Merge pull request #122 from edx/feanil/ansible_xserver

Feanil/ansible xserver

Merge pull request #122 from edx/feanil/ansible_xserver
Feanil/ansible xserver
cc5be387 · Feanil Patel · 8c19e065 · b88fa2ea · cc5be387 · cc5be387
Commit cc5be387 authored Jun 21, 2013 by Feanil Patel
15 changed files
--- a/playbooks/edx-east/feanil_deploy.yml
+++ b/playbooks/edx-east/feanil_deploy.yml
+---
 - hosts: tag_aws_cloudformation_stack-name_feanilpractice:&tag_group_edxapp
  sudo: True
  vars_files:
@@ -7,3 +8,13 @@
    - common
    - nginx
    - edxapp
+- hosts: tag_aws_cloudformation_stack-name_feanilpractice:&tag_group_xserver
+  sudo: True
+  vars_files:
+    - "{{ secure_dir }}/vars/edxapp_continuous_integration_vars.yml"
+    - "{{ secure_dir }}/vars/users.yml"
+  roles:
+    - common
+    - nginx
+    - xserver
--- a/playbooks/roles/common/files/git_ssh.sh
+++ b/playbooks/roles/common/files/git_ssh.sh
+#!/bin/sh
+exec /usr/bin/ssh -o StrictHostKeyChecking=no -i /etc/git-identity "$@"
--- a/playbooks/roles/common/tasks/main.yml
+++ b/playbooks/roles/common/tasks/main.yml
@@ -37,6 +37,7 @@
  - rsyslog
  - screen
  - tree
+  - git
  tags:
  - pre_install
  - update
@@ -77,6 +78,24 @@
  - logging
  - update
+# Install ssh keys for ubuntu account to be able to check out from edx-platform
+# Temprory behavior, not needed after June 1. Perhaps still useful as a recipe.
+# {{ secure_dir }} is relative to the top-level playbooks dir so there is some
+- name: install read-only ssh key for edx-platform repo (private)
+  copy: src={{ secure_dir }}/files/git-identity dest=/etc/git-identity force=yes owner=ubuntu group=adm mode=600
+  tags:
+  - lms
+  - cms
+  - update
+- name: upload ssh script
+  copy: src=git_ssh.sh dest=/tmp/git_ssh.sh force=yes owner=root group=adm mode=750
+  tags:
+  - lms
+  - cms
+  - update
 - include: create_venv.yml
 - include: edx_logging_base.yml

--- a/playbooks/roles/edxapp/tasks/main.yml
+++ b/playbooks/roles/edxapp/tasks/main.yml
@@ -28,13 +28,6 @@
  - lms-env
  - update
-# Check out edx-platform repo to $app_base_dir
- name: install git and its recommends
-  apt: pkg=git state=present install_recommends=yes 
-  tags:
-  - lms
-  - cms
 - name: install a bunch of system packages on which LMS and CMS rely
  apt: pkg={{item}} state=present
  with_items: lms_debian_pkgs

--- a/playbooks/roles/edxapp/vars/main.yml
+++ b/playbooks/roles/edxapp/vars/main.yml
@@ -73,7 +73,6 @@ lms_debian_pkgs:
  - gcc
  - gfortran
  - ghostscript
-  - git
  - github-cli
  - graphviz
  - graphviz-dev

--- a/playbooks/roles/xserver/files/sandbox.conf
+++ b/playbooks/roles/xserver/files/sandbox.conf
+sandbox       hard   core  0
+sandbox       hard   data  100000
+sandbox       hard   fsize 10000
+sandbox       hard   memlock 10000
+sandbox       hard   nofile 20
+sandbox       hard   rss    10000
+sandbox       hard   stack  100000
+sandbox       hard   cpu    0
+sandbox       hard   nproc  8
+sandbox       hard   as     32000
+sandbox       hard   maxlogins  1
+sandbox       hard   priority  19
+sandbox       hard   locks     4
+sandbox       hard   sigpending  100
+sandbox       hard   msgqueue  100000
+sandbox       hard   nice     19
--- a/playbooks/roles/xserver/handlers/main.yml
+++ b/playbooks/roles/xserver/handlers/main.yml
+- name: restart nginx
+  service: name=nginx state=restarted
--- a/playbooks/roles/xserver/tasks/deploy.yml
+++ b/playbooks/roles/xserver/tasks/deploy.yml
+- name: stop xserver
+  service: name=xserver state=stopped
+  tags:
+  - deploy
+- name: checkout code
+  git: dest={{ xserver_code_dir }} repo={{ xserver_source_repo }} version={{ xserver_version }}
+  tags:
+  - deploy
+- name: install requirements
+  pip: requirements="{{ xserver_requirements_file }}" virtualenv="{{ venv_dir }}" state=present
+  tags:
+  - deploy
+- name: install sandbox requirements
+  pip: requirements="{{ xserver_requirements_file }}" virtualenv="{{ xserver_sandbox_venv_dir }}" state=present
+  tags:
+  - deploy
+- name: create xserver application config
+  template: src=xserver.env.json.j2 dest={{ app_base_dir }}/env.json mode=640 owner=www-data group=adm
+  tags:
+  - deploy
+- name: checkout grader code
+  git: dest={{ xserver_grader_dir }} repo={{ xserver_grader_source }} version={{ xserver_grader_version }}
+  environment:
+    GIT_SSH: /tmp/git_ssh.sh
+  tags:
+  - deploy
+- name: start xserver
+  service: name=xserver state=started
+  tags:
+  - deploy
--- a/playbooks/roles/xserver/tasks/main.yml
+++ b/playbooks/roles/xserver/tasks/main.yml
+# Provision and bring up xserver
+---
+- name: ensure sandbox group exists
+  group: name=sandbox
+- name: ensure sandbox user exists
+  user: name=sandbox group=sandbox
+- name: create sandbox python directory
+  file: path={{ xserver_sandbox_venv_dir }} owner=ubuntu group=adm mode=2775 state=directory
+- name: create sandbox python
+  command: /usr/local/bin/virtualenv {{ xserver_sandbox_venv_dir }} --distribute creates={{ xserver_sandbox_venv_dir }}/bin/activate
+# Make sure this line is in the common-session file.
+- name: ensure pam-limits module is loaded
+  lineinfile:
+    dest=/etc/pam.d/common-session
+    regexp="session required pam_limits.so"
+    line="session required pam_limits.so"
+- name: set sandbox limits
+  copy: src={{ item }} dest=/etc/security/limits.d/sandbox.conf
+  first_available_file:
+  - "{{ secure_dir }}/sandbox.conf"
+  - "sandbox.conf"
+- name: ensure apparmor package
+  apt: pkg=apparmor-utils state=present
+- name: load python-sandbox apparmor profile
+  template: src={{ item }} dest=/etc/apparmor.d/edx_apparmor_sandbox
+  first_available_file:
+  - "{{ secure_dir }}/files/edx_apparmor_sandbox.j2"
+  - "usr.bin.python-sandbox.j2"
+- name: enforce app-armor rules
+  command: aa-enforce {{ xserver_sandbox_venv_dir }}
+- name: setup upstart script
+  template: src=xserver.conf.j2 dest=/etc/init/xserver.conf owner=root group=root
+- name: install system dependencies of xserver
+  apt: pkg={{ item }} state=present
+  with_items: xserver_debian_pkgs
+- include: nginx.yml
+- include: deploy.yml
--- a/playbooks/roles/xserver/tasks/nginx.yml
+++ b/playbooks/roles/xserver/tasks/nginx.yml
+- name: add xserver nginx configuration
+  template: src=simple-proxy.j2 dest=/etc/nginx/sites-available/simple-proxy
+  notify:
+  - restart nginx
+- name: enable xserver nginx configuration
+  file: src=/etc/nginx/sites-available/simple-proxy dest=/etc/nginx/sites-enabled/simple-proxy state=link
+  notify:
+  - restart nginx
--- a/playbooks/roles/xserver/templates/simple-proxy.j2
+++ b/playbooks/roles/xserver/templates/simple-proxy.j2
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+upstream app_server {
+    # For a TCP configuration:
+    server 127.0.0.1:{{ xserver_port }} fail_timeout=0;
+}
+server {
+  listen {{ xserver_nginx_port }} default_server;
+  location / {
+    try_files $uri @proxy_to_app;
+  }
+location @proxy_to_app {
+    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
+    proxy_set_header X-Forwarded-For $http_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_redirect off;
+    proxy_pass http://app_server;
+  }
+}
--- a/playbooks/roles/xserver/templates/usr.bin.python-sandbox.j2
+++ b/playbooks/roles/xserver/templates/usr.bin.python-sandbox.j2
+#include <tunables/global>
+/usr/bin/python-sandbox {
+  #include <abstractions/base>
+  /usr/bin/python-sandbox mr,
+  /usr/include/python2.7/** r,
+  /usr/local/lib/python2.7/** r,
+  /usr/lib/python2.7** rix,
+  /tmp/** rix,
+}
--- a/playbooks/roles/xserver/templates/xserver.conf.j2
+++ b/playbooks/roles/xserver/templates/xserver.conf.j2
+# gunicorn
+description "gunicorn server"
+author "Calen Pennington <cpennington@mitx.mit.edu>"
+start on started edxapp
+stop on stopped edxapp
+respawn
+respawn limit 3 30
+env PID=/var/tmp/xserver.pid
+env NEW_RELIC_CONFIG_FILE={{ app_base_dir }}/newrelic.ini
+env NEWRELIC={{ venv_dir }}/bin/newrelic-admin
+env WORKERS={{ ansible_processor|length }}
+env PORT={{ xserver_port }}
+env LANG=en_US.UTF-8
+env DJANGO_SETTINGS_MODULE=xserver_aws_settings
+env SERVICE_VARIANT="xserver"
+chdir {{ xserver_code_dir }}
+setuid www-data
+exec {{ venv_dir }}/bin/gunicorn --preload -b 127.0.0.1:$PORT -w $WORKERS --timeout=30 --pythonpath={{ xserver_code_dir }} pyxserver_wsgi:application
--- a/playbooks/roles/xserver/templates/xserver.env.json.j2
+++ b/playbooks/roles/xserver/templates/xserver.env.json.j2
+{{ xserver_env_config | to_nice_json }} 
--- a/playbooks/roles/xserver/vars/main.yml
+++ b/playbooks/roles/xserver/vars/main.yml
+# Variables for the xserver.
+---
+xserver_code_dir: "{{ app_base_dir }}/xserver"
+xserver_source_repo: "git://github.com/edx/xserver.git"
+# This should probably be overridden in the playbook or groupvars
+# with the default pointing to the head of master.
+xserver_version: HEAD
+xserver_grader_dir: "{{ app_base_dir }}/data/content-mit-600x~2012_Fall"
+xserver_grader_source: "git@github.com:/MITx/6.00x.git"
+xserver_grader_version: HEAD
+xserver_sandbox_venv_dir: "{{ venv_dir }}_apparmor_sandbox"
+xserver_requirements_file: "{{ xserver_code_dir }}/requirements.txt"
+xserver_port: 8050
+xserver_nginx_port: 18050
+xserver_debian_pkgs:
+  - build-essential
+  - gcc
+  - gfortran
+  - liblapack-dev
+  - libxml++2.6-dev
+  - libxml2-dev
+  - libxml2-utils
+  - libxslt1-dev
+  - python-dev