From 743225d946030d146d8a130eb6551e9246d7ada4 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 4 Mar 2017 12:13:28 +0000
Subject: [PATCH] Separate the replication and expiry tasks for tile servers

They need to run as different users, so use a systemd path unit to trigger the expiry without needing an awkward security transition.
---
 cookbooks/tile/recipes/default.rb | 37 +++++++++++++++----
 .../tile/templates/default/expire-tiles.erb | 3 +-
 .../tile/templates/default/replicate.erb | 4 +-
 cookbooks/tile/templates/default/sudoers.erb | 4 --
 4 files changed, 34 insertions(+), 14 deletions(-)
 delete mode 100644 cookbooks/tile/templates/default/sudoers.erb

diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb
index 4293427b6..615afb844 100644
--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -433,19 +433,18 @@ template "/usr/local/bin/expire-tiles" do
   mode 0o755
 end
 
-template "/etc/sudoers.d/tile" do
-  source "sudoers.erb"
-  owner "root"
-  group "root"
-  mode 0o440
-end
-
 directory "/var/lib/replicate" do
   owner "tile"
   group "tile"
   mode 0o755
 end
 
+directory "/var/lib/replicate/expire-queue" do
+  owner "tile"
+  group "www-data"
+  mode 0o775
+end
+
 template "/var/lib/replicate/configuration.txt" do
   source "replicate.configuration.erb"
   owner "tile"
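Review bot: Removing the `template "/etc/sudoers.d/tile"` resource only stops Chef from managing that file; it does not delete it from hosts that already have it, so the `tile ALL=(www-data) NOPASSWD: /usr/local/bin/expire-tiles` rule stays in force until someone removes it by hand. Replace the dropped resource with `file "/etc/sudoers.d/tile" do` / `  action :delete` / `end` so the sudo path the commit message retires is actually gone from converged machines. The group-writable `expire-queue` directory (`tile:www-data`, 0775) is what lets the www-data expire service unlink files that `tile` linked in, so those modes look intentional rather than overly loose.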
@@ -460,6 +459,29 @@ template "/usr/local/bin/replicate" do
   mode 0o755
 end
 
+systemd_service "expire-tiles" do
+  description "Tile dirtying service"
+  type "oneshot"
+  user "www-data"
+  exec_start "/usr/local/bin/expire-tiles"
+  standard_output "null"
+  private_tmp true
+  private_devices true
+  protect_system "full"
+  protect_home true
+  no_new_privileges true
+end
+
+systemd_path "expire-tiles" do
+  description "Tile dirtying trigger"
+  directory_not_empty "/var/lib/replicate/expire-queue"
+end
+
+service "expire-tiles.path" do
+  action [:enable, :start]
+  subscribes :restart, "systemd_path[expire-tiles]"
+end
+
 systemd_service "replicate" do
   description "Rendering database replication service"
   after "postgresql.service"
@@ -470,6 +492,7 @@ systemd_service "replicate" do
   private_devices true
   protect_system "full"
   protect_home true
+  no_new_privileges true
   restart "on-failure"
 end
 
diff --git a/cookbooks/tile/templates/default/expire-tiles.erb b/cookbooks/tile/templates/default/expire-tiles.erb
index 2c0e7406e..6716fd66c 100644
--- a/cookbooks/tile/templates/default/expire-tiles.erb
+++ b/cookbooks/tile/templates/default/expire-tiles.erb
@@ -12,6 +12,7 @@ tile_dirs = [
 
 max_zoom = <%= node[:tile][:styles].collect { |n,d| d[:max_zoom] }.max %>
 
-ARGV.each do |f|
+Dir.glob("/var/lib/replicate/expire-queue/changes-*.osm.gz").each do |f|
   Expire::expire(f, 13, max_zoom, tile_dirs)
+  File::unlink(f)
 end
diff --git a/cookbooks/tile/templates/default/replicate.erb b/cookbooks/tile/templates/default/replicate.erb
index 145f6eb40..ecc6b69b0 100644
--- a/cookbooks/tile/templates/default/replicate.erb
+++ b/cookbooks/tile/templates/default/replicate.erb
@@ -76,8 +76,8 @@ do
 
         # No need to rollback now
         rm state-prev.txt
-        # Expire tiles which are touched by the changes
-        sudo -u www-data /usr/local/bin/expire-tiles ${file} > /dev/null 2>&1 &
+        # Queue these changes for expiry processing
+        ln ${file} expire-queue/$file
     fi
 
     # Delete old downloads
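Review bot: `standard_output "null"` on the new expire-tiles service also hides stderr, because systemd's StandardError= defaults to inherit from StandardOutput=, so a Ruby exception out of /usr/local/bin/expire-tiles leaves no trace anywhere. That matters here because the script only unlinks a queue file after processing it: a file that keeps failing stays in `/var/lib/replicate/expire-queue`, `directory_not_empty` fires the oneshot again, and the loop is invisible. Adding `standard_error "journal"` (StandardError=journal, assuming the cookbook's systemd_service resource exposes that directive the way it exposes standard_output) makes the failures visible; the retry loop itself is raised on the expire-tiles.erb hunk.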
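Review bot: `File::unlink(f)` only runs if `Expire::expire` returns, so a single corrupt or unreadable changes file raises out of the loop, the service exits non-zero with that file still in the queue, and the path unit's DirectoryNotEmpty condition re-runs the same failure indefinitely while every file queued after it waits. Process each file on its own, and move one that cannot be expired out of expire-queue (renaming within the directory would keep the trigger armed) so the loop ends and the problem is left for a human. The glob also hard-codes the `changes-*.osm.gz` names that replicate.erb links in via a `$file` set outside that hunk; a comment pointing at the producer helps the next person who renames either side.
```ruby
# Files are hard-linked here by /usr/local/bin/replicate; this glob must
# match the names it writes. Each file is handled on its own so one bad
# archive neither aborts the run nor re-triggers expire-tiles.path forever.
failed_dir = "PLACEHOLDER_FAILED_DIR" # any directory outside expire-queue
Dir.glob("/var/lib/replicate/expire-queue/changes-*.osm.gz").each do |f|
  begin
    Expire::expire(f, 13, max_zoom, tile_dirs)
    File::unlink(f)
  rescue StandardError => e
    warn "expire-tiles: #{f}: #{e.class}: #{e.message}"
    File.rename(f, File.join(failed_dir, File.basename(f)))
  end
end
```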
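Review bot: `ln ${file} expire-queue/$file` leaves both operands unquoted and spells the same variable two ways; `ln "${file}" "expire-queue/${file}"` is the consistent form and stays correct if a name ever contains whitespace. If a change file is ever handled twice (the rollback handling just above suggests re-runs can happen) the link target already exists and `ln` fails with EEXIST; whether that aborts the script depends on a `set -e` outside this hunk, so use `ln -f` or test the exit status explicitly rather than leaving it to chance. The `if` and the loop enclosing these lines both start before the hunk.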
diff --git a/cookbooks/tile/templates/default/sudoers.erb b/cookbooks/tile/templates/default/sudoers.erb
deleted file mode 100644
index 90db9cd73..000000000
--- a/cookbooks/tile/templates/default/sudoers.erb
+++ /dev/null
@@ -1,4 +0,0 @@
-# DO NOT EDIT - This file is being maintained by Chef
-
-# Allow the replication service to expire tiles
-tile ALL=(www-data) NOPASSWD: /usr/local/bin/expire-tiles
-- 
2.43.2