From 18f65c4fc539e6b281169271dbd7cd443d90de7f Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Tue, 16 Nov 2021 13:25:30 -0600 Subject: [PATCH] Add new Redis cookbook --- Berksfile | 1 + Berksfile.lock | 4 + cookbooks/redisio/CHANGELOG.md | 380 ++++++ cookbooks/redisio/LICENSE | 201 ++++ cookbooks/redisio/README.md | 513 ++++++++ cookbooks/redisio/attributes/default.rb | 171 +++ cookbooks/redisio/attributes/redis_gem.rb | 3 + .../redisio/attributes/redis_sentinel.rb | 36 + cookbooks/redisio/chefignore | 115 ++ cookbooks/redisio/files/sudo | 8 + cookbooks/redisio/kitchen.dokken.yml | 46 + cookbooks/redisio/libraries/matchers.rb | 1 + cookbooks/redisio/libraries/redisio.rb | 32 + cookbooks/redisio/metadata.json | 43 + cookbooks/redisio/metadata.rb | 24 + cookbooks/redisio/providers/configure.rb | 389 ++++++ cookbooks/redisio/providers/install.rb | 93 ++ cookbooks/redisio/providers/sentinel.rb | 256 ++++ cookbooks/redisio/recipes/_install_prereqs.rb | 18 + cookbooks/redisio/recipes/configure.rb | 56 + cookbooks/redisio/recipes/default.rb | 12 + cookbooks/redisio/recipes/disable.rb | 14 + .../redisio/recipes/disable_os_default.rb | 12 + cookbooks/redisio/recipes/enable.rb | 13 + cookbooks/redisio/recipes/install.rb | 22 + cookbooks/redisio/recipes/redis_gem.rb | 4 + cookbooks/redisio/recipes/sentinel.rb | 78 ++ cookbooks/redisio/recipes/sentinel_enable.rb | 38 + cookbooks/redisio/recipes/ulimit.rb | 25 + cookbooks/redisio/resources/configure.rb | 12 + cookbooks/redisio/resources/install.rb | 13 + cookbooks/redisio/resources/sentinel.rb | 11 + .../redisio/templates/default/domain.erb | 9 + .../templates/default/redis-sentinel@.service | 12 + .../redisio/templates/default/redis.conf.erb | 1039 +++++++++++++++++ .../redisio/templates/default/redis.init.erb | 96 ++ .../templates/default/redis.rcinit.erb | 69 ++ .../templates/default/redis.upstart.conf.erb | 19 + .../templates/default/redis@.service.erb | 12 + .../templates/default/sentinel.conf.erb | 203 ++++ .../templates/default/sentinel.init.erb | 78 ++ .../templates/default/sentinel.rcinit.erb | 39 + .../default/sentinel.upstart.conf.erb | 19 + cookbooks/redisio/templates/default/su.erb | 62 + .../redisio/templates/default/ulimit.erb | 32 + cookbooks/selinux/CHANGELOG.md | 184 +++ cookbooks/selinux/LICENSE | 201 ++++ cookbooks/selinux/README.md | 81 ++ cookbooks/selinux/chefignore | 115 ++ cookbooks/selinux/libraries/boolean.rb | 17 + cookbooks/selinux/libraries/install.rb | 22 + cookbooks/selinux/libraries/state.rb | 43 + cookbooks/selinux/metadata.json | 43 + cookbooks/selinux/metadata.rb | 13 + cookbooks/selinux/recipes/disabled.rb | 23 + cookbooks/selinux/recipes/enforcing.rb | 24 + cookbooks/selinux/recipes/permissive.rb | 23 + cookbooks/selinux/resources/boolean.rb | 56 + cookbooks/selinux/resources/fcontext.rb | 132 +++ cookbooks/selinux/resources/install.rb | 54 + cookbooks/selinux/resources/module.rb | 125 ++ cookbooks/selinux/resources/permissive.rb | 46 + cookbooks/selinux/resources/port.rb | 98 ++ cookbooks/selinux/resources/state.rb | 114 ++ .../selinux/templates/debian/selinux.erb | 18 + .../selinux/templates/default/selinux.erb | 15 + 66 files changed, 5780 insertions(+) create mode 100644 cookbooks/redisio/CHANGELOG.md create mode 100644 cookbooks/redisio/LICENSE create mode 100644 cookbooks/redisio/README.md create mode 100644 cookbooks/redisio/attributes/default.rb create mode 100644 cookbooks/redisio/attributes/redis_gem.rb create mode 100644 cookbooks/redisio/attributes/redis_sentinel.rb create mode 100644 cookbooks/redisio/chefignore create mode 100644 cookbooks/redisio/files/sudo create mode 100644 cookbooks/redisio/kitchen.dokken.yml create mode 100644 cookbooks/redisio/libraries/matchers.rb create mode 100644 cookbooks/redisio/libraries/redisio.rb create mode 100644 cookbooks/redisio/metadata.json create mode 100644 cookbooks/redisio/metadata.rb create mode 100644 cookbooks/redisio/providers/configure.rb create mode 100644 cookbooks/redisio/providers/install.rb create mode 100644 cookbooks/redisio/providers/sentinel.rb create mode 100644 cookbooks/redisio/recipes/_install_prereqs.rb create mode 100644 cookbooks/redisio/recipes/configure.rb create mode 100644 cookbooks/redisio/recipes/default.rb create mode 100644 cookbooks/redisio/recipes/disable.rb create mode 100644 cookbooks/redisio/recipes/disable_os_default.rb create mode 100644 cookbooks/redisio/recipes/enable.rb create mode 100644 cookbooks/redisio/recipes/install.rb create mode 100644 cookbooks/redisio/recipes/redis_gem.rb create mode 100644 cookbooks/redisio/recipes/sentinel.rb create mode 100644 cookbooks/redisio/recipes/sentinel_enable.rb create mode 100644 cookbooks/redisio/recipes/ulimit.rb create mode 100644 cookbooks/redisio/resources/configure.rb create mode 100644 cookbooks/redisio/resources/install.rb create mode 100644 cookbooks/redisio/resources/sentinel.rb create mode 100644 cookbooks/redisio/templates/default/domain.erb create mode 100644 cookbooks/redisio/templates/default/redis-sentinel@.service create mode 100644 cookbooks/redisio/templates/default/redis.conf.erb create mode 100644 cookbooks/redisio/templates/default/redis.init.erb create mode 100644 cookbooks/redisio/templates/default/redis.rcinit.erb create mode 100644 cookbooks/redisio/templates/default/redis.upstart.conf.erb create mode 100644 cookbooks/redisio/templates/default/redis@.service.erb create mode 100644 cookbooks/redisio/templates/default/sentinel.conf.erb create mode 100644 cookbooks/redisio/templates/default/sentinel.init.erb create mode 100644 cookbooks/redisio/templates/default/sentinel.rcinit.erb create mode 100644 cookbooks/redisio/templates/default/sentinel.upstart.conf.erb create mode 100644 cookbooks/redisio/templates/default/su.erb create mode 100644 cookbooks/redisio/templates/default/ulimit.erb create mode 100644 cookbooks/selinux/CHANGELOG.md create mode 100644 cookbooks/selinux/LICENSE create mode 100644 cookbooks/selinux/README.md create mode 100644 cookbooks/selinux/chefignore create mode 100644 cookbooks/selinux/libraries/boolean.rb create mode 100644 cookbooks/selinux/libraries/install.rb create mode 100644 cookbooks/selinux/libraries/state.rb create mode 100644 cookbooks/selinux/metadata.json create mode 100644 cookbooks/selinux/metadata.rb create mode 100644 cookbooks/selinux/recipes/disabled.rb create mode 100644 cookbooks/selinux/recipes/enforcing.rb create mode 100644 cookbooks/selinux/recipes/permissive.rb create mode 100644 cookbooks/selinux/resources/boolean.rb create mode 100644 cookbooks/selinux/resources/fcontext.rb create mode 100644 cookbooks/selinux/resources/install.rb create mode 100644 cookbooks/selinux/resources/module.rb create mode 100644 cookbooks/selinux/resources/permissive.rb create mode 100644 cookbooks/selinux/resources/port.rb create mode 100644 cookbooks/selinux/resources/state.rb create mode 100644 cookbooks/selinux/templates/debian/selinux.erb create mode 100644 cookbooks/selinux/templates/default/selinux.erb diff --git a/Berksfile b/Berksfile index bcbf7f6..6e713d0 100644 --- a/Berksfile +++ b/Berksfile @@ -8,6 +8,7 @@ cookbook 'mediawiki', cookbook 'redis', git: 'https://github.com/phlipper/chef-redis.git', ref: 'v0.5.6' +cookbook 'redisio', '~> 6.1.0' cookbook 'postfix', '= 5.0.2' cookbook 'php', '~> 8.0.0' cookbook 'composer', '~> 2.7.0' diff --git a/Berksfile.lock b/Berksfile.lock index aa8574a..5bf2b50 100644 --- a/Berksfile.lock +++ b/Berksfile.lock @@ -48,6 +48,7 @@ DEPENDENCIES git: https://github.com/phlipper/chef-redis.git revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b ref: v0.5.6 + redisio (~> 6.1.0) timezone_iii (= 1.0.4) ulimit (~> 1.0.0) users (~> 5.3.1) @@ -150,6 +151,9 @@ GRAPH postfix (5.0.2) redis (0.5.6) apt (>= 0.0.0) + redisio (6.1.0) + selinux (>= 0.0.0) + selinux (6.0.1) seven_zip (3.1.1) windows (>= 0.0.0) timezone_iii (1.0.4) diff --git a/cookbooks/redisio/CHANGELOG.md b/cookbooks/redisio/CHANGELOG.md new file mode 100644 index 0000000..113fad7 --- /dev/null +++ b/cookbooks/redisio/CHANGELOG.md @@ -0,0 +1,380 @@ + +# redisio + +This file is used to list changes made in each version of the redisio cookbook. + +## 6.1.0 - *2021-09-15* + +- Add protected mode to sentinel configuration file + +## 6.0.0 - *2021-09-09* + +- Set unified_mode true for Chef 17+ support +- Require Chef 15.3+ for unified_mode +- Require Chef 16 for user_ulimit resource +- Remove dependency on the ulimit cookbook +- Switch from using the selinux_policy cookbook to the selinux cookbook + - The selinux_policy cookbook is now deprecated. The resources have been moved + to the selinux cookbook + +## 5.0.0 - *2021-09-08* + +- resolved cookstyle error: attributes/default.rb:74:40 refactor: `Chef/Modernize/UseChefLanguageSystemdHelper` + +## 4.3.2 - *2021-08-30* + +- Standardise files with files in sous-chefs/repo-management + +## 4.3.1 - *2021-06-01* + +- Standardise files with files in sous-chefs/repo-management + +## 4.3.0 - *2021-05-19* + +- Fix disable recipe service naming for systemd + +## 4.2.0 (2020-09-14) + +- New server option 'permissions' to override default (0644) unix permissions on config file + +## 4.1.2 (2020-09-11) + +- Pull the disable_os_default recipe from the default one + +## 4.1.1 (2020-08-14) + +- Properly perform version check when needed in redis.conf template + +## 4.1.0 (2020-05-05) + +- Simplify platform check logic +- Remove the deprecated ChefSpec coverage report +- Migrate to actions for testing + +## 4.0.0 (2019-09-19) + +- Enable testing in CircleCI +- Removed build essentials cookbook dependancy +- Minimum Chef is now 14 +- Removed tests for Debian 8 +- Added support for chef 15 +- configure recipe now sets `['redisio']['servers']` using override instead of normal in line with new chef best practices + +## 3.0.0 (2018-11-27) + +- This cookbook is now maintained by the Sous Chefs. If you're interested in helping with maintenance or learning more check out Thank you Brian Bianco for the work you've done over the years on this cookbook. We'll be sure to take good care of it. +- This cookbook now requires Chef 13 or later +- Incompatibilities with the latest selinux_policy cookbook have been resolved by using Chef's built in selinux helpers +- All Chefstyle warnings have been resolved +- Contributing.md and CODE_OF_CONDUCT.md files have been added +- The build_essential resource is now directly used so that the built in resource in Chef 14+ can be used. This increases the required build-essential cookbook to 5.0+ +- Duplicate dependencies in the Berksfile have been removed +- The chefignore file has been updated to prevent more unnecessary files from being uploaded to the chef server +- Data bags are now loaded with the data_bag_item helper instead of Chef::EncryptedDataBagItem.load directly +- Testing has been updated to use Delivery Local Mode which is built into ChefDK. The legacy Rakefile, Vagrantfile, Thorfile, and Cheffile have been removed +- Platforms in Test Kitchen configurations have been updated and dokken images are now used in dokken + +## 2.7.2 (2018-09-30) + +- fixes sentinal cluster init script by providing missing LSB statements ([#374]) + +## 2.7.1 (2018-03-30) + +- fixes sentinal config where `announce-ip` was being given the value of `announce-port` improperly ([#354]) + +## 2.7.0 (2018-03-28) + +- enables diskless replication configuration for versions `~> 2.6 || ~> 3.0` [#340](https://github.com/brianbianco/redisio/pull/340) +- adds chef 13 compatability [#350](https://github.com/brianbianco/redisio/pull/350) + +## 2.6.1 (2017-05-10) + +- Restrict aof-load-truncated to redis 3+ ([#343](https://github.com/brianbianco/redisio/pull/343)) +- Fix Redis 2.4.x config ([#344](https://github.com/brianbianco/redisio/pull/344)) + +## 2.6.0 (2017-05-09) + +- Update 'bind' config comments ([#293](https://github.com/brianbianco/redisio/pull/293)) +- Add disable_os_default recipe ([#224](https://github.com/brianbianco/redisio/pull/224)) +- Use the config's ulimits if set and is > max_clients ([#234](https://github.com/brianbianco/redisio/pull/234)) +- Add Travis config ([#299](https://github.com/brianbianco/redisio/pull/299)) +- Fix test failures (FoodCritic and Rubocop) ([#298](https://github.com/brianbianco/redisio/pull/298)) +- Fix TravisCI builds ([#300](https://github.com/brianbianco/redisio/pull/300)) +- Add repl-backlog-size, repl-backlog-ttl, and aof-load-truncated options ([#278](https://github.com/brianbianco/redisio/pull/278)) +- Add sentinel_bind to bind sentinel to different IPs ([#306](https://github.com/brianbianco/redisio/pull/306)) +- Cleanup deprecation warnings ([#301](https://github.com/brianbianco/redisio/pull/301)) +- Fix version detection with epoch version numbers from deb/ubuntu ([#294](https://github.com/brianbianco/redisio/pull/294)) +- Restrict VM redis config to <= 2.4 ([#322](https://github.com/brianbianco/redisio/pull/322)) +- Rename_commands should be checked for nil before empty ([#311](https://github.com/brianbianco/redisio/pull/311)) +- Fixup foodcritic, rubocop, and kitchen testing ([#324](https://github.com/brianbianco/redisio/pull/324)) + - Note: this drops support for Chef < 11 +- Add min-slaves redis options ([#313](https://github.com/brianbianco/redisio/pull/313)) +- Allow /etc/init start after sigterm from system or user ([#310](https://github.com/brianbianco/redisio/pull/310)) +- Check user existence with Etc, not ohai node attributes ([#303](https://github.com/brianbianco/redisio/pull/303)) +- Various systemd-related improvements ([#302](https://github.com/brianbianco/redisio/pull/302)) +- Update serverspec testing with correct OS's for systemd ([#329](https://github.com/brianbianco/redisio/pull/329)) +- Add kitchen-dokken testing to Travis ([#330](https://github.com/brianbianco/redisio/pull/330)) +- Add fedora-25 to kitchen testing and clean up kitchen config ([#331](https://github.com/brianbianco/redisio/pull/331)) +- Fix systemd paths for sentinel service ([#332](https://github.com/brianbianco/redisio/pull/332)) +- Add redis-package and sentinel to Travis kitchen verify ([#334](https://github.com/brianbianco/redisio/pull/334)) +- Add breadcrumb-file creation condition as attribute ([#268](https://github.com/brianbianco/redisio/pull/268)) +- Fix cluster options in README ([#333](https://github.com/brianbianco/redisio/pull/333)) +- Fix systemd loader to use descriptors instead of max_clients+32 ([#338](https://github.com/brianbianco/redisio/pull/338)) +- Add SELinux support ([#305](https://github.com/brianbianco/redisio/pull/305)) +- Make source of redis.conf template configurable ([#341](https://github.com/brianbianco/redisio/pull/341)) +- Support sentinel notification-script and client-reconfig-script ([#342](https://github.com/brianbianco/redisio/pull/342)) + +## 2.5.0 (2016-09-15) + +- Ubuntu 14 added as tested platform. (#264) +- FreeBSD-10.3 support added. (#279) + - installation from source is not supported + - setting ulimits is not supported +- Encrypted databag support added. (#228) +- Systemd nofile limit fixed. (#228) +- Announce-ip and announce-port directives for sentinel added. (#228) +- Disabling safe_install in the install recipe allowed. (#284) +- Protected-mode added as optional (#275, #289) +- Fixes nil exception when installing sentinel on non-debian and non-rhel platforms (#288) + +## 2.4.2 (2016-04-08) + +- Created a 2.4.1 tag but somehow the metadata file wasn't updated. Instead + of deleting a pushed tag, creating a new tag and updating metdatafile. Aside + from the version number, this is an identical release to 2.4.1 + +## 2.4.1 + +- Increases default clusternodetimeout value from 5 to 5000 +- Allows you to set version for package based install +- Sets UID of redis data directory if it is present +- Install resource should now only notify when an installation actually occurs +- Adds config options + - tcpbacklog + - rdbcompression + - rdbchecksum + - dbfilename + - slavereadyonly + - repldisabletcpnodelay + - slavepriority + - listmaxziplistentries + - listmaxziplistvalue + - hllsparsemaxbytes +- Add CentOS 7 support with systemd configs +- Fixes bug in ulimit resource guard +- Fixes bug in sentinel required parameters sanity check +- Adds --no-same-owner to untar command during install to fix NFS related issues +- Adds support for rename_commands config option +- Adds option to stop chef from managing sentinel configs after writing once +- Adds config option rename_commands +- Allow instance 'save' to be string or array +- Adds sources_url and issues_url with guards to be Chef 12 compatible +- Bumps Redis source version to 2.8.20 +- Fixes cluster settings with wrong attribute names +- Monitor multiple masters with sentinel + - Add support in sentinel resource for an array of masters to monitor, with backwards compatibility for the older attributes, fixes #73. Replaces #87. + - Introduce a test-kitchen test for sentinel watching multiple masters. + - Incidentally, fixes #193 as well, since it adds a master name attribute for each master. +- Fixes path for pidfile in sentinel init script +- Additional error checking and backwards compatibility for sentinel attribute keys + +## 2.3.0 (2015-04-08) + +- Add support for installing by distribution package for CentOS (#180) +- Add conditionals to check for redis 3 that was released recently (#183) +- Prevent `usermod: user redis is currently logged in` (#176) +- Use correct sentinel port in default sentinel instance (#157) +- Sentinel instances attribute (`node['redisio']['sentinels']`) should behave like Redis instances attribute (#160) +- Add Rakefile and unit tests for verifying issues fixed are actually resolved (#158) +- Fix serverspec tests to properly use sysv-init scripts on systemd distributions (#185) +- Update documentation to reflect correct current redis version used for source installs (#151) +- Update documentation to indicate that ulimit and build-essential are both dependencies (#165) +- Update documentation to reflect that uninstall recipe is no longer available +- Update documentation to reflect correct mirror in README.md, change was from 2.1.0 (#175) +- Update documentation to reflect that cookbook uses `node['redisio']`, not `node['redis']` (#174) +- Markdown formatting improvements in the README.md (#168, #172) + +## 2.2.4 (2014-10-04) + +- Updates installed version of redis to the latest stable (2.8.17) +- Fixes backwards compatability bug with older version of redis (namely 2.6.x series) related to keyspaces + +## 2.2.3 (2014-08-25) + +- Bug Fix: Repackages the chef supermarket releaes with gnutar instead of BSD tar + +## 2.2.2 (2014-08-22) + +- Please refer to changelog for 2.0.0. + - If moving from 1.7.x this release has many breaking changes. You will likely need to update your wrapper cookbook or role. +- Added test-kitchen and serverspec coverage for both redis and redis_sentinel +- Added cookbook testing information to readme +- Bug fix for a fix that was introduced to resolve foodcritic rule fc002 +- Fix init script to use su instead of sudo for ubuntu debian fedora +- Fix sentinel_enable recipe to properly run if using default attributes +- Save property for redis config now is defined by using an array +- Small changes to default configuration options to bring in line with redis defaults. +- Added options for the following + - tcp-keepalive + +## 2.2.1 + +- Allow sentinel to control both redis and redis-sentinel configs depending on attribute `redisio.sentinel.manage_config` state. + +## 2.2.0 + +- Adds behavior to allow the cookbook to NOT manage the redis config files as redis itself will write to them now if you are using sentinel + +## 2.1.0 + +- Adds options for the following + - lua-time-limit + - slowlog-logs-slower-than + - slowlog-max-len + - notify-keyspace-events + - client-output-buffer-limit + - hz + - aof-rewrite-incremental-fsync +- Removes the uninstall recipe and resource. +- Adds the ability to skip the default recipe calling install and configure by setting redisio bypass_setup attribute to true +- Adds support for redis sentinel [Thanks to rcleere, Ryan Walker] +- Splits up the install resource into separate install and configure resources [Thanks to rcleere] +- By default now calls _install_prereqs, install, and configure in the default recipe. +- Changes default version of redis to install to 2.8.5 +- Now depends on the build-essential cookbook. +- Fixes issue #76 - Default settings save as empty string breaks install +- Switches mirror server from googlefiles to redis.io. If you are using version of redis before 2.6.16 you will need to override the mirror server attribute + to use the old site with archived versions. +- Adds a Vagrant file! +- maxmemory will be rounded when calculated as a percentage +- Add stop-writes-on-bgsave-error config option +- Changes default log level from verbose to notice +- Adds configuration options for ziplists and active rehashing +- Adds support for passing the address attribute as an array. This is to support the redis 2.8 series which allows binding to multiple addresses +- Fixes a bug where multiple redis instances were using the same swapfile (only for version of redis 2.4 and below) +- Changes the job_control per instance attribute to a global one. +- Adds a status command to the init.d script, uses this in the initd based service for checking status + +## 2.0.0 + + ! THIS RELEASE HAS MANY BREAKING CHANGES ! + ! Your old role file will most likely not work ! + +- Supports redis 2.8 and its use of the empty string for stdout in the logfile option +- Allows the user to specify required_start and required_start when using the init scripts +- Warns a user if they have syslogenabled set to yes and also have logfile set + +## 1.7.1 (2014-02-10) + +- Bumps default version of redis to 2.6.17 +- Changes the redis download mirror to redis.io +- Fixes #76 - Default settings save as empty string breaks install. [Thanks to astlock] +- Fixes bug with nil file resource for logfile. [Thanks to chrismoos] + +## 1.7.0 (2013-07-25) + +- Adds support for address attribute as an array or string. This is to support the feature that will be introduced in redis 2.8 + +## 1.6.0 (2013-06-27) + +- Fixes a bug when using a percentage for max memory. [Thanks to organicveggie] +- Allows installation of redis into custom directory. [Thanks to organicveggie, rcleere] +- Bumps the default installed version of redis to the new stable, 2.6.14 + +## 1.5.0 (2013-03-30) + +- Forces maxmemory to a string inside of install provider so it will not explode if you pass in an int. [Thanks to sprack] +- Strips leading directory from downloaded tarball, and extracts into a newly created directory. This allows more versatility for where the package can be installed from (Github / BitBucket) [Thanks to dim] +- Adds options for Redis Cluster [Thanks to jrallison] +- Adds a call to ulimit into the init script, it was not honoring the limits set by the ulimit cookbook for some users. [Thanks to mike-yesware] + +## 1.4.1 (2013-02-27) + +- Removes left over debugging statement + +## 1.4.0 (2013-02-27) + +- ACTUALLY fixes the use of upstart and redis. Redis no longer daemonizes itself when using job_control type upstart and allows upstart to handle this +- Adds dependency on the ulimit cookbook and allows you to set the ulimits for the redis instance users. +- Adds associated node attribute for the ulimit. It defaults to the special value 0, which causes the cookbook to use maxclients + 32. 32 is the number of file descriptors redis needs itself +- You can disable the use of the ulimits by setting the node attribute for it to "false" or "nil" +- Comments out the start on by default in the upstart script. This will get uncommented by the upstart provider when the :enable action is called on it + +## 1.3.2 (2013-02-26) + +- Changes calls to Chef::ShellOut to Mixlib::ShellOut + +## 1.3.1 (2013-02-26) + +- Fixes bug in upstart script to create pid directory if it does not exist + +## 1.3.0 (2013-02-20) + +- Adds upstart support. This was a much requested feature. +- Fixes bug in uninstall resource that would have prevented it from uninstalling named servers. +- Reworks the init script to take into account the IP redis is listening on, and if it is listening on a socket. +- Adds an attribute called "shutdown_save" which will explicitly call save on redis shutdown +- Updates the README.md with a shorter and hopefully equally as useful usage section +- maxmemory attribute now allows the use of percentages. You must include a % sign after the value. +- Bumps default version of redis to install to the current stable, 2.6.10 + +## 1.2.0 (2013-02-06) + +- Fixes bug related to where the template source resides when using the LWRP outside of the redisio cookbook +- Fixes bug where the version method was not properly parsing version strings in redis 2.6.x, as the version string from redis-server -v changed +- Fixes bug in default attributes for fedora default redis data directory +- Now uses chefs service resource for each redis instance instead of using a custom redisio_service resource. This cleans up many issues, including a lack of updated_by_last_action +- The use of the redisio_service resource is deprecated. Use the redis port_number instead. +- The default version of redis has been bumped to the current stable, which is 2.6.9 +- Adds metadata.json to the gitignore file so that the cookbook can be submoduled. +- Adds the ability to handle non standard bind address in the init scripts stop command +- Adds attributes to allow redis to listen on a socket +- Adds an attribute to allow redis service accounts to be created as system users, defaults this to true +- Adds a per server "name" attribute that allows a server to use that instead of the port for its configuration files, service resource, and init script. +- Shifts the responsbility for handling the case of default redis instances into the install recipe due to the behavior of arrays and deep merge + +## 1.1.0 (2012-08-21) + +! Warning breaking change !: The redis pidfile directory by default has changed, if you do not STOP redis before upgrading to the new version + of this cookbook, it will not be able to stop your instance properly via the redis service provider, or the init script. + If this happens to you, you can always log into the server and manually send a SIGTERM to redis + +- Changed the init script to run redis as the specified redis user +- Updated the default version of redis to 2.4.16 +- Setup a new directory structure for redis pid files. The install provider will now nest its pid directories in base_piddir/port number/redis_port.pid. +- Added a RedisioHelper module in libraries. The recipe_eval method inside is used to wrap nested resources to allow for the proper resource update propigation. The install provider uses this. +- The init script now properly respects the configdir attribute +- Changed the redis data directories to be 775 instead of 755 (this allows multiple instances with different owners to write their data to the same shared dir so long as they are in a common group) +- Changed default for maxclients to be 10000 instead of 0. This is to account for the fact that maxclients no longer supports 0 as 'unlimited' in the 2.6 series +- Added logic to replace hash-max-ziplist-entries, hash-max-ziplist-value with hash-max-zipmap-entires, hash-max-zipmap-value when using 2.6 series +- Added the ability to log to any file, not just syslog. Please do make sure after you set your file with the logfile attribute you also set syslogenabled to 'no' + +## 1.0.3 (2012-05-02) + +- Added changelog.md +- Added a bunch more configuration options that were left out (default values left as they were before): + - databases + - slaveservestaledata + - replpingslaveperiod + - repltimeout + - maxmemorysamples + - noappendfsynconwrite + - aofrewritepercentage + - aofrewriteminsize + + It is worth nothing that since there is a configurable option for conf include files, and the fact that redis uses the most recently read configuration option... even if a new option where to show up, or and old one was not included they could be added using that pattern. + +## 1.0.2 (2012-04-25) + +- Merged in pull request from meskyanichi which improved the README.md and added a .gitignore +- Added a "safe_install" node attribute which will prevent redis from installing anything if it exists already. Defaults to true. +- Addedd a "redis_gem" recipe which will install the redis gem from ruby gems, added associated attributes. See README for me + +## 1.0.1 (2012-04-08) + +- Added some prequisite checks for RHEL based distributions +- Minor typos and formatting fixes in metadata.rb and README.md + +## 1.0.0 (2012-04-08) + + Initial Release diff --git a/cookbooks/redisio/LICENSE b/cookbooks/redisio/LICENSE new file mode 100644 index 0000000..5c304d1 --- /dev/null +++ b/cookbooks/redisio/LICENSE @@ -0,0 +1,201 @@ +Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/cookbooks/redisio/README.md b/cookbooks/redisio/README.md new file mode 100644 index 0000000..ff70a51 --- /dev/null +++ b/cookbooks/redisio/README.md @@ -0,0 +1,513 @@ +# Redisio Cookbook + +[![Cookbook Version](https://img.shields.io/cookbook/v/redisio.svg)](https://supermarket.chef.io/cookbooks/redisio) +[![Build Status](https://img.shields.io/circleci/project/github/sous-chefs/redisio/master.svg)](https://circleci.com/gh/sous-chefs/redisio) +[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers) +[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors) +[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0) + +Please read the changelog when upgrading from the 1.x series to the 2.x series + +## Description + +Website:: [https://github.com/sous-chefs/redisio](https://github.com/sous-chefs/redisio) + +Installs and configures Redis server instances + +## Maintainers + +This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF). + +## Requirements + +This cookbook builds redis from source or install it from packages, so it should work on any architecture for the supported distributions. Init scripts are installed into /etc/init.d/ + +It depends on the ulimit cookbook: [https://github.com/bmhatfield/chef-ulimit](https://github.com/bmhatfield/chef-ulimit) and the build-essentials cookbook: [https://github.com/chef-cookbooks/build-essential](https://github.com/opscode-cookbooks/build-essential) + +### Platforms + +* Debian, Ubuntu +* CentOS, Red Hat, Fedora, Scientific Linux +* FreeBSD + +### Testing + +This cookbook is tested with Delivery's local mode run under Chef-DK and Test Kitchen + +* delivery local all +* kitchen test + +Tested on: + +* Centos 6 +* Centos 7 +* Debian 8 +* Fedora 28 +* Ubuntu 16.04 + +## Usage + +The redisio cookbook contains LWRP for installing, configuring and managing redis and redis_sentinel. + +The install recipe can build, compile and install redis from sources or install from packages. The configure recipe will configure redis and setup service resources. These resources will be named for the port of the redis server, unless a "name" attribute was specified. Example names would be: service["redis6379"] or service["redismaster"] if the name attribute was "master". +_NOTE: currently installation from source is not supported for FreeBSD_ + +The most common use case for the redisio cookbook is to use the default recipe, followed by the enable recipe. + +Another common use case is to use the default, and then call the service resources created by it from another cookbook. + +It is important to note that changing the configuration options of redis does not make them take effect on the next chef run. Due to how redis works, you cannot reload a configuration without restarting the redis service. Redis does not offer a reload option, in order to have new options be used redis must be stopped and started. + +You should make sure to set the ulimit for the user you want to run redis as to be higher than the max connections you allow. +_NOTE: setting ulimit is not supported on FreeBSD since the ulimit cookbook doesn't support FreeBSD_ + +The disable recipe just stops redis and removes it from run levels. + +The cookbook also contains a recipe to allow for the installation of the redis ruby gem. + +Redis-sentinel will write configuration and state data back into its configuration file. This creates obvious problems when that config is managed by chef. By default, this cookbook will create the config file once, and then leave a breadcrumb that will guard against the file from being updated again. + +### Recipes + +* configure - This recipe is used to configure redis. +* default - This is used to install the pre-requisites for building redis, and to make the LWRPs available +* disable - This recipe can be used to disable the redis service and remove it from runlevels +* enable - This recipe can be used to enable the redis services and add it to runlevels +* install - This recipe is used to install redis. +* redis_gem - This recipe can be used to install the redis ruby gem +* sentinel - This recipe can be used to install and configure sentinel +* sentinel_enable - This recipe can be used to enable the sentinel service(s) +* disable_os_default - This recipe can be used to disable the default OS redis init script + +### Role File Examples + +#### Install redis and setup an instance with default settings on default port, and start the service through a role file + +```ruby +run_list *%w[ + recipe[redisio] + recipe[redisio::enable] +] + +default_attributes({}) +``` + +##### Install redis with packages and setup an instance with default settings on default port, and start the service through a role file + +```ruby +run_list *%w[ + recipe[redisio] + recipe[redisio::enable] +] + +default_attributes({ + 'redisio' => { + package_install: true + version: + } +}) +``` + +##### Install redis, give the instance a name, and use a unix socket + +```ruby +run_list *%w[ + recipe[redisio] + recipe[redisio::enable] +] + +default_attributes({ + 'redisio' => { + 'servers' => [ + {'name' => 'master', 'port' => '6379', 'unixsocket' => '/tmp/redis.sock', 'unixsocketperm' => '755'}, + ] + } +}) +``` + +##### Install redis and pull the password from an encrypted data bag + +```ruby +run_list *%w[ + recipe[redisio] + recipe[redisio::enable] +] + +default_attributes({ + 'redisio' => { + 'servers' => [ + {'data_bag_name' => 'redis', 'data_bag_item' => 'auth', 'data_bag_key' => 'password'}, + ] + } +}) +``` + +###### Data Bag + +```ruby +{ + "id": "auth", + "password": "abcdefghijklmnopqrstuvwxyz" +} +``` + +##### Install redis and setup two instances on the same server, on different ports, with one slaved to the other through a role file + +```ruby +run_list *%w[ + recipe[redisio] + recipe[redisio::enable] +] + +default_attributes({ + 'redisio' => { + 'servers' => [ + {'port' => '6379'}, + {'port' => '6380', 'slaveof' => { 'address' => '127.0.0.1', 'port' => '6379' }} + ] + } +}) +``` + +##### Install redis and setup two instances, on the same server, on different ports, with the default data directory changed to /mnt/redis, and the second instance named + +```ruby +run_list *%w[ + recipe[redisio] + recipe[redisio::enable] +] + +default_attributes({ + 'redisio' => { + 'default_settings' => {'datadir' => '/mnt/redis'}, + 'servers' => [{'port' => '6379'}, {'port' => '6380', 'name' => "MyInstance"}] + } +}) +``` + +##### Install redis and setup three instances on the same server, changing the default data directory to /mnt/redis, each instance will use a different backup type, and one instance will use a different data dir + +```ruby +run_list *%w[ + recipe[redisio] + recipe[redisio::enable] +] + +default_attributes({ + 'redisio' => { + 'default_settings' => { 'datadir' => '/mnt/redis/'}, + 'servers' => [ + {'port' => '6379','backuptype' => 'aof'}, + {'port' => '6380','backuptype' => 'both'}, + {'port' => '6381','backuptype' => 'rdb', 'datadir' => '/mnt/redis6381'} + ] + } +}) +``` + +##### Install redis 2.4.11 (lower than the default version) and turn safe install off, for the event where redis is already installed This will use the default settings. Keep in mind the redis version will not actually be updated until you restart the service (either through the LWRP or manually) + +```ruby +run_list *%w[ + recipe[redisio] + recipe[redisio::enable] +] + +default_attributes({ + 'redisio' => { + 'safe_install' => false, + 'version' => '2.4.11' + } +}) +``` + +##### Install a single redis-sentinel to listen for a master on localhost and default port number + +```ruby +run_list *%w[ + recipe[redisio::sentinel] + recipe[redisio::sentinel_enable] +] +``` + +#### Install redis and setup two instances, on the same server, on different ports, the second instance configuration file will be overwriten by chef + +```ruby +run_list *%w[ + recipe[redisio] + recipe[redisio::enable] +] + +default_attributes({ + 'redisio' => { + 'servers' => [{'port' => '6379'}, {'port' => '6380', 'breadcrumb' => false}] + } +}) +``` + +## LWRP Examples + +Instead of using my provided recipes, you can simply depend on the redisio cookbook in your metadata and use the LWRP's yourself. I will show a few examples of ways to use the LWRPS, detailed breakdown of options are below +in the resources/providers section + +### Install Resource + +It is important to note that this call has certain expectations for example, it expects the redis package to be in the format `redis-VERSION.tar.gz'. + +```ruby +redisio_install "redis-installation" do + version '2.6.9' + download_url 'http://redis.googlecode.com/files/redis-2.6.9.tar.gz' + safe_install false + install_dir '/usr/local/' +end +``` + +### Configure Resource + +The servers resource expects an array of hashes where each hash is required to contain at a key-value pair of 'port' => 'port numbers'. + +```ruby +redisio_configure "redis-servers" do + version '2.6.9' + default_settings node['redisio']['default_settings'] + servers node['redisio']['servers'] + base_piddir node['redisio']['base_piddir'] +end +``` + +### Sentinel Resource + +The sentinel resource installs and configures all of your redis_sentinels defined in sentinel_instances + +Using the sentinel resources: + +```ruby +redisio_sentinel "redis-sentinels" do + version '2.6.9' + sentinel_defaults node['redisio']['sentinel_defaults'] + sentinels sentinel_instances + base_piddir node['redisio']['base_piddir'] +end +``` + +## Attributes + +Configuration options, each option corresponds to the same-named configuration option in the redis configuration file; default values listed + +* `redisio['mirror']` - mirror server with path to download redis package, default is [http://download.redis.io/releases/](http://download.redis.io/releases/) +* `redisio['base_name']` - the base name of the redis package to be downloaded (the part before the version), default is 'redis-' +* `redisio['artifact_type']` - the file extension of the package. currently only .tar.gz and .tgz are supported, default is 'tar.gz' +* `redisio['version']` - the version number of redis to install (also appended to the `base_name` for downloading), default is '2.8.17' +* `redisio['safe_install']` - prevents redis from installing itself if another version of redis is installed, default is true +* `redisio['base_piddir']` - This is the directory that redis pidfile directories and pidfiles will be placed in. Since redis can run as non root, it needs to have proper + permissions to the directory to create its pid. Since each instance can run as a different user, these directories will all be nested inside this base one. +* `redisio['bypass_setup']` - This attribute allows users to prevent the default recipe from calling the install and configure recipes. +* `redisio['job_control']` - This deteremines what job control type will be used. Currently supports 'initd' or 'upstart' options. Defaults to 'initd'. + +Default settings is a hash of default settings to be applied to to ALL instances. These can be overridden for each individual server in the servers attribute. If you are going to set logfile to a specific file, make sure to set syslog-enabled to no. + +* `redisio['default_settings']` - { 'redis-option' => 'option setting' } + +Available options and their defaults + +```config +'user' => 'redis' - the user to own the redis datadir, redis will also run under this user +'group' => 'redis' - the group to own the redis datadir +'permissions' => '0644' - the unix permissions applied to the server config file +'homedir' => Home directory of the user. Varies on distribution, check attributes file +'shell' => Users shell. Varies on distribution, check attributes file +'systemuser' => true - Sets up the instances user as a system user +'ulimit' => 0 - 0 is a special value causing the ulimit to be maxconnections +32. Set to nil or false to disable setting ulimits +'configdir' => '/etc/redis' - configuration directory +'name' => nil, Allows you to name the server with something other than port. Useful if you want to use unix sockets +'tcpbacklog' => '511', +'address' => nil, Can accept a single string or an array. When using an array, the FIRST value will be used by the init script for connecting to redis +'databases' => '16', +'backuptype' => 'rdb', +'datadir' => '/var/lib/redis', +'unixsocket' => nil - The location of the unix socket to use, +'unixsocketperm' => nil - The permissions of the unix socket, +'timeout' => '0', +'keepalive' => '0', +'loglevel' => 'notice', +'logfile' => nil, +'syslogenabled' => 'yes', +'syslogfacility' => 'local0', +'shutdown_save' => false, +'save' => nil, # Defaults to ['900 1','300 10','60 10000'] inside of template. Needed due to lack of hash subtraction +'stopwritesonbgsaveerror' => 'yes', +'rdbcompression' => 'yes', +'rdbchecksum' => 'yes', +'dbfilename' => nil, +'slaveof' => nil, +'masterauth' => nil, +'slaveservestaledata' => 'yes', +'slavereadonly' => 'yes', +'repldisklesssync' => 'no', # Requires redis 2.8.18+ +'repldisklesssyncdelay' => '5', # Requires redis 2.8.18+ +'replpingslaveperiod' => '10', +'repltimeout' => '60', +'repldisabletcpnodelay => 'no', +'slavepriority' => '100', +'requirepass' => nil, +'rename_commands' => nil, or a hash where each key is a redis command and the value is the command's new name. +'maxclients' => 10000, +'maxmemory' => nil, +'maxmemorypolicy' => nil, +'maxmemorysamples' => nil, +'appendfilename' => nil, +'appendfsync' => 'everysec', +'noappendfsynconrewrite' => 'no', +'aofrewritepercentage' => '100', +'aofrewriteminsize' => '64mb', +'luatimelimit' => '5000', +'slowloglogslowerthan' => '10000', +'slowlogmaxlen' => '1024', +'notifykeyspaceevents' => '', +'hashmaxziplistentries' => '512', +'hashmaxziplistvalue' => '64', +'listmaxziplistentries' => '512', +'listmaxziplistvalue' => '64', +'setmaxintsetentries' => '512', +'zsetmaxziplistentries' => '128', +'zsetmaxziplistvalue' => '64', +'hllsparsemaxbytes' => '3000', +'activerehasing' => 'yes', +'clientoutputbufferlimit' => [ + %w(normal 0 0 0), + %w(slave 256mb 64mb 60), + %w(pubsub 32mb 8mb 60) +], +'hz' => '10', +'aofrewriteincrementalfsync' => 'yes', +'clusterenabled' => 'no', +'clusterconfigfile' => nil, # Defaults to redis instance name inside of template if cluster is enabled. +'clusternodetimeout' => 5000, +'includes' => nil, +'breadcrumb' => true # Defaults to create breadcrumb lock-file. +``` + +* `redisio['servers']` - An array where each item is a set of key value pairs for redis instance specific settings. The only required option is 'port'. These settings will override the options in 'default_settings', if it is left `nil` it will default to `[{'port' => '6379'}]`. If set to `[]` (empty array), no instances will be created. + +The redis_gem recipe will also allow you to install the redis ruby gem, these are attributes related to that, and are in the redis_gem attributes file. + +* `redisio['gem']['name']` - the name of the gem to install, defaults to 'redis' +* `redisio['gem']['version']` - the version of the gem to install. if it is nil, the latest available version will be installed. + +The sentinel recipe's use their own attribute file. + +* `redisio['sentinel_defaults']` - { 'sentinel-option' => 'option setting' } + +```config +'user' => 'redis', +'configdir' => '/etc/redis', +'sentinel_bind' => nil, +'sentinel_port' => 26379, +'monitor' => nil, +'down-after-milliseconds' => 30000, +'can-failover' => 'yes', +'parallel-syncs' => 1, +'failover-timeout' => 900000, +'loglevel' => 'notice', +'logfile' => nil, +'syslogenabled' => 'yes', +'syslogfacility' => 'local0', +'quorum_count' => 2, +'protected-mode' => nil, +``` + +* `redisio['redisio']['sentinel']['manage_config']` - Should the cookbook manage the redis and redis sentinel config files. This is best set to false when using redis_sentinel as it will write state into both configuration files. + +* `redisio['redisio']['sentinels']` - Array of sentinels to configure on the node. These settings will override the options in 'sentinel_defaults', if it is left `nil` it will default to `[{'port' => '26379', 'name' => 'mycluster', 'master_ip' => '127.0.0.1', 'master_port' => 6379}]`. If set to `[]` (empty array), no instances will be created. + +You may also pass an array of masters to monitor like so: + +```ruby +[{ + 'sentinel_port' => '26379', + 'name' => 'mycluster_sentinel', + 'masters' => [ + { 'master_name' => 'master6379', 'master_ip' => '127.0.0.1', 'master_port' => 6379 }, + { 'master_name' => 'master6380', 'master_ip' => '127.0.0.1', 'master_port' => 6380 } + ] + +}] +``` + +## Resources/Providers + +### `install` + +Actions: + +* `run` - perform the install (default) +* `nothing` - do nothing + +Attribute Parameters + +* `version` - the version of redis to download / install +* `download_url` - the URL plus filename of the redis package to install +* `download_dir` - the directory to store the downloaded package +* `artifact_type` - the file extension of the package +* `base_name` - the name of the package minus the extension and version number +* `safe_install` - a true or false value which determines if a version of redis will be installed if one already exists, defaults to true + +This resource expects the following naming conventions: + +package file should be in the format base_nameVersion_number.artifact_type + +package file after extraction should be inside of the directory base_nameVersion_number + +```ruby +install "redis" do + action [:run,:nothing] +end +``` + +### `configure` + +Actions: + +* `run` - perform the configure (default) +* `nothing` - do nothing + +Attribute Parameters + +* `version` - the version of redis to download / install +* `base_piddir` - directory where pid files will be created +* `user` - the user to run redis as, and to own the redis files +* `group` - the group to own the redis files +* `default_settings` - a hash of the default redis server settings +* `servers` - an array of hashes containing server configurations overrides (port is the only required) + +```ruby +configure "redis" do + action [:run,:nothing] +end +``` + +## Contributors + +This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false) + +### Backers + +Thank you to all our backers! + +![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40) + +### Sponsors + +Support this project by becoming a sponsor. Your logo will show up here with a link to your website. + +![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100) diff --git a/cookbooks/redisio/attributes/default.rb b/cookbooks/redisio/attributes/default.rb new file mode 100644 index 0000000..411b943 --- /dev/null +++ b/cookbooks/redisio/attributes/default.rb @@ -0,0 +1,171 @@ +package_bin_path = '/usr/bin' +config_dir = '/etc/redis' +default_package_install = false + +case node['platform'] +when 'ubuntu', 'debian' + shell = '/bin/false' + homedir = '/var/lib/redis' + package_name = 'redis-server' +when 'centos', 'redhat', 'scientific', 'amazon', 'suse', 'fedora' + shell = '/bin/sh' + homedir = '/var/lib/redis' + package_name = 'redis' +when 'freebsd' + shell = '/bin/sh' + homedir = '/var/lib/redis' + package_name = 'redis' + package_bin_path = '/usr/local/bin' + config_dir = '/usr/local/etc/redis' + default_package_install = true +else + shell = '/bin/sh' + homedir = '/redis' + package_name = 'redis' +end + +# Overwite template used for the Redis Server config (not sentinel) +default['redisio']['redis_config']['template_cookbook'] = 'redisio' +default['redisio']['redis_config']['template_source'] = 'redis.conf.erb' + +# Install related attributes +default['redisio']['safe_install'] = true +default['redisio']['package_install'] = default_package_install +default['redisio']['package_name'] = package_name +default['redisio']['bypass_setup'] = false + +# Tarball and download related defaults +default['redisio']['mirror'] = 'http://download.redis.io/releases/' +default['redisio']['base_name'] = 'redis-' +default['redisio']['artifact_type'] = 'tar.gz' +default['redisio']['base_piddir'] = '/var/run/redis' + +# Version +default['redisio']['version'] = if node['redisio']['package_install'] + # latest version (only for package install) + nil + else + # force version for tarball + '3.2.11' + end + +# Custom installation directory +default['redisio']['install_dir'] = nil + +# Job control related options (initd, upstart, or systemd) +default['redisio']['job_control'] = if systemd? + 'systemd' + elsif platform_family?