System configuration for OpenStack Infrastructure

static.pp 15KB

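  # == Class: openstack_project::static
  #
  # Configures the static file server: Apache and the modules it needs, the
  # TLS certificate, key and chain files, and one vhost per hosted site
  # (tarballs, logs, security, governance, specs, trystack, releases,
  # service-types and a set of legacy redirect hosts).
  #
  # === Parameters
  #
  # [*swift_authurl*], [*swift_user*], [*swift_key*], [*swift_tenant_name*],
  # [*swift_region_name*], [*swift_default_container*]
  #   Passed unchanged to openstackci::logserver. $swift_key is a credential;
  #   supply it from private data rather than as a literal in a manifest.
  #
  # [*project_config_repo*]
  #   Passed as the url of the project_config class.
  #
  # [*ssl_cert_file*], [*ssl_cert_file_contents*], [*ssl_key_file*],
  # [*ssl_key_file_contents*], [*ssl_chain_file*], [*ssl_chain_file_contents*]
  #   Paths and optional contents of the TLS certificate, private key and
  #   intermediate chain; see the comments in the class body for how the
  #   empty-string defaults are interpreted.
  #
  # [*jenkins_gitfullname*], [*jenkins_gitemail*]
  #   Passed to jenkins::jenkinsuser as gitfullname and gitemail.
  #
  class openstack_project::static (
    $swift_authurl = '',
    $swift_user = '',
    $swift_key = '',
    $swift_tenant_name = '',
    $swift_region_name = '',
    $swift_default_container = '',
    $project_config_repo = '',
    $ssl_cert_file = '',
    $ssl_cert_file_contents = '',
    $ssl_key_file = '',
    $ssl_key_file_contents = '',
    $ssl_chain_file = '',
    $ssl_chain_file_contents = '',
    $jenkins_gitfullname = 'OpenStack Jenkins',
    $jenkins_gitemail = 'jenkins@openstack.org',
  ) {

    class { 'project_config':
      url => $project_config_repo,
    }

    include openstack_project

    class { 'jenkins::jenkinsuser':
      ssh_key     => $openstack_project::jenkins_ssh_key,
      gitfullname => $jenkins_gitfullname,
      gitemail    => $jenkins_gitemail,
    }

    # This will try to index our millions of logs and docs by default
    # and cause all sorts of IO and disk-usage issues.
    package { 'mlocate':
      ensure => absent,
    }

    include ::httpd
    include ::httpd::mod::wsgi

    # Each module is guarded with defined() so that a declaration made by
    # another class does not cause a duplicate-resource error.
    if ! defined(Httpd::Mod['rewrite']) {
      httpd::mod { 'rewrite':
        ensure => present,
      }
    }
    if ! defined(Httpd::Mod['proxy']) {
      httpd::mod { 'proxy':
        ensure => present,
      }
    }
    if ! defined(Httpd::Mod['proxy_http']) {
      httpd::mod { 'proxy_http':
        ensure => present,
      }
    }
    if ! defined(Httpd::Mod['alias']) {
      httpd::mod { 'alias': ensure => present }
    }
    if ! defined(Httpd::Mod['headers']) {
      httpd::mod { 'headers': ensure => present }
    }

    if ! defined(File['/srv/static']) {
      file { '/srv/static':
        ensure => directory,
      }
    }

    file { '/etc/ssl/certs':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0755',
    }

    # Private keys live here: only root may enter or list the directory.
    file { '/etc/ssl/private':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0700',
    }

    # NOTE(review): the SSL vhosts below require File[$cert_file] and
    # File[$key_file], and the chain file is ordered before File[$cert_file].
    # This class only declares those File resources when the matching
    # *_contents parameter is non-empty; in the snakeoil and existing-path
    # cases they have to be declared elsewhere for the relationships to
    # resolve -- confirm against the node definition.

    # To use the standard ssl-certs package snakeoil certificate, leave both
    # $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing
    # certificate, specify its path for $ssl_cert_file and leave
    # $ssl_cert_file_contents empty. To manage the certificate with puppet,
    # provide $ssl_cert_file_contents and optionally specify the path to use for
    # it in $ssl_cert_file.
    #
    # The snakeoil certificate is self-signed, so clients cannot authenticate
    # the server with it; treat the all-defaults case as test-only.
    if ($ssl_cert_file == '') and ($ssl_cert_file_contents == '') {
      $cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
    } else {
      if $ssl_cert_file == '' {
        $cert_file = "/etc/ssl/certs/${::fqdn}.pem"
      } else {
        $cert_file = $ssl_cert_file
      }
      if $ssl_cert_file_contents != '' {
        file { $cert_file:
          ensure  => present,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => $ssl_cert_file_contents,
          require => File['/etc/ssl/certs'],
        }
      }
    }

    # To use the standard ssl-certs package snakeoil key, leave both
    # $ssl_key_file and $ssl_key_file_contents empty. To use an existing key,
    # specify its path for $ssl_key_file and leave $ssl_key_file_contents empty.
    # To manage the key with puppet, provide $ssl_key_file_contents and
    # optionally specify the path to use for it in $ssl_key_file.
    if ($ssl_key_file == '') and ($ssl_key_file_contents == '') {
      $key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
    } else {
      if $ssl_key_file == '' {
        $key_file = "/etc/ssl/private/${::fqdn}.key"
      } else {
        $key_file = $ssl_key_file
      }
      if $ssl_key_file_contents != '' {
        # The key is readable by root only. show_diff is disabled so that a
        # change to the key is never rendered as a content diff in agent
        # output or reports, even where file diffs are enabled globally.
        file { $key_file:
          ensure    => present,
          owner     => 'root',
          group     => 'root',
          mode      => '0600',
          content   => $ssl_key_file_contents,
          show_diff => false,
          require   => File['/etc/ssl/private'],
        }
      }
    }

    # To avoid using an intermediate certificate chain, leave both
    # $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing
    # chain, specify its path for $ssl_chain_file and leave
    # $ssl_chain_file_contents empty. To manage the chain with puppet, provide
    # $ssl_chain_file_contents and optionally specify the path to use for it in
    # $ssl_chain_file.
    if ($ssl_chain_file == '') and ($ssl_chain_file_contents == '') {
      $chain_file = ''
    } else {
      if $ssl_chain_file == '' {
        $chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem"
      } else {
        $chain_file = $ssl_chain_file
      }
      if $ssl_chain_file_contents != '' {
        file { $chain_file:
          ensure  => present,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => $ssl_chain_file_contents,
          require => File['/etc/ssl/certs'],
          before  => File[$cert_file],
        }
      }
    }

    ###########################################################
    # Tarballs

    ::httpd::vhost { 'tarballs.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/tarballs',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'tarballs.openstack.org',
      require    => [
        File['/srv/static/tarballs'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    # Owned by jenkins, as are the other /srv/static docroots below, presumably
    # so that CI jobs can publish into them. Anything able to act as the
    # jenkins account can therefore change what these sites serve.
    file { '/srv/static/tarballs':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # legacy ci.openstack.org site redirect

    # Port 80 only; what is served is decided by the template, which is not
    # part of this file.
    ::httpd::vhost { 'ci.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/ci.vhost.erb',
    }

    ###########################################################
    # Logs

    class { 'openstackci::logserver':
      jenkins_ssh_key         => $openstack_project::jenkins_ssh_key,
      domain                  => 'openstack.org',
      ara_middleware          => true,
      wsgi_processes          => 16,
      swift_authurl           => $swift_authurl,
      swift_user              => $swift_user,
      swift_key               => $swift_key,
      swift_tenant_name       => $swift_tenant_name,
      swift_region_name       => $swift_region_name,
      swift_default_container => $swift_default_container,
      # Log path patterns mapped to the help pages that are installed under
      # /srv/static/logs/help further down.
      readmes                 => {
        '/*/*/*/*/*-tempest-dsvm*/*'           => '/help/tempest-overview.html',
        '/periodic*/*/*-tempest-dsvm*/*'       => '/help/tempest-overview.html',
        '/*/*/*/*/*-tempest-dsvm*/*/logs/'     => '/help/tempest-logs.html',
        '/periodic*/*/*-tempest-dsvm*/*/logs/' => '/help/tempest-logs.html',
        '/*/*/*/*/*tripleo-ci-*/*/logs/'       => '/help/tripleo-quickstart-logs.html',
      },
    }

    # NOTE(review): unlike the other ssl => true vhosts in this class, this one
    # has no require on File[$cert_file] / File[$key_file]; confirm that the
    # certificate paths used by logs.vhost.erb exist before Apache is
    # reloaded. File['/srv/static/logs'] is not declared in this file either
    # and presumably comes from openstackci::logserver.
    ::httpd::vhost { 'logs.opendev.org':
      port       => 443,
      priority   => '50',
      ssl        => true,
      docroot    => '/srv/static/logs',
      require    => File['/srv/static/logs'],
      vhost_name => 'logs.opendev.org',
      template   => 'openstack_project/logs.vhost.erb',
    }

    # ensure => latest with revision => 'master' follows the tip of the
    # upstream branch on every run; the help pages copied from this checkout
    # are then served as HTML by the logs vhost. The content published here is
    # only as trustworthy as upstream review of that branch.
    vcsrepo { '/opt/devstack-gate':
      ensure   => latest,
      provider => git,
      revision => 'master',
      source   => 'https://opendev.org/openstack/devstack-gate',
    }

    file { '/srv/static/logs/help':
      ensure  => directory,
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
      require => File['/srv/static/logs'],
    }

    # The help pages are installed root-owned and read-only (0444).
    file { '/srv/static/logs/help/tempest-logs.html':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0444',
      source  => 'file:///opt/devstack-gate/help/tempest-logs.html',
      require => [File['/srv/static/logs/help'], Vcsrepo['/opt/devstack-gate']],
    }

    file { '/srv/static/logs/help/tempest-overview.html':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0444',
      source  => 'file:///opt/devstack-gate/help/tempest-overview.html',
      require => [File['/srv/static/logs/help'], Vcsrepo['/opt/devstack-gate']],
    }

    # Tracks the tip of master in the same way as /opt/devstack-gate above.
    vcsrepo { '/opt/tripleo-ci':
      ensure   => latest,
      provider => git,
      revision => 'master',
      source   => 'https://opendev.org/openstack/tripleo-ci',
    }

    file { '/srv/static/logs/help/tripleo-quickstart-logs.html':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0444',
      source  => 'file:///opt/tripleo-ci/docs/tripleo-quickstart-logs.html',
      require => [File['/srv/static/logs/help'], Vcsrepo['/opt/tripleo-ci']],
    }

    ###########################################################
    # Security

    ::httpd::vhost { 'security.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/security',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-https-redirect.vhost.erb',
      vhost_name => 'security.openstack.org',
      require    => [
        File['/srv/static/security'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/security':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # Governance (TC and UC) & Election

    # Extra aliases and directories needed for vhost template:
    $governance_aliases = {
      '/election/' => '/srv/static/election/',
      '/sigs/'     => '/srv/static/sigs/',
      '/tc/'       => '/srv/static/tc/',
      '/uc/'       => '/srv/static/uc/',
    }

    # Extra redirects needed for vhost template:
    $governance_redirects = {
      '/badges/'      => '/tc/badges/',
      '/goals/'       => '/tc/goals/',
      '/reference/'   => '/tc/reference/',
      '/resolutions/' => '/tc/resolutions/',
    }

    # One of these must also be the docroot
    $governance_directories = [
      '/srv/static/election',
      '/srv/static/governance',
      '/srv/static/sigs',
      '/srv/static/tc',
      '/srv/static/uc',
    ]

    ::httpd::vhost { 'governance.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/governance',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-governance.vhost.erb',
      vhost_name => 'governance.openstack.org',
      require    => [
        File[$governance_directories],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { $governance_directories:
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # Specs

    ::httpd::vhost { 'specs.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/specs',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'specs.openstack.org',
      require    => [
        File['/srv/static/specs'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/specs':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # legacy summit.openstack.org site redirect

    ::httpd::vhost { 'summit.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/summit.vhost.erb',
    }

    ###########################################################
    # legacy site redirects

    ::httpd::vhost { 'devstack.org':
      port          => 80,
      priority      => '50',
      docroot       => 'MEANINGLESS_ARGUMENT',
      serveraliases => ['*.devstack.org'],
      template      => 'openstack_project/legacy.vhost.erb',
    }

    ::httpd::vhost { 'cinder.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/legacy.vhost.erb',
    }

    ::httpd::vhost { 'glance.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/legacy.vhost.erb',
    }

    ::httpd::vhost { 'horizon.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/legacy.vhost.erb',
    }

    ::httpd::vhost { 'keystone.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/legacy.vhost.erb',
    }

    ::httpd::vhost { 'nova.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/legacy.vhost.erb',
    }

    ::httpd::vhost { 'qa.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/legacy.vhost.erb',
    }

    ::httpd::vhost { 'swift.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/legacy.vhost.erb',
    }

    ###########################################################
    # Trystack

    # NOTE(review): the docroot is the git working tree itself, so the .git
    # directory sits under the served path; confirm the vhost template does
    # not expose it.
    ::httpd::vhost { 'trystack.openstack.org':
      port          => 443, # Is required despite not being used.
      docroot       => '/opt/trystack',
      priority      => '50',
      ssl           => true,
      template      => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name    => 'trystack.openstack.org',
      serveraliases => ['trystack.org', 'www.trystack.org'],
      require       => [
        Vcsrepo['/opt/trystack'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    # Follows the tip of master on every run; the site content is whatever
    # that branch currently holds.
    vcsrepo { '/opt/trystack':
      ensure   => latest,
      provider => git,
      revision => 'master',
      source   => 'https://opendev.org/x/trystack-site',
    }

    ###########################################################
    # Releases

    ::httpd::vhost { 'releases.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/releases',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-https-redirect.vhost.erb',
      vhost_name => 'releases.openstack.org',
      require    => [
        File['/srv/static/releases'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/releases':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # service-types.openstack.org

    ::httpd::vhost { 'service-types.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/service-types',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-https-redirect.vhost.erb',
      vhost_name => 'service-types.openstack.org',
      require    => [
        File['/srv/static/service-types'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/service-types':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    # Until Apache 2.4.24 the event MPM has some scalability bottlenecks
    # that were seen to drop connections, especially on larger files; see
    # https://httpd.apache.org/docs/2.4/mod/event.html
    #
    # The main advantage of event MPM is for keep-alive requests which
    # are not really a big issue on this static file server. Therefore
    # we switch to the threaded worker MPM as a workaround. This can be
    # reconsidered when the apache version running is sufficient to
    # avoid these problems.
    httpd::mod { 'mpm_event': ensure => 'absent' }
    httpd::mod { 'mpm_worker': ensure => 'present' }
  }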