Ori.livneh has uploaded a new change for review. https://gerrit.wikimedia.org/r/75087
Change subject: Refactor sysctl ...................................................................... Refactor sysctl This patch reorganizes the sysctlfile module and sysctl resource into a reworked sysctl module. The module adds an Upstart task called "procps-puppet" that is set to run on stopping procps, meaning it will run immediately after procps whenever the latter is run. The service loads sysctl settings from /etc/sysctl.d/puppet-managed, which Puppet manages recursively. The module provides two custom types, sysctl::conffile and sysctl::params. The former takes file contents or path reference as a parameter; the latter takes a hash of sysctl values and generates the files using a template. Standard configurations are provided as role::sysctl::* classes. Change-Id: Ib294b691dad8500c2e0cd39896882f8cf4f3a286 --- R files/sysctl/advanced-routing-ipv6.conf R files/sysctl/advanced-routing.conf R files/sysctl/big-rmem.conf R files/sysctl/high-bandwidth-rsync.conf R files/sysctl/high-http-performance.conf R files/sysctl/ipv6-disable-ra.conf R files/sysctl/lvs.conf R files/sysctl/wikimedia-base.conf M manifests/base.pp M manifests/generic-definitions.pp M manifests/lvs.pp M manifests/misc/download.pp M manifests/misc/udp2log.pp M manifests/openstack.pp M manifests/role/ceph.pp M manifests/role/fundraising.pp M manifests/role/ipv6relay.pp M manifests/role/memcached.pp M manifests/role/mirror.pp M manifests/role/protoproxy.pp A manifests/role/sysctl.pp M manifests/site.pp M manifests/squid.pp M manifests/swift.pp M manifests/webserver.pp A modules/sysctl/files/procps-puppet.conf A modules/sysctl/files/sysctl.d-puppet-managed-empty/README A modules/sysctl/manifests/conffile.pp A modules/sysctl/manifests/init.pp A modules/sysctl/manifests/params.pp A modules/sysctl/templates/sysctl.conf.erb D modules/sysctlfile/manifests/advanced-routing-ipv6.pp D modules/sysctlfile/manifests/advanced-routing.pp D modules/sysctlfile/manifests/high-bandwidth-rsync.pp D 
modules/sysctlfile/manifests/high-http-performance.pp D modules/sysctlfile/manifests/init.pp D modules/sysctlfile/manifests/ipv6-disable-ra.pp D modules/sysctlfile/manifests/lvs.pp M modules/toollabs/manifests/exec_environ.pp M modules/varnish/manifests/common.pp 40 files changed, 196 insertions(+), 293 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/87/75087/1 diff --git a/modules/sysctlfile/files/50-advanced-routing-ipv6.conf b/files/sysctl/advanced-routing-ipv6.conf similarity index 88% rename from modules/sysctlfile/files/50-advanced-routing-ipv6.conf rename to files/sysctl/advanced-routing-ipv6.conf index fc28404..020d34a 100644 --- a/modules/sysctlfile/files/50-advanced-routing-ipv6.conf +++ b/files/sysctl/advanced-routing-ipv6.conf @@ -1,6 +1,6 @@ ##################################################################### #### THIS FILE IS MANAGED BY PUPPET -#### puppet:///modules/sysctlfile/50-advanced-routing-ipv6.conf +#### puppet:///files/sysctl/advanced-routing-ipv6.conf ###################################################################### # Enable router advertisements even when forwarding is enabled diff --git a/modules/sysctlfile/files/50-advanced-routing.conf b/files/sysctl/advanced-routing.conf similarity index 84% rename from modules/sysctlfile/files/50-advanced-routing.conf rename to files/sysctl/advanced-routing.conf index f727030..baf4684 100644 --- a/modules/sysctlfile/files/50-advanced-routing.conf +++ b/files/sysctl/advanced-routing.conf @@ -1,6 +1,6 @@ ##################################################################### #### THIS FILE IS MANAGED BY PUPPET -#### puppet:///modules/sysctlfile/50-advanced-routing.conf +#### puppet:///files/sysctl/advanced-routing.conf ###################################################################### # Turn OFF RP filter 
diff --git a/modules/sysctlfile/files/99-big-rmem.conf b/files/sysctl/big-rmem.conf similarity index 82% rename from modules/sysctlfile/files/99-big-rmem.conf rename to files/sysctl/big-rmem.conf index ed4c261..9fe8525 100644 --- a/modules/sysctlfile/files/99-big-rmem.conf +++ b/files/sysctl/big-rmem.conf @@ -1,6 +1,6 @@ ##################################################################### ### THIS FILE IS MANAGED BY PUPPET -### puppet:///modules/sysctlfile/99-big-rmem.conf +### puppet:///files/sysctl/big-rmem.conf ##################################################################### diff --git a/modules/sysctlfile/files/60-high-bandwidth-rsync.conf b/files/sysctl/high-bandwidth-rsync.conf similarity index 85% rename from modules/sysctlfile/files/60-high-bandwidth-rsync.conf rename to files/sysctl/high-bandwidth-rsync.conf index 9013c00..43d0651 100644 --- a/modules/sysctlfile/files/60-high-bandwidth-rsync.conf +++ b/files/sysctl/high-bandwidth-rsync.conf @@ -1,6 +1,6 @@ ##################################################################### ### THIS FILE IS MANAGED BY PUPPET -### puppet:///modules/sysctlfile/60-high-bandwidth-rsync.conf +### puppet:///files/sysctl/high-bandwidth-rsync.conf ##################################################################### diff --git a/modules/sysctlfile/files/60-high-http-performance.conf b/files/sysctl/high-http-performance.conf similarity index 91% rename from modules/sysctlfile/files/60-high-http-performance.conf rename to files/sysctl/high-http-performance.conf index 0528b74..8b1e37e 100644 --- a/modules/sysctlfile/files/60-high-http-performance.conf +++ b/files/sysctl/high-http-performance.conf @@ -1,6 +1,6 @@ ##################################################################### ### THIS FILE IS MANAGED BY PUPPET -### puppet:///modules/sysctlfile/60-high-http-performance.conf +### puppet:///files/sysctl/high-http-performance.conf ##################################################################### 
diff --git a/modules/sysctlfile/files/50-ipv6-disable-ra.conf b/files/sysctl/ipv6-disable-ra.conf similarity index 79% rename from modules/sysctlfile/files/50-ipv6-disable-ra.conf rename to files/sysctl/ipv6-disable-ra.conf index c986bbe..80d453d 100644 --- a/modules/sysctlfile/files/50-ipv6-disable-ra.conf +++ b/files/sysctl/ipv6-disable-ra.conf @@ -1,6 +1,6 @@ ##################################################################### #### THIS FILE IS MANAGED BY PUPPET -#### puppet:///modules/sysctlfile/60-ipv6-disable-ra.conf +#### puppet:///files/sysctl/ipv6-disable-ra.conf ###################################################################### diff --git a/modules/sysctlfile/files/50-lvs.conf b/files/sysctl/lvs.conf similarity index 90% rename from modules/sysctlfile/files/50-lvs.conf rename to files/sysctl/lvs.conf index 2a04070..66b5567 100644 --- a/modules/sysctlfile/files/50-lvs.conf +++ b/files/sysctl/lvs.conf @@ -1,6 +1,6 @@ ##################################################################### #### THIS FILE IS MANAGED BY PUPPET -#### puppet:///modules/sysctlfile/50-lvs.conf +#### puppet:///files/sysctl/lvs.conf ###################################################################### # Turn OFF RP filter diff --git a/modules/sysctlfile/files/50-wikimedia-base.conf b/files/sysctl/wikimedia-base.conf similarity index 94% rename from modules/sysctlfile/files/50-wikimedia-base.conf rename to files/sysctl/wikimedia-base.conf index 02a1a59..40bda7f 100644 --- a/modules/sysctlfile/files/50-wikimedia-base.conf +++ b/files/sysctl/wikimedia-base.conf @@ -1,6 +1,6 @@ ##################################################################### ### THIS FILE IS MANAGED BY PUPPET -### puppet:///modules/sysctlfile/50-wikimedia-base.conf +### puppet:///files/sysctl/wikimedia-base.conf ##################################################################### # increase TCP max buffer size diff --git a/manifests/base.pp b/manifests/base.pp index 71b4337..d7ffbad 100644 
--- a/manifests/base.pp +++ b/manifests/base.pp @@ -296,35 +296,6 @@ } } -class base::sysctl { - if ($::lsbdistid == "Ubuntu") and ($::lsbdistrelease != "8.04") { - exec { "/sbin/start procps": - path => "/bin:/sbin:/usr/bin:/usr/sbin", - refreshonly => true; - } - - # FIXME: *never* source a file from a module - sysctlfile { 'wikimedia-base': - source => 'puppet:///modules/sysctlfile/50-wikimedia-base.conf', - number_prefix => '50', - ensure => $ensure, - notify => Exec["/sbin/start procps"], - } - - # Disable IPv6 privacy extensions, we rather not see our servers hide - file { "/etc/sysctl.d/10-ipv6-privacy.conf": - ensure => absent - } - } else { - # FIXME: this is a super ugly hack but the sysctlfile module is broken, - # relying on a definition to be defined in base.pp to actually work - exec { "/sbin/start procps": - command => '/bin/true', - refreshonly => true, - } - } -} - class base::standard-packages { $packages = [ @@ -772,7 +743,7 @@ base::grub, base::resolving, base::remote-syslog, - base::sysctl, + role::sysctl::base, base::motd, base::vimconfig, base::standard-packages, diff --git a/manifests/generic-definitions.pp b/manifests/generic-definitions.pp index 6e063b1..09ed452 100644 --- a/manifests/generic-definitions.pp +++ b/manifests/generic-definitions.pp 
@@ -708,84 +708,6 @@ } } -# Sysctl settings - -# Define: sysctl -# -# Creates a file in /etc/sysctl.d to set sysctl settings, and reloads -# sysctl with the new settings. -# -# There are three ways to use this define. You must specify one of -# $value, $content, or $source. Not specifying one of these results -# in a parse failure. -# -# Usage 1: $value -# sysctl { "net.core.rmem_max": value => 16777218 } -# -# Usage 2: $content -# $rmem_max = 536870912 -# sysctl { "custom_rmem_max": content => template("sysctl/sysctl_rmemmax.erb") } -# -# Usage 3: $source -# sysctl { "custom_rmem_max": source => "puppet:///files/misc/rmem_max.sysctl.conf" } -# -# Parameters: -# $value - Puts "$title = $value" in the sysctl.d file. -# $content - Puts this exact content in the sysctl.d file. -# $source - Puts the $source file at the sysctl.d file. -# $ensure - Either 'present' or 'absent'. Default: 'present'. -# $number_prefix - The load order prefix number in the sysctl.d filename. Default '60'. You probably don't need to change this. -# -define sysctl( - $value = undef, - $content = undef, - $source = undef, - $ensure = "present", - $number_prefix = "60") -{ - $sysctl_file = "/etc/sysctl.d/${number_prefix}-${title}.conf" - - file { "$sysctl_file": - mode => 0444, - owner => "root", - group => "root", - ensure => $ensure, - } - - # if using $value, then set $title = $value in the sysctl.d file - if $value { - File[$sysctl_file] { content => "${title} = ${value}" } - } - # else just set the content - elsif $content { - File[$sysctl_file] { content => $content } - } - # else put the file in place from a source file. - elsif $source { - File[$sysctl_file] { source => $source } - } - # if none of the above are defined, then throw a parse failure. - else { - alert("sysctl '${title}' must specify one of \$content, \$source or \$value.") - } - - # Refresh sysctl if we are ensuring the sysctl.d file - # exists. 
NOTE: I'm not sure how to reset the sysctl - # value to its original if we ensure => absent. For now, - # that will have to wait until a reboot happens. This - # probably won't be a real problem anyway. Anyone - # using this define can just explicitly set the value - # back to what it should be, rather than using ensure => 'absent'. - if $ensure == 'present' { - # refresh sysctl when the sysctl file changes - exec { "sysctl_reload_${title}": - command => "/sbin/sysctl -p $sysctl_file", - subscribe => File["$sysctl_file"], - refreshonly => true, - } - } -} - class generic::sysfs::enable-rps { upstart_job { "enable-rps": install => "true", start => "true" } } diff --git a/manifests/lvs.pp b/manifests/lvs.pp index b2faaf0..529cd78 100644 --- a/manifests/lvs.pp +++ b/manifests/lvs.pp @@ -829,8 +829,8 @@ class { "lvs::realserver": realserver_ips => $service_ips } # Sysctl settings - class { "sysctlfile::advanced-routing": ensure => absent } - include sysctlfile::lvs + class { "role::sysctl::advanced_routing": ensure => absent } + include role::sysctl::lvs } # Supporting the PyBal RunCommand monitor diff --git a/manifests/misc/download.pp b/manifests/misc/download.pp index 5ea5cd2..7a2136d 100644 --- a/manifests/misc/download.pp +++ b/manifests/misc/download.pp @@ -55,7 +55,7 @@ require => [ Package[nfs-kernel-server], File["/etc/exports"] ], } - include sysctlfile::high-bandwidth-rsync + include role::sysctl::high_bandwidth_rsync monitor_service { "lighttpd http": description => "Lighttpd HTTP", check_command => "check_http" } monitor_service { "nfs": description => "NFS", check_command => "check_tcp!2049" } diff --git a/manifests/misc/udp2log.pp b/manifests/misc/udp2log.pp index bf2f7cf..ecd91d9 100644 --- a/manifests/misc/udp2log.pp +++ b/manifests/misc/udp2log.pp @@ -12,7 +12,7 @@ include contacts::udp2log, misc::udp2log::udp_filter, - misc::udp2log::sysctl + role::sysctl::big_rmem # include the monitoring scripts # required for monitoring udp2log instances 
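Review bot: The new declaration `class { "role::sysctl::advanced_routing": ensure => absent }` in manifests/lvs.pp passes an `ensure` parameter, but `role::sysctl::advanced_routing` as added in manifests/role/sysctl.pp is declared without any parameters, so catalog compilation should fail with an invalid-parameter error wherever this class is used. The old `sysctlfile::advanced-routing` accepted `$ensure`; either give the role class the same parameter and pass it through (`class role::sysctl::advanced_routing($ensure = present) {` plus `ensure => $ensure,` on its `sysctl::conffile`), or drop the declaration here. Removing the file would in any case not reset values that are already live. The enclosing class starts outside the hunk.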
@@ -37,20 +37,6 @@ ensure => present; } } - -class misc::udp2log::sysctl($ensure="present") { - # make sure base::sysctl is here so that - # start procps can be notified. - include base::sysctl - - sysctlfile { 'big-rmem': - source => 'puppet:///modules/sysctlfile/99-big-rmem.conf', - number_prefix => '99', - ensure => $ensure, - notify => Exec["/sbin/start procps"], - } -} - # Class: misc::udp2log::rsyncd # diff --git a/manifests/openstack.pp b/manifests/openstack.pp index d4c28f9..d544dc6 100644 --- a/manifests/openstack.pp +++ b/manifests/openstack.pp @@ -587,8 +587,8 @@ } # Enable IP forwarding - include sysctlfile::advanced-routing, - sysctlfile::ipv6-disable-ra + include role::sysctl::advanced_routing, + role::sysctl::ipv6_disable_ra } class openstack::api-service($openstack_version="essex", $novaconfig) { diff --git a/manifests/role/ceph.pp b/manifests/role/ceph.pp index bf79d54..cfd3b7d 100644 --- a/manifests/role/ceph.pp +++ b/manifests/role/ceph.pp @@ -67,11 +67,11 @@ include ceph::osd # I/O busy systems, tune a few knobs to avoid page alloc failures - sysctl { 'sys.vm.min_free_kbytes': - value => '512000', - } - sysctl { 'sys.vm.vfs_cache_pressure': - value => '120', + sysctl::params { 'ceph': + values => { + 'sys.vm.min_free_kbytes' => '512000', + 'sys.vm.vfs_cache_pressure' => '120', + }, } } @@ -82,7 +82,7 @@ class { "lvs::realserver": realserver_ips => [ "10.2.2.27" ] } - include sysctlfile::high-http-performance + include role::sysctl::high_http_performance class { 'ceph::radosgw': servername => 'ms-fe.eqiad.wmnet', diff --git a/manifests/role/fundraising.pp b/manifests/role/fundraising.pp index d6bed75..b11a7ac 100644 --- a/manifests/role/fundraising.pp +++ b/manifests/role/fundraising.pp @@ -75,7 +75,7 @@ base::puppet, base::resolving, base::standard-packages, - base::sysctl, + role::sysctl::base, base::tcptweaks, base::vimconfig, passwords::root, diff --git a/manifests/role/ipv6relay.pp b/manifests/role/ipv6relay.pp index 07cf332..750c610 100644 
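Review bot: The keys `sys.vm.min_free_kbytes` and `sys.vm.vfs_cache_pressure` in the new `sysctl::params { 'ceph': }` block do not look like valid sysctl names; these parameters live under `/proc/sys/vm/` and are addressed as `vm.min_free_kbytes` and `vm.vfs_cache_pressure`. The names are carried over unchanged from the old `sysctl` resources, but the new loader runs `sysctl -e -p`, and `-e` ignores unknown keys, so the tuning meant to avoid page allocation failures would be skipped without any error. Suggest `'vm.min_free_kbytes' => '512000',` and `'vm.vfs_cache_pressure' => '120',`. The enclosing class begins outside the hunk.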
--- a/manifests/role/ipv6relay.pp +++ b/manifests/role/ipv6relay.pp @@ -1,7 +1,7 @@ class role::ipv6relay { system_role { "role::ipv6relay": description => "IPv6 tunnel relay (6to4/Teredo)" } - include sysctlfile::advanced-routing-ipv6 + include role::sysctl::advanced_routing_ipv6 # Teredo include misc::miredo diff --git a/manifests/role/memcached.pp b/manifests/role/memcached.pp index e588349..2dceb01 100644 --- a/manifests/role/memcached.pp +++ b/manifests/role/memcached.pp @@ -10,7 +10,7 @@ system_role { "role::memcached": description => "memcached server" } include standard, - sysctlfile::high-http-performance + role::sysctl::high_http_performance class { "::memcached": memcached_size => '89088', diff --git a/manifests/role/mirror.pp b/manifests/role/mirror.pp index 57e4e63..012cc6c 100644 --- a/manifests/role/mirror.pp +++ b/manifests/role/mirror.pp @@ -9,7 +9,7 @@ ensure => latest; } - include sysctlfile::high-bandwidth-rsync + include role::sysctl::high_bandwidth_rsync } class role::mirror::media { diff --git a/manifests/role/protoproxy.pp b/manifests/role/protoproxy.pp index 5b884da..6c009fd 100644 --- a/manifests/role/protoproxy.pp +++ b/manifests/role/protoproxy.pp @@ -20,7 +20,7 @@ include protoproxy::package # Tune kernel settings - include sysctlfile::high-http-performance + include role::sysctl::high_http_performance $nginx_worker_connections = '32768' $nginx_use_ssl = true diff --git a/manifests/role/sysctl.pp b/manifests/role/sysctl.pp new file mode 100644 index 0000000..278227f --- /dev/null +++ b/manifests/role/sysctl.pp 
@@ -0,0 +1,60 @@ +class role::sysctl::base { + sysctl::conffile { 'wikimedia base': + source => 'puppet:///files/sysctl/wikimedia-base.conf', + priority => 50, + } + + # Disable IPv6 privacy extensions, we rather not see our servers hide + file { '/etc/sysctl.d/10-ipv6-privacy.conf': + ensure => absent, + } +} + +class role::sysctl::advanced_routing_ipv6 { + sysctl::conffile { 'advanced routing ipv6': + source => 'puppet:///files/sysctl/advanced-routing-ipv6.conf', + priority => 50, + } +} + +class role::sysctl::advanced_routing { + sysctl::conffile { 'advanced routing': + source => 'puppet:///files/sysctl/advanced-routing.conf', + priority => 50, + } +} + +class role::sysctl::high_bandwidth_rsync { + sysctl::conffile { 'high bandwidth rsync': + source => 'puppet:///files/sysctl/high-bandwidth-rsync.conf', + priority => 60, + } +} + +class role::sysctl::high_http_performance { + sysctl::conffile { 'high http performance': + source => 'puppet:///files/sysctl/high-http-performance.conf', + priority => 60, + } +} + +class role::sysctl::ipv6_disable_ra { + sysctl::conffile { 'ipv6 disable ra': + source => 'puppet:///files/sysctl/ipv6-disable-ra.conf', + priority => 50, + } +} + +class role::sysctl::lvs { + sysctl::conffile { 'lvs': + source => 'puppet:///files/sysctl/lvs.conf', + priority => 50, + } +} + +class role::sysctl::big_rmem { + sysctl::conffile { 'big rmem': + source => 'puppet:///files/sysctl/big-rmem.conf', + priority => 99, + } +} diff --git a/manifests/site.pp b/manifests/site.pp index 15c0a29..374980d 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -812,7 +812,7 @@ # base_analytics_logging_node is defined in role/logging.pp node "emery.wikimedia.org" inherits "base_analytics_logging_node" { include - sysctlfile::high-bandwidth-rsync, + role::sysctl::high_bandwidth_rsync, admins::mortals, # RT 4312 accounts::milimetric 
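Review bot: Nothing in the `role::sysctl::*` classes removes the files the old defines installed directly under `/etc/sysctl.d` (`/etc/sysctl.d/${number_prefix}-${key}.conf`, for example `50-wikimedia-base.conf` or `50-advanced-routing.conf`), so every migrated host keeps a stale, now unmanaged copy that procps will presumably still load at boot. A setting such as the RP-filter override in advanced-routing.conf could then persist on a host after its role class has been dropped. `role::sysctl::base` already cleans up `10-ipv6-privacy.conf`; the same pattern, `file { '/etc/sysctl.d/50-wikimedia-base.conf': ensure => absent }`, could be added per class for the old path. The classes also lack a header comment saying what each profile tunes and which hosts it is meant for.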
@@ -2171,7 +2171,7 @@ system_role { "misc::payments": description => "Fundraising payments server" } include base::remote-syslog, - base::sysctl, + role::sysctl::base, base::resolving, base::motd, base::monitoring::host, @@ -2682,7 +2682,7 @@ include passwords::root, base::resolving, - base::sysctl, + role::sysctl::base, base::motd, base::vimconfig, base::standard-packages, diff --git a/manifests/squid.pp b/manifests/squid.pp index bd05398..7857408 100644 --- a/manifests/squid.pp +++ b/manifests/squid.pp @@ -110,7 +110,7 @@ include aufs # Tune kernel settings - include sysctlfile::high-http-performance + include role::sysctl::high_http_performance } class squid::redirector { diff --git a/manifests/swift.pp b/manifests/swift.pp index c71f60b..531fa7b 100644 --- a/manifests/swift.pp +++ b/manifests/swift.pp @@ -7,7 +7,7 @@ # include tcp settings include swift::sysctl::tcp-improvements - include sysctlfile::high-http-performance + include role::sysctl::high_http_performance # this is on purpose not a >=. the cloud archive only exists for # precise right now, and will perhaps exist for the next LTS, but diff --git a/manifests/webserver.pp b/manifests/webserver.pp index 605024a..489a312 100644 --- a/manifests/webserver.pp +++ b/manifests/webserver.pp @@ -5,7 +5,7 @@ # Installs a generic, static web server (lighttpd) with default config, which serves /var/www class webserver::static { - include sysctlfile::high-http-performance, + include role::sysctl::high_http_performance, firewall package { lighttpd: @@ -34,7 +34,7 @@ class webserver::php5( $ssl = 'false' ) { - include sysctlfile::high-http-performance + include role::sysctl::high_http_performance package { [ "apache2-mpm-prefork", "libapache2-mod-php5" ]: ensure => present; @@ -60,7 +60,7 @@ class webserver::modproxy { - include sysctlfile::high-http-performance + include role::sysctl::high_http_performance package { libapache2-mod-proxy-html: ensure => present; 
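Review bot: `include swift::sysctl::tcp-improvements` stays on the context line directly above the changed include in manifests/swift.pp, and that class is not touched by this change. If it is built on the `sysctlfile` define, the old `sysctl` define or `Exec["/sbin/start procps"]`, all of which are deleted here, catalogs for swift hosts will stop compiling; its body is not visible in this diff, so this needs checking. A repository-wide search for `sysctlfile`, `sysctl {` and `start procps` before merging would settle it.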
@@ -71,7 +71,7 @@ # include mysql and apache via dependencies. class webserver::php5-mysql { - include sysctlfile::high-http-performance + include role::sysctl::high_http_performance package { php5-mysql: ensure => present; @@ -80,7 +80,7 @@ class webserver::php5-gd { - include sysctlfile::high-http-performance + include role::sysctl::high_http_performance package { "php5-gd": ensure => present; @@ -90,7 +90,7 @@ # Install the 'apache2' package class webserver::apache2 { - include sysctlfile::high-http-performance + include role::sysctl::high_http_performance package { apache2: ensure => present; @@ -326,5 +326,5 @@ include packages, config, service, - sysctlfile::high-http-performance + role::sysctl::high_http_performance } diff --git a/modules/sysctl/files/procps-puppet.conf b/modules/sysctl/files/procps-puppet.conf new file mode 100644 index 0000000..fdf2126 --- /dev/null +++ b/modules/sysctl/files/procps-puppet.conf @@ -0,0 +1,17 @@ +# procps-puppet - set puppet-managed sysctls +# +# This task sets Puppet-managed sysctl kernel parameters +# from /etc/sysctl.d/puppet-managed. +description "set sysctls from /etc/sysctl.d/puppet-managed" +start on stopping procps + +task + +script + if [ -x /sbin/sysctl ]; then + for config in /etc/sysctl.d/puppet-managed/*.conf; do + [ -e "$config" ] || break + sysctl -e -p "$config" + done + fi +end script diff --git a/modules/sysctl/files/sysctl.d-puppet-managed-empty/README b/modules/sysctl/files/sysctl.d-puppet-managed-empty/README new file mode 100644 index 0000000..4521ab8 --- /dev/null +++ b/modules/sysctl/files/sysctl.d-puppet-managed-empty/README @@ -0,0 +1,2 @@ +This directory is managed by Puppet. +PUPPET WILL DELETE UNMANAGED FILES IN THIS DIRECTORY WITHOUT WARNING. diff --git a/modules/sysctl/manifests/conffile.pp b/modules/sysctl/manifests/conffile.pp new file mode 100644 index 0000000..6614b8c --- /dev/null +++ b/modules/sysctl/manifests/conffile.pp 
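Review bot: The script in procps-puppet.conf tests `[ -x /sbin/sysctl ]` but then runs bare `sysctl`, relying on the job's PATH, and it passes `-e`, which suppresses errors for unknown keys, so a mistyped parameter name in a managed file is never reported. Suggest calling the binary that was tested and letting failures reach the job log: `/sbin/sysctl -p "$config" || echo "procps-puppet: failed to apply $config" >&2`. Files are applied in shell glob order, which is lexical, so a priority such as `5` or `100` would not sort numerically against the two-digit values used elsewhere; a header comment saying that priorities must be two digits would help.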
@@ -0,0 +1,22 @@ +# == Define: sysctl::conffile +# +# Represents a Puppet-managed file with sysctl kernel parameters in +# /etc/sysctl.d/puppet-managed. +# +define sysctl::conffile( + $ensure = present, + $file = $title, + $content = undef, + $source = undef, + $priority = '10', +) { + include sysctl + + $basename = regsubst($file, '\W', '-', 'G') + file { "/etc/sysctl.d/puppet-managed/${priority}-${basename}.conf": + ensure => $ensure, + content => $content, + source => $source, + notify => Service['procps-puppet'], + } +} diff --git a/modules/sysctl/manifests/init.pp b/modules/sysctl/manifests/init.pp new file mode 100644 index 0000000..20f1bae --- /dev/null +++ b/modules/sysctl/manifests/init.pp @@ -0,0 +1,29 @@ +# == Class: sysctl +# +# This Puppet class provides 'sysctl::conffile' and 'sysctl::params' +# resources which manages kernel parameters using /etc/sysctl.d files +# and the procps service. +# +class sysctl { + file { '/etc/sysctl.d': + ensure => directory, + } + + file { '/etc/sysctl.d/puppet-managed': + ensure => directory, + recurse => true, + purge => true, + force => true, + source => 'puppet:///modules/sysctl/sysctl.d-puppet-managed-empty', + } + + file { '/etc/init/procps-puppet.conf': + source => 'puppet:///modules/sysctl/procps-puppet.conf', + require => File['/etc/sysctl.d/puppet-managed'], + } + + service { 'procps-puppet': + provider => upstart, + require => File['/etc/init/procps-puppet.conf'], + } +} diff --git a/modules/sysctl/manifests/params.pp b/modules/sysctl/manifests/params.pp new file mode 100644 index 0000000..c1337ba --- /dev/null +++ b/modules/sysctl/manifests/params.pp 
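Review bot: The `file` resource in `sysctl::conffile` sets no `owner`, `group` or `mode`, where the define it replaces pinned root:root and 0444; with `source =>` the resulting permissions may then follow whatever the file has on the puppetmaster (worth confirming for the Puppet version in use). These files set kernel parameters as root, so they should not be writable by anyone else: add `owner => 'root',`, `group => 'root',` and `mode => '0444',`. The same applies to `/etc/sysctl.d/puppet-managed` and `/etc/init/procps-puppet.conf` in modules/sysctl/manifests/init.pp. The define also no longer rejects a declaration that gives neither `content` nor `source`, which the old `sysctlfile` did with `fail()`.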
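Review bot: `service { 'procps-puppet': }` in init.pp describes an Upstart `task` and sets no `ensure`, while `sysctl::conffile` relies on `notify => Service['procps-puppet']` to apply changes; as far as I know Puppet restarts a service on refresh only when it is currently running, and a task is stopped again as soon as it has finished. If that holds, changed settings would not reach the running kernel until the next boot or procps run, which matters for hardening values. A refresh-only exec is the more usual way to re-run a task, `exec { '/sbin/start procps-puppet': refreshonly => true }`, with the conffile notifying that instead. Please verify on a test host that editing a managed file actually changes the live value.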
@@ -0,0 +1,17 @@ +# == Define: sysctl::params +# +# This custom resource lets you specify sysctl parameters using a Puppet +# hash, set as the 'values' parameter. +# +define sysctl::params( + $values, + $ensure = present, + $file = $title, + $priority = '10', +) { + sysctl::conffile { $file: + ensure => $ensure, + content => template('sysctl/sysctl.conf.erb'), + priority => $priority, + } +} diff --git a/modules/sysctl/templates/sysctl.conf.erb b/modules/sysctl/templates/sysctl.conf.erb new file mode 100644 index 0000000..061b6a5 --- /dev/null +++ b/modules/sysctl/templates/sysctl.conf.erb @@ -0,0 +1,3 @@ +# sysctl parameters managed by Puppet. +<%= @values.sort.map { |kv| kv.join("=") }.join("\n") %> + diff --git a/modules/sysctlfile/manifests/advanced-routing-ipv6.pp b/modules/sysctlfile/manifests/advanced-routing-ipv6.pp deleted file mode 100644 index 1c38eb9..0000000 --- a/modules/sysctlfile/manifests/advanced-routing-ipv6.pp +++ /dev/null @@ -1,9 +0,0 @@ -# sysctl values for advanced routing ipv6 -class sysctlfile::advanced-routing-ipv6($ensure="present") { - sysctlfile {'advanced-routing-ipv6': - source => 'puppet:///modules/sysctlfile/50-advanced-routing-ipv6.conf', - number_prefix => '50', - ensure => $ensure, - notify => Exec["/sbin/start procps"], - } -} diff --git a/modules/sysctlfile/manifests/advanced-routing.pp b/modules/sysctlfile/manifests/advanced-routing.pp deleted file mode 100644 index ddb4f88..0000000 --- a/modules/sysctlfile/manifests/advanced-routing.pp +++ /dev/null @@ -1,9 +0,0 @@ -# sysctl values for 'advanced routing' -class sysctlfile::advanced-routing($ensure='present') { - sysctlfile {'advanced-routing': - source => 'puppet:///modules/sysctlfile/50-advanced-routing.conf', - number_prefix => '50', - ensure => $ensure, - notify => Exec["/sbin/start procps"], - } -} diff --git a/modules/sysctlfile/manifests/high-bandwidth-rsync.pp b/modules/sysctlfile/manifests/high-bandwidth-rsync.pp deleted file mode 100644 index ee71f19..0000000 
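Review bot: `sysctl::params` has no parameter documentation or usage example, while the define it replaces documented each parameter and every calling form. I would extend the header with a short `=== Parameters` list covering `values`, `file` and `priority` (a hash of sysctl name to value, the file name stem, and the two-digit load-order prefix) and one example such as the `'tool labs'` declaration. It is also worth stating there that sysctl.conf.erb writes each key and value as given, joined by `=`, with no checking of either.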
--- a/modules/sysctlfile/manifests/high-bandwidth-rsync.pp +++ /dev/null @@ -1,8 +0,0 @@ -# sysctl values for high bandwidth rsyn -class sysctlfile::high-bandwidth-rsync($ensure="present") { - sysctlfile {'high-bandwidth-rsync': - source => 'puppet:///modules/sysctlfile/60-high-bandwidth-rsync.conf', - ensure => $ensure, - notify => Exec["/sbin/start procps"], - } -} diff --git a/modules/sysctlfile/manifests/high-http-performance.pp b/modules/sysctlfile/manifests/high-http-performance.pp deleted file mode 100644 index aa9eb93..0000000 --- a/modules/sysctlfile/manifests/high-http-performance.pp +++ /dev/null @@ -1,8 +0,0 @@ -# sysctl values for http high performance -class sysctlfile::high-http-performance($ensure="present") { - sysctlfile {'high-http-performance': - source => 'puppet:///modules/sysctlfile/60-high-http-performance.conf', - ensure => $ensure, - notify => Exec["/sbin/start procps"], - } -} diff --git a/modules/sysctlfile/manifests/init.pp b/modules/sysctlfile/manifests/init.pp deleted file mode 100644 index 189b4e7..0000000 --- a/modules/sysctlfile/manifests/init.pp +++ /dev/null 
@@ -1,79 +0,0 @@ -# Sysctlfile - -# Creates a file in /etc/sysctl.d to set sysctl settings, and reloads -# sysctl with the new settings. -# -# There are three ways to use this define. You must specify one of -# $value, $content, or $source. Not specifying one of these results -# in a parse failure. -# -# Usage 1: $value -# sysctlfile { "net.core.rmem_max": value => 16777218 } -# -# Usage 2: $content -# $rmem_max = 536870912 -# sysctlfile { "custom_rmem_max": content => template("sysctl/sysctl_rmemmax.erb") } -# -# Usage 3: $source -# sysctlfile { "custom_rmem_max": source => "puppet:///files/misc/rmem_max.sysctl.conf" } -# -# Parameters: -# $key -# $value - Puts "$key = $value" in the sysctl.d file. -# $content - Puts this exact content in the sysctl.d file. -# $source - Puts the $source file at the sysctl.d file. -# $ensure - Either 'present' or 'absent'. Default: 'present'. -# $number_prefix - The load order prefix number in the sysctl.d filename. Default '60'. You probably don't need to change this. -# -define sysctlfile($value = undef, - $key = $title, - $content = undef, - $source = undef, - $ensure = 'present', - $number_prefix = '60') { - $sysctl_file = "/etc/sysctl.d/${number_prefix}-${key}.conf" - - file { $sysctl_file: - mode => '0444', - owner => 'root', - group => 'root', - ensure => $ensure, - } - - # if using $value, then set $key = $value in the sysctl.d file - if $value { - File[$sysctl_file] { content => "${key} = ${value}" } - } - # else just set the content - elsif $content { - File[$sysctl_file] { content => $content } - } - # else put the file in place from a source file. - elsif $source { - File[$sysctl_file] { source => $source } - } - # if none of the above are defined, then throw a parse failure. - else { - fail("sysctl '${title}' must specify one of \$content, \$source or \$value.") - } - - # Refresh sysctl if we are ensuring the sysctl.d file - # exists. 
NOTE: I'm not sure how to reset the sysctl - # value to its original if we ensure => absent. For now, - # that will have to wait until a reboot happens. This - # probably won't be a real problem anyway. Anyone - # using this define can just explicitly set the value - # back to what it should be, rather than using ensure => 'absent'. - if $ensure == 'present' { - # refresh sysctl when the sysctl file changes - exec { "sysctl_reload_${key}": - command => "/sbin/sysctl -p $sysctl_file", - subscribe => File[$sysctl_file], - refreshonly => true, - } - } - - if !($::lsbdistid == "Ubuntu" and versioncmp($::lsbdistrelease, "10.04") >= 0) { - alert("Distribution on $hostname does not support /etc/sysctl.d/ files yet.") - } -} diff --git a/modules/sysctlfile/manifests/ipv6-disable-ra.pp b/modules/sysctlfile/manifests/ipv6-disable-ra.pp deleted file mode 100644 index 9a67345..0000000 --- a/modules/sysctlfile/manifests/ipv6-disable-ra.pp +++ /dev/null @@ -1,9 +0,0 @@ -# sysctl values for ipv6-disable-ra -class sysctlfile::ipv6-disable-ra($ensure="present") { - sysctlfile {'ipv6-disable-ra': - source => 'puppet:///modules/sysctlfile/50-ipv6-disable-ra.conf', - number_prefix => '50', - ensure => $ensure, - notify => Exec["/sbin/start procps"], - } -} diff --git a/modules/sysctlfile/manifests/lvs.pp b/modules/sysctlfile/manifests/lvs.pp deleted file mode 100644 index 4f72112..0000000 --- a/modules/sysctlfile/manifests/lvs.pp +++ /dev/null @@ -1,9 +0,0 @@ -# sysctl values for lvs -class sysctlfile::lvs($ensure="present") { - sysctlfile {'lvs': - source => 'puppet:///modules/sysctlfile/50-lvs.conf', - number_prefix => '50', - ensure => $ensure, - notify => Exec["/sbin/start procps"], - } -} diff --git a/modules/toollabs/manifests/exec_environ.pp b/modules/toollabs/manifests/exec_environ.pp index d6855cd..7a45ab6 100644 --- a/modules/toollabs/manifests/exec_environ.pp +++ b/modules/toollabs/manifests/exec_environ.pp 
@@ -154,8 +154,12 @@ ensure => present } - sysctl { "vm.overcommit_memory": value => 2 } - sysctl { "vm.overcommit_ratio": value => 95 } + sysctl::params { 'tool labs': + values => { + 'vm.overcommit_memory' => 2, + 'vm.overcommit_ratio' => 95, + }, + } # TODO: quotas } diff --git a/modules/varnish/manifests/common.pp b/modules/varnish/manifests/common.pp index b8ae8d7..f2620cb 100644 --- a/modules/varnish/manifests/common.pp +++ b/modules/varnish/manifests/common.pp @@ -2,7 +2,8 @@ require varnish::packages # Tune kernel settings - include sysctlfile::high-http-performance + # TODO: Should be moved to a role class. + include role::sysctl::high_http_performance # Mount /var/lib/ganglia as tmpfs to avoid Linux flushing mlocked # shm memory to disk -- To view, visit https://gerrit.wikimedia.org/r/75087 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib294b691dad8500c2e0cd39896882f8cf4f3a286 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ori.livneh <o...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits