Merge branch 'master' into feature/rskj_public_endpoint
This commit is contained in:
commit
5ac53633cd
|
@ -8,6 +8,7 @@ cookbook 'mediawiki',
|
|||
cookbook 'redis',
|
||||
git: 'https://github.com/phlipper/chef-redis.git',
|
||||
ref: 'v0.5.6'
|
||||
cookbook 'redisio', '= 5.0.0' # TODO upgrade to 6.x when we use Chef 16
|
||||
cookbook 'postfix', '= 5.0.2'
|
||||
cookbook 'php', '~> 8.0.0'
|
||||
cookbook 'composer', '~> 2.7.0'
|
||||
|
|
|
@ -48,6 +48,7 @@ DEPENDENCIES
|
|||
git: https://github.com/phlipper/chef-redis.git
|
||||
revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b
|
||||
ref: v0.5.6
|
||||
redisio (= 5.0.0)
|
||||
timezone_iii (= 1.0.4)
|
||||
ulimit (~> 1.0.0)
|
||||
users (~> 5.3.1)
|
||||
|
@ -150,6 +151,10 @@ GRAPH
|
|||
postfix (5.0.2)
|
||||
redis (0.5.6)
|
||||
apt (>= 0.0.0)
|
||||
redisio (5.0.0)
|
||||
selinux_policy (>= 2.2.0)
|
||||
ulimit (>= 0.1.2)
|
||||
selinux_policy (2.4.3)
|
||||
seven_zip (3.1.1)
|
||||
windows (>= 0.0.0)
|
||||
timezone_iii (1.0.4)
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"name": "postgres-4",
|
||||
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu6fPxOZeKloF/EgYvU0k\nOwv8bJjsCQcWaMTPle5//mRTszA6PM2z9RI+Mfr45qxTlsL9pQY8WJOWF6QOK31x\nszuqcr7oOjtAhrLI8f/oNDEDjcx325FqG9gNKQEAD7d4zodh+PhDe6x7GIyIS7lG\nIcD5Zre9iDwv8FGLR+5GLqS8SJOPL/wJkQ8w+N0f8YDFw81kiTta5NLhAx3fMDs0\n2kmoNlbmKlNZTtLjCfCV+/pa9oY6wycjck3GvobiFE/4cWaNkeGlPc+uAwlfmrOv\nHy0tq1XBX/BCvE5kMXmhnMT23JXjm2s2PgCLgEVGAXilXk/T597KDm+z4oBpAQma\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
|
||||
}
|
|
@ -31,5 +31,6 @@
|
|||
],
|
||||
"gems": [
|
||||
|
||||
]
|
||||
],
|
||||
"eager_load_libraries": true
|
||||
}
|
||||
|
|
|
@ -32,5 +32,6 @@
|
|||
],
|
||||
"gems": [
|
||||
|
||||
]
|
||||
],
|
||||
"eager_load_libraries": true
|
||||
}
|
||||
|
|
|
@ -45,5 +45,6 @@
|
|||
],
|
||||
"gems": [
|
||||
|
||||
]
|
||||
],
|
||||
"eager_load_libraries": true
|
||||
}
|
||||
|
|
|
@ -32,5 +32,6 @@
|
|||
],
|
||||
"gems": [
|
||||
|
||||
]
|
||||
],
|
||||
"eager_load_libraries": true
|
||||
}
|
||||
|
|
|
@ -0,0 +1,363 @@
|
|||
|
||||
# redisio
|
||||
|
||||
## 5.0.0 - *2021-09-08*
|
||||
|
||||
- resolved cookstyle error: attributes/default.rb:74:40 refactor: `Chef/Modernize/UseChefLanguageSystemdHelper`
|
||||
## 4.3.2 - *2021-08-30*
|
||||
|
||||
- Standardise files with files in sous-chefs/repo-management
|
||||
|
||||
## 4.3.1 - *2021-06-01*
|
||||
|
||||
- Standardise files with files in sous-chefs/repo-management
|
||||
|
||||
## 4.3.0 - *2021-05-19*
|
||||
|
||||
- Fix disable recipe service naming for systemd
|
||||
|
||||
## 4.2.0 (2020-09-14)
|
||||
|
||||
- New server option 'permissions' to override default (0644) unix permissions on config file
|
||||
|
||||
## 4.1.2 (2020-09-11)
|
||||
|
||||
- Pull the disable_os_default recipe from the default one
|
||||
|
||||
## 4.1.1 (2020-08-14)
|
||||
|
||||
- Properly perform version check when needed in redis.conf template
|
||||
|
||||
## 4.1.0 (2020-05-05)
|
||||
|
||||
- Simplify platform check logic
|
||||
- Remove the deprecated ChefSpec coverage report
|
||||
- Migrate to actions for testing
|
||||
|
||||
## 4.0.0 (2019-09-19)
|
||||
|
||||
- Enable testing in CircleCI
|
||||
- Removed build essentials cookbook dependancy
|
||||
- Minimum Chef is now 14
|
||||
- Removed tests for Debian 8
|
||||
- Added support for chef 15
|
||||
- configure recipe now sets `['redisio']['servers']` using override instead of normal in line with new chef best practices
|
||||
|
||||
## 3.0.0 (2018-11-27)
|
||||
|
||||
- This cookbook is now maintained by the Sous Chefs. If you're interested in helping with maintenance or learning more check out <https://sous-chefs.org/> Thank you Brian Bianco for the work you've done over the years on this cookbook. We'll be sure to take good care of it.
|
||||
- This cookbook now requires Chef 13 or later
|
||||
- Incompatibilities with the latest selinux_policy cookbook have been resolved by using Chef's built in selinux helpers
|
||||
- All Chefstyle warnings have been resolved
|
||||
- Contributing.md and CODE_OF_CONDUCT.md files have been added
|
||||
- The build_essential resource is now directly used so that the built in resource in Chef 14+ can be used. This increases the required build-essential cookbook to 5.0+
|
||||
- Duplicate dependencies in the Berksfile have been removed
|
||||
- The chefignore file has been updated to prevent more unnecessary files from being uploaded to the chef server
|
||||
- Data bags are now loaded with the data_bag_item helper instead of Chef::EncryptedDataBagItem.load directly
|
||||
- Testing has been updated to use Delivery Local Mode which is built into ChefDK. The legacy Rakefile, Vagrantfile, Thorfile, and Cheffile have been removed
|
||||
- Platforms in Test Kitchen configurations have been updated and dokken images are now used in dokken
|
||||
|
||||
## 2.7.2 (2018-09-30)
|
||||
|
||||
- fixes sentinal cluster init script by providing missing LSB statements ([#374])
|
||||
|
||||
## 2.7.1 (2018-03-30)
|
||||
|
||||
- fixes sentinal config where `announce-ip` was being given the value of `announce-port` improperly ([#354])
|
||||
|
||||
## 2.7.0 (2018-03-28)
|
||||
|
||||
- enables diskless replication configuration for versions `~> 2.6 || ~> 3.0` [#340](https://github.com/brianbianco/redisio/pull/340)
|
||||
- adds chef 13 compatability [#350](https://github.com/brianbianco/redisio/pull/350)
|
||||
|
||||
## 2.6.1 (2017-05-10)
|
||||
|
||||
- Restrict aof-load-truncated to redis 3+ ([#343](https://github.com/brianbianco/redisio/pull/343))
|
||||
- Fix Redis 2.4.x config ([#344](https://github.com/brianbianco/redisio/pull/344))
|
||||
|
||||
## 2.6.0 (2017-05-09)
|
||||
|
||||
- Update 'bind' config comments ([#293](https://github.com/brianbianco/redisio/pull/293))
|
||||
- Add disable_os_default recipe ([#224](https://github.com/brianbianco/redisio/pull/224))
|
||||
- Use the config's ulimits if set and is > max_clients ([#234](https://github.com/brianbianco/redisio/pull/234))
|
||||
- Add Travis config ([#299](https://github.com/brianbianco/redisio/pull/299))
|
||||
- Fix test failures (FoodCritic and Rubocop) ([#298](https://github.com/brianbianco/redisio/pull/298))
|
||||
- Fix TravisCI builds ([#300](https://github.com/brianbianco/redisio/pull/300))
|
||||
- Add repl-backlog-size, repl-backlog-ttl, and aof-load-truncated options ([#278](https://github.com/brianbianco/redisio/pull/278))
|
||||
- Add sentinel_bind to bind sentinel to different IPs ([#306](https://github.com/brianbianco/redisio/pull/306))
|
||||
- Cleanup deprecation warnings ([#301](https://github.com/brianbianco/redisio/pull/301))
|
||||
- Fix version detection with epoch version numbers from deb/ubuntu ([#294](https://github.com/brianbianco/redisio/pull/294))
|
||||
- Restrict VM redis config to <= 2.4 ([#322](https://github.com/brianbianco/redisio/pull/322))
|
||||
- Rename_commands should be checked for nil before empty ([#311](https://github.com/brianbianco/redisio/pull/311))
|
||||
- Fixup foodcritic, rubocop, and kitchen testing ([#324](https://github.com/brianbianco/redisio/pull/324))
|
||||
- Note: this drops support for Chef < 11
|
||||
- Add min-slaves redis options ([#313](https://github.com/brianbianco/redisio/pull/313))
|
||||
- Allow /etc/init start after sigterm from system or user ([#310](https://github.com/brianbianco/redisio/pull/310))
|
||||
- Check user existence with Etc, not ohai node attributes ([#303](https://github.com/brianbianco/redisio/pull/303))
|
||||
- Various systemd-related improvements ([#302](https://github.com/brianbianco/redisio/pull/302))
|
||||
- Update serverspec testing with correct OS's for systemd ([#329](https://github.com/brianbianco/redisio/pull/329))
|
||||
- Add kitchen-dokken testing to Travis ([#330](https://github.com/brianbianco/redisio/pull/330))
|
||||
- Add fedora-25 to kitchen testing and clean up kitchen config ([#331](https://github.com/brianbianco/redisio/pull/331))
|
||||
- Fix systemd paths for sentinel service ([#332](https://github.com/brianbianco/redisio/pull/332))
|
||||
- Add redis-package and sentinel to Travis kitchen verify ([#334](https://github.com/brianbianco/redisio/pull/334))
|
||||
- Add breadcrumb-file creation condition as attribute ([#268](https://github.com/brianbianco/redisio/pull/268))
|
||||
- Fix cluster options in README ([#333](https://github.com/brianbianco/redisio/pull/333))
|
||||
- Fix systemd loader to use descriptors instead of max_clients+32 ([#338](https://github.com/brianbianco/redisio/pull/338))
|
||||
- Add SELinux support ([#305](https://github.com/brianbianco/redisio/pull/305))
|
||||
- Make source of redis.conf template configurable ([#341](https://github.com/brianbianco/redisio/pull/341))
|
||||
- Support sentinel notification-script and client-reconfig-script ([#342](https://github.com/brianbianco/redisio/pull/342))
|
||||
|
||||
## 2.5.0 (2016-09-15)
|
||||
|
||||
- Ubuntu 14 added as tested platform. (#264)
|
||||
- FreeBSD-10.3 support added. (#279)
|
||||
- installation from source is not supported
|
||||
- setting ulimits is not supported
|
||||
- Encrypted databag support added. (#228)
|
||||
- Systemd nofile limit fixed. (#228)
|
||||
- Announce-ip and announce-port directives for sentinel added. (#228)
|
||||
- Disabling safe_install in the install recipe allowed. (#284)
|
||||
- Protected-mode added as optional (#275, #289)
|
||||
- Fixes nil exception when installing sentinel on non-debian and non-rhel platforms (#288)
|
||||
|
||||
## 2.4.2 (2016-04-08)
|
||||
|
||||
- Created a 2.4.1 tag but somehow the metadata file wasn't updated. Instead
|
||||
of deleting a pushed tag, creating a new tag and updating metdatafile. Aside
|
||||
from the version number, this is an identical release to 2.4.1
|
||||
|
||||
## 2.4.1
|
||||
|
||||
- Increases default clusternodetimeout value from 5 to 5000
|
||||
- Allows you to set version for package based install
|
||||
- Sets UID of redis data directory if it is present
|
||||
- Install resource should now only notify when an installation actually occurs
|
||||
- Adds config options
|
||||
- tcpbacklog
|
||||
- rdbcompression
|
||||
- rdbchecksum
|
||||
- dbfilename
|
||||
- slavereadyonly
|
||||
- repldisabletcpnodelay
|
||||
- slavepriority
|
||||
- listmaxziplistentries
|
||||
- listmaxziplistvalue
|
||||
- hllsparsemaxbytes
|
||||
- Add CentOS 7 support with systemd configs
|
||||
- Fixes bug in ulimit resource guard
|
||||
- Fixes bug in sentinel required parameters sanity check
|
||||
- Adds --no-same-owner to untar command during install to fix NFS related issues
|
||||
- Adds support for rename_commands config option
|
||||
- Adds option to stop chef from managing sentinel configs after writing once
|
||||
- Adds config option rename_commands
|
||||
- Allow instance 'save' to be string or array
|
||||
- Adds sources_url and issues_url with guards to be Chef 12 compatible
|
||||
- Bumps Redis source version to 2.8.20
|
||||
- Fixes cluster settings with wrong attribute names
|
||||
- Monitor multiple masters with sentinel
|
||||
- Add support in sentinel resource for an array of masters to monitor, with backwards compatibility for the older attributes, fixes #73. Replaces #87.
|
||||
- Introduce a test-kitchen test for sentinel watching multiple masters.
|
||||
- Incidentally, fixes #193 as well, since it adds a master name attribute for each master.
|
||||
- Fixes path for pidfile in sentinel init script
|
||||
- Additional error checking and backwards compatibility for sentinel attribute keys
|
||||
|
||||
## 2.3.0 (2015-04-08)
|
||||
|
||||
- Add support for installing by distribution package for CentOS (#180)
|
||||
- Add conditionals to check for redis 3 that was released recently (#183)
|
||||
- Prevent `usermod: user redis is currently logged in` (#176)
|
||||
- Use correct sentinel port in default sentinel instance (#157)
|
||||
- Sentinel instances attribute (`node['redisio']['sentinels']`) should behave like Redis instances attribute (#160)
|
||||
- Add Rakefile and unit tests for verifying issues fixed are actually resolved (#158)
|
||||
- Fix serverspec tests to properly use sysv-init scripts on systemd distributions (#185)
|
||||
- Update documentation to reflect correct current redis version used for source installs (#151)
|
||||
- Update documentation to indicate that ulimit and build-essential are both dependencies (#165)
|
||||
- Update documentation to reflect that uninstall recipe is no longer available
|
||||
- Update documentation to reflect correct mirror in README.md, change was from 2.1.0 (#175)
|
||||
- Update documentation to reflect that cookbook uses `node['redisio']`, not `node['redis']` (#174)
|
||||
- Markdown formatting improvements in the README.md (#168, #172)
|
||||
|
||||
## 2.2.4 (2014-10-04)
|
||||
|
||||
- Updates installed version of redis to the latest stable (2.8.17)
|
||||
- Fixes backwards compatability bug with older version of redis (namely 2.6.x series) related to keyspaces
|
||||
|
||||
## 2.2.3 (2014-08-25)
|
||||
|
||||
- Bug Fix: Repackages the chef supermarket releaes with gnutar instead of BSD tar
|
||||
|
||||
## 2.2.2 (2014-08-22)
|
||||
|
||||
- Please refer to changelog for 2.0.0.
|
||||
- If moving from 1.7.x this release has many breaking changes. You will likely need to update your wrapper cookbook or role.
|
||||
- Added test-kitchen and serverspec coverage for both redis and redis_sentinel
|
||||
- Added cookbook testing information to readme
|
||||
- Bug fix for a fix that was introduced to resolve foodcritic rule fc002
|
||||
- Fix init script to use su instead of sudo for ubuntu debian fedora
|
||||
- Fix sentinel_enable recipe to properly run if using default attributes
|
||||
- Save property for redis config now is defined by using an array
|
||||
- Small changes to default configuration options to bring in line with redis defaults.
|
||||
- Added options for the following
|
||||
- tcp-keepalive
|
||||
|
||||
## 2.2.1
|
||||
|
||||
- Allow sentinel to control both redis and redis-sentinel configs depending on attribute `redisio.sentinel.manage_config` state.
|
||||
|
||||
## 2.2.0
|
||||
|
||||
- Adds behavior to allow the cookbook to NOT manage the redis config files as redis itself will write to them now if you are using sentinel
|
||||
|
||||
## 2.1.0
|
||||
|
||||
- Adds options for the following
|
||||
- lua-time-limit
|
||||
- slowlog-logs-slower-than
|
||||
- slowlog-max-len
|
||||
- notify-keyspace-events
|
||||
- client-output-buffer-limit
|
||||
- hz
|
||||
- aof-rewrite-incremental-fsync
|
||||
- Removes the uninstall recipe and resource.
|
||||
- Adds the ability to skip the default recipe calling install and configure by setting redisio bypass_setup attribute to true
|
||||
- Adds support for redis sentinel [Thanks to rcleere, Ryan Walker]
|
||||
- Splits up the install resource into separate install and configure resources [Thanks to rcleere]
|
||||
- By default now calls _install_prereqs, install, and configure in the default recipe.
|
||||
- Changes default version of redis to install to 2.8.5
|
||||
- Now depends on the build-essential cookbook.
|
||||
- Fixes issue #76 - Default settings save as empty string breaks install
|
||||
- Switches mirror server from googlefiles to redis.io. If you are using version of redis before 2.6.16 you will need to override the mirror server attribute
|
||||
to use the old site with archived versions.
|
||||
- Adds a Vagrant file!
|
||||
- maxmemory will be rounded when calculated as a percentage
|
||||
- Add stop-writes-on-bgsave-error config option
|
||||
- Changes default log level from verbose to notice
|
||||
- Adds configuration options for ziplists and active rehashing
|
||||
- Adds support for passing the address attribute as an array. This is to support the redis 2.8 series which allows binding to multiple addresses
|
||||
- Fixes a bug where multiple redis instances were using the same swapfile (only for version of redis 2.4 and below)
|
||||
- Changes the job_control per instance attribute to a global one.
|
||||
- Adds a status command to the init.d script, uses this in the initd based service for checking status
|
||||
|
||||
## 2.0.0
|
||||
|
||||
! THIS RELEASE HAS MANY BREAKING CHANGES !
|
||||
! Your old role file will most likely not work !
|
||||
|
||||
- Supports redis 2.8 and its use of the empty string for stdout in the logfile option
|
||||
- Allows the user to specify required_start and required_start when using the init scripts
|
||||
- Warns a user if they have syslogenabled set to yes and also have logfile set
|
||||
|
||||
## 1.7.1 (2014-02-10)
|
||||
|
||||
- Bumps default version of redis to 2.6.17
|
||||
- Changes the redis download mirror to redis.io
|
||||
- Fixes #76 - Default settings save as empty string breaks install. [Thanks to astlock]
|
||||
- Fixes bug with nil file resource for logfile. [Thanks to chrismoos]
|
||||
|
||||
## 1.7.0 (2013-07-25)
|
||||
|
||||
- Adds support for address attribute as an array or string. This is to support the feature that will be introduced in redis 2.8
|
||||
|
||||
## 1.6.0 (2013-06-27)
|
||||
|
||||
- Fixes a bug when using a percentage for max memory. [Thanks to organicveggie]
|
||||
- Allows installation of redis into custom directory. [Thanks to organicveggie, rcleere]
|
||||
- Bumps the default installed version of redis to the new stable, 2.6.14
|
||||
|
||||
## 1.5.0 (2013-03-30)
|
||||
|
||||
- Forces maxmemory to a string inside of install provider so it will not explode if you pass in an int. [Thanks to sprack]
|
||||
- Strips leading directory from downloaded tarball, and extracts into a newly created directory. This allows more versatility for where the package can be installed from (Github / BitBucket) [Thanks to dim]
|
||||
- Adds options for Redis Cluster [Thanks to jrallison]
|
||||
- Adds a call to ulimit into the init script, it was not honoring the limits set by the ulimit cookbook for some users. [Thanks to mike-yesware]
|
||||
|
||||
## 1.4.1 (2013-02-27)
|
||||
|
||||
- Removes left over debugging statement
|
||||
|
||||
## 1.4.0 (2013-02-27)
|
||||
|
||||
- ACTUALLY fixes the use of upstart and redis. Redis no longer daemonizes itself when using job_control type upstart and allows upstart to handle this
|
||||
- Adds dependency on the ulimit cookbook and allows you to set the ulimits for the redis instance users.
|
||||
- Adds associated node attribute for the ulimit. It defaults to the special value 0, which causes the cookbook to use maxclients + 32. 32 is the number of file descriptors redis needs itself
|
||||
- You can disable the use of the ulimits by setting the node attribute for it to "false" or "nil"
|
||||
- Comments out the start on by default in the upstart script. This will get uncommented by the upstart provider when the :enable action is called on it
|
||||
|
||||
## 1.3.2 (2013-02-26)
|
||||
|
||||
- Changes calls to Chef::ShellOut to Mixlib::ShellOut
|
||||
|
||||
## 1.3.1 (2013-02-26)
|
||||
|
||||
- Fixes bug in upstart script to create pid directory if it does not exist
|
||||
|
||||
## 1.3.0 (2013-02-20)
|
||||
|
||||
- Adds upstart support. This was a much requested feature.
|
||||
- Fixes bug in uninstall resource that would have prevented it from uninstalling named servers.
|
||||
- Reworks the init script to take into account the IP redis is listening on, and if it is listening on a socket.
|
||||
- Adds an attribute called "shutdown_save" which will explicitly call save on redis shutdown
|
||||
- Updates the README.md with a shorter and hopefully equally as useful usage section
|
||||
- maxmemory attribute now allows the use of percentages. You must include a % sign after the value.
|
||||
- Bumps default version of redis to install to the current stable, 2.6.10
|
||||
|
||||
## 1.2.0 (2013-02-06)
|
||||
|
||||
- Fixes bug related to where the template source resides when using the LWRP outside of the redisio cookbook
|
||||
- Fixes bug where the version method was not properly parsing version strings in redis 2.6.x, as the version string from redis-server -v changed
|
||||
- Fixes bug in default attributes for fedora default redis data directory
|
||||
- Now uses chefs service resource for each redis instance instead of using a custom redisio_service resource. This cleans up many issues, including a lack of updated_by_last_action
|
||||
- The use of the redisio_service resource is deprecated. Use the redis port_number instead.
|
||||
- The default version of redis has been bumped to the current stable, which is 2.6.9
|
||||
- Adds metadata.json to the gitignore file so that the cookbook can be submoduled.
|
||||
- Adds the ability to handle non standard bind address in the init scripts stop command
|
||||
- Adds attributes to allow redis to listen on a socket
|
||||
- Adds an attribute to allow redis service accounts to be created as system users, defaults this to true
|
||||
- Adds a per server "name" attribute that allows a server to use that instead of the port for its configuration files, service resource, and init script.
|
||||
- Shifts the responsbility for handling the case of default redis instances into the install recipe due to the behavior of arrays and deep merge
|
||||
|
||||
## 1.1.0 (2012-08-21)
|
||||
|
||||
! Warning breaking change !: The redis pidfile directory by default has changed, if you do not STOP redis before upgrading to the new version
|
||||
of this cookbook, it will not be able to stop your instance properly via the redis service provider, or the init script.
|
||||
If this happens to you, you can always log into the server and manually send a SIGTERM to redis
|
||||
|
||||
- Changed the init script to run redis as the specified redis user
|
||||
- Updated the default version of redis to 2.4.16
|
||||
- Setup a new directory structure for redis pid files. The install provider will now nest its pid directories in base_piddir/port number/redis_port.pid.
|
||||
- Added a RedisioHelper module in libraries. The recipe_eval method inside is used to wrap nested resources to allow for the proper resource update propigation. The install provider uses this.
|
||||
- The init script now properly respects the configdir attribute
|
||||
- Changed the redis data directories to be 775 instead of 755 (this allows multiple instances with different owners to write their data to the same shared dir so long as they are in a common group)
|
||||
- Changed default for maxclients to be 10000 instead of 0. This is to account for the fact that maxclients no longer supports 0 as 'unlimited' in the 2.6 series
|
||||
- Added logic to replace hash-max-ziplist-entries, hash-max-ziplist-value with hash-max-zipmap-entires, hash-max-zipmap-value when using 2.6 series
|
||||
- Added the ability to log to any file, not just syslog. Please do make sure after you set your file with the logfile attribute you also set syslogenabled to 'no'
|
||||
|
||||
## 1.0.3 (2012-05-02)
|
||||
|
||||
- Added changelog.md
|
||||
- Added a bunch more configuration options that were left out (default values left as they were before):
|
||||
- databases
|
||||
- slaveservestaledata
|
||||
- replpingslaveperiod
|
||||
- repltimeout
|
||||
- maxmemorysamples
|
||||
- noappendfsynconwrite
|
||||
- aofrewritepercentage
|
||||
- aofrewriteminsize
|
||||
|
||||
It is worth nothing that since there is a configurable option for conf include files, and the fact that redis uses the most recently read configuration option... even if a new option where to show up, or and old one was not included they could be added using that pattern.
|
||||
|
||||
## 1.0.2 (2012-04-25)
|
||||
|
||||
- Merged in pull request from meskyanichi which improved the README.md and added a .gitignore
|
||||
- Added a "safe_install" node attribute which will prevent redis from installing anything if it exists already. Defaults to true.
|
||||
- Addedd a "redis_gem" recipe which will install the redis gem from ruby gems, added associated attributes. See README for me
|
||||
|
||||
## 1.0.1 (2012-04-08)
|
||||
|
||||
- Added some prequisite checks for RHEL based distributions
|
||||
- Minor typos and formatting fixes in metadata.rb and README.md
|
||||
|
||||
## 1.0.0 (2012-04-08)
|
||||
|
||||
Initial Release
|
|
@ -0,0 +1,201 @@
|
|||
Apache License
|
||||
Version 2.0, January 2004
|
||||
http://www.apache.org/licenses/
|
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||
|
||||
1. Definitions.
|
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction,
|
||||
and distribution as defined by Sections 1 through 9 of this document.
|
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by
|
||||
the copyright owner that is granting the License.
|
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all
|
||||
other entities that control, are controlled by, or are under common
|
||||
control with that entity. For the purposes of this definition,
|
||||
"control" means (i) the power, direct or indirect, to cause the
|
||||
direction or management of such entity, whether by contract or
|
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity
|
||||
exercising permissions granted by this License.
|
||||
|
||||
"Source" form shall mean the preferred form for making modifications,
|
||||
including but not limited to software source code, documentation
|
||||
source, and configuration files.
|
||||
|
||||
"Object" form shall mean any form resulting from mechanical
|
||||
transformation or translation of a Source form, including but
|
||||
not limited to compiled object code, generated documentation,
|
||||
and conversions to other media types.
|
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or
|
||||
Object form, made available under the License, as indicated by a
|
||||
copyright notice that is included in or attached to the work
|
||||
(an example is provided in the Appendix below).
|
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object
|
||||
form, that is based on (or derived from) the Work and for which the
|
||||
editorial revisions, annotations, elaborations, or other modifications
|
||||
represent, as a whole, an original work of authorship. For the purposes
|
||||
of this License, Derivative Works shall not include works that remain
|
||||
separable from, or merely link (or bind by name) to the interfaces of,
|
||||
the Work and Derivative Works thereof.
|
||||
|
||||
"Contribution" shall mean any work of authorship, including
|
||||
the original version of the Work and any modifications or additions
|
||||
to that Work or Derivative Works thereof, that is intentionally
|
||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||
or by an individual or Legal Entity authorized to submit on behalf of
|
||||
the copyright owner. For the purposes of this definition, "submitted"
|
||||
means any form of electronic, verbal, or written communication sent
|
||||
to the Licensor or its representatives, including but not limited to
|
||||
communication on electronic mailing lists, source code control systems,
|
||||
and issue tracking systems that are managed by, or on behalf of, the
|
||||
Licensor for the purpose of discussing and improving the Work, but
|
||||
excluding communication that is conspicuously marked or otherwise
|
||||
designated in writing by the copyright owner as "Not a Contribution."
|
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||
on behalf of whom a Contribution has been received by Licensor and
|
||||
subsequently incorporated within the Work.
|
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
copyright license to reproduce, prepare Derivative Works of,
|
||||
publicly display, publicly perform, sublicense, and distribute the
|
||||
Work and such Derivative Works in Source or Object form.
|
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
(except as stated in this section) patent license to make, have made,
|
||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||
where such license applies only to those patent claims licensable
|
||||
by such Contributor that are necessarily infringed by their
|
||||
Contribution(s) alone or by combination of their Contribution(s)
|
||||
with the Work to which such Contribution(s) was submitted. If You
|
||||
institute patent litigation against any entity (including a
|
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||
or a Contribution incorporated within the Work constitutes direct
|
||||
or contributory patent infringement, then any patent licenses
|
||||
granted to You under this License for that Work shall terminate
|
||||
as of the date such litigation is filed.
|
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the
|
||||
Work or Derivative Works thereof in any medium, with or without
|
||||
modifications, and in Source or Object form, provided that You
|
||||
meet the following conditions:
|
||||
|
||||
(a) You must give any other recipients of the Work or
|
||||
Derivative Works a copy of this License; and
|
||||
|
||||
(b) You must cause any modified files to carry prominent notices
|
||||
stating that You changed the files; and
|
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works
|
||||
that You distribute, all copyright, patent, trademark, and
|
||||
attribution notices from the Source form of the Work,
|
||||
excluding those notices that do not pertain to any part of
|
||||
the Derivative Works; and
|
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its
|
||||
distribution, then any Derivative Works that You distribute must
|
||||
include a readable copy of the attribution notices contained
|
||||
within such NOTICE file, excluding those notices that do not
|
||||
pertain to any part of the Derivative Works, in at least one
|
||||
of the following places: within a NOTICE text file distributed
|
||||
as part of the Derivative Works; within the Source form or
|
||||
documentation, if provided along with the Derivative Works; or,
|
||||
within a display generated by the Derivative Works, if and
|
||||
wherever such third-party notices normally appear. The contents
|
||||
of the NOTICE file are for informational purposes only and
|
||||
do not modify the License. You may add Your own attribution
|
||||
notices within Derivative Works that You distribute, alongside
|
||||
or as an addendum to the NOTICE text from the Work, provided
|
||||
that such additional attribution notices cannot be construed
|
||||
as modifying the License.
|
||||
|
||||
You may add Your own copyright statement to Your modifications and
|
||||
may provide additional or different license terms and conditions
|
||||
for use, reproduction, or distribution of Your modifications, or
|
||||
for any such Derivative Works as a whole, provided Your use,
|
||||
reproduction, and distribution of the Work otherwise complies with
|
||||
the conditions stated in this License.
|
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||
any Contribution intentionally submitted for inclusion in the Work
|
||||
by You to the Licensor shall be under the terms and conditions of
|
||||
this License, without any additional terms or conditions.
|
||||
Notwithstanding the above, nothing herein shall supersede or modify
|
||||
the terms of any separate license agreement you may have executed
|
||||
with Licensor regarding such Contributions.
|
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade
|
||||
names, trademarks, service marks, or product names of the Licensor,
|
||||
except as required for reasonable and customary use in describing the
|
||||
origin of the Work and reproducing the content of the NOTICE file.
|
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||
agreed to in writing, Licensor provides the Work (and each
|
||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
implied, including, without limitation, any warranties or conditions
|
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||
appropriateness of using or redistributing the Work and assume any
|
||||
risks associated with Your exercise of permissions under this License.
|
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory,
|
||||
whether in tort (including negligence), contract, or otherwise,
|
||||
unless required by applicable law (such as deliberate and grossly
|
||||
negligent acts) or agreed to in writing, shall any Contributor be
|
||||
liable to You for damages, including any direct, indirect, special,
|
||||
incidental, or consequential damages of any character arising as a
|
||||
result of this License or out of the use or inability to use the
|
||||
Work (including but not limited to damages for loss of goodwill,
|
||||
work stoppage, computer failure or malfunction, or any and all
|
||||
other commercial damages or losses), even if such Contributor
|
||||
has been advised of the possibility of such damages.
|
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing
|
||||
the Work or Derivative Works thereof, You may choose to offer,
|
||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||
or other liability obligations and/or rights consistent with this
|
||||
License. However, in accepting such obligations, You may act only
|
||||
on Your own behalf and on Your sole responsibility, not on behalf
|
||||
of any other Contributor, and only if You agree to indemnify,
|
||||
defend, and hold each Contributor harmless for any liability
|
||||
incurred by, or claims asserted against, such Contributor by reason
|
||||
of your accepting any such warranty or additional liability.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
APPENDIX: How to apply the Apache License to your work.
|
||||
|
||||
To apply the Apache License to your work, attach the following
|
||||
boilerplate notice, with the fields enclosed by brackets "{}"
|
||||
replaced with your own identifying information. (Don't include
|
||||
the brackets!) The text should be enclosed in the appropriate
|
||||
comment syntax for the file format. We also recommend that a
|
||||
file or class name and description of purpose be included on the
|
||||
same "printed page" as the copyright notice for easier
|
||||
identification within third-party archives.
|
||||
|
||||
Copyright {yyyy} {name of copyright owner}
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
|
@ -0,0 +1,512 @@
|
|||
# Redisio Cookbook
|
||||
|
||||
[![Cookbook Version](https://img.shields.io/cookbook/v/redisio.svg)](https://supermarket.chef.io/cookbooks/redisio)
|
||||
[![Build Status](https://img.shields.io/circleci/project/github/sous-chefs/redisio/master.svg)](https://circleci.com/gh/sous-chefs/redisio)
|
||||
[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
|
||||
[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
|
||||
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
|
||||
|
||||
Please read the changelog when upgrading from the 1.x series to the 2.x series
|
||||
|
||||
## Description
|
||||
|
||||
Website:: [https://github.com/sous-chefs/redisio](https://github.com/sous-chefs/redisio)
|
||||
|
||||
Installs and configures Redis server instances
|
||||
|
||||
## Maintainers
|
||||
|
||||
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).
|
||||
|
||||
## Requirements
|
||||
|
||||
This cookbook builds redis from source or install it from packages, so it should work on any architecture for the supported distributions. Init scripts are installed into /etc/init.d/
|
||||
|
||||
It depends on the ulimit cookbook: [https://github.com/bmhatfield/chef-ulimit](https://github.com/bmhatfield/chef-ulimit) and the build-essentials cookbook: [https://github.com/chef-cookbooks/build-essential](https://github.com/opscode-cookbooks/build-essential)
|
||||
|
||||
### Platforms
|
||||
|
||||
* Debian, Ubuntu
|
||||
* CentOS, Red Hat, Fedora, Scientific Linux
|
||||
* FreeBSD
|
||||
|
||||
### Testing
|
||||
|
||||
This cookbook is tested with Delivery's local mode run under Chef-DK and Test Kitchen
|
||||
|
||||
* delivery local all
|
||||
* kitchen test
|
||||
|
||||
Tested on:
|
||||
|
||||
* Centos 6
|
||||
* Centos 7
|
||||
* Debian 8
|
||||
* Fedora 28
|
||||
* Ubuntu 16.04
|
||||
|
||||
## Usage
|
||||
|
||||
The redisio cookbook contains LWRP for installing, configuring and managing redis and redis_sentinel.
|
||||
|
||||
The install recipe can build, compile and install redis from sources or install from packages. The configure recipe will configure redis and setup service resources. These resources will be named for the port of the redis server, unless a "name" attribute was specified. Example names would be: service["redis6379"] or service["redismaster"] if the name attribute was "master".
|
||||
_NOTE: currently installation from source is not supported for FreeBSD_
|
||||
|
||||
The most common use case for the redisio cookbook is to use the default recipe, followed by the enable recipe.
|
||||
|
||||
Another common use case is to use the default, and then call the service resources created by it from another cookbook.
|
||||
|
||||
It is important to note that changing the configuration options of redis does not make them take effect on the next chef run. Due to how redis works, you cannot reload a configuration without restarting the redis service. Redis does not offer a reload option, in order to have new options be used redis must be stopped and started.
|
||||
|
||||
You should make sure to set the ulimit for the user you want to run redis as to be higher than the max connections you allow.
|
||||
_NOTE: setting ulimit is not supported on FreeBSD since the ulimit cookbook doesn't support FreeBSD_
|
||||
|
||||
The disable recipe just stops redis and removes it from run levels.
|
||||
|
||||
The cookbook also contains a recipe to allow for the installation of the redis ruby gem.
|
||||
|
||||
Redis-sentinel will write configuration and state data back into its configuration file. This creates obvious problems when that config is managed by chef. By default, this cookbook will create the config file once, and then leave a breadcrumb that will guard against the file from being updated again.
|
||||
|
||||
### Recipes
|
||||
|
||||
* configure - This recipe is used to configure redis.
|
||||
* default - This is used to install the pre-requisites for building redis, and to make the LWRPs available
|
||||
* disable - This recipe can be used to disable the redis service and remove it from runlevels
|
||||
* enable - This recipe can be used to enable the redis services and add it to runlevels
|
||||
* install - This recipe is used to install redis.
|
||||
* redis_gem - This recipe can be used to install the redis ruby gem
|
||||
* sentinel - This recipe can be used to install and configure sentinel
|
||||
* sentinel_enable - This recipe can be used to enable the sentinel service(s)
|
||||
* disable_os_default - This recipe can be used to disable the default OS redis init script
|
||||
|
||||
### Role File Examples
|
||||
|
||||
#### Install redis and setup an instance with default settings on default port, and start the service through a role file
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio]
|
||||
recipe[redisio::enable]
|
||||
]
|
||||
|
||||
default_attributes({})
|
||||
```
|
||||
|
||||
##### Install redis with packages and setup an instance with default settings on default port, and start the service through a role file
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio]
|
||||
recipe[redisio::enable]
|
||||
]
|
||||
|
||||
default_attributes({
|
||||
'redisio' => {
|
||||
package_install: true
|
||||
version:
|
||||
}
|
||||
})
|
||||
```
|
||||
|
||||
##### Install redis, give the instance a name, and use a unix socket
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio]
|
||||
recipe[redisio::enable]
|
||||
]
|
||||
|
||||
default_attributes({
|
||||
'redisio' => {
|
||||
'servers' => [
|
||||
{'name' => 'master', 'port' => '6379', 'unixsocket' => '/tmp/redis.sock', 'unixsocketperm' => '755'},
|
||||
]
|
||||
}
|
||||
})
|
||||
```
|
||||
|
||||
##### Install redis and pull the password from an encrypted data bag
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio]
|
||||
recipe[redisio::enable]
|
||||
]
|
||||
|
||||
default_attributes({
|
||||
'redisio' => {
|
||||
'servers' => [
|
||||
{'data_bag_name' => 'redis', 'data_bag_item' => 'auth', 'data_bag_key' => 'password'},
|
||||
]
|
||||
}
|
||||
})
|
||||
```
|
||||
|
||||
###### Data Bag
|
||||
|
||||
```ruby
|
||||
{
|
||||
"id": "auth",
|
||||
"password": "abcdefghijklmnopqrstuvwxyz"
|
||||
}
|
||||
```
|
||||
|
||||
##### Install redis and setup two instances on the same server, on different ports, with one slaved to the other through a role file
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio]
|
||||
recipe[redisio::enable]
|
||||
]
|
||||
|
||||
default_attributes({
|
||||
'redisio' => {
|
||||
'servers' => [
|
||||
{'port' => '6379'},
|
||||
{'port' => '6380', 'slaveof' => { 'address' => '127.0.0.1', 'port' => '6379' }}
|
||||
]
|
||||
}
|
||||
})
|
||||
```
|
||||
|
||||
##### Install redis and setup two instances, on the same server, on different ports, with the default data directory changed to /mnt/redis, and the second instance named
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio]
|
||||
recipe[redisio::enable]
|
||||
]
|
||||
|
||||
default_attributes({
|
||||
'redisio' => {
|
||||
'default_settings' => {'datadir' => '/mnt/redis'},
|
||||
'servers' => [{'port' => '6379'}, {'port' => '6380', 'name' => "MyInstance"}]
|
||||
}
|
||||
})
|
||||
```
|
||||
|
||||
##### Install redis and setup three instances on the same server, changing the default data directory to /mnt/redis, each instance will use a different backup type, and one instance will use a different data dir
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio]
|
||||
recipe[redisio::enable]
|
||||
]
|
||||
|
||||
default_attributes({
|
||||
'redisio' => {
|
||||
'default_settings' => { 'datadir' => '/mnt/redis/'},
|
||||
'servers' => [
|
||||
{'port' => '6379','backuptype' => 'aof'},
|
||||
{'port' => '6380','backuptype' => 'both'},
|
||||
{'port' => '6381','backuptype' => 'rdb', 'datadir' => '/mnt/redis6381'}
|
||||
]
|
||||
}
|
||||
})
|
||||
```
|
||||
|
||||
##### Install redis 2.4.11 (lower than the default version) and turn safe install off, for the event where redis is already installed This will use the default settings. Keep in mind the redis version will not actually be updated until you restart the service (either through the LWRP or manually)
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio]
|
||||
recipe[redisio::enable]
|
||||
]
|
||||
|
||||
default_attributes({
|
||||
'redisio' => {
|
||||
'safe_install' => false,
|
||||
'version' => '2.4.11'
|
||||
}
|
||||
})
|
||||
```
|
||||
|
||||
##### Install a single redis-sentinel to listen for a master on localhost and default port number
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio::sentinel]
|
||||
recipe[redisio::sentinel_enable]
|
||||
]
|
||||
```
|
||||
|
||||
#### Install redis and setup two instances, on the same server, on different ports, the second instance configuration file will be overwriten by chef
|
||||
|
||||
```ruby
|
||||
run_list *%w[
|
||||
recipe[redisio]
|
||||
recipe[redisio::enable]
|
||||
]
|
||||
|
||||
default_attributes({
|
||||
'redisio' => {
|
||||
'servers' => [{'port' => '6379'}, {'port' => '6380', 'breadcrumb' => false}]
|
||||
}
|
||||
})
|
||||
```
|
||||
|
||||
## LWRP Examples
|
||||
|
||||
Instead of using my provided recipes, you can simply depend on the redisio cookbook in your metadata and use the LWRP's yourself. I will show a few examples of ways to use the LWRPS, detailed breakdown of options are below
|
||||
in the resources/providers section
|
||||
|
||||
### Install Resource
|
||||
|
||||
It is important to note that this call has certain expectations for example, it expects the redis package to be in the format `redis-VERSION.tar.gz'.
|
||||
|
||||
```ruby
|
||||
redisio_install "redis-installation" do
|
||||
version '2.6.9'
|
||||
download_url 'http://redis.googlecode.com/files/redis-2.6.9.tar.gz'
|
||||
safe_install false
|
||||
install_dir '/usr/local/'
|
||||
end
|
||||
```
|
||||
|
||||
### Configure Resource
|
||||
|
||||
The servers resource expects an array of hashes where each hash is required to contain at a key-value pair of 'port' => 'port numbers'.
|
||||
|
||||
```ruby
|
||||
redisio_configure "redis-servers" do
|
||||
version '2.6.9'
|
||||
default_settings node['redisio']['default_settings']
|
||||
servers node['redisio']['servers']
|
||||
base_piddir node['redisio']['base_piddir']
|
||||
end
|
||||
```
|
||||
|
||||
### Sentinel Resource
|
||||
|
||||
The sentinel resource installs and configures all of your redis_sentinels defined in sentinel_instances
|
||||
|
||||
Using the sentinel resources:
|
||||
|
||||
```ruby
|
||||
redisio_sentinel "redis-sentinels" do
|
||||
version '2.6.9'
|
||||
sentinel_defaults node['redisio']['sentinel_defaults']
|
||||
sentinels sentinel_instances
|
||||
base_piddir node['redisio']['base_piddir']
|
||||
end
|
||||
```
|
||||
|
||||
## Attributes
|
||||
|
||||
Configuration options, each option corresponds to the same-named configuration option in the redis configuration file; default values listed
|
||||
|
||||
* `redisio['mirror']` - mirror server with path to download redis package, default is [http://download.redis.io/releases/](http://download.redis.io/releases/)
|
||||
* `redisio['base_name']` - the base name of the redis package to be downloaded (the part before the version), default is 'redis-'
|
||||
* `redisio['artifact_type']` - the file extension of the package. currently only .tar.gz and .tgz are supported, default is 'tar.gz'
|
||||
* `redisio['version']` - the version number of redis to install (also appended to the `base_name` for downloading), default is '2.8.17'
|
||||
* `redisio['safe_install']` - prevents redis from installing itself if another version of redis is installed, default is true
|
||||
* `redisio['base_piddir']` - This is the directory that redis pidfile directories and pidfiles will be placed in. Since redis can run as non root, it needs to have proper
|
||||
permissions to the directory to create its pid. Since each instance can run as a different user, these directories will all be nested inside this base one.
|
||||
* `redisio['bypass_setup']` - This attribute allows users to prevent the default recipe from calling the install and configure recipes.
|
||||
* `redisio['job_control']` - This deteremines what job control type will be used. Currently supports 'initd' or 'upstart' options. Defaults to 'initd'.
|
||||
|
||||
Default settings is a hash of default settings to be applied to to ALL instances. These can be overridden for each individual server in the servers attribute. If you are going to set logfile to a specific file, make sure to set syslog-enabled to no.
|
||||
|
||||
* `redisio['default_settings']` - { 'redis-option' => 'option setting' }
|
||||
|
||||
Available options and their defaults
|
||||
|
||||
```config
|
||||
'user' => 'redis' - the user to own the redis datadir, redis will also run under this user
|
||||
'group' => 'redis' - the group to own the redis datadir
|
||||
'permissions' => '0644' - the unix permissions applied to the server config file
|
||||
'homedir' => Home directory of the user. Varies on distribution, check attributes file
|
||||
'shell' => Users shell. Varies on distribution, check attributes file
|
||||
'systemuser' => true - Sets up the instances user as a system user
|
||||
'ulimit' => 0 - 0 is a special value causing the ulimit to be maxconnections +32. Set to nil or false to disable setting ulimits
|
||||
'configdir' => '/etc/redis' - configuration directory
|
||||
'name' => nil, Allows you to name the server with something other than port. Useful if you want to use unix sockets
|
||||
'tcpbacklog' => '511',
|
||||
'address' => nil, Can accept a single string or an array. When using an array, the FIRST value will be used by the init script for connecting to redis
|
||||
'databases' => '16',
|
||||
'backuptype' => 'rdb',
|
||||
'datadir' => '/var/lib/redis',
|
||||
'unixsocket' => nil - The location of the unix socket to use,
|
||||
'unixsocketperm' => nil - The permissions of the unix socket,
|
||||
'timeout' => '0',
|
||||
'keepalive' => '0',
|
||||
'loglevel' => 'notice',
|
||||
'logfile' => nil,
|
||||
'syslogenabled' => 'yes',
|
||||
'syslogfacility' => 'local0',
|
||||
'shutdown_save' => false,
|
||||
'save' => nil, # Defaults to ['900 1','300 10','60 10000'] inside of template. Needed due to lack of hash subtraction
|
||||
'stopwritesonbgsaveerror' => 'yes',
|
||||
'rdbcompression' => 'yes',
|
||||
'rdbchecksum' => 'yes',
|
||||
'dbfilename' => nil,
|
||||
'slaveof' => nil,
|
||||
'masterauth' => nil,
|
||||
'slaveservestaledata' => 'yes',
|
||||
'slavereadonly' => 'yes',
|
||||
'repldisklesssync' => 'no', # Requires redis 2.8.18+
|
||||
'repldisklesssyncdelay' => '5', # Requires redis 2.8.18+
|
||||
'replpingslaveperiod' => '10',
|
||||
'repltimeout' => '60',
|
||||
'repldisabletcpnodelay => 'no',
|
||||
'slavepriority' => '100',
|
||||
'requirepass' => nil,
|
||||
'rename_commands' => nil, or a hash where each key is a redis command and the value is the command's new name.
|
||||
'maxclients' => 10000,
|
||||
'maxmemory' => nil,
|
||||
'maxmemorypolicy' => nil,
|
||||
'maxmemorysamples' => nil,
|
||||
'appendfilename' => nil,
|
||||
'appendfsync' => 'everysec',
|
||||
'noappendfsynconrewrite' => 'no',
|
||||
'aofrewritepercentage' => '100',
|
||||
'aofrewriteminsize' => '64mb',
|
||||
'luatimelimit' => '5000',
|
||||
'slowloglogslowerthan' => '10000',
|
||||
'slowlogmaxlen' => '1024',
|
||||
'notifykeyspaceevents' => '',
|
||||
'hashmaxziplistentries' => '512',
|
||||
'hashmaxziplistvalue' => '64',
|
||||
'listmaxziplistentries' => '512',
|
||||
'listmaxziplistvalue' => '64',
|
||||
'setmaxintsetentries' => '512',
|
||||
'zsetmaxziplistentries' => '128',
|
||||
'zsetmaxziplistvalue' => '64',
|
||||
'hllsparsemaxbytes' => '3000',
|
||||
'activerehasing' => 'yes',
|
||||
'clientoutputbufferlimit' => [
|
||||
%w(normal 0 0 0),
|
||||
%w(slave 256mb 64mb 60),
|
||||
%w(pubsub 32mb 8mb 60)
|
||||
],
|
||||
'hz' => '10',
|
||||
'aofrewriteincrementalfsync' => 'yes',
|
||||
'clusterenabled' => 'no',
|
||||
'clusterconfigfile' => nil, # Defaults to redis instance name inside of template if cluster is enabled.
|
||||
'clusternodetimeout' => 5000,
|
||||
'includes' => nil,
|
||||
'breadcrumb' => true # Defaults to create breadcrumb lock-file.
|
||||
```
|
||||
|
||||
* `redisio['servers']` - An array where each item is a set of key value pairs for redis instance specific settings. The only required option is 'port'. These settings will override the options in 'default_settings', if it is left `nil` it will default to `[{'port' => '6379'}]`. If set to `[]` (empty array), no instances will be created.
|
||||
|
||||
The redis_gem recipe will also allow you to install the redis ruby gem, these are attributes related to that, and are in the redis_gem attributes file.
|
||||
|
||||
* `redisio['gem']['name']` - the name of the gem to install, defaults to 'redis'
|
||||
* `redisio['gem']['version']` - the version of the gem to install. if it is nil, the latest available version will be installed.
|
||||
|
||||
The sentinel recipe's use their own attribute file.
|
||||
|
||||
* `redisio['sentinel_defaults']` - { 'sentinel-option' => 'option setting' }
|
||||
|
||||
```config
|
||||
'user' => 'redis',
|
||||
'configdir' => '/etc/redis',
|
||||
'sentinel_bind' => nil,
|
||||
'sentinel_port' => 26379,
|
||||
'monitor' => nil,
|
||||
'down-after-milliseconds' => 30000,
|
||||
'can-failover' => 'yes',
|
||||
'parallel-syncs' => 1,
|
||||
'failover-timeout' => 900000,
|
||||
'loglevel' => 'notice',
|
||||
'logfile' => nil,
|
||||
'syslogenabled' => 'yes',
|
||||
'syslogfacility' => 'local0',
|
||||
'quorum_count' => 2
|
||||
```
|
||||
|
||||
* `redisio['redisio']['sentinel']['manage_config']` - Should the cookbook manage the redis and redis sentinel config files. This is best set to false when using redis_sentinel as it will write state into both configuration files.
|
||||
|
||||
* `redisio['redisio']['sentinels']` - Array of sentinels to configure on the node. These settings will override the options in 'sentinel_defaults', if it is left `nil` it will default to `[{'port' => '26379', 'name' => 'mycluster', 'master_ip' => '127.0.0.1', 'master_port' => 6379}]`. If set to `[]` (empty array), no instances will be created.
|
||||
|
||||
You may also pass an array of masters to monitor like so:
|
||||
|
||||
```ruby
|
||||
[{
|
||||
'sentinel_port' => '26379',
|
||||
'name' => 'mycluster_sentinel',
|
||||
'masters' => [
|
||||
{ 'master_name' => 'master6379', 'master_ip' => '127.0.0.1', 'master_port' => 6379 },
|
||||
{ 'master_name' => 'master6380', 'master_ip' => '127.0.0.1', 'master_port' => 6380 }
|
||||
]
|
||||
|
||||
}]
|
||||
```
|
||||
|
||||
## Resources/Providers
|
||||
|
||||
### `install`
|
||||
|
||||
Actions:
|
||||
|
||||
* `run` - perform the install (default)
|
||||
* `nothing` - do nothing
|
||||
|
||||
Attribute Parameters
|
||||
|
||||
* `version` - the version of redis to download / install
|
||||
* `download_url` - the URL plus filename of the redis package to install
|
||||
* `download_dir` - the directory to store the downloaded package
|
||||
* `artifact_type` - the file extension of the package
|
||||
* `base_name` - the name of the package minus the extension and version number
|
||||
* `safe_install` - a true or false value which determines if a version of redis will be installed if one already exists, defaults to true
|
||||
|
||||
This resource expects the following naming conventions:
|
||||
|
||||
package file should be in the format base_nameVersion_number.artifact_type
|
||||
|
||||
package file after extraction should be inside of the directory base_nameVersion_number
|
||||
|
||||
```ruby
|
||||
install "redis" do
|
||||
action [:run,:nothing]
|
||||
end
|
||||
```
|
||||
|
||||
### `configure`
|
||||
|
||||
Actions:
|
||||
|
||||
* `run` - perform the configure (default)
|
||||
* `nothing` - do nothing
|
||||
|
||||
Attribute Parameters
|
||||
|
||||
* `version` - the version of redis to download / install
|
||||
* `base_piddir` - directory where pid files will be created
|
||||
* `user` - the user to run redis as, and to own the redis files
|
||||
* `group` - the group to own the redis files
|
||||
* `default_settings` - a hash of the default redis server settings
|
||||
* `servers` - an array of hashes containing server configurations overrides (port is the only required)
|
||||
|
||||
```ruby
|
||||
configure "redis" do
|
||||
action [:run,:nothing]
|
||||
end
|
||||
```
|
||||
|
||||
## Contributors
|
||||
|
||||
This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
|
||||
|
||||
### Backers
|
||||
|
||||
Thank you to all our backers!
|
||||
|
||||
![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
|
||||
|
||||
### Sponsors
|
||||
|
||||
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
|
||||
|
||||
![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
|
||||
![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
|
||||
![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
|
||||
![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
|
||||
![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
|
||||
![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
|
||||
![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
|
||||
![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
|
||||
![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
|
||||
![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)
|
|
@ -0,0 +1,164 @@
|
|||
package_bin_path = '/usr/bin'
|
||||
config_dir = '/etc/redis'
|
||||
default_package_install = false
|
||||
|
||||
case node['platform']
|
||||
when 'ubuntu', 'debian'
|
||||
shell = '/bin/false'
|
||||
homedir = '/var/lib/redis'
|
||||
package_name = 'redis-server'
|
||||
when 'centos', 'redhat', 'scientific', 'amazon', 'suse', 'fedora'
|
||||
shell = '/bin/sh'
|
||||
homedir = '/var/lib/redis'
|
||||
package_name = 'redis'
|
||||
when 'freebsd'
|
||||
shell = '/bin/sh'
|
||||
homedir = '/var/lib/redis'
|
||||
package_name = 'redis'
|
||||
package_bin_path = '/usr/local/bin'
|
||||
config_dir = '/usr/local/etc/redis'
|
||||
default_package_install = true
|
||||
else
|
||||
shell = '/bin/sh'
|
||||
homedir = '/redis'
|
||||
package_name = 'redis'
|
||||
end
|
||||
|
||||
# Overwite template used for the Redis Server config (not sentinel)
|
||||
default['redisio']['redis_config']['template_cookbook'] = 'redisio'
|
||||
default['redisio']['redis_config']['template_source'] = 'redis.conf.erb'
|
||||
|
||||
# Install related attributes
|
||||
default['redisio']['safe_install'] = true
|
||||
default['redisio']['package_install'] = default_package_install
|
||||
default['redisio']['package_name'] = package_name
|
||||
default['redisio']['bypass_setup'] = false
|
||||
|
||||
# Tarball and download related defaults
|
||||
default['redisio']['mirror'] = 'http://download.redis.io/releases/'
|
||||
default['redisio']['base_name'] = 'redis-'
|
||||
default['redisio']['artifact_type'] = 'tar.gz'
|
||||
default['redisio']['base_piddir'] = '/var/run/redis'
|
||||
|
||||
# Version
|
||||
default['redisio']['version'] = if node['redisio']['package_install']
|
||||
# latest version (only for package install)
|
||||
nil
|
||||
else
|
||||
# force version for tarball
|
||||
'3.2.11'
|
||||
end
|
||||
|
||||
# Custom installation directory
|
||||
default['redisio']['install_dir'] = nil
|
||||
|
||||
# Job control related options (initd, upstart, or systemd)
|
||||
default['redisio']['job_control'] = if systemd?
|
||||
'systemd'
|
||||
elsif platform_family?('freebsd')
|
||||
'rcinit'
|
||||
else
|
||||
'initd'
|
||||
end
|
||||
|
||||
# Init.d script related options
|
||||
default['redisio']['init.d']['required_start'] = []
|
||||
default['redisio']['init.d']['required_stop'] = []
|
||||
|
||||
# Default settings for all redis instances, these can be overridden on a per server basis in the 'servers' hash
|
||||
default['redisio']['default_settings'] = {
|
||||
'user' => 'redis',
|
||||
'group' => 'redis',
|
||||
'permissions' => '0644',
|
||||
'homedir' => homedir,
|
||||
'shell' => shell,
|
||||
'systemuser' => true,
|
||||
'uid' => nil,
|
||||
'ulimit' => 0,
|
||||
'configdir' => config_dir,
|
||||
'name' => nil,
|
||||
'tcpbacklog' => '511',
|
||||
'address' => nil,
|
||||
'databases' => '16',
|
||||
'backuptype' => 'rdb',
|
||||
'datadir' => '/var/lib/redis',
|
||||
'unixsocket' => nil,
|
||||
'unixsocketperm' => nil,
|
||||
'timeout' => '0',
|
||||
'keepalive' => '0',
|
||||
'loglevel' => 'notice',
|
||||
'logfile' => nil,
|
||||
'syslogenabled' => 'yes',
|
||||
'syslogfacility' => 'local0',
|
||||
'shutdown_save' => false,
|
||||
'save' => nil, # Defaults to ['900 1','300 10','60 10000'] inside of template. Needed due to lack of hash subtraction
|
||||
'stopwritesonbgsaveerror' => 'yes',
|
||||
'rdbcompression' => 'yes',
|
||||
'rdbchecksum' => 'yes',
|
||||
'dbfilename' => nil,
|
||||
'slaveof' => nil,
|
||||
'protected_mode' => nil, # unspecified by default but could be set explicitly to 'yes' or 'no'
|
||||
'masterauth' => nil,
|
||||
'slaveservestaledata' => 'yes',
|
||||
'slavereadonly' => 'yes',
|
||||
'repldisklesssync' => 'no',
|
||||
'repldisklesssyncdelay' => '5',
|
||||
'replpingslaveperiod' => '10',
|
||||
'repltimeout' => '60',
|
||||
'repldisabletcpnodelay' => 'no',
|
||||
'replbacklogsize' => '1mb',
|
||||
'replbacklogttl' => 3600,
|
||||
'slavepriority' => '100',
|
||||
'requirepass' => nil,
|
||||
'rename_commands' => nil,
|
||||
'maxclients' => 10000,
|
||||
'maxmemory' => nil,
|
||||
'maxmemorypolicy' => nil,
|
||||
'maxmemorysamples' => nil,
|
||||
'appendfilename' => nil,
|
||||
'appendfsync' => 'everysec',
|
||||
'noappendfsynconrewrite' => 'no',
|
||||
'aofrewritepercentage' => '100',
|
||||
'aofrewriteminsize' => '64mb',
|
||||
'aofloadtruncated' => 'yes',
|
||||
'luatimelimit' => '5000',
|
||||
'slowloglogslowerthan' => '10000',
|
||||
'slowlogmaxlen' => '1024',
|
||||
'notifykeyspaceevents' => '',
|
||||
'hashmaxziplistentries' => '512',
|
||||
'hashmaxziplistvalue' => '64',
|
||||
'listmaxziplistentries' => '512',
|
||||
'listmaxziplistvalue' => '64',
|
||||
'setmaxintsetentries' => '512',
|
||||
'zsetmaxziplistentries' => '128',
|
||||
'zsetmaxziplistvalue' => '64',
|
||||
'hllsparsemaxbytes' => '3000',
|
||||
'activerehasing' => 'yes',
|
||||
'clientoutputbufferlimit' => [
|
||||
%w(normal 0 0 0),
|
||||
%w(slave 256mb 64mb 60),
|
||||
%w(pubsub 32mb 8mb 60),
|
||||
],
|
||||
'hz' => '10',
|
||||
'aofrewriteincrementalfsync' => 'yes',
|
||||
'clusterenabled' => 'no',
|
||||
'clusterconfigfile' => nil, # Defaults to redis instance name inside of template if cluster is enabled.
|
||||
'clusternodetimeout' => 5000,
|
||||
'includes' => nil,
|
||||
'data_bag_name' => nil,
|
||||
'data_bag_item' => nil,
|
||||
'data_bag_key' => nil,
|
||||
'minslavestowrite' => nil,
|
||||
'minslavesmaxlag' => nil,
|
||||
'breadcrumb' => true,
|
||||
}
|
||||
|
||||
# The default for this is set inside of the "install" recipe. This is due to the way deep merge handles arrays
|
||||
default['redisio']['servers'] = nil
|
||||
|
||||
# Define binary path
|
||||
default['redisio']['bin_path'] = if node['redisio']['package_install']
|
||||
package_bin_path
|
||||
else
|
||||
'/usr/local/bin'
|
||||
end
|
|
@ -0,0 +1,3 @@
|
|||
# Allow for a redis ruby gem to be installed
|
||||
default['redisio']['gem']['name'] = 'redis'
|
||||
default['redisio']['gem']['version'] = nil
|
|
@ -0,0 +1,35 @@
|
|||
config_dir = if platform_family?('freebsd')
|
||||
'/usr/local/etc/redis'
|
||||
else
|
||||
'/etc/redis'
|
||||
end
|
||||
|
||||
default['redisio']['sentinel_defaults'] = {
|
||||
'user' => 'redis',
|
||||
'configdir' => config_dir,
|
||||
'sentinel_bind' => nil,
|
||||
'sentinel_port' => 26379,
|
||||
'monitor' => nil,
|
||||
'down_after_milliseconds' => 30000,
|
||||
'can-failover' => 'yes',
|
||||
'parallel-syncs' => 1,
|
||||
'failover_timeout' => 900000,
|
||||
'loglevel' => 'notice',
|
||||
'logfile' => nil,
|
||||
'syslogenabled' => 'yes',
|
||||
'syslogfacility' => 'local0',
|
||||
'quorum_count' => 2,
|
||||
'data_bag_name' => nil,
|
||||
'data_bag_item' => nil,
|
||||
'data_bag_key' => nil,
|
||||
'announce-ip' => nil,
|
||||
'announce-port' => nil,
|
||||
'notification-script' => nil,
|
||||
'client-reconfig-script' => nil,
|
||||
}
|
||||
|
||||
# Manage Sentinel Config File
|
||||
## Will write out the base config one time then no longer manage the config allowing sentinel to take over
|
||||
default['redisio']['sentinel']['manage_config'] = true # Deprecated
|
||||
|
||||
default['redisio']['sentinels'] = nil
|
|
@ -0,0 +1,115 @@
|
|||
# Put files/directories that should be ignored in this file when uploading
|
||||
# to a Chef Infra Server or Supermarket.
|
||||
# Lines that start with '# ' are comments.
|
||||
|
||||
# OS generated files #
|
||||
######################
|
||||
.DS_Store
|
||||
ehthumbs.db
|
||||
Icon?
|
||||
nohup.out
|
||||
Thumbs.db
|
||||
.envrc
|
||||
|
||||
# EDITORS #
|
||||
###########
|
||||
.#*
|
||||
.project
|
||||
.settings
|
||||
*_flymake
|
||||
*_flymake.*
|
||||
*.bak
|
||||
*.sw[a-z]
|
||||
*.tmproj
|
||||
*~
|
||||
\#*
|
||||
REVISION
|
||||
TAGS*
|
||||
tmtags
|
||||
.vscode
|
||||
.editorconfig
|
||||
|
||||
## COMPILED ##
|
||||
##############
|
||||
*.class
|
||||
*.com
|
||||
*.dll
|
||||
*.exe
|
||||
*.o
|
||||
*.pyc
|
||||
*.so
|
||||
*/rdoc/
|
||||
a.out
|
||||
mkmf.log
|
||||
|
||||
# Testing #
|
||||
###########
|
||||
.circleci/*
|
||||
.codeclimate.yml
|
||||
.delivery/*
|
||||
.foodcritic
|
||||
.kitchen*
|
||||
.mdlrc
|
||||
.overcommit.yml
|
||||
.rspec
|
||||
.rubocop.yml
|
||||
.travis.yml
|
||||
.watchr
|
||||
.yamllint
|
||||
azure-pipelines.yml
|
||||
Dangerfile
|
||||
examples/*
|
||||
features/*
|
||||
Guardfile
|
||||
kitchen.yml*
|
||||
mlc_config.json
|
||||
Procfile
|
||||
Rakefile
|
||||
spec/*
|
||||
test/*
|
||||
|
||||
# SCM #
|
||||
#######
|
||||
.git
|
||||
.gitattributes
|
||||
.gitconfig
|
||||
.github/*
|
||||
.gitignore
|
||||
.gitkeep
|
||||
.gitmodules
|
||||
.svn
|
||||
*/.bzr/*
|
||||
*/.git
|
||||
*/.hg/*
|
||||
*/.svn/*
|
||||
|
||||
# Berkshelf #
|
||||
#############
|
||||
Berksfile
|
||||
Berksfile.lock
|
||||
cookbooks/*
|
||||
tmp
|
||||
|
||||
# Bundler #
|
||||
###########
|
||||
vendor/*
|
||||
Gemfile
|
||||
Gemfile.lock
|
||||
|
||||
# Policyfile #
|
||||
##############
|
||||
Policyfile.rb
|
||||
Policyfile.lock.json
|
||||
|
||||
# Documentation #
|
||||
#############
|
||||
CODE_OF_CONDUCT*
|
||||
CONTRIBUTING*
|
||||
documentation/*
|
||||
TESTING*
|
||||
UPGRADING*
|
||||
|
||||
# Vagrant #
|
||||
###########
|
||||
.vagrant
|
||||
Vagrantfile
|
|
@ -0,0 +1,46 @@
|
|||
---
|
||||
driver:
|
||||
name: dokken
|
||||
privileged: true
|
||||
chef_version: current
|
||||
env: [CHEF_LICENSE=accept]
|
||||
|
||||
transport:
|
||||
name: dokken
|
||||
|
||||
provisioner:
|
||||
name: dokken
|
||||
deprecations_as_errors: true
|
||||
|
||||
verifier:
|
||||
name: inspec
|
||||
|
||||
platforms:
|
||||
- name: centos-7
|
||||
driver:
|
||||
image: dokken/centos-7
|
||||
pid_one_command: /usr/lib/systemd/systemd
|
||||
run_list:
|
||||
- recipe[yum-epel::default]
|
||||
- recipe[yum-remi::default]
|
||||
|
||||
- name: debian-9
|
||||
driver:
|
||||
image: dokken/debian-9
|
||||
pid_one_command: /bin/systemd
|
||||
intermediate_instructions:
|
||||
- RUN /usr/bin/apt-get update
|
||||
|
||||
- name: ubuntu-16.04
|
||||
driver:
|
||||
image: dokken/ubuntu-16.04
|
||||
pid_one_command: /bin/systemd
|
||||
intermediate_instructions:
|
||||
- RUN /usr/bin/apt-get update
|
||||
|
||||
- name: ubuntu-18.04
|
||||
driver:
|
||||
image: dokken/ubuntu-18.04
|
||||
pid_one_command: /bin/systemd
|
||||
intermediate_instructions:
|
||||
- RUN /usr/bin/apt-get update
|
|
@ -0,0 +1 @@
|
|||
# cookbook/libraries/matchers.rb
|
|
@ -0,0 +1,32 @@
|
|||
module RedisioHelper
|
||||
def recipe_eval
|
||||
sub_run_context = @run_context.dup
|
||||
sub_run_context.resource_collection = Chef::ResourceCollection.new
|
||||
begin
|
||||
original_run_context = @run_context
|
||||
@run_context = sub_run_context
|
||||
yield
|
||||
ensure
|
||||
@run_context = original_run_context
|
||||
end
|
||||
|
||||
begin
|
||||
Chef::Runner.new(sub_run_context).converge
|
||||
ensure
|
||||
new_resource.updated_by_last_action(true) if sub_run_context.resource_collection.any?(&:updated?)
|
||||
end
|
||||
end
|
||||
|
||||
def self.version_to_hash(version_string)
|
||||
version_array = version_string.split('.')
|
||||
version_array[2] = version_array[2].split('-')
|
||||
version_array.flatten!
|
||||
|
||||
{
|
||||
major: version_array[0].include?(':') ? version_array[0].split(':')[1] : version_array[0],
|
||||
minor: version_array[1],
|
||||
tiny: version_array[2],
|
||||
rc: version_array[3],
|
||||
}
|
||||
end
|
||||
end
|
|
@ -0,0 +1,44 @@
|
|||
{
|
||||
"name": "redisio",
|
||||
"description": "Installs and configures redis",
|
||||
"long_description": "",
|
||||
"maintainer": "Sous Chefs",
|
||||
"maintainer_email": "help@sous-chefs.org",
|
||||
"license": "Apache-2.0",
|
||||
"platforms": {
|
||||
"amazon": ">= 0.0.0",
|
||||
"centos": ">= 0.0.0",
|
||||
"debian": ">= 0.0.0",
|
||||
"fedora": ">= 0.0.0",
|
||||
"redhat": ">= 0.0.0",
|
||||
"scientific": ">= 0.0.0",
|
||||
"suse": ">= 0.0.0",
|
||||
"ubuntu": ">= 0.0.0"
|
||||
},
|
||||
"dependencies": {
|
||||
"ulimit": ">= 0.1.2",
|
||||
"selinux_policy": ">= 2.2.0"
|
||||
},
|
||||
"providing": {
|
||||
|
||||
},
|
||||
"recipes": {
|
||||
|
||||
},
|
||||
"version": "5.0.0",
|
||||
"source_url": "https://github.com/sous-chefs/redisio",
|
||||
"issues_url": "https://github.com/sous-chefs/redisio/issues",
|
||||
"privacy": false,
|
||||
"chef_versions": [
|
||||
[
|
||||
">= 15.5"
|
||||
]
|
||||
],
|
||||
"ohai_versions": [
|
||||
|
||||
],
|
||||
"gems": [
|
||||
|
||||
],
|
||||
"eager_load_libraries": true
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
name 'redisio'
|
||||
maintainer 'Sous Chefs'
|
||||
maintainer_email 'help@sous-chefs.org'
|
||||
license 'Apache-2.0'
|
||||
description 'Installs and configures redis'
|
||||
version '5.0.0'
|
||||
source_url 'https://github.com/sous-chefs/redisio'
|
||||
issues_url 'https://github.com/sous-chefs/redisio/issues'
|
||||
chef_version '>= 15.5'
|
||||
|
||||
%w(
|
||||
amazon
|
||||
centos
|
||||
debian
|
||||
fedora
|
||||
redhat
|
||||
scientific
|
||||
suse
|
||||
ubuntu
|
||||
).each do |os|
|
||||
supports os
|
||||
end
|
||||
|
||||
depends 'ulimit', '>= 0.1.2'
|
||||
depends 'selinux_policy', '>= 2.2.0'
|
|
@ -0,0 +1,389 @@
|
|||
action :run do
|
||||
configure
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
|
||||
def configure
|
||||
base_piddir = new_resource.base_piddir
|
||||
|
||||
if !new_resource.version
|
||||
redis_output = Mixlib::ShellOut.new("#{node['redisio']['bin_path']}/redis-server -v")
|
||||
redis_output.run_command
|
||||
redis_output.error!
