Commit Graph

112 Commits

Author SHA1 Message Date
Monty Taylor ff8acfb6b4 Retire repo
Depends-On: https://review.opendev.org/720892
Change-Id: I7b36dd190fba304ce19ba5fa2fb994504f1368cc
2020-04-22 10:18:52 -05:00
OpenDev Sysadmins c418e8dd2a OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:26:04 +00:00
Ian Wienand ff79f6a790 Replace openstack.org git:// URLs with https://
This is a mechanically generated change to replace openstack.org
git:// URLs with https:// equivalents.

This is in aid of a planned future move of the git hosting
infrastructure to a self-hosted instance of gitea (https://gitea.io),
which does not support the git wire protocol at this stage.

This update should result in no functional change.

For more information see the thread at

 http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003825.html

Change-Id: I8f5c94b34373cb0cc7696e0a19168db186e8164e
2019-03-24 20:35:37 +00:00
Zuul 2e7c29b248 Merge "Update Gemfile for Zuulv3" 2018-10-16 19:49:18 +00:00
Zuul e9b3c8f2d9 Merge "Filter out link-local ipv6 address in loadbalancer" 2018-10-16 19:44:40 +00:00
Colleen Murphy 7fe0c1eaee Filter out link-local ipv6 address in loadbalancer
On puppet 3, which uses facter 2, the $::ipaddress6 fact explicitly
filters out all link-local address[1]. On puppet 4, which uses facter 3,
the $::ipaddress6 fact only removes the link-local address if can find a
better one[2]. The beaker tests reveal that haproxy won't bind to the
ipv6 local address and will fail to start, with errors like:

  Starting proxy balance_git_daemon: cannot bind socket [fe80::5054:ff:fec5:7095:9418]

This matters in CI test cases where the test nodes don't have real ipv6
addresses.

This patch restores the puppet 3 behavior of ignoring the ipv6 address if
it's a link-local address.

[1] https://github.com/puppetlabs/facter/blob/2.x/lib/facter/ipaddress6.rb#L31
[2] https://docs.puppet.com/facter/3.1/release_notes.html#regression-fix-avoid-reporting-link-local-ipv6-addresses-if-a-valid-address-is-available

Change-Id: I481403a3a988211effd22c8524171379aea9ccf9
2018-10-15 20:03:31 +02:00
Zuul 8f321d3283 Merge "Use httpd::vhost $content parameter" 2018-07-20 18:15:50 +00:00
Zuul 0a0926db08 Merge "Add beaker check of vhost template" 2018-07-20 18:15:49 +00:00
Zuul 3c5cae109d Merge "Add order to cgit package" 2018-06-19 23:12:16 +00:00
Colleen Murphy 542b65f419 Update Gemfile for Zuulv3
The logic in the Gemfile was relying on Zuulv2 variables to find out
whether the spec helper gem was already available on disk, and since
Zuulv3 has changed things it was failing to find it and downloading the
master version instead. This patch ensures the Gemfile looks for the gem
in the right place when running in CI.

Change-Id: I353507114874a03fe7b11599e1186bca31fb2e3f
Depends-On: https://review.openstack.org/481943
Depends-On: https://review.openstack.org/575698
Depends-On: https://review.openstack.org/570825
Depends-On: https://review.openstack.org/575852
Depends-On: https://review.openstack.org/576262
2018-06-18 22:42:06 +02:00
Colleen Murphy f373b00bbc Add order to cgit package
The httpd module uses the file resource with the purge option to clear
out the httpd conf directory. On puppet 4, the resource ordering
algorithm changed such that the directory purge happens before the cgit
RPM adds a config file there, which means on the next puppet run it
purges it again and bounces the service again. This cause the
idempotency test in beaker to fail.

This patch adds an ordering parameter to ensure that the cgit package is
installed before the httpd class runs so that it doesn't have to clear
out the httpd config directory twice. Since puppet 4 more or less tries
to order resources in the order they appear, also swap the package
resourcs and httpd class just to make it clear what order things should
be in.

Change-Id: I813f6e9f82d3b44b1d38fb5773c5bd6160f58b78
2018-06-15 23:19:19 +02:00
Colleen Murphy d88bae6fdf Use httpd::vhost $content parameter
Use the new $content parameter of httpd::vhost instead of $template.
This way, the template gets rendered within the scope where it assumes
its variables are, and doesn't need to use the scope object which
doesn't work within a defined type. This will ensure the template keeps
working on puppet 4.

Depends-On: https://review.openstack.org/570824
Change-Id: I8458c930e48c4c0b60e9b4cadd528a2dc899bb7d
2018-06-06 22:44:44 +02:00
Colleen Murphy 74019b2d87 Add beaker check of vhost template
A subsequent patch will change how the the cgit apache vhost will be
defined, so add tests now to ensure that the future change produces
identical config files.

Change-Id: Ib8c1c3c63b52a6ea90bf25222fe0dba6936409da
2018-06-06 22:44:34 +02:00
Clark Boylan a44b818c21 Reduce vhost priority on default site
Multiple vhosts with ssl/tls requires clients support SNI. Unfortunately
older python2 does not. There are workarounds but in an attempt to
influence vhost ordering for non SNI clients reduce the default vhost
priority on the default site vhost.

Change-Id: If0b6dc5f5647f8da48711c740ada4729283f74dc
2018-05-29 15:08:58 -07:00
James E. Blair 55c432baf6 Separate cgit cache by vhost
If they share the same cache, they may cross-serve data.

Change-Id: I78dcea50237c5f613133b4823be5e6ca30c425a8
2018-03-27 16:02:59 -07:00
James E. Blair 48cef6aba7 Fix erroneous serveraliases entry
The current code creates a ServerAliases line even if the variable
is nil.  Correct that.

Also, fix a missed cgit:: scope reference.

Create distinct log files for each vhost, and also separate out
http/https logs.

Change-Id: Id03c72ece93350b26586490757cd50dd3d791c0d
2018-03-27 14:16:04 -07:00
James E. Blair 53d3dad0ca Support multiple git sites
Story: 2001382
Task: 6092
Change-Id: I8a2e209cc550bb6b1f494efbd3cb54fde73642c6
2018-03-26 09:34:24 -07:00
Colleen Murphy e6cac2e1b8 Depend on helper gem for spec_helper_acceptance
Instead of keeping a local copy of spec_helper_acceptance.rb and
requiring updates to all modules for any change, we can move it into the
common helper gem and require it from there. This will make it easier to
create and review changes that affect all puppet modules. Also change
the Gemfile to look for the gem in the local workspace if running in a
zuul environment.

Change-Id: If86144ecaf206ada80aebae350504c0d51495dff
2017-08-18 10:41:43 +02:00
Paul Belanger bb94079737 Add bindep.txt file
Bindep is a tool for checking the presence of binary packages needed
to use an application / library. It started life as a way to make it
easier to set up a development environment for OpenStack projects.

Change-Id: I609c84ff223c3b02f0c0aa5747333e843e12609e
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-05-04 15:03:34 +00:00
Colleen Murphy dc21150f8b Fix beaker
Since the beaker jobs are being run on xenial, we need a special nodeset
for it, otherwise beaker gives an error:

 beaker-hostgenerator was not able to use this value as input.
 Exiting with an Error.

We also want to install puppet from the Ubuntu repos rather than from
puppetlabs, since puppetlabs doesn't support puppet 3 for Xenial. For
centos we can keep the install process the same.

Finally, since the epel repo is now disabled by default on nodepool
nodes, make sure it's enabled in the package resource.

Change-Id: Ifd2244ae9dd212b2475f9cd6adb994bc058a4769
2017-05-03 20:34:05 +02:00
Spencer Krum 1a6b22ab7c Use new infra_spec_helper for gem dependencies
Change-Id: Icb9e6e7896c7205158f74f5798492220b9b94eef
2016-06-21 18:37:52 -07:00
Spencer Krum cb1e4dec82 Pin google-api-client; sanitize Gemfile
Change-Id: I078a8bcb3db04c399f8a903e69edd7c1cc70bc92
2016-04-14 15:17:37 -07:00
Andrey Nikitin 0cbe4bfd8e Order of the classes parameters is refactored
Order and intendation of those parameters are changed
to follow Puppet Style Guide recommendation [0].
Moreover, it will allow to an user to find much faster
a variable in a list of variables.

[0]. https://docs.puppetlabs.com/guides/style_guide.html

Change-Id: Icbf7252eae21f413290fcc80384ed3b71086bffa
2016-03-22 12:21:35 +03:00
Jenkins 0c3f449706 Merge "Fix logic in selinux execs" 2015-11-18 00:18:12 +00:00
Jenkins 76fc19c545 Merge "Allow to parameterize haproxy options" 2015-11-15 14:30:47 +00:00
Jenkins baa7fbf7cb Merge "Remove selinux from lb class, needs to be at higher level" 2015-11-15 14:25:07 +00:00
Jenkins db5ac675f2 Merge "Fix selinux tests" 2015-11-03 07:51:37 +00:00
Colleen Murphy 08457a8e9e Fix logic in selinux execs
Without this patch, the logic for managing selinux rules faces two
problems:

1. The use of the refreshonly is problematic. If for whatever reason
   the semanage command fails or is not executed in the course of a puppet
   run, a second puppet run can only fix the selinux problem if it is also
   changing the state of the file resource to which the exec is
   subscribed. If there is no change made to that file, puppet will not
   attempt to re-execute the semanage command and the rule will remain
   broken but unreported.

2. Using a system-modifying command as a value to the onlyif or unless
   parameters is bad practice. If the command in the onlyif fails (or
   if the command in the unless succeeds), the command in the command
   parameter will not be executed so puppet will report no changes,
   even though a change has occurred. The onlyif or unless parameters
   are intended to examine the state of the system to determine whether
   an action is needed, never to modify the system.

This patch removes the refreshonly parameters from the execs in
cgit::selinux in order to fix problem 1. This alone exacerbates problem
2 because when the exec is not tied to a file resource it always fails
to add the port after the first time, and so reports modifying the port
on every run. To fix this, this patch changes the onlyif to an unless
that examines whether the desired rule exists, and if not first tries
to add the port and then to modify the port if the port was already
added.

Change-Id: I98fa561b5367cd5fe11ff61479aa8b899db07a5a
Depends-On: I9d359b3fc71c7a83b6094f7ee535ab8418f20468
Depends-On: Iaa9c8cda7a2eae904eb8f25cfa33be249b2b4cab
2015-10-14 21:13:37 -07:00
Colleen Murphy 379d5890d6 Fix selinux tests
If things are working correctly, then there may only be one port number
for a given port type, so it may not be part of a comma-separated list.
This patch relaxes the tests to allow a single port number instead of
strictly a comma-separated list in the output of `semanage port -l`.

Change-Id: Iaa9c8cda7a2eae904eb8f25cfa33be249b2b4cab
2015-10-14 21:13:11 -07:00
Yolanda Robla 546dc76865 Add symlink on local git directory
We need that for zuul to properly fetch references
with /p/ path

Change-Id: If5cda9d3924cc4577d9a44e8cac6fef63cc4d17d
2015-10-06 20:06:14 +00:00
Jenkins fc3c6089f9 Merge "Add tests for selinux" 2015-10-02 07:43:24 +00:00
Jenkins 1d272b5504 Merge "Fix git-daemon refresh logic" 2015-10-01 18:11:11 +00:00
Jenkins b25d8c228d Merge "Move test assertions closer to apply." 2015-09-29 20:01:49 +00:00
Jenkins 0b792ee258 Merge "Do not execute selinux commands if policy disabled" 2015-09-29 19:01:52 +00:00
Colleen Murphy ecfe7841f6 Add tests for selinux
These tests ensure that selinux is set up properly for the basic case
as well as for when behind_proxy is set and higher ports are used.

Change-Id: I9d359b3fc71c7a83b6094f7ee535ab8418f20468
Depends-On: Ia985dad81a95130ea55bb6479632375ac4ea6d24
2015-09-25 14:04:03 -07:00
Colleen Murphy 9800f44a41 Fix git-daemon refresh logic
Without this patch, the git-daemon init script file resource subscribes
to the systemd git-daemon socket file resource, and the exec that adds
or updates the git-daemon selinux port subscribes to changes in the
init script. The logic is broken here because a file resource cannot
subscribe to anything, only services and execs can subscribe to an
event. If the selinux exec needs to run again, for instance because the
git-daemon port has changed, it must wait for a change in the init
script. Since the init script is built from a static file and not a
template, it won't change if the git-daemon port changes, so the
selinux exec will not run.

This patch adds another subscribe relationship to the git-daemon
selinux exec on the git-daemon socket because if that changes, the
git-daemon exec needs to run again. We also replace the subscribe in
the init script resource with a require, which is a no-op change but
makes the relationship more clear.

Change-Id: Ia985dad81a95130ea55bb6479632375ac4ea6d24
2015-09-25 13:34:28 -07:00
Bruno Tavares d62bb692ad Move test assertions closer to apply.
As discussed on another project patches when introducing tests[1], we
would like to keep the tests closer to the where we apply the spec.

This change makes the testing structure consistent to the feedback given
on puppet-bandersnatch discussion.

[1] https://review.openstack.org/#/c/221941/

Change-Id: I12b50747b9a8e40fe76af25f54b734f6239ff425
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
2015-09-24 20:41:47 -03:00
Glauco Oliveira 6c36488c23 Add acceptance tests for puppet-cgit
Add acceptance tests for puppet-cgit module so that once the module is
applied we check if files were created, packages were installed and
services were started.

Co-Authored-By: Bruno Tavares <btavare@thoughtworks.com>
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>

Change-Id: I8d12999b6d91f1ab67fa16d6bbd8bc1d2efa3a05
2015-09-15 16:39:47 -03:00
Glauco Oliveira 507f36a98c Fix loadbalancer manifest to be able to apply.
There were two outstanding errors preventing us from applying this
manifest:
- It was assuming you always have a non-loopback network interface
configured to use IPv6
- It was assuming the service rsyslog was already defined

Our patch fixed these two problems allowing you to apply the script.

