Rush has uploaded a new change for review. https://gerrit.wikimedia.org/r/284978
Change subject: cgred changes for toollabs bastions use case ...................................................................... cgred changes for toollabs bastions use case - all explicit ordering of fragments for cgrules.conf - puge unmanaged entries for conf and rules - raise shell memory limits - use '%' to match across subsystems Bug: T131541 Change-Id: I5959482c2bdc4cfaf5dd94a9e4082ff21b7d02c4 --- M modules/cgred/manifests/group.pp M modules/cgred/manifests/init.pp M modules/toollabs/manifests/bastion.pp 3 files changed, 77 insertions(+), 56 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/78/284978/1 diff --git a/modules/cgred/manifests/group.pp b/modules/cgred/manifests/group.pp index e1318a4..5a1d237 100644 --- a/modules/cgred/manifests/group.pp +++ b/modules/cgred/manifests/group.pp @@ -18,11 +18,31 @@ # '*:foo.sh subsystem /cgroup', # ] # } +# +# +# The docs say 'First rule which matches the criteria will be executed.' +# +# - This applies even across different subsystems +# - Use the '%' keyword char to apply multiple lines upon first match. +# - Keep in mind cgroups are inherited by child processes +# +# Example that results in membership only in cpu shell cgroup: +# +# *:/bin/bash cpu /shell +# *:/bin/bash memory /shell +# +# Example that results in membershp in cpu and memory shell cgroup: +# +# *:/bin/bash cpu /shell +# % memory /shell +# +# See: man cgrules.conf define cgred::group ( $ensure = 'present', $config = {}, $rules = [], + $order = '50', ) { @@ -37,7 +57,7 @@ notify => Base::Service_unit['cgrulesengd'], } - file {"/etc/cgrules.d/${name}.conf": + file {"/etc/cgrules.d/${order}-${name}.conf": ensure => $ensure, mode => '0444', owner => 'root', diff --git a/modules/cgred/manifests/init.pp b/modules/cgred/manifests/init.pp index 0763413..6b35192 100644 --- a/modules/cgred/manifests/init.pp +++ b/modules/cgred/manifests/init.pp 
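Review bot: The new `$order` parameter is interpolated into the fragment path `/etc/cgrules.d/${order}-${name}.conf` (second `group.pp` hunk) without validation. The added header comment says the first matching rule wins, so the fragment's sort position decides which cgroup a process lands in; the fragments are presumably assembled in filename order, though that step is not visible here. A caller passing `5` or `100` instead of a two-digit string would sort lexically into an unexpected slot. A guard such as `validate_re($order, '^\d{2}$')` at the top of the define (assuming stdlib is available in this tree) would catch that at compile time. The added comment also misspells "membership" as `membershp`, and the body of `cgred::group` continues outside both hunks.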
@@ -17,10 +17,12 @@ file { [ '/etc/cgconfig.d/', '/etc/cgrules.d/']: - ensure => directory, - mode => '0555', - owner => 'root', - group => 'root', + ensure => directory, + mode => '0555', + owner => 'root', + group => 'root', + recurse => true, + purge => true, } file { '/etc/cgrules.d/README': diff --git a/modules/toollabs/manifests/bastion.pp b/modules/toollabs/manifests/bastion.pp index a464876..4c0ce5a 100644 --- a/modules/toollabs/manifests/bastion.pp +++ b/modules/toollabs/manifests/bastion.pp @@ -19,6 +19,25 @@ if $::operatingsystem == 'Ubuntu' { + # lint:ignore:arrow_alignment + cgred::group {'shell': + order => '01', + config => { + memory => { + 'memory.limit_in_bytes' => '4611686018427387903', + }, + }, + rules => [ + '*:/bin/sh memory /shell', + '*:/bin/dash memory /shell', + '*:/bin/bash memory /shell', + '*:/usr/bin/zsh memory /shell', + '*:/usr/bin/screen memory /shell', + '*:/usr/bin/tmux memory /shell', + '*:/usr/bin/lshell memory /shell', + ], + } + # misc group for on-the-fly classification # of expensive processes as opposed to kill # lint:ignore:arrow_alignment @@ -34,24 +53,6 @@ } # lint:ignore:arrow_alignment - cgred::group {'shell': - config => { - memory => { - 'memory.limit_in_bytes' => '2305843009213693951', - }, - }, - rules => [ - '*:/bin/sh memory /shell', - '*:/bin/dash memory /shell', - '*:/bin/bash memory /shell', - '*:/usr/bin/zsh memory /shell', - '*:/usr/bin/screen memory /shell', - '*:/usr/bin/tmux memory /shell', - '*:/usr/bin/lshell memory /shell', - ], - } - - # lint:ignore:arrow_alignment cgred::group {'user-daemons': config => { cpu => { @@ -62,9 +63,9 @@ }, }, rules => [ - '*:/usr/lib/openssh/sftp-server cpu /daemon', - '*:/usr/lib/openssh/sftp-server memory /daemon', - '*:/usr/bin/mosh-server memory /daemon', + '*:/usr/bin/mosh-server memory /daemon', + '*:/usr/lib/openssh/sftp-server cpu /daemon', + '% memory /daemon', ], } 
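Review bot: The directory resource in the `init.pp` hunk `@@ -17,10 +17,12 @@` now purges unmanaged entries but carries no `notify`. When Puppet deletes a stray fragment, nothing visible here regenerates cgrules.conf or reloads `cgrulesengd`, so the stale rule could stay in effect until another change triggers a refresh. If the assembly step is not already subscribed to these directories, adding `notify => Base::Service_unit['cgrulesengd'],` (the target the group define already uses) would close that gap. Also, `purge` with `recurse` leaves unmanaged subdirectories in place unless `force => true` is set. The rest of the class is outside the hunk.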
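Review bot: The `memory.limit_in_bytes` value for the `shell` group in the `bastion.pp` hunk `@@ -19,6 +19,25 @@` is `4611686018427387903` (2^62 - 1 bytes). That is far above any host's RAM, so the group places no effective memory cap on login shells or on the children that inherit it; the value it replaces (2^61 - 1) did not either. If the group exists only to classify shells first (`order => '01'`), say so next to the value, e.g. `# 2^62-1: effectively unlimited; /shell is classification-only`. If a real cap on a shared bastion is intended, the limit needs to be a fraction of physical memory rather than a near-maximum integer.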
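Review bot: Each `'% memory ...'` entry binds to whichever rule precedes it in the rendered file, so inserting or reordering a line in these arrays silently attaches the memory rule to a different binary, and Puppet will not flag it. This applies to the `user-daemons` rules in `@@ -62,9 +63,9 @@` and to the `scripts` and `utilities` arrays in `@@ -80,21 +81,21 @@` and `@@ -115,47 +116,45 @@`. A comment at the top of each array would make the coupling explicit, for example `# '%' continues the rule directly above it; keep each cpu/% pair adjacent`. In `user-daemons`, `mosh-server` still has only a memory rule and no cpu rule, which may be intentional but is worth confirming.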
@@ -80,21 +81,21 @@ }, rules => [ '*:/usr/bin/ruby cpu /scripts', - '*:/usr/bin/ruby memory /scripts', + '% memory /scripts', '*:/usr/bin/ruby1.9.1 cpu /scripts', - '*:/usr/bin/ruby1.9.3 memory /scripts', + '% memory /scripts', '*:/usr/bin/python cpu /scripts', - '*:/usr/bin/python memory /scripts', + '% memory /scripts', '*:/usr/bin/python2.7 cpu /scripts', - '*:/usr/bin/python2.7 memory /scripts', + '% memory /scripts', '*:/usr/bin/python3 cpu /scripts', - '*:/usr/bin/python3 memory /scripts', + '% memory /scripts', '*:/usr/bin/python3.4 cpu /scripts', - '*:/usr/bin/python3.4 memory /scripts', + '% memory /scripts', '*:/usr/bin/perl cpu /scripts', - '*:/usr/bin/perl memory /scripts', + '% memory /scripts', '*:/usr/bin/perl5.18.2 cpu /scripts', - '*:/usr/bin/perl5.18.2 memory /scripts', + '% memory /scripts', ], } 
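Review bot: The `scripts` rules in `@@ -80,21 +81,21 @@` match exact, version-pinned interpreter paths (`ruby1.9.1`, `python3.4`, `perl5.18.2`). After a package or distro upgrade the new binary name matches nothing, so both its cpu rule and the `%` memory line that now depends on it stop applying, with no error. A comment such as `# paths are version-pinned; update on interpreter upgrade or the binary falls out of /scripts` would flag the maintenance need. If no catch-all rule exists elsewhere in the file (not visible in this hunk), a final default rule that places unlisted binaries in a bounded group would keep the limits from silently lapsing.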
@@ -115,47 +116,45 @@ '*:/usr/bin/vim.tiny memory /utilities', '*:/usr/bin/nano memory /utilities', '*:/bin/tar cpu /utilities', - '*:/bin/tar memory /utilities', + '% memory /utilities', '*:/bin/gzip cpu /utilities', - '*:/bin/gzip memory /utilities', - '*:/bin/gzip memory /utilities', - '*:/usr/bin/nano memory /utilities', + '% memory /utilities', '*:/usr/bin/md5sum cpu /utilities', - '*:/usr/bin/md5sum memory /utilities', + '% memory /utilities', '*:/usr/bin/sha1sum cpu /utilities', - '*:/usr/bin/sha1sum memory /utilities', + '% memory /utilities', '*:/usr/bin/sha224sum cpu /utilities', - '*:/usr/bin/sha224sum memory /utilities', + '% memory /utilities', '*:/usr/bin/sha256sum cpu /utilities', - '*:/usr/bin/sha256sum memory /utilities', + '% memory /utilities', '*:/usr/bin/sha384sum cpu /utilities', - '*:/usr/bin/sha384sum memory /utilities', + '% memory /utilities', '*:/usr/bin/sha512sum cpu /utilities', - '*:/usr/bin/sha512sum memory /utilities', + '% memory /utilities', '*:/usr/bin/make cpu /utilities', - '*:/usr/bin/make memory /utilities', + '% memory /utilities', '*:/usr/bin/gcc cpu /utilities', - '*:/usr/bin/gcc memory /utilities', + '% memory /utilities', '*:/usr/bin/g++ cpu /utilities', - '*:/usr/bin/g++ memory /utilities', + '% memory /utilities', '*:/usr/bin/gcc-4.8 cpu /utilities', - '*:/usr/bin/gcc-4.8 memory /utilities', + '% memory /utilities', '*:/usr/bin/find cpu /utilities', - '*:/usr/bin/find memory /utilities', + '% memory /utilities', '*:/usr/bin/top cpu /utilities', - '*:/usr/bin/top memory /utilities', + '% memory /utilities', '*:/usr/bin/htop cpu /utilities', - '*:/usr/bin/htop memory /utilities', + '% memory /utilities', '*:/usr/bin/sort cpu /utilities', - '*:/usr/bin/sort memory /utilities', + '% memory /utilities', '*:/usr/bin/sed cpu /utilities', - '*:/usr/bin/sed memory /utilities', + '% memory /utilities', '*:/usr/bin/mawk cpu /utilities', - '*:/usr/bin/mawk memory /utilities', + '% memory /utilities', '*:/usr/bin/awk cpu 
/utilities', - '*:/usr/bin/awk memory /utilities', + '% memory /utilities', '*:/usr/bin/wc cpu /utilities', - '*:/usr/bin/wc memory /utilities', + '% memory /utilities', ], } } -- To view, visit https://gerrit.wikimedia.org/r/284978 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I5959482c2bdc4cfaf5dd94a9e4082ff21b7d02c4 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Rush <r...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits