Dzahn has submitted this change and it was merged.
Change subject: Clean up phabricator roles in puppet to remove tag pinning.
......................................................................
Clean up phabricator roles in puppet to remove tag pinning.
Phabricator is now deployed with scap3, puppet should not
manage the checked out tags on phabricator and related repos.
Bug: T125851
Change-Id: I0bdf3266c85883871e6f9417a1ca77cc317c5906
---
A modules/phabricator/files/phab-deploy-key.labs
A modules/phabricator/files/phab-deploy-key.production
M modules/phabricator/manifests/extension.pp
M modules/phabricator/manifests/init.pp
M modules/phabricator/manifests/libext.pp
M modules/phabricator/manifests/tools.pp
M modules/role/manifests/phabricator/labs.pp
M modules/role/manifests/phabricator/main.pp
8 files changed, 97 insertions(+), 198 deletions(-)
Approvals:
20after4: Looks good to me, but someone else must approve
jenkins-bot: Verified
Dzahn: Looks good to me, approved
diff --git a/modules/phabricator/files/phab-deploy-key.labs
b/modules/phabricator/files/phab-deploy-key.labs
new file mode 100644
index 0000000..17bc88e
--- /dev/null
+++ b/modules/phabricator/files/phab-deploy-key.labs
@@ -0,0 +1 @@
+ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQC5385VUpvkzTd2XPgpi5DppbuIBZyUQvXVpSSV3AG8/Pvx/x3U8lH3Tif2wKC/eXbH4tJmeRf8j16XaLaNorlhsRrG9HZSvjX/LFYj4FBInzxheXQkVSGasNWv17BDfsTSExBRTUOdAhoLfnbe9HfyEVvFHvxx6zfoGcrsiFeEjg2S41cnzn7cgkdUa6r2FKdurmmhZmGp9LhlGpq2wbb5z5GQbfs1d3Qd66dg/ktP1S+RdL5eyAQewzCTjqo4u4tpps2In9b0ZBLQ2H2C03kkWBG9Q4o0Fs4Z0/8vZ2mp0U30tWYYwqRB8htf8PdSknZjcVgFdjf5m3lJphJpfxr1
phab-deploy@deploy
diff --git a/modules/phabricator/files/phab-deploy-key.production
b/modules/phabricator/files/phab-deploy-key.production
new file mode 100644
index 0000000..6be9cb1
--- /dev/null
+++ b/modules/phabricator/files/phab-deploy-key.production
@@ -0,0 +1 @@
+ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCuywxqDsJdHyjQZeSUOO3fwlEl7bJ7d3RJtoAsyE+oqoAair6L0F1j6Rq175tlCs1j8v8hPYmzJ10dOXmGtePvVTN7UbriKEX+EBBP47imE0mJjcVSyt1nSPoP1w2wn5vyDpgk0s+p1og6gQrrLuj09idwjOrWtB9/csgoBY/A2E9uXZbWljkSVmy88TqLk7bY2wfULoPFxtpPpix0obm5aEV9RD9zc6ToP6KKAEOZmtEGkQnCH4CZewQVw0Q5GvWBjrZbAyM7Qcez3lFqcVH0pkA7I8MNKGyEtbWteQe7y/9C4hxocg9WNp8cVpoaEngKK4vDDWA12Tt7hTQ62vS9
phab-deploy@iridium
diff --git a/modules/phabricator/manifests/extension.pp
b/modules/phabricator/manifests/extension.pp
index bbd6c03..2b143b7 100644
--- a/modules/phabricator/manifests/extension.pp
+++ b/modules/phabricator/manifests/extension.pp
@@ -9,6 +9,6 @@
file { "${rootdir}/phabricator/src/extensions/${name}":
ensure => 'link',
target => "${rootdir}/extensions/${name}",
- require => File["${rootdir}/phabricator/src/extensions"],
+ require => File[$rootdir],
}
}
diff --git a/modules/phabricator/manifests/init.pp
b/modules/phabricator/manifests/init.pp
index d922762..73a5f62 100644
--- a/modules/phabricator/manifests/init.pp
+++ b/modules/phabricator/manifests/init.pp
@@ -12,22 +12,6 @@
# A php.ini compatible timezone
# http://www.php.net//manual/en/datetime.configuration.php
#
-# [*lock_file*]
-# The path on disk to place a file for holding a tag
-# in the repos until the phab_update_tag command is run by root.
