From aba005a548da625f0777ced014c45996fd376155 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Tue, 18 Jun 2019 16:40:07 -0700 Subject: [PATCH] Convert relvalconsumer to fedora-messaging Following the basic scheme I set up for fedora_openqa, hope it's all right... Signed-off-by: Adam Williamson --- inventory/group_vars/relvalconsumer | 1 + inventory/group_vars/relvalconsumer_common | 19 +++ inventory/group_vars/relvalconsumer_test | 2 +- inventory/inventory | 4 + playbooks/groups/openqa.yml | 13 ++ roles/relvalconsumer/defaults/main.yml | 8 ++ roles/relvalconsumer/tasks/main.yml | 128 +++++++++++++++--- .../templates/relvalconsumer.toml.j2 | 113 ++++++++++++++++ 8 files changed, 266 insertions(+), 22 deletions(-) create mode 100644 inventory/group_vars/relvalconsumer_common create mode 100644 roles/relvalconsumer/templates/relvalconsumer.toml.j2
diff --git a/inventory/group_vars/relvalconsumer b/inventory/group_vars/relvalconsumer
index 579c4fcb41..0995759fc1 100644
--- a/inventory/group_vars/relvalconsumer
+++ b/inventory/group_vars/relvalconsumer
@@ -1,2 +1,3 @@
 # This var should never be set for more than one machine
 relvalconsumer_prod: true
+relvalconsumer_env_suffix:
diff --git a/inventory/group_vars/relvalconsumer_common b/inventory/group_vars/relvalconsumer_common
new file mode 100644
index 0000000000..14688e5fd7
--- /dev/null
+++ b/inventory/group_vars/relvalconsumer_common
@@ -0,0 +1,19 @@ +# we need this for our fedora-messaging consumer as it is not allowed +# to create queues on the infra AMQP broker, by broker config +relvalconsumer_amqp_passive: true + +# fedora-messaging job scheduler settings: most of these are the same +# for prod and stg as they both must listen for prod messages. Only +# the queue names differs +relvalconsumer_amqp_url: "amqps://openqa:@rabbitmq.fedoraproject.org/%2Fpubsub" +relvalconsumer_amqp_cacert: /etc/fedora-messaging/cacert.pem +relvalconsumer_amqp_key: /etc/pki/fedora-messaging/openqa-key.pem +relvalconsumer_amqp_cert: /etc/pki/fedora-messaging/openqa-cert.pem +relvalconsumer_amqp_queue: "relvalconsumer{{ relvalconsumer_env_suffix }}" +relvalconsumer_amqp_routing_keys: ["org.fedoraproject.prod.pungi.compose.status.change", + "org.fedoraproject.prod.bodhi.update.request.testing", + "org.fedoraproject.prod.bodhi.update.edit"] + +# fedora-messaging email error reporting settings +relvalconsumer_amqp_mailto: ["adamwill@fedoraproject.org", "lruzicka@fedoraproject.org"] +relvalconsumer_amqp_smtp: bastion diff --git a/inventory/group_vars/relvalconsumer_test b/inventory/group_vars/relvalconsumer_test index 98027437f3..fe92a33f08 100644 --- a/inventory/group_vars/relvalconsumer_test +++ b/inventory/group_vars/relvalconsumer_test @@ -1,2 +1,2 @@ relvalconsumer_prod: false - +relvalconsumer_env_suffix: .test diff --git a/inventory/inventory b/inventory/inventory index 2f6afddad7..c5fefc140a 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -666,6 +666,10 @@ proxies_internal [proxies_stg] proxy01.stg.phx2.fedoraproject.org +[relvalconsumer_common] +openqa01.qa.fedoraproject.org +openqa-stg01.qa.fedoraproject.org + # This group should only ever contain *ONE* system [relvalconsumer] openqa01.qa.fedoraproject.org diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index 4218cc0fce..da1f72abab 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml 
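Review bot: `relvalconsumer_amqp_queue` is set to `"relvalconsumer{{ relvalconsumer_env_suffix }}"` here, but the `rabbit/queue` role added in playbooks/groups/openqa.yml creates `"relvalconsumer{{ relvalconsumer_env_suffix }}_scheduler"`, and with `relvalconsumer_amqp_passive: true` the consumer cannot create the queue it names. Unless something outside this patch reconciles the two names, the consumer would passively declare a queue that does not exist on the broker; using one name in both places, for example `relvalconsumer_amqp_queue: "relvalconsumer{{ relvalconsumer_env_suffix }}_scheduler"`, would fix it. The broker-side binding in that role also lists only the pungi routing key, while this file adds the two bodhi keys, so it is worth confirming the `openqa` user is allowed to bind those itself.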
@@ -106,6 +106,19 @@
 env_suffix: "{{ openqa_env_suffix }}"
 tags: ['rabbit']
 when: deployment_type == "stg"
+ # relvalconsumer queue, we still use openqa auth for this as it's
+ # easy that way
+ - role: rabbit/queue
+ username: "openqa"
+ queue_name: "relvalconsumer{{ relvalconsumer_env_suffix }}_scheduler"
+ routing_keys:
+ - "org.fedoraproject.prod.pungi.compose.status.change"
+ vars:
+ # yes, even the staging scheduler listens to production, it
+ # has to or else it wouldn't schedule any jobs
+ env: "production"
+ env_suffix: ""
+ tags: ['rabbit']
 # nfs client setup
 - role: nfs/client
 mnt_dir: '/var/lib/openqa/testresults'
diff --git a/roles/relvalconsumer/defaults/main.yml b/roles/relvalconsumer/defaults/main.yml
index f1da2069c3..c3e7b83e19 100644
--- a/roles/relvalconsumer/defaults/main.yml
+++ b/roles/relvalconsumer/defaults/main.yml
@@ -1 +1,9 @@
 relvalconsumer_prod: false
+relvalconsumer_amqp_passive: false
+relvalconsumer_amqp_url: "amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
+relvalconsumer_amqp_cacert: /etc/fedora-messaging/cacert.pem
+relvalconsumer_amqp_key: /etc/fedora-messaging/fedora-key.pem
+relvalconsumer_amqp_cert: /etc/fedora-messaging/fedora-cert.pem
+relvalconsumer_amqp_routing_keys: ["org.fedoraproject.prod.pungi.compose.status.change"]
+relvalconsumer_amqp_mailfrom: "root@{{ external_hostname }}"
+relvalconsumer_amqp_smtp: localhost
diff --git a/roles/relvalconsumer/tasks/main.yml b/roles/relvalconsumer/tasks/main.yml
index 097fe820cc..7ea77fe180 100644
--- a/roles/relvalconsumer/tasks/main.yml
+++ b/roles/relvalconsumer/tasks/main.yml
@@ -4,14 +4,66 @@ # # Required vars # - wikitcms_token -## string - a token file to install for unattended reporting to -# a wiki using openidc auth +## string - a token file to install for unattended wiki editing +# using openidc auth +# - relvalconsumer_amqp_queue +## string - Message queue name for the consumer. To use the +## fedora-messaging scheduler with public authentication +## on the Fedora production AMQP broker (which is what +## you'd typically want), you only need to set this. +## This should be a unique and private string; the +## official recommendation is to use a random UUID +## generated by uuidgen. # # Required vars with defaults # - relvalconsumer_prod ## bool - whether this is the production instance. **SHOULD ONLY ## EVER BE TRUE ON ONE SYSTEM IN THE WORLD** ## default - False +# - relvalconsumer_amqp_passive +## bool - If true, passive_declares will be set true in all the +## fedora-messaging consumer configuration files. This +## is needed for private authentication on the Fedora +## brokers. +## default - False +# - relvalconsumer_amqp_url +## string - AMQP broker URL for fedora-messaging job scheduler. +## The role default for this is the Fedora production +## broker with the shared 'fedora' username. +# - relvalconsumer_amqp_cacert +## string - CA certificate file to use for authenticating with +## AMQP broker for fedora-messaging job scheduler. +## The role default for this is the CA cert file for the +## Fedora production broker. +# - relvalconsumer_amqp_cert +## string - Certificate file to use for authenticating with AMQP +## broker for fedora-messaging job scheduler. The role +## default for this is the certificate file for the +## public 'fedora' account on the Fedora production +## broker. +# - relvalconsumer_amqp_key +## string - Private key file to use for authenticating with AMQP +## broker for fedora-messaging job scheduler. 
The role +## default for this is the key file for the public +## 'fedora' account on the Fedora production broker. +# - relvalconsumer_amqp_routing_keys +## list - List of routing key names for the fedora-messaging +## scheduler to subscribe to. The role default for this +## is the appropriate keys for the Fedora production +## broker. +# - relvalconsumer_amqp_mailfrom +## string - From email address for error report emails. Defaults +## to "root@{{ external_hostname }}". Only relevant if +## relvalconsumer_amqp_mailto is set. +# - relvalconsumer_amqp_smtp +## string - Hostname of SMTP server to use for sending error +## emails. Defaults to 'localhost'. Only relevant if +## relvalconsumer_amqp_mailto is set. +# +# Optional vars +# - relvalconsumer_amqp_mailto +## list - List of email addresses to email errors to. If set, +## the email log handler will be configured. # note: kept around for when we need packages from u-t #- name: Install required packages (testing) @@ -25,7 +77,7 @@ package: # 'relval' itself is needed as we call it directly for size # checking - name: ['python3-fedfind', 'python3-wikitcms', 'python3-fedmsg', + name: ['python3-fedfind', 'python3-wikitcms', 'fedora-messaging', 'python3-mwclient', 'python3-setuptools', 'relval'] state: present tags: @@ -37,12 +89,9 @@ tags: - packages -# next two duplicated with openqa/dispatcher, but I kinda don't want to -# move them up somewhere shared, I like the roles to be somewhat usable +# duplicated with openqa/dispatcher, but I kinda don't want to move +# this up somewhere shared, I like the roles to be somewhat usable # outside of Fedora infra... -- name: Create /etc/fedora (credentials files location) - file: path=/etc/fedora state=directory owner=root group=fedmsg mode=0750 - # We actually want to handle the case where wikitcms_token isn't defined # even though it makes this role essentially do nothing, as we don't # really want openqa-stg creating stuff in the staging wiki all the 
@@ -50,20 +99,11 @@ - name: Create /root/.openidc (token file location for manual runs as root) file: path=/root/.openidc state=directory owner=root group=root mode=0700 -- name: Create /usr/share/fedmsg/.openidc (token file location for fedmsg consumer runs) - file: path=/usr/share/fedmsg/.openidc state=directory owner=root group=fedmsg mode=0770 - #- name: Write wikitcms token file for root # copy: src={{ wikitcms_token }} dest=/root/.openidc/oidc_wikitcms.json owner=root group=root mode=0600 # when: "wikitcms_token is defined" # tags: # - config -# -#- name: Write wikitcms token file for fedmsg -# copy: src={{ wikitcms_token }} dest=/usr/share/fedmsg/.openidc/oidc_wikitcms.json owner=root group=fedmsg mode=0660 -# when: "wikitcms_token is defined" -# tags: -# - config - name: Check out relvalconsumer git: 
@@ -77,12 +117,58 @@ chdir: /root/relvalconsumer when: "gitrvc is changed" notify: - - restart fedmsg-hub + - restart relvalconsumer -- name: Enable fedmsg consumer - template: src=relvalconsumer.py.j2 dest=/etc/fedmsg.d/relvalconsumer.py owner=root group=root mode=0644 - when: "wikitcms_token is defined" +- name: Create /etc/pki/fedora-messaging + file: + dest: /etc/pki/fedora-messaging + mode: 0775 + owner: root + group: root + state: directory + when: "deployment_type is defined" + tags: + - config + +# We always use the openQA production cert and key here for now; we +# don't really need a separate identity for relvalconsumer. We don't +# use the staging identity as even staging relvalconsumer listens on +# the prod bus. +- name: Deploy the Fedora infra fedora-messaging cert (openQA production) + copy: + src: "{{ private }}/files/rabbitmq/production/pki/issued/openqa.crt" + dest: /etc/pki/fedora-messaging/openqa-cert.pem + mode: 0644 + owner: root + group: root + when: "deployment_type is defined" + tags: + - config + +- name: Deploy the Fedora infra fedora-messaging key + copy: + src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key" + dest: /etc/pki/fedora-messaging/openqa-key.pem + mode: 0600 + owner: root + group: root + when: "deployment_type is defined" + tags: + - config + +- name: Configure fedora-messaging relvalconsumer + template: src=relvalconsumer.toml.j2 dest=/etc/fedora-messaging/relvalconsumer.toml owner=root group=root mode=0640 + notify: + - restart relvalconsumer + tags: + - config + +- name: Wipe the old fedmsg consumer config file + file: path=/etc/fedmsg.d/relvalconsumer.py state=absent notify: - restart fedmsg-hub tags: - config + +- name: Enable and start fedora-messaging relvalconsumer + service: name=fm-consumer@relvalconsumer enabled=yes state=started 
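Review bot: The new `/etc/pki/fedora-messaging` directory is created with `mode: 0775`, which leaves the directory holding `openqa-key.pem` group-writable; nothing visible needs group write, so `mode: "0755"` is the tighter choice. The "Deploy the Fedora infra fedora-messaging key" task copies the production openQA key to every host where `deployment_type` is defined, staging included, and adding `diff: false` to it would keep the key material out of `--diff` output. The key is `0600 root:root` and the rendered config `0640 root:root`, so if the `fm-consumer@relvalconsumer` unit runs as a non-root user it presumably cannot read either file; that should be confirmed against the unit. Separately, "Wipe the old fedmsg consumer config file" still notifies `restart fedmsg-hub` although this commit stops installing `python3-fedmsg`, so that handler may fail on hosts where the service is absent.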
diff --git a/roles/relvalconsumer/templates/relvalconsumer.toml.j2 b/roles/relvalconsumer/templates/relvalconsumer.toml.j2
new file mode 100644
index 0000000000..821d0e80a3
--- /dev/null
+++ b/roles/relvalconsumer/templates/relvalconsumer.toml.j2
@@ -0,0 +1,113 @@
+# fedora-messaging consumer configuration file for relvalconsumer
+# (release validation event creator). See relvalconsumer main.yml
+# comments for details on the variables that must be set here.
+#
+# This file is in the TOML format.
+
+amqp_url = "{{ relvalconsumer_amqp_url }}"
+{% if relvalconsumer_amqp_passive|bool %}
+passive_declares = true
+{% endif %}
+callback = "relvalconsumer:RelvalConsumer"
+
+[tls]
+ca_cert = "{{ relvalconsumer_amqp_cacert }}"
+keyfile = "{{ relvalconsumer_amqp_key }}"
+certfile = "{{ relvalconsumer_amqp_cert }}"
+
+[client_properties]
+app = "Fedora release validation event creator (relvalconsumer)"
+app_url = "https://pagure.io/fedora-qa/relvalconsumer"
+app_contacts_email = ["adamwill@fedoraproject.org", "lruzicka@redhat.com", "qa-devel@lists.fedoraproject.org"]
+
+[exchanges."amq.topic"]
+type = "topic"
+durable = true
+auto_delete = false
+arguments = {}
+
+[queues."{{ relvalconsumer_amqp_queue }}"]
+durable = false
+auto_delete = true
+exclusive = true
+arguments = {}
+
+[[bindings]]
+queue = "{{ relvalconsumer_amqp_queue }}"
+exchange = "amq.topic"
+routing_keys = [{% for key in relvalconsumer_amqp_routing_keys %}"{{ key }}",{% endfor %}]
+# need this to receive messages from ZMQ->AMQP bridge
+[[bindings]]
+queue = "{{ relvalconsumer_amqp_queue }}"
+exchange = "zmq.topic"
+routing_keys = [{% for key in relvalconsumer_amqp_routing_keys %}"{{ key }}",{% endfor %}]
+
+[consumer_config]
+relval_prod = {{ relvalconsumer_prod }}
+
+[qos]
+prefetch_size = 0
+prefetch_count = 25
+
+[log_config]
+version = 1
+disable_existing_loggers = true
+
+[log_config.formatters.simple]
+format = "[%(levelname)s %(name)s] %(message)s"
+
+[log_config.handlers.console]
+class = "logging.StreamHandler"
+formatter = "simple"
+stream = "ext://sys.stdout"
+
+{% if relvalconsumer_amqp_mailto is defined %}
+[log_config.handlers.email]
+class = "logging.handlers.SMTPHandler"
+formatter = "simple"
+level = "ERROR"
+mailhost = "{{ relvalconsumer_amqp_smtp }}"
+fromaddr = "{{ relvalconsumer_amqp_mailfrom }}"
+toaddrs = [{% for key in relvalconsumer_amqp_mailto %}"{{ key }}",{% endfor %}]
+subject = "openQA scheduler error"
+{% endif %}
+
+[log_config.loggers.RelvalConsumer]
+level = "INFO"
+propagate = false
+{% if relvalconsumer_amqp_mailto is defined %}
+handlers = ["console", "email"]
+{% else %}
+handlers = ["console"]
+{% endif %}
+
+[log_config.loggers.fedora_messaging]
+level = "INFO"
+propagate = false
+{% if relvalconsumer_amqp_mailto is defined %}
+handlers = ["console", "email"]
+{% else %}
+handlers = ["console"]
+{% endif %}
+
+[log_config.loggers.twisted]
+level = "INFO"
+propagate = false
+{% if relvalconsumer_amqp_mailto is defined %}
+handlers = ["console", "email"]
+{% else %}
+handlers = ["console"]
+{% endif %}
+
+[log_config.loggers.pika]
+level = "WARNING"
+propagate = false
+handlers = ["console"]
+
+[log_config.root]
+level = "ERROR"
+{% if relvalconsumer_amqp_mailto is defined %}
+handlers = ["console", "email"]
+{% else %}
+handlers = ["console"]
+{% endif %}
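Review bot: `relval_prod = {{ relvalconsumer_prod }}` under `[consumer_config]` will render an Ansible boolean as `True` or `False`, and TOML accepts only lowercase `true`/`false`, so the rendered file may fail to parse; `relval_prod = {{ relvalconsumer_prod | bool | lower }}` avoids that. The `passive_declares` line near the top sidesteps the same problem by using an `{% if %}` block. Since this flag decides whether the consumer acts as the production instance, a comment above it saying so would help the next editor. String values such as `mailhost`, `fromaddr` and the routing keys are interpolated directly between quotes; rendering them with `{{ value | to_json }}` in place of `"{{ value }}"` would stop a stray quote or backslash in a variable from breaking or altering the config.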