Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Switch OSBS Prod to osbs-cluster

Browse source 
- remove osbs-master and osbs-node playbooks
    - add osbs production hosts to osbs-cluster playbook
    - migrate osbs production buildroot Dockerfile to j2 template
      (like we have in staging)
    - add infrastructure repo to buildroot dir and Dockerfile

Signed-off-by: Adam Miller <admiller@redhat.com>
This commit is contained in:
Adam Miller 2016-12-07 04:03:26 +00:00
parent e5d7bc82b6
commit 2d3951e5b0
6 changed files with 85 additions and 865 deletions
Download patch file Download diff file Expand all files Collapse all files

7
files/osbs/buildroot-Dockerfile-production
View file

@ -1,7 +0,0 @@
FROM fedora:latest
RUN dnf -y install docker git python-docker-py python-setuptools e2fsprogs koji python-backports-lzma osbs-client gssproxy fedpkg python-docker-squash
ADD ./atomic-reactor.tar.gz /tmp/
RUN cd /tmp/atomic-reactor-*/ && python setup.py install
ADD ./ca.crt /etc/pki/ca-trust/source/anchors/osbs.ca.crt
RUN update-ca-trust
CMD ["atomic-reactor", "--verbose", "inside-build"]

9
files/osbs/buildroot-Dockerfile-production.j2 Normal file
View file

@ -0,0 +1,9 @@
FROM fedora:latest
ADD ./infrastructure.repo /etc/yum.repos.d/infrastructure.repo
RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-docker-py python-setuptools e2fsprogs koji python-backports-lzma osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor*
RUN sed -i 's|.*default_ccache_name.*| default_ccache_name = DIR:/tmp/ccache_%{uid}|g' /etc/krb5.conf
ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/
ADD ./ca.crt /etc/pki/ca-trust/source/anchors/osbs.ca.crt
RUN update-ca-trust
CMD ["python2", "/usr/bin/atomic-reactor", "--verbose", "inside-build"]

1
files/osbs/buildroot-Dockerfile-staging.j2
View file

@ -1,4 +1,5 @@
FROM fedora:latest FROM fedora:latest
ADD ./infrastructure.repo /etc/yum.repos.d/infrastructure.repo
RUN curl -o /etc/yum.repos.d/maxamillion-atomic-reactor-copr.repo https://copr.fedorainfracloud.org/coprs/maxamillion/atomic-reactor/repo/fedora-24/maxamillion-atomic-reactor-fedora-24.repo RUN curl -o /etc/yum.repos.d/maxamillion-atomic-reactor-copr.repo https://copr.fedorainfracloud.org/coprs/maxamillion/atomic-reactor/repo/fedora-24/maxamillion-atomic-reactor-fedora-24.repo
RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-docker-py python-setuptools e2fsprogs koji python-backports-lzma osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-docker-py python-setuptools e2fsprogs koji python-backports-lzma osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor*
RUN sed -i 's|.*default_ccache_name.*| default_ccache_name = DIR:/tmp/ccache_%{uid}|g' /etc/krb5.conf RUN sed -i 's|.*default_ccache_name.*| default_ccache_name = DIR:/tmp/ccache_%{uid}|g' /etc/krb5.conf

82
playbooks/groups/osbs-cluster.yml
View file

@ -54,7 +54,7 @@
line: "pipelining = True" line: "pipelining = True"
- name: Setup cluster hosts pre-reqs - name: Setup cluster hosts pre-reqs
hosts: osbs-masters-stg:osbs-nodes-stg hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags: tags:
- osbs-cluster-prereq - osbs-cluster-prereq
user: root user: root
@ -158,10 +158,29 @@
when: env == 'staging', when: env == 'staging',
tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
} }
- {
role: ansible-ansible-openshift-ansible,
cluster_inventory_filename: "cluster-inventory",
openshift_htpasswd_file: "/etc/origin/htpasswd",
openshift_master_public_api_url: "https://{{ osbs_url }}:8443",
openshift_release: "v1.3",
openshift_ansible_path: "/root/openshift-ansible",
openshift_ansible_playbook: "playbooks/byo/config.yml",
openshift_ansible_version: "openshift-ansible-3.3.41-1",
openshift_cluster_masters_group: "osbs-masters-stg",
openshift_cluster_nodes_group: "osbs-nodes-stg",
openshift_named_certificates: [{
cert_file: "named_certificates/{{osbs_url}}.pem",
key_file: "named_certificates/{{osbs_url}}.key",
names: [ "{{osbs_url}}" ],
}],
when: env == 'production',
tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
}
- name: Setup OSBS requirements for OpenShift cluster hosts - name: Setup OSBS requirements for OpenShift cluster hosts
hosts: osbs-masters-stg:osbs-nodes-stg hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags: tags:
- osbs-cluster-req - osbs-cluster-req
user: root user: root
@ -211,7 +230,7 @@
dest: "/etc/dnsmasq.d/fedora-dns.conf" dest: "/etc/dnsmasq.d/fedora-dns.conf"
- name: Setup requirements for OpenShift master - name: Setup requirements for OpenShift master
hosts: osbs-masters-stg hosts: osbs-masters-stg:osbs-masters
tags: tags:
- osbs-master-req - osbs-master-req
user: root user: root
@ -293,9 +312,29 @@
osbs_docker_registry_storage: "/opt/openshift-registry", osbs_docker_registry_storage: "/opt/openshift-registry",
when: env == "staging" when: env == "staging"
} }
- {
role: osbs-on-openshift,
osbs_openshift_home: "/var/lib/origin",
osbs_namespace: "default",
osbs_namespace_create: "false",
osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig",
osbs_environment: [
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
],
osbs_service_accounts: [],
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: ["{{ osbs_koji_prod_username }}"],
osbs_readwrite_groups: [ "system:authenticated"],
osbs_admin_users: [],
osbs_admin_groups: [],
osbs_docker_registry: false,
osbs_docker_registry_storage: "/opt/openshift-registry",
when: env == "production"
}
- name: Manage docker images and image stream - name: Manage docker images and image stream
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
tags: tags:
- osbs-post-install - osbs-post-install
- manage-docker-images - manage-docker-images
@ -369,7 +408,7 @@
creates: /etc/origin/fedoraimagestreamcreated creates: /etc/origin/fedoraimagestreamcreated
- name: post-install master host osbs tasks - name: post-install master host osbs tasks
hosts: osbs-masters-stg hosts: osbs-masters-stg:osbs-masters
tags: tags:
- osbs-post-install - osbs-post-install
vars_files: vars_files:
@ -424,7 +463,7 @@
- name: post-install osbs tasks - name: post-install osbs tasks
hosts: osbs-masters-stg:osbs-nodes-stg hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags: tags:
- osbs-post-install - osbs-post-install
vars_files: vars_files:
@ -496,6 +535,31 @@
notify: notify:
- buildroot container - buildroot container
- name: stat infra repofile
stat:
path: "/etc/yum.repos.d/infrastructure.repo"
register: infra_repo_stat
- name: stat /etc/osbs/buildroot/ infra repofile
stat:
path: "/etc/osbs/buildroot/infrastructure.repo"
register: etcosbs_infra_repo_stat
- name: remove old hardlink to /etc/osbs/buildroot/ infra repofile
file:
path: "/etc/osbs/buildroot/infrastructure.repo"
state: absent
when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum
- name: Hardlink repofile for buildroot container (because Docker)
file:
src: "/etc/yum.repos.d/infrastructure.repo"
dest: "/etc/osbs/buildroot/infrastructure.repo"
state: hard
notify:
- buildroot container
when: etcosbs_infra_repo_stat.stat.exists == false
- name: stat /etc/ keytab - name: stat /etc/ keytab
stat: stat:
path: "/etc/krb5.osbs_{{osbs_url}}.keytab" path: "/etc/krb5.osbs_{{osbs_url}}.keytab"
@ -552,7 +616,7 @@
- name: Post-Install image stream refresh - name: Post-Install image stream refresh
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
tags: tags:
- osbs-post-install - osbs-post-install
vars_files: vars_files:
@ -566,3 +630,7 @@
shell: "oc import-image fedora --all" shell: "oc import-image fedora --all"
when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"]|changed when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"]|changed
- name: refresh fedora image streams
shell: "oc import-image fedora --all"
when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"]|changed

428
playbooks/groups/osbs-master.yml
View file

@ -1,428 +0,0 @@
# create an osbs server
- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs:osbs-stg"
- name: make the box be real
hosts: osbs:osbs-stg
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- nagios/client
- hosts
- fas_client
- collectd/base
- rsyncd
- sudo
- { role: openvpn/client,
when: env != "staging" }
tasks:
- include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: pre-install osbs tasks
hosts: osbs:osbs-stg
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: cron entry to clean up docker storage
copy:
src: "{{files}}/osbs/cleanup-docker-storage"
dest: "/etc/cron.d/cleanup-docker-storage"
- name: copy docker-storage-setup config
copy:
src: "{{files}}/osbs/docker-storage-setup"
dest: "/etc/sysconfig/docker-storage-setup"
- name: create cert dir for openshift public facing REST API SSL
file:
path: "/etc/origin/master/named_certificates"
state: "directory"
- name: install cert for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"
- name: install key for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"
- name: ensure origin conf dir exists
file:
path: "/etc/origin"
state: "directory"
- name: place htpasswd file
copy:
src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd"
dest: /etc/origin/htpasswd
roles:
- {
role: push-docker,
docker_cert_name: "containerbuild",
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
when: env == "staging"
}
- {
role: push-docker,
docker_cert_name: "containerbuild",
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org",
when: env == "production"
}
- name: setup osbs
hosts: osbs:osbs-stg
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- osbs-atomic-reactor
- {
role: osbs-common,
osbs_manage_firewalld: false,
}
- osbs-install-openshift
- {
role: osbs-master,
osbs_openshift_loglevel: 2,
osbs_master_export_port: true,
osbs_manage_firewalld: false,
osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
osbs_readwrite_groups: [],
osbs_admin_users: [],
osbs_admin_groups: [],
osbs_master_max_pods: 3,
osbs_update_packages: false,
osbs_image_gc_high_threshold: 90,
osbs_image_gc_low_threshold: 80,
osbs_identity_provider: "htpasswd_provider",
osbs_identity_htpasswd: {
name: htpasswd_provider,
challenge: true,
login: true,
provider_file: "/etc/origin/htpasswd"
},
osbs_named_certificates: {
enabled: true,
cert_file: "named_certificates/{{osbs_url}}.pem",
key_file: "named_certificates/{{osbs_url}}.key",
names: [ "{{osbs_url}}" ],
},
osbs_public_api_url: "{{osbs_url}}",
when: env == "staging"
}
- {
role: osbs-master,
osbs_openshift_loglevel: 2,
osbs_master_export_port: true,
osbs_manage_firewalld: false,
osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: [ "{{ osbs_koji_prod_username }}" ],
osbs_readwrite_groups: [],
osbs_admin_users: [],
osbs_admin_groups: [],
osbs_master_max_pods: 3,
osbs_update_packages: false,
osbs_image_gc_high_threshold: 90,
osbs_image_gc_low_threshold: 80,
osbs_identity_provider: "htpasswd_provider",
osbs_identity_htpasswd: {
name: htpasswd_provider,
challenge: true,
login: true,
provider_file: "/etc/origin/htpasswd"
},
osbs_named_certificates: {
enabled: true,
cert_file: "named_certificates/{{osbs_url}}.pem",
key_file: "named_certificates/{{osbs_url}}.key",
names: [ "{{osbs_url}}" ],
},
osbs_public_api_url: "{{osbs_url}}",
when: env == "production"
}
- {
role: osbs-client,
general: {
verbose: 0,
build_json_dir: '/usr/share/osbs/',
openshift_required_version: 1.1.0,
},
default: {
username: "{{ osbs_koji_stg_username }}",
password: "{{ osbs_koji_stg_password }}",
koji_certs_secret: "koji",
openshift_url: 'https://{{osbs_url}}/',
registry_uri: 'https://{{docker_registry}}/v2',
source_registry_uri: 'https://{{source_registry}}/v2',
build_host: '{{osbs_url}}',
koji_root: 'https://{{koji_url}}/koji',
koji_hub: 'https://{{koji_url}}/kojihub',
sources_command: 'fedpkg sources',
build_type: 'prod',
authoritative_registry: 'registry.example.com',
vendor: 'Fedora Project',
verify_ssl: true,
use_auth: true,
builder_use_auth: true,
distribution_scope: 'private',
registry_api_versions: 'v2',
builder_openshift_url: 'https://172.17.0.1:8443/'
},
when: env == "staging"
}
- {
role: osbs-client,
general: {
verbose: 0,
build_json_dir: '/usr/share/osbs/',
openshift_required_version: 1.1.0,
},
default: {
username: "{{ osbs_koji_prod_username }}",
password: "{{ osbs_koji_prod_password }}",
koji_certs_secret: "koji",
openshift_url: 'https://{{osbs_url}}/',
registry_uri: 'https://{{docker_registry}}/v2',
source_registry_uri: 'https://{{source_registry}}/v2',
build_host: '{{osbs_url}}',
koji_root: 'https://{{koji_url}}/koji',
koji_hub: 'https://{{koji_url}}/kojihub',
sources_command: 'fedpkg sources',
build_type: 'prod',
authoritative_registry: 'registry.example.com',
vendor: 'Fedora Project',
verify_ssl: true,
use_auth: true,
builder_use_auth: true,
distribution_scope: 'private',
registry_api_versions: 'v2',
builder_openshift_url: 'https://172.17.0.1:8443/'
},
when: env == "production"
}
- name: post-install osbs tasks
hosts: osbs:osbs-stg
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
handlers:
- name: buildroot container
shell: 'docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/'
- name: oc secrets new
shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
environment: "{{ osbs_environment }}"
notify: oc secrets add
- name: oc secrets add
shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
environment: "{{ osbs_environment }}"
tasks:
- name: set nrpe read access for osbs.conf for nagios monitoring
acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present
- name: pull fedora required docker images
shell: "docker pull {{item}}"
with_items: "{{fedora_required_images}}"
delegate_to: compose-x86-01.phx2.fedoraproject.org
register: docker_pull_fedora_delegated
changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout"
- name: tag fedora required docker images for our registry
shell: "docker tag {{item}} {{docker_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
delegate_to: compose-x86-01.phx2.fedoraproject.org
when: docker_pull_fedora_delegated|changed
- name: push fedora required docker images to our registry
shell: "docker push {{docker_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
delegate_to: compose-x86-01.phx2.fedoraproject.org
when: docker_pull_fedora_delegated|changed
- name: register origin_version_out rpm query
shell: "rpm -q origin --qf '%{Version}'"
register: origin_version_out
check_mode: no
changed_when: False
- set_fact:
origin_version: "{{origin_version_out.stdout}}"
- name: pull openshift required docker images
shell: "docker pull {{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
delegate_to: compose-x86-01.phx2.fedoraproject.org
register: docker_pull_openshift_delegated
changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout"
- name: tag openshift required docker images for our registry
shell: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
delegate_to: compose-x86-01.phx2.fedoraproject.org
when: docker_pull_openshift_delegated|changed
- name: push openshift required docker images to our registry
shell: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
delegate_to: compose-x86-01.phx2.fedoraproject.org
when: docker_pull_openshift_delegated|changed
- name: Ensure koji dockerbuilder cert path exists
file:
path: "{{ koji_pki_dir }}"
state: "directory"
mode: 0400
- name: Add koji dockerbuilder cert for Content Generator import
copy:
src: "{{private}}/files/koji/containerbuild.pem"
dest: "{{ koji_cert_path }}"
notify: oc secrets new
- name: Add koji dockerbuilder ca cert for Content Generator import
copy:
src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
dest: "{{ koji_ca_cert_path }}"
notify: oc secrets new
- name: create fedora image stream for OpenShift
shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated"
environment: "{{ osbs_environment }}"
args:
creates: /etc/origin/fedoraimagestreamcreated
- name: set policy for koji builder in openshift for osbs
shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "staging"
- name: set policy for koji builder in openshift for osbs
shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "production"
- name: set policy for koji builder in openshift for atomic-reactor
shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added"
args:
creates: "/etc/origin/atomic-reactor-policy-added"
- name: Create buildroot container conf directory
file:
path: "/etc/osbs/buildroot/"
state: directory
- name: Upload Dockerfile for buildroot container
copy:
src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}"
dest: "/etc/osbs/buildroot/Dockerfile"
mode: 0400
notify:
- buildroot container
- name: Upload internal CA for buildroot
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
dest: "/etc/osbs/buildroot/ca.crt"
mode: 0400
notify:
- buildroot container
- name: stat /usr/share/atomic-reactor/atomic-reactor.tar.gz
stat:
path: /usr/share/atomic-reactor/atomic-reactor.tar.gz
register: usr_ar_stat
- name: stat /etc/osbs/buildroot/atomic-reactor.tar.gz
stat:
path: /etc/osbs/buildroot/atomic-reactor.tar.gz
register: etc_ar_stat
- name: remove old hardlink to /etc/osbs/buildroot/atomic-reactor.tar.gz
file:
path: /etc/osbs/buildroot/atomic-reactor.tar.gz
state: absent
when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum
- name: Hardlink atomic-reactor source for buildroot container (because Docker)
file:
src: /usr/share/atomic-reactor/atomic-reactor.tar.gz
dest: /etc/osbs/buildroot/atomic-reactor.tar.gz
state: hard
notify:
- buildroot container
when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum
- name: pull fedora required docker images
shell: "docker pull {{docker_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
register: docker_pull_fedora
changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
- name: pull openshift required docker images
shell: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
register: docker_pull_openshift
changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout"
- name: tag openshift required docker images locally
shell: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
when: docker_pull_openshift|changed
- name: refresh fedora image streams
shell: "oc import-image fedora --all"
when: docker_pull_fedora|changed

423
playbooks/groups/osbs-node.yml
View file

@ -1,423 +0,0 @@
# create an osbs server
- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes:osbs-nodes-stg"
- name: make the box be real
hosts: osbs-nodes
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- nagios/client
- hosts
- fas_client
- collectd/base
- rsyncd
- sudo
- { role: openvpn/client,
when: env != "staging" }
tasks:
- include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
# - name: pre-install osbs tasks
# hosts: osbs-nodes:osbs-nodes-stg
# vars_files:
# - /srv/web/infra/ansible/vars/global.yml
# - /srv/private/ansible/vars.yml
# - /srv/private/ansible/files/openstack/passwords.yml
# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
# tasks:
# - name: copy docker-storage-setup config
# copy:
# src: "{{files}}/osbs/docker-storage-setup"
# dest: "/etc/sysconfig/docker-storage-setup"
# - name: create cert dir for openshift public facing REST API SSL
# file:
# path: "/etc/origin/master/named_certificates"
# state: "directory"
# - name: install cert for openshift public facing REST API SSL
# copy:
# src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
# dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"
# - name: install key for openshift public facing REST API SSL
# copy:
# src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
# dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"
# - name: ensure origin conf dir exists
# file:
# path: "/etc/origin"
# state: "directory"
# - name: place htpasswd file
# copy:
# src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd"
# dest: /etc/origin/htpasswd
# roles:
# - {
# role: push-docker,
# docker_cert_name: "containerbuild",
# docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
# when: env == "staging"
# }
# - {
# role: push-docker,
# docker_cert_name: "containerbuild",
# docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org",
# when: env == "production"
# }
# - name: setup osbs
# hosts: osbs-nodes:osbs-nodes-stg
# vars_files:
# - /srv/web/infra/ansible/vars/global.yml
# - /srv/private/ansible/vars.yml
# - /srv/private/ansible/files/openstack/passwords.yml
# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
# roles:
# - osbs-atomic-reactor
# - {
# role: osbs-common,
# osbs_manage_firewalld: false,
# }
# - osbs-install-openshift
# - {
# role: osbs-master,
# osbs_openshift_loglevel: 2,
# osbs_master_export_port: true,
# osbs_manage_firewalld: false,
# osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
# osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
# osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
# osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
# osbs_readonly_users: [],
# osbs_readonly_groups: [],
# osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
# osbs_readwrite_groups: [],
# osbs_admin_users: [],
# osbs_admin_groups: [],
# osbs_master_max_pods: 3,
# osbs_update_packages: false,
# osbs_image_gc_high_threshold: 90,
# osbs_image_gc_low_threshold: 80,
# osbs_identity_provider: "htpasswd_provider",
# osbs_identity_htpasswd: {
# name: htpasswd_provider,
# challenge: true,
# login: true,
# provider_file: "/etc/origin/htpasswd"
# },
# osbs_named_certificates: {
# enabled: true,
# cert_file: "named_certificates/{{osbs_url}}.pem",
# key_file: "named_certificates/{{osbs_url}}.key",
# names: [ "{{osbs_url}}" ],
# },
# osbs_public_api_url: "{{osbs_url}}",
# when: env == "staging"
# }
# - {
# role: osbs-master,
# osbs_openshift_loglevel: 2,
# osbs_master_export_port: true,
# osbs_manage_firewalld: false,
# osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
# osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
# osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
# osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
# osbs_readonly_users: [],
# osbs_readonly_groups: [],
# osbs_readwrite_users: [ "{{ osbs_koji_prod_username }}" ],
# osbs_readwrite_groups: [],
# osbs_admin_users: [],
# osbs_admin_groups: [],
# osbs_master_max_pods: 3,
# osbs_update_packages: false,
# osbs_image_gc_high_threshold: 90,
# osbs_image_gc_low_threshold: 80,
# osbs_identity_provider: "htpasswd_provider",
# osbs_identity_htpasswd: {
# name: htpasswd_provider,
# challenge: true,
# login: true,
# provider_file: "/etc/origin/htpasswd"
# },
# osbs_named_certificates: {
# enabled: true,
# cert_file: "named_certificates/{{osbs_url}}.pem",
# key_file: "named_certificates/{{osbs_url}}.key",
# names: [ "{{osbs_url}}" ],
# },
# osbs_public_api_url: "{{osbs_url}}",
# when: env == "production"
# }
# - {
# role: osbs-client,
# general: {
# verbose: 0,
# build_json_dir: '/usr/share/osbs/',
# openshift_required_version: 1.1.0,
# },
# default: {
# username: "{{ osbs_koji_stg_username }}",
# password: "{{ osbs_koji_stg_password }}",
# koji_certs_secret: "koji",
# openshift_url: 'https://{{osbs_url}}/',
# registry_uri: 'https://{{docker_registry}}/v2',
# source_registry_uri: 'https://{{source_registry}}/v2',
# build_host: '{{osbs_url}}',
# koji_root: 'https://{{koji_url}}/koji',
# koji_hub: 'https://{{koji_url}}/kojihub',
# sources_command: 'fedpkg sources',
# build_type: 'prod',
# authoritative_registry: 'registry.example.com',
# vendor: 'Fedora Project',
# verify_ssl: true,
# use_auth: true,
# builder_use_auth: true,
# distribution_scope: 'private',
# registry_api_versions: 'v2',
# builder_openshift_url: 'https://172.17.0.1:8443/'
# },
# when: env == "staging"
# }
# - {
# role: osbs-client,
# general: {
# verbose: 0,
# build_json_dir: '/usr/share/osbs/',
# openshift_required_version: 1.1.0,
# },
# default: {
# username: "{{ osbs_koji_prod_username }}",
# password: "{{ osbs_koji_prod_password }}",
# koji_certs_secret: "koji",
# openshift_url: 'https://{{osbs_url}}/',
# registry_uri: 'https://{{docker_registry}}/v2',
# source_registry_uri: 'https://{{source_registry}}/v2',
# build_host: '{{osbs_url}}',
# koji_root: 'https://{{koji_url}}/koji',
# koji_hub: 'https://{{koji_url}}/kojihub',
# sources_command: 'fedpkg sources',
# build_type: 'prod',
# authoritative_registry: 'registry.example.com',
# vendor: 'Fedora Project',
# verify_ssl: true,
# use_auth: true,
# builder_use_auth: true,
# distribution_scope: 'private',
# registry_api_versions: 'v2',
# builder_openshift_url: 'https://172.17.0.1:8443/'
# },
# when: env == "production"
# }
# - name: post-install osbs tasks
# hosts: osbs-nodes:osbs-nodes-stg
# vars_files:
# - /srv/web/infra/ansible/vars/global.yml
# - /srv/private/ansible/vars.yml
# - /srv/private/ansible/files/openstack/passwords.yml
# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
# vars:
# osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
# osbs_environment:
# KUBECONFIG: "{{ osbs_kubeconfig_path }}"
# koji_pki_dir: /etc/pki/koji
# koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
# koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
# koji_builder_user: dockerbuilder
# osbs_builder_user: builder
# handlers:
# - name: buildroot container
# shell: 'docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/'
# - name: oc secrets new
# shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
# environment: "{{ osbs_environment }}"
# notify: oc secrets add
# - name: oc secrets add
# shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
# environment: "{{ osbs_environment }}"
# tasks:
# - name: set nrpe read access for osbs.conf for nagios monitoring
# acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present
# - name: pull fedora required docker images
# shell: "docker pull {{item}}"
# with_items: "{{fedora_required_images}}"
# delegate_to: compose-x86-01.phx2.fedoraproject.org
# register: docker_pull_fedora_delegated
# changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout"
# - name: tag fedora required docker images for our registry
# shell: "docker tag {{item}} {{docker_registry}}/{{item}}"
# with_items: "{{fedora_required_images}}"
# delegate_to: compose-x86-01.phx2.fedoraproject.org
# when: docker_pull_fedora_delegated|changed
# - name: push fedora required docker images to our registry
# shell: "docker push {{docker_registry}}/{{item}}"
# with_items: "{{fedora_required_images}}"
# delegate_to: compose-x86-01.phx2.fedoraproject.org
# when: docker_pull_fedora_delegated|changed
# - name: register origin_version_out rpm query
# shell: "rpm -q origin --qf '%{Version}'"
# register: origin_version_out
# check_mode: no
# changed_when: False
# - set_fact:
# origin_version: "{{origin_version_out.stdout}}"
# - name: pull openshift required docker images
# shell: "docker pull {{item}}:v{{origin_version}}"
# with_items: "{{openshift_required_images}}"
# delegate_to: compose-x86-01.phx2.fedoraproject.org
# register: docker_pull_openshift_delegated
# changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout"
# - name: tag openshift required docker images for our registry
# shell: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}"
# with_items: "{{openshift_required_images}}"
# delegate_to: compose-x86-01.phx2.fedoraproject.org
# when: docker_pull_openshift_delegated|changed
# - name: push openshift required docker images to our registry
# shell: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}"
# with_items: "{{openshift_required_images}}"
# delegate_to: compose-x86-01.phx2.fedoraproject.org
# when: docker_pull_openshift_delegated|changed
# - name: Ensure koji dockerbuilder cert path exists
# file:
# path: "{{ koji_pki_dir }}"
# state: "directory"
# mode: 0400
# - name: Add koji dockerbuilder cert for Content Generator import
# copy:
# src: "{{private}}/files/koji/containerbuild.pem"
# dest: "{{ koji_cert_path }}"
# notify: oc secrets new
# - name: Add koji dockerbuilder ca cert for Content Generator import
# copy:
# src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
# dest: "{{ koji_ca_cert_path }}"
# notify: oc secrets new
# - name: create fedora image stream for OpenShift
# shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated"
# environment: "{{ osbs_environment }}"
# args:
# creates: /etc/origin/fedoraimagestreamcreated
# - name: set policy for koji builder in openshift for osbs
# shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
# args:
# creates: "/etc/origin/koji-builder-policy-added"
# when: env == "staging"
# - name: set policy for koji builder in openshift for osbs
# shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added"
# args:
# creates: "/etc/origin/koji-builder-policy-added"
# when: env == "production"
# - name: set policy for koji builder in openshift for atomic-reactor
# shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added"
# args:
# creates: "/etc/origin/atomic-reactor-policy-added"
# - name: Create buildroot container conf directory
# file:
# path: "/etc/osbs/buildroot/"
# state: directory
# - name: Upload Dockerfile for buildroot container
# copy:
# src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}"
# dest: "/etc/osbs/buildroot/Dockerfile"
# mode: 0400
# notify:
# - buildroot container
# - name: Upload internal CA for buildroot
# copy:
# src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
# dest: "/etc/osbs/buildroot/ca.crt"
# mode: 0400
# notify:
# - buildroot container
# - name: stat /usr/share/atomic-reactor/atomic-reactor.tar.gz
# stat:
# path: /usr/share/atomic-reactor/atomic-reactor.tar.gz
# register: usr_ar_stat
# - name: stat /etc/osbs/buildroot/atomic-reactor.tar.gz
# stat:
# path: /etc/osbs/buildroot/atomic-reactor.tar.gz
# register: etc_ar_stat
# - name: remove old hardlink to /etc/osbs/buildroot/atomic-reactor.tar.gz
# file:
# path: /etc/osbs/buildroot/atomic-reactor.tar.gz
# state: absent
# when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum
# - name: Hardlink atomic-reactor source for buildroot container (because Docker)
# file:
# src: /usr/share/atomic-reactor/atomic-reactor.tar.gz
# dest: /etc/osbs/buildroot/atomic-reactor.tar.gz
# state: hard
# notify:
# - buildroot container
# when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum
# - name: pull fedora required docker images
# shell: "docker pull {{docker_registry}}/{{item}}"
# with_items: "{{fedora_required_images}}"
# register: docker_pull_fedora
# changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
# - name: pull openshift required docker images
# shell: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}"
# with_items: "{{openshift_required_images}}"
# register: docker_pull_openshift
# changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout"
# - name: tag openshift required docker images locally
# shell: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}"
# with_items: "{{openshift_required_images}}"
# when: docker_pull_openshift|changed
# - name: refresh fedora image streams
# shell: "oc import-image fedora --all"
# when: docker_pull_fedora|changed