Ian Wienand 91bca8d574 Remove mlocate from static.o.o
mlocate is filling up the disk trying to index logs and docs.

Its default is not to index remote mounts, but since these are mounted
on static.o.o as block devices it descends into them.  Another option
is to update PRUNEPATHS in updatedb.conf, but since this is wholly
unnecessary let's KISS and just get rid of it.

It is only installed because it is a "suggests" of findutils, so has
no reverse-dependencies.

Change-Id: Ib23f3f1fb3397b66f897a0d284da521ce50293e8
2017-02-14 10:40:08 +11:00


# == Class: openstack_project::static
#
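# Configures the node that serves the project's static sites: Apache with
# the modules the vhost templates rely on, the TLS certificate/key/chain
# files, one vhost per site (tarballs, docs-draft, security, governance,
# specs, trystack, releases), the legacy redirect vhosts (ci, summit,
# devstack.org) and the log server class.
#
# === Parameters
#
# [*swift_authurl*, *swift_user*, *swift_key*, *swift_tenant_name*,
#  *swift_region_name*, *swift_default_container*]
#   Passed through unchanged to openstackci::logserver.  $swift_key is a
#   credential and is handled here as a plain string.
#
# [*project_config_repo*]
#   URL handed to the project_config class.
#
# [*ssl_cert_file*, *ssl_cert_file_contents*, *ssl_key_file*,
#  *ssl_key_file_contents*, *ssl_chain_file*, *ssl_chain_file_contents*]
#   Path and/or contents of the certificate, private key and intermediate
#   chain shared by the vhosts; see the comments above each selection block.
#
# [*releases_cert_file_contents*, *releases_key_file_contents*,
#  *releases_chain_file_contents*]
#   Contents of the separate certificate, key and chain written for
#   releases.openstack.org.
#
# [*jenkins_gitfullname*, *jenkins_gitemail*]
#   Git identity passed to jenkins::jenkinsuser.
#
class openstack_project::static (
  $swift_authurl                = '',
  $swift_user                   = '',
  $swift_key                    = '',
  $swift_tenant_name            = '',
  $swift_region_name            = '',
  $swift_default_container      = '',
  $project_config_repo          = '',
  $ssl_cert_file                = '',
  $ssl_cert_file_contents       = '',
  $ssl_key_file                 = '',
  $ssl_key_file_contents        = '',
  $ssl_chain_file               = '',
  $ssl_chain_file_contents      = '',
  $releases_cert_file_contents  = '',
  $releases_key_file_contents   = '',
  $releases_chain_file_contents = '',
  $jenkins_gitfullname          = 'OpenStack Jenkins',
  $jenkins_gitemail             = 'jenkins@openstack.org',
) {

  class { 'project_config':
    url => $project_config_repo,
  }

  include openstack_project

  # The 'jenkins' user declared here owns the content directories below.
  class { 'jenkins::jenkinsuser':
    ssh_key     => $openstack_project::jenkins_ssh_key,
    gitfullname => $jenkins_gitfullname,
    gitemail    => $jenkins_gitemail,
  }

  # This will try to index our millions of logs and docs by default
  # and cause all sorts of IO and disk-usage issues.
  package { 'mlocate':
    ensure => absent,
  }

  include ::httpd
  include ::httpd::mod::wsgi

  # Each module is declared only if nothing evaluated earlier has already
  # declared it (presumably other classes on this node may do so); note
  # that defined() depends on evaluation order.
  if ! defined(Httpd::Mod['rewrite']) {
    httpd::mod { 'rewrite':
      ensure => present,
    }
  }

  if ! defined(Httpd::Mod['proxy']) {
    httpd::mod { 'proxy':
      ensure => present,
    }
  }

  if ! defined(Httpd::Mod['proxy_http']) {
    httpd::mod { 'proxy_http':
      ensure => present,
    }
  }

  if ! defined(Httpd::Mod['alias']) {
    httpd::mod { 'alias': ensure => present }
  }

  if ! defined(Httpd::Mod['headers']) {
    httpd::mod { 'headers': ensure => present }
  }

  if ! defined(File['/srv/static']) {
    file { '/srv/static':
      ensure => directory,
    }
  }

  file { '/etc/ssl/certs':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # Private keys live here, so the directory is readable by root only.
  file { '/etc/ssl/private':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # NOTE(review): File[$cert_file] and File[$key_file] are declared in this
  # class only when the matching *_contents parameter is non-empty, yet the
  # HTTPS vhosts below require them unconditionally (and the chain file is
  # ordered before File[$cert_file]).  Confirm that the snakeoil and
  # existing-path cases are either declared elsewhere or never used.

  # To use the standard ssl-certs package snakeoil certificate, leave both
  # $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing
  # certificate, specify its path for $ssl_cert_file and leave
  # $ssl_cert_file_contents empty. To manage the certificate with puppet,
  # provide $ssl_cert_file_contents and optionally specify the path to use for
  # it in $ssl_cert_file.
  if ($ssl_cert_file == '') and ($ssl_cert_file_contents == '') {
    $cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
  } else {
    if $ssl_cert_file == '' {
      $cert_file = "/etc/ssl/certs/${::fqdn}.pem"
    } else {
      $cert_file = $ssl_cert_file
    }
    if $ssl_cert_file_contents != '' {
      file { $cert_file:
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => $ssl_cert_file_contents,
        require => File['/etc/ssl/certs'],
      }
    }
  }

  # To use the standard ssl-certs package snakeoil key, leave both
  # $ssl_key_file and $ssl_key_file_contents empty. To use an existing key,
  # specify its path for $ssl_key_file and leave $ssl_key_file_contents empty.
  # To manage the key with puppet, provide $ssl_key_file_contents and
  # optionally specify the path to use for it in $ssl_key_file.
  if ($ssl_key_file == '') and ($ssl_key_file_contents == '') {
    $key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
  } else {
    if $ssl_key_file == '' {
      $key_file = "/etc/ssl/private/${::fqdn}.key"
    } else {
      $key_file = $ssl_key_file
    }
    if $ssl_key_file_contents != '' {
      file { $key_file:
        ensure    => present,
        owner     => 'root',
        group     => 'root',
        mode      => '0600',
        content   => $ssl_key_file_contents,
        # Never render the private key in agent diff output or reports,
        # even on agents that have show_diff enabled.
        show_diff => false,
        require   => File['/etc/ssl/private'],
      }
    }
  }

  # To avoid using an intermediate certificate chain, leave both
  # $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing
  # chain, specify its path for $ssl_chain_file and leave
  # $ssl_chain_file_contents empty. To manage the chain with puppet, provide
  # $ssl_chain_file_contents and optionally specify the path to use for it in
  # $ssl_chain_file.
  if ($ssl_chain_file == '') and ($ssl_chain_file_contents == '') {
    $chain_file = ''
  } else {
    if $ssl_chain_file == '' {
      $chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem"
    } else {
      $chain_file = $ssl_chain_file
    }
    if $ssl_chain_file_contents != '' {
      file { $chain_file:
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => $ssl_chain_file_contents,
        require => File['/etc/ssl/certs'],
        before  => File[$cert_file],
      }
    }
  }

  ###########################################################
  # Tarballs

  ::httpd::vhost { 'tarballs.openstack.org':
    port       => 443, # Is required despite not being used.
    docroot    => '/srv/static/tarballs',
    priority   => '50',
    ssl        => true,
    template   => 'openstack_project/static-http-and-https.vhost.erb',
    vhost_name => 'tarballs.openstack.org',
    require    => [
      File['/srv/static/tarballs'],
      File[$cert_file],
      File[$key_file],
    ],
  }

  file { '/srv/static/tarballs':
    ensure  => directory,
    owner   => 'jenkins',
    group   => 'jenkins',
    require => User['jenkins'],
  }

  ###########################################################
  # legacy ci.openstack.org site redirect

  ::httpd::vhost { 'ci.openstack.org':
    port     => 80,
    priority => '50',
    docroot  => 'MEANINGLESS_ARGUMENT',
    template => 'openstack_project/ci.vhost.erb',
  }

  ###########################################################
  # Logs

  # The Swift credentials are forwarded as-is; how they are stored on disk
  # is decided inside openstackci::logserver, which is not shown here.
  class { 'openstackci::logserver':
    jenkins_ssh_key         => $openstack_project::jenkins_ssh_key,
    domain                  => 'openstack.org',
    swift_authurl           => $swift_authurl,
    swift_user              => $swift_user,
    swift_key               => $swift_key,
    swift_tenant_name       => $swift_tenant_name,
    swift_region_name       => $swift_region_name,
    swift_default_container => $swift_default_container,
  }

  ###########################################################
  # Docs-draft

  ::httpd::vhost { 'docs-draft.openstack.org':
    port       => 443, # Is required despite not being used.
    docroot    => '/srv/static/docs-draft',
    priority   => '50',
    ssl        => true,
    template   => 'openstack_project/static-http-and-https.vhost.erb',
    vhost_name => 'docs-draft.openstack.org',
    require    => [
      File['/srv/static/docs-draft'],
      File[$cert_file],
      File[$key_file],
    ],
  }

  file { '/srv/static/docs-draft':
    ensure  => directory,
    owner   => 'jenkins',
    group   => 'jenkins',
    require => User['jenkins'],
  }

  # Root-owned and read-only, so the jenkins user that owns the docroot
  # cannot rewrite it through the file's own permissions.
  file { '/srv/static/docs-draft/robots.txt':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    source  => 'puppet:///modules/openstack_project/disallow_robots.txt',
    require => File['/srv/static/docs-draft'],
  }

  ###########################################################
  # Security

  ::httpd::vhost { 'security.openstack.org':
    port       => 443, # Is required despite not being used.
    docroot    => '/srv/static/security',
    priority   => '50',
    ssl        => true,
    template   => 'openstack_project/static-https-redirect.vhost.erb',
    vhost_name => 'security.openstack.org',
    require    => [
      File['/srv/static/security'],
      File[$cert_file],
      File[$key_file],
    ],
  }

  file { '/srv/static/security':
    ensure  => directory,
    owner   => 'jenkins',
    group   => 'jenkins',
    require => User['jenkins'],
  }

  ###########################################################
  # Governance (TC and UC) & Election

  # Extra aliases and directories needed for vhost template:
  $governance_aliases = {
    '/election/' => '/srv/static/election/',
    '/tc/'       => '/srv/static/tc/',
    '/uc/'       => '/srv/static/uc/',
  }

  # Extra redirects needed for vhost template:
  $governance_redirects = {
    '/badges/'      => '/tc/badges/',
    '/goals/'       => '/tc/goals/',
    '/reference/'   => '/tc/reference/',
    '/resolutions/' => '/tc/resolutions/',
  }

  # One of these must also be the docroot
  $governance_directories = [
    '/srv/static/election',
    '/srv/static/governance',
    '/srv/static/tc',
    '/srv/static/uc',
  ]

  ::httpd::vhost { 'governance.openstack.org':
    port       => 443, # Is required despite not being used.
    docroot    => '/srv/static/governance',
    priority   => '50',
    ssl        => true,
    template   => 'openstack_project/static-governance.vhost.erb',
    vhost_name => 'governance.openstack.org',
    require    => [
      File[$governance_directories],
      File[$cert_file],
      File[$key_file],
    ],
  }

  file { $governance_directories:
    ensure  => directory,
    owner   => 'jenkins',
    group   => 'jenkins',
    require => User['jenkins'],
  }

  ###########################################################
  # Specs

  ::httpd::vhost { 'specs.openstack.org':
    port       => 443, # Is required despite not being used.
    docroot    => '/srv/static/specs',
    priority   => '50',
    ssl        => true,
    template   => 'openstack_project/static-http-and-https.vhost.erb',
    vhost_name => 'specs.openstack.org',
    require    => [
      File['/srv/static/specs'],
      File[$cert_file],
      File[$key_file],
    ],
  }

  file { '/srv/static/specs':
    ensure  => directory,
    owner   => 'jenkins',
    group   => 'jenkins',
    require => User['jenkins'],
  }

  ###########################################################
  # legacy summit.openstack.org site redirect

  ::httpd::vhost { 'summit.openstack.org':
    port     => 80,
    priority => '50',
    docroot  => 'MEANINGLESS_ARGUMENT',
    template => 'openstack_project/summit.vhost.erb',
  }

  ###########################################################
  # legacy devstack.org site redirect

  ::httpd::vhost { 'devstack.org':
    port          => 80,
    priority      => '50',
    docroot       => 'MEANINGLESS_ARGUMENT',
    serveraliases => ['*.devstack.org'],
    template      => 'openstack_project/devstack.vhost.erb',
  }

  ###########################################################
  # Trystack

  ::httpd::vhost { 'trystack.openstack.org':
    port          => 443, # Is required despite not being used.
    docroot       => '/opt/trystack',
    priority      => '50',
    ssl           => true,
    template      => 'openstack_project/static-http-and-https.vhost.erb',
    vhost_name    => 'trystack.openstack.org',
    serveraliases => ['trystack.org', 'www.trystack.org'],
    require       => [
      Vcsrepo['/opt/trystack'],
      File[$cert_file],
      File[$key_file],
    ],
  }

  # NOTE(review): 'ensure => latest' on 'master' means each agent run
  # publishes whatever is at the branch tip straight into the docroot
  # served above.  Pin a reviewed revision if that is not the intent.
  vcsrepo { '/opt/trystack':
    ensure   => latest,
    provider => git,
    revision => 'master',
    source   => 'https://git.openstack.org/openstack-infra/trystack-site',
  }

  ###########################################################
  # Releases

  # Temporary separate HTTPS cert/key/chain for releases.o.o so that we
  # don't have to renew the static.o.o cert just to add one SubjectAltName
  #
  # NOTE(review): unlike the shared cert/key/chain above, these three files
  # are managed unconditionally, so with the default empty parameters they
  # would be written empty.  Confirm the contents are always supplied.
  file { '/etc/ssl/certs/releases.openstack.org.pem':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $releases_cert_file_contents,
    require => File['/etc/ssl/certs'],
  }

  file { '/etc/ssl/private/releases.openstack.org.key':
    ensure    => present,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    content   => $releases_key_file_contents,
    # Never render the private key in agent diff output or reports,
    # even on agents that have show_diff enabled.
    show_diff => false,
    require   => File['/etc/ssl/private'],
  }

  file { '/etc/ssl/certs/releases.openstack.org_intermediate.pem':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $releases_chain_file_contents,
    require => File['/etc/ssl/certs'],
    before  => File['/etc/ssl/certs/releases.openstack.org.pem'],
  }

  ::httpd::vhost { 'releases.openstack.org':
    port       => 443, # Is required despite not being used.
    docroot    => '/srv/static/releases',
    priority   => '50',
    ssl        => true,
    template   => 'openstack_project/static-releases.vhost.erb',
    vhost_name => 'releases.openstack.org',
    require    => [
      File['/srv/static/releases'],
      File['/etc/ssl/certs/releases.openstack.org.pem'],
      File['/etc/ssl/private/releases.openstack.org.key'],
    ],
  }

  file { '/srv/static/releases':
    ensure  => directory,
    owner   => 'jenkins',
    group   => 'jenkins',
    require => User['jenkins'],
  }
}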