instance-balancer.cfg.in 6.49 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12
{% if software_type == slap_software_type -%}
{% set part_list = [] -%}
{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
{% set use_ipv6 = slapparameter_dict.get('use-ipv6', False) -%}
{#
XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
per partition. No more (undefined result), no less (IndexError).
-#}
# TODO: insert varnish between apache & haproxy.
# And think of a way to specify which urls goe through varnish, which go
# directly to haproxy. (maybe just passing literal configuration file chunk)
{% set ipv4 = (ipv4_set | list)[0] -%}
13 14 15 16 17
{% set apache_ip_list = [ipv4] -%}
{% if ipv6_set -%}
{%   set ipv6 = (ipv6_set | list)[0] -%}
{%   do apache_ip_list.append('[' ~ ipv6 ~ ']') -%}
{% endif -%}
18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

{% if use_ipv6 -%}
[zope-tunnel-base]
recipe = slapos.cookbook:ipv4toipv6
runner-path = ${directory:services}/${:base-name}
6tunnel-path = {{ parameter_dict['6tunnel'] }}/bin/6tunnel
shell-path = {{ parameter_dict['dash'] }}/bin/dash
ipv4 = {{ ipv4 }}

{% endif -%}
{% set haproxy_dict = {} -%}
{% set apache_dict = {} -%}
{% set next_port = slapparameter_dict['tcpv4-port'] -%}
{% for family_name, parameter_id_list in slapparameter_dict['zope-family-dict'].items() -%}
{%   set zope_family_address_list = [] -%}
{%   for parameter_id in parameter_id_list -%}
{%     set zope_address_list = slapparameter_dict[parameter_id] -%}
35
{%     for zope_address, maxconn in zope_address_list -%}
36 37 38 39 40 41 42 43 44 45 46 47
{%       if use_ipv6 -%}
[{{ section('zope-tunnel-' ~ next_port) }}]
< = zope-tunnel-base
base-name = {{ 'zeo-tunnel-' ~ next_port }}
ipv4-port = {{ next_port }}
ipv6-port = {{ zope_address.split(']:')[1] }}
ipv6 = {{ zope_address.split(']:')[0][1:] }}
{%         set zope_effective_address = ipv4 ~ ":" ~ next_port -%}
{%         set next_port = next_port + 1 -%}
{%       else -%}
{%         set zope_effective_address = zope_address -%}
{%       endif -%}
48
{%       do zope_family_address_list.append((zope_effective_address, maxconn)) -%}
49 50
{%     endfor -%}
{%   endfor -%}
51 52 53 54 55 56 57
{# Make rendering fail artificially if any family has no known backend.
 # This is useful as haproxy's hot-reconfiguration mechanism is
 # supervisord-incompatible.
 # As jinja2 postpones KeyError until place-holder value is actually used,
 # do a no-op, type-safe concatenation.
-#}
{%   do '#' ~ zope_family_address_list[0] -%}
58 59 60 61 62 63 64
{%   set haproxy_port = next_port -%}
{%   set next_port = next_port + 1 -%}
{%   do haproxy_dict.__setitem__(family_name, (haproxy_port, zope_family_address_list)) -%}
{%   do apache_dict.__setitem__(family_name, (next_port, 'http://' ~ ipv4 ~ ':' ~ haproxy_port)) -%}
{%   set next_port = next_port + 1 -%}
{% endfor -%}

65
[haproxy-cfg-parameter-dict]
66
socket-path = ${directory:run}/haproxy.sock
67
server-check-path = {{ slapparameter_dict['haproxy-server-check-path'] }}
68
backend-dict = {{ dumps(haproxy_dict) }}
69 70 71 72 73 74 75 76 77 78 79 80 81 82
ip = {{ ipv4 }}

[haproxy-cfg]
recipe = slapos.recipe.template:jinja2
template = {{ parameter_dict['template-haproxy-cfg'] }}
rendered = ${directory:etc}/haproxy.cfg
context = section parameter_dict haproxy-cfg-parameter-dict

[{{ section('haproxy') }}]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:services}/haproxy
command-line = "{{ parameter_dict['haproxy'] }}/sbin/haproxy" -f "${haproxy-cfg:rendered}"

{# TODO: build socat and wrap it as "${directory:bin}/haproxy-ctl" to connect to "${haproxy-cfg-parameter-dict:socket-path}" #}
83 84 85 86

[apache]
recipe = slapos.cookbook:apache.zope.backend
backend-list = {{ dumps(apache_dict.values()) }}
87
ip = {{ dumps(apache_ip_list) }}
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108
wrapper = ${directory:bin}/apache
scheme = https
key-file = ${directory:apache-conf}/apache.key
cert-file = ${directory:apache-conf}/apache.crt
configuration-file = ${directory:apache-conf}/apache.conf
access-control-string = {{ slapparameter_dict['apache-access-control-string'] }}
pid-file = ${directory:run}/apache.pid
lock-file = ${directory:run}/apache.lock
ssl-session-cache = $${directory:log}/apache-ssl-session-cache
error-log = ${directory:log}/apache-error.log
access-log = ${directory:log}/apache-access.log
apache-binary = {{ parameter_dict['apache'] }}/bin/httpd
ssl-authentication = {{ slapparameter_dict['apache-ssl-authentication'] }}
backend-path = {{ slapparameter_dict['apache-backend-path'] }}
# Note: Without certificate-authority main certificate have to be hardcoded
ssl-authentication-certificate = ${certificate-authority:ca-dir}/cacert.pem
ssl-authentication-crl = ${certificate-authority:ca-crl}

[publish]
recipe = slapos.cookbook:publish.serialised
{% for family_name, (apache_port, _) in apache_dict.items() -%}
109 110 111
{%   if ipv6_set -%}
{{     family_name ~ '-v6' }} = ${apache:scheme}://[{{ ipv6 }}]:{{ apache_port }}
{%   endif -%}
112
{{   family_name }} = ${apache:scheme}://{{ ipv4 }}:{{ apache_port }}
113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175
{% endfor -%}

[certificate-authority]
recipe = slapos.cookbook:certificate_authority
openssl-binary = {{ parameter_dict['openssl'] }}/bin/openssl
ca-dir = ${directory:ca-dir}
requests-directory = ${directory:requests}
wrapper = ${directory:services}/ca
ca-private = ${directory:private}
ca-certs = ${directory:certs}
ca-newcerts = ${directory:newcerts}
ca-crl = ${directory:crl}
{% set ca = slapparameter_dict['ca'] -%}
country-code = {{ ca.get('country-code', 'ZZ') }}
email = {{ ca.get('email', 'nobody@example.com') }}
state = {{ ca.get('state', 'Dummy State') }}
city = {{ ca.get('city', 'Dummy City') }}
company = {{ ca.get('company', 'Dummy Company') }}

[ca-apache]
< = certificate-authority
recipe = slapos.cookbook:certificate_authority.request
key-file = ${apache:key-file}
cert-file = ${apache:cert-file}
executable = ${apache:wrapper}
wrapper = ${directory:services}/apache

[logrotate-apache]
recipe = slapos.cookbook:logrotate.d
logrotate-entries = ${logrotate:logrotate-entries}
backup = ${logrotate:backup}
name = apache
log = ${apache:error-log} ${apache:access-log}
post = {{ parameter_dict['bin-directory'] }}/killpidfromfile ${apache:pid-file} SIGUSR1

[directory]
recipe = slapos.cookbook:mkdirectory
apache-conf = ${:etc}/apache
bin = ${buildout:directory}/bin
etc = ${buildout:directory}/etc
services = ${:etc}/run
var = ${buildout:directory}/var
run = ${:var}/run
log = ${:var}/log
ca-dir = ${buildout:directory}/srv/ssl
requests = ${:ca-dir}/requests
private = ${:ca-dir}/private
certs = ${:ca-dir}/certs
newcerts = ${:ca-dir}/newcerts
crl = ${:ca-dir}/crl

[buildout]
extends = {{ parameter_dict['instance-logrotate-cfg'] }}
parts +=
  publish
  logrotate-apache
  haproxy
  ca-apache
  {{ part_list | join('\n  ') }}
eggs-directory = {{ eggs_directory }}
develop-eggs-directory = {{ develop_eggs_directory }}

{% endif %}