infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 7 Projects Releases Packages Wiki Activity Actions
ansible/roles/openqa/server/tasks/main.yml
Ryan Lerch 3c41882bb0 ansiblelint fixes - fqcn[action-core] - shell to ansible.builtin.shell 
Replaces references to shell: with ansible.builtin.shell

Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:29:10 +10:00

408 lines
17 KiB
YAML
Raw Blame History

# Required vars
# - openqa_email
## string - Email address of admin user
# - openqa_nickname
## string - Short name of admin user (shown in the web UI for e.g.)
# - openqa_fullname
## string - Full name of admin user
# - openqa_key
# - openqa_secret
## string - MUST be 16-character hexadecimals, and are secrets
# openqa_userid
## string - User ID of admin user: for Fedora should be a Fedora openID URL,
## http://fasname.id.fedoraproject.org
# Required vars with defaults
# - external_hostname
## string - The public hostname for the server (will be used as ServerName)
## default - ansible_nodename
# - openqa_repo
## string - Repo to enable when updating openQA packages. Set to
## 'updates-testing' to use packages from updates-testing
## default - 'updates', which is effectively a no-op
# Optional vars
# - openqa_static_uid
## int - a static ID for the geekotest user and group if desired
## this is useful for NFS mounting openQA data files
# - openqa_dbname
## string - The name of the database to use
# - openqa_dbhost
## string - The hostname of the database server
# - openqa_dbuser
## string - The database username
# - openqa_dbpassword
## string - The database password
# - openqa_assetsize
## int - the asset size limit to set in GB (upstream default is 100GB)
## higher is recommended for normal Fedora testing, 300GB is good
## FIXME: this only works for pgsql ATM
# - openqa_assetsize_updates
## int - the asset size limit to set for update job groups in GB
## (upstream default is 100GB). Lower is recommended for normal
## Fedora testing, 50GB is good
## FIXME: this only works for pgsql ATM
# - openqa_amqp_publisher_prefix
## string - openQA AMQP 'topic_prefix' config value. This prefix is
## prepended to the topic when publishing messages with the
## AMQP or FedoraMessaging plugins, with a . added (so don't
## include the . in the value). If set to an empty string,
## openQA from before August 2019 will use 'suse' as the
## prefix; later openQA will omit the prefix entirely
## default - '' (empty string)
# - openqa_amqp_publisher_url
## string - AMQP broker URL for publishing messages with the AMQP or
## FedoraMessaging plugins, e.g.
## amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpubsub
## default - amqp://test:@localhost/%2Fpubsub
# - openqa_amqp_publisher_exchange
## string - exchange to publish AMQP messages to with AMQP or
## FedoraMessaging plugins, e.g. amq.topic. Note, this can
## be (ab)used to set additional query parameters for the
## publish request, by just appending them, e.g.
## amq.topic&cacertfile=/path/to/ca_certificate_file
## default - amq.topic
# - openqa_webapi_plugins
## string - Space-separated list of openQA WebAPI plugins to enable
## Note if you enable FedoraMessaging or AMQP plugins, you should
## also set openqa_amqp_publisher_prefix, openqa_amqp_publisher_url
## and openqa_amqp_publisher_exchange
# - deployment_type
## string - Fedora Infrastructure thing; for this role, applies an
## infra-specific tweak to httpd config. Don't set it outside
## Fedora infra.
# - openqa_nfs_workers
## list - A list of hostnames of workers that will share the factory
## directory via NFS. All these will be granted rw access to
## the share (they need write access to be able to decompress
## compressed disk images on the fly). If not defined, the
## factory dir will not be shared via NFS at all.
# If openqa_dbhost is set, the other openqa_db* variables must be too,
# and the server will be configured to use a pgsql database accordingly.
# If openqa_dbhost is not set, the server will use a local SQLite database
# and the other openqa_db* values are ignored.
---