|
||||
current_version = redis_output.stdout.gsub(/.*v=((\d+\.){2}\d+).*/, '\1').chomp
|
||||
else
|
||||
current_version = new_resource.version
|
||||
end
|
||||
version_hash = RedisioHelper.version_to_hash(current_version)
|
||||
|
||||
# Setup a configuration file and init script for each configuration provided
|
||||
new_resource.servers.each do |current_instance|
|
||||
# Retrieve the default settings hash and the current server setups settings hash.
|
||||
current_instance_hash = current_instance.to_hash
|
||||
current_defaults_hash = new_resource.default_settings.to_hash
|
||||
|
||||
# Merge the configuration defaults with the provided array of configurations provided
|
||||
current = current_defaults_hash.merge(current_instance_hash)
|
||||
|
||||
# Merge in the default maxmemory
|
||||
node_memory_kb = node['memory']['total']
|
||||
# On BSD platforms Ohai reports total memory as a Fixnum
|
||||
|
||||
node_memory_kb = node_memory_kb.sub('kB', '').to_i if node_memory_kb.is_a?(String)
|
||||
|
||||
# Here we determine what the logfile is. It has these possible states
|
||||
#
|
||||
# Redis 2.6 and lower can be
|
||||
# stdout
|
||||
# A path
|
||||
# nil
|
||||
# Redis 2.8 and higher can be
|
||||
# empty string, which means stdout)
|
||||
# A path
|
||||
# nil
|
||||
|
||||
if current['logfile'].nil?
|
||||
log_file = nil
|
||||
log_directory = nil
|
||||
elsif current['logfile'] == 'stdout' || current['logfile'].empty?
|
||||
log_directory = nil
|
||||
log_file = current['logfile']
|
||||
else
|
||||
log_directory = ::File.dirname(current['logfile'])
|
||||
log_file = ::File.basename(current['logfile'])
|
||||
if current['syslogenabled'] == 'yes'
|
||||
Chef::Log.warn("log file is set to #{current['logfile']} but syslogenabled is also set to 'yes'")
|
||||
end
|
||||
end
|
||||
|
||||
maxmemory = current['maxmemory'].to_s
|
||||
if !maxmemory.empty? && maxmemory.include?('%')
|
||||
# Just assume this is sensible like "95%" or "95 %"
|
||||
percent_factor = current['maxmemory'].to_f / 100.0
|
||||
# Ohai reports memory in KB as it looks in /proc/meminfo
|
||||
maxmemory = (node_memory_kb * 1024 * percent_factor / new_resource.servers.length).round.to_s
|
||||
end
|
||||
|
||||
descriptors = if current['ulimit'] == 0
|
||||
current['maxclients'] + 32
|
||||
elsif current['ulimit'] > current['maxclients']
|
||||
current['ulimit']
|
||||
else
|
||||
current['maxclients']
|
||||
end
|
||||
|
||||
recipe_eval do
|
||||
server_name = current['name'] || current['port']
|
||||
piddir = "#{base_piddir}/#{server_name}"
|
||||
aof_file = current['appendfilename'] || "#{current['datadir']}/appendonly-#{server_name}.aof"
|
||||
rdb_file = current['dbfilename'] || "#{current['datadir']}/dump-#{server_name}.rdb"
|
||||
|
||||
# Create the owner of the redis data directory
|
||||
user current['user'] do
|
||||
comment 'Redis service account'
|
||||
manage_home true
|
||||
home current['homedir']
|
||||
shell current['shell']
|
||||
system current['systemuser']
|
||||
uid current['uid'] unless current['uid'].nil?
|
||||
end
|
||||
|
||||
# Create the redis configuration directory
|
||||
directory current['configdir'] do
|
||||
owner 'root'
|
||||
group platform_family?('freebsd') ? 'wheel' : 'root'
|
||||
mode '0755'
|
||||
recursive true
|
||||
action :create
|
||||
end
|
||||
# Create the instance data directory
|
||||
directory current['datadir'] do
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0775'
|
||||
recursive true
|
||||
action :create
|
||||
end
|
||||
# Create the pid file directory
|
||||
directory piddir do
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0755'
|
||||
recursive true
|
||||
action :create
|
||||
end
|
||||
# Create the log directory if syslog is not being used
|
||||
if log_directory
|
||||
directory log_directory do
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0755'
|
||||
recursive true
|
||||
action :create
|
||||
end
|
||||
end
|
||||
# Configure SELinux if it is enabled
|
||||
extend Chef::Util::Selinux
|
||||
|
||||
if selinux_enabled?
|
||||
selinux_policy_install 'install'
|
||||
|
||||
selinux_policy_fcontext "#{current['configdir']}(/.*)?" do
|
||||
secontext 'redis_conf_t'
|
||||
end
|
||||
selinux_policy_fcontext "#{current['datadir']}(/.*)?" do
|
||||
secontext 'redis_var_lib_t'
|
||||
end
|
||||
selinux_policy_fcontext "#{piddir}(/.*)?" do
|
||||
secontext 'redis_var_run_t'
|
||||
end
|
||||
if log_directory
|
||||
selinux_policy_fcontext "#{log_directory}(/.*)?" do
|
||||
secontext 'redis_log_t'
|
||||
end
|
||||
end
|
||||
end
|
||||
# Create the log file if syslog is not being used
|
||||
if log_file
|
||||
file current['logfile'] do
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0644'
|
||||
backup false
|
||||
action :touch
|
||||
# in version 2.8 or higher the empty string is used instead of stdout
|
||||
only_if { !log_file.empty? && log_file != 'stdout' }
|
||||
end
|
||||
end
|
||||
# Set proper permissions on the AOF or RDB files
|
||||
file aof_file do
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0644'
|
||||
only_if { current['backuptype'] == 'aof' || current['backuptype'] == 'both' }
|
||||
only_if { ::File.exist?(aof_file) }
|
||||
end
|
||||
file rdb_file do
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0644'
|
||||
only_if { current['backuptype'] == 'rdb' || current['backuptype'] == 'both' }
|
||||
only_if { ::File.exist?(rdb_file) }
|
||||
end
|
||||
|
||||
# Setup the redis users descriptor limits
|
||||
# Pending response on https://github.com/brianbianco/redisio/commit/4ee9aad3b53029cc3b6c6cf741f5126755e712cd#diff-8ae42a59a6f4e8dc5b4e6dd2d6a34eab
|
||||
# TODO: ulimit cookbook v0.1.2 doesn't work with freeBSD
|
||||
if current['ulimit'] && !platform_family?('freebsd')
|
||||
user_ulimit current['user'] do
|
||||
filehandle_limit descriptors
|
||||
end
|
||||
end
|
||||
|
||||
computed_save = current['save']
|
||||
if current['save'] && current['save'].respond_to?(:each_line)
|
||||
computed_save = current['save'].each_line
|
||||
Chef::Log.warn("#{server_name}: given a save argument as a string, instead of an array.")
|
||||
Chef::Log.warn("#{server_name}: This will be deprecated in future versions of the redisio cookbook.")
|
||||
end
|
||||
|
||||
# Load password for use with requirepass from data bag if needed
|
||||
if current['data_bag_name'] && current['data_bag_item'] && current['data_bag_key']
|
||||
bag = data_bag_item(current['data_bag_name'], current['data_bag_item'])
|
||||
current['requirepass'] = bag[current['data_bag_key']]
|
||||
current['masterauth'] = bag[current['data_bag_key']]
|
||||
end
|
||||
|
||||
# Lay down the configuration files for the current instance
|
||||
template "#{current['configdir']}/#{server_name}.conf" do
|
||||
source node['redisio']['redis_config']['template_source']
|
||||
cookbook node['redisio']['redis_config']['template_cookbook']
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode current['permissions']
|
||||
action :create
|
||||
variables(
|
||||
version: version_hash,
|
||||
piddir: piddir,
|
||||
name: server_name,
|
||||
job_control: node['redisio']['job_control'],
|
||||
port: current['port'],
|
||||
tcpbacklog: current['tcpbacklog'],
|
||||
address: current['address'],
|
||||
databases: current['databases'],
|
||||
backuptype: current['backuptype'],
|
||||
datadir: current['datadir'],
|
||||
unixsocket: current['unixsocket'],
|
||||
unixsocketperm: current['unixsocketperm'],
|
||||
timeout: current['timeout'],
|
||||
keepalive: current['keepalive'],
|
||||
loglevel: current['loglevel'],
|
||||
logfile: current['logfile'],
|
||||
syslogenabled: current['syslogenabled'],
|
||||
syslogfacility: current['syslogfacility'],
|
||||
save: computed_save,
|
||||
stopwritesonbgsaveerror: current['stopwritesonbgsaveerror'],
|
||||
rdbcompression: current['rdbcompression'],
|
||||
rdbchecksum: current['rdbchecksum'],
|
||||
dbfilename: current['dbfilename'],
|
||||
slaveof: current['slaveof'],
|
||||
protected_mode: current['protected_mode'],
|
||||
masterauth: current['masterauth'],
|
||||
slaveservestaledata: current['slaveservestaledata'],
|
||||
slavereadonly: current['slavereadonly'],
|
||||
replpingslaveperiod: current['replpingslaveperiod'],
|
||||
repltimeout: current['repltimeout'],
|
||||
repldisabletcpnodelay: current['repldisabletcpnodelay'],
|
||||
replbacklogsize: current['replbacklogsize'],
|
||||
replbacklogttl: current['replbacklogttl'],
|
||||
slavepriority: current['slavepriority'],
|
||||
requirepass: current['requirepass'],
|
||||
rename_commands: current['rename_commands'],
|
||||
maxclients: current['maxclients'],
|
||||
maxmemory: maxmemory,
|
||||
maxmemorypolicy: current['maxmemorypolicy'],
|
||||
maxmemorysamples: current['maxmemorysamples'],
|
||||
appendfilename: current['appendfilename'],
|
||||
appendfsync: current['appendfsync'],
|
||||
noappendfsynconrewrite: current['noappendfsynconrewrite'],
|
||||
aofrewritepercentage: current['aofrewritepercentage'],
|
||||
aofrewriteminsize: current['aofrewriteminsize'],
|
||||
aofloadtruncated: current['aofloadtruncated'],
|
||||
luatimelimit: current['luatimelimit'],
|
||||
slowloglogslowerthan: current['slowloglogslowerthan'],
|
||||
slowlogmaxlen: current['slowlogmaxlen'],
|
||||
notifykeyspaceevents: current['notifykeyspaceevents'],
|
||||
hashmaxziplistentries: current['hashmaxziplistentries'],
|
||||
hashmaxziplistvalue: current['hashmaxziplistvalue'],
|
||||
listmaxziplistentries: current['listmaxziplistentries'],
|
||||
listmaxziplistvalue: current['listmaxziplistvalue'],
|
||||
setmaxintsetentries: current['setmaxintsetentries'],
|
||||
zsetmaxziplistentries: current['zsetmaxziplistentries'],
|
||||
zsetmaxziplistvalue: current['zsetmaxziplistvalue'],
|
||||
hllsparsemaxbytes: current['hllsparsemaxbytes'],
|
||||
activerehasing: current['activerehasing'],
|
||||
clientoutputbufferlimit: current['clientoutputbufferlimit'],
|
||||
hz: current['hz'],
|
||||
aofrewriteincrementalfsync: current['aofrewriteincrementalfsync'],
|
||||
clusterenabled: current['clusterenabled'],
|
||||
clusterconfigfile: current['clusterconfigfile'],
|
||||
clusternodetimeout: current['clusternodetimeout'],
|
||||
includes: current['includes'],
|
||||
minslavestowrite: current['minslavestowrite'],
|
||||
minslavesmaxlag: current['minslavesmaxlag'],
|
||||
repldisklesssync: current['repldisklesssync'],
|
||||
repldisklesssyncdelay: current['repldisklesssyncdelay']
|
||||
)
|
||||
not_if { ::File.exist?("#{current['configdir']}/#{server_name}.conf.breadcrumb") }
|
||||
end
|
||||
|
||||
file "#{current['configdir']}/#{server_name}.conf.breadcrumb" do
|
||||
content 'This file prevents the chef cookbook from overwritting the redis config more than once'
|
||||
action :create_if_missing
|
||||
only_if { current['breadcrumb'] == true }
|
||||
end
|
||||
|
||||
# Setup init.d file
|
||||
bin_path = if node['redisio']['install_dir']
|
||||
::File.join(node['redisio']['install_dir'], 'bin')
|
||||
else
|
||||
node['redisio']['bin_path']
|
||||
end
|
||||
|
||||
case node['redisio']['job_control']
|
||||
when 'initd'
|
||||
template "/etc/init.d/redis#{server_name}" do
|
||||
source 'redis.init.erb'
|
||||
cookbook 'redisio'
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '0755'
|
||||
variables(
|
||||
name: server_name,
|
||||
bin_path: bin_path,
|
||||
port: current['port'],
|
||||
address: current['address'],
|
||||
user: current['user'],
|
||||
configdir: current['configdir'],
|
||||
piddir: piddir,
|
||||
requirepass: current['requirepass'],
|
||||
shutdown_save: current['shutdown_save'],
|
||||
platform: node['platform'],
|
||||
unixsocket: current['unixsocket'],
|
||||
ulimit: descriptors,
|
||||
required_start: node['redisio']['init.d']['required_start'].join(' '),
|
||||
required_stop: node['redisio']['init.d']['required_stop'].join(' ')
|
||||
)
|
||||
end
|
||||
when 'upstart'
|
||||
template "/etc/init/redis#{server_name}.conf" do
|
||||
source 'redis.upstart.conf.erb'
|
||||
cookbook 'redisio'
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0644'
|
||||
variables(
|
||||
name: server_name,
|
||||
bin_path: bin_path,
|
||||
port: current['port'],
|
||||
user: current['user'],
|
||||
group: current['group'],
|
||||
configdir: current['configdir'],
|
||||
piddir: piddir
|
||||
)
|
||||
end
|
||||
when 'rcinit'
|
||||
template "/usr/local/etc/rc.d/redis#{server_name}" do
|
||||
source 'redis.rcinit.erb'
|
||||
cookbook 'redisio'
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0755'
|
||||
variables(
|
||||
name: server_name,
|
||||
bin_path: bin_path,
|
||||
user: current['user'],
|
||||
configdir: current['configdir'],
|
||||
piddir: piddir
|
||||
)
|
||||
end
|
||||
when 'systemd'
|
||||
service_name = "redis@#{server_name}"
|
||||
reload_name = "#{service_name} systemd reload"
|
||||
|
||||
file "/etc/tmpfiles.d/#{service_name}.conf" do
|
||||
content "d #{piddir} 0755 #{current['user']} #{current['group']}\n"
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '0644'
|
||||
end
|
||||
|
||||
execute reload_name do
|
||||
command 'systemctl daemon-reload'
|
||||
action :nothing
|
||||
end
|
||||
|
||||
template "/lib/systemd/system/#{service_name}.service" do
|
||||
source 'redis@.service.erb'
|
||||
cookbook 'redisio'
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '0644'
|
||||
variables(
|
||||
bin_path: bin_path,
|
||||
user: current['user'],
|
||||
group: current['group'],
|
||||
limit_nofile: descriptors
|
||||
)
|
||||
notifies :run, "execute[#{reload_name}]", :immediately
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
# servers each loop
|
||||
end
|
||||
|
||||
def load_current_resource
|
||||
@current_resource = Chef::Resource.resource_for_node(:redisio_configure, node).new(new_resource.name)
|
||||
@current_resource
|
||||
end
|
|
@ -0,0 +1,93 @@
|
|||
action :run do
|
||||
# Package install
|
||||
if node['redisio']['package_install']
|
||||
package_resource = package 'redisio_package_name' do
|
||||
package_name node['redisio']['package_name']
|
||||
version node['redisio']['version']
|
||||
action :nothing
|
||||
end
|
||||
|
||||
package_resource.run_action(:install)
|
||||
new_resource.updated_by_last_action(true) if package_resource.updated_by_last_action?
|
||||
|
||||
# freeBSD does not support from source since ports does not support versioning (without a lot of hassle)
|
||||
elsif platform_family?('freebsd')
|
||||
raise 'Source install not supported for freebsd'
|
||||
# Tarball install
|
||||
else
|
||||
@tarball = "#{new_resource.base_name}#{new_resource.version}.#{new_resource.artifact_type}"
|
||||
|
||||
unless current_resource.version == new_resource.version || (redis_exists? && new_resource.safe_install)
|
||||
Chef::Log.info("Installing Redis #{new_resource.version} from source")
|
||||
download
|
||||
unpack
|
||||
build
|
||||
install
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def download
|
||||
Chef::Log.info("Downloading redis tarball from #{new_resource.download_url}")
|
||||
remote_file "#{new_resource.download_dir}/#{@tarball}" do
|
||||
source new_resource.download_url
|
||||
end
|
||||
end
|
||||
|
||||
def unpack
|
||||
install_dir = "#{new_resource.base_name}#{new_resource.version}"
|
||||
case new_resource.artifact_type
|
||||
when 'tar.gz', '.tgz'
|
||||
execute %(cd #{new_resource.download_dir} ; mkdir -p '#{install_dir}' ; tar zxf '#{@tarball}' --strip-components=1 -C '#{install_dir}' --no-same-owner)
|
||||
else
|
||||
raise Chef::Exceptions::UnsupportedAction, "Current package type #{new_resource.artifact_type} is unsupported"
|
||||
end
|
||||
end
|
||||
|
||||
def build
|
||||
execute "cd #{new_resource.download_dir}/#{new_resource.base_name}#{new_resource.version} && make clean && make"
|
||||
end
|
||||
|
||||
def install
|
||||
install_prefix = if new_resource.install_dir
|
||||
"PREFIX=#{new_resource.install_dir}"
|
||||
else
|
||||
''
|
||||
end
|
||||
execute "cd #{new_resource.download_dir}/#{new_resource.base_name}#{new_resource.version} && make #{install_prefix} install"
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
|
||||
def redis_exists?
|
||||
bin_path = if node['redisio']['install_dir']
|
||||
::File.join(node['redisio']['install_dir'], 'bin')
|
||||
else
|
||||
node['redisio']['bin_path']
|
||||
end
|
||||
redis_server = ::File.join(bin_path, 'redis-server')
|
||||
::File.exist?(redis_server)
|
||||
end
|
||||
|
||||
def version
|
||||
if redis_exists?
|
||||
bin_path = if node['redisio']['install_dir']
|
||||
::File.join(node['redisio']['install_dir'], 'bin')
|
||||
else
|
||||
node['redisio']['bin_path']
|
||||
end
|
||||
redis_server = ::File.join(bin_path, 'redis-server')
|
||||
redis_version = Mixlib::ShellOut.new("#{redis_server} -v")
|
||||
redis_version.run_command
|
||||
version = redis_version.stdout[/version (\d*.\d*.\d*)/, 1] || redis_version.stdout[/v=(\d*.\d*.\d*)/, 1]
|
||||
Chef::Log.info("The Redis server version is: #{version}")
|
||||
return version.delete("\n")
|
||||
end
|
||||
nil
|
||||
end
|
||||
|
||||
def load_current_resource
|
||||
@current_resource = Chef::Resource.resource_for_node(:redisio_install, node).new(new_resource.name)
|
||||
@current_resource.version(version)
|
||||
@current_resource
|
||||
end
|
|
@ -0,0 +1,255 @@
|
|||
action :run do
|
||||
configure
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
|
||||
def configure
|
||||
base_piddir = new_resource.base_piddir
|
||||
|
||||
current_version = if new_resource.version.nil?
|
||||
version
|
||||
else
|
||||
new_resource.version
|
||||
end
|
||||
|
||||
version_hash = RedisioHelper.version_to_hash(current_version)
|
||||
|
||||
# Setup a configuration file and init script for each configuration provided
|
||||
new_resource.sentinels.each do |current_instance|
|
||||
# Retrieve the default settings hash and the current server setups settings hash.
|
||||
current_instance_hash = current_instance.to_hash
|
||||
current_defaults_hash = new_resource.sentinel_defaults.to_hash
|
||||
|
||||
# Merge the configuration defaults with the provided array of configurations provided
|
||||
current = current_defaults_hash.merge(current_instance_hash)
|
||||
|
||||
recipe_eval do
|
||||
sentinel_name = current['name'] || current['port']
|
||||
sentinel_name = "sentinel_#{sentinel_name}"
|
||||
piddir = "#{base_piddir}/#{sentinel_name}"
|
||||
|
||||
# Create the owner of the redis data directory
|
||||
user current['user'] do
|
||||
comment 'Redis service account'
|
||||
manage_home true
|
||||
home current['homedir']
|
||||
shell current['shell']
|
||||
system current['systemuser']
|
||||
uid current['uid'] unless current['uid'].nil?
|
||||
end
|
||||
|
||||
# Create the redis configuration directory
|
||||
directory current['configdir'] do
|
||||
owner 'root'
|
||||
group platform_family?('freebsd') ? 'wheel' : 'root'
|
||||
mode '0755'
|
||||
recursive true
|
||||
action :create
|
||||
end
|
||||
# Create the pid file directory
|
||||
directory piddir do
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0755'
|
||||
recursive true
|
||||
action :create
|
||||
end
|
||||
|
||||
unless current['logfile'].nil?
|
||||
# Create the log directory if syslog is not being used
|
||||
directory ::File.dirname(current['logfile']) do
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0755'
|
||||
recursive true
|
||||
action :create
|
||||
only_if { current['syslogenabled'] != 'yes' && current['logfile'] && current['logfile'] != 'stdout' }
|
||||
end
|
||||
|
||||
# Create the log file is syslog is not being used
|
||||
file current['logfile'] do
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0644'
|
||||
backup false
|
||||
action :touch
|
||||
only_if { current['logfile'] && current['logfile'] != 'stdout' }
|
||||
end
|
||||
end
|
||||
|
||||
# <%=@name%> <%=@masterip%> <%=@masterport%> <%= @quorum_count %>
|
||||
# <%= "sentinel auth-pass #{@name} #{@authpass}" unless @authpass.nil? %>
|
||||
# sentinel down-after-milliseconds <%=@name%> <%=@downaftermil%>
|
||||
# sentinel parallel-syncs <%=@name%> <%=@parallelsyncs%>
|
||||
# sentinel failover-timeout <%=@name%> <%=@failovertimeout%>
|
||||
|
||||
# convert from old format (preserve compat)
|
||||
if !current['masters'] && current['master_ip']
|
||||
Chef::Log.warn('You are using a deprecated sentinel format. This will be removed in future versions.')
