From 67e4670ff9ebec83bafee2d9aa7abf94804522b0 Mon Sep 17 00:00:00 2001 From: ale <ale@incal.net> Date: Tue, 18 Aug 2020 16:12:20 +0100 Subject: [PATCH] Remove all stretch-related configuration switches No need to support those anymore. Fixes issue #78. --- roles/base/files/mtail.service | 2 +- roles/base/files/mtail.service.buster | 17 -------------- roles/base/files/node-exporter.default | 7 +----- roles/base/files/node-exporter.default.buster | 1 - roles/base/tasks/apt.yml | 19 ---------------- roles/base/tasks/harden.yml | 1 + roles/base/tasks/prometheus.yml | 2 +- roles/base/tasks/syslog.yml | 12 ++-------- roles/base/templates/ssh/sshd_config.j2 | 4 ---- roles/docker/tasks/buster_upgrade.yml | 22 ------------------- roles/docker/tasks/main.yml | 7 ------ roles/mariadb/tasks/main.yml | 2 +- roles/mariadb/templates/exporter.service.j2 | 4 ---- test/integration-test-docker.yml | 7 ------ 14 files changed, 7 insertions(+), 100 deletions(-) delete mode 100644 roles/base/files/mtail.service.buster delete mode 100644 roles/base/files/node-exporter.default.buster delete mode 100644 roles/docker/tasks/buster_upgrade.yml diff --git a/roles/base/files/mtail.service b/roles/base/files/mtail.service index 69dec022..594e5218 100644 --- a/roles/base/files/mtail.service +++ b/roles/base/files/mtail.service @@ -5,7 +5,7 @@ Requires=mtail.socket [Service] Type=simple # Systemd will pass mtail.socket as FD 3. -ExecStart=/usr/bin/mtail -progs /etc/mtail -logtostderr -port 3903 -logfds 3 +ExecStart=/usr/bin/mtail --progs /etc/mtail --logtostderr --port 3903 --logs /dev/fd/3 Restart=on-failure User=mtail diff --git a/roles/base/files/mtail.service.buster b/roles/base/files/mtail.service.buster deleted file mode 100644 index 594e5218..00000000 --- a/roles/base/files/mtail.service.buster +++ /dev/null 
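Review bot: The rewritten `ExecStart` in roles/base/files/mtail.service passes `--port 3903` with no bind address, so as far as this line shows the mtail HTTP listener accepts connections on every interface of the host. If the metrics are only scraped over one internal address, mtail's `--address` flag would narrow the exposure. If the port is instead limited by packet filtering, a comment above `ExecStart` such as `# 3903 listens on all addresses; access is limited by the host firewall.` would record where that restriction lives. Whether such a rule exists is not visible in this patch, and the rest of the unit lies outside the hunk.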
@@ -1,17 +0,0 @@ -[Unit] -Description=MTail -Requires=mtail.socket - -[Service] -Type=simple -# Systemd will pass mtail.socket as FD 3. -ExecStart=/usr/bin/mtail --progs /etc/mtail --logtostderr --port 3903 --logs /dev/fd/3 -Restart=on-failure -User=mtail - -# Limit memory leaks -MemoryMax=1G -ExecStartPost=+/bin/sh -c "echo 0 > /sys/fs/cgroup/memory/system.slice/%n/memory.swappiness" - -[Install] -WantedBy=multi-user.target diff --git a/roles/base/files/node-exporter.default b/roles/base/files/node-exporter.default index b9948f2d..e97bc9bb 100644 --- a/roles/base/files/node-exporter.default +++ b/roles/base/files/node-exporter.default @@ -1,6 +1 @@ - -ARGS="--collectors.enabled=conntrack,diskstats,entropy,filefd,filesystem,hwmon,loadavg,meminfo,netdev,netstat,sockstat,stat,systemd,textfile,time,uname,vmstat \ - --collector.diskstats.ignored-devices=^(ram|loop|fd)\d+$ \ - --collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run)($|/) \ - --collector.textfile.directory=/var/lib/prometheus/node-exporter \ - --collector.systemd.unit-blacklist=^.*\.(device|swap|mount)$" +ARGS="--collector.systemd.unit-blacklist=.+(\.device|\.swap|\.mount|\.scope|\.slice|\.target)" diff --git a/roles/base/files/node-exporter.default.buster b/roles/base/files/node-exporter.default.buster deleted file mode 100644 index e97bc9bb..00000000 --- a/roles/base/files/node-exporter.default.buster +++ /dev/null @@ -1 +0,0 @@ -ARGS="--collector.systemd.unit-blacklist=.+(\.device|\.swap|\.mount|\.scope|\.slice|\.target)" diff --git a/roles/base/tasks/apt.yml b/roles/base/tasks/apt.yml index e959d5d2..50a02f07 100644 --- a/roles/base/tasks/apt.yml +++ b/roles/base/tasks/apt.yml 
@@ -76,26 +76,7 @@ - restic - runcron - acpid - -- name: Install Stretch packages - apt: - name: "{{ packages }}" - state: present - vars: - packages: - - apt-transport-https - - liblz4-tool - - python-docker - when: float_debian_dist == 'stretch' - -- name: Install Buster packages - apt: - name: "{{ packages }}" - state: present - vars: - packages: - lz4 - when: float_debian_dist == 'buster' - name: Install extra packages apt: diff --git a/roles/base/tasks/harden.yml b/roles/base/tasks/harden.yml index a23b0ced..3ed2700d 100644 --- a/roles/base/tasks/harden.yml +++ b/roles/base/tasks/harden.yml @@ -41,6 +41,7 @@ # Audit configuration on Debian stretch uses augenrules by default, so # we copy our rules in /etc/audit/rules.d. +# TODO: evaluate whether we still need this. - name: Auditd installed apt: name: "{{ packages }}" diff --git a/roles/base/tasks/prometheus.yml b/roles/base/tasks/prometheus.yml index dc22d3da..8e822dfe 100644 --- a/roles/base/tasks/prometheus.yml +++ b/roles/base/tasks/prometheus.yml @@ -2,7 +2,7 @@ - name: Install prometheus config files in /etc/default copy: - src: "{{ 'node-exporter.default' if ansible_distribution_release == 'stretch' else 'node-exporter.default.buster' }}" + src: "node-exporter.default" dest: "/etc/default/prometheus-node-exporter" notify: - reload prometheus-node-exporter diff --git a/roles/base/tasks/syslog.yml b/roles/base/tasks/syslog.yml index 09828c14..cac9e5fb 100644 --- a/roles/base/tasks/syslog.yml +++ b/roles/base/tasks/syslog.yml 
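Review bot: The TODO added in roles/base/tasks/harden.yml does not say what "this" refers to, and it sits directly above the `Auditd installed` task, so it can be read as questioning the audit daemon itself rather than the stretch-specific remark about augenrules and /etc/audit/rules.d. The comment above it still describes Debian stretch, which this commit stops supporting, so I would reword both lines. For example `# Audit rules are copied to /etc/audit/rules.d and loaded by augenrules.` followed by `# TODO: confirm buster's auditd still loads rules.d by default.`. The task body continues outside the hunk.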
@@ -8,17 +8,9 @@ dest: "/etc/apt/preferences.d/99float-syslog" when: float_debian_dist == 'buster' -# Install rsyslog from the backports repository. This isn't strictly -# necessary but it is done to have the same version of rsyslog on all -# hosts, including the log-collector. -# -# This sources.list check must use float_debian_dist because otherwise -# Ansible complains about the unknown source on dist upgrades. -# TODO: drop this check when stretch is obsolete. -- name: Install rsyslog packages from backports +- name: Install rsyslog packages apt: name: "{{ packages }}" - default_release: "{{ 'stretch-backports' if float_debian_dist == 'stretch' else '' }}" state: present vars: packages: @@ -34,7 +26,7 @@ - name: Install mtail systemd unit copy: - src: "{{ 'mtail.service' if ansible_distribution_release == 'stretch' else 'mtail.service.buster' }}" + src: "mtail.service" dest: "/etc/systemd/system/mtail.service" notify: restart mtail diff --git a/roles/base/templates/ssh/sshd_config.j2 b/roles/base/templates/ssh/sshd_config.j2 index ac1a9694..4c7baeb8 100644 --- a/roles/base/templates/ssh/sshd_config.j2 +++ b/roles/base/templates/ssh/sshd_config.j2 @@ -12,10 +12,6 @@ HostKey /etc/ssh/ssh_host_{{ key_type }}_key HostCertificate /etc/ssh/ssh_host_{{ key_type }}_key-cert.pub {% endfor %} -{% if ansible_distribution_release == 'stretch' %} -UsePrivilegeSeparation sandbox -{% endif %} - # Ciphers and MACs KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr diff --git a/roles/docker/tasks/buster_upgrade.yml b/roles/docker/tasks/buster_upgrade.yml deleted file mode 100644 index 5d31aeb1..00000000 --- a/roles/docker/tasks/buster_upgrade.yml +++ /dev/null 
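Review bot: With `default_release` removed from the `Install rsyslog packages` task, the origin of the rsyslog packages is decided only by the pin file `/etc/apt/preferences.d/99float-syslog` written by the preceding task, and the deleted comment was the only place explaining why a non-default version is wanted. That preceding task is still guarded by `when: float_debian_dist == 'buster'` (context at the top of the first syslog.yml hunk), so on any other release the pin is skipped without a message and the stock rsyslog is installed. This looks like a leftover dist switch, though the task begins outside the hunk and the pin's contents are not shown. I would keep a short comment such as `# rsyslog is pinned via 99float-syslog so every host matches the log-collector.` and either drop the `when:` or note why it stays.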
@@ -1,22 +0,0 @@ -- name: Remove docker.com GPG key - apt_key: - id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 - url: https://download.docker.com/linux/debian/gpg - state: absent - -- name: Remove docker packages - apt: - name: "{{ packages }}" - state: absent - vars: - packages: - - docker-ce - - systemd-docker - -- name: Remove docker files - file: - dest: "{{ item }}" - state: absent - with_items: - - /etc/apt/sources.list.d/download_docker_com_linux_debian.list - - /etc/docker diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index ae497647..d4493153 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -3,13 +3,6 @@ - set_fact: container_runtime: "podman" -- set_fact: - container_runtime: "docker" - when: "ansible_distribution_release == 'stretch'" - -- include_tasks: buster_upgrade.yml - when: "ansible_distribution_release == 'buster'" - - include_tasks: docker.yml when: "container_runtime == 'docker'" diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 56316d13..9f410f96 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -114,7 +114,7 @@ register: mariadb_systemd_unit - name: Bootstrap data directory - shell: "/usr/bin/mysql_install_db --defaults-file={{ mariadb_config }} --datadir={{ mariadb_data_dir }} --user=mysql --auth-root-authentication-method=socket {{ ansible_distribution_release == 'stretch' and '--skip-auth-anonymous-user' or '' }} && date > {{ mariadb_data_dir }}/.float-bootstrap-ok" + shell: "/usr/bin/mysql_install_db --defaults-file={{ mariadb_config }} --datadir={{ mariadb_data_dir }} --user=mysql --auth-root-authentication-method=socket && date > {{ mariadb_data_dir }}/.float-bootstrap-ok" args: creates: "{{ mariadb_data_dir }}/.float-bootstrap-ok" diff --git a/roles/mariadb/templates/exporter.service.j2 b/roles/mariadb/templates/exporter.service.j2 index 2cd55e04..30b7e2d0 100644 --- a/roles/mariadb/templates/exporter.service.j2 
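Review bot: The `Bootstrap data directory` command in roles/mariadb/tasks/main.yml no longer passes `--skip-auth-anonymous-user` on any path, and nothing in the hunk shows anonymous accounts being removed afterwards. The old expression already omitted the flag on buster, so behaviour there is unchanged, but the reason for omitting it is now undocumented. If buster's `mysql_install_db` accepts the option I would pass it unconditionally; otherwise add a comment above the task saying why it is not needed, and verify after bootstrap that `mysql.user` holds no rows with an empty user name. Separately, `{{ mariadb_config }}` and `{{ mariadb_data_dir }}` are interpolated unquoted into the `shell:` string, so applying `| quote` to each would keep a path containing spaces or shell metacharacters from altering the command. The task continues outside the hunk.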
+++ b/roles/mariadb/templates/exporter.service.j2 @@ -4,11 +4,7 @@ Description=Prometheus exporter for MySQL server (%I) [Service] Restart=always User=prometheus -{% if ansible_distribution_release == 'stretch' %} -ExecStart=/usr/bin/prometheus-mysqld-exporter -web.listen-address {{ mariadb_metrics_address }}:{{ mariadb_metrics_port }} -config.my-cnf {{ mariadb_metrics_config }} -collect.info_schema.tables=false -collect.info_schema.tablestats=false -{% else %} ExecStart=/usr/bin/prometheus-mysqld-exporter --web.listen-address {{ mariadb_metrics_address }}:{{ mariadb_metrics_port }} --config.my-cnf {{ mariadb_metrics_config }} --no-collect.info_schema.tables --no-collect.info_schema.tablestats -{% endif %} [Install] WantedBy=multi-user.target diff --git a/test/integration-test-docker.yml b/test/integration-test-docker.yml index d896929a..ade66b7e 100644 --- a/test/integration-test-docker.yml +++ b/test/integration-test-docker.yml @@ -8,15 +8,8 @@ dest: /tmp/test-config.yml content: "{{ vars|to_nice_yaml }}" - - name: Setup test Docker image - docker_image: - name: registry.git.autistici.org/ai3/float:integration-test - force: true - when: "ansible_distribution_release == 'stretch'" - - name: Setup test Docker image command: "podman pull registry.git.autistici.org/ai3/float:integration-test" - when: "ansible_distribution_release != 'stretch'" - name: Run tests command: docker run --net host --mount type=bind,source=/tmp/test-config.yml,destination=/test-config.yml registry.git.autistici.org/ai3/float:integration-test -- GitLab