dust-deploy 0.6.1 → 0.6.2
- data/changelog.md +16 -0
- data/lib/dust/recipes/hash_check.rb +11 -13
- data/lib/dust/recipes/mysql.rb +60 -8
- data/lib/dust/recipes/postgres.rb +4 -1
- data/lib/dust/recipes/redis.rb +91 -0
- data/lib/dust/version.rb +1 -1
- metadata +4 -3
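--- a/data/changelog.md
+++ b/data/changelog.md
@@ -1,6 +1,21 @@
 Changelog
 =============
 
+0.6.2
+------------
+
+- adds redis recipe, you can now maintain your redis configurations with dust as well:
+
+recipes:
+redis:
+port: 6379
+daemonize: yes
+
+- fixes hash_check recipe, now works with centos-like machines as well
+- improves mysql recipe: now sets shm sysctls as well (like the postgresql recipe does)
+- small improvements to automatic innodb tuning
+
+
 0.6.1
 ------------
 
@@ -80,6 +95,7 @@ Changelog
 ------------
 
 sshd recipe
+
 - default PrintMotd to false on apt systems (will be displayed 2 times otherwise)
 - no and yes can be specified in config file, without getting converted to booleans automatically
 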
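--- a/data/lib/dust/recipes/hash_check.rb
+++ b/data/lib/dust/recipes/hash_check.rb
@@ -2,16 +2,9 @@ class HashCheck < Recipe
 
 desc 'hash_check:deploy', 'checks /etc/shadow for weak hashes'
 def deploy
-# mkpasswd is in the package 'whois' resp. 'expect'
-@node.install_package 'whois' if @node.uses_apt?
-@node.install_package 'expect' if @node.uses_rpm?
-
 # those keys indicate that no password is set, or login is disabled
 keys = [ '*', '!', '!!', '', 'LK', 'NP' ]
 
-# mapping the magic numbers to the actual hash algorithms
-algorithms = { '1' => 'md5', '2' => 'blowfish', '5' => 'sha-256', '6' => 'sha-512' }
-
 weak_passwords = File.open "#{@template_path}/weak_passwords", 'r'
 shadow = @node.exec('cat /etc/shadow')[:stdout]
 
@@ -23,17 +16,22 @@ class HashCheck < Recipe
 user, hash = line.split(':')[0..1]
 next if keys.include? hash
 method, salt = hash.split('$')[1..2]
-
+
 weak_passwords.each_line do |password|
 password.chomp!
 
-#
-
-
+# python was imho the best solution to generate /etc/shadow hashes.
+# mkpasswd doesn't work on centos-like machines :/
+# and python is more likely installed than ruby
+ret = @node.exec("python -c \"import crypt; print crypt.crypt('#{password}', '\\$#{method}\\$#{salt}\\$')\"")
 
-
+unless ret[:exit_code] == 0
+::Dust.print_failed 'error during hash creation (is python installed?)'
+return false
+end
+if hash == ret[:stdout].chomp
 ::Dust.print_failed "user #{user} has a weak password! (#{password})", :indent => 2
-found_weak= true
+found_weak = true
 end
 end
 end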
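Review bot: The added `@node.exec("python -c ...")` line interpolates `password`, `method` and `salt` directly into a double-quoted shell string and a single-quoted Python literal, so a wordlist entry or shadow field containing `'`, `"`, `$` or a backtick either breaks the check or is interpreted by the shell on the node (assuming `@node.exec` hands the string to a shell there). Passing the values as escaped arguments avoids both: `args = [password, "$#{method}$#{salt}$"].map { |a| Shellwords.escape(a) }.join(' ')` and `ret = @node.exec("python -c 'import crypt, sys; print crypt.crypt(sys.argv[1], sys.argv[2])' #{args}")`, with `require 'shellwords'` at the top of the file. Every candidate still appears in the node's process list while the command runs, and a match is echoed in clear text by the following `print_failed`, so a comment noting where this output ends up would help. `print crypt.crypt(...)` is Python 2 syntax, so on a node whose `python` is Python 3 every run lands in the 'is python installed?' branch. The enclosing loop over the shadow lines starts outside the hunk.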
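--- a/data/lib/dust/recipes/mysql.rb
+++ b/data/lib/dust/recipes/mysql.rb
@@ -9,12 +9,14 @@ class Mysql < Recipe
 ::Dust.print_msg "configuring mysql\n"
 ::Dust.print_ok "listen on #{@config['mysqld']['bind-address']}:#{@config['mysqld']['port']}", :indent => 2
 
-@config['mysqld']['innodb_buffer_pool_size']
+@config['mysqld']['innodb_buffer_pool_size'] ||= get_innodb_buffer_pool_size
 ::Dust.print_ok "set innodb buffer pool to '#{@config['mysqld']['innodb_buffer_pool_size']}'", :indent => 2
 
 @node.write '/etc/mysql/my.cnf', generate_my_cnf
 @node.chmod '644', '/etc/mysql/my.cnf'
-
+
+configure_sysctl
+
 @node.restart_service 'mysql' if options.restart?
 @node.reload_service 'mysql' if options.reload?
 end
@@ -53,7 +55,9 @@ class Mysql < Recipe
 'max_binlog_size' => '100M',
 'innodb_file_per_table' => 1,
 'innodb_thread_concurrency' => 0,
-'innodb_flush_log_at_trx_commit' => 1
+'innodb_flush_log_at_trx_commit' => 1,
+'innodb_additional_mem_pool_size' => '16M',
+'innodb_log_buffer_size' => '4M'
 },
 'mysqldump' => {
 'quick' => true,
@@ -77,12 +81,12 @@ class Mysql < Recipe
 # get system memory (in kb)
 system_mem = ::Dust.convert_size @node['memorysize']
 
-# allocate
-buffer_pool = (system_mem * 0.
-
+# allocate 80% of the available ram to mysql
+buffer_pool = (system_mem * 0.8).to_i
+
 ::Dust.print_ok
-"#{buffer_pool}M"
-end
+"#{buffer_pool / 1024}M"
+end
 end
 
 def generate_my_cnf
@@ -97,5 +101,53 @@ class Mysql < Recipe
 my_cnf.concat "!includedir /etc/mysql/conf.d/\n"
 my_cnf
 end
+
+# increase shm memory
+def configure_sysctl
+if @node.uses_apt?
+::Dust.print_msg "setting mysql sysctl keys\n"
+@node.collect_facts :quiet => true
+
+# make sure system allows more than innodb_buffer_pool_size of memory ram to be allocated
+# shmmax = (convert_mysql_size(@config['mysqld']['innodb_buffer_pool_size']) * 1.1).to_i # TODO: 1.1?
+
+# get pagesize
+pagesize = @node.exec('getconf PAGESIZE')[:stdout].to_i || 4096
+
+# use half of system memory for shmmax
+shmmax = ::Dust.convert_size(@node['memorysize']) * 1024 / 2
+shmall = shmmax / pagesize
+
+::Dust.print_msg "setting shmmax to: #{shmmax}", :indent => 2
+::Dust.print_result @node.exec("sysctl -w kernel.shmmax=#{shmmax}")[:exit_code]
+::Dust.print_msg "setting shmall to: #{shmall}", :indent => 2
+::Dust.print_result @node.exec("sysctl -w kernel.shmall=#{shmall}")[:exit_code]
+::Dust.print_msg 'setting swappiness to 0', :indent => 2
+::Dust.print_result @node.exec('sysctl -w vm.swappiness=0')[:exit_code]
+
+file = ''
+file += "kernel.shmmax=#{shmmax}\n"
+file += "kernel.shmall=#{shmall}\n"
+file += "vm.swappiness=0\n" # rather shrink cache then use swap as filesystem cache
+
+@node.write "/etc/sysctl.d/30-mysql-shm.conf", file
+
+else
+::Dust.print_warning 'sysctl configuration not supported for your os'
+end
+end
+
+def convert_mysql_size s
+case s[-1].chr
+when 'K'
+return (s[0..-2].to_f * 1024).to_i
+when 'M'
+return (s[0..-2].to_f * 1024 * 1024).to_i
+when 'G'
+return (s[0..-2].to_f * 1024 * 1024 * 1024).to_i
+else
+return s.to_i
+end
+end
 end
 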
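Review bot: In the new `configure_sysctl`, `pagesize = @node.exec('getconf PAGESIZE')[:stdout].to_i || 4096` can never fall back to 4096, because `to_i` returns 0 rather than nil for empty or non-numeric output, and the following `shmall = shmmax / pagesize` then raises ZeroDivisionError in the middle of a deploy. Splitting it into `pagesize = @node.exec('getconf PAGESIZE')[:stdout].to_i` and `pagesize = 4096 unless pagesize > 0` keeps the intended default. Separately, the recipe now sizes the InnoDB buffer pool at 80% of RAM while kernel.shmmax is set to half of RAM and vm.swappiness to 0 for the whole node; the commented-out shmmax formula suggests this is still open, so a comment such as `# shmmax is deliberately independent of innodb_buffer_pool_size because ...` would tell the next maintainer whether the mismatch is intended.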
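--- a/data/lib/dust/recipes/postgres.rb
+++ b/data/lib/dust/recipes/postgres.rb
@@ -93,9 +93,12 @@ class Postgres < Recipe
 ::Dust.print_msg "setting postgres sysctl keys\n"
 @node.collect_facts :quiet => true
 
+# get pagesize
+pagesize = @node.exec('getconf PAGESIZE')[:stdout] || 4096
+
 # use half of system memory for shmmax
 shmmax = ::Dust.convert_size(@node['memorysize']) * 1024 / 2
-shmall = shmmax /
+shmall = shmmax / pagesize
 
 ::Dust.print_msg "setting shmmax to: #{shmmax}", :indent => 2
 ::Dust.print_result @node.exec("sysctl -w kernel.shmmax=#{shmmax}")[:exit_code]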
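Review bot: `pagesize = @node.exec('getconf PAGESIZE')[:stdout] || 4096` leaves `pagesize` as the raw stdout text, so `shmall = shmmax / pagesize` divides an Integer by a String and raises TypeError (assuming `exec` returns `:stdout` as a String, as its use with `.chomp` in the hash_check recipe suggests). The mysql recipe in this same release calls `.to_i` on the identical expression; here the line should become `pagesize = @node.exec('getconf PAGESIZE')[:stdout].to_i` followed by `pagesize = 4096 unless pagesize > 0`, since `to_i` yields 0, never nil, when getconf prints nothing. The enclosing method starts and ends outside the hunk.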
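--- a/data/lib/dust/recipes/redis.rb
+++ b/data/lib/dust/recipes/redis.rb
@@ -0,0 +1,91 @@
+class Redis < Recipe
+desc 'redis:deploy', 'installs and configures redis key-value store'
+def deploy
+@node.install_package 'redis-server'
+@node.write '/etc/redis/redis.conf', generate_redis_conf
+configure_sysctl
+@node.restart_service 'redis-server' if @options.restart
+end
+
+desc 'redis:status', 'displays redis-cli info'
+def status
+return false unless @node.package_installed? 'redis-server'
+puts @node.exec('redis-cli info')[:stdout]
+end
+
+
+private
+
+# default configuration variables for ubuntu
+# if you use a different os, you may adapt these
+# listens on all interfaces per default
+def default_config
+{ 'daemonize' => 'yes',
+'port' => 6379,
+'timeout' => 300,
+'loglevel' => 'notice',
+'databases' => 16,
+'save' => [ '900 1', '300 10', '60 10000' ],
+'rdbcompression' => 'yes',
+'dbfilename' => 'dump.rdb',
+'slave-serve-stale-data' => 'yes',
+'appendonly' => 'no',
+'appendfsync' => 'everysec',
+'no-appendfsync-on-rewrite' => 'no',
+'vm-enabled' => 'no',
+'vm-max-memory' => 0,
+'vm-page-size' => 32,
+'vm-pages' => 134217728,
+'vm-max-threads' => 4,
+'hash-max-zipmap-entries' => 512,
+'hash-max-zipmap-value' => 64,
+'list-max-ziplist-entries' => 512,
+'list-max-ziplist-value' => 64,
+'set-max-intset-entries' => 512,
+'activerehashing' => 'yes',
+
+# os specific settings
+'dir' => '/var/lib/redis',
+'pidfile' => '/var/run/redis.pid',
+'logfile' => '/var/log/redis/redis-server.log',
+'vm-swap-file' => '/var/lib/redis/redis.swap'
+}
+end
+
+def generate_redis_conf
+@config.boolean_to_string!
+@config = default_config.merge @config
+
+redis_conf = ''
+@config.each do |key, value|
+if value.is_a? Array
+value.each { |v| redis_conf.concat "#{key} #{v}\n" }
+else
+redis_conf.concat "#{key} #{value}\n"
+end
+end
+
+redis_conf
+end
+
+# redis complains if vm.overcommit_memory != 1
+def configure_sysctl
+if @node.uses_apt?
+::Dust.print_msg "setting redis sysctl keys\n"
+
+::Dust.print_msg 'setting overcommit memory to 1', :indent => 2
+::Dust.print_result @node.exec('sysctl -w vm.overcommit_memory=1')[:exit_code]
+::Dust.print_msg 'setting swappiness to 0', :indent => 2
+::Dust.print_result @node.exec('sysctl -w vm.swappiness=0')[:exit_code]
+
+file = ''
+file += "vm.overcommit_memory=1\n"
+file += "vm.swappiness=0\n"
+
+@node.write "/etc/sysctl.d/30-redis.conf", file
+
+else
+::Dust.print_warning 'sysctl configuration not supported for your os'
+end
+end
+end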
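Review bot: `default_config` has neither a `bind` nor a `requirepass` entry, and its own comment states that the server "listens on all interfaces per default", so every node deployed with this recipe exposes an unauthenticated Redis on port 6379 unless the operator overrides it. A safer default is to add `'bind' => '127.0.0.1',` to the hash and change the comment to `# listens on localhost only per default`, leaving wider exposure as an explicit choice in the node's config. `deploy` also writes /etc/redis/redis.conf without the `@node.chmod` call the mysql recipe makes after writing my.cnf, which matters once a `requirepass` value is stored in that file. `@options.restart` differs from the `options.restart?` form used in the mysql recipe and is worth checking against the Recipe base class, which is not visible here.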
data/lib/dust/version.rb
CHANGED
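--- a/metadata
+++ b/metadata
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
 segments:
 - 0
 - 6
--
-version: 0.6.
+- 2
+version: 0.6.2
 platform: ruby
 authors:
 - kris kechagia
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-
+date: 2012-02-02 00:00:00 +01:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -139,6 +139,7 @@ files:
 - lib/dust/recipes/packages.rb
 - lib/dust/recipes/postgres.rb
 - lib/dust/recipes/rc_local.rb
+- lib/dust/recipes/redis.rb
 - lib/dust/recipes/remove_packages.rb
 - lib/dust/recipes/repositories.rb
 - lib/dust/recipes/resolv_conf.rb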