-#
-# [*git_tag*]
-# The tag in the Phabricator repos to maintain.
-#
-# NOTE:
-#
-# If the lockfile is set this tag will not be honored by an existing
-# install until the phab_update_tag command is run. This needs to be an
-# interactive and monitored process to allow for the necessary DB and
-# schema changes.
-#
-# For more info on tag forwarding see git::install
-#
# [*settings*]
# A hash of configuration options for the local settings json file.
#
https://secure.phabricator.com/book/phabricator/article/advanced_configuration/#configuration-sources
@@ -40,26 +24,24 @@
# Specify to use a different password for schema upgrades and database
maintenance
# Requires: mysql_admin_user
#
-# [*sprint_tag*]
-# Track sprint app by tag
-#
-# [*security_tag*]
-# Track security extension by tag
-#
-# [*extension_tag*]
-# Track generic / small extensions by tag
-#
# [*extensions*]
# Array of extensions to load
#
# [*serveralias*]
# Alternative domain on which to respond too
#
+# [*deploy_user*]
+# The username that is used for scap deployments
+#
+# [*deploy_target*]
+# The name of the scap3 deployment repo, e.g. phabricator/deployment
+#
+# [*deploy_key*]
+# The url of the public key for the deploy_user to deploy with scap
+
# === Examples
#
# class { 'phabricator':
-# git_tag => 'demo',
-# lock_file => '/var/run/phab_repo_lock',
# settings => {
# 'phabricator.base-uri' => 'http://myurl.domain',
# },
@@ -72,20 +54,23 @@
$phabdir = '/srv/phab',
$timezone = 'UTC',
$trusted_proxies = [],
- $lock_file = '',
- $git_tag = 'HEAD',
- $sprint_tag = '',
- $security_tag = '',
$libraries = [],
- $extension_tag = '',
$extensions = [],
$settings = {},
$mysql_admin_user = '',
$mysql_admin_pass = '',
$serveradmin = '',
$serveralias = '',
+ $deploy_user = 'phab-deploy',
+ $deploy_target = 'phabricator/deployment',
+ $deploy_key =
"puppet:///modules/phabricator/phab-deploy-key.${::realm}",
) {
+ $deploy_root = "/srv/deployment/${deploy_target}"
+
+ # base dependencies to ensure the phabricator deployment root exists
+ # save as a var since this will be required by many resources in this class
+ $base_requirements = [Package[$deploy_target], File[$phabdir]]
#A combination of static and dynamic conf parameters must be merged
$module_path = get_module_path($module_name)
@@ -130,12 +115,10 @@
$docroot = "${phabdir}/phabricator/webroot"
$phab_servername = $phab_settings['phabricator.base-uri']
+
apache::site { 'phabricator':
content => template('phabricator/phabricator-default.conf.erb'),
- }
-
- file { $phabdir:
- ensure => directory,
+ require => $base_requirements,
}
# Robots.txt disallowing to crawl the alias domain
@@ -149,113 +132,53 @@
}
}
- git::install { 'phabricator/libphutil':
- directory => "${phabdir}/libphutil",
- git_tag => $git_tag,
- lock_file => $lock_file,
- before => Git::Install['phabricator/arcanist'],
+ scap::target { $deploy_target:
+ deploy_user => $deploy_user,
+ public_key_source => $deploy_key,
+ service_name => 'phd',
}
- git::install { 'phabricator/arcanist':
- directory => "${phabdir}/arcanist",
- git_tag => $git_tag,
- lock_file => $lock_file,
- before => Git::Install['phabricator/phabricator'],
- }
-
- git::install { 'phabricator/phabricator':
- directory => "${phabdir}/phabricator",
- git_tag => $git_tag,
- lock_file => $lock_file,
- notify => Exec["ensure_lock_${lock_file}"],
- before => File["${phabdir}/phabricator/.git/config"],
- }
-
- file { "${phabdir}/phabricator/.git/config":
- source => 'puppet:///modules/phabricator/phabricator.gitconfig',
- before => File["${phabdir}/phabricator/scripts/"],
+ file { $phabdir:
+ ensure => 'link',
+ target => $deploy_root,
+ require => Package[$deploy_target],
}
file { "${phabdir}/phabricator/scripts/":
mode => '0754',
recurse => true,
before => File["${phabdir}/phabricator/scripts/mail/"],
+ require => $base_requirements,
}
file { "${phabdir}/phabricator/scripts/mail/":
mode => '0755',
recurse => true,
+ require => $base_requirements,
}
if ($libraries) {
- file { "${phabdir}/libext":
- ensure => 'directory',
+ phabricator::libext { $libraries:
+ rootdir => $phabdir,
+ require => $base_requirements,
}
-
$phab_settings['load-libraries'] = $libraries
- $libext_lock_path = "${lock_file}_libext"
}
- # Would love to do these as an array but the sprint vs Sprint
- # case issue makes this complicated at the moment.
- if ($sprint_tag) {
- phabricator::libext { 'Sprint':
- rootdir => $phabdir,
- libext_tag => $sprint_tag,
- libext_lock_path => $libext_lock_path,
- }
-
- }
-
- if ($security_tag) {
- phabricator::libext { 'security':
- rootdir => $phabdir,
- libext_tag => $security_tag,
- libext_lock_path => $libext_lock_path,
- }
- }
-
- if ($extension_tag) {
- $ext_lock_name = regsubst($extension_tag, '\W', '-', 'G')
- $ext_lock_path = "${phabdir}/extension_lock_${ext_lock_name}"
- git::install { 'phabricator/extensions':
- directory => "${phabdir}/extensions",
- git_tag => $extension_tag,
- lock_file => $ext_lock_path,
- notify => Exec[$ext_lock_path],
- before => Git::Install['phabricator/phabricator'],
- }
-
+ if ($extensions) {
file { "${phabdir}/phabricator/src/extensions":
ensure => 'directory',
path => "${phabdir}/phabricator/src/extensions",
owner => 'root',
group => 'root',
mode => '0755',
- require => [
- Git::Install['phabricator/extensions'],
- Git::Install['phabricator/phabricator'],
- ],
- }
-
- exec {$ext_lock_path:
- command => "touch ${ext_lock_path}",
- unless => "test -z ${ext_lock_path} || test -e ${ext_lock_path}",
- path => '/usr/bin:/bin',
+ require => $base_requirements,
}
phabricator::extension { $extensions:
rootdir => $phabdir,
- require => File["${phabdir}/phabricator/src/extensions"],
+ require => $base_requirements,
}
-
- }
-
- #we ensure lock exists if string is not null
- exec {"ensure_lock_${lock_file}":
- command => "touch ${lock_file}",
- unless => "test -z ${lock_file} || test -e ${lock_file}",
- path => '/usr/bin:/bin',
}
file { '/etc/php5/apache2/php.ini':
@@ -272,29 +195,23 @@
file { "${phabdir}/phabricator/conf/local/local.json":
content => template('phabricator/local.json.erb'),
- require => Git::Install['phabricator/phabricator'],
+ require => $base_requirements,
}
-
- # ^Disable PHD autorestart until:
- # https://secure.phabricator.com/T7475
- # notify => Service[phd],
#default location for phabricator tracked repositories
if ($phab_settings['repository.default-local-path']) {
- file { $phab_settings['repository.default-local-path']:
- ensure => directory,
- mode => '0755',
- owner => 'phd',
- group => 'www-data',
- require => Git::Install['phabricator/phabricator'],
+ $repo_root = $phab_settings['repository.default-local-path']
