redis: use /run instead or /var/run

2021-02-18 16:42:54 +01:00 · 2021-02-18 16:42:54 +01:00 · 3709808fdc
parent ddd3e1aa06
commit 3709808fdc
5 changed files with 54 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -27,6 +27,7 @@ The **patch** part changes incrementally at each release.
 * evoacme: upstream release 21.01
 * minifirewall: change some defaults
 * nagios-nrpe: update check_phpfpm_status.pl & install perl dependencies
+* redis: use /run instead or /var/run

 ### Fixed

--- a/redis/defaults/main.yml
+++ b/redis/defaults/main.yml
@ -9,10 +9,10 @@ redis_port: 6379
 redis_bind_interface: 127.0.0.1

 redis_socket_enabled: True
-redis_socket_dir_prefix: '/var/run/redis'
+redis_socket_dir_prefix: '/run/redis'
 redis_socket_perms: 770

-redis_pid_dir_prefix: "/var/run/redis"
+redis_pid_dir_prefix: "/run/redis"

 redis_timeout: 300

--- a/redis/tasks/instance-server.yml
+++ b/redis/tasks/instance-server.yml
@ -110,7 +110,7 @@
  tags:
    - redis

- name: Systemd template for redis instances is installed (Debian 9 or later)
+- name: Systemd template for redis instances is installed (Debian 9)
  template:
    src: 'redis-server@stretch.service.j2'
    dest: '/etc/systemd/system/redis-server@.service'
@ -119,7 +119,20 @@
    group: "root"
  when:
    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version is version('9', '>=')
+    - ansible_distribution_major_version is version('9', '=')
+  tags:
+    - redis
+
+- name: Systemd template for redis instances is installed (Debian 10 or later)
+  template:
+    src: 'redis-server@buster.service.j2'
+    dest: '/etc/systemd/system/redis-server@.service'
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version is version('10', '>=')
  tags:
    - redis

--- a/redis/templates/redis-server@buster.service.j2
+++ b/redis/templates/redis-server@buster.service.j2
@ -0,0 +1,35 @@
+[Unit]
+Description=Advanced key-value store
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/redis-server {{ redis_conf_dir_prefix }}-%i/redis.conf
+PIDFile=/run/redis-%i/redis-server.pid
+TimeoutStopSec=0
+Restart=always
+User=redis-%i
+Group=redis-%i
+RuntimeDirectory=redis-%i
+
+ExecStop=/bin/kill -s TERM $MAINPID
+
+UMask=007
+PrivateTmp=yes
+LimitNOFILE=65535
+PrivateDevices=yes
+ProtectHome={{ redis_data_dir_prefix is match('/home') | ternary('no', 'yes') }}
+ReadOnlyDirectories=/
+ReadWriteDirectories=-{{ redis_data_dir_prefix }}-%i
+ReadWriteDirectories=-{{ redis_log_dir_prefix }}-%i
+ReadWriteDirectories=-{{ redis_pid_dir_prefix }}-%i
+ReadWriteDirectories=-{{ redis_socket_dir_prefix }}-%i
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+
+# redis-server writes its own config file when in cluster mode so we allow
+# writing there (NB. ProtectSystem=true over ProtectSystem=full)
+ProtectSystem=true
+ReadWriteDirectories=-{{ redis_conf_dir_prefix }}-%i
+
+[Install]
+WantedBy=multi-user.target
--- a/redis/templates/redis-server@stretch.service.j2
+++ b/redis/templates/redis-server@stretch.service.j2
@ -5,7 +5,7 @@ After=network.target
 [Service]
 Type=forking
 ExecStart=/usr/bin/redis-server {{ redis_conf_dir_prefix }}-%i/redis.conf
-PIDFile=/var/run/redis-%i/redis-server.pid
+PIDFile=/run/redis-%i/redis-server.pid
 TimeoutStopSec=0
 Restart=always
 User=redis-%i