redis: Move to container unit, Debian Bookworm

The container file is now directly based on Debian Bookworm, and uses official Debian packages.
2023-06-26 18:52:24 +01:00 · 2023-06-26 18:52:24 +01:00 · c5a6208e6a
parent dc48e4b06b
commit c5a6208e6a
9 changed files with 122 additions and 30 deletions
--- a/host/base/service/coreos-home-server-update
+++ b/host/base/service/coreos-home-server-update
@ -13,6 +13,7 @@ shopt -s globstar
 TEMP_CONFIG_PATH="$(git -C "$(dirname "$0")" rev-parse --show-toplevel)"
 HOST_CONFIG_PATH="/etc/coreos-home-server"
 SYSTEMD_CONFIG_PATH="/etc/systemd/system"
+QUADLET_CONFIG_PATH="/etc/containers/systemd"

 # Synchronize CoreOS home-server configuration for specific path.
 function sync-coreos-config() {
@ -67,6 +68,11 @@ function sync-systemd-services() {
        if test -n "$tmp"; then buffer="${buffer}"$'\n'"${tmp}"; fi
    done

+    for src in "$HOST_CONFIG_PATH"/*/quadlet/*; do
+        tmp="$(cp --verbose --recursive --update --target-directory "$QUADLET_CONFIG_PATH" "$src")"
+        if test -n "$tmp"; then buffer="${buffer}"$'\n'"${tmp}"; fi
+    done
+
    printf "%s\ndone.\n" "$buffer"
    if test -n "$buffer"; then return 0; else return 1; fi
 }
--- a/host/base/systemd/container-network@.service
+++ b/host/base/systemd/container-network@.service
@ -6,10 +6,9 @@ ConditionPathExists=!/etc/cni/net.d/%i.conflist

 [Service]
 Type=oneshot
-RemainAfterExit=true
 SyslogIdentifier=%N
+RemainAfterExit=true
 ExecStart=/bin/podman network create %i
-ExecStop=/bin/podman network rm %i

 [Install]
 WantedBy=multi-user.target
--- a/host/base/systemd/container-volume@.service
+++ b/host/base/systemd/container-volume@.service
@ -6,6 +6,7 @@ After=container-volume-restore@%i.service
 [Service]
 Type=oneshot
 SyslogIdentifier=%N
+RemainAfterExit=true
 ExecStart=/bin/sh -c 'podman volume exists %i || podman volume create %i'

 [Install]
--- a/service/README.md
+++ b/service/README.md
@ -13,17 +13,23 @@ corresponding directory:
  - `Containerfile` -- This file is used in building a container image, handled by the
    `container-build@example` service and presumably used in the systemd file for the `example`
    service.
-    
+
  - `example.env.template` -- An optional file containing `KEY=value` definitions that can then be
    used in the systemd service. Host-wide environment is also available in this context, and can be
    used in expanding shared configuration, secrets, etc. This file is used by the
    `container-environment@example` service.
-    
+
  - `systemd/` -- This directory contains systemd configuration, to be copied into the host-wide
    `/etc/systemd/system` directory. You'll typically find things like `example.service` files
    which run the service under Podman, as well as potential one-off services which copy files
    around in pre-existing Podman containers.

+  - `quadlet` -- This directory contains configuration for
+    [Quadlet](https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html), aka
+    `podman-systemd.unit`, which allows for generating comprehensive Systemd configuration from more
+    idiomatic templates. Most services will be found as `example.container` files, installed under
+    `/etc/containers/systemd` in running systems.
+
  - `container/` -- This directory contains any static files included in the Podman image, including
    templated configuration, scripts, etc.

--- a/service/redis/Containerfile
+++ b/service/redis/Containerfile
@ -1,6 +1,14 @@
-FROM docker.io/redis:6.2
+FROM docker.io/debian:bookworm-slim
+ARG VERSION=7.0
+
+RUN apt-get update -y && apt-get install -y --no-install-recommends ca-certificates
+ADD --chown=_apt https://packages.redis.io/gpg /etc/apt/trusted.gpg.d/redis.asc
+
+RUN echo "deb https://packages.redis.io/deb bookworm main" > /etc/apt/sources.list.d/redis.list && \
+    apt-get update && apt-get install -y --no-install-recommends redis-server="6:${VERSION}*"

