
diff --git a/site-modules/profile/manifests/sentry.pp b/site-modules/profile/manifests/sentry.pp
index c2129e93..6c2a9703 100644
--- a/site-modules/profile/manifests/sentry.pp
+++ b/site-modules/profile/manifests/sentry.pp
@@ -1,193 +1,203 @@
# Deploy a Sentry instance
class profile::sentry {
include profile::docker
include profile::docker_compose
$onpremise_dir = '/var/lib/sentry-onpremise'
$onpremise_repo = 'https://forge.softwareheritage.org/source/getsentry-onpremise.git'
$onpremise_repo_branch = 'softwareheritage'
vcsrepo {$onpremise_dir:
ensure => latest,
provider => 'git',
source => $onpremise_repo,
revision => $onpremise_repo_branch,
notify => [
File_Line['sentry_environment_kafka'],
Exec['run sentry-onpremise install.sh'],
],
} ->
file {$onpremise_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700',
}
$requirements_file = "${onpremise_dir}/sentry/requirements.txt"
$config_yml = "${onpremise_dir}/sentry/config.yml"
$config_py = "${onpremise_dir}/sentry/sentry.conf.py"
$relay_credentials_json = "${onpremise_dir}/relay/credentials.json"
$relay_config_yml = "${onpremise_dir}/relay/config.yml"
$symbolicator_config_yml = "${onpremise_dir}/symbolicator/config.yml"
$clickhouse_config_xml = "${onpremise_dir}/clickhouse/config.xml"
$geoip_conf = "${onpremise_dir}/geoip/GeoIP.conf"
file {$requirements_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/sentry/requirements.txt.erb'),
require => Vcsrepo[$onpremise_dir],
notify => Exec['run sentry-onpremise install.sh'],
}
# variables for config.yml
$admin_email = lookup('sentry::admin_email')
$secret_key = lookup('sentry::secret_key')
$vhost_name = lookup('sentry::vhost::name')
$mail_host = lookup('sentry::mail::host')
$mail_from = lookup('sentry::mail::from')
$mail_list_namespace = lookup('sentry::mail::list_namespace')
file {$config_yml:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/sentry/config.yml.erb'),
require => Vcsrepo[$onpremise_dir],
notify => Exec['run sentry-onpremise install.sh'],
}
file {$relay_config_yml:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/sentry/relay.yml.erb'),
require => Vcsrepo[$onpremise_dir],
notify => Exec['run sentry-onpremise install.sh'],
}
file {$symbolicator_config_yml:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/sentry/symbolicator.yml.erb'),
require => Vcsrepo[$onpremise_dir],
notify => Exec['run sentry-onpremise install.sh'],
}
file {$clickhouse_config_xml:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/sentry/clickhouse.xml.erb'),
require => Vcsrepo[$onpremise_dir],
notify => Exec['run sentry-onpremise install.sh'],
}
#####
# variables for sentry.conf.py
# postgresql
$postgres_host = lookup('sentry::postgres::host')
$postgres_port = lookup('sentry::postgres::port')
$postgres_dbname = lookup('sentry::postgres::dbname')
$postgres_user = lookup('sentry::postgres::user')
$postgres_password = lookup('sentry::postgres::password')
# relay
$relay_public_key = lookup('sentry::relay::public_key')
#####
file {$config_py:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/sentry/sentry.conf.py.erb'),
require => Vcsrepo[$onpremise_dir],
notify => Exec['run sentry-onpremise install.sh'],
}
$relay_secret_key = lookup('sentry::relay::secret_key')
$relay_id = lookup('sentry::relay::id')
file {$relay_credentials_json:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/sentry/relay_credentials.json.erb'),
require => Vcsrepo[$onpremise_dir],
notify => Exec['run sentry-onpremise install.sh'],
}
$geoip_account_id = lookup('sentry::geoip::account_id')
$geoip_license_key = lookup('sentry::geoip::license_key')
file {$geoip_conf:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/sentry/geoip.conf.erb'),
require => Vcsrepo[$onpremise_dir],
notify => Exec['run sentry-onpremise install.sh'],
}
file_line {'sentry_environment_kafka':
ensure => absent,
path => "${onpremise_dir}/.env",
match => '^DEFAULT_BROKERS=',
match_for_absence => true,
multiple => true,
require => Vcsrepo[$onpremise_dir],
notify => Exec['run sentry-onpremise install.sh'],
}
+ file_line {'sentry_environment_mail_host':
+ ensure => present,
+ path => "${onpremise_dir}/.env",
+ match => '^(# )?SENTRY_MAIL_HOST=',
+ line => "SENTRY_MAIL_HOST=${mail_list_namespace}",
+ multiple => true,
+ require => Vcsrepo[$onpremise_dir],
+ notify => Exec['run sentry-onpremise install.sh'],
+ }
+
$onpremise_flag = "${onpremise_dir}-installed"
$onpremise_log = "/var/log/sentry-onpremise-install.log"
exec {'check sentry-onpremise install flag':
command => 'true',
unless => "bash -c '[[ \"$(cat ${onpremise_flag})\" = \"$(git rev-parse HEAD)\" ]]'",
cwd => $onpremise_dir,
path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin:/bin'],
notify => Exec['run sentry-onpremise install.sh'],
}
exec {'run sentry-onpremise install.sh':
command => "rm -f ${onpremise_flag}; (./install.sh --minimize-downtime && git rev-parse HEAD > ${onpremise_flag}) | tee -a ${onpremise_log}",
timeout => 0,
provider => shell,
cwd => $onpremise_dir,
path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin:/bin'],
environment => ["CI=yes"],
refreshonly => true,
require => [
Class['profile::docker'],
Package['docker-compose'],
File[$requirements_file, $config_yml, $config_py],
],
notify => Exec['start sentry-onpremise docker compose'],
}
exec {'start sentry-onpremise docker compose':
command => 'docker-compose up -d',
timeout => 0,
cwd => $onpremise_dir,
path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin:/bin'],
refreshonly => true,
require => [
Class['profile::docker'],
Package['docker-compose'],
File[$requirements_file, $config_yml, $config_py],
],
}
}
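Review bot: The new `file_line {'sentry_environment_mail_host':` resource writes `$mail_list_namespace` into a variable named `SENTRY_MAIL_HOST`, while this class already has `$mail_host` for the SMTP server, so a reader will likely assume the wrong value is being used. A comment above the resource would settle it, e.g. `# SENTRY_MAIL_HOST is read by sentry.conf.py as mail.list-namespace; it is not the SMTP host ($mail_host).` The value is also written into `.env` unvalidated, and because that file is line-oriented, a Hiera value containing whitespace or a newline would produce a malformed or extra entry. Constraining the lookup to a hostname type, for instance `lookup('sentry::mail::list_namespace', Stdlib::Fqdn)` if the deployed stdlib provides it, would be a cheap guard. Separately, the `# variables for config.yml` comment above the lookups no longer matches where `$mail_from` and `$mail_list_namespace` are consumed after this change.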
diff --git a/site-modules/profile/templates/sentry/config.yml.erb b/site-modules/profile/templates/sentry/config.yml.erb
index 68d6e3c9..02fcb350 100644
--- a/site-modules/profile/templates/sentry/config.yml.erb
+++ b/site-modules/profile/templates/sentry/config.yml.erb
@@ -1,130 +1,136 @@
# File managed by puppet (module profile::sentry), modifications will be lost!
# While a lot of configuration in Sentry can be changed via the UI, for all
# new-style config (as of 8.0) you can also declare values here in this file
# to enforce defaults or to ensure they cannot be changed via the UI. For more
# information see the Sentry documentation.
###############
# Mail Server #
###############
# mail.backend: 'smtp' # Use dummy if you want to disable email entirely
mail.host: '<%= @mail_host %>'
mail.port: 25
mail.username: ''
mail.password: ''
mail.use-tls: false
mail.use-ssl: false
+
+# NOTE: The following 2 configs (mail.from and mail.list-namespace) are set
+# through SENTRY_MAIL_HOST in sentry.conf.py so remove those first if
+# you want your values in this file to be effective!
+
+
# The email address to send on behalf of
-mail.from: '<%= @mail_from %>'
+# mail.from: 'root@localhost'
# The mailing list namespace for emails sent by this Sentry server.
# This should be a domain you own (often the same domain as the domain
# part of the `mail.from` configuration parameter value) or `localhost`.
-mail.list-namespace: '<%= @mail_list_namespace %>'
+# mail.list-namespace: 'localhost'
# If you'd like to configure email replies, enable this.
# mail.enable-replies: true
# When email-replies are enabled, this value is used in the Reply-To header
# mail.reply-hostname: ''
# If you're using mailgun for inbound mail, set your API key and configure a
# route to forward to /api/hooks/mailgun/inbound/
# Also don't forget to set `mail.enable-replies: true` above.
# mail.mailgun-api-key: ''
###################
# System Settings #
###################
# If this file ever becomes compromised, it's important to generate a new key.
# Changing this value will result in all current sessions being invalidated.
# A new key can be generated with `$ sentry config generate-secret-key`
system.secret-key: '<%= @secret_key %>'
# The ``redis.clusters`` setting is used, unsurprisingly, to configure Redis
# clusters. These clusters can be then referred to by name when configuring
# backends such as the cache, digests, or TSDB backend.
# redis.clusters:
# default:
# hosts:
# 0:
# host: 127.0.0.1
# port: 6379
################
# File storage #
################
# Uploaded media uses these `filestore` settings. The available
# backends are either `filesystem` or `s3`.
filestore.backend: 'filesystem'
filestore.options:
location: '/data/files'
dsym.cache-path: '/data/dsym-cache'
releasefile.cache-path: '/data/releasefile-cache'
# filestore.backend: 's3'
# filestore.options:
# access_key: 'AKIXXXXXX'
# secret_key: 'XXXXXXX'
# bucket_name: 's3-bucket-name'
system.internal-url-prefix: 'http://web:9000'
symbolicator.enabled: true
symbolicator.options:
url: "http://symbolicator:3021"
transaction-events.force-disable-internal-project: true
######################
# GitHub Integration #
######################
# github-login.extended-permissions: ['repo']
# github-app.id: GITHUB_APP_ID
# github-app.name: 'GITHUB_APP_NAME'
# github-app.webhook-secret: 'GITHUB_WEBHOOK_SECRET' # Use only if configured in GitHub
# github-app.client-id: 'GITHUB_CLIENT_ID'
# github-app.client-secret: 'GITHUB_CLIENT_SECRET'
# github-app.private-key: |
# -----BEGIN RSA PRIVATE KEY-----
# privatekeyprivatekeyprivatekeyprivatekey
# privatekeyprivatekeyprivatekeyprivatekey
# privatekeyprivatekeyprivatekeyprivatekey
# privatekeyprivatekeyprivatekeyprivatekey
# privatekeyprivatekeyprivatekeyprivatekey
# -----END RSA PRIVATE KEY-----
#####################
# Slack Integration #
#####################
# Refer to https://develop.sentry.dev/integrations/slack/ for setup instructions.
# slack.client-id: <'client id'>
# slack.client-secret: <client secret>
# slack.signing-secret: <signing secret>
## If legacy-app is True use verfication-token instead of signing-secret
# slack.verification-token: <verification token>
########################
# SWH config overrides #
########################
# Sentry URL prefix
system.url-prefix: 'https://<%= @vhost_name %>'
# Sentry admin email address
system.admin-email: '<%= @admin_email %>'
# Report full data via the sentry beacon
# Docs: https://docs.sentry.io/server/beacon/
beacon.anonymous: false
# Allow user registration
auth.allow-registration: false
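Review bot: The added NOTE says both `mail.from` and `mail.list-namespace` are set through `SENTRY_MAIL_HOST`, but in this commit's sentry.conf.py.erb only `mail.list-namespace` reads that variable; `mail.from` is rendered from `@mail_from`. The advice to "remove those first" also does not fit a Puppet-managed file whose header says modifications will be lost. I would reword it along the lines of `# NOTE: mail.from and mail.list-namespace are set in sentry.conf.py (from sentry::mail::from and SENTRY_MAIL_HOST in .env); change them in Puppet, not here.`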
diff --git a/site-modules/profile/templates/sentry/sentry.conf.py.erb b/site-modules/profile/templates/sentry/sentry.conf.py.erb
index 70042aae..54010ab8 100644
--- a/site-modules/profile/templates/sentry/sentry.conf.py.erb
+++ b/site-modules/profile/templates/sentry/sentry.conf.py.erb
@@ -1,281 +1,288 @@
# File managed by puppet (module profile::sentry), modifications will be lost!
# This file is just Python, with a touch of Django which means
# you can inherit and tweak settings to your hearts content.
from sentry.conf.server import * # NOQA
# Generously adapted from pynetlinux: https://git.io/JJmga
def get_internal_network():
import ctypes
import fcntl
import math
import socket
import struct
iface = b"eth0"
sockfd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
ifreq = struct.pack(b"16sH14s", iface, socket.AF_INET, b"\x00" * 14)
try:
ip = struct.unpack(
b"!I", struct.unpack(b"16sH2x4s8x", fcntl.ioctl(sockfd, 0x8915, ifreq))[2]
)[0]
netmask = socket.ntohl(
struct.unpack(b"16sH2xI8x", fcntl.ioctl(sockfd, 0x891B, ifreq))[2]
)
except IOError:
return ()
base = socket.inet_ntoa(struct.pack(b"!I", ip & netmask))
netmask_bits = 32 - int(round(math.log(ctypes.c_uint32(~netmask).value + 1, 2), 1))
return "{0:s}/{1:d}".format(base, netmask_bits)
INTERNAL_SYSTEM_IPS = (get_internal_network(),)
DATABASES = {
"default": {
"ENGINE": "sentry.db.postgres",
"NAME": "<%= @postgres_dbname %>",
"USER": "<%= @postgres_user %>",
"PASSWORD": "<%= @postgres_password %>",
"HOST": "<%= @postgres_host %>",
"PORT": "<%= @postgres_port %>",
}
}
# You should not change this setting after your database has been created
# unless you have altered all schemas first
SENTRY_USE_BIG_INTS = True
# If you're expecting any kind of real traffic on Sentry, we highly recommend
# configuring the CACHES and Redis settings
###########
# General #
###########
# Instruct Sentry that this install intends to be run by a single organization
# and thus various UI optimizations should be enabled.
SENTRY_SINGLE_ORGANIZATION = True
SENTRY_OPTIONS["system.event-retention-days"] = int(
env("SENTRY_EVENT_RETENTION_DAYS", "90")
)
#########
# Redis #
#########
# Generic Redis configuration used as defaults for various things including:
# Buffers, Quotas, TSDB
SENTRY_OPTIONS["redis.clusters"] = {
"default": {
"hosts": {0: {"host": "redis", "password": "", "port": "6379", "db": "0"}}
}
}
#########
# Queue #
#########
# See https://develop.sentry.dev/services/queue/ for more
# information on configuring your queue broker and workers. Sentry relies
# on a Python framework called Celery to manage queues.
rabbitmq_host = None
if rabbitmq_host:
BROKER_URL = "amqp://{username}:{password}@{host}/{vhost}".format(
username="guest", password="guest", host=rabbitmq_host, vhost="/"
)
else:
BROKER_URL = "redis://:{password}@{host}:{port}/{db}".format(
**SENTRY_OPTIONS["redis.clusters"]["default"]["hosts"][0]
)
#########
# Cache #
#########
# Sentry currently utilizes two separate mechanisms. While CACHES is not a
# requirement, it will optimize several high throughput patterns.
CACHES = {
"default": {
"BACKEND": "django.core.cache.backends.memcached.MemcachedCache",
"LOCATION": ["memcached:11211"],
"TIMEOUT": 3600,
}
}
# A primary cache is required for things such as processing events
SENTRY_CACHE = "sentry.cache.redis.RedisCache"
DEFAULT_KAFKA_OPTIONS = {
"bootstrap.servers": "kafka:9092",
"message.max.bytes": 50000000,
"socket.timeout.ms": 1000,
}
SENTRY_EVENTSTREAM = "sentry.eventstream.kafka.KafkaEventStream"
SENTRY_EVENTSTREAM_OPTIONS = {"producer_configuration": DEFAULT_KAFKA_OPTIONS}
KAFKA_CLUSTERS["default"] = DEFAULT_KAFKA_OPTIONS
###############
# Rate Limits #
###############
# Rate limits apply to notification handlers and are enforced per-project
# automatically.
SENTRY_RATELIMITER = "sentry.ratelimits.redis.RedisRateLimiter"
##################
# Update Buffers #
##################
# Buffers (combined with queueing) act as an intermediate layer between the
# database and the storage API. They will greatly improve efficiency on large
# numbers of the same events being sent to the API in a short amount of time.
# (read: if you send any kind of real data to Sentry, you should enable buffers)
SENTRY_BUFFER = "sentry.buffer.redis.RedisBuffer"
##########
# Quotas #
##########
# Quotas allow you to rate limit individual projects or the Sentry install as
# a whole.
SENTRY_QUOTAS = "sentry.quotas.redis.RedisQuota"
########
# TSDB #
########
# The TSDB is used for building charts as well as making things like per-rate
# alerts possible.
SENTRY_TSDB = "sentry.tsdb.redissnuba.RedisSnubaTSDB"
#########
# SNUBA #
#########
SENTRY_SEARCH = "sentry.search.snuba.EventsDatasetSnubaSearchBackend"
SENTRY_SEARCH_OPTIONS = {}
SENTRY_TAGSTORE_OPTIONS = {}
###########
# Digests #
###########
# The digest backend powers notification summaries.
SENTRY_DIGESTS = "sentry.digests.backends.redis.RedisBackend"
##############
# Web Server #
##############
SENTRY_WEB_HOST = "0.0.0.0"
SENTRY_WEB_PORT = 9000
SENTRY_WEB_OPTIONS = {
"http": "%s:%s" % (SENTRY_WEB_HOST, SENTRY_WEB_PORT),
"protocol": "uwsgi",
# This is needed in order to prevent https://git.io/fj7Lw
"uwsgi-socket": None,
"so-keepalive": True,
# Keep this between 15s-75s as that's what Relay supports
"http-keepalive": 15,
"http-chunked-input": True,
# the number of web workers
"workers": 3,
"threads": 4,
"memory-report": False,
# Some stuff so uwsgi will cycle workers sensibly
"max-requests": 100000,
"max-requests-delta": 500,
"max-worker-lifetime": 86400,
# Duplicate options from sentry default just so we don't get
# bit by sentry changing a default value that we depend on.
"thunder-lock": True,
"log-x-forwarded-for": False,
"buffer-size": 32768,
"limit-post": 209715200,
"disable-logging": True,
"reload-on-rss": 600,
"ignore-sigpipe": True,
"ignore-write-errors": True,
"disable-write-exception": True,
}
###########
# SSL/TLS #
###########
# If you're using a reverse SSL proxy, you should enable the X-Forwarded-Proto
# header and enable the settings below
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
# End of SSL/TLS settings
+########
+# Mail #
+########
+
+SENTRY_OPTIONS["mail.list-namespace"] = env('SENTRY_MAIL_HOST', 'localhost')
+SENTRY_OPTIONS["mail.from"] = "<%= @mail_from %>"
+
############
# Features #
############
SENTRY_FEATURES["projects:sample-events"] = False
SENTRY_FEATURES.update(
{
feature: True
for feature in (
"organizations:discover",
"organizations:events",
"organizations:global-views",
"organizations:incidents",
"organizations:integrations-issue-basic",
"organizations:integrations-issue-sync",
"organizations:invite-members",
"organizations:metric-alert-builder-aggregate",
"organizations:sso-basic",
"organizations:sso-rippling",
"organizations:sso-saml2",
"organizations:performance-view",
"organizations:advanced-search",
"projects:custom-inbound-filters",
"projects:data-forwarding",
"projects:discard-groups",
"projects:plugins",
"projects:rate-limits",
"projects:servicehooks",
)
}
)
#######################
# MaxMind Integration #
#######################
GEOIP_PATH_MMDB = '/geoip/GeoLite2-City.mmdb'
#########################
# Bitbucket Integration #
#########################
# BITBUCKET_CONSUMER_KEY = 'YOUR_BITBUCKET_CONSUMER_KEY'
# BITBUCKET_CONSUMER_SECRET = 'YOUR_BITBUCKET_CONSUMER_SECRET'
#######################
# Relay configuration #
#######################
SENTRY_RELAY_WHITELIST_PK = ['<%= @relay_public_key %>']
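Review bot: The added `SENTRY_OPTIONS["mail.from"] = "<%= @mail_from %>"` pastes the Hiera value straight into a Python string literal, so a value containing `"` or a backslash (a display-name form of the address, for example) yields a settings file that fails to parse or evaluates as something other than the intended string. Emitting the literal through an encoder avoids that, e.g. `SENTRY_OPTIONS["mail.from"] = <%= @mail_from.to_json %>`, assuming `to_json` is available in the template context. The unchanged `DATABASES` block uses the same raw interpolation, including for the password, and would benefit from the same treatment. Also, `env('SENTRY_MAIL_HOST', 'localhost')` falls back silently to `localhost` if the variable is not passed into the container; whether the compose file forwards it is not visible in this diff.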
