diff --git a/PORTS b/PORTS
index bba5ae1..73abce4 100644
--- a/PORTS
+++ b/PORTS
@@ -1,46 +1,47 @@
reserved-for-legacy-docker-migration-medium-priority
3000 Mastodon public HTTP
4000 Mastodon streaming HTTP
15674 RabbitMQ
41080 Nasqueron Tools HTTP
reserved-for-legacy-docker-migration-low-priority
4440 Rundeck HTTP
21080 Drupal CRM HTTP
22080 Zammad HTTP
27080 Grafana HTTP
28080 phragile HTTP
29080 etcd HTTP
32080 Discourse HTTP
40080 RocketChat HTTP
paas-docker
5000 Docker registry HTTP
9090 Openfire HTTP
19080 Nasqueron API - Datasources
20080 Nasqueron API - Docker registry API
22220 Phabricator Aphlict (client)
22221 Phabricator Aphlict (admin)
23080 Phabricator HTTP - River Sector
24080 Tommy HTTP - CI
24180 Tommy HTTP - CD
25080 Auth Grove HTTP
26080 Sentry HTTP
+ 26300 Sentry - Relay
30080 Pixelfed HTTP
31080 Phabricator HTTP - DevCentral
33080 Bugzilla HTTP - Espace Win
34080 Etherpad
35080 Phabricator HTTP - Wolfplex
36080 Phabricator HTTP - Zed
37080 Notifications center HTTP
38080 Jenkins HTTP - CD
39080 Cachet HTTP
41080 ACME DNS server HTTP
42080 Jenkins HTTP - CI
43080 Hauk
44080 Hound
# 45080 should be reserved for OpenGrok to compare with Hound
47080 Jenkins HTTP - Test
50000 Jenkins controller's port for JNLP-based Jenkins agents - CD
52000 Jenkins controller's port for JNLP-based Jenkins agents - Test
55000 Jenkins controller's port for JNKP-based Jenkins agents - CI
diff --git a/pillar/paas/docker/docker-002/sentry.sls b/pillar/paas/docker/docker-002/sentry.sls
index 8614d92..607603c 100644
--- a/pillar/paas/docker/docker-002/sentry.sls
+++ b/pillar/paas/docker/docker-002/sentry.sls
@@ -1,240 +1,254 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# Service: Sentry
# -------------------------------------------------------------
docker_networks:
sentry:
subnet: 172.18.3.0/24
docker_images:
- library/postgres
- library/redis:3.2-alpine
- library/sentry
+ - getsentry/relay:nightly
- getsentry/snuba:nightly
- tianon/exim4
- yandex/clickhouse-server:20.3.9.70
- getsentry/symbolicator:nightly
docker_containers:
#
# Core services used by Sentry
#
exim:
sentry_smtp:
mailname: mx.sentry.nasqueron.org
network: sentry
memcached:
sentry_memcached:
version: 1.6.9-alpine
network: sentry
redis:
sentry_redis:
network: sentry
postgresql:
sentry_db:
credential: nasqueron.sentry.postgresql
network: sentry
#
# Kafka instance
#
zookeeper:
sentry_zookeeper:
version: 5.5.0
network: sentry
kafka:
sentry_kafka:
version: 5.5.0
zookeeper: sentry_zookeeper
network: sentry
topics:
- ingest-attachments
- ingest-transactions
- ingest-events
- ingest-replay-recordings
#
# ClickHouse
#
clickhouse:
sentry_clickhouse:
version: 20.3.9.70
network: sentry
config: sentry.xml
max_memory_ratio: 0.2
#
# Snuba
#
snuba:
sentry_snuba_api:
network: sentry
api: True
services: &sentry_snuba_services
broker: sentry_kafka:9092
clickhouse: sentry_clickhouse
redis: sentry_redis
sentry_snuba_consumer:
command: consumer --storage errors --auto-offset-reset=latest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
sentry_snuba_outcomes_consumer:
command: consumer --storage outcomes_raw --auto-offset-reset=earliest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
sentry_snuba_replacer:
command: replacer --storage errors --auto-offset-reset=latest
network: sentry
services: *sentry_snuba_services
sentry_snuba_replays_consumer:
command: consumer --storage replays --auto-offset-reset=latest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
sentry_snuba_sessions_consumer:
command: consumer --storage sessions_raw --auto-offset-reset=latest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
sentry_snuba_subscription_consumer_events:
command: subscriptions-scheduler-executor --dataset events --entity events --auto-offset-reset=latest
--no-strict-offset-reset --consumer-group=snuba-events-subscriptions-consumers
--followed-consumer-group=snuba-consumers --delay-seconds=60 --schedule-ttl=60
--stale-threshold-seconds=900
network: sentry
services: *sentry_snuba_services
sentry_snuba_subscription_consumer_sessions:
command: subscriptions-scheduler-executor --dataset sessions --entity sessions
--auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-sessions-subscriptions-consumers
--followed-consumer-group=sessions-group --delay-seconds=60 --schedule-ttl=60
--stale-threshold-seconds=900
network: sentry
services: *sentry_snuba_services
sentry_snuba_subscription_consumer_transactions:
command: subscriptions-scheduler-executor --dataset transactions --entity transactions
--auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-transactions-subscriptions-consumers
--followed-consumer-group=transactions_group --delay-seconds=60 --schedule-ttl=60
--stale-threshold-seconds=900
network: sentry
services: *sentry_snuba_services
sentry_snuba_transactions_consumer:
command: consumer --storage transactions --consumer-group transactions_group
--auto-offset-reset=latest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
#
# Symbolicator
#
symbolicator:
sentry_symbolicator:
network: sentry
+ #
+ # Relay
+ #
+
+ relay:
+ sentry_relay:
+ app_port: 26300
+ kafka: sentry_kafka
+ redis: sentry_redis
+ web: sentry_web
+ network: sentry
+
#
# Sentry
#
sentry:
sentry_web:
app_port: 26080
+ relay_port: 26300
host: sentry.nasqueron.org
command: run web
realm: nasqueron
network: sentry
sentry_worker:
command: run worker
realm: nasqueron
network: sentry
sentry_cron:
command: run cron
realm: nasqueron
network: sentry
sentry_ingest_consumer:
command: run ingest-consumer --all-consumer-types
realm: nasqueron
network: sentry
sentry_ingest_replay_recordings:
command: run ingest-replay-recordings
realm: nasqueron
network: sentry
sentry_post_process_forwarder_errors:
command: run post-process-forwarder --entity errors
realm: nasqueron
network: sentry
sentry_post_process_forwarder_transations:
command: run post-process-forwarder --entity transactions
--commit-log-topic=snuba-transactions-commit-log
--synchronize-commit-group transactions_group
realm: nasqueron
network: sentry
sentry_consumer_events:
command: run query-subscription-consumer --commit-batch-size 1
--topic events-subscription-results
realm: nasqueron
network: sentry
sentry_consumer_transactions:
command: run query-subscription-consumer --commit-batch-size 1
--topic transactions-subscription-results
realm: nasqueron
network: sentry
# -------------------------------------------------------------
# Services configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
kakfa_loggers:
kafka.cluster: WARN
kafka.controller: WARN
kafka.coordinator: WARN
kafka.log: WARN
kafka.server: WARN
kafka.zookeeper: WARN
state.change.logger: WARN
sentry_realms:
nasqueron:
network: sentry
services:
kafka: sentry_kafka
memcached: sentry_memcached
postgresql: sentry_db
redis: sentry_redis
smtp: sentry_smtp
snuba: sentry_snuba_api
symbolicator: sentry_symbolicator
web: sentry_web
credentials:
secret_key: nasqueron.sentry.app_key
postgresql: nasqueron.sentry.postgresql
vault: nasqueron.sentry.vault
hostname: sentry.nasqueron.org
email_from: noreply@sentry.nasqueron.org
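Review bot: The new `- getsentry/relay:nightly` entry in `docker_images` is a mutable tag, so each pull can bring different, unreviewed code into the container that nginx forwards ingestion traffic to. The same tag is hard-coded on both `image:` lines of roles/paas-docker/containers/relay.sls. The snuba and symbolicator entries here already track `nightly`, so this matches the file. Pinning Relay to a release tag or digest (`getsentry/relay:<release-tag>`, placeholder) and keeping it in step with the deployed Sentry version would make redeployments reproducible. Separately, 26300 is now written twice, as `app_port` under `sentry_relay` and as `relay_port` under `sentry_web`; a comment such as `# must match sentry_relay app_port` on `relay_port` would keep the two from drifting.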
diff --git a/roles/paas-docker/containers/files/relay/config.yml.jinja b/roles/paas-docker/containers/files/relay/config.yml.jinja
new file mode 100644
index 0000000..c1cec7d
--- /dev/null
+++ b/roles/paas-docker/containers/files/relay/config.yml.jinja
@@ -0,0 +1,36 @@
+# -------------------------------------------------------------
+# Sentry configuration - Relay
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/containers/files/relay/config.yml.jinja
+# -------------------------------------------------------------
+#
+#
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+#
+
+relay:
+ upstream: http://{{ container.web }}:9000/
+
+ host: 0.0.0.0
+ port: 3000
+
+logging:
+ level: WARN
+
+processing:
+ enabled: true
+
+ kafka_config:
+ - name: bootstrap.servers
+ value: {{ container.kafka }}:9092
+ - name: message.max.bytes
+ value: 50000000 # 50MB
+
+ redis: redis://{{ container.redis }}:6379
+
+ geoip_path: "/usr/local/share/geoip/GeoLite2-City.mmdb"
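Review bot: The templated scalars are left unquoted (`upstream: http://{{ container.web }}:9000/`, `value: {{ container.kafka }}:9092`, `redis: redis://{{ container.redis }}:6379`), so the YAML parser types whatever text the pillar renders to, and a missing or unusual value can change the document without an error. Quoting them, for example `value: "{{ container.kafka }}:9092"`, keeps them strings the way `geoip_path` already is. `host: 0.0.0.0` is reasonable inside the container, but it relies on the published host port not being reachable from outside. A comment such as `# reached through the front-end nginx only` next to it would record that assumption.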
diff --git a/roles/paas-docker/containers/relay.sls b/roles/paas-docker/containers/relay.sls
new file mode 100644
index 0000000..375e830
--- /dev/null
+++ b/roles/paas-docker/containers/relay.sls
@@ -0,0 +1,67 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
+
+{% for instance, container in pillar['docker_containers']['relay'].items() %}
+
+# -------------------------------------------------------------
+# Data directory
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/relay/{{ instance }}:
+ file.directory:
+ - makedirs: True
+
+/srv/relay/{{ instance }}/config.yml:
+ file.managed:
+ - source: salt://roles/paas-docker/containers/files/relay/config.yml.jinja
+ - mode: 644
+ - template: jinja
+ - context:
+ container: {{ container }}
+
+relay_{{ instance }}_credentials:
+ docker_container.run:
+ - image: getsentry/relay:nightly
+ - command: bash -c "relay credentials generate --stdout > /work/.relay/credentials.json"
+ - binds:
+ - /srv/relay/{{ instance }}:/work/.relay
+ - replace: True
+ - creates: /srv/relay/{{ instance }}/credentials.json
+
+{% if has_selinux %}
+selinux_context_{{ instance }}_relay_data:
+ selinux.fcontext_policy_present:
+ - name: /srv/relay/{{ instance }}
+ - sel_type: container_file_t
+
+selinux_context_{{ instance }}_relay_data_applied:
+ selinux.fcontext_policy_applied:
+ - name: /srv/relay/{{ instance }}
+{% endif %}
+
+# -------------------------------------------------------------
+# Container
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: getsentry/relay:nightly
+ - binds:
+ - /srv/relay/{{ instance }}:/work/.relay
+ - /srv/geoip:/usr/local/share/geoip:ro
+ - ports:
+ - 3000
+ - port_bindings:
+ - {{ container['app_port'] }}:3000
+ - networks:
+ - {{ container['network'] }}
+
+{% endfor %}
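Review bot: `- {{ container['app_port'] }}:3000` under `port_bindings` publishes Relay on every host interface, while the nginx vhost in this commit only reaches it through `localhost`. Unless a host firewall (not visible here) blocks that port, clients can talk to Relay over plain HTTP without passing through nginx and its TLS. Binding to loopback, `- 127.0.0.1:{{ container['app_port'] }}:3000`, closes that path. Also, `relay credentials generate --stdout > /work/.relay/credentials.json` writes the relay's secret key into `/srv/relay/{{ instance }}`, whose `file.directory` state sets no `mode`, `user` or `group`; restricting the directory to the account the container runs as would keep the key away from other local users. On SELinux hosts the credentials run is declared before the `container_file_t` states, so it may need a `require` on them.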
diff --git a/roles/paas-docker/nginx/files/vhosts/sentry.conf b/roles/paas-docker/nginx/files/vhosts/sentry.conf
index a44fddd..075497a 100644
--- a/roles/paas-docker/nginx/files/vhosts/sentry.conf
+++ b/roles/paas-docker/nginx/files/vhosts/sentry.conf
@@ -1,49 +1,66 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-09-11
-# Source file: roles/paas-docker/nginx/files/vhosts/_default.conf
+# Source file: roles/paas-docker/nginx/files/vhosts/sentry.conf
# -------------------------------------------------------------
#
#
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
#
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
+ include includes/proxy_params;
+ proxy_redirect off;
+
+ location /api/store/ {
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+ proxy_temp_file_write_size 256k;
+
+ proxy_pass http://localhost:{{ args.relay_port }};
+ }
+
+ location ~ ^/api/[1-9]\d*/ {
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+ proxy_temp_file_write_size 256k;
+
+ proxy_pass http://localhost:{{ args.relay_port }};
+ }
+
location / {
proxy_pass http://localhost:{{ app_port }};
-
- include includes/proxy_params;
- proxy_redirect off;
}
location /.well-known/change-password {
return 301 https://$host/settings/account/security/;
}
root /var/wwwroot-502/_default;
error_page 502 /502.html;
location /502.html {}
}
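Review bot: Both new Relay locations accept client uploads, yet no `client_max_body_size` is visible in this vhost, so the request-size limit is whatever `includes/proxy_params` or the http block sets (nginx defaults to 1m). Relay's config in this commit sets `message.max.bytes` to 50000000, so the two limits probably disagree. Setting `client_max_body_size` explicitly in `location /api/store/` and `location ~ ^/api/[1-9]\d*/` would make the ingestion limit a deliberate choice. The four `proxy_buffer*` / `proxy_temp_file_write_size` lines are repeated verbatim in both blocks and could move to a shared include. A comment like `# Ingestion endpoints are handled by Relay, everything else by Sentry web` above them would explain the split.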