]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/planet/recipes/replication.rb
Improve filesystem sandboxing for planet replication services
[chef.git] / cookbooks / planet / recipes / replication.rb
index 165b9282a51bd2f4ae137bf0ede80b9bb8fbb399..e09bbcbe6c54222aebb2bfaf708f03e8c49365af 100644 (file)
 require "yaml"
 
 include_recipe "accounts"
+include_recipe "apt"
 include_recipe "osmosis"
+include_recipe "ruby"
+include_recipe "tools"
 
 db_passwords = data_bag_item("db", "passwords")
 
+## Install required packages
+
 package %w[
   postgresql-client
-  ruby
-  ruby-dev
   ruby-libxml
   make
   gcc
+  libc6-dev
   libpq-dev
   osmdbt
 ]
 
-gem_package "pg"
+gem_package "pg" do
+  gem_binary node[:ruby][:gem]
+end
+
+## Build preload library to flush files
 
 remote_directory "/opt/flush" do
   source "flush"
@@ -56,6 +64,8 @@ execute "/opt/flush/Makefile" do
   subscribes :run, "remote_directory[/opt/flush]"
 end
 
+## Install scripts
+
 remote_directory "/usr/local/bin" do
   source "replication-bin"
   owner "root"
@@ -66,13 +76,6 @@ remote_directory "/usr/local/bin" do
   files_mode "755"
 end
 
-template "/usr/local/bin/replicate-minute" do
-  source "replicate-minute.erb"
-  owner "root"
-  group "root"
-  mode "755"
-end
-
 template "/usr/local/bin/users-agreed" do
   source "users-agreed.erb"
   owner "root"
@@ -87,6 +90,8 @@ template "/usr/local/bin/users-deleted" do
   mode "755"
 end
 
+## Published deleted users directory
+
 remote_directory "/store/planet/users_deleted" do
   source "users_deleted"
   owner "planet"
@@ -97,6 +102,8 @@ remote_directory "/store/planet/users_deleted" do
   files_mode "644"
 end
 
+## Published replication directory
+
 remote_directory "/store/planet/replication" do
   source "replication-cgi"
   owner "root"
@@ -107,103 +114,144 @@ remote_directory "/store/planet/replication" do
   files_mode "755"
 end
 
-directory "/store/planet/replication/changesets" do
-  owner "planet"
-  group "planet"
+## Configuration directory
+
+directory "/etc/replication" do
+  owner "root"
+  group "root"
   mode "755"
 end
 
-directory "/store/planet/replication/day" do
+## Transient state directory
+
+systemd_tmpfile "/run/replication" do
+  type "d"
   owner "planet"
   group "planet"
   mode "755"
 end
 
-directory "/store/planet/replication/hour" do
+## Persistent state directory
+
+directory "/var/lib/replication" do
   owner "planet"
   group "planet"
   mode "755"
 end
 
-directory "/store/planet/replication/minute" do
+## Temporary directory
+
+directory "/store/replication" do
   owner "planet"
   group "planet"
   mode "755"
 end
 
-directory "/store/planet/replication/test" do
-  owner "planet"
+## Users replication
+
+template "/etc/replication/users-agreed.conf" do
+  source "users-agreed.conf.erb"
+  user "planet"
   group "planet"
-  mode "755"
+  mode "600"
+  variables :password => db_passwords["planetdiff"]
 end
 
-directory "/store/planet/replication/test/day" do
-  owner "planet"
-  group "planet"
-  mode "755"
+systemd_service "users-agreed" do
+  description "Update list of users accepting CTs"
+  user "planet"
+  exec_start "/usr/local/bin/users-agreed"
+  nice 10
+  private_tmp true
+  private_devices true
+  protect_system "strict"
+  protect_home true
+  read_write_paths "/store/planet/users_agreed"
+  restrict_address_families %w[AF_INET AF_INET6]
+  no_new_privileges true
 end
 
-directory "/store/planet/replication/test/hour" do
-  owner "planet"
-  group "planet"
-  mode "755"
+systemd_timer "users-agreed" do
+  description "Update list of users accepting CTs"
+  on_calendar "7:00"
 end
 
-directory "/store/planet/replication/test/minute" do
-  owner "planet"
-  group "planet"
-  mode "755"
+systemd_service "users-deleted" do
+  description "Update list of deleted users"
+  user "planet"
+  exec_start "/usr/local/bin/users-deleted"
+  nice 10
+  private_tmp true
+  private_devices true
+  protect_system "strict"
+  protect_home true
+  read_write_paths "/store/planet/users_deleted"
+  restrict_address_families %w[AF_INET AF_INET6]
+  no_new_privileges true
 end
 
-directory "/store/replication" do
-  owner "planet"
-  group "planet"
-  mode "755"
+systemd_timer "users-deleted" do
+  description "Update list of deleted users"
+  on_calendar "17:00"
 end
 
-directory "/store/replication/minute" do
+## Changeset replication
+
+directory "/store/planet/replication/changesets" do
   owner "planet"
   group "planet"
   mode "755"
 end
 
-systemd_tmpfile "/run/replication" do
-  type "d"
-  owner "planet"
+template "/etc/replication/changesets.conf" do
+  source "changesets.conf.erb"
+  user "root"
   group "planet"
-  mode "755"
+  mode "640"
+  variables :password => db_passwords["planetdiff"]
 end
 
-directory "/etc/replication" do
-  owner "root"
-  group "root"
-  mode "755"
+systemd_service "replication-changesets" do
+  description "Changesets replication"
+  user "planet"
+  exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
+  private_tmp true
+  private_devices true
+  protect_system "strict"
+  protect_home true
+  read_write_paths [
+    "/run/replication",
+    "/store/planet/replication/changesets"
+  ]
+  restrict_address_families %w[AF_INET AF_INET6]
+  no_new_privileges true
 end
 
-directory "/var/run/lock/changeset-replication/" do
-  owner "planet"
-  group "planet"
-  mode "750"
+systemd_timer "replication-changesets" do
+  description "Changesets replication"
+  on_boot_sec 60
+  on_unit_active_sec 60
+  accuracy_sec 5
 end
 
-directory "/var/lib/replication" do
+## Minutely replication
+
+directory "/store/planet/replication/minute" do
   owner "planet"
   group "planet"
   mode "755"
 end
 
-directory "/var/lib/replication/test" do
+directory "/var/lib/replication/minute" do
   owner "planet"
   group "planet"
   mode "755"
 end
 
-template "/etc/replication/auth.conf" do
-  source "replication.auth.erb"
-  user "root"
+directory "/store/replication/minute" do
+  owner "planet"
   group "planet"
-  mode "640"
-  variables :password => db_passwords["planetdiff"]
+  mode "755"
 end
 
 osmdbt_config = {
@@ -215,7 +263,7 @@ osmdbt_config = {
     "replication_slot" => "osmdbt"
   },
   "log_dir" => "/var/lib/replication/minute",
-  "changes_dir" => "/store/planet/replication/test/minute",
+  "changes_dir" => "/store/planet/replication/minute",
   "tmp_dir" => "/store/replication/minute",
   "run_dir" => "/run/replication"
 }
@@ -234,8 +282,14 @@ systemd_service "replication-minutely" do
   exec_start "/usr/local/bin/replicate-minute"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/run/replication",
+    "/store/replication/minute",
+    "/store/planet/replication/minute",
+    "/var/lib/replication/minute"
+  ]
   restrict_address_families %w[AF_INET AF_INET6]
   no_new_privileges true
 end
@@ -247,32 +301,45 @@ systemd_timer "replication-minutely" do
   accuracy_sec 5
 end
 
-directory "/var/lib/replication/test/hour" do
+## Hourly replication
+
+directory "/store/planet/replication/hour" do
   owner "planet"
   group "planet"
   mode "755"
 end
 
-template "/var/lib/replication/test/hour/configuration.txt" do
-  source "replication.config.erb"
+directory "/var/lib/replication/hour" do
   owner "planet"
   group "planet"
-  mode "644"
-  variables :base => "test/minute", :interval => 3600
+  mode "755"
+end
+
+link "/var/lib/replication/hour/data" do
+  to "/store/planet/replication/hour"
 end
 
-link "/var/lib/replication/test/hour/data" do
-  to "/store/planet/replication/test/hour"
+template "/var/lib/replication/hour/configuration.txt" do
+  source "replication.config.erb"
+  owner "planet"
+  group "planet"
+  mode "644"
+  variables :base => "minute", :interval => 3600
 end
 
 systemd_service "replication-hourly" do
   description "Hourly replication"
   user "planet"
-  exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/test/hour"
+  exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
+  environment "LD_PRELOAD" => "/opt/flush/flush.so"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/store/planet/replication/hour",
+    "/var/lib/replication/hour"
+  ]
   restrict_address_families %w[AF_INET AF_INET6]
   no_new_privileges true
 end
@@ -282,32 +349,45 @@ systemd_timer "replication-hourly" do
   on_calendar "*-*-* *:02/15:00"
 end
 
-directory "/var/lib/replication/test/day" do
+## Daily replication
+
+directory "/store/planet/replication/day" do
   owner "planet"
   group "planet"
   mode "755"
 end
 
-template "/var/lib/replication/test/day/configuration.txt" do
-  source "replication.config.erb"
+directory "/var/lib/replication/day" do
   owner "planet"
   group "planet"
-  mode "644"
-  variables :base => "test/hour", :interval => 86400
+  mode "755"
 end
 
-link "/var/lib/replication/test/day/data" do
-  to "/store/planet/replication/test/day"
+link "/var/lib/replication/day/data" do
+  to "/store/planet/replication/day"
+end
+
+template "/var/lib/replication/day/configuration.txt" do
+  source "replication.config.erb"
+  owner "planet"
+  group "planet"
+  mode "644"
+  variables :base => "hour", :interval => 86400
 end
 
 systemd_service "replication-daily" do
   description "Daily replication"
   user "planet"
-  exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/test/day"
+  exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
+  environment "LD_PRELOAD" => "/opt/flush/flush.so"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/store/planet/replication/day",
+    "/var/lib/replication/day"
+  ]
   restrict_address_families %w[AF_INET AF_INET6]
   no_new_privileges true
 end
@@ -317,85 +397,41 @@ systemd_timer "replication-daily" do
   on_calendar "*-*-* *:02/15:00"
 end
 
