diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml
index e097c25da..5cc8239ec 100644
--- a/inventory/service/groups.yaml
+++ b/inventory/service/groups.yaml
@@ -84,6 +84,9 @@ groups:
 - graphite3.apimon.eco.tsi-dev.otc-service.com
 - graphite1.eco.tsi-dev.otc-service.com
+ graphite-web:
+ - web3.eco.tsi-dev.otc-service.com
+
 memcached:
 - graphite1.apimon.eco.tsi-dev.otc-service.com
 - graphite2.apimon.eco.tsi-dev.otc-service.com
diff --git a/inventory/service/host_vars/web3.eco.tsi-dev.otc-service.com.yaml b/inventory/service/host_vars/web3.eco.tsi-dev.otc-service.com.yaml
index abf2ceca4..21152db53 100644
--- a/inventory/service/host_vars/web3.eco.tsi-dev.otc-service.com.yaml
+++ b/inventory/service/host_vars/web3.eco.tsi-dev.otc-service.com.yaml
@@ -1,5 +1,5 @@
-alerta_instance: production_vc
-grafana_instance: production_vc
+alerta_instance: "production_vc"
+grafana_instance: "production_vc"
 ssl_certs:
 web3:
 - "web3.eco.tsi-dev.otc-service.com"
@@ -13,5 +13,8 @@ ssl_certs:
 graphite:
 - "graphite.eco.tsi-dev.otc-service.com"
+graphite_instance_group: "graphite-apimon"
+graphite_cert: "graphite"
+
 firewalld_extra_services_enable: ['http', 'https']
 firewalld_extra_ports_enable: ['3000/tcp', '8080/tcp', '8081/tcp']
diff --git a/playbooks/roles/graphite/templates/docker-compose.yaml.j2 b/playbooks/roles/graphite/templates/docker-compose.yaml.j2
deleted file mode 100644
index 75e107e83..000000000
--- a/playbooks/roles/graphite/templates/docker-compose.yaml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-# Version 2 is the latest that is supported by docker-compose in
-# Ubuntu Xenial.
-version: '2'
-
-services:
- graphite:
- restart: always
- image: docker.io/graphiteapp/graphite-statsd
- network_mode: host
- volumes:
- /etc/graphite-docker/graphite-statsd.conf:/etc/nginx/sites-enabled/graphite-statsd.conf
- /etc/graphite-docker/statsd.js:/opt/statsd/config/udp.js
- /etc/graphite-docker/storage-schemas.conf:/opt/graphite/conf/storage-schemas.conf
- /etc/letsencrypt-certs:/etc/letsencrypt-certs
- /opt/graphite/storage:/opt/graphite/storage
- /var/log/graphite:/var/log/
diff --git a/playbooks/roles/graphite_web/README.rst b/playbooks/roles/graphite_web/README.rst
new file mode 100644
index 000000000..e045c696e
--- /dev/null
+++ b/playbooks/roles/graphite_web/README.rst
@@ -0,0 +1 @@
+Run Graphite
diff --git a/playbooks/roles/graphite_web/defaults/main.yaml b/playbooks/roles/graphite_web/defaults/main.yaml
new file mode 100644
index 000000000..6d3d73c72
--- /dev/null
+++ b/playbooks/roles/graphite_web/defaults/main.yaml
@@ -0,0 +1,8 @@
+graphite_config_location: "/etc/graphite"
+
+# graphite_cluster_servers: "127.0.0.1:8080"
+
+graphite_image: "quay.io/opentelekomcloud/graphite-statsd:1.1.7-9"
+
+container_command: "podman"
+container_runtime: "/usr/bin/{{ container_command }}"
diff --git a/playbooks/roles/graphite_web/handlers/main.yaml b/playbooks/roles/graphite_web/handlers/main.yaml
new file mode 100644
index 000000000..3d8ac057c
--- /dev/null
+++ b/playbooks/roles/graphite_web/handlers/main.yaml
@@ -0,0 +1,6 @@
+- name: Restart graphite-web
+ ansible.builtin.systemd:
+ name: "graphite-web"
+ enabled: true
+ state: "restarted"
+ daemon_reload: true
diff --git a/playbooks/roles/graphite_web/tasks/main.yaml b/playbooks/roles/graphite_web/tasks/main.yaml
new file mode 100644
index 000000000..9fcb1286c
--- /dev/null
+++ b/playbooks/roles/graphite_web/tasks/main.yaml
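Review bot: `graphite_image` pins the container only by the mutable tag `1.1.7-9`, so the unit that pulls it (graphite-web.service.j2) can end up running whatever the registry serves under that tag at the next restart, with no way to verify it matches what was reviewed. For a reproducible, verifiable deployment pin by digest as well, e.g. `graphite_image: "quay.io/opentelekomcloud/graphite-statsd:1.1.7-9@sha256:<IMAGE_DIGEST>"`, and add a one-line comment above the key describing how the pin is bumped. The commented-out `graphite_cluster_servers` line usefully documents the expected `host:port` form; a comment noting that the value is normally set as a fact by playbooks/service-graphite.yaml would save the next reader a search.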
@@ -0,0 +1,50 @@
+---
+- name: Include variables
+ include_vars: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files: "{{ distro_lookup_path }}"
+ paths:
+ - "vars"
+
+- name: Install required packages
+ become: true
+ ansible.builtin.package:
+ state: present
+ name: "{{ item }}"
+ loop:
+ - "{{ packages }}"
+ when: "ansible_facts.pkg_mgr != 'atomic_container'"
+ register: task_result
+ until: task_result is success
+ retries: 5
+
+- name: Ensure directories exist
+ become: true
+ ansible.builtin.file:
+ state: "directory"
+ path: "{{ item }}"
+ mode: "0755"
+ loop:
+ - "{{ graphite_config_location }}"
+ - "/var/log/graphite"
+
+- name: Write config files
+ become: true
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "{{ graphite_config_location }}//{{ item }}"
+ mode: "0644"
+ loop:
+ - "graphite-statsd.conf"
+ - "env"
+ notify:
+ - Restart graphite-web
+
+- name: Write systemd unit file
+ become: true
+ ansible.builtin.template:
+ src: "graphite-web.service.j2"
+ dest: "/etc/systemd/system/graphite-web.service"
+ notify:
+ - Restart graphite-web
diff --git a/playbooks/roles/graphite_web/templates/env.j2 b/playbooks/roles/graphite_web/templates/env.j2
new file mode 100644
index 000000000..d6281bf59
--- /dev/null
+++ b/playbooks/roles/graphite_web/templates/env.j2
@@ -0,0 +1,6 @@
+{% if graphite_cluster_servers is defined and graphite_cluster_servers|length %}
+GRAPHITE_CLUSTER_SERVERS={{ graphite_cluster_servers }}
+{% endif %}
+{% if graphite_memcached_host is defined %}
+MEMCACHE_HOST={{ graphite_memcached_host }}
+{% endif %}
diff --git a/playbooks/roles/graphite_web/templates/graphite-statsd.conf.j2 b/playbooks/roles/graphite_web/templates/graphite-statsd.conf.j2
new file mode 100644
index 000000000..4e7e61d2d
--- /dev/null
+++ b/playbooks/roles/graphite_web/templates/graphite-statsd.conf.j2
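Review bot: The `dest` of the "Write config files" task carries a doubled slash, `dest: "{{ graphite_config_location }}//{{ item }}"`; it still resolves, but it should read `dest: "{{ graphite_config_location }}/{{ item }}"` so the rendered path is the same string the unit file mounts. The "Write systemd unit file" task sets no `mode:` while the config task sets `mode: "0644"`; add `mode: "0644"` there too so the unit's permissions do not depend on the controller's umask and the two tasks stay consistent. `distro_lookup_path` is not defined anywhere in this role (its vars/ files only define `packages` and `container_command`), so a comment above the "Include variables" task stating where it is expected to come from would help the next maintainer.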
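Review bot: `MEMCACHE_HOST` is gated on `graphite_memcached_host`, but the fact that playbooks/service-graphite.yaml sets in both of its hunks is `graphite_cluster_memcache_hosts`, so unless `graphite_memcached_host` is set somewhere outside this change the memcache line is never rendered and graphite-web runs without its cache. Either rename the fact in the playbook or change this template to `{% if graphite_cluster_memcache_hosts is defined and graphite_cluster_memcache_hosts|length %}` / `MEMCACHE_HOST={{ graphite_cluster_memcache_hosts }}` / `{% endif %}`, mirroring the `|length` guard already used for `GRAPHITE_CLUSTER_SERVERS` so an empty value is not written. The playbook joins the list with `', '`; confirm that is the separator the image expects when several memcache hosts are listed.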
@@ -0,0 +1,62 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name {{ inventory_hostname }};
+
+ ssl_certificate /etc/ssl/{{ inventory_hostname }}/{{ graphite_cert }}.crt;
+ ssl_certificate_key /etc/ssl/{{ inventory_hostname }}/{{ graphite_cert }}.pem;
+ root /opt/graphite/static;
+ index index.html;
+
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+ }
+
+ # No remote login
+ location /admin {
+ allow 127.0.0.1;
+ deny all;
+ }
+
+ location /account {
+ allow 127.0.0.1;
+ deny all;
+ }
+
+ location /media {
+ # django admin static files
+ alias /usr/local/lib/python3.6/dist-packages/django/contrib/admin/media/;
+ }
+
+ location /admin/auth/admin {
+ alias /usr/local/lib/python3.6/dist-packages/django/contrib/admin/static/admin;
+ }
+
+ location /admin/auth/user/admin {
+ alias /usr/local/lib/python3.6/dist-packages/django/contrib/admin/static/admin;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ }
+
+}
diff --git a/playbooks/roles/graphite_web/templates/graphite-web.service.j2 b/playbooks/roles/graphite_web/templates/graphite-web.service.j2
new file mode 100644
index 000000000..6dde49a8c
--- /dev/null
+++ b/playbooks/roles/graphite_web/templates/graphite-web.service.j2
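Review bot: In `location /` the pair `add_header 'Access-Control-Allow-Origin' '*';` and `add_header 'Access-Control-Allow-Credentials' 'true';` is contradictory: browsers will not expose a credentialed response when the allowed origin is a wildcard, so the credentials header is dead, while the wildcard lets any web origin read whatever the proxied Graphite app serves without authentication. Decide which is intended — drop the credentials header if anonymous cross-origin reads are the goal, otherwise reflect an allow-listed origin (the dashboard host) instead of `*` — and put a comment above the block naming the intended consumers. The `listen 443 ssl` server sets no `ssl_protocols`/`ssl_ciphers`, so the TLS policy is whatever the image's nginx defaults to; pin it explicitly (`ssl_protocols TLSv1.2 TLSv1.3;`) unless those defaults have been checked. Note also that `/admin/auth/admin` and `/admin/auth/user/admin` are longer prefixes than `/admin` and therefore bypass its `allow 127.0.0.1; deny all;` — harmless while they only alias static files, but worth a comment so nobody later adds a proxied path under them.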
@@ -0,0 +1,27 @@
+[Unit]
+Description=Graphite Web Service
+After=syslog.target network.target
+
+[Service]
+Restart=always
+ExecStartPre=-{{ container_runtime }} kill graphite_web
+ExecStartPre=-{{ container_runtime }} rm graphite_web
+
+ExecStart={{ container_runtime }} run \
+ --name graphite_web \
+ --port 8081:80 \
+ --env-file /etc/graphite/env \
+{% if container_command == 'podman' %}
+ --log-opt=path=/dev/null \
+{% endif %}
+ -v /etc/ssl/{{ inventory_hostname }}/{{ graphite_cert }}.pem:/etc/ssl/{{
+ inventory_hostname }}/{{ graphite_cert }}.pem:ro,z \
+ -v /etc/ssl/{{ inventory_hostname }}/{{ graphite_cert }}.crt:/etc/ssl/{{
+ inventory_hostname }}/{{ graphite_cert }}.crt:ro,z \
+ -v /etc/graphite/graphite-statsd.conf:/etc/nginx/sites-enabled/graphite-statsd.conf:ro \
+ -v /var/log/graphite:/var/log:rw,z \
+ --tmpfs /tmp:rw,size=2g \
+ {{ graphite_image }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/playbooks/roles/graphite_web/vars/Debian.yaml b/playbooks/roles/graphite_web/vars/Debian.yaml
new file mode 100644
index 000000000..89564e32a
--- /dev/null
+++ b/playbooks/roles/graphite_web/vars/Debian.yaml
@@ -0,0 +1,6 @@
+---
+packages:
+ - docker.io
+ - netcat
+
+container_command: docker
diff --git a/playbooks/roles/graphite_web/vars/RedHat.yaml b/playbooks/roles/graphite_web/vars/RedHat.yaml
new file mode 100644
index 000000000..5dee02e28
--- /dev/null
+++ b/playbooks/roles/graphite_web/vars/RedHat.yaml
@@ -0,0 +1,6 @@
+---
+packages:
+ - podman
+ - nmap-ncat
+
+container_command: podman
diff --git a/playbooks/service-graphite.yaml b/playbooks/service-graphite.yaml
index 588fcd031..18b7d22c4 100644
--- a/playbooks/service-graphite.yaml
+++ b/playbooks/service-graphite.yaml
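Review bot: `--port 8081:80 \` is not the documented port-publishing option of either `docker run` or `podman run` — both spell it `-p`/`--publish` — so as written the `ExecStart` is likely to be rejected by the runtime; change it to `--publish 8081:80 \`. Only container port 80 is published, yet the nginx template in graphite-statsd.conf.j2 serves TLS on 443 and makes port 80 a bare `return 301 https://$host$request_uri`, so unless something on the host fronts 8081 (not visible in this change) the mounted certificate and the 443 listener are unreachable and clients are redirected to a host port this unit never serves; worth confirming against the `8080/tcp`/`8081/tcp` firewalld openings in web3's host_vars. `--env-file /etc/graphite/env` and the `-v /etc/graphite/graphite-statsd.conf:…` mount hard-code the directory that tasks/main.yaml derives from `graphite_config_location`; use `{{ graphite_config_location }}/env` and `{{ graphite_config_location }}/graphite-statsd.conf` so an override of that variable cannot leave the unit pointing at files the role no longer writes.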
@@ -17,11 +17,17 @@
 aggregate_destinations: "{{ (aggregate_destinations|default([])) + [(hostvars[item]['ansible_host'] + ':2004')] }}"
 loop: "{{ groups[(graphite_instance_group | default('graphite'))] | list }}"
+ - name: Construct cluster memcache lists
+ ansible.builtin.set_fact:
+ memcache_hosts: "{{ (memcache_hosts|default([])) + [(hostvars[item]['ansible_host'] + ':11211')] }}"
+ loop: "{{ groups['memcached'] | list }}"
+
 - name: Join cluster destination lists
 ansible.builtin.set_fact:
 graphite_relay_destinations: "{{ relay_destinations|join(', ') }}"
 graphite_aggregate_destinations: "{{ aggregate_destinations|join(', ') }}"
 graphite_cluster_servers: "{{ cluster_hosts|join(', ') }}"
+ graphite_cluster_memcache_hosts: "{{ memcache_hosts|join(', ') }}"
 graphite_relay: true
 when:
 - "graphite_instance_group is defined and graphite_instance_group|length"
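Review bot: `graphite_cluster_memcache_hosts: "{{ memcache_hosts|join(', ') }}"` in the Join task fails with an undefined variable whenever the `memcached` group is empty, because the preceding loop then never runs `set_fact` and `memcache_hosts` is never created; the equivalent Join task in the new graphite-web play later in this file already guards it with `(memcache_hosts|default([]))`, so use the same expression here. Likewise `loop: "{{ groups['memcached'] | list }}"` (in both plays) is a hard error on any inventory that has no `memcached` group; `loop: "{{ groups['memcached'] | default([]) | list }}"` keeps the play usable for deployments without memcache. Both new loops also assume every member of the group has `ansible_host` set, as the existing relay tasks do; the enclosing block starts outside the hunk.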
@@ -55,3 +61,34 @@
 - name: Install carbonate tools
 ansible.builtin.pip:
 name: "carbonate"
+
+- hosts: "graphite-web:!disabled"
+ name: "Base: configure graphite web app"
+ become: true
+ roles:
+ # Group should be responsible for defining open ports
+ - firewalld
+ tasks:
+
+ # host/group should have "graphite_instance_group" var with the name of the group
+ # graphite node should become member of (relay will be configired with all
+ # hosts from this group)
+ - block:
+ - name: Construct cluster destination lists
+ ansible.builtin.set_fact:
+ cluster_hosts: "{{ (cluster_hosts|default([])) + [(hostvars[item]['ansible_host'] + ':8080')] }}"
+ loop: "{{ groups[(graphite_instance_group | default('graphite'))] | list }}"
+
+ - name: Construct cluster memcache lists
+ ansible.builtin.set_fact:
+ memcache_hosts: "{{ (memcache_hosts|default([])) + [(hostvars[item]['ansible_host'] + ':11211')] }}"
+ loop: "{{ groups['memcached'] | list }}"
+
+ - name: Join cluster destination lists
+ ansible.builtin.set_fact:
+ graphite_cluster_servers: "{{ cluster_hosts | join(', ') }}"
+ graphite_cluster_memcache_hosts: "{{ (memcache_hosts|default([])) | join(', ') }}"
+ when:
+ - "graphite_instance_group is defined and graphite_instance_group|length"
+
+ - include_role: name=graphite_web
diff --git a/playbooks/zuul/templates/gate-groups.yaml.j2 b/playbooks/zuul/templates/gate-groups.yaml.j2
index c8de237da..6a36fc1af 100644
--- a/playbooks/zuul/templates/gate-groups.yaml.j2
+++ b/playbooks/zuul/templates/gate-groups.yaml.j2
@@ -43,11 +43,14 @@ groups:
 graphite-apimon:
 - graphite1.apimon.eco.tsi-dev.otc-service.com
 - graphite2.apimon.eco.tsi-dev.otc-service.com
+ graphite-web:
+ - web3.eco.tsi-dev.otc-service.com
 ssl_certs:
 - graphite1.apimon.eco.tsi-dev.otc-service.com
 - graphite2.apimon.eco.tsi-dev.otc-service.com
 - le1
 - proxy1.f32
+ - web1.eco.tsi-dev.otc-service.com
 memcached:
 - memcached.focal
 alerta:
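Review bot: `- include_role: name=graphite_web` uses the `key=value` shorthand while every other task in this play spells out the module and its arguments; write it as `- ansible.builtin.include_role:` / `name: graphite_web` for consistency (ansible-lint flags the shorthand as well). The comment above the block has a typo, `configired` → `configured`, and it describes a relay although this play only builds `graphite_cluster_servers` and the memcache list for the web front-end; reword it to say that, and mention there that the included role also expects `graphite_cert` and `distro_lookup_path` to be set for the host. Whether the `when:` attaches to the whole block or only to the last `set_fact` cannot be told from the collapsed indentation here; if it is only on the last task, the two list-building loops run unconditionally for hosts without `graphite_instance_group`.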
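Review bot: The `ssl_certs` gate group gains `web1.eco.tsi-dev.otc-service.com`, but the node this commit adds to the gate job (zuul.d/system-config-run.yaml) and to `graphite-web` is `web3.eco.tsi-dev.otc-service.com`, which looks like a typo. Both the nginx template and the systemd unit expect `/etc/ssl/{{ inventory_hostname }}/{{ graphite_cert }}.crt` and `.pem` on the host, so if the `ssl_certs` group is what provisions those files in the gate, web3 will be missing them and the unit's `-v` mounts will fail; change the line to `- web3.eco.tsi-dev.otc-service.com` (or add it alongside) if that is the intent.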
diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml
index 5c7fdef8f..154a2a447 100644
--- a/zuul.d/system-config-run.yaml
+++ b/zuul.d/system-config-run.yaml
@@ -172,6 +172,8 @@
 label: ubuntu-focal
 - name: graphite2.apimon.eco.tsi-dev.otc-service.com
 label: centos-8
+ - name: web3.eco.tsi-dev.otc-service.com
+ label: ubuntu-focal
 vars:
 run_playbooks:
 - playbooks/acme-certs.yaml
@@ -180,6 +182,7 @@
 - tox.ini
 - playbooks/service-graphite.yaml
 - playbooks/roles/graphite
+ - playbooks/roles/graphite_web
 - playbooks/zuul/templates/group_vars/graphite.yaml.j2
 - testinfra/test_graphite.py