SELinux: Support for SELinux on RedHat platforms

Enable support for SELinux on RedHat platforms. The SELinux resource
is applied before the installation of OpenStack takes place.
This commit is contained in:
Yanis Guenane 2014-10-17 10:00:49 -04:00 committed by Emilien Macchi
parent 4244907f34
commit 3d07cdedc0
11 changed files with 332 additions and 467 deletions


@ -170,6 +170,7 @@ class cloud::database::sql (
$mysql_client_package_name = 'mariadb'
$wsrep_provider = '/usr/lib64/galera/libgalera_smm.so'
$mysql_server_config_file = '/etc/my.cnf'
$mysql_init_file = '/usr/lib/systemd/system/mysql-bootstrap.service'
if $::hostname == $galera_master_name {
$mysql_service_name = 'mysql-bootstrap'
@ -204,6 +205,7 @@ class cloud::database::sql (
$mysql_client_package_name = 'mariadb-client'
$wsrep_provider = '/usr/lib/galera/libgalera_smm.so'
$mysql_server_config_file = '/etc/mysql/my.cnf'
$mysql_init_file = '/etc/init.d/mysql-bootstrap'
if $::hostname == $galera_master_name {
$mysql_service_name = 'mysql-bootstrap'
@ -239,7 +241,7 @@ class cloud::database::sql (
# To check that the mysqld support the options you can :
# strings `which mysqld` | grep wsrep-new-cluster
# TODO: to be remove as soon as the API 25 is packaged, ie galera 3 ...
file { '/etc/init.d/mysql-bootstrap':
file { $mysql_init_file :
content => template("cloud/database/etc_initd_mysql_${::osfamily}"),
owner => 'root',
mode => '0755',
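Review bot: On RedHat the managed path is now a systemd unit (`/usr/lib/systemd/system/mysql-bootstrap.service`, L18) but the file resource keeps `mode => '0755'` (L36), the init-script mode; a unit file is data rather than an executable and is conventionally 0644, so the mode should follow `$::osfamily` the same way the path does, e.g. `$mysql_init_file_mode = '0644'` in the RedHat branch, `$mysql_init_file_mode = '0755'` in the Debian branch and `mode => $mysql_init_file_mode` in the resource. A unit dropped under /usr/lib/systemd/system is also not known to systemd until `systemctl daemon-reload` runs; I cannot see whether the remainder of the resource notifies an exec that does this, so if it does not, the `mysql-bootstrap` service start will fail on first run. The `file { $mysql_init_file : }` resource continues past the end of the hunk.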


@ -18,13 +18,19 @@
# Installs the private cloud system requirements
#
class cloud(
$rhn_registration = undef,
$root_password = 'root',
$dns_ips = ['8.8.8.8', '8.8.4.4'],
$site_domain = 'mydomain',
$motd_title = 'eNovance IT Operations',
$rhn_registration = undef,
$root_password = 'root',
$dns_ips = ['8.8.8.8', '8.8.4.4'],
$site_domain = 'mydomain',
$motd_title = 'eNovance IT Operations',
$selinux_mode = 'permissive',
$selinux_directory = '/usr/share/selinux',
$selinux_booleans = [],
$selinux_modules = [],
) {
include ::stdlib
if ! ($::osfamily in [ 'RedHat', 'Debian' ]) {
fail("OS family unsuppored yet (${::osfamily}), module puppet-openstack-cloud only support RedHat or Debian")
}
@ -59,6 +65,17 @@ This node is under the control of Puppet ${::puppetversion}.
# NTP
include ::ntp
# SELinux
if $::osfamily == 'RedHat' {
class {'cloud::selinux' :
mode => $selinux_mode,
booleans => $selinux_booleans,
modules => $selinux_modules,
directory => $selinux_directory,
stage => 'setup',
}
}
# Strong root password for all servers
user { 'root':
ensure => 'present',
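Review bot: The four new parameters (`$selinux_mode`, `$selinux_directory`, `$selinux_booleans`, `$selinux_modules`, L54-L57) have no entry in the class header's parameter documentation; that header sits above the hunk so I cannot confirm its contents, but the module documents every parameter in `[*name*]` form elsewhere (see manifests/selinux.pp in this commit). Add `[*selinux_mode*]`, `[*selinux_directory*]`, `[*selinux_booleans*]` and `[*selinux_modules*]` entries mirroring those in cloud::selinux, stating that they are only consumed when `$::osfamily == 'RedHat'` (L67). The default `$selinux_directory = '/usr/share/selinux'` (L55) also differs from the `'/usr/share/selinux/'` default in cloud::selinux (trailing slash); pick one spelling so the two classes agree. The `class cloud(` body continues past the end of the second hunk.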


@ -302,7 +302,8 @@ class cloud::loadbalancer(
}
keepalived::vrrp_script { 'haproxy':
name_is_process => true
name_is_process => $::cloud::params::keepalived_name_is_process,
script => $::cloud::params::keepalived_vrrp_script,
}
keepalived::instance { '1':


@ -39,16 +39,20 @@ class cloud::params {
case $::osfamily {
'RedHat': {
# Specific to Red Hat
$start_haproxy_service = '"/usr/bin/systemctl start haproxy"'
$stop_haproxy_service = '"/usr/bin/systemctl stop haproxy"'
$horizon_auth_url = 'dashboard'
$libvirt_service_name = 'libvirtd'
$start_haproxy_service = '"/usr/bin/systemctl start haproxy"'
$stop_haproxy_service = '"/usr/bin/systemctl stop haproxy"'
$horizon_auth_url = 'dashboard'
$libvirt_service_name = 'libvirtd'
$keepalived_name_is_process = false
$keepalived_vrrp_script = 'systemctl status haproxy.service'
} # RedHat
'Debian': {
# Specific to Debian / Ubuntu
$start_haproxy_service = '"/etc/init.d/haproxy start"'
$stop_haproxy_service = '"/etc/init.d/haproxy stop"'
$horizon_auth_url = 'horizon'
$start_haproxy_service = '"/etc/init.d/haproxy start"'
$stop_haproxy_service = '"/etc/init.d/haproxy stop"'
$horizon_auth_url = 'horizon'
$keepalived_name_is_process = true
$keepalived_vrrp_script = undef
case $::operatingsystem {
'Ubuntu': {
$libvirt_service_name = 'libvirt-bin'
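Review bot: `$keepalived_vrrp_script = 'systemctl status haproxy.service'` (L106) is consumed as a keepalived track script, where only the exit status matters; `systemctl status` dumps the unit's journal tail on every check interval and is not intended as a scripting interface, whereas `systemctl is-active` exists for exactly this purpose (exit 0 only while the unit is active). Suggest `$keepalived_vrrp_script = 'systemctl is-active --quiet haproxy.service'`; the matching fixture value in the loadbalancer spec (L279) changes with it. The `case $::osfamily` block continues past the end of the hunk.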

96
manifests/selinux.pp Normal file

@ -0,0 +1,96 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::selinux
#
# Helper class to configure SELinux on nodes
#
# === Parameters:
#
# [*mode*]
# (optional) SELinux mode the system should be in
# Defaults to 'permissive'
# Possible values : disabled, permissive, enforcing
#
# [*directory*]
# (optional) Path where to find the SELinux modules
# Defaults to '/usr/share/selinux'
#
# [*booleans*]
# (optional) Set of booleans to persistenly enables
# SELinux booleans are the one getsebool -a returns
# Defaults []
# Example: ['rsync_full_access', 'haproxy_connect_any']
#
# [*modules*]
# (optional) Set of modules to load on the system
# Defaults []
# Example: ['module1', 'module2']
# Note: Those module should be in the $directory path
#
class cloud::selinux (
$mode = 'permissive',
$directory = '/usr/share/selinux/',
$booleans = [],
$modules = [],
) {
if $::osfamily != 'RedHat' {
fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS")
}
Selboolean {
persistent => true,
value => 'on',
}
Selmodule {
ensure => present,
selmoduledir => $directory,
}
file { '/etc/selinux/config':
ensure => present,
mode => '0444',
content => template('cloud/selinux/sysconfig_selinux.erb')
}
$current_mode = $::selinux? {
'false' => 'disabled',
false => 'disabled',
default => $::selinux_current_mode,
}
if $current_mode != $mode {
case $mode {
/^(disabled|permissive)$/: {
if $current_mode == 'enforcing' {
exec { 'setenforce 0': }
}
}
'enforcing': {
exec { 'setenforce 1': }
}
default: {
fail('You must specify a mode (enforcing, permissive, or disabled)')
}
}
}
selboolean { $booleans : }
selmodule { $modules: }
}
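Review bot: Both execs (`exec { 'setenforce 0': }` L200, `exec { 'setenforce 1': }` L204) give neither a fully qualified command nor a `path`, so the catalog compiles (which is why the spec passes) but the agent rejects them at apply time as unqualified commands. The `'enforcing'` branch has a second problem: when the `$::selinux` fact is false, `$current_mode` becomes 'disabled' (L191-L195), and `setenforce 1` cannot enable SELinux on a system booted with it disabled — only the `/etc/selinux/config` write plus a reboot can — so that exec should run only when `$current_mode == 'permissive'`; the 'with selinux enforcing' context of the new spec (L334-L346) currently pins exactly the failing case. Nothing orders the `selboolean`/`selmodule` resources before `setenforce 1` either, so enforcement can be switched on before the booleans and modules the services depend on are loaded. The header should also state that a transition to or from 'disabled' only completes at the next boot, and the default `$directory = '/usr/share/selinux/'` (L171) disagrees with the documented `'/usr/share/selinux'` (L155).
```puppet
  if $current_mode != $mode {
    case $mode {
      /^(disabled|permissive)$/: {
        if $current_mode == 'enforcing' {
          exec { 'setenforce 0':
            path => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
          }
        }
      }
      'enforcing': {
        # setenforce only toggles between permissive and enforcing; from
        # 'disabled' the config file written above takes effect at reboot.
        if $current_mode == 'permissive' {
          exec { 'setenforce 1':
            path => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
          }
          # load booleans and modules before enforcement is switched on
          Selboolean <| |> -> Exec['setenforce 1']
          Selmodule <| |> -> Exec['setenforce 1']
        }
      }
      # … unchanged: default branch with fail() …
    }
  }
```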


@ -85,6 +85,27 @@ describe 'cloud' do
#it_configures 'private cloud node'
xit { is_expected.to contain_rhn_register('rhn-redhat1') }
context 'with SELinux set to enforcing' do
let :params do
{ :selinux_mode => 'enforcing',
:selinux_modules => ['module1', 'module2'],
:selinux_booleans => ['foo', 'bar'],
:selinux_directory => '/path/to/modules'}
end
it 'set SELINUX=enforcing' do
is_expected.to contain_class('cloud::selinux').with(
:mode => params[:selinux_mode],
:booleans => params[:selinux_booleans],
:modules => params[:selinux_modules],
:directory => params[:selinux_directory],
:stage => 'setup',
)
end
end
end
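Review bot: The new context only pins the positive case — that `cloud::selinux` is declared with the given parameters — but nothing asserts the `$::osfamily == 'RedHat'` guard from the other side. A single `it { is_expected.not_to contain_class('cloud::selinux') }` in the non-RedHat contexts would catch the guard being dropped; the 'on other platforms' context opens on the hunk's last line (L238) but its body is outside the hunk, so I cannot tell whether it already carries such an example. The enclosing RedHat context also starts above the hunk.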
context 'on other platforms' do


@ -171,6 +171,15 @@ describe 'cloud::loadbalancer' do
end
end
context 'configure keepalived with proper haproxy track script' do
it 'configure keepalived with a proper haproxy track script' do
is_expected.to contain_keepalived__vrrp_script('haproxy').with({
'name_is_process' => platform_params[:keepalived_name_is_process],
'script' => platform_params[:keepalived_vrrp_script],
})
end
end
context 'when keepalived and HAproxy are in backup' do
it 'configure vrrp_instance with BACKUP state' do
is_expected.to contain_keepalived__instance('1').with({
@ -516,9 +525,11 @@ describe 'cloud::loadbalancer' do
end
let :platform_params do
{ :auth_url => 'horizon',
:start_haproxy_service => '"/etc/init.d/haproxy start"',
:stop_haproxy_service => '"/etc/init.d/haproxy stop"',
{ :auth_url => 'horizon',
:start_haproxy_service => '"/etc/init.d/haproxy start"',
:stop_haproxy_service => '"/etc/init.d/haproxy stop"',
:keepalived_name_is_process => 'true',
:keepalived_vrrp_script => nil,
}
end
@ -533,13 +544,14 @@ describe 'cloud::loadbalancer' do
end
let :platform_params do
{ :auth_url => 'dashboard',
:start_haproxy_service => '"/usr/bin/systemctl start haproxy"',
:stop_haproxy_service => '"/usr/bin/systemctl stop haproxy"',
{ :auth_url => 'dashboard',
:start_haproxy_service => '"/usr/bin/systemctl start haproxy"',
:stop_haproxy_service => '"/usr/bin/systemctl stop haproxy"',
:keepalived_name_is_process => 'false',
:keepalived_vrrp_script => 'systemctl status haproxy.service',
}
end
it_configures 'openstack loadbalancer'
end
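Review bot: `:keepalived_name_is_process => 'true'` and `=> 'false'` (L265, L278) are strings, while manifests/params.pp sets the booleans `true` and `false` (L105, L116); rspec-puppet's `.with` stringifies both sides, so the examples pass without distinguishing the boolean from the string, even though in Puppet 3 the string 'false' is truthy and would silently invert the `name_is_process` setting. Use `:keepalived_name_is_process => true` and `:keepalived_name_is_process => false` so the fixture mirrors the manifest and a regression to a string shows up. The `let :platform_params` blocks are complete within their hunks; the surrounding contexts are not.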


@ -0,0 +1,107 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for cloud::cache
#
require 'spec_helper'
describe 'cloud::selinux' do
shared_examples_for 'manage selinux' do
context 'with selinux disabled' do
before :each do
facts.merge!( :selinux_current_mode => 'enforcing' )
end
let :params do
{ :mode => 'disabled',
:booleans => ['foo', 'bar'],
:modules => ['module1', 'module2'],
:directory => '/path/to/modules'}
end
it 'runs setenforce 0' do
is_expected.to contain_exec('setenforce 0')
end
it 'enables the SELinux boolean' do
is_expected.to contain_selboolean('foo').with(
:persistent => true,
:value => 'on',
)
end
it 'enables the SELinux modules' do
is_expected.to contain_selmodule('module1').with(
:ensure => 'present',
:selmoduledir => '/path/to/modules',
)
end
end
context 'with selinux enforcing' do
before :each do
facts.merge!( :selinux => 'false' )
end
let :params do
{ :mode => 'enforcing',
:booleans => ['foo', 'bar'],
:modules => ['module1', 'module2'],
:directory => '/path/to/modules'}
end
it 'runs setenforce 1' do
is_expected.to contain_exec('setenforce 1')
end
it 'enables the SELinux boolean' do
is_expected.to contain_selboolean('foo').with(
:persistent => true,
:value => 'on',
)
end
it 'enables the SELinux modules' do
is_expected.to contain_selmodule('module1').with(
:ensure => 'present',
:selmoduledir => '/path/to/modules',
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian' }
end
it_raises 'a Puppet::Error', /OS family unsuppored yet \(Debian\), SELinux support is only limited to RedHat family OS/
end
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat' }
end
it_configures 'manage selinux'
end
end
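Review bot: The header says `# Unit tests for cloud::cache` (L303) while the file describes `cloud::selinux`; change it to `# Unit tests for cloud::selinux`. Two paths of the class have no example: nothing checks `contain_file('/etc/selinux/config')` with the templated content, and no context passes an invalid `:mode` to assert the `fail('You must specify a mode ...')` branch raises, which in this file's style is one `it_raises 'a Puppet::Error', /You must specify a mode/` under a context with `:mode => 'bogus'`. Each context also asserts only `foo` and `module1` out of the two-element arrays; asserting the second element as well would confirm the array title expands to one resource per entry.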


@ -1,451 +1,45 @@
#!/bin/sh
# Copyright Abandoned 1996 TCX DataKonsult AB & Monty Program KB & Detron HB
# This file is public domain and comes with NO WARRANTY of any kind
# MySQL daemon start/stop script.
# Usually this is put in /etc/init.d (at least on machines SYSV R4 based
# systems) and linked to /etc/rc3.d/S99mysql and /etc/rc0.d/K01mysql.
# When this is done the mysql server will be started when the machine is
# started and shut down when the systems goes down.
# Comments to support chkconfig on RedHat Linux
# chkconfig: 2345 64 36
# description: A very fast and reliable SQL database engine.
# Comments to support LSB init script conventions
### BEGIN INIT INFO
# Provides: mysql
# Required-Start: $local_fs $network $remote_fs
# Should-Start: ypbind nscd ldap ntpd xntpd
# Required-Stop: $local_fs $network $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop MySQL
# Description: MySQL is a very fast and reliable SQL database engine.
### END INIT INFO
# If you install MySQL on some other places than /usr, then you
# have to do one of the following things for this script to work:
# It's not recommended to modify this file in-place, because it will be
# overwritten during package upgrades. If you want to customize, the
# best way is to create a file "/etc/systemd/system/mariadb.service",
# containing
# .include /lib/systemd/system/mariadb.service
# ...make your changes here...
# or create a file "/etc/systemd/system/mariadb.service.d/foo.conf",
# which doesn't need to include ".include" call and which will be parsed
# after the file mariadb.service itself is parsed.
#
# - Run this script from within the MySQL installation directory
# - Create a /etc/my.cnf file with the following information:
# [mysqld]
# basedir=<path-to-mysql-installation-directory>
# - Add the above to any other configuration file (for example ~/.my.ini)
# and copy my_print_defaults to /usr/bin
# - Add the path to the mysql-installation-directory to the basedir variable
# below.
#
# If you want to affect other MySQL variables, you should make your changes
# in the /etc/my.cnf, ~/.my.cnf or other MySQL configuration files.
# For more info about custom unit files, see systemd.unit(5) or
# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
# For example, if you want to increase mysql's open-files-limit to 10000,
# you need to increase systemd's LimitNOFILE setting, so create a file named
# "/etc/systemd/system/mariadb.service.d/limits.conf" containing:
# [Service]
# LimitNOFILE=10000
# Note: /usr/lib/... is recommended in the .include line though /lib/...
# still works.
# Don't forget to reload systemd daemon after you change unit configuration:
# root> systemctl --system daemon-reload
# If you change base dir, you must also change datadir. These may get
# overwritten by settings in the MySQL configuration files.
[Unit]
Description=MariaDB database server
After=syslog.target
After=network.target
basedir=
datadir=<%= scope.lookupvar('::mysql::datadir') %>
[Service]
Type=simple
User=mysql
Group=mysql
ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n
# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
# per bug #547485
ExecStart=/usr/bin/mysqld_safe --wsrep-new-cluster --basedir=/usr
ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID
# Default value, in seconds, afterwhich the script should timeout waiting
# for server start.
# Value here is overriden by value in my.cnf.
# 0 means don't wait at all
# Negative numbers mean to wait indefinitely
service_startup_timeout=900
startup_sleep=1
# Give a reasonable amount of time for the server to start up/shut down
TimeoutSec=300
# Lock directory for RedHat / SuSE.
lockdir='/var/lock/subsys'
lock_file_path="$lockdir/mysql"
# Place temp files in a secure directory, not /tmp
PrivateTmp=true
# The following variables are only set for letting mysql.server find things.
# Set some defaults
mysqld_pid_file_path=
if test -z "$basedir"
then
basedir=/usr
bindir=/usr/bin
if test -z "$datadir"
then
datadir=/var/lib/mysql
fi
sbindir=/usr/sbin
libexecdir=/usr/sbin
else
bindir="$basedir/bin"
if test -z "$datadir"
then
datadir="$basedir/data"
fi
sbindir="$basedir/sbin"
if test -f "$basedir/bin/mysqld"
then
libexecdir="$basedir/bin"
else
libexecdir="$basedir/libexec"
fi
fi
# datadir_set is used to determine if datadir was set (and so should be
# *not* set inside of the --basedir= handler.)
datadir_set=
#
# Use LSB init script functions for printing messages, if possible
#
lsb_functions="/lib/lsb/init-functions"
if test -f $lsb_functions ; then
. $lsb_functions
else
log_success_msg()
{
echo " SUCCESS! $@"
}
log_failure_msg()
{
echo " ERROR! $@"
}
fi
PATH="/sbin:/usr/sbin:/bin:/usr/bin:$basedir/bin"
export PATH
mode=$1 # start or stop
[ $# -ge 1 ] && shift
other_args="$*" # uncommon, but needed when called from an RPM upgrade action
# Expected: "--skip-networking --skip-grant-tables"
# They are not checked here, intentionally, as it is the resposibility
# of the "spec" file author to give correct arguments only.
case `echo "testing\c"`,`echo -n testing` in
*c*,-n*) echo_n= echo_c= ;;
*c*,*) echo_n=-n echo_c= ;;
*) echo_n= echo_c='\c' ;;
esac
parse_server_arguments() {
for arg do
case "$arg" in
--basedir=*) basedir=`echo "$arg" | sed -e 's/^[^=]*=//'`
bindir="$basedir/bin"
if test -z "$datadir_set"; then
datadir="$basedir/data"
fi
sbindir="$basedir/sbin"
if test -f "$basedir/bin/mysqld"
then
libexecdir="$basedir/bin"
else
libexecdir="$basedir/libexec"
fi
libexecdir="$basedir/libexec"
;;
--datadir=*) datadir=`echo "$arg" | sed -e 's/^[^=]*=//'`
datadir_set=1
;;
--pid-file=*) mysqld_pid_file_path=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
--service-startup-timeout=*) service_startup_timeout=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
esac
done
}
wait_for_pid () {
verb="$1" # created | removed
pid="$2" # process ID of the program operating on the pid-file
pid_file_path="$3" # path to the PID file.
sst_progress_file=$datadir/sst_in_progress
i=0
avoid_race_condition="by checking again"
while test $i -ne $service_startup_timeout ; do
case "$verb" in
'created')
# wait for a PID-file to pop into existence.
test -s "$pid_file_path" && i='' && break
;;
'removed')
# wait for this PID-file to disappear
test ! -s "$pid_file_path" && i='' && break
;;
*)
echo "wait_for_pid () usage: wait_for_pid created|removed pid pid_file_path"
exit 1
;;
esac
# if server isn't running, then pid-file will never be updated
if test -n "$pid"; then
if kill -0 "$pid" 2>/dev/null; then
: # the server still runs
else
# The server may have exited between the last pid-file check and now.
if test -n "$avoid_race_condition"; then
avoid_race_condition=""
continue # Check again.
fi
# there's nothing that will affect the file.
log_failure_msg "The server quit without updating PID file ($pid_file_path)."
return 1 # not waiting any more.
fi
fi
if test -e $sst_progress_file && [ $startup_sleep -ne 10 ];then
echo $echo_n "SST in progress, setting sleep higher"
startup_sleep=10
fi
echo $echo_n ".$echo_c"
i=`expr $i + 1`
sleep $startup_sleep
done
if test -z "$i" ; then
log_success_msg
return 0
else
log_failure_msg
return 1
fi
}
# Get arguments from the my.cnf file,
# the only group, which is read from now on is [mysqld]
if test -x ./bin/my_print_defaults
then
print_defaults="./bin/my_print_defaults"
elif test -x $bindir/my_print_defaults
then
print_defaults="$bindir/my_print_defaults"
elif test -x $bindir/mysql_print_defaults
then
print_defaults="$bindir/mysql_print_defaults"
else
# Try to find basedir in /etc/my.cnf
conf=/etc/my.cnf
print_defaults=
if test -r $conf
then
subpat='^[^=]*basedir[^=]*=\(.*\)$'
dirs=`sed -e "/$subpat/!d" -e 's//\1/' $conf`
for d in $dirs
do
d=`echo $d | sed -e 's/[ ]//g'`
if test -x "$d/bin/my_print_defaults"
then
print_defaults="$d/bin/my_print_defaults"
break
fi
if test -x "$d/bin/mysql_print_defaults"
then
print_defaults="$d/bin/mysql_print_defaults"
break
fi
done
fi
# Hope it's in the PATH ... but I doubt it
test -z "$print_defaults" && print_defaults="my_print_defaults"
fi
#
# Read defaults file from 'basedir'. If there is no defaults file there
# check if it's in the old (depricated) place (datadir) and read it from there
#
extra_args=""
if test -r "$basedir/my.cnf"
then
extra_args="-e $basedir/my.cnf"
else
if test -r "$datadir/my.cnf"
then
extra_args="-e $datadir/my.cnf"
fi
fi
parse_server_arguments `$print_defaults $extra_args mysqld server mysql_server mysql.server`
#
# Set pid file if not given
#
if test -z "$mysqld_pid_file_path"
then
mysqld_pid_file_path=$datadir/`hostname`.pid
else
case "$mysqld_pid_file_path" in
/* ) ;;
* ) mysqld_pid_file_path="$datadir/$mysqld_pid_file_path" ;;
esac
fi
case "$mode" in
'start')
# Start daemon
# Safeguard (relative paths, core dumps..)
cd $basedir
echo $echo_n "Starting MySQL"
if test -x $bindir/mysqld_safe
then
# Give extra arguments to mysqld with the my.cnf file. This script
# may be overwritten at next upgrade.
# Start MariaDB! in a Galera setup we want to use
# new-cluster only when the galera cluster hasn't been
# bootstraped
if [ -e ${datadir}/grastate.dat ]; then
# normal boot
$bindir/mysqld_safe --datadir="$datadir" --pid-file="$mysqld_pid_file_path" $other_args >/dev/null 2>&1 &
else
# bootstrap boot
$bindir/mysqld_safe --wsrep-new-cluster --datadir="$datadir" --pid-file="$mysqld_pid_file_path" $other_args >/dev/null 2>&1 &
fi
wait_for_pid created "$!" "$mysqld_pid_file_path"; return_value=$?
# Make lock for RedHat / SuSE
if test -w "$lockdir"
then
touch "$lock_file_path"
fi
exit $return_value
else
log_failure_msg "Couldn't find MySQL server ($bindir/mysqld_safe)"
fi
;;
'stop')
# Stop daemon. We use a signal here to avoid having to know the
# root password.
if test -s "$mysqld_pid_file_path"
then
mysqld_pid=`cat "$mysqld_pid_file_path"`
if (kill -0 $mysqld_pid 2>/dev/null)
then
echo $echo_n "Shutting down MySQL"
kill $mysqld_pid
# mysqld should remove the pid file when it exits, so wait for it.
wait_for_pid removed "$mysqld_pid" "$mysqld_pid_file_path"; return_value=$?
else
log_failure_msg "MySQL server process #$mysqld_pid is not running!"
rm "$mysqld_pid_file_path"
fi
# Delete lock for RedHat / SuSE
if test -f "$lock_file_path"
then
rm -f "$lock_file_path"
fi
exit $return_value
else
log_failure_msg "MySQL server PID file could not be found!"
fi
;;
'restart')
# Stop the service and regardless of whether it was
# running or not, start it again.
if $0 stop $other_args; then
$0 start $other_args
else
log_failure_msg "Failed to stop running server, so refusing to try to start."
exit 1
fi
;;
'reload'|'force-reload')
if test -s "$mysqld_pid_file_path" ; then
read mysqld_pid < "$mysqld_pid_file_path"
kill -HUP $mysqld_pid && log_success_msg "Reloading service MySQL"
touch "$mysqld_pid_file_path"
else
log_failure_msg "MySQL PID file could not be found!"
exit 1
fi
;;
'status')
# First, check to see if pid file exists
if test -s "$mysqld_pid_file_path" ; then
read mysqld_pid < "$mysqld_pid_file_path"
if kill -0 $mysqld_pid 2>/dev/null ; then
log_success_msg "MySQL running ($mysqld_pid)"
exit 0
else
log_failure_msg "MySQL is not running, but PID file exists"
exit 1
fi
else
# Try to find appropriate mysqld process
mysqld_pid=`pidof $libexecdir/mysqld`
# test if multiple pids exist
pid_count=`echo $mysqld_pid | wc -w`
if test $pid_count -gt 1 ; then
log_failure_msg "Multiple MySQL running but PID file could not be found ($mysqld_pid)"
exit 5
elif test -z $mysqld_pid ; then
if test -f "$lock_file_path" ; then
log_failure_msg "MySQL is not running, but lock file ($lock_file_path) exists"
exit 2
fi
log_failure_msg "MySQL is not running"
exit 3
else
log_failure_msg "MySQL is running but PID file could not be found"
exit 4
fi
fi
;;
'configtest')
# Safeguard (relative paths, core dumps..)
cd $basedir
echo $echo_n "Testing MySQL configuration syntax"
daemon=$bindir/mysqld
if test -x $libexecdir/mysqld
then
daemon=$libexecdir/mysqld
elif test -x $sbindir/mysqld
then
daemon=$sbindir/mysqld
elif test -x `which mysqld`
then
daemon=`which mysqld`
else
log_failure_msg "Unable to locate the mysqld binary!"
exit 1
fi
help_out=`$daemon --help 2>&1`; r=$?
if test "$r" != 0 ; then
log_failure_msg "$help_out"
log_failure_msg "There are syntax errors in the server configuration. Please fix them!"
else
log_success_msg "Syntax OK"
fi
exit $r
;;
'bootstrap')
# Bootstrap the cluster, start the first node
# that initiate the cluster
echo $echo_n "Bootstrapping the cluster"
$0 start $other_args --wsrep-new-cluster
;;
*)
# usage
basename=`basename "$0"`
echo "Usage: $basename {start|stop|restart|reload|force-reload|status|configtest|bootstrap} [ MySQL server options ]"
exit 1
;;
esac
exit 0
[Install]
WantedBy=multi-user.target
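Review bot: The new unit starts the server with `--wsrep-new-cluster` unconditionally (`ExecStart=/usr/bin/mysqld_safe --wsrep-new-cluster --basedir=/usr`, L449), whereas the init script it replaces only bootstrapped when `grastate.dat` was absent and otherwise started normally (L679-L685, removed side). Any later start of `mysql-bootstrap` on a node whose data directory already holds cluster state will therefore form a fresh single-node cluster instead of rejoining the existing one, which is a split-brain risk the old script avoided. A guard in the `[Unit]` section such as `ConditionPathExists=!/var/lib/mysql/grastate.dat` (matching the `datadir` set in the my.cnf template, L824) makes the unit a no-op once the cluster exists, and a comment in the unit saying it is meant to run once on the master would make the intent explicit. As far as this diff shows, the conditional bootstrap behaviour is dropped rather than moved elsewhere.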


@ -63,7 +63,7 @@ wsrep_provider_options = "gcache.size=<%= @galera_gcache %>;gcs.fc_mast
# and wsrep_sst_xtrabackup take only one configuration file and use the last one
# (/etc/mysql/my.cnf is not used)
datadir = /var/lib/mysql
tmpdir = /dev/shm
tmpdir = /tmp/
innodb_flush_method = O_DIRECT
innodb_log_buffer_size = 32M
innodb_log_file_size = 256M
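Review bot: The switch of `tmpdir` from `/dev/shm` to `/tmp/` (L825-L826) carries no explanation in the template, and the two differ in more than location: /dev/shm is memory-backed, while /tmp is shared with every local user and may be disk-backed, so temp-table performance and exposure both change. If the motivation is SELinux labelling on RedHat — the `PrivateTmp=true` in the new unit (L464) hints that the service gets its own /tmp there — record it, e.g. `# tmpdir is /tmp rather than /dev/shm: <reason>; the RedHat systemd unit gives mysqld a private /tmp`. On Debian the init.d start path has no PrivateTmp, so there mysqld now uses the shared /tmp; worth stating if that is accepted.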


@ -0,0 +1,11 @@
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=<%= @mode %>
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
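Review bot: The comment above `SELINUXTYPE=targeted` says the setting takes 'one of these two values' and then lists three (targeted, minimum, mls, L840-L843); correct the count or drop the list. `SELINUXTYPE` is also hard-coded while `SELINUX` is rendered from `@mode` (L839); if the class is meant to manage only the targeted policy, say so in the cloud::selinux header, otherwise expose it as a parameter alongside `mode`. Since the class otherwise applies mode changes live with setenforce, a comment on the `SELINUX=` line noting that `disabled` written here only takes effect at the next boot would save the next reader a surprise.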