feat(networkd): allow configuration of file attributes

Allow to configure user/group/mode of networkd configuration files to set e.g. systemd-networkd or a specific mode for sensitive configuration.

feat(networkd): allow configuration of file attributes
34dd64b6 · Tobias Jungel · f4be1ed2 · 34dd64b6 · 34dd64b6 · 34dd64b6
Commit 34dd64b6 authored 4 years ago by Tobias Jungel
--- a/pillar.example
+++ b/pillar.example
@@ -121,12 +121,17 @@ systemd:

  ## networkd
  networkd:
+    fileattr:
+      br0.network:
+        user: systemd-network
+        group: systemd-network
+        mode: "0600"
    profiles:
      network:
-        # eth0.network
-        eth0:
+        # br0.network
+        br0:
          - Match:
-              - Name: eth0
+              - Name: br0
          - Network:
              - DHCP: "yes"


--- a/systemd/defaults.yaml
+++ b/systemd/defaults.yaml
@@ -22,6 +22,7 @@ systemd:
    # networkctl reload is available since systemd 244
    networkctl_reload: false
    pkg: {}
+    fileattr: {}
    path: /etc/systemd/network
    service: systemd-networkd
    wait_online: true

--- a/systemd/networkd/profiles.sls
+++ b/systemd/networkd/profiles.sls
@@ -10,21 +10,33 @@ include:
  - systemd.networkd.reload
 {%- endif %}

-{% if profiles is mapping %}
-{% for networkdprofile, types in profiles.items()  %}
-  {% for profile, profileconfig in types.items() %}
+{%- if profiles is mapping %}

-/etc/systemd/network/{{ profile }}.{{ networkdprofile }}:
-  file.managed:
-    - template: jinja
-    - source: salt://systemd/networkd/templates/profile.jinja
+/etc/systemd/network:
+  file.directory:
    - user: root
    - group: root
-    - mode: '0644'
    - makedirs: true
    - dir_mode: 755
+
+{%- for networkdprofile, types in profiles.items()  %}
+  {%- for profile, profileconfig in types.items() %}
+  {%- set filename = profile ~ "." ~ networkdprofile %}
+  {%- set user = networkd.fileattr.get(filename, {}).user | default("root") %}
+  {%- set group = networkd.fileattr.get(filename, {}).group | default("root") %}
+  {%- set mode = networkd.fileattr.get(filename, {}).mode | default("0644") %}
+
+/etc/systemd/network/{{ filename }}:
+  file.managed:
+    - template: jinja
+    - source: salt://systemd/networkd/templates/profile.jinja
+    - user: {{ user }}
+    - group: {{ group }}
+    - mode: {{ mode }}
    - context:
        config: {{ profileconfig|json }}
+    - require:
+      - file: /etc/systemd/network
 {%- if networkd.networkctl_reload %}
    - watch_in:
      - cmd: systemd-networkd-reload-cmd-wait

--- a/test/integration/default/controls/networkd_spec.rb
+++ b/test/integration/default/controls/networkd_spec.rb
@@ -14,11 +14,11 @@ control 'Systemd Networkd' do
    it { should_not exist }
  end

-  describe file('/etc/systemd/network/eth0.network') do
+  describe file('/etc/systemd/network/br0.network') do
    its('type') { should eq :file }
-    its('mode') { should cmp '0644' }
-    its('owner') { should eq 'root' }
-    its('group') { should eq 'root' }
+    its('mode') { should cmp '0600' }
+    its('owner') { should eq 'systemd-network' }
+    its('group') { should eq 'systemd-network' }
  end

  describe file('/etc/systemd/network/br0.netdev') do