Add docker based welcome.openstreetmap.org using podman

.github/workflows/test-kitchen.yml

@@ -43,6 +43,7 @@ jobs:
           - foundation-dwg
           - foundation-mwg
           - foundation-owg
+          - foundation-welcome
           - foundation-wiki
           - ftp
           - geodns

.kitchen.yml

@@ -139,6 +139,9 @@ suites:
   - name: foundation-owg
     run_list:
       - recipe[foundation::owg]
+  - name: foundation-welcome
+    run_list:
+      - recipe[foundation::welcome]
   - name: foundation-wiki
     run_list:
       - recipe[foundation::wiki]

cookbooks/foundation/metadata.rb

@@ -9,4 +9,5 @@
 depends           "apache"
 depends           "git"
 depends           "mediawiki"
+depends           "podman"
 depends           "ruby"

cookbooks/foundation/recipes/welcome.rb

@@ -0,0 +1,41 @@
+#
+# Cookbook:: foundation
+# Recipe:: welcome
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apache"
+include_recipe "podman"
+
+docker_external_port = 8090
+
+podman_service "welcome-mat" do
+  description "Container service for welcome.openstreetmap.org"
+  image "ghcr.io/osmfoundation/welcome-mat:latest"
+  ports docker_external_port => "8080"
+end
+
+ssl_certificate "welcome.openstreetmap.org" do
+  domains ["welcome.openstreetmap.org", "welcome.osm.org"]
+  notifies :reload, "service[apache2]"
+end
+
+apache_module "proxy_http"
+
+apache_site "welcome.openstreetmap.org" do
+  template "apache.welcome.erb"
+  variables :docker_external_port => docker_external_port, :aliases => ["welcome.osm.org"]
+end

cookbooks/foundation/templates/default/apache.welcome.erb

@@ -0,0 +1,38 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+<VirtualHost *:443>
+   ServerName <%= @name %>
+<% @aliases.each do |alias_name| -%>
+   ServerAlias <%= alias_name %>
+<% end -%>
+   ServerAdmin [email protected]
+
+   CustomLog /var/log/apache2/<%= @name %>-access.log combined
+   ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+   SSLEngine on
+   SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+   SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+
+   # Let the backend know we are using HTTPS
+   RequestHeader set X-Forwarded-Proto “https”
+   RequestHeader set X-Forwarded-Port “443”
+
+   ProxyPass / http://localhost:<%= @docker_external_port %>/
+   ProxyPreserveHost on
+
+</VirtualHost>
+
+<VirtualHost *:80>
+   ServerName <%= @name %>
+<% @aliases.each do |alias_name| -%>
+   ServerAlias <%= alias_name %>
+<% end -%>
+   ServerAdmin [email protected]
+
+   CustomLog /var/log/apache2/<%= @name %>-access.log combined
+   ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+   RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+   RedirectPermanent / https://<%= @name %>/
+</VirtualHost>

cookbooks/podman/metadata.rb

@@ -0,0 +1,9 @@
+name              "podman"
+maintainer        "OpenStreetMap Administrators"
+maintainer_email  "[email protected]"
+license           "Apache-2.0"
+description       "Installs and configures podman"
+
+version           "1.0.0"
+supports          "ubuntu"
+depends           "systemd"

cookbooks/podman/recipes/default.rb

@@ -0,0 +1,46 @@
+#
+# Cookbook:: podman
+# Recipe:: default
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package %w[
+  podman
+  slirp4netns
+  uidmap
+]
+
+ruby_block "subuid-containers" do
+  block do
+    File.open("/etc/subuid", "a") do |file|
+      file.puts("containers:2147483647:2147483648")
+    end
+  end
+  not_if "grep -q '^containers:' /etc/subuid"
+end
+
+ruby_block "subgid-containers" do
+  block do
+    File.open("/etc/subgid", "a") do |file|
+      file.puts("containers:2147483647:2147483648")
+    end
+  end
+  not_if "grep -q '^containers:' /etc/subgid"
+end
+
+service "podman-auto-update.timer" do
+  action [:enable, :start]
+end

cookbooks/podman/resources/service.rb

@@ -0,0 +1,65 @@
+#
+# Cookbook:: podman
+# Resource:: podman_service
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+default_action :create
+
+property :service, String, :name_property => true
+property :description, String, :required => true
+property :image, String, :required => true
+property :ports, Hash
+
+action :create do
+  systemd_service new_resource.service do
+    description new_resource.description
+    type "notify"
+    notify_access "all"
+    environment "PODMAN_SYSTEMD_UNIT" => "%n"
+    exec_start_pre "/bin/rm --force %t/%n.ctr-id"
+    exec_start "/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --userns=auto --label=io.containers.autoupdate=registry --network=slirp4netns #{publish_options} --rm --sdnotify=conmon --detach --replace --name=%N #{new_resource.image}"
+    exec_stop "/usr/bin/podman stop --ignore --time=10 --cidfile=%t/%n.ctr-id"
+    exec_stop_post "/usr/bin/podman rm --force --ignore --cidfile=%t/%n.ctr-id"
+    timeout_stop_sec 70
+    restart "on-failure"
+  end
+
+  service new_resource.service do
+    action [:enable, :start]
+    subscribes :restart, "systemd_service[#{new_resource.service}]"
+  end
+end
+
+action :delete do
+  service new_resource.service do
+    action [:disable, :stop]
+  end
+
+  systemd_service new_resource.service do
+    action :delete
+  end
+end
+
+action_class do
+  def publish_options
+    new_resource.ports.collect do |host, guest|
+      "--publish=127.0.0.1:#{host}:#{guest}"
+    end.join(" ")
+  end
+end

cookbooks/systemd/resources/service.rb

@@ -32,6 +32,7 @@
 property :requires, [String, Array]
 property :joins_namespace_of, [String, Array]
 property :type, String, :is => %w[simple forking oneshot dbus notify idle]
+property :notify_access, String, :is => %w[none main exec all]
 property :limit_nofile, Integer
 property :limit_as, [Integer, String]
 property :limit_cpu, [Integer, String]
@@ -48,6 +49,7 @@
 property :exec_start, [String, Array]
 property :exec_start_post, [String, Array]
 property :exec_stop, [String, Array]
+property :exec_stop_post, [String, Array]
 property :exec_reload, String
 property :runtime_directory, String
 property :runtime_directory_mode, Integer

cookbooks/systemd/templates/default/service.erb

@@ -30,6 +30,9 @@ JoinsNamespaceOf=<%= Array(@joins_namespace_of).join(" ") %>
 <% if @type -%>
 Type=<%= @type %>
 <% end -%>
+<% if @notify_access -%>
+NotifyAccess=<%= @notify_access %>
+<% end -%>
 <% if @limit_nofile -%>
 LimitNOFILE=<%= @limit_nofile %>
 <% end -%>
@@ -98,6 +101,14 @@ ExecStop=
 ExecStop=<%= exec_stop %>
 <% end -%>
 <% end -%>
+<% if @exec_stop_post -%>
+<% if @dropin -%>
+ExecStopPost=
+<% end -%>
+<% Array(@exec_stop_post).each do |exec_stop_post| -%>
+ExecStopPost=<%= exec_stop_post %>
+<% end -%>
+<% end -%>
 <% if @exec_reload -%>
 <% if @dropin -%>
 ExecReload=

test/integration/foundation-welcome/serverspec/apache_spec.rb

@@ -0,0 +1,21 @@
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe package("apache2") do
+  it { should be_installed }
+end
+
+describe service("apache2") do
+  it { should be_enabled }
+  it { should be_running }
+end
+
+describe port(80) do
+  it { should be_listening.with("tcp") }
+end
+
+describe port(443) do
+  it { should be_listening.with("tcp") }
+end