55da1e3d06
This reverts commit c25e91f49632d8e187f35807f250567446bd5102. This script parses the Apache logs and writes out a local count of the 404 data to files.openstack.org, and then exports it via files.openstack.org. As part of the spec [1] we're trying to remove publishing from local volumes, in general. Since this is not widely used, there is only one link to it, it's not discoverable from the landing page of files.openstack.org (which just shows the afs directory listing), it has a very long latency making it not that useful for debugging and grepping the logs there have been no accesses in the past 2 weeks (as far back as logs go) I propose we remove it. If we want to retain this, we should publish the output alongside the docs AFS volume. That could certainly be done by distributing the docs keytab to the host and having it write out in a similar cron job. Another option could be to setup a keypair for remote login and keep that as a secret in Zuul, and do the same from a periodic job (complicated by apache logs being root only, so needs some sudo magic or similar). Or, we could figure out an altogether better, privacy respecting client analytics solution. [1] https://docs.opendev.org/opendev/infra-specs/latest/specs/retire-static.html Depends-On: https://review.opendev.org/709036 Change-Id: Iccf24a72cf82592bae8c699f9f857aa54fc74f10
308 lines
8.8 KiB
Puppet
308 lines
8.8 KiB
Puppet
# == Class: openstack_project::files
|
|
#
|
|
class openstack_project::files (
|
|
$vhost_name = $::fqdn,
|
|
$developer_cert_file_contents,
|
|
$developer_key_file_contents,
|
|
$developer_chain_file_contents,
|
|
$docs_cert_file_contents,
|
|
$docs_key_file_contents,
|
|
$docs_chain_file_contents,
|
|
$git_airship_cert_file_contents,
|
|
$git_airship_key_file_contents,
|
|
$git_airship_chain_file_contents,
|
|
$git_openstack_cert_file_contents,
|
|
$git_openstack_key_file_contents,
|
|
$git_openstack_chain_file_contents,
|
|
$git_starlingx_cert_file_contents,
|
|
$git_starlingx_key_file_contents,
|
|
$git_starlingx_chain_file_contents,
|
|
) {
|
|
|
|
$afs_root = '/afs/openstack.org/'
|
|
$www_base = '/var/www'
|
|
|
|
#####################################################
|
|
# Build Apache Webroot
|
|
file { "${www_base}":
|
|
ensure => directory,
|
|
owner => root,
|
|
group => root,
|
|
}
|
|
|
|
file { "${www_base}/robots.txt":
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0444',
|
|
source => 'puppet:///modules/openstack_project/disallow_robots.txt',
|
|
require => File["${www_base}"],
|
|
}
|
|
|
|
#####################################################
|
|
# Git Redirects Webroot
|
|
file { "${www_base}/git-redirect":
|
|
ensure => directory,
|
|
owner => root,
|
|
group => root,
|
|
require => File["${www_base}"],
|
|
}
|
|
|
|
file { "${www_base}/git-redirect/.htaccess":
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0444',
|
|
source => 'puppet:///modules/openstack_project/git-redirect.htaccess',
|
|
require => File["${www_base}/git-redirect"],
|
|
}
|
|
|
|
#####################################################
|
|
# Set up directories needed by HTTPS certs/keys
|
|
file { '/etc/ssl/certs':
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
}
|
|
|
|
file { '/etc/ssl/private':
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0700',
|
|
}
|
|
|
|
#####################################################
|
|
# Build VHost
|
|
include ::httpd
|
|
|
|
::httpd::vhost { $vhost_name:
|
|
port => 80,
|
|
priority => '50',
|
|
docroot => "${afs_root}",
|
|
template => 'openstack_project/files.vhost.erb',
|
|
require => [
|
|
File["${www_base}"],
|
|
]
|
|
}
|
|
|
|
httpd_mod { 'rewrite':
|
|
ensure => present,
|
|
before => Service['httpd'],
|
|
}
|
|
|
|
class { '::httpd::logrotate':
|
|
options => [
|
|
'daily',
|
|
'missingok',
|
|
'rotate 7',
|
|
'compress',
|
|
'delaycompress',
|
|
'notifempty',
|
|
'create 640 root adm',
|
|
],
|
|
}
|
|
|
|
# Until Apache 2.4.24 the event MPM has some issues scalability
|
|
# bottlenecks that were seen to drop connections, especially on
|
|
# larger files; see
|
|
# https://httpd.apache.org/docs/2.4/mod/event.html
|
|
#
|
|
# The main advantage of event MPM is for keep-alive requests which
|
|
# are not really a big issue on this static file server. Therefore
|
|
# we switch to the threaded worker MPM as a workaround. This can be
|
|
# reconsidered when the apache version running is sufficient to
|
|
# avoid these problems.
|
|
|
|
httpd::mod { 'mpm_event': ensure => 'absent' }
|
|
httpd::mod { 'mpm_worker': ensure => 'present' }
|
|
|
|
file { '/etc/apache2/mods-available/mpm_worker.conf':
|
|
ensure => file,
|
|
source => 'puppet:///modules/openstack_project/files/mpm_worker.conf',
|
|
notify => Service['httpd'],
|
|
}
|
|
|
|
###########################################################
|
|
# docs.openstack.org
|
|
|
|
::httpd::vhost { 'docs.openstack.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => "${afs_root}docs",
|
|
priority => '50',
|
|
template => 'openstack_project/docs.vhost.erb',
|
|
}
|
|
file { '/etc/ssl/certs/docs.openstack.org.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $docs_cert_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
}
|
|
file { '/etc/ssl/private/docs.openstack.org.key':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => $docs_key_file_contents,
|
|
require => File['/etc/ssl/private'],
|
|
}
|
|
file { '/etc/ssl/certs/docs.openstack.org_intermediate.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $docs_chain_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
before => File['/etc/ssl/certs/docs.openstack.org.pem'],
|
|
}
|
|
|
|
###########################################################
|
|
# developer.openstack.org
|
|
|
|
::httpd::vhost { 'developer.openstack.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => "${afs_root}developer-docs",
|
|
priority => '50',
|
|
template => 'openstack_project/developer.vhost.erb',
|
|
}
|
|
file { '/etc/ssl/certs/developer.openstack.org.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $developer_cert_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
}
|
|
file { '/etc/ssl/private/developer.openstack.org.key':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => $developer_key_file_contents,
|
|
require => File['/etc/ssl/private'],
|
|
}
|
|
file { '/etc/ssl/certs/developer.openstack.org_intermediate.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $developer_chain_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
before => File['/etc/ssl/certs/developer.openstack.org.pem'],
|
|
}
|
|
|
|
|
|
###########################################################
|
|
# git.airshipit.org
|
|
|
|
::httpd::vhost { 'git.airshipit.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => "${www_base}/git-redirect",
|
|
priority => '50',
|
|
template => 'openstack_project/git-redirect.vhost.erb',
|
|
require => File["${www_base}/git-redirect"],
|
|
}
|
|
file { '/etc/ssl/certs/git.airshipit.org.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $git_airship_cert_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
}
|
|
file { '/etc/ssl/private/git.airshipit.org.key':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => $git_airship_key_file_contents,
|
|
require => File['/etc/ssl/private'],
|
|
}
|
|
file { '/etc/ssl/certs/git.airshipit.org_intermediate.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $git_airship_chain_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
before => File['/etc/ssl/certs/git.airshipit.org.pem'],
|
|
}
|
|
|
|
|
|
###########################################################
|
|
# git.openstack.org
|
|
|
|
::httpd::vhost { 'git.openstack.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => "${www_base}/git-redirect",
|
|
priority => '50',
|
|
template => 'openstack_project/git-redirect.vhost.erb',
|
|
require => File["${www_base}/git-redirect"],
|
|
}
|
|
file { '/etc/ssl/certs/git.openstack.org.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $git_openstack_cert_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
}
|
|
file { '/etc/ssl/private/git.openstack.org.key':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => $git_openstack_key_file_contents,
|
|
require => File['/etc/ssl/private'],
|
|
}
|
|
file { '/etc/ssl/certs/git.openstack.org_intermediate.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $git_openstack_chain_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
before => File['/etc/ssl/certs/git.openstack.org.pem'],
|
|
}
|
|
|
|
|
|
###########################################################
|
|
# git.starlingx.io
|
|
|
|
::httpd::vhost { 'git.starlingx.io':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => "${www_base}/git-redirect",
|
|
priority => '50',
|
|
template => 'openstack_project/git-redirect.vhost.erb',
|
|
require => File["${www_base}/git-redirect"],
|
|
}
|
|
file { '/etc/ssl/certs/git.starlingx.io.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $git_starlingx_cert_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
}
|
|
file { '/etc/ssl/private/git.starlingx.io.key':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => $git_starlingx_key_file_contents,
|
|
require => File['/etc/ssl/private'],
|
|
}
|
|
file { '/etc/ssl/certs/git.starlingx.io_intermediate.pem':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $git_starlingx_chain_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
before => File['/etc/ssl/certs/git.starlingx.io.pem'],
|
|
}
|
|
}
|