 COPY container/config /etc/redis
 USER redis

-CMD ["redis-server", "/etc/redis/redis.conf"]
+EXPOSE 6379
+ENTRYPOINT ["redis-server", "/etc/redis/redis.conf"]
--- a/service/redis/container/config/redis.conf
+++ b/service/redis/container/config/redis.conf
@ -1,2 +1,78 @@
-# Enable persistence via append-only file.
+################################## NETWORK #####################################
+
+# Protected mode is a layer of security protection, in order to avoid that
+# Redis instances left open on the internet are accessed and exploited.
+#
+# When protected mode is on and the default user has no password, the server
+# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
+# (::1) or Unix domain sockets.
+#
+# By default protected mode is enabled. You should disable it only if
+# you are sure you want clients from other hosts to connect to Redis
+# even if no authentication is configured.
+
+protected-mode no
+
+################################# GENERAL #####################################
+
+# If you run Redis from upstart or systemd, Redis can interact with your
+# supervision tree. Options:
+#   supervised no      - no supervision interaction
+#   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
+#                        requires "expect stop" in your upstart job config
+#   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
+#                        on startup, and updating Redis status on a regular
+#                        basis.
+#   supervised auto    - detect upstart or systemd method based on
+#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
+# Note: these supervision methods only signal "process is ready."
+#       They do not enable continuous pings back to your supervisor.
+#
+# The default is "no". To run under upstart/systemd, you can simply uncomment
+# the line below:
+
+supervised systemd
+
+# Specify the server verbosity level.
+# This can be one of:
+# debug (a lot of information, useful for development/testing)
+# verbose (many rarely useful info, but not a mess like the debug level)
+# notice (moderately verbose, what you want in production probably)
+# warning (only very important / critical messages are logged)
+
+loglevel notice
+
+################################ SNAPSHOTTING  ################################
+
+# The working directory.
+#
+# The DB will be written inside this directory, with the filename specified
+# above using the 'dbfilename' configuration directive.
+#
+# The Append Only File will also be created inside this directory.
+#
+# Note that you must specify a directory here, not a file name.
+
+dir /var/lib/redis
+
+############################## APPEND ONLY MODE ###############################
+
+# By default Redis asynchronously dumps the dataset on disk. This mode is
+# good enough in many applications, but an issue with the Redis process or
+# a power outage may result into a few minutes of writes lost (depending on
+# the configured save points).
+#
+# The Append Only File is an alternative persistence mode that provides
+# much better durability. For instance using the default data fsync policy
+# (see later in the config file) Redis can lose just one second of writes in a
+# dramatic event like a server power outage, or a single write if something
+# wrong with the Redis process itself happens, but the operating system is
+# still running correctly.
+#
+# AOF and RDB persistence can be enabled at the same time without problems.
+# If the AOF is enabled on startup Redis will load the AOF, that is the file
+# with the better durability guarantees.
+#
+# Please check https://redis.io/topics/persistence for more information.
+
 appendonly yes
--- a/service/redis/quadlet/redis.container
+++ b/service/redis/quadlet/redis.container
@ -0,0 +1,17 @@
+[Unit]
+Description=Redis Key-Value Store
+Wants=container-build@%N.service container-volume@%N.service
+After=container-build@%N.service container-volume@%N.service
+
+[Container]
+ContainerName=%N
+Image=localhost/%N:latest
+Network=internal
+Notify=true
+Volume=%N:/var/lib/%N:z
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/service/redis/spec.bu
+++ b/service/redis/spec.bu
@ -4,9 +4,5 @@ storage:
  trees:
    - path: /etc/coreos-home-server/redis
      local: service/redis/
-    - path: /etc/systemd/system
-      local: service/redis/systemd/
-systemd:
-  units:
-    - name: redis.service
-      enabled: true
+    - path: /etc/containers/systemd
+      local: service/redis/quadlet/
--- a/service/redis/systemd/redis.service
+++ b/service/redis/systemd/redis.service
@ -1,17 +0,0 @@
-[Unit]
-Description=Redis Key-Value Store
-Wants=container-build@%N.service container-volume@%N.service
-After=container-build@%N.service container-volume@%N.service
-
-[Service]
-Type=notify
-NotifyAccess=all
-SyslogIdentifier=%N
-Restart=on-failure
-Environment=PODMAN_SYSTEMD_UNIT=%n
-ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon --volume %N:/data:z localhost/%N:latest
-ExecStop=/bin/podman stop --ignore --time 10 %N
-ExecStopPost=/bin/podman rm --ignore --force %N
-
-[Install]
-WantedBy=multi-user.target