System configuration for OpenStack Infrastructure
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

static.pp 15KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519
  1. # == Class: openstack_project::static
  2. #
  3. class openstack_project::static (
  4. $swift_authurl = '',
  5. $swift_user = '',
  6. $swift_key = '',
  7. $swift_tenant_name = '',
  8. $swift_region_name = '',
  9. $swift_default_container = '',
  10. $project_config_repo = '',
  11. $ssl_cert_file = '',
  12. $ssl_cert_file_contents = '',
  13. $ssl_key_file = '',
  14. $ssl_key_file_contents = '',
  15. $ssl_chain_file = '',
  16. $ssl_chain_file_contents = '',
  17. $jenkins_gitfullname = 'OpenStack Jenkins',
  18. $jenkins_gitemail = 'jenkins@openstack.org',
  19. ) {
  20. class { 'project_config':
  21. url => $project_config_repo,
  22. }
  23. include openstack_project
  24. class { 'jenkins::jenkinsuser':
  25. ssh_key => $openstack_project::jenkins_ssh_key,
  26. gitfullname => $jenkins_gitfullname,
  27. gitemail => $jenkins_gitemail,
  28. }
  29. # This will try to index our millions of logs and docs by default
  30. # and cause all sorts of IO and disk-usage issues.
  31. package { 'mlocate':
  32. ensure => absent,
  33. }
  34. include ::httpd
  35. include ::httpd::mod::wsgi
  36. if ! defined(Httpd::Mod['rewrite']) {
  37. httpd::mod { 'rewrite':
  38. ensure => present,
  39. }
  40. }
  41. if ! defined(Httpd::Mod['proxy']) {
  42. httpd::mod { 'proxy':
  43. ensure => present,
  44. }
  45. }
  46. if ! defined(Httpd::Mod['proxy_http']) {
  47. httpd::mod { 'proxy_http':
  48. ensure => present,
  49. }
  50. }
  51. if ! defined(Httpd::Mod['alias']) {
  52. httpd::mod { 'alias': ensure => present }
  53. }
  54. if ! defined(Httpd::Mod['headers']) {
  55. httpd::mod { 'headers': ensure => present }
  56. }
  57. if ! defined(File['/srv/static']) {
  58. file { '/srv/static':
  59. ensure => directory,
  60. }
  61. }
  62. file { '/etc/ssl/certs':
  63. ensure => directory,
  64. owner => 'root',
  65. group => 'root',
  66. mode => '0755',
  67. }
  68. file { '/etc/ssl/private':
  69. ensure => directory,
  70. owner => 'root',
  71. group => 'root',
  72. mode => '0700',
  73. }
  74. # To use the standard ssl-certs package snakeoil certificate, leave both
  75. # $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing
  76. # certificate, specify its path for $ssl_cert_file and leave
  77. # $ssl_cert_file_contents empty. To manage the certificate with puppet,
  78. # provide $ssl_cert_file_contents and optionally specify the path to use for
  79. # it in $ssl_cert_file.
  80. if ($ssl_cert_file == '') and ($ssl_cert_file_contents == '') {
  81. $cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
  82. } else {
  83. if $ssl_cert_file == '' {
  84. $cert_file = "/etc/ssl/certs/${::fqdn}.pem"
  85. } else {
  86. $cert_file = $ssl_cert_file
  87. }
  88. if $ssl_cert_file_contents != '' {
  89. file { $cert_file:
  90. ensure => present,
  91. owner => 'root',
  92. group => 'root',
  93. mode => '0644',
  94. content => $ssl_cert_file_contents,
  95. require => File['/etc/ssl/certs'],
  96. }
  97. }
  98. }
  99. # To use the standard ssl-certs package snakeoil key, leave both
  100. # $ssl_key_file and $ssl_key_file_contents empty. To use an existing key,
  101. # specify its path for $ssl_key_file and leave $ssl_key_file_contents empty.
  102. # To manage the key with puppet, provide $ssl_key_file_contents and
  103. # optionally specify the path to use for it in $ssl_key_file.
  104. if ($ssl_key_file == '') and ($ssl_key_file_contents == '') {
  105. $key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
  106. } else {
  107. if $ssl_key_file == '' {
  108. $key_file = "/etc/ssl/private/${::fqdn}.key"
  109. } else {
  110. $key_file = $ssl_key_file
  111. }
  112. if $ssl_key_file_contents != '' {
  113. file { $key_file:
  114. ensure => present,
  115. owner => 'root',
  116. group => 'root',
  117. mode => '0600',
  118. content => $ssl_key_file_contents,
  119. require => File['/etc/ssl/private'],
  120. }
  121. }
  122. }
  123. # To avoid using an intermediate certificate chain, leave both
  124. # $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing
  125. # chain, specify its path for $ssl_chain_file and leave
  126. # $ssl_chain_file_contents empty. To manage the chain with puppet, provide
  127. # $ssl_chain_file_contents and optionally specify the path to use for it in
  128. # $ssl_chain_file.
  129. if ($ssl_chain_file == '') and ($ssl_chain_file_contents == '') {
  130. $chain_file = ''
  131. } else {
  132. if $ssl_chain_file == '' {
  133. $chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem"
  134. } else {
  135. $chain_file = $ssl_chain_file
  136. }
  137. if $ssl_chain_file_contents != '' {
  138. file { $chain_file:
  139. ensure => present,
  140. owner => 'root',
  141. group => 'root',
  142. mode => '0644',
  143. content => $ssl_chain_file_contents,
  144. require => File['/etc/ssl/certs'],
  145. before => File[$cert_file],
  146. }
  147. }
  148. }
  149. ###########################################################
  150. # Tarballs
  151. ::httpd::vhost { 'tarballs.openstack.org':
  152. port => 443, # Is required despite not being used.
  153. docroot => '/srv/static/tarballs',
  154. priority => '50',
  155. ssl => true,
  156. template => 'openstack_project/static-http-and-https.vhost.erb',
  157. vhost_name => 'tarballs.openstack.org',
  158. require => [
  159. File['/srv/static/tarballs'],
  160. File[$cert_file],
  161. File[$key_file],
  162. ],
  163. }
  164. file { '/srv/static/tarballs':
  165. ensure => directory,
  166. owner => 'jenkins',
  167. group => 'jenkins',
  168. require => User['jenkins'],
  169. }
  170. ###########################################################
  171. # legacy ci.openstack.org site redirect
  172. ::httpd::vhost { 'ci.openstack.org':
  173. port => 80,
  174. priority => '50',
  175. docroot => 'MEANINGLESS_ARGUMENT',
  176. template => 'openstack_project/ci.vhost.erb',
  177. }
  178. ###########################################################
  179. # Logs
  180. class { 'openstackci::logserver':
  181. jenkins_ssh_key => $openstack_project::jenkins_ssh_key,
  182. domain => 'openstack.org',
  183. ara_middleware => true,
  184. wsgi_processes => 16,
  185. swift_authurl => $swift_authurl,
  186. swift_user => $swift_user,
  187. swift_key => $swift_key,
  188. swift_tenant_name => $swift_tenant_name,
  189. swift_region_name => $swift_region_name,
  190. swift_default_container => $swift_default_container,
  191. readmes => {
  192. '/*/*/*/*/*-tempest-dsvm*/*' => '/help/tempest-overview.html',
  193. '/periodic*/*/*-tempest-dsvm*/*' => '/help/tempest-overview.html',
  194. '/*/*/*/*/*-tempest-dsvm*/*/logs/' => '/help/tempest-logs.html',
  195. '/periodic*/*/*-tempest-dsvm*/*/logs/' => '/help/tempest-logs.html',
  196. '/*/*/*/*/*tripleo-ci-*/*/logs/' => '/help/tripleo-quickstart-logs.html'
  197. }
  198. }
  199. vcsrepo { '/opt/devstack-gate':
  200. ensure => latest,
  201. provider => git,
  202. revision => 'master',
  203. source => 'https://opendev.org/openstack/devstack-gate',
  204. }
  205. file { '/srv/static/logs/help':
  206. ensure => directory,
  207. owner => 'root',
  208. group => 'root',
  209. mode => '0755',
  210. require => File['/srv/static/logs'],
  211. }
  212. file { '/srv/static/logs/help/tempest-logs.html':
  213. ensure => present,
  214. owner => 'root',
  215. group => 'root',
  216. mode => '0444',
  217. source => 'file:///opt/devstack-gate/help/tempest-logs.html',
  218. require => [File['/srv/static/logs/help'], Vcsrepo['/opt/devstack-gate']],
  219. }
  220. file { '/srv/static/logs/help/tempest-overview.html':
  221. ensure => present,
  222. owner => 'root',
  223. group => 'root',
  224. mode => '0444',
  225. source => 'file:///opt/devstack-gate/help/tempest-overview.html',
  226. require => [File['/srv/static/logs/help'], Vcsrepo['/opt/devstack-gate']],
  227. }
  228. vcsrepo { '/opt/tripleo-ci':
  229. ensure => latest,
  230. provider => git,
  231. revision => 'master',
  232. source => 'https://opendev.org/openstack/tripleo-ci',
  233. }
  234. file { '/srv/static/logs/help/tripleo-quickstart-logs.html':
  235. ensure => present,
  236. owner => 'root',
  237. group => 'root',
  238. mode => '0444',
  239. source => 'file:///opt/tripleo-ci/docs/tripleo-quickstart-logs.html',
  240. require => [File['/srv/static/logs/help'], Vcsrepo['/opt/tripleo-ci']],
  241. }
  242. ###########################################################
  243. # Security
  244. ::httpd::vhost { 'security.openstack.org':
  245. port => 443, # Is required despite not being used.
