modules/nginx/manifests/init.pp - Issue 29344646: Issue 4073 - Improve Nginx integration with "upstart" service provider

Delta Between Two Patch Sets: modules/nginx/manifests/init.pp

Issue 29344646: Issue 4073 - Improve Nginx integration with "upstart" service provider (Closed)

Left Patch Set: Created May 26, 2016, 8:47 p.m.

Right Patch Set: Issue 4073 - Address feedback from code-review Created May 27, 2016, 4:03 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 class nginx (	1 class nginx (

2 $worker_processes = $nginx::params::worker_processes,	2 $worker_processes = $nginx::params::worker_processes,

3 $worker_connections = $nginx::params::worker_connections,	3 $worker_connections = $nginx::params::worker_connections,

4 $ssl_session_cache = $nginx::params::ssl_session_cache,	4 $ssl_session_cache = $nginx::params::ssl_session_cache,

5 $geoip_country = undef,	5 $geoip_country = undef,

6 $geoip_city = undef,	6 $geoip_city = undef,

7 ) inherits nginx::params {	7 ) inherits nginx::params {

8	8

9 apt::ppa {'ppa:nginx/stable':	9 apt::ppa {'ppa:nginx/stable':

10 }	10 }

(...skipping 28 matching lines...) Expand all Loading...
39 }	39 }

40	40

41 Exec {	41 Exec {

42 path => '/usr/bin:/bin',	42 path => '/usr/bin:/bin',

43 logoutput => 'on_failure',	43 logoutput => 'on_failure',

44 }	44 }

45	45

46	46

47 file {'/etc/nginx/nginx.conf':	47 file {'/etc/nginx/nginx.conf':

48 content => template('nginx/nginx.conf.erb'),	48 content => template('nginx/nginx.conf.erb'),

49 require => Package['nginx'],	49 require => Package['nginx'],
Wladimir Palant 2016/05/27 11:15:08 If I see it correctly, you replaced notify here by If I see it correctly, you replaced notify here by subscribe on the service itself, and this effectively doesn't change anything. Why did you do it? It's now inconsistent with other configuration files which still use notify. mathias 2016/05/27 11:43:53 Beside the notify for the service in this section Show quoted text On 2016/05/27 11:15:08, Wladimir Palant wrote: > If I see it correctly, you replaced notify here by subscribe on the service > itself, and this effectively doesn't change anything. Why did you do it? It's > now inconsistent with other configuration files which still use notify. Beside the notify for the service in this section here I have also removed require for this file here in the service section - with the notification the latter was implicit. Regarding consistency: That part of comment was a joke, right? Even if not: There is no such rule regarding the ordering in Puppet files, neither in the common coding style nor in any of our extension. (If you want to introduce a preference for consistency I am open to that thought, though I actually prefer explicit operand notation.) But in fact there was still a rationale: Removing this line here implicitly fixes the missing comma at the end of the line, in contrast to removing the obsolete require in the other resource. Wladimir Palant 2016/05/27 12:33:01 Well, you require the package now - it should inst Show quoted text On 2016/05/27 11:43:53, mathias wrote: > Beside the notify for the service in this section here I have also removed > require for this file here in the service section Well, you require the package now - it should install nginx.conf so I don't see a problem here, and I don't see why that change should be related. Show quoted text > Regarding consistency: That part of comment was a joke, right? Even if not: > There is no such rule regarding the ordering in Puppet files, neither in the > common coding style nor in any of our extension. (If you want to introduce a > preference for consistency I am open to that thought, though I actually prefer > explicit operand notation.) I'm not talking about rules. However, there are multiple configuration files listed here, all notifying the Nginx service. Now you took one of them and made the service subscribe to it. I don't really see why you did it. As it is now, the code suggests that Nginx depends on a single configuration file. That's simply not true - there are multiple configuration files and also certificates which will cause a service restart. Show quoted text > But in fact there was still a rationale: Removing this line here implicitly > fixes the missing comma at the end of the line, in contrast to removing the > obsolete require in the other resource. I hope you forgive me if I don't accept missing commas as rationale for unrelated changes. mathias 2016/05/27 14:16:16 I do forgive you, but again this is not the full p Show quoted text On 2016/05/27 12:33:01, Wladimir Palant wrote: > Well, you require the package now - it should install nginx.conf so I don't see > a problem here, and I don't see why that change should be related. > > I'm not talking about rules. However, there are multiple configuration files > listed here, all notifying the Nginx service. Now you took one of them and made > the service subscribe to it. I don't really see why you did it. > > As it is now, the code suggests that Nginx depends on a single configuration > file. That's simply not true - there are multiple configuration files and also > certificates which will cause a service restart. > > I hope you forgive me if I don't accept missing commas as rationale for > unrelated changes. I do forgive you, but again this is not the full picture: The change was related, and the chosen phenotype does not matter technically, at which exact point I start considering rationale like this one - not earlier. Please stop trying to micro-optimize such stuff in reviews; it's the wrong channel, and just blocking operations. Especially because you seem to sometimes still value opinion arguments the same as technical fact ones. In this example it's the "unrelated" part: You did not make any argument to ratify that attribute, let me articulate and write my motivation, but then state nothing more than "I don't see how" in reply. That's quite some overhead for a possible change that does not change anything in behavior. But don't get me wrong, I do appreciate feedback in this direction. So, while we're at it anyway, let's go down that road another time: In fact I do see from your comments that there is a need for a convention on how to denote relationships in Puppet. But that won't be as simple as "just prefer notify over subscribe": I would argue that I care way more about what a service could be triggered from (or, more general, depends on), and not want to potentially search through the entire code-base to find notification declarations. One could reply that there are plenty of cases where one cannot know at service definition time what will trigger the resource later, and that's correct. One could continue that the scheme that always works is preferable, and that's correct as well. But that does not implicitly favor notify over subscribe either: There are other options, in particular the notation using (arrow) operators, which is not only applicable in every case, but also way more explicit, grep- and readable. In addition, it does not require definition with the underlying resource itself, thus allows for flexible combination with i.e. function create_resources(). It's clearly the most sophisticated approach. Usually I would make a cut here and push towards a follow-up, leaving that patch-set as it is in that regard and finally being able to continue with the tasks depending on this one. But since you seem to feel pretty strongly about some of these aspects, I let you decide: a) introducing more unrelated changes by letting this very patch-set become an example for the to-be-introduced convention of using operator notation or b) creating an explicit follow-up ticket with the exact same intention. So, what should it be? Wladimir Palant 2016/05/27 14:41:34 You are free to remove unrelated changes from this Show quoted text On 2016/05/27 14:16:16, mathias wrote: > Please stop trying to micro-optimize such stuff in reviews; it's the wrong > channel, and just blocking operations. You are free to remove unrelated changes from this review. That's generally advisable as unrelated changes tend to make reviews unnecessarily complicated. Besides, the way I see things we really have a one-line change change here - something that's not really obvious due to all the unrelated changes. Show quoted text > Especially because you seem to sometimes > still value opinion arguments the same as technical fact ones. Yes, when it comes to code readability I value opinion arguments. Show quoted text > In this example > it's the "unrelated" part: You did not make any argument to ratify that > attribute, let me articulate and write my motivation, but then state nothing > more than "I don't see how" in reply. That's quite some overhead for a possible > change that does not change anything in behavior. In fact, I verified myself that the behavior doesn't change (not being a Puppet expert, this wasn't really obvious to me). The change does make some aspects of what is happening here less obvious however, that's why I'm asking for rationale. Show quoted text > In fact I do see from your comments that there is a need for a convention on how > to denote relationships in Puppet. As I said, I don't care about global conventions. I only care about relationships being specified differently for one and the same service, within one and the same file. Show quoted text > But that won't be as simple as "just prefer > notify over subscribe": I didn't suggest anything like that. Show quoted text > I let you decide: > > a) introducing more unrelated changes by letting this very patch-set become an > example for the to-be-introduced convention of using operator notation or > b) creating an explicit follow-up ticket with the exact same intention. Clearly b). The intention of this change is cleaning up nginx restart behavior, there shouldn't be any additional non-trivial changes.
	50 notify => Service['nginx']

