|
Will merge when corresponding PR is merged on vglass |
|
I was getting too tricky here with the dom0-cfg file. Monit is listening on 0.0.0.0 from /etc/monitrc with default credentials. I think I'll change to using a monitrc override. Is the 2 second refresh good? Maybe 5 seconds would be good enough while allowing more sleep? |
|
We've had good results with a 6 second interval using a custom monitrc. |
0dc1d1c to 3ee1c68
|
Re-worked the dom0 configuration into monitrc via an override and moved the volatiles portion into volatiles-cfg. |
|
The vglass changes were merged, so this can go in: https://gitlab.com/vglass/meta-vglass/-/merge_requests/20 |
|
@jandryuk can you resolve the conflicts and then I'll merge? |
Undo the masking of meta-selinux initscript bbappend. It was originally added in commit b318c93 because checkroot.sh didn't exist. But now the file does, so that is not a problem.

commit c43cb3a "layer: Amend comment on BBMASK in layer.conf." expanded the comment to mention populate-volatiles.sh.

The populate-volatiles.sh part we actually want so that /var/volatile is labeled properly. `touch /var/log/lastlog` is superfluous with the volatiles creating it, so that is fine. restorecon against the read-write /var/volatile and /run are fine. /var/lib is read only, but labels were set already during image creation. Since the label is correct, restorecon won't try to modify it. /etc/resolv.conf is a readonly symlink to volatile, so that is also okay. /etc/adjtime does not exist, but restorecon `-i` will skip nonexistent files, so that is okay to leave.

We want this so that monit will have properly labeled /var/lib/monit -> /var/volatile/monit access.

Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
We want to run monit in dom0, but the refpolicy needs some tweaks.

With monit using volatiles, we need to label /var/volatile/monit and allow following the symlink from /var/lib/monit to there.

Monit will start and stop vglass, disman, & ivcdaemon via initscript, so that needs to be allowed.

Trying to put init_domtrans_script(monit_t) inside the monit_startstop_services tunable_policy failed to build with:

    ERROR 'syntax error' at token 'range_transition' on line 7718:
    | range_transition monit_t initrc_exec_t:process s0;

Moving it outside of the tunable_policy section let everything build.

Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
We want monit to run in dom0 to monitor vglass, disman and ivcdaemon. Those components only run in runlevel 5. If we don't do something, monit would start them in console mode (runlevel 3).

Solve this by only running monit in runlevel 5. It works for now since monit is only watching vglass and friends.

The benefit of this is to streamline monit's checks. Monit doesn't have an internal notion of the current runlevel, so it would have to check the current runlevel on each interval which adds up.

Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Monit used /var/lib/monit for writeable id and state files. Use volatiles to provide that.

Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Configure dom0 via a drop-in to /etc/monit.d to avoid having to import and overwrite monitrc.

30 seconds is a little too long to wait for monit to discover the UI has died. Decrease it to 2 seconds. Also use a delay of 12 seconds to give disman and vglass time to start before monit attempts to start them.

Point monit paths to the volatile path /var/lib/monit, so it doesn't try to use the default of /root/.monit.

Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
3ee1c68 to b6112e8
|
I rebased and force-pushed here. The conflicts were minor from the refpolicy uprev. This PR and #1442 will conflict since they both add patches to refpolicy. Let's just do this one first and then I'll re-rebase the usbvm one. |
|
Merged |
This adds monit to dom0. It will monitor vglass, disman & ivcdaemon and restart them as necessary.
We want to run more frequently than the default monit interval of 30 seconds, so we use every 2 seconds. There is also a 12 second delay at startup to give things a chance to start. I did this via dom0-cfg to avoid overriding monitrc which would require keeping in sync... Maybe this was a bad choice and monitrc should just be overridden.
refpolicy needs tweaks to work with volatiles and actually start the daemons.
Goes with https://gitlab.com/vglass/meta-vglass/-/merge_requests/20
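
A check for the condition raised in the review comments above (monit listening on 0.0.0.0 with default credentials), as an added example that is not part of this pull request or the project's code. The function name, finding labels and both sample configurations are constructed for illustration; the check assumes that a `set httpd` statement without `use address` binds every interface and that `admin:monit` is the credential from monit's sample monitrc.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
DEFAULT_CRED = "admin:monit"  # user:password from monit's sample monitrc
NEXT_STATEMENT = {"set", "check", "include"}

def audit_httpd(config_text):
    """Return findings for every `set httpd` statement in a monit config."""
    # Strip comments and tokenise: monit statements may span several lines.
    # Simplification: a '#' inside a quoted string is not handled.
    tokens = re.sub(r"#.*", "", config_text).split()
    findings = []
    for i in range(len(tokens) - 1):
        if [t.lower() for t in tokens[i:i + 2]] != ["set", "httpd"]:
            continue
        body = []
        for tok in tokens[i + 2:]:
            if tok.lower() in NEXT_STATEMENT:
                break
            body.append(tok.replace('"', ""))
        lowered = [t.lower() for t in body]
        # Assumption: with no `use address`, the HTTP server binds all interfaces.
        addr = body[lowered.index("address") + 1] if "address" in lowered[:-1] else None
        if "port" in lowered and addr not in LOOPBACK:
            findings.append("non-loopback-bind")
        allows = [body[j + 1] for j, t in enumerate(lowered[:-1]) if t == "allow"]
        if DEFAULT_CRED in allows:
            findings.append("default-credential")
    return findings

# Constructed samples, not taken from the pull request.
WEAK_MONITRC = """
set daemon 30
set httpd port 2812 and
    use address 0.0.0.0     # reachable from every interface
    allow admin:monit       # sample credential left unchanged
check process demo with pidfile /run/demo.pid
"""

HARDENED_OVERRIDE = """
set daemon 2 with start delay 12
set httpd port 2812 and
    use address 127.0.0.1
    allow localhost
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_MONITRC), ("hardened", HARDENED_OVERRIDE)):
        print(name, audit_httpd(text) or "ok")
```

Run it against the effective configuration, meaning monitrc plus every file it includes from /etc/monit.d, since an override only helps if no other file still carries the weak `set httpd` statement.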