]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/nominatim/recipes/default.rb
projects / chef.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix alerting for failed chef runs
[chef.git] / cookbooks / nominatim / recipes / default.rb
diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index df5f6618f89dcb38d35387f70998a74f4f0f7ed2..44bf649eac9a2cbcd7a8faa2c2d92953e6527b67 100644 (file)
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -1,14 +1,14 @@
 #
 #
-# Cookbook Name:: nominatim
-# Recipe:: default
+# Cookbook:: nominatim
+# Recipe:: base
 #
 #
-# Copyright 2012, OpenStreetMap Foundation
+# Copyright:: 2015, OpenStreetMap Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+#     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,281 +17,539 @@
 # limitations under the License.
 #
 
 # limitations under the License.
 #
 
-include_recipe "apache::ssl"
-include_recipe "postgresql"
-include_recipe "git"
-
-package "php5"
-package "php5-cli"
-package "php5-pgsql"
-package "php5-fpm"
-package "php-pear"
-package "php-apc"
+include_recipe "accounts"
+include_recipe "munin"
+include_recipe "php::fpm"
+include_recipe "prometheus"
 
 
-apache_module "rewrite"
-apache_module "proxy"
-apache_module "proxy_fcgi"
-
-passwords = data_bag_item("nominatim", "passwords")
-home_directory = data_bag_item("accounts", "nominatim")["home"]
-source_directory = "#{home_directory}/nominatim"
+basedir = data_bag_item("accounts", "nominatim")["home"]
 email_errors = data_bag_item("accounts", "lonvia")["email"]
 
 email_errors = data_bag_item("accounts", "lonvia")["email"]
 
-database_cluster = node[:nominatim][:database][:cluster]
-database_version = database_cluster.sub(%r{/.*}, "")
-database_name = node[:nominatim][:database][:dbname]
+directory basedir do
+  owner "nominatim"
+  group "nominatim"
+  mode "755"
+  recursive true
+end
 
 
-postgis_version = node[:nominatim][:database][:postgis]
+## Log directory setup
 
 
-service "php5-fpm" do
-  provider Chef::Provider::Service::Upstart
-  action [:enable, :start]
-  supports :status => true, :restart => true, :reload => true
+directory node[:nominatim][:logdir] do
+  owner "nominatim"
+  group "nominatim"
+  mode "755"
+  recursive true
 end
 
 end
 
-apache_site "nominatim.openstreetmap.org" do
-  template "apache.erb"
-  directory source_directory
-  variables :pools => node[:nominatim][:fpm_pools]
+file "#{node[:nominatim][:logdir]}/query.log" do
+  action :create_if_missing
+  owner "www-data"
+  group "adm"
+  mode "664"
 end
 
 end
 
-apache_site "default" do
-  action [:disable]
+file "#{node[:nominatim][:logdir]}/update.log" do
+  action :create_if_missing
+  owner "nominatim"
+  group "adm"
+  mode "664"
 end
 
 end
 
-node[:nominatim][:fpm_pools].each do |name, data|
-  template "/etc/php5/fpm/pool.d/#{name}.conf" do
-    source "fpm.conf.erb"
-    owner "root"
-    group "root"
-    mode 0644
-    variables data.merge(:name => name, :port => data[:port])
-    notifies :reload, "service[php5-fpm]"
-  end
-end
+## Postgresql
 
 
-superusers = %w(tomh lonvia twain nominatim)
+include_recipe "postgresql"
+
+postgresql_version = node[:nominatim][:dbcluster].split("/").first
+postgis_version = node[:nominatim][:postgis]
+
+package "postgresql-#{postgresql_version}-postgis-#{postgis_version}"
 
