From 29a3ab73548c8cad8082f8bba1bed3b60d1851bd Mon Sep 17 00:00:00 2001 From: Jack Ding Date: Thu, 6 Sep 2018 16:01:44 -0400 Subject: [PATCH] Remove customizations to memcached package Keep memcached package intact and customize memcached service file by overwriting it from platform-util. Story: 2002826 Task: 24548 Depends-On: https://review.openstack.org/600867 Change-Id: Ic18d7efc1ea5548dc6245c7e9658843bd8d557cf Signed-off-by: Jack Ding --- base/memcached/centos/build_srpm.data | 1 - ...te-package-versioning-for-TIS-format.patch | 25 ------- ...002-always-restart-memcached-service.patch | 32 --------- ...-and-comment-out-incompatible-servic.patch | 33 --------- .../memcached/centos/meta_patches/PATCH_ORDER | 3 - ...002-always-restart-memcached-service.patch | 26 ------- ...-and-comment-out-incompatible-servic.patch | 67 ------------------- base/memcached/centos/srpm_path | 1 - centos_iso_image.inc | 1 + centos_pkg_dirs | 1 - .../platform-util/centos/build_srpm.data | 2 +- .../platform-util/centos/platform-util.spec | 11 +++ .../platform-util/scripts/memcached.service | 55 +++++++++++++++ 13 files changed, 68 insertions(+), 190 deletions(-) delete mode 100644 base/memcached/centos/build_srpm.data delete mode 100644 base/memcached/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch delete mode 100644 base/memcached/centos/meta_patches/0002-always-restart-memcached-service.patch delete mode 100644 base/memcached/centos/meta_patches/0003-Add-dependencies-and-comment-out-incompatible-servic.patch delete mode 100644 base/memcached/centos/meta_patches/PATCH_ORDER delete mode 100644 base/memcached/centos/patches/0002-always-restart-memcached-service.patch delete mode 100644 base/memcached/centos/patches/0003-Add-dependencies-and-comment-out-incompatible-servic.patch delete mode 100644 base/memcached/centos/srpm_path create mode 100644 utilities/platform-util/scripts/memcached.service 
diff --git a/base/memcached/centos/build_srpm.data b/base/memcached/centos/build_srpm.data deleted file mode 100644 index 8aeb55368..000000000 --- a/base/memcached/centos/build_srpm.data +++ /dev/null @@ -1 +0,0 @@ -TIS_PATCH_VER=1 diff --git a/base/memcached/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch b/base/memcached/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch deleted file mode 100644 index 5625e1b28..000000000 --- a/base/memcached/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch +++ /dev/null @@ -1,25 +0,0 @@ -From de355606dea0404c4ae92bad5ce00b841697c698 Mon Sep 17 00:00:00 2001 -From: Jack Ding -Date: Tue, 8 May 2018 14:29:14 -0400 -Subject: [PATCH] Update package versioning for TIS format - ---- - SPECS/memcached.spec | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/SPECS/memcached.spec b/SPECS/memcached.spec -index 6008493..c8575c8 100644 ---- a/SPECS/memcached.spec -+++ b/SPECS/memcached.spec -@@ -4,7 +4,7 @@ - - Name: memcached - Version: 1.4.39 --Release: 1%{?dist} -+Release: 1.el7%{?_tis_dist}.%{tis_patch_ver} - Epoch: 0 - Summary: High Performance, Distributed Memory Object Cache - --- -1.8.3.1 - diff --git a/base/memcached/centos/meta_patches/0002-always-restart-memcached-service.patch b/base/memcached/centos/meta_patches/0002-always-restart-memcached-service.patch deleted file mode 100644 index 89cf9c2ee..000000000 --- a/base/memcached/centos/meta_patches/0002-always-restart-memcached-service.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From f321c8a8b800a7c2ca9394d3c76bec72b98c0d77 Mon Sep 17 00:00:00 2001 -From: Jack Ding -Date: Fri, 11 May 2018 15:38:56 -0400 -Subject: [PATCH] always restart memcached service - ---- - SPECS/memcached.spec | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/SPECS/memcached.spec b/SPECS/memcached.spec -index c8575c8..f389035 100644 ---- a/SPECS/memcached.spec -+++ b/SPECS/memcached.spec -@@ -16,6 +16,7 @@ Source1: memcached.sysconfig - - # https://github.com/memcached/memcached/issues/218 - Patch1: 0001-systemd-fix-upstream-provided-service.patch -+Patch2: 0002-always-restart-memcached-service.patch - - BuildRequires: libevent-devel systemd-units - BuildRequires: perl-generators -@@ -44,6 +45,7 @@ access to the memcached binary include files. - %prep - %setup -q - %patch1 -p1 -b .unit -+%patch2 -p1 - - %build - # compile with full RELRO --- -1.8.3.1 - diff --git a/base/memcached/centos/meta_patches/0003-Add-dependencies-and-comment-out-incompatible-servic.patch b/base/memcached/centos/meta_patches/0003-Add-dependencies-and-comment-out-incompatible-servic.patch deleted file mode 100644 index 93beb0546..000000000 --- a/base/memcached/centos/meta_patches/0003-Add-dependencies-and-comment-out-incompatible-servic.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From bb6fd3da3ace960eb587e7ff01d5816ea2baaa54 Mon Sep 17 00:00:00 2001 -From: Jack Ding -Date: Sun, 13 May 2018 18:22:15 -0400 -Subject: [PATCH] Add dependencies and comment out incompatible service - parameters - ---- - SPECS/memcached.spec | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/SPECS/memcached.spec b/SPECS/memcached.spec -index f389035..86653a1 100644 ---- a/SPECS/memcached.spec -+++ b/SPECS/memcached.spec -@@ -17,6 +17,7 @@ Source1: memcached.sysconfig - # https://github.com/memcached/memcached/issues/218 - Patch1: 0001-systemd-fix-upstream-provided-service.patch - Patch2: 0002-always-restart-memcached-service.patch -+Patch3: 0003-Add-dependencies-and-comment-out-incompatible-servic.patch - - BuildRequires: libevent-devel systemd-units - BuildRequires: perl-generators -@@ -46,6 +47,7 @@ access to the memcached binary include files. - %setup -q - %patch1 -p1 -b .unit - %patch2 -p1 -+%patch3 -p1 - - %build - # compile with full RELRO --- -1.8.3.1 - diff --git a/base/memcached/centos/meta_patches/PATCH_ORDER b/base/memcached/centos/meta_patches/PATCH_ORDER deleted file mode 100644 index 163c84245..000000000 --- a/base/memcached/centos/meta_patches/PATCH_ORDER +++ /dev/null @@ -1,3 +0,0 @@ -0001-Update-package-versioning-for-TIS-format.patch -0002-always-restart-memcached-service.patch -0003-Add-dependencies-and-comment-out-incompatible-servic.patch diff --git a/base/memcached/centos/patches/0002-always-restart-memcached-service.patch b/base/memcached/centos/patches/0002-always-restart-memcached-service.patch deleted file mode 100644 index 5f899f13e..000000000 --- a/base/memcached/centos/patches/0002-always-restart-memcached-service.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From bb7b75184f7037e6d8d844874ae248fce1d06736 Mon Sep 17 00:00:00 2001 -From: Jack Ding -Date: Fri, 11 May 2018 15:24:28 -0400 -Subject: [PATCH] Always restart memcached service - ---- - scripts/memcached.service | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/scripts/memcached.service b/scripts/memcached.service -index 1bb9d33..8e58485 100644 ---- a/scripts/memcached.service -+++ b/scripts/memcached.service -@@ -71,5 +71,9 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX - # Takes away the ability to create or manage any kind of namespace - RestrictNamespaces=true - -+# WRS -+Restart=always -+RestartSec=0 -+ - [Install] - WantedBy=multi-user.target --- -1.8.3.1 - diff --git a/base/memcached/centos/patches/0003-Add-dependencies-and-comment-out-incompatible-servic.patch b/base/memcached/centos/patches/0003-Add-dependencies-and-comment-out-incompatible-servic.patch deleted file mode 100644 index a2ef1db58..000000000 --- a/base/memcached/centos/patches/0003-Add-dependencies-and-comment-out-incompatible-servic.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 1d9f43c5ecb20fe0a2a4abe9b94abd0d389edb40 Mon Sep 17 00:00:00 2001 -From: Jack Ding -Date: Mon, 14 May 2018 22:44:32 -0400 -Subject: [PATCH 2/2] Add dependencies and comment out incompatible service - parameters - ---- - scripts/memcached.service | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/scripts/memcached.service b/scripts/memcached.service -index 8e58485..021b8b4 100644 ---- a/scripts/memcached.service -+++ b/scripts/memcached.service -@@ -12,7 +12,7 @@ - [Unit] - Description=memcached daemon - Before=httpd.service --After=network.target -+After=network-online.target - - [Service] - EnvironmentFile=/etc/sysconfig/memcached -@@ -46,34 +46,34 @@ LimitNOFILE=16384 - # Explicit module loading will be denied. This allows to turn off module load and unload - # operations on modular kernels. It is recommended to turn this on for most services that - # do not need special file systems or extra kernel modules to work. --ProtectKernelModules=true -+#ProtectKernelModules=true - - # Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats, - # /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes - # of the unit. Usually, tunable kernel variables should only be written at boot-time, with the - # sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence - # recommended to turn this on for most services. --ProtectKernelTunables=true -+#ProtectKernelTunables=true - - # The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be - # made read-only to all processes of the unit. 
Except for container managers no services should - # require write access to the control groups hierarchies; it is hence recommended to turn this on - # for most services --ProtectControlGroups=true -+#ProtectControlGroups=true - - # Any attempts to enable realtime scheduling in a process of the unit are refused. --RestrictRealtime=true -+#RestrictRealtime=true - - # Restricts the set of socket address families accessible to the processes of this unit. - # Protects against vulnerabilities such as CVE-2016-8655 - RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX - - # Takes away the ability to create or manage any kind of namespace --RestrictNamespaces=true -+#RestrictNamespaces=true - - # WRS - Restart=always --RestartSec=0 -+RestartSec=10 - - [Install] - WantedBy=multi-user.target --- -1.8.3.1 - diff --git a/base/memcached/centos/srpm_path b/base/memcached/centos/srpm_path deleted file mode 100644 index dc4b6de47..000000000 --- a/base/memcached/centos/srpm_path +++ /dev/null @@ -1 +0,0 @@ -mirror:Source/memcached-1.4.39-1.el7.src.rpm diff --git a/centos_iso_image.inc b/centos_iso_image.inc index 3ebf82576..328facc58 100644 --- a/centos_iso_image.inc +++ b/centos_iso_image.inc @@ -104,6 +104,7 @@ collector # platform-util platform-util platform-util-noncontroller +platform-util-controller # monitor-tools monitor-tools diff --git a/centos_pkg_dirs b/centos_pkg_dirs index 7d3e286f1..bc6e1a196 100644 --- a/centos_pkg_dirs +++ b/centos_pkg_dirs @@ -97,7 +97,6 @@ security/tboot networking/mellanox/libibverbs kernel/kernel-modules/mlnx-ofa_kernel networking/mellanox/rdma-core -base/memcached config/puppet-modules/openstack/puppet-memcached-3.0.2 config/puppet-modules/openstack/puppet-horizon-9.5.0 config/puppet-modules/openstack/puppet-swift-11.3.0 diff --git a/utilities/platform-util/centos/build_srpm.data b/utilities/platform-util/centos/build_srpm.data index 8cae09b1e..c2ecd7719 100644 --- a/utilities/platform-util/centos/build_srpm.data 
+++ b/utilities/platform-util/centos/build_srpm.data @@ -1,4 +1,4 @@ SRC_DIR="platform-util" COPY_LIST_TO_TAR="scripts" -TIS_PATCH_VER=12 +TIS_PATCH_VER=13 diff --git a/utilities/platform-util/centos/platform-util.spec b/utilities/platform-util/centos/platform-util.spec index 12d9c510f..946b33da5 100644 --- a/utilities/platform-util/centos/platform-util.spec +++ b/utilities/platform-util/centos/platform-util.spec @@ -20,6 +20,12 @@ Summary: non controller platform utilities %description -n platform-util-noncontroller Platform utilities that don't get packaged on controller hosts +%package -n platform-util-controller +Summary: controller platform utilities + +%description -n platform-util-controller +Platform utilities that packaged on controllers or one node system + %define local_dir /usr/local %define local_bindir %{local_dir}/bin %define local_sbindir %{local_dir}/sbin @@ -52,6 +58,7 @@ install -m 700 -p -D %{_buildsubdir}/scripts/patch-restart-haproxy %{buildroot}% install -d %{buildroot}/etc/systemd/system install -m 644 -p -D %{_buildsubdir}/scripts/opt-platform.mount %{buildroot}/etc/systemd/system install -m 644 -p -D %{_buildsubdir}/scripts/opt-platform.service %{buildroot}/etc/systemd/system +install -m 644 -p -D %{_buildsubdir}/scripts/memcached.service %{buildroot}/etc/systemd/system # Mask the systemd ctrl-alt-delete.target, to disable reboot on ctrl-alt-del ln -sf /dev/null %{buildroot}/etc/systemd/system/ctrl-alt-del.target @@ -85,3 +92,7 @@ systemctl enable opt-platform.service # from parsing the fstab is not used by systemd. /etc/systemd/system/opt-platform.mount /etc/systemd/system/opt-platform.service + +%files -n platform-util-controller +%defattr(-,root,root,-) +/etc/systemd/system/memcached.service diff --git a/utilities/platform-util/scripts/memcached.service b/utilities/platform-util/scripts/memcached.service new file mode 100644 index 000000000..8dd1e891c --- /dev/null +++ b/utilities/platform-util/scripts/memcached.service 
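Review bot: The new `%package -n platform-util-controller` block in the `@@ -20,6 +20,12 @@` hunk declares no `Requires:` on the memcached package, yet the unit it ships (`/etc/systemd/system/memcached.service`, installed in the `@@ -52,6 +58,7 @@` hunk and listed under `%files` in the `@@ -85,3 +92,7 @@` hunk) launches `/usr/bin/memcached` and reads `/etc/sysconfig/memcached`, which the memcached package provides (the deleted meta-patch shows `Source1: memcached.sysconfig` in its spec). Unless a dependency is declared elsewhere in the spec outside these hunks, add `Requires: memcached` to the subpackage so the override unit cannot be installed without the daemon it starts and without the vendor unit it shadows. The `%description` text `Platform utilities that packaged on controllers or one node system` would read more clearly as `Platform utilities that are packaged on controllers or single-node systems`.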
@@ -0,0 +1,55 @@
+#
+# This service file is a customized version in platform-util package from
+# openstack/stx-integ project
+
+[Unit]
+Description=memcached daemon
+Before=httpd.service
+After=network-online.target
+
+[Service]
+EnvironmentFile=/etc/sysconfig/memcached
+ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
+
+# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
+# so this service cannot access the global directories and other processes cannot
+# access this service's directories.
+PrivateTmp=true
+
+# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
+ProtectSystem=full
+
+# Ensures that the service process and all its children can never gain new privileges
+NoNewPrivileges=true
+
+# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
+# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
+# but no physical devices such as /dev/sda.
+PrivateDevices=true
+
+# Required for dropping privileges and running as a different user
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+LimitNOFILE=16384
+
+# Attempts to create memory mappings that are writable and executable at the same time,
+# or to change existing memory mappings to become executable are prohibited.
+# XXX: this property is supported with systemd 231+ which is not yet on EL7
+# MemoryDenyWriteExecute=true
+
+# Restricts the set of socket address families accessible to the processes of this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# These service parameters are commented out since they are incompatible with
+# Centos 7 and generate warning messages when included.
+#ProtectKernelModules=true
+#ProtectKernelTunables=true
+#ProtectControlGroups=true
+#RestrictRealtime=true
+#RestrictNamespaces=true
+
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
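Review bot: The five hardening directives at the end of the `[Service]` section (`#ProtectKernelModules=true` through `#RestrictNamespaces=true`) are disabled unconditionally, so they stay off even when this unit later runs on a systemd that recognizes them, and the comment records only the warning messages as the reason. systemd ignores an unrecognized setting with a logged warning rather than failing the unit, so one option is to leave them active and accept the log noise on CentOS 7. If the warnings are to be avoided, record the condition for restoring them the way the `MemoryDenyWriteExecute` comment already does, e.g. `# TODO: re-enable once the platform systemd recognizes these directives (see MemoryDenyWriteExecute note above)`. The header comment could also state that this file overrides the vendor unit shipped by the memcached package, so operators know which copy is authoritative and where the original lives for comparison.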