jenkins-bot has submitted this change and it was merged.
Change subject: Cgroup support
......................................................................
Cgroup support
Bug: T120940
Bug: T120993
Change-Id: I8d2438bf788495ecb27b188fc0915532634d2f6f
---
A puppet/modules/cgroup/files/cgrulesengd.conf
A puppet/modules/cgroup/manifests/config.pp
A puppet/modules/cgroup/manifests/init.pp
M puppet/modules/thumbor/manifests/init.pp
M puppet/modules/thumbor/templates/upstart.erb
5 files changed, 138 insertions(+), 5 deletions(-)
Approvals:
Ori.livneh: Looks good to me, approved
Filippo Giunchedi: Looks good to me, but someone else must approve
jenkins-bot: Verified
diff --git a/puppet/modules/cgroup/files/cgrulesengd.conf
b/puppet/modules/cgroup/files/cgrulesengd.conf
new file mode 100644
index 0000000..eaedb1f
--- /dev/null
+++ b/puppet/modules/cgroup/files/cgrulesengd.conf
@@ -0,0 +1,13 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+#####################################################################
+
+description "cgrulesengd"
+
+start on (local-filesystems and net-device-up IFACE!=lo)
+respawn
+
+setuid root
+setgid root
+
+exec /usr/sbin/cgrulesengd --nodaemon
\ No newline at end of file
diff --git a/puppet/modules/cgroup/manifests/config.pp
b/puppet/modules/cgroup/manifests/config.pp
new file mode 100644
index 0000000..fb038ba
--- /dev/null
+++ b/puppet/modules/cgroup/manifests/config.pp
@@ -0,0 +1,46 @@
+# == Define: cgroup::config
+#
+# Sets up a new cgroup.
+#
+# === Parameters
+#
+# [*limits*]
+# Optional, limits for the cgroup.
+#
+# [*cgrules*]
+# Optional, used to tie the cgroup to a system user/group.
+#
+# === Examples
+#
+# cgroup::config { 'thumbor':
+# limits => 'memory { memory.limit_in_bytes = "1073741824"; }',
+# cgrules => '@thumbor memory thumbor',
+# }
+#
+define cgroup::config(
+ $limits = undef,
+ $cgrules = undef,
+) {
+ include ::cgroup
+
+ unless $limits or $cgrules {
+ warning('cgroup::config must specify limits and/or cgrules')
+ }
+
+ if $limits {
+ file_line { "/etc/cgconfig.conf:${title}":
+ line => "group ${title} { ${limits} }\n",
+ match => "^group ${title}.*$",
+ path => '/etc/cgconfig.conf',
+ notify => Exec['cgconfigparser'],
+ }
+ }
+
+ if $cgrules {
+ file_line { "/etc/cgrules.conf:${title}":
+ line => "${cgrules}\n",
+ path => '/etc/cgrules.conf',
+ notify => Service['cgrulesengd'],
+ }
+ }
+}
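Review bot: The `match` pattern on the `/etc/cgconfig.conf` entry is a prefix match, so `"^group ${title}.*$"` for a cgroup titled `thumbor` would also match, and replace, the line of a cgroup titled `thumbor2`. Anchoring on the separator that the generated line always contains avoids this: `match => "^group ${title} ",`. The `/etc/cgrules.conf` entry has no `match` at all, so changing `cgrules` appends a new rule and leaves the old one in the file. Where the stale rule still matches, the process may keep being classified under the old mapping, so that `file_line` needs a `match` as well, or the file should be managed as a whole. `$limits` and `$cgrules` are written verbatim into root-owned files, which is worth stating in the parameter docs so that the define is only fed values from trusted manifests.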
diff --git a/puppet/modules/cgroup/manifests/init.pp
b/puppet/modules/cgroup/manifests/init.pp
new file mode 100644
index 0000000..5ca4aa3
--- /dev/null
+++ b/puppet/modules/cgroup/manifests/init.pp
@@ -0,0 +1,48 @@
+# == Class: cgroup
+#
+# This Puppet class provides the dependencies for cgroup management
+#
+class cgroup {
+ require_package('cgroup-bin')
+
+ file { '/etc/init/cgrulesengd.conf':
+ ensure => present,
+ source => 'puppet:///modules/cgroup/cgrulesengd.conf',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+
+ # The reason we need the daemon is that upstart won't work with cgexec.
+ # As a result, if we want to put a service started via upstart into a
+ # cgroup, we need cgrulesengd to be running and set the service's process
+ # to a cgroup by system user/group
+
+ service { 'cgrulesengd':
+ ensure => running,
+ enable => true,
+ provider => 'upstart',
+ require => Package['cgroup-bin'],
+ subscribe => File['/etc/init/cgrulesengd.conf']
+ }
+
+ exec { 'cgconfigparser':
+ command => 'cgconfigparser -l /etc/cgconfig.conf',
+ refreshonly => true,
+ require => Package['cgroup-bin'],
+ }
+
+ file { '/etc/cgconfig.conf':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+
+ file { '/etc/cgrules.conf':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+}
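Review bot: The `cgconfigparser` exec runs as root with an unqualified command and no `path`, so it depends on whatever search path the global `Exec` defaults supply, which are not visible in this hunk. Pinning the binary removes that dependency, for example `command => '/usr/sbin/cgconfigparser -l /etc/cgconfig.conf',`, after confirming the install location that `cgroup-bin` uses. Separately, the exec is `refreshonly`, so the limits are loaded only when a `file_line` changes. Unless the package's own init job parses `/etc/cgconfig.conf` at boot, the cgroup and its memory limit would be missing after a reboot while `cgrulesengd` still starts. That should be confirmed, and a comment on the exec should record the answer.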
diff --git a/puppet/modules/thumbor/manifests/init.pp
b/puppet/modules/thumbor/manifests/init.pp
index d1fb138..5118c71 100644
--- a/puppet/modules/thumbor/manifests/init.pp
+++ b/puppet/modules/thumbor/manifests/init.pp
@@ -42,10 +42,22 @@
# not used here by default because of
https://github.com/thumbor/opencv-engine/issues/16
require_package('python-opencv')
+ # For GIF engine
require_package('gifsicle')
$statsd_host = 'localhost'
$statsd_prefix = 'Thumbor'
+
+ group { 'thumbor':
+ ensure => present,
+ }
+
+ user { 'thumbor':
+ ensure => present,
+ home => '/var/run/thumbor',
+ gid => 'thumbor',
+ require => Group['thumbor'],
+ }
virtualenv::environment { $deploy_dir:
ensure => present,
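Review bot: The new `thumbor` user is declared as an ordinary account, with no `system` or `shell` attribute, so it gets a UID from the regular user range and whatever default login shell the platform assigns. For an account that exists only to run the daemon, add `system => true,` and `shell => '/usr/sbin/nologin',` to the `user` resource. The `home` value `/var/run/thumbor` is not created by any resource in this hunk, and `/var/run` is usually cleared at boot, so either manage the directory or add a comment saying that the path is deliberately a placeholder.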
@@ -86,10 +98,16 @@
file { $cfg_file:
ensure => present,
- group => 'www-data',
+ group => 'thumbor',
content => template('thumbor/thumbor.conf.erb'),
mode => '0640',
subscribe => File[$sentry_dsn_file],
+ require => User['thumbor'],
+ }
+
+ cgroup::config { 'thumbor':
+ limits => 'memory { memory.limit_in_bytes = "104857600"; }', # 100MB
+ cgrules => '@thumbor memory thumbor',
}
file { '/etc/init/thumbor.conf':
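Review bot: The memory cap in `cgroup::config { 'thumbor': ... }` is a hard-coded string, which makes it awkward to tune per environment. A class parameter interpolated into `limits`, for example `$memory_limit = '104857600'`, would keep the 100MB default while allowing an override. Only `memory.limit_in_bytes` is set, so on hosts where swap accounting is enabled a runaway process can presumably still grow into swap. If the aim is to contain memory exhaustion from image processing, consider setting `memory.memsw.limit_in_bytes` as well. The rule `@thumbor memory thumbor` classifies by group, so any process running with that group falls under the same limit, which deserves a short comment next to the rule.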
@@ -102,8 +120,14 @@
ensure => running,
enable => true,
provider => 'upstart',
- require => Virtualenv::Environment[$deploy_dir],
- subscribe => File["${deploy_dir}/tinyrgb.icc", $cfg_file,
'/etc/init/thumbor.conf'],
+ require => [
+ Virtualenv::Environment[$deploy_dir],
+ User['thumbor'],
+ ],
+ subscribe => [
+ File["${deploy_dir}/tinyrgb.icc", $cfg_file,
'/etc/init/thumbor.conf'],
+ Cgroup::Config['thumbor'],
+ ],
}
varnish::backend { 'thumbor':
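Review bot: The new `require` list on the thumbor service does not order it after `Service['cgrulesengd']`. The service now subscribes to `Cgroup::Config['thumbor']`, but the define only pulls in `::cgroup` through `include`, which does not contain the class, so this hunk never orders thumbor after the daemon. On a first run thumbor could therefore start before the rules daemon is up, and whether it is then placed in the cgroup depends on the daemon classifying already-running processes. Adding `Service['cgrulesengd'],` to the `require` list makes the ordering explicit. The service resource begins above this hunk, so its title and other attributes are not visible here.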
diff --git a/puppet/modules/thumbor/templates/upstart.erb
b/puppet/modules/thumbor/templates/upstart.erb
index b8b5996..4b7260d 100644
--- a/puppet/modules/thumbor/templates/upstart.erb
+++ b/puppet/modules/thumbor/templates/upstart.erb
@@ -7,7 +7,9 @@
start on mediawiki-ready
respawn
-setuid www-data
-setgid www-data
+setuid thumbor
+setgid thumbor
+# Wrapping this with cgexec fails silently, which is why we rely on cgrulesengd
+# to put the thumbor process into a cgroup
exec <%= @deploy_dir %>/bin/thumbor -c <%= @cfg_file %> -a tc_core.app.App
\ No newline at end of file
--
To view, visit https://gerrit.wikimedia.org/r/258028
Gerrit-MessageType: merged
Gerrit-Change-Id: I8d2438bf788495ecb27b188fc0915532634d2f6f
Gerrit-PatchSet: 9
Gerrit-Project: mediawiki/vagrant
Gerrit-Branch: master
Gerrit-Owner: Gilles <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Dduvall <[email protected]>
Gerrit-Reviewer: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Gilles <[email protected]>
Gerrit-Reviewer: Mobrovac <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: jenkins-bot <>