From 916c1d3dc825dd3cb16a7cf7f27460cb0c8ce09a Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Tue, 29 Jun 2021 11:57:10 +1000 Subject: [PATCH] Add paste service The paste service needs an upgrade; since others have created a lodgeit container it seems worth us keeping the service going if only to maintain the historical corpus of pastes. This adds the ansible to deploy lodgeit and a sibling mariadb container. I have imported a dump of the old data as a test. The dump is ~4gb and imported it takes up about double that; certainly nothing we need to be too concerned over. The server will be more than capable of running the db container alongside the lodgeit instance. This should have no effect on production until we decide to switch DNS. Change-Id: I284864217aa49d664ddc3ebdc800383b2d7e00e3 --- inventory/service/groups.yaml | 9 ++- .../host_vars/paste01.opendev.org.yaml | 5 ++ .../handlers/main.yaml | 5 ++ playbooks/roles/lodgeit/README.rst | 25 +++++++ playbooks/roles/lodgeit/defaults/main.yaml | 2 + playbooks/roles/lodgeit/handlers/main.yaml | 4 ++ playbooks/roles/lodgeit/tasks/main.yaml | 70 +++++++++++++++++++ .../lodgeit/templates/docker-compose.yaml.j2 | 36 ++++++++++ .../roles/lodgeit/templates/paste.vhost.j2 | 41 +++++++++++ .../root.my.cnf.mariadb_container.j2 | 7 ++ playbooks/service-paste.yaml | 6 ++ playbooks/test-paste.yaml | 6 ++ playbooks/zuul/run-base.yaml | 1 + .../host_vars/paste01.opendev.org.yaml.j2 | 2 + testinfra/test_paste.py | 51 ++++++++++++++ zuul.d/infra-prod.yaml | 16 +++++ zuul.d/project.yaml | 7 ++ zuul.d/system-config-run.yaml | 31 ++++++++ 18 files changed, 321 insertions(+), 3 deletions(-) create mode 100644 inventory/service/host_vars/paste01.opendev.org.yaml create mode 100644 playbooks/roles/lodgeit/README.rst create mode 100644 playbooks/roles/lodgeit/defaults/main.yaml create mode 100644 playbooks/roles/lodgeit/handlers/main.yaml create mode 100644 playbooks/roles/lodgeit/tasks/main.yaml create mode 100644 playbooks/roles/lodgeit/templates/docker-compose.yaml.j2 create mode 100644 playbooks/roles/lodgeit/templates/paste.vhost.j2 create mode 100644 playbooks/roles/lodgeit/templates/root.my.cnf.mariadb_container.j2 create mode 100644 playbooks/service-paste.yaml create mode 100644 playbooks/test-paste.yaml create mode 100644 playbooks/zuul/templates/host_vars/paste01.opendev.org.yaml.j2 create mode 100644 testinfra/test_paste.py diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml index 7b4d34bea7..a3146c6a62 100644 --- a/inventory/service/groups.yaml +++ b/inventory/service/groups.yaml @@ -94,6 +94,7 @@ groups: - mirror[0-9]*.opendev.org - nb[0-9]*.opendev.org - openstackid[0-9]*.openstack.org + - paste[0-9]*.opendev.org - refstack[0-9]*.openstack.org - review[0-9]*.open*.org - review-test.opendev.org @@ -129,7 +130,9 @@ groups: - openstackid.org - openstackid[0-9]*.openstack.org paste: - - paste[0-9]*.open*.org + - paste[0-9]*.openstack.org + paste_opendev: + - paste[0-1]*.opendev.org puppet: - cacti[0-9]*.open*.org - elasticsearch[0-9]*.open*.org @@ -140,7 +143,7 @@ groups: - openstackid-dev*.openstack.org - openstackid.org - openstackid[0-9]*.openstack.org - - paste[0-9]*.open*.org + - paste[0-9]*.openstack.org - status*.open*.org - storyboard-dev[0-9]*.opendev.org - storyboard[0-9]*.opendev.org @@ -158,7 +161,7 @@ groups: - logstash[0-9]*.open*.org - openstackid[0-9]*.openstack.org - openstackid-dev[0-9]*.openstack.org - - paste[0-9]*.open*.org + - paste[0-9]*.openstack.org - status*.open*.org - storyboard[0-9]*.opendev.org - storyboard-dev[0-9]*.opendev.org diff --git a/inventory/service/host_vars/paste01.opendev.org.yaml b/inventory/service/host_vars/paste01.opendev.org.yaml new file mode 100644 index 0000000000..b2ef6cff36 --- /dev/null +++ b/inventory/service/host_vars/paste01.opendev.org.yaml @@ -0,0 +1,5 @@ +letsencrypt_certs: + paste01-opendev-org-main: + - paste01.opendev.org + - paste.opendev.org + - paste.openstack.org diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml index 304285958f..02fe4f43d6 100644 --- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml +++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml @@ -153,6 +153,11 @@ - name: letsencrypt updated nb03-opendev-org-main include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml +# paste + +- name: letsencrypt updated paste01-opendev-org-main + include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml + # review - name: letsencrypt updated review01-opendev-org-main diff --git a/playbooks/roles/lodgeit/README.rst b/playbooks/roles/lodgeit/README.rst new file mode 100644 index 0000000000..f7ed441fb7 --- /dev/null +++ b/playbooks/roles/lodgeit/README.rst @@ -0,0 +1,25 @@ +lodgeit + +Paste service. Runs a mariadb container and lodgeit container. + +** Role Variables ** + +.. zuul:rolevar:: lodgeit_db_username + :default: lodgeit + + db username + +.. zuul:rolevar:: lodgeit_db_password + :default: + + lodgeit_db_password + +.. zuul:rolevar:: lodgeit_db_dbname + :default: lodgeit + + database to connect to + +.. zuul:rolevar:: lodgeit_secret_key + :default: + + secret key diff --git a/playbooks/roles/lodgeit/defaults/main.yaml b/playbooks/roles/lodgeit/defaults/main.yaml new file mode 100644 index 0000000000..821088c319 --- /dev/null +++ b/playbooks/roles/lodgeit/defaults/main.yaml @@ -0,0 +1,2 @@ +lodgeit_db_username: lodgeit +lodgeit_db_dbname: lodgeit diff --git a/playbooks/roles/lodgeit/handlers/main.yaml b/playbooks/roles/lodgeit/handlers/main.yaml new file mode 100644 index 0000000000..17b3f0a8e8 --- /dev/null +++ b/playbooks/roles/lodgeit/handlers/main.yaml @@ -0,0 +1,4 @@ +- name: paste Reload apache2 + service: + name: apache2 + state: reloaded diff --git a/playbooks/roles/lodgeit/tasks/main.yaml b/playbooks/roles/lodgeit/tasks/main.yaml new file mode 100644 index 0000000000..6577a1244c --- /dev/null +++ b/playbooks/roles/lodgeit/tasks/main.yaml @@ -0,0 +1,70 @@ +- name: Ensure /etc/lodgeit-compose directory + file: + state: directory + path: /etc/lodgeit-compose + mode: 0755 + +- name: Put docker-compose file in place + template: + src: docker-compose.yaml.j2 + dest: /etc/lodgeit-compose/docker-compose.yaml + mode: 0644 + +- name: Setup mariadb container + block: + - name: Setup db directory + file: + state: directory + path: /var/lib/lodgeit_db + owner: root + group: root + mode: 0755 + + - name: Set up root mariadb conf file + template: + src: root.my.cnf.mariadb_container.j2 + dest: /root/.lodgeit_db.cnf + mode: 0400 + +- name: Install apache2 + apt: + name: + - apache2 + - apache2-utils + state: present + +- name: Apache modules + apache2_module: + state: present + name: "{{ item }}" + loop: + - rewrite + - proxy + - proxy_http + - ssl + - headers + +- name: Copy apache config + template: + src: paste.vhost.j2 + dest: /etc/apache2/sites-enabled/000-default.conf + owner: root + group: root + mode: 0644 + notify: paste Reload apache2 + +- name: Run docker-compose pull + shell: + cmd: docker-compose pull + chdir: /etc/lodgeit-compose/ + +- name: Run docker-compose up + shell: + cmd: "docker-compose up -d" + chdir: /etc/lodgeit-compose/ + +- name: Run docker prune to cleanup unneeded images + shell: + cmd: docker image prune -f + +# TODO : db backups diff --git a/playbooks/roles/lodgeit/templates/docker-compose.yaml.j2 b/playbooks/roles/lodgeit/templates/docker-compose.yaml.j2 new file mode 100644 index 0000000000..7bca1bf2c8 --- /dev/null +++ b/playbooks/roles/lodgeit/templates/docker-compose.yaml.j2 @@ -0,0 +1,36 @@ +version: '2' + +services: + mariadb: + image: docker.io/library/mariadb:10.4 + network_mode: host + restart: always + environment: + MYSQL_ROOT_PASSWORD: "{{ lodgeit_db_password }}" + MYSQL_DATABASE: "{{ lodgeit_db_dbname }}" + MYSQL_USER: "{{ lodgeit_db_username }}" + MYSQL_PASSWORD: "{{ lodgeit_db_password }}" + command: [ + '--wait_timeout=28800', + ] + volumes: + - /var/lib/lodgeit_db:/var/lib/mysql + logging: + driver: syslog + options: + tag: "docker-mariadb" + lodgeit: + image: docker.io/opendevorg/lodgeit + depends_on: + - mariadb + network_mode: host + command: ['/bin/bash', '-c', 'echo "*** Starting"; sleep 30; /usr/local/bin/uwsgi'] + logging: + driver: syslog + options: + tag: "docker-lodgeit" + environment: + LODGEIT_DBURI: 'mysql+pymysql://{{ lodgeit_db_username }}:{{ lodgeit_db_password }}@127.0.0.1:3306/{{ lodgeit_db_dbname }}' + LODGEIT_SECRET_KEY: '{{ lodgeit_secret_key }}' + LODGEIT_TITLE_OVERRIDE: 'Opendev Pastebin' + diff --git a/playbooks/roles/lodgeit/templates/paste.vhost.j2 b/playbooks/roles/lodgeit/templates/paste.vhost.j2 new file mode 100644 index 0000000000..99ded2af40 --- /dev/null +++ b/playbooks/roles/lodgeit/templates/paste.vhost.j2 @@ -0,0 +1,41 @@ + + ServerName {{ inventory_hostname }} + ServerAdmin webmaster@openstack.org + + ErrorLog ${APACHE_LOG_DIR}/paste-error.log + + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/paste-access.log combined + + Redirect / https://paste.opendev.org/ + + + + + ServerName {{ inventory_hostname }} + ServerAdmin webmaster@openstack.org + + AllowEncodedSlashes On + + ErrorLog ${APACHE_LOG_DIR}/paste-ssl-error.log + + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/paste-ssl-access.log combined + + SSLEngine on + SSLProtocol All -SSLv2 -SSLv3 + # Note: this list should ensure ciphers that provide forward secrecy + SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP + SSLHonorCipherOrder on + + SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer + SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key + SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer + + ProxyPass / http://localhost:9000/ retry=0 + ProxyPassReverse / http://localhost:9000/ + + + diff --git a/playbooks/roles/lodgeit/templates/root.my.cnf.mariadb_container.j2 b/playbooks/roles/lodgeit/templates/root.my.cnf.mariadb_container.j2 new file mode 100644 index 0000000000..29313e2c86 --- /dev/null +++ b/playbooks/roles/lodgeit/templates/root.my.cnf.mariadb_container.j2 @@ -0,0 +1,7 @@ +[client] +host=127.0.0.1 +port=3306 +user={{ lodgeit_db_username }} +password={{ lodgeit_db_password }} +database={{ lodgeit_db_dbname }} +ssl-mode=disabled diff --git a/playbooks/service-paste.yaml b/playbooks/service-paste.yaml new file mode 100644 index 0000000000..e308d5e205 --- /dev/null +++ b/playbooks/service-paste.yaml @@ -0,0 +1,6 @@ +- hosts: "paste_opendev:!disabled" + name: "Base: configure paste" + roles: + - iptables + - install-docker + - lodgeit diff --git a/playbooks/test-paste.yaml b/playbooks/test-paste.yaml new file mode 100644 index 0000000000..5d4e7105d9 --- /dev/null +++ b/playbooks/test-paste.yaml @@ -0,0 +1,6 @@ +- hosts: "paste_opendev" + tasks: + + - name: Run selenium container + include_role: + name: run-selenium diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml index 642627b181..e5b71b100d 100644 --- a/playbooks/zuul/run-base.yaml +++ b/playbooks/zuul/run-base.yaml @@ -85,6 +85,7 @@ - host_vars/mirror01.openafs.provider.opendev.org.yaml - host_vars/mirror02.openafs.provider.opendev.org.yaml - host_vars/mirror-update01.opendev.org.yaml + - host_vars/paste01.opendev.org.yaml - host_vars/refstack01.openstack.org.yaml - name: Display group membership command: ansible localhost -m debug -a 'var=groups' diff --git a/playbooks/zuul/templates/host_vars/paste01.opendev.org.yaml.j2 b/playbooks/zuul/templates/host_vars/paste01.opendev.org.yaml.j2 new file mode 100644 index 0000000000..58a6dbe079 --- /dev/null +++ b/playbooks/zuul/templates/host_vars/paste01.opendev.org.yaml.j2 @@ -0,0 +1,2 @@ +lodgeit_secret_key: secretkey +lodgeit_db_password: password diff --git a/testinfra/test_paste.py b/testinfra/test_paste.py new file mode 100644 index 0000000000..be4fe0c90b --- /dev/null +++ b/testinfra/test_paste.py @@ -0,0 +1,51 @@ +# Copyright 2020 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from selenium import webdriver +from selenium.webdriver.support.ui import WebDriverWait +from selenium.common.exceptions import TimeoutException +import time + +testinfra_hosts = ['paste01.opendev.org'] + + +def test_lodgeit_container_web_listening(host): + paste_http = host.socket("tcp://127.0.0.1:80") + assert paste_http.is_listening + + paste_https = host.socket("tcp://127.0.0.1:443") + assert paste_https.is_listening + +def test_paste(host): + cmd = host.run('curl --insecure ' + '--resolve paste.opendev.org:443:127.0.0.1 ' + 'https://paste.opendev.org') + assert 'New Paste' in cmd.stdout + +def test_paste_screenshots(host): + driver = webdriver.Remote( + command_executor='http://%s:4444/wd/hub' % (host.backend.get_hostname()), + desired_capabilities=webdriver.DesiredCapabilities.FIREFOX) + + try: + driver.get("https://localhost") + WebDriverWait(driver, 30).until(lambda driver: driver.execute_script( + 'return document.readyState') == 'complete') + time.sleep(5) + driver.save_screenshot("/var/log/screenshots/paste-main-page.png") + + except TimeoutException as e: + raise e + finally: + driver.quit() diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml index c68c5f65de..2534644304 100644 --- a/zuul.d/infra-prod.yaml +++ b/zuul.d/infra-prod.yaml @@ -256,6 +256,22 @@ - playbooks/roles/logrotate/ - roles/openafs-client/ +- job: + name: infra-prod-service-paste + parent: infra-prod-service-base + description: Run service-paste.yaml playbook. + vars: + playbook_name: service-paste.yaml + files: + - inventory/ + - playbooks/service-paste.yaml + - inventory/service/host_vars/paste01.opendev.org.yaml + - inventory/service/group_vars/paste + - playbooks/roles/install-docker/ + - playbooks/roles/pip3/ + - playbooks/roles/lodgeit/ + - playbooks/roles/iptables/ + - job: name: infra-prod-service-static parent: infra-prod-service-base diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 24c10445ae..42ceff608c 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -36,6 +36,9 @@ - system-config-run-meetpad - system-config-run-mirror-x86 - system-config-run-mirror-update + - system-config-run-paste: + dependencies: + - name: opendev-buildset-registry - system-config-run-static - system-config-run-docker-registry - system-config-run-etherpad: @@ -165,6 +168,9 @@ - system-config-run-meetpad - system-config-run-mirror-x86 - system-config-run-mirror-update + - system-config-run-paste: + dependencies: + - name: opendev-buildset-registry - system-config-run-static - system-config-run-docker-registry - system-config-run-etherpad: @@ -374,6 +380,7 @@ - infra-prod-service-kerberos - infra-prod-service-mirror-update - infra-prod-service-mirror + - infra-prod-service-paste - infra-prod-service-static - infra-prod-service-borg-backup - infra-prod-service-zookeeper diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml index 5240255426..cd4dabb027 100644 --- a/zuul.d/system-config-run.yaml +++ b/zuul.d/system-config-run.yaml @@ -687,6 +687,37 @@ - playbooks/zuul/templates/group_vars/meetpad.yaml.j2 - testinfra/test_meetpad.py +- job: + name: system-config-run-paste + parent: system-config-run-containers + description: | + Run the playbook for the paste server. + timeout: 3600 + required-projects: + - opendev/system-config + requires: + - lodgeit-container-image + nodeset: + nodes: + - name: bridge.openstack.org + label: ubuntu-bionic + - name: paste01.opendev.org + label: ubuntu-focal + vars: + run_playbooks: + - playbooks/letsencrypt.yaml + - playbooks/service-paste.yaml + run_test_playbook: playbooks/test-paste.yaml + files: + - playbooks/bridge.yaml + - playbooks/letsencrypt.yaml + - playbooks/service-paste.yaml + - playbooks/roles/lodgeit + - playbooks/roles/install-docker/ + - playbooks/roles/pip3/ + - playbooks/test-paste.yaml + - testinfra/test_paste.py + - job: name: system-config-run-zookeeper parent: system-config-run