manifests/issuesserver.pp - Issue 5735669590654976: #753 - set up an order system to let eyeo employees file order requests

Delta Between Two Patch Sets: manifests/issuesserver.pp

Issue 5735669590654976: #753 - set up an order system to let eyeo employees file order requests (Closed)

Left Patch Set: #753 - set up an order system to let eyeo employees file order requests Created July 22, 2014, 12:47 a.m.

Right Patch Set: #753 - set up an order system to let eyeo employees file order requests Created Aug. 6, 2014, 12:38 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 node 'issues1' {	1 node 'issues1' {

2	2

3 include base, private::trac	3 include base, private::trac

4	4

5 class {'trac':	5 class {'trac':

6 domain => 'issues.adblockplus.org',	6 domain => 'issues.adblockplus.org',

7 certificate => 'issues.adblockplus.org_sslcert.pem',	7 certificate => 'issues.adblockplus.org_sslcert.pem',

8 private_key => 'issues.adblockplus.org_sslcert.key',	8 private_key => 'issues.adblockplus.org_sslcert.key',

9 is_default => true,	9 is_default => true,

10 }	10 }

11	11

12 trac::instance {'trac':	12 trac::instance {'issues':

13 config => 'trac/trac.ini.erb',	13 config => 'trac/trac.ini.erb',

14 description => 'Adblock Plus Issue Tracker',	14 description => 'Adblock Plus Issue Tracker',

15 environment => 'environment',

16 location => '/',	15 location => '/',

17 logo => 'adblockplus_logo.png',	16 logo => 'puppet:///modules/trac/adblockplus_logo.png',

18 database => 'trac',	17 database => 'trac',

	18 permissions => "puppet:///modules/trac/permissions.csv",

19 }	19 }

20	20

21 trac::instance {'orders':	21 trac::instance {'orders':

22 config => 'trac/orders.ini.erb',	22 config => 'trac/orders.ini.erb',

23 description => 'Eyeo Order System',	23 description => 'Eyeo Order System',

24 environment => 'environment-orders',	24 location => '/orders',

25 location => '/orders/',	25 logo => 'puppet:///modules/trac/eyeo_logo.png',

26 logo => 'eyeo_logo.png',

27 database => 'trac_orders',	26 database => 'trac_orders',

	27 permissions => "puppet:///modules/trac/order-permissions.csv",

28 }	28 }

29	29

30 # Transforming the auth_cookie table of the "new" Trac project into a	30 # Transforming the auth_cookie table of the "new" Trac project into an

31 # federated uplink for the "old" project's table of the same name avoids	31 # insertable view for the "old" project's table of the same name avoids

32 # the need to convert the entire auth to htpasswd-file handling, which	32 # the need to convert the entire auth to htpasswd-file handling, which

33 # would be the official way to go for achieving a shared authentication.	33 # would be the official way to go for achieving a shared authentication.

34 exec { 'trac_auth_cookie_federated':	34 exec { 'trac_auth_cookie_view':

35 command => "mysql -utrac -p'${private::trac::database_password}' trac --exec ute 'SHOW CREATE TABLE auth_cookie' -N \	35 command => "mysql -utrac -p'${private::trac::database_password}' trac_orders --execute '

36 \| cut -d'»' -f2 \	36 DROP TABLE IF EXISTS auth_cookie;

37 \| sed -e 's/auth_cookie/auth_cookie_federated/' -e 's/\\\\n//g' \	37 CREATE VIEW auth_cookie AS SELECT * FROM trac.auth_cookie;'",

38 -e 's/ENGINE=[A-Za-z]\\+/ENGINE=FEDERATED/' \	38 unless => "mysql -utrac -p'${private::trac::database_password}' trac_orders --execute '

39 -e 's/$/ CONNECTION=\"mysql:\\/\\/trac:${private::trac::database_pas sword}@localhost\\/trac\\/auth_cookie\";/' \	39 SHOW CREATE VIEW auth_cookie'",

40 -e 's/$/ RENAME TABLE auth_cookie TO auth_cookie_original, auth_cook ie_federated TO auth_cookie;/' \

41 \| mysql -utrac -p'${private::trac::database_password}' trac_orders

42 ",

43 unless => "mysql -utrac -p'${private::trac::database_password}' trac_orders --execute 'SHOW CREATE TABLE auth_cookie' \| grep FEDERATED",
Wladimir Palant 2014/07/22 13:52:24 This is quite complex, and there are lots of warni This is quite complex, and there are lots of warning referring to federated MySQL tables (performance, security). Since both instances run on the same server, what about: CREATE VIEW trac_orders.auth_cookie AS SELECT * FROM trac.auth_cookie; This view should be updatable, won't it work as well? mathias 2014/07/24 16:36:49 Sure, it does. Yet it does not allow to move to a Show quoted text On 2014/07/22 13:52:24, Wladimir Palant wrote: > This is quite complex, and there are lots of warning referring to federated > MySQL tables (performance, security). Since both instances run on the same > server, what about: > > CREATE VIEW trac_orders.auth_cookie AS SELECT * FROM trac.auth_cookie; > > This view should be updatable, won't it work as well? Sure, it does. Yet it does not allow to move to a distinct server some day (which was intended before). However, since that's not an issue any more, I'll update it accordingly.
44 path => "/usr/bin:/usr/sbin:/bin:/usr/local/bin",	40 path => "/usr/bin:/usr/sbin:/bin:/usr/local/bin",

45 require => [	41 require => [

46 Exec["deploy_trac"],	42 Exec["deploy_issues"],

47 Exec["deploy_orders"],	43 Exec["deploy_orders"],

48 ],	44 ],

49 }	45 }

50	46

51 # Synchronizing e-mail and password information between the project	47 # Synchronizing e-mail and password information between the project

52 # allows for logging in from any entry point - whilst maintaining a	48 # allows for logging in from any entry point - whilst maintaining a

53 # registration form (and process) in one project only.	49 # registration form (and process) in one project only.
Wladimir Palant 2014/07/22 13:52:24 Why do we want this table to be synced (rather inf Why do we want this table to be synced (rather infrequently) rather than shared? mathias 2014/07/24 16:36:49 Because the Trac software also stores other inform Show quoted text On 2014/07/22 13:52:24, Wladimir Palant wrote: > Why do we want this table to be synced (rather infrequently) rather than shared? Because the Trac software also stores other information in this fashion (see the NAME IN() clause, which restricts to those pieces we need). One example is search criteria, which may include ticket types and the like - those are not equal in the Trac instances.
54 cron {'trac_session_attribute_sync':	50 cron {'trac_session_attribute_sync':

55 ensure => present,	51 ensure => present,

56 user => trac,	52 user => trac,

57 minute => '*/30',	53 minute => '*/30',

58 command => "mysql -utrac -p'${private::trac::database_password}' trac_orders --execute ' \	54 command => "mysql -utrac -p'${private::trac::database_password}' trac_orders --execute ' \

59 INSERT INTO session_attribute (sid, authenticated, name, value) SELECT sid , authenticated, name, value \	55 INSERT INTO session_attribute (sid, authenticated, name, value) SELECT sid , authenticated, name, value \

60 FROM trac.session_attribute WHERE authenticated = 1 AND name IN (\"email\" , \"password\") \	56 FROM trac.session_attribute WHERE authenticated = 1 AND name IN (\"email\" , \"password\") \

61 ON DUPLICATE KEY UPDATE value=VALUES(value) ' >/dev/null	57 ON DUPLICATE KEY UPDATE value=VALUES(value) ' >/dev/null

62 ",	58 ",

63 require => Exec['trac_auth_cookie_federated'],	59 require => Exec['trac_auth_cookie_view'],

	60 }

	61

	62 # This directive is required due to legacy issues, where only one trac

	63 # project was configured. Now we want to have more verbose names, e.g.

	64 # tracd_issues and tracd_orders, but the spawn-fcgi module doesn't remove

	65 # unmentioned former setups. So, in order to avoid conflicts or manual

	66 # intervention during rollout, we must keep this statement here and never

	67 # re-use the name again. Ugly, but neccessary.

	68 spawn-fcgi::pool {"tracd":

	69 ensure => absent,

	70 require => Exec['tracd_kludge'],

	71 }

	72

	73 # Unfortunately, the spawn-fcgi module is not capable of stopping the

	74 # processes of pools that are changed to absent - simply because it removes

	75 # the configuration file and the subsequent reload or restart does not

	76 # recognize the pool any more. Thus, we have to ensure that the service is

	77 # stopped before:

	78 exec { 'tracd_kludge':

	79 command => 'service spawn-fcgi stop',

	80 onlyif => 'service spawn-fcgi status',

	81 path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',

	82 notify => Service['spawn-fcgi'],

	83 }

	84

	85 # Pretty similar to the "tracd" pool issue above: The trac-admin initenv

	86 # command would fail for environment-issues after creation of the directory

	87 # structure, when it comes to the database setup (which already exists),

	88 # if we do not handle the existing resources manually..

	89 exec { 'trac_env_issues_kludge':

	90 command => 'ln -s environment /home/trac/environment-issues',

	91 before => Exec['trac_env_issues'],

	92 path => "/usr/bin:/bin",

	93 user => trac,

	94 onlyif => 'test -d /home/trac/environment && \

	95 test ! -e /home/trac/environment-issues',

	96 require => User['trac'],

64 }	97 }

65	98

66 class {'nagios::client':	99 class {'nagios::client':

67 server_address => 'monitoring.adblockplus.org'	100 server_address => 'monitoring.adblockplus.org'

68 }	101 }

69 }	102 }

LEFT	RIGHT