Merge pull request #875 from puppetlabs/revert-863-maint-codebase-har…

…dening

Revert "(maint) Hardening manifests and tasks"

manifests/compose.pp

@@ -71,6 +71,8 @@
     }
 
     if $facts['os']['family'] == 'windows' {
+      $docker_download_command = "if (Invoke-WebRequest ${docker_compose_url} ${proxy_opt} -UseBasicParsing -OutFile \"${docker_compose_location_versioned}\") { exit 0 } else { exit 1}" # lint:ignore:140chars
+
       exec { "Install Docker Compose ${version}":
         command  => template('docker/windows/download_docker_compose.ps1.erb'),
         provider => powershell,
@@ -87,11 +89,10 @@
         ensure_packages(['curl'])
       }
 
-      $compose_install = "curl -s -S -L ${proxy_opt} ${docker_compose_url} -o ${docker_compose_location_versioned}"
       exec { "Install Docker Compose ${version}":
         path    => '/usr/bin/',
         cwd     => '/tmp',
-        command => $compose_install,
+        command => "curl -s -S -L ${proxy_opt} ${docker_compose_url} -o ${docker_compose_location_versioned}",
         creates => $docker_compose_location_versioned,
         require => Package['curl'],
       }

manifests/machine.pp

@@ -56,6 +56,8 @@
     }
 
     if $facts['os']['family'] == 'windows' {
+      $docker_download_command = "if (Invoke-WebRequest ${docker_machine_url} ${proxy_opt} -UseBasicParsing -OutFile \"${docker_machine_location_versioned}\") { exit 0 } else { exit 1}" # lint:ignore:140chars
+
       exec { "Install Docker Machine ${version}":
         command  => template('docker/windows/download_docker_machine.ps1.erb'),
         provider => powershell,
@@ -72,11 +74,10 @@
         ensure_packages(['curl'])
       }
 
-      $install_command = ['curl', '-s', '-S', '-L', $proxy_opt, $docker_machine_url, '-o', $docker_machine_location_versioned] # lint:ignore:140chars
       exec { "Install Docker Machine ${version}":
         path    => '/usr/bin/',
         cwd     => '/tmp',
-        command => $install_command,
+        command => "curl -s -S -L ${proxy_opt} ${docker_machine_url} -o ${docker_machine_location_versioned}",
         creates => $docker_machine_location_versioned,
         require => Package['curl'],
       }

manifests/plugin.pp

@@ -85,7 +85,7 @@
       }
     )
 
-    $exec_rm   = [$docker_command, 'rm', $docker_plugin_remove_flags]
+    $exec_rm   = "${docker_command} rm ${docker_plugin_remove_flags}"
     $onlyif_rm = "${docker_command} ls --format='{{.PluginReference}}' | grep -w ${plugin_name}"
 
     exec { "plugin remove ${plugin_name}":
@@ -105,7 +105,7 @@
       }
     )
 
-    $exec_enable   = [$docker_command, 'enable', $docker_plugin_enable_flags]
+    $exec_enable   = "${docker_command} enable ${docker_plugin_enable_flags}"
     $onlyif_enable = "${docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}"
 
     exec { "plugin enable ${plugin_name}":
@@ -116,15 +116,12 @@
       onlyif      => $onlyif_enable,
     }
   } elsif $enabled == false {
-    $else_command = [$docker_command, 'disable', $plugin_name]
-    $else_unless = "${docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}"
-
     exec { "disable ${plugin_name}":
-      command     => $else_command,
+      command     => "${docker_command} disable ${plugin_name}",
       environment => 'HOME=/root',
       path        => ['/bin', '/usr/bin',],
       timeout     => 0,
-      unless      => $else_unless,
+      unless      => "${docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w ${plugin_name}",
     }
   }
 }

manifests/registry.pp

@@ -112,7 +112,7 @@
         default => $pass_hash
       }
 
-      $_auth_command = [$auth_cmd, '||', "(rm -f \"/${_local_user_home}/registry-auth-puppet_receipt_${server_strip}_${local_user}\"; exit 1;)"] # lint:ignore:140chars
+      $_auth_command = "${auth_cmd} || (rm -f \"/${_local_user_home}/registry-auth-puppet_receipt_${server_strip}_${local_user}\"; exit 1;)"
 
       file { "/${_local_user_home}/registry-auth-puppet_receipt_${server_strip}_${local_user}":
         ensure  => $ensure,
@@ -125,7 +125,7 @@
       # server may be an URI, which can contain /
       $server_strip  = regsubst($server, '[/:]', '_', 'G')
       $passfile      = "${::docker_user_temp_path}/registry-auth-puppet_receipt_${server_strip}_${local_user}"
-      $_auth_command = ["if (-not (${auth_cmd}))", "{ Remove-Item -Path ${passfile}", '-Force', '-Recurse', '-EA', 'SilentlyContinue; exit 1 } else { exit 0 }'] # lint:ignore:140chars
+      $_auth_command = "if (-not (${auth_cmd})) { Remove-Item -Path ${passfile} -Force -Recurse -EA SilentlyContinue; exit 1 } else { exit 0 }" # lint:ignore:140chars
 
       if $ensure == 'absent' {
         file { $passfile:

manifests/run.pp

@@ -373,10 +373,8 @@
   }
 
   if $restart_on_unhealthy {
-    $unhealthy_command = [$docker_command, 'restart', $sanitised_title]
-
     exec { "Restart unhealthy container ${title} with docker":
-      command     => $unhealthy_command,
+      command     => "${docker_command} restart ${sanitised_title}",
       onlyif      => $restart_check,
       environment => $exec_environment,
       path        => $exec_path,
@@ -387,24 +385,18 @@
 
   if $restart {
     if $ensure == 'absent' {
-      $restart_stop_command = [$docker_command, 'stop', '--time', $stop_wait_time, $sanitised_title]
-      $restart_stop_onlyif = [[$docker_command, 'inspect', $sanitised_title]]
-
       exec { "stop ${title} with docker":
-        command     => $restart_stop_command,
-        onlyif      => $restart_stop_onlyif,
+        command     => "${docker_command} stop --time=${stop_wait_time} ${sanitised_title}",
+        onlyif      => "${docker_command} inspect ${sanitised_title}",
         environment => $exec_environment,
         path        => $exec_path,
         provider    => $exec_provider,
         timeout     => $exec_timeout,
       }
 
-      $restart_remove_command = "${docker_command} rm -v ${sanitised_title}"
-      $restart_remove_onlyif = [[$docker_command, 'inspect', $sanitised_title]]
-
       exec { "remove ${title} with docker":
-        command     => $restart_remove_command,
-        onlyif      => $restart_remove_onlyif,
+        command     => "${docker_command} rm -v ${sanitised_title}",
+        onlyif      => "${docker_command} inspect ${sanitised_title}",
         environment => $exec_environment,
         path        => $exec_path,
         provider    => $exec_provider,
@@ -429,26 +421,57 @@
         $exec_unless = $inspect
       }
 
-      $docker_params_changed_args = {
-        sanitised_title   => $sanitised_title,
-        osfamily          => $facts['os']['family'],
-        command           => join($run_with_docker_command, ' '),
-        cidfile           => $cidfile,
-        image             => $image,
-        volumes           => $volumes,
-        ports             => $ports,
-        stop_wait_time    => $stop_wait_time,
-        container_running => $running,
-        # logfile_path      => ($facts['os']['family'] == 'windows') ? {
-        # true    => ::docker_user_temp_path,
-        # default => '/tmp',
-        # },
-      }
+      if versioncmp($facts['puppetversion'], '6') < 0 {
+        exec { "run ${title} with docker":
+          command     => join($run_with_docker_command, ' '),
+          unless      => $exec_unless,
+          environment => $exec_environment,
+          path        => $exec_path,
+          provider    => $exec_provider,
+          timeout     => $exec_timeout,
+        }
+
+        if $running == false {
+          exec { "stop ${title} with docker":
+            command     => "${docker_command} stop --time=${stop_wait_time} ${sanitised_title}",
+            onlyif      => $container_running_check,
+            environment => $exec_environment,
+            path        => $exec_path,
+            provider    => $exec_provider,
+            timeout     => $exec_timeout,
+          }
+        } else {
+          exec { "start ${title} with docker":
+            command     => "${docker_command} start ${sanitised_title}",
+            unless      => $container_running_check,
+            environment => $exec_environment,
+            path        => $exec_path,
+            provider    => $exec_provider,
+            timeout     => $exec_timeout,
+          }
+        }
+      } else {
+        $docker_params_changed_args = {
+          sanitised_title   => $sanitised_title,
+          osfamily          => $facts['os']['family'],
+          command           => join($run_with_docker_command, ' '),
+          cidfile           => $cidfile,
+          image             => $image,
+          volumes           => $volumes,
+          ports             => $ports,
+          stop_wait_time    => $stop_wait_time,
+          container_running => $running,
+          # logfile_path      => ($facts['os']['family'] == 'windows') ? {
+          # true    => ::docker_user_temp_path,
+          # default => '/tmp',
+          # },
+        }
 
