system-config/manifests/site.pp

#
# Default: should at least behave like an openstack server
#
node default {
  include openstack_project::puppet_cron
  include openstack_project::server
}

#
# Long lived servers:
#

# Current thinking on Gerrit tuning parameters:

# database.poolLimit:
# This limit must be several units higher than the total number of
# httpd and sshd threads as some request processing code paths may need
# multiple connections.
# database.poolLimit = 1 + max(sshd.threads,sshd.batchThreads) + sshd.streamThreads + sshd.commandStartThreads + httpd.acceptorThreads + httpd.maxThreads 
# http://groups.google.com/group/repo-discuss/msg/4c2809310cd27255
# or "2x sshd.threads"
# http://groups.google.com/group/repo-discuss/msg/269024c966e05d6a

# container.heaplimit:
# core.packedgit*
# http://groups.google.com/group/repo-discuss/msg/269024c966e05d6a

# sshd.threads:
# http://groups.google.com/group/repo-discuss/browse_thread/thread/b91491c185295a71

# httpd.maxWait:
# 12:07 <@spearce> httpd.maxwait defaults to 5 minutes and is how long gerrit
#                  waits for an idle sshd.thread before aboring the http request
# 12:08 <@spearce> ironically
# 12:08 <@spearce> ProjectQosFilter passes this value as minutes
# 12:08 <@spearce> to a method that accepts milliseconds
# 12:09 <@spearce> so. you get 5 milliseconds before aborting
# thus, set it to 5000minutes until the bug is fixed.

node "review.openstack.org" {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80, 443, 29418]
  }
  class { 'gerrit':
    virtual_hostname => 'review.openstack.org',
    canonicalweburl => "https://review.openstack.org/",
    ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem',
    ssl_key_file => '/etc/ssl/private/review.openstack.org.key',
    ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
    email => 'review@openstack.org',
    database_poollimit => '150',    # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
    container_heaplimit => '8g',
    core_packedgitopenfiles => '4096',
    core_packedgitlimit => '400m',
    core_packedgitwindowsize => '16k',
    sshd_threads => '100',
    httpd_maxwait => '5000min',
    github_projects => $openstack_project::project_list,
    upstream_projects => [ {
                         name => 'openstack-ci/gerrit',
                         remote => 'https://gerrit.googlesource.com/gerrit'
                         } ],
    logo => 'openstack.png',
    war => 'http://tarballs.openstack.org/ci/gerrit-2.4.1-10-g63110fd.war',
    script_user => 'launchpadsync',
    script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
    script_site => 'openstack',
    enable_melody => 'true',
    melody_session => 'true',
    gerritbot_nick => 'openstackgerrit',
    gerritbot_password => hiera('gerrit_gerritbot_password'),
    gerritbot_server => 'irc.freenode.net',
    gerritbot_user => 'gerritbot',
    github_user => 'openstack-gerrit',
    github_token => hiera('gerrit_github_token'),
    mysql_password => hiera('gerrit_mysql_password'),
    email_private_key => hiera('gerrit_email_private_key'),
  }
}

node "gerrit-dev.openstack.org", "review-dev.openstack.org" {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80, 443, 29418]
  }

  class { 'gerrit':
    virtual_hostname => 'review-dev.openstack.org',
    canonicalweburl => "https://review-dev.openstack.org/",
    ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
    ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
    ssl_chain_file => '',
    email => "review-dev@openstack.org",
    github_projects => [ {
                         name => 'gtest-org/test',
                         close_pull => 'true'
                         } ],
    logo => 'openstack.png',
    war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-10-g93ffc27.war',
    script_user => 'update',
    script_key_file => '/home/gerrit2/.ssh/id_rsa',
    script_site => 'openstack',
    enable_melody => 'true',
    melody_session => 'true',
    gerritbot_nick => '',
    gerritbot_password => '',
    gerritbot_server => '',
    gerritbot_user => '',
    github_user => 'openstack-gerrit-dev',
    github_token => hiera('gerrit_dev_github_token'),
    mysql_password => hiera('gerrit_dev_mysql_password'),
    email_private_key => hiera('gerrit_dev_email_private_key'),
  }
}

node "jenkins.openstack.org" {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80, 443, 4155]
  }
  class { 'jenkins_master':
    site => 'jenkins.openstack.org',
    serveradmin => 'webmaster@openstack.org',
    logo => 'openstack.png',
    ssl_cert_file => '/etc/ssl/certs/jenkins.openstack.org.pem',
    ssl_key_file => '/etc/ssl/private/jenkins.openstack.org.key',
    ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
  }
  class { "jenkins_jobs":
    url => "https://jenkins.openstack.org/",
    username => "gerrig",
    password => hiera('jenkins_jobs_password'),
    site => "openstack",
  }
  class { "openstack_project::zuul": }
}

