BBlack has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/385231 )
Change subject: varnish: integrate sec into main unit file ...................................................................... varnish: integrate sec into main unit file base::service_unit doesn't support the combination of both a custom base unit file and a custom override together, it expects if you have a custom unit file you'd put all customizations there. Bug: Change-Id: I4b3304f620c4c78c9bb31a46e6bb501b96dbf085 --- M modules/varnish/manifests/instance.pp D modules/varnish/templates/initscripts/varnish.systemd-security.erb M modules/varnish/templates/initscripts/varnish.systemd.erb 3 files changed, 16 insertions(+), 15 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/31/385231/1 diff --git a/modules/varnish/manifests/instance.pp b/modules/varnish/manifests/instance.pp index cf11151..4478176 100644 --- a/modules/varnish/manifests/instance.pp +++ b/modules/varnish/manifests/instance.pp @@ -136,7 +136,6 @@ base::service_unit { "varnish${instancesuffix}": systemd => systemd_template('varnish'), - systemd_override => template('varnish/initscripts/varnish.systemd-security.erb'), refresh => false, service_params => { tag => 'varnish_instance', @@ -147,11 +146,17 @@ File["/etc/varnish/${vcl}.inc.vcl"], File["/etc/varnish/wikimedia_${vcl}.vcl"], File["/etc/varnish/wikimedia-common_${vcl}.inc.vcl"], + File["/etc/systemd/system/${instancesuffix}.service.d/puppet-override.conf"], Mount['/var/lib/varnish'], ], }, } + # XXX temporary while sorting out the bug above! + file { "/etc/systemd/system/${instancesuffix}.service.d/puppet-override.conf": + ensure => absent, + } + # This mechanism with the touch/rm conditionals in the pair of execs # below should ensure that reload-vcl failures are retried on # future puppet runs until they succeed. diff --git a/modules/varnish/templates/initscripts/varnish.systemd-security.erb b/modules/varnish/templates/initscripts/varnish.systemd-security.erb deleted file mode 100644 index 4634f2c..0000000 
--- a/modules/varnish/templates/initscripts/varnish.systemd-security.erb +++ /dev/null @@ -1,14 +0,0 @@ -# Execution environment configuration for varnish <%= @inst %>. -# -# See systemd.exec(5). -# -# This file is managed by Puppet. -[Service] -PrivateTmp=true -PrivateDevices=true -ProtectSystem=full -ProtectHome=true -NoNewPrivileges=true -# No special powers for root with the exception of the following. -# See capabilities(7). -CapabilityBoundingSet=<%= @capabilities %> diff --git a/modules/varnish/templates/initscripts/varnish.systemd.erb b/modules/varnish/templates/initscripts/varnish.systemd.erb index 661879d..0d093e8 100644 --- a/modules/varnish/templates/initscripts/varnish.systemd.erb +++ b/modules/varnish/templates/initscripts/varnish.systemd.erb @@ -6,6 +6,16 @@ LimitNOFILE=500000 LimitMEMLOCK=90000 LimitRTPRIO=infinity +### start sec settings +PrivateTmp=true +PrivateDevices=true +ProtectSystem=full +ProtectHome=true +NoNewPrivileges=true +# No special powers for root with the exception of the following. +# See capabilities(7). +CapabilityBoundingSet=<%= @capabilities %> +### end sec settings PIDFile=%t/%p.pid Restart=on-failure KillMode=process -- To view, visit https://gerrit.wikimedia.org/r/385231 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4b3304f620c4c78c9bb31a46e6bb501b96dbf085 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
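Review bot: In the second instance.pp hunk, the drop-in path looks wrong: the unit is titled "varnish${instancesuffix}", so the override directory systemd actually reads is `/etc/systemd/system/varnish${instancesuffix}.service.d/`, but both the new `File[...]` require entry and the `ensure => absent` resource use `${instancesuffix}.service.d` without the `varnish` prefix. As written the cleanup targets a directory that never existed and the old puppet-override.conf stays in place, so the temporary removal does nothing. Suggest `file { "/etc/systemd/system/varnish${instancesuffix}.service.d/puppet-override.conf": ensure => absent }` with the matching require entry, and since removing a drop-in only takes effect after `systemctl daemon-reload`, have that resource notify the same daemon-reload exec that base::service_unit uses for its own unit files. The "XXX temporary while sorting out the bug above!" comment refers to an empty `Bug:` trailer in the commit message; filling in the tracking task would make it clear when this resource can be dropped again.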
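Review bot: In the varnish.systemd.erb hunk, the moved block drops the `See systemd.exec(5)` pointer that the deleted varnish.systemd-security.erb header carried; keeping it next to `### start sec settings` tells the next reader where `PrivateTmp`, `ProtectSystem=full`, `NoNewPrivileges` and `CapabilityBoundingSet` are documented, and a reminder that `ProtectSystem=full` also makes /etc read-only for the service (the VCL files under /etc/varnish are loaded by varnishd, so this is fine only as long as nothing in the service writes there) would be worth noting in the same comment. Also worth stating in the commit message: with `refresh => false` on the service unit, running varnishd processes are not restarted when the unit file changes, so the sandboxing from the old drop-in remains in effect until the next manual restart, at which point the same directives apply from the main unit; a quick `systemctl show varnish${instancesuffix} -p CapabilityBoundingSet -p ProtectSystem` after daemon-reload on one host would confirm the merged unit parses as intended.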