('freebsd') + 'rcinit' + else + 'initd' + end + +# Init.d script related options +default['redisio']['init.d']['required_start'] = [] +default['redisio']['init.d']['required_stop'] = [] + +# Default settings for all redis instances, these can be overridden on a per server basis in the 'servers' hash +default['redisio']['default_settings'] = { + 'user' => 'redis', + 'group' => 'redis', + 'permissions' => '0644', + 'homedir' => homedir, + 'shell' => shell, + 'systemuser' => true, + 'uid' => nil, + 'ulimit' => 0, + 'configdir' => config_dir, + 'name' => nil, + 'tcpbacklog' => '511', + 'address' => nil, + 'databases' => '16', + 'backuptype' => 'rdb', + 'datadir' => '/var/lib/redis', + 'unixsocket' => nil, + 'unixsocketperm' => nil, + 'timeout' => '0', + 'keepalive' => '0', + 'loglevel' => 'notice', + 'logfile' => nil, + 'syslogenabled' => 'yes', + 'syslogfacility' => 'local0', + 'shutdown_save' => false, + 'save' => nil, # Defaults to ['900 1','300 10','60 10000'] inside of template. Needed due to lack of hash subtraction + 'stopwritesonbgsaveerror' => 'yes', + 'rdbcompression' => 'yes', + 'rdbchecksum' => 'yes', + 'dbfilename' => nil, + 'slaveof' => nil, + 'protected_mode' => nil, # unspecified by default but could be set explicitly to 'yes' or 'no' + 'masterauth' => nil, + 'slaveservestaledata' => 'yes', + 'slavereadonly' => 'yes', + 'repldisklesssync' => 'no', + 'repldisklesssyncdelay' => '5', + 'replpingslaveperiod' => '10', + 'repltimeout' => '60', + 'repldisabletcpnodelay' => 'no', + 'replbacklogsize' => '1mb', + 'replbacklogttl' => 3600, + 'slavepriority' => '100', + 'requirepass' => nil, + 'rename_commands' => nil, + 'maxclients' => 10000, + 'maxmemory' => nil, + 'maxmemorypolicy' => nil, + 'maxmemorysamples' => nil, + 'appendfilename' => nil, + 'appendfsync' => 'everysec', + 'noappendfsynconrewrite' => 'no', + 'aofrewritepercentage' => '100', + 'aofrewriteminsize' => '64mb', + 'aofloadtruncated' => 'yes', + 'luatimelimit' => '5000', + 'slowloglogslowerthan' => '10000', + 'slowlogmaxlen' => '1024', + 'notifykeyspaceevents' => '', + 'hashmaxziplistentries' => '512', + 'hashmaxziplistvalue' => '64', + 'listmaxziplistentries' => '512', + 'listmaxziplistvalue' => '64', + 'setmaxintsetentries' => '512', + 'zsetmaxziplistentries' => '128', + 'zsetmaxziplistvalue' => '64', + 'hllsparsemaxbytes' => '3000', + 'activerehasing' => 'yes', + 'clientoutputbufferlimit' => [ + %w(normal 0 0 0), + %w(slave 256mb 64mb 60), + %w(pubsub 32mb 8mb 60), + ], + 'hz' => '10', + 'aofrewriteincrementalfsync' => 'yes', + 'clusterenabled' => 'no', + 'clusterconfigfile' => nil, # Defaults to redis instance name inside of template if cluster is enabled. + 'clusternodetimeout' => 5000, + 'includes' => nil, + 'data_bag_name' => nil, + 'data_bag_item' => nil, + 'data_bag_key' => nil, + 'minslavestowrite' => nil, + 'minslavesmaxlag' => nil, + 'breadcrumb' => true, +} + +# The default for this is set inside of the "install" recipe. This is due to the way deep merge handles arrays +default['redisio']['servers'] = nil + +# Define binary path +default['redisio']['bin_path'] = if node['redisio']['package_install'] + package_bin_path + else + '/usr/local/bin' + end + +# Ulimit +default['ulimit']['pam_su_template_cookbook'] = nil +default['ulimit']['users'] = Mash.new +default['ulimit']['security_limits_directory'] = '/etc/security/limits.d' +default['ulimit']['ulimit_overriding_sudo_file_name'] = 'sudo' +default['ulimit']['ulimit_overriding_sudo_file_cookbook'] = nil diff --git a/cookbooks/redisio/attributes/redis_gem.rb b/cookbooks/redisio/attributes/redis_gem.rb new file mode 100644 index 0000000..5c84a8a --- /dev/null +++ b/cookbooks/redisio/attributes/redis_gem.rb @@ -0,0 +1,3 @@ +# Allow for a redis ruby gem to be installed +default['redisio']['gem']['name'] = 'redis' +default['redisio']['gem']['version'] = nil diff --git a/cookbooks/redisio/attributes/redis_sentinel.rb b/cookbooks/redisio/attributes/redis_sentinel.rb new file mode 100644 index 0000000..3d8469e --- /dev/null +++ b/cookbooks/redisio/attributes/redis_sentinel.rb @@ -0,0 +1,36 @@ +config_dir = if platform_family?('freebsd') + '/usr/local/etc/redis' + else + '/etc/redis' + end + +default['redisio']['sentinel_defaults'] = { + 'user' => 'redis', + 'configdir' => config_dir, + 'sentinel_bind' => nil, + 'sentinel_port' => 26379, + 'monitor' => nil, + 'down_after_milliseconds' => 30000, + 'can-failover' => 'yes', + 'parallel-syncs' => 1, + 'failover_timeout' => 900000, + 'loglevel' => 'notice', + 'logfile' => nil, + 'syslogenabled' => 'yes', + 'syslogfacility' => 'local0', + 'quorum_count' => 2, + 'data_bag_name' => nil, + 'data_bag_item' => nil, + 'data_bag_key' => nil, + 'announce-ip' => nil, + 'announce-port' => nil, + 'notification-script' => nil, + 'client-reconfig-script' => nil, + 'protected_mode' => nil, +} + +# Manage Sentinel Config File +## Will write out the base config one time then no longer manage the config allowing sentinel to take over +default['redisio']['sentinel']['manage_config'] = true # Deprecated + +default['redisio']['sentinels'] = nil diff --git a/cookbooks/redisio/chefignore b/cookbooks/redisio/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/cookbooks/redisio/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/cookbooks/redisio/files/sudo b/cookbooks/redisio/files/sudo new file mode 100644 index 0000000..5e97689 --- /dev/null +++ b/cookbooks/redisio/files/sudo @@ -0,0 +1,8 @@ +#%PAM-1.0 + +auth required pam_env.so readenv=1 user_readenv=0 +auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0 +session required pam_limits.so +@include common-auth +@include common-account +@include common-session-noninteractive diff --git a/cookbooks/redisio/kitchen.dokken.yml b/cookbooks/redisio/kitchen.dokken.yml new file mode 100644 index 0000000..913c591 --- /dev/null +++ b/cookbooks/redisio/kitchen.dokken.yml @@ -0,0 +1,46 @@ +--- +driver: + name: dokken + privileged: true + chef_version: current + env: [CHEF_LICENSE=accept] + +transport: + name: dokken + +provisioner: + name: dokken + deprecations_as_errors: true + +verifier: + name: inspec + +platforms: + - name: centos-7 + driver: + image: dokken/centos-7 + pid_one_command: /usr/lib/systemd/systemd + run_list: + - recipe[yum-epel::default] + - recipe[yum-remi::default] + + - name: debian-9 + driver: + image: dokken/debian-9 + pid_one_command: /bin/systemd + intermediate_instructions: + - RUN /usr/bin/apt-get update + + - name: ubuntu-16.04 + driver: + image: dokken/ubuntu-16.04 + pid_one_command: /bin/systemd + intermediate_instructions: + - RUN /usr/bin/apt-get update + + - name: ubuntu-18.04 + driver: + image: dokken/ubuntu-18.04 + pid_one_command: /bin/systemd + intermediate_instructions: + - RUN /usr/bin/apt-get update diff --git a/cookbooks/redisio/libraries/matchers.rb b/cookbooks/redisio/libraries/matchers.rb new file mode 100644 index 0000000..813cdd9 --- /dev/null +++ b/cookbooks/redisio/libraries/matchers.rb @@ -0,0 +1 @@ +# cookbook/libraries/matchers.rb diff --git a/cookbooks/redisio/libraries/redisio.rb b/cookbooks/redisio/libraries/redisio.rb new file mode 100644 index 0000000..f1e7cdb --- /dev/null +++ b/cookbooks/redisio/libraries/redisio.rb @@ -0,0 +1,32 @@ +module RedisioHelper + def recipe_eval + sub_run_context = @run_context.dup + sub_run_context.resource_collection = Chef::ResourceCollection.new + begin + original_run_context = @run_context + @run_context = sub_run_context + yield + ensure + @run_context = original_run_context + end + + begin + Chef::Runner.new(sub_run_context).converge + ensure + new_resource.updated_by_last_action(true) if sub_run_context.resource_collection.any?(&:updated?) + end + end + + def self.version_to_hash(version_string) + version_array = version_string.split('.') + version_array[2] = version_array[2].split('-') + version_array.flatten! + + { + major: version_array[0].include?(':') ? version_array[0].split(':')[1] : version_array[0], + minor: version_array[1], + tiny: version_array[2], + rc: version_array[3], + } + end +end diff --git a/cookbooks/redisio/metadata.json b/cookbooks/redisio/metadata.json new file mode 100644 index 0000000..c23bc8a --- /dev/null +++ b/cookbooks/redisio/metadata.json @@ -0,0 +1,43 @@ +{ + "name": "redisio", + "description": "Installs and configures redis", + "long_description": "", + "maintainer": "Sous Chefs", + "maintainer_email": "help@sous-chefs.org", + "license": "Apache-2.0", + "platforms": { + "amazon": ">= 0.0.0", + "centos": ">= 0.0.0", + "debian": ">= 0.0.0", + "fedora": ">= 0.0.0", + "redhat": ">= 0.0.0", + "scientific": ">= 0.0.0", + "suse": ">= 0.0.0", + "ubuntu": ">= 0.0.0" + }, + "dependencies": { + "selinux": ">= 0.0.0" + }, + "providing": { + + }, + "recipes": { + + }, + "version": "6.1.0", + "source_url": "https://github.com/sous-chefs/redisio", + "issues_url": "https://github.com/sous-chefs/redisio/issues", + "privacy": false, + "chef_versions": [ + [ + ">= 16" + ] + ], + "ohai_versions": [ + + ], + "gems": [ + + ], + "eager_load_libraries": true +} diff --git a/cookbooks/redisio/metadata.rb b/cookbooks/redisio/metadata.rb new file mode 100644 index 0000000..ed977e9 --- /dev/null +++ b/cookbooks/redisio/metadata.rb @@ -0,0 +1,24 @@ +name 'redisio' +maintainer 'Sous Chefs' +maintainer_email 'help@sous-chefs.org' +license 'Apache-2.0' +description 'Installs and configures redis' +version '6.1.0' +source_url 'https://github.com/sous-chefs/redisio' +issues_url 'https://github.com/sous-chefs/redisio/issues' +chef_version '>= 16' + +%w( + amazon + centos + debian + fedora + redhat + scientific + suse + ubuntu +).each do |os| + supports os +end + +depends 'selinux' diff --git a/cookbooks/redisio/providers/configure.rb b/cookbooks/redisio/providers/configure.rb new file mode 100644 index 0000000..f3f19e6 --- /dev/null +++ b/cookbooks/redisio/providers/configure.rb @@ -0,0 +1,389 @@ +action :run do + configure + new_resource.updated_by_last_action(true) +end + +def configure + base_piddir = new_resource.base_piddir + + if !new_resource.version + redis_output = Mixlib::ShellOut.new("#{node['redisio']['bin_path']}/redis-server -v") + redis_output.run_command + redis_output.error! + current_version = redis_output.stdout.gsub(/.*v=((\d+\.){2}\d+).*/, '\1').chomp + else + current_version = new_resource.version + end + version_hash = RedisioHelper.version_to_hash(current_version) + + # Setup a configuration file and init script for each configuration provided + new_resource.servers.each do |current_instance| + # Retrieve the default settings hash and the current server setups settings hash. + current_instance_hash = current_instance.to_hash + current_defaults_hash = new_resource.default_settings.to_hash + + # Merge the configuration defaults with the provided array of configurations provided + current = current_defaults_hash.merge(current_instance_hash) + + # Merge in the default maxmemory + node_memory_kb = node['memory']['total'] + # On BSD platforms Ohai reports total memory as a Fixnum + + node_memory_kb = node_memory_kb.sub('kB', '').to_i if node_memory_kb.is_a?(String) + + # Here we determine what the logfile is. It has these possible states + # + # Redis 2.6 and lower can be + # stdout + # A path + # nil + # Redis 2.8 and higher can be + # empty string, which means stdout) + # A path + # nil + + if current['logfile'].nil? + log_file = nil + log_directory = nil + elsif current['logfile'] == 'stdout' || current['logfile'].empty? + log_directory = nil + log_file = current['logfile'] + else + log_directory = ::File.dirname(current['logfile']) + log_file = ::File.basename(current['logfile']) + if current['syslogenabled'] == 'yes' + Chef::Log.warn("log file is set to #{current['logfile']} but syslogenabled is also set to 'yes'") + end + end + + maxmemory = current['maxmemory'].to_s + if !maxmemory.empty? && maxmemory.include?('%') + # Just assume this is sensible like "95%" or "95 %" + percent_factor = current['maxmemory'].to_f / 100.0 + # Ohai reports memory in KB as it looks in /proc/meminfo + maxmemory = (node_memory_kb * 1024 * percent_factor / new_resource.servers.length).round.to_s + end + + descriptors = if current['ulimit'] == 0 + current['maxclients'] + 32 + elsif current['ulimit'] > current['maxclients'] + current['ulimit'] + else + current['maxclients'] + end + + recipe_eval do + server_name = current['name'] || current['port'] + piddir = "#{base_piddir}/#{server_name}" + aof_file = current['appendfilename'] || "#{current['datadir']}/appendonly-#{server_name}.aof" + rdb_file = current['dbfilename'] || "#{current['datadir']}/dump-#{server_name}.rdb" + + # Create the owner of the redis data directory + user current['user'] do + comment 'Redis service account' + manage_home true + home current['homedir'] + shell current['shell'] + system current['systemuser'] + uid current['uid'] unless current['uid'].nil? + end + + # Create the redis configuration directory + directory current['configdir'] do + owner 'root' + group platform_family?('freebsd') ? 'wheel' : 'root' + mode '0755' + recursive true + action :create + end + # Create the instance data directory + directory current['datadir'] do + owner current['user'] + group current['group'] + mode '0775' + recursive true + action :create + end + # Create the pid file directory + directory piddir do + owner current['user'] + group current['group'] + mode '0755' + recursive true + action :create + end + # Create the log directory if syslog is not being used + if log_directory + directory log_directory do + owner current['user'] + group current['group'] + mode '0755' + recursive true + action :create + end + end + # Configure SELinux if it is enabled + extend Chef::Util::Selinux + + if selinux_enabled? + selinux_policy_install 'install' + + selinux_policy_fcontext "#{current['configdir']}(/.*)?" do + secontext 'redis_conf_t' + end + selinux_policy_fcontext "#{current['datadir']}(/.*)?" do + secontext 'redis_var_lib_t' + end + selinux_policy_fcontext "#{piddir}(/.*)?" do + secontext 'redis_var_run_t' + end + if log_directory + selinux_policy_fcontext "#{log_directory}(/.*)?" do + secontext 'redis_log_t' + end + end + end + # Create the log file if syslog is not being used + if log_file + file current['logfile'] do + owner current['user'] + group current['group'] + mode '0644' + backup false + action :touch + # in version 2.8 or higher the empty string is used instead of stdout + only_if { !log_file.empty? && log_file != 'stdout' } + end + end + # Set proper permissions on the AOF or RDB files + file aof_file do + owner current['user'] + group current['group'] + mode '0644' + only_if { current['backuptype'] == 'aof' || current['backuptype'] == 'both' } + only_if { ::File.exist?(aof_file) } + end + file rdb_file do + owner current['user'] + group current['group'] + mode '0644' + only_if { current['backuptype'] == 'rdb' || current['backuptype'] == 'both' } + only_if { ::File.exist?(rdb_file) } + end + + # Setup the redis users descriptor limits + # Pending response on https://github.com/brianbianco/redisio/commit/4ee9aad3b53029cc3b6c6cf741f5126755e712cd#diff-8ae42a59a6f4e8dc5b4e6dd2d6a34eab + # TODO: ulimit cookbook v0.1.2 doesn't work with freeBSD + if current['ulimit'] && !platform_family?('freebsd') + user_ulimit current['user'] do + filehandle_limit descriptors + end + end + + computed_save = current['save'] + if current['save'] && current['save'].respond_to?(:each_line) + computed_save = current['save'].each_line + Chef::Log.warn("#{server_name}: given a save argument as a string, instead of an array.") + Chef::Log.warn("#{server_name}: This will be deprecated in future versions of the redisio cookbook.") + end + + # Load password for use with requirepass from data bag if needed + if current['data_bag_name'] && current['data_bag_item'] && current['data_bag_key'] + bag = data_bag_item(current['data_bag_name'], current['data_bag_item']) + current['requirepass'] = bag[current['data_bag_key']] + current['masterauth'] = bag[current['data_bag_key']] + end + + # Lay down the configuration files for the current instance + template "#{current['configdir']}/#{server_name}.conf" do + source node['redisio']['redis_config']['template_source'] + cookbook node['redisio']['redis_config']['template_cookbook'] + owner current['user'] + group current['group'] + mode current['permissions'] + action :create + variables( + version: version_hash, + piddir: piddir, + name: server_name, + job_control: node['redisio']['job_control'], + port: current['port'], + tcpbacklog: current['tcpbacklog'], + address: current['address'], + databases: current['databases'], + backuptype: current['backuptype'], + datadir: current['datadir'], + unixsocket: current['unixsocket'], + unixsocketperm: current['unixsocketperm'], + timeout: current['timeout'], + keepalive: current['keepalive'], + loglevel: current['loglevel'], + logfile: current['logfile'], + syslogenabled: current['syslogenabled'], + syslogfacility: current['syslogfacility'], + save: computed_save, + stopwritesonbgsaveerror: current['stopwritesonbgsaveerror'], + rdbcompression: current['rdbcompression'], + rdbchecksum: current['rdbchecksum'], + dbfilename: current['dbfilename'], + slaveof: current['slaveof'], + protected_mode: current['protected_mode'], + masterauth: current['masterauth'], + slaveservestaledata: current['slaveservestaledata'], + slavereadonly: current['slavereadonly'], + replpingslaveperiod: current['replpingslaveperiod'], + repltimeout: current['repltimeout'], + repldisabletcpnodelay: current['repldisabletcpnodelay'], + replbacklogsize: current['replbacklogsize'], + replbacklogttl: current['replbacklogttl'], + slavepriority: current['slavepriority'], + requirepass: current['requirepass'], + rename_commands: current['rename_commands'], + maxclients: current['maxclients'], + maxmemory: maxmemory, + maxmemorypolicy: current['maxmemorypolicy'], + maxmemorysamples: current['maxmemorysamples'], + appendfilename: current['appendfilename'], + appendfsync: current['appendfsync'], + noappendfsynconrewrite: current['noappendfsynconrewrite'], + aofrewritepercentage: current['aofrewritepercentage'], + aofrewriteminsize: current['aofrewriteminsize'], + aofloadtruncated: current['aofloadtruncated'], + luatimelimit: current['luatimelimit'], + slowloglogslowerthan: current['slowloglogslowerthan'], + slowlogmaxlen: current['slowlogmaxlen'], + notifykeyspaceevents: current['notifykeyspaceevents'], + hashmaxziplistentries: current['hashmaxziplistentries'], + hashmaxziplistvalue: current['hashmaxziplistvalue'], + listmaxziplistentries: current['listmaxziplistentries'], + listmaxziplistvalue: current['listmaxziplistvalue'], + setmaxintsetentries: current['setmaxintsetentries'], + zsetmaxziplistentries: current['zsetmaxziplistentries'], + zsetmaxziplistvalue: current['zsetmaxziplistvalue'], + hllsparsemaxbytes: current['hllsparsemaxbytes'], + activerehasing: current['activerehasing'], + clientoutputbufferlimit: current['clientoutputbufferlimit'], + hz: current['hz'], + aofrewriteincrementalfsync: current['aofrewriteincrementalfsync'], + clusterenabled: current['clusterenabled'], + clusterconfigfile: current['clusterconfigfile'], + clusternodetimeout: current['clusternodetimeout'], + includes: current['includes'], + minslavestowrite: current['minslavestowrite'], + minslavesmaxlag: current['minslavesmaxlag'], + repldisklesssync: current['repldisklesssync'], + repldisklesssyncdelay: current['repldisklesssyncdelay'] + ) + not_if { ::File.exist?("#{current['configdir']}/#{server_name}.conf.breadcrumb") } + end + + file "#{current['configdir']}/#{server_name}.conf.breadcrumb" do + content 'This file prevents the chef cookbook from overwritting the redis config more than once' + action :create_if_missing + only_if { current['breadcrumb'] == true } + end + + # Setup init.d file + bin_path = if node['redisio']['install_dir'] + ::File.join(node['redisio']['install_dir'], 'bin') + else + node['redisio']['bin_path'] + end + + case node['redisio']['job_control'] + when 'initd' + template "/etc/init.d/redis#{server_name}" do + source 'redis.init.erb' + cookbook 'redisio' + owner 'root' + group 'root' + mode '0755' + variables( + name: server_name, + bin_path: bin_path, + port: current['port'], + address: current['address'], + user: current['user'], + configdir: current['configdir'], + piddir: piddir, + requirepass: current['requirepass'], + shutdown_save: current['shutdown_save'], + platform: node['platform'], + unixsocket: current['unixsocket'], + ulimit: descriptors, + required_start: node['redisio']['init.d']['required_start'].join(' '), + required_stop: node['redisio']['init.d']['required_stop'].join(' ') + ) + end + when 'upstart' + template "/etc/init/redis#{server_name}.conf" do + source 'redis.upstart.conf.erb' + cookbook 'redisio' + owner current['user'] + group current['group'] + mode '0644' + variables( + name: server_name, + bin_path: bin_path, + port: current['port'], + user: current['user'], + group: current['group'], + configdir: current['configdir'], + piddir: piddir + ) + end + when 'rcinit' + template "/usr/local/etc/rc.d/redis#{server_name}" do + source 'redis.rcinit.erb' + cookbook 'redisio' + owner current['user'] + group current['group'] + mode '0755' + variables( + name: server_name, + bin_path: bin_path, + user: current['user'], + configdir: current['configdir'], + piddir: piddir + ) + end + when 'systemd' + service_name = "redis@#{server_name}" + reload_name = "#{service_name} systemd reload" + + file "/etc/tmpfiles.d/#{service_name}.conf" do + content "d #{piddir} 0755 #{current['user']} #{current['group']}\n" + owner 'root' + group 'root' + mode '0644' + end + + execute reload_name do + command 'systemctl daemon-reload' + action :nothing + end + + template "/lib/systemd/system/#{service_name}.service" do + source 'redis@.service.erb' + cookbook 'redisio' + owner 'root' + group 'root' + mode '0644' + variables( + bin_path: bin_path, + user: current['user'], + group: current['group'], + limit_nofile: descriptors + ) + notifies :run, "execute[#{reload_name}]", :immediately + end + end + end + end + # servers each loop +end + +def load_current_resource + @current_resource = Chef::Resource.resource_for_node(:redisio_configure, node).new(new_resource.name) + @current_resource +end diff --git a/cookbooks/redisio/providers/install.rb b/cookbooks/redisio/providers/install.rb new file mode 100644 index 0000000..977500d --- /dev/null +++ b/cookbooks/redisio/providers/install.rb @@ -0,0 +1,93 @@ +action :run do + # Package install + if node['redisio']['package_install'] + package_resource = package 'redisio_package_name' do + package_name node['redisio']['package_name'] + version node['redisio']['version'] + action :nothing + end + + package_resource.run_action(:install) + new_resource.updated_by_last_action(true) if package_resource.updated_by_last_action? + + # freeBSD does not support from source since ports does not support versioning (without a lot of hassle) + elsif platform_family?('freebsd') + raise 'Source install not supported for freebsd' + # Tarball install + else + @tarball = "#{new_resource.base_name}#{new_resource.version}.#{new_resource.artifact_type}" + + unless current_resource.version == new_resource.version || (redis_exists? && new_resource.safe_install) + Chef::Log.info("Installing Redis #{new_resource.version} from source") + download + unpack + build + install + new_resource.updated_by_last_action(true) + end + end +end + +def download + Chef::Log.info("Downloading redis tarball from #{new_resource.download_url}") + remote_file "#{new_resource.download_dir}/#{@tarball}" do + source new_resource.download_url + end +end + +def unpack + install_dir = "#{new_resource.base_name}#{new_resource.version}" + case new_resource.artifact_type + when 'tar.gz', '.tgz' + execute %(cd #{new_resource.download_dir} ; mkdir -p '#{install_dir}' ; tar zxf '#{@tarball}' --strip-components=1 -C '#{install_dir}' --no-same-owner) + else + raise Chef::Exceptions::UnsupportedAction, "Current package type #{new_resource.artifact_type} is unsupported" + end +end + +def build + execute "cd #{new_resource.download_dir}/#{new_resource.base_name}#{new_resource.version} && make clean && make" +end + +def install + install_prefix = if new_resource.install_dir + "PREFIX=#{new_resource.install_dir}" + else + '' + end + execute "cd #{new_resource.download_dir}/#{new_resource.base_name}#{new_resource.version} && make #{install_prefix} install" + new_resource.updated_by_last_action(true) +end + +def redis_exists? + bin_path = if node['redisio']['install_dir'] + ::File.join(node['redisio']['install_dir'], 'bin') + else + node['redisio']['bin_path'] + end + redis_server = ::File.join(bin_path, 'redis-server') + ::File.exist?(redis_server) +end + +def version + if redis_exists? + bin_path = if node['redisio']['install_dir'] + ::File.join(node['redisio']['install_dir'], 'bin') + else + node['redisio']['bin_path'] + end + redis_server = ::File.join(bin_path, 'redis-server') + redis_version = Mixlib::ShellOut.new("#{redis_server} -v") + redis_version.run_command + version = redis_version.stdout[/version (\d*.\d*.\d*)/, 1] || redis_version.stdout[/v=(\d*.\d*.\d*)/, 1] + Chef::Log.info("The Redis server version is: #{version}") + return version.delete("\n") + end + nil +end + +def load_current_resource + @current_resource = Chef::Resource.resource_for_node(:redisio_install, node).new(new_resource.name) + @current_resource.version(version) + @current_resource +end diff --git a/cookbooks/redisio/providers/sentinel.rb b/cookbooks/redisio/providers/sentinel.rb new file mode 100644 index 0000000..cf8a61c --- /dev/null +++ b/cookbooks/redisio/providers/sentinel.rb @@ -0,0 +1,256 @@ +action :run do + configure + new_resource.updated_by_last_action(true) +end + +def configure + base_piddir = new_resource.base_piddir + + current_version = if new_resource.version.nil? + version + else + new_resource.version + end + + version_hash = RedisioHelper.version_to_hash(current_version) + + # Setup a configuration file and init script for each configuration provided + new_resource.sentinels.each do |current_instance| + # Retrieve the default settings hash and the current server setups settings hash. + current_instance_hash = current_instance.to_hash + current_defaults_hash = new_resource.sentinel_defaults.to_hash + + # Merge the configuration defaults with the provided array of configurations provided + current = current_defaults_hash.merge(current_instance_hash) + + recipe_eval do + sentinel_name = current['name'] || current['port'] + sentinel_name = "sentinel_#{sentinel_name}" + piddir = "#{base_piddir}/#{sentinel_name}" + + # Create the owner of the redis data directory + user current['user'] do + comment 'Redis service account' + manage_home true + home current['homedir'] + shell current['shell'] + system current['systemuser'] + uid current['uid'] unless current['uid'].nil? + end + + # Create the redis configuration directory + directory current['configdir'] do + owner 'root' + group platform_family?('freebsd') ? 'wheel' : 'root' + mode '0755' + recursive true + action :create + end + # Create the pid file directory + directory piddir do + owner current['user'] + group current['group'] + mode '0755' + recursive true + action :create + end + + unless current['logfile'].nil? + # Create the log directory if syslog is not being used + directory ::File.dirname(current['logfile']) do + owner current['user'] + group current['group'] + mode '0755' + recursive true + action :create + only_if { current['syslogenabled'] != 'yes' && current['logfile'] && current['logfile'] != 'stdout' } + end + + # Create the log file is syslog is not being used + file current['logfile'] do + owner current['user'] + group current['group'] + mode '0644' + backup false + action :touch + only_if { current['logfile'] && current['logfile'] != 'stdout' } + end + end + + # <%=@name%> <%=@masterip%> <%=@masterport%> <%= @quorum_count %> + # <%= "sentinel auth-pass #{@name} #{@authpass}" unless @authpass.nil? %> + # sentinel down-after-milliseconds <%=@name%> <%=@downaftermil%> + # sentinel parallel-syncs <%=@name%> <%=@parallelsyncs%> + # sentinel failover-timeout <%=@name%> <%=@failovertimeout%> + + # convert from old format (preserve compat) + if !current['masters'] && current['master_ip'] + Chef::Log.warn('You are using a deprecated sentinel format. This will be removed in future versions.') + + # use old key names if newer key names aren't present (e.g. 'foo' || :foo) + masters = [ + { + master_name: current['master_name'] || current[:mastername], + master_ip: current['master_ip'] || current[:masterip], + master_port: current['master_port'] || current[:masterport], + quorum_count: current['quorum_count'] || current[:quorum_count], + auth_pass: current['auth-pass'] || current[:authpass], + down_after_milliseconds: current['down-after-milliseconds'] || current[:downaftermil], + parallel_syncs: current['parallel-syncs'] || current[:parallelsyncs], + failover_timeout: current['failover-timeout'] || current[:failovertimeout], + }, + ] + else + masters = [current['masters']].flatten + end + + # Load password for use with requirepass from data bag if needed + if current['data_bag_name'] && current['data_bag_item'] && current['data_bag_key'] + bag = data_bag_item(current['data_bag_name'], current['data_bag_item']) + masters.each do |master| + master['auth_pass'] = bag[current['data_bag_key']] + end + end + + # merge in default values to each sentinel hash + masters_with_defaults = [] + masters.each do |current_sentinel_master| + default_sentinel_master = new_resource.sentinel_defaults.to_hash + sentinel_master = default_sentinel_master.merge(current_sentinel_master || {}) + masters_with_defaults << sentinel_master + end + + # Don't render a template if we're missing these from any sentinel, + # as these are the minimal settings required to be passed in + masters_with_defaults.each do |sentinel_instance| + %w(master_ip master_port quorum_count).each do |param| + raise "Missing required sentinel parameter #{param} for #{sentinel_instance}" unless sentinel_instance[param] + end + end + + # Lay down the configuration files for the current instance + template "#{current['configdir']}/#{sentinel_name}.conf" do + source 'sentinel.conf.erb' + cookbook 'redisio' + owner current['user'] + group current['group'] + mode '0644' + action :create + variables( + name: current['name'], + piddir: piddir, + version: version_hash, + job_control: node['redisio']['job_control'], + sentinel_bind: current['sentinel_bind'], + sentinel_port: current['sentinel_port'], + loglevel: current['loglevel'], + logfile: current['logfile'], + syslogenabled: current['syslogenabled'], + syslogfacility: current['syslogfacility'], + masters: masters_with_defaults, + announce_ip: current['announce-ip'], + announce_port: current['announce-port'], + notification_script: current['notification-script'], + client_reconfig_script: current['client-reconfig-script'], + protected_mode: current['protected_mode'] + ) + not_if { ::File.exist?("#{current['configdir']}/#{sentinel_name}.conf.breadcrumb") } + end + + file "#{current['configdir']}/#{sentinel_name}.conf.breadcrumb" do + content 'This file prevents the chef cookbook from overwritting the sentinel config more than once' + action :create_if_missing + end + + # Setup init.d file + bin_path = if node['redisio']['install_dir'] + ::File.join(node['redisio']['install_dir'], 'bin') + else + node['redisio']['bin_path'] + end + template "/etc/init.d/redis_#{sentinel_name}" do + source 'sentinel.init.erb' + cookbook 'redisio' + owner 'root' + group 'root' + mode '0755' + variables( + name: sentinel_name, + bin_path: bin_path, + user: current['user'], + configdir: current['configdir'], + piddir: piddir, + platform: node['platform'] + ) + only_if { node['redisio']['job_control'] == 'initd' } + end + + template "/etc/init/redis_#{sentinel_name}.conf" do + source 'sentinel.upstart.conf.erb' + cookbook 'redisio' + owner current['user'] + group current['group'] + mode '0644' + variables( + name: sentinel_name, + bin_path: bin_path, + user: current['user'], + group: current['group'], + configdir: current['configdir'], + piddir: piddir + ) + only_if { node['redisio']['job_control'] == 'upstart' } + end + # TODO: fix for freebsd + template "/usr/local/etc/rc.d/redis_#{sentinel_name}" do + source 'sentinel.rcinit.erb' + cookbook 'redisio' + owner current['user'] + group current['group'] + mode '0755' + variables( + name: sentinel_name, + bin_path: bin_path, + user: current['user'], + configdir: current['configdir'], + piddir: piddir + ) + only_if { node['redisio']['job_control'] == 'rcinit' } + end + end + end + # servers each loop +end + +def redis_exists? + bin_path = if node['redisio']['install_dir'] + ::File.join(node['redisio']['install_dir'], 'bin') + else + node['redisio']['bin_path'] + end + redis_server = ::File.join(bin_path, 'redis-server') + ::File.exist?(redis_server) +end + +def version + if redis_exists? + bin_path = if node['redisio']['install_dir'] + ::File.join(node['redisio']['install_dir'], 'bin') + else + node['redisio']['bin_path'] + end + redis_server = ::File.join(bin_path, 'redis-server') + redis_version = Mixlib::ShellOut.new("#{redis_server} -v") + redis_version.run_command + version = redis_version.stdout[/version (\d*.\d*.\d*)/, 1] || redis_version.stdout[/v=(\d*.\d*.\d*)/, 1] + Chef::Log.info("The Redis server version is: #{version}") + return version.delete("\n") + end + nil +end + +def load_current_resource + @current_resource = Chef::Resource.resource_for_node(:redisio_sentinel, node).new(new_resource.name) + @current_resource.version(version) + @current_resource +end diff --git a/cookbooks/redisio/recipes/_install_prereqs.rb b/cookbooks/redisio/recipes/_install_prereqs.rb new file mode 100644 index 0000000..ae35774 --- /dev/null +++ b/cookbooks/redisio/recipes/_install_prereqs.rb @@ -0,0 +1,18 @@ +packages_to_install = case node['platform'] + when 'debian', 'ubuntu' + %w( + tar + ) + when 'redhat', 'centos', 'fedora', 'scientific', 'suse', 'amazon' + %w( + tar + ) + else + %w() + end + +packages_to_install.each do |pkg| + package pkg do + action :install + end +end diff --git a/cookbooks/redisio/recipes/configure.rb b/cookbooks/redisio/recipes/configure.rb new file mode 100644 index 0000000..dc1ad43 --- /dev/null +++ b/cookbooks/redisio/recipes/configure.rb @@ -0,0 +1,56 @@ +include_recipe 'redisio::default' +include_recipe 'redisio::ulimit' + +redis = node['redisio'] + +redis_instances = redis['servers'] +if redis_instances.nil? + redis_instances = [ + { + 'port' => '6379', + }, + ] +end + +redisio_configure 'redis-servers' do + version redis['version'] if redis['version'] + default_settings redis['default_settings'] + servers redis_instances + base_piddir redis['base_piddir'] +end + +# Create a service resource for each redis instance, named for the port it runs on. +redis_instances.each do |current_server| + server_name = current_server['name'] || current_server['port'] + + case node['redisio']['job_control'] + when 'initd' + service "redis#{server_name}" do + # don't supply start/stop/restart commands, Chef::Provider::Service::* + # do a fine job on it's own, and support systemd correctly + supports start: true, stop: true, restart: false, status: true + end + when 'upstart' + service "redis#{server_name}" do + provider Chef::Provider::Service::Upstart + start_command "start redis#{server_name}" + stop_command "stop redis#{server_name}" + restart_command "restart redis#{server_name}" + supports start: true, stop: true, restart: true, status: false + end + when 'systemd' + service "redis@#{server_name}" do + provider Chef::Provider::Service::Systemd + supports start: true, stop: true, restart: true, status: true + end + when 'rcinit' + service "redis#{server_name}" do + provider Chef::Provider::Service::Freebsd + supports start: true, stop: true, restart: true, status: true + end + else + Chef::Log.error('Unknown job control type, no service resource created!') + end +end + +node.override['redisio']['servers'] = redis_instances diff --git a/cookbooks/redisio/recipes/default.rb b/cookbooks/redisio/recipes/default.rb new file mode 100644 index 0000000..ed51ac4 --- /dev/null +++ b/cookbooks/redisio/recipes/default.rb @@ -0,0 +1,12 @@ +apt_update + +unless node['redisio']['package_install'] + include_recipe 'redisio::_install_prereqs' + build_essential 'install build deps' +end + +unless node['redisio']['bypass_setup'] + include_recipe 'redisio::install' + include_recipe 'redisio::disable_os_default' + include_recipe 'redisio::configure' +end diff --git a/cookbooks/redisio/recipes/disable.rb b/cookbooks/redisio/recipes/disable.rb new file mode 100644 index 0000000..2c913d4 --- /dev/null +++ b/cookbooks/redisio/recipes/disable.rb @@ -0,0 +1,14 @@ +redis = node['redisio'] + +redis['servers'].each do |current_server| + server_name = current_server['name'] || current_server['port'] + resource_name = if node['redisio']['job_control'] == 'systemd' + "service[redis@#{server_name}]" + else + "service[redis#{server_name}]" + end + resource = resources(resource_name) + resource.action Array(resource.action) + resource.action << :stop + resource.action << :disable +end diff --git a/cookbooks/redisio/recipes/disable_os_default.rb b/cookbooks/redisio/recipes/disable_os_default.rb new file mode 100644 index 0000000..e755ed6 --- /dev/null +++ b/cookbooks/redisio/recipes/disable_os_default.rb @@ -0,0 +1,12 @@ +# disable the default OS redis init script +service_name = case node['platform'] + when 'debian', 'ubuntu' + 'redis-server' + when 'redhat', 'centos', 'fedora', 'scientific', 'suse', 'amazon' + 'redis' + end + +service service_name do + action [:stop, :disable] + only_if { service_name } +end diff --git a/cookbooks/redisio/recipes/enable.rb b/cookbooks/redisio/recipes/enable.rb new file mode 100644 index 0000000..e841fde --- /dev/null +++ b/cookbooks/redisio/recipes/enable.rb @@ -0,0 +1,13 @@ +redis = node['redisio'] + +redis['servers'].each do |current_server| + server_name = current_server['name'] || current_server['port'] + resource_name = if node['redisio']['job_control'] == 'systemd' + "service[redis@#{server_name}]" + else + "service[redis#{server_name}]" + end + resource = resources(resource_name) + resource.action Array(resource.action) + resource.action.concat [:start, :enable] +end diff --git a/cookbooks/redisio/recipes/install.rb b/cookbooks/redisio/recipes/install.rb new file mode 100644 index 0000000..bb7064f --- /dev/null +++ b/cookbooks/redisio/recipes/install.rb @@ -0,0 +1,22 @@ +if node['redisio']['package_install'] + package 'redisio_package_name' do + package_name node['redisio']['package_name'] + version node['redisio']['version'] if node['redisio']['version'] + action :install + end +else + include_recipe 'redisio::_install_prereqs' + build_essential 'install build deps' + + redis = node['redisio'] + location = "#{redis['mirror']}/#{redis['base_name']}#{redis['version']}.#{redis['artifact_type']}" + + redisio_install 'redis-installation' do + version redis['version'] if redis['version'] + download_url location + safe_install redis['safe_install'] + install_dir redis['install_dir'] if redis['install_dir'] + end +end + +include_recipe 'redisio::ulimit' diff --git a/cookbooks/redisio/recipes/redis_gem.rb b/cookbooks/redisio/recipes/redis_gem.rb new file mode 100644 index 0000000..358b99a --- /dev/null +++ b/cookbooks/redisio/recipes/redis_gem.rb @@ -0,0 +1,4 @@ +gem_package node['redisio']['gem']['name'] do + version node['redisio']['gem']['version'] unless node['redisio']['gem']['version'].nil? + action :install +end diff --git a/cookbooks/redisio/recipes/sentinel.rb b/cookbooks/redisio/recipes/sentinel.rb new file mode 100644 index 0000000..84a49d0 --- /dev/null +++ b/cookbooks/redisio/recipes/sentinel.rb @@ -0,0 +1,78 @@ +include_recipe 'redisio::_install_prereqs' +include_recipe 'redisio::install' +include_recipe 'redisio::ulimit' + +redis = node['redisio'] + +sentinel_instances = redis['sentinels'] +if sentinel_instances.nil? + sentinel_instances = [ + { + 'sentinel_port' => '26379', + 'name' => 'mycluster', + 'masters' => [ + { + 'master_name' => 'mycluster_master', + 'master_ip' => '127.0.0.1', + 'master_port' => '6379', + }, + ], + }, + ] +end + +redisio_sentinel 'redis-sentinels' do + version redis['version'] if redis['version'] + sentinel_defaults redis['sentinel_defaults'] + sentinels sentinel_instances + base_piddir redis['base_piddir'] +end + +bin_path = if node['redisio']['install_dir'] + ::File.join(node['redisio']['install_dir'], 'bin') + else + node['redisio']['bin_path'] + end + +template '/lib/systemd/system/redis-sentinel@.service' do + source 'redis-sentinel@.service' + variables( + bin_path: bin_path, + limit_nofile: redis['default_settings']['maxclients'] + 32 + ) + only_if { node['redisio']['job_control'] == 'systemd' } +end + +# Create a service resource for each sentinel instance, named for the port it runs on. +sentinel_instances.each do |current_sentinel| + sentinel_name = current_sentinel['name'] + + case node['redisio']['job_control'] + when 'initd' + service "redis_sentinel_#{sentinel_name}" do + # don't supply start/stop/restart commands, Chef::Provider::Service::* + # do a fine job on it's own, and support systemd correctly + supports start: true, stop: true, restart: true, status: false + end + when 'upstart' + service "redis_sentinel_#{sentinel_name}" do + provider Chef::Provider::Service::Upstart + start_command "start redis_sentinel_#{sentinel_name}" + stop_command "stop redis_sentinel_#{sentinel_name}" + restart_command "restart redis_sentinel_#{sentinel_name}" + supports start: true, stop: true, restart: true, status: false + end + when 'systemd' + service "redis-sentinel@#{sentinel_name}" do + provider Chef::Provider::Service::Systemd + supports start: true, stop: true, restart: true, status: true + end + when 'rcinit' + service "redis_sentinel_#{sentinel_name}" do + provider Chef::Provider::Service::Freebsd + supports start: true, stop: true, restart: true, status: true + end + else + Chef::Log.error('Unknown job control type, no service resource created!') + end +end diff --git a/cookbooks/redisio/recipes/sentinel_enable.rb b/cookbooks/redisio/recipes/sentinel_enable.rb new file mode 100644 index 0000000..59dc7bc --- /dev/null +++ b/cookbooks/redisio/recipes/sentinel_enable.rb @@ -0,0 +1,38 @@ +sentinel_instances = node['redisio']['sentinels'] + +if sentinel_instances.nil? + sentinel_instances = [ + { + 'sentinel_port' => '26379', + 'name' => 'mycluster', + 'master_ip' => '127.0.0.1', + 'master_port' => '6379', + }, + ] +end + +execute 'reload-systemd-sentinel' do + command 'systemctl daemon-reload' + only_if { node['redisio']['job_control'] == 'systemd' } + action :nothing +end + +sentinel_instances.each do |current_sentinel| + sentinel_name = current_sentinel['name'] + resource_name = if node['redisio']['job_control'] == 'systemd' + "service[redis-sentinel@#{sentinel_name}]" + else + "service[redis_sentinel_#{sentinel_name}]" + end + resource = resources(resource_name) + resource.action Array(resource.action) + resource.action << :start + if node['redisio']['job_control'] != 'systemd' + resource.action << :enable + else + link "/etc/systemd/system/multi-user.target.wants/redis-sentinel@#{sentinel_name}.service" do + to '/usr/lib/systemd/system/redis-sentinel@.service' + notifies :run, 'execute[reload-systemd-sentinel]', :immediately + end + end +end diff --git a/cookbooks/redisio/recipes/ulimit.rb b/cookbooks/redisio/recipes/ulimit.rb new file mode 100644 index 0000000..fbe4bfb --- /dev/null +++ b/cookbooks/redisio/recipes/ulimit.rb @@ -0,0 +1,25 @@ +# Pulled from the now replaced ulimit cookbook +# TODO: find a more tidy way to do this +ulimit = node['ulimit'] + +if platform_family?('debian') + template '/etc/pam.d/su' do + cookbook ulimit['pam_su_template_cookbook'] + end + + cookbook_file '/etc/pam.d/sudo' do + cookbook node['ulimit']['ulimit_overriding_sudo_file_cookbook'] + source node['ulimit']['ulimit_overriding_sudo_file_name'] + mode '0644' + end +end + +if ulimit.key?('users') + ulimit['users'].each do |user, attributes| + user_ulimit user do + attributes.each do |a, v| + send(a.to_sym, v) + end + end + end +end diff --git a/cookbooks/redisio/resources/configure.rb b/cookbooks/redisio/resources/configure.rb new file mode 100644 index 0000000..328e07c --- /dev/null +++ b/cookbooks/redisio/resources/configure.rb @@ -0,0 +1,12 @@ +actions :run +unified_mode true +default_action :run + +# Configuration attributes +attribute :version, kind_of: String +attribute :base_piddir, kind_of: String, default: '/var/run/redis' +attribute :user, kind_of: String, default: 'redis' +attribute :group, kind_of: String, default: 'redis' + +attribute :default_settings, kind_of: Hash +attribute :servers, kind_of: Array diff --git a/cookbooks/redisio/resources/install.rb b/cookbooks/redisio/resources/install.rb new file mode 100644 index 0000000..c299dcb --- /dev/null +++ b/cookbooks/redisio/resources/install.rb @@ -0,0 +1,13 @@ +actions :run +unified_mode true +default_action :run + +# Installation attributes +attribute :version, kind_of: String +attribute :download_url, kind_of: String +attribute :download_dir, kind_of: String, default: Chef::Config[:file_cache_path] +attribute :artifact_type, kind_of: String, default: 'tar.gz' +attribute :base_name, kind_of: String, default: 'redis-' +attribute :safe_install, kind_of: [TrueClass, FalseClass], default: true + +attribute :install_dir, kind_of: String, default: nil diff --git a/cookbooks/redisio/resources/sentinel.rb b/cookbooks/redisio/resources/sentinel.rb new file mode 100644 index 0000000..1c07599 --- /dev/null +++ b/cookbooks/redisio/resources/sentinel.rb @@ -0,0 +1,11 @@ +actions :run +unified_mode true +default_action :run + +# Configuration attributes +attribute :version, kind_of: String +attribute :base_piddir, kind_of: String, default: '/var/run/redis' +attribute :user, kind_of: String, default: 'redis' + +attribute :sentinel_defaults, kind_of: Hash +attribute :sentinels, kind_of: Array diff --git a/cookbooks/redisio/templates/default/domain.erb b/cookbooks/redisio/templates/default/domain.erb new file mode 100644 index 0000000..219080c --- /dev/null +++ b/cookbooks/redisio/templates/default/domain.erb @@ -0,0 +1,9 @@ +<% + node.run_state[:ulimit][@domain].each do |item, entries| + entries.each do |type, value| +-%> +<%= @domain %> <%= type %> <%= item %> <%= value %> +<% + end + end +-%> diff --git a/cookbooks/redisio/templates/default/redis-sentinel@.service b/cookbooks/redisio/templates/default/redis-sentinel@.service new file mode 100644 index 0000000..0343d35 --- /dev/null +++ b/cookbooks/redisio/templates/default/redis-sentinel@.service @@ -0,0 +1,12 @@ +[Unit] +Description=Redis persistent key-value database +After=network.target + +[Service] +ExecStart=<%= @bin_path %>/redis-server /etc/redis/sentinel_%i.conf --sentinel --daemonize no +User=redis +Group=redis +LimitNOFILE=<%= @limit_nofile %> + +[Install] +WantedBy=multi-user.target diff --git a/cookbooks/redisio/templates/default/redis.conf.erb b/cookbooks/redisio/templates/default/redis.conf.erb new file mode 100644 index 0000000..6e28d19 --- /dev/null +++ b/cookbooks/redisio/templates/default/redis.conf.erb @@ -0,0 +1,1039 @@ +# Redis configuration file example. + +# Note on units: when memory size is needed, it is possible to specify +# it in the usual form of 1k 5GB 4M and so forth: +# +# 1k => 1000 bytes +# 1kb => 1024 bytes +# 1m => 1000000 bytes +# 1mb => 1024*1024 bytes +# 1g => 1000000000 bytes +# 1gb => 1024*1024*1024 bytes +# +# units are case insensitive so 1GB 1Gb 1gB are all the same. + +# By default Redis does not run as a daemon. Use 'yes' if you need it. +# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. +<% if @job_control == 'initd' || @job_control == 'rcinit' %> +daemonize yes +<% end %> + +# When running daemonized, Redis writes a pid file in /var/run/redis.pid by +# default. You can specify a custom pid file location here. +pidfile <%= @piddir %>/redis_<%=@name%>.pid + +# Accept connections on the specified port, default is 6379. +# If port 0 is specified Redis will not listen on a TCP socket. +port <%=@port%> + +<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 8 && @version[:patch].to_i >= 5 || @version[:major].to_i == 3 %> +# TCP listen() backlog. +# +# In high requests-per-second environments you need an high backlog in order +# to avoid slow clients connections issues. Note that the Linux kernel +# will silently truncate it to the value of /proc/sys/net/core/somaxconn so +# make sure to raise both the value of somaxconn and tcp_max_syn_backlog +# in order to get the desired effect. +tcp-backlog <%= @tcpbacklog %> +<% end %> + +# By default Redis listens for connections from all the network interfaces +# available on the server. It is possible to listen to just one or multiple +# interfaces using the "bind" configuration directive, followed by one or +# more IP addresses. +# +# Examples: +# +# bind 192.168.1.100 10.0.0.1 +# bind 127.0.0.1 +<% unless @address.nil? %> + <%= "bind #{@address.respond_to?