Connect to Redis via a UNIX socket rather than TCP

chewi · chewi · commit 14a660ece465 · 2017-06-12T16:51:57.000+01:00
We are already assuming that Redis is local. A UNIX socket is faster,
more secure, and avoids the IPv6 headache.

We now have to create the git user earlier so that the redisio
cookbook does not create it with different properties and because
usermod will fail if Redis is already running.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -72,8 +72,18 @@
   nodejs::install
 )
 
-# Redisio instance name
-default['gitlab']['redis_instance'] = 'redis-server'
+# redisio instance
+default['gitlab']['redis_instance'] = 'redisgitlab'
+default['redisio']['servers'] = [
+  {
+    'name' => 'gitlab',
+    'user' => node['gitlab']['user'],
+    'group' => node['gitlab']['group'],
+    'unixsocket' => '/var/run/redis/gitlab/redis.sock',
+    'unixsocketperm' => '660',
+    'port' => 0
+  }
+]
 
 # Required packages for Gitlab
 default['gitlab']['packages'] = %w(
diff --git a/recipes/default.rb b/recipes/default.rb
@@ -42,14 +42,6 @@
 extend SELinuxPolicy::Helpers
 include_recipe 'selinux_policy::install' if use_selinux
 
-# Install the required packages via cookbook
-node['gitlab']['cookbook_dependencies'].each do |requirement|
-  include_recipe requirement
-end
-
-# Install required packages for Gitlab
-package node['gitlab']['packages']
-
 # Add a git user for Gitlab
 user node['gitlab']['user'] do
   comment 'Gitlab User'
@@ -58,6 +50,14 @@
   supports manage_home: true
 end
 
+# Install the required packages via cookbook
+node['gitlab']['cookbook_dependencies'].each do |requirement|
+  include_recipe requirement
+end
+
+# Install required packages for Gitlab
+package node['gitlab']['packages']
+
 # Fix home permissions for nginx
 directory node['gitlab']['home'] do
   owner node['gitlab']['user']
@@ -178,6 +178,9 @@ class file open;
 api_fqdn = \
   node['gitlab']['shell']['gitlab_host'] || node['gitlab']['web_fqdn']
 
+redis_socket = \
+  node['redisio']['servers'].find { |s| s['name'] == 'gitlab' }['unixsocket']
+
 # render gitlab-shell config
 template node['gitlab']['shell']['home'] + '/config.yml' do
   owner node['gitlab']['user']
@@ -186,7 +189,8 @@ class file open;
   source 'shell_config.yml.erb'
   variables(
     fqdn: api_fqdn,
-    listen_port: listen_port
+    listen_port: listen_port,
+    redis_socket: redis_socket
   )
 end
 
@@ -233,6 +237,15 @@ class file open;
   )
 end
 
+file "#{node['gitlab']['app_home']}/config/resque.yml" do
+  owner 'root'
+  group node['gitlab']['group']
+  mode '0640'
+  content lazy {
+    { 'production' => { 'url' => "unix:#{redis_socket}" } }.to_yaml
+  }
+end
+
 # Render gitlab config file
 template "#{node['gitlab']['app_home']}/config/gitlab.yml" do
   owner node['gitlab']['user']
@@ -463,4 +476,5 @@ class unix_stream_socket connectto;
   pattern "unicorn_rails master -D -c #{node['gitlab']['app_home']}/config/unicorn.rb"
   action [:enable, :start]
   subscribes :restart, "template[#{node['gitlab']['app_home']}/config/gitlab.yml]", :delayed
+  subscribes :restart, "file[#{node['gitlab']['app_home']}/config/resque.yml]", :delayed
 end
diff --git a/templates/default/shell_config.yml.erb b/templates/default/shell_config.yml.erb
@@ -21,9 +21,7 @@ auth_file: <%= node['gitlab']['home'] + "/.ssh/authorized_keys"%>
 # Redis settings used for pushing commit notices to gitlab
 redis:
   bin: <%= node['redisio']['bin_path'] %>/redis-cli
-  host: 127.0.0.1
-  port: 6379
-  # socket: /tmp/redis.socket # Only define this if you want to use sockets
+  socket: <%= @redis_socket %>
   namespace: resque:gitlab
 
 # Log file.
