Puppet Class: profile::mediawiki::jobrunner

Defined in:
modules/profile/manifests/mediawiki/jobrunner.pp

Overview

Parameters:

  • statsd (Any) (defaults to: hiera('statsd'))

    The address of the statsd server.

  • fcgi_port (Optional[Wmflib::UserIpPort]) (defaults to: hiera('profile::php_fpm::fcgi_port', undef))

    If defined, sets up php-fpm to listen on that IP port instead of a Unix socket.

  • fcgi_pool (String) (defaults to: hiera('profile::mediawiki::fcgi_pool', 'www'))

    Defines the name of the pool for php-fpm. Defaults to 'www'

  • expose_endpoint (Boolean) (defaults to: hiera('profile::mediawiki::jobrunner::expose_endpoint', false))

    If true, the jobrunner endpoint is exposed to all clients. Defaults to false; it should only be set to true if no TLS setup is used (as in deployment-prep).



# File 'modules/profile/manifests/mediawiki/jobrunner.pp', line 16

class profile::mediawiki::jobrunner(
    $statsd = hiera('statsd'),
    Optional[Wmflib::UserIpPort] $fcgi_port = hiera('profile::php_fpm::fcgi_port', undef),
    String $fcgi_pool = hiera('profile::mediawiki::fcgi_pool', 'www'),
    Boolean $expose_endpoint = hiera('profile::mediawiki::jobrunner::expose_endpoint', false),
) {
    # Configures Apache httpd (worker MPM, mod_proxy_fcgi) as the HTTP front
    # end of a MediaWiki jobrunner, adds a monitoring check, and opens the
    # jobrunner ports in the ferm firewall.
    #
    # NOTE(review): $statsd is untyped and is not referenced anywhere in this
    # manifest body; presumably one of the ERB templates reads it. Confirm,
    # and otherwise drop the parameter.

    # Parameters we don't need to override
    # ERB templates read class-scope variables by name (see @port and
    # @local_only_port in the inline template below), so renaming any of these
    # means updating the templates as well.
    $port = 9005
    $local_only_port = 9006
    # NOTE(review): $fcgi_proxy is not used in this manifest; presumably
    # consumed by fcgi_proxies.conf.erb and/or site.conf.erb. Confirm.
    $fcgi_proxy = mediawiki::fcgi_endpoint($fcgi_port, $fcgi_pool)

    # Add headers lost by mod_proxy_fastcgi
    # The apache module doesn't pass along to the fastcgi appserver
    # a few headers, like Content-Type and Content-Length.
    # We need to add them back here.
    ::httpd::conf { 'fcgi_headers':
        source   => 'puppet:///modules/mediawiki/apache/configs/fcgi_headers.conf',
        priority => 0,
    }
    # Declare the proxies explicitly with retry=0
    httpd::conf { 'fcgi_proxies':
        ensure  => present,
        content => template('mediawiki/apache/fcgi_proxies.conf.erb')
    }

    # Apache modules to load, with daily log rotation keeping 7 rotations.
    # NOTE(review): 'autoindex' (directory listings) is enabled here; confirm
    # that a jobrunner vhost actually needs it.
    class { '::httpd':
        period  => 'daily',
        rotate  => 7,
        modules => [
            'alias',
            'authz_host',
            'autoindex',
            'deflate',
            'dir',
            'expires',
            'headers',
            'mime',
            'rewrite',
            'setenvif',
            'proxy_fcgi',
        ]
    }

    class { '::httpd::mpm':
        mpm => 'worker',
    }

    # Modules we don't enable.
    # TODO: We should also disable auth_basic, authn_file, authz_user
    # env, negotiation and reqtimeout
    # Only the three modules listed below are forced absent; the ones named in
    # the TODO keep whatever state the httpd packaging gives them.
    ::httpd::mod_conf { [
        'authz_default',
        'authz_groupfile',
        'cgi',
    ]:
        ensure => absent,
    }

    # Both Listen directives are emitted unconditionally and without a bind
    # address, so httpd accepts connections on 9005 and 9006 on every
    # interface. Who can actually reach each port is decided by the ferm rules
    # below and by whatever site.conf.erb enforces (not visible here).
    httpd::conf { 'jobrunner_port':
        ensure   => present,
        priority => 1,
        content  => inline_template("# This file is managed by Puppet\nListen <%= @port %>\nListen <%= @local_only_port %>\n"),
    }

    httpd::site { 'php7_jobrunner':
        priority => 1,
        content  => template('profile/mediawiki/jobrunner/site.conf.erb'),
    }

    ::monitoring::service { 'jobrunner_http':
        description   => 'PHP7 jobrunner',
        check_command => 'check_http_jobrunner',
        retries       => 2,
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Jobrunner',
    }

    # Firewall rule for $port: always declared, independent of
    # $expose_endpoint, and allows every source in $DOMAIN_NETWORKS.
    # '$DOMAIN_NETWORKS' is single-quoted, so Puppet does not interpolate it;
    # the literal string is handed to ferm (presumably a ferm-side variable).
    # NOTE(review): notrack presumably exempts this traffic from connection
    # tracking; confirm against ferm::service.
    # TODO: restrict this to monitoring and localhost only.
    ::ferm::service { 'mediawiki-jobrunner':
        proto   => 'tcp',
        port    => $port,
        notrack => true,
        srange  => '$DOMAIN_NETWORKS',
    }
    # If no TLS proxy is present in front of the jobrunner, expose the port directly.
    # With $expose_endpoint true, $local_only_port is opened to the same
    # $DOMAIN_NETWORKS range. With it false, no ferm rule is declared for that
    # port, so it stays closed only if ferm's default policy rejects
    # unmatched inbound traffic (assumed; not shown here).
    if $expose_endpoint {
        ::ferm::service { 'mediawiki-jobrunner-notls':
            proto   => 'tcp',
            port    => $local_only_port,
            notrack => true,
            srange  => '$DOMAIN_NETWORKS',
        }
    }
}