Dzahn has submitted this change and it was merged. Change subject: Clean up phabricator roles in puppet to remove tag pinning. ......................................................................
Clean up phabricator roles in puppet to remove tag pinning. Phabricator is now deployed with scap3, puppet should not manage the checked out tags on phabricator and related repos. Bug: T125851 Change-Id: I0bdf3266c85883871e6f9417a1ca77cc317c5906 --- A modules/phabricator/files/phab-deploy-key.labs A modules/phabricator/files/phab-deploy-key.production M modules/phabricator/manifests/extension.pp M modules/phabricator/manifests/init.pp M modules/phabricator/manifests/libext.pp M modules/phabricator/manifests/tools.pp M modules/role/manifests/phabricator/labs.pp M modules/role/manifests/phabricator/main.pp 8 files changed, 97 insertions(+), 198 deletions(-) Approvals: 20after4: Looks good to me, but someone else must approve jenkins-bot: Verified Dzahn: Looks good to me, approved diff --git a/modules/phabricator/files/phab-deploy-key.labs b/modules/phabricator/files/phab-deploy-key.labs new file mode 100644 index 0000000..17bc88e --- /dev/null +++ b/modules/phabricator/files/phab-deploy-key.labs @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5385VUpvkzTd2XPgpi5DppbuIBZyUQvXVpSSV3AG8/Pvx/x3U8lH3Tif2wKC/eXbH4tJmeRf8j16XaLaNorlhsRrG9HZSvjX/LFYj4FBInzxheXQkVSGasNWv17BDfsTSExBRTUOdAhoLfnbe9HfyEVvFHvxx6zfoGcrsiFeEjg2S41cnzn7cgkdUa6r2FKdurmmhZmGp9LhlGpq2wbb5z5GQbfs1d3Qd66dg/ktP1S+RdL5eyAQewzCTjqo4u4tpps2In9b0ZBLQ2H2C03kkWBG9Q4o0Fs4Z0/8vZ2mp0U30tWYYwqRB8htf8PdSknZjcVgFdjf5m3lJphJpfxr1 phab-deploy@deploy diff --git a/modules/phabricator/files/phab-deploy-key.production b/modules/phabricator/files/phab-deploy-key.production new file mode 100644 index 0000000..6be9cb1 --- /dev/null +++ b/modules/phabricator/files/phab-deploy-key.production @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuywxqDsJdHyjQZeSUOO3fwlEl7bJ7d3RJtoAsyE+oqoAair6L0F1j6Rq175tlCs1j8v8hPYmzJ10dOXmGtePvVTN7UbriKEX+EBBP47imE0mJjcVSyt1nSPoP1w2wn5vyDpgk0s+p1og6gQrrLuj09idwjOrWtB9/csgoBY/A2E9uXZbWljkSVmy88TqLk7bY2wfULoPFxtpPpix0obm5aEV9RD9zc6ToP6KKAEOZmtEGkQnCH4CZewQVw0Q5GvWBjrZbAyM7Qcez3lFqcVH0pkA7I8MNKGyEtbWteQe7y/9C4hxocg9WNp8cVpoaEngKK4vDDWA12Tt7hTQ62vS9 phab-deploy@iridium diff --git a/modules/phabricator/manifests/extension.pp b/modules/phabricator/manifests/extension.pp index bbd6c03..2b143b7 100644 --- a/modules/phabricator/manifests/extension.pp +++ b/modules/phabricator/manifests/extension.pp @@ -9,6 +9,6 @@ file { "${rootdir}/phabricator/src/extensions/${name}": ensure => 'link', target => "${rootdir}/extensions/${name}", - require => File["${rootdir}/phabricator/src/extensions"], + require => File[$rootdir], } } diff --git a/modules/phabricator/manifests/init.pp b/modules/phabricator/manifests/init.pp index d922762..73a5f62 100644 --- a/modules/phabricator/manifests/init.pp +++ b/modules/phabricator/manifests/init.pp @@ -12,22 +12,6 @@ # A php.ini compatible timezone # http://www.php.net//manual/en/datetime.configuration.php # -# [*lock_file*] -# The path on disk to place a file for holding a tag -# in the repos until the phab_update_tag command is run by root. -# -# [*git_tag*] -# The tag in the Phabricator repos to maintain. -# -# NOTE: -# -# If the lockfile is set this tag will not be honored by an existing -# install until the phab_update_tag command is run. This needs to be an -# interactive and monitored process to allow for the necessary DB and -# schema changes. -# -# For more info on tag forwarding see git::install -# # [*settings*] # A hash of configuration options for the local settings json file. # https://secure.phabricator.com/book/phabricator/article/advanced_configuration/#configuration-sources @@ -40,26 +24,24 @@ # Specify to use a different password for schema upgrades and database maintenance # Requires: mysql_admin_user # -# [*sprint_tag*] -# Track sprint app by tag -# -# [*security_tag*] -# Track