Merge branch 'master' of /git/ansible

Rick Elrod 2014-11-11 22:34:21 +00:00
commit 62683d3bb2
7 changed files with 156 additions and 16 deletions


@ -51,3 +51,14 @@
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: Start the kojid builder daemon, but only on staging.
# Really -- this should never be set for prod.
hosts: koji-stg
user: root
gather_facts: True
tasks:
- name: make sure kojid is running
action: service name=kojid state=running
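Review bot: `gather_facts: True` in the new play uses the capitalized YAML 1.1 boolean spelling; write `gather_facts: true` so the value types the same way under every loader and passes yamllint's truthy rule. The task also uses the legacy `action: service name=kojid state=running` form while the rest of this commit keys tasks by module name (`copy:`, `file:`, `service:` in the hub file), so `service: name=kojid state=running` would read consistently. The comment's "never be set for prod" intent currently rests only on the `hosts: koji-stg` inventory group; adding `when: env == 'staging'` to the task, the same guard the builder and hub task files already use, makes the restriction explicit in the play itself.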


@ -0,0 +1,13 @@
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
# Use admin.fedoraproject.org so we can get a fresh CRL from prod - it isn't
# synced to staging in a meaningful way. See /usr/local/bin/updatecrl.sh
209.132.181.16 admin.fedoraproject.org
10.5.126.89 admin.stg.fedoraproject.org
10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
10.5.126.23 infrastructure.fedoraproject.org
10.5.126.81 app01.stg.fedoraproject.org memcached01 memcached02 memcached03 memcached04
10.5.126.85 db02.stg.fedoraproject.org db01 db-koji01 db05 db-ask db-datanommer db-datanommer01 db-datanommer02 db-datanommer02.phx2.fedoraproject.org db-tahrir db-elections db-fedocal db-github2fedmsg db-kerneltest db-notifs nuancier_db db-pkgdb2 db-summershum tagger_db
10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
10.5.126.87 koji01.stg.phx2.fedoraproject.org koji.stg.fedoraproject.org koji01 kojipkgs kojipkgs.stg.phx2.fedoraproject.org kojipkgs.stg.fedoraproject.org


@ -3,30 +3,48 @@
#
- name: set root passwd
user: name=root password={{ builder_rootpw }} state=present
tags:
- koji_builder
- name: add mock user as 425
user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes
tags:
- koji_builder
- name: make mock homedir perms
file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock
tags:
- koji_builder
- name: add mock ssh dir
file: state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock
tags:
- koji_builder
- name: add mock ssh keys
copy: src=mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock
tags:
- koji_builder
- name: add kojibuilder
user: name=kojibuilder groups=mock
tags:
- koji_builder
- name: add mockbuilder
user: name=mockbuilder groups=mock
tags:
- koji_builder
- name: mockbuilder .ssh dir
file: state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder
tags:
- koji_builder
- name: mockbuilder ssh key
copy: src=ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder
tags:
- koji_builder
- name: make a bunch of dirs
file: state=directory path={{ item }}
@ -35,6 +53,8 @@
- /mnt/fedora_koji
- /pub/fedora
- /pub/epel
tags:
- koji_builder
- name: make a bunch of dirs
file: state=directory path={{ item }} owner=apache group=apache
@ -44,6 +64,8 @@
- /mnt/koji/work
- /mnt/koji/scratch
when: env == 'staging'
tags:
- koji_builder
- name: add pkgs
yum: state=present pkg={{ item }}
@ -57,6 +79,8 @@
- ntpdate
- rsyslog
- audit
tags:
- koji_builder
- name: add oz/imagefctory pkgs on x86 and arm only.
yum: state=present pkg={{ item }}
@ -75,42 +99,60 @@
- VMDKstream
- pykickstart
when: ansible_architecture != 'ppc64'
tags:
- koji_builder
- name: /etc/kojid/kojid.conf
copy: src=kojid.conf dest=/etc/kojid/kojid.conf
when: not inventory_hostname.startswith(('arm01','arm03','koji01.stg','buildvm-01.stg'))
notify:
- restart kojid
tags:
- koji_builder
- name: arm /etc/kojid/kojid.conf
copy: src=arm-kojid.conf dest=/etc/kojid/kojid.conf
when: inventory_hostname.startswith(('arm01','arm03'))
notify:
- restart kojid
tags:
- koji_builder
- name: staging /etc/kojid/kojid.conf
copy: src=stg-kojid.conf dest=/etc/kojid/kojid.conf
when: inventory_hostname.startswith(('koji01.stg','buildvm-01.stg'))
notify:
- restart kojid
tags:
- koji_builder
- name: /etc/koji/koji.conf
copy: src=koji.conf dest=/etc/koji.conf
when: not inventory_hostname.startswith(('arm01','arm03'))
tags:
- koji_builder
- name: /etc/koji/koji.conf
copy: src=arm-koji.conf dest=/etc/koji.conf
when: inventory_hostname.startswith(('arm01','arm03'))
tags:
- koji_builder
# setup for oz/imagefactory
- name: make .psphere dir
file: state=directory path=/root/.psphere mode=775 owner=root group=root
tags:
- koji_builder
- name: make .psphere/templates dir
file: state=directory path=/root/.psphere/templates mode=775 owner=root group=root
tags:
- koji_builder
- name: copy over /root/.psphere/config.yaml
copy: src={{ private }}/files/koji/config.yaml dest=/root/.psphere/config.yaml
tags:
- koji_builder
# done oz/imagefactory
- name: copy over koji ca cert
@ -118,19 +160,26 @@
- name: copy over /etc/security/limits.conf
copy: src=limits.conf dest=/etc/security/limits.conf
tags:
- koji_builder
- name: copy over builder cert to /etc/kojid/kojibuilder.pem
copy: src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600
tags:
- koji_builder
# idmapd and make sure it's set to run
- name: idmapd.conf
copy: src=idmapd.conf dest=/etc/idmapd.conf
tags:
- configs
- koji_builder
- name: make a mnt/koji link
file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
when: inventory_hostname.startswith('build') and datacenter == 'phx2'
tags:
- koji_builder
# mock configs for pungify job
- name: put extra special mock configs in
@ -142,16 +191,24 @@
- fedora-rawhide-pungi-i386.cfg
- fedora-rawhide-pungi-x86_64.cfg
- fedora-rawhide-pungi-armhfp.cfg
tags:
- koji_builder
- name: mock site-defaults.cfg
copy: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
when: not inventory_hostname.startswith('bkernel')
tags:
- koji_builder
- name: ntp steptickers
copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers
tags:
- koji_builder
- name: ntp.conf
copy: src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf
tags:
- koji_builder
#
# We want more loop devices on builders to allow more image creates
@ -163,6 +220,8 @@
always_run: yes
changed_when: '1 != 1'
when: ansible_distribution == 'Fedora' and ansible_architecture == 'x86_64'
tags:
- koji_builder
- name: check for max_loop with grub1
command: cat /etc/grub.conf
@ -170,10 +229,14 @@
always_run: yes
changed_when: '1 != 1'
when: ansible_distribution == 'RedHat' and ansible_architecture == 'x86_64'
tags:
- koji_builder
- name: set kernel params for more loops
action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64
when: max_loop is defined and max_loop.stdout.find("max_loop=64") == -1
tags:
- koji_builder
#
# x86_64 builders run pungify, that needs hfs module in order to make
@ -185,3 +248,5 @@
with_items:
- kmod-hfsplus
when: is_rhel is defined and ansible_architecture == 'x86_64'
tags:
- koji_builder


@ -0,0 +1 @@
0 * * * * root /usr/local/bin/updatecrl.sh &>/dev/null
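Review bot: `&>/dev/null` throws away stderr along with stdout, so a failed CRL refresh (download error, unparseable CRL) produces no cron mail and the hub silently keeps serving the old CRL; discard only stdout, `0 * * * * root /usr/local/bin/updatecrl.sh >/dev/null`, so errors still reach the cron mailbox or syslog. `&>` is also a bash extension: with no `SHELL=/bin/bash` line in this cron.d file it relies on `/bin/sh` being bash on the target, which appears to hold for the hosts here but is worth pinning with an explicit `SHELL=/bin/bash` if the redirect is kept.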


@ -2,7 +2,7 @@
URL=https://admin.fedoraproject.org/ca/crl.pem
OLD=/etc/pki/tls/crl.pem
NEW=/tmp/crl.pem
NEW=/var/tmp/crl.pem
wget $URL -O $NEW
OLDUPDATE=`openssl crl -in $OLD -noout -lastupdate`
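Review bot: `NEW=/var/tmp/crl.pem` keeps a fixed, predictable filename in a directory shared with every local account, and the following `wget $URL -O $NEW` runs as root (the cron entry added in this commit invokes the script as root), so the download target could be pre-created by another local user before root writes to it; use a private temporary name instead, e.g. `NEW=$(mktemp /var/tmp/crl.XXXXXX) || exit 1` and `wget -q "$URL" -O "$NEW" || exit 1`, and remove it on exit. The move from `/tmp` to `/var/tmp` presumably works around a per-service or tmpfs `/tmp`, which is fine, but it does not change the shared-directory exposure. The wget call also has no failure check, so a failed or partial fetch falls straight through to the `openssl crl` comparison on the next line; the script continues outside the hunk.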


@ -15,6 +15,7 @@
- gnupg2
tags:
- packages
- koji_hub
- name: make koji pki directory
file: state=directory path=/etc/pki/koji/ owner=root group=root
@ -25,58 +26,82 @@
- certs
- private
- confs
tags:
- koji_hub
- name: hub config
template: src=hub.conf.j2 dest=/etc/koji-hub/hub.conf owner=apache group=apache mode=600
tags:
- config
- koji_hub
notify: restart httpd
- name: kojiweb config
template: src=web.conf.j2 dest=/etc/kojiweb/web.conf owner=apache group=apache mode=600
tags:
- config
- koji_hub
notify: restart httpd
- name: enable httpd_can_network_connect SELinux boolean for fedmsg
seboolean: name=httpd_can_network_connect state=yes persistent=yes
tags:
- config
- selinux
- koji_hub
- name: koji fedmsg plugin
copy: src=fedmsg-koji-plugin.py dest=/usr/lib/koji-hub-plugins/fedmsg-koji-plugin.py
notify:
- restart httpd
tags:
- config
- name: init koji ca key file
copy: src={{ puppet_private }}/koji/koji.stg_key.pem dest=/etc/pki/tls/private/koji.stg_key.pem
tags:
- config
- koji_hub
- name: install kojiweb_cert_key.pem
copy: src={{ puppet_private }}/koji/kojiweb_cert_key.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem owner=apache mode=600
notify:
- restart httpd
tags:
- config
- koji_hub
when: env != 'staging'
- name: install koji_key.pem
copy: src={{ puppet_private }}/koji/koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600
tags:
- config
- name: install koji_cert.pem
- name: install production koji_cert.pem
copy: src={{ puppet_private }}/koji/koji_cert.pem dest=/etc/pki/tls/certs/koji_cert.pem owner=apache mode=600
notify:
- restart httpd
tags:
- config
- koji_hub
when: env != 'staging'
- name: Install koji ssl certs
- name: install production koji_key.pem
copy: src={{ puppet_private }}/koji/koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600
notify:
- restart httpd
tags:
- config
- koji_hub
when: env != 'staging'
- name: Install staging koji ssl cert
copy: src={{ puppet_private }}/koji/koji.stg_cert.pem dest=/etc/pki/tls/certs/koji.stg_cert.pem
notify:
- restart httpd
tags:
- config
- koji_hub
when: env == 'staging'
- name: init kojiweb ca cert file
copy: src={{ puppet_private }}/koji/kojiweb_cert_key.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem
- name: install staging koji ssl key
copy: src={{ puppet_private }}/koji/koji.stg_key.pem dest=/etc/pki/tls/private/koji.stg_key.pem
notify:
- restart httpd
tags:
- config
- koji_hub
when: env == 'staging'
- name: instaall fedora-ca.cert in various places
copy: src={{ puppet_private }}/fedora-ca.cert dest={{ item }} owner=apache
@ -87,16 +112,27 @@
- /etc/pki/tls/certs/upload_cacert.pem
tags:
- config
- koji_hub
- name: install kojira_cert_key
copy: src={{ puppet_private }}/koji/kojira_cert_key.pem dest=/etc/kojira/kojira_cert_key.pem owner=apache mode=600
tags:
- config
- koji_hub
- name: updatecrl script
copy: src=updatecrl.sh dest=/usr/local/bin/updatecrl.sh owner=root mode=755
tags:
- config
- koji_hub
- cron
- name: updatecrl cronjob
copy: src=updatecrl.cron dest=/etc/cron.d/updatecrl owner=root mode=644
tags:
- config
- cron
- koji_hub
- name: koji web config files
copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root
@ -108,27 +144,38 @@
- repo.conf
tags:
- config
- koji_hub
notify: restart httpd
- name: koji staging ssl config
copy: src=koji-ssl.conf.stg dest=/etc/httpd/conf.d/ssl.conf
tags:
- config
- koji_hub
when: env == "staging"
- name: kojira config
copy: src=kojira.conf dest=/etc/kojira/kojira.conf
tags:
- config
- koji_hub
- name: make mnt/koji directory
file: state=directory path=/mnt/koji/ owner=root group=root
tags:
- koji_hub
- name: set sebooleans so koji can talk to the db
seboolean: name=httpd_can_network_connect_db state=true persistent=true
tags:
- selinux
- koji_hub
- name: set sebooleans so koji can anon write
seboolean: name=allow_httpd_anon_write state=true persistent=true
tags:
- selinux
- koji_hub
- name: Set httpd to run on boot
service: name=httpd enabled=yes
@ -137,3 +184,4 @@
- restart httpd
tags:
- service
- koji_hub
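Review bot: The new `install staging koji ssl key` task near the end of the second hunk copies `koji.stg_key.pem` into `/etc/pki/tls/private/` without the `owner=apache mode=600` that the parallel `install production koji_key.pem` task sets, so the private key is created with whatever the remote default umask gives, likely world-readable; the line should read `copy: src={{ puppet_private }}/koji/koji.stg_key.pem dest=/etc/pki/tls/private/koji.stg_key.pem owner=apache mode=600`. The earlier `init koji ca key file` task in the same hunk copies the same source to the same destination unconditionally, also without a mode, so on non-staging hubs the staging key lands anyway; if that task predates this change it is now redundant with the `when: env == 'staging'` guarded one and should be removed or given the same owner and mode. The staging cert task is fine as a world-readable file; only the key material needs tightening. The task list continues outside the hunks.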


@ -17,6 +17,7 @@
delegate_to: "{{ resultsdb_db_host }}"
sudo_user: postgres
sudo: true
remote_tmp: '/tmp/.ansible/'
action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER
- name: ensure stg resultsdb db user has access to stg database
@ -24,6 +25,7 @@
delegate_to: "{{ resultsdb_db_host }}"
sudo_user: postgres
sudo: true
remote_tmp: '/tmp/.ansible/'
action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER
- name: ensure prod resultsdb db user has access to prod database
@ -31,9 +33,9 @@
delegate_to: "{{ resultsdb_db_host }}"
sudo_user: postgres
sudo: true
remote_tmp: '/tmp/.ansible/'
action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER
- name: ensure selinux lets httpd talk to postgres
seboolean: name=httpd_can_network_connect_db persistent=yes state=yes
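Review bot: The `remote_tmp: '/tmp/.ansible/'` added to each of the three delegated `sudo_user: postgres` tasks points Ansible's staging directory at a fixed path inside a world-writable directory, and the module staged there presumably embeds the `password={{ ... }}` argument on the following line, so the credential should not be written to a predictable shared location even briefly. If the override is needed so the unprivileged `postgres` user can read the staged module, prefer a dedicated directory with a restrictive mode created ahead of time, or set `remote_tmp` once in ansible.cfg for the database host, rather than repeating the key in every task. The third hunk's task list continues outside the hunk.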