(#issue_318) Added ability for users to switch between '/bin/true' an…

…d '/bin/false' when disabling kernel modules via the kmod_blacklist class Fixes #318
simp · Jul 9, 2024 · 983077e · 983077e
1 parent 4549884
commit 983077e
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 2 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,6 @@
+* Mon Jul 09 2024 Mike Riddle <[email protected]> - 4.22.0
+- Added ability for users to switch between '/bin/true' and '/bin/false' when disabling kernel modules via the kmod_blacklist class
+
 * Tue Jul 02 2024 Steven Pritchard <[email protected]> - 4.21.0
 - Clean up use of legacy facts to better support Puppet 8
 

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -714,6 +714,7 @@ The following parameters are available in the `simp::kmod_blacklist` class:
 
 * [`enable_defaults`](#-simp--kmod_blacklist--enable_defaults)
 * [`blacklist`](#-simp--kmod_blacklist--blacklist)
+* [`produce_error`](#-simp--kmod_blacklist--produce_error)
 * [`custom_blacklist`](#-simp--kmod_blacklist--custom_blacklist)
 * [`allow_overrides`](#-simp--kmod_blacklist--allow_overrides)
 * [`lock_modules`](#-simp--kmod_blacklist--lock_modules)
@@ -758,6 +759,16 @@ Default value:
   ]
 ```
 
+##### <a name="-simp--kmod_blacklist--produce_error"></a>`produce_error`
+
+Data type: `Boolean`
+
+If set to true, any disabled modules will point to '/bin/false', which will
+produce an error when anyone attempts to load the module. Default is false,
+which will point to '/bin/true', which will not produce any error.
+
+Default value: `false`
+
 ##### <a name="-simp--kmod_blacklist--custom_blacklist"></a>`custom_blacklist`
 
 Data type: `Array[String]`

diff --git a/manifests/kmod_blacklist.pp b/manifests/kmod_blacklist.pp
@@ -8,6 +8,11 @@
 # @param blacklist
 #   List of kernel modules to be blacklisted by default
 #
+# @param produce_error
+#   If set to true, any disabled modules will point to '/bin/false', which will
+#   produce an error when anyone attempts to load the module. Default is false,
+#   which will point to '/bin/true', which will not produce any error.
+#
 # @param custom_blacklist
 #   Additional kernel modules to be blacklisted
 #
@@ -50,6 +55,7 @@
     'usb-storage'
   ],
   Array[String]   $custom_blacklist          = [],
+  Boolean         $produce_error             = false,
   Boolean         $allow_overrides           = true,
   Boolean         $lock_modules              = false,
   Boolean         $notify_if_reboot_required = true
@@ -80,7 +86,12 @@
     $_obsolete_disable_file = '/etc/modprobe.d/zz_simp_disable.conf'
   }
 
-  $_disable_file_content = join($_blacklist.map |$mod| { "install ${mod} /bin/true" }, "\n")
+  $_produce_error = $produce_error ? {
+    true  => '/bin/false',
+    false => '/bin/true'
+  }
+
+  $_disable_file_content = join($_blacklist.map |$mod| { "install ${mod} ${_produce_error}" }, "\n")
 
   file { $_disable_file:
     ensure  => file,

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "simp-simp",
-  "version": "4.21.0",
+  "version": "4.22.0",
   "author": "SIMP Team",
   "summary": "default profiles for core SIMP installations",
   "license": "Apache-2.0",

diff --git a/spec/classes/00_classes/kmod_blacklist_spec.rb b/spec/classes/00_classes/kmod_blacklist_spec.rb
@@ -183,6 +183,16 @@
 
           end
 
+          context 'when producing an error on module load' do
+            let(:params){{
+              :produce_error => true
+            }}
+
+            it 'should blacklist all the default kmods and point to /bin/false' do
+              is_expected.to create_file("/etc/modprobe.d/00_simp_disable.conf").with_content(stock_blacklist.map{|x| x = "install #{x} /bin/false" }.join("\n") + "\n")
+            end
+          end
+
         end
       end
     end