subspace 2.5.10 → 3.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 19de34c265cd2948a3dc40c63d8974f76e5a4ce63a014eb2fe19db81181cf2ea
-  data.tar.gz: efeab17b834a3e09270c9ae2a94976f635e92eb890ae218324029d11dc139a92
+  metadata.gz: df006855b51c155540821c2e5fd82968ebf79580e3e85f1149eeef576bb63672
+  data.tar.gz: 3548c10a76fa9117c130d73e198c42097373a1f3942f47fa47722741e2368f92
 SHA512:
-  metadata.gz: b1137de151178b6960cf83438b05b0ba674b7918b56387fd1dfc2932647231d2fdb5225dddbdbef47849c84aca0dd6b340124c917396cce4a4022fea31bf0417
-  data.tar.gz: a9a78b1cae0a192319455041009f0bbe0ba1f928262b96c8fe357dd21dc6b4d5557ce375988ce44735cdefedae7d5f83a98573e7d87394b27a1918976786a1fb
+  metadata.gz: c5ed6d9c43e07d68482e1481378e9295bda85c2b133cd50ac4fb18787c6d755945ca4f58c83031ade513e0d01233ee088032506d427f080a07730aaf9deb22df
+  data.tar.gz: 7d7779fe933a7297a4a682cc3a76fce740c74d2bd84306760ab7248e50c34251e3401039082900918a588660b1b82afd76b42072ae13bb23dafac37af2da4c9b

data/.ruby-version

@@ -1 +1 @@
-2.7.4
+3.1.0

data/CHANGELOG.md

@@ -11,16 +11,23 @@ This project attempts to follow [semantic versioning](https://semver.org/).
   * Stops showing color if you `sudo su`
 
 ## Unreleased
-## 2.5.10
-  * Backport the fix for ansible's change of get_url checksum arguments
 
-## 2.5.9
-  * backport disabling mitogen
+## 3.0.0rc1
+  * Added infrastructure management via Terraform!
+  * Added new `subspace exec` command for manual remote management
+  * BREAKING: Consolidated inventory file into config/provision/inventory.env.yml
+    * No more hosts file
+    * No more host_vars directory
+    * No more group_vars directory
+    * All of the host/group configuration is in that one file now!
+  * BREAKING: `subspace vars` is now `subspace secrets`
+  * BREAKING: sidekiq_concurrency renamed to sidekiq_workers, default changed from 10 -> 1
+  * BREAKING: swap_space variable must be defined for the `common` ansible role (previously defaulted to 512MB)
+  * BREAKING: removed defaults from rails, postgis, puma roles
 
 ## 2.5.8
   * Add a new role for configuring a monit-based resque server
   * Auto-detect mitogen for speed
-
 ## 2.5.7
   * Add ability to set the timezone for servers instead of forcing to Central Time
   * Update puma configuration to support puma 5 with puma-daemon

data/README.md

@@ -32,13 +32,23 @@ Or install it yourself as:
 
     $ gem install subspace
 
+### Mitogen
+Optionally, you can install a python/pip packaged called "Mitogen" which dramatically speeds up running ansible over ssh.  See [Here](https://github.com/mitogen-hq/mitogen/blob/master/docs/ansible_detailed.rst) for details.
+
+    pip install mitogen
+
+Subspace will try and detect if mitogen is present and use it can.  If mitogen causes problems (sometimes it can cause problems depending on the system versions, and particaularly when brand new versions of anible come up and it hasn't updated), you can disable it:
+
+    DISABLE_MITOGEN=1 subspace provision env
 ## Usage
 
 ### `subspace init`
 
-Initialize the project for subspace. Creates `config/provision` with all
+Initialize the project for subspace. Creates `config/subspace` with all
 necessary files.
 
+Subspace 3 supports terraform.  You will need to create an IAM user manually with administrative access to the target AWS environment for terraform.
+
 ### `subspace bootstrap <environment>`
 
 Ensures the $HOME/.ssh directory is present and ensures python is installed.
@@ -56,7 +66,7 @@ At the time of this writing, we pass through the `ansible-playbook` "tags" and
 "start-at-task" options. The tags option is probably the most useful.
 
 e.g. To run only the alienvault tasks (all of which have been tagged with the
-'alienvault' tag): `subspace provision dev --tags=alienvault`
+'alienvault' tag): `subspace provision staging --tags=alienvault`
 
 ### `subspace maintain <environment>`
 
@@ -109,7 +119,7 @@ ENABLE_SOME_FEATURE: false
 development:
   INSECURE_VARIABLE: "this isn't secret"
 
-dev:
+staging:
   INSECURE_VARIABLE: "but it changes"
 
 production:
@@ -119,7 +129,7 @@ production:
 
 Further, you can use the extremely command to create a local copy of `config/application.yml`
 
-    # Create a local copy of config/application.yml with the secrets encrypted in vars/development.yml
+    # Create a local copy of config/application.yml with the secrets encrypted in secrets/development.yml
     $ subspace vars development --create
 
 This can get you up and running in development securely, the only thing you need to distribute to new team members is the vault password.  Grab it from a teammate and put it into `config/provision/.vault_pass`
@@ -138,7 +148,7 @@ Then,
 
 If you get an error saying you need a vault password file, you should be able to find it in 1Password. You might also need to update `ansible`.
 
-You'll want to do this for each environment (ie: `subspace provision qa`, etc.). Best to start with dev and work your way up.
+You'll want to do this for each environment (ie: `subspace provision qa`, etc.). Best to start with staging and work your way up.
 
 # Host configuration
 
@@ -202,8 +212,7 @@ Aside from basic statistics like free memory, disk, load averages, etc, we have
 3. If nginx is installed, it will collect stats from the "status port"
 4. (TODO) add something for pumas
 5. (TODO) add something for sidekiq
-6. (TODO) add something for memcache
-7. If you're using our standard lograge format, you can enable lograge collection which will provide stats on request count and timers (db/view/total)
+6. If you're using our standard lograge format, you can enable lograge collection which will provide stats on request count and timers (db/view/total)
 
     rails_lograge: true
 
@@ -274,6 +283,14 @@ Installs logrotate and lets you configure logs for automatic rotation.  Example
 
 ## memcache
 
+Installs memcache on the server.  By default, memcache will only listen on localhost which needs to be changed if other servers needs to connect.
+
+    # Default Value
+    memcache_bind: "127.0.0.1"
+
+    # bind to all interfaces
+    memcache_bind: "0.0.0.0"
+
 ## monit
 
 ## mysql
@@ -286,6 +303,7 @@ Installs logrotate and lets you configure logs for automatic rotation.  Example
 This role will install the next-gen "Newrelic One" infrastructure agent which can perform a few different functions for newrelic.  The previous "newrelic" role is deprecated.
 
 Variables:
+
     # Required, the newrelic license key you get after signing up.
     newrelic_license: "longhashthingyougetfromnewrelichere"
     # Optional - send logs to newrelic one's log aggregator.
@@ -328,7 +346,14 @@ Optional variables:
 
 ## nodejs
 
-Used to install recent version of NodeJS. Must set `nodejs_version`. e.g. `nodejs_version: "8.x"`
+Used to install different versions of NodeJS. This uses NodeSource's apt repositories. You must define a variable called `nodejs_version` and choose a major version supported by NodeSource:
+
+    nodejs_version: 14.x
+    nodejs_version: 17.x
+    nodejs_version: lts
+    nodejs_version: current
+
+The full list of distributions is here: https://github.com/nodesource/distributions#installation-instructions
 
 ## papertrail
 
@@ -344,33 +369,42 @@ Used to install recent version of NodeJS. Must set `nodejs_version`. e.g. `nodej
     database_user: "{{project_name}}"
 
 ## puma
+Use the puma app server for your rails app.  Usually combined with nginx to server as a static file server and reverse proxy. 
 
-add puma gem to gemfile
-add config/puma to symlinks in deploy.rb
+**Prerequesites:**
+  - add `gem puma` to your gemfile
+  - add `config/puma/` to the `linked_dirs` config in capistrano's `deploy.rb`
 
+This role will generate a reasonable `puma.rb` and configure it to be controlled by systemd. 
+
+**Variables:**
+
+    puma_workers: 1        # Puma process count (usually == vCPU count)
+    puma_min_threads: 4    # Min threads/process
+    puma_max_threads: 16   # Max threads/process
 
 ## rails
 
 Provisions for a rails app.  This one is probably pretty important.
 
-Default values (these are usually fine)
+We no longer provider default values, so make sure to define all the following variables: 
 
+    rails_env: production
     database_pool: 5
     database_name: "{{project_name}}_{{rails_env}}"
     database_user: "{{project_name}}"
+    database_host: localhost
+    database_adapter: postgresql
+    database_password: # usually defined in the encrypted vault
     job_queues:
       - default
       - mailers
 
-Customize:
-
-    rails_env: [whatever]
-
 ## redis
 
 Installs redis on the server.
 
-    # Change to * if you want tthis available everywhere.
+    # Change to * if you want this available everywhere instead of localhost
     redis_bind: 127.0.0.1
 
 ## resque
@@ -381,12 +415,15 @@ Install monitoring and automatic startup for resque workers via monit. You MUST
       - default
       - mailers
       - exports
+
+    redis_bind: "*"
+
 ## ruby-common
 
 Installs ruby on the machine.  YOu can set a version by picking off the download url and sha hash from ruby-lang.org
 
     ruby_version: ruby-2.4.1
-    ruby_checksum: sha256:a330e10d5cb5e53b3a0078326c5731888bb55e32c4abfeb27d9e7f8e5d000250
+    ruby_checksum: a330e10d5cb5e53b3a0078326c5731888bb55e32c4abfeb27d9e7f8e5d000250
     ruby_download_location: 'https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.1.tar.gz'
     bundler_version: 2.0.1
 
@@ -395,13 +432,13 @@ Installs ruby on the machine.  YOu can set a version by picking off the download
 
 This will install a monit script that keeps sidekiq running.  We spawn one sidekiq instance that manages as many queues as you need.  Varaibles of note:
 
-    # Process these background job queues
+    # Process these queues on this server
     job_queues:
       - default
       - mailers
 
     # Number of sidekiq *processes* to run
-    sidekiq_concurrency: 1
+    sidekiq_workers: 1
 
 * Note that as of v0.4.13, we now also add a unique job queue for each host with its hostname.  This is handy if you need to assign a job to a specific host.  In general you should use named queues, but occasionally this is useful and there's no harm in having it there unused.
 
@@ -425,11 +462,7 @@ In order to dramatically speed up ansible, you can install Mitogen: https://gith
 
     pip install -g mitogen
 
-Subspace will automatically detect this and update your ansible.cfg file so it is blazing fast.  Sometimes this can cause issues with older servers that have weird pythons, so if you have mitogen installed locally but dont wan't to use it, you can set an environment variable:
-
-    DISABLE_MITOGEN=1 subspace provision staging
-
-
+Subspace will automatically detect this and update your ansible.cfg file so it is blazing fast.
 
 
 ## Directory Structure

data/UPGRADING.md

@@ -0,0 +1,10 @@
+# Subspace Upgrade Guide
+
+
+# 2.x -> 3.0
+
+- Run subspace init
+- Someone write subspace upgrade3 please
+
+# 2.x -> 2.y
+We strive to follow semver so upgrading from 2.x to 2.y should be safe.  However, since use of this tool can affect your production infrastructure, we highly recommend reviewing the [CHANGELOG](CHANGELOG.md) when upgrading.

data/ansible/roles/common/defaults/main.yml

@@ -1,5 +1,4 @@
 ---
-  swap_space: 512M
   deploy_user: deploy
   send_stats: false
   timezone: America/Chicago

data/ansible/roles/common/files/sudoers-service

@@ -1 +1 @@
-deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, /usr/sbin/service
+deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, /usr/sbin/service, /bin/systemctl

data/ansible/roles/common/tasks/main.yml

@@ -64,6 +64,14 @@
     tags:
       - maintenance
 
+  - name: apt-get update
+    apt: update_cache=yes cache_valid_time=86400
+    become: true
+    tags:
+      - upgrade
+      - maintenance
+    ignore_errors: yes
+
   - name: install aptitude
     apt:
       pkg: aptitude
@@ -72,12 +80,11 @@
     tags:
       - maintenance
 
-  - name: apt-get update
-    apt: update_cache=yes cache_valid_time=86400
-    become: true
-    tags:
-      - upgrade
-      - maintenance
+  - name: "Ensure systemd is installed"
+    apt:
+      name: systemd
+      state: latest
+      update_cache: yes
 
   - name: Add ppa:ondrej/nginx apt repository for TLS 1.3
     apt_repository:
@@ -276,7 +283,7 @@
 
   - name: Update authorized_keys for deploy user
     copy:
-      src: authorized_keys
+      src: templates/authorized_keys
       dest: "/home/{{deploy_user}}/.ssh/authorized_keys"
       owner: "{{deploy_user}}"
     become: true
@@ -320,3 +327,7 @@
       - stats
 
   - import_tasks: swap.yml
+    when: swap_space is defined
+
+  - import_tasks: no_swap.yml
+    when: swap_space is not defined

data/ansible/roles/common/tasks/no_swap.yml

@@ -0,0 +1,26 @@
+---
+- name: turn off swap
+  become: true
+  command: swapoff -a
+
+- name: set swapiness
+  become: true
+  sysctl:
+    name: vm.swappiness
+    value: "0"
+
+- name: delete swap file
+  become: true
+  file:
+    path: /swapfile
+    state: absent
+
+- name: remove from fstab
+  become: true
+  lineinfile:
+    dest: /etc/fstab
+    regexp: /swapfile
+    line: "/swapfile none swap sw 0 0"
+    state: absent
+
+

data/ansible/roles/common/templates/motd

@@ -8,6 +8,6 @@ This server brought to you by:
 ~~~ https://github.com/tenforwardconsulting/subspace ~~~
 
 If you need to make configuration changes to the server, please modify the
-config/provision directory in the app or risk the changes disappearing.
+config/subspace directory in the app or risk the changes disappearing.
 
 Last subspace run: {{ansible_date_time.iso8601}}

data/ansible/roles/common/templates/motd2

@@ -21,4 +21,4 @@
  https://github.com/tenforwardconsulting/subspace
 
 If you need to make configuration changes to the server, please modify the
-config/provision directory in the app or risk the changes dissapearing.
+config/subspace directory in the app or risk the changes dissapearing.

data/ansible/roles/delayed_job/tasks/main.yml

@@ -40,6 +40,6 @@
     pause:
       seconds: 3
 
-  - name: restart_monit
+  - name: restart monit services
     shell: monit restart all
     become: true

data/ansible/roles/memcache/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+  memcache_bind: 127.0.0.1

data/ansible/roles/memcache/tasks/main.yml

@@ -3,4 +3,19 @@
   apt: update_cache=yes cache_valid_time=86400
 
 - name: Install Memcached.
-  apt: name=memcached state=present
+  apt:
+    name: memcached
+    state: present
+
+- name: Configure memcache bind address
+  lineinfile:
+    path: /etc/memcached.conf
+    regex: "^(#\\s*)?-l"
+    state: present
+    line: "-l {{memcache_bind}}"
+
+- name: restart memcached
+  systemd:
+    name: memcached
+    state: restarted
+    enabled: yes

data/ansible/roles/newrelic-infra/tasks/main.yml

@@ -1,12 +1,12 @@
 ---
   - name: Add New Relic apt key
     apt_key:
-      url: https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg 
+      url: https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg
       state: present
     become: true
 
   - name: create license key
-    copy: 
+    copy:
       dest: "/etc/newrelic-infra.yml"
       content: |
         license_key: {{newrelic_license}}
@@ -27,7 +27,7 @@
   - name: Configure application log forwarding if enabled
     when: "{{ newrelic_logs|length }}"
     become: true
-    template: 
+    template:
       dest: "/etc/newrelic-infra/logging.d/subspace.yml"
       src: logs.yml.j2
     notify: Restart newrelic-infra

data/ansible/roles/nginx/tasks/main.yml

@@ -25,10 +25,19 @@
     state: link
   become: true
 
-- name: Restart nginx
-  action: service name=nginx state=restarted
+- name: Restart nginx (systemd)
   become: true
+  systemd:
+    state: restarted
+    daemon_reload: yes
+    name: nginx
+
+- name: Enable nginx to start on reboot
+  become: true
+  systemd:
+    name: nginx
+    enabled: true
 
 - name: Nginx is installed
   set_fact:
-    nginx_installed: true
+    nginx_installed: true

data/ansible/roles/puma/tasks/main.yml

@@ -6,31 +6,43 @@
   tags: puma
 
 - name: Add puma shared/config
-  template: src=puma.rb dest=/u/apps/{{project_name}}/shared/config/puma/{{rails_env}}.rb group=deploy owner=deploy force=yes mode=755
+  template:
+    src: puma.rb
+    dest: /u/apps/{{project_name}}/shared/config/puma/{{rails_env}}.rb
+    group: deploy
+    owner: deploy
+    force: yes
+    mode: 0755
   tags: puma
 
 - name: Make shared/tmp/sockets
   file: path=/u/apps/{{project_name}}/shared/tmp/sockets group=deploy owner=deploy state=directory
   tags: tmp
 
-- name: Install puma monit script
+- name: Install systemd script
+  become: true
+  template:
+    src: puma-systemd.service
+    dest: /etc/systemd/system/puma.service
+
+- name: Install systemd socket
+  become: true
   template:
-    src: puma-monit-rc
-    dest: /etc/monit/conf-available/puma_{{project_name}}_{{rails_env}}
-
-- name: Clean up old puma monit scripts
-  shell: rm -f /etc/monit/conf.d/puma_*
-
-- name: mkdir /etc/monit/conf-enabled
-  file:
-    path: /etc/monit/conf-enabled
-    state: directory
-
-- name: Enable puma monit script
-  file:
-    src: /etc/monit/conf-available/puma_{{project_name}}_{{rails_env}}
-    dest: /etc/monit/conf-enabled/puma_{{project_name}}_{{rails_env}}
-    state: link
-  notify:
-    - restart_monit
+    src: puma-systemd.socket
+    dest: /etc/systemd/system/puma.socket
+
+- name: enable systemd service
+  become: true
+  systemd:
+    name: puma.service
+    enabled: yes
+    daemon_reload: yes
+
+- name: disable systemd socket
+  become: true
+  systemd:
+    name: puma.socket
+    enabled: no
+    daemon_reload: yes
+
 

data/ansible/roles/puma/templates/puma-systemd.service

@@ -0,0 +1,36 @@
+[Unit]
+Description=Puma HTTP Server
+After=network.target
+
+# Uncomment for socket activation (see below)
+# Requires=puma.socket
+
+[Service]
+# Puma supports systemd's `Type=notify` and watchdog service
+# monitoring, if the [sd_notify](https://github.com/agis/ruby-sdnotify) gem is installed,
+# as of Puma 5.1 or later.
+# On earlier versions of Puma or JRuby, change this to `Type=simple` and remove
+# the `WatchdogSec` line.
+Type=simple
+
+# If your Puma process locks up, systemd's watchdog will restart it within seconds.
+# WatchdogSec=10
+
+# Preferably configure a non-privileged user
+User=deploy
+
+WorkingDirectory=/u/apps/{{project_name}}/current
+
+# Helpful for debugging socket activation, etc.
+# Environment=PUMA_DEBUG=1
+
+# SystemD will not run puma even if it is in your path. You must specify
+# an absolute URL to puma. For example /usr/local/bin/puma
+
+# Variant: Use `bundle exec --keep-file-descriptors puma` instead of binstub
+ExecStart=/usr/local/bin/bundle exec --keep-file-descriptors puma -C /u/apps/{{project_name}}/current/config/puma/{{rails_env}}.rb
+
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

data/ansible/roles/puma/templates/puma-systemd.socket

@@ -0,0 +1,14 @@
+# /etc/systemd/system/puma.socket
+
+[Unit]
+Description=Puma HTTP Server Accept Sockets
+
+[Socket]
+ListenStream=0.0.0.0:9292
+
+NoDelay=true
+ReusePort=true
+Backlog=1024
+
+[Install]
+WantedBy=sockets.target

data/ansible/roles/puma/templates/puma.rb

@@ -1,10 +1,14 @@
+{% if monit_installed is defined %}
 begin
   # Needed for Puma 5 + puma-damon, but built in to Puma 4
   # https://github.com/kigster/puma-daemon
+  # however not needed if we're using systemd which is the future
   require 'puma/daemon'
 rescue LoadError => e
+  daemonize
   # Puma 4 has `daemonize` built in
 end
+{% endif %}
 
 # Change to match your CPU core count
 workers {{puma_workers}}
@@ -23,8 +27,6 @@ bind "tcp://127.0.0.1:9292"
 # Logging
 stdout_redirect "#{app_dir}/log/puma.stdout.log", "#{app_dir}/log/puma.stderr.log", true
 
-# Set master PID and state locations
-daemonize
 pidfile "/u/apps/{{project_name}}/shared/tmp/pids/puma.pid"
 state_path "/u/apps/{{project_name}}/shared/tmp/pids/puma.state"
 activate_control_app

data/ansible/roles/rails/defaults/main.yml

@@ -1,9 +1,2 @@
 ---
-database_pool: 5
-database_name: "{{project_name}}_{{rails_env}}"
-database_user: "{{project_name}}"
-database_adapter: postgresql
-job_queues:
-  - default
-  - mailers
 send_stats: false

data/ansible/roles/redis/tasks/main.yml

@@ -5,6 +5,7 @@
       pkg: redis-server
       state: present
       update_cache: true
+
   - name: Set bind IP
     become: true
     lineinfile:
@@ -12,3 +13,9 @@
       regexp: '^bind '
       line: 'bind {{redis_bind}}'
       state: present
+
+  - name: restart redis
+    become: true
+    systemd:
+      name: redis
+      state: restarted

data/ansible/roles/resque/tasks/main.yml

@@ -1,15 +1,14 @@
 ---
-  - name: Install resque monit script
-    template:
-      src: resque-monit-rc
-      dest: /etc/monit/conf-available/resque_{{project_name}}_{{rails_env}}
+  - name: Install systemd resque script
     become: true
+    template:
+      src: resque-systemd.service
+      dest: /etc/systemd/system/resque.service
 
-  - name: Enable resque monit script
-    file:
-      src: /etc/monit/conf-available/resque_{{project_name}}_{{rails_env}}
-      dest: /etc/monit/conf-enabled/resque_{{project_name}}_{{rails_env}}
-      state: link
-    notify:
-      - reload_monit
-      - restart_monit
+  - name: Enable systemd resque service
+    become: true
+    systemd:
+      name: resque
+      daemon_reload: true
+      enabled: yes
+      state: started