From 9b0fc1fc7c0419af7d5d200c2e4c7aff685ee41e Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Wed, 29 Nov 2017 20:22:28 -0600
Subject: [PATCH] Update the basic systemd extra configs for isolation and consistency
For the sake of consistency the "systemd" prefix was added to the without-privatedevices.conf file. A new configuration file has been added which will further isolate our services using a named cgroup; this is similar to what we already do in our openstack services. By further isolating the service from the system we get quite a bit more control and accountability.
Change-Id: I5707ef318341259b086a5f1d49656fd0d1c7f269
Signed-off-by: Kevin Carter
---
 tasks/galera_post_install.yml | 5 +++--
 templates/systemd.slice.conf.j2 | 11 +++++++++++
 ...conf.j2 => systemd.without-privatedevices.conf.j2} | 2 ++
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 templates/systemd.slice.conf.j2
 rename templates/{without-privatedevices.conf.j2 => systemd.without-privatedevices.conf.j2} (79%)
diff --git a/tasks/galera_post_install.yml b/tasks/galera_post_install.yml
index 31fe24f2..82585e7e 100644
--- a/tasks/galera_post_install.yml
+++ b/tasks/galera_post_install.yml
@@ -141,9 +141,10 @@
 with_items:
 - { src: "systemd.environment.conf.j2", dest: "environment.conf" }
 - { src: "systemd.limits.conf.j2", dest: "limits.conf" }
- - { src: "systemd.timeout.conf.j2", dest: "timeout.conf" }
 - { src: "systemd.restart.conf.j2", dest: "restart.conf" }
- - { src: "without-privatedevices.conf.j2", dest: "without-privatedevices.conf" }
+ - { src: "systemd.slice.conf.j2", dest: "slice.conf" }
+ - { src: "systemd.timeout.conf.j2", dest: "timeout.conf" }
+ - { src: "systemd.without-privatedevices.conf.j2", dest: "without-privatedevices.conf" }
 notify:
 - Manage LB
 - Reload the systemd daemon
diff --git a/templates/systemd.slice.conf.j2 b/templates/systemd.slice.conf.j2
new file mode 100644
index 00000000..6180d4e3
--- /dev/null
+++ b/templates/systemd.slice.conf.j2
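Review bot: The new `slice.conf` entry moves the galera service into a different cgroup, but a `Slice=` change in a drop-in only takes effect when the unit is (re)started, and the `notify:` list visible in this hunk only reloads the systemd daemon and manages the LB; unless a handler outside this hunk restarts the service, hosts that already run galera stay in the old cgroup until their next restart, so the accounting this commit is after will be missing there. If skipping the restart is deliberate (avoiding an unplanned restart on a live cluster is a reasonable choice), a comment on the task such as `# Slice/accounting drop-ins only apply on the next service restart` would save the next reader the investigation; otherwise notify a handler that restarts the service. The enclosing task starts before this hunk, so I cannot see its name or destination directory.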
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Service]
+# This creates a specific slice to operate from. The accounting options give us
+# the ability to see resource usage through the `systemd-cgtop` command and
+# further isolate this service from the host machine.
+Slice=galera.slice
+CPUAccounting=true
+BlockIOAccounting=true
+MemoryAccounting=false
+TasksAccounting=true
diff --git a/templates/without-privatedevices.conf.j2 b/templates/systemd.without-privatedevices.conf.j2
similarity index 79%
rename from templates/without-privatedevices.conf.j2
rename to templates/systemd.without-privatedevices.conf.j2
index a0075650..e9dd64a3 100644
--- a/templates/without-privatedevices.conf.j2
+++ b/templates/systemd.without-privatedevices.conf.j2
@@ -1,2 +1,4 @@
+# {{ ansible_managed }}
+
 [Service]
 PrivateDevices={{ galera_disable_privatedevices | bool | ternary('false', 'true') }}
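Review bot: `MemoryAccounting=false` contradicts the comment directly above it, which says the accounting options are there to see resource usage in `systemd-cgtop`, and the commit message's "accountability" goal — memory is the one resource a database host most needs visibility into, and it is the only controller this drop-in switches off. If that is deliberate (some operators avoid memory accounting on busy cgroup-v1 hosts for overhead reasons), keep the value but say why, e.g. `# Memory accounting is intentionally off: <reason>`; otherwise change it to `MemoryAccounting=true`. The same comment also claims the accounting options "further isolate this service from the host machine", but accounting only measures; `Slice=galera.slice` puts the unit in a slice that systemd creates implicitly with no limits, so nothing is actually confined until a `galera.slice` unit (or this drop-in) sets CPU, memory or task limits — I would reword it to say the slice lets us observe, and later limit, the service's resource use. Finally, `BlockIOAccounting=` is the legacy cgroup-v1 option and is documented as deprecated in favor of `IOAccounting=` on newer systemd, so a one-line comment on which systemd versions this role targets would explain the choice to the next maintainer.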