+ file { $repo_root:
+ ensure => directory,
+ mode => '0755',
+ owner => 'phd',
+ group => 'www-data',
}
- }
-
- file { '/usr/local/sbin/phab_update_tag':
- content => template('phabricator/phab_update_tag.erb'),
- owner => 'root',
- group => 'root',
- mode => '0500',
+ file { "${deploy_root}/repos":
+ ensure => 'link',
+ target => $repo_root,
+ require => $base_requirements,
+ }
}
file { '/usr/local/bin/arc':
@@ -303,18 +220,20 @@
group => 'root',
mode => '0755',
target => '/srv/phab/arcanist/bin/arc',
- require => Git::Install['phabricator/arcanist'],
+ require => $base_requirements,
}
class { 'phabricator::vcs':
basedir => $phabdir,
settings => $phab_settings,
+ require => $base_requirements,
}
class { 'phabricator::phd':
basedir => $phabdir,
settings => $phab_settings,
before => Service['phd'],
+ require => $base_requirements,
}
# This needs to become Upstart managed
@@ -326,6 +245,6 @@
start => '/usr/sbin/service phd start --force',
status => '/usr/bin/pgrep -f phd-daemon',
hasrestart => true,
- require => Git::Install['phabricator/phabricator'],
+ require => $base_requirements,
}
}
diff --git a/modules/phabricator/manifests/libext.pp
b/modules/phabricator/manifests/libext.pp
index 6d99658..225ce96 100644
--- a/modules/phabricator/manifests/libext.pp
+++ b/modules/phabricator/manifests/libext.pp
@@ -1,41 +1,16 @@
# == Define: phabricator::libext
#
-# Installs libphutil library extensions
+# Installs phutil library extensions
#
# === Parameters
#
# [*rootdir*]
# The path on disk to clone the needed repositories
-#
-# [*libext_tag*]
-# Git tag to hold repo at
-#
-# [*libext_lock_path*]
-# Path to local file that provides local settings lock
-#
# [*libname*]
# Case sensitive extension name
-define phabricator::libext ($rootdir, $libext_tag, $libext_lock_path, $libname
= $name) {
-
- # Build per extension lock file
- $libname_lock = "${libext_lock_path}_${libname}"
-
- git::install { "phabricator/extensions/${libname}" :
- directory => "${rootdir}/libext/${libname}",
- git_tag => $libext_tag,
- lock_file => $libname_lock,
- notify => Exec[$libname_lock],
- before => Git::Install['phabricator/phabricator'],
- }
-
- exec {$libname_lock:
- command => "touch ${libname_lock}",
- unless => "test -z ${libname_lock} || test -e ${libname_lock}",
- path => '/usr/bin:/bin',
- }
-
+define phabricator::libext ($rootdir, $libname = $name) {
# symlink static directories for extensions
$static_dir = "${rootdir}/libext/${libname}/rsrc/webroot-static"
@@ -46,7 +21,7 @@
command => "/bin/ln -s ${static_dir} ${symlink_dir}",
onlyif => "/usr/bin/test -e ${static_dir}",
creates => $symlink_dir,
- require => Git::Install["phabricator/extensions/${libname}"],
+ require => File[$rootdir],
}
}
diff --git a/modules/phabricator/manifests/tools.pp
b/modules/phabricator/manifests/tools.pp
index 9c565d5..90408d6 100644
--- a/modules/phabricator/manifests/tools.pp
+++ b/modules/phabricator/manifests/tools.pp
@@ -7,6 +7,7 @@
$dbhost = 'localhost',
$dbslave = 'localhost',
$directory = '/srv/phab/tools',
+ $deploy_target = 'phabricator/deployment',
$manifest_user = '',
$manifest_pass = '',
$app_user = '',
@@ -39,7 +40,7 @@
file { $dump_script:
mode => '0555',
- require => Git::Install['phabricator/tools'],
+ require => Package[$deploy_target],
}
cron { $dump_script:
