diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index a750ec71d4..98d28d0924 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml @@ -51,3 +51,14 @@ handlers: - include: "{{ handlers }}/restart_services.yml" + + +- name: Start the kojid builder daemon, but only on staging. + # Really -- this should never be set for prod. + hosts: koji-stg + user: root + gather_facts: True + + tasks: + - name: make sure kojid is running + action: service name=kojid state=running diff --git a/roles/hosts/files/koji01.stg.phx2.fedoraproject.org-hosts b/roles/hosts/files/koji01.stg.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..6dc078c4b3 --- /dev/null +++ b/roles/hosts/files/koji01.stg.phx2.fedoraproject.org-hosts @@ -0,0 +1,13 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +# Use admin.fedoraproject.org so we can get a fresh CRL from prod - it isn't +# synced to staging in a meaningful way. See /usr/local/bin/updatecrl.sh +209.132.181.16 admin.fedoraproject.org +10.5.126.89 admin.stg.fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.81 app01.stg.fedoraproject.org memcached01 memcached02 memcached03 memcached04 +10.5.126.85 db02.stg.fedoraproject.org db01 db-koji01 db05 db-ask db-datanommer db-datanommer01 db-datanommer02 db-datanommer02.phx2.fedoraproject.org db-tahrir db-elections db-fedocal db-github2fedmsg db-kerneltest db-notifs nuancier_db db-pkgdb2 db-summershum tagger_db +10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all +10.5.126.87 koji01.stg.phx2.fedoraproject.org koji.stg.fedoraproject.org koji01 kojipkgs kojipkgs.stg.phx2.fedoraproject.org kojipkgs.stg.fedoraproject.org 
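Review bot: The only thing keeping the new `Start the kojid builder daemon, but only on staging` play off production is the `hosts: koji-stg` group name; the comment says this must never run on prod, but nothing in the play itself enforces that. The koji_builder role in this same commit already gates staging-only work with `when: env == 'staging'`, so the `make sure kojid is running` task should carry the same guard, so that a mis-edited inventory or a copy-pasted play cannot start a builder daemon on the production hub. Note also that `state=running` only starts kojid for this run; if it is meant to survive a reboot of koji01.stg it needs `enabled=yes` as well, and if leaving it disabled at boot is deliberate the comment should say so. Finally, `gather_facts: True` is the YAML 1.1 spelling; `true` is the canonical boolean and avoids parser differences.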
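Review bot: The new hosts file pins `admin.fedoraproject.org` to the public address `209.132.181.16` so the staging hub can fetch the production CRL, which makes the hourly CRL refresh silently dependent on that address never changing; since the cron entry added in this commit discards all output, a moved prod proxy would leave koji01.stg validating client certificates against an ever-staler CRL with no signal. Assuming wget's default certificate checking is in effect, TLS verification in `updatecrl.sh` is still done against the hostname, so the pin is not itself a MITM risk, but it is a hidden coupling worth spelling out in the comment, e.g. `# NOTE: hard-coded prod proxy address -- if it changes, the hourly updatecrl.sh fetch fails and the CRL goes stale; keep in sync with prod DNS.` The rest of the file maps production-named hosts (`fas01.phx2`, `proxy01.phx2`, and a long list of `db-*` aliases on `db02.stg`) onto staging 10.x addresses, which is presumably intentional staging aliasing but deserves a one-line comment saying so, since the prod-looking names are otherwise easy to misread.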
diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 0e1e571baa..5a51ca50ae 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -3,30 +3,48 @@ # - name: set root passwd user: name=root password={{ builder_rootpw }} state=present + tags: + - koji_builder - name: add mock user as 425 user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes + tags: + - koji_builder - name: make mock homedir perms file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock + tags: + - koji_builder - name: add mock ssh dir file: state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock + tags: + - koji_builder - name: add mock ssh keys copy: src=mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock + tags: + - koji_builder - name: add kojibuilder user: name=kojibuilder groups=mock + tags: + - koji_builder - name: add mockbuilder user: name=mockbuilder groups=mock + tags: + - koji_builder - name: mockbuilder .ssh dir file: state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder + tags: + - koji_builder - name: mockbuilder ssh key copy: src=ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder + tags: + - koji_builder - name: make a bunch of dirs file: state=directory path={{ item }} @@ -35,6 +53,8 @@ - /mnt/fedora_koji - /pub/fedora - /pub/epel + tags: + - koji_builder - name: make a bunch of dirs file: state=directory path={{ item }} owner=apache group=apache @@ -44,6 +64,8 @@ - /mnt/koji/work - /mnt/koji/scratch when: env == 'staging' + tags: + - koji_builder - name: add pkgs yum: state=present pkg={{ item }} @@ -57,6 +79,8 @@ - ntpdate - rsyslog - audit + tags: + - koji_builder - name: add oz/imagefctory pkgs on x86 and arm only. yum: state=present pkg={{ item }} 
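Review bot: Every task in this hunk gets a hand-added `tags: - koji_builder`, which means any task added to the role later without the tag is silently skipped when the role is run with `--tags koji_builder`; for a role that sets the root password, installs `authorized_keys` files and builder certificates, a partially-applied run is a real risk. Tagging the role once at its include site (`roles: - { role: koji_builder, tags: koji_builder }`) applies the tag to every task, present and future, and removes the per-task duplication. While here, the two `authorized_keys` copies use different modes (`640` for mock, `644` for mockbuilder); neither discloses anything secret, but the inconsistency looks accidental and one value should be picked. The `set root passwd` task passes `{{ builder_rootpw }}` straight to the `user` module, which expects an already-hashed value; a comment such as `# builder_rootpw must be a crypt(3) hash, not cleartext` would prevent someone dropping a plain password into the variable.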
@@ -75,42 +99,60 @@ - VMDKstream - pykickstart when: ansible_architecture != 'ppc64' + tags: + - koji_builder - name: /etc/kojid/kojid.conf copy: src=kojid.conf dest=/etc/kojid/kojid.conf when: not inventory_hostname.startswith(('arm01','arm03','koji01.stg','buildvm-01.stg')) notify: - restart kojid + tags: + - koji_builder - name: arm /etc/kojid/kojid.conf copy: src=arm-kojid.conf dest=/etc/kojid/kojid.conf when: inventory_hostname.startswith(('arm01','arm03')) notify: - restart kojid + tags: + - koji_builder - name: staging /etc/kojid/kojid.conf copy: src=stg-kojid.conf dest=/etc/kojid/kojid.conf when: inventory_hostname.startswith(('koji01.stg','buildvm-01.stg')) notify: - restart kojid + tags: + - koji_builder - name: /etc/koji/koji.conf copy: src=koji.conf dest=/etc/koji.conf when: not inventory_hostname.startswith(('arm01','arm03')) + tags: + - koji_builder - name: /etc/koji/koji.conf copy: src=arm-koji.conf dest=/etc/koji.conf when: inventory_hostname.startswith(('arm01','arm03')) + tags: + - koji_builder # setup for oz/imagefactory - name: make .psphere dir file: state=directory path=/root/.psphere mode=775 owner=root group=root + tags: + - koji_builder - name: make .psphere/templates dir file: state=directory path=/root/.psphere/templates mode=775 owner=root group=root + tags: + - koji_builder - name: copy over /root/.psphere/config.yaml copy: src={{ private }}/files/koji/config.yaml dest=/root/.psphere/config.yaml + tags: + - koji_builder # done oz/imagefactory - name: copy over koji ca cert 
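Review bot: The three `kojid.conf` tasks choose a config by hostname prefix, so the staging variant only reaches `koji01.stg` and `buildvm-01.stg`; any other staging builder (a future `buildvm-02.stg`, say) falls into the first task's `not ... startswith` branch and receives the production `kojid.conf`, presumably pointing it at the production hub. This same file already keys staging-only work on `env == 'staging'`, so the config selection should use that instead of a hostname list, e.g. `when: env == 'staging'` on the staging task and `when: env != 'staging' and not inventory_hostname.startswith(('arm01','arm03'))` on the default one. Separately, `/root/.psphere/config.yaml` is copied from `{{ private }}` with no `mode=`, so it lands with the copy module's default permissions; if it holds vSphere credentials (the private source suggests so, but I cannot confirm from here) it should be `mode=600`, and `775` on the `.psphere` directories is wider than root-owned config needs.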
@@ -118,19 +160,26 @@ - name: copy over /etc/security/limits.conf copy: src=limits.conf dest=/etc/security/limits.conf + tags: + - koji_builder - name: copy over builder cert to /etc/kojid/kojibuilder.pem copy: src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600 + tags: + - koji_builder # idmapd and make sure it's set to run - name: idmapd.conf copy: src=idmapd.conf dest=/etc/idmapd.conf tags: - configs + - koji_builder - name: make a mnt/koji link file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji when: inventory_hostname.startswith('build') and datacenter == 'phx2' + tags: + - koji_builder # mock configs for pungify job - name: put extra special mock configs in @@ -142,16 +191,24 @@ - fedora-rawhide-pungi-i386.cfg - fedora-rawhide-pungi-x86_64.cfg - fedora-rawhide-pungi-armhfp.cfg + tags: + - koji_builder - name: mock site-defaults.cfg copy: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock when: not inventory_hostname.startswith('bkernel') + tags: + - koji_builder - name: ntp steptickers copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers + tags: + - koji_builder - name: ntp.conf copy: src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf + tags: + - koji_builder # # We want more loop devices on builders to allow more image creates @@ -163,6 +220,8 @@ always_run: yes changed_when: '1 != 1' when: ansible_distribution == 'Fedora' and ansible_architecture == 'x86_64' + tags: + - koji_builder - name: check for max_loop with grub1 command: cat /etc/grub.conf 
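Review bot: The `copy over builder cert to /etc/kojid/kojibuilder.pem` task has no `notify: - restart kojid`, unlike the three `kojid.conf` tasks earlier in this role which do; a rotated or re-issued builder certificate is therefore written to disk but not used until something else restarts kojid, and in the meantime the daemon keeps authenticating with the old key and certificate. Adding `notify: - restart kojid` to this task closes that gap (the `copy over koji ca cert` task just above this hunk likely deserves the same, but its body is outside the hunk). Minor: the task sets `mode=600` but no `owner=`, so ownership is whatever the connecting user is -- presumably root, given the plays in this commit run as `user: root` -- and spelling out `owner=root` makes the intent explicit rather than incidental.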
@@ -170,10 +229,14 @@ always_run: yes changed_when: '1 != 1' when: ansible_distribution == 'RedHat' and ansible_architecture == 'x86_64' + tags: + - koji_builder - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 when: max_loop is defined and max_loop.stdout.find("max_loop=64") == -1 + tags: + - koji_builder # # x86_64 builders run pungify, that needs hfs module in order to make @@ -185,3 +248,5 @@ with_items: - kmod-hfsplus when: is_rhel is defined and ansible_architecture == 'x86_64' + tags: + - koji_builder diff --git a/roles/koji_hub/files/updatecrl.cron b/roles/koji_hub/files/updatecrl.cron new file mode 100644 index 0000000000..a7efa260a0 --- /dev/null +++ b/roles/koji_hub/files/updatecrl.cron @@ -0,0 +1 @@ +0 * * * * root /usr/local/bin/updatecrl.sh &>/dev/null diff --git a/roles/koji_hub/files/updatecrl.sh b/roles/koji_hub/files/updatecrl.sh index f54f3235c4..1c7660a4dc 100644 --- a/roles/koji_hub/files/updatecrl.sh +++ b/roles/koji_hub/files/updatecrl.sh @@ -2,7 +2,7 @@ URL=https://admin.fedoraproject.org/ca/crl.pem OLD=/etc/pki/tls/crl.pem -NEW=/tmp/crl.pem +NEW=/var/tmp/crl.pem wget $URL -O $NEW OLDUPDATE=`openssl crl -in $OLD -noout -lastupdate` diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml index 086c5a4745..cd7893d6e3 100644 --- a/roles/koji_hub/tasks/main.yml +++ b/roles/koji_hub/tasks/main.yml @@ -15,6 +15,7 @@ - gnupg2 tags: - packages + - koji_hub - name: make koji pki directory file: state=directory path=/etc/pki/koji/ owner=root group=root 
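Review bot: Moving the download target from `/tmp/crl.pem` to `/var/tmp/crl.pem` keeps a fixed, predictable filename in a world-writable directory that an hourly root cron job writes with `wget -O`; unless the kernel's protected_symlinks is in effect, any local user can pre-create `/var/tmp/crl.pem` as a symlink or as a file they own, and root will follow the link or hand them a file it then overwrites. Use a root-owned location or a fresh temporary file instead, e.g. `NEW=$(mktemp /var/tmp/crl.XXXXXX)` with `trap 'rm -f "$NEW"' EXIT`, and fail early when the fetch fails, `wget -q "$URL" -O "$NEW" || exit 1`, since an empty or truncated `$NEW` otherwise reaches the `openssl crl` comparison below. The new cron entry redirects everything to `/dev/null`, so a broken fetch (moved address, expired cert, outage) is invisible and the hub silently keeps an ageing CRL; dropping `&>/dev/null` or logging to a file would surface it, and note that `&>` is a bashism which only works because cron's shell here is bash. What happens after the `lastupdate` comparison is outside the hunk.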
@@ -25,58 +26,82 @@ - certs - private - confs + tags: + - koji_hub - name: hub config template: src=hub.conf.j2 dest=/etc/koji-hub/hub.conf owner=apache group=apache mode=600 tags: - config + - koji_hub notify: restart httpd - name: kojiweb config template: src=web.conf.j2 dest=/etc/kojiweb/web.conf owner=apache group=apache mode=600 tags: - config + - koji_hub notify: restart httpd - name: enable httpd_can_network_connect SELinux boolean for fedmsg seboolean: name=httpd_can_network_connect state=yes persistent=yes tags: - config + - selinux + - koji_hub - name: koji fedmsg plugin copy: src=fedmsg-koji-plugin.py dest=/usr/lib/koji-hub-plugins/fedmsg-koji-plugin.py + notify: + - restart httpd tags: - config - -- name: init koji ca key file - copy: src={{ puppet_private }}/koji/koji.stg_key.pem dest=/etc/pki/tls/private/koji.stg_key.pem - tags: - - config + - koji_hub - name: install kojiweb_cert_key.pem copy: src={{ puppet_private }}/koji/kojiweb_cert_key.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem owner=apache mode=600 + notify: + - restart httpd tags: - config + - koji_hub + when: env != 'staging' -- name: install koji_key.pem - copy: src={{ puppet_private }}/koji/koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600 - tags: - - config - -- name: install koji_cert.pem +- name: install production koji_cert.pem copy: src={{ puppet_private }}/koji/koji_cert.pem dest=/etc/pki/tls/certs/koji_cert.pem owner=apache mode=600 + notify: + - restart httpd tags: - config + - koji_hub + when: env != 'staging' -- name: Install koji ssl certs +- name: install production koji_key.pem + copy: src={{ puppet_private }}/koji/koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600 + notify: + - restart httpd + tags: + - config + - koji_hub + when: env != 'staging' + +- name: Install staging koji ssl cert copy: src={{ puppet_private }}/koji/koji.stg_cert.pem dest=/etc/pki/tls/certs/koji.stg_cert.pem + notify: + - restart httpd tags: - config 
+ - koji_hub + when: env == 'staging' -- name: init kojiweb ca cert file - copy: src={{ puppet_private }}/koji/kojiweb_cert_key.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem +- name: install staging koji ssl key + copy: src={{ puppet_private }}/koji/koji.stg_key.pem dest=/etc/pki/tls/private/koji.stg_key.pem + notify: + - restart httpd tags: - config + - koji_hub + when: env == 'staging' - name: instaall fedora-ca.cert in various places copy: src={{ puppet_private }}/fedora-ca.cert dest={{ item }} owner=apache @@ -87,16 +112,27 @@ - /etc/pki/tls/certs/upload_cacert.pem tags: - config + - koji_hub - name: install kojira_cert_key copy: src={{ puppet_private }}/koji/kojira_cert_key.pem dest=/etc/kojira/kojira_cert_key.pem owner=apache mode=600 tags: - config + - koji_hub - name: updatecrl script copy: src=updatecrl.sh dest=/usr/local/bin/updatecrl.sh owner=root mode=755 tags: - config + - koji_hub + - cron + +- name: updatecrl cronjob + copy: src=updatecrl.cron dest=/etc/cron.d/updatecrl owner=root mode=644 + tags: + - config + - cron + - koji_hub - name: koji web config files copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root @@ -108,27 +144,38 @@ - repo.conf tags: - config + - koji_hub notify: restart httpd - name: koji staging ssl config copy: src=koji-ssl.conf.stg dest=/etc/httpd/conf.d/ssl.conf tags: - config + - koji_hub when: env == "staging" - name: kojira config copy: src=kojira.conf dest=/etc/kojira/kojira.conf tags: - config + - koji_hub - name: make mnt/koji directory file: state=directory path=/mnt/koji/ owner=root group=root + tags: + - koji_hub - name: set sebooleans so koji can talk to the db seboolean: name=httpd_can_network_connect_db state=true persistent=true + tags: + - selinux + - koji_hub - name: set sebooleans so koji can anon write seboolean: name=allow_httpd_anon_write state=true persistent=true + tags: + - selinux + - koji_hub - name: Set httpd to run on boot service: name=httpd enabled=yes 
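Review bot: The new `install staging koji ssl key` task copies `koji.stg_key.pem` into `/etc/pki/tls/private/` with no `owner=` or `mode=`, while the production `install production koji_key.pem` task a few lines up sets `owner=apache mode=600`; the staging private key therefore gets the copy module's default ownership and a umask-derived mode, which is either world-readable or unreadable by httpd depending on the connecting user's umask (I cannot tell which from here, but neither is right for a TLS key). Change it to `copy: src={{ puppet_private }}/koji/koji.stg_key.pem dest=/etc/pki/tls/private/koji.stg_key.pem owner=apache mode=600` to match production. `Install staging koji ssl cert` has the same omission; that is harmless for the public certificate but should be made consistent with `install production koji_cert.pem` so the two environments stay comparable. This hunk begins on the previous line.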
@@ -137,3 +184,4 @@ - restart httpd tags: - service + - koji_hub diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml index c3833476f2..79bd82a109 100644 --- a/roles/taskotron/resultsdb-backend/tasks/main.yml +++ b/roles/taskotron/resultsdb-backend/tasks/main.yml @@ -17,6 +17,7 @@ delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres sudo: true + remote_tmp: '/tmp/.ansible/' action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure stg resultsdb db user has access to stg database @@ -24,6 +25,7 @@ delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres sudo: true + remote_tmp: '/tmp/.ansible/' action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure prod resultsdb db user has access to prod database @@ -31,9 +33,9 @@ delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres sudo: true + remote_tmp: '/tmp/.ansible/' action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - - name: ensure selinux lets httpd talk to postgres seboolean: name=httpd_can_network_connect_db persistent=yes state=yes
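Review bot: The three `postgresql_user` tasks now set `remote_tmp: '/tmp/.ansible/'`, a fixed path in a world-writable directory; as I understand Ansible's sudo_user handling, the module payload is written there and then made readable to `postgres`, so another local user on `{{ resultsdb_db_host }}` who creates `/tmp/.ansible/` first can tamper with module files that subsequently execute as `postgres`. A directory owned by the target user, such as `~postgres/.ansible/tmp`, or enabling `pipelining` so no remote tmp file is needed, avoids the shared path. I am also not certain `remote_tmp` is honoured as a task keyword in this Ansible version rather than only in `ansible.cfg`; if it is silently ignored the change is a no-op, so a comment recording which version this was tested against would help. Each task also passes `password={{ ... }}` as a plain module argument, so the database passwords appear in `-v` output and any log; add `no_log: true` to these tasks if this Ansible version supports it.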