Update the basic systemd extra configs for isolation and consistency

For the sake of consistency the "systemd" prefix was added to the
without-privatedevices.conf file.

A new configuration file has been added which will further isolate
our services using a named cgroup; this is similar to what we already do in
our openstack services. By further isolating the service from the system
we get quite a bit more control and accountability.

Change-Id: I5707ef318341259b086a5f1d49656fd0d1c7f269
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

tasks/galera_post_install.yml

@@ -141,9 +141,10 @@
   with_items:
     - { src: "systemd.environment.conf.j2", dest: "environment.conf" }
     - { src: "systemd.limits.conf.j2", dest: "limits.conf" }
-    - { src: "systemd.timeout.conf.j2", dest: "timeout.conf" }
     - { src: "systemd.restart.conf.j2", dest: "restart.conf" }
-    - { src: "without-privatedevices.conf.j2", dest: "without-privatedevices.conf" }
+    - { src: "systemd.slice.conf.j2", dest: "slice.conf" }
+    - { src: "systemd.timeout.conf.j2", dest: "timeout.conf" }
+    - { src: "systemd.without-privatedevices.conf.j2", dest: "without-privatedevices.conf" }
   notify:
     - Manage LB
     - Reload the systemd daemon

templates/systemd.slice.conf.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Service]
+# This creates a specific slice to operate from. The accounting options give us
+# the ability to see resource usage through the `systemd-cgtop` command and
+# further isolate this service from the host machine.
+Slice=galera.slice
+CPUAccounting=true
+BlockIOAccounting=true
+MemoryAccounting=false
+TasksAccounting=true

templates/systemd.without-privatedevices.conf.j2

@@ -1,2 +1,4 @@
+# {{ ansible_managed }}
+
 [Service]
 PrivateDevices={{ galera_disable_privatedevices | bool | ternary('false', 'true') }}