The vhost::proxy vhost template file uses the ssl_path var.
Unfortunately this isn't defined in params so we get errors like:
Unknown variable: 'httpd::params::ssl_path'. at /etc/puppetlabs/code/modules/httpd/manifests/vhost/proxy.pp:37:15
Fix that by defining a value. Note this value should be correct for
debuntu, but is probably wrong for RHEL/CentOS.
Change-Id: Idbb1ac60a17d5506c4dd0d19eb10c1a45741c3b5
This is a mechanically generated change to replace openstack.org
git:// URLs with https:// equivalents.
This is in aid of a planned future move of the git hosting
infrastructure to a self-hosted instance of gitea (https://gitea.io),
which does not support the git wire protocol at this stage.
This update should result in no functional change.
For more information see the thread at
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003825.html
Change-Id: I76d1d384fd6c0f3ef6e765fa83fe02a060985b79
The logic in the Gemfile was relying on Zuulv2 variables to find out
whether the spec helper gem was already available on disk, and since
Zuulv3 has changed things it was failing to find it and downloading the
master version instead. This patch ensures the Gemfile looks for the gem
in the right place when running in CI.
Change-Id: I5a5c8613bf637f15d7a14481961991d242339d3c
Evaluating the template from the vhost defined type rather than the
module where it originates causes problems when dereferencing the
variables in the ERB file. If they are not accessed via the internal
scope object, they can't be found when using puppet 4. The scope object
is also useless when the variables are defined in a defined type and not
a class.
This patch adds a new parameter, $content, which overrides the $template
parameter. If provided, $content indicates the literal string content
for the vhost, as opposed to a reference to a template that needs to be
rendered. This can be used like this:
    $content = template('example/example.vhost.erb')
    httpd::vhost { 'vhostname':
      content  => $content,
      priority => 50
    }
This way the template is evaluated when the template() function is
called and has access to variables in that scope.
Change-Id: Ibe3c609d92f3321f43f4794062a64b119b07a1d0
In a httpd::vhost::proxy resource, if proxy exclusions and a docroot
are specified, we should allow clients to access contents of the
docroot.
Change-Id: If30b192b8f2c16375aa534131217a5aa2a9ff47d
Instead of keeping a local copy of spec_helper_acceptance.rb and
requiring updates to all modules for any change, we can move it into the
common helper gem and require it from there. This will make it easier to
create and review changes that affect all puppet modules. Also change
the Gemfile to look for the gem in the local workspace if running in a
zuul environment.
Change-Id: I8233333e7c35a3a1191c0f8d070f6de5dfb7b33d
The python apache mod is deprecated and does not work with the wsgi mod.
The apache service dies if both mods are enabled. We can keep the mod
class but it is not worth keeping tests for it.
Change-Id: Ie411ee5c6e9324371eaabe0a6f1761c912a79600
It is not necessary to check every file and package in the puppet
functional tests. It can be assumed that if puppet finished correctly
then it was also able to successfully find and install packages and
apply configs. We leave the service checks, however, because it is
possible for services to die due to misconfiguration after puppet starts
them.
Change-Id: I97682cb9d956803c3ab1be42fe44c0437c3d5f02
Add a xenial nodeset and update the spec helper to install puppet 3 from
the Ubuntu repos instead of from puppetlabs.
Change-Id: I5d48236074dcb4e5d0fbd3466355d4224250e393
Use the common spec helper gem instead of managing every gem
individually. This will keep the linter gems up to date and unbreak the
linter job.
Change-Id: I0034055dd172c23366ab5ba37b5b5174647e4f81
Bindep is a tool for checking the presence of binary packages needed
to use an application / library. It started life as a way to make it
easier to set up a development environment for OpenStack projects.
Change-Id: I6b353492e35f71bce66ea648d5f6f83e3d887587
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
When running on CentOS, that problem still persists: when trying
to access files under a vhost, apache was failing with
Access denied because search permissions are missing.
So running chcon on the docroot for each vhost
Please note that this change was reverted before. That was caused
by puppet-cgit sending a dummy location "MEANINGLESS ARGUMENT"
to docroot argument of vhost. To avoid that failure, execute only
the chcon call if docroot exists and is a directory.
Change-Id: I4ab7d4cc6d2115bd8f980be7f14a6a4557ffeb87
We are reverting as this breaks our gitXX.o.o servers, which are centos-7. EG:
(/Stage[main]/Cgit/Httpd::Vhost[git.openstack.org]/Exec[update_context_MEANINGLESS ARGUMENT]/returns) chcon: cannot access ‘MEANINGLESS’: No such file or directory
This reverts commit 10844f7c9e.
Change-Id: I06435e6203bd8770bc6a817d3f0b33a05d84bdf6
When running on CentOS, two problems appeared:
- when using proxy, apache was failing with an error 500,
fixed by enabling httpd_can_network_connect
- when trying to access files under a vhost, apache was
failing with Access denied because search permissions
are missing. So running chcon on the docroot for each vhost
Change-Id: I87c4c0e51f05eab8f5c8e094c2c54504e60b97af
Order and indentation of those parameters are changed
to follow Puppet Style Guide recommendation [0].
Moreover, it will allow a user to find a variable
in a list of variables much faster.
[0]. https://docs.puppetlabs.com/guides/style_guide.html
Change-Id: If2443cbc57671784cfcb31bbe0ada0c09f78c996
Infra doesn't really use this template, but in case someone else does,
update the protocol to only use TLS and update the cipher list to the
list of strong ciphers.
