v1.1.4: Full process detection for unsafe_process_list (#62)

* add support for unsafe process arguments
* update documentation & changelog for 1.1.4
* bump version to 1.1.4

Author: kreeuwijk

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 All notable changes to this project will be documented in this file.
 
+## Release 1.1.4
+
+**Improvements**
+- Added support for matching against full process arguments for the `patching_as_code::unsafe_process_list`.
+
 ## Release 1.1.3
 
 **Bugfixes**

README.md

@@ -237,6 +237,14 @@ patching_as_code::unsafe_process_list:
 
 This works on both Linux and Windows, and the matching is done case-insensitive. If one process from the `unsafe_process_list` is found as an active process, patching will be skipped.
 
+If you need to match on a specific process including its arguments, prepend the entry with `{full}`:
+```yaml
+patching_as_code::unsafe_process_list:
+  - application1
+  - '{full} /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers'
+```
+You can have whitespace between `{full}` and the process value for sake of readability, this will be automatically stripped before the matching happens.
+
 ### Managing patching over metered links (Windows only)
 
 By default, this module will not perform patching over metered links (e.g. 3G/4G connections). You can control this behavior through the `patch_on_metered_links` parameter. To force patching to occur even over metered links, either define this value in Hiera:

REFERENCE.md

@@ -110,6 +110,7 @@ List of Chocolatey updates to install on the patch schedule set by `$high_priori
 Data type: `Array`
 
 List of processes that will cause patching to be skipped if any of the processes in the list are active on the system.
+Prepend an entry with `{full}` to match against the full process arguments.
 
 ##### `pre_patch_commands`
 

lib/facter/patch_unsafe_process_active.rb

@@ -3,12 +3,22 @@
 Facter.add('patch_unsafe_process_active') do
   confine { Facter.value(:kernel) == 'windows' || Facter.value(:kernel) == 'Linux' }
   setcode do
-    def process_running(processname)
+    def process_running(processname, full = false)
       case Facter.value(:kernel)
       when 'windows'
-        tasklist = `tasklist`.downcase
+        if full
+          tasklist = `wmic path win32_process get Commandline`.downcase
+          processname = processname[6..-1].strip
+        else
+          tasklist = `wmic path win32_process get Caption`.downcase
+        end
       when 'Linux'
-        tasklist = `ps -A`.downcase
+        if full
+          tasklist = `ps -Ao cmd`.downcase
+          processname = processname[6..-1].strip
+        else
+          tasklist = `ps -Ao comm`.downcase
+        end
       end
       tasklist.include? processname.downcase
     end
@@ -19,7 +29,11 @@ def process_running(processname)
       unsafe_processes = File.open(processfile, 'r').read
       unsafe_processes.each_line do |line|
         next if line.match?(%r{^#|^$})
-        next if process_running(line.chomp) == false
+        if line.match?(%r{^{full}})
+          next if process_running(line.chomp, true) == false
+        elsif process_running(line.chomp) == false
+          next
+        end
         result = true
         break
       end

manifests/init.pp

@@ -46,6 +46,7 @@
 #   List of Chocolatey updates to install on the patch schedule set by `$high_priority_patch_group`.
 # @param [Array] unsafe_process_list
 #   List of processes that will cause patching to be skipped if any of the processes in the list are active on the system.
+#   Prepend an entry with `{full}` to match against the full process arguments.
 # @param [Hash] pre_patch_commands
 #   Hash of command to run before patching
 # @option pre_patch_commands [String] :command

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-patching_as_code",
-  "version": "1.1.3",
+  "version": "1.1.4",
   "author": "puppetlabs",
   "summary": "Automated patching through desired state code",
   "license": "Apache-2.0",