Ensure the friendly coexistence with other Fuel plugins

* use hard coded HTTP port 8001 to allow coexistence with other fuel plugins
* use Apache Puppet module to configure Virtualhost

implements blueprint lma-infra-alerting-plugin

Change-Id: Id82ef1a580d4e39f3dd207b725900d70570ba539

deployment_scripts/puppet/manifests/firewall.pp

@@ -0,0 +1,57 @@
+#    Copyright 2015 Mirantis, Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+$plugin = hiera('lma_infrastructure_alerting')
+$user_node_name = hiera('user_node_name')
+
+if $plugin['node_name'] == $user_node_name {
+
+  class {'::firewall':}
+
+  firewall { '000 accept all icmp requests':
+    proto  => 'icmp',
+    action => 'accept',
+  }
+
+  firewall { '001 accept all to lo interface':
+    proto   => 'all',
+    iniface => 'lo',
+    action  => 'accept',
+  }
+
+  firewall { '002 accept related established rules':
+    proto  => 'all',
+    state  => ['RELATED', 'ESTABLISHED'],
+    action => 'accept',
+  }
+
+  firewall {'020 ssh':
+    port   => 22,
+    proto  => 'tcp',
+    action => 'accept',
+  }
+
+  firewall { '300 nagios cgi':
+    # Important: must match the $lma_infra_alerting::params::nagios_http_port
+    port   => 8001,
+    proto  => 'tcp',
+    action => 'accept',
+  }
+
+  firewall { '999 drop all other requests':
+    proto  => 'all',
+    chain  => 'INPUT',
+    action => 'drop',
+  }
+}

deployment_scripts/puppet/modules/lma_infra_alerting/manifests/init.pp

@@ -18,7 +18,6 @@
 class lma_infra_alerting (
   $openstack_management_vip = undef,
   $openstack_deployment_name = '',
-  $user = $lma_infra_alerting::params::nagios_http_user,
   $password = $lma_infra_alerting::params::nagios_http_password,
   $additional_services = [],
   $contact_email = $lma_infra_alerting::params::nagios_contact_email,
@@ -38,7 +37,6 @@ class lma_infra_alerting (
 
   # Install and configure nagios server
   class { 'lma_infra_alerting::nagios':
-    http_user => $user,
     http_password => $password,
   }
 

deployment_scripts/puppet/modules/lma_infra_alerting/manifests/nagios.pp

@@ -20,6 +20,7 @@
 class lma_infra_alerting::nagios (
   $http_user = $lma_infra_alerting::params::nagios_http_user,
   $http_password = $lma_infra_alerting::params::nagios_http_password,
+  $http_port = $lma_infra_alerting::params::nagios_http_port,
 ) inherits lma_infra_alerting::params {
 
   class { '::nagios':
@@ -40,7 +41,9 @@ class lma_infra_alerting::nagios (
   }
 
   class { '::nagios::cgi':
-    cgi_user => $http_user,
-    cgi_password => $http_password,
+    user      => $http_user,
+    password  => $http_password,
+    http_port => $http_port,
+    require   => Class[nagios],
   }
 }

deployment_scripts/puppet/modules/lma_infra_alerting/manifests/params.pp

@@ -18,6 +18,7 @@ class lma_infra_alerting::params {
   #
   $nagios_http_user = 'nagiosadmin'
   $nagios_http_password = ''
+  $nagios_http_port = 8001
   $nagios_cmd_check_ssh = 'check_ssh'
 
   $nagios_contactgroup = 'openstack'

deployment_scripts/puppet/modules/nagios/manifests/cgi.pp

@@ -17,61 +17,75 @@
 # Install and configure Nagios web interface
 #
 class nagios::cgi (
-  $cgi_user = $nagios::params::cgi_user,
-  $cgi_password = $nagios::params::cgi_password,
-  $cgi_htpasswd_file = $nagios::params::cgi_htpasswd_file,
-){
+  $user = $nagios::params::cgi_user,
+  $password = $nagios::params::cgi_password,
+  $htpasswd_file = $nagios::params::cgi_htpasswd_file,
+  $http_port = $nagios::params::cgi_http_port,
+  $vhost_listen_ip = '*',
+) inherits nagios::params {
 