50 }	51 }

51	52

52 file {'/etc/nginx/sites-available':	53 file {'/etc/nginx/sites-available':

53 ensure => directory,	54 ensure => directory,

54 require => Package['nginx']	55 require => Package['nginx']

55 }	56 }

56	57

57 file {'/etc/nginx/sites-enabled':	58 file {'/etc/nginx/sites-enabled':

58 ensure => directory,	59 ensure => directory,

59 require => Package['nginx']	60 require => Package['nginx']

60 }	61 }

61	62

62 file {'/var/cache/nginx':	63 file {'/var/cache/nginx':

63 before => Service['nginx'],	64 before => Service['nginx'],

64 ensure => directory,	65 ensure => directory,

65 require => Package['nginx'],	66 require => Package['nginx'],

	67 }

	68

	69 @file {'/etc/nginx/dhparam.pem':

	70 ensure => 'present',

	71 mode => 0600,

	72 notify => Service['nginx'],

	73 require => Package['nginx'],

	74 source => 'puppet:///modules/private/dhe_rsa_export.pem',

66 }	75 }

67	76

68 define hostconfig (	77 define hostconfig (

69 $domain = $title,	78 $domain = $title,

70 $alt_names = [],	79 $alt_names = [],

71 $log,	80 $log,

72 $log_format = 'main',	81 $log_format = 'main',

73 $is_default = false,	82 $is_default = false,

74 $source = undef,	83 $source = undef,

75 $content = undef,	84 $content = undef,

76 $global_config = undef,	85 $global_config = undef,

77 $certificate = undef,	86 $certificate = undef,

78 $private_key = undef,	87 $private_key = undef,

79 $enabled = true) {	88 $enabled = true) {

80 file {"/etc/nginx/sites-available/${domain}":	89 file {"/etc/nginx/sites-available/${domain}":

81 ensure => file,	90 ensure => file,

82 content => template('nginx/site.erb'),	91 content => template('nginx/site.erb'),

83 require => Package['nginx'],	92 require => Package['nginx'],

84 notify => Service['nginx'],	93 notify => Service['nginx'],

85 }	94 }

86	95

87 if $certificate and $private_key {	96 if $certificate and $private_key {

	97 realize(File['/etc/nginx/dhparam.pem'])

	98

88 if !defined(File["/etc/nginx/${certificate}"]) {	99 if !defined(File["/etc/nginx/${certificate}"]) {

89 file {"/etc/nginx/${certificate}":	100 file {"/etc/nginx/${certificate}":

90 ensure => file,	101 ensure => file,

91 mode => 0400,	102 mode => 0400,

92 notify => Service['nginx'],	103 notify => Service['nginx'],

93 before => File["/etc/nginx/sites-available/${domain}"],	104 before => File["/etc/nginx/sites-available/${domain}"],

94 require => Package['nginx'],	105 require => Package['nginx'],

95 source => "puppet:///modules/private/${certificate}"	106 source => "puppet:///modules/private/${certificate}"

96 }	107 }

97 }	108 }

(...skipping 80 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
178	189

179 $find_chmod_base = [$find_cmd_base, '-not', '-perm', '0640']	190 $find_chmod_base = [$find_cmd_base, '-not', '-perm', '0640']

180 $find_chmod_exec = ['-ls', '-exec', 'chmod', '0640', '{}', ';']	191 $find_chmod_exec = ['-ls', '-exec', 'chmod', '0640', '{}', ';']

181	192

182 exec {"set_logfiles_permissions":	193 exec {"set_logfiles_permissions":

183 command => shellquote($find_chmod_base, $find_chmod_exec),	194 command => shellquote($find_chmod_base, $find_chmod_exec),

184 unless => shellquote($find_chmod_base, $find_kill_exec),	195 unless => shellquote($find_chmod_base, $find_kill_exec),

185 subscribe => Service['nginx'],	196 subscribe => Service['nginx'],

186 }	197 }

187	198

	199 $restart_command = join([

	200 'set -e',

	201 'pid=`cat /var/run/nginx.pid`',

	202 'kill -USR2 "$pid"',

	203 'sleep 2',

	204 'kill -QUIT "$pid"',

	205 ], "\n")

	206

188 service {'nginx':	207 service {'nginx':

189 ensure => running,	208 ensure => running,

190 enable => true,	209 enable => true,

191 hasrestart => true,	210 restart => $restart_command,
Wladimir Palant 2016/05/27 11:15:08 Do I see it correctly that we will now restart Ngi Do I see it correctly that we will now restart Nginx for every configuration change? In other words, whenever we deploy a configuration change Nginx will stop accepting connections for some time. This is rather suboptimal, isn't there any better solution? mathias 2016/05/27 11:43:53 No, not with Puppet, at least not without a custom Show quoted text On 2016/05/27 11:15:08, Wladimir Palant wrote: > Do I see it correctly that we will now restart Nginx for every configuration > change? In other words, whenever we deploy a configuration change Nginx will > stop accepting connections for some time. This is rather suboptimal, isn't there > any better solution? No, not with Puppet, at least not without a custom service provider. But this is not as bad as it may seem: Nginx restarts way faster than any common timeout, and with hasrestart => true we avoid the common pitfall of first stopping and then starting, which often leads to port collision (resp. false-positives) and similar issues, thus is often done with a delay in between. Wladimir Palant 2016/05/27 12:33:01 That's not how I think it works - the original pro Show quoted text On 2016/05/27 11:43:53, mathias wrote: > Nginx restarts way faster than any common timeout, > and with hasrestart => true we avoid the common pitfall of first stopping and > then starting, That's not how I think it works - the original process has to stop before the new one can start. And stopping takes a while on heavily loaded servers due to some connections taking much time to be handled, during that time the server won't accept any new connections. How about specifying an explicit restart command, one that won't produce any dropped connections? restart => 'PID=`cat /run/nginx.pid` && kill -USR2 $PID && sleep 1 && kill -QUIT $PID', This will start a new nginx instance before instructing the old one to shut down. Shutting down the old instance will take minutes, the new instance will be processing incoming connections already however. mathias 2016/05/27 14:16:16 Using the restart parameter for this approach is n Show quoted text On 2016/05/27 12:33:01, Wladimir Palant wrote: > That's not how I think it works - the original process has to stop before the > new one can start. And stopping takes a while on heavily loaded servers due to > some connections taking much time to be handled, during that time the server > won't accept any new connections. > > How about specifying an explicit restart command, one that won't produce any > dropped connections? > > restart => 'PID=`cat /run/nginx.pid` && kill -USR2 $PID && sleep 1 && kill > -QUIT $PID', > > This will start a new nginx instance before instructing the old one to shut > down. Shutting down the old instance will take minutes, the new instance will be > processing incoming connections already however. Using the restart parameter for this approach is not the cleanest of solutions, and there are some pitfalls; i.e. the restart being reported as successful despite still being in progress and potentially failing. But I do see how the resulting behavior could be preferable. Hence I'd say we try it out, and if it works in this or adjusted form we can subsequently integrate it as a service provider overlay for Nginx, covering most pitfalls. Will update and test the patch-set aligned to your suggestion while waiting for your feedback regarding the topic above. Wladimir Palant 2016/05/27 14:41:34 Thank you. Show quoted text On 2016/05/27 14:16:16, mathias wrote: > Will update and test the patch-set aligned to your suggestion Thank you.
192 hasstatus => true,	211 hasstatus => true,

193 require => Package['nginx'],	212 require => Package['nginx'],

194 subscribe => File['/etc/nginx/nginx.conf'],

195 }	213 }

196	214

197 file {'/usr/share/nginx/html/50x.html':	215 file {'/usr/share/nginx/html/50x.html':

198 mode => 0644,	216 mode => 0644,

199 owner => 'root',	217 owner => 'root',

200 require => Package['nginx'],	218 require => Package['nginx'],

201 source => 'puppet:///modules/nginx/50x.html',	219 source => 'puppet:///modules/nginx/50x.html',

202 }	220 }

203 }	221 }

LEFT	RIGHT