Change-Id: Ibd8a0e65800e022ab8bc52f6af63c3c85e84419d
Enable Server Name Indication (SNI) on Ubuntu 12.04 LTS which runs
Apache 2.2. This allows running multiple HTTPS sites from one IP
address/TCP port when SubjectAltNames are specified in the
certificate, but MSIE on WinXP does not support this extension and
so will cease working for HTTPS sites managed by this module. Note
that this behavior is already implicit on Apache 2.4 based platforms
(such as Ubuntu 14.04 LTS).
Change-Id: I05c8e335f68d9461d8d81a3d12343d1920a738d4
We recently introduced on bf7ce40e2f the
use of mod_version. The module is enabled and installed by default on
Ubuntu Trusty 14.04, CentOS 6 and CentOS 7.
On Ubuntu Precise 12.04 the module comes installed, but not enabled by
default. This is needed to maintain compatibility with downstream pool
of servers.
Change-Id: I01a8a12b959e3cbecd0355562db0393404ae54bf
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
Apache's configuration for access control has changed on 2.4. To allow
access to served directories we need to include the new directive
"Require grant all".
We scoped the configuration to only be applied on Apache 2.4. More
information can be viewed on the Apache's upgrade document[1].
The tests were changed to ensure that the configuration is working
without any extra override, as the extra test vhost is on a custom
directory that requires the template to grant access to it.
[1] http://httpd.apache.org/docs/trunk/upgrading.html
Change-Id: I898ca049c5b3592cb70ad8c22eba8d4c681f3b22
Co-Authored-By: Bruno Tavares <btavare@thoughtworks.com>
While working on puppet-lodgeit acceptance tests we found that the
configuration file that `httpd::mod::proxy` creates was not being picked
up by Apache because it was missing the prefix `.conf`. This transition
is required to configure httpd modules correctly on Apache >= 2.4
To prevent Apache from loading the same configuration twice, we
remove the file without extension, so this change does not affect
running systems.
This change has fixes for `httpd::mod::proxy` and `httpd::mod::redirect`
as they have the same issue. We added tests as well to increase the
confidence on the fix.
The acceptance will be fixed on the follow-up patch, as the redirect
grants are broken for 2.4 as well.
Change-Id: I82241038d687316f91f18209fe8323c12422e2f8
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
According to
https://docs.puppetlabs.com/puppet/3.8/reference/lang_datatypes.html
there is no way to end a single-quoted string with a literal
backslash, so fold this content into the preceding double-quoted
string in an effort to satisfy the linter as well.
Change-Id: Ic639cd2fc1c7953cbf4311ce7c958f9bdb61e31b
If any locations are being excluded from reverse-proxying, we need
to be able to specify a DocumentRoot to serve up un-proxied files.
Change-Id: I1c5fe6f73b5983886578975e89c5e4148b506795
A user of httpd::vhost::proxy may wish to exclude certain URLs from
being proxied. This change allows the template to be populated with
such exclusions.
Change-Id: I55a86d3c703a667daf55cb75cf559eb23a556219
CentOS 7 has officially deprecated mod_python in favor of mod_wsgi and
the package is not available anymore. This change adds a note on the
module about the officially supported way to run python applications on
CentOS 7.
Change-Id: I9bf2e0dde6575f50db6ce12abf896b5890b42419
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
Add acceptance tests for puppet-httpd module so that once the module is
applied we check if files were created, packages were installed and
services were started.
Change-Id: I3e1430f2937bd2bc5ea789c626784af7d5d85959
Co-Authored-By: Bruno Tavares <btavare@thoughtworks.com>
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
Replace usage of httpd_mod with the httpd::mod wrapper to allow classes
to be applied as well on RedHat systems and have the httpd service
ordering fixed.
Change-Id: If790efd7b465e77c2eca7710f79e563d69ee3783
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
While writing acceptance tests for puppet-httpd we noticed that the
manifest of httpd::python is not working on Ubuntu Trusty.
The httpd::python manifest was using a non-declared
$apache::params::mod_python_package instead of
$httpd::params::mod_python_package
Change-Id: I4db9298aba7da90a017527b2fb29dcd17af28efc
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
While writing acceptance tests for puppet-httpd we noticed that the
manifest of httpd::dev was not working on Ubuntu Trusty.
That is because httpd::dev was trying to install multiple packages using
the wrong syntax. Also, one of the modules for Ubuntu was wrong and
we updated it to keep applying.
Co-Authored-By: Bruno Tavares <btavare@thoughtworks.com>
Co-Authored-By: Danilo Ramalho <dramalho@thoughtworks.com>
Change-Id: Ibe1e107417b4670902f74b8c2fedc0d9d927ce9b
This allows for before => Service['httpd'] on every resource without
being explicit.
Co-Authored-By: Bruno Tavares <btavare@thoughtworks.com>
Co-Authored-By: Glauco Oliveira <gvinici@thoughtworks.com>
Change-Id: I0e991a7a63317e608cc6ef35b58dc79b518ba863
Use same target directory for zuul-cloner and
the regular git command.
Change-Id: Ia93972eb910cbff202820151a0407d36b3317dc4
Co-Authored-By: Fabien Boucher <fabien.boucher@enovance.com>
Adding this subclass to httpd configuration, to allow
modules using this manifest to setup log rotation for
apache on demand.
Please note that apache is installing a logrotate file by
default here, but naming that the same way will overwrite it,
and allow our desired log rotation.
Depends-On: I7451ecc550b50b85c55784ef598f6b45412117fc
Change-Id: I3ef60fd9386795007e5b55264cc6e91fa0b67c68
$configure_firewall defaults to true, however the related firewall
dependency is missing from the module metadata. The lower bound
used here reflects that of puppetlabs-apache v0.0.4, the upper bound is
the current release.
Change-Id: Ic628fcacf11a65786241047f58839544e3d1fc52