refactor consul_agent job to use pre-start script

- monit now runs the agent_ctl script as vcap - all privileged commands run in the pre-start script [#119388013]
cloudfoundry-attic · Jun 8, 2016 · d940bc7 · d940bc7
1 parent 725c24c
commit d940bc7
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 97 deletions.
diff --git a/jobs/consul_agent/monit b/jobs/consul_agent/monit
@@ -1,7 +1,9 @@
 check process consul_agent
   with pidfile /var/vcap/sys/run/consul_agent/consul_agent.pid
-  start program "/var/vcap/jobs/consul_agent/bin/agent_ctl start" with timeout 60 seconds
+  start program "/var/vcap/jobs/consul_agent/bin/agent_ctl start"
+    as uid vcap and gid vcap with timeout 60 seconds
   stop program "/var/vcap/jobs/consul_agent/bin/agent_ctl stop"
+    as uid vcap and gid vcap
   group vcap
 
 <% if p("consul.agent.mode") == "server" && !p("consul.agent.servers.wan").empty? %>

diff --git a/jobs/consul_agent/spec b/jobs/consul_agent/spec
@@ -3,8 +3,9 @@ name: consul_agent
 
 templates:
   agent_ctl.sh.erb: bin/agent_ctl
-  confab.json.erb: confab.json
   join_ctl.sh.erb: bin/join_ctl
+  pre-start.erb: bin/pre-start
+  confab.json.erb: confab.json
   ca.crt.erb: config/certs/ca.crt
   server.crt.erb: config/certs/server.crt
   server.key.erb: config/certs/server.key

diff --git a/jobs/consul_agent/templates/agent_ctl.sh.erb b/jobs/consul_agent/templates/agent_ctl.sh.erb
@@ -2,75 +2,13 @@
 
 SCRIPT_NAME=$(basename $0)
 LOG_DIR=/var/vcap/sys/log/consul_agent
-RUN_DIR=/var/vcap/sys/run/consul_agent
-DATA_DIR=/var/vcap/store/consul_agent
-CONF_DIR=/var/vcap/jobs/consul_agent/config
-CERT_DIR=$CONF_DIR/certs
-PKG=/var/vcap/packages/consul
 JOB_DIR=/var/vcap/jobs/consul_agent
-PIDFILE=$RUN_DIR/consul_agent.pid
 CONFAB_PACKAGE=/var/vcap/packages/confab
 
-mkdir -p "${LOG_DIR}"
-chown -R vcap:vcap "${LOG_DIR}"
-
 exec > >(tee -a >(logger -p user.info -t vcap.${SCRIPT_NAME}.stdout) | awk -W interactive '{lineWithDate="echo [`date +\"%Y-%m-%d %H:%M:%S%z\"`] \"" $0 "\""; system(lineWithDate)	}' >>$LOG_DIR/${SCRIPT_NAME}.log)
 exec 2> >(tee -a >(logger -p user.error -t vcap.${SCRIPT_NAME}.stderr) | awk -W interactive '{lineWithDate="echo [`date +\"%Y-%m-%d %H:%M:%S%z\"`] \"" $0 "\""; system(lineWithDate)  }' >>$LOG_DIR/${SCRIPT_NAME}.err.log)
 
-function setup_resolvconf() {
-  local resolvconf_file
-  resolvconf_file=/etc/resolvconf/resolv.conf.d/head
-
-  if ! grep -qE '127.0.0.1\b' "${resolvconf_file}"; then
-          if [[ "$(stat -c "%s" "${resolvconf_file}")" = "0" ]]; then
-                  echo 'nameserver 127.0.0.1' > "${resolvconf_file}"
-          else
-                  sed -i -e '1i nameserver 127.0.0.1' "${resolvconf_file}"
-          fi
-  fi
-
-  resolvconf -u
-}
-
-function create_directories_and_chown_to_vcap() {
-  mkdir -p "${RUN_DIR}"
-  chown -R vcap:vcap "${RUN_DIR}"
-
-  mkdir -p "${DATA_DIR}"
-  chown -R vcap:vcap "${DATA_DIR}"
-
-  mkdir -p "${CONF_DIR}"
-  chown -R vcap:vcap "${CONF_DIR}"
-
-  chown vcap:vcap ${CERT_DIR}/*.{crt,key}
-  chmod 640 ${CERT_DIR}/*.{crt,key}
-}
-
-function set_virtual_memory() {
-  # "Consul uses a significant amount of virtual memory, since LMDB uses
-  # mmap() underneath. It uses about 700MB of a 32bit system and 40GB on a
-  # 64bit system."
-  #
-  # this mainly applies to bosh-lite
-  ulimit -v unlimited
-  ulimit -n 4096
-}
-
 function start_confab() {
-  set -exu
-
-  local confab_package
-  confab_package=$1
-
-  local job_dir
-  job_dir=$2
-
-  local log_dir
-  log_dir=$3
-
-  exec > >(tee -a ${log_dir}/consul_agent.stdout.log | logger -p user.info -t vcap.consul-agent)
-  exec 2> >(tee -a ${log_dir}/consul_agent.stderr.log | logger -p user.error -t vcap.consul-agent)
-
   local nameservers
   nameservers=("$(cat /etc/resolv.conf | grep nameserver | awk '{print $2}' | grep -Ev '127.0.0.1\b')")
 
@@ -81,53 +19,30 @@ function start_confab() {
     recursors="${recursors} -recursor=${nameserver}"
   done
 
-  "${confab_package}/bin/confab" \
+  "${CONFAB_PACKAGE}/bin/confab" \
     start \
     ${recursors} \
-    --config-file "${job_dir}/confab.json"
+    --config-file "${JOB_DIR}/confab.json" \
+    1 > >(tee -a ${LOG_DIR}/consul_agent.stdout.log | logger -p user.info -t vcap.consul-agent) \
+    2> >(tee -a ${LOG_DIR}/consul_agent.stderr.log | logger -p user.error -t vcap.consul-agent)
 }
-export -f start_confab
 
 function stop_confab() {
-  set -exu
-
-  local confab_package
-  confab_package=$1
-
-  local job_dir
-  job_dir=$2
-
-  local log_dir
-  log_dir=$3
-
-  exec > >(tee -a ${log_dir}/consul_agent.stdout.log | logger -p user.info -t vcap.consul-agent)
-  exec 2> >(tee -a ${log_dir}/consul_agent.stderr.log | logger -p user.error -t vcap.consul-agent)
-
-  "${confab_package}/bin/confab" \
+  "${CONFAB_PACKAGE}/bin/confab" \
     stop \
-    --config-file "${job_dir}/confab.json"
-}
-export -f stop_confab
-
-function setup() {
-  create_directories_and_chown_to_vcap
-
-  set_virtual_memory
-
-  setup_resolvconf
-
-  setcap cap_net_bind_service=+ep ${PKG}/bin/consul
+    --config-file "${JOB_DIR}/confab.json" \
+    1> >(tee -a ${LOG_DIR}/consul_agent.stdout.log | logger -p user.info -t vcap.consul-agent) \
+    2> >(tee -a ${LOG_DIR}/consul_agent.stderr.log | logger -p user.error -t vcap.consul-agent)
 }
 
 function main() {
   case ${1} in
         start)
-          setup
-          su vcap -c "start_confab ${CONFAB_PACKAGE} ${JOB_DIR} ${LOG_DIR}" &> /dev/null
+          start_confab
           ;;
 
         stop)
-          su vcap -c "stop_confab ${CONFAB_PACKAGE} ${JOB_DIR} ${LOG_DIR}" &> /dev/null
+          stop_confab
           ;;
 
         *)

diff --git a/jobs/consul_agent/templates/pre-start.erb b/jobs/consul_agent/templates/pre-start.erb
@@ -0,0 +1,62 @@
+#!/bin/bash -exu
+
+LOG_DIR=/var/vcap/sys/log/consul_agent
+RUN_DIR=/var/vcap/sys/run/consul_agent
+DATA_DIR=/var/vcap/store/consul_agent
+CONF_DIR=/var/vcap/jobs/consul_agent/config
+CERT_DIR=$CONF_DIR/certs
+PKG=/var/vcap/packages/consul
+
+function setup_resolvconf() {
+  local resolvconf_file
+  resolvconf_file=/etc/resolvconf/resolv.conf.d/head
+
+  if ! grep -qE '127.0.0.1\b' "${resolvconf_file}"; then
+          if [[ "$(stat -c "%s" "${resolvconf_file}")" = "0" ]]; then
+                  echo 'nameserver 127.0.0.1' > "${resolvconf_file}"
+          else
+                  sed -i -e '1i nameserver 127.0.0.1' "${resolvconf_file}"
+          fi
+  fi
+
+  resolvconf -u
+}
+
+function create_directories_and_chown_to_vcap() {
+  mkdir -p "${LOG_DIR}"
+  chown -R vcap:vcap "${LOG_DIR}"
+
+  mkdir -p "${RUN_DIR}"
+  chown -R vcap:vcap "${RUN_DIR}"
+
+  mkdir -p "${DATA_DIR}"
+  chown -R vcap:vcap "${DATA_DIR}"
+
+  mkdir -p "${CONF_DIR}"
+  chown -R vcap:vcap "${CONF_DIR}"
+
+  chown vcap:vcap ${CERT_DIR}/*.{crt,key}
+  chmod 640 ${CERT_DIR}/*.{crt,key}
+}
+
+function set_virtual_memory() {
+  # "Consul uses a significant amount of virtual memory, since LMDB uses
+  # mmap() underneath. It uses about 700MB of a 32bit system and 40GB on a
+  # 64bit system."
+  #
+  # this mainly applies to bosh-lite
+  ulimit -v unlimited
+  ulimit -n 4096
+}
+
+function setup() {
+  create_directories_and_chown_to_vcap
+
+  set_virtual_memory
+
+  setup_resolvconf
+
+  setcap cap_net_bind_service=+ep ${PKG}/bin/consul
+}
+
+setup