security extension by tag -# -# [*extension_tag*] -# Track generic / small extensions by tag -# # [*extensions*] # Array of extensions to load # # [*serveralias*] # Alternative domain on which to respond too # +# [*deploy_user*] +# The username that is used for scap deployments +# +# [*deploy_target*] +# The name of the scap3 deployment repo, e.g. phabricator/deployment +# +# [*deploy_key*] +# The url of the public key for the deploy_user to deploy with scap + # === Examples # # class { 'phabricator': -# git_tag => 'demo', -# lock_file => '/var/run/phab_repo_lock', # settings => { # 'phabricator.base-uri' => 'http://myurl.domain', # }, @@ -72,20 +54,23 @@ $phabdir = '/srv/phab', $timezone = 'UTC', $trusted_proxies = [], - $lock_file = '', - $git_tag = 'HEAD', - $sprint_tag = '', - $security_tag = '', $libraries = [], - $extension_tag = '', $extensions = [], $settings = {}, $mysql_admin_user = '', $mysql_admin_pass = '', $serveradmin = '', $serveralias = '', + $deploy_user = 'phab-deploy', + $deploy_target = 'phabricator/deployment', + $deploy_key = "puppet:///modules/phabricator/phab-deploy-key.${::realm}", ) { + $deploy_root = "/srv/deployment/${deploy_target}" + + # base dependencies to ensure the phabricator deployment root exists + # save as a var since this will be required by many resources in this class + $base_requirements = [Package[$deploy_target], File[$phabdir]] #A combination of static and dynamic conf parameters must be merged $module_path = get_module_path($module_name) @@ -130,12 +115,10 @@ $docroot = "${phabdir}/phabricator/webroot" $phab_servername = $phab_settings['phabricator.base-uri'] + apache::site { 'phabricator': content => template('phabricator/phabricator-default.conf.erb'), - } - - file { $phabdir: - ensure => directory, + require => $base_requirements, } # Robots.txt disallowing to crawl the alias domain @@ -149,113 +132,53 @@ } } - git::install { 'phabricator/libphutil': - directory => "${phabdir}/libphutil", - git_tag => $git_tag, - lock_file => $lock_file, - before => Git::Install['phabricator/arcanist'], + scap::target { $deploy_target: + deploy_user => $deploy_user, + public_key_source => $deploy_key, + service_name => 'phd', } - git::install { 'phabricator/arcanist': - directory => "${phabdir}/arcanist", - git_tag => $git_tag, - lock_file => $lock_file, - before => Git::Install['phabricator/phabricator'], - } - - git::install { 'phabricator/phabricator': - directory => "${phabdir}/phabricator", - git_tag => $git_tag, - lock_file => $lock_file, - notify => Exec["ensure_lock_${lock_file}"], - before => File["${phabdir}/phabricator/.git/config"], - } - - file { "${phabdir}/phabricator/.git/config": - source => 'puppet:///modules/phabricator/phabricator.gitconfig', - before => File["${phabdir}/phabricator/scripts/"], + file { $phabdir: + ensure => 'link', + target => $deploy_root, + require => Package[$deploy_target], } file { "${phabdir}/phabricator/scripts/": mode => '0754', recurse => true, before => File["${phabdir}/phabricator/scripts/mail/"], + require => $base_requirements, } file { "${phabdir}/phabricator/scripts/mail/": mode => '0755', recurse => true, + require => $base_requirements, } if ($libraries) { - file { "${phabdir}/libext": - ensure => 'directory', + phabricator::libext { $libraries: + rootdir => $phabdir, + require => $base_requirements, } - $phab_settings['load-libraries'] = $libraries - $libext_lock_path = "${lock_file}_libext" } - # Would love to do these as an array but the sprint vs Sprint - # case issue makes this complicated at the moment. - if ($sprint_tag) { - phabricator::libext { 'Sprint': - rootdir => $phabdir, - libext_tag => $sprint_tag, - libext_lock_path => $libext_lock_path, - } - - } - - if ($security_tag) { - phabricator::libext { 'security': - rootdir => $phabdir, - libext_tag => $security_tag, - libext_lock_path => $libext_lock_path, - } - } - - if ($extension_tag) { - $ext_lock_name = regsubst($extension_tag, '\W', '-', 'G') - $ext_lock_path = "${phabdir}/extension_lock_${ext_lock_name}" - git::install { 'phabricator/extensions': - directory => "${phabdir}/extensions", - git_tag => $extension_tag, - lock_file => $ext_lock_path, - notify => Exec[$ext_lock_path], - before => Git::Install['phabricator/phabricator'], - } - + if ($extensions) { file { "${phabdir}/phabricator/src/extensions": ensure => 'directory', path => "${phabdir}/phabricator/src/extensions", owner => 'root', group => 'root', mode => '0755', - require => [ - Git::Install['phabricator/extensions'], - Git::Install['phabricator/phabricator'], - ], - } - - exec {$ext_lock_path: - command => "touch ${ext_lock_path}", - unless => "test -z ${ext_lock_path} || test -e ${ext_lock_path}", - path => '/usr/bin:/bin', + require => $base_requirements, } phabricator::extension { $extensions: rootdir => $phabdir, - require => File["${phabdir}/phabricator/src/extensions"], + require => $base_requirements, } - - } - - #we ensure lock exists if string is not null - exec {"ensure_lock_${lock_file}": - command => "touch ${lock_file}", - unless => "test -z ${lock_file} || test -e ${lock_file}", - path => '/usr/bin:/bin', } file { '/etc/php5/apache2/php.ini': @@ -272,29 +195,23 @@ file { "${phabdir}/phabricator/conf/local/local.json": content => template('phabricator/local.json.erb'), - require => Git::Install['phabricator/phabricator'], + require => $base_requirements, } - - # ^Disable PHD autorestart until: - # https://secure.phabricator.com/T7475 - # notify => Service[phd], #default location for phabricator tracked repositories if ($phab_settings['repository.default-local-path']) { - file { $phab_settings['repository.default-local-path']: - ensure => directory, - mode => '0755', - owner => 'phd', - group => 'www-data', - require => Git::Install['phabricator/phabricator'], + $repo_root = $phab_settings['repository.default-local-path'] + file { $repo_root: + ensure => directory, + mode => '0755', + owner => 'phd', + group => 'www-data', } - } - - file { '/usr/local/sbin/phab_update_tag': - content => template('phabricator/phab_update_tag.erb'), - owner => 'root', - group => 'root', - mode => '0500', + file { "${deploy_root}/repos": + ensure => 'link', + target => $repo_root, + require => $base_requirements, + } } file { '/usr/local/bin/arc': @@ -303,18 +220,20 @@ group => 'root', mode => '0755', target => '/srv/phab/arcanist/bin/arc', - require => Git::Install['phabricator/arcanist'], + require => $base_requirements, } class { 'phabricator::vcs': basedir => $phabdir, settings => $phab_settings, + require => $base_requirements, } class { 'phabricator::phd': basedir => $phabdir, settings => $phab_settings, before => Service['phd'], + require => $base_requirements, } # This needs to become Upstart managed @@ -326,6 +245,6 @@ start => '/usr/sbin/service phd start --force', status => '/usr/bin/pgrep -f phd-daemon', hasrestart => true, - require => Git::Install['phabricator/phabricator'], + require => $base_requirements, } } diff --git a/modules/phabricator/manifests/libext.pp b/modules/phabricator/manifests/libext.pp index 6d99658..225ce96 100644 --- a/modules/phabricator/manifests/libext.pp +++ b/modules/phabricator/manifests/libext.pp @@ -1,41 +1,16 @@ # == Define: phabricator::libext # -# Installs libphutil library extensions +# Installs phutil library extensions # # === Parameters # # [*rootdir*] # The path on disk to clone the needed repositories -# -# [*libext_tag*] -# Git tag to hold repo at -# -# [*libext_lock_path*] -# Path to local file that provides local settings lock -# # [*libname*] # Case sensitive extension name -define phabricator::libext ($rootdir, $libext_tag, $libext_lock_path, $libname = $name) { - - # Build per extension lock file - $libname_lock = "${libext_lock_path}_${libname}" - - git::install { "phabricator/extensions/${libname}" : - directory => "${rootdir}/libext/${libname}", - git_tag => $libext_tag, - lock_file => $libname_lock, - notify => Exec[$libname_lock], - before => Git::Install['phabricator/phabricator'], - } - - exec {$libname_lock: - command => "touch ${libname_lock}", - unless => "test -z ${libname_lock} || test -e ${libname_lock}", - path => '/usr/bin:/bin', - } - +define phabricator::libext ($rootdir, $libname = $name) { # symlink static directories for extensions $static_dir = "${rootdir}/libext/${libname}/rsrc/webroot-static" @@ -46,7 +21,7 @@ command => "/bin/ln -s ${static_dir} ${symlink_dir}", onlyif => "/usr/bin/test -e ${static_dir}", creates => $symlink_dir, - require => Git::Install["phabricator/extensions/${libname}"], + require => File[$rootdir], } } diff --git a/modules/phabricator/manifests/tools.pp b/modules/phabricator/manifests/tools.pp index 9c565d5..90408d6 100644 --- a/modules/phabricator/manifests/tools.pp +++ b/modules/phabricator/manifests/tools.pp @@ -7,6 +7,7 @@ $dbhost = 'localhost', $dbslave = 'localhost', $directory = '/srv/phab/tools', + $deploy_target = 'phabricator/deployment', $manifest_user = '', $manifest_pass = '', $app_user = '', @@ -39,7 +40,7 @@ file { $dump_script: mode => '0555', - require => Git::Install['phabricator/tools'], + require => Package[$deploy_target], } cron { $dump_script: @@ -47,7 +48,7 @@ command => $dump_script, user => root, hour => '2', - require => File[$dump_script], + require => Package[$deploy_target], } } @@ -57,7 +58,7 @@ command => "/usr/bin/flock -n ${bz_header} -c '/srv/phab/tools/bugzilla_update_user_header.py -a' >/dev/null 2>&1", user => root, hour => '0', - require => Git::Install['phabricator/tools'], + require => Package[$deploy_target], } $bz_comments = '/var/run/bz_comments.flock' @@ -66,6 +67,6 @@ command => "/usr/bin/flock -n ${bz_comments} -c '/srv/phab/tools/bugzilla_update_user_comments.py -a' >/dev/null 2>&1", user => root, hour => '1', - require => Git::Install['phabricator/tools'], + require => Package[$deploy_target], } } diff --git a/modules/role/manifests/phabricator/labs.pp b/modules/role/manifests/phabricator/labs.pp index b1ee757..b27fd0d 100644 --- a/modules/role/manifests/phabricator/labs.pp +++ b/modules/role/manifests/phabricator/labs.pp @@ -1,17 +1,15 @@ # phabricator instance on wmflabs at phab-0[1-9].wmflabs.org + class role::phabricator::labs { # pass not sensitive but has to match phab and db $mysqlpass = 'labspass' - $current_tag = 'release/2016-02-18/1' + $phab_root_dir = '/srv/phab' class { '::phabricator': - git_tag => $current_tag, - lock_file => '/var/run/phab_repo_lock', - sprint_tag => 'release/2016-02-18/1', - security_tag => 'release/2016-02-18/2', - libraries => ['/srv/phab/libext/Sprint/src', - '/srv/phab/libext/security/src'], - extension_tag => 'release/2016-02-18/1', + deploy_target => 'phabricator/deployment', + phabdir => $phab_root_dir, + libraries => ["${phab_root_dir}/libext/Sprint/src", + "${phab_root_dir}/libext/security/src"], extensions => [ 'MediaWikiUserpageCustomField.php', 'LDAPUserpageCustomField.php', 'PhabricatorMediaWikiAuthProvider.php', @@ -22,7 +20,8 @@ 'mysql.pass' => $mysqlpass, 'auth.require-email-verification' => false, 'metamta.mail-adapter' => 'PhabricatorMailImplementationTestAdapter', - 'repository.default-local-path' => '/srv/phab/repos', + 'repository.default-local-path' => '/srv/repos', + 'phd.taskmasters' => 1, 'config.ignore-issues' => '{ "security.security.alternate-file-domain": true }', diff --git a/modules/role/manifests/phabricator/main.pp b/modules/role/manifests/phabricator/main.pp index d2a76e2..0d383ce 100644 --- a/modules/role/manifests/phabricator/main.pp +++ b/modules/role/manifests/phabricator/main.pp @@ -19,45 +19,43 @@ # this site's misc-lb caching proxies hostnames $cache_misc_nodes = hiera('cache::misc::nodes', []) - $current_tag = 'release/2016-02-18/1' $domain = 'phabricator.wikimedia.org' $altdom = 'phab.wmfusercontent.org' $mysql_host = 'm3-master.eqiad.wmnet' $mysql_slave = 'm3-slave.eqiad.wmnet' + $phab_root_dir = '/srv/phab' + $deploy_target = 'phabricator/deployment' class { '::phabricator': + deploy_target => $deploy_target, + phabdir => $phab_root_dir, serveralias => $altdom, trusted_proxies => $cache_misc_nodes[$::site], - git_tag => $current_tag, - lock_file => '/var/run/phab_repo_lock', mysql_admin_user => $role::phabricator::config::mysql_adminuser, mysql_admin_pass => $role::phabricator::config::mysql_adminpass, - sprint_tag => 'release/2016-02-18/1', - security_tag => 'release/2016-02-18/2', - libraries => ['/srv/phab/libext/Sprint/src', - '/srv/phab/libext/security/src'], - extension_tag => 'release/2016-02-18/1', + libraries => [ "${phab_root_dir}/libext/Sprint/src", + "${phab_root_dir}/libext/security/src" ], extensions => [ 'MediaWikiUserpageCustomField.php', 'LDAPUserpageCustomField.php', 'PhabricatorMediaWikiAuthProvider.php', 'PhutilMediaWikiAuthAdapter.php'], settings => { - 'darkconsole.enabled' => false, - 'phabricator.base-uri' => "https://${domain}", - 'security.alternate-file-domain' => "https://${altdom}", - 'mysql.user' => $role::phabricator::config::mysql_appuser, - 'mysql.pass' => $role::phabricator::config::mysql_apppass, - 'mysql.host' => $mysql_host, - 'phpmailer.smtp-host' => inline_template('<%= @mail_smarthost.join(";") %>'), - 'metamta.default-address' => "no-reply@${domain}", - 'metamta.domain' => $domain, - 'metamta.maniphest.public-create-email' => "task@${domain}", - 'metamta.reply-handler-domain' => $domain, - 'repository.default-local-path' => '/srv/repos', - 'phd.taskmasters' => 10, - 'events.listeners' => [], - 'diffusion.allow-http-auth' => true, - 'diffusion.ssh-host' => 'git-ssh.wikimedia.org', + 'darkconsole.enabled' => false, + 'phabricator.base-uri' => "https://${domain}", + 'security.alternate-file-domain' => "https://${altdom}", + 'mysql.user' => $role::phabricator::config::mysql_appuser, + 'mysql.pass' => $role::phabricator::config::mysql_apppass, + 'mysql.host' => $mysql_host, + 'phpmailer.smtp-host' => inline_template('<%= @mail_smarthost.join(";") %>'), + 'metamta.default-address' => "no-reply@${domain}", + 'metamta.domain' => $domain, + 'metamta.maniphest.public-create-email' => "task@${domain}", + 'metamta.reply-handler-domain' => $domain, + 'repository.default-local-path' => '/srv/repos', + 'phd.taskmasters' => 10, + 'events.listeners' => [], + 'diffusion.allow-http-auth' => true, + 'diffusion.ssh-host' => 'git-ssh.wikimedia.org', }, } @@ -76,6 +74,7 @@ } class { '::phabricator::tools': + directory => "${phab_root_dir}/tools", dbhost => $mysql_host, dbslave => $mysql_slave, manifest_user => $role::phabricator::config::mysql_maniphestuser, @@ -90,6 +89,7 @@ phabtools_user => $role::phabricator::config::phabtools_user, gerritbot_token => $role::phabricator::config::gerritbot_token, dump => true, + require => Package[$deploy_target] } cron { 'phab_dump': @@ -171,6 +171,7 @@ field_index => '4rRUkCdImLQU', phab_host => $domain, alt_host => $altdom, + require => Package[$deploy_target], } # community metrics mail (T81784, T1003) @@ -179,6 +180,7 @@ rcpt_address => 'wikitec...@lists.wikimedia.org', sndr_address => 'communitymetr...@wikimedia.org', monthday => '1', + require => Package[$deploy_target], } # project changes mail (T85183) @@ -187,6 +189,7 @@ rcpt_address => [ 'aklap...@wikimedia.org', 'kren...@gmail.com' ], sndr_address => 'aklap...@wikimedia.org', monthday => [1, 8, 15, 22, 29], + require => Package[$deploy_target], } } -- To view, visit https://gerrit.wikimedia.org/r/269561 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I0bdf3266c85883871e6f9417a1ca77cc317c5906 Gerrit-PatchSet: 13 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: 20after4 <mmod...@wikimedia.org> Gerrit-Reviewer: 20after4 <mmod...@wikimedia.org> Gerrit-Reviewer: ArielGlenn <ar...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Chasemp <r...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits