X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/09fa8bafec35393ab1b5e0ad3aaf7792bcc32a71..23d8f4f4043479c3cbd43239bc2ab2e20dd87eb8:/cookbooks/planet/recipes/replication.rb diff --git a/cookbooks/planet/recipes/replication.rb b/cookbooks/planet/recipes/replication.rb index 629186fe2..e09bbcbe6 100644 --- a/cookbooks/planet/recipes/replication.rb +++ b/cookbooks/planet/recipes/replication.rb @@ -22,6 +22,8 @@ require "yaml" include_recipe "accounts" include_recipe "apt" include_recipe "osmosis" +include_recipe "ruby" +include_recipe "tools" db_passwords = data_bag_item("db", "passwords") @@ -29,8 +31,6 @@ db_passwords = data_bag_item("db", "passwords") package %w[ postgresql-client - ruby - ruby-dev ruby-libxml make gcc @@ -39,7 +39,9 @@ package %w[ osmdbt ] -gem_package "pg" +gem_package "pg" do + gem_binary node[:ruby][:gem] +end ## Build preload library to flush files @@ -159,10 +161,12 @@ systemd_service "users-agreed" do description "Update list of users accepting CTs" user "planet" exec_start "/usr/local/bin/users-agreed" + nice 10 private_tmp true private_devices true - protect_system "full" + protect_system "strict" protect_home true + read_write_paths "/store/planet/users_agreed" restrict_address_families %w[AF_INET AF_INET6] no_new_privileges true end @@ -176,10 +180,12 @@ systemd_service "users-deleted" do description "Update list of deleted users" user "planet" exec_start "/usr/local/bin/users-deleted" + nice 10 private_tmp true private_devices true - protect_system "full" + protect_system "strict" protect_home true + read_write_paths "/store/planet/users_deleted" restrict_address_families %w[AF_INET AF_INET6] no_new_privileges true end @@ -211,8 +217,12 @@ systemd_service "replication-changesets" do exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf" private_tmp true private_devices true - protect_system "full" + protect_system "strict" protect_home true + read_write_paths [ + "/run/replication", + "/store/planet/replication/changesets" + ] restrict_address_families %w[AF_INET AF_INET6] no_new_privileges true end @@ -272,8 +282,14 @@ systemd_service "replication-minutely" do exec_start "/usr/local/bin/replicate-minute" private_tmp true private_devices true - protect_system "full" + protect_system "strict" protect_home true + read_write_paths [ + "/run/replication", + "/store/replication/minute", + "/store/planet/replication/minute", + "/var/lib/replication/minute" + ] restrict_address_families %w[AF_INET AF_INET6] no_new_privileges true end @@ -315,10 +331,15 @@ systemd_service "replication-hourly" do description "Hourly replication" user "planet" exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour" + environment "LD_PRELOAD" => "/opt/flush/flush.so" private_tmp true private_devices true - protect_system "full" + protect_system "strict" protect_home true + read_write_paths [ + "/store/planet/replication/hour", + "/var/lib/replication/hour" + ] restrict_address_families %w[AF_INET AF_INET6] no_new_privileges true end @@ -358,10 +379,15 @@ systemd_service "replication-daily" do description "Daily replication" user "planet" exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day" + environment "LD_PRELOAD" => "/opt/flush/flush.so" private_tmp true private_devices true - protect_system "full" + protect_system "strict" protect_home true + read_write_paths [ + "/store/planet/replication/day", + "/var/lib/replication/day" + ] restrict_address_families %w[AF_INET AF_INET6] no_new_privileges true end @@ -380,8 +406,9 @@ systemd_service "replication-cleanup" do private_tmp true private_devices true private_network true - protect_system "full" + protect_system "strict" protect_home true + read_write_paths "/var/lib/replication" no_new_privileges true end