From 38dfaa92924b06b5ec8cffe4b2bdfbd2a774ab9d Mon Sep 17 00:00:00 2001
From: Trevor Robinson <trobinson@affinipay.com>
Date: Tue, 16 Aug 2016 18:51:31 -0500
Subject: [PATCH 1/2] Allow upstart to be used on non-Debian systems

---
 tasks/install.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/install.yml b/tasks/install.yml
index bd3967f..960f965 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -139,7 +139,7 @@
     owner=root
     group=root
     mode=0644
-  when: consul_use_upstart and ansible_os_family == "Debian"
+  when: consul_use_upstart
   notify:
     - "{{ consul_restart_handler }}"
 

From df103490f46f92c6434a42e6f37e3cdd42441bcd Mon Sep 17 00:00:00 2001
From: Trevor Robinson <trobinson@affinipay.com>
Date: Wed, 17 Aug 2016 15:22:01 -0500
Subject: [PATCH 2/2] Use su instead of sudo in upstart script (issue #163)

Remove unnecessary sudo from setcap
Also indent script for readability and include "normal exit 0 INT" for consul leave
---
 templates/consul.conf.j2 | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/templates/consul.conf.j2 b/templates/consul.conf.j2
index da40360..32fd094 100644
--- a/templates/consul.conf.j2
+++ b/templates/consul.conf.j2
@@ -5,29 +5,30 @@ start on (local-filesystems and net-device-up IFACE!=lo)
 stop on runlevel [016]
 
 script
-
-# Make sure to use all our CPUs, because Consul can block a scheduler thread
-
 {% if consul_dynamic_bind %}
-# Get the public IP
-BIND=`ifconfig eth0 | grep "inet addr" | awk '{ print substr($2,6) }'`
+  # Get the public IP
+  BIND=`ifconfig eth0 | grep "inet addr" | awk '{ print substr($2,6) }'`
 {% endif %}
 
 {% if consul_client_address_bind %}
-# Get the public IP
-CLIENT_BIND=`ifconfig eth0 | grep "inet addr" | awk '{ print substr($2,6) }'`
+  # Get the public IP
+  CLIENT_BIND=`ifconfig eth0 | grep "inet addr" | awk '{ print substr($2,6) }'`
 {% endif %}
 
-sudo setcap CAP_NET_BIND_SERVICE=+eip {{ consul_home }}/bin/consul; exec sudo -u {{ consul_user }} -g {{ consul_group }} GOMAXPROCS=`nproc` {{ consul_home }}/bin/consul agent \
+  # Allow non-root to bind to privileged ports (if used)
+  setcap CAP_NET_BIND_SERVICE=+eip {{ consul_home }}/bin/consul
+
+  # Set GOMAXPROCS to use all our CPUs, because Consul can block a scheduler thread
+  # Use su to become consul user non-interactively on old Upstart versions (see http://superuser.com/a/234541/76168)
+  exec su -s /bin/sh -c 'GOMAXPROCS=`nproc` exec "$0" "$@" &>>{{ consul_log_file }}' consul -- /opt/consul/bin/consul agent \
 {% if consul_dynamic_bind %}
-  -bind=$BIND \
+    -bind=$BIND \
 {% endif %}
 {% if consul_client_address_bind %}
-  -client=$CLIENT_BIND \
+    -client=$CLIENT_BIND \
 {% endif %}
-  -config-dir {{ consul_config_dir }} \
-  -config-file={{ consul_config_file }} \
-  >> {{ consul_log_file }} 2>&1
+    -config-dir={{ consul_config_dir }} \
+    -config-file={{ consul_config_file }}
 end script
 
 {% if consul_leave_on_terminate -%}
@@ -37,4 +38,7 @@ pre-stop exec {{ consul_home }}/bin/consul leave
 respawn
 respawn limit 10 10
 
+# Avoid Upstart re-spawning the process upon `consul leave`
+normal exit 0 INT
+
 kill timeout 10