  246. docroot => '/srv/static/security',
  247. priority => '50',
  248. ssl => true,
  249. template => 'openstack_project/static-https-redirect.vhost.erb',
  250. vhost_name => 'security.openstack.org',
  251. require => [
  252. File['/srv/static/security'],
  253. File[$cert_file],
  254. File[$key_file],
  255. ],
  256. }
  257. file { '/srv/static/security':
  258. ensure => directory,
  259. owner => 'jenkins',
  260. group => 'jenkins',
  261. require => User['jenkins'],
  262. }
  263. ###########################################################
  264. # Governance (TC and UC) & Election
  265. # Extra aliases and directories needed for vhost template:
  266. $governance_aliases = {
  267. '/election/' => '/srv/static/election/',
  268. '/sigs/' => '/srv/static/sigs/',
  269. '/tc/' => '/srv/static/tc/',
  270. '/uc/' => '/srv/static/uc/',
  271. }
  272. # Extra redirects needed for vhost template:
  273. $governance_redirects = {
  274. '/badges/' => '/tc/badges/',
  275. '/goals/' => '/tc/goals/',
  276. '/reference/' => '/tc/reference/',
  277. '/resolutions/' => '/tc/resolutions/',
  278. }
  279. # One of these must also be the docroot
  280. $governance_directories = [
  281. '/srv/static/election',
  282. '/srv/static/governance',
  283. '/srv/static/sigs',
  284. '/srv/static/tc',
  285. '/srv/static/uc',
  286. ]
  287. ::httpd::vhost { 'governance.openstack.org':
  288. port => 443, # Is required despite not being used.
  289. docroot => '/srv/static/governance',
  290. priority => '50',
  291. ssl => true,
  292. template => 'openstack_project/static-governance.vhost.erb',
  293. vhost_name => 'governance.openstack.org',
  294. require => [
  295. File[$governance_directories],
  296. File[$cert_file],
  297. File[$key_file],
  298. ],
  299. }
  300. file { $governance_directories:
  301. ensure => directory,
  302. owner => 'jenkins',
  303. group => 'jenkins',
  304. require => User['jenkins'],
  305. }
  306. ###########################################################
  307. # Specs
  308. ::httpd::vhost { 'specs.openstack.org':
  309. port => 443, # Is required despite not being used.
  310. docroot => '/srv/static/specs',
  311. priority => '50',
  312. ssl => true,
  313. template => 'openstack_project/static-http-and-https.vhost.erb',
  314. vhost_name => 'specs.openstack.org',
  315. require => [
  316. File['/srv/static/specs'],
  317. File[$cert_file],
  318. File[$key_file],
  319. ],
  320. }
  321. file { '/srv/static/specs':
  322. ensure => directory,
  323. owner => 'jenkins',
  324. group => 'jenkins',
  325. require => User['jenkins'],
  326. }
  327. ###########################################################
  328. # legacy summit.openstack.org site redirect
  329. ::httpd::vhost { 'summit.openstack.org':
  330. port => 80,
  331. priority => '50',
  332. docroot => 'MEANINGLESS_ARGUMENT',
  333. template => 'openstack_project/summit.vhost.erb',
  334. }
  335. ###########################################################
  336. # legacy site redirects
  337. ::httpd::vhost { 'devstack.org':
  338. port => 80,
  339. priority => '50',
  340. docroot => 'MEANINGLESS_ARGUMENT',
  341. serveraliases => ['*.devstack.org'],
  342. template => 'openstack_project/legacy.vhost.erb',
  343. }
  344. ::httpd::vhost { 'cinder.openstack.org':
  345. port => 80,
  346. priority => '50',
  347. docroot => 'MEANINGLESS_ARGUMENT',
  348. template => 'openstack_project/legacy.vhost.erb',
  349. }
  350. ::httpd::vhost { 'glance.openstack.org':
  351. port => 80,
  352. priority => '50',
  353. docroot => 'MEANINGLESS_ARGUMENT',
  354. template => 'openstack_project/legacy.vhost.erb',
  355. }
  356. ::httpd::vhost { 'horizon.openstack.org':
  357. port => 80,
  358. priority => '50',
  359. docroot => 'MEANINGLESS_ARGUMENT',
  360. template => 'openstack_project/legacy.vhost.erb',
  361. }
  362. ::httpd::vhost { 'keystone.openstack.org':
  363. port => 80,
  364. priority => '50',
  365. docroot => 'MEANINGLESS_ARGUMENT',
  366. template => 'openstack_project/legacy.vhost.erb',
  367. }
  368. ::httpd::vhost { 'nova.openstack.org':
  369. port => 80,
  370. priority => '50',
  371. docroot => 'MEANINGLESS_ARGUMENT',
  372. template => 'openstack_project/legacy.vhost.erb',
  373. }
  374. ::httpd::vhost { 'qa.openstack.org':
  375. port => 80,
  376. priority => '50',
  377. docroot => 'MEANINGLESS_ARGUMENT',
  378. template => 'openstack_project/legacy.vhost.erb',
  379. }
  380. ::httpd::vhost { 'swift.openstack.org':
  381. port => 80,
  382. priority => '50',
  383. docroot => 'MEANINGLESS_ARGUMENT',
  384. template => 'openstack_project/legacy.vhost.erb',
  385. }
  386. ###########################################################
  387. # Trystack
  388. ::httpd::vhost { 'trystack.openstack.org':
  389. port => 443, # Is required despite not being used.
  390. docroot => '/opt/trystack',
  391. priority => '50',
  392. ssl => true,
  393. template => 'openstack_project/static-http-and-https.vhost.erb',
  394. vhost_name => 'trystack.openstack.org',
  395. serveraliases => ['trystack.org', 'www.trystack.org'],
  396. require => [
  397. Vcsrepo['/opt/trystack'],
  398. File[$cert_file],
  399. File[$key_file],
  400. ],
  401. }
  402. vcsrepo { '/opt/trystack':
  403. ensure => latest,
  404. provider => git,
  405. revision => 'master',
  406. source => 'https://opendev.org/x/trystack-site',
  407. }
  408. ###########################################################
  409. # Releases
  410. ::httpd::vhost { 'releases.openstack.org':
  411. port => 443, # Is required despite not being used.
  412. docroot => '/srv/static/releases',
  413. priority => '50',
  414. ssl => true,
  415. template => 'openstack_project/static-https-redirect.vhost.erb',
  416. vhost_name => 'releases.openstack.org',
  417. require => [
  418. File['/srv/static/releases'],
  419. File[$cert_file],
  420. File[$key_file],
  421. ],
  422. }
  423. file { '/srv/static/releases':
  424. ensure => directory,
  425. owner => 'jenkins',
  426. group => 'jenkins',
  427. require => User['jenkins'],
  428. }
  429. ###########################################################
  430. # service-types.openstack.org
  431. ::httpd::vhost { 'service-types.openstack.org':
  432. port => 443, # Is required despite not being used.
  433. docroot => '/srv/static/service-types',
  434. priority => '50',
  435. ssl => true,
  436. template => 'openstack_project/static-https-redirect.vhost.erb',
  437. vhost_name => 'service-types.openstack.org',
  438. require => [
  439. File['/srv/static/service-types'],
  440. File[$cert_file],
  441. File[$key_file],
  442. ],
  443. }
  444. file { '/srv/static/service-types':
  445. ensure => directory,
  446. owner => 'jenkins',
  447. group => 'jenkins',
  448. require => User['jenkins'],
  449. }
  450. # Until Apache 2.4.24 the event MPM has some issues scalability
  451. # bottlenecks that were seen to drop connections, especially on
  452. # larger files; see
  453. # https://httpd.apache.org/docs/2.4/mod/event.html
  454. #
  455. # The main advantage of event MPM is for keep-alive requests which
  456. # are not really a big issue on this static file server. Therefore
  457. # we switch to the threaded worker MPM as a workaround. This can be
  458. # reconsidered when the apache version running is sufficient to
  459. # avoid these problems.
  460. httpd::mod { 'mpm_event': ensure => 'absent' }
  461. httpd::mod { 'mpm_worker': ensure => 'present' }
  462. }