X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/38c8960ea8385b58b60492fc51da0e217d3275a8..6b8e67103d90b327fb6eb1dd859cfd7f7d18340f:/cookbooks/squid/recipes/default.rb

diff --git a/cookbooks/squid/recipes/default.rb b/cookbooks/squid/recipes/default.rb
index 917834eb2..f024adcc6 100644
--- a/cookbooks/squid/recipes/default.rb
+++ b/cookbooks/squid/recipes/default.rb
@@ -50,6 +50,11 @@ systemd_service "squid" do
   exec_start "/usr/sbin/squid -N $SQUID_ARGS"
   exec_reload "/usr/sbin/squid -k reconfigure"
   exec_stop "/usr/sbin/squid -k shutdown"
+  private_tmp true
+  private_devices true
+  protect_system "full"
+  protect_home true
+  no_new_privileges true
   restart "on-failure"
   timeout_sec 0
 end
@@ -62,6 +67,16 @@ service "squid" do
   subscribes :reload, "template[/etc/resolv.conf]"
 end
 
+log "squid-restart" do
+  message "Restarting squid due to counter wraparound"
+  notifies :restart, "service[squid]"
+  only_if do
+    IO.popen(["squidclient", "--host=127.0.0.1", "--port=80", "mgr:counters"]) do |io|
+      io.each.grep(/^[a-z][a-z_.]+ = -[0-9]+$/).count.positive?
+    end
+  end
+end
+
 munin_plugin "squid_cache"
 munin_plugin "squid_delay_pools"
 munin_plugin "squid_delay_pools_noreferer"
@@ -70,3 +85,7 @@ munin_plugin "squid_icp"
 munin_plugin "squid_objectsize"
 munin_plugin "squid_requests"
 munin_plugin "squid_traffic"
+
+Dir.glob("/var/log/squid/zere.log*") do |log|
+  File.unlink(log)
+end