1e777285e6
Enables the `image-builder` plugin from `koji-image-builder` in the production environment for both the koji hub, and the koji builder (kojid). This is based on the earlier enablement in staging where I've succesfully tested some builds and it didn't seem to bring down all of the staging instance. Signed-off-by: Simon de Vlieger <supakeen@redhat.com>
488 lines
13 KiB
YAML
488 lines
13 KiB
YAML
---
|
|
#
|
|
# Setup koji hub server.
|
|
#
|
|
- name: Install koji hub server packages
|
|
ansible.builtin.package: name={{ item }} state=present
|
|
with_items:
|
|
- koji-hub
|
|
- koji-hub-plugins
|
|
- koji-web
|
|
- koji-utils
|
|
- koji-theme-fedora
|
|
- mod_ssl
|
|
- mod_wsgi
|
|
- mod_auth_gssapi
|
|
- git
|
|
- gnupg2
|
|
tags:
|
|
- packages
|
|
- koji_hub
|
|
|
|
#
|
|
# Setup koji hub osbuild and image-builder plugin.
|
|
#
|
|
- name: Install osbuild server packages
|
|
ansible.builtin.package: name={{ item }} state=present
|
|
with_items:
|
|
- koji-osbuild-hub
|
|
notify:
|
|
- Restart kojira
|
|
tags:
|
|
- packages
|
|
- koji_hub
|
|
- koji_hub_osbuild
|
|
|
|
- name: Install image-builder server packages
|
|
ansible.builtin.package: name={{ item }} state=present
|
|
with_items:
|
|
- koji-image-builder-hub
|
|
notify:
|
|
- Restart kojira
|
|
tags:
|
|
- packages
|
|
- koji_hub
|
|
- koji_hub_image_builder
|
|
|
|
- name: Make koji pki directory
|
|
ansible.builtin.file: state=directory path=/etc/pki/koji/ owner=root group=root
|
|
|
|
- name: Make koji pki subdirectories
|
|
ansible.builtin.file: state=directory path=/etc/pki/koji/{{ item }} owner=root group=root
|
|
with_items:
|
|
- certs
|
|
- private
|
|
- confs
|
|
tags:
|
|
- koji_hub
|
|
|
|
- name: Fedmenu shim
|
|
ansible.builtin.template: src=fedmenu-extra-footer.html dest=/usr/share/koji-web/static/extra-footer.html
|
|
tags: koji_hub
|
|
notify: Reload httpd
|
|
# XXX - we only want to do this in staging for now because it requires a patch
|
|
# to koji itself to include the extra-footer.html file in a sufficiently
|
|
# advanced way.
|
|
# https://lists.fedoraproject.org/pipermail/buildsys/2015-April/004636.html
|
|
when: env == 'staging'
|
|
|
|
- name: Set the apache mpm to use event MPM
|
|
ansible.builtin.copy: src=00-mpm.conf dest=/etc/httpd/conf.modules.d/00-mpm.conf
|
|
notify:
|
|
- Reload proxyhttpd
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
|
|
- name: Hub config
|
|
ansible.builtin.template: src=hub.conf.j2 dest=/etc/koji-hub/hub.conf owner=apache group=apache mode=600
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
- koji_hub_osbuild
|
|
- koji_hub_image_builder
|
|
notify: Reload httpd
|
|
|
|
- name: Kojiweb config
|
|
ansible.builtin.template: src=web.conf.j2 dest=/etc/kojiweb/web.conf owner=apache group=apache mode=600
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
notify: Reload httpd
|
|
|
|
- name: Enable httpd_can_network_connect SELinux boolean for fedmsg
|
|
seboolean: name=httpd_can_network_connect state=yes persistent=yes
|
|
tags:
|
|
- config
|
|
- selinux
|
|
- koji_hub
|
|
|
|
- name: Enable httpd_use_nfs SELinux boolean for fedmsg
|
|
seboolean: name=httpd_use_nfs state=yes persistent=yes
|
|
tags:
|
|
- config
|
|
- selinux
|
|
- koji_hub
|
|
|
|
- name: Install fedora-messaging as a dependency for the plugin (fedora)
|
|
ansible.builtin.package: name={{ item }} state=present
|
|
with_items:
|
|
- python3-fedora-messaging
|
|
tags:
|
|
- packages
|
|
- koji_hub
|
|
- fedora-messaging
|
|
when: ansible_distribution == "Fedora"
|
|
|
|
- name: Create the config folder for fedora-messaging
|
|
ansible.builtin.file: path=/etc/fedora-messaging/ owner=root group=root mode=0755 state=directory
|
|
tags:
|
|
- koji_hub
|
|
- fedora-messaging
|
|
|
|
- name: Install the configuration file for fedora-messaging
|
|
ansible.builtin.template:
|
|
src=fedora-messaging.toml
|
|
dest=/etc/fedora-messaging/config.toml
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
- fedora-messaging
|
|
|
|
- name: Create folder where we'll place the certs
|
|
ansible.builtin.file: path=/etc/pki/rabbitmq/kojicert/ owner=root group=root mode=0755 state=directory
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
- fedora-messaging
|
|
|
|
- name: deploy koji/rabbitmq certificate (primary)
|
|
copy: src={{ item.src }}
|
|
dest=/etc/pki/rabbitmq/kojicert/{{ item.dest }}
|
|
owner={{ item.owner }} group=root mode={{ item.mode }}
|
|
with_items:
|
|
- src: "{{private}}/files/rabbitmq/{{env}}/pki/issued/koji{{ env_suffix }}.crt"
|
|
dest: koji.crt
|
|
owner: apache
|
|
mode: "0644"
|
|
- src: "{{private}}/files/rabbitmq/{{env}}/pki/private/koji{{ env_suffix }}.key"
|
|
dest: koji.key
|
|
owner: apache
|
|
mode: "600"
|
|
- src: "{{private}}/files/rabbitmq/{{env}}/ca-combined.crt"
|
|
dest: koji.ca
|
|
owner: apache
|
|
mode: "0644"
|
|
when: inventory_hostname.startswith('koji')
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
- fedora-messaging
|
|
|
|
- name: deploy koji/rabbitmq certificate (secondary)
|
|
copy: src={{ item.src }}
|
|
dest=/etc/pki/rabbitmq/kojicert/{{ item.dest }}
|
|
owner={{ item.owner }} group=root mode={{ item.mode }}
|
|
with_items:
|
|
- src: "{{private}}/files/rabbitmq/{{env}}/pki/issued/riscv-koji{{ env_suffix }}.crt"
|
|
dest: koji.crt
|
|
owner: apache
|
|
mode: "0644"
|
|
- src: "{{private}}/files/rabbitmq/{{env}}/pki/private/riscv-koji{{ env_suffix }}.key"
|
|
dest: koji.key
|
|
owner: apache
|
|
mode: "600"
|
|
- src: "{{private}}/files/rabbitmq/{{env}}/ca-combined.crt"
|
|
dest: koji.ca
|
|
owner: apache
|
|
mode: "0644"
|
|
when: inventory_hostname.startswith('riscv-koji')
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
- fedora-messaging
|
|
|
|
# install the plugin with the rpm from infra repo on stg
|
|
- name: Install fedora-messaging schemas and plugin
|
|
ansible.builtin.package: name={{ item }} state=present
|
|
with_items:
|
|
- koji-fedoramessaging
|
|
- python3-koji-fedoramessaging-messages
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- packages
|
|
- koji_hub
|
|
- fedora-messaging
|
|
when: ansible_distribution == "Fedora"
|
|
|
|
|
|
- name: Install the configuration file for the sidetag plugin
|
|
ansible.builtin.copy:
|
|
src: sidetag.conf
|
|
dest: /etc/koji-hub/plugins/sidetag.conf
|
|
tags:
|
|
- koji_hub
|
|
|
|
#
|
|
# rpmautospec plugin
|
|
#
|
|
|
|
- name: Uninstall koji hub rpmautospec plugin
|
|
ansible.builtin.package: name={{ item }} state=absent
|
|
with_items:
|
|
- koji-hub-plugin-rpmautospec
|
|
tags:
|
|
- packages
|
|
- koji_hub
|
|
- rpmautospec
|
|
|
|
- name: Remove obsolete configuration for rpmautospec
|
|
ansible.builtin.file:
|
|
path: "/etc/koji-hub/plugins/{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- rpmautospec.conf
|
|
- rpmautospec.conf.rpmnew
|
|
- rpmautospec.conf.rpmsave
|
|
- rpmautospec.conf.rpmorig
|
|
tags:
|
|
- koji_hub
|
|
- rpmautospec
|
|
|
|
- name: Install Flatpak hub plugin
|
|
ansible.builtin.package: name=koji-flatpak-hub state=present
|
|
tags:
|
|
- koji_hub
|
|
|
|
#
|
|
# install keytabs
|
|
#
|
|
|
|
- name: install koji-hub keytab
|
|
copy: src={{ private }}/files/keytabs/{{ env }}/koji-hub-{{ koji_instance }} dest=/etc/koji-hub/koji-hub.keytab
|
|
owner=apache group=apache mode=0600
|
|
notify:
|
|
- Reload httpd
|
|
when: env != 'staging'
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
|
|
- name: Install GSSAPI keytab
|
|
ansible.builtin.copy: src={{ private }}/files/keytabs/{{ env }}/koji-gssapi-{{ koji_instance }} dest=/etc/koji-hub/gssapi.keytab
|
|
owner=apache group=apache mode=0600
|
|
notify:
|
|
- Reload httpd
|
|
when: env != 'staging'
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
|
|
#
|
|
# install production certs and keys
|
|
#
|
|
- name: Install kojiweb_cert_key.pem
|
|
ansible.builtin.copy: src={{ private }}/files/koji/kojiweb_cert_key.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem owner=apache mode=600
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
when: env != 'staging' and ansible_hostname.startswith('koji')
|
|
|
|
- name: Install production koji_cert.pem
|
|
ansible.builtin.copy: src={{ private }}/files/koji/koji_cert.pem dest=/etc/pki/tls/certs/koji_cert.pem owner=apache mode=600
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
when: env != 'staging' and ansible_hostname.startswith('koji')
|
|
|
|
- name: Install production koji_key.pem
|
|
ansible.builtin.copy: src={{ private }}/files/koji/koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
when: env != 'staging' and ansible_hostname.startswith('koji')
|
|
|
|
- name: Instaall fedora-ca.cert in various places
|
|
ansible.builtin.copy: src={{ private }}/files/fedora-ca.cert dest={{ item }} owner=apache
|
|
with_items:
|
|
- /etc/kojira/extras_cacert.pem
|
|
- /etc/pki/tls/certs/extras_cacert.pem
|
|
- /etc/pki/tls/certs/extras_upload_cacert.pem
|
|
- /etc/pki/tls/certs/upload_cacert.pem
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
|
|
- name: Install kojira_cert_key
|
|
ansible.builtin.copy: src={{ private }}/files/koji/kojira_cert_key.pem dest=/etc/kojira/kojira_cert_key.pem owner=apache mode=600
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
|
|
- name: Koji web common config files
|
|
ansible.builtin.copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root
|
|
with_items:
|
|
- mash.conf
|
|
- rel-eng.conf
|
|
- repo.conf
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
notify: Reload httpd
|
|
|
|
- name: Koji web hub specific config files
|
|
ansible.builtin.template: src={{ item }}.j2 dest=/etc/httpd/conf.d/{{ item }} owner=root group=root
|
|
with_items:
|
|
- kojiweb.conf
|
|
- kojihub.conf
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
notify: Reload httpd
|
|
|
|
- name: Koji web staging config files
|
|
ansible.builtin.copy: src=kojiweb.conf.stg dest=/etc/httpd/conf.d/kojiweb-stg.conf owner=root group=root
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
notify: Reload httpd
|
|
when: env == "staging"
|
|
|
|
- name: Koji robots.txt config
|
|
ansible.builtin.copy: src=robots.txt dest=/var/www/html/robots.txt
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
notify: Reload httpd
|
|
|
|
- name: Kojira log dir
|
|
ansible.builtin.file: dest=/var/log/kojira owner=root group=root mode=0750 state=directory
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
- kojira
|
|
|
|
- name: Kojira config
|
|
ansible.builtin.template: src=kojira.conf.j2 dest=/etc/kojira/kojira.conf
|
|
tags:
|
|
- config
|
|
- koji_hub
|
|
notify:
|
|
- Restart kojira
|
|
|
|
- name: Make an empty /mnt/fedora_koji for stg.
|
|
ansible.builtin.file: state=directory path=/mnt/fedora_koji/koji owner=root group=root
|
|
tags:
|
|
- koji_hub
|
|
when: env == "staging" and ansible_hostname.startswith('koji')
|
|
|
|
- name: make mnt/koji directory (primary)
|
|
ansible.builtin.file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji owner=root group=root
|
|
tags:
|
|
- koji_hub
|
|
when: ansible_hostname.startswith('koji')
|
|
|
|
- name: make mnt/koji directory (secondary)
|
|
file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji owner=root group=root
|
|
tags:
|
|
- koji_hub
|
|
when: ansible_hostname.startswith('riscv-koji')
|
|
|
|
- name: check selinux default context for /mnt/fedora_koji in staging
|
|
ansible.builtin.command: matchpathcon /mnt/fedora_koji
|
|
register: mnt_fedora_koji_context
|
|
when: env == "staging"
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- koji_hub
|
|
- selinux
|
|
|
|
- name: /mnt/fedora_koji selinux file context
|
|
ansible.builtin.command: semanage fcontext -a -t httpd_sys_rw_content_t "/mnt/fedora_koji(/.*)?"
|
|
when: env == "staging" and
|
|
mnt_fedora_koji_context.stdout.find('httpd_sys_rw_content_t') == -1
|
|
tags:
|
|
- koji_hub
|
|
- selinux
|
|
|
|
- name: Set sebooleans so koji can talk to the db
|
|
seboolean: name=httpd_can_network_connect_db state=true persistent=true
|
|
tags:
|
|
- selinux
|
|
- koji_hub
|
|
|
|
- name: Set sebooleans so koji can run the fedora-messaging plugin
|
|
seboolean: name=httpd_execmem state=true persistent=true
|
|
tags:
|
|
- selinux
|
|
- koji_hub
|
|
|
|
- name: Set sebooleans so koji can anon write
|
|
seboolean: name=httpd_anon_write state=true persistent=true
|
|
tags:
|
|
- selinux
|
|
- koji_hub
|
|
when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7
|
|
|
|
- name: make httpd override directory
|
|
ansible.builtin.file:
|
|
state: directory
|
|
path: /etc/systemd/system/httpd.service.d
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
tags:
|
|
- service
|
|
- koji_hub
|
|
|
|
- name: Set httpd service override for fedora-messaging to work
|
|
ansible.builtin.copy: src=httpd-override.conf dest=/etc/systemd/system/httpd.service.d/override.conf
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- service
|
|
- koji_hub
|
|
|
|
|
|
- name: Set httpd to run on boot
|
|
service: name=httpd enabled=yes
|
|
ignore_errors: true
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- service
|
|
- koji_hub
|
|
|
|
- name: Make sure kojira is set to run on boot
|
|
service: name=kojira enabled=yes
|
|
tags:
|
|
- service
|
|
- koji_hub
|
|
when: ansible_hostname.startswith('koji02')
|
|
|
|
- name: Install koji-gc.conf
|
|
ansible.builtin.template: src=koji-gc.conf.j2 dest=/etc/koji-gc/koji-gc.conf
|
|
tags:
|
|
- koji_hub
|
|
|
|
- name: Install prune-signed-copies-protected-tags config for prunesigs
|
|
ansible.builtin.template: src=prune-signed-copies-protected-tags.j2 dest=/etc/prune-signed-copies-protected-tags
|
|
tags:
|
|
- koji_hub
|
|
|
|
- name: Install cron jobs in /usr/local/etc/
|
|
ansible.builtin.copy: src={{ item }} dest=/usr/local/etc/{{ item }}
|
|
with_items:
|
|
- koji-directory-cleanup
|
|
- koji-gc
|
|
- koji-prune-signed-copies
|
|
- koji-sidetag-cleanup
|
|
when: ansible_hostname.startswith('koji01')
|
|
tags:
|
|
- files
|
|
- koji_hub
|
|
|
|
- name: Enable crons on koji02 normally.
|
|
ansible.builtin.copy: src={{ item }} dest=/etc/cron.d/{{ item }}
|
|
with_items:
|
|
- koji-directory-cleanup
|
|
- koji-gc
|
|
- koji-prune-signed-copies
|
|
- koji-sidetag-cleanup
|
|
tags:
|
|
- files
|
|
when: env != 'staging' and ansible_hostname.startswith('koji02')
|
|
|
|
- name: Disable systemd-oomd we do not need or want it
|
|
service: name=systemd-oomd state=stopped enabled=no
|
|
tags:
|
|
- koji_hub
|
|
- koji_hub/oomd
|