1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
|
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2014, Sebastien Rohaut <sebastien.rohaut@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r'''
---
module: pam_limits
author:
- "Sebastien Rohaut (@usawa)"
short_description: Modify Linux PAM limits
description:
- The M(community.general.pam_limits) module modifies PAM limits.
- The default file is V(/etc/security/limits.conf).
- For the full documentation, see C(man 5 limits.conf).
extends_documentation_fragment:
- community.general.attributes
attributes:
check_mode:
support: full
version_added: 2.0.0
diff_mode:
support: full
version_added: 2.0.0
options:
domain:
type: str
description:
- A username, @groupname, wildcard, UID/GID range.
required: true
limit_type:
type: str
description:
- Limit type, see C(man 5 limits.conf) for an explanation.
required: true
choices: [ "hard", "soft", "-" ]
limit_item:
type: str
description:
- The limit to be set.
required: true
choices:
- "core"
- "data"
- "fsize"
- "memlock"
- "nofile"
- "rss"
- "stack"
- "cpu"
- "nproc"
- "as"
- "maxlogins"
- "maxsyslogins"
- "priority"
- "locks"
- "sigpending"
- "msgqueue"
- "nice"
- "rtprio"
- "chroot"
value:
type: str
description:
- The value of the limit.
- Value must either be V(unlimited), V(infinity) or V(-1), all of which indicate no limit, or a limit of 0 or larger.
- Value must be a number in the range -20 to 19 inclusive, if O(limit_item) is set to V(nice) or V(priority).
- Refer to the C(man 5 limits.conf) manual pages for more details.
required: true
backup:
description:
- Create a backup file including the timestamp information so you can get
the original file back if you somehow clobbered it incorrectly.
required: false
type: bool
default: false
use_min:
description:
- If set to V(true), the minimal value will be used or conserved.
- If the specified value is inferior to the value in the file,
file content is replaced with the new value, else content is not modified.
required: false
type: bool
default: false
use_max:
description:
- If set to V(true), the maximal value will be used or conserved.
- If the specified value is superior to the value in the file,
file content is replaced with the new value, else content is not modified.
required: false
type: bool
default: false
dest:
type: str
description:
- Modify the limits.conf path.
required: false
default: "/etc/security/limits.conf"
comment:
type: str
description:
- Comment associated with the limit.
required: false
default: ''
notes:
- If O(dest) file does not exist, it is created.
'''
EXAMPLES = r'''
- name: Add or modify nofile soft limit for the user joe
community.general.pam_limits:
domain: joe
limit_type: soft
limit_item: nofile
value: 64000
- name: Add or modify fsize hard limit for the user smith. Keep or set the maximal value
community.general.pam_limits:
domain: smith
limit_type: hard
limit_item: fsize
value: 1000000
use_max: true
- name: Add or modify memlock, both soft and hard, limit for the user james with a comment
community.general.pam_limits:
domain: james
limit_type: '-'
limit_item: memlock
value: unlimited
comment: unlimited memory lock for james
- name: Add or modify hard nofile limits for wildcard domain
community.general.pam_limits:
domain: '*'
limit_type: hard
limit_item: nofile
value: 39693561
'''
import os
import re
import tempfile
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_native
def _assert_is_valid_value(module, item, value, prefix=''):
if item in ['nice', 'priority']:
try:
valid = -20 <= int(value) <= 19
except ValueError:
valid = False
if not valid:
module.fail_json(msg="%s Value of %r for item %r is invalid. Value must be a number in the range -20 to 19 inclusive. "
"Refer to the limits.conf(5) manual pages for more details." % (prefix, value, item))
elif not (value in ['unlimited', 'infinity', '-1'] or value.isdigit()):
module.fail_json(msg="%s Value of %r for item %r is invalid. Value must either be 'unlimited', 'infinity' or -1, all of "
"which indicate no limit, or a limit of 0 or larger. Refer to the limits.conf(5) manual pages for "
"more details." % (prefix, value, item))
def main():
pam_items = ['core', 'data', 'fsize', 'memlock', 'nofile', 'rss', 'stack', 'cpu', 'nproc', 'as', 'maxlogins', 'maxsyslogins', 'priority', 'locks',
'sigpending', 'msgqueue', 'nice', 'rtprio', 'chroot']
pam_types = ['soft', 'hard', '-']
limits_conf = '/etc/security/limits.conf'
module = AnsibleModule(
argument_spec=dict(
domain=dict(required=True, type='str'),
limit_type=dict(required=True, type='str', choices=pam_types),
limit_item=dict(required=True, type='str', choices=pam_items),
value=dict(required=True, type='str'),
use_max=dict(default=False, type='bool'),
use_min=dict(default=False, type='bool'),
backup=dict(default=False, type='bool'),
dest=dict(default=limits_conf, type='str'),
comment=dict(required=False, default='', type='str')
),
supports_check_mode=True,
)
domain = module.params['domain']
limit_type = module.params['limit_type']
limit_item = module.params['limit_item']
value = module.params['value']
use_max = module.params['use_max']
use_min = module.params['use_min']
backup = module.params['backup']
limits_conf = module.params['dest']
new_comment = module.params['comment']
changed = False
does_not_exist = False
if os.path.isfile(limits_conf):
if not os.access(limits_conf, os.W_OK):
module.fail_json(msg="%s is not writable. Use sudo" % limits_conf)
else:
limits_conf_dir = os.path.dirname(limits_conf)
if os.path.isdir(limits_conf_dir) and os.access(limits_conf_dir, os.W_OK):
does_not_exist = True
changed = True
else:
module.fail_json(msg="directory %s is not writable (check presence, access rights, use sudo)" % limits_conf_dir)
if use_max and use_min:
module.fail_json(msg="Cannot use use_min and use_max at the same time.")
