debian: Package ulimits and sudo rules

wido · wido · commit 41e3db39c3bc · 2013-03-14T15:55:32.000+01:00
The old packages used to write this data to the configuration
in a postinst file.

That was horrible to track since system administrators had no
idea what was going on.
diff --git a/debian/cloudstack-management.install b/debian/cloudstack-management.install
@@ -5,9 +5,9 @@
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
-# 
+#
 #   http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@@ -18,6 +18,8 @@
 /etc/cloudstack/server/*
 /etc/cloudstack/management/*
 /etc/init.d/cloudstack-management
+/etc/security/limits.d/cloudstack-limits.conf
+/etc/sudoers.d/cloudstack
 /var/cache/cloudstack/management
 /var/cache/cloudstack/management/work
 /var/cache/cloudstack/management/temp
diff --git a/debian/rules b/debian/rules
@@ -38,12 +38,12 @@ build-indep-stamp: configure
         -Dcs.replace.properties=replace.properties.tmp
 	touch $@
 
-clean: 
+clean:
 	dh_testdir
 	dh_testroot
 	rm -f build-arch-stamp build-indep-stamp configure-stamp
 	rm -f replace.properties.tmp
-	dh_clean 
+	dh_clean
 
 install:
 	dh_testdir
@@ -75,6 +75,8 @@ install:
 	# cloudstack-management
 	mkdir $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server
 	mkdir $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/management
+	mkdir -p $(DESTDIR)/$(SYSCONFDIR)/security/limits.d/
+	mkdir -p $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/
 	mkdir -p $(DESTDIR)/usr/share/$(PACKAGE)-management
 	mkdir -p $(DESTDIR)/usr/share/$(PACKAGE)-management/webapps/client
 	mkdir $(DESTDIR)/usr/share/$(PACKAGE)-management/setup
@@ -89,6 +91,12 @@ install:
 	cp -r client/target/cloud-client-ui-$(VERSION)-SNAPSHOT/* $(DESTDIR)/usr/share/$(PACKAGE)-management/webapps/client/
 	cp server/target/conf/* $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server/
 	cp client/target/conf/* $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/management/
+
+	# nast hack for a couple of configuration files
+	mv $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server/cloudstack-limits.conf $(DESTDIR)/$(SYSCONFDIR)/security/limits.d/
+	mv $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server/cloudstack-sudoers $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/cloudstack
+	chmod 0440 $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/cloudstack
+
 	ln -s tomcat6-nonssl.conf $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/management/tomcat6.conf
 	mkdir -p $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/management/Catalina/localhost/client
 	install -D packaging/debian/init/cloud-management $(DESTDIR)/$(SYSCONFDIR)/init.d/$(PACKAGE)-management
diff --git a/server/conf/cloudstack-limits.conf.in b/server/conf/cloudstack-limits.conf.in
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Specific limits for the CloudStack management server which
+# runs under the user 'cloud' by default
+@MSUSER hard nofile 4096
+@MSUSER soft nofile 4096
diff --git a/server/conf/cloudstack-sudoers.in b/server/conf/cloudstack-sudoers.in
@@ -0,0 +1,22 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# The CloudStack management server needs sudo permissions
+# without a password.
+
+@MSUSER ALL =NOPASSWD : ALL
+
