ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-12 13:40:31 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

pam_limits: add support nice and priority limits (#654)

Browse source
This commit is contained in:
Abhijeet Kasurde 2021-01-01 16:15:02 +05:30 committed by GitHub
parent ed813176ce
commit 1c53894920
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 54 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/47680_pam_limits.yml Normal file
View file

@ -0,0 +1,2 @@
minor_changes:
- pam_limits - add support for nice and priority limits (https://github.com/ansible/ansible/pull/47680).

84
plugins/modules/system/pam_limits.py
View file

@ -1,39 +1,38 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# (c) 2014, Sebastien Rohaut <sebastien.rohaut@gmail.com> # Copyright: (c) 2014, Sebastien Rohaut <sebastien.rohaut@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r'''
--- ---
module: pam_limits module: pam_limits
author: author:
- "Sebastien Rohaut (@usawa)" - "Sebastien Rohaut (@usawa)"
short_description: Modify Linux PAM limits short_description: Modify Linux PAM limits
description: description:
- The C(pam_limits) module modifies PAM limits. The default file is - The C(pam_limits) module modifies PAM limits.
C(/etc/security/limits.conf). For the full documentation, see C(man 5 - The default file is C(/etc/security/limits.conf).
limits.conf). - For the full documentation, see C(man 5 limits.conf).
options: options:
domain: domain:
type: str type: str
description: description:
- A username, @groupname, wildcard, uid/gid range. - A username, @groupname, wildcard, UID/GID range.
required: true required: true
limit_type: limit_type:
type: str type: str
description: description:
- Limit type, see C(man 5 limits.conf) for an explanation - Limit type, see C(man 5 limits.conf) for an explanation.
required: true required: true
choices: [ "hard", "soft", "-" ] choices: [ "hard", "soft", "-" ]
limit_item: limit_item:
type: str type: str
description: description:
- The limit to be set - The limit to be set.
required: true required: true
choices: choices:
- "core" - "core"
@ -59,6 +58,9 @@ options:
type: str type: str
description: description:
- The value of the limit. - The value of the limit.
- Value must either be C(unlimited), C(infinity) or C(-1), all of which indicate no limit, or a limit of 0 or larger.
- Value must be a number in the range -20 to 19 inclusive, if I(limit_item) is set to C(nice) or C(priority).
- Refer to the C(man 5 limits.conf) manual pages for more details.
required: true required: true
backup: backup:
description: description:
@ -70,16 +72,16 @@ options:
use_min: use_min:
description: description:
- If set to C(yes), the minimal value will be used or conserved. - If set to C(yes), the minimal value will be used or conserved.
If the specified value is inferior to the value in the file, file content is replaced with the new value, - If the specified value is inferior to the value in the file,
else content is not modified. file content is replaced with the new value, else content is not modified.
required: false required: false
type: bool type: bool
default: "no" default: "no"
use_max: use_max:
description: description:
- If set to C(yes), the maximal value will be used or conserved. - If set to C(yes), the maximal value will be used or conserved.
If the specified value is superior to the value in the file, file content is replaced with the new value, - If the specified value is superior to the value in the file,
else content is not modified. file content is replaced with the new value, else content is not modified.
required: false required: false
type: bool type: bool
default: "no" default: "no"
@ -96,10 +98,10 @@ options:
required: false required: false
default: '' default: ''
notes: notes:
- If C(dest) file doesn't exist, it is created. - If I(dest) file does not exist, it is created.
''' '''
EXAMPLES = ''' EXAMPLES = r'''
- name: Add or modify nofile soft limit for the user joe - name: Add or modify nofile soft limit for the user joe
community.general.pam_limits: community.general.pam_limits:
domain: joe domain: joe
@ -107,7 +109,7 @@ EXAMPLES = '''
limit_item: nofile limit_item: nofile
value: 64000 value: 64000
- name: Add or modify fsize hard limit for the user smith. Keep or set the maximal value. - name: Add or modify fsize hard limit for the user smith. Keep or set the maximal value
community.general.pam_limits: community.general.pam_limits:
domain: smith domain: smith
limit_type: hard limit_type: hard
@ -115,7 +117,7 @@ EXAMPLES = '''
value: 1000000 value: 1000000
use_max: yes use_max: yes
- name: Add or modify memlock, both soft and hard, limit for the user james with a comment. - name: Add or modify memlock, both soft and hard, limit for the user james with a comment
community.general.pam_limits: community.general.pam_limits:
domain: james domain: james
limit_type: '-' limit_type: '-'
@ -132,7 +134,6 @@ EXAMPLES = '''
''' '''
import os import os
import os.path
import tempfile import tempfile
import re import re
@ -140,6 +141,21 @@ from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_native from ansible.module_utils._text import to_native
def _assert_is_valid_value(module, item, value, prefix=''):
if item in ['nice', 'priority']:
try:
valid = -20 <= int(value) <= 19
except ValueError:
valid = False
if not valid:
module.fail_json(msg="%s Value of %r for item %r is invalid. Value must be a number in the range -20 to 19 inclusive. "
"Refer to the limits.conf(5) manual pages for more details." % (prefix, value, item))
elif not (value in ['unlimited', 'infinity', '-1'] or value.isdigit()):
module.fail_json(msg="%s Value of %r for item %r is invalid. Value must either be 'unlimited', 'infinity' or -1, all of "
"which indicate no limit, or a limit of 0 or larger. Refer to the limits.conf(5) manual pages for "
"more details." % (prefix, value, item))
def main(): def main():
pam_items = ['core', 'data', 'fsize', 'memlock', 'nofile', 'rss', 'stack', 'cpu', 'nproc', 'as', 'maxlogins', 'maxsyslogins', 'priority', 'locks', pam_items = ['core', 'data', 'fsize', 'memlock', 'nofile', 'rss', 'stack', 'cpu', 'nproc', 'as', 'maxlogins', 'maxsyslogins', 'priority', 'locks',
'sigpending', 'msgqueue', 'nice', 'rtprio', 'chroot'] 'sigpending', 'msgqueue', 'nice', 'rtprio', 'chroot']
@ -189,8 +205,7 @@ def main():
if use_max and use_min: if use_max and use_min:
module.fail_json(msg="Cannot use use_min and use_max at the same time.") module.fail_json(msg="Cannot use use_min and use_max at the same time.")
if not (value in ['unlimited', 'infinity', '-1'] or value.isdigit()): _assert_is_valid_value(module, limit_item, value)
module.fail_json(msg="Argument 'value' can be one of 'unlimited', 'infinity', '-1' or positive number. Refer to manual pages for more details.")
# Backup # Backup
if backup: if backup:
@ -240,8 +255,8 @@ def main():
line_item = line_fields[2] line_item = line_fields[2]
actual_value = line_fields[3] actual_value = line_fields[3]
if not (actual_value in ['unlimited', 'infinity', '-1'] or actual_value.isdigit()): _assert_is_valid_value(module, line_item, actual_value,
module.fail_json(msg="Invalid configuration of '%s'. Current value of %s is unsupported." % (limits_conf, line_item)) prefix="Invalid configuration found in '%s'." % limits_conf)
# Found the line # Found the line
if line_domain == domain and line_type == limit_type and line_item == limit_item: if line_domain == domain and line_type == limit_type and line_item == limit_item:
@ -251,24 +266,29 @@ def main():
nf.write(line) nf.write(line)
continue continue
actual_value_unlimited = actual_value in ['unlimited', 'infinity', '-1'] if line_type not in ['nice', 'priority']:
value_unlimited = value in ['unlimited', 'infinity', '-1'] actual_value_unlimited = actual_value in ['unlimited', 'infinity', '-1']
value_unlimited = value in ['unlimited', 'infinity', '-1']
else:
actual_value_unlimited = value_unlimited = False
if use_max: if use_max:
if value.isdigit() and actual_value.isdigit(): if actual_value_unlimited:
new_value = str(max(int(value), int(actual_value)))
elif actual_value_unlimited:
new_value = actual_value new_value = actual_value
else: elif value_unlimited:
new_value = value new_value = value
else:
new_value = str(max(int(value), int(actual_value)))
if use_min: if use_min:
if value.isdigit() and actual_value.isdigit(): if actual_value_unlimited and value_unlimited:
new_value = str(min(int(value), int(actual_value))) new_value = actual_value
elif actual_value_unlimited:
new_value = value
elif value_unlimited: elif value_unlimited:
new_value = actual_value new_value = actual_value
else: else:
new_value = value new_value = str(min(int(value), int(actual_value)))
# Change line only if value has changed # Change line only if value has changed
if new_value != actual_value: if new_value != actual_value: