This is a mechanically generated change to replace openstack.org
git:// URLs with https:// equivalents.
This is in aid of a planned future move of the git hosting
infrastructure to a self-hosted instance of gitea (https://gitea.io),
which does not support the git wire protocol at this stage.
This update should result in no functional change.
For more information see the thread at
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003825.html
Change-Id: I8f5c94b34373cb0cc7696e0a19168db186e8164e
On puppet 3, which uses facter 2, the $::ipaddress6 fact explicitly
filters out all link-local addresses[1]. On puppet 4, which uses facter 3,
the $::ipaddress6 fact only removes the link-local address if it can find a
better one[2]. The beaker tests reveal that haproxy won't bind to the
ipv6 local address and will fail to start, with errors like:
Starting proxy balance_git_daemon: cannot bind socket [fe80::5054:ff:fec5:7095:9418]
This matters in CI test cases where the test nodes don't have real ipv6
addresses.
This patch restores the puppet 3 behavior of ignoring the ipv6 address if
it's a link-local address.
[1] https://github.com/puppetlabs/facter/blob/2.x/lib/facter/ipaddress6.rb#L31
[2] https://docs.puppet.com/facter/3.1/release_notes.html#regression-fix-avoid-reporting-link-local-ipv6-addresses-if-a-valid-address-is-available
Change-Id: I481403a3a988211effd22c8524171379aea9ccf9
The httpd module uses the file resource with the purge option to clear
out the httpd conf directory. On puppet 4, the resource ordering
algorithm changed such that the directory purge happens before the cgit
RPM adds a config file there, which means on the next puppet run it
purges it again and bounces the service again. This causes the
idempotency test in beaker to fail.
This patch adds an ordering parameter to ensure that the cgit package is
installed before the httpd class runs so that it doesn't have to clear
out the httpd config directory twice. Since puppet 4 more or less tries
to order resources in the order they appear, also swap the package
resources and httpd class just to make it clear what order things should
be in.
Change-Id: I813f6e9f82d3b44b1d38fb5773c5bd6160f58b78
Use the new $content parameter of httpd::vhost instead of $template.
This way, the template gets rendered within the scope where it assumes
its variables are, and doesn't need to use the scope object which
doesn't work within a defined type. This will ensure the template keeps
working on puppet 4.
Depends-On: https://review.openstack.org/570824
Change-Id: I8458c930e48c4c0b60e9b4cadd528a2dc899bb7d
A subsequent patch will change how the cgit apache vhost will be
defined, so add tests now to ensure that the future change produces
identical config files.
Change-Id: Ib8c1c3c63b52a6ea90bf25222fe0dba6936409da
Multiple vhosts with ssl/tls requires clients support SNI. Unfortunately
older python2 does not. There are workarounds but in an attempt to
influence vhost ordering for non SNI clients reduce the default vhost
priority on the default site vhost.
Change-Id: If0b6dc5f5647f8da48711c740ada4729283f74dc
The current code creates a ServerAliases line even if the variable
is nil. Correct that.
Also, fix a missed cgit:: scope reference.
Create distinct log files for each vhost, and also separate out
http/https logs.
Change-Id: Id03c72ece93350b26586490757cd50dd3d791c0d
Instead of keeping a local copy of spec_helper_acceptance.rb and
requiring updates to all modules for any change, we can move it into the
common helper gem and require it from there. This will make it easier to
create and review changes that affect all puppet modules. Also change
the Gemfile to look for the gem in the local workspace if running in a
zuul environment.
Change-Id: If86144ecaf206ada80aebae350504c0d51495dff
Bindep is a tool for checking the presence of binary packages needed
to use an application / library. It started life as a way to make it
easier to set up a development environment for OpenStack projects.
Change-Id: I609c84ff223c3b02f0c0aa5747333e843e12609e
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Since the beaker jobs are being run on xenial, we need a special nodeset
for it, otherwise beaker gives an error:
beaker-hostgenerator was not able to use this value as input.
Exiting with an Error.
We also want to install puppet from the Ubuntu repos rather than from
puppetlabs, since puppetlabs doesn't support puppet 3 for Xenial. For
centos we can keep the install process the same.
Finally, since the epel repo is now disabled by default on nodepool
nodes, make sure it's enabled in the package resource.
Change-Id: Ifd2244ae9dd212b2475f9cd6adb994bc058a4769
Order and indentation of those parameters are changed
to follow Puppet Style Guide recommendation [0].
Moreover, it will allow a user to find a variable
in a list of variables much faster.
[0]. https://docs.puppetlabs.com/guides/style_guide.html
Change-Id: Icbf7252eae21f413290fcc80384ed3b71086bffa
Without this patch, the logic for managing selinux rules faces two
problems:
1. The use of the refreshonly is problematic. If for whatever reason
the semanage command fails or is not executed in the course of a puppet
run, a second puppet run can only fix the selinux problem if it is also
changing the state of the file resource to which the exec is
subscribed. If there is no change made to that file, puppet will not
attempt to re-execute the semanage command and the rule will remain
broken but unreported.
2. Using a system-modifying command as a value to the onlyif or unless
parameters is bad practice. If the command in the onlyif fails (or
if the command in the unless succeeds), the command in the command
parameter will not be executed so puppet will report no changes,
even though a change has occurred. The onlyif or unless parameters
are intended to examine the state of the system to determine whether
an action is needed, never to modify the system.
This patch removes the refreshonly parameters from the execs in
cgit::selinux in order to fix problem 1. This alone exacerbates problem
2 because when the exec is not tied to a file resource it always fails
to add the port after the first time, and so reports modifying the port
on every run. To fix this, this patch changes the onlyif to an unless
that examines whether the desired rule exists, and if not first tries
to add the port and then to modify the port if the port was already
added.
Change-Id: I98fa561b5367cd5fe11ff61479aa8b899db07a5a
Depends-On: I9d359b3fc71c7a83b6094f7ee535ab8418f20468
Depends-On: Iaa9c8cda7a2eae904eb8f25cfa33be249b2b4cab
If things are working correctly, then there may only be one port number
for a given port type, so it may not be part of a comma-separated list.
This patch relaxes the tests to allow a single port number instead of
strictly a comma-separated list in the output of `semanage port -l`.
Change-Id: Iaa9c8cda7a2eae904eb8f25cfa33be249b2b4cab
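
The two commit messages above (the `unless` guard for the selinux exec, and accepting a single port as well as a comma-separated list in `semanage port -l` output) describe a read-only check followed by an add-then-modify change. The shell sketch below is an added illustration, not code from puppet-cgit; the function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
sample_listing() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-60999
git_port_t                     tcp      9418
git_port_t                     udp      9418
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
EOF
}

# port_labelled TYPE PROTO PORT (hypothetical helper)
# Reads a `semanage port -l` listing on stdin and exits 0 only if PORT is
# listed for TYPE/PROTO. It only inspects state, so it is safe as a guard.
# Accepts a single port, a comma-separated list, or a low-high range.
port_labelled() {
    awk -v t="$1" -v p="$2" -v want="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                port = $i
                sub(/,$/, "", port)          # strip the list separator
                n = split(port, r, "-")
                if (n == 1 && port == want) found = 1
                if (n == 2 && want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0)
                    found = 1
            }
        }
        END { exit !found }'
}

# ensure_port TYPE PROTO PORT (hypothetical helper)
# The system-modifying step: try to add the port, and fall back to modify
# when the port is already defined.
ensure_port() {
    semanage port -a -t "$1" -p "$2" "$3" 2>/dev/null ||
        semanage port -m -t "$1" -p "$2" "$3"
}

# converge TYPE PROTO PORT: the guard runs on every invocation, the change
# runs only when the guard says the rule is missing, and a failed change is
# reported through the exit status instead of being hidden inside the guard.
converge() {
    if semanage port -l | port_labelled "$@"; then
        return 0
    fi
    ensure_port "$@"
}
```

Matching on whole fields rather than substrings means port 44 is not mistaken for 443 in the `http_port_t` row.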
These tests ensure that selinux is set up properly for the basic case
as well as for when behind_proxy is set and higher ports are used.
Change-Id: I9d359b3fc71c7a83b6094f7ee535ab8418f20468
Depends-On: Ia985dad81a95130ea55bb6479632375ac4ea6d24
Without this patch, the git-daemon init script file resource subscribes
to the systemd git-daemon socket file resource, and the exec that adds
or updates the git-daemon selinux port subscribes to changes in the
init script. The logic is broken here because a file resource cannot
subscribe to anything, only services and execs can subscribe to an
event. If the selinux exec needs to run again, for instance because the
git-daemon port has changed, it must wait for a change in the init
script. Since the init script is built from a static file and not a
template, it won't change if the git-daemon port changes, so the
selinux exec will not run.
This patch adds another subscribe relationship to the git-daemon
selinux exec on the git-daemon socket because if that changes, the
git-daemon exec needs to run again. We also replace the subscribe in
the init script resource with a require, which is a no-op change but
makes the relationship more clear.
Change-Id: Ia985dad81a95130ea55bb6479632375ac4ea6d24
As discussed on another project's patches when introducing tests[1], we
would like to keep the tests closer to where we apply the spec.
This change makes the testing structure consistent with the feedback given
on puppet-bandersnatch discussion.
[1] https://review.openstack.org/#/c/221941/
Change-Id: I12b50747b9a8e40fe76af25f54b734f6239ff425
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
Add acceptance tests for puppet-cgit module so that once the module is
applied we check if files were created, packages were installed and
services were started.
Co-Authored-By: Bruno Tavares <btavare@thoughtworks.com>
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
Change-Id: I8d12999b6d91f1ab67fa16d6bbd8bc1d2efa3a05
There were two outstanding errors preventing us from applying this
manifest:
- It was assuming you always have a non-loopback network interface
configured to use IPv6
- It was assuming the service rsyslog was already defined
Our patch fixed these two problems allowing you to apply the script.
Change-Id: Ie2c2d6ec9740a1d57b0b82e431ad2161c2940a80
Co-Authored-By: Bruno Tavares <btavare@thoughtworks.com>
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
It is really optional and should not be enforced into
load balancer class. Instead of that, we need to manage
that on manifests calling it. So we give more flexibility
on the usage of this module, and avoid problems of selinux
duplications if co-locating services.
Change-Id: I35cc13ba0c0449a580720cf7b72eb3c7243b4d0d
If the system running cgit has disabled selinux, cgit should not attempt
to run any selinux commands to prevent puppet apply from failing.
Change-Id: I21add092d9d09077f2b23760a384f5a5cb91d86a
Centos7 is a bit more opinionated on how git-daemon should run. In
particular with selinux the git_system_t context does not have
permissions to the git_port_t port(s) because systemd is expected to do
socket activation for git-daemon.
Fix this by not fighting systemd and embracing it. Use it for socket
activation with the git-daemon process and potentially add the git
daemon port to git_port_t label if necessary.
Change-Id: Id3fadfa74261649d158f4f31879f74f83d5856a8
This patch takes the original which was reverted and
adds mod_version which is needed to parse IfVersion if
on a Debian system.
When using puppet-cgit under CentOS 7, apache
fails because the config file is not working
in Apache 2.4 version.
Also, as CentOS 7 is starting apache on systemd,
it needs to load the systemd apache config under
conf.modules.d.
Original Patch: I7e0d51ee176c4f27721c16afeaae120eb8edf7ab
Change-Id: If3acc672ccd85b5704a2120379b60cb95528b7f7
Co-Authored-By: Yolanda Robla <yolanda.robla-mota@hp.com>
Co-Authored-By: Nicola Heald <nicola.heald@hp.com>
The default values for haproxy now are the
same as openstack-infra is using, that are considered
as sane defaults.
Change-Id: Ie130b5910b2c3559bdc63376446eed4a3f1b5749
If facter is not providing values for ipaddress or
ipaddress6, it's causing rules with undef content
to be created into haproxy.cfg
So check if these settings have a defined value
before adding that to the manifest.
Change-Id: I18256fe5aaf71626ea458a0a3d949f8adea5d72c
When running in CI, zuul-cloner clones repos to namespaced directories,
e.g. openstack-infra/puppet-cgit/. When running regular git clone, by
default it clones directly into the present working directory, e.g.
puppet-cgit/. This makes the relative directory inconsistent between
developer-run tests and CI jobs. This patch fixes the issue by telling
git clone to clone into the same directory that zuul-cloner would clone
it to.
Change-Id: I30ef38cda3420efc8834342298441e0733f0fb99
In 3f1f51 we added most of the boilerplate needed to run beaker-rspec
tests, but we still need the beaker-rspec gem itself. This patch adds
the gem to the Gemfile and reorganizes the Gemfile following
puppet-openstackci's model.
Change-Id: Ifc1ee3c62693680c425f0ca7962f9a716e16ce11