@@ -47,7 +48,7 @@
command => $dump_script,
user => root,
hour => '2',
- require => File[$dump_script],
+ require => Package[$deploy_target],
}
}
@@ -57,7 +58,7 @@
command => "/usr/bin/flock -n ${bz_header} -c
'/srv/phab/tools/bugzilla_update_user_header.py -a' >/dev/null 2>&1",
user => root,
hour => '0',
- require => Git::Install['phabricator/tools'],
+ require => Package[$deploy_target],
}
$bz_comments = '/var/run/bz_comments.flock'
@@ -66,6 +67,6 @@
command => "/usr/bin/flock -n ${bz_comments} -c
'/srv/phab/tools/bugzilla_update_user_comments.py -a' >/dev/null 2>&1",
user => root,
hour => '1',
- require => Git::Install['phabricator/tools'],
+ require => Package[$deploy_target],
}
}
diff --git a/modules/role/manifests/phabricator/labs.pp
b/modules/role/manifests/phabricator/labs.pp
index b1ee757..b27fd0d 100644
--- a/modules/role/manifests/phabricator/labs.pp
+++ b/modules/role/manifests/phabricator/labs.pp
@@ -1,17 +1,15 @@
# phabricator instance on wmflabs at phab-0[1-9].wmflabs.org
+
class role::phabricator::labs {
# pass not sensitive but has to match phab and db
$mysqlpass = 'labspass'
- $current_tag = 'release/2016-02-18/1'
+ $phab_root_dir = '/srv/phab'
class { '::phabricator':
- git_tag => $current_tag,
- lock_file => '/var/run/phab_repo_lock',
- sprint_tag => 'release/2016-02-18/1',
- security_tag => 'release/2016-02-18/2',
- libraries => ['/srv/phab/libext/Sprint/src',
- '/srv/phab/libext/security/src'],
- extension_tag => 'release/2016-02-18/1',
+ deploy_target => 'phabricator/deployment',
+ phabdir => $phab_root_dir,
+ libraries => ["${phab_root_dir}/libext/Sprint/src",
+ "${phab_root_dir}/libext/security/src"],
extensions => [ 'MediaWikiUserpageCustomField.php',
'LDAPUserpageCustomField.php',
'PhabricatorMediaWikiAuthProvider.php',
@@ -22,7 +20,8 @@
'mysql.pass' => $mysqlpass,
'auth.require-email-verification' => false,
'metamta.mail-adapter' =>
'PhabricatorMailImplementationTestAdapter',
- 'repository.default-local-path' => '/srv/phab/repos',
+ 'repository.default-local-path' => '/srv/repos',
+ 'phd.taskmasters' => 1,
'config.ignore-issues' => '{
"security.security.alternate-file-domain": true
}',
diff --git a/modules/role/manifests/phabricator/main.pp
b/modules/role/manifests/phabricator/main.pp
index d2a76e2..0d383ce 100644
--- a/modules/role/manifests/phabricator/main.pp
+++ b/modules/role/manifests/phabricator/main.pp
@@ -19,45 +19,43 @@
# this site's misc-lb caching proxies hostnames
$cache_misc_nodes = hiera('cache::misc::nodes', [])
- $current_tag = 'release/2016-02-18/1'
$domain = 'phabricator.wikimedia.org'
$altdom = 'phab.wmfusercontent.org'
$mysql_host = 'm3-master.eqiad.wmnet'
$mysql_slave = 'm3-slave.eqiad.wmnet'
+ $phab_root_dir = '/srv/phab'
+ $deploy_target = 'phabricator/deployment'
class { '::phabricator':
+ deploy_target => $deploy_target,
+ phabdir => $phab_root_dir,
serveralias => $altdom,
trusted_proxies => $cache_misc_nodes[$::site],
- git_tag => $current_tag,
- lock_file => '/var/run/phab_repo_lock',
mysql_admin_user => $role::phabricator::config::mysql_adminuser,
mysql_admin_pass => $role::phabricator::config::mysql_adminpass,
- sprint_tag => 'release/2016-02-18/1',
- security_tag => 'release/2016-02-18/2',
- libraries => ['/srv/phab/libext/Sprint/src',
- '/srv/phab/libext/security/src'],