(:join) ? @address.join(" ") : @address }" %> +<% end %> + +# Protected mode is a layer of security protection, in order to avoid that +# Redis instances left open on the internet are accessed and exploited. +# +# When protected mode is on and if: +# +# 1) The server is not binding explicitly to a set of addresses using the +# "bind" directive. +# 2) No password is configured. +# +# The server only accepts connections from clients connecting from the +# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain +# sockets. +# +# By default protected mode is enabled. You should disable it only if +# you are sure you want clients from other hosts to connect to Redis +# even if no authentication is configured, nor a specific set of interfaces +# are explicitly listed using the "bind" directive. +<% unless @protected_mode.nil? %> +protected-mode <%= @protected_mode %> +<% end %> + +# Specify the path for the Unix socket that will be used to listen for +# incoming connections. There is no default, so Redis will not listen +# on a unix socket when not specified. +# +# unixsocket /tmp/redis.sock +# unixsocketperm 755 +<%= "unixsocket #{@unixsocket}" unless @unixsocket.nil? %> +<%= "unixsocketperm #{@unixsocketperm}" unless @unixsocketperm.nil? %> + +# Close the connection after a client is idle for N seconds (0 to disable) +<%= "timeout #{@timeout}" %> + +<% if (@version[:major].to_i == 2 && @version[:minor].to_i >= 8) || @version[:major].to_i >= 3 %> +# TCP keepalive. +# +# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence +# of communication. This is useful for two reasons: +# +# 1) Detect dead peers. +# 2) Take the connection alive from the point of view of network +# equipment in the middle. +# +# On Linux, the specified value (in seconds) is the period used to send ACKs. +# Note that to close the connection the double of the time is needed. +# On other kernels the period depends on the kernel configuration. +# +# A reasonable value for this option is 60 seconds. +tcp-keepalive <%=@keepalive%> +<% end %> + +# Set server verbosity to 'debug' +# it can be one of: +# debug (a lot of information, useful for development/testing) +# verbose (many rarely useful info, but not a mess like the debug level) +# notice (moderately verbose, what you want in production probably) +# warning (only very important / critical messages are logged) +loglevel <%=@loglevel%> + +# Specify the log file name. Also 'stdout' can be used to force +# Redis to log on the standard output. Note that if you use standard +# output for logging but daemonize, logs will be sent to /dev/null +# +# In version of redis 2.8 and higher to log to stdout use the empty +# string instead of "stdout" +# +# logfile stdout +<%= "logfile #{@logfile}" unless @logfile.nil? %> + +# To enable logging to the system logger, just set 'syslog-enabled' to yes, +# and optionally update the other syslog parameters to suit your needs. +syslog-enabled <%= @syslogenabled %> + +# Specify the syslog identity. +syslog-ident redis-<%=@name%> + +# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. +syslog-facility <%= @syslogfacility %> + +# Set the number of databases. The default database is DB 0, you can select +# a different one on a per-connection basis using SELECT where +# dbid is a number between 0 and 'databases'-1 +databases <%=@databases%> + +################################ SNAPSHOTTING ################################# +# +# Save the DB on disk: +# +# save +# +# Will save the DB if both the given number of seconds and the given +# number of write operations against the DB occurred. +# +# In the example below the behaviour will be to save: +# after 900 sec (15 min) if at least 1 key changed +# after 300 sec (5 min) if at least 10 keys changed +# after 60 sec if at least 10000 keys changed +# +# Note: you can disable completely by commenting out all "save" lines. + +<% if (@backuptype == 'rdb' || @backuptype == 'both') %> + + <% if @save.nil? %> + save 900 1 + save 300 10 + save 60 10000 + <% else %> + <% @save.each do |save_option| %> + <%= "save #{save_option}" %> + <% end %> + <% end %> + +<% if (@version[:major].to_i == 2 && @version[:minor].to_i >= 6) || @version[:major].to_i >= 3 %> +# By default Redis will stop accepting writes if RDB snapshots are enabled +# (at least one save point) and the latest background save failed. +# This will make the user aware (in a hard way) that data is not persisting +# on disk properly, otherwise chances are that no one will notice and some +# disaster will happen. +# +# If the background saving process will start working again Redis will +# automatically allow writes again. +# +# However if you have setup your proper monitoring of the Redis server +# and persistence, you may want to disable this feature so that Redis will +# continue to work as usual even if there are problems with disk, +# permissions, and so forth. +stop-writes-on-bgsave-error <%= @stopwritesonbgsaveerror %> +<% end %> + +# Compress string objects using LZF when dump .rdb databases? +# For default that's set to 'yes' as it's almost always a win. +# If you want to save some CPU in the saving child set it to 'no' but +# the dataset will likely be bigger if you have compressible values or keys. +rdbcompression <%= @rdbcompression %> + +<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 6 || @version[:major].to_i == 3 %> +# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. +# This makes the format more resistant to corruption but there is a performance +# hit to pay (around 10%) when saving and loading RDB files, so you can disable it +# for maximum performances. +# +# RDB files created with checksum disabled have a checksum of zero that will +# tell the loading code to skip the check. +rdbchecksum <%= @rdbchecksum %> +<% end %> + +# The filename where to dump the DB +<% if @dbfilename %> +dbfilename <%= @dbfilename %> +<% else %> +dbfilename dump-<%=@name%>.rdb +<% end %> + +<%end%> + +# The working directory. +# +# The DB will be written inside this directory, with the filename specified +# above using the 'dbfilename' configuration directive. +# +# Also the Append Only File will be created inside this directory. +# +# Note that you must specify a directory here, not a file name. +dir <%=@datadir%> + +################################# REPLICATION ################################# + +# Master-Slave replication. Use slaveof to make a Redis instance a copy of +# another Redis server. A few things to understand ASAP about Redis replication. +# +# 1) Redis replication is asynchronous, but you can configure a master to +# stop accepting writes if it appears to be not connected with at least +# a given number of slaves. +# 2) Redis slaves are able to perform a partial resynchronization with the +# master if the replication link is lost for a relatively small amount of +# time. You may want to configure the replication backlog size (see the next +# sections of this file) with a sensible value depending on your needs. +# 3) Replication is automatic and does not need user intervention. After a +# network partition slaves automatically try to reconnect to masters +# and resynchronize with them. +# +# slaveof +<%= "slaveof #{@slaveof['address']} #{@slaveof['port']}" unless @slaveof.nil? %> + +# If the master is password protected (using the "requirepass" configuration +# directive below) it is possible to tell the slave to authenticate before +# starting the replication synchronization process, otherwise the master will +# refuse the slave request. +# +# masterauth +<%= "masterauth #{@masterauth}" unless @masterauth.nil? %> + +# When a slave lost the connection with the master, or when the replication +# is still in progress, the slave can act in two different ways: +# +# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will +# still reply to client requests, possibly with out of date data, or the +# data set may just be empty if this is the first synchronization. +# +# 2) if slave-serve-stale data is set to 'no' the slave will reply with +# an error "SYNC with master in progress" to all the kind of commands +# but to INFO and SLAVEOF. +# +slave-serve-stale-data <%=@slaveservestaledata%> +<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 6 || @version[:major].to_i >= 3 -%> +<% ######## Redis 2.6 and higher ######## -%> + +# You can configure a slave instance to accept writes or not. Writing against +# a slave instance may be useful to store some ephemeral data (because data +# written on a slave will be easily deleted after resync with the master) but +# may also cause problems if clients are writing to it because of a +# misconfiguration. +# +# Since Redis 2.6 by default slaves are read-only. +# +# Note: read only slaves are not designed to be exposed to untrusted clients +# on the internet. It's just a protection layer against misuse of the instance. +# Still a read only slave exports by default all the administrative commands +# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve +# security of read only slaves using 'rename-command' to shadow all the +# administrative / dangerous commands. +slave-read-only <%=@slavereadonly%> +<% end %> + +<% if (@version[:major].to_i == 2 && @version[:minor].to_i == 8 && @version[:tiny].to_i >= 18) or (@version[:major].to_i == 2 && @version[:minor].to_i >= 9) or @version[:major].to_i >= 3 -%> +<% ######## Redis 2.8.18 and higher ######## -%> +# Replication SYNC strategy: disk or socket. +# +# ------------------------------------------------------- +# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY +# ------------------------------------------------------- +# +# New slaves and reconnecting slaves that are not able to continue the replication +# process just receiving differences, need to do what is called a "full +# synchronization". An RDB file is transmitted from the master to the slaves. +# The transmission can happen in two different ways: +# +# 1) Disk-backed: The Redis master creates a new process that writes the RDB +# file on disk. Later the file is transferred by the parent +# process to the slaves incrementally. +# 2) Diskless: The Redis master creates a new process that directly writes the +# RDB file to slave sockets, without touching the disk at all. +# +# With disk-backed replication, while the RDB file is generated, more slaves +# can be queued and served with the RDB file as soon as the current child producing +# the RDB file finishes its work. With diskless replication instead once +# the transfer starts, new slaves arriving will be queued and a new transfer +# will start when the current one terminates. +# +# When diskless replication is used, the master waits a configurable amount of +# time (in seconds) before starting the transfer in the hope that multiple slaves +# will arrive and the transfer can be parallelized. +# +# With slow disks and fast (large bandwidth) networks, diskless replication +# works better. +repl-diskless-sync <%=@repldisklesssync%> + +# When diskless replication is enabled, it is possible to configure the delay +# the server waits in order to spawn the child that transfers the RDB via socket +# to the slaves. +# +# This is important since once the transfer starts, it is not possible to serve +# new slaves arriving, that will be queued for the next RDB transfer, so the server +# waits a delay in order to let more slaves arrive. +# +# The delay is specified in seconds, and by default is 5 seconds. To disable +# it entirely just set it to 0 seconds and the transfer will start ASAP. +repl-diskless-sync-delay <%=@repldisklesssyncdelay%> +<% end %> + +<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 6 || @version[:major].to_i == 3 %> +# You can configure a slave instance to accept writes or not. Writing against +# a slave instance may be useful to store some ephemeral data (because data +# written on a slave will be easily deleted after resync with the master) but +# may also cause problems if clients are writing to it because of a +# misconfiguration. +# +# Since Redis 2.6 by default slaves are read-only. +# +# Note: read only slaves are not designed to be exposed to untrusted clients +# on the internet. It's just a protection layer against misuse of the instance. +# Still a read only slave exports by default all the administrative commands +# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve +# security of read only slaves using 'rename-command' to shadow all the +# administrative / dangerous commands. +slave-read-only <%= @slavereadonly %> +<% end %> + +# Slaves send PINGs to server in a predefined interval. It's possible to change +# this interval with the repl_ping_slave_period option. The default value is 10 +# seconds. +# +repl-ping-slave-period <%=@replpingslaveperiod%> + +# The following option sets a timeout for both Bulk transfer I/O timeout and +# master data or ping response timeout. The default value is 60 seconds. +# +# It is important to make sure that this value is greater than the value +# specified for repl-ping-slave-period otherwise a timeout will be detected +# every time there is low traffic between the master and the slave. +# +repl-timeout <%=@repltimeout%> + +<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 6 || @version[:major].to_i == 3 %> +# Disable TCP_NODELAY on the slave socket after SYNC? +# +# If you select "yes" Redis will use a smaller number of TCP packets and +# less bandwidth to send data to slaves. But this can add a delay for +# the data to appear on the slave side, up to 40 milliseconds with +# Linux kernels using a default configuration. +# +# If you select "no" the delay for data to appear on the slave side will +# be reduced but more bandwidth will be used for replication. +# +# By default we optimize for low latency, but in very high traffic conditions +# or when the master and slaves are many hops away, turning this to "yes" may +# be a good idea. +repl-disable-tcp-nodelay <%= @repldisabletcpnodelay %> +<% end %> + +<% if (@version[:major].to_i == 2 && @version[:minor].to_i >= 8) || @version[:major].to_i >= 3 %> +# Set the replication backlog size. The backlog is a buffer that accumulates +# slave data when slaves are disconnected for some time, so that when a slave +# wants to reconnect again, often a full resync is not needed, but a partial +# resync is enough, just passing the portion of data the slave missed while +# disconnected. +# +# The bigger the replication backlog, the longer the time the slave can be +# disconnected and later be able to perform a partial resynchronization. +# +# The backlog is only allocated once there is at least a slave connected. +# +repl-backlog-size <%= @replbacklogsize %> + +# After a master has no longer connected slaves for some time, the backlog +# will be freed. The following option configures the amount of seconds that +# need to elapse, starting from the time the last slave disconnected, for +# the backlog buffer to be freed. +# +# A value of 0 means to never release the backlog. +# +repl-backlog-ttl <%= @replbacklogttl %> +<% end %> + +<% if (@version[:major].to_i == 2 && @version[:minor].to_i >= 6) || @version[:major].to_i >= 3 %> +# The slave priority is an integer number published by Redis in the INFO output. +# It is used by Redis Sentinel in order to select a slave to promote into a +# master if the master is no longer working correctly. +# +# A slave with a low priority number is considered better for promotion, so +# for instance if there are three slaves with priority 10, 100, 25 Sentinel will +# pick the one with priority 10, that is the lowest. +# +# However a special priority of 0 marks the slave as not able to perform the +# role of master, so a slave with priority of 0 will never be selected by +# Redis Sentinel for promotion. +# +# By default the priority is 100. +slave-priority <%= @slavepriority %> +<% end %> + +<% if @version[:major].to_i >= 3 %> +# It is possible for a master to stop accepting writes if there are less than +# N slaves connected, having a lag less or equal than M seconds. +# +# The N slaves need to be in "online" state. +# +# The lag in seconds, that must be <= the specified value, is calculated from +# the last ping received from the slave, that is usually sent every second. +# +# This option does not GUARANTEE that N replicas will accept the write, but +# will limit the window of exposure for lost writes in case not enough slaves +# are available, to the specified number of seconds. +# +# For example to require at least 3 slaves with a lag <= 10 seconds use: +# +# min-slaves-to-write 3 +# min-slaves-max-lag 10 +# +# Setting one or the other to 0 disables the feature. +# +# By default min-slaves-to-write is set to 0 (feature disabled) and +# min-slaves-max-lag is set to 10. +<%= "min-slaves-to-write #{@minslavestowrite}" unless @minslavestowrite.nil? %> +<%= "min-slaves-max-lag #{@minslavesmaxlag}" unless @minslavesmaxlag.nil? %> +<% end %> + +<% if @version[:major].to_i >= 4 %> +# A Redis master is able to list the address and port of the attached +# slaves in different ways. For example the "INFO replication" section +# offers this information, which is used, among other tools, by +# Redis Sentinel in order to discover slave instances. +# Another place where this info is available is in the output of the +# "ROLE" command of a masteer. +# +# The listed IP and address normally reported by a slave is obtained +# in the following way: +# +# IP: The address is auto detected by checking the peer address +# of the socket used by the slave to connect with the master. +# +# Port: The port is communicated by the slave during the replication +# handshake, and is normally the port that the slave is using to +# list for connections. +# +# However when port forwarding or Network Address Translation (NAT) is +# used, the slave may be actually reachable via different IP and port +# pairs. The following two options can be used by a slave in order to +# report to its master a specific set of IP and port, so that both INFO +# and ROLE will report those values. +# +# There is no need to use both the options if you need to override just +# the port or the IP address. +# +# slave-announce-ip 5.5.5.5 +# slave-announce-port 1234 +<% end %> + +################################## SECURITY ################################### + +# Require clients to issue AUTH before processing any other +# commands. This might be useful in environments in which you do not trust +# others with access to the host running redis-server. +# +# This should stay commented out for backward compatibility and because most +# people do not need auth (e.g. they run their own servers). +# +# Warning: since Redis is pretty fast an outside user can try up to +# 150k passwords per second against a good box. This means that you should +# use a very strong password otherwise it will be very easy to break. +# +# requirepass foobared +<%= "requirepass #{@requirepass}" unless @requirepass.nil? %> + +# Command renaming. +# +# It is possible to change the name of dangerous commands in a shared +# environment. For instance the CONFIG command may be renamed into something +# of hard to guess so that it will still be available for internal-use +# tools but not available for general clients. +# +# Example: +# +# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 +# +# It is also possible to completely kill a command renaming it into +# an empty string: +# +# rename-command CONFIG "" +<% if !@rename_commands.nil? %> + <% @rename_commands.each do |k, v| %> + <% v = '""' if v.nil? || v.empty? %> + <%= "rename-command #{k} #{v}" %> + <% end %> +<% end %> + +################################### LIMITS #################################### + +# Set the max number of connected clients at the same time. By default there +# is no limit, and it's up to the number of file descriptors the Redis process +# is able to open. The special value '0' means no limits. +# Once the limit is reached Redis will close all the new connections sending +# an error 'max number of clients reached'. +# +<%= "maxclients #{@maxclients}" %> + +# Don't use more memory than the specified amount of bytes. +# When the memory limit is reached Redis will try to remove keys +# according to the eviction policy selected (see maxmemmory-policy). +# +# If Redis can't remove keys according to the policy, or if the policy is +# set to 'noeviction', Redis will start to reply with errors to commands +# that would use more memory, like SET, LPUSH, and so on, and will continue +# to reply to read-only commands like GET. +# +# This option is usually useful when using Redis as an LRU cache, or to set +# a hard memory limit for an instance (using the 'noeviction' policy). +# +# WARNING: If you have slaves attached to an instance with maxmemory on, +# the size of the output buffers needed to feed the slaves are subtracted +# from the used memory count, so that network problems / resyncs will +# not trigger a loop where keys are evicted, and in turn the output +# buffer of slaves is full with DELs of keys evicted triggering the deletion +# of more keys, and so forth until the database is completely emptied. +# +# In short... if you have slaves attached it is suggested that you set a lower +# limit for maxmemory so that there is some free RAM on the system for slave +# output buffers (but this is not needed if the policy is 'noeviction'). +# +#maxmemory +<%= "maxmemory #{@maxmemory}" unless @maxmemory.empty? %> + +# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory +# is reached. You can select among five behaviors: +# +# volatile-lru -> remove the key with an expire set using an LRU algorithm +# allkeys-lru -> remove any key according to the LRU algorithm +# volatile-random -> remove a random key with an expire set +# allkeys->random -> remove a random key, any key +# volatile-ttl -> remove the key with the nearest expire time (minor TTL) +# noeviction -> don't expire at all, just return an error on write operations +# +# Note: with any of the above of policies, Redis will return an error on write +# operations, when there are no suitable keys for eviction. +# +# At the date of writing these commands are: set setnx setex append +# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd +# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby +# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby +# getset mset msetnx exec sort +# +# The default is: +# +# maxmemory-policy volatile-lru +<%= "maxmemory-policy #{@maxmemorypolicy}" unless @maxmemorypolicy.nil? %> + +# LRU and minimal TTL algorithms are not precise algorithms but approximated +# algorithms (in order to save memory), so you can select as well the sample +# size to check. For instance for default Redis will check three keys and +# pick the one that was used less recently, you can change the sample size +# using the following configuration directive. +# +# maxmemory-samples 3 +<%= "maxmemory-samples #{@maxmemorysamples}" unless @maxmemorysamples.nil? %> + +############################## APPEND ONLY MODE ############################### + +# By default Redis asynchronously dumps the dataset on disk. This mode is +# good enough in many applications, but an issue with the Redis process or +# a power outage may result into a few minutes of writes lost (depending on +# the configured save points). +# +# The Append Only File is an alternative persistence mode that provides +# much better durability. For instance using the default data fsync policy +# (see later in the config file) Redis can lose just one second of writes in a +# dramatic event like a server power outage, or a single write if something +# wrong with the Redis process itself happens, but the operating system is +# still running correctly. +# +# AOF and RDB persistence can be enabled at the same time without problems. +# If the AOF is enabled on startup Redis will load the AOF, that is the file +# with the better durability guarantees. +# +# Please check http://redis.io/topics/persistence for more information. + +<%if (@backuptype == 'aof' || @backuptype == 'both')%> +appendonly yes +<%else%> +appendonly no +<%end%> +# The name of the append only file (default: "appendonly.aof") +<% if @appendfilename %> +appendfilename <%= @appendfilename %> +<% else %> +appendfilename appendonly-<%=@name%>.aof +<% end %> + +# The fsync() call tells the Operating System to actually write data on disk +# instead of waiting for more data in the output buffer. Some OS will really flush +# data on disk, some other OS will just try to do it ASAP. +# +# Redis supports three different modes: +# +# no: don't fsync, just let the OS flush the data when it wants. Faster. +# always: fsync after