Thcipriani has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/351179 )
Change subject: WIP: scap: Add a scap::master profile ...................................................................... WIP: scap: Add a scap::master profile Bring scap masters closer to following the puppet coding guidelines. Start by adding a master profile. Change-Id: I3afb15580729bd9c46f4c31db5537fb2b1aeee76 --- D hieradata/common/scap.yaml A hieradata/common/scap/master.yaml M hieradata/labs/deployment-prep/common.yaml M hieradata/role/common/deployment/server.yaml A modules/profile/manifests/scap/master.pp D modules/role/manifests/deployment/mediawiki.pp M modules/role/manifests/deployment/server.pp M modules/role/templates/deployment/inactive.motd.erb M modules/scap/manifests/init.pp M modules/scap/manifests/master.pp M modules/scap/manifests/target.pp 11 files changed, 238 insertions(+), 209 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/79/351179/1 diff --git a/hieradata/common/scap.yaml b/hieradata/common/scap.yaml deleted file mode 100644 index 53fd913..0000000 --- a/hieradata/common/scap.yaml +++ /dev/null @@ -1,2 +0,0 @@ -# scap3 (git-based) deployment server -scap::deployment_server: "naos.codfw.wmnet" diff --git a/hieradata/common/scap/master.yaml b/hieradata/common/scap/master.yaml new file mode 100644 index 0000000..9a7d841 --- /dev/null +++ b/hieradata/common/scap/master.yaml 
@@ -0,0 +1,109 @@
+scap::master::deployment_server: "naos.codfw.wmnet"
+scap::master::keyholder_user: mwdeploy
+scap::master::keyholder_group:
+ - 'wikidev'
+ - 'mwdeploy'
+scap::master::deployment_group: wikidev
+
+# Default scap::server configuration. This is used in production.
+# If you are setting up scap::server in labs, these will be used
+# unless you override them for your labs project.
+# See the overrides in hieradata/labs/deployment-prep/common.yaml
+# for an example.
+
+# keyholder::agent declarations. These are created
+# by the scap::server class. Each agent listed here
+# will be present and useable by scap on the scap deploy server.
+# NOTE: since labs
+scap::master::keyholder_agents:
+
+ phabricator:
+ trusted_groups:
+ - deploy-phabricator
+
+ eventlogging:
+ trusted_groups:
+ - eventlogging-admins
+
+ deploy-service:
+ trusted_groups:
+ - deploy-service
+ - aqs-admins
+ - deploy-aqs
+
+ dumpsdeploy:
+ trusted_groups:
+ - ops
+
+ analytics_deploy:
+ trusted_groups:
+ - analytics-admins
+
+# scap::source declarations. These are created
+# by the scap::server class. Each source listed here
+# will be cloned on the scap deploy server.
+scap::master::sources:
+ analytics/refinery:
+ repository: analytics/refinery
+ scap_repository: analytics/refinery/scap
+ changeprop/deploy:
+ repository: mediawiki/services/change-propagation/deploy
+# lvs_service: changeprop
+ citoid/deploy: {}
+# lvs_service: citoid
+ cxserver/deploy: {}
+# lvs_service: cxserver
+ dumps/dumps:
+ repository: operations/dumps
+ scap_repository: operations/dumps/scap
+ electron-render/deploy: {}
+ eventlogging/eventbus:
+ repository: eventlogging
+ scap_repository: eventlogging/scap/eventbus
+ eventlogging/analytics:
+ repository: eventlogging
+ scap_repository: eventlogging/scap/analytics
+ # Public EventStreams service
+ eventstreams/deploy:
+ repository: mediawiki/services/eventstreams/deploy
+ graphoid/deploy: {}
+# lvs_service: graphoid
+ kartotherian/deploy:
+ repository: maps/kartotherian/deploy
+# lvs_service: kartotherian
+ analytics/pivot/deploy:
+ repository: analytics/pivot/deploy
+ mathoid/deploy: {}
+# lvs_service: mathoid
+ mobileapps/deploy: {}
+# lvs_service: mobileapps
+ ores/deploy: {}
+# lvs_service: ores
+ parsoid/deploy: {}
+# lvs_service: parsoid
+ phabricator/deployment:
+ repository: phabricator/deployment
+ restbase/deploy: {}
+ # This is actually cloned from github at the moment and the repository indicated
+ # doesn't exist.
+ servermon/servermon:
+ repository: operations/software/servermon
+ striker/deploy:
+ repository: labs/striker/deploy
+ tilerator/deploy:
+ repository: maps/tilerator/deploy
+# lvs_service: tilerator
+ trending-edits/deploy: {}
+ wdqs/wdqs:
+ repository: wikidata/query/deploy
+# lvs_service: wdqs
+ zotero/translation-server: {}
+# lvs_service: zotero
+ zotero/translators: {}
+# lvs_service: zotero
+ # Time-window compaction strategy for Cassandra
+ cassandra/twcs:
+ repository: operations/software/cassandra-twcs
+ # Prometheus JMX exporter
+ prometheus/jmx_exporter:
+ repository: operations/software/prometheus_jmx_exporter
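Review bot: The comment `# NOTE: since labs` above `scap::master::keyholder_agents` breaks off mid-sentence, and both comment blocks still say the resources are created "by the scap::server class" although the keys now live in the `scap::master::` namespace. The `trusted_groups` lists presumably decide which groups may use each agent's deployment key, so the comments around them should be accurate. I would finish or drop the NOTE, name the consuming class, and add a line such as `# trusted_groups: groups allowed to use this agent's key through keyholder`.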
diff --git a/hieradata/labs/deployment-prep/common.yaml b/hieradata/labs/deployment-prep/common.yaml index 3df1b05..f75d0e3 100644 --- a/hieradata/labs/deployment-prep/common.yaml +++ b/hieradata/labs/deployment-prep/common.yaml @@ -169,7 +169,12 @@ "zotero::http_proxy": deployment-urldownloader.deployment-prep.eqiad.wmflabs:8080 deployment_server: deployment-tin.deployment-prep.eqiad.wmflabs "trebuchet::deployment_server": deployment-tin.deployment-prep.eqiad.wmflabs -"scap::deployment_server": deployment-tin.deployment-prep.eqiad.wmflabs +scap::master::deployment_server: deployment-tin.deployment-prep.eqiad.wmflabs +scap::master::keyholder_user: mwdeploy +scap::master::keyholder_group: + - 'wikidev' + - 'mwdeploy' +scap::master::deployment_group: wikidev scap::dsh::scap_masters: - deployment-tin.deployment-prep.eqiad.wmflabs @@ -240,7 +245,7 @@ # deployment-prep keyholder::agent declarations. These are created # by the scap::server class. Each agent listed here # will be present and useable by scap on the scap deploy server. -scap::keyholder_agents: +scap::master::keyholder_agents: phabricator: trusted_groups: @@ -257,7 +262,7 @@ # deployment-prep scap::source declarations. These are created # by the role deployment::server. Each source listed here # will be cloned on the scap deploy server. -scap::sources: +scap::master::sources: phabricator/deployment: repository: phabricator/deployment diff --git a/hieradata/role/common/deployment/server.yaml b/hieradata/role/common/deployment/server.yaml index 36ad813..c04f29a 100644 --- a/hieradata/role/common/deployment/server.yaml +++ b/hieradata/role/common/deployment/server.yaml 
@@ -29,105 +29,3 @@ server: light_process_count: 0 light_process_file_prefix: -# Default scap::server configuration. This is used in production. -# If you are setting up scap::server in labs, these will be used -# unless you override them for your labs project. -# See the overrides in hieradata/labs/deployment-prep/common.yaml -# for an example. - -# keyholder::agent declarations. These are created -# by the scap::server class. Each agent listed here -# will be present and useable by scap on the scap deploy server. -# NOTE: since labs -scap::keyholder_agents: - - phabricator: - trusted_groups: - - deploy-phabricator - - eventlogging: - trusted_groups: - - eventlogging-admins - - deploy-service: - trusted_groups: - - deploy-service - - aqs-admins - - deploy-aqs - - dumpsdeploy: - trusted_groups: - - ops - - analytics_deploy: - trusted_groups: - - analytics-admins - -# scap::source declarations. These are created -# by the scap::server class. Each source listed here -# will be cloned on the scap deploy server. 
-scap::sources: - analytics/refinery: - repository: analytics/refinery - scap_repository: analytics/refinery/scap - changeprop/deploy: - repository: mediawiki/services/change-propagation/deploy -# lvs_service: changeprop - citoid/deploy: {} -# lvs_service: citoid - cxserver/deploy: {} -# lvs_service: cxserver - dumps/dumps: - repository: operations/dumps - scap_repository: operations/dumps/scap - electron-render/deploy: {} - eventlogging/eventbus: - repository: eventlogging - scap_repository: eventlogging/scap/eventbus - eventlogging/analytics: - repository: eventlogging - scap_repository: eventlogging/scap/analytics - # Public EventStreams service - eventstreams/deploy: - repository: mediawiki/services/eventstreams/deploy - graphoid/deploy: {} -# lvs_service: graphoid - kartotherian/deploy: - repository: maps/kartotherian/deploy -# lvs_service: kartotherian - analytics/pivot/deploy: - repository: analytics/pivot/deploy - mathoid/deploy: {} -# lvs_service: mathoid - mobileapps/deploy: {} -# lvs_service: mobileapps - ores/deploy: {} -# lvs_service: ores - parsoid/deploy: {} -# lvs_service: parsoid - phabricator/deployment: - repository: phabricator/deployment - restbase/deploy: {} - # This is actually cloned from github at the moment and the repository indicated - # doesn't exist. - servermon/servermon: - repository: operations/software/servermon - striker/deploy: - repository: labs/striker/deploy - tilerator/deploy: - repository: maps/tilerator/deploy -# lvs_service: tilerator - trending-edits/deploy: {} - wdqs/wdqs: - repository: wikidata/query/deploy -# lvs_service: wdqs - zotero/translation-server: {} -# lvs_service: zotero - zotero/translators: {} -# lvs_service: zotero - # Time-window compaction strategy for Cassandra - cassandra/twcs: - repository: operations/software/cassandra-twcs - # Prometheus JMX exporter - prometheus/jmx_exporter: - repository: operations/software/prometheus_jmx_exporter 
diff --git a/modules/profile/manifests/scap/master.pp b/modules/profile/manifests/scap/master.pp
new file mode 100644
index 0000000..7647981
--- /dev/null
+++ b/modules/profile/manifests/scap/master.pp
@@ -0,0 +1,100 @@
+# == Class profile::scap::master
+#
+# Setup scap server
+class profile::scap::master(
+ $keyholder_user = hiera('scap::master::keyholder_user'),
+ $keyholder_group = hiera('scap::master::keyholder_group', []),
+ $keyholder_agents = hiera('scap::master::keyholder_agents', {}),
+ $keyholder_sources = hiera('scap::master::keyholder_sources', {}),
+ $deployment_group = hiera('scap::master::deployment_group'),
+ $active_deployment_server = hiera('scap::master::deployment_server'),
+) {
+ include ::profile::mediawiki::nutcracker
+ include ::profile::scap::dsh
+
+ if $::realm != 'labs' {
+ include role::microsites::releases::upload
+ # backup /home dirs on deployment servers
+ include ::profile::backup::host
+ backup::set {'home': }
+ }
+
+ # Base scap setup
+ class { '::scap':
+ active_deployment_server => $active_deployment_server,
+ }
+ class { '::scap::ferm': }
+ class { '::scap::master':
+ active_deployment_server => $active_deployment_server,
+ deployment_group => $deployment_group,
+ }
+
+ # All needed classes for deploying mediawiki
+ class { '::mediawiki': }
+ class { '::mediawiki::packages::php5': }
+
+ # Keyholder
+ class { '::keyholder': }
+ class { '::keyholder::monitoring': }
+
+ # Resources
+ keyholder::agent { $keyholder_user:
+ trusted_groups => $keyholder_group,
+ }
+
+ ## Scap Config ##
+ # Create an instance of $keyholder_agents for each of the key specs.
+ create_resources('keyholder::agent', $keyholder_agents)
+
+ $base_path = '/srv/deployment'
+
+ # Create an instance of scap_source for each of the key specs in hiera.
+ Scap::Source {
+ base_path => $base_path,
+ }
+
+ create_resources('scap::source', $keyholder_sources)
+ ## End scap config ###
+
+ # Firewall rules
+ ferm::service { 'rsyncd_scap_master':
+ proto => 'tcp',
+ port => '873',
+ srange => '$MW_APPSERVER_NETWORKS',
+ }
+ ### End firewall rules
+
+ #T83854
+ ::monitoring::icinga::git_merge { 'mediawiki_config':
+ dir => '/srv/mediawiki-staging/',
+ user => 'root',
+ remote => 'readonly',
+ remote_branch => 'master',
+ }
+
+ # Also make sure that no files have been stolen by root ;-)
+ ::monitoring::icinga::bad_directory_owner { '/srv/mediawiki-staging': }
+
+ $deploy_ensure = $active_deployment_server ? {
+ $::fqdn => 'absent',
+ default => 'present'
+ }
+
+ class { '::deployment::rsync':
+ deployment_server => $active_deployment_server,
+ cron_ensure => $deploy_ensure,
+ }
+
+ motd::script { 'inactive_warning':
+ ensure => $deploy_ensure,
+ priority => 01,
+ content => template('role/deployment/inactive.motd.erb'),
+ }
+
+ file { '/var/lock/scap-global-lock':
+ ensure => $deploy_ensure,
+ owner => 'root',
+ group => 'root',
+ content => "Not the active deployment server, use ${active_deployment_server}",
+ }
+}
diff --git a/modules/role/manifests/deployment/mediawiki.pp b/modules/role/manifests/deployment/mediawiki.pp
deleted file mode 100644
index ae1a161..0000000
--- a/modules/role/manifests/deployment/mediawiki.pp
+++ /dev/null
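Review bot: In the new modules/profile/manifests/scap/master.pp, `$keyholder_sources` is read from `hiera('scap::master::keyholder_sources', {})`, but the hieradata in this change (hieradata/common/scap/master.yaml and the deployment-prep common.yaml) defines the repositories under `scap::master::sources`. With the `{}` default the lookup misses silently and `create_resources('scap::source', $keyholder_sources)` creates nothing, so no repository would be cloned on the deploy server. I would change the parameter to `$sources = hiera('scap::master::sources'),` with no default and the call to `create_resources('scap::source', $sources)`, so that a missing key fails the catalog compile instead of yielding an empty deploy host. The `{}` default on `scap::master::keyholder_agents` has the same silent-miss behaviour and deserves the same decision.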
@@ -1,25 +0,0 @@ -# === Class role::deployment::mediawiki -# Installs everything needed to deploy mediawiki -class role::deployment::mediawiki( - $keyholder_user = 'mwdeploy', - $keyholder_group = ['wikidev', 'mwdeploy'], - ) { - - # All needed classes for deploying mediawiki - include ::mediawiki - include ::mediawiki::packages::php5 - include ::profile::mediawiki::nutcracker - include ::scap::master - include ::profile::scap::dsh - include ::scap::ferm - - # Keyholder - require ::keyholder - require ::keyholder::monitoring - - keyholder::agent { $keyholder_user: - trusted_groups => $keyholder_group, - } - - # Wikitech credentials file -} diff --git a/modules/role/manifests/deployment/server.pp b/modules/role/manifests/deployment/server.pp index 5d793c6..29bb796 100644 --- a/modules/role/manifests/deployment/server.pp +++ b/modules/role/manifests/deployment/server.pp @@ -5,23 +5,12 @@ ) { include ::standard - $base_path = '/srv/deployment' - include role::deployment::mediawiki + include profile::scap::master - ## Scap Config ## - require ::scap - - # Create an instance of $keyholder_agents for each of the key specs. - create_resources('keyholder::agent', hiera('scap::keyholder_agents', {})) - - # Create an instance of scap_source for each of the key specs in hiera. - Scap::Source { - base_path => $base_path, - } - - create_resources('scap::source', hiera('scap::sources', {})) - ## End scap config ### - + # TODO: move below to profiles + # + # Much of this is shared config of trebuchet and scap3. Fully removing + # trebuchet will make this much easier to sort in separate profiles. include ::deployment::umask_wikidev class { 'deployment::deployment_server': 
@@ -36,23 +25,9 @@ include network::constants $deployable_networks = $::network::constants::deployable_networks - if $::realm != 'labs' { - include role::microsites::releases::upload - # backup /home dirs on deployment servers - include ::profile::backup::host - backup::set {'home': } - } - - # Firewall rules - ferm::service { 'rsyncd_scap_master': - proto => 'tcp', - port => '873', - srange => '$MW_APPSERVER_NETWORKS', - } - - $deployable_networks_ferm = join($deployable_networks, ' ') + # Firewall rules # T113351 ferm::service { 'http_deployment_server': desc => 'http on trebuchet deployment servers, for serving actual files to deploy', @@ -62,17 +37,6 @@ } ### End firewall rules - - #T83854 - ::monitoring::icinga::git_merge { 'mediawiki_config': - dir => '/srv/mediawiki-staging/', - user => 'root', - remote => 'readonly', - remote_branch => 'master', - } - - # Also make sure that no files have been stolen by root ;-) - ::monitoring::icinga::bad_directory_owner { '/srv/mediawiki-staging': } ### Trebuchet file { '/srv/deployment': @@ -89,30 +53,6 @@ $deployment_server = hiera('deployment_server', 'tin.eqiad.wmnet') class { '::deployment::redis': deployment_server => $deployment_server - } - - $deploy_ensure = $deployment_server ? { - $::fqdn => 'absent', - default => 'present' - } - - class { '::deployment::rsync': - deployment_server => $deployment_server, - cron_ensure => $deploy_ensure, - } - - $main_deployment_server = hiera('scap::deployment_server') - motd::script { 'inactive_warning': - ensure => $deploy_ensure, - priority => 01, - content => template('role/deployment/inactive.motd.erb'), - } - - file { '/var/lock/scap-global-lock': - ensure => $deploy_ensure, - owner => 'root', - group => 'root', - content => "Not the active deployment server, use ${main_deployment_server}", } # Bacula backups (T125527) diff --git a/modules/role/templates/deployment/inactive.motd.erb b/modules/role/templates/deployment/inactive.motd.erb index 4eb13bc..0a41d7b 100755 
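Review bot: In modules/role/manifests/deployment/server.pp the role keeps `$deployment_server = hiera('deployment_server', 'tin.eqiad.wmnet')` for `::deployment::redis`, while the `$deploy_ensure` selector, `::deployment::rsync` and `/var/lock/scap-global-lock` removed in the last hunk are now driven in profile::scap::master by `scap::master::deployment_server`. Before this change `$deploy_ensure` compared `$::fqdn` with the `deployment_server` key. If the two keys name different hosts (the common hieradata in this change sets the scap key to naos.codfw.wmnet and the fallback here is tin.eqiad.wmnet), the host that loses the global lock and the inactive MOTD changes. A comment on the remaining lookup, e.g. `# trebuchet/redis only; scap's active master comes from scap::master::deployment_server`, or a single shared key, would make the intended source of truth explicit.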
--- a/modules/role/templates/deployment/inactive.motd.erb +++ b/modules/role/templates/deployment/inactive.motd.erb @@ -18,6 +18,6 @@ If you want to deploy software, you should /not/ do it from here; it will probably work, but the next deployer could lose track of any of -your changes. Connect to '<%= @main_deployment_server %>' instead, it will +your changes. Connect to '<%= @active_deployment_server %>' instead, it will route you to the correct server. MOTD diff --git a/modules/scap/manifests/init.pp b/modules/scap/manifests/init.pp index 162d922..bc2b883 100644 --- a/modules/scap/manifests/init.pp +++ b/modules/scap/manifests/init.pp @@ -3,14 +3,14 @@ # Common role for scap masters and targets # # == Parameters: -# [*deployment_server*] +# [*active_deployment_server*] # Server that provides git repositories for scap3. Default 'deployment'. # # [*wmflabs_master*] # Master scap rsync host in the wmflabs domain. # Default 'deployment-tin.deployment-prep.eqiad.wmflabs'. class scap ( - $deployment_server = 'deployment', + $active_deployment_server = 'deployment', $wmflabs_master = 'deployment-tin.deployment-prep.eqiad.wmflabs', $version = '3.5.7-1', ) { diff --git a/modules/scap/manifests/master.pp b/modules/scap/manifests/master.pp index f99a54b..35240b7 100644 --- a/modules/scap/manifests/master.pp +++ b/modules/scap/manifests/master.pp 
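Review bot: In modules/scap/manifests/init.pp, renaming the `scap` class parameter to `$active_deployment_server` leaves the literal default `'deployment'` as the value for every declaration that does not pass it explicitly. This change also deletes the `scap::deployment_server` key in hieradata/common/scap.yaml and adds no `scap::active_deployment_server` key. If the old key reached the class through automatic parameter lookup (not visible here), hosts that include `::scap` outside profile::scap::master would silently switch from naos.codfw.wmnet to 'deployment'. The class body is outside the hunk and init.pp has no other hunk, so any `$deployment_server` reference remaining there should be checked as well. The parameter doc could state who sets it now, e.g. `#   Set by profile::scap::master from scap::master::deployment_server.`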
@@ -2,13 +2,14 @@ # # Sets up a scap master (currently tin and mira) class scap::master( - $common_path = '/srv/mediawiki', - $common_source_path = '/srv/mediawiki-staging', - $patches_path = '/srv/patches', - $rsync_host = "deployment.${::site}.wmnet", - $statsd_host = 'statsd.eqiad.wmnet', - $statsd_port = 8125, - $deployment_group = 'wikidev', + $common_path = '/srv/mediawiki', + $common_source_path = '/srv/mediawiki-staging', + $patches_path = '/srv/patches', + $rsync_host = "deployment.${::site}.wmnet", + $statsd_host = 'statsd.eqiad.wmnet', + $statsd_port = 8125, + $deployment_group = 'wikidev', + $active_deployment_server = undef, ) { include scap::scripts include rsync::server @@ -52,8 +53,11 @@ hosts_allow => $::network::constants::special_hosts[$::realm]['deployment_hosts']; } + $run_l10nupdate = $active_deployment_server == $::fqdn + class { 'scap::l10nupdate': deployment_group => $deployment_group, + run_l10nupdate => $run_l10nupdate, } file { '/usr/local/bin/scap-master-sync': diff --git a/modules/scap/manifests/target.pp b/modules/scap/manifests/target.pp index 00a9955..46109d3 100644 --- a/modules/scap/manifests/target.pp +++ b/modules/scap/manifests/target.pp 
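Review bot: In the second hunk of modules/scap/manifests/master.pp, `$run_l10nupdate = $active_deployment_server == $::fqdn` is false whenever the class is declared without the new parameter, because the first hunk defaults it to `undef`, so l10nupdate would be switched off silently on such hosts. The class header does not document the parameter either. `run_l10nupdate` is also passed to `scap::l10nupdate`, whose manifest is not among the 11 files in this change, so unless that class already accepts the parameter the catalog will not compile. I would drop the `undef` default or document it, e.g. `# [*active_deployment_server*] FQDN of the active master; l10nupdate runs only on that host.`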
@@ -94,7 +94,7 @@ # Allow $deploy_user login from scap deployment host. # adds an exception in /etc/security/access.conf # to work around labs-specific restrictions - $deployment_host = hiera('scap::deployment_server') + $deployment_host = hiera('scap::master::deployment_server') $deployment_ip = ipresolve($deployment_host, 4, $::nameservers[0]) security::access::config { "scap-allow-${deploy_user}": content => "+ : ${deploy_user} : ${deployment_ip}\n", -- To view, visit https://gerrit.wikimedia.org/r/351179 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3afb15580729bd9c46f4c31db5537fb2b1aeee76 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Thcipriani <tcipri...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits