diff --git a/manifests/site.pp b/manifests/site.pp index fd30153626..2a975191d6 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -289,27 +289,17 @@ node /^elasticsearch\d*\.openstack\.org$/ { } } -# A CentOS machine load balance git access. Will also -# run local cgit and git daemon. +# A CentOS machine to load balance git access. node 'git.openstack.org' { class { 'openstack_project::git': - vhost_name => 'git.openstack.org', sysadmins => hiera('sysadmins'), - git_gerrit_ssh_key => hiera('gerrit_replication_ssh_rsa_pubkey_contents'), - ssl_cert_file_contents => hiera('git_ssl_cert_file_contents'), - ssl_key_file_contents => hiera('git_ssl_key_file_contents'), - ssl_chain_file_contents => hiera('git_ssl_chain_file_contents'), - balance_git => true, - behind_proxy => true, balancer_member_names => [ - 'localhost', 'git01.openstack.org', 'git02.openstack.org', 'git03.openstack.org', 'git04.openstack.org', ], balancer_member_ips => [ - '127.0.0.1', '192.237.218.169', '192.237.217.253', '192.237.218.239', @@ -321,7 +311,7 @@ node 'git.openstack.org' { # CentOS machines to run cgit and git daemon. Will be # load balanced by git.openstack.org. node /^git\d+\.openstack\.org$/ { - class { 'openstack_project::git': + class { 'openstack_project::git_backend': vhost_name => 'git.openstack.org', sysadmins => hiera('sysadmins'), git_gerrit_ssh_key => hiera('gerrit_replication_ssh_rsa_pubkey_contents'), diff --git a/modules/cgit/manifests/init.pp b/modules/cgit/manifests/init.pp index 44fcc7196e..e0a3768d31 100644 --- a/modules/cgit/manifests/init.pp +++ b/modules/cgit/manifests/init.pp @@ -18,7 +18,6 @@ class cgit( $vhost_name = $::fqdn, $serveradmin = "webmaster@${::fqdn}", $cgitdir = '/var/www/cgit', - $daemon_port = '29418', $staticfiles = '/var/www/cgit/static', $ssl_cert_file = '', $ssl_key_file = '', 
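Review bot: In the `node 'git.openstack.org'` block, `balancer_member_names` and `balancer_member_ips` are two separate arrays that only make sense when read pairwise, and nothing on the new side says so. They are handed to the `haproxy::balancermember` resources as `server_names` and `ipaddresses`, so an entry added to or removed from one list alone would presumably shift every later backend onto the wrong address. I would add a comment above the first list such as `# Names and IPs are matched by position; edit both lists together.` The IP list continues past the end of this hunk.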
@@ -26,10 +25,7 @@ class cgit( $ssl_cert_file_contents = '', # If left empty puppet will not create file. $ssl_key_file_contents = '', # If left empty puppet will not create file. $ssl_chain_file_contents = '', # If left empty puppet will not create file. - $balance_git = false, $behind_proxy = false, - $balancer_member_names = [], - $balancer_member_ips = [] ) { include apache @@ -90,10 +86,12 @@ class cgit( if $behind_proxy == true { $http_port = 8080 $https_port = 4443 + $daemon_port = 29418 } else { $http_port = 80 $https_port = 443 + $daemon_port = 9418 } exec { 'cgit_allow_http_port': @@ -162,19 +160,6 @@ class cgit( require => File[$cgitdir], } - file { '/etc/xinetd.d/git': - ensure => present, - owner => 'root', - group => 'root', - mode => '0644', - source => 'puppet:///modules/cgit/git.xinetd', - } - - service { 'xinetd': - ensure => stopped, - subscribe => File['/etc/xinetd.d/git'], - } - file { '/etc/init.d/git-daemon': ensure => present, owner => 'root', 
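Review bot: The port numbers assigned in the `if $behind_proxy == true` branch now have to agree with two other manifests, and the hunk gives no hint of that. `8080`, `4443` and `29418` must equal the `ports` of the `haproxy::balancermember` resources in `openstack_project::git` and the firewall list in `openstack_project::git_backend`, while the `else` branch moves the git daemon to `9418`, which differs from the old parameter default of `'29418'`. A comment above the branch, for example `# Proxied ports must match the balancermember ports in openstack_project::git and the firewall list in openstack_project::git_backend.`, would make the coupling visible. Since `$daemon_port` is no longer a class parameter and is now an integer rather than a string, it is worth checking that whatever consumes it (not visible in this hunk) still renders the same value. The `class cgit` body starts and ends outside the hunk.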
@@ -217,90 +202,4 @@ class cgit( before => Apache::Vhost[$vhost_name], } } - - if $balance_git == true { - class { 'haproxy': - enable => true, - global_options => { - 'log' => '127.0.0.1 local0', - 'chroot' => '/var/lib/haproxy', - 'pidfile' => '/var/run/haproxy.pid', - 'maxconn' => '4000', - 'user' => 'haproxy', - 'group' => 'haproxy', - 'daemon' => '', - 'stats' => 'socket /var/lib/haproxy/stats' - }, - } - # The three listen defines here are what the world will hit. - haproxy::listen { 'balance_git_http': - ipaddress => [$::ipaddress, $::ipaddress6], - ports => ['80'], - mode => 'tcp', - collect_exported => false, - options => { - 'balance' => 'source', - 'option' => [ - 'tcplog', - ], - }, - } - haproxy::listen { 'balance_git_https': - ipaddress => [$::ipaddress, $::ipaddress6], - ports => ['443'], - mode => 'tcp', - collect_exported => false, - options => { - 'balance' => 'source', - 'option' => [ - 'tcplog', - ], - }, - } - haproxy::listen { 'balance_git_daemon': - ipaddress => [$::ipaddress, $::ipaddress6], - ports => ['9418'], - mode => 'tcp', - collect_exported => false, - options => { - 'maxconn' => '32', - 'backlog' => '64', - 'balance' => 'source', - 'option' => [ - 'tcplog', - ], - }, - } - haproxy::balancermember { 'balance_git_http_member': - listening_service => 'balance_git_http', - server_names => $balancer_member_names, - ipaddresses => $balancer_member_ips, - ports => '8080', - } - haproxy::balancermember { 'balance_git_https_member': - listening_service => 'balance_git_https', - server_names => $balancer_member_names, - ipaddresses => $balancer_member_ips, - ports => '4443', - } - haproxy::balancermember { 'balance_git_daemon_member': - listening_service => 'balance_git_daemon', - server_names => $balancer_member_names, - ipaddresses => $balancer_member_ips, - ports => '29418', - options => 'maxqueue 512', - } - - file { '/etc/rsyslog.d/haproxy.conf': - ensure => present, - owner => 'root', - group => 'root', - mode => '0644', - source => 
'puppet:///modules/cgit/rsyslog.haproxy.conf', - } - service { 'rsyslog': - ensure => running, - subscribe => file['/etc/rsyslog.d/haproxy.conf'], - } - } } diff --git a/modules/openstack_project/manifests/git.pp b/modules/openstack_project/manifests/git.pp index a8a33e2e72..a38727d975 100644 --- a/modules/openstack_project/manifests/git.pp +++ b/modules/openstack_project/manifests/git.pp 
@@ -12,125 +12,104 @@ # License for the specific language governing permissions and limitations # under the License. # -# Class to configure cgit on a CentOS node. +# Class to configure haproxy to serve git on a CentOS node. # # == Class: openstack_project::git class openstack_project::git ( - $vhost_name = $::fqdn, $sysadmins = [], - $git_gerrit_ssh_key = '', - $ssl_cert_file_contents = '', - $ssl_key_file_contents = '', - $ssl_chain_file_contents = '', - $balance_git = false, - $behind_proxy = false, $balancer_member_names = [], $balancer_member_ips = [] ) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 4443, 8080, 9418, 29418], + iptables_public_tcp_ports => [80, 443, 9418], sysadmins => $sysadmins, } - include jeepyb - include pip - - class { '::cgit': - vhost_name => $vhost_name, - ssl_cert_file => '/etc/pki/tls/certs/git.openstack.org.pem', - ssl_key_file => '/etc/pki/tls/private/git.openstack.org.key', - ssl_chain_file => '/etc/pki/tls/certs/intermediate.pem', - ssl_cert_file_contents => $ssl_cert_file_contents, - ssl_key_file_contents => $ssl_key_file_contents, - ssl_chain_file_contents => $ssl_chain_file_contents, - balance_git => $balance_git, - behind_proxy => $behind_proxy, - balancer_member_names => $balancer_member_names, - balancer_member_ips => $balancer_member_ips, - } - - # We don't actually use these, but jeepyb requires them. 
- $local_git_dir = '/var/lib/git' - $ssh_project_key = '' - - file { '/etc/cgitrc': - ensure => present, - owner => 'root', - group => 'root', - mode => '0644', - source => 'puppet:///modules/openstack_project/git/cgitrc' - } - - file { '/home/cgit/.ssh/': - ensure => directory, - owner => 'cgit', - group => 'cgit', - mode => '0700', - require => User['cgit'], - } - - file { '/home/cgit/.ssh/authorized_keys': - owner => 'cgit', - group => 'cgit', - mode => '0600', - content => $git_gerrit_ssh_key, - replace => true, - require => File['/home/cgit/.ssh/'] - } - - file { '/home/cgit/projects.yaml': - ensure => present, - owner => 'cgit', - group => 'cgit', - mode => '0444', - content => template('openstack_project/review.projects.yaml.erb'), - replace => true, - } - - exec { 'create_cgitrepos': - command => 'create-cgitrepos', - path => '/bin:/usr/bin:/usr/local/bin', - require => File['/home/cgit/projects.yaml'], - subscribe => File['/home/cgit/projects.yaml'], - refreshonly => true, - } - class { 'selinux': mode => 'enforcing' } - cron { 'mirror_repack': - user => 'cgit', - weekday => '0', - hour => '4', - minute => '7', - command => 'find /var/lib/git/ -type d -name "*.git" -print -exec git --git-dir="{}" repack -afd \; -exec git --git-dir="{}" pack-refs --all \;', - environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin', - require => User['cgit'], + class { 'haproxy': + enable => true, + global_options => { + 'log' => '127.0.0.1 local0', + 'chroot' => '/var/lib/haproxy', + 'pidfile' => '/var/run/haproxy.pid', + 'maxconn' => '4000', + 'user' => 'haproxy', + 'group' => 'haproxy', + 'daemon' => '', + 'stats' => 'socket /var/lib/haproxy/stats' + }, + } + # The three listen defines here are what the world will hit. 
+ haproxy::listen { 'balance_git_http': + ipaddress => [$::ipaddress, $::ipaddress6], + ports => ['80'], + mode => 'tcp', + collect_exported => false, + options => { + 'balance' => 'source', + 'option' => [ + 'tcplog', + ], + }, + } + haproxy::listen { 'balance_git_https': + ipaddress => [$::ipaddress, $::ipaddress6], + ports => ['443'], + mode => 'tcp', + collect_exported => false, + options => { + 'balance' => 'source', + 'option' => [ + 'tcplog', + ], + }, + } + haproxy::listen { 'balance_git_daemon': + ipaddress => [$::ipaddress, $::ipaddress6], + ports => ['9418'], + mode => 'tcp', + collect_exported => false, + options => { + 'maxconn' => '32', + 'backlog' => '64', + 'balance' => 'source', + 'option' => [ + 'tcplog', + ], + }, + } + haproxy::balancermember { 'balance_git_http_member': + listening_service => 'balance_git_http', + server_names => $balancer_member_names, + ipaddresses => $balancer_member_ips, + ports => '8080', + } + haproxy::balancermember { 'balance_git_https_member': + listening_service => 'balance_git_https', + server_names => $balancer_member_names, + ipaddresses => $balancer_member_ips, + ports => '4443', + } + haproxy::balancermember { 'balance_git_daemon_member': + listening_service => 'balance_git_daemon', + server_names => $balancer_member_names, + ipaddresses => $balancer_member_ips, + ports => '29418', + options => 'maxqueue 512', } - file { '/var/www/cgit/static/openstack.png': - ensure => present, - source => 'puppet:///modules/openstack_project/openstack.png', - require => File['/var/www/cgit/static'], + file { '/etc/rsyslog.d/haproxy.conf': + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + source => 'puppet:///modules/cgit/rsyslog.haproxy.conf', } - - file { '/var/www/cgit/static/favicon.ico': - ensure => present, - source => 'puppet:///modules/openstack_project/status/favicon.ico', - require => File['/var/www/cgit/static'], + service { 'rsyslog': + ensure => running, + subscribe => 
file['/etc/rsyslog.d/haproxy.conf'], } - - file { '/var/www/cgit/static/openstack-page-bkg.jpg': - ensure => present, - source => 'puppet:///modules/openstack_project/openstack-page-bkg.jpg', - require => File['/var/www/cgit/static'], - } - - file { '/var/www/cgit/static/openstack.css': - ensure => present, - source => 'puppet:///modules/openstack_project/git/openstack.css', - require => File['/var/www/cgit/static'], - } - } diff --git a/modules/openstack_project/manifests/git_backend.pp b/modules/openstack_project/manifests/git_backend.pp new file mode 100644 index 0000000000..83819a1099 --- /dev/null +++ b/modules/openstack_project/manifests/git_backend.pp 
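Review bot: The `subscribe` on `service { 'rsyslog': ... }` uses a lowercase resource reference, `file['/etc/rsyslog.d/haproxy.conf']`, copied as-is from the block removed from the `cgit` class. Resource references are written with a capitalised type and the lowercase form is deprecated at best, so the line should read `subscribe => File['/etc/rsyslog.d/haproxy.conf'],`. The same file resource still takes its content from `puppet:///modules/cgit/rsyslog.haproxy.conf` even though this class no longer declares `cgit`; moving that file next to the class that uses it would remove the cross-module dependency. With `selinux` set to `enforcing` on this node, it is also worth confirming that haproxy is allowed to bind 9418 and connect out to 8080, 4443 and 29418, since nothing in the hunk arranges that.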
@@ -0,0 +1,130 @@ +# Copyright 2013 Hewlett-Packard Development Company, L.P. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Class to configure cgit on a CentOS node. +# +# == Class: openstack_project::git_backend +class openstack_project::git_backend ( + $vhost_name = $::fqdn, + $sysadmins = [], + $git_gerrit_ssh_key = '', + $ssl_cert_file_contents = '', + $ssl_key_file_contents = '', + $ssl_chain_file_contents = '', + $behind_proxy = false +) { + class { 'openstack_project::server': + iptables_public_tcp_ports => [4443, 8080, 29418], + sysadmins => $sysadmins, + } + + include jeepyb + include pip + + class { '::cgit': + vhost_name => $vhost_name, + ssl_cert_file => '/etc/pki/tls/certs/git.openstack.org.pem', + ssl_key_file => '/etc/pki/tls/private/git.openstack.org.key', + ssl_chain_file => '/etc/pki/tls/certs/intermediate.pem', + ssl_cert_file_contents => $ssl_cert_file_contents, + ssl_key_file_contents => $ssl_key_file_contents, + ssl_chain_file_contents => $ssl_chain_file_contents, + behind_proxy => $behind_proxy, + } + + # We don't actually use these, but jeepyb requires them. 
+ $local_git_dir = '/var/lib/git' + $ssh_project_key = '' + + file { '/etc/cgitrc': + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + source => 'puppet:///modules/openstack_project/git/cgitrc' + } + + file { '/home/cgit/.ssh/': + ensure => directory, + owner => 'cgit', + group => 'cgit', + mode => '0700', + require => User['cgit'], + } + + file { '/home/cgit/.ssh/authorized_keys': + owner => 'cgit', + group => 'cgit', + mode => '0600', + content => $git_gerrit_ssh_key, + replace => true, + require => File['/home/cgit/.ssh/'] + } + + file { '/home/cgit/projects.yaml': + ensure => present, + owner => 'cgit', + group => 'cgit', + mode => '0444', + content => template('openstack_project/review.projects.yaml.erb'), + replace => true, + } + + exec { 'create_cgitrepos': + command => 'create-cgitrepos', + path => '/bin:/usr/bin:/usr/local/bin', + require => File['/home/cgit/projects.yaml'], + subscribe => File['/home/cgit/projects.yaml'], + refreshonly => true, + } + + class { 'selinux': + mode => 'enforcing' + } + + cron { 'mirror_repack': + user => 'cgit', + weekday => '0', + hour => '4', + minute => '7', + command => 'find /var/lib/git/ -type d -name "*.git" -print -exec git --git-dir="{}" repack -afd \; -exec git --git-dir="{}" pack-refs --all \;', + environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin', + require => User['cgit'], + } + + file { '/var/www/cgit/static/openstack.png': + ensure => present, + source => 'puppet:///modules/openstack_project/openstack.png', + require => File['/var/www/cgit/static'], + } + + file { '/var/www/cgit/static/favicon.ico': + ensure => present, + source => 'puppet:///modules/openstack_project/status/favicon.ico', + require => File['/var/www/cgit/static'], + } + + file { '/var/www/cgit/static/openstack-page-bkg.jpg': + ensure => present, + source => 'puppet:///modules/openstack_project/openstack-page-bkg.jpg', + require => File['/var/www/cgit/static'], + } + + file { '/var/www/cgit/static/openstack.css': + 
ensure => present, + source => 'puppet:///modules/openstack_project/git/openstack.css', + require => File['/var/www/cgit/static'], + } + +} diff --git a/modules/openstack_project/manifests/review.pp b/modules/openstack_project/manifests/review.pp index c854ff9333..2735a66103 100644 --- a/modules/openstack_project/manifests/review.pp +++ b/modules/openstack_project/manifests/review.pp @@ -119,13 +119,6 @@ class openstack_project::review ( threads => '4', mirror => true, }, - { - name => 'cgit', - url => 'cgit@git.openstack.org:/var/lib/git/', - replicationDelay => '0', - threads => '4', - mirror => true, - }, { name => 'git01', url => 'cgit@git01.openstack.org:/var/lib/git/',
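Review bot: `iptables_public_tcp_ports => [4443, 8080, 29418]` is fixed to the proxied port set while `$behind_proxy` defaults to `false`, in which case the `cgit` class listens on 80, 443 and 9418 and none of those would be opened. Either derive the list from the flag, e.g. `$public_ports = $behind_proxy ? { true => [4443, 8080, 29418], default => [80, 443, 9418] }`, or drop the parameter and always pass `behind_proxy => true`. Separately, the parameter name suggests these backend ports are open to any source, so a client can reach git01–git04 directly and sidestep the `maxconn`/`backlog` limits haproxy sets for the git daemon. If `openstack_project::server` can restrict a rule by source address, limiting the ports to the balancer would close that path. The class header comment could also state that the node is expected to sit behind `openstack_project::git`.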