koji_builder: first cut at a script to update osbuild api ip for builder firewalls

This is a quick, hacked up script that just runs once per minute and updates the ip addresses for the osbuild koji plugin. The script calls systemd's resolvectl without cache and puts the ips in a ipset. The koji_builder firewall has a added rule to check that ipset for outgoing connections that are allowed. TODO: add some kind of error checking TODO: probibly won't work on s390x builders as they can't reach the host even with open firewalls, but should work for others. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-07-28 11:29:07 -07:00 · 2022-07-28 11:29:07 -07:00 · 1951c7fb1b
commit 1951c7fb1b
parent 022ac7036a
4 changed files with 25 additions and 0 deletions
--- a/roles/base/templates/iptables/iptables.kojibuilder
+++ b/roles/base/templates/iptables/iptables.kojibuilder
@ -27,6 +27,9 @@
 {% endfor %}
 {% endif %}

+# osbuild api for osbuild koji plugin
+-A OUTPUT -p tcp --dport 443 -m set --match-set osbuildapi dst -j ACCEPT
+
 # kojipkgs
 {% if host in groups['buildvm_s390x'] %}
 -A OUTPUT -p tcp -m tcp -d 10.16.0.17 --dport 80 -j ACCEPT
--- a/roles/koji_builder/files/osbuildapi-update.cron
+++ b/roles/koji_builder/files/osbuildapi-update.cron
@ -0,0 +1 @@
+* * * * * root /usr/local/bin/lock-wrapper osbuildapi "/usr/local/bin/osbuildapi-update.sh"
--- a/roles/koji_builder/files/osbuildapi-update.sh
+++ b/roles/koji_builder/files/osbuildapi-update.sh
@ -0,0 +1,15 @@
+#!/bin/bash
+
+/usr/sbin/ipset create osbuildapi hash:ip >& /dev/null
+
+RESOLVEQUERY=`resolvectl --cache=no --legend=no query api.stage.openshift.com 2> /dev/null`         
+test $? -eq 0 || exit $?
+
+NEWIPS=`echo $RESOLVEQUERY | grep link | awk '{print $2 " " $6}' | sort -n`                         
+#APIIP=`resolvectl --cache=no --legend=no query api.stage.openshift.com | grep link | sed -e "s|api.stage.openshift.com:||" | awk '{print $1}'`
+
+/usr/sbin/ipset flush osbuildapi
+for j in $NEWIPS
+do
+     /usr/sbin/ipset add osbuildapi $j
+done
--- a/roles/koji_builder/tasks/main.yml
+++ b/roles/koji_builder/tasks/main.yml
@ -356,3 +356,9 @@
  tags:
  - koji_builder
  - koji_builder/oomd
+
+- name: install script to update osbuild api ip in the firewall
+  copy: src=osbuildapi-update.sh dst=/usr/local/bin/osbuildapi-update.sh mode=755
+
+- name: install cron job to run osbuild api ip update script every minute.
+  copy: src=osbuildapi-update.cron dst=/etc/cron.d/osbuildapi-update.cron mode=644
				`@ -0,0 +1 @@`
				`* * * * * root /usr/local/bin/lock-wrapper osbuildapi "/usr/local/bin/osbuildapi-update.sh"`