|
||||
|
||||
# use old key names if newer key names aren't present (e.g. 'foo' || :foo)
|
||||
masters = [
|
||||
{
|
||||
master_name: current['master_name'] || current[:mastername],
|
||||
master_ip: current['master_ip'] || current[:masterip],
|
||||
master_port: current['master_port'] || current[:masterport],
|
||||
quorum_count: current['quorum_count'] || current[:quorum_count],
|
||||
auth_pass: current['auth-pass'] || current[:authpass],
|
||||
down_after_milliseconds: current['down-after-milliseconds'] || current[:downaftermil],
|
||||
parallel_syncs: current['parallel-syncs'] || current[:parallelsyncs],
|
||||
failover_timeout: current['failover-timeout'] || current[:failovertimeout],
|
||||
},
|
||||
]
|
||||
else
|
||||
masters = [current['masters']].flatten
|
||||
end
|
||||
|
||||
# Load password for use with requirepass from data bag if needed
|
||||
if current['data_bag_name'] && current['data_bag_item'] && current['data_bag_key']
|
||||
bag = data_bag_item(current['data_bag_name'], current['data_bag_item'])
|
||||
masters.each do |master|
|
||||
master['auth_pass'] = bag[current['data_bag_key']]
|
||||
end
|
||||
end
|
||||
|
||||
# merge in default values to each sentinel hash
|
||||
masters_with_defaults = []
|
||||
masters.each do |current_sentinel_master|
|
||||
default_sentinel_master = new_resource.sentinel_defaults.to_hash
|
||||
sentinel_master = default_sentinel_master.merge(current_sentinel_master || {})
|
||||
masters_with_defaults << sentinel_master
|
||||
end
|
||||
|
||||
# Don't render a template if we're missing these from any sentinel,
|
||||
# as these are the minimal settings required to be passed in
|
||||
masters_with_defaults.each do |sentinel_instance|
|
||||
%w(master_ip master_port quorum_count).each do |param|
|
||||
raise "Missing required sentinel parameter #{param} for #{sentinel_instance}" unless sentinel_instance[param]
|
||||
end
|
||||
end
|
||||
|
||||
# Lay down the configuration files for the current instance
|
||||
template "#{current['configdir']}/#{sentinel_name}.conf" do
|
||||
source 'sentinel.conf.erb'
|
||||
cookbook 'redisio'
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0644'
|
||||
action :create
|
||||
variables(
|
||||
name: current['name'],
|
||||
piddir: piddir,
|
||||
version: version_hash,
|
||||
job_control: node['redisio']['job_control'],
|
||||
sentinel_bind: current['sentinel_bind'],
|
||||
sentinel_port: current['sentinel_port'],
|
||||
loglevel: current['loglevel'],
|
||||
logfile: current['logfile'],
|
||||
syslogenabled: current['syslogenabled'],
|
||||
syslogfacility: current['syslogfacility'],
|
||||
masters: masters_with_defaults,
|
||||
announce_ip: current['announce-ip'],
|
||||
announce_port: current['announce-port'],
|
||||
notification_script: current['notification-script'],
|
||||
client_reconfig_script: current['client-reconfig-script']
|
||||
)
|
||||
not_if { ::File.exist?("#{current['configdir']}/#{sentinel_name}.conf.breadcrumb") }
|
||||
end
|
||||
|
||||
file "#{current['configdir']}/#{sentinel_name}.conf.breadcrumb" do
|
||||
content 'This file prevents the chef cookbook from overwritting the sentinel config more than once'
|
||||
action :create_if_missing
|
||||
end
|
||||
|
||||
# Setup init.d file
|
||||
bin_path = if node['redisio']['install_dir']
|
||||
::File.join(node['redisio']['install_dir'], 'bin')
|
||||
else
|
||||
node['redisio']['bin_path']
|
||||
end
|
||||
template "/etc/init.d/redis_#{sentinel_name}" do
|
||||
source 'sentinel.init.erb'
|
||||
cookbook 'redisio'
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '0755'
|
||||
variables(
|
||||
name: sentinel_name,
|
||||
bin_path: bin_path,
|
||||
user: current['user'],
|
||||
configdir: current['configdir'],
|
||||
piddir: piddir,
|
||||
platform: node['platform']
|
||||
)
|
||||
only_if { node['redisio']['job_control'] == 'initd' }
|
||||
end
|
||||
|
||||
template "/etc/init/redis_#{sentinel_name}.conf" do
|
||||
source 'sentinel.upstart.conf.erb'
|
||||
cookbook 'redisio'
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0644'
|
||||
variables(
|
||||
name: sentinel_name,
|
||||
bin_path: bin_path,
|
||||
user: current['user'],
|
||||
group: current['group'],
|
||||
configdir: current['configdir'],
|
||||
piddir: piddir
|
||||
)
|
||||
only_if { node['redisio']['job_control'] == 'upstart' }
|
||||
end
|
||||
# TODO: fix for freebsd
|
||||
template "/usr/local/etc/rc.d/redis_#{sentinel_name}" do
|
||||
source 'sentinel.rcinit.erb'
|
||||
cookbook 'redisio'
|
||||
owner current['user']
|
||||
group current['group']
|
||||
mode '0755'
|
||||
variables(
|
||||
name: sentinel_name,
|
||||
bin_path: bin_path,
|
||||
user: current['user'],
|
||||
configdir: current['configdir'],
|
||||
piddir: piddir
|
||||
)
|
||||
only_if { node['redisio']['job_control'] == 'rcinit' }
|
||||
end
|
||||
end
|
||||
end
|
||||
# servers each loop
|
||||
end
|
||||
|
||||
def redis_exists?
|
||||
bin_path = if node['redisio']['install_dir']
|
||||
::File.join(node['redisio']['install_dir'], 'bin')
|
||||
else
|
||||
node['redisio']['bin_path']
|
||||
end
|
||||
redis_server = ::File.join(bin_path, 'redis-server')
|
||||
::File.exist?(redis_server)
|
||||
end
|
||||
|
||||
def version
|
||||
if redis_exists?
|
||||
bin_path = if node['redisio']['install_dir']
|
||||
::File.join(node['redisio']['install_dir'], 'bin')
|
||||
else
|
||||
node['redisio']['bin_path']
|
||||
end
|
||||
redis_server = ::File.join(bin_path, 'redis-server')
|
||||
redis_version = Mixlib::ShellOut.new("#{redis_server} -v")
|
||||
redis_version.run_command
|
||||
version = redis_version.stdout[/version (\d*.\d*.\d*)/, 1] || redis_version.stdout[/v=(\d*.\d*.\d*)/, 1]
|
||||
Chef::Log.info("The Redis server version is: #{version}")
|
||||
return version.delete("\n")
|
||||
end
|
||||
nil
|
||||
end
|
||||
|
||||
def load_current_resource
|
||||
@current_resource = Chef::Resource.resource_for_node(:redisio_sentinel, node).new(new_resource.name)
|
||||
@current_resource.version(version)
|
||||
@current_resource
|
||||
end
|
|
@ -0,0 +1,18 @@
|
|||
packages_to_install = case node['platform']
|
||||
when 'debian', 'ubuntu'
|
||||
%w(
|
||||
tar
|
||||
)
|
||||
when 'redhat', 'centos', 'fedora', 'scientific', 'suse', 'amazon'
|
||||
%w(
|
||||
tar
|
||||
)
|
||||
else
|
||||
%w()
|
||||
end
|
||||
|
||||
packages_to_install.each do |pkg|
|
||||
package pkg do
|
||||
action :install
|
||||
end
|
||||
end
|
|
@ -0,0 +1,56 @@
|
|||
include_recipe 'redisio::default'
|
||||
include_recipe 'ulimit::default'
|
||||
|
||||
redis = node['redisio']
|
||||
|
||||
redis_instances = redis['servers']
|
||||
if redis_instances.nil?
|
||||
redis_instances = [
|
||||
{
|
||||
'port' => '6379',
|
||||
},
|
||||
]
|
||||
end
|
||||
|
||||
redisio_configure 'redis-servers' do
|
||||
version redis['version'] if redis['version']
|
||||
default_settings redis['default_settings']
|
||||
servers redis_instances
|
||||
base_piddir redis['base_piddir']
|
||||
end
|
||||
|
||||
# Create a service resource for each redis instance, named for the port it runs on.
|
||||
redis_instances.each do |current_server|
|
||||
server_name = current_server['name'] || current_server['port']
|
||||
|
||||
case node['redisio']['job_control']
|
||||
when 'initd'
|
||||
service "redis#{server_name}" do
|
||||
# don't supply start/stop/restart commands, Chef::Provider::Service::*
|
||||
# do a fine job on it's own, and support systemd correctly
|
||||
supports start: true, stop: true, restart: false, status: true
|
||||
end
|
||||
when 'upstart'
|
||||
service "redis#{server_name}" do
|
||||
provider Chef::Provider::Service::Upstart
|
||||
start_command "start redis#{server_name}"
|
||||
stop_command "stop redis#{server_name}"
|
||||
restart_command "restart redis#{server_name}"
|
||||
supports start: true, stop: true, restart: true, status: false
|
||||
end
|
||||
when 'systemd'
|
||||
service "redis@#{server_name}" do
|
||||
provider Chef::Provider::Service::Systemd
|
||||
supports start: true, stop: true, restart: true, status: true
|
||||
end
|
||||
when 'rcinit'
|
||||
service "redis#{server_name}" do
|
||||
provider Chef::Provider::Service::Freebsd
|
||||
supports start: true, stop: true, restart: true, status: true
|
||||
end
|
||||
else
|
||||
Chef::Log.error('Unknown job control type, no service resource created!')
|
||||
end
|
||||
end
|
||||
|
||||
node.override['redisio']['servers'] = redis_instances
|
|
@ -0,0 +1,22 @@
|
|||
# debian 6.0.x fails the build_essential recipe without an apt-get update prior to run
|
||||
if platform?('debian', 'ubuntu')
|
||||
execute 'apt-get-update-periodic' do
|
||||
command 'apt-get update'
|
||||
ignore_failure true
|
||||
only_if do
|
||||
!File.exist?('/var/lib/apt/periodic/update-success-stamp') ||
|
||||
File.mtime('/var/lib/apt/periodic/update-success-stamp') < Time.now - 86400
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
unless node['redisio']['package_install']
|
||||
include_recipe 'redisio::_install_prereqs'
|
||||
build_essential 'install build deps'
|
||||
end
|
||||
|
||||
unless node['redisio']['bypass_setup']
|
||||
include_recipe 'redisio::install'
|
||||
include_recipe 'redisio::disable_os_default'
|
||||
include_recipe 'redisio::configure'
|
||||
end
|
|
@ -0,0 +1,14 @@
|
|||
redis = node['redisio']
|
||||
|
||||
redis['servers'].each do |current_server|
|
||||
server_name = current_server['name'] || current_server['port']
|
||||
resource_name = if node['redisio']['job_control'] == 'systemd'
|
||||
"service[redis@#{server_name}]"
|
||||
else
|
||||
"service[redis#{server_name}]"
|
||||
end
|
||||
resource = resources(resource_name)
|
||||
resource.action Array(resource.action)
|
||||
resource.action << :stop
|
||||
resource.action << :disable
|
||||
end
|
|
@ -0,0 +1,12 @@
|
|||
# disable the default OS redis init script
|
||||
service_name = case node['platform']
|
||||
when 'debian', 'ubuntu'
|
||||
'redis-server'
|
||||
when 'redhat', 'centos', 'fedora', 'scientific', 'suse', 'amazon'
|
||||
'redis'
|
||||
end
|
||||
|
||||
service service_name do
|
||||
action [:stop, :disable]
|
||||
only_if { service_name }
|
||||
end
|
|
@ -0,0 +1,13 @@
|
|||
redis = node['redisio']
|
||||
|
||||
redis['servers'].each do |current_server|
|
||||
server_name = current_server['name'] || current_server['port']
|
||||
resource_name = if node['redisio']['job_control'] == 'systemd'
|
||||
"service[redis@#{server_name}]"
|
||||
else
|
||||
"service[redis#{server_name}]"
|
||||
end
|
||||
resource = resources(resource_name)
|
||||
resource.action Array(resource.action)
|
||||
resource.action.concat [:start, :enable]
|
||||
end
|
|
@ -0,0 +1,22 @@
|
|||
if node['redisio']['package_install']
|
||||
package 'redisio_package_name' do
|
||||
package_name node['redisio']['package_name']
|
||||
version node['redisio']['version'] if node['redisio']['version']
|
||||
action :install
|
||||
end
|
||||
else
|
||||
include_recipe 'redisio::_install_prereqs'
|
||||
build_essential 'install build deps'
|
||||
|
||||
redis = node['redisio']
|
||||
location = "#{redis['mirror']}/#{redis['base_name']}#{redis['version']}.#{redis['artifact_type']}"
|
||||
|
||||
redisio_install 'redis-installation' do
|
||||
version redis['version'] if redis['version']
|
||||
download_url location
|
||||
safe_install redis['safe_install']
|
||||
install_dir redis['install_dir'] if redis['install_dir']
|
||||
end
|
||||
end
|
||||
|
||||
include_recipe 'ulimit::default'
|
|
@ -0,0 +1,4 @@
|
|||
gem_package node['redisio']['gem']['name'] do
|
||||
version node['redisio']['gem']['version'] unless node['redisio']['gem']['version'].nil?
|
||||
action :install
|
||||
end
|
|
@ -0,0 +1,78 @@
|
|||
include_recipe 'redisio::_install_prereqs'
|
||||
include_recipe 'redisio::install'
|
||||
include_recipe 'ulimit::default'
|
||||
|
||||
redis = node['redisio']
|
||||
|
||||
sentinel_instances = redis['sentinels']
|
||||
if sentinel_instances.nil?
|
||||
sentinel_instances = [
|
||||
{
|
||||
'sentinel_port' => '26379',
|
||||
'name' => 'mycluster',
|
||||
'masters' => [
|
||||
{
|
||||
'master_name' => 'mycluster_master',
|
||||
'master_ip' => '127.0.0.1',
|
||||
'master_port' => '6379',
|
||||
},
|
||||
],
|
||||
},
|
||||
]
|
||||
end
|
||||
|
||||
redisio_sentinel 'redis-sentinels' do
|
||||
version redis['version'] if redis['version']
|
||||
sentinel_defaults redis['sentinel_defaults']
|
||||
sentinels sentinel_instances
|
||||
base_piddir redis['base_piddir']
|
||||
end
|
||||
|
||||
bin_path = if node['redisio']['install_dir']
|
||||
::File.join(node['redisio']['install_dir'], 'bin')
|
||||
else
|
||||
node['redisio']['bin_path']
|
||||
end
|
||||
|
||||
template '/lib/systemd/system/redis-sentinel@.service' do
|
||||
source 'redis-sentinel@.service'
|
||||
variables(
|
||||
bin_path: bin_path,
|
||||
limit_nofile: redis['default_settings']['maxclients'] + 32
|
||||
)
|
||||
only_if { node['redisio']['job_control'] == 'systemd' }
|
||||
end
|
||||
|
||||
# Create a service resource for each sentinel instance, named for the port it runs on.
|
||||
sentinel_instances.each do |current_sentinel|
|
||||
sentinel_name = current_sentinel['name']
|
||||
|
||||
case node['redisio']['job_control']
|
||||
when 'initd'
|
||||
service "redis_sentinel_#{sentinel_name}" do
|
||||
# don't supply start/stop/restart commands, Chef::Provider::Service::*
|
||||
# do a fine job on it's own, and support systemd correctly
|
||||
supports start: true, stop: true, restart: true, status: false
|
||||
end
|
||||
when 'upstart'
|
||||
service "redis_sentinel_#{sentinel_name}" do
|
||||
provider Chef::Provider::Service::Upstart
|
||||
start_command "start redis_sentinel_#{sentinel_name}"
|
||||
stop_command "stop redis_sentinel_#{sentinel_name}"
|
||||
restart_command "restart redis_sentinel_#{sentinel_name}"
|
||||
supports start: true, stop: true, restart: true, status: false
|
||||
end
|
||||
when 'systemd'
|
||||
service "redis-sentinel@#{sentinel_name}" do
|
||||
provider Chef::Provider::Service::Systemd
|
||||
supports start: true, stop: true, restart: true, status: true
|
||||
end
|
||||
when 'rcinit'
|
||||
service "redis_sentinel_#{sentinel_name}" do
|
||||
provider Chef::Provider::Service::Freebsd
|
||||
supports start: true, stop: true, restart: true, status: true
|
||||
end
|
||||
else
|
||||
Chef::Log.error('Unknown job control type, no service resource created!')
|
||||
end
|
||||
end
|
|
@ -0,0 +1,38 @@
|
|||
sentinel_instances = node['redisio']['sentinels']
|
||||
|
||||
if sentinel_instances.nil?
|
||||
sentinel_instances = [
|
||||
{
|
||||
'sentinel_port' => '26379',
|
||||
'name' => 'mycluster',
|
||||
'master_ip' => '127.0.0.1',
|
||||
'master_port' => '6379',
|
||||
},
|
||||
]
|
||||
end
|
||||
|
||||
execute 'reload-systemd-sentinel' do
|
||||
command 'systemctl daemon-reload'
|
||||
only_if { node['redisio']['job_control'] == 'systemd' }
|
||||
action :nothing
|
||||
end
|
||||
|
||||
sentinel_instances.each do |current_sentinel|
|
||||
sentinel_name = current_sentinel['name']
|
||||
resource_name = if node['redisio']['job_control'] == 'systemd'
|
||||
"service[redis-sentinel@#{sentinel_name}]"
|
||||
else
|
||||
"service[redis_sentinel_#{sentinel_name}]"
|
||||
end
|
||||
resource = resources(resource_name)
|
||||
resource.action Array(resource.action)
|
||||
resource.action << :start
|
||||
if node['redisio']['job_control'] != 'systemd'
|
||||
resource.action << :enable
|
||||
else
|
||||
link "/etc/systemd/system/multi-user.target.wants/redis-sentinel@#{sentinel_name}.service" do
|
||||
to '/usr/lib/systemd/system/redis-sentinel@.service'
|
||||
notifies :run, 'execute[reload-systemd-sentinel]', :immediately
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,12 @@
|
|||
actions :run
|
||||
|
||||
default_action :run
|
||||
|
||||
# Configuration attributes
|
||||
attribute :version, kind_of: String
|
||||
attribute :base_piddir, kind_of: String, default: '/var/run/redis'
|
||||
attribute :user, kind_of: String, default: 'redis'
|
||||
attribute :group, kind_of: String, default: 'redis'
|
||||
|
||||
attribute :default_settings, kind_of: Hash
|
||||
attribute :servers, kind_of: Array
|
|
@ -0,0 +1,13 @@
|
|||
actions :run
|
||||
|
||||
default_action :run
|
||||
|
||||
# Installation attributes
|
||||
attribute :version, kind_of: String
|
||||
attribute :download_url, kind_of: String
|
||||
attribute :download_dir, kind_of: String, default: Chef::Config[:file_cache_path]
|
||||
attribute :artifact_type, kind_of: String, default: 'tar.gz'
|
||||
attribute :base_name, kind_of: String, default: 'redis-'
|
||||
attribute :safe_install, kind_of: [TrueClass, FalseClass], default: true
|
||||
|
||||
attribute :install_dir, kind_of: String, default: nil
|
|
@ -0,0 +1,11 @@
|
|||
actions :run
|
||||
|
||||
default_action :run
|
||||
|
||||
# Configuration attributes
|
||||
attribute :version, kind_of: String
|
||||
attribute :base_piddir, kind_of: String, default: '/var/run/redis'
|
||||
attribute :user, kind_of: String, default: 'redis'
|
||||
|
||||
attribute :sentinel_defaults, kind_of: Hash
|
||||
attribute :sentinels, kind_of: Array
|
|
@ -0,0 +1,12 @@
|
|||
[Unit]
|
||||
Description=Redis persistent key-value database
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=<%= @bin_path %>/redis-server /etc/redis/sentinel_%i.conf --sentinel --daemonize no
|
||||
User=redis
|
||||
Group=redis
|
||||
LimitNOFILE=<%= @limit_nofile %>
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,96 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Simple Redis init.d script conceived to work on Linux systems
|
||||
# as it does use of the /proc filesystem.
|
||||
#
|
||||
# description: Redis is an in memory key-value store database
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: redis<%= @port %>
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Required-Start: <%= @required_start %>
|
||||
# Required-Stop: <%= @required_stop %>
|
||||
# Description: redis<%= @port %> init script
|
||||
### END INIT INFO
|
||||
|
||||
REDISNAME=<%= @name %>
|
||||
REDISPORT=<%= @port %>
|
||||
<% case @platform %>
|
||||
<% when 'ubuntu','debian','fedora' %>
|
||||
EXEC="su -s /bin/sh -c '<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${REDISNAME}.conf' <%= @user %>"
|
||||
<% else %>
|
||||
EXEC="runuser <%= @user %> -c \"<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${REDISNAME}.conf\""
|
||||
<% end %>
|
||||
CLIEXEC=<%= File.join(@bin_path, 'redis-cli') %>
|
||||
|
||||
<% connection_string = String.new %>
|
||||
<% if @unixsocket.nil? %>
|
||||
<% connection_string << " -p #{@port}" %>
|
||||
<% connection_string << " -h #{@address.respond_to?(:first) ? @address.first : @address }" if @address %>
|
||||
<% else %>
|
||||
<% connection_string << " -s #{@unixsocket}" %>
|
||||
<% end %>
|
||||
<% connection_string << " -a '#{@requirepass}'" unless @requirepass.nil? %>
|
||||
|
||||
PIDFILE=<%= @piddir %>/redis_${REDISNAME}.pid
|
||||
|
||||
if [ ! -d <%= @piddir %> ]; then
|
||||
mkdir -p <%= @piddir %>
|
||||
chown <%= @user %> <%= @piddir %>
|
||||
fi
|
||||
|
||||
ulimit -n <%= @ulimit %>
|
||||
|
||||
case "$1" in
|
||||
status)
|
||||
if [ -f $PIDFILE ]
|
||||
then
|
||||
echo "redis$REDISNAME $PIDFILE exists, pid is $(cat $PIDFILE), should be running"
|
||||
ps -p $(cat $PIDFILE) >/dev/null 2>&1
|
||||
exit $?
|
||||
else
|
||||
echo "redis$REDISNAME $PIDFILE doesn't exist"
|
||||
exit 3
|
||||
fi
|
||||
;;
|
||||
start)
|
||||
if [ -f $PIDFILE ]
|
||||
then
|
||||
echo "$PIDFILE exists, process is already running or crashed"
|
||||
PIDNUM=`cat $PIDFILE`
|
||||
PROCESS_RUNNING=`ps --no-headers -q $PIDNUM | wc -l`
|
||||
if [ ! $PROCESS_RUNNING -eq 1 ]
|
||||
then
|
||||
echo "The PID doesn't exists, restarting it."
|
||||
rm $PIDFILE
|
||||
eval $EXEC
|
||||
fi
|
||||
else
|
||||
echo "Starting Redis server..."
|
||||
eval $EXEC
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
if [ ! -f $PIDFILE ]
|
||||
then
|
||||
echo "$PIDFILE does not exist, process is not running"
|
||||
else
|
||||
PID=$(cat $PIDFILE)
|
||||
echo "Stopping ..."
|
||||
|
||||
<%= "$CLIEXEC #{connection_string} save" if @shutdown_save %>
|
||||
$CLIEXEC <%= connection_string %> shutdown
|
||||
|
||||
while [ -x /proc/${PID} ]
|
||||
do
|
||||
echo "Waiting for Redis to shutdown ..."
|
||||
sleep 1
|
||||
done
|
||||
echo "Redis stopped"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo "Please use start or stop as first argument"
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,69 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
#
|
||||
|
||||
# PROVIDE: redis<%= @name %>
|
||||
# REQUIRE: LOGIN
|
||||
# BEFORE: securelevel
|
||||
# KEYWORD: shutdown
|
||||
|
||||
# Add the following line to /etc/rc.conf to enable `redis':
|
||||
#
|
||||
#redis<%= @name %>_enable="YES"
|
||||
#
|
||||
# Define profiles here to run separate redis instances:
|
||||
#
|
||||
#redis_profiles="foo bar" # Script uses /usr/local/etc/redis-NAME.conf respectively.
|
||||
# For correct script working please update pidfile entries in
|
||||
# redis-NAME.conf files.
|
||||
|
||||
. /etc/rc.subr
|
||||
|
||||
name="redis<%= @name %>"
|
||||
rcvar="${name}_enable"
|
||||
|
||||
extra_commands="reload"
|
||||
|
||||
command="<%= File.join(@bin_path, 'redis-server') %>"
|
||||
pidfile="<%= @piddir %>/redis_<%=@name%>.pid"
|
||||
|
||||
# read configuration and set defaults
|
||||
load_rc_config "$name"
|
||||
: ${redis<%= @name %>_enable="NO"}
|
||||
: ${redis_user="<%= @user %>"}
|
||||
: ${redis_config="<%= @configdir %>/<%= @name %>.conf"}
|
||||
|
||||
command_args="${redis_config}"
|
||||
required_files="${redis_config}"
|
||||
|
||||
_profile_exists() {
|
||||
for _p in ${redis_profiles}; do
|
||||
[ "${_p}" = "$1" ] && return 1;
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
if [ $# -eq 2 ]; then
|
||||
_profile=$2
|
||||
_profile_exists $_profile
|
||||
_exists=$?
