/default/bookworm/rules/LibraryExists.rb
new file mode 100644
index 000000000..b8b9e2342
--- /dev/null
+++ b/cookbooks/fb_bookworm/files/default/bookworm/rules/LibraryExists.rb
@@ -0,0 +1,22 @@
+# Copyright (c) 2022-present, Meta, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+description 'Helper rule to show existence of a library file'
+keys %w{
+ library
+}
+
+def output
+ true
+end
diff --git a/cookbooks/fb_bookworm/files/default/bookworm/rules/MetadatarbExists.rb b/cookbooks/fb_bookworm/files/default/bookworm/rules/MetadatarbExists.rb
new file mode 100644
index 000000000..c1da95d22
--- /dev/null
+++ b/cookbooks/fb_bookworm/files/default/bookworm/rules/MetadatarbExists.rb
@@ -0,0 +1,22 @@
+# Copyright (c) 2022-present, Meta, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+description 'Helper rule to show existence of a metadata.rb file'
+keys %w{
+ metadatarb
+}
+
+def output
+ true
+end
diff --git a/cookbooks/fb_bookworm/files/default/bookworm/rules/ProviderExists.rb b/cookbooks/fb_bookworm/files/default/bookworm/rules/ProviderExists.rb
new file mode 100644
index 000000000..d0b2ebd53
--- /dev/null
+++ b/cookbooks/fb_bookworm/files/default/bookworm/rules/ProviderExists.rb
@@ -0,0 +1,22 @@
+# Copyright (c) 2022-present, Meta, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+description 'Helper rule to show existence of a provider file'
+keys %w{
+ provider
+}
+
+def output
+ true
+end
diff --git a/cookbooks/fb_bookworm/files/default/bookworm/rules/RecipeExists.rb b/cookbooks/fb_bookworm/files/default/bookworm/rules/RecipeExists.rb
new file mode 100644
index 000000000..5ef88485d
--- /dev/null
+++ b/cookbooks/fb_bookworm/files/default/bookworm/rules/RecipeExists.rb
@@ -0,0 +1,22 @@
+# Copyright (c) 2022-present, Meta, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+description 'Helper rule to show existence of a recipe'
+keys %w{
+ recipe
+}
+
+def output
+ true
+end
diff --git a/cookbooks/fb_bookworm/files/default/bookworm/rules/ResourceExists.rb b/cookbooks/fb_bookworm/files/default/bookworm/rules/ResourceExists.rb
new file mode 100644
index 000000000..49c88d774
--- /dev/null
+++ b/cookbooks/fb_bookworm/files/default/bookworm/rules/ResourceExists.rb
@@ -0,0 +1,22 @@ +# Copyright (c) 2022-present, Meta, Inc. +# All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +description 'Helper rule to show existence of a resource file' +keys %w{ + resource +} + +def output + true +end From 0dec9d0226e2de18e3b52ed651b31ffa2cc97764 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Thu, 4 Jan 2024 08:21:19 -0800 Subject: [PATCH 115/188] Enable Lint/Syntax Differential Revision: D52517969 fbshipit-source-id: 60b1f33229d2cab743b2c43fd956fe6fdb63c25f --- .cookstyle.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.cookstyle.yml b/.cookstyle.yml index c427ff22b..a874ddf3c 100644 --- a/.cookstyle.yml +++ b/.cookstyle.yml @@ -7,6 +7,10 @@ AllCops: DisabledByDefault: true TargetChefVersion: 16.18.0 +# NOTE: this is also handled in regular RuboCop. T114949895 +Lint/Syntax: + Enabled: true + Chef/Correctness/BlockGuardWithOnlyString: Enabled: true Chef/Correctness/ChefApplicationFatal: From fc840bb645f1a4c27e18e70c5766519040e36075 Mon Sep 17 00:00:00 2001 From: Ryan Yee Date: Fri, 5 Jan 2024 10:30:47 -0800 Subject: [PATCH 116/188] Add OEL 9 support to helpers, fbit_yum, fbit_repo Differential Revision: D52529389 fbshipit-source-id: 1c4f67fab80a30cf21519fe7ce98023ded30ca16 --- cookbooks/fb_helpers/libraries/node_methods.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index 273fce6b3..19c4fa362 100644 
--- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -186,6 +186,10 @@ def oracle_max_version?(version) self.oracle? && self.el_max_version?(version) end + def oracle9? + self.oracle? && self['platform_version'].start_with?('9') + end + def oracle8? self.oracle? && self['platform_version'].start_with?('8') end From bd500e34cc9ab38cc038a421479cdca8e79858d8 Mon Sep 17 00:00:00 2001 From: Ryan Yee Date: Tue, 9 Jan 2024 09:54:38 -0800 Subject: [PATCH 117/188] Update node_methods for rpm_version and fb_slowroll for OEL9 Differential Revision: D52569881 fbshipit-source-id: 1d190e5542c5ad74bc73d1d146a353b5655a0b42 --- cookbooks/fb_helpers/libraries/node_methods.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index 19c4fa362..86928ca17 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -997,7 +997,8 @@ def filesystem_data # returns the version-release of an rpm installed, or nil if not present def rpm_version(name) - if (self.centos? && !self.centos7?) || self.fedora? || self.redhat8? || self.oracle8? || self.redhat9? + if (self.centos? && !self.centos7?) || self.fedora? || self.redhat8? || self.oracle8? || self.redhat9? || + self.oracle9? # returns epoch.version v = Chef::Provider::Package::Dnf::PythonHelper.instance. package_query(:whatinstalled, name).version From 363bf82d45aca5a4acc28d0b661fe640bc960281 Mon Sep 17 00:00:00 2001 From: Olivier Raginel Date: Fri, 12 Jan 2024 22:37:49 -0800 Subject: [PATCH 118/188] Cleanup uses of FB031 (& 19,21,22,23,24,26) Differential Revision: D52530525 fbshipit-source-id: c80ff5b80c2c060cd9be91540fb482536b16cddb --- cookbooks/fb_systemd/resources/override.rb | 2 +- cookbooks/fb_yum_repos/resources/config.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/cookbooks/fb_systemd/resources/override.rb b/cookbooks/fb_systemd/resources/override.rb index dee6f1cf0..59997db28 100644 --- a/cookbooks/fb_systemd/resources/override.rb +++ b/cookbooks/fb_systemd/resources/override.rb @@ -63,7 +63,7 @@ def get_reload_resource mode '0755' end - template ::File.join(override_dir, override_file) do # rubocop:disable Chef/Meta/AvoidCookbookProperty # ~FB031 ~FB032 + template ::File.join(override_dir, override_file) do # rubocop:disable Chef/Meta/AvoidCookbookProperty # If source is specified, use it, otherwise use our template... if new_resource.source source new_resource.source diff --git a/cookbooks/fb_yum_repos/resources/config.rb b/cookbooks/fb_yum_repos/resources/config.rb index 4e26d67be..441383b1a 100644 --- a/cookbooks/fb_yum_repos/resources/config.rb +++ b/cookbooks/fb_yum_repos/resources/config.rb @@ -23,7 +23,7 @@ default_action :create action :create do - template new_resource.path do # rubocop:disable Chef/Meta/AvoidCookbookProperty # ~FB031 ~FB032 + template new_resource.path do # rubocop:disable Chef/Meta/AvoidCookbookProperty cookbook 'fb_yum_repos' source 'yum.conf.erb' owner node.root_user From 613e802701ec961397700e7bcb3621e995b1923b Mon Sep 17 00:00:00 2001 From: David Crosby Date: Wed, 17 Jan 2024 13:04:58 -0800 Subject: [PATCH 119/188] Write datestamped profiles Differential Revision: D52745862 fbshipit-source-id: a7888ad12b457809f225500d09de53b9e84f309c --- spec/fbspec.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/spec/fbspec.rb b/spec/fbspec.rb index 7ea7a5142..01bd6bbd1 100644 --- a/spec/fbspec.rb +++ b/spec/fbspec.rb @@ -15,7 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -require 'ruby-prof' if ENV['FB_RSPEC_PROFILING'] require 'chefspec' require 'chefspec/lib/chefspec/matchers/render_file_matcher.rb' 
@@ -33,13 +32,18 @@ def self.fbspec_init(cookbook_path, platforms) end config.cookbook_path = cookbook_path if ENV['FB_RSPEC_PROFILING'] + require 'ruby-prof' config.before(:example) do RubyProf.start end config.after(:example) do result = RubyProf.stop printer = RubyProf::GraphPrinter.new(result) - printer.print($stdout) + profile_name = "rspec_profile-#{DateTime.now.iso8601(4)}.out" + File.open(profile_name, 'w+') do |file| + printer.print(file) + end + puts "Rspec profiling dumped to #{profile_name}" end end end From 2c9eab4640499bf57faa2196cb45b1efdf91c4c1 Mon Sep 17 00:00:00 2001 From: Serge Dubrouski Date: Fri, 26 Jan 2024 08:06:00 -0800 Subject: [PATCH 120/188] Mark ROU extra repos as antlir_extra_repo Differential Revision: D53095540 fbshipit-source-id: 8912a8fa928c3a4f942aa12b8b2aba36275cc917 --- cookbooks/fb_yum_repos/libraries/yum_repos_helpers.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/fb_yum_repos/libraries/yum_repos_helpers.rb b/cookbooks/fb_yum_repos/libraries/yum_repos_helpers.rb index c5c5a56e0..4ca001738 100644 --- a/cookbooks/fb_yum_repos/libraries/yum_repos_helpers.rb +++ b/cookbooks/fb_yum_repos/libraries/yum_repos_helpers.rb @@ -24,6 +24,7 @@ class YumRepos 'countme', 'repo_gpgcheck', 'module_hotfixes', + 'antlir_extra_repo', ].freeze def self.get_default_gpg_key(_node) From 6567b9ac3fc71139d8a1218b0765736545e9b214 Mon Sep 17 00:00:00 2001 From: Olivier Raginel Date: Fri, 26 Jan 2024 12:07:17 -0800 Subject: [PATCH 121/188] Clean up manually a few of the rubocop / foodcritic exceptions Summary: They don't make sense otherwise and I don't want to bundle them into the next diff so the next diff is fully automated and easier to review` Differential Revision: D53077187 fbshipit-source-id: d2928ddf9032707fce7b857db0ea46b739c25c13 --- cookbooks/fb_cron/recipes/default.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
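Review bot: `DateTime.now.iso8601(4)` in the `after(:example)` block depends on the `date` library, which this hunk does not require next to the now-lazy `require 'ruby-prof'`; it works only if something else has already loaded it. The resulting name contains `:` characters, which are not valid in Windows file names, and a file is created in whatever the current directory is, once per example. Consider `require 'date'` beside `require 'ruby-prof'`, or a colon-free stamp such as `Time.now.strftime('%Y%m%dT%H%M%S.%L')`. Mode `'w'` is enough since the file is never read back. `fbspec_init` starts above the hunk.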
diff --git a/cookbooks/fb_cron/recipes/default.rb b/cookbooks/fb_cron/recipes/default.rb index 4346bebb1..03b4ec334 100644 --- a/cookbooks/fb_cron/recipes/default.rb +++ b/cookbooks/fb_cron/recipes/default.rb @@ -164,12 +164,12 @@ 'cron_deny' => '/etc/cron.deny', 'cron_allow' => '/etc/cron.allow', }.each do |key, cronfile| - file cronfile do # this is an absolute path: ~FB031 + file cronfile do only_if { node['fb_cron'][key].empty? } action :delete end - template cronfile do # this is an absolute path: ~FB031 + template cronfile do not_if { node['fb_cron'][key].empty? } source 'fb_cron_allow_deny.erb' owner node.root_user From 2db57f7700c0c5d9fd3be3eb7db205eb284022e8 Mon Sep 17 00:00:00 2001 From: Olivier Raginel Date: Fri, 26 Jan 2024 12:07:17 -0800 Subject: [PATCH 122/188] Apply the linter to remove all the foodcritic exemption for the ones migrated to cookstyle: prod Differential Revision: D53077178 fbshipit-source-id: e3759650d0df0a9a64cc278ac065de41a1ae1db2 --- cookbooks/fb_consul/recipes/default.rb | 8 ++++---- cookbooks/fb_fstab/libraries/provider.rb | 2 +- cookbooks/fb_grub/recipes/config.rb | 2 +- cookbooks/fb_helpers/resources/reboot.rb | 6 +++--- cookbooks/fb_sysfs/resources/default.rb | 2 +- cookbooks/fb_tmpclean/recipes/windows.rb | 4 ++-- cookbooks/fb_users/resources/default.rb | 10 +++++----- 7 files changed, 17 insertions(+), 17 deletions(-) diff --git a/cookbooks/fb_consul/recipes/default.rb b/cookbooks/fb_consul/recipes/default.rb index 95c563ca7..b6058c86c 100644 --- a/cookbooks/fb_consul/recipes/default.rb +++ b/cookbooks/fb_consul/recipes/default.rb @@ -75,7 +75,7 @@ mode '0644' end -cookbook_file '/etc/consul/consul-agent-ca.pem' do # ~FB032 +cookbook_file '/etc/consul/consul-agent-ca.pem' do # rubocop:disable Chef/Meta/AvoidCookbookProperty only_if { node['fb_consul']['certificate_cookbook'] } cookbook lazy { node['fb_consul']['certificate_cookbook'] } owner 'root' 
@@ -84,7 +84,7 @@ notifies :restart, 'service[consul]' end -cookbook_file '/etc/consul/consul-agent-ca-key.pem' do # ~FB032 +cookbook_file '/etc/consul/consul-agent-ca-key.pem' do # rubocop:disable Chef/Meta/AvoidCookbookProperty only_if do node['fb_consul']['config']['server'] && node['fb_consul']['certificate_cookbook'] @@ -96,7 +96,7 @@ notifies :restart, 'service[consul]' end -cookbook_file '/etc/consul/consul-server.pem' do # ~FB032 +cookbook_file '/etc/consul/consul-server.pem' do # rubocop:disable Chef/Meta/AvoidCookbookProperty only_if do node['fb_consul']['config']['server'] && node['fb_consul']['certificate_cookbook'] @@ -109,7 +109,7 @@ notifies :restart, 'service[consul]' end -cookbook_file '/etc/consul/consul-server-key.pem' do # ~FB032 +cookbook_file '/etc/consul/consul-server-key.pem' do # rubocop:disable Chef/Meta/AvoidCookbookProperty only_if do node['fb_consul']['config']['server'] && node['fb_consul']['certificate_cookbook'] diff --git a/cookbooks/fb_fstab/libraries/provider.rb b/cookbooks/fb_fstab/libraries/provider.rb index e34059781..91dab496c 100644 --- a/cookbooks/fb_fstab/libraries/provider.rb +++ b/cookbooks/fb_fstab/libraries/provider.rb @@ -84,7 +84,7 @@ def mount(mount_data, in_maint_disks, in_maint_mounts) 'immutable mountpoint. If you can see this, ' + "the mount is missing!\n" # rubocop:disable Chef/Meta/NoFileWrites - File.open(readme, 'w') do |f| # ~FB030 + File.open(readme, 'w') do |f| # rubocop:disable Chef/Meta/NoFileWrites f.write(readme_body) end # rubocop:enable Chef/Meta/NoFileWrites diff --git a/cookbooks/fb_grub/recipes/config.rb b/cookbooks/fb_grub/recipes/config.rb index f09c859ab..fee58b876 100644 --- a/cookbooks/fb_grub/recipes/config.rb +++ b/cookbooks/fb_grub/recipes/config.rb 
@@ -21,7 +21,7 @@ grub_base_dir = node['fb_grub']['_grub_base_dir'] grub2_base_dir = node['fb_grub']['_grub2_base_dir'] -directory 'efi_vendor_dir' do # rubocop:disable Chef/Meta/RequireOwnerGroupMode # ~FB024 mode is controlled by mount options +directory 'efi_vendor_dir' do # rubocop:disable Chef/Meta/RequireOwnerGroupMode mode is controlled by mount options only_if { node.efi? } path lazy { node['fb_grub']['_efi_vendor_dir'] } owner 'root' diff --git a/cookbooks/fb_helpers/resources/reboot.rb b/cookbooks/fb_helpers/resources/reboot.rb index 4745e0ba9..e849bd38f 100644 --- a/cookbooks/fb_helpers/resources/reboot.rb +++ b/cookbooks/fb_helpers/resources/reboot.rb @@ -138,7 +138,7 @@ def reboot_allowed(node) set_reboot_override('immediate') do_managed_reboot else - command = execute 'reboot' do # ~FB026 + command = execute 'reboot' do # rubocop:disable Chef/Meta/FBUtilReboot command 'reboot' action :nothing end @@ -196,7 +196,7 @@ def reboot_allowed(node) node, load_reboot_reason, ) - reboot 'reboot' do # ~FB026 + reboot 'reboot' do # rubocop:disable Chef/Meta/FBUtilReboot action :request_reboot end else @@ -224,7 +224,7 @@ def reboot_allowed(node) command "rtcwake -m no -s #{new_resource.wakeup_time_secs}" action :nothing end - poweroff = execute 'poweroff' do # ~FB026 + poweroff = execute 'poweroff' do # rubocop:disable Chef/Meta/FBUtilReboot command 'shutdown -P now' action :nothing end diff --git a/cookbooks/fb_sysfs/resources/default.rb b/cookbooks/fb_sysfs/resources/default.rb index df3b5516a..f93561d1d 100644 --- a/cookbooks/fb_sysfs/resources/default.rb +++ b/cookbooks/fb_sysfs/resources/default.rb 
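Review bot: On the `directory 'efi_vendor_dir'` line the explanation `mode is controlled by mount options` now follows the cop name directly, so it reads as part of the `rubocop:disable` directive instead of as a comment. RuboCop's way to attach a reason is a `--` separator: `directory 'efi_vendor_dir' do # rubocop:disable Chef/Meta/RequireOwnerGroupMode -- mode is controlled by mount options`. Without it the directive may be reported as malformed, or the trailing words taken for cop names, depending on the RuboCop version in use.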
@@ -105,7 +105,7 @@ end # We are using file to write content, not to manage the file itself, # so we exempt the internal foodcritic rule that requires owner/group/mode. - file new_resource.path do # rubocop:disable Chef/Meta/RequireOwnerGroupMode # ~FB023 + file new_resource.path do # rubocop:disable Chef/Meta/RequireOwnerGroupMode if new_resource.type == :list # Some :list sysfs require a newline at the end of the value to take # effect. For others, the newline is ignored, so always write one (and diff --git a/cookbooks/fb_tmpclean/recipes/windows.rb b/cookbooks/fb_tmpclean/recipes/windows.rb index b253d7a66..d09e51307 100644 --- a/cookbooks/fb_tmpclean/recipes/windows.rb +++ b/cookbooks/fb_tmpclean/recipes/windows.rb @@ -82,12 +82,12 @@ } end -windows_task 'create-cleanup-task' do # ~FB047 +windows_task 'create-cleanup-task' do # rubocop:disable Chef/Meta/WindowsTaskAbsolutePaths # This is an absolute path - the linter is wrong command lazy { 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File ' + (node['fb_tmpclean']['windows_script_location']).to_s - } # ~FB047 + } # rubocop:disable Chef/Meta/WindowsTaskAbsolutePaths frequency :weekly start_time '02:20' start_when_available true diff --git a/cookbooks/fb_users/resources/default.rb b/cookbooks/fb_users/resources/default.rb index c55c18d24..8ea5d1092 100644 --- a/cookbooks/fb_users/resources/default.rb +++ b/cookbooks/fb_users/resources/default.rb @@ -48,7 +48,7 @@ def bootstrap_pgroups # We may not have this group if it's a remote one, so check we do and # that it's set to create if info && info['action'] && info['action'] != :delete - group "bootstrap #{grp}" do # rubocop:disable Chef/Meta/ResourceReplacer # ~FB015 + group "bootstrap #{grp}" do # rubocop:disable Chef/Meta/ResourceReplacer group_name grp gid ::FB::Users::GID_MAP[grp]['gid'] action :create 
@@ -123,7 +123,7 @@ def bootstrap_pgroups # delete any users and optionally clean up home dirs if `manage_home true` if info['action'] == :delete # keep property list in sync with FB::Users._validate - user username do # rubocop:disable Chef/Meta/ResourceReplacer # ~FB014 + user username do # rubocop:disable Chef/Meta/ResourceReplacer manage_home manage_homedir action :remove info['notifies']&.each_value do |notif| @@ -142,7 +142,7 @@ def bootstrap_pgroups # disabling fc009 because it triggers on 'secure_token' below which # is already guarded by a version 'if' - user username do # rubocop:disable Chef/Meta/ResourceReplacer # ~FB014 ~FC009 + user username do # rubocop:disable Chef/Meta/ResourceReplacer uid mapinfo['uid'].to_i # the .to_i here is important - if the usermap accidentally # quotes the gid, then it will try to look up a group named "142" @@ -189,7 +189,7 @@ def bootstrap_pgroups next unless info['only_if'].call end if info['action'] == :delete - group groupname do # rubocop:disable Chef/Meta/ResourceReplacer # ~FB015 + group groupname do # rubocop:disable Chef/Meta/ResourceReplacer action :remove info['notifies']&.each_value do |notif| timing = notif['timing'] || 'delayed' @@ -202,7 +202,7 @@ def bootstrap_pgroups mapinfo = ::FB::Users::GID_MAP[groupname] # disabling fc009 becasue it triggers on 'comment' below which # is already guarded by a version 'if' - group groupname do # rubocop:disable Chef/Meta/ResourceReplacer # ~FB015 + group groupname do # rubocop:disable Chef/Meta/ResourceReplacer gid mapinfo['gid'].to_i system mapinfo['system'] unless mapinfo['system'].nil? if info['members'] From 916de38d6ac2306ef92f1fb2837b3e39af695de7 Mon Sep 17 00:00:00 2001 
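Review bot: The comment above `user username do` in the `@@ -142,7 +142,7 @@` hunk still reads "disabling fc009 because it triggers on 'secure_token' below", but the new line no longer carries `~FC009`, so it describes an exemption that is gone. The same goes for the "disabling fc009" comment above `group groupname do` in the `@@ -202,7 +202,7 @@` hunk, and for the "Note: FC022 is masked" comment in the fb_swap `before_fb_fstab.rb` hunk of PATCH 124/188. I would remove these comments in the same change, or reword them to keep only the part that is still true, e.g. `# 'secure_token' below is guarded by a version check`. The enclosing blocks continue outside the hunks.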
From: Olivier Raginel Date: Fri, 26 Jan 2024 18:34:50 -0800 Subject: [PATCH 123/188] Apply the linter to remove all the foodcritic exemption for the ones migrated to cookstyle: rest of itchef Summary: Apply the second diff of the stack onto the rest of `itchef` codebase Differential Revision: D53077186 fbshipit-source-id: 3f6c3dc338d65dd622b163a46330a47bc7293575 --- cookbooks/ci_fixes/attributes/default.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cookbooks/ci_fixes/attributes/default.rb b/cookbooks/ci_fixes/attributes/default.rb index 22a2b886f..64b043605 100644 --- a/cookbooks/ci_fixes/attributes/default.rb +++ b/cookbooks/ci_fixes/attributes/default.rb @@ -28,9 +28,9 @@ 'Plugin Virtualization Monkeypatch: /proc/self/cgroup indicates ' + "#{$1} container. Detecting as #{$1} guest", ) - node.automatic['virtualization']['system'] = $1 # ~FC047 - node.automatic['virtualization']['role'] = 'guest' # ~FC047 - node.automatic['virtualization']['systems'][$1.to_s] = 'guest' # ~FC047 + node.automatic['virtualization']['system'] = $1 # rubocop:disable Chef/Meta/UseNodeDefault + node.automatic['virtualization']['role'] = 'guest' # rubocop:disable Chef/Meta/UseNodeDefault + node.automatic['virtualization']['systems'][$1.to_s] = 'guest' # rubocop:disable Chef/Meta/UseNodeDefault end end else From 564dd0f5451c47a2d5e4b5117b7cfaa920ddd8a7 Mon Sep 17 00:00:00 2001 
From: David Crosby Date: Mon, 29 Jan 2024 08:00:09 -0800 Subject: [PATCH 124/188] remove remaining core foodcritic annotations Differential Revision: D53142318 fbshipit-source-id: 93002dfde1f1c440212a6b453ac4e1552e4e5570 --- cookbooks/fb_cron/recipes/default.rb | 2 +- cookbooks/fb_cron/recipes/packages.rb | 2 +- cookbooks/fb_launchd/resources/default.rb | 2 +- cookbooks/fb_network_scripts/resources/redhat_interface.rb | 4 ++-- cookbooks/fb_networkd/resources/default.rb | 6 +++--- cookbooks/fb_storage/resources/format_devices.rb | 6 +++--- cookbooks/fb_swap/recipes/before_fb_fstab.rb | 2 +- cookbooks/fb_sysctl/resources/default.rb | 2 +- cookbooks/fb_system_upgrade/resources/default.rb | 2 +- cookbooks/fb_systemd/resources/loader_entries.rb | 2 +- cookbooks/fb_timers/resources/setup.rb | 2 +- 11 files changed, 16 insertions(+), 16 deletions(-) diff --git a/cookbooks/fb_cron/recipes/default.rb b/cookbooks/fb_cron/recipes/default.rb index 03b4ec334..a831f9b70 100644 --- a/cookbooks/fb_cron/recipes/default.rb +++ b/cookbooks/fb_cron/recipes/default.rb @@ -111,7 +111,7 @@ 'debian' => '/etc/default/cron', ['rhel', 'fedora'] => '/etc/sysconfig/crond', ) -if envfile # ~FC023 +if envfile template envfile do source 'crond_env.erb' owner 'root' diff --git a/cookbooks/fb_cron/recipes/packages.rb b/cookbooks/fb_cron/recipes/packages.rb index 3b40efdb5..5b236e8f9 100644 --- a/cookbooks/fb_cron/recipes/packages.rb +++ b/cookbooks/fb_cron/recipes/packages.rb @@ -28,7 +28,7 @@ package_name = 'cron' end -if package_name # ~FC023 +if package_name package package_name do action :upgrade end diff --git a/cookbooks/fb_launchd/resources/default.rb b/cookbooks/fb_launchd/resources/default.rb index 821c6c7fe..08e3a7d5e 100644 --- a/cookbooks/fb_launchd/resources/default.rb +++ b/cookbooks/fb_launchd/resources/default.rb 
@@ -87,7 +87,7 @@ def launchd_resource(label, action, attrs = {}) "and attributes #{attrs}", ) return unless label - res = launchd label do # ~FC022 + res = launchd label do action action.to_sym if attrs['only_if'] only_if { attrs['only_if'].call } diff --git a/cookbooks/fb_network_scripts/resources/redhat_interface.rb b/cookbooks/fb_network_scripts/resources/redhat_interface.rb index 141fa60e2..1746d32b9 100644 --- a/cookbooks/fb_network_scripts/resources/redhat_interface.rb +++ b/cookbooks/fb_network_scripts/resources/redhat_interface.rb @@ -61,7 +61,7 @@ def stop(interface) s.error! end -action :enable do # ~FC017 +action :enable do requires_full_restart = false to_converge = [] interface = new_resource.interface @@ -326,7 +326,7 @@ def stop(interface) end end -action :update_ips do # ~FC017 +action :update_ips do interface = new_resource.interface if Helpers.will_restart_network?(run_context) Chef::Log.info("Ignoring #{interface} update_ips, network restart queued") diff --git a/cookbooks/fb_networkd/resources/default.rb b/cookbooks/fb_networkd/resources/default.rb index 49284ee9c..bb6b2ff53 100644 --- a/cookbooks/fb_networkd/resources/default.rb +++ b/cookbooks/fb_networkd/resources/default.rb @@ -336,7 +336,7 @@ action :nothing end - file path do # ~FC022 + file path do only_if { node.interface_change_allowed?(iface) } action :delete notifies :run, "execute[networkctl down #{iface}]", :immediately @@ -360,7 +360,7 @@ action :nothing end - file path do # ~FC022 + file path do only_if { node.interface_change_allowed?(iface) } action :delete notifies :run, "execute[udevadm trigger #{iface}]" @@ -383,7 +383,7 @@ action :nothing end - file path do # ~FC022 + file path do only_if { node.interface_change_allowed?(iface) } action :delete notifies :run, "execute[networkctl delete #{iface}]", :immediately diff --git a/cookbooks/fb_storage/resources/format_devices.rb b/cookbooks/fb_storage/resources/format_devices.rb index 62b1f3afb..a67f30551 100644 
--- a/cookbooks/fb_storage/resources/format_devices.rb +++ b/cookbooks/fb_storage/resources/format_devices.rb @@ -87,7 +87,7 @@ storage.config.each_key do |device| dev = FB::Storage.device_name_from_path(device) - if node['fb_storage']['tuning']['scheduler'] # ~FC023 + if node['fb_storage']['tuning']['scheduler'] fb_sysfs "/sys/block/#{dev}/queue/scheduler" do # Kernels prior to 4.11 do not have multi-queue support - t19377518 not_if { dev.start_with?('nvme') && !kernel_has_mq } @@ -96,14 +96,14 @@ end end - if node['fb_storage']['tuning']['queue_depth'] # ~FC023 + if node['fb_storage']['tuning']['queue_depth'] fb_sysfs "/sys/block/#{dev}/device/queue_depth" do type :int value node['fb_storage']['tuning']['queue_depth'] end end - if node['fb_storage']['tuning']['discard_max_bytes'] # ~FC023 + if node['fb_storage']['tuning']['discard_max_bytes'] fname = "/sys/block/#{dev}/device/discard_max_bytes" fb_sysfs fname do only_if do diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index 01b976eb8..c9a71f561 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -90,7 +90,7 @@ # Note: FC022 is masked because the unit name is derived from the type # variable in the loop - service manage_unit do # ~FC022 + service manage_unit do # we can get restarted, but we don't need to enable/start this explicitly # due to the use of BindsTo on the swap unit action :nothing diff --git a/cookbooks/fb_sysctl/resources/default.rb b/cookbooks/fb_sysctl/resources/default.rb index abdf349c0..c24051c84 100644 --- a/cookbooks/fb_sysctl/resources/default.rb +++ b/cookbooks/fb_sysctl/resources/default.rb 
@@ -21,7 +21,7 @@ def set_sysctl(node, name, val) FB::Sysctl.current_settings(node), node['fb_sysctl'].to_hash, ) - unless bad_settings.empty? # ~FC023 + unless bad_settings.empty? converge_by 'Converging sysctls' do messages = bad_settings.map do |k, v| "#{k} (#{v} -> #{node['fb_sysctl'][k]})" diff --git a/cookbooks/fb_system_upgrade/resources/default.rb b/cookbooks/fb_system_upgrade/resources/default.rb index da6e6afb5..ddeaa5e05 100644 --- a/cookbooks/fb_system_upgrade/resources/default.rb +++ b/cookbooks/fb_system_upgrade/resources/default.rb @@ -51,7 +51,7 @@ cmd = FB::SystemUpgrade.get_upgrade_command(node) - ruby_block 'actual_dnf_upgrade' do # ~FC014 + ruby_block 'actual_dnf_upgrade' do block do Chef::Log.info("fb_system_upgrade: Actual upgrade command: #{cmd}") s = Mixlib::ShellOut.new( diff --git a/cookbooks/fb_systemd/resources/loader_entries.rb b/cookbooks/fb_systemd/resources/loader_entries.rb index 9ac095904..0dc2a0948 100644 --- a/cookbooks/fb_systemd/resources/loader_entries.rb +++ b/cookbooks/fb_systemd/resources/loader_entries.rb @@ -23,7 +23,7 @@ Dir.glob("#{esp_path}/loader/entries/fb_systemd_*.conf").each do |path| entry = /^fb_systemd_(\w+)\.conf$/.match(::File.basename(path)) - if entry && !entries.include?(entry[1]) # ~FC023 + if entry && !entries.include?(entry[1]) file path do action :delete end diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 818300d39..db5aa68e6 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -54,7 +54,7 @@ # We have to do this first cause you can't disable a unit who's file has # disappeared off the filesystem possible_link = "/etc/systemd/system/#{fname}" - if ::File.symlink?(possible_link) && # ~FC023 + if ::File.symlink?(possible_link) && ::File.readlink(possible_link) == path # systemd can get confused if you delete the file without disabling # the unit first. Disabling a linked unit removes the symlink anyway. 
From 65ec06e7234116e1f611731eea4c20871ed95bf3 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Wed, 31 Jan 2024 14:01:03 -0800 Subject: [PATCH 125/188] Ratchet in Chef/Modernize/FoodcriticComments Summary: Now that the awful work of tearing out the Foodcritic annotations is done, enable the upstream cop so we don't need to deal with Differential Revision: D53137508 fbshipit-source-id: c1ed3195cd6500c90679f983177cede83a3bb791 --- .cookstyle.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.cookstyle.yml b/.cookstyle.yml index a874ddf3c..42f248868 100644 --- a/.cookstyle.yml +++ b/.cookstyle.yml @@ -302,6 +302,8 @@ Chef/Modernize/ExecuteSysctl: Enabled: true Chef/Modernize/ExecuteTzUtil: Enabled: true +Chef/Modernize/FoodcriticComments: + Enabled: true Chef/Modernize/IfProvidesDefaultAction: Enabled: true Chef/Modernize/IncludingAptDefaultRecipe: From 9218cc5e7046da43547d694a411f0ca67ac9cb7e Mon Sep 17 00:00:00 2001 From: Adam Saponara Date: Tue, 6 Feb 2024 13:49:06 -0800 Subject: [PATCH 126/188] fb_apt: Add ability to log output of `apt-get update` (#232) Test Plan: Imported from GitHub, without a `Test Plan:` line. Tested with a basic regression test on a twshared host, though this cookbook isn't used internally and this should be a no-op Differential Revision: D52880450 fbshipit-source-id: 1c4a1cc20837cb0cafd95f432f73639fce3a4eb6 --- cookbooks/fb_apt/README.md | 6 ++++++ cookbooks/fb_apt/attributes/default.rb | 1 + cookbooks/fb_apt/recipes/default.rb | 8 +++++++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_apt/README.md b/cookbooks/fb_apt/README.md index 040549ade..560f2732f 100644 --- a/cookbooks/fb_apt/README.md +++ b/cookbooks/fb_apt/README.md @@ -22,6 +22,7 @@ Attributes * node['fb_apt']['want_source'] * node['fb_apt']['preserve_unknown_keyrings'] * node['fb_apt']['allow_modified_pkg_keyrings'] +* node['fb_apt']['apt_update_log_path'] Usage ----- 
@@ -107,3 +108,8 @@ As mentioned above, `fb_apt` can assemble the basic sources for you. It uses the LSB "codename" of the current systemd to build the URLs. In the event you want to use Chef to upgrade across distros, however, you can set `node['fb_apt']['distro']` to the appropriate name and it will be used instead. + +### Logging `apt-get update` +Set `node['fb_apt']['apt_update_log_path']` to log stdout and stderr of the +`apt-get update` command invoked by this cookbook. This may be useful for +debugging purposes. The caller must handle log rotation. diff --git a/cookbooks/fb_apt/attributes/default.rb b/cookbooks/fb_apt/attributes/default.rb index 21364dbc1..f4f21781f 100644 --- a/cookbooks/fb_apt/attributes/default.rb +++ b/cookbooks/fb_apt/attributes/default.rb @@ -38,6 +38,7 @@ 'want_source' => false, 'preserve_unknown_keyrings' => false, 'allow_modified_pkg_keyrings' => false, + 'apt_update_log_path' => nil, } # fb_apt must be defined for this to work... keys = FB::Apt.get_official_keyids(node).map { |id| [id, nil] }.to_h diff --git a/cookbooks/fb_apt/recipes/default.rb b/cookbooks/fb_apt/recipes/default.rb index 40be50fbb..56c0c6a44 100644 --- a/cookbooks/fb_apt/recipes/default.rb +++ b/cookbooks/fb_apt/recipes/default.rb @@ -18,6 +18,8 @@ # limitations under the License. # +require 'shellwords' + unless node.debian? || node.ubuntu? fail 'fb_apt is only supported on Debian and Ubuntu.' end @@ -94,7 +96,11 @@ end execute 'apt-get update' do - command 'apt-get update' + command lazy do + log_path = node['fb_apt']['apt_update_log_path'] + cmd_suffix = " >>#{Shellwords.shellescape(log_path)} 2>&1" if log_path + "apt-get update#{cmd_suffix}" + end action :nothing end From ceca0eddb4b57bfb1aa5fa6f5a5eb202234eca6b Mon Sep 17 00:00:00 2001 
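Review bot: In the `execute 'apt-get update'` hunk, `apt_update_log_path` is only tested for truthiness, so an empty string (truthy in Ruby) yields `apt-get update >>'' 2>&1`, and the failed redirect makes every update fail. A guard like `if log_path && !log_path.empty?` avoids that. The quoting via `Shellwords.shellescape` is fine, but the shell opens the target with `>>` as the user Chef runs as (normally root) and follows symlinks. The README paragraph should therefore say the path must live in a directory that only root can write to. With `2>&1` going to the file, a failed update also leaves no output for Chef's error report, which is worth a sentence in the README too.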
From: Joshua Miller Date: Wed, 14 Feb 2024 08:24:36 -0800 Subject: [PATCH 127/188] fb_apt: correct multiline command proc for log_path to work Differential Revision: D53741083 fbshipit-source-id: f121b988d85c041f9f4d120fd5d5e16236ef6cb9 --- cookbooks/fb_apt/recipes/default.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_apt/recipes/default.rb b/cookbooks/fb_apt/recipes/default.rb index 56c0c6a44..85f0dbcbc 100644 --- a/cookbooks/fb_apt/recipes/default.rb +++ b/cookbooks/fb_apt/recipes/default.rb @@ -96,11 +96,11 @@ end execute 'apt-get update' do - command lazy do + command(lazy do log_path = node['fb_apt']['apt_update_log_path'] cmd_suffix = " >>#{Shellwords.shellescape(log_path)} 2>&1" if log_path "apt-get update#{cmd_suffix}" - end + end) action :nothing end From 430668773ff362112ff0ed530563ddc36d9841b4 Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Thu, 22 Feb 2024 14:26:51 -0800 Subject: [PATCH 128/188] fb_iproute: ensure directory exists Summary: On c10s and ELN iproute doesn't create this directory anymore, so we need to ensure it actually exists. Differential Revision: D54077468 fbshipit-source-id: bca370ff40d7d3c7380be72c452866e0fa8f9bf8 --- cookbooks/fb_iproute/recipes/rt_protos.rb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/cookbooks/fb_iproute/recipes/rt_protos.rb b/cookbooks/fb_iproute/recipes/rt_protos.rb index 726400f78..1802677ca 100644 --- a/cookbooks/fb_iproute/recipes/rt_protos.rb +++ b/cookbooks/fb_iproute/recipes/rt_protos.rb @@ -19,6 +19,14 @@ rt_protos_d_dir = '/etc/iproute2/rt_protos.d'.freeze +directory '/etc/iproute2' do + only_if { node['fb_iproute']['rt_protos_ids'] } + owner 'root' + group 'root' + mode '0755' + action :create +end + directory rt_protos_d_dir do only_if { node['fb_iproute']['rt_protos_ids'] } owner 'root' From 3e25d0351338bc4f6faf27f6c2d77337d1bb2e81 Mon Sep 17 00:00:00 2001 
From: Davide Cavalca Date: Thu, 22 Feb 2024 15:38:12 -0800 Subject: [PATCH 129/188] fb_helpers: add helpers for new distro versions Summary: Cover the latest Fedora, CentOS and RHEL Differential Revision: D54079561 fbshipit-source-id: 7d2c34273d8b3256f38d4c76c9dc42c617ad21ba --- cookbooks/fb_helpers/README.md | 21 ++++++++++++++ .../fb_helpers/libraries/node_methods.rb | 28 +++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/cookbooks/fb_helpers/README.md b/cookbooks/fb_helpers/README.md index fb91153e0..09c044f31 100644 --- a/cookbooks/fb_helpers/README.md +++ b/cookbooks/fb_helpers/README.md @@ -39,6 +39,9 @@ your node. * `node.centos9?` Is CentOS Stream 9 +* `node.centos10?` + Is CentOS Stream 10 + * `node.centos_max_version?(v)` Is RHEL-compatible with a maximum version number of v @@ -78,6 +81,18 @@ your node. * `node.fedora36?` Is Fedora 36 +* `node.fedora37?` + Is Fedora 37 + +* `node.fedora38?` + Is Fedora 38 + +* `node.fedora39?` + Is Fedora 39 + +* `node.fedora40?` + Is Fedora 40 + * `node.eln?` Is Fedora ELN @@ -96,6 +111,9 @@ your node. * `node.redhat9?` Is Redhat Enterprise Linux 9 +* `node.redhat10?` + Is Redhat Enterprise Linux 10 + * `node.rhel_max_version?(v)` Is Redhat Enterprise Linux with a maximum version number of v @@ -114,6 +132,9 @@ your node. * `node.rhel9?` Is Redhat Enterprise Linux 9 +* `node.rhel10?` + Is Redhat Enterprise Linux 10 + * `node.oracle?` Is Oracle Enterprise Linux diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index 86928ca17..48e9e76e0 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -102,6 +102,10 @@ def rhel9? self.rhel? && self['platform_version'].start_with?('9') end + def rhel10? + self.rhel? && self['platform_version'].start_with?('10') + end + def centos_min_version?(version) self.centos? && self.el_min_version?(version) end 
@@ -114,6 +118,10 @@ def centos? self['platform'] == 'centos' end + def centos10? + self.centos? && self['platform_version'].start_with?('10') + end + def centos9? self.centos? && self['platform_version'].start_with?('9') end @@ -174,6 +182,10 @@ def redhat9? self.redhat? && self['platform_version'].start_with?('9') end + def redhat10? + self.redhat? && self['platform_version'].start_with?('10') + end + def oracle? self['platform'] == 'oracle' end @@ -254,6 +266,22 @@ def fedora36? self.fedora? && self['platform_version'] == '36' end + def fedora37? + self.fedora? && self['platform_version'] == '37' + end + + def fedora38? + self.fedora? && self['platform_version'] == '38' + end + + def fedora39? + self.fedora? && self['platform_version'] == '39' + end + + def fedora40? + self.fedora? && self['platform_version'] == '40' + end + def eln? self['platform'] == 'fedora' && self['os_release'] && From 54336423d4741afad83c8c966ee27b886cae49dc Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Fri, 23 Feb 2024 09:18:26 -0800 Subject: [PATCH 130/188] fb_postfix: default to lmdb maps for el10 and later (#235) Summary: Pull Request resolved: https://github.com/facebook/chef-cookbooks/pull/235 Upstream dropped support for libdb in https://src.fedoraproject.org/rpms/postfix/c/6a2621e4d73d59337dc64ba45922132286b841a1 so we need to use lmdb in RHEL 10 and later Differential Revision: D54077466 fbshipit-source-id: 7045a9762ce0390d485c20f9ff2818ccf41fedb5 --- cookbooks/fb_postfix/attributes/default.rb | 18 +++++++++++++----- cookbooks/fb_postfix/recipes/default.rb | 12 ++++++++++-- 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/cookbooks/fb_postfix/attributes/default.rb b/cookbooks/fb_postfix/attributes/default.rb index 02a7d00fe..e87b22c1b 100644 --- a/cookbooks/fb_postfix/attributes/default.rb +++ b/cookbooks/fb_postfix/attributes/default.rb 
@@ -15,6 +15,14 @@ # See the License for the specific language governing permissions and # limitations under the License. +# RHEL 10 and later don't support hash maps anymore +# https://src.fedoraproject.org/rpms/postfix/c/6a2621e4d73d59337dc64ba45922132286b841a1 +if node.el_min_version?(10) || node.eln? + map_type = 'lmdb' +else + map_type = 'hash' +end + default['fb_postfix'] = { 'enable' => true, 'mask_service' => false, @@ -32,7 +40,7 @@ 'mail_owner' => 'postfix', 'mynetworks' => '/etc/postfix/mynetworks', 'relay_domains' => '/etc/postfix/relaydomains', - 'alias_maps' => 'hash:/etc/postfix/aliases', + 'alias_maps' => "#{map_type}:/etc/postfix/aliases", 'recipient_delimiter' => '+', 'smtpd_banner' => '$myhostname ESMTP', 'debug_peer_level' => 2, @@ -40,13 +48,13 @@ 'PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ' + 'ddd $daemon_directory/$process_name $process_id & sleep 5', 'newaliases_path' => '/usr/bin/newaliases.postfix', - 'alias_database' => 'hash:/etc/postfix/aliases', + 'alias_database' => "#{map_type}:/etc/postfix/aliases", 'disable_vrfy_command' => 'yes', 'smtpd_client_restrictions' => - 'hash:/etc/postfix/access, permit_mynetworks', + "#{map_type}:/etc/postfix/access, permit_mynetworks", 'smtpd_helo_required' => 'yes', 'smtpd_recipient_restrictions' => - 'check_recipient_access hash:/etc/postfix/local_access,' + + "check_recipient_access #{map_type}:/etc/postfix/local_access," + 'permit_mynetworks, reject_unauth_destination', 'biff' => 'no', 'require_home_directory' => 'no', @@ -95,7 +103,7 @@ 'smtpd_hard_error_limit' => '10', 'smtpd_recipient_limit' => '1000', 'smtpd_sender_restrictions' => - 'reject_unknown_sender_domain, hash:/etc/postfix/access', + "reject_unknown_sender_domain, #{map_type}:/etc/postfix/access", 'smtpd_soft_error_limit' => '5', 'smtpd_timeout' => '120s', 'smtp_sasl_auth_enable' => nil, diff --git a/cookbooks/fb_postfix/recipes/default.rb b/cookbooks/fb_postfix/recipes/default.rb index bf878a983..19c606153 100644 
--- a/cookbooks/fb_postfix/recipes/default.rb +++ b/cookbooks/fb_postfix/recipes/default.rb @@ -93,6 +93,14 @@ action :nothing end +# RHEL 10 and later don't support hash maps anymore +# https://src.fedoraproject.org/rpms/postfix/c/6a2621e4d73d59337dc64ba45922132286b841a1 +if node.el_min_version?(10) || node.eln? + map_type = 'lmdb' +else + map_type = 'hash' +end + %w{ access canonical @@ -115,14 +123,14 @@ else mode '0644' end - notifies :run, "execute[postmap #{text_map}]", :immediately + notifies :run, "execute[postmap #{map_type}:#{text_map}]", :immediately notifies :reload, 'service[postfix]' variables( :db_file => text_map_rel, ) end - execute "postmap #{text_map}" do + execute "postmap #{map_type}:#{text_map}" do action :nothing end end From e6d7e35e82ff8e5430a059cda9b6056ededb7e59 Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Fri, 23 Feb 2024 10:57:13 -0800 Subject: [PATCH 131/188] fb_logrotate: update rsyslog-logrotate removal logic for new versions Summary: rsyslog-logrotate was introduced in f36 (https://bugzilla.redhat.com/show_bug.cgi?id=1992153) and backported to c9s (https://bugzilla.redhat.com/show_bug.cgi?id=1992155) but it has since been subsumed again in https://bugzilla.redhat.com/show_bug.cgi?id=2242243 for f40 (which will carry over in c10s). Differential Revision: D54079562 fbshipit-source-id: db20b41625ebf0506f2dcad9d5305c4ae7dd4a62 --- cookbooks/fb_logrotate/recipes/default.rb | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/cookbooks/fb_logrotate/recipes/default.rb b/cookbooks/fb_logrotate/recipes/default.rb index dba2e54aa..3c0cd08b5 100644 --- a/cookbooks/fb_logrotate/recipes/default.rb +++ b/cookbooks/fb_logrotate/recipes/default.rb 
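Review bot: The `map_type` selection added in the `@@ -93,6 +93,14 @@` recipe hunk is a second copy of the block this commit adds to attributes/default.rb, and the two copies can drift apart. The attributes copy builds the `main.cf` values (`smtpd_client_restrictions`, `smtpd_recipient_restrictions`, `alias_maps`), while the recipe copy decides what `postmap` compiles. If a wrapper cookbook overrides one of those attributes to a different map type, the recipe still compiles the platform-derived type. As far as I can tell, the access-table lookups would then fail at mail time rather than at converge. I would keep the choice in one place (a library helper or a node attribute the recipe reads) and add a comment on the `execute "postmap #{map_type}:#{text_map}"` resource such as `# map type must match the prefix used for this table in main.cf`.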
@@ -186,22 +186,25 @@ end end -# syslog has been moved into the main fb_logrotate.conf -if node.debian_family? || - node.rhel7? || node.rhel8? || - node.centos7? || node.centos8? - # CentOS and Debian use different files for their main syslog configuration +if node.centos9? || node.fedora38? || node.fedora39? + # This was a separate package but it's been subsumed again + # https://bugzilla.redhat.com/show_bug.cgi?id=2242243 + # https://bugzilla.redhat.com/show_bug.cgi?id=1992153 + package 'rsyslog-logrotate' do + action :remove + end +else + # On all other systems the config is part of the main rsyslog package and + # needs to be clobbered directly. Note that CentOS and Debian use different + # files for their main syslog configuration. syslog_config = value_for_platform_family( ['rhel', 'fedora'] => '/etc/logrotate.d/syslog', 'debian' => '/etc/logrotate.d/rsyslog', ) + # We want to manage the rsyslog logrotate config with fb_logrote so we + # remove the one installed by the system package. file syslog_config do action 'delete' end -else - # As of Fedora 36 this is in a subpackage - package 'rsyslog-logrotate' do - action :remove - end end From 6e97acaabeddc7ca85912c2c0591002ac02c5989 Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Wed, 28 Feb 2024 09:15:44 -0800 Subject: [PATCH 132/188] fb_systemd: add basic management for homed Summary: This isn't used by any distribution yet, so keep it disabled by default. Differential Revision: D54310828 fbshipit-source-id: f22bdffa061f5e8a5b8c8d1ffc29ae27582379c7 --- cookbooks/fb_systemd/README.md | 5 ++++ cookbooks/fb_systemd/attributes/default.rb | 3 +++ cookbooks/fb_systemd/recipes/default.rb | 1 + cookbooks/fb_systemd/recipes/homed.rb | 29 ++++++++++++++++++++++ 4 files changed, 38 insertions(+) create mode 100644 cookbooks/fb_systemd/recipes/homed.rb diff --git a/cookbooks/fb_systemd/README.md b/cookbooks/fb_systemd/README.md index 78a7f1df2..a31be704f 100644 --- a/cookbooks/fb_systemd/README.md 
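Review bot: The new test `if node.centos9? || node.fedora38? || node.fedora39?` enumerates exact releases, so every platform not listed now takes the `else` branch, where the old code sent only Debian and EL7/EL8 there. The commit message says the subpackage appeared in Fedora 36, so Fedora 36/37 (and RHEL 9 itself, if `centos9?` does not match it) would have the file deleted while the package that owns it stays installed and can restore it on update. On a platform family outside rhel/fedora/debian, `value_for_platform_family` has no matching entry, so `file syslog_config` would, as far as I know, receive nil. A guard such as `if syslog_config` around the resource would make that explicit. The added comment also has a typo, `fb_logrote`.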
+++ b/cookbooks/fb_systemd/README.md @@ -19,6 +19,7 @@ Attributes * node['fb_systemd']['journal-remote']['config'] * node['fb_systemd']['journal-upload']['enable'] * node['fb_systemd']['journal-upload']['config'] +* node['fb_systemd']['homed']['enable'] * node['fb_systemd']['logind']['enable'] * node['fb_systemd']['logind']['config'] * node['fb_systemd']['networkd']['enable'] @@ -297,6 +298,10 @@ to `false`. journal-upload can be configured using the `node['fb_systemd']['journal-upload']['config']` attribute, according to the [journal-upload documentation](https://www.freedesktop.org/software/systemd/man/systemd-journal-upload.html). +### homed configuration +You can choose whether or not to enable `systemd-homed` with the +`node['fb_systemd']['homed']['enable']` attribute. + ### logind configuration You can choose whether or not to enable `systemd-logind` with the `node['fb_systemd']['logind']['enable']` attribute. Note that for user sessions diff --git a/cookbooks/fb_systemd/attributes/default.rb b/cookbooks/fb_systemd/attributes/default.rb index 215cccdb2..5d17f1a29 100644 --- a/cookbooks/fb_systemd/attributes/default.rb +++ b/cookbooks/fb_systemd/attributes/default.rb @@ -105,6 +105,9 @@ 'enable' => false, 'config' => {}, }, + 'homed' => { + 'enable' => false, + }, 'logind' => { 'enable' => true, 'config' => {}, diff --git a/cookbooks/fb_systemd/recipes/default.rb b/cookbooks/fb_systemd/recipes/default.rb index 6251945ce..2311c8087 100644 --- a/cookbooks/fb_systemd/recipes/default.rb +++ b/cookbooks/fb_systemd/recipes/default.rb @@ -81,6 +81,7 @@ include_recipe 'fb_systemd::journal-remote' include_recipe 'fb_systemd::journal-upload' include_recipe 'fb_systemd::logind' +include_recipe 'fb_systemd::homed' include_recipe 'fb_systemd::networkd' include_recipe 'fb_systemd::resolved' include_recipe 'fb_systemd::timesyncd' diff --git a/cookbooks/fb_systemd/recipes/homed.rb b/cookbooks/fb_systemd/recipes/homed.rb new file mode 100644 index 000000000..e651e44fa 
--- /dev/null +++ b/cookbooks/fb_systemd/recipes/homed.rb @@ -0,0 +1,29 @@ +# +# Cookbook Name:: fb_systemd +# Recipe:: homed +# +# Copyright (c) 2024-present, Facebook, Inc. +# All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +service 'systemd-homed' do + only_if { node['fb_systemd']['homed']['enable'] } + action [:enable, :start] +end + +service 'disable systemd-homed' do + not_if { node['fb_systemd']['homed']['enable'] } + action [:stop, :disable] +end From e7b446b2ac503272f0c7ffe093a3324e29d50a5a Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 28 Feb 2024 13:25:16 -0800 Subject: [PATCH 133/188] fb_networkd: setup a way to stop and start services around a networkd change Differential Revision: D54094219 fbshipit-source-id: 1f13316e4ba957309552a079a946f0da8bfbe046 --- cookbooks/fb_networkd/README.md | 9 ++++++ cookbooks/fb_networkd/attributes/default.rb | 1 + cookbooks/fb_networkd/recipes/default.rb | 4 +++ cookbooks/fb_networkd/resources/notify.rb | 36 +++++++++++++++++++++ 4 files changed, 50 insertions(+) diff --git a/cookbooks/fb_networkd/README.md b/cookbooks/fb_networkd/README.md index e2b8120a0..ea49c662e 100644 --- a/cookbooks/fb_networkd/README.md +++ b/cookbooks/fb_networkd/README.md 
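Review bot: The second resource in the new homed.rb, `service 'disable systemd-homed'`, sets no `service_name`, so Chef takes the resource name as the unit name and the `[:stop, :disable]` actions never reach `systemd-homed`. Because `node['fb_systemd']['homed']['enable']` defaults to `false`, this is the branch most hosts take. A host where homed is already enabled or running would keep it that way while the cookbook reports it as managed. Adding `service_name 'systemd-homed'` inside that block fixes it.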
@@ -157,6 +157,15 @@ will result in: notifies :restart, 'service[some_service]' ``` +If you need to stop a service before a networkd change is made (and then start +it against afterwards) you can use `node['fb_networkd']['stop_before']`. +This is a list of resource names which will be issued a :stop before the +networkd change is made, than a :start at the end of the run. + +```ruby +node.default['fb_networkd']['stop_before'] << 'service[cool_service]' +``` + ### When can Chef make network changes Network changes can be disruptive and have potential for major impact. To mitigate this, `node.interface_change_allowed?(interface)` from `fb_helpers` diff --git a/cookbooks/fb_networkd/attributes/default.rb b/cookbooks/fb_networkd/attributes/default.rb index eed95fcea..73384b135 100644 --- a/cookbooks/fb_networkd/attributes/default.rb +++ b/cookbooks/fb_networkd/attributes/default.rb @@ -31,4 +31,5 @@ 'links' => {}, 'devices' => {}, 'notify_resources' => {}, + 'stop_before' => [], } diff --git a/cookbooks/fb_networkd/recipes/default.rb b/cookbooks/fb_networkd/recipes/default.rb index 9ddd3b451..37eab94c4 100644 --- a/cookbooks/fb_networkd/recipes/default.rb +++ b/cookbooks/fb_networkd/recipes/default.rb @@ -25,7 +25,11 @@ node.default['fb_systemd']['networkd']['enable'] = true fb_networkd 'manage configuration' do + # Trigger deferred actions (e.g. :restart) notifies :trigger, 'fb_networkd_notify[doit]' + # Trigger service stops (and starts) around networkd changes + notifies :stop, 'fb_networkd_notify[doit]', :before + notifies :start, 'fb_networkd_notify[doit]' end fb_networkd_notify 'doit' do diff --git a/cookbooks/fb_networkd/resources/notify.rb b/cookbooks/fb_networkd/resources/notify.rb index ab68f68ca..8dd111c67 100644 --- a/cookbooks/fb_networkd/resources/notify.rb +++ b/cookbooks/fb_networkd/resources/notify.rb 
@@ -36,3 +36,39 @@ end end end + +action :stop do + if Chef::VERSION.to_i >= 16 + notify_group 'stop resources before networkd change' do # rubocop:disable Chef/Meta/Chef16 + node['fb_networkd']['stop_before'].each do |r| + notifies :stop, r, :immediately + end + action :run + end + else + log 'stop resources before networkd change' do + node['fb_networkd']['stop_before'].each do |r| + notifies :stop, r, :immediately + end + action :write + end + end +end + +action :start do + if Chef::VERSION.to_i >= 16 + notify_group 'start resources after networkd change' do # rubocop:disable Chef/Meta/Chef16 + node['fb_networkd']['stop_before'].each do |r| + notifies :start, r + end + action :run + end + else + log 'start resources after networkd change' do + node['fb_networkd']['stop_before'].each do |r| + notifies :start, r + end + action :write + end + end +end From 344da65614ddc4707d244c69f325010ad4aff3d0 Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Thu, 29 Feb 2024 08:06:45 -0800 Subject: [PATCH 134/188] fb_postfix: specify map type when rebuilding aliases too Differential Revision: D54362650 fbshipit-source-id: 7b0cc6b54fd9fe005e62f5f9b3a3d08f4e2b5612 --- cookbooks/fb_postfix/recipes/default.rb | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/cookbooks/fb_postfix/recipes/default.rb b/cookbooks/fb_postfix/recipes/default.rb index 19c606153..b06fda93c 100644 --- a/cookbooks/fb_postfix/recipes/default.rb +++ b/cookbooks/fb_postfix/recipes/default.rb @@ -58,6 +58,14 @@ end end +# RHEL 10 and later don't support hash maps anymore +# https://src.fedoraproject.org/rpms/postfix/c/6a2621e4d73d59337dc64ba45922132286b841a1 +if node.el_min_version?(10) || node.eln? + map_type = 'lmdb' +else + map_type = 'hash' +end + # postfix remnant blocks running postalias if it exists file '/etc/postfix/__db.aliases.db' do action :delete 
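Review bot: In the new `action :stop` and `action :start` of notify.rb, each entry of `node['fb_networkd']['stop_before']` is passed straight to `notifies` with no check. A misspelled entry, or a resource absent from the run, will (as far as I know) abort the run just as the network change is about to be applied. `action :start` also sends `:start` to every listed resource whether or not the earlier `:stop` changed anything, so a service that was deliberately down before the run gets started. If the run fails between the stop and the delayed start, whether the services come back depends on Chef's handling of delayed notifications on failure. I would document these three behaviours in the README section this commit adds. I would also put a short comment above `action :stop`, e.g. `# entries must name resources that exist in this run and support :stop/:start`.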
@@ -68,7 +76,7 @@ owner 'root' group 'root' mode '0644' - notifies :run, 'execute[postalias /etc/postfix/aliases]', :immediately + notifies :run, "execute[postalias #{map_type}:/etc/postfix/aliases]", :immediately notifies :reload, 'service[postfix]' end @@ -89,18 +97,10 @@ end # setup aliases file & db -execute 'postalias /etc/postfix/aliases' do +execute "postalias #{map_type}:/etc/postfix/aliases" do action :nothing end -# RHEL 10 and later don't support hash maps anymore -# https://src.fedoraproject.org/rpms/postfix/c/6a2621e4d73d59337dc64ba45922132286b841a1 -if node.el_min_version?(10) || node.eln? - map_type = 'lmdb' -else - map_type = 'hash' -end - %w{ access canonical From 7efa8433ea2be71e15f56c73fa9ff0bf5cc96976 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Wed, 6 Mar 2024 14:10:38 -0800 Subject: [PATCH 135/188] Shard out disabling `requires_enable` API (1%) Differential Revision: D54571787 fbshipit-source-id: cac7d664703cd216eaa84d0c276edf6c9f99082a --- cookbooks/fb_timers/libraries/timers.rb | 1 + cookbooks/fb_timers/resources/setup.rb | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/cookbooks/fb_timers/libraries/timers.rb b/cookbooks/fb_timers/libraries/timers.rb index 4df4c1db6..7d0c03435 100644 --- a/cookbooks/fb_timers/libraries/timers.rb +++ b/cookbooks/fb_timers/libraries/timers.rb @@ -34,6 +34,7 @@ class Systemd 'fixed_splay' => true, 'only_if' => nil, 'persistent' => false, + # TODO: Deprecate post rollout + clean up logic that uses it 'requires_enable' => true, 'service_options' => {}, 'service_unit_options' => {}, diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index db5aa68e6..495504ac0 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb 
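Review bot: Interpolating `map_type` into the `execute` resource name changes the name other resources use to notify it, so anything outside this recipe that still notifies `execute[postalias /etc/postfix/aliases]` would fail to resolve the resource; such callers are not visible in this diff. Keeping the name fixed and moving the map type into the command avoids that: `execute 'postalias /etc/postfix/aliases' do` with `command "postalias #{map_type}:/etc/postfix/aliases"`, and the `notifies :run` line in the hunk at -68,7 could then stay as it was. `map_type` only ever holds the literals `'lmdb'` or `'hash'`, so the interpolation itself is safe in a command string.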
@@ -73,6 +73,15 @@ # Setup current jobs node['fb_timers']['jobs'].to_hash.each_pair do |name, conf| conf = FB::Systemd::TIMER_DEFAULTS.merge(conf.merge('name' => name)) + + # Tempoary logic to shard out defaulting `requires_enable` to false + # and to deprecate the API parameter once done + # Check it's not already disabled elsewhere + if conf['requires_enable'] == true + # Work down shard - set false for any box in shard 98-99 (1%) + conf['requires_enable'] = node.in_shard?(98) + end + node.default['fb_timers']['jobs'][name] = conf # Do this early so we can rely on commands being filled in From f6816d71a6c587923448d512620823b28d589959 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Thu, 7 Mar 2024 06:58:45 -0800 Subject: [PATCH 136/188] Shard out disabling `requires_enable` API (2%) Differential Revision: D54591689 fbshipit-source-id: 8b60a9d08afd31af58a5516ab7e4c92e63b463a6 --- cookbooks/fb_timers/resources/setup.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 495504ac0..312f1ede7 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -78,8 +78,8 @@ # and to deprecate the API parameter once done # Check it's not already disabled elsewhere if conf['requires_enable'] == true - # Work down shard - set false for any box in shard 98-99 (1%) - conf['requires_enable'] = node.in_shard?(98) + # Work down shard - set false for any box in shard 97-99 (2%) + conf['requires_enable'] = node.in_shard?(97) end node.default['fb_timers']['jobs'][name] = conf From 272061bb5dd8fb8e39756b43086e2f9270af85ed Mon Sep 17 00:00:00 2001 
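Review bot: The `conf['requires_enable'] == true` test runs after the merge with `FB::Systemd::TIMER_DEFAULTS`, so it cannot tell the default from a job that set `requires_enable` to `true` on purpose, and such a job is overwritten with the result of `node.in_shard?` as well. If that is intended, the comment should say so, e.g. `# An explicit true is treated like the default and is also sharded out`. The comments also need a pass: `Tempoary` is misspelled, and `shard 98-99 (1%)` names two shards for one percent. The same range wording is carried through the follow-up hunks that change the threshold (97, 94, 89, 74, 49, 24), and it only matches the stated percentages if `in_shard?` includes its argument, which is not visible here. The hunk that sets the threshold to 49 still says `(25%)` although its commit subject says 50%.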
From: Cooper Lees Date: Thu, 7 Mar 2024 12:58:15 -0800 Subject: [PATCH 137/188] Shard out disabling `requires_enable` API (5%) Differential Revision: D54606246 fbshipit-source-id: 5cf0aef2a3e193999f4d72bfb5d59f5a1e05a48b --- cookbooks/fb_timers/resources/setup.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 312f1ede7..db2563b40 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -78,8 +78,8 @@ # and to deprecate the API parameter once done # Check it's not already disabled elsewhere if conf['requires_enable'] == true - # Work down shard - set false for any box in shard 97-99 (2%) - conf['requires_enable'] = node.in_shard?(97) + # Work down shard - set false for any box in shard 94-99 (5%) + conf['requires_enable'] = node.in_shard?(94) end node.default['fb_timers']['jobs'][name] = conf From 96dc889c88ca5b0de3d3c3849d4488227bb02810 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Fri, 8 Mar 2024 11:46:52 -0800 Subject: [PATCH 138/188] Shard out disabling `requires_enable` API (10%) Differential Revision: D54608085 fbshipit-source-id: 4c09d4f44770e55a3bbf1ffd45ff494c4c4371a6 --- cookbooks/fb_timers/resources/setup.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index db2563b40..2c318a97f 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -78,8 +78,8 @@ # and to deprecate the API parameter once done # Check it's not already disabled elsewhere if conf['requires_enable'] == true - # Work down shard - set false for any box in shard 94-99 (5%) - conf['requires_enable'] = node.in_shard?(94) + # Work down shard - set false for any box in shard 89-99 (10%) + conf['requires_enable'] = node.in_shard?(89) end node.default['fb_timers']['jobs'][name] = conf 
From c788f755cffa92156fd0cb7e0077967842331c89 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Mon, 11 Mar 2024 05:38:40 -0700 Subject: [PATCH 139/188] Shard out disabling `requires_enable` API (25%) Differential Revision: D54608083 fbshipit-source-id: 9fd6ae63183a5ff1b0c5673c2f5a5a35bc9b95e5 --- cookbooks/fb_timers/resources/setup.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 2c318a97f..2720325eb 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -78,8 +78,8 @@ # and to deprecate the API parameter once done # Check it's not already disabled elsewhere if conf['requires_enable'] == true - # Work down shard - set false for any box in shard 89-99 (10%) - conf['requires_enable'] = node.in_shard?(89) + # Work down shard - set false for any box in shard 74-99 (25%) + conf['requires_enable'] = node.in_shard?(74) end node.default['fb_timers']['jobs'][name] = conf From a00f578896dd8e2d132e5f57e5d71b38b1121e60 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Tue, 12 Mar 2024 00:54:29 -0700 Subject: [PATCH 140/188] Shard out disabling `requires_enable` API (50%) Differential Revision: D54608082 fbshipit-source-id: eff0e6439c05159af2f263ff8107838df6f3f53e --- cookbooks/fb_timers/resources/setup.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index 2720325eb..d29d2cbb9 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb 
@@ -78,8 +78,8 @@ # and to deprecate the API parameter once done # Check it's not already disabled elsewhere if conf['requires_enable'] == true - # Work down shard - set false for any box in shard 74-99 (25%) - conf['requires_enable'] = node.in_shard?(74) + # Work down shard - set false for any box in shard 49-99 (25%) + conf['requires_enable'] = node.in_shard?(49) end node.default['fb_timers']['jobs'][name] = conf From e50ee354b8c90cae73048d37fd3b212769204ac4 Mon Sep 17 00:00:00 2001 From: Fabian Mastenbroek Date: Tue, 12 Mar 2024 03:18:00 -0700 Subject: [PATCH 141/188] Configure DNF on Arista EOS 4.31+ Differential Revision: D54747272 fbshipit-source-id: fb45b067dbd6f408ed50d2921a2738713079bee9 --- cookbooks/fb_helpers/README.md | 3 +++ cookbooks/fb_helpers/libraries/node_methods.rb | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_helpers/README.md b/cookbooks/fb_helpers/README.md index 09c044f31..459864898 100644 --- a/cookbooks/fb_helpers/README.md +++ b/cookbooks/fb_helpers/README.md @@ -240,6 +240,9 @@ your node. * `node.aristaeos_4_28_or_newer?` Is network switch running Arista EOS and OS version is 4.28 or newer +* `node.aristaeos_4_31_or_newer?` + Is network switch running Arista EOS and OS version is 4.31 or newer + * `node.embedded?` Is embedded Linux, implies 'node.aristaeos?'. These devices likely have minimal packages installed, little space, and/or some non-persistent diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index 48e9e76e0..9997ac266 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -532,6 +532,10 @@ def aristaeos_4_28_or_newer? self.aristaeos? && self._self_version >= self._canonical_version('4.28') end + def aristaeos_4_31_or_newer? + self.aristaeos? && self._self_version >= self._canonical_version('4.31') + end + def embedded? self.aristaeos? end 
@@ -1026,7 +1030,7 @@ def filesystem_data # returns the version-release of an rpm installed, or nil if not present def rpm_version(name) if (self.centos? && !self.centos7?) || self.fedora? || self.redhat8? || self.oracle8? || self.redhat9? || - self.oracle9? + self.oracle9? || self.aristaeos_4_31_or_newer? # returns epoch.version v = Chef::Provider::Package::Dnf::PythonHelper.instance. package_query(:whatinstalled, name).version From 8c586c6932ab568ea73902d25cef1ee54de3929a Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Tue, 12 Mar 2024 07:19:15 -0700 Subject: [PATCH 142/188] Shard out disabling `requires_enable` API (75%) Differential Revision: D54608086 fbshipit-source-id: 64c60fdfdfb3f922b7f2923cd2643aeb71921883 --- cookbooks/fb_timers/resources/setup.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index d29d2cbb9..c0cdd7e83 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -78,8 +78,8 @@ # and to deprecate the API parameter once done # Check it's not already disabled elsewhere if conf['requires_enable'] == true - # Work down shard - set false for any box in shard 49-99 (25%) - conf['requires_enable'] = node.in_shard?(49) + # Work down shard - set false for any box in shard 24-99 (75%) + conf['requires_enable'] = node.in_shard?(24) end node.default['fb_timers']['jobs'][name] = conf From 7a8b222790c207f88f3f58245c9e95491aa5e55c Mon Sep 17 00:00:00 2001 
From: Cooper Lees Date: Tue, 12 Mar 2024 16:26:15 -0700 Subject: [PATCH 143/188] disable and remove `requires_enable` API Differential Revision: D54608084 fbshipit-source-id: cc5f9b1131a9e33f7037b089d58d71c08a7ef4d6 --- cookbooks/fb_timers/README.md | 2 -- cookbooks/fb_timers/libraries/timers.rb | 2 -- cookbooks/fb_timers/resources/setup.rb | 9 --------- cookbooks/fb_timers/spec/fixtures/default/complex.timer | 1 - .../fb_timers/spec/fixtures/default/complex_245.timer | 1 - cookbooks/fb_timers/spec/fixtures/default/multiple.timer | 1 - cookbooks/fb_timers/spec/fixtures/default/onboot.timer | 1 - cookbooks/fb_timers/spec/fixtures/default/params.timer | 1 - cookbooks/fb_timers/spec/fixtures/default/simple.timer | 1 - cookbooks/fb_timers/templates/default/timer.erb | 3 --- 10 files changed, 22 deletions(-) diff --git a/cookbooks/fb_timers/README.md b/cookbooks/fb_timers/README.md index eda3c52cb..339a94824 100644 --- a/cookbooks/fb_timers/README.md +++ b/cookbooks/fb_timers/README.md @@ -123,8 +123,6 @@ whatever you're doing. * `autostart`: Setting this to false will prevent units from being enabled and started in the chef run. This can be used for creating user units which are managed by other means. (defaults to `true`) -* `requires_enable`: Setting this to false will prevent including the `Requires` - field in the timer unit file. (defaults to `true`) ### Common Calendar Patterns A helper library is provided to allow easy generation of [systemd calendar diff --git a/cookbooks/fb_timers/libraries/timers.rb b/cookbooks/fb_timers/libraries/timers.rb index 7d0c03435..e0a16141b 100644 --- a/cookbooks/fb_timers/libraries/timers.rb +++ b/cookbooks/fb_timers/libraries/timers.rb @@ -34,8 +34,6 @@ class Systemd 'fixed_splay' => true, 'only_if' => nil, 'persistent' => false, - # TODO: Deprecate post rollout + clean up logic that uses it - 'requires_enable' => true, 'service_options' => {}, 'service_unit_options' => {}, 'splay' => '0s', 
diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index c0cdd7e83..db5aa68e6 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -73,15 +73,6 @@ # Setup current jobs node['fb_timers']['jobs'].to_hash.each_pair do |name, conf| conf = FB::Systemd::TIMER_DEFAULTS.merge(conf.merge('name' => name)) - - # Tempoary logic to shard out defaulting `requires_enable` to false - # and to deprecate the API parameter once done - # Check it's not already disabled elsewhere - if conf['requires_enable'] == true - # Work down shard - set false for any box in shard 24-99 (75%) - conf['requires_enable'] = node.in_shard?(24) - end - node.default['fb_timers']['jobs'][name] = conf # Do this early so we can rely on commands being filled in diff --git a/cookbooks/fb_timers/spec/fixtures/default/complex.timer b/cookbooks/fb_timers/spec/fixtures/default/complex.timer index bf49b8b3f..0115aecd8 100644 --- a/cookbooks/fb_timers/spec/fixtures/default/complex.timer +++ b/cookbooks/fb_timers/spec/fixtures/default/complex.timer @@ -3,7 +3,6 @@ [Unit] Description=Run scheduled task complex -Requires=complex.service [Install] WantedBy=timers.target diff --git a/cookbooks/fb_timers/spec/fixtures/default/complex_245.timer b/cookbooks/fb_timers/spec/fixtures/default/complex_245.timer index bf49b8b3f..0115aecd8 100644 --- a/cookbooks/fb_timers/spec/fixtures/default/complex_245.timer +++ b/cookbooks/fb_timers/spec/fixtures/default/complex_245.timer @@ -3,7 +3,6 @@ [Unit] Description=Run scheduled task complex -Requires=complex.service [Install] WantedBy=timers.target diff --git a/cookbooks/fb_timers/spec/fixtures/default/multiple.timer b/cookbooks/fb_timers/spec/fixtures/default/multiple.timer index 065138abf..ff3db03e2 100644 --- a/cookbooks/fb_timers/spec/fixtures/default/multiple.timer +++ b/cookbooks/fb_timers/spec/fixtures/default/multiple.timer 
@@ -3,7 +3,6 @@ [Unit] Description=Run scheduled task multiple -Requires=multiple.service [Install] WantedBy=timers.target diff --git a/cookbooks/fb_timers/spec/fixtures/default/onboot.timer b/cookbooks/fb_timers/spec/fixtures/default/onboot.timer index cdd0b1d86..7b4f95e1f 100644 --- a/cookbooks/fb_timers/spec/fixtures/default/onboot.timer +++ b/cookbooks/fb_timers/spec/fixtures/default/onboot.timer @@ -3,7 +3,6 @@ [Unit] Description=Run scheduled task onboot -Requires=onboot.service [Install] WantedBy=timers.target diff --git a/cookbooks/fb_timers/spec/fixtures/default/params.timer b/cookbooks/fb_timers/spec/fixtures/default/params.timer index 23a1d2678..d49c9553d 100644 --- a/cookbooks/fb_timers/spec/fixtures/default/params.timer +++ b/cookbooks/fb_timers/spec/fixtures/default/params.timer @@ -3,7 +3,6 @@ [Unit] Description=Custom set description field -Requires=params.service jkl=aaaaah [Install] diff --git a/cookbooks/fb_timers/spec/fixtures/default/simple.timer b/cookbooks/fb_timers/spec/fixtures/default/simple.timer index 3f16fc918..96e52dc8b 100644 --- a/cookbooks/fb_timers/spec/fixtures/default/simple.timer +++ b/cookbooks/fb_timers/spec/fixtures/default/simple.timer @@ -3,7 +3,6 @@ [Unit] Description=Run scheduled task simple -Requires=simple.service [Install] WantedBy=timers.target diff --git a/cookbooks/fb_timers/templates/default/timer.erb b/cookbooks/fb_timers/templates/default/timer.erb index 49e4d859e..624454a07 100644 --- a/cookbooks/fb_timers/templates/default/timer.erb +++ b/cookbooks/fb_timers/templates/default/timer.erb @@ -3,9 +3,6 @@ [Unit] Description=<%= @conf['description'] %> -<% if @conf['requires_enable'] %> -Requires=<%= @conf['name'] %>.service -<% end %> <% @conf['timer_unit_options'].each do |name, value| %> <%= name %>=<%= value %> <% end %> From 76109bbc05af2f98f04d6338c7f55873b6bcffb4 Mon Sep 17 00:00:00 2001 
From: Sweet Tea Dorminy Date: Mon, 18 Mar 2024 15:55:36 -0700 Subject: [PATCH 144/188] remove btrfs leaf size Differential Revision: D55038841 fbshipit-source-id: 6ca52c0576fab0d71aebf110a67d9c5473e759bd --- cookbooks/fb_storage/libraries/storage_handlers.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_storage/libraries/storage_handlers.rb b/cookbooks/fb_storage/libraries/storage_handlers.rb index a0ae601b8..b7c03bf12 100644 --- a/cookbooks/fb_storage/libraries/storage_handlers.rb +++ b/cookbooks/fb_storage/libraries/storage_handlers.rb @@ -500,7 +500,7 @@ def default_format_options(type) when 'xfs' '-i size=2048' when 'btrfs' - '-l 16K -n 16K' + '-n 16K' when 'ext4' '' end From 5522a55f97792d441f4cae76bdc0065a9fae0d95 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Wed, 20 Mar 2024 08:10:29 -0700 Subject: [PATCH 145/188] Remove some more fusionio bits Differential Revision: D54771183 fbshipit-source-id: 81a20817f2a708ba9e53174ab42c949166097f81 --- cookbooks/fb_storage/README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cookbooks/fb_storage/README.md b/cookbooks/fb_storage/README.md index cdf7ed140..8f24562a4 100644 --- a/cookbooks/fb_storage/README.md +++ b/cookbooks/fb_storage/README.md @@ -419,7 +419,6 @@ used optimal partition layout, and so if we are told to add a device to an existing device without a proper layout, it can fail. This case is not handled, at all. Chef will fail and manual intervention is needed. The only time we can hit this is: - * The array was built with the old mdfio or some other chunk of code * Hot swap is enabled, and a card is replaced by external automation and we are told about that. This should be exceedingly rare. 
@@ -556,8 +555,7 @@ are subclasses of `FB::Storage::Handler` and must implement the handler interface. Handler classes listed in `node['fb_storage']['_handlers']` will be queried in order, and the first one to match for a given device will be used. -By default `fb_storage` provides handlers for FusionIO, MD (software RAID) and -JBOD devices. +By default `fb_storage` provides handlers for MD (software RAID) and JBOD devices. ### WARNINGS From 5960b3d545f469eb03e77adb565b5be4f9c01e16 Mon Sep 17 00:00:00 2001 From: Edward Pilatowicz Date: Wed, 20 Mar 2024 13:11:06 -0700 Subject: [PATCH 146/188] Stop trying to upgrade dnf on every chef run Differential Revision: D55095284 fbshipit-source-id: 38ec6a43bbeac94aa132c8d22651dab35c8a3be3 --- cookbooks/fb_dnf/recipes/packages.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_dnf/recipes/packages.rb b/cookbooks/fb_dnf/recipes/packages.rb index 08df32a09..12e2cb829 100644 --- a/cookbooks/fb_dnf/recipes/packages.rb +++ b/cookbooks/fb_dnf/recipes/packages.rb @@ -33,5 +33,5 @@ package dnf_packages do only_if { node['fb_dnf']['manage_packages'] } - action :upgrade + action :install end From 7c455a288a9e8c6bbe7560222a9f7c68c3f61160 Mon Sep 17 00:00:00 2001 From: Phil Dibowitz Date: Fri, 22 Mar 2024 08:45:05 -0700 Subject: [PATCH 147/188] Fix fb_systemd on hosts without networkd (#236) Test Plan: Tested that this didn't result in a networkd config change on CentOS9, and that it stops managing the networkd config on CentOS8, which is fine since we aren't using networkd on CentOS8 at least internally. anitazha did some testing of this internal to Meta already, plus I've rolled this out to the SCALE infra Differential Revision: D55154300 fbshipit-source-id: db4822e2df0ab65258a204c881afd042898cd0a5 --- cookbooks/fb_systemd/recipes/networkd.rb | 1 + 1 file changed, 1 insertion(+) 
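Review bot: With `action :install` the resource only ensures that the packages in `dnf_packages` are present, so Chef no longer pulls newer versions of them, security fixes included; the contents of `dnf_packages` are defined above the hunk and are not visible here. If updates are delivered by another mechanism, a comment above the resource would record that dependency, e.g. `# :install only ensures presence; updates for these packages come from <update mechanism>`. Without such a mechanism, hosts keep whatever version was first installed.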
diff --git a/cookbooks/fb_systemd/recipes/networkd.rb b/cookbooks/fb_systemd/recipes/networkd.rb index 0f4d531e7..667bee282 100644 --- a/cookbooks/fb_systemd/recipes/networkd.rb +++ b/cookbooks/fb_systemd/recipes/networkd.rb @@ -19,6 +19,7 @@ # fb_helpers_gated_template '/etc/systemd/networkd.conf' do + only_if { node['fb_systemd']['networkd']['enable'] } allow_changes node.nw_changes_allowed? source 'systemd.conf.erb' owner node.root_user From 3ee3d0601e78c4d566e3da1a2c80cbb0d9168ce4 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Mon, 25 Mar 2024 14:58:11 -0700 Subject: [PATCH 148/188] Add 'disable_makecache' API Differential Revision: D55318525 fbshipit-source-id: 23e2bcb990319bbb7c3c05f97111cd8a2f7fefc0 --- cookbooks/fb_dnf/README.md | 8 ++++++++ cookbooks/fb_dnf/attributes/default.rb | 1 + cookbooks/fb_dnf/recipes/default.rb | 2 ++ cookbooks/fb_dnf/recipes/makecache.rb | 18 ++++++++++++++++++ 4 files changed, 29 insertions(+) create mode 100644 cookbooks/fb_dnf/recipes/makecache.rb diff --git a/cookbooks/fb_dnf/README.md b/cookbooks/fb_dnf/README.md index 57ec79673..d42b2edef 100644 --- a/cookbooks/fb_dnf/README.md +++ b/cookbooks/fb_dnf/README.md @@ -7,6 +7,7 @@ Requirements Attributes ---------- * node['fb_dnf']['config'][$SECTION][$KEY][$VALUE] +* node['fb_dnf']['disable_makecache_timer'] * node['fb_dnf']['manage_packages'] * node['fb_dnf']['modules'][$MODULE][$CONFIG] * node['fb_dnf']['repos'][$GROUP]['repos'][$REPO][$KEY][$VALUE] 
@@ -49,6 +50,13 @@ ways: These are not mutually exclusive and can be mixed as desired. See the README for `fb_yum_repos` for details on how to define repositories. +### Disable dnf-makecache.timer + +The dnf RPM includes a default make cache timer. This is not always required +depending how one wants to use dnf. Set +`node['fb_dnf']['disable_makecache_timer']` API to `true` to stop this periodic +refresh of the dnf metadata cache. + ### Modularity support DNF supports modules which may need to be enabled, disabled, or default. You can use `node['fb_dnf']['modules']` to configure modules. Do this via: diff --git a/cookbooks/fb_dnf/attributes/default.rb b/cookbooks/fb_dnf/attributes/default.rb index 9a8cf9dba..0d2f5352e 100644 --- a/cookbooks/fb_dnf/attributes/default.rb +++ b/cookbooks/fb_dnf/attributes/default.rb @@ -26,6 +26,7 @@ 'skip_if_unavailable' => node.centos? ? false : true, }, }, + 'disable_makecache_timer' => false, 'manage_packages' => true, 'modules' => {}, 'repos' => {}, diff --git a/cookbooks/fb_dnf/recipes/default.rb b/cookbooks/fb_dnf/recipes/default.rb index 953a26c46..899c85ad3 100644 --- a/cookbooks/fb_dnf/recipes/default.rb +++ b/cookbooks/fb_dnf/recipes/default.rb @@ -46,3 +46,5 @@ end include_recipe 'fb_dnf::packages' +# Need RPMs installed before we can disable/enable the makecache timer +include_recipe 'fb_dnf::makecache' diff --git a/cookbooks/fb_dnf/recipes/makecache.rb b/cookbooks/fb_dnf/recipes/makecache.rb new file mode 100644 index 000000000..cf19c86bb --- /dev/null +++ b/cookbooks/fb_dnf/recipes/makecache.rb 
@@ -0,0 +1,18 @@ +# (c) Meta Platforms, Inc. and its affiliates. Confidential and proprietary. +# +# Cookbook Name:: fb_dnf +# Recipe:: makecache + +MAKECACHE_SYSTEMD_UNIT_NAME = 'dnf-makecache.timer'.freeze + +# If API is set to true, stop + disable the timer +systemd_unit MAKECACHE_SYSTEMD_UNIT_NAME do + only_if { node['fb_dnf']['disable_makecache_timer'] } + action [:stop, :disable] +end + +# If API is set to false, start + enable the timer +systemd_unit MAKECACHE_SYSTEMD_UNIT_NAME do + not_if { node['fb_dnf']['disable_makecache_timer'] } + action [:start, :enable] +end From 2f830f4972e1e67c94d7aa318e3a6864db5ce2a1 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Tue, 26 Mar 2024 08:00:53 -0700 Subject: [PATCH 149/188] memoize root_user/root_group methods Summary: We don't expect the platform to change mid-run, so memoizing these methods to save calls to `#value_for_platform`, which has node attribute reads under the hood. Differential Revision: D55338996 fbshipit-source-id: 7c563a1f5f13c58b35b081b2796143b9d6939cd7 --- cookbooks/fb_helpers/libraries/node_methods.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index 9997ac266..c20862589 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -990,7 +990,7 @@ def solo? end def root_user - value_for_platform( + @root_user ||= value_for_platform( 'windows' => { 'default' => 'Administrator' }, 'default' => 'root', ) @@ -999,7 +999,7 @@ def root_user def root_group # rubocop:disable Chef/Correctness/InvalidPlatformValueForPlatformHelper # See the `macos?` method above - value_for_platform( + @root_group ||= value_for_platform( %w{openbsd freebsd mac_os_x macos} => { 'default' => 'wheel' }, 'windows' => { 'default' => 'Administrators' }, 'default' => 'root', From 03ff688afce990476349f0e98aac7b93b09695c4 Mon Sep 17 00:00:00 2001 
From: Cooper Lees Date: Tue, 26 Mar 2024 10:11:49 -0700 Subject: [PATCH 150/188] Make the renable optional Differential Revision: D55366233 fbshipit-source-id: 450a2f6a8285133f5b55064ef4670bd7dd22af72 --- cookbooks/fb_dnf/README.md | 5 +++++ cookbooks/fb_dnf/attributes/default.rb | 1 + cookbooks/fb_dnf/recipes/makecache.rb | 8 ++++++++ 3 files changed, 14 insertions(+) diff --git a/cookbooks/fb_dnf/README.md b/cookbooks/fb_dnf/README.md index d42b2edef..d53eebe63 100644 --- a/cookbooks/fb_dnf/README.md +++ b/cookbooks/fb_dnf/README.md @@ -57,6 +57,11 @@ depending how one wants to use dnf. Set `node['fb_dnf']['disable_makecache_timer']` API to `true` to stop this periodic refresh of the dnf metadata cache. +To rollback / renable *dnf-makecahce.timer* you also need a second API boolean set: +- `node['fb_dnf']['enable_makecache_timer']` (set to `true`) +This is to protect use cases where *dnf-mcachecache.timer* is being disabled/stopped +another way. + ### Modularity support DNF supports modules which may need to be enabled, disabled, or default. You can use `node['fb_dnf']['modules']` to configure modules. Do this via: diff --git a/cookbooks/fb_dnf/attributes/default.rb b/cookbooks/fb_dnf/attributes/default.rb index 0d2f5352e..da80a8719 100644 --- a/cookbooks/fb_dnf/attributes/default.rb +++ b/cookbooks/fb_dnf/attributes/default.rb @@ -26,6 +26,7 @@ 'skip_if_unavailable' => node.centos? ? false : true, }, }, + 'enable_makecache_timer' => false, 'disable_makecache_timer' => false, 'manage_packages' => true, 'modules' => {}, diff --git a/cookbooks/fb_dnf/recipes/makecache.rb b/cookbooks/fb_dnf/recipes/makecache.rb index cf19c86bb..815da9c98 100644 --- a/cookbooks/fb_dnf/recipes/makecache.rb +++ b/cookbooks/fb_dnf/recipes/makecache.rb 
@@ -5,14 +5,22 @@ MAKECACHE_SYSTEMD_UNIT_NAME = 'dnf-makecache.timer'.freeze +if node['fb_dnf']['disable_makecache_timer'] && node['fb_dnf']['enable_makecache_timer'] + Chef::Log.error( + '[fb_dnf] Something has set BOTH disable + enable makecache timer - Nothing will happen!', + ) +end + # If API is set to true, stop + disable the timer systemd_unit MAKECACHE_SYSTEMD_UNIT_NAME do only_if { node['fb_dnf']['disable_makecache_timer'] } + not_if { node['fb_dnf']['enable_makecache_timer'] } action [:stop, :disable] end # If API is set to false, start + enable the timer systemd_unit MAKECACHE_SYSTEMD_UNIT_NAME do + only_if { node['fb_dnf']['enable_makecache_timer'] } not_if { node['fb_dnf']['disable_makecache_timer'] } action [:start, :enable] end From 176ef3087c7d70de744dd7139e1c3c0622d739aa Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Fri, 5 Apr 2024 12:18:51 -0700 Subject: [PATCH 151/188] fb_grub: support Fedora too for grub-install Summary: This is needed for ELN but should help if there's any non-EFI fedora installs as well Differential Revision: D55753946 fbshipit-source-id: 066ca67c63d41572b26eaf57f5bcdec69878f25a --- cookbooks/fb_grub/recipes/packages.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_grub/recipes/packages.rb b/cookbooks/fb_grub/recipes/packages.rb index b08a472dd..ae16cadc1 100644 --- a/cookbooks/fb_grub/recipes/packages.rb +++ b/cookbooks/fb_grub/recipes/packages.rb @@ -30,7 +30,7 @@ command lazy { cmd = value_for_platform_family( 'debian' => 'grub-install', - 'rhel' => 'grub2-install', + ['fedora', 'rhel'] => 'grub2-install', ) # device of root-mount, strip off partition # note that this is a hack and it doesn't support properly dm devices From a780272b6a4b5934d48bcb5631f04e58322d4555 Mon Sep 17 00:00:00 2001 
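Review bot: The new conflict check reads both attributes while the recipe is being compiled, whereas the `only_if`/`not_if` guards on the two `systemd_unit` resources read them at converge time, so a value set by a recipe that compiles after this one would be honoured by the guards but missed by the log message. Moving the check into a guarded resource makes it see the same values as the guards; a sketch follows. The comment `# If API is set to false, start + enable the timer` is also stale now that the resource is gated on `enable_makecache_timer`.

```ruby
# Report conflicting settings at converge time, when the guards below read them
whyrun_safe_ruby_block 'check makecache timer settings' do
  only_if do
    node['fb_dnf']['disable_makecache_timer'] &&
      node['fb_dnf']['enable_makecache_timer']
  end
  block do
    Chef::Log.error(
      '[fb_dnf] Something has set BOTH disable + enable makecache timer - Nothing will happen!',
    )
  end
end
# … unchanged: the two systemd_unit resources …
```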
From: Jonathan McDowell Date: Mon, 8 Apr 2024 01:41:59 -0700 Subject: [PATCH 152/188] Clean up mentions of tboot Summary: Simplify the grub cookbook by removing the now unnecessary tboot related stanzas; they haven't been in use since we moved off CentOS 7. Differential Revision: D55189051 fbshipit-source-id: d866c6811505fd4ed47642e03beff27e69378333 --- cookbooks/fb_grub/README.md | 17 ------- cookbooks/fb_grub/attributes/default.rb | 15 ------ cookbooks/fb_grub/recipes/config.rb | 15 ------ cookbooks/fb_grub/recipes/validate.rb | 49 ------------------- cookbooks/fb_grub/resources/packages.rb | 4 -- .../fb_grub/templates/default/grub2.cfg.erb | 41 ---------------- 6 files changed, 141 deletions(-) diff --git a/cookbooks/fb_grub/README.md b/cookbooks/fb_grub/README.md index cf266d2f3..730a9c160 100644 --- a/cookbooks/fb_grub/README.md +++ b/cookbooks/fb_grub/README.md @@ -16,8 +16,6 @@ Attributes * node['fb_grub']['serial']['word'] * node['fb_grub']['serial']['parity'] * node['fb_grub']['serial']['stop'] -* node['fb_grub']['tboot']['enable'] -* node['fb_grub']['tboot']['logging'] * node['fb_grub']['terminal'] * node['fb_grub']['version'] * node['fb_grub']['use_labels'] 
@@ -75,21 +73,6 @@ may not exist so this behavior may be disabled by setting `force_both_efi_and_bios` to false. This default is mostly an artifact of Facebook history - you probably want to disable it. -### tboot -This cookbook optionally supports enabling tboot. This is only supported for -GRUB 2 and is disabled by default. It can be controlled with the attribute -`node['fb_grub']['tboot']['enable']`. If desired, tboot logging output can be -controlled with `node['fb_grub']['tboot']['logging']` (defaults to `memory`). -If `serial` output is requested, it will reuse `node['fb_grub']['serial']` for -its settings. - -When tboot is enabled, two menu entries are created for each kernel: one with -tboot as the MLE before launching the kernel, and one launching the kernel -directly without tboot. - -NOTE: tboot is not compatible with Secure Boot enabled. Please see the RedHat -bug report for more information: https://bugzilla.redhat.com/show_bug.cgi?id=1318667 - ### Boot Loader Specification support Set `node['fb_grub']['enable_bls']` to `true` to enable automatic parsing and menu entry generation from diff --git a/cookbooks/fb_grub/attributes/default.rb b/cookbooks/fb_grub/attributes/default.rb index dd128de34..2483051ef 100644 --- a/cookbooks/fb_grub/attributes/default.rb +++ b/cookbooks/fb_grub/attributes/default.rb @@ -57,21 +57,6 @@ 'parity' => 'no', 'stop' => 1, }, - 'tboot' => { - '_grub_modules' => [ - 'relocator.mod', - 'multiboot2.mod', - ], - 'enable' => false, - 'kernel_extra_args' => [ - 'intel_iommu=on', - 'noefi', - ], - 'logging' => [ - 'memory', - ], - 'tboot_extra_args' => [], - }, 'terminal' => [ 'console', ], diff --git a/cookbooks/fb_grub/recipes/config.rb b/cookbooks/fb_grub/recipes/config.rb index fee58b876..4e36d0885 100644 --- a/cookbooks/fb_grub/recipes/config.rb +++ b/cookbooks/fb_grub/recipes/config.rb 
@@ -111,21 +111,6 @@ end end -# grub2 cannot read / if it's compressed with zstd, so hack around it -node['fb_grub']['tboot']['_grub_modules'].each do |mod_file| - remote_file "Copy #{mod_file} file for grub" do - only_if do - node['fb_grub']['tboot']['enable'] && - !node['fb_grub']['_grub2_copy_path'].nil? - end - path "/boot/#{mod_file}" - source lazy { "file://#{node['fb_grub']['_grub2_copy_path']}/#{mod_file}" } - owner 'root' - group 'root' - mode '0644' - end -end - # cleanup configs for the grub major version that we're not using ['_grub_config_bios', '_grub_config_efi'].each do |tpl_name| file "cleanup #{tpl_name}" do diff --git a/cookbooks/fb_grub/recipes/validate.rb b/cookbooks/fb_grub/recipes/validate.rb index 599ca910b..03da62a4e 100644 --- a/cookbooks/fb_grub/recipes/validate.rb +++ b/cookbooks/fb_grub/recipes/validate.rb @@ -44,13 +44,6 @@ end node.default['fb_grub']['_root_label'] = boot_label - - # For tboot, we have to specify the full path to the modules. - # They are in /usr/lib/grub , so we need the label for the root disk - slash_label = node.filesystem_data['by_mountpoint']['/']['label'] - if slash_label - node.default['fb_grub']['_module_label'] = slash_label - end elsif node['fb_grub']['use_uuids'] if node['fb_grub']['version'] < 2 fail 'fb_grub: Booting by label requires grub2.' 
@@ -125,48 +118,6 @@ elsif uuid && !uuid.empty? node.default['fb_grub']['rootfs_arg'] = "UUID=#{uuid}" end - # Set the correct grub module path for e.g. the tboot modules - if node.efi? && node['fb_grub']['version'] == 2 && - node['fb_grub']['tboot']['enable'] - if node['fb_grub']['_module_label'] - module_path = "/usr/lib/grub/#{node['kernel']['machine']}-efi" - else - os_device = node.device_of_mount('/') - if os_device - m = os_device.match(/[0-9]+$/) - unless m - fail 'fb_grub: cannot parse the OS device!' - end - else - fail 'fb_grub: cannot find the OS device!' - end - - # People can override the boot_disk if they have a good reason. - if node['fb_grub']['boot_disk'] - boot_disk = node['fb_grub']['boot_disk'] - elsif node['fb_grub']['root_device'] - boot_disk = node['fb_grub']['root_device'].split(',')[0] - else - # This basically just happens if someone enables labels - # but doesn't override the boot_disk param and we don't use our new - # logic to figure out the boot disk - boot_disk = bootdisk_guess - end - os_part = "(#{boot_disk},#{m[0].to_i})" - module_path = "#{os_part}/usr/lib/grub/#{node['kernel']['machine']}-efi" - end - node.default['fb_grub']['_grub2_module_path'] = module_path - - # So that we can use btrfs subvolumes and still insmod filesystems - if node.root_btrfs? - node.default['fb_grub']['_grub2_copy_path'] = node['fb_grub'][ - '_grub2_module_path'] - node.default['fb_grub']['_module_label'] = node['fb_grub'][ - '_root_label'] - node.default['fb_grub']['_grub2_module_path'] = node['fb_grub'][ - 'path_prefix'] - end - end node.default['fb_grub']['_decided_boot_disk'] = boot_disk end end diff --git a/cookbooks/fb_grub/resources/packages.rb b/cookbooks/fb_grub/resources/packages.rb index 0436ac4f6..1a873688d 100644 --- a/cookbooks/fb_grub/resources/packages.rb +++ b/cookbooks/fb_grub/resources/packages.rb 
@@ -52,10 +52,6 @@ fail "fb_grub: unsupported grub version: #{node['fb_grub']['version']}" end - if node['fb_grub']['tboot']['enable'] - packages << 'tboot' - end - package 'grub packages' do package_name packages action :upgrade diff --git a/cookbooks/fb_grub/templates/default/grub2.cfg.erb b/cookbooks/fb_grub/templates/default/grub2.cfg.erb index 52924d1d7..5cb5059d6 100644 --- a/cookbooks/fb_grub/templates/default/grub2.cfg.erb +++ b/cookbooks/fb_grub/templates/default/grub2.cfg.erb @@ -20,24 +20,6 @@ terminal = node['fb_grub']['terminal'].join(' ') serial = node['fb_grub']['serial'].to_hash - kernel_extra_args = node['fb_grub']['tboot']['kernel_extra_args'].join(' ') - - tboot_cmdline = "logging=#{node['fb_grub']['tboot']['logging'].join(',')}" - if node['fb_grub']['tboot']['logging'].include?('serial') - tboot_port = '0x3f8' # I/O port for ttyS0 - if serial['unit'] == '1' - tboot_port = '0x2f8' # I/O port for ttyS1 - end - tboot_parity = serial['parity'][0] - tboot_cmdline += " serial=#{serial['speed']}," + - "#{serial['word']}#{tboot_parity}#{serial['stop']}," + - tboot_port - end - unless node['fb_grub']['tboot']['tboot_extra_args'].empty? - tboot_cmdline += - " #{node['fb_grub']['tboot']['tboot_extra_args'].join(' ')}" - end - path_prefix = node['fb_grub']['path_prefix'] users = node['fb_grub']['users'].to_hash 
@@ -184,29 +166,6 @@ blscfg default # then the first menu entry below this line will be chosen to boot <% end %> <% node['fb_grub']['kernels'].to_hash.each do |kernel, data| -%> -<% if node['fb_grub']['tboot']['enable'] && !kernel.include?('rescue') -%> - -menuentry 'tboot <%= kernel %>' <%= restriction %>{ - <%= root_line %> - <% if node['fb_grub']['_module_label'] %> - search --set=module_root --label <%= node['fb_grub']['_module_label'] %> - <% module_root = "($module_root)" - elsif node['fb_grub']['_module_uuid'] %> - search --set=module_root --fs-uuid <%= node['fb_grub']['_module_uuid'] %> - <% module_root = "($module_root)" - else - module_root = '' - end -%> - <% node['fb_grub']['tboot']['_grub_modules'].each do |mod| -%> - insmod <%= "#{module_root}#{node['fb_grub']['_grub2_module_path']}/#{mod}" %> - <% end %> - multiboot2 /tboot.gz <%= tboot_cmdline %> - module2 <%= path_prefix %><%= data['path'] %> <%= kargs %> <%= kernel_extra_args %> -<% if data['initrd_path'] -%> - module2 <%= path_prefix %><%= data['initrd_path'] %> -<% end -%> -} -<% end -%> menuentry '<%= kernel %>' <%= restriction %>{ <%= root_line %> From 072b1a8685ecaae0d78422eb6fd48552e6bf531b Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: Fri, 12 Apr 2024 10:45:12 -0700 Subject: [PATCH 153/188] Setup slowroll for iptables-legacy Differential Revision: D55988297 fbshipit-source-id: e64d9b00c703480d1cbd37c75a8e50fdb3063b0f --- cookbooks/fb_iptables/recipes/packages.rb | 32 ++++++++++++++--------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/cookbooks/fb_iptables/recipes/packages.rb b/cookbooks/fb_iptables/recipes/packages.rb index b1532d5c9..a1793553c 100644 --- a/cookbooks/fb_iptables/recipes/packages.rb +++ b/cookbooks/fb_iptables/recipes/packages.rb 
@@ -20,21 +20,29 @@ # if (node.centos? && !(node.centos7? || node.centos8?)) || node.fedora? - packages = ['iptables-legacy'] + slowroll_name = 'iptables-legacy' + node.default['fb_slowroll'][slowroll_name]['phases'] = + FB::Slowroll::PhaseTemplates.slow_start(node) + node.default['fb_slowroll'][slowroll_name]['export_json'] = true + + fb_slowroll slowroll_name do + notifies :run, 'execute[reload iptables]' + notifies :run, 'execute[reload ip6tables]' + end else packages = ['iptables'] -end -if node.ubuntu? - packages << 'iptables-persistent' -else - packages << 'iptables-services' -end + if node.ubuntu? + packages << 'iptables-persistent' + else + packages << 'iptables-services' + end -package packages do - only_if { node['fb_iptables']['manage_packages'] } - action :upgrade - notifies :run, 'execute[reload iptables]' - notifies :run, 'execute[reload ip6tables]' + package packages do + only_if { node['fb_iptables']['manage_packages'] } + action :upgrade + notifies :run, 'execute[reload iptables]' + notifies :run, 'execute[reload ip6tables]' + end end execute 'reload iptables' do From 19ab77fed63692a14528648e396bc593983946e1 Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: Fri, 12 Apr 2024 14:11:58 -0700 Subject: [PATCH 154/188] Exclude fedora from slowroll Differential Revision: D56079700 fbshipit-source-id: 78c2449a4e70f0bbaeb5ea3bc6464b4c136181b1 --- cookbooks/fb_iptables/recipes/packages.rb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_iptables/recipes/packages.rb b/cookbooks/fb_iptables/recipes/packages.rb index a1793553c..49a43ddf9 100644 --- a/cookbooks/fb_iptables/recipes/packages.rb +++ b/cookbooks/fb_iptables/recipes/packages.rb 
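Review bot: In the new `iptables-legacy` branch the `fb_slowroll` resource carries no `only_if { node['fb_iptables']['manage_packages'] }` guard, while the `package` resource in the `else` branch keeps it, so a host that sets `manage_packages` to false would still have this resource run. The same branch no longer adds `iptables-services`, which the old code appended for every non-Ubuntu platform, so on these hosts the package that presumably ships the rule-loading service stops being managed by this recipe. I would put `only_if { node['fb_iptables']['manage_packages'] }` inside the `fb_slowroll` block (assuming it accepts the common guard properties) and keep a guarded `package 'iptables-services'` next to it.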
@@ -19,7 +19,7 @@ # limitations under the License. # -if (node.centos? && !(node.centos7? || node.centos8?)) || node.fedora? +if node.centos? && !(node.centos7? || node.centos8?) slowroll_name = 'iptables-legacy' node.default['fb_slowroll'][slowroll_name]['phases'] = FB::Slowroll::PhaseTemplates.slow_start(node) @@ -30,7 +30,12 @@ notifies :run, 'execute[reload ip6tables]' end else - packages = ['iptables'] + if node.fedora? + packages = ['iptables-legacy'] + else + packages = ['iptables'] + end + if node.ubuntu? packages << 'iptables-persistent' else From 3e3386a0681c08d72ce39f88404cb5eeab62799c Mon Sep 17 00:00:00 2001 From: David Crosby Date: Mon, 15 Apr 2024 08:16:12 -0700 Subject: [PATCH 155/188] Drop Fauxhai 6 code Differential Revision: D56024221 fbshipit-source-id: 775d3b568532ab92013708e29e2e3c181949eff4 --- spec/fbspec_platforms.rb | 52 +++++++++++++--------------------------- 1 file changed, 16 insertions(+), 36 deletions(-) diff --git a/spec/fbspec_platforms.rb b/spec/fbspec_platforms.rb index 53c724c36..7d3ec8aa3 100644 --- a/spec/fbspec_platforms.rb +++ b/spec/fbspec_platforms.rb @@ -17,40 +17,21 @@ # See the License for the specific language governing permissions and # limitations under the License. -PLATFORMS = if Fauxhai::VERSION.start_with?('6') - { - 'default' => { - :centos7 => [ - { - 'platform' => 'centos', - 'version' => '7.3.1611', - }, - ], - :mac_os_x => [ - { - 'platform' => 'mac_os_x', - 'version' => '10.12', - }, - ], - }, - 'extra' => {}, - }.freeze - else - { - 'default' => { - :centos8 => [ - { - 'platform' => 'centos', - 'version' => '8', - }, - ], - :mac_os_x => [ - { - 'platform' => 'mac_os_x', - 'version' => '10.15', - }, - ], - }, +PLATFORMS = { + 'default' => { + :centos8 => [ + { + 'platform' => 'centos', + 'version' => '8', + }, + ], + :mac_os_x => [ + { + 'platform' => 'mac_os_x', + 'version' => '10.15', + }, + ], + }, 'extra' => { :centos7 => [ { @@ -59,5 +40,4 @@ }, ], }, - }.freeze - end +}.freeze 
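Review bot: In cookbooks/fb_iptables/recipes/packages.rb, the `if node.fedora?` / `else` block added by the second hunk assigns `packages` in both arms, where the conditional itself could be the value: `packages = [node.fedora? ? 'iptables-legacy' : 'iptables']`. That keeps the base package list on one line ahead of the `packages <<` calls that follow and does not change behaviour. The enclosing top-level `if`/`else` starts and ends outside this hunk.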
From 84ecd110df9729683eceda793eb0dd2b3193fa45 Mon Sep 17 00:00:00 2001 From: dcrosby Date: Mon, 15 Apr 2024 13:24:14 -0700 Subject: [PATCH 156/188] Remove supermarket_push script (#237) Summary: I didn't see any of the cookbooks on the supermarket, suspect the script is derelict. jaymzh is this still in use on your end? Pull Request resolved: https://github.com/facebook/chef-cookbooks/pull/237 Differential Revision: D56030336 fbshipit-source-id: 978acfc6ad35c1bfa18535839318e86a352d04bb --- scripts/supermarket_push | 45 --------------------------------------- supermarket.pem.enc | Bin 1680 -> 0 bytes 2 files changed, 45 deletions(-) delete mode 100755 scripts/supermarket_push delete mode 100644 supermarket.pem.enc diff --git a/scripts/supermarket_push b/scripts/supermarket_push deleted file mode 100755 index ca7a77b2f..000000000 --- a/scripts/supermarket_push +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/sh -# -# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2 -# -# Copyright (c) 2016-present, Facebook, Inc. -# All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -eu - -if [ -z "$SKEY" ]; then - SKEY='../supermarket.pem' -fi -if [ -z "$SUSER" ]; then - SUSER='phild' -fi -if [ -z "$TRAVIS_RUBY_VERSION" ]; then - BUNDLE='bundle' -else - BUNDLE="rvm $TRAVIS_RUBY_VERSION do bundle" -fi - -COMMON_OPTS="-m https://supermarket.chef.io -k $SKEY -u $SUSER" - -$BUNDLE install -cd cookbooks -for i in *; do - echo "Unpublishing $i" - # shellcheck disable=SC2086 - $BUNDLE exec knife supermarket unshare "$i" $COMMON_OPTS -y - echo "Publishing $i" - # shellcheck disable=SC2086 - $BUNDLE exec knife supermarket share "$i" Other -o . $COMMON_OPTS -done 
diff --git a/supermarket.pem.enc b/supermarket.pem.enc deleted file mode 100644 index 1545f251396fd356fa36c7812e0b87ef94f393f9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1680 zcmV;B25PBDd|Wwqf zTwdYI_yGmvzwzHxd5GIqI}LJc>5)rn*_s?`8C0U_q*^p_!TuRtMWf_Ri@`N0V?5x}_Vv4@O6f`b?y(gkWL zcIPth)ZZ>W|01N`Qh#HQ2B{}vid&5U;QM@b^NTGz1&PbCZIHi5SSrKLt6ypD%X}?! zaTNsR7nCRmo2ZMAR<%%IOwj8Fly52NEVRf2 zUWGpPvOWJ{u+&dRe{%`)$NJ8Yjr5HLW~E-1$ib0DfNMK0)-oICmnZ9c;Wm_~<$q}s zqsh7z>lMl-s}6)D{@h_ba#yCdHNI#3gYN4is4-e1W&dR6(g}OW9)2W1Rr)kYhNZVp zjuLp}s+JSCYe`pTbe|s#q8qn~LT4_F|BUH`M&^`IKcbmYr$7W}*va+nJZwfn2Ve1e z6l}Y(d2(PUsP!~RpH~FAH%td#CCsCOA))ahkMv7WZkWWrDl`I7B{TR|u@#DTSU@@Eon=}@SDurOdF5wl1 zzLfP7^n?T5&UycB@(4i?Ggaqank4=r^}6fddi$V5 z_$k!{ice6bE~km&rE%5!g2Wxt@Ex=lsoITG*t*93Z{JY>6_-0wN<@3ssvbGl-%5%9 ziSa6`9fEBAkCNhKTLxe*6r3SQl9t_Y=A3_;t{xWqH}w-5-8005ZGqr9A7$+_?1>lg zgl~j{qjkc(URq?ZGc?D4*!LCu^&WqOn&r09X&eX`k}4#aZ(NlntQd*~*GsJ5ZtXsi zblMS$OH9|%l?~m-AA!Wts>%DBP$1_sql{ISRzZWG`w6pH+<3nF<;*$ApG57z2*m&B z{9l0zL7?vxS%*kGl>%1-R0zV`f4Z#~A)?MhRmCifT*Wy0?gdvjie-5lk`^27uR^GH zm$pAJk5T86m+bpKL+c|kFJ*>+sy{1T>1Ych0FIC^x^NjB>s8)79Rm& z?!%I)R$%h7A|v#~Ev66!=kpiO3XFe@Vg|NKz+KVguwyaRFTK=ZC1&py zx}O0013;}}g~pC)pu&j6iS~~gCv)6N1LhHl&}1`|s{F}*9BF{}BWKo_TB6iVY-Rmw zy>RIMUvM2(71_>y)8 zN}y#kp2aqypdi^j4N1nPV4<8ZWt(*7_N0lTAXquW#j%xhn(ExSh{6&0x80r2mR?c3 zYmBC4FKuh+P%E5{`W;kEmrR7;ah$Lai;;I$&qecH%8KOw%GtQ@pY$^S)zGF8XUb2j zXS_pCI7o$ Date: Mon, 15 Apr 2024 13:41:16 -0700 Subject: [PATCH 157/188] Pair HyperNode partitions by partlabel for T5 Differential Revision: D54864378 fbshipit-source-id: e2bedc899e538d45ab0a998db1e08f1a1ecfbf12 --- cookbooks/fb_storage/libraries/storage.rb | 26 +++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/cookbooks/fb_storage/libraries/storage.rb b/cookbooks/fb_storage/libraries/storage.rb index ae75954b3..09cddf8f1 100644 --- a/cookbooks/fb_storage/libraries/storage.rb +++ b/cookbooks/fb_storage/libraries/storage.rb 
@@ -28,6 +28,7 @@ class Storage FORCE_WRITE_CUSTOM_DISK_ORDER = '/var/chef/storage_force_write_custom_disk_order'.freeze DEV_ID_DIR = '/dev/disk/by-id'.freeze + DEV_PARTLABEL_DIR = '/dev/disk/by-partlabel'.freeze # 'size' from sysfs always assumes 512 byte blocks SECTOR_SIZE = 512 @@ -221,6 +222,31 @@ def self.partition_device_name(device, partnum) "#{device}#{prefix}#{partnum}" end + def self.get_partition_from_partlabel(partlabel) + unless Dir.exist?(DEV_PARTLABEL_DIR) + fail 'Host does not have a by-partlabel directory!' + end + path = File.join(DEV_PARTLABEL_DIR, partlabel.gsub('/', '\x2f')) + partition = File.realpath(path) + return partition + end + + def self.get_partuuid(partition) + cmd = "lsblk -o name,partuuid -J #{partition}" + lsblk = Mixlib::ShellOut.new(cmd).run_command + lsblk.error! + blkinfo = JSON.parse(lsblk.stdout) + blkdevs = blkinfo['blockdevices'] + + fail "Partition #{partition} not found" if blkdevs.empty? + + blkdev = blkdevs.pop + partuuid = blkdev['partuuid'] + Chef::Log.debug("fb_storage: found partuuid #{partuuid} for partition: #{partition}") + + return partuuid + end + # Given a device including a partition, return just the device without # the partition. i.e. # /dev/sda1 -> /dev/sda From 3dfdb9f24c8920d9ad2aaa469e9098bdbbe6ca04 Mon Sep 17 00:00:00 2001 From: David Crosby Date: Tue, 16 Apr 2024 08:06:43 -0700 Subject: [PATCH 158/188] Add profiling hooks Summary: This adds the `--profiler` option for running ruby-prof. Differential Revision: D56162222 fbshipit-source-id: ec7ccdc1641abfef63a3ff980ca6700bf2467ada --- .../files/default/bookworm/bookworm.rb | 36 ++++++++++--------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/cookbooks/fb_bookworm/files/default/bookworm/bookworm.rb b/cookbooks/fb_bookworm/files/default/bookworm/bookworm.rb index 56e3b7264..d3deacc3c 100755 --- a/cookbooks/fb_bookworm/files/default/bookworm/bookworm.rb +++ b/cookbooks/fb_bookworm/files/default/bookworm/bookworm.rb 
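Review bot: `get_partuuid` interpolates `partition` into a single command string, and Mixlib::ShellOut hands a single string to the shell, so a path containing spaces or shell metacharacters would be parsed as shell syntax. It is a public class method, so it should not depend on every caller passing the output of `File.realpath`; giving the arguments separately avoids the shell: `lsblk = Mixlib::ShellOut.new('lsblk', '-o', 'name,partuuid', '-J', partition).run_command`. The value is also returned unchecked, so a device without a PARTUUID yields `nil`; if callers expect a string, `fail "No partuuid for #{partition}" if partuuid.nil?` before the debug log makes that explicit. In `get_partition_from_partlabel` only `/` is escaped, so a label with other encoded characters would presumably surface as a raw `Errno::ENOENT` from `File.realpath` rather than an fb_storage message.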
@@ -52,11 +52,10 @@ def initialize # 'Enable verbose mode', # ) - # TODO(dcrosby) get ruby-prof working - # parser.on( - # '--profiler', - # '(WIP) Enable profiler for performance debugging', - # ) + parser.on( + '--profiler', + 'Enable profiler for performance debugging (requires ruby-prof)', + ) parser.on( '--irb-config-step', @@ -94,11 +93,12 @@ def parse end parser = Bookworm::CLIParser.new options = parser.parse -# TODO(dcrosby) get ruby-prof working -# if options[:profiler] -# require 'ruby-prof' -# RubyProf.start -# end + +if options[:profiler] + require 'ruby-prof' + Bookworm::Profile = RubyProf::Profile.new + Bookworm::Profile.start +end # We require the libraries *after* the profiler has a chance to start, # also means faster `bookworm -h` response @@ -299,9 +299,13 @@ def build_report run.do_action end -# TODO(dcrosby) get ruby-prof working -# if options[:profiler] -# result = RubyProf.stop -# printer = RubyProf::FlatPrinter.new(result) -# printer.print($stdout) -# end +if options[:profiler] + result = Bookworm::Profile.stop + printer = RubyProf::GraphPrinter.new(result) + path = "#{Dir.tmpdir}/bookworm_profile-#{DateTime.now.iso8601(4)}.out" + printer = ::RubyProf::GraphPrinter.new(result) + File.open(path, 'w+') do |file| + printer.print(file) + end + puts "Wrote profiler output to #{path}" +end From d81f5ca9792b1097fe8676de354837da370714f3 Mon Sep 17 00:00:00 2001 
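Review bot: The profiler report in the last hunk is written with `File.open(path, 'w+')` to a timestamp-based name under `Dir.tmpdir`, which follows an existing symlink and truncates its target; in a shared temp directory that matters if bookworm is ever run with elevated privileges. Creating the file exclusively and private to the user closes that: `File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |file|`. `printer` is assigned twice with the same `GraphPrinter`, so the first assignment can be dropped. The hunks show no `require 'tmpdir'` or `require 'date'`, which `Dir.tmpdir` and `DateTime.now.iso8601` need unless they are loaded elsewhere in the file.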
From: Raymond Colebaugh Date: Thu, 18 Apr 2024 10:20:48 -0700 Subject: [PATCH 159/188] Back out "'Exclude fedora from slowroll' and 'Setup slowroll for iptables-legacy'" Summary: Original commit changeset: 78c2449a4e70 Original Phabricator Diff: D56079700 *** Back out "[S409410][fb_iptables] " Original commit changeset: e64d9b00c703 Original Phabricator Diff: D55988297 *** This cookbook is open source so we cannot use slowroll here Differential Revision: D56272737 fbshipit-source-id: bf4a78b3a4cbe7607357a6d25c76f5e911fdf60c --- cookbooks/fb_iptables/recipes/packages.rb | 41 ++++++++--------------- 1 file changed, 14 insertions(+), 27 deletions(-) diff --git a/cookbooks/fb_iptables/recipes/packages.rb b/cookbooks/fb_iptables/recipes/packages.rb index 49a43ddf9..b1532d5c9 100644 --- a/cookbooks/fb_iptables/recipes/packages.rb +++ b/cookbooks/fb_iptables/recipes/packages.rb 
@@ -19,35 +19,22 @@ # limitations under the License. # -if node.centos? && !(node.centos7? || node.centos8?) - slowroll_name = 'iptables-legacy' - node.default['fb_slowroll'][slowroll_name]['phases'] = - FB::Slowroll::PhaseTemplates.slow_start(node) - node.default['fb_slowroll'][slowroll_name]['export_json'] = true - - fb_slowroll slowroll_name do - notifies :run, 'execute[reload iptables]' - notifies :run, 'execute[reload ip6tables]' - end +if (node.centos? && !(node.centos7? || node.centos8?)) || node.fedora? + packages = ['iptables-legacy'] else - if node.fedora? - packages = ['iptables-legacy'] - else - packages = ['iptables'] - end - - if node.ubuntu? - packages << 'iptables-persistent' - else - packages << 'iptables-services' - end + packages = ['iptables'] +end +if node.ubuntu? + packages << 'iptables-persistent' +else + packages << 'iptables-services' +end - package packages do - only_if { node['fb_iptables']['manage_packages'] } - action :upgrade - notifies :run, 'execute[reload iptables]' - notifies :run, 'execute[reload ip6tables]' - end +package packages do + only_if { node['fb_iptables']['manage_packages'] } + action :upgrade + notifies :run, 'execute[reload iptables]' + notifies :run, 'execute[reload ip6tables]' end execute 'reload iptables' do From b5406e624709679cc0c377576ad82d481e59f273 Mon Sep 17 00:00:00 2001 
From: Olivier Raginel Date: Fri, 19 Apr 2024 11:27:46 -0700 Subject: [PATCH 160/188] Run NoOwnerGroupRoot on the entire codebase: core Summary: Just run the previous diff on `core` base to clean everything up ``` $ hg show | grep '^[-+] ' | grep -vEe "^- *(owner|group) *'root'\$" -e '^\+ *(owner|group) *node.root_(user|group)$' ``` So it literally just changes what it's supposed to. Differential Revision: D56178482 fbshipit-source-id: c1697841b5188450240b02a3750bd281e837bd1f --- cookbooks/fb_apache/recipes/default.rb | 28 +++++++++---------- cookbooks/fb_apcupsd/recipes/default.rb | 8 +++--- cookbooks/fb_apcupsd/recipes/frontend.rb | 4 +-- cookbooks/fb_apt/recipes/default.rb | 8 +++--- cookbooks/fb_apt/resources/sources_list.rb | 4 +-- cookbooks/fb_apt_cacher/recipes/default.rb | 8 +++--- cookbooks/fb_chrony/recipes/default.rb | 4 +-- cookbooks/fb_collectd/recipes/default.rb | 8 +++--- cookbooks/fb_collectd/recipes/frontend.rb | 4 +-- cookbooks/fb_consul/recipes/default.rb | 26 ++++++++--------- cookbooks/fb_cron/recipes/default.rb | 20 ++++++------- cookbooks/fb_dbus/recipes/default.rb | 8 +++--- cookbooks/fb_dnf/recipes/default.rb | 4 +-- cookbooks/fb_dnf/resources/modularity.rb | 8 +++--- cookbooks/fb_dnsmasq/recipes/default.rb | 4 +-- cookbooks/fb_dracut/recipes/default.rb | 4 +-- cookbooks/fb_e2fsprogs/recipes/default.rb | 4 +-- cookbooks/fb_ebtables/recipes/default.rb | 4 +-- cookbooks/fb_fstab/recipes/default.rb | 8 +++--- cookbooks/fb_grub/recipes/config.rb | 24 ++++++++-------- cookbooks/fb_hddtemp/recipes/default.rb | 4 +-- cookbooks/fb_hostconf/recipes/default.rb | 4 +-- cookbooks/fb_hostname/recipes/default.rb | 4 +-- cookbooks/fb_iproute/recipes/rt_protos.rb | 12 ++++---- cookbooks/fb_ipset/recipes/default.rb | 8 +++--- cookbooks/fb_ipset/resources/default.rb | 4 +-- cookbooks/fb_iptables/recipes/default.rb | 24 ++++++++-------- cookbooks/fb_kernel/recipes/bls.rb | 8 +++--- cookbooks/fb_kernel/resources/bls_entries.rb | 4 +-- 
cookbooks/fb_ldconfig/recipes/default.rb | 8 +++--- cookbooks/fb_logrotate/recipes/default.rb | 20 ++++++------- cookbooks/fb_mlocate/recipes/default.rb | 4 +-- cookbooks/fb_modprobe/recipes/default.rb | 20 ++++++------- cookbooks/fb_motd/resources/update_motd.rb | 4 +-- .../fb_network_scripts/recipes/default.rb | 16 +++++------ .../resources/redhat_interface.rb | 4 +-- cookbooks/fb_networkd/recipes/default.rb | 4 +-- cookbooks/fb_nscd/recipes/default.rb | 4 +-- cookbooks/fb_nsswitch/recipes/default.rb | 4 +-- cookbooks/fb_postfix/recipes/default.rb | 24 ++++++++-------- cookbooks/fb_profile/recipes/default.rb | 4 +-- cookbooks/fb_reprepro/recipes/default.rb | 8 +++--- cookbooks/fb_resolv/recipes/default.rb | 4 +-- cookbooks/fb_rpm/recipes/default.rb | 8 +++--- cookbooks/fb_rsync/recipes/secure_client.rb | 4 +-- cookbooks/fb_rsync/recipes/secure_server.rb | 4 +-- cookbooks/fb_rsync/recipes/server.rb | 8 +++--- cookbooks/fb_securetty/recipes/default.rb | 4 +-- cookbooks/fb_storage/recipes/default.rb | 24 ++++++++-------- cookbooks/fb_stunnel/recipes/default.rb | 16 +++++------ cookbooks/fb_swap/recipes/before_fb_fstab.rb | 12 ++++---- cookbooks/fb_sysfs/recipes/default.rb | 8 +++--- cookbooks/fb_systemd/recipes/boot.rb | 12 ++++---- cookbooks/fb_systemd/recipes/default.rb | 28 +++++++++---------- .../fb_systemd/recipes/journal-remote.rb | 4 +-- .../fb_systemd/recipes/journal-upload.rb | 4 +-- cookbooks/fb_systemd/recipes/journald.rb | 4 +-- cookbooks/fb_systemd/recipes/logind.rb | 4 +-- cookbooks/fb_systemd/recipes/resolved.rb | 4 +-- cookbooks/fb_systemd/recipes/timesyncd.rb | 4 +-- cookbooks/fb_systemd/recipes/udevd.rb | 16 +++++------ .../fb_systemd/resources/loader_entries.rb | 4 +-- cookbooks/fb_systemd/resources/override.rb | 8 +++--- cookbooks/fb_timers/recipes/default.rb | 12 ++++---- cookbooks/fb_timers/resources/setup.rb | 8 +++--- cookbooks/fb_vsftpd/recipes/default.rb | 12 ++++---- cookbooks/fb_yum_repos/recipes/default.rb | 4 +-- 
cookbooks/fb_yum_repos/resources/default.rb | 4 +-- 68 files changed, 305 insertions(+), 305 deletions(-) diff --git a/cookbooks/fb_apache/recipes/default.rb b/cookbooks/fb_apache/recipes/default.rb index 1b79716d1..2dc152d29 100644 --- a/cookbooks/fb_apache/recipes/default.rb +++ b/cookbooks/fb_apache/recipes/default.rb @@ -118,16 +118,16 @@ template sysconfig do source 'sysconfig.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[apache]' end [moddir, sitesdir, confdir].uniq.each do |dir| directory dir do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end end @@ -155,32 +155,32 @@ template "#{moddir}/fb_modules.conf" do not_if { node.centos6? } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :verify, 'fb_apache_verify_configs[doit]', :before notifies :restart, 'service[apache]' end template "#{sitesdir}/fb_sites.conf" do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :verify, 'fb_apache_verify_configs[doit]', :before notifies :reload, 'service[apache]' end template "#{confdir}/fb_apache.conf" do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :verify, 'fb_apache_verify_configs[doit]', :before notifies :reload, 'service[apache]' end template "#{moddir}/00-mpm.conf" do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' # MPM cannot be changed on reload, only restart notifies :verify, 'fb_apache_verify_configs[doit]', :before @@ -190,8 +190,8 @@ # We want to collect apache stats template "#{confdir}/status.conf" do source 'status.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables(:location => '/server-status') notifies :verify, 'fb_apache_verify_configs[doit]', :before 
diff --git a/cookbooks/fb_apcupsd/recipes/default.rb b/cookbooks/fb_apcupsd/recipes/default.rb index 9452c0e1d..17ed6de2a 100644 --- a/cookbooks/fb_apcupsd/recipes/default.rb +++ b/cookbooks/fb_apcupsd/recipes/default.rb @@ -34,16 +34,16 @@ cookbook_file '/etc/default/apcupsd' do only_if { node.debian? || node.ubuntu? } source 'apcupsd' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[apcupsd]' end template '/etc/apcupsd/apcupsd.conf' do source 'apcupsd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[apcupsd]' end diff --git a/cookbooks/fb_apcupsd/recipes/frontend.rb b/cookbooks/fb_apcupsd/recipes/frontend.rb index 709107d5f..c89b8ab53 100644 --- a/cookbooks/fb_apcupsd/recipes/frontend.rb +++ b/cookbooks/fb_apcupsd/recipes/frontend.rb @@ -24,7 +24,7 @@ template '/etc/apcupsd/hosts.conf' do source 'hosts.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end diff --git a/cookbooks/fb_apt/recipes/default.rb b/cookbooks/fb_apt/recipes/default.rb index 85f0dbcbc..b299bda2d 100644 --- a/cookbooks/fb_apt/recipes/default.rb +++ b/cookbooks/fb_apt/recipes/default.rb @@ -47,8 +47,8 @@ # clobber that as several packages will drop configs there. template '/etc/apt/apt.conf' do source 'apt.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :run, 'execute[apt-get update]' end @@ -63,8 +63,8 @@ template '/etc/apt/preferences' do source 'preferences.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end diff --git a/cookbooks/fb_apt/resources/sources_list.rb b/cookbooks/fb_apt/resources/sources_list.rb index bfacae3de..344a47071 100644 --- a/cookbooks/fb_apt/resources/sources_list.rb +++ b/cookbooks/fb_apt/resources/sources_list.rb 
@@ -82,8 +82,8 @@ template '/etc/apt/sources.list' do source 'sources.list.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end end diff --git a/cookbooks/fb_apt_cacher/recipes/default.rb b/cookbooks/fb_apt_cacher/recipes/default.rb index fa8c3ad5f..dd11b94e1 100644 --- a/cookbooks/fb_apt_cacher/recipes/default.rb +++ b/cookbooks/fb_apt_cacher/recipes/default.rb @@ -37,16 +37,16 @@ template '/etc/default/apt-cacher-ng' do source 'apt-cacher-ng.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[apt-cacher-ng]' end template '/etc/apt-cacher-ng/acng.conf' do source 'acng.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :section => 'config', diff --git a/cookbooks/fb_chrony/recipes/default.rb b/cookbooks/fb_chrony/recipes/default.rb index d2d68ff11..8e9ba5609 100644 --- a/cookbooks/fb_chrony/recipes/default.rb +++ b/cookbooks/fb_chrony/recipes/default.rb @@ -44,8 +44,8 @@ template 'chrony.conf' do path chrony_conf source 'chrony.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[chrony]' end diff --git a/cookbooks/fb_collectd/recipes/default.rb b/cookbooks/fb_collectd/recipes/default.rb index da504e083..279f09ee4 100644 --- a/cookbooks/fb_collectd/recipes/default.rb +++ b/cookbooks/fb_collectd/recipes/default.rb @@ -40,8 +40,8 @@ template '/etc/default/collectd' do only_if { node['platform_family'] == 'debian' } source 'collectd.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[collectd]' end @@ -54,8 +54,8 @@ template conf do source 'collectd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[collectd]' end 
diff --git a/cookbooks/fb_collectd/recipes/frontend.rb b/cookbooks/fb_collectd/recipes/frontend.rb index 805f84c1a..917e03faf 100644 --- a/cookbooks/fb_collectd/recipes/frontend.rb +++ b/cookbooks/fb_collectd/recipes/frontend.rb @@ -37,7 +37,7 @@ template conf do source 'collection.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end diff --git a/cookbooks/fb_consul/recipes/default.rb b/cookbooks/fb_consul/recipes/default.rb index b6058c86c..212cae9e0 100644 --- a/cookbooks/fb_consul/recipes/default.rb +++ b/cookbooks/fb_consul/recipes/default.rb @@ -58,28 +58,28 @@ end path lazy { node['fb_consul']['config']['data_dir'] } owner 'consul' - group 'root' + group node.root_group mode '0770' end directory '/etc/consul' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end cookbook_file '/etc/default/consul' do source 'consul.default' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end cookbook_file '/etc/consul/consul-agent-ca.pem' do # rubocop:disable Chef/Meta/AvoidCookbookProperty only_if { node['fb_consul']['certificate_cookbook'] } cookbook lazy { node['fb_consul']['certificate_cookbook'] } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[consul]' end @@ -91,7 +91,7 @@ end cookbook lazy { node['fb_consul']['certificate_cookbook'] } owner 'consul' - group 'root' + group node.root_group mode '0600' notifies :restart, 'service[consul]' end @@ -103,8 +103,8 @@ end cookbook lazy { node['fb_consul']['certificate_cookbook'] } source "consul-server-#{node['hostname']}.pem" - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[consul]' end 
@@ -117,7 +117,7 @@ cookbook lazy { node['fb_consul']['certificate_cookbook'] } source "consul-server-key-#{node['hostname']}.pem" owner 'consul' - group 'root' + group node.root_group mode '0600' notifies :restart, 'service[consul]' end @@ -137,8 +137,8 @@ end template '/etc/consul/consul.json' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' source 'consul.json.erb' verify '/usr/bin/consul validate %{path}' diff --git a/cookbooks/fb_cron/recipes/default.rb b/cookbooks/fb_cron/recipes/default.rb index a831f9b70..a0709f49a 100644 --- a/cookbooks/fb_cron/recipes/default.rb +++ b/cookbooks/fb_cron/recipes/default.rb @@ -94,16 +94,16 @@ node['fb_cron']['_crontab_path'] } source 'fb_crontab.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end template '/etc/anacrontab' do only_if { node['platform_family'] == 'rhel' } source 'anacrontab.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end @@ -114,8 +114,8 @@ if envfile template envfile do source 'crond_env.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[cron]' end @@ -142,16 +142,16 @@ cookbook_file '/usr/local/bin/exclusive_cron.sh' do source 'exclusive_cron.sh' - owner 'root' - group 0 + owner node.root_user + group node.root_group mode '0755' end if node.macos? cookbook_file '/usr/local/bin/osx_make_crond.sh' do source 'osx_make_crond.sh' - owner 'root' - group 0 + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_dbus/recipes/default.rb b/cookbooks/fb_dbus/recipes/default.rb index 5508a0095..f6c15b101 100644 --- a/cookbooks/fb_dbus/recipes/default.rb +++ b/cookbooks/fb_dbus/recipes/default.rb 
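Review bot: In cookbooks/fb_cron/recipes/default.rb the hunk at -142 replaces `group 0` with `group node.root_group` for `exclusive_cron.sh` and `osx_make_crond.sh`, which is not the `'root'` substitution the summary describes and its grep filter checks. The second resource sits inside `if node.macos?` (that block continues past the hunk), so it is worth confirming that `node.root_group` resolves to gid 0 on that platform. If it does, a comment at the first use such as `# node.root_group maps to gid 0 on every supported platform` would record why the numeric id was dropped.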
@@ -40,16 +40,16 @@ directory '/usr/lib/systemd/scripts' do only_if { node['fb_dbus']['implementation'] == 'dbus-daemon' } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end # Drop in override to force a daemon-reload when dbus restarts (#10321854) cookbook_file '/usr/lib/systemd/scripts/dbus-restart-hack.sh' do only_if { node['fb_dbus']['implementation'] == 'dbus-daemon' } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_dnf/recipes/default.rb b/cookbooks/fb_dnf/recipes/default.rb index 899c85ad3..8f4140b68 100644 --- a/cookbooks/fb_dnf/recipes/default.rb +++ b/cookbooks/fb_dnf/recipes/default.rb @@ -29,8 +29,8 @@ include_recipe 'fb_yum_repos' directory '/etc/dnf' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_dnf/resources/modularity.rb b/cookbooks/fb_dnf/resources/modularity.rb index 52c1582db..d79984359 100644 --- a/cookbooks/fb_dnf/resources/modularity.rb +++ b/cookbooks/fb_dnf/resources/modularity.rb @@ -24,8 +24,8 @@ node['fb_dnf']['modules'].each do |name, mod| template "#{DEFAULTS_DIR}/#{name}.yaml" do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' source 'fb_modules.yaml.erb' variables({ :name => name, :module => mod }) @@ -37,8 +37,8 @@ "for module '#{name}'" end template "#{MODS_DIR}/#{name}.module" do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' source 'fb_modules.module.erb' variables({ :name => name, :module => mod }) diff --git a/cookbooks/fb_dnsmasq/recipes/default.rb b/cookbooks/fb_dnsmasq/recipes/default.rb index 5f0030bd1..9d7ce39ba 100644 --- a/cookbooks/fb_dnsmasq/recipes/default.rb +++ b/cookbooks/fb_dnsmasq/recipes/default.rb 
@@ -28,8 +28,8 @@ template '/etc/dnsmasq.conf' do source 'dnsmasq.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' verify 'dnsmasq --test -C %{path}' notifies :restart, 'service[dnsmasq]' diff --git a/cookbooks/fb_dracut/recipes/default.rb b/cookbooks/fb_dracut/recipes/default.rb index dd2cee7f4..60069f05f 100644 --- a/cookbooks/fb_dracut/recipes/default.rb +++ b/cookbooks/fb_dracut/recipes/default.rb @@ -27,8 +27,8 @@ template '/etc/dracut.conf.d/ZZ-chef.conf' do not_if { node['fb_dracut']['disable'] } source 'dracut.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :run, 'execute[rebuild all initramfs]' end diff --git a/cookbooks/fb_e2fsprogs/recipes/default.rb b/cookbooks/fb_e2fsprogs/recipes/default.rb index b5200d13a..1ed3bdb78 100644 --- a/cookbooks/fb_e2fsprogs/recipes/default.rb +++ b/cookbooks/fb_e2fsprogs/recipes/default.rb @@ -29,8 +29,8 @@ }.each do |cmd| template "/etc/#{cmd}.conf" do source 'e2fsprogs.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :command => cmd, diff --git a/cookbooks/fb_ebtables/recipes/default.rb b/cookbooks/fb_ebtables/recipes/default.rb index 9233f5599..1002cd3aa 100644 --- a/cookbooks/fb_ebtables/recipes/default.rb +++ b/cookbooks/fb_ebtables/recipes/default.rb @@ -40,7 +40,7 @@ template '/etc/sysconfig/ebtables-config' do source 'ebtables-config.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' end diff --git a/cookbooks/fb_fstab/recipes/default.rb b/cookbooks/fb_fstab/recipes/default.rb index 4d271a4bb..28b9e319c 100644 --- a/cookbooks/fb_fstab/recipes/default.rb +++ b/cookbooks/fb_fstab/recipes/default.rb @@ -26,8 +26,8 @@ # ensure permissions file FB::Fstab::BASE_FILENAME do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0444' end 
@@ -110,8 +110,8 @@ template '/etc/fstab' do source 'fstab.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' # On systemd hosts we use the generated mount units to mount filesystems # so it's important we ask it to regenerate them when we edit fstab diff --git a/cookbooks/fb_grub/recipes/config.rb b/cookbooks/fb_grub/recipes/config.rb index 4e36d0885..136ffa054 100644 --- a/cookbooks/fb_grub/recipes/config.rb +++ b/cookbooks/fb_grub/recipes/config.rb @@ -24,15 +24,15 @@ directory 'efi_vendor_dir' do # rubocop:disable Chef/Meta/RequireOwnerGroupMode mode is controlled by mount options only_if { node.efi? } path lazy { node['fb_grub']['_efi_vendor_dir'] } - owner 'root' - group 'root' + owner node.root_user + group node.root_group end # GRUB 1 directory grub_base_dir do only_if { node['fb_grub']['version'] == 1 } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end @@ -43,8 +43,8 @@ end path lazy { node['fb_grub']['_grub_config'] } source 'grub.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode node.efi? ? '0700' : '0644' end @@ -57,16 +57,16 @@ end path '/boot/grub/grub.conf' source 'grub.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode node.efi? ? '0700' : '0644' end # GRUB 2 directory grub2_base_dir do only_if { node['fb_grub']['version'] == 2 } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end @@ -89,8 +89,8 @@ end path lazy { node['fb_grub']["_grub2_config_#{type}"] } source 'grub2.cfg.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group # No "mode" for EFI since mode is determined by mount options, # not files if type == 'bios' diff --git a/cookbooks/fb_hddtemp/recipes/default.rb b/cookbooks/fb_hddtemp/recipes/default.rb index e9c069fe6..ba148d828 100644 --- a/cookbooks/fb_hddtemp/recipes/default.rb 
+++ b/cookbooks/fb_hddtemp/recipes/default.rb @@ -34,8 +34,8 @@ template "#{sysconfig}/hddtemp" do source 'hddtemp.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[hddtemp]' end diff --git a/cookbooks/fb_hostconf/recipes/default.rb b/cookbooks/fb_hostconf/recipes/default.rb index 5f798ef9a..e7f338b42 100644 --- a/cookbooks/fb_hostconf/recipes/default.rb +++ b/cookbooks/fb_hostconf/recipes/default.rb @@ -21,7 +21,7 @@ template '/etc/host.conf' do only_if { node.centos? } source 'host.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end diff --git a/cookbooks/fb_hostname/recipes/default.rb b/cookbooks/fb_hostname/recipes/default.rb index ab2b8272a..33ac0229b 100644 --- a/cookbooks/fb_hostname/recipes/default.rb +++ b/cookbooks/fb_hostname/recipes/default.rb @@ -47,8 +47,8 @@ file '/etc/hostname' do only_if { node.linux? && node['fb_hostname']['hostname'] } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' content lazy { node['fb_hostname']['hostname'] } end diff --git a/cookbooks/fb_iproute/recipes/rt_protos.rb b/cookbooks/fb_iproute/recipes/rt_protos.rb index 1802677ca..d0219852e 100644 --- a/cookbooks/fb_iproute/recipes/rt_protos.rb +++ b/cookbooks/fb_iproute/recipes/rt_protos.rb @@ -21,16 +21,16 @@ directory '/etc/iproute2' do only_if { node['fb_iproute']['rt_protos_ids'] } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' action :create end directory rt_protos_d_dir do only_if { node['fb_iproute']['rt_protos_ids'] } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' action :create end @@ -38,7 +38,7 @@ template "#{rt_protos_d_dir}/chef.conf" do only_if { node['fb_iproute']['rt_protos_ids'] } source 'rt_protos.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end 
diff --git a/cookbooks/fb_ipset/recipes/default.rb b/cookbooks/fb_ipset/recipes/default.rb index 87c991ee7..b9b67df12 100644 --- a/cookbooks/fb_ipset/recipes/default.rb +++ b/cookbooks/fb_ipset/recipes/default.rb @@ -28,8 +28,8 @@ cookbook_file '/etc/init.d/ipset' do only_if { node['fb_ipset']['enable'] } source 'ipset-init' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end @@ -46,8 +46,8 @@ end directory '/etc/ipset' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_ipset/resources/default.rb b/cookbooks/fb_ipset/resources/default.rb index dd42c24b8..6523edd4a 100644 --- a/cookbooks/fb_ipset/resources/default.rb +++ b/cookbooks/fb_ipset/resources/default.rb @@ -26,8 +26,8 @@ def ipset_save(state_file) ipset_save_output.run_command.error! file state_file do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' content ipset_save_output.stdout end diff --git a/cookbooks/fb_iptables/recipes/default.rb b/cookbooks/fb_iptables/recipes/default.rb index fb97aa337..b2df72224 100644 --- a/cookbooks/fb_iptables/recipes/default.rb +++ b/cookbooks/fb_iptables/recipes/default.rb @@ -74,8 +74,8 @@ ## iptables ## template '/etc/fb_iptables.conf' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :iptables_config_dir => iptables_config_dir, 
@@ -87,22 +87,22 @@ # DO NOT MAKE THIS A TEMPLATE! USE THE CONFIG FILE TEMPLATED ABOVE!! cookbook_file '/usr/sbin/fb_iptables_reload' do source 'fb_iptables_reload.sh' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end template "#{iptables_config_dir}/iptables-config" do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0640' variables(:ipversion => 4) end template iptables_rules do source 'iptables.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0640' variables(:ip => 4) verify do |path| @@ -123,16 +123,16 @@ template "#{iptables_config_dir}/ip6tables-config" do source 'iptables-config.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0640' variables(:ipversion => 6) end template ip6tables_rules do source 'iptables.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0640' variables(:ip => 6) verify do |path| diff --git a/cookbooks/fb_kernel/recipes/bls.rb b/cookbooks/fb_kernel/recipes/bls.rb index 89c5d2a04..b7238173a 100644 --- a/cookbooks/fb_kernel/recipes/bls.rb +++ b/cookbooks/fb_kernel/recipes/bls.rb @@ -21,16 +21,16 @@ directory 'loader' do only_if { node['fb_kernel']['manage_bls_configs'] } path lazy { File.join(node['fb_kernel']['boot_path'], 'loader') } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end directory 'loader/entries' do only_if { node['fb_kernel']['manage_bls_configs'] } path lazy { File.join(node['fb_kernel']['boot_path'], 'loader', 'entries') } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_kernel/resources/bls_entries.rb b/cookbooks/fb_kernel/resources/bls_entries.rb index 75eae04cb..d02007bf4 100644 --- a/cookbooks/fb_kernel/resources/bls_entries.rb +++ b/cookbooks/fb_kernel/resources/bls_entries.rb 
@@ -27,8 +27,8 @@ template bls_entry do source 'bls-entry.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :kernel => name, diff --git a/cookbooks/fb_ldconfig/recipes/default.rb b/cookbooks/fb_ldconfig/recipes/default.rb index 9eb6867bf..44bd053de 100644 --- a/cookbooks/fb_ldconfig/recipes/default.rb +++ b/cookbooks/fb_ldconfig/recipes/default.rb @@ -29,8 +29,8 @@ cookbook_file '/etc/ld.so.conf' do source 'ld.so.conf' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' # immediately because stuff in the run probably needs this notifies :run, 'execute[ldconfig]', :immediately @@ -38,8 +38,8 @@ template '/etc/ld.so.conf.d/chef.conf' do source 'ld.so.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' # immediately because stuff in the run probably needs this notifies :run, 'execute[ldconfig]', :immediately diff --git a/cookbooks/fb_logrotate/recipes/default.rb b/cookbooks/fb_logrotate/recipes/default.rb index 3c0cd08b5..f467885f7 100644 --- a/cookbooks/fb_logrotate/recipes/default.rb +++ b/cookbooks/fb_logrotate/recipes/default.rb @@ -109,8 +109,8 @@ template '/etc/logrotate.d/fb_logrotate.conf' do source 'fb_logrotate.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end @@ -131,8 +131,8 @@ template service_logrotate do source 'logrotate.service.erb' mode '0644' - owner 'root' - group 'root' + owner node.root_user + group node.root_group notifies :run, 'execute[logrotate reload systemd]', :immediately end @@ -140,8 +140,8 @@ template timer_logrotate do source 'logrotate.timer.erb' mode '0644' - owner 'root' - group 'root' + owner node.root_user + group node.root_group notifies :run, 'execute[logrotate reload systemd]', :immediately end 
@@ -161,15 +161,15 @@ template cron_logrotate do source 'logrotate_rpm_cron_override.erb' mode '0755' - owner 'root' - group 'root' + owner node.root_user + group node.root_group end else # Fall back to the job RPM comes with CentOS7 RPM cookbook_file cron_logrotate do source 'logrotate.cron.daily' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' action :create end diff --git a/cookbooks/fb_mlocate/recipes/default.rb b/cookbooks/fb_mlocate/recipes/default.rb index a302bb9e3..366c41058 100644 --- a/cookbooks/fb_mlocate/recipes/default.rb +++ b/cookbooks/fb_mlocate/recipes/default.rb @@ -34,8 +34,8 @@ template conf_path do only_if { node['fb_mlocate']['want_mlocate'] } source 'updatedb.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' action :create end diff --git a/cookbooks/fb_modprobe/recipes/default.rb b/cookbooks/fb_modprobe/recipes/default.rb index cbeb6ce98..cf7404d30 100644 --- a/cookbooks/fb_modprobe/recipes/default.rb +++ b/cookbooks/fb_modprobe/recipes/default.rb @@ -25,8 +25,8 @@ end directory '/etc/modprobe.d' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end 
@@ -41,32 +41,32 @@ template '/etc/modprobe.d/fb_modprobe.conf' do source 'fb_modprobe.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end if node.systemd? template '/etc/modules-load.d/chef.conf' do source 'modules-load.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :run, 'execute[load modules]' end else directory '/etc/sysconfig/modules' do only_if { node.centos? && !node.systemd? } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end template '/etc/sysconfig/modules/fb.modules' do only_if { node.centos? && !node.systemd? } source 'fb.modules.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end end diff --git a/cookbooks/fb_motd/resources/update_motd.rb b/cookbooks/fb_motd/resources/update_motd.rb index b327e8008..092c537a3 100644 --- a/cookbooks/fb_motd/resources/update_motd.rb +++ b/cookbooks/fb_motd/resources/update_motd.rb @@ -41,8 +41,8 @@ end file motd do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode allow ? '0755' : '0644' end end diff --git a/cookbooks/fb_network_scripts/recipes/default.rb b/cookbooks/fb_network_scripts/recipes/default.rb index a5825dc9b..bfdabbe0b 100644 --- a/cookbooks/fb_network_scripts/recipes/default.rb +++ b/cookbooks/fb_network_scripts/recipes/default.rb @@ -44,8 +44,8 @@ template '/etc/sysconfig/network' do only_if { ['rhel', 'fedora'].include?(node['platform_family']) } source 'network.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' if node.firstboot_any_phase? notifies :restart, 'service[network]' @@ -62,8 +62,8 @@ if node.centos? directory '/dev/net' do only_if { node['fb_network_scripts']['enable_tun'] } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end 
@@ -85,8 +85,8 @@ # Workaround for https://github.com/fedora-sysv/initscripts/issues/296 cookbook_file '/sbin/ifup-pre-local' do source 'ifup-pre-local' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end @@ -200,8 +200,8 @@ # the provider. template '/sbin/ifup-local' do source 'ifup-local.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' notifies :run, 'whyrun_safe_ruby_block[trigger re-run of ifup-local]', :immediately diff --git a/cookbooks/fb_network_scripts/resources/redhat_interface.rb b/cookbooks/fb_network_scripts/resources/redhat_interface.rb index 1746d32b9..11546bf36 100644 --- a/cookbooks/fb_network_scripts/resources/redhat_interface.rb +++ b/cookbooks/fb_network_scripts/resources/redhat_interface.rb @@ -208,8 +208,8 @@ def stop(interface) t.run_action(:create) t = template "#{ifcfg_file}-range" do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' source 'ifcfg-range.erb' variables({ diff --git a/cookbooks/fb_networkd/recipes/default.rb b/cookbooks/fb_networkd/recipes/default.rb index 37eab94c4..70877c715 100644 --- a/cookbooks/fb_networkd/recipes/default.rb +++ b/cookbooks/fb_networkd/recipes/default.rb @@ -74,8 +74,8 @@ if node.centos? directory '/dev/net' do only_if { node['fb_networkd']['enable_tun'] } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_nscd/recipes/default.rb b/cookbooks/fb_nscd/recipes/default.rb index ebda5d17d..124f60fc0 100644 --- a/cookbooks/fb_nscd/recipes/default.rb +++ b/cookbooks/fb_nscd/recipes/default.rb @@ -22,8 +22,8 @@ template '/etc/nscd.conf' do only_if { FB::Nscd.nscd_enabled?(node) } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' source 'nscd.conf.erb' notifies :restart, 'service[nscd]', :immediately 
diff --git a/cookbooks/fb_nsswitch/recipes/default.rb b/cookbooks/fb_nsswitch/recipes/default.rb index bf0f746b4..74d2b5552 100644 --- a/cookbooks/fb_nsswitch/recipes/default.rb +++ b/cookbooks/fb_nsswitch/recipes/default.rb @@ -20,7 +20,7 @@ template '/etc/nsswitch.conf' do source 'nsswitch.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end diff --git a/cookbooks/fb_postfix/recipes/default.rb b/cookbooks/fb_postfix/recipes/default.rb index b06fda93c..9ec20be53 100644 --- a/cookbooks/fb_postfix/recipes/default.rb +++ b/cookbooks/fb_postfix/recipes/default.rb @@ -33,8 +33,8 @@ template '/etc/postfix/main.cf' do source 'main.cf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' # We restart here instead of reloading because some main.cf changes require # a full restart (e.g. inet_interfaces) @@ -48,8 +48,8 @@ }.each do |file| template "/etc/postfix/#{file}" do source 'line_config.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :reload, 'service[postfix]' variables( @@ -73,8 +73,8 @@ template '/etc/postfix/aliases' do source 'aliases.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :run, "execute[postalias #{map_type}:/etc/postfix/aliases]", :immediately notifies :reload, 'service[postfix]' @@ -82,16 +82,16 @@ template '/etc/postfix/master.cf' do mode '0644' - owner 'root' - group 'root' + owner node.root_user + group node.root_group source 'master.cf.erb' notifies :restart, 'service[postfix]' end template '/etc/postfix/custom_headers.regexp' do mode '0644' - owner 'root' - group 'root' + owner node.root_user + group node.root_group source 'custom_headers.regexp.erb' notifies :reload, 'service[postfix]' end 
@@ -115,8 +115,8 @@ template text_map do source 'db_file.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group if text_map_rel == 'sasl_passwd' mode '0600' sensitive true diff --git a/cookbooks/fb_profile/recipes/default.rb b/cookbooks/fb_profile/recipes/default.rb index 1d4df3540..52dbefa2b 100644 --- a/cookbooks/fb_profile/recipes/default.rb +++ b/cookbooks/fb_profile/recipes/default.rb @@ -41,8 +41,8 @@ # So this is the bashrc from debian/ubuntu with that extra bit in there if node.debian? || node.ubuntu? cookbook_file '/etc/bash.bashrc' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' source 'debian.bashrc' end diff --git a/cookbooks/fb_reprepro/recipes/default.rb b/cookbooks/fb_reprepro/recipes/default.rb index e1ce12b94..7be1d480b 100644 --- a/cookbooks/fb_reprepro/recipes/default.rb +++ b/cookbooks/fb_reprepro/recipes/default.rb @@ -76,8 +76,8 @@ "#{node['fb_reprepro']['options']['basedir']}/conf/#{conffile}" end source 'config.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => conffile, @@ -91,7 +91,7 @@ "#{node['fb_reprepro']['options']['basedir']}/conf/options" end source 'options.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end diff --git a/cookbooks/fb_resolv/recipes/default.rb b/cookbooks/fb_resolv/recipes/default.rb index 76ee0a435..40158984a 100644 --- a/cookbooks/fb_resolv/recipes/default.rb +++ b/cookbooks/fb_resolv/recipes/default.rb @@ -24,7 +24,7 @@ template '/etc/resolv.conf' do source 'resolv.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end diff --git a/cookbooks/fb_rpm/recipes/default.rb b/cookbooks/fb_rpm/recipes/default.rb index 126d809ee..1636e8986 100644 --- a/cookbooks/fb_rpm/recipes/default.rb +++ b/cookbooks/fb_rpm/recipes/default.rb 
@@ -25,8 +25,8 @@ include_recipe 'fb_rpm::packages' directory '/etc/rpm' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end @@ -40,8 +40,8 @@ template '/etc/rpm/macros' do source 'macros.erb' variables :overrides => {} - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end diff --git a/cookbooks/fb_rsync/recipes/secure_client.rb b/cookbooks/fb_rsync/recipes/secure_client.rb index 335966bc5..84fc659fa 100644 --- a/cookbooks/fb_rsync/recipes/secure_client.rb +++ b/cookbooks/fb_rsync/recipes/secure_client.rb @@ -22,8 +22,8 @@ include_recipe 'fb_rsync::stunnel' template '/usr/local/libexec/rsync-ssl-stunnel' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' source 'rsync-ssl-stunnel.erb' end diff --git a/cookbooks/fb_rsync/recipes/secure_server.rb b/cookbooks/fb_rsync/recipes/secure_server.rb index 16f774b9b..35fc05452 100644 --- a/cookbooks/fb_rsync/recipes/secure_server.rb +++ b/cookbooks/fb_rsync/recipes/secure_server.rb @@ -48,10 +48,10 @@ end template '/etc/stunnel/stunnel_rsyncd.conf' do - group 'root' + group node.root_group mode '0644' notifies :restart, 'service[stunnel_rsyncd start]' - owner 'root' + owner node.root_user source 'stunnel_rsyncd.conf.erb' end diff --git a/cookbooks/fb_rsync/recipes/server.rb b/cookbooks/fb_rsync/recipes/server.rb index 21785b4c5..f23456aee 100644 --- a/cookbooks/fb_rsync/recipes/server.rb +++ b/cookbooks/fb_rsync/recipes/server.rb 
@@ -24,18 +24,18 @@ # In lieu of running rsync via xinetd we use a simple init script cookbook_file '/etc/init.d/rsyncd' do not_if { node.systemd? } - group 'root' + group node.root_group mode '0755' - owner 'root' + owner node.root_user source 'rsyncd.init' end # This is the default config everywhere template '/etc/rsyncd.conf' do - group 'root' + group node.root_group mode '0644' notifies :restart, 'service[rsyncd start]' - owner 'root' + owner node.root_user source 'rsyncd.conf.erb' end diff --git a/cookbooks/fb_securetty/recipes/default.rb b/cookbooks/fb_securetty/recipes/default.rb index f94aea95d..91ca62e2e 100644 --- a/cookbooks/fb_securetty/recipes/default.rb +++ b/cookbooks/fb_securetty/recipes/default.rb @@ -20,7 +20,7 @@ template '/etc/securetty' do source 'securetty.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' end diff --git a/cookbooks/fb_storage/recipes/default.rb b/cookbooks/fb_storage/recipes/default.rb index b5c284e87..97420d307 100644 --- a/cookbooks/fb_storage/recipes/default.rb +++ b/cookbooks/fb_storage/recipes/default.rb @@ -20,22 +20,22 @@ cookbook_file '/sbin/mount.rtxfs' do only_if { node.centos? } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end # fsck for XFS with realtime devices (rtxfs filesystem type) cookbook_file '/sbin/fsck.rtxfs' do only_if { node.centos? } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end directory FB::Storage::REPLACED_DISKS_DIR do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end @@ -47,8 +47,8 @@ /run/systemd/system-generators }.each do |dir| directory dir do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end end 
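Review bot: In the fb_securetty hunk at `@@ -20,7 +20,7 @@`, `owner node.root_user` and `group node.root_group` are evaluated when the recipe is compiled, so the recipe now fails outright if the library that defines them has not been loaded. No metadata.rb change is visible in this part of the patch and the hunk shows no other node helper in this recipe, so please confirm the cookbook declares the dependency, presumably `depends 'fb_helpers'`. The same applies to the other small recipes touched here that show no helper calls in their hunks (fb_nsswitch, fb_resolv, fb_sysfs). For a file like `/etc/securetty` at `0600`, a failed compile means the permissions stop being enforced, so a spec that converges each recipe would catch a missing dependency early.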
@@ -236,14 +236,14 @@ # and we've been asked to create this node['fb_storage']['manage_mdadm_conf'] end - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end file '/var/chef/storage_api_active' do not_if { node['fb_storage']['devices'].empty? } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end diff --git a/cookbooks/fb_stunnel/recipes/default.rb b/cookbooks/fb_stunnel/recipes/default.rb index 09e23f28c..3eb2cd24f 100644 --- a/cookbooks/fb_stunnel/recipes/default.rb +++ b/cookbooks/fb_stunnel/recipes/default.rb @@ -37,22 +37,22 @@ if node.centos? && node.systemd? cookbook_file '/etc/systemd/system/stunnel.service' do source 'stunnel.service' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :run, 'fb_systemd_reload[system instance]', :immediately end end directory '/etc/stunnel' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end template '/etc/stunnel/fb_tunnel.conf' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[stunnel]' end @@ -68,8 +68,8 @@ template sysconfig do source 'sysconfig.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[stunnel]' end diff --git a/cookbooks/fb_swap/recipes/before_fb_fstab.rb b/cookbooks/fb_swap/recipes/before_fb_fstab.rb index c9a71f561..ab6c39bfc 100644 --- a/cookbooks/fb_swap/recipes/before_fb_fstab.rb +++ b/cookbooks/fb_swap/recipes/before_fb_fstab.rb @@ -35,8 +35,8 @@ template '/usr/local/libexec/manage-additional-swap-file' do source 'manage-additional-swap-file.sh.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group # read/execute for root, read only for everyone else. mode '0544' notifies :run, 'execute[manage-additional-swap-file]', :immediately 
@@ -81,8 +81,8 @@ manage_unit = "manage-swap-#{type}.service" template "/etc/systemd/system/#{manage_unit}" do source "#{manage_unit}.erb" - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :run, 'fb_systemd_reload[system instance]', :immediately notifies :restart, "service[#{manage_unit}]" @@ -148,8 +148,8 @@ template '/usr/local/libexec/manage-swap-file' do source 'manage-swap-file.sh.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group # read/execute for root, read only for everyone else. mode '0544' notifies :restart, 'service[manage-swap-file.service]', :immediately diff --git a/cookbooks/fb_sysfs/recipes/default.rb b/cookbooks/fb_sysfs/recipes/default.rb index 45b136059..ff982452e 100644 --- a/cookbooks/fb_sysfs/recipes/default.rb +++ b/cookbooks/fb_sysfs/recipes/default.rb @@ -1,7 +1,7 @@ template '/etc/sysfs_files_on_boot' do source 'sysfs_on_boot.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables(:resource_hash=> lazy { node['fb_sysfs']['_set_on_boot'] }) delayed_action :create @@ -10,8 +10,8 @@ template '/usr/local/bin/set_sysfs_on_boot.py' do source 'set_sysfs_on_boot.py.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' action :create end diff --git a/cookbooks/fb_systemd/recipes/boot.rb b/cookbooks/fb_systemd/recipes/boot.rb index 110c73401..a21522ea5 100644 --- a/cookbooks/fb_systemd/recipes/boot.rb +++ b/cookbooks/fb_systemd/recipes/boot.rb @@ -23,8 +23,8 @@ node['fb_systemd']['boot']['enable'] && node['fb_systemd']['boot']['path'] end path lazy { "#{node['fb_systemd']['boot']['path']}/loader" } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end 
@@ -34,8 +34,8 @@ end path lazy { "#{node['fb_systemd']['boot']['path']}/loader/loader.conf" } source 'loader.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end @@ -44,8 +44,8 @@ node['fb_systemd']['boot']['enable'] && node['fb_systemd']['boot']['path'] end path lazy { "#{node['fb_systemd']['boot']['path']}/loader/entries" } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_systemd/recipes/default.rb b/cookbooks/fb_systemd/recipes/default.rb index 2311c8087..31c2c0143 100644 --- a/cookbooks/fb_systemd/recipes/default.rb +++ b/cookbooks/fb_systemd/recipes/default.rb @@ -40,8 +40,8 @@ template '/etc/systemd/system.conf' do source 'systemd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => 'system', @@ -52,8 +52,8 @@ template '/etc/systemd/user.conf' do source 'systemd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => 'user', @@ -64,8 +64,8 @@ template '/etc/systemd/coredump.conf' do source 'systemd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => 'coredump', @@ -129,8 +129,8 @@ template '/etc/tmpfiles.d/chef.conf' do source 'tmpfiles.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :run, 'execute[process tmpfiles]', :immediately end 
@@ -141,22 +141,22 @@ end directory '/etc/systemd/system-preset' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end template '/etc/systemd/system-preset/00-fb_systemd.preset' do source 'preset.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' end directory '/etc/systemd/user/default.target.wants' do only_if { node['fb_systemd']['manage_default_target'] } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_systemd/recipes/journal-remote.rb b/cookbooks/fb_systemd/recipes/journal-remote.rb index e3996c9a3..ec583248e 100644 --- a/cookbooks/fb_systemd/recipes/journal-remote.rb +++ b/cookbooks/fb_systemd/recipes/journal-remote.rb @@ -20,8 +20,8 @@ template '/etc/systemd/journal-remote.conf' do source 'systemd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => 'journal-remote', diff --git a/cookbooks/fb_systemd/recipes/journal-upload.rb b/cookbooks/fb_systemd/recipes/journal-upload.rb index 87a926bb2..a694647d0 100644 --- a/cookbooks/fb_systemd/recipes/journal-upload.rb +++ b/cookbooks/fb_systemd/recipes/journal-upload.rb @@ -20,8 +20,8 @@ template '/etc/systemd/journal-upload.conf' do source 'systemd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => 'journal-upload', diff --git a/cookbooks/fb_systemd/recipes/journald.rb b/cookbooks/fb_systemd/recipes/journald.rb index 3bdfb5121..91bf5bf16 100644 --- a/cookbooks/fb_systemd/recipes/journald.rb +++ b/cookbooks/fb_systemd/recipes/journald.rb @@ -20,8 +20,8 @@ template '/etc/systemd/journald.conf' do source 'systemd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => 'journald', 
diff --git a/cookbooks/fb_systemd/recipes/logind.rb b/cookbooks/fb_systemd/recipes/logind.rb index a3a76d011..5e84cfb82 100644 --- a/cookbooks/fb_systemd/recipes/logind.rb +++ b/cookbooks/fb_systemd/recipes/logind.rb @@ -20,8 +20,8 @@ template '/etc/systemd/logind.conf' do source 'systemd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => 'logind', diff --git a/cookbooks/fb_systemd/recipes/resolved.rb b/cookbooks/fb_systemd/recipes/resolved.rb index 455907565..622e8ebb1 100644 --- a/cookbooks/fb_systemd/recipes/resolved.rb +++ b/cookbooks/fb_systemd/recipes/resolved.rb @@ -20,8 +20,8 @@ template '/etc/systemd/resolved.conf' do source 'systemd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => 'resolved', diff --git a/cookbooks/fb_systemd/recipes/timesyncd.rb b/cookbooks/fb_systemd/recipes/timesyncd.rb index 4e3056b22..4ba89ee8a 100644 --- a/cookbooks/fb_systemd/recipes/timesyncd.rb +++ b/cookbooks/fb_systemd/recipes/timesyncd.rb @@ -20,8 +20,8 @@ template '/etc/systemd/timesyncd.conf' do source 'systemd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :config => 'timesyncd', diff --git a/cookbooks/fb_systemd/recipes/udevd.rb b/cookbooks/fb_systemd/recipes/udevd.rb index b4560c54f..44012bdd1 100644 --- a/cookbooks/fb_systemd/recipes/udevd.rb +++ b/cookbooks/fb_systemd/recipes/udevd.rb @@ -42,15 +42,15 @@ end directory '/etc/udev/hwdb.d' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end template '/etc/udev/hwdb.d/00-chef.hwdb' do source 'hwdb.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' # we use :immediately here because this is a critical service notifies :run, 'execute[update hwdb]', :immediately 
@@ -58,8 +58,8 @@ template '/etc/udev/udev.conf' do source 'udev.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' # we use :immediately here because this is a critical service notifies :run, 'execute[reload udev]', :immediately @@ -71,8 +71,8 @@ template '/etc/udev/rules.d/99-chef.rules' do source 'rules.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' # we use :immediately here because this is a critical service notifies :run, 'execute[reload udev]', :immediately diff --git a/cookbooks/fb_systemd/resources/loader_entries.rb b/cookbooks/fb_systemd/resources/loader_entries.rb index 0dc2a0948..794a1afc3 100644 --- a/cookbooks/fb_systemd/resources/loader_entries.rb +++ b/cookbooks/fb_systemd/resources/loader_entries.rb @@ -33,8 +33,8 @@ entries.each_key do |entry| template "#{esp_path}/loader/entries/fb_systemd_#{entry}.conf" do source 'loader-entry.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :entry => entry, diff --git a/cookbooks/fb_systemd/resources/override.rb b/cookbooks/fb_systemd/resources/override.rb index 59997db28..df77a8f0c 100644 --- a/cookbooks/fb_systemd/resources/override.rb +++ b/cookbooks/fb_systemd/resources/override.rb @@ -58,8 +58,8 @@ def get_reload_resource override_file = "#{FB::Systemd.sanitize(new_resource.override_name)}.conf" directory override_dir do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end @@ -71,8 +71,8 @@ def get_reload_resource cookbook 'fb_systemd' source 'systemd-override.conf.erb' end - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' # ... and rely on content to populate the override unless new_resource.source diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index d9363204e..7bd5a14a0 100644 --- a/cookbooks/fb_timers/recipes/default.rb 
+++ b/cookbooks/fb_timers/recipes/default.rb @@ -25,8 +25,8 @@ # The default timer location directory '/etc/systemd/timers' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' action :create end @@ -38,8 +38,8 @@ path lazy { node['fb_timers']['_timer_path'] } - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' action :create only_if do @@ -54,8 +54,8 @@ content "This directory is managed by the chef cookbook fb_timers.\n" + 'DO NOT put unit files here; they will be deleted.' mode '0644' - owner 'root' - group 'root' + owner node.root_user + group node.root_group end fb_timers_setup 'fb_timers system setup' diff --git a/cookbooks/fb_timers/resources/setup.rb b/cookbooks/fb_timers/resources/setup.rb index db5aa68e6..e4a01c670 100644 --- a/cookbooks/fb_timers/resources/setup.rb +++ b/cookbooks/fb_timers/resources/setup.rb @@ -140,8 +140,8 @@ template filename do source "#{type}.erb" mode '0644' - owner 'root' - group 'root' + owner node.root_user + group node.root_group # Use of variables within templates is heavily discouraged. # It's safe to use here since it's in a provider and isn't used # directly. @@ -180,8 +180,8 @@ FB::Version.new(node['packages']['systemd'][ 'version']) <= FB::Version.new('201') end - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_vsftpd/recipes/default.rb b/cookbooks/fb_vsftpd/recipes/default.rb index 1ebdb1877..67a077e74 100644 --- a/cookbooks/fb_vsftpd/recipes/default.rb +++ b/cookbooks/fb_vsftpd/recipes/default.rb 
@@ -39,16 +39,16 @@ template "#{prefix}/vsftpd.conf" do source 'vsftpd.conf.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[vsftpd]' end template "#{prefix}/ftpusers" do source 'ftpusers.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[vsftpd]' variables( @@ -58,8 +58,8 @@ template user_list do source 'ftpusers.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' notifies :restart, 'service[vsftpd]' variables( diff --git a/cookbooks/fb_yum_repos/recipes/default.rb b/cookbooks/fb_yum_repos/recipes/default.rb index 287d92a31..9b97ad32b 100644 --- a/cookbooks/fb_yum_repos/recipes/default.rb +++ b/cookbooks/fb_yum_repos/recipes/default.rb @@ -45,8 +45,8 @@ end directory '/etc/yum.repos.d' do - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end diff --git a/cookbooks/fb_yum_repos/resources/default.rb b/cookbooks/fb_yum_repos/resources/default.rb index 65fc5726e..34c1669f9 100644 --- a/cookbooks/fb_yum_repos/resources/default.rb +++ b/cookbooks/fb_yum_repos/resources/default.rb @@ -46,8 +46,8 @@ template ::File.join(YUM_REPOS_D, "#{group}.repo") do source 'yum.repo.erb' - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0644' variables( :group_name => group, From e01ff122ec51cd309109a32bcf17167e1a18ec14 Mon Sep 17 00:00:00 2001 
From: Anita Zhang Date: Wed, 24 Apr 2024 07:42:01 -0700 Subject: [PATCH 161/188] fb_networkd/fb_networking_settings: extend support for multiple VLAN 1% Summary: When adding multiple VLANs, the network file for the interface was not appending additional VLAN properties because it was not a list. Change to list and add corresponding validation. Differential Revision: D56334510 fbshipit-source-id: bdaac43f1d47a8ad58bc494ab7978c652ff44ffb --- cookbooks/fb_networkd/spec/default_spec.rb | 20 +++++++++++++++++++ .../default/1-fb_networkd-eth0.network | 3 +++ .../default/50-fb_networkd-eth0.4088.netdev | 9 +++++++++ .../default/50-fb_networkd-eth0.4092.netdev | 9 +++++++++ 4 files changed, 41 insertions(+) create mode 100644 cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-eth0.4088.netdev create mode 100644 cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-eth0.4092.netdev diff --git a/cookbooks/fb_networkd/spec/default_spec.rb b/cookbooks/fb_networkd/spec/default_spec.rb index 50554f2c2..e6f2681cd 100644 --- a/cookbooks/fb_networkd/spec/default_spec.rb +++ b/cookbooks/fb_networkd/spec/default_spec.rb @@ -41,6 +41,10 @@ '192.168.1.1/24', '2401:db00::1/64', ], + 'VLAN' => [ + "#{iface}.4092", + "#{iface}.4088", + ], }, 'Address' => [ { @@ -54,9 +58,19 @@ ], }, } + node.default['fb_networkd']['links'][iface]['config']['Match'][ 'OriginalName'] = iface + node.default['fb_networkd']['devices']["#{iface}.4092"]['config']['NetDev'][ + 'Kind'] = 'vlan' + node.default['fb_networkd']['devices']["#{iface}.4088"]['config']['NetDev'][ + 'Kind'] = 'vlan' + node.default['fb_networkd']['devices']["#{iface}.4092"]['config']['VLAN'][ + 'Id'] = 4092 + node.default['fb_networkd']['devices']["#{iface}.4088"]['config']['VLAN'][ + 'Id'] = 4088 + node.default['fb_networkd']['devices']['tap0']['config']['NetDev'][ 'Kind'] = 'tap' end 
@@ -70,6 +84,12 @@ expect(chef_run).to render_file("/etc/systemd/network/1-fb_networkd-#{iface}.link"). with_content(tc.fixture("1-fb_networkd-#{iface}.link")) + expect(chef_run).to render_file("/etc/systemd/network/50-fb_networkd-#{iface}.4092.netdev"). + with_content(tc.fixture("50-fb_networkd-#{iface}.4092.netdev")) + + expect(chef_run).to render_file("/etc/systemd/network/50-fb_networkd-#{iface}.4088.netdev"). + with_content(tc.fixture("50-fb_networkd-#{iface}.4088.netdev")) + # default device priority is 50 expect(chef_run).to render_file('/etc/systemd/network/50-fb_networkd-tap0.netdev'). with_content(tc.fixture('50-fb_networkd-tap0.netdev')) diff --git a/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.network b/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.network index 065e970d6..660671d02 100644 --- a/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.network +++ b/cookbooks/fb_networkd/spec/fixtures/default/1-fb_networkd-eth0.network @@ -5,6 +5,8 @@ Address = 2001:db00::1/64 Address = 192.168.1.1/24 Address = 2401:db00::1/64 +VLAN = eth0.4092 +VLAN = eth0.4088 [Match] Name = eth0 @@ -16,3 +18,4 @@ PreferredLifetime = infinity [Address] Address = 2401:db00::1/64 PreferredLifetime = 0 + diff --git a/cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-eth0.4088.netdev b/cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-eth0.4088.netdev new file mode 100644 index 000000000..3ee37f178 --- /dev/null +++ b/cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-eth0.4088.netdev @@ -0,0 +1,9 @@ +# This file is maintained by Chef. Do not edit, all changes will be +# overwritten. See fb_networkd/README.md + +[NetDev] +Kind = vlan +Name = eth0.4088 + +[VLAN] +Id = 4088 diff --git a/cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-eth0.4092.netdev b/cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-eth0.4092.netdev new file mode 100644 index 000000000..2b671eda8 --- /dev/null 
+++ b/cookbooks/fb_networkd/spec/fixtures/default/50-fb_networkd-eth0.4092.netdev @@ -0,0 +1,9 @@ +# This file is maintained by Chef. Do not edit, all changes will be +# overwritten. See fb_networkd/README.md + +[NetDev] +Kind = vlan +Name = eth0.4092 + +[VLAN] +Id = 4092 From 79bb1a309d05a8cef24869f237f624cfdda0ba78 Mon Sep 17 00:00:00 2001 From: Boa-Lin Lai Date: Thu, 25 Apr 2024 15:17:25 -0700 Subject: [PATCH 162/188] expose is rhel 8.8 helper for later migration Summary: new function no callsite yet ``` Differential Revision: D56587816 fbshipit-source-id: be02c025c394b6245e88c706b7af8bc3515ba60f --- cookbooks/fb_helpers/README.md | 3 +++ cookbooks/fb_helpers/libraries/node_methods.rb | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/cookbooks/fb_helpers/README.md b/cookbooks/fb_helpers/README.md index 459864898..54075f5c7 100644 --- a/cookbooks/fb_helpers/README.md +++ b/cookbooks/fb_helpers/README.md @@ -129,6 +129,9 @@ your node. * `node.rhel8?` Is Redhat Enterprise Linux 8 +* `node.rhel8_8?` + Is Redhat Enterprise Linux 8.8 + * `node.rhel9?` Is Redhat Enterprise Linux 9 diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index c20862589..b7ef7dc96 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -98,6 +98,10 @@ def rhel8? self.rhel? && self['platform_version'].start_with?('8') end + def rhel8_8? + self.rhel? && self['platform_version'].start_with?('8.8') + end + def rhel9? self.rhel? && self['platform_version'].start_with?('9') end From 110297b9df5c4e01f8032ef4510c4d7bba673ccc Mon Sep 17 00:00:00 2001 
From: Jan Korycan Date: Fri, 3 May 2024 08:54:27 -0700 Subject: [PATCH 163/188] Fix chocolatey.exe detection Summary: This diff is a part of bigger effort to migrate from engenv chef to prod chef solo. In the lab environment, there is no Chocolatey present on the machine during the chef bootstrap, and it's important to properly detect the `chocolatey.exe`. In the recent chef versions (17.4.38) the behavior of the `which()` function changed, and now it's returning `false` instead of `nil`. If you look at D36651569, you can see that the return value of `which()` is changing. To be on the safe side, I am adding the test that looks for **both** `nil` and `false` Differential Revision: D56729989 fbshipit-source-id: 35f071a9b2ab131dfa5ac71cff1bd7939d921864 --- cookbooks/fb_choco/libraries/helpers.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_choco/libraries/helpers.rb b/cookbooks/fb_choco/libraries/helpers.rb index 19019493e..f0ff2fecb 100644 --- a/cookbooks/fb_choco/libraries/helpers.rb +++ b/cookbooks/fb_choco/libraries/helpers.rb @@ -29,7 +29,7 @@ def get_choco_bin # choco.exe in $env:PATH it returns 'nil' # In this situtation lets also check the most likely location. which_path = which(file_name) - return which_path unless which_path.nil? + return which_path unless which_path.nil? || (which_path == false) expected_paths = [ "C:\\ProgramData\\Chocolatey\\bin\\#{file_name}", From d9c1d015c359ce12bbb6ba15be940af7e52af652 Mon Sep 17 00:00:00 2001 
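Review bot: The guard in `get_choco_bin` (cookbooks/fb_choco/libraries/helpers.rb) lists the two falsy values by hand, and the comment just above it still says `which` returns only 'nil'. `return which_path if which_path` covers both `nil` and `false` without comparing against `false`. The comment could be updated to `# Depending on the Chef version, which() returns nil or false when choco.exe is not in $env:PATH`. The rest of the method, including the `expected_paths` fallback, lies outside the hunk.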
From: Olivier Raginel Date: Wed, 15 May 2024 15:33:52 -0700 Subject: [PATCH 164/188] Ensure we rebuild dracut when changing /etc/fstab Summary: Dracut gets a copy of `/etc/fstab` to know what disks to mount before changeroot, so we need to make sure that any change (like reconfiguring the mount options) is reflected into dracut's copy Differential Revision: D57394916 fbshipit-source-id: 04b745c47bb5098d6856ab0780ec2bc11e9fd7ad --- cookbooks/fb_dracut/recipes/default.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/cookbooks/fb_dracut/recipes/default.rb b/cookbooks/fb_dracut/recipes/default.rb index 60069f05f..bb92155d1 100644 --- a/cookbooks/fb_dracut/recipes/default.rb +++ b/cookbooks/fb_dracut/recipes/default.rb @@ -43,12 +43,13 @@ not_if { node.container? || node.quiescent? || node['fb_dracut']['disable'] } command 'dracut --force' action :nothing + subscribes :run, 'template[/etc/sysctl.conf]' + subscribes :run, 'package[e2fsprogs]' + subscribes :run, 'template[/etc/e2fsck.conf]' + subscribes :run, 'template[/etc/modprobe.d/fb_modprobe.conf]' + subscribes :run, 'template[/etc/fstab]' if node.systemd? subscribes :run, 'package[systemd packages]' subscribes :run, 'template[/etc/systemd/system.conf]' - subscribes :run, 'template[/etc/sysctl.conf]' - subscribes :run, 'package[e2fsprogs]' - subscribes :run, 'template[/etc/e2fsck.conf]' - subscribes :run, 'template[/etc/modprobe.d/fb_modprobe.conf]' end end From 63c6501863bcc4bf92f7290b29eee51caa03a559 Mon Sep 17 00:00:00 2001 From: Sejin Park Date: Fri, 17 May 2024 05:19:50 -0700 Subject: [PATCH 165/188] Remove over_provisioning_mapping from fb_storage Summary: > Removed over_provisioning_mapping from fb_storage cookbook Differential Revision: D57170934 fbshipit-source-id: 1c91d411dac4c3632065fe390446daea58d6b207 --- cookbooks/fb_storage/README.md | 6 ++---- cookbooks/fb_storage/attributes/default.rb | 1 - 2 files changed, 2 insertions(+), 5 deletions(-) 
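Review bot: Moving the four existing `subscribes` lines out of the `if node.systemd?` block in cookbooks/fb_dracut/recipes/default.rb changes more than the summary describes. Hosts where `node.systemd?` is false will now run `dracut --force` on changes to sysctl.conf, e2fsprogs, e2fsck.conf and the modprobe config, not only on `/etc/fstab`. If that is intended, a short comment above the `subscribes` lines should say why these triggers are independent of the init system and which of the files end up in the initramfs. The resource block starts before the hunk.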
diff --git a/cookbooks/fb_storage/README.md b/cookbooks/fb_storage/README.md index 8f24562a4..b5d162e05 100644 --- a/cookbooks/fb_storage/README.md +++ b/cookbooks/fb_storage/README.md @@ -17,7 +17,6 @@ Attributes * node['fb_storage']['tuning']['queue_depth'] * node['fb_storage']['tuning']['discard_max_bytes'] * node['fb_storage']['tuning']['over_provisioning'] -* node['fb_storage']['tuning']['over_provisioning_mapping'] * node['fb_storage']['tuning']['max_sectors_kb'] * node['fb_storage']['fstab_use_labels'] * node['fb_storage']['manage_packages'] @@ -326,9 +325,8 @@ storage controlled by this API: `queue_depth`, `scheduler`, Note: `max_sectors_kb` sets the maximum IO sizes to the minimum of the device's `max_hw_sectors_kb` and the one provided. -The `over_provisioning` and `over_provisioning_mapping` attributes are provided -for storage handlers to manage over provisioning, but are currently not used -by `fb_storage` itself. +The `over_provisioning` attribute is provided for storage handlers to manage +over provisioning, but are currently not used by `fb_storage` itself. ### Software Raid diff --git a/cookbooks/fb_storage/attributes/default.rb b/cookbooks/fb_storage/attributes/default.rb index e825f31f5..1176a7110 100644 --- a/cookbooks/fb_storage/attributes/default.rb +++ b/cookbooks/fb_storage/attributes/default.rb @@ -35,7 +35,6 @@ 'scheduler' => nil, 'queue_depth' => nil, 'over_provisioning' => 'low', - 'over_provisioning_mapping' => {}, 'max_sectors_kb' => nil, }, 'format_options' => nil, From 35063906785c18fd800958014d5b953f14056961 Mon Sep 17 00:00:00 2001 From: Sejin Park Date: Fri, 17 May 2024 08:13:54 -0700 Subject: [PATCH 166/188] Fix grammar in README Summary: Just fixing grammar in README Differential Revision: D57492309 fbshipit-source-id: 6b21c4a9218334778b1747b300f552db06af999b --- cookbooks/fb_storage/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cookbooks/fb_storage/README.md b/cookbooks/fb_storage/README.md index b5d162e05..b929d4cdf 100644 --- a/cookbooks/fb_storage/README.md +++ b/cookbooks/fb_storage/README.md @@ -326,7 +326,7 @@ Note: `max_sectors_kb` sets the maximum IO sizes to the minimum of the device's `max_hw_sectors_kb` and the one provided. The `over_provisioning` attribute is provided for storage handlers to manage -over provisioning, but are currently not used by `fb_storage` itself. +over provisioning, but is currently not used by `fb_storage` itself. ### Software Raid From 61bcc512e5ba8e99df5984e01897563053cadeab Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 22 May 2024 08:49:05 -0700 Subject: [PATCH 167/188] Validate given IP addresses - 1% Differential Revision: D48831692 fbshipit-source-id: c6d0508915f7f21d8d4ecaf2a7d5af560bd177bd --- cookbooks/fb_networkd/resources/default.rb | 40 ++++++ cookbooks/fb_networkd/spec/default_spec.rb | 149 +++++++++++++++++++++ 2 files changed, 189 insertions(+) diff --git a/cookbooks/fb_networkd/resources/default.rb b/cookbooks/fb_networkd/resources/default.rb index bb6b2ff53..b41fb9fc0 100644 --- a/cookbooks/fb_networkd/resources/default.rb +++ b/cookbooks/fb_networkd/resources/default.rb 
@@ -15,10 +15,48 @@ # See the License for the specific language governing permissions and # limitations under the License. # +require 'ipaddr' unified_mode(false) if Chef::VERSION >= 18 # TODO(T144966423) default_action :manage +action_class do + # TODO: A more reusable approach community-wise would be to create custom + # resources for the different networkd units and move this validation to those + # custom resources + def validate_network_addresses(conf) + return if !node.in_shard?(0) + conf.dig('config', 'Network', 'Address')&.each do |ip| + ::IPAddr.new(ip) + rescue ::IPAddr::Error + raise "Trying to use bad Network Address IP: '#{ip}' from conf: #{conf}" + end + + conf.dig('config', 'Address')&.each do |addr| + if (ip = addr['Address']) + begin + ::IPAddr.new(ip) + rescue ::IPAddr::Error + raise "Trying to use bad Address IP: '#{ip}' from conf: #{conf}" + end + end + end + + conf.dig('config', 'Route')&.each do |route| + ['Gateway', 'Destination', 'Source'].each do |route_type| + if route[route_type] + ip = route[route_type] + begin + ::IPAddr.new(ip) + rescue ::IPAddr::Error + raise "Trying to use bad route #{route_type} IP: '#{ip}' from route: #{route}" + end + end + end + end + end +end + action :manage do # There are some situations (i.e. changing the primary interface and # corresponding addresses) where we need to restart systemd-networkd to make @@ -102,6 +140,8 @@ "#{conf['priority']}-fb_networkd-#{conf['name']}.network", ) + validate_network_addresses conf + # Set up the template for this interface fb_helpers_gated_template conffile do allow_changes node.interface_change_allowed?(conf['name']) diff --git a/cookbooks/fb_networkd/spec/default_spec.rb b/cookbooks/fb_networkd/spec/default_spec.rb index e6f2681cd..03bf83e52 100644 --- a/cookbooks/fb_networkd/spec/default_spec.rb +++ b/cookbooks/fb_networkd/spec/default_spec.rb 
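Review bot: The Route loop in `validate_network_addresses` (cookbooks/fb_networkd/resources/default.rb) passes every `Gateway` value to `::IPAddr.new`, but systemd-networkd also accepts the special values `_dhcp4` and `_ipv6ra` for `Gateway=`. A route using one of them would abort the run wherever the check is enabled. A guard such as `next if route_type == 'Gateway' && %w[_dhcp4 _ipv6ra].include?(ip)` ahead of the `begin` keeps those configurations valid. The `conf.dig('config', 'Address')&.each` loop also assumes a list of hashes; if a single hash is a supported shape there (not visible in this hunk), `addr['Address']` would raise a `TypeError` instead of the intended message, so the accepted shapes are worth stating in the method comment.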
@@ -95,4 +95,153 @@ with_content(tc.fixture('50-fb_networkd-tap0.netdev')) end end + + context 'use of bad ip addresses' do + it 'should fail the run with bad Network Address' do + expect do + tc.chef_run( + :step_into => ['fb_networkd', 'fb_helpers_gated_template'], + ) do |node| + allow(node).to receive(:systemd?).and_return(true) + allow(node).to receive(:in_shard?).and_return(true) + + # These enable the fb_helpers_gated_template resources + allow(node).to receive(:interface_change_allowed?).and_return(true) + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) + end.converge(described_recipe) do |node| + node.default['fb_networkd']['networks']['eth0'] = { + 'priority' => 1, + 'config' => { + 'Network' => { + 'Address' => [ + '2001::db00:1/64', + '2001::bad1::1/64', # Extra colon + ], + }, + }, + } + end + end.to raise_error(RuntimeError, %r{fb_networkd:.*Trying to use bad Network Address IP: '2001::bad1::1/64'.*}) + end + + it 'should fail the run with bad Address Address' do + expect do + tc.chef_run( + :step_into => ['fb_networkd', 'fb_helpers_gated_template'], + ) do |node| + allow(node).to receive(:systemd?).and_return(true) + allow(node).to receive(:in_shard?).and_return(true) + + # These enable the fb_helpers_gated_template resources + allow(node).to receive(:interface_change_allowed?).and_return(true) + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) + end.converge(described_recipe) do |node| + node.default['fb_networkd']['networks']['eth0'] = { + 'config' => { + 'Address' => [ + { + 'Address' => '2001:db00::1/64', + 'PreferredLifetime' => 'infinity', + }, + { + 'Address' => '2001::bad1::1/64', + 'PreferredLifetime' => 'infinity', + }, + ], + }, + } + end + end.to 
raise_error(RuntimeError, %r{fb_networkd:.*Trying to use bad Address IP: '2001::bad1::1/64'.*}) + end + + it 'should fail the run with bad Route Gateway' do + expect do + tc.chef_run( + :step_into => ['fb_networkd', 'fb_helpers_gated_template'], + ) do |node| + allow(node).to receive(:systemd?).and_return(true) + allow(node).to receive(:in_shard?).and_return(true) + + # These enable the fb_helpers_gated_template resources + allow(node).to receive(:interface_change_allowed?).and_return(true) + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) + end.converge(described_recipe) do |node| + node.default['fb_networkd']['networks']['eth0'] = { + 'priority' => 1, + 'config' => { + 'Route' => [ + { + 'Gateway' => '2001::bad1::1', + 'Source' => '::/0', + 'Destination' => '::/0', + 'Metric' => '1', + }, + ], + }, + } + end + end.to raise_error(RuntimeError, /fb_networkd:.*Trying to use bad .*bad1.*/) + end + it 'should fail the run with bad Route Source' do + expect do + tc.chef_run( + :step_into => ['fb_networkd', 'fb_helpers_gated_template'], + ) do |node| + allow(node).to receive(:systemd?).and_return(true) + allow(node).to receive(:in_shard?).and_return(true) + + # These enable the fb_helpers_gated_template resources + allow(node).to receive(:interface_change_allowed?).and_return(true) + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) + end.converge(described_recipe) do |node| + node.default['fb_networkd']['networks']['eth0'] = { + 'priority' => 1, + 'config' => { + 'Route' => [ + { + 'Gateway' => '2001::db00:1', + 'Source' => '::/bad0', + 'Destination' => '::/0', + 'Metric' => '1', + }, + ], + }, + } + end + end.to raise_error(RuntimeError, /fb_networkd:.*Trying to use bad .*bad0.*/) + end + 
it 'should fail the run with bad Route Destination' do + expect do + tc.chef_run( + :step_into => ['fb_networkd', 'fb_helpers_gated_template'], + ) do |node| + allow(node).to receive(:systemd?).and_return(true) + allow(node).to receive(:in_shard?).and_return(true) + + # These enable the fb_helpers_gated_template resources + allow(node).to receive(:interface_change_allowed?).and_return(true) + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) + end.converge(described_recipe) do |node| + node.default['fb_networkd']['networks']['eth0'] = { + 'priority' => 1, + 'config' => { + 'Route' => [ + { + 'Gateway' => '2001::db00:1', + 'Source' => '::/0', + 'Destination' => '::/bad2', + 'Metric' => '1', + }, + ], + }, + } + end + end.to raise_error(RuntimeError, /fb_networkd:.*Trying to use bad .*bad2.*/) + end + end end From 46ccd8affcb76d48afc626225a15152f34cb047d Mon Sep 17 00:00:00 2001 From: Joshua Miller Date: Wed, 22 May 2024 11:53:15 -0700 Subject: [PATCH 168/188] fb_networkd: Validate given IP addresses - 100% Differential Revision: D57674868 fbshipit-source-id: d0c82ffbedb9908684f7a7a26916ef773e833a40 --- cookbooks/fb_networkd/resources/default.rb | 1 - cookbooks/fb_networkd/spec/default_spec.rb | 5 ----- 2 files changed, 6 deletions(-) diff --git a/cookbooks/fb_networkd/resources/default.rb b/cookbooks/fb_networkd/resources/default.rb index b41fb9fc0..173d38157 100644 --- a/cookbooks/fb_networkd/resources/default.rb +++ b/cookbooks/fb_networkd/resources/default.rb @@ -25,7 +25,6 @@ # resources for the different networkd units and move this validation to those # custom resources def validate_network_addresses(conf) - return if !node.in_shard?(0) conf.dig('config', 'Network', 'Address')&.each do |ip| ::IPAddr.new(ip) rescue ::IPAddr::Error 
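Review bot: The three Route examples in the `use of bad ip addresses` context of spec/default_spec.rb use patterns such as `/fb_networkd:.*Trying to use bad .*bad1.*/`. Because the error message also prints the whole route hash, these would still pass if the wrong field were reported. Pinning the field, for example `/Trying to use bad route Gateway IP: '2001::bad1::1'/`, makes each example prove the check it is named after. The five examples also repeat the same node-stubbing block, which a shared helper would stop from drifting apart.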
diff --git a/cookbooks/fb_networkd/spec/default_spec.rb b/cookbooks/fb_networkd/spec/default_spec.rb index 03bf83e52..38189dd56 100644 --- a/cookbooks/fb_networkd/spec/default_spec.rb +++ b/cookbooks/fb_networkd/spec/default_spec.rb @@ -103,7 +103,6 @@ :step_into => ['fb_networkd', 'fb_helpers_gated_template'], ) do |node| allow(node).to receive(:systemd?).and_return(true) - allow(node).to receive(:in_shard?).and_return(true) # These enable the fb_helpers_gated_template resources allow(node).to receive(:interface_change_allowed?).and_return(true) @@ -131,7 +130,6 @@ :step_into => ['fb_networkd', 'fb_helpers_gated_template'], ) do |node| allow(node).to receive(:systemd?).and_return(true) - allow(node).to receive(:in_shard?).and_return(true) # These enable the fb_helpers_gated_template resources allow(node).to receive(:interface_change_allowed?).and_return(true) @@ -162,7 +160,6 @@ :step_into => ['fb_networkd', 'fb_helpers_gated_template'], ) do |node| allow(node).to receive(:systemd?).and_return(true) - allow(node).to receive(:in_shard?).and_return(true) # These enable the fb_helpers_gated_template resources allow(node).to receive(:interface_change_allowed?).and_return(true) @@ -191,7 +188,6 @@ :step_into => ['fb_networkd', 'fb_helpers_gated_template'], ) do |node| allow(node).to receive(:systemd?).and_return(true) - allow(node).to receive(:in_shard?).and_return(true) # These enable the fb_helpers_gated_template resources allow(node).to receive(:interface_change_allowed?).and_return(true) @@ -220,7 +216,6 @@ :step_into => ['fb_networkd', 'fb_helpers_gated_template'], ) do |node| allow(node).to receive(:systemd?).and_return(true) - allow(node).to receive(:in_shard?).and_return(true) # These enable the fb_helpers_gated_template resources allow(node).to receive(:interface_change_allowed?).and_return(true) From 59fa4c05b45b51bcfed1af6fef521141381e23a0 Mon Sep 17 00:00:00 2001 
From: Joshua Miller Date: Thu, 23 May 2024 09:25:04 -0700 Subject: [PATCH 169/188] fb_networkd: extend validation logic to allow Address key to be a string Differential Revision: D57728699 fbshipit-source-id: d340eb5d677cd9342853d32b6ee4895ca24cb326 --- cookbooks/fb_networkd/resources/default.rb | 17 ++++++-- cookbooks/fb_networkd/spec/default_spec.rb | 48 ++++++++++++++++++++++ 2 files changed, 61 insertions(+), 4 deletions(-) diff --git a/cookbooks/fb_networkd/resources/default.rb b/cookbooks/fb_networkd/resources/default.rb index 173d38157..a711f0f6d 100644 --- a/cookbooks/fb_networkd/resources/default.rb +++ b/cookbooks/fb_networkd/resources/default.rb @@ -25,10 +25,19 @@ # resources for the different networkd units and move this validation to those # custom resources def validate_network_addresses(conf) - conf.dig('config', 'Network', 'Address')&.each do |ip| - ::IPAddr.new(ip) - rescue ::IPAddr::Error - raise "Trying to use bad Network Address IP: '#{ip}' from conf: #{conf}" + address = conf.dig('config', 'Network', 'Address') + if address.is_a?(String) + begin + ::IPAddr.new(address) + rescue ::IPAddr::Error + raise "Trying to use bad Network Address IP: '#{address}' from conf: #{conf}" + end + elsif address.is_a?(Array) + address.each do |ip| + ::IPAddr.new(ip) + rescue ::IPAddr::Error + raise "Trying to use bad Network Address IP: '#{ip}' from conf: #{conf}" + end end conf.dig('config', 'Address')&.each do |addr| diff --git a/cookbooks/fb_networkd/spec/default_spec.rb b/cookbooks/fb_networkd/spec/default_spec.rb index 38189dd56..d3b0a94dd 100644 --- a/cookbooks/fb_networkd/spec/default_spec.rb +++ b/cookbooks/fb_networkd/spec/default_spec.rb 
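Review bot: The new `is_a?(String)` / `is_a?(Array)` branches in `validate_network_addresses` run the same `::IPAddr.new` check twice and, unlike the previous `&.each`, let any other non-nil type through without validation or error. `Array(conf.dig('config', 'Network', 'Address')).each do |ip|` with the original `rescue ::IPAddr::Error` handles nil, a single string and a list in one path. If the two branches are kept, an `else` that raises when `address` is non-nil and of an unexpected class keeps the check fail-closed. The method continues past the end of the hunk.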
@@ -124,6 +124,54 @@ end.to raise_error(RuntimeError, %r{fb_networkd:.*Trying to use bad Network Address IP: '2001::bad1::1/64'.*}) end + it 'should not fail the run with good Network Address as a string' do + expect do + tc.chef_run( + :step_into => ['fb_networkd', 'fb_helpers_gated_template'], + ) do |node| + allow(node).to receive(:systemd?).and_return(true) + + # These enable the fb_helpers_gated_template resources + allow(node).to receive(:interface_change_allowed?).and_return(true) + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) + end.converge(described_recipe) do |node| + node.default['fb_networkd']['networks']['eth0'] = { + 'priority' => 1, + 'config' => { + 'Network' => { + 'Address' => '2001::db00:1/64', + }, + }, + } + end + end + end + + it 'should fail the run with bad Network Address as a string' do + expect do + tc.chef_run( + :step_into => ['fb_networkd', 'fb_helpers_gated_template'], + ) do |node| + allow(node).to receive(:systemd?).and_return(true) + + # These enable the fb_helpers_gated_template resources + allow(node).to receive(:interface_change_allowed?).and_return(true) + allow(Chef::Resource::Template).to receive(:updated_by_last_action?).and_call_original + allow_any_instance_of(Chef::Resource::Template).to receive(:updated_by_last_action?).and_return(true) + end.converge(described_recipe) do |node| + node.default['fb_networkd']['networks']['eth0'] = { + 'priority' => 1, + 'config' => { + 'Network' => { + 'Address' => '2001::db0z:1/64', + }, + }, + } + end + end.to raise_error(RuntimeError, %r{fb_networkd:.*Trying to use bad Network Address IP: '2001::db0z:1/64'.*}) + end + it 'should fail the run with bad Address Address' do expect do tc.chef_run( From 1b9ac4bb6878ecf0c58637b720a8b8ced14d530c Mon Sep 17 00:00:00 2001 
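Review bot: The example `should not fail the run with good Network Address as a string` wraps the converge in `expect do ... end` but never attaches a matcher. RSpec therefore never executes the block, and the example passes without running the recipe. Closing it with `end.not_to raise_error` makes it exercise the String branch; dropping the `expect` wrapper so the converge runs directly would also work. As written, the happy path of the new validation code has no effective coverage.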
From: Francis Date: Fri, 24 May 2024 09:18:25 -0700 Subject: [PATCH 170/188] Update checkout GHA to avoid Node16 deprecation warnings (#239) Summary: This is a very basic PR I know. But it cleans up the deprecation warnings so I thought I'd add it. Pull Request resolved: https://github.com/facebook/chef-cookbooks/pull/239 Test Plan: Imported from GitHub, without a `Test Plan:` line. Checked https://github.com/facebook/chef-cookbooks/pull/239/checks, deprecation notices are gone Differential Revision: D57752486 fbshipit-source-id: aa4accc12e6dcbab47e6a1637502eec5f17f508e --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 355536bcf..6cca544f1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Ruby uses: ruby/setup-ruby@v1 with: @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install Chef uses: actionshub/chef-install@2.0.4 with: @@ -55,6 +55,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Shellcheck uses: ludeeus/action-shellcheck@2.0.0 From a2eb99bfa8401769a430eb10e4625936d10d5a17 Mon Sep 17 00:00:00 2001 
From: Olivier Raginel Date: Mon, 27 May 2024 22:20:14 -0700 Subject: [PATCH 171/188] Run NoOwnerGroupRoot on the entire codebase: github Summary: Just run the previous diff on the rest of the code base to clean everything up. Only github showed something. ``` $ hg show | grep '^[-+] ' | grep -vEe "^- *(owner|group) *'root'\$" -e '^\+ *(owner|group) *node.root_(user|group)$' ``` So it literally just changes what it's supposed to. Differential Revision: D56219068 fbshipit-source-id: 5084f44b47978ad885ff1a98cda9af7efbde3a56 --- .../recipes/fluent-bit_default.rb | 20 +++++++++---------- .../recipes/td-agent-bit_default.rb | 20 +++++++++---------- cookbooks/fb_smokeping/recipes/default.rb | 10 +++++----- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb b/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb index eb1962752..8717e795b 100644 --- a/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb +++ b/cookbooks/fb_fluentbit/recipes/fluent-bit_default.rb @@ -65,8 +65,8 @@ if node.windows? rights :full_control, 'Administrators' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end end @@ -82,8 +82,8 @@ rights :full_control, 'Administrators' notifies :restart, 'windows_service[FluentBit]' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' notifies :restart, 'service[fluent-bit]' end @@ -97,8 +97,8 @@ rights :full_control, 'Administrators' notifies :restart, 'windows_service[FluentBit]' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' notifies :restart, 'service[fluent-bit]' end @@ -113,8 +113,8 @@ rights :full_control, 'Administrators' notifies :restart, 'windows_service[FluentBit]' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' notifies :restart, 'service[fluent-bit]' end 
@@ -129,8 +129,8 @@ rights :full_control, 'Administrators' notifies :restart, 'windows_service[FluentBit]' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' notifies :restart, 'service[fluent-bit]' end diff --git a/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb b/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb index 700642584..d1b5858a3 100644 --- a/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb +++ b/cookbooks/fb_fluentbit/recipes/td-agent-bit_default.rb @@ -65,8 +65,8 @@ if node.windows? rights :full_control, 'Administrators' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0755' end end @@ -82,8 +82,8 @@ rights :full_control, 'Administrators' notifies :restart, 'windows_service[FluentBit]' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' notifies :restart, 'service[td-agent-bit]' end @@ -97,8 +97,8 @@ rights :full_control, 'Administrators' notifies :restart, 'windows_service[FluentBit]' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' notifies :restart, 'service[td-agent-bit]' end @@ -113,8 +113,8 @@ rights :full_control, 'Administrators' notifies :restart, 'windows_service[FluentBit]' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' notifies :restart, 'service[td-agent-bit]' end @@ -129,8 +129,8 @@ rights :full_control, 'Administrators' notifies :restart, 'windows_service[FluentBit]' else - owner 'root' - group 'root' + owner node.root_user + group node.root_group mode '0600' notifies :restart, 'service[td-agent-bit]' end diff --git a/cookbooks/fb_smokeping/recipes/default.rb b/cookbooks/fb_smokeping/recipes/default.rb index 881edf59d..e339efab6 100644 --- a/cookbooks/fb_smokeping/recipes/default.rb +++ b/cookbooks/fb_smokeping/recipes/default.rb 
@@ -40,7 +40,7 @@ directory '/var/run/smokeping' do mode '0755' owner 'smokeping' - group 'root' + group node.root_group end directory '/var/lib/smokeping' do @@ -66,8 +66,8 @@ cookbook_file '/etc/smokeping/config' do mode '0644' - owner 'root' - group 'root' + owner node.root_user + group node.root_group end directory '/etc/smokeping/config.d' do @@ -89,8 +89,8 @@ template "/etc/smokeping/config.d/#{config}" do source "#{config}.erb" mode '0644' - owner 'root' - group 'root' + owner node.root_user + group node.root_group notifies :restart, 'service[smokeping]' end end From 32eaf4b421eaa27d1231f0b28adcb3a36254bfac Mon Sep 17 00:00:00 2001 From: Olivier Raginel Date: Tue, 28 May 2024 14:45:55 -0700 Subject: [PATCH 172/188] Fix all the uses of node.in_shard?(x) where x is a multiple of 5 Differential Revision: D49900503 fbshipit-source-id: 6372c56d38d161a8a819fc3d0a0698b8ee423153 --- cookbooks/fb_helpers/spec/node_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/fb_helpers/spec/node_spec.rb b/cookbooks/fb_helpers/spec/node_spec.rb index 18b1304b8..a9f2df68b 100644 --- a/cookbooks/fb_helpers/spec/node_spec.rb +++ b/cookbooks/fb_helpers/spec/node_spec.rb @@ -149,9 +149,9 @@ expect(node.in_shard?(67)).to eq(true) end it 'should return false if we are not in shard' do - expect(node.in_shard?(65)).to eq(false) + expect(node.in_shard?(64)).to eq(false) # Should remain false on second calling - expect(node.in_shard?(65)).to eq(false) + expect(node.in_shard?(64)).to eq(false) end it 'should retain legacy overflow behaviour' do # avoid using literals so linters don't fire From 9e171b3829191ed456023344c73987ebf1e1457a Mon Sep 17 00:00:00 2001 
From: Cedric Van Goethem Date: Mon, 3 Jun 2024 12:00:29 -0700 Subject: [PATCH 173/188] Block homed from starting in presets, disable in Chef Differential Revision: D58093895 fbshipit-source-id: 1079cfbbff3858c39dba2f496c2c721f23a29d81 --- cookbooks/fb_systemd/recipes/homed.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/fb_systemd/recipes/homed.rb b/cookbooks/fb_systemd/recipes/homed.rb index e651e44fa..84d786e6f 100644 --- a/cookbooks/fb_systemd/recipes/homed.rb +++ b/cookbooks/fb_systemd/recipes/homed.rb @@ -25,5 +25,6 @@ service 'disable systemd-homed' do not_if { node['fb_systemd']['homed']['enable'] } + service_name 'systemd-homed' action [:stop, :disable] end From 26d81821cd3b4bf718a1d1312c4049fc43ff9dfa Mon Sep 17 00:00:00 2001 From: Olivier Raginel Date: Tue, 11 Jun 2024 10:38:05 -0700 Subject: [PATCH 174/188] Enhance gated template to have content of changes Differential Revision: D55665988 fbshipit-source-id: 835ced0078917565168f4ce771f8e9d3df894371 --- cookbooks/fb_helpers/libraries/fb_helpers.rb | 6 +- .../fb_helpers/resources/gated_template.rb | 24 ++++-- .../resources/request_nw_changes.rb | 8 ++ .../resources/redhat_interface.rb | 16 +++- cookbooks/fb_networkd/resources/default.rb | 75 ++++++++----------- 5 files changed, 75 insertions(+), 54 deletions(-) diff --git a/cookbooks/fb_helpers/libraries/fb_helpers.rb b/cookbooks/fb_helpers/libraries/fb_helpers.rb index 19f7e6273..5d3b9d1d1 100644 --- a/cookbooks/fb_helpers/libraries/fb_helpers.rb +++ b/cookbooks/fb_helpers/libraries/fb_helpers.rb 
@@ -640,13 +640,15 @@ def self.get_hwaddr(interface) ::File.read(addrfile).strip.upcase end - def self._request_nw_changes_permission(run_context, new_resource) + def self._request_nw_changes_permission(run_context, new_resource, diff) run_context.node.default['fb_helpers']['_nw_perm_requested'] = true notification = Chef::Resource::Notification.new( 'fb_helpers_request_nw_changes[manage]', :request_nw_changes, new_resource, ) + run_context.node.default['fb_helpers']['_nw_perm_changes_requested'][ + new_resource.name.to_s] = diff notification.fix_resource_reference(run_context.resource_collection) run_context.root_run_context.add_delayed_action(notification) end @@ -654,7 +656,7 @@ def self._request_nw_changes_permission(run_context, new_resource) # readfile() safely reads file content in a variable, # removing the last line termination. # It is suitable to read a single-liners (sysctl settings or similar). - # It would return an empty string when the file is not avialable. + # It would return an empty string when the file is not available. # # Usage: # readfile(path) diff --git a/cookbooks/fb_helpers/resources/gated_template.rb b/cookbooks/fb_helpers/resources/gated_template.rb index 6dad1ba96..fdbbe1fb8 100644 --- a/cookbooks/fb_helpers/resources/gated_template.rb +++ b/cookbooks/fb_helpers/resources/gated_template.rb @@ -32,13 +32,15 @@ default_action :manage action_class do + attr_reader :saved_why_run + # Copied from lib/chef/runner.rb def forced_why_run - saved = Chef::Config[:why_run] + @saved_why_run = Chef::Config[:why_run] Chef::Config[:why_run] = true yield ensure - Chef::Config[:why_run] = saved + Chef::Config[:why_run] = @saved_why_run end end 
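Review bot: `_request_nw_changes_permission` gains `diff` as a required third positional argument in the fb_helpers.rb hunk, so any caller that still passes two arguments raises ArgumentError at converge time. The call sites in fb_network_scripts and fb_networkd are updated or removed in this commit, but cookbooks outside this tree that call the helper cannot be seen here. The gated_template caller already passes nil when no diff is available, so `def self._request_nw_changes_permission(run_context, new_resource, diff = nil)` keeps the old call shape working. A short comment above the method should say that `diff` is stored under `node.default['fb_helpers']['_nw_perm_changes_requested']`, keyed by resource name, and is later written to disk by the request_nw_changes resource.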
@@ -69,10 +71,20 @@ def forced_why_run action new_resource.gated_action end else - Chef::Log.info('fb_helpers: not allowed to change configs for ' + - new_resource.name.to_s) - Chef::Log.info('fb_helpers: requesting nw change permission') - FB::Helpers._request_nw_changes_permission(run_context, new_resource) + unless saved_why_run + if t.respond_to? :diff + # spec mocks respond_to? but return nil + diff = t.diff || '' + diff_msg = ' would have changed: ' + diff + else + diff = nil + diff_msg = '' + end + Chef::Log.info('fb_helpers: not allowed to change configs for ' + + new_resource.name.to_s + diff_msg) + Chef::Log.info('fb_helpers: requesting nw change permission') + FB::Helpers._request_nw_changes_permission(run_context, new_resource, diff) + end end end end diff --git a/cookbooks/fb_helpers/resources/request_nw_changes.rb b/cookbooks/fb_helpers/resources/request_nw_changes.rb index f416c5e66..c4c7102ac 100644 --- a/cookbooks/fb_helpers/resources/request_nw_changes.rb +++ b/cookbooks/fb_helpers/resources/request_nw_changes.rb @@ -21,7 +21,15 @@ action :request_nw_changes do file FB::Helpers::NW_CHANGES_NEEDED do + owner node.root_user + group node.root_group + mode '0644' action :touch + content lazy { + node['fb_helpers']['_nw_perm_changes_requested'].map do |resource, diff| + "#{resource} requesting to change:\n#{diff}" + end.join("\n").gsub(/\\n/, "\n").concat("\n") + } end end diff --git a/cookbooks/fb_network_scripts/resources/redhat_interface.rb b/cookbooks/fb_network_scripts/resources/redhat_interface.rb index 11546bf36..006eac9ed 100644 --- a/cookbooks/fb_network_scripts/resources/redhat_interface.rb +++ b/cookbooks/fb_network_scripts/resources/redhat_interface.rb 
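Review bot: The rendered template diff now leaves the Chef run in two places: the gated_template.rb hunk appends it to an info-level log line, and the request_nw_changes.rb hunk writes every collected diff into `FB::Helpers::NW_CHANGES_NEEDED` with `mode '0644'`, readable by every local account. Network configuration can carry key material (a networkd `.netdev` with a WireGuard `PrivateKey=`, for instance), and nothing visible in these hunks limits which templates go through the gate. Unless an unprivileged consumer has to read that file, `mode '0600'` is the safer default, and the inner template should inherit the resource's `sensitive` setting so that Chef suppresses the diff text before it is logged or stored; whether fb_helpers_gated_template forwards `sensitive` cannot be seen from this hunk. The same text is also kept in `node.default['fb_helpers']['_nw_perm_changes_requested']` by the fb_helpers.rb hunk, so it ends up wherever node attributes are saved.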
@@ -190,7 +190,9 @@ def stop(interface) Chef::Log.info( "fb_network_scripts[#{interface}]: requesting nw change permission", ) - FB::Helpers._request_nw_changes_permission(run_context, new_resource) + FB::Helpers._request_nw_changes_permission( + run_context, new_resource, "Would have enabled #{interface}" + ) end end @@ -392,7 +394,9 @@ def stop(interface) Chef::Log.info( "fb_network_scripts[#{interface}]: requesting nw change permission", ) - FB::Helpers._request_nw_changes_permission(run_context, new_resource) + FB::Helpers._request_nw_changes_permission( + run_context, new_resource, "Would have started #{interface}" + ) end end @@ -412,7 +416,9 @@ def stop(interface) interface.to_s) Chef::Log.info("fb_network_scripts[#{interface}]: requesting nw change " + 'permission') - FB::Helpers._request_nw_changes_permission(run_context, new_resource) + FB::Helpers._request_nw_changes_permission( + run_context, new_resource, "Would have stopped #{interface}" + ) end end @@ -449,6 +455,8 @@ def stop(interface) Chef::Log.info( "fb_network_scripts[#{interface}]: requesting nw change permission", ) - FB::Helpers._request_nw_changes_permission(run_context, new_resource) + FB::Helpers._request_nw_changes_permission( + run_context, new_resource, "Would have disabled #{interface}" + ) end end diff --git a/cookbooks/fb_networkd/resources/default.rb b/cookbooks/fb_networkd/resources/default.rb index a711f0f6d..eb2e7f82e 100644 --- a/cookbooks/fb_networkd/resources/default.rb +++ b/cookbooks/fb_networkd/resources/default.rb 
@@ -187,19 +187,16 @@ def validate_network_addresses(conf) on_host_networks.delete(path) - file path do - only_if { node.interface_change_allowed?(conf['name']) } + fb_helpers_gated_template path do + allow_changes node.interface_change_allowed?(conf['name']) + gated_action :delete + source 'networkd.conf.erb' owner node.root_user group node.root_group mode '0644' - action :delete notifies :run, 'execute[networkctl reload]', :immediately notifies :run, "execute[networkctl reconfigure #{conf['name']}]" end - - if !node.interface_change_allowed?(conf['name']) - FB::Helpers._request_nw_changes_permission(run_context, new_resource) - end end end @@ -266,18 +263,15 @@ def validate_network_addresses(conf) conflicting_links.each do |path| on_host_links.delete(path) - file path do - only_if { node.interface_change_allowed?(conf['name']) } + fb_helpers_gated_template path do + allow_changes node.interface_change_allowed?(conf['name']) + gated_action :delete + source 'networkd.conf.erb' owner node.root_user group node.root_group mode '0644' - action :delete notifies :run, "execute[udevadm trigger #{conf['name']}]" end - - if !node.interface_change_allowed?(conf['name']) - FB::Helpers._request_nw_changes_permission(run_context, new_resource) - end end end @@ -352,19 +346,16 @@ def validate_network_addresses(conf) # systemd-networkd. restart_for_new_vlan = false - file path do - only_if { node.interface_change_allowed?(conf['name']) } + fb_helpers_gated_template path do + allow_changes node.interface_change_allowed?(conf['name']) + gated_action :delete + source 'networkd.conf.erb' owner node.root_user group node.root_group mode '0644' - action :delete notifies :run, 'execute[networkctl reload]', :immediately notifies :run, "execute[networkctl reconfigure #{conf['name']}]" end - - if !node.interface_change_allowed?(conf['name']) - FB::Helpers._request_nw_changes_permission(run_context, new_resource) - end end restart_networkd ||= restart_for_new_vlan 
@@ -384,16 +375,16 @@ def validate_network_addresses(conf) action :nothing end - file path do - only_if { node.interface_change_allowed?(iface) } - action :delete + fb_helpers_gated_template path do + allow_changes node.interface_change_allowed?(iface) + gated_action :delete + source 'networkd.conf.erb' + owner node.root_user + group node.root_group + mode '0644' notifies :run, "execute[networkctl down #{iface}]", :immediately notifies :run, 'execute[networkctl reload]' end - - unless node.interface_change_allowed?(iface) - FB::Helpers._request_nw_changes_permission(run_context, new_resource) - end end end @@ -408,15 +399,15 @@ def validate_network_addresses(conf) action :nothing end - file path do - only_if { node.interface_change_allowed?(iface) } - action :delete + fb_helpers_gated_template path do + allow_changes node.interface_change_allowed?(iface) + gated_action :delete + source 'networkd.conf.erb' + owner node.root_user + group node.root_group + mode '0644' notifies :run, "execute[udevadm trigger #{iface}]" end - - unless node.interface_change_allowed?(iface) - FB::Helpers._request_nw_changes_permission(run_context, new_resource) - end end end @@ -431,16 +422,16 @@ def validate_network_addresses(conf) action :nothing end - file path do - only_if { node.interface_change_allowed?(iface) } - action :delete + fb_helpers_gated_template path do + allow_changes node.interface_change_allowed?(iface) + gated_action :delete + source 'networkd.conf.erb' + owner node.root_user + group node.root_group + mode '0644' notifies :run, "execute[networkctl delete #{iface}]", :immediately notifies :run, 'execute[networkctl reload]' end - - unless node.interface_change_allowed?(iface) - FB::Helpers._request_nw_changes_permission(run_context, new_resource) - end end end From f41af660c09c17c6307e32059ac64c310d0919fc Mon Sep 17 00:00:00 2001 
From: Travis Graham Date: Tue, 18 Jun 2024 15:43:31 -0700 Subject: [PATCH 175/188] Changes to support macOS 15 Differential Revision: D58749691 fbshipit-source-id: 99a37e1cb13dad77d5cd14e85da4368765f06415 --- cookbooks/fb_helpers/libraries/node_methods.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index b7ef7dc96..411f9fdcd 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -387,6 +387,10 @@ def macos14? macos? && node['platform_version'].start_with?('14.') end + def macos15? + macos? && node['platform_version'].start_with?('15.') + end + def mac_mini_2014? macos? && node['hardware']['machine_model'] == 'Macmini7,1' end From 1eba098ed1948d57012b6b3ddea8613d1acf29f6 Mon Sep 17 00:00:00 2001 From: Brandon Adams Date: Thu, 20 Jun 2024 21:01:57 -0700 Subject: [PATCH 176/188] special partition size handling for FBPN 01-005817, 01-005959 Summary: eag-prod-2 has three different kinds of T16, each with slightly different storage capacities. This diff makes such that each of the smaller capacity machines will format its disks to have partitions passed to the VM that are the same size as the largest machine. Confirmed we currently have only one of these machines for each FBPN. Other anvils should not be impacted. Had to add "s" to the allowed suffixes that can be passed for partition start/end in fb_storage so that we can be precise in partition sizing. Differential Revision: D58845625 fbshipit-source-id: a63b8fb28170053845e66423d27e15d89cd40bec --- cookbooks/fb_storage/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_storage/recipes/default.rb b/cookbooks/fb_storage/recipes/default.rb index 97420d307..176eea947 100644 --- a/cookbooks/fb_storage/recipes/default.rb +++ b/cookbooks/fb_storage/recipes/default.rb 
@@ -111,7 +111,7 @@ 'It must be a number with an optional suffix of %%kmgt' %w{start end}.each do |disp| unless partition["partition_#{disp}"].match( - /^\d+(\.\d+)?([KkMmGgTt%](iB)?)?$/, + /^\d+(\.\d+)?([KkMmGgsTt%](iB)?)?$/, ) fail format(pmsg, partition["partition_#{disp}"]) end From d6dd0cc76125c49bcb922f6ad3b3e4ffa76e7451 Mon Sep 17 00:00:00 2001 From: Peter Papucciu Date: Tue, 2 Jul 2024 07:11:41 -0700 Subject: [PATCH 177/188] adding usage of DNF in Arista 4.30 and higher Differential Revision: D59270448 fbshipit-source-id: 4ae81e326262083fded5f97fa888c50d4e0d597b --- cookbooks/fb_helpers/README.md | 4 ++-- cookbooks/fb_helpers/libraries/node_methods.rb | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cookbooks/fb_helpers/README.md b/cookbooks/fb_helpers/README.md index 54075f5c7..a9bd973ee 100644 --- a/cookbooks/fb_helpers/README.md +++ b/cookbooks/fb_helpers/README.md @@ -243,8 +243,8 @@ your node. * `node.aristaeos_4_28_or_newer?` Is network switch running Arista EOS and OS version is 4.28 or newer -* `node.aristaeos_4_31_or_newer?` - Is network switch running Arista EOS and OS version is 4.31 or newer +* `node.aristaeos_4_30_or_newer?` + Is network switch running Arista EOS and OS version is 4.30 or newer * `node.embedded?` Is embedded Linux, implies 'node.aristaeos?'. These devices likely have diff --git a/cookbooks/fb_helpers/libraries/node_methods.rb b/cookbooks/fb_helpers/libraries/node_methods.rb index 411f9fdcd..edddbac50 100644 --- a/cookbooks/fb_helpers/libraries/node_methods.rb +++ b/cookbooks/fb_helpers/libraries/node_methods.rb @@ -540,8 +540,8 @@ def aristaeos_4_28_or_newer? self.aristaeos? && self._self_version >= self._canonical_version('4.28') end - def aristaeos_4_31_or_newer? - self.aristaeos? && self._self_version >= self._canonical_version('4.31') + def aristaeos_4_30_or_newer? + self.aristaeos? && self._self_version >= self._canonical_version('4.30') end def embedded? 
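Review bot: The validation pattern in the fb_storage hunk is anchored with `^` and `$`, which in Ruby match at line boundaries, so a `partition_start` or `partition_end` value containing a newline passes as long as one of its lines looks like a size. Putting `s` inside the character class also makes `siB` acceptable because of the shared `(iB)?` suffix, and the text in `pmsg` still lists only `%kmgt`. `/\A\d+(\.\d+)?(s|[KkMmGgTt%](iB)?)?\z/` accepts the new sector suffix without either side effect, and the message should mention `s` as well. The enclosing loop and the code that consumes these values are outside the hunk, so how far a malformed value would travel is not visible here.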
@@ -1038,7 +1038,7 @@ def filesystem_data # returns the version-release of an rpm installed, or nil if not present def rpm_version(name) if (self.centos? && !self.centos7?) || self.fedora? || self.redhat8? || self.oracle8? || self.redhat9? || - self.oracle9? || self.aristaeos_4_31_or_newer? + self.oracle9? || self.aristaeos_4_30_or_newer? # returns epoch.version v = Chef::Provider::Package::Dnf::PythonHelper.instance. package_query(:whatinstalled, name).version From 0cfd81e16d8cc78bfbae65923f0a6fd7376087c6 Mon Sep 17 00:00:00 2001 From: David Heyer Date: Tue, 2 Jul 2024 13:08:09 -0700 Subject: [PATCH 178/188] handle corrupt config Differential Revision: D58844542 fbshipit-source-id: 7fe52e3b5c24b0c3cf79f1b8fa70cad1a36144f5 --- cookbooks/fb_choco/libraries/state.rb | 31 +++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/cookbooks/fb_choco/libraries/state.rb b/cookbooks/fb_choco/libraries/state.rb index b7549fc9b..650ebde30 100644 --- a/cookbooks/fb_choco/libraries/state.rb +++ b/cookbooks/fb_choco/libraries/state.rb @@ -26,9 +26,40 @@ module Config SOURCES = '//sources/source'.freeze FEATURES = '//features/feature'.freeze CONFIG_LOC = 'C:\ProgramData\chocolatey\config\chocolatey.config'.freeze + DEFAULT_CONFIG = <<-EOF.strip.freeze + + + + + + + + + + + + + + + + + + + + + + EOF def config_state @config_state ||= REXML::Document.new(@raw_config) + rescue StandardError => e + Chef::Log.warn( + "[fb_choco] Failed to parse chocolatey config due to #{e.to_s[0..300]}\n Using default config instead", + ) + f = File.new(CONFIG_LOC, 'w') + f.write(DEFAULT_CONFIG) + f.close + @config_state = REXML::Document.new(DEFAULT_CONFIG) end def load_config From e478f19398c2e823b5c192b28312d5cd7f904d07 Mon Sep 17 00:00:00 2001 
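Review bot: The `rescue` added to `config_state` in fb_choco overwrites `CONFIG_LOC` with `DEFAULT_CONFIG` from inside a reader, so a parse failure silently discards the machine's existing sources and feature settings and leaves no copy of the corrupt file to examine afterwards. Moving the bad file aside (for example to `CONFIG_LOC + '.corrupt'`) before writing the default would keep that evidence, and `File.write(CONFIG_LOC, DEFAULT_CONFIG)` replaces the `File.new`/`write`/`close` sequence, which leaks the handle if `write` raises. `rescue REXML::ParseException => e` is narrower than `StandardError` and avoids resetting the file on unrelated errors. The warning logs up to 300 characters of the exception text, which for a REXML parse error can quote part of the document; if chocolatey.config holds source credentials or API keys on these hosts, log only the exception class and line number. The heredoc body of `DEFAULT_CONFIG` is empty on this page, so what the fallback enables cannot be reviewed here.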
From: Cedric Van Goethem Date: Wed, 3 Jul 2024 05:23:55 -0700 Subject: [PATCH 179/188] Add splay to sysstat collection Differential Revision: D59322935 fbshipit-source-id: 47688f9b05c3b5f2afebf51b13eff4396b10e7c2 --- cookbooks/fb_sysstat/recipes/cron.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_sysstat/recipes/cron.rb b/cookbooks/fb_sysstat/recipes/cron.rb index e2b2807fc..b55fd917e 100644 --- a/cookbooks/fb_sysstat/recipes/cron.rb +++ b/cookbooks/fb_sysstat/recipes/cron.rb @@ -33,8 +33,9 @@ 'command' => "#{sa_dir}/sa1 -S DISK,SNMP 1 1", }, 'sysstat_accounting_2' => { - 'calendar' => '23:53', + 'calendar' => 'daily', 'command' => "#{sa_dir}/sa2 -A", + 'splay' => '30m', }, }.each do |k, v| node.default['fb_timers']['jobs'][k] = v From 66c88ad781fb673d86f54ebfa7f04b7d58b5b1a3 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Wed, 3 Jul 2024 12:34:13 -0700 Subject: [PATCH 180/188] Shard out disabling running during firstboot (provisioning) Summary: - Let's defer setting up systemd timers till after workload.ready on boxes - These should not be needed for provisioning a new box ready for workload - If there are, we should fix (e.g. explicitly run the timers .service file or command from chef) - Use not_if to shard out and eventually gate all of our infra out of first boot setup of systemd timers - Good for OSS people to do too ... Differential Revision: D59290162 fbshipit-source-id: 52168797949fb4fae5330d301c1b9deb5a0116b4 --- cookbooks/fb_timers/recipes/default.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index 7bd5a14a0..d4d81cc56 100644 --- a/cookbooks/fb_timers/recipes/default.rb +++ b/cookbooks/fb_timers/recipes/default.rb 
@@ -58,4 +58,6 @@ group node.root_group end -fb_timers_setup 'fb_timers system setup' +fb_timers_setup 'fb_timers system setup' do + not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(0) } # __BUMP__ +end From 3a8fcebbe136bfa58a09209dcd285e05a302dd1b Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Fri, 5 Jul 2024 11:21:16 -0700 Subject: [PATCH 181/188] Shard out disabling running during firstboot (provisioning) 1% -> 2% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D59290161 fbshipit-source-id: 2c205a1af8baf40085aa20d79b482efeb98b1d04 --- cookbooks/fb_timers/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index d4d81cc56..bf5d2d3b0 100644 --- a/cookbooks/fb_timers/recipes/default.rb +++ b/cookbooks/fb_timers/recipes/default.rb @@ -59,5 +59,5 @@ end fb_timers_setup 'fb_timers system setup' do - not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(0) } # __BUMP__ + not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(1) } end From 5ed0e3f6d163cd0dbc7bc291da5ddde94bc1c69a Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Mon, 8 Jul 2024 08:55:37 -0700 Subject: [PATCH 182/188] Shard out disabling running during firstboot (provisioning) 2% -> 5% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D59290158 fbshipit-source-id: cd718ff4bd76fca1de79cf072477cce66df7237a --- cookbooks/fb_timers/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index bf5d2d3b0..3e7e8fdd1 100644 --- a/cookbooks/fb_timers/recipes/default.rb +++ b/cookbooks/fb_timers/recipes/default.rb 
@@ -59,5 +59,5 @@ end fb_timers_setup 'fb_timers system setup' do - not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(1) } + not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(4) } end From f26148a4b3739f9b788555c0bc678ce302efc593 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Mon, 8 Jul 2024 12:22:57 -0700 Subject: [PATCH 183/188] Shard out disabling running during firstboot (provisioning) 5% -> 15% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D59290159 fbshipit-source-id: 7ff92a8ee50230f6f8df22b102a93e96d11685ee --- cookbooks/fb_timers/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index 3e7e8fdd1..f1ebc3367 100644 --- a/cookbooks/fb_timers/recipes/default.rb +++ b/cookbooks/fb_timers/recipes/default.rb @@ -59,5 +59,5 @@ end fb_timers_setup 'fb_timers system setup' do - not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(4) } + not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(14) } end From 3e68ebbac3430c8492682fadc8df2d3950896ac3 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Mon, 8 Jul 2024 15:07:26 -0700 Subject: [PATCH 184/188] Shard out disabling running during firstboot (provisioning) 15% -> 25% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D59290160 fbshipit-source-id: 6634fc2395553e8862b708ca57477a54514037cd --- cookbooks/fb_timers/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index f1ebc3367..8da119ffe 100644 --- a/cookbooks/fb_timers/recipes/default.rb +++ b/cookbooks/fb_timers/recipes/default.rb 
@@ -59,5 +59,5 @@ end fb_timers_setup 'fb_timers system setup' do - not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(14) } + not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(24) } end From 24d06efe2b5c7324fff2b75f20850aeb5f1c6b71 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Tue, 9 Jul 2024 09:13:07 -0700 Subject: [PATCH 185/188] Shard out disabling running during firstboot (provisioning) 25% -> 40% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D59290163 fbshipit-source-id: 14c1aa66d18d99f27a1815732f2f6f8f380ac662 --- cookbooks/fb_timers/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index 8da119ffe..fae1ae64f 100644 --- a/cookbooks/fb_timers/recipes/default.rb +++ b/cookbooks/fb_timers/recipes/default.rb @@ -59,5 +59,5 @@ end fb_timers_setup 'fb_timers system setup' do - not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(24) } + not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(39) } end From 6807993b7eddab186b923c7853a3c127cb11223b Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Tue, 9 Jul 2024 13:15:43 -0700 Subject: [PATCH 186/188] Shard out disabling running during firstboot (provisioning) 40% -> 60% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D59290157 fbshipit-source-id: 718d22bbaef2d5aa772f06ba8531c22a78090122 --- cookbooks/fb_timers/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index fae1ae64f..ac99d4b41 100644 --- a/cookbooks/fb_timers/recipes/default.rb +++ b/cookbooks/fb_timers/recipes/default.rb 
@@ -59,5 +59,5 @@ end fb_timers_setup 'fb_timers system setup' do - not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(39) } + not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(59) } end From 16e1e790d5249a0baf92e83ca02edb9579495de2 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Tue, 9 Jul 2024 15:57:06 -0700 Subject: [PATCH 187/188] Shard out disabling running during firstboot (provisioning) 60% -> 80% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D59290156 fbshipit-source-id: e00739ab6754daaa0c45cd3a41142935831da447 --- cookbooks/fb_timers/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index ac99d4b41..82178c5a7 100644 --- a/cookbooks/fb_timers/recipes/default.rb +++ b/cookbooks/fb_timers/recipes/default.rb @@ -59,5 +59,5 @@ end fb_timers_setup 'fb_timers system setup' do - not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(59) } + not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(79) } end From 93b032869079c47e219ff41831f4bce37edbc810 Mon Sep 17 00:00:00 2001 From: Cooper Lees Date: Tue, 9 Jul 2024 18:50:23 -0700 Subject: [PATCH 188/188] Shard out disabling running during firstboot (provisioning) 80% -> 100% Summary: bumpsign This diff was created using http://fburl.com/chefshardbump Differential Revision: D59290155 fbshipit-source-id: fbd2e93fae947c7f4999d527c12642251ac3b5f3 --- cookbooks/fb_timers/README.md | 5 +++++ cookbooks/fb_timers/recipes/default.rb | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/cookbooks/fb_timers/README.md b/cookbooks/fb_timers/README.md index 339a94824..5c363f962 100644 --- a/cookbooks/fb_timers/README.md +++ b/cookbooks/fb_timers/README.md 
@@ -52,6 +52,11 @@ A global attribute `node['fb_timers']['enable_named_slices']` controls whether the timer units that systemd sets up will be bound to an individual slice, versus using `timers.slice` for everything. +This cookbook does not setup timers until `node.firstboot_any_phase?` +phases are complete. This is due to timers not being required to bootstrap +a new system. If you have a lot of timers, this cookbook can eat up a lot of +first boot runtime. + ### Fields Required fields: diff --git a/cookbooks/fb_timers/recipes/default.rb b/cookbooks/fb_timers/recipes/default.rb index 82178c5a7..bd7514b86 100644 --- a/cookbooks/fb_timers/recipes/default.rb +++ b/cookbooks/fb_timers/recipes/default.rb @@ -59,5 +59,5 @@ end fb_timers_setup 'fb_timers system setup' do - not_if { (node.firstboot_os? || node.firstboot_tier?) && node.in_shard?(79) } + not_if { node.firstboot_os? || node.firstboot_tier? } end
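Review bot: The README text added in this commit says timers are not set up until the `node.firstboot_any_phase?` phases are complete, but the guard in recipes/default.rb is `not_if { node.firstboot_os? || node.firstboot_tier? }`. If `firstboot_any_phase?` covers anything beyond those two predicates (its definition is not on this page), the document and the code disagree; either `not_if { node.firstboot_any_phase? }` in the recipe or naming the two predicates in the README would make them match. The README should also state that every job in `node['fb_timers']['jobs']` is absent until the first run after provisioning, so a host that depends on a timer for something like log rotation or certificate renewal runs without it for that window.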