Separate the replication and expiry tasks for tile servers
authorTom Hughes <tom@compton.nu>
Sat, 4 Mar 2017 12:13:28 +0000 (12:13 +0000)
committerTom Hughes <tom@compton.nu>
Sat, 4 Mar 2017 12:27:10 +0000 (12:27 +0000)
They need to run as different users, so use a systemd path unit to
trigger the expiry without needing an awkward security transition.

cookbooks/tile/recipes/default.rb
cookbooks/tile/templates/default/expire-tiles.erb
cookbooks/tile/templates/default/replicate.erb
cookbooks/tile/templates/default/sudoers.erb [deleted file]

index 4293427b6c5bb5435e1b1c4a4ee533eed2772dd1..615afb84431f6a3b58e0bc2d9737f3df5562dbb7 100644 (file)
@@ -433,19 +433,18 @@ template "/usr/local/bin/expire-tiles" do
   mode 0o755
 end
 
-template "/etc/sudoers.d/tile" do
-  source "sudoers.erb"
-  owner "root"
-  group "root"
-  mode 0o440
-end
-
 directory "/var/lib/replicate" do
   owner "tile"
   group "tile"
   mode 0o755
 end
 
+directory "/var/lib/replicate/expire-queue" do
+  owner "tile"
+  group "www-data"
+  mode 0o775
+end
+
 template "/var/lib/replicate/configuration.txt" do
   source "replicate.configuration.erb"
   owner "tile"
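Review bot: Dropping the `template "/etc/sudoers.d/tile"` resource stops Chef from managing that file but does not remove it from hosts that have already converged, so the `tile ALL=(www-data) NOPASSWD: /usr/local/bin/expire-tiles` rule removed in the sudoers.erb deletion stays in force on existing tile servers. Since the replication service no longer calls sudo (and the later hunk gives it `no_new_privileges`, under which sudo would fail anyway), the recipe should delete the file explicitly: `file "/etc/sudoers.d/tile" do` / `action :delete` / `end`. That resource can be dropped again once every host has converged it.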
@@ -460,6 +459,29 @@ template "/usr/local/bin/replicate" do
   mode 0o755
 end
 
+systemd_service "expire-tiles" do
+  description "Tile dirtying service"
+  type "oneshot"
+  user "www-data"
+  exec_start "/usr/local/bin/expire-tiles"
+  standard_output "null"
+  private_tmp true
+  private_devices true
+  protect_system "full"
+  protect_home true
+  no_new_privileges true
+end
+
+systemd_path "expire-tiles" do
+  description "Tile dirtying trigger"
+  directory_not_empty "/var/lib/replicate/expire-queue"
+end
+
+service "expire-tiles.path" do
+  action [:enable, :start]
+  subscribes :restart, "systemd_path[expire-tiles]"
+end
+
 systemd_service "replicate" do
   description "Rendering database replication service"
   after "postgresql.service"
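Review bot: A change file that `expire-tiles` cannot process keeps the `directory_not_empty` condition true, and the path unit will re-trigger the oneshot service as soon as it exits, so one bad `changes-*.osm.gz` turns into a tight restart loop; the `expire-tiles.erb` hunk only unlinks a file after `Expire::expire` returns, so this is reachable. Either the script should deal with a file it cannot process (rescue per file, log, and unlink or quarantine it) or the service should carry a start rate limit such as `StartLimitIntervalSec=`/`StartLimitBurst=` so the failure surfaces in the journal instead of spinning; whether the cookbook's `systemd_service` resource exposes those directives I cannot tell from this hunk. `standard_output "null"` discards stdout only, so stderr from a failing run still reaches the journal — a comment noting that this is deliberate would help the next reader. The `systemd_service "replicate"` block at the end of the hunk continues outside it.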
@@ -470,6 +492,7 @@ systemd_service "replicate" do
   private_devices true
   protect_system "full"
   protect_home true
+  no_new_privileges true
   restart "on-failure"
 end
 
index 2c0e7406e10c2e9c5d81ac5565fc210aba037373..6716fd66c2597cf194220e7de9a8cf9379535f42 100644 (file)
@@ -12,6 +12,7 @@ tile_dirs = [
 
 max_zoom = <%= node[:tile][:styles].collect { |n,d| d[:max_zoom] }.max %>
 
-ARGV.each do |f|
+Dir.glob("/var/lib/replicate/expire-queue/changes-*.osm.gz").each do |f|
    Expire::expire(f, 13, max_zoom, tile_dirs)
+   File::unlink(f)
 end
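Review bot: The queue path `/var/lib/replicate/expire-queue` and the `changes-*.osm.gz` naming are now spelled out here, in the recipe's `directory` and `systemd_path` resources, and in `replicate.erb`'s `ln`, so three files must be kept in step by hand; naming the contract once in this script would help: `EXPIRE_QUEUE = "/var/lib/replicate/expire-queue"` above the loop and `Dir.glob(File.join(EXPIRE_QUEUE, "changes-*.osm.gz")).each do |f|`. `Dir.glob` does not guarantee sequence order on older Rubies; if expiring change files out of order matters, add `.sort`, otherwise a comment saying order is irrelevant would settle the question for the reader.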
index 145f6eb407c9f35e980b7a366a2a035143e15c5b..ecc6b69b036fd79dcf977c61b2afe1de4c8eb5b5 100644 (file)
@@ -76,8 +76,8 @@ do
             # No need to rollback now
             rm state-prev.txt
 
-            # Expire tiles which are touched by the changes
-            sudo -u www-data /usr/local/bin/expire-tiles ${file} > /dev/null 2>&1 &
+            # Queue these changes for expiry processing
+            ln ${file} expire-queue/$file
         fi
 
         # Delete old downloads
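Review bot: `ln ${file} expire-queue/$file` fails with "File exists" if an entry of that name is already queued (for instance a re-run after a crash before the expiry service consumed the earlier link), and whether that error aborts the replication loop depends on the shell's `set -e` state, which is outside this hunk. `ln -f "${file}" "expire-queue/${file}"` replaces a stale link with the same content and also quotes both paths consistently instead of mixing `${file}` and `$file`. The enclosing loop starts and ends outside the hunk.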
diff --git a/cookbooks/tile/templates/default/sudoers.erb b/cookbooks/tile/templates/default/sudoers.erb
deleted file mode 100644 (file)
index 90db9cd..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-# DO NOT EDIT - This file is being maintained by Chef
-
-# Allow the replication service to expire tiles
-tile ALL=(www-data) NOPASSWD: /usr/local/bin/expire-tiles