From 1239320dffc39f6f55e3a42b69486ee7b4ecdce8 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Jan 07 2022 12:49:57 +0000 Subject: Merge branch 'cboltz-wikisearch' into 'production' Update wikisearch role to Elasticsearch 6.8 See merge request infra/salt!531 --- diff --git a/pillar/role/wikisearch.sls b/pillar/role/wikisearch.sls index 891508a..3e5439b 100644 --- a/pillar/role/wikisearch.sls +++ b/pillar/role/wikisearch.sls @@ -7,38 +7,19 @@ apparmor: source: salt://profile/wikisearch/files/elasticsearch.apparmor elasticsearch: + pkg: elasticsearch6 use_repo: False config: node.name: ${HOSTNAME} node.master: true node.data: true - index.number_of_shards: 1 - index.number_of_replicas: 0 + path.data: /var/lib/elasticsearch + path.logs: /var/log/elasticsearch network.host: 0.0.0.0 http.port: 9200 http.enabled: true - discovery.zen.minimum_master_nodes: 1 - discovery.zen.ping.multicast.enabled: false sysconfig: # elasticsearch-formula rewrites the sysconfig file from scratch, therefore we have to copy all of its contents here - CONF_DIR: /etc/elasticsearch - CONF_FILE: /etc/elasticsearch/elasticsearch.yml - DATA_DIR: /var/lib - ES_CLUSTER_NAME: elasticsearch - ES_DIRECT_SIZE: '' - ES_HEAP_NEWSIZE: '' - ES_HEAP_SIZE: 256m - ES_HOME: /usr/share/elasticsearch - ES_HTTP_HOST: '' - ES_JAVA_OPTS: '' - ES_NODE_NAME: '' - ES_PLUGIN_DIR: /usr/share/java/elasticsearch/plugins + ES_PATH_CONF: /etc/elasticsearch ES_STARTUP_SLEEP_TIME: 5 - ES_USER: elasticsearch - LOG_DIR: /var/log/elasticsearch - MAX_OPEN_FILES: 65534 - MAX_LOCKED_MEMORY: unlimited - PID_DIR: /var/run/elasticsearch - RESTART_ON_UPGRADE: true - WORK_DIR: /tmp/elasticsearch - version: 1.7.6 + version: 6.8.22 diff --git a/salt/profile/wiki/files/LocalSettings.php b/salt/profile/wiki/files/LocalSettings.php index 521b4fe..588bf24 100644 --- a/salt/profile/wiki/files/LocalSettings.php +++ b/salt/profile/wiki/files/LocalSettings.php 
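Review bot: Dropping `discovery.zen.minimum_master_nodes: 1` leaves this master+data node on the 6.x zen discovery defaults; since the role is a single node, saying so under `config:` with `discovery.type: single-node` makes the intent explicit instead of relying on the default unicast ping to localhost. The removed `index.number_of_replicas: 0` cannot simply move elsewhere in elasticsearch.yml (6.x, as far as I recall, rejects index-level settings in node config), so unless an index template or CirrusSearch's replica setting pins replicas to 0, every index on this one node will sit at yellow health — a comment next to `config:` saying where replicas are now controlled would save the next reader the search. The `network.host: 0.0.0.0` context line is unchanged, but with 6.8 binding to a non-loopback address enforces the bootstrap checks at startup, and the limits previously carried in sysconfig (`MAX_OPEN_FILES`, `MAX_LOCKED_MEMORY`) now have to come from the systemd unit; presumably the elasticsearch6 package unit sets them — confirm on the host.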
@@ -365,5 +365,6 @@ $wgCirrusSearchNamespaceWeights = array( NS_ARCHIVE => 0.2, NS_HCL => 0.2, ); +$wgCirrusSearchPhraseSuggestUseText = true; # use fulltext (not only page titles) for "did you mean?" language model # ---------------------------------- diff --git a/salt/profile/wikisearch/files/elasticsearch.apparmor b/salt/profile/wikisearch/files/elasticsearch.apparmor index b7b5c73..ba60150 100644 --- a/salt/profile/wikisearch/files/elasticsearch.apparmor +++ b/salt/profile/wikisearch/files/elasticsearch.apparmor @@ -1,11 +1,10 @@ # managed by salt - do not edit manually! -# AppArmor profile for elasticsearch 1.7 - +# AppArmor profile for elasticsearch 6.8 # vim: ft=apparmor # ------------------------------------------------------------------ # -# Copyright (C) 2017 Christian Boltz +# Copyright (C) 2017-2022 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public 
@@ -15,101 +14,132 @@ #include -profile elasticsearch /usr/share/java/elasticsearch/bin/elasticsearch flags=(complain) { +profile elasticsearch /usr/share/elasticsearch/bin/elasticsearch flags=(complain) { #include - /bin/hostname Cx, + capability sys_ptrace, + /dev/tty rw, - /usr/bin/dirname mrix, - /usr/bin/getopt mrix, - /usr/bin/uname mrix, - /usr/bin/which mrix, - /usr/lib*/jvm/java-*-openjdk-*/jre/bin/java rCx -> java, - /usr/share/java/elasticsearch/bin/elasticsearch r, - /usr/share/java/elasticsearch/bin/elasticsearch.in.sh r, + /etc/nsswitch.conf r, + /etc/passwd r, + /usr/bin/basename Cx -> helper, + /usr/bin/dirname Cx -> helper, + /usr/bin/grep Cx -> helper, + /usr/bin/which Cx -> helper, + /usr/lib64/jvm/java-11-openjdk-11/bin/java Cx -> java, + /usr/share/elasticsearch/ r, + /usr/share/elasticsearch/bin/elasticsearch r, + /usr/share/elasticsearch/bin/elasticsearch-env r, - profile /bin/hostname flags=(complain) { + profile helper flags=(complain) { #include - #include - /bin/hostname mr, + /usr/bin/basename mr, + /usr/bin/dirname mr, + /usr/bin/grep mr, + /usr/bin/which mr, } profile java flags=(complain) { #include - #include - / r, - /dev/ r, - /dev/hugepages/ r, - /dev/mqueue/ r, - /dev/pts/ r, + ptrace read peer=elasticsearch//ldconfig, + /etc/elasticsearch/ r, /etc/elasticsearch/elasticsearch.yml r, - /etc/elasticsearch/logging.yml r, - /lib*/ r, - /proc/ r, - /proc/*/ r, - /proc/*/fd/ r, - /proc/*/maps r, - /proc/*/mounts r, - /proc/*/net/dev r, + /etc/elasticsearch/jvm.options r, + /etc/elasticsearch/log4j2.properties r, + /etc/elasticsearch/scripts/ r, + /etc/host.conf r, + /etc/hosts r, + /etc/nsswitch.conf r, + /etc/passwd r, /proc/*/net/if_inet6 r, /proc/*/net/ipv6_route r, - /proc/*/net/snmp r, /proc/*/stat r, - /proc/*/statm r, - /proc/cpuinfo r, /proc/diskstats r, /proc/loadavg r, - /proc/meminfo r, - /proc/mtrr r, - /proc/stat r, - /proc/sys/fs/binfmt_misc/ r, - /proc/uptime r, - /proc/vmstat r, - /run/ r, - /run/elasticsearch/ r, - 
/run/elasticsearch/elasticsearch.pid rw, - /run/user/0/ r, - /sys/ r, - /sys/devices/system/cpu/ r, - /sys/fs/cgroup/ r, - /sys/fs/cgroup/blkio/ r, - /sys/fs/cgroup/cpu,cpuacct/ r, - /sys/fs/cgroup/cpuset/ r, - /sys/fs/cgroup/devices/ r, - /sys/fs/cgroup/freezer/ r, - /sys/fs/cgroup/hugetlb/ r, - /sys/fs/cgroup/memory/ r, - /sys/fs/cgroup/net_cls,net_prio/ r, - /sys/fs/cgroup/perf_event/ r, - /sys/fs/cgroup/pids/ r, - /sys/fs/cgroup/systemd/ r, - /sys/fs/pstore/ r, - /sys/kernel/debug/ r, - /sys/kernel/security/ r, - /tmp/ r, + /proc/sys/kernel/core_pattern r, + /proc/sys/kernel/pid_max r, + /proc/sys/kernel/threads-max r, + /proc/sys/net/core/somaxconn r, + /proc/sys/vm/max_map_count r, + /run/netconfig/resolv.conf r, + /sbin/ldconfig Px -> elasticsearch//ldconfig, + /sys/devices/system/cpu/offline r, + /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, + /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, + /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, + /sys/fs/cgroup/cpu,cpuacct/cpuacct.usage r, + /sys/fs/cgroup/cpuset/cpuset.cpus r, + /sys/fs/cgroup/cpuset/cpuset.mems r, + /sys/fs/cgroup/memory/memory.limit_in_bytes r, + /sys/fs/cgroup/memory/memory.max_usage_in_bytes r, + /sys/fs/cgroup/memory/memory.soft_limit_in_bytes r, + /sys/fs/cgroup/memory/memory.stat r, + /sys/fs/cgroup/memory/memory.usage_in_bytes r, + /sys/fs/cgroup/memory/memory.use_hierarchy r, + /sys/kernel/mm/transparent_hugepage/defrag r, + /sys/kernel/mm/transparent_hugepage/enabled r, + /usr/lib64/jvm/java-11-openjdk-11/bin/java mr, + /usr/share/elasticsearch/ r, + /usr/share/elasticsearch/lib/ r, + /usr/share/elasticsearch/lib/*.jar r, + /usr/share/elasticsearch/modules/ r, + /usr/share/elasticsearch/modules/*/ r, + /usr/share/elasticsearch/modules/*/*.jar r, + /usr/share/elasticsearch/modules/*/*.policy r, + /usr/share/elasticsearch/modules/*/*.properties r, + /usr/share/elasticsearch/modules/percolator/*.jar r, + /usr/share/elasticsearch/plugins/ r, + 
/var/lib/ca-certificates/java-cacerts r, + owner /etc/elasticsearch/elasticsearch.keystore rw, + owner /etc/elasticsearch/elasticsearch.keystore.tmp rw, + owner /proc/*/ r, + owner /proc/*/cgroup r, + owner /proc/*/coredump_filter rw, + owner /proc/*/fd/ r, + owner /proc/*/mountinfo r, + owner /proc/*/mounts r, + owner /run/elasticsearch/elasticsearch.pid w, + owner /tmp/elasticsearch-*/ w, + owner /tmp/elasticsearch-*/*.tmp w, + owner /tmp/hs_err_pid*.log rw, owner /tmp/hsperfdata_elasticsearch/ rw, owner /tmp/hsperfdata_elasticsearch/* rw, - owner /tmp/jna--*/ rw, - owner /tmp/jna--*/*.tmp mrw, - /usr/ r, - /usr/lib*/ r, - /usr/share/ r, - /usr/share/java/ r, - /usr/share/java/elasticsearch/ r, - /usr/share/java/elasticsearch/** r, - /usr/share/java/elasticsearch/lib/sigar/libsigar-amd64-linux.so mr, - /var/ r, - /var/lib/ r, - owner /var/lib/elasticsearch/ r, - owner /var/lib/elasticsearch/nodes/ rw, - owner /var/lib/elasticsearch/nodes/** rwk, - owner /var/log/elasticsearch/*.log rw, - owner /var/log/elasticsearch/elasticsearch.log.20[12][0-9]-[01][0-9]-[0-3][0-9] rw, + owner /var/lib/elasticsearch/.cache/ w, + owner /var/lib/elasticsearch/.cache/JNA/ w, + owner /var/lib/elasticsearch/.cache/JNA/temp/ rw, + owner /var/lib/elasticsearch/.cache/JNA/temp/*.tmp mrw, + owner /var/lib/elasticsearch/nodes/ w, + owner /var/lib/elasticsearch/nodes/0/ w, + owner /var/lib/elasticsearch/nodes/0/.es_temp_file w, + owner /var/lib/elasticsearch/nodes/0/.es_temp_file.final w, + owner /var/lib/elasticsearch/nodes/0/.es_temp_file.tmp rw, + owner /var/lib/elasticsearch/nodes/0/_state/ rw, + owner /var/lib/elasticsearch/nodes/0/_state/global-[0-9].st rw, + owner /var/lib/elasticsearch/nodes/0/_state/global-[0-9].st.tmp rw, + owner /var/lib/elasticsearch/nodes/0/_state/node-[0-9].st rw, + owner /var/lib/elasticsearch/nodes/0/_state/node-[0-9].st.tmp rw, + owner /var/lib/elasticsearch/nodes/0/indices/ rw, + owner /var/lib/elasticsearch/nodes/0/indices/** rwk, + owner 
/var/lib/elasticsearch/nodes/0/node.lock wk, + owner /var/log/elasticsearch/elasticsearch.log rw, + owner /var/log/elasticsearch/elasticsearch_deprecation.log rw, + owner /var/log/elasticsearch/elasticsearch_index_indexing_slowlog.log rw, + owner /var/log/elasticsearch/elasticsearch_index_search_slowlog.log rw, + owner /var/log/elasticsearch/loggc rw, + owner /var/log/elasticsearch/loggc.*[0-9] w, + + } + + profile ldconfig flags=(complain) { + #include + + /sbin/ldconfig mr, } } diff --git a/salt/profile/wikisearch/init.sls b/salt/profile/wikisearch/init.sls index 533be1b..2738048 100644 --- a/salt/profile/wikisearch/init.sls +++ b/salt/profile/wikisearch/init.sls @@ -1,2 +1,19 @@ include: - elasticsearch + + +# enforce that elasticsearch only starts if the AppArmor profile is loaded +/etc/systemd/system/elasticsearch.service.d: + file.directory + +/etc/systemd/system/elasticsearch.service.d/es-apparmor.conf: + file.managed: + - contents: + - '[service]' + - AppArmorProfile=elasticsearch + - require_in: + - elasticsearch + cmd.run: + - name: systemctl daemon-reload + - onchanges: + - file: /etc/systemd/system/elasticsearch.service.d/es-apparmor.conf
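Review bot: Every profile in the new file, from the `profile elasticsearch /usr/share/elasticsearch/bin/elasticsearch flags=(complain) {` header through the `helper`, `java` and `ldconfig` children, is still in complain mode, so the rules only produce audit log entries and do not confine the daemon; if that is deliberate while the 6.8 rule set settles, a comment such as `# complain mode until the 6.8 rule set is confirmed from the audit log; drop flags=(complain) to enforce` at the top of the profile would make it obvious, otherwise the flags should go now. The state-file patterns `owner /var/lib/elasticsearch/nodes/0/_state/global-[0-9].st rw,` (and the `.tmp` and `node-` variants) match a single digit, while the generation number in those file names keeps incrementing, so they stop matching after generation 9; `global-[0-9]*.st` covers the growing suffix. `capability sys_ptrace,` in the outer wrapper profile is broad for a shell script; the `ptrace read peer=elasticsearch//ldconfig,` rule in the java child looks like the actual need, so check the audit log before keeping the capability in the wrapper. `/usr/share/elasticsearch/modules/percolator/*.jar r,` is already covered by `/usr/share/elasticsearch/modules/*/*.jar r,` a few lines above and can be dropped.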
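Review bot: The drop-in content `'[service]'` uses a lowercase section name, but systemd matches unit-file section names case-sensitively, so it logs an unknown-section warning and ignores the `AppArmorProfile=elasticsearch` line beneath it — the start-only-if-the-profile-is-loaded guarantee the comment promises is not in effect. Change the line to `- '[Service]'`. Even with that fixed, the directive only confines to whatever the profile enforces; the profile shipped alongside is in complain mode, so this drop-in guarantees the profile is loaded rather than that the daemon is confined — worth stating in the comment above the state.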