Giuseppe Lavagetto has submitted this change and it was merged.

Change subject: webserver: move to a module, fix and remove a few things
......................................................................


webserver: move to a module, fix and remove a few things

- Renamed webserver::base to webserver::sysctl_settings
- Removed completely webserver::apache::php5-{mysql,gd}

Change-Id: I8123d618e3ef8a56ee8bb65b21cbb95f45cbb664
Signed-off-by: Giuseppe Lavagetto <[email protected]>
---
M manifests/misc/blogs.pp
M manifests/role/labslamp.pp
M manifests/role/memcached.pp
M manifests/role/protoproxy.pp
M manifests/site.pp
M manifests/swift.pp
D manifests/webserver.pp
M modules/icinga/manifests/web.pp
M modules/mediawiki_singlenode/manifests/init.pp
M modules/varnish/manifests/common.pp
A modules/webserver/init.pp
A modules/webserver/manifests/apache.pp
A modules/webserver/manifests/apache/site.pp
A modules/webserver/manifests/php5.pp
A modules/webserver/manifests/static.pp
A modules/webserver/manifests/sysctl_settings.pp
A modules/webserver/sysctl_settings.pp
M modules/wikimania_scholarships/manifests/init.pp
M modules/wikistats/manifests/web.pp
19 files changed, 202 insertions(+), 183 deletions(-)

Approvals:
  Giuseppe Lavagetto: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/misc/blogs.pp b/manifests/misc/blogs.pp
index f68dfb6..3bcc18d 100644
--- a/manifests/misc/blogs.pp
+++ b/manifests/misc/blogs.pp
@@ -6,8 +6,8 @@
 
     class {'webserver::php5': ssl => true; }
 
-    require webserver::php5-mysql,
-        webserver::php5-gd
+    require_package('php5-mysql')
+    require_package('php5-gd')
 
     include ::apache::mod::rpaf
 
diff --git a/manifests/role/labslamp.pp b/manifests/role/labslamp.pp
index cfdc61c..1b81a99 100644
--- a/manifests/role/labslamp.pp
+++ b/manifests/role/labslamp.pp
@@ -3,12 +3,12 @@
 #  - Apache
 #  - Mysql
 #  - PHP5
-# 
+#
 #  The root mysql password is empty to start.  You should
 #  change it!
 class role::lamp::labs {
 
     include role::labs-mysql-server
-    include webserver::php5-mysql
     include webserver::php5
+    require_package('php5-mysql')
 }
diff --git a/manifests/role/memcached.pp b/manifests/role/memcached.pp
index 854b630..3209f99 100644
--- a/manifests/role/memcached.pp
+++ b/manifests/role/memcached.pp
@@ -10,7 +10,7 @@
     system::role { 'role::memcached': description => 'memcached server' }
 
     include standard
-    include webserver::base
+    include webserver::sysctl_settings
 
     $memcached_size = $::realm ? {
         'production' => '89088',
diff --git a/manifests/role/protoproxy.pp b/manifests/role/protoproxy.pp
index 24a1512..c49cef7 100644
--- a/manifests/role/protoproxy.pp
+++ b/manifests/role/protoproxy.pp
@@ -18,7 +18,7 @@
 class role::protoproxy::ssl::common {
 
     # Tune kernel settings
-    include webserver::base
+    include webserver::sysctl_settings
 
     $nginx_worker_connections = '32768'
     $nginx_use_ssl = true
diff --git a/manifests/site.pp b/manifests/site.pp
index e37fd13..8fd59d7 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -17,7 +17,6 @@
 import 'role/analytics/*.pp'
 import 'search.pp'
 import 'swift.pp'
-import 'webserver.pp'
 
 # Include stages last
 import 'stages.pp'
diff --git a/manifests/swift.pp b/manifests/swift.pp
index 4194fed..f5df095 100644
--- a/manifests/swift.pp
+++ b/manifests/swift.pp
@@ -3,7 +3,7 @@
 # It is used to find the ring files in the puppet files
 class swift::base($hash_path_suffix, $cluster_name) {
 
-    include webserver::base
+    include webserver::sysctl_settings
 
     # Recommendations from Swift -- see <http://tinyurl.com/swift-sysctl>.
     sysctl::parameters { 'swift_performance':
diff --git a/manifests/webserver.pp b/manifests/webserver.pp
deleted file mode 100644
index 4c63e15..0000000
--- a/manifests/webserver.pp
+++ /dev/null
@@ -1,164 +0,0 @@
-# This file is for all generic web server classes
-# Apache, php, etc belong in here
-# Specific services (racktables, etherpad) do not
-
-
-class webserver::base {
-    # Sysctl settings for high-load HTTP caches
-    sysctl::parameters { 'high http performance':
-        values => {
-            # Increase the number of ephemeral ports
-            'net.ipv4.ip_local_port_range' =>  [ 1024, 65535 ],
-
-            # Recommended to increase this for 1000 BT or higher
-            'net.core.netdev_max_backlog'  =>  30000,
-
-            # Increase the queue size of new TCP connections
-            'net.core.somaxconn'           => 4096,
-            'net.ipv4.tcp_max_syn_backlog' => 262144,
-            'net.ipv4.tcp_max_tw_buckets'  => 360000,
-
-            # Decrease FD usage
-            'net.ipv4.tcp_fin_timeout'     => 3,
-            'net.ipv4.tcp_max_orphans'     => 262144,
-            'net.ipv4.tcp_synack_retries'  => 2,
-            'net.ipv4.tcp_syn_retries'     => 2,
-        },
-    }
-}
-
-# Installs a generic, static web server (lighttpd)
-# with default config, which serves /var/www
-class webserver::static {
-    include webserver::base
-    include firewall
-
-    package { 'lighttpd':
-        ensure => 'present',
-    }
-
-    $hasstatus = $::lsbdistcodename ? {
-              'hardy' => false,
-              default => true,
-          }
-
-    service { 'lighttpd':
-        ensure    => 'running',
-        hasstatus => $hasstatus,
-    }
-
-    # Monitoring
-    monitor_service { 'http':
-        description   => 'HTTP',
-        check_command => 'check_http',
-    }
-
-    # Firewall
-    firewall::open_port { "http-${::hostname}":
-        port => 80,
-    }
-
-    firewall::open_port { "https-${::hostname}":
-        port => 443,
-    }
-}
-
-class webserver::php5(
-    $ssl = 'false',
-) {
-
-    include webserver::base
-    include ::apache
-    include ::apache::mod::php5
-
-    if $ssl == true {
-        include ::apache::mod::ssl
-    }
-
-    # Monitoring
-    monitor_service { 'http':
-        description   => 'HTTP',
-        check_command => 'check_http',
-    }
-}
-
-#  Install the 'php5-mysql' package which will
-#  include mysql and apache via dependencies.
-class webserver::php5-mysql {
-
-    include webserver::base
-
-    require_package('php5-mysql')
-}
-
-class webserver::php5-gd {
-
-    include webserver::base
-
-    package { 'php5-gd':
-        ensure => 'present',
-    }
-}
-
-# New style attempt at handling misc web servers
-# - keep independent from the existing stuff
-
-
-class webserver::apache {
-
-    class config {
-        # Realize virtual resources for enabling virtual hosts
-        Webserver::Apache::Site <| |>
-    }
-
-    # Define: site
-    #   Configures and installs an apache virtual host file using 
generic_vhost.erb.
-    #
-    # Parameters:
-    #   $aliases=[]       - array of ServerAliases
-    #   $ssl="false"      - if true, sets up an ssl certificate for $title
-    #   $certfile=undef   - defaults to /etc/ssl/certs/${title}.pem
-    #   $certkey=undef    - defaults to "/etc/ssl/private/${title}.key
-    #   $docroot=undef    - defaults to: $title == 'stats.wikimedia.org', then 
/srv/stats.wikimedia.org
-    #   $custom=[]        - custom Apache config strings to put into virtual 
host site file
-    #   $includes=[]
-    #   $server_admin="[email protected]",
-    #   $access_log       - path to access log, default: 
/var/log/apache2/access.log
-    #   $error_log        - path to error log,  default: 
/var/log/apache2/error.log
-    #   $ensure=present
-    #
-    # Usage:
-    #   webserver::apache::site { "mysite.wikimedia.org": aliases = 
["mysite.wikimedia.com"] }
-    define site(
-        $aliases      = [],
-        $ssl          = 'false',
-        $certfile     = "/etc/ssl/certs/${title}.pem",
-        $certkey      = "/etc/ssl/private/${title}.key",
-        $docroot      = undef,
-        $custom       = [],
-        $includes     = [],
-        $server_admin = '[email protected]',
-        $access_log   = "/var/log/apache2/${title}.access.log",
-        $error_log    = "/var/log/apache2/${title}.error.log",
-        $ensure       = 'present',
-        ) {
-
-        if ubuntu_version('>= trusty') {
-            $ssl_settings = ssl_ciphersuite('apache-2.4', 'compat')
-        } else {
-            $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
-        }
-
-        file { "/etc/apache2/sites-enabled/${title}":
-            notify  => Service['apache2'],
-            owner   => 'root',
-            group   => 'root',
-            mode    => '0444',
-            content => template('apache/generic_vhost.erb'),
-        }
-    }
-
-    # Default selection
-    include config
-    include webserver::base
-}
diff --git a/modules/icinga/manifests/web.pp b/modules/icinga/manifests/web.pp
index ea773bd..4042b9c 100644
--- a/modules/icinga/manifests/web.pp
+++ b/modules/icinga/manifests/web.pp
@@ -20,7 +20,7 @@
       port  => 80,
     }
 
-    include webserver::php5-gd
+    require_packages('php5-gd')
 
     include passwords::ldap::wmf_cluster
     $proxypass = $passwords::ldap::wmf_cluster::proxypass
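Review bot: The added line calls `require_packages('php5-gd')`, while every other hunk in this commit uses the singular `require_package(...)`. Unless a plural function is defined elsewhere in the tree, this looks like a typo that would fail catalog compilation for the Icinga web host. The line should presumably read `require_package('php5-gd')`. The enclosing class starts and ends outside this hunk.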
diff --git a/modules/mediawiki_singlenode/manifests/init.pp 
b/modules/mediawiki_singlenode/manifests/init.pp
index 35b27f0..dbe905d 100644
--- a/modules/mediawiki_singlenode/manifests/init.pp
+++ b/modules/mediawiki_singlenode/manifests/init.pp
@@ -21,8 +21,10 @@
     $mysql_pass = '',
     $memcached_size    = 128,
     $apache_site_template = 'mediawiki_singlenode/mediawiki_singlenode.erb'
-) {
-    require role::labs-mysql-server, webserver::php5-mysql
+    ) {
+    require role::labs-mysql-server, webserver::sysctl_settings
+
+    require_package('php5-mysql')
 
     package { [ 'imagemagick', 'php-apc', 'php5-cli' ] :
         ensure => latest,
diff --git a/modules/varnish/manifests/common.pp 
b/modules/varnish/manifests/common.pp
index 62d6cbf..71a75a2 100644
--- a/modules/varnish/manifests/common.pp
+++ b/modules/varnish/manifests/common.pp
@@ -3,7 +3,7 @@
 
     # Tune kernel settings
     # TODO: Should be moved to a role class.
-    include webserver::base
+    include webserver::sysctl_settings
 
     # Mount /var/lib/ganglia as tmpfs to avoid Linux flushing mlocked
     # shm memory to disk
diff --git a/modules/webserver/init.pp b/modules/webserver/init.pp
new file mode 100644
index 0000000..3957b1b
--- /dev/null
+++ b/modules/webserver/init.pp
@@ -0,0 +1,24 @@
+class webserver::sysctl_settings {
+    # Sysctl settings for high-load HTTP caches
+    sysctl::parameters { 'high http performance':
+        values => {
+            # Increase the number of ephemeral ports
+            'net.ipv4.ip_local_port_range' =>  [ 1024, 65535 ],
+
+            # Recommended to increase this for 1000 BT or higher
+            'net.core.netdev_max_backlog'  =>  30000,
+
+            # Increase the queue size of new TCP connections
+            'net.core.somaxconn'           => 4096,
+            'net.ipv4.tcp_max_syn_backlog' => 262144,
+            'net.ipv4.tcp_max_tw_buckets'  => 360000,
+
+            # Decrease FD usage
+            'net.ipv4.tcp_fin_timeout'     => 3,
+            'net.ipv4.tcp_max_orphans'     => 262144,
+            'net.ipv4.tcp_synack_retries'  => 2,
+            'net.ipv4.tcp_syn_retries'     => 2,
+        },
+    }
+
+}
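Review bot: The same `webserver::sysctl_settings` body is added three times: here in `modules/webserver/init.pp`, in `modules/webserver/manifests/sysctl_settings.pp`, and in `modules/webserver/sysctl_settings.pp`, all with blob 3957b1b. Only the copy under `manifests/` sits where the autoloader resolves `webserver::sysctl_settings`, so the other two look like leftovers and should be dropped. Otherwise a later edit to a copy that is never loaded would leave the applied kernel network settings different from what was reviewed. The class also has no header comment; something like `# Kernel TCP/network tuning shared by the webserver, cache and proxy roles` would explain why non-web roles include it.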
diff --git a/modules/webserver/manifests/apache.pp 
b/modules/webserver/manifests/apache.pp
new file mode 100644
index 0000000..881cc56
--- /dev/null
+++ b/modules/webserver/manifests/apache.pp
@@ -0,0 +1,9 @@
+# New style attempt at handling misc web servers
+# - keep independent from the existing stuff
+class webserver::apache {
+
+    # Realize virtual resources for enabling virtual hosts
+    Webserver::Apache::Site <| |>
+
+    include webserver::sysctl_settings
+}
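Review bot: `webserver::apache` realizes every virtual `Webserver::Apache::Site`, and each of those notifies `Service['apache2']`, but nothing visible in this class declares or includes that service. If no other class on the node provides it, the catalog will fail on the dangling reference. Adding `include ::apache`, as `webserver::php5` does, would make the dependency explicit. The empty collector `<| |>` also realizes all virtual sites in the catalog, which deserves a one-line comment so nobody expects per-role filtering.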
diff --git a/modules/webserver/manifests/apache/site.pp 
b/modules/webserver/manifests/apache/site.pp
new file mode 100644
index 0000000..88a8345
--- /dev/null
+++ b/modules/webserver/manifests/apache/site.pp
@@ -0,0 +1,47 @@
+# Define: site
+#   Configures and installs an apache virtual host file using 
generic_vhost.erb.
+#
+# Parameters:
+#   $aliases=[]       - array of ServerAliases
+#   $ssl="false"      - if true, sets up an ssl certificate for $title
+#   $certfile=undef   - defaults to /etc/ssl/certs/${title}.pem
+#   $certkey=undef    - defaults to "/etc/ssl/private/${title}.key
+#   $docroot=undef    - defaults to: $title == 'stats.wikimedia.org', then 
/srv/stats.wikimedia.org
+#   $custom=[]        - custom Apache config strings to put into virtual host 
site file
+#   $includes=[]
+#   $server_admin="[email protected]",
+#   $access_log       - path to access log, default: 
/var/log/apache2/access.log
+#   $error_log        - path to error log,  default: /var/log/apache2/error.log
+#   $ensure=present
+#
+# Usage:
+#   webserver::apache::site { "mysite.wikimedia.org": aliases = 
["mysite.wikimedia.com"] }
+define webserver::apache::site(
+    $aliases      = [],
+    $ssl          = 'false',
+    $certfile     = "/etc/ssl/certs/${title}.pem",
+    $certkey      = "/etc/ssl/private/${title}.key",
+    $docroot      = undef,
+    $custom       = [],
+    $includes     = [],
+    $server_admin = '[email protected]',
+    $access_log   = "/var/log/apache2/${title}.access.log",
+    $error_log    = "/var/log/apache2/${title}.error.log",
+    $ensure       = 'present',
+    ) {
+
+    if ubuntu_version('>= trusty') {
+        $ssl_settings = ssl_ciphersuite('apache-2.4', 'compat')
+    } else {
+        $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+    }
+
+    #TODO: convert to apache::site
+    file { "/etc/apache2/sites-enabled/${title}":
+        notify  => Service['apache2'],
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        content => template('apache/generic_vhost.erb'),
+    }
+}
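Review bot: The define accepts `$ensure`, but the `file` resource for `/etc/apache2/sites-enabled/${title}` never uses it. Declaring a site with `ensure => absent` therefore still writes the vhost and keeps it served, unless the template handles that, which is not visible here. Passing it through with `ensure => $ensure,` would let a decommissioned site actually be removed. The parameter docs are also out of step with the signature: they give the log defaults as `/var/log/apache2/access.log` and `error.log`, whereas the code uses `${title}.access.log` and `${title}.error.log`, and they list `$certfile`/`$certkey` as `undef`.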
diff --git a/modules/webserver/manifests/php5.pp 
b/modules/webserver/manifests/php5.pp
new file mode 100644
index 0000000..45effd4
--- /dev/null
+++ b/modules/webserver/manifests/php5.pp
@@ -0,0 +1,22 @@
+# === Class webserver::php5
+#
+# Install a basic apache2 web server with mod_php
+#
+class webserver::php5(
+    $ssl = 'false',
+    ) {
+
+    include webserver::sysctl_settings
+    include ::apache
+    include ::apache::mod::php5
+
+    if $ssl == true {
+        include ::apache::mod::ssl
+    }
+
+    # Monitoring
+    monitor_service { 'http':
+        description   => 'HTTP',
+        check_command => 'check_http',
+    }
+}
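Review bot: `$ssl` defaults to the string `'false'`, but the guard is `if $ssl == true`, so `::apache::mod::ssl` is included only when a caller passes the boolean. A caller writing `ssl => 'true'` would presumably end up with a plain-HTTP server and no error. I would make the default a real boolean, `$ssl = false,`, and reject other types up front, for example with stdlib's `validate_bool($ssl)` if stdlib is available in this tree. The header comment should document the parameter too, e.g. `# [*ssl*] Boolean; when true, also load mod_ssl.`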
diff --git a/modules/webserver/manifests/static.pp 
b/modules/webserver/manifests/static.pp
new file mode 100644
index 0000000..a66e2a9
--- /dev/null
+++ b/modules/webserver/manifests/static.pp
@@ -0,0 +1,37 @@
+# Installs a generic, static web server (lighttpd)
+# with default config, which serves /var/www
+class webserver::static {
+    include webserver::sysctl_settings
+    include firewall
+
+    #TODO: declare this class as incompatible with the other webserver classes.
+
+    package { 'lighttpd':
+        ensure => 'present',
+    }
+
+    $hasstatus = $::lsbdistcodename ? {
+        'hardy' => false,
+        default => true,
+    }
+
+    service { 'lighttpd':
+        ensure    => 'running',
+        hasstatus => $hasstatus,
+    }
+
+    # Monitoring
+    monitor_service { 'http':
+        description   => 'HTTP',
+        check_command => 'check_http',
+    }
+
+    # Firewall
+    firewall::open_port { "http-${::hostname}":
+        port => 80,
+    }
+
+    firewall::open_port { "https-${::hostname}":
+        port => 443,
+    }
+}
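Review bot: The class opens port 443 via `firewall::open_port { "https-${::hostname}": ... }`, but nothing visible here configures TLS for lighttpd, and the only monitor is the plain `check_http`. If the default lighttpd config does not listen on 443, the firewall rule exposes a port with nothing behind it. I would either drop the rule or gate it behind a parameter that also sets up the listener and an HTTPS check. On the TODO: `webserver::php5` declares the same `monitor_service { 'http': ... }` title, so including both classes would likely fail with a duplicate declaration; the comment should say so explicitly.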
diff --git a/modules/webserver/manifests/sysctl_settings.pp 
b/modules/webserver/manifests/sysctl_settings.pp
new file mode 100644
index 0000000..3957b1b
--- /dev/null
+++ b/modules/webserver/manifests/sysctl_settings.pp
@@ -0,0 +1,24 @@
+class webserver::sysctl_settings {
+    # Sysctl settings for high-load HTTP caches
+    sysctl::parameters { 'high http performance':
+        values => {
+            # Increase the number of ephemeral ports
+            'net.ipv4.ip_local_port_range' =>  [ 1024, 65535 ],
+
+            # Recommended to increase this for 1000 BT or higher
+            'net.core.netdev_max_backlog'  =>  30000,
+
+            # Increase the queue size of new TCP connections
+            'net.core.somaxconn'           => 4096,
+            'net.ipv4.tcp_max_syn_backlog' => 262144,
+            'net.ipv4.tcp_max_tw_buckets'  => 360000,
+
+            # Decrease FD usage
+            'net.ipv4.tcp_fin_timeout'     => 3,
+            'net.ipv4.tcp_max_orphans'     => 262144,
+            'net.ipv4.tcp_synack_retries'  => 2,
+            'net.ipv4.tcp_syn_retries'     => 2,
+        },
+    }
+
+}
diff --git a/modules/webserver/sysctl_settings.pp 
b/modules/webserver/sysctl_settings.pp
new file mode 100644
index 0000000..3957b1b
--- /dev/null
+++ b/modules/webserver/sysctl_settings.pp
@@ -0,0 +1,24 @@
+class webserver::sysctl_settings {
+    # Sysctl settings for high-load HTTP caches
+    sysctl::parameters { 'high http performance':
+        values => {
+            # Increase the number of ephemeral ports
+            'net.ipv4.ip_local_port_range' =>  [ 1024, 65535 ],
+
+            # Recommended to increase this for 1000 BT or higher
+            'net.core.netdev_max_backlog'  =>  30000,
+
+            # Increase the queue size of new TCP connections
+            'net.core.somaxconn'           => 4096,
+            'net.ipv4.tcp_max_syn_backlog' => 262144,
+            'net.ipv4.tcp_max_tw_buckets'  => 360000,
+
+            # Decrease FD usage
+            'net.ipv4.tcp_fin_timeout'     => 3,
+            'net.ipv4.tcp_max_orphans'     => 262144,
+            'net.ipv4.tcp_synack_retries'  => 2,
+            'net.ipv4.tcp_syn_retries'     => 2,
+        },
+    }
+
+}
diff --git a/modules/wikimania_scholarships/manifests/init.pp 
b/modules/wikimania_scholarships/manifests/init.pp
index 4d57767..5208fd8 100644
--- a/modules/wikimania_scholarships/manifests/init.pp
+++ b/modules/wikimania_scholarships/manifests/init.pp
@@ -37,7 +37,8 @@
 
     include passwords::mysql::wikimania_scholarships,
         webserver::php5,
-        webserver::php5-mysql
+
+    require_package('php5-mysql')
 
     $mysql_user = $passwords::mysql::wikimania_scholarships::app_user
     $mysql_pass = $passwords::mysql::wikimania_scholarships::app_password
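Review bot: The `include` list now ends in a trailing comma after `webserver::php5,`, because only the last entry was removed. The next statement is `require_package('php5-mysql')`, so the parser will most likely report a syntax error or try to read the call as another class name. The list should end without the comma, i.e. `webserver::php5` on the last line, followed by the blank line and `require_package('php5-mysql')`. The enclosing class starts and ends outside this hunk.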
diff --git a/modules/wikistats/manifests/web.pp 
b/modules/wikistats/manifests/web.pp
index 3d043b4..c625b83 100644
--- a/modules/wikistats/manifests/web.pp
+++ b/modules/wikistats/manifests/web.pp
@@ -3,15 +3,9 @@
 # class {'webserver::php5': ssl => true; }
 # to be on the node already, but can be enabled if not sharing
 # with other roles already using it
-# include webserver::php5-mysql to talk to mariadb on localhost (currently)
 class wikistats::web (
     $wikistats_host,
     ) {
-
-    # class {'webserver::php5': ssl => true; }
-    # SSL not needed anymore, we are behind proxy meanwhile
-    # include webserver::php5-mysql
-
     # Apache site from template
     apache::site { $wikistats_host:
         content => template('wikistats/apache/wikistats.erb'),

-- 
To view, visit https://gerrit.wikimedia.org/r/168604
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I8123d618e3ef8a56ee8bb65b21cbb95f45cbb664
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: coren <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
