* [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support
@ 2016-11-28 16:59 Frank Meerkoetter
2016-11-28 16:59 ` [meta-oe][PATCH 1/5] Add a systemd service file for redis Frank Meerkoetter
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Frank Meerkoetter @ 2016-11-28 16:59 UTC (permalink / raw)
To: openembedded-devel; +Cc: Frank Meerkoetter
Improve the redis recipe with a focus on systemd support.
Frank Meerkoetter (5):
Add a systemd service file for redis
Do not expose the redis service to the network by default
Log to syslog
Do not run redis as root
Increase the max number of fds to match the config in redis.conf
meta-oe/recipes-extended/redis/redis/redis.conf | 8 ++++----
meta-oe/recipes-extended/redis/redis/redis.service | 15 +++++++++++++++
meta-oe/recipes-extended/redis/redis_3.0.2.bb | 21 ++++++++++++++++++++-
3 files changed, 39 insertions(+), 5 deletions(-)
create mode 100644 meta-oe/recipes-extended/redis/redis/redis.service
--
2.7.4
^ permalink raw reply [flat|nested] 8+ messages in thread
* [meta-oe][PATCH 1/5] Add a systemd service file for redis
2016-11-28 16:59 [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support Frank Meerkoetter
@ 2016-11-28 16:59 ` Frank Meerkoetter
2016-12-01 15:51 ` Pau Espin Pedrol
2016-11-28 16:59 ` [meta-oe][PATCH 2/5] Do not expose the redis service to the network by default Frank Meerkoetter
` (4 subsequent siblings)
5 siblings, 1 reply; 8+ messages in thread
From: Frank Meerkoetter @ 2016-11-28 16:59 UTC (permalink / raw)
To: openembedded-devel; +Cc: Frank Meerkoetter
The redis.conf is changed on the fly to not daemonize redis.
The reason for that is that with this approach we don't need
special permissions to write to /var/run/.
Signed-off-by: Frank Meerkoetter <frank@meerkoetter.org>
---
meta-oe/recipes-extended/redis/redis/redis.service | 14 ++++++++++++++
meta-oe/recipes-extended/redis/redis_3.0.2.bb | 15 ++++++++++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-extended/redis/redis/redis.service
diff --git a/meta-oe/recipes-extended/redis/redis/redis.service b/meta-oe/recipes-extended/redis/redis/redis.service
new file mode 100644
index 0000000..e2dc6a7
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/redis.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Redis In-Memory Data Store
+After=network.target
+
+[Service]
+User=root
+Group=root
+ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
+ExecStop=/usr/bin/redis-cli shutdown
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
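Review bot: User=root and Group=root in [Service] mean the first patch of the series installs a network daemon that runs as root. 4/5 replaces both lines, so introduce the unit with the unprivileged user from the start; that way no intermediate commit ships a root-run service and the later patch shrinks to the recipe changes.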
diff --git a/meta-oe/recipes-extended/redis/redis_3.0.2.bb b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
index 2e4b760..89b79d4 100644
--- a/meta-oe/recipes-extended/redis/redis_3.0.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
@@ -12,13 +12,16 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://oe-use-libc-malloc.patch \
file://redis.conf \
file://init-redis-server \
+ file://redis.service \
file://hiredis-update-Makefile-to-add-symbols-to-staticlib.patch \
"
SRC_URI[md5sum] = "87be8867447f62524b584813e5a7bd14"
SRC_URI[sha256sum] = "93e422c0d584623601f89b956045be158889ebe594478a2c24e1bf218495633f"
-inherit autotools-brokensep update-rc.d
+inherit autotools-brokensep update-rc.d systemd
+
+REDIS_ON_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}"
do_install() {
export PREFIX=${D}/${prefix}
@@ -28,9 +31,19 @@ do_install() {
install -d ${D}/${sysconfdir}/init.d
install -m 0755 ${WORKDIR}/init-redis-server ${D}/${sysconfdir}/init.d/redis-server
install -d ${D}/var/lib/redis/
+
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_unitdir}/system
+ sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}${systemd_unitdir}/system/redis.service
+
+ if [ "${REDIS_ON_SYSTEMD}" = true ]; then
+ sed -i 's!daemonize yes!# daemonize yes!' ${D}/${sysconfdir}/redis/redis.conf
+ fi
}
CONFFILES_${PN} = "${sysconfdir}/redis/redis.conf"
INITSCRIPT_NAME = "redis-server"
INITSCRIPT_PARAMS = "defaults 87"
+
+SYSTEMD_SERVICE_${PN} = "redis.service"
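Review bot: the first sed in do_install rewrites "/usr/sbin/", but the redis.service added by this patch only contains "/usr/bin/" paths, so the substitution never matches and ExecStart/ExecStop stay hard-coded. Match "/usr/bin/" and substitute ${bindir} instead, or use a placeholder in the unit and replace that.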
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [meta-oe][PATCH 2/5] Do not expose the redis service to the network by default
2016-11-28 16:59 [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support Frank Meerkoetter
2016-11-28 16:59 ` [meta-oe][PATCH 1/5] Add a systemd service file for redis Frank Meerkoetter
@ 2016-11-28 16:59 ` Frank Meerkoetter
2016-11-28 16:59 ` [meta-oe][PATCH 3/5] Log to syslog Frank Meerkoetter
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Frank Meerkoetter @ 2016-11-28 16:59 UTC (permalink / raw)
To: openembedded-devel; +Cc: Frank Meerkoetter
Binding it to localhost is a safe default.
This affects both sysv and systemd based systems.
Signed-off-by: Frank Meerkoetter <frank@meerkoetter.org>
---
meta-oe/recipes-extended/redis/redis/redis.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-oe/recipes-extended/redis/redis/redis.conf b/meta-oe/recipes-extended/redis/redis/redis.conf
index 923b98e..b932089 100644
--- a/meta-oe/recipes-extended/redis/redis/redis.conf
+++ b/meta-oe/recipes-extended/redis/redis/redis.conf
@@ -30,7 +30,7 @@ port 6379
# If you want you can bind a single interface, if the bind option is not
# specified all the interfaces will listen for incoming connections.
#
-# bind 127.0.0.1
+bind 127.0.0.1
# Specify the path for the unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
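Review bot: uncommenting "bind 127.0.0.1" changes behaviour for images that already rely on remote clients reaching port 6379, and the commit message does not say how to opt back in. Mention in the message, or in the comment above the directive, that the line has to be edited in redis.conf for network access. This is also the IPv4 loopback only, so local clients have to use 127.0.0.1 or the unix socket described in the trailing context lines rather than ::1.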
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [meta-oe][PATCH 3/5] Log to syslog
2016-11-28 16:59 [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support Frank Meerkoetter
2016-11-28 16:59 ` [meta-oe][PATCH 1/5] Add a systemd service file for redis Frank Meerkoetter
2016-11-28 16:59 ` [meta-oe][PATCH 2/5] Do not expose the redis service to the network by default Frank Meerkoetter
@ 2016-11-28 16:59 ` Frank Meerkoetter
2016-11-28 16:59 ` [meta-oe][PATCH 4/5] Do not run redis as root Frank Meerkoetter
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Frank Meerkoetter @ 2016-11-28 16:59 UTC (permalink / raw)
To: openembedded-devel; +Cc: Frank Meerkoetter
Creating /var/log/redis.log requires root permissions to
create the file. Use syslog instead so redis does not
require root.
This affects both sysv and systemd based systems.
Signed-off-by: Frank Meerkoetter <frank@meerkoetter.org>
---
meta-oe/recipes-extended/redis/redis/redis.conf | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta-oe/recipes-extended/redis/redis/redis.conf b/meta-oe/recipes-extended/redis/redis/redis.conf
index b932089..ab024ad 100644
--- a/meta-oe/recipes-extended/redis/redis/redis.conf
+++ b/meta-oe/recipes-extended/redis/redis/redis.conf
@@ -53,14 +53,14 @@ loglevel notice
# Specify the log file name. Also 'stdout' can be used to force
# Redis to log on the standard output. Note that if you use standard
# output for logging but daemonize, logs will be sent to /dev/null
-logfile /var/log/redis.log
+# logfile /var/log/redis.log
# To enable logging to the system logger, just set 'syslog-enabled' to yes,
# and optionally update the other syslog parameters to suit your needs.
-# syslog-enabled no
+syslog-enabled yes
# Specify the syslog identity.
-# syslog-ident redis
+syslog-ident redis
# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
# syslog-facility local0
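Review bot: with "logfile" commented out, Redis falls back to standard output in addition to syslog (the context comment at the top of the hunk notes that such output goes to /dev/null when daemonized). On systemd builds, where 1/5 disables daemonize, that output is captured by the service manager, so each message can be recorded twice. Either keep syslog off for the systemd case or state in the commit message that the duplication is accepted. "syslog-facility" stays commented, so the facility is left at the Redis default; say so if a specific one is expected.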
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [meta-oe][PATCH 4/5] Do not run redis as root
2016-11-28 16:59 [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support Frank Meerkoetter
` (2 preceding siblings ...)
2016-11-28 16:59 ` [meta-oe][PATCH 3/5] Log to syslog Frank Meerkoetter
@ 2016-11-28 16:59 ` Frank Meerkoetter
2016-11-28 16:59 ` [meta-oe][PATCH 5/5] Increase the max number of fds to match the config in redis.conf Frank Meerkoetter
2016-11-29 9:15 ` [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support Martin Jansa
5 siblings, 0 replies; 8+ messages in thread
From: Frank Meerkoetter @ 2016-11-28 16:59 UTC (permalink / raw)
To: openembedded-devel; +Cc: Frank Meerkoetter
Running a network facing daemon written in C as root is not
a good idea. Introduce a redis system user/group for that.
A drawback is that now redis can no longer increase the
number of open fds to 10000 (MaxClients). If this is needed
the ulimit needs to be tweaked in the init script or systemd
unit file.
This only affects systemd based systems.
Signed-off-by: Frank Meerkoetter <frank@meerkoetter.org>
---
meta-oe/recipes-extended/redis/redis/redis.service | 4 ++--
meta-oe/recipes-extended/redis/redis_3.0.2.bb | 8 +++++++-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/meta-oe/recipes-extended/redis/redis/redis.service b/meta-oe/recipes-extended/redis/redis/redis.service
index e2dc6a7..577bb14 100644
--- a/meta-oe/recipes-extended/redis/redis/redis.service
+++ b/meta-oe/recipes-extended/redis/redis/redis.service
@@ -3,8 +3,8 @@ Description=Redis In-Memory Data Store
After=network.target
[Service]
-User=root
-Group=root
+User=redis
+Group=redis
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
ExecStop=/usr/bin/redis-cli shutdown
Restart=always
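Review bot: switching to User=redis here removes the ability to raise the fd limit, which the commit message acknowledges, but LimitNOFILE only arrives in 5/5, so a tree at this commit ships a unit that cannot reach the configured client limit. Fold the LimitNOFILE line into this patch so every commit in the series is self-consistent.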
diff --git a/meta-oe/recipes-extended/redis/redis_3.0.2.bb b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
index 89b79d4..a8242b2 100644
--- a/meta-oe/recipes-extended/redis/redis_3.0.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
@@ -19,7 +19,12 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
SRC_URI[md5sum] = "87be8867447f62524b584813e5a7bd14"
SRC_URI[sha256sum] = "93e422c0d584623601f89b956045be158889ebe594478a2c24e1bf218495633f"
-inherit autotools-brokensep update-rc.d systemd
+inherit autotools-brokensep update-rc.d systemd useradd
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "--system --home-dir /var/lib/redis -g redis --shell /bin/false redis"
+GROUPADD_PARAM_${PN} = "--system redis"
+
REDIS_ON_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}"
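Review bot: the redis user and group are created unconditionally by USERADD_PARAM/GROUPADD_PARAM, yet the message says only systemd based systems are affected and init-redis-server is not changed anywhere in this series. Either state that sysv images get the account but still start the daemon as before, or update the init script in the same patch so both init systems drop root.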
@@ -31,6 +36,7 @@ do_install() {
install -d ${D}/${sysconfdir}/init.d
install -m 0755 ${WORKDIR}/init-redis-server ${D}/${sysconfdir}/init.d/redis-server
install -d ${D}/var/lib/redis/
+ chown redis.redis ${D}/var/lib/redis/
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_unitdir}/system
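Review bot: "chown redis.redis" uses the dot separator, which is the deprecated form; use "redis:redis", or set ownership at creation with "install -d -o redis -g redis". No -m is given, so the directory keeps the default mode from "install -d"; since it is the home of the new account and presumably holds the data files, consider an explicit restrictive mode such as "-m 0750" while touching this line.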
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [meta-oe][PATCH 5/5] Increase the max number of fds to match the config in redis.conf
2016-11-28 16:59 [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support Frank Meerkoetter
` (3 preceding siblings ...)
2016-11-28 16:59 ` [meta-oe][PATCH 4/5] Do not run redis as root Frank Meerkoetter
@ 2016-11-28 16:59 ` Frank Meerkoetter
2016-11-29 9:15 ` [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support Martin Jansa
5 siblings, 0 replies; 8+ messages in thread
From: Frank Meerkoetter @ 2016-11-28 16:59 UTC (permalink / raw)
To: openembedded-devel; +Cc: Frank Meerkoetter
Now that the process no longer runs as root, we need to increase
the limit for it.
This only affects systemd based systems.
Signed-off-by: Frank Meerkoetter <frank@meerkoetter.org>
---
meta-oe/recipes-extended/redis/redis/redis.service | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta-oe/recipes-extended/redis/redis/redis.service b/meta-oe/recipes-extended/redis/redis/redis.service
index 577bb14..36d2985 100644
--- a/meta-oe/recipes-extended/redis/redis/redis.service
+++ b/meta-oe/recipes-extended/redis/redis/redis.service
@@ -8,6 +8,7 @@ Group=redis
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
ExecStop=/usr/bin/redis-cli shutdown
Restart=always
+LimitNOFILE=10032
[Install]
WantedBy=multi-user.target
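Review bot: LimitNOFILE=10032 is a bare number with no visible link to the setting it is meant to match; the subject refers to redis.conf and 4/5 mentions 10000 (MaxClients), but nothing explains the extra 32. State the derivation in the commit message or in a comment in the unit so the two values are kept in sync when the client limit in redis.conf is changed.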
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support
2016-11-28 16:59 [meta-oe][PATCH 0/5] Improve the redis recipe with a focus on systemd support Frank Meerkoetter
` (4 preceding siblings ...)
2016-11-28 16:59 ` [meta-oe][PATCH 5/5] Increase the max number of fds to match the config in redis.conf Frank Meerkoetter
@ 2016-11-29 9:15 ` Martin Jansa
5 siblings, 0 replies; 8+ messages in thread
From: Martin Jansa @ 2016-11-29 9:15 UTC (permalink / raw)
To: openembedded-devel; +Cc: Frank Meerkoetter
On Mon, Nov 28, 2016 at 05:59:43PM +0100, Frank Meerkoetter wrote:
> Improve the redis recipe with a focus on systemd support.
>
> Frank Meerkoetter (5):
> Add a systemd service file for redis
> Do not expose the redis service to the network by default
> Log to syslog
> Do not run redis as root
> Increase the max number of fds to match the config in redis.conf
Please follow:
http://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
and start the commit messages with
"redis: "
>
> meta-oe/recipes-extended/redis/redis/redis.conf | 8 ++++----
> meta-oe/recipes-extended/redis/redis/redis.service | 15 +++++++++++++++
> meta-oe/recipes-extended/redis/redis_3.0.2.bb | 21 ++++++++++++++++++++-
> 3 files changed, 39 insertions(+), 5 deletions(-)
> create mode 100644 meta-oe/recipes-extended/redis/redis/redis.service
>
> --
> 2.7.4
>
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [meta-oe][PATCH 1/5] Add a systemd service file for redis
2016-11-28 16:59 ` [meta-oe][PATCH 1/5] Add a systemd service file for redis Frank Meerkoetter
@ 2016-12-01 15:51 ` Pau Espin Pedrol
0 siblings, 0 replies; 8+ messages in thread
From: Pau Espin Pedrol @ 2016-12-01 15:51 UTC (permalink / raw)
To: openembedded-devel@lists.openembedded.org; +Cc: Frank Meerkoetter
Hi,
Please use "${systemd_system_unitdir}" instead of
"${systemd_unitdir}/system".
Pau Espin Pedrol
2016-11-28 17:59 GMT+01:00 Frank Meerkoetter <meerkoetter@googlemail.com>:
> The redis.conf is changed on the fly to not daemonize redis.
> The reason for that is that with this approach we don't need
> special permissions to write to /var/run/.
>
> Signed-off-by: Frank Meerkoetter <frank@meerkoetter.org>
> ---
> meta-oe/recipes-extended/redis/redis/redis.service | 14 ++++++++++++++
> meta-oe/recipes-extended/redis/redis_3.0.2.bb | 15 ++++++++++++++-
> 2 files changed, 28 insertions(+), 1 deletion(-)
> create mode 100644 meta-oe/recipes-extended/redis/redis/redis.service
>
> diff --git a/meta-oe/recipes-extended/redis/redis/redis.service
> b/meta-oe/recipes-extended/redis/redis/redis.service
> new file mode 100644
> index 0000000..e2dc6a7
> --- /dev/null
> +++ b/meta-oe/recipes-extended/redis/redis/redis.service
> @@ -0,0 +1,14 @@
> +[Unit]
> +Description=Redis In-Memory Data Store
> +After=network.target
> +
> +[Service]
> +User=root
> +Group=root
> +ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
> +ExecStop=/usr/bin/redis-cli shutdown
> +Restart=always
> +
> +[Install]
> +WantedBy=multi-user.target
> +
> diff --git a/meta-oe/recipes-extended/redis/redis_3.0.2.bb
> b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
> index 2e4b760..89b79d4 100644
> --- a/meta-oe/recipes-extended/redis/redis_3.0.2.bb
> +++ b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
> @@ -12,13 +12,16 @@ SRC_URI = "http://download.redis.io/
> releases/${BP}.tar.gz \
> file://oe-use-libc-malloc.patch \
> file://redis.conf \
> file://init-redis-server \
> + file://redis.service \
> file://hiredis-update-Makefile-to-add-symbols-to-staticlib.patch
> \
> "
>
> SRC_URI[md5sum] = "87be8867447f62524b584813e5a7bd14"
> SRC_URI[sha256sum] = "93e422c0d584623601f89b956045be
> 158889ebe594478a2c24e1bf218495633f"
>
> -inherit autotools-brokensep update-rc.d
> +inherit autotools-brokensep update-rc.d systemd
> +
> +REDIS_ON_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd',
> 'true', 'false', d)}"
>
> do_install() {
> export PREFIX=${D}/${prefix}
> @@ -28,9 +31,19 @@ do_install() {
> install -d ${D}/${sysconfdir}/init.d
> install -m 0755 ${WORKDIR}/init-redis-server
> ${D}/${sysconfdir}/init.d/redis-server
> install -d ${D}/var/lib/redis/
> +
> + install -d ${D}${systemd_unitdir}/system
> + install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_unitdir}/system
> + sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}${systemd_unitdir}/system/
> redis.service
> +
> + if [ "${REDIS_ON_SYSTEMD}" = true ]; then
> + sed -i 's!daemonize yes!# daemonize yes!'
> ${D}/${sysconfdir}/redis/redis.conf
> + fi
> }
>
> CONFFILES_${PN} = "${sysconfdir}/redis/redis.conf"
>
> INITSCRIPT_NAME = "redis-server"
> INITSCRIPT_PARAMS = "defaults 87"
> +
> +SYSTEMD_SERVICE_${PN} = "redis.service"
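Review bot: the daemonize sed in do_install is unanchored and only comments the setting out, so the result depends on "daemonize yes" appearing exactly once in the shipped redis.conf and on Redis defaulting to foreground mode. Anchoring the pattern and writing an explicit value, for example 's!^daemonize yes!daemonize no!', states the intent in the installed file and cannot touch a comment line that happens to contain the same words.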
> --
> 2.7.4
>
^ permalink raw reply [flat|nested] 8+ messages in thread