|
||||
[ ${_exists} -ne 1 ] && {
|
||||
echo "`basename /usr/local/etc/rc.d/redis`: no '$2' in 'redis_profiles'"
|
||||
exit 1
|
||||
};
|
||||
echo "-- Profile: ${name} --"
|
||||
config_file="/usr/local/etc/redis/${name}.conf"
|
||||
command_args="${config_file}"
|
||||
pidfile="<%= @piddir %>/${name}.pid"
|
||||
required_files="${config_file}"
|
||||
elif [ -n "${redis_profiles}" ]; then
|
||||
_swap=$*; shift; _profiles=$*
|
||||
_profiles=${_profiles:-${redis_profiles}}
|
||||
set -- ${_swap}
|
||||
for _profile in ${_profiles}; do
|
||||
/usr/local/etc/rc.d/redis $1 ${_profile}
|
||||
done
|
||||
exit 0
|
||||
fi
|
||||
|
||||
run_rc_command "$1"
|
|
@ -0,0 +1,19 @@
|
|||
description "Start the redis instance on port <%= @port %>"
|
||||
author "Installed by chef redisio cookbook"
|
||||
|
||||
#start on runlevel [2345]
|
||||
stop on runlevel [06]
|
||||
|
||||
script
|
||||
if [ ! -d <%= @piddir %> ]; then
|
||||
mkdir -p <%= @piddir %>
|
||||
chown <%= @user %>:<%= @group %> <%= @piddir %>
|
||||
fi
|
||||
end script
|
||||
|
||||
# If the job exits, restart it. Give up with more than 10 restarts in 30 seconds.
|
||||
respawn
|
||||
respawn limit 10 30
|
||||
|
||||
exec su -s /bin/sh -c 'exec "$0" "$@"' <%= @user %> <%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/<%= @name %>.conf
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
[Unit]
|
||||
Description=Redis (%i) persistent key-value database
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=<%= @bin_path %>/redis-server /etc/redis/%i.conf --daemonize no
|
||||
User=<%= @user %>
|
||||
Group=<%= @group %>
|
||||
LimitNOFILE=<%= @limit_nofile %>
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,199 @@
|
|||
# Example sentinel.conf
|
||||
|
||||
# redisio Cookbook additions
|
||||
<% if @job_control == 'initd' || @job_control == 'rcinit' %>
|
||||
daemonize yes
|
||||
<% end %>
|
||||
pidfile <%= @piddir %>/sentinel_<%=@name%>.pid
|
||||
loglevel <%=@loglevel%>
|
||||
syslog-enabled <%= @syslogenabled %>
|
||||
syslog-ident redis-<%= @name %>
|
||||
syslog-facility <%= @syslogfacility %>
|
||||
<%= "logfile #{@logfile}" unless @logfile.nil? %>
|
||||
|
||||
# bind sentinel IP
|
||||
<% if @sentinel_bind %>
|
||||
bind <%=@sentinel_bind%>
|
||||
<% end %>
|
||||
# port <sentinel-port>
|
||||
# The port that this sentinel instance will run on
|
||||
port <%=@sentinel_port%>
|
||||
|
||||
# sentinel announce-ip <ip>
|
||||
# sentinel announce-port <port>
|
||||
#
|
||||
# The above two configuration directives are useful in environments where,
|
||||
# because of NAT, Sentinel is reachable from outside via a non-local address.
|
||||
#
|
||||
# When announce-ip is provided, the Sentinel will claim the specified IP address
|
||||
# in HELLO messages used to gossip its presence, instead of auto-detecting the
|
||||
# local address as it usually does.
|
||||
#
|
||||
# Similarly when announce-port is provided and is valid and non-zero, Sentinel
|
||||
# will announce the specified TCP port.
|
||||
#
|
||||
# The two options don't need to be used together, if only announce-ip is
|
||||
# provided, the Sentinel will announce the specified IP and the server port
|
||||
# as specified by the "port" option. If only announce-port is provided, the
|
||||
# Sentinel will announce the auto-detected local IP and the specified port.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# sentinel announce-ip 1.2.3.4
|
||||
<%= "sentinel announce-ip #{@announce_ip}" unless @announce_ip.nil? %>
|
||||
<%= "sentinel announce-port #{@announce_port}" unless @announce_port.nil? %>
|
||||
|
||||
# sentinel monitor <master-name> <ip> <redis-port> <quorum>
|
||||
#
|
||||
# Tells Sentinel to monitor this slave, and to consider it in O_DOWN
|
||||
# (Objectively Down) state only if at least <quorum> sentinels agree.
|
||||
#
|
||||
# Note: master name should not include special characters or spaces.
|
||||
# The valid charset is A-z 0-9 and the three characters ".-_".
|
||||
# sentinel monitor mymaster 127.0.0.1 6379 2
|
||||
<% @masters.each do |current| %>
|
||||
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
|
||||
<%= "sentinel monitor #{calc_name} #{current['master_ip']} #{current['master_port']} #{current['quorum_count']}" %>
|
||||
<% end %>
|
||||
# sentinel auth-pass <master-name> <password>
|
||||
#
|
||||
# Set the password to use to authenticate with the master and slaves.
|
||||
# Useful if there is a password set in the Redis instances to monitor.
|
||||
#
|
||||
# Note that the master password is also used for slaves, so it is not
|
||||
# possible to set a different password in masters and slaves instances
|
||||
# if you want to be able to monitor these instances with Sentinel.
|
||||
#
|
||||
# However you can have Redis instances without the authentication enabled
|
||||
# mixed with Redis instances requiring the authentication (as long as the
|
||||
# password set is the same for all the instances requiring the password) as
|
||||
# the AUTH command will have no effect in Redis instances with authentication
|
||||
# switched off.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# sentinel auth-pass mymaster MySUPER--secret-0123passw0rd
|
||||
<% @masters.each do |current| %>
|
||||
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
|
||||
<%= "sentinel auth-pass #{calc_name} #{current['auth_pass']}" unless current['auth_pass'].nil? %>
|
||||
<% end %>
|
||||
# sentinel down-after-milliseconds <master-name> <milliseconds>
|
||||
#
|
||||
# Number of milliseconds the master (or any attached slave or sentinel) should
|
||||
# be unreachable (as in, not acceptable reply to PING, continuously, for the
|
||||
# specified period) in order to consider it in S_DOWN state (Subjectively
|
||||
# Down).
|
||||
#
|
||||
# Default is 30 seconds.
|
||||
<% @masters.each do |current| %>
|
||||
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
|
||||
<%= "sentinel down-after-milliseconds #{calc_name} #{current['down_after_milliseconds']}" unless current['down_after_milliseconds'].nil? %>
|
||||
<% end %>
|
||||
# sentinel parallel-syncs <master-name> <numslaves>
|
||||
#
|
||||
# How many slaves we can reconfigure to point to the new slave simultaneously
|
||||
# during the failover. Use a low number if you use the slaves to serve query
|
||||
# to avoid that all the slaves will be unreachable at about the same
|
||||
# time while performing the synchronization with the master.
|
||||
<% @masters.each do |current| %>
|
||||
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
|
||||
<%= "sentinel parallel-syncs #{calc_name} #{current['parallel_syncs']}" unless current['parallel_syncs'].nil? %>
|
||||
<% end %>
|
||||
# sentinel failover-timeout <master-name> <milliseconds>
|
||||
#
|
||||
# Specifies the failover timeout in milliseconds. When this time has elapsed
|
||||
# without any progress in the failover process, it is considered concluded by
|
||||
# the sentinel even if not all the attached slaves were correctly configured
|
||||
# to replicate with the new master (however a "best effort" SLAVEOF command
|
||||
# is sent to all the slaves before).
|
||||
#
|
||||
# Also when 25% of this time has elapsed without any advancement, and there
|
||||
# is a leader switch (the sentinel did not started the failover but is now
|
||||
# elected as leader), the sentinel will continue the failover doing a
|
||||
# "takeover".
|
||||
#
|
||||
# Default is 15 minutes.
|
||||
<% @masters.each do |current| %>
|
||||
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
|
||||
<%= "sentinel failover-timeout #{calc_name} #{current['failover_timeout']}" unless current['failover_timeout'].nil? %>
|
||||
<% end %>
|
||||
|
||||
<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 8 || @version[:major].to_i > 3 %>
|
||||
# SCRIPTS EXECUTION
|
||||
#
|
||||
# sentinel notification-script and sentinel reconfig-script are used in order
|
||||
# to configure scripts that are called to notify the system administrator
|
||||
# or to reconfigure clients after a failover. The scripts are executed
|
||||
# with the following rules for error handling:
|
||||
#
|
||||
# If script exists with "1" the execution is retried later (up to a maximum
|
||||
# number of times currently set to 10).
|
||||
#
|
||||
# If script exists with "2" (or an higher value) the script execution is
|
||||
# not retried.
|
||||
#
|
||||
# If script terminates because it receives a signal the behavior is the same
|
||||
# as exit code 1.
|
||||
#
|
||||
# A script has a maximum running time of 60 seconds. After this limit is
|
||||
# reached the script is terminated with a SIGKILL and the execution retried.
|
||||
|
||||
# NOTIFICATION SCRIPT
|
||||
#
|
||||
# sentinel notification-script <master-name> <script-path>
|
||||
#
|
||||
# Call the specified notification script for any sentienl event that is
|
||||
# generated in the WARNING level (for instance -sdown, -odown, and so forth).
|
||||
# This script should notify the system administrator via email, SMS, or any
|
||||
# other messaging system, that there is something wrong with the monitored
|
||||
# Redis systems.
|
||||
#
|
||||
# The script is called with just two arguments: the first is the event type
|
||||
# and the second the event description.
|
||||
#
|
||||
# The script must exist and be executable in order for sentinel to start if
|
||||
# this option is provided.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# sentinel notification-script mymaster /var/redis/notify.sh
|
||||
<%= "sentinel notification-script #{@name} #{@notification_script}" unless @notification_script.nil? %>
|
||||
|
||||
# CLIENTS RECONFIGURATION SCRIPT
|
||||
#
|
||||
# sentinel client-reconfig-script <master-name> <script-path>
|
||||
#
|
||||
# When the failover starts, ends, or is aborted, a script can be called in
|
||||
# order to perform application-specific tasks to notify the clients that the
|
||||
# configuration has changed and the master is at a different address.
|
||||
#
|
||||
# The script is called in the following cases:
|
||||
#
|
||||
# Failover started (a slave is already promoted)
|
||||
# Failover finished (all the additional slaves already reconfigured)
|
||||
# Failover aborted (in that case the script was previously called when the
|
||||
# failover started, and now gets called again with swapped
|
||||
# addresses).
|
||||
#
|
||||
# The following arguments are passed to the script:
|
||||
#
|
||||
# <master-name> <role> <state> <from-ip> <from-port> <to-ip> <to-port>
|
||||
#
|
||||
# <state> is "start", "end" or "abort"
|
||||
# <role> is either "leader" or "observer"
|
||||
#
|
||||
# The arguments from-ip, from-port, to-ip, to-port are used to communicate
|
||||
# the old address of the master and the new address of the elected slave
|
||||
# (now a master) in the case state is "start" or "end".
|
||||
#
|
||||
# For abort instead the "from" is the address of the promoted slave and
|
||||
# "to" is the address of the original master address, since the failover
|
||||
# was aborted.
|
||||
#
|
||||
# This script should be resistant to multiple invocations.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# sentinel client-reconfig-script mymaster /var/redis/reconfig.sh
|
||||
<%= "sentinel client-reconfig-script #{@name} #{@client_reconfig_script}" unless @client_reconfig_script.nil? %>
|
||||
<% end %>
|
|
@ -0,0 +1,78 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Simple Redis init.d script conceived to work on Linux systems
|
||||
# as it does use of the /proc filesystem.
|
||||
#
|
||||
# description: Redis is an in memory key-value store database
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: redissentinel_<%=@name%>
|
||||
# Required-Start:
|
||||
# Required-Stop:
|
||||
# Should-Start:
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description:
|
||||
# Description: redissentinel_<%=@name%> init script
|
||||
### END INIT INFO
|
||||
|
||||
SENTINELNAME=<%= @name %>
|
||||
<% case @platform %>
|
||||
<% when 'ubuntu','debian','fedora' %>
|
||||
EXEC="su -s /bin/sh -c '<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${SENTINELNAME}.conf --sentinel' <%= @user %>"
|
||||
<% else %>
|
||||
EXEC="runuser <%= @user %> -c \"<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${SENTINELNAME}.conf --sentinel\""
|
||||
<% end %>
|
||||
CLIEXEC=<%= File.join(@bin_path, 'redis-cli') %>
|
||||
|
||||
|
||||
PIDFILE=<%= @piddir %>/${SENTINELNAME}.pid
|
||||
|
||||
if [ ! -d <%= @piddir %> ]; then
|
||||
mkdir -p <%= @piddir %>
|
||||
chown <%= @user %> <%= @piddir %>
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
status)
|
||||
if [ -f $PIDFILE ]
|
||||
then
|
||||
echo "redis$SENTINELNAME $PIDFILE exists, pid is $(cat $PIDFILE), should be running"
|
||||
ps -p $(cat $PIDFILE) >/dev/null 2>&1
|
||||
exit $?
|
||||
else
|
||||
echo "redis$SENTINELNAME $PIDFILE doesn't exist"
|
||||
exit 3
|
||||
fi
|
||||
;;
|
||||
start)
|
||||
if [ -f $PIDFILE ]
|
||||
then
|
||||
echo "$PIDFILE exists, process is already running or crashed"
|
||||
else
|
||||
echo "Starting Redis server..."
|
||||
eval $EXEC
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
if [ ! -f $PIDFILE ]
|
||||
then
|
||||
echo "$PIDFILE does not exist, process is not running"
|
||||
else
|
||||
PID=$(cat $PIDFILE)
|
||||
echo "Stopping ..."
|
||||
|
||||
kill ${PID}
|
||||
|
||||
while [ -x /proc/${PID} ]
|
||||
do
|
||||
echo "Waiting for Redis to shutdown ..."
|
||||
sleep 1
|
||||
done
|
||||
echo "Redis stopped"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo "Please use start or stop as first argument"
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,39 @@
|
|||
#!/bin/sh
|
||||
|
||||
# PROVIDE: sentinel_<%=@name%>
|
||||
# REQUIRE: LOGIN
|
||||
# BEFORE: securelevel
|
||||
# KEYWORD: shutdown
|
||||
|
||||
# Add the following line to /etc/rc.conf to enable `sentinel':
|
||||
#
|
||||
#redis_<%= @name %>_enable="YES"
|
||||
#
|
||||
|
||||
. /etc/rc.subr
|
||||
|
||||
name="redis_<%= @name %>"
|
||||
rcvar="${name}_enable"
|
||||
|
||||
command="<%= File.join(@bin_path, 'redis-sentinel') %>"
|
||||
pidfile="<%= @piddir %>/<%=@name%>.pid"
|
||||
|
||||
# read configuration and set defaults
|
||||
load_rc_config "$name"
|
||||
: ${sentinel_enable="NO"}
|
||||
: ${sentinel_user="<%= @user %>"}
|
||||
: ${sentinel_config="<%= @configdir %>/<%= @name %>.conf"}
|
||||
|
||||
command_args="${sentinel_config} --daemonize yes --pidfile ${pidfile}"
|
||||
required_files="${sentinel_config}"
|
||||
start_precmd="sentinel_checks"
|
||||
restart_precmd="sentinel_checks"
|
||||
|
||||
sentinel_checks()
|
||||
{
|
||||
if [ x`id -u ${sentinel_user}` != x`stat -f %u ${sentinel_config}` ]; then
|
||||
err 1 "${sentinel_config} must be owned by user ${sentinel_user}"
|
||||
fi
|
||||
}
|
||||
|
||||
run_rc_command "$1"
|
|
@ -0,0 +1,19 @@
|
|||
description "Start the redis-sentinel instance on port <%= @port %>"
|
||||
author "Installed by chef redisio cookbook"
|
||||
|
||||
#start on runlevel [2345]
|
||||
stop on runlevel [06]
|
||||
|
||||
script
|
||||
if [ ! -d <%= @piddir %> ]; then
|
||||
mkdir -p <%= @piddir %>
|
||||
chown <%= @user %>:<%= @group %> <%= @piddir %>
|
||||
fi
|
||||
end script
|
||||
|
||||
# If the job exits, restart it. Give up with more than 10 restarts in 30 seconds.
|
||||
respawn
|
||||
respawn limit 10 30
|
||||
|
||||
exec su -s /bin/sh -c 'exec "$0" "$@"' -- <%= @user %> <%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/<%= @name %>.conf --sentinel
|
||||
|
|
@ -0,0 +1,221 @@
|
|||
# selinux_policy CHANGELOG
|
||||
|
||||
This file is used to changes made in each version of the selinux_policy cookbook.
|
||||
|
||||
## 2.4.3 (2020-08-07)
|
||||
|
||||
- Ship the correct license file since this cookbook was relicensed - [@tas50](https://github.com/tas50)
|
||||
- Update testing configs - [@tas50](https://github.com/tas50)
|
||||
- Update the maintainer to be Chef Software - [@tas50](https://github.com/tas50)
|
||||
|
||||
## 2.4.2 (2020-08-07)
|
||||
|
||||
- Make sure the `setpersist` action runs by default not `set` to match the docs.
|
||||
|
||||
## 2.4.1 - 2020-05-14
|
||||
|
||||
- resolved cookstyle error: resources/module.rb:26:35 convention: `Layout/TrailingWhitespace`
|
||||
- resolved cookstyle error: resources/module.rb:26:36 refactor: `ChefModernize/FoodcriticComments`
|
||||
|
||||
## [2.4.0] - 2020-02-13
|
||||
|
||||
- Fix port_defined helper function for Centos 8 compatibility
|
||||
- Test fixes
|
||||
|
||||
## [2.3.6] - 2020-01-26
|
||||
|
||||
- Fix issue on use_selinux function
|
||||
- Migrate to github actions
|
||||
- Resolved ChefStyle/ImmediateNotificationTiming: Use :immediately instead of :immediate for resource notification timing notifies
|
||||
|
||||
## [2.3.5] - 2019-02-15
|
||||
|
||||
- Fix resource failure in permissive.rb Caused by [#96](https://github.com/sous-chefs/selinux_policy/pull/96)
|
||||
- Migrated testing to circleci
|
||||
|
||||
## [2.3.4] - 2019-02-07
|
||||
|
||||
- Fix `shell_out` to use an actual shell. Caused by [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
|
||||
|
||||
## [2.3.3] - 2019-02-06
|
||||
|
||||
- Perform relabel (restorecon) using xargs while still supporting regexes. Fixes [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
|
||||
|
||||
## [2.3.2] - 2018-11-29
|
||||
|
||||
- Cache which helper method calls
|
||||
|
||||
## [2.3.1] - 2018-11-29
|
||||
|
||||
- Use `chef/mixin/which` to locate selinux binaries. Fixes [#85](https://github.com/sous-chefs/selinux_policy/issues/85) & [#93](https://github.com/sous-chefs/selinux_policy/issues/93)
|
||||
|
||||
## [2.3.0] - 2018-11-27
|
||||
|
||||
- Further fixes for the earlier refactoring
|
||||
- Repair CI jobs
|
||||
|
||||
## [2.2.0] - 2018-11-21
|
||||
|
||||
- Large refactoring to helpers and resources
|
||||
- Add RHEL-8 packages
|
||||
|
||||
## [2.1.0] - 2018-04-12
|
||||
|
||||
- Port definition methods to check for already defined ports
|
||||
- Cleanup resource cloning
|
||||
- Deprecate support for Chef 12.x now it's EOL
|
||||
- Fix Foodcritic warnings & update test platforms
|
||||
|
||||
## 2.0.1 - 2017-04-21
|
||||
|
||||
- Perform relabel (restorecon) using find to support regexes
|
||||
|
||||
## 2.0.0 - 2017-02-23
|
||||
|
||||
- This cookbook has been moved to the Sous Chefs org. See sous-chefs.org for more information
|
||||
- Require Chef 12.1 or later
|
||||
- Use compat_resource instead of requiring yum
|
||||
- Don't install yum::dnf_yum_compat on Fedora since Chef has DNF support now
|
||||
- Don't define attributes in the metadata as these aren't used
|
||||
- Remove the Vagrantfile
|
||||
- Add chef_version requirements to the metadata
|
||||
- Test with ChefDK / Rake in Travis instead of gems
|
||||
- Resolve Foodcritic, Cookstyle, and Chefspec warnings
|
||||
|
||||
## 1.1.1
|
||||
|
||||
- [7307850] (Adam Ward) Silence fcontext guard output
|
||||
- [ad71437] (nitz) Restorecon is now done via shell_out
|
||||
- [fa30813] (James Le Cuirot) Change yum dependency to ~> 4.0
|
||||
- [cd9a8da] (nitz) Removed selinux enforcing from kitchen, unified runlists
|
||||
|
||||
## 1.1.0
|
||||
|
||||
- [daften] Added `file_type` for fcontext
|
||||
|
||||
## 1.0.1
|
||||
|
||||
- [backslasher] - Foodcritic and rubocop improvements
|
||||
|
||||
## 1.0.0
|
||||
|
||||
- [equick] - Validating ports better
|
||||
- [backslasher] - FContext relabling for flies is now immediate. (Possibly breaking)
|
||||
- [backslasher] - testing made slightly more elegant
|
||||
|
||||
## 0.9.6
|
||||
|
||||
- [jhmartin] - Updated README
|
||||
- [backslasher] - Major revision of testing
|
||||
|
||||
## 0.9.5
|
||||
|
||||
- [backslasher] - Modified yum dependency
|
||||
|
||||
## 0.9.4
|
||||
|
||||
- [mhorbul] - Fixed state detection in boolean resource
|
||||
|
||||
## 0.9.3
|
||||
|
||||
- [backlsasher] - Fixed testing & kitchen
|
||||
- [jbartko] - Added Fedora support
|
||||
|
||||
## 0.9.2
|
||||
|
||||
- [backslasher] - Ignoring nonexisting files in restorecon
|
||||
|
||||
## 0.9.1
|
||||
|
||||
- [backslasher] - Fixed issue with module being partially executed on machines with SELinux disabled
|
||||
|
||||
## 0.9.0
|
||||
|
||||
- [backslasher] - module overhaul: code refactoring, supporting new input, testing, new actions
|
||||
- [backslasher] - fcontext overhaul: code refactoring, testing, new action
|
||||
|
||||
**Note**: I don't think I have any breaking changes here. If there are, I apologise and request that you create an issue with a test recipe that fails on the problem (so I can reproduce)
|
||||
|
||||
## 0.8.1
|
||||
|
||||
- [backslasher] - Added Travis CI harness
|
||||
- [backslasher] - Fixed typo in README
|
||||
|
||||
## 0.8.0
|
||||
|
||||
- [backslasher] - Test overhaul. Now testing is somewhat reliable when using ports
|
||||
- [backslasher] - Port search is a function
|
||||
- [backslasher] - Port detection now supports ranges. No possibility to add ranges (yet)
|
||||
|
||||
## 0.7.2
|
||||
|
||||
- [shortdudey123] - ChefSpec matchers, helps testing
|
||||
|
||||
## 0.7.1
|
||||
|
||||
- [backslasher] - Forgot contributor
|
||||
|
||||
## 0.7.0
|
||||
|
||||
- [chewi] - Fixed prereq packages
|
||||
- [backslasher] - Modified misleading comment
|
||||
- [chewi] - Move helpers into a cookbook-specific module
|
||||
- [chewi] - Prevent use_selinux from blowing up on systems without getenforce
|
||||
|
||||
## 0.6.5
|
||||
|
||||
- [backslasher] - Ubuntu installation warning
|
||||
|
||||
## 0.6.4
|
||||
|
||||
- [sauraus] - CentOS 7 support
|
||||
- [sauraus] - Typos
|
||||
|
||||
## 0.6.3
|
||||
|
||||
- [backslasher] - Readme updates
|
||||
- [kevans] - Added kitchen testing
|
||||
|
||||
## 0.6.2
|
||||
|
||||
- [kevans] - Support Chef 11.8.0 running shellout!()
|
||||
- [backslasher] - Simplified support info
|
||||
- [backslasher] - ASCIIed files
|
||||
|
||||
## 0.6.1
|
||||
|
||||
- [backslasher] - Migrated to `only_if` instead of if
|
||||
- [backslasher] - README typos
|
||||
|
||||
## 0.6.0
|
||||
|
||||
- [joerg] - Added fcontext resource for managing file contexts under SELinux
|
||||
|
||||
## 0.5.0
|
||||
|
||||
- [backslasher] - Added RHEL5/derivatives support. Thanks to @knightorc.
|
||||
- **Cookbook will break on RHEL7\. If anyone experiences this, please check required packages and create an issue/PR**
|
||||
- [backslasher] - Machines without SELinux are (opionally) supported. Thanks to @knightroc.
|
||||
|
||||
## 0.4.0
|
||||
|
||||
- [backlasher] - Fixed foodcritic errors
|
||||
|
||||
## 0.3.0
|
||||
|
||||
- [backlasher] - Fixed `install.rb` syntax. Now it actually works
|
||||
|
||||
## 0.2.0
|
||||
|
||||
- [backlasher] - Added module resource. Currently supports deployment and removal (because that's what I need)
|
||||
- [backlasher] - Added permissive resource
|
||||
|
||||
## 0.1.0
|
||||
|
||||
- [backlasher] - Initial release of selinuxpolicy
|
||||
|
||||
[2.3.2]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.1...v2.3.2
|
||||
[2.3.1]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.0...v2.3.1
|
||||
[2.3.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.2.0...v2.3.0
|
||||
[2.2.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.1.0...v2.2.0
|
||||
[2.1.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.0.1...v2.1.0
|
|
@ -0,0 +1,4 @@
|
|||
# Contributing
|
||||
|
||||
Please refer to
|
||||
[https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
|
|
@ -0,0 +1,209 @@
|
|||
# selinux_policy Cookbook
|
||||
|
||||
[![Cookbook Version](https://img.shields.io/cookbook/v/selinux_policy.svg)](https://supermarket.chef.io/cookbooks/selinux_policy)
|
||||
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
|
||||
|
||||
This cookbook can be used to manage SELinux policies and components (rather than just enable / disable enforcing). I made it because I needed some SELinux settings done, and the `execute`s started to look annoying.
|
||||
|
||||
## Requirements
|
||||
|
||||
Needs an SELinux policy active (so its values can be managed). Can work with a disabled SELinux system (see attribute `allow_disabled`), which will generate warnings and do nothing (but won't break the run). Also requires SELinux's management tools, namely `semanage`, `setsebool` and `getsebool`. Tools are installed by the `selinux_policy::install` recipe (for RHEL/Debian and the like).
|
||||
|
||||
### Chef Infra Client
|
||||
|
||||
- 13 or later
|
||||
|
||||
### Platforms
|
||||
|
||||
- rhel
|
||||
- fedora
|
||||
|
||||
## Attributes
|
||||
|
||||
These attributes affect the way all of the resource behave.
|
||||
|
||||
- `node['selinux_policy']['allow_disabled']` - Whether to allow runs when SELinux is disabled. Will generate warnings, but the run won't fail. Defaults to `true`, set to `false` if you don't have any machines with disabled SELinux.
|
||||
|
||||
## Usage
|
||||
|
||||
- `selinux_policy::install` - Installs SELinux policy management tools
|
||||
|
||||
This cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook. Remember to add `depends 'selinux_policy'` to your `metadata.rb`.
|
||||
|
||||
### boolean
|
||||
|
||||
Represents an SELinux [boolean](http://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans). You can either `set` it, meaning it will be changed without persistence (it will revert to default in the next reboot), or `setpersist` it (default action), so it'll keep it value after rebooting. Using `setpersist` requires an active policy (so that the new value can be saved somewhere).
|
||||
|
||||
Properties:
|
||||
|
||||
- `name`: boolean's name. Defaults to resource name.
|
||||
- `value`: Its new value (`true`/`false`).
|
||||
- `force`: Use `setsebool` even if the current value agrees with the requested one.
|
||||
|
||||
Example usage:
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
selinux_policy_boolean 'httpd_can_network_connect' do
|
||||
value true
|
||||
# Make sure nginx is started if this value was modified
|
||||
notifies :start,'service[nginx]', :immediate
|
||||
end
|
||||
```
|
||||
|
||||
**Note**: Due to ruby interperting `0` as `true`, using `value 0` is unwise.
|
||||
|
||||
### port
|
||||
|
||||
Allows assigning a network port to a certain SELinux context. As explained [here](http://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388), it can be useful for running Apache on a non-standard port.
|
||||
|
||||
Actions:
|
||||
|
||||
- `addormodify` (default): Assigns the port to the right context, whether it's already listed another context or not at all.
|
||||
- `add`: Assigns the port to the right context it's if not listed (only uses `-a`).
|
||||
- `modify`: Changes the port's context if it's already listed (only uses `-m`).
|
||||
- `delete`: Removes the port's context if it's listed (uses `-d`).
|
||||
|
||||
Properties:
|
||||
|
||||
- `port`: The port in question, defaults to resource name.
|
||||
- `protocol`: `tcp`/`udp`.
|
||||
- `secontext`: The SELinux context to assign the port to. Unnecessary when using `delete`.
|
||||
|
||||
Example usage:
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
# Allow nginx to bind to port 5678, by giving it the http_port_t context
|
||||
selinux_policy_port '5678' do
|
||||
protocol 'tcp'
|
||||
secontext 'http_port_t'
|
||||
end
|
||||
```
|
||||
|
||||
### module
|
||||
|
||||
Manages SEModules
|
||||
|
||||
Actions:
|
||||
|
||||
- `fetch`: Prepares the module's files for compilation. Allow `remote_directory`-like behavior
|
||||
- `compile`: Translates a module source directory into a `NAME.pp` file. Uses `make` logic for idempotence.
|
||||
- `install`: Adds a compiled module (`pp`) to the current policy. Only installs if the module was modified this run, `force` is enabled or it's missing from the current policy. **Note:** I wish I could compare the existing module to the one generated, but the `extract` capability was only added in [Aug 15](https://github.com/SELinuxProject/selinux/commit/65c6325271b54d3de9c17352a57d469dfbd12729). I'll be happy to see a better idea.
|
||||
- `deploy` (default): Runs `fetch`, `compile`, `install` in that order.
|
||||
- `remove`: Removes a module.
|
||||
|
||||
Properties:
|
||||
|
||||
- `name`: The module name. Defaults to resource name.
|
||||
- `directory`: Directory where module is stored. Defaults to a directory inside the Chef cache.
|
||||
- `content`: The module content, can be extracted from `audit2allow -m NAME`. This can be used to create simple modules without using external files.
|
||||
- `directory_source`: Copies files cookbook to the module directory (uses `remote_directory`). Allows keeping all of the module's source files in the cookbook. **Note:** You can pre-create the module directory and populate it in any other way you'd choose.
|
||||
- `cookbook`: Modifies the source cookbook for the `remote_directory`.
|
||||
- `force`: Installs the module even if it seems fine. Ruins idempotence but should help solve some weird cases.
|
||||
|
||||
Example usage:
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
# Allow openvpn to write/delete in '/etc/openvpn'
|
||||
selinux_policy_module 'openvpn-googleauthenticator' do
|
||||
content <<-eos
|
||||
module dy-openvpn-googleauthenticator 1.0;
|
||||
|
||||
require {
|
||||
type openvpn_t;
|
||||
type openvpn_etc_t;
|
||||
class file { write unlink };
|
||||
}
|
||||
|
||||
|
||||
#============= openvpn_t ==============
|
||||
allow openvpn_t openvpn_etc_t:file { write unlink };
|
||||
eos
|
||||
action :deploy
|
||||
end
|
||||
```
|
||||
|
||||
### fcontext
|
||||
|
||||
Allows managing the SELinux context of files. This can be used to grant SELinux-protected daemons access to additional / moved files.
|
||||
|
||||
Actions:
|
||||
|
||||
- `addormodify` (default): Assigns the file regexp to the right context, whether it's already listed another context or not at all.
|
||||
- `add`: Assigns the file regexp to the right context it's if not listed (only uses -a).
|
||||
- `modify`: Changes the file regexp context if it's already listed (only uses -m).
|
||||
- `delete`: Removes the file regexp context if it's listed (uses -d).
|
||||
|
||||
Properties:
|
||||
|
||||
- `file_spec`: This is the file regexp in question, defaults to resource name.
|
||||
- `secontext`: The SELinux context to assign the file regexp to. Not required for `:delete`
|
||||
- `file_type`: Restrict the fcontext to specific file types. See the table below for an overview. See also <https://en.wikipedia.org/wiki/Unix_file_types> for more info
|
||||
- **a** All files
|
||||
- **f** Regular files
|
||||
- **d** Directory
|
||||
- **c** Character device
|
||||
- **b** Block device
|
||||
- **s** Socket
|
||||
- **l** Symbolic link
|
||||
- **p** Namedpipe
|
||||
|
||||
Example usage (see mysql cookbook for example daemons ):
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
# Allow http servers (nginx/apache) to modify moodle files
|
||||
selinux_policy_fcontext '/var/www/moodle(/.*)?' do
|
||||
secontext 'httpd_sys_rw_content_t'
|
||||
end
|
||||
|
||||
# Allow a custom mysql daemon to access its files.
|
||||
{'mysqld_etc_t' => "/etc/mysql-#{service_name}(/.*)?",
|
||||
'mysqld_etc_t' => "/etc/mysql-#{service_name}/my\.cnf",
|
||||
'mysqld_log_t' => "/var/log/mysql-#{service_name}(/.*)?",
|
||||
'mysqld_db_t' => "/opt/mysql_data_#{service_name}(/.*)?",
|
||||
'mysqld_var_run_t' => "/var/run/mysql-#{service_name}(/.*)?",
|
||||
'mysqld_initrc_exec_t' => "/etc/rc\.d/init\.d/mysql-#{service_name}"}.each do |sc, f|
|
||||
selinux_policy_fcontext f do
|
||||
secontext sc
|
||||
end
|
||||
end
|
||||
|
||||
# Adapt a symbolic link
|
||||
selinux_policy_fcontext '/var/www/symlink_to_webroot' do
|
||||
secontext 'httpd_sys_rw_content_t'
|
||||
filetype 'l'
|
||||
end
|
||||
```
|
||||
|
||||
### permissive
|
||||
|
||||
Allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely.
|
||||
|
||||
Actions:
|
||||
|
||||
- `add`: Adds a permissive, unless it's already added
|
||||
- `delete`: Deletes a permissive if it's listed
|
||||
|
||||
Example usage:
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
# Disable enforcement on Nginx
|
||||
# As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
|
||||
|
||||
selinux_policy_permissive 'nginx' do
|
||||
notifies :restart, 'service[nginx]'
|
||||
end
|
||||
```
|
||||
|
||||
## Original Author
|
||||
|
||||
[Nitzan Raz](https://github.com/BackSlasher) ([backslasher](http://backslasher.net))
|
|
@ -0,0 +1,108 @@
|
|||
class Chef
|
||||
module SELinuxPolicy
|
||||
module Helpers
|
||||
require 'chef/mixin/shell_out'
|
||||
include Chef::Mixin::ShellOut
|
||||
# Checks if SELinux is disabled or otherwise unavailable and
|
||||
# whether we're allowed to run when disabled
|
||||
def use_selinux(allow_disabled)
|
||||
begin
|
||||
getenforce = shell_out!(getenforce_cmd)
|
||||
rescue
|
||||
selinux_disabled = true
|
||||
else
|
||||
selinux_disabled = getenforce.stdout =~ /disabled/i
|
||||
end
|
||||
|
||||
# return false only when SELinux is disabled and it's allowed
|
||||
return_val = !selinux_disabled || !(selinux_disabled && allow_disabled)
|
||||
Chef::Log.warn('SELinux is disabled / unreachable, skipping') unless return_val
|
||||
return_val
|
||||
end
|
||||
|
||||
def sebool(new_resource, persist = false)
|
||||
persist_string = persist ? '-P ' : ''
|
||||
new_value = new_resource.value ? 'on' : 'off'
|
||||
execute "selinux-setbool-#{new_resource.name}-#{new_value}" do
|
||||
command "#{setsebool_cmd} #{persist_string} #{new_resource.name} #{new_value}"
|
||||
not_if "#{getsebool_cmd} #{new_resource.name} | grep '#{new_value}$' >/dev/null" unless new_resource.force
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
def module_defined(name)
|
||||
"#{semodule_cmd} -l | grep -w '^#{name}'"
|
||||
end
|
||||
|
||||
def shell_boolean(expression)
|
||||
expression ? 'true' : 'false'
|
||||
end
|
||||
|
||||
def port_defined(protocol, port, label = nil)
|
||||
base_command = "seinfo --portcon=#{port} | grep 'portcon #{protocol}' | awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'"
|
||||
grep = if label
|
||||
"grep -P '#{Regexp.escape(label)}'"
|
||||
else
|
||||
'grep -q ^'
|
||||
end
|
||||
"#{base_command} | #{grep}"
|
||||
end
|
||||
|
||||
def validate_port(port)
|
||||
raise ArgumentError, "port value: #{port} is invalid." unless port.to_s =~ /^\d+$/
|
||||
end
|
||||
|
||||
def fcontext_defined(file_spec, file_type, label = nil)
|
||||
file_hash = {
|
||||
'a' => 'all files',
|
||||
'f' => 'regular file',
|
||||
'd' => 'directory',
|
||||
'c' => 'character device',
|
||||
'b' => 'block device',
|
||||
's' => 'socket',
|
||||
'l' => 'symbolic link',
|
||||
'p' => 'named pipe',
|
||||
}
|
||||
|
||||
label_matcher = label ? "system_u:object_r:#{Regexp.escape(label)}:s0\\s*$" : ''
|
||||
"#{semanage_cmd} fcontext -l | grep -qP '^#{Regexp.escape(file_spec)}\\s+#{Regexp.escape(file_hash[file_type])}\\s+#{label_matcher}'"
|
||||
end
|
||||
|
||||
def semanage_options(file_type)
|
||||
# Set options for file_type
|
||||
if node['platform_family'].include?('rhel') && Chef::VersionConstraint.new('< 7.0').include?(node['platform_version'])
|
||||
case file_type
|
||||
when 'a' then '-f ""'
|
||||
when 'f' then '-f --'
|
||||
else; "-f -#{file_type}"
|
||||
end
|
||||
else
|
||||
"-f #{file_type}"
|
||||
end
|
||||
end
|
||||
|
||||
require 'chef/mixin/which'
|
||||
include Chef::Mixin::Which
|
||||
|
||||
def setsebool_cmd
|
||||
@setsebool_cmd ||= which('setsebool')
|
||||
end
|
||||
|
||||
def getsebool_cmd
|
||||
@getsebool_cmd ||= which('getsebool')
|
||||
end
|
||||
|
||||
def getenforce_cmd
|
||||
@getenforce_cmd ||= which('getenforce')
|
||||
end
|
||||
|
||||
def semanage_cmd
|
||||
@semanage_cmd ||= which('semanage')
|
||||
end
|
||||
|
||||
def semodule_cmd
|
||||
@semodule_cmd ||= which('semodule')
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1 @@
|
|||
{"name":"selinux_policy","version":"2.4.3","description":"Manages SELinux policy components","long_description":"","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"redhat":">= 0.0.0","centos":">= 0.0.0","fedora":">= 0.0.0","ubuntu":">= 0.0.0","debian":">= 0.0.0","amazon":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/sous-chefs/selinux_policy","issues_url":"https://github.com/sous-chefs/selinux_policy/issues","chef_version":[[">= 13.0"]],"ohai_version":[]}
|
|
@ -0,0 +1,16 @@
|
|||
name 'selinux_policy'
|
||||
maintainer 'Chef Software, Inc.'
|
||||
maintainer_email 'cookbooks@chef.io'
|
||||
license 'Apache-2.0'
|
||||
description 'Manages SELinux policy components'
|
||||
source_url 'https://github.com/sous-chefs/selinux_policy'
|
||||
issues_url 'https://github.com/sous-chefs/selinux_policy/issues'
|
||||
chef_version '>= 13.0'
|
||||
version '2.4.3'
|
||||
|
||||
supports 'redhat'
|
||||
supports 'centos'
|
||||
supports 'fedora'
|
||||
supports 'ubuntu'
|
||||
supports 'debian'
|
||||
supports 'amazon'
|
|
@ -0,0 +1 @@
|
|||
# Nothing here
|
|
@ -0,0 +1 @@
|
|||
selinux_policy_install 'install'
|
|
@ -0,0 +1,19 @@
|
|||
# A resource for managing SELinux Booleans
|
||||
|
||||
property :value, [true, false]
|
||||
property :force, [true, false], default: false
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
# Set and persist
|
||||
action :setpersist do
|
||||
sebool(new_resource, true)
|
||||
end
|
||||
|
||||
# Set for now, without persisting
|
||||
action :set do
|
||||
sebool(new_resource, false)
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
end
|
|
@ -0,0 +1,71 @@
|
|||
# Manages file specs in SELinux
|
||||
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
|
||||
|
||||
property :file_spec, String, name_property: true
|
||||
property :secontext, String
|
||||
property :file_type, String, default: 'a', equal_to: %w(a f d c b s l p)
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
action :addormodify do
|
||||
run_action(:add)
|
||||
run_action(:modify)
|
||||
end
|
||||
|
||||
# Run restorecon to fix label
|
||||
# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
|
||||
action :relabel do
|
||||
converge_by 'relabel' do
|
||||
spec = new_resource.file_spec
|
||||
escaped = Regexp.escape spec
|
||||
|
||||
common =
|
||||
if spec == escaped
|
||||
spec
|
||||
else
|
||||
index = spec.size.times { |i| break i if spec[i] != escaped[i] }
|
||||
::File.dirname spec[0...index]
|
||||
end
|
||||
|
||||
# Just in case the spec is very weird...
|
||||
common = '/' if common[0] != '/'
|
||||
|
||||
if ::File.exist? common
|
||||
shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 2>/dev/null | xargs -0 restorecon -iRv")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Create if doesn't exist, do not touch if fcontext is already registered
|
||||
action :add do
|
||||
execute "selinux-fcontext-#{new_resource.secontext}-add" do
|
||||
command "#{semanage_cmd} fcontext -a #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
|
||||
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
notifies :relabel, new_resource, :immediately
|
||||
end
|
||||
end
|
||||
|
||||
# Delete if exists
|
||||
action :delete do
|
||||
execute "selinux-fcontext-#{new_resource.secontext}-delete" do
|
||||
command "#{semanage_cmd} fcontext #{semanage_options(new_resource.file_type)} -d '#{new_resource.file_spec}'"
|
||||
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
notifies :relabel, new_resource, :immediately
|
||||
end
|
||||
end
|
||||
|
||||
action :modify do
|
||||
execute "selinux-fcontext-#{new_resource.secontext}-modify" do
|
||||
command "#{semanage_cmd} fcontext -m #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
|
||||
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
|
||||
notifies :relabel, new_resource, :immediately
|
||||
end
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
include Chef::Mixin::Which
|
||||
end
|
|
@ -0,0 +1,32 @@
|
|||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
action :install do
|
||||
case node['platform_family']
|
||||
when 'debian'
|
||||
raise 'Install SELinux manually on Ubuntu. See https://wiki.ubuntu.com/SELinux' if platform?('ubuntu')
|
||||
|
||||
execute 'selinux-activate' do
|
||||
action :nothing
|
||||
end
|
||||
|
||||
package %w(selinux-policy-default selinux-basics auditd) do
|
||||
notifies :run, 'execute[selinux-activate]', :immediately
|
||||
end
|
||||
|
||||
when 'rhel'
|
||||
case node['platform_version'].to_i
|
||||
when 6
|
||||
package %w(policycoreutils-python selinux-policy setools-console make)
|
||||
when 7
|
||||
package %w(policycoreutils-python selinux-policy-devel setools-console make)
|
||||
when 8
|
||||
package %w(policycoreutils-python-utils selinux-policy-devel setools-console make)
|
||||
else
|
||||
raise 'Unknown version of RHEL/derivative, cannot determine required package names'
|
||||
end
|
||||
when 'fedora'
|
||||
package %w(policycoreutils-python selinux-policy-devel setools-console make)
|
||||
else
|
||||
raise 'Unknown distro, cannot determine required package names'
|
||||
end
|
||||
end
|
|
@ -0,0 +1,75 @@
|
|||
# A resource for managing SE modules
|
||||
|
||||
property :module_name, String, name_property: true
|
||||
property :force, [true, false], default: false
|
||||
property :directory, String, default: lazy { "#{Chef::Config[:file_cache_path]}/#{module_name}" } # content to work with. Defaults to autogenerated name in the Chef cache. Can be provided and pre-populated
|
||||
# Content options:
|
||||
property :content, String # provide a 'te' file directly. Optional
|
||||
property :directory_source, String # Source directory for module source code. If specified, will use "remote_directory" on the directory specified as `directory`
|
||||
property :cookbook, String # Related to directory
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
action :deploy do
|
||||
run_action(:fetch)
|
||||
run_action(:compile)
|
||||
run_action(:install)
|
||||
end
|
||||
|
||||
# Get all the components in the right place
|
||||
action :fetch do
|
||||
directory new_resource.directory do
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
|
||||
raise 'dont specify both directory_source and content' if new_resource.directory_source && new_resource.content
|
||||
|
||||
if new_resource.directory_source
|
||||
remote_directory new_resource.directory do
|
||||
source new_resource.directory_source
|
||||
cookbook new_resource.cookbook
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
if new_resource.content
|
||||
file "#{new_resource.directory}/#{new_resource.module_name}.te" do
|
||||
content new_resource.content
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
action :compile do
|
||||
make_command = "/usr/bin/make -f /usr/share/selinux/devel/Makefile #{new_resource.module_name}.pp"
|
||||
execute "semodule-compile-#{new_resource.module_name}" do
|
||||
command make_command
|
||||
not_if "#{make_command} -q", cwd: new_resource.directory # $? = 1 means make wants to execute http://www.gnu.org/software/make/manual/html_node/Running.html
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
cwd new_resource.directory
|
||||
end
|
||||
end
|
||||
|
||||
# deploy / upgrade module
|
||||
# XXX this looks ugly because CentOS 6.X doesn't support extracting
|
||||
# SELinux modules from the current policy, which I planned on comparing
|
||||
# to my compiled file. I'll be happy to see anything else (that works).
|
||||
action :install do
|
||||
filename = "#{new_resource.directory}/#{new_resource.module_name}.pp"
|
||||
execute "semodule-install-#{new_resource.module_name}" do
|
||||
command "#{semodule_cmd} -i #{filename}"
|
||||
only_if "#{shell_boolean(new_resource.updated_by_last_action? || new_resource.force)} || ! (#{module_defined(new_resource.module_name)}) "
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action :remove do
|
||||
execute "semodule-remove-#{new_resource.module_name}" do
|
||||
command "#{semodule_cmd} -r #{new_resource.module_name}"
|
||||
only_if module_defined(new_resource.module_name)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
end
|
|
@ -0,0 +1,25 @@
|
|||
# a resource for managing selinux permissive contexts
|
||||
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
# Create if doesn't exist, do not touch if port is already registered (even under different type)
|
||||
action :add do
|
||||
execute "selinux-permissive-#{new_resource.name}-add" do
|
||||
command "#{semanage_cmd} permissive -a '#{new_resource.name}'"
|
||||
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
# Delete if exists
|
||||
action :delete do
|
||||
execute "selinux-port-#{new_resource.name}-delete" do
|
||||
command "#{semanage_cmd} permissive -d '#{new_resource.name}'"
|
||||
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
end
|
|
@ -0,0 +1,50 @@
|
|||
# Manages a port assignment in SELinux
|
||||
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
|
||||
|
||||
property :port, [Integer, String], name_property: true
|
||||
property :protocol, String, equal_to: %w(tcp udp)
|
||||
property :secontext, String
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
action :addormodify do
|
||||
# TODO: We can be a bit more clever here, and try to detect if it's already
|
||||
# there then modify
|
||||
# Try to add new port
|
||||
run_action(:add)
|
||||
# Try to modify existing port
|
||||
run_action(:modify)
|
||||
end
|
||||
|
||||
# Create if doesn't exist, do not touch if port is already registered (even under different type)
|
||||
action :add do
|
||||
validate_port(new_resource.port)
|
||||
execute "selinux-port-#{new_resource.port}-add" do
|
||||
command "#{semanage_cmd} port -a -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
|
||||
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
|
||||
not_if port_defined(new_resource.protocol, new_resource.port)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
# Delete if exists
|
||||
action :delete do
|
||||
validate_port(new_resource.port)
|
||||
execute "selinux-port-#{new_resource.port}-delete" do
|
||||
command "#{semanage_cmd} port -d -p #{new_resource.protocol} #{new_resource.port}"
|
||||
only_if port_defined(new_resource.protocol, new_resource.port)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action :modify do
|
||||
execute "selinux-port-#{new_resource.port}-modify" do
|
||||
command "#{semanage_cmd} port -m -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
|
||||
only_if port_defined(new_resource.protocol, new_resource.port)
|
||||
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
end
|
|
@ -0,0 +1,21 @@
|
|||
Backup
|
||||
======
|
||||
|
||||
## Backup gem
|
||||
|
||||
Backups are stored on AWS S3, in the `kosmos-dev-backups` bucket.
|
||||
|
||||
The S3 credentials as well as the backup password are stored in the
|
||||
`credentials` data bag under the `backup` item.
|
||||
|
||||
### Restore
|
||||
|
||||
To decrypt a backup archive, use the following command:
|
||||
|
||||
openssl aes-256-cbc -d -base64 -pbkdf2 -in my_backup.tar.enc -out my_backup.tar
|
||||
|
||||
If you get an error message along the lines of "bad decrypt", the archive was
|
||||
likely encrypted before we switched the key derivation scheme. Try without
|
||||
`-pbkdf2` in this case:
|
||||
|
||||
openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar
|
|
@ -18,7 +18,7 @@
|
|||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos-postgresql::hostsfile",
|
||||
"kosmos_postgresql::hostsfile",
|
||||
"kosmos-akkounts",
|
||||
"kosmos-akkounts::default",
|
||||
"kosmos-akkounts::nginx",
|
||||
|
|
|
@ -18,16 +18,17 @@
|
|||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"tor-full",
|
||||
"tor-full::default",
|
||||
"kosmos-bitcoin::source",
|
||||
"kosmos-bitcoin::c-lightning",
|
||||
"kosmos-bitcoin::lnd",
|
||||
"kosmos-bitcoin::rtl",
|
||||
"kosmos-bitcoin::lndhub",
|
||||
"kosmos-postgresql::hostsfile",
|
||||
"kosmos-bitcoin::dotnet",
|
||||
"kosmos-bitcoin::nbxplorer",
|
||||
"kosmos-bitcoin::btcpay",
|
||||
"tor-full",
|
||||
"tor-full::default",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
@ -52,6 +53,14 @@
|
|||
"nodejs::repo",
|
||||
"firewall::default",
|
||||
"chef-sugar::default",
|
||||
"redisio::default",
|
||||
"redisio::_install_prereqs",
|
||||
"redisio::install",
|
||||
"ulimit::default",
|
||||
"redisio::disable_os_default",
|
||||
"redisio::configure",
|
||||
"redisio::enable",
|
||||
"kosmos-base::letsencrypt",
|
||||
"kosmos-nginx::default",
|
||||
"nginx::default",
|
||||
"nginx::package",
|
||||
|
@ -62,7 +71,8 @@
|
|||
"nginx::commons_script",
|
||||
"nginx::commons_conf",
|
||||
"kosmos-nginx::firewall",
|
||||
"kosmos-base::letsencrypt"
|
||||
"backup::default",
|
||||
"logrotate::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
|
@ -80,11 +90,12 @@
|
|||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"recipe[tor-full]",
|
||||
"recipe[kosmos-bitcoin::source]",
|
||||
"recipe[kosmos-bitcoin::c-lightning]",
|
||||
"recipe[kosmos-bitcoin::lnd]",
|
||||
"recipe[kosmos-bitcoin::rtl]",
|
||||
"role[btcpay]",
|
||||
"recipe[tor-full]"
|
||||
"recipe[kosmos-bitcoin::lndhub]",
|
||||
"role[btcpay]"
|
||||
]
|
||||
}
|
|
@ -33,6 +33,8 @@
|
|||
"kosmos_assets::nginx_site",
|
||||
"kosmos_kvm::host",
|
||||
"kosmos-ejabberd::firewall",
|
||||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"kosmos_zerotier::firewall",
|
||||
"sockethub::_firewall",
|
||||
"apt::default",
|
||||
|
@ -86,6 +88,7 @@
|
|||
"recipe[kosmos_assets::nginx_site]",
|
||||
"recipe[kosmos_kvm::host]",
|
||||
"recipe[kosmos-ejabberd::firewall]",
|
||||
"recipe[kosmos_website::default]",
|
||||
"recipe[kosmos_zerotier::firewall]",
|
||||
"recipe[sockethub::_firewall]"
|
||||
]
|
||||
|
|
|
@ -8,17 +8,17 @@
|
|||
"automatic": {
|
||||
"fqdn": "postgres-2",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-64-generic",
|
||||
"os_version": "5.4.0-77-generic",
|
||||
"hostname": "postgres-2",
|
||||
"ipaddress": "192.168.122.244",
|
||||
"roles": [
|
||||
"postgresql_replica"
|
||||
"postgresql_primary"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos-postgresql::replica",
|
||||
"kosmos-postgresql::firewall",
|
||||
"kosmos_postgresql::primary",
|
||||
"kosmos_postgresql::firewall",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
@ -52,4 +52,4 @@
|
|||
"recipe[kosmos-base]",
|
||||
"role[postgresql_primary]"
|
||||
]
|
||||
}
|
||||
}
|
|
@ -0,0 +1,57 @@
|
|||
{
|
||||
"name": "postgres-4",
|
||||
"normal": {
|
||||
"knife_zero": {
|
||||
"host": "10.1.1.107"
|
||||
}
|
||||
},
|
||||
"automatic": {
|
||||
"fqdn": "postgres-4",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-91-generic",
|
||||
"hostname": "postgres-4",
|
||||
"ipaddress": "192.168.122.3",
|
||||
"roles": [
|
||||
"postgresql_replica"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos_postgresql::hostsfile",
|
||||
"kosmos_postgresql::replica",
|
||||
"kosmos_postgresql::firewall",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
"ntp::default",
|
||||
"ntp::apparmor",
|
||||
"kosmos-base::systemd_emails",
|
||||
"apt::unattended-upgrades",
|
||||
"kosmos-base::firewall",
|
||||
"kosmos-postfix::default",
|
||||
"postfix::default",
|
||||
"postfix::_common",
|
||||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
"cloud": null,
|
||||
"chef_packages": {
|
||||
"chef": {
|
||||
"version": "17.7.29",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.7.29/lib",
|
||||
"chef_effortless": null
|
||||
},
|
||||
"ohai": {
|
||||
"version": "17.7.8",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.7.8/lib/ohai"
|
||||
}
|
||||
}
|
||||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"role[postgresql_replica]"
|
||||
]
|
||||
}
|
|
@ -3,5 +3,5 @@
|
|||
name "postgresql_client"
|
||||
|
||||
run_list %w(
|
||||
kosmos-postgresql::hostsfile
|
||||
kosmos_postgresql::hostsfile
|
||||
)
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
name "postgresql_primary"
|
||||
|
||||
run_list %w(
|
||||
kosmos-postgresql::primary
|
||||
kosmos-postgresql::firewall
|
||||
kosmos_postgresql::primary
|
||||
kosmos_postgresql::firewall
|
||||
)
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
name "postgresql_replica"
|
||||
|
||||
run_list %w(
|
||||
kosmos-postgresql::hostsfile
|
||||
kosmos-postgresql::replica
|
||||
kosmos-postgresql::firewall
|
||||
kosmos_postgresql::hostsfile
|
||||
kosmos_postgresql::replica
|
||||
kosmos_postgresql::firewall
|
||||
)
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
name "redis_local"
|
||||
|
||||
run_list %w(
|
||||
redisio::default
|
||||
redisio::enable
|
||||
)
|
||||
|
||||
default_attributes({})
|
|
@ -32,6 +32,8 @@ gem_package 'backup' do
|
|||
version '5.0.0.beta.2'
|
||||
end
|
||||
|
||||
smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
|
||||
|
||||
backup_data = Chef::EncryptedDataBagItem.load('credentials', 'backup')
|
||||
backup_dir = node["backup"]["dir"]
|
||||
directory backup_dir
|
||||
|
@ -46,8 +48,12 @@ template "#{backup_dir}/config.rb" do
|
|||
s3_secret_access_key: backup_data["s3_secret_access_key"],
|
||||
s3_region: backup_data["s3_region"],
|
||||
encryption_password: backup_data["encryption_password"],
|
||||
mail_from: "backups@kosmos.org",
|
||||
mail_to: "ops@5apps.com",
|
||||
mail_from: "backups@kosmos.org"
|
||||
mail_address: 'smtp.mailgun.org',
|
||||
mail_domain: 'kosmos.org',
|
||||
mail_user_name: smtp_credentials["user_name"],
|
||||
mail_password: smtp_credentials["password"]
|
||||
end
|
||||
|
||||
template "#{backup_dir}/models/default.rb" do
|
||||
|
|
|
@ -6,6 +6,18 @@
|
|||
# Documentation: http://backup.github.io/backup
|
||||
# Issue Tracker: https://github.com/backup/backup/issues
|
||||
|
||||
#
|
||||
# Monkey patch to not use deprecated key derivation scheme
|
||||
# https://github.com/backup/backup/issues/949#issuecomment-589883577
|
||||
#
|
||||
module OpenSSLFixDeprecatedKeyDerivation
|
||||
def options
|
||||
super + ' -pbkdf2'
|
||||
end
|
||||
end
|
||||
require 'backup/encryptor/open_ssl'
|
||||
Backup::Encryptor::OpenSSL.prepend(OpenSSLFixDeprecatedKeyDerivation)
|
||||
|
||||
Storage::S3.defaults do |s3|
|
||||
s3.access_key_id = "<%= @s3_access_key_id %>"
|
||||
s3.secret_access_key = "<%= @s3_secret_access_key %>"
|
||||
|
@ -22,7 +34,13 @@ end
|
|||
Notifier::Mail.defaults do |mail|
|
||||
mail.from = "<%= node.name %> <<%= @mail_from %>>"
|
||||
mail.to = "<%= @mail_to %>"
|
||||
mail.delivery_method = :sendmail
|
||||
mail.address = "<%= @mail_address %>"
|
||||
mail.domain = "<%= @mail_domain %>"
|
||||
mail.user_name = "<%= @mail_user_name %>"
|
||||
mail.password = "<%= @mail_password %>"
|
||||
mail.port = <%= @mail_port || 587 %>
|
||||
mail.authentication = "<%= @mail_authentication || 'plain' %>"
|
||||
mail.encryption = <%= @mail_encryption || ':starttls' %>
|
||||
end
|
||||
|
||||
<%- if node["backup"]["mongodb"] -%>
|
||||
|
@ -75,7 +93,7 @@ preconfigure 'KosmosBackup' do
|
|||
encrypt_with OpenSSL
|
||||
notify_by Mail do |mail|
|
||||
mail.on_success = false
|
||||
mail.on_warning = false
|
||||
mail.on_warning = true
|
||||
mail.on_failure = true
|
||||
end
|
||||
end
|
||||
|
|
|
@ -14,5 +14,5 @@ depends "poise-ruby-build"
|
|||
depends "application"
|
||||
depends 'application_git'
|
||||
depends "postgresql"
|
||||
depends "kosmos-postgresql"
|
||||
depends "kosmos_postgresql"
|
||||
depends "backup"
|
||||
|
|
|
@ -57,6 +57,11 @@ node.default['rtl']['revision'] = 'v0.11.0'
|
|||
node.default['rtl']['host'] = '10.1.1.163'
|
||||
node.default['rtl']['port'] = '3000'
|
||||
|
||||
node.default['lndhub']['repo'] = 'https://github.com/bumi/LndHub.git'
|
||||
node.default['lndhub']['revision'] = 'master'
|
||||
node.default['lndhub']['port'] = '3023'
|
||||
node.default['lndhub']['domain'] = 'lndhub.kosmos.org'
|
||||
|
||||
node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb"
|
||||
node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@ chef_version '>= 14.0'
|
|||
# source_url 'https://github.com/<insert_org_here>/kosmos-bitcoin'
|
||||
|
||||
depends 'ark'
|
||||
depends 'backup'
|
||||
depends 'git'
|
||||
depends 'golang'
|
||||
depends 'kosmos-nginx'
|
||||
|
@ -27,3 +28,4 @@ depends 'kosmos-nodejs'
|
|||
depends 'firewall'
|
||||
depends 'application_javascript'
|
||||
depends 'tor-full'
|
||||
depends 'redisio'
|
||||
|
|
|
@ -0,0 +1,120 @@
|
|||
#
|
||||
# Cookbook:: kosmos-bitcoin
|
||||
# Recipe:: lndhub
|
||||
#
|
||||
|
||||
include_recipe 'redisio::default'
|
||||
include_recipe 'redisio::enable'
|
||||
|
||||
app_name = "lndhub"
|
||||
app_dir = "/opt/#{app_name}"
|
||||
lnd_dir = node['lnd']['lnd_dir']
|
||||
bitcoin_user = node['bitcoin']['username']
|
||||
bitcoin_group = node['bitcoin']['usergroup']
|
||||
bitcoin_credentials = Chef::EncryptedDataBagItem.load('credentials', 'bitcoin')
|
||||
|
||||
application app_dir do
|
||||
owner bitcoin_user
|
||||
group bitcoin_group
|
||||
|
||||
git do
|
||||
user bitcoin_user
|
||||
group bitcoin_group
|
||||
repository node['lndhub']['repo']
|
||||
revision node['lndhub']['revision']
|
||||
notifies :restart, "systemd_unit[lndhub.service]", :delayed
|
||||
end
|
||||
|
||||
npm_install do
|
||||
user bitcoin_user
|
||||
end
|
||||
|
||||
link "#{app_dir}/admin.macaroon" do
|
||||
to "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon"
|
||||
owner bitcoin_user
|
||||
group bitcoin_group
|
||||
end
|
||||
|
||||
link "#{app_dir}/tls.cert" do
|
||||
to "#{lnd_dir}/tls.cert"
|
||||
owner bitcoin_user
|
||||
group bitcoin_group
|
||||
end
|
||||
|
||||
template "#{app_dir}/config.js" do
|
||||
source "lndhub.config.js.erb"
|
||||
owner bitcoin_user
|
||||
group bitcoin_group
|
||||
mode '0600'
|
||||
variables bitcoin_rpc_host: node['bitcoin']['conf']['rpcbind'],
|
||||
bitcoin_rpc_user: node['bitcoin']['conf']['rpcuser'],
|
||||
bitcoin_rpc_pass: bitcoin_credentials["rpcpassword"],
|
||||
lnd_rpc_host: '127.0.0.1:10009'
|
||||
notifies :restart, "systemd_unit[lndhub.service]", :delayed
|
||||
end
|
||||
|
||||
systemd_unit 'lndhub.service' do
|
||||
content({
|
||||
Unit: {
|
||||
Description: 'LND Hub',
|
||||
Documentation: ['https://github.com/BlueWallet/LndHub'],
|
||||
Requires: 'lnd.service',
|
||||
After: 'lnd.service'
|
||||
},
|
||||
Service: {
|
||||
User: bitcoin_user,
|
||||
Group: bitcoin_group,
|
||||
Type: 'simple',
|
||||
Environment: "PORT=#{node['lndhub']['port']}",
|
||||
WorkingDirectory: app_dir,
|
||||
ExecStart: "/usr/bin/npm start",
|
||||
Restart: 'always',
|
||||
RestartSec: '30',
|
||||
TimeoutSec: '120',
|
||||
PrivateTmp: true,
|
||||
ProtectSystem: 'full',
|
||||
NoNewPrivileges: true,
|
||||
PrivateDevices: true,
|
||||
},
|
||||
Install: {
|
||||
WantedBy: 'multi-user.target'
|
||||
}
|
||||
})
|
||||
verify false
|
||||
triggers_reload true
|
||||
action [:create, :enable, :start]
|
||||
end
|
||||
end
|
||||
|
||||
include_recipe 'firewall'
|
||||
firewall_rule 'lndhub_private' do
|
||||
port node['lndhub']['port'].to_i
|
||||
source "10.1.1.0/24"
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
nginx_certbot_site node[app_name]['domain']
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
|
||||
source 'nginx_conf_lndhub.erb'
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
variables port: node[app_name]['port'],
|
||||
server_name: node[app_name]['domain'],
|
||||
ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site node[app_name]['domain'] do
|
||||
action :enable
|
||||
end
|
||||
|
||||
node.override["backup"]["archives"]["lndhub"] = ["/var/lib/redis/dump-6379.rdb"]
|
||||
include_recipe "backup"
|
||||
end
|
|
@ -0,0 +1,21 @@
|
|||
let config = {
|
||||
enableUpdateDescribeGraph: false,
|
||||
postRateLimit: 100,
|
||||
rateLimit: 200,
|
||||
forwardReserveFee: 0.01, // default 0.01
|
||||
intraHubFee: 0.003, // default 0.003
|
||||
bitcoind: {
|
||||
rpc: 'http://<%= @bitcoin_rpc_user %>:<%= @bitcoin_rpc_pass %>@<%= @bitcoin_rpc_host %>/wallet/wallet.dat',
|
||||
},
|
||||
redis: {
|
||||
port: 6379,
|
||||
host: '127.0.0.1',
|
||||
family: 4,
|
||||
db: 0,
|
||||
},
|
||||
lnd: {
|
||||
url: '<%= @lnd_rpc_host %>'
|
||||
},
|
||||
};
|
||||
|
||||
module.exports = config;
|
|
@ -0,0 +1,25 @@
|
|||
#
|
||||
# Generated by Chef
|
||||
#
|
||||
upstream _lndhub {
|
||||
server localhost:<%= @port %>;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
|
||||
|
||||
location / {
|
||||
proxy_pass http://_lndhub;
|
||||
}
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
}
|
||||
<% end -%>
|
|
@ -2,5 +2,5 @@
|
|||
source 'https://supermarket.chef.io'
|
||||
source chef_repo: ".."
|
||||
|
||||
cookbook "kosmos-postgresql", path: "../kosmos-postgresql"
|
||||
cookbook "kosmos_postgresql", path: "../kosmos_postgresql"
|
||||
metadata
|
||||
|
|
|
@ -20,9 +20,9 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
|
|||
# source_url 'https://github.com/<insert_org_here>/kosmos-ejabberd'
|
||||
|
||||
depends "kosmos-base"
|
||||
depends "kosmos-postgresql"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos-dirsrv"
|
||||
depends "kosmos_postgresql"
|
||||
depends "backup"
|
||||
depends "firewall"
|
||||
depends "tor-full"
|
||||
|
|
|
@ -13,7 +13,7 @@ depends "poise-ruby-build"
|
|||
depends "application"
|
||||
depends "application_git"
|
||||
depends "postgresql"
|
||||
depends "kosmos-postgresql"
|
||||
depends "kosmos_postgresql"
|
||||
depends "backup"
|
||||
depends "elasticsearch"
|
||||
depends "tor-full"
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
# kosmos-postgresql CHANGELOG
|
||||
|
||||
# 0.1.0
|
||||
|
||||
Initial release.
|
|
@ -20,5 +20,5 @@ chef_version '>= 14.0'
|
|||
# source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
|
||||
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos-postgresql"
|
||||
depends "kosmos_postgresql"
|
||||
depends "backup"
|
||||
|
|
|
@ -2,34 +2,13 @@
|
|||
# Cookbook:: kosmos_kvm
|
||||
# Recipe:: host
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2020, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
package %w(virtinst libvirt-daemon-system)
|
||||
|
||||
directory "/var/lib/libvirt/images/base" do
|
||||
recursive true
|
||||
owner "libvirt-qemu"
|
||||
group "root"
|
||||
group "kvm"
|
||||
mode "0750"
|
||||
end
|
||||
|
||||
|
@ -37,7 +16,7 @@ end
|
|||
remote_file "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2" do
|
||||
source "http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img"
|
||||
owner "libvirt-qemu"
|
||||
group "root"
|
||||
group "kvm"
|
||||
mode "0640"
|
||||
end
|
||||
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
# kosmos_postgresql CHANGELOG
|
||||
|
||||
# 0.1.0
|
||||
|
||||
Initial release.
|
|
@ -1,4 +1,4 @@
|
|||
# kosmos-postgresql
|
||||
# kosmos_postgresql
|
||||
|
||||
## Usage
|
||||
|
|
@ -1,3 +1,3 @@
|
|||
# This is set to false by default, and set to true in the server resource
|
||||
# for replicas.
|
||||
node.default['kosmos-postgresql']['ready_to_set_up_replica'] = false
|
||||
node.default['kosmos_postgresql']['ready_to_set_up_replica'] = false
|
|
@ -1,9 +1,9 @@
|
|||
name 'kosmos-postgresql'
|
||||
name 'kosmos_postgresql'
|
||||
maintainer 'Kosmos'
|
||||
maintainer_email 'ops@5apps.com'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures kosmos-postgresql'
|
||||
long_description 'Installs/Configures kosmos-postgresql'
|
||||
description 'Installs/Configures kosmos_postgresql'
|
||||
long_description 'Installs/Configures kosmos_postgresql'
|
||||
version '0.1.0'
|
||||
chef_version '>= 12.14' if respond_to?(:chef_version)
|
||||
|
||||
|
@ -11,13 +11,13 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
|
|||
# tracked. A `View Issues` link will be displayed on this cookbook's page when
|
||||
# uploaded to a Supermarket.
|
||||
#
|
||||
# issues_url 'https://github.com/<insert_org_here>/kosmos-postgresql/issues'
|
||||
# issues_url 'https://github.com/<insert_org_here>/kosmos_postgresql/issues'
|
||||
|
||||
# The `source_url` points to the development repository for this cookbook. A
|
||||
# `View Source` link will be displayed on this cookbook's page when uploaded to
|
||||
# a Supermarket.
|
||||
#
|
||||
# source_url 'https://github.com/<insert_org_here>/kosmos-postgresql'
|
||||
# source_url 'https://github.com/<insert_org_here>/kosmos_postgresql'
|
||||
|
||||
depends "postgresql", ">= 7.0.0"
|
||||
depends "build-essential"
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Cookbook:: kosmos-postgresql
|
||||
# Cookbook:: kosmos_postgresql
|
||||
# Recipe:: firewall
|
||||
#
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Cookbook:: kosmos-postgresql
|
||||
# Cookbook:: kosmos_postgresql
|
||||
# Recipe:: hostsfile
|
||||
#
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Cookbook:: kosmos-postgresql
|
||||
# Cookbook:: kosmos_postgresql
|
||||
# Recipe:: primary
|
||||
#
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Cookbook:: kosmos-postgresql
|
||||
# Cookbook:: kosmos_postgresql
|
||||
# Recipe:: replica
|
||||
#
|
||||
|
|
@ -1,4 +1,5 @@
|
|||
resource_name :postgresql_custom_server
|
||||
provides :postgresql_custom_server
|
||||
|
||||
property :postgresql_version, String, required: true, name_property: true
|
||||
property :role, String, required: true # Can be primary or replica
|
||||
|
@ -41,14 +42,14 @@ action :create do
|
|||
action :disable
|
||||
end
|
||||
|
||||
shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
|
||||
shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # < 1GB RAM
|
||||
"128MB"
|
||||
else # >= 1GB RAM, use 25% of total RAM
|
||||
"#{node['memory']['total'].to_i / 1024 / 4}MB"
|
||||
else # >= 1GB RAM, use 50% of total RAM
|
||||
"#{node['memory']['total'].to_i / 1024 / 2}MB"
|
||||
end
|
||||
|
||||
additional_config = {
|
||||
max_connections: 100, # default
|
||||
max_connections: 200, # default
|
||||
shared_buffers: shared_buffers,
|
||||
unix_socket_directories: "/var/run/postgresql",
|
||||
dynamic_shared_memory_type: "posix",
|
|
@ -0,0 +1,3 @@
|
|||
node.default["kosmos_website"]["domain"] = "kosmos.org"
|
||||
node.default["kosmos_website"]["repo"] = "https://gitea.kosmos.org/kosmos/website.git"
|
||||
node.default["kosmos_website"]["revision"] = "master"
|
|
@ -0,0 +1,10 @@
|
|||
name 'kosmos_website'
|
||||
maintainer 'Kosmos'
|
||||
maintainer_email 'ops@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Configures the main kosmos.org website'
|
||||
long_description 'Configures the main kosmos.org website'
|
||||
version '1.0.0'
|
||||
chef_version '>= 15.10' if respond_to?(:chef_version)
|
||||
|
||||
depends "kosmos-nginx"
|
|
@ -0,0 +1,38 @@
|
|||
#
|
||||
# Cookbook:: kosmos_website
|
||||
# Recipe:: default
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = node["kosmos_website"]["domain"]
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
directory "/var/www/#{domain}/site" do
|
||||
user node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
mode "0755"
|
||||
end
|
||||
|
||||
git "/var/www/#{domain}/site" do
|
||||
user node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
repository node["kosmos_website"]["repo"]
|
||||
revision node["kosmos_website"]["revision"]
|
||||
action :sync
|
||||
end
|
||||
|
||||
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
|
||||
source "nginx_conf_website.erb"
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
variables domain: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue