kosmos/chef
kosmos
/
chef
8
3
Fork 0
Code Issues 34 Pull Requests 2 Projects 1 Activity

Merge branch 'master' into feature/rskj_public_endpoint

This commit is contained in:
Greg 2021-12-02 17:07:47 +00:00
parent 584da20d3e 62d7998da8
commit 5ac53633cd
101 changed files with 5446 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Berksfile
View File

@ -8,6 +8,7 @@ cookbook 'mediawiki',
cookbook 'redis',
git: 'https://github.com/phlipper/chef-redis.git',
ref: 'v0.5.6'
cookbook 'redisio', '= 5.0.0' # TODO upgrade to 6.x when we use Chef 16
cookbook 'postfix', '= 5.0.2'
cookbook 'php', '~> 8.0.0'
cookbook 'composer', '~> 2.7.0'

5
Berksfile.lock
View File

@ -48,6 +48,7 @@ DEPENDENCIES
git: https://github.com/phlipper/chef-redis.git
revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b
ref: v0.5.6
redisio (= 5.0.0)
timezone_iii (= 1.0.4)
ulimit (~> 1.0.0)
users (~> 5.3.1)
@ -150,6 +151,10 @@ GRAPH
postfix (5.0.2)
redis (0.5.6)
apt (>= 0.0.0)
redisio (5.0.0)
selinux_policy (>= 2.2.0)
ulimit (>= 0.1.2)
selinux_policy (2.4.3)
seven_zip (3.1.1)
windows (>= 0.0.0)
timezone_iii (1.0.4)

4
clients/postgres-4.json Normal file
View File

@ -0,0 +1,4 @@
{
"name": "postgres-4",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu6fPxOZeKloF/EgYvU0k\nOwv8bJjsCQcWaMTPle5//mRTszA6PM2z9RI+Mfr45qxTlsL9pQY8WJOWF6QOK31x\nszuqcr7oOjtAhrLI8f/oNDEDjcx325FqG9gNKQEAD7d4zodh+PhDe6x7GIyIS7lG\nIcD5Zre9iDwv8FGLR+5GLqS8SJOPL/wJkQ8w+N0f8YDFw81kiTta5NLhAx3fMDs0\n2kmoNlbmKlNZTtLjCfCV+/pa9oY6wycjck3GvobiFE/4cWaNkeGlPc+uAwlfmrOv\nHy0tq1XBX/BCvE5kMXmhnMT23JXjm2s2PgCLgEVGAXilXk/T597KDm+z4oBpAQma\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
}

3
cookbooks/ipfs/metadata.json
View File

@ -31,5 +31,6 @@
],
"gems": [
]
],
"eager_load_libraries": true
}

3
cookbooks/mediawiki/metadata.json
View File

@ -32,5 +32,6 @@
],
"gems": [
]
],
"eager_load_libraries": true
}

3
cookbooks/poise-javascript/metadata.json
View File

@ -45,5 +45,6 @@
],
"gems": [
]
],
"eager_load_libraries": true
}

3
cookbooks/redis/metadata.json
View File

@ -32,5 +32,6 @@
],
"gems": [
]
],
"eager_load_libraries": true
}

363
cookbooks/redisio/CHANGELOG.md Normal file
View File

@ -0,0 +1,363 @@
# redisio
## 5.0.0 - *2021-09-08*
- resolved cookstyle error: attributes/default.rb:74:40 refactor: `Chef/Modernize/UseChefLanguageSystemdHelper`
## 4.3.2 - *2021-08-30*
- Standardise files with files in sous-chefs/repo-management
## 4.3.1 - *2021-06-01*
- Standardise files with files in sous-chefs/repo-management
## 4.3.0 - *2021-05-19*
- Fix disable recipe service naming for systemd
## 4.2.0 (2020-09-14)
- New server option 'permissions' to override default (0644) unix permissions on config file
## 4.1.2 (2020-09-11)
- Pull the disable_os_default recipe from the default one
## 4.1.1 (2020-08-14)
- Properly perform version check when needed in redis.conf template
## 4.1.0 (2020-05-05)
- Simplify platform check logic
- Remove the deprecated ChefSpec coverage report
- Migrate to actions for testing
## 4.0.0 (2019-09-19)
- Enable testing in CircleCI
- Removed build essentials cookbook dependancy
- Minimum Chef is now 14
- Removed tests for Debian 8
- Added support for chef 15
- configure recipe now sets `['redisio']['servers']` using override instead of normal in line with new chef best practices
## 3.0.0 (2018-11-27)
- This cookbook is now maintained by the Sous Chefs. If you're interested in helping with maintenance or learning more check out <https://sous-chefs.org/> Thank you Brian Bianco for the work you've done over the years on this cookbook. We'll be sure to take good care of it.
- This cookbook now requires Chef 13 or later
- Incompatibilities with the latest selinux_policy cookbook have been resolved by using Chef's built in selinux helpers
- All Chefstyle warnings have been resolved
- Contributing.md and CODE_OF_CONDUCT.md files have been added
- The build_essential resource is now directly used so that the built in resource in Chef 14+ can be used. This increases the required build-essential cookbook to 5.0+
- Duplicate dependencies in the Berksfile have been removed
- The chefignore file has been updated to prevent more unnecessary files from being uploaded to the chef server
- Data bags are now loaded with the data_bag_item helper instead of Chef::EncryptedDataBagItem.load directly
- Testing has been updated to use Delivery Local Mode which is built into ChefDK. The legacy Rakefile, Vagrantfile, Thorfile, and Cheffile have been removed
- Platforms in Test Kitchen configurations have been updated and dokken images are now used in dokken
## 2.7.2 (2018-09-30)
- fixes sentinal cluster init script by providing missing LSB statements ([#374])
## 2.7.1 (2018-03-30)
- fixes sentinal config where `announce-ip` was being given the value of `announce-port` improperly ([#354])
## 2.7.0 (2018-03-28)
- enables diskless replication configuration for versions `~> 2.6 || ~> 3.0` [#340](https://github.com/brianbianco/redisio/pull/340)
- adds chef 13 compatability [#350](https://github.com/brianbianco/redisio/pull/350)
## 2.6.1 (2017-05-10)
- Restrict aof-load-truncated to redis 3+ ([#343](https://github.com/brianbianco/redisio/pull/343))
- Fix Redis 2.4.x config ([#344](https://github.com/brianbianco/redisio/pull/344))
## 2.6.0 (2017-05-09)
- Update 'bind' config comments ([#293](https://github.com/brianbianco/redisio/pull/293))
- Add disable_os_default recipe ([#224](https://github.com/brianbianco/redisio/pull/224))
- Use the config's ulimits if set and is > max_clients ([#234](https://github.com/brianbianco/redisio/pull/234))
- Add Travis config ([#299](https://github.com/brianbianco/redisio/pull/299))
- Fix test failures (FoodCritic and Rubocop) ([#298](https://github.com/brianbianco/redisio/pull/298))
- Fix TravisCI builds ([#300](https://github.com/brianbianco/redisio/pull/300))
- Add repl-backlog-size, repl-backlog-ttl, and aof-load-truncated options ([#278](https://github.com/brianbianco/redisio/pull/278))
- Add sentinel_bind to bind sentinel to different IPs ([#306](https://github.com/brianbianco/redisio/pull/306))
- Cleanup deprecation warnings ([#301](https://github.com/brianbianco/redisio/pull/301))
- Fix version detection with epoch version numbers from deb/ubuntu ([#294](https://github.com/brianbianco/redisio/pull/294))
- Restrict VM redis config to <= 2.4 ([#322](https://github.com/brianbianco/redisio/pull/322))
- Rename_commands should be checked for nil before empty ([#311](https://github.com/brianbianco/redisio/pull/311))
- Fixup foodcritic, rubocop, and kitchen testing ([#324](https://github.com/brianbianco/redisio/pull/324))
- Note: this drops support for Chef < 11
- Add min-slaves redis options ([#313](https://github.com/brianbianco/redisio/pull/313))
- Allow /etc/init start after sigterm from system or user ([#310](https://github.com/brianbianco/redisio/pull/310))
- Check user existence with Etc, not ohai node attributes ([#303](https://github.com/brianbianco/redisio/pull/303))
- Various systemd-related improvements ([#302](https://github.com/brianbianco/redisio/pull/302))
- Update serverspec testing with correct OS's for systemd ([#329](https://github.com/brianbianco/redisio/pull/329))
- Add kitchen-dokken testing to Travis ([#330](https://github.com/brianbianco/redisio/pull/330))
- Add fedora-25 to kitchen testing and clean up kitchen config ([#331](https://github.com/brianbianco/redisio/pull/331))
- Fix systemd paths for sentinel service ([#332](https://github.com/brianbianco/redisio/pull/332))
- Add redis-package and sentinel to Travis kitchen verify ([#334](https://github.com/brianbianco/redisio/pull/334))
- Add breadcrumb-file creation condition as attribute ([#268](https://github.com/brianbianco/redisio/pull/268))
- Fix cluster options in README ([#333](https://github.com/brianbianco/redisio/pull/333))
- Fix systemd loader to use descriptors instead of max_clients+32 ([#338](https://github.com/brianbianco/redisio/pull/338))
- Add SELinux support ([#305](https://github.com/brianbianco/redisio/pull/305))
- Make source of redis.conf template configurable ([#341](https://github.com/brianbianco/redisio/pull/341))
- Support sentinel notification-script and client-reconfig-script ([#342](https://github.com/brianbianco/redisio/pull/342))
## 2.5.0 (2016-09-15)
- Ubuntu 14 added as tested platform. (#264)
- FreeBSD-10.3 support added. (#279)
- installation from source is not supported
- setting ulimits is not supported
- Encrypted databag support added. (#228)
- Systemd nofile limit fixed. (#228)
- Announce-ip and announce-port directives for sentinel added. (#228)
- Disabling safe_install in the install recipe allowed. (#284)
- Protected-mode added as optional (#275, #289)
- Fixes nil exception when installing sentinel on non-debian and non-rhel platforms (#288)
## 2.4.2 (2016-04-08)
- Created a 2.4.1 tag but somehow the metadata file wasn't updated. Instead
of deleting a pushed tag, creating a new tag and updating metdatafile. Aside
from the version number, this is an identical release to 2.4.1
## 2.4.1
- Increases default clusternodetimeout value from 5 to 5000
- Allows you to set version for package based install
- Sets UID of redis data directory if it is present
- Install resource should now only notify when an installation actually occurs
- Adds config options
- tcpbacklog
- rdbcompression
- rdbchecksum
- dbfilename
- slavereadyonly
- repldisabletcpnodelay
- slavepriority
- listmaxziplistentries
- listmaxziplistvalue
- hllsparsemaxbytes
- Add CentOS 7 support with systemd configs
- Fixes bug in ulimit resource guard
- Fixes bug in sentinel required parameters sanity check
- Adds --no-same-owner to untar command during install to fix NFS related issues
- Adds support for rename_commands config option
- Adds option to stop chef from managing sentinel configs after writing once
- Adds config option rename_commands
- Allow instance 'save' to be string or array
- Adds sources_url and issues_url with guards to be Chef 12 compatible
- Bumps Redis source version to 2.8.20
- Fixes cluster settings with wrong attribute names
- Monitor multiple masters with sentinel
- Add support in sentinel resource for an array of masters to monitor, with backwards compatibility for the older attributes, fixes #73. Replaces #87.
- Introduce a test-kitchen test for sentinel watching multiple masters.
- Incidentally, fixes #193 as well, since it adds a master name attribute for each master.
- Fixes path for pidfile in sentinel init script
- Additional error checking and backwards compatibility for sentinel attribute keys
## 2.3.0 (2015-04-08)
- Add support for installing by distribution package for CentOS (#180)
- Add conditionals to check for redis 3 that was released recently (#183)
- Prevent `usermod: user redis is currently logged in` (#176)
- Use correct sentinel port in default sentinel instance (#157)
- Sentinel instances attribute (`node['redisio']['sentinels']`) should behave like Redis instances attribute (#160)
- Add Rakefile and unit tests for verifying issues fixed are actually resolved (#158)
- Fix serverspec tests to properly use sysv-init scripts on systemd distributions (#185)
- Update documentation to reflect correct current redis version used for source installs (#151)
- Update documentation to indicate that ulimit and build-essential are both dependencies (#165)
- Update documentation to reflect that uninstall recipe is no longer available
- Update documentation to reflect correct mirror in README.md, change was from 2.1.0 (#175)
- Update documentation to reflect that cookbook uses `node['redisio']`, not `node['redis']` (#174)
- Markdown formatting improvements in the README.md (#168, #172)
## 2.2.4 (2014-10-04)
- Updates installed version of redis to the latest stable (2.8.17)
- Fixes backwards compatability bug with older version of redis (namely 2.6.x series) related to keyspaces
## 2.2.3 (2014-08-25)
- Bug Fix: Repackages the chef supermarket releaes with gnutar instead of BSD tar
## 2.2.2 (2014-08-22)
- Please refer to changelog for 2.0.0.
- If moving from 1.7.x this release has many breaking changes. You will likely need to update your wrapper cookbook or role.
- Added test-kitchen and serverspec coverage for both redis and redis_sentinel
- Added cookbook testing information to readme
- Bug fix for a fix that was introduced to resolve foodcritic rule fc002
- Fix init script to use su instead of sudo for ubuntu debian fedora
- Fix sentinel_enable recipe to properly run if using default attributes
- Save property for redis config now is defined by using an array
- Small changes to default configuration options to bring in line with redis defaults.
- Added options for the following
- tcp-keepalive
## 2.2.1
- Allow sentinel to control both redis and redis-sentinel configs depending on attribute `redisio.sentinel.manage_config` state.
## 2.2.0
- Adds behavior to allow the cookbook to NOT manage the redis config files as redis itself will write to them now if you are using sentinel
## 2.1.0
- Adds options for the following
- lua-time-limit
- slowlog-logs-slower-than
- slowlog-max-len
- notify-keyspace-events
- client-output-buffer-limit
- hz
- aof-rewrite-incremental-fsync
- Removes the uninstall recipe and resource.
- Adds the ability to skip the default recipe calling install and configure by setting redisio bypass_setup attribute to true
- Adds support for redis sentinel [Thanks to rcleere, Ryan Walker]
- Splits up the install resource into separate install and configure resources [Thanks to rcleere]
- By default now calls _install_prereqs, install, and configure in the default recipe.
- Changes default version of redis to install to 2.8.5
- Now depends on the build-essential cookbook.
- Fixes issue #76 - Default settings save as empty string breaks install
- Switches mirror server from googlefiles to redis.io. If you are using version of redis before 2.6.16 you will need to override the mirror server attribute
to use the old site with archived versions.
- Adds a Vagrant file!
- maxmemory will be rounded when calculated as a percentage
- Add stop-writes-on-bgsave-error config option
- Changes default log level from verbose to notice
- Adds configuration options for ziplists and active rehashing
- Adds support for passing the address attribute as an array. This is to support the redis 2.8 series which allows binding to multiple addresses
- Fixes a bug where multiple redis instances were using the same swapfile (only for version of redis 2.4 and below)
- Changes the job_control per instance attribute to a global one.
- Adds a status command to the init.d script, uses this in the initd based service for checking status
## 2.0.0
! THIS RELEASE HAS MANY BREAKING CHANGES !
! Your old role file will most likely not work !
- Supports redis 2.8 and its use of the empty string for stdout in the logfile option
- Allows the user to specify required_start and required_start when using the init scripts
- Warns a user if they have syslogenabled set to yes and also have logfile set
## 1.7.1 (2014-02-10)
- Bumps default version of redis to 2.6.17
- Changes the redis download mirror to redis.io
- Fixes #76 - Default settings save as empty string breaks install. [Thanks to astlock]
- Fixes bug with nil file resource for logfile. [Thanks to chrismoos]
## 1.7.0 (2013-07-25)
- Adds support for address attribute as an array or string. This is to support the feature that will be introduced in redis 2.8
## 1.6.0 (2013-06-27)
- Fixes a bug when using a percentage for max memory. [Thanks to organicveggie]
- Allows installation of redis into custom directory. [Thanks to organicveggie, rcleere]
- Bumps the default installed version of redis to the new stable, 2.6.14
## 1.5.0 (2013-03-30)
- Forces maxmemory to a string inside of install provider so it will not explode if you pass in an int. [Thanks to sprack]
- Strips leading directory from downloaded tarball, and extracts into a newly created directory. This allows more versatility for where the package can be installed from (Github / BitBucket) [Thanks to dim]
- Adds options for Redis Cluster [Thanks to jrallison]
- Adds a call to ulimit into the init script, it was not honoring the limits set by the ulimit cookbook for some users. [Thanks to mike-yesware]
## 1.4.1 (2013-02-27)
- Removes left over debugging statement
## 1.4.0 (2013-02-27)
- ACTUALLY fixes the use of upstart and redis. Redis no longer daemonizes itself when using job_control type upstart and allows upstart to handle this
- Adds dependency on the ulimit cookbook and allows you to set the ulimits for the redis instance users.
- Adds associated node attribute for the ulimit. It defaults to the special value 0, which causes the cookbook to use maxclients + 32. 32 is the number of file descriptors redis needs itself
- You can disable the use of the ulimits by setting the node attribute for it to "false" or "nil"
- Comments out the start on by default in the upstart script. This will get uncommented by the upstart provider when the :enable action is called on it
## 1.3.2 (2013-02-26)
- Changes calls to Chef::ShellOut to Mixlib::ShellOut
## 1.3.1 (2013-02-26)
- Fixes bug in upstart script to create pid directory if it does not exist
## 1.3.0 (2013-02-20)
- Adds upstart support. This was a much requested feature.
- Fixes bug in uninstall resource that would have prevented it from uninstalling named servers.
- Reworks the init script to take into account the IP redis is listening on, and if it is listening on a socket.
- Adds an attribute called "shutdown_save" which will explicitly call save on redis shutdown
- Updates the README.md with a shorter and hopefully equally as useful usage section
- maxmemory attribute now allows the use of percentages. You must include a % sign after the value.
- Bumps default version of redis to install to the current stable, 2.6.10
## 1.2.0 (2013-02-06)
- Fixes bug related to where the template source resides when using the LWRP outside of the redisio cookbook
- Fixes bug where the version method was not properly parsing version strings in redis 2.6.x, as the version string from redis-server -v changed
- Fixes bug in default attributes for fedora default redis data directory
- Now uses chefs service resource for each redis instance instead of using a custom redisio_service resource. This cleans up many issues, including a lack of updated_by_last_action
- The use of the redisio_service resource is deprecated. Use the redis port_number instead.
- The default version of redis has been bumped to the current stable, which is 2.6.9
- Adds metadata.json to the gitignore file so that the cookbook can be submoduled.
- Adds the ability to handle non standard bind address in the init scripts stop command
- Adds attributes to allow redis to listen on a socket
- Adds an attribute to allow redis service accounts to be created as system users, defaults this to true
- Adds a per server "name" attribute that allows a server to use that instead of the port for its configuration files, service resource, and init script.
- Shifts the responsbility for handling the case of default redis instances into the install recipe due to the behavior of arrays and deep merge
## 1.1.0 (2012-08-21)
! Warning breaking change !: The redis pidfile directory by default has changed, if you do not STOP redis before upgrading to the new version
of this cookbook, it will not be able to stop your instance properly via the redis service provider, or the init script.
If this happens to you, you can always log into the server and manually send a SIGTERM to redis
- Changed the init script to run redis as the specified redis user
- Updated the default version of redis to 2.4.16
- Setup a new directory structure for redis pid files. The install provider will now nest its pid directories in base_piddir/port number/redis_port.pid.
- Added a RedisioHelper module in libraries. The recipe_eval method inside is used to wrap nested resources to allow for the proper resource update propigation. The install provider uses this.
- The init script now properly respects the configdir attribute
- Changed the redis data directories to be 775 instead of 755 (this allows multiple instances with different owners to write their data to the same shared dir so long as they are in a common group)
- Changed default for maxclients to be 10000 instead of 0. This is to account for the fact that maxclients no longer supports 0 as 'unlimited' in the 2.6 series
- Added logic to replace hash-max-ziplist-entries, hash-max-ziplist-value with hash-max-zipmap-entires, hash-max-zipmap-value when using 2.6 series
- Added the ability to log to any file, not just syslog. Please do make sure after you set your file with the logfile attribute you also set syslogenabled to 'no'
## 1.0.3 (2012-05-02)
- Added changelog.md
- Added a bunch more configuration options that were left out (default values left as they were before):
- databases
- slaveservestaledata
- replpingslaveperiod
- repltimeout
- maxmemorysamples
- noappendfsynconwrite
- aofrewritepercentage
- aofrewriteminsize
It is worth nothing that since there is a configurable option for conf include files, and the fact that redis uses the most recently read configuration option... even if a new option where to show up, or and old one was not included they could be added using that pattern.
## 1.0.2 (2012-04-25)
- Merged in pull request from meskyanichi which improved the README.md and added a .gitignore
- Added a "safe_install" node attribute which will prevent redis from installing anything if it exists already. Defaults to true.
- Addedd a "redis_gem" recipe which will install the redis gem from ruby gems, added associated attributes. See README for me
## 1.0.1 (2012-04-08)
- Added some prequisite checks for RHEL based distributions
- Minor typos and formatting fixes in metadata.rb and README.md
## 1.0.0 (2012-04-08)
Initial Release

201
cookbooks/redisio/LICENSE Normal file
View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

512
cookbooks/redisio/README.md Normal file
View File

@ -0,0 +1,512 @@
# Redisio Cookbook
[![Cookbook Version](https://img.shields.io/cookbook/v/redisio.svg)](https://supermarket.chef.io/cookbooks/redisio)
[![Build Status](https://img.shields.io/circleci/project/github/sous-chefs/redisio/master.svg)](https://circleci.com/gh/sous-chefs/redisio)
[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
Please read the changelog when upgrading from the 1.x series to the 2.x series
## Description
Website:: [https://github.com/sous-chefs/redisio](https://github.com/sous-chefs/redisio)
Installs and configures Redis server instances
## Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If youd like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).
## Requirements
This cookbook builds redis from source or install it from packages, so it should work on any architecture for the supported distributions. Init scripts are installed into /etc/init.d/
It depends on the ulimit cookbook: [https://github.com/bmhatfield/chef-ulimit](https://github.com/bmhatfield/chef-ulimit) and the build-essentials cookbook: [https://github.com/chef-cookbooks/build-essential](https://github.com/opscode-cookbooks/build-essential)
### Platforms
* Debian, Ubuntu
* CentOS, Red Hat, Fedora, Scientific Linux
* FreeBSD
### Testing
This cookbook is tested with Delivery's local mode run under Chef-DK and Test Kitchen
* delivery local all
* kitchen test
Tested on:
* Centos 6
* Centos 7
* Debian 8
* Fedora 28
* Ubuntu 16.04
## Usage
The redisio cookbook contains LWRP for installing, configuring and managing redis and redis_sentinel.
The install recipe can build, compile and install redis from sources or install from packages. The configure recipe will configure redis and setup service resources. These resources will be named for the port of the redis server, unless a "name" attribute was specified. Example names would be: service["redis6379"] or service["redismaster"] if the name attribute was "master".
_NOTE: currently installation from source is not supported for FreeBSD_
The most common use case for the redisio cookbook is to use the default recipe, followed by the enable recipe.
Another common use case is to use the default, and then call the service resources created by it from another cookbook.
It is important to note that changing the configuration options of redis does not make them take effect on the next chef run. Due to how redis works, you cannot reload a configuration without restarting the redis service. Redis does not offer a reload option, in order to have new options be used redis must be stopped and started.
You should make sure to set the ulimit for the user you want to run redis as to be higher than the max connections you allow.
_NOTE: setting ulimit is not supported on FreeBSD since the ulimit cookbook doesn't support FreeBSD_
The disable recipe just stops redis and removes it from run levels.
The cookbook also contains a recipe to allow for the installation of the redis ruby gem.
Redis-sentinel will write configuration and state data back into its configuration file. This creates obvious problems when that config is managed by chef. By default, this cookbook will create the config file once, and then leave a breadcrumb that will guard against the file from being updated again.
### Recipes
* configure - This recipe is used to configure redis.
* default - This is used to install the pre-requisites for building redis, and to make the LWRPs available
* disable - This recipe can be used to disable the redis service and remove it from runlevels
* enable - This recipe can be used to enable the redis services and add it to runlevels
* install - This recipe is used to install redis.
* redis_gem - This recipe can be used to install the redis ruby gem
* sentinel - This recipe can be used to install and configure sentinel
* sentinel_enable - This recipe can be used to enable the sentinel service(s)
* disable_os_default - This recipe can be used to disable the default OS redis init script
### Role File Examples
#### Install redis and setup an instance with default settings on default port, and start the service through a role file
```ruby
run_list *%w[
recipe[redisio]
recipe[redisio::enable]
]
default_attributes({})
```
##### Install redis with packages and setup an instance with default settings on default port, and start the service through a role file
```ruby
run_list *%w[
recipe[redisio]
recipe[redisio::enable]
]
default_attributes({
'redisio' => {
package_install: true
version:
}
})
```
##### Install redis, give the instance a name, and use a unix socket
```ruby
run_list *%w[
recipe[redisio]
recipe[redisio::enable]
]
default_attributes({
'redisio' => {
'servers' => [
{'name' => 'master', 'port' => '6379', 'unixsocket' => '/tmp/redis.sock', 'unixsocketperm' => '755'},
]
}
})
```
##### Install redis and pull the password from an encrypted data bag
```ruby
run_list *%w[
recipe[redisio]
recipe[redisio::enable]
]
default_attributes({
'redisio' => {
'servers' => [
{'data_bag_name' => 'redis', 'data_bag_item' => 'auth', 'data_bag_key' => 'password'},
]
}
})
```
###### Data Bag
```ruby
{
"id": "auth",
"password": "abcdefghijklmnopqrstuvwxyz"
}
```
##### Install redis and setup two instances on the same server, on different ports, with one slaved to the other through a role file
```ruby
run_list *%w[
recipe[redisio]
recipe[redisio::enable]
]
default_attributes({
'redisio' => {
'servers' => [
{'port' => '6379'},
{'port' => '6380', 'slaveof' => { 'address' => '127.0.0.1', 'port' => '6379' }}
]
}
})
```
##### Install redis and setup two instances, on the same server, on different ports, with the default data directory changed to /mnt/redis, and the second instance named
```ruby
run_list *%w[
recipe[redisio]
recipe[redisio::enable]
]
default_attributes({
'redisio' => {
'default_settings' => {'datadir' => '/mnt/redis'},
'servers' => [{'port' => '6379'}, {'port' => '6380', 'name' => "MyInstance"}]
}
})
```
##### Install redis and setup three instances on the same server, changing the default data directory to /mnt/redis, each instance will use a different backup type, and one instance will use a different data dir
```ruby
run_list *%w[
recipe[redisio]
recipe[redisio::enable]
]
default_attributes({
'redisio' => {
'default_settings' => { 'datadir' => '/mnt/redis/'},
'servers' => [
{'port' => '6379','backuptype' => 'aof'},
{'port' => '6380','backuptype' => 'both'},
{'port' => '6381','backuptype' => 'rdb', 'datadir' => '/mnt/redis6381'}
]
}
})
```
##### Install redis 2.4.11 (lower than the default version) and turn safe install off, for the event where redis is already installed This will use the default settings. Keep in mind the redis version will not actually be updated until you restart the service (either through the LWRP or manually)
```ruby
run_list *%w[
recipe[redisio]
recipe[redisio::enable]
]
default_attributes({
'redisio' => {
'safe_install' => false,
'version' => '2.4.11'
}
})
```
##### Install a single redis-sentinel to listen for a master on localhost and default port number
```ruby
run_list *%w[
recipe[redisio::sentinel]
recipe[redisio::sentinel_enable]
]
```
#### Install redis and setup two instances, on the same server, on different ports, the second instance configuration file will be overwriten by chef
```ruby
run_list *%w[
recipe[redisio]
recipe[redisio::enable]
]
default_attributes({
'redisio' => {
'servers' => [{'port' => '6379'}, {'port' => '6380', 'breadcrumb' => false}]
}
})
```
## LWRP Examples
Instead of using my provided recipes, you can simply depend on the redisio cookbook in your metadata and use the LWRP's yourself. I will show a few examples of ways to use the LWRPS, detailed breakdown of options are below
in the resources/providers section
### Install Resource
It is important to note that this call has certain expectations for example, it expects the redis package to be in the format `redis-VERSION.tar.gz'.
```ruby
redisio_install "redis-installation" do
version '2.6.9'
download_url 'http://redis.googlecode.com/files/redis-2.6.9.tar.gz'
safe_install false
install_dir '/usr/local/'
end
```
### Configure Resource
The servers resource expects an array of hashes where each hash is required to contain at a key-value pair of 'port' => 'port numbers'.
```ruby
redisio_configure "redis-servers" do
version '2.6.9'
default_settings node['redisio']['default_settings']
servers node['redisio']['servers']
base_piddir node['redisio']['base_piddir']
end
```
### Sentinel Resource
The sentinel resource installs and configures all of your redis_sentinels defined in sentinel_instances
Using the sentinel resources:
```ruby
redisio_sentinel "redis-sentinels" do
version '2.6.9'
sentinel_defaults node['redisio']['sentinel_defaults']
sentinels sentinel_instances
base_piddir node['redisio']['base_piddir']
end
```
## Attributes
Configuration options, each option corresponds to the same-named configuration option in the redis configuration file; default values listed
* `redisio['mirror']` - mirror server with path to download redis package, default is [http://download.redis.io/releases/](http://download.redis.io/releases/)
* `redisio['base_name']` - the base name of the redis package to be downloaded (the part before the version), default is 'redis-'
* `redisio['artifact_type']` - the file extension of the package. currently only .tar.gz and .tgz are supported, default is 'tar.gz'
* `redisio['version']` - the version number of redis to install (also appended to the `base_name` for downloading), default is '2.8.17'
* `redisio['safe_install']` - prevents redis from installing itself if another version of redis is installed, default is true
* `redisio['base_piddir']` - This is the directory that redis pidfile directories and pidfiles will be placed in. Since redis can run as non root, it needs to have proper
permissions to the directory to create its pid. Since each instance can run as a different user, these directories will all be nested inside this base one.
* `redisio['bypass_setup']` - This attribute allows users to prevent the default recipe from calling the install and configure recipes.
* `redisio['job_control']` - This deteremines what job control type will be used. Currently supports 'initd' or 'upstart' options. Defaults to 'initd'.
Default settings is a hash of default settings to be applied to to ALL instances. These can be overridden for each individual server in the servers attribute. If you are going to set logfile to a specific file, make sure to set syslog-enabled to no.
* `redisio['default_settings']` - { 'redis-option' => 'option setting' }
Available options and their defaults
```config
'user' => 'redis' - the user to own the redis datadir, redis will also run under this user
'group' => 'redis' - the group to own the redis datadir
'permissions' => '0644' - the unix permissions applied to the server config file
'homedir' => Home directory of the user. Varies on distribution, check attributes file
'shell' => Users shell. Varies on distribution, check attributes file
'systemuser' => true - Sets up the instances user as a system user
'ulimit' => 0 - 0 is a special value causing the ulimit to be maxconnections +32. Set to nil or false to disable setting ulimits
'configdir' => '/etc/redis' - configuration directory
'name' => nil, Allows you to name the server with something other than port. Useful if you want to use unix sockets
'tcpbacklog' => '511',
'address' => nil, Can accept a single string or an array. When using an array, the FIRST value will be used by the init script for connecting to redis
'databases' => '16',
'backuptype' => 'rdb',
'datadir' => '/var/lib/redis',
'unixsocket' => nil - The location of the unix socket to use,
'unixsocketperm' => nil - The permissions of the unix socket,
'timeout' => '0',
'keepalive' => '0',
'loglevel' => 'notice',
'logfile' => nil,
'syslogenabled' => 'yes',
'syslogfacility' => 'local0',
'shutdown_save' => false,
'save' => nil, # Defaults to ['900 1','300 10','60 10000'] inside of template. Needed due to lack of hash subtraction
'stopwritesonbgsaveerror' => 'yes',
'rdbcompression' => 'yes',
'rdbchecksum' => 'yes',
'dbfilename' => nil,
'slaveof' => nil,
'masterauth' => nil,
'slaveservestaledata' => 'yes',
'slavereadonly' => 'yes',
'repldisklesssync' => 'no', # Requires redis 2.8.18+
'repldisklesssyncdelay' => '5', # Requires redis 2.8.18+
'replpingslaveperiod' => '10',
'repltimeout' => '60',
'repldisabletcpnodelay => 'no',
'slavepriority' => '100',
'requirepass' => nil,
'rename_commands' => nil, or a hash where each key is a redis command and the value is the command's new name.
'maxclients' => 10000,
'maxmemory' => nil,
'maxmemorypolicy' => nil,
'maxmemorysamples' => nil,
'appendfilename' => nil,
'appendfsync' => 'everysec',
'noappendfsynconrewrite' => 'no',
'aofrewritepercentage' => '100',
'aofrewriteminsize' => '64mb',
'luatimelimit' => '5000',
'slowloglogslowerthan' => '10000',
'slowlogmaxlen' => '1024',
'notifykeyspaceevents' => '',
'hashmaxziplistentries' => '512',
'hashmaxziplistvalue' => '64',
'listmaxziplistentries' => '512',
'listmaxziplistvalue' => '64',
'setmaxintsetentries' => '512',
'zsetmaxziplistentries' => '128',
'zsetmaxziplistvalue' => '64',
'hllsparsemaxbytes' => '3000',
'activerehasing' => 'yes',
'clientoutputbufferlimit' => [
%w(normal 0 0 0),
%w(slave 256mb 64mb 60),
%w(pubsub 32mb 8mb 60)
],
'hz' => '10',
'aofrewriteincrementalfsync' => 'yes',
'clusterenabled' => 'no',
'clusterconfigfile' => nil, # Defaults to redis instance name inside of template if cluster is enabled.
'clusternodetimeout' => 5000,
'includes' => nil,
'breadcrumb' => true # Defaults to create breadcrumb lock-file.
```
* `redisio['servers']` - An array where each item is a set of key value pairs for redis instance specific settings. The only required option is 'port'. These settings will override the options in 'default_settings', if it is left `nil` it will default to `[{'port' => '6379'}]`. If set to `[]` (empty array), no instances will be created.
The redis_gem recipe will also allow you to install the redis ruby gem, these are attributes related to that, and are in the redis_gem attributes file.
* `redisio['gem']['name']` - the name of the gem to install, defaults to 'redis'
* `redisio['gem']['version']` - the version of the gem to install. if it is nil, the latest available version will be installed.
The sentinel recipe's use their own attribute file.
* `redisio['sentinel_defaults']` - { 'sentinel-option' => 'option setting' }
```config
'user' => 'redis',
'configdir' => '/etc/redis',
'sentinel_bind' => nil,
'sentinel_port' => 26379,
'monitor' => nil,
'down-after-milliseconds' => 30000,
'can-failover' => 'yes',
'parallel-syncs' => 1,
'failover-timeout' => 900000,
'loglevel' => 'notice',
'logfile' => nil,
'syslogenabled' => 'yes',
'syslogfacility' => 'local0',
'quorum_count' => 2
```
* `redisio['redisio']['sentinel']['manage_config']` - Should the cookbook manage the redis and redis sentinel config files. This is best set to false when using redis_sentinel as it will write state into both configuration files.
* `redisio['redisio']['sentinels']` - Array of sentinels to configure on the node. These settings will override the options in 'sentinel_defaults', if it is left `nil` it will default to `[{'port' => '26379', 'name' => 'mycluster', 'master_ip' => '127.0.0.1', 'master_port' => 6379}]`. If set to `[]` (empty array), no instances will be created.
You may also pass an array of masters to monitor like so:
```ruby
[{
'sentinel_port' => '26379',
'name' => 'mycluster_sentinel',
'masters' => [
{ 'master_name' => 'master6379', 'master_ip' => '127.0.0.1', 'master_port' => 6379 },
{ 'master_name' => 'master6380', 'master_ip' => '127.0.0.1', 'master_port' => 6380 }
]
}]
```
## Resources/Providers
### `install`
Actions:
* `run` - perform the install (default)
* `nothing` - do nothing
Attribute Parameters
* `version` - the version of redis to download / install
* `download_url` - the URL plus filename of the redis package to install
* `download_dir` - the directory to store the downloaded package
* `artifact_type` - the file extension of the package
* `base_name` - the name of the package minus the extension and version number
* `safe_install` - a true or false value which determines if a version of redis will be installed if one already exists, defaults to true
This resource expects the following naming conventions:
package file should be in the format base_nameVersion_number.artifact_type
package file after extraction should be inside of the directory base_nameVersion_number
```ruby
install "redis" do
action [:run,:nothing]
end
```
### `configure`
Actions:
* `run` - perform the configure (default)
* `nothing` - do nothing
Attribute Parameters
* `version` - the version of redis to download / install
* `base_piddir` - directory where pid files will be created
* `user` - the user to run redis as, and to own the redis files
* `group` - the group to own the redis files
* `default_settings` - a hash of the default redis server settings
* `servers` - an array of hashes containing server configurations overrides (port is the only required)
```ruby
configure "redis" do
action [:run,:nothing]
end
```
## Contributors
This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
### Backers
Thank you to all our backers!
![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
### Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)

164
cookbooks/redisio/attributes/default.rb Normal file
View File

@ -0,0 +1,164 @@
package_bin_path = '/usr/bin'
config_dir = '/etc/redis'
default_package_install = false
case node['platform']
when 'ubuntu', 'debian'
shell = '/bin/false'
homedir = '/var/lib/redis'
package_name = 'redis-server'
when 'centos', 'redhat', 'scientific', 'amazon', 'suse', 'fedora'
shell = '/bin/sh'
homedir = '/var/lib/redis'
package_name = 'redis'
when 'freebsd'
shell = '/bin/sh'
homedir = '/var/lib/redis'
package_name = 'redis'
package_bin_path = '/usr/local/bin'
config_dir = '/usr/local/etc/redis'
default_package_install = true
else
shell = '/bin/sh'
homedir = '/redis'
package_name = 'redis'
end
# Overwite template used for the Redis Server config (not sentinel)
default['redisio']['redis_config']['template_cookbook'] = 'redisio'
default['redisio']['redis_config']['template_source'] = 'redis.conf.erb'
# Install related attributes
default['redisio']['safe_install'] = true
default['redisio']['package_install'] = default_package_install
default['redisio']['package_name'] = package_name
default['redisio']['bypass_setup'] = false
# Tarball and download related defaults
default['redisio']['mirror'] = 'http://download.redis.io/releases/'
default['redisio']['base_name'] = 'redis-'
default['redisio']['artifact_type'] = 'tar.gz'
default['redisio']['base_piddir'] = '/var/run/redis'
# Version
default['redisio']['version'] = if node['redisio']['package_install']
# latest version (only for package install)
nil
else
# force version for tarball
'3.2.11'
end
# Custom installation directory
default['redisio']['install_dir'] = nil
# Job control related options (initd, upstart, or systemd)
default['redisio']['job_control'] = if systemd?
'systemd'
elsif platform_family?('freebsd')
'rcinit'
else
'initd'
end
# Init.d script related options
default['redisio']['init.d']['required_start'] = []
default['redisio']['init.d']['required_stop'] = []
# Default settings for all redis instances, these can be overridden on a per server basis in the 'servers' hash
default['redisio']['default_settings'] = {
'user' => 'redis',
'group' => 'redis',
'permissions' => '0644',
'homedir' => homedir,
'shell' => shell,
'systemuser' => true,
'uid' => nil,
'ulimit' => 0,
'configdir' => config_dir,
'name' => nil,
'tcpbacklog' => '511',
'address' => nil,
'databases' => '16',
'backuptype' => 'rdb',
'datadir' => '/var/lib/redis',
'unixsocket' => nil,
'unixsocketperm' => nil,
'timeout' => '0',
'keepalive' => '0',
'loglevel' => 'notice',
'logfile' => nil,
'syslogenabled' => 'yes',
'syslogfacility' => 'local0',
'shutdown_save' => false,
'save' => nil, # Defaults to ['900 1','300 10','60 10000'] inside of template. Needed due to lack of hash subtraction
'stopwritesonbgsaveerror' => 'yes',
'rdbcompression' => 'yes',
'rdbchecksum' => 'yes',
'dbfilename' => nil,
'slaveof' => nil,
'protected_mode' => nil, # unspecified by default but could be set explicitly to 'yes' or 'no'
'masterauth' => nil,
'slaveservestaledata' => 'yes',
'slavereadonly' => 'yes',
'repldisklesssync' => 'no',
'repldisklesssyncdelay' => '5',
'replpingslaveperiod' => '10',
'repltimeout' => '60',
'repldisabletcpnodelay' => 'no',
'replbacklogsize' => '1mb',
'replbacklogttl' => 3600,
'slavepriority' => '100',
'requirepass' => nil,
'rename_commands' => nil,
'maxclients' => 10000,
'maxmemory' => nil,
'maxmemorypolicy' => nil,
'maxmemorysamples' => nil,
'appendfilename' => nil,
'appendfsync' => 'everysec',
'noappendfsynconrewrite' => 'no',
'aofrewritepercentage' => '100',
'aofrewriteminsize' => '64mb',
'aofloadtruncated' => 'yes',
'luatimelimit' => '5000',
'slowloglogslowerthan' => '10000',
'slowlogmaxlen' => '1024',
'notifykeyspaceevents' => '',
'hashmaxziplistentries' => '512',
'hashmaxziplistvalue' => '64',
'listmaxziplistentries' => '512',
'listmaxziplistvalue' => '64',
'setmaxintsetentries' => '512',
'zsetmaxziplistentries' => '128',
'zsetmaxziplistvalue' => '64',
'hllsparsemaxbytes' => '3000',
'activerehasing' => 'yes',
'clientoutputbufferlimit' => [
%w(normal 0 0 0),
%w(slave 256mb 64mb 60),
%w(pubsub 32mb 8mb 60),
],
'hz' => '10',
'aofrewriteincrementalfsync' => 'yes',
'clusterenabled' => 'no',
'clusterconfigfile' => nil, # Defaults to redis instance name inside of template if cluster is enabled.
'clusternodetimeout' => 5000,
'includes' => nil,
'data_bag_name' => nil,
'data_bag_item' => nil,
'data_bag_key' => nil,
'minslavestowrite' => nil,
'minslavesmaxlag' => nil,
'breadcrumb' => true,
}
# The default for this is set inside of the "install" recipe. This is due to the way deep merge handles arrays
default['redisio']['servers'] = nil
# Define binary path
default['redisio']['bin_path'] = if node['redisio']['package_install']
package_bin_path
else
'/usr/local/bin'
end

3
cookbooks/redisio/attributes/redis_gem.rb Normal file
View File

@ -0,0 +1,3 @@
# Allow for a redis ruby gem to be installed
default['redisio']['gem']['name'] = 'redis'
default['redisio']['gem']['version'] = nil

35
cookbooks/redisio/attributes/redis_sentinel.rb Normal file
View File

@ -0,0 +1,35 @@
config_dir = if platform_family?('freebsd')
'/usr/local/etc/redis'
else
'/etc/redis'
end
default['redisio']['sentinel_defaults'] = {
'user' => 'redis',
'configdir' => config_dir,
'sentinel_bind' => nil,
'sentinel_port' => 26379,
'monitor' => nil,
'down_after_milliseconds' => 30000,
'can-failover' => 'yes',
'parallel-syncs' => 1,
'failover_timeout' => 900000,
'loglevel' => 'notice',
'logfile' => nil,
'syslogenabled' => 'yes',
'syslogfacility' => 'local0',
'quorum_count' => 2,
'data_bag_name' => nil,
'data_bag_item' => nil,
'data_bag_key' => nil,
'announce-ip' => nil,
'announce-port' => nil,
'notification-script' => nil,
'client-reconfig-script' => nil,
}
# Manage Sentinel Config File
## Will write out the base config one time then no longer manage the config allowing sentinel to take over
default['redisio']['sentinel']['manage_config'] = true # Deprecated
default['redisio']['sentinels'] = nil

115
cookbooks/redisio/chefignore Normal file
View File

@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen.yml*
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile

46
cookbooks/redisio/kitchen.dokken.yml Normal file
View File

@ -0,0 +1,46 @@
---
driver:
name: dokken
privileged: true
chef_version: current
env: [CHEF_LICENSE=accept]
transport:
name: dokken
provisioner:
name: dokken
deprecations_as_errors: true
verifier:
name: inspec
platforms:
- name: centos-7
driver:
image: dokken/centos-7
pid_one_command: /usr/lib/systemd/systemd
run_list:
- recipe[yum-epel::default]
- recipe[yum-remi::default]
- name: debian-9
driver:
image: dokken/debian-9
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update
- name: ubuntu-16.04
driver:
image: dokken/ubuntu-16.04
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update
- name: ubuntu-18.04
driver:
image: dokken/ubuntu-18.04
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update

1
cookbooks/redisio/libraries/matchers.rb Normal file
View File

@ -0,0 +1 @@
# cookbook/libraries/matchers.rb

32
cookbooks/redisio/libraries/redisio.rb Normal file
View File

@ -0,0 +1,32 @@
module RedisioHelper
def recipe_eval
sub_run_context = @run_context.dup
sub_run_context.resource_collection = Chef::ResourceCollection.new
begin
original_run_context = @run_context
@run_context = sub_run_context
yield
ensure
@run_context = original_run_context
end
begin
Chef::Runner.new(sub_run_context).converge
ensure
new_resource.updated_by_last_action(true) if sub_run_context.resource_collection.any?(&:updated?)
end
end
def self.version_to_hash(version_string)
version_array = version_string.split('.')
version_array[2] = version_array[2].split('-')
version_array.flatten!
{
major: version_array[0].include?(':') ? version_array[0].split(':')[1] : version_array[0],
minor: version_array[1],
tiny: version_array[2],
rc: version_array[3],
}
end
end

44
cookbooks/redisio/metadata.json Normal file
View File

@ -0,0 +1,44 @@
{
"name": "redisio",
"description": "Installs and configures redis",
"long_description": "",
"maintainer": "Sous Chefs",
"maintainer_email": "help@sous-chefs.org",
"license": "Apache-2.0",
"platforms": {
"amazon": ">= 0.0.0",
"centos": ">= 0.0.0",
"debian": ">= 0.0.0",
"fedora": ">= 0.0.0",
"redhat": ">= 0.0.0",
"scientific": ">= 0.0.0",
"suse": ">= 0.0.0",
"ubuntu": ">= 0.0.0"
},
"dependencies": {
"ulimit": ">= 0.1.2",
"selinux_policy": ">= 2.2.0"
},
"providing": {
},
"recipes": {
},
"version": "5.0.0",
"source_url": "https://github.com/sous-chefs/redisio",
"issues_url": "https://github.com/sous-chefs/redisio/issues",
"privacy": false,
"chef_versions": [
[
">= 15.5"
]
],
"ohai_versions": [
],
"gems": [
],
"eager_load_libraries": true
}

25
cookbooks/redisio/metadata.rb Normal file
View File

@ -0,0 +1,25 @@
name 'redisio'
maintainer 'Sous Chefs'
maintainer_email 'help@sous-chefs.org'
license 'Apache-2.0'
description 'Installs and configures redis'
version '5.0.0'
source_url 'https://github.com/sous-chefs/redisio'
issues_url 'https://github.com/sous-chefs/redisio/issues'
chef_version '>= 15.5'
%w(
amazon
centos
debian
fedora
redhat
scientific
suse
ubuntu
).each do |os|
supports os
end
depends 'ulimit', '>= 0.1.2'
depends 'selinux_policy', '>= 2.2.0'

389
cookbooks/redisio/providers/configure.rb Normal file
View File

@ -0,0 +1,389 @@
action :run do
configure
new_resource.updated_by_last_action(true)
end
def configure
base_piddir = new_resource.base_piddir
if !new_resource.version
redis_output = Mixlib::ShellOut.new("#{node['redisio']['bin_path']}/redis-server -v")
redis_output.run_command
redis_output.error!
current_version = redis_output.stdout.gsub(/.*v=((\d+\.){2}\d+).*/, '\1').chomp
else
current_version = new_resource.version
end
version_hash = RedisioHelper.version_to_hash(current_version)
# Setup a configuration file and init script for each configuration provided
new_resource.servers.each do |current_instance|
# Retrieve the default settings hash and the current server setups settings hash.
current_instance_hash = current_instance.to_hash
current_defaults_hash = new_resource.default_settings.to_hash
# Merge the configuration defaults with the provided array of configurations provided
current = current_defaults_hash.merge(current_instance_hash)
# Merge in the default maxmemory
node_memory_kb = node['memory']['total']
# On BSD platforms Ohai reports total memory as a Fixnum
node_memory_kb = node_memory_kb.sub('kB', '').to_i if node_memory_kb.is_a?(String)
# Here we determine what the logfile is. It has these possible states
#
# Redis 2.6 and lower can be
# stdout
# A path
# nil
# Redis 2.8 and higher can be
# empty string, which means stdout)
# A path
# nil
if current['logfile'].nil?
log_file = nil
log_directory = nil
elsif current['logfile'] == 'stdout' || current['logfile'].empty?
log_directory = nil
log_file = current['logfile']
else
log_directory = ::File.dirname(current['logfile'])
log_file = ::File.basename(current['logfile'])
if current['syslogenabled'] == 'yes'
Chef::Log.warn("log file is set to #{current['logfile']} but syslogenabled is also set to 'yes'")
end
end
maxmemory = current['maxmemory'].to_s
if !maxmemory.empty? && maxmemory.include?('%')
# Just assume this is sensible like "95%" or "95 %"
percent_factor = current['maxmemory'].to_f / 100.0
# Ohai reports memory in KB as it looks in /proc/meminfo
maxmemory = (node_memory_kb * 1024 * percent_factor / new_resource.servers.length).round.to_s
end
descriptors = if current['ulimit'] == 0
current['maxclients'] + 32
elsif current['ulimit'] > current['maxclients']
current['ulimit']
else
current['maxclients']
end
recipe_eval do
server_name = current['name'] || current['port']
piddir = "#{base_piddir}/#{server_name}"
aof_file = current['appendfilename'] || "#{current['datadir']}/appendonly-#{server_name}.aof"
rdb_file = current['dbfilename'] || "#{current['datadir']}/dump-#{server_name}.rdb"
# Create the owner of the redis data directory
user current['user'] do
comment 'Redis service account'
manage_home true
home current['homedir']
shell current['shell']
system current['systemuser']
uid current['uid'] unless current['uid'].nil?
end
# Create the redis configuration directory
directory current['configdir'] do
owner 'root'
group platform_family?('freebsd') ? 'wheel' : 'root'
mode '0755'
recursive true
action :create
end
# Create the instance data directory
directory current['datadir'] do
owner current['user']
group current['group']
mode '0775'
recursive true
action :create
end
# Create the pid file directory
directory piddir do
owner current['user']
group current['group']
mode '0755'
recursive true
action :create
end
# Create the log directory if syslog is not being used
if log_directory
directory log_directory do
owner current['user']
group current['group']
mode '0755'
recursive true
action :create
end
end
# Configure SELinux if it is enabled
extend Chef::Util::Selinux
if selinux_enabled?
selinux_policy_install 'install'
selinux_policy_fcontext "#{current['configdir']}(/.*)?" do
secontext 'redis_conf_t'
end
selinux_policy_fcontext "#{current['datadir']}(/.*)?" do
secontext 'redis_var_lib_t'
end
selinux_policy_fcontext "#{piddir}(/.*)?" do
secontext 'redis_var_run_t'
end
if log_directory
selinux_policy_fcontext "#{log_directory}(/.*)?" do
secontext 'redis_log_t'
end
end
end
# Create the log file if syslog is not being used
if log_file
file current['logfile'] do
owner current['user']
group current['group']
mode '0644'
backup false
action :touch
# in version 2.8 or higher the empty string is used instead of stdout
only_if { !log_file.empty? && log_file != 'stdout' }
end
end
# Set proper permissions on the AOF or RDB files
file aof_file do
owner current['user']
group current['group']
mode '0644'
only_if { current['backuptype'] == 'aof' || current['backuptype'] == 'both' }
only_if { ::File.exist?(aof_file) }
end
file rdb_file do
owner current['user']
group current['group']
mode '0644'
only_if { current['backuptype'] == 'rdb' || current['backuptype'] == 'both' }
only_if { ::File.exist?(rdb_file) }
end
# Setup the redis users descriptor limits
# Pending response on https://github.com/brianbianco/redisio/commit/4ee9aad3b53029cc3b6c6cf741f5126755e712cd#diff-8ae42a59a6f4e8dc5b4e6dd2d6a34eab
# TODO: ulimit cookbook v0.1.2 doesn't work with freeBSD
if current['ulimit'] && !platform_family?('freebsd')
user_ulimit current['user'] do
filehandle_limit descriptors
end
end
computed_save = current['save']
if current['save'] && current['save'].respond_to?(:each_line)
computed_save = current['save'].each_line
Chef::Log.warn("#{server_name}: given a save argument as a string, instead of an array.")
Chef::Log.warn("#{server_name}: This will be deprecated in future versions of the redisio cookbook.")
end
# Load password for use with requirepass from data bag if needed
if current['data_bag_name'] && current['data_bag_item'] && current['data_bag_key']
bag = data_bag_item(current['data_bag_name'], current['data_bag_item'])
current['requirepass'] = bag[current['data_bag_key']]
current['masterauth'] = bag[current['data_bag_key']]
end
# Lay down the configuration files for the current instance
template "#{current['configdir']}/#{server_name}.conf" do
source node['redisio']['redis_config']['template_source']
cookbook node['redisio']['redis_config']['template_cookbook']
owner current['user']
group current['group']
mode current['permissions']
action :create
variables(
version: version_hash,
piddir: piddir,
name: server_name,
job_control: node['redisio']['job_control'],
port: current['port'],
tcpbacklog: current['tcpbacklog'],
address: current['address'],
databases: current['databases'],
backuptype: current['backuptype'],
datadir: current['datadir'],
unixsocket: current['unixsocket'],
unixsocketperm: current['unixsocketperm'],
timeout: current['timeout'],
keepalive: current['keepalive'],
loglevel: current['loglevel'],
logfile: current['logfile'],
syslogenabled: current['syslogenabled'],
syslogfacility: current['syslogfacility'],
save: computed_save,
stopwritesonbgsaveerror: current['stopwritesonbgsaveerror'],
rdbcompression: current['rdbcompression'],
rdbchecksum: current['rdbchecksum'],
dbfilename: current['dbfilename'],
slaveof: current['slaveof'],
protected_mode: current['protected_mode'],
masterauth: current['masterauth'],
slaveservestaledata: current['slaveservestaledata'],
slavereadonly: current['slavereadonly'],
replpingslaveperiod: current['replpingslaveperiod'],
repltimeout: current['repltimeout'],
repldisabletcpnodelay: current['repldisabletcpnodelay'],
replbacklogsize: current['replbacklogsize'],
replbacklogttl: current['replbacklogttl'],
slavepriority: current['slavepriority'],
requirepass: current['requirepass'],
rename_commands: current['rename_commands'],
maxclients: current['maxclients'],
maxmemory: maxmemory,
maxmemorypolicy: current['maxmemorypolicy'],
maxmemorysamples: current['maxmemorysamples'],
appendfilename: current['appendfilename'],
appendfsync: current['appendfsync'],
noappendfsynconrewrite: current['noappendfsynconrewrite'],
aofrewritepercentage: current['aofrewritepercentage'],
aofrewriteminsize: current['aofrewriteminsize'],
aofloadtruncated: current['aofloadtruncated'],
luatimelimit: current['luatimelimit'],
slowloglogslowerthan: current['slowloglogslowerthan'],
slowlogmaxlen: current['slowlogmaxlen'],
notifykeyspaceevents: current['notifykeyspaceevents'],
hashmaxziplistentries: current['hashmaxziplistentries'],
hashmaxziplistvalue: current['hashmaxziplistvalue'],
listmaxziplistentries: current['listmaxziplistentries'],
listmaxziplistvalue: current['listmaxziplistvalue'],
setmaxintsetentries: current['setmaxintsetentries'],
zsetmaxziplistentries: current['zsetmaxziplistentries'],
zsetmaxziplistvalue: current['zsetmaxziplistvalue'],
hllsparsemaxbytes: current['hllsparsemaxbytes'],
activerehasing: current['activerehasing'],
clientoutputbufferlimit: current['clientoutputbufferlimit'],
hz: current['hz'],
aofrewriteincrementalfsync: current['aofrewriteincrementalfsync'],
clusterenabled: current['clusterenabled'],
clusterconfigfile: current['clusterconfigfile'],
clusternodetimeout: current['clusternodetimeout'],
includes: current['includes'],
minslavestowrite: current['minslavestowrite'],
minslavesmaxlag: current['minslavesmaxlag'],
repldisklesssync: current['repldisklesssync'],
repldisklesssyncdelay: current['repldisklesssyncdelay']
)
not_if { ::File.exist?("#{current['configdir']}/#{server_name}.conf.breadcrumb") }
end
file "#{current['configdir']}/#{server_name}.conf.breadcrumb" do
content 'This file prevents the chef cookbook from overwritting the redis config more than once'
action :create_if_missing
only_if { current['breadcrumb'] == true }
end
# Setup init.d file
bin_path = if node['redisio']['install_dir']
::File.join(node['redisio']['install_dir'], 'bin')
else
node['redisio']['bin_path']
end
case node['redisio']['job_control']
when 'initd'
template "/etc/init.d/redis#{server_name}" do
source 'redis.init.erb'
cookbook 'redisio'
owner 'root'
group 'root'
mode '0755'
variables(
name: server_name,
bin_path: bin_path,
port: current['port'],
address: current['address'],
user: current['user'],
configdir: current['configdir'],
piddir: piddir,
requirepass: current['requirepass'],
shutdown_save: current['shutdown_save'],
platform: node['platform'],
unixsocket: current['unixsocket'],
ulimit: descriptors,
required_start: node['redisio']['init.d']['required_start'].join(' '),
required_stop: node['redisio']['init.d']['required_stop'].join(' ')
)
end
when 'upstart'
template "/etc/init/redis#{server_name}.conf" do
source 'redis.upstart.conf.erb'
cookbook 'redisio'
owner current['user']
group current['group']
mode '0644'
variables(
name: server_name,
bin_path: bin_path,
port: current['port'],
user: current['user'],
group: current['group'],
configdir: current['configdir'],
piddir: piddir
)
end
when 'rcinit'
template "/usr/local/etc/rc.d/redis#{server_name}" do
source 'redis.rcinit.erb'
cookbook 'redisio'
owner current['user']
group current['group']
mode '0755'
variables(
name: server_name,
bin_path: bin_path,
user: current['user'],
configdir: current['configdir'],
piddir: piddir
)
end
when 'systemd'
service_name = "redis@#{server_name}"
reload_name = "#{service_name} systemd reload"
file "/etc/tmpfiles.d/#{service_name}.conf" do
content "d #{piddir} 0755 #{current['user']} #{current['group']}\n"
owner 'root'
group 'root'
mode '0644'
end
execute reload_name do
command 'systemctl daemon-reload'
action :nothing
end
template "/lib/systemd/system/#{service_name}.service" do
source 'redis@.service.erb'
cookbook 'redisio'
owner 'root'
group 'root'
mode '0644'
variables(
bin_path: bin_path,
user: current['user'],
group: current['group'],
limit_nofile: descriptors
)
notifies :run, "execute[#{reload_name}]", :immediately
end
end
end
end
# servers each loop
end
def load_current_resource
@current_resource = Chef::Resource.resource_for_node(:redisio_configure, node).new(new_resource.name)
@current_resource
end

93
cookbooks/redisio/providers/install.rb Normal file
View File

@ -0,0 +1,93 @@
action :run do
# Package install
if node['redisio']['package_install']
package_resource = package 'redisio_package_name' do
package_name node['redisio']['package_name']
version node['redisio']['version']
action :nothing
end
package_resource.run_action(:install)
new_resource.updated_by_last_action(true) if package_resource.updated_by_last_action?
# freeBSD does not support from source since ports does not support versioning (without a lot of hassle)
elsif platform_family?('freebsd')
raise 'Source install not supported for freebsd'
# Tarball install
else
@tarball = "#{new_resource.base_name}#{new_resource.version}.#{new_resource.artifact_type}"
unless current_resource.version == new_resource.version || (redis_exists? && new_resource.safe_install)
Chef::Log.info("Installing Redis #{new_resource.version} from source")
download
unpack
build
install
new_resource.updated_by_last_action(true)
end
end
end
def download
Chef::Log.info("Downloading redis tarball from #{new_resource.download_url}")
remote_file "#{new_resource.download_dir}/#{@tarball}" do
source new_resource.download_url
end
end
def unpack
install_dir = "#{new_resource.base_name}#{new_resource.version}"
case new_resource.artifact_type
when 'tar.gz', '.tgz'
execute %(cd #{new_resource.download_dir} ; mkdir -p '#{install_dir}' ; tar zxf '#{@tarball}' --strip-components=1 -C '#{install_dir}' --no-same-owner)
else
raise Chef::Exceptions::UnsupportedAction, "Current package type #{new_resource.artifact_type} is unsupported"
end
end
def build
execute "cd #{new_resource.download_dir}/#{new_resource.base_name}#{new_resource.version} && make clean && make"
end
def install
install_prefix = if new_resource.install_dir
"PREFIX=#{new_resource.install_dir}"
else
''
end
execute "cd #{new_resource.download_dir}/#{new_resource.base_name}#{new_resource.version} && make #{install_prefix} install"
new_resource.updated_by_last_action(true)
end
def redis_exists?
bin_path = if node['redisio']['install_dir']
::File.join(node['redisio']['install_dir'], 'bin')
else
node['redisio']['bin_path']
end
redis_server = ::File.join(bin_path, 'redis-server')
::File.exist?(redis_server)
end
def version
if redis_exists?
bin_path = if node['redisio']['install_dir']
::File.join(node['redisio']['install_dir'], 'bin')
else
node['redisio']['bin_path']
end
redis_server = ::File.join(bin_path, 'redis-server')
redis_version = Mixlib::ShellOut.new("#{redis_server} -v")
redis_version.run_command
version = redis_version.stdout[/version (\d*.\d*.\d*)/, 1] || redis_version.stdout[/v=(\d*.\d*.\d*)/, 1]
Chef::Log.info("The Redis server version is: #{version}")
return version.delete("\n")
end
nil
end
def load_current_resource
@current_resource = Chef::Resource.resource_for_node(:redisio_install, node).new(new_resource.name)
@current_resource.version(version)
@current_resource
end

255
cookbooks/redisio/providers/sentinel.rb Normal file
View File

@ -0,0 +1,255 @@
action :run do
configure
new_resource.updated_by_last_action(true)
end
def configure
base_piddir = new_resource.base_piddir
current_version = if new_resource.version.nil?
version
else
new_resource.version
end
version_hash = RedisioHelper.version_to_hash(current_version)
# Setup a configuration file and init script for each configuration provided
new_resource.sentinels.each do |current_instance|
# Retrieve the default settings hash and the current server setups settings hash.
current_instance_hash = current_instance.to_hash
current_defaults_hash = new_resource.sentinel_defaults.to_hash
# Merge the configuration defaults with the provided array of configurations provided
current = current_defaults_hash.merge(current_instance_hash)
recipe_eval do
sentinel_name = current['name'] || current['port']
sentinel_name = "sentinel_#{sentinel_name}"
piddir = "#{base_piddir}/#{sentinel_name}"
# Create the owner of the redis data directory
user current['user'] do
comment 'Redis service account'
manage_home true
home current['homedir']
shell current['shell']
system current['systemuser']
uid current['uid'] unless current['uid'].nil?
end
# Create the redis configuration directory
directory current['configdir'] do
owner 'root'
group platform_family?('freebsd') ? 'wheel' : 'root'
mode '0755'
recursive true
action :create
end
# Create the pid file directory
directory piddir do
owner current['user']
group current['group']
mode '0755'
recursive true
action :create
end
unless current['logfile'].nil?
# Create the log directory if syslog is not being used
directory ::File.dirname(current['logfile']) do
owner current['user']
group current['group']
mode '0755'
recursive true
action :create
only_if { current['syslogenabled'] != 'yes' && current['logfile'] && current['logfile'] != 'stdout' }
end
# Create the log file is syslog is not being used
file current['logfile'] do
owner current['user']
group current['group']
mode '0644'
backup false
action :touch
only_if { current['logfile'] && current['logfile'] != 'stdout' }
end
end
# <%=@name%> <%=@masterip%> <%=@masterport%> <%= @quorum_count %>
# <%= "sentinel auth-pass #{@name} #{@authpass}" unless @authpass.nil? %>
# sentinel down-after-milliseconds <%=@name%> <%=@downaftermil%>
# sentinel parallel-syncs <%=@name%> <%=@parallelsyncs%>
# sentinel failover-timeout <%=@name%> <%=@failovertimeout%>
# convert from old format (preserve compat)
if !current['masters'] && current['master_ip']
Chef::Log.warn('You are using a deprecated sentinel format. This will be removed in future versions.')
# use old key names if newer key names aren't present (e.g. 'foo' || :foo)
masters = [
{
master_name: current['master_name'] || current[:mastername],
master_ip: current['master_ip'] || current[:masterip],
master_port: current['master_port'] || current[:masterport],
quorum_count: current['quorum_count'] || current[:quorum_count],
auth_pass: current['auth-pass'] || current[:authpass],
down_after_milliseconds: current['down-after-milliseconds'] || current[:downaftermil],
parallel_syncs: current['parallel-syncs'] || current[:parallelsyncs],
failover_timeout: current['failover-timeout'] || current[:failovertimeout],
},
]
else
masters = [current['masters']].flatten
end
# Load password for use with requirepass from data bag if needed
if current['data_bag_name'] && current['data_bag_item'] && current['data_bag_key']
bag = data_bag_item(current['data_bag_name'], current['data_bag_item'])
masters.each do |master|
master['auth_pass'] = bag[current['data_bag_key']]
end
end
# merge in default values to each sentinel hash
masters_with_defaults = []
masters.each do |current_sentinel_master|
default_sentinel_master = new_resource.sentinel_defaults.to_hash
sentinel_master = default_sentinel_master.merge(current_sentinel_master || {})
masters_with_defaults << sentinel_master
end
# Don't render a template if we're missing these from any sentinel,
# as these are the minimal settings required to be passed in
masters_with_defaults.each do |sentinel_instance|
%w(master_ip master_port quorum_count).each do |param|
raise "Missing required sentinel parameter #{param} for #{sentinel_instance}" unless sentinel_instance[param]
end
end
# Lay down the configuration files for the current instance
template "#{current['configdir']}/#{sentinel_name}.conf" do
source 'sentinel.conf.erb'
cookbook 'redisio'
owner current['user']
group current['group']
mode '0644'
action :create
variables(
name: current['name'],
piddir: piddir,
version: version_hash,
job_control: node['redisio']['job_control'],
sentinel_bind: current['sentinel_bind'],
sentinel_port: current['sentinel_port'],
loglevel: current['loglevel'],
logfile: current['logfile'],
syslogenabled: current['syslogenabled'],
syslogfacility: current['syslogfacility'],
masters: masters_with_defaults,
announce_ip: current['announce-ip'],
announce_port: current['announce-port'],
notification_script: current['notification-script'],
client_reconfig_script: current['client-reconfig-script']
)
not_if { ::File.exist?("#{current['configdir']}/#{sentinel_name}.conf.breadcrumb") }
end
file "#{current['configdir']}/#{sentinel_name}.conf.breadcrumb" do
content 'This file prevents the chef cookbook from overwritting the sentinel config more than once'
action :create_if_missing
end
# Setup init.d file
bin_path = if node['redisio']['install_dir']
::File.join(node['redisio']['install_dir'], 'bin')
else
node['redisio']['bin_path']
end
template "/etc/init.d/redis_#{sentinel_name}" do
source 'sentinel.init.erb'
cookbook 'redisio'
owner 'root'
group 'root'
mode '0755'
variables(
name: sentinel_name,
bin_path: bin_path,
user: current['user'],
configdir: current['configdir'],
piddir: piddir,
platform: node['platform']
)
only_if { node['redisio']['job_control'] == 'initd' }
end
template "/etc/init/redis_#{sentinel_name}.conf" do
source 'sentinel.upstart.conf.erb'
cookbook 'redisio'
owner current['user']
group current['group']
mode '0644'
variables(
name: sentinel_name,
bin_path: bin_path,
user: current['user'],
group: current['group'],
configdir: current['configdir'],
piddir: piddir
)
only_if { node['redisio']['job_control'] == 'upstart' }
end
# TODO: fix for freebsd
template "/usr/local/etc/rc.d/redis_#{sentinel_name}" do
source 'sentinel.rcinit.erb'
cookbook 'redisio'
owner current['user']
group current['group']
mode '0755'
variables(
name: sentinel_name,
bin_path: bin_path,
user: current['user'],
configdir: current['configdir'],
piddir: piddir
)
only_if { node['redisio']['job_control'] == 'rcinit' }
end
end
end
# servers each loop
end
def redis_exists?
bin_path = if node['redisio']['install_dir']
::File.join(node['redisio']['install_dir'], 'bin')
else
node['redisio']['bin_path']
end
redis_server = ::File.join(bin_path, 'redis-server')
::File.exist?(redis_server)
end
def version
if redis_exists?
bin_path = if node['redisio']['install_dir']
::File.join(node['redisio']['install_dir'], 'bin')
else
node['redisio']['bin_path']
end
redis_server = ::File.join(bin_path, 'redis-server')
redis_version = Mixlib::ShellOut.new("#{redis_server} -v")
redis_version.run_command
version = redis_version.stdout[/version (\d*.\d*.\d*)/, 1] || redis_version.stdout[/v=(\d*.\d*.\d*)/, 1]
Chef::Log.info("The Redis server version is: #{version}")
return version.delete("\n")
end
nil
end
def load_current_resource
@current_resource = Chef::Resource.resource_for_node(:redisio_sentinel, node).new(new_resource.name)
@current_resource.version(version)
@current_resource
end

18
cookbooks/redisio/recipes/_install_prereqs.rb Normal file
View File

@ -0,0 +1,18 @@
packages_to_install = case node['platform']
when 'debian', 'ubuntu'
%w(
tar
)
when 'redhat', 'centos', 'fedora', 'scientific', 'suse', 'amazon'
%w(
tar
)
else
%w()
end
packages_to_install.each do |pkg|
package pkg do
action :install
end
end

56
cookbooks/redisio/recipes/configure.rb Normal file
View File

@ -0,0 +1,56 @@
include_recipe 'redisio::default'
include_recipe 'ulimit::default'
redis = node['redisio']
redis_instances = redis['servers']
if redis_instances.nil?
redis_instances = [
{
'port' => '6379',
},
]
end
redisio_configure 'redis-servers' do
version redis['version'] if redis['version']
default_settings redis['default_settings']
servers redis_instances
base_piddir redis['base_piddir']
end
# Create a service resource for each redis instance, named for the port it runs on.
redis_instances.each do |current_server|
server_name = current_server['name'] || current_server['port']
case node['redisio']['job_control']
when 'initd'
service "redis#{server_name}" do
# don't supply start/stop/restart commands, Chef::Provider::Service::*
# do a fine job on it's own, and support systemd correctly
supports start: true, stop: true, restart: false, status: true
end
when 'upstart'
service "redis#{server_name}" do
provider Chef::Provider::Service::Upstart
start_command "start redis#{server_name}"
stop_command "stop redis#{server_name}"
restart_command "restart redis#{server_name}"
supports start: true, stop: true, restart: true, status: false
end
when 'systemd'
service "redis@#{server_name}" do
provider Chef::Provider::Service::Systemd
supports start: true, stop: true, restart: true, status: true
end
when 'rcinit'
service "redis#{server_name}" do
provider Chef::Provider::Service::Freebsd
supports start: true, stop: true, restart: true, status: true
end
else
Chef::Log.error('Unknown job control type, no service resource created!')
end
end
node.override['redisio']['servers'] = redis_instances

22
cookbooks/redisio/recipes/default.rb Normal file
View File

@ -0,0 +1,22 @@
# debian 6.0.x fails the build_essential recipe without an apt-get update prior to run
if platform?('debian', 'ubuntu')
execute 'apt-get-update-periodic' do
command 'apt-get update'
ignore_failure true
only_if do
!File.exist?('/var/lib/apt/periodic/update-success-stamp') ||
File.mtime('/var/lib/apt/periodic/update-success-stamp') < Time.now - 86400
end
end
end
unless node['redisio']['package_install']
include_recipe 'redisio::_install_prereqs'
build_essential 'install build deps'
end
unless node['redisio']['bypass_setup']
include_recipe 'redisio::install'
include_recipe 'redisio::disable_os_default'
include_recipe 'redisio::configure'
end

14
cookbooks/redisio/recipes/disable.rb Normal file
View File

@ -0,0 +1,14 @@
redis = node['redisio']
redis['servers'].each do |current_server|
server_name = current_server['name'] || current_server['port']
resource_name = if node['redisio']['job_control'] == 'systemd'
"service[redis@#{server_name}]"
else
"service[redis#{server_name}]"
end
resource = resources(resource_name)
resource.action Array(resource.action)
resource.action << :stop
resource.action << :disable
end

