Merge pull request #482 from cirrax/dev_journal

bastelfreak · web-flow · commit 1fc5d99e2aec · 2024-11-12T09:42:11.000+01:00
add support for journal upload and remote server
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -15,6 +15,8 @@
 
 * `systemd::coredump`: This class manages the systemd-coredump configuration.
 * `systemd::install`: Install any systemd sub packages
+* `systemd::journal_remote`: This class manages and configures journal-remote.
+* `systemd::journal_upload`: This class manages and configures journal-upload.
 * `systemd::journald`: This class manages and configures journald.
 * `systemd::logind`: This class manages systemd's login manager configuration.
 * `systemd::machine_info`: This class manages systemd's machine-info file (hostnamectl)
@@ -60,6 +62,8 @@
 * [`Systemd::Capabilities`](#Systemd--Capabilities): Defines allowed capabilities
 * [`Systemd::CoredumpSettings`](#Systemd--CoredumpSettings): Configurations for coredump.conf
 * [`Systemd::Dropin`](#Systemd--Dropin): custom datatype that validates filenames/paths for valid systemd dropin files
+* [`Systemd::JournalRemoteSettings`](#Systemd--JournalRemoteSettings): matches Systemd journal remote config Struct
+* [`Systemd::JournalUploadSettings`](#Systemd--JournalUploadSettings): matches Systemd journal upload config Struct
 * [`Systemd::JournaldSettings`](#Systemd--JournaldSettings): Matches Systemd journald config Struct
 * [`Systemd::JournaldSettings::Ensure`](#Systemd--JournaldSettings--Ensure): defines allowed ensure states for systemd-journald settings
 * [`Systemd::LogLevel`](#Systemd--LogLevel): Defines allowed log levels
@@ -136,6 +140,10 @@ The following parameters are available in the `systemd` class:
 * [`set_local_rtc`](#-systemd--set_local_rtc)
 * [`manage_journald`](#-systemd--manage_journald)
 * [`journald_settings`](#-systemd--journald_settings)
+* [`manage_journal_upload`](#-systemd--manage_journal_upload)
+* [`journal_upload_settings`](#-systemd--journal_upload_settings)
+* [`manage_journal_remote`](#-systemd--manage_journal_remote)
+* [`journal_remote_settings`](#-systemd--journal_remote_settings)
 * [`manage_udevd`](#-systemd--manage_udevd)
 * [`udev_log`](#-systemd--udev_log)
 * [`udev_children_max`](#-systemd--udev_children_max)
@@ -475,6 +483,38 @@ Config Hash that is used to configure settings in journald.conf
 
 Default value: `{}`
 
+##### <a name="-systemd--manage_journal_upload"></a>`manage_journal_upload`
+
+Data type: `Boolean`
+
+Manage the systemd journal upload to a remote server
+
+Default value: `false`
+
+##### <a name="-systemd--journal_upload_settings"></a>`journal_upload_settings`
+
+Data type: `Systemd::JournalUploadSettings`
+
+Config Hash that is used to configure settings in journal-upload.conf
+
+Default value: `{}`
+
+##### <a name="-systemd--manage_journal_remote"></a>`manage_journal_remote`
+
+Data type: `Boolean`
+
+Manage the systemd journal remote server used to upload journals
+
+Default value: `false`
+
+##### <a name="-systemd--journal_remote_settings"></a>`journal_remote_settings`
+
+Data type: `Systemd::JournalRemoteSettings`
+
+Config Hash that is used to configure settings in journal-remote.conf
+
+Default value: `{}`
+
 ##### <a name="-systemd--manage_udevd"></a>`manage_udevd`
 
 Data type: `Boolean`
@@ -2690,6 +2730,42 @@ custom datatype that validates filenames/paths for valid systemd dropin files
 
 Alias of `Pattern['^[^/]+\.conf$']`
 
+### <a name="Systemd--JournalRemoteSettings"></a>`Systemd::JournalRemoteSettings`
+
+matches Systemd journal remote config Struct
+
+Alias of
+
+```puppet
+Struct[{
+    Optional['Seal']                   => Variant[Enum['yes','no'],Systemd::JournaldSettings::Ensure],
+    Optional['SplitMode']              => Variant[Enum['host','none'],Systemd::JournaldSettings::Ensure],
+    Optional['ServerKeyFile']          => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['ServerCertificateFile']  => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['TrustedCertificateFile'] => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['MaxUse']                 => Variant[Systemd::Unit::Amount,Systemd::JournaldSettings::Ensure],
+    Optional['KeepFree']               => Variant[Systemd::Unit::Amount,Systemd::JournaldSettings::Ensure],
+    Optional['MaxFileSize']            => Variant[Systemd::Unit::Amount,Systemd::JournaldSettings::Ensure],
+    Optional['MaxFiles']               => Variant[Integer,Systemd::JournaldSettings::Ensure],
+  }]
+```
+
+### <a name="Systemd--JournalUploadSettings"></a>`Systemd::JournalUploadSettings`
+
+matches Systemd journal upload config Struct
+
+Alias of
+
+```puppet
+Struct[{
+    Optional['URL']                    => Variant[Stdlib::HTTPUrl,Systemd::JournaldSettings::Ensure],
+    Optional['ServerKeyFile']          => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['ServerCertificateFile']  => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['TrustedCertificateFile'] => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['NetworkTimeoutSec']      => Variant[Systemd::Unit::Timespan,Systemd::JournaldSettings::Ensure],
+  }]
+```
+
 ### <a name="Systemd--JournaldSettings"></a>`Systemd::JournaldSettings`
 
 Matches Systemd journald config Struct
diff --git a/data/Debian-family.yaml b/data/Debian-family.yaml
@@ -1,2 +1,4 @@
 ---
 systemd::nspawn_package: 'systemd-container'
+systemd::journal_upload::package_name: 'systemd-journal-remote'
+systemd::journal_remote::package_name: 'systemd-journal-remote'
diff --git a/data/RedHat-family.yaml b/data/RedHat-family.yaml
@@ -2,3 +2,5 @@
 systemd::networkd_package: systemd-networkd
 systemd::nspawn_package: 'systemd-container'
 systemd::resolved_package: 'systemd-resolved'
+systemd::journal_upload::package_name: 'systemd-journal-remote'
+systemd::journal_remote::package_name: 'systemd-journal-remote'
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -132,6 +132,18 @@
 # @param journald_settings
 #   Config Hash that is used to configure settings in journald.conf
 #
+# @param manage_journal_upload
+#   Manage the systemd journal upload to a remote server
+#
+# @param journal_upload_settings
+#   Config Hash that is used to configure settings in journal-upload.conf
+#
+# @param manage_journal_remote
+#   Manage the systemd journal remote server used to upload journals
+#
+# @param journal_remote_settings
+#   Config Hash that is used to configure settings in journal-remote.conf
+#
 # @param manage_udevd
 #   Manage the systemd udev daemon
 #
@@ -275,6 +287,10 @@
   Boolean                                             $purge_dropin_dirs = true,
   Boolean                                             $manage_journald = true,
   Systemd::JournaldSettings                           $journald_settings = {},
+  Boolean                                             $manage_journal_upload = false,
+  Systemd::JournalUploadSettings                      $journal_upload_settings = {},
+  Boolean                                             $manage_journal_remote = false,
+  Systemd::JournalRemoteSettings                      $journal_remote_settings = {},
   Systemd::MachineInfoSettings                        $machine_info_settings = {},
   Boolean                                             $manage_udevd = false,
   Optional[Variant[Integer,String]]                   $udev_log = undef,
@@ -383,6 +399,14 @@
     contain systemd::journald
   }
 
+  if $manage_journal_upload {
+    contain systemd::journal_upload
+  }
+
+  if $manage_journal_remote {
+    contain systemd::journal_remote
+  }
+
   if $manage_logind {
     contain systemd::logind
   }
diff --git a/manifests/journal_remote.pp b/manifests/journal_remote.pp
@@ -0,0 +1,38 @@
+# @api private
+# @summary This class manages and configures journal-remote.
+# @see https://www.freedesktop.org/software/systemd/man/journal-remote.conf.html
+#
+# @param package_name
+#  name of the package to install for the functionality
+#
+class systemd::journal_remote (
+  Optional[String[1]] $package_name = undef,
+) {
+  assert_private()
+
+  if $package_name {
+    stdlib::ensure_packages($package_name)
+  }
+
+  service { 'systemd-journal-remote':
+    ensure => running,
+    enable => true,
+  }
+  $systemd::journal_remote_settings.each |$option, $value| {
+    ini_setting { "journal-remote_${option}":
+      path    => '/etc/systemd/journal-remote.conf',
+      section => 'Remote',
+      setting => $option,
+      notify  => Service['systemd-journal-remote'],
+    }
+    if $value =~ Systemd::JournaldSettings::Ensure {
+      Ini_setting["journal-remote_${option}"] {
+        * => $value,
+      }
+    } else {
+      Ini_setting["journal-remote_${option}"] {
+        value   => $value,
+      }
+    }
+  }
+}
diff --git a/manifests/journal_upload.pp b/manifests/journal_upload.pp
@@ -0,0 +1,46 @@
+# @api private
+# @summary This class manages and configures journal-upload.
+# @see https://www.freedesktop.org/software/systemd/man/journald.conf.html
+#
+# @param package_name
+#  name of the package to install for the functionality
+#
+# @param service_ensure
+#  what we ensure for the service
+#
+# @param service_enable
+#  to enable the service
+#
+class systemd::journal_upload (
+  Optional[String[1]]       $package_name   = undef,
+  Enum['running','stopped'] $service_ensure = 'running',
+  Boolean                   $service_enable = true,
+) {
+  assert_private()
+
+  if $package_name {
+    stdlib::ensure_packages($package_name)
+  }
+
+  service { 'systemd-journal-upload':
+    ensure => $service_ensure,
+    enable => $service_enable,
+  }
+  $systemd::journal_upload_settings.each |$option, $value| {
+    ini_setting { "journal-upload_${option}":
+      path    => '/etc/systemd/journal-upload.conf',
+      section => 'Upload',
+      setting => $option,
+      notify  => Service['systemd-journal-upload'],
+    }
+    if $value =~ Systemd::JournaldSettings::Ensure {
+      Ini_setting["journal-upload_${option}"] {
+        * => $value,
+      }
+    } else {
+      Ini_setting["journal-upload_${option}"] {
+        value   => $value,
+      }
+    }
+  }
+}
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -675,6 +675,101 @@
           it { is_expected.not_to contain_service('systemd-journald') }
         end
 
+        context 'when journal-upload and journal-remote is enabled' do
+          let(:params) do
+            {
+              manage_journal_upload: true,
+              journal_upload_settings: {
+                'URL' => 'https://central.server:19532',
+                'ServerKeyFile' => '/tmp/key-upload.pem',
+                'ServerCertificateFile' => {
+                  'ensure' => 'absent',
+                },
+                'TrustedCertificateFile' => '/tmp/cert-upload.pem',
+              },
+              manage_journal_remote: true,
+              journal_remote_settings: {
+                'SplitMode' => 'host',
+                'ServerKeyFile' => '/tmp/key-remote.pem',
+                'ServerCertificateFile' => '/tmp/cert-remote.pem',
+                'TrustedCertificateFile' => {
+                  'ensure' => 'absent',
+                },
+              },
+            }
+          end
+
+          it { is_expected.to compile.with_all_deps }
+
+          it {
+            is_expected.to contain_service('systemd-journal-upload').with(
+              ensure: 'running',
+              enable: true
+            )
+          }
+
+          it {
+            is_expected.to contain_service('systemd-journal-remote').with(
+              ensure: 'running'
+            )
+          }
+
+          it { is_expected.to have_ini_setting_resource_count(8) }
+
+          it {
+            expect(subject).to contain_ini_setting('journal-upload_TrustedCertificateFile').with(
+              path: '/etc/systemd/journal-upload.conf',
+              section: 'Upload',
+              setting: 'TrustedCertificateFile',
+              notify: 'Service[systemd-journal-upload]',
+              value: '/tmp/cert-upload.pem'
+            )
+          }
+
+          it {
+            expect(subject).to contain_ini_setting('journal-remote_TrustedCertificateFile').with(
+              path: '/etc/systemd/journal-remote.conf',
+              section: 'Remote',
+              setting: 'TrustedCertificateFile',
+              notify: 'Service[systemd-journal-remote]',
+              ensure: 'absent'
+            )
+          }
+
+          it {
+            expect(subject).to contain_ini_setting('journal-upload_ServerCertificateFile').with(
+              path: '/etc/systemd/journal-upload.conf',
+              section: 'Upload',
+              setting: 'ServerCertificateFile',
+              notify: 'Service[systemd-journal-upload]',
+              ensure: 'absent'
+            )
+          }
+
+          it {
+            expect(subject).to contain_ini_setting('journal-remote_ServerCertificateFile').with(
+              path: '/etc/systemd/journal-remote.conf',
+              section: 'Remote',
+              setting: 'ServerCertificateFile',
+              notify: 'Service[systemd-journal-remote]',
+              value: '/tmp/cert-remote.pem'
+            )
+          }
+        end
+
+        context 'when journal-upload/journal-remote is not enabled' do
+          let(:params) do
+            {
+              manage_journal_upload: false,
+              manage_journal_remote: false,
+            }
+          end
+
+          it { is_expected.to compile.with_all_deps }
+          it { is_expected.not_to contain_service('systemd-journal-upload') }
+          it { is_expected.not_to contain_service('systemd-journal-remote') }
+        end
+
         context 'when disabling udevd management' do
           let(:params) do
             {
diff --git a/types/journalremotesettings.pp b/types/journalremotesettings.pp
@@ -0,0 +1,16 @@
+# @summary matches Systemd journal remote config Struct
+type Systemd::JournalRemoteSettings = Struct[
+  # lint:ignore:140chars
+  {
+    Optional['Seal']                   => Variant[Enum['yes','no'],Systemd::JournaldSettings::Ensure],
+    Optional['SplitMode']              => Variant[Enum['host','none'],Systemd::JournaldSettings::Ensure],
+    Optional['ServerKeyFile']          => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['ServerCertificateFile']  => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['TrustedCertificateFile'] => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['MaxUse']                 => Variant[Systemd::Unit::Amount,Systemd::JournaldSettings::Ensure],
+    Optional['KeepFree']               => Variant[Systemd::Unit::Amount,Systemd::JournaldSettings::Ensure],
+    Optional['MaxFileSize']            => Variant[Systemd::Unit::Amount,Systemd::JournaldSettings::Ensure],
+    Optional['MaxFiles']               => Variant[Integer,Systemd::JournaldSettings::Ensure],
+  }
+  # lint:endignore
+]
diff --git a/types/journaluploadsettings.pp b/types/journaluploadsettings.pp
@@ -0,0 +1,12 @@
+# @summary matches Systemd journal upload config Struct
+type Systemd::JournalUploadSettings = Struct[
+  # lint:ignore:140chars
+  {
+    Optional['URL']                    => Variant[Stdlib::HTTPUrl,Systemd::JournaldSettings::Ensure],
+    Optional['ServerKeyFile']          => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['ServerCertificateFile']  => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['TrustedCertificateFile'] => Variant[Stdlib::Unixpath,Systemd::JournaldSettings::Ensure],
+    Optional['NetworkTimeoutSec']      => Variant[Systemd::Unit::Timespan,Systemd::JournaldSettings::Ensure],
+  }
+  # lint:endignore
+]