-      $detect_changes = Deferred('docker_params_changed', [$docker_params_changed_args])
+        $detect_changes = Deferred('docker_params_changed', [$docker_params_changed_args])
 
-      notify { "${title}_docker_params_changed":
-        message  => $detect_changes,
+        notify { "${title}_docker_params_changed":
+          message  => $detect_changes,
+        }
       }
     }
   } else {
@@ -494,12 +517,9 @@
 
     if $ensure == 'absent' {
       if $facts['os']['family'] == 'windows' {
-        $absent_stop_command = "${docker_command} stop --time ${stop_wait_time} ${sanitised_title}"
-        $absent_stop_onlyif = "${docker_command} inspect ${sanitised_title}"
-
         exec { "stop container ${service_prefix}${sanitised_title}":
-          command     => $absent_stop_command,
-          onlyif      => $absent_stop_onlyif,
+          command     => "${docker_command} stop --time=${stop_wait_time} ${sanitised_title}",
+          onlyif      => "${docker_command} inspect ${sanitised_title}",
           environment => $exec_environment,
           path        => $exec_path,
           provider    => $exec_provider,
@@ -516,12 +536,9 @@
           notify    => Exec["remove container ${service_prefix}${sanitised_title}"],
         }
       }
-      $absent_remove_command = "${docker_command} rm -v ${sanitised_title}"
-      $absent_remove_onlyif = "${docker_command} inspect ${sanitised_title}"
-
       exec { "remove container ${service_prefix}${sanitised_title}":
-        command     => $absent_remove_command,
-        onlyif      => $absent_remove_onlyif,
+        command     => "${docker_command} rm -v ${sanitised_title}",
+        onlyif      => "${docker_command} inspect ${sanitised_title}",
         environment => $exec_environment,
         path        => $exec_path,
         refreshonly => true,

manifests/secrets.pp

@@ -27,8 +27,8 @@
       }
     )
 
-    $exec_secret   = [$docker_command, $docker_secrets_flags]
-    $unless_secret = [$docker_command, 'inspect', $secret_name]
+    $exec_secret   = "${docker_command} ${docker_secrets_flags}"
+    $unless_secret = "${docker_command} inspect ${secret_name}"
 
     exec { "${title} docker secret create":
       command => $exec_secret,
@@ -38,12 +38,9 @@
   }
 
   if $ensure == 'absent' {
-    $absent_secret_command = [$docker_command, 'rm', $secret_name]
-    $absent_secret_onlyif = [$docker_command, 'inspect', $secret_name]
-
     exec { "${title} docker secret rm":
-      command => $absent_secret_command,
-      onlyif  => $absent_secret_onlyif,
+      command => "${docker_command} rm ${secret_name}",
+      onlyif  => "${docker_command} inspect ${secret_name}",
       path    => ['/bin', '/usr/bin',],
     }
   }

manifests/services.pp

@@ -132,7 +132,7 @@
       }
     )
 
-    $exec_create   = [$docker_command, 'create', '--name', $docker_service_create_flags]
+    $exec_create   = "${docker_command} create --name ${docker_service_create_flags}"
     $unless_create = "docker service ps ${service_name}"
 
     exec { "${title} docker service create":
@@ -163,7 +163,7 @@
       }
     )
 
-    $exec_update = [$docker_command, 'update', $docker_service_flags]
+    $exec_update = "${docker_command} update ${docker_service_flags}"
 
     exec { "${title} docker service update":
       command     => $exec_update,
@@ -182,7 +182,7 @@
       }
     )
 