- name: Create geekotest group with static GID
group: "name=geekotest gid={{ openqa_static_uid }} system=yes"
when: "openqa_static_uid is defined"
- name: Create geekotest user with static UID
user:
name: geekotest
comment: "openQA user"
uid: "{{ openqa_static_uid }}"
group: geekotest
home: "/var/lib/openqa"
createhome: no
system: yes
ansible.builtin.shell: /sbin/nologin
when: "openqa_static_uid is defined"
- name: Remove old scratch repo directory
ansible.builtin.file: path=/var/tmp/scratchrepo state=absent
- name: Delete old scratch build repo config
ansible.builtin.file: path=/etc/yum.repos.d/scratchrepo.repo state=absent
- name: Write lab side repo config
ansible.builtin.copy: src=openqa-lab-repo.repo dest=/etc/yum.repos.d/openqa-lab-repo.repo owner=root group=root mode=0644
when: "deployment_type is defined and deployment_type == 'stg'"
- name: Write prod side repo config
ansible.builtin.copy: src=openqa-prod-repo.repo dest=/etc/yum.repos.d/openqa-prod-repo.repo owner=root group=root mode=0644
when: "deployment_type is defined and deployment_type == 'prod'"
# this is separate from the step below so we can use openqa_repo just
# for these packages
- name: Install openQA packages
ansible.builtin.package:
name:
- openqa
- openqa-httpd
- openqa-plugin-fedora-messaging
state: latest
enablerepo: "{{ openqa_repo }}"
tags:
- packages
- name: Install various other required packages
ansible.builtin.package:
name:
- python3-libselinux # for using seboolean module
- git # for checking out tests/tools
- jq # for checking if tests changed after template load
- python3-libsemanage # for using seboolean module
- perl(Class::DBI::Pg) # for using postgresql DB
- genisoimage # for building cloud-init ISO
- policycoreutils # for loading SELinux policy module
state: present
tags:
- packages
- name: Install various other required packages
ansible.builtin.package:
name:
- nfs-utils # for configuring/running NFS server
state: present
when: "openqa_nfs_workers is defined"
tags:
- packages
- name: Check test directory exists with correct ownership
ansible.builtin.file: path=/var/lib/openqa/share/tests/fedora state=directory owner=geekotest group=geekotest recurse=yes
# we don't want to run the checkout if the tests are on a non-standard
# branch, as that usually means we're messing around on staging and
# don't want the checkout reset to HEAD.
- name: Check if tests are checked out and on a non-standard branch
ansible.builtin.command: "git status" # noqa 303
args:
chdir: /var/lib/openqa/share/tests/fedora
register: testsbranch
failed_when: "1 != 1"
changed_when: "1 != 1"
check_mode: no
- name: Check out the tests
git:
repo: https://pagure.io/fedora-qa/os-autoinst-distri-fedora.git # noqa 401
dest: /var/lib/openqa/share/tests/fedora
register: gittests
become: true
become_user: geekotest
when: >
(testsbranch.stderr.find('ot a git repository') != -1) or
(testsbranch.stdout.find('On branch main') != -1 and
testsbranch.stdout.find('Changes not staged') == -1)
- name: Remove old openqa_fedora_tools checkout
ansible.builtin.file: path=/root/openqa_fedora_tools state=absent
- name: Create asset directories
ansible.builtin.file: path={{ item }} state=directory owner=geekotest group=geekotest mode=0775
with_items:
- /var/lib/openqa/share/factory/iso
- /var/lib/openqa/share/factory/iso/fixed
- /var/lib/openqa/share/factory/hdd
- /var/lib/openqa/share/factory/hdd/fixed
- /var/lib/openqa/share/factory/repo
- /var/lib/openqa/share/factory/other
- name: Copy in meta-data for cloud-init ISO creation
ansible.builtin.copy: src=meta-data dest=/var/tmp/meta-data owner=root group=root mode=0644
- name: Copy in user-data for cloud-init ISO creation
ansible.builtin.copy: src=user-data dest=/var/tmp/user-data owner=root group=root mode=0644
- name: Create cloud-init ISO
ansible.builtin.command: genisoimage -output cloudinit.iso -volid cidata -joliet -rock /var/tmp/user-data /var/tmp/meta-data
args:
chdir: /var/lib/openqa/share/factory/iso/fixed
creates: /var/lib/openqa/share/factory/iso/fixed/cloudinit.iso
- name: Create exports file
template: src=exports.j2 dest=/etc/exports.d/openqa.exports owner=root group=root mode=0644
register: exportsfile
when: openqa_nfs_workers is defined
tags:
- config
- name: Enable and start NFS server
service: name=nfs-server enabled=yes state=started
when: openqa_nfs_workers is defined
- name: Refresh exports
ansible.builtin.command: exportfs -r
when: exportsfile is changed
- name: Set up Apache config
template: src=openqa.conf.httpd.j2 dest=/etc/httpd/conf.d/openqa.conf owner=root group=root mode=0644
notify:
- reload httpd
tags:
- config
- name: OpenQA config
template: src=openqa.ini.j2 dest=/etc/openqa/openqa.ini owner=geekotest group=root mode=0644
tags:
- config
- name: Create database
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
become_user: postgres
become: true
postgresql_db: db={{ openqa_dbname }}
when: "openqa_dbhost is defined"
- name: Ensure db user has access to database
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
become_user: postgres
become: true
postgresql_user: db={{ openqa_dbname }} user={{ openqa_dbuser }} password={{ openqa_dbpassword }} role_attr_flags=NOSUPERUSER
when: "openqa_dbhost is defined"
- name: Database config
template: src=database.ini.pgsql.j2 dest=/etc/openqa/database.ini owner=geekotest group=root mode=0640
when: "openqa_dbhost is defined"
tags:
- config
- name: Initialize database
ansible.builtin.shell: "/usr/share/openqa/script/initdb --user geekotest --init_database" # noqa 305
register: initdb
changed_when: "initdb.rc == 0"
failed_when: "(initdb.rc > 0) and (initdb.stdout is not defined or initdb.stdout.find('already exists') == -1)"
- name: Enable and start services
service: name={{ item }} enabled=yes state=started
register: services
with_items:
- openqa-livehandler
- openqa-scheduler
- openqa-webui
- openqa-websockets
- openqa-gru
- name: Create somewhere to stick our custom SELinux module
ansible.builtin.file:
path: /usr/local/share/selinux
state: directory
mode: '0755'
- name: Copy over custom SELinux module allowing httpd to connect to openQA
ansible.builtin.copy: src=httpd-openqa.pp dest=/usr/local/share/selinux/httpd-openqa.pp owner=root group=root mode=0644
register: selinux_module
- name: Load our custom SELinux module
ansible.builtin.command: semodule -i /usr/local/share/selinux/httpd-openqa.pp
when: selinux_module is changed
# Unfortunately still need this until port 9528 is tagged:
# https://bugzilla.redhat.com/show_bug.cgi?id=1277312
- name: Set httpd_can_network_connect SELinux boolean
seboolean: name=httpd_can_network_connect state=yes persistent=yes
- name: Allow Apache to read from NFS (as we store test data files there now)
seboolean: name=httpd_use_nfs state=yes persistent=yes
# services is undefined in check mode
- name: Wait for openQA to be fully started
pause: seconds=5
when: "services is defined and services is changed"
# the 'dispatcher' role may require this to have a non-root group and
# sets it 0640, so we don't enforce ownership here and set mode to
# 0640 so we don't wind up ping-ponging it between server and
# dispatcher roles.
- name: OpenQA client config
template: src=client.conf.j2 dest=/etc/openqa/client.conf mode=0640
tags:
- config
- name: Create admin user
ansible.builtin.command: >
/var/lib/openqa/script/create_admin --email {{ openqa_email }} --nickname {{ openqa_nickname }}
--fullname '{{ openqa_fullname }}' --key {{ openqa_key }} --secret {{ openqa_secret }}
{{ openqa_userid }}
register: admin
changed_when: "admin.rc == 0"
failed_when: "(admin.rc > 0) and (admin.stderr is not defined or admin.stderr.find('already exists') == -1)"
- name: Check if we're on upstream template format or FIF
stat:
path: /var/lib/openqa/share/tests/fedora/templates.fif.json
register: templatesfif
- name: Dump existing config for checking changes
ansible.builtin.shell: "/usr/share/openqa/script/dump_templates --json > /tmp/tmpl-old.json || :"
when: "(gittests is defined) and (gittests is changed)"
changed_when: "1 != 1"
# Because of the boring details of how template loading works, getting
# a correct 'changed' for this step is too difficult. Instead we have
# the dump (above) and check (later) steps; when the templates actually
# changed, the *check* step will register as changed.
- name: Load main tests (upstream format)
ansible.builtin.command: "/var/lib/openqa/share/tests/fedora/templates --clean"
when: "(gittests is defined) and (gittests is changed) and (not templatesfif.stat.exists)"
changed_when: "1 != 1"
- name: Load update tests (upstream format)
ansible.builtin.command: "/var/lib/openqa/share/tests/fedora/templates-updates --update"
when: "(gittests is defined) and (gittests is changed) and (not templatesfif.stat.exists)"
changed_when: "1 != 1"
- name: Load all tests (FIF format)
ansible.builtin.command: "/var/lib/openqa/share/tests/fedora/fifloader.py -l --clean templates.fif.json templates-updates.fif.json"
args:
chdir: /var/lib/openqa/share/tests/fedora
when: "(gittests is defined) and (gittests is changed) and (templatesfif.stat.exists)"
changed_when: "1 != 1"
- name: Check if the tests changed in previous step
ansible.builtin.shell: "/usr/share/openqa/script/dump_templates --json > /tmp/tmpl-new.json && diff <(jq -S . /tmp/tmpl-old.json) <(jq -S . /tmp/tmpl-new.json)"
when: "(gittests is defined) and (gittests is changed)"
register: testsdiff
changed_when: "testsdiff.rc > 0"
failed_when: "1 != 1"
- name: Set 'fedora' asset size limit (if specified) (pgsql)
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
become_user: postgres
become: true
ansible.builtin.command: >
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize }}
WHERE name = 'fedora' AND (size_limit_gb != {{ openqa_assetsize }} OR size_limit_gb IS NULL);"
when: "openqa_dbhost is defined and openqa_assetsize is defined"
register: pgsqlsize
changed_when: "pgsqlsize.stdout.find('UPDATE 0') == -1"
- name: Set 'Fedora PowerPC' asset size limit (if specified) (pgsql)
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
become_user: postgres
become: true
ansible.builtin.command: >
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_ppc }}
WHERE name = 'Fedora PowerPC' AND (size_limit_gb != {{ openqa_assetsize_ppc }}
OR size_limit_gb IS NULL);"
when: "openqa_dbhost is defined and openqa_assetsize_ppc is defined"
register: pgsqlsizeppc
changed_when: "pgsqlsizeppc.stdout.find('UPDATE 0') == -1"
- name: Set 'Fedora AArch64' asset size limit (if specified) (pgsql)
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
become_user: postgres
become: true
ansible.builtin.command: >
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_aarch64 }}
WHERE name = 'Fedora AArch64' AND (size_limit_gb != {{ openqa_assetsize_aarch64 }}
OR size_limit_gb IS NULL);"
when: "openqa_dbhost is defined and openqa_assetsize_aarch64 is defined"
register: pgsqlsizeaarch64
changed_when: "pgsqlsizeaarch64.stdout.find('UPDATE 0') == -1"
- name: Set (x86_64) update job group asset size limit (if specified) (pgsql)
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
become_user: postgres
become: true
ansible.builtin.command: >
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_updates }}
WHERE name = 'Fedora Updates' AND (size_limit_gb != {{ openqa_assetsize_updates }}
OR size_limit_gb IS NULL);"
when: "openqa_dbhost is defined and openqa_assetsize_updates is defined"
register: pgsqlupdatesize
changed_when: "pgsqlupdatesize.stdout.find('UPDATE 0') == -1"
- name: Set ppc64le update job group asset size limit (if specified) (pgsql)
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
become_user: postgres
become: true
ansible.builtin.command: >
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_updates_ppc }}
WHERE name = 'Fedora PowerPC Updates' AND (size_limit_gb != {{ openqa_assetsize_updates_ppc }}
OR size_limit_gb IS NULL);"
when: "openqa_dbhost is defined and openqa_assetsize_updates_ppc is defined"
register: pgsqlupdatesizeppc
changed_when: "pgsqlupdatesizeppc.stdout.find('UPDATE 0') == -1"
Reference in a new issue View git blame Copy permalink