Merge "Load balance git requests."

install_modules.sh

@@ -27,6 +27,7 @@ MODULES["openstackci-vcsrepo"]="0.0.8"
 
 MODULES["puppetlabs-apache"]="0.0.4"
 MODULES["puppetlabs-apt"]="1.1.0"
+MODULES["puppetlabs-haproxy"]="0.3.0"
 MODULES["puppetlabs-mysql"]="0.5.0"
 MODULES["puppetlabs-postgresql"]="2.3.0"
 MODULES["puppetlabs-stdlib"]="3.2.0"

manifests/site.pp

@@ -289,14 +289,46 @@ node /^elasticsearch\d*\.openstack\.org$/ {
   }
 }
 
-# A CentOS machine to run cgit and git daemon.
+# A CentOS machine load balance git access. Will also
+# run local cgit and git daemon.
 node 'git.openstack.org' {
   class { 'openstack_project::git':
+    vhost_name              => 'git.openstack.org',
     sysadmins               => hiera('sysadmins'),
     git_gerrit_ssh_key      => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
     ssl_cert_file_contents  => hiera('git_ssl_cert_file_contents'),
     ssl_key_file_contents   => hiera('git_ssl_key_file_contents'),
     ssl_chain_file_contents => hiera('git_ssl_chain_file_contents'),
+    balance_git             => true,
+    behind_proxy            => true,
+    balancer_member_names   => [
+      'localhost',
+      'git01.openstack.org',
+      'git02.openstack.org',
+      'git03.openstack.org',
+      'git04.openstack.org',
+    ],
+    balancer_member_ips     => [
+      '127.0.0.1',
+      '192.237.218.169',
+      '192.237.217.253',
+      '192.237.218.239',
+      '192.237.218.34',
+    ],
+  }
+}
+
+# CentOS machines to run cgit and git daemon. Will be
+# load balanced by git.openstack.org.
+node /^git\d+\.openstack\.org$/ {
+  class { 'openstack_project::git':
+    vhost_name              => 'git.openstack.org',
+    sysadmins               => hiera('sysadmins'),
+    git_gerrit_ssh_key      => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
+    ssl_cert_file_contents  => hiera('git_ssl_cert_file_contents'),
+    ssl_key_file_contents   => hiera('git_ssl_key_file_contents'),
+    ssl_chain_file_contents => hiera('git_ssl_chain_file_contents'),
+    behind_proxy            => true,
   }
 }
 

modules/cgit/files/rsyslog.haproxy.conf

@@ -0,0 +1,6 @@
+# Provides UDP syslog reception
+$ModLoad imudp
+$UDPServerRun 514
+
+# Save haproxy messages to haproxy.log
+local0.*  /var/log/haproxy.log

