diff --git a/manifests/database/sql.pp b/manifests/database/sql.pp index e6596c34..d16395b9 100644 --- a/manifests/database/sql.pp +++ b/manifests/database/sql.pp @@ -170,6 +170,7 @@ class cloud::database::sql ( $mysql_client_package_name = 'mariadb' $wsrep_provider = '/usr/lib64/galera/libgalera_smm.so' $mysql_server_config_file = '/etc/my.cnf' + $mysql_init_file = '/usr/lib/systemd/system/mysql-bootstrap.service' if $::hostname == $galera_master_name { $mysql_service_name = 'mysql-bootstrap' @@ -204,6 +205,7 @@ class cloud::database::sql ( $mysql_client_package_name = 'mariadb-client' $wsrep_provider = '/usr/lib/galera/libgalera_smm.so' $mysql_server_config_file = '/etc/mysql/my.cnf' + $mysql_init_file = '/etc/init.d/mysql-bootstrap' if $::hostname == $galera_master_name { $mysql_service_name = 'mysql-bootstrap' @@ -239,7 +241,7 @@ class cloud::database::sql ( # To check that the mysqld support the options you can : # strings `which mysqld` | grep wsrep-new-cluster # TODO: to be remove as soon as the API 25 is packaged, ie galera 3 ... - file { '/etc/init.d/mysql-bootstrap': + file { $mysql_init_file : content => template("cloud/database/etc_initd_mysql_${::osfamily}"), owner => 'root', mode => '0755', diff --git a/manifests/init.pp b/manifests/init.pp index 00689b30..fcb168a0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
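Review bot: `mode => '0755'` in the `file { $mysql_init_file : ... }` resource is now applied to a systemd unit on RedHat, since `$mysql_init_file` there resolves to `/usr/lib/systemd/system/mysql-bootstrap.service`; unit files are parsed, not executed, and the conventional mode is 0644, so the mode should follow the platform, e.g. `mode => $::osfamily ? { 'RedHat' => '0644', default => '0755' },`. Changes to a unit file that systemd has already loaded are not picked up until `systemctl daemon-reload` runs; the resource continues past the hunk, so whether it notifies such an exec cannot be seen here, and if it does not, later edits to the rendered unit will not reach the `mysql-bootstrap` service selected for the galera master. Note too that `/usr/lib/systemd/system` is the vendor directory; locally managed units conventionally live in `/etc/systemd/system`, which would also keep the file clear of package upgrades.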
@@ -18,13 +18,19 @@ # Installs the private cloud system requirements # class cloud( - $rhn_registration = undef, - $root_password = 'root', - $dns_ips = ['8.8.8.8', '8.8.4.4'], - $site_domain = 'mydomain', - $motd_title = 'eNovance IT Operations', + $rhn_registration = undef, + $root_password = 'root', + $dns_ips = ['8.8.8.8', '8.8.4.4'], + $site_domain = 'mydomain', + $motd_title = 'eNovance IT Operations', + $selinux_mode = 'permissive', + $selinux_directory = '/usr/share/selinux', + $selinux_booleans = [], + $selinux_modules = [], ) { + include ::stdlib + if ! ($::osfamily in [ 'RedHat', 'Debian' ]) { fail("OS family unsuppored yet (${::osfamily}), module puppet-openstack-cloud only support RedHat or Debian") } @@ -59,6 +65,17 @@ This node is under the control of Puppet ${::puppetversion}. # NTP include ::ntp +# SELinux + if $::osfamily == 'RedHat' { + class {'cloud::selinux' : + mode => $selinux_mode, + booleans => $selinux_booleans, + modules => $selinux_modules, + directory => $selinux_directory, + stage => 'setup', + } + } + # Strong root password for all servers user { 'root': ensure => 'present', diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index d8aa2f1b..87cc4ea1 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -302,7 +302,8 @@ class cloud::loadbalancer( } keepalived::vrrp_script { 'haproxy': - name_is_process => true + name_is_process => $::cloud::params::keepalived_name_is_process, + script => $::cloud::params::keepalived_vrrp_script, } keepalived::instance { '1': diff --git a/manifests/params.pp b/manifests/params.pp index 81e25a76..c1de5d2b 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
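Review bot: The new `class {'cloud::selinux' : ...}` declaration is unconditional on RedHat and `$selinux_mode` defaults to `'permissive'`, so applying the `cloud` class to a node that currently runs enforcing will execute `setenforce 0` and rewrite `/etc/selinux/config` to permissive — a silent downgrade of the node's baseline for anyone who does not override the parameter. Defaulting to `'enforcing'` and making permissive an explicit opt-in is the safer default; at minimum the header comment above `class cloud(` should document `selinux_mode`, `selinux_directory`, `selinux_booleans` and `selinux_modules` with their defaults and the fact that the class is only declared on RedHat. `stage => 'setup'` appears to rely on the added `include ::stdlib` to define that stage; a one-line comment such as `# the 'setup' stage is declared by stdlib::stages` would save the next reader the lookup. The default `$selinux_directory = '/usr/share/selinux'` also differs from `cloud::selinux`'s own default `'/usr/share/selinux/'` (trailing slash); pick one.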
@@ -39,16 +39,20 @@ class cloud::params { case $::osfamily { 'RedHat': { # Specific to Red Hat - $start_haproxy_service = '"/usr/bin/systemctl start haproxy"' - $stop_haproxy_service = '"/usr/bin/systemctl stop haproxy"' - $horizon_auth_url = 'dashboard' - $libvirt_service_name = 'libvirtd' + $start_haproxy_service = '"/usr/bin/systemctl start haproxy"' + $stop_haproxy_service = '"/usr/bin/systemctl stop haproxy"' + $horizon_auth_url = 'dashboard' + $libvirt_service_name = 'libvirtd' + $keepalived_name_is_process = false + $keepalived_vrrp_script = 'systemctl status haproxy.service' } # RedHat 'Debian': { # Specific to Debian / Ubuntu - $start_haproxy_service = '"/etc/init.d/haproxy start"' - $stop_haproxy_service = '"/etc/init.d/haproxy stop"' - $horizon_auth_url = 'horizon' + $start_haproxy_service = '"/etc/init.d/haproxy start"' + $stop_haproxy_service = '"/etc/init.d/haproxy stop"' + $horizon_auth_url = 'horizon' + $keepalived_name_is_process = true + $keepalived_vrrp_script = undef case $::operatingsystem { 'Ubuntu': { $libvirt_service_name = 'libvirt-bin' diff --git a/manifests/selinux.pp b/manifests/selinux.pp new file mode 100644 index 00000000..3f583333 --- /dev/null +++ b/manifests/selinux.pp 
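Review bot: `$keepalived_vrrp_script = 'systemctl status haproxy.service'` is used as the VRRP track script for HAProxy on RedHat, but `systemctl status` is a reporting command that prints unit details and the journal tail on every invocation; `systemctl is-active haproxy.service` is the purpose-built check that exits non-zero when the unit is not active and emits a single word, i.e. `$keepalived_vrrp_script = 'systemctl is-active haproxy.service'`. Since keepalived runs this check at every interval and a failover decision hinges on its exit code, the cheapest and most deterministic command is the right one. On Debian `$keepalived_vrrp_script = undef` together with `$keepalived_name_is_process = true` presumably relies on the keepalived module's process check instead; a short comment stating that the two parameters are alternatives would help.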
@@ -0,0 +1,96 @@ +# +# Copyright (C) 2014 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: cloud::selinux +# +# Helper class to configure SELinux on nodes +# +# === Parameters: +# +# [*mode*] +# (optional) SELinux mode the system should be in +# Defaults to 'permissive' +# Possible values : disabled, permissive, enforcing +# +# [*directory*] +# (optional) Path where to find the SELinux modules +# Defaults to '/usr/share/selinux' +# +# [*booleans*] +# (optional) Set of booleans to persistenly enables +# SELinux booleans are the one getsebool -a returns +# Defaults [] +# Example: ['rsync_full_access', 'haproxy_connect_any'] +# +# [*modules*] +# (optional) Set of modules to load on the system +# Defaults [] +# Example: ['module1', 'module2'] +# Note: Those module should be in the $directory path +# +class cloud::selinux ( + $mode = 'permissive', + $directory = '/usr/share/selinux/', + $booleans = [], + $modules = [], +) { + + if $::osfamily != 'RedHat' { + fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS") + } + + Selboolean { + persistent => true, + value => 'on', + } + + Selmodule { + ensure => present, + selmoduledir => $directory, + } + + file { '/etc/selinux/config': + ensure => present, + mode => '0444', + content => template('cloud/selinux/sysconfig_selinux.erb') + } + + $current_mode = $::selinux? 
{ + 'false' => 'disabled', + false => 'disabled', + default => $::selinux_current_mode, + } + + if $current_mode != $mode { + case $mode { + /^(disabled|permissive)$/: { + if $current_mode == 'enforcing' { + exec { 'setenforce 0': } + } + } + 'enforcing': { + exec { 'setenforce 1': } + } + default: { + fail('You must specify a mode (enforcing, permissive, or disabled)') + } + } + } + + selboolean { $booleans : } + selmodule { $modules: } + +} + diff --git a/spec/classes/cloud_init_spec.rb b/spec/classes/cloud_init_spec.rb index 0e63f64a..19016625 100644 --- a/spec/classes/cloud_init_spec.rb +++ b/spec/classes/cloud_init_spec.rb @@ -85,6 +85,27 @@ describe 'cloud' do #it_configures 'private cloud node' xit { is_expected.to contain_rhn_register('rhn-redhat1') } + + context 'with SELinux set to enforcing' do + let :params do + { :selinux_mode => 'enforcing', + :selinux_modules => ['module1', 'module2'], + :selinux_booleans => ['foo', 'bar'], + :selinux_directory => '/path/to/modules'} + end + + it 'set SELINUX=enforcing' do + is_expected.to contain_class('cloud::selinux').with( + :mode => params[:selinux_mode], + :booleans => params[:selinux_booleans], + :modules => params[:selinux_modules], + :directory => params[:selinux_directory], + :stage => 'setup', + ) + end + + end + end context 'on other platforms' do diff --git a/spec/classes/cloud_loadbalancer_spec.rb b/spec/classes/cloud_loadbalancer_spec.rb index 3578beb0..4c85d22f 100644 --- a/spec/classes/cloud_loadbalancer_spec.rb +++ b/spec/classes/cloud_loadbalancer_spec.rb 
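Review bot: `exec { 'setenforce 0': }` and `exec { 'setenforce 1': }` declare neither an absolute command nor a `path`, so Puppet will refuse to run them at apply time (the command is "not qualified and no path was specified"); either qualify the command or add the search path, e.g. `exec { 'setenforce 1': path => '/usr/sbin:/sbin' }`. The `'enforcing'` branch is also reached when `$current_mode` is `'disabled'` (the `'false'`/`false` cases of the selector), and `setenforce 1` cannot enable SELinux on a system that booted with it disabled; guard it with `if $current_mode == 'permissive'` (the disabled case is only covered by the `/etc/selinux/config` write plus a reboot) or document that limitation in the class header. Smaller points: the `$directory` default is `'/usr/share/selinux/'` while the header says `/usr/share/selinux`, and the header line "Set of booleans to persistenly enables" should read "Set of booleans to persistently enable".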
@@ -171,6 +171,15 @@ describe 'cloud::loadbalancer' do end end + context 'configure keepalived with proper haproxy track script' do + it 'configure keepalived with a proper haproxy track script' do + is_expected.to contain_keepalived__vrrp_script('haproxy').with({ + 'name_is_process' => platform_params[:keepalived_name_is_process], + 'script' => platform_params[:keepalived_vrrp_script], + }) + end + end + context 'when keepalived and HAproxy are in backup' do it 'configure vrrp_instance with BACKUP state' do is_expected.to contain_keepalived__instance('1').with({ @@ -516,9 +525,11 @@ describe 'cloud::loadbalancer' do end let :platform_params do - { :auth_url => 'horizon', - :start_haproxy_service => '"/etc/init.d/haproxy start"', - :stop_haproxy_service => '"/etc/init.d/haproxy stop"', + { :auth_url => 'horizon', + :start_haproxy_service => '"/etc/init.d/haproxy start"', + :stop_haproxy_service => '"/etc/init.d/haproxy stop"', + :keepalived_name_is_process => 'true', + :keepalived_vrrp_script => nil, } end @@ -533,13 +544,14 @@ describe 'cloud::loadbalancer' do end let :platform_params do - { :auth_url => 'dashboard', - :start_haproxy_service => '"/usr/bin/systemctl start haproxy"', - :stop_haproxy_service => '"/usr/bin/systemctl stop haproxy"', + { :auth_url => 'dashboard', + :start_haproxy_service => '"/usr/bin/systemctl start haproxy"', + :stop_haproxy_service => '"/usr/bin/systemctl stop haproxy"', + :keepalived_name_is_process => 'false', + :keepalived_vrrp_script => 'systemctl status haproxy.service', } end - it_configures 'openstack loadbalancer' end diff --git a/spec/classes/cloud_selinux_spec.rb b/spec/classes/cloud_selinux_spec.rb new file mode 100644 index 00000000..1da314f1 --- /dev/null +++ b/spec/classes/cloud_selinux_spec.rb 
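Review bot: The `platform_params` hashes set `:keepalived_name_is_process => 'true'` / `'false'` as strings, whereas `cloud::params` assigns the booleans `true` / `false`; if the rspec-puppet version in use compares parameters via `to_s` the examples pass, but they then cannot tell a boolean apart from its string form — and in Puppet 3 the string `'false'` is truthy, so a regression that stringified the parameter would leave `name_is_process` effectively enabled on RedHat without any test failing. Use the real booleans, `:keepalived_name_is_process => true,` and `:keepalived_name_is_process => false,`, so the expectation matches the manifest's types. The new context and its example in the first hunk also carry the same description, 'configure keepalived with proper haproxy track script'; naming the context after the condition (e.g. 'with the platform haproxy track script') reads better in the output.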
@@ -0,0 +1,107 @@ +# +# Copyright (C) 2014 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Unit tests for cloud::cache +# + +require 'spec_helper' + +describe 'cloud::selinux' do + + shared_examples_for 'manage selinux' do + + context 'with selinux disabled' do + before :each do + facts.merge!( :selinux_current_mode => 'enforcing' ) + end + + let :params do + { :mode => 'disabled', + :booleans => ['foo', 'bar'], + :modules => ['module1', 'module2'], + :directory => '/path/to/modules'} + end + + it 'runs setenforce 0' do + is_expected.to contain_exec('setenforce 0') + end + + it 'enables the SELinux boolean' do + is_expected.to contain_selboolean('foo').with( + :persistent => true, + :value => 'on', + ) + end + + it 'enables the SELinux modules' do + is_expected.to contain_selmodule('module1').with( + :ensure => 'present', + :selmoduledir => '/path/to/modules', + ) + end + + end + + context 'with selinux enforcing' do + before :each do + facts.merge!( :selinux => 'false' ) + end + + let :params do + { :mode => 'enforcing', + :booleans => ['foo', 'bar'], + :modules => ['module1', 'module2'], + :directory => '/path/to/modules'} + end + + it 'runs setenforce 1' do + is_expected.to contain_exec('setenforce 1') + end + + it 'enables the SELinux boolean' do + is_expected.to contain_selboolean('foo').with( + :persistent => true, + :value => 'on', + ) + end + + it 'enables the SELinux modules' do + is_expected.to contain_selmodule('module1').with( + :ensure 
=> 'present', + :selmoduledir => '/path/to/modules', + ) + end + + end + + end + + context 'on Debian platforms' do + let :facts do + { :osfamily => 'Debian' } + end + + it_raises 'a Puppet::Error', /OS family unsuppored yet \(Debian\), SELinux support is only limited to RedHat family OS/ + end + + context 'on RedHat platforms' do + let :facts do + { :osfamily => 'RedHat' } + end + + it_configures 'manage selinux' + end + +end diff --git a/templates/database/etc_initd_mysql_RedHat b/templates/database/etc_initd_mysql_RedHat index 6d5764e3..c81996a9 100755 --- a/templates/database/etc_initd_mysql_RedHat +++ b/templates/database/etc_initd_mysql_RedHat 
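Review bot: The header comment `# Unit tests for cloud::cache` is a copy-paste leftover and should read `# Unit tests for cloud::selinux`. The 'with selinux enforcing' context merges `:selinux => 'false'` into the facts, i.e. it models a node booted with SELinux disabled, and then asserts `contain_exec('setenforce 1')`; that pins down behaviour the manifest cannot actually deliver (setenforce cannot take a disabled system to enforcing without a reboot), so the fact should rather be `:selinux_current_mode => 'permissive'` and a separate example should cover the disabled case with whatever the manifest is decided to do there. Both contexts only check `'foo'` and `'module1'`; adding `is_expected.to contain_selboolean('bar')` and `is_expected.to contain_selmodule('module2')` would confirm that the array form of `selboolean { $booleans : }` and `selmodule { $modules: }` is honoured.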
@@ -1,451 +1,45 @@ -#!/bin/sh -# Copyright Abandoned 1996 TCX DataKonsult AB & Monty Program KB & Detron HB -# This file is public domain and comes with NO WARRANTY of any kind - -# MySQL daemon start/stop script. - -# Usually this is put in /etc/init.d (at least on machines SYSV R4 based -# systems) and linked to /etc/rc3.d/S99mysql and /etc/rc0.d/K01mysql. -# When this is done the mysql server will be started when the machine is -# started and shut down when the systems goes down. - -# Comments to support chkconfig on RedHat Linux -# chkconfig: 2345 64 36 -# description: A very fast and reliable SQL database engine. - -# Comments to support LSB init script conventions -### BEGIN INIT INFO -# Provides: mysql -# Required-Start: $local_fs $network $remote_fs -# Should-Start: ypbind nscd ldap ntpd xntpd -# Required-Stop: $local_fs $network $remote_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: start and stop MySQL -# Description: MySQL is a very fast and reliable SQL database engine. -### END INIT INFO - -# If you install MySQL on some other places than /usr, then you -# have to do one of the following things for this script to work: +# It's not recommended to modify this file in-place, because it will be +# overwritten during package upgrades. If you want to customize, the +# best way is to create a file "/etc/systemd/system/mariadb.service", +# containing +# .include /lib/systemd/system/mariadb.service +# ...make your changes here... +# or create a file "/etc/systemd/system/mariadb.service.d/foo.conf", +# which doesn't need to include ".include" call and which will be parsed +# after the file mariadb.service itself is parsed. 
# -# - Run this script from within the MySQL installation directory -# - Create a /etc/my.cnf file with the following information: -# [mysqld] -# basedir= -# - Add the above to any other configuration file (for example ~/.my.ini) -# and copy my_print_defaults to /usr/bin -# - Add the path to the mysql-installation-directory to the basedir variable -# below. -# -# If you want to affect other MySQL variables, you should make your changes -# in the /etc/my.cnf, ~/.my.cnf or other MySQL configuration files. +# For more info about custom unit files, see systemd.unit(5) or +# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F +# For example, if you want to increase mysql's open-files-limit to 10000, +# you need to increase systemd's LimitNOFILE setting, so create a file named +# "/etc/systemd/system/mariadb.service.d/limits.conf" containing: +# [Service] +# LimitNOFILE=10000 +# Note: /usr/lib/... is recommended in the .include line though /lib/... +# still works. +# Don't forget to reload systemd daemon after you change unit configuration: +# root> systemctl --system daemon-reload -# If you change base dir, you must also change datadir. These may get -# overwritten by settings in the MySQL configuration files. +[Unit] +Description=MariaDB database server +After=syslog.target +After=network.target -basedir= -datadir=<%= scope.lookupvar('::mysql::datadir') %> +[Service] +Type=simple +User=mysql +Group=mysql +ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n +# Note: we set --basedir to prevent probes that might trigger SELinux alarms, +# per bug #547485 +ExecStart=/usr/bin/mysqld_safe --wsrep-new-cluster --basedir=/usr +ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID -# Default value, in seconds, afterwhich the script should timeout waiting -# for server start. -# Value here is overriden by value in my.cnf. 
-# 0 means don't wait at all -# Negative numbers mean to wait indefinitely -service_startup_timeout=900 -startup_sleep=1 +# Give a reasonable amount of time for the server to start up/shut down +TimeoutSec=300 -# Lock directory for RedHat / SuSE. -lockdir='/var/lock/subsys' -lock_file_path="$lockdir/mysql" +# Place temp files in a secure directory, not /tmp +PrivateTmp=true -# The following variables are only set for letting mysql.server find things. - -# Set some defaults -mysqld_pid_file_path= -if test -z "$basedir" -then - basedir=/usr - bindir=/usr/bin - if test -z "$datadir" - then - datadir=/var/lib/mysql - fi - sbindir=/usr/sbin - libexecdir=/usr/sbin -else - bindir="$basedir/bin" - if test -z "$datadir" - then - datadir="$basedir/data" - fi - sbindir="$basedir/sbin" - if test -f "$basedir/bin/mysqld" - then - libexecdir="$basedir/bin" - else - libexecdir="$basedir/libexec" - fi -fi - -# datadir_set is used to determine if datadir was set (and so should be -# *not* set inside of the --basedir= handler.) -datadir_set= - -# -# Use LSB init script functions for printing messages, if possible -# -lsb_functions="/lib/lsb/init-functions" -if test -f $lsb_functions ; then - . $lsb_functions -else - log_success_msg() - { - echo " SUCCESS! $@" - } - log_failure_msg() - { - echo " ERROR! $@" - } -fi - -PATH="/sbin:/usr/sbin:/bin:/usr/bin:$basedir/bin" -export PATH - -mode=$1 # start or stop - -[ $# -ge 1 ] && shift - - -other_args="$*" # uncommon, but needed when called from an RPM upgrade action - # Expected: "--skip-networking --skip-grant-tables" - # They are not checked here, intentionally, as it is the resposibility - # of the "spec" file author to give correct arguments only. 
- -case `echo "testing\c"`,`echo -n testing` in - *c*,-n*) echo_n= echo_c= ;; - *c*,*) echo_n=-n echo_c= ;; - *) echo_n= echo_c='\c' ;; -esac - -parse_server_arguments() { - for arg do - case "$arg" in - --basedir=*) basedir=`echo "$arg" | sed -e 's/^[^=]*=//'` - bindir="$basedir/bin" - if test -z "$datadir_set"; then - datadir="$basedir/data" - fi - sbindir="$basedir/sbin" - if test -f "$basedir/bin/mysqld" - then - libexecdir="$basedir/bin" - else - libexecdir="$basedir/libexec" - fi - libexecdir="$basedir/libexec" - ;; - --datadir=*) datadir=`echo "$arg" | sed -e 's/^[^=]*=//'` - datadir_set=1 - ;; - --pid-file=*) mysqld_pid_file_path=`echo "$arg" | sed -e 's/^[^=]*=//'` ;; - --service-startup-timeout=*) service_startup_timeout=`echo "$arg" | sed -e 's/^[^=]*=//'` ;; - esac - done -} - -wait_for_pid () { - verb="$1" # created | removed - pid="$2" # process ID of the program operating on the pid-file - pid_file_path="$3" # path to the PID file. - - sst_progress_file=$datadir/sst_in_progress - i=0 - avoid_race_condition="by checking again" - - while test $i -ne $service_startup_timeout ; do - - case "$verb" in - 'created') - # wait for a PID-file to pop into existence. - test -s "$pid_file_path" && i='' && break - ;; - 'removed') - # wait for this PID-file to disappear - test ! -s "$pid_file_path" && i='' && break - ;; - *) - echo "wait_for_pid () usage: wait_for_pid created|removed pid pid_file_path" - exit 1 - ;; - esac - - # if server isn't running, then pid-file will never be updated - if test -n "$pid"; then - if kill -0 "$pid" 2>/dev/null; then - : # the server still runs - else - # The server may have exited between the last pid-file check and now. - if test -n "$avoid_race_condition"; then - avoid_race_condition="" - continue # Check again. - fi - - # there's nothing that will affect the file. - log_failure_msg "The server quit without updating PID file ($pid_file_path)." - return 1 # not waiting any more. 
- fi - fi - - if test -e $sst_progress_file && [ $startup_sleep -ne 10 ];then - echo $echo_n "SST in progress, setting sleep higher" - startup_sleep=10 - fi - - echo $echo_n ".$echo_c" - i=`expr $i + 1` - sleep $startup_sleep - - done - - if test -z "$i" ; then - log_success_msg - return 0 - else - log_failure_msg - return 1 - fi -} - -# Get arguments from the my.cnf file, -# the only group, which is read from now on is [mysqld] -if test -x ./bin/my_print_defaults -then - print_defaults="./bin/my_print_defaults" -elif test -x $bindir/my_print_defaults -then - print_defaults="$bindir/my_print_defaults" -elif test -x $bindir/mysql_print_defaults -then - print_defaults="$bindir/mysql_print_defaults" -else - # Try to find basedir in /etc/my.cnf - conf=/etc/my.cnf - print_defaults= - if test -r $conf - then - subpat='^[^=]*basedir[^=]*=\(.*\)$' - dirs=`sed -e "/$subpat/!d" -e 's//\1/' $conf` - for d in $dirs - do - d=`echo $d | sed -e 's/[ ]//g'` - if test -x "$d/bin/my_print_defaults" - then - print_defaults="$d/bin/my_print_defaults" - break - fi - if test -x "$d/bin/mysql_print_defaults" - then - print_defaults="$d/bin/mysql_print_defaults" - break - fi - done - fi - - # Hope it's in the PATH ... but I doubt it - test -z "$print_defaults" && print_defaults="my_print_defaults" -fi - -# -# Read defaults file from 'basedir'. 
If there is no defaults file there -# check if it's in the old (depricated) place (datadir) and read it from there -# - -extra_args="" -if test -r "$basedir/my.cnf" -then - extra_args="-e $basedir/my.cnf" -else - if test -r "$datadir/my.cnf" - then - extra_args="-e $datadir/my.cnf" - fi -fi - -parse_server_arguments `$print_defaults $extra_args mysqld server mysql_server mysql.server` - -# -# Set pid file if not given -# -if test -z "$mysqld_pid_file_path" -then - mysqld_pid_file_path=$datadir/`hostname`.pid -else - case "$mysqld_pid_file_path" in - /* ) ;; - * ) mysqld_pid_file_path="$datadir/$mysqld_pid_file_path" ;; - esac -fi - -case "$mode" in - 'start') - # Start daemon - - # Safeguard (relative paths, core dumps..) - cd $basedir - - echo $echo_n "Starting MySQL" - if test -x $bindir/mysqld_safe - then - # Give extra arguments to mysqld with the my.cnf file. This script - # may be overwritten at next upgrade. - - # Start MariaDB! in a Galera setup we want to use - # new-cluster only when the galera cluster hasn't been - # bootstraped - if [ -e ${datadir}/grastate.dat ]; then - # normal boot - $bindir/mysqld_safe --datadir="$datadir" --pid-file="$mysqld_pid_file_path" $other_args >/dev/null 2>&1 & - else - # bootstrap boot - $bindir/mysqld_safe --wsrep-new-cluster --datadir="$datadir" --pid-file="$mysqld_pid_file_path" $other_args >/dev/null 2>&1 & - fi - wait_for_pid created "$!" "$mysqld_pid_file_path"; return_value=$? - - # Make lock for RedHat / SuSE - if test -w "$lockdir" - then - touch "$lock_file_path" - fi - - exit $return_value - else - log_failure_msg "Couldn't find MySQL server ($bindir/mysqld_safe)" - fi - ;; - - 'stop') - # Stop daemon. We use a signal here to avoid having to know the - # root password. 
- - if test -s "$mysqld_pid_file_path" - then - mysqld_pid=`cat "$mysqld_pid_file_path"` - - if (kill -0 $mysqld_pid 2>/dev/null) - then - echo $echo_n "Shutting down MySQL" - kill $mysqld_pid - # mysqld should remove the pid file when it exits, so wait for it. - wait_for_pid removed "$mysqld_pid" "$mysqld_pid_file_path"; return_value=$? - else - log_failure_msg "MySQL server process #$mysqld_pid is not running!" - rm "$mysqld_pid_file_path" - fi - - # Delete lock for RedHat / SuSE - if test -f "$lock_file_path" - then - rm -f "$lock_file_path" - fi - exit $return_value - else - log_failure_msg "MySQL server PID file could not be found!" - fi - ;; - - 'restart') - # Stop the service and regardless of whether it was - # running or not, start it again. - if $0 stop $other_args; then - $0 start $other_args - else - log_failure_msg "Failed to stop running server, so refusing to try to start." - exit 1 - fi - ;; - - 'reload'|'force-reload') - if test -s "$mysqld_pid_file_path" ; then - read mysqld_pid < "$mysqld_pid_file_path" - kill -HUP $mysqld_pid && log_success_msg "Reloading service MySQL" - touch "$mysqld_pid_file_path" - else - log_failure_msg "MySQL PID file could not be found!" 
- exit 1 - fi - ;; - 'status') - # First, check to see if pid file exists - if test -s "$mysqld_pid_file_path" ; then - read mysqld_pid < "$mysqld_pid_file_path" - if kill -0 $mysqld_pid 2>/dev/null ; then - log_success_msg "MySQL running ($mysqld_pid)" - exit 0 - else - log_failure_msg "MySQL is not running, but PID file exists" - exit 1 - fi - else - # Try to find appropriate mysqld process - mysqld_pid=`pidof $libexecdir/mysqld` - - # test if multiple pids exist - pid_count=`echo $mysqld_pid | wc -w` - if test $pid_count -gt 1 ; then - log_failure_msg "Multiple MySQL running but PID file could not be found ($mysqld_pid)" - exit 5 - elif test -z $mysqld_pid ; then - if test -f "$lock_file_path" ; then - log_failure_msg "MySQL is not running, but lock file ($lock_file_path) exists" - exit 2 - fi - log_failure_msg "MySQL is not running" - exit 3 - else - log_failure_msg "MySQL is running but PID file could not be found" - exit 4 - fi - fi - ;; - 'configtest') - # Safeguard (relative paths, core dumps..) - cd $basedir - echo $echo_n "Testing MySQL configuration syntax" - daemon=$bindir/mysqld - if test -x $libexecdir/mysqld - then - daemon=$libexecdir/mysqld - elif test -x $sbindir/mysqld - then - daemon=$sbindir/mysqld - elif test -x `which mysqld` - then - daemon=`which mysqld` - else - log_failure_msg "Unable to locate the mysqld binary!" - exit 1 - fi - help_out=`$daemon --help 2>&1`; r=$? - if test "$r" != 0 ; then - log_failure_msg "$help_out" - log_failure_msg "There are syntax errors in the server configuration. Please fix them!" 
- else - log_success_msg "Syntax OK" - fi - exit $r - ;; - 'bootstrap') - # Bootstrap the cluster, start the first node - # that initiate the cluster - echo $echo_n "Bootstrapping the cluster" - $0 start $other_args --wsrep-new-cluster - ;; - *) - # usage - basename=`basename "$0"` - echo "Usage: $basename {start|stop|restart|reload|force-reload|status|configtest|bootstrap} [ MySQL server options ]" - exit 1 - ;; -esac - -exit 0 +[Install] +WantedBy=multi-user.target diff --git a/templates/database/mysql.conf.erb b/templates/database/mysql.conf.erb index 46ea36a6..3dbee454 100644 --- a/templates/database/mysql.conf.erb +++ b/templates/database/mysql.conf.erb @@ -63,7 +63,7 @@ wsrep_provider_options = "gcache.size=<%= @galera_gcache %>;gcs.fc_mast # and wsrep_sst_xtrabackup take only one configuration file and use the last one # (/etc/mysql/my.cnf is not used) datadir = /var/lib/mysql -tmpdir = /dev/shm +tmpdir = /tmp/ innodb_flush_method = O_DIRECT innodb_log_buffer_size = 32M innodb_log_file_size = 256M diff --git a/templates/selinux/sysconfig_selinux.erb b/templates/selinux/sysconfig_selinux.erb new file mode 100644 index 00000000..e3bc2f85 --- /dev/null +++ b/templates/selinux/sysconfig_selinux.erb @@ -0,0 +1,11 @@ +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=<%= @mode %> +# SELINUXTYPE= can take one of these two values: +# targeted - Targeted processes are protected, +# minimum - Modification of targeted policy. Only selected processes are protected. +# mls - Multi Level Security protection. +SELINUXTYPE=targeted
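Review bot: `ExecStart=/usr/bin/mysqld_safe --wsrep-new-cluster --basedir=/usr` passes `--wsrep-new-cluster` unconditionally, whereas the init script this replaces only added it when `${datadir}/grastate.dat` was absent (the 'bootstrap boot' branch) and otherwise started normally. With this unit every restart of the galera master — including a routine `systemctl restart` while the other nodes are up — bootstraps a fresh cluster, which can split the cluster and diverge data. Restore the guard, e.g. `ExecStart=/bin/sh -c 'if [ -e /var/lib/mysql/grastate.dat ]; then exec /usr/bin/mysqld_safe --basedir=/usr; else exec /usr/bin/mysqld_safe --wsrep-new-cluster --basedir=/usr; fi'` (the datadir is the one set in mysql.conf.erb), or keep this unit strictly for a one-shot bootstrap and point the ongoing service at the distribution's mariadb unit. The file is still rendered through `template()` in sql.pp although it no longer contains any ERB, and the `ExecStartPre`/`ExecStartPost` helpers under `/usr/libexec/` appear to come from the distribution's MariaDB package — a comment naming which package they are expected from would make the dependency explicit.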
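Review bot: `tmpdir = /tmp/` moves mysqld's on-disk temporary tables from `/dev/shm` to the shared `/tmp`, and the change is platform-independent although only the RedHat unit sets `PrivateTmp=true`; on Debian, where mysql-bootstrap is still an init.d script, those files now land in the world-writable `/tmp`, protected by the sticky bit and symlink restrictions only. If the intent is the systemd private tmp, say so above the setting, e.g. `# /tmp is private to the service on systemd (PrivateTmp=true in the unit); Debian uses the shared /tmp`, or use a dedicated mysql-owned directory that works on both platforms (for example a `/var/tmp/mysql` managed by the module). The trailing slash in `/tmp/` is harmless but inconsistent with `datadir = /var/lib/mysql` on the line above.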
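Review bot: `SELINUXTYPE=targeted` is hard-coded while `SELINUX=<%= @mode %>` is parameterised, so applying this template to a node running the `mls` or `minimum` policy (both listed in the comment directly above) silently rewrites its policy type — a change that takes effect at the next reboot and typically requires a full relabel. Either expose the type as a class parameter (`SELINUXTYPE=<%= @type %>` with `targeted` as the default in `cloud::selinux`) or state in the template comment that only the targeted policy is supported. The rest of the file looks like the stock RHEL `/etc/selinux/config` layout, which is fine, but the comment `minimum - Modification of targeted policy` then documents a value the manifest cannot produce.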