Change-Id: Ie2c2d6ec9740a1d57b0b82e431ad2161c2940a80
Co-Authored-By: Bruno Tavares <btavare@thoughtworks.com>
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
2015-09-14 14:38:47 -03:00
Yolanda Robla 2cd24e6b49 Remove selinux from lb class, needs to be at higher level
It is really optional and should not be enforced into
load balancer class. Instead of that, we need to manage
that on manifests calling it. So we give more flexibility
on the usage of this module, and avoid problems of selinux
duplications if co-locating services.

Change-Id: I35cc13ba0c0449a580720cf7b72eb3c7243b4d0d
2015-09-14 17:03:58 +00:00
Jenkins 3e5cc48a3a Merge "Do not send not existing values to haproxy" 2015-09-14 16:54:05 +00:00
Timothy Chavez 5e368973fe Do not execute selinux commands if policy disabled
If the system running cgit has disabled selinux, cgit should not attempt
to run any selinux commands to prevent puppet apply from failing.

Change-Id: I21add092d9d09077f2b23760a384f5a5cb91d86a
2015-09-10 13:37:03 -05:00
Clark Boylan dc7e58943d Use systemd'd git-daemon on Centos7
Centos7 is a bit more opinionated on how git-daemon should run. In
particular with selinux the git_system_t context does not have
permissions to the git_port_t port(s) because systemd is expected to do
socket activation for git-daemon.

Fix this by not fighting systemd and embracing it. Use it for socket
activation with the git-daemon process and potentially add the git
daemon port to git_port_t label if necessary.

Change-Id: Id3fadfa74261649d158f4f31879f74f83d5856a8
2015-08-28 09:31:37 -07:00
Yolanda Robla 0ae79e0106 New Updated config for CentOS 7 and Apache 2.4
This patch takes the original which was reverted and
adds mod_version which is needed to parse IfVersion if
on a Debian system.

When using puppet-cgit under CentOS 7, apache
fails because the config file is not working
in Apache 2.4 version.
Also, as CentOS 7 is starting apache on systemd,
it needs to load the systemd apache config under
conf.modules.d.

Original Patch: I7e0d51ee176c4f27721c16afeaae120eb8edf7ab

Change-Id: If3acc672ccd85b5704a2120379b60cb95528b7f7
Co-Authored-By: Yolanda Robla <yolanda.robla-mota@hp.com>
Co-Authored-By: Nicola Heald <nicola.heald@hp.com>
2015-08-27 14:34:32 -07:00
Yolanda Robla 7bff933fbe Allow to parameterize haproxy options
The default values for haproxy now are the
same as openstack-infra is using, that are considered
as sane defaults.

Change-Id: Ie130b5910b2c3559bdc63376446eed4a3f1b5749
2015-08-24 06:21:47 +00:00
Yolanda Robla e9c8674989 Do not send not existing values to haproxy
If facter is not providing values for ipaddress or
ipaddress6, it's causing rules with undef content
to be created into haproxy.cfg
So check if these settings have a defined value
before adding that to the manifest.

Change-Id: I18256fe5aaf71626ea458a0a3d949f8adea5d72c
2015-08-24 08:20:23 +02:00
Jenkins ddb501e501 Merge "Add cgit::ssh class to manage git over ssh" 2015-08-20 07:16:48 +00:00
Colleen Murphy 101df6f424 Fix git clone for local test runs
When running in CI, zuul-cloner clones repos to namespaced directories,
e.g. openstack-infra/puppet-cgit/. When running regular git clone, by
default it clones directly into the present working directory, e.g.
puppet-cgit/. This makes the relative directory inconsistent between
developer-run tests and CI jobs. This patch fixes the issue by telling
git clone to clone into the same directory that zuul-cloner would clone
it to.

Change-Id: I30ef38cda3420efc8834342298441e0733f0fb99
2015-08-11 19:21:25 -07:00
Colleen Murphy df927cacf9 Add beaker-rspec gem to Gemfile
In 3f1f51 we added most of the boilerplate needed to run beaker-rspec
tests, but we still need the beaker-rspec gem itself. This patch adds
the gem to the Gemfile and reorganizes the Gemfile following
puppet-openstackci's model.

Change-Id: Ifc1ee3c62693680c425f0ca7962f9a716e16ce11
2015-08-11 19:21:17 -07:00
Jenkins 4ab3347998 Merge "Add Gemfile and puppet 4 checks" 2015-08-09 02:51:40 +00:00