Dynamic scoping for variables in ERB templates was removed in puppet
4[1] which means that the variables defined in the
manifest cannot be found when they are referenced in
the httpd::vhost defined type and will be evaluated as nil when
puppet runs. Use the scope object instead to be explicit about the
variable's source. The scope object and scope.lookupvar return :undef
instead of nil if the variable is undefined, and we expect it to
sometimes be undefined, so handle that too.
[1] https://puppet.com/docs/puppet/4.10/lang_updating_manifests.html#dynamic-scoping-in-erb
Change-Id: Ie9d943424aafa5d1d09586dc2cb61441c6d2628b
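An added example, not part of the commit or the module's own templates, of why the `:undef` case in the message above needs explicit handling: in Ruby `:undef` is truthy, so a plain `if` guard in ERB renders the literal text `undef` into the vhost. `FakeScope`, `defined_value?` and the variable name `example::alias` are hypothetical stand-ins; the stub returns `:undef` for unset variables as the commit message describes.

```ruby
require 'erb'

# Hypothetical stand-in for Puppet's scope object (not Puppet's own class).
# Unknown variables come back as :undef, as described in the commit message.
class FakeScope
  def initialize(vars)
    @vars = vars
  end

  def [](name)
    @vars.fetch(name, :undef)
  end

  def lookupvar(name)
    self[name]
  end
end

# True only when the looked-up value is really set: rejects nil, :undef
# and the empty string.
def defined_value?(value)
  !value.nil? && value != :undef && value != ''
end

# Constructed template fragments; 'example::alias' is an illustrative name.
# NAIVE trusts Ruby truthiness, SAFE checks for :undef explicitly.
NAIVE = "<% if scope['example::alias'] %>" \
        "ServerAlias <%= scope['example::alias'] %>\n<% end %>"
SAFE  = "<% if defined_value?(scope.lookupvar('example::alias')) %>" \
        "ServerAlias <%= scope.lookupvar('example::alias') %>\n<% end %>"

# Render a template with `scope` visible to it, as in a Puppet ERB template.
def render(template, scope)
  ERB.new(template).result(binding)
end

unset = FakeScope.new({})
set   = FakeScope.new('example::alias' => 'pad.example.org')

puts render(NAIVE, unset).inspect  # the bogus "ServerAlias undef" line
puts render(SAFE, unset).inspect   # nothing rendered
puts render(SAFE, set).inspect     # the intended directive
```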
The Etherpad API is only useful for authenticated access via the
secret API key, which resides on the server's filesystem. It can
already be accessed from localhost over the nodejs listener socket,
so doesn't need to be reachable through the external Apache proxy.
Refuse connections to it through Apache in an effort to reduce
exposure to future unauthenticated or authentication bypass bugs in
the API implementation.
Change-Id: Ia5cf2f15c21eb397eeb878c81cd3c7a29f5aecbd
Add a service file for later Ubuntu versions. Centralise the logging
into init.pp as it's not as easy to get logs to file from stdout/err
via systemd. Fix up the logrotation while we're there.
Change-Id: I43ea764d070fb44502bda0c845485769dace6ff3
This needs to be a proper url, also our attempt at looking up the var
was not working, just use the same lookup of vhost_name that is used
elsewhere and known to work.
Change-Id: If906f69688bf4412f50fcfafc05861b957ce42a8
Whether to thwart spam or to make more private pads, add support for a very
simple auth mechanism using mod_auth_openid.
Change-Id: Ife0daf670a20afde46516c60f877e1da8026758a
All our puppet projects rely on a Gemfile for tests
to run. This was missing, so add here as well.
Also fix the linter errors that this new Gemfile
addition is causing.
Change-Id: I24143df44c313ea76472649bb9a6fa0ce4536307
You must build additional pylons ... I mean we need more file
descriptors. Set that in upstart directly since it does not respect
limits.conf.
This rewrites the upstart job to be more upstarty so that the limits can
be applied without su undoing the work.
Change-Id: Ibf670f07d75c4ffcf333c971d03c620f839b04d3
Enable the proxy_websocket module.
Correct the ProxyPass directives in use with websockets. The
current versions result in 404 on socket.io.js because they strip
the socket.io component of the path.
Change-Id: I3505b4e9693602ec04baec2487871ce57a6dc7a6
We think Apache may be caching 503 responses (possibly themselves
a result of [1]). Set retry=0 so that we do not cache any failures
and switch to proxypass so that we can set that option.
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=37770
Change-Id: Ibd1087bc8feb288bfb8f66f4e6de61ebe8414233
Updating the robots.txt in the etherpad vcsrepo makes it hard to manage
that repo properly. Solve this by serving the static robots.txt file
directly from apache rather than via etherpad service. Use a mod_rewrite
since we are already using that to set up the proxying.
Change-Id: Iccccf1ef194060490512e6550c22bdb9d3478ba8
This change allows Apache servers with mod_proxy_wstunnel enabled
to pass thru Websocket connections to Etherpad, providing the
browser supports that.
Change-Id: I4f595f456e0d280c6f05958a36552213dd6cf1e2
This can enhance the user experience, as most modern web browsers
are capable of using Websockets.
Due to SocketIO fallback mechanism, if Websocket is not available
the next transport in the list will be used, so this change would
still work like before where Websockets is not possible.
Please note that Apache must be able to pass thru websockets to
the Etherpad nodejs server, the module mod_proxy_wstunnel is
needed for that, but it's only available as a package for
Apache 2.4.
I will create another change for etherpad-dev that adds
that module and sync up with infra root members to upgrade the server
to Trusty (it comes with Apache 2.4, Precise still comes with 2.2).
Change-Id: I30f425f7bf7dfeec1a2128e2caf7253459bccc21
According to https://wiki.apache.org/httpd/CommonMisconfigurations
it is wrong to specify server name in opening tag. ServerName
should be used instead.
Indentations also fixed in some files.
Change-Id: Id9d20a672103221efa01be61a174b62706036e57
It turns out that specifying the ciphers we want to use leads to
breakage. So instead we'll explicitly tell Apache which ciphers
we don't want to use.
Change-Id: I0f8211533495a6a4340c01dadb8069ccf9be429c
The poodle SSLv3 vulnerability is a good reason to stop using SSLv3.
Switch to TLS everywhere in our apache vhost configs.
Change-Id: If7b18174253b6f185e029f97bfa77d8ad4941385
Node was running into stack size limit errors at the Atlanta Juno
Summit. The default value for the stack size limit is 984 kBytes; double
this value to 1968 kBytes to hopefully make etherpad-lite more stable.
Change-Id: Ib644e68689e9f6b1e00cb959ff7cf4e5dc553cf6
The general etherpad_lite module should not contain OpenStack as
a hardcoded title. Parameterize it.
Change-Id: I473720d9566233ab4c8d2081c9835b42ddfcb94e
* manifests/site.pp: Pass new mysql DB variables to
openstack::etherpad*.
* modules/etherpad_lite/manifests/apache.pp: Fix broken /etc/ssl/certs
permissions (0700 -> 0755).
* modules/etherpad_lite/manifests/init.pp: Update default nodejs and
etherpad versions. Remove ep_headings plugin install. New plugin define
should be used for this instead. Stop making the etherpad-lite ref to
checkout optional (defaults to develop). Note these changes are probably
not going to be backward compat.
* modules/etherpad_lite/manifests/plugin.pp: Define to install etherpad
lite plugins.
* modules/etherpad_lite/manifests/site.pp: Simplify DB support and
remove support for the dirty DB type.
* modules/etherpad_lite/templates/etherpad-lite_settings.json.erb: Bring
settings erb up to par with latest template.
* modules/etherpad_lite/templates/etherpadlite.vhost.erb: Update rewrite
rules for new etherpad. Instead of allowing nice pad urls rooted at /
redirect these urls to /p/padname. Etherpad does not deal well with a
change in root path as /p/ is hardcoded in many places.
* modules/openstack_project/manifests/etherpad.pp
* modules/openstack_project/manifests/etherpad_dev.pp:
Update to use new etherpad module setup. MySQL DBs are now externally
managed, pass in needed connection info.
* modules/mysql_backup/manifests/backup_remote.pp: New define to backup
remote DB servers.
* modules/mysql_backup/templates/my.cnf.erb: Template for a my.cnf to be
used by the cron in backup_remote.pp. Allows for easy connectivity from
server using MySQL DB as root.
Change-Id: I1250297674b91e81d59cd28c07c52e09967ca548
Etherpad lite previously attempted to manage its cert files in two
different ways. This created a conflict and puppet would not run
successfully. Remove the old way of managing the cert files.
Change-Id: I9336c6f97d455917f4680bfdfd5543283714fe34
Reviewed-on: https://review.openstack.org/14584
Approved: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
As copied from jenkins. Both old and new names for the
cert contents are in hiera.
Change-Id: Ic6d8258479c260ac37346c49c1ecde8339c96a37
Reviewed-on: https://review.openstack.org/14432
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Also, actually redirect on incorrect hostnames.
Change-Id: I4e0981e45ed119eff02027e90a6a983ddeb6138b
Reviewed-on: https://review.openstack.org/14420
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Paul Belanger <paul.belanger@polybeacon.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
The version of node.js packaged by ubuntu does not seem to play nice
with require-kernel and etherpad-lite. Go back to compiling version
0.6.16 of node.js which is tested and appears to be working.
Change-Id: Ib9bda5d7acbda06561398a0c715b28e46edb531d
Set custom pad.js file to mode 0644. Add nginx config for Etherpad-Lite
to sites-available then symlink to that from sites-enabled. Use Ubuntu
packages for Node.js and NPM instead of building from source (Precise
appears to have fairly recent packages that work).
Change-Id: I752a10ea32b462ef0cc8a5a515dd44c9390a4776
Etherpad lite has changed their source tree slightly. This has
required a few updates to the etherpad lite puppet module. The
custom pad.js needs to go in a different directory and the upstart
conf file needs a couple updated paths.
In addition to the fixes a couple things have been cleaned up. Now
define an etherpadlite.openstack.org node in site.pp and copy SSL
certs from /root/secret-files.
Change-Id: I312b419aa98212b6db68232c672bc4d75f23777f
Part of the work necessary for bug #995248
Puppet module to do a basic install of etherpad-lite. Currently
installs etherpad-lite and node.js. Configures etherpad-lite to use
mysql for its DB backend and sets up nginx to reverse proxy
etherpad-lite.
Change-Id: I3ee1ce4594fcf2a27b520a3ad7a024318f69111a