]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/planet/recipes/replication.rb
projects / chef.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Switch birthday20 to a static container
[chef.git] / cookbooks / planet / recipes / replication.rb
diff --git a/cookbooks/planet/recipes/replication.rb b/cookbooks/planet/recipes/replication.rb
index 629186fe2ee905eb634a19d6f97c684e4e4968a6..d719d11ae519c33800a36865f501f8f8c61ced1c 100644 (file)
--- a/cookbooks/planet/recipes/replication.rb
+++ b/cookbooks/planet/recipes/replication.rb
@@ -22,6 +22,9 @@ require "yaml"
 include_recipe "accounts"
 include_recipe "apt"
 include_recipe "osmosis"
 include_recipe "accounts"
 include_recipe "apt"
 include_recipe "osmosis"
+include_recipe "planet::aws"
+include_recipe "ruby"
+include_recipe "tools"
 
 db_passwords = data_bag_item("db", "passwords")
 
 
 db_passwords = data_bag_item("db", "passwords")
 
@@ -29,8 +32,6 @@ db_passwords = data_bag_item("db", "passwords")
 
 package %w[
   postgresql-client
 
 package %w[
   postgresql-client
-  ruby
-  ruby-dev
   ruby-libxml
   make
   gcc
   ruby-libxml
   make
   gcc
@@ -39,7 +40,9 @@ package %w[
   osmdbt
 ]
 
   osmdbt
 ]
 
-gem_package "pg"
+gem_package "pg" do
+  gem_binary node[:ruby][:gem]
+end
 
 ## Build preload library to flush files
 
 
 ## Build preload library to flush files
 
@@ -159,12 +162,9 @@ systemd_service "users-agreed" do
   description "Update list of users accepting CTs"
   user "planet"
   exec_start "/usr/local/bin/users-agreed"
   description "Update list of users accepting CTs"
   user "planet"
   exec_start "/usr/local/bin/users-agreed"
-  private_tmp true
-  private_devices true
-  protect_system "full"
-  protect_home true
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
+  nice 10
+  sandbox :enable_network => true
+  read_write_paths "/store/planet/users_agreed"
 end
 
 systemd_timer "users-agreed" do
 end
 
 systemd_timer "users-agreed" do
@@ -176,12 +176,9 @@ systemd_service "users-deleted" do
   description "Update list of deleted users"
   user "planet"
   exec_start "/usr/local/bin/users-deleted"
   description "Update list of deleted users"
   user "planet"
   exec_start "/usr/local/bin/users-deleted"
-  private_tmp true
-  private_devices true
-  protect_system "full"
-  protect_home true
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
+  nice 10
+  sandbox :enable_network => true
+  read_write_paths "/store/planet/users_deleted"
 end
 
 systemd_timer "users-deleted" do
 end
 
 systemd_timer "users-deleted" do
@@ -209,12 +206,13 @@ systemd_service "replication-changesets" do
   description "Changesets replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
   description "Changesets replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
-  private_tmp true
-  private_devices true
-  protect_system "full"
-  protect_home true
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
+  sandbox :enable_network => true
+  protect_home "tmpfs"
+  bind_paths "/home/planet"
+  read_write_paths [
+    "/run/replication",
+    "/store/planet/replication/changesets"
+  ]
 end
 
 systemd_timer "replication-changesets" do
 end
 
 systemd_timer "replication-changesets" do
@@ -270,12 +268,14 @@ systemd_service "replication-minutely" do
   user "planet"
   working_directory "/etc/replication"
   exec_start "/usr/local/bin/replicate-minute"
   user "planet"
   working_directory "/etc/replication"
   exec_start "/usr/local/bin/replicate-minute"
-  private_tmp true
-  private_devices true
-  protect_system "full"
-  protect_home true
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
+  sandbox :enable_network => true
+  protect_home "tmpfs"
+  bind_paths "/home/planet"
+  read_write_paths [
+    "/run/replication",
+    "/store",
+    "/var/lib/replication/minute"
+  ]
 end
 
 systemd_timer "replication-minutely" do
 end
 
 systemd_timer "replication-minutely" do
@@ -314,17 +314,20 @@ end
 systemd_service "replication-hourly" do
   description "Hourly replication"
   user "planet"
 systemd_service "replication-hourly" do
   description "Hourly replication"
   user "planet"
-  exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
-  private_tmp true
-  private_devices true
-  protect_system "full"
-  protect_home true
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
+  exec_start "/usr/local/bin/replicate-hour"
+  environment "LD_PRELOAD" => "/opt/flush/flush.so"
+  sandbox :enable_network => true
+  memory_deny_write_execute false
+  protect_home "tmpfs"
+  bind_paths "/home/planet"
+  read_write_paths [
+    "/store/planet/replication/hour",
+    "/var/lib/replication/hour"
+  ]
 end
 
 systemd_timer "replication-hourly" do
 end
 
 systemd_timer "replication-hourly" do
-  description "Daily replication"
+  description "Hourly replication"
   on_calendar "*-*-* *:02/15:00"
 end
 
   on_calendar "*-*-* *:02/15:00"
 end
 
@@ -357,13 +360,16 @@ end
 systemd_service "replication-daily" do
   description "Daily replication"
   user "planet"
 systemd_service "replication-daily" do
   description "Daily replication"
   user "planet"
-  exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
-  private_tmp true
-  private_devices true
-  protect_system "full"
-  protect_home true
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
+  exec_start "/usr/local/bin/replicate-day"
+  environment "LD_PRELOAD" => "/opt/flush/flush.so"
+  sandbox :enable_network => true
+  memory_deny_write_execute false
+  protect_home "tmpfs"
+  bind_paths "/home/planet"
+  read_write_paths [
+    "/store/planet/replication/day",
+    "/var/lib/replication/day"
+  ]
 end
 
 systemd_timer "replication-daily" do
 end
 
 systemd_timer "replication-daily" do
@@ -377,12 +383,8 @@ systemd_service "replication-cleanup" do
   description "Cleanup replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-cleanup"
   description "Cleanup replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-cleanup"
-  private_tmp true
-  private_devices true
-  private_network true
-  protect_system "full"
-  protect_home true
-  no_new_privileges true
+  sandbox true
+  read_write_paths "/var/lib/replication"
 end
 
 systemd_timer "replication-cleanup" do
 end
 
 systemd_timer "replication-cleanup" do
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.