modules/discourse/manifests/init.pp - Issue 4924880143253504: Issue 2471 - Update our Discourse instance

Delta Between Two Patch Sets: modules/discourse/manifests/init.pp

Issue 4924880143253504: Issue 2471 - Update our Discourse instance (Closed)

Left Patch Set: Fixed requirements and minor improvements Created May 8, 2015, 9:53 p.m.

Right Patch Set: Check out correct revision Created May 12, 2015, 10:15 a.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 class discourse(	1 class discourse(

2 $domain,	2 $domain,

3 $certificate,	3 $certificate,

4 $private_key,	4 $private_key,

5 $is_default = false	5 $is_default = false

6 ) inherits private::discourse {	6 ) inherits private::discourse {

7	7

	8 $hg_revision = 'd31d28147381'

	9 $git_revision = '8a3a02421a39f53b6adf3ca9a6fdba73f42bc932'

	10 $ruby_version = '2.1.2'

	11 $postgresql_version = '9.3'

	12

8 class { 'postgresql::globals':	13 class { 'postgresql::globals':

9 manage_package_repo => true,	14 manage_package_repo => true,

10 version => '9.3',	15 version => $postgresql_version,

11 }->	16 }->

12 class {"postgresql::server":}	17 class {"postgresql::server":}

13	18

14 class {"postgresql::server::contrib":	19 class {"postgresql::server::contrib":

15 package_ensure => 'present',	20 package_ensure => 'present',

16 }	21 }

17	22

18 postgresql::server::database {'discourse':}	23 postgresql::server::database {'discourse':}

19	24

20 postgresql::server::role {'discourse':	25 postgresql::server::role {'discourse':

(...skipping 13 matching lines...) Expand all Loading...
34 $gem_dependencies = ['libpq-dev']	39 $gem_dependencies = ['libpq-dev']

35 $image_optim_dependencies = ['advancecomp', 'gifsicle', 'jhead', 'jpegoptim',	40 $image_optim_dependencies = ['advancecomp', 'gifsicle', 'jhead', 'jpegoptim',

36 'libjpeg-progs', 'optipng', 'pngcrush']	41 'libjpeg-progs', 'optipng', 'pngcrush']

37 $image_sorcery_dependencies = 'imagemagick'	42 $image_sorcery_dependencies = 'imagemagick'

38	43

39 package {[$rvm_dependencies, $discourse_dependencies, $gem_dependencies, $imag e_optim_dependencies, $image_sorcery_dependencies]:	44 package {[$rvm_dependencies, $discourse_dependencies, $gem_dependencies, $imag e_optim_dependencies, $image_sorcery_dependencies]:

40 ensure => present	45 ensure => present

41 }	46 }

42	47

43 Exec <\| tag == 'rvm' \|> {	48 Exec <\| tag == 'rvm' \|> {

44 path => '/bin:/usr/bin:/usr/sbin:/usr/local/bin:/home/discourse/.rvm/bin',	49 path => '/home/discourse/.rvm/bin:/usr/local/bin:/usr/bin:/bin',
mathias 2015/05/09 15:34:19 Do you know why the directory precedence here is i Do you know why the directory precedence here is inverted, in contrast to what one would expect? I do realize that the former version did the same, but there's no obvious reason for either one - and it looks like it can quickly become an issue. Wladimir Palant 2015/05/11 15:00:42 Done. Show quoted text On 2015/05/09 15:34:19, matze wrote: > Do you know why the directory precedence here is inverted, in contrast to what > one would expect? I do realize that the former version did the same, but there's > no obvious reason for either one - and it looks like it can quickly become an > issue. Done.
45 user => discourse,	50 user => discourse,

46 group => www-data,	51 group => www-data,

47 environment => ['HOME=/home/discourse'],	52 environment => ['HOME=/home/discourse'],

48 }	53 }

49	54

50 exec {'install-rvm-key':	55 exec {'install-rvm-key':

51 command => 'gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C2754 62A1703113804BB82D39DC0E3',	56 command => 'gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C2754 62A1703113804BB82D39DC0E3',

52 tag => 'rvm',	57 tag => 'rvm',

53 unless => 'gpg --list-keys \| grep D39DC0E3',	58 unless => 'gpg --list-keys \| grep D39DC0E3',

54 }	59 }

55	60

56 exec {'install-ruby':	61 exec {'install-rvm':

57 command => 'curl -sSL https://get.rvm.io \| bash -s stable --ruby=2.1.2',	62 command => 'curl -sSL https://get.rvm.io \| bash -s stable',
mathias 2015/05/09 15:34:19 Note that this does not cover upgrading to future Note that this does not cover upgrading to future Ruby versions, a specific patch or similar. Also, it introduces yet another major (but avoidable) dependency on external resources. However, it's fine for now that we want to fix Discourse logins, but we have to re-visit it afterwards at least. Wladimir Palant 2015/05/11 15:00:42 Yes, I had RVM and Ruby installation separate init Show quoted text On 2015/05/09 15:34:19, matze wrote: > Note that this does not cover upgrading to future Ruby versions, a specific > patch or similar. Yes, I had RVM and Ruby installation separate initially but dropped that for reasons of simplicity. I guess we'll want to reintroduce that separation. I verified that updating Ruby actually works correctly now. However, I didn't update to Ruby 2.2.2 yet because in my VM it produced out of memory errors.
58 tag => 'rvm',	63 tag => 'rvm',

59 creates => '/home/discourse/.rvm',	64 creates => '/home/discourse/.rvm',

60 timeout => 0,	65 timeout => 0,

61 logoutput => true,	66 logoutput => true,

62 require => [Exec['install-rvm-key'], Package[$rvm_dependencies]],	67 require => [Exec['install-rvm-key'], Package[$rvm_dependencies]],

63 }	68 }

64	69

	70 exec {'install-ruby':

	71 command => "rvm install $ruby_version && rvm default do rvm --default use $r uby_version",

	72 tag => 'rvm',

	73 unless => "rvm list \| grep $ruby_version",
	mathias 2015/05/26 10:02:16 Please use shellquote() to ensure $ruby_version ca Please use shellquote() to ensure $ruby_version cannot break anything here -- Wladimir Palant 2015/05/26 10:41:17 Given that $ruby_version is a constant set above, Show quoted text On 2015/05/26 10:02:16, matze wrote: > Please use shellquote() to ensure $ruby_version cannot break anything here -- Given that $ruby_version is a constant set above, do you consider that necessary? Also, if we do it for $ruby_version then we should do it for $hg_revision as well. mathias 2015/05/26 10:54:36 Indeed, it should be done there as well. And yes Show quoted text On 2015/05/26 10:41:17, Wladimir Palant wrote: > On 2015/05/26 10:02:16, matze wrote: > > Please use shellquote() to ensure $ruby_version cannot break anything here -- > > Given that $ruby_version is a constant set above, do you consider that > necessary? Also, if we do it for $ruby_version then we should do it for > $hg_revision as well. Indeed, it should be done there as well. And yes I believe it's necessary. One should always assume the next programmer to be less careful and wise than oneself (even if it will be oneself most likely). And such a guy may forget to check for the use of $ruby_version when migrating it to become a parameter one day (for example, but not even unlikely), which can also easily be overseen in a code-review. However, please note that we agreed last year on making use of shell_escape() wherever it may make sense - just to have an easy but secure guideline that does not require the same decision ("is it necessary?") over and over again..
	74 timeout => 0,

	75 logoutput => true,

	76 notify => Exec['init-discourse'],

	77 require => Exec['install-rvm'],

	78 }

	79

65 exec {'install-bundler':	80 exec {'install-bundler':
mathias 2015/05/09 15:34:19 Note that this would be better handled as a Packag Note that this would be better handled as a Package with provider => gem -- Though our Puppet version may not be compatible with this version of Gem itself. So gain this may be fine for now, but should become revisited at least. Wladimir Palant 2015/05/11 15:00:42 We need two different Ruby versions: one for Puppe Show quoted text On 2015/05/09 15:34:19, matze wrote: > Note that this would be better handled as a Package with provider => gem -- We need two different Ruby versions: one for Puppet/Hiera (1.9), another one for Discourse (2.0+). So we don't touch the system Ruby version and install a separate version for discourse user only. Using Package will only install bundler in the system Ruby - that's what we did before but it won't be usable with the Ruby installation in the discourse account. So Exec seems to be the only way.
66 command => 'rvm default do gem install bundler',	81 command => 'rvm default do gem install bundler',

67 tag => 'rvm',	82 tag => 'rvm',

68 unless => 'rvm default do gem list \| grep "^bundler ")',	83 unless => 'rvm default do gem list \| grep "^bundler "',

69 require => Exec['install-ruby'],	84 require => Exec['install-ruby'],

70 }	85 }

71	86

72 file {'/opt/discourse':	87 file {'/opt/discourse':

73 ensure => directory,	88 ensure => directory,

74 mode => 755,	89 mode => 755,

75 owner => discourse,	90 owner => discourse,

76 group => www-data	91 group => www-data

77 }	92 }

78	93

79 file {['/opt/discourse/tmp', '/opt/discourse/tmp/pids']:	94 file {['/opt/discourse/tmp', '/opt/discourse/tmp/pids']:

80 ensure => directory,	95 ensure => directory,

81 mode => 755,	96 mode => 755,

82 owner => discourse,	97 owner => discourse,

83 group => www-data,	98 group => www-data,

84 require => Exec['fetch-discourse']	99 require => Exec['fetch-discourse']

85 }	100 }

86	101

87 file {'/opt/discourse/config/discourse.conf':	102 file {'/opt/discourse/config/discourse.conf':

88 mode => 600,	103 mode => 600,

89 owner => discourse,	104 owner => discourse,

90 group => www-data,	105 group => www-data,

91 content => template('discourse/discourse.conf.erb'),	106 content => template('discourse/discourse.conf.erb'),

92 notify => Service['discourse'],	107 notify => Service['discourse'],

93 require => Exec['fetch-discourse']	108 require => Exec['update-discourse']

94 }	109 }

95	110

96 file {'/usr/local/bin/init-discourse':	111 file {'/usr/local/bin/init-discourse':

97 mode => 0755,	112 mode => 0755,

98 owner => root,	113 owner => root,

99 group => root,	114 group => root,

100 source => 'puppet:///modules/discourse/init-discourse'	115 source => 'puppet:///modules/discourse/init-discourse'

101 }	116 }

102	117

103 user {'discourse':	118 user {'discourse':

104 ensure => present,	119 ensure => present,

105 comment => 'Discourse user',	120 comment => 'Discourse user',

106 home => '/home/discourse',	121 home => '/home/discourse',

107 gid => www-data,	122 gid => www-data,

108 password => '*',	123 password => '*',

109 managehome => true	124 managehome => true

110 }	125 }

111	126

112 file {'/etc/sudoers.d/discourse':	127 file {'/etc/sudoers.d/discourse':

113 ensure => present,	128 ensure => present,

114 owner => root,	129 owner => root,

115 group => root,	130 group => root,

116 mode => 0440,	131 mode => 0440,

117 source => 'puppet:///modules/discourse/sudoers',	132 source => 'puppet:///modules/discourse/sudoers',

118 require => User['discourse']	133 require => User['discourse']

119 }	134 }

120	135

121 exec {'fetch-discourse':	136 exec {'fetch-discourse':

122 command => "hg clone https://hg.adblockplus.org/discourse /opt/discourse",	137 command => 'hg clone --noupdate https://hg.adblockplus.org/discourse /opt/di scourse',

