Move memcached changes from platform-utils

Use mecached-custom package to package service file to system folder instead of platform-utils. Basic deployment test pass and service file status check pass. Story: 2004108 Task: 27517 Depends-on: https://review.openstack.org/#/c/614085/ Change-Id: Ic66f077159be2f21caa6e8e68241aae65b9f2245 Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-10-30 19:15:40 +08:00 · 2018-10-30 19:15:40 +08:00 · 47c844d9f2
commit 47c844d9f2
parent a9ebc3cac0
3 changed files with 88 additions and 0 deletions
--- a/memcached-custom/centos/build_srpm.data
+++ b/memcached-custom/centos/build_srpm.data
@ -0,0 +1,2 @@
+SRC_DIR="files"
+TIS_PATCH_VER=1
--- a/memcached-custom/centos/memcached-custom.spec
+++ b/memcached-custom/centos/memcached-custom.spec
@ -0,0 +1,31 @@
+Summary: memcached-custom
+Name: memcached-custom
+Version: 1.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+License: Apache-2.0
+Group: base
+Packager: StarlingX
+URL: unknown
+BuildArch: noarch
+Source: %name-%version.tar.gz
+
+Summary: package memcached service files to system folder.
+
+%description
+package memcached service files to system folder.
+
+%prep
+%setup
+
+%build
+
+%install
+%{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
+%{__install} -m 644 -p memcached.service %{buildroot}%{_sysconfdir}/systemd/system/memcached.service
+
+%post
+
+%files
+%defattr(-,root,root,-)
+%{_sysconfdir}/systemd/system/memcached.service
+
--- a/memcached-custom/files/memcached.service
+++ b/memcached-custom/files/memcached.service
@ -0,0 +1,55 @@
+#
+# This service file is a customized version in platform-util package from
+# openstack/stx-integ project
+
+[Unit]
+Description=memcached daemon
+Before=httpd.service
+After=network-online.target
+
+[Service]
+EnvironmentFile=/etc/sysconfig/memcached
+ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
+
+# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
+# so this service cannot access the global directories and other processes cannot
+# access this service's directories.
+PrivateTmp=true
+
+# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
+ProtectSystem=full
+
+# Ensures that the service process and all its children can never gain new privileges
+NoNewPrivileges=true
+
+# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
+# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
+# but no physical devices such as /dev/sda.
+PrivateDevices=true
+
+# Required for dropping privileges and running as a different user
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+LimitNOFILE=16384
+
+# Attempts to create memory mappings that are writable and executable at the same time,
+# or to change existing memory mappings to become executable are prohibited.
+# XXX: this property is supported with systemd 231+ which is not yet on EL7
+# MemoryDenyWriteExecute=true
+
+# Restricts the set of socket address families accessible to the processes of this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# These service parameters are commented out since they are incompatible with
+# Centos 7 and generate warning messages when included.
+#ProtectKernelModules=true
+#ProtectKernelTunables=true
+#ProtectControlGroups=true
+#RestrictRealtime=true
+#RestrictNamespaces=true
+
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target