puppet: Inline all sysctl settings, and always check for containers.

2024-02-02 15:26:27 -05:00 · 2024-02-02 15:26:27 -05:00 · 069f262e7b
parent fd69f5f8e2
commit 069f262e7b
7 changed files with 31 additions and 25 deletions
--- a/puppet/zulip/manifests/app_frontend_base.pp
+++ b/puppet/zulip/manifests/app_frontend_base.pp
@ -206,8 +206,9 @@ class zulip::app_frontend_base {
    notify  => Service[$zulip::common::supervisor_service],
  }
  zulip::sysctl { 'uwsgi':
-    content     => template('zulip/sysctl.d/40-uwsgi.conf.erb'),
-    skip_docker => true,
+    comment => 'Allow larger listen backlog',
+    key     => 'net.core.somaxconn',
+    value   => $somaxconn,
  }

  file { [
--- a/puppet/zulip/manifests/sysctl.pp
+++ b/puppet/zulip/manifests/sysctl.pp
@ -1,25 +1,31 @@
 # @summary Adds a sysctl file, and immediately runs it.
 define zulip::sysctl (
-  $source = undef,
-  $content = undef,
-  $skip_docker = false,
+  $key,
+  $value,
+  $order = 40,
+  $comment = '',
 ) {
-  file { "/etc/sysctl.d/40-${name}.conf":
+  if $comment == '' {
+    $content = "${key} = ${value}\n"
+  } else {
+    $content = "# ${comment}\n${key} = ${value}\n"
+  }
+  file { "/etc/sysctl.d/${order}-${name}.conf":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
-    source  => $source,
    content => $content,
  }
-  $onlyif = $skip_docker ? {
-    true    => 'touch /proc/sys/net/core/somaxconn',
-    default => undef,
-  }
+
+  # Try to touch the procfile before trying to adjust it -- if we're
+  # in a containerized environment, failure to set this is not a fatal
+  # exception.
+  $procpath = regsubst($key, '\.', '/')
  exec { "sysctl_p_${name}":
-    command     => "/sbin/sysctl -p /etc/sysctl.d/40-${name}.conf",
-    subscribe   => File["/etc/sysctl.d/40-${name}.conf"],
+    command     => "/sbin/sysctl -p /etc/sysctl.d/${order}-${name}.conf",
+    subscribe   => File["/etc/sysctl.d/${order}-${name}.conf"],
    refreshonly => true,
-    onlyif      => $onlyif,
+    onlyif      => "touch /proc/sys/${procpath}",
  }
 }
--- a/puppet/zulip/templates/sysctl.d/40-uwsgi.conf.erb
+++ b/puppet/zulip/templates/sysctl.d/40-uwsgi.conf.erb
@ -1,2 +0,0 @@
-# Allow larger listen backlog
-net.core.somaxconn=<%= [128, @somaxconn].max %>
--- a/puppet/zulip_ops/files/postgresql/40-postgresql.conf
+++ b/puppet/zulip_ops/files/postgresql/40-postgresql.conf
@ -1,3 +0,0 @@
-# Virtual memory settings
-vm.swappiness = 0
-vm.overcommit_memory = 2
--- a/puppet/zulip_ops/manifests/profile/postgresql.pp
+++ b/puppet/zulip_ops/manifests/profile/postgresql.pp
@ -9,8 +9,13 @@ class zulip_ops::profile::postgresql inherits zulip_ops::profile::base {

  zulip_ops::firewall_allow{ 'postgresql': }

-  zulip::sysctl { 'postgresql':
-    source => 'puppet:///modules/zulip_ops/postgresql/40-postgresql.conf',
+  zulip::sysctl { 'postgresql-swappiness':
+    key   => 'vm.swappiness',
+    value => '0',
+  }
+  zulip::sysctl { 'postgresql-overcommit':
+    key   => 'vm.overcommit_memory',
+    value => '2',
  }

  file { '/root/setup_disks.sh':
--- a/puppet/zulip_ops/manifests/profile/prod_app_frontend.pp
+++ b/puppet/zulip_ops/manifests/profile/prod_app_frontend.pp
@ -9,9 +9,10 @@ class zulip_ops::profile::prod_app_frontend inherits zulip_ops::profile::base {
    keys => 'internal-limited-write-deploy-key',
  }

-  $conntrack_max = zulipconf('application_server', 'conntrack_max', 262144)
  zulip::sysctl { 'conntrack':
-    content => template('zulip_ops/sysctl.d/40-conntrack.conf.erb'),
+    comment => 'Increase conntrack kernel table size',
+    key     => 'net.nf_conntrack_max',
+    value   => zulipconf('application_server', 'conntrack_max', 262144),
  }

  file { '/etc/nginx/sites-available/zulip':
--- a/puppet/zulip_ops/templates/sysctl.d/40-conntrack.conf.erb
+++ b/puppet/zulip_ops/templates/sysctl.d/40-conntrack.conf.erb
@ -1,2 +0,0 @@
-# Increase conntrack kernel table size
-net.nf_conntrack_max=<%= @conntrack_max %>