bodhi: Major cruft cleanup.

I worked with nirik, mizdebsk, and puiterwijk to clean up Bodhi's
roles and playbooks to remove lots of old crufty things, and this
is what we came up with.

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
Randy Barlow 2019-05-30 21:45:21 +00:00
parent b65e1f9116
commit db786b6797
8 changed files with 21 additions and 314 deletions

@ -28,7 +28,6 @@
- nagios_client
- collectd/base
- hosts
- builder_repo
- fas_client
- sudo
- rkhunter
@ -48,21 +47,15 @@
nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/'
- bodhi2/backend
- role: collectd/fedmsg-service
process: fedmsg-hub
user: masher
- role: keytab/service
owner_user: apache
owner_group: apache
extra_acl_user: fedmsg
service: bodhi
host: "bodhi.fedoraproject.org"
when: env == "production"
- role: keytab/service
owner_user: apache
owner_group: apache
extra_acl_user: fedmsg
service: bodhi
host: "bodhi.stg.fedoraproject.org"
when: env == "staging"

@ -1,4 +1,4 @@
- name: check to see if a mash is going on before we do anything...
- name: check to see if a compose is going on before we do anything...
hosts: bodhi_backend:bodhi_backend_stg
user: root
vars_files:
@ -8,11 +8,11 @@
tasks:
- include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
- name: Check for the existance of a mashing lock.
- name: Check for running composes
shell: "curl https://bodhi{{env_suffix}}.fedoraproject.org/composes/"
register: composes
- name: Fail if we found that a mash was in progress
- name: Fail if we found that a compose was in progress
fail:
msg: "There are composes in progress."
any_errors_fatal: true
@ -29,18 +29,13 @@
- import_tasks: "{{ handlers_path }}/restart_services.yml"
tasks:
- name: clean all metadata {%if testing%}(with infrastructure-testing on){%endif%}
command: dnf clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%}
check_mode: no
- name: dnf update bodhi-server packages from main repo
dnf: name="{{ item }}" state=latest
dnf: name="{{ item }}" state=latest update_cache=true
with_items:
- bodhi-docs
- bodhi-server
- name: dnf update bodhi-server packages from testing repo
dnf: name="{{ item }}" state=latest enablerepo=infrastructure-tags-stg
dnf: name="{{ item }}" state=latest enablerepo=infrastructure-tags-stg update_cache=true
with_items:
- bodhi-docs
- bodhi-server
when: testing
@ -110,7 +105,6 @@
command: /usr/bin/alembic-3 -c /etc/bodhi/alembic.ini upgrade head
args:
chdir: /usr/share/bodhi/
when: inventory_hostname.startswith(('bodhi-backend01.phx2', 'bodhi-backend01.stg.phx2'))
- name: Start the fedora-messaging backend
service:
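Review bot: The compose guard in the `Check for running composes` task can fail open, because `shell: "curl https://bodhi{{env_suffix}}.fedoraproject.org/composes/"` runs curl without `--fail` or a timeout, so an HTTP error page or an empty body is registered in `composes` with rc 0 just like a real answer. The `when:` condition on the following `fail` task is outside the visible lines, so I cannot confirm from here that unexpected output is treated as "compose in progress"; it should be. I would change the task to `command: curl --fail --silent --show-error --max-time 30 https://bodhi{{env_suffix}}.fedoraproject.org/composes/` (no shell features are used), or use the `uri` module with `return_content: yes`. Either way a failed request then stops the upgrade instead of letting it proceed over a running compose.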

@ -1,3 +0,0 @@
[Service]
User=apache
Group=apache

@ -1,9 +0,0 @@
[koji]
;client certificate
cert = /etc/pki/pkgdb/pkgdb.pem
;certificate of the CA that issued the client certificate
ca = /etc/pki/pkgdb/fedora-server-ca.cert
;certificate of the CA that issued the HTTP server certificate
serverca = /etc/pki/pkgdb/fedora-server-ca.cert

@ -2,87 +2,39 @@
# tasklist for setting up bodhi/composer (requires bodhi/base)
# This is the base set of files needed for bodhi/composer
# The ftpsync group and user are needed to sync the files to the master mirror
- name: add ftpsync group
group: name=ftpsync gid=263 system=yes state=present
tags:
- bodhi
- name: add ftpsync user
user: name=ftpsync uid=263 group=ftpsync createhome=yes system=yes state=present
tags:
- bodhi
- name: install needed packages
package: name={{ item }} state=present
with_items:
- bodhi-composer
- python3-pyramid_sawing
- sigul
- fedora-repo-zdicts
# Are these still needed?
- compose-utils
- pungi-utils
- python-scandir
- python2-fedfind
- python2-fedmsg-meta-fedora-infrastructure
- python2-koji-cli-plugins
- python2-pdc-client
- python2-productmd
package:
name:
- bodhi-composer
- python3-pyramid_sawing
- sigul
# This is used to generate zchunk data more efficiently
- fedora-repo-zdicts
# The new-updates-sync script uses this
- ostree
- pungi-utils
# Needed for runroot
- python2-koji-cli-plugins
state: present
tags:
- packages
- bodhi
- name: install python3-ccolutils on fedora bodhi backends
package: name=python3-cccolutils state=present
tags:
- packages
- bodhi
- name: install bodhi-composer
package: name=bodhi-composer state=present
tags:
- packages
- bodhi
- name: install ostree
package: name=ostree state=present
tags:
- packages
- bodhi
- name: add masher group
group: name=masher gid=751 system=yes state=present
tags:
- bodhi
# masher user 751
- name: add masher user as 751 - and group
user: name=masher uid=751 group=masher home=/home/masher groups=mock,ftpsync,bodhi
tags:
- bodhi
- name: add apache user to the masher group so it can talk to the monitoring socket
user: name=apache groups=mock,ftpsync,masher append=yes
tags:
- bodhi
- name: add nrpe to the apache group so it can talk to the monitoring socket
user: name=nrpe groups=apache append=yes
tags:
- fedmsgmonitor
- nagios_client
- name: install bodhi.pem file
copy: >
src="{{ private }}/files/bodhi_key_and_cert.pem"
dest="/etc/pki/bodhi/bodhi.pem"
owner=apache
group=apache
mode=0400
tags:
- config
- bodhi
- name: Put pungi configurations in place
template: src="{{item}}" dest=/etc/bodhi/{{item}}
with_items:
@ -95,29 +47,6 @@
- bodhi/pungi
- config
- name: setup /etc/bodhi/mash.conf file...
template: >
src=mash.conf
dest=/etc/bodhi/mash.conf
owner=apache
group=apache
mode=0640
tags:
- config
- bodhi
when: env == "production"
# tasks for setting up epelmasher
- name: install needed packages
package: name={{ item }} state=present
with_items:
- repoview
tags:
- packages
- bodhi
when: env == "production"
#
# koji ssl cert for owner sync jobs below
#
@ -131,26 +60,6 @@
- bodhi
- cron
- name: remove all old koji-sync cronjobs
file:
path: /etc/cron.d/{{item}}
state: absent
with_items:
- update-koji-owner-EL-6
- update-koji-owner-EL-6
- update-koji-owner-epel7
- update-koji-owner-fedora
- update-koji-owner-fedora-container
- update-koji-owner-modules
tags:
- bodhi
- cron
- name: have fedmsg own /usr/share/fedmsg, so it can write the CRL there.
file: path=/usr/share/fedmsg state=directory owner=fedmsg group=fedmsg
tags:
- bodhi
- name: sync packages from pagure-on-dist-git to koji (all branches)
# XXX If you modify this taglist. Please also modify the other copy in
# bodhi2/backend/files/koji-sync-listener.py
@ -163,17 +72,6 @@
- bodhi
- cron
- name: Ensure that /var/lib/bodhi exists
file:
path: /var/lib/bodhi
state: directory
mode: 0755
owner: apache
group: apache
tags:
- bodhi
- cron
- name: put the koji sync listener script in place
copy:
src: koji-sync-listener.py
@ -226,6 +124,7 @@
- bodhi
- cron
# These next two are used by quick-fedora-mirror
- name: put update-fullfiletimelist in place
copy: src="{{ files }}/scripts/update-fullfiletimelist" dest=/usr/local/bin/update-fullfiletimelist mode=0755
when: env == "production"
@ -233,7 +132,6 @@
- config
- bodhi
- cron
- name: add create-filelist script from quick-fedora-mirror
copy: src="{{ files }}/scripts/create-filelist" dest=/usr/local/bin/create-filelist mode=0755
when: env == "production"
@ -258,6 +156,7 @@
- bodhi
- cron
# This generates https://dl.fedoraproject.org/pub/DIRECTORY_SIZES.txt
- name: directory sizes update cron job.
cron: name="directory-sizes-update" minute="30" hour="19" user="ftpsync"
job="/usr/bin/find /pub/alt/ /pub/archive/ /pub/fedora-secondary/ /pub/fedora/ /pub/epel/ -type d ! -path '/pub/alt/screenshots/f21/source' | grep -v snapshot | /usr/bin/xargs -n 1 /usr/bin/du --exclude=.snapshot -sh > /tmp/DIRECTORY_SIZES.txt 2> /dev/null; cp /tmp/DIRECTORY_SIZES.txt /pub/"
@ -352,15 +251,6 @@
- bodhi
- config
- name: have the apache own /var/cache/bodhi because of course..
file: >
path="/var/cache/bodhi"
owner=apache
group=apache
tags:
- config
- bodhi
- name: ensure apache is disabled on the backend
service: name=httpd enabled=no state=stopped
tags:
@ -415,41 +305,3 @@
template: src=kojiprofile.conf dest=/etc/koji.conf.d/bodhi.conf
tags:
- bodhi
- name: Install dist-repo-regen.py
copy:
src: dist-repo-regen.py
dest: /usr/local/bin/dist-repo-regen.py
mode: 0755
owner: apache
group: apache
when: inventory_hostname.startswith('bodhi-backend01.stg')
tags:
- bodhi
- tag2distrepo
- name: Install cron job to regenerate dist repos regularly
cron:
cron_file: dist-repo-regen
name: dist-repo-regen
job: /usr/local/bin/dist-repo-regen.py
user: apache
minute: 42
when: inventory_hostname.startswith('bodhi-backend01.stg')
tags:
- bodhi
- cron
- tag2distrepo
- name: Redirect debugging output from dist-repo-regen cron to mizdebsk
cron:
cron_file: dist-repo-regen
name: MAILTO
value: mizdebsk
env: yes
user: apache
when: inventory_hostname.startswith('bodhi-backend01.stg')
tags:
- bodhi
- cron
- tag2distrepo
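Review bot: The `directory-sizes-update` cron job, which this commit now documents as generating the public DIRECTORY_SIZES.txt, stages its output at the fixed path `/tmp/DIRECTORY_SIZES.txt` and then copies it to `/pub/` unconditionally. A fixed name in a world-writable directory can be pre-created by any other local account on the host, and the `;` before `cp` means a failed `du` run still replaces the published file. I would stage the file in a directory that only `ftpsync` can write to (or one created with `mktemp -d`) and join the two steps with `&&` instead of `;`. The job definition itself is unchanged context in this hunk, so this could also go in a follow-up commit.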

@ -1,18 +0,0 @@
[defaults]
{% if env == 'staging' %}
buildhost = https://koji.stg.fedoraproject.org/kojihub
{% else %}
buildhost = https://koji.fedoraproject.org/kojihub
{% endif %}
symlink = False
configdir = /etc/bodhi/
repodir = /mnt/koji
fork = True
use_sqlite = True
{% if env == 'staging' %}
strict_keys = False
{% else %}
strict_keys = True
{% endif %}
max_delta_rpm_size = 1500000000

@ -1,3 +0,0 @@
- name: reload bodhi httpd
command: /usr/local/bin/conditional-reload.sh httpd httpd
when: not inventory_hostname.startswith('bodhi-backend')

@ -2,22 +2,6 @@
# tasklist for setting up bodhi
# This is the base set of files needed for bodhi
- name: install needed packages
package: name={{ item }} state=present
with_items:
- bodhi-docs
- bodhi-server
- libsemanage-python
tags:
- packages
- bodhi
- name: setup /etc/bodhi/ directory
file: path=/etc/bodhi owner=root group=root mode=0755 state=directory
tags:
- config
- bodhi
- name: Configure alembic
template:
src: alembic.ini
@ -27,86 +11,3 @@
tags:
- config
- bodhi
- name: setup /etc/pki/bodhi directory
file: path=/etc/pki/bodhi owner=root group=root mode=0755 state=directory
tags:
- config
- bodhi
- name: setup /var/cache/bodhi directory
file: dest=/var/cache/bodhi mode=0755 state=directory
tags:
- config
- bodhi
- name: Create ccache directory
file: dest=/var/run/bodhi.ccache mode=0700 state=directory
owner=apache group=apache
tags:
- config
- bodhi
#- name: check the selinux context of the bugzilla cookie
# command: matchpathcon /var/tmp/bodhi-bz.cookie
# register: cookiecontext
# check_mode: no
# changed_when: "1 != 1"
# tags:
# - config
# - bodhi
# - selinux
#
#- name: set the SELinux policy for the bugzilla cookie
# command: semanage fcontext -a -t httpd_tmp_t "/var/tmp/bodhi-bz.cookie"
# when: cookiecontext.stdout.find('httpd_tmp_t') == -1
# tags:
# - config
# - bodhi
# - selinux
- name: enable httpd_tmp_exec SELinux boolean
seboolean: name=httpd_tmp_exec state=yes persistent=yes
tags:
- config
- bodhi
- selinux
- name: enable httpd_can_network_connect_db SELinux boolean
seboolean: name=httpd_can_network_connect_db state=yes persistent=yes
tags:
- config
- bodhi
- selinux
- name: enable httpd_can_network_connect SELinux boolean
seboolean: name=httpd_can_network_connect state=yes persistent=yes
tags:
- config
- bodhi
- selinux
- name: enable httpd_execmem SELinux boolean
seboolean: name=httpd_execmem state=yes persistent=yes
tags:
- config
- bodhi
- selinux
#- name: check the selinux context of bodhi's homedir
# command: matchpathcon /usr/share/bodhi/.fedora
# register: homedir
# check_mode: no
# changed_when: "1 != 1"
# tags:
# - config
# - bodhi
# - selinux
#- name: /usr/share/bodhi/.fedora file contexts
# command: semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/bodhi/.fedora"
# when: homedir.stdout.find('httpd_sys_content_t') == -1 and env == 'production'
# tags:
# - config
# - bodhi
# - selinux