Clean up the role and further isolate the service

This change cleans up the role a little bit making it more consistent.

A new configuration file has been added which will further isolate
our services using a named cgroup; this is similar to what we already do in
our openstack services. By further isolating the service from the system
we get quite a bit more control and accountability.

Change-Id: I02a84a2560853473c986ad0db26874341a23fc82
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

defaults/main.yml

@@ -23,7 +23,7 @@ cache_timeout: 600
 # Options are 'present' and 'latest'
 memcached_package_state: "latest"
 
-# MemcacheD sets 'PrivateDevices=True' for its systemd unit by default when
+# MemcacheD could set 'PrivateDevices=True' for its systemd unit by default when
 # installed into a container. This provides some additional security, but it
 # causes problems with creating mount namespaces on CentOS 7 with systemd 219.
 # While the security enhancements are helpful on bare metal hosts with
@@ -37,7 +37,7 @@ memcached_package_state: "latest"
 #
 # Setting the following variable to 'yes' will disable the PrivateDevices
 # setting in the systemd unit file for MemcacheD on CentOS 7 hosts.
-memcached_disable_privatedevices: no
+memcached_disable_privatedevices: "{{ ansible_pkg_mgr == 'yum' }}"
 
 # The default memcache memory setting is to use .25 of the available system ram
 # as long as that value is < 8192. However you can set the `memcached_memory`

tasks/memcached_config.yml

@@ -18,12 +18,11 @@
     if [ -h "{{ memcached_log | dirname }}"  ]; then
       chown -h root:root "{{ memcached_log | dirname }}"
       chown -R root:root "$(readlink {{ memcached_log | dirname }})"
-    else
       exit 1
     fi
   register: log_dir
   failed_when: false
-  changed_when: log_dir.rc != 0
+  changed_when: log_dir.rc == 1
 
 - name: Create memcached log dir
   file:
@@ -57,38 +56,17 @@
     group: "root"
     owner: "root"
     mode: "0755"
-  when:
-    - ansible_service_mgr == 'systemd'
 
-# See comments above 'memcached_disable_privatedevices' in defaults/main.yml for
+- name: Apply systemd options
-# links to relevant bugs and discussion.
-- name: Remove PrivateDevices systemd options when in container
   template:
-    src: without-privatedevices.conf.j2
+    src: "{{ item.src }}"
-    dest: "/etc/systemd/system/memcached.service.d/without-privatedevices.conf"
+    dest: "/etc/systemd/system/memcached.service.d/{{ item.dest }}"
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - ansible_service_mgr == 'systemd'
-  notify: Restart memcached
-
-- name: Add automatic restart on failure
-  template:
-    src: systemd-restart-on-failure.conf.j2
-    dest: "/etc/systemd/system/memcached.service.d/systemd-restart-on-failure.conf"
-  when:
-    - ansible_service_mgr == 'systemd'
-  notify: Restart memcached
-
-- name: Apply resource limits (systemd)
-  template:
-    src: "limits.conf.j2"
-    dest: "/etc/systemd/system/memcached.service.d/limits.conf"
-    owner: "root"
-    group: "root"
     mode: "0644"
-  when:
+  with_items:
-    - ansible_service_mgr == 'systemd'
+    - { src: "systemd.limits.conf.j2", dest: "limits.conf" }
-    - memcached_connections > 1024
+    - { src: "systemd.restart.conf.j2", dest: "restart.conf" }
+    - { src: "systemd.slice.conf.j2", dest: "slice.conf" }
+    - { src: "systemd.without-privatedevices.conf.j2", dest: "without-privatedevices.conf" }
   notify:
     - Restart memcached
 

templates/systemd.restart.conf.j2

@@ -1,4 +1,5 @@
 # {{ ansible_managed }}
+
 [Service]
 Restart=on-failure
 RestartSec=2

templates/systemd.slice.conf.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Service]
+# This creates a specific slice to operate from. The accounting options give us
+# the ability to see resource usage through the `systemd-cgtop` command and
+# further isolate this service from the host machine.
+Slice=memcached.slice
+CPUAccounting=true
+BlockIOAccounting=true
+MemoryAccounting=false
+TasksAccounting=true

templates/systemd.without-privatedevices.conf.j2

@@ -1,2 +1,4 @@
+# {{ ansible_managed }}
+
 [Service]
 PrivateDevices={{ memcached_disable_privatedevices | bool | ternary('false', 'true') }}

tests/test.yml

@@ -27,9 +27,11 @@
       register: memcached_log_stat
     - name: Check memcache is running
       command: pgrep -a memcached
+      changed_when: false
       register: memcached_proc
     - name: Test connecting to memcache
       shell: echo stats | nc -w5 127.0.0.1 11211
+      changed_when: false
       register: memcached_stats
     - name: Check role functions
       assert: