Adding beaker lab controller and server roles for beaker-stg

inventory/group_vars/beaker-stg

@@ -10,3 +10,19 @@ nrpe_procs_warn: 250
 nrpe_procs_crit: 300
 
 freezes: false
+
+# settings for the beaker db, server and lab controller
+beaker_db_host: localhost
+beaker_db_name: beaker
+beaker_db_user: '{{ stg_beaker_db_user }}'
+beaker_db_password: '{{ stg_beaker_db_password }}'
+
+beaker_server_url: 'https://beaker.stg.qa.fedoraproject.org'
+beaker_server_cname: 'beaker.stg.fedoraproject.org'
+beaker_server_hostname： 'beaker-stg01.qa.fedoraproject.org'
+beaker_server_admin_user: '{{ stg_beaker_server_admin_user }}'
+beaker_server_admin_pass: '{{ stg_beaker_server_admin_pass }}'
+beaker_server_email: 'sysadmin-qa-members@fedoraproject.org'
+
+beaker_lab_controller_username: 'host/beaker01.qa.fedoraproject.org'
+beaker_lab_controller_password: '{{ stg_beaker_lab_controller_password }}'

playbooks/groups/beaker-stg.yml

@@ -47,3 +47,22 @@
 
   handlers:
   - include: "{{ handlers }}/restart_services.yml"
+
+- name: configure beaker and required services
+  hosts: beaker-stg
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+   - { role: mariadb_server, tags: ['mariadb'] }
+   - { role: beaker/labcontroller, tags: ['beakerlabcontroller'] }
+   - { role: beaker/server, tags: ['beakerserver'] }
+
+  handlers:
+   - include: "{{ handlers }}/restart_services.yml"
+

roles/beaker/labcontroller/files/beaker-server-fedora.repo

@@ -0,0 +1,11 @@
+[beaker-server]
+name=Beaker Server - Fedora$releasever
+baseurl=https://beaker-project.org/yum/server/Fedora$releasever/
+enabled=1
+gpgcheck=0
+
+[beaker-server-testing]
+name=Beaker Server -Fedora$releasever - Testing
+baseurl=https://beaker-project.org/yum/server-testing/Fedora$releasever/
+enabled=0
+gpgcheck=0

roles/beaker/labcontroller/files/beaker-server-rhel.repo

@@ -0,0 +1,11 @@
+[beaker-server]
+name=Beaker Server - RedHatEnterpriseLinux$releasever
+baseurl=https://beaker-project.org/yum/server/RedHatEnterpriseLinux$releasever/
+enabled=1
+gpgcheck=0
+
+[beaker-server-testing]
+name=Beaker Server - RedHatEnterpriseLinux$releasever - Testing
+baseurl=https://beaker-project.org/yum/server-testing/RedHatEnterpriseLinux$releasever/
+enabled=0
+gpgcheck=0

roles/beaker/labcontroller/handlers/main.yml

@@ -0,0 +1,10 @@
+#####################################################################
+# Handlers for restarting services specific to beaker lab controllers
+#
+
+- name: restart beaker lab controller
+  service: name={{ item }} state=restarted
+  with_items:
+    - beaker-proxy
+    - beaker-provision
+    - beaker-watchdog

roles/beaker/labcontroller/tasks/main.yml

@@ -0,0 +1,63 @@
+#
+# This is a beaker_labcontroller role.
+#
+---
+- name: put beaker server repos on Rhel systems
+  action: copy src="{{ item }}" dest="/etc/yum.repos.d/{{ item }}"
+  with_items:
+    - beaker-server-rhel.repo
+  when: ansible_distribution == 'RedHat'
+
+- name: put beaker server repos on Fedora systems
+  action: copy src="{{ item }}" dest="/etc/yum.repos.d/{{ item }}"
+  with_items:
+    - beaker-server-fedora.repo
+  when: ansible_distribution == 'Fedora'
+
+- name: install beaker-lab-controller package
+  yum: name=beaker-lab-controller state=present
+  tags:
+    - beaker_lab_controller
+    - tftp-server
+
+- name: check beaker-transfer state
+  command: service beaker-transfer status
+  failed_when: no
+  changed_when: no
+  register: transfer_state
+
+- name: Replace default labcontroller.conf file
+  template:
+    src: etc/beaker/labcontroller.conf.j2
+    dest: /etc/beaker/labcontroller.conf
+    owner: apache
+    group: root
+    mode: 0660
+    backup: yes
+    force: yes
+  register: configure_result
+  notify:
+    - restart httpd
+    - restart beaker lab controller
+  tags:
+    - beaker_lab_controller
+
+- name: restart beaker-transfer
+  service: name=beaker-transfer state=restarted
+  when: (transfer_state.rc == 0) and (configure_result.changed)
+
+- name: enable tftp
+  command: chkconfig tftp on
+  tags:
+    - beaker_lab_controller
+
+- name: start required services 
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+    - httpd
+    - xinetd
+    - beaker-proxy
+    - beaker-provision
+    - beaker-watchdog
+  tags:
+    - beaker_lab_controller

roles/beaker/labcontroller/templates/etc/beaker/labcontroller.conf.j2

@@ -0,0 +1,48 @@
+# Hub xml-rpc address.
+#HUB_URL = "https://localhost:8080"
+HUB_URL = "{{beaker_server_url}}"
+
+# Hub authentication method. Example: krbv, password, worker_key
+AUTH_METHOD = "password"
+#AUTH_METHOD = "krbv"
+
+# Username and password
+USERNAME = "{{beaker_lab_controller_username}}"
+PASSWORD = "{{beaker_lab_controller_password}}"
+
+# Kerberos service prefix. Example: host, HTTP
+KRB_SERVICE = "HTTP"
+
+# Kerberos realm. If commented, last two parts of domain name are used. Example: MYDOMAIN.COM.
+KRB_REALM = "DOMAIN.COM"
+
+#Uncomment and change the following two lines if using krb with qpid
+#QPID_KRB_PRINCIPAL='HTTP/localhost'
+
+#QPID_KRB_KEYTAB='/etc/my/file.keytab'
+
+# By default, job logs are stored locally on the lab controller.
+# If you have set up an archive server to store job logs, uncomment and 
+# configure the following settings. You will also need to enable the 
+# beaker-transfer daemon to move logs to the archive server.
+#ARCHIVE_SERVER = "http://archive-example.domain.com/beaker"
+#ARCHIVE_BASEPATH = "/var/www/html/beaker"
+#ARCHIVE_RSYNC = "rsync://USER@HOST/var/www/html/beaker"
+#RSYNC_FLAGS = "-ar --password-file /root/rsync-secret.txt"
+
+# How often to renew our session on the server
+#RENEW_SESSION_INTERVAL = 300
+
+# Root directory served by the TFTP server. Netboot images and configs will be
+# placed here.
+TFTP_ROOT = "/var/lib/tftpboot"
+
+# URL scheme used to generate absolute URLs for this lab controller.
+# It is used for job logs served by Apache. Set it to 'https' if you have
+# configured Apache for SSL and you want logs to be served over SSL.
+#URL_SCHEME = "http"
+
+# Fully qualified domain name of *this* system (not the Beaker server).
+# Defaults to socket.gethostname(). Ordinarily that is sufficient, unless you
+# have registered this lab controller with Beaker under a CNAME.
+URL_DOMAIN = "{{beaker_server_cname}}"

roles/beaker/server/files/beaker-server-fedora.repo

@@ -0,0 +1,11 @@
+[beaker-server]
+name=Beaker Server - Fedora$releasever
+baseurl=https://beaker-project.org/yum/server/Fedora$releasever/
+enabled=1
+gpgcheck=0
+
+[beaker-server-testing]
+name=Beaker Server -Fedora$releasever - Testing
+baseurl=https://beaker-project.org/yum/server-testing/Fedora$releasever/
+enabled=0
+gpgcheck=0

roles/beaker/server/files/beaker-server-rhel.repo

@@ -0,0 +1,11 @@
+[beaker-server]
+name=Beaker Server - RedHatEnterpriseLinux$releasever
+baseurl=https://beaker-project.org/yum/server/RedHatEnterpriseLinux$releasever/
+enabled=1
+gpgcheck=0
+
+[beaker-server-testing]
+name=Beaker Server - RedHatEnterpriseLinux$releasever - Testing
+baseurl=https://beaker-project.org/yum/server-testing/RedHatEnterpriseLinux$releasever/
+enabled=0
+gpgcheck=0

roles/beaker/server/files/beaker-server.conf

@@ -0,0 +1,84 @@
+# Unencrypted access is bad
+# Un-comment the following to force https connections
+RewriteEngine on
+#RewriteCond %{REQUEST_URI} !^/rpms/.* [NC]
+#RewriteCond %{REQUEST_URI} !^/repos/.* [NC]
+#RewriteCond %{REQUEST_URI} !^/harness/.* [NC]
+#RewriteCond %{REQUEST_URI} !^/kickstart/.* [NC]
+#RewriteCond %{REQUEST_URI} !/ipxe-script$ [NC]
+#RewriteCond %{HTTPS} off
+#RewriteRule ^/(.*) https://%{HTTP_HOST}%{REQUEST_URI}
+#RewriteRule   ^/bkr$  /bkr/   [R]
+
+Alias /static /usr/share/bkr/server/static
+Alias /assets/generated /var/cache/beaker/assets
+Alias /assets /usr/share/bkr/server/assets
+Redirect permanent /apidoc http://beaker-project.org/docs/server-api
+Alias /logs /var/www/beaker/logs
+Alias /rpms /var/www/beaker/rpms
+Alias /repos /var/www/beaker/repos
+Alias /harness /var/www/beaker/harness
+
+<Directory "/var/www/beaker/logs">
+    <Files "*.log">
+        ForceType text/plain
+    </Files>
+</Directory>
+
+# To work around a thread safety issue in TurboGears where HTTP requests will
+# sometimes fail with NoApplicableMethods during application startup, it is
+# recommended to set threads=1 here.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=796037 for details.
+WSGIDaemonProcess beaker-server user=apache group=apache display-name=beaker-server maximum-requests=1000 processes=8 threads=1
+WSGISocketPrefix /var/run/wsgi
+WSGIRestrictStdout On
+WSGIRestrictSignal Off
+WSGIPythonOptimize 2
+WSGIPassAuthorization On
+
+WSGIScriptAlias / /usr/share/bkr/beaker-server.wsgi
+
+<Directory /usr/share/bkr>
+    WSGIApplicationGroup beaker-server
+    WSGIProcessGroup beaker-server
+    <IfModule mod_authz_core.c>
+        # Apache 2.4
+        Require all granted
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        # Apache 2.2
+        Order deny,allow
+        Allow from all
+    </IfModule>
+</Directory>
+
+<Directory /var/cache/beaker/assets>
+    <IfModule mod_authz_core.c>
+        # Apache 2.4
+        Require all granted
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        # Apache 2.2
+        Order deny,allow
+        Allow from all
+    </IfModule>
+    # Generated assets have a content hash in their filename so they can
+    # safely be cached forever.
+    ExpiresActive on
+    ExpiresDefault "access plus 1 year"
+</Directory>
+
+# Authentication settings for kerberos logins..
+# Uncomment and customize for your environment
+#<Location /bkr/login>
+#    AuthType Kerberos
+#    AuthName "Inventory Web UI"
+#    KrbMethodNegotiate on
+#    KrbMethodK5Passwd on
+#    KrbServiceName HTTP
+#    KrbAuthRealm DOMAIN.COM
+#    Krb5Keytab /etc/httpd/conf/httpd.keytab
+#    KrbSaveCredentials on
+#    Require valid-user
+#</Location>
+

roles/beaker/server/handlers/main.yml

@@ -0,0 +1,6 @@
+#############################################################
+# Handlers for restarting services specific to beaker servers
+#
+
+- name: restart beaker server
+  service: name=beakerd state=restarted

roles/beaker/server/tasks/main.yml

@@ -0,0 +1,79 @@
+#
+# This is a beaker_server role. 
+#
+---
+
+# it's unfortunate, but the beaker devs say that this is required until
+# https://bugzilla.redhat.com/show_bug.cgi?id=1074384 is solved
+- name: switch selinux off
+  selinux: state=disabled
+  tags:
+    - selinux
+    - beaker_server
+
+- name: put beaker server repos on Rhel systems
+  action: copy src="{{ item }}" dest="/etc/yum.repos.d/{{ item }}"
+  with_items:
+    - beaker-server-rhel.repo
+  when: ansible_distribution == 'RedHat'
+
+- name: put beaker server repos on Fedora systems
+  action: copy src="{{ item }}" dest="/etc/yum.repos.d/{{ item }}"
+  with_items:
+    - beaker-server-fedora.repo
+  when: ansible_distribution == 'Fedora'
+
+- name: install beaker-server package
+  yum: name=beaker-server state=present
+  tags:
+    - beaker_server
+    - MySQL-python
+
+- name: Replace default apache beaker-server.conf
+  copy:
+    src: beaker-server.conf
+    dest: /etc/httpd/conf.d/beaker-server.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart httpd
+  tags:
+    - beaker-server
+
+- name: Replace default beaker_server.cfg file
+  template:
+    src: etc/beaker/server.cfg.j2
+    dest: /etc/beaker/server.cfg
+    owner: apache
+    group: root
+    mode: 0660
+    backup: yes
+    force: yes
+  register: setup_beaker_conf
+  notify:
+    - restart beaker server
+    - restart httpd
+  tags:
+    - beaker-server
+
+- name: create the beaker database
+  mysql_db: name=beaker state=present
+
+- name: create beaker user
+  mysql_user: name={{beaker_server_admin_user}} password={{beaker_server_admin_pass}} priv=beaker.*:ALL,GRANT state=present
+
+- name: initialize beaker database
+  command: "beaker-init -u {{beaker_server_admin_user}} -p {{beaker_server_admin_pass}} -e {{beaker_server_email}}"
+  when: setup_beaker_conf|success
+  tags:
+    - beaker-init
+    - beaker-server
+
+- name: ensure the Apache server and the Beaker daemon are running
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+    - httpd
+    - beakerd
+  tags:
+    - beaker-server

roles/beaker/server/templates/etc/beaker/server.cfg.j2

@@ -0,0 +1,148 @@
+[global]
+# This defines the URL prefix under which the Beaker web application will be 
+# served. This must match the prefix used in the Alias and WSGIScriptAlias 
+# directives in /etc/httpd/conf.d/beaker-server.conf.
+# The default configuration places the application at: http://example.com/bkr/
+# server.webpath = "/"
+
+# Database connection URI for Beaker's database, in the form:
+#   <driver>://<user>:<password>@<hostname>:<port>/<database>?<options>
+# The charset=utf8 option is required for proper Unicode support.
+# The pool_recycle setting is required for MySQL, which will (by default) 
+# terminate idle client connections after 10 hours.
+sqlalchemy.dburi="mysql://{{beaker_db_user}}:{{beaker_db_password}}@{{beaker_db_host}}/{{beaker_db_name}}?charset=utf8"
+sqlalchemy.pool_recycle = 3600
+
+# If you want to send read-only report queries to a separate slave 
+# database, configure it here. If not configured, report queries will 
+# fall back to using the main Beaker database (above).
+#reports_engine.dburi = "mysql://beaker_ro:beaker_ro@dbslave/beaker?charset=utf8"
+#reports_engine.pool_recycle = 3600
+
+# Set to True to enable sending emails.
+#mail.on = False
+
+# TurboMail transport to use. The default 'smtp' sends mails over SMTP to the 
+# server configured below. Other transports may be available as TurboMail 
+# extension packages.
+#mail.transport = "smtp"
+# SMTP server where mails should be sent. By default we assume there is an 
+# SMTP-capable MTA running on the local host.
+#mail.smtp.server = "127.0.0.1"
+
+# The address which will appear as the From: address in emails sent by Beaker.
+#beaker_email = "root@localhost.localdomain"
+
+# If this is set to a value greater than zero, Beaker will enforce a limit on 
+# the number of concurrently running power/provision commands in each lab. Set 
+# this option if you have a lab with many machines and are concerned about 
+# a flood of commands overwhelming your lab controller.
+#beaker.max_running_commands = 10
+
+# Timeout for authentication tokens. After this many minutes of inactivity 
+# users will be required to re-authenticate.
+#visit.timeout = 360
+
+# Secret key for encrypting authentication tokens. Set this to a very long 
+# random string and DO NOT disclose it. Changing this value will invalidate all 
+# existing tokens and force users to re-authenticate.
+# If not set, a secret key will be generated and stored in /var/lib/beaker, 
+# however this configuration impacts performance therefore you should supply 
+# a secret key here.
+#visit.token_secret_key = ""
+
+# Enable LDAP for user account lookup and password authentication.
+#identity.ldap.enabled = False
+# URI of LDAP directory.
+#identity.soldapprovider.uri = "ldaps://ldap.domain.com"
+# Base DN for looking up user accounts.
+#identity.soldapprovider.basedn = "dc=domain,dc=com"
+# If set to True, Beaker user acounts will be automatically created on demand 
+# if they exist in LDAP. Account attributes are populated from LDAP.
+#identity.soldapprovider.autocreate = False
+# Timeout (seconds) for LDAP lookups.
+#identity.soldapprovider.timeout = 20
+# Server principal and keytab for Kerberos authentication. If using Kerberos 
+# authentication, this must match the mod_auth_kerb configuration in 
+# /etc/httpd/conf.d/beaker-server.conf.
+#identity.krb_auth_principal = "HTTP/hostname@EXAMPLE.COM"
+#identity.krb_auth_keytab = "/etc/krb5.keytab"
+
+# These are used when generating absolute URLs (e.g. in e-mails sent by Beaker)
+# You should only have to set this if socket.gethostname() returns the wrong
+# name, for example if you are using CNAMEs.
+tg.url_domain = '{{beaker_server_cname}}'
+tg.url_scheme = "https"
+# If your scheduler is multi-homed and has a different hostname for your test
+# machines you can use the tg.lab_domain variable here to specify it.
+# If tg.lab_domain is not set it will fall back to tg.url_domain, and if that's
+# not set it will fall back to socket.gethostname().
+tg.lab_domain = '{{beaker_server_hostname}}'
+
+# Tag for distros which are considered "reliable".
+# Broken system detection logic will be activated for distros with this tag 
+# (see the bkr.server.model:System.suspicious_abort method). Leave this unset 
+# to deactivate broken system detection.
+#beaker.reliable_distro_tag = "RELEASED"
+
+# The contents of this file will be displayed to users on every page in Beaker. 
+# If it exists, it must contain a valid HTML fragment (e.g. <span>...</span>).
+#beaker.motd = "/etc/beaker/motd.xml"
+
+# The URL of a page describing your organisation's policies for reserving 
+# Beaker machines. If configured, a message will appear on the reserve workflow 
+# page, warning users to adhere to the policy with a hyperlink to this URL. By 
+# default no message is shown.
+#beaker.reservation_policy_url = "http://example.com/reservation-policy"
+
+# If both of these options are set, the Piwik tracking javascript snippet will
+# be embedded in all pages, reporting statistics back to the given Piwik
+# installation.
+# Make sure that piwik.base_url is a protocol-relative URL starting with //
+#piwik.base_url = "//analytics.example.invalid/piwik/"
+#piwik.site_id = 123
+
+# These install options are used as global defaults for every provision. They
+# can be overriden by options on the distro tree, the system, or the recipe.
+#beaker.ks_meta = ""
+#beaker.kernel_options = "ksdevice=bootif"
+#beaker.kernel_options_post = ""
+
+# See BZ#1000861
+#beaker.deprecated_job_group_permissions.on = True
+
+# When generating MAC addresses for virtual systems, Beaker will always pick 
+# the lowest free address starting from this base address.
+#beaker.base_mac_addr = "52:54:00:00:00:00"
+
+# Beaker increases the priority of recipes when it detects that they match only 
+# one candidate system. You can disable this behaviour here.
+#beaker.priority_bumping_enabled = True
+
+# When generating RPM repos, we can configure what utility
+# to use. So far, only 'createrepo' and 'createrepo_c' have been
+# tested. See https://github.com/Tojaj/createrepo_c
+#beaker.createrepo_command = "createrepo"
+
+# If you have set up a log archive server (with beaker-transfer) and it 
+# requires HTTP digest authentication for deleting old logs, set the username 
+# and password here.
+#beaker.log_delete_user = "log-delete"
+#beaker.log_delete_password = "examplepassword"
+
+# If carbon.address is set, Beaker will send various metrics to carbon 
+# (collection daemon for Graphite) at the given address. The address must be 
+# a tuple of (hostname, port).
+# The value of carbon.prefix is prepended to all names used by Beaker.
+#carbon.address = ('graphite.example.invalid', 2023)
+#carbon.prefix = 'beaker.'
+
+# Use OpenStack for running recipes on dynamically created guests.
+#openstack.identity_api_url = 'https://openstack.example.com:5000/v2.0'
+#openstack.dashboard_url = 'https://openstack.example.com/dashboard/'
+
+# Set this to limit the Beaker web application's address space to the given 
+# size (in bytes). This may be helpful to catch excessive memory consumption by 
+# Beaker. On large deployments 1500000000 is a reasonable value.
+# By default no address space limit is enforced.
+#rlimit_as=