From e2a8626eee1ad1bca0a1ee819002b82a979ec6ff Mon Sep 17 00:00:00 2001
From: Stephen Smoogen
Date: Fri, 29 May 2020 11:42:14 -0400
Subject: [PATCH] start standing up openqa for iad2
---
 inventory/group_vars/openqa_iad2 | 30 +++++++++
 inventory/group_vars/resultsdb_iad_prod | 82 +++++++++++++++++++++++
 inventory/inventory | 23 ++++++-
 playbooks/groups/openqa.yml | 6 +-
 playbooks/groups/postgresql-server.yml | 4 +-
 playbooks/groups/resultsdb.yml | 8 +--
 roles/rkhunter/templates/rkhunter.conf.j2 | 2 +-
 7 files changed, 144 insertions(+), 11 deletions(-)
 create mode 100644 inventory/group_vars/openqa_iad2
 create mode 100644 inventory/group_vars/resultsdb_iad_prod
diff --git a/inventory/group_vars/openqa_iad2 b/inventory/group_vars/openqa_iad2
new file mode 100644
index 0000000000..5d3660399d
--- /dev/null
+++ b/inventory/group_vars/openqa_iad2
@@ -0,0 +1,30 @@
+# this is to enable nested virt, which we need for disk image creation
+virt_install_command: "{{ virt_install_command_one_nic }} --cpu=host-passthrough,+vmx"
+
+external_hostname: openqa.fedoraproject.org
+
+openqa_dbname: openqa
+openqa_dbhost: db-qa03.iad2.fedoraproject.org
+openqa_dbuser: openqa
+openqa_dbpassword: "{{ prod_openqa_dbpassword }}"
+openqa_assetsize: 500
+
+openqa_key: "{{ prod_openqa_apikey }}"
+openqa_secret: "{{ prod_openqa_apisecret }}"
+
+openqa_webapi_plugins: FedoraMessaging FedoraUpdateRestart
+
+# this is because openqa staging isn't really a staging host
+# we don't want to set env_suffix to stg on it because that may
+# break some other plays, but we do need the env suffix for the
+# fedora-messaging bits, so let's make our own
+openqa_env_suffix:
+openqa_env: production
+
+wikitcms_token: "{{ private }}/files/openidc/production/wikitcms.json"
+openqa_wikitcms_hostname: fedoraproject.org
+openqa_resultsdb_url: http://resultsdb01.iad2.fedoraproject.org/resultsdb_api/api/v2.0/
+openqa_update_arches: ['x86_64']
+
+deployment_type: prod
+freezes: false
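Review bot: `openqa_resultsdb_url` uses `http://resultsdb01.iad2.fedoraproject.org/...`, so results posted from this production openQA host cross the network in cleartext; if the iad2 resultsdb vhost serves TLS, switch it to `https://`, otherwise add a comment saying the plain-HTTP hop is intentional and limited to the internal network. The comment block above `openqa_env_suffix` describes the staging host, while this file sets `openqa_env: production` and `deployment_type: prod`, so it reads as a leftover that should be rewritten or dropped. A bare `openqa_env_suffix:` also parses as null rather than an empty string; `openqa_env_suffix: ""` states the intent explicitly.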
diff --git a/inventory/group_vars/resultsdb_iad_prod b/inventory/group_vars/resultsdb_iad_prod
new file mode 100644
index 0000000000..2de63c4cb0
--- /dev/null
+++ b/inventory/group_vars/resultsdb_iad_prod
@@ -0,0 +1,82 @@
+---
+############################################################
+# general information
+############################################################
+deployment_type: prod
+external_hostname: taskotron.fedoraproject.org
+tcp_ports: [ 80, 443, "{{ resultsdb_db_port }}" ]
+
+# common items for the releng-* boxes
+lvm_size: 50000
+mem_size: 4096
+num_cpus: 4
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+fas_client_groups: sysadmin-qa
+nrpe_procs_warn: 250
+nrpe_procs_crit: 300
+
+
+
+
+
+############################################################
+# resultsdb details
+############################################################
+
+# the db_host_machine bits are so that delegation continues to work, even if
+# that db is localhost relative to resultsdb
+
+resultsdb_db_host_machine: db-qa02.iad2.fedoraproject.org
+resultsdb_db_host: "{{ resultsdb_db_host_machine }}"
+resultsdb_db_port: 5432
+resultsdb_endpoint: 'resultsdb_api'
+resultsdb_db_name: resultsdb
+resultsdb_db_user: "{{ prod_resultsdb_db_user }}"
+resultsdb_db_password: "{{ prod_resultsdb_db_password }}"
+resultsdb_secret_key: "{{ prod_resultsdb_secret_key }}"
+
+allowed_hosts:
+ - 10.5.124
+ - 10.5.131
+
+
+############################################################
+# resultsdb-frontend details
+############################################################
+resultsdb_fe_endpoint: "resultsdb"
+resultsdb_frontend_secret_key: "{{ prod_resultsdb_frontend_secret_key }}"
+
+
+############################################################
+# execdb details
+############################################################
+execdb_db_host_machine: db-qa01.iad2.fedoraproject.org
+execdb_db_host: "{{ execdb_db_host_machine }}"
+execdb_db_port: 5432
+execdb_endpoint: 'execdb'
+execdb_db_name: execdb
+execdb_db_user: "{{ prod_execdb_db_user }}"
+execdb_db_password: "{{ prod_execdb_db_password }}"
+execdb_secret_key: "{{ prod_execdb_secret_key
}}" + + +############################################################ +# fedmsg details +############################################################ +fedmsg_active: True +fedmsg_cert_prefix: resultsdb + +fedmsg_certs: +- service: shell + owner: root + group: sysadmin + can_send: + - logger.log +- service: resultsdb + owner: root + group: apache + can_send: + - taskotron.result.new + - resultsdb.result.new diff --git a/inventory/inventory b/inventory/inventory index c729235298..477eed1d64 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -235,6 +235,9 @@ db-koji02.phx2.fedoraproject.org db-qa01.qa.fedoraproject.org db-qa02.qa.fedoraproject.org db-qa03.qa.fedoraproject.org +db-qa01.iad2.fedoraproject.org +db-qa02.iad2.fedoraproject.org +db-qa03.iad2.fedoraproject.org [dbserver_stg] db-fas01.stg.phx2.fedoraproject.org @@ -523,6 +526,9 @@ openqa-stg01.qa.fedoraproject.org [openqa] openqa01.qa.fedoraproject.org +[openqa_iad2] +openqa01.iad2.fedoraproject.org + [openqa_workers] qa02.qa.fedoraproject.org qa05.qa.fedoraproject.org @@ -619,11 +625,13 @@ proxy01.stg.phx2.fedoraproject.org [relvalconsumer_common] openqa01.qa.fedoraproject.org +openqa01.iad2.fedoraproject.org openqa-stg01.qa.fedoraproject.org # This group should only ever contain *ONE* system [relvalconsumer] openqa01.qa.fedoraproject.org +#openqa01.iad2.fedoraproject.org [relvalconsumer_test] openqa-stg01.qa.fedoraproject.org @@ -631,10 +639,12 @@ openqa-stg01.qa.fedoraproject.org [checkcompose_common] openqa01.qa.fedoraproject.org openqa-stg01.qa.fedoraproject.org +openqa01.iad2.fedoraproject.org # This group should only ever contain *ONE* system [checkcompose] openqa01.qa.fedoraproject.org +#openqa01.iad2.fedoraproject.org [checkcompose_stg] openqa-stg01.qa.fedoraproject.org 
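Review bot: In `inventory/group_vars/resultsdb_iad_prod`, `allowed_hosts` lists the prefixes `10.5.124` and `10.5.131` with no comment saying which networks they are. This vars file is for a new datacenter, so confirm they are the iad2 client networks and not values carried over from an existing group; a stale prefix either keeps an unrelated network allowed or locks out the hosts that should submit results. `tcp_ports` also includes `"{{ resultsdb_db_port }}"` although `resultsdb_db_host_machine` is a separate host; if `tcp_ports` drives the host firewall, as the name suggests, the database port need not be opened on the resultsdb box and `tcp_ports: [80, 443]` would do. A one-line comment above `allowed_hosts` naming each network would make later review easier.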
@@ -642,13 +652,15 @@ openqa-stg01.qa.fedoraproject.org [resultsdb:children] resultsdb_stg resultsdb_prod +resultsdb_iad_prod [resultsdb_stg] resultsdb-stg01.qa.fedoraproject.org - [resultsdb_prod] resultsdb01.qa.fedoraproject.org + +[resultsdb_iad_prod] resultsdb01.iad2.fedoraproject.org [smtp_mm] @@ -869,6 +881,7 @@ zanata2fedmsg01.phx2.fedoraproject.org retrace01.qa.fedoraproject.org resultsdb01.qa.fedoraproject.org openqa01.qa.fedoraproject.org +openqa01.iad2.fedoraproject.org openqa-ppc64le-01.qa.fedoraproject.org [fedmsg_qa_network_stg] @@ -1086,6 +1099,7 @@ gnome-backups01.phx2.fedoraproject.org # openQA boxes start - note old openQA aarch64 workers intentionally # not here as they are not in QA network at all openqa01.qa.fedoraproject.org +openqa01.iad2.fedoraproject.org openqa-stg01.qa.fedoraproject.org openqa-aarch64-01.qa.fedoraproject.org openqa-aarch64-03.qa.fedoraproject.org @@ -1102,6 +1116,9 @@ qa14.qa.fedoraproject.org db-qa01.qa.fedoraproject.org db-qa02.qa.fedoraproject.org db-qa03.qa.fedoraproject.org +db-qa01.iad2.fedoraproject.org +db-qa02.iad2.fedoraproject.org +db-qa03.iad2.fedoraproject.org resultsdb01.qa.fedoraproject.org resultsdb-stg01.qa.fedoraproject.org taskotron-dev01.qa.fedoraproject.org @@ -1385,6 +1402,10 @@ vmhost-x86-05.iad2.fedoraproject.org vmhost-x86-06.iad2.fedoraproject.org vmhost-x86-07.iad2.fedoraproject.org wiki01.iad2.fedoraproject.org +openqa01.iad2.fedoraproject.org +db-qa01.iad2.fedoraproject.org +db-qa02.iad2.fedoraproject.org +db-qa03.iad2.fedoraproject.org [iad2:vars] ansible_group_priority=10 diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index c504485a72..6f9a7fc4cd 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml 
@@ -1,7 +1,7 @@ -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=openqa:openqa_stg" +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=openqa:openqa_stg:openqa_iad2" - name: setup base openQA host - hosts: openqa:openqa_stg + hosts: openqa:openqa_stg:openqa_iad2 user: root gather_facts: True @@ -33,7 +33,7 @@ - import_tasks: "{{ handlers_path }}/restart_services.yml" - name: configure fedora-messaging queues on openQA servers - hosts: openqa:openqa_stg + hosts: openqa:openqa_stg:openqa_iad2 user: root gather_facts: True diff --git a/playbooks/groups/postgresql-server.yml b/playbooks/groups/postgresql-server.yml index 197bac147e..596a1e89c8 100644 --- a/playbooks/groups/postgresql-server.yml +++ b/playbooks/groups/postgresql-server.yml 
@@ -2,12 +2,12 @@ # NOTE: should be used with --limit most of the time # NOTE: most of these vars_path come from group_vars/backup_server or from hostvars -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.org:db_qa03.qa.fedoraproject.org:db-koji02.phx2.fedoraproject.org:db-fas01.iad2.fedoraproject.org:db01.iad2.fedoraproject.org:db-datanommer01.iad2.fedoraproject.org:db-koji01.iad2.fedoraproject.org" +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.org:db-qa03.qa.fedoraproject.org:db-koji02.phx2.fedoraproject.org:db-fas01.iad2.fedoraproject.org:db01.iad2.fedoraproject.org:db-datanommer01.iad2.fedoraproject.org:db-koji01.iad2.fedoraproject.org:db-qa01.iad2.fedoraproject.org:db-qa02.iad2.fedoraproject.org:db-qa03.iad2.fedoraproject.org" # Once the instance exists, configure it. 
- name: configure postgresql server system - hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.org:db-qa03.qa.fedoraproject.org:db-koji02.phx2.fedoraproject.org:db-fas01.iad2.fedoraproject.org:db01.iad2.fedoraproject.org:db-datanommer01.iad2.fedoraproject.org:db-koji01.iad2.fedoraproject.org + hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.org:db-qa03.qa.fedoraproject.org:db-koji02.phx2.fedoraproject.org:db-fas01.iad2.fedoraproject.org:db01.iad2.fedoraproject.org:db-datanommer01.iad2.fedoraproject.org:db-koji01.iad2.fedoraproject.org:db-qa01.iad2.fedoraproject.org:db-qa02.iad2.fedoraproject.org:db-qa03.iad2.fedoraproject.org user: root gather_facts: True diff --git a/playbooks/groups/resultsdb.yml b/playbooks/groups/resultsdb.yml index 91372e1fc1..413d022fff 100644 --- a/playbooks/groups/resultsdb.yml +++ b/playbooks/groups/resultsdb.yml @@ -3,10 +3,10 @@ # NOTE: make sure there is room/space for this server on the vmhost # NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=resultsdb_dev:resultsdb_stg:resultsdb_prod" +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=resultsdb_dev:resultsdb_stg:resultsdb_prod:resultsdb_iad2_prod" - name: make the box be real - hosts: resultsdb_dev:resultsdb_stg:resultsdb_prod + hosts: resultsdb_dev:resultsdb_stg:resultsdb_prod:resultsdb_iad2_prod user: root gather_facts: True 
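Review bot: In `playbooks/groups/postgresql-server.yml` the same colon-separated host list is kept twice, once in the `myhosts=` argument and once in `hosts:`, and this change has to correct a `db_qa03` typo that existed in only one of the two copies. Targeting an inventory group in both places would remove that drift, for example `hosts: <db_group>` where `<db_group>` is a placeholder for whichever group holds exactly these servers. With two hand-edited lists, a host missing from one of them is created but never configured, or the reverse. The play body continues past this hunk.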
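Review bot: The plays in `playbooks/groups/resultsdb.yml` target `resultsdb_iad2_prod`, but the inventory hunk in this commit defines `[resultsdb_iad_prod]` and the new vars file is `inventory/group_vars/resultsdb_iad_prod`; none of the visible hunks defines a `resultsdb_iad2_prod` group. The same inventory hunk appears to move `resultsdb01.iad2.fedoraproject.org` out of `[resultsdb_prod]`, so the host would no longer match any pattern in this playbook and would be left unconfigured by it. Use one name throughout, e.g. `hosts: resultsdb_dev:resultsdb_stg:resultsdb_prod:resultsdb_iad_prod`. The same correction applies to the `myhosts=` line in this hunk and to the two later hunks (`configure resultsdb production` and `Install ci-resultsdb-listener`).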
@@ -78,7 +78,7 @@ - import_tasks: "{{ handlers_path }}/restart_services.yml" - name: configure resultsdb production - hosts: resultsdb_dev:resultsdb_stg:resultsdb_prod + hosts: resultsdb_dev:resultsdb_stg:resultsdb_prod:resultsdb_iad2_prod user: root gather_facts: True @@ -96,7 +96,7 @@ - import_tasks: "{{ handlers_path }}/restart_services.yml" - name: Install ci-resultsdb-listener - hosts: resultsdb_stg:resultsdb_prod + hosts: resultsdb_stg:resultsdb_prod:resultsdb_iad2_prod user: root gather_facts: True diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2 index ed19ae0efa..638ad55345 100644 --- a/roles/rkhunter/templates/rkhunter.conf.j2 +++ b/roles/rkhunter/templates/rkhunter.conf.j2 @@ -408,7 +408,7 @@ ALLOWDEVFILE=/dev/shm/sem.slapd*.stats {% if inventory_hostname in groups['proxies'] or inventory_hostname in groups['proxies_stg'] %} ALLOWDEVFILE=/dev/shm/libpod_rootless_lock_441 {% endif %} -{% if inventory_hostname in groups['pgbdr'] or inventory_hostname in groups['pgbdr_stg'] or inventory_hostname == 'hubs01.stg.phx2.fedoraproject.org' or inventory_hostname == 'db-koji01.stg.phx2.fedoraproject.org' or inventory_hostname == 'db-qa03.qa.fedoraproject.org' or inventory_hostname == 'pagure-stg01.fedoraproject.org' %} +{% if inventory_hostname in groups['pgbdr'] or inventory_hostname in groups['pgbdr_stg'] or inventory_hostname == 'hubs01.stg.phx2.fedoraproject.org' or inventory_hostname == 'db-koji01.stg.phx2.fedoraproject.org' or inventory_hostname == 'db-qa03.qa.fedoraproject.org' or inventory_hostname == 'db-qa03.iad2.fedoraproject.org' or inventory_hostname == 'pagure-stg01.fedoraproject.org' %} ALLOWDEVFILE=/dev/shm/PostgreSQL* {% endif %}
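Review bot: In `rkhunter.conf.j2` the `ALLOWDEVFILE=/dev/shm/PostgreSQL*` exception is again keyed on a literal hostname, so the condition gains another `inventory_hostname == '...'` clause for every database host that needs it. A dedicated inventory group tested with `inventory_hostname in groups[...]`, as the `pgbdr` clauses on the same line already do, would keep this rkhunter allowlist reviewable in one place. Only `db-qa03.iad2` of the three `db-qa0x.iad2` hosts added in this commit receives the exception; if that is deliberate, a Jinja comment above the `{% if %}` stating why would stop the other two from being added by habit and widening the allowlist.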