 
-superusers.each do |user|
+node[:nominatim][:dbadmins].each do |user|
   postgresql_user user do
   postgresql_user user do
-    cluster database_cluster
+    cluster node[:nominatim][:dbcluster]
     superuser true
     superuser true
+    only_if { node[:nominatim][:state] != "slave" }
   end
 end
 
   end
 end
 
-postgresql_user "www-data" do
-  cluster database_cluster
+postgresql_user "nominatim" do
+  cluster node[:nominatim][:dbcluster]
+  superuser true
+  only_if { node[:nominatim][:state] != "slave" }
 end
 
 end
 
-postgresql_user "replication" do
-  cluster database_cluster
-  password passwords["replication"]
-  replication true
+postgresql_user "www-data" do
+  cluster node[:nominatim][:dbcluster]
+  only_if { node[:nominatim][:state] != "slave" }
 end
 
 postgresql_munin "nominatim" do
 end
 
 postgresql_munin "nominatim" do
-  cluster database_cluster
-  database database_name
+  cluster node[:nominatim][:dbcluster]
+  database node[:nominatim][:dbname]
 end
 
 end
 
-directory "/var/log/nominatim" do
-  owner "nominatim"
-  group "nominatim"
-  mode 0755
+directory "#{basedir}/tablespaces" do
+  owner "postgres"
+  group "postgres"
+  mode "700"
+end
+
+# NOTE: tablespaces must be exactly in the same location on each
+#       Nominatim instance when replication is in use. Therefore
+#       use symlinks to canonical directory locations.
+node[:nominatim][:tablespaces].each do |name, location|
+  directory location do
+    owner "postgres"
+    group "postgres"
+    mode "700"
+    recursive true
+  end
+
+  link "#{basedir}/tablespaces/#{name}" do
+    to location
+  end
+
+  postgresql_tablespace name do
+    cluster node[:nominatim][:dbcluster]
+    location "#{basedir}/tablespaces/#{name}"
+  end
 end
 
 end
 
-template "/etc/logrotate.d/nominatim" do
-  source "logrotate.nominatim.erb"
-  owner "root"
-  group "root"
-  mode 0644
-end
-
-package "osmosis"
-package "gcc"
-package "proj-bin"
-package "libgeos-c1"
-package "postgresql-#{database_version}-postgis-#{postgis_version}"
-package "postgresql-server-dev-#{database_version}"
-package "build-essential"
-package "libxml2-dev"
-package "libgeos-dev"
-package "libgeos++-dev"
-package "libpq-dev"
-package "libbz2-dev"
-package "libtool"
-package "automake"
-package "libproj-dev"
-package "libprotobuf-c0-dev"
-package "protobuf-c-compiler"
-package "python-psycopg2"
-package "libboost-dev"
-package "libboost-system-dev"
-package "libboost-filesystem-dev"
-package "libboost-thread-dev"
-
-execute "php-pear-db" do
-  command "pear install DB"
-  not_if { File.exist?("/usr/share/php/DB") }
+## Nominatim backend
+
+include_recipe "git"
+
+package %w[
+  build-essential
+  cmake
+  g++
+  libboost-dev
+  libboost-system-dev
+  libboost-filesystem-dev
+  libexpat1-dev
+  zlib1g-dev
+  libbz2-dev
+  libpq-dev
+  libproj-dev
+  liblua5.3-dev
+  libluajit-5.1-dev
+  lua5.3
+  python3-pyosmium
+  python3-psycopg2
+  python3-dotenv
+  python3-psutil
+  python3-jinja2
+  python3-icu
+  python3-datrie
+  python3-yaml
+  python3-sqlalchemy-ext
+  python3-geoalchemy2
+  python3-asyncpg
+  php-pgsql
+  php-intl
+  ruby
+  ruby-file-tail
+  ruby-pg
+  ruby-webrick
+]
+
+source_directory = "#{basedir}/src/nominatim"
+build_directory = "#{basedir}/src/build"
+project_directory = "#{basedir}/planet-project"
+bin_directory = "#{basedir}/bin"
+cfg_directory = "#{basedir}/etc"
+ui_directory = "#{basedir}/ui"
+qa_bin_directory = "#{basedir}/src/Nominatim-Data-Analyser"
+qa_data_directory = "#{basedir}/qa-data"
+
+[basedir, "#{basedir}/src", cfg_directory, bin_directory, build_directory, project_directory].each do |path|
+  directory path do
+    owner "nominatim"
+    group "nominatim"
+    mode "755"
+    recursive true
+  end
 end
 
 end
 
-execute "compile_nominatim" do
-  action :nothing
-  command "cd #{source_directory} && ./autogen.sh && ./configure && make"
-  user "nominatim"
+directory "#{bin_directory}/maintenance" do
+  owner "nominatim"
+  group "nominatim"
+  mode "775"
 end
 
 end
 
+if node[:nominatim][:flatnode_file]
+  directory File.dirname(node[:nominatim][:flatnode_file]) do
+    recursive true
+  end
+end
+
+remote_directory "#{project_directory}/website" do
+  source "website"
+  owner "nominatim"
+  group "nominatim"
+  mode "755"
+  files_owner "nominatim"
+  files_group "nominatim"
+  files_mode "644"
+  purge false
+end
+
+# Normally syncing via chef is a bad idea because syncing might involve
+# an update of database functions which should not be done while an update
+# is ongoing. Therefore we sync in between update cycles. There is an
+# exception for slaves: they get DB function updates from the master, so
+# only the source code needs to be updated, which chef may do.
 git source_directory do
 git source_directory do
-  action :checkout
+  action node[:nominatim][:state] == "slave" ? :sync : :checkout
   repository node[:nominatim][:repository]
   repository node[:nominatim][:repository]
+  revision node[:nominatim][:revision]
   enable_submodules true
   user "nominatim"
   group "nominatim"
   enable_submodules true
   user "nominatim"
   group "nominatim"
+  not_if { node[:nominatim][:state] != "slave" && File.exist?("#{source_directory}/README.md") }
   notifies :run, "execute[compile_nominatim]"
 end
 
   notifies :run, "execute[compile_nominatim]"
 end
 
-directory "#{source_directory}/log" do
+remote_file "#{source_directory}/data/country_osm_grid.sql.gz" do
+  action :create_if_missing
+  source "https://nominatim.org/data/country_grid.sql.gz"
   owner "nominatim"
   group "nominatim"
   owner "nominatim"
   group "nominatim"
-  mode 0755
+  mode "644"
 end
 
 end
 
-template "#{source_directory}/.git/hooks/post-merge" do
-  source "update_source.erb"
-  owner "nominatim"
-  group "nominatim"
-  mode 0755
-  variables :source_directory => source_directory
+execute "compile_nominatim" do
+  action :nothing
+  user "nominatim"
+  cwd build_directory
+  command "cmake -D WITH_LUAJIT=ON #{source_directory} && make"
+  notifies :run, "execute[install_nominatim]"
 end
 
 end
 
-template "#{source_directory}/settings/local.php" do
-  source "nominatim.erb"
-  owner "nominatim"
-  group "nominatim"
-  mode 0664
-  variables :postgres_version => database_version
+execute "install_nominatim" do
+  action :nothing
+  cwd build_directory
+  command "make install"
 end
 
 end
 
-template "#{source_directory}/settings/ip_blocks.conf" do
-  action :create_if_missing
-  source "ipblocks.erb"
+# Project directory
+
+template "#{project_directory}/.env" do
+  source "nominatim.env.erb"
   owner "nominatim"
   group "nominatim"
   owner "nominatim"
   group "nominatim"
-  mode 0664
+  mode "664"
+  variables :base_url => node[:nominatim][:state] == "off" ? node[:fqdn] : "nominatim.openstreetmap.org",
+            :dbname => node[:nominatim][:dbname],
+            :flatnode_file => node[:nominatim][:flatnode_file],
+            :log_file => "#{node[:nominatim][:logdir]}/query.log",
+            :tokenizer => node[:nominatim][:config][:tokenizer],
+            :forward_dependencies => node[:nominatim][:config][:forward_dependencies]
 end
 
 end
 
-file "#{source_directory}/settings/apache_blocks.conf" do
+remote_file "#{project_directory}/wikimedia-importance.sql.gz" do
   action :create_if_missing
   action :create_if_missing
+  source "https://nominatim.org/data/wikimedia-importance.sql.gz"
   owner "nominatim"
   group "nominatim"
   owner "nominatim"
   group "nominatim"
-  mode 0664
+  mode "644"
 end
 
 end
 
-file "#{source_directory}/settings/ip_blocks.map" do
-  action :create_if_missing
-  owner "nominatim"
-  group "nominatim"
-  mode 0664
+%w[gb_postcodes.csv.gz us_postcodes.csv.gz].each do |fname|
+  remote_file "#{project_directory}/#{fname}" do
+    action :create
+    source "https://nominatim.org/data/#{fname}"
+    owner "nominatim"
+    group "nominatim"
+    mode "644"
+  end
+end
+
+# Webserver + frontend
+
+%w[user_agent referrer email generic].each do |name|
+  file "#{cfg_directory}/nginx_blocked_#{name}.conf" do
+    action :create_if_missing
+    owner "nominatim"
+    group "adm"
+    mode "664"
+  end
+end
+
+node[:nominatim][:fpm_pools].each do |name, data|
+  php_fpm name do
+    port data[:port]
+    pm data[:pm]
+    pm_max_children data[:max_children]
+    pm_start_servers 20
+    pm_min_spare_servers 10
+    pm_max_spare_servers 20
+    pm_max_requests 10000
+    prometheus_port data[:prometheus_port]
+  end
+end
+
+ssl_certificate node[:fqdn] do
+  domains [node[:fqdn],
+           "nominatim.openstreetmap.org",
+           "nominatim.osm.org",
+           "nominatim.openstreetmap.com",
+           "nominatim.openstreetmap.net",
+           "nominatim.openstreetmaps.org",
+           "nominatim.openmaps.org",
+           "nominatim.qgis.org"]
+  notifies :reload, "service[nginx]"
+end
+
+include_recipe "nginx"
+
+nginx_site "default" do
+  action [:delete]
 end
 
 end
 
-if node[:nominatim][:enabled]
-  cron_action = :create
-else
-  cron_action = :delete
+frontends = search(:node, "recipes:web\\:\\:frontend").sort_by(&:name)
+
+nginx_site "nominatim" do
+  template "nginx.erb"
+  directory project_directory
+  variables :pools => node[:nominatim][:fpm_pools],
+            :frontends => frontends,
+            :confdir => "#{basedir}/etc",
+            :ui_directory => ui_directory
 end
 
 end
 
-template "/etc/cron.d/nominatim" do
-  action cron_action
-  source "cron.erb"
+template "/etc/logrotate.d/nginx" do
+  source "logrotate.nginx.erb"
   owner "root"
   group "root"
   owner "root"
   group "root"
-  mode "0644"
-  variables :bin_directory => "#{source_directory}/utils", :mailto => email_errors
+  mode "644"
 end
 
 end
 
-template "#{source_directory}/utils/nominatim-update" do
-  source "updater.erb"
-  user "nominatim"
-  group "nominatim"
-  mode 0755
+# Updates
+
+%w[nominatim-update
+   nominatim-update-source
+   nominatim-update-refresh-db
+   nominatim-update-data
+   nominatim-daily-maintenance].each do |fname|
+  template "#{bin_directory}/#{fname}" do
+    source "#{fname}.erb"
+    owner "nominatim"
+    group "nominatim"
+    mode "554"
+    variables :bindir => bin_directory,
+              :srcdir => source_directory,
+              :builddir => build_directory,
+              :projectdir => project_directory,
+              :qabindir => qa_bin_directory,
+              :qadatadir => qa_data_directory
+  end
 end
 
 end
 
-template "/etc/init.d/nominatim-update" do
-  source "updater.init.erb"
+systemd_service "nominatim-update" do
+  description "Update the Nominatim database"
+  exec_start "#{bin_directory}/nominatim-update"
+  restart "on-success"
+  standard_output "append:#{node[:nominatim][:logdir]}/update.log"
+  standard_error "inherit"
+  working_directory project_directory
+end
+
+systemd_service "nominatim-update-maintenance-trigger" do
+  description "Trigger daily maintenance tasks for Nominatim DB"
+  exec_start "ln -sf #{bin_directory}/nominatim-daily-maintenance #{bin_directory}/maintenance/"
   user "nominatim"
   user "nominatim"
-  group "nominatim"
-  mode 0755
-  variables :source_directory => source_directory
 end
 
 end
 
-munin_plugin_conf "nominatim" do
-  template "munin.erb"
+systemd_timer "nominatim-update-maintenance-trigger" do
+  action node[:nominatim][:state] != "off" ? :create : :delete
+  description "Schedule daily maintenance tasks for Nominatim DB"
+  on_calendar "*-*-* 02:03:00 UTC"
 end
 
 end
 
-munin_plugin "nominatim_importlag" do
-  target "#{source_directory}/munin/nominatim_importlag"
+service "nominatim-update-maintenance-trigger" do
+  action node[:nominatim][:state] != "off" ? :enable : :disable
 end
 
 end
 
-munin_plugin "nominatim_query_speed" do
-  target "#{source_directory}/munin/nominatim_query_speed_querylog"
+# Nominatim UI
+
+git ui_directory do
+  action :sync
+  repository node[:nominatim][:ui_repository]
+  revision node[:nominatim][:ui_revision]
+  user "nominatim"
+  group "nominatim"
 end
 
 end
 
-munin_plugin "nominatim_requests" do
-  target "#{source_directory}/munin/nominatim_requests_querylog"
+template "#{ui_directory}/dist/theme/config.theme.js" do
+  source "ui-config.js.erb"
+  owner "nominatim"
+  group "nominatim"
+  mode "664"
 end
 
 end
 
-munin_plugin "nominatim_throttled_ips" do
-  target "#{source_directory}/munin/nominatim_throttled_ips"
+# Nominatim QA
+
+if node[:nominatim][:enable_qa_tiles]
+  package "python3-geojson"
+
+  git qa_bin_directory do
+    repository node[:nominatim][:qa_repository]
+    revision node[:nominatim][:qa_revision]
+    enable_submodules true
+    user "nominatim"
+    group "nominatim"
+    notifies :run, "execute[compile_qa]"
+  end
+
+  execute "compile_qa" do
+    action :nothing
+    user "nominatim"
+    cwd "#{qa_bin_directory}/clustering-vt"
+    command "make"
+  end
+
+  directory qa_data_directory do
+    owner "nominatim"
+    group "nominatim"
+    mode "755"
+    recursive true
+  end
+
+  template "#{qa_bin_directory}/analyser/config/config.yaml" do
+    source "qa_config.erb"
+    owner "nominatim"
+    group "nominatim"
+    mode "755"
+    variables :outputdir => "#{qa_data_directory}/new"
+  end
+
+  ssl_certificate "qa-tile.nominatim.openstreetmap.org" do
+    domains ["qa-tile.nominatim.openstreetmap.org"]
+    notifies :reload, "service[nginx]"
+  end
+
+  nginx_site "qa-tiles.nominatim" do
+    template "nginx-qa-tiles.erb"
+    directory build_directory
+    variables :qa_data_directory => qa_data_directory
+  end
+
 end
 
 end
 
-external_data = [
-  "wikipedia_article.sql.bin",
-  "wikipedia_redirect.sql.bin",
-  "gb_postcode_data.sql.gz"
-]
+# Replication
 
 
-external_data.each do |fname|
-  remote_file "#{source_directory}/data/#{fname}" do
-    action :create_if_missing
-    source "http://www.nominatim.org/data/#{fname}"
+cron_d "nominatim-clean-db" do
+  action node[:nominatim][:state] == "master" ? :create : :delete
+  minute "5"
+  hour "*/4"
+  user "postgres"
+  command "#{bin_directory}/clean-db-nominatim"
+  mailto email_errors
+end
+
+if node[:nominatim][:state] == "master"
+  postgresql_user "replication" do
+    cluster node[:nominatim][:dbcluster]
+    password data_bag_item("nominatim", "passwords")["replication"]
+    replication true
+  end
+
+  directory node[:rsyncd][:modules][:archive][:path] do
+    owner "postgres"
+    group "postgres"
+    mode "700"
+  end
+
+  template "#{bin_directory}/clean-db-nominatim" do
+    source "clean-db-nominatim.erb"
     owner "nominatim"
     group "nominatim"
     owner "nominatim"
     group "nominatim"
-    mode 0644
+    mode "755"
+    variables :archive_dir => node[:rsyncd][:modules][:archive][:path],
+              :update_stop_file => "#{basedir}/status/updates_disabled",
+              :streaming_clients => search(:node, "nominatim_state:slave").map { |slave| slave[:fqdn] }.join(" ")
   end
 end
 
   end
 end
 
-additional_scripts = %w(backup-nominatim clean-db-nominatim)
+# Maintenance
+
+cron_d "nominatim-backup" do
+  action (node[:nominatim][:enable_backup] && node[:nominatim][:state] != "off") ? :create : :delete
+  minute "0"
+  hour "3"
+  day "1"
+  user "nominatim"
+  command "#{bin_directory}/backup-nominatim"
+  mailto email_errors
+end
 
 
-additional_scripts.each do |fname|
-  template "/usr/local/bin/#{fname}" do
+cron_d "nominatim-vacuum-db" do
+  action node[:nominatim][:state] != "off" ? :create : :delete
+  minute "20"
+  hour "0"
+  user "postgres"
+  command "#{bin_directory}/vacuum-db-nominatim"
+  mailto email_errors
+end
+
+%w[backup-nominatim vacuum-db-nominatim].each do |fname|
+  template "#{bin_directory}/#{fname}" do
     source "#{fname}.erb"
     source "#{fname}.erb"
-    owner "root"
-    group "root"
-    mode 0755
+    owner "nominatim"
+    group "nominatim"
+    mode "755"
+    variables :db => node[:nominatim][:dbname]
   end
 end
 
   end
 end
 
-directory File.dirname(node[:nominatim][:flatnode_file]) do
-  owner "nominatim"
-  group "nominatim"
-  mode 0755
-  recursive true
+# Logging
+
+template "/etc/logrotate.d/nominatim" do
+  source "logrotate.nominatim.erb"
+  owner "root"
+  group "root"
+  mode "644"
 end
 
 end
 
-directory "/data/postgresql-archive" do
-  owner "postgres"
-  group "postgres"
-  mode 0700
-  only_if { node[:postgresql][:settings][:defaults][:archive_mode] == "on" }
+# Monitoring
+
+munin_plugin_conf "nominatim" do
+  template "munin.erb"
+  variables :db => node[:nominatim][:dbname],
+            :querylog => "#{node[:nominatim][:logdir]}/query.log"
 end
 
 end
 
-fail2ban_filter "nominatim" do
-  failregex '^<HOST> - - \[[^]]+\] "[^"]+" (403|429) '
+munin_plugin "nominatim_importlag" do
+  target "#{source_directory}/munin/nominatim_importlag"
 end
 
 end
 
-fail2ban_jail "nominatim" do
-  filter "nominatim"
-  logpath "/var/log/apache2/nominatim.openstreetmap.org-access.log"
+munin_plugin "nominatim_query_speed" do
+  target "#{source_directory}/munin/nominatim_query_speed_querylog"
+end
+
+munin_plugin "nominatim_requests" do
+  target "#{source_directory}/munin/nominatim_requests_querylog"
+end
+
+prometheus_exporter "nominatim" do
+  port 8082
+  user "www-data"
+  restrict_address_families "AF_UNIX"
+  options [
+    "--nominatim.query-log=#{node[:nominatim][:logdir]}/query.log",
+    "--nominatim.database-name=#{node[:nominatim][:dbname]}"
+  ]
+end
+
+include_recipe "fail2ban"
+
+frontend_addresses = frontends.collect { |f| f.ipaddresses(:role => :external) }
+
+fail2ban_jail "nominatim_limit_req" do
+  filter "nginx-limit-req"
+  logpath "#{node[:nominatim][:logdir]}/nominatim.openstreetmap.org-error.log"
   ports [80, 443]
   ports [80, 443]
-  maxretry 100
+  maxretry 20
+  ignoreips frontend_addresses.flatten.sort
 end
 end
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.