authorTim Smith <tsmith@chef.io>2020-03-16 11:20:47 -0700
committerGitHub <noreply@github.com>2020-03-16 11:20:47 -0700
commit67f537c9b108fda9bac80ca8c275c4ac1c3a6d80 (patch)
treef94910c2549479fabe76615ed80f660ecaaf630a
parentf38d303cd2661e9e4ed44091c4a1ac8d98a8dcc9 (diff)
parenta2ed9aa51033488ff09d204ac86e7727a525a875 (diff)
downloadchef-67f537c9b108fda9bac80ca8c275c4ac1c3a6d80.tar.gz
Merge pull request #9487 from chef/ulimit
Add user_ulimit resource from the ulimit cookbook
-rw-r--r--lib/chef/resource/support/ulimit.erb41
-rw-r--r--lib/chef/resource/user_ulimit.rb113
-rw-r--r--lib/chef/resources.rb1
-rw-r--r--spec/unit/resource/user_ulimit_spec.rb53
4 files changed, 208 insertions, 0 deletions
diff --git a/lib/chef/resource/support/ulimit.erb b/lib/chef/resource/support/ulimit.erb
new file mode 100644
index 0000000000..6fc5539f27
--- /dev/null
+++ b/lib/chef/resource/support/ulimit.erb
@@ -0,0 +1,41 @@
+# Generated by <%= ChefConfig::Dist::PRODUCT %>. Changes will be overwritten.
+
+# Limits settings for <%= @ulimit_user %>
+
+<% unless @filehandle_limit.nil? -%>
+<%= @ulimit_user -%> - nofile <%= @filehandle_limit %>
+<% else -%><% unless @filehandle_soft_limit.nil? -%><%= @ulimit_user -%> soft nofile <%= @filehandle_soft_limit %><% end -%>
+<% unless @filehandle_hard_limit.nil? -%><%= @ulimit_user -%> hard nofile <%= @filehandle_hard_limit %><% end -%>
+<% end -%>
+
+<% unless @process_limit.nil? -%>
+<%= @ulimit_user -%> - nproc <%= @process_limit %>
+<% else -%><% unless @process_soft_limit.nil? -%><%= @ulimit_user -%> soft nproc <%= @process_soft_limit %><% end -%>
+<% unless @process_hard_limit.nil? -%><%= @ulimit_user -%> hard nproc <%= @process_hard_limit %><% end -%>
+<% end -%>
+
+<% unless @memory_limit.nil? -%>
+<%= @ulimit_user -%> - memlock <%= @memory_limit %>
+<% end -%>
+
+<% unless @core_limit.nil? -%>
+<%= @ulimit_user -%> - core <%= @core_limit %>
+<% else -%><% unless @core_soft_limit.nil? -%><%= @ulimit_user -%> soft core <%= @core_soft_limit %><% end -%>
+<% unless @core_hard_limit.nil? -%><%= @ulimit_user -%> hard core <%= @core_hard_limit %><% end -%>
+<% end -%>
+
+<% unless @stack_limit.nil? -%>
+<%= @ulimit_user -%> - stack <%= @stack_limit %>
+<% else -%><% unless @stack_soft_limit.nil? -%><%= @ulimit_user -%> soft stack <%= @stack_soft_limit %><% end -%>
+<% unless @stack_hard_limit.nil? -%><%= @ulimit_user -%> hard stack <%= @stack_hard_limit %><% end -%>
+<% end -%>
+
+<% unless @rtprio_limit.nil? -%>
+<%= @ulimit_user -%> - rtprio <%= @rtprio_limit %>
+<% else -%><% unless @rtprio_soft_limit.nil? -%><%= @ulimit_user -%> soft rtprio <%= @rtprio_soft_limit %><% end -%>
+<% unless @rtprio_hard_limit.nil? -%><%= @ulimit_user -%> hard rtprio <%= @rtprio_hard_limit %><% end -%>
+<% end -%>
+
+<% unless @virt_limit.nil? -%>
+ <%= @ulimit_user -%> - as <%= @virt_limit %>
+<% end -%>
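Review bot: A combined limit silently suppresses the soft/hard pair for the same item: when `@core_limit` is set, the `else` branch holding the `soft core` and `hard core` lines is skipped, so a recipe that sets both `core_limit` and `core_hard_limit` gets only the `-` entry. The nofile, nproc, stack and rtprio blocks behave the same way. The precedence deserves a template comment such as `<%# a combined limit wins; soft/hard values for the same item are ignored %>`, or the resource could reject the combination outright. Separately, the `as` entry near the end is the only one written with leading whitespace, which looks unintended.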
diff --git a/lib/chef/resource/user_ulimit.rb b/lib/chef/resource/user_ulimit.rb
new file mode 100644
index 0000000000..82be09cf74
--- /dev/null
+++ b/lib/chef/resource/user_ulimit.rb
@@ -0,0 +1,113 @@
+#
+# Copyright:: Copyright 2018-2020, Chef Software Inc.
+# Copyright:: 2012, Brightcove, Inc
+#
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+ class Resource
+ class UserUlimit < Chef::Resource
+ unified_mode true
+
+ provides :user_ulimit
+
+ introduced "16.0"
+ description "Use the user_ulimit resource to create individual ulimit files that are installed into the `/etc/security/limits.d/` directory."
+ examples <<~DOC
+ set filehandle limit for the tomcat user
+ ```ruby
+ user_ulimit 'tomcat' do
+ filehandle_limit 8192
+ end
+ ```
+
+ specify a username that differs from the name given to the resource block
+ ```ruby
+ user_ulimit 'Bump filehandle limits for tomcat user' do
+ username 'tomcat'
+ filehandle_limit 8192
+ end
+ ```
+
+ specify a non-default filename
+ set filehandle limit for the tomcat user
+ ```ruby
+ user_ulimit 'tomcat' do
+ filehandle_limit 8192
+ filename 'tomcat_filehandle_limits.conf'
+ end
+ ```
+ DOC
+
+ property :username, String, name_property: true
+ property :filehandle_limit, [String, Integer]
+ property :filehandle_soft_limit, [String, Integer]
+ property :filehandle_hard_limit, [String, Integer]
+ property :process_limit, [String, Integer]
+ property :process_soft_limit, [String, Integer]
+ property :process_hard_limit, [String, Integer]
+ property :memory_limit, [String, Integer]
+ property :core_limit, [String, Integer]
+ property :core_soft_limit, [String, Integer]
+ property :core_hard_limit, [String, Integer]
+ property :stack_limit, [String, Integer]
+ property :stack_soft_limit, [String, Integer]
+ property :stack_hard_limit, [String, Integer]
+ property :rtprio_limit, [String, Integer]
+ property :rtprio_soft_limit, [String, Integer]
+ property :rtprio_hard_limit, [String, Integer]
+ property :virt_limit, [String, Integer]
+ property :filename, String,
+ coerce: proc { |m| m.end_with?(".conf") ? m : m + ".conf" },
+ default: lazy { |r| r.username == "*" ? "00_all_limits.conf" : "#{r.username}_limits.conf" }
+
+ action :create do
+ template "/etc/security/limits.d/#{new_resource.filename}" do
+ source ::File.expand_path("../support/ulimit.erb", __FILE__)
+ mode "0644"
+ variables(
+ ulimit_user: new_resource.username,
+ filehandle_limit: new_resource.filehandle_limit,
+ filehandle_soft_limit: new_resource.filehandle_soft_limit,
+ filehandle_hard_limit: new_resource.filehandle_hard_limit,
+ process_limit: new_resource.process_limit,
+ process_soft_limit: new_resource.process_soft_limit,
+ process_hard_limit: new_resource.process_hard_limit,
+ memory_limit: new_resource.memory_limit,
+ core_limit: new_resource.core_limit,
+ core_soft_limit: new_resource.core_soft_limit,
+ core_hard_limit: new_resource.core_hard_limit,
+ stack_limit: new_resource.stack_limit,
+ stack_soft_limit: new_resource.stack_soft_limit,
+ stack_hard_limit: new_resource.stack_hard_limit,
+ rtprio_limit: new_resource.rtprio_limit,
+ rtprio_soft_limit: new_resource.rtprio_soft_limit,
+ rtprio_hard_limit: new_resource.rtprio_hard_limit,
+ virt_limit: new_resource.virt_limit
+ )
+ end
+ end
+
+ action :delete do
+ file "/etc/security/limits.d/#{new_resource.filename}" do
+ action :delete
+ end
+ end
+ end
+ end
+end
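Review bot: `filename` is interpolated into `/etc/security/limits.d/#{new_resource.filename}` in both actions with no check that it is a bare file name, so a value containing `/` makes `:create` write, and `:delete` remove, a file outside limits.d; the lazy default built from `username` takes the same path. A validation on the property, for example `callbacks: { "must be a file name without path separators" => ->(f) { ::File.basename(f) == f } }`, would reject such values when they come from node attributes or data bags. `username` and the limit properties also accept any String and the template prints them verbatim, so an embedded newline would add extra entries to the limits file; a `regex:` constraint on those properties would close that. The `template` resource sets `mode` but not `owner`/`group`, which is worth stating explicitly for a file under /etc/security.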
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index f0736e2429..1fc707f642 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -124,6 +124,7 @@ require_relative "resource/user/mac_user"
require_relative "resource/user/pw_user"
require_relative "resource/user/solaris_user"
require_relative "resource/user/windows_user"
+require_relative "resource/user_ulimit"
require_relative "resource/whyrun_safe_ruby_block"
require_relative "resource/windows_env"
require_relative "resource/windows_package"
diff --git a/spec/unit/resource/user_ulimit_spec.rb b/spec/unit/resource/user_ulimit_spec.rb
new file mode 100644
index 0000000000..f4f101950f
--- /dev/null
+++ b/spec/unit/resource/user_ulimit_spec.rb
@@ -0,0 +1,53 @@
+#
+# Author:: Tim Smith (<tsmith@chef.io>)
+# Copyright:: 2020, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::UserUlimit do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::UserUlimit.new("fakey_fakerton", run_context) }
+
+ it "the username property is the name_property" do
+ expect(resource.username).to eql("fakey_fakerton")
+ end
+
+ it "sets the default action as :create" do
+ expect(resource.action).to eql([:create])
+ end
+
+ it "coerces filename value to end in .conf" do
+ resource.filename("foo")
+ expect(resource.filename).to eql("foo.conf")
+ end
+
+ it "if username is * then the filename defaults to 00_all_limits.conf" do
+ resource.username("*")
+ expect(resource.filename).to eql("00_all_limits.conf")
+ end
+
+ it "if username is NOT * then the filename defaults to USERNAME_limits.conf" do
+ expect(resource.filename).to eql("fakey_fakerton_limits.conf")
+ end
+
+ it "supports :create and :delete actions" do
+ expect { resource.action :create }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ end
+end
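Review bot: The coercion example covers only the branch that appends `.conf`; the branch that leaves an already-suffixed name untouched is not tested, and `resource.filename("foo.conf")` followed by `expect(resource.filename).to eql("foo.conf")` would pin it. The final example only assigns the action symbols, so as far as the visible examples show nothing here renders ulimit.erb or checks the path the actions build. An example asserting that a `filename` with a path separator raises a validation error would document the intended boundary once the property enforces one.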