From 0a1fbd509f287204cceaa175dc7c151f7cd0bdd8 Mon Sep 17 00:00:00 2001 From: Michal Konecny Date: Tue, 26 Mar 2024 15:14:32 +0100 Subject: [PATCH] [mailman3] Use gunicorn instead of apache Use apache only as reverse proxy, but run mailman-web through gunicorn. Signed-off-by: Michal Konecny --- playbooks/groups/mailman.yml | 1 + roles/mailman3/defaults/main.yml | 3 +- roles/mailman3/handlers/main.yml | 6 + roles/mailman3/tasks/main.yml | 149 ++++++------------ roles/mailman3/templates/apache.conf.j2 | 43 ----- roles/mailman3/templates/mailmanweb.conf.j2 | 12 ++ .../mailman3/templates/mailmanweb.service.j2 | 15 ++ 7 files changed, 84 insertions(+), 145 deletions(-) delete mode 100644 roles/mailman3/templates/apache.conf.j2 create mode 100644 roles/mailman3/templates/mailmanweb.conf.j2 create mode 100644 roles/mailman3/templates/mailmanweb.service.j2 diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index a98106c2cf..560666b1e4 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -109,6 +109,7 @@ mailman_hyperkitty_db_pass: "{{ mailman_hk_db_pass }}" mailman_hyperkitty_cookie_key: "{{ mailman_hk_cookie_key }}" mailman_hyperkitty_archiver_key: "{{ mailman_hk_stg_archiver_key }}" + mailman_httpd_hostname: lists.stg.fedoraproject.org when: env == "staging" - {role: fedmsg/base, when: env != "staging"} diff --git a/roles/mailman3/defaults/main.yml b/roles/mailman3/defaults/main.yml index 64f5731c4f..04556dfe30 100644 --- a/roles/mailman3/defaults/main.yml +++ b/roles/mailman3/defaults/main.yml @@ -26,6 +26,7 @@ mailman_hyperkitty_admin_db_pass: changeme mailman_hyperkitty_db_pass: changeme mailman_hyperkitty_cookie_key: changeme mailman_hyperkitty_archiver_key: changeme +mailman_gunicorn_workers: 4 mailman_domains: - lists.example.com - lists.example.org 
@@ -33,4 +34,4 @@ mailman_social_login: [] # Apache configuration # Use mailman-web wsgi for mailman3 -wsgi_dir: /usr/lib/python3.9/site-packages/mailman_web +mailman_httpd_hostname: lists.fedoraproject.org diff --git a/roles/mailman3/handlers/main.yml b/roles/mailman3/handlers/main.yml index 685b5fc917..980fe4f079 100644 --- a/roles/mailman3/handlers/main.yml +++ b/roles/mailman3/handlers/main.yml @@ -5,8 +5,14 @@ - name: reload apache service: name=httpd state=reloaded +- name: restart apache + service: name=httpd state=restarted + - name: restart memcached service: name=memcached state=restarted - name: systemctl daemon-reload command: /usr/bin/systemctl daemon-reload + +- name: restart mailmanweb + service: name=maimanweb state restarted diff --git a/roles/mailman3/tasks/main.yml b/roles/mailman3/tasks/main.yml index 1b840faa6f..95ad76ecf3 100644 --- a/roles/mailman3/tasks/main.yml +++ b/roles/mailman3/tasks/main.yml 
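Review bot: The new `restart mailmanweb` handler in roles/mailman3/handlers/main.yml cannot work as written: the service name is misspelled `maimanweb` and `state restarted` is missing its `=`. Every task that notifies it (the systemd unit task and the `top.html` task in tasks/main.yml) will therefore error out instead of restarting gunicorn, leaving the old code and configuration running. The line should read `service: name=mailmanweb state=restarted`, or preferably use the native YAML form with `ansible.builtin.systemd`, `name: mailmanweb` and `state: restarted`.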
@@ -2,91 +2,6 @@ # Configuration for Mailman 3 # PostgreSQL initialization must have been done already -# -# SELinux -# -- name: Set the SELinux policy for the fulltext index - community.general.sefcontext: - target: "{{ mailman_webui_basedir }}/fulltext_index(/.*)?" - setype: httpd_sys_rw_content_t - state: present - tags: - - mailman - - selinux - -- name: Set the SELinux policy for the static files directory - community.general.sefcontext: - target: "{{ mailman_webui_basedir }}/static(/.*)?" - setype: httpd_sys_content_t - state: present - tags: - - mailman - - selinux - -- name: Set the SELinux policy for the templates override directory - community.general.sefcontext: - target: "{{ mailman_webui_basedir }}/templates(/.*)?" - setype: httpd_sys_content_t - state: present - tags: - - mailman - - selinux - -- name: set the SELinux policy for the log directory - community.general.sefcontext: - target: "{{ mailman_log_directory }}(/.*)?" - setype: httpd_log_t - state: present - tags: - - mailman - - selinux - -- name: Set the SELinux policy for the generated postfix databases - community.general.sefcontext: - target: "{{ mailman_webui_basedir }}/var/data/postfix_.*" - setype: etc_aliases_t - state: present - tags: - - mailman - - selinux - -- name: Set the SELinux policy for the old static archives - community.general.sefcontext: - target: "{{ mailman_webui_basedir }}/old-archives/pipermail(/.*)?" 
- setype: httpd_sys_content_t - state: present - tags: - - mailman - - selinux - -- name: Allow Apache to remotely connect to PostgreSQL - ansible.posix.seboolean: - name: httpd_can_network_connect_db - state: yes - persistent: yes - tags: - - mailman - - selinux - -- name: Allow Apache to remotely connect to Mailman - ansible.posix.seboolean: - name: httpd_can_network_connect - state: yes - persistent: yes - tags: - - mailman - - selinux - -- name: Allow Apache to remotely connect to Memcached - ansible.posix.seboolean: - name: httpd_can_network_memcache - state: yes - persistent: yes - tags: - - mailman - - selinux - - - name: Install needed packages ansible.builtin.package: name: "{{item}}" @@ -98,6 +13,7 @@ - mailman3 - memcached - postorius + - python3-gunicorn - python3-mailman-hyperkitty - python3-mailman-web - python3-mod_wsgi @@ -207,19 +123,6 @@ ansible.builtin.template: src: settings.py.j2 dest: "{{ mailman_webui_confdir }}/settings.py" - owner: mailman - group: apache - mode: 0640 - tags: - - config - - mailman - notify: - - reload apache - -- name: Install the hyperkitty/postorius httpd conf file - ansible.builtin.template: - src: apache.conf.j2 - dest: /etc/httpd/conf.d/mailman-webui.conf tags: - config - mailman @@ -230,8 +133,8 @@ ansible.builtin.file: path: "{{ mailman_webui_basedir }}/fulltext_index" state: directory - owner: apache - group: apache + owner: mailman + group: mailman mode: 0755 tags: mailman @@ -280,7 +183,7 @@ src: top.html dest: "{{ mailman_webui_basedir }}/templates/hyperkitty/top.html" notify: - - reload apache + - restart mailmanweb tags: - mailman - banner 
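Review bot: The `settings.py` template task in the `@@ -207,19 +123,6 @@` hunk loses `owner: mailman`, `group: apache` and `mode: 0640` with nothing put in their place, so the file is created with the connecting user's ownership and umask. Depending on that umask it ends up either readable by every local user or unreadable by the `mailman` user that gunicorn now runs as. The role's variables (`mailman_hyperkitty_db_pass`, `mailman_hyperkitty_cookie_key`) suggest this file renders secrets, so pin it explicitly with `owner: root`, `group: mailman`, `mode: "0640"`. The task's `notify` lies outside the hunk; if it still only reloads apache, a settings change will not reach the gunicorn workers until `restart mailmanweb` is notified as well. Separately, the unchanged `python3-mod_wsgi` entry in the `@@ -98,6 +13,7 @@` hunk looks unneeded once Apache only proxies and could be dropped.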
@@ -399,6 +302,26 @@ when: - static_root_dir is changed +- name: Systemd unit to start postorius/hyperkitty through gunicorn + ansible.builtin.template: + src: mailmanweb.service.j2 + dest: /etc/systemd/system/mailmanweb.service + register: mailmanweb_systemd + notify: restart mailmanweb + tags: + - mailman + - systemd + +- name: Enable the mailmanweb server + ansible.builtin.systemd: + name: mailmanweb + daemon-reload: "{% if mailmanweb_systemd is changed %}yes{% else %}no{% endif %}" + state: started + enabled: yes + tags: + - mailman + - systemd + # # Scripts # @@ -447,6 +370,29 @@ - mailman - memcached +# Httpd +- name: Import needed httpd configurations + ansible.builtin.template: + src: "mailmanweb.conf.j2" + dest: "/etc/httpd/conf.d/mailmanweb.conf" + notify: + - reload apache + tags: + - config + - httpd + - mailman + +- name: Allow Apache to remotely connect to gunicorn + ansible.posix.seboolean: + name: httpd_can_network_connect + state: yes + persistent: yes + notify: + - restart apache + tags: + - mailman + - selinux + # Start services - name: Start services ansible.builtin.systemd: @@ -456,6 +402,7 @@ with_items: - httpd - mailman3 + - mailmanweb - postfix - webui-qcluster - webui-warm-up-cache diff --git a/roles/mailman3/templates/apache.conf.j2 b/roles/mailman3/templates/apache.conf.j2 deleted file mode 100644 index cdf09069bb..0000000000 --- a/roles/mailman3/templates/apache.conf.j2 +++ /dev/null 
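Review bot: The template task that writes `/etc/systemd/system/mailmanweb.service` sets no `owner`, `group` or `mode`, so the unit file's permissions depend on the umask of the connecting user; since whoever can edit a unit file decides what systemd runs, pin it with `owner: root`, `group: root`, `mode: "0644"`. The Jinja `{% if %}` string passed to `daemon-reload` can be the plain expression `daemon_reload: "{{ mailmanweb_systemd is changed }}"`, and `enabled: yes` is better written `enabled: true`. Because the enable task only asks for `state: started`, a changed unit reaches the running service solely through the `restart mailmanweb` handler, so that handler has to work.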
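Review bot: `httpd_can_network_connect` in the `@@ -447,6 +370,29 @@` hunk lets every httpd process open outbound TCP connections to any host and port, which is far more than the single local gunicorn listener the proxy needs. If only that listener must be reachable, a Unix socket or the narrower `httpd_can_network_relay` boolean with a suitably labelled port would grant less and is worth evaluating; the port gunicorn binds is not set anywhere on this page, so confirm it first. SELinux booleans take effect as soon as they are set, so the `restart apache` notification is probably unnecessary, and `state: yes` / `persistent: yes` should be `true`. The `mailmanweb.conf` template task in the same hunk also lacks explicit `owner` and `mode`.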
@@ -1,43 +0,0 @@ -Alias /favicon.ico {{ mailman_webui_basedir }}/static/favicon.ico -Alias /robots.txt {{ mailman_webui_basedir }}/static/robots.txt -Alias /static {{ mailman_webui_basedir }}/static - -#ErrorLog /var/log/httpd/webui_error.log -#CustomLog /var/log/httpd/webui_access.log combined - -WSGIScriptAlias / {{ wsgi_dir }}/wsgi.py -WSGIDaemonProcess webui display-name=webui maximum-requests=1000 processes=4 threads=30 python-path={{ wsgi_dir }} -WSGIProcessGroup webui -WSGISocketPrefix run/wsgi -WSGIRestrictStdout On -WSGIRestrictSignal Off -WSGIPythonOptimize 1 - - - - Order deny,allow - Allow from all - Require all granted - - - - - Order deny,allow - Allow from all - Require all granted - - - -# Old static archives - -Alias /pipermail/ {{ mailman_webui_basedir }}/old-archives/pipermail/ - - Options FollowSymLinks - AllowOverride None - Require all granted - AddDefaultCharset Off - - -RedirectMatch ^/pipermail[/]*$ / -RedirectMatch ^/mailman/listinfo/$ / -RedirectMatch ^/mailman$ / diff --git a/roles/mailman3/templates/mailmanweb.conf.j2 b/roles/mailman3/templates/mailmanweb.conf.j2 new file mode 100644 index 0000000000..795c3cab2e --- /dev/null +++ b/roles/mailman3/templates/mailmanweb.conf.j2 @@ -0,0 +1,12 @@ + + ServerName {{ mailman_httpd_hostname }} + DocumentRoot /var/www/html/ +# CustomLog logs/{{ mailman_httpd_hostname }}.log combined +# ErrorLog logs/{{ mailman_httpd_hostname }}_error.log + + RewriteEngine On + RewriteCond $1 !^.well-known + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] + + diff --git a/roles/mailman3/templates/mailmanweb.service.j2 b/roles/mailman3/templates/mailmanweb.service.j2 new file mode 100644 index 0000000000..26dc05799a --- /dev/null +++ b/roles/mailman3/templates/mailmanweb.service.j2 
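Review bot: In mailmanweb.conf.j2, `RewriteCond $1 !^.well-known` leaves the dot unescaped and the pattern open-ended, so any path such as `xwell-known...` is exempted from the HTTPS redirect, not only `.well-known/`; `RewriteCond $1 !^\.well-known/` states the intent. The redirect target is built from `%{SERVER_NAME}`, which can follow the client's Host header unless canonical names are enforced, so using the configured name is safer: `RewriteRule ^/?(.*) https://{{ mailman_httpd_hostname }}/$1 [R,L]`. The template as shown carries only this HTTP-to-HTTPS redirect: it has no proxy directive towards gunicorn and no replacement for the `/static` and `/pipermail/` aliases of the deleted apache.conf.j2, so confirm those are configured elsewhere.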
@@ -0,0 +1,15 @@
+[Unit]
+Description= Mailman Web ui
+DefaultDependencies=no
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=simple
+User=mailman
+Group=mailman
+WorkingDirectory=/etc/mailman3
+ExecStart=/usr/bin/gunicorn --workers={{ mailman_gunicorn_workers }} --forwarded-allow-ips="*" mailman_web.wsgi
+ExecStop=/bin/kill -s TERM $MAINPID
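Review bot: `--forwarded-allow-ips="*"` on the `ExecStart` line makes gunicorn trust `X-Forwarded-*` headers from any peer, so a client that reaches the listener without passing through Apache can assert an HTTPS scheme or a different client address. If Apache on the same host is the only proxy, gunicorn's loopback default is sufficient: drop the flag or write `--forwarded-allow-ips="127.0.0.1"`, and since no `--bind` is given, confirm the listener stays on loopback. `DefaultDependencies=no` is intended for early-boot units and removes the usual shutdown ordering, so it can go, as can the `ExecStop` line, which only repeats systemd's default SIGTERM. After testing, the unit would also benefit from basic sandboxing such as `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full`.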