Matanya has uploaded a new change for review.
https://gerrit.wikimedia.org/r/108289
Change subject: beta: convert into a module
......................................................................
beta: convert into a module
Change-Id: I2200ce11e948ba96c1fedd20083db1fd62c64620
---
D manifests/misc/beta.pp
M manifests/role/beta.pp
R modules/beta/files/sync-site-resources
R modules/beta/files/wmf-beta-autoupdate.py
A modules/beta/manifests/autoupdater.pp
A modules/beta/manifests/init.pp
A modules/beta/manifests/natdestrewrite.pp
A modules/beta/manifests/natfix.pp
A modules/beta/manifests/syncsiteresources.pp
9 files changed, 111 insertions(+), 125 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/89/108289/1
diff --git a/manifests/misc/beta.pp b/manifests/misc/beta.pp
deleted file mode 100644
index 815960c..0000000
--- a/manifests/misc/beta.pp
+++ /dev/null
@@ -1,121 +0,0 @@
-class misc::beta::autoupdater {
-
- require misc::deployment::common_scripts
-
- # Parsoid JavaScript dependencies are updated on beta via npm
- package { 'npm':
- ensure => present,
- }
-
- file {
- # Old shell version
- "/usr/local/bin/wmf-beta-autoupdate":
- ensure => absent;
- # Python rewrite
- "/usr/local/bin/wmf-beta-autoupdate.py":
- owner => root,
- group => root,
- mode => 0555,
- require => [
- Package['git-core'],
- ],
- source =>
'puppet:///files/misc/beta/wmf-beta-autoupdate.py';
- "/etc/default/wmf-beta-autoupdate":
- ensure => absent;
- "/etc/init/wmf-beta-autoupdate.conf":
- ensure => absent;
- }
-
- # Phased out in favor of a dedicated Jenkins job running directly on the
- # beta parsoid instance.
- file { '/usr/local/bin/wmf-beta-parsoid-remote.sh':
- ensure => absent,
- }
-
- # Make sure wmf-beta-autoupdate can run the l10n updater as l10nupdate
- sudo_user { "mwdeploy" : privileges => [
- 'ALL = (l10nupdate) NOPASSWD:/usr/local/bin/mw-update-l10n',
- 'ALL = (l10nupdate) NOPASSWD:/usr/local/bin/mwscript',
- 'ALL = (l10nupdate)
NOPASSWD:/usr/local/bin/refreshCdbJsonFiles',
- # Some script running as mwdeploy explicily use "sudo -u
mwdeploy"
- # which makes Ubuntu to request a password. The following rule
- # make sure we are not going to ask the password to mwdeploy
when
- # it tries to identify as mwdeploy.
- 'ALL = (mwdeploy) NOPASSWD: ALL',
-
- # mergeMessageFileList.php is run by mw-update-l10n as the
apache user
- # since https://gerrit.wikimedia.org/r/#/c/44548/
- # Let it runs mwscript and others as apache user.
- 'ALL = (apache) NOPASSWD: ALL',
- ] }
-
- # Phase out old upstart job
- file { '/etc/init.d/wmf-beta-autoupdate':
- ensure => absent;
- }
-
-}
-
-# Workaround NAT traversal issue when a beta cluster instance attempt to
-# connect to a beta public IP. The NAT would get the packet loss, instead
-# transparently destination IP of outgoing packets to point directly to the
-# private IP instance instead of the public IP.
-#
-# FIXME should probably be applied by default on ALL beta cluster instances.
-#
-# References:
-#
-# RT #4824 - https://rt.wikimedia.org/Ticket/Display.html?id=4824
-# bug #45868 - https://bugzilla.wikimedia.org/show_bug.cgi?id=45868
-class misc::beta::natfixup {
-
- # List out the instance public IP and private IP as described in
OpenStack
- # manager interface
- #
- # FIXME ideally that should be fetched directly from OpenStack
- # configuration to make sure the iptables revwrites are always in sync
with
- # the web interface :-D
- #
- $nat_mappings = {
- 'deployment-cache-text1' => { public_ip => '208.80.153.219',
private_ip => '10.4.1.133' },
- 'deployment-cache-upload04' => { public_ip => '208.80.153.242',
private_ip => '10.4.0.211' },
- 'deployment-cache-bits03' => { public_ip => '208.80.153.243',
private_ip => '10.4.0.51' },
- 'deployment-eventlogging' => { public_ip => '208.80.153.244',
private_ip => '10.4.0.48' },
- 'deployment-cache-mobile01' => { public_ip => '208.80.153.143',
private_ip => '10.4.1.82' },
- }
- create_resources( 'misc::beta::natdestrewrite', $nat_mappings )
-}
-
-define misc::beta::natdestrewrite( $public_ip, $private_ip ) {
-
- include base::firewall
-
- # iptables -t nat -I OUTPUT --dest $public_ip -j DNAT --to-dest
$private_ip
- ferm::rule { "nat_rewrite_for_${name}":
- table => 'nat',
- chain => 'OUTPUT',
- domain => 'ip',
- rule => "daddr ${public_ip} { DNAT to ${private_ip}; }",
- }
-
-}
-
-
-class misc::beta::sync-site-resources {
- file { "/usr/local/bin/sync-site-resources":
- ensure => present,
- owner => root,
- group => root,
- mode => 0555,
- source => "puppet:///files/misc/beta/sync-site-resources"
- }
-
- cron { "sync-site-resources":
- command => "/usr/local/bin/sync-site-resources >/dev/null 2>&1",
- require => File["/usr/local/bin/sync-site-resources"],
- hour => 12,
- user => apache,
- ensure => present,
- }
-}
-
diff --git a/manifests/role/beta.pp b/manifests/role/beta.pp
index 8291113..405b082 100644
--- a/manifests/role/beta.pp
+++ b/manifests/role/beta.pp
@@ -7,21 +7,21 @@
# branches.
class role::beta::autoupdater {
- include misc::beta::autoupdater
+ include beta::autoupdater
- system::role { 'role::beta::autoupdater':
+ system::role { 'role::beta':
description => 'Server is autoupdating MediaWiki core and extension on
beta.'
}
}
-class role::beta::natfixup {
+class role::beta::natfix {
system::role { 'role::beta::natfix':
description => 'Server has beta NAT fixup'
}
- include misc::beta::natfixup
+ include beta::natfix
}
class role::beta::maintenance {
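Review bot: The `system::role` title inside `role::beta::autoupdater` becomes `'role::beta'`, which no longer names the class that declares it. Keeping `system::role { 'role::beta::autoupdater':` leaves the role description attributable to this class. Renaming `role::beta::natfixup` to `role::beta::natfix` also removes the old class name, so any instance still assigned `role::beta::natfixup` would presumably fail catalog compilation and stop receiving the NAT rules. Either keep the old name as well or land the instance reassignment together with this change. The hunk stops at the opening line of `role::beta::maintenance`, so the rest of the file is not visible here.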
diff --git a/files/misc/beta/sync-site-resources
b/modules/beta/files/sync-site-resources
similarity index 100%
rename from files/misc/beta/sync-site-resources
rename to modules/beta/files/sync-site-resources
diff --git a/files/misc/beta/wmf-beta-autoupdate.py
b/modules/beta/files/wmf-beta-autoupdate.py
similarity index 100%
rename from files/misc/beta/wmf-beta-autoupdate.py
rename to modules/beta/files/wmf-beta-autoupdate.py
diff --git a/modules/beta/manifests/autoupdater.pp
b/modules/beta/manifests/autoupdater.pp
new file mode 100644
index 0000000..31e2efd
--- /dev/null
+++ b/modules/beta/manifests/autoupdater.pp
@@ -0,0 +1,36 @@
+class beta::autoupdater {
+
+ require misc::deployment::common_scripts
+
+ # Parsoid JavaScript dependencies are updated on beta via npm
+ package { 'npm':
+ ensure => present,
+ }
+
+ file { '/usr/local/bin/wmf-beta-autoupdate.py':
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ require => Package['git-core'],
+ source => 'puppet:///modules/beta/wmf-beta-autoupdate.py',
+ }
+
+ # Make sure wmf-beta-autoupdate can run the l10n updater as l10nupdate
+ sudo_user { 'mwdeploy' :
+ privileges => [
+ 'ALL = (l10nupdate) NOPASSWD:/usr/local/bin/mw-update-l10n',
+ 'ALL = (l10nupdate) NOPASSWD:/usr/local/bin/mwscript',
+ 'ALL = (l10nupdate) NOPASSWD:/usr/local/bin/refreshCdbJsonFiles',
+ # Some script running as mwdeploy explicily use "sudo -u mwdeploy"
+ # which makes Ubuntu to request a password. The following rule
+ # make sure we are not going to ask the password to mwdeploy when
+ # it tries to identify as mwdeploy.
+ 'ALL = (mwdeploy) NOPASSWD: ALL',
+
+ # mergeMessageFileList.php is run by mw-update-l10n as the apache
user
+ # since https://gerrit.wikimedia.org/r/#/c/44548/
+ # Let it runs mwscript and others as apache user.
+ 'ALL = (apache) NOPASSWD: ALL',
+ ]
+ }
+}
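Review bot: The `sudo_user { 'mwdeploy' :` privileges still carry `'ALL = (apache) NOPASSWD: ALL'`, which lets anything running as mwdeploy execute arbitrary commands as the web server user without a password. The l10nupdate entries above it are limited to named scripts. Since the resource is being rewritten here, consider listing only the commands that must run as apache, for example `'ALL = (apache) NOPASSWD:/usr/local/bin/mwscript',`, after confirming what mw-update-l10n actually invokes. The new class also drops the `ensure => absent` cleanup resources that `misc::beta::autoupdater` declared, which deserves a line in the commit message if it is intentional.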
diff --git a/modules/beta/manifests/init.pp b/modules/beta/manifests/init.pp
new file mode 100644
index 0000000..eebf47e
--- /dev/null
+++ b/modules/beta/manifests/init.pp
@@ -0,0 +1,6 @@
+class beta{
+ include beta::autoupdater,
+ beta::natfix,
+ beta::natdestrewrite
+ beta::syncsiteresources
+ }
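Review bot: The `include` list has no comma after `beta::natdestrewrite`, so this manifest will not parse. `beta::natdestrewrite` is also a `define` with required `$public_ip` and `$private_ip` parameters, so it cannot be pulled in with `include`; `beta::natfix` already instantiates it through `create_resources`. The list should read `include beta::autoupdater, beta::natfix, beta::syncsiteresources`. Note that including `beta` would then apply the sudo rules, the NAT rewrite and the cron job to every node at once, whereas the role classes select them individually; a short header comment saying when `beta` itself should be included would help.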
diff --git a/modules/beta/manifests/natdestrewrite.pp
b/modules/beta/manifests/natdestrewrite.pp
new file mode 100644
index 0000000..022b63f
--- /dev/null
+++ b/modules/beta/manifests/natdestrewrite.pp
@@ -0,0 +1,13 @@
+define beta::natdestrewrite( $public_ip, $private_ip ) {
+
+ include base::firewall
+
+ # iptables -t nat -I OUTPUT --dest $public_ip -j DNAT --to-dest $private_ip
+ ferm::rule { "nat_rewrite_for_${name}":
+ table => 'nat',
+ chain => 'OUTPUT',
+ domain => 'ip',
+ rule => "daddr ${public_ip} { DNAT to ${private_ip}; }",
+ }
+}
+
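Review bot: Nothing in `beta::natdestrewrite` checks that `$public_ip` and `$private_ip` are IPv4 addresses before they are interpolated into the ferm `rule` string. A typo in a mapping would therefore end up verbatim in the nat OUTPUT chain definition. If puppetlabs-stdlib is available in this tree, a guard such as `if ! is_ip_address($public_ip) { fail("invalid public_ip for ${name}") }` (and the same for `$private_ip`) would fail the catalog early. The define also has no header comment; a few lines describing the two parameters and noting that the rule rewrites locally generated traffic only (OUTPUT chain) would help.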
diff --git a/modules/beta/manifests/natfix.pp b/modules/beta/manifests/natfix.pp
new file mode 100644
index 0000000..dbf8501
--- /dev/null
+++ b/modules/beta/manifests/natfix.pp
@@ -0,0 +1,34 @@
+# Workaround NAT traversal issue when a beta cluster instance attempt to
+# connect to a beta public IP. The NAT would get the packet loss, instead
+# transparently destination IP of outgoing packets to point directly to the
+# private IP instance instead of the public IP.
+#
+# FIXME should probably be applied by default on ALL beta cluster instances.
+#
+# References:
+#
+# RT #4824 - https://rt.wikimedia.org/Ticket/Display.html?id=4824
+# bug #45868 - https://bugzilla.wikimedia.org/show_bug.cgi?id=45868
+class beta::natfix {
+
+ # List out the instance public IP and private IP as described in OpenStack
+ # manager interface
+ #
+ # FIXME ideally that should be fetched directly from OpenStack
+ # configuration to make sure the iptables revwrites are always in sync with
+ # the web interface :-D
+ #
+ $nat_mappings = {
+ 'deployment-cache-text1' => {public_ip => '208.80.153.219',
+ private_ip => '10.4.1.133' },
+ 'deployment-cache-upload04' => {public_ip => '208.80.153.242',
+ private_ip => '10.4.0.211' },
+ 'deployment-cache-bits03' => {public_ip => '208.80.153.243',
+ private_ip => '10.4.0.51' },
+ 'deployment-eventlogging' => {public_ip => '208.80.153.244',
+ private_ip => '10.4.0.48' },
+ 'deployment-cache-mobile01' => {public_ip => '208.80.153.143',
+ private_ip => '10.4.1.82' },
+ }
+ create_resources( 'beta::natdestrewrite', $nat_mappings )
+}
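Review bot: The `$nat_mappings` hash hard-codes public-to-private address pairs that the FIXME above it admits can drift from the OpenStack configuration. Because each pair becomes a DNAT rule on the OUTPUT chain, a stale entry would silently redirect traffic for a reassigned public IP to whichever instance now holds the old private address. Exposing the hash as a class parameter, `class beta::natfix( $nat_mappings = { ... } ) {`, would let the mapping be corrected without a code change. Short of that, I would add a comment such as `# Must be re-checked whenever a floating IP is reassigned; stale entries misroute traffic.` above the hash.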
diff --git a/modules/beta/manifests/syncsiteresources.pp
b/modules/beta/manifests/syncsiteresources.pp
new file mode 100644
index 0000000..bd39c6e
--- /dev/null
+++ b/modules/beta/manifests/syncsiteresources.pp
@@ -0,0 +1,18 @@
+class beta::syncsiteresources {
+ file { '/usr/local/bin/sync-site-resources':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ source => 'puppet:///modules/beta/sync-site-resources',
+ }
+
+ cron { 'sync-site-resources':
+ ensure => present,
+ command => '/usr/local/bin/sync-site-resources >/dev/null 2>&1',
+ require => File['/usr/local/bin/sync-site-resources'],
+ hour => '12',
+ user => 'apache',
+ }
+}
+
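Review bot: The `cron { 'sync-site-resources':` resource sets `hour => '12'` but no `minute`, so Puppet writes `*` for the minute field and the script runs sixty times between 12:00 and 12:59 rather than once a day. Adding `minute => '0',` next to the `hour` line fixes that. Separately, the command redirects everything to `/dev/null`, so a failing sync leaves no trace; consider dropping `2>&1` so cron can mail errors, or logging to a file.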
--
To view, visit https://gerrit.wikimedia.org/r/108289
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2200ce11e948ba96c1fedd20083db1fd62c64620
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Matanya <[email protected]>