Jcrespo has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/392674 )
Change subject: proxysql: Enable systemd support so it starts as non-root ...................................................................... proxysql: Enable systemd support so it starts as non-root There is no good support of systemd by proxysql, we are creating one based on the suggestions at https://github.com/sysown/proxysql/issues/425 Opting to try a non-init.d wrapper. If it doesn't work, we should fallback to it. Other changes include creating a dedicated proxysql user and group and modifying puppet accordingly. This would reduce security issues. Bug: T175672 Change-Id: I7734c7f8bdba0d86d74df751c9e2b25b17eca5e8 --- M modules/profile/manifests/proxysql.pp A modules/profile/templates/initscripts/proxysql.systemd.erb M modules/proxysql/manifests/init.pp 3 files changed, 39 insertions(+), 7 deletions(-) Approvals: jenkins-bot: Verified Jcrespo: Looks good to me, approved diff --git a/modules/profile/manifests/proxysql.pp b/modules/profile/manifests/proxysql.pp index ee61c82..61e0f59 100644 --- a/modules/profile/manifests/proxysql.pp +++ b/modules/profile/manifests/proxysql.pp 
@@ -22,17 +22,27 @@ # notrack => true, #} + # we need to setup the service, as by default there is only an init.d script + # that start as root. We will not start it by default, but will have monitoring + # to check it is running. We can change that in the future. + systemd::unit { 'proxysql': + ensure => present, + content => systemd_template('proxysql'), + require => Class['proxysql'], + } + file {'/run/proxysql': ensure => directory, - owner => 'root', - group => 'root', + owner => 'proxysql', + group => 'proxysql', mode => '0755', require => Class['proxysql'], } + # I think with systemd there should be only 1 process running ? nrpe::monitor_service { 'proxysql': description => 'proxysql processes', - nrpe_command => '/usr/lib/nagios/plugins/check_procs -c 2:2 -C proxysql', + nrpe_command => '/usr/lib/nagios/plugins/check_procs -c 1:1 -C proxysql', critical => false, contact_group => 'admins', # show on icinga/irc only } diff --git a/modules/profile/templates/initscripts/proxysql.systemd.erb b/modules/profile/templates/initscripts/proxysql.systemd.erb new file mode 100644 index 0000000..8674450 --- /dev/null +++ b/modules/profile/templates/initscripts/proxysql.systemd.erb @@ -0,0 +1,14 @@ +[Unit] +Description=ProxySQL instance +Documentation=https://github.com/sysown/proxysql/wiki + +[Service] +LimitNOFILE=102400 +LimitCORE=1073741824 +Restart=always +User=proxysql +Group=proxysql +ExecStart=/usr/bin/proxysql -f + +[Install] +WantedBy=multi-user.target diff --git a/modules/proxysql/manifests/init.pp b/modules/proxysql/manifests/init.pp index df6391c..ed53278 100644 --- a/modules/proxysql/manifests/init.pp +++ b/modules/proxysql/manifests/init.pp 
@@ -12,11 +12,19 @@ $mysql_socket = '/tmp/proxysql.sock', ) { - package { [ - 'proxysql', - 'wmf-mariadb101-client', - ]: + # We need to manualy setup users, as the package doesn't do it for us + group { 'proxysql': ensure => present, + system => true, + } + + user { 'proxysql': + ensure => present, + gid => 'proxysql', + shell => '/bin/false', + home => '/nonexistent', + system => true, + managehome => false, } file { '/etc/proxysql.cnf': -- To view, visit https://gerrit.wikimedia.org/r/392674 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7734c7f8bdba0d86d74df751c9e2b25b17eca5e8 Gerrit-PatchSet: 5 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Jcrespo <jcre...@wikimedia.org> Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: Jcrespo <jcre...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
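Review bot: in the modules/profile/manifests/proxysql.pp hunk, the change from `check_procs -c 2:2` to `-c 1:1` rests only on the comment `# I think with systemd there should be only 1 process running ?`; whether `/usr/bin/proxysql -f` under the new unit leaves exactly one process or a supervising parent plus a child is what the check depends on, so confirm it with the unit actually running and replace the question in the comment with what was observed, otherwise the check goes red as soon as the service is up. `critical => false` keeps a wrong range from paging, but a permanently failing check is still noise. Also note that `file {'/run/proxysql': ...}` lives on tmpfs, so after a reboot the directory only reappears on the next puppet run, and a service started before that will not find it.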
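Review bot: the new modules/profile/templates/initscripts/proxysql.systemd.erb unit does not create the directory the puppet side manages as `/run/proxysql`; `RuntimeDirectory=proxysql` (with `RuntimeDirectoryMode=0755`) would have systemd create it owned by `User=proxysql` on every start, which is the more robust place for a tmpfs directory than a puppet `file` resource. Since the point of the change is running unprivileged, `NoNewPrivileges=true` and `ProtectSystem=full` also fit here; do not add `PrivateTmp=true` while `$mysql_socket` defaults to `/tmp/proxysql.sock`, because clients would then no longer see the socket. `Restart=always` with no `RestartSec=` will restart in a tight loop on a persistent configuration error; a small `RestartSec=` value avoids that.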
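Review bot: in the modules/proxysql/manifests/init.pp hunk the `package { [ 'proxysql', 'wmf-mariadb101-client', ]:` resource is deleted and no replacement package resource appears anywhere in the diff, so after this change nothing in the module installs proxysql or the client; if it was moved further down the file it should be in the hunk, and it should then carry `require => User['proxysql']` so the account the unit runs as exists before the package is installed and `/run/proxysql` is chowned. The `group` and `user` resources themselves look right (`system => true`, `shell => '/bin/false'`, `managehome => false`); `manualy` in the comment should read `manually`.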