123 path => ["/usr/bin/", "/bin/"],	138 path => ["/usr/bin/", "/bin/"],

124 user => discourse,	139 user => discourse,

125 group => www-data,	140 group => www-data,

126 timeout => 0,	141 timeout => 0,

127 require => [Package['mercurial'], File['/opt/discourse']],	142 require => [Package['mercurial'], File['/opt/discourse']],

	143 onlyif => "test ! -d /opt/discourse/.hg"

	144 }

	145

	146 exec {'update-discourse':

	147 command => "hg update -R /opt/discourse --clean -r $hg_revision",

	148 unless => "hg id -R /opt/discourse \| grep $hg_revision",

	149 path => ["/usr/bin/", "/bin/"],

	150 user => discourse,

	151 group => www-data,

128 notify => Exec['init-discourse'],	152 notify => Exec['init-discourse'],

129 onlyif => "test ! -d /opt/discourse/.hg"	153 require => Exec['fetch-discourse'],
mathias 2015/05/09 15:34:19 (Not part of this patch-set, but a bug that needs (Not part of this patch-set, but a bug that needs to be addressed as well; cloning into a non-empty directory does not work. Though in practice that should not happen with the code here, it's still a footgun.) Wladimir Palant 2015/05/11 15:00:42 Why would it be non-empty? It's created right befo Show quoted text On 2015/05/09 15:34:19, matze wrote: > (Not part of this patch-set, but a bug that needs to be addressed as well; > cloning into a non-empty directory does not work. Though in practice that should > not happen with the code here, it's still a footgun.) Why would it be non-empty? It's created right before cloning - and it's only a separate step because the discourse user doesn't have permission to write to /opt.
130 }

131

132 file {'/opt/discourse/config/initializers/airbrake.rb':

133 ensure => absent,

134 before => Exec['init-discourse'],

135 }	154 }

136	155

137 file {'/opt/discourse/config/version.rb':	156 file {'/opt/discourse/config/version.rb':

138 ensure => present,	157 ensure => present,

139 owner => discourse,	158 owner => discourse,

140 group => www-data,	159 group => www-data,

141	160

142 # This is hardcoded here so that Discourse doesn't try to extract it from	161 # This is hardcoded here so that Discourse doesn't try to extract it from

143 # the repository. Ideally, we should update it when updating Discourse.	162 # the repository. Ideally, we should update it when updating Discourse.

144 content => '$git_version = "8a3a02421a39f53b6adf3ca9a6fdba73f42bc932"',	163 content => "\$git_version = '$git_revision'",

145 require => Exec['fetch-discourse'],	164 require => Exec['update-discourse'],

146 before => Exec['init-discourse'],	165 before => Exec['init-discourse'],

147 }	166 }

148	167

149 exec {'init-discourse':	168 exec {'init-discourse':

150 command => 'rvm default do /usr/local/bin/init-discourse',	169 command => 'rvm default do /usr/local/bin/init-discourse',

151 tag => 'rvm',	170 tag => 'rvm',

152 subscribe => File['/usr/local/bin/init-discourse'],	171 subscribe => File['/usr/local/bin/init-discourse'],

153 refreshonly => true,	172 refreshonly => true,

154 timeout => 0,	173 timeout => 0,

155 logoutput => true,	174 logoutput => true,

156 require => [Exec['install-bundler'],	175 require => [Exec['install-bundler'],

157 Package[$discourse_dependencies, $gem_dependencies],	176 Package[$discourse_dependencies, $gem_dependencies],

158 User['discourse'], File['/etc/sudoers.d/discourse'],	177 User['discourse'], File['/etc/sudoers.d/discourse'],

159 Exec['fetch-discourse'],	178 Exec['update-discourse'],

160 File['/opt/discourse/config/discourse.conf'],	179 File['/opt/discourse/config/discourse.conf'],

161 Postgresql::Server::Role['discourse']]	180 Postgresql::Server::Role['discourse']]

162 }	181 }

163	182

164 Discourse::Sitesetting <\| \|> {	183 Discourse::Sitesetting <\| \|> {

165 require => Exec['init-discourse']	184 require => Exec['init-discourse']