every write to the append only log. Slow, Safest. +# everysec: fsync only one time every second. Compromise. +# +# The default is "everysec", as that's usually the right compromise between +# speed and data safety. It's up to you to understand if you can relax this to +# "no" that will let the operating system flush the output buffer when +# it wants, for better performances (but if you can live with the idea of +# some data loss consider the default persistence mode that's snapshotting), +# or on the contrary, use "always" that's very slow but a bit safer than +# everysec. +# +# More details please check the following article: +# http://antirez.com/post/redis-persistence-demystified.html +# +# If unsure, use "everysec". + +# appendfsync always +# appendfsync everysec +# appendfsync no +<%= "appendfsync #{@appendfsync}" %> + +# When the AOF fsync policy is set to always or everysec, and a background +# saving process (a background save or AOF log background rewriting) is +# performing a lot of I/O against the disk, in some Linux configurations +# Redis may block too long on the fsync() call. Note that there is no fix for +# this currently, as even performing fsync in a different thread will block +# our synchronous write(2) call. +# +# In order to mitigate this problem it's possible to use the following option +# that will prevent fsync() from being called in the main process while a +# BGSAVE or BGREWRITEAOF is in progress. +# +# This means that while another child is saving, the durability of Redis is +# the same as "appendfsync none". In practical terms, this means that it is +# possible to lose up to 30 seconds of log in the worst scenario (with the +# default Linux settings). +# +# If you have latency problems turn this to "yes". Otherwise leave it as +# "no" that is the safest pick from the point of view of durability. + +no-appendfsync-on-rewrite <%=@noappendfsynconrewrite%> + +# Automatic rewrite of the append only file. +# Redis is able to automatically rewrite the log file implicitly calling +# BGREWRITEAOF when the AOF log size grows by the specified percentage. +# +# This is how it works: Redis remembers the size of the AOF file after the +# latest rewrite (if no rewrite has happened since the restart, the size of +# the AOF at startup is used). +# +# This base size is compared to the current size. If the current size is +# bigger than the specified percentage, the rewrite is triggered. Also +# you need to specify a minimal size for the AOF file to be rewritten, this +# is useful to avoid rewriting the AOF file even if the percentage increase +# is reached but it is still pretty small. +# +# Specify a percentage of zero in order to disable the automatic AOF +# rewrite feature. + +auto-aof-rewrite-percentage <%=@aofrewritepercentage%> +auto-aof-rewrite-min-size <%=@aofrewriteminsize%> + +<% if @version[:major].to_i >= 3 %> +# An AOF file may be found to be truncated at the end during the Redis +# startup process, when the AOF data gets loaded back into memory. +# This may happen when the system where Redis is running +# crashes, especially when an ext4 filesystem is mounted without the +# data=ordered option (however this can't happen when Redis itself +# crashes or aborts but the operating system still works correctly). +# +# Redis can either exit with an error when this happens, or load as much +# data as possible (the default now) and start if the AOF file is found +# to be truncated at the end. The following option controls this behavior. +# +# If aof-load-truncated is set to yes, a truncated AOF file is loaded and +# the Redis server starts emitting a log to inform the user of the event. +# Otherwise if the option is set to no, the server aborts with an error +# and refuses to start. When the option is set to no, the user requires +# to fix the AOF file using the "redis-check-aof" utility before to restart +# the server. +# +# Note that if the AOF file will be found to be corrupted in the middle +# the server will still exit with an error. This option only applies when +# Redis will try to read more data from the AOF file but not enough bytes +# will be found. +aof-load-truncated <%= @aofloadtruncated %> +<% end %> + +<% if (@version[:major].to_i == 2 && @version[:minor].to_i >= 6) || @version[:major].to_i >= 3 %> +################################ LUA SCRIPTING ############################### + +# Max execution time of a Lua script in milliseconds. +# +# If the maximum execution time is reached Redis will log that a script is +# still in execution after the maximum allowed time and will start to +# reply to queries with an error. +# +# When a long running script exceeds the maximum execution time only the +# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be +# used to stop a script that did not yet called write commands. The second +# is the only way to shut down the server in the case a write command was +# already issued by the script but the user doesn't want to wait for the natural +# termination of the script. +# +# Set it to 0 or a negative value for unlimited execution without warnings. +lua-time-limit <%= @luatimelimit %> +<% end %> + +################################## SLOW LOG ################################### + +# The Redis Slow Log is a system to log queries that exceeded a specified +# execution time. The execution time does not include the I/O operations +# like talking with the client, sending the reply and so forth, +# but just the time needed to actually execute the command (this is the only +# stage of command execution where the thread is blocked and can not serve +# other requests in the meantime). +# +# You can configure the slow log with two parameters: one tells Redis +# what is the execution time, in microseconds, to exceed in order for the +# command to get logged, and the other parameter is the length of the +# slow log. When a new command is logged the oldest one is removed from the +# queue of logged commands. + +# The following time is expressed in microseconds, so 1000000 is equivalent +# to one second. Note that a negative number disables the slow log, while +# a value of zero forces the logging of every command. +slowlog-log-slower-than <%= @slowloglogslowerthan %> + +# There is no limit to this length. Just be aware that it will consume memory. +# You can reclaim memory used by the slow log with SLOWLOG RESET. +slowlog-max-len <%= @slowlogmaxlen %> + +<% if @version[:major].to_i <= 2 && @version[:minor].to_i <= 4 %> +################################ VIRTUAL MEMORY ############################### + +### WARNING! Virtual Memory is deprecated in Redis 2.4 +### The use of Virtual Memory is strongly discouraged. + +# Virtual Memory allows Redis to work with datasets bigger than the actual +# amount of RAM needed to hold the whole dataset in memory. +# In order to do so very used keys are taken in memory while the other keys +# are swapped into a swap file, similarly to what operating systems do +# with memory pages. +# +# To enable VM just set 'vm-enabled' to yes, and set the following three +# VM parameters accordingly to your needs. + +vm-enabled no +# vm-enabled yes + +# This is the path of the Redis swap file. As you can guess, swap files +# can't be shared by different Redis instances, so make sure to use a swap +# file for every redis process you are running. Redis will complain if the +# swap file is already in use. +# +# The best kind of storage for the Redis swap file (that's accessed at random) +# is a Solid State Disk (SSD). +# +# *** WARNING *** if you are using a shared hosting the default of putting +# the swap file under /tmp is not secure. Create a dir with access granted +# only to Redis user and configure Redis to create the swap file there. +vm-swap-file <%= "/tmp/redis-#{@name}.swap" %> + +# vm-max-memory configures the VM to use at max the specified amount of +# RAM. Everything that deos not fit will be swapped on disk *if* possible, that +# is, if there is still enough contiguous space in the swap file. +# +# With vm-max-memory 0 the system will swap everything it can. Not a good +# default, just specify the max amount of RAM you can in bytes, but it's +# better to leave some margin. For instance specify an amount of RAM +# that's more or less between 60 and 80% of your free RAM. +vm-max-memory 0 + +# Redis swap files is split into pages. An object can be saved using multiple +# contiguous pages, but pages can't be shared between different objects. +# So if your page is too big, small objects swapped out on disk will waste +# a lot of space. If you page is too small, there is less space in the swap +# file (assuming you configured the same number of total swap file pages). +# +# If you use a lot of small objects, use a page size of 64 or 32 bytes. +# If you use a lot of big objects, use a bigger page size. +# If unsure, use the default :) +vm-page-size 32 + +# Number of total memory pages in the swap file. +# Given that the page table (a bitmap of free/used pages) is taken in memory, +# every 8 pages on disk will consume 1 byte of RAM. +# +# The total swap size is vm-page-size * vm-pages +# +# With the default of 32-bytes memory pages and 134217728 pages Redis will +# use a 4 GB swap file, that will use 16 MB of RAM for the page table. +# +# It's better to use the smallest acceptable value for your application, +# but the default is large in order to work in most conditions. +vm-pages 134217728 + +# Max number of VM I/O threads running at the same time. +# This threads are used to read/write data from/to swap file, since they +# also encode and decode objects from disk to memory or the reverse, a bigger +# number of threads can help with big objects even if they can't help with +# I/O itself as the physical device may not be able to couple with many +# reads/writes operations at the same time. +# +# The special value of 0 turn off threaded I/O and enables the blocking +# Virtual Memory implementation. +vm-max-threads 4 +<% end %> + +<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 8 || @version[:major].to_i >= 3 %> +<% ######## Redis 2.8 and higher ######## %> +############################# Event notification ############################## + +# Redis can notify Pub/Sub clients about events happening in the key space. +# This feature is documented at http://redis.io/topics/keyspace-events +# +# For instance if keyspace events notification is enabled, and a client +# performs a DEL operation on key "foo" stored in the Database 0, two +# messages will be published via Pub/Sub: +# +# PUBLISH __keyspace@0__:foo del +# PUBLISH __keyevent@0__:del foo +# +# It is possible to select the events that Redis will notify among a set +# of classes. Every class is identified by a single character: +# +# K Keyspace events, published with __keyspace@__ prefix. +# E Keyevent events, published with __keyevent@__ prefix. +# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... +# $ String commands +# l List commands +# s Set commands +# h Hash commands +# z Sorted set commands +# x Expired events (events generated every time a key expires) +# e Evicted events (events generated when a key is evicted for maxmemory) +# A Alias for g$lshzxe, so that the "AKE" string means all the events. +# +# The "notify-keyspace-events" takes as argument a string that is composed +# of zero or multiple characters. The empty string means that notifications +# are disabled. +# +# Example: to enable list and generic events, from the point of view of the +# event name, use: +# +# notify-keyspace-events Elg +# +# Example 2: to get the stream of the expired keys subscribing to channel +# name __keyevent@0__:expired use: +# +# notify-keyspace-events Ex +# +# By default all notifications are disabled because most users don't need +# this feature and the feature has some overhead. Note that if you don't +# specify at least one of K or E, no events will be delivered. +notify-keyspace-events "<%= @notifykeyspaceevents %>" +<% end %> + +############################### ADVANCED CONFIG ############################### + +# Hashes are encoded using a memory efficient data structure when they have a +# small number of entries, and the biggest entry does not exceed a given +# threshold. These thresholds can be configured using the following directives. + +# Similarly to hashes, small lists are also encoded in a special way in order +# to save a lot of space. The special representation is only used when +# you are under the following limits: + +<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 6 || @version[:major].to_i >= 3 %> +<% ######## Redis 2.6 and higher ######## %> +hash-max-ziplist-entries <%= @hashmaxziplistentries %> +hash-max-ziplist-value <%= @hashmaxziplistvalue %> + +# Similarly to hashes, small lists are also encoded in a special way in order +# # to save a lot of space. The special representation is only used when +# # you are under the following limits: +list-max-ziplist-entries <%= @listmaxziplistentries %> +list-max-ziplist-value <%= @listmaxziplistvalue %> + +# Sets have a special encoding in just one case: when a set is composed +# of just strings that happen to be integers in radix 10 in the range +# of 64 bit signed integers. +# The following configuration setting sets the limit in the size of the +# set in order to use this special memory saving encoding. +set-max-intset-entries <%= @setmaxintsetentries %> + +# Similarly to hashes and lists, sorted sets are also specially encoded in +# order to save a lot of space. This encoding is only used when the length and +# elements of a sorted set are below the following limits: +zset-max-ziplist-entries <%= @zsetmaxziplistentries %> +zset-max-ziplist-value <%= @zsetmaxziplistvalue %> + +<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 8 && @version[:patch].to_i >= 9 || @version[:major].to_i == 3 %> +# HyperLogLog sparse representation bytes limit. The limit includes the +# 16 bytes header. When an HyperLogLog using the sparse representation crosses +# this limit, it is converted into the dense representation. +# +# A value greater than 16000 is totally useless, since at that point the +# dense representation is more memory efficient. +# +# The suggested value is ~ 3000 in order to have the benefits of +# the space efficient encoding without slowing down too much PFADD, +# which is O(N) with the sparse encoding. The value can be raised to +# ~ 10000 when CPU is not a concern, but space is, and the data set is +# composed of many HyperLogLogs with cardinality in the 0 - 15000 range. +hll-sparse-max-bytes <%= @hllsparsemaxbytes %> +<% end %> + +# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in +# order to help rehashing the main Redis hash table (the one mapping top-level +# keys to values). The hash table implementation Redis uses (see dict.c) +# performs a lazy rehashing: the more operation you run into a hash table +# that is rehashing, the more rehashing "steps" are performed, so if the +# server is idle the rehashing is never complete and some more memory is used +# by the hash table. +# +# The default is to use this millisecond 10 times every second in order to +# actively rehash the main dictionaries, freeing memory when possible. +# +# If unsure: +# use "activerehashing no" if you have hard latency requirements and it is +# not a good thing in your environment that Redis can reply from time to time +# to queries with 2 milliseconds delay. +# +# use "activerehashing yes" if you don't have such hard requirements but +# want to free memory asap when possible. +activerehashing <%= @activerehasing %> + +<% elsif @version[:major].to_i == 2 && @version[:minor].to_i == 4 %> +<% ######## Redis 2.4 ######## %> + hash-max-zipmap-entries 512 + hash-max-zipmap-value 64 +<% end %> + +<% if (@version[:major].to_i == 2 && @version[:minor].to_i >= 6) || @version[:major].to_i >= 3 %> +# The client output buffer limits can be used to force disconnection of clients +# that are not reading data from the server fast enough for some reason (a +# common reason is that a Pub/Sub client can't consume messages as fast as the +# publisher can produce them). +# +# The limit can be set differently for the three different classes of clients: +# +# normal -> normal clients +# slave -> slave clients and MONITOR clients +# pubsub -> clients subscribed to at least one pubsub channel or pattern +# +# The syntax of every client-output-buffer-limit directive is the following: +# +# client-output-buffer-limit +# +# A client is immediately disconnected once the hard limit is reached, or if +# the soft limit is reached and remains reached for the specified number of +# seconds (continuously). +# So for instance if the hard limit is 32 megabytes and the soft limit is +# 16 megabytes / 10 seconds, the client will get disconnected immediately +# if the size of the output buffers reach 32 megabytes, but will also get +# disconnected if the client reaches 16 megabytes and continuously overcomes +# the limit for 10 seconds. +# +# By default normal clients are not limited because they don't receive data +# without asking (in a push way), but just after a request, so only +# asynchronous clients may create a scenario where data is requested faster +# than it can read. +# +# Instead there is a default limit for pubsub and slave clients, since +# subscribers and slaves receive data in a push fashion. +# +# Both the hard or the soft limit can be disabled by setting them to zero. + +#client-output-buffer-limit normal 0 0 0 +#client-output-buffer-limit slave 256mb 64mb 60 +#client-output-buffer-limit pubsub 32mb 8mb 60 + +<% @clientoutputbufferlimit.each do |c| %> +<%= "client-output-buffer-limit #{c.flatten.join(' ')}" %> +<% end %> +<% end %> + +<% if (@version[:major].to_i == 2 && @version[:minor].to_i >= 8) || @version[:major].to_i >= 3 %> +# Redis calls an internal function to perform many background tasks, like +# closing connections of clients in timeout, purging expired keys that are +# never requested, and so forth. +# +# Not all tasks are performed with the same frequency, but Redis checks for +# tasks to perform according to the specified "hz" value. +# +# By default "hz" is set to 10. Raising the value will use more CPU when +# Redis is idle, but at the same time will make Redis more responsive when +# there are many keys expiring at the same time, and timeouts may be +# handled with more precision. +# +# The range is between 1 and 500, however a value over 100 is usually not +# a good idea. Most users should use the default of 10 and raise this up to +# 100 only in environments where very low latency is required. +hz <%= @hz %> + +# When a child rewrites the AOF file, if the following option is enabled +# the file will be fsync-ed every 32 MB of data generated. This is useful +# in order to commit the file to the disk more incrementally and avoid +# big latency spikes. +aof-rewrite-incremental-fsync <%= @aofrewriteincrementalfsync %> +<% end %> + +<%if @clusterenabled == 'yes' %> +cluster-enabled yes +cluster-config-file <%= @clusterconfigfile || "nodes-#{@name}.conf" %> +cluster-node-timeout <%= @clusternodetimeout %> +<%end%> + +################################## INCLUDES ################################### + +# Include one or more other config files here. This is useful if you +# have a standard template that goes to all redis server but also need +# to customize a few per-server settings. Include files can include +# other files, so use this wisely. +# +# include /path/to/local.conf +# include /path/to/other.conf +<% unless @includes.nil? %> + <% @includes.each do |include_option| %> + <%= "include #{include_option}" %> + <% end %> +<% end %> diff --git a/cookbooks/redisio/templates/default/redis.init.erb b/cookbooks/redisio/templates/default/redis.init.erb new file mode 100644 index 0000000..e687616 --- /dev/null +++ b/cookbooks/redisio/templates/default/redis.init.erb @@ -0,0 +1,96 @@ +#!/bin/sh +# +# Simple Redis init.d script conceived to work on Linux systems +# as it does use of the /proc filesystem. +# +# description: Redis is an in memory key-value store database +# +### BEGIN INIT INFO +# Provides: redis<%= @port %> +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Required-Start: <%= @required_start %> +# Required-Stop: <%= @required_stop %> +# Description: redis<%= @port %> init script +### END INIT INFO + +REDISNAME=<%= @name %> +REDISPORT=<%= @port %> +<% case @platform %> +<% when 'ubuntu','debian','fedora' %> +EXEC="su -s /bin/sh -c '<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${REDISNAME}.conf' <%= @user %>" +<% else %> +EXEC="runuser <%= @user %> -c \"<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${REDISNAME}.conf\"" +<% end %> +CLIEXEC=<%= File.join(@bin_path, 'redis-cli') %> + +<% connection_string = String.new %> +<% if @unixsocket.nil? %> + <% connection_string << " -p #{@port}" %> + <% connection_string << " -h #{@address.respond_to?(:first) ? @address.first : @address }" if @address %> +<% else %> + <% connection_string << " -s #{@unixsocket}" %> +<% end %> +<% connection_string << " -a '#{@requirepass}'" unless @requirepass.nil? %> + +PIDFILE=<%= @piddir %>/redis_${REDISNAME}.pid + +if [ ! -d <%= @piddir %> ]; then + mkdir -p <%= @piddir %> + chown <%= @user %> <%= @piddir %> +fi + +ulimit -n <%= @ulimit %> + +case "$1" in + status) + if [ -f $PIDFILE ] + then + echo "redis$REDISNAME $PIDFILE exists, pid is $(cat $PIDFILE), should be running" + ps -p $(cat $PIDFILE) >/dev/null 2>&1 + exit $? + else + echo "redis$REDISNAME $PIDFILE doesn't exist" + exit 3 + fi + ;; + start) + if [ -f $PIDFILE ] + then + echo "$PIDFILE exists, process is already running or crashed" + PIDNUM=`cat $PIDFILE` + PROCESS_RUNNING=`ps --no-headers -q $PIDNUM | wc -l` + if [ ! $PROCESS_RUNNING -eq 1 ] + then + echo "The PID doesn't exists, restarting it." + rm $PIDFILE + eval $EXEC + fi + else + echo "Starting Redis server..." + eval $EXEC + fi + ;; + stop) + if [ ! -f $PIDFILE ] + then + echo "$PIDFILE does not exist, process is not running" + else + PID=$(cat $PIDFILE) + echo "Stopping ..." + + <%= "$CLIEXEC #{connection_string} save" if @shutdown_save %> + $CLIEXEC <%= connection_string %> shutdown + + while [ -x /proc/${PID} ] + do + echo "Waiting for Redis to shutdown ..." + sleep 1 + done + echo "Redis stopped" + fi + ;; + *) + echo "Please use start or stop as first argument" + ;; +esac diff --git a/cookbooks/redisio/templates/default/redis.rcinit.erb b/cookbooks/redisio/templates/default/redis.rcinit.erb new file mode 100644 index 0000000..a2dfd32 --- /dev/null +++ b/cookbooks/redisio/templates/default/redis.rcinit.erb @@ -0,0 +1,69 @@ +#!