X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/f90f3de7232aea6fb8f26c906645d98cf603e565..62476c5af5a5d5289c8ff24ad80898c823ded7f5:/cookbooks/planet/recipes/replication.rb
diff --git a/cookbooks/planet/recipes/replication.rb b/cookbooks/planet/recipes/replication.rb
index 629186fe2..f7552ddf2 100644
--- a/cookbooks/planet/recipes/replication.rb
+++ b/cookbooks/planet/recipes/replication.rb
@@ -22,6 +22,9 @@ require "yaml"
 include_recipe "accounts"
 include_recipe "apt"
 include_recipe "osmosis"
+include_recipe "planet::aws"
+include_recipe "ruby"
+include_recipe "tools"
 
 db_passwords = data_bag_item("db", "passwords")
 
@@ -29,17 +32,21 @@ db_passwords = data_bag_item("db", "passwords")
 
 package %w[
 postgresql-client
- ruby
- ruby-dev
- ruby-libxml
 make
 gcc
 libc6-dev
 libpq-dev
+ libxml2-dev
 osmdbt
 ]
 
-gem_package "pg"
+gem_package "libxml-ruby" do
+ gem_binary node[:ruby][:gem]
+end
+
+gem_package "pg" do
+ gem_binary node[:ruby][:gem]
+end
 
 ## Build preload library to flush files
 
@@ -88,6 +95,13 @@ template "/usr/local/bin/users-deleted" do
 mode "755"
 end
 
+template "/usr/local/bin/replicate-changesets" do
+ source "replicate-changesets.erb"
+ owner "root"
+ group "root"
+ mode "755"
+end
+
 ## Published deleted users directory
 
 remote_directory "/store/planet/users_deleted" do
@@ -159,12 +173,9 @@ systemd_service "users-agreed" do
 description "Update list of users accepting CTs"
 user "planet"
 exec_start "/usr/local/bin/users-agreed"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ nice 10
+ sandbox :enable_network => true
+ read_write_paths "/store/planet/users_agreed"
 end
 
 systemd_timer "users-agreed" do
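Review bot: Neither `gem_package` resource in the package hunk pins a version, so every converge resolves libxml-ruby and pg to whatever rubygems.org currently serves and compiles the native extension on the host with the gcc/make installed a few lines above; a new (or hijacked) upstream release is pulled in silently with no change to this file. Add a `version` property to both resources next to `gem_binary node[:ruby][:gem]` and bump it deliberately, so converges are reproducible and a gem upgrade shows up as a reviewed diff. The package list and both gem resources are top-level statements, so nothing here is cut by the hunk.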
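Review bot: The users-agreed hunk removes six explicit hardening directives (PrivateTmp, PrivateDevices, ProtectSystem=full, ProtectHome, RestrictAddressFamilies, NoNewPrivileges) in favour of `sandbox :enable_network => true`, whose expansion lives in the systemd cookbook and is not visible in this diff; unless that helper sets at least the same directives, the unit is silently less confined than before. `read_write_paths "/store/planet/users_agreed"` only has an effect if the rest of the filesystem is made read-only (ProtectSystem=strict or similar), which suggests it does, but that dependency is worth stating on the resource, e.g. `# sandbox replaces the explicit PrivateTmp/ProtectSystem/NoNewPrivileges set (see systemd cookbook)`. Also confirm that `:enable_network` re-opens only AF_INET/AF_INET6 rather than all address families. The same change is made to users-deleted in the next hunk.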
@@ -176,12 +187,9 @@ systemd_service "users-deleted" do
 description "Update list of deleted users"
 user "planet"
 exec_start "/usr/local/bin/users-deleted"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ nice 10
+ sandbox :enable_network => true
+ read_write_paths "/store/planet/users_deleted"
 end
 
 systemd_timer "users-deleted" do
@@ -209,12 +217,13 @@ systemd_service "replication-changesets" do
 description "Changesets replication"
 user "planet"
 exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ protect_home "tmpfs"
+ bind_paths "/home/planet"
+ read_write_paths [
+ "/run/replication",
+ "/store/planet/replication/changesets"
+ ]
 end
 
 systemd_timer "replication-changesets" do
@@ -270,12 +279,14 @@ systemd_service "replication-minutely" do
 user "planet"
 working_directory "/etc/replication"
 exec_start "/usr/local/bin/replicate-minute"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ protect_home "tmpfs"
+ bind_paths "/home/planet"
+ read_write_paths [
+ "/run/replication",
+ "/store",
+ "/var/lib/replication/minute"
+ ]
 end
 
 systemd_timer "replication-minutely" do
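Review bot: In the replication-changesets hunk, `bind_paths "/home/planet"` mounts the planet user's entire home directory read-write back into a unit that also has network access, which undoes most of what `protect_home "tmpfs"` buys: anything kept under that home (presumably the credentials the newly included planet::aws recipe provisions, though that is not visible here) is readable and writable by this job. If the script needs only specific files, bind just those and prefer a read-only bind (`bind_read_only_paths`, if the systemd_service resource exposes it) so a compromised replication run cannot rewrite its own credentials. The same bind is repeated for the minutely, hourly and daily units.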
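Review bot: The replication-minutely `read_write_paths` list grants write access to all of `/store`, whereas every other unit in this change is scoped to its own `/store/planet/replication/<period>` subtree; a bug or compromise in replicate-minute could then overwrite users_agreed, users_deleted, the changeset stream and the hourly/daily diffs. Unless replicate-minute genuinely writes outside its own tree, narrow it to `"/store/planet/replication/minute",` (inferred by analogy with the hour and day units; confirm against the script), and if it does need more, add a comment naming the extra paths so the broad grant is obviously deliberate.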
@@ -314,17 +325,20 @@ end
 systemd_service "replication-hourly" do
 description "Hourly replication"
 user "planet"
- exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ exec_start "/usr/local/bin/replicate-hour"
+ environment "LD_PRELOAD" => "/opt/flush/flush.so"
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ protect_home "tmpfs"
+ bind_paths "/home/planet"
+ read_write_paths [
+ "/store/planet/replication/hour",
+ "/var/lib/replication/hour"
+ ]
 end
 
 systemd_timer "replication-hourly" do
- description "Daily replication"
+ description "Hourly replication"
 on_calendar "*-*-* *:02/15:00"
 end
 
@@ -357,13 +371,16 @@ end
 systemd_service "replication-daily" do
 description "Daily replication"
 user "planet"
- exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ exec_start "/usr/local/bin/replicate-day"
+ environment "LD_PRELOAD" => "/opt/flush/flush.so"
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ protect_home "tmpfs"
+ bind_paths "/home/planet"
+ read_write_paths [
+ "/store/planet/replication/day",
+ "/var/lib/replication/day"
+ ]
 end
 
 systemd_timer "replication-daily" do
@@ -377,12 +394,8 @@ systemd_service "replication-cleanup" do
 description "Cleanup replication"
 user "planet"
 exec_start "/usr/local/bin/replicate-cleanup"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ read_write_paths "/var/lib/replication"
 end
 
 systemd_timer "replication-cleanup" do
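Review bot: In the replication-hourly hunk, `memory_deny_write_execute false` and the `LD_PRELOAD` of `/opt/flush/flush.so` both loosen the sandbox without a comment saying why; the removed exec_start ran osmosis, a JVM program whose JIT needs writable-executable mappings, which is presumably the reason, but the next person tidying this unit cannot tell that from the file. Add a comment above those two lines, e.g. `# replicate-hour drives osmosis (JVM, needs W+X for the JIT); flush.so is the preload library built earlier in this recipe to flush written files`, and make sure /opt/flush stays root-owned so the planet user cannot swap the library that gets preloaded into every run (the build step is outside this hunk). The same two lines are repeated for replication-daily.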
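Review bot: The replication-cleanup hunk removes an explicit `private_network true` and replaces it with `sandbox true` called without `:enable_network`, so whether the cleanup job stays off the network now depends on the systemd_service resource's default rather than on anything visible in this file. If `sandbox` does not itself imply PrivateNetwork, keep `private_network true` alongside it; either way a comment such as `# no network: cleanup only prunes /var/lib/replication` would record the intent and stop a later change from quietly granting it.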