166 }	185 }

167	186

168 discourse::sitesetting {'title':	187 discourse::sitesetting {'title':

169 ensure => present,	188 ensure => present,

(...skipping 149 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
319 ensure => present,	338 ensure => present,

320 type => 3,	339 type => 3,

321 value => '50',	340 value => '50',

322 }	341 }

323	342

324 Discourse::Customservice <\| \|> {	343 Discourse::Customservice <\| \|> {

325 user => 'discourse',	344 user => 'discourse',

326 workdir => '/opt/discourse',	345 workdir => '/opt/discourse',

327 env => ['RAILS_ENV=production', 'RUBY_GC_MALLOC_LIMIT=90000000',	346 env => ['RAILS_ENV=production', 'RUBY_GC_MALLOC_LIMIT=90000000',

328 'UNICORN_WORKERS=2', 'LD_PRELOAD=/usr/lib/libjemalloc.so.1'],	347 'UNICORN_WORKERS=2', 'LD_PRELOAD=/usr/lib/libjemalloc.so.1'],

329 require => Exec['init-discourse']	348 require => Exec['init-discourse']
mathias 2015/05/09 15:34:19 Wouldn't it make more sense to make it subscribe t Wouldn't it make more sense to make it subscribe to all Discourse::Sitesetting[]s? (Then Exec['init-discourse'] is covered as well.) Wladimir Palant 2015/05/11 15:00:42 Not sure whether the services should really be con Show quoted text On 2015/05/09 15:34:19, matze wrote: > Wouldn't it make more sense to make it subscribe to all > Discourse::Sitesetting[]s? (Then Exec['init-discourse'] is covered as well.) Not sure whether the services should really be considered dependent on the settings. Given that these settings are non-essential (the essential ones are in discourse.conf) and can be changed via web UI - I think they shouldn't prevent the services from starting up.
330 }	349 }

331	350

332 discourse::customservice {'discourse':	351 discourse::customservice {'discourse':

333 command => '/home/discourse/.rvm/bin/rvm default do bundle exec config/unico rn_launcher -c config/unicorn.conf.rb',	352 command => '/home/discourse/.rvm/bin/rvm default do bundle exec config/unico rn_launcher -c config/unicorn.conf.rb',

334 require => File['/opt/discourse/tmp/pids'],	353 require => File['/opt/discourse/tmp/pids'],

335 }	354 }

336	355

337 discourse::customservice {'sidekiq':	356 discourse::customservice {'sidekiq':

338 command => '/home/discourse/.rvm/bin/rvm default do bundle exec sidekiq'	357 command => '/home/discourse/.rvm/bin/rvm default do bundle exec sidekiq'

339 }	358 }

340	359

341 class {'nginx':	360 class {'nginx':

342 worker_processes => 1,	361 worker_processes => 1,

343 worker_connections => 500	362 worker_connections => 500

344 }	363 }

345	364

346 nginx::hostconfig{$domain:	365 nginx::hostconfig{$domain:

347 source => 'puppet:///modules/discourse/site.conf',	366 source => 'puppet:///modules/discourse/site.conf',

348 global_config => '	367 global_config => '

349 upstream discourse {	368 upstream discourse {

350 server localhost:3000;	369 server localhost:3000;

351 }',	370 }',

352 is_default => $is_default,	371 is_default => $is_default,

353 certificate => $certificate,	372 certificate => $certificate,

354 private_key => $private_key,	373 private_key => $private_key,

355 log => 'access_log_intraforum'	374 log => 'access_log_intraforum'

356 }	375 }

357 }	376 }

LEFT	RIGHT