Elukey has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/312495

Change subject: First draft of the Pivot UI's puppetization
......................................................................

First draft of the Pivot UI's puppetization

Remarks:
1) we tried to use service-runner but in the end we were not
   able to integrate its code with Pivot's one, so we'll work on it
   (maybe with upstream) later on.
2) for clarity and simplicity the only supported init is systemd so
   Pivot needs to be deployed to Debian.
3) Scap configuration has been provided. After a chat with Marko
   the proposal is to have analytics_deploy to own the files and
   the deployment key, but let pivot/pivot run the nodejs service.
4) The best thing to do, since the target host also runs other stuff,
   is imho to use Firejail.

Bug: T138262
Change-Id: I0898ddf86bc8074b772cfa26d04a90a76cac52ce
---
M hieradata/common/scap/server.yaml
A modules/pivot/files/pivot.logrotate.conf
A modules/pivot/files/pivot.profile.firejail
A modules/pivot/files/pivot.rsyslog.conf
A modules/pivot/manifests/init.pp
A modules/pivot/templates/initscripts/pivot.systemd.erb
A modules/role/manifests/pivot/pivot.pp
M modules/statistics/manifests/sites/pivot.pp
8 files changed, 187 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/95/312495/1

diff --git a/hieradata/common/scap/server.yaml 
b/hieradata/common/scap/server.yaml
index eb21642..2a0c074 100644
--- a/hieradata/common/scap/server.yaml
+++ b/hieradata/common/scap/server.yaml
@@ -43,6 +43,10 @@
     repository: analytics/refinery
     scap_repository: analytics/refinery/scap
 
+  # Analytics UI to explore Druid's data
+  analytics/pivot:
+    repository: analytics/pivot/deploy
+
   phabricator/deployment:
     repository: phabricator/deployment
 
diff --git a/modules/pivot/files/pivot.logrotate.conf 
b/modules/pivot/files/pivot.logrotate.conf
new file mode 100644
index 0000000..2785782
--- /dev/null
+++ b/modules/pivot/files/pivot.logrotate.conf
@@ -0,0 +1,13 @@
+/var/log/pivot/*.log
+{
+    rotate 4
+    daily
+    missingok
+    notifempty
+    delaycompress
+    compress
+    sharedscripts
+    postrotate
+        service rsyslog rotate >/dev/null 2>&1 || true
+    endscript
+}
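Review bot: `rotate 4` combined with `daily` keeps only four days of Pivot logs, which is a short window if a problem on this LDAP-fronted service has to be investigated after the fact; consider a longer retention (the other analytics services' logrotate configs are a reasonable reference) unless four days is intended. The rest of the stanza (`missingok`, `delaycompress`, HUP via `service rsyslog rotate` in `postrotate`) looks fine for a file written by rsyslog.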
diff --git a/modules/pivot/files/pivot.profile.firejail 
b/modules/pivot/files/pivot.profile.firejail
new file mode 100644
index 0000000..e83f7e1
--- /dev/null
+++ b/modules/pivot/files/pivot.profile.firejail
@@ -0,0 +1,27 @@
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/evtest
+blacklist ${PATH}/xev
+blacklist ${PATH}/strace
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+
+blacklist /etc/shadow
+blacklist /etc/ssh
+blacklist /root
+blacklist /home
+noroot
+caps.drop all
+seccomp
+net none
+private-dev
\ No newline at end of file
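Review bot: `net none` will make the service unusable: it puts the process in a new network namespace whose only interface is its own loopback, so Pivot can neither be reached on port 9090 by the Apache reverse proxy on the host nor open a connection to the Druid broker it is started with (`-d $druid_broker` in the unit template). Drop `net none` (or, if network isolation is wanted, give the sandbox a bridged `net` interface explicitly) and keep the process-level hardening, which is the valuable part here:
```
noroot
caps.drop all
seccomp
```
Two smaller points: the profile relies on blacklisting individual binaries (`${PATH}/nc`, `${PATH}/strace`, ...), which is hard to keep complete; an allowlist via `private-bin` with just `nodejs` and what it needs, plus `private-tmp` and a `read-only` entry for the deployment directory, would be tighter. And the file lacks a trailing newline.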
diff --git a/modules/pivot/files/pivot.rsyslog.conf 
b/modules/pivot/files/pivot.rsyslog.conf
new file mode 100644
index 0000000..e6f8367
--- /dev/null
+++ b/modules/pivot/files/pivot.rsyslog.conf
@@ -0,0 +1,4 @@
+if ($programname startswith 'pivot') then {
+    action(type="omfile" file="/var/log/pivot/pivot.log")
+    stop
+}
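Review bot: this file is not installed by anything in the change: `modules/pivot/manifests/init.pp` has no `file` resource pointing at `puppet:///modules/pivot/pivot.rsyslog.conf`, and the `systemd::syslog { 'pivot': base_dir => '/var/log/pivot' }` resource there already appears to set up the same routing to `/var/log/pivot`. Either drop the file or deploy it into `/etc/rsyslog.d/` and remove the `systemd::syslog` resource, so the log path is configured in exactly one place. Note also that `startswith 'pivot'` is a prefix match, so any program whose name begins with `pivot` would land in this file.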
diff --git a/modules/pivot/manifests/init.pp b/modules/pivot/manifests/init.pp
new file mode 100644
index 0000000..31f39f7
--- /dev/null
+++ b/modules/pivot/manifests/init.pp
@@ -0,0 +1,96 @@
+# == Class: imply_pivot
+#
+# This class installs and configures the Imply Pivot nodejs application.
+# 
+# Context up to September 2016:
+# There is a current dispute between Imply and Metamarkets about a possible
+# copyright infringement related to Imply's pivot UI.
+# The Analytics team set a while back a goal to provide a Pivot UI
+# to their users with the assumption that all the code
+# used/deployed was open souce and freely available. If this assumption will
+# change in the future, for example after a legal sentence, the Analytics team
+# will take the necessary actions.
+# For any question please reach out to the Analytics team:
+# https://www.mediawiki.org/wiki/Analytics#Contact
+#
+# Bug: T138262
+#
+# === Parameters
+#
+# TODO
+#
+
+class pivot(
+    $port            = 9090,
+    $druid_broker    = undef,
+    $deployment_user = 'analytics_deploy',
+    $scap_repo       = 'analytics/pivot/deploy',
+    $contact_group   = 'admins',
+) {
+
+    requires_os('debian >= jessie')
+    require_package('nodejs', 'nodejs-legacy', 'firejail')
+
+    $scap_deployment_base_dir = '/srv/deployment'
+    $pivot_deployment_dir = "$scap_deployment_base_dir/$scap_repo"
+
+    monitoring::service { 'pivot':
+        description   => 'pivot',
+        check_command => 'check_tcp!$port',
+        contact_group => $contact_group
+    }
+
+    scap::target { 'analytics/pivot/deploy':
+        deploy_user  => $deployment_user,
+        service_name => 'pivot',
+        before       => Base::Service_unit['pivot'],
+    }
+
+    group { 'pivot':
+        ensure => present,
+        system => true,
+        before => User['pivot'],
+    }
+
+    user { 'pivot':
+        gid    => 'pivot',
+        shell  => '/bin/bash',
+        system => true,
+        before => Base::Service_unit['pivot'],
+    }
+
+    file { '/var/log/pivot':
+        ensure => directory,
+        owner  => 'pivot',
+        group  => 'root',
+        mode   => '0755',
+        after  => User['pivot'],
+    }
+
+    file { '/etc/firejail/pivot.profile':
+        ensure => present,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0444',
+        source => 'puppet:///modules/pivot/pivot.profile.firejail',
+        before => Base::Service_Unit['pivot'],
+    }
+
+    logrotate::conf { 'pivot':
+        ensure => present,
+        source => 'puppet:///modules/pivot/pivot.logrotate.conf',
+    }
+
+    systemd::syslog { 'pivot':
+        readable_by => 'all',
+        base_dir    => '/var/log/pivot',
+        group       => 'root',
+        before      => Base::Service_unit['pivot'],
+    }
+
+    base::service_unit { 'pivot':
+        ensure  => present,
+        systemd => true,
+    }
+
+}
\ No newline at end of file
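Review bot: two of the resources in this class will not do what they are meant to. `check_command => 'check_tcp!$port'` is single-quoted, so Puppet does not interpolate `$port` and Icinga receives the literal string; it needs double quotes, `"check_tcp!${port}"`. And the `file { '/var/log/pivot': ... }` resource uses `after => User['pivot']`, which is not a Puppet metaparameter (catalog compilation will reject it); the intended ordering is `require => User['pivot']`. Smaller points: the header comment says `Class: imply_pivot` while the class is `pivot`; the service account gets `shell => '/bin/bash'` although nothing in the change logs in as `pivot` (the unit runs it directly), so `/bin/false` or `/usr/sbin/nologin` would fit a system user better; `readable_by => 'all'` makes the logs world-readable on a host the commit message says also runs other things, so check that is intended; `Base::Service_Unit` and `Base::Service_unit` should be spelled the same way; and `"$scap_deployment_base_dir/$scap_repo"` should be written `"${scap_deployment_base_dir}/${scap_repo}"` per puppet-lint. The `=== Parameters` section still reads `TODO`.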
diff --git a/modules/pivot/templates/initscripts/pivot.systemd.erb 
b/modules/pivot/templates/initscripts/pivot.systemd.erb
new file mode 100644
index 0000000..5223c0f
--- /dev/null
+++ b/modules/pivot/templates/initscripts/pivot.systemd.erb
@@ -0,0 +1,19 @@
+# NOTE: This file is managed by Puppet
+# Systemd unit for the Imply Pivot UI
+[Unit]
+Description="pivot service"
+After=network.target
+
+[Service]
+User=pivot
+Group=pivot
+Environment="NODE_PATH=$pivot_deployment_dir/node_modules"
+Restart=always
+RestartSec=2s
+# wait 60 seconds for a graceful restart before killing the master
+TimeoutStopSec=60
+WorkingDirectory=$pivot_deployment_dir
+ExecStart=/usr/bin/firejail --profile=/etc/firejail/pivot.profile -- 
/usr/bin/nodejs $pivot_deployment_dir/build/bin/pivot -p $port -d $druid_broker
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
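Review bot: the template will render the Puppet variables literally. This is an ERB file, so `$pivot_deployment_dir`, `$port` and `$druid_broker` are only substituted when written as ERB tags (`<%= @pivot_deployment_dir %>`, `<%= @port %>`, `<%= @druid_broker %>`); as written, `WorkingDirectory=$pivot_deployment_dir` is an invalid path for systemd, and in `ExecStart=` systemd expands `$port`/`$druid_broker` only from the unit's `Environment=`, where they are not set, so nodejs would be started with empty `-p` and `-d` arguments. The `NODE_PATH` value in `Environment=` has the same problem. Also `Description="pivot service"` keeps the quotes in the shown description, and since the class defaults `$druid_broker` to `undef`, the template should either guard the `-d` argument or the class should fail early when it is unset.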
diff --git a/modules/role/manifests/pivot/pivot.pp 
b/modules/role/manifests/pivot/pivot.pp
new file mode 100644
index 0000000..934d7d2
--- /dev/null
+++ b/modules/role/manifests/pivot/pivot.pp
@@ -0,0 +1,18 @@
+# == Class: role::pivot
+class role::pivot {
+
+    system::role { 'role::pivot':
+        description => "Imply Pivot UI"
+    }
+
+    class { '::pivot':
+        port          => 9090,
+        druid_broker  => 'druid1001.eqiad.wmnet:8082',
+        contact_group => 'analytics',
+    }
+
+    ferm::service { 'pivot':
+        proto => 'tcp',
+        port  => '9090',
+    }
+}
\ No newline at end of file
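Review bot: the `ferm::service { 'pivot': proto => 'tcp', port => '9090' }` rule has no source restriction, so it opens the Node.js port to every host that can reach the machine and lets clients bypass the LDAP-authenticated Apache reverse proxy that `statistics::sites::pivot` describes as the access control for this UI. Since the proxy runs on the same host and talks to 127.0.0.1:9090, no ferm rule is needed at all; if one is kept, restrict it with `srange` to the proxy. The port is also hard-coded twice (class parameter and ferm rule); put it in a local variable so the two cannot drift apart.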
diff --git a/modules/statistics/manifests/sites/pivot.pp 
b/modules/statistics/manifests/sites/pivot.pp
index 987bd3c..cb9db32 100644
--- a/modules/statistics/manifests/sites/pivot.pp
+++ b/modules/statistics/manifests/sites/pivot.pp
@@ -1,8 +1,11 @@
-# == Class statistics::sites::yarn
+# == Class statistics::sites::pivot
 # pivot.wikimedia.org
 #
-# This site will be a simple reverse proxy to the nodejs service serving
-# the pivot UI, used to limit the access to authenticated clients (via LDAP).
+# This site is composed by two parts:
+# 1) a simple Apache reverse proxy to limit the access to authenticated
+#    clients (via LDAP);
+# 2) a nodejs application (Imply's pivot UI) deployed via scap (not part of
+#    this class).
 #
 # Context up to September 2016:
 # There is a current dispute between Imply and Metamarkets about a possible
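Review bot: wording only: in the new doc comment, "This site is composed by two parts" should read "This site is composed of two parts". The split into proxy and scap-deployed application is otherwise a clear description of what the class now covers.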

-- 
To view, visit https://gerrit.wikimedia.org/r/312495
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0898ddf86bc8074b772cfa26d04a90a76cac52ce
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Elukey <ltosc...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits