Ayounsi has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/390330 )

Change subject: [WIP] Bird-lg
......................................................................

[WIP] Bird-lg

Change-Id: I3bbd8851a67fde8d9d778f6d3c263879ccfd659a
---
A modules/birdlg/manifests/lg_backend.pp
A modules/birdlg/manifests/lg_frontend.pp
A modules/birdlg/templates/lg.cfg.erb
A modules/birdlg/templates/lgproxy.cfg.erb
A modules/profile/manifests/birdlg/lg_backend.pp
A modules/profile/manifests/birdlg/lg_frontend.pp
A modules/profile/templates/birdlg/lg.wikimedia.org.erb
A modules/role/manifests/birdlg/lg_backend.pp
A modules/role/manifests/birdlg/lg_frontend.pp
9 files changed, 351 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/30/390330/1

diff --git a/modules/birdlg/manifests/lg_backend.pp b/modules/birdlg/manifests/lg_backend.pp
new file mode 100644
index 0000000..047ea4f
--- /dev/null
+++ b/modules/birdlg/manifests/lg_backend.pp
@@ -0,0 +1,80 @@
+# == Class: librenms
+#
+# This class installs & manages Bird and lgproxy, the backend part of BirdLG
+#
+class birdlg::lg_backend(
+    $install_dir='/srv/deployment/birdlg/',
+    $access_list=['127.0.0.1'],
+    $port = 5000,
+) {
+
+  package { [
+          'python-flask',
+          'python-dnspython',
+          'python-memcache',
+          'whois',
+          'traceroute',
+          'bird',
+      ]:
+      ensure => present,
+  }
+
+    file { '/etc/bird/bird.conf':  # TODO
+        ensure  => present,
+        owner   => 'bird',
+        group   => 'bird',
+        mode    => '0440',
+        content => template('birdlg/bird.conf.erb'),
+    }
+    file { '/etc/bird/bird6.conf':  # TODO
+        ensure  => present,
+        owner   => 'bird',
+        group   => 'bird',
+        mode    => '0440',
+        content => template('birdlg/bird6.conf.erb'),
+    }
+
+    service { 'bird':
+        ensure    => running,
+        subscribe => [
+          File['/etc/bird/bird.conf'],
+          File['/etc/bird/bird6.conf'],
+          ],
+        require   => Package['bird'],
+    }
+
+    file { "${install_dir}/lgproxy.cfg":
+        ensure  => present,
+        owner   => 'bird',
+        group   => 'bird',
+        mode    => '0440',
+        content => template('birdlg/lgproxy.cfg.erb'),
+    }
+
+    service::uwsgi { 'lgproxy':
+        port            => $port,
+        deployment_user => 'bird',   # TODO
+        config          => {
+            need-plugins => 'python',
+            chdir        => $install_dir,
+            wsgi         => 'lgproxy.wsgi',
+            vacuum       => true,
+            http-socket  => "0.0.0.0:${port}",
+            # T170189: make sure Python has a sane default encoding
+            env          => [
+                'LANG=C.UTF-8',
+                'PYTHONENCODING=utf-8',
+            ],
+        },
+        healthcheck_url => '/',
+        icinga_check    => false,
+        sudo_rules      => [
+            'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-lgproxy restart',
+            'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-lgproxy start',
+            'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-lgproxy status',
+            'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-lgproxy stop',
+        ],
+    }
+
+
+}
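Review bot: The two `/etc/bird` file resources render `template('birdlg/bird.conf.erb')` and `template('birdlg/bird6.conf.erb')`, but neither template is part of this change (the diffstat lists only lg.cfg.erb and lgproxy.cfg.erb), so the catalog cannot compile until they are added or the resources are dropped; the `# TODO` markers suggest this is known, but the dependency should be stated in the commit message. Separately, `http-socket => "0.0.0.0:${port}"` listens on every interface for a service that, judging by the bird/whois/traceroute packages it installs, runs network commands on behalf of the frontend, so only the ferm rule and the application's ACCESS_LIST stand between it and the network; binding to the host's own address (or 127.0.0.1 if the frontend is co-located) keeps the exposure to what is intended. The header `# == Class: librenms` is a copy-paste leftover and should read `# == Class: birdlg::lg_backend`.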
diff --git a/modules/birdlg/manifests/lg_frontend.pp b/modules/birdlg/manifests/lg_frontend.pp
new file mode 100644
index 0000000..1eeb1ad
--- /dev/null
+++ b/modules/birdlg/manifests/lg_frontend.pp
@@ -0,0 +1,29 @@
+# == Class: librenms
+#
+# This class installs & manages bird-lg frontend
+#
+class birdlg::lg_frontend(
+    $session_key,     #TODO
+    $install_dir='/srv/deployment/birdlg/',
+) {
+
+
+  package { [
+          'python-flask',
+          'python-dnspython',
+          'python-pydot',
+          'python-memcache',
+          'graphviz',
+      ]:
+      ensure => present,
+  }
+
+  file { "${install_dir}/lg.cfg":
+      ensure  => present,
+      owner   => 'bird',
+      group   => 'bird',
+      mode    => '0440',
+      content => template('birdlg/lg.cfg.erb'),
+  }
+
+}
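Review bot: The class declares its required parameter as `$session_key`, but the profile in modules/profile/manifests/birdlg/lg_frontend.pp declares `class { 'birdlg::lg_frontend': secret_key => $secret_key }`, so compilation fails with an unknown parameter plus a missing required one; either rename the parameter or the argument so both sides agree. The class also only installs packages and renders lg.cfg: no service is declared, while the apache vhost proxies to 127.0.0.1:5001 (the BIND_PORT in lg.cfg.erb), so nothing will answer there until a `service::uwsgi` comparable to the backend's `lgproxy` one is added. As in lg_backend.pp, the header `# == Class: librenms` should name this class.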
diff --git a/modules/birdlg/templates/lg.cfg.erb b/modules/birdlg/templates/lg.cfg.erb
new file mode 100644
index 0000000..cddcadd
--- /dev/null
+++ b/modules/birdlg/templates/lg.cfg.erb
@@ -0,0 +1,32 @@
+DEBUG = False
+LOG_FILE="<%= @install_dir %>/lg.log"
+LOG_LEVEL="WARNING"
+
+DOMAIN = "lg.wikimedia.org"
+
+BIND_IP = "127.0.0.1"
+BIND_PORT = 5001
+
+## TODO: Need to either add a line to /etc/hosts or a A record for PROXY.DOMAIN
+PROXY = {
+               "codfw": 5000,
+               "eqiad": 5000,
+       }
+
+# Used for bgpmap
+ROUTER_IP = {
+        "codfw" : ["208.80.153.192", "2620:0:860:ffff::1", "208.80.153.193", "2620:0:860:ffff::2", "208.80.153.198", "2620:0:860:ffff::5"],
+        "eqiad" : ["208.80.154.196", "2620:0:861:ffff::1", "208.80.154.197", "2620:0:861:ffff::2"],
+}
+
+AS_NUMBER = {
+    "codfw" : "14907",
+    "eqiad" : "14907"
+}
+
+#WHOIS_SERVER = "whois.foo.bar"
+
+# DNS zone to query for ASN -> name mapping
+ASN_ZONE = "asn.cymru.com"
+
+SESSION_KEY = '<%= @session_key %>'
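Review bot: `SESSION_KEY = '<%= @session_key %>'` writes the secret into Python source unescaped, so a key containing a single quote or a backslash produces a file the frontend cannot import; rendering it as `SESSION_KEY = <%= @session_key.inspect %>` (Ruby's double-quoted escaping is valid Python for an ASCII key — worth confirming for the key format actually used) avoids that. `DOMAIN = "lg.wikimedia.org"` is also the only place the public hostname agrees with the certificate requested in the profile; the apache template uses two other names, which is raised there. The ROUTER_IP lists are hand-maintained addresses with no comment on where they come from; a one-line pointer to the source of truth would help whoever has to update them.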
diff --git a/modules/birdlg/templates/lgproxy.cfg.erb b/modules/birdlg/templates/lgproxy.cfg.erb
new file mode 100644
index 0000000..a3d954b
--- /dev/null
+++ b/modules/birdlg/templates/lgproxy.cfg.erb
@@ -0,0 +1,8 @@
+DEBUG=False
+LOG_FILE="<%= @install_dir %>/lg-proxy.log"
+LOG_LEVEL="WARNING"
+ACCESS_LIST = ["<%= @access_list.join('", "') %>"]
+IPV4_SOURCE=""
+IPV6_SOURCE=""
+BIRD_SOCKET="/var/run/bird/bird.ctl"
+BIRD6_SOCKET="/var/run/bird/bird6.ctl"
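Review bot: `ACCESS_LIST = ["<%= @access_list.join('", "') %>"]` renders `[""]` rather than `[]` for an empty list and relies on no element containing a quote; `ACCESS_LIST = [<%= @access_list.map { |ip| "\"#{ip}\"" }.join(', ') %>]` renders every case correctly. Since this list appears to be the proxy's only application-level access check, the class parameter could also be validated as a list of IP addresses before it reaches the template.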
diff --git a/modules/profile/manifests/birdlg/lg_backend.pp b/modules/profile/manifests/birdlg/lg_backend.pp
new file mode 100644
index 0000000..6eaa67d
--- /dev/null
+++ b/modules/profile/manifests/birdlg/lg_backend.pp
@@ -0,0 +1,35 @@
+# Class: profile::birdlg::lg_backend
+#
+# This profile installs all the bird-lg backend related parts as WMF requires it
+#
+# Actions:
+#       Deploy bird-lg
+#       Install uwsgi
+#       Configure firewall rules
+#
+# Requires:
+#
+# Sample Usage:
+#       include profile::birdlg::lg_backend
+
+
+class profile::birdlg::lg_backend(
+) {
+  $port = 5000
+
+  include passwords::bird-lg
+  $secret_key = $passwords::birdlg::secret_key   ### TODO Not defined yet
+
+
+  ferm::service { 'bird-lg-proxy':
+      proto  => 'tcp',
+      port   => $port,
+      srange => '$PRODUCTION_NETWORKS',
+  }
+
+class { 'birdlg::lg_backend':
+      port        => $port,
+      access_list => ['208.80.154.5','208.80.153.110'],
+  }
+
+}
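Review bot: `include passwords::bird-lg` is not a valid Puppet class name (hyphens are not permitted), and the next line reads `$passwords::birdlg::secret_key` from a differently named class, so this does not compile; the same two lines appear in modules/profile/manifests/birdlg/lg_frontend.pp. In this backend profile `$secret_key` is never used afterwards, so both lines can simply be dropped here. The ferm rule opens `$port` to `$PRODUCTION_NETWORKS` while `access_list` narrows the proxy to two addresses; setting `srange` to those same hosts keeps the firewall and the application check consistent instead of leaving the wider exposure to the application alone. The `class { 'birdlg::lg_backend':` declaration is at column 0 inside the class body, which the rest of the file indents by two spaces.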
diff --git a/modules/profile/manifests/birdlg/lg_frontend.pp b/modules/profile/manifests/birdlg/lg_frontend.pp
new file mode 100644
index 0000000..19b4075
--- /dev/null
+++ b/modules/profile/manifests/birdlg/lg_frontend.pp
@@ -0,0 +1,67 @@
+
+# Class: profile::birdlg::lg_frontend
+#
+# This profile installs all the bird-lg frontend related parts as WMF requires it
+#
+# Actions:
+#       Deploy bird-lg
+#       Install uwsgi
+#       Install apache
+#
+# Requires:
+#
+# Sample Usage:
+#       include profile::birdlg::lg_backend
+
+
+class profile::birdlg::lg_frontend($active_server = hiera('netmon_server', 'netmon1002.wikimedia.org')){
+  # lint:ignore:wmf_styleguide
+    include ::apache
+    include ::apache::mod::headers
+    include ::apache::mod::proxy_http
+    include ::apache::mod::proxy
+    include ::apache::mod::rewrite
+    include ::apache::mod::ssl
+    include ::apache::mod::wsgi
+  # lint:endignore
+
+  include passwords::bird-lg
+  $secret_key = $passwords::birdlg::secret_key
+
+  class { 'birdlg::lg_frontend':
+      secret_key => $secret_key,
+  }
+
+  $ssl_settings = ssl_ciphersuite('apache', 'mid', true)
+
+  apache::site { 'lg.wikimedia.org':
+      content => template('profile/birdlg/lg.wikimedia.org.erb'),
+  }
+
+  letsencrypt::cert::integrated { 'birdlg':
+      subjects   => 'lg.wikimedia.org',
+      puppet_svc => 'apache2',
+      system_svc => 'apache2',
+      require    => Class['apache::mod::ssl'],
+  }
+
+  if $active_server == $::fqdn {
+        $monitoring_ensure = 'present'
+    } else {
+        $monitoring_ensure = 'absent'
+    }
+
+    monitoring::service { 'birdlg-https':
+        ensure        => $monitoring_ensure,
+        description   => 'HTTPS',
+        check_command => 'check_ssl_http_letsencrypt!lg.wikimedia.org',
+    }
+
+    monitoring::service { 'birdlg':
+        ensure        => $monitoring_ensure,
+        description   => 'LibreNMS HTTPS',
+        check_command => 'check_https_url!lg.wikimedia.org!https://lg.wikimedia.org',
+    }
+
+
+}
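Review bot: The `monitoring::service { 'birdlg': ... description => 'LibreNMS HTTPS' }` text and the header's `Sample Usage: include profile::birdlg::lg_backend` are copy-paste leftovers in a frontend profile; `description => 'Bird-lg HTTPS'` and `include profile::birdlg::lg_frontend` match the rest of the file. The vhost template tests `@port`, but this profile never sets `$port`, so the ProxyPass always falls back to 5001; defining `$port = 5001` here and passing it to both the class and the template (or removing the conditional from the template) makes the wiring explicit. The `include ::apache::mod::wsgi` line is only needed if the frontend runs under mod_wsgi, which nothing in this change does; it can go together with the `WSGIPassAuthorization` directive in the template once that decision is made.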
diff --git a/modules/profile/templates/birdlg/lg.wikimedia.org.erb b/modules/profile/templates/birdlg/lg.wikimedia.org.erb
new file mode 100644
index 0000000..5d97636
--- /dev/null
+++ b/modules/profile/templates/birdlg/lg.wikimedia.org.erb
@@ -0,0 +1,60 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+#####################################################################
+# vim: filetype=apache
+
+
+<VirtualHost *:80>
+    ServerName birdlg.wikimedia.org
+    ServerAdmin n...@wikimedia.org
+    Include /etc/acme/challenge-apache.conf
+    RewriteEngine on
+    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
+    RewriteRule ^/(.*)$ https://birdlg.wikimedia.org/$1 [L,R=301]
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName netbox.wikimedia.org
+    ServerAdmin n...@wikimedia.org
+
+    SSLEngine on
+    SSLCertificateFile /etc/acme/cert/birdlg.crt
+    SSLCertificateChainFile /etc/acme/cert/birdlg.chain.crt
+    SSLCertificateKeyFile /etc/acme/key/birdlg.key
+    <%= @ssl_settings.join("\n    ") %>
+
+    # https://httpoxy.org/
+    RequestHeader unset Proxy early
+
+    ProxyPreserveHost On
+
+    Alias /static /srv/deployment/birdlg/static
+
+    # Needed to allow token-based API authentication
+    WSGIPassAuthorization on
+
+    <Directory /srv/deployment/birdlg/static>
+        Options Indexes FollowSymLinks MultiViews
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    <Location /static>
+        ProxyPass !
+    </Location>
+
+    <%- if @port -%>
+    ProxyPass / http://127.0.0.1:<%= @port%>/
+    ProxyPassReverse / http://127.0.0.1:<%= @port%>/
+    <%- else -%>
+    ProxyPass / http://127.0.0.1:5001/
+    ProxyPassReverse / http://127.0.0.1:5001/
+    <%- end -%>
+
+    # Possible values include: debug, info, notice, warn, error, crit,
+    # alert, emerg.
+    LogLevel warn
+    CustomLog /var/log/apache2/lg.wikimedia.org-access.log wmf
+    ErrorLog /var/log/apache2/lg.wikimedia.org-error.log
+
+</VirtualHost>
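Review bot: The two virtual hosts disagree on their name: the port-80 block uses `ServerName birdlg.wikimedia.org` and redirects to `https://birdlg.wikimedia.org/$1`, the port-443 block uses `ServerName netbox.wikimedia.org`, while the certificate is requested for lg.wikimedia.org, lg.cfg sets DOMAIN to it and the log files are named after it; all of these should read `lg.wikimedia.org`, otherwise the redirect lands on a host whose certificate does not match. `Options Indexes FollowSymLinks MultiViews` on the static directory enables directory listing of the deployment's static tree, which reveals its file layout to anyone; `Options -Indexes FollowSymLinks MultiViews` keeps the rest while disabling listing. `WSGIPassAuthorization on` has no effect on a ProxyPass-backed site and, with its "token-based API authentication" comment, looks like it was carried over from another vhost; drop it unless the frontend will run under mod_wsgi.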
diff --git a/modules/role/manifests/birdlg/lg_backend.pp b/modules/role/manifests/birdlg/lg_backend.pp
new file mode 100644
index 0000000..6259dd6
--- /dev/null
+++ b/modules/role/manifests/birdlg/lg_backend.pp
@@ -0,0 +1,20 @@
+# Class: role::birdlg::lg_backend
+#
+# This profile installs all the bird-lg backend related parts as WMF requires it
+#
+# Actions:
+#       Deploy bird-lg backend
+#
+# Requires:
+#
+# Sample Usage:
+#       include role::birdlg::lg_backend
+#
+
+class role::birdlg::lg_backend {
+
+  system::role { 'birdlg::lg_backend': description => 'Bird-lg backend' }
+
+  include ::profile::birdlg::lg_backend
+
+}
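Review bot: The header says `# This profile installs all the bird-lg backend related parts` for what is a role class; `# This role applies the bird-lg backend profile to a host` describes it accurately, and the same wording fix applies to modules/role/manifests/birdlg/lg_frontend.pp. Both roles write `include ::profile::…` with a leading `::` while the profiles write `include passwords::bird-lg` without one; picking one form across the module keeps it consistent.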
diff --git a/modules/role/manifests/birdlg/lg_frontend.pp b/modules/role/manifests/birdlg/lg_frontend.pp
new file mode 100644
index 0000000..f9628a0
--- /dev/null
+++ b/modules/role/manifests/birdlg/lg_frontend.pp
@@ -0,0 +1,20 @@
+# Class: role::birdlg::lg_frontend
+#
+# This profile installs all the bird-lg frontend related parts as WMF requires it
+#
+# Actions:
+#       Deploy bird-lg frontend
+#
+# Requires:
+#
+# Sample Usage:
+#       include role::birdlg::lg_frontend
+#
+
+class role::birdlg::lg_frontend {
+
+  system::role { 'birdlg::lg_frontend': description => 'Bird-lg frontend' }
+
+  include ::profile::birdlg::lg_frontend
+
+}

-- 
To view, visit https://gerrit.wikimedia.org/r/390330
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3bbd8851a67fde8d9d778f6d3c263879ccfd659a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ayounsi <ayou...@wikimedia.org>
