Ori.livneh has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/75087


Change subject: Refactor sysctl
......................................................................

Refactor sysctl

This patch reorganizes the sysctlfile module and sysctl resource into a
reworked sysctl module. The module adds an Upstart task called "procps-puppet"
that is set to run on stopping procps, meaning it will run immediately after
procps whenever the latter is run. The service loads sysctl settings from
/etc/sysctl.d/puppet-managed, which Puppet manages recursively.

The module provides two defined resource types, sysctl::conffile and sysctl::params.
The former takes either literal file contents or a Puppet file source URL as a
parameter; the latter takes a hash of sysctl key/value pairs and generates the
file from a template.

Standard configurations are provided as role::sysctl::* classes.

Change-Id: Ib294b691dad8500c2e0cd39896882f8cf4f3a286
---
R files/sysctl/advanced-routing-ipv6.conf
R files/sysctl/advanced-routing.conf
R files/sysctl/big-rmem.conf
R files/sysctl/high-bandwidth-rsync.conf
R files/sysctl/high-http-performance.conf
R files/sysctl/ipv6-disable-ra.conf
R files/sysctl/lvs.conf
R files/sysctl/wikimedia-base.conf
M manifests/base.pp
M manifests/generic-definitions.pp
M manifests/lvs.pp
M manifests/misc/download.pp
M manifests/misc/udp2log.pp
M manifests/openstack.pp
M manifests/role/ceph.pp
M manifests/role/fundraising.pp
M manifests/role/ipv6relay.pp
M manifests/role/memcached.pp
M manifests/role/mirror.pp
M manifests/role/protoproxy.pp
A manifests/role/sysctl.pp
M manifests/site.pp
M manifests/squid.pp
M manifests/swift.pp
M manifests/webserver.pp
A modules/sysctl/files/procps-puppet.conf
A modules/sysctl/files/sysctl.d-puppet-managed-empty/README
A modules/sysctl/manifests/conffile.pp
A modules/sysctl/manifests/init.pp
A modules/sysctl/manifests/params.pp
A modules/sysctl/templates/sysctl.conf.erb
D modules/sysctlfile/manifests/advanced-routing-ipv6.pp
D modules/sysctlfile/manifests/advanced-routing.pp
D modules/sysctlfile/manifests/high-bandwidth-rsync.pp
D modules/sysctlfile/manifests/high-http-performance.pp
D modules/sysctlfile/manifests/init.pp
D modules/sysctlfile/manifests/ipv6-disable-ra.pp
D modules/sysctlfile/manifests/lvs.pp
M modules/toollabs/manifests/exec_environ.pp
M modules/varnish/manifests/common.pp
40 files changed, 196 insertions(+), 293 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/87/75087/1

diff --git a/modules/sysctlfile/files/50-advanced-routing-ipv6.conf 
b/files/sysctl/advanced-routing-ipv6.conf
similarity index 88%
rename from modules/sysctlfile/files/50-advanced-routing-ipv6.conf
rename to files/sysctl/advanced-routing-ipv6.conf
index fc28404..020d34a 100644
--- a/modules/sysctlfile/files/50-advanced-routing-ipv6.conf
+++ b/files/sysctl/advanced-routing-ipv6.conf
@@ -1,6 +1,6 @@
 #####################################################################
 #### THIS FILE IS MANAGED BY PUPPET 
-#### puppet:///modules/sysctlfile/50-advanced-routing-ipv6.conf
+#### puppet:///files/sysctl/advanced-routing-ipv6.conf
 ######################################################################
 
 # Enable router advertisements even when forwarding is enabled
diff --git a/modules/sysctlfile/files/50-advanced-routing.conf 
b/files/sysctl/advanced-routing.conf
similarity index 84%
rename from modules/sysctlfile/files/50-advanced-routing.conf
rename to files/sysctl/advanced-routing.conf
index f727030..baf4684 100644
--- a/modules/sysctlfile/files/50-advanced-routing.conf
+++ b/files/sysctl/advanced-routing.conf
@@ -1,6 +1,6 @@
 #####################################################################
 #### THIS FILE IS MANAGED BY PUPPET 
-#### puppet:///modules/sysctlfile/50-advanced-routing.conf
+#### puppet:///files/sysctl/advanced-routing.conf
 ######################################################################
 
 # Turn OFF RP filter
diff --git a/modules/sysctlfile/files/99-big-rmem.conf 
b/files/sysctl/big-rmem.conf
similarity index 82%
rename from modules/sysctlfile/files/99-big-rmem.conf
rename to files/sysctl/big-rmem.conf
index ed4c261..9fe8525 100644
--- a/modules/sysctlfile/files/99-big-rmem.conf
+++ b/files/sysctl/big-rmem.conf
@@ -1,6 +1,6 @@
 #####################################################################
 ### THIS FILE IS MANAGED BY PUPPET 
-### puppet:///modules/sysctlfile/99-big-rmem.conf
+### puppet:///files/sysctl/big-rmem.conf
 #####################################################################
 
 
diff --git a/modules/sysctlfile/files/60-high-bandwidth-rsync.conf 
b/files/sysctl/high-bandwidth-rsync.conf
similarity index 85%
rename from modules/sysctlfile/files/60-high-bandwidth-rsync.conf
rename to files/sysctl/high-bandwidth-rsync.conf
index 9013c00..43d0651 100644
--- a/modules/sysctlfile/files/60-high-bandwidth-rsync.conf
+++ b/files/sysctl/high-bandwidth-rsync.conf
@@ -1,6 +1,6 @@
 #####################################################################
 ### THIS FILE IS MANAGED BY PUPPET 
-### puppet:///modules/sysctlfile/60-high-bandwidth-rsync.conf
+### puppet:///files/sysctl/high-bandwidth-rsync.conf
 #####################################################################
 
 
diff --git a/modules/sysctlfile/files/60-high-http-performance.conf 
b/files/sysctl/high-http-performance.conf
similarity index 91%
rename from modules/sysctlfile/files/60-high-http-performance.conf
rename to files/sysctl/high-http-performance.conf
index 0528b74..8b1e37e 100644
--- a/modules/sysctlfile/files/60-high-http-performance.conf
+++ b/files/sysctl/high-http-performance.conf
@@ -1,6 +1,6 @@
 #####################################################################
 ### THIS FILE IS MANAGED BY PUPPET 
-### puppet:///modules/sysctlfile/60-high-http-performance.conf
+### puppet:///files/sysctl/high-http-performance.conf
 #####################################################################
 
 
diff --git a/modules/sysctlfile/files/50-ipv6-disable-ra.conf 
b/files/sysctl/ipv6-disable-ra.conf
similarity index 79%
rename from modules/sysctlfile/files/50-ipv6-disable-ra.conf
rename to files/sysctl/ipv6-disable-ra.conf
index c986bbe..80d453d 100644
--- a/modules/sysctlfile/files/50-ipv6-disable-ra.conf
+++ b/files/sysctl/ipv6-disable-ra.conf
@@ -1,6 +1,6 @@
 #####################################################################
 #### THIS FILE IS MANAGED BY PUPPET 
-#### puppet:///modules/sysctlfile/60-ipv6-disable-ra.conf
+#### puppet:///files/sysctl/ipv6-disable-ra.conf
 ######################################################################
 
 
diff --git a/modules/sysctlfile/files/50-lvs.conf b/files/sysctl/lvs.conf
similarity index 90%
rename from modules/sysctlfile/files/50-lvs.conf
rename to files/sysctl/lvs.conf
index 2a04070..66b5567 100644
--- a/modules/sysctlfile/files/50-lvs.conf
+++ b/files/sysctl/lvs.conf
@@ -1,6 +1,6 @@
 #####################################################################
 #### THIS FILE IS MANAGED BY PUPPET 
-#### puppet:///modules/sysctlfile/50-lvs.conf
+#### puppet:///files/sysctl/lvs.conf
 ######################################################################
 
 # Turn OFF RP filter
diff --git a/modules/sysctlfile/files/50-wikimedia-base.conf 
b/files/sysctl/wikimedia-base.conf
similarity index 94%
rename from modules/sysctlfile/files/50-wikimedia-base.conf
rename to files/sysctl/wikimedia-base.conf
index 02a1a59..40bda7f 100644
--- a/modules/sysctlfile/files/50-wikimedia-base.conf
+++ b/files/sysctl/wikimedia-base.conf
@@ -1,6 +1,6 @@
 #####################################################################
 ### THIS FILE IS MANAGED BY PUPPET 
-### puppet:///modules/sysctlfile/50-wikimedia-base.conf
+### puppet:///files/sysctl/wikimedia-base.conf
 #####################################################################
 
 # increase TCP max buffer size
diff --git a/manifests/base.pp b/manifests/base.pp
index 71b4337..d7ffbad 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -296,35 +296,6 @@
        }
 }
 
-class base::sysctl {
-       if ($::lsbdistid == "Ubuntu") and ($::lsbdistrelease != "8.04") {
-               exec { "/sbin/start procps":
-                       path => "/bin:/sbin:/usr/bin:/usr/sbin",
-                       refreshonly => true;
-               }
-
-               # FIXME: *never* source a file from a module
-               sysctlfile { 'wikimedia-base':
-                       source => 
'puppet:///modules/sysctlfile/50-wikimedia-base.conf',
-                       number_prefix => '50',
-                       ensure => $ensure,
-                       notify => Exec["/sbin/start procps"],
-               }
-
-               # Disable IPv6 privacy extensions, we rather not see our 
servers hide
-               file { "/etc/sysctl.d/10-ipv6-privacy.conf":
-                       ensure => absent
-               }
-       } else {
-           # FIXME: this is a super ugly hack but the sysctlfile module is 
broken,
-           # relying on a definition to be defined in base.pp to actually work
-               exec { "/sbin/start procps":
-                       command => '/bin/true',
-                       refreshonly => true,
-               }
-       }
-}
-
 class base::standard-packages {
 
        $packages = [
@@ -772,7 +743,7 @@
                base::grub,
                base::resolving,
                base::remote-syslog,
-               base::sysctl,
+               role::sysctl::base,
                base::motd,
                base::vimconfig,
                base::standard-packages,
diff --git a/manifests/generic-definitions.pp b/manifests/generic-definitions.pp
index 6e063b1..09ed452 100644
--- a/manifests/generic-definitions.pp
+++ b/manifests/generic-definitions.pp
@@ -708,84 +708,6 @@
        }
 }
 
-# Sysctl settings
-
-# Define: sysctl
-#
-# Creates a file in /etc/sysctl.d to set sysctl settings, and reloads
-# sysctl with the new settings.
-#
-# There are three ways to use this define.  You must specify one of
-# $value, $content, or $source.  Not specifying one of these results
-# in a parse failure.
-#
-# Usage 1: $value
-#    sysctl { "net.core.rmem_max": value => 16777218 }
-#
-# Usage 2: $content
-#    $rmem_max = 536870912
-#    sysctl { "custom_rmem_max": content => 
template("sysctl/sysctl_rmemmax.erb") }
-#
-# Usage 3: $source
-#    sysctl { "custom_rmem_max": source => 
"puppet:///files/misc/rmem_max.sysctl.conf" }
-#
-# Parameters:
-#    $value         - Puts "$title = $value" in the sysctl.d file.
-#    $content       - Puts this exact content in the sysctl.d file.
-#    $source        - Puts the $source file at the sysctl.d file.
-#    $ensure        - Either 'present' or 'absent'.  Default: 'present'.
-#    $number_prefix - The load order prefix number in the sysctl.d filename.  
Default '60'.  You probably don't need to change this.
-#
-define sysctl(
-               $value         = undef,
-               $content       = undef,
-               $source        = undef,
-               $ensure        = "present",
-               $number_prefix = "60")
-{
-       $sysctl_file = "/etc/sysctl.d/${number_prefix}-${title}.conf"
-
-       file { "$sysctl_file":
-               mode   => 0444,
-               owner  => "root",
-               group  => "root",
-               ensure => $ensure,
-       }
-
-       # if using $value, then set $title = $value in the sysctl.d file
-       if $value {
-               File[$sysctl_file] { content => "${title} = ${value}" }
-       }
-       # else just set the content
-       elsif $content {
-               File[$sysctl_file] { content => $content }
-       }
-       # else put the file in place from a source file.
-       elsif $source {
-               File[$sysctl_file] { source  => $source }
-       }
-       # if none of the above are defined, then throw a parse failure.
-       else {
-               alert("sysctl '${title}' must specify one of \$content, 
\$source or \$value.")
-       }
-
-       # Refresh sysctl if we are ensuring the sysctl.d file
-       # exists.  NOTE:  I'm not sure how to reset the sysctl
-       # value to its original if we ensure => absent.  For now,
-       # that will have to wait until a reboot happens.  This
-       # probably won't be a real problem anyway.  Anyone
-       # using this define can just explicitly set the value
-       # back to what it should be, rather than using ensure => 'absent'.
-       if $ensure == 'present' {
-               # refresh sysctl when the sysctl file changes
-               exec { "sysctl_reload_${title}":
-                       command     => "/sbin/sysctl -p $sysctl_file",
-                       subscribe   => File["$sysctl_file"],
-                       refreshonly => true,
-               }
-       }
-}
-
 class generic::sysfs::enable-rps {
        upstart_job { "enable-rps": install => "true", start => "true" }
 }
diff --git a/manifests/lvs.pp b/manifests/lvs.pp
index b2faaf0..529cd78 100644
--- a/manifests/lvs.pp
+++ b/manifests/lvs.pp
@@ -829,8 +829,8 @@
        class { "lvs::realserver": realserver_ips => $service_ips }
 
        # Sysctl settings
-       class { "sysctlfile::advanced-routing": ensure => absent }
-       include sysctlfile::lvs
+       class { "role::sysctl::advanced_routing": ensure => absent }
+       include role::sysctl::lvs
 }
 
 # Supporting the PyBal RunCommand monitor
diff --git a/manifests/misc/download.pp b/manifests/misc/download.pp
index 5ea5cd2..7a2136d 100644
--- a/manifests/misc/download.pp
+++ b/manifests/misc/download.pp
@@ -55,7 +55,7 @@
                require => [ Package[nfs-kernel-server], File["/etc/exports"] ],
        }
 
-        include sysctlfile::high-bandwidth-rsync
+        include role::sysctl::high_bandwidth_rsync
 
        monitor_service { "lighttpd http": description => "Lighttpd HTTP", 
check_command => "check_http" }
        monitor_service { "nfs": description => "NFS", check_command => 
"check_tcp!2049" }
diff --git a/manifests/misc/udp2log.pp b/manifests/misc/udp2log.pp
index bf2f7cf..ecd91d9 100644
--- a/manifests/misc/udp2log.pp
+++ b/manifests/misc/udp2log.pp
@@ -12,7 +12,7 @@
        include 
                contacts::udp2log,
                misc::udp2log::udp_filter,
-               misc::udp2log::sysctl
+               role::sysctl::big_rmem
 
        # include the monitoring scripts
        # required for monitoring udp2log instances
@@ -37,20 +37,6 @@
                ensure => present;
        }
 }
-
-class misc::udp2log::sysctl($ensure="present") {
-       # make sure base::sysctl is here so that
-       # start procps can be notified.
-       include base::sysctl
-
-       sysctlfile { 'big-rmem':
-               source => 'puppet:///modules/sysctlfile/99-big-rmem.conf',
-               number_prefix => '99',
-               ensure => $ensure,
-               notify => Exec["/sbin/start procps"],
-       }
-}
-
 
 # Class: misc::udp2log::rsyncd
 #
diff --git a/manifests/openstack.pp b/manifests/openstack.pp
index d4c28f9..d544dc6 100644
--- a/manifests/openstack.pp
+++ b/manifests/openstack.pp
@@ -587,8 +587,8 @@
        }
 
        # Enable IP forwarding
-       include sysctlfile::advanced-routing,
-               sysctlfile::ipv6-disable-ra
+       include role::sysctl::advanced_routing,
+               role::sysctl::ipv6_disable_ra
 }
 
 class openstack::api-service($openstack_version="essex", $novaconfig) {
diff --git a/manifests/role/ceph.pp b/manifests/role/ceph.pp
index bf79d54..cfd3b7d 100644
--- a/manifests/role/ceph.pp
+++ b/manifests/role/ceph.pp
@@ -67,11 +67,11 @@
         include ceph::osd
 
         # I/O busy systems, tune a few knobs to avoid page alloc failures
-        sysctl { 'sys.vm.min_free_kbytes':
-            value => '512000',
-        }
-        sysctl { 'sys.vm.vfs_cache_pressure':
-            value => '120',
+        sysctl::params { 'ceph':
+            values => {
+                'sys.vm.min_free_kbytes'    => '512000',
+                'sys.vm.vfs_cache_pressure' => '120',
+            },
         }
     }
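Review bot: The keys `sys.vm.min_free_kbytes` and `sys.vm.vfs_cache_pressure` carry a `sys.` prefix that sysctl(8) keys under /proc/sys do not normally use (`vm.min_free_kbytes`, `vm.vfs_cache_pressure`); they are carried over unchanged from the removed resources, but the new loader applies files with `sysctl -e`, which ignores keys the kernel does not know, so if the prefix is wrong these tunings would be silently skipped instead of erroring. Please confirm against `sysctl -a` on a ceph host and, if the prefix is not accepted there, change the entries to `'vm.min_free_kbytes'    => '512000',` and `'vm.vfs_cache_pressure' => '120',`.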
 
@@ -82,7 +82,7 @@
 
         class { "lvs::realserver": realserver_ips => [ "10.2.2.27" ] }
 
-        include sysctlfile::high-http-performance
+        include role::sysctl::high_http_performance
 
         class { 'ceph::radosgw':
             servername  => 'ms-fe.eqiad.wmnet',
diff --git a/manifests/role/fundraising.pp b/manifests/role/fundraising.pp
index d6bed75..b11a7ac 100644
--- a/manifests/role/fundraising.pp
+++ b/manifests/role/fundraising.pp
@@ -75,7 +75,7 @@
         base::puppet,
         base::resolving,
         base::standard-packages,
-        base::sysctl,
+        role::sysctl::base,
         base::tcptweaks,
         base::vimconfig,
         passwords::root,
diff --git a/manifests/role/ipv6relay.pp b/manifests/role/ipv6relay.pp
index 07cf332..750c610 100644
--- a/manifests/role/ipv6relay.pp
+++ b/manifests/role/ipv6relay.pp
@@ -1,7 +1,7 @@
 class role::ipv6relay {
         system_role { "role::ipv6relay": description => "IPv6 tunnel relay 
(6to4/Teredo)" }
 
-       include sysctlfile::advanced-routing-ipv6
+       include role::sysctl::advanced_routing_ipv6
 
        # Teredo
        include misc::miredo
diff --git a/manifests/role/memcached.pp b/manifests/role/memcached.pp
index e588349..2dceb01 100644
--- a/manifests/role/memcached.pp
+++ b/manifests/role/memcached.pp
@@ -10,7 +10,7 @@
        system_role { "role::memcached": description => "memcached server" }
 
        include standard,
-               sysctlfile::high-http-performance
+               role::sysctl::high_http_performance
 
        class { "::memcached":
                memcached_size => '89088',
diff --git a/manifests/role/mirror.pp b/manifests/role/mirror.pp
index 57e4e63..012cc6c 100644
--- a/manifests/role/mirror.pp
+++ b/manifests/role/mirror.pp
@@ -9,7 +9,7 @@
                ensure => latest;
        }
 
-       include sysctlfile::high-bandwidth-rsync
+       include role::sysctl::high_bandwidth_rsync
 }
 
 class role::mirror::media {
diff --git a/manifests/role/protoproxy.pp b/manifests/role/protoproxy.pp
index 5b884da..6c009fd 100644
--- a/manifests/role/protoproxy.pp
+++ b/manifests/role/protoproxy.pp
@@ -20,7 +20,7 @@
     include protoproxy::package
 
     # Tune kernel settings
-    include sysctlfile::high-http-performance
+    include role::sysctl::high_http_performance
 
     $nginx_worker_connections = '32768'
     $nginx_use_ssl = true
diff --git a/manifests/role/sysctl.pp b/manifests/role/sysctl.pp
new file mode 100644
index 0000000..278227f
--- /dev/null
+++ b/manifests/role/sysctl.pp
@@ -0,0 +1,60 @@
+class role::sysctl::base {
+    sysctl::conffile { 'wikimedia base':
+        source => 'puppet:///files/sysctl/wikimedia-base.conf',
+        priority => 50,
+    }
+
+    # Disable IPv6 privacy extensions, we rather not see our servers hide
+    file { '/etc/sysctl.d/10-ipv6-privacy.conf':
+        ensure => absent,
+    }
+}
+
+class role::sysctl::advanced_routing_ipv6 {
+    sysctl::conffile { 'advanced routing ipv6':
+        source   => 'puppet:///files/sysctl/advanced-routing-ipv6.conf',
+        priority => 50,
+    }
+}
+
+class role::sysctl::advanced_routing {
+    sysctl::conffile { 'advanced routing':
+        source   => 'puppet:///files/sysctl/advanced-routing.conf',
+        priority => 50,
+    }
+}
+
+class role::sysctl::high_bandwidth_rsync {
+    sysctl::conffile { 'high bandwidth rsync':
+        source   => 'puppet:///files/sysctl/high-bandwidth-rsync.conf',
+        priority => 60,
+    }
+}
+
+class role::sysctl::high_http_performance {
+    sysctl::conffile { 'high http performance':
+        source   => 'puppet:///files/sysctl/high-http-performance.conf',
+        priority => 60,
+    }
+}
+
+class role::sysctl::ipv6_disable_ra {
+    sysctl::conffile { 'ipv6 disable ra':
+        source   => 'puppet:///files/sysctl/ipv6-disable-ra.conf',
+        priority => 50,
+    }
+}
+
+class role::sysctl::lvs {
+    sysctl::conffile { 'lvs':
+        source   => 'puppet:///files/sysctl/lvs.conf',
+        priority => 50,
+    }
+}
+
+class role::sysctl::big_rmem {
+    sysctl::conffile { 'big rmem':
+        source   => 'puppet:///files/sysctl/big-rmem.conf',
+        priority => 99,
+    }
+}
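Review bot: `class role::sysctl::advanced_routing` takes no parameters, but the lvs.pp hunk in this same change declares it as `class { "role::sysctl::advanced_routing": ensure => absent }`, which should fail catalog compilation with an invalid-parameter error; the removed sysctlfile classes all accepted `$ensure` for exactly this use. Give the class a parameter and pass it through, `class role::sysctl::advanced_routing($ensure = present) {` with `ensure => $ensure,` inside the conffile resource, and do the same for the sibling role classes so they stay interchangeable. A one-line doc comment per class stating what the tuning set is for would also help, along with a note that the priority now only orders files within puppet-managed and that, because the Upstart task runs on stopping procps, all of them are applied after the stock /etc/sysctl.d entries.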
diff --git a/manifests/site.pp b/manifests/site.pp
index 15c0a29..374980d 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -812,7 +812,7 @@
 # base_analytics_logging_node is defined in role/logging.pp
 node "emery.wikimedia.org" inherits "base_analytics_logging_node" {
     include
-        sysctlfile::high-bandwidth-rsync,
+        role::sysctl::high_bandwidth_rsync,
         admins::mortals,
         # RT 4312
         accounts::milimetric
@@ -2171,7 +2171,7 @@
     system_role { "misc::payments": description => "Fundraising payments 
server" }
 
     include base::remote-syslog,
-        base::sysctl,
+        role::sysctl::base,
         base::resolving,
         base::motd,
         base::monitoring::host,
@@ -2682,7 +2682,7 @@
 
     include passwords::root,
         base::resolving,
-        base::sysctl,
+        role::sysctl::base,
         base::motd,
         base::vimconfig,
         base::standard-packages,
diff --git a/manifests/squid.pp b/manifests/squid.pp
index bd05398..7857408 100644
--- a/manifests/squid.pp
+++ b/manifests/squid.pp
@@ -110,7 +110,7 @@
        include aufs
 
        # Tune kernel settings
-       include sysctlfile::high-http-performance
+       include role::sysctl::high_http_performance
 }
 
 class squid::redirector {
diff --git a/manifests/swift.pp b/manifests/swift.pp
index c71f60b..531fa7b 100644
--- a/manifests/swift.pp
+++ b/manifests/swift.pp
@@ -7,7 +7,7 @@
 
        # include tcp settings
        include swift::sysctl::tcp-improvements
-       include sysctlfile::high-http-performance
+       include role::sysctl::high_http_performance
 
        # this is on purpose not a >=. the cloud archive only exists for
        # precise right now, and will perhaps exist for the next LTS, but
diff --git a/manifests/webserver.pp b/manifests/webserver.pp
index 605024a..489a312 100644
--- a/manifests/webserver.pp
+++ b/manifests/webserver.pp
@@ -5,7 +5,7 @@
 
 # Installs a generic, static web server (lighttpd) with default config, which 
serves /var/www
 class webserver::static {
-       include sysctlfile::high-http-performance,
+       include role::sysctl::high_http_performance,
                firewall
 
        package { lighttpd:
@@ -34,7 +34,7 @@
 
 class webserver::php5( $ssl = 'false' ) {
 
-       include sysctlfile::high-http-performance
+       include role::sysctl::high_http_performance
 
        package { [ "apache2-mpm-prefork", "libapache2-mod-php5" ]:
                ensure => present;
@@ -60,7 +60,7 @@
 
 class webserver::modproxy {
 
-       include sysctlfile::high-http-performance
+       include role::sysctl::high_http_performance
 
        package { libapache2-mod-proxy-html:
                ensure => present;
@@ -71,7 +71,7 @@
 #  include mysql and apache via dependencies.
 class webserver::php5-mysql {
 
-       include sysctlfile::high-http-performance
+       include role::sysctl::high_http_performance
 
        package { php5-mysql:
                ensure => present;
@@ -80,7 +80,7 @@
 
 class webserver::php5-gd {
 
-       include sysctlfile::high-http-performance
+       include role::sysctl::high_http_performance
 
        package { "php5-gd":
                ensure => present;
@@ -90,7 +90,7 @@
 #  Install the 'apache2' package
 class webserver::apache2 {
 
-       include sysctlfile::high-http-performance
+       include role::sysctl::high_http_performance
 
        package { apache2:
                ensure => present;
@@ -326,5 +326,5 @@
        include packages,
                config,
                service,
-               sysctlfile::high-http-performance
+               role::sysctl::high_http_performance
 }
diff --git a/modules/sysctl/files/procps-puppet.conf 
b/modules/sysctl/files/procps-puppet.conf
new file mode 100644
index 0000000..fdf2126
--- /dev/null
+++ b/modules/sysctl/files/procps-puppet.conf
@@ -0,0 +1,17 @@
+# procps-puppet - set puppet-managed sysctls
+#
+# This task sets Puppet-managed sysctl kernel parameters
+# from /etc/sysctl.d/puppet-managed.
+description "set sysctls from /etc/sysctl.d/puppet-managed"
+start on stopping procps
+
+task
+
+script
+    if [ -x /sbin/sysctl ]; then
+        for config in /etc/sysctl.d/puppet-managed/*.conf; do
+            [ -e "$config" ] || break
+            sysctl -e -p "$config"
+        done
+    fi
+end script
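Review bot: The script guards on `[ -x /sbin/sysctl ]` but then invokes `sysctl` by bare name, so it depends on whatever PATH Upstart gives the job rather than the binary it just checked; use the checked path, `/sbin/sysctl -e -p "$config"`. Note that `-e` makes sysctl ignore keys unknown to the running kernel, so a typo in a managed file will not surface at boot; consider dropping `-e` or at least emitting a `logger` line when a file fails to apply so the failure is visible in syslog. The `[ -e "$config" ] || break` line correctly handles the unexpanded glob when the directory holds no .conf files.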
diff --git a/modules/sysctl/files/sysctl.d-puppet-managed-empty/README 
b/modules/sysctl/files/sysctl.d-puppet-managed-empty/README
new file mode 100644
index 0000000..4521ab8
--- /dev/null
+++ b/modules/sysctl/files/sysctl.d-puppet-managed-empty/README
@@ -0,0 +1,2 @@
+This directory is managed by Puppet.
+PUPPET WILL DELETE UNMANAGED FILES IN THIS DIRECTORY WITHOUT WARNING.
diff --git a/modules/sysctl/manifests/conffile.pp 
b/modules/sysctl/manifests/conffile.pp
new file mode 100644
index 0000000..6614b8c
--- /dev/null
+++ b/modules/sysctl/manifests/conffile.pp
@@ -0,0 +1,22 @@
+# == Define: sysctl::conffile
+#
+# Represents a Puppet-managed file with sysctl kernel parameters in
+# /etc/sysctl.d/puppet-managed.
+#
+define sysctl::conffile(
+    $ensure   = present,
+    $file     = $title,
+    $content  = undef,
+    $source   = undef,
+    $priority = '10',
+) {
+    include sysctl
+
+    $basename = regsubst($file, '\W', '-', 'G')
+    file { "/etc/sysctl.d/puppet-managed/${priority}-${basename}.conf":
+        ensure  => $ensure,
+        content => $content,
+        source  => $source,
+        notify  => Service['procps-puppet'],
+    }
+}
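Review bot: The file resource for `/etc/sysctl.d/puppet-managed/${priority}-${basename}.conf` drops the explicit `owner => 'root'`, `group => 'root'`, `mode => '0444'` that the deleted sysctlfile define set, so ownership and mode now fall back to the agent's defaults and umask for a file that is fed to `sysctl -p` as root at boot; I'd keep them explicit by adding `owner => 'root',`, `group => 'root',` and `mode => '0444',` next to `ensure`. `$file` is sanitized through regsubst but `$priority` is interpolated into the path as given, so a comment stating that it is expected to be a two-digit number (or a validation if the module has one available) would make the contract clear. It is also worth carrying over the old define's note that `ensure => absent` removes the file but leaves the current kernel value in place until the next reboot.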
diff --git a/modules/sysctl/manifests/init.pp b/modules/sysctl/manifests/init.pp
new file mode 100644
index 0000000..20f1bae
--- /dev/null
+++ b/modules/sysctl/manifests/init.pp
@@ -0,0 +1,29 @@
+# == Class: sysctl
+#
+# This Puppet class provides 'sysctl::conffile' and 'sysctl::params'
+# resources which manages kernel parameters using /etc/sysctl.d files
+# and the procps service.
+#
+class sysctl {
+    file { '/etc/sysctl.d':
+        ensure => directory,
+    }
+
+    file { '/etc/sysctl.d/puppet-managed':
+        ensure  => directory,
+        recurse => true,
+        purge   => true,
+        force   => true,
+        source  => 'puppet:///modules/sysctl/sysctl.d-puppet-managed-empty',
+    }
+
+    file { '/etc/init/procps-puppet.conf':
+        source  => 'puppet:///modules/sysctl/procps-puppet.conf',
+        require => File['/etc/sysctl.d/puppet-managed'],
+    }
+
+    service { 'procps-puppet':
+        provider => upstart,
+        require  => File['/etc/init/procps-puppet.conf'],
+    }
+}
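Review bot: The class declares `service { 'procps-puppet': provider => upstart }` unconditionally, whereas the removed base::sysctl only managed sysctl files when `$::lsbdistid == "Ubuntu"` and stubbed the exec otherwise, so any host without Upstart that includes a role::sysctl::* class will presumably now fail catalog application instead of being skipped; if such hosts still exist, gate the module on the same fact or `fail()` with a clear message. The `/etc/init/procps-puppet.conf` resource also carries no `owner`/`group`/`mode` even though its script runs as root at boot; pin `owner => 'root', group => 'root', mode => '0444'` as the other managed files should. A short comment above the `purge => true` / `force => true` directory noting that any sysctl file dropped in by hand will be deleted on the next agent run would help operators who never see the README.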
diff --git a/modules/sysctl/manifests/params.pp 
b/modules/sysctl/manifests/params.pp
new file mode 100644
index 0000000..c1337ba
--- /dev/null
+++ b/modules/sysctl/manifests/params.pp
@@ -0,0 +1,17 @@
+# == Define: sysctl::params
+#
+# This custom resource lets you specify sysctl parameters using a Puppet
+# hash, set as the 'values' parameter.
+#
+define sysctl::params(
+    $values,
+    $ensure   = present,
+    $file     = $title,
+    $priority = '10',
+) {
+    sysctl::conffile { $file:
+        ensure   => $ensure,
+        content  => template('sysctl/sysctl.conf.erb'),
+        priority => $priority,
+    }
+}
diff --git a/modules/sysctl/templates/sysctl.conf.erb 
b/modules/sysctl/templates/sysctl.conf.erb
new file mode 100644
index 0000000..061b6a5
--- /dev/null
+++ b/modules/sysctl/templates/sysctl.conf.erb
@@ -0,0 +1,3 @@
+# sysctl parameters managed by Puppet.
+<%= @values.sort.map { |kv| kv.join("=") }.join("\n") %>
+
diff --git a/modules/sysctlfile/manifests/advanced-routing-ipv6.pp 
b/modules/sysctlfile/manifests/advanced-routing-ipv6.pp
deleted file mode 100644
index 1c38eb9..0000000
--- a/modules/sysctlfile/manifests/advanced-routing-ipv6.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-# sysctl values for advanced routing ipv6
-class sysctlfile::advanced-routing-ipv6($ensure="present") {
-    sysctlfile {'advanced-routing-ipv6':
-        source => 'puppet:///modules/sysctlfile/50-advanced-routing-ipv6.conf',
-        number_prefix => '50',
-        ensure => $ensure,
-        notify => Exec["/sbin/start procps"],
-    }
-}
diff --git a/modules/sysctlfile/manifests/advanced-routing.pp 
b/modules/sysctlfile/manifests/advanced-routing.pp
deleted file mode 100644
index ddb4f88..0000000
--- a/modules/sysctlfile/manifests/advanced-routing.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-# sysctl values for 'advanced routing'
-class sysctlfile::advanced-routing($ensure='present') {
-    sysctlfile {'advanced-routing':
-        source => 'puppet:///modules/sysctlfile/50-advanced-routing.conf',
-        number_prefix => '50',
-        ensure => $ensure,
-        notify => Exec["/sbin/start procps"],
-    }
-}
diff --git a/modules/sysctlfile/manifests/high-bandwidth-rsync.pp 
b/modules/sysctlfile/manifests/high-bandwidth-rsync.pp
deleted file mode 100644
index ee71f19..0000000
--- a/modules/sysctlfile/manifests/high-bandwidth-rsync.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-# sysctl values for high bandwidth rsyn
-class sysctlfile::high-bandwidth-rsync($ensure="present") {
-    sysctlfile {'high-bandwidth-rsync':
-        source => 'puppet:///modules/sysctlfile/60-high-bandwidth-rsync.conf',
-        ensure => $ensure,
-        notify => Exec["/sbin/start procps"],
-    }
-}
diff --git a/modules/sysctlfile/manifests/high-http-performance.pp 
b/modules/sysctlfile/manifests/high-http-performance.pp
deleted file mode 100644
index aa9eb93..0000000
--- a/modules/sysctlfile/manifests/high-http-performance.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-# sysctl values for http high performance
-class sysctlfile::high-http-performance($ensure="present") {
-    sysctlfile {'high-http-performance':
-        source => 'puppet:///modules/sysctlfile/60-high-http-performance.conf',
-        ensure => $ensure,
-       notify => Exec["/sbin/start procps"],
-    }
-}
diff --git a/modules/sysctlfile/manifests/init.pp 
b/modules/sysctlfile/manifests/init.pp
deleted file mode 100644
index 189b4e7..0000000
--- a/modules/sysctlfile/manifests/init.pp
+++ /dev/null
@@ -1,79 +0,0 @@
-# Sysctlfile
-
-# Creates a file in /etc/sysctl.d to set sysctl settings, and reloads
-# sysctl with the new settings.
-#
-# There are three ways to use this define.  You must specify one of
-# $value, $content, or $source.  Not specifying one of these results
-# in a parse failure.
-#
-# Usage 1: $value
-#    sysctlfile { "net.core.rmem_max": value => 16777218 }
-#
-# Usage 2: $content
-#    $rmem_max = 536870912
-#    sysctlfile { "custom_rmem_max": content => 
template("sysctl/sysctl_rmemmax.erb") }
-#
-# Usage 3: $source
-#    sysctlfile { "custom_rmem_max": source => 
"puppet:///files/misc/rmem_max.sysctl.conf" }
-#
-# Parameters:
-#    $key
-#    $value         - Puts "$key = $value" in the sysctl.d file.
-#    $content       - Puts this exact content in the sysctl.d file.
-#    $source        - Puts the $source file at the sysctl.d file.
-#    $ensure        - Either 'present' or 'absent'.  Default: 'present'.
-#    $number_prefix - The load order prefix number in the sysctl.d filename.  
Default '60'.  You probably don't need to change this.
-#
-define sysctlfile($value         = undef,
-                  $key           = $title,
-                  $content       = undef,
-                  $source        = undef,
-                  $ensure        = 'present',
-                  $number_prefix = '60') {
-    $sysctl_file = "/etc/sysctl.d/${number_prefix}-${key}.conf"
-
-    file { $sysctl_file:
-        mode   => '0444',
-        owner  => 'root',
-        group  => 'root',
-        ensure => $ensure,
-    }
-
-    # if using $value, then set $key = $value in the sysctl.d file
-    if $value {
-        File[$sysctl_file] { content => "${key} = ${value}" }
-    }
-    # else just set the content
-    elsif $content {
-        File[$sysctl_file] { content => $content }
-    }
-    # else put the file in place from a source file.
-    elsif $source {
-        File[$sysctl_file] { source  => $source }
-    }
-    # if none of the above are defined, then throw a parse failure.
-    else {
-        fail("sysctl '${title}' must specify one of \$content, \$source or 
\$value.")
-    }
-
-    # Refresh sysctl if we are ensuring the sysctl.d file
-    # exists.  NOTE:  I'm not sure how to reset the sysctl
-    # value to its original if we ensure => absent.  For now,
-    # that will have to wait until a reboot happens.  This
-    # probably won't be a real problem anyway.  Anyone
-    # using this define can just explicitly set the value
-    # back to what it should be, rather than using ensure => 'absent'.
-    if $ensure == 'present' {
-        # refresh sysctl when the sysctl file changes
-        exec { "sysctl_reload_${key}":
-            command     => "/sbin/sysctl -p $sysctl_file",
-            subscribe   => File[$sysctl_file],
-            refreshonly => true,
-        }
-    }
-
-    if !($::lsbdistid == "Ubuntu" and versioncmp($::lsbdistrelease, "10.04") 
>= 0) {
-        alert("Distribution on $hostname does not support /etc/sysctl.d/ files 
yet.")
-    }
-}
diff --git a/modules/sysctlfile/manifests/ipv6-disable-ra.pp 
b/modules/sysctlfile/manifests/ipv6-disable-ra.pp
deleted file mode 100644
index 9a67345..0000000
--- a/modules/sysctlfile/manifests/ipv6-disable-ra.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-# sysctl values for ipv6-disable-ra
-class sysctlfile::ipv6-disable-ra($ensure="present") {
-    sysctlfile {'ipv6-disable-ra':
-        source => 'puppet:///modules/sysctlfile/50-ipv6-disable-ra.conf',
-        number_prefix => '50',
-        ensure => $ensure,
-        notify => Exec["/sbin/start procps"],
-    }
-}
diff --git a/modules/sysctlfile/manifests/lvs.pp 
b/modules/sysctlfile/manifests/lvs.pp
deleted file mode 100644
index 4f72112..0000000
--- a/modules/sysctlfile/manifests/lvs.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-# sysctl values for lvs
-class sysctlfile::lvs($ensure="present") {
-    sysctlfile {'lvs':
-        source => 'puppet:///modules/sysctlfile/50-lvs.conf',
-        number_prefix => '50',
-        ensure => $ensure,
-        notify => Exec["/sbin/start procps"],
-    }
-}
diff --git a/modules/toollabs/manifests/exec_environ.pp 
b/modules/toollabs/manifests/exec_environ.pp
index d6855cd..7a45ab6 100644
--- a/modules/toollabs/manifests/exec_environ.pp
+++ b/modules/toollabs/manifests/exec_environ.pp
@@ -154,8 +154,12 @@
     ensure => present
   }
 
-  sysctl { "vm.overcommit_memory": value => 2 }
-  sysctl { "vm.overcommit_ratio": value => 95 }
+  sysctl::params { 'tool labs':
+    values => {
+      'vm.overcommit_memory' => 2,
+      'vm.overcommit_ratio'  => 95,
+    },
+  }
 
   # TODO: quotas
 }
diff --git a/modules/varnish/manifests/common.pp 
b/modules/varnish/manifests/common.pp
index b8ae8d7..f2620cb 100644
--- a/modules/varnish/manifests/common.pp
+++ b/modules/varnish/manifests/common.pp
@@ -2,7 +2,8 @@
     require varnish::packages
 
     # Tune kernel settings
-    include sysctlfile::high-http-performance
+    # TODO: Should be moved to a role class.
+    include role::sysctl::high_http_performance
 
     # Mount /var/lib/ganglia as tmpfs to avoid Linux flushing mlocked
     # shm memory to disk

-- 
To view, visit https://gerrit.wikimedia.org/r/75087
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib294b691dad8500c2e0cd39896882f8cf4f3a286
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <o...@wikimedia.org>
