Filippo Giunchedi has submitted this change and it was merged.

Change subject: Make thumbor use a temp folder controlled by systemd-tmpfiles 
instead of /tmp
......................................................................


Make thumbor use a temp folder controlled by systemd-tmpfiles instead of /tmp

Refs T146143
This lets the manhole socket and the temporary files be accessed without being root.
It also adds a cron job that cleans up old temp files with `systemd-tmpfiles --clean`.

Change-Id: Idaa146818ec4d41b38ef0315e9d32facaf31ac0e
---
M modules/thumbor/manifests/init.pp
M modules/thumbor/manifests/instance.pp
M modules/thumbor/templates/initscripts/thum...@.systemd.erb
A modules/thumbor/templates/thumbor.tmpfiles.d.erb
4 files changed, 34 insertions(+), 2 deletions(-)

Approvals:
  Filippo Giunchedi: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/thumbor/manifests/init.pp 
b/modules/thumbor/manifests/init.pp
index 14b2fc2..7c1fedb 100644
--- a/modules/thumbor/manifests/init.pp
+++ b/modules/thumbor/manifests/init.pp
@@ -46,6 +46,13 @@
         mode   => '0755',
     }
 
+    file { ['/srv/thumbor', '/srv/thumbor/tmp']:
+        ensure => directory,
+        mode   => '0755',
+        owner  => 'thumbor',
+        group  => 'thumbor',
+    }
+
     file { '/usr/local/lib/thumbor/tinyrgb.icc':
         ensure => present,
         source => 'puppet:///modules/thumbor/tinyrgb.icc',
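Review bot: `/srv/thumbor/tmp` at lines 39–44 is created with `mode => '0755'`, so every local user can list the whole temp tree, while the commit message only asks for access "without being root"; `mode => '0750'` plus a `group` that the intended non-root users belong to gives that access without exposing every instance's working files to all users. Files created through mkstemp-style calls are typically 0600, but the directory listing and anything written with a looser mode are unprotected once the directory is world-readable. The `thumbor` owner/group is only autorequired if a `user`/`group` resource manages it somewhere else in the module, which this hunk does not show.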
@@ -116,4 +123,14 @@
     grub::bootparam { 'swapaccount':
         value => '1',
     }
+
+    cron { 'systemd-thumbor-tmpfiles-clean':
+        minute   => '*',
+        hour     => '*',
+        monthday => '*',
+        month    => '*',
+        weekday  => '*',
+        command  => '/bin/systemd-tmpfiles --clean --prefix=/srv/thumbor/tmp',
+        user     => 'thumbor',
+    }
 }
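Review bot: The cron at lines 54–62 runs `systemd-tmpfiles --clean --prefix=/srv/thumbor/tmp` every minute as `thumbor`, which correctly limits deletions to files that user owns, but the entry is declared in `init.pp` and so runs on every host with the class whether or not an instance exists, and any stderr from a minutely run is mailed by cron; a `systemd` timer unit, or at least a `require` on `File['/srv/thumbor/tmp']`, would be the idiomatic shape on a systemd host. Note that a tmpfiles.d entry under `/usr/lib/tmpfiles.d` is also picked up by the distribution's daily `systemd-tmpfiles-clean.timer` running as root, so this cron only changes the cadence, not who cleans. A one-line `# minutely clean-up of per-instance TMPDIRs; age is set in the tmpfiles.d template` comment above the resource would make that intent clear. This hunk ends the enclosing class, whose opening is outside the diff.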
diff --git a/modules/thumbor/manifests/instance.pp 
b/modules/thumbor/manifests/instance.pp
index 85ceafb..0fb82a9 100644
--- a/modules/thumbor/manifests/instance.pp
+++ b/modules/thumbor/manifests/instance.pp
@@ -23,11 +23,24 @@
         require => File[$template_service_path],
     }
 
+    file { "/usr/lib/tmpfiles.d/thumbor@${port}.conf":
+        content => template('thumbor/thumbor.tmpfiles.d.erb'),
+    }
+
+    exec { "create-tmp-folder-${port}":
+        command => '/bin/systemd-tmpfiles --create --prefix=/srv/thumbor/tmp',
+        creates => "/srv/thumbor/tmp/thumbor@${port}",
+        before  => Service["thumbor@${port}"],
+    }
+
     service { "thumbor@${port}":
         ensure   => running,
         provider => 'systemd',
         enable   => true,
-        require  => File[$instance_service_path],
+        require  => File[
+            $instance_service_path,
+            "/srv/thumbor/tmp/thumbor@${port}"
+        ],
     }
 
     nrpe::monitor_systemd_unit_state{ "thumbor@${port}":
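Review bot: The `require` at lines 88–91 references `File["/srv/thumbor/tmp/thumbor@${port}"]`, but no such `file` resource is declared in this change — that directory is produced by the `exec` on line 77 — so unless it is declared elsewhere the catalog compile will fail on a missing dependency; since the exec already carries `before => Service["thumbor@${port}"]`, the original `require => File[$instance_service_path]` is all the service needs. The exec itself has no ordering against the tmpfiles.d config it consumes, so on a first run Puppet may execute `systemd-tmpfiles --create` before `thumbor@${port}.conf` is written, the `creates` path never appears, and the service may start before its TMPDIR exists; add `require => File["/usr/lib/tmpfiles.d/thumbor@${port}.conf"]` to the exec. Also, `/usr/lib/tmpfiles.d` is the vendor directory and locally managed entries belong in `/etc/tmpfiles.d`, and the `file` resource at line 73 should pin `owner`, `group` and `mode` (e.g. `mode => '0444'`) rather than inherit the agent's umask.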
diff --git a/modules/thumbor/templates/initscripts/thum...@.systemd.erb 
b/modules/thumbor/templates/initscripts/thum...@.systemd.erb
index 2ac2046..28604c3 100644
--- a/modules/thumbor/templates/initscripts/thum...@.systemd.erb
+++ b/modules/thumbor/templates/initscripts/thum...@.systemd.erb
@@ -1,10 +1,11 @@
 [Unit]
 Description=Thumbor image manipulation service (instance %i)
 PartOf=thumbor-instances.service
+After=systemd-tmpfiles-setup.service
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/firejail --profile=/etc/firejail/thumbor.profile -- 
/usr/bin/thumbor --port %i --ip 127.0.0.1 --keyfile /etc/thumbor.key --conf 
/etc/thumbor.d/
+ExecStart=/usr/bin/firejail --profile=/etc/firejail/thumbor.profile 
--env=TMPDIR=/srv/thumbor/tmp/thumbor@%i -- /usr/bin/thumbor --port %i --ip 
127.0.0.1 --keyfile /etc/thumbor.key --conf /etc/thumbor.d/
 User=thumbor
 PrivateTmp=yes
 Restart=on-failure
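Review bot: The new `--env=TMPDIR=/srv/thumbor/tmp/thumbor@%i` on lines 111–113 only takes effect if that path is writable inside the firejail sandbox; thumbor is a Python service and Python's `tempfile` silently falls back to `/tmp` when `$TMPDIR` is missing or not writable, so a profile that does not allow writes under `/srv/thumbor/tmp` would defeat this change without any error and leave the files in the PrivateTmp namespace where they were before. Please confirm `/etc/firejail/thumbor.profile` permits that path, and record the dependency in the unit with `# TMPDIR must be writable inside the firejail profile; Python tempfile falls back to /tmp otherwise`. Keeping `PrivateTmp=yes` is right, but it no longer isolates the working files, whose confidentiality now rests entirely on the directory modes set by the tmpfiles.d entry. `After=systemd-tmpfiles-setup.service` is ordering only; if the directory is absent the unit still starts and falls back, so `ConditionPathIsDirectory=/srv/thumbor/tmp/thumbor@%i` would make that state visible in the unit status rather than silent.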
diff --git a/modules/thumbor/templates/thumbor.tmpfiles.d.erb 
b/modules/thumbor/templates/thumbor.tmpfiles.d.erb
new file mode 100644
index 0000000..ece73e0
--- /dev/null
+++ b/modules/thumbor/templates/thumbor.tmpfiles.d.erb
@@ -0,0 +1 @@
+d /srv/thumbor/tmp/thumbor@<%= @port %> 0755 thumbor thumbor 10m
\ No newline at end of file
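Review bot: The per-instance directory on line 124 is created `0755`, so every local user can read the directory of rendering temp files; `0750` with a group for the intended operators matches the stated goal of non-root access without making the files public. The trailing `10m` age applies to the directory's contents and is measured against the newest of atime/mtime/ctime, so a manhole socket placed here is a deletion candidate after ten idle minutes — I believe systemd-tmpfiles spares unix sockets it finds in `/proc/net/unix`, but if the firejail profile gives thumbor its own network namespace that listing may not include the sandboxed socket, so either verify the socket survives an idle cleanup or add an `x /srv/thumbor/tmp/thumbor@<%= @port %>/<socket-name>` exclusion line. The template also lacks a trailing newline, which systemd-tmpfiles tolerates but which makes later appends and diffs noisier.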

To view, visit https://gerrit.wikimedia.org/r/315062

Gerrit-MessageType: merged
Gerrit-Change-Id: Idaa146818ec4d41b38ef0315e9d32facaf31ac0e
Gerrit-PatchSet: 8
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Gilles <gdu...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Gilles <gdu...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