_assert_is_valid_value(module, limit_item, value)
# Backup
if backup:
backup_file = module.backup_local(limits_conf)
space_pattern = re.compile(r'\s+')
if does_not_exist:
lines = []
else:
with open(limits_conf, 'rb') as f:
lines = list(f)
message = ''
# Tempfile
nf = tempfile.NamedTemporaryFile(mode='w+')
found = False
new_value = value
for line in lines:
line = to_native(line, errors='surrogate_or_strict')
if line.startswith('#'):
nf.write(line)
continue
newline = re.sub(space_pattern, ' ', line).strip()
if not newline:
nf.write(line)
continue
# Remove comment in line
newline = newline.split('#', 1)[0]
try:
old_comment = line.split('#', 1)[1]
except Exception:
old_comment = ''
newline = newline.rstrip()
if not new_comment:
new_comment = old_comment
line_fields = newline.split(' ')
if len(line_fields) != 4:
nf.write(line)
continue
line_domain = line_fields[0]
line_type = line_fields[1]
line_item = line_fields[2]
actual_value = line_fields[3]
_assert_is_valid_value(module, line_item, actual_value,
prefix="Invalid configuration found in '%s'." % limits_conf)
# Found the line
if line_domain == domain and line_type == limit_type and line_item == limit_item:
found = True
if value == actual_value:
message = line
nf.write(line)
continue
if line_type not in ['nice', 'priority']:
actual_value_unlimited = actual_value in ['unlimited', 'infinity', '-1']
value_unlimited = value in ['unlimited', 'infinity', '-1']
else:
actual_value_unlimited = value_unlimited = False
if use_max:
if actual_value_unlimited:
new_value = actual_value
elif value_unlimited:
new_value = value
else:
new_value = str(max(int(value), int(actual_value)))
if use_min:
if actual_value_unlimited and value_unlimited:
new_value = actual_value
elif actual_value_unlimited:
new_value = value
elif value_unlimited:
new_value = actual_value
else:
new_value = str(min(int(value), int(actual_value)))
# Change line only if value has changed
if new_value != actual_value:
changed = True
if new_comment:
new_comment = "\t#" + new_comment
new_limit = domain + "\t" + limit_type + "\t" + limit_item + "\t" + new_value + new_comment + "\n"
message = new_limit
nf.write(new_limit)
else:
message = line
nf.write(line)
else:
nf.write(line)
if not found:
changed = True
if new_comment:
new_comment = "\t#" + new_comment
new_limit = domain + "\t" + limit_type + "\t" + limit_item + "\t" + new_value + new_comment + "\n"
message = new_limit
nf.write(new_limit)
nf.flush()
with open(nf.name, 'r') as content:
content_new = content.read()
if not module.check_mode:
if does_not_exist:
with open(limits_conf, 'a'):
pass
# Move tempfile to newfile
module.atomic_move(nf.name, limits_conf)
try:
nf.close()
except Exception:
pass
res_args = dict(
changed=changed,
msg=message,
diff=dict(before=b''.join(lines), after=content_new),
)
if backup:
res_args['backup_file'] = backup_file
module.exit_json(**res_args)
if __name__ == '__main__':
main()
|
