From 66d0a9157f55240ae0f61ec4eda7fae96dfd6a6d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 6 Apr 2023 22:49:49 -0500
Subject: [PATCH] burp-client: Switch from cron to systemd timer

systemd timer units are supported on all relevant OS versions now. There is no longer any reason to use cron.
---
 burp-client.yml | 1 -
 roles/burp-client/files/burp-backup.cron | 1 -
 roles/burp-client/files/burp-backup.fcron | 1 -
 roles/burp-client/files/burp-backup.service | 27 ++++++++++++++++++++
 roles/burp-client/files/burp-backup.timer | 10 ++++++++
 roles/burp-client/handlers/main.yml | 5 ++--
 roles/burp-client/tasks/main.yml | 28 ++++++++++++++++++---
 7 files changed, 64 insertions(+), 9 deletions(-)
 delete mode 100644 roles/burp-client/files/burp-backup.cron
 delete mode 100644 roles/burp-client/files/burp-backup.fcron
 create mode 100644 roles/burp-client/files/burp-backup.service
 create mode 100644 roles/burp-client/files/burp-backup.timer

diff --git a/burp-client.yml b/burp-client.yml
index 26dca3a..42bc092 100644
--- a/burp-client.yml
+++ b/burp-client.yml
@@ -1,4 +1,3 @@
 - hosts: burp-client
 roles:
- - cronie
 - burp-client
diff --git a/roles/burp-client/files/burp-backup.cron b/roles/burp-client/files/burp-backup.cron
deleted file mode 100644
index 7a003b8..0000000
--- a/roles/burp-client/files/burp-backup.cron
+++ /dev/null
@@ -1 +0,0 @@
-18,48 * * * * root /usr/sbin/burp -a t -Q
diff --git a/roles/burp-client/files/burp-backup.fcron b/roles/burp-client/files/burp-backup.fcron
deleted file mode 100644
index b87d559..0000000
--- a/roles/burp-client/files/burp-backup.fcron
+++ /dev/null
@@ -1 +0,0 @@
-@mail(no) 30 /usr/sbin/burp -a t
diff --git a/roles/burp-client/files/burp-backup.service b/roles/burp-client/files/burp-backup.service
new file mode 100644
index 0000000..5b9c0f7
--- /dev/null
+++ b/roles/burp-client/files/burp-backup.service
@@ -0,0 +1,27 @@
+# vim: set ft=systemd :
+[Unit]
+Description=BURP client
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=exec
+ExecStart=/usr/sbin/burp -a t -Q
+SuccessExitStatus=3
+CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_FOWNER CAP_LEASE CAP_SETGID CAP_SETUID
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=noaccess
+ProtectSystem=full
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @privileged @mount
+SystemCallFilter=~@clock @debug @module @reboot @swap
diff --git a/roles/burp-client/files/burp-backup.timer b/roles/burp-client/files/burp-backup.timer
new file mode 100644
index 0000000..c3cb827
--- /dev/null
+++ b/roles/burp-client/files/burp-backup.timer
@@ -0,0 +1,10 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically run BURP client
+
+[Timer]
+OnCalendar=*:18
+OnCalendar=*:48
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/burp-client/handlers/main.yml b/roles/burp-client/handlers/main.yml
index 1e26cd2..56a5c1e 100644
--- a/roles/burp-client/handlers/main.yml
+++ b/roles/burp-client/handlers/main.yml
@@ -1,2 +1,3 @@
-- name: reload system crontab
- command: /usr/libexec/check_system_crontabs -v -i
+- name: reload systemd
+ systemd:
+ daemon_reload: true
diff --git a/roles/burp-client/tasks/main.yml b/roles/burp-client/tasks/main.yml
index 5916203..a78136f 100644
--- a/roles/burp-client/tasks/main.yml
+++ b/roles/burp-client/tasks/main.yml
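Review bot: In burp-backup.service, `ProtectSystem=full` only makes /usr, /boot, /efi and /etc read-only, so a root process that keeps CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_SETUID/CAP_SETGID can still write almost everywhere else. If this unit is only ever meant to run backups, `ProtectSystem=strict` with an explicit `ReadWritePaths=` for the files the client has to write is tighter, and `@mount` in `SystemCallFilter=` can likely be dropped since CAP_SYS_ADMIN is not in the bounding set. The unit also sets none of `RestrictAddressFamilies=`, `RestrictNamespaces=`, `RestrictSUIDSGID=` or `LockPersonality=`. A one-line comment above `SuccessExitStatus=3` naming the burp exit condition it tolerates would help the next reader. The writable paths in the sketch are a placeholder and have to be checked against what the client really writes, which may include its certificates under /etc/burp.

```ini
# … unchanged: [Unit], ExecStart=, capabilities, Private*/Protect* lines …
ProtectSystem=strict
# placeholder: replace with the lock/state paths the client must write
ReadWritePaths=<BURP_WRITABLE_PATHS>
ProtectHome=read-only
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service @privileged
# … unchanged: SystemCallFilter=~@clock @debug @module @reboot @swap …
```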
@@ -49,8 +49,28 @@ command: burp -c /etc/burp/burp.conf -g creates=/etc/burp/ssl_cert-client.pem -- name: ensure automatic backup is scheduled + +- name: ensure auto backup systemd units are installed copy: - src={{ burp_backup_crontab }} - dest=/etc/cron.d/burp-backup - mode=0644 + src: '{{ item }}' + dest: /etc/systemd/system/ + mode: u=rw,go=r + loop: + - burp-backup.service + - burp-backup.timer + notify: + - reload systemd + tags: + - systemd +- name: ensure auto backup timer is enabled + systemd: + name: burp-backup.timer + enabled: true + state: started + tags: + - service + +- name: ensure legacy burp crontab file is removed + file: + path: /etc/cron.d/burp-backup + state: absent
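Review bot: The `reload systemd` handler notified by the copy task only runs at the end of the play, but the next task, `ensure auto backup timer is enabled`, talks to systemd straight away, so when the unit files change on an already-configured host the new definitions (including the sandboxing settings) are not loaded until later. Adding `daemon_reload: true` to that systemd task, or a `- meta: flush_handlers` step before it, closes the gap. The copy task also leaves ownership to whichever user the play connects as; `owner: root` and `group: root` would pin it for files systemd executes as root. If any host still uses fcron, deleting /etc/cron.d/burp-backup now that the crontab reload handler is gone may leave the old job registered there, which is worth confirming. The hunk's leading context lines belong to a task that begins outside the hunk.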