Puppet Class: profile::mediawiki::jobrunner

Defined in:
modules/profile/manifests/mediawiki/jobrunner.pp

Summary

Sets up the basic functionalities of a jobrunner.

Overview

Parameters:

  • statsd (String) (defaults to: lookup('statsd'))

    The address of the statsd server.

  • fcgi_port (Optional[Stdlib::Port::User]) (defaults to: lookup('profile::php_fpm::fcgi_port', {default_value => undef}))

    If defined, sets up php-fpm to listen on that IP port instead of a Unix socket.

  • fcgi_pool (String) (defaults to: lookup('profile::mediawiki::fcgi_pool', {default_value => 'www'}))

    Defines the name of the pool for php-fpm. Defaults to 'www'

  • expose_endpoint (Boolean) (defaults to: lookup('profile::mediawiki::jobrunner::expose_endpoint', {default_value => false}))

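    If true, the jobrunner endpoint is exposed to all clients. Defaults to false; it should only be set to true if no TLS setup is used (as in deployment-prep). In the class body, setting it adds the 'mediawiki-jobrunner-notls' firewall rule, which opens port 9006 to sources in $DOMAIN_NETWORKS.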

  • cluster (String) (defaults to: lookup('cluster'))
  • php_versions (Array[Wmflib::Php_version]) (defaults to: lookup('profile::mediawiki::php::php_versions', {'default_value' => ['7.2']}))
  • default_php_version (Optional[Wmflib::Php_version]) (defaults to: lookup('profile::mediawiki::jobrunner::default_php_version', {'default_value' => undef}))


# File 'modules/profile/manifests/mediawiki/jobrunner.pp', line 16

class profile::mediawiki::jobrunner(
    String $cluster = lookup('cluster'),
    String $statsd = lookup('statsd'),
    Optional[Stdlib::Port::User] $fcgi_port = lookup('profile::php_fpm::fcgi_port', {default_value => undef}),
    String $fcgi_pool = lookup('profile::mediawiki::fcgi_pool', {default_value => 'www'}),
    Boolean $expose_endpoint = lookup('profile::mediawiki::jobrunner::expose_endpoint', {default_value => false}),
    Array[Wmflib::Php_version] $php_versions = lookup('profile::mediawiki::php::php_versions', {'default_value' => ['7.2']}),
    Optional[Wmflib::Php_version] $default_php_version = lookup('profile::mediawiki::jobrunner::default_php_version', {'default_value' => undef})
) {
    # Purpose: configures Apache (httpd) with FastCGI proxies for the jobrunner
    # site and declares the ferm firewall rules for its listening ports.
    # All parameters default to hiera lookups; $statsd is not referenced in
    # this class body (NOTE(review): it may be read by a template - confirm).
    #
    # Local variables are read by ERB templates through the class scope
    # (@port and @local_only_port below; the fcgi variables per the comments
    # further down), so renaming one is not a purely local change.

    # Parameters we don't need to override
    # Apache listens on both ports (see 'jobrunner_port' below). 9005 is always
    # opened in the firewall; 9006 is opened only when $expose_endpoint is true.
    $port = 9005
    $local_only_port = 9006
    # Indexed by PHP version below, so presumably a Hash of version => port;
    # verify against php::fpm::versioned_port.
    $versioned_port = php::fpm::versioned_port($fcgi_port, $php_versions)
    # The ordering of $fcgi_proxies determines the fallback php version in profile/mediawiki/jobrunner/site.conf.erb
    # via the mediawiki/apache/php_backend_selection.erb template function
    # When a default version is given it is placed first, followed by the
    # remaining versions with the default filtered out to avoid a duplicate.
    $ordered_php_versions = $default_php_version ? {
        undef => $php_versions,
        default => [$default_php_version] + $php_versions.filter |$x| { $x != $default_php_version}
    }
    # Builds one [version, endpoint] pair per PHP version, in the order above.
    # $idx is unused; the assignment is the lambda's final expression, so the
    # pair it assigns is what map collects.
    $fcgi_proxies = $ordered_php_versions.map |$idx, $version| {
        $retval = [$version, mediawiki::fcgi_endpoint($versioned_port[$version], "${fcgi_pool}-${version}")]
    }
    # We're sharing template functions with mediawiki::web::vhost, so keep the same nomenclature.
    # First pair is the primary endpoint; [1, -1] takes every pair after it.
    $php_fpm_fcgi_endpoint = $fcgi_proxies[0]
    $additional_fcgi_endpoints = $fcgi_proxies[1, -1]
    # Add headers lost by mod_proxy_fastcgi
    # The apache module doesn't pass along to the fastcgi appserver
    # a few headers, like Content-Type and Content-Length.
    # We need to add them back here.
    ::httpd::conf { 'fcgi_headers':
        source   => 'puppet:///modules/mediawiki/apache/configs/fcgi_headers.conf',
        priority => 0,
    }
    # Declare the proxies explicitly with retry=0
    httpd::conf { 'fcgi_proxies':
        ensure  => present,
        content => template('mediawiki/apache/fcgi_proxies.conf.erb')
    }

    # Expose a SERVERGROUP variable to php-fpm
    # $cluster is interpolated unquoted into the Apache directive and is only
    # typed as String, so this relies on the hiera value containing no
    # whitespace or newlines; anything else would change the generated config.
    ::httpd::conf { 'wikimedia_cluster':
        content => "SetEnvIf Request_URI \".\" SERVERGROUP=${cluster}\n"
    }

    # NOTE(review): period/rotate look like log-rotation settings - confirm in
    # the httpd module. This module list contains no ssl module; per the
    # comment above the 'mediawiki-jobrunner-notls' rule, TLS is expected to
    # come from a proxy in front of the jobrunner when one is used.
    class { '::httpd':
        period  => 'daily',
        rotate  => 7,
        modules => [
            'alias',
            'authz_host',
            'autoindex',
            'deflate',
            'dir',
            'expires',
            'headers',
            'mime',
            'rewrite',
            'setenvif',
            'proxy_fcgi',
        ]
    }

    class { '::httpd::mpm':
        mpm => 'worker',
    }

    # Modules we don't enable.
    # These are declared absent explicitly instead of being left out of the
    # list above.
    # TODO: We should also disable auth_basic, authn_file, authz_user
    # env, negotiation and reqtimeout
    ::httpd::mod_conf { [
        'authz_default',
        'authz_groupfile',
        'cgi',
    ]:
        ensure => absent,
    }

    # Emits the two Listen directives; the ERB reads @port and
    # @local_only_port from this class's scope.
    httpd::conf { 'jobrunner_port':
        ensure   => present,
        priority => 1,
        content  => inline_template("# This file is managed by Puppet\nListen <%= @port %>\nListen <%= @local_only_port %>\n"),
    }

    # What is served on each port is defined in site.conf.erb, which is not
    # part of this file.
    httpd::site { 'php7_jobrunner':
        priority => 1,
        content  => template('profile/mediawiki/jobrunner/site.conf.erb'),
    }

    # TODO: restrict this to monitoring and localhost only.
    # Until then, port 9005 is reachable from every source in $DOMAIN_NETWORKS.
    # The srange value is single-quoted on purpose: Puppet passes the literal
    # string through, presumably for ferm to resolve - confirm in the ferm module.
    # NOTE(review): notrack presumably exempts this traffic from connection
    # tracking - confirm in ferm::service.
    ::ferm::service { 'mediawiki-jobrunner':
        proto   => 'tcp',
        port    => $port,
        notrack => true,
        srange  => '$DOMAIN_NETWORKS',
    }
    # If no TLS proxy is present in front of the jobrunner, expose the port directly.
    # NOTE(review): despite its name, $local_only_port then becomes reachable
    # from all of $DOMAIN_NETWORKS, without TLS; keep expose_endpoint false
    # wherever a TLS proxy fronts the jobrunner.
    if $expose_endpoint {
        ::ferm::service { 'mediawiki-jobrunner-notls':
            proto   => 'tcp',
            port    => $local_only_port,
            notrack => true,
            srange  => '$DOMAIN_NETWORKS',
        }
    }
}