node "jenkins-dev.openstack.org" {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80, 443, 4155]
  } 
  class { 'backup':
    backup_user => 'bup-jenkins-dev',
    backup_server => 'ci-backup-rs-ord.openstack.org'
  }
  class { 'jenkins_master':
    site => 'jenkins-dev.openstack.org',
    serveradmin => 'webmaster@openstack.org',
    logo => 'openstack.png',
    ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
    ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
    ssl_chain_file => '',
  }
}

node "community.openstack.org" {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80, 443, 8099, 8080]
  }

  realize (
    User::Virtual::Localuser["smaffulli"],
  )
}

node "ci-puppetmaster.openstack.org" {
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [8140]
  }
  cron { "updatepuppetmaster":
    user => root,
    minute => "*/15",
    command => 'sleep $((RANDOM\%600)) && cd /opt/openstack-ci-puppet/production && /usr/bin/git pull -q',
    environment => "PATH=/var/lib/gems/1.8/bin:/usr/bin:/bin:/usr/sbin:/sbin",
  }

}

$sysadmins = $openstack_project::sysadmins

node "lists.openstack.org" {
  include openstack_project::remove_cron

  # Using openstack_project::template instead of openstack_project::server
  # because the exim config on this machine is almost certainly
  # going to be more complicated than normal.
  class { 'openstack_project::template':
    iptables_public_tcp_ports => [25, 80, 465]
  }

  $sysadmins += ['duncan@dreamhost.com']
  class { 'exim':
    sysadmin => $sysadmins,
    mailman_domains => ['lists.openstack.org'],
  }

  class { 'mailman':
    mailman_host => 'lists.openstack.org'
  }

  realize (
    User::Virtual::Localuser["oubiwann"],
  )
}

node "docs.openstack.org" {
  include openstack_project::remove_cron
  include openstack_project::server
  include doc_server
}

node "paste.openstack.org" {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80]
  }
  include lodgeit
  lodgeit::site { "openstack":
    port => "5000",
    image => "header-bg2.png"
  }

  lodgeit::site { "drizzle":
    port => "5001"
  }

}

node "planet.openstack.org" {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80]
  }
  include planet

  planet::site { "openstack":
    git_url => "https://github.com/openstack/openstack-planet.git"
  }
}

node "eavesdrop.openstack.org" {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80]
  }
  include meetbot

  meetbot::site { "openstack":
    nick => "openstack",
    nickpass => hiera('openstack_meetbot_password'),
    network => "FreeNode",
    server => "chat.us.freenode.net:7000",
    url => "eavesdrop.openstack.org",
    channels => "#openstack #openstack-dev #openstack-meeting",
    use_ssl => "True"
  }
}

node "pypi.openstack.org" {
  include openstack_project::remove_cron

  # include jenkins slave so that build deps are there for the pip download
  class { 'jenkins_slave':
    ssh_key => "",
    user => false
  }

  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80]
  }

  class { "pypimirror":
    base_url => "http://pypi.openstack.org",
    projects => $openstack_project::project_list,
  }
}

node 'etherpad.openstack.org' {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [22, 80, 443]
  }

  include etherpad_lite
  class { 'etherpad_lite::nginx':
    etherpad_crt => hiera('etherpad_crt'),
    etherpad_key => hiera('etherpad_key')
  }
  class { 'etherpad_lite::site':
    database_password => hiera('etherpad_db_password'),
  }
  class { 'etherpad_lite::mysql':
    database_password => hiera('etherpad_db_password'),
  }
  include etherpad_lite::backup
}

node 'wiki.openstack.org' {
  include openstack_project::remove_cron
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80, 443]
  }

  realize (
    User::Virtual::Localuser["rlane"],
  )
}

# A bare machine, but with a jenkins user
node /^.*\.template\.openstack\.org$/ {
  class { 'openstack_project::template':
    iptables_public_tcp_ports => []
  }
  class { 'jenkins_slave':
    ssh_key => $openstack_project::jenkins_ssh_key,
    sudo => true,
    bare => true
  }
}

# A backup machine.  Don't run cron or puppet agent on it.
node /^ci-backup-.*\.openstack\.org$/ {
  class { 'openstack_project::template':
    iptables_public_tcp_ports => []
  }
}

#
# Jenkins slaves:
#

# Test cgroups and ulimits on precise8
node 'precise8.slave.openstack.org' {
  include openstack_project::puppet_cron
  include openstack_project::jenkins_slave

  include ulimit
  ulimit::conf { 'limit_jenkins_procs':
    limit_domain => 'jenkins',
    limit_type   => 'hard',
    limit_item   => 'nproc',
    limit_value  => '256'
  }
  include jenkins_slave::cgroups
}

node /^.*\.slave\.openstack\.org$/ {
  include openstack_project::puppet_cron
  include openstack_project::jenkins_slave
}

# bare-bones slaves spun up by jclouds. Specifically need to not set ssh
# login limits, because it screws up jclouds provisioning
node /^.*\.jclouds\.openstack\.org$/ {

  include openstack_project::base

  class { 'jenkins_slave':
    ssh_key => "",
    user => false
  }
}