feat: automate maintenance shutdown of Rosetta (issue #2297)

tasks/rosetta/configure_maintenance.yml

+---
+# ZIH has monthly maintenance windows for their VMware environment, which also
+# affects the Library Manager VMs used by SLUBArchiv.digital. This time window
+# is also used for upgrading the OS and IBM packages on the storage servers. To
+# make sure that there is no write/read access during that time, we shutdown
+# Rosetta and start them afterwards using systemd timers.
+- name: create directory for SystemD units
+  ansible.builtin.file:
+    path: "/usr/local/lib/systemd/system/"
+    mode: "0755"
+    state: directory
+    owner: "root"
+    group: "root"
+- name: install Rosetta maintenance services and timers
+  ansible.builtin.template:
+    src: "usr/local/lib/systemd/system/{{ item }}.j2"
+    dest: "/usr/local/lib/systemd/system/{{ item }}"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  loop:
+    - "rosetta_maintenance_begin.service"
+    - "rosetta_maintenance_begin.timer"
+    - "rosetta_maintenance_end.timer"
+- name: enable Rosetta maintenance services and timers
+  ansible.builtin.systemd:
+    name: "{{ item.name }}"
+    enabled: "{{ item.enabled | default(true) }}"
+    state: "{{ item.state | default('started') }}"
+    daemon_reload: true
+  loop:
+    - name: "rosetta_maintenance_begin.service"
+      state: "stopped"
+    - name: "rosetta_maintenance_begin.timer"
+    - name: "rosetta_maintenance_end.timer"

tasks/rosetta/main_rosetta.yml

@@ -13,6 +13,9 @@
 - name: configure Rosetta prerequisites
   ansible.builtin.import_tasks: "rosetta/configure_rosetta_prerequisites.yml"
   tags: [rosetta]
+- name: configure Rosetta maintenance timer
+  ansible.builtin.import_tasks: "rosetta/configure_maintenance.yml"
+  tags: [rosetta, maintenance, systemd, timer, cron, cronjob]
 - name: install Check_MK plugins for Rosetta
   ansible.builtin.import_tasks: "rosetta/install_checkmk_plugins_rosetta.yml"
   tags: [checkmk, monitoring]

templates/usr/local/lib/systemd/system/rosetta_maintenance_begin.service.j2

+[Unit]
+Description=stop Rosetta for monthly maintenance at ZIH
+After=remote-fs.target
+Conflicts=exlibris.service
+
+[Service]
+Type=simple
+Restart=no
+ExecStart=true
+User={{ vault_rosetta_user }}
+Group={{ vault_rosetta_group }}
+
+### Security features
+# documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# or at `man (5) systemd.exec`
+ProtectSystem=strict
+ProtectHome=read-only
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+#RestrictSUIDSGID=true
+## RemoveIPC=true
+## PrivateMounts=true
+## MountFlags=
+## SystemCallFilter is a Whitelist!!!
+#SystemCallFilter=@debug,@file-system
+#SystemCallErrorNumber=1337
+
+[Install]
+WantedBy=multi-user.target

templates/usr/local/lib/systemd/system/rosetta_maintenance_begin.timer.j2

+[Unit]
+Description=timer for rosetta_maintenance.service
+
+[Timer]
+# run on the 1st Tuesday of each month
+# You can validate your calendar expressions using `systemd-analyze calendar EXPR`.
+OnCalendar=Tue *-*-01..07 08:00:00
+Unit=rosetta_maintenance_begin
+
+[Install]
+WantedBy=default.target

templates/usr/local/lib/systemd/system/rosetta_maintenance_end.timer.j2

+[Unit]
+Description=timer for rosetta_maintenance.service
+
+[Timer]
+# run on the 1st Tuesday of each month
+# You can validate your calendar expressions using `systemd-analyze calendar EXPR`.
+OnCalendar=Tue *-*-01..07 11:00:00
+Unit=exlibris.service
+
+[Install]
+WantedBy=default.target