Giuseppe Lavagetto has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/395715 )

Change subject: mediawiki: move mediawiki::web to a profile
......................................................................

mediawiki: move mediawiki::web to a profile

Also, I didn't bother to fix all the hiera data because this is still a
test commit in a series to remove explicit hiera calls.

Change-Id: I8bd2a493c5e17926554409259a457f7adbff2374
---
M hieradata/role/common/mediawiki/appserver.yaml
D modules/mediawiki/manifests/web.pp
M modules/mediawiki/manifests/web/modules.pp
M modules/mediawiki/manifests/web/php_engine.pp
A modules/profile/manifests/mediawiki/web.pp
M modules/role/manifests/mediawiki/webserver.pp
6 files changed, 111 insertions(+), 90 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/15/395715/1

diff --git a/hieradata/role/common/mediawiki/appserver.yaml 
b/hieradata/role/common/mediawiki/appserver.yaml
index 7d14664..3534daa 100644
--- a/hieradata/role/common/mediawiki/appserver.yaml
+++ b/hieradata/role/common/mediawiki/appserver.yaml
@@ -1,12 +1,14 @@
+# Parameters coming from explicit lookups
 cluster: appserver
+standard::has_ganglia: false
 role::lvs::realserver::pools:
   hhvm:
     lvs_name: apaches
 admin::groups:
   - deployment
   - perf-roots
-apache::mpm::mpm: worker
-mediawiki::web::mpm_config::mpm: worker
+profile::mediawiki::web::apache_mpm: worker
+role::mediawiki::webserver::tls: true
 hhvm::extra::fcgi:
   hhvm:
     mysql:
@@ -15,7 +17,9 @@
   hhvm:
     mysql:
       connect_timeout: 3000
+
+
+
+# Parameters we get from hiera autolookup
 apache::logrotate::rotate: 12
 nutcracker::verbosity: "4"
-role::mediawiki::webserver::tls: true
-standard::has_ganglia: false
diff --git a/modules/mediawiki/manifests/web.pp 
b/modules/mediawiki/manifests/web.pp
deleted file mode 100644
index 342af4e..0000000
--- a/modules/mediawiki/manifests/web.pp
+++ /dev/null
@@ -1,85 +0,0 @@
-# === Class mediawiki::web
-#
-# Installs and configures a web environment for mediawiki
-class mediawiki::web {
-    tag 'mediawiki', 'mw-apache-config'
-
-    include ::apache
-    include ::mediawiki
-    include ::mediawiki::users
-
-    include ::mediawiki::web::modules
-    include ::mediawiki::web::mpm_config
-
-
-    file { '/etc/apache2/apache2.conf':
-        content => template('mediawiki/apache/apache2.conf.erb'),
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0444',
-        before  => Service['apache2'],
-        require => Package['apache2'],
-    }
-
-    # Starting with stretch libapache2-mod-security2 includes the following
-    # in /etc/apache2/mods-enabled/security2.conf:
-    #   # Include OWASP ModSecurity CRS rules if installed
-    #   IncludeOptional /usr/share/modsecurity-crs/owasp-crs*.load
-    # The directory /usr/share/modsecurity-crs is shipped by the
-    # modsecurity-crs package, but it's only a Recommends: of
-    # libapache2-mod-security2, so it doesn'get installed. And IncludeOptional
-    # is only optional for the full path, so if /usr/share/modsecurity-crs 
doesn't
-    # exist, it bails out and apache refuses to start/restart. As such, ship an
-    # empty directory to make that include truly optional
-    # In addition IncludeOptional expects a wildcard (which the original config
-    # from modsecurity-crs doesn't ship, so we also need to ship an empty
-    # stub config
-    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878920
-    # https://bz.apache.org/bugzilla/show_bug.cgi?id=57585
-    # Once we're running a version of the patch proposed in Apache bugzilla, 
this
-    # workaround can be removed
-    if os_version('debian >= stretch') {
-        file { '/usr/share/modsecurity-crs':
-            ensure => directory,
-            owner  => 'root',
-            group  => 'root',
-            mode   => '0775',
-            before => File['/usr/share/modsecurity-crs/owasp-crs.load'],
-        }
-        file { '/usr/share/modsecurity-crs/owasp-crs.load':
-            owner   => 'root',
-            content => '',
-            group   => 'root',
-            mode    => '0444',
-            before  => Service['apache2'],
-        }
-    }
-
-    file { '/var/lock/apache2':
-        ensure => directory,
-        owner  => $::mediawiki::users::web,
-        group  => 'root',
-        mode   => '0755',
-        before => File['/etc/apache2/apache2.conf'],
-    }
-
-    apache::env { 'chuid_apache':
-        vars => {
-            'APACHE_RUN_USER'  => $::mediawiki::users::web,
-            'APACHE_RUN_GROUP' => $::mediawiki::users::web,
-        },
-    }
-
-
-    # Not needed anymore. TODO: remove at a later stage
-    apache::def { 'HHVM':
-        ensure => absent,
-    }
-
-    # Set the Server response header to be equal to the app server FQDN.
-    include ::apache::mod::security2
-
-    apache::conf { 'server_header':
-        content  => template('mediawiki/apache/server-header.conf.erb'),
-    }
-}
diff --git a/modules/mediawiki/manifests/web/modules.pp 
b/modules/mediawiki/manifests/web/modules.pp
index bbb3136..52dc994 100644
--- a/modules/mediawiki/manifests/web/modules.pp
+++ b/modules/mediawiki/manifests/web/modules.pp
@@ -76,4 +76,40 @@
         group  => 'root',
         mode   => '0444',
     }
+
+    # mod_security2 configuration
+    # Starting with stretch libapache2-mod-security2 includes the following
+    # in /etc/apache2/mods-enabled/security2.conf:
+    #   # Include OWASP ModSecurity CRS rules if installed
+    #   IncludeOptional /usr/share/modsecurity-crs/owasp-crs*.load
+    # The directory /usr/share/modsecurity-crs is shipped by the
+    # modsecurity-crs package, but it's only a Recommends: of
+    # libapache2-mod-security2, so it doesn'get installed. And IncludeOptional
+    # is only optional for the full path, so if /usr/share/modsecurity-crs 
doesn't
+    # exist, it bails out and apache refuses to start/restart. As such, ship an
+    # empty directory to make that include truly optional
+    # In addition IncludeOptional expects a wildcard (which the original config
+    # from modsecurity-crs doesn't ship, so we also need to ship an empty
+    # stub config
+    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878920
+    # https://bz.apache.org/bugzilla/show_bug.cgi?id=57585
+    # Once we're running a version of the patch proposed in Apache bugzilla, 
this
+    # workaround can be removed
+    if os_version('debian >= stretch') {
+        file { '/usr/share/modsecurity-crs':
+            ensure => directory,
+            owner  => 'root',
+            group  => 'root',
+            mode   => '0775',
+            before => File['/usr/share/modsecurity-crs/owasp-crs.load'],
+        }
+        file { '/usr/share/modsecurity-crs/owasp-crs.load':
+            owner   => 'root',
+            content => '',
+            group   => 'root',
+            mode    => '0444',
+            before  => Service['apache2'],
+        }
+    }
+    class { '::apache::mod::security2': }
 }
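Review bot: The stub directory `/usr/share/modsecurity-crs` is created with `mode => '0775'`, which leaves a directory that Apache reads `IncludeOptional` files from group-writable. With `group => 'root'` the exposure is small, but `mode => '0755',` is the least-privilege choice. The comment block should also say outright that `owasp-crs.load` is deliberately empty, so no CRS rules are loaded on these hosts, and that Puppet would keep it empty if the modsecurity-crs package were installed later (assuming the package ships a file at that path). `class { '::apache::mod::security2': }` replaces the earlier `include`; a resource-like declaration fails when the class has already been declared elsewhere in the catalog, so `include ::apache::mod::security2` is the safer form while no parameters are passed. The enclosing class starts outside this hunk.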
diff --git a/modules/mediawiki/manifests/web/php_engine.pp 
b/modules/mediawiki/manifests/web/php_engine.pp
index ae8d7df..ce00dda 100644
--- a/modules/mediawiki/manifests/web/php_engine.pp
+++ b/modules/mediawiki/manifests/web/php_engine.pp
@@ -18,4 +18,13 @@
         source   => 
'puppet:///modules/mediawiki/apache/configs/fcgi_headers.conf',
         priority => 0,
     }
+
+    # furl is a cURL-like command-line tool for making FastCGI requests.
+    # See `furl --help` for documentation and usage.
+    file { '/usr/local/bin/furl':
+        source => 'puppet:///modules/mediawiki/furl',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0555',
+    }
 }
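Review bot: The new `/usr/local/bin/furl` resource has no `ensure`, so the intended type is left implicit; adding `ensure => file,` makes Puppet refuse to manage the path as anything other than a regular file. None of the six files in this change removes an existing `furl` declaration, so if the file is still declared in another class that ends up in the same catalog, compilation would fail with a duplicate resource; it is worth confirming where it was declared before. The enclosing class starts outside this hunk.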
diff --git a/modules/profile/manifests/mediawiki/web.pp 
b/modules/profile/manifests/mediawiki/web.pp
new file mode 100644
index 0000000..02fccd1
--- /dev/null
+++ b/modules/profile/manifests/mediawiki/web.pp
@@ -0,0 +1,57 @@
+# === Class mediawiki::web
+#
+# Installs and configures a web environment for mediawiki
+class profile::mediawiki::web(
+    $apache_mpm = hiera('profile::mediawiki::web::apache_mpm'),
+    $workers_limit = hiera('profile::mediawiki::web::workers_limit', undef),
+) {
+    tag 'mediawiki', 'mw-apache-config'
+
+    # AFAICS, we use www-data everywhere.
+    $user = 'www-data'
+
+    require ::profile::mediawiki::common
+    class { '::apache::mpm':
+        mpm => $apache_mpm
+    }
+
+    class { '::apache': }
+
+    class { '::mediawiki::users':
+        web => $user,
+    }
+
+    class { '::mediawiki::web::modules': }
+    class { '::mediawiki::web::mpm_config':
+        mpm           => $apache_mpm,
+        workers_limit => $workers_limit
+    }
+
+    file { '/etc/apache2/apache2.conf':
+        content => template('mediawiki/apache/apache2.conf.erb'),
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        before  => Service['apache2'],
+        require => Package['apache2'],
+    }
+
+    file { '/var/lock/apache2':
+        ensure => directory,
+        owner  => $::mediawiki::users::web,
+        group  => 'root',
+        mode   => '0755',
+        before => File['/etc/apache2/apache2.conf'],
+    }
+
+    apache::env { 'chuid_apache':
+        vars => {
+            'APACHE_RUN_USER'  => $::mediawiki::users::web,
+            'APACHE_RUN_GROUP' => $::mediawiki::users::web,
+        },
+    }
+
+    apache::conf { 'server_header':
+        content  => template('mediawiki/apache/server-header.conf.erb'),
+    }
+}
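Review bot: The `/var/lock/apache2` owner and both `apache::env` values still read `$::mediawiki::users::web` although this class now sets `$user = 'www-data'` and passes it to `mediawiki::users` itself. Using `$user` in those three places keeps the Apache run-as account defined in one spot. The header comment still reads `# === Class mediawiki::web`; it should be `# === Class profile::mediawiki::web` and list the `apache_mpm` and `workers_limit` parameters. The `server_header` conf also lost the comment that tied it to mod_security2, which is now declared in `mediawiki::web::modules`; a line such as `# Sets the Server response header to the app server FQDN; presumably relies on mod_security2 from mediawiki::web::modules` would keep that dependency visible.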
diff --git a/modules/role/manifests/mediawiki/webserver.pp 
b/modules/role/manifests/mediawiki/webserver.pp
index 43d0080..b7b466a 100644
--- a/modules/role/manifests/mediawiki/webserver.pp
+++ b/modules/role/manifests/mediawiki/webserver.pp
@@ -1,7 +1,7 @@
 class role::mediawiki::webserver {
     include ::role::mediawiki::common
     include ::apache::monitoring
-    include ::mediawiki::web
+    include ::profile::mediawiki::web
     include ::mediawiki::web::sites
     include ::mediawiki::packages::fonts
     # FIXME: These should all be merged into the generic sites class!
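Review bot: `include ::apache::monitoring` is still evaluated before `include ::profile::mediawiki::web`, and the new profile declares `class { '::apache': }` and `class { '::apache::mpm': ... }` resource-style. If `apache::monitoring` (not visible here) includes `::apache`, the later resource-like declaration would fail with a duplicate declaration error. Moving `include ::profile::mediawiki::web` above `include ::apache::monitoring`, or using plain `include ::apache` in the profile, removes the ordering dependency. The class body continues outside this hunk.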

-- 
To view, visit https://gerrit.wikimedia.org/r/395715
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I8bd2a493c5e17926554409259a457f7adbff2374
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org>
