Merge pull request #863 from puppetlabs/maint-codebase-hardening

(maint) Hardening manifests and tasks

Author: david22swan

manifests/compose.pp

@@ -71,8 +71,6 @@
     }
 
     if $facts['os']['family'] == 'windows' {
-      $docker_download_command = "if (Invoke-WebRequest ${docker_compose_url} ${proxy_opt} -UseBasicParsing -OutFile \"${docker_compose_location_versioned}\") { exit 0 } else { exit 1}" # lint:ignore:140chars
-
       exec { "Install Docker Compose ${version}":
         command  => template('docker/windows/download_docker_compose.ps1.erb'),
         provider => powershell,
@@ -89,10 +87,11 @@
         ensure_packages(['curl'])
       }
 
+      $compose_install = "curl -s -S -L ${proxy_opt} ${docker_compose_url} -o ${docker_compose_location_versioned}"
       exec { "Install Docker Compose ${version}":
         path    => '/usr/bin/',
         cwd     => '/tmp',
-        command => "curl -s -S -L ${proxy_opt} ${docker_compose_url} -o ${docker_compose_location_versioned}",
+        command => $compose_install,
         creates => $docker_compose_location_versioned,
         require => Package['curl'],
       }

manifests/machine.pp

@@ -56,8 +56,6 @@
     }
 
     if $facts['os']['family'] == 'windows' {
-      $docker_download_command = "if (Invoke-WebRequest ${docker_machine_url} ${proxy_opt} -UseBasicParsing -OutFile \"${docker_machine_location_versioned}\") { exit 0 } else { exit 1}" # lint:ignore:140chars
-
       exec { "Install Docker Machine ${version}":
         command  => template('docker/windows/download_docker_machine.ps1.erb'),
         provider => powershell,
@@ -74,10 +72,11 @@
         ensure_packages(['curl'])
       }
 
+      $install_command = ['curl', '-s', '-S', '-L', $proxy_opt, $docker_machine_url, '-o', $docker_machine_location_versioned] # lint:ignore:140chars
       exec { "Install Docker Machine ${version}":
         path    => '/usr/bin/',
         cwd     => '/tmp',
-        command => "curl -s -S -L ${proxy_opt} ${docker_machine_url} -o ${docker_machine_location_versioned}",
+        command => $install_command,
         creates => $docker_machine_location_versioned,
         require => Package['curl'],
       }

manifests/plugin.pp

@@ -85,7 +85,7 @@
       }
     )
 
-    $exec_rm   = "${docker_command} rm ${docker_plugin_remove_flags}"
+    $exec_rm   = [$docker_command, 'rm', $docker_plugin_remove_flags]
     $onlyif_rm = "${docker_command} ls --format='{{.PluginReference}}' | grep -w ${plugin_name}"
 
     exec { "plugin remove ${plugin_name}":
@@ -105,7 +105,7 @@
       }
     )
 
-    $exec_enable   = "${docker_command} enable ${docker_plugin_enable_flags}"
+    $exec_enable   = [$docker_command, 'enable', $docker_plugin_enable_flags]
     $onlyif_enable = "${docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}"
 
     exec { "plugin enable ${plugin_name}":
@@ -116,12 +116,15 @@
       onlyif      => $onlyif_enable,
     }
   } elsif $enabled == false {
+    $else_command = [$docker_command, 'disable', $plugin_name]
+    $else_unless = "${docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}"
+
     exec { "disable ${plugin_name}":
-      command     => "${docker_command} disable ${plugin_name}",
+      command     => $else_command,
       environment => 'HOME=/root',
       path        => ['/bin', '/usr/bin',],
       timeout     => 0,
-      unless      => "${docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}",
+      unless      => $else_unless,
     }
   }
 }

manifests/registry.pp

@@ -112,7 +112,7 @@
         default => $pass_hash
       }
 
-      $_auth_command = "${auth_cmd} || (rm -f \"/${_local_user_home}/registry-auth-puppet_receipt_${server_strip}_${local_user}\"; exit 1;)"
+      $_auth_command = [$auth_cmd, '||', "(rm -f \"/${_local_user_home}/registry-auth-puppet_receipt_${server_strip}_${local_user}\"; exit 1;)"] # lint:ignore:140chars
 
       file { "/${_local_user_home}/registry-auth-puppet_receipt_${server_strip}_${local_user}":
         ensure  => $ensure,
@@ -125,7 +125,7 @@
       # server may be an URI, which can contain /
       $server_strip  = regsubst($server, '[/:]', '_', 'G')
       $passfile      = "${::docker_user_temp_path}/registry-auth-puppet_receipt_${server_strip}_${local_user}"
-      $_auth_command = "if (-not (${auth_cmd})) { Remove-Item -Path ${passfile} -Force -Recurse -EA SilentlyContinue; exit 1 } else { exit 0 }" # lint:ignore:140chars
+      $_auth_command = ["if (-not (${auth_cmd}))", "{ Remove-Item -Path ${passfile}", '-Force', '-Recurse', '-EA', 'SilentlyContinue; exit 1 } else { exit 0 }'] # lint:ignore:140chars
 
       if $ensure == 'absent' {
         file { $passfile:

manifests/run.pp

@@ -373,8 +373,10 @@
   }
 
   if $restart_on_unhealthy {
+    $unhealthy_command = [$docker_command, 'restart', $sanitised_title]
+
     exec { "Restart unhealthy container ${title} with docker":
-      command     => "${docker_command} restart ${sanitised_title}",
+      command     => $unhealthy_command,
       onlyif      => $restart_check,
       environment => $exec_environment,
       path        => $exec_path,
@@ -385,18 +387,24 @@
 
   if $restart {
     if $ensure == 'absent' {
+      $restart_stop_command = [$docker_command, 'stop', '--time', $stop_wait_time, $sanitised_title]
+      $restart_stop_onlyif = [[$docker_command, 'inspect', $sanitised_title]]
+
       exec { "stop ${title} with docker":
-        command     => "${docker_command} stop --time=${stop_wait_time} ${sanitised_title}",
-        onlyif      => "${docker_command} inspect ${sanitised_title}",
+        command     => $restart_stop_command,
+        onlyif      => $restart_stop_onlyif,
         environment => $exec_environment,
         path        => $exec_path,
         provider    => $exec_provider,
         timeout     => $exec_timeout,
       }
 
+      $restart_remove_command = "${docker_command} rm -v ${sanitised_title}"
+      $restart_remove_onlyif = [[$docker_command, 'inspect', $sanitised_title]]
+
       exec { "remove ${title} with docker":
-        command     => "${docker_command} rm -v ${sanitised_title}",
-        onlyif      => "${docker_command} inspect ${sanitised_title}",
+        command     => $restart_remove_command,
+        onlyif      => $restart_remove_onlyif,
         environment => $exec_environment,
         path        => $exec_path,
         provider    => $exec_provider,
@@ -421,57 +429,26 @@
         $exec_unless = $inspect
       }
 
-      if versioncmp($facts['puppetversion'], '6') < 0 {
-        exec { "run ${title} with docker":
-          command     => join($run_with_docker_command, ' '),
-          unless      => $exec_unless,
-          environment => $exec_environment,
-          path        => $exec_path,
-          provider    => $exec_provider,
-          timeout     => $exec_timeout,
-        }
-
-        if $running == false {
-          exec { "stop ${title} with docker":
-            command     => "${docker_command} stop --time=${stop_wait_time} ${sanitised_title}",
-            onlyif      => $container_running_check,
-            environment => $exec_environment,
-            path        => $exec_path,
-            provider    => $exec_provider,
-            timeout     => $exec_timeout,
-          }
-        } else {
-          exec { "start ${title} with docker":
-            command     => "${docker_command} start ${sanitised_title}",
-            unless      => $container_running_check,
-            environment => $exec_environment,
-            path        => $exec_path,
-            provider    => $exec_provider,
-            timeout     => $exec_timeout,
-          }
-        }
-      } else {
-        $docker_params_changed_args = {
-          sanitised_title   => $sanitised_title,
-          osfamily          => $facts['os']['family'],
-          command           => join($run_with_docker_command, ' '),
-          cidfile           => $cidfile,
-          image             => $image,
-          volumes           => $volumes,
-          ports             => $ports,
-          stop_wait_time    => $stop_wait_time,
-          container_running => $running,
-          # logfile_path      => ($facts['os']['family'] == 'windows') ? {
-          # true    => ::docker_user_temp_path,
-          # default => '/tmp',
-          # },
-        }
+      $docker_params_changed_args = {
+        sanitised_title   => $sanitised_title,
+        osfamily          => $facts['os']['family'],
+        command           => join($run_with_docker_command, ' '),
+        cidfile           => $cidfile,
+        image             => $image,
+        volumes           => $volumes,
+        ports             => $ports,
+        stop_wait_time    => $stop_wait_time,
+        container_running => $running,
+        # logfile_path      => ($facts['os']['family'] == 'windows') ? {
+        # true    => ::docker_user_temp_path,
+        # default => '/tmp',
+        # },
+      }
 
-        $detect_changes = Deferred('docker_params_changed', [$docker_params_changed_args])
+      $detect_changes = Deferred('docker_params_changed', [$docker_params_changed_args])
 
-        notify { "${title}_docker_params_changed":
-          message  => $detect_changes,
-        }
+      notify { "${title}_docker_params_changed":
+        message  => $detect_changes,
       }
     }
   } else {
@@ -517,9 +494,12 @@
 
     if $ensure == 'absent' {
       if $facts['os']['family'] == 'windows' {
+        $absent_stop_command = "${docker_command} stop --time ${stop_wait_time} ${sanitised_title}"
+        $absent_stop_onlyif = "${docker_command} inspect ${sanitised_title}"
+
         exec { "stop container ${service_prefix}${sanitised_title}":
-          command     => "${docker_command} stop --time=${stop_wait_time} ${sanitised_title}",
-          onlyif      => "${docker_command} inspect ${sanitised_title}",
+          command     => $absent_stop_command,
+          onlyif      => $absent_stop_onlyif,
           environment => $exec_environment,
           path        => $exec_path,
           provider    => $exec_provider,
@@ -536,9 +516,12 @@
           notify    => Exec["remove container ${service_prefix}${sanitised_title}"],
         }
       }
+      $absent_remove_command = "${docker_command} rm -v ${sanitised_title}"
+      $absent_remove_onlyif = "${docker_command} inspect ${sanitised_title}"
+
       exec { "remove container ${service_prefix}${sanitised_title}":
-        command     => "${docker_command} rm -v ${sanitised_title}",
-        onlyif      => "${docker_command} inspect ${sanitised_title}",
+        command     => $absent_remove_command,
+        onlyif      => $absent_remove_onlyif,
         environment => $exec_environment,
         path        => $exec_path,
         refreshonly => true,

manifests/secrets.pp

@@ -27,8 +27,8 @@
       }
     )
 
-    $exec_secret   = "${docker_command} ${docker_secrets_flags}"
-    $unless_secret = "${docker_command} inspect ${secret_name}"
+    $exec_secret   = [$docker_command, $docker_secrets_flags]
+    $unless_secret = [$docker_command, 'inspect', $secret_name]
 
     exec { "${title} docker secret create":
       command => $exec_secret,
@@ -38,9 +38,12 @@
   }
 
   if $ensure == 'absent' {
+    $absent_secret_command = [$docker_command, 'rm', $secret_name]
+    $absent_secret_onlyif = [$docker_command, 'inspect', $secret_name]
+
     exec { "${title} docker secret rm":
-      command => "${docker_command} rm ${secret_name}",
-      onlyif  => "${docker_command} inspect ${secret_name}",
+      command => $absent_secret_command,
+      onlyif  => $absent_secret_onlyif,
       path    => ['/bin', '/usr/bin',],
     }
   }

manifests/services.pp

@@ -132,7 +132,7 @@
       }
     )
 
-    $exec_create   = "${docker_command} create --name ${docker_service_create_flags}"
+    $exec_create   = [$docker_command, 'create', '--name', $docker_service_create_flags]
     $unless_create = "docker service ps ${service_name}"
 
     exec { "${title} docker service create":
@@ -163,7 +163,7 @@
       }
     )
 
-    $exec_update = "${docker_command} update ${docker_service_flags}"
+    $exec_update = [$docker_command, 'update', $docker_service_flags]
 
     exec { "${title} docker service update":
       command     => $exec_update,
@@ -182,7 +182,7 @@
       }
     )
 
-    $exec_scale = "${docker_command} scale ${service_name}=${replicas}"
+    $exec_scale = [$docker_command, 'scale', "${service_name}=${replicas}"]
 
     exec { "${title} docker service scale":
       command     => $exec_scale,
@@ -194,9 +194,12 @@
   }
 
   if $ensure == 'absent' {
+    $service_command = ['docker', 'service', 'rm', $service_name]
+    $service_onlyif = ['docker', 'service', 'ps', $service_name]
+
     exec { "${title} docker service remove":
-      command  => "docker service rm ${service_name}",
-      onlyif   => "docker service ps ${service_name}",
+      command  => $service_command,
+      onlyif   => $service_onlyif,
       path     => $exec_path,
       provider => $exec_provider,
       timeout  => $exec_timeout,

manifests/stack.pp

@@ -59,7 +59,7 @@
       }
     )
 
-    $exec_stack = "${docker_command} deploy ${docker_stack_flags} ${stack_name}"
+    $exec_stack = [$docker_command, 'deploy', $docker_stack_flags, $stack_name]
 
     exec { "docker stack create ${stack_name}":
       command  => $exec_stack,
@@ -70,8 +70,10 @@
   }
 
   if $ensure == 'absent' {
+    $destroy_command = [$docker_command, 'rm', $stack_name]
+
     exec { "docker stack destroy ${stack_name}":
-      command  => "${docker_command} rm ${stack_name}",
+      command  => $destroy_command,
       onlyif   => $check_stack,
       path     => $exec_path,
       provider => $provider,

manifests/swarm.pp

@@ -117,7 +117,7 @@
       }
     )
 
-    $exec_init = "${docker_command} ${docker_swarm_init_flags}"
+    $exec_init = [$docker_command, $docker_swarm_init_flags]
 
     exec { 'Swarm init':
       command     => $exec_init,
@@ -138,7 +138,7 @@
       }
     )
 
-    $exec_join = "${docker_command} ${docker_swarm_join_flags} ${manager_ip}"
+    $exec_join = [$docker_command, $docker_swarm_join_flags, $manager_ip]
 
     exec { 'Swarm join':
       command     => $exec_join,

spec/shared_examples/machine.rb

@@ -62,7 +62,7 @@
         is_expected.to contain_exec("Install Docker Machine #{version}").with(
           'path'    => '/usr/bin/',
           'cwd'     => '/tmp',
-          'command' => "curl -s -S -L #{proxy_opt} #{docker_machine_url} -o #{docker_machine_location_versioned}",
+          'command' => ['curl', '-s', '-S', '-L', proxy_opt, docker_machine_url, '-o', docker_machine_location_versioned],
           'creates' => docker_machine_location_versioned,
         ).that_requires(
           'Package[curl]',

spec/shared_examples/plugin.rb

@@ -43,7 +43,7 @@
       'force_remove' => force_remove,
     )
 
-    exec_rm   = "#{docker_command} rm #{docker_plugin_remove_flags}"
+    exec_rm   = [docker_command, 'rm', docker_plugin_remove_flags]
     onlyif_rm = "#{docker_command} ls --format='{{.PluginReference}}' | grep -w #{plugin_name}"
 
     it {
@@ -64,7 +64,7 @@
       'timeout'      => timeout,
     )
 
-    exec_enable   = "#{docker_command} enable #{docker_plugin_enable_flags}"
+    exec_enable   = [docker_command, 'enable', docker_plugin_enable_flags]
     onlyif_enable = "#{docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}"
 
     it {
@@ -77,13 +77,16 @@
       )
     }
   else
+    else_command = [docker_command, 'disable', plugin_name]
+    else_unless = "#{docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}"
+
     it {
       is_expected.to contain_exec("disable #{plugin_name}").with(
-        'command'     => "#{docker_command} disable #{plugin_name}",
+        'command'     => else_command,
         'environment' => 'HOME=/root',
         'path'        => ['/bin', '/usr/bin'],
         'timeout'     => 0,
-        'unless'      => "#{docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}",
+        'unless'      => else_unless,
       )
     }
   end