From b887e3b0b515f6f8ffb6c5c972b64bfcc6119cf1 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Tue, 11 Nov 2014 17:15:16 +0000
Subject: [PATCH 01/15] Try preferring https for resultsdb.
---
 roles/taskotron/resultsdb-backend/templates/settings.py.j2 | 1 +
 roles/taskotron/resultsdb-frontend/templates/settings.py.j2 | 1 +
 2 files changed, 2 insertions(+)
diff --git a/roles/taskotron/resultsdb-backend/templates/settings.py.j2 b/roles/taskotron/resultsdb-backend/templates/settings.py.j2
index 828c6a3ba5..3b4f004942 100644
--- a/roles/taskotron/resultsdb-backend/templates/settings.py.j2
+++ b/roles/taskotron/resultsdb-backend/templates/settings.py.j2
@@ -14,3 +14,4 @@ FILE_LOGGING = False
 LOGFILR = '/var/log/resultsdb/resultsdb.log'
 SYSLOG_LOGGING = False
 STREAM_LOGGING = True
+PREFERRED_URL_SCHEME = 'https'
diff --git a/roles/taskotron/resultsdb-frontend/templates/settings.py.j2 b/roles/taskotron/resultsdb-frontend/templates/settings.py.j2
index f8a94b52fd..31ed052a2b 100644
--- a/roles/taskotron/resultsdb-frontend/templates/settings.py.j2
+++ b/roles/taskotron/resultsdb-frontend/templates/settings.py.j2
@@ -14,3 +14,4 @@ FILE_LOGGING = False
 LOGFILR = '/var/log/resultsdb_frontend/resultsdb_frontend.log'
 SYSLOG_LOGGING = False
 STREAM_LOGGING = True
+PREFERRED_URL_SCHEME = 'https'
From be02f18dc197d2cc5ea6273af4a2fbdada7d146d Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Tue, 11 Nov 2014 17:42:09 +0000
Subject: [PATCH 02/15] Revert "Try preferring https for resultsdb."
- This had no effect.
This reverts commit b887e3b0b515f6f8ffb6c5c972b64bfcc6119cf1.
---
 roles/taskotron/resultsdb-backend/templates/settings.py.j2 | 1 -
 roles/taskotron/resultsdb-frontend/templates/settings.py.j2 | 1 -
 2 files changed, 2 deletions(-)
diff --git a/roles/taskotron/resultsdb-backend/templates/settings.py.j2 b/roles/taskotron/resultsdb-backend/templates/settings.py.j2
index 3b4f004942..828c6a3ba5 100644
--- a/roles/taskotron/resultsdb-backend/templates/settings.py.j2
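Review bot: `PREFERRED_URL_SCHEME` is Flask's fallback scheme for URL generation when no request is active (e.g. `url_for(..., _external=True)` from a shell or background job); inside a request the scheme is taken from the WSGI environ, so this line will not make links generated behind a TLS-terminating proxy come out as `https://`, which matches the "had no effect" observation in the revert that follows. If the goal is correct external URLs behind the proxy, the fix belongs at the WSGI layer — honor `X-Forwarded-Proto` via werkzeug's `ProxyFix` middleware, or set `wsgi.url_scheme`/`HTTPS` in the httpd vhost that fronts the app — not in this settings template. If the line is kept for the non-request case, a comment such as `# Fallback scheme for URLs generated outside a request; the proxy sets the scheme for real requests` would keep the next reader from expecting more of it.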
+++ b/roles/taskotron/resultsdb-backend/templates/settings.py.j2
@@ -14,4 +14,3 @@ FILE_LOGGING = False
 LOGFILR = '/var/log/resultsdb/resultsdb.log'
 SYSLOG_LOGGING = False
 STREAM_LOGGING = True
-PREFERRED_URL_SCHEME = 'https'
diff --git a/roles/taskotron/resultsdb-frontend/templates/settings.py.j2 b/roles/taskotron/resultsdb-frontend/templates/settings.py.j2
index 31ed052a2b..f8a94b52fd 100644
--- a/roles/taskotron/resultsdb-frontend/templates/settings.py.j2
+++ b/roles/taskotron/resultsdb-frontend/templates/settings.py.j2
@@ -14,4 +14,3 @@ FILE_LOGGING = False
 LOGFILR = '/var/log/resultsdb_frontend/resultsdb_frontend.log'
 SYSLOG_LOGGING = False
 STREAM_LOGGING = True
-PREFERRED_URL_SCHEME = 'https'
From 3ca99df287c200dca24110d835f59796933cfa4a Mon Sep 17 00:00:00 2001
From: Tim Flink
Date: Tue, 11 Nov 2014 18:00:08 +0000
Subject: [PATCH 03/15] try removing sudo from resultsdb postgresql commands to fix errors
---
 roles/taskotron/resultsdb-backend/tasks/main.yml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml
index c3833476f2..029816eb9e 100644
--- a/roles/taskotron/resultsdb-backend/tasks/main.yml
+++ b/roles/taskotron/resultsdb-backend/tasks/main.yml
@@ -8,29 +8,21 @@ - name: ensure dev database is created delegate_to: "{{ resultsdb_db_host }}" - sudo_user: postgres - sudo: true action: postgresql_db db={{ resultsdb_db_name }} - name: ensure dev resultsdb db user has access to dev database when: deployment_type == 'dev' delegate_to: "{{ resultsdb_db_host }}" - sudo_user: postgres - sudo: true action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure stg resultsdb db user has access to stg database when: deployment_type == 'stg' delegate_to: "{{ resultsdb_db_host }}" - sudo_user: postgres - sudo: true action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure prod resultsdb db user has access to prod database when: deployment_type == 'prod' delegate_to: "{{ resultsdb_db_host }}" - sudo_user: postgres - sudo: true action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER From c45cb4e945a6e02a0d65a24b8854d35eea14a53f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 11 Nov 2014 19:19:41 +0000 Subject: [PATCH 04/15] Try to improve and organize the koji_hub role. --- roles/koji_hub/tasks/main.yml | 68 +++++++++++++++++++++++++++-------- 1 file changed, 54 insertions(+), 14 deletions(-) diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml index 086c5a4745..2ac18b9b81 100644 --- a/roles/koji_hub/tasks/main.yml +++ b/roles/koji_hub/tasks/main.yml @@ -15,6 +15,7 @@ - gnupg2 tags: - packages + - koji_hub - name: make koji pki directory file: state=directory path=/etc/pki/koji/ owner=root group=root 
@@ -25,58 +26,82 @@ - certs - private - confs + tags: + - koji_hub - name: hub config template: src=hub.conf.j2 dest=/etc/koji-hub/hub.conf owner=apache group=apache mode=600 tags: - config + - koji_hub notify: restart httpd - name: kojiweb config template: src=web.conf.j2 dest=/etc/kojiweb/web.conf owner=apache group=apache mode=600 tags: - config + - koji_hub notify: restart httpd - name: enable httpd_can_network_connect SELinux boolean for fedmsg seboolean: name=httpd_can_network_connect state=yes persistent=yes tags: - config + - selinux + - koji_hub - name: koji fedmsg plugin copy: src=fedmsg-koji-plugin.py dest=/usr/lib/koji-hub-plugins/fedmsg-koji-plugin.py + notify: + - restart httpd tags: - config - -- name: init koji ca key file - copy: src={{ puppet_private }}/koji/koji.stg_key.pem dest=/etc/pki/tls/private/koji.stg_key.pem - tags: - - config + - koji_hub - name: install kojiweb_cert_key.pem copy: src={{ puppet_private }}/koji/kojiweb_cert_key.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem owner=apache mode=600 + notify: + - restart httpd tags: - config + - koji_hub + when: env != 'staging' -- name: install koji_key.pem - copy: src={{ puppet_private }}/koji/koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600 - tags: - - config - -- name: install koji_cert.pem +- name: install production koji_cert.pem copy: src={{ puppet_private }}/koji/koji_cert.pem dest=/etc/pki/tls/certs/koji_cert.pem owner=apache mode=600 + notify: + - restart httpd tags: - config + - koji_hub + when: env != 'staging' -- name: Install koji ssl certs +- name: install production koji_key.pem + copy: src={{ puppet_private }}/koji/koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600 + notify: + - restart httpd + tags: + - config + - koji_hub + when: env != 'staging' + +- name: Install staging koji ssl cert copy: src={{ puppet_private }}/koji/koji.stg_cert.pem dest=/etc/pki/tls/certs/koji.stg_cert.pem + notify: + - restart httpd tags: - config 
+ - koji_hub + when: env == 'staging' -- name: init kojiweb ca cert file - copy: src={{ puppet_private }}/koji/kojiweb_cert_key.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem +- name: install staging koji ssl key + copy: src={{ puppet_private }}/koji/koji.stg_key.pem dest=/etc/pki/tls/private/koji.stg_key.pem + notify: + - restart httpd tags: - config + - koji_hub + when: env == 'staging' - name: instaall fedora-ca.cert in various places copy: src={{ puppet_private }}/fedora-ca.cert dest={{ item }} owner=apache @@ -87,16 +112,19 @@ - /etc/pki/tls/certs/upload_cacert.pem tags: - config + - koji_hub - name: install kojira_cert_key copy: src={{ puppet_private }}/koji/kojira_cert_key.pem dest=/etc/kojira/kojira_cert_key.pem owner=apache mode=600 tags: - config + - koji_hub - name: updatecrl script copy: src=updatecrl.sh dest=/usr/local/bin/updatecrl.sh owner=root mode=755 tags: - config + - koji_hub - name: koji web config files copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root @@ -108,27 +136,38 @@ - repo.conf tags: - config + - koji_hub notify: restart httpd - name: koji staging ssl config copy: src=koji-ssl.conf.stg dest=/etc/httpd/conf.d/ssl.conf tags: - config + - koji_hub when: env == "staging" - name: kojira config copy: src=kojira.conf dest=/etc/kojira/kojira.conf tags: - config + - koji_hub - name: make mnt/koji directory file: state=directory path=/mnt/koji/ owner=root group=root + tags: + - koji_hub - name: set sebooleans so koji can talk to the db seboolean: name=httpd_can_network_connect_db state=true persistent=true + tags: + - selinux + - koji_hub - name: set sebooleans so koji can anon write seboolean: name=allow_httpd_anon_write state=true persistent=true + tags: + - selinux + - koji_hub - name: Set httpd to run on boot service: name=httpd enabled=yes @@ -137,3 +176,4 @@ - restart httpd tags: - service + - koji_hub From a90f642d3191e139b19f8cb9e4b4669367d6d15f Mon Sep 17 00:00:00 2001 
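Review bot: `install staging koji ssl key` copies `koji.stg_key.pem` into `/etc/pki/tls/private/` with no `owner=apache mode=600`, unlike the `install production koji_key.pem` task a few lines above in the same hunk, so the staging private key is created with the copy module's default ownership and mode (typically root-owned and world-readable under the usual umask); `copy: src={{ puppet_private }}/koji/koji.stg_key.pem dest=/etc/pki/tls/private/koji.stg_key.pem owner=apache mode=600` brings it in line with production. The paired `Install staging koji ssl cert` task also lacks owner/mode; the cert is public, but mirroring the production task keeps the two environments identical. Separately, `install kojiweb_cert_key.pem` is now gated `when: env != 'staging'` and the old unconditional `init kojiweb ca cert file` duplicate is removed, so staging no longer receives `kojiweb_cert_key.pem` at all — presumably intended, but worth confirming against the staging ssl.conf.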
From: Ralph Bean Date: Tue, 11 Nov 2014 20:18:21 +0000 Subject: [PATCH 05/15] Add cronjob for koji updatecrl. --- roles/koji_hub/files/updatecrl.cron | 1 + roles/koji_hub/tasks/main.yml | 8 ++++++++ 2 files changed, 9 insertions(+) create mode 100644 roles/koji_hub/files/updatecrl.cron diff --git a/roles/koji_hub/files/updatecrl.cron b/roles/koji_hub/files/updatecrl.cron new file mode 100644 index 0000000000..a7efa260a0 --- /dev/null +++ b/roles/koji_hub/files/updatecrl.cron @@ -0,0 +1 @@ +0 * * * * root /usr/local/bin/updatecrl.sh &>/dev/null diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml index 2ac18b9b81..cd7893d6e3 100644 --- a/roles/koji_hub/tasks/main.yml +++ b/roles/koji_hub/tasks/main.yml @@ -125,6 +125,14 @@ tags: - config - koji_hub + - cron + +- name: updatecrl cronjob + copy: src=updatecrl.cron dest=/etc/cron.d/updatecrl owner=root mode=644 + tags: + - config + - cron + - koji_hub - name: koji web config files copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root From b281456e1e6ba70f687cb2e4228f55cb16c79238 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 11 Nov 2014 21:05:57 +0000 Subject: [PATCH 06/15] /var/tmp/. Better than /tmp/. --- roles/koji_hub/files/updatecrl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_hub/files/updatecrl.sh b/roles/koji_hub/files/updatecrl.sh index f54f3235c4..1c7660a4dc 100644 --- a/roles/koji_hub/files/updatecrl.sh +++ b/roles/koji_hub/files/updatecrl.sh @@ -2,7 +2,7 @@ URL=https://admin.fedoraproject.org/ca/crl.pem OLD=/etc/pki/tls/crl.pem -NEW=/tmp/crl.pem +NEW=/var/tmp/crl.pem wget $URL -O $NEW OLDUPDATE=`openssl crl -in $OLD -noout -lastupdate` From a14aefac773965e78b75452c5c22964fe7a6a21c Mon Sep 17 00:00:00 2001 
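Review bot: `0 * * * * root /usr/local/bin/updatecrl.sh &>/dev/null` discards stderr along with stdout, so a failing CRL refresh (the CA unreachable, `openssl` rejecting the download) is invisible and the hub keeps honoring whatever CRL it last fetched until someone notices; keeping stderr, e.g. `0 * * * * root /usr/local/bin/updatecrl.sh >/dev/null` or piping through `logger -t updatecrl`, gets failures into syslog where they can be alerted on. `&>` is also a bash-only redirection — cron runs `/bin/sh` unless `SHELL=` is set in this file, which is bash on Fedora/RHEL but would be parsed as a background job plus a stray redirection on a system where `/bin/sh` is not bash.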
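Review bot: `NEW=/var/tmp/crl.pem` is still a fixed, predictable filename in a world-writable directory that a root cron job writes and then reads back with `openssl crl`; moving from `/tmp` to `/var/tmp` changes persistence across reboots, not that exposure. Use a location only root can write to, or `NEW=$(mktemp /var/tmp/crl.XXXXXX)` with a `trap 'rm -f "$NEW"' EXIT`, and check `wget`'s exit status before the comparison, since `wget -O` truncates the target before downloading and a failed fetch leaves an empty file for the `openssl crl -in $OLD -noout -lastupdate` logic that follows. The remainder of the script, including the comparison and the copy into place, is outside the hunk.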
From: Ralph Bean Date: Tue, 11 Nov 2014 21:07:58 +0000 Subject: [PATCH 07/15] Specialize /etc/hosts for koji01.stg. --- .../files/koji01.stg.phx2.fedoraproject.org-hosts | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/hosts/files/koji01.stg.phx2.fedoraproject.org-hosts diff --git a/roles/hosts/files/koji01.stg.phx2.fedoraproject.org-hosts b/roles/hosts/files/koji01.stg.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..6dc078c4b3 --- /dev/null +++ b/roles/hosts/files/koji01.stg.phx2.fedoraproject.org-hosts @@ -0,0 +1,13 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +# Use admin.fedoraproject.org so we can get a fresh CRL from prod - it isn't +# synced to staging in a meaningful way. See /usr/local/bin/updatecrl.sh +209.132.181.16 admin.fedoraproject.org +10.5.126.89 admin.stg.fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.81 app01.stg.fedoraproject.org memcached01 memcached02 memcached03 memcached04 +10.5.126.85 db02.stg.fedoraproject.org db01 db-koji01 db05 db-ask db-datanommer db-datanommer01 db-datanommer02 db-datanommer02.phx2.fedoraproject.org db-tahrir db-elections db-fedocal db-github2fedmsg db-kerneltest db-notifs nuancier_db db-pkgdb2 db-summershum tagger_db +10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all +10.5.126.87 koji01.stg.phx2.fedoraproject.org koji.stg.fedoraproject.org koji01 kojipkgs kojipkgs.stg.phx2.fedoraproject.org kojipkgs.stg.fedoraproject.org From 49db0ed83721fdd95b5a680567f5770491380339 Mon Sep 17 00:00:00 2001 
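Review bot: the `209.132.181.16 admin.fedoraproject.org` entry hard-codes the production address so staging can fetch the prod CRL over https; `wget` still verifies the server certificate by default, so integrity is preserved, but if that address ever moves the hourly refresh starts failing silently (its cron entry discards output) while the host keeps using the last CRL it fetched. Record the dependency next to the existing comment — `# NOTE: keep in sync with the production proxy address; nothing else will notice if it changes` — and consider having `updatecrl.sh` report fetch failures rather than relying on this pin staying current.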
From: Ralph Bean Date: Tue, 11 Nov 2014 21:23:00 +0000 Subject: [PATCH 08/15] Tag the koji_builder role. --- roles/koji_builder/tasks/main.yml | 65 +++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 0e1e571baa..5a51ca50ae 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -3,30 +3,48 @@ # - name: set root passwd user: name=root password={{ builder_rootpw }} state=present + tags: + - koji_builder - name: add mock user as 425 user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes + tags: + - koji_builder - name: make mock homedir perms file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock + tags: + - koji_builder - name: add mock ssh dir file: state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock + tags: + - koji_builder - name: add mock ssh keys copy: src=mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock + tags: + - koji_builder - name: add kojibuilder user: name=kojibuilder groups=mock + tags: + - koji_builder - name: add mockbuilder user: name=mockbuilder groups=mock + tags: + - koji_builder - name: mockbuilder .ssh dir file: state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder + tags: + - koji_builder - name: mockbuilder ssh key copy: src=ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder + tags: + - koji_builder - name: make a bunch of dirs file: state=directory path={{ item }} @@ -35,6 +53,8 @@ - /mnt/fedora_koji - /pub/fedora - /pub/epel + tags: + - koji_builder - name: make a bunch of dirs file: state=directory path={{ item }} owner=apache group=apache @@ -44,6 +64,8 @@ - /mnt/koji/work - /mnt/koji/scratch when: env == 'staging' + tags: + - koji_builder - name: add pkgs yum: state=present pkg={{ item }} 
@@ -57,6 +79,8 @@ - ntpdate - rsyslog - audit + tags: + - koji_builder - name: add oz/imagefctory pkgs on x86 and arm only. yum: state=present pkg={{ item }} @@ -75,42 +99,60 @@ - VMDKstream - pykickstart when: ansible_architecture != 'ppc64' + tags: + - koji_builder - name: /etc/kojid/kojid.conf copy: src=kojid.conf dest=/etc/kojid/kojid.conf when: not inventory_hostname.startswith(('arm01','arm03','koji01.stg','buildvm-01.stg')) notify: - restart kojid + tags: + - koji_builder - name: arm /etc/kojid/kojid.conf copy: src=arm-kojid.conf dest=/etc/kojid/kojid.conf when: inventory_hostname.startswith(('arm01','arm03')) notify: - restart kojid + tags: + - koji_builder - name: staging /etc/kojid/kojid.conf copy: src=stg-kojid.conf dest=/etc/kojid/kojid.conf when: inventory_hostname.startswith(('koji01.stg','buildvm-01.stg')) notify: - restart kojid + tags: + - koji_builder - name: /etc/koji/koji.conf copy: src=koji.conf dest=/etc/koji.conf when: not inventory_hostname.startswith(('arm01','arm03')) + tags: + - koji_builder - name: /etc/koji/koji.conf copy: src=arm-koji.conf dest=/etc/koji.conf when: inventory_hostname.startswith(('arm01','arm03')) + tags: + - koji_builder # setup for oz/imagefactory - name: make .psphere dir file: state=directory path=/root/.psphere mode=775 owner=root group=root + tags: + - koji_builder - name: make .psphere/templates dir file: state=directory path=/root/.psphere/templates mode=775 owner=root group=root + tags: + - koji_builder - name: copy over /root/.psphere/config.yaml copy: src={{ private }}/files/koji/config.yaml dest=/root/.psphere/config.yaml + tags: + - koji_builder # done oz/imagefactory - name: copy over koji ca cert 
@@ -118,19 +160,26 @@ - name: copy over /etc/security/limits.conf copy: src=limits.conf dest=/etc/security/limits.conf + tags: + - koji_builder - name: copy over builder cert to /etc/kojid/kojibuilder.pem copy: src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600 + tags: + - koji_builder # idmapd and make sure it's set to run - name: idmapd.conf copy: src=idmapd.conf dest=/etc/idmapd.conf tags: - configs + - koji_builder - name: make a mnt/koji link file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji when: inventory_hostname.startswith('build') and datacenter == 'phx2' + tags: + - koji_builder # mock configs for pungify job - name: put extra special mock configs in @@ -142,16 +191,24 @@ - fedora-rawhide-pungi-i386.cfg - fedora-rawhide-pungi-x86_64.cfg - fedora-rawhide-pungi-armhfp.cfg + tags: + - koji_builder - name: mock site-defaults.cfg copy: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock when: not inventory_hostname.startswith('bkernel') + tags: + - koji_builder - name: ntp steptickers copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers + tags: + - koji_builder - name: ntp.conf copy: src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf + tags: + - koji_builder # # We want more loop devices on builders to allow more image creates @@ -163,6 +220,8 @@ always_run: yes changed_when: '1 != 1' when: ansible_distribution == 'Fedora' and ansible_architecture == 'x86_64' + tags: + - koji_builder - name: check for max_loop with grub1 command: cat /etc/grub.conf 
@@ -170,10 +229,14 @@ always_run: yes changed_when: '1 != 1' when: ansible_distribution == 'RedHat' and ansible_architecture == 'x86_64' + tags: + - koji_builder - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 when: max_loop is defined and max_loop.stdout.find("max_loop=64") == -1 + tags: + - koji_builder # # x86_64 builders run pungify, that needs hfs module in order to make @@ -185,3 +248,5 @@ with_items: - kmod-hfsplus when: is_rhel is defined and ansible_architecture == 'x86_64' + tags: + - koji_builder From 6590546e050094a8e5ac1fd4c1b896d332f5863a Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 11 Nov 2014 21:27:55 +0000 Subject: [PATCH 09/15] Start kojid for staging. --- playbooks/groups/koji-hub.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index a750ec71d4..98d28d0924 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml @@ -51,3 +51,14 @@ handlers: - include: "{{ handlers }}/restart_services.yml" + + +- name: Start the kojid builder daemon, but only on staging. + # Really -- this should never be set for prod. + hosts: koji-stg + user: root + gather_facts: True + + tasks: + - name: make sure kojid is running + action: service name=kojid state=running From 20b1399425ef89c298cc56d904b5caa0101692ed Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 11 Nov 2014 22:11:00 +0000 Subject: [PATCH 10/15] attempting to restructure postgres commands for resultsdb_backend to get rid of errors --- .../resultsdb-backend/tasks/main.yml | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml index 029816eb9e..d82ffb90ce 100644 --- a/roles/taskotron/resultsdb-backend/tasks/main.yml +++ b/roles/taskotron/resultsdb-backend/tasks/main.yml 
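Review bot: the only thing keeping `make sure kojid is running` off production is that the play targets the `koji-stg` group, while the comment says it `should never be set for prod`; adding `when: env == 'staging'` to the task (the same variable the koji_hub role already gates its staging certificates on) turns that intent into a check that survives a mis-grouped host or a copy-paste into another playbook. `state=running` is the older spelling of `started` and does not enable the unit, so kojid will not come back after a reboot — presumably intended for a staging experiment, but worth saying in the comment so nobody later "fixes" it for prod.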
@@ -6,25 +6,26 @@ - python-psycopg2 - libsemanage-python -- name: ensure dev database is created - delegate_to: "{{ resultsdb_db_host }}" - action: postgresql_db db={{ resultsdb_db_name }} +- name: prepare resultsdb database + hosts: "{{ resultsdb_db_host }}" + gather_facts: no + sudo: yes + sudo_user: postgres + tasks: + - name: ensure dev database is created + action: postgresql_db db={{ resultsdb_db_name }} -- name: ensure dev resultsdb db user has access to dev database - when: deployment_type == 'dev' - delegate_to: "{{ resultsdb_db_host }}" - action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER + - name: ensure dev resultsdb db user has access to dev database + when: deployment_type == 'dev' + action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER -- name: ensure stg resultsdb db user has access to stg database - when: deployment_type == 'stg' - delegate_to: "{{ resultsdb_db_host }}" - action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - -- name: ensure prod resultsdb db user has access to prod database - when: deployment_type == 'prod' - delegate_to: "{{ resultsdb_db_host }}" - action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER + - name: ensure stg resultsdb db user has access to stg database + when: deployment_type == 'stg' + action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER + - name: ensure prod resultsdb db user has access to prod database + when: deployment_type == 'prod' + action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} 
password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure selinux lets httpd talk to postgres seboolean: name=httpd_can_network_connect_db persistent=yes state=yes From d6fdac91bdc11f4dbed7d69b10a1fb0e624c69eb Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 11 Nov 2014 22:19:16 +0000 Subject: [PATCH 11/15] attempting to isolate the postgresql commands for resultsdb backend --- .../resultsdb-backend/tasks/database.yml | 22 +++++++++++++++++++ .../resultsdb-backend/tasks/main.yml | 21 +----------------- 2 files changed, 23 insertions(+), 20 deletions(-) create mode 100644 roles/taskotron/resultsdb-backend/tasks/database.yml diff --git a/roles/taskotron/resultsdb-backend/tasks/database.yml b/roles/taskotron/resultsdb-backend/tasks/database.yml new file mode 100644 index 0000000000..62505a1d52 --- /dev/null +++ b/roles/taskotron/resultsdb-backend/tasks/database.yml @@ -0,0 +1,22 @@ +- name: prepare resultsdb database + hosts: "{{ resultsdb_db_host }}" + gather_facts: no + sudo: yes + sudo_user: postgres + + tasks: + - name: ensure dev database is created + action: postgresql_db db={{ resultsdb_db_name }} + + - name: ensure dev resultsdb db user has access to dev database + when: deployment_type == 'dev' + action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER + + - name: ensure stg resultsdb db user has access to stg database + when: deployment_type == 'stg' + action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER + + - name: ensure prod resultsdb db user has access to prod database + when: deployment_type == 'prod' + action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER + 
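Review bot: the new `prepare resultsdb database` entry uses play-level keywords (`hosts:`, `gather_facts:`, `sudo:`, `sudo_user:`, `tasks:`) inside `roles/taskotron/resultsdb-backend/tasks/main.yml`, which is a task list; as far as I can tell Ansible parses every item there as a task and will reject these keys rather than run a nested play, so the per-environment `when:` checks never execute. The next patch moves the same structure into `database.yml` and pulls it in with `- include: database.yml`, which has the same problem because a task-file include cannot introduce a play. The become-as-postgres behavior has to be expressed per task — `delegate_to: "{{ resultsdb_db_host }}"`, `sudo: yes`, `sudo_user: postgres` on each — or the play has to live in a playbook under `playbooks/` rather than in the role.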
diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml index d82ffb90ce..abf7387045 100644 --- a/roles/taskotron/resultsdb-backend/tasks/main.yml +++ b/roles/taskotron/resultsdb-backend/tasks/main.yml @@ -6,26 +6,7 @@ - python-psycopg2 - libsemanage-python -- name: prepare resultsdb database - hosts: "{{ resultsdb_db_host }}" - gather_facts: no - sudo: yes - sudo_user: postgres - tasks: - - name: ensure dev database is created - action: postgresql_db db={{ resultsdb_db_name }} - - - name: ensure dev resultsdb db user has access to dev database - when: deployment_type == 'dev' - action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - - - name: ensure stg resultsdb db user has access to stg database - when: deployment_type == 'stg' - action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - - - name: ensure prod resultsdb db user has access to prod database - when: deployment_type == 'prod' - action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER +- include: database.yml - name: ensure selinux lets httpd talk to postgres seboolean: name=httpd_can_network_connect_db persistent=yes state=yes From e166e2a45756e88ba8b6c5cb2f89191a0ab235c4 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 11 Nov 2014 22:27:03 +0000 Subject: [PATCH 12/15] Revert "attempting to isolate the postgresql commands for resultsdb backend" This reverts commit d6fdac91bdc11f4dbed7d69b10a1fb0e624c69eb. --- .../resultsdb-backend/tasks/database.yml | 22 ------------------- .../resultsdb-backend/tasks/main.yml | 21 +++++++++++++++++- 2 files changed, 20 insertions(+), 23 deletions(-) delete mode 100644 roles/taskotron/resultsdb-backend/tasks/database.yml 
diff --git a/roles/taskotron/resultsdb-backend/tasks/database.yml b/roles/taskotron/resultsdb-backend/tasks/database.yml deleted file mode 100644 index 62505a1d52..0000000000 --- a/roles/taskotron/resultsdb-backend/tasks/database.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: prepare resultsdb database - hosts: "{{ resultsdb_db_host }}" - gather_facts: no - sudo: yes - sudo_user: postgres - - tasks: - - name: ensure dev database is created - action: postgresql_db db={{ resultsdb_db_name }} - - - name: ensure dev resultsdb db user has access to dev database - when: deployment_type == 'dev' - action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - - - name: ensure stg resultsdb db user has access to stg database - when: deployment_type == 'stg' - action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - - - name: ensure prod resultsdb db user has access to prod database - when: deployment_type == 'prod' - action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml index abf7387045..d82ffb90ce 100644 --- a/roles/taskotron/resultsdb-backend/tasks/main.yml +++ b/roles/taskotron/resultsdb-backend/tasks/main.yml 
@@ -6,7 +6,26 @@ - python-psycopg2 - libsemanage-python -- include: database.yml +- name: prepare resultsdb database + hosts: "{{ resultsdb_db_host }}" + gather_facts: no + sudo: yes + sudo_user: postgres + tasks: + - name: ensure dev database is created + action: postgresql_db db={{ resultsdb_db_name }} + + - name: ensure dev resultsdb db user has access to dev database + when: deployment_type == 'dev' + action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER + + - name: ensure stg resultsdb db user has access to stg database + when: deployment_type == 'stg' + action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER + + - name: ensure prod resultsdb db user has access to prod database + when: deployment_type == 'prod' + action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure selinux lets httpd talk to postgres seboolean: name=httpd_can_network_connect_db persistent=yes state=yes From adb54312726742808e3aaf67b6f6706bd61b4ca9 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 11 Nov 2014 22:31:11 +0000 Subject: [PATCH 13/15] reverting earlier removal of sudo commands in resultsdb database --- .../resultsdb-backend/tasks/main.yml | 38 +++++++++++-------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml index d82ffb90ce..bae896c18d 100644 --- a/roles/taskotron/resultsdb-backend/tasks/main.yml +++ b/roles/taskotron/resultsdb-backend/tasks/main.yml 
@@ -6,26 +6,32 @@ - python-psycopg2 - libsemanage-python -- name: prepare resultsdb database - hosts: "{{ resultsdb_db_host }}" - gather_facts: no - sudo: yes +- name: ensure dev database is created + delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres - tasks: - - name: ensure dev database is created - action: postgresql_db db={{ resultsdb_db_name }} + sudo: true + action: postgresql_db db={{ resultsdb_db_name }} - - name: ensure dev resultsdb db user has access to dev database - when: deployment_type == 'dev' - action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER +- name: ensure dev resultsdb db user has access to dev database + when: deployment_type == 'dev' + delegate_to: "{{ resultsdb_db_host }}" + sudo_user: postgres + sudo: true + action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - - name: ensure stg resultsdb db user has access to stg database - when: deployment_type == 'stg' - action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER +- name: ensure stg resultsdb db user has access to stg database + when: deployment_type == 'stg' + delegate_to: "{{ resultsdb_db_host }}" + sudo_user: postgres + sudo: true + action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - - name: ensure prod resultsdb db user has access to prod database - when: deployment_type == 'prod' - action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER +- name: ensure prod resultsdb db user has access to prod database + when: deployment_type == 'prod' + delegate_to: "{{ resultsdb_db_host }}" + 
sudo_user: postgres + sudo: true + action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure selinux lets httpd talk to postgres seboolean: name=httpd_can_network_connect_db persistent=yes state=yes From 5718ed87de1aaccff76d2cfabf580ba02546ab70 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 11 Nov 2014 22:32:08 +0000 Subject: [PATCH 14/15] attempting to change remote tmpdir for postgres commands --- roles/taskotron/resultsdb-backend/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml index bae896c18d..07955372b5 100644 --- a/roles/taskotron/resultsdb-backend/tasks/main.yml +++ b/roles/taskotron/resultsdb-backend/tasks/main.yml @@ -17,6 +17,7 @@ delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres sudo: true + remote_tmp:/tmp/.ansible/ action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure stg resultsdb db user has access to stg database @@ -24,6 +25,7 @@ delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres sudo: true + remote_tmp:/tmp/.ansible/ action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure prod resultsdb db user has access to prod database @@ -31,6 +33,7 @@ delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres sudo: true + remote_tmp:/tmp/.ansible/ action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure selinux lets httpd talk to postgres From 63ff859fbaa8660ca74ca59d06f6d1468cb8f035 Mon Sep 17 00:00:00 2001 
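Review bot: the three restored `postgresql_user` tasks pass `password={{ dev_resultsdb_db_password }}` (and the stg/prod equivalents) as inline module arguments without `no_log: true`, so the credentials can appear in verbose playbook output and in the module's invocation logging on `{{ resultsdb_db_host }}` unless this Ansible version's module already masks that parameter; adding `no_log: true` to each of the three user tasks keeps them out. The same applies wherever these task lines are reintroduced earlier in the series (the sudo-removal patch and the `prepare resultsdb database` restructuring). `sudo: true` here and `sudo: yes` in the version being replaced are both accepted, but one spelling throughout would make the file easier to grep.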
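Review bot: `remote_tmp:/tmp/.ansible/` is added as a task key on three tasks, but `remote_tmp` is a connection/`[defaults]` setting (ansible.cfg, or in later releases the `ansible_remote_tmp` variable), not a task keyword, so even after the colon-space and quoting are fixed in the following patch the key is unlikely to be honored — as far as I can tell Ansible 1.x rejects unknown task keys outright. If the intent is to let the `sudo_user: postgres` step read the module payload that root uploads, `pipelining = True` under `[ssh_connection]` in `ansible.cfg` avoids the temp-file handoff entirely (provided sudoers on the target does not set `requiretty`); otherwise set `remote_tmp` there rather than pointing every run at a shared, predictable path under `/tmp`. This applies to all three hunks of this patch and to the three in `adding quotes and spaces to remote_tmp in resultsdb backend db`.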
From: Tim Flink Date: Tue, 11 Nov 2014 22:33:27 +0000 Subject: [PATCH 15/15] adding quotes and spaces to remote_tmp in resultsdb backend db --- roles/taskotron/resultsdb-backend/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml index 07955372b5..79bd82a109 100644 --- a/roles/taskotron/resultsdb-backend/tasks/main.yml +++ b/roles/taskotron/resultsdb-backend/tasks/main.yml @@ -17,7 +17,7 @@ delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres sudo: true - remote_tmp:/tmp/.ansible/ + remote_tmp: '/tmp/.ansible/' action: postgresql_user db={{ resultsdb_db_name }} user={{ dev_resultsdb_db_user }} password={{ dev_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure stg resultsdb db user has access to stg database @@ -25,7 +25,7 @@ delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres sudo: true - remote_tmp:/tmp/.ansible/ + remote_tmp: '/tmp/.ansible/' action: postgresql_user db={{ resultsdb_db_name }} user={{ stg_resultsdb_db_user }} password={{ stg_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure prod resultsdb db user has access to prod database @@ -33,7 +33,7 @@ delegate_to: "{{ resultsdb_db_host }}" sudo_user: postgres sudo: true - remote_tmp:/tmp/.ansible/ + remote_tmp: '/tmp/.ansible/' action: postgresql_user db={{ resultsdb_db_name }} user={{ prod_resultsdb_db_user }} password={{ prod_resultsdb_db_password }} role_attr_flags=NOSUPERUSER - name: ensure selinux lets httpd talk to postgres