Fixes #13431 - Apache changes for pulp 2.8

Includes updates for docker/nodes/ostree/puppet and rpm

manifests/apache.pp

@@ -72,6 +72,8 @@
   }
 
   if $pulp::manage_httpd or $pulp::manage_plugins_httpd {
+    pulp::apache_plugin {'content' : vhosts80 => false}
+
     file { '/etc/pulp/vhosts80/':
       ensure => directory,
       owner  => 'apache',

manifests/init.pp

@@ -31,6 +31,9 @@
 #
 # $broker_use_ssl::             Require SSL if set to 'true', otherwise do not require SSL.
 #
+# $tasks_login_method::         Select the SASL login method used to connect to the broker. This should be left
+#                               unset except in special cases such as SSL client certificate authentication.
+#
 # $ca_cert::                    full path to the CA certificate that will be used to sign consumer
 #                               and admin identification certificates; this must match the value of
 #                               SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf
@@ -64,6 +67,14 @@
 #                               certificates, which are used to validate certificates passed from the other end
 #                               of the connection.
 #
+# $db_unsafe_autoretry:         If true, retry commands to the database if there is a connection error.
+#                               Warning: if set to true, this setting can result in duplicate records.
+#
+# $db_write_concern:            Write concern of 'majority' or 'all'. When 'all' is specified, 'w' is set to
+#                               number of seeds specified. For version of MongoDB < 2.6, replica_set must also
+#                               be specified. Please note that 'all' will cause Pulp to halt if any of the
+#                               replica set members is not available. 'majority' is used by defau
+#
 # $server_name::                hostname the admin client and consumers should use when accessing
 #                               the server; if not specified, this is defaulted to the server's hostname
 #
@@ -76,6 +87,8 @@
 # $log_level::                  The desired logging level. Options are: CRITICAL, ERROR, WARNING, INFO, DEBUG,
 #                               and NOTSET. Pulp will default to INFO.
 #
+# $server_working_directory::   Path to where pulp workers can create working directories needed to complete tasks
+#
 # $rsa_key::                    The RSA private key used for authentication.
 #
 # $rsa_pub::                    The RSA public key used for authentication.
@@ -133,6 +146,10 @@
 # $messaging_topic_exchange::   The name of the exchange to use. The exchange must be a topic exchange. The
 #                               default is 'amq.topic', which is a default exchange that is guaranteed to exist on a Qpid broker.
 #
+# $messaging_event_notifications_enabled:: Enables or disables Pulp event notfications on the message bus. Defaults to 'false'.
+#
+# $messaging_event_notification_url:: The AMQP URL for event notifications. Defaults to 'qpid://localhost:5672/'.
+#
 # $email_host::                 host name of the MTA pulp should relay through
 #
 # $email_port::                 destination port to connect on
@@ -142,6 +159,29 @@
 # $email_enabled::              boolean controls whether or not emails will be sent
 #                               type:boolean
 #
+# $lazy_enabled::               boolean controls whether redirect is enabled
+#
+# $lazy_redirect_host::         The host FQDN or IP to which requests are redirected.
+#
+# $lazy_redirect_port::         The TCP port to which requests are redirected
+#
+# $lazy_redirect_path::         The base path to which requests are redirected
+#
+# $lazy_https_retrieval::       boolean; controls whether Pulp uses HTTPS or HTTP to
+#                               retrieve content from the streamer.
+#                               WARNING: Setting this to 'false' is not safe if you wish
+#                               to use Pulp to provide repository entitlement
+#                               enforcement. It is strongly recommended to keep
+#                               this set to 'true' and use certificates that are
+#                               signed by a trusted authority on the web server
+#                               that serves as the streamer reverse proxy.
+#
+# $lazy_download_interval::     The interval in minutes between checks for content cached
+#                               by the Squid proxy.
+#
+# $lazy_download_concurrency:   The number of downloads to perform concurrently when
+#                               downloading content from the Squid cache.
+#
 # $proxy_url::                  URL of the proxy server
 #
 # $proxy_port::                 Port the proxy is running on
@@ -223,13 +263,16 @@
   $db_ssl_certfile           = $pulp::params::db_ssl_certfile,
   $db_verify_ssl             = $pulp::params::db_verify_ssl,
   $db_ca_path                = $pulp::params::db_ca_path,
+  $db_unsafe_autoretry       = $pulp::params::db_unsafe_autoretry,
+  $db_write_concern          = $pulp::params::db_write_concern,
   $server_name               = $pulp::params::server_name,
   $key_url                   = $pulp::params::key_url,
   $ks_url                    = $pulp::params::ks_url,
   $default_login             = $pulp::params::default_login,
   $default_password          = $pulp::params::default_password,
   $debugging_mode            = $pulp::params::debugging_mode,
   $log_level                 = $pulp::params::log_level,
+  $server_working_directory  = $pulp::params::server_working_directory,
   $rsa_key                   = $pulp::params::rsa_key,
   $rsa_pub                   = $pulp::params::rsa_pub,
   $ca_cert                   = $pulp::params::ca_cert,
@@ -250,12 +293,22 @@
   $messaging_ca_cert         = $pulp::params::messaging_ca_cert,
   $messaging_client_cert     = $pulp::params::messaging_client_cert,
   $messaging_topic_exchange  = $pulp::params::messaging_topic_exchange,
+  $messaging_event_notifications_enabled = $pulp::params::messaging_event_notifications_enabled,
+  $messaging_event_notification_url = $pulp::params::messaging_event_notification_url,
   $broker_url                = $pulp::params::broker_url,
   $broker_use_ssl            = $pulp::params::broker_use_ssl,
+  $tasks_login_method        = $pulp::params::tasks_login_method,
   $email_host                = $pulp::params::email_host,
   $email_port                = $pulp::params::email_port,
   $email_from                = $pulp::params::email_from,
   $email_enabled             = $pulp::params::email_enabled,
+  $lazy_enabled              = $pulp::params::lazy_enabled,
+  $lazy_redirect_host        = $pulp::params::lazy_redirect_host,
+  $lazy_redirect_port        = $pulp::params::lazy_redirect_port,
+  $lazy_redirect_path        = $pulp::params::lazy_redirect_path,
+  $lazy_https_retrieval      = $pulp::params::lazy_https_retrieval,
+  $lazy_download_interval    = $pulp::params::lazy_download_interval,
+  $lazy_download_concurrency = $pulp::params::lazy_download_concurrency,
   $consumers_crl             = $pulp::params::consumers_crl,
   $reset_cache               = $pulp::params::reset_cache,
   $ssl_verify_client         = $pulp::params::ssl_verify_client,
@@ -298,6 +351,10 @@
   validate_bool($enable_parent_node)
   validate_bool($repo_auth)
   validate_bool($reset_cache)
+  validate_bool($db_unsafe_autoretry)
+  validate_bool($messaging_event_notifications_enabled)
+  validate_bool($lazy_enabled)
+  validate_bool($lazy_https_retrieval)
   validate_array($disabled_authenticators)
   validate_hash($additional_wsgi_scripts)
 

manifests/params.pp

@@ -13,12 +13,15 @@
   $db_ssl_certfile = undef
   $db_verify_ssl = true
   $db_ca_path = '/etc/pki/tls/certs/ca-bundle.crt'
+  $db_unsafe_autoretry = false
+  $db_write_concern = undef
 
   $server_name = downcase($::fqdn)
   $key_url = '/pulp/gpg'
   $ks_url = '/pulp/ks'
   $debugging_mode = false
   $log_level = 'INFO'
+  $server_working_directory = undef
 
   $rsa_key = '/etc/pki/pulp/rsa.key'
   $rsa_pub = '/etc/pki/pulp/rsa_pub.key'
@@ -38,9 +41,12 @@
   $messaging_ca_cert = undef
   $messaging_client_cert = undef
   $messaging_topic_exchange = 'amq.topic'
+  $messaging_event_notifications_enabled = false
+  $messaging_event_notifications_url = undef
 
   $broker_url = "qpid:///guest@${::fqdn}:5672"
   $broker_use_ssl = false
+  $tasks_login_method = undef
 
   $ca_cert = '/etc/pki/pulp/ca.crt'
   $ca_key = '/etc/pki/pulp/ca.key'
@@ -62,6 +68,14 @@
   $email_from = "no-reply@${::domain}"
   $email_enabled = false
 
+  $lazy_enabled = false
+  $lazy_redirect_host = downcase($::fqdn)
+  $lazy_redirect_port = undef
+  $lazy_redirect_path = '/streamer/'
+  $lazy_https_retrieval = false
+  $lazy_download_interval = 30
+  $lazy_download_concurrency = 5
+
   $consumers_crl = undef
 
   $manage_db = true

spec/classes/pulp_apache_spec.rb

@@ -69,7 +69,7 @@
       let :pre_condition do
         "class {'pulp': manage_httpd => false, manage_plugins_httpd => true, enable_rpm => true}"
       end
- 
+
        it { should_not contain_apache__vhost('pulp-http') }
        it { is_expected.to contain_file('/etc/httpd/conf.d/pulp_rpm.conf') }
     end
@@ -91,6 +91,39 @@
       end
     end
 
+    describe 'with manage_httpd true or manage_plugins_httpd true' do
+      let :pre_condition do
+        "class {'pulp': manage_httpd => true}"
+      end
+
+      it 'should configure pulp_content' do
+        is_expected.to contain_file('/etc/httpd/conf.d/pulp_content.conf').with(
+        :content => 'WSGISocketPrefix run/wsgi
+WSGIProcessGroup pulp-content
+WSGIApplicationGroup pulp-content
+WSGIScriptAlias /pulp/content /usr/share/pulp/wsgi/content.wsgi
+WSGIDaemonProcess pulp-content user=apache group=apache processes=3 display-name=%{GROUP}
+WSGIImportScript /usr/share/pulp/wsgi/content.wsgi process-group=pulp-content application-group=pulp-content
+
+<Files content.wsgi>
+    WSGIPassAuthorization On
+    WSGIProcessGroup pulp-content
+    WSGIApplicationGroup pulp-content
+    SSLRenegBufferSize  1048576
+    SSLVerifyDepth 9
+    SSLOptions +StdEnvVars +ExportCertData
+    SSLVerifyClient require
+</Files>
+
+<Location /pulp/content/>
+    XSendFile on
+    XSendFilePath /var/lib/pulp/content
+    XSendFilePath /var/lib/pulp/published
+</Location>
+')
+      end
+    end
+
     describe 'with enable_rpm' do
       let :pre_condition do
         "class {'pulp': enable_rpm => true}"
@@ -102,17 +135,32 @@
 # Apache configuration file for pulp web services and repositories
 #
 
-# -- HTTPS Repositories ---------
-Alias /pulp/repos /var/www/pub/yum/https/repos
+AddType application/x-pkcs7-crl .crl
+AddType application/x-x509-ca-cert .crt
+
+# -- Yum Repositories ---------
+#
+# This Location block replaces an `Alias` directive. In order to maintain
+# backwards compatibility with existing Yum repository configurations, this
+# block rewrites all requests to `/pulp/repos/` to the location of the WSGI
+# application, content.wsgi, provided by the Pulp platform. The content.wsgi
+# application adds support for downloading content on-demand.
+<Location /pulp/repos/>
+  RewriteEngine On
+  RewriteCond %{HTTPS} on
+  RewriteRule (.+/pulp/repos/)(.+) /pulp/content/var/www/pub/yum/https/repos/$2 [DPI]
+  RewriteCond %{HTTPS} off
+  RewriteRule (.+/pulp/repos/)(.+) /pulp/content/var/www/pub/yum/http/repos/$2 [DPI]
+</Location>
 
 # -- HTTPS Exports
 Alias /pulp/exports /var/www/pub/yum/https/exports
 
 <Directory /var/www/pub/yum/https>
-    WSGIAccessScript /srv/pulp/repo_auth.wsgi
+    WSGIAccessScript /usr/share/pulp/wsgi/repo_auth.wsgi
     SSLRequireSSL
     SSLVerifyClient require
-    SSLVerifyDepth 2
+    SSLVerifyDepth 9
     SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
     Options FollowSymLinks Indexes
 </Directory>
@@ -122,12 +170,11 @@
     Options FollowSymLinks Indexes
 </Directory>
 
-
 # -- HTTPS ISOS
 Alias /pulp/isos /var/www/pub/https/isos
 
 <Directory /var/www/pub/https/isos>
-    WSGIAccessScript /srv/pulp/repo_auth.wsgi
+    WSGIAccessScript /usr/share/pulp/wsgi/repo_auth.wsgi
     SSLRequireSSL
     SSLVerifyClient require
     SSLVerifyDepth 2
@@ -170,11 +217,24 @@
 
 # -- HTTPS Repositories ---------
 
-Alias /pulp/docker /var/www/pub/docker/web
+# This prevents mod_mime_magic from adding content-type and content-encoding headers, which will confuse the Docker
+# client.
+MimeMagicFile NEVER_EVER_USE
+
+# Docker v2
+Alias /pulp/docker/v2 /var/www/pub/docker/v2/web
+<Directory /var/www/pub/docker/v2/web>
+    Header set Docker-Distribution-API-Version "registry/2.0"
+    SSLRequireSSL
+    Options FollowSymlinks Indexes
+</Directory>
 
-<Location /var/www/pub/docker/web>
+# Docker v1
+Alias /pulp/docker/v1 /var/www/pub/docker/v1/web
+<Directory /var/www/pub/docker/v1/web>
+    SSLRequireSSL
     Options FollowSymLinks Indexes
-</Location>
+</Directory>
 ')
       end
     end
@@ -224,10 +284,12 @@
 # and so the following redirect will match any path that isn\'t the above.
 RedirectMatch ^\/?pulp_puppet\/forge\/[^\/]+\/[^\/]+\/(?!api\/v1\/releases\.json)(.*)$ /$1
 
-# for puppet < 3.3
-WSGIScriptAlias /api/v1 /srv/pulp/puppet_forge_pre33_api.wsgi
-# for puppet >= 3.3
-WSGIScriptAlias /pulp_puppet/forge /srv/pulp/puppet_forge_post33_api.wsgi
+WSGIDaemonProcess pulp_forge user=apache group=apache processes=3 display-name=%{GROUP}
+WSGIProcessGroup pulp_forge
+WSGIApplicationGroup pulp_forge
+WSGIScriptAlias /api/v1 /usr/share/pulp/wsgi/puppet_forge.wsgi process-group=pulp_forge application-group=pulp_forge
+WSGIScriptAlias /pulp_puppet/forge /usr/share/pulp/wsgi/puppet_forge.wsgi process-group=pulp_forge application-group=pulp_forge
+WSGIScriptAlias /v3 /usr/share/pulp/wsgi/puppet_forge.wsgi process-group=pulp_forge application-group=pulp_forge
 WSGIPassAuthorization On
 ')
 
@@ -259,6 +321,34 @@
       end
     end
 
+
+    describe 'with enable_ostree' do
+      let :pre_condition do
+        "class {'pulp': enable_ostree => true}"
+      end
+
+      it 'should configure apache for serving ostree' do
+        is_expected.to contain_file('/etc/httpd/conf.d/pulp_ostree.conf').with(
+        :content => '#
+# Apache configuration file for Pulp\'s OSTree support
+#
+
+# -- HTTPS Repositories ---------
+
+Alias /pulp/ostree /var/www/pub/ostree/
+
+<Directory /var/www/pub/ostree>
+    WSGIAccessScript /usr/share/pulp/wsgi/repo_auth.wsgi
+    SSLRequireSSL
+    SSLVerifyClient require
+    SSLVerifyDepth 2
+    SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
+    Options FollowSymLinks Indexes
+</Directory>
+')
+      end
+    end
+
     describe 'with enable_parent_node' do
       let :pre_condition do
         "class {'pulp': enable_parent_node => true}"
@@ -290,6 +380,17 @@
   SSLOptions +FakeBasicAuth
   SSLRequire %{SSL_CLIENT_S_DN_O} eq "PULP" and %{SSL_CLIENT_S_DN_OU} eq "NODES"
 </Directory>
+
+Alias /pulp/nodes/content /var/www/pulp/nodes/content
+
+<Directory /var/www/pulp/nodes/content >
+  Options FollowSymLinks Indexes
+  SSLRequireSSL
+  SSLVerifyClient require
+  SSLVerifyDepth  5
+  SSLOptions +FakeBasicAuth
+  SSLRequire %{SSL_CLIENT_S_DN_O} eq "PULP" and %{SSL_CLIENT_S_DN_OU} eq "NODES"
+</Directory>
 ')
       end
     end

templates/etc/httpd/conf.d/pulp_content.conf.erb

@@ -0,0 +1,22 @@
+WSGISocketPrefix run/wsgi
+WSGIProcessGroup pulp-content
+WSGIApplicationGroup pulp-content
+WSGIScriptAlias /pulp/content /usr/share/pulp/wsgi/content.wsgi
+WSGIDaemonProcess pulp-content user=apache group=apache processes=3 display-name=%{GROUP}
+WSGIImportScript /usr/share/pulp/wsgi/content.wsgi process-group=pulp-content application-group=pulp-content
+
+<Files content.wsgi>
+    WSGIPassAuthorization On
+    WSGIProcessGroup pulp-content
+    WSGIApplicationGroup pulp-content
+    SSLRenegBufferSize  1048576
+    SSLVerifyDepth 9
+    SSLOptions +StdEnvVars +ExportCertData
+    SSLVerifyClient <%= scope['pulp::ssl_verify_client'] %>
+</Files>
+
+<Location /pulp/content/>
+    XSendFile on
+    XSendFilePath /var/lib/pulp/content
+    XSendFilePath /var/lib/pulp/published
+</Location>