modules/cgit/files/ssl.conf

@@ -1,222 +0,0 @@
-#
-# This is the Apache server configuration file providing SSL support.
-# It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailing information about these 
-# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
-# 
-# Do NOT simply read the instructions in here without understanding
-# what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.  
-#
-
-LoadModule ssl_module modules/mod_ssl.so
-
-#
-# When we also provide SSL we have to listen to the 
-# the HTTPS port in addition.
-#
-Listen 443
-
-##
-##  SSL Global Context
-##
-##  All SSL configuration in this context applies both to
-##  the main server and all SSL-enabled virtual hosts.
-##
-
-#   Pass Phrase Dialog:
-#   Configure the pass phrase gathering process.
-#   The filtering dialog program (`builtin' is a internal
-#   terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog  builtin
-
-#   Inter-Process Session Cache:
-#   Configure the SSL Session Cache: First the mechanism 
-#   to use and second the expiring timeout (in seconds).
-SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
-SSLSessionCacheTimeout  300
-
-#   Semaphore:
-#   Configure the path to the mutual exclusion semaphore the
-#   SSL engine uses internally for inter-process synchronization. 
-SSLMutex default
-
-#   Pseudo Random Number Generator (PRNG):
-#   Configure one or more sources to seed the PRNG of the 
-#   SSL library. The seed data should be of good random quality.
-#   WARNING! On some platforms /dev/random blocks if not enough entropy
-#   is available. This means you then cannot use the /dev/random device
-#   because it would lead to very long connection times (as long as
-#   it requires to make more entropy available). But usually those
-#   platforms additionally provide a /dev/urandom device which doesn't
-#   block. So, if available, use this one instead. Read the mod_ssl User
-#   Manual for more details.
-SSLRandomSeed startup file:/dev/urandom  256
-SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random  512
-#SSLRandomSeed connect file:/dev/random  512
-#SSLRandomSeed connect file:/dev/urandom 512
-
-#
-# Use "SSLCryptoDevice" to enable any supported hardware
-# accelerators. Use "openssl engine -v" to list supported
-# engine names.  NOTE: If you enable an accelerator and the
-# server does not start, consult the error logs and ensure
-# your accelerator is functioning properly. 
-#
-SSLCryptoDevice builtin
-#SSLCryptoDevice ubsec
-
-##
-## SSL Virtual Host Context
-##
-
-<VirtualHost _default_:443>
-
-# General setup for the virtual host, inherited from global configuration
-#DocumentRoot "/var/www/html"
-#ServerName www.example.com:443
-
-# Use separate log files for the SSL virtual host; note that LogLevel
-# is not inherited from httpd.conf.
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
-LogLevel warn
-
-#   SSL Engine Switch:
-#   Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-#   SSL Protocol support:
-# List the enable protocol levels with which clients will be able to
-# connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
-
-#   SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
-
-#   Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate.  If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase.  Note that a kill -HUP will prompt again.  A new
-# certificate can be generated using the genkey(1) command.
-SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-
-#   Server Private Key:
-#   If the key is not combined with the certificate, use this
-#   directive to point at the key file.  Keep in mind that if
-#   you've both a RSA and a DSA private key you can configure
-#   both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-
-#   Server Certificate Chain:
-#   Point SSLCertificateChainFile at a file containing the
-#   concatenation of PEM encoded CA certificates which form the
-#   certificate chain for the server certificate. Alternatively
-#   the referenced file can be the same as SSLCertificateFile
-#   when the CA certificates are directly appended to the server
-#   certificate for convinience.
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-
-#   Certificate Authority (CA):
-#   Set the CA certificate verification path where to find CA
-#   certificates for client authentication or alternatively one
-#   huge file containing all of them (file must be PEM encoded)
-#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
-
-#   Client Authentication (Type):
-#   Client certificate verification type and depth.  Types are
-#   none, optional, require and optional_no_ca.  Depth is a
-#   number which specifies how deeply to verify the certificate
-#   issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth  10
-
-#   Access Control:
-#   With SSLRequire you can do per-directory access control based
-#   on arbitrary complex boolean expressions containing server
-#   variable checks and other lookup directives.  The syntax is a
-#   mixture between C and Perl.  See the mod_ssl documentation
-#   for more details.
-#<Location />
-#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#</Location>
-
-#   SSL Engine Options:
-#   Set various options for the SSL engine.
-#   o FakeBasicAuth:
-#     Translate the client X.509 into a Basic Authorisation.  This means that
-#     the standard Auth/DBMAuth methods can be used for access control.  The
-#     user name is the `one line' version of the client's X.509 certificate.
-#     Note that no password is obtained from the user. Every entry in the user
-#     file needs this password: `xxj31ZMTZzkVA'.
-#   o ExportCertData:
-#     This exports two additional environment variables: SSL_CLIENT_CERT and
-#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-#     server (always existing) and the client (only existing when client
-#     authentication is used). This can be used to import the certificates
-#     into CGI scripts.
-#   o StdEnvVars:
-#     This exports the standard SSL/TLS related `SSL_*' environment variables.
-#     Per default this exportation is switched off for performance reasons,
-#     because the extraction step is an expensive operation and is usually
-#     useless for serving static content. So one usually enables the
-#     exportation for CGI and SSI requests only.
-#   o StrictRequire:
-#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-#     under a "Satisfy any" situation, i.e. when it applies access is denied
-#     and no other module can change it.
-#   o OptRenegotiate:
-#     This enables optimized SSL connection renegotiation handling when SSL
-#     directives are used in per-directory context. 
-#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
-    SSLOptions +StdEnvVars
-</Files>
-<Directory "/var/www/cgi-bin">
-    SSLOptions +StdEnvVars
-</Directory>
-
-#   SSL Protocol Adjustments:
-#   The safe and default but still SSL/TLS standard compliant shutdown
-#   approach is that mod_ssl sends the close notify alert but doesn't wait for
-#   the close notify alert from client. When you need a different shutdown
-#   approach you can use one of the following variables:
-#   o ssl-unclean-shutdown:
-#     This forces an unclean shutdown when the connection is closed, i.e. no
-#     SSL close notify alert is send or allowed to received.  This violates
-#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
-#     this when you receive I/O errors because of the standard approach where
-#     mod_ssl sends the close notify alert.
-#   o ssl-accurate-shutdown:
-#     This forces an accurate shutdown when the connection is closed, i.e. a
-#     SSL close notify alert is send and mod_ssl waits for the close notify
-#     alert of the client. This is 100% SSL/TLS standard compliant, but in
-#     practice often causes hanging connections with brain-dead browsers. Use
-#     this only for browsers where you know that their SSL implementation
-#     works correctly. 
-#   Notice: Most problems of broken clients are also related to the HTTP
-#   keep-alive facility, so you usually additionally want to disable
-#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
-#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
-#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-#   "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
-         nokeepalive ssl-unclean-shutdown \
-         downgrade-1.0 force-response-1.0
-
-#   Per-Server Logging:
-#   The home of a custom SSL log file. Use this when you want a
-#   compact non-error SSL logfile on a virtual host basis.
-CustomLog logs/ssl_request_log \
-          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-</VirtualHost>                                  
-

modules/cgit/manifests/init.pp

@@ -26,6 +26,10 @@ class cgit(
   $ssl_cert_file_contents = '', # If left empty puppet will not create file.
   $ssl_key_file_contents = '', # If left empty puppet will not create file.
   $ssl_chain_file_contents = '', # If left empty puppet will not create file.
+  $balance_git = false,
+  $behind_proxy = false,
+  $balancer_member_names = [],
+  $balancer_member_ips = []
 ) {
 
   include apache
@@ -78,13 +82,59 @@ class cgit(
     value      => on
   }
 
+  package { 'policycoreutils-python':
+    ensure => present,
+  }
+
+  if $behind_proxy == true {
+    $http_port = 8080
+    $https_port = 4443
+  }
+  else {
+    $http_port = 80
+    $https_port = 443
+  }
+
+  exec { 'cgit_allow_http_port':
+    # If we cannot add the rule modify the existing rule.
+    onlyif      => "bash -c \'! semanage port -a -t http_port_t -p tcp ${http_port}\'",
+    command     => "semanage port -m -t http_port_t -p tcp ${http_port}",
+    path        => '/bin:/usr/sbin',
+    before      => Service['httpd'],
+    require     => Package['policycoreutils-python'],
+    subscribe   => File['/etc/httpd/conf/httpd.conf'],
+    refreshonly => true,
+  }
+
+  exec { 'cgit_allow_https_port':
+    # If we cannot add the rule modify the existing rule.
+    onlyif      => "bash -c \'! semanage port -a -t http_port_t -p tcp ${https_port}\'",
+    command     => "semanage port -m -t http_port_t -p tcp ${https_port}",
+    path        => '/bin:/usr/sbin',
+    require     => Package['policycoreutils-python'],
+    subscribe   => File['/etc/httpd/conf.d/ssl.conf'],
+    refreshonly => true,
+  }
+
   apache::vhost { $vhost_name:
-    port     => 443,
+    port     => $https_port,
     docroot  => 'MEANINGLESS ARGUMENT',
     priority => '50',
     template => 'cgit/git.vhost.erb',
     ssl      => true,
-    require  => [ File[$staticfiles], Package['cgit'] ],
+    require  => [
+      File[$staticfiles],
+      Package['cgit'],
+    ],
+  }
+
+  file { '/etc/httpd/conf/httpd.conf':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('cgit/httpd.conf.erb'),
+    require => Package['httpd'],
   }
 
   file { '/etc/httpd/conf.d/ssl.conf':
@@ -92,7 +142,7 @@ class cgit(
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
-    source  => 'puppet:///modules/cgit/ssl.conf',
+    content => template('cgit/ssl.conf.erb'),
     require => Package['mod_ssl'],
   }
 
@@ -166,4 +216,87 @@ class cgit(
       before  => Apache::Vhost[$vhost_name],
     }
   }
+
+  if $balance_git == true {
+    class { 'haproxy':
+      enable         => true,
+      global_options => {
+        'log'     => '127.0.0.1 local0',
+        'chroot'  => '/var/lib/haproxy',
+        'pidfile' => '/var/run/haproxy.pid',
+        'maxconn' => '4000',
+        'user'    => 'haproxy',
+        'group'   => 'haproxy',
+        'daemon'  => '',
+        'stats'   => 'socket /var/lib/haproxy/stats'
+      },
+    }
+    # The three listen defines here are what the world will hit.
+    haproxy::listen { 'balance_git_http':
+      ipaddress        => [$::ipaddress, $::ipaddress6],
+      ports            => ['80'],
+      mode             => 'tcp',
+      collect_exported => false,
+      options          => {
+        'option'   => [
+          'tcplog',
+        ],
+      },
+    }
+    haproxy::listen { 'balance_git_https':
+      ipaddress        => [$::ipaddress, $::ipaddress6],
+      ports            => ['443'],
+      mode             => 'tcp',
+      collect_exported => false,
+      options          => {
+        'option'  => [
+          'tcplog',
+        ],
+      },
+    }
+    haproxy::listen { 'balance_git_daemon':
+      ipaddress        => [$::ipaddress, $::ipaddress6],
+      ports            => ['9418'],
+      mode             => 'tcp',
+      collect_exported => false,
+      options          => {
+        'maxconn'  => '32',
+        'backlog'  => '64',
+        'option'   => [
+          'tcplog',
+        ],
+      },
+    }
+    haproxy::balancermember { 'balance_git_http_member':
+      listening_service => 'balance_git_http',
+      server_names      => $balancer_member_names,
+      ipaddresses       => $balancer_member_ips,
+      ports             => '8080',
+    }
+    haproxy::balancermember { 'balance_git_https_member':
+      listening_service => 'balance_git_https',
+      server_names      => $balancer_member_names,
+      ipaddresses       => $balancer_member_ips,
+      ports             => '4443',
+    }
+    haproxy::balancermember { 'balance_git_daemon_member':
+      listening_service => 'balance_git_daemon',
+      server_names      => $balancer_member_names,
+      ipaddresses       => $balancer_member_ips,
+      ports             => '29418',
+      options           => 'maxqueue 512',
+    }
+
+    file { '/etc/rsyslog.d/haproxy.conf':
+      ensure => present,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0644',
+      source => 'puppet:///modules/cgit/rsyslog.haproxy.conf',
+    }
+    service { 'rsyslog':
+      ensure    => running,
+      subscribe => file['/etc/rsyslog.d/haproxy.conf'],
+    }
+  }
 }