/bin/sh +# +# + +# PROVIDE: redis<%= @name %> +# REQUIRE: LOGIN +# BEFORE: securelevel +# KEYWORD: shutdown + +# Add the following line to /etc/rc.conf to enable `redis': +# +#redis<%= @name %>_enable="YES" +# +# Define profiles here to run separate redis instances: +# +#redis_profiles="foo bar" # Script uses /usr/local/etc/redis-NAME.conf respectively. +# For correct script working please update pidfile entries in +# redis-NAME.conf files. + +. /etc/rc.subr + +name="redis<%= @name %>" +rcvar="${name}_enable" + +extra_commands="reload" + +command="<%= File.join(@bin_path, 'redis-server') %>" +pidfile="<%= @piddir %>/redis_<%=@name%>.pid" + +# read configuration and set defaults +load_rc_config "$name" +: ${redis<%= @name %>_enable="NO"} +: ${redis_user="<%= @user %>"} +: ${redis_config="<%= @configdir %>/<%= @name %>.conf"} + +command_args="${redis_config}" +required_files="${redis_config}" + +_profile_exists() { + for _p in ${redis_profiles}; do + [ "${_p}" = "$1" ] && return 1; + done + return 0 +} + +if [ $# -eq 2 ]; then + _profile=$2 + _profile_exists $_profile + _exists=$? + [ ${_exists} -ne 1 ] && { + echo "`basename /usr/local/etc/rc.d/redis`: no '$2' in 'redis_profiles'" + exit 1 + }; + echo "-- Profile: ${name} --" + config_file="/usr/local/etc/redis/${name}.conf" + command_args="${config_file}" + pidfile="<%= @piddir %>/${name}.pid" + required_files="${config_file}" +elif [ -n "${redis_profiles}" ]; then + _swap=$*; shift; _profiles=$* + _profiles=${_profiles:-${redis_profiles}} + set -- ${_swap} + for _profile in ${_profiles}; do + /usr/local/etc/rc.d/redis $1 ${_profile} + done + exit 0 +fi + +run_rc_command "$1" \ No newline at end of file diff --git a/cookbooks/redisio/templates/default/redis.upstart.conf.erb b/cookbooks/redisio/templates/default/redis.upstart.conf.erb new file mode 100644 index 0000000..479d048 --- /dev/null +++ b/cookbooks/redisio/templates/default/redis.upstart.conf.erb @@ -0,0 +1,19 @@ +description "Start the redis instance on port <%= @port %>" +author "Installed by chef redisio cookbook" + +#start on runlevel [2345] +stop on runlevel [06] + +script + if [ ! -d <%= @piddir %> ]; then + mkdir -p <%= @piddir %> + chown <%= @user %>:<%= @group %> <%= @piddir %> + fi +end script + +# If the job exits, restart it. Give up with more than 10 restarts in 30 seconds. +respawn +respawn limit 10 30 + +exec su -s /bin/sh -c 'exec "$0" "$@"' <%= @user %> <%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/<%= @name %>.conf + diff --git a/cookbooks/redisio/templates/default/redis@.service.erb b/cookbooks/redisio/templates/default/redis@.service.erb new file mode 100644 index 0000000..c5cd645 --- /dev/null +++ b/cookbooks/redisio/templates/default/redis@.service.erb @@ -0,0 +1,12 @@ +[Unit] +Description=Redis (%i) persistent key-value database +After=network.target + +[Service] +ExecStart=<%= @bin_path %>/redis-server /etc/redis/%i.conf --daemonize no +User=<%= @user %> +Group=<%= @group %> +LimitNOFILE=<%= @limit_nofile %> + +[Install] +WantedBy=multi-user.target diff --git a/cookbooks/redisio/templates/default/sentinel.conf.erb b/cookbooks/redisio/templates/default/sentinel.conf.erb new file mode 100644 index 0000000..278e854 --- /dev/null +++ b/cookbooks/redisio/templates/default/sentinel.conf.erb @@ -0,0 +1,203 @@ +# Example sentinel.conf + +# redisio Cookbook additions +<% if @job_control == 'initd' || @job_control == 'rcinit' %> +daemonize yes +<% end %> +pidfile <%= @piddir %>/sentinel_<%=@name%>.pid +loglevel <%=@loglevel%> +syslog-enabled <%= @syslogenabled %> +syslog-ident redis-<%= @name %> +syslog-facility <%= @syslogfacility %> +<%= "logfile #{@logfile}" unless @logfile.nil? %> + +<% if @sentinel_bind %> +bind <%=@sentinel_bind%> +<% end %> + + <% if @protected_mode %> +<%= "protected-mode #{@protected_mode}" %> +<% end %> + +# port +# The port that this sentinel instance will run on +port <%=@sentinel_port%> + +# sentinel announce-ip +# sentinel announce-port +# +# The above two configuration directives are useful in environments where, +# because of NAT, Sentinel is reachable from outside via a non-local address. +# +# When announce-ip is provided, the Sentinel will claim the specified IP address +# in HELLO messages used to gossip its presence, instead of auto-detecting the +# local address as it usually does. +# +# Similarly when announce-port is provided and is valid and non-zero, Sentinel +# will announce the specified TCP port. +# +# The two options don't need to be used together, if only announce-ip is +# provided, the Sentinel will announce the specified IP and the server port +# as specified by the "port" option. If only announce-port is provided, the +# Sentinel will announce the auto-detected local IP and the specified port. +# +# Example: +# +# sentinel announce-ip 1.2.3.4 +<%= "sentinel announce-ip #{@announce_ip}" unless @announce_ip.nil? %> +<%= "sentinel announce-port #{@announce_port}" unless @announce_port.nil? %> + +# sentinel monitor +# +# Tells Sentinel to monitor this slave, and to consider it in O_DOWN +# (Objectively Down) state only if at least sentinels agree. +# +# Note: master name should not include special characters or spaces. +# The valid charset is A-z 0-9 and the three characters ".-_". +# sentinel monitor mymaster 127.0.0.1 6379 2 +<% @masters.each do |current| %> +<% calc_name = String(current['master_name'] || @name || 'master_name') %> +<%= "sentinel monitor #{calc_name} #{current['master_ip']} #{current['master_port']} #{current['quorum_count']}" %> +<% end %> +# sentinel auth-pass +# +# Set the password to use to authenticate with the master and slaves. +# Useful if there is a password set in the Redis instances to monitor. +# +# Note that the master password is also used for slaves, so it is not +# possible to set a different password in masters and slaves instances +# if you want to be able to monitor these instances with Sentinel. +# +# However you can have Redis instances without the authentication enabled +# mixed with Redis instances requiring the authentication (as long as the +# password set is the same for all the instances requiring the password) as +# the AUTH command will have no effect in Redis instances with authentication +# switched off. +# +# Example: +# +# sentinel auth-pass mymaster MySUPER--secret-0123passw0rd +<% @masters.each do |current| %> +<% calc_name = String(current['master_name'] || @name || 'master_name') %> +<%= "sentinel auth-pass #{calc_name} #{current['auth_pass']}" unless current['auth_pass'].nil? %> +<% end %> +# sentinel down-after-milliseconds +# +# Number of milliseconds the master (or any attached slave or sentinel) should +# be unreachable (as in, not acceptable reply to PING, continuously, for the +# specified period) in order to consider it in S_DOWN state (Subjectively +# Down). +# +# Default is 30 seconds. +<% @masters.each do |current| %> +<% calc_name = String(current['master_name'] || @name || 'master_name') %> +<%= "sentinel down-after-milliseconds #{calc_name} #{current['down_after_milliseconds']}" unless current['down_after_milliseconds'].nil? %> +<% end %> +# sentinel parallel-syncs +# +# How many slaves we can reconfigure to point to the new slave simultaneously +# during the failover. Use a low number if you use the slaves to serve query +# to avoid that all the slaves will be unreachable at about the same +# time while performing the synchronization with the master. +<% @masters.each do |current| %> +<% calc_name = String(current['master_name'] || @name || 'master_name') %> +<%= "sentinel parallel-syncs #{calc_name} #{current['parallel_syncs']}" unless current['parallel_syncs'].nil? %> +<% end %> +# sentinel failover-timeout +# +# Specifies the failover timeout in milliseconds. When this time has elapsed +# without any progress in the failover process, it is considered concluded by +# the sentinel even if not all the attached slaves were correctly configured +# to replicate with the new master (however a "best effort" SLAVEOF command +# is sent to all the slaves before). +# +# Also when 25% of this time has elapsed without any advancement, and there +# is a leader switch (the sentinel did not started the failover but is now +# elected as leader), the sentinel will continue the failover doing a +# "takeover". +# +# Default is 15 minutes. +<% @masters.each do |current| %> +<% calc_name = String(current['master_name'] || @name || 'master_name') %> +<%= "sentinel failover-timeout #{calc_name} #{current['failover_timeout']}" unless current['failover_timeout'].nil? %> +<% end %> + +<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 8 || @version[:major].to_i > 3 %> +# SCRIPTS EXECUTION +# +# sentinel notification-script and sentinel reconfig-script are used in order +# to configure scripts that are called to notify the system administrator +# or to reconfigure clients after a failover. The scripts are executed +# with the following rules for error handling: +# +# If script exists with "1" the execution is retried later (up to a maximum +# number of times currently set to 10). +# +# If script exists with "2" (or an higher value) the script execution is +# not retried. +# +# If script terminates because it receives a signal the behavior is the same +# as exit code 1. +# +# A script has a maximum running time of 60 seconds. After this limit is +# reached the script is terminated with a SIGKILL and the execution retried. + +# NOTIFICATION SCRIPT +# +# sentinel notification-script +# +# Call the specified notification script for any sentienl event that is +# generated in the WARNING level (for instance -sdown, -odown, and so forth). +# This script should notify the system administrator via email, SMS, or any +# other messaging system, that there is something wrong with the monitored +# Redis systems. +# +# The script is called with just two arguments: the first is the event type +# and the second the event description. +# +# The script must exist and be executable in order for sentinel to start if +# this option is provided. +# +# Example: +# +# sentinel notification-script mymaster /var/redis/notify.sh +<%= "sentinel notification-script #{@name} #{@notification_script}" unless @notification_script.nil? %> + +# CLIENTS RECONFIGURATION SCRIPT +# +# sentinel client-reconfig-script +# +# When the failover starts, ends, or is aborted, a script can be called in +# order to perform application-specific tasks to notify the clients that the +# configuration has changed and the master is at a different address. +# +# The script is called in the following cases: +# +# Failover started (a slave is already promoted) +# Failover finished (all the additional slaves already reconfigured) +# Failover aborted (in that case the script was previously called when the +# failover started, and now gets called again with swapped +# addresses). +# +# The following arguments are passed to the script: +# +# +# +# is "start", "end" or "abort" +# is either "leader" or "observer" +# +# The arguments from-ip, from-port, to-ip, to-port are used to communicate +# the old address of the master and the new address of the elected slave +# (now a master) in the case state is "start" or "end". +# +# For abort instead the "from" is the address of the promoted slave and +# "to" is the address of the original master address, since the failover +# was aborted. +# +# This script should be resistant to multiple invocations. +# +# Example: +# +# sentinel client-reconfig-script mymaster /var/redis/reconfig.sh +<%= "sentinel client-reconfig-script #{@name} #{@client_reconfig_script}" unless @client_reconfig_script.nil? %> +<% end %> diff --git a/cookbooks/redisio/templates/default/sentinel.init.erb b/cookbooks/redisio/templates/default/sentinel.init.erb new file mode 100644 index 0000000..d2620be --- /dev/null +++ b/cookbooks/redisio/templates/default/sentinel.init.erb @@ -0,0 +1,78 @@ +#!/bin/sh +# +# Simple Redis init.d script conceived to work on Linux systems +# as it does use of the /proc filesystem. +# +# description: Redis is an in memory key-value store database +# +### BEGIN INIT INFO +# Provides: redissentinel_<%=@name%> +# Required-Start: +# Required-Stop: +# Should-Start: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: +# Description: redissentinel_<%=@name%> init script +### END INIT INFO + +SENTINELNAME=<%= @name %> +<% case @platform %> +<% when 'ubuntu','debian','fedora' %> +EXEC="su -s /bin/sh -c '<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${SENTINELNAME}.conf --sentinel' <%= @user %>" +<% else %> +EXEC="runuser <%= @user %> -c \"<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${SENTINELNAME}.conf --sentinel\"" +<% end %> +CLIEXEC=<%= File.join(@bin_path, 'redis-cli') %> + + +PIDFILE=<%= @piddir %>/${SENTINELNAME}.pid + +if [ ! -d <%= @piddir %> ]; then + mkdir -p <%= @piddir %> + chown <%= @user %> <%= @piddir %> +fi + +case "$1" in + status) + if [ -f $PIDFILE ] + then + echo "redis$SENTINELNAME $PIDFILE exists, pid is $(cat $PIDFILE), should be running" + ps -p $(cat $PIDFILE) >/dev/null 2>&1 + exit $? + else + echo "redis$SENTINELNAME $PIDFILE doesn't exist" + exit 3 + fi + ;; + start) + if [ -f $PIDFILE ] + then + echo "$PIDFILE exists, process is already running or crashed" + else + echo "Starting Redis server..." + eval $EXEC + fi + ;; + stop) + if [ ! -f $PIDFILE ] + then + echo "$PIDFILE does not exist, process is not running" + else + PID=$(cat $PIDFILE) + echo "Stopping ..." + + kill ${PID} + + while [ -x /proc/${PID} ] + do + echo "Waiting for Redis to shutdown ..." + sleep 1 + done + echo "Redis stopped" + fi + ;; + *) + echo "Please use start or stop as first argument" + ;; +esac diff --git a/cookbooks/redisio/templates/default/sentinel.rcinit.erb b/cookbooks/redisio/templates/default/sentinel.rcinit.erb new file mode 100644 index 0000000..212e737 --- /dev/null +++ b/cookbooks/redisio/templates/default/sentinel.rcinit.erb @@ -0,0 +1,39 @@ +#!/bin/sh + +# PROVIDE: sentinel_<%=@name%> +# REQUIRE: LOGIN +# BEFORE: securelevel +# KEYWORD: shutdown + +# Add the following line to /etc/rc.conf to enable `sentinel': +# +#redis_<%= @name %>_enable="YES" +# + +. /etc/rc.subr + +name="redis_<%= @name %>" +rcvar="${name}_enable" + +command="<%= File.join(@bin_path, 'redis-sentinel') %>" +pidfile="<%= @piddir %>/<%=@name%>.pid" + +# read configuration and set defaults +load_rc_config "$name" +: ${sentinel_enable="NO"} +: ${sentinel_user="<%= @user %>"} +: ${sentinel_config="<%= @configdir %>/<%= @name %>.conf"} + +command_args="${sentinel_config} --daemonize yes --pidfile ${pidfile}" +required_files="${sentinel_config}" +start_precmd="sentinel_checks" +restart_precmd="sentinel_checks" + +sentinel_checks() +{ + if [ x`id -u ${sentinel_user}` != x`stat -f %u ${sentinel_config}` ]; then + err 1 "${sentinel_config} must be owned by user ${sentinel_user}" + fi +} + +run_rc_command "$1" \ No newline at end of file diff --git a/cookbooks/redisio/templates/default/sentinel.upstart.conf.erb b/cookbooks/redisio/templates/default/sentinel.upstart.conf.erb new file mode 100644 index 0000000..a9e5faf --- /dev/null +++ b/cookbooks/redisio/templates/default/sentinel.upstart.conf.erb @@ -0,0 +1,19 @@ +description "Start the redis-sentinel instance on port <%= @port %>" +author "Installed by chef redisio cookbook" + +#start on runlevel [2345] +stop on runlevel [06] + +script + if [ ! -d <%= @piddir %> ]; then + mkdir -p <%= @piddir %> + chown <%= @user %>:<%= @group %> <%= @piddir %> + fi +end script + +# If the job exits, restart it. Give up with more than 10 restarts in 30 seconds. +respawn +respawn limit 10 30 + +exec su -s /bin/sh -c 'exec "$0" "$@"' -- <%= @user %> <%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/<%= @name %>.conf --sentinel + diff --git a/cookbooks/redisio/templates/default/su.erb b/cookbooks/redisio/templates/default/su.erb new file mode 100644 index 0000000..882fbd6 --- /dev/null +++ b/cookbooks/redisio/templates/default/su.erb @@ -0,0 +1,62 @@ +# +# The PAM configuration file for the Shadow `su' service +# +# This file modified by Chef to enable ulimit switching with `su` +# + +# This allows root to su without passwords (normal operation) +auth sufficient pam_rootok.so + +# Uncomment this to force users to be a member of group root +# before they can use `su'. You can also add "group=foo" +# to the end of this line if you want to use a group other +# than the default "root" (but this may have side effect of +# denying "root" user, unless she's a member of "foo" or explicitly +# permitted earlier by e.g. "sufficient pam_rootok.so"). +# (Replaces the `SU_WHEEL_ONLY' option from login.defs) +# auth required pam_wheel.so + +# Uncomment this if you want wheel members to be able to +# su without a password. +# auth sufficient pam_wheel.so trust + +# Uncomment this if you want members of a specific group to not +# be allowed to use su at all. +# auth required pam_wheel.so deny group=nosu + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on su usage. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +# +# "nopen" stands to avoid reporting new mail when su'ing to another user +session optional pam_mail.so nopen + +# Sets up user limits, please uncomment and read /etc/security/limits.conf +# to enable this functionality. +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +@include common-auth +@include common-account +@include common-session diff --git a/cookbooks/redisio/templates/default/ulimit.erb b/cookbooks/redisio/templates/default/ulimit.erb new file mode 100644 index 0000000..46065e9 --- /dev/null +++ b/cookbooks/redisio/templates/default/ulimit.erb @@ -0,0 +1,32 @@ +# Limits settings for <%= @ulimit_user %> +<% unless @filehandle_limit.nil? -%> +<%= @ulimit_user -%> - nofile <%= @filehandle_limit %> +<% else -%><% unless @filehandle_soft_limit.nil? -%><%= @ulimit_user -%> soft nofile <%= @filehandle_soft_limit %><% end -%> +<% unless @filehandle_hard_limit.nil? -%><%= @ulimit_user -%> hard nofile <%= @filehandle_hard_limit %><% end -%> +<% end -%> +<% unless @process_limit.nil? -%> +<%= @ulimit_user -%> - nproc <%= @process_limit %> +<% else -%><% unless @process_soft_limit.nil? -%><%= @ulimit_user -%> soft nproc <%= @process_soft_limit %><% end -%> +<% unless @process_hard_limit.nil? -%><%= @ulimit_user -%> hard nproc <%= @process_hard_limit %><% end -%> +<% end -%> +<% unless @memory_limit.nil? -%> +<%= @ulimit_user -%> - memlock <%= @memory_limit %> +<% end -%> +<% unless @core_limit.nil? -%> +<%= @ulimit_user -%> - core <%= @core_limit %> +<% else -%><% unless @core_soft_limit.nil? -%><%= @ulimit_user -%> soft core <%= @core_soft_limit %><% end -%> +<% unless @core_hard_limit.nil? -%><%= @ulimit_user -%> hard core <%= @core_hard_limit %><% end -%> +<% end -%> +<% unless @stack_limit.nil? -%> +<%= @ulimit_user -%> - stack <%= @stack_limit %> +<% else -%><% unless @stack_soft_limit.nil? -%><%= @ulimit_user -%> soft stack <%= @stack_soft_limit %><% end -%> +<% unless @stack_hard_limit.nil? -%><%= @ulimit_user -%> hard stack <%= @stack_hard_limit %><% end -%> +<% end -%> +<% unless @rtprio_limit.nil? -%> +<%= @ulimit_user -%> - rtprio <%= @rtprio_limit %> +<% else -%><% unless @rtprio_soft_limit.nil? -%><%= @ulimit_user -%> soft rtprio <%= @rtprio_soft_limit %><% end -%> +<% unless @rtprio_hard_limit.nil? -%><%= @ulimit_user -%> hard rtprio <%= @rtprio_hard_limit %><% end -%> +<% end -%> +<% unless @virt_limit.nil? -%> + <%= @ulimit_user -%> - as <%= @virt_limit %> +<% end -%> diff --git a/cookbooks/selinux/CHANGELOG.md b/cookbooks/selinux/CHANGELOG.md new file mode 100644 index 0000000..2e0c151 --- /dev/null +++ b/cookbooks/selinux/CHANGELOG.md @@ -0,0 +1,184 @@ +# selinux Cookbook CHANGELOG + +This file is used to list changes made in each version of the selinux cookbook. + +## 6.0.1 - *2021-11-03* + +- Correctly parse ports with multple contexts + +## 6.0.0 - *2021-09-02* + +- Import `selinux_policy` resources into this cookbook (`_fcontext`, `_permissive`, and `_port`) + - `selinux_policy_module` not imported since it is a duplicate of `selinux_module` + +### Deprecations + +- `selinux_fcontext` action `addormodify` renamed to `manage` +- `selinux_port` action `addormodify` renamed to `manage` + +## 5.1.1 - *2021-08-30* + +- Standardise files with files in sous-chefs/repo-management + +## 5.1.0 - *2021-08-21* + +- Fix `selinux_install` on Alma Linux / Oracle Linux + +## 5.0.0 - *2021-08-10* + +### Note: With version 5.0.0 the default recipe has been removed + +- Major refactoring +- Restore support for Debian based distros +- All resources now use unified_mode +- Added selinux_boolean resource +- Remove attributes and default recipe + - Replaced with a set of bare recipes for the three selinux states +- Add automatic restart function to `selinux_state` resource + +## 4.0.0 - *2021-07-21* + +- Sous Chefs adoption +- Enable `unified_mode` for Chef 17 compatibility +- Update test platforms + +## 3.1.1 (2020-09-29) + +- Move `default['selinux']['status']` attribute to `default['selinux']['state']` to avoid conflicts with Ohai in Chef Infra Client 16 - [@shoekstra](https://github.com/shoekstra) + +## 3.1.0 (2020-09-29) + +- Cookstyle Bot Auto Corrections with Cookstyle 6.16.8 - [@cookstyle](https://github.com/cookstyle) +- Add a new `node['selinux']['install_mcstrans_package']` attribute to control installation of the mcdtrans package. This default to true to maintain existing functionality. - [@kapilchouhan99](https://github.com/kapilchouhan99) + +## 3.0.2 (2020-08-25) + +- Fix failures in CI- [@shoekstra](https://github.com/shoekstra) +- Specify platform to SoloRunner - [@shoekstra](https://github.com/shoekstra) +- Remove unnecessary Foodcritic comments - [@tas50](https://github.com/tas50) +- Notify :immediately not :immediate - [@tas50](https://github.com/tas50) +- Add Github actions testing of style/unit - [@tas50](https://github.com/tas50) +- [GH-67] - Do not try to modify frozen checksum - [@vzDevelopment](https://github.com/vzDevelopment) +- Standardise files with files in chef-cookbooks/repo-management - [@xorimabot](https://github.com/xorimabot) + +## 3.0.1 (2019-11-14) + +- Remove the deprecated ChefSpec report - [@tas50](https://github.com/tas50) +- Allow "-" and "_" for module names - [@ramereth](https://github.com/ramereth) +- Update Fedora versions we test on - [@tas50](https://github.com/tas50) + +## 3.0.0 (2019-06-06) + +- Support for SELinux Modules, via new resource `selinux_module`, able to compile `.te` files, install and remove modules; +- Improving test coverage for all resources +- Remove support for Ubuntu/Debian +- Require Chef 13+ + +## 2.1.1 (2018-06-07) + +- Do not execute setenforce 1 always +- Remove chefspec matchers that are autogenerated now +- Chef 13 Fixes + +## 2.1.0 (2017-09-15) + +- Simplify Travis config and fix ChefDK 2.0 failures +- Use bento slugs in Kitchen +- Remove maintainer files +- More cleanup of the maintainer files +- Speed up install with multi-package install + +## 2.0.3 (2017-06-13) + +- Fix boolean check within default recipe + +## 2.0.2 (2017-06-05) + +- Permissive guard should grep for permissive not just disabled + +## 2.0.1 (2017-05-30) + +- Remove class_eval usage + +## 2.0.0 (2017-05-15) + +- Deprecate debian family support +- Make default for rhel family use setenforce regardless of whether a temporary change or not. Eliminates the requirement for a required reboot to effect change in the running system. + +## 1.0.4 (2017-04-17) + +- Switch to local delivery for testing +- Use the standard apache license string +- Updates for early Chef 12 and Chef 13 compatibility +- Update and add copyright blocks to the various files + +## 1.0.3 (2017-03-14) + +- Fix requirement in metadata to reflect need for Chef 12.7 as using action_class in state resource. + +## 1.0.2 (2017-03-01) + +- Remove setools* packages from install resource (utility to analyze and query policies, monitor and report audit logs, and manage file context). Future versions of this cookbook that might use this need to handle package install on Oracle Linux as not available in default repo. + +## 1.0.1 (2017-02-26) + +- Fix logic error in the permissive state change + +## 1.0.0 (2017-02-26) + +- **BREAKING CHANGE** `node['selinux']['state']` is now `node['selinux']['status']` to meet Chef 13 requirements. +- Update to current cookbook engineering standards +- Rewrite LWRP to 12.5 resources +- Resolved cookstyle errors +- Update package information for debian based on + + - selinux-activate looks like it's required to ACTUALLY activate selinux on non-RHEL systems. This seems like it could be destructive if unexpected. + +- Add property temporary to allow for switching between permissive and enabled + +- Add install resource + +## v0.9.0 (2015-02-22) + +- Initial Debian / Ubuntu support +- Various bug fixes + +## v0.8.0 (2014-04-23) + +- [COOK-4528] - Fix selinux directory permissions +- [COOK-4562] - Basic support for Ubuntu/Debian + +## v0.7.2 (2014-03-24) + +handling minimal installs + +## v0.7.0 (2014-02-27) + +[COOK-4218] Support setting SELinux boolean values + +## v0.6.2 + +- Fixing bug introduced in 0.6.0 +- adding basic test-kitchen coverage + +## v0.6.0 + +- [COOK-760] - selinux enforce/permit/disable based on attribute + +## v0.5.6 + +- [COOK-2124] - enforcing recipe fails if selinux is disabled + +## v0.5.4 + +- [COOK-1277] - disabled recipe fails on systems w/o selinux installed + +## v0.5.2 + +- [COOK-789] - fix dangling commas causing syntax error on some rubies + +## v0.5.0 + +- [COOK-678] - add the selinux cookbook to the repository +- Use main selinux config file (/etc/selinux/config) +- Use getenforce instead of selinuxenabled for enforcing and permissive diff --git a/cookbooks/selinux/LICENSE b/cookbooks/selinux/LICENSE new file mode 100644 index 0000000..8dada3e --- /dev/null +++ b/cookbooks/selinux/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/cookbooks/selinux/README.md b/cookbooks/selinux/README.md new file mode 100644 index 0000000..9a452bf --- /dev/null +++ b/cookbooks/selinux/README.md @@ -0,0 +1,81 @@ +# SELinux Cookbook + +[![Cookbook Version](https://img.shields.io/cookbook/v/selnux.svg)](https://supermarket.chef.io/cookbooks/selinux) +[![CI State](https://github.com/sous-chefs/selinux/workflows/ci/badge.svg)](https://github.com/sous-chefs/selinux/actions?query=workflow%3Aci) +[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers) +[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors) +[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0) + +## Description + +The SELinux (Security Enhanced Linux) cookbook provides recipes for manipulating SELinux policy enforcement state. + +SELinux can have one of three settings: + +`Enforcing` + +- Watches all system access checks, stops all 'Denied access' +- Default mode on RHEL systems + +`Permissive` + +- Allows access but reports violations + +`Disabled` + +- Disables SELinux from the system but is only read at boot time. If you set this flag, you must reboot. + +Disable SELinux only if you plan to not use it. Use `Permissive` mode if you just need to debug your system. + +## Requirements + +- Chef 15.3 or higher + +## Platform + +- RHEL 7+ +- CentOS 7+ +- Fedora +- Ubuntu +- Debian + +## Resources + +The following resources are provided: + +- [selinux_boolean](documentation/selinux_boolean.md) +- [selinux_fcontext](documentation/selinux_fcontext.md) +- [selinux_install](documentation/selinux_install.md) +- [selinux_module](documentation/selinux_module.md) +- [selinux_permissive](documentation/selinux_permissive.md) +- [selinux_port](documentation/selinux_port.md) +- [selinux_state](documentation/selinux_state.md) + +## Maintainers + +This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF). + +## Contributors + +This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false) + +### Backers + +Thank you to all our backers! + +![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40) + +### Sponsors + +Support this project by becoming a sponsor. Your logo will show up here with a link to your website. + +![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100) diff --git a/cookbooks/selinux/chefignore b/cookbooks/selinux/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/cookbooks/selinux/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/cookbooks/selinux/libraries/boolean.rb b/cookbooks/selinux/libraries/boolean.rb new file mode 100644 index 0000000..c64d07c --- /dev/null +++ b/cookbooks/selinux/libraries/boolean.rb @@ -0,0 +1,17 @@ +module SELinux + module Cookbook + module BooleanHelpers + def selinux_bool(bool) + if ['on', 'true', '1', true, 1].include?(bool) + 'on' + elsif ['off', 'false', '0', false, 0].include?(bool) + 'off' + else + raise ArgumentError, "selinux_bool: Invalid selinux boolean value #{bool}" + end + end + + module_function :selinux_bool + end + end +end diff --git a/cookbooks/selinux/libraries/install.rb b/cookbooks/selinux/libraries/install.rb new file mode 100644 index 0000000..b99c64f --- /dev/null +++ b/cookbooks/selinux/libraries/install.rb @@ -0,0 +1,22 @@ +module SELinux + module Cookbook + module InstallHelpers + def default_install_packages + case node['platform_family'] + when 'rhel', 'fedora', 'amazon' + %w(make policycoreutils selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console) + when 'debian' + if node['platform'] == 'ubuntu' + if node['platform_version'].to_f == 18.04 + %w(make policycoreutils selinux selinux-basics selinux-policy-default selinux-policy-dev auditd setools) + else + %w(make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools) + end + else + %w(make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools) + end + end + end + end + end +end diff --git a/cookbooks/selinux/libraries/state.rb b/cookbooks/selinux/libraries/state.rb new file mode 100644 index 0000000..56ce2fb --- /dev/null +++ b/cookbooks/selinux/libraries/state.rb @@ -0,0 +1,43 @@ +module SELinux + module Cookbook + module StateHelpers + def selinux_disabled? + selinux_state.eql?(:disabled) + end + + def selinux_enforcing? + selinux_state.eql?(:enforcing) + end + + def selinux_permissive? + selinux_state.eql?(:permissive) + end + + def state_change_reboot_required? + (selinux_disabled? && %i(enforcing permissive).include?(action)) || ((selinux_enforcing? || selinux_permissive?) && action == :disabled) + end + + def selinux_state + state = shell_out!('getenforce').stdout.strip.downcase.to_sym + raise "Got unknown SELinux state #{state}" unless %i(disabled enforcing permissive).include?(state) + + state + end + + def selinux_activate_required? + return false unless platform_family?('debian') + + !File.read('/etc/default/grub').match?('security=selinux') + end + + def default_policy_platform + case node['platform_family'] + when 'rhel', 'fedora', 'amazon' + 'targeted' + when 'debian' + 'default' + end + end + end + end +end diff --git a/cookbooks/selinux/metadata.json b/cookbooks/selinux/metadata.json new file mode 100644 index 0000000..b961589 --- /dev/null +++ b/cookbooks/selinux/metadata.json @@ -0,0 +1,43 @@ +{ + "name": "selinux", + "description": "Manages SELinux policy state and rules.", + "long_description": "", + "maintainer": "Sous Chefs", + "maintainer_email": "help@sous-chefs.org", + "license": "Apache-2.0", + "platforms": { + "redhat": ">= 0.0.0", + "centos": ">= 0.0.0", + "scientific": ">= 0.0.0", + "oracle": ">= 0.0.0", + "amazon": ">= 0.0.0", + "fedora": ">= 0.0.0", + "debian": ">= 0.0.0", + "ubuntu": ">= 0.0.0" + }, + "dependencies": { + + }, + "providing": { + + }, + "recipes": { + + }, + "version": "6.0.1", + "source_url": "https://github.com/sous-chefs/selinux", + "issues_url": "https://github.com/sous-chefs/selinux/issues", + "privacy": false, + "chef_versions": [ + [ + ">= 15.3" + ] + ], + "ohai_versions": [ + + ], + "gems": [ + + ], + "eager_load_libraries": true +} diff --git a/cookbooks/selinux/metadata.rb b/cookbooks/selinux/metadata.rb new file mode 100644 index 0000000..d6291c6 --- /dev/null +++ b/cookbooks/selinux/metadata.rb @@ -0,0 +1,13 @@ +name 'selinux' +maintainer 'Sous Chefs' +maintainer_email 'help@sous-chefs.org' +license 'Apache-2.0' +description 'Manages SELinux policy state and rules.' +version '6.0.1' +source_url 'https://github.com/sous-chefs/selinux' +issues_url 'https://github.com/sous-chefs/selinux/issues' +chef_version '>= 15.3' + +%w(redhat centos scientific oracle amazon fedora debian ubuntu).each do |os| + supports os +end diff --git a/cookbooks/selinux/recipes/disabled.rb b/cookbooks/selinux/recipes/disabled.rb new file mode 100644 index 0000000..35cedbb --- /dev/null +++ b/cookbooks/selinux/recipes/disabled.rb @@ -0,0 +1,23 @@ +# +# Cookbook:: selinux +# Recipe:: disabled +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +selinux_install 'selinux' + +selinux_state 'disabled' do + automatic_reboot true + action :disabled +end diff --git a/cookbooks/selinux/recipes/enforcing.rb b/cookbooks/selinux/recipes/enforcing.rb new file mode 100644 index 0000000..ae003d3 --- /dev/null +++ b/cookbooks/selinux/recipes/enforcing.rb @@ -0,0 +1,24 @@ + +# +# Cookbook:: selinux +# Recipe:: enforcing +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +selinux_install 'selinux' + +selinux_state 'enforcing' do + automatic_reboot true + action :enforcing +end diff --git a/cookbooks/selinux/recipes/permissive.rb b/cookbooks/selinux/recipes/permissive.rb new file mode 100644 index 0000000..3edba4a --- /dev/null +++ b/cookbooks/selinux/recipes/permissive.rb @@ -0,0 +1,23 @@ +# +# Cookbook:: selinux +# Recipe:: permissive +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +selinux_install 'selinux' + +selinux_state 'permissive' do + automatic_reboot true + action :permissive +end diff --git a/cookbooks/selinux/resources/boolean.rb b/cookbooks/selinux/resources/boolean.rb new file mode 100644 index 0000000..0ed7444 --- /dev/null +++ b/cookbooks/selinux/resources/boolean.rb @@ -0,0 +1,56 @@ +# +# Cookbook:: selinux +# Resource:: boolean +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +unified_mode true + +property :boolean, String, + name_property: true, + description: 'SELinux boolean to set' + +property :value, [Integer, String, true, false], + required: true, + equal_to: %w(on off), + coerce: proc { |p| SELinux::Cookbook::BooleanHelpers.selinux_bool(p) }, + description: 'SELinux boolean value' + +property :persistent, [true, false], + default: true, + desired_state: false, + description: 'Set to true for value setting to survive reboot' + +load_current_value do |new_resource| + value shell_out!("getsebool #{new_resource.boolean}").stdout.split('-->').map(&:strip).last +end + +action_class do + include SELinux::Cookbook::StateHelpers +end + +action :set do + if selinux_disabled? + Chef::Log.warn("Unable to set SELinux boolean #{new_resource.name} as SELinux is disabled") + return + end + + converge_if_changed do + cmd = 'setsebool' + cmd += ' -P' if new_resource.persistent + cmd += " #{new_resource.boolean} #{new_resource.value}" + + shell_out!(cmd) + end +end diff --git a/cookbooks/selinux/resources/fcontext.rb b/cookbooks/selinux/resources/fcontext.rb new file mode 100644 index 0000000..ac2b4d6 --- /dev/null +++ b/cookbooks/selinux/resources/fcontext.rb @@ -0,0 +1,132 @@ +# +# Cookbook:: selinux +# Resource:: fcontext +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +unified_mode true + +property :file_spec, String, + name_property: true, + description: 'Path to or regex matching the files or directoriesto label' + +property :secontext, String, + required: %i(add modify manage), + description: 'SELinux context to assign' + +property :file_type, String, + default: 'a', + equal_to: %w(a f d c b s l p), + description: 'The type of the file being labeled' + +action_class do + include SELinux::Cookbook::StateHelpers + + def current_file_context + file_hash = { + 'a' => 'all files', + 'f' => 'regular file', + 'd' => 'directory', + 'c' => 'character device', + 'b' => 'block device', + 's' => 'socket', + 'l' => 'symbolic link', + 'p' => 'named pipe', + } + + contexts = shell_out!('semanage fcontext -l').stdout.split("\n") + # pull out file label from user:role:type:level context string + contexts.grep(/^#{Regexp.escape(new_resource.file_spec)}\s+#{file_hash[new_resource.file_type]}/) do |c| + c.match(/.+ (?.+):(?.+):(?.+):(?.+)$/)[:type] + # match returns ['foo'] or [], shift converts that to 'foo' or nil + end.shift + end + + # Run restorecon to fix label + # https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721 + def relabel_files + spec = new_resource.file_spec + escaped = Regexp.escape spec + + # find common path between regex and string + common = if spec == escaped + spec + else + index = spec.size.times { |i| break i if spec[i] != escaped[i] } + ::File.dirname spec[0...index] + end + + # if path is not absolute, ignore it and search everything + common = '/' if common[0] != '/' + + if ::File.exist? common + shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 | xargs -0 restorecon -iRv") + end + end +end + +action :manage do + run_action(:add) + run_action(:modify) +end + +action :addormodify do + Chef::Log.warn('The :addormodify action for selinux_fcontext is deprecated and will be removed in a future release. Use the :manage action instead.') + run_action(:manage) +end + +# Create if doesn't exist, do not touch if fcontext is already registered +action :add do + if selinux_disabled? + Chef::Log.warn("Unable to add SELinux fcontext #{new_resource.name} as SELinux is disabled") + return + end + + unless current_file_context + converge_by "adding label #{new_resource.secontext} to #{new_resource.file_spec}" do + shell_out!("semanage fcontext -a -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'") + relabel_files + end + end +end + +# Only modify if fcontext exists & doesn't have the correct label already +action :modify do + if selinux_disabled? + Chef::Log.warn("Unable to modify SELinux fcontext #{new_resource.name} as SELinux is disabled") + return + end + + if current_file_context && current_file_context != new_resource.secontext + converge_by "modifying label #{new_resource.secontext} to #{new_resource.file_spec}" do + shell_out!("semanage fcontext -m -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'") + relabel_files + end + end +end + +# Delete if exists +action :delete do + if selinux_disabled? + Chef::Log.warn("Unable to delete SELinux fcontext #{new_resource.name} as SELinux is disabled") + return + end + + if current_file_context + converge_by "deleting label for #{new_resource.file_spec}" do + shell_out!("semanage fcontext -d -f #{new_resource.file_type} '#{new_resource.file_spec}'") + relabel_files + end + end +end diff --git a/cookbooks/selinux/resources/install.rb b/cookbooks/selinux/resources/install.rb new file mode 100644 index 0000000..4571b54 --- /dev/null +++ b/cookbooks/selinux/resources/install.rb @@ -0,0 +1,54 @@ +# +# Cookbook:: selinux +# Resource:: install +# +# Copyright:: 2016-2021, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +unified_mode true + +include SELinux::Cookbook::InstallHelpers + +property :packages, [String, Array], + default: lazy { default_install_packages }, + description: 'SELinux packages for system' + +action_class do + def do_package_action(action) + # friendly message for unsupported platforms + raise "The platform #{node['platform']} is not currently supported by the `selinux_install` resource. Please file an issue at https://github.com/sous-chefs/selinux/issues/new with details on the platform this cookbook is running on." if new_resource.packages.nil? + + package 'selinux' do + package_name new_resource.packages + action action + end + end +end + +action :install do + do_package_action(action) + + directory '/etc/selinux' do + owner 'root' + group 'root' + mode '0755' + action :create + end +end + +%i(upgrade remove).each do |a| + action a do + do_package_action(a) + end +end diff --git a/cookbooks/selinux/resources/module.rb b/cookbooks/selinux/resources/module.rb new file mode 100644 index 0000000..9526bd3 --- /dev/null +++ b/cookbooks/selinux/resources/module.rb @@ -0,0 +1,125 @@ +# +# Cookbook:: selinux +# Resource:: module +# +# Copyright:: 2016-2021, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +unified_mode true + +property :module_name, String, + name_property: true, + description: 'Override the module name' + +property :source, String, + description: 'Module source file name' + +property :content, String, + description: 'Module source as String' + +property :cookbook, String, + default: lazy { cookbook_name }, + description: 'Cookbook to source from module source file from' + +property :base_dir, String, + default: '/etc/selinux/local', + description: 'Directory to create module source file in' + +action_class do + def selinux_module_filepath(type) + path = ::File.join(new_resource.base_dir, "#{new_resource.module_name}") + path.concat(".#{type}") if type + end + + def list_installed_modules + shell_out!('semodule --list-modules').stdout.split("\n").map { |x| x.split(/\s/).first } + end +end + +action :create do + directory new_resource.base_dir + + if property_is_set?(:content) + file selinux_module_filepath('te') do + content new_resource.content + + mode '0600' + owner 'root' + group 'root' + + action :create + + notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately + end + else + cookbook_file selinux_module_filepath('te') do + cookbook new_resource.cookbook + source new_resource.source + + mode '0600' + owner 'root' + group 'root' + + action :create + + notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately + end + end + + execute "Compiling SELinux modules at '#{new_resource.base_dir}'" do + cwd new_resource.base_dir + command "make -C #{new_resource.base_dir} -f /usr/share/selinux/devel/Makefile" + timeout 120 + user 'root' + + action :nothing + + notifies :run, "execute[Install SELinux module '#{selinux_module_filepath('pp')}']", :immediately + end + + raise "Compilation must have failed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp')) + + execute "Install SELinux module '#{selinux_module_filepath('pp')}'" do + command "semodule --install '#{selinux_module_filepath('pp')}'" + action :nothing + end +end + +action :delete do + %w(fc if pp te).each do |type| + next unless ::File.exist?(selinux_module_filepath(type)) + + file selinux_module_filepath(type) do + action :delete + end + end +end + +action :install do + raise "Module must be compiled before it can be installed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp')) + + unless list_installed_modules.include? new_resource.module_name + converge_by "Install SELinux module #{selinux_module_filepath('pp')}" do + shell_out!("semodule --install '#{selinux_module_filepath('pp')}'") + end + end +end + +action :remove do + if list_installed_modules.include? new_resource.module_name + converge_by "Remove SELinux module #{new_resource.module_name}" do + shell_out!("semodule --remove '#{new_resource.module_name}'") + end + end +end diff --git a/cookbooks/selinux/resources/permissive.rb b/cookbooks/selinux/resources/permissive.rb new file mode 100644 index 0000000..161b02c --- /dev/null +++ b/cookbooks/selinux/resources/permissive.rb @@ -0,0 +1,46 @@ +# +# Cookbook:: selinux +# Resource:: permissive +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +unified_mode true + +property :context, String, + name_property: true, + description: 'The SELinux context to permit' + +action_class do + def current_permissives + shell_out!('semanage permissive -ln').stdout.split("\n") + end +end + +# Create if doesn't exist, do not touch if permissive is already registered (even under different type) +action :add do + unless current_permissives.include? new_resource.context + converge_by "adding permissive context #{new_resource.context}" do + shell_out!("semanage permissive -a '#{new_resource.context}'") + end + end +end + +# Delete if exists +action :delete do + if current_permissives.include? new_resource.context + converge_by "deleting permissive context #{new_resource.context}" do + shell_out!("semanage permissive -d '#{new_resource.context}'") + end + end +end diff --git a/cookbooks/selinux/resources/port.rb b/cookbooks/selinux/resources/port.rb new file mode 100644 index 0000000..b8393ca --- /dev/null +++ b/cookbooks/selinux/resources/port.rb @@ -0,0 +1,98 @@ +# +# Cookbook:: selinux +# Resource:: port +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +unified_mode true + +property :port, [Integer, String], + name_property: true, + regex: /^\d+$/, + description: 'Port to modify' + +property :protocol, String, + equal_to: %w(tcp udp), + required: %i(manage add modify), + description: 'Protocol to modify' + +property :secontext, String, + required: %i(manage add modify), + description: 'SELinux context to assign to the port' + +action_class do + include SELinux::Cookbook::StateHelpers + + def current_port_context + # use awk to see if the given port is within a reported port range + shell_out!( + <<~CMD + seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \ + awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}' + CMD + ).stdout.split + end +end + +action :manage do + run_action(:add) + run_action(:modify) +end + +action :addormodify do + Chef::Log.warn('The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.') + run_action(:manage) +end + +# Create if doesn't exist, do not touch if port is already registered (even under different type) +action :add do + if selinux_disabled? + Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled") + return + end + + if current_port_context.empty? + converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do + shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}") + end + end +end + +# Only modify port if it exists & doesn't have the correct context already +action :modify do + if selinux_disabled? + Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled") + return + end + + if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext) + converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do + shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}") + end + end +end + +# Delete if exists +action :delete do + if selinux_disabled? + Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled") + return + end + + unless current_port_context.empty? + converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do + shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}") + end + end +end diff --git a/cookbooks/selinux/resources/state.rb b/cookbooks/selinux/resources/state.rb new file mode 100644 index 0000000..0a34d7a --- /dev/null +++ b/cookbooks/selinux/resources/state.rb @@ -0,0 +1,114 @@ +# +# Cookbook:: selinux +# Resource:: state +# +# Copyright:: 2016-2021, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +unified_mode true + +include SELinux::Cookbook::StateHelpers + +default_action :nothing + +property :config_file, String, + default: '/etc/selinux/config' + +property :persistent, [true, false], + default: true, + description: 'Persist status update to the selinux configuration file' + +property :policy, String, + default: lazy { default_policy_platform }, + equal_to: %w(default minimum mls src strict targeted), + description: 'SELinux policy type' + +property :automatic_reboot, [true, false, Symbol], + default: false, + description: 'Perform an automatic node reboot if required for state change' + +deprecated_property_alias 'temporary', 'persistent', 'The temporary property was renamed persistent in the 4.0 release of this cookbook. Please update your cookbooks to use the new property name.' + +action_class do + include SELinux::Cookbook::StateHelpers + + def render_selinux_template(action) + Chef::Log.warn( + 'It is advised to set the configuration first to permissive to relabel the filesystem prior to enforcing.' + ) if selinux_disabled? && action == :enforcing + + unless new_resource.automatic_reboot + Chef::Log.warn('Changes from disabled require a reboot.') if selinux_disabled? && %i(enforcing permissive).include?(action) + Chef::Log.warn('Disabling selinux requires a reboot.') if (selinux_enforcing? || selinux_permissive?) && action == :disabled + end + + template "#{action} selinux config" do + path new_resource.config_file + source 'selinux.erb' + cookbook 'selinux' + variables( + selinux: action.to_s, + selinuxtype: new_resource.policy + ) + end + end + + def node_selinux_restart + unless new_resource.automatic_reboot + Chef::Log.warn("SELinux state change to #{action} requires a manual reboot as SELinux is currently #{selinux_state} and automatic reboots are disabled.") + return + end + + outer_action = action + reboot 'selinux_state_change' do + delay_mins 1 + reason "SELinux state change to #{outer_action} from #{selinux_state}" + + action new_resource.automatic_reboot.is_a?(Symbol) ? new_resource.automatic_reboot : :reboot_now + end + end +end + +action :enforcing do + execute 'selinux-setenforce-enforcing' do + command '/usr/sbin/setenforce 1' + end unless selinux_disabled? || selinux_enforcing? + + execute 'debian-selinux-activate' do + command '/usr/sbin/selinux-activate' + end if selinux_activate_required? + + render_selinux_template(action) if new_resource.persistent + node_selinux_restart if state_change_reboot_required? +end + +action :permissive do + execute 'selinux-setenforce-permissive' do + command '/usr/sbin/setenforce 0' + end unless selinux_disabled? || selinux_permissive? + + execute 'debian-selinux-activate' do + command '/usr/sbin/selinux-activate' + end if selinux_activate_required? + + render_selinux_template(action) if new_resource.persistent + node_selinux_restart if state_change_reboot_required? +end + +action :disabled do + raise 'A non-persistent change to the disabled SELinux status is not possible.' unless new_resource.persistent + + render_selinux_template(action) + node_selinux_restart if state_change_reboot_required? +end diff --git a/cookbooks/selinux/templates/debian/selinux.erb b/cookbooks/selinux/templates/debian/selinux.erb new file mode 100644 index 0000000..7a403b6 --- /dev/null +++ b/cookbooks/selinux/templates/debian/selinux.erb @@ -0,0 +1,18 @@ +# Generated by Chef for <%= node['fqdn'] %> +# Do NOT modify this file by hand. +# + +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=<%= @selinux %> +# SELINUXTYPE= can take one of these three values: +# default - equivalent to the old strict and targeted policies +# mls - Multi-Level Security (for military and educational use) +# src - Custom policy built from source +SELINUXTYPE=<%= @selinuxtype %> + +# SETLOCALDEFS= Check local definition changes +SETLOCALDEFS=0 diff --git a/cookbooks/selinux/templates/default/selinux.erb b/cookbooks/selinux/templates/default/selinux.erb new file mode 100644 index 0000000..e1c84d8 --- /dev/null +++ b/cookbooks/selinux/templates/default/selinux.erb @@ -0,0 +1,15 @@ +# Generated by Chef for <%= node['fqdn'] %> +# Do NOT modify this file by hand. +# + +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=<%= @selinux %> +# SELINUXTYPE= can take one of these three values: +# targeted - Targeted processes are protected, +# minimum - Modification of targeted policy. Only selected processes are protected. +# mls - Multi Level Security protection. +SELINUXTYPE=<%= @selinuxtype %>