| field | value | date |
|---|---|---|
| author | J. Grizzard <elfchief-github@lupine.org> | 2017-07-05 08:57:00 -0700 |
| committer | dormando <dormando@rydia.net> | 2018-02-19 21:52:06 -0800 |
| commit | 7141922a6188b00bc542b29c578506e0db52c9c7 (patch) | |
| tree | 388e01fd7649d48afb4649d3bc4812bef57460d8 /scripts | |
| parent | 4f3d6d6f8ce3b595bbe9fbcce67603f7134def63 (diff) | |
| download | memcached-7141922a6188b00bc542b29c578506e0db52c9c7.tar.gz | |
systemd instancing support & rpm build improvements
The major things this does are adding systemd support to the rpm .spec
file, and adding systemd instancing support. This means that it is
possible to run multiple memcached instances without having to do
any additional configuration or hack on init scripts.
To use:
systemctl start memcached@11211 memcached@11311 memcached@11411
sysconfig files at /etc/sysconfig/memcached.<port> will be read as
appropriate, to allow differing configurations per-port. Defaults
will be read from /etc/sysconfig/memcached before the port-specific
settings are read.
You can also still start memcached the standard way just by doing
"systemctl start memcached". This will read /etc/sysconfig/memcached
and nothing else.
The "enhanced security" lines in the systemd unit file will be commented
out on systems where we know systemd isn't new enough (fedora < 26 and
Redhat/CentOS 7), and enabled on other systems.
There are two versions of the .service file included, one for standard
memcached invocations and one for instanced invocations. The two are
very similar, but not identical. Ideally, we'd only have one version
in the source tree and we'd massage it with sed or somesuch during the
rpm build, but we couldn't think of a super clean way to do that, so erred
on the side of simplicity.
A decent amount of spec file work was needed to enable this functionality.
In the process, I also cleaned up several additional aspects of the spec
file (like using %{name} in places where it was appropriate). I also
commented out the automatic restart in the %postun section, for two main
reasons:
1. The try-restart for instanced memcached will produce an error if
instanced memcached isn't in use, which is probably quite confusing to
people who aren't using that functionality and are just trying to update
their package. (There are workarounds for this, but I try to keep pre/post
scripts as simple as humanly possible.)
2. Automatic restarts on updates means the cache gets flushed, which
means you can no longer safely use large-scale management tools (like
puppet or chef) to roll out new versions, at least not without a lot
of planning first. Not automatically dumping someone's caches feels
safer, here.
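The build-time gate on the "enhanced security" lines described above is easy to verify after the fact. This is an added example, not code from the memcached project: a small POSIX shell audit that reports which hardening directives in a unit file are live, which are still behind the `##safer##` marker, and strips the marker the way the rpm build is meant to. The sample unit it writes is constructed to mirror the shape of the shipped file.

```shell
#!/bin/sh
# Added example, not part of the memcached commit: audit a unit file for
# hardening directives the rpm build was supposed to uncomment. Lines that
# still carry the "##safer##" marker are hardening that is NOT in effect.

# Write a constructed sample unit (same shape as scripts/memcached@.service).
make_sample_unit() {
    cat > "$1" <<'EOF'
[Service]
ExecStart=/usr/bin/memcached -p %i -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
PrivateTmp=true
NoNewPrivileges=true
##safer##MemoryDenyWriteExecute=true
##safer##ProtectKernelModules=true
##safer##RestrictNamespaces=true
EOF
}

# Report whether a directive is active, disabled (marker present) or missing.
safer_state() {
    unit="$1"; directive="$2"
    if grep -q "^${directive}=" "$unit"; then echo active
    elif grep -q "^##safer##${directive}=" "$unit"; then echo disabled
    else echo missing
    fi
}

# Number of directives still behind the marker (0 means fully hardened).
count_disabled() {
    grep -c '^##safer##' "$1" || true
}

# What the build step is meant to do: strip the marker so the directive is
# live. Assumed precondition: the caller has already confirmed that the
# target systemd understands these settings (e.g. via `systemctl --version`).
enable_safer() {
    sed 's/^##safer##//' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```

Run `count_disabled /usr/lib/systemd/system/memcached@.service` on an installed host; any non-zero result means the package was built without the uncomment step.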
Diffstat (limited to 'scripts')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | scripts/memcached.service | 80 |
| -rw-r--r-- | scripts/memcached.sysconfig | 10 |
| -rw-r--r-- | scripts/memcached@.service | 89 |

3 files changed, 145 insertions, 34 deletions
diff --git a/scripts/memcached.service b/scripts/memcached.service index 2bfbb67..88a4b8a 100644 --- a/scripts/memcached.service +++ b/scripts/memcached.service @@ -1,10 +1,10 @@ # It's not recommended to modify this file in-place, because it will be # overwritten during upgrades. If you want to customize, the best # way is to use the "systemctl edit" command to create an override unit. - +# # For example, to pass additional options, create an override unit # (as is done by systemctl edit) and enter the following: - +# # [Service] # Environment=OPTIONS="-l 127.0.0.1,::1" 
@@ -17,56 +17,68 @@ After=network.target EnvironmentFile=/etc/sysconfig/memcached ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS -# Set up a new file system namespace and mounts private /tmp and /var/tmp directories -# so this service cannot access the global directories and other processes cannot -# access this service's directories. +# Set up a new file system namespace and mounts private /tmp and /var/tmp +# directories so this service cannot access the global directories and +# other processes cannot access this service's directories. PrivateTmp=true -# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit. +# Mounts the /usr, /boot, and /etc directories read-only for processes +# invoked by this unit. ProtectSystem=full -# Ensures that the service process and all its children can never gain new privileges +# Ensures that the service process and all its children can never gain new +# privileges NoNewPrivileges=true -# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices -# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, -# but no physical devices such as /dev/sda. +# Sets up a new /dev namespace for the executed processes and only adds API +# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as +# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda. PrivateDevices=true # Required for dropping privileges and running as a different user CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE -# Attempts to create memory mappings that are writable and executable at the same time, -# or to change existing memory mappings to become executable are prohibited. -MemoryDenyWriteExecute=true +# Restricts the set of socket address families accessible to the processes +# of this unit. 
Protects against vulnerabilities such as CVE-2016-8655 +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -# Explicit module loading will be denied. This allows to turn off module load and unload -# operations on modular kernels. It is recommended to turn this on for most services that -# do not need special file systems or extra kernel modules to work. -ProtectKernelModules=true -# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats, -# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes -# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the -# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence -# recommended to turn this on for most services. -ProtectKernelTunables=true +# Some security features are not in the older versions of systemd used by +# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package +# build time to uncomment them if the target platform supports them. -# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be -# made read-only to all processes of the unit. Except for container managers no services should -# require write access to the control groups hierarchies; it is hence recommended to turn this on -# for most services -ProtectControlGroups=true +# Attempts to create memory mappings that are writable and executable at +# the same time, or to change existing memory mappings to become executable +# are prohibited. +##safer##MemoryDenyWriteExecute=true -# Any attempts to enable realtime scheduling in a process of the unit are refused. -RestrictRealtime=true +# Explicit module loading will be denied. This allows to turn off module +# load and unload operations on modular kernels. It is recommended to turn +# this on for most services that do not need special file systems or extra +# kernel modules to work. 
+##safer##ProtectKernelModules=true -# Restricts the set of socket address families accessible to the processes of this unit. -# Protects against vulnerabilities such as CVE-2016-8655 -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, +# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq +# will be made read-only to all processes of the unit. Usually, tunable +# kernel variables should only be written at boot-time, with the sysctl.d(5) +# mechanism. Almost no services need to write to these at runtime; it is hence +# recommended to turn this on for most services. +##safer##ProtectKernelTunables=true + +# The Linux Control Groups (cgroups(7)) hierarchies accessible through +# /sys/fs/cgroup will be made read-only to all processes of the unit. +# Except for container managers no services should require write access +# to the control groups hierarchies; it is hence recommended to turn this +# on for most services +##safer##ProtectControlGroups=true + +# Any attempts to enable realtime scheduling in a process of the unit are +# refused. +##safer##RestrictRealtime=true # Takes away the ability to create or manage any kind of namespace -RestrictNamespaces=true +##safer##RestrictNamespaces=true [Install] WantedBy=multi-user.target diff --git a/scripts/memcached.sysconfig b/scripts/memcached.sysconfig new file mode 100644 index 0000000..bd46483 --- /dev/null +++ b/scripts/memcached.sysconfig @@ -0,0 +1,10 @@ +# These defaults will be used by every memcached instance, unless overridden +# by values in /etc/sysconfig/memcached.<port> +USER="nobody" +MAXCONN="1024" +CACHESIZE="64" +OPTIONS="" + +# The PORT variable will only be used by memcached.service, not by +# memcached@xxxxx services, which will use the xxxxx +PORT="11211" diff --git a/scripts/memcached@.service b/scripts/memcached@.service new file mode 100644 index 0000000..4e9f1d7 --- /dev/null 
+++ b/scripts/memcached@.service 
@@ -0,0 +1,89 @@ +# It's not recommended to modify this file in-place, because it will be +# overwritten during upgrades. If you want to customize, the best +# way is to use the "systemctl edit" command to create an override unit. +# +# For example, to pass additional options, create an override unit +# (as is done by systemctl edit) and enter the following: +# +# [Service] +# Environment=OPTIONS="-l 127.0.0.1,::1" +# +# To use the "instanced" version of this, just start 'memcached@11211' or +# whatever port you'd like. If /etc/sysconfig/memcached.<port> exists, it +# will be read first, so you can set different parameters for a given +# instance. + +[Unit] +Description=memcached daemon +After=network.target + +[Service] +EnvironmentFile=/etc/sysconfig/memcached +EnvironmentFile=-/etc/sysconfig/memcached.%i +ExecStart=/usr/bin/memcached -p %i -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS + +# Set up a new file system namespace and mounts private /tmp and /var/tmp +# directories so this service cannot access the global directories and +# other processes cannot access this service's directories. +PrivateTmp=true + +# Mounts the /usr, /boot, and /etc directories read-only for processes +# invoked by this unit. +ProtectSystem=full + +# Ensures that the service process and all its children can never gain new +# privileges +NoNewPrivileges=true + +# Sets up a new /dev namespace for the executed processes and only adds API +# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as +# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda. +PrivateDevices=true + +# Required for dropping privileges and running as a different user +CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE + +# Restricts the set of socket address families accessible to the processes +# of this unit. 
Protects against vulnerabilities such as CVE-2016-8655 +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + + +# Some security features are not in the older versions of systemd used by +# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package +# build time to uncomment them if the target platform supports them. + +# Attempts to create memory mappings that are writable and executable at +# the same time, or to change existing memory mappings to become executable +# are prohibited. +##safer##MemoryDenyWriteExecute=true + +# Explicit module loading will be denied. This allows to turn off module +# load and unload operations on modular kernels. It is recommended to turn +# this on for most services that do not need special file systems or extra +# kernel modules to work. +##safer##ProtectKernelModules=true + +# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, +# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq +# will be made read-only to all processes of the unit. Usually, tunable +# kernel variables should only be written at boot-time, with the sysctl.d(5) +# mechanism. Almost no services need to write to these at runtime; it is hence +# recommended to turn this on for most services. +##safer##ProtectKernelTunables=true + +# The Linux Control Groups (cgroups(7)) hierarchies accessible through +# /sys/fs/cgroup will be made read-only to all processes of the unit. +# Except for container managers no services should require write access +# to the control groups hierarchies; it is hence recommended to turn this +# on for most services +##safer##ProtectControlGroups=true + +# Any attempts to enable realtime scheduling in a process of the unit are +# refused. +##safer##RestrictRealtime=true + +# Takes away the ability to create or manage any kind of namespace +##safer##RestrictNamespaces=true + +[Install] +WantedBy=multi-user.target |
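Review bot: in the memcached.service hunk (@@ -17,56 +17,68 @@), the `##safer##` scheme fails open. The in-tree unit now ships with MemoryDenyWriteExecute, ProtectKernelModules, ProtectKernelTunables, ProtectControlGroups, RestrictRealtime and RestrictNamespaces commented out, and per the comment they only become live if the rpm build's uncomment step runs; anyone who installs scripts/memcached.service directly (a distro package that copies the file, a non-rpm deployment) silently loses six directives that were unconditionally enabled before this change. Consider inverting it so the source file keeps them enabled and the spec comments them out only on the platforms known to lack them, or at least state in the comment that the in-tree copy is the weakened variant, e.g. "NOTE: as shipped in the source tree these settings are OFF".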
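Review bot: in the new scripts/memcached.sysconfig, `OPTIONS=""` means nothing in the shipped defaults constrains the listen address, while the unit header treats `-l 127.0.0.1,::1` as the thing operators are expected to add through an override. Since this file is the documented place for defaults and per-port settings, add a commented hint such as `#OPTIONS="-l 127.0.0.1,::1"` (or ship the loopback default) so an instance started with `systemctl start memcached@11311` is not reachable more widely than intended. Also worth a second look: `USER="nobody"` shares a uid with every other nobody service on the host, so a dedicated service account would isolate memcached's files and sockets better than PrivateTmp alone.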
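Review bot: in the new scripts/memcached@.service there are two consecutive blank lines between the `RestrictAddressFamilies=` line and the `##safer##` comment block; drop one. More substantively, the hardening block is a verbatim copy of the one in memcached.service, which the commit message acknowledges, so a later tightening of one file will drift from the other; a build-time check that the two units differ only in the `EnvironmentFile=-/etc/sysconfig/memcached.%i` line and the `-p %i` argument would catch that. The EnvironmentFile order is correct as written: the optional per-port file comes after the required defaults file, so its values take precedence.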