12
cookbooks/redisio/recipes/disable_os_default.rb Normal file
View File

@ -0,0 +1,12 @@
# disable the default OS redis init script
service_name = case node['platform']
when 'debian', 'ubuntu'
'redis-server'
when 'redhat', 'centos', 'fedora', 'scientific', 'suse', 'amazon'
'redis'
end
service service_name do
action [:stop, :disable]
only_if { service_name }
end

13
cookbooks/redisio/recipes/enable.rb Normal file
View File

@ -0,0 +1,13 @@
redis = node['redisio']
redis['servers'].each do |current_server|
server_name = current_server['name'] || current_server['port']
resource_name = if node['redisio']['job_control'] == 'systemd'
"service[redis@#{server_name}]"
else
"service[redis#{server_name}]"
end
resource = resources(resource_name)
resource.action Array(resource.action)
resource.action.concat [:start, :enable]
end

22
cookbooks/redisio/recipes/install.rb Normal file
View File

@ -0,0 +1,22 @@
if node['redisio']['package_install']
package 'redisio_package_name' do
package_name node['redisio']['package_name']
version node['redisio']['version'] if node['redisio']['version']
action :install
end
else
include_recipe 'redisio::_install_prereqs'
build_essential 'install build deps'
redis = node['redisio']
location = "#{redis['mirror']}/#{redis['base_name']}#{redis['version']}.#{redis['artifact_type']}"
redisio_install 'redis-installation' do
version redis['version'] if redis['version']
download_url location
safe_install redis['safe_install']
install_dir redis['install_dir'] if redis['install_dir']
end
end
include_recipe 'ulimit::default'

4
cookbooks/redisio/recipes/redis_gem.rb Normal file
View File

@ -0,0 +1,4 @@
gem_package node['redisio']['gem']['name'] do
version node['redisio']['gem']['version'] unless node['redisio']['gem']['version'].nil?
action :install
end

78
cookbooks/redisio/recipes/sentinel.rb Normal file
View File

@ -0,0 +1,78 @@
include_recipe 'redisio::_install_prereqs'
include_recipe 'redisio::install'
include_recipe 'ulimit::default'
redis = node['redisio']
sentinel_instances = redis['sentinels']
if sentinel_instances.nil?
sentinel_instances = [
{
'sentinel_port' => '26379',
'name' => 'mycluster',
'masters' => [
{
'master_name' => 'mycluster_master',
'master_ip' => '127.0.0.1',
'master_port' => '6379',
},
],
},
]
end
redisio_sentinel 'redis-sentinels' do
version redis['version'] if redis['version']
sentinel_defaults redis['sentinel_defaults']
sentinels sentinel_instances
base_piddir redis['base_piddir']
end
bin_path = if node['redisio']['install_dir']
::File.join(node['redisio']['install_dir'], 'bin')
else
node['redisio']['bin_path']
end
template '/lib/systemd/system/redis-sentinel@.service' do
source 'redis-sentinel@.service'
variables(
bin_path: bin_path,
limit_nofile: redis['default_settings']['maxclients'] + 32
)
only_if { node['redisio']['job_control'] == 'systemd' }
end
# Create a service resource for each sentinel instance, named for the port it runs on.
sentinel_instances.each do |current_sentinel|
sentinel_name = current_sentinel['name']
case node['redisio']['job_control']
when 'initd'
service "redis_sentinel_#{sentinel_name}" do
# don't supply start/stop/restart commands, Chef::Provider::Service::*
# do a fine job on it's own, and support systemd correctly
supports start: true, stop: true, restart: true, status: false
end
when 'upstart'
service "redis_sentinel_#{sentinel_name}" do
provider Chef::Provider::Service::Upstart
start_command "start redis_sentinel_#{sentinel_name}"
stop_command "stop redis_sentinel_#{sentinel_name}"
restart_command "restart redis_sentinel_#{sentinel_name}"
supports start: true, stop: true, restart: true, status: false
end
when 'systemd'
service "redis-sentinel@#{sentinel_name}" do
provider Chef::Provider::Service::Systemd
supports start: true, stop: true, restart: true, status: true
end
when 'rcinit'
service "redis_sentinel_#{sentinel_name}" do
provider Chef::Provider::Service::Freebsd
supports start: true, stop: true, restart: true, status: true
end
else
Chef::Log.error('Unknown job control type, no service resource created!')
end
end

38
cookbooks/redisio/recipes/sentinel_enable.rb Normal file
View File

@ -0,0 +1,38 @@
sentinel_instances = node['redisio']['sentinels']
if sentinel_instances.nil?
sentinel_instances = [
{
'sentinel_port' => '26379',
'name' => 'mycluster',
'master_ip' => '127.0.0.1',
'master_port' => '6379',
},
]
end
execute 'reload-systemd-sentinel' do
command 'systemctl daemon-reload'
only_if { node['redisio']['job_control'] == 'systemd' }
action :nothing
end
sentinel_instances.each do |current_sentinel|
sentinel_name = current_sentinel['name']
resource_name = if node['redisio']['job_control'] == 'systemd'
"service[redis-sentinel@#{sentinel_name}]"
else
"service[redis_sentinel_#{sentinel_name}]"
end
resource = resources(resource_name)
resource.action Array(resource.action)
resource.action << :start
if node['redisio']['job_control'] != 'systemd'
resource.action << :enable
else
link "/etc/systemd/system/multi-user.target.wants/redis-sentinel@#{sentinel_name}.service" do
to '/usr/lib/systemd/system/redis-sentinel@.service'
notifies :run, 'execute[reload-systemd-sentinel]', :immediately
end
end
end

12
cookbooks/redisio/resources/configure.rb Normal file
View File

@ -0,0 +1,12 @@
actions :run
default_action :run
# Configuration attributes
attribute :version, kind_of: String
attribute :base_piddir, kind_of: String, default: '/var/run/redis'
attribute :user, kind_of: String, default: 'redis'
attribute :group, kind_of: String, default: 'redis'
attribute :default_settings, kind_of: Hash
attribute :servers, kind_of: Array

13
cookbooks/redisio/resources/install.rb Normal file
View File

@ -0,0 +1,13 @@
actions :run
default_action :run
# Installation attributes
attribute :version, kind_of: String
attribute :download_url, kind_of: String
attribute :download_dir, kind_of: String, default: Chef::Config[:file_cache_path]
attribute :artifact_type, kind_of: String, default: 'tar.gz'
attribute :base_name, kind_of: String, default: 'redis-'
attribute :safe_install, kind_of: [TrueClass, FalseClass], default: true
attribute :install_dir, kind_of: String, default: nil

11
cookbooks/redisio/resources/sentinel.rb Normal file
View File

@ -0,0 +1,11 @@
actions :run
default_action :run
# Configuration attributes
attribute :version, kind_of: String
attribute :base_piddir, kind_of: String, default: '/var/run/redis'
attribute :user, kind_of: String, default: 'redis'
attribute :sentinel_defaults, kind_of: Hash
attribute :sentinels, kind_of: Array

12
cookbooks/redisio/templates/default/redis-sentinel@.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Redis persistent key-value database
After=network.target
[Service]
ExecStart=<%= @bin_path %>/redis-server /etc/redis/sentinel_%i.conf --sentinel --daemonize no
User=redis
Group=redis
LimitNOFILE=<%= @limit_nofile %>
[Install]
WantedBy=multi-user.target

1039
cookbooks/redisio/templates/default/redis.conf.erb Normal file
View File

File diff suppressed because it is too large Load Diff

96
cookbooks/redisio/templates/default/redis.init.erb Normal file
View File

@ -0,0 +1,96 @@
#!/bin/sh
#
# Simple Redis init.d script conceived to work on Linux systems
# as it does use of the /proc filesystem.
#
# description: Redis is an in memory key-value store database
#
### BEGIN INIT INFO
# Provides: redis<%= @port %>
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Required-Start: <%= @required_start %>
# Required-Stop: <%= @required_stop %>
# Description: redis<%= @port %> init script
### END INIT INFO
REDISNAME=<%= @name %>
REDISPORT=<%= @port %>
<% case @platform %>
<% when 'ubuntu','debian','fedora' %>
EXEC="su -s /bin/sh -c '<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${REDISNAME}.conf' <%= @user %>"
<% else %>
EXEC="runuser <%= @user %> -c \"<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${REDISNAME}.conf\""
<% end %>
CLIEXEC=<%= File.join(@bin_path, 'redis-cli') %>
<% connection_string = String.new %>
<% if @unixsocket.nil? %>
<% connection_string << " -p #{@port}" %>
<% connection_string << " -h #{@address.respond_to?(:first) ? @address.first : @address }" if @address %>
<% else %>
<% connection_string << " -s #{@unixsocket}" %>
<% end %>
<% connection_string << " -a '#{@requirepass}'" unless @requirepass.nil? %>
PIDFILE=<%= @piddir %>/redis_${REDISNAME}.pid
if [ ! -d <%= @piddir %> ]; then
mkdir -p <%= @piddir %>
chown <%= @user %> <%= @piddir %>
fi
ulimit -n <%= @ulimit %>
case "$1" in
status)
if [ -f $PIDFILE ]
then
echo "redis$REDISNAME $PIDFILE exists, pid is $(cat $PIDFILE), should be running"
ps -p $(cat $PIDFILE) >/dev/null 2>&1
exit $?
else
echo "redis$REDISNAME $PIDFILE doesn't exist"
exit 3
fi
;;
start)
if [ -f $PIDFILE ]
then
echo "$PIDFILE exists, process is already running or crashed"
PIDNUM=`cat $PIDFILE`
PROCESS_RUNNING=`ps --no-headers -q $PIDNUM | wc -l`
if [ ! $PROCESS_RUNNING -eq 1 ]
then
echo "The PID doesn't exists, restarting it."
rm $PIDFILE
eval $EXEC
fi
else
echo "Starting Redis server..."
eval $EXEC
fi
;;
stop)
if [ ! -f $PIDFILE ]
then
echo "$PIDFILE does not exist, process is not running"
else
PID=$(cat $PIDFILE)
echo "Stopping ..."
<%= "$CLIEXEC #{connection_string} save" if @shutdown_save %>
$CLIEXEC <%= connection_string %> shutdown
while [ -x /proc/${PID} ]
do
echo "Waiting for Redis to shutdown ..."
sleep 1
done
echo "Redis stopped"
fi
;;
*)
echo "Please use start or stop as first argument"
;;
esac

69
cookbooks/redisio/templates/default/redis.rcinit.erb Normal file
View File

@ -0,0 +1,69 @@
#!/bin/sh
#
#
# PROVIDE: redis<%= @name %>
# REQUIRE: LOGIN
# BEFORE: securelevel
# KEYWORD: shutdown
# Add the following line to /etc/rc.conf to enable `redis':
#
#redis<%= @name %>_enable="YES"
#
# Define profiles here to run separate redis instances:
#
#redis_profiles="foo bar" # Script uses /usr/local/etc/redis-NAME.conf respectively.
# For correct script working please update pidfile entries in
# redis-NAME.conf files.
. /etc/rc.subr
name="redis<%= @name %>"
rcvar="${name}_enable"
extra_commands="reload"
command="<%= File.join(@bin_path, 'redis-server') %>"
pidfile="<%= @piddir %>/redis_<%=@name%>.pid"
# read configuration and set defaults
load_rc_config "$name"
: ${redis<%= @name %>_enable="NO"}
: ${redis_user="<%= @user %>"}
: ${redis_config="<%= @configdir %>/<%= @name %>.conf"}
command_args="${redis_config}"
required_files="${redis_config}"
_profile_exists() {
for _p in ${redis_profiles}; do
[ "${_p}" = "$1" ] && return 1;
done
return 0
}
if [ $# -eq 2 ]; then
_profile=$2
_profile_exists $_profile
_exists=$?
[ ${_exists} -ne 1 ] && {
echo "`basename /usr/local/etc/rc.d/redis`: no '$2' in 'redis_profiles'"
exit 1
};
echo "-- Profile: ${name} --"
config_file="/usr/local/etc/redis/${name}.conf"
command_args="${config_file}"
pidfile="<%= @piddir %>/${name}.pid"
required_files="${config_file}"
elif [ -n "${redis_profiles}" ]; then
_swap=$*; shift; _profiles=$*
_profiles=${_profiles:-${redis_profiles}}
set -- ${_swap}
for _profile in ${_profiles}; do
/usr/local/etc/rc.d/redis $1 ${_profile}
done
exit 0
fi
run_rc_command "$1"

19
cookbooks/redisio/templates/default/redis.upstart.conf.erb Normal file
View File

@ -0,0 +1,19 @@
description "Start the redis instance on port <%= @port %>"
author "Installed by chef redisio cookbook"
#start on runlevel [2345]
stop on runlevel [06]
script
if [ ! -d <%= @piddir %> ]; then
mkdir -p <%= @piddir %>
chown <%= @user %>:<%= @group %> <%= @piddir %>
fi
end script
# If the job exits, restart it. Give up with more than 10 restarts in 30 seconds.
respawn
respawn limit 10 30
exec su -s /bin/sh -c 'exec "$0" "$@"' <%= @user %> <%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/<%= @name %>.conf

12
cookbooks/redisio/templates/default/redis@.service.erb Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Redis (%i) persistent key-value database
After=network.target
[Service]
ExecStart=<%= @bin_path %>/redis-server /etc/redis/%i.conf --daemonize no
User=<%= @user %>
Group=<%= @group %>
LimitNOFILE=<%= @limit_nofile %>
[Install]
WantedBy=multi-user.target

199
cookbooks/redisio/templates/default/sentinel.conf.erb Normal file
View File

@ -0,0 +1,199 @@
# Example sentinel.conf
# redisio Cookbook additions
<% if @job_control == 'initd' || @job_control == 'rcinit' %>
daemonize yes
<% end %>
pidfile <%= @piddir %>/sentinel_<%=@name%>.pid
loglevel <%=@loglevel%>
syslog-enabled <%= @syslogenabled %>
syslog-ident redis-<%= @name %>
syslog-facility <%= @syslogfacility %>
<%= "logfile #{@logfile}" unless @logfile.nil? %>
# bind sentinel IP
<% if @sentinel_bind %>
bind <%=@sentinel_bind%>
<% end %>
# port <sentinel-port>
# The port that this sentinel instance will run on
port <%=@sentinel_port%>
# sentinel announce-ip <ip>
# sentinel announce-port <port>
#
# The above two configuration directives are useful in environments where,
# because of NAT, Sentinel is reachable from outside via a non-local address.
#
# When announce-ip is provided, the Sentinel will claim the specified IP address
# in HELLO messages used to gossip its presence, instead of auto-detecting the
# local address as it usually does.
#
# Similarly when announce-port is provided and is valid and non-zero, Sentinel
# will announce the specified TCP port.
#
# The two options don't need to be used together, if only announce-ip is
# provided, the Sentinel will announce the specified IP and the server port
# as specified by the "port" option. If only announce-port is provided, the
# Sentinel will announce the auto-detected local IP and the specified port.
#
# Example:
#
# sentinel announce-ip 1.2.3.4
<%= "sentinel announce-ip #{@announce_ip}" unless @announce_ip.nil? %>
<%= "sentinel announce-port #{@announce_port}" unless @announce_port.nil? %>
# sentinel monitor <master-name> <ip> <redis-port> <quorum>
#
# Tells Sentinel to monitor this slave, and to consider it in O_DOWN
# (Objectively Down) state only if at least <quorum> sentinels agree.
#
# Note: master name should not include special characters or spaces.
# The valid charset is A-z 0-9 and the three characters ".-_".
# sentinel monitor mymaster 127.0.0.1 6379 2
<% @masters.each do |current| %>
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
<%= "sentinel monitor #{calc_name} #{current['master_ip']} #{current['master_port']} #{current['quorum_count']}" %>
<% end %>
# sentinel auth-pass <master-name> <password>
#
# Set the password to use to authenticate with the master and slaves.
# Useful if there is a password set in the Redis instances to monitor.
#
# Note that the master password is also used for slaves, so it is not
# possible to set a different password in masters and slaves instances
# if you want to be able to monitor these instances with Sentinel.
#
# However you can have Redis instances without the authentication enabled
# mixed with Redis instances requiring the authentication (as long as the
# password set is the same for all the instances requiring the password) as
# the AUTH command will have no effect in Redis instances with authentication
# switched off.
#
# Example:
#
# sentinel auth-pass mymaster MySUPER--secret-0123passw0rd
<% @masters.each do |current| %>
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
<%= "sentinel auth-pass #{calc_name} #{current['auth_pass']}" unless current['auth_pass'].nil? %>
<% end %>
# sentinel down-after-milliseconds <master-name> <milliseconds>
#
# Number of milliseconds the master (or any attached slave or sentinel) should
# be unreachable (as in, not acceptable reply to PING, continuously, for the
# specified period) in order to consider it in S_DOWN state (Subjectively
# Down).
#
# Default is 30 seconds.
<% @masters.each do |current| %>
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
<%= "sentinel down-after-milliseconds #{calc_name} #{current['down_after_milliseconds']}" unless current['down_after_milliseconds'].nil? %>
<% end %>
# sentinel parallel-syncs <master-name> <numslaves>
#
# How many slaves we can reconfigure to point to the new slave simultaneously
# during the failover. Use a low number if you use the slaves to serve query
# to avoid that all the slaves will be unreachable at about the same
# time while performing the synchronization with the master.
<% @masters.each do |current| %>
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
<%= "sentinel parallel-syncs #{calc_name} #{current['parallel_syncs']}" unless current['parallel_syncs'].nil? %>
<% end %>
# sentinel failover-timeout <master-name> <milliseconds>
#
# Specifies the failover timeout in milliseconds. When this time has elapsed
# without any progress in the failover process, it is considered concluded by
# the sentinel even if not all the attached slaves were correctly configured
# to replicate with the new master (however a "best effort" SLAVEOF command
# is sent to all the slaves before).
#
# Also when 25% of this time has elapsed without any advancement, and there
# is a leader switch (the sentinel did not started the failover but is now
# elected as leader), the sentinel will continue the failover doing a
# "takeover".
#
# Default is 15 minutes.
<% @masters.each do |current| %>
<% calc_name = String(current['master_name'] || @name || 'master_name') %>
<%= "sentinel failover-timeout #{calc_name} #{current['failover_timeout']}" unless current['failover_timeout'].nil? %>
<% end %>
<% if @version[:major].to_i == 2 && @version[:minor].to_i >= 8 || @version[:major].to_i > 3 %>
# SCRIPTS EXECUTION
#
# sentinel notification-script and sentinel reconfig-script are used in order
# to configure scripts that are called to notify the system administrator
# or to reconfigure clients after a failover. The scripts are executed
# with the following rules for error handling:
#
# If script exists with "1" the execution is retried later (up to a maximum
# number of times currently set to 10).
#
# If script exists with "2" (or an higher value) the script execution is
# not retried.
#
# If script terminates because it receives a signal the behavior is the same
# as exit code 1.
#
# A script has a maximum running time of 60 seconds. After this limit is
# reached the script is terminated with a SIGKILL and the execution retried.
# NOTIFICATION SCRIPT
#
# sentinel notification-script <master-name> <script-path>
#
# Call the specified notification script for any sentienl event that is
# generated in the WARNING level (for instance -sdown, -odown, and so forth).
# This script should notify the system administrator via email, SMS, or any
# other messaging system, that there is something wrong with the monitored
# Redis systems.
#
# The script is called with just two arguments: the first is the event type
# and the second the event description.
#
# The script must exist and be executable in order for sentinel to start if
# this option is provided.
#
# Example:
#
# sentinel notification-script mymaster /var/redis/notify.sh
<%= "sentinel notification-script #{@name} #{@notification_script}" unless @notification_script.nil? %>
# CLIENTS RECONFIGURATION SCRIPT
#
# sentinel client-reconfig-script <master-name> <script-path>
#
# When the failover starts, ends, or is aborted, a script can be called in
# order to perform application-specific tasks to notify the clients that the
# configuration has changed and the master is at a different address.
#
# The script is called in the following cases:
#
# Failover started (a slave is already promoted)
# Failover finished (all the additional slaves already reconfigured)
# Failover aborted (in that case the script was previously called when the
# failover started, and now gets called again with swapped
# addresses).
#
# The following arguments are passed to the script:
#
# <master-name> <role> <state> <from-ip> <from-port> <to-ip> <to-port>
#
# <state> is "start", "end" or "abort"
# <role> is either "leader" or "observer"
#
# The arguments from-ip, from-port, to-ip, to-port are used to communicate
# the old address of the master and the new address of the elected slave
# (now a master) in the case state is "start" or "end".
#
# For abort instead the "from" is the address of the promoted slave and
# "to" is the address of the original master address, since the failover
# was aborted.
#
# This script should be resistant to multiple invocations.
#
# Example:
#
# sentinel client-reconfig-script mymaster /var/redis/reconfig.sh
<%= "sentinel client-reconfig-script #{@name} #{@client_reconfig_script}" unless @client_reconfig_script.nil? %>
<% end %>

