diff --git a/modules/sysadmin_guide/assets/images/ansible-repositories.png b/modules/sysadmin_guide/assets/images/ansible-repositories.png new file mode 100644 index 0000000..1754f29 Binary files /dev/null and b/modules/sysadmin_guide/assets/images/ansible-repositories.png differ diff --git a/modules/sysadmin_guide/nav.adoc b/modules/sysadmin_guide/nav.adoc index 9b9287b..29000a7 100644 --- a/modules/sysadmin_guide/nav.adoc +++ b/modules/sysadmin_guide/nav.adoc @@ -3,7 +3,7 @@ ** xref:2-factor.adoc[Two factor auth] ** xref:accountdeletion.adoc[Account Deletion SOP] ** xref:anitya.adoc[Anitya Infrastructure SOP] -** xref:ansible.adoc[ansible - SOP in review ] +** xref:ansible.adoc[ansible - SOP] ** xref:apps-fp-o.adoc[apps-fp-o - SOP in review ] ** xref:archive-old-fedora.adoc[archive-old-fedora - SOP in review ] ** xref:arm.adoc[arm - SOP in review ] diff --git a/modules/sysadmin_guide/pages/ansible.adoc b/modules/sysadmin_guide/pages/ansible.adoc index 784508f..7b9a719 100644 --- a/modules/sysadmin_guide/pages/ansible.adoc +++ b/modules/sysadmin_guide/pages/ansible.adoc 
@@ -28,83 +28,85 @@ some other groups to run playbooks against specific hosts. There are 2 git repositories associated with Ansible: * The Fedora Infrastructure Ansible repository and replicas. -+ + [CAUTION] -.Caution ==== This is a public repository. Never commit private data to this repo. ==== -+ + image:ansible-repositories.png[image] -+ + This repository exists as several copies or replicas: + ** The "upstream" repository on Pagure. -+ + https://pagure.io/fedora-infra/ansible -+ + This repository is the public facing place where people can contribute (e.g. pull requests) as well as the authoritative source. Members of the `sysadmin` FAS group or the `fedora-infra` Pagure group have commit access to this repository. -+ + To contribute changes, fork the repository on Pagure and submit a Pull Request. Someone from the aforementioned groups can then review and merge them. -+ + It is recommended that you configure git to use `pull --rebase` by default by running `git config --bool pull.rebase true` in your ansible clone directory. This configuration prevents unneeded merges which can occur if someone else pushes changes to the remote repository while you are working on your own local changes. -** Two bare mirrors on [.title-ref]#batcave01#, `/srv/git/ansible.git` + +** Two bare mirrors on _batcave01_, `/srv/git/ansible.git` and `/srv/git/mirrors/ansible.git` -+ + [CAUTION] -.Caution ==== These are public repositories. Never commit private data to these repositories. Don't commit or push to these repos directly, unless Pagure is unavailable. ==== -+ -The `mirror_pagure_ansible` service on [.title-ref]#batcave01# receives + +The `mirror_pagure_ansible` service on _batcave01_ receives bus messages about changes in the repository on Pagure, fetches these into `/srv/git/mirrors/ansible.git` and pushes from there to `/srv/git/ansible.git`. When this happens, various actions are triggered via git hooks: + *** The working copy at `/srv/web/infra/ansible` is updated. 
-*** A mail about the changes is sent to [.title-ref]#sysadmin-members#. + +*** A mail about the changes is sent to _sysadmin-members_. + *** The changes are announced on the message bus, which in turn triggers announcements on IRC. -+ -You can check out the repo locally on [.title-ref]#batcave01# with: -+ + +You can check out the repo locally on _batcave01_ with: + .... git clone /srv/git/ansible.git .... -+ + If the Ansible repository on Pagure is unavailable, members of the -[.title-ref]#sysadmin# group may commit directly, provided this +_sysadmin_ group may commit directly, provided this procedure is followed: [arabic] . The synchronization service is stopped and disabled: -+ + .... sudo systemctl disable --now mirror_pagure_ansible.service .... -. Changes are applied to the repository on [.title-ref]#batcave01#. +. Changes are applied to the repository on _batcave01_. . After Pagure is available again, the changes are pushed to the repository there. . The synchronization service is enabled and started: -+ + .... sudo systemctl enable --now mirror_pagure_ansible.service .... -** `/srv/web/infra/ansible` on [.title-ref]#batcave01#, the working copy +** `/srv/web/infra/ansible` on _batcave01_, the working copy from which playbooks are run. -+ + [CAUTION] -.Caution ==== This is a public repository. Never commit private data to this repo. Don't commit or push to this repo directly, unless Pagure is 
@@ -113,26 +115,21 @@ unavailable. + You can access it also via a cgit web interface at: https://pagure.io/fedora-infra/ansible/ -+ -[verse] --- --- -* `/srv/git/ansible-private` on [.title-ref]#batcave01#. -+ +* `/srv/git/ansible-private` on _batcave01_. + [CAUTION] -.Caution ==== This is a private repository for passwords and other sensitive data. It is not available in cgit, nor should it be cloned or copied remotely. ==== -+ + This repository is only accessible to members of 'sysadmin-main'. === Cron job/scheduled runs With use of run_ansible-playbook_cron.py that is run daily via cron we -walk through playbooks and run them with [.title-ref]#--check --diff# +walk through playbooks and run them with _--check --diff_ params to perform a dry-run. This way we make sure all the playbooks are idempotent and there is no @@ -149,7 +146,7 @@ when and what commands and playbooks were run. === role based access control for playbooks -There's a wrapper script on batcave01 called 'rbac-playbook' that allows +There's a wrapper script on _batcave01_ called 'rbac-playbook' that allows non sysadmin-main members to run specific playbooks against specific groups of hosts. This is part of the ansible_utils package. The upstream for ansible_utils is: https://bitbucket.org/tflink/ansible_utils
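Review bot: In the `@@ -28,83 +28,85 @@` hunk of ansible.adoc, the `+` list-continuation lines are replaced with blank lines, which changes the document structure rather than just its styling: in AsciiDoc a blank line ends the list item, so the `[CAUTION]` admonitions, the `image:ansible-repositories.png[image]` block and the explanatory paragraphs no longer render nested under `* The Fedora Infrastructure Ansible repository and replicas.` and its `**` sub-items, and each following `**` or `***` item starts a fresh list. If the flatter layout is deliberate, say so in the commit message; otherwise keep the `+` lines and limit this hunk to dropping the redundant `.Caution` titles and replacing the `[.title-ref]#...#` markup. While touching this block, `image:ansible-repositories.png[image]` should carry descriptive alt text (for example `[Replicas of the Ansible repository]`) instead of the word `image`.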
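Review bot: In the `@@ -113,26 +115,21 @@` hunk, `_--check --diff_` renders the ansible-playbook flags in italics, whereas the rest of the page puts literal command text in backticks (`pull --rebase`, `/srv/git/ansible.git`); write them as `--check --diff` in monospace so they read as something typed on the command line rather than as emphasis. Removing the empty `[verse] -- --` block is a good cleanup. The unchanged context line `members of 'sysadmin-main'` quotes a group name in plain single quotes that the same page writes as `sysadmin` in backticks; worth aligning while this section is being edited.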
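Review bot: In the `@@ -149,7 +146,7 @@` hunk, `'rbac-playbook'` stays in plain single quotes on the changed line while the host name is converted to `_batcave01_`; since it is a script name, put it in backticks like the other literal names on the page, and the same applies to `sysadmin-main` on the following line. More generally, this series settles on italics for the host name `batcave01` in every hunk while paths and commands use backticks; that is a workable convention, but state it once (for example in the commit message or a contributor note) so later edits do not mix italics and monospace for the same kind of name.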