From 426a4f5f0da7e0b8d163c005813dff2640d17d3b Mon Sep 17 00:00:00 2001
From: Andreas Jaeger
Date: Fri, 17 Nov 2017 07:46:05 +0100
Subject: [PATCH] Clean up the role and further isolate the service

This change cleans up the role a little bit making it more consistent. A new configuration file has been added which will further isolate our services using a named cgroup; this is similar to what we already do in our openstack services. By further isolating the service from the system we get quite a bit more control and accountability.

Change-Id: I02a84a2560853473c986ad0db26874341a23fc82
Signed-off-by: Kevin Carter
---
 defaults/main.yml | 4 +-
 tasks/memcached_config.yml | 40 +++++-------------
 ...{limits.conf.j2 => systemd.limits.conf.j2} | 0
 ...ailure.conf.j2 => systemd.restart.conf.j2} | 1 +
 templates/systemd.slice.conf.j2 | 11 +++++
 ...=> systemd.without-privatedevices.conf.j2} | 2 +
 tests/test.yml | 2 +
 7 files changed, 27 insertions(+), 33 deletions(-)
 rename templates/{limits.conf.j2 => systemd.limits.conf.j2} (100%)
 rename templates/{systemd-restart-on-failure.conf.j2 => systemd.restart.conf.j2} (98%)
 create mode 100644 templates/systemd.slice.conf.j2
 rename templates/{without-privatedevices.conf.j2 => systemd.without-privatedevices.conf.j2} (79%)
diff --git a/defaults/main.yml b/defaults/main.yml
index e9a34f6..2bd0d54 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -23,7 +23,7 @@ cache_timeout: 600
 # Options are 'present' and 'latest'
 memcached_package_state: "latest"
 
-# MemcacheD sets 'PrivateDevices=True' for its systemd unit by default when
+# MemcacheD could set 'PrivateDevices=True' for its systemd unit by default when
 # installed into a container. This provides some additional security, but it
 # causes problems with creating mount namespaces on CentOS 7 with systemd 219.
 # While the security enhancements are helpful on bare metal hosts with 
@@ -37,7 +37,7 @@ memcached_package_state: "latest"
 #
 # Setting the following variable to 'yes' will disable the PrivateDevices
 # setting in the systemd unit file for MemcacheD on CentOS 7 hosts.
-memcached_disable_privatedevices: no
+memcached_disable_privatedevices: "{{ ansible_pkg_mgr == 'yum' }}"
 
 # The default memcache memory setting is to use .25 of the available system ram
 # as long as that value is < 8192. However you can set the `memcached_memory`
diff --git a/tasks/memcached_config.yml b/tasks/memcached_config.yml
index fab9e11..eda16aa 100644
--- a/tasks/memcached_config.yml
+++ b/tasks/memcached_config.yml
@@ -18,12 +18,11 @@
 if [ -h "{{ memcached_log | dirname }}" ]; then
 chown -h root:root "{{ memcached_log | dirname }}"
 chown -R root:root "$(readlink {{ memcached_log | dirname }})"
- else
 exit 1
 fi
 register: log_dir
 failed_when: false
- changed_when: log_dir.rc != 0
+ changed_when: log_dir.rc == 1
 
 - name: Create memcached log dir
 file: 
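Review bot: The new default `memcached_disable_privatedevices: "{{ ansible_pkg_mgr == 'yum' }}"` switches the PrivateDevices hardening off on every yum-based host, while the comment immediately above this hunk still describes the problem as a CentOS 7 container issue and calls the enhancement helpful on bare metal. Because the tasks hunk below renders without-privatedevices.conf unconditionally, and its template turns a true value into `PrivateDevices=false`, every yum host now loses that protection by default. If the role has a container-detection fact, narrowing the default to yum hosts running in a container would keep bare-metal behaviour unchanged; otherwise the comment should say what the default now does, e.g. `# Defaults to 'yes' on all yum-based hosts; set to 'no' on bare metal to keep PrivateDevices=true.`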
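Review bot: `changed_when: log_dir.rc == 1` overloads exit status 1: with `failed_when: false` and no `set -e` in the script, a chown that fails inside the symlink branch still falls through to the context line `exit 1`, so a real permission or path error is reported as "changed" rather than failed. Giving the intentional changed path its own status keeps the two apart, e.g. `exit 2` in place of `exit 1`, with `failed_when: log_dir.rc not in [0, 2]` and `changed_when: log_dir.rc == 2`. The task's `name:` and `shell:` lines start above this hunk.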
@@ -57,38 +56,17 @@
 group: "root"
 owner: "root"
 mode: "0755"
- when:
- - ansible_service_mgr == 'systemd'
 
-# See comments above 'memcached_disable_privatedevices' in defaults/main.yml for
-# links to relevant bugs and discussion.
-- name: Remove PrivateDevices systemd options when in container
+- name: Apply systemd options
 template:
- src: without-privatedevices.conf.j2
- dest: "/etc/systemd/system/memcached.service.d/without-privatedevices.conf"
- when:
- - ansible_pkg_mgr == 'yum'
- - ansible_service_mgr == 'systemd'
- notify: Restart memcached
-
-- name: Add automatic restart on failure
- template:
- src: systemd-restart-on-failure.conf.j2
- dest: "/etc/systemd/system/memcached.service.d/systemd-restart-on-failure.conf"
- when:
- - ansible_service_mgr == 'systemd'
- notify: Restart memcached
-
-- name: Apply resource limits (systemd)
- template:
- src: "limits.conf.j2"
- dest: "/etc/systemd/system/memcached.service.d/limits.conf"
- owner: "root"
- group: "root"
+ src: "{{ item.src }}"
+ dest: "/etc/systemd/system/memcached.service.d/{{ item.dest }}"
 mode: "0644"
- when:
- - ansible_service_mgr == 'systemd'
- - memcached_connections > 1024
+ with_items:
+ - { src: "systemd.limits.conf.j2", dest: "limits.conf" }
+ - { src: "systemd.restart.conf.j2", dest: "restart.conf" }
+ - { src: "systemd.slice.conf.j2", dest: "slice.conf" }
+ - { src: "systemd.without-privatedevices.conf.j2", dest: "without-privatedevices.conf" }
 notify:
 - Restart memcached
 
diff --git a/templates/limits.conf.j2 b/templates/systemd.limits.conf.j2
similarity index 100%
rename from templates/limits.conf.j2
rename to templates/systemd.limits.conf.j2
diff --git a/templates/systemd-restart-on-failure.conf.j2 b/templates/systemd.restart.conf.j2
similarity index 98%
rename from templates/systemd-restart-on-failure.conf.j2
rename to templates/systemd.restart.conf.j2
index 8acdc0f..c680921 100644
--- a/templates/systemd-restart-on-failure.conf.j2
+++ b/templates/systemd.restart.conf.j2
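Review bot: The consolidated `Apply systemd options` task drops the `ansible_service_mgr == 'systemd'` guard that each of the three replaced tasks carried, and the `file:` task at the top of this hunk loses the same guard, so on a host without systemd the role now creates `/etc/systemd/system/memcached.service.d/` and renders four drop-ins into it. Restoring `when: ansible_service_mgr == 'systemd'` on both tasks keeps the behaviour of the removed tasks. The `memcached_connections > 1024` condition on limits.conf is gone as well; that is only safe if systemd.limits.conf.j2 handles the low-connection case itself, which is not visible here. The new drop-ins also need a daemon-reload before the `Restart memcached` handler can pick them up, unless that handler already performs one.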
@@ -1,4 +1,5 @@
 # {{ ansible_managed }}
+
 [Service]
 Restart=on-failure
 RestartSec=2
diff --git a/templates/systemd.slice.conf.j2 b/templates/systemd.slice.conf.j2
new file mode 100644
index 0000000..b58a95c
--- /dev/null
+++ b/templates/systemd.slice.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Service]
+# This creates a specific slice to operate from. The accounting options give us
+# the ability to see resource usage through the `systemd-cgtop` command and
+# further isolate this service from the host machine.
+Slice=memcached.slice
+CPUAccounting=true
+BlockIOAccounting=true
+MemoryAccounting=false
+TasksAccounting=true
diff --git a/templates/without-privatedevices.conf.j2 b/templates/systemd.without-privatedevices.conf.j2
similarity index 79%
rename from templates/without-privatedevices.conf.j2
rename to templates/systemd.without-privatedevices.conf.j2
index 848b326..dd4c0ca 100644
--- a/templates/without-privatedevices.conf.j2
+++ b/templates/systemd.without-privatedevices.conf.j2
@@ -1,2 +1,4 @@
+# {{ ansible_managed }}
+
 [Service]
 PrivateDevices={{ memcached_disable_privatedevices | bool | ternary('false', 'true') }}
diff --git a/tests/test.yml b/tests/test.yml
index ac1f8ad..f626b98 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -27,9 +27,11 @@
 register: memcached_log_stat
 - name: Check memcache is running
 command: pgrep -a memcached
+ changed_when: false
 register: memcached_proc
 - name: Test connecting to memcache
 shell: echo stats | nc -w5 127.0.0.1 11211
+ changed_when: false
 register: memcached_stats
 - name: Check role functions
 assert:
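Review bot: `MemoryAccounting=false` is the one accounting option switched off in the new slice.conf, yet memory is the resource this daemon is sized by (the role exposes `memcached_memory` for exactly that) and the comment above it promises resource visibility through `systemd-cgtop`; either enable it or add a line explaining the exception, e.g. `# MemoryAccounting is left off because …`. The comment's claim that these options "further isolate this service from the host machine" overstates what the file does: accounting only measures, and no resource bound (`MemoryLimit=`, `CPUQuota=`) is set, so the slice is not yet a containment boundary. Rewording to "make its resource usage visible" or adding a limit driven by a role variable would make the file match its intent. On the systemd 219 hosts the defaults comment mentions, `TasksAccounting=` may predate support and be logged as an unknown setting, which is worth checking on a CentOS 7 target.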