openstack/openstack-ansible
Code Issues Proposed changes
994c193df0
openstack-ansible/playbooks/infra-journal-remote.yml
Benoît Knecht 8c057ad76f Set DynamicUser in systemd-journal-upload unit file 
At least on Ubuntu 18.04, the `systemd-journal-remote` doesn't create
the `systemd-journal-upload` user, since the service is supposed to run
with `DynamicUser=True`.

This commit ensures that `DynamicUser` and `StateDirectory` are set
appropriately on all Systemd versions that support them (i.e. >= 235).

It requires https://review.openstack.org/#/c/630664/ to be merged first.

Change-Id: I743e936df9e69ef5532b7ec69e29057d4f1f8ef2
Closes-Bug: 1805847
2021-04-23 14:25:44 +00:00

137 lines
4.5 KiB
YAML
Raw Blame History

---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Gather facts
hosts: hosts
gather_facts: "{{ osa_gather_facts | default(True) }}"
tags:
- always
- name: Install Journal-Remote
hosts: hosts
gather_facts: false
become: true
handlers:
- name: Restart systemd-journald
systemd:
name: systemd-journald
state: restarted
pre_tasks:
# At this time there's no suitable package available for systemd-journal-remote/gateway
# When installing on SUSE 42.x. For now this playbook will omit suse when the package
# manager is "zypper". When a suitable package is available on SUSE this should be removed.
- name: Omit suse from this playbook
meta: end_play
when:
- ansible_facts['pkg_mgr'] == 'zypper'
- name: Skip playbook if log_hosts group is empty
meta: end_play
when:
- groups['log_hosts'] | length == 0
- name: Install systemd-journal-remote
package:
name: "{{ systemd_journal_remote_distro_package[ansible_facts['pkg_mgr']] }}"
state: "{{ package_state }}"
- name: Ensure systemd-journal-remote socket is enabled on receiving host
systemd:
name: systemd-journal-remote.socket
enabled: yes
state: started
when:
- (ansible_host == systemd_journal_remote_target)
- name: Create journal directory
file:
path: "/var/log/journal"
state: "directory"
owner: "root"
group: "systemd-journal"
- name: Create journal remote directory
file:
path: "/var/log/journal/remote"
state: "directory"
owner: "systemd-journal-remote"
group: "systemd-journal"
- name: Ensure receiving hosts are tuned
ini_file:
path: "/etc/systemd/journald.conf"
section: Journal
option: "{{ item.key }}"
value: "{{ item.value }}"
backup: yes
with_items:
- key: RuntimeMaxFiles
value: "{{ ((((groups['hosts'] | length) * 1.5) + (groups['hosts'] | length)) // 1) | int }}"
- key: RuntimeMaxFileSize
value: "5G"
- key: Compress
value: "yes"
- key: MaxFileSec
value: "1d"
- key: MaxRetentionSec
value: "2d"
when:
- (ansible_host == systemd_journal_remote_target)
notify:
- Restart systemd-journald
roles:
- role: "systemd_service"
systemd_tempd_prefix: "openstack"
systemd_CPUAccounting: true
systemd_BlockIOAccounting: true
systemd_MemoryAccounting: true
systemd_TasksAccounting: true
systemd_services:
- service_name: "systemd-journal-remote"
enabled: "{{ (ansible_host != systemd_journal_remote_target) | ternary('no', 'yes') }}"
state: "{{ (ansible_host != systemd_journal_remote_target) | ternary('stopped', 'started') }}"
execstarts: >-
{{ systemd_utils_prefix }}/systemd-journal-remote
--listen-http=-3
--split-mode=host
--compress
--seal
--output=/var/log/journal/remote/
config_overrides:
Unit:
Requires: "systemd-journal-remote.socket"
- service_name: "systemd-journal-upload"
enabled: "{{ (ansible_host == systemd_journal_remote_target) | ternary('no', 'yes') }}"
state: "{{ (ansible_host == systemd_journal_remote_target) | ternary('stopped', 'started') }}"
execstarts: >-
{{ systemd_utils_prefix }}/systemd-journal-upload
--save-state
--merge
--url=http://{{ systemd_journal_remote_target }}:19532
dynamic_user: true
state_directory: systemd/journal-upload
vars:
systemd_journal_remote_target: "{{ hostvars[groups['log_hosts'][0]]['ansible_host'] }}"
systemd_journal_remote_distro_package:
apt: "systemd-journal-remote"
yum: "systemd-journal-gateway"
dnf: "systemd-journal-gateway"
tags:
- journal-remote
View Git Blame Copy Permalink