Elukey has uploaded a new change for review. https://gerrit.wikimedia.org/r/312495
Change subject: First draft of the Pivot UI's puppetization ...................................................................... First draft of the Pivot UI's puppetization Remarks: 1) we tried to use service-runner but in the end we were not able to integrate its code with Pivot's one, so we'll work on it (maybe with upstream) later on. 2) for clarity and simplicity the only supported init is systemd so Pivot needs to be deployed to Debian. 3) Scap configuration has been provided. After a chat with Marko the proposal is to have analytics_deploy to own the files and the deployment key, but let pivot/pivot run the nodejs service. 4) The best thing to do, since the target host also runs other stuff, is imho to use Firejail. Bug: T138262 Change-Id: I0898ddf86bc8074b772cfa26d04a90a76cac52ce --- M hieradata/common/scap/server.yaml A modules/pivot/files/pivot.logrotate.conf A modules/pivot/files/pivot.profile.firejail A modules/pivot/files/pivot.rsyslog.conf A modules/pivot/manifests/init.pp A modules/pivot/templates/initscripts/pivot.systemd.erb A modules/role/manifests/pivot/pivot.pp M modules/statistics/manifests/sites/pivot.pp 8 files changed, 187 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/95/312495/1 diff --git a/hieradata/common/scap/server.yaml b/hieradata/common/scap/server.yaml index eb21642..2a0c074 100644 --- a/hieradata/common/scap/server.yaml +++ b/hieradata/common/scap/server.yaml @@ -43,6 +43,10 @@ repository: analytics/refinery scap_repository: analytics/refinery/scap + # Analytics UI to explore Druid's data + analytics/pivot: + repository: analytics/pivot/deploy + phabricator/deployment: repository: phabricator/deployment diff --git a/modules/pivot/files/pivot.logrotate.conf b/modules/pivot/files/pivot.logrotate.conf new file mode 100644 index 0000000..2785782 --- /dev/null +++ b/modules/pivot/files/pivot.logrotate.conf
@@ -0,0 +1,13 @@
+/var/log/pivot/*.log
+{
+ rotate 4
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ sharedscripts
+ postrotate
+ service rsyslog rotate >/dev/null 2>&1 || true
+ endscript
+}
diff --git a/modules/pivot/files/pivot.profile.firejail b/modules/pivot/files/pivot.profile.firejail
new file mode 100644
index 0000000..e83f7e1
--- /dev/null
+++ b/modules/pivot/files/pivot.profile.firejail
@@ -0,0 +1,27 @@
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/evtest
+blacklist ${PATH}/xev
+blacklist ${PATH}/strace
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+
+blacklist /etc/shadow
+blacklist /etc/ssh
+blacklist /root
+blacklist /home
+noroot
+caps.drop all
+seccomp
+net none
+private-dev
\ No newline at end of file
diff --git a/modules/pivot/files/pivot.rsyslog.conf b/modules/pivot/files/pivot.rsyslog.conf
new file mode 100644
index 0000000..e6f8367
--- /dev/null
+++ b/modules/pivot/files/pivot.rsyslog.conf
@@ -0,0 +1,4 @@
+if ($programname startswith 'pivot') then {
+ action(type="omfile" file="/var/log/pivot/pivot.log")
+ stop
+}
diff --git a/modules/pivot/manifests/init.pp b/modules/pivot/manifests/init.pp
new file mode 100644
index 0000000..31f39f7
--- /dev/null
+++ b/modules/pivot/manifests/init.pp
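Review bot: `net none` in the firejail profile puts the sandboxed nodejs process into a new, unconnected network namespace, so it can neither accept connections on the port the unit passes with `-p` nor reach the Druid broker given with `-d` (both visible in the pivot.systemd.erb hunk), and the Apache proxy the commit message relies on would only ever get connection refused. Either drop that line and rely on the host firewall rules, or keep a namespace on a real interface and constrain it with firejail's `netfilter` option so only the listening port and the broker are reachable; I'd verify the exact option set against the firejail version shipped on jessie. The blacklist entries above it appear to duplicate firejail's stock `disable-common.inc`, and an `include` of that file would keep them in sync with the package instead of a hand-copied list. The file also ends without a trailing newline.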
@@ -0,0 +1,96 @@
+# == Class: imply_pivot
+#
+# This class installs and configures the Imply Pivot nodejs application.
+#
+# Context up to September 2016:
+# There is a current dispute between Imply and Metamarkets about a possible
+# copyright infringement related to Imply's pivot UI.
+# The Analytics team set a while back a goal to provide a Pivot UI
+# to their users with the assumption that all the code
+# used/deployed was open souce and freely available. If this assumption will
+# change in the future, for example after a legal sentence, the Analytics team
+# will take the necessary actions.
+# For any question please reach out to the Analytics team:
+# https://www.mediawiki.org/wiki/Analytics#Contact
+#
+# Bug: T138262
+#
+# === Parameters
+#
+# TODO
+#
+
+class pivot(
+ $port = 9090,
+ $druid_broker = undef,
+ $deployment_user = 'analytics_deploy',
+ $scap_repo = 'analytics/pivot/deploy',
+ $contact_group = 'admins',
+) {
+
+ requires_os('debian >= jessie')
+ require_package('nodejs', 'nodejs-legacy', 'firejail')
+
+ $scap_deployment_base_dir = '/srv/deployment'
+ $pivot_deployment_dir = "$scap_deployment_base_dir/$scap_repo"
+
+ monitoring::service { 'pivot':
+ description => 'pivot',
+ check_command => 'check_tcp!$port',
+ contact_group => $contact_group
+ }
+
+ scap::target { 'analytics/pivot/deploy':
+ deploy_user => $deployment_user,
+ service_name => 'pivot',
+ before => Base::Service_unit['pivot'],
+ }
+
+ group { 'pivot':
+ ensure => present,
+ system => true,
+ before => User['pivot'],
+ }
+
+ user { 'pivot':
+ gid => 'pivot',
+ shell => '/bin/bash',
+ system => true,
+ before => Base::Service_unit['pivot'],
+ }
+
+ file { '/var/log/pivot':
+ ensure => directory,
+ owner => 'pivot',
+ group => 'root',
+ mode => '0755',
+ after => User['pivot'],
+ }
+
+ file { '/etc/firejail/pivot.profile':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///modules/pivot/pivot.profile.firejail',
+ before =>
Base::Service_Unit['pivot'],
+ }
+
+ logrotate::conf { 'pivot':
+ ensure => present,
+ source => 'puppet:///modules/pivot/pivot.logrotate.conf',
+ }
+
+ systemd::syslog { 'pivot':
+ readable_by => 'all',
+ base_dir => '/var/log/pivot',
+ group => 'root',
+ before => Base::Service_unit['pivot'],
+ }
+
+ base::service_unit { 'pivot':
+ ensure => present,
+ systemd => true,
+ }
+
+}
\ No newline at end of file
diff --git a/modules/pivot/templates/initscripts/pivot.systemd.erb b/modules/pivot/templates/initscripts/pivot.systemd.erb
new file mode 100644
index 0000000..5223c0f
--- /dev/null
+++ b/modules/pivot/templates/initscripts/pivot.systemd.erb
@@ -0,0 +1,19 @@
+# NOTE: This file is managed by Puppet
+# Systemd unit for the Imply Pivot UI
+[Unit]
+Description="pivot service"
+After=network.target
+
+[Service]
+User=pivot
+Group=pivot
+Environment="NODE_PATH=$pivot_deployment_dir/node_modules"
+Restart=always
+RestartSec=2s
+# wait 60 seconds for a graceful restart before killing the master
+TimeoutStopSec=60
+WorkingDirectory=$pivot_deployment_dir
+ExecStart=/usr/bin/firejail --profile=/etc/firejail/pivot.profile -- /usr/bin/nodejs $pivot_deployment_dir/build/bin/pivot -p $port -d $druid_broker
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/modules/role/manifests/pivot/pivot.pp b/modules/role/manifests/pivot/pivot.pp
new file mode 100644
index 0000000..934d7d2
--- /dev/null
+++ b/modules/role/manifests/pivot/pivot.pp
@@ -0,0 +1,18 @@
+# == Class: role::pivot
+class role::pivot {
+
+ system::role { 'role::pivot':
+ description => "Imply Pivot UI"
+ }
+
+ class { '::pivot':
+ port => 9090,
+ druid_broker => 'druid1001.eqiad.wmnet:8082',
+ contact_group => 'analytics',
+ }
+
+ ferm::service { 'pivot':
+ proto => 'tcp',
+ port => '9090',
+ }
+}
\ No newline at end of file
diff --git a/modules/statistics/manifests/sites/pivot.pp b/modules/statistics/manifests/sites/pivot.pp
index 987bd3c..cb9db32 100644
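Review bot: `after => User['pivot']` on the `/var/log/pivot` file resource is not a Puppet metaparameter, so the catalog will fail to compile; the ordering intended there is `require => User['pivot'],`. `check_command => 'check_tcp!$port'` is single-quoted, so the monitoring check receives the literal text `$port` instead of the configured port; it should read `check_command => "check_tcp!${port}",`. The `pivot` service account is created with `shell => '/bin/bash'` although nothing in this class needs an interactive shell for it; `shell => '/bin/false',` (or `/usr/sbin/nologin`) keeps a daemon-only account from being usable for logins. Nothing in this manifest references `modules/pivot/files/pivot.rsyslog.conf`, so if `systemd::syslog` already renders an rsyslog rule that file is dead; worth confirming before merge. The header comment documents a class named `imply_pivot` while the declaration is `class pivot`, the parameters section is still `TODO`, and the resource reference is spelled both `Base::Service_unit` and `Base::Service_Unit` — one spelling and a filled-in parameter list would make the module easier to read.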
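Review bot: The unit template contains no ERB tags, so `$pivot_deployment_dir`, `$port` and `$druid_broker` land in the rendered unit as literal text; systemd does not expand shell-style variables in `WorkingDirectory=` or `Environment=`, and in `ExecStart=` it only expands names previously set via `Environment=`, so the service cannot start with these paths and arguments. The three lines should interpolate the class variables: `Environment="NODE_PATH=<%= @pivot_deployment_dir %>/node_modules"`, `WorkingDirectory=<%= @pivot_deployment_dir %>` and `ExecStart=/usr/bin/firejail --profile=/etc/firejail/pivot.profile -- /usr/bin/nodejs <%= @pivot_deployment_dir %>/build/bin/pivot -p <%= @port %> -d <%= @druid_broker %>`. Because `druid_broker` defaults to `undef` in the class, a role that does not set it would render an empty `-d` argument; failing early in the class when it is unset would surface that misconfiguration at catalog time rather than at service start.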
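Review bot: `ferm::service { 'pivot': proto => 'tcp', port => '9090' }` opens the nodejs port with no source restriction, which lets any host able to reach the machine talk to Pivot directly and bypass the LDAP-authenticating Apache proxy the commit message presents as the access control. If the proxy runs on the same host the rule is not needed at all and the application should listen on the loopback address only, assuming Pivot can be configured that way; otherwise add an `srange` limited to the proxy host(s). The port is also spelled out twice, as the integer `9090` for the class and the string `'9090'` for ferm; a single variable in the role would keep the two from drifting apart. `description => "Imply Pivot UI"` contains nothing to interpolate, so single quotes are what puppet-lint will expect.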
--- a/modules/statistics/manifests/sites/pivot.pp
+++ b/modules/statistics/manifests/sites/pivot.pp
@@ -1,8 +1,11 @@
-# == Class statistics::sites::yarn
+# == Class statistics::sites::pivot
 # pivot.wikimedia.org
 #
-# This site will be a simple reverse proxy to the nodejs service serving
-# the pivot UI, used to limit the access to authenticated clients (via LDAP).
+# This site is composed by two parts:
+# 1) a simple Apache reverse proxy to limit the access to authenticated
+# clients (via LDAP);
+# 2) a nodejs application (Imply's pivot UI) deployed via scap (not part of
+# this class).
 #
 # Context up to September 2016:
 # There is a current dispute between Imply and Metamarkets about a possible
-- To view, visit https://gerrit.wikimedia.org/r/312495 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0898ddf86bc8074b772cfa26d04a90a76cac52ce Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Elukey <ltosc...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits