Thcipriani has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/351179 )
Change subject: WIP: scap: Add a scap::master profile
......................................................................
WIP: scap: Add a scap::master profile
Bring scap masters closer to following the puppet coding guidelines.
Start by adding a master profile.
Change-Id: I3afb15580729bd9c46f4c31db5537fb2b1aeee76
---
D hieradata/common/scap.yaml
A hieradata/common/scap/master.yaml
M hieradata/labs/deployment-prep/common.yaml
M hieradata/role/common/deployment/server.yaml
A modules/profile/manifests/scap/master.pp
D modules/role/manifests/deployment/mediawiki.pp
M modules/role/manifests/deployment/server.pp
M modules/role/templates/deployment/inactive.motd.erb
M modules/scap/manifests/init.pp
M modules/scap/manifests/master.pp
M modules/scap/manifests/target.pp
11 files changed, 238 insertions(+), 209 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/79/351179/1
diff --git a/hieradata/common/scap.yaml b/hieradata/common/scap.yaml
deleted file mode 100644
index 53fd913..0000000
--- a/hieradata/common/scap.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-# scap3 (git-based) deployment server
-scap::deployment_server: "naos.codfw.wmnet"
diff --git a/hieradata/common/scap/master.yaml
b/hieradata/common/scap/master.yaml
new file mode 100644
index 0000000..9a7d841
--- /dev/null
+++ b/hieradata/common/scap/master.yaml
@@ -0,0 +1,109 @@
+scap::master::deployment_server: "naos.codfw.wmnet"
+scap::master::keyholder_user: mwdeploy
+scap::master::keyholder_group:
+ - 'wikidev'
+ - 'mwdeploy'
+scap::master::deployment_group: wikidev
+
+# Default scap::server configuration. This is used in production.
+# If you are setting up scap::server in labs, these will be used
+# unless you override them for your labs project.
+# See the overrides in hieradata/labs/deployment-prep/common.yaml
+# for an example.
+
+# keyholder::agent declarations. These are created
+# by the scap::server class. Each agent listed here
+# will be present and useable by scap on the scap deploy server.
+# NOTE: since labs
+scap::master::keyholder_agents:
+
+ phabricator:
+ trusted_groups:
+ - deploy-phabricator
+
+ eventlogging:
+ trusted_groups:
+ - eventlogging-admins
+
+ deploy-service:
+ trusted_groups:
+ - deploy-service
+ - aqs-admins
+ - deploy-aqs
+
+ dumpsdeploy:
+ trusted_groups:
+ - ops
+
+ analytics_deploy:
+ trusted_groups:
+ - analytics-admins
+
+# scap::source declarations. These are created
+# by the scap::server class. Each source listed here
+# will be cloned on the scap deploy server.
+scap::master::sources:
+ analytics/refinery:
+ repository: analytics/refinery
+ scap_repository: analytics/refinery/scap
+ changeprop/deploy:
+ repository: mediawiki/services/change-propagation/deploy
+# lvs_service: changeprop
+ citoid/deploy: {}
+# lvs_service: citoid
+ cxserver/deploy: {}
+# lvs_service: cxserver
+ dumps/dumps:
+ repository: operations/dumps
+ scap_repository: operations/dumps/scap
+ electron-render/deploy: {}
+ eventlogging/eventbus:
+ repository: eventlogging
+ scap_repository: eventlogging/scap/eventbus
+ eventlogging/analytics:
+ repository: eventlogging
+ scap_repository: eventlogging/scap/analytics
+ # Public EventStreams service
+ eventstreams/deploy:
+ repository: mediawiki/services/eventstreams/deploy
+ graphoid/deploy: {}
+# lvs_service: graphoid
+ kartotherian/deploy:
+ repository: maps/kartotherian/deploy
+# lvs_service: kartotherian
+ analytics/pivot/deploy:
+ repository: analytics/pivot/deploy
+ mathoid/deploy: {}
+# lvs_service: mathoid
+ mobileapps/deploy: {}
+# lvs_service: mobileapps
+ ores/deploy: {}
+# lvs_service: ores
+ parsoid/deploy: {}
+# lvs_service: parsoid
+ phabricator/deployment:
+ repository: phabricator/deployment
+ restbase/deploy: {}
+ # This is actually cloned from github at the moment and the repository
indicated
+ # doesn't exist.
+ servermon/servermon:
+ repository: operations/software/servermon
+ striker/deploy:
+ repository: labs/striker/deploy
+ tilerator/deploy:
+ repository: maps/tilerator/deploy
+# lvs_service: tilerator
+ trending-edits/deploy: {}
+ wdqs/wdqs:
+ repository: wikidata/query/deploy
+# lvs_service: wdqs
+ zotero/translation-server: {}
+# lvs_service: zotero
+ zotero/translators: {}
+# lvs_service: zotero
+ # Time-window compaction strategy for Cassandra
+ cassandra/twcs:
+ repository: operations/software/cassandra-twcs
+ # Prometheus JMX exporter
+ prometheus/jmx_exporter:
+ repository: operations/software/prometheus_jmx_exporter
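Review bot: The comments carried into this new file are stale or incomplete: `# NOTE: since labs` breaks off mid-sentence, and both comment blocks say the resources are created by the `scap::server` class, while in this change they are created by `profile::scap::master`. Because `scap::master::keyholder_agents` decides which groups may use each deploy key, the header should say accurately who consumes it. I would finish or delete the NOTE line and write `# keyholder::agent declarations. These are created by profile::scap::master.` `scap::master::keyholder_group` holds a list, so a comment such as `# groups trusted for the keyholder_user agent` would make the singular name less misleading.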
diff --git a/hieradata/labs/deployment-prep/common.yaml
b/hieradata/labs/deployment-prep/common.yaml
index 3df1b05..f75d0e3 100644
--- a/hieradata/labs/deployment-prep/common.yaml
+++ b/hieradata/labs/deployment-prep/common.yaml
@@ -169,7 +169,12 @@
"zotero::http_proxy":
deployment-urldownloader.deployment-prep.eqiad.wmflabs:8080
deployment_server: deployment-tin.deployment-prep.eqiad.wmflabs
"trebuchet::deployment_server": deployment-tin.deployment-prep.eqiad.wmflabs
-"scap::deployment_server": deployment-tin.deployment-prep.eqiad.wmflabs
+scap::master::deployment_server: deployment-tin.deployment-prep.eqiad.wmflabs
+scap::master::keyholder_user: mwdeploy
+scap::master::keyholder_group:
+ - 'wikidev'
+ - 'mwdeploy'
+scap::master::deployment_group: wikidev
scap::dsh::scap_masters:
- deployment-tin.deployment-prep.eqiad.wmflabs
@@ -240,7 +245,7 @@
# deployment-prep keyholder::agent declarations. These are created
# by the scap::server class. Each agent listed here
# will be present and useable by scap on the scap deploy server.
-scap::keyholder_agents:
+scap::master::keyholder_agents:
phabricator:
trusted_groups:
@@ -257,7 +262,7 @@
# deployment-prep scap::source declarations. These are created
# by the role deployment::server. Each source listed here
# will be cloned on the scap deploy server.
-scap::sources:
+scap::master::sources:
phabricator/deployment:
repository: phabricator/deployment
diff --git a/hieradata/role/common/deployment/server.yaml
b/hieradata/role/common/deployment/server.yaml
index 36ad813..c04f29a 100644
--- a/hieradata/role/common/deployment/server.yaml
+++ b/hieradata/role/common/deployment/server.yaml
@@ -29,105 +29,3 @@
server:
light_process_count: 0
light_process_file_prefix:
-# Default scap::server configuration. This is used in production.
-# If you are setting up scap::server in labs, these will be used
-# unless you override them for your labs project.
-# See the overrides in hieradata/labs/deployment-prep/common.yaml
-# for an example.
-
-# keyholder::agent declarations. These are created
-# by the scap::server class. Each agent listed here
-# will be present and useable by scap on the scap deploy server.
-# NOTE: since labs
-scap::keyholder_agents:
-
- phabricator:
- trusted_groups:
- - deploy-phabricator
-
- eventlogging:
- trusted_groups:
- - eventlogging-admins
-
- deploy-service:
- trusted_groups:
- - deploy-service
- - aqs-admins
- - deploy-aqs
-
- dumpsdeploy:
- trusted_groups:
- - ops
-
- analytics_deploy:
- trusted_groups:
- - analytics-admins
-
-# scap::source declarations. These are created
-# by the scap::server class. Each source listed here
-# will be cloned on the scap deploy server.
-scap::sources:
- analytics/refinery:
- repository: analytics/refinery
- scap_repository: analytics/refinery/scap
- changeprop/deploy:
- repository: mediawiki/services/change-propagation/deploy
-# lvs_service: changeprop
- citoid/deploy: {}
-# lvs_service: citoid
- cxserver/deploy: {}
-# lvs_service: cxserver
- dumps/dumps:
- repository: operations/dumps
- scap_repository: operations/dumps/scap
- electron-render/deploy: {}
- eventlogging/eventbus:
- repository: eventlogging
- scap_repository: eventlogging/scap/eventbus
- eventlogging/analytics:
- repository: eventlogging
- scap_repository: eventlogging/scap/analytics
- # Public EventStreams service
- eventstreams/deploy:
- repository: mediawiki/services/eventstreams/deploy
- graphoid/deploy: {}
-# lvs_service: graphoid
- kartotherian/deploy:
- repository: maps/kartotherian/deploy
-# lvs_service: kartotherian
- analytics/pivot/deploy:
- repository: analytics/pivot/deploy
- mathoid/deploy: {}
-# lvs_service: mathoid
- mobileapps/deploy: {}
-# lvs_service: mobileapps
- ores/deploy: {}
-# lvs_service: ores
- parsoid/deploy: {}
-# lvs_service: parsoid
- phabricator/deployment:
- repository: phabricator/deployment
- restbase/deploy: {}
- # This is actually cloned from github at the moment and the repository
indicated
- # doesn't exist.
- servermon/servermon:
- repository: operations/software/servermon
- striker/deploy:
- repository: labs/striker/deploy
- tilerator/deploy:
- repository: maps/tilerator/deploy
-# lvs_service: tilerator
- trending-edits/deploy: {}
- wdqs/wdqs:
- repository: wikidata/query/deploy
-# lvs_service: wdqs
- zotero/translation-server: {}
-# lvs_service: zotero
- zotero/translators: {}
-# lvs_service: zotero
- # Time-window compaction strategy for Cassandra
- cassandra/twcs:
- repository: operations/software/cassandra-twcs
- # Prometheus JMX exporter
- prometheus/jmx_exporter:
- repository: operations/software/prometheus_jmx_exporter
diff --git a/modules/profile/manifests/scap/master.pp
b/modules/profile/manifests/scap/master.pp
new file mode 100644
index 0000000..7647981
--- /dev/null
+++ b/modules/profile/manifests/scap/master.pp
@@ -0,0 +1,100 @@
+# == Class profile::scap::master
+#
+# Setup scap server
+class profile::scap::master(
+ $keyholder_user = hiera('scap::master::keyholder_user'),
+ $keyholder_group = hiera('scap::master::keyholder_group', []),
+ $keyholder_agents = hiera('scap::master::keyholder_agents', {}),
+ $keyholder_sources = hiera('scap::master::keyholder_sources', {}),
+ $deployment_group = hiera('scap::master::deployment_group'),
+ $active_deployment_server = hiera('scap::master::deployment_server'),
+) {
+ include ::profile::mediawiki::nutcracker
+ include ::profile::scap::dsh
+
+ if $::realm != 'labs' {
+ include role::microsites::releases::upload
+ # backup /home dirs on deployment servers
+ include ::profile::backup::host
+ backup::set {'home': }
+ }
+
+ # Base scap setup
+ class { '::scap':
+ active_deployment_server => $active_deployment_server,
+ }
+ class { '::scap::ferm': }
+ class { '::scap::master':
+ active_deployment_server => $active_deployment_server,
+ deployment_group => $deployment_group,
+ }
+
+ # All needed classes for deploying mediawiki
+ class { '::mediawiki': }
+ class { '::mediawiki::packages::php5': }
+
+ # Keyholder
+ class { '::keyholder': }
+ class { '::keyholder::monitoring': }
+
+ # Resources
+ keyholder::agent { $keyholder_user:
+ trusted_groups => $keyholder_group,
+ }
+
+ ## Scap Config ##
+ # Create an instance of $keyholder_agents for each of the key specs.
+ create_resources('keyholder::agent', $keyholder_agents)
+
+ $base_path = '/srv/deployment'
+
+ # Create an instance of scap_source for each of the key specs in hiera.
+ Scap::Source {
+ base_path => $base_path,
+ }
+
+ create_resources('scap::source', $keyholder_sources)
+ ## End scap config ###
+
+ # Firewall rules
+ ferm::service { 'rsyncd_scap_master':
+ proto => 'tcp',
+ port => '873',
+ srange => '$MW_APPSERVER_NETWORKS',
+ }
+ ### End firewall rules
+
+ #T83854
+ ::monitoring::icinga::git_merge { 'mediawiki_config':
+ dir => '/srv/mediawiki-staging/',
+ user => 'root',
+ remote => 'readonly',
+ remote_branch => 'master',
+ }
+
+ # Also make sure that no files have been stolen by root ;-)
+ ::monitoring::icinga::bad_directory_owner { '/srv/mediawiki-staging': }
+
+ $deploy_ensure = $active_deployment_server ? {
+ $::fqdn => 'absent',
+ default => 'present'
+ }
+
+ class { '::deployment::rsync':
+ deployment_server => $active_deployment_server,
+ cron_ensure => $deploy_ensure,
+ }
+
+ motd::script { 'inactive_warning':
+ ensure => $deploy_ensure,
+ priority => 01,
+ content => template('role/deployment/inactive.motd.erb'),
+ }
+
+ file { '/var/lock/scap-global-lock':
+ ensure => $deploy_ensure,
+ owner => 'root',
+ group => 'root',
+ content => "Not the active deployment server, use
${active_deployment_server}",
+ }
+}
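Review bot: `$keyholder_sources` is looked up as `hiera('scap::master::keyholder_sources', {})`, but the hiera data in this change (hieradata/common/scap/master.yaml and the deployment-prep override) defines the list under `scap::master::sources`. With the `{}` default the lookup would quietly return an empty hash, so `create_resources('scap::source', $keyholder_sources)` would declare no sources while the catalog still compiles. Either read the key that exists, `$sources = hiera('scap::master::sources', {}),`, or rename the hiera keys to match. Separately, `$deploy_ensure` is now derived from `scap::master::deployment_server`, whereas the code removed from role::deployment::server used `hiera('deployment_server', 'tin.eqiad.wmnet')`. It is worth confirming that both resolve to the same host, since that value decides where `/var/lock/scap-global-lock` is present.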
diff --git a/modules/role/manifests/deployment/mediawiki.pp
b/modules/role/manifests/deployment/mediawiki.pp
deleted file mode 100644
index ae1a161..0000000
--- a/modules/role/manifests/deployment/mediawiki.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-# === Class role::deployment::mediawiki
-# Installs everything needed to deploy mediawiki
-class role::deployment::mediawiki(
- $keyholder_user = 'mwdeploy',
- $keyholder_group = ['wikidev', 'mwdeploy'],
- ) {
-
- # All needed classes for deploying mediawiki
- include ::mediawiki
- include ::mediawiki::packages::php5
- include ::profile::mediawiki::nutcracker
- include ::scap::master
- include ::profile::scap::dsh
- include ::scap::ferm
-
- # Keyholder
- require ::keyholder
- require ::keyholder::monitoring
-
- keyholder::agent { $keyholder_user:
- trusted_groups => $keyholder_group,
- }
-
- # Wikitech credentials file
-}
diff --git a/modules/role/manifests/deployment/server.pp
b/modules/role/manifests/deployment/server.pp
index 5d793c6..29bb796 100644
--- a/modules/role/manifests/deployment/server.pp
+++ b/modules/role/manifests/deployment/server.pp
@@ -5,23 +5,12 @@
) {
include ::standard
- $base_path = '/srv/deployment'
- include role::deployment::mediawiki
+ include profile::scap::master
- ## Scap Config ##
- require ::scap
-
- # Create an instance of $keyholder_agents for each of the key specs.
- create_resources('keyholder::agent', hiera('scap::keyholder_agents', {}))
-
- # Create an instance of scap_source for each of the key specs in hiera.
- Scap::Source {
- base_path => $base_path,
- }
-
- create_resources('scap::source', hiera('scap::sources', {}))
- ## End scap config ###
-
+ # TODO: move below to profiles
+ #
+ # Much of this is shared config of trebuchet and scap3. Fully removing
+ # trebuchet will make this much easier to sort in separate profiles.
include ::deployment::umask_wikidev
class { 'deployment::deployment_server':
@@ -36,23 +25,9 @@
include network::constants
$deployable_networks = $::network::constants::deployable_networks
- if $::realm != 'labs' {
- include role::microsites::releases::upload
- # backup /home dirs on deployment servers
- include ::profile::backup::host
- backup::set {'home': }
- }
-
- # Firewall rules
- ferm::service { 'rsyncd_scap_master':
- proto => 'tcp',
- port => '873',
- srange => '$MW_APPSERVER_NETWORKS',
- }
-
-
$deployable_networks_ferm = join($deployable_networks, ' ')
+ # Firewall rules
# T113351
ferm::service { 'http_deployment_server':
desc => 'http on trebuchet deployment servers, for serving actual
files to deploy',
@@ -62,17 +37,6 @@
}
### End firewall rules
-
- #T83854
- ::monitoring::icinga::git_merge { 'mediawiki_config':
- dir => '/srv/mediawiki-staging/',
- user => 'root',
- remote => 'readonly',
- remote_branch => 'master',
- }
-
- # Also make sure that no files have been stolen by root ;-)
- ::monitoring::icinga::bad_directory_owner { '/srv/mediawiki-staging': }
### Trebuchet
file { '/srv/deployment':
@@ -89,30 +53,6 @@
$deployment_server = hiera('deployment_server', 'tin.eqiad.wmnet')
class { '::deployment::redis':
deployment_server => $deployment_server
- }
-
- $deploy_ensure = $deployment_server ? {
- $::fqdn => 'absent',
- default => 'present'
- }
-
- class { '::deployment::rsync':
- deployment_server => $deployment_server,
- cron_ensure => $deploy_ensure,
- }
-
- $main_deployment_server = hiera('scap::deployment_server')
- motd::script { 'inactive_warning':
- ensure => $deploy_ensure,
- priority => 01,
- content => template('role/deployment/inactive.motd.erb'),
- }
-
- file { '/var/lock/scap-global-lock':
- ensure => $deploy_ensure,
- owner => 'root',
- group => 'root',
- content => "Not the active deployment server, use
${main_deployment_server}",
}
# Bacula backups (T125527)
diff --git a/modules/role/templates/deployment/inactive.motd.erb
b/modules/role/templates/deployment/inactive.motd.erb
index 4eb13bc..0a41d7b 100755
--- a/modules/role/templates/deployment/inactive.motd.erb
+++ b/modules/role/templates/deployment/inactive.motd.erb
@@ -18,6 +18,6 @@
If you want to deploy software, you should /not/ do it from here; it
will probably work, but the next deployer could lose track of any of
-your changes. Connect to '<%= @main_deployment_server %>' instead, it will
+your changes. Connect to '<%= @active_deployment_server %>' instead, it will
route you to the correct server.
MOTD
diff --git a/modules/scap/manifests/init.pp b/modules/scap/manifests/init.pp
index 162d922..bc2b883 100644
--- a/modules/scap/manifests/init.pp
+++ b/modules/scap/manifests/init.pp
@@ -3,14 +3,14 @@
# Common role for scap masters and targets
#
# == Parameters:
-# [*deployment_server*]
+# [*active_deployment_server*]
# Server that provides git repositories for scap3. Default 'deployment'.
#
# [*wmflabs_master*]
# Master scap rsync host in the wmflabs domain.
# Default 'deployment-tin.deployment-prep.eqiad.wmflabs'.
class scap (
- $deployment_server = 'deployment',
+ $active_deployment_server = 'deployment',
$wmflabs_master = 'deployment-tin.deployment-prep.eqiad.wmflabs',
$version = '3.5.7-1',
) {
diff --git a/modules/scap/manifests/master.pp b/modules/scap/manifests/master.pp
index f99a54b..35240b7 100644
--- a/modules/scap/manifests/master.pp
+++ b/modules/scap/manifests/master.pp
@@ -2,13 +2,14 @@
#
# Sets up a scap master (currently tin and mira)
class scap::master(
- $common_path = '/srv/mediawiki',
- $common_source_path = '/srv/mediawiki-staging',
- $patches_path = '/srv/patches',
- $rsync_host = "deployment.${::site}.wmnet",
- $statsd_host = 'statsd.eqiad.wmnet',
- $statsd_port = 8125,
- $deployment_group = 'wikidev',
+ $common_path = '/srv/mediawiki',
+ $common_source_path = '/srv/mediawiki-staging',
+ $patches_path = '/srv/patches',
+ $rsync_host = "deployment.${::site}.wmnet",
+ $statsd_host = 'statsd.eqiad.wmnet',
+ $statsd_port = 8125,
+ $deployment_group = 'wikidev',
+ $active_deployment_server = undef,
) {
include scap::scripts
include rsync::server
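Review bot: The `undef` default for `$active_deployment_server` means that any declaration of `scap::master` without the parameter makes `$run_l10nupdate` (next hunk) false on every host, so l10nupdate would be switched off silently instead of failing compilation. Since the new profile always passes the value, consider making the parameter required, or failing explicitly: `if $active_deployment_server == undef { fail('scap::master requires active_deployment_server') }`. The next hunk also passes `run_l10nupdate` to `scap::l10nupdate`, and l10nupdate.pp is not among the changed files, so this relies on that parameter already existing there. The class body continues outside both hunks.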
@@ -52,8 +53,11 @@
hosts_allow =>
$::network::constants::special_hosts[$::realm]['deployment_hosts'];
}
+ $run_l10nupdate = $active_deployment_server == $::fqdn
+
class { 'scap::l10nupdate':
deployment_group => $deployment_group,
+ run_l10nupdate => $run_l10nupdate,
}
file { '/usr/local/bin/scap-master-sync':
diff --git a/modules/scap/manifests/target.pp b/modules/scap/manifests/target.pp
index 00a9955..46109d3 100644
--- a/modules/scap/manifests/target.pp
+++ b/modules/scap/manifests/target.pp
@@ -94,7 +94,7 @@
# Allow $deploy_user login from scap deployment host.
# adds an exception in /etc/security/access.conf
# to work around labs-specific restrictions
- $deployment_host = hiera('scap::deployment_server')
+ $deployment_host = hiera('scap::master::deployment_server')
$deployment_ip = ipresolve($deployment_host, 4, $::nameservers[0])
security::access::config { "scap-allow-${deploy_user}":
content => "+ : ${deploy_user} : ${deployment_ip}\n",
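Review bot: The renamed lookup `hiera('scap::master::deployment_server')` feeds `ipresolve()` and then the `security::access::config` entry that admits `${deploy_user}` logins. A project that still overrides only the old `scap::deployment_server` key would therefore presumably fall through to the value in hieradata/common/scap/master.yaml and allow the wrong host. Only the deployment-prep override is renamed in this change; other overrides, if any exist, are not visible here and should be checked before merge. A comment above the lookup would help, e.g. `# key renamed from scap::deployment_server; overrides of the old name are ignored`. The enclosing class starts and ends outside the hunk.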
--
To view, visit https://gerrit.wikimedia.org/r/351179
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3afb15580729bd9c46f4c31db5537fb2b1aeee76
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Thcipriani <[email protected]>