diff --git a/ansible/deploy-api.yml b/ansible/deploy-api.yml index 106434f5a..b90d10795 100644 --- a/ansible/deploy-api.yml +++ b/ansible/deploy-api.yml @@ -12,22 +12,3 @@ - role: ooni-measurements tags: "api" ssl_domain: ams-api.ooni.nu - -# Commented out because it fails to run due to an old base OS -#- hosts: hkgmetadb.infra.ooni.io -# roles: -# - role: pguser-readonly -# login_user: shovel # FIXME: revoke superuser access from this user :) -# login_password: '{{ shovel_postgres_password }}' -# pg_db: metadb -# pg_name: oomsm-beta -# pg_password: '{{ oomsm_beta_postgres_password }}' -# tags: pg -# -# - role: pguser-readonly -# login_user: shovel # FIXME: revoke superuser access from this user :) -# login_password: '{{ shovel_postgres_password }}' -# pg_db: metadb -# pg_name: amsapi -# pg_password: '{{ metadb_amsapi_password }}' -# tags: pg diff --git a/ansible/deploy-backend.yml b/ansible/deploy-backend.yml index 8ae7b9707..222477da4 100644 --- a/ansible/deploy-backend.yml +++ b/ansible/deploy-backend.yml @@ -22,7 +22,6 @@ - "ps2.ooni.io" - "ps3.ooni.io" - "ps4.ooni.io" - - role: postgresql11 - role: ooni-backend ssl_domain: ams-pg.ooni.org diff --git a/ansible/deploy-msg.yml b/ansible/deploy-msg.yml deleted file mode 100644 index 2fc37353d..000000000 --- a/ansible/deploy-msg.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- import_playbook: ansible-version.yml - -- hosts: msg.ooni.io - gather_facts: true - vars: - letsencrypt_nginx: yes - letsencrypt_domains: "msg.ooni.io" - roles: - - letsencrypt - - grav diff --git a/ansible/deploy-pipeline-ddl.yml b/ansible/deploy-pipeline-ddl.yml deleted file mode 100644 index 970fd84a1..000000000 --- a/ansible/deploy-pipeline-ddl.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -- import_playbook: ansible-version.yml - -- hosts: hkgmetadb.infra.ooni.io - gather_facts: false - vars: - local_ddl: "{{ 'oometa/*.install.sql' | fileglob | difference(['oometa/000-A-versioning.install.sql']) | map('basename') | sort }}" - tasks: - - name: fetch applied DDLs - command: docker exec -i pl-psql psql -U shovel metadb -At -c "SELECT patch_name || '.install.sql' FROM _v.patches" - register: remote_ddl - changed_when: false - - - name: massage applied DDLs - set_fact: - remote_ddl: "{{ remote_ddl.stdout_lines | sort }}" - - - name: list local DDLs - debug: var=local_ddl - - - name: list applied DDLs - debug: var=remote_ddl - - - name: verify that all applied DDLs are already local - # if it fails do $(ln -s .../ooni-pipeline/af/oometa) :-) - assert: {that: remote_ddl | difference(local_ddl) | length == 0} - - - name: set DDLs to apply - set_fact: - new_ddl: "{{ local_ddl | difference(remote_ddl) | sort }}" - - - name: list new DDLs - debug: var=new_ddl - - - block: - - pause: - prompt: "is this fine? Type `This is fine.` if this is (-" - register: the_dog - - - assert: {that: the_dog.user_input | upper == "THIS IS FINE."} - - - name: create dir for DDLs - file: dest=/srv/pl-psql/ooni_ddl state=directory owner=root group=plpsql mode=0750 # this directory is bind-mounted inside of pl-pslq container - when: new_ddl | length > 0 - - - name: upload DDLs - copy: src={{ inventory_dir }}/oometa/{{ item }} dest=/srv/pl-psql/ooni_ddl/{{ item }} - with_items: "{{ new_ddl }}" - - - name: apply DDLs - command: docker exec -i pl-psql psql -U shovel metadb -f /srv/pl-psql/ooni_ddl/{{ item }} - with_items: "{{ new_ddl }}" diff --git a/ansible/deploy-pipeline.yml b/ansible/deploy-pipeline.yml index 63a6d0bb3..2247d86aa 100644 --- a/ansible/deploy-pipeline.yml +++ b/ansible/deploy-pipeline.yml 
@@ -1,48 +1,2 @@ --- - import_playbook: ansible-version.yml - -- hosts: [datacollector.infra.ooni.io, hkgmetadb.infra.ooni.io, amsmetadb.ooni.nu] - roles: - - docker_py - -- hosts: hkgmetadb.infra.ooni.io - gather_facts: false # already gathered - roles: - - role: ooca-cert - ooca_ssl_dir: /srv/pl-psql_ssl/pusher - ooca_ssl_subj: '/O=OONI/OU=Prometheus Pusher/CN=plpsql@{{ inventory_hostname }}' - ooca_group: plpsql - ooca_ca: pusher_ca - tags: [ on-rename, plpsql ] - -- hosts: [hkgmetadb.infra.ooni.io, amsmetadb.ooni.nu] - gather_facts: false # already gathered - vars: - ansible_python_interpreter: "/root/venv/bin/python2.7" - roles: - - role: plpsql - tags: plpsql - -- hosts: hkgmetadb.infra.ooni.io - gather_facts: false - tasks: - - name: ensure replication user exists - postgresql_user: - login_host: localhost - login_user: shovel - login_password: '{{ shovel_postgres_password }}' - db: metadb # otherwise connection fail - name: amsrepl - password: '{{ amsrepl_hkgmetadb_password }}' - encrypted: true - role_attr_flags: 'REPLICATION,LOGIN' - state: present - tags: plpsql - -- hosts: datacollector.infra.ooni.io - gather_facts: false # already gathered - vars: - ansible_python_interpreter: "/root/venv/bin/python2.7" - roles: - - role: airflow - tags: airflow diff --git a/ansible/deploy-postgres-11.yml b/ansible/deploy-postgres-11.yml deleted file mode 100644 index 464f7333b..000000000 --- a/ansible/deploy-postgres-11.yml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- - -# Deploy PostgreSQL 11.7 - -- import_playbook: ansible-version.yml - -- hosts: ams-pg.ooni.org - gather_facts: true # to gather `ansible_service_mgr` - tags: postgresql11 - roles: - - role: postgresql11 - -- hosts: ams-pg-test.ooni.org - gather_facts: true # to gather `ansible_service_mgr` - tags: postgresql11 - roles: - - role: postgresql11 - -#- name: install prometheus-postgres-exporter -# apt: -# cache_valid_time: 86400 -# install_recommends: no -# name: prometheus-postgres-exporter -# -# -#- name: install prom process exporter -# apt: -# cache_valid_time: 86400 -# install_recommends: no -# name: prometheus-process-exporter -# -#- name: install prom Nginx exporter -# apt: -# cache_valid_time: 86400 -# install_recommends: no -# name: prometheus-nginx-exporter -# -# -#- name: install prox Haproxy exporter -# apt: -# cache_valid_time: 86400 -# install_recommends: no -# name: prometheus-haproxy-exporter -# diff --git a/ansible/deploy-prometheus.yml b/ansible/deploy-prometheus.yml deleted file mode 100644 index 204deac20..000000000 --- a/ansible/deploy-prometheus.yml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -- import_playbook: ansible-version.yml - -- hosts: prometheus.infra.ooni.io - roles: - # 202006 this is broken due to it being on debian jessie - # - docker_py - - role: mon.ooni.nu - tags: mon.ooni.nu - # 202006 letsencrypt role is broken with this old host - #- role: letsencrypt - # letsencrypt_domains: ['mon.ooni.nu'] - # tags: mon.ooni.nu - # prometheus roles do not need extra `pip` modules and `local_action` should use default python - - role: alertmanager - tags: alertmanager - - role: ooca-cert - ooca_ssl_dir: '{{ prometheus_ssl_dir }}' - ooca_ssl_subj: '/O=OONI/OU=Prometheus Scraper/CN={{ inventory_hostname }}' - ooca_ca: scraper_ca - ooca_group: prometh - - role: tor-bin - tags: tor-bin - - role: etc-onion - tags: etc-onion - - role: prometheus - tags: prometheus - - role: blackbox_exporter - tags: blackbox_exporter - - role: pushgateway - tags: pushgateway - - # 202006 this role is broken on this old host - #- role: letsencrypt - # letsencrypt_domains: ['prometheus.infra.ooni.io'] # legacy hostname-based pushgateway domain - # tags: pushgateway - -- hosts: prometheus.infra.ooni.io - gather_facts: false # already gathered - vars: - ansible_python_interpreter: "/root/venv/bin/python2.7" - roles: - - role: grafana - tags: grafana diff --git a/ansible/deploy-superset.yml b/ansible/deploy-superset.yml deleted file mode 100644 index 1cdc555d6..000000000 --- a/ansible/deploy-superset.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- import_playbook: ansible-version.yml - -- hosts: hkgmetadb.infra.ooni.io - gather_facts: false # no useful facts there :) - roles: - - role: pguser-readonly - login_user: shovel # FIXME: revoke superuser access from this user :) - login_password: '{{ shovel_postgres_password }}' - db: metadb - name: oosuperset - password: '{{ hkgsuperset_postgres_password }}' -... diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml index ffc722afe..d183b5993 100644 --- a/ansible/group_vars/all/vars.yml 
+++ b/ansible/group_vars/all/vars.yml @@ -22,16 +22,6 @@ passwd: # - uid [2000, 10000), grouped together by "service" # - base for next service is `echo $(( 2000 + 50*($RANDOM % 160) ))` # - login name must be <= 8 chars to be nice to `top` util - afredis: {login: afredis, comment: Airflow Redis} - afpsql: {login: afpsql, comment: Airflow Postgresql} - afsched: {login: afsched, comment: Airflow Scheduler} - afwebsrv: {login: afwebsrv, comment: Airflow Webserver} - afworker: {login: afworker, comment: Airflow Worker} - afflower: {login: afflower, comment: Airflow Celery Flower} - - plpsql: {login: plpsql, comment: Pipeline Postgresql} # DONE - plshovel: {login: plshovel, comment: Pipeline Shovel} - nodeexp: {login: nodeexp, comment: Prometheus Node Exporter} # DONE prometh: {login: prometh, comment: Prometheus Poller} alertman: {login: alertman, comment: Prometheus Alert Manager} @@ -42,8 +32,6 @@ passwd: piwik: {login: piwik, comment: Piwik user} - grav: {login: grav, comment: Grav user} - prtreg: {login: prtreg, comment: Orchestration Registry} prtevent: {login: prtevent, comment: Orchestration Events} prtnotif: {login: prtnotif, comment: Orchestration Notifications} diff --git a/ansible/host_vars/datacollector.infra.ooni.io/.travis.vault b/ansible/host_vars/datacollector.infra.ooni.io/.travis.vault deleted file mode 100644 index b4a029e37..000000000 --- a/ansible/host_vars/datacollector.infra.ooni.io/.travis.vault +++ /dev/null @@ -1,19 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -33663533613231356334356364306535363663363362303165616363376432643063313662636132 -6232613235306363366661646462323066336261306537660a636533643336326234663761323266 -30333435303338626135646238363464313337303963306362333235326337316231623863613232 -6335313234643436370a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diff --git a/ansible/host_vars/datacollector.infra.ooni.io/vars.yml b/ansible/host_vars/datacollector.infra.ooni.io/vars.yml deleted file mode 100644 index 6220ed184..000000000 
--- a/ansible/host_vars/datacollector.infra.ooni.io/vars.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -docker_apt_ver: "=1.12.6-0~debian-jessie" # should be in sync with openobservatory/airflow-worker image - -# bunch of containers is deployed only at this host -airflow_fernet_key: "{{ vault_airflow_fernet_key }}" -airflow_redis_password: "{{ vault_airflow_redis_password }}" -airflow_postgres_password: "{{ vault_airflow_postgres_password }}" - -# tokens to fill https://s3.amazonaws.com/ooni-data buckets from https://aws.amazon.com/public-datasets/ -s3root_access_key_id: "AKIAJURD7T4DTN5JMJ5Q" # arn:aws:iam::676739448697:user/ooni-pipeline, AWS: OONI Open Data -s3root_secret_access_key: "{{ vault_s3root_secret_access_key }}" - -s3_ooni_datacollector_key_id: "AKIAJ27S62Y27WZWPFKA" # arn:aws:iam::082866812839:user/ooni-datacollector, AWS: OONI Team -s3_ooni_datacollector_access_key: '{{ vault_s3_ooni_datacollector_access_key }}' - -root_ssh_authrorized_keys: - - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8FEFf9GMY+ATUKtftzK9Gc1g+6dKsMtibEcx4vATaont7G+HAByVFMQnrShDcV+E6Ha2aRfLwKyyy5LGscur50LKuBsLv2TjEdbgKT0szsctW/GUJay28WkTuZAhzLNtk4FORFR//fupQs3IGygguhPxs3NOVP+ATs6xDAlIlp0bwEBtoRxr3Dq0VQmEnrMtLu2w14ApUv+qBTCra7AhcpJU+Xbp/gcn4EToeDl44shdEP39aLT8SJYbS9Vq0m7WRDkjUNKRn3YdnNwrFHc3/bxmVxz6rFjN3hk4CgNMOzLspinaqIqs9JiwT2X35w0pnA0qfcmIQXhtvEn3fZicF ooni@art-house" -... diff --git a/ansible/host_vars/datacollector.infra.ooni.io/vault b/ansible/host_vars/datacollector.infra.ooni.io/vault deleted file mode 100644 index 3598fa53a..000000000 --- a/ansible/host_vars/datacollector.infra.ooni.io/vault +++ /dev/null 
@@ -1,35 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -65656237323436386637366261333666343836656662666235353163306266303438643631646366 -3936303735353133646166376539653331363264656565370a393934666330366432383734396330 -63663430663339623439373430336635343731643037306662656133613833343764633733316534 -3035353161313737610a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diff --git a/ansible/host_vars/events.proteus.test.ooni.io/vars.yml b/ansible/host_vars/events.proteus.test.ooni.io/vars.yml index 95477594d..9815df25a 100644 --- a/ansible/host_vars/events.proteus.test.ooni.io/vars.yml +++ b/ansible/host_vars/events.proteus.test.ooni.io/vars.yml @@ -1,3 +1,3 @@ --- -adm_logins: [ art, federico, sarath, sbs, nuke ] +adm_logins: [ art, federico, sbs ] ... diff --git a/ansible/host_vars/monitoring.ooni.org/vars.yml b/ansible/host_vars/monitoring.ooni.org/vars.yml index f16cdbf74..3d7b05a6b 100644 --- a/ansible/host_vars/monitoring.ooni.org/vars.yml +++ b/ansible/host_vars/monitoring.ooni.org/vars.yml @@ -1,5 +1,5 @@ --- -adm_logins: [ art, federico, sarath, sbs ] +adm_logins: [ art, federico, sbs ] ngxprom_scrapers: - prometheus.infra.ooni.io diff --git a/ansible/host_vars/msg.ooni.io/.travis.vault b/ansible/host_vars/msg.ooni.io/.travis.vault deleted file mode 100644 index 62a7ba935..000000000 --- a/ansible/host_vars/msg.ooni.io/.travis.vault +++ /dev/null @@ -1,7 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -31343935336265306465343039356164636631396166373137333439613836393839393636613834 -3937396438313436366662623232346461323961313062340a373464626135326134663634393031 -64636561393436663238383864653565303466313132393236636334333233326434653964306636 -3933646435346230630a393365333937353761646561383464613130643230353065303131376163 -31316330613465343639313362363830636636323865663563626235616532633134376532323935 -3362363634343232646239323035313330326635333666636162 
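Review bot: Dropping `sarath` and `nuke` from `adm_logins` in host_vars/events.proteus.test.ooni.io/vars.yml only changes which logins the variable lists; whether the accounts, their authorized keys and any sudo grants are actually removed on the host depends on how the role consuming `adm_logins` treats logins that are no longer present, and that role is not visible in this diff. The same edit is made in host_vars/monitoring.ooni.org/vars.yml and host_vars/notify.proteus.test.ooni.io/vars.yml. If the role only ensures listed users exist, the removed logins keep their access until the accounts are disabled by other means, so it is worth confirming on the affected hosts, or having the role put logins that left the list into `state: absent`, as part of this change.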
diff --git a/ansible/host_vars/msg.ooni.io/vars.yml b/ansible/host_vars/msg.ooni.io/vars.yml deleted file mode 100644 index 3ec52e23f..000000000 --- a/ansible/host_vars/msg.ooni.io/vars.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -grav_admin_pass: '{{ vault_grav_admin_pass }}' -... diff --git a/ansible/host_vars/msg.ooni.io/vault b/ansible/host_vars/msg.ooni.io/vault deleted file mode 100644 index e84798091..000000000 --- a/ansible/host_vars/msg.ooni.io/vault +++ /dev/null @@ -1,8 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -65623830386134613132376334346632653737643830313634636633333166616266636431613431 -3037613736333234646238653032313238383662656134300a326335363462363835306139356232 -32333832393038336463363131306335383266313264373664333635396638396363626635376538 -3530396437333132320a303338623838643236366132306361613137323738373261623339386139 -33306566613566363966366135613734373766636362633363623462643630626161353832353632 -31323634383839636434363365353132316639626332643335333838376462353037653063353763 -633232313833613666373835636530633735 diff --git a/ansible/host_vars/notify.proteus.test.ooni.io/vars.yml b/ansible/host_vars/notify.proteus.test.ooni.io/vars.yml index 95477594d..9815df25a 100644 --- a/ansible/host_vars/notify.proteus.test.ooni.io/vars.yml +++ b/ansible/host_vars/notify.proteus.test.ooni.io/vars.yml @@ -1,3 +1,3 @@ --- -adm_logins: [ art, federico, sarath, sbs, nuke ] +adm_logins: [ art, federico, sbs ] ... diff --git a/ansible/inventory b/ansible/inventory index 708bc4070..b86e51664 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -65,8 +65,6 @@ doams1-countly.ooni.nu backend-fsn.ooni.org ams-pg-test.ooni.org -[psk_hkgmetadb] - [psk_oomsm_beta] # FIXME: drop `oomsm-beta` user @@ -87,8 +85,6 @@ backend-fsn.ooni.org # FIXME: untie `psk_orchestration` into something more manageable db-1.proteus.ooni.io -[psk_superset_hkgmetadb] - ######################################################################## # role tags 
diff --git a/ansible/roles/airflow/defaults/main.yml b/ansible/roles/airflow/defaults/main.yml deleted file mode 100644 index 21202b048..000000000 --- a/ansible/roles/airflow/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -airflow_tag: "1.8.0-oo4" diff --git a/ansible/roles/airflow/files/airflow-dags/analysis.py b/ansible/roles/airflow/files/airflow-dags/analysis.py deleted file mode 100644 index d273b9fcd..000000000 --- a/ansible/roles/airflow/files/airflow-dags/analysis.py +++ /dev/null @@ -1,17 +0,0 @@ -# -*- coding: utf-8 -*- -# -# Use the existing shovel_jump.sh script to start the analysis script -# -from airflow import DAG -from airflow.operators.bash_operator import BashOperator -from datetime import datetime, timedelta - -dag = DAG( - dag_id="analysis", - schedule_interval=timedelta(days=1), - start_date=datetime(2019, 6, 21), - catchup=False, - default_args={"retries": 0}, -) -with dag: - BashOperator(task_id="analysis", bash_command="shovel_jump.sh") diff --git a/ansible/roles/airflow/files/airflow-dags/canning.py b/ansible/roles/airflow/files/airflow-dags/canning.py deleted file mode 100644 index 82fb70e81..000000000 --- a/ansible/roles/airflow/files/airflow-dags/canning.py +++ /dev/null 
@@ -1,107 +0,0 @@ -# -*- coding: utf-8 -*- -import json -import subprocess -from airflow import DAG -from airflow.exceptions import AirflowException # signal ERROR -from airflow.operators.bash_operator import BashOperator -from airflow.operators.sensors import BaseSensorOperator -from datetime import datetime, timedelta - -class OOBashSensor(BaseSensorOperator): - def poke(self, context): - retcode = subprocess.call(['sudo', '--non-interactive', '/usr/local/bin/docker-trampoline', self.task_id, - context['ds'], context['execution_date'].isoformat(), (context['execution_date'] + context['dag'].schedule_interval).isoformat()] + - self.params.get('argv', [])) - if retcode == 42: - return True - elif retcode == 13: - return False - else: - raise AirflowException('Unexpected exit code: {:d}'.format(retcode)) - -dag = DAG( - dag_id='hist_canning', - schedule_interval=timedelta(days=1), - start_date=datetime(2012, 12, 5), - #end_date=datetime(2017, 7, 7), # NB: end_date is included - default_args={ - 'retries': 1, - }) - -# NB: removing an Operator from DAG leaves some trash in the database tracking -# old state of that operator, but it seems to trigger no issues with 1.8.0 - -OOBashSensor(task_id='reports_raw_sensor', poke_interval=5*60, timeout=12*3600, retries=0, dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='canning', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='tar_reports_raw', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='reports_tgz_s3_sync', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='reports_tgz_s3_ls', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='reports_tgz_cleanup', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='canned_s3_sync', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', 
task_id='canned_s3_ls', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='canned_cleanup', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='autoclaving', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='meta_pg', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='meta_wal_flush', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='reports_raw_cleanup', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='autoclaved_tarlz4_s3_sync', bash_command='shovel_jump.sh', dag=dag) -BashOperator(pool='datacollector_disk_io', task_id='autoclaved_jsonl_s3_sync', bash_command='shovel_jump.sh', dag=dag) - -dag.set_dependency('reports_raw_sensor', 'canning') - -dag.set_dependency('reports_raw_sensor', 'tar_reports_raw') -dag.set_dependency('canning', 'tar_reports_raw') - -dag.set_dependency('tar_reports_raw', 'reports_tgz_s3_sync') - -dag.set_dependency('reports_tgz_s3_sync', 'reports_tgz_s3_ls') - -# reports_raw_cleanup -> reports_tgz_cleanup is NOT a dependency as reports_raw_cleanup uses only index file -dag.set_dependency('reports_tgz_s3_sync', 'reports_tgz_cleanup') # can't cleanup unless synced -dag.set_dependency('reports_tgz_s3_ls', 'reports_tgz_cleanup') # data dependency - -dag.set_dependency('canning', 'canned_s3_sync') - -dag.set_dependency('canned_s3_sync', 'canned_s3_ls') - -# reports_raw_cleanup -> canned_cleanup is NOT a dependency as reports_raw_cleanup uses only index file -dag.set_dependency('autoclaving', 'canned_cleanup') # uses `canned` data -dag.set_dependency('tar_reports_raw', 'canned_cleanup') # may use `canned` data -dag.set_dependency('canned_s3_sync', 'canned_cleanup') # can't cleanup unless synced -dag.set_dependency('canned_s3_ls', 'canned_cleanup') # data dependency - -dag.set_dependency('canning', 
'autoclaving') - -dag.set_dependency('autoclaving', 'meta_pg') - -dag.set_dependency('meta_pg', 'meta_wal_flush') - -# reports_raw_cleanup is done when both tasks are finished and have same data -# reports_raw_cleanup does not remove unknown files as a safeguard -dag.set_dependency('canning', 'reports_raw_cleanup') -dag.set_dependency('tar_reports_raw', 'reports_raw_cleanup') - -dag.set_dependency('autoclaving', 'autoclaved_tarlz4_s3_sync') - -dag.set_dependency('autoclaving', 'autoclaved_jsonl_s3_sync') - -with open('/usr/local/airflow/dags/have_collector.json') as fd: - have_collector = json.load(fd) - name_collector = [_.split('.ooni.')[0] for _ in have_collector] - -with DAG( - dag_id='fetcher', - schedule_interval=timedelta(days=1), - start_date=datetime(2018, 9, 14), - catchup=False, - default_args={ - 'retries': 1, - 'pool': 'datacollector_disk_io', - }) as fetcher: - - BashOperator(task_id='reports_raw_merge', bash_command='shovel_jump.sh', params={'argv': have_collector}) - for fqdn, name in zip(have_collector, name_collector): - OOBashSensor(task_id='collector_sensor_{}'.format(name), poke_interval=5*60, timeout=3600, retries=0, params={'argv': [fqdn]}) - BashOperator(task_id='rsync_collector_{}'.format(name), bash_command='shovel_jump.sh', params={'argv': [fqdn]}, trigger_rule='all_done') # either wait or fall-through - fetcher.set_dependency('collector_sensor_{}'.format(name), 'rsync_collector_{}'.format(name)) - fetcher.set_dependency('rsync_collector_{}'.format(name), 'reports_raw_merge') diff --git a/ansible/roles/airflow/files/airflow-dags/shovel_jump.sh b/ansible/roles/airflow/files/airflow-dags/shovel_jump.sh deleted file mode 100644 index 5d3fa8f3b..000000000 --- a/ansible/roles/airflow/files/airflow-dags/shovel_jump.sh +++ /dev/null 
@@ -1,2 +0,0 @@ -#!/bin/sh -exec sudo --non-interactive /usr/local/bin/docker-trampoline "{{ task.task_id }}" "{{ ds }}" "{{ execution_date.isoformat() }}" "{{ (execution_date + dag.schedule_interval).isoformat() }}" {{ params.argv | default([]) | join(' ') }} diff --git a/ansible/roles/airflow/files/airflow-dags/sync.py b/ansible/roles/airflow/files/airflow-dags/sync.py deleted file mode 100644 index 092fac3b6..000000000 --- a/ansible/roles/airflow/files/airflow-dags/sync.py +++ /dev/null @@ -1,15 +0,0 @@ -# -*- coding: utf-8 -*- -from airflow import DAG -from airflow.operators.bash_operator import BashOperator -from datetime import datetime, timedelta - -with DAG( - dag_id='sync_test_lists_dag', - schedule_interval=timedelta(hours=1), - start_date=datetime(2018, 10, 21), - catchup=False, - default_args={ - 'retries': 0, - }) as fetcher: - - BashOperator(task_id='sync_test_lists', bash_command='shovel_jump.sh') diff --git a/ansible/roles/airflow/files/collector_ssh.env b/ansible/roles/airflow/files/collector_ssh.env deleted file mode 100644 index c56ee1ec8..000000000 --- a/ansible/roles/airflow/files/collector_ssh.env +++ /dev/null @@ -1,2 +0,0 @@ -# ansible-managed in ooni-sysadmin.git -RSYNC_RSH=ssh -oBatchMode=yes -oGlobalKnownHostsFile=/etc/collector_ssh/known_collectors -oIdentityFile=/etc/collector_ssh/id_ed25519 -l sync-user diff --git a/ansible/roles/airflow/files/docker-trampoline b/ansible/roles/airflow/files/docker-trampoline deleted file mode 100755 index 45f6a1971..000000000 --- a/ansible/roles/airflow/files/docker-trampoline +++ /dev/null 
@@ -1,247 +0,0 @@ -#!/bin/bash -# -# Ability to execute arbitrary docker commands on the host equals to root-shell -# on the host (datacollector.infra.ooni.io), so this script does some -# whitelisting. -# -# Look at `git grep docker-trampoline ansible/roles/airflow/files/airflow-dags/` -# for the code invoking the script. -# -# The script is launched by airflow-dags inside of af-worker container. -# The containers running Airflow and actual pipeline steps are separated -# to ease dependency management and to make steps more self-contained. -# The af-worker container launched from openobservatory/airflow* image has no -# suid binaries besides sudo and has /var/run/docker.sock mounted from -# datacollector.infra.ooni.io "dom0". So the script acts as... -# 1) a configuration file having various paths and paths to credentials -# 2) a "trampoline" to avoid giving unlimited root shell to the Airflow code. -# - -# FIXME: 1000 = `id -u benchmark` at the datacollector dom0 -uidno=1000 - -script="$1" -bucket="$2" -isofrom="$3" # execution_date -isotill="$4" # execution_date + schedule_interval -shift 4 - -( -shopt -s extglob -if [ -z "$bucket" -o -n "${bucket/+([-0-9])/}" ]; then - echo "$0: bad bucket arg <$bucket> -> <${bucket/+([-0-9])/}>" 1>&2 - exit 1 -fi -for var in "$isofrom" "$isotill"; do - if [ -z "$var" -o -n "${var/+([-0-9T:.])/}" ]; then - echo "$0: bad isofrom/isotill arg <$var> -> <${var/+([-0-9T:.])/}>" 1>&2 - exit 1 - fi -done -) || exit 1 - -docksafe="--rm --interactive --read-only" -docknet="--network none" - -private=/data/ooni/private -public=/data/ooni/public -volargs="" -case "$script" in - reports_raw_sensor) - volargs="${volargs} --volume=$private/reports-raw/${bucket}:$private/reports-raw/${bucket}:ro" - volargs="${volargs} --volume=$private/reports-raw-shals:$private/reports-raw-shals:ro" - exec docker run $docksafe $docknet $volargs debian:jessie \ - /bin/bash -c "set -o pipefail && find $private/reports-raw/${bucket} -type f -printf '%f %s\n' | 
LC_ALL=C sort --buffer-size=96M | sha256sum --check $private/reports-raw-shals/${bucket} && exit 42 || exit 13" - ;; - - canning) - docker run $docksafe --network none -v=$private/canned:$private/canned debian:jessie /bin/bash -c "mkdir -p $private/canned/${bucket} && chown $uidno $private/canned/${bucket}" - volargs="${volargs} --volume=$private/reports-raw/${bucket}:$private/reports-raw/${bucket}:ro" - volargs="${volargs} --volume=$private/canned/${bucket}:$private/canned/${bucket}:rw" - volargs="${volargs} --tmpfs /tmp:rw,noexec,nosuid,size=128m" - set -- /usr/local/bin/canning.py --start "$isofrom" --end "$isotill" \ - --reports-raw-root $private/reports-raw \ - --canned-root $private/canned - ;; - - autoclaving) - docker run $docksafe --network none -v=$public/autoclaved:$public/autoclaved debian:jessie /bin/bash -c "mkdir -p $public/autoclaved/${bucket} && chown $uidno $public/autoclaved/${bucket}" - volargs="${volargs} --volume=$private/bridge_db:$private/bridge_db:ro" - volargs="${volargs} --volume=$private/canned/${bucket}:$private/canned/${bucket}:ro" - volargs="${volargs} --volume=$public/autoclaved/${bucket}:$public/autoclaved/${bucket}:rw" - set -- /usr/local/bin/autoclaving.py --start "$isofrom" --end "$isotill" \ - --canned-root $private/canned \ - --bridge-db $private/bridge_db/bridge_db.json \ - --autoclaved-root $public/autoclaved - ;; - - meta_pg) - docknet="" # no `--network none' - volargs="${volargs} --env-file=/etc/af-worker/hkgmetadb.env" - volargs="${volargs} --volume=$public/autoclaved/${bucket}:$public/autoclaved/${bucket}:ro" - set -- /usr/local/bin/centrifugation.py --start "$isofrom" --end "$isotill" \ - --autoclaved-root /data/ooni/public/autoclaved \ - --postgres "host=hkgmetadb.infra.ooni.io user=shovel dbname=metadb" - ;; - - # WAL is flushed after `meta_pg` to ensure that hot replica is not affected - # by 64+ subtransactions in the whole-bucket `meta_pg` transaction. E.g. - # the transaction had 283 `subxacts` on 2019-04-21. 
Manual `CHECKPOINT` is - # needed to place corresponding record into the latest WAL segment, - # otherwise the replica will be unable to restart as there will be no redo - # point covering the large transaction in the latest WAL segment. See also: - # - https://github.com/ooni/sysadmin/issues/272#issuecomment-485418243 - # - https://www.postgresql.org/docs/9.6/hot-standby.html#HOT-STANDBY-CAVEATS - meta_wal_flush) - set -o xtrace - # It may be postgres:9.6 as well, openobservatory/... is used only for consistency. - exec docker run $docksafe --env-file=/etc/af-worker/hkgmetadb.env \ - openobservatory/sysadmin-postgres-metadb:20190412-010f6f70 \ - psql --host=hkgmetadb.infra.ooni.io --username=shovel --dbname=metadb \ - -c 'CHECKPOINT; SELECT pg_switch_xlog()' - exit 1 # if exec fails - ;; - - tar_reports_raw) - # some `reports-raw` buckets were already removed from datacollector and have to be restored from `.tar.lz4` for compression - docker run $docksafe --network none -v=$private/reports-raw:$private/reports-raw debian:jessie /bin/bash -c "mkdir -p $private/reports-raw/${bucket} && chown $uidno $private/reports-raw/${bucket}" - volargs="${volargs} --volume=$private/reports-tgz:$private/reports-tgz:rw" - volargs="${volargs} --volume=$private/reports-raw/${bucket}:$private/reports-raw/${bucket}:rw" - volargs="${volargs} --volume=$private/canned/${bucket}:$private/canned/${bucket}:ro" - set -- /usr/local/bin/tar_reports_raw.py --bucket "$bucket" --reports-tgz "$private/reports-tgz" --reports-raw "$private/reports-raw" --canned "$private/canned" - ;; - - reports_raw_cleanup) - volargs="${volargs} --volume=$private/reports-tgz:$private/reports-tgz:ro" - volargs="${volargs} --volume=$private/canned/${bucket}:$private/canned/${bucket}:ro" - volargs="${volargs} --volume=$private/reports-raw/${bucket}:$private/reports-raw/${bucket}:rw" - set -- /usr/local/bin/cleanup_reports_raw.py --bucket "${bucket}" --reports-raw-root "$private/reports-raw" --canned-index 
"$private/canned/${bucket}/index.json.gz" --reports-tgz-index "$private/reports-tgz/${bucket}.index.json.gz" - ;; - - reports_tgz_s3_sync) - docknet="" # no `--network none' - volargs="${volargs} --env-file=/etc/af-worker/s3root.env" - volargs="${volargs} --volume=$private/reports-tgz:$private/reports-tgz:ro" - set -- aws s3 sync --size-only "$private/reports-tgz/" s3://ooni-data/archives-raw/yaml/ --exclude '*' --include "${bucket}.tar.gz" --include "${bucket}.index.json.gz" - ;; - - reports_tgz_s3_ls) - docknet="" # no `--network none' - volargs="${volargs} --env-file=/etc/af-worker/s3root.env" - volargs="${volargs} --volume=$private/reports-tgz-s3-ls:$private/reports-tgz-s3-ls:rw" - set -- /usr/local/bin/aws_s3_ls.py --url "s3://ooni-data/archives-raw/yaml/$bucket" --s3-ls "$private/reports-tgz-s3-ls/${bucket}.json.gz" - ;; - - reports_tgz_cleanup) - volargs="${volargs} --volume=$private/reports-tgz-s3-ls:$private/reports-tgz-s3-ls:ro" - volargs="${volargs} --volume=$private/reports-tgz:$private/reports-tgz:rw" - set -- /usr/local/bin/cleanup_uploaded.py --dir "$private/reports-tgz" --s3-ls "$private/reports-tgz-s3-ls/${bucket}.json.gz" --exclude "$private/reports-tgz/${bucket}.index.json.gz" - ;; - - canned_s3_sync) - docknet="" # no `--network none' - volargs="${volargs} --env-file=/etc/af-worker/s3root.env" - volargs="${volargs} --volume=$private/canned/${bucket}:$private/canned/${bucket}:ro" - set -- aws s3 sync --size-only "$private/canned/${bucket}/" "s3://ooni-data/canned/${bucket}/" - ;; - - canned_s3_ls) - docknet="" # no `--network none' - volargs="${volargs} --env-file=/etc/af-worker/s3root.env" - volargs="${volargs} --volume=$private/canned-s3-ls:$private/canned-s3-ls:rw" - set -- /usr/local/bin/aws_s3_ls.py --url "s3://ooni-data/canned/$bucket" --s3-ls "$private/canned-s3-ls/${bucket}.json.gz" - ;; - - canned_cleanup) - volargs="${volargs} --volume=$private/canned/${bucket}:$private/canned/${bucket}:rw" - docker run $docksafe $docknet $volargs 
debian:jessie chmod u+w "$private/canned/${bucket}" # it's marked as read-only when it's done - volargs="${volargs} --volume=$private/canned-s3-ls:$private/canned-s3-ls:ro" - set -- /usr/local/bin/cleanup_uploaded.py --dir "$private/canned/${bucket}" --s3-ls "$private/canned-s3-ls/${bucket}.json.gz" --exclude "$private/canned/${bucket}/index.json.gz" - ;; - - autoclaved_tarlz4_s3_sync) - docknet="" # no `--network none' - volargs="${volargs} --env-file=/etc/af-worker/s3root.env" - volargs="${volargs} --volume=$public/autoclaved/${bucket}:$public/autoclaved/${bucket}:ro" - set -- aws s3 sync --size-only "$public/autoclaved/${bucket}/" "s3://ooni-data/autoclaved/jsonl.tar.lz4/${bucket}/" - ;; - - autoclaved_jsonl_s3_sync) - docknet="" # no `--network none' - volargs="${volargs} --env-file=/etc/af-worker/s3root.env" - volargs="${volargs} --volume=$public/autoclaved/${bucket}:$public/autoclaved/${bucket}:ro" - # disk-backed /tmp may be preferred as the largest report ever is ~1.4Gb, - # concurrent processing of alike reports may be affected. OTOH, the usual - # size of scratchpad is ~64M and it probably should not be an issue. 
- volargs="${volargs} --tmpfs /tmp:rw,noexec,nosuid,size=1536m" - set -- /usr/local/bin/aws_s3_lz4cat_sync.py --src "$public/autoclaved/${bucket}" --s3-bucket "ooni-data" --s3-prefix "autoclaved/jsonl/${bucket}" - ;; - - collector_sensor_*) - fqdn="$1" - ping -nq -c 5 -i 0.2 "$fqdn" || exit 1 # poor-man input validation - docknet="" # no `--network none' - volargs="${volargs} --env-file=/etc/af-worker/collector_ssh.env" - volargs="${volargs} --volume=/srv/etc/collector_ssh:/etc/collector_ssh:ro" - volargs="${volargs} --tmpfs /tmp:rw,noexec,nosuid,size=64m" - # if it's non-empty and does not grow - set -- /bin/bash -c 'set -ex; cd /tmp; mkfifo f; rsync "$0": >f & f=$(wc -l "/p/reports-raw-shals/$0"' "${bucket}" "$@" - ;; - - sync_test_lists) - docknet="" # no `--network none' - volargs="${volargs} --env-file=/etc/af-worker/orchestradb.env" - volargs="${volargs} --volume=/etc/ssl/ooca-cert:/ooca-cert:ro" - volargs="${volargs} --tmpfs /tmp:rw,noexec,nosuid,size=64m" - set -o xtrace - exec docker run $docksafe --user "$uidno" $docknet ${volargs} \ - openobservatory/orchestra-scripts:20181206-3be1378e \ - sync-test-lists.py \ - --working-dir /tmp \ - --postgres 'host=db-1.proteus.ooni.io user=proteus dbname=proteus sslmode=verify-full sslrootcert=/ooca-cert/postgres_ca.cert' - exit 1 # if exec fails - ;; - - analysis) - volargs="" - volargs="${volargs} --volume=$public/analysis:/srv/analysis:rw" - volargs="${volargs} --tmpfs /tmp:rw,noexec,nosuid,size=128m" - rundocker="/usr/bin/docker run --interactive --rm --read-only --log-driver=journald" - $rundocker $volargs --name analysis openobservatory/pipeline-analysis:latest /srv/analysis.py - exit 0 # stop here - ;; - - *) - echo "$0: unknown script <$script>" 1>&2 - exit 1 - ;; -esac - -# FIXME: hardcoded uid of the `benchmark` user at `datacollector` -set -o xtrace -exec docker run $docksafe --user "$uidno" $docknet ${volargs} openobservatory/pipeline-shovel:20190902-4867a206 "$@" 
diff --git a/ansible/roles/airflow/files/nodeexp_airflow b/ansible/roles/airflow/files/nodeexp_airflow deleted file mode 100644 index 699c272f2..000000000 --- a/ansible/roles/airflow/files/nodeexp_airflow +++ /dev/null @@ -1,74 +0,0 @@ -#!/bin/bash - -. <(docker inspect af-psql | jq -r '.[].Config.Env[] | select(startswith("POSTGRES_"))' | sed 's/^POSTGRES_/PG/') -export PGUSER PGPASSWORD -export PGHOSTADDR=`docker inspect af-psql | jq -r '.[].NetworkSettings.Networks.af.IPAddress'` - -dest=`mktemp -t textfile.XXXXXXXXXX` - -# It previously was airflow_7day_task_count{state=*} (the total number of -# TaskInstances within last 7 days in specific state). It turned out that only -# `failed` state matters. -cat >"$dest" <>"$dest" <= NOW() - INTERVAL '7 DAYS' -GROUP BY task_id, dag_id -EOF - -cat >>"$dest" <>"$dest" <= NOW() - INTERVAL '7 DAYS' -GROUP BY task_id, dag_id -EOF - -cat >>"$dest" <>"$dest" <= NOW() - INTERVAL '7 DAYS' -GROUP BY dag_id -EOF - -cat >>"$dest" <>"$dest" <= NOW() - INTERVAL '7 DAYS' -GROUP BY dag_id -EOF - -cp "$dest" /run/nodeexp/airflow.prom -chmod 444 /run/nodeexp/airflow.prom -rm -f "$dest" diff --git a/ansible/roles/airflow/handlers/main.yml b/ansible/roles/airflow/handlers/main.yml deleted file mode 100644 index d2729c737..000000000 --- a/ansible/roles/airflow/handlers/main.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: restart af-sched - docker_container: name=af-sched restart=true - listen: restart airflow - -- name: restart af-websrv - docker_container: name=af-websrv restart=true - listen: restart airflow - -- name: restart af-worker - docker_container: name=af-worker restart=true - listen: restart airflow diff --git a/ansible/roles/airflow/tasks/af-container.yml b/ansible/roles/airflow/tasks/af-container.yml deleted file mode 100644 index 3f9e01196..000000000 --- a/ansible/roles/airflow/tasks/af-container.yml +++ /dev/null 
@@ -1,43 +0,0 @@
----
-- name: get the user ids
- shell: >
- egrep "^{{login}}:" /etc/passwd | awk -F: '{ print $3":"$4 }'
- changed_when: false
- register: user_group_id
-- name: chmod & chown {{ dockname }} home
- file: path=/srv/{{ dockname }} state=directory mode=0750 owner={{ login }} group={{ login }}
-- name: check {{ dockname }} airflow.cfg
- stat: path=/srv/{{ dockname }}/airflow.cfg
- register: afcfg
-- name: create new {{ dockname }} airflow.cfg
- copy: src=/srv/etc/af-share-{{ airflow_tag }}/airflow.cfg dest=/srv/{{ dockname }}/airflow.cfg mode=0600 owner={{ login }} group={{ login }} remote_src=true
- when: not afcfg.stat.exists
-- name: airflow service -- {{ command }}
- docker_container:
- image: openobservatory/airflow{{ image_ext | default('') }}:{{ airflow_tag }}
- name: "{{ dockname }}"
- hostname: "{{ dockname }}"
- networks: [ "{{ {'name': 'af'} | combine(
- ipv4_address | default(False) | ternary({'ipv4_address': ipv4_address}, {})
- ) }}" ]
- purge_networks: true
- volumes: "{{ [
- '/srv/etc/af-share-' + airflow_tag + '/passwd:/etc/passwd:ro',
- '/srv/etc/af-share-' + airflow_tag + '/group:/etc/group:ro',
- '/srv/' + dockname + ':/usr/local/airflow:rw',
- '/srv/airflow-dags:/usr/local/airflow/dags:ro',
- ] | union(
- volume_ext | default([])
- ) }}"
- env:
- LOAD_EX: n
- EXECUTOR: Celery
- FERNET_KEY: "{{ airflow_fernet_key }}"
- REDIS_HOST: af-redis
- REDIS_PASSWORD: "{{ airflow_redis_password }}"
- POSTGRES_HOST: af-psql
- POSTGRES_USER: airflow
- POSTGRES_PASSWORD: "{{ airflow_postgres_password }}"
- command: "{{ command }}"
- user: "{{ user_group_id.stdout }}"
- restart_policy: unless-stopped
diff --git a/ansible/roles/airflow/tasks/af-psql.yml b/ansible/roles/airflow/tasks/af-psql.yml
deleted file mode 100644
index ff5ce06c2..000000000
--- a/ansible/roles/airflow/tasks/af-psql.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-# 1. if `initdb` fails read `Arbitrary --user Notes` at https://hub.docker.com/_/postgres/
-# 2. /run has to be writable by postgres and `docker_container` does not support tmpfs
- https://github.com/ansible/ansible/pull/22646
-#
-- name: create group
- group: name=afpsql state=present
-- name: create user
- user:
- name: "afpsql"
- group: "afpsql"
- comment: "afpsql for Pipeline"
- state: present
- register: afpsql_user
-
-- name: airflow postgres tmp directory
- file: dest=/srv/tmp/af-psql state=directory owner=afpsql group=afpsql mode=0750
-- name: airflow postgres /data directory
- file: dest=/srv/af-psql state=directory owner=afpsql group=afpsql mode=0700
-- name: docker run airflow postgres
- docker_container:
- image: postgres:9.6
- name: af-psql
- hostname: af-psql
- networks: [{name: af}]
- purge_networks: true # drop `bridge` network
- volumes:
- - /srv/tmp/af-psql:/run/postgresql:rw
- - /srv/af-psql:/srv/af-psql:rw
- env:
- PGDATA: /srv/af-psql
- POSTGRES_USER: airflow
- POSTGRES_PASSWORD: "{{ airflow_postgres_password }}"
- user: "{{ afpsql_user.uid }}:{{ afpsql_user.group }}"
- stop_signal: SIGINT # Fast shutdown. Default SIGTERM waits for all the sessions to terminate.
- stop_timeout: 60 # default is 10
- restart_policy: unless-stopped
-...
diff --git a/ansible/roles/airflow/tasks/af-redis.yml b/ansible/roles/airflow/tasks/af-redis.yml
deleted file mode 100644
index 6a4881f9d..000000000
--- a/ansible/roles/airflow/tasks/af-redis.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-- name: create group
- group: name=afredis state=present
-
-- name: create user
- user:
- name: "afredis"
- group: "afredis"
- comment: "afredis for Pipeline"
- state: present
- register: afredis_user
-
-- name: redis .../etc directory
- file: dest=/srv/etc/af-redis state=directory owner=root group=root mode=0755
-- name: redis .../etc/redis.conf
- template: dest=/srv/etc/af-redis/redis.conf src=af-redis.conf mode=0640 owner=root group=afredis
-- name: redis /data directory
- file: dest=/srv/af-redis state=directory owner=afredis group=afredis mode=0750
-- name: docker run redis
- docker_container:
- image: redis:3.2
- name: af-redis
- hostname: af-redis
- networks: [{name: af}]
- purge_networks: true # drop `bridge` network
- volumes:
- - /srv/etc/af-redis:/usr/local/etc:ro
- - /srv/af-redis:/data:rw
- command: /usr/local/etc/redis.conf
- user: "{{ afredis_user.uid }}:{{ afredis_user.group }}"
- restart_policy: unless-stopped
diff --git a/ansible/roles/airflow/tasks/af-update-passwd.yml b/ansible/roles/airflow/tasks/af-update-passwd.yml
deleted file mode 100644
index 2d214f531..000000000
--- a/ansible/roles/airflow/tasks/af-update-passwd.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: get the user id
- shell: >
- egrep "^{{ login }}:" /etc/passwd | awk -F: '{ print $4 }'
- changed_when: false
- register: user_id
-
-- name: update shared airflow group
- lineinfile:
- dest: /srv/etc/af-share-{{ airflow_tag }}/group
- line: "{{ login }}:x:{{ user_id.stdout }}:"
-
-- name: update shared airflow passwd
- lineinfile:
- dest: /srv/etc/af-share-{{ airflow_tag }}/passwd
- line: "{{ login }}:x:{{ user_id.stdout }}:{{ user_id.stdout }}::/usr/local/airflow:/bin/bash"
diff --git a/ansible/roles/airflow/tasks/collector_ssh.yml b/ansible/roles/airflow/tasks/collector_ssh.yml
deleted file mode 100644
index 803401e4b..000000000
--- a/ansible/roles/airflow/tasks/collector_ssh.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-- name: create SSH config directory
- file: dest=/srv/etc/collector_ssh state=directory owner=root group=root mode=0755
-
-- name: create sync-user role key
- command: ssh-keygen -t ed25519 -N '' -C sync-user@{{ inventory_hostname }} -f /srv/etc/collector_ssh/id_ed25519
- args:
- creates: /srv/etc/collector_ssh/id_ed25519
-
-# TODO: `benchmark` is an ugly legacy username for uid=1000 at datacollector.infra.ooni.io, it should be eventually re-numbered
-- name: set sync-user role key owner
- file: path={{item}} owner=benchmark group=benchmark
- with_items:
- - /srv/etc/collector_ssh/id_ed25519
- - /srv/etc/collector_ssh/id_ed25519.pub
-
-- name: create known_collectors
- template: dest=/srv/etc/collector_ssh/known_collectors src=known_collectors owner=root group=root mode=0444
-
-- name: fetch public sync-user key
- fetch: src=/srv/etc/collector_ssh/id_ed25519.pub dest="{{ inventory_dir }}/files/sync-user@{{ inventory_hostname }}.pub" flat=yes
-...
diff --git a/ansible/roles/airflow/tasks/main.yml b/ansible/roles/airflow/tasks/main.yml
deleted file mode 100644
index f2f90b3ce..000000000
--- a/ansible/roles/airflow/tasks/main.yml
+++ /dev/null
@@ -1,127 +0,0 @@ ---- -- name: shared tmp directory to workaround lack of tmpfs support in docker_container - file: dest=/srv/tmp state=directory owner=root group=root mode=0750 - -- name: config file directory - file: dest=/srv/etc state=directory owner=root group=root mode=0750 - -- name: docker network for airflow - docker_network: - name: af - driver_options: - com.docker.network.bridge.name: braf - ipam_options: - subnet: 172.26.43.0/24 - gateway: 172.26.43.1 - -- import_tasks: af-redis.yml - -- import_tasks: af-psql.yml - -- import_tasks: collector_ssh.yml - tags: collector_ssh -- name: collector spool directories - file: dest=/data/ooni/private/spool/{{ item }} state=directory owner=benchmark group=root mode=0755 - with_items: '{{ groups.have_collector }}' - -- name: copy nodeexp_airflow check - copy: src=nodeexp_airflow dest=/etc/cron.hourly/nodeexp_airflow mode=0555 owner=root group=root mode=0555 - -- name: shared airflow config templates - file: dest=/srv/etc/af-share-{{ airflow_tag }} state=directory owner=root group=root mode=0750 -- name: check shared airflow passwd - stat: path=/srv/etc/af-share-{{ airflow_tag }}/passwd - register: afpasswd -- name: check shared airflow group - stat: path=/srv/etc/af-share-{{ airflow_tag }}/group - register: afgroup -- name: check shared airflow.cfg - stat: path=/srv/etc/af-share-{{ airflow_tag }}/airflow.cfg - register: afcfg - -- name: create temporary openobservatory/airflow container to extract file - docker_container: - image: openobservatory/airflow:{{ airflow_tag }} - name: af-tmp - purge_networks: true - state: present # NB: it's not `started` - when: not (afpasswd.stat.exists and afgroup.stat.exists and afcfg.stat.exists) -- name: extract shared airflow passwd - command: docker cp af-tmp:/etc/passwd /srv/etc/af-share-{{ airflow_tag }}/passwd - when: not afpasswd.stat.exists -- name: extract shared airflow group - command: docker cp af-tmp:/etc/group /srv/etc/af-share-{{ airflow_tag }}/group - when: not 
afgroup.stat.exists -- name: extract shared airflow.cfg - command: docker cp af-tmp:/usr/local/airflow/airflow.cfg /srv/etc/af-share-{{ airflow_tag }}/airflow.cfg - when: not afcfg.stat.exists -- name: drop temporary openobservatory/airflow container - docker_container: - name: af-tmp - state: absent - -- name: chown & chmod shared airflow.cfg - file: path=/srv/etc/af-share-{{ airflow_tag }}/airflow.cfg mode=0644 owner=root group=root - -- include_tasks: af-update-passwd.yml - vars: - login: "{{ item }}" - with_items: - - "afsched" - - "afwebsrv" - - "afworker" -- name: mkdir etc/af-worker - file: dest=/srv/etc/af-worker state=directory owner=root group=root mode=0700 -- file: dest=/srv/etc/af-worker/s3read.env state=absent # FIXME: drop when executed -- template: dest=/srv/etc/af-worker/s3root.env src=af-worker-s3root.env owner=root group=root mode=0400 -- file: dest=/srv/etc/af-worker/s3_ceo_backup_creator.env state=absent # FIXME: drop when executed -- template: dest=/srv/etc/af-worker/s3_ooni_datacollector.env src=af-worker-s3_ooni_datacollector.env owner=root group=root mode=0400 -- template: dest=/srv/etc/af-worker/hkgmetadb.env src=af-worker-hkgmetadb.env owner=root group=root mode=0400 -- template: dest=/srv/etc/af-worker/orchestradb.env src=af-worker-orchestradb.env owner=root group=root mode=0400 -- copy: dest=/srv/etc/af-worker/collector_ssh.env src=collector_ssh.env owner=root group=root mode=0400 - -- name: mkdir /etc/ssl/ooca-cert/ - file: dest=/etc/ssl/ooca-cert state=directory owner=root group=root mode=0755 -- name: copy postgres_ca.cert to /etc/ssl/ooca-cert - copy: src=postgres_ca.cert dest=/etc/ssl/ooca-cert/ owner=root group=root mode=0644 - -- name: mkdir af-worker-bin - file: dest=/srv/af-worker-bin state=directory owner=root group=root mode=0755 -- name: copy docker-trampoline - tags: airflow-dags - copy: src=docker-trampoline dest=/srv/af-worker-bin/ owner=root group=root mode=0755 - notify: restart af-worker # because the _file_ is 
bind-monted, not a directory - -- name: mkdir airflow-dags - file: dest=/srv/airflow-dags state=directory owner=root group=root mode=0755 -# FIXME: `rsync --delete` followed by `template dest=/srv/airflow-dags/have_collector.json` always provides "changed" state -- name: copy airflow-dags # depends on `rsync` - tags: airflow-dags - synchronize: src=airflow-dags/ dest=/srv/airflow-dags/ archive=no recursive=yes checksum=yes delete=yes - notify: restart airflow -- name: store `have_collector` group in have_collector.json - template: src=have_collector.json dest=/srv/airflow-dags/have_collector.json owner=root group=root mode=0444 # NB: `synchronize` with delete=yes may drop it - tags: airflow-dags - notify: restart airflow - -- import_tasks: af-container.yml - vars: - dockname: af-sched - login: afsched - command: scheduler -- import_tasks: af-container.yml - vars: - dockname: af-websrv - login: afwebsrv - command: webserver - ipv4_address: 172.26.43.254 -- import_tasks: af-container.yml - vars: - dockname: af-worker - login: afworker - command: worker - image_ext: -worker - volume_ext: - - /var/run/docker.sock:/var/run/docker.sock - - /srv/af-worker-bin/docker-trampoline:/usr/local/bin/docker-trampoline:ro - - /srv/etc/af-worker:/etc/af-worker:ro diff --git a/ansible/roles/airflow/templates/af-redis.conf b/ansible/roles/airflow/templates/af-redis.conf deleted file mode 100644 index 6f61569e7..000000000 --- a/ansible/roles/airflow/templates/af-redis.conf +++ /dev/null @@ -1,12 +0,0 @@ -# ansible-managed in ooni-sysadmin.git -# Insipred by https://raw.githubusercontent.com/antirez/redis/3.2/redis.conf - -requirepass {{ airflow_redis_password }} - -# after 900 sec (15 min) if at least 1 key changed -save 900 1 -stop-writes-on-bgsave-error yes -rdbcompression yes -rdbchecksum yes -dbfilename dump.rdb -dir /data 
diff --git a/ansible/roles/airflow/templates/af-worker-hkgmetadb.env b/ansible/roles/airflow/templates/af-worker-hkgmetadb.env
deleted file mode 100644
index 3acf7bbb9..000000000
--- a/ansible/roles/airflow/templates/af-worker-hkgmetadb.env
+++ /dev/null
@@ -1,3 +0,0 @@
-# ansible-managed in ooni-sysadmin.git
-# See https://www.postgresql.org/docs/current/static/libpq-envars.html for doc.
-PGPASSWORD={{ shovel_postgres_password }}
diff --git a/ansible/roles/airflow/templates/af-worker-orchestradb.env b/ansible/roles/airflow/templates/af-worker-orchestradb.env
deleted file mode 100644
index 2917d1ad7..000000000
--- a/ansible/roles/airflow/templates/af-worker-orchestradb.env
+++ /dev/null
@@ -1,3 +0,0 @@
-# ansible-managed in ooni-sysadmin.git
-# See https://www.postgresql.org/docs/current/static/libpq-envars.html for doc.
-PGPASSWORD={{ orchestra_db_prod_password }}
diff --git a/ansible/roles/airflow/templates/af-worker-s3_ooni_datacollector.env b/ansible/roles/airflow/templates/af-worker-s3_ooni_datacollector.env
deleted file mode 100644
index c2657c889..000000000
--- a/ansible/roles/airflow/templates/af-worker-s3_ooni_datacollector.env
+++ /dev/null
@@ -1,3 +0,0 @@
-# ansible-managed in ooni-sysadmin.git
-AWS_ACCESS_KEY_ID={{ s3_ooni_datacollector_key_id }}
-AWS_SECRET_ACCESS_KEY={{ s3_ooni_datacollector_access_key }}
diff --git a/ansible/roles/airflow/templates/af-worker-s3root.env b/ansible/roles/airflow/templates/af-worker-s3root.env
deleted file mode 100644
index af07fd363..000000000
--- a/ansible/roles/airflow/templates/af-worker-s3root.env
+++ /dev/null
@@ -1,3 +0,0 @@
-# ansible-managed in ooni-sysadmin.git
-AWS_ACCESS_KEY_ID={{ s3root_access_key_id }}
-AWS_SECRET_ACCESS_KEY={{ s3root_secret_access_key }}
diff --git a/ansible/roles/airflow/templates/have_collector.json b/ansible/roles/airflow/templates/have_collector.json
deleted file mode 100644
index 850a84e74..000000000
--- a/ansible/roles/airflow/templates/have_collector.json
+++ /dev/null
@@ -1 +0,0 @@
-{{ groups.active_collector | to_nice_json }}
diff --git a/ansible/roles/airflow/templates/known_collectors b/ansible/roles/airflow/templates/known_collectors
deleted file mode 100644
index 8ea691bc1..000000000
--- a/ansible/roles/airflow/templates/known_collectors
+++ /dev/null
@@ -1,3 +0,0 @@
-{% for host in groups.active_collector %}
-{{ lookup('pipe', 'grep -F -e {}, {}/../ext/known_hosts'.format(host, inventory_dir)) }}
-{% endfor %}
diff --git a/ansible/roles/grav/defaults/main.yml b/ansible/roles/grav/defaults/main.yml
deleted file mode 100644
index 011feed72..000000000
--- a/ansible/roles/grav/defaults/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-grav_version: "1.3.1"
-grav_download_url: "https://github.com/getgrav/grav/releases/download/{{ grav_version}}/grav-admin-v{{ grav_version }}.zip"
-
-# XXX we currently don't create this
-grav_admin_user: grav_admin
-grav_admin_pass: '{{ CHANGE_ME }}'
-grav_admin_email: "admin@openobservatory.org"
-
-grav_user: "{{ passwd.grav.login }}"
-grav_group: "{{ passwd.grav.login }}"
-
-grav_path: "/srv/grav"
-grav_tmp_path: "{{ grav_path }}/tmp"
-grav_install_path: "{{ grav_path }}/grav-{{ grav_version }}"
-grav_user_path: "{{ grav_path }}/settings/user"
diff --git a/ansible/roles/grav/handlers/main.yml b/ansible/roles/grav/handlers/main.yml
deleted file mode 100644
index fa4d7465d..000000000
--- a/ansible/roles/grav/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: restart nginx
- service: name=nginx state=restarted
diff --git a/ansible/roles/grav/tasks/main.yml b/ansible/roles/grav/tasks/main.yml
deleted file mode 100644
index c98e3f289..000000000
--- a/ansible/roles/grav/tasks/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: "Install dependencies"
- apt: name={{ item }} update_cache=yes state=latest
- with_items:
- - 'unzip'
- - 'zip'
-
-- name: Create grav install folder
- file:
- path: "{{ item }}"
- owner: "{{ grav_user }}"
- group: "{{ grav_group }}"
- state: directory
- with_items:
- - "{{ grav_path }}"
- - "{{ grav_tmp_path }}"
- - "{{ grav_install_path }}"
-
-- import_tasks: setup-php.yml
-- import_tasks: setup-nginx.yml
-- import_tasks: setup-grav.yml
diff --git a/ansible/roles/grav/tasks/setup-grav.yml b/ansible/roles/grav/tasks/setup-grav.yml
deleted file mode 100644
index ac2856c2f..000000000
--- a/ansible/roles/grav/tasks/setup-grav.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-- name: Download files
- get_url: url={{ grav_download_url }} dest={{ grav_tmp_path }}/grav-{{ grav_version }}.zip
-
-- name: Ensure users directory is absent
- file:
- state: absent
- path: "{{ grav_install_path }}/grav-admin/user"
-
-- name: Extract archive
- unarchive:
- remote_src: true
- src: "{{ grav_tmp_path }}/grav-{{ grav_version }}.zip"
- dest: "{{ grav_install_path }}"
-
-- name: Delete users directory
- file:
- state: absent
- path: "{{ grav_install_path }}/grav-admin/user"
-
-- name: Create users directory symlink
- file:
- dest: "{{ grav_install_path }}/grav-admin/user"
- src: "{{ grav_user_path }}"
- force: "yes"
- state: link
-
-- name: Fixup permissions
- file:
- path: "{{ grav_install_path }}"
- state: directory
- owner: "{{ grav_user }}"
- group: "{{ grav_group }}"
- recurse: "yes"
- mode: 0755
- notify:
- - restart nginx
diff --git a/ansible/roles/grav/tasks/setup-nginx.yml b/ansible/roles/grav/tasks/setup-nginx.yml
deleted file mode 100644
index 2e3e4daf6..000000000
--- a/ansible/roles/grav/tasks/setup-nginx.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-- name: Install nginx
- environment:
- RUNLEVEL: 1 # Done to avoid nginx auto starting
- apt:
- name: "{{ item }}"
- state: present
- with_items:
- - nginx
-
-- name: Remove default nginx virtual host
- file:
- name: /etc/nginx/sites-enabled/default
- state: absent
- register: nginx
-
-- name: Configure nginx
- template:
- src: nginx.conf.j2
- dest: /etc/nginx/nginx.conf
-
-- name: Configure grav virtual host
- template:
- src: nginx-site-grav.j2
- dest: /etc/nginx/sites-available/grav
-
-- name: Link nginx sites
- file:
- path: /etc/nginx/sites-enabled/grav
- src: /etc/nginx/sites-available/grav
- state: link
- force: yes
- notify:
- - restart nginx
-
diff --git a/ansible/roles/grav/tasks/setup-php.yml b/ansible/roles/grav/tasks/setup-php.yml
deleted file mode 100644
index 36114769b..000000000
--- a/ansible/roles/grav/tasks/setup-php.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- name: "Install PHP dependencies"
- apt: name={{ item }} update_cache=yes state=latest
- with_items:
- - 'php5'
- - 'php5-gd'
- - 'php5-curl'
- - 'php5-geoip'
- - 'php5-ldap'
- - 'php5-fpm'
- - 'php5-cli'
-
-- name: Configure php-fpm php.ini
- template:
- src: php-fpm.ini.j2
- dest: /etc/php5/fpm/php.ini
-- name: Configure php-fpm www.conf
- template:
- src: php-fpm-www.conf.j2
- dest: /etc/php5/fpm/pool.d/www.conf
-
-- name: Restart PHP FPM
- shell: service php5-fpm restart
diff --git a/ansible/roles/grav/templates/nginx-site-grav.j2 b/ansible/roles/grav/templates/nginx-site-grav.j2
deleted file mode 100644
index 0bbb6135a..000000000
--- a/ansible/roles/grav/templates/nginx-site-grav.j2
+++ /dev/null
@@ -1,49 +0,0 @@
-server {
- server_name _;
-
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
-
- ssl_certificate /etc/letsencrypt/live/{{ letsencrypt_domains.split(',')[0] }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt_domains.split(',')[0] }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/{{ letsencrypt_domains.split(',')[0] }}/fullchain.pem;
-
- root {{ grav_install_path }}/grav-admin;
- index index.php index.html;
-
- ## Begin - Index
- # for subfolders, simply adjust the rewrite:
- # to use `/subfolder/index.php`
- location / {
- try_files $uri $uri/ /index.php?_url=$uri;
- }
- ## End - Index
-
- ## Begin - PHP
- location ~ \.php$ {
- # Choose either a socket or TCP/IP address
- fastcgi_pass unix:/var/run/php5-fpm.sock;
- # fastcgi_pass 127.0.0.1:9000;
-
- fastcgi_index index.php;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host;
- include fastcgi_params;
- }
- ## End - PHP
-
- ## Begin - Security
- # deny all direct access for these folders
- location ~* /(.git|cache|bin|logs|backups)/.*$ { return 403; }
- # deny running scripts inside core system folders
- location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
- # deny running scripts inside user folder
- location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
- # deny access to specific files in the root folder
- location ~ /(LICENSE|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
- ## End - Security
-
-}
diff --git a/ansible/roles/grav/templates/nginx.conf.j2 b/ansible/roles/grav/templates/nginx.conf.j2
deleted file mode 100644
index 382c3d577..000000000
--- a/ansible/roles/grav/templates/nginx.conf.j2
+++ /dev/null
@@ -1,84 +0,0 @@ -user www-data; -worker_processes 4; -pid /run/nginx.pid; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # SSL Settings - ## - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on; - - ## - # Logging Settings - ## - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # Virtual Host Configs - ## - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -} - - -#mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } -# -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } -#} diff --git a/ansible/roles/grav/templates/php-fpm-www.conf.j2 b/ansible/roles/grav/templates/php-fpm-www.conf.j2 deleted file mode 100644 index 3d9de2243..000000000 --- a/ansible/roles/grav/templates/php-fpm-www.conf.j2 +++ /dev/null 
@@ -1,384 +0,0 @@ -; Start a new pool named 'www'. -; the variable $pool can we used in any directive and will be replaced by the -; pool name ('www' here) -[www] - -; Per pool prefix -; It only applies on the following directives: -; - 'slowlog' -; - 'listen' (unixsocket) -; - 'chroot' -; - 'chdir' -; - 'php_values' -; - 'php_admin_values' -; When not set, the global prefix (or /usr) applies instead. -; Note: This directive can also be relative to the global prefix. -; Default Value: none -;prefix = /path/to/pools/$pool - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = {{ grav_user }} -group = www-data - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. -listen = /var/run/php5-fpm.sock - -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: 128 (-1 on FreeBSD and OpenBSD) -;listen.backlog = -1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0660 -listen.owner = www-data -listen.group = www-data -listen.mode = 0660 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. 
-; Default Value: any -;listen.allowed_clients = 127.0.0.1 - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives. With this process management, there will be -; always at least 1 children. -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. -; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; ondemand - no children are created at startup. Children will be forked when -; new requests will connect. The following parameter are used: -; pm.max_children - the maximum number of children that -; can be alive at the same time. -; pm.process_idle_timeout - The number of seconds after which -; an idle process will be killed. -; Note: This value is mandatory. -pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. The below defaults are based on a server without much resources. Don't -; forget to tweak pm.* to fit your needs. -; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' -; Note: This value is mandatory. 
-pm.max_children = 10 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -pm.start_servers = 4 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = 2 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = 6 - -; The number of seconds after which an idle process will be killed. -; Note: Used only when pm is set to 'ondemand' -; Default Value: 10s -;pm.process_idle_timeout = 10s; - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
It shows the following informations: -; pool - the name of the pool; -; process manager - static, dynamic or ondemand; -; start time - the date and time FPM has started; -; start since - number of seconds since FPM has started; -; accepted conn - the number of request accepted by the pool; -; listen queue - the number of request in the queue of pending -; connections (see backlog in listen(2)); -; max listen queue - the maximum number of requests in the queue -; of pending connections since FPM has started; -; listen queue len - the size of the socket queue of pending connections; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes; -; max active processes - the maximum number of active processes since FPM -; has started; -; max children reached - number of times, the process limit has been reached, -; when pm tries to start more children (works only for -; pm 'dynamic' and 'ondemand'); -; Value are updated in real time. -; Example output: -; pool: www -; process manager: static -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 62636 -; accepted conn: 190460 -; listen queue: 0 -; max listen queue: 1 -; listen queue len: 42 -; idle processes: 4 -; active processes: 11 -; total processes: 15 -; max active processes: 12 -; max children reached: 0 -; -; By default the status page output is formatted as text/plain. Passing either -; 'html', 'xml' or 'json' in the query string will return the corresponding -; output syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; http://www.foo.bar/status?xml -; -; By default the status page only outputs short status. Passing 'full' in the -; query string will also return status for each pool process. 
-; Example: -; http://www.foo.bar/status?full -; http://www.foo.bar/status?json&full -; http://www.foo.bar/status?html&full -; http://www.foo.bar/status?xml&full -; The Full status returns for each process: -; pid - the PID of the process; -; state - the state of the process (Idle, Running, ...); -; start time - the date and time the process has started; -; start since - the number of seconds since the process has started; -; requests - the number of requests the process has served; -; request duration - the duration in µs of the requests; -; request method - the request method (GET, POST, ...); -; request URI - the request URI with the query string; -; content length - the content length of the request (only with POST); -; user - the user (PHP_AUTH_USER) (or '-' if not set); -; script - the main script called (or '-' if not set); -; last request cpu - the %cpu the last request consumed -; it's always 0 if the process is not in Idle state -; because CPU calculation is done when the request -; processing has terminated; -; last request memory - the max amount of memory the last request consumed -; it's always 0 if the process is not in Idle state -; because memory calculation is done when the request -; processing has terminated; -; If the process is in Idle state, then informations are related to the -; last request the process has served. Otherwise informations are related to -; the current request being served. 
-; Example output: -; ************************ -; pid: 31330 -; state: Running -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 63087 -; requests: 12808 -; request duration: 1250261 -; request method: GET -; request URI: /test_mem.php?N=10000 -; content length: 0 -; user: - -; script: /home/fat/web/docs/php/test_mem.php -; last request cpu: 0.00 -; last request memory: 0 -; -; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: ${prefix}/share/fpm/status.html -; -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. -; Default Value: pong -;ping.response = pong - -; The access log file -; Default: not set -;access.log = log/$pool.access.log - -; The access log format. 
-; The following syntax is allowed -; %%: the '%' character -; %C: %CPU used by the request -; it can accept the following format: -; - %{user}C for user CPU only -; - %{system}C for system CPU only -; - %{total}C for user + system CPU (default) -; %d: time taken to serve the request -; it can accept the following format: -; - %{seconds}d (default) -; - %{miliseconds}d -; - %{mili}d -; - %{microseconds}d -; - %{micro}d -; %e: an environment variable (same as $_ENV or $_SERVER) -; it must be associated with embraces to specify the name of the env -; variable. Some exemples: -; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e -; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e -; %f: script filename -; %l: content-length of the request (for POST request only) -; %m: request method -; %M: peak of memory allocated by PHP -; it can accept the following format: -; - %{bytes}M (default) -; - %{kilobytes}M -; - %{kilo}M -; - %{megabytes}M -; - %{mega}M -; %n: pool name -; %o: ouput header -; it must be associated with embraces to specify the name of the header: -; - %{Content-Type}o -; - %{X-Powered-By}o -; - %{Transfert-Encoding}o -; - .... -; %p: PID of the child that serviced the request -; %P: PID of the parent of the child that serviced the request -; %q: the query string -; %Q: the '?' 
character if query string exists -; %r: the request URI (without the query string, see %q and %Q) -; %R: remote IP address -; %s: status (response code) -; %t: server time the request was received -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; %T: time the log has been written (the request has finished) -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; %u: remote user -; -; Default: "%R - %u %t \"%m %r\" %s" -;access.format = %R - %u %t "%m %r%Q%q" %s %f %{mili}d %{kilo}M %C%% - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -;slowlog = log/$pool.log.slow - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: you can prefix with '$prefix' to chroot to the pool prefix or one -; of its subdirectories. If the pool prefix is not set, the global prefix -; will be used instead. -; Note: chrooting is a great security feature and should be used whenever -; possible. 
However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. -; Note: relative path can be used. -; Default Value: current directory or / when chroot -chdir = / - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Note: on highloaded environement, this can cause some delay in the page -; process time (several ms). -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. 
- -; Note: path INI options can be relative and will be expanded with the prefix -; (pool, global or /usr) - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -;php_admin_value[error_log] = /var/log/fpm-php.www.log -;php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 32M diff --git a/ansible/roles/grav/templates/php-fpm.ini.j2 b/ansible/roles/grav/templates/php-fpm.ini.j2 deleted file mode 100644 index dd17202f8..000000000 --- a/ansible/roles/grav/templates/php-fpm.ini.j2 +++ /dev/null 
@@ -1,1870 +0,0 @@ -[PHP] - -;;;;;;;;;;;;;;;;;;; -; About php.ini ; -;;;;;;;;;;;;;;;;;;; -; PHP's initialization file, generally called php.ini, is responsible for -; configuring many of the aspects of PHP's behavior. - -; PHP attempts to find and load this configuration from a number of locations. -; The following is a summary of its search order: -; 1. SAPI module specific location. -; 2. The PHPRC environment variable. (As of PHP 5.2.0) -; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) -; 4. Current working directory (except CLI) -; 5. The web server's directory (for SAPI modules), or directory of PHP -; (otherwise in Windows) -; 6. The directory from the --with-config-file-path compile time option, or the -; Windows directory (C:\windows or C:\winnt) -; See the PHP docs for more specific information. -; http://php.net/configuration.file - -; The syntax of the file is extremely simple. Whitespace and Lines -; beginning with a semicolon are silently ignored (as you probably guessed). -; Section headers (e.g. [Foo]) are also silently ignored, even though -; they might mean something in the future. - -; Directives following the section heading [PATH=/www/mysite] only -; apply to PHP files in the /www/mysite directory. Directives -; following the section heading [HOST=www.example.com] only apply to -; PHP files served from www.example.com. Directives set in these -; special sections cannot be overridden by user-defined INI files or -; at runtime. Currently, [PATH=] and [HOST=] sections only work under -; CGI/FastCGI. -; http://php.net/ini.sections - -; Directives are specified using the following syntax: -; directive = value -; Directive names are *case sensitive* - foo=bar is different from FOO=bar. -; Directives are variables used to configure PHP or PHP extensions. -; There is no name validation. If PHP can't find an expected -; directive because it is not set or is mistyped, a default value will be used. 
- -; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one -; of the INI constants (On, Off, True, False, Yes, No and None) or an expression -; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a -; previously set variable or directive (e.g. ${foo}) - -; Expressions in the INI file are limited to bitwise operators and parentheses: -; | bitwise OR -; ^ bitwise XOR -; & bitwise AND -; ~ bitwise NOT -; ! boolean NOT - -; Boolean flags can be turned on using the values 1, On, True or Yes. -; They can be turned off using the values 0, Off, False or No. - -; An empty string can be denoted by simply not writing anything after the equal -; sign, or by using the None keyword: - -; foo = ; sets foo to an empty string -; foo = None ; sets foo to an empty string -; foo = "None" ; sets foo to the string 'None' - -; If you use constants in your value, and these constants belong to a -; dynamically loaded extension (either a PHP extension or a Zend extension), -; you may only use these constants *after* the line that loads the extension. - -;;;;;;;;;;;;;;;;;;; -; About this file ; -;;;;;;;;;;;;;;;;;;; -; PHP comes packaged with two INI files. One that is recommended to be used -; in production environments and one that is recommended to be used in -; development environments. - -; php.ini-production contains settings which hold security, performance and -; best practices at its core. But please be aware, these settings may break -; compatibility with older or less security conscience applications. We -; recommending using the production ini in production and testing environments. - -; php.ini-development is very similar to its production variant, except it's -; much more verbose when it comes to errors. We recommending using the -; development version only in development environments as errors shown to -; application users can inadvertently leak otherwise secure information. 
- -;;;;;;;;;;;;;;;;;;; -; Quick Reference ; -;;;;;;;;;;;;;;;;;;; -; The following are all the settings which are different in either the production -; or development versions of the INIs with respect to PHP's default behavior. -; Please see the actual settings later in the document for more details as to why -; we recommend these changes in PHP's behavior. - -; allow_call_time_pass_reference -; Default Value: On -; Development Value: Off -; Production Value: Off - -; display_errors -; Default Value: On -; Development Value: On -; Production Value: Off - -; display_startup_errors -; Default Value: Off -; Development Value: On -; Production Value: Off - -; error_reporting -; Default Value: E_ALL & ~E_NOTICE -; Development Value: E_ALL | E_STRICT -; Production Value: E_ALL & ~E_DEPRECATED - -; html_errors -; Default Value: On -; Development Value: On -; Production value: Off - -; log_errors -; Default Value: Off -; Development Value: On -; Production Value: On - -; magic_quotes_gpc -; Default Value: On -; Development Value: Off -; Production Value: Off - -; max_input_time -; Default Value: -1 (Unlimited) -; Development Value: 60 (60 seconds) -; Production Value: 60 (60 seconds) - -; output_buffering -; Default Value: Off -; Development Value: 4096 -; Production Value: 4096 - -; register_argc_argv -; Default Value: On -; Development Value: Off -; Production Value: Off - -; register_long_arrays -; Default Value: On -; Development Value: Off -; Production Value: Off - -; request_order -; Default Value: None -; Development Value: "GP" -; Production Value: "GP" - -; session.bug_compat_42 -; Default Value: On -; Development Value: On -; Production Value: Off - -; session.bug_compat_warn -; Default Value: On -; Development Value: On -; Production Value: Off - -; session.gc_divisor -; Default Value: 100 -; Development Value: 1000 -; Production Value: 1000 - -; session.hash_bits_per_character -; Default Value: 4 -; Development Value: 5 -; Production Value: 5 - -; 
short_open_tag -; Default Value: On -; Development Value: Off -; Production Value: Off - -; track_errors -; Default Value: Off -; Development Value: On -; Production Value: Off - -; url_rewriter.tags -; Default Value: "a=href,area=href,frame=src,form=,fieldset=" -; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry" -; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry" - -; variables_order -; Default Value: "EGPCS" -; Development Value: "GPCS" -; Production Value: "GPCS" - -;;;;;;;;;;;;;;;;;;;; -; php.ini Options ; -;;;;;;;;;;;;;;;;;;;; -; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini" -;user_ini.filename = ".user.ini" - -; To disable this feature set this option to empty value -;user_ini.filename = - -; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes) -;user_ini.cache_ttl = 300 - -;;;;;;;;;;;;;;;;;;;; -; Language Options ; -;;;;;;;;;;;;;;;;;;;; - -; Enable the PHP scripting language engine under Apache. -; http://php.net/engine -engine = On - -; This directive determines whether or not PHP will recognize code between -; tags as PHP source which should be processed as such. It's been -; recommended for several years that you not use the short tag "short cut" and -; instead to use the full tag combination. With the wide spread use -; of XML and use of these tags by other languages, the server can become easily -; confused and end up parsing the wrong code in the wrong context. But because -; this short cut has been a feature for such a long time, it's currently still -; supported for backwards compatibility, but we recommend you don't use them. -; Default Value: On -; Development Value: Off -; Production Value: Off -; http://php.net/short-open-tag -short_open_tag = On - -; Allow ASP-style <% %> tags. -; http://php.net/asp-tags -asp_tags = Off - -; The number of significant digits displayed in floating point numbers. 
-; http://php.net/precision -precision = 14 - -; Enforce year 2000 compliance (will cause problems with non-compliant browsers) -; http://php.net/y2k-compliance -y2k_compliance = On - -; Output buffering is a mechanism for controlling how much output data -; (excluding headers and cookies) PHP should keep internally before pushing that -; data to the client. If your application's output exceeds this setting, PHP -; will send that data in chunks of roughly the size you specify. -; Turning on this setting and managing its maximum buffer size can yield some -; interesting side-effects depending on your application and web server. -; You may be able to send headers and cookies after you've already sent output -; through print or echo. You also may see performance benefits if your server is -; emitting less packets due to buffered output versus PHP streaming the output -; as it gets it. On production servers, 4096 bytes is a good setting for performance -; reasons. -; Note: Output buffering can also be controlled via Output Buffering Control -; functions. -; Possible Values: -; On = Enabled and buffer is unlimited. (Use with caution) -; Off = Disabled -; Integer = Enables the buffer and sets its maximum size in bytes. -; Note: This directive is hardcoded to Off for the CLI SAPI -; Default Value: Off -; Development Value: 4096 -; Production Value: 4096 -; http://php.net/output-buffering -output_buffering = 4096 - -; You can redirect all of the output of your scripts to a function. For -; example, if you set output_handler to "mb_output_handler", character -; encoding will be transparently converted to the specified encoding. -; Setting any output handler automatically turns on output buffering. -; Note: People who wrote portable scripts should not depend on this ini -; directive. Instead, explicitly set the output handler using ob_start(). -; Using this ini directive may cause problems unless you know what script -; is doing. 
-; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler" -; and you cannot use both "ob_gzhandler" and "zlib.output_compression". -; Note: output_handler must be empty if this is set 'On' !!!! -; Instead you must use zlib.output_handler. -; http://php.net/output-handler -;output_handler = - -; Transparent output compression using the zlib library -; Valid values for this option are 'off', 'on', or a specific buffer size -; to be used for compression (default is 4KB) -; Note: Resulting chunk size may vary due to nature of compression. PHP -; outputs chunks that are few hundreds bytes each as a result of -; compression. If you prefer a larger chunk size for better -; performance, enable output_buffering in addition. -; Note: You need to use zlib.output_handler instead of the standard -; output_handler, or otherwise the output will be corrupted. -; http://php.net/zlib.output-compression -zlib.output_compression = Off - -; http://php.net/zlib.output-compression-level -;zlib.output_compression_level = -1 - -; You cannot specify additional output handlers if zlib.output_compression -; is activated here. This setting does the same as output_handler but in -; a different order. -; http://php.net/zlib.output-handler -;zlib.output_handler = - -; Implicit flush tells PHP to tell the output layer to flush itself -; automatically after every output block. This is equivalent to calling the -; PHP function flush() after each and every call to print() or echo() and each -; and every HTML block. Turning this option on has serious performance -; implications and is generally recommended for debugging purposes only. -; http://php.net/implicit-flush -; Note: This directive is hardcoded to On for the CLI SAPI -implicit_flush = Off - -; The unserialize callback function will be called (with the undefined class' -; name as parameter), if the unserializer finds an undefined class -; which should be instantiated. 
A warning appears if the specified function is -; not defined, or if the function doesn't include/implement the missing class. -; So only set this entry, if you really want to implement such a -; callback-function. -unserialize_callback_func = - -; When floats & doubles are serialized store serialize_precision significant -; digits after the floating point. The default value ensures that when floats -; are decoded with unserialize, the data will remain the same. -serialize_precision = 17 - -; This directive allows you to enable and disable warnings which PHP will issue -; if you pass a value by reference at function call time. Passing values by -; reference at function call time is a deprecated feature which will be removed -; from PHP at some point in the near future. The acceptable method for passing a -; value by reference to a function is by declaring the reference in the functions -; definition, not at call time. This directive does not disable this feature, it -; only determines whether PHP will warn you about it or not. These warnings -; should enabled in development environments only. -; Default Value: On (Suppress warnings) -; Development Value: Off (Issue warnings) -; Production Value: Off (Issue warnings) -; http://php.net/allow-call-time-pass-reference -allow_call_time_pass_reference = Off - -; Safe Mode -; http://php.net/safe-mode -safe_mode = Off - -; By default, Safe Mode does a UID compare check when -; opening files. If you want to relax this to a GID compare, -; then turn on safe_mode_gid. -; http://php.net/safe-mode-gid -safe_mode_gid = Off - -; When safe_mode is on, UID/GID checks are bypassed when -; including files from this directory and its subdirectories. 
-; (directory must also be in include_path or full path must
-; be used when including)
-; http://php.net/safe-mode-include-dir
-safe_mode_include_dir =
-
-; When safe_mode is on, only executables located in the safe_mode_exec_dir
-; will be allowed to be executed via the exec family of functions.
-; http://php.net/safe-mode-exec-dir
-safe_mode_exec_dir =
-
-; Setting certain environment variables may be a potential security breach.
-; This directive contains a comma-delimited list of prefixes. In Safe Mode,
-; the user may only alter environment variables whose names begin with the
-; prefixes supplied here. By default, users will only be able to set
-; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
-; Note: If this directive is empty, PHP will let the user modify ANY
-; environment variable!
-; http://php.net/safe-mode-allowed-env-vars
-safe_mode_allowed_env_vars = PHP_
-
-; This directive contains a comma-delimited list of environment variables that
-; the end user won't be able to change using putenv(). These variables will be
-; protected even if safe_mode_allowed_env_vars is set to allow to change them.
-; http://php.net/safe-mode-protected-env-vars
-safe_mode_protected_env_vars = LD_LIBRARY_PATH
-
-; open_basedir, if set, limits all file operations to the defined directory
-; and below. This directive makes most sense if used in a per-directory
-; or per-virtualhost web server configuration file. This directive is
-; *NOT* affected by whether Safe Mode is turned On or Off.
-; http://php.net/open-basedir
-;open_basedir =
-
-; This directive allows you to disable certain functions for security reasons.
-; It receives a comma-delimited list of function names. This directive is
-; *NOT* affected by whether Safe Mode is turned On or Off.
-; http://php.net/disable-functions
-disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
-
-; This directive allows you to disable certain classes for security reasons.
-; It receives a comma-delimited list of class names. This directive is
-; *NOT* affected by whether Safe Mode is turned On or Off.
-; http://php.net/disable-classes
-disable_classes =
-
-; Colors for Syntax Highlighting mode. Anything that's acceptable in
-; would work.
-; http://php.net/syntax-highlighting
-;highlight.string = #DD0000
-;highlight.comment = #FF9900
-;highlight.keyword = #007700
-;highlight.bg = #FFFFFF
-;highlight.default = #0000BB
-;highlight.html = #000000
-
-; If enabled, the request will be allowed to complete even if the user aborts
-; the request. Consider enabling it if executing long requests, which may end up
-; being interrupted by the user or a browser timing out. PHP's default behavior
-; is to disable this feature.
-; http://php.net/ignore-user-abort
-;ignore_user_abort = On
-
-; Determines the size of the realpath cache to be used by PHP. This value should
-; be increased on systems where PHP opens many files to reflect the quantity of
-; the file operations performed.
-; http://php.net/realpath-cache-size
-;realpath_cache_size = 16k
-
-; Duration of time, in seconds for which to cache realpath information for a given
-; file or directory. For systems with rarely changing files, consider increasing this
-; value.
-; http://php.net/realpath-cache-ttl
-;realpath_cache_ttl = 120
-
-; Enables or disables the circular reference collector.
-; http://php.net/zend.enable-gc
-zend.enable_gc = On
-
-;;;;;;;;;;;;;;;;;
-; Miscellaneous ;
-;;;;;;;;;;;;;;;;;
-
-; Decides whether PHP may expose the fact that it is installed on the server
-; (e.g. by adding its signature to the Web server header). It is no security
-; threat in any way, but it makes it possible to determine whether you use PHP
-; on your server or not.
-; http://php.net/expose-php
-expose_php = On
-
-;;;;;;;;;;;;;;;;;;;
-; Resource Limits ;
-;;;;;;;;;;;;;;;;;;;
-
-; Maximum execution time of each script, in seconds
-; http://php.net/max-execution-time
-; Note: This directive is hardcoded to 0 for the CLI SAPI
-max_execution_time = 30
-
-; Maximum amount of time each script may spend parsing request data. It's a good
-; idea to limit this time on productions servers in order to eliminate unexpectedly
-; long running scripts.
-; Note: This directive is hardcoded to -1 for the CLI SAPI
-; Default Value: -1 (Unlimited)
-; Development Value: 60 (60 seconds)
-; Production Value: 60 (60 seconds)
-; http://php.net/max-input-time
-max_input_time = 60
-
-; Maximum input variable nesting level
-; http://php.net/max-input-nesting-level
-;max_input_nesting_level = 64
-
-; How many GET/POST/COOKIE input variables may be accepted
-; max_input_vars = 1000
-
-; Maximum amount of memory a script may consume (128MB)
-; http://php.net/memory-limit
-memory_limit = 128M
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-; Error handling and logging ;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-; This directive informs PHP of which errors, warnings and notices you would like
-; it to take action for. The recommended way of setting values for this
-; directive is through the use of the error level constants and bitwise
-; operators. The error level constants are below here for convenience as well as
-; some common settings and their meanings.
-; By default, PHP is set to take action on all errors, notices and warnings EXCEPT
-; those related to E_NOTICE and E_STRICT, which together cover best practices and
-; recommended coding standards in PHP. For performance reasons, this is the
-; recommend error reporting setting. Your production server shouldn't be wasting
-; resources complaining about best practices and coding standards. That's what
-; development servers and development settings are for.
-; Note: The php.ini-development file has this setting as E_ALL | E_STRICT. This
-; means it pretty much reports everything which is exactly what you want during
-; development and early testing.
-;
-; Error Level Constants:
-; E_ALL - All errors and warnings (includes E_STRICT as of PHP 6.0.0)
-; E_ERROR - fatal run-time errors
-; E_RECOVERABLE_ERROR - almost fatal run-time errors
-; E_WARNING - run-time warnings (non-fatal errors)
-; E_PARSE - compile-time parse errors
-; E_NOTICE - run-time notices (these are warnings which often result
-; from a bug in your code, but it's possible that it was
-; intentional (e.g., using an uninitialized variable and
-; relying on the fact it's automatically initialized to an
-; empty string)
-; E_STRICT - run-time notices, enable to have PHP suggest changes
-; to your code which will ensure the best interoperability
-; and forward compatibility of your code
-; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
-; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
-; initial startup
-; E_COMPILE_ERROR - fatal compile-time errors
-; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
-; E_USER_ERROR - user-generated error message
-; E_USER_WARNING - user-generated warning message
-; E_USER_NOTICE - user-generated notice message
-; E_DEPRECATED - warn about code that will not work in future versions
-; of PHP
-; E_USER_DEPRECATED - user-generated deprecation warnings
-;
-; Common Values:
-; E_ALL & ~E_NOTICE (Show all errors, except for notices and coding standards warnings.)
-; E_ALL & ~E_NOTICE | E_STRICT (Show all errors, except for notices)
-; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
-; E_ALL | E_STRICT (Show all errors, warnings and notices including coding standards.)
-; Default Value: E_ALL & ~E_NOTICE
-; Development Value: E_ALL | E_STRICT
-; Production Value: E_ALL & ~E_DEPRECATED
-; http://php.net/error-reporting
-error_reporting = E_ALL & ~E_DEPRECATED
-
-; This directive controls whether or not and where PHP will output errors,
-; notices and warnings too. Error output is very useful during development, but
-; it could be very dangerous in production environments. Depending on the code
-; which is triggering the error, sensitive information could potentially leak
-; out of your application such as database usernames and passwords or worse.
-; It's recommended that errors be logged on production servers rather than
-; having the errors sent to STDOUT.
-; Possible Values:
-; Off = Do not display any errors
-; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
-; On or stdout = Display errors to STDOUT
-; Default Value: On
-; Development Value: On
-; Production Value: Off
-; http://php.net/display-errors
-display_errors = Off
-
-; The display of errors which occur during PHP's startup sequence are handled
-; separately from display_errors. PHP's default behavior is to suppress those
-; errors from clients. Turning the display of startup errors on can be useful in
-; debugging configuration problems. But, it's strongly recommended that you
-; leave this setting off on production servers.
-; Default Value: Off
-; Development Value: On
-; Production Value: Off
-; http://php.net/display-startup-errors
-display_startup_errors = Off
-
-; Besides displaying errors, PHP can also log errors to locations such as a
-; server-specific log, STDERR, or a location specified by the error_log
-; directive found below. While errors should not be displayed on productions
-; servers they should still be monitored and logging is a great way to do that.
-; Default Value: Off
-; Development Value: On
-; Production Value: On
-; http://php.net/log-errors
-log_errors = On
-
-; Set maximum length of log_errors. In error_log information about the source is
-; added. The default is 1024 and 0 allows to not apply any maximum length at all.
-; http://php.net/log-errors-max-len
-log_errors_max_len = 1024
-
-; Do not log repeated messages. Repeated errors must occur in same file on same
-; line unless ignore_repeated_source is set true.
-; http://php.net/ignore-repeated-errors
-ignore_repeated_errors = Off
-
-; Ignore source of message when ignoring repeated messages. When this setting
-; is On you will not log errors with repeated messages from different files or
-; source lines.
-; http://php.net/ignore-repeated-source
-ignore_repeated_source = Off
-
-; If this parameter is set to Off, then memory leaks will not be shown (on
-; stdout or in the log). This has only effect in a debug compile, and if
-; error reporting includes E_WARNING in the allowed list
-; http://php.net/report-memleaks
-report_memleaks = On
-
-; This setting is on by default.
-;report_zend_debug = 0
-
-; Store the last error/warning message in $php_errormsg (boolean). Setting this value
-; to On can assist in debugging and is appropriate for development servers. It should
-; however be disabled on production servers.
-; Default Value: Off
-; Development Value: On
-; Production Value: Off
-; http://php.net/track-errors
-track_errors = Off
-
-; Turn off normal error reporting and emit XML-RPC error XML
-; http://php.net/xmlrpc-errors
-;xmlrpc_errors = 0
-
-; An XML-RPC faultCode
-;xmlrpc_error_number = 0
-
-; When PHP displays or logs an error, it has the capability of inserting html
-; links to documentation related to that error. This directive controls whether
-; those HTML links appear in error messages or not. For performance and security
-; reasons, it's recommended you disable this on production servers.
-; Note: This directive is hardcoded to Off for the CLI SAPI
-; Default Value: On
-; Development Value: On
-; Production value: Off
-; http://php.net/html-errors
-html_errors = Off
-
-; If html_errors is set On PHP produces clickable error messages that direct
-; to a page describing the error or function causing the error in detail.
-; You can download a copy of the PHP manual from http://php.net/docs
-; and change docref_root to the base URL of your local copy including the
-; leading '/'. You must also specify the file extension being used including
-; the dot. PHP's default behavior is to leave these settings empty.
-; Note: Never use this feature for production boxes.
-; http://php.net/docref-root
-; Examples
-;docref_root = "/phpmanual/"
-
-; http://php.net/docref-ext
-;docref_ext = .html
-
-; String to output before an error message. PHP's default behavior is to leave
-; this setting blank.
-; http://php.net/error-prepend-string
-; Example:
-;error_prepend_string = ""
-
-; String to output after an error message. PHP's default behavior is to leave
-; this setting blank.
-; http://php.net/error-append-string
-; Example:
-;error_append_string = ""
-
-; Log errors to specified file. PHP's default behavior is to leave this value
-; empty.
-; http://php.net/error-log
-; Example:
-;error_log = php_errors.log
-; Log errors to syslog (Event Log on NT, not valid in Windows 95).
-;error_log = syslog
-
-;windows.show_crt_warning
-; Default value: 0
-; Development value: 0
-; Production value: 0
-
-;;;;;;;;;;;;;;;;;
-; Data Handling ;
-;;;;;;;;;;;;;;;;;
-
-; The separator used in PHP generated URLs to separate arguments.
-; PHP's default setting is "&".
-; http://php.net/arg-separator.output
-; Example:
-;arg_separator.output = "&"
-
-; List of separator(s) used by PHP to parse input URLs into variables.
-; PHP's default setting is "&".
-; NOTE: Every character in this directive is considered as separator!
-; http://php.net/arg-separator.input
-; Example:
-;arg_separator.input = ";&"
-
-; This directive determines which super global arrays are registered when PHP
-; starts up. If the register_globals directive is enabled, it also determines
-; what order variables are populated into the global space. G,P,C,E & S are
-; abbreviations for the following respective super globals: GET, POST, COOKIE,
-; ENV and SERVER. There is a performance penalty paid for the registration of
-; these arrays and because ENV is not as commonly used as the others, ENV is
-; is not recommended on productions servers. You can still get access to
-; the environment variables through getenv() should you need to.
-; Default Value: "EGPCS"
-; Development Value: "GPCS"
-; Production Value: "GPCS";
-; http://php.net/variables-order
-variables_order = "GPCS"
-
-; This directive determines which super global data (G,P,C,E & S) should
-; be registered into the super global array REQUEST. If so, it also determines
-; the order in which that data is registered. The values for this directive are
-; specified in the same manner as the variables_order directive, EXCEPT one.
-; Leaving this value empty will cause PHP to use the value set in the
-; variables_order directive. It does not mean it will leave the super globals
-; array REQUEST empty.
-; Default Value: None
-; Development Value: "GP"
-; Production Value: "GP"
-; http://php.net/request-order
-request_order = "GP"
-
-; Whether or not to register the EGPCS variables as global variables. You may
-; want to turn this off if you don't want to clutter your scripts' global scope
-; with user data.
-; You should do your best to write your scripts so that they do not require
-; register_globals to be on; Using form variables as globals can easily lead
-; to possible security problems, if the code is not very well thought of.
-; http://php.net/register-globals
-register_globals = Off
-
-; Determines whether the deprecated long $HTTP_*_VARS type predefined variables
-; are registered by PHP or not. As they are deprecated, we obviously don't
-; recommend you use them. They are on by default for compatibility reasons but
-; they are not recommended on production servers.
-; Default Value: On
-; Development Value: Off
-; Production Value: Off
-; http://php.net/register-long-arrays
-register_long_arrays = Off
-
-; This directive determines whether PHP registers $argv & $argc each time it
-; runs. $argv contains an array of all the arguments passed to PHP when a script
-; is invoked. $argc contains an integer representing the number of arguments
-; that were passed when the script was invoked. These arrays are extremely
-; useful when running scripts from the command line. When this directive is
-; enabled, registering these variables consumes CPU cycles and memory each time
-; a script is executed. For performance reasons, this feature should be disabled
-; on production servers.
-; Note: This directive is hardcoded to On for the CLI SAPI
-; Default Value: On
-; Development Value: Off
-; Production Value: Off
-; http://php.net/register-argc-argv
-register_argc_argv = Off
-
-; When enabled, the SERVER and ENV variables are created when they're first
-; used (Just In Time) instead of when the script starts. If these variables
-; are not used within a script, having this directive on will result in a
-; performance gain. The PHP directives register_globals, register_long_arrays,
-; and register_argc_argv must be disabled for this directive to have any affect.
-; http://php.net/auto-globals-jit
-auto_globals_jit = On
-
-; Maximum size of POST data that PHP will accept.
-; http://php.net/post-max-size
-post_max_size = 8M
-
-; Magic quotes are a preprocessing feature of PHP where PHP will attempt to
-; escape any character sequences in GET, POST, COOKIE and ENV data which might
-; otherwise corrupt data being placed in resources such as databases before
-; making that data available to you. Because of character encoding issues and
-; non-standard SQL implementations across many databases, it's not currently
-; possible for this feature to be 100% accurate. PHP's default behavior is to
-; enable the feature. We strongly recommend you use the escaping mechanisms
-; designed specifically for the database your using instead of relying on this
-; feature. Also note, this feature has been deprecated as of PHP 5.3.0 and is
-; scheduled for removal in PHP 6.
-; Default Value: On
-; Development Value: Off
-; Production Value: Off
-; http://php.net/magic-quotes-gpc
-magic_quotes_gpc = Off
-
-; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
-; http://php.net/magic-quotes-runtime
-magic_quotes_runtime = Off
-
-; Use Sybase-style magic quotes (escape ' with '' instead of \').
-; http://php.net/magic-quotes-sybase
-magic_quotes_sybase = Off
-
-; Automatically add files before PHP document.
-; http://php.net/auto-prepend-file
-auto_prepend_file =
-
-; Automatically add files after PHP document.
-; http://php.net/auto-append-file
-auto_append_file =
-
-; By default, PHP will output a character encoding using
-; the Content-type: header. To disable sending of the charset, simply
-; set it to be empty.
-;
-; PHP's built-in default is text/html
-; http://php.net/default-mimetype
-default_mimetype = "text/html"
-
-; PHP's default character set is set to empty.
-; http://php.net/default-charset
-;default_charset = "iso-8859-1"
-
-; Always populate the $HTTP_RAW_POST_DATA variable. PHP's default behavior is
-; to disable this feature.
-; http://php.net/always-populate-raw-post-data
-always_populate_raw_post_data = -1
-
-;;;;;;;;;;;;;;;;;;;;;;;;;
-; Paths and Directories ;
-;;;;;;;;;;;;;;;;;;;;;;;;;
-
-; UNIX: "/path1:/path2"
-;include_path = ".:/usr/share/php"
-;
-; Windows: "\path1;\path2"
-;include_path = ".;c:\php\includes"
-;
-; PHP's default setting for include_path is ".;/path/to/php/pear"
-; http://php.net/include-path
-
-; The root of the PHP pages, used only if nonempty.
-; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
-; if you are running php as a CGI under any web server (other than IIS)
-; see documentation for security issues. The alternate is to use the
-; cgi.force_redirect configuration below
-; http://php.net/doc-root
-doc_root =
-
-; The directory under which PHP opens the script using /~username used only
-; if nonempty.
-; http://php.net/user-dir
-user_dir =
-
-; Directory in which the loadable extensions (modules) reside.
-; http://php.net/extension-dir
-; extension_dir = "./"
-; On windows:
-; extension_dir = "ext"
-
-; Whether or not to enable the dl() function. The dl() function does NOT work
-; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-; disabled on them.
-; http://php.net/enable-dl
-enable_dl = Off
-
-; cgi.force_redirect is necessary to provide security running PHP as a CGI under
-; most web servers. Left undefined, PHP turns this on by default. You can
-; turn it off here AT YOUR OWN RISK
-; **You CAN safely turn this off for IIS, in fact, you MUST.**
-; http://php.net/cgi.force-redirect
-;cgi.force_redirect = 1
-
-; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
-; every request. PHP's default behavior is to disable this feature.
-;cgi.nph = 1
-
-; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
-; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
-; will look for to know it is OK to continue execution. Setting this variable MAY
-; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
-; http://php.net/cgi.redirect-status-env
-;cgi.redirect_status_env = ;
-
-; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
-; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
-; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
-; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
-; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
-; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
-; http://php.net/cgi.fix-pathinfo
-;cgi.fix_pathinfo=0
-
-; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
-; security tokens of the calling client. This allows IIS to define the
-; security context that the request runs under. mod_fastcgi under Apache
-; does not currently support this feature (03/17/2002)
-; Set to 1 if running under IIS. Default is zero.
-; http://php.net/fastcgi.impersonate
-;fastcgi.impersonate = 1;
-
-; Disable logging through FastCGI connection. PHP's default behavior is to enable
-; this feature.
-;fastcgi.logging = 0
-
-; cgi.rfc2616_headers configuration option tells PHP what type of headers to
-; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
-; is supported by Apache. When this option is set to 1 PHP will send
-; RFC2616 compliant header.
-; Default is zero.
-; http://php.net/cgi.rfc2616-headers
-;cgi.rfc2616_headers = 0
-
-;;;;;;;;;;;;;;;;
-; File Uploads ;
-;;;;;;;;;;;;;;;;
-
-; Whether to allow HTTP file uploads.
-; http://php.net/file-uploads
-file_uploads = On
-
-; Temporary directory for HTTP uploaded files (will use system default if not
-; specified).
-; http://php.net/upload-tmp-dir
-;upload_tmp_dir =
-
-; Maximum allowed size for uploaded files.
-; http://php.net/upload-max-filesize
-upload_max_filesize = 2M
-
-; Maximum number of files that can be uploaded via a single request
-max_file_uploads = 20
-
-;;;;;;;;;;;;;;;;;;
-; Fopen wrappers ;
-;;;;;;;;;;;;;;;;;;
-
-; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
-; http://php.net/allow-url-fopen
-allow_url_fopen = On
-
-; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
-; http://php.net/allow-url-include
-allow_url_include = Off
-
-; Define the anonymous ftp password (your email address). PHP's default setting
-; for this is empty.
-; http://php.net/from
-;from="john@doe.com"
-
-; Define the User-Agent string. PHP's default setting for this is empty.
-; http://php.net/user-agent
-;user_agent="PHP"
-
-; Default timeout for socket based streams (seconds)
-; http://php.net/default-socket-timeout
-default_socket_timeout = 60
-
-; If your scripts have to deal with files from Macintosh systems,
-; or you are running on a Mac and need to deal with files from
-; unix or win32 systems, setting this flag will cause PHP to
-; automatically detect the EOL character in those files so that
-; fgets() and file() will work regardless of the source of the file.
-; http://php.net/auto-detect-line-endings
-;auto_detect_line_endings = Off
-
-;;;;;;;;;;;;;;;;;;;;;;
-; Dynamic Extensions ;
-;;;;;;;;;;;;;;;;;;;;;;
-
-; If you wish to have an extension loaded automatically, use the following
-; syntax:
-;
-; extension=modulename.extension
-;
-; For example, on Windows:
-;
-; extension=msql.dll
-;
-; ... or under UNIX:
-;
-; extension=msql.so
-;
-; ... or with a path:
-;
-; extension=/path/to/extension/msql.so
-;
-; If you only provide the name of the extension, PHP will look for it in its
-; default extension directory.
-
-;;;;;;;;;;;;;;;;;;;
-; Module Settings ;
-;;;;;;;;;;;;;;;;;;;
-
-[Date]
-; Defines the default timezone used by the date functions
-; http://php.net/date.timezone
-;date.timezone =
-
-; http://php.net/date.default-latitude
-;date.default_latitude = 31.7667
-
-; http://php.net/date.default-longitude
-;date.default_longitude = 35.2333
-
-; http://php.net/date.sunrise-zenith
-;date.sunrise_zenith = 90.583333
-
-; http://php.net/date.sunset-zenith
-;date.sunset_zenith = 90.583333
-
-[filter]
-; http://php.net/filter.default
-;filter.default = unsafe_raw
-
-; http://php.net/filter.default-flags
-;filter.default_flags =
-
-[iconv]
-;iconv.input_encoding = ISO-8859-1
-;iconv.internal_encoding = ISO-8859-1
-;iconv.output_encoding = ISO-8859-1
-
-[intl]
-;intl.default_locale =
-; This directive allows you to produce PHP errors when some error
-; happens within intl functions. The value is the level of the error produced.
-; Default is 0, which does not produce any errors.
-;intl.error_level = E_WARNING
-
-[sqlite]
-; http://php.net/sqlite.assoc-case
-;sqlite.assoc_case = 0
-
-[sqlite3]
-;sqlite3.extension_dir =
-
-[Pcre]
-;PCRE library backtracking limit.
-; http://php.net/pcre.backtrack-limit
-;pcre.backtrack_limit=100000
-
-;PCRE library recursion limit.
-;Please note that if you set this value to a high number you may consume all
-;the available process stack and eventually crash PHP (due to reaching the
-;stack size limit imposed by the Operating System).
-; http://php.net/pcre.recursion-limit
-;pcre.recursion_limit=100000
-
-[Pdo]
-; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
-; http://php.net/pdo-odbc.connection-pooling
-;pdo_odbc.connection_pooling=strict
-
-;pdo_odbc.db2_instance_name
-
-[Pdo_mysql]
-; If mysqlnd is used: Number of cache slots for the internal result set cache
-; http://php.net/pdo_mysql.cache_size
-pdo_mysql.cache_size = 2000
-
-; Default socket name for local MySQL connects. If empty, uses the built-in
-; MySQL defaults.
-; http://php.net/pdo_mysql.default-socket
-pdo_mysql.default_socket=
-
-[Phar]
-; http://php.net/phar.readonly
-;phar.readonly = On
-
-; http://php.net/phar.require-hash
-;phar.require_hash = On
-
-;phar.cache_list =
-
-[Syslog]
-; Whether or not to define the various syslog variables (e.g. $LOG_PID,
-; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In
-; runtime, you can define these variables by calling define_syslog_variables().
-; http://php.net/define-syslog-variables
-define_syslog_variables = Off
-
-[mail function]
-; For Win32 only.
-; http://php.net/smtp
-SMTP = localhost
-; http://php.net/smtp-port
-smtp_port = 25
-
-; For Win32 only.
-; http://php.net/sendmail-from
-;sendmail_from = me@example.com
-
-; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
-; http://php.net/sendmail-path
-;sendmail_path =
-
-; Force the addition of the specified parameters to be passed as extra parameters
-; to the sendmail binary. These parameters will always replace the value of
-; the 5th parameter to mail(), even in safe mode.
-;mail.force_extra_parameters =
-
-; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
-mail.add_x_header = On
-
-; The path to a log file that will log all mail() calls. Log entries include
-; the full path of the script, line number, To address and headers.
-;mail.log =
-
-[SQL]
-; http://php.net/sql.safe-mode
-sql.safe_mode = Off
-
-[ODBC]
-; http://php.net/odbc.default-db
-;odbc.default_db = Not yet implemented
-
-; http://php.net/odbc.default-user
-;odbc.default_user = Not yet implemented
-
-; http://php.net/odbc.default-pw
-;odbc.default_pw = Not yet implemented
-
-; Controls the ODBC cursor model.
-; Default: SQL_CURSOR_STATIC (default).
-;odbc.default_cursortype
-
-; Allow or prevent persistent links.
-; http://php.net/odbc.allow-persistent
-odbc.allow_persistent = On
-
-; Check that a connection is still valid before reuse.
-; http://php.net/odbc.check-persistent
-odbc.check_persistent = On
-
-; Maximum number of persistent links. -1 means no limit.
-; http://php.net/odbc.max-persistent
-odbc.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent). -1 means no limit.
-; http://php.net/odbc.max-links
-odbc.max_links = -1
-
-; Handling of LONG fields. Returns number of bytes to variables. 0 means
-; passthru.
-; http://php.net/odbc.defaultlrl
-odbc.defaultlrl = 4096
-
-; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
-; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
-; of odbc.defaultlrl and odbc.defaultbinmode
-; http://php.net/odbc.defaultbinmode
-odbc.defaultbinmode = 1
-
-;birdstep.max_links = -1
-
-[Interbase]
-; Allow or prevent persistent links.
-ibase.allow_persistent = 1
-
-; Maximum number of persistent links. -1 means no limit.
-ibase.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent). -1 means no limit.
-ibase.max_links = -1
-
-; Default database name for ibase_connect().
-;ibase.default_db =
-
-; Default username for ibase_connect().
-;ibase.default_user =
-
-; Default password for ibase_connect().
-;ibase.default_password =
-
-; Default charset for ibase_connect().
-;ibase.default_charset =
-
-; Default timestamp format.
-ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
-
-; Default date format.
-ibase.dateformat = "%Y-%m-%d"
-
-; Default time format.
-ibase.timeformat = "%H:%M:%S"
-
-[MySQL]
-; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
-; http://php.net/mysql.allow_local_infile
-mysql.allow_local_infile = On
-
-; Allow or prevent persistent links.
-; http://php.net/mysql.allow-persistent
-mysql.allow_persistent = On
-
-; If mysqlnd is used: Number of cache slots for the internal result set cache
-; http://php.net/mysql.cache_size
-mysql.cache_size = 2000
-
-; Maximum number of persistent links. -1 means no limit.
-; http://php.net/mysql.max-persistent
-mysql.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent). -1 means no limit.
-; http://php.net/mysql.max-links
-mysql.max_links = -1
-
-; Default port number for mysql_connect(). If unset, mysql_connect() will use
-; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
-; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
-; at MYSQL_PORT.
-; http://php.net/mysql.default-port
-mysql.default_port =
-
-; Default socket name for local MySQL connects. If empty, uses the built-in
-; MySQL defaults.
-; http://php.net/mysql.default-socket
-mysql.default_socket =
-
-; Default host for mysql_connect() (doesn't apply in safe mode).
-; http://php.net/mysql.default-host
-mysql.default_host =
-
-; Default user for mysql_connect() (doesn't apply in safe mode).
-; http://php.net/mysql.default-user
-mysql.default_user =
-
-; Default password for mysql_connect() (doesn't apply in safe mode).
-; Note that this is generally a *bad* idea to store passwords in this file.
-; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
-; and reveal this password! And of course, any users with read access to this
-; file will be able to reveal the password as well.
-; http://php.net/mysql.default-password
-mysql.default_password =
-
-; Maximum time (in seconds) for connect timeout. -1 means no limit
-; http://php.net/mysql.connect-timeout
-mysql.connect_timeout = 60
-
-; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
-; SQL-Errors will be displayed.
-; http://php.net/mysql.trace-mode
-mysql.trace_mode = Off
-
-[MySQLi]
-
-; Maximum number of persistent links. -1 means no limit.
-; http://php.net/mysqli.max-persistent
-mysqli.max_persistent = -1
-
-; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
-; http://php.net/mysqli.allow_local_infile
-;mysqli.allow_local_infile = On
-
-; Allow or prevent persistent links.
-; http://php.net/mysqli.allow-persistent
-mysqli.allow_persistent = On
-
-; Maximum number of links. -1 means no limit.
-; http://php.net/mysqli.max-links
-mysqli.max_links = -1
-
-; If mysqlnd is used: Number of cache slots for the internal result set cache
-; http://php.net/mysqli.cache_size
-mysqli.cache_size = 2000
-
-; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
-; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
-; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
-; at MYSQL_PORT.
-; http://php.net/mysqli.default-port
-mysqli.default_port = 3306
-
-; Default socket name for local MySQL connects. If empty, uses the built-in
-; MySQL defaults.
-; http://php.net/mysqli.default-socket
-mysqli.default_socket =
-
-; Default host for mysql_connect() (doesn't apply in safe mode).
-; http://php.net/mysqli.default-host
-mysqli.default_host =
-
-; Default user for mysql_connect() (doesn't apply in safe mode).
-; http://php.net/mysqli.default-user
-mysqli.default_user =
-
-; Default password for mysqli_connect() (doesn't apply in safe mode).
-; Note that this is generally a *bad* idea to store passwords in this file.
-; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
-; and reveal this password! And of course, any users with read access to this
-; file will be able to reveal the password as well.
-; http://php.net/mysqli.default-pw
-mysqli.default_pw =
-
-; Allow or prevent reconnect
-mysqli.reconnect = Off
-
-[mysqlnd]
-; Enable / Disable collection of general statistics by mysqlnd which can be
-; used to tune and monitor MySQL operations.
-; http://php.net/mysqlnd.collect_statistics
-mysqlnd.collect_statistics = On
-
-; Enable / Disable collection of memory usage statistics by mysqlnd which can be
-; used to tune and monitor MySQL operations.
-; http://php.net/mysqlnd.collect_memory_statistics
-mysqlnd.collect_memory_statistics = Off
-
-; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
-; http://php.net/mysqlnd.net_cmd_buffer_size
-;mysqlnd.net_cmd_buffer_size = 2048
-
-; Size of a pre-allocated buffer used for reading data sent by the server in
-; bytes.
-; http://php.net/mysqlnd.net_read_buffer_size
-;mysqlnd.net_read_buffer_size = 32768
-
-[OCI8]
-
-; Connection: Enables privileged connections using external
-; credentials (OCI_SYSOPER, OCI_SYSDBA)
-; http://php.net/oci8.privileged-connect
-;oci8.privileged_connect = Off
-
-; Connection: The maximum number of persistent OCI8 connections per
-; process. Using -1 means no limit.
-; http://php.net/oci8.max-persistent
-;oci8.max_persistent = -1
-
-; Connection: The maximum number of seconds a process is allowed to
-; maintain an idle persistent connection. Using -1 means idle
-; persistent connections will be maintained forever.
-; http://php.net/oci8.persistent-timeout
-;oci8.persistent_timeout = -1
-
-; Connection: The number of seconds that must pass before issuing a
-; ping during oci_pconnect() to check the connection validity. When
-; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
-; pings completely.
-; http://php.net/oci8.ping-interval
-;oci8.ping_interval = 60
-
-; Connection: Set this to a user chosen connection class to be used
-; for all pooled server requests with Oracle 11g Database Resident
-; Connection Pooling (DRCP). To use DRCP, this value should be set to
-; the same string for all web servers running the same application,
-; the database pool must be configured, and the connection string must
-; specify to use a pooled server.
-;oci8.connection_class =
-
-; High Availability: Using On lets PHP receive Fast Application
-; Notification (FAN) events generated when a database node fails. The
-; database must also be configured to post FAN events.
-;oci8.events = Off
-
-; Tuning: This option enables statement caching, and specifies how
-; many statements to cache. Using 0 disables statement caching.
-; http://php.net/oci8.statement-cache-size
-;oci8.statement_cache_size = 20
-
-; Tuning: Enables statement prefetching and sets the default number of
-; rows that will be fetched automatically after statement execution.
-; http://php.net/oci8.default-prefetch
-;oci8.default_prefetch = 100
-
-; Compatibility. Using On means oci_close() will not close
-; oci_connect() and oci_new_connect() connections.
-; http://php.net/oci8.old-oci-close-semantics
-;oci8.old_oci_close_semantics = Off
-
-[PostgreSQL]
-; Allow or prevent persistent links.
-; http://php.net/pgsql.allow-persistent
-pgsql.allow_persistent = On
-
-; Detect broken persistent links always with pg_pconnect().
-; Auto reset feature requires a little overheads.
-; http://php.net/pgsql.auto-reset-persistent
-pgsql.auto_reset_persistent = Off
-
-; Maximum number of persistent links. -1 means no limit.
-; http://php.net/pgsql.max-persistent
-pgsql.max_persistent = -1
-
-; Maximum number of links (persistent+non persistent). -1 means no limit.
-; http://php.net/pgsql.max-links
-pgsql.max_links = -1
-
-; Ignore PostgreSQL backends Notice message or not.
-; Notice message logging require a little overheads.
-; http://php.net/pgsql.ignore-notice
-pgsql.ignore_notice = 0
-
-; Log PostgreSQL backends Notice message or not.
-; Unless pgsql.ignore_notice=0, module cannot log notice message.
-; http://php.net/pgsql.log-notice
-pgsql.log_notice = 0
-
-[Sybase-CT]
-; Allow or prevent persistent links.
-; http://php.net/sybct.allow-persistent
-sybct.allow_persistent = On
-
-; Maximum number of persistent links. -1 means no limit.
-; http://php.net/sybct.max-persistent
-sybct.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent). -1 means no limit.
-; http://php.net/sybct.max-links
-sybct.max_links = -1
-
-; Minimum server message severity to display.
-; http://php.net/sybct.min-server-severity
-sybct.min_server_severity = 10
-
-; Minimum client message severity to display.
-; http://php.net/sybct.min-client-severity
-sybct.min_client_severity = 10
-
-; Set per-context timeout
-; http://php.net/sybct.timeout
-;sybct.timeout=
-
-;sybct.packet_size
-
-; The maximum time in seconds to wait for a connection attempt to succeed before returning failure.
-; Default: one minute
-;sybct.login_timeout=
-
-; The name of the host you claim to be connecting from, for display by sp_who.
-; Default: none
-;sybct.hostname=
-
-; Allows you to define how often deadlocks are to be retried. -1 means "forever".
-; Default: 0
-;sybct.deadlock_retry_count=
-
-[bcmath]
-; Number of decimal digits for all bcmath functions.
-; http://php.net/bcmath.scale
-bcmath.scale = 0
-
-[browscap]
-; http://php.net/browscap
-;browscap = extra/browscap.ini
-
-[Session]
-; Handler used to store/retrieve data.
-; http://php.net/session.save-handler
-session.save_handler = files
-
-; Argument passed to save_handler. In the case of files, this is the path
-; where data files are stored. Note: Windows users have to change this
-; variable in order to use PHP's session functions.
-;
-; The path can be defined as:
-;
-; session.save_path = "N;/path"
-;
-; where N is an integer. Instead of storing all the session files in
-; /path, what this will do is use subdirectories N-levels deep, and
-; store the session data in those directories. This is useful if you
-; or your OS have problems with lots of files in one directory, and is
-; a more efficient layout for servers that handle lots of sessions.
-;
-; NOTE 1: PHP will not create this directory structure automatically.
-; You can use the script in the ext/session dir for that purpose. -; NOTE 2: See the section on garbage collection below if you choose to -; use subdirectories for session storage -; -; The file storage module creates files using mode 600 by default. -; You can change that by using -; -; session.save_path = "N;MODE;/path" -; -; where MODE is the octal representation of the mode. Note that this -; does not overwrite the process's umask. -; http://php.net/session.save-path -;session.save_path = "/tmp" - -; Whether to use cookies. -; http://php.net/session.use-cookies -session.use_cookies = 1 - -; http://php.net/session.cookie-secure -;session.cookie_secure = - -; This option forces PHP to fetch and use a cookie for storing and maintaining -; the session id. We encourage this operation as it's very helpful in combatting -; session hijacking when not specifying and managing your own session id. It is -; not the end all be all of session hijacking defense, but it's a good start. -; http://php.net/session.use-only-cookies -session.use_only_cookies = 1 - -; Name of the session (used as cookie name). -; http://php.net/session.name -session.name = PHPSESSID - -; Initialize session on request startup. -; http://php.net/session.auto-start -session.auto_start = 0 - -; Lifetime in seconds of cookie or, if 0, until browser is restarted. -; http://php.net/session.cookie-lifetime -session.cookie_lifetime = 0 - -; The path for which the cookie is valid. -; http://php.net/session.cookie-path -session.cookie_path = / - -; The domain for which the cookie is valid. -; http://php.net/session.cookie-domain -session.cookie_domain = - -; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript. -; http://php.net/session.cookie-httponly -session.cookie_httponly = - -; Handler used to serialize data. php is the standard serializer of PHP. 
-; http://php.net/session.serialize-handler -session.serialize_handler = php - -; Defines the probability that the 'garbage collection' process is started -; on every session initialization. The probability is calculated by using -; gc_probability/gc_divisor. Where session.gc_probability is the numerator -; and gc_divisor is the denominator in the equation. Setting this value to 1 -; when the session.gc_divisor value is 100 will give you approximately a 1% chance -; the gc will run on any give request. -; Default Value: 1 -; Development Value: 1 -; Production Value: 1 -; http://php.net/session.gc-probability -session.gc_probability = 0 - -; Defines the probability that the 'garbage collection' process is started on every -; session initialization. The probability is calculated by using the following equation: -; gc_probability/gc_divisor. Where session.gc_probability is the numerator and -; session.gc_divisor is the denominator in the equation. Setting this value to 1 -; when the session.gc_divisor value is 100 will give you approximately a 1% chance -; the gc will run on any give request. Increasing this value to 1000 will give you -; a 0.1% chance the gc will run on any give request. For high volume production servers, -; this is a more efficient approach. -; Default Value: 100 -; Development Value: 1000 -; Production Value: 1000 -; http://php.net/session.gc-divisor -session.gc_divisor = 1000 - -; After this number of seconds, stored data will be seen as 'garbage' and -; cleaned up by the garbage collection process. -; http://php.net/session.gc-maxlifetime -session.gc_maxlifetime = 1440 - -; NOTE: If you are using the subdirectory option for storing session files -; (see session.save_path above), then garbage collection does *not* -; happen automatically. You will need to do your own garbage -; collection through a shell script, cron entry, or some other method. 
-; For example, the following script would is the equivalent of -; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes): -; find /path/to/sessions -cmin +24 | xargs rm - -; PHP 4.2 and less have an undocumented feature/bug that allows you to -; to initialize a session variable in the global scope, even when register_globals -; is disabled. PHP 4.3 and later will warn you, if this feature is used. -; You can disable the feature and the warning separately. At this time, -; the warning is only displayed, if bug_compat_42 is enabled. This feature -; introduces some serious security problems if not handled correctly. It's -; recommended that you do not use this feature on production servers. But you -; should enable this on development servers and enable the warning as well. If you -; do not enable the feature on development servers, you won't be warned when it's -; used and debugging errors caused by this can be difficult to track down. -; Default Value: On -; Development Value: On -; Production Value: Off -; http://php.net/session.bug-compat-42 -session.bug_compat_42 = Off - -; This setting controls whether or not you are warned by PHP when initializing a -; session value into the global space. session.bug_compat_42 must be enabled before -; these warnings can be issued by PHP. See the directive above for more information. -; Default Value: On -; Development Value: On -; Production Value: Off -; http://php.net/session.bug-compat-warn -session.bug_compat_warn = Off - -; Check HTTP Referer to invalidate externally stored URLs containing ids. -; HTTP_REFERER has to contain this substring for the session to be -; considered as valid. -; http://php.net/session.referer-check -session.referer_check = - -; How many bytes to read from the file. -; http://php.net/session.entropy-length -session.entropy_length = 0 - -; Specified here to create the session id. 
-; http://php.net/session.entropy-file -; On systems that don't have /dev/urandom /dev/arandom can be used -; On windows, setting the entropy_length setting will activate the -; Windows random source (using the CryptoAPI) -;session.entropy_file = /dev/urandom - -; Set to {nocache,private,public,} to determine HTTP caching aspects -; or leave this empty to avoid sending anti-caching headers. -; http://php.net/session.cache-limiter -session.cache_limiter = nocache - -; Document expires after n minutes. -; http://php.net/session.cache-expire -session.cache_expire = 180 - -; trans sid support is disabled by default. -; Use of trans sid may risk your users security. -; Use this option with caution. -; - User may send URL contains active session ID -; to other person via. email/irc/etc. -; - URL that contains active session ID may be stored -; in publically accessible computer. -; - User may access your site with the same session ID -; always using URL stored in browser's history or bookmarks. -; http://php.net/session.use-trans-sid -session.use_trans_sid = 0 - -; Select a hash function for use in generating session ids. -; Possible Values -; 0 (MD5 128 bits) -; 1 (SHA-1 160 bits) -; This option may also be set to the name of any hash function supported by -; the hash extension. A list of available hashes is returned by the hash_algos() -; function. -; http://php.net/session.hash-function -session.hash_function = 0 - -; Define how many bits are stored in each character when converting -; the binary hash data to something readable. -; Possible values: -; 4 (4 bits: 0-9, a-f) -; 5 (5 bits: 0-9, a-v) -; 6 (6 bits: 0-9, a-z, A-Z, "-", ",") -; Default Value: 4 -; Development Value: 5 -; Production Value: 5 -; http://php.net/session.hash-bits-per-character -session.hash_bits_per_character = 5 - -; The URL rewriter will look for URLs in a defined set of HTML tags. 
-; form/fieldset are special; if you include them here, the rewriter will -; add a hidden field with the info which is otherwise appended -; to URLs. If you want XHTML conformity, remove the form entry. -; Note that all valid entries require a "=", even if no value follows. -; Default Value: "a=href,area=href,frame=src,form=,fieldset=" -; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry" -; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry" -; http://php.net/url-rewriter.tags -url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" - -[MSSQL] -; Allow or prevent persistent links. -mssql.allow_persistent = On - -; Maximum number of persistent links. -1 means no limit. -mssql.max_persistent = -1 - -; Maximum number of links (persistent+non persistent). -1 means no limit. -mssql.max_links = -1 - -; Minimum error severity to display. -mssql.min_error_severity = 10 - -; Minimum message severity to display. -mssql.min_message_severity = 10 - -; Compatibility mode with old versions of PHP 3.0. -mssql.compatability_mode = Off - -; Connect timeout -;mssql.connect_timeout = 5 - -; Query timeout -;mssql.timeout = 60 - -; Valid range 0 - 2147483647. Default = 4096. -;mssql.textlimit = 4096 - -; Valid range 0 - 2147483647. Default = 4096. -;mssql.textsize = 4096 - -; Limits the number of records in each batch. 0 = all records in one batch. -;mssql.batchsize = 0 - -; Specify how datetime and datetim4 columns are returned -; On => Returns data converted to SQL server settings -; Off => Returns values as YYYY-MM-DD hh:mm:ss -;mssql.datetimeconvert = On - -; Use NT authentication when connecting to the server -mssql.secure_connection = Off - -; Specify max number of processes. -1 = library default -; msdlib defaults to 25 -; FreeTDS defaults to 4096 -;mssql.max_procs = -1 - -; Specify client character set. 
-; If empty or not set the client charset from freetds.conf is used -; This is only used when compiled with FreeTDS -;mssql.charset = "ISO-8859-1" - -[Assertion] -; Assert(expr); active by default. -; http://php.net/assert.active -;assert.active = On - -; Issue a PHP warning for each failed assertion. -; http://php.net/assert.warning -;assert.warning = On - -; Don't bail out by default. -; http://php.net/assert.bail -;assert.bail = Off - -; User-function to be called if an assertion fails. -; http://php.net/assert.callback -;assert.callback = 0 - -; Eval the expression with current error_reporting(). Set to true if you want -; error_reporting(0) around the eval(). -; http://php.net/assert.quiet-eval -;assert.quiet_eval = 0 - -[COM] -; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs -; http://php.net/com.typelib-file -;com.typelib_file = - -; allow Distributed-COM calls -; http://php.net/com.allow-dcom -;com.allow_dcom = true - -; autoregister constants of a components typlib on com_load() -; http://php.net/com.autoregister-typelib -;com.autoregister_typelib = true - -; register constants casesensitive -; http://php.net/com.autoregister-casesensitive -;com.autoregister_casesensitive = false - -; show warnings on duplicate constant registrations -; http://php.net/com.autoregister-verbose -;com.autoregister_verbose = true - -; The default character set code-page to use when passing strings to and from COM objects. -; Default: system ANSI code page -;com.code_page= - -[mbstring] -; language for internal character representation. -; http://php.net/mbstring.language -;mbstring.language = Japanese - -; internal/script encoding. -; Some encoding cannot work as internal encoding. -; (e.g. SJIS, BIG5, ISO-2022-*) -; http://php.net/mbstring.internal-encoding -;mbstring.internal_encoding = EUC-JP - -; http input encoding. -; http://php.net/mbstring.http-input -;mbstring.http_input = auto - -; http output encoding. 
mb_output_handler must be -; registered as output buffer to function -; http://php.net/mbstring.http-output -;mbstring.http_output = SJIS - -; enable automatic encoding translation according to -; mbstring.internal_encoding setting. Input chars are -; converted to internal encoding by setting this to On. -; Note: Do _not_ use automatic encoding translation for -; portable libs/applications. -; http://php.net/mbstring.encoding-translation -;mbstring.encoding_translation = Off - -; automatic encoding detection order. -; auto means -; http://php.net/mbstring.detect-order -;mbstring.detect_order = auto - -; substitute_character used when character cannot be converted -; one from another -; http://php.net/mbstring.substitute-character -;mbstring.substitute_character = none; - -; overload(replace) single byte functions by mbstring functions. -; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(), -; etc. Possible values are 0,1,2,4 or combination of them. -; For example, 7 for overload everything. -; 0: No overload -; 1: Overload mail() function -; 2: Overload str*() functions -; 4: Overload ereg*() functions -; http://php.net/mbstring.func-overload -;mbstring.func_overload = 0 - -; enable strict encoding detection. -;mbstring.strict_detection = Off - -; This directive specifies the regex pattern of content types for which mb_output_handler() -; is activated. -; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml) -;mbstring.http_output_conv_mimetype= - -; Allows to set script encoding. Only affects if PHP is compiled with --enable-zend-multibyte -; Default: "" -;mbstring.script_encoding= - -[gd] -; Tell the jpeg decode to ignore warnings and try to create -; a gd image. The warning will then be displayed as notices -; disabled by default -; http://php.net/gd.jpeg-ignore-warning -;gd.jpeg_ignore_warning = 0 - -[exif] -; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS. 
-; With mbstring support this will automatically be converted into the encoding -; given by corresponding encode setting. When empty mbstring.internal_encoding -; is used. For the decode settings you can distinguish between motorola and -; intel byte order. A decode setting cannot be empty. -; http://php.net/exif.encode-unicode -;exif.encode_unicode = ISO-8859-15 - -; http://php.net/exif.decode-unicode-motorola -;exif.decode_unicode_motorola = UCS-2BE - -; http://php.net/exif.decode-unicode-intel -;exif.decode_unicode_intel = UCS-2LE - -; http://php.net/exif.encode-jis -;exif.encode_jis = - -; http://php.net/exif.decode-jis-motorola -;exif.decode_jis_motorola = JIS - -; http://php.net/exif.decode-jis-intel -;exif.decode_jis_intel = JIS - -[Tidy] -; The path to a default tidy configuration file to use when using tidy -; http://php.net/tidy.default-config -;tidy.default_config = /usr/local/lib/php/default.tcfg - -; Should tidy clean and repair output automatically? -; WARNING: Do not use this option if you are generating non-html content -; such as dynamic images -; http://php.net/tidy.clean-output -tidy.clean_output = Off - -[soap] -; Enables or disables WSDL caching feature. -; http://php.net/soap.wsdl-cache-enabled -soap.wsdl_cache_enabled=1 - -; Sets the directory name where SOAP extension will put cache files. -; http://php.net/soap.wsdl-cache-dir -soap.wsdl_cache_dir="/tmp" - -; (time to live) Sets the number of second while cached file will be used -; instead of original one. -; http://php.net/soap.wsdl-cache-ttl -soap.wsdl_cache_ttl=86400 - -; Sets the size of the cache limit. (Max. number of WSDL files to cache) -soap.wsdl_cache_limit = 5 - -[sysvshm] -; A default size of the shared memory segment -;sysvshm.init_mem = 10000 - -[ldap] -; Sets the maximum number of open links or -1 for unlimited. 
-ldap.max_links = -1
-
-[mcrypt]
-; For more information about mcrypt settings see http://php.net/mcrypt-module-open
-
-; Directory where to load mcrypt algorithms
-; Default: Compiled in into libmcrypt (usually /usr/local/lib/libmcrypt)
-;mcrypt.algorithms_dir=
-
-; Directory where to load mcrypt modes
-; Default: Compiled in into libmcrypt (usually /usr/local/lib/libmcrypt)
-;mcrypt.modes_dir=
-
-[dba]
-;dba.default_handler=
-
-[xsl]
-; Write operations from within XSLT are disabled by default.
-; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
-; Set it to 0 to allow all operations
-;xsl.security_prefs = 44
-
-; Local Variables:
-; tab-width: 4
-; End:
diff --git a/ansible/roles/mon.ooni.nu/defaults/vars.yml b/ansible/roles/mon.ooni.nu/defaults/vars.yml
deleted file mode 100644
index 07b06705b..000000000
--- a/ansible/roles/mon.ooni.nu/defaults/vars.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-prometheus_listen_address: '{{ CHANGE_ME }}'
-alertmanager_listen_address: '{{ CHANGE_ME }}'
-grafana_backend_ipv4: '{{ CHANGE_ME }}'
-grafana_backend_port: '{{ CHANGE_ME }}'
-...
diff --git a/ansible/roles/mon.ooni.nu/files/mon.ooni.nu.htpasswd b/ansible/roles/mon.ooni.nu/files/mon.ooni.nu.htpasswd
deleted file mode 100644
index 5caed2627..000000000
--- a/ansible/roles/mon.ooni.nu/files/mon.ooni.nu.htpasswd
+++ /dev/null
@@ -1,26 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-31336165316339393139306533323065323432326138653339313163363734336366613136646231
-6138326434636263383933393165663831313534656232660a613937333233373263393932653837
-37663361653465396236633736356665623230323966643739346539333235343531636335623061
-3634653566313237310a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
diff --git a/ansible/roles/mon.ooni.nu/tasks/main.yml b/ansible/roles/mon.ooni.nu/tasks/main.yml
deleted file mode 100644
index d7e45d132..000000000
--- a/ansible/roles/mon.ooni.nu/tasks/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@ ---- -- name: copy ooni_monitoring.htpasswd - copy: src=mon.ooni.nu.htpasswd dest=/etc/nginx/mon.ooni.nu.htpasswd mode=0440 owner=root group=nginx - -- name: add mon.ooni.nu config - notify: reload nginx - template: src=mon.ooni.nu.conf dest=/etc/nginx/sites-enabled/mon.ooni.nu.conf mode=0444 owner=root group=root - -- name: clean stale files - file: path={{item}} state=absent - notify: reload nginx - with_items: - - /etc/nginx/sites-enabled/grafana - - /etc/nginx/sites-enabled/prometheus - - /etc/nginx/prometheus_webfront.htpasswd -... diff --git a/ansible/roles/mon.ooni.nu/templates/mon.ooni.nu.conf b/ansible/roles/mon.ooni.nu/templates/mon.ooni.nu.conf deleted file mode 100644 index 6e064b099..000000000 --- a/ansible/roles/mon.ooni.nu/templates/mon.ooni.nu.conf +++ /dev/null @@ -1,34 +0,0 @@ -{% import 'common.j2' as c %} -{{ c.server_letsencrypt(['mon.ooni.nu']) }} - -server { - server_name mon.ooni.nu; - - listen 443 ssl http2; - - {{ c.ssl_letsencrypt('mon.ooni.nu', 'ssl_modern.conf') }} - {{ c.add_header_hsts() }} - - auth_basic "OONI Monitoring"; - auth_basic_user_file /etc/nginx/mon.ooni.nu.htpasswd; - - location / { - return 404; - } - - location = / { - return "https://mon.ooni.nu/prometheus/"; - } - - location /prometheus/ { - proxy_pass http://{{ prometheus_listen_address }}/; # /prometheus/ -> / - } - - location /alertmanager/ { - proxy_pass http://{{ alertmanager_listen_address }}/; # /alertmanager/ -> / - } - - location /grafana/ { - proxy_pass http://{{ grafana_backend_ipv4 }}:{{ grafana_backend_port }}/; # /grafana/ -> / - } -} diff --git a/ansible/roles/ooni-backend/templates/clickhouse_config.xml b/ansible/roles/ooni-backend/templates/clickhouse_config.xml index dfe2eda94..e84e53ffa 100644 --- a/ansible/roles/ooni-backend/templates/clickhouse_config.xml +++ b/ansible/roles/ooni-backend/templates/clickhouse_config.xml @@ -24,7 +24,8 @@ 0.0.0.0 - + + 
diff --git a/ansible/roles/plpsql/defaults/main.yml b/ansible/roles/plpsql/defaults/main.yml
deleted file mode 100644
index dd88ad1d0..000000000
--- a/ansible/roles/plpsql/defaults/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-# metadb_wal_s3_* are empty by default, only master ships WAL to S3.
-metadb_wal_s3_key_id: ''
-metadb_wal_s3_access_key: ''
-...
diff --git a/ansible/roles/plpsql/handlers/main.yml b/ansible/roles/plpsql/handlers/main.yml
deleted file mode 100644
index 5550c915e..000000000
--- a/ansible/roles/plpsql/handlers/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: restart pl-psql
- command: docker restart pl-psql # XXX: is `stop_timeout` respected?
-- name: reload pl-psql
- command: docker exec -it pl-psql pg_ctl reload -D /srv/pl-psql
-- name: restart openvpn
- service:
- name: openvpn
- state: restarted
-...
diff --git a/ansible/roles/plpsql/meta/main.yml b/ansible/roles/plpsql/meta/main.yml
deleted file mode 100644
index 655239f56..000000000
--- a/ansible/roles/plpsql/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-dependencies:
- - libhandlers
-...
diff --git a/ansible/roles/plpsql/tasks/main.yml b/ansible/roles/plpsql/tasks/main.yml
deleted file mode 100644
index 15a876a16..000000000
--- a/ansible/roles/plpsql/tasks/main.yml
+++ /dev/null
@@ -1,124 +0,0 @@ ---- -- name: create group - group: name=plpsql state=present - -- name: create user - user: - name: "plpsql" - group: "plpsql" - comment: "plpsql for Postgres" - state: present - register: plpsql_user - -- name: pipeline postgres PGDATA directory - file: dest=/srv/pl-psql state=directory owner=plpsql group=plpsql mode=0700 - -- name: place pg_hba.conf in PGDATA - template: src=pg_hba.conf dest=/srv/pl-psql/pg_hba.conf owner=plpsql group=plpsql mode=0444 - notify: reload pl-psql - -- name: place config in PGDATA for active DB - template: src=postgresql.active.conf dest=/srv/pl-psql/postgresql.conf owner=plpsql group=plpsql mode=0444 - notify: reload pl-psql - when: "'db_active' in group_names" - -- name: drop recovery.conf from PGDATA on active DB - file: name=/srv/pl-psql/recovery.conf state=absent - notify: reload pl-psql - when: "'db_active' in group_names" - -- name: place config in PGDATA for standby DB - template: src=postgresql.standby.conf dest=/srv/pl-psql/postgresql.conf owner=plpsql group=plpsql mode=0444 - notify: reload pl-psql - when: "'db_standby' in group_names" - -- name: place recovery.conf to PGDATA on standby DB - template: src=recovery.conf dest=/srv/pl-psql/recovery.conf owner=plpsql group=plpsql mode=0444 - notify: reload pl-psql - when: "'db_standby' in group_names" - -# TODO fix this with the apt module once we update to the latest debian -# apt: -# name: openvpn -# install_recommends: no - -- name: install openvpn - command: apt-get install --no-install-recommends -y openvpn - tags: dbvpn - -- name: openvpn create conf on standby node - template: src=openvpn.standby.conf dest=/etc/openvpn/oonidbvpn.conf - notify: systemctl daemon-reload - when: "'db_standby' in group_names" - tags: dbvpn - -- name: openvpn create conf on active node - template: src=openvpn.active.conf dest=/etc/openvpn/oonidbvpn.conf - notify: systemctl daemon-reload - when: "'db_active' in group_names" - tags: dbvpn - -- name: openvpn create shared 
secret on active node - command: openvpn --genkey --secret /etc/openvpn/oonipgvpn.key - args: - creates: /etc/openvpn/oonipgvpn.key - notify: restart openvpn - when: "'db_active' in group_names" - tags: dbvpn - -- name: openvpn copy shared secret from active node - slurp: - src: /etc/openvpn/oonipgvpn.key - register: pgvpn_secret - when: "'db_active' in group_names" - tags: dbvpn - -- name: openvpn copy shared secret to standby node - copy: - content: "{{ pgvpn_secret }}" - dest: /etc/openvpn/oonipgvpn.key - notify: restart openvpn - when: "'db_standby' in group_names" - tags: dbvpn - -# if `initdb` fails read `Arbitrary --user Notes` at https://hub.docker.com/_/postgres/ -- name: docker run pipeline postgres - docker_container: - image: openobservatory/sysadmin-postgres-metadb:20190412-010f6f70 # 9.6.12 - name: pl-psql - hostname: pl-psql - network_mode: 'host' - purge_networks: true # drop `bridge` network - volumes: - - /etc/passwd:/etc/passwd:ro # to make `initdb` happy - - /etc/group:/etc/group:ro # to make `initdb` happy - - /srv/pl-psql_ssl:/srv/pl-psql_ssl:ro - - /srv/pl-psql:/srv/pl-psql:rw - # XXX this is disabled because it was triggering the following error: - # container_linux.go:247: starting container process caused - # "process_linux.go:359: container init caused \"rootfs_linux.go:54: - # mounting \\\"tmpfs\\\" to rootfs - # \\\"/var/lib/docker/aufs/mnt/e64b7ff9f8a5c196215a1c17f2bff18a94c8888a9bcffc8db60a49fc9ce93405\\\" - # at \\\"/run/postgresql\\\" caused \\\"invalid argument\\\"\"" - # container_linux.go:247: starting container process caused - # "process_linux.go:359: container init caused \"rootfs_linux.go:54: mounting - # \\\"tmpfs\\\" to rootfs - # \\\"/var/lib/docker/aufs/mnt/e64b7ff9f8a5c196215a1c17f2bff18a94c8888a9bcffc8db60a49fc9ce93405\\\" - # at \\\"/run/postgresql\\\" caused \\\"invalid argument\\\"\"" - #tmpfs: - #- '/run/postgresql:size=1m,mode=0700,uid=plpsql' - env: - PGDATA: /srv/pl-psql - POSTGRES_DB: metadb - POSTGRES_USER: 
shovel
- POSTGRES_PASSWORD: "{{ shovel_postgres_password }}"
- AWS_DEFAULT_REGION: us-east-1 # US East (N. Virginia)
- AWS_ACCESS_KEY_ID: "{{ metadb_wal_s3_key_id }}"
- AWS_SECRET_ACCESS_KEY: "{{ metadb_wal_s3_access_key }}"
- PUSHGATEWAY_CERT: "/srv/pl-psql_ssl/pusher/{{ inventory_hostname }}.cert"
- PUSHGATEWAY_KEY: "/srv/pl-psql_ssl/pusher/{{ inventory_hostname }}.key"
- stop_signal: SIGINT # Fast shutdown. Default SIGTERM waits for all the sessions to terminate.
- user: "{{ plpsql_user.uid }}:{{ plpsql_user.group }}"
- stop_timeout: 60 # default is 10
- restart_policy: unless-stopped
-...
diff --git a/ansible/roles/plpsql/templates/openvpn.active.conf b/ansible/roles/plpsql/templates/openvpn.active.conf
deleted file mode 100644
index e8c37f46d..000000000
--- a/ansible/roles/plpsql/templates/openvpn.active.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# OONI DB VPN - managed by ansible
-# /etc/openvpn/oonidbvpn.conf
-# HKG -> mia-ps-test.ooni.nu -> AMS
-
-dev tun
-remote {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }}
-# fallback to direct connection HKG -> AMS
-remote {{ lookup('dig', 'amsmetadb.ooni.nu/A') }}
-ifconfig 10.1.0.2 10.1.0.1
-secret oonipgvpn.key
-cipher AES-256-CBC
-comp-lzo
-verb 3
-keepalive 10 60
-ping-timer-rem
-persist-tun
-persist-key
diff --git a/ansible/roles/plpsql/templates/openvpn.standby.conf b/ansible/roles/plpsql/templates/openvpn.standby.conf
deleted file mode 100644
index b2f41c729..000000000
--- a/ansible/roles/plpsql/templates/openvpn.standby.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# OONI DB VPN - managed by ansible
-# /etc/openvpn/oonidbvpn.conf
-# HKG -> mia-ps-test.ooni.nu -> AMS
-# Configuration for AMS db
-dev tun
-ifconfig 10.1.0.1 10.1.0.2
-secret oonipgvpn.key
-comp-lzo
-cipher AES-256-CBC
-keepalive 10 60
-ping-timer-rem
-persist-tun
-persist-key
diff --git a/ansible/roles/plpsql/templates/pg_hba.conf b/ansible/roles/plpsql/templates/pg_hba.conf
deleted file mode 100644
index 6a8552235..000000000
--- a/ansible/roles/plpsql/templates/pg_hba.conf
+++ /dev/null
@@ -1,100 +0,0 @@
-# PostgreSQL Client Authentication Configuration File
-# ===================================================
-#
-# Refer to the "Client Authentication" section in the PostgreSQL
-# documentation for a complete description of this file. A short
-# synopsis follows.
-#
-# This file controls: which hosts are allowed to connect, how clients
-# are authenticated, which PostgreSQL user names they can use, which
-# databases they can access. Records take one of these forms:
-#
-# local DATABASE USER METHOD [OPTIONS]
-# host DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
-#
-# (The uppercase items must be replaced by actual values.)
-#
-# The first field is the connection type: "local" is a Unix-domain
-# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
-# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
-# plain TCP/IP socket.
-#
-# DATABASE can be "all", "sameuser", "samerole", "replication", a
-# database name, or a comma-separated list thereof. The "all"
-# keyword does not match "replication". Access to replication
-# must be enabled in a separate record (see example below).
-#
-# USER can be "all", a user name, a group name prefixed with "+", or a
-# comma-separated list thereof. In both the DATABASE and USER fields
-# you can also write a file name prefixed with "@" to include names
-# from a separate file.
-#
-# ADDRESS specifies the set of hosts the record matches. It can be a
-# host name, or it is made up of an IP address and a CIDR mask that is
-# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
-# specifies the number of significant bits in the mask. A host name
-# that starts with a dot (.) matches a suffix of the actual host name.
-# Alternatively, you can write an IP address and netmask in separate
-# columns to specify the set of hosts. Instead of a CIDR-address, you
-# can write "samehost" to match any of the server's own IP addresses,
-# or "samenet" to match any address in any subnet that the server is
-# directly connected to.
-#
-# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
-# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
-# "password" sends passwords in clear text; "md5" is preferred since
-# it sends encrypted passwords.
-#
-# OPTIONS are a set of options for the authentication in the format
-# NAME=VALUE. The available options depend on the different
-# authentication methods -- refer to the "Client Authentication"
-# section in the documentation for a list of which options are
-# available for which authentication methods.
-#
-# Database and user names containing spaces, commas, quotes and other
-# special characters must be quoted. Quoting one of the keywords
-# "all", "sameuser", "samerole" or "replication" makes the name lose
-# its special character, and just match a database or username with
-# that name.
-#
-# This file is read on server startup and when the postmaster receives
-# a SIGHUP signal. If you edit the file on a running system, you have
-# to SIGHUP the postmaster for the changes to take effect. You can
-# use "pg_ctl reload" to do that.
-
-# Put your actual configuration here
-# ----------------------------------
-#
-# If you want to allow non-local connections, you need to add more
-# "host" records. In that case you will also need to make PostgreSQL
-# listen on a non-local interface via the listen_addresses
-# configuration parameter, or via the -i or -h command line switches.
-
-# CAUTION: Configuring the system for local "trust" authentication
-# allows any local user to connect as any PostgreSQL user, including
-# the database superuser. If you do not trust all your local users,
-# use another authentication method.
-
-
-# TYPE DATABASE USER ADDRESS METHOD
-
-# "local" is for Unix domain socket connections only
-local all all trust
-# IPv4 local connections:
-host all all 127.0.0.1/32 trust
-# IPv6 local connections:
-host all all ::1/128 trust
-# Allow replication connections from localhost, by a user with the
-# replication privilege.
-#local replication postgres trust
-#host replication postgres 127.0.0.1/32 trust
-#host replication postgres ::1/128 trust
-
-# NB: `ssl` is neither supported nor enforced.
-{% if 'db_active' in group_names %}
-host replication amsrepl {{ lookup('dig', 'amsmetadb.ooni.nu/A') }}/32 md5
-{% endif %}
-
-host all all all md5
diff --git a/ansible/roles/plpsql/templates/postgresql.active.conf b/ansible/roles/plpsql/templates/postgresql.active.conf
deleted file mode 100644
index 5bbbce880..000000000
--- a/ansible/roles/plpsql/templates/postgresql.active.conf
+++ /dev/null
@@ -1,566 +0,0 @@ -# PostgreSQL configuration file for active metadb -# Generated by ansible roles/plpsql/templates/postgresql.active.conf -# -# This file consists of lines of the form: -# -# name = value -# -# (The "=" is optional.) Whitespace may be used. Comments are introduced with -# "#" anywhere on a line. The complete list of parameter names and allowed -# values can be found in the PostgreSQL documentation. -# -# The commented-out settings shown in this file represent the default values. -# Re-commenting a setting is NOT sufficient to revert it to the default value; -# you need to reload the server. -# -# This file is read on server startup and when the server receives a SIGHUP -# signal. If you edit the file on a running system, you have to SIGHUP the -# server for the changes to take effect, or use "pg_ctl reload". Some -# parameters, which are marked below, require a server shutdown and restart to -# take effect. -# -# Any parameter can also be given as a command-line option to the server, e.g., -# "postgres -c log_connections=on". Some parameters can be changed at run time -# with the "SET" SQL command. -# -# Memory units: kB = kilobytes Time units: ms = milliseconds -# MB = megabytes s = seconds -# GB = gigabytes min = minutes -# TB = terabytes h = hours -# d = days - - -#------------------------------------------------------------------------------ -# FILE LOCATIONS -#------------------------------------------------------------------------------ - -# The default values of these variables are driven from the -D command-line -# option or PGDATA environment variable, represented here as ConfigDir. 
- -#data_directory = 'ConfigDir' # use data in another directory - # (change requires restart) -#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file - # (change requires restart) -#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file - # (change requires restart) - -# If external_pid_file is not explicitly set, no extra PID file is written. -#external_pid_file = '' # write an extra PID file - # (change requires restart) - - -#------------------------------------------------------------------------------ -# CONNECTIONS AND AUTHENTICATION -#------------------------------------------------------------------------------ - -# - Connection Settings - - -listen_addresses = '*' - # comma-separated list of addresses; - # defaults to 'localhost'; use '*' for all - # (change requires restart) -#port = 5432 # (change requires restart) -max_connections = 100 # (change requires restart) -#superuser_reserved_connections = 3 # (change requires restart) -#unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories - # (change requires restart) -#unix_socket_group = '' # (change requires restart) -#unix_socket_permissions = 0777 # begin with 0 to use octal notation - # (change requires restart) -#bonjour = off # advertise server via Bonjour - # (change requires restart) -#bonjour_name = '' # defaults to the computer name - # (change requires restart) - -# - Security and Authentication - - -#authentication_timeout = 1min # 1s-600s -#ssl = off # (change requires restart) -#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers - # (change requires restart) -#ssl_prefer_server_ciphers = on # (change requires restart) -#ssl_ecdh_curve = 'prime256v1' # (change requires restart) -#ssl_cert_file = 'server.crt' # (change requires restart) -#ssl_key_file = 'server.key' # (change requires restart) -#ssl_ca_file = '' # (change requires restart) -#ssl_crl_file = '' # (change requires restart) -#password_encryption = on 
-#db_user_namespace = off -#row_security = on - -# GSSAPI using Kerberos -#krb_server_keyfile = '' -#krb_caseins_users = off - -# - TCP Keepalives - -# see "man 7 tcp" for details - -#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; - # 0 selects the system default -#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; - # 0 selects the system default -#tcp_keepalives_count = 0 # TCP_KEEPCNT; - # 0 selects the system default - - -#------------------------------------------------------------------------------ -# RESOURCE USAGE (except WAL) -#------------------------------------------------------------------------------ - -# - Memory - - -shared_buffers = {{ (ansible_memtotal_mb / 4) | int }}MB # min 128kB - # (change requires restart) -#huge_pages = try # on, off, or try - # (change requires restart) -#temp_buffers = 8MB # min 800kB -#max_prepared_transactions = 0 # zero disables the feature - # (change requires restart) -# Caution: it is not advisable to set max_prepared_transactions nonzero unless -# you actively intend to use prepared transactions. 
-#work_mem = 4MB # min 64kB -#maintenance_work_mem = 64MB # min 1MB -#replacement_sort_tuples = 150000 # limits use of replacement selection sort -#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem -#max_stack_depth = 2MB # min 100kB -dynamic_shared_memory_type = posix # the default is the first option - # supported by the operating system: - # posix - # sysv - # windows - # mmap - # use none to disable dynamic shared memory - -# - Disk - - -#temp_file_limit = -1 # limits per-process temp file space - # in kB, or -1 for no limit - -# - Kernel Resource Usage - - -#max_files_per_process = 1000 # min 25, (change requires restart) -shared_preload_libraries = 'pg_stat_statements' # (change requires restart) - -# - Cost-Based Vacuum Delay - - -#vacuum_cost_delay = 0 # 0-100 milliseconds -#vacuum_cost_page_hit = 1 # 0-10000 credits -#vacuum_cost_page_miss = 10 # 0-10000 credits -#vacuum_cost_page_dirty = 20 # 0-10000 credits -#vacuum_cost_limit = 200 # 1-10000 credits - -# - Background Writer - - -#bgwriter_delay = 200ms # 10-10000ms between rounds -#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round -#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round -#bgwriter_flush_after = 512kB # measured in pages, 0 disables - -# - Asynchronous Behavior - - -#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching -#max_worker_processes = 8 # (change requires restart) -#max_parallel_workers_per_gather = 0 # taken from max_worker_processes -#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate - # (change requires restart) -#backend_flush_after = 0 # measured in pages, 0 disables - - -#------------------------------------------------------------------------------ -# WRITE AHEAD LOG -#------------------------------------------------------------------------------ - -# - Settings - - -wal_level = replica # minimal, replica, or logical. 
(change requires restart) -#fsync = on # flush data to disk for crash safety - # (turning this off can cause - # unrecoverable data corruption) -#synchronous_commit = on # synchronization level; - # off, local, remote_write, remote_apply, or on -#wal_sync_method = fsync # the default is the first option - # supported by the operating system: - # open_datasync - # fdatasync (default on Linux) - # fsync - # fsync_writethrough - # open_sync -#full_page_writes = on # recover from partial page writes -#wal_compression = off # enable compression of full-page writes -# NB: `wal_log_hints` are required for `pg_rewind` to work -#wal_log_hints = off # also do full page writes of non-critical updates - # (change requires restart) -#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers - # (change requires restart) -#wal_writer_delay = 200ms # 1-10000 milliseconds -#wal_writer_flush_after = 1MB # measured in pages, 0 disables - -#commit_delay = 0 # range 0-100000, in microseconds -#commit_siblings = 5 # range 1-1000 - -# - Checkpoints - - -#checkpoint_timeout = 5min # range 30s-1d -#max_wal_size = 1GB -#min_wal_size = 80MB -#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 -#checkpoint_flush_after = 256kB # measured in pages, 0 disables -#checkpoint_warning = 30s # 0 disables - -# - Archiving - -archive_mode = on -archive_command = '/usr/local/bin/metadb_s3_archive "%p" "%f"' - # placeholders: %p = path of file to archive - # %f = file name only -#archive_timeout = 0 # force a logfile segment switch after this - # number of seconds; 0 disables - - -#------------------------------------------------------------------------------ -# REPLICATION -#------------------------------------------------------------------------------ - -# - Sending Server(s) - - -# Set these on the master and on any standby that will send replication data. 
- -max_wal_senders = 2 # (change requires restart) - -# 2018-01-17: the DB grows at ~0.8Gb/day within 40min of centrifugation, 2x is error margin -wal_keep_segments = {{ (2 * 0.8 * 1024 / 16) | int }} # in logfile segments, 16MB each; 0 disables - -#wal_sender_timeout = 60s # in milliseconds; 0 disables - -max_replication_slots = 1 # (change requires restart) -#track_commit_timestamp = off # collect timestamp of transaction commit - # (change requires restart) - -# - Master Server - - -# These settings are ignored on a standby server. - -#synchronous_standby_names = '' # standby servers that provide sync rep - # number of sync standbys and comma-separated list of application_name - # from standby(s); '*' = all -#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed - -# - Standby Servers - - -# These settings are ignored on a master server. - -hot_standby = on # "on" allows queries during recovery, (change requires restart) -max_standby_archive_delay = -1 # max delay before canceling queries - # when reading WAL from archive; - # -1 allows indefinite delay -max_standby_streaming_delay = -1 # max delay before canceling queries - # when reading streaming WAL; - # -1 allows indefinite delay -#wal_receiver_status_interval = 10s # send replies at least this often - # 0 disables -#hot_standby_feedback = off # send info from standby to prevent - # query conflicts -#wal_receiver_timeout = 60s # time that receiver waits for - # communication from master - # in milliseconds; 0 disables -#wal_retrieve_retry_interval = 5s # time to wait before retrying to - # retrieve WAL after a failed attempt - - -#------------------------------------------------------------------------------ -# QUERY TUNING -#------------------------------------------------------------------------------ - -# - Planner Method Configuration - - -#enable_bitmapscan = on -#enable_hashagg = on -#enable_hashjoin = on -#enable_indexscan = on -#enable_indexonlyscan = on -#enable_material = on 
-#enable_mergejoin = on -#enable_nestloop = on -#enable_seqscan = on -#enable_sort = on -#enable_tidscan = on - -# - Planner Cost Constants - - -# XXX: hw stats: -# HDD @ HKG ~ 20.0ms seek 50 MB/s seq -# SSD @ AMS ~ 1.5ms seek 210 MB/s seq -# local SSD @ AMS ~ 0.2ms seek 475 MB/s seq -# and ~ same CPU. How to convert that knowledge to costs?! - -{% if have_ssd %} -seq_page_cost = 1.0 -random_page_cost = 1.0 -{% else %} -#seq_page_cost = 1.0 # measured on an arbitrary scale -#random_page_cost = 4.0 # same scale as above -{% endif %} - -#cpu_tuple_cost = 0.01 # same scale as above -#cpu_index_tuple_cost = 0.005 # same scale as above -#cpu_operator_cost = 0.0025 # same scale as above -#parallel_tuple_cost = 0.1 # same scale as above -#parallel_setup_cost = 1000.0 # same scale as above -#min_parallel_relation_size = 8MB -effective_cache_size= {{ (ansible_memtotal_mb * 3 / 4) | int }}MB # default is 4GB, 15GB is ~ node_memory_Cached + node_memory_MemFree - -# - Genetic Query Optimizer - - -#geqo = on -#geqo_threshold = 12 -#geqo_effort = 5 # range 1-10 -#geqo_pool_size = 0 # selects default based on effort -#geqo_generations = 0 # selects default based on effort -#geqo_selection_bias = 2.0 # range 1.5-2.0 -#geqo_seed = 0.0 # range 0.0-1.0 - -# - Other Planner Options - - -#default_statistics_target = 100 # range 1-10000 -#constraint_exclusion = partition # on, off, or partition -#cursor_tuple_fraction = 0.1 # range 0.0-1.0 -#from_collapse_limit = 8 -#join_collapse_limit = 8 # 1 disables collapsing of explicit - # JOIN clauses -#force_parallel_mode = off - - -#------------------------------------------------------------------------------ -# ERROR REPORTING AND LOGGING -#------------------------------------------------------------------------------ - -# - Where to Log - - -log_destination = 'stderr' # Valid values are combinations of stderr, csvlog, syslog. - -logging_collector = on # Enable capturing of stderr and csvlog into log files. 
- -# These are only used if logging_collector is on: -#log_directory = 'pg_log' # directory where log files are written, - # can be absolute or relative to PGDATA -log_filename = '{{ inventory_hostname_short }}-%Y-%m-%d_%H%M%S.log' -#log_file_mode = 0600 # creation mode for log files, - # begin with 0 to use octal notation -#log_truncate_on_rotation = off # If on, an existing log file with the - # same name as the new log file will be - # truncated rather than appended to. - # But such truncation only occurs on - # time-driven rotation, not on restarts - # or size-driven rotation. Default is - # off, meaning append to existing files - # in all cases. -log_rotation_age = 1d # 0 disables. -log_rotation_size = 128MB # 0 disables. - -# - When to Log - - -#client_min_messages = notice # values in order of decreasing detail: -#log_min_messages = warning # values in order of decreasing detail: -#log_min_error_statement = error # values in order of decreasing detail: - -log_min_duration_statement = 20000 # -1 is disabled, 0 (ms) logs all statements - -# - What to Log - - -#debug_print_parse = off -#debug_print_rewritten = off -#debug_print_plan = off -#debug_pretty_print = on -#log_checkpoints = off -log_connections = on -log_disconnections = on -#log_duration = off -#log_error_verbosity = default # terse, default, or verbose messages -#log_hostname = off -log_line_prefix = '%m [%p]:%l %q%u@%r/%a ' -#log_line_prefix = '' # special values: - # %a = application name - # %u = user name - # %d = database name - # %r = remote host and port - # %h = remote host - # %p = process ID - # %t = timestamp without milliseconds - # %m = timestamp with milliseconds - # %n = timestamp with milliseconds (as a Unix epoch) - # %i = command tag - # %e = SQL state - # %c = session ID - # %l = session line number - # %s = session start timestamp - # %v = virtual transaction ID - # %x = transaction ID (0 if none) - # %q = stop here in non-session - # processes - # %% = '%' - # e.g. 
'<%u%%%d> ' -#log_lock_waits = off # log lock waits >= deadlock_timeout -#log_statement = 'none' # none, ddl, mod, all -#log_replication_commands = off -log_temp_files = 16384 # log temporary files >= 16Mb, -1 disables, 0 logs all temp files -log_timezone = 'UTC' - - -# - Process Title - - -#cluster_name = '' # added to process titles if nonempty - # (change requires restart) -#update_process_title = on - - -#------------------------------------------------------------------------------ -# RUNTIME STATISTICS -#------------------------------------------------------------------------------ - -# - Query/Index Statistics Collector - - -#track_activities = on -#track_counts = on -#track_io_timing = off -#track_functions = none # none, pl, all -#track_activity_query_size = 1024 # (change requires restart) -#stats_temp_directory = 'pg_stat_tmp' - - -# - Statistics Monitoring - - -#log_parser_stats = off -#log_planner_stats = off -#log_executor_stats = off -#log_statement_stats = off - - -#------------------------------------------------------------------------------ -# AUTOVACUUM PARAMETERS -#------------------------------------------------------------------------------ - -#autovacuum = on # Enable autovacuum subprocess? 'on' - # requires track_counts to also be on. -#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and - # their durations, > 0 logs only - # actions running at least this number - # of milliseconds. 
-#autovacuum_max_workers = 3 # max number of autovacuum subprocesses - # (change requires restart) -#autovacuum_naptime = 1min # time between autovacuum runs -#autovacuum_vacuum_threshold = 50 # min number of row updates before - # vacuum -#autovacuum_analyze_threshold = 50 # min number of row updates before - # analyze -#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum -#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze -#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum - # (change requires restart) -#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age - # before forced vacuum - # (change requires restart) -#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for - # autovacuum, in milliseconds; - # -1 means use vacuum_cost_delay -#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for - # autovacuum, -1 means use - # vacuum_cost_limit - - -#------------------------------------------------------------------------------ -# CLIENT CONNECTION DEFAULTS -#------------------------------------------------------------------------------ - -# - Statement Behavior - - -#search_path = '"$user", public' # schema names -#default_tablespace = '' # a tablespace name, '' uses the default -#temp_tablespaces = '' # a list of tablespace names, '' uses - # only default tablespace -#check_function_bodies = on -#default_transaction_isolation = 'read committed' -#default_transaction_read_only = off -#default_transaction_deferrable = off -#session_replication_role = 'origin' -#statement_timeout = 0 # in milliseconds, 0 is disabled -#lock_timeout = 0 # in milliseconds, 0 is disabled -#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled -#vacuum_freeze_min_age = 50000000 -#vacuum_freeze_table_age = 150000000 -#vacuum_multixact_freeze_min_age = 5000000 -#vacuum_multixact_freeze_table_age = 150000000 -#bytea_output = 'hex' # hex, escape -#xmlbinary 
= 'base64' -#xmloption = 'content' -#gin_fuzzy_search_limit = 0 -#gin_pending_list_limit = 4MB - -# - Locale and Formatting - - -datestyle = 'iso, mdy' -#intervalstyle = 'postgres' -timezone = 'UTC' -#timezone_abbreviations = 'Default' # Select the set of available time zone - # abbreviations. Currently, there are - # Default - # Australia (historical usage) - # India - # You can create your own file in - # share/timezonesets/. -#extra_float_digits = 0 # min -15, max 3 -#client_encoding = sql_ascii # actually, defaults to database - # encoding - -# These settings are initialized by initdb, but they can be changed. -lc_messages = 'en_US.utf8' # locale for system error message - # strings -lc_monetary = 'en_US.utf8' # locale for monetary formatting -lc_numeric = 'en_US.utf8' # locale for number formatting -lc_time = 'en_US.utf8' # locale for time formatting - -# default configuration for text search -default_text_search_config = 'pg_catalog.english' - -# - Other Defaults - - -#dynamic_library_path = '$libdir' -#local_preload_libraries = '' -#session_preload_libraries = '' - - -#------------------------------------------------------------------------------ -# LOCK MANAGEMENT -#------------------------------------------------------------------------------ - -#deadlock_timeout = 1s -#max_locks_per_transaction = 64 # min 10 - # (change requires restart) -#max_pred_locks_per_transaction = 64 # min 10 - # (change requires restart) - - -#------------------------------------------------------------------------------ -# ERROR HANDLING -#------------------------------------------------------------------------------ - -#exit_on_error = off # terminate session on any error? -#restart_after_crash = on # reinitialize after backend crash? 
- - -#------------------------------------------------------------------------------ -# CONFIG FILE INCLUDES -#------------------------------------------------------------------------------ - -# These options allow settings to be loaded from files other than the -# default postgresql.conf. - -#include_dir = 'conf.d' # include files ending in '.conf' from - # directory 'conf.d' -#include_if_exists = 'exists.conf' # include file only if it exists -#include = 'special.conf' # include file - - -#------------------------------------------------------------------------------ -# CUSTOMIZED OPTIONS -#------------------------------------------------------------------------------ - -# Add settings for extensions here diff --git a/ansible/roles/plpsql/templates/postgresql.standby.conf b/ansible/roles/plpsql/templates/postgresql.standby.conf deleted file mode 100644 index 9cca2a59d..000000000 --- a/ansible/roles/plpsql/templates/postgresql.standby.conf +++ /dev/null 
@@ -1,567 +0,0 @@ -# PostgreSQL configuration file for standby metadb -# Generated by ansible roles/plpsql/templates/postgresql.standby.conf -# -# This file consists of lines of the form: -# -# name = value -# -# (The "=" is optional.) Whitespace may be used. Comments are introduced with -# "#" anywhere on a line. The complete list of parameter names and allowed -# values can be found in the PostgreSQL documentation. -# -# The commented-out settings shown in this file represent the default values. -# Re-commenting a setting is NOT sufficient to revert it to the default value; -# you need to reload the server. -# -# This file is read on server startup and when the server receives a SIGHUP -# signal. If you edit the file on a running system, you have to SIGHUP the -# server for the changes to take effect, or use "pg_ctl reload". Some -# parameters, which are marked below, require a server shutdown and restart to -# take effect. -# -# Any parameter can also be given as a command-line option to the server, e.g., -# "postgres -c log_connections=on". Some parameters can be changed at run time -# with the "SET" SQL command. -# -# Memory units: kB = kilobytes Time units: ms = milliseconds -# MB = megabytes s = seconds -# GB = gigabytes min = minutes -# TB = terabytes h = hours -# d = days - - -#------------------------------------------------------------------------------ -# FILE LOCATIONS -#------------------------------------------------------------------------------ - -# The default values of these variables are driven from the -D command-line -# option or PGDATA environment variable, represented here as ConfigDir. 
- -#data_directory = 'ConfigDir' # use data in another directory - # (change requires restart) -#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file - # (change requires restart) -#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file - # (change requires restart) - -# If external_pid_file is not explicitly set, no extra PID file is written. -#external_pid_file = '' # write an extra PID file - # (change requires restart) - - -#------------------------------------------------------------------------------ -# CONNECTIONS AND AUTHENTICATION -#------------------------------------------------------------------------------ - -# - Connection Settings - - -listen_addresses = '*' - # comma-separated list of addresses; - # defaults to 'localhost'; use '*' for all - # (change requires restart) -#port = 5432 # (change requires restart) -max_connections = 100 # (change requires restart) -#superuser_reserved_connections = 3 # (change requires restart) -#unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories - # (change requires restart) -#unix_socket_group = '' # (change requires restart) -#unix_socket_permissions = 0777 # begin with 0 to use octal notation - # (change requires restart) -#bonjour = off # advertise server via Bonjour - # (change requires restart) -#bonjour_name = '' # defaults to the computer name - # (change requires restart) - -# - Security and Authentication - - -#authentication_timeout = 1min # 1s-600s -#ssl = off # (change requires restart) -#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers - # (change requires restart) -#ssl_prefer_server_ciphers = on # (change requires restart) -#ssl_ecdh_curve = 'prime256v1' # (change requires restart) -#ssl_cert_file = 'server.crt' # (change requires restart) -#ssl_key_file = 'server.key' # (change requires restart) -#ssl_ca_file = '' # (change requires restart) -#ssl_crl_file = '' # (change requires restart) -#password_encryption = on 
-#db_user_namespace = off -#row_security = on - -# GSSAPI using Kerberos -#krb_server_keyfile = '' -#krb_caseins_users = off - -# - TCP Keepalives - -# see "man 7 tcp" for details - -#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; - # 0 selects the system default -#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; - # 0 selects the system default -#tcp_keepalives_count = 0 # TCP_KEEPCNT; - # 0 selects the system default - - -#------------------------------------------------------------------------------ -# RESOURCE USAGE (except WAL) -#------------------------------------------------------------------------------ - -# - Memory - - -shared_buffers = {{ (ansible_memtotal_mb / 4) | int }}MB # min 128kB - # (change requires restart) -#huge_pages = try # on, off, or try - # (change requires restart) -#temp_buffers = 8MB # min 800kB -#max_prepared_transactions = 0 # zero disables the feature - # (change requires restart) -# Caution: it is not advisable to set max_prepared_transactions nonzero unless -# you actively intend to use prepared transactions. 
-#work_mem = 4MB # min 64kB -#maintenance_work_mem = 64MB # min 1MB -#replacement_sort_tuples = 150000 # limits use of replacement selection sort -#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem -#max_stack_depth = 2MB # min 100kB -dynamic_shared_memory_type = posix # the default is the first option - # supported by the operating system: - # posix - # sysv - # windows - # mmap - # use none to disable dynamic shared memory - -# - Disk - - -#temp_file_limit = -1 # limits per-process temp file space - # in kB, or -1 for no limit - -# - Kernel Resource Usage - - -#max_files_per_process = 1000 # min 25, (change requires restart) -shared_preload_libraries = 'pg_stat_statements' # (change requires restart) - -# - Cost-Based Vacuum Delay - - -#vacuum_cost_delay = 0 # 0-100 milliseconds -#vacuum_cost_page_hit = 1 # 0-10000 credits -#vacuum_cost_page_miss = 10 # 0-10000 credits -#vacuum_cost_page_dirty = 20 # 0-10000 credits -#vacuum_cost_limit = 200 # 1-10000 credits - -# - Background Writer - - -#bgwriter_delay = 200ms # 10-10000ms between rounds -#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round -#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round -#bgwriter_flush_after = 512kB # measured in pages, 0 disables - -# - Asynchronous Behavior - - -#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching -#max_worker_processes = 8 # (change requires restart) -#max_parallel_workers_per_gather = 0 # taken from max_worker_processes -#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate - # (change requires restart) -#backend_flush_after = 0 # measured in pages, 0 disables - - -#------------------------------------------------------------------------------ -# WRITE AHEAD LOG -#------------------------------------------------------------------------------ - -# - Settings - - -wal_level = replica # minimal, replica, or logical. 
(change requires restart) -#fsync = on # flush data to disk for crash safety - # (turning this off can cause - # unrecoverable data corruption) -#synchronous_commit = on # synchronization level; - # off, local, remote_write, remote_apply, or on -#wal_sync_method = fsync # the default is the first option - # supported by the operating system: - # open_datasync - # fdatasync (default on Linux) - # fsync - # fsync_writethrough - # open_sync -#full_page_writes = on # recover from partial page writes -#wal_compression = off # enable compression of full-page writes -# NB: `wal_log_hints` are required for `pg_rewind` to work -#wal_log_hints = off # also do full page writes of non-critical updates - # (change requires restart) -#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers - # (change requires restart) -#wal_writer_delay = 200ms # 1-10000 milliseconds -#wal_writer_flush_after = 1MB # measured in pages, 0 disables - -#commit_delay = 0 # range 0-100000, in microseconds -#commit_siblings = 5 # range 1-1000 - -# - Checkpoints - - -#checkpoint_timeout = 5min # range 30s-1d -#max_wal_size = 1GB -#min_wal_size = 80MB -#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 -#checkpoint_flush_after = 256kB # measured in pages, 0 disables -#checkpoint_warning = 30s # 0 disables - -# - Archiving - -# Disable archiving because standby -#archive_mode = on -#archive_command = '/usr/local/bin/metadb_s3_archive "%p" "%f"' - # placeholders: %p = path of file to archive - # %f = file name only -#archive_timeout = 0 # force a logfile segment switch after this - # number of seconds; 0 disables - - -#------------------------------------------------------------------------------ -# REPLICATION -#------------------------------------------------------------------------------ - -# - Sending Server(s) - - -# Set these on the master and on any standby that will send replication data. 
- -max_wal_senders = 2 # (change requires restart) - -# 2018-01-17: the DB grows at ~0.8Gb/day within 40min of centrifugation, 2x is error margin -wal_keep_segments = {{ (2 * 0.8 * 1024 / 16) | int }} # in logfile segments, 16MB each; 0 disables - -#wal_sender_timeout = 60s # in milliseconds; 0 disables - -max_replication_slots = 1 # (change requires restart) -#track_commit_timestamp = off # collect timestamp of transaction commit - # (change requires restart) - -# - Master Server - - -# These settings are ignored on a standby server. - -#synchronous_standby_names = '' # standby servers that provide sync rep - # number of sync standbys and comma-separated list of application_name - # from standby(s); '*' = all -#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed - -# - Standby Servers - - -# These settings are ignored on a master server. - -hot_standby = on # "on" allows queries during recovery, (change requires restart) -max_standby_archive_delay = -1 # max delay before canceling queries - # when reading WAL from archive; - # -1 allows indefinite delay -max_standby_streaming_delay = -1 # max delay before canceling queries - # when reading streaming WAL; - # -1 allows indefinite delay -#wal_receiver_status_interval = 10s # send replies at least this often - # 0 disables -#hot_standby_feedback = off # send info from standby to prevent - # query conflicts -#wal_receiver_timeout = 60s # time that receiver waits for - # communication from master - # in milliseconds; 0 disables -#wal_retrieve_retry_interval = 5s # time to wait before retrying to - # retrieve WAL after a failed attempt - - -#------------------------------------------------------------------------------ -# QUERY TUNING -#------------------------------------------------------------------------------ - -# - Planner Method Configuration - - -#enable_bitmapscan = on -#enable_hashagg = on -#enable_hashjoin = on -#enable_indexscan = on -#enable_indexonlyscan = on -#enable_material = on 
-#enable_mergejoin = on -#enable_nestloop = on -#enable_seqscan = on -#enable_sort = on -#enable_tidscan = on - -# - Planner Cost Constants - - -# XXX: hw stats: -# HDD @ HKG ~ 20.0ms seek 50 MB/s seq -# SSD @ AMS ~ 1.5ms seek 210 MB/s seq -# local SSD @ AMS ~ 0.2ms seek 475 MB/s seq -# and ~ same CPU. How to convert that knowledge to costs?! - -{% if have_ssd %} -seq_page_cost = 1.0 -random_page_cost = 1.0 -{% else %} -#seq_page_cost = 1.0 # measured on an arbitrary scale -#random_page_cost = 4.0 # same scale as above -{% endif %} - -#cpu_tuple_cost = 0.01 # same scale as above -#cpu_index_tuple_cost = 0.005 # same scale as above -#cpu_operator_cost = 0.0025 # same scale as above -#parallel_tuple_cost = 0.1 # same scale as above -#parallel_setup_cost = 1000.0 # same scale as above -#min_parallel_relation_size = 8MB -effective_cache_size= {{ (ansible_memtotal_mb * 3 / 4) | int }}MB # default is 4GB, 15GB is ~ node_memory_Cached + node_memory_MemFree - -# - Genetic Query Optimizer - - -#geqo = on -#geqo_threshold = 12 -#geqo_effort = 5 # range 1-10 -#geqo_pool_size = 0 # selects default based on effort -#geqo_generations = 0 # selects default based on effort -#geqo_selection_bias = 2.0 # range 1.5-2.0 -#geqo_seed = 0.0 # range 0.0-1.0 - -# - Other Planner Options - - -#default_statistics_target = 100 # range 1-10000 -#constraint_exclusion = partition # on, off, or partition -#cursor_tuple_fraction = 0.1 # range 0.0-1.0 -#from_collapse_limit = 8 -#join_collapse_limit = 8 # 1 disables collapsing of explicit - # JOIN clauses -#force_parallel_mode = off - - -#------------------------------------------------------------------------------ -# ERROR REPORTING AND LOGGING -#------------------------------------------------------------------------------ - -# - Where to Log - - -log_destination = 'stderr' # Valid values are combinations of stderr, csvlog, syslog. - -logging_collector = on # Enable capturing of stderr and csvlog into log files. 
- -# These are only used if logging_collector is on: -#log_directory = 'pg_log' # directory where log files are written, - # can be absolute or relative to PGDATA -log_filename = '{{ inventory_hostname_short }}-%Y-%m-%d_%H%M%S.log' -#log_file_mode = 0600 # creation mode for log files, - # begin with 0 to use octal notation -#log_truncate_on_rotation = off # If on, an existing log file with the - # same name as the new log file will be - # truncated rather than appended to. - # But such truncation only occurs on - # time-driven rotation, not on restarts - # or size-driven rotation. Default is - # off, meaning append to existing files - # in all cases. -log_rotation_age = 1d # 0 disables. -log_rotation_size = 128MB # 0 disables. - -# - When to Log - - -#client_min_messages = notice # values in order of decreasing detail: -#log_min_messages = warning # values in order of decreasing detail: -#log_min_error_statement = error # values in order of decreasing detail: - -log_min_duration_statement = 20000 # -1 is disabled, 0 (ms) logs all statements - -# - What to Log - - -#debug_print_parse = off -#debug_print_rewritten = off -#debug_print_plan = off -#debug_pretty_print = on -#log_checkpoints = off -log_connections = on -log_disconnections = on -#log_duration = off -#log_error_verbosity = default # terse, default, or verbose messages -#log_hostname = off -log_line_prefix = '%m [%p]:%l %q%u@%r/%a ' -#log_line_prefix = '' # special values: - # %a = application name - # %u = user name - # %d = database name - # %r = remote host and port - # %h = remote host - # %p = process ID - # %t = timestamp without milliseconds - # %m = timestamp with milliseconds - # %n = timestamp with milliseconds (as a Unix epoch) - # %i = command tag - # %e = SQL state - # %c = session ID - # %l = session line number - # %s = session start timestamp - # %v = virtual transaction ID - # %x = transaction ID (0 if none) - # %q = stop here in non-session - # processes - # %% = '%' - # e.g. 
'<%u%%%d> ' -#log_lock_waits = off # log lock waits >= deadlock_timeout -#log_statement = 'none' # none, ddl, mod, all -#log_replication_commands = off -log_temp_files = 16384 # log temporary files >= 16Mb, -1 disables, 0 logs all temp files -log_timezone = 'UTC' - - -# - Process Title - - -#cluster_name = '' # added to process titles if nonempty - # (change requires restart) -#update_process_title = on - - -#------------------------------------------------------------------------------ -# RUNTIME STATISTICS -#------------------------------------------------------------------------------ - -# - Query/Index Statistics Collector - - -#track_activities = on -#track_counts = on -#track_io_timing = off -#track_functions = none # none, pl, all -#track_activity_query_size = 1024 # (change requires restart) -#stats_temp_directory = 'pg_stat_tmp' - - -# - Statistics Monitoring - - -#log_parser_stats = off -#log_planner_stats = off -#log_executor_stats = off -#log_statement_stats = off - - -#------------------------------------------------------------------------------ -# AUTOVACUUM PARAMETERS -#------------------------------------------------------------------------------ - -#autovacuum = on # Enable autovacuum subprocess? 'on' - # requires track_counts to also be on. -#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and - # their durations, > 0 logs only - # actions running at least this number - # of milliseconds. 
-#autovacuum_max_workers = 3 # max number of autovacuum subprocesses - # (change requires restart) -#autovacuum_naptime = 1min # time between autovacuum runs -#autovacuum_vacuum_threshold = 50 # min number of row updates before - # vacuum -#autovacuum_analyze_threshold = 50 # min number of row updates before - # analyze -#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum -#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze -#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum - # (change requires restart) -#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age - # before forced vacuum - # (change requires restart) -#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for - # autovacuum, in milliseconds; - # -1 means use vacuum_cost_delay -#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for - # autovacuum, -1 means use - # vacuum_cost_limit - - -#------------------------------------------------------------------------------ -# CLIENT CONNECTION DEFAULTS -#------------------------------------------------------------------------------ - -# - Statement Behavior - - -#search_path = '"$user", public' # schema names -#default_tablespace = '' # a tablespace name, '' uses the default -#temp_tablespaces = '' # a list of tablespace names, '' uses - # only default tablespace -#check_function_bodies = on -#default_transaction_isolation = 'read committed' -#default_transaction_read_only = off -#default_transaction_deferrable = off -#session_replication_role = 'origin' -#statement_timeout = 0 # in milliseconds, 0 is disabled -#lock_timeout = 0 # in milliseconds, 0 is disabled -#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled -#vacuum_freeze_min_age = 50000000 -#vacuum_freeze_table_age = 150000000 -#vacuum_multixact_freeze_min_age = 5000000 -#vacuum_multixact_freeze_table_age = 150000000 -#bytea_output = 'hex' # hex, escape -#xmlbinary 
= 'base64' -#xmloption = 'content' -#gin_fuzzy_search_limit = 0 -#gin_pending_list_limit = 4MB - -# - Locale and Formatting - - -datestyle = 'iso, mdy' -#intervalstyle = 'postgres' -timezone = 'UTC' -#timezone_abbreviations = 'Default' # Select the set of available time zone - # abbreviations. Currently, there are - # Default - # Australia (historical usage) - # India - # You can create your own file in - # share/timezonesets/. -#extra_float_digits = 0 # min -15, max 3 -#client_encoding = sql_ascii # actually, defaults to database - # encoding - -# These settings are initialized by initdb, but they can be changed. -lc_messages = 'en_US.utf8' # locale for system error message - # strings -lc_monetary = 'en_US.utf8' # locale for monetary formatting -lc_numeric = 'en_US.utf8' # locale for number formatting -lc_time = 'en_US.utf8' # locale for time formatting - -# default configuration for text search -default_text_search_config = 'pg_catalog.english' - -# - Other Defaults - - -#dynamic_library_path = '$libdir' -#local_preload_libraries = '' -#session_preload_libraries = '' - - -#------------------------------------------------------------------------------ -# LOCK MANAGEMENT -#------------------------------------------------------------------------------ - -#deadlock_timeout = 1s -#max_locks_per_transaction = 64 # min 10 - # (change requires restart) -#max_pred_locks_per_transaction = 64 # min 10 - # (change requires restart) - - -#------------------------------------------------------------------------------ -# ERROR HANDLING -#------------------------------------------------------------------------------ - -#exit_on_error = off # terminate session on any error? -#restart_after_crash = on # reinitialize after backend crash? 
- - -#------------------------------------------------------------------------------ -# CONFIG FILE INCLUDES -#------------------------------------------------------------------------------ - -# These options allow settings to be loaded from files other than the -# default postgresql.conf. - -#include_dir = 'conf.d' # include files ending in '.conf' from - # directory 'conf.d' -#include_if_exists = 'exists.conf' # include file only if it exists -#include = 'special.conf' # include file - - -#------------------------------------------------------------------------------ -# CUSTOMIZED OPTIONS -#------------------------------------------------------------------------------ - -# Add settings for extensions here diff --git a/ansible/roles/plpsql/templates/recovery.conf b/ansible/roles/plpsql/templates/recovery.conf deleted file mode 100644 index c1e95a5af..000000000 --- a/ansible/roles/plpsql/templates/recovery.conf +++ /dev/null @@ -1,7 +0,0 @@ -standby_mode = 'on' -primary_slot_name = 'amsmetadb_3' -primary_conninfo = 'host=hkgmetadb.infra.ooni.io port=5432 user=amsrepl password={{ amsrepl_hkgmetadb_password }}' -trigger_file = '/srv/pl-psql/trigger.flag' - -# https://github.com/ooni/sysadmin/issues/328 -archive_cleanup_command = '/usr/bin/pg_archivecleanup -d /srv/pl-psql/pg_xlog %r 2>>/srv/pl-psql/pg_log/{{ inventory_hostname_short }}_cleanup.log' diff --git a/ansible/roles/postgresql11/meta/main.yml b/ansible/roles/postgresql11/meta/main.yml deleted file mode 100644 index c82f9e2db..000000000 --- a/ansible/roles/postgresql11/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: nftables diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml deleted file mode 100644 index c7afa64d4..000000000 --- a/ansible/roles/postgresql11/tasks/main.yml +++ /dev/null 
@@ -1,179 +0,0 @@ ---- -- name: install LVM - tags: postgresql11-fs - when: inventory_hostname == 'ams-pg.ooni.org' - apt: - cache_valid_time: 86400 - name: lvm2 - -- name: Create vg.metadb Volume Group - tags: postgresql11-fs - when: inventory_hostname == 'ams-pg.ooni.org' - lvg: - vg: vg.metadb - pvs: - - /dev/sda - -- name: Create metadb logical volume - tags: postgresql11-fs - when: inventory_hostname == 'ams-pg.ooni.org' - lvol: - vg: vg.metadb - lv: metadb - size: 100%VG - -- name: Create ext4 filesystem for metadb - tags: postgresql11-fs - when: inventory_hostname == 'ams-pg.ooni.org' - filesystem: - fstype: ext4 - dev: /dev/vg.metadb/metadb - opts: -L metadb - -- name: Mount ext4 metadb FS - tags: postgresql11-fs - when: inventory_hostname == 'ams-pg.ooni.org' - mount: - fstype: ext4 - opts: noatime - path: /var/lib/postgresql - src: LABEL=metadb - state: mounted - -- name: Create btrfs filesystem for metadb - tags: postgresql11-fs - when: inventory_hostname == 'ams-pg-test.ooni.org' - filesystem: - fstype: btrfs - dev: /dev/sda - opts: -L metadb - -- name: install kernel to support BTRFS with zstd - tags: postgresql11-fs - when: inventory_hostname == 'ams-pg-test.ooni.org' - apt: - cache_valid_time: 86400 - name: linux-image-5.8.0-0.bpo.2-cloud-amd64 - -- name: ensure the running kernel is correct - tags: postgresql11-fs - when: inventory_hostname == 'ams-pg-test.ooni.org' - shell: uname -a | grep 5.8.0-0.bpo.2-cloud-amd64 - -- name: Mount btrfs metadb FS - tags: postgresql11-fs - when: inventory_hostname == 'ams-pg-test.ooni.org' - mount: - fstype: btrfs - opts: defaults,space_cache,noatime,compress=zstd:1,nodatacow,autodefrag - path: /var/lib/postgresql - src: LABEL=metadb - state: mounted - -- name: install PG11 - tags: postgresql11 - apt: - cache_valid_time: 86400 - name: - - postgresql-11 - -- name: Overwrite pg_hba.conf - tags: postgresql11 - template: - src: templates/pg_hba.conf - dest: /etc/postgresql/11/main/pg_hba.conf - mode: 0644 - owner: root 
- -- name: Prepare postgresql.conf - tags: postgresql11 - template: - src: templates/postgresql.conf - dest: /etc/postgresql/11/main/postgresql.conf - mode: 0644 - owner: root - -- name: Enable and start service - tags: postgresql11 - shell: systemctl enable --now postgresql.service - -- name: Reload pg after conf change - tags: postgresql11 - shell: systemctl reload postgresql.service - -- name: allow incoming TCP connections to database - tags: pg-nftables - blockinfile: - path: /etc/ooni/nftables/tcp/5432.nft - create: yes - block: | - add rule inet filter input ip saddr {{ lookup('dig', 'jupyter.ooni.org/A') }} tcp dport 5432 counter accept comment "psql from jupyter.ooni.org" - add rule inet filter input ip saddr {{ lookup('dig', 'backend-fsn.ooni.org/A') }} tcp dport 5432 counter accept comment "psql from backend-fsn.ooni.org" - -- name: reload nftables service - tags: pg-nftables - shell: systemctl reload nftables.service - -- name: Create metadb - tags: postgresql11 - become_user: postgres - postgresql_db: - name: metadb - -- name: Create readonly user - become_user: postgres - tags: postgresql11 - postgresql_user: - db: metadb - name: readonly - # already made public - password: b2HUU6gKM19SvXzXJCzpUV - role_attr_flags: NOSUPERUSER - priv: ALL - ssl_mode: require - -- name: Create shovel user - become_user: postgres - tags: postgresql11 - postgresql_user: - db: metadb - name: shovel - # already made public - password: yEqgNr2eXvgG255iEBxVeP - role_attr_flags: NOSUPERUSER - priv: ALL - ssl_mode: require - -- name: Create replicator user - become_user: postgres - tags: postgresql11 - postgresql_user: - db: metadb - name: replicator - role_attr_flags: NOSUPERUSER,REPLICATION - ssl_mode: require - -- name: Simple select query - tags: postgresql11 - postgresql_query: - db: metadb - query: SELECT version() - login_user: readonly - -- name: configure Netdata Postgres monitoring - tags: netdata - blockinfile: - path: /etc/netdata/python.d/postgres.conf - create: 
yes - block: | - socket: - name : 'local' - user : 'shovel' - database : 'metadb' - -- name: restart netdata service - tags: netdata - systemd: - name: netdata.service - state: restarted - diff --git a/ansible/roles/postgresql11/templates/pg_hba.conf b/ansible/roles/postgresql11/templates/pg_hba.conf deleted file mode 100644 index 883d0b6cc..000000000 --- a/ansible/roles/postgresql11/templates/pg_hba.conf +++ /dev/null 
@@ -1,109 +0,0 @@ -# Managed by ansible -# roles/postgresql11/templates/pg_hba.conf - - -# PostgreSQL Client Authentication Configuration File -# =================================================== -# -# Refer to the "Client Authentication" section in the PostgreSQL -# documentation for a complete description of this file. A short -# synopsis follows. -# -# This file controls: which hosts are allowed to connect, how clients -# are authenticated, which PostgreSQL user names they can use, which -# databases they can access. Records take one of these forms: -# -# local DATABASE USER METHOD [OPTIONS] -# host DATABASE USER ADDRESS METHOD [OPTIONS] -# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] -# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] -# -# (The uppercase items must be replaced by actual values.) -# -# The first field is the connection type: "local" is a Unix-domain -# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, -# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a -# plain TCP/IP socket. -# -# DATABASE can be "all", "sameuser", "samerole", "replication", a -# database name, or a comma-separated list thereof. The "all" -# keyword does not match "replication". Access to replication -# must be enabled in a separate record (see example below). -# -# USER can be "all", a user name, a group name prefixed with "+", or a -# comma-separated list thereof. In both the DATABASE and USER fields -# you can also write a file name prefixed with "@" to include names -# from a separate file. -# -# ADDRESS specifies the set of hosts the record matches. It can be a -# host name, or it is made up of an IP address and a CIDR mask that is -# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that -# specifies the number of significant bits in the mask. A host name -# that starts with a dot (.) matches a suffix of the actual host name. 
-# Alternatively, you can write an IP address and netmask in separate -# columns to specify the set of hosts. Instead of a CIDR-address, you -# can write "samehost" to match any of the server's own IP addresses, -# or "samenet" to match any address in any subnet that the server is -# directly connected to. -# -# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", -# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". -# Note that "password" sends passwords in clear text; "md5" or -# "scram-sha-256" are preferred since they send encrypted passwords. -# -# OPTIONS are a set of options for the authentication in the format -# NAME=VALUE. The available options depend on the different -# authentication methods -- refer to the "Client Authentication" -# section in the documentation for a list of which options are -# available for which authentication methods. -# -# Database and user names containing spaces, commas, quotes and other -# special characters must be quoted. Quoting one of the keywords -# "all", "sameuser", "samerole" or "replication" makes the name lose -# its special character, and just match a database or username with -# that name. -# -# This file is read on server startup and when the server receives a -# SIGHUP signal. If you edit the file on a running system, you have to -# SIGHUP the server for the changes to take effect, run "pg_ctl reload", -# or execute "SELECT pg_reload_conf()". -# -# Put your actual configuration here -# ---------------------------------- -# -# If you want to allow non-local connections, you need to add more -# "host" records. In that case you will also need to make PostgreSQL -# listen on a non-local interface via the listen_addresses -# configuration parameter, or via the -i or -h command line switches. - - - - -# DO NOT DISABLE! -# If you change this first entry you will need to make sure that the -# database superuser can access the database using some other method. 
-# Noninteractive access to all databases is required during automatic -# maintenance (custom daily cronjobs, replication, and similar tasks). -# -# Database administrative login by Unix domain socket -local all postgres peer - -# TYPE DATABASE USER ADDRESS METHOD - -# Unix domain socket: allow all local connections without password -local all all trust - -# IPv4 local connections: -host all all 127.0.0.1/32 md5 -host all all 127.0.0.1/32 md5 -# IPv6 local connections: -host all all ::1/128 md5 -# Allow replication connections from localhost, by a user with the -# replication privilege. -local replication all peer -host replication all 127.0.0.1/32 md5 -host replication all ::1/128 md5 - -# Allow incoming SSL connections without password -# protected by filtering on source ipaddr using nftables -hostssl all all 0.0.0.0/0 trust diff --git a/ansible/roles/postgresql11/templates/postgresql.conf b/ansible/roles/postgresql11/templates/postgresql.conf deleted file mode 100644 index efade5087..000000000 --- a/ansible/roles/postgresql11/templates/postgresql.conf +++ /dev/null 
@@ -1,729 +0,0 @@ -# ----------------------------- -# PostgreSQL configuration file -# ----------------------------- -# -# This file consists of lines of the form: -# -# name = value -# -# (The "=" is optional.) Whitespace may be used. Comments are introduced with -# "#" anywhere on a line. The complete list of parameter names and allowed -# values can be found in the PostgreSQL documentation. -# -# The commented-out settings shown in this file represent the default values. -# Re-commenting a setting is NOT sufficient to revert it to the default value; -# you need to reload the server. -# -# This file is read on server startup and when the server receives a SIGHUP -# signal. If you edit the file on a running system, you have to SIGHUP the -# server for the changes to take effect, run "pg_ctl reload", or execute -# "SELECT pg_reload_conf()". Some parameters, which are marked below, -# require a server shutdown and restart to take effect. -# -# Any parameter can also be given as a command-line option to the server, e.g., -# "postgres -c log_connections=on". Some parameters can be changed at run time -# with the "SET" SQL command. -# -# Memory units: kB = kilobytes Time units: ms = milliseconds -# MB = megabytes s = seconds -# GB = gigabytes min = minutes -# TB = terabytes h = hours -# d = days - - -#------------------------------------------------------------------------------ -# FILE LOCATIONS -#------------------------------------------------------------------------------ - -# The default values of these variables are driven from the -D command-line -# option or PGDATA environment variable, represented here as ConfigDir. 
- -data_directory = '/var/lib/postgresql/11/main' # use data in another directory - # (change requires restart) -hba_file = '/etc/postgresql/11/main/pg_hba.conf' # host-based authentication file - # (change requires restart) -ident_file = '/etc/postgresql/11/main/pg_ident.conf' # ident configuration file - # (change requires restart) - -# If external_pid_file is not explicitly set, no extra PID file is written. -external_pid_file = '/var/run/postgresql/11-main.pid' # write an extra PID file - # (change requires restart) - - -#------------------------------------------------------------------------------ -# CONNECTIONS AND AUTHENTICATION -#------------------------------------------------------------------------------ - -# - Connection Settings - - -#listen_addresses = 'localhost' # what IP address(es) to listen on; -listen_addresses = '*' - # comma-separated list of addresses; - # defaults to 'localhost'; use '*' for all - # (change requires restart) -port = 5432 # (change requires restart) -max_connections = 100 # (change requires restart) -#superuser_reserved_connections = 3 # (change requires restart) -unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories - # (change requires restart) -#unix_socket_group = '' # (change requires restart) -#unix_socket_permissions = 0777 # begin with 0 to use octal notation - # (change requires restart) -#bonjour = off # advertise server via Bonjour - # (change requires restart) -#bonjour_name = '' # defaults to the computer name - # (change requires restart) - -# - TCP Keepalives - -# see "man 7 tcp" for details - -#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; - # 0 selects the system default -#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; - # 0 selects the system default -#tcp_keepalives_count = 0 # TCP_KEEPCNT; - # 0 selects the system default - -# - Authentication - - -#authentication_timeout = 1min # 1s-600s -#password_encryption = md5 # md5 or scram-sha-256 -#db_user_namespace 
= off - -# GSSAPI using Kerberos -#krb_server_keyfile = '' -#krb_caseins_users = off - -# - SSL - - -ssl = on -#ssl_ca_file = '' -ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' -#ssl_crl_file = '' -ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' -#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers -#ssl_prefer_server_ciphers = on -#ssl_ecdh_curve = 'prime256v1' -#ssl_dh_params_file = '' -#ssl_passphrase_command = '' -#ssl_passphrase_command_supports_reload = off - - -#------------------------------------------------------------------------------ -# RESOURCE USAGE (except WAL) -#------------------------------------------------------------------------------ - -# - Memory - - -{% if inventory_hostname == 'ams-pg-test.ooni.org' %} -shared_buffers = 128MB -{% else %} -shared_buffers = 4011MB -{% endif %} - - # (change requires restart) -#huge_pages = try # on, off, or try - # (change requires restart) -#temp_buffers = 8MB # min 800kB -#max_prepared_transactions = 0 # zero disables the feature - # (change requires restart) -# Caution: it is not advisable to set max_prepared_transactions nonzero unless -# you actively intend to use prepared transactions. 
- -{% if inventory_hostname == 'ams-pg-test.ooni.org' %} -work_mem = 4MB -{% else %} -work_mem = 32MB -{% endif %} - -{% if inventory_hostname == 'ams-pg-test.ooni.org' %} -maintenance_work_mem = 64MB -{% else %} -maintenance_work_mem = 1024MB -{% endif %} - -#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem -#max_stack_depth = 2MB # min 100kB -dynamic_shared_memory_type = posix # the default is the first option - # supported by the operating system: - # posix - # sysv - # windows - # mmap - # use none to disable dynamic shared memory - # (change requires restart) - -# - Disk - - -#temp_file_limit = -1 # limits per-process temp file space - # in kB, or -1 for no limit - -# - Kernel Resources - - -#max_files_per_process = 1000 # min 25 - # (change requires restart) - -# - Cost-Based Vacuum Delay - - -#vacuum_cost_delay = 0 # 0-100 milliseconds -#vacuum_cost_page_hit = 1 # 0-10000 credits -#vacuum_cost_page_miss = 10 # 0-10000 credits -#vacuum_cost_page_dirty = 20 # 0-10000 credits -#vacuum_cost_limit = 200 # 1-10000 credits - -# - Background Writer - - -#bgwriter_delay = 200ms # 10-10000ms between rounds -#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables -#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round -#bgwriter_flush_after = 512kB # measured in pages, 0 disables - -# - Asynchronous Behavior - - -## Optimized for SSD -effective_io_concurrency = 8 - -#max_worker_processes = 8 # (change requires restart) -#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers - -max_parallel_maintenance_workers = 16 - -#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers -#parallel_leader_participation = on -#max_parallel_workers = 8 # maximum number of max_worker_processes that - # can be used in parallel operations - -max_parallel_workers = 16 - -#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate - # (change requires restart) -#backend_flush_after = 0 # measured 
in pages, 0 disables - - -#------------------------------------------------------------------------------ -# WRITE-AHEAD LOG -#------------------------------------------------------------------------------ - -# - Settings - - -#wal_level = replica # minimal, replica, or logical - # (change requires restart) - -wal_level = minimal - -# TODO -fsync = off # flush data to disk for crash safety - # (turning this off can cause - # unrecoverable data corruption) -# TODO -synchronous_commit = off # synchronization level; - # off, local, remote_write, remote_apply, or on -#wal_sync_method = fsync # the default is the first option - # supported by the operating system: - # open_datasync - # fdatasync (default on Linux) - # fsync - # fsync_writethrough - # open_sync -# TODO restore after import -full_page_writes = off # recover from partial page writes -#wal_compression = off # enable compression of full-page writes -#wal_log_hints = off # also do full page writes of non-critical updates - # (change requires restart) -# TODO disabled after restore -wal_buffers = 16MB # min 32kB, -1 sets based on shared_buffers - # (change requires restart) -#wal_writer_delay = 200ms # 1-10000 milliseconds -#wal_writer_flush_after = 1MB # measured in pages, 0 disables - -#commit_delay = 0 # range 0-100000, in microseconds -#commit_siblings = 5 # range 1-1000 - -# - Checkpoints - - -#checkpoint_timeout = 5min # range 30s-1d -max_wal_size = 1GB -min_wal_size = 80MB -#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 -#checkpoint_flush_after = 256kB # measured in pages, 0 disables -#checkpoint_warning = 30s # 0 disables - -# - Archiving - - -archive_mode = off - -#archive_mode = off # enables archiving; off, on, or always - # (change requires restart) -#archive_command = '' # command to use to archive a logfile segment - # placeholders: %p = path of file to archive - # %f = file name only - # e.g. 'test ! 
-f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' -#archive_timeout = 0 # force a logfile segment switch after this - # number of seconds; 0 disables - - -#------------------------------------------------------------------------------ -# REPLICATION -#------------------------------------------------------------------------------ - -# - Sending Servers - - -# Set these on the master and on any standby that will send replication data. - -## REQUIRED by wal_level=minimal ## -max_wal_senders = 0 - -#max_wal_senders = 10 # max number of walsender processes - # (change requires restart) -#wal_keep_segments = 0 # in logfile segments; 0 disables -#wal_sender_timeout = 60s # in milliseconds; 0 disables - -#max_replication_slots = 10 # max number of replication slots - # (change requires restart) -#track_commit_timestamp = off # collect timestamp of transaction commit - # (change requires restart) - -# - Master Server - - -# These settings are ignored on a standby server. - -#synchronous_standby_names = '' # standby servers that provide sync rep - # method to choose sync standbys, number of sync standbys, - # and comma-separated list of application_name - # from standby(s); '*' = all -#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed - -# - Standby Servers - - -# These settings are ignored on a master server. 
- -#hot_standby = on # "off" disallows queries during recovery - # (change requires restart) -#max_standby_archive_delay = 30s # max delay before canceling queries - # when reading WAL from archive; - # -1 allows indefinite delay -#max_standby_streaming_delay = 30s # max delay before canceling queries - # when reading streaming WAL; - # -1 allows indefinite delay -#wal_receiver_status_interval = 10s # send replies at least this often - # 0 disables -#hot_standby_feedback = off # send info from standby to prevent - # query conflicts -#wal_receiver_timeout = 60s # time that receiver waits for - # communication from master - # in milliseconds; 0 disables -#wal_retrieve_retry_interval = 5s # time to wait before retrying to - # retrieve WAL after a failed attempt - -# - Subscribers - - -# These settings are ignored on a publisher. - -#max_logical_replication_workers = 4 # taken from max_worker_processes - # (change requires restart) -#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers - - -#------------------------------------------------------------------------------ -# QUERY TUNING -#------------------------------------------------------------------------------ - -# - Planner Method Configuration - - -#enable_bitmapscan = on -#enable_hashagg = on -#enable_hashjoin = on -#enable_indexscan = on -#enable_indexonlyscan = on -#enable_material = on -#enable_mergejoin = on -#enable_nestloop = on -#enable_parallel_append = on -#enable_seqscan = on -#enable_sort = on -#enable_tidscan = on -#enable_partitionwise_join = off -#enable_partitionwise_aggregate = off -#enable_parallel_hash = on -#enable_partition_pruning = on - -# - Planner Cost Constants - - -seq_page_cost = 1.0 # measured on an arbitrary scale -random_page_cost = 1.0 # same scale as above -#cpu_tuple_cost = 0.01 # same scale as above -#cpu_index_tuple_cost = 0.005 # same scale as above -#cpu_operator_cost = 0.0025 # same scale as above -#parallel_tuple_cost = 0.1 # same scale as 
above -#parallel_setup_cost = 1000.0 # same scale as above - -#jit_above_cost = 100000 # perform JIT compilation if available - # and query more expensive than this; - # -1 disables -#jit_inline_above_cost = 500000 # inline small functions if query is - # more expensive than this; -1 disables -#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if - # query is more expensive than this; - # -1 disables - -#min_parallel_table_scan_size = 8MB -#min_parallel_index_scan_size = 512kB -effective_cache_size = 12035MB - -# - Genetic Query Optimizer - - -#geqo = on -#geqo_threshold = 12 -#geqo_effort = 5 # range 1-10 -#geqo_pool_size = 0 # selects default based on effort -#geqo_generations = 0 # selects default based on effort -#geqo_selection_bias = 2.0 # range 1.5-2.0 -#geqo_seed = 0.0 # range 0.0-1.0 - -# - Other Planner Options - - -#default_statistics_target = 100 # range 1-10000 -#constraint_exclusion = partition # on, off, or partition -#cursor_tuple_fraction = 0.1 # range 0.0-1.0 -#from_collapse_limit = 8 -#join_collapse_limit = 8 # 1 disables collapsing of explicit - # JOIN clauses -#force_parallel_mode = off -#jit = off # allow JIT compilation - - -#------------------------------------------------------------------------------ -# REPORTING AND LOGGING -#------------------------------------------------------------------------------ - -# - Where to Log - - -#log_destination = 'stderr' # Valid values are combinations of - # stderr, csvlog, syslog, and eventlog, - # depending on platform. csvlog - # requires logging_collector to be on. - -# This is used when logging to stderr: -#logging_collector = off # Enable capturing of stderr and csvlog - # into log files. Required to be on for - # csvlogs. 
- # (change requires restart) - -# These are only used if logging_collector is on: -#log_directory = 'log' # directory where log files are written, - # can be absolute or relative to PGDATA -#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, - # can include strftime() escapes -#log_file_mode = 0600 # creation mode for log files, - # begin with 0 to use octal notation -#log_truncate_on_rotation = off # If on, an existing log file with the - # same name as the new log file will be - # truncated rather than appended to. - # But such truncation only occurs on - # time-driven rotation, not on restarts - # or size-driven rotation. Default is - # off, meaning append to existing files - # in all cases. -#log_rotation_age = 1d # Automatic rotation of logfiles will - # happen after that time. 0 disables. -#log_rotation_size = 10MB # Automatic rotation of logfiles will - # happen after that much log output. - # 0 disables. - -# These are relevant when logging to syslog: -#syslog_facility = 'LOCAL0' -#syslog_ident = 'postgres' -#syslog_sequence_numbers = on -#syslog_split_messages = on - -# This is only relevant when logging to eventlog (win32): -# (change requires restart) -#event_source = 'PostgreSQL' - -# - When to Log - - -#log_min_messages = warning # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # info - # notice - # warning - # error - # log - # fatal - # panic - -#log_min_error_statement = error # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # info - # notice - # warning - # error - # log - # fatal - # panic (effectively off) - -#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements - # and their durations, > 0 logs only - # statements running at least this number - # of milliseconds - - -# - What to Log - - -#debug_print_parse = off -#debug_print_rewritten = off -#debug_print_plan = off -#debug_pretty_print = on -#log_checkpoints 
= off -#log_connections = off -#log_disconnections = off -#log_duration = off -#log_error_verbosity = default # terse, default, or verbose messages -#log_hostname = off -log_line_prefix = '%m [%p] %q%u@%d ' # special values: - # %a = application name - # %u = user name - # %d = database name - # %r = remote host and port - # %h = remote host - # %p = process ID - # %t = timestamp without milliseconds - # %m = timestamp with milliseconds - # %n = timestamp with milliseconds (as a Unix epoch) - # %i = command tag - # %e = SQL state - # %c = session ID - # %l = session line number - # %s = session start timestamp - # %v = virtual transaction ID - # %x = transaction ID (0 if none) - # %q = stop here in non-session - # processes - # %% = '%' - # e.g. '<%u%%%d> ' -#log_lock_waits = off # log lock waits >= deadlock_timeout -#log_statement = 'none' # none, ddl, mod, all -#log_replication_commands = off -#log_temp_files = -1 # log temporary files equal or larger - # than the specified size in kilobytes; - # -1 disables, 0 logs all temp files -log_timezone = 'Etc/UTC' - -#------------------------------------------------------------------------------ -# PROCESS TITLE -#------------------------------------------------------------------------------ - -cluster_name = '11/main' # added to process titles if nonempty - # (change requires restart) -#update_process_title = on - - -#------------------------------------------------------------------------------ -# STATISTICS -#------------------------------------------------------------------------------ - -# - Query and Index Statistics Collector - - -#track_activities = on -#track_counts = on -#track_io_timing = off -#track_functions = none # none, pl, all -#track_activity_query_size = 1024 # (change requires restart) -stats_temp_directory = '/var/run/postgresql/11-main.pg_stat_tmp' - - -# - Monitoring - - -#log_parser_stats = off -#log_planner_stats = off -#log_executor_stats = off -#log_statement_stats = off - - 
-#------------------------------------------------------------------------------ -# AUTOVACUUM -#------------------------------------------------------------------------------ - -autovacuum = on - - # requires track_counts to also be on. -#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and - # their durations, > 0 logs only - # actions running at least this number - # of milliseconds. -#autovacuum_max_workers = 3 # max number of autovacuum subprocesses - # (change requires restart) -#autovacuum_naptime = 1min # time between autovacuum runs -#autovacuum_vacuum_threshold = 50 # min number of row updates before - # vacuum -#autovacuum_analyze_threshold = 50 # min number of row updates before - # analyze -#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum -#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze -#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum - # (change requires restart) -#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age - # before forced vacuum - # (change requires restart) -#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for - # autovacuum, in milliseconds; - # -1 means use vacuum_cost_delay -#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for - # autovacuum, -1 means use - # vacuum_cost_limit - - -#------------------------------------------------------------------------------ -# CLIENT CONNECTION DEFAULTS -#------------------------------------------------------------------------------ - -# - Statement Behavior - - -#client_min_messages = notice # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # log - # notice - # warning - # error -#search_path = '"$user", public' # schema names -#row_security = on -#default_tablespace = '' # a tablespace name, '' uses the default -#temp_tablespaces = '' # a list of tablespace names, '' uses - # only default 
tablespace -#check_function_bodies = on -#default_transaction_isolation = 'read committed' -#default_transaction_read_only = off -#default_transaction_deferrable = off -#session_replication_role = 'origin' -#statement_timeout = 0 # in milliseconds, 0 is disabled -#lock_timeout = 0 # in milliseconds, 0 is disabled -#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled -#vacuum_freeze_min_age = 50000000 -#vacuum_freeze_table_age = 150000000 -#vacuum_multixact_freeze_min_age = 5000000 -#vacuum_multixact_freeze_table_age = 150000000 -#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples - # before index cleanup, 0 always performs - # index cleanup -#bytea_output = 'hex' # hex, escape -#xmlbinary = 'base64' -#xmloption = 'content' -#gin_fuzzy_search_limit = 0 -#gin_pending_list_limit = 4MB - -# - Locale and Formatting - - -datestyle = 'iso, mdy' -#intervalstyle = 'postgres' -timezone = 'Etc/UTC' -#timezone_abbreviations = 'Default' # Select the set of available time zone - # abbreviations. Currently, there are - # Default - # Australia (historical usage) - # India - # You can create your own file in - # share/timezonesets/. -#extra_float_digits = 0 # min -15, max 3 -#client_encoding = sql_ascii # actually, defaults to database - # encoding - -# These settings are initialized by initdb, but they can be changed. 
-lc_messages = 'C.UTF-8' # locale for system error message - # strings -lc_monetary = 'C.UTF-8' # locale for monetary formatting -lc_numeric = 'C.UTF-8' # locale for number formatting -lc_time = 'C.UTF-8' # locale for time formatting - -# default configuration for text search -default_text_search_config = 'pg_catalog.english' - -# - Shared Library Preloading - - -#shared_preload_libraries = '' # (change requires restart) -#local_preload_libraries = '' -#session_preload_libraries = '' -#jit_provider = 'llvmjit' # JIT library to use - -# - Other Defaults - - -#dynamic_library_path = '$libdir' - - -#------------------------------------------------------------------------------ -# LOCK MANAGEMENT -#------------------------------------------------------------------------------ - -#deadlock_timeout = 1s -#max_locks_per_transaction = 64 # min 10 - # (change requires restart) -#max_pred_locks_per_transaction = 64 # min 10 - # (change requires restart) -#max_pred_locks_per_relation = -2 # negative values mean - # (max_pred_locks_per_transaction - # / -max_pred_locks_per_relation) - 1 -#max_pred_locks_per_page = 2 # min 0 - - -#------------------------------------------------------------------------------ -# VERSION AND PLATFORM COMPATIBILITY -#------------------------------------------------------------------------------ - -# - Previous PostgreSQL Versions - - -#array_nulls = on -#backslash_quote = safe_encoding # on, off, or safe_encoding -#default_with_oids = off -#escape_string_warning = on -#lo_compat_privileges = off -#operator_precedence_warning = off -#quote_all_identifiers = off -#standard_conforming_strings = on -#synchronize_seqscans = on - -# - Other Platforms and Clients - - -#transform_null_equals = off - - -#------------------------------------------------------------------------------ -# ERROR HANDLING -#------------------------------------------------------------------------------ - -#exit_on_error = off # terminate session on any error? 
-#restart_after_crash = on # reinitialize after backend crash?
-#data_sync_retry = off # retry or panic on failure to fsync
- # data?
- # (change requires restart)
-
-
-#------------------------------------------------------------------------------
-# CONFIG FILE INCLUDES
-#------------------------------------------------------------------------------
-
-# These options allow settings to be loaded from files other than the
-# default postgresql.conf. Note that these are directives, not variable
-# assignments, so they can usefully be given more than once.
-
-include_dir = 'conf.d' # include files ending in '.conf' from
- # a directory, e.g., 'conf.d'
-#include_if_exists = '...' # include file only if it exists
-#include = '...' # include file
-
-
-#------------------------------------------------------------------------------
-# CUSTOMIZED OPTIONS
-#------------------------------------------------------------------------------
-
-# Add settings for extensions here
diff --git a/ansible/roles/postgresql13/meta/main.yml b/ansible/roles/postgresql13/meta/main.yml
deleted file mode 100644
index c82f9e2db..000000000
--- a/ansible/roles/postgresql13/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - role: nftables
diff --git a/ansible/roles/postgresql13/tasks/main.yml b/ansible/roles/postgresql13/tasks/main.yml
deleted file mode 100644
index 4824ab289..000000000
--- a/ansible/roles/postgresql13/tasks/main.yml
+++ /dev/null
@@ -1,109 +0,0 @@
----
-- name: install PostgreSQL 13
- tags: postgresql13
- apt:
- cache_valid_time: 86400
- name:
- - postgresql-13
-
-- name: Overwrite pg_hba.conf
- tags: postgresql13
- template:
- src: templates/pg_hba.conf
- dest: /etc/postgresql/13/main/pg_hba.conf
- mode: 0644
- owner: root
-
-- name: Prepare postgresql.conf
- tags: postgresql13
- template:
- src: templates/postgresql.conf
- dest: /etc/postgresql/13/main/postgresql.conf
- mode: 0644
- owner: root
-
-- name: Enable and start service
- tags: postgresql13
- shell: systemctl enable --now postgresql.service
-
-- name: Reload pg after conf change
- tags: postgresql13
- shell: systemctl reload postgresql.service
-
-- name: allow incoming TCP connections to database
- tags: pg-nftables
- blockinfile:
- path: /etc/ooni/nftables/tcp/5432.nft
- create: yes
- block: |
- add rule inet filter input ip saddr {{ lookup('dig', 'jupyter.ooni.org/A') }} tcp dport 5432 counter accept comment "psql from jupyter.ooni.org"
-
-- name: reload nftables service
- tags: pg-nftables
- shell: systemctl reload nftables.service
-
-- name: Create metadb
- tags: postgresql13
- become_user: postgres
- postgresql_db:
- name: metadb
-
-- name: Create readonly user
- tags: postgresql13
- become_user: postgres
- postgresql_user:
- db: metadb
- name: readonly
- # already made public
- password: b2HUU6gKM19SvXzXJCzpUV
- role_attr_flags: NOSUPERUSER
- priv: ALL
- ssl_mode: require
-
-- name: Create shovel user
- tags: postgresql13
- become_user: postgres
- postgresql_user:
- db: metadb
- name: shovel
- # already made public
- password: yEqgNr2eXvgG255iEBxVeP
- role_attr_flags: NOSUPERUSER
- priv: ALL
- ssl_mode: require
-
-- name: Create amsapi user
- tags: postgresql13
- become_user: postgres
- postgresql_user:
- db: metadb
- name: amsapi
- role_attr_flags: NOSUPERUSER
- priv: ALL
- ssl_mode: require
-
-- name: Simple select query
- tags: postgresql13
- postgresql_query:
- db: metadb
- query: SELECT version()
- login_user: readonly
-
-- name: configure Netdata Postgres monitoring
- tags: netdata
- blockinfile:
- path: /etc/netdata/python.d/postgres.conf
- create: yes
- block: |
- socket:
- name : 'local'
- user : 'shovel'
- database : 'metadb'
-# CREATE SUBSCRIPTION metadbsub CONNECTION 'dbname=metadb host=ams-pg-test.ooni.org user=readonly' PUBLICATION metadbpub;
-
-- name: restart netdata service
- tags: netdata
- systemd:
- name: netdata.service
- state: restarted
-
diff --git a/ansible/roles/postgresql13/templates/pg_hba.conf b/ansible/roles/postgresql13/templates/pg_hba.conf
deleted file mode 100644
index bbe5af3b7..000000000
--- a/ansible/roles/postgresql13/templates/pg_hba.conf
+++ /dev/null
@@ -1,112 +0,0 @@
-# Managed by ansible
-# roles/postgresql11/templates/pg_hba.conf
-
-
-# PostgreSQL Client Authentication Configuration File
-# ===================================================
-#
-# Refer to the "Client Authentication" section in the PostgreSQL
-# documentation for a complete description of this file. A short
-# synopsis follows.
-#
-# This file controls: which hosts are allowed to connect, how clients
-# are authenticated, which PostgreSQL user names they can use, which
-# databases they can access. Records take one of these forms:
-#
-# local DATABASE USER METHOD [OPTIONS]
-# host DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
-#
-# (The uppercase items must be replaced by actual values.)
-#
-# The first field is the connection type: "local" is a Unix-domain
-# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
-# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
-# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a
-# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
-# non-GSSAPI socket.
-#
-# DATABASE can be "all", "sameuser", "samerole", "replication", a
-# database name, or a comma-separated list thereof. The "all"
-# keyword does not match "replication". Access to replication
-# must be enabled in a separate record (see example below).
-#
-# USER can be "all", a user name, a group name prefixed with "+", or a
-# comma-separated list thereof. In both the DATABASE and USER fields
-# you can also write a file name prefixed with "@" to include names
-# from a separate file.
-#
-# ADDRESS specifies the set of hosts the record matches. It can be a
-# host name, or it is made up of an IP address and a CIDR mask that is
-# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
-# specifies the number of significant bits in the mask. A host name
-# that starts with a dot (.) matches a suffix of the actual host name.
-# Alternatively, you can write an IP address and netmask in separate
-# columns to specify the set of hosts. Instead of a CIDR-address, you
-# can write "samehost" to match any of the server's own IP addresses,
-# or "samenet" to match any address in any subnet that the server is
-# directly connected to.
-#
-# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
-# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
-# Note that "password" sends passwords in clear text; "md5" or
-# "scram-sha-256" are preferred since they send encrypted passwords.
-#
-# OPTIONS are a set of options for the authentication in the format
-# NAME=VALUE. The available options depend on the different
-# authentication methods -- refer to the "Client Authentication"
-# section in the documentation for a list of which options are
-# available for which authentication methods.
-#
-# Database and user names containing spaces, commas, quotes and other
-# special characters must be quoted. Quoting one of the keywords
-# "all", "sameuser", "samerole" or "replication" makes the name lose
-# its special character, and just match a database or username with
-# that name.
-#
-# This file is read on server startup and when the server receives a
-# SIGHUP signal. If you edit the file on a running system, you have to
-# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
-# or execute "SELECT pg_reload_conf()".
-#
-# Put your actual configuration here
-# ----------------------------------
-#
-# If you want to allow non-local connections, you need to add more
-# "host" records. In that case you will also need to make PostgreSQL
-# listen on a non-local interface via the listen_addresses
-# configuration parameter, or via the -i or -h command line switches.
-
-
-
-
-# DO NOT DISABLE!
-# If you change this first entry you will need to make sure that the
-# database superuser can access the database using some other method.
-# Noninteractive access to all databases is required during automatic
-# maintenance (custom daily cronjobs, replication, and similar tasks).
-#
-# Database administrative login by Unix domain socket
-local all postgres peer
-
-# TYPE DATABASE USER ADDRESS METHOD
-
-# Unix domain socket: allow all local connections without password
-local all all trust
-
-# IPv4 local connections:
-host all all 127.0.0.1/32 md5
-# IPv6 local connections:
-host all all ::1/128 md5
-# Allow replication connections from localhost, by a user with the
-# replication privilege.
-local replication all peer
-host replication all 127.0.0.1/32 md5
-host replication all ::1/128 md5
-
-# Allow incoming SSL connections without password
-# protected by filtering on source ipaddr using nftables
-hostssl all all 0.0.0.0/0 trust
diff --git a/ansible/roles/postgresql13/templates/postgresql.conf b/ansible/roles/postgresql13/templates/postgresql.conf
deleted file mode 100644
index 30006fe7d..000000000
--- a/ansible/roles/postgresql13/templates/postgresql.conf
+++ /dev/null
@@ -1,817 +0,0 @@ -# ----------------------------- -# PostgreSQL configuration file -# ----------------------------- -# -# This file consists of lines of the form: -# -# name = value -# -# (The "=" is optional.) Whitespace may be used. Comments are introduced with -# "#" anywhere on a line. The complete list of parameter names and allowed -# values can be found in the PostgreSQL documentation. -# -# The commented-out settings shown in this file represent the default values. -# Re-commenting a setting is NOT sufficient to revert it to the default value; -# you need to reload the server. -# -# This file is read on server startup and when the server receives a SIGHUP -# signal. If you edit the file on a running system, you have to SIGHUP the -# server for the changes to take effect, run "pg_ctl reload", or execute -# "SELECT pg_reload_conf()". Some parameters, which are marked below, -# require a server shutdown and restart to take effect. -# -# Any parameter can also be given as a command-line option to the server, e.g., -# "postgres -c log_connections=on". Some parameters can be changed at run time -# with the "SET" SQL command. -# -# Memory units: B = bytes Time units: us = microseconds -# kB = kilobytes ms = milliseconds -# MB = megabytes s = seconds -# GB = gigabytes min = minutes -# TB = terabytes h = hours -# d = days - - -#------------------------------------------------------------------------------ -# FILE LOCATIONS -#------------------------------------------------------------------------------ - -# The default values of these variables are driven from the -D command-line -# option or PGDATA environment variable, represented here as ConfigDir. 
- -data_directory = '/var/lib/postgresql/13/main' # use data in another directory - # (change requires restart) -hba_file = '/etc/postgresql/13/main/pg_hba.conf' # host-based authentication file - # (change requires restart) -ident_file = '/etc/postgresql/13/main/pg_ident.conf' # ident configuration file - # (change requires restart) - -# If external_pid_file is not explicitly set, no extra PID file is written. -external_pid_file = '/var/run/postgresql/13-main.pid' # write an extra PID file - # (change requires restart) - - -#------------------------------------------------------------------------------ -# CONNECTIONS AND AUTHENTICATION -#------------------------------------------------------------------------------ - -# - Connection Settings - - -#listen_addresses = 'localhost' # what IP address(es) to listen on; -listen_addresses = '*' - # comma-separated list of addresses; - # defaults to 'localhost'; use '*' for all - # (change requires restart) -port = 5432 # (change requires restart) -max_connections = 100 # (change requires restart) -#superuser_reserved_connections = 3 # (change requires restart) -unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories - # (change requires restart) -#unix_socket_group = '' # (change requires restart) -#unix_socket_permissions = 0777 # begin with 0 to use octal notation - # (change requires restart) -#bonjour = off # advertise server via Bonjour - # (change requires restart) -#bonjour_name = '' # defaults to the computer name - # (change requires restart) - -# - TCP settings - -# see "man tcp" for details - -#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; - # 0 selects the system default -#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; - # 0 selects the system default -#tcp_keepalives_count = 0 # TCP_KEEPCNT; - # 0 selects the system default -#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds; - # 0 selects the system default - -# - Authentication - - 
-#authentication_timeout = 1min # 1s-600s -#password_encryption = md5 # md5 or scram-sha-256 -#db_user_namespace = off - -# GSSAPI using Kerberos -#krb_server_keyfile = '' -#krb_caseins_users = off - -# - SSL - - -ssl = on -#ssl_ca_file = '' -ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' -#ssl_crl_file = '' -ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' -#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers -#ssl_prefer_server_ciphers = on -#ssl_ecdh_curve = 'prime256v1' -#ssl_min_protocol_version = 'TLSv1.2' -#ssl_max_protocol_version = '' -#ssl_dh_params_file = '' -#ssl_passphrase_command = '' -#ssl_passphrase_command_supports_reload = off - - -#------------------------------------------------------------------------------ -# RESOURCE USAGE (except WAL) -#------------------------------------------------------------------------------ - -# - Memory - - -{% if inventory_hostname == 'ams-pg-test.ooni.org' %} -shared_buffers = 128MB -{% else %} -shared_buffers = 4011MB -{% endif %} - - # (change requires restart) -#huge_pages = try # on, off, or try - # (change requires restart) -#temp_buffers = 8MB # min 800kB -#max_prepared_transactions = 0 # zero disables the feature - # (change requires restart) -# Caution: it is not advisable to set max_prepared_transactions nonzero unless -# you actively intend to use prepared transactions. 
-#hash_mem_multiplier = 1.0 # 1-1000.0 multiplier on hash table work_mem - - -{% if inventory_hostname == 'ams-pg-test.ooni.org' %} -work_mem = 4MB -{% else %} -work_mem = 32MB -{% endif %} - -{% if inventory_hostname == 'ams-pg-test.ooni.org' %} -maintenance_work_mem = 64MB -{% else %} -maintenance_work_mem = 1024MB -{% endif %} - -#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem -#logical_decoding_work_mem = 64MB # min 64kB -#max_stack_depth = 2MB # min 100kB -#shared_memory_type = mmap # the default is the first option - # supported by the operating system: - # mmap - # sysv - # windows - # (change requires restart) -dynamic_shared_memory_type = posix # the default is the first option - # supported by the operating system: - # posix - # sysv - # windows - # mmap - # use none to disable dynamic shared memory - # (change requires restart) - -# - Disk - - -#temp_file_limit = -1 # limits per-process temp file space - # in kilobytes, or -1 for no limit - -# - Kernel Resources - - -#max_files_per_process = 1000 # min 64 - # (change requires restart) - -# - Cost-Based Vacuum Delay - - -#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables) -#vacuum_cost_page_hit = 1 # 0-10000 credits -#vacuum_cost_page_miss = 10 # 0-10000 credits -#vacuum_cost_page_dirty = 20 # 0-10000 credits -#vacuum_cost_limit = 200 # 1-10000 credits - -# - Background Writer - - -#bgwriter_delay = 200ms # 10-10000ms between rounds -#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables -#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round -#bgwriter_flush_after = 512kB # measured in pages, 0 disables - -# - Asynchronous Behavior - - -## Optimized for SSD -effective_io_concurrency = 8 - -#max_worker_processes = 8 # (change requires restart) -#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers - -max_parallel_maintenance_workers = 16 - -#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers 
-#parallel_leader_participation = on -#max_parallel_workers = 8 # maximum number of max_worker_processes that - # can be used in parallel operations - -max_parallel_workers = 16 - -#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate - # (change requires restart) -#backend_flush_after = 0 # measured in pages, 0 disables - - -#------------------------------------------------------------------------------ -# WRITE-AHEAD LOG -#------------------------------------------------------------------------------ -# - Settings - - -#wal_level = replica # minimal, replica, or logical - # (change requires restart) - -wal_level = minimal - -#fsync = on # flush data to disk for crash safety - # (turning this off can cause - # unrecoverable data corruption) -# TODO -synchronous_commit = off # synchronization level; - # off, local, remote_write, remote_apply, or on -#wal_sync_method = fsync # the default is the first option - # supported by the operating system: - # open_datasync - # fdatasync (default on Linux) - # fsync - # fsync_writethrough - # open_sync -# TODO restore after import -full_page_writes = off # recover from partial page writes -#wal_compression = off # enable compression of full-page writes -#wal_log_hints = off # also do full page writes of non-critical updates - # (change requires restart) - -#wal_init_zero = on # zero-fill new WAL files -#wal_recycle = on # recycle WAL files -#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers -#wal_buffers = 16MB # min 32kB, -1 sets based on shared_buffers - # (change requires restart) -#wal_writer_delay = 200ms # 1-10000 milliseconds -#wal_writer_flush_after = 1MB # measured in pages, 0 disables -#wal_skip_threshold = 2MB - -#commit_delay = 0 # range 0-100000, in microseconds -#commit_siblings = 5 # range 1-1000 - -# - Checkpoints - - -#checkpoint_timeout = 5min # range 30s-1d -max_wal_size = 1GB -min_wal_size = 80MB -#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 
-#checkpoint_flush_after = 256kB # measured in pages, 0 disables -#checkpoint_warning = 30s # 0 disables - -# - Archiving - - -archive_mode = off - -#archive_mode = off # enables archiving; off, on, or always - # (change requires restart) -#archive_command = '' # command to use to archive a logfile segment - # placeholders: %p = path of file to archive - # %f = file name only - # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' -#archive_timeout = 0 # force a logfile segment switch after this - # number of seconds; 0 disables - -# - Archive Recovery - - -# These are only used in recovery mode. - -#restore_command = '' # command to use to restore an archived logfile segment - # placeholders: %p = path of file to restore - # %f = file name only - # e.g. 'cp /mnt/server/archivedir/%f %p' - # (change requires restart) -#archive_cleanup_command = '' # command to execute at every restartpoint -#recovery_end_command = '' # command to execute at completion of recovery - -# - Recovery Target - - -# Set these only when performing a targeted recovery. 
- -#recovery_target = '' # 'immediate' to end recovery as soon as a - # consistent state is reached - # (change requires restart) -#recovery_target_name = '' # the named restore point to which recovery will proceed - # (change requires restart) -#recovery_target_time = '' # the time stamp up to which recovery will proceed - # (change requires restart) -#recovery_target_xid = '' # the transaction ID up to which recovery will proceed - # (change requires restart) -#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed - # (change requires restart) -#recovery_target_inclusive = on # Specifies whether to stop: - # just after the specified recovery target (on) - # just before the recovery target (off) - # (change requires restart) -#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID - # (change requires restart) -#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown' - # (change requires restart) - - -#------------------------------------------------------------------------------ -# REPLICATION -#------------------------------------------------------------------------------ - -# - Sending Servers - - -# Set these on the master and on any standby that will send replication data. - -#max_wal_senders = 10 # max number of walsender processes - # (change requires restart) -#wal_keep_size = 0 # in megabytes; 0 disables -#max_slot_wal_keep_size = -1 # in megabytes; -1 disables -#wal_sender_timeout = 60s # in milliseconds; 0 disables - -#max_replication_slots = 10 # max number of replication slots - # (change requires restart) -#track_commit_timestamp = off # collect timestamp of transaction commit - # (change requires restart) - -# - Master Server - - -# These settings are ignored on a standby server. 
- -#synchronous_standby_names = '' # standby servers that provide sync rep - # method to choose sync standbys, number of sync standbys, - # and comma-separated list of application_name - # from standby(s); '*' = all -#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed - -# - Standby Servers - - -# These settings are ignored on a master server. - -#primary_conninfo = '' # connection string to sending server -#primary_slot_name = '' # replication slot on sending server -#promote_trigger_file = '' # file name whose presence ends recovery -#hot_standby = on # "off" disallows queries during recovery - # (change requires restart) -#max_standby_archive_delay = 30s # max delay before canceling queries - # when reading WAL from archive; - # -1 allows indefinite delay -#max_standby_streaming_delay = 30s # max delay before canceling queries - # when reading streaming WAL; - # -1 allows indefinite delay -#wal_receiver_create_temp_slot = off # create temp slot if primary_slot_name - # is not set -#wal_receiver_status_interval = 10s # send replies at least this often - # 0 disables -#hot_standby_feedback = off # send info from standby to prevent - # query conflicts -#wal_receiver_timeout = 60s # time that receiver waits for - # communication from master - # in milliseconds; 0 disables -#wal_retrieve_retry_interval = 5s # time to wait before retrying to - # retrieve WAL after a failed attempt -#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery - -# - Subscribers - - -# These settings are ignored on a publisher. 
- -#max_logical_replication_workers = 4 # taken from max_worker_processes - # (change requires restart) -#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers - - -#------------------------------------------------------------------------------ -# QUERY TUNING -#------------------------------------------------------------------------------ - -# - Planner Method Configuration - - -#enable_bitmapscan = on -#enable_hashagg = on -#enable_hashjoin = on -#enable_indexscan = on -#enable_indexonlyscan = on -#enable_material = on -#enable_mergejoin = on -#enable_nestloop = on -#enable_parallel_append = on -#enable_seqscan = on -#enable_sort = on -#enable_incremental_sort = on -#enable_tidscan = on -#enable_partitionwise_join = off -#enable_partitionwise_aggregate = off -#enable_parallel_hash = on -#enable_partition_pruning = on - -# - Planner Cost Constants - - -seq_page_cost = 1.0 # measured on an arbitrary scale -random_page_cost = 1.0 # same scale as above -#cpu_tuple_cost = 0.01 # same scale as above -#cpu_index_tuple_cost = 0.005 # same scale as above -#cpu_operator_cost = 0.0025 # same scale as above -#parallel_tuple_cost = 0.1 # same scale as above -#parallel_setup_cost = 1000.0 # same scale as above - -#jit_above_cost = 100000 # perform JIT compilation if available - # and query more expensive than this; - # -1 disables -#jit_inline_above_cost = 500000 # inline small functions if query is - # more expensive than this; -1 disables -#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if - # query is more expensive than this; - # -1 disables - -#min_parallel_table_scan_size = 8MB -#min_parallel_index_scan_size = 512kB -effective_cache_size = 12035MB - -# - Genetic Query Optimizer - - -#geqo = on -#geqo_threshold = 12 -#geqo_effort = 5 # range 1-10 -#geqo_pool_size = 0 # selects default based on effort -#geqo_generations = 0 # selects default based on effort -#geqo_selection_bias = 2.0 # range 1.5-2.0 -#geqo_seed = 0.0 # 
range 0.0-1.0 - -# - Other Planner Options - - -#default_statistics_target = 100 # range 1-10000 -#constraint_exclusion = partition # on, off, or partition -#cursor_tuple_fraction = 0.1 # range 0.0-1.0 -#from_collapse_limit = 8 -#join_collapse_limit = 8 # 1 disables collapsing of explicit - # JOIN clauses -#force_parallel_mode = off -#jit = on # allow JIT compilation -#plan_cache_mode = auto # auto, force_generic_plan or - # force_custom_plan - - -#------------------------------------------------------------------------------ -# REPORTING AND LOGGING -#------------------------------------------------------------------------------ - -# - Where to Log - - -#log_destination = 'stderr' # Valid values are combinations of - # stderr, csvlog, syslog, and eventlog, - # depending on platform. csvlog - # requires logging_collector to be on. - -# This is used when logging to stderr: -#logging_collector = off # Enable capturing of stderr and csvlog - # into log files. Required to be on for - # csvlogs. - # (change requires restart) - -# These are only used if logging_collector is on: -#log_directory = 'log' # directory where log files are written, - # can be absolute or relative to PGDATA -#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, - # can include strftime() escapes -#log_file_mode = 0600 # creation mode for log files, - # begin with 0 to use octal notation -#log_truncate_on_rotation = off # If on, an existing log file with the - # same name as the new log file will be - # truncated rather than appended to. - # But such truncation only occurs on - # time-driven rotation, not on restarts - # or size-driven rotation. Default is - # off, meaning append to existing files - # in all cases. -#log_rotation_age = 1d # Automatic rotation of logfiles will - # happen after that time. 0 disables. -#log_rotation_size = 10MB # Automatic rotation of logfiles will - # happen after that much log output. - # 0 disables. 
- -# These are relevant when logging to syslog: -#syslog_facility = 'LOCAL0' -#syslog_ident = 'postgres' -#syslog_sequence_numbers = on -#syslog_split_messages = on - -# This is only relevant when logging to eventlog (win32): -# (change requires restart) -#event_source = 'PostgreSQL' - -# - When to Log - - -#log_min_messages = warning # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # info - # notice - # warning - # error - # log - # fatal - # panic - -#log_min_error_statement = error # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # info - # notice - # warning - # error - # log - # fatal - # panic (effectively off) - -#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements - # and their durations, > 0 logs only - # statements running at least this number - # of milliseconds - -#log_min_duration_sample = -1 # -1 is disabled, 0 logs a sample of statements - # and their durations, > 0 logs only a sample of - # statements running at least this number - # of milliseconds; - # sample fraction is determined by log_statement_sample_rate - -#log_statement_sample_rate = 1.0 # fraction of logged statements exceeding - # log_min_duration_sample to be logged; - # 1.0 logs all such statements, 0.0 never logs - - -#log_transaction_sample_rate = 0.0 # fraction of transactions whose statements - # are logged regardless of their duration; 1.0 logs all - # statements from all transactions, 0.0 never logs - -# - What to Log - - -#debug_print_parse = off -#debug_print_rewritten = off -#debug_print_plan = off -#debug_pretty_print = on -#log_checkpoints = off -#log_connections = off -#log_disconnections = off -#log_duration = off -#log_error_verbosity = default # terse, default, or verbose messages -#log_hostname = off -log_line_prefix = '%m [%p] %q%u@%d ' # special values: - # %a = application name - # %u = user name - # %d = database name - # %r = remote host and port - # 
%h = remote host - # %b = backend type - # %p = process ID - # %t = timestamp without milliseconds - # %m = timestamp with milliseconds - # %n = timestamp with milliseconds (as a Unix epoch) - # %i = command tag - # %e = SQL state - # %c = session ID - # %l = session line number - # %s = session start timestamp - # %v = virtual transaction ID - # %x = transaction ID (0 if none) - # %q = stop here in non-session - # processes - # %% = '%' - # e.g. '<%u%%%d> ' -#log_lock_waits = off # log lock waits >= deadlock_timeout -#log_parameter_max_length = -1 # when logging statements, limit logged - # bind-parameter values to N bytes; - # -1 means print in full, 0 disables -#log_parameter_max_length_on_error = 0 # when logging an error, limit logged - # bind-parameter values to N bytes; - # -1 means print in full, 0 disables -#log_statement = 'none' # none, ddl, mod, all -#log_replication_commands = off -#log_temp_files = -1 # log temporary files equal or larger - # than the specified size in kilobytes; - # -1 disables, 0 logs all temp files -log_timezone = 'Etc/UTC' - -#------------------------------------------------------------------------------ -# PROCESS TITLE -#------------------------------------------------------------------------------ - -cluster_name = '13/main' # added to process titles if nonempty - # (change requires restart) -#update_process_title = on - - -#------------------------------------------------------------------------------ -# STATISTICS -#------------------------------------------------------------------------------ - -# - Query and Index Statistics Collector - - -#track_activities = on -#track_counts = on -#track_io_timing = off -#track_functions = none # none, pl, all -#track_activity_query_size = 1024 # (change requires restart) -stats_temp_directory = '/var/run/postgresql/13-main.pg_stat_tmp' - - -# - Monitoring - - -#log_parser_stats = off -#log_planner_stats = off -#log_executor_stats = off -#log_statement_stats = off - - 
-#------------------------------------------------------------------------------ -# AUTOVACUUM -#------------------------------------------------------------------------------ - -autovacuum = on - - # requires track_counts to also be on. -#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and - # their durations, > 0 logs only - # actions running at least this number - # of milliseconds. -#autovacuum_max_workers = 3 # max number of autovacuum subprocesses - # (change requires restart) -#autovacuum_naptime = 1min # time between autovacuum runs -#autovacuum_vacuum_threshold = 50 # min number of row updates before - # vacuum -#autovacuum_vacuum_insert_threshold = 1000 # min number of row inserts - # before vacuum; -1 disables insert - # vacuums -#autovacuum_analyze_threshold = 50 # min number of row updates before - # analyze -#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum -#autovacuum_vacuum_insert_scale_factor = 0.2 # fraction of inserts over table - # size before insert vacuum -#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze -#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum - # (change requires restart) -#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age - # before forced vacuum - # (change requires restart) -#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for - # autovacuum, in milliseconds; - # -1 means use vacuum_cost_delay -#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for - # autovacuum, -1 means use - # vacuum_cost_limit - - -#------------------------------------------------------------------------------ -# CLIENT CONNECTION DEFAULTS -#------------------------------------------------------------------------------ - -# - Statement Behavior - - -#client_min_messages = notice # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # log - # notice - # warning - # 
error -#search_path = '"$user", public' # schema names -#row_security = on -#default_tablespace = '' # a tablespace name, '' uses the default -#temp_tablespaces = '' # a list of tablespace names, '' uses - # only default tablespace -#default_table_access_method = 'heap' -#check_function_bodies = on -#default_transaction_isolation = 'read committed' -#default_transaction_read_only = off -#default_transaction_deferrable = off -#session_replication_role = 'origin' -#statement_timeout = 0 # in milliseconds, 0 is disabled -#lock_timeout = 0 # in milliseconds, 0 is disabled -#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled -#vacuum_freeze_min_age = 50000000 -#vacuum_freeze_table_age = 150000000 -#vacuum_multixact_freeze_min_age = 5000000 -#vacuum_multixact_freeze_table_age = 150000000 -#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples - # before index cleanup, 0 always performs - # index cleanup -#bytea_output = 'hex' # hex, escape -#xmlbinary = 'base64' -#xmloption = 'content' -#gin_fuzzy_search_limit = 0 -#gin_pending_list_limit = 4MB - -# - Locale and Formatting - - -datestyle = 'iso, mdy' -#intervalstyle = 'postgres' -timezone = 'Etc/UTC' -#timezone_abbreviations = 'Default' # Select the set of available time zone - # abbreviations. Currently, there are - # Default - # Australia (historical usage) - # India - # You can create your own file in - # share/timezonesets/. -#extra_float_digits = 1 # min -15, max 3; any value >0 actually - # selects precise output mode -#client_encoding = sql_ascii # actually, defaults to database - # encoding - -# These settings are initialized by initdb, but they can be changed. 
-lc_messages = 'C.UTF-8' # locale for system error message - # strings -lc_monetary = 'C.UTF-8' # locale for monetary formatting -lc_numeric = 'C.UTF-8' # locale for number formatting -lc_time = 'C.UTF-8' # locale for time formatting - -# default configuration for text search -default_text_search_config = 'pg_catalog.english' - -# - Shared Library Preloading - - -#shared_preload_libraries = '' # (change requires restart) -#local_preload_libraries = '' -#session_preload_libraries = '' -#jit_provider = 'llvmjit' # JIT library to use - -# - Other Defaults - - -#dynamic_library_path = '$libdir' -#extension_destdir = '' # prepend path when loading extensions - # and shared objects (added by Debian) - - -#------------------------------------------------------------------------------ -# LOCK MANAGEMENT -#------------------------------------------------------------------------------ - -#deadlock_timeout = 1s -#max_locks_per_transaction = 64 # min 10 - # (change requires restart) -#max_pred_locks_per_transaction = 64 # min 10 - # (change requires restart) -#max_pred_locks_per_relation = -2 # negative values mean - # (max_pred_locks_per_transaction - # / -max_pred_locks_per_relation) - 1 -#max_pred_locks_per_page = 2 # min 0 - - -#------------------------------------------------------------------------------ -# VERSION AND PLATFORM COMPATIBILITY -#------------------------------------------------------------------------------ - -# - Previous PostgreSQL Versions - - -#array_nulls = on -#backslash_quote = safe_encoding # on, off, or safe_encoding -#escape_string_warning = on -#lo_compat_privileges = off -#operator_precedence_warning = off -#quote_all_identifiers = off -#standard_conforming_strings = on -#synchronize_seqscans = on - -# - Other Platforms and Clients - - -#transform_null_equals = off - - -#------------------------------------------------------------------------------ -# ERROR HANDLING -#------------------------------------------------------------------------------ 
-
-#exit_on_error = off # terminate session on any error?
-#restart_after_crash = on # reinitialize after backend crash?
-#data_sync_retry = off # retry or panic on failure to fsync
- # data?
- # (change requires restart)
-
-
-#------------------------------------------------------------------------------
-# CONFIG FILE INCLUDES
-#------------------------------------------------------------------------------
-
-# These options allow settings to be loaded from files other than the
-# default postgresql.conf. Note that these are directives, not variable
-# assignments, so they can usefully be given more than once.
-
-include_dir = 'conf.d' # include files ending in '.conf' from
- # a directory, e.g., 'conf.d'
-#include_if_exists = '...' # include file only if it exists
-#include = '...' # include file
-
-
-#------------------------------------------------------------------------------
-# CUSTOMIZED OPTIONS
-#------------------------------------------------------------------------------
-
-# Add settings for extensions here
diff --git a/ansible/roles/pushgateway/templates/pushgateway_nginx.conf b/ansible/roles/pushgateway/templates/pushgateway_nginx.conf
index ab25d3e04..27727eef0 100644
--- a/ansible/roles/pushgateway/templates/pushgateway_nginx.conf
+++ b/ansible/roles/pushgateway/templates/pushgateway_nginx.conf
@@ -28,10 +28,6 @@ server {
 }
 location = /metrics/job/metadb_wal {
- if ($ssl_client_s_dn != "CN=plpsql@hkgmetadb.infra.ooni.io,OU=Prometheus Pusher,O=OONI") {
- return 403;
- }
-
 allow {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }};
 deny all;
 proxy_pass http://{{ pushgateway_listen_address }};
 }
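Review bot: With the client-certificate DN check gone, the only thing gating `/metrics/job/metadb_wal` is `allow {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }};`, an address resolved once at template-render time; the rest of this commit looks like it decommissions that host, in which case the rule is stale and, once the A record is removed, the lookup will (as far as I recall of Ansible's dig lookup) render as `allow NXDOMAIN;`, which fails `nginx -t` and blocks every later deploy of this role. If the pusher is gone, drop the whole `location = /metrics/job/metadb_wal { ... }` block rather than leaving a DNS-dependent allowlist behind, and check what the surrounding `server` block then serves for that path. If the path must stay reserved for a future pusher, keep only `deny all;` (no `allow`, no `proxy_pass`) until the replacement's identity check is in place. The enclosing `server` block starts and ends outside the hunk.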