modules/cgit/templates/git.vhost.erb

@@ -1,18 +1,28 @@
-<VirtualHost <%= scope.lookupvar("cgit::vhost_name") %>:80>
+<VirtualHost *:<%= scope.lookupvar("cgit::http_port") %>>
   ServerName <%= scope.lookupvar("cgit::vhost_name") %>
   ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
 
+  Alias /cgit-data /usr/share/cgit
+  ScriptAlias /cgit /var/www/cgi-bin/cgit
+  Alias /static <%= scope.lookupvar("cgit::staticfiles") %>
+  RewriteEngine On
+  RewriteRule ^/$ /cgit [R]
+
+  SetEnv GIT_PROJECT_ROOT /var/lib/git/
+  SetEnv GIT_HTTP_EXPORT_ALL
+
+  AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/lib/git/$1
+  AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/lib/git/$1
+  ScriptAlias / /usr/libexec/git-core/git-http-backend/
+
   ErrorLog /var/log/httpd/git-error.log
 
   LogLevel warn
 
   CustomLog /var/log/httpd/git-access.log combined
-
-  Redirect / https://<%= scope.lookupvar("cgit::vhost_name") %>/
-
 </VirtualHost>
 
-<VirtualHost <%= scope.lookupvar("cgit::vhost_name") %>:443>
+<VirtualHost *:<%= scope.lookupvar("cgit::https_port") %>>
   ServerName <%= scope.lookupvar("cgit::vhost_name") %>
   ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
 

modules/cgit/templates/ssl.conf.erb

@@ -0,0 +1,68 @@
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these 
+# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
+# 
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.  
+#
+
+LoadModule ssl_module modules/mod_ssl.so
+
+#
+# When we also provide SSL we have to listen to the 
+# the HTTPS port in addition.
+#
+Listen <%= scope.lookupvar("cgit::https_port") %>
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog  builtin
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout  300
+
+#   Semaphore:
+#   Configure the path to the mutual exclusion semaphore the
+#   SSL engine uses internally for inter-process synchronization. 
+SSLMutex default
+
+#   Pseudo Random Number Generator (PRNG):
+#   Configure one or more sources to seed the PRNG of the 
+#   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec

modules/openstack_project/manifests/git.pp

@@ -16,14 +16,19 @@
 #
 # == Class: openstack_project::git
 class openstack_project::git (
+  $vhost_name = $::fqdn,
   $sysadmins = [],
   $git_gerrit_ssh_key = '',
   $ssl_cert_file_contents = '',
   $ssl_key_file_contents = '',
   $ssl_chain_file_contents = '',
+  $balance_git = false,
+  $behind_proxy = false,
+  $balancer_member_names = [],
+  $balancer_member_ips = []
 ) {
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 9418],
+    iptables_public_tcp_ports => [80, 443, 4443, 8080, 9418, 29418],
     sysadmins                 => $sysadmins,
   }
 
@@ -31,12 +36,17 @@ class openstack_project::git (
   include pip
 
   class { '::cgit':
+    vhost_name              => $vhost_name,
     ssl_cert_file           => '/etc/pki/tls/certs/git.openstack.org.pem',
     ssl_key_file            => '/etc/pki/tls/private/git.openstack.org.key',
     ssl_chain_file          => '/etc/pki/tls/certs/intermediate.pem',
     ssl_cert_file_contents  => $ssl_cert_file_contents,
     ssl_key_file_contents   => $ssl_key_file_contents,
     ssl_chain_file_contents => $ssl_chain_file_contents,
+    balance_git             => $balance_git,
+    behind_proxy            => $behind_proxy,
+    balancer_member_names   => $balancer_member_names,
+    balancer_member_ips     => $balancer_member_ips,
   }
 
   # We don't actually use these, but jeepyb requires them.