voxpupuli / puppet-redis

Puppet Module to manage Redis
https://forge.puppet.com/puppet/redis
Apache License 2.0

Missing SELinux policies when using instances #276

Open bostrowski13 opened 5 years ago

bostrowski13 commented 5 years ago

As I was implementing a number of instances on my RHEL 7.x, I ran into 2 issues.

  1. It doesn't look like ulimit is getting set correctly for each service. It looks like this could be implemented on each individual service level with this in the systemd unit file: `LimitNOFILE=$ulimit`

Since the available class for ulimit is private and not being called unless you use config via the "default_install => true" argument, I think it's a pretty safe addition to add it to the unit file template and reference it where necessary.

  2. I'm using SELinux (because RHEL), and because I'm defining multiple instances, every instance runs on a different port. The problem was the port group for SELinux was not allowing me to start the service. I was receiving the following error in the Redis logfile:

```
# Creating Server TCP listening socket 192.168.0.5:6381: bind: Permission denied
```

After looking around a bit, I found that the SELinux group is not configured to allow the non-default port I was using (6381) to bind.

```
# semanage port -l | grep "redis_port_t"
redis_port_t                   tcp      6379, 16379, 26379
```

I was able to temporarily work around this with the addition of the non-default port:

```
semanage port -a -t redis_port_t -p tcp 6381
```

Now it's all happy...

```
# semanage port -l | grep "redis_port_t"
redis_port_t                   tcp      6381, 6379, 16379, 26379
```

ekohl commented 3 years ago

The ulimit part has been fixed in 0f930aad8cfed622b66ce522f2186b35de127165. Adjusting the title to only reflect the SELinux part.
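
The SELinux check from the original report, generalized to several instance ports, as an added example that is not part of the issue thread or the module's code. The sample `semanage port -l` text is constructed (only the `redis_port_t tcp` line comes from the issue), and the function names and the `example_port_t` type are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: report which Redis instance ports lack the redis_port_t label.

# Constructed sample of `semanage port -l` output. The redis_port_t tcp line is
# the one quoted in the issue; the other entries are made up for illustration.
SAMPLE_SEMANAGE_OUTPUT='SELinux Port Type              Proto    Port Number

example_port_t                 tcp      7000-7005
redis_port_t                   tcp      6379, 16379, 26379
redis_port_t                   udp      6390'

# port_is_labelled TYPE PROTO PORT  (reads `semanage port -l` text on stdin)
# Exit status 0 if PORT appears, alone or inside a range, under TYPE/PROTO.
port_is_labelled() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)          # drop the list separator
                n = split(entry, r, "-")      # "7000-7005" is a range
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# missing_redis_ports SEMANAGE_TEXT PORT...
# Prints each instance port that is not yet labelled redis_port_t for tcp.
missing_redis_ports() {
    listing="$1"
    shift
    for port in "$@"; do
        if ! printf '%s\n' "$listing" | port_is_labelled redis_port_t tcp "$port"; then
            printf '%s\n' "$port"
        fi
    done
}

# Dry run: print the semanage command for each unlabelled port.
# On a real host pass "$(semanage port -l)" instead of the sample text.
for p in $(missing_redis_ports "$SAMPLE_SEMANAGE_OUTPUT" 6379 6380 6381); do
    echo "semanage port -a -t redis_port_t -p tcp $p"
done
```

The protocol column is matched as well as the type, so a port labelled only for udp is still reported as missing for a TCP listener.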