78
cookbooks/redisio/templates/default/sentinel.init.erb Normal file
View File

@ -0,0 +1,78 @@
#!/bin/sh
#
# Simple Redis init.d script conceived to work on Linux systems
# as it does use of the /proc filesystem.
#
# description: Redis is an in memory key-value store database
#
### BEGIN INIT INFO
# Provides: redissentinel_<%=@name%>
# Required-Start:
# Required-Stop:
# Should-Start:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description:
# Description: redissentinel_<%=@name%> init script
### END INIT INFO
SENTINELNAME=<%= @name %>
<% case @platform %>
<% when 'ubuntu','debian','fedora' %>
EXEC="su -s /bin/sh -c '<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${SENTINELNAME}.conf --sentinel' <%= @user %>"
<% else %>
EXEC="runuser <%= @user %> -c \"<%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/${SENTINELNAME}.conf --sentinel\""
<% end %>
CLIEXEC=<%= File.join(@bin_path, 'redis-cli') %>
PIDFILE=<%= @piddir %>/${SENTINELNAME}.pid
if [ ! -d <%= @piddir %> ]; then
mkdir -p <%= @piddir %>
chown <%= @user %> <%= @piddir %>
fi
case "$1" in
status)
if [ -f $PIDFILE ]
then
echo "redis$SENTINELNAME $PIDFILE exists, pid is $(cat $PIDFILE), should be running"
ps -p $(cat $PIDFILE) >/dev/null 2>&1
exit $?
else
echo "redis$SENTINELNAME $PIDFILE doesn't exist"
exit 3
fi
;;
start)
if [ -f $PIDFILE ]
then
echo "$PIDFILE exists, process is already running or crashed"
else
echo "Starting Redis server..."
eval $EXEC
fi
;;
stop)
if [ ! -f $PIDFILE ]
then
echo "$PIDFILE does not exist, process is not running"
else
PID=$(cat $PIDFILE)
echo "Stopping ..."
kill ${PID}
while [ -x /proc/${PID} ]
do
echo "Waiting for Redis to shutdown ..."
sleep 1
done
echo "Redis stopped"
fi
;;
*)
echo "Please use start or stop as first argument"
;;
esac

39
cookbooks/redisio/templates/default/sentinel.rcinit.erb Normal file
View File

@ -0,0 +1,39 @@
#!/bin/sh
# PROVIDE: sentinel_<%=@name%>
# REQUIRE: LOGIN
# BEFORE: securelevel
# KEYWORD: shutdown
# Add the following line to /etc/rc.conf to enable `sentinel':
#
#redis_<%= @name %>_enable="YES"
#
. /etc/rc.subr
name="redis_<%= @name %>"
rcvar="${name}_enable"
command="<%= File.join(@bin_path, 'redis-sentinel') %>"
pidfile="<%= @piddir %>/<%=@name%>.pid"
# read configuration and set defaults
load_rc_config "$name"
: ${sentinel_enable="NO"}
: ${sentinel_user="<%= @user %>"}
: ${sentinel_config="<%= @configdir %>/<%= @name %>.conf"}
command_args="${sentinel_config} --daemonize yes --pidfile ${pidfile}"
required_files="${sentinel_config}"
start_precmd="sentinel_checks"
restart_precmd="sentinel_checks"
sentinel_checks()
{
if [ x`id -u ${sentinel_user}` != x`stat -f %u ${sentinel_config}` ]; then
err 1 "${sentinel_config} must be owned by user ${sentinel_user}"
fi
}
run_rc_command "$1"

19
cookbooks/redisio/templates/default/sentinel.upstart.conf.erb Normal file
View File

@ -0,0 +1,19 @@
description "Start the redis-sentinel instance on port <%= @port %>"
author "Installed by chef redisio cookbook"
#start on runlevel [2345]
stop on runlevel [06]
script
if [ ! -d <%= @piddir %> ]; then
mkdir -p <%= @piddir %>
chown <%= @user %>:<%= @group %> <%= @piddir %>
fi
end script
# If the job exits, restart it. Give up with more than 10 restarts in 30 seconds.
respawn
respawn limit 10 30
exec su -s /bin/sh -c 'exec "$0" "$@"' -- <%= @user %> <%= File.join(@bin_path, 'redis-server') %> <%= @configdir %>/<%= @name %>.conf --sentinel

221
cookbooks/selinux_policy/CHANGELOG.md Normal file
View File

@ -0,0 +1,221 @@
# selinux_policy CHANGELOG
This file is used to changes made in each version of the selinux_policy cookbook.
## 2.4.3 (2020-08-07)
- Ship the correct license file since this cookbook was relicensed - [@tas50](https://github.com/tas50)
- Update testing configs - [@tas50](https://github.com/tas50)
- Update the maintainer to be Chef Software - [@tas50](https://github.com/tas50)
## 2.4.2 (2020-08-07)
- Make sure the `setpersist` action runs by default not `set` to match the docs.
## 2.4.1 - 2020-05-14
- resolved cookstyle error: resources/module.rb:26:35 convention: `Layout/TrailingWhitespace`
- resolved cookstyle error: resources/module.rb:26:36 refactor: `ChefModernize/FoodcriticComments`
## [2.4.0] - 2020-02-13
- Fix port_defined helper function for Centos 8 compatibility
- Test fixes
## [2.3.6] - 2020-01-26
- Fix issue on use_selinux function
- Migrate to github actions
- Resolved ChefStyle/ImmediateNotificationTiming: Use :immediately instead of :immediate for resource notification timing notifies
## [2.3.5] - 2019-02-15
- Fix resource failure in permissive.rb Caused by [#96](https://github.com/sous-chefs/selinux_policy/pull/96)
- Migrated testing to circleci
## [2.3.4] - 2019-02-07
- Fix `shell_out` to use an actual shell. Caused by [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
## [2.3.3] - 2019-02-06
- Perform relabel (restorecon) using xargs while still supporting regexes. Fixes [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
## [2.3.2] - 2018-11-29
- Cache which helper method calls
## [2.3.1] - 2018-11-29
- Use `chef/mixin/which` to locate selinux binaries. Fixes [#85](https://github.com/sous-chefs/selinux_policy/issues/85) & [#93](https://github.com/sous-chefs/selinux_policy/issues/93)
## [2.3.0] - 2018-11-27
- Further fixes for the earlier refactoring
- Repair CI jobs
## [2.2.0] - 2018-11-21
- Large refactoring to helpers and resources
- Add RHEL-8 packages
## [2.1.0] - 2018-04-12
- Port definition methods to check for already defined ports
- Cleanup resource cloning
- Deprecate support for Chef 12.x now it's EOL
- Fix Foodcritic warnings & update test platforms
## 2.0.1 - 2017-04-21
- Perform relabel (restorecon) using find to support regexes
## 2.0.0 - 2017-02-23
- This cookbook has been moved to the Sous Chefs org. See sous-chefs.org for more information
- Require Chef 12.1 or later
- Use compat_resource instead of requiring yum
- Don't install yum::dnf_yum_compat on Fedora since Chef has DNF support now
- Don't define attributes in the metadata as these aren't used
- Remove the Vagrantfile
- Add chef_version requirements to the metadata
- Test with ChefDK / Rake in Travis instead of gems
- Resolve Foodcritic, Cookstyle, and Chefspec warnings
## 1.1.1
- [7307850] (Adam Ward) Silence fcontext guard output
- [ad71437] (nitz) Restorecon is now done via shell_out
- [fa30813] (James Le Cuirot) Change yum dependency to ~> 4.0
- [cd9a8da] (nitz) Removed selinux enforcing from kitchen, unified runlists
## 1.1.0
- [daften] Added `file_type` for fcontext
## 1.0.1
- [backslasher] - Foodcritic and rubocop improvements
## 1.0.0
- [equick] - Validating ports better
- [backslasher] - FContext relabling for flies is now immediate. (Possibly breaking)
- [backslasher] - testing made slightly more elegant
## 0.9.6
- [jhmartin] - Updated README
- [backslasher] - Major revision of testing
## 0.9.5
- [backslasher] - Modified yum dependency
## 0.9.4
- [mhorbul] - Fixed state detection in boolean resource
## 0.9.3
- [backlsasher] - Fixed testing & kitchen
- [jbartko] - Added Fedora support
## 0.9.2
- [backslasher] - Ignoring nonexisting files in restorecon
## 0.9.1
- [backslasher] - Fixed issue with module being partially executed on machines with SELinux disabled
## 0.9.0
- [backslasher] - module overhaul: code refactoring, supporting new input, testing, new actions
- [backslasher] - fcontext overhaul: code refactoring, testing, new action
**Note**: I don't think I have any breaking changes here. If there are, I apologise and request that you create an issue with a test recipe that fails on the problem (so I can reproduce)
## 0.8.1
- [backslasher] - Added Travis CI harness
- [backslasher] - Fixed typo in README
## 0.8.0
- [backslasher] - Test overhaul. Now testing is somewhat reliable when using ports
- [backslasher] - Port search is a function
- [backslasher] - Port detection now supports ranges. No possibility to add ranges (yet)
## 0.7.2
- [shortdudey123] - ChefSpec matchers, helps testing
## 0.7.1
- [backslasher] - Forgot contributor
## 0.7.0
- [chewi] - Fixed prereq packages
- [backslasher] - Modified misleading comment
- [chewi] - Move helpers into a cookbook-specific module
- [chewi] - Prevent use_selinux from blowing up on systems without getenforce
## 0.6.5
- [backslasher] - Ubuntu installation warning
## 0.6.4
- [sauraus] - CentOS 7 support
- [sauraus] - Typos
## 0.6.3
- [backslasher] - Readme updates
- [kevans] - Added kitchen testing
## 0.6.2
- [kevans] - Support Chef 11.8.0 running shellout!()
- [backslasher] - Simplified support info
- [backslasher] - ASCIIed files
## 0.6.1
- [backslasher] - Migrated to `only_if` instead of if
- [backslasher] - README typos
## 0.6.0
- [joerg] - Added fcontext resource for managing file contexts under SELinux
## 0.5.0
- [backslasher] - Added RHEL5/derivatives support. Thanks to @knightorc.
- **Cookbook will break on RHEL7\. If anyone experiences this, please check required packages and create an issue/PR**
- [backslasher] - Machines without SELinux are (opionally) supported. Thanks to @knightroc.
## 0.4.0
- [backlasher] - Fixed foodcritic errors
## 0.3.0
- [backlasher] - Fixed `install.rb` syntax. Now it actually works
## 0.2.0
- [backlasher] - Added module resource. Currently supports deployment and removal (because that's what I need)
- [backlasher] - Added permissive resource
## 0.1.0
- [backlasher] - Initial release of selinuxpolicy
[2.3.2]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.1...v2.3.2
[2.3.1]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.0...v2.3.1
[2.3.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.2.0...v2.3.0
[2.2.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.1.0...v2.2.0
[2.1.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.0.1...v2.1.0

4
cookbooks/selinux_policy/CONTRIBUTING.md Normal file
View File

@ -0,0 +1,4 @@
# Contributing
Please refer to
[https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)

209
cookbooks/selinux_policy/README.md Normal file
View File

@ -0,0 +1,209 @@
# selinux_policy Cookbook
[![Cookbook Version](https://img.shields.io/cookbook/v/selinux_policy.svg)](https://supermarket.chef.io/cookbooks/selinux_policy)
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
This cookbook can be used to manage SELinux policies and components (rather than just enable / disable enforcing). I made it because I needed some SELinux settings done, and the `execute`s started to look annoying.
## Requirements
Needs an SELinux policy active (so its values can be managed). Can work with a disabled SELinux system (see attribute `allow_disabled`), which will generate warnings and do nothing (but won't break the run). Also requires SELinux's management tools, namely `semanage`, `setsebool` and `getsebool`. Tools are installed by the `selinux_policy::install` recipe (for RHEL/Debian and the like).
### Chef Infra Client
- 13 or later
### Platforms
- rhel
- fedora
## Attributes
These attributes affect the way all of the resource behave.
- `node['selinux_policy']['allow_disabled']` - Whether to allow runs when SELinux is disabled. Will generate warnings, but the run won't fail. Defaults to `true`, set to `false` if you don't have any machines with disabled SELinux.
## Usage
- `selinux_policy::install` - Installs SELinux policy management tools
This cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook. Remember to add `depends 'selinux_policy'` to your `metadata.rb`.
### boolean
Represents an SELinux [boolean](http://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans). You can either `set` it, meaning it will be changed without persistence (it will revert to default in the next reboot), or `setpersist` it (default action), so it'll keep it value after rebooting. Using `setpersist` requires an active policy (so that the new value can be saved somewhere).
Properties:
- `name`: boolean's name. Defaults to resource name.
- `value`: Its new value (`true`/`false`).
- `force`: Use `setsebool` even if the current value agrees with the requested one.
Example usage:
```ruby
include_recipe 'selinux_policy::install'
selinux_policy_boolean 'httpd_can_network_connect' do
value true
# Make sure nginx is started if this value was modified
notifies :start,'service[nginx]', :immediate
end
```
**Note**: Due to ruby interperting `0` as `true`, using `value 0` is unwise.
### port
Allows assigning a network port to a certain SELinux context. As explained [here](http://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388), it can be useful for running Apache on a non-standard port.
Actions:
- `addormodify` (default): Assigns the port to the right context, whether it's already listed another context or not at all.
- `add`: Assigns the port to the right context it's if not listed (only uses `-a`).
- `modify`: Changes the port's context if it's already listed (only uses `-m`).
- `delete`: Removes the port's context if it's listed (uses `-d`).
Properties:
- `port`: The port in question, defaults to resource name.
- `protocol`: `tcp`/`udp`.
- `secontext`: The SELinux context to assign the port to. Unnecessary when using `delete`.
Example usage:
```ruby
include_recipe 'selinux_policy::install'
# Allow nginx to bind to port 5678, by giving it the http_port_t context
selinux_policy_port '5678' do
protocol 'tcp'
secontext 'http_port_t'
end
```
### module
Manages SEModules
Actions:
- `fetch`: Prepares the module's files for compilation. Allow `remote_directory`-like behavior
- `compile`: Translates a module source directory into a `NAME.pp` file. Uses `make` logic for idempotence.
- `install`: Adds a compiled module (`pp`) to the current policy. Only installs if the module was modified this run, `force` is enabled or it's missing from the current policy. **Note:** I wish I could compare the existing module to the one generated, but the `extract` capability was only added in [Aug 15](https://github.com/SELinuxProject/selinux/commit/65c6325271b54d3de9c17352a57d469dfbd12729). I'll be happy to see a better idea.
- `deploy` (default): Runs `fetch`, `compile`, `install` in that order.
- `remove`: Removes a module.
Properties:
- `name`: The module name. Defaults to resource name.
- `directory`: Directory where module is stored. Defaults to a directory inside the Chef cache.
- `content`: The module content, can be extracted from `audit2allow -m NAME`. This can be used to create simple modules without using external files.
- `directory_source`: Copies files cookbook to the module directory (uses `remote_directory`). Allows keeping all of the module's source files in the cookbook. **Note:** You can pre-create the module directory and populate it in any other way you'd choose.
- `cookbook`: Modifies the source cookbook for the `remote_directory`.
- `force`: Installs the module even if it seems fine. Ruins idempotence but should help solve some weird cases.
Example usage:
```ruby
include_recipe 'selinux_policy::install'
# Allow openvpn to write/delete in '/etc/openvpn'
selinux_policy_module 'openvpn-googleauthenticator' do
content <<-eos
module dy-openvpn-googleauthenticator 1.0;
require {
type openvpn_t;
type openvpn_etc_t;
class file { write unlink };
}
#============= openvpn_t ==============
allow openvpn_t openvpn_etc_t:file { write unlink };
eos
action :deploy
end
```
### fcontext
Allows managing the SELinux context of files. This can be used to grant SELinux-protected daemons access to additional / moved files.
Actions:
- `addormodify` (default): Assigns the file regexp to the right context, whether it's already listed another context or not at all.
- `add`: Assigns the file regexp to the right context it's if not listed (only uses -a).
- `modify`: Changes the file regexp context if it's already listed (only uses -m).
- `delete`: Removes the file regexp context if it's listed (uses -d).
Properties:
- `file_spec`: This is the file regexp in question, defaults to resource name.
- `secontext`: The SELinux context to assign the file regexp to. Not required for `:delete`
- `file_type`: Restrict the fcontext to specific file types. See the table below for an overview. See also <https://en.wikipedia.org/wiki/Unix_file_types> for more info
- **a** All files
- **f** Regular files
- **d** Directory
- **c** Character device
- **b** Block device
- **s** Socket
- **l** Symbolic link
- **p** Namedpipe
Example usage (see mysql cookbook for example daemons ):
```ruby
include_recipe 'selinux_policy::install'
# Allow http servers (nginx/apache) to modify moodle files
selinux_policy_fcontext '/var/www/moodle(/.*)?' do
secontext 'httpd_sys_rw_content_t'
end
# Allow a custom mysql daemon to access its files.
{'mysqld_etc_t' => "/etc/mysql-#{service_name}(/.*)?",
'mysqld_etc_t' => "/etc/mysql-#{service_name}/my\.cnf",
'mysqld_log_t' => "/var/log/mysql-#{service_name}(/.*)?",
'mysqld_db_t' => "/opt/mysql_data_#{service_name}(/.*)?",
'mysqld_var_run_t' => "/var/run/mysql-#{service_name}(/.*)?",
'mysqld_initrc_exec_t' => "/etc/rc\.d/init\.d/mysql-#{service_name}"}.each do |sc, f|
selinux_policy_fcontext f do
secontext sc
end
end
# Adapt a symbolic link
selinux_policy_fcontext '/var/www/symlink_to_webroot' do
secontext 'httpd_sys_rw_content_t'
filetype 'l'
end
```
### permissive
Allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely.
Actions:
- `add`: Adds a permissive, unless it's already added
- `delete`: Deletes a permissive if it's listed
Example usage:
```ruby
include_recipe 'selinux_policy::install'
# Disable enforcement on Nginx
# As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
selinux_policy_permissive 'nginx' do
notifies :restart, 'service[nginx]'
end
```
## Original Author
[Nitzan Raz](https://github.com/BackSlasher) ([backslasher](http://backslasher.net))

108
cookbooks/selinux_policy/libraries/helpers.rb Normal file
View File

@ -0,0 +1,108 @@
class Chef
module SELinuxPolicy
module Helpers
require 'chef/mixin/shell_out'
include Chef::Mixin::ShellOut
# Checks if SELinux is disabled or otherwise unavailable and
# whether we're allowed to run when disabled
def use_selinux(allow_disabled)
begin
getenforce = shell_out!(getenforce_cmd)
rescue
selinux_disabled = true
else
selinux_disabled = getenforce.stdout =~ /disabled/i
end
# return false only when SELinux is disabled and it's allowed
return_val = !selinux_disabled || !(selinux_disabled && allow_disabled)
Chef::Log.warn('SELinux is disabled / unreachable, skipping') unless return_val
return_val
end
def sebool(new_resource, persist = false)
persist_string = persist ? '-P ' : ''
new_value = new_resource.value ? 'on' : 'off'
execute "selinux-setbool-#{new_resource.name}-#{new_value}" do
command "#{setsebool_cmd} #{persist_string} #{new_resource.name} #{new_value}"
not_if "#{getsebool_cmd} #{new_resource.name} | grep '#{new_value}$' >/dev/null" unless new_resource.force
only_if { use_selinux(new_resource.allow_disabled) }
end
end
def module_defined(name)
"#{semodule_cmd} -l | grep -w '^#{name}'"
end
def shell_boolean(expression)
expression ? 'true' : 'false'
end
def port_defined(protocol, port, label = nil)
base_command = "seinfo --portcon=#{port} | grep 'portcon #{protocol}' | awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'"
grep = if label
"grep -P '#{Regexp.escape(label)}'"
else
'grep -q ^'
end
"#{base_command} | #{grep}"
end
def validate_port(port)
raise ArgumentError, "port value: #{port} is invalid." unless port.to_s =~ /^\d+$/
end
def fcontext_defined(file_spec, file_type, label = nil)
file_hash = {
'a' => 'all files',
'f' => 'regular file',
'd' => 'directory',
'c' => 'character device',
'b' => 'block device',
's' => 'socket',
'l' => 'symbolic link',
'p' => 'named pipe',
}
label_matcher = label ? "system_u:object_r:#{Regexp.escape(label)}:s0\\s*$" : ''
"#{semanage_cmd} fcontext -l | grep -qP '^#{Regexp.escape(file_spec)}\\s+#{Regexp.escape(file_hash[file_type])}\\s+#{label_matcher}'"
end
def semanage_options(file_type)
# Set options for file_type
if node['platform_family'].include?('rhel') && Chef::VersionConstraint.new('< 7.0').include?(node['platform_version'])
case file_type
when 'a' then '-f ""'
when 'f' then '-f --'
else; "-f -#{file_type}"
end
else
"-f #{file_type}"
end
end
require 'chef/mixin/which'
include Chef::Mixin::Which
def setsebool_cmd
@setsebool_cmd ||= which('setsebool')
end
def getsebool_cmd
@getsebool_cmd ||= which('getsebool')
end
def getenforce_cmd
@getenforce_cmd ||= which('getenforce')
end
def semanage_cmd
@semanage_cmd ||= which('semanage')
end
def semodule_cmd
@semodule_cmd ||= which('semodule')
end
end
end
end

1
cookbooks/selinux_policy/metadata.json Normal file
View File

@ -0,0 +1 @@
{"name":"selinux_policy","version":"2.4.3","description":"Manages SELinux policy components","long_description":"","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"redhat":">= 0.0.0","centos":">= 0.0.0","fedora":">= 0.0.0","ubuntu":">= 0.0.0","debian":">= 0.0.0","amazon":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/sous-chefs/selinux_policy","issues_url":"https://github.com/sous-chefs/selinux_policy/issues","chef_version":[[">= 13.0"]],"ohai_version":[]}

16
cookbooks/selinux_policy/metadata.rb Normal file
View File

@ -0,0 +1,16 @@
name 'selinux_policy'
maintainer 'Chef Software, Inc.'
maintainer_email 'cookbooks@chef.io'
license 'Apache-2.0'
description 'Manages SELinux policy components'
source_url 'https://github.com/sous-chefs/selinux_policy'
issues_url 'https://github.com/sous-chefs/selinux_policy/issues'
chef_version '>= 13.0'
version '2.4.3'
supports 'redhat'
supports 'centos'
supports 'fedora'
supports 'ubuntu'
supports 'debian'
supports 'amazon'

1
cookbooks/selinux_policy/recipes/default.rb Normal file
View File

@ -0,0 +1 @@
# Nothing here

1
cookbooks/selinux_policy/recipes/install.rb Normal file
View File

@ -0,0 +1 @@
selinux_policy_install 'install'

19
cookbooks/selinux_policy/resources/boolean.rb Normal file
View File

@ -0,0 +1,19 @@
# A resource for managing SELinux Booleans
property :value, [true, false]
property :force, [true, false], default: false
property :allow_disabled, [true, false], default: true
# Set and persist
action :setpersist do
sebool(new_resource, true)
end
# Set for now, without persisting
action :set do
sebool(new_resource, false)
end
action_class do
include Chef::SELinuxPolicy::Helpers
end

71
cookbooks/selinux_policy/resources/fcontext.rb Normal file
View File

@ -0,0 +1,71 @@
# Manages file specs in SELinux
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
property :file_spec, String, name_property: true
property :secontext, String
property :file_type, String, default: 'a', equal_to: %w(a f d c b s l p)
property :allow_disabled, [true, false], default: true
action :addormodify do
run_action(:add)
run_action(:modify)
end
# Run restorecon to fix label
# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
action :relabel do
converge_by 'relabel' do
spec = new_resource.file_spec
escaped = Regexp.escape spec
common =
if spec == escaped
spec
else
index = spec.size.times { |i| break i if spec[i] != escaped[i] }
::File.dirname spec[0...index]
end
# Just in case the spec is very weird...
common = '/' if common[0] != '/'
if ::File.exist? common
shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 2>/dev/null | xargs -0 restorecon -iRv")
end
end
end
# Create if doesn't exist, do not touch if fcontext is already registered
action :add do
execute "selinux-fcontext-#{new_resource.secontext}-add" do
command "#{semanage_cmd} fcontext -a #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
only_if { use_selinux(new_resource.allow_disabled) }
notifies :relabel, new_resource, :immediately
end
end
# Delete if exists
action :delete do
execute "selinux-fcontext-#{new_resource.secontext}-delete" do
command "#{semanage_cmd} fcontext #{semanage_options(new_resource.file_type)} -d '#{new_resource.file_spec}'"
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
only_if { use_selinux(new_resource.allow_disabled) }
notifies :relabel, new_resource, :immediately
end
end
action :modify do
execute "selinux-fcontext-#{new_resource.secontext}-modify" do
command "#{semanage_cmd} fcontext -m #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
only_if { use_selinux(new_resource.allow_disabled) }
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
notifies :relabel, new_resource, :immediately
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
include Chef::Mixin::Which
end

32
cookbooks/selinux_policy/resources/install.rb Normal file
View File

@ -0,0 +1,32 @@
property :allow_disabled, [true, false], default: true
action :install do
case node['platform_family']
when 'debian'
raise 'Install SELinux manually on Ubuntu. See https://wiki.ubuntu.com/SELinux' if platform?('ubuntu')
execute 'selinux-activate' do
action :nothing
end
package %w(selinux-policy-default selinux-basics auditd) do
notifies :run, 'execute[selinux-activate]', :immediately
end
when 'rhel'
case node['platform_version'].to_i
when 6
package %w(policycoreutils-python selinux-policy setools-console make)
when 7
package %w(policycoreutils-python selinux-policy-devel setools-console make)
when 8
package %w(policycoreutils-python-utils selinux-policy-devel setools-console make)
else
raise 'Unknown version of RHEL/derivative, cannot determine required package names'
end
when 'fedora'
package %w(policycoreutils-python selinux-policy-devel setools-console make)
else
raise 'Unknown distro, cannot determine required package names'
end
end

75
cookbooks/selinux_policy/resources/module.rb Normal file
View File

@ -0,0 +1,75 @@
# A resource for managing SE modules
property :module_name, String, name_property: true
property :force, [true, false], default: false
property :directory, String, default: lazy { "#{Chef::Config[:file_cache_path]}/#{module_name}" } # content to work with. Defaults to autogenerated name in the Chef cache. Can be provided and pre-populated
# Content options:
property :content, String # provide a 'te' file directly. Optional
property :directory_source, String # Source directory for module source code. If specified, will use "remote_directory" on the directory specified as `directory`
property :cookbook, String # Related to directory
property :allow_disabled, [true, false], default: true
action :deploy do
run_action(:fetch)
run_action(:compile)
run_action(:install)
end
# Get all the components in the right place
action :fetch do
directory new_resource.directory do
only_if { use_selinux(new_resource.allow_disabled) }
end
raise 'dont specify both directory_source and content' if new_resource.directory_source && new_resource.content
if new_resource.directory_source
remote_directory new_resource.directory do
source new_resource.directory_source
cookbook new_resource.cookbook
only_if { use_selinux(new_resource.allow_disabled) }
end
end
if new_resource.content
file "#{new_resource.directory}/#{new_resource.module_name}.te" do
content new_resource.content
only_if { use_selinux(new_resource.allow_disabled) }
end
end
end
action :compile do
make_command = "/usr/bin/make -f /usr/share/selinux/devel/Makefile #{new_resource.module_name}.pp"
execute "semodule-compile-#{new_resource.module_name}" do
command make_command
not_if "#{make_command} -q", cwd: new_resource.directory # $? = 1 means make wants to execute http://www.gnu.org/software/make/manual/html_node/Running.html
only_if { use_selinux(new_resource.allow_disabled) }
cwd new_resource.directory
end
end
# deploy / upgrade module
# XXX this looks ugly because CentOS 6.X doesn't support extracting
# SELinux modules from the current policy, which I planned on comparing
# to my compiled file. I'll be happy to see anything else (that works).
action :install do
filename = "#{new_resource.directory}/#{new_resource.module_name}.pp"
execute "semodule-install-#{new_resource.module_name}" do
command "#{semodule_cmd} -i #{filename}"
only_if "#{shell_boolean(new_resource.updated_by_last_action? || new_resource.force)} || ! (#{module_defined(new_resource.module_name)}) "
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action :remove do
execute "semodule-remove-#{new_resource.module_name}" do
command "#{semodule_cmd} -r #{new_resource.module_name}"
only_if module_defined(new_resource.module_name)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end

25
cookbooks/selinux_policy/resources/permissive.rb Normal file
View File

@ -0,0 +1,25 @@
# a resource for managing selinux permissive contexts
property :allow_disabled, [true, false], default: true
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
execute "selinux-permissive-#{new_resource.name}-add" do
command "#{semanage_cmd} permissive -a '#{new_resource.name}'"
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
only_if { use_selinux(new_resource.allow_disabled) }
end
end
# Delete if exists
action :delete do
execute "selinux-port-#{new_resource.name}-delete" do
command "#{semanage_cmd} permissive -d '#{new_resource.name}'"
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end

50
cookbooks/selinux_policy/resources/port.rb Normal file
View File

@ -0,0 +1,50 @@
# Manages a port assignment in SELinux
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
property :port, [Integer, String], name_property: true
property :protocol, String, equal_to: %w(tcp udp)
property :secontext, String
property :allow_disabled, [true, false], default: true
action :addormodify do
# TODO: We can be a bit more clever here, and try to detect if it's already
# there then modify
# Try to add new port
run_action(:add)
# Try to modify existing port
run_action(:modify)
end
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
validate_port(new_resource.port)
execute "selinux-port-#{new_resource.port}-add" do
command "#{semanage_cmd} port -a -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
not_if port_defined(new_resource.protocol, new_resource.port)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
# Delete if exists
action :delete do
validate_port(new_resource.port)
execute "selinux-port-#{new_resource.port}-delete" do
command "#{semanage_cmd} port -d -p #{new_resource.protocol} #{new_resource.port}"
only_if port_defined(new_resource.protocol, new_resource.port)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action :modify do
execute "selinux-port-#{new_resource.port}-modify" do
command "#{semanage_cmd} port -m -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
only_if port_defined(new_resource.protocol, new_resource.port)
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end

21
doc/backups.md Normal file
View File

@ -0,0 +1,21 @@
Backup
======
## Backup gem
Backups are stored on AWS S3, in the `kosmos-dev-backups` bucket.
The S3 credentials as well as the backup password are stored in the
`credentials` data bag under the `backup` item.
### Restore
To decrypt a backup archive, use the following command:
openssl aes-256-cbc -d -base64 -pbkdf2 -in my_backup.tar.enc -out my_backup.tar
If you get an error message along the lines of "bad decrypt", the archive was
likely encrypted before we switched the key derivation scheme. Try without
`-pbkdf2` in this case:
openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar

2
nodes/akkounts-1.json
View File

@ -18,7 +18,7 @@
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos-postgresql::hostsfile",
"kosmos_postgresql::hostsfile",
"kosmos-akkounts",
"kosmos-akkounts::default",
"kosmos-akkounts::nginx",

21
nodes/bitcoin-2.json
View File

@ -18,16 +18,17 @@
"recipes": [
"kosmos-base",
"kosmos-base::default",
"tor-full",
"tor-full::default",
"kosmos-bitcoin::source",
"kosmos-bitcoin::c-lightning",
"kosmos-bitcoin::lnd",
"kosmos-bitcoin::rtl",
"kosmos-bitcoin::lndhub",
"kosmos-postgresql::hostsfile",
"kosmos-bitcoin::dotnet",
"kosmos-bitcoin::nbxplorer",
"kosmos-bitcoin::btcpay",
"tor-full",
"tor-full::default",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@ -52,6 +53,14 @@
"nodejs::repo",
"firewall::default",
"chef-sugar::default",
"redisio::default",
"redisio::_install_prereqs",
"redisio::install",
"ulimit::default",
"redisio::disable_os_default",
"redisio::configure",
"redisio::enable",
"kosmos-base::letsencrypt",
"kosmos-nginx::default",
"nginx::default",
"nginx::package",
@ -62,7 +71,8 @@
"nginx::commons_script",
"nginx::commons_conf",
"kosmos-nginx::firewall",
"kosmos-base::letsencrypt"
"backup::default",
"logrotate::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
@ -80,11 +90,12 @@
},
"run_list": [
"recipe[kosmos-base]",
"recipe[tor-full]",
"recipe[kosmos-bitcoin::source]",
"recipe[kosmos-bitcoin::c-lightning]",
"recipe[kosmos-bitcoin::lnd]",
"recipe[kosmos-bitcoin::rtl]",
"role[btcpay]",
"recipe[tor-full]"
"recipe[kosmos-bitcoin::lndhub]",
"role[btcpay]"
]
}

3
nodes/centaurus.kosmos.org.json
View File

@ -33,6 +33,8 @@
"kosmos_assets::nginx_site",
"kosmos_kvm::host",
"kosmos-ejabberd::firewall",
"kosmos_website",
"kosmos_website::default",
"kosmos_zerotier::firewall",
"sockethub::_firewall",
"apt::default",
@ -86,6 +88,7 @@
"recipe[kosmos_assets::nginx_site]",
"recipe[kosmos_kvm::host]",
"recipe[kosmos-ejabberd::firewall]",
"recipe[kosmos_website::default]",
"recipe[kosmos_zerotier::firewall]",
"recipe[sockethub::_firewall]"
]

10
nodes/postgres-2.json
View File

@ -8,17 +8,17 @@
"automatic": {
"fqdn": "postgres-2",
"os": "linux",
"os_version": "5.4.0-64-generic",
"os_version": "5.4.0-77-generic",
"hostname": "postgres-2",
"ipaddress": "192.168.122.244",
"roles": [
"postgresql_replica"
"postgresql_primary"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos-postgresql::replica",
"kosmos-postgresql::firewall",
"kosmos_postgresql::primary",
"kosmos_postgresql::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@ -52,4 +52,4 @@
"recipe[kosmos-base]",
"role[postgresql_primary]"
]
}
}

57
nodes/postgres-4.json Normal file
View File

@ -0,0 +1,57 @@
{
"name": "postgres-4",
"normal": {
"knife_zero": {
"host": "10.1.1.107"
}
},
"automatic": {
"fqdn": "postgres-4",
"os": "linux",
"os_version": "5.4.0-91-generic",
"hostname": "postgres-4",
"ipaddress": "192.168.122.3",
"roles": [
"postgresql_replica"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_postgresql::hostsfile",
"kosmos_postgresql::replica",
"kosmos_postgresql::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "17.7.29",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.7.29/lib",
"chef_effortless": null
},
"ohai": {
"version": "17.7.8",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.7.8/lib/ohai"
}
}
},
"run_list": [
"recipe[kosmos-base]",
"role[postgresql_replica]"
]
}

2
roles/postgresql_client.rb
View File

@ -3,5 +3,5 @@
name "postgresql_client"
run_list %w(
kosmos-postgresql::hostsfile
kosmos_postgresql::hostsfile
)

4
roles/postgresql_primary.rb
View File

@ -1,6 +1,6 @@
name "postgresql_primary"
run_list %w(
kosmos-postgresql::primary
kosmos-postgresql::firewall
kosmos_postgresql::primary
kosmos_postgresql::firewall
)

6
roles/postgresql_replica.rb
View File

@ -1,7 +1,7 @@
name "postgresql_replica"
run_list %w(
kosmos-postgresql::hostsfile
kosmos-postgresql::replica
kosmos-postgresql::firewall
kosmos_postgresql::hostsfile
kosmos_postgresql::replica
kosmos_postgresql::firewall
)

8
roles/redis_local.rb Normal file
View File

@ -0,0 +1,8 @@
name "redis_local"
run_list %w(
redisio::default
redisio::enable
)
default_attributes({})

8
site-cookbooks/backup/recipes/default.rb
View File

@ -32,6 +32,8 @@ gem_package 'backup' do
version '5.0.0.beta.2'
end
smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
backup_data = Chef::EncryptedDataBagItem.load('credentials', 'backup')
backup_dir = node["backup"]["dir"]
directory backup_dir
@ -46,8 +48,12 @@ template "#{backup_dir}/config.rb" do
s3_secret_access_key: backup_data["s3_secret_access_key"],
s3_region: backup_data["s3_region"],
encryption_password: backup_data["encryption_password"],
mail_from: "backups@kosmos.org",
mail_to: "ops@5apps.com",
mail_from: "backups@kosmos.org"
mail_address: 'smtp.mailgun.org',
mail_domain: 'kosmos.org',
mail_user_name: smtp_credentials["user_name"],
mail_password: smtp_credentials["password"]
end
template "#{backup_dir}/models/default.rb" do

22
site-cookbooks/backup/templates/default/config.rb.erb
View File

@ -6,6 +6,18 @@
# Documentation: http://backup.github.io/backup
# Issue Tracker: https://github.com/backup/backup/issues
#
# Monkey patch to not use deprecated key derivation scheme
# https://github.com/backup/backup/issues/949#issuecomment-589883577
#
module OpenSSLFixDeprecatedKeyDerivation
def options
super + ' -pbkdf2'
end
end
require 'backup/encryptor/open_ssl'
Backup::Encryptor::OpenSSL.prepend(OpenSSLFixDeprecatedKeyDerivation)
Storage::S3.defaults do |s3|
s3.access_key_id = "<%= @s3_access_key_id %>"
s3.secret_access_key = "<%= @s3_secret_access_key %>"
@ -22,7 +34,13 @@ end
Notifier::Mail.defaults do |mail|
mail.from = "<%= node.name %> <<%= @mail_from %>>"
mail.to = "<%= @mail_to %>"
mail.delivery_method = :sendmail
mail.address = "<%= @mail_address %>"
mail.domain = "<%= @mail_domain %>"
mail.user_name = "<%= @mail_user_name %>"
mail.password = "<%= @mail_password %>"
mail.port = <%= @mail_port || 587 %>
mail.authentication = "<%= @mail_authentication || 'plain' %>"
mail.encryption = <%= @mail_encryption || ':starttls' %>
end
<%- if node["backup"]["mongodb"] -%>
@ -75,7 +93,7 @@ preconfigure 'KosmosBackup' do
encrypt_with OpenSSL
notify_by Mail do |mail|
mail.on_success = false
mail.on_warning = false
mail.on_warning = true
mail.on_failure = true
end
end

2
site-cookbooks/kosmos-akkounts/metadata.rb
View File

@ -14,5 +14,5 @@ depends "poise-ruby-build"
depends "application"
depends 'application_git'
depends "postgresql"
depends "kosmos-postgresql"
depends "kosmos_postgresql"
depends "backup"

5
site-cookbooks/kosmos-bitcoin/attributes/default.rb
View File

@ -57,6 +57,11 @@ node.default['rtl']['revision'] = 'v0.11.0'
node.default['rtl']['host'] = '10.1.1.163'
node.default['rtl']['port'] = '3000'
node.default['lndhub']['repo'] = 'https://github.com/bumi/LndHub.git'
node.default['lndhub']['revision'] = 'master'
node.default['lndhub']['port'] = '3023'
node.default['lndhub']['domain'] = 'lndhub.kosmos.org'
node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb"
node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"

2
site-cookbooks/kosmos-bitcoin/metadata.rb
View File

@ -20,6 +20,7 @@ chef_version '>= 14.0'
# source_url 'https://github.com/<insert_org_here>/kosmos-bitcoin'
depends 'ark'
depends 'backup'
depends 'git'
depends 'golang'
depends 'kosmos-nginx'
@ -27,3 +28,4 @@ depends 'kosmos-nodejs'
depends 'firewall'
depends 'application_javascript'
depends 'tor-full'
depends 'redisio'

120
site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb Normal file
View File

@ -0,0 +1,120 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: lndhub
#
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
app_name = "lndhub"
app_dir = "/opt/#{app_name}"
lnd_dir = node['lnd']['lnd_dir']
bitcoin_user = node['bitcoin']['username']
bitcoin_group = node['bitcoin']['usergroup']
bitcoin_credentials = Chef::EncryptedDataBagItem.load('credentials', 'bitcoin')
application app_dir do
owner bitcoin_user
group bitcoin_group
git do
user bitcoin_user
group bitcoin_group
repository node['lndhub']['repo']
revision node['lndhub']['revision']
notifies :restart, "systemd_unit[lndhub.service]", :delayed
end
npm_install do
user bitcoin_user
end
link "#{app_dir}/admin.macaroon" do
to "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon"
owner bitcoin_user
group bitcoin_group
end
link "#{app_dir}/tls.cert" do
to "#{lnd_dir}/tls.cert"
owner bitcoin_user
group bitcoin_group
end
template "#{app_dir}/config.js" do
source "lndhub.config.js.erb"
owner bitcoin_user
group bitcoin_group
mode '0600'
variables bitcoin_rpc_host: node['bitcoin']['conf']['rpcbind'],
bitcoin_rpc_user: node['bitcoin']['conf']['rpcuser'],
bitcoin_rpc_pass: bitcoin_credentials["rpcpassword"],
lnd_rpc_host: '127.0.0.1:10009'
notifies :restart, "systemd_unit[lndhub.service]", :delayed
end
systemd_unit 'lndhub.service' do
content({
Unit: {
Description: 'LND Hub',
Documentation: ['https://github.com/BlueWallet/LndHub'],
Requires: 'lnd.service',
After: 'lnd.service'
},
Service: {
User: bitcoin_user,
Group: bitcoin_group,
Type: 'simple',
Environment: "PORT=#{node['lndhub']['port']}",
WorkingDirectory: app_dir,
ExecStart: "/usr/bin/npm start",
Restart: 'always',
RestartSec: '30',
TimeoutSec: '120',
PrivateTmp: true,
ProtectSystem: 'full',
NoNewPrivileges: true,
PrivateDevices: true,
},
Install: {
WantedBy: 'multi-user.target'
}
})
verify false
triggers_reload true
action [:create, :enable, :start]
end
end
include_recipe 'firewall'
firewall_rule 'lndhub_private' do
port node['lndhub']['port'].to_i
source "10.1.1.0/24"
protocol :tcp
command :allow
end
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
include_recipe "kosmos-nginx"
nginx_certbot_site node[app_name]['domain']
template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
source 'nginx_conf_lndhub.erb'
owner node["nginx"]["user"]
mode 0640
variables port: node[app_name]['port'],
server_name: node[app_name]['domain'],
ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site node[app_name]['domain'] do
action :enable
end
node.override["backup"]["archives"]["lndhub"] = ["/var/lib/redis/dump-6379.rdb"]
include_recipe "backup"
end

21
site-cookbooks/kosmos-bitcoin/templates/lndhub.config.js.erb Normal file
View File

@ -0,0 +1,21 @@
let config = {
enableUpdateDescribeGraph: false,
postRateLimit: 100,
rateLimit: 200,
forwardReserveFee: 0.01, // default 0.01
intraHubFee: 0.003, // default 0.003
bitcoind: {
rpc: 'http://<%= @bitcoin_rpc_user %>:<%= @bitcoin_rpc_pass %>@<%= @bitcoin_rpc_host %>/wallet/wallet.dat',
},
redis: {
port: 6379,
host: '127.0.0.1',
family: 4,
db: 0,
},
lnd: {
url: '<%= @lnd_rpc_host %>'
},
};
module.exports = config;

25
site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb Normal file
View File

@ -0,0 +1,25 @@
#
# Generated by Chef
#
upstream _lndhub {
server localhost:<%= @port %>;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
server {
listen 443 ssl http2;
server_name <%= @server_name %>;
add_header Strict-Transport-Security "max-age=15768000";
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
location / {
proxy_pass http://_lndhub;
}
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
}
<% end -%>

2
site-cookbooks/kosmos-ejabberd/Berksfile
View File

@ -2,5 +2,5 @@
source 'https://supermarket.chef.io'
source chef_repo: ".."
cookbook "kosmos-postgresql", path: "../kosmos-postgresql"
cookbook "kosmos_postgresql", path: "../kosmos_postgresql"
metadata

2
site-cookbooks/kosmos-ejabberd/metadata.rb
View File

@ -20,9 +20,9 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
# source_url 'https://github.com/<insert_org_here>/kosmos-ejabberd'
depends "kosmos-base"
depends "kosmos-postgresql"
depends "kosmos-nginx"
depends "kosmos-dirsrv"
depends "kosmos_postgresql"
depends "backup"
depends "firewall"
depends "tor-full"

2
site-cookbooks/kosmos-mastodon/metadata.rb
View File

@ -13,7 +13,7 @@ depends "poise-ruby-build"
depends "application"
depends "application_git"
depends "postgresql"
depends "kosmos-postgresql"
depends "kosmos_postgresql"
depends "backup"
depends "elasticsearch"
depends "tor-full"

5
site-cookbooks/kosmos-postgresql/CHANGELOG.md
View File

@ -1,5 +0,0 @@
# kosmos-postgresql CHANGELOG
# 0.1.0
Initial release.

2
site-cookbooks/kosmos_gitea/metadata.rb
View File

@ -20,5 +20,5 @@ chef_version '>= 14.0'
# source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
depends "kosmos-nginx"
depends "kosmos-postgresql"
depends "kosmos_postgresql"
depends "backup"

25
site-cookbooks/kosmos_kvm/recipes/host.rb
View File

@ -2,34 +2,13 @@
# Cookbook:: kosmos_kvm
# Recipe:: host
#
# The MIT License (MIT)
#
# Copyright:: 2020, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
package %w(virtinst libvirt-daemon-system)
directory "/var/lib/libvirt/images/base" do
recursive true
owner "libvirt-qemu"
group "root"
group "kvm"
mode "0750"
end
@ -37,7 +16,7 @@ end
remote_file "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2" do
source "http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img"
owner "libvirt-qemu"
group "root"
group "kvm"
mode "0640"
end

0
site-cookbooks/kosmos-postgresql/.gitignore → site-cookbooks/kosmos_postgresql/.gitignore vendored
View File

0
site-cookbooks/kosmos-postgresql/Berksfile → site-cookbooks/kosmos_postgresql/Berksfile
View File

5
site-cookbooks/kosmos_postgresql/CHANGELOG.md Normal file
View File

@ -0,0 +1,5 @@
# kosmos_postgresql CHANGELOG
# 0.1.0
Initial release.

0
site-cookbooks/kosmos-postgresql/LICENSE → site-cookbooks/kosmos_postgresql/LICENSE
View File

2
site-cookbooks/kosmos-postgresql/README.md → site-cookbooks/kosmos_postgresql/README.md
View File

@ -1,4 +1,4 @@
# kosmos-postgresql
# kosmos_postgresql
## Usage

2
site-cookbooks/kosmos-postgresql/attributes/default.rb → site-cookbooks/kosmos_postgresql/attributes/default.rb
View File

@ -1,3 +1,3 @@
# This is set to false by default, and set to true in the server resource
# for replicas.
node.default['kosmos-postgresql']['ready_to_set_up_replica'] = false
node.default['kosmos_postgresql']['ready_to_set_up_replica'] = false

0
site-cookbooks/kosmos-postgresql/chefignore → site-cookbooks/kosmos_postgresql/chefignore
View File

0
site-cookbooks/kosmos-postgresql/libraries/helpers.rb → site-cookbooks/kosmos_postgresql/libraries/helpers.rb
View File

10
site-cookbooks/kosmos-postgresql/metadata.rb → site-cookbooks/kosmos_postgresql/metadata.rb
View File

@ -1,9 +1,9 @@
name 'kosmos-postgresql'
name 'kosmos_postgresql'
maintainer 'Kosmos'
maintainer_email 'ops@5apps.com'
license 'MIT'
description 'Installs/Configures kosmos-postgresql'
long_description 'Installs/Configures kosmos-postgresql'
description 'Installs/Configures kosmos_postgresql'
long_description 'Installs/Configures kosmos_postgresql'
version '0.1.0'
chef_version '>= 12.14' if respond_to?(:chef_version)
@ -11,13 +11,13 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
# tracked. A `View Issues` link will be displayed on this cookbook's page when
# uploaded to a Supermarket.
#
# issues_url 'https://github.com/<insert_org_here>/kosmos-postgresql/issues'
# issues_url 'https://github.com/<insert_org_here>/kosmos_postgresql/issues'
# The `source_url` points to the development repository for this cookbook. A
# `View Source` link will be displayed on this cookbook's page when uploaded to
# a Supermarket.
#
# source_url 'https://github.com/<insert_org_here>/kosmos-postgresql'
# source_url 'https://github.com/<insert_org_here>/kosmos_postgresql'
depends "postgresql", ">= 7.0.0"
depends "build-essential"

2
site-cookbooks/kosmos-postgresql/recipes/firewall.rb → site-cookbooks/kosmos_postgresql/recipes/firewall.rb
View File

@ -1,5 +1,5 @@
#
# Cookbook:: kosmos-postgresql
# Cookbook:: kosmos_postgresql
# Recipe:: firewall
#

2
site-cookbooks/kosmos-postgresql/recipes/hostsfile.rb → site-cookbooks/kosmos_postgresql/recipes/hostsfile.rb
View File

@ -1,5 +1,5 @@
#
# Cookbook:: kosmos-postgresql
# Cookbook:: kosmos_postgresql
# Recipe:: hostsfile
#

2
site-cookbooks/kosmos-postgresql/recipes/primary.rb → site-cookbooks/kosmos_postgresql/recipes/primary.rb
View File

@ -1,5 +1,5 @@
#
# Cookbook:: kosmos-postgresql
# Cookbook:: kosmos_postgresql
# Recipe:: primary
#

2
site-cookbooks/kosmos-postgresql/recipes/replica.rb → site-cookbooks/kosmos_postgresql/recipes/replica.rb
View File

@ -1,5 +1,5 @@
#
# Cookbook:: kosmos-postgresql
# Cookbook:: kosmos_postgresql
# Recipe:: replica
#

9
site-cookbooks/kosmos-postgresql/resources/server.rb → site-cookbooks/kosmos_postgresql/resources/server.rb
View File

@ -1,4 +1,5 @@
resource_name :postgresql_custom_server
provides :postgresql_custom_server
property :postgresql_version, String, required: true, name_property: true
property :role, String, required: true # Can be primary or replica
@ -41,14 +42,14 @@ action :create do
action :disable
end
shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # < 1GB RAM
"128MB"
else # >= 1GB RAM, use 25% of total RAM
"#{node['memory']['total'].to_i / 1024 / 4}MB"
else # >= 1GB RAM, use 50% of total RAM
"#{node['memory']['total'].to_i / 1024 / 2}MB"
end
additional_config = {
max_connections: 100, # default
max_connections: 200, # default
shared_buffers: shared_buffers,
unix_socket_directories: "/var/run/postgresql",
dynamic_shared_memory_type: "posix",

3
site-cookbooks/kosmos_website/attributes/default.rb Normal file
View File

@ -0,0 +1,3 @@
node.default["kosmos_website"]["domain"] = "kosmos.org"
node.default["kosmos_website"]["repo"] = "https://gitea.kosmos.org/kosmos/website.git"
node.default["kosmos_website"]["revision"] = "master"

10
site-cookbooks/kosmos_website/metadata.rb Normal file
View File

@ -0,0 +1,10 @@
name 'kosmos_website'
maintainer 'Kosmos'
maintainer_email 'ops@kosmos.org'
license 'MIT'
description 'Configures the main kosmos.org website'
long_description 'Configures the main kosmos.org website'
version '1.0.0'
chef_version '>= 15.10' if respond_to?(:chef_version)
depends "kosmos-nginx"

38
site-cookbooks/kosmos_website/recipes/default.rb Normal file
View File

@ -0,0 +1,38 @@
#
# Cookbook:: kosmos_website
# Recipe:: default
#
include_recipe "kosmos-nginx"
domain = node["kosmos_website"]["domain"]
nginx_certbot_site domain
directory "/var/www/#{domain}/site" do
user node["nginx"]["user"]
group node["nginx"]["group"]
mode "0755"
end
git "/var/www/#{domain}/site" do
user node["nginx"]["user"]
group node["nginx"]["group"]
repository node["kosmos_website"]["repo"]
revision node["kosmos_website"]["revision"]
action :sync
end
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
source "nginx_conf_website.erb"
owner node["nginx"]["user"]
mode 0640
variables domain: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, "service[nginx]", :delayed
end
nginx_site domain do
action :enable
end

Some files were not shown because too many files have changed in this diff Show More