merge upstream v21.0.0

Author: Paas Bot

jobs/limits/monit

@@ -0,0 +1,18 @@
+---
+name: limits
+
+templates:
+  pre-start.sh.erb: bin/pre-start
+
+properties:
+  nofile.soft:
+    description: |
+      Modifies the soft max number of open files. Linux defaults to 1024.
+    example: 16384
+    default: 16384
+  nofile.hard:
+    description: |
+      Modifies the hard max number of open files. Linux defaults to 4096.
+      It needs to be greater or equal to the soft limit
+    example: 16384
+    default: 16384

jobs/limits/spec

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -ex
+
+if pidof systemd >/dev/null 2>&1; then
+  NEW_NOFILE="DefaultLimitNOFILE=<%= p("nofile.soft") %>:<%= p("nofile.hard") %>"
+  LINE=$(grep -nE '^DefaultLimitNOFILE=' /etc/systemd/system.conf | tail -1 | awk -F: '{print $1}')
+  if [[ -n "$LINE" ]]; then
+    sed -i "${LINE}s/.*/$NEW_NOFILE/" /etc/systemd/system.conf
+  else
+    echo "$NEW_NOFILE" >> /etc/systemd/system.conf
+  fi
+  systemctl daemon-reload
+else
+  >&2 echo "Failed to update systemd configuration because systemd is not running"
+fi
+
+pid=$(pgrep monit | awk '{print $1}')
+
+if command -v prlimit >/dev/null 2>&1; then
+  while [[ $pid -gt 1 ]]; do
+    prlimit --pid "$pid" --nofile=<%= p("nofile.soft") %>:<%= p("nofile.hard") %>
+    pid=$(ps -o ppid:1= -p "$pid")
+  done
+else
+  >&2 echo "Failed to set limits because command 'prlimit' is not available"
+fi

jobs/limits/templates/pre-start.sh.erb

@@ -14,6 +14,10 @@ templates:
   limits.conf.erb: etc/limits.conf
 
 properties:
+  limits_systemd_default_nofile:
+    description: |
+      Ubuntu xenial needs this set for systemd.conf, DefaultLimitNOFILE
+      All limits.conf and limit.d settings are ignored.
   limits_conf:
     description: |
       Linux `limits.conf` file https://linux.die.net/man/5/limits.conf'

jobs/limits_not_recommended/spec

@@ -3,3 +3,7 @@
 set -ex
 
 cp -f /var/vcap/jobs/limits_not_recommended/etc/limits.conf /etc/security/limits.d/61-bosh-os-conf.conf
+
+<% if_p("limits_systemd_default_nofile") do | limit_nofile| %>
+echo "DefaultLimitNOFILE=<%= p("limits_systemd_default_nofile") %>" >> /etc/systemd/system.conf
+<% end %>

jobs/limits_not_recommended/templates/pre-start.sh.erb

@@ -19,10 +19,6 @@ set -ex
         raise "User must be configured with a 'name' attribute. '#{user_hash}'"
       end
 
-      if !crypted_password.nil? && !public_key.nil?
-        raise "User: '#{user}' is configured with both 'crypted_password' and 'public_key'. Choose one."
-      end
-
       if crypted_password.nil? && public_key.nil?
         raise "User: '#{user}' must contain one of 'crypted_password' or 'public_key' key/values."
       end
@@ -58,7 +54,9 @@ set -ex
 
   <% if !crypted_password.nil? %>
     echo '<%=user%>:<%=crypted_password%>' | chpasswd -e
-  <% elsif !public_key.nil?  %>
+  <% end %>
+
+  <% if !public_key.nil?  %>
     echo '<%=public_key%>' > ~<%=user%>/.ssh/authorized_keys
     chmod 600 ~<%=user%>/.ssh/authorized_keys
     chown -R <%=user%> ~<%=user%>/.ssh

jobs/user_add/templates/pre-start.sh.erb

@@ -79,6 +79,12 @@ instance_groups:
       limits_conf: |
         * soft nofile 60000
         * hard nofile 100000
+  - name: limits
+    release: os-conf
+    properties:
+      nofile:
+        soft: 60000
+        hard: 100000
   - name: login_banner
     release: os-conf
     properties:
@@ -134,6 +140,11 @@ instance_groups:
         shell: /bin/rbash
       - name: test-user-key
         public_key: test-user-public-key
+      - name: test-user-key-and-password
+        sudo: false
+        crypted_password: $6$kMBogqsbx$70Y2m/mwYR8vKZqR9RD2UUPoWz8mJoBiH8IAbvH2v6LCjxJgB3kDtwR8QttqtI/WSqCsFy4qXZaKPM64sZMwK.
+        shell: /bin/rbash
+        public_key: test-user-public-key
   vm_type: default
   stemcell: default
   networks:

src/os-conf-acceptance-tests/assets/manifest.yml

@@ -0,0 +1,50 @@
+package os_conf_acceptance_tests_test
+
+import (
+	"time"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/gbytes"
+	"github.com/onsi/gomega/gexec"
+)
+
+var _ = Describe("Limits", func() {
+	BeforeEach(func() {
+		if boshStemcell == "ubuntu-trusty" {
+			Skip("Trusty Stemcells are not supported.")
+		}
+	})
+
+	Context("when limits are configured", func() {
+		It("sets the limits for the monit process", func() {
+			session := boshSSH("os-conf/0", "pid=$(ps -e | grep monit | awk '{print $1}'); cat /proc/$pid/limits | grep 'Max open files' | awk '{print $4}'")
+			Eventually(session, 30*time.Second).Should(gbytes.Say("60000"))
+			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
+
+			session = boshSSH("os-conf/0", "pid=$(ps -e | grep monit | awk '{print $1}'); cat /proc/$pid/limits | grep 'Max open files' | awk '{print $5}'")
+			Eventually(session, 30*time.Second).Should(gbytes.Say("100000"))
+			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
+		})
+
+		It("sets the limits for the parent process", func() {
+			session := boshSSH("os-conf/0", "pid=$(ps -e | grep monit | awk '{print $1}'); pid_parent=$(ps -o ppid:1= -p $pid); cat /proc/$pid_parent/limits | grep 'Max open files' | awk '{print $4}'")
+			Eventually(session, 30*time.Second).Should(gbytes.Say("60000"))
+			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
+
+			session = boshSSH("os-conf/0", "pid=$(ps -e | grep monit | awk '{print $1}'); pid_parent=$(ps -o ppid:1= -p $pid); cat /proc/$pid_parent/limits | grep 'Max open files' | awk '{print $5}'")
+			Eventually(session, 30*time.Second).Should(gbytes.Say("100000"))
+			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
+		})
+
+		It("sets the limits for the systemd process", func() {
+			session := boshSSH("os-conf/0", "systemctl show | grep 'DefaultLimitNOFILESoft=' | awk -F= '{print $2}'")
+			Eventually(session, 30*time.Second).Should(gbytes.Say("60000"))
+			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
+
+			session = boshSSH("os-conf/0", "systemctl show | grep 'DefaultLimitNOFILE=' | awk -F= '{print $2}'")
+			Eventually(session, 30*time.Second).Should(gbytes.Say("100000"))
+			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
+		})
+	})
+})

src/os-conf-acceptance-tests/limits_test.go

@@ -15,13 +15,15 @@ var _ = Describe("UserAdd", func() {
 			session := boshSSH("os-conf/0", "sudo cat /etc/passwd")
 			Eventually(session, 30*time.Second).Should(gbytes.Say(`test-user-password:x:\d+:\d+::/home/test-user-password:/bin/rbash`))
 			Eventually(session, 30*time.Second).Should(gbytes.Say(`test-user-key:x:\d+:\d+::/home/test-user-key:/bin/bash`))
+			Eventually(session, 30*time.Second).Should(gbytes.Say(`test-user-key-and-password:x:\d+:\d+::/home/test-user-key-and-password:/bin/rbash`))
 			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
 		})
 
 		By("adding a password for the password user", func() {
 			session := boshSSH("os-conf/0", "sudo cat /etc/shadow")
 			Eventually(session, 30*time.Second).Should(gbytes.Say(`test-user-password:\$6\$kMBogqsbx\$70Y2m/mwYR8vKZqR9RD2UUPoWz8mJoBiH8IAbvH2v6LCjxJgB3kDtwR8QttqtI/WSqCsFy4qXZaKPM64sZMwK\.:\d+:1:99999:7:::`))
 			Eventually(session, 30*time.Second).Should(gbytes.Say(`test-user-key::\d+:1:99999:7:::`))
+			Eventually(session, 30*time.Second).Should(gbytes.Say(`test-user-key-and-password:\$6\$kMBogqsbx\$70Y2m/mwYR8vKZqR9RD2UUPoWz8mJoBiH8IAbvH2v6LCjxJgB3kDtwR8QttqtI/WSqCsFy4qXZaKPM64sZMwK\.:\d+:1:99999:7:::`))
 			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
 		})
 
@@ -35,6 +37,12 @@ var _ = Describe("UserAdd", func() {
 			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
 		})
 
+		By("adding an authorized key for the key-and-password user", func() {
+			session := boshSSH("os-conf/0", "sudo cat /home/test-user-key-and-password/.ssh/authorized_keys")
+			Eventually(session, 30*time.Second).Should(gbytes.Say("test-user-public-key"))
+			Eventually(session, 30*time.Second).Should(gexec.Exit(0))
+		})
+
 		By("adding them to the bosh_sshers group", func() {
 			session := boshSSH("os-conf/0", "sudo grep bosh_sshers /etc/group")
 			Eventually(session, 30*time.Second).Should(gbytes.Say("test-user-password,test-user-key"))