Clean up the role and further isolate the service

This change cleans up the role a little, making it more consistent.

A new configuration file has been added which will further isolate
our services using a named cgroup; this is similar to what we already do in
our openstack services. By further isolating the service from the system
we get quite a bit more control and accountability.

Change-Id: I02a84a2560853473c986ad0db26874341a23fc82
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Andreas Jaeger 2017-11-17 07:46:05 +01:00 committed by Kevin Carter
parent dff6aeda04
commit 426a4f5f0d
7 changed files with 27 additions and 33 deletions


@ -23,7 +23,7 @@ cache_timeout: 600
# Options are 'present' and 'latest'
memcached_package_state: "latest"
# MemcacheD sets 'PrivateDevices=True' for its systemd unit by default when
# MemcacheD could set 'PrivateDevices=True' for its systemd unit by default when
# installed into a container. This provides some additional security, but it
# causes problems with creating mount namespaces on CentOS 7 with systemd 219.
# While the security enhancements are helpful on bare metal hosts with
@ -37,7 +37,7 @@ memcached_package_state: "latest"
#
# Setting the following variable to 'yes' will disable the PrivateDevices
# setting in the systemd unit file for MemcacheD on CentOS 7 hosts.
memcached_disable_privatedevices: no
memcached_disable_privatedevices: "{{ ansible_pkg_mgr == 'yum' }}"
# The default memcache memory setting is to use .25 of the available system ram
# as long as that value is < 8192. However you can set the `memcached_memory`
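Review bot: The explanatory comment just above `memcached_disable_privatedevices` still says the setting only affects CentOS 7 hosts, but the new default `"{{ ansible_pkg_mgr == 'yum' }}"` keys on the package manager and, per the tasks change in this commit, the drop-in is now rendered on every systemd host, so the variable also ends up pinning `PrivateDevices=true` on non-yum hosts. I would reword it to `# Setting this to 'yes' renders 'PrivateDevices=false' in the memcached systemd drop-in; it defaults to true on yum-based hosts (CentOS 7 / systemd 219) and to false elsewhere, where the drop-in then pins PrivateDevices=true.` The default is now a templated string rather than a YAML boolean, which is fine as long as every consumer passes it through `| bool` the way the template does.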


@ -18,12 +18,11 @@
if [ -h "{{ memcached_log | dirname }}" ]; then
chown -h root:root "{{ memcached_log | dirname }}"
chown -R root:root "$(readlink {{ memcached_log | dirname }})"
else
exit 1
fi
register: log_dir
failed_when: false
changed_when: log_dir.rc != 0
changed_when: log_dir.rc == 1
- name: Create memcached log dir
file:
@ -57,38 +56,17 @@
group: "root"
owner: "root"
mode: "0755"
when:
- ansible_service_mgr == 'systemd'
# See comments above 'memcached_disable_privatedevices' in defaults/main.yml for
# links to relevant bugs and discussion.
- name: Remove PrivateDevices systemd options when in container
- name: Apply systemd options
template:
src: without-privatedevices.conf.j2
dest: "/etc/systemd/system/memcached.service.d/without-privatedevices.conf"
when:
- ansible_pkg_mgr == 'yum'
- ansible_service_mgr == 'systemd'
notify: Restart memcached
- name: Add automatic restart on failure
template:
src: systemd-restart-on-failure.conf.j2
dest: "/etc/systemd/system/memcached.service.d/systemd-restart-on-failure.conf"
when:
- ansible_service_mgr == 'systemd'
notify: Restart memcached
- name: Apply resource limits (systemd)
template:
src: "limits.conf.j2"
dest: "/etc/systemd/system/memcached.service.d/limits.conf"
owner: "root"
group: "root"
src: "{{ item.src }}"
dest: "/etc/systemd/system/memcached.service.d/{{ item.dest }}"
mode: "0644"
when:
- ansible_service_mgr == 'systemd'
- memcached_connections > 1024
with_items:
- { src: "systemd.limits.conf.j2", dest: "limits.conf" }
- { src: "systemd.restart.conf.j2", dest: "restart.conf" }
- { src: "systemd.slice.conf.j2", dest: "slice.conf" }
- { src: "systemd.without-privatedevices.conf.j2", dest: "without-privatedevices.conf" }
notify:
- Restart memcached
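Review bot: The consolidated drop-in task drops the explicit `owner: "root"` / `group: "root"` that the old limits task carried, so ownership of the files under `/etc/systemd/system/memcached.service.d/` now falls back to the connecting user; a unit drop-in owned by a non-root account is something to avoid if the role is ever run without `become`, so I would keep `owner: "root"` and `group: "root"` next to `mode: "0644"`. The old `memcached_connections > 1024` guard on limits.conf also disappears, so limits.conf is now rendered unconditionally, which is fine only if the template handles the default case, and that template is not in this change. The `Restart memcached` handler is outside this hunk; the new slice.conf only takes effect if that handler (or a step before it) runs `systemctl daemon-reload`, which is worth confirming.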


@ -1,4 +1,5 @@
# {{ ansible_managed }}
[Service]
Restart=on-failure
RestartSec=2
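Review bot: `Restart=on-failure` with `RestartSec=2` reaches systemd's default start rate limit (5 starts within 10 s) after roughly ten seconds of crash-looping, after which the unit stays failed and no further restarts are attempted. If unattended recovery is the intent, raise the limit alongside it, e.g. `StartLimitInterval=60` / `StartLimitBurst=5` in `[Service]` on systemd 219 (on systemd 230+ the setting is `StartLimitIntervalSec=` under `[Unit]`), or document that the default burst is accepted. A one-line comment stating the chosen restart policy would help the next reader.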


@ -0,0 +1,11 @@
# {{ ansible_managed }}
[Service]
# This creates a specific slice to operate from. The accounting options give us
# the ability to see resource usage through the `systemd-cgtop` command and
# further isolate this service from the host machine.
Slice=memcached.slice
CPUAccounting=true
BlockIOAccounting=true
MemoryAccounting=false
TasksAccounting=true
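Review bot: `TasksAccounting=` first appeared in systemd 227, while the role explicitly targets CentOS 7 with systemd 219 (see the comment in defaults/main.yml); on such a host the directive is likely logged as an unknown lvalue and ignored, so it should either be confirmed to work there or be documented as best-effort. `MemoryAccounting=false` also sits oddly with the commit message's goal of accountability and isolation: without memory accounting, `systemd-cgtop` shows no memory figures for the slice and no `MemoryLimit=` / `MemoryMax=` could be enforced later. I would add a line under the existing comment explaining the choice, e.g. `# MemoryAccounting is left off deliberately: <reason>`, or set it to true if the overhead is acceptable. `BlockIOAccounting=` is the legacy cgroup v1 name; newer systemd expects `IOAccounting=`, so hosts on the unified hierarchy will silently skip it.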


@ -1,2 +1,4 @@
# {{ ansible_managed }}
[Service]
PrivateDevices={{ memcached_disable_privatedevices | bool | ternary('false', 'true') }}
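Review bot: Because the tasks change now renders this template on every systemd host rather than only yum-based ones, the drop-in explicitly writes `PrivateDevices=true` on non-yum hosts, which is a new hardening if the distribution unit did not already set it and deserves a comment so the next reader does not mistake it for a no-op. I would add above the `PrivateDevices=` line: `# Rendered on every systemd host: 'true' hides physical devices from the service; 'false' is required on CentOS 7 / systemd 219, where the mount namespace setup fails inside containers.` The `| bool` filter is load-bearing now that the default is a templated string, so keep it if the expression is ever simplified.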


@ -27,9 +27,11 @@
register: memcached_log_stat
- name: Check memcache is running
command: pgrep -a memcached
changed_when: false
register: memcached_proc
- name: Test connecting to memcache
shell: echo stats | nc -w5 127.0.0.1 11211
changed_when: false
register: memcached_stats
- name: Check role functions
assert: