Puppet Class: profile::mediawiki::php::monitoring

Defined in:
modules/profile/manifests/mediawiki/php/monitoring.pp

Overview

Parameters:

  • prometheus_nodes (Array[Stdlib::Host]) (defaults to: lookup('prometheus_nodes'))
  • auth_passwd (String) (defaults to: lookup('profile::mediawiki::php::monitoring::password'))
  • auth_salt (String) (defaults to: lookup('profile::mediawiki::php::monitoring::salt'))
  • fcgi_port (Optional[Stdlib::Port::User]) (defaults to: lookup('profile::php_fpm::fcgi_port', {default_value => undef}))
  • fcgi_pool (String) (defaults to: lookup('profile::mediawiki::fcgi_pool', {default_value => 'www'}))
  • monitor_page (Boolean) (defaults to: lookup('profile::mediawiki::php::monitoring::monitor_page', {default_value => true}))
  • deployment_nodes (Array[String]) (defaults to: lookup('deployment_hosts', {default_value => []}))
  • monitor_opcache (Boolean) (defaults to: lookup('profile::mediawiki::php::monitoring::monitor_opcache', {default_value => true}))


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# File 'modules/profile/manifests/mediawiki/php/monitoring.pp', line 1

class profile::mediawiki::php::monitoring(
    Array[Stdlib::Host] $prometheus_nodes = lookup('prometheus_nodes'),
    String $auth_passwd = lookup('profile::mediawiki::php::monitoring::password'),
    String $auth_salt = lookup('profile::mediawiki::php::monitoring::salt'),
    Optional[Stdlib::Port::User] $fcgi_port = lookup('profile::php_fpm::fcgi_port', {default_value => undef}),
    String $fcgi_pool = lookup('profile::mediawiki::fcgi_pool', {default_value => 'www'}),
    Boolean $monitor_page = lookup('profile::mediawiki::php::monitoring::monitor_page', {default_value => true}),
    Array[String] $deployment_nodes = lookup('deployment_hosts', {default_value => []}),
    Boolean $monitor_opcache = lookup('profile::mediawiki::php::monitoring::monitor_opcache', {default_value => true}),
) {
    require ::network::constants
    require ::profile::mediawiki::php
    $php_versions = $profile::mediawiki::php::php_versions
    $versioned_port = php::fpm::versioned_port($fcgi_port, $php_versions)
    $default_php_version = $php_versions[0]
    $admin_port = 9181
    $admin_data = $php_versions.map |$idx, $php_version| {
        $versioned_fcgi_pool = $php_version ? {
            $default_php_version => $fcgi_pool,
            default              => "${fcgi_pool}-${php_version}"
        }
        $versioned_admin_port = $admin_port + $idx
        $retval = {
            'version'    => $php_version,
            'fcgi_proxy' => mediawiki::fcgi_endpoint($versioned_port[$php_version], $versioned_fcgi_pool),
            'admin_port' => $versioned_admin_port
        }
    }

    $docroot = '/var/www/php-monitoring'
    $htpasswd_file = '/etc/apache2/htpasswd.php7adm'
    $prometheus_nodes_str = join($prometheus_nodes, ' ')
    # Admin interface (and prometheus metrics) for APCu and opcache
    file { $docroot:
        ensure  => directory,
        recurse => true,
        owner   => 'root',
        group   => 'www-data',
        mode    => '0555',
        source  => 'puppet:///modules/profile/mediawiki/php/admin'
    }
    httpd::conf { 'php-admin-port':
        ensure  => present,
        content => template('profile/mediawiki/php-admin-ports.conf.erb')
    }
    # Will actually be one virtualhost per php version.
    httpd::site { 'php-admin':
        ensure  => present,
        content => template('profile/mediawiki/php-admin.conf.erb')
    }

    $htpasswd_string = htpasswd($auth_passwd, $auth_salt)
    file { $htpasswd_file:
        ensure  => present,
        content => "root:${htpasswd_string}\n",
        owner   => 'root',
        group   => 'www-data',
        mode    => '0440'
    }

    # TODO: remove this. It was added to allow opcache invalidation from scap but we're definitely
    # not doing it now. Also remove it from the virtualhosts.
    ferm::service { 'phpadmin_deployment':
        ensure => present,
        proto  => 'tcp',
        port   => $admin_port,
        srange => '$DEPLOYMENT_HOSTS',
    }

    $ferm_srange = "(@resolve((${prometheus_nodes_str})) @resolve((${prometheus_nodes_str}), AAAA))"
    ferm::service { 'prometheus-php-cache-exporter':
        proto  => 'tcp',
        port   => $admin_port,
        srange => $ferm_srange,
    }

    ## Admin script
    file { '/usr/local/bin/php7adm':
        ensure => present,
        source => 'puppet:///modules/profile/mediawiki/php/php7adm.sh',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }
    # Create a hash of php_version => admin port, save it as json in a file.
    $version_ports = $admin_data.map |$d| {
        {$d['version'] => $d['admin_port']}
    }.reduce({}) |$m,$v| {$m.merge($v)}
    file { '/etc/php7adm.versions':
        ensure  => present,
        content => $version_ports.to_json,
        owner   => 'root',
        group   => 'ops',
        mode    => '0444',
    }
    file { '/etc/php7adm.netrc':
        ensure  => present,
        content => "machine localhost login root password ${auth_passwd}\n",
        owner   => 'root',
        group   => 'ops',
        mode    => '0440',
    }
    ## Monitoring
    # Check that php-fpm is running
    $php_versions.each |$php_version| {
        $svc_name = php::fpm::programname($php_version)
        nrpe::monitor_systemd_unit_state{ $svc_name: }
    }

    # Export basic php-fpm stats using a textfile exporter
    class { '::prometheus::node_phpfpm_statustext':
        php_versions => $php_versions,
    }
    # TODO: extend all this beyond the default php version that is assumed here.
    # It will be done once we've moved to serving actual traffic with more than one version of
    # php.
    if $monitor_page {
        # Check that a simple page can be rendered via php-fpm.
        # If a service check happens to run while we are performing a
        # graceful restart of Apache, we want to try again before declaring
        # defeat.
        monitoring::service { 'appserver_http_php7':
            description    => 'PHP7 rendering',
            check_command  => 'check_http_wikipedia_main_php7',
            retry_interval => 2,
            notes_url      => 'https://wikitech.wikimedia.org/wiki/Application_servers/Runbook#PHP7_rendering',
        }
    }
    else {
        # Check that the basic health check url can be rendered via php-fpm.
        monitoring::service { 'appserver_health_php7':
            description    => 'PHP7 rendering',
            check_command  => 'check_http_jobrunner_php7',
            retries        => 2,
            retry_interval => 2,
            notes_url      => 'https://wikitech.wikimedia.org/wiki/Application_servers/Runbook#PHP7_rendering',
        }
    }
    # Monitor opcache status
    file { '/usr/local/lib/nagios/plugins/nrpe_check_opcache':
        ensure => present,
        source => 'puppet:///modules/profile/mediawiki/php/nrpe_check_opcache.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    if $monitor_opcache {
        nrpe::monitor_service { 'opcache':
            description  => 'PHP opcache health',
            nrpe_command => '/usr/local/lib/nagios/plugins/nrpe_check_opcache -w 100 -c 50',
            notes_url    => 'https://wikitech.wikimedia.org/wiki/Application_servers/Runbook#PHP7_opcache_health',
        }
    }
}