
On puppet 3, which uses facter 2, the $::ipaddress6 fact explicitly filters out all link-local addresses[1]. On puppet 4, which uses facter 3, the $::ipaddress6 fact only removes the link-local address if it can find a better one[2]. The beaker tests reveal that haproxy won't bind to the ipv6 local address and will fail to start, with errors like:

Starting proxy balance_git_daemon: cannot bind socket [fe80::5054:ff:fec5:7095:9418]

This matters in CI test cases where the test nodes don't have real ipv6 addresses. This patch restores the puppet 3 behavior of ignoring the ipv6 address if it's a link-local address.

[1] https://github.com/puppetlabs/facter/blob/2.x/lib/facter/ipaddress6.rb#L31
[2] https://docs.puppet.com/facter/3.1/release_notes.html#regression-fix-avoid-reporting-link-local-ipv6-addresses-if-a-valid-address-is-available

Change-Id: I481403a3a988211effd22c8524171379aea9ccf9
# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
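# Class: cgit::lb
#
# Configures haproxy as a TCP-mode load balancer: listeners on ports 80, 443
# and 9418 are bound to this node's addresses and forward to the balancer
# members given in the parameters. Also installs socat and lsof, and drops
# the module's rsyslog.haproxy.conf into /etc/rsyslog.d.
#
# Parameters:
#   [*balancer_member_git_ports*]   member ports for the balance_git_daemon listener
#   [*balancer_member_http_ports*]  member ports for the balance_git_http listener
#   [*balancer_member_https_ports*] member ports for the balance_git_https listener
#   [*balancer_member_ips*]         member addresses, shared by all three listeners
#   [*balancer_member_names*]       member server names, shared by all three listeners
#   [*defaults_options*]            passed to ::haproxy as defaults_options
#   [*git_options*]                 options for the balance_git_daemon listener
#   [*global_options*]              passed to ::haproxy as global_options
#   [*http_options*]                options for the balance_git_http listener
#   [*https_options*]               options for the balance_git_https listener
#
class cgit::lb (
  $balancer_member_git_ports   = ['29418',],
  $balancer_member_http_ports  = ['8080',],
  $balancer_member_https_ports = ['4443',],
  $balancer_member_ips         = [],
  $balancer_member_names       = [],
  # NOTE(review): 'stats enable' in the defaults section turns on haproxy's
  # statistics page with default settings for proxies that inherit it. Every
  # listener declared in this class is mode tcp; confirm no http-mode proxy
  # inherits these defaults without its own stats auth/uri restrictions.
  $defaults_options            = {
    'log'     => 'global',
    'stats'   => 'enable',
    'option'  => 'redispatch',
    'retries' => '3',
    'timeout' => [
      'http-request 10s',
      'queue 1m',
      'connect 10s',
      'client 2m',
      'server 2m',
      'check 10s',
    ],
    'maxconn' => '8000',
  },
  $git_options                 = {
    'maxconn' => '256',
    'backlog' => '256',
    'balance' => 'leastconn',
    'option'  => [
      'tcplog',
    ],
  },
  # The stats socket is opened at admin level, which allows runtime changes to
  # the proxy, so it is restricted to root:root with mode 0600. Keep those
  # restrictions if this hash is overridden.
  $global_options              = {
    'log'     => '127.0.0.1 local0',
    'chroot'  => '/var/lib/haproxy',
    'pidfile' => '/var/run/haproxy.pid',
    'maxconn' => '4000',
    'user'    => 'haproxy',
    'group'   => 'haproxy',
    'daemon'  => '',
    'stats'   => 'socket /var/lib/haproxy/stats user root group root mode 0600 level admin'
  },
  $http_options                = {
    'balance' => 'leastconn',
    'option'  => [
      'tcplog',
    ],
  },
  $https_options               = {
    'balance' => 'leastconn',
    'option'  => [
      'tcplog',
    ],
  },
) {

  # Presumably installed for operators: socat to talk to the haproxy stats
  # socket and lsof to inspect open sockets -- TODO confirm.
  package { 'socat':
    ensure => present,
  }

  package { 'lsof':
    ensure => present,
  }

  class { '::haproxy':
    enable           => true,
    global_options   => $global_options,
    defaults_options => $defaults_options,
  }

  # NOTE(cmurphy) If the only available ipv6 address is a link-local address,
  # facter won't filter it out:
  # https://docs.puppet.com/facter/3.1/release_notes.html#regression-fix-avoid-reporting-link-local-ipv6-addresses-if-a-valid-address-is-available
  # But we don't want haproxy to try to bind to a link local address, so filter
  # it out
  #
  # The presence test comes first because the Puppet 4 evaluator rejects a
  # non-String left operand of =~, so a node with no ipaddress6 fact would
  # otherwise fail catalog compilation instead of simply getting no IPv6
  # listener.
  # NOTE(review): link-local is fe80::/10 (fe80 through febf); this pattern
  # also matches fec0 through feff, and is case-sensitive. Confirm the wider
  # match is intended.
  if $::ipaddress6 and $::ipaddress6 =~ /^fe[89a-f]/ {
    $_ipaddress6 = undef
  } else {
    $_ipaddress6 = $::ipaddress6
  }
  # The three listen defines here are what the world will hit.
  # The bind addresses come straight from facts, with undef entries dropped.
  $haproxy_addresses = delete_undef_values([$::ipaddress, $_ipaddress6])

  # All three listeners run in tcp mode, so haproxy forwards the byte stream
  # without parsing it; for port 443 that means TLS is not terminated here.
  # collect_exported is false: members are the balancermember resources
  # declared below, not exported resources collected from other nodes.
  haproxy::listen { 'balance_git_http':
    ipaddress        => $haproxy_addresses,
    ports            => ['80'],
    mode             => 'tcp',
    collect_exported => false,
    options          => $http_options,
  }
  haproxy::listen { 'balance_git_https':
    ipaddress        => $haproxy_addresses,
    ports            => ['443'],
    mode             => 'tcp',
    collect_exported => false,
    options          => $https_options,
  }
  haproxy::listen { 'balance_git_daemon':
    ipaddress        => $haproxy_addresses,
    ports            => ['9418'],
    mode             => 'tcp',
    collect_exported => false,
    options          => $git_options,
  }

  # Backend members: the same names and addresses serve all three listeners,
  # only the member port differs.
  haproxy::balancermember { 'balance_git_http_member':
    listening_service => 'balance_git_http',
    server_names      => $balancer_member_names,
    ipaddresses       => $balancer_member_ips,
    ports             => $balancer_member_http_ports,
  }
  haproxy::balancermember { 'balance_git_https_member':
    listening_service => 'balance_git_https',
    server_names      => $balancer_member_names,
    ipaddresses       => $balancer_member_ips,
    ports             => $balancer_member_https_ports,
  }
  haproxy::balancermember { 'balance_git_daemon_member':
    listening_service => 'balance_git_daemon',
    server_names      => $balancer_member_names,
    ipaddresses       => $balancer_member_ips,
    ports             => $balancer_member_git_ports,
    options           => 'maxqueue 512',
  }

  # Declare rsyslog only if nothing else has yet. defined() depends on
  # evaluation order, so a later declaration of Service['rsyslog'] elsewhere
  # would still conflict with this one.
  if (!defined(Service['rsyslog'])) {
    service { 'rsyslog':
      ensure => running,
      enable => true,
    }
  }

  # Root-owned, world-readable rsyslog drop-in for haproxy; a change to the
  # file refreshes the rsyslog service.
  file { '/etc/rsyslog.d/haproxy.conf':
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/cgit/rsyslog.haproxy.conf',
    notify => Service['rsyslog'],
  }
}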