Clean up the role and further isolate the service

This change cleans up the role a little bit making it more consistent. A new configuration file has been added which will further isolate our services using a named cgroup; this is similar to what we already do in our openstack services. By further isolating the service from the system we get quite a bit more control and accountability. Change-Id: I02a84a2560853473c986ad0db26874341a23fc82 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-11-17 07:46:05 +01:00 · 2017-11-17 07:46:05 +01:00 · 426a4f5f0d
commit 426a4f5f0d
parent dff6aeda04
7 changed files with 27 additions and 33 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -23,7 +23,7 @@ cache_timeout: 600
 # Options are 'present' and 'latest'
 memcached_package_state: "latest"

-# MemcacheD sets 'PrivateDevices=True' for its systemd unit by default when
+# MemcacheD could set 'PrivateDevices=True' for its systemd unit by default when
 # installed into a container. This provides some additional security, but it
 # causes problems with creating mount namespaces on CentOS 7 with systemd 219.
 # While the security enhancements are helpful on bare metal hosts with
@ -37,7 +37,7 @@ memcached_package_state: "latest"
 #
 # Setting the following variable to 'yes' will disable the PrivateDevices
 # setting in the systemd unit file for MemcacheD on CentOS 7 hosts.
-memcached_disable_privatedevices: no
+memcached_disable_privatedevices: "{{ ansible_pkg_mgr == 'yum' }}"

 # The default memcache memory setting is to use .25 of the available system ram
 # as long as that value is < 8192. However you can set the `memcached_memory`
--- a/tasks/memcached_config.yml
+++ b/tasks/memcached_config.yml
@ -18,12 +18,11 @@
    if [ -h "{{ memcached_log | dirname }}"  ]; then
      chown -h root:root "{{ memcached_log | dirname }}"
      chown -R root:root "$(readlink {{ memcached_log | dirname }})"
-    else
      exit 1
    fi
  register: log_dir
  failed_when: false
-  changed_when: log_dir.rc != 0
+  changed_when: log_dir.rc == 1

 - name: Create memcached log dir
  file:
@ -57,38 +56,17 @@
    group: "root"
    owner: "root"
    mode: "0755"
-  when:
-    - ansible_service_mgr == 'systemd'

-# See comments above 'memcached_disable_privatedevices' in defaults/main.yml for
-# links to relevant bugs and discussion.
- name: Remove PrivateDevices systemd options when in container
+- name: Apply systemd options
  template:
-    src: without-privatedevices.conf.j2
-    dest: "/etc/systemd/system/memcached.service.d/without-privatedevices.conf"
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - ansible_service_mgr == 'systemd'
-  notify: Restart memcached
-
- name: Add automatic restart on failure
-  template:
-    src: systemd-restart-on-failure.conf.j2
-    dest: "/etc/systemd/system/memcached.service.d/systemd-restart-on-failure.conf"
-  when:
-    - ansible_service_mgr == 'systemd'
-  notify: Restart memcached
-
- name: Apply resource limits (systemd)
-  template:
-    src: "limits.conf.j2"
-    dest: "/etc/systemd/system/memcached.service.d/limits.conf"
-    owner: "root"
-    group: "root"
+    src: "{{ item.src }}"
+    dest: "/etc/systemd/system/memcached.service.d/{{ item.dest }}"
    mode: "0644"
-  when:
-    - ansible_service_mgr == 'systemd'
-    - memcached_connections > 1024
+  with_items:
+    - { src: "systemd.limits.conf.j2", dest: "limits.conf" }
+    - { src: "systemd.restart.conf.j2", dest: "restart.conf" }
+    - { src: "systemd.slice.conf.j2", dest: "slice.conf" }
+    - { src: "systemd.without-privatedevices.conf.j2", dest: "without-privatedevices.conf" }
  notify:
    - Restart memcached

--- a/templates/systemd.limits.conf.j2
+++ b/templates/systemd.limits.conf.j2
--- a/templates/systemd-restart-on-failure.conf.j2
+++ b/templates/systemd-restart-on-failure.conf.j2
@ -1,4 +1,5 @@
 # {{ ansible_managed }}
+
 [Service]
 Restart=on-failure
 RestartSec=2
--- a/templates/systemd.slice.conf.j2
+++ b/templates/systemd.slice.conf.j2
@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Service]
+# This creates a specific slice to operate from. The accounting options give us
+# the ability to see resource usage through the `systemd-cgtop` command and
+# further isolate this service from the host machine.
+Slice=memcached.slice
+CPUAccounting=true
+BlockIOAccounting=true
+MemoryAccounting=false
+TasksAccounting=true
--- a/templates/systemd.without-privatedevices.conf.j2
+++ b/templates/systemd.without-privatedevices.conf.j2
@ -1,2 +1,4 @@
+# {{ ansible_managed }}
+
 [Service]
 PrivateDevices={{ memcached_disable_privatedevices | bool | ternary('false', 'true') }}
--- a/tests/test.yml
+++ b/tests/test.yml
@ -27,9 +27,11 @@
      register: memcached_log_stat
    - name: Check memcache is running
      command: pgrep -a memcached
+      changed_when: false
      register: memcached_proc
    - name: Test connecting to memcache
      shell: echo stats | nc -w5 127.0.0.1 11211
+      changed_when: false
      register: memcached_stats
    - name: Check role functions
      assert: