Giuseppe Lavagetto has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/395715 )
Change subject: mediawiki: move mediawiki::web to a profile
......................................................................
mediawiki: move mediawiki::web to a profile
Also, I didn't bother to fix all the hiera data because this is still a test commit in a series to remove explicit hiera calls.
Change-Id: I8bd2a493c5e17926554409259a457f7adbff2374
---
M hieradata/role/common/mediawiki/appserver.yaml
D modules/mediawiki/manifests/web.pp
M modules/mediawiki/manifests/web/modules.pp
M modules/mediawiki/manifests/web/php_engine.pp
A modules/profile/manifests/mediawiki/web.pp
M modules/role/manifests/mediawiki/webserver.pp
6 files changed, 111 insertions(+), 90 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/15/395715/1
diff --git a/hieradata/role/common/mediawiki/appserver.yaml b/hieradata/role/common/mediawiki/appserver.yaml
index 7d14664..3534daa 100644
--- a/hieradata/role/common/mediawiki/appserver.yaml
+++ b/hieradata/role/common/mediawiki/appserver.yaml
@@ -1,12 +1,14 @@
+# Parameters coming from explicit lookups
 cluster: appserver
+standard::has_ganglia: false
 role::lvs::realserver::pools:
 hhvm:
 lvs_name: apaches
 admin::groups:
 - deployment
 - perf-roots
-apache::mpm::mpm: worker
-mediawiki::web::mpm_config::mpm: worker
+profile::mediawiki::web::apache_mpm: worker
+role::mediawiki::webserver::tls: true
 hhvm::extra::fcgi:
 hhvm:
 mysql:
@@ -15,7 +17,9 @@
 hhvm:
 mysql:
 connect_timeout: 3000
+
+
+
+# Parameters we get from hiera autolookup
 apache::logrotate::rotate: 12
 nutcracker::verbosity: "4"
-role::mediawiki::webserver::tls: true
-standard::has_ganglia: false
diff --git a/modules/mediawiki/manifests/web.pp b/modules/mediawiki/manifests/web.pp
deleted file mode 100644
index 342af4e..0000000
--- a/modules/mediawiki/manifests/web.pp
+++ /dev/null
@@ -1,85 +0,0 @@
-# === Class mediawiki::web
-#
-# Installs and configures a web environment for mediawiki
-class mediawiki::web {
- tag 'mediawiki', 'mw-apache-config'
-
- include ::apache
- include ::mediawiki
- include ::mediawiki::users
-
- include ::mediawiki::web::modules
- include ::mediawiki::web::mpm_config
-
-
- file { '/etc/apache2/apache2.conf':
- content => template('mediawiki/apache/apache2.conf.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- before => Service['apache2'],
- require => Package['apache2'],
- }
-
- # Starting with stretch libapache2-mod-security2 includes the following
- # in /etc/apache2/mods-enabled/security2.conf:
- # # Include OWASP ModSecurity CRS rules if installed
- # IncludeOptional /usr/share/modsecurity-crs/owasp-crs*.load
- # The directory /usr/share/modsecurity-crs is shipped by the
- # modsecurity-crs package, but it's only a Recommends: of
- # libapache2-mod-security2, so it doesn'get installed. And IncludeOptional
- # is only optional for the full path, so if /usr/share/modsecurity-crs doesn't
- # exist, it bails out and apache refuses to start/restart. 
As such, ship an
- # empty directory to make that include truly optional
- # In addition IncludeOptional expects a wildcard (which the original config
- # from modsecurity-crs doesn't ship, so we also need to ship an empty
- # stub config
- # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878920
- # https://bz.apache.org/bugzilla/show_bug.cgi?id=57585
- # Once we're running a version of the patch proposed in Apache bugzilla, this
- # workaround can be removed
- if os_version('debian >= stretch') {
- file { '/usr/share/modsecurity-crs':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0775',
- before => File['/usr/share/modsecurity-crs/owasp-crs.load'],
- }
- file { '/usr/share/modsecurity-crs/owasp-crs.load':
- owner => 'root',
- content => '',
- group => 'root',
- mode => '0444',
- before => Service['apache2'],
- }
- }
-
- file { '/var/lock/apache2':
- ensure => directory,
- owner => $::mediawiki::users::web,
- group => 'root',
- mode => '0755',
- before => File['/etc/apache2/apache2.conf'],
- }
-
- apache::env { 'chuid_apache':
- vars => {
- 'APACHE_RUN_USER' => $::mediawiki::users::web,
- 'APACHE_RUN_GROUP' => $::mediawiki::users::web,
- },
- }
-
-
- # Not needed anymore. TODO: remove at a later stage
- apache::def { 'HHVM':
- ensure => absent,
- }
-
- # Set the Server response header to be equal to the app server FQDN.
- include ::apache::mod::security2
-
- apache::conf { 'server_header':
- content => template('mediawiki/apache/server-header.conf.erb'),
- }
-}
diff --git a/modules/mediawiki/manifests/web/modules.pp b/modules/mediawiki/manifests/web/modules.pp
index bbb3136..52dc994 100644
--- a/modules/mediawiki/manifests/web/modules.pp
+++ b/modules/mediawiki/manifests/web/modules.pp
@@ -76,4 +76,40 @@
 group => 'root',
 mode => '0444',
 }
+
+ # mod_security2 configuration
+ # Starting with stretch libapache2-mod-security2 includes the following
+ # in /etc/apache2/mods-enabled/security2.conf:
+ # # Include OWASP ModSecurity CRS rules if installed
+ # IncludeOptional /usr/share/modsecurity-crs/owasp-crs*.load
+ # The directory /usr/share/modsecurity-crs is shipped by the
+ # modsecurity-crs package, but it's only a Recommends: of
+ # libapache2-mod-security2, so it doesn'get installed. And IncludeOptional
+ # is only optional for the full path, so if /usr/share/modsecurity-crs doesn't
+ # exist, it bails out and apache refuses to start/restart. As such, ship an
+ # empty directory to make that include truly optional
+ # In addition IncludeOptional expects a wildcard (which the original config
+ # from modsecurity-crs doesn't ship, so we also need to ship an empty
+ # stub config
+ # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878920
+ # https://bz.apache.org/bugzilla/show_bug.cgi?id=57585
+ # Once we're running a version of the patch proposed in Apache bugzilla, this
+ # workaround can be removed
+ if os_version('debian >= stretch') {
+ file { '/usr/share/modsecurity-crs':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0775',
+ before => File['/usr/share/modsecurity-crs/owasp-crs.load'],
+ }
+ file { '/usr/share/modsecurity-crs/owasp-crs.load':
+ owner => 'root',
+ content => '',
+ group => 'root',
+ mode => '0444',
+ before => Service['apache2'],
+ }
+ }
+ class { '::apache::mod::security2': }
 }
diff --git a/modules/mediawiki/manifests/web/php_engine.pp b/modules/mediawiki/manifests/web/php_engine.pp
index ae8d7df..ce00dda 100644
--- a/modules/mediawiki/manifests/web/php_engine.pp
+++ b/modules/mediawiki/manifests/web/php_engine.pp
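Review bot: The `class { '::apache::mod::security2': }` added at the end of the hunk is a resource-like declaration of a class that receives no parameters here; if any other manifest also declares that class, catalog compilation fails with a duplicate declaration, whereas the `include ::apache::mod::security2` the deleted mediawiki::web used is idempotent, so `include ::apache::mod::security2` is the safer form. The stub resource for `/usr/share/modsecurity-crs/owasp-crs.load` with `content => ''` means no OWASP CRS rules are loaded at all, which the long comment above it only implies; stating it outright avoids anyone reading this block as enabling a ruleset, e.g. `# NOTE: the empty stub keeps the OWASP CRS disabled; its only purpose is to let apache start.` The enclosing class starts outside the hunk.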
@@ -18,4 +18,13 @@
 source => 'puppet:///modules/mediawiki/apache/configs/fcgi_headers.conf',
 priority => 0,
 }
+
+ # furl is a cURL-like command-line tool for making FastCGI requests.
+ # See `furl --help` for documentation and usage.
+ file { '/usr/local/bin/furl':
+ source => 'puppet:///modules/mediawiki/furl',
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ }
 }
diff --git a/modules/profile/manifests/mediawiki/web.pp b/modules/profile/manifests/mediawiki/web.pp
new file mode 100644
index 0000000..02fccd1
--- /dev/null
+++ b/modules/profile/manifests/mediawiki/web.pp
@@ -0,0 +1,57 @@
+# === Class mediawiki::web
+#
+# Installs and configures a web environment for mediawiki
+class profile::mediawiki::web(
+ $apache_mpm = hiera('profile::mediawiki::web::apache_mpm'),
+ $workers_limit = hiera('profile::mediawiki::web::workers_limit', undef),
+) {
+ tag 'mediawiki', 'mw-apache-config'
+
+ # AFAICS, we use www-data everywhere.
+ $user = 'www-data'
+
+ require ::profile::mediawiki::common
+ class { '::apache::mpm':
+ mpm => $apache_mpm
+ }
+
+ class { '::apache': }
+
+ class { '::mediawiki::users':
+ web => $user,
+ }
+
+ class { '::mediawiki::web::modules': }
+ class { '::mediawiki::web::mpm_config':
+ mpm => $apache_mpm,
+ workers_limit => $workers_limit
+ }
+
+ file { '/etc/apache2/apache2.conf':
+ content => template('mediawiki/apache/apache2.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ before => Service['apache2'],
+ require => Package['apache2'],
+ }
+
+ file { '/var/lock/apache2':
+ ensure => directory,
+ owner => $::mediawiki::users::web,
+ group => 'root',
+ mode => '0755',
+ before => File['/etc/apache2/apache2.conf'],
+ }
+
+ apache::env { 'chuid_apache':
+ vars => {
+ 'APACHE_RUN_USER' => $::mediawiki::users::web,
+ 'APACHE_RUN_GROUP' => $::mediawiki::users::web,
+ },
+ }
+
+ apache::conf { 'server_header':
+ content => template('mediawiki/apache/server-header.conf.erb'),
+ }
+}
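Review bot: The `/usr/local/bin/furl` file resource added in this hunk is not mentioned anywhere in the commit message, which only describes moving mediawiki::web to a profile; either add a sentence to the message or split it into its own change so it can be reviewed and reverted independently of the profile move. The enclosing class of this hunk starts outside it.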
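Review bot: The header comment of the new file still reads `# === Class mediawiki::web` while the class declared is `profile::mediawiki::web`, and neither parameter is documented; suggest `# === Class profile::mediawiki::web` followed by `# [*apache_mpm*] Apache MPM to configure (hiera: profile::mediawiki::web::apache_mpm)` and `# [*workers_limit*] optional value passed through to mediawiki::web::mpm_config (default undef)`. The parameterless resource-like declarations `class { '::apache': }` and `class { '::mediawiki::web::modules': }` replace the `include` calls the deleted class used; the role already does `include ::apache::monitoring` before including this profile, so any path that declares `::apache` elsewhere would now fail compilation with a duplicate declaration, and `include` is the safer form for classes that receive no parameters. `$user` is set to `'www-data'` and passed to `::mediawiki::users`, yet the later file and apache::env resources read `$::mediawiki::users::web` instead; using one of the two consistently removes the question of whether they can diverge.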
diff --git a/modules/role/manifests/mediawiki/webserver.pp b/modules/role/manifests/mediawiki/webserver.pp
index 43d0080..b7b466a 100644
--- a/modules/role/manifests/mediawiki/webserver.pp
+++ b/modules/role/manifests/mediawiki/webserver.pp
@@ -1,7 +1,7 @@
 class role::mediawiki::webserver {
 include ::role::mediawiki::common
 include ::apache::monitoring
- include ::mediawiki::web
+ include ::profile::mediawiki::web
 include ::mediawiki::web::sites
 include ::mediawiki::packages::fonts
 # FIXME: These should all be merged into the generic sites class!
-- 
To view, visit https://gerrit.wikimedia.org/r/395715
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I8bd2a493c5e17926554409259a457f7adbff2374
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits