From d972c6c794d0f882d08437abbc33b65a4b9ba18d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 5 Sep 2019 09:41:58 +0200 Subject: [PATCH] rewrite systemd unit, separate configuration files --- redis/defaults/main.yml | 6 +++++- redis/files/redis-server@.service | 32 ++++++++++++++++++++++++------- redis/tasks/default-server.yml | 6 ++++-- redis/tasks/instance-server.yml | 26 ++++++++++++++++++++++--- redis/tasks/main.yml | 5 +++-- redis/templates/redis.conf.j2 | 2 +- 6 files changed, 61 insertions(+), 16 deletions(-) diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 7ed4b8b6..2045ff3d 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -5,9 +5,13 @@ redis_conf_dir: /etc/redis redis_port: 6379 redis_bind_interface: 127.0.0.1 + +redis_socket_enabled: True redis_socket_dir: '/var/run/redis' redis_socket_perms: 770 + redis_pid_dir: "/var/run/redis" + redis_timeout: 300 # for client authorization @@ -52,4 +56,4 @@ redis_disabled_commands: [] redis_sentinel_install: False -redis_default_server_disabled: True +redis_default_server_disabled: False diff --git a/redis/files/redis-server@.service b/redis/files/redis-server@.service index 02fa1f56..7bed41c8 100644 --- a/redis/files/redis-server@.service +++ b/redis/files/redis-server@.service 
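Review bot: `redis_socket_enabled: True` introduces a new name for the switch that redis.conf.j2 used to read as `redis_unixsocket` — the template hunk in this commit changes `{% if redis_unixsocket %}` to `{% if redis_socket_enabled %}` and nothing keeps the old name — so an inventory that set `redis_unixsocket: False` to keep the socket off is now silently ignored and this default turns the socket on. Either add a compatibility default, `redis_socket_enabled: "{{ redis_unixsocket | default(True) }}"`, or put a comment above the new key, `# replaces redis_unixsocket; the template no longer reads the old name`. yamllint's truthy rule also prefers `true`/`false` over `True`/`False` for the new key.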
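Review bot: Flipping `redis_default_server_disabled` from `True` to `False` changes the behaviour of every existing consumer of the role — the default instance is no longer disabled out of the box — and neither the commit subject nor a comment in the defaults file records why. A one-line comment above the key, `# the default instance is enabled; set to True on hosts that only run named instances`, makes the intent visible to operators reading the defaults, and the rationale belongs in the commit message as well.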
@@ -3,17 +3,35 @@ Description=Advanced key-value store After=network.target [Service] -ExecStartPre=/bin/mkdir -m 0755 -p /var/run/redis-%i -ExecStartPre=/bin/chown redis-%i: /var/run/redis-%i -PermissionsStartOnly=yes - Type=forking -ExecStart=/usr/bin/redis-server /etc/redis-%i/redis.conf --unixsocket /var/run/redis-%i/redis.sock --pidfile /var/run/redis-%i/redis-server.pid -ExecStop=/usr/bin/redis-cli -s /var/run/redis-%i/redis.sock shutdown +ExecStart=/usr/bin/redis-server /etc/redis-%i/redis.conf +PIDFile=/var/run/redis-%i/redis-server.pid +TimeoutStopSec=0 Restart=always User=redis-%i Group=redis-%i -LimitNOFILE=65535 +RuntimeDirectory=redis-%i +ExecStartPre=-/bin/run-parts --verbose /etc/redis-%i/redis-server.pre-up.d +ExecStartPost=-/bin/run-parts --verbose /etc/redis-%i/redis-server.post-up.d +ExecStop=-/bin/run-parts --verbose /etc/redis-%i/redis-server.pre-down.d +ExecStop=/bin/kill -s TERM $MAINPID +ExecStopPost=-/bin/run-parts --verbose /etc/redis-%i/redis-server.post-down.d + +UMask=007 +PrivateTmp=yes +LimitNOFILE=65535 +PrivateDevices=yes +ProtectHome=yes +ReadOnlyDirectories=/ +ReadWriteDirectories=-/var/lib/redis-%i +ReadWriteDirectories=-/var/log/redis-%i +ReadWriteDirectories=-/var/run/redis-%i +CapabilityBoundingSet=~CAP_SYS_PTRACE + +# redis-server writes its own config file when in cluster mode so we allow +# writing there (NB. ProtectSystem=true over ProtectSystem=full) +ProtectSystem=true +ReadWriteDirectories=-/etc/redis-%i [Install] WantedBy=multi-user.target diff --git a/redis/tasks/default-server.yml b/redis/tasks/default-server.yml index de32e9de..08653cfa 100644 --- a/redis/tasks/default-server.yml +++ b/redis/tasks/default-server.yml @@ -3,8 +3,10 @@ - name: Redis is configured. template: src: redis.conf.j2 - dest: "{{ redis_conf_dir }}" - mode: "0644" + dest: "{{ redis_conf_dir }}/redis.conf" + mode: "0640" + owner: redis + group: redis notify: "{{ redis_restart_handler_name }}" tags: - redis 
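Review bot: `RuntimeDirectory=redis-%i` makes systemd recreate /run/redis-%i on every start with its default RuntimeDirectoryMode of 0755 and remove it on stop, so the 0750 that the instance-server.yml task sets on the pid and socket directories does not survive the first restart if they live under /var/run/redis-%i, which the `ReadWriteDirectories=-/var/run/redis-%i` line suggests; adding `RuntimeDirectoryMode=0750` next to it keeps the directory as tight as the role intends. More generally the unit hard-codes /etc/redis-%i and /var/run/redis-%i (ExecStart, PIDFile, the run-parts hooks) while the role exposes redis_conf_dir, redis_pid_dir and redis_socket_dir as variables; if an instance overrides any of them the PIDFile no longer matches the pidfile in redis.conf and the forking service fails to be tracked, so a comment in the unit stating that these paths must match the role defaults (or templating the unit) would make the coupling explicit. With `PermissionsStartOnly=yes` gone, the run-parts hooks in the four redis-server.*.d directories now execute as User=redis-%i rather than root — the right default, but worth a comment above the first ExecStartPre line, `# hooks run unprivileged as redis-%i; anything that needs root does not belong here`, so hook authors do not assume root. `TimeoutStopSec=0` disables the stop timeout altogether, so a redis-server that does not exit on SIGTERM (for example while finishing a long save) blocks `systemctl stop` indefinitely; a bounded value is safer.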
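Review bot: `owner: redis` together with `mode: "0640"` gives the service user write access to its own redis.conf, so a misbehaving or compromised redis-server can persist changes to its configuration (CONFIG REWRITE, for instance); the same applies to the instance-server.yml template hunk at @@ -39, which sets owner redis-{{ redis_instance_name }}. If the role does not rely on Redis rewriting its config, `owner: root` with `group: redis` keeps the file readable but not writable by the service; if it does rely on it, a comment above `owner:` saying so, `# owned by the service user so that redis-server can rewrite its own config`, would save the next reviewer the question.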
diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml index 555598f4..700c8669 100644 --- a/redis/tasks/instance-server.yml +++ b/redis/tasks/instance-server.yml @@ -18,16 +18,32 @@ tags: - redis -- name: "Instances '{{ redis_instance_name }}' directories are present" +- name: "Instances '{{ redis_instance_name }}' config directories are present" file: dest: "{{ item }}" mode: "0755" + owner: "root" + group: "root" + follow: yes + state: directory + with_items: + - "{{ redis_conf_dir }}" + - "{{ redis_conf_dir }}/redis-server.pre-up.d" + - "{{ redis_conf_dir }}/redis-server.post-up.d" + - "{{ redis_conf_dir }}/redis-server.pre-down.d" + - "{{ redis_conf_dir }}/redis-server.post-down.d" + tags: + - redis + +- name: "Instances '{{ redis_instance_name }}' other directories are present" + file: + dest: "{{ item }}" + mode: "0750" owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" follow: yes state: directory with_items: - - "{{ redis_conf_dir }}" - "{{ redis_pid_dir }}" - "{{ redis_socket_dir }}" - "{{ redis_data_dir }}" @@ -39,7 +55,9 @@ template: src: redis.conf.j2 dest: "{{ redis_conf_dir }}/redis.conf" - mode: "0644" + mode: "0640" + owner: redis-{{ redis_instance_name }} + group: redis-{{ redis_instance_name }} tags: - redis @@ -48,6 +66,8 @@ src: 'redis-server@.service' dest: '/etc/systemd/system/' mode: "0644" + owner: "root" + group: "root" tags: - redis diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 285cd25f..ca6ecc47 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -62,7 +62,7 @@ when: - _munin_installed.stat.exists - _munin_installed.stat.isdir - - redis_instance_name is not defined + - redis_instance_name is undefined tags: - redis - munin 
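Review bot: The split into a root-owned 0755 config tree and a redis-{{ redis_instance_name }}-owned 0750 data/pid/socket tree is the security-relevant part of this hunk — the service user cannot drop scripts into the `redis-server.*.d` hook directories that the unit executes with run-parts — but nothing in the task says this is deliberate. A comment above the first task, `# config tree stays root-owned: the redis-server.*.d hooks are run by the unit and must not be writable by the instance user`, would keep a later maintainer from "fixing" the ownership to match the second task. Note that `{{ redis_conf_dir }}` itself also ends up root:root 0755 while the unit grants `ReadWriteDirectories=-/etc/redis-%i` for config rewrites; a rewrite that goes through a temporary file plus rename (as newer Redis versions do) needs write permission on that directory and will fail there, so the intended rewrite behaviour should be stated or the grant dropped. `follow: yes` would be `follow: true` under yamllint's truthy rule.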
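Review bot: In the @@ -39 hunk `owner: redis-{{ redis_instance_name }}` and `group:` are unquoted while the directory tasks earlier in the file quote the same expression as `"redis-{{ redis_instance_name }}"`; the unquoted form parses only because the Jinja braces are not at the start of the value, so quoting both lines keeps the file consistent and survives a future reordering of the value. Unlike default-server.yml, this template task has no `notify` among the visible lines, so a changed redis.conf does not restart the instance; if no handler is wired up outside the hunk, add `notify: "{{ redis_restart_handler_name }}"` or the instance-specific equivalent. The enclosing task starts on the line before the hunk.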
@@ -87,7 +87,8 @@ - include: nrpe_stretch.yml when: - - ansible_distribution_release == "stretch" + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '>=') - nrpe_evolix_config.stat.exists == true tags: - redis diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index a173169f..b5f8d373 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -3,7 +3,7 @@ pidfile {{ redis_pid_dir }}/redis-server.pid port {{ redis_port }} bind {{ redis_bind_interface }} -{% if redis_unixsocket %} +{% if redis_socket_enabled %} unixsocket {{ redis_socket_dir }}/redis.sock unixsocketperm {{ redis_socket_perms }} {% endif %}
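Review bot: `ansible_distribution_major_version | version_compare('9', '>=')` uses the `version_compare` filter, which Ansible deprecated in 2.5 in favour of the `version` test; the current spelling `ansible_distribution_major_version is version('9', '>=')` avoids a deprecation warning on every run and a hard failure once the filter is removed. The included file is still named nrpe_stretch.yml although the condition now matches every Debian release from 9 onward; a comment on the include line, `# applies to stretch and later`, or a rename would keep it from reading as stretch-only.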