From ea494b10e34507c3ba06fdf7c0d30f8444806700 Mon Sep 17 00:00:00 2001 From: mwiegand Date: Wed, 20 Oct 2021 23:47:22 +0200 Subject: [PATCH 1/6] wip --- bundles/redis/items.py | 48 +++++++++++++ bundles/redis/metadata.py | 145 +++++++++++++++++++++++++++++++++++++- nodes/netcup.secondary.py | 6 ++ 3 files changed, 198 insertions(+), 1 deletion(-) diff --git a/bundles/redis/items.py b/bundles/redis/items.py index f36b11b..1d69726 100644 --- a/bundles/redis/items.py +++ b/bundles/redis/items.py @@ -1,5 +1,53 @@ directories = { + '/etc/redis': { + 'purge': True, + 'needs': [ + 'pkg_apt:redis-server', + ], + }, '/var/lib/redis': { 'owner': 'redis', + 'purge': True, + 'needs': [ + 'pkg_apt:redis-server', + ], }, } + +files = { + '/etc/systemd/system/redis.service': { + 'delete': True, + 'needs': [ + 'pkg_apt:redis-server', + ], + }, +} + +svc_systemd = { + 'redis': { + 'running': False, + 'enabled': False, + 'needs': [ + 'pkg_apt:redis-server', + ], + }, +} + + +for name, conf in node.metadata.get('redis').items(): + files[f'/etc/redis/{name}.conf'] = { + 'content': '\n'.join( + f'{key} {value}' for key, value in sorted(conf.items()) + ), + 'owner': 'redis', + 'triggers': [ + f'svc_systemd:redis-{name}:restart' + ], + } + + svc_systemd[f'redis-{name}'] = { + 'needs': [ + 'svc_systemd:redis', + f'file:/etc/redis/{name}.conf', + ], + } diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index 15f46f7..1dfd246 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -8,7 +8,10 @@ defaults = { 'paths': { '/var/lib/redis', }, - } + }, + 'redis': { + 'server': {}, + }, } if node.has_bundle('zfs'): 
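Review bot: The `files[f'/etc/redis/{name}.conf']` item at the end of the items.py hunk sets `'owner': 'redis'` but no `mode`, so the rendered config is created with whatever the default file mode is. Its content is built from whatever the `redis/<name>` metadata holds, and a redis config is where `requirepass`/`masterauth` directives would land if authentication is ever enabled, so the file should be private to the service from the start: add `'mode': '0640',` and `'group': 'redis',` next to the owner. A comment on the item such as `# one 'key value' line per metadata entry; values are written verbatim` would also document the rendering contract for the next reader.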
@@ -23,3 +26,143 @@ if node.has_bundle('zfs'): }, }, } + + +@metadata_reactor.provides( + 'redis', +) +def config(metadata): + redis = {} + + for name, conf in metadata.get('redis').items(): + redis[name] = { + 'bind': '127.0.0.1 ::1', + 'protected-mode': 'yes', + 'port': '6379', + 'tcp-backlog': '511', + 'unixsocket': f'/var/run/redis/redis-{name}.sock', + 'unixsocketperm': '700', + 'timeout': '0', + 'tcp-keepalive': '300', + 'daemonize': 'yes', + 'supervised': 'no', + 'pidfile': f'/var/run/redis/redis-{name}.pid', + 'loglevel': 'notice', + 'logfile': f'/var/log/redis/redis-{name}.log', + 'databases': '16', + 'always-show-logo': 'yes', + 'save': '900 1', + 'save': '300 10', + 'save': '60 10000', + 'stop-writes-on-bgsave-error': 'yes', + 'rdbcompression': 'yes', + 'rdbchecksum': 'yes', + 'dbfilename': f'{name}.rdb', + 'dir': '/var/lib/redis', + 'replica-serve-stale-data': 'yes', + 'replica-read-only': 'yes', + 'repl-diskless-sync': 'no', + 'repl-diskless-sync-delay': '5', + 'repl-disable-tcp-nodelay': 'no', + 'replica-priority': '100', + 'lazyfree-lazy-eviction': 'no', + 'lazyfree-lazy-expire': 'no', + 'lazyfree-lazy-server-del': 'no', + 'replica-lazy-flush': 'no', + 'appendonly': 'no', + 'appendfilename': '"appendonly.aof"', + 'appendfsync': 'everysec', + 'no-appendfsync-on-rewrite': 'no', + 'auto-aof-rewrite-percentage': '100', + 'auto-aof-rewrite-min-size': '64mb', + 'aof-load-truncated': 'yes', + 'aof-use-rdb-preamble': 'yes', + 'lua-time-limit': '5000', + 'slowlog-log-slower-than': '10000', + 'slowlog-max-len': '128', + 'latency-monitor-threshold': '0', + 'notify-keyspace-events': '""', + 'hash-max-ziplist-entries': '512', + 'hash-max-ziplist-value': '64', + 'list-max-ziplist-size': '-2', + 'list-compress-depth': '0', + 'set-max-intset-entries': '512', + 'zset-max-ziplist-entries': '128', + 'zset-max-ziplist-value': '64', + 'hll-sparse-max-bytes': '3000', + 'stream-node-max-bytes': '4096', + 'stream-node-max-entries': '100', + 'activerehashing': 'yes', + 
'client-output-buffer-limit': 'normal 0 0 0', + 'client-output-buffer-limit': 'replica 256mb 64mb 60', + 'client-output-buffer-limit': 'pubsub 32mb 8mb 60', + 'hz': '10', + 'dynamic-hz': 'yes', + 'aof-rewrite-incremental-fsync': 'yes', + 'rdb-save-incremental-fsync': 'yes', + } + + return { + 'redis': redis, + } + + +@metadata_reactor.provides( + 'systemd/units', +) +def units(metadata): + units = {} + + for name, conf in metadata.get('redis').items(): + units[f'redis-{name}.service'] = { + 'Unit': { + 'Description': f'redis {name}', + 'After': 'network.target', + }, + 'Service': { + 'Type': 'notify', + 'ExecStart': f'/usr/bin/redis-server /etc/redis/{name}.conf --supervised systemd --daemonize no', + 'PIDFile': f'/run/redis/redis-{name}.pid', + 'TimeoutStopSec': '0', + 'Restart': 'always', + 'User': 'redis', + 'Group': 'redis', + 'RuntimeDirectory': f'redis', + 'RuntimeDirectoryMode': '2755', + + 'UMask': '007', + 'PrivateTmp': 'yes', + 'LimitNOFILE': '65535', + 'PrivateDevices': 'yes', + 'ProtectHome': 'yes', + 'ReadOnlyDirectories': '/', + 'ReadWritePaths': [ + '-/var/lib/redis', + '-/var/log/redis', + '-/var/run/redis', + ], + + 'NoNewPrivileges': 'true', + 'CapabilityBoundingSet': 'CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE', + 'MemoryDenyWriteExecute': 'true', + 'ProtectKernelModules': 'true', + 'ProtectKernelTunables': 'true', + 'ProtectControlGroups': 'true', + 'RestrictRealtime': 'true', + 'RestrictNamespaces': 'true', + 'RestrictAddressFamilies': 'AF_INET AF_INET6 AF_UNIX', + + 'ProtectSystem': 'true', + 'ReadWriteDirectories': '-/etc/redis', + }, + 'Install': { + 'WantedBy': {'multi-user.target'}, + 'Alias': f'redis-{name}.service', + }, + } + + return { + 'systemd': { + 'units': units, + } + } diff --git a/nodes/netcup.secondary.py b/nodes/netcup.secondary.py index 313c6e3..2a48bb1 100644 --- a/nodes/netcup.secondary.py +++ b/nodes/netcup.secondary.py 
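Review bot: In the `units()` hunk, `'Alias': f'redis-{name}.service'` in the `Install` section names the unit's own file name, so it provides no alternative name and is likely ignored or rejected by `systemctl enable`; drop the line, or alias to a name clients would actually reference. A few lines earlier, `'ReadOnlyDirectories': '/'` is the legacy spelling of `ReadOnlyPaths=` and is redundant next to `'ProtectSystem': 'true'`, while the same block already uses the modern `ReadWritePaths`; pick one spelling. A short comment over the hardening block, e.g. `# sandbox: read-only root, only data/log/runtime dirs writable`, would help maintainers tell the intentional settings from the redundant ones.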
@@ -7,6 +7,7 @@ ], 'bundles': [ 'wireguard', + 'redis', ], 'metadata': { 'id': '890848b2-a900-4f74-ad5b-b811fbb4f0bc', @@ -27,6 +28,11 @@ 'master_node': 'htz.mails', 'hostname': 'second.resolver.name', }, + 'redis': { + 'nextcloud': { + 'port': '6380', + }, + }, # 'postfix': { # 'master_node': 'htz.mails', # 'hostname': 'mail2.sublimity.de', From d1bbfecbc949abdc289e5900c39ea1627e3fccf5 Mon Sep 17 00:00:00 2001 From: mwiegand Date: Wed, 20 Oct 2021 23:50:12 +0200 Subject: [PATCH 2/6] wip --- bundles/redis/metadata.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index 1dfd246..15ab1c2 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -40,15 +40,15 @@ def config(metadata): 'protected-mode': 'yes', 'port': '6379', 'tcp-backlog': '511', - 'unixsocket': f'/var/run/redis/redis-{name}.sock', + 'unixsocket': f'/var/run/redis-{name}/redis.sock', 'unixsocketperm': '700', 'timeout': '0', 'tcp-keepalive': '300', 'daemonize': 'yes', 'supervised': 'no', - 'pidfile': f'/var/run/redis/redis-{name}.pid', + 'pidfile': f'/var/run/redis-{name}/redis.pid', 'loglevel': 'notice', - 'logfile': f'/var/log/redis/redis-{name}.log', + 'logfile': f'/var/log/redis/{name}.log', 'databases': '16', 'always-show-logo': 'yes', 'save': '900 1', @@ -122,12 +122,12 @@ def units(metadata): 'Service': { 'Type': 'notify', 'ExecStart': f'/usr/bin/redis-server /etc/redis/{name}.conf --supervised systemd --daemonize no', - 'PIDFile': f'/run/redis/redis-{name}.pid', + 'PIDFile': f'/run/redis-{name}/redis.pid', 'TimeoutStopSec': '0', 'Restart': 'always', 'User': 'redis', 'Group': 'redis', - 'RuntimeDirectory': f'redis', + 'RuntimeDirectory': f'redis-{name}', 'RuntimeDirectoryMode': '2755', 'UMask': '007', @@ -139,7 +139,7 @@ def units(metadata): 'ReadWritePaths': [ '-/var/lib/redis', '-/var/log/redis', - '-/var/run/redis', + f'-/var/run/redis-{name}', ], 'NoNewPrivileges': 'true', 
From 4e6071183f9f9ae1cade7d2b8daa27bd97be81ed Mon Sep 17 00:00:00 2001 From: mwiegand Date: Wed, 20 Oct 2021 23:53:48 +0200 Subject: [PATCH 3/6] wip --- bundles/redis/items.py | 2 -- bundles/redis/metadata.py | 1 - 2 files changed, 3 deletions(-) diff --git a/bundles/redis/items.py b/bundles/redis/items.py index 1d69726..e557d09 100644 --- a/bundles/redis/items.py +++ b/bundles/redis/items.py @@ -7,7 +7,6 @@ directories = { }, '/var/lib/redis': { 'owner': 'redis', - 'purge': True, 'needs': [ 'pkg_apt:redis-server', ], @@ -33,7 +32,6 @@ svc_systemd = { }, } - for name, conf in node.metadata.get('redis').items(): files[f'/etc/redis/{name}.conf'] = { 'content': '\n'.join( diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index 15ab1c2..702ff51 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -153,7 +153,6 @@ def units(metadata): 'RestrictAddressFamilies': 'AF_INET AF_INET6 AF_UNIX', 'ProtectSystem': 'true', - 'ReadWriteDirectories': '-/etc/redis', }, 'Install': { 'WantedBy': {'multi-user.target'}, From 75d0043578478d4a7b41d2052e5874e7702a663e Mon Sep 17 00:00:00 2001 From: mwiegand Date: Fri, 22 Oct 2021 16:06:42 +0200 Subject: [PATCH 4/6] multiredis --- bundles/nextcloud/files/managed.config.php | 7 +++++++ bundles/nextcloud/metadata.py | 3 +++ bundles/redis/items.py | 4 +++- bundles/redis/metadata.py | 9 ++++++--- bundles/rspamd/files/local.d/redis.conf | 2 +- bundles/rspamd/metadata.py | 3 +++ nodes/netcup.secondary.py | 6 ------ 7 files changed, 23 insertions(+), 11 deletions(-) diff --git a/bundles/nextcloud/files/managed.config.php b/bundles/nextcloud/files/managed.config.php index 3e50c94..8877d48 100644 --- a/bundles/nextcloud/files/managed.config.php +++ b/bundles/nextcloud/files/managed.config.php 
@@ -25,4 +25,11 @@ $CONFIG = array ( "memcache.local" => "\\OC\\Memcache\\Redis", "memcache.locking" => "\\OC\\Memcache\\Redis", "memcache.distributed" => "\OC\Memcache\Redis", + "redis" => [ + "host" => "/var/run/redis-nextcloud/redis.sock", + "port" => 0, + "dbindex" => 0, + "password" => "secret", + "timeout" => 1.5, + ], ); diff --git a/bundles/nextcloud/metadata.py b/bundles/nextcloud/metadata.py index 49ad2ba..2be5eb9 100644 --- a/bundles/nextcloud/metadata.py +++ b/bundles/nextcloud/metadata.py @@ -52,6 +52,9 @@ defaults = { }, }, }, + 'redis': { + 'nextcloud': {}, + }, 'systemd-timers': { 'nextcloud-cron': { 'command': '/usr/bin/sudo -u www-data /usr/bin/php -f /opt/nextcloud/cron.php', diff --git a/bundles/redis/items.py b/bundles/redis/items.py index e557d09..25cf083 100644 --- a/bundles/redis/items.py +++ b/bundles/redis/items.py @@ -35,7 +35,9 @@ svc_systemd = { for name, conf in node.metadata.get('redis').items(): files[f'/etc/redis/{name}.conf'] = { 'content': '\n'.join( - f'{key} {value}' for key, value in sorted(conf.items()) + f'{key} {value}' + for key, value in sorted(conf.items()) + if value is not False ), 'owner': 'redis', 'triggers': [ diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index 702ff51..648906a 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -10,7 +10,9 @@ defaults = { }, }, 'redis': { - 'server': {}, + 'server': { + 'port': '6379', + }, }, } @@ -38,10 +40,10 @@ def config(metadata): redis[name] = { 'bind': '127.0.0.1 ::1', 'protected-mode': 'yes', - 'port': '6379', + 'port': '0', 'tcp-backlog': '511', 'unixsocket': f'/var/run/redis-{name}/redis.sock', - 'unixsocketperm': '700', + 'unixsocketperm': '777', 'timeout': '0', 'tcp-keepalive': '300', 'daemonize': 'yes', @@ -100,6 +102,7 @@ def config(metadata): 'dynamic-hz': 'yes', 'aof-rewrite-incremental-fsync': 'yes', 'rdb-save-incremental-fsync': 'yes', + **metadata.get(f'redis/{name}', {}), } return { 
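Review bot: `'unixsocketperm': '777'` in the `config()` hunk of bundles/redis/metadata.py makes every per-instance socket under `/var/run/redis-{name}/` writable by any local account, and the generated config carries no `requirepass`, so any local process can talk to the nextcloud and rspamd instances; going from `700` to world-writable is a much larger step than the clients need. Because `RuntimeDirectoryMode` is setgid (`2755` in the earlier units() change), a socket created in that directory inherits the `redis` group, so `'unixsocketperm': '660',` plus adding the consuming service accounts (www-data for Nextcloud, the rspamd service user) to the `redis` group grants exactly those clients access. The `'port': '0'` change on the same hunk is what keeps the default instances off TCP and deserves a comment such as `# socket-only; the 'server' instance re-enables TCP via its metadata override`, since the `**metadata.get(f'redis/{name}', {})` merge in the following hunk is what restores `6379` for `server`.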
diff --git a/bundles/rspamd/files/local.d/redis.conf b/bundles/rspamd/files/local.d/redis.conf index 5a9c582..d35aabf 100644 --- a/bundles/rspamd/files/local.d/redis.conf +++ b/bundles/rspamd/files/local.d/redis.conf @@ -1 +1 @@ -servers = "127.0.0.1"; +servers = "/var/run/redis-rspamd/redis.sock"; diff --git a/bundles/rspamd/metadata.py b/bundles/rspamd/metadata.py index 3614bc6..48b8de7 100644 --- a/bundles/rspamd/metadata.py +++ b/bundles/rspamd/metadata.py @@ -10,6 +10,9 @@ defaults = { 'rspamd': {}, }, }, + 'redis': { + 'rspamd': {}, + }, 'rspamd': { 'web_password': repo.vault.password_for(node.name + ' rspamd web password'), 'ip_whitelist': set(), diff --git a/nodes/netcup.secondary.py b/nodes/netcup.secondary.py index 2a48bb1..313c6e3 100644 --- a/nodes/netcup.secondary.py +++ b/nodes/netcup.secondary.py @@ -7,7 +7,6 @@ ], 'bundles': [ 'wireguard', - 'redis', ], 'metadata': { 'id': '890848b2-a900-4f74-ad5b-b811fbb4f0bc', @@ -28,11 +27,6 @@ 'master_node': 'htz.mails', 'hostname': 'second.resolver.name', }, - 'redis': { - 'nextcloud': { - 'port': '6380', - }, - }, # 'postfix': { # 'master_node': 'htz.mails', # 'hostname': 'mail2.sublimity.de', From 40cedbf20cc1cc8a549eac389419e6a47b3a0d0b Mon Sep 17 00:00:00 2001 From: mwiegand Date: Fri, 22 Oct 2021 16:59:03 +0200 Subject: [PATCH 5/6] wip --- bundles/nextcloud/files/managed.config.php | 4 ---- 1 file changed, 4 deletions(-) diff --git a/bundles/nextcloud/files/managed.config.php b/bundles/nextcloud/files/managed.config.php index 8877d48..867d740 100644 --- a/bundles/nextcloud/files/managed.config.php +++ b/bundles/nextcloud/files/managed.config.php @@ -27,9 +27,5 @@ $CONFIG = array ( "memcache.distributed" => "\OC\Memcache\Redis", "redis" => [ "host" => "/var/run/redis-nextcloud/redis.sock", - "port" => 0, - "dbindex" => 0, - "password" => "secret", - "timeout" => 1.5, ], ); From 077c65d8b961ff2e54a8c73d241900e50d8c6664 Mon Sep 17 00:00:00 2001 
From: mwiegand Date: Fri, 22 Oct 2021 17:15:31 +0200 Subject: [PATCH 6/6] redis conf multiple values --- bundles/redis/items.py | 5 +++-- bundles/redis/metadata.py | 22 +++++++++------------- 2 files changed, 12 insertions(+), 15 deletions(-) diff --git a/bundles/redis/items.py b/bundles/redis/items.py index 25cf083..c077b46 100644 --- a/bundles/redis/items.py +++ b/bundles/redis/items.py @@ -36,9 +36,10 @@ for name, conf in node.metadata.get('redis').items(): files[f'/etc/redis/{name}.conf'] = { 'content': '\n'.join( f'{key} {value}' - for key, value in sorted(conf.items()) + for key, values in sorted(conf.items()) + for value in ([values] if isinstance(values, str) else sorted(values)) if value is not False - ), + ) + '\n', 'owner': 'redis', 'triggers': [ f'svc_systemd:redis-{name}:restart' diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index 648906a..b125ccf 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -53,24 +53,19 @@ def config(metadata): 'logfile': f'/var/log/redis/{name}.log', 'databases': '16', 'always-show-logo': 'yes', - 'save': '900 1', - 'save': '300 10', - 'save': '60 10000', + 'save': { + '900 1', + '300 10', + '60 10000', + }, 'stop-writes-on-bgsave-error': 'yes', 'rdbcompression': 'yes', 'rdbchecksum': 'yes', 'dbfilename': f'{name}.rdb', 'dir': '/var/lib/redis', - 'replica-serve-stale-data': 'yes', - 'replica-read-only': 'yes', - 'repl-diskless-sync': 'no', - 'repl-diskless-sync-delay': '5', - 'repl-disable-tcp-nodelay': 'no', - 'replica-priority': '100', 'lazyfree-lazy-eviction': 'no', 'lazyfree-lazy-expire': 'no', 'lazyfree-lazy-server-del': 'no', - 'replica-lazy-flush': 'no', 'appendonly': 'no', 'appendfilename': '"appendonly.aof"', 'appendfsync': 'everysec', 
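Review bot: The new inner generator in the items.py hunk, `for value in ([values] if isinstance(values, str) else sorted(values))`, raises `TypeError` for any non-string scalar: a metadata entry set to `False` (presumably the case the following `if value is not False` filter exists for) or an int reaches `sorted(False)` before the filter runs. Invert the test so only real collections are expanded, `for value in (sorted(values) if isinstance(values, (set, list, tuple)) else [values])`, and the `False` filter works again. The sorting of set values is what keeps the rendered `save` and `client-output-buffer-limit` lines stable between runs; a comment like `# sets/lists render as repeated directives, sorted for a stable file` would record that intent.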
@@ -95,9 +90,10 @@ def config(metadata): 'stream-node-max-bytes': '4096', 'stream-node-max-entries': '100', 'activerehashing': 'yes', - 'client-output-buffer-limit': 'normal 0 0 0', - 'client-output-buffer-limit': 'replica 256mb 64mb 60', - 'client-output-buffer-limit': 'pubsub 32mb 8mb 60', + 'client-output-buffer-limit': { + 'normal 0 0 0', + 'pubsub 32mb 8mb 60', + }, 'hz': '10', 'dynamic-hz': 'yes', 'aof-rewrite-incremental-fsync': 'yes',