-template "/etc/replication/changesets.conf" do
-  source "changesets.conf.erb"
-  user "root"
-  group "planet"
-  mode "640"
-  variables :password => db_passwords["planetdiff"]
-end
+## Replication cleanup
 
-template "/etc/replication/users-agreed.conf" do
-  source "users-agreed.conf.erb"
+systemd_service "replication-cleanup" do
+  description "Cleanup replication"
   user "planet"
-  group "planet"
-  mode "600"
-  variables :password => db_passwords["planetdiff"]
-end
-
-directory "/var/lib/replication/minute" do
-  owner "planet"
-  group "planet"
-  mode "755"
-end
-
-directory "/var/lib/replication/hour" do
-  owner "planet"
-  group "planet"
-  mode "755"
-end
-
-template "/var/lib/replication/hour/configuration.txt" do
-  source "replication.config.erb"
-  owner "planet"
-  group "planet"
-  mode "644"
-  variables :base => "minute", :interval => 3600
-end
-
-link "/var/lib/replication/hour/data" do
-  to "/store/planet/replication/hour"
-end
-
-directory "/var/lib/replication/day" do
-  owner "planet"
-  group "planet"
-  mode "755"
+  exec_start "/usr/local/bin/replicate-cleanup"
+  private_tmp true
+  private_devices true
+  private_network true
+  protect_system "strict"
+  protect_home true
+  read_write_paths "/var/lib/replication"
+  no_new_privileges true
 end
 
-template "/var/lib/replication/day/configuration.txt" do
-  source "replication.config.erb"
-  owner "planet"
-  group "planet"
-  mode "644"
-  variables :base => "hour", :interval => 86400
+systemd_timer "replication-cleanup" do
+  description "Cleanup replication"
+  on_boot_sec 60
+  on_unit_active_sec 86400
+  accuracy_sec 1800
 end
 
-link "/var/lib/replication/day/data" do
-  to "/store/planet/replication/day"
-end
+## Enable/disable feeds
 
 if node[:planet][:replication] == "enabled"
-  cron_d "users-agreed" do
-    minute "0"
-    hour "7"
-    user "planet"
-    command "/usr/local/bin/users-agreed"
-    mailto "zerebubuth@gmail.com"
+  service "users-agreed.timer" do
+    action [:enable, :start]
   end
 
-  cron_d "users-deleted" do
-    minute "0"
-    hour "17"
-    user "planet"
-    command "/usr/local/bin/users-deleted"
-    mailto "zerebubuth@gmail.com"
+  service "users-deleted.timer" do
+    action [:enable, :start]
   end
 
-  cron_d "replication-changesets" do
-    user "planet"
-    command "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
-    mailto "zerebubuth@gmail.com"
+  service "replication-changesets.timer" do
+    action [:enable, :start]
   end
 
   service "replication-minutely.timer" do
@@ -410,39 +446,20 @@ if node[:planet][:replication] == "enabled"
     action [:enable, :start]
   end
 
-  cron_d "replication-minutely" do
-    user "planet"
-    command "/usr/local/bin/osmosis -q --replicate-apidb authFile=/etc/replication/auth.conf validateSchemaVersion=false --write-replication workingDirectory=/store/planet/replication/minute"
-    mailto "brett@bretth.com"
-    environment "LD_PRELOAD" => "/opt/flush/flush.so"
-  end
-
-  cron_d "replication-hourly" do
-    minute "2,7,12,17"
-    user "planet"
-    command "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
-    mailto "brett@bretth.com"
-    environment "LD_PRELOAD" => "/opt/flush/flush.so"
-  end
-
-  cron_d "replication-daily" do
-    minute "5,10,15,20"
-    user "planet"
-    command "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
-    mailto "brett@bretth.com"
-    environment "LD_PRELOAD" => "/opt/flush/flush.so"
+  service "replication-cleanup.timer" do
+    action [:enable, :start]
   end
 else
-  cron_d "users-agreed" do
-    action :delete
+  service "users-agreed.timer" do
+    action [:stop, :disable]
   end
 
-  cron_d "users-deleted" do
-    action :delete
+  service "users-deleted.timer" do
+    action [:stop, :disable]
   end
 
-  cron_d "replication-changesets" do
-    action :delete
+  service "replication-changesets.timer" do
+    action [:stop, :disable]
   end
 
   service "replication-minutely.timer" do
@@ -457,15 +474,7 @@ else
     action [:stop, :disable]
   end
 
-  cron_d "replication-minutely" do
-    action :delete
-  end
-
-  cron_d "replication-hourly" do
-    action :delete
-  end
-
-  cron_d "replication-daily" do
-    action :delete
+  service "replication-cleanup.timer" do
+    action [:stop, :disable]
   end
 end