From: Tom Hughes
Date: Thu, 30 Nov 2023 00:08:56 +0000 (+0000)
Subject: Use unix domain sockets for cgimap on the dev server
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/4e99c5be590629426248a522a1c09ce2ab9196d1

Use unix domain sockets for cgimap on the dev server
---

diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb
index 8a6fd665d..b6a11b905 100644
--- a/cookbooks/dev/recipes/default.rb
+++ b/cookbooks/dev/recipes/default.rb
@@ -318,16 +318,17 @@ if node[:postgresql][:clusters][:"15/main"]
 type "forking"
 environment_file "/etc/default/cgimap-%i"
 user "apis"
- exec_start "/srv/%i.apis.dev.openstreetmap.org/cgimap/openstreetmap-cgimap --daemon --port $CGIMAP_PORT --instances 5"
+ group "www-data"
+ umask "0002"
+ exec_start "/srv/%i.apis.dev.openstreetmap.org/cgimap/openstreetmap-cgimap --daemon --instances 5"
 exec_reload "/bin/kill -HUP $MAINPID"
+ runtime_directory "cgimap-%i"
 sandbox :enable_network => true
 restrict_address_families "AF_UNIX"
 read_write_paths ["/srv/%i.apis.dev.openstreetmap.org/logs", "/srv/%i.apis.dev.openstreetmap.org/rails/tmp"]
 restart "on-failure"
 end
- cgimap_port = 9000
-
 Dir.glob("/srv/*.apis.dev.openstreetmap.org").each do |dir|
 node.default_unless[:dev][:rails][File.basename(dir).split(".").first] = {}
 end
@@ -477,7 +478,7 @@ if node[:postgresql][:clusters][:"15/main"]
 owner "root"
 group "root"
 mode "640"
- variables :cgimap_port => cgimap_port,
+ variables :cgimap_socket => "/run/cgimap-#{name}/socket",
 :database_port => node[:postgresql][:clusters][:"15/main"][:port],
 :database_name => database_name,
 :log_directory => log_directory,
@@ -503,7 +504,7 @@ if node[:postgresql][:clusters][:"15/main"]
 :aliases => site_aliases,
 :secret_key_base => secret_key_base,
 :cgimap_enabled => details.key?(:cgimap_repository),
- :cgimap_port => cgimap_port
+ :cgimap_socket => "/run/cgimap-#{name}/socket"
 end
 template "/etc/logrotate.d/apis-#{name}" do
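Review bot: `umask "0002"` in the cgimap service block (first hunk of cookbooks/dev/recipes/default.rb) is process-wide, so besides the socket it can also leave files that cgimap creates under the `read_write_paths` directories group-writable by `www-data`. The group write bit is what lets Apache connect to the socket, and that reason is worth recording next to the setting, e.g. `# 0002 so the FastCGI socket under /run/cgimap-%i is writable by www-data (Apache)`. Separately, `sandbox :enable_network => true` is kept although the TCP listener is gone; whether cgimap still needs network access (for example to reach PostgreSQL) is not visible here, so it is worth confirming and tightening if it does not. The service block starts above this hunk.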
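Review bot: The socket path `"/run/cgimap-#{name}/socket"` is spelled out twice, in the `variables` of the hunk at -477 and again in the hunk at -503, and both have to stay in step with `runtime_directory "cgimap-%i"` in the service definition. Nothing ties the three together, so a later change to the runtime directory name would leave Apache proxying to a path that no longer exists. Assigning it once per site, `cgimap_socket = "/run/cgimap-#{name}/socket"`, and passing `:cgimap_socket => cgimap_socket` to both templates would keep them consistent. Both template blocks start outside their hunks.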
@@ -515,8 +516,6 @@ if node[:postgresql][:clusters][:"15/main"]
 :log_directory => log_directory,
 :rails_directory => rails_directory
 end
-
- cgimap_port += 1
 else
 file "/etc/logrotate.d/apis-#{name}" do
 action :delete
diff --git a/cookbooks/dev/templates/default/apache.rails.erb b/cookbooks/dev/templates/default/apache.rails.erb
index cf2a56613..18b0d77a0 100644
--- a/cookbooks/dev/templates/default/apache.rails.erb
+++ b/cookbooks/dev/templates/default/apache.rails.erb
@@ -41,15 +41,15 @@
 # Pass supported calls to cgimap
 RewriteEngine on
- RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ fcgi://127.0.0.1:<%= @cgimap_port %>$0 [P]
+ RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ unix:<%= @cgimap_socket %>|fcgi://127.0.0.1$0 [P]
 RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
- RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ fcgi://127.0.0.1:<%= @cgimap_port %>$0 [P]
- RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ fcgi://127.0.0.1:<%= @cgimap_port %>$0 [P]
- RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ fcgi://127.0.0.1:<%= @cgimap_port %>$0 [P]
- RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ fcgi://127.0.0.1:<%= @cgimap_port %>$0 [P]
- RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ fcgi://127.0.0.1:<%= @cgimap_port %>$0 [P]
- RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ fcgi://127.0.0.1:<%= @cgimap_port %>$0 [P]
- RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ fcgi://127.0.0.1:<%= @cgimap_port %>$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ unix:<%= @cgimap_socket %>|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ unix:<%= @cgimap_socket %>|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ unix:<%= @cgimap_socket %>|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ unix:<%= @cgimap_socket %>|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ unix:<%= @cgimap_socket %>|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ unix:<%= @cgimap_socket %>|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ unix:<%= @cgimap_socket %>|fcgi://127.0.0.1$0 [P]
 <% end -%>
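Review bot: `RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$` still guards only the `RewriteRule` directly beneath it, because mod_rewrite attaches conditions to the next rule alone; the history, relations, ways, full and multi-fetch rules below it are proxied to the cgimap socket for any request method. If those were meant to be read-only routes, the condition needs repeating before each of them (the changeset upload/download rule presumably has to accept other methods and would stay unguarded). It would also help to record in the template that the host part of `unix:<%= @cgimap_socket %>|fcgi://127.0.0.1$0` is not used for the connection, e.g. `# 127.0.0.1 is a placeholder; the unix: prefix selects the cgimap socket`. The enclosing `<% if %>` block opens above this hunk.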
diff --git a/cookbooks/dev/templates/default/cgimap.environment.erb b/cookbooks/dev/templates/default/cgimap.environment.erb
index 1e592cc0c..a49b8f48b 100644
--- a/cookbooks/dev/templates/default/cgimap.environment.erb
+++ b/cookbooks/dev/templates/default/cgimap.environment.erb
@@ -1,6 +1,6 @@
 # DO NOT EDIT - This file is being maintained by Chef
-CGIMAP_PORT="<%= @cgimap_port %>"
+CGIMAP_SOCKET="<%= @cgimap_socket %>"
 CGIMAP_DBPORT="<%= @database_port %>"
 CGIMAP_DBNAME="<%= @database_name %>"
 CGIMAP_USERNAME="apis"
diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index 8cd4406cf..4a2480489 100644
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
@@ -45,6 +45,7 @@ property :user, String
 property :group, String
 property :dynamic_user, [true, false]
 property :working_directory, String
+property :umask, String
 property :exec_start_pre, [String, Array]
 property :exec_start, [String, Array]
 property :exec_start_post, [String, Array]
diff --git a/cookbooks/systemd/templates/default/service.erb b/cookbooks/systemd/templates/default/service.erb
index 29bd10e33..b979703dd 100644
--- a/cookbooks/systemd/templates/default/service.erb
+++ b/cookbooks/systemd/templates/default/service.erb
@@ -69,6 +69,9 @@ DynamicUser=<%= @dynamic_user %>
 <% if @working_directory -%>
 WorkingDirectory=<%= @working_directory %>
 <% end -%>
+<% if @umask -%>
+UMask=<%= @umask %>
+<% end -%>
 <% if @exec_start_pre -%>
 <% if @dropin -%>
 ExecStartPre=
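Review bot: `property :umask, String` in cookbooks/systemd/resources/service.rb accepts any string, and the service.erb hunk writes it unchanged into the unit as `UMask=<%= @umask %>`. A typo, or a value containing whitespace or a newline, would produce a broken or unintended unit file that is only noticed when systemd loads it. Constraining the property to an octal mode catches that at converge time: `property :umask, String, :regex => /\A[0-7]{3,4}\z/`.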