-  include nagios::params
-  #TODO: use apache puppet module
-  $apache_service_name = $nagios::params::apache_service_name
-
-  $package_name = $nagios::params::nagios_cgi_package
-  package { $package_name:
-    ensure => present,
+  ## Configure apache
+  class { 'apache':
+    # be good citizen by not erasing other configurations
+    purge_configs       => false,
+    default_confd_files => false,
+    default_vhost       => false,
+    # prerequists for Nagios CGI
+    mpm_module          => 'prefork',
+    default_mods        => ['php', 'cgi'],
+    # allow to use the Puppet user resource later in the manifest
+    manage_group        => false,
+    manage_user         => false,
   }
 
-  # Configure apache
-  # TODO http port and vhost
-  package {$apache_service_name:
-    ensure => present,
+  apache::listen { $http_port: }
+
+  # Template uses these variables: http_port, vhost_listen_ip, cgi_htpasswd_file
+  apache::custom_config { 'nagios':
+    content => template("nagios/${nagios::params::apache_vhost_config_tpl}"),
   }
 
-  service {$apache_service_name:
-    ensure => running,
-    require => Package[$apache_service_name],
-  }
+  case $::osfamily {
+    'Debian': {
+      # Nagios CGI is provided by a dedicated package
+      $package_name = $nagios::params::nagios_cgi_package
+      package { $package_name:
+        ensure  => present,
+        require => Class[apache],
+      }
+      htpasswd { $user:
+        # TODO randomize salt?
+        cryptpasswd => ht_md5($password, 'salt'),
+        target      => $htpasswd_file,
+        require => Package[$package_name],
+      }
 
-  # TODO: update cgi config to allow this specific user to access UI
-  htpasswd { $cgi_user:
-    # TODO randomize salt?
-    cryptpasswd => ht_md5($cgi_password, 'salt'),
-    target      => $cgi_htpasswd_file,
-  #  notify => Service[$apache_service_name],
-    require => Package[$package_name],
-  }
+      # Fix a permission issue with Ubuntu
+      # to allow using external commands through the web UI
+      $apache_user = $apache::user
+      user { $apache_user:
+        groups => 'nagios',
+        require => Class[apache],
+      }
+      file { '/var/lib/nagios3/rw':
+        ensure => directory,
+        mode => '0650',
+        require => Package[$package_name],
+      }
 
-  # TODO: CentOS compatibility
-  $apache_user = 'www-data'
-
-  user { $apache_user:
-    groups => 'nagios',
-    require => Package[$apache_service_name],
-  }
-
-  # fix a permission issue with Ubuntu
-  # TODO: CentOS compatibility
-  file { '/var/lib/nagios3/rw':
-    ensure => directory,
-    mode => '0650',
-    require => Package[$package_name],
-  }
-
-  file { $cgi_htpasswd_file:
-    owner => root,
-    group => $apache_user,
-    mode  => '0640',
-    require => Htpasswd[$cgi_user],
+      file { $cgi_htpasswd_file:
+        owner => root,
+        group => $apache_user,
+        mode  => '0640',
+        require => Htpasswd[$user],
+      }
+    }
+    'Redhat': {
+      htpasswd { $user:
+        # TODO randomize salt?
+        cryptpasswd => ht_md5($password, 'salt'),
+        target      => $htpasswd_file,
+      }
+    }
   }
 }
-

deployment_scripts/puppet/modules/nagios/manifests/params.pp

@@ -24,9 +24,10 @@ class nagios::params {
   # CGI
   $nagios_cgi_package = 'nagios3-cgi'
   $cgi_htpasswd_file = '/etc/nagios3/htpasswd.users'
-  $apache_service_name = 'apache2'
   $cgi_user = 'nagiosadmin'
   $cgi_password = undef
+  $cgi_http_port = '80'
+  $apache_vhost_config_tpl = 'apache_vhost_ubuntu.conf.erb'
 
   # Nagios server configurations
   $nagios_debug = false

deployment_scripts/puppet/modules/nagios/metadata.json

@@ -19,6 +19,7 @@
     ],
     "description": "Puppet module for configuring Nagios server and Nagios CGI",
     "dependencies": [
+        {"name": "puppetlabs/apache", "version_requirement": "1.5.0"},
         {"name": "puppetlabs/stdlib", "version_requirement": "4.x"},
         {"name": "leinaddm/htpasswd", "version_requirement": ">= 0.0.3"}
     ]

deployment_scripts/puppet/modules/nagios/templates/apache_vhost_ubuntu.conf.erb

@@ -0,0 +1,38 @@
+# ************************************
+# Vhost template in module nagios
+# Managed by Puppet
+# ************************************
+
+<VirtualHost <%= @vhost_listen_ip %>:<%= @http_port %>>
+  ServerName nagios
+
+  DocumentRoot "/usr/share/nagios3/htdocs"
+  # Alias for UI
+  ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
+  # Alias for HTTP commands
+  ScriptAlias /cgi-bin /usr/lib/cgi-bin/nagios3
+  # Aliases for static content
+  Alias /stylesheets /etc/nagios3/stylesheets
+  Alias /nagios3/images /usr/share/nagios3/htdocs/images
+  Alias /nagios3/js /usr/share/nagios3/htdocs/js
+  Alias /nagios3/stylesheets /etc/nagios3/stylesheets
+  <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
+    Options FollowSymLinks
+    DirectoryIndex index.php index.html
+    AllowOverride AuthConfig
+    Order Allow,Deny
+    Allow From All
+    AuthName "Nagios Access"
+    AuthType Basic
+    AuthUserFile <%= @cgi_htpasswd_file %>
+    require valid-user
+  </DirectoryMatch>
+
+  <Directory /usr/share/nagios3/htdocs>
+   Options +ExecCGI
+
+  </Directory>
+  ErrorLog "/var/log/apache2/nagios_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/nagios_access.log" combined
+</VirtualHost>

pre_build_hook

@@ -8,7 +8,8 @@ HTPASSWD_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/leinaddm-htpasswd
 # This is the commit id for the current stable/6.1 branch
 FUEL_LIB_COMMIT="be44e9ea792fe4314ac8c1b7596742ceb5163f61"
 FUEL_LIB_TARBALL_URL="https://github.com/stackforge/fuel-library/archive/${FUEL_LIB_COMMIT}.tar.gz"
-
+APACHE_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/puppetlabs-apache-1.4.0.tar.gz"
+CONCAT_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/puppetlabs-concat-1.2.3.tar.gz"
 
 function download_packages {
     while [ $# -gt 0 ]; do
@@ -55,11 +56,13 @@ download_packages \
     http://mirrors.kernel.org/ubuntu/pool/main/w/whois/whois_5.1.1_amd64.deb
 
 
-rm -rf "${MODULES_DIR:?}"/{openstack,stdlib,htpasswd}
-mkdir -p "${MODULES_DIR}"/{openstack,stdlib,htpasswd}
+rm -rf "${MODULES_DIR:?}"/{openstack,stdlib,htpasswd,apache,concat}
+mkdir -p "${MODULES_DIR}"/{openstack,stdlib,htpasswd,apache,concat}
 
 wget -qO- "${FUEL_LIB_TARBALL_URL}" | \
     tar -C "${MODULES_DIR}" --strip-components=3 -zxvf - \
     fuel-library-${FUEL_LIB_COMMIT}/deployment/puppet/{openstack,stdlib}
 
 wget -qO- "${HTPASSWD_TARBALL_URL}" | tar -C "${MODULES_DIR}/htpasswd" --strip-components=1 -xz
+wget -qO- "${APACHE_TARBALL_URL}" | tar -C "${MODULES_DIR}/apache" --strip-components=1 -xz
+wget -qO- "${CONCAT_TARBALL_URL}" | tar -C "${MODULES_DIR}/concat" --strip-components=1 -xz

tasks.yaml

@@ -8,6 +8,15 @@
     puppet_modules: /etc/puppet/modules
     timeout: 720
 
+# The following tasks are executed in the order they are declared
+- role: ['base-os']
+  stage: post_deployment/8100
+  type: puppet
+  parameters:
+    puppet_manifest: puppet/manifests/firewall.pp
+    puppet_modules: /etc/puppet/modules
+    timeout: 600
+
 - role: ['base-os']
   stage: post_deployment/8100
   type: puppet