- extension_tag => 'release/2016-02-18/1',
+ libraries => [ "${phab_root_dir}/libext/Sprint/src",
+ "${phab_root_dir}/libext/security/src" ],
extensions => [ 'MediaWikiUserpageCustomField.php',
'LDAPUserpageCustomField.php',
'PhabricatorMediaWikiAuthProvider.php',
'PhutilMediaWikiAuthAdapter.php'],
settings => {
- 'darkconsole.enabled' => false,
- 'phabricator.base-uri' => "https://${domain}";,
- 'security.alternate-file-domain' => "https://${altdom}";,
- 'mysql.user' =>
$role::phabricator::config::mysql_appuser,
- 'mysql.pass' =>
$role::phabricator::config::mysql_apppass,
- 'mysql.host' => $mysql_host,
- 'phpmailer.smtp-host' => inline_template('<%=
@mail_smarthost.join(";") %>'),
- 'metamta.default-address' => "no-reply@${domain}",
- 'metamta.domain' => $domain,
- 'metamta.maniphest.public-create-email' => "task@${domain}",
- 'metamta.reply-handler-domain' => $domain,
- 'repository.default-local-path' => '/srv/repos',
- 'phd.taskmasters' => 10,
- 'events.listeners' => [],
- 'diffusion.allow-http-auth' => true,
- 'diffusion.ssh-host' => 'git-ssh.wikimedia.org',
+ 'darkconsole.enabled' => false,
+ 'phabricator.base-uri' => "https://${domain}";,
+ 'security.alternate-file-domain' => "https://${altdom}";,
+ 'mysql.user' =>
$role::phabricator::config::mysql_appuser,
+ 'mysql.pass' =>
$role::phabricator::config::mysql_apppass,
+ 'mysql.host' => $mysql_host,
+ 'phpmailer.smtp-host' => inline_template('<%=
@mail_smarthost.join(";") %>'),
+ 'metamta.default-address' => "no-reply@${domain}",
+ 'metamta.domain' => $domain,
+ 'metamta.maniphest.public-create-email' => "task@${domain}",
+ 'metamta.reply-handler-domain' => $domain,
+ 'repository.default-local-path' => '/srv/repos',
+ 'phd.taskmasters' => 10,
+ 'events.listeners' => [],
+ 'diffusion.allow-http-auth' => true,
+ 'diffusion.ssh-host' =>
'git-ssh.wikimedia.org',
},
}
@@ -76,6 +74,7 @@
}
class { '::phabricator::tools':
+ directory => "${phab_root_dir}/tools",
dbhost => $mysql_host,
dbslave => $mysql_slave,
manifest_user => $role::phabricator::config::mysql_maniphestuser,
@@ -90,6 +89,7 @@
phabtools_user => $role::phabricator::config::phabtools_user,
gerritbot_token => $role::phabricator::config::gerritbot_token,
dump => true,
+ require => Package[$deploy_target]
}
cron { 'phab_dump':
@@ -171,6 +171,7 @@
field_index => '4rRUkCdImLQU',
phab_host => $domain,
alt_host => $altdom,
+ require => Package[$deploy_target],
}
# community metrics mail (T81784, T1003)
@@ -179,6 +180,7 @@
rcpt_address => 'wikitec...@lists.wikimedia.org',
sndr_address => 'communitymetr...@wikimedia.org',
monthday => '1',
+ require => Package[$deploy_target],
}
# project changes mail (T85183)
@@ -187,6 +189,7 @@
rcpt_address => [ 'aklap...@wikimedia.org', 'kren...@gmail.com' ],
sndr_address => 'aklap...@wikimedia.org',
monthday => [1, 8, 15, 22, 29],
+ require => Package[$deploy_target],
}
}
--
To view, visit https://gerrit.wikimedia.org/r/269561
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I0bdf3266c85883871e6f9417a1ca77cc317c5906
Gerrit-PatchSet: 13
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: 20after4 <mmod...@wikimedia.org>
Gerrit-Reviewer: 20after4 <mmod...@wikimedia.org>
Gerrit-Reviewer: ArielGlenn <ar...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Chasemp <r...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
