
D3045.id7780.diff

D3045.id7780.diff

diff --git a/pillar/webserver/sites.sls b/pillar/webserver/sites.sls
--- a/pillar/webserver/sites.sls
+++ b/pillar/webserver/sites.sls
@@ -105,7 +105,7 @@
subdomain: wikis
user: mediawiki
php-fpm: prod
- skipCreateAccount: True
+ skipCreateUser: True
env:
MEDIAWIKI_ENTRY_POINT: /srv/mediawiki/index.php
DB_HOST: localhost
@@ -118,7 +118,7 @@
user: web-org-espacewin-www
source: wwwroot/espace-win.org/www
target: /var/wwwroot/espace-win.org/www
- php-fpm: legacy
+ php-fpm: prod
www51.espace-win.org:
domain: espace-win.org
diff --git a/roles/webserver-alkane/account/init.sls b/roles/webserver-alkane/account/init.sls
--- a/roles/webserver-alkane/account/init.sls
+++ b/roles/webserver-alkane/account/init.sls
@@ -8,7 +8,7 @@
# -------------------------------------------------------------
# User groups for domains served
#
-# Those account are mostly intended for static content,
+# Those accounts are mostly intended for static content,
# to allow users to access it through group.
#
# The user will often be "deploy" to allow continuous delivery.
@@ -29,3 +29,23 @@
- fullname: Websites account for {{ domain }}
{% endfor %}
{% endfor %}
+
+# -------------------------------------------------------------
+# PHP user accounts
+#
+# Those accounts are intended to serve content through php-fpm.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for fqdn, site in pillar['web_php_sites'].items() %}
+{% if 'skipCreateUser' not in site or not site['skipCreateUser'] %}
+
+webserver_user_{{ site['user'] }}:
+ user.present:
+ - name: {{ site['user' ] }}
+ - fullname: {{ fqdn }}
+ - gid: 9003
+ - system: True
+ - home: /var/run/web/{{ fqdn }}
+
+{% endif %}
+{% endfor %}
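Review bot: The hard-coded `- gid: 9003` replaces the `- gid: web` that the deleted roles/webserver-legacy/php-sites/account.sls used for the same accounts, while the new pool template runs the workers with `group = web` and `listen.group = web`; if 9003 is not the `web` group, the account's primary group and the pool's group silently diverge. Prefer `- gid: web`, or add a comment above the line recording which group 9003 is so the numeric id can be checked against the pool configuration. On the `name:` line, `site['user' ]` carries a stray space inside the brackets, unlike the state id on the line above.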
diff --git a/roles/webserver-alkane/alkane/init.sls b/roles/webserver-alkane/alkane/init.sls
--- a/roles/webserver-alkane/alkane/init.sls
+++ b/roles/webserver-alkane/alkane/init.sls
@@ -47,7 +47,7 @@
- file_mode: 555
{% for site_name, recipes in pillar.get("alkane_recipes", {}).items() %}
-/usr/local/libexec/alkane/{{ site_name }}:
+/usr/local/libexec/alkane/{{ site_name }}:
file.directory
{% for action, recipe in recipes.items() %}
diff --git a/roles/webserver-alkane/init.sls b/roles/webserver-alkane/init.sls
--- a/roles/webserver-alkane/init.sls
+++ b/roles/webserver-alkane/init.sls
@@ -9,3 +9,4 @@
- .account
- .alkane
- .directories
+ - .php
diff --git a/roles/webserver-legacy/php-sites/cleanup.sls b/roles/webserver-alkane/php/cleanup.sls
rename from roles/webserver-legacy/php-sites/cleanup.sls
rename to roles/webserver-alkane/php/cleanup.sls
diff --git a/roles/webserver-alkane/php/files/php-fpm-pool.conf b/roles/webserver-alkane/php/files/php-fpm-pool.conf
new file mode 100644
--- /dev/null
+++ b/roles/webserver-alkane/php/files/php-fpm-pool.conf
@@ -0,0 +1,49 @@
+; -------------------------------------------------------------
+; php-fpm pool configuration
+; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+; Project: Nasqueron
+; License: Trivial work, not eligible to copyright
+; Source file: roles/webserver-alkane/php/files/php-fpm-pool.conf
+; -------------------------------------------------------------
+;
+; <auto-generated>
+; This file is managed by our rOPS SaltStack repository.
+;
+; Changes to this file may cause incorrect behavior
+; and will be lost if the state is redeployed.
+; </auto-generated>
+
+[{{ user }}]
+listen = /var/run/web/{{ fqdn }}/php-fpm.sock
+listen.owner = {{ user }}
+listen.group = web
+listen.mode = 0660
+
+user = {{ user }}
+group = web
+
+pm = ondemand
+pm.max_children = 8
+pm.process_idle_timeout = 10s
+pm.max_requests = 50
+
+slowlog = /var/log/www/{{ domain }}/{{ subdomain }}-php-slow.log
+request_slowlog_timeout = {{ slow_delay }}
+
+catch_workers_output = yes
+php_admin_value[error_log] = /var/log/www/{{ domain }}/{{ subdomain }}-php.log
+php_flag[display_errors] = {{ display_errors }}
+php_flag[display_startup_errors] = {{ display_errors }}
+php_admin_flag[log_errors] = on
+
+{% if 'wordpress' in capabilities -%}
+; Allow Wordpress to process large images
+php_value[memory_limit] = 1024M
+{%- endif %}
+
+; Don't flood /tmp (T417)
+php_value[session.save_path] = /var/tmp/php/sessions/{{ fqdn }}
+
+{%- for key, value in env.items() %}
+env["{{ key }}"] = {{ value }}
+{%- endfor -%}
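Review bot: The `env["{{ key }}"] = {{ value }}` lines write pillar values unquoted, so a value containing spaces, quotes or `;` may be truncated or misparsed by php-fpm's ini reader; `env["{{ key }}"] = "{{ value }}"` is the safer form, assuming no pillar value already carries its own quotes. Because these values come straight from pillar, the rendered pool file should not be world-readable; the `php-fpm_pool_` state in php/php-fpm.sls does not show a `mode:` in this diff, so confirm one is set further down. Every pool also runs with `group = web` and exposes its socket with `listen.group = web` / `listen.mode = 0660`, so all sites share one group; giving each pool its own `group` while keeping `listen.group` for the web server's group would keep one site's socket and group-owned files out of reach of the others, provided the web server really runs in `web`.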
diff --git a/roles/webserver-alkane/php/files/php-fpm.conf b/roles/webserver-alkane/php/files/php-fpm.conf
new file mode 100644
--- /dev/null
+++ b/roles/webserver-alkane/php/files/php-fpm.conf
@@ -0,0 +1,33 @@
+; -------------------------------------------------------------
+; php-fpm instance configuration
+; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+; Project: Nasqueron
+; License: Trivial work, not eligible to copyright
+; Source file: roles/webserver-alkane/php/files/php-fpm.conf
+; -------------------------------------------------------------
+;
+; <auto-generated>
+; This file is managed by our rOPS SaltStack repository.
+;
+; Changes to this file may cause incorrect behavior
+; and will be lost if the state is redeployed.
+; </auto-generated>
+
+; -------------------------------------------------------------
+; Global directives
+; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+[global]
+pid = /var/run/php-fpm-{{ instance }}.pid
+error_log = /var/log/php-fpm-{{ instance }}.log
+
+emergency_restart_threshold = 10
+emergency_restart_interval = 1h
+
+process.max = 100
+
+; -------------------------------------------------------------
+; Pool definitions
+; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+include=/usr/local/etc/php-fpm.d/{{ instance }}-pools/*.conf
diff --git a/roles/webserver-alkane/php/files/php.ini b/roles/webserver-alkane/php/files/php.ini
new file mode 100644
--- /dev/null
+++ b/roles/webserver-alkane/php/files/php.ini
@@ -0,0 +1,37 @@
+; -------------------------------------------------------------
+; PHP configuration
+; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+; Project: Nasqueron
+; License: Trivial work, not eligible to copyright
+; Source file: roles/webserver-alkane/php/files/php.ini
+; -------------------------------------------------------------
+;
+; <auto-generated>
+; This file is managed by our rOPS SaltStack repository.
+;
+; Changes to this file may cause incorrect behavior
+; and will be lost if the state is redeployed.
+; </auto-generated>
+
+[Date]
+; Place de la bastille, Paris
+date.default_latitude = 48.853139
+date.default_longitude = 2.369111
+date.timezone = "UTC"
+
+{% if "set_mysql_sockets" in tasks -%}
+[MySQLi]
+mysqli.default_socket = /var/run/mysql/mysqld.sock
+
+[Pdo_mysql]
+pdo_mysql.default_socket = /var/run/mysql/mysqld.sock
+{%- endif %}
+
+{% if "optimize_opcache" in tasks -%}
+[opcache]
+opcache.max_accelerated_files = 20000
+opcache.memory_consumption = 512
+
+opcache.validate_timestamps = 0
+opcache.file_update_protection = 0
+{%- endif %}
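Review bot: `opcache.validate_timestamps = 0` together with `opcache.file_update_protection = 0` makes PHP stop re-checking source files, but the reason and its operational consequence are only documented in php.sls, not in the file an operator will open on the host. Add `; Timestamps are never re-validated: reload php-fpm after deploying PHP code` above the directive so the deploy requirement travels with the setting.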
diff --git a/roles/webserver-legacy/php-sites/files/rc/instances b/roles/webserver-alkane/php/files/rc/instances
rename from roles/webserver-legacy/php-sites/files/rc/instances
rename to roles/webserver-alkane/php/files/rc/instances
--- a/roles/webserver-legacy/php-sites/files/rc/instances
+++ b/roles/webserver-alkane/php/files/rc/instances
@@ -3,7 +3,7 @@
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-legacy/php-sites/files/rc/instances
+# Source file: roles/webserver-alkane/php/files/rc/instances
# -------------------------------------------------------------
#
# <auto-generated>
diff --git a/roles/webserver-legacy/php-sites/files/rc/per_instance b/roles/webserver-alkane/php/files/rc/per_instance
rename from roles/webserver-legacy/php-sites/files/rc/per_instance
rename to roles/webserver-alkane/php/files/rc/per_instance
--- a/roles/webserver-legacy/php-sites/files/rc/per_instance
+++ b/roles/webserver-alkane/php/files/rc/per_instance
@@ -3,7 +3,7 @@
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-legacy/php-sites/files/rc/per_instance
+# Source file: roles/webserver-alkane/php/files/rc/per_instance
# -------------------------------------------------------------
#
# <auto-generated>
diff --git a/roles/webserver-legacy/php-sites/files/rc/php-fpm b/roles/webserver-alkane/php/files/rc/php-fpm
rename from roles/webserver-legacy/php-sites/files/rc/php-fpm
rename to roles/webserver-alkane/php/files/rc/php-fpm
--- a/roles/webserver-legacy/php-sites/files/rc/php-fpm
+++ b/roles/webserver-alkane/php/files/rc/php-fpm
@@ -4,6 +4,22 @@
# REQUIRE: LOGIN
# KEYWORD: shutdown
+# -------------------------------------------------------------
+# php-fpm
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/webserver-alkane/php/files/rc/php-fpm
+# Descrioption: Custom service allowing to manage several pools
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
# Add the following lines to /etc/rc.conf to enable php-fpm:
# php_fpm_(instance_)?enable (bool): Set to "NO" by default.
# Set it to "YES" to enable php-fpm.
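Review bot: The new header line `# Descrioption: Custom service allowing to manage several pools` has a typo in the key and awkward phrasing; write it as `# Description: Custom service to manage several php-fpm pools`. The rest of the rc script (the `php_fpm_*` variables and the service body) continues outside the hunk.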
diff --git a/roles/webserver-legacy/php-sites/init.sls b/roles/webserver-alkane/php/init.sls
copy from roles/webserver-legacy/php-sites/init.sls
copy to roles/webserver-alkane/php/init.sls
--- a/roles/webserver-legacy/php-sites/init.sls
+++ b/roles/webserver-alkane/php/init.sls
@@ -6,8 +6,7 @@
# -------------------------------------------------------------
include:
- - .account
- - .files
- .php
- .php-fpm
+ - .service
- .cleanup
diff --git a/roles/webserver-legacy/php-sites/php-fpm.sls b/roles/webserver-alkane/php/php-fpm.sls
copy from roles/webserver-legacy/php-sites/php-fpm.sls
copy to roles/webserver-alkane/php/php-fpm.sls
--- a/roles/webserver-legacy/php-sites/php-fpm.sls
+++ b/roles/webserver-alkane/php/php-fpm.sls
@@ -16,7 +16,7 @@
php-fpm_config_{{ instance }}:
file.managed:
- name: {{ dirs.etc }}/php-fpm.d/{{ instance }}.conf
- - source: salt://roles/webserver-legacy/php-sites/files/php-fpm.conf
+ - source: salt://roles/webserver-alkane/php/files/php-fpm.conf
- template: jinja
- context:
instance: {{ instance }}
@@ -42,17 +42,17 @@
php-fpm_pool_{{ site['user'] }}:
file.managed:
- name: {{ dirs.etc }}/php-fpm.d/{{ site['php-fpm'] }}-pools/{{ site['user'] }}.conf
- - source: salt://roles/webserver-legacy/php-sites/files/php-fpm-pool.conf
+ - source: salt://roles/webserver-alkane/php/files/php-fpm-pool.conf
- template: jinja
- context:
fqdn: {{ fqdn }}
domain: {{ site['domain'] }}
subdomain: {{ site['subdomain'] }}
user: {{ site['user' ] }}
- display_errors: {{ site['display_errors']|default('off') }}
- slow_delay: {{ site['slow_delay']|default('5s') }}
- env : {{ site['env']|default({}) }}
- capabilities: {{ site['capabilities']|default([]) }}
+ display_errors: {{ site['display_errors'] | default('off') }}
+ slow_delay: {{ site['slow_delay'] | default('5s') }}
+ env : {{ site['env'] | default({}) }}
+ capabilities: {{ site['capabilities'] | default([]) }}
/var/log/www/{{ site['domain' ] }}/{{ site['subdomain' ] }}-php.log:
file.managed:
@@ -64,38 +64,22 @@
{% endfor %}
# -------------------------------------------------------------
-# Service
+# Sessions directories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-{% if grains['os'] == 'FreeBSD' %}
-
-{% set instances = " ".join(pillar['php_fpm_instances'].keys()) %}
-
-# roles/webserver-legacy/php-sites/files/rc/php-fpm
-
-/usr/local/etc/rc.d/php-fpm:
- file.managed:
- - source: salt://roles/webserver-legacy/php-sites/files/rc/php-fpm
- - mode: 755
-
-/etc/rc.conf.d/php_fpm:
- file.directory
+/var/tmp/php:
+ file.directory:
+ - mode: 1770
+ - group: web
-/etc/rc.conf.d/php_fpm/instances:
- file.managed:
- - source: salt://roles/webserver-legacy/php-sites/files/rc/instances
- - template: jinja
- - context:
- instances: {{ instances }}
+/var/tmp/php/sessions:
+ file.directory:
+ - mode: 1770
+ - group: web
-{% for instance, config in pillar['php_fpm_instances'].items() %}
-/etc/rc.conf.d/php_fpm/{{ instance }}:
- file.managed:
- - source: salt://roles/webserver-legacy/php-sites/files/rc/per_instance
- - template: jinja
- - context:
- instance: {{ instance }}
- command: {{ config['command'] | default('') }}
+{% for fqdn, site in pillar['web_php_sites'].items() %}
+/var/tmp/php/sessions/{{ fqdn }}:
+ file.directory:
+ - mode: 700
+ - user: {{ site['user'] }}
{% endfor %}
-
-{% endif %}
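Review bot: `/var/tmp/php` and `/var/tmp/php/sessions` get `mode: 1770` with `group: web`, which lets every process in the shared `web` group create entries directly under them, while the per-site directories are created by this very state (as root) with `mode: 700` and owned by the site user. Unless something outside Salt has to create entries there, `mode: 755` on both parents is enough for the workers to traverse into their own session directory and keeps the writable surface to the per-site directory only; confirm no other component writes under /var/tmp/php before narrowing it. The per-site `file.directory` also relies on the site user already existing; a `- require:` on the corresponding `webserver_user_` state would make that ordering explicit rather than depending on include order.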
diff --git a/roles/webserver-alkane/php/php.sls b/roles/webserver-alkane/php/php.sls
new file mode 100644
--- /dev/null
+++ b/roles/webserver-alkane/php/php.sls
@@ -0,0 +1,102 @@
+# -------------------------------------------------------------
+# Salt — Provision PHP websites — php-fpm pools
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, packages, packages_prefixes with context %}
+
+{% set is_devserver = salt['node.has_role']('devserver') %}
+
+# -------------------------------------------------------------
+# Install PHP through packages
+#
+# The extensions cover a standard PHP installation,
+# and the needs of the known applications we use.
+#
+# If you need Debian compatibility, this list should be
+# replaced by the shellserver one.
+#
+# The devserver role already install PHP through two layers:
+# - roles/shellserver/userland-software/base.sls
+# - roles/devserver/userland-software/dev.sls
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if not is_devserver %}
+
+php_software:
+ pkg.installed:
+ - pkgs:
+ - php82
+
+ # PHP extensions
+ - {{ packages_prefixes.php }}bcmath
+ - {{ packages_prefixes.php }}curl
+ - {{ packages_prefixes.php }}gd
+ - {{ packages_prefixes.php }}intl
+ - {{ packages_prefixes.php }}mbstring
+ - {{ packages_prefixes.php }}soap
+ - {{ packages_prefixes.php }}xml
+ - {{ packages_prefixes.php }}xsl
+
+ - {{ packages_prefixes.php }}calendar
+ - {{ packages_prefixes.php }}ctype
+ - {{ packages_prefixes.php }}dom
+ - {{ packages_prefixes.php }}fileinfo
+ - {{ packages_prefixes.php }}filter
+ - {{ packages_prefixes.php }}iconv
+ - {{ packages_prefixes.php }}mysqli
+ - {{ packages_prefixes.php }}pcntl
+ - {{ packages_prefixes.php }}pdo
+ - {{ packages_prefixes.php }}phar
+ - {{ packages_prefixes.php }}session
+ - {{ packages_prefixes.php }}simplexml
+ - {{ packages_prefixes.php }}sockets
+ - {{ packages_prefixes.php }}tokenizer
+ - {{ packages_prefixes.php }}xmlreader
+ - {{ packages_prefixes.php }}xmlwriter
+ - {{ packages_prefixes.php }}zlib
+
+ - {{ packages_prefixes.php }}pdo_mysql
+ - {{ packages_prefixes.php }}pdo_pgsql
+ - {{ packages_prefixes.php }}pdo_sqlite
+
+ # PECL extensions
+ - {{ packages_prefixes.pecl }}yaml
+
+ # PHP utilities
+ - {{ packages.composer }}
+
+{% endif %}
+
+# -------------------------------------------------------------
+# PHP global configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.etc }}/php.ini:
+ file.managed:
+ - source: salt://roles/webserver-alkane/php/files/php.ini
+ - template: jinja
+ - context:
+ tasks:
+ {% if is_devserver %}
+ # Since D2655, devserver uses /var/run/mysql
+ # This is not needed on production as MySQL is on another node
+ - set_mysql_sockets
+ {% else %}
+ # Enable Opcache, with aggressive caching
+ # This is not suitable in devserver: it needs a php-fpm restart
+ # when a PHP site is updated to invalidate the cache
+ - optimize_opcache
+ {% endif %}
+
+{% for build in pillar.get('php_custom_builds', {}) %}
+/opt/php/{{ build }}/lib/php.ini:
+ file.managed:
+ - source: {{ dirs.etc }}/php.ini:
+{% endfor %}
+
+# T1728 - xdebug should be disabled by default and invoked when needed
+/usr/local/etc/php/ext-20-xdebug.ini:
+ file.absent
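Review bot: `- source: {{ dirs.etc }}/php.ini:` in the `php_custom_builds` loop ends with a stray colon, so the rendered value is the path followed by `:` (or a YAML mapping-value error) rather than the file; it should read `- source: {{ dirs.etc }}/php.ini`. That source is a minion-local path rather than a `salt://` URL, so confirm `file.managed` on the Salt version in use accepts a bare absolute path, or use the explicit `file://` form. The package list mixes a hard-coded `php82` with extension names built from `packages_prefixes.php`; if the prefix encodes the PHP version, deriving the base package from the same map keeps the two from drifting apart on a version bump.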
diff --git a/roles/webserver-alkane/php/service.sls b/roles/webserver-alkane/php/service.sls
new file mode 100644
--- /dev/null
+++ b/roles/webserver-alkane/php/service.sls
@@ -0,0 +1,41 @@
+# -------------------------------------------------------------
+# Salt — Provision PHP websites — php-fpm service
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Service
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if grains['os'] == 'FreeBSD' %}
+
+{% set instances = " ".join(pillar['php_fpm_instances'].keys()) %}
+
+/usr/local/etc/rc.d/php-fpm:
+ file.managed:
+ - source: salt://roles/webserver-alkane/php/files/rc/php-fpm
+ - mode: 755
+
+/etc/rc.conf.d/php_fpm:
+ file.directory
+
+/etc/rc.conf.d/php_fpm/instances:
+ file.managed:
+ - source: salt://roles/webserver-alkane/php/files/rc/instances
+ - template: jinja
+ - context:
+ instances: {{ instances }}
+
+{% for instance, config in pillar['php_fpm_instances'].items() %}
+/etc/rc.conf.d/php_fpm/{{ instance }}:
+ file.managed:
+ - source: salt://roles/webserver-alkane/php/files/rc/per_instance
+ - template: jinja
+ - context:
+ instance: {{ instance }}
+ command: {{ config['command'] | default('') }}
+{% endfor %}
+
+{% endif %}
diff --git a/roles/webserver-legacy/php-sites/account.sls b/roles/webserver-legacy/php-sites/account.sls
deleted file mode 100644
--- a/roles/webserver-legacy/php-sites/account.sls
+++ /dev/null
@@ -1,24 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Provision PHP websites
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-# -------------------------------------------------------------
-# Sites user accounts
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{% for fqdn, site in pillar['web_php_sites'].items() %}
-{% if 'skipCreateAccount' not in site or not site['skipCreateAccount'] %}
-
-web_account_{{ site['user'] }}:
- user.present:
- - name: {{ site['user' ] }}
- - fullname: {{ fqdn }}
- - gid: web
- - system: True
- - home: /var/run/web/{{ fqdn }}
-
-{% endif %}
-{% endfor %}
diff --git a/roles/webserver-legacy/php-sites/init.sls b/roles/webserver-legacy/php-sites/init.sls
--- a/roles/webserver-legacy/php-sites/init.sls
+++ b/roles/webserver-legacy/php-sites/init.sls
@@ -6,8 +6,8 @@
# -------------------------------------------------------------
include:
- - .account
- .files
- .php
- .php-fpm
- - .cleanup
+ - roles/webserver-alkane/php/service
+ - roles/webserver-alkane/php/cleanup
diff --git a/roles/webserver-legacy/php-sites/php-fpm.sls b/roles/webserver-legacy/php-sites/php-fpm.sls
--- a/roles/webserver-legacy/php-sites/php-fpm.sls
+++ b/roles/webserver-legacy/php-sites/php-fpm.sls
@@ -62,40 +62,3 @@
- chmod: 600
{% endfor %}
-
-# -------------------------------------------------------------
-# Service
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{% if grains['os'] == 'FreeBSD' %}
-
-{% set instances = " ".join(pillar['php_fpm_instances'].keys()) %}
-
-# roles/webserver-legacy/php-sites/files/rc/php-fpm
-
-/usr/local/etc/rc.d/php-fpm:
- file.managed:
- - source: salt://roles/webserver-legacy/php-sites/files/rc/php-fpm
- - mode: 755
-
-/etc/rc.conf.d/php_fpm:
- file.directory
-
-/etc/rc.conf.d/php_fpm/instances:
- file.managed:
- - source: salt://roles/webserver-legacy/php-sites/files/rc/instances
- - template: jinja
- - context:
- instances: {{ instances }}
-
-{% for instance, config in pillar['php_fpm_instances'].items() %}
-/etc/rc.conf.d/php_fpm/{{ instance }}:
- file.managed:
- - source: salt://roles/webserver-legacy/php-sites/files/rc/per_instance
- - template: jinja
- - context:
- instance: {{ instance }}
- command: {{ config['command'] | default('') }}
-{% endfor %}
-
-{% endif %}
