# Required vars # - openqa_email ## string - Email address of admin user # - openqa_nickname ## string - Short name of admin user (shown in the web UI for e.g.) # - openqa_fullname ## string - Full name of admin user # - openqa_key # - openqa_secret ## string - MUST be 16-character hexadecimals, and are secrets # openqa_userid ## string - User ID of admin user: for Fedora should be a Fedora openID URL, ## http://fasname.id.fedoraproject.org # Required vars with defaults # - external_hostname ## string - The public hostname for the server (will be used as ServerName) ## default - ansible_nodename # - openqa_repo ## string - Repo to enable when updating openQA packages. Set to ## 'updates-testing' to use packages from updates-testing ## default - 'updates', which is effectively a no-op # Optional vars # - openqa_static_uid ## int - a static ID for the geekotest user and group if desired ## this is useful for NFS mounting openQA data files # - openqa_dbname ## string - The name of the database to use # - openqa_dbhost ## string - The hostname of the database server # - openqa_dbuser ## string - The database username # - openqa_dbpassword ## string - The database password # - openqa_assetsize ## int - the asset size limit to set in GB (upstream default is 100GB) ## higher is recommended for normal Fedora testing, 300GB is good ## FIXME: this only works for pgsql ATM # - openqa_assetsize_updates ## int - the asset size limit to set for update job groups in GB ## (upstream default is 100GB). Lower is recommended for normal ## Fedora testing, 50GB is good ## FIXME: this only works for pgsql ATM # - openqa_amqp_publisher_prefix ## string - openQA AMQP 'topic_prefix' config value. This prefix is ## prepended to the topic when publishing messages with the ## AMQP or FedoraMessaging plugins, with a . added (so don't ## include the . in the value). If set to an empty string, ## openQA from before August 2019 will use 'suse' as the ## prefix; later openQA will omit the prefix entirely ## default - '' (empty string) # - openqa_amqp_publisher_url ## string - AMQP broker URL for publishing messages with the AMQP or ## FedoraMessaging plugins, e.g. ## amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpubsub ## default - amqp://test:@localhost/%2Fpubsub # - openqa_amqp_publisher_exchange ## string - exchange to publish AMQP messages to with AMQP or ## FedoraMessaging plugins, e.g. amq.topic. Note, this can ## be (ab)used to set additional query parameters for the ## publish request, by just appending them, e.g. ## amq.topic&cacertfile=/path/to/ca_certificate_file ## default - amq.topic # - openqa_webapi_plugins ## string - Space-separated list of openQA WebAPI plugins to enable ## Note if you enable FedoraMessaging or AMQP plugins, you should ## also set openqa_amqp_publisher_prefix, openqa_amqp_publisher_url ## and openqa_amqp_publisher_exchange # - deployment_type ## string - Fedora Infrastructure thing; for this role, applies an ## infra-specific tweak to httpd config. Don't set it outside ## Fedora infra. # - openqa_nfs_workers ## list - A list of hostnames of workers that will share the factory ## directory via NFS. All these will be granted rw access to ## the share (they need write access to be able to decompress ## compressed disk images on the fly). If not defined, the ## factory dir will not be shared via NFS at all. # - openqa_auth_method ## string - authentication method to use (Fake, OpenID, OAuth2) ## default - Fake # - openqa_oauth2_secret ## string - the secret to use for OAuth2 authentcation. Required if ## openqa_auth_method is OAuth2 # If openqa_dbhost is set, the other openqa_db* variables must be too, # and the server will be configured to use a pgsql database accordingly. # If openqa_dbhost is not set, the server will use a local SQLite database # and the other openqa_db* values are ignored. --- - name: Create geekotest group with static GID group: "name=geekotest gid={{ openqa_static_uid }} system=yes" when: "openqa_static_uid is defined" - name: Create geekotest user with static UID user: name: geekotest comment: "openQA user" uid: "{{ openqa_static_uid }}" group: geekotest home: "/var/lib/openqa" createhome: no system: yes shell: /sbin/nologin when: "openqa_static_uid is defined" - name: Remove old scratch repo directory ansible.builtin.file: path=/var/tmp/scratchrepo state=absent - name: Delete old scratch build repo config ansible.builtin.file: path=/etc/yum.repos.d/scratchrepo.repo state=absent - name: Write lab side repo config ansible.builtin.copy: src=openqa-lab-repo.repo dest=/etc/yum.repos.d/openqa-lab-repo.repo owner=root group=root mode=0644 when: "deployment_type is defined and deployment_type == 'stg'" - name: Write prod side repo config ansible.builtin.copy: src=openqa-prod-repo.repo dest=/etc/yum.repos.d/openqa-prod-repo.repo owner=root group=root mode=0644 when: "deployment_type is defined and deployment_type == 'prod'" # this is separate from the step below so we can use openqa_repo just # for these packages - name: Install openQA packages ansible.builtin.package: name: - openqa - openqa-httpd - openqa-plugin-fedora-messaging state: latest enablerepo: "{{ openqa_repo }}" tags: - packages - name: Install various other required packages ansible.builtin.package: name: - python3-libselinux # for using seboolean module - git # for checking out tests/tools - jq # for checking if tests changed after template load - python3-libsemanage # for using seboolean module - perl(Class::DBI::Pg) # for using postgresql DB - genisoimage # for building cloud-init ISO - policycoreutils # for loading SELinux policy module state: present tags: - packages - name: Install various other required packages ansible.builtin.package: name: - nfs-utils # for configuring/running NFS server state: present when: "openqa_nfs_workers is defined" tags: - packages - name: Check test directory exists with correct ownership ansible.builtin.file: path=/var/lib/openqa/share/tests/fedora state=directory owner=geekotest group=geekotest recurse=yes # we don't want to run the checkout if the tests are on a non-standard # branch, as that usually means we're messing around on staging and # don't want the checkout reset to HEAD. - name: Check if tests are checked out and on a non-standard branch ansible.builtin.command: "git status" # noqa 303 args: chdir: /var/lib/openqa/share/tests/fedora register: testsbranch failed_when: "1 != 1" changed_when: "1 != 1" check_mode: no - name: Check out the tests git: repo: https://pagure.io/fedora-qa/os-autoinst-distri-fedora.git # noqa 401 dest: /var/lib/openqa/share/tests/fedora register: gittests become: true become_user: geekotest when: > (testsbranch.stderr.find('ot a git repository') != -1) or (testsbranch.stdout.find('On branch main') != -1 and testsbranch.stdout.find('Changes not staged') == -1) - name: Remove old openqa_fedora_tools checkout ansible.builtin.file: path=/root/openqa_fedora_tools state=absent - name: Create asset directories ansible.builtin.file: path={{ item }} state=directory owner=geekotest group=geekotest mode=0775 with_items: - /var/lib/openqa/share/factory/iso - /var/lib/openqa/share/factory/iso/fixed - /var/lib/openqa/share/factory/hdd - /var/lib/openqa/share/factory/hdd/fixed - /var/lib/openqa/share/factory/repo - /var/lib/openqa/share/factory/other - name: Copy in meta-data for cloud-init ISO creation ansible.builtin.copy: src=meta-data dest=/var/tmp/meta-data owner=root group=root mode=0644 - name: Copy in user-data for cloud-init ISO creation ansible.builtin.copy: src=user-data dest=/var/tmp/user-data owner=root group=root mode=0644 - name: Create cloud-init ISO ansible.builtin.command: genisoimage -output cloudinit.iso -volid cidata -joliet -rock /var/tmp/user-data /var/tmp/meta-data args: chdir: /var/lib/openqa/share/factory/iso/fixed creates: /var/lib/openqa/share/factory/iso/fixed/cloudinit.iso - name: Create exports file ansible.builtin.template: src=exports.j2 dest=/etc/exports.d/openqa.exports owner=root group=root mode=0644 register: exportsfile when: openqa_nfs_workers is defined tags: - config - name: Enable and start NFS server service: name=nfs-server enabled=yes state=started when: openqa_nfs_workers is defined - name: Refresh exports ansible.builtin.command: exportfs -r when: exportsfile is changed - name: Set up Apache config ansible.builtin.template: src=openqa.conf.httpd.j2 dest=/etc/httpd/conf.d/openqa.conf owner=root group=root mode=0644 notify: - Reload httpd tags: - config - name: OpenQA config ansible.builtin.template: src=openqa.ini.j2 dest=/etc/openqa/openqa.ini owner=geekotest group=root mode=0640 tags: - config - name: Create database delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}" become_user: postgres become: true postgresql_db: db={{ openqa_dbname }} when: "openqa_dbhost is defined" - name: Ensure db user has access to database delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}" become_user: postgres become: true postgresql_user: db={{ openqa_dbname }} user={{ openqa_dbuser }} password={{ openqa_dbpassword }} role_attr_flags=NOSUPERUSER when: "openqa_dbhost is defined" - name: Database config ansible.builtin.template: src=database.ini.pgsql.j2 dest=/etc/openqa/database.ini owner=geekotest group=root mode=0640 when: "openqa_dbhost is defined" tags: - config - name: Initialize database ansible.builtin.shell: "/usr/share/openqa/script/initdb --user geekotest --init_database" # noqa 305 register: initdb changed_when: "initdb.rc == 0" failed_when: "(initdb.rc > 0) and (initdb.stdout is not defined or initdb.stdout.find('already exists') == -1)" - name: Enable and start services service: name={{ item }} enabled=yes state=started register: services with_items: - openqa-livehandler - openqa-scheduler - openqa-webui - openqa-websockets - openqa-gru - name: Create somewhere to stick our custom SELinux module ansible.builtin.file: path: /usr/local/share/selinux state: directory mode: '0755' - name: Copy over custom SELinux module allowing httpd to connect to openQA ansible.builtin.copy: src=httpd-openqa.pp dest=/usr/local/share/selinux/httpd-openqa.pp owner=root group=root mode=0644 register: selinux_module - name: Load our custom SELinux module ansible.builtin.command: semodule -i /usr/local/share/selinux/httpd-openqa.pp when: selinux_module is changed # Unfortunately still need this until port 9528 is tagged: # https://bugzilla.redhat.com/show_bug.cgi?id=1277312 - name: Set httpd_can_network_connect SELinux boolean seboolean: name=httpd_can_network_connect state=yes persistent=yes - name: Allow Apache to read from NFS (as we store test data files there now) seboolean: name=httpd_use_nfs state=yes persistent=yes # services is undefined in check mode - name: Wait for openQA to be fully started pause: seconds=5 when: "services is defined and services is changed" # the 'dispatcher' role may require this to have a non-root group and # sets it 0640, so we don't enforce ownership here and set mode to # 0640 so we don't wind up ping-ponging it between server and # dispatcher roles. - name: OpenQA client config ansible.builtin.template: src=client.conf.j2 dest=/etc/openqa/client.conf mode=0640 tags: - config - name: Create admin user ansible.builtin.command: > /var/lib/openqa/script/create_admin --email {{ openqa_email }} --nickname {{ openqa_nickname }} --fullname '{{ openqa_fullname }}' --key {{ openqa_key }} --secret {{ openqa_secret }} {{ openqa_userid }} register: admin changed_when: "admin.rc == 0" failed_when: "(admin.rc > 0) and (admin.stderr is not defined or admin.stderr.find('already exists') == -1)" - name: Check if we're on upstream template format or FIF stat: path: /var/lib/openqa/share/tests/fedora/templates.fif.json register: templatesfif - name: Dump existing config for checking changes ansible.builtin.shell: "/usr/share/openqa/script/