initial checkin

README.md

@@ -0,0 +1,4 @@
+# Description
+Configures and sets up the MON api. Includes attributes for log backups, ossec file watching and ossec rules.
+Also included is an icinga check for the service health check.
+

attributes/backup.rb

@@ -0,0 +1,2 @@
+# Logs to backup
+node.default[:mon_log_backup][:logs][:som_api] = [ '/var/log/som-api/' ]

attributes/default.rb

@@ -0,0 +1,2 @@
+node.default[:som_api][:group] = 'som_api'
+node.default[:som_api][:owner] = 'som_api'

attributes/ufw.rb

@@ -0,0 +1,14 @@
+default[:som_api][:firewall][:rules] = [
+  :https => {
+    :port => "443",
+    :protocol => "tcp"
+  },
+  :https_8080 => {
+    :port => "8080",
+    :protocol => "tcp"
+  },
+  :http_8081 => {
+    :port => "8081",
+    :protocol => "tcp"
+  }
+]

metadata.rb

@@ -0,0 +1,7 @@
+name             'mon_api'
+maintainer       "MON Team"
+maintainer_email "hpcs-mon-som@hp.com"
+license          "All rights reserved"
+description      "Installs/Configures mon_api"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version          "0.0.1"

recipes/default.rb

@@ -0,0 +1,60 @@
+#require 'zlib'
+
+package 'mon-api' do
+  action :upgrade
+end
+
+service 'mon-api' do
+  action :enable
+  provider Chef::Provider::Service::Upstart
+end
+
+directory "/var/log/mon-api" do
+    recursive true
+    owner node[:mon_api][:owner]
+    group node[:mon_api][:group]
+    mode 0755
+    action :create
+end
+
+# Create the config file
+template '/etc/mon/mon-api-config.yml' do
+  action :create
+  owner 'root'
+  group node[:mon_api][:group]
+  mode '640'
+  source "service-config.yml.erb"
+  variables(
+    :creds => creds,
+    :keystore_pass => keystore_pass
+  )
+  notifies :restart, "service[som-api]"
+end
+
+
+credentials = data_bag_item(node[:mon_api][:data_bag], 'mon_credentials')
+setting = data_bag_item(node[:mon_api][:data_bag], 'mon_api')
+
+cookbook_file "/etc/ssl/hpmiddleware-keystore.jks" do 
+  source creds[:keystore_file]
+  owner 'root'
+  group node[:mon_api][:group]
+  mode '640'
+end
+
+cookbook_file "/etc/ssl/hpmiddleware-truststore.jks" do 
+  source "hpmiddleware-truststore.jks"
+  owner 'root'
+  group node[:mon_api][:group]
+  mode '640'
+end
+
+
+# Until dropwizard 0.7.0 there is no support for running on a privileged port as an unprivleged user, I work around this via ufw rules
+bash "nat 443 to 8080" do
+  action :run
+  code 'echo -e "*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080\nCOMMIT" >> /etc/ufw/before.rules'
+  not_if "grep 'to-port 8080' /etc/ufw/before.rules"
+  notifies :restart, "service[ufw]"
+end
+

templates/default/ehCacheConfig.xml.erb

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ehcache name="MiddlewareCache">
+
+      <defaultCache
+          maxElementsInMemory="10000"
+          eternal="false"
+          timeToIdleSeconds="120"
+          timeToLiveSeconds="120"
+          overflowToDisk="true"
+          diskSpoolBufferSizeMB="30"
+          maxElementsOnDisk="10000000"
+          diskPersistent="false"
+          diskExpiryThreadIntervalSeconds="120"
+          memoryStoreEvictionPolicy="LRU"/>
+
+      <cache name="TokenCache"
+             maxElementsInMemory="100"
+             maxElementsOnDisk="0"
+             eternal="false"
+             timeToIdleSeconds="120"
+             timeToLiveSeconds="120"
+             memoryStoreEvictionPolicy="LFU">
+      </cache>
+
+</ehcache>

templates/default/mon-service-config.yml.erb

@@ -0,0 +1,68 @@
+# Whether this server is running on a secure port
+accessedViaHttps: false
+
+# Cloud service integration information
+cloudServices:
+  hpcs.compute:
+    version: 2 #1.1
+    # API URL format with an optional placeholder for AZ
+    urlFormat: https://region-b.geo-1.compute.hpcloudsvc.com/v2 # https://region-a.geo-1.compute.hpcloudsvc.com/v1.1
+    port: 80
+  hpcs.object-store:
+    version: 1.0
+    urlFormat: https://region-a.geo-1.objects.hpcloudsvc.com/v1.0 # https://region-a.geo-1.compute.hpcloudsvc.com/v1
+    port: 80
+
+# Identity (Control services)
+identityService:
+  url: <%=@creds['identyService']['url']%> #https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/tokens
+  username: <%=username%>
+  password: <%=password%>
+  tenantId: <%=tenantId%> 
+
+# Topic for publishing metrics to
+metricsTopic: metrics
+
+# Topic for publishing domain events to
+eventsTopic: events
+
+kafka:
+  brokerUris: 
+    - <%=@settings['kafka']['hostname']%>:9092
+  zookeeperUris:
+    - <%=@settings['kafka']['hostname']%>:2181
+  healthCheckTopic: healthcheck
+
+database:
+  driverClass: com.mysql.jdbc.Driver
+  url: jdbc:mysql://<%= @creds['mysql']['hostname']%>:3306/<%=@creds['mysql']['schema']%>?connectTimeout=5000&autoReconnect=true
+  user: <%=@creds['mysql']['username'] %>
+  password: <%=@creds['mysql']['password'] %> 
+  maxWaitForConnection: 1s
+  validationQuery: "/* MyService Health Check */ SELECT 1"
+  minSize: 8
+  maxSize: 32
+  checkConnectionWhileIdle: false
+
+jerseyClient:
+  gzipEnabledForRequests: false
+
+middleware:
+  enabled: false
+  serviceIds: 100
+  endpointIds: 160
+  serverVIP: <%= @creds['middleware']['vip']%>
+  serverPort: 9543
+  connTimeout: 500
+  connSSLClientAuth: true
+  keystore: /etc/ssl/hpmiddleware-keystore.jks
+  keystorePass: changeit
+  truststore: /etc/ssl/hpmiddleware-truststore.jks
+  truststorePass: <%= @creds['middleware']['truststore_password'] %>
+  connPoolMaxActive: 3
+  connPoolMaxIdle: 3
+  connPoolEvictPeriod: 600000
+  connPoolMinIdleTime: 600000
+  connRetryTimes: 2
+  connRetryInterval: 50
+  rolesToMatch: [user, domainuser, domainadmin]

templates/default/service-config.yml.erb

@@ -0,0 +1,92 @@
+repositoryType: vertica
+useMiddleware: true
+
+roles:
+   users: [som-user,monitoring-user]
+   delegates: [som-delegate,monitoring-delegate]
+
+http:
+  port: 8080 #Note that until dropwizard 0.7.0 there is no support for privileged ports
+  adminPort: 8081
+  maxThreads: 1024
+  minThreads: 32
+  connectorType: nonblocking+ssl
+
+  contextParameters:
+     ServerVIP: <%= @creds[:context_params][:server_vip] %>
+     ServerPort: 35357
+     ConnTimeout: 500
+     ServiceIds: 230,260
+     Endpoints: 2301,2601,2602
+     ConnSSLClientAuth: True
+     Keystore: /etc/ssl/hpmiddleware-keystore.jks
+     KeystorePass: <%= @creds[:context_params][:keystore_password]%>
+     Truststore: /etc/ssl/hpmiddleware-truststore.jks
+     TruststorePass: <%= @creds[:context_params][:truststore_password] %> 
+     ConnPoolMaxActive: 3
+     ConnPoolMaxIdle: 3
+     ConnPoolEvictPeriod: 60000
+     ConnPoolMinIdleTime: 90000
+     DelayAuthDecision: False
+     AuthVersion: v3
+     EHCacheConfig: ehCacheConfig.xml
+  ssl:
+    keyStore: /etc/ssl/som-api-keystore.jks
+    keyStorePassword: <%= @keystore_pass %>
+    supportedProtocols: ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
+
+  requestLog:
+    console:
+      enabled: false
+    file:
+      enabled: true
+      currentLogFilename: /var/log/som-api/requests.log
+      archivedLogFilenamePattern: /var/log/som-api/requests-%d.log.gz
+      archivedFileCount: 32
+
+database:
+  driverClass: com.vertica.jdbc.Driver
+  url: jdbc:vertica://<%= @creds[:db][:host][node[:fqdn]] %>:5433/som
+  user: <%= @creds[:db][:user] %>
+  password: "<%= @creds[:db][:password] %>"
+  properties:
+    charSet: UTF-8
+    ssl: true
+
+  # The maximum amount of time to wait on an empty pool before throwing an exception
+  maxWaitForConnection: 1s
+
+  # The SQL vertica to run when validating a connection's liveness
+  validationQuery: "/* MyService Health Check */ SELECT 1"
+
+  # The minimum number of connections to keep open
+  minSize: 8
+
+  # The maximum number of connections to keep open
+  maxSize: 64
+
+  # Whether or not idle connections should be validated
+  checkConnectionWhileIdle: false
+
+  # How long a connection must be held before it can be validated
+  checkConnectionHealthWhenIdleFor: 10s
+
+  # The maximum lifetime of an idle connection
+  closeConnectionIfIdleFor: 1 minute
+
+logging:
+  # Options: DEBUG, TRACE, WARN, INFO
+  level: INFO
+
+  console:
+    enabled: false
+
+  file:
+    enabled: true
+    # Do not write log statements below this threshold to the file
+    threshold: ALL
+    # The file to which statements will be logged
+    currentLogFilename: /var/log/som-api/som-api.log
+    archivedLogFilenamePattern: /var/log/som-api/som-api%d.log.gz
+    # The maximum number of log files to archive
+    archivedFileCount: 10