bodhi: Deploy bodhi-4.0.0b0 to staging.

A lot of things have changed in Bodhi 4.0.0, so I'm sure this
commit isn't quite correct (too bad we can't easily test Ansible
code before committing!)

This adjusts the playbook to switch staging to Bodhi 4.0.0, which
includes switching to fedora-messaging and a new logging config
(Bodhi can now send rate-limited error e-mails!)

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
Randy Barlow 2019-05-09 21:44:44 +00:00
parent 82cb3bbf18
commit b3a4f6fa2f
9 changed files with 309 additions and 23 deletions


@ -27,24 +27,33 @@
secret_name: bodhi-keytab secret_name: bodhi-keytab
service: bodhi service: bodhi
host: "bodhi{{ env_suffix }}.fedoraproject.org" host: "bodhi{{ env_suffix }}.fedoraproject.org"
# When we deploy Bodhi 4.0.0 to production, we can drop the env staging statements on the
# fedora-messaging items below.
- role: openshift/secret-file - role: openshift/secret-file
app: bodhi app: bodhi
secret_name: bodhi-fedmsg-key secret_name: bodhi-fedora-messaging-ca
key: fedmsg-bodhi.key key: cacert.pem
privatefile: fedmsg-certs/keys/bodhi-bodhi01.stg.phx2.fedoraproject.org.key privatefile: "rabbitmq/{{env}}/pki/ca.crt"
when: env == "staging" when: env == "staging"
- role: openshift/secret-file
app: bodhi
secret_name: bodhi-fedora-messaging-crt
key: bodhi-cert.pem
privatefile: "rabbitmq/{{env}}/pki/issued/<app>.crt"
when: env == "staging"
- role: openshift/secret-file
app: bodhi
secret_name: bodhi-fedora-messaging-key
key: bodhi-key.pem
privatefile: "rabbitmq/{{env}}/pki/private/bodhi.key"
when: env == "staging"
# When we deploy Bodhi 4.0.0 to production, we can drop these fedmsg secrets.
- role: openshift/secret-file - role: openshift/secret-file
app: bodhi app: bodhi
secret_name: bodhi-fedmsg-key secret_name: bodhi-fedmsg-key
key: fedmsg-bodhi.key key: fedmsg-bodhi.key
privatefile: fedmsg-certs/keys/bodhi-bodhi-web-temp-bodhi.app.os.fedoraproject.org.key privatefile: fedmsg-certs/keys/bodhi-bodhi-web-temp-bodhi.app.os.fedoraproject.org.key
when: env != "staging" when: env != "staging"
- role: openshift/secret-file
app: bodhi
secret_name: bodhi-fedmsg-crt
key: fedmsg-bodhi.crt
privatefile: fedmsg-certs/keys/bodhi-bodhi01.stg.phx2.fedoraproject.org.crt
when: env == "staging"
- role: openshift/secret-file - role: openshift/secret-file
app: bodhi app: bodhi
secret_name: bodhi-fedmsg-crt secret_name: bodhi-fedmsg-crt
@ -58,14 +67,14 @@
app: bodhi app: bodhi
template: buildconfig.yml template: buildconfig.yml
objectname: buildconfig.yml objectname: buildconfig.yml
bodhi_version: 3.14.0-1.fc29.infra bodhi_version: 4.0.0-0.0.beta.fc29.infra
when: env == "staging" when: env == "staging"
- role: openshift/object - role: openshift/object
app: bodhi app: bodhi
template: buildconfig.yml template: buildconfig.yml
objectname: buildconfig.yml objectname: buildconfig.yml
bodhi_version: 3.14.0-1.fc29.infra bodhi_version: 3.14.0-1.fc29.infra
when: env != "staging" when: env == "production"
- role: openshift/start-build - role: openshift/start-build
app: bodhi app: bodhi
buildname: bodhi-web buildname: bodhi-web
@ -94,7 +103,7 @@
post_tasks: post_tasks:
- name: Scale up pods - name: Scale up pods
command: oc -n bodhi scale dc/bodhi-web --replicas={{ hostvars[groups['bodhi2'][0]]['openshift_pods'] }} command: oc -n bodhi scale dc/bodhi-web --replicas={{ hostvars[groups['bodhi2'][0]]['openshift_pods'] }}
when: env != "staging" when: env == "production"
- name: Scale up pods - name: Scale up pods
command: oc -n bodhi scale dc/bodhi-web --replicas={{ hostvars[groups['bodhi2-stg'][0]]['openshift_pods'] }} command: oc -n bodhi scale dc/bodhi-web --replicas={{ hostvars[groups['bodhi2-stg'][0]]['openshift_pods'] }}
when: env == "staging" when: env == "staging"
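Review bot: The new `bodhi-fedora-messaging-crt` secret reads `privatefile: "rabbitmq/{{env}}/pki/issued/<app>.crt"`, which still contains a literal `<app>` placeholder, while the matching key entry uses `pki/private/bodhi.key`. Unless a file with that literal name exists in the private repository, the role will either fail to find the certificate or load one that does not pair with the key. It probably should read `privatefile: "rabbitmq/{{env}}/pki/issued/bodhi.crt"`; confirm the issued certificate's file name before deploying.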


@ -1,6 +1,6 @@
--- ---
# tasklist for setting up bodhi/masher (requires bodhi/base) # tasklist for setting up bodhi/composer (requires bodhi/base)
# This is the base set of files needed for bodhi/masher # This is the base set of files needed for bodhi/composer
- name: add ftpsync group - name: add ftpsync group
group: name=ftpsync gid=263 system=yes state=present group: name=ftpsync gid=263 system=yes state=present
@ -185,6 +185,7 @@
- bodhi - bodhi
- cron - cron
# This task can be dropped once Bodhi 4.0.0 is deployed to production.
- name: Install bodhi-dequeue-stable cron job that moves updates from batched to stable - name: Install bodhi-dequeue-stable cron job that moves updates from batched to stable
cron: cron:
name: "bodhi-dequeue-stable" name: "bodhi-dequeue-stable"
@ -193,7 +194,7 @@
weekday: "*" weekday: "*"
job: "/usr/bin/bodhi-dequeue-stable && touch /var/lib/bodhi/dequeue-stable" job: "/usr/bin/bodhi-dequeue-stable && touch /var/lib/bodhi/dequeue-stable"
user: "apache" user: "apache"
when: inventory_hostname.startswith('bodhi-backend01.phx2') when: inventory_hostname.startswith('bodhi-backend01.phx2') and env == "production"
tags: tags:
- bodhi - bodhi
- cron - cron
@ -324,7 +325,21 @@
- bodhi - bodhi
- cron - cron
- name: setup basic /etc/bodhi/ contents - name: Install logging.yaml
template: >
src="{{ roles_path }}/bodhi2/base/templates/logging.yaml"
dest="/etc/bodhi/logging.yaml"
owner=apache
group=apache
mode=0600
when: inventory_hostname.startswith('bodhi-backend')
notify:
- reload bodhi httpd
tags:
- config
- bodhi
- name: Install production.ini
template: > template: >
src="{{ roles_path }}/bodhi2/base/templates/production.ini.j2" src="{{ roles_path }}/bodhi2/base/templates/production.ini.j2"
dest="/etc/bodhi/production.ini" dest="/etc/bodhi/production.ini"
@ -338,6 +353,19 @@
- config - config
- bodhi - bodhi
# Remove the env == "staging" condition when we deploy Bodhi 4.0.0 to production.
- name: Install fedora-messaging config
template: >
src="{{ roles_path }}/bodhi2/base/templates/fedora-messaging.toml.j2"
dest="/etc/fedora-messaging/config.toml"
owner=apache
group=apache
mode=0600
when: inventory_hostname.startswith('bodhi-backend') and env == "staging"
tags:
- config
- bodhi
- name: make a mnt/koji link - name: make a mnt/koji link
file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
tags: tags:
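Review bot: The `Install fedora-messaging config` task puts `/etc/fedora-messaging/config.toml` on the bodhi-backend hosts, but no task in the visible hunks installs the CA certificate, client certificate and key that the template's `[tls]` section points at. The `openshift/secret-file` entries in the playbook appear to cover only the OpenShift pods. If another role does not already place those files on the backends, add tasks that copy them with `owner=apache` and `mode=0600`, as is done for the config itself. The task also has no `notify:`, unlike `Install logging.yaml`, so a changed config is presumably not picked up until the consumer is restarted by hand.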


@ -28,6 +28,7 @@
- config - config
- bodhi - bodhi
# When Bodhi 4.0.0 is deployed to production, we should drop this.
- name: Copy some fedmsg configuration of our own for fedmsg-hub-3 - name: Copy some fedmsg configuration of our own for fedmsg-hub-3
template: > template: >
src={{item}} src={{item}}
@ -42,6 +43,7 @@
- masher.py - masher.py
- updates_handler.py - updates_handler.py
- signed_handler.py - signed_handler.py
when: env == 'production'
notify: notify:
- restart fedmsg-hub-3 - restart fedmsg-hub-3
tags: tags:


@ -1,3 +1,4 @@
{%- macro load_file(filename) %} {% include filename %}{%- endmacro -%}
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -105,9 +106,26 @@ data:
WSGIRestrictSignal Off WSGIRestrictSignal Off
WSGIPythonOptimize 1 WSGIPythonOptimize 1
WSGIScriptAlias / /usr/share/bodhi/bodhi.wsgi WSGIScriptAlias / /usr/share/bodhi/bodhi.wsgi
logging.yaml: |-
{{ load_file('logging.yaml') | indent }}
production.ini: |- production.ini: |-
{%- macro production_ini() %} {% include "production.ini.j2" %}{%- endmacro -%} {{ load_file('production.ini.j2') | indent }}
{{ production_ini() | indent() }} # We can remove this if statement once we deploy Bodhi 4.0.0 to production.
{% if env == "staging" %}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: fedora-messaging-configmap
labels:
app: bodhi
data:
fedora-messaging.toml: |-
config.toml: |-
{{ load_file('fedora-messaging.toml.j2') | indent }}
{% endif %}
# We can drop the next ConfigMap once Bodhi 4.0.0 is deployed to production.
{% if env == "production" %}
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -136,3 +154,4 @@ data:
'environment': 'prod', 'environment': 'prod',
{% endif %} {% endif %}
} }
{% endif %}
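Review bot: In the new `fedora-messaging-configmap`, `data:` carries two keys back to back, `fedora-messaging.toml: |-` and `config.toml: |-`, and only the second has a body. Indentation is lost on this page, but as written the first key looks like a leftover that renders as an empty `fedora-messaging.toml` entry, or breaks the block scalar, depending on the indent. The TLS paths in the TOML template and the backend task both assume `/etc/fedora-messaging/config.toml`, so I would drop the `fedora-messaging.toml: |-` line and keep only `config.toml`.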


@ -0,0 +1,107 @@
amqp_url = "amqps://bodhi{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
{% if env == "staging" %}
topic_prefix = "org.fedoraproject.stg"
{% else %}
topic_prefix = "org.fedoraproject.prod"
{% endif %}
publish_exchange = "amq.topic"
passive_declares = false
callback = "bodhi.server.consumers:messaging_callback"
[tls]
ca_cert = "/etc/fedora-messaging/cacert.pem"
keyfile = "/etc/fedora-messaging/bodhi-key.pem"
certfile = "/etc/fedora-messaging/bodhi-cert.pem"
[client_properties]
app = "bodhi"
[queues."bodhi{{ env_suffix }}"]
durable = true
auto_delete = false
exclusive = false
arguments = {}
[[bindings]]
queue = "bodhi{{ env_suffix }}"
exchange = "amq.topic"
routing_keys = [
"org.fedoraproject.*.bodhi.composer.start",
"org.fedoraproject.*.bodhi.update.request.testing",
"org.fedoraproject.*.buildsys.tag",
]
[log_config]
version = 1
disable_existing_loggers = true
[log_config.filters.rate_limit]
() = bodhi.server.logging.RateLimiter
rate = 3600
[log_config.formatters.simple]
format = "[%(levelname)s %(name)s] %(message)s"
[log_config.handlers.console]
class = "logging.StreamHandler"
formatter = "simple"
stream = "ext://sys.stdout"
[log_config.handlers.email]
class = "logging.handlers.SMTPHandler"
formatter = "simple"
level = "ERROR"
filters = ["rate_limit"]
mailhost = "bastion"
{% if env == "staging" %}
fromaddr = "updates@stg.fedoraproject.org"
{% else %}
fromaddr = "updates@fedoraproject.org"
{% endif %}
toaddrs = ["bodhiadmin-members@fedoraproject.org"]
subject = "Bodhi error"
[log_config.loggers.bodhi]
level = "INFO"
propagate = false
handlers = ["console", "email"]
[log_config.loggers.fedora_messaging]
level = "INFO"
propagate = false
handlers = ["console", "email"]
# Twisted is the asynchronous framework that manages the TCP/TLS connection, as well
# as the consumer event loop. When debugging you may want to lower this log level.
[log_config.loggers.twisted]
level = "INFO"
propagate = false
handlers = ["console", "email"]
# Pika is the underlying AMQP client library. When debugging you may want to
# lower this log level.
[log_config.loggers.pika]
level = "WARNING"
propagate = false
handlers = ["console", "email"]
[log_config.root]
level = "ERROR"
handlers = ["console", "email"]
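Review bot: `() = bodhi.server.logging.RateLimiter` under `[log_config.filters.rate_limit]` is not valid TOML: a bare key may only contain letters, digits, `_` and `-`, and the value is an unquoted string. The whole file therefore fails to parse and the consumer cannot load its configuration. Write it as `"()" = "bodhi.server.logging.RateLimiter"`. Separately, `amqp_url` has an empty password after `bodhi{{ env_suffix }}:`, which is fine if the broker authenticates by client certificate only; a one-line comment saying so would stop someone from adding a password to this template later.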


@ -0,0 +1,40 @@
---
version: 1
formatters:
generic:
format: '%(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s'
filters:
rate_limit:
(): bodhi.server.logging.RateLimiter
rate: 3600
handlers:
console:
class: StreamHandler
level: NOTSET
formatter: generic
smtp:
class: logging.handlers.SMTPHandler
level: ERROR
formatter: generic
filters: [rate_limit]
mailhost: "bastion"
{% if env == "production" %}
fromaddr: "updates@fedoraproject.org"
{% else %}
fromaddr: "updates@stg.fedoraproject.org"
{% endif %}
toaddrs:
- "bodhiadmin-members@fedoraproject.org"
subject: "Bodhi error"
loggers:
bodhi:
level: INFO
handlers: [console, smtp]
propagate: 0
root:
level: INFO
handlers: [console, smtp]
root:
level: NOTSET
handlers: []
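Review bot: The `console` handler uses `class: StreamHandler`, while the `smtp` handler in the same file uses the fully qualified `logging.handlers.SMTPHandler`. If this file is loaded through `logging.config.dictConfig` (which I would expect from pyramid_sawing, though that is not visible here), the class is resolved as a dotted import path and the bare name fails; it should be `class: logging.StreamHandler`. `root:` also appears twice near the end. Indentation is lost on this page, so please check that one is the `root` entry under `loggers:` and the other the top-level root logger, not duplicate keys at one level.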


@ -37,14 +37,17 @@ filter-with = proxy-prefix
# Set this to true if you want to do federated dns libravatar lookup # Set this to true if you want to do federated dns libravatar lookup
# libravatar_dns = False # libravatar_dns = False
# If libravatar_dns is True, prefer_ssl will define what gets handed to # If libravatar_dns is True, libravatar_prefer_tls will define what gets handed to
# libravatar.libravatar_url()'s https setting. It may be set to True or False, but defaults to None, # libravatar.libravatar_url()'s https setting. Defaults to True.
# which is effectively False. # libravatar_prefer_tls =
# prefer_ssl =
# We can remove this block once Bodhi 4.0.0 is deployed to production.
{% if env != "staging" %}
# Set this to True in order to send fedmsg messages. # Set this to True in order to send fedmsg messages.
# fedmsg_enabled = False # fedmsg_enabled = False
fedmsg_enabled = True fedmsg_enabled = True
{% endif %}
## ##
### Legal ### Legal
@ -142,8 +145,22 @@ message_id_email_domain = admin{{env_suffix}}.fedoraproject.org
## ##
## Masher settings ## Masher settings
## ##
# We can remove this block once Bodhi 4.0.0 is deployed to production.
{% if env != "staging" %}
releng_fedmsg_certname = shell-bodhi-backend01{{env_suffix}}.phx2.fedoraproject.org releng_fedmsg_certname = shell-bodhi-backend01{{env_suffix}}.phx2.fedoraproject.org
{% endif %}
# We can remove this if/else once Bodhi 4.0.0 is deployed to production.
{% if env == "staging" %}
# Where to initially mash repositories. You can use %(here)s to reference the location of this file.
# compose_dir =
{% if inventory_hostname.startswith('bodhi-backend') %}
compose_dir = /mnt/koji/compose/updates/
{% else %}
# do not use on frontends as bodhi will check the mount and refuse to run without it.
# compose_dir = /mnt/koji/compose/updates/
{% endif %}
{% else %}
# Where to initially mash repositories. You can use %(here)s to reference the location of this file. # Where to initially mash repositories. You can use %(here)s to reference the location of this file.
# mash_dir = # mash_dir =
{% if inventory_hostname.startswith('bodhi-backend') %} {% if inventory_hostname.startswith('bodhi-backend') %}
@ -152,14 +169,34 @@ mash_dir = /mnt/koji/compose/updates/
# do not use on frontends as bodhi will check the mount and refuse to run without it. # do not use on frontends as bodhi will check the mount and refuse to run without it.
#mash_dir = /mnt/koji/compose/updates/ #mash_dir = /mnt/koji/compose/updates/
{% endif %} {% endif %}
{% endif %}
# We can remove this if/else once Bodhi 4.0.0 is deployed to production.
{% if env == "staging" %}
# The max number of composer threads running at the same time
# max_concurrent_composes = 2
max_concurrent_composes = 3
{% else %}
# The max number of mash threads running at the same time # The max number of mash threads running at the same time
# max_concurrent_mashes = 2 # max_concurrent_mashes = 2
max_concurrent_mashes = 3 max_concurrent_mashes = 3
{% endif %}
# Whether to clean old composes at the end of each run. # Whether to clean old composes at the end of each run.
clean_old_composes = false clean_old_composes = false
# We can remove this if/else once Bodhi 4.0.0 is deployed to production.
{% if env == "staging" %}
# Where to symlink the latest repos by their tag name. You can use %(here)s to reference the
# location of this file.
# compose_stage_dir =
{% if inventory_hostname.startswith('bodhi-backend') %}
compose_stage_dir = /mnt/koji/compose/updates/
{% else %}
# do not use on frontends as bodhi will check the mount and refuse to run without it.
# compose_stage_dir = /mnt/koji/compose/updates/
{% endif %}
{% else %}
# Where to symlink the latest repos by their tag name. You can use %(here)s to reference the # Where to symlink the latest repos by their tag name. You can use %(here)s to reference the
# location of this file. # location of this file.
# mash_stage_dir = # mash_stage_dir =
@ -169,6 +206,7 @@ mash_stage_dir = /mnt/koji/compose/updates/
# do not use on frontends as bodhi will check the mount and refuse to run without it. # do not use on frontends as bodhi will check the mount and refuse to run without it.
#mash_stage_dir = /mnt/koji/compose/updates/ #mash_stage_dir = /mnt/koji/compose/updates/
{% endif %} {% endif %}
{% endif %}
# The following jinja2 template variables are available for use to customize the Pungi configs and # The following jinja2 template variables are available for use to customize the Pungi configs and
# variants files to the Release and Updates: # variants files to the Release and Updates:
@ -679,6 +717,13 @@ pyramid.debug_notfound = false
pyramid.debug_routematch = false pyramid.debug_routematch = false
pyramid.default_locale_name = en pyramid.default_locale_name = en
# We should drop this if statement once we deploy Bodhi 4.0.0 to production.
{% if env == "staging" %}
pyramid.includes =
pyramid_sawing
pyramid_sawing.file = /etc/bodhi/logging.yaml
{% endif %}
debugtoolbar.hosts = 127.0.0.1 ::1 debugtoolbar.hosts = 127.0.0.1 ::1
## ##
@ -750,6 +795,9 @@ port = 6543
m = bodhi.server.models m = bodhi.server.models
#db = bodhi.server.util.pshell_db #db = bodhi.server.util.pshell_db
# We should remove the logging here once Bodhi 4.0.0 is deployed to production - it is configured in
# /etc/bodhi/logging.yaml instead.
{% if env == "production" %}
# Begin logging configuration # Begin logging configuration
[loggers] [loggers]
@ -788,3 +836,4 @@ formatter = generic
format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s
# End logging configuration # End logging configuration
{% endif %}
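Review bot: The version gates in this template are written in different ways: the fedmsg blocks use `{% if env != "staging" %}`, the logging block at the end uses `{% if env == "production" %}`, and the compose settings use `{% if env == "staging" %}` with an `{% else %}`. The playbook in this commit moved from `env != "staging"` to `env == "production"`, so I would use one form here too, e.g. `{% if env == "production" %}` for everything that goes away with Bodhi 4.0.0. With the mixed forms, any other `env` value renders the fedmsg settings but neither the old logging section nor the `pyramid_sawing` include, leaving the application without a logging configuration.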


@ -21,7 +21,7 @@ items:
{% endif %} {% endif %}
# While dnf has a --nodocs, it doesen't have a --docs... # While dnf has a --nodocs, it doesen't have a --docs...
RUN sed -i '/nodocs/d' /etc/dnf/dnf.conf RUN sed -i '/nodocs/d' /etc/dnf/dnf.conf
RUN dnf install -y bodhi-server-{{bodhi_version}} bodhi-docs-{{bodhi_version}} RUN dnf install -y bodhi-server-{{bodhi_version}} bodhi-docs-{{bodhi_version}} python3-pyramid_sawing
# Put the fedmsg config in place # Put the fedmsg config in place
RUN rm -f /etc/fedmsg.d/bodhi.py && \ RUN rm -f /etc/fedmsg.d/bodhi.py && \
# Let's name it starting with zz so it sorts last. # Let's name it starting with zz so it sorts last.


@ -49,6 +49,8 @@ items:
readOnly: true readOnly: true
- name: httpdir-volume - name: httpdir-volume
mountPath: /httpdir mountPath: /httpdir
# We can remove this if/else once we deploy Bodhi 4.0.0 to production.
{% if env == "production" %}
- name: fedmsg-config-volume - name: fedmsg-config-volume
mountPath: /etc/bodhi-fedmsg.d mountPath: /etc/bodhi-fedmsg.d
readOnly: true readOnly: true
@ -58,6 +60,20 @@ items:
- name: fedmsg-crt-volume - name: fedmsg-crt-volume
mountPath: /etc/pki/fedmsg/crt mountPath: /etc/pki/fedmsg/crt
readOnly: true readOnly: true
{% else %}
- name: fedora-messaging-config-volume
mountPath: /etc/fedora-messaging
readOnly: true
- name: fedora-messaging-ca-volume
mountPath: /etc/fedora-messaging/cacert.pem
readOnly: true
- name: fedora-messaging-crt-volume
mountPath: /etc/fedora-messaging/bodhi-cert.pem
readOnly: true
- name: fedora-messaging-key-volume
mountPath: /etc/fedora-messaging/bodhi-key.pem
readOnly: true
{% endif %}
readinessProbe: readinessProbe:
timeoutSeconds: 10 timeoutSeconds: 10
initialDelaySeconds: 5 initialDelaySeconds: 5
@ -79,6 +95,21 @@ items:
secretName: bodhi-keytab secretName: bodhi-keytab
- name: httpdir-volume - name: httpdir-volume
emptyDir: {} emptyDir: {}
# We can remove this if/else once we deploy Bodhi 4.0.0 to production.
{% if env == "staging" %}
- name: fedora-messaging-config-volume
configMap:
name: fedora-messaging-configmap
- name: fedora-messaging-ca-volume
secret:
secretName: bodhi-fedora-messaging-ca
- name: fedora-messaging-crt-volume
secret:
secretName: bodhi-fedora-messaging-crt
- name: fedora-messaging-key-volume
secret:
secretName: bodhi-fedora-messaging-key
{% else %}
- name: fedmsg-config-volume - name: fedmsg-config-volume
configMap: configMap:
name: fedmsg-configmap name: fedmsg-configmap
@ -88,6 +119,7 @@ items:
- name: fedmsg-crt-volume - name: fedmsg-crt-volume
secret: secret:
secretName: bodhi-fedmsg-crt secretName: bodhi-fedmsg-crt
{% endif %}
triggers: triggers:
- imageChangeParams: - imageChangeParams:
automatic: true automatic: true
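Review bot: The three secret mounts use a file path as `mountPath` (`/etc/fedora-messaging/cacert.pem`, `bodhi-cert.pem`, `bodhi-key.pem`) without `subPath`, so each secret volume is mounted as a directory of that name and the file lands at e.g. `/etc/fedora-messaging/cacert.pem/cacert.pem`. The `[tls]` paths in the fedora-messaging template would then point at directories and the TLS setup fails. Add `subPath: cacert.pem`, `subPath: bodhi-cert.pem` and `subPath: bodhi-key.pem` to the respective mounts, or mount the secrets under their own directory and adjust the TOML paths. The mounts are also gated on `env == "production"` with the new ones in the `{% else %}`, while the volumes are gated on `env == "staging"`; use the same test in both so a pod never mounts a volume it does not define.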