]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/planet/recipes/replication.rb
Make sure database backups abort on error
[chef.git] / cookbooks / planet / recipes / replication.rb
index 68868d1921dcb751d4c964e189ad5b58815b39d2..fa9649a3897b19747d68bcadddc38d210e216ea3 100644 (file)
@@ -162,13 +162,8 @@ systemd_service "users-agreed" do
   user "planet"
   exec_start "/usr/local/bin/users-agreed"
   nice 10
   user "planet"
   exec_start "/usr/local/bin/users-agreed"
   nice 10
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths "/store/planet/users_agreed"
   read_write_paths "/store/planet/users_agreed"
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "users-agreed" do
 end
 
 systemd_timer "users-agreed" do
@@ -181,13 +176,8 @@ systemd_service "users-deleted" do
   user "planet"
   exec_start "/usr/local/bin/users-deleted"
   nice 10
   user "planet"
   exec_start "/usr/local/bin/users-deleted"
   nice 10
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths "/store/planet/users_deleted"
   read_write_paths "/store/planet/users_deleted"
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "users-deleted" do
 end
 
 systemd_timer "users-deleted" do
@@ -215,16 +205,11 @@ systemd_service "replication-changesets" do
   description "Changesets replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
   description "Changesets replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths [
     "/run/replication",
     "/store/planet/replication/changesets"
   ]
   read_write_paths [
     "/run/replication",
     "/store/planet/replication/changesets"
   ]
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "replication-changesets" do
 end
 
 systemd_timer "replication-changesets" do
@@ -280,17 +265,12 @@ systemd_service "replication-minutely" do
   user "planet"
   working_directory "/etc/replication"
   exec_start "/usr/local/bin/replicate-minute"
   user "planet"
   working_directory "/etc/replication"
   exec_start "/usr/local/bin/replicate-minute"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths [
     "/run/replication",
     "/store",
     "/var/lib/replication/minute"
   ]
   read_write_paths [
     "/run/replication",
     "/store",
     "/var/lib/replication/minute"
   ]
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "replication-minutely" do
 end
 
 systemd_timer "replication-minutely" do
@@ -331,16 +311,12 @@ systemd_service "replication-hourly" do
   user "planet"
   exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
   environment "LD_PRELOAD" => "/opt/flush/flush.so"
   user "planet"
   exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
   environment "LD_PRELOAD" => "/opt/flush/flush.so"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
+  memory_deny_write_execute false
   read_write_paths [
     "/store/planet/replication/hour",
     "/var/lib/replication/hour"
   ]
   read_write_paths [
     "/store/planet/replication/hour",
     "/var/lib/replication/hour"
   ]
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "replication-hourly" do
 end
 
 systemd_timer "replication-hourly" do
@@ -379,16 +355,12 @@ systemd_service "replication-daily" do
   user "planet"
   exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
   environment "LD_PRELOAD" => "/opt/flush/flush.so"
   user "planet"
   exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
   environment "LD_PRELOAD" => "/opt/flush/flush.so"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
+  memory_deny_write_execute false
   read_write_paths [
     "/store/planet/replication/day",
     "/var/lib/replication/day"
   ]
   read_write_paths [
     "/store/planet/replication/day",
     "/var/lib/replication/day"
   ]
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "replication-daily" do
 end
 
 systemd_timer "replication-daily" do
@@ -402,13 +374,8 @@ systemd_service "replication-cleanup" do
   description "Cleanup replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-cleanup"
   description "Cleanup replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-cleanup"
-  private_tmp true
-  private_devices true
-  private_network true
-  protect_system "strict"
-  protect_home true
+  sandbox true
   read_write_paths "/var/lib/replication"
   read_write_paths "/var/lib/replication"
-  no_new_privileges true
 end
 
 systemd_timer "replication-cleanup" do
 end
 
 systemd_timer "replication-cleanup" do