Merge pull request #693 from enovance/support_selinux

Support for SELinux on RedHat platforms
This commit is contained in:
Emilien Macchi
2014-11-15 18:54:38 +01:00
11 changed files with 332 additions and 467 deletions


@@ -170,6 +170,7 @@ class cloud::database::sql (
$mysql_client_package_name = 'mariadb'
$wsrep_provider = '/usr/lib64/galera/libgalera_smm.so'
$mysql_server_config_file = '/etc/my.cnf'
$mysql_init_file = '/usr/lib/systemd/system/mysql-bootstrap.service'
if $::hostname == $galera_master_name {
$mysql_service_name = 'mysql-bootstrap'
@@ -204,6 +205,7 @@ class cloud::database::sql (
$mysql_client_package_name = 'mariadb-client'
$wsrep_provider = '/usr/lib/galera/libgalera_smm.so'
$mysql_server_config_file = '/etc/mysql/my.cnf'
$mysql_init_file = '/etc/init.d/mysql-bootstrap'
if $::hostname == $galera_master_name {
$mysql_service_name = 'mysql-bootstrap'
@@ -239,7 +241,7 @@ class cloud::database::sql (
# To check that the mysqld support the options you can :
# strings `which mysqld` | grep wsrep-new-cluster
# TODO: to be remove as soon as the API 25 is packaged, ie galera 3 ...
file { '/etc/init.d/mysql-bootstrap':
file { $mysql_init_file :
content => template("cloud/database/etc_initd_mysql_${::osfamily}"),
owner => 'root',
mode => '0755',
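Review bot: `mode => '0755'` now also applies to the RedHat value of `$mysql_init_file`, which is a systemd unit under `/usr/lib/systemd/system/`; a unit file does not need the executable bit (0644 is the convention), and `/usr/lib/systemd/system` is the vendor/package directory, so a MariaDB package update may overwrite it where `/etc/systemd/system/mysql-bootstrap.service` would not. The rest of this `file` resource and any `daemon-reload` trigger lie outside the hunk, so if nothing below it notifies a `systemctl daemon-reload` exec the new unit will not be visible to systemd until one runs. I would move the mode next to the per-family path, e.g. `$mysql_init_file_mode = '0644'` in the RedHat branch and `'0755'` in the Debian branch, and use `mode => $mysql_init_file_mode` here.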


@@ -18,13 +18,19 @@
# Installs the private cloud system requirements
#
class cloud(
$rhn_registration = undef,
$root_password = 'root',
$dns_ips = ['8.8.8.8', '8.8.4.4'],
$site_domain = 'mydomain',
$motd_title = 'eNovance IT Operations',
$rhn_registration = undef,
$root_password = 'root',
$dns_ips = ['8.8.8.8', '8.8.4.4'],
$site_domain = 'mydomain',
$motd_title = 'eNovance IT Operations',
$selinux_mode = 'permissive',
$selinux_directory = '/usr/share/selinux',
$selinux_booleans = [],
$selinux_modules = [],
) {
include ::stdlib
if ! ($::osfamily in [ 'RedHat', 'Debian' ]) {
fail("OS family unsuppored yet (${::osfamily}), module puppet-openstack-cloud only support RedHat or Debian")
}
@@ -59,6 +65,17 @@ This node is under the control of Puppet ${::puppetversion}.
# NTP
include ::ntp
# SELinux
if $::osfamily == 'RedHat' {
class {'cloud::selinux' :
mode => $selinux_mode,
booleans => $selinux_booleans,
modules => $selinux_modules,
directory => $selinux_directory,
stage => 'setup',
}
}
# Strong root password for all servers
user { 'root':
ensure => 'present',
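Review bot: The default `$selinux_mode = 'permissive'` means every RedHat node managed by this class keeps SELinux in log-only mode unless the operator opts in to `'enforcing'`, and the four new parameters are not documented in the part of the class header visible here (the header above `class cloud(` may continue outside the hunk). That is a defensible migration default, but it should be stated so nobody assumes the policy is enforced: I would add `[*selinux_mode*] (optional) SELinux mode on RedHat nodes: enforcing, permissive or disabled. Note the policy is only enforced when set to 'enforcing'; 'disabled' takes effect at next boot. Defaults to 'permissive'.` plus entries for `selinux_directory`, `selinux_booleans` and `selinux_modules` that point at `cloud::selinux`. Minor: the default `'/usr/share/selinux'` here differs from the `'/usr/share/selinux/'` default in `cloud::selinux`; both work, but aligning them avoids two sources of truth.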


@@ -302,7 +302,8 @@ class cloud::loadbalancer(
}
keepalived::vrrp_script { 'haproxy':
name_is_process => true
name_is_process => $::cloud::params::keepalived_name_is_process,
script => $::cloud::params::keepalived_vrrp_script,
}
keepalived::instance { '1':


@@ -39,16 +39,20 @@ class cloud::params {
case $::osfamily {
'RedHat': {
# Specific to Red Hat
$start_haproxy_service = '"/usr/bin/systemctl start haproxy"'
$stop_haproxy_service = '"/usr/bin/systemctl stop haproxy"'
$horizon_auth_url = 'dashboard'
$libvirt_service_name = 'libvirtd'
$start_haproxy_service = '"/usr/bin/systemctl start haproxy"'
$stop_haproxy_service = '"/usr/bin/systemctl stop haproxy"'
$horizon_auth_url = 'dashboard'
$libvirt_service_name = 'libvirtd'
$keepalived_name_is_process = false
$keepalived_vrrp_script = 'systemctl status haproxy.service'
} # RedHat
'Debian': {
# Specific to Debian / Ubuntu
$start_haproxy_service = '"/etc/init.d/haproxy start"'
$stop_haproxy_service = '"/etc/init.d/haproxy stop"'
$horizon_auth_url = 'horizon'
$start_haproxy_service = '"/etc/init.d/haproxy start"'
$stop_haproxy_service = '"/etc/init.d/haproxy stop"'
$horizon_auth_url = 'horizon'
$keepalived_name_is_process = true
$keepalived_vrrp_script = undef
case $::operatingsystem {
'Ubuntu': {
$libvirt_service_name = 'libvirt-bin'
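Review bot: `$keepalived_vrrp_script = 'systemctl status haproxy.service'` relies on `status`, which is the human-facing command: it prints a journal excerpt on every keepalived poll, whereas `systemctl is-active haproxy.service` is the scripting interface, exits 0 exactly when the unit is active and prints a single word. I would change the line to `$keepalived_vrrp_script = 'systemctl is-active haproxy.service'` and update the matching expectation in the loadbalancer spec. Either form only reports the unit state, not that HAProxy is accepting connections, so a process systemd still considers active but that is wedged will not trigger failover—the same limitation the previous `name_is_process` check had, worth a short comment next to the value.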

manifests/selinux.pp Normal file

@@ -0,0 +1,96 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::selinux
#
# Helper class to configure SELinux on nodes
#
# === Parameters:
#
# [*mode*]
# (optional) SELinux mode the system should be in
# Defaults to 'permissive'
# Possible values : disabled, permissive, enforcing
#
# [*directory*]
# (optional) Path where to find the SELinux modules
# Defaults to '/usr/share/selinux'
#
# [*booleans*]
# (optional) Set of booleans to persistenly enables
# SELinux booleans are the one getsebool -a returns
# Defaults []
# Example: ['rsync_full_access', 'haproxy_connect_any']
#
# [*modules*]
# (optional) Set of modules to load on the system
# Defaults []
# Example: ['module1', 'module2']
# Note: Those module should be in the $directory path
#
class cloud::selinux (
$mode = 'permissive',
$directory = '/usr/share/selinux/',
$booleans = [],
$modules = [],
) {
if $::osfamily != 'RedHat' {
fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS")
}
Selboolean {
persistent => true,
value => 'on',
}
Selmodule {
ensure => present,
selmoduledir => $directory,
}
file { '/etc/selinux/config':
ensure => present,
mode => '0444',
content => template('cloud/selinux/sysconfig_selinux.erb')
}
$current_mode = $::selinux? {
'false' => 'disabled',
false => 'disabled',
default => $::selinux_current_mode,
}
if $current_mode != $mode {
case $mode {
/^(disabled|permissive)$/: {
if $current_mode == 'enforcing' {
exec { 'setenforce 0': }
}
}
'enforcing': {
exec { 'setenforce 1': }
}
default: {
fail('You must specify a mode (enforcing, permissive, or disabled)')
}
}
}
selboolean { $booleans : }
selmodule { $modules: }
}
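Review bot: `exec { 'setenforce 0': }` and `exec { 'setenforce 1': }` give Puppet neither a fully-qualified command nor a `path`, so the agent will refuse to run them (“is not qualified and no path was specified”) the first time `$current_mode` actually differs from `$mode`; the spec only asserts the resources exist in the catalog and cannot catch this. Both execs also run when `$current_mode` is `'disabled'`, where `setenforce` cannot succeed until the host has rebooted with the new `/etc/selinux/config` (and, for disabled→enforcing, relabelled), so every run fails until then; an `onlyif` guard turns that into a no-op. I would write `exec { 'setenforce 1': path => ['/usr/sbin', '/sbin'], onlyif => 'selinuxenabled', }`, the same for the `0` case, and state the reboot/relabel requirement in the `[*mode*]` documentation. Smaller: `file { '/etc/selinux/config': }` sets `mode => '0444'` but no `owner`/`group`; add `owner => 'root', group => 'root'` so the ownership is managed too.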


@@ -85,6 +85,27 @@ describe 'cloud' do
#it_configures 'private cloud node'
xit { is_expected.to contain_rhn_register('rhn-redhat1') }
context 'with SELinux set to enforcing' do
let :params do
{ :selinux_mode => 'enforcing',
:selinux_modules => ['module1', 'module2'],
:selinux_booleans => ['foo', 'bar'],
:selinux_directory => '/path/to/modules'}
end
it 'set SELINUX=enforcing' do
is_expected.to contain_class('cloud::selinux').with(
:mode => params[:selinux_mode],
:booleans => params[:selinux_booleans],
:modules => params[:selinux_modules],
:directory => params[:selinux_directory],
:stage => 'setup',
)
end
end
end
context 'on other platforms' do


@@ -171,6 +171,15 @@ describe 'cloud::loadbalancer' do
end
end
context 'configure keepalived with proper haproxy track script' do
it 'configure keepalived with a proper haproxy track script' do
is_expected.to contain_keepalived__vrrp_script('haproxy').with({
'name_is_process' => platform_params[:keepalived_name_is_process],
'script' => platform_params[:keepalived_vrrp_script],
})
end
end
context 'when keepalived and HAproxy are in backup' do
it 'configure vrrp_instance with BACKUP state' do
is_expected.to contain_keepalived__instance('1').with({
@@ -516,9 +525,11 @@ describe 'cloud::loadbalancer' do
end
let :platform_params do
{ :auth_url => 'horizon',
:start_haproxy_service => '"/etc/init.d/haproxy start"',
:stop_haproxy_service => '"/etc/init.d/haproxy stop"',
{ :auth_url => 'horizon',
:start_haproxy_service => '"/etc/init.d/haproxy start"',
:stop_haproxy_service => '"/etc/init.d/haproxy stop"',
:keepalived_name_is_process => 'true',
:keepalived_vrrp_script => nil,
}
end
@@ -533,13 +544,14 @@ describe 'cloud::loadbalancer' do
end
let :platform_params do
{ :auth_url => 'dashboard',
:start_haproxy_service => '"/usr/bin/systemctl start haproxy"',
:stop_haproxy_service => '"/usr/bin/systemctl stop haproxy"',
{ :auth_url => 'dashboard',
:start_haproxy_service => '"/usr/bin/systemctl start haproxy"',
:stop_haproxy_service => '"/usr/bin/systemctl stop haproxy"',
:keepalived_name_is_process => 'false',
:keepalived_vrrp_script => 'systemctl status haproxy.service',
}
end
it_configures 'openstack loadbalancer'
end
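Review bot: `:keepalived_name_is_process => 'true'` and `'false'` in the platform params are strings, while `cloud::params` sets Puppet booleans (`false` on RedHat, `true` on Debian); rspec-puppet appears to compare stringified values, so the examples pass, but the expectation then no longer distinguishes the boolean the manifest emits from the string `'false'`, which is truthy if the keepalived module ever tests it as a string. Use bare `true`/`false` here so the spec pins the type as well as the value; `:keepalived_vrrp_script => nil` on Debian is fine as a check that the parameter is left unset.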


@@ -0,0 +1,107 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for cloud::cache
#
require 'spec_helper'
describe 'cloud::selinux' do
shared_examples_for 'manage selinux' do
context 'with selinux disabled' do
before :each do
facts.merge!( :selinux_current_mode => 'enforcing' )
end
let :params do
{ :mode => 'disabled',
:booleans => ['foo', 'bar'],
:modules => ['module1', 'module2'],
:directory => '/path/to/modules'}
end
it 'runs setenforce 0' do
is_expected.to contain_exec('setenforce 0')
end
it 'enables the SELinux boolean' do
is_expected.to contain_selboolean('foo').with(
:persistent => true,
:value => 'on',
)
end
it 'enables the SELinux modules' do
is_expected.to contain_selmodule('module1').with(
:ensure => 'present',
:selmoduledir => '/path/to/modules',
)
end
end
context 'with selinux enforcing' do
before :each do
facts.merge!( :selinux => 'false' )
end
let :params do
{ :mode => 'enforcing',
:booleans => ['foo', 'bar'],
:modules => ['module1', 'module2'],
:directory => '/path/to/modules'}
end
it 'runs setenforce 1' do
is_expected.to contain_exec('setenforce 1')
end
it 'enables the SELinux boolean' do
is_expected.to contain_selboolean('foo').with(
:persistent => true,
:value => 'on',
)
end
it 'enables the SELinux modules' do
is_expected.to contain_selmodule('module1').with(
:ensure => 'present',
:selmoduledir => '/path/to/modules',
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian' }
end
it_raises 'a Puppet::Error', /OS family unsuppored yet \(Debian\), SELinux support is only limited to RedHat family OS/
end
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat' }
end
it_configures 'manage selinux'
end
end
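Review bot: The file header says `# Unit tests for cloud::cache` while the spec describes `cloud::selinux`; change it to `# Unit tests for cloud::selinux`. The shared examples assert that the `setenforce` execs are in the catalog but no context exercises the `fail('You must specify a mode ...')` branch or the case where the current mode already equals `mode` and no exec should be declared; adding a context with `:mode => 'bogus'` and `it_raises 'a Puppet::Error', /You must specify a mode/`, and one with `:selinux_current_mode => 'enforcing'` plus `:mode => 'enforcing'` asserting `is_expected.not_to contain_exec('setenforce 1')`, would pin both guards. Also the 'with selinux disabled' context never sets the `:selinux` fact, so it reaches the `default` arm of the selector by accident rather than by asserting the fact value the manifest reads.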


@@ -1,451 +1,45 @@
#!/bin/sh
# Copyright Abandoned 1996 TCX DataKonsult AB & Monty Program KB & Detron HB
# This file is public domain and comes with NO WARRANTY of any kind
# MySQL daemon start/stop script.
# Usually this is put in /etc/init.d (at least on machines SYSV R4 based
# systems) and linked to /etc/rc3.d/S99mysql and /etc/rc0.d/K01mysql.
# When this is done the mysql server will be started when the machine is
# started and shut down when the systems goes down.
# Comments to support chkconfig on RedHat Linux
# chkconfig: 2345 64 36
# description: A very fast and reliable SQL database engine.
# Comments to support LSB init script conventions
### BEGIN INIT INFO
# Provides: mysql
# Required-Start: $local_fs $network $remote_fs
# Should-Start: ypbind nscd ldap ntpd xntpd
# Required-Stop: $local_fs $network $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop MySQL
# Description: MySQL is a very fast and reliable SQL database engine.
### END INIT INFO
# If you install MySQL on some other places than /usr, then you
# have to do one of the following things for this script to work:
# It's not recommended to modify this file in-place, because it will be
# overwritten during package upgrades. If you want to customize, the
# best way is to create a file "/etc/systemd/system/mariadb.service",
# containing
# .include /lib/systemd/system/mariadb.service
# ...make your changes here...
# or create a file "/etc/systemd/system/mariadb.service.d/foo.conf",
# which doesn't need to include ".include" call and which will be parsed
# after the file mariadb.service itself is parsed.
#
# - Run this script from within the MySQL installation directory
# - Create a /etc/my.cnf file with the following information:
# [mysqld]
# basedir=<path-to-mysql-installation-directory>
# - Add the above to any other configuration file (for example ~/.my.ini)
# and copy my_print_defaults to /usr/bin
# - Add the path to the mysql-installation-directory to the basedir variable
# below.
#
# If you want to affect other MySQL variables, you should make your changes
# in the /etc/my.cnf, ~/.my.cnf or other MySQL configuration files.
# For more info about custom unit files, see systemd.unit(5) or
# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
# For example, if you want to increase mysql's open-files-limit to 10000,
# you need to increase systemd's LimitNOFILE setting, so create a file named
# "/etc/systemd/system/mariadb.service.d/limits.conf" containing:
# [Service]
# LimitNOFILE=10000
# Note: /usr/lib/... is recommended in the .include line though /lib/...
# still works.
# Don't forget to reload systemd daemon after you change unit configuration:
# root> systemctl --system daemon-reload
# If you change base dir, you must also change datadir. These may get
# overwritten by settings in the MySQL configuration files.
[Unit]
Description=MariaDB database server
After=syslog.target
After=network.target
basedir=
datadir=<%= scope.lookupvar('::mysql::datadir') %>
[Service]
Type=simple
User=mysql
Group=mysql
ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n
# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
# per bug #547485
ExecStart=/usr/bin/mysqld_safe --wsrep-new-cluster --basedir=/usr
ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID
# Default value, in seconds, afterwhich the script should timeout waiting
# for server start.
# Value here is overriden by value in my.cnf.
# 0 means don't wait at all
# Negative numbers mean to wait indefinitely
service_startup_timeout=900
startup_sleep=1
# Give a reasonable amount of time for the server to start up/shut down
TimeoutSec=300
# Lock directory for RedHat / SuSE.
lockdir='/var/lock/subsys'
lock_file_path="$lockdir/mysql"
# Place temp files in a secure directory, not /tmp
PrivateTmp=true
# The following variables are only set for letting mysql.server find things.
# Set some defaults
mysqld_pid_file_path=
if test -z "$basedir"
then
basedir=/usr
bindir=/usr/bin
if test -z "$datadir"
then
datadir=/var/lib/mysql
fi
sbindir=/usr/sbin
libexecdir=/usr/sbin
else
bindir="$basedir/bin"
if test -z "$datadir"
then
datadir="$basedir/data"
fi
sbindir="$basedir/sbin"
if test -f "$basedir/bin/mysqld"
then
libexecdir="$basedir/bin"
else
libexecdir="$basedir/libexec"
fi
fi
# datadir_set is used to determine if datadir was set (and so should be
# *not* set inside of the --basedir= handler.)
datadir_set=
#
# Use LSB init script functions for printing messages, if possible
#
lsb_functions="/lib/lsb/init-functions"
if test -f $lsb_functions ; then
. $lsb_functions
else
log_success_msg()
{
echo " SUCCESS! $@"
}
log_failure_msg()
{
echo " ERROR! $@"
}
fi
PATH="/sbin:/usr/sbin:/bin:/usr/bin:$basedir/bin"
export PATH
mode=$1 # start or stop
[ $# -ge 1 ] && shift
other_args="$*" # uncommon, but needed when called from an RPM upgrade action
# Expected: "--skip-networking --skip-grant-tables"
# They are not checked here, intentionally, as it is the resposibility
# of the "spec" file author to give correct arguments only.
case `echo "testing\c"`,`echo -n testing` in
*c*,-n*) echo_n= echo_c= ;;
*c*,*) echo_n=-n echo_c= ;;
*) echo_n= echo_c='\c' ;;
esac
parse_server_arguments() {
for arg do
case "$arg" in
--basedir=*) basedir=`echo "$arg" | sed -e 's/^[^=]*=//'`
bindir="$basedir/bin"
if test -z "$datadir_set"; then
datadir="$basedir/data"
fi
sbindir="$basedir/sbin"
if test -f "$basedir/bin/mysqld"
then
libexecdir="$basedir/bin"
else
libexecdir="$basedir/libexec"
fi
libexecdir="$basedir/libexec"
;;
--datadir=*) datadir=`echo "$arg" | sed -e 's/^[^=]*=//'`
datadir_set=1
;;
--pid-file=*) mysqld_pid_file_path=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
--service-startup-timeout=*) service_startup_timeout=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
esac
done
}
wait_for_pid () {
verb="$1" # created | removed
pid="$2" # process ID of the program operating on the pid-file
pid_file_path="$3" # path to the PID file.
sst_progress_file=$datadir/sst_in_progress
i=0
avoid_race_condition="by checking again"
while test $i -ne $service_startup_timeout ; do
case "$verb" in
'created')
# wait for a PID-file to pop into existence.
test -s "$pid_file_path" && i='' && break
;;
'removed')
# wait for this PID-file to disappear
test ! -s "$pid_file_path" && i='' && break
;;
*)
echo "wait_for_pid () usage: wait_for_pid created|removed pid pid_file_path"
exit 1
;;
esac
# if server isn't running, then pid-file will never be updated
if test -n "$pid"; then
if kill -0 "$pid" 2>/dev/null; then
: # the server still runs
else
# The server may have exited between the last pid-file check and now.
if test -n "$avoid_race_condition"; then
avoid_race_condition=""
continue # Check again.
fi
# there's nothing that will affect the file.
log_failure_msg "The server quit without updating PID file ($pid_file_path)."
return 1 # not waiting any more.
fi
fi
if test -e $sst_progress_file && [ $startup_sleep -ne 10 ];then
echo $echo_n "SST in progress, setting sleep higher"
startup_sleep=10
fi
echo $echo_n ".$echo_c"
i=`expr $i + 1`
sleep $startup_sleep
done
if test -z "$i" ; then
log_success_msg
return 0
else
log_failure_msg
return 1
fi
}
# Get arguments from the my.cnf file,
# the only group, which is read from now on is [mysqld]
if test -x ./bin/my_print_defaults
then
print_defaults="./bin/my_print_defaults"
elif test -x $bindir/my_print_defaults
then
print_defaults="$bindir/my_print_defaults"
elif test -x $bindir/mysql_print_defaults
then
print_defaults="$bindir/mysql_print_defaults"
else
# Try to find basedir in /etc/my.cnf
conf=/etc/my.cnf
print_defaults=
if test -r $conf
then
subpat='^[^=]*basedir[^=]*=\(.*\)$'
dirs=`sed -e "/$subpat/!d" -e 's//\1/' $conf`
for d in $dirs
do
d=`echo $d | sed -e 's/[ ]//g'`
if test -x "$d/bin/my_print_defaults"
then
print_defaults="$d/bin/my_print_defaults"
break
fi
if test -x "$d/bin/mysql_print_defaults"
then
print_defaults="$d/bin/mysql_print_defaults"
break
fi
done
fi
# Hope it's in the PATH ... but I doubt it
test -z "$print_defaults" && print_defaults="my_print_defaults"
fi
#
# Read defaults file from 'basedir'. If there is no defaults file there
# check if it's in the old (depricated) place (datadir) and read it from there
#
extra_args=""
if test -r "$basedir/my.cnf"
then
extra_args="-e $basedir/my.cnf"
else
if test -r "$datadir/my.cnf"
then
extra_args="-e $datadir/my.cnf"
fi
fi
parse_server_arguments `$print_defaults $extra_args mysqld server mysql_server mysql.server`
#
# Set pid file if not given
#
if test -z "$mysqld_pid_file_path"
then
mysqld_pid_file_path=$datadir/`hostname`.pid
else
case "$mysqld_pid_file_path" in
/* ) ;;
* ) mysqld_pid_file_path="$datadir/$mysqld_pid_file_path" ;;
esac
fi
case "$mode" in
'start')
# Start daemon
# Safeguard (relative paths, core dumps..)
cd $basedir
echo $echo_n "Starting MySQL"
if test -x $bindir/mysqld_safe
then
# Give extra arguments to mysqld with the my.cnf file. This script
# may be overwritten at next upgrade.
# Start MariaDB! in a Galera setup we want to use
# new-cluster only when the galera cluster hasn't been
# bootstraped
if [ -e ${datadir}/grastate.dat ]; then
# normal boot
$bindir/mysqld_safe --datadir="$datadir" --pid-file="$mysqld_pid_file_path" $other_args >/dev/null 2>&1 &
else
# bootstrap boot
$bindir/mysqld_safe --wsrep-new-cluster --datadir="$datadir" --pid-file="$mysqld_pid_file_path" $other_args >/dev/null 2>&1 &
fi
wait_for_pid created "$!" "$mysqld_pid_file_path"; return_value=$?
# Make lock for RedHat / SuSE
if test -w "$lockdir"
then
touch "$lock_file_path"
fi
exit $return_value
else
log_failure_msg "Couldn't find MySQL server ($bindir/mysqld_safe)"
fi
;;
'stop')
# Stop daemon. We use a signal here to avoid having to know the
# root password.
if test -s "$mysqld_pid_file_path"
then
mysqld_pid=`cat "$mysqld_pid_file_path"`
if (kill -0 $mysqld_pid 2>/dev/null)
then
echo $echo_n "Shutting down MySQL"
kill $mysqld_pid
# mysqld should remove the pid file when it exits, so wait for it.
wait_for_pid removed "$mysqld_pid" "$mysqld_pid_file_path"; return_value=$?
else
log_failure_msg "MySQL server process #$mysqld_pid is not running!"
rm "$mysqld_pid_file_path"
fi
# Delete lock for RedHat / SuSE
if test -f "$lock_file_path"
then
rm -f "$lock_file_path"
fi
exit $return_value
else
log_failure_msg "MySQL server PID file could not be found!"
fi
;;
'restart')
# Stop the service and regardless of whether it was
# running or not, start it again.
if $0 stop $other_args; then
$0 start $other_args
else
log_failure_msg "Failed to stop running server, so refusing to try to start."
exit 1
fi
;;
'reload'|'force-reload')
if test -s "$mysqld_pid_file_path" ; then
read mysqld_pid < "$mysqld_pid_file_path"
kill -HUP $mysqld_pid && log_success_msg "Reloading service MySQL"
touch "$mysqld_pid_file_path"
else
log_failure_msg "MySQL PID file could not be found!"
exit 1
fi
;;
'status')
# First, check to see if pid file exists
if test -s "$mysqld_pid_file_path" ; then
read mysqld_pid < "$mysqld_pid_file_path"
if kill -0 $mysqld_pid 2>/dev/null ; then
log_success_msg "MySQL running ($mysqld_pid)"
exit 0
else
log_failure_msg "MySQL is not running, but PID file exists"
exit 1
fi
else
# Try to find appropriate mysqld process
mysqld_pid=`pidof $libexecdir/mysqld`
# test if multiple pids exist
pid_count=`echo $mysqld_pid | wc -w`
if test $pid_count -gt 1 ; then
log_failure_msg "Multiple MySQL running but PID file could not be found ($mysqld_pid)"
exit 5
elif test -z $mysqld_pid ; then
if test -f "$lock_file_path" ; then
log_failure_msg "MySQL is not running, but lock file ($lock_file_path) exists"
exit 2
fi
log_failure_msg "MySQL is not running"
exit 3
else
log_failure_msg "MySQL is running but PID file could not be found"
exit 4
fi
fi
;;
'configtest')
# Safeguard (relative paths, core dumps..)
cd $basedir
echo $echo_n "Testing MySQL configuration syntax"
daemon=$bindir/mysqld
if test -x $libexecdir/mysqld
then
daemon=$libexecdir/mysqld
elif test -x $sbindir/mysqld
then
daemon=$sbindir/mysqld
elif test -x `which mysqld`
then
daemon=`which mysqld`
else
log_failure_msg "Unable to locate the mysqld binary!"
exit 1
fi
help_out=`$daemon --help 2>&1`; r=$?
if test "$r" != 0 ; then
log_failure_msg "$help_out"
log_failure_msg "There are syntax errors in the server configuration. Please fix them!"
else
log_success_msg "Syntax OK"
fi
exit $r
;;
'bootstrap')
# Bootstrap the cluster, start the first node
# that initiate the cluster
echo $echo_n "Bootstrapping the cluster"
$0 start $other_args --wsrep-new-cluster
;;
*)
# usage
basename=`basename "$0"`
echo "Usage: $basename {start|stop|restart|reload|force-reload|status|configtest|bootstrap} [ MySQL server options ]"
exit 1
;;
esac
exit 0
[Install]
WantedBy=multi-user.target
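Review bot: `ExecStart=/usr/bin/mysqld_safe --wsrep-new-cluster --basedir=/usr` passes `--wsrep-new-cluster` on every start, whereas the init script this template replaces only did so when `${datadir}/grastate.dat` was absent and otherwise performed a normal join; a `systemctl restart mysql-bootstrap` on the Galera master after the cluster has formed will therefore bootstrap a fresh cluster instead of rejoining the existing one, which can split the cluster. If the unit is intended to be used exactly once, say so in a comment at the top of the `[Service]` section and consider `ConditionPathExists=!/var/lib/mysql/grastate.dat` in `[Unit]` (noting that systemd then reports the start as skipped rather than failed); otherwise keep the grastate check in a small ExecStart wrapper script. Separately, `basedir=` and `datadir=<%= scope.lookupvar('::mysql::datadir') %>` appear between `After=network.target` and `[Service]`—if those lines survived on the new side they are not valid unit keys and systemd will warn and ignore them, so verify they were removed with the rest of the script.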


@@ -63,7 +63,7 @@ wsrep_provider_options = "gcache.size=<%= @galera_gcache %>;gcs.fc_mast
# and wsrep_sst_xtrabackup take only one configuration file and use the last one
# (/etc/mysql/my.cnf is not used)
datadir = /var/lib/mysql
tmpdir = /dev/shm
tmpdir = /tmp/
innodb_flush_method = O_DIRECT
innodb_log_buffer_size = 32M
innodb_log_file_size = 256M
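Review bot: `tmpdir = /tmp/` (which print order suggests replaces `/dev/shm`) moves MariaDB's temporary tables and SST scratch files onto the shared, world-writable `/tmp`; on the RedHat path the new unit's `PrivateTmp=true` gives the daemon its own namespace, but this template appears to be shared with Debian, where the sysvinit start has no such isolation and `/tmp` carries the usual symlink/race exposure, and `/tmp` is usually disk-backed rather than the tmpfs `/dev/shm` was. If `/dev/shm` was dropped because of an SELinux denial, a dedicated directory owned by `mysql` with mode 0700 under the datadir (e.g. `tmpdir = /var/lib/mysql/tmp`, created by a `file` resource, which should inherit the datadir's SELinux label) keeps the isolation on both families without depending on the unit, and a one-line comment above `tmpdir` stating why the path changed would help the next reader.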


@@ -0,0 +1,11 @@
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=<%= @mode %>
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
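Review bot: `SELINUXTYPE=targeted` is hard-coded, so applying this template to a host running the `mls` or `minimum` policy silently switches its policy type at the next boot with no parameter to prevent it; since `cloud::selinux` already takes `mode`, a `type` parameter defaulting to `'targeted'` rendered as `SELINUXTYPE=<%= @type %>` would make that explicit. The comment `SELINUXTYPE= can take one of these two values:` then lists three values; change `two` to `three`. Because `/etc/selinux/config` is only read at boot, a header such as `# Managed by Puppet (cloud::selinux). SELINUX= takes effect at next boot; moving from disabled requires a relabel.` would spare the next operator a surprise when `setenforce` and this file disagree.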