-    $exec_scale = [$docker_command, 'scale', "${service_name}=${replicas}"]
+    $exec_scale = "${docker_command} scale ${service_name}=${replicas}"
 
     exec { "${title} docker service scale":
       command     => $exec_scale,
@@ -194,12 +194,9 @@
   }
 
   if $ensure == 'absent' {
-    $service_command = ['docker', 'service', 'rm', $service_name]
-    $service_onlyif = ['docker', 'service', 'ps', $service_name]
-
     exec { "${title} docker service remove":
-      command  => $service_command,
-      onlyif   => $service_onlyif,
+      command  => "docker service rm ${service_name}",
+      onlyif   => "docker service ps ${service_name}",
       path     => $exec_path,
       provider => $exec_provider,
       timeout  => $exec_timeout,

manifests/stack.pp

@@ -59,7 +59,7 @@
       }
     )
 
-    $exec_stack = [$docker_command, 'deploy', $docker_stack_flags, $stack_name]
+    $exec_stack = "${docker_command} deploy ${docker_stack_flags} ${stack_name}"
 
     exec { "docker stack create ${stack_name}":
       command  => $exec_stack,
@@ -70,10 +70,8 @@
   }
 
   if $ensure == 'absent' {
-    $destroy_command = [$docker_command, 'rm', $stack_name]
-
     exec { "docker stack destroy ${stack_name}":
-      command  => $destroy_command,
+      command  => "${docker_command} rm ${stack_name}",
       onlyif   => $check_stack,
       path     => $exec_path,
       provider => $provider,

manifests/swarm.pp

@@ -117,7 +117,7 @@
       }
     )
 
-    $exec_init = [$docker_command, $docker_swarm_init_flags]
+    $exec_init = "${docker_command} ${docker_swarm_init_flags}"
 
     exec { 'Swarm init':
       command     => $exec_init,
@@ -138,7 +138,7 @@
       }
     )
 
-    $exec_join = [$docker_command, $docker_swarm_join_flags, $manager_ip]
+    $exec_join = "${docker_command} ${docker_swarm_join_flags} ${manager_ip}"
 
     exec { 'Swarm join':
       command     => $exec_join,

spec/shared_examples/machine.rb

@@ -62,7 +62,7 @@
         is_expected.to contain_exec("Install Docker Machine #{version}").with(
           'path'    => '/usr/bin/',
           'cwd'     => '/tmp',
-          'command' => ['curl', '-s', '-S', '-L', proxy_opt, docker_machine_url, '-o', docker_machine_location_versioned],
+          'command' => "curl -s -S -L #{proxy_opt} #{docker_machine_url} -o #{docker_machine_location_versioned}",
           'creates' => docker_machine_location_versioned,
         ).that_requires(
           'Package[curl]',

spec/shared_examples/plugin.rb

@@ -43,7 +43,7 @@
       'force_remove' => force_remove,
     )
 
-    exec_rm   = [docker_command, 'rm', docker_plugin_remove_flags]
+    exec_rm   = "#{docker_command} rm #{docker_plugin_remove_flags}"
     onlyif_rm = "#{docker_command} ls --format='{{.PluginReference}}' | grep -w #{plugin_name}"
 
     it {
@@ -64,7 +64,7 @@
       'timeout'      => timeout,
     )
 
-    exec_enable   = [docker_command, 'enable', docker_plugin_enable_flags]
+    exec_enable   = "#{docker_command} enable #{docker_plugin_enable_flags}"
     onlyif_enable = "#{docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}"
 
     it {
@@ -77,16 +77,13 @@
       )
     }
   else
-    else_command = [docker_command, 'disable', plugin_name]
-    else_unless = "#{docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}"
-
     it {
       is_expected.to contain_exec("disable #{plugin_name}").with(
-        'command'     => else_command,
+        'command'     => "#{docker_command} disable #{plugin_name}",
         'environment' => 'HOME=/root',
         'path'        => ['/bin', '/usr/bin'],
         'timeout'     => 0,
-        'unless'      => else_unless,
+        'unless'      => "#{docker_command} ls -f enabled=false --format='{{.PluginReference}}' | grep -w #{plugin_name}",
       )
     }
   end