From 3c5d281651ba0e69760b1d5da1338d73830b293e Mon Sep 17 00:00:00 2001 From: Mark Wong Date: Wed, 20 Sep 2023 16:21:34 -0700 Subject: [PATCH] Move core dump setup into manage_operating_system * Move handling of installing helper packages to install debug symbols into manage_operating_system role; running the tools to install the debug symbols stay near respective package installation tasks * Set core size unlimited for all users, not just the database owner * Set core size limit in limits.conf, not in systemd * Do not adjust OS default setuid for potential core dumps * Stop overriding core dump locations, which confuses distro specific helper tools Note that core dump handling is currently only handled for RHEL based systems and EPAS. These changes rearrange the functionality that is currently available. --- roles/init_dbserver/defaults/main.yml | 1 - .../init_dbserver/tasks/pg_setup_systemd.yml | 12 ----- roles/install_dbserver/defaults/main.yml | 4 -- .../tasks/EPAS_RedHat_install.yml | 20 ++++++++ .../tasks/install_dbserver.yml | 7 --- .../install_dbserver/tasks/linux_coredump.yml | 49 ------------------- roles/manage_operating_system/README.md | 8 ++- .../manage_operating_system/defaults/main.yml | 1 + .../tasks/enable_core_dump.yml | 15 ++++++ roles/manage_operating_system/tasks/main.yml | 5 ++ roles/setup_patroni/defaults/main.yml | 1 - roles/setup_pgd/defaults/main.yml | 1 - roles/setup_pgd/tasks/pg_setup_systemd.yml | 12 ----- roles/setup_replication/defaults/main.yml | 2 - .../tasks/pg_setup_systemd.yml | 12 ----- 15 files changed, 48 insertions(+), 102 deletions(-) delete mode 100644 roles/install_dbserver/tasks/linux_coredump.yml create mode 100644 roles/manage_operating_system/tasks/enable_core_dump.yml diff --git a/roles/init_dbserver/defaults/main.yml b/roles/init_dbserver/defaults/main.yml index b3537b759..c6844fdda 100644 --- a/roles/init_dbserver/defaults/main.yml +++ b/roles/init_dbserver/defaults/main.yml 
@@ -35,7 +35,6 @@ disable_logging: true use_replication_slots: true use_hostname: true update_etc_file: true -enable_core_dump: false # setting validate_only to true allows you to validate setup on an existing node # use_validation flag applies to deployment configuration and validation after setup diff --git a/roles/init_dbserver/tasks/pg_setup_systemd.yml b/roles/init_dbserver/tasks/pg_setup_systemd.yml index 8ae56d07e..ad54137f2 100644 --- a/roles/init_dbserver/tasks/pg_setup_systemd.yml +++ b/roles/init_dbserver/tasks/pg_setup_systemd.yml @@ -28,15 +28,3 @@ become: true when: - ansible_os_family == 'RedHat' - -- name: Add LimitCORE in systemd file - edb_devops.edb_postgres.linesinfile: - path: "/etc/systemd/system/{{ pg_service }}.service" - lines: - - line: "LimitCORE=infinity" - regexp: "^LimitCORE=.*" - insertafter: "^\\[Service\\]$" - become: true - when: - - enable_core_dump|bool - - ansible_os_family == 'RedHat' diff --git a/roles/install_dbserver/defaults/main.yml b/roles/install_dbserver/defaults/main.yml index 54ab204e0..3794b8029 100644 --- a/roles/install_dbserver/defaults/main.yml +++ b/roles/install_dbserver/defaults/main.yml @@ -6,7 +6,6 @@ pg_version: 14 pg_tuner_version: 1 pg_owner: "{{ 'enterprisedb' if pg_type == 'EPAS' else 'postgres' }}" enable_core_dump: false -core_dump_directory: "/var/coredumps" pg_instance_name: "main" # setting validate_only to true allows you to validate setup on an existing node @@ -33,9 +32,6 @@ pg_deb_drop_cluster: "/usr/bin/pg_dropcluster" pg_service: "{{ lookup('edb_devops.edb_postgres.pg_service') }}" pg_ssl: true -sysctl_params: - - {"name": "fs.suid_dumpable", "value": "2", "state": "present"} - supported_os: - CentOS7 - CentOS8 diff --git a/roles/install_dbserver/tasks/EPAS_RedHat_install.yml b/roles/install_dbserver/tasks/EPAS_RedHat_install.yml index 4c7861e6d..0e9de5e55 100644 --- a/roles/install_dbserver/tasks/EPAS_RedHat_install.yml +++ b/roles/install_dbserver/tasks/EPAS_RedHat_install.yml 
@@ -70,3 +70,23 @@ state: present become: true when: pg_ssl + +- name: Install debuginfo helper packages + ansible.builtin.package: + name: + - yum-utils + state: present + become: true + when: enable_core_dump | bool + +- name: Install debug packages + ansible.builtin.command: + cmd: >- + debuginfo-install -y + edb-as{{ pg_version }}-server + edb-as{{ pg_version }}-server-core + edb-as{{ pg_version }}-server-contrib + edb-as{{ pg_version }}-server-libs + edb-as{{ pg_version }}-server-client + when: enable_core_dump | bool + become: true diff --git a/roles/install_dbserver/tasks/install_dbserver.yml b/roles/install_dbserver/tasks/install_dbserver.yml index c730c0dbc..ad973b71b 100644 --- a/roles/install_dbserver/tasks/install_dbserver.yml +++ b/roles/install_dbserver/tasks/install_dbserver.yml @@ -39,13 +39,6 @@ - not validate_only|bool - not remove_only|bool -- name: Enable coredump based on enable_core_dump - ansible.builtin.include_tasks: linux_coredump.yml - when: - - enable_core_dump|bool - - not validate_only|bool - - not remove_only|bool - - name: Validate install_dbserver tasks ansible.builtin.include_tasks: validate_install_dbserver.yml when: diff --git a/roles/install_dbserver/tasks/linux_coredump.yml b/roles/install_dbserver/tasks/linux_coredump.yml deleted file mode 100644 index f964a17ea..000000000 --- a/roles/install_dbserver/tasks/linux_coredump.yml +++ /dev/null 
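Review bot: The added `Install debug packages` task in roles/install_dbserver/tasks/EPAS_RedHat_install.yml runs `debuginfo-install` through `ansible.builtin.command` with no `changed_when:`, so it reports a change on every run even when the symbols are already installed. Registering the result and adding a `changed_when:` condition based on it would keep the play idempotent. The `Install debuginfo helper packages` task just above it installs `yum-utils`, which the new roles/manage_operating_system/tasks/enable_core_dump.yml in this commit also installs. The commit message says the helper packages move to manage_operating_system, so one of the two copies looks redundant. The include removed from install_dbserver.yml was also gated on `not validate_only|bool` and `not remove_only|bool`; whether this file is only reached under those conditions is not visible in the hunk and is worth confirming.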
@@ -1,49 +0,0 @@ ---- -- name: Ensure core dump directory exists - ansible.builtin.file: - path: "{{ core_dump_directory }}" - owner: root - mode: "0733" - state: directory - become: true - no_log: "{{ disable_logging }}" - -- name: Add core dump parameters in sysctl.conf - ansible.posix.sysctl: - name: "{{ line_item.name }}" - value: "{{ line_item.value }}" - state: "{{ line_item.state | default('present') }}" - reload: true - with_items: "{{ sysctl_params }}" - loop_control: - loop_var: line_item - become: true - no_log: "{{ disable_logging }}" - -- name: Update limits.conf file - community.general.pam_limits: - domain: "{{ pg_owner }}" - limit_type: soft - limit_item: core - value: unlimited - become: true - no_log: "{{ disable_logging }}" - -- name: Install debuginfo helper packages - ansible.builtin.package: - name: yum-utils - state: present - become: true - -- name: Install debug packages - ansible.builtin.command: - cmd: >- - debuginfo-install -y - edb-as{{ pg_version }}-server - edb-as{{ pg_version }}-server-core - edb-as{{ pg_version }}-server-contrib - edb-as{{ pg_version }}-server-libs - edb-as{{ pg_version }}-server-client - become: true - when: >- - pg_type == 'EPAS' diff --git a/roles/manage_operating_system/README.md b/roles/manage_operating_system/README.md index 2e5a75844..d0046c021 100644 --- a/roles/manage_operating_system/README.md +++ b/roles/manage_operating_system/README.md @@ -12,6 +12,11 @@ Following are the requirements of this role. When executing the role via Ansible these are the applicable variables: + * ***enable_core_dump*** + + When `true`, enable operating system facilities to capture and save core + dumps. Default: `false` + * ***enable_user_profiling*** When `true`, sets relevant operating system settings such that any user and @@ -49,6 +54,7 @@ Content of the `inventory.yml` file: pre_tasks: - name: Initialize the user defined variables ansible.builtin.set_fact: + enable_core_dump: true enable_user_profiling: true collections: 
@@ -65,7 +71,7 @@ $ ansible-playbook playbook.yml \ -i inventory.yml \ -u centos \ --private-key \ - --extra-vars="enable_user_profiling=true" + --extra-vars="enable_user_profiling=true enable_core_dump=true" ``` ## License diff --git a/roles/manage_operating_system/defaults/main.yml b/roles/manage_operating_system/defaults/main.yml index e28a9a583..a2acfd306 100644 --- a/roles/manage_operating_system/defaults/main.yml +++ b/roles/manage_operating_system/defaults/main.yml @@ -1,2 +1,3 @@ --- +enable_core_dump: false enable_user_profiling: false diff --git a/roles/manage_operating_system/tasks/enable_core_dump.yml b/roles/manage_operating_system/tasks/enable_core_dump.yml new file mode 100644 index 000000000..bd3cd8802 --- /dev/null +++ b/roles/manage_operating_system/tasks/enable_core_dump.yml @@ -0,0 +1,15 @@ +--- +- name: Enable unlimited core size for all users + community.general.pam_limits: + domain: "*" + limit_type: "-" + limit_item: "core" + value: "unlimited" + become: true + +- name: Install debuginfo helper packages + ansible.builtin.package: + name: yum-utils + state: present + when: ansible_os_family == 'RedHat' + become: true diff --git a/roles/manage_operating_system/tasks/main.yml b/roles/manage_operating_system/tasks/main.yml index 616c1e4bf..5badc97d1 100644 --- a/roles/manage_operating_system/tasks/main.yml +++ b/roles/manage_operating_system/tasks/main.yml @@ -3,3 +3,8 @@ ansible.builtin.include_tasks: enable_user_profiling.yml when: - enable_user_profiling | bool + +- name: Enable core dumps + ansible.builtin.include_tasks: enable_core_dump.yml + when: + - enable_core_dump | bool diff --git a/roles/setup_patroni/defaults/main.yml b/roles/setup_patroni/defaults/main.yml index c3703a923..c2822f34b 100644 --- a/roles/setup_patroni/defaults/main.yml +++ b/roles/setup_patroni/defaults/main.yml 
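Review bot: The `Enable unlimited core size for all users` task in the new roles/manage_operating_system/tasks/enable_core_dump.yml sets `domain: "*"` with `limit_type: "-"`, which lifts both the soft and hard core limit host-wide, and nothing in the role or the added README entry says what that exposes. Core files from a database server can hold credentials, key material and table data, and unlimited dumps can fill a disk. I would add a comment above the task such as `# Host-wide setting: core files may contain secrets; restrict access to the dump location and watch disk usage`, and repeat that caveat in the README entry for `enable_core_dump`. Writing the entry to a drop-in under `/etc/security/limits.d/` via the module's `dest:` parameter would also make it easier to audit and revert than editing limits.conf in place. Separately, limits.conf is applied by pam_limits to PAM sessions, and this commit removes the `LimitCORE=infinity` unit edits, so it should be verified on a target host that a server started by systemd actually receives the new limit.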
@@ -9,7 +9,6 @@ pg_remote_ssl_src: false disable_logging: true use_hostname: true update_etc_file: true -enable_core_dump: false use_replication_slots: true pass_dir: "~/.edb" diff --git a/roles/setup_pgd/defaults/main.yml b/roles/setup_pgd/defaults/main.yml index f496525d9..c70d16e86 100644 --- a/roles/setup_pgd/defaults/main.yml +++ b/roles/setup_pgd/defaults/main.yml @@ -22,7 +22,6 @@ disable_logging: true use_replication_slots: true use_hostname: true update_etc_file: true -enable_core_dump: false # setting validate_only to true allows you to validate setup on an existing node # use_validation flag applies to deployment configuration and validation after setup diff --git a/roles/setup_pgd/tasks/pg_setup_systemd.yml b/roles/setup_pgd/tasks/pg_setup_systemd.yml index 8ae56d07e..ad54137f2 100644 --- a/roles/setup_pgd/tasks/pg_setup_systemd.yml +++ b/roles/setup_pgd/tasks/pg_setup_systemd.yml @@ -28,15 +28,3 @@ become: true when: - ansible_os_family == 'RedHat' - -- name: Add LimitCORE in systemd file - edb_devops.edb_postgres.linesinfile: - path: "/etc/systemd/system/{{ pg_service }}.service" - lines: - - line: "LimitCORE=infinity" - regexp: "^LimitCORE=.*" - insertafter: "^\\[Service\\]$" - become: true - when: - - enable_core_dump|bool - - ansible_os_family == 'RedHat' diff --git a/roles/setup_replication/defaults/main.yml b/roles/setup_replication/defaults/main.yml index 8b964626c..2057d82ab 100644 --- a/roles/setup_replication/defaults/main.yml +++ b/roles/setup_replication/defaults/main.yml @@ -11,8 +11,6 @@ force_replication: false use_replication_slots: true use_hostname: true update_etc_file: true -enable_core_dump: false - # TDE functionality key edb_enable_tde: false diff --git a/roles/setup_replication/tasks/pg_setup_systemd.yml b/roles/setup_replication/tasks/pg_setup_systemd.yml index ffdf3cacf..950401047 100644 --- a/roles/setup_replication/tasks/pg_setup_systemd.yml +++ b/roles/setup_replication/tasks/pg_setup_systemd.yml 
@@ -29,15 +29,3 @@ become: true when: - ansible_os_family == "RedHat" - -- name: Add LimitCORE in systemd file - edb_devops.edb_postgres.linesinfile: - path: "/etc/systemd/system/{{ pg_service }}.service" - lines: - - line: "LimitCORE=infinity" - regexp: "^LimitCORE=.*" - insertafter: "^\\[Service\\]$" - become: true - when: - - enable_core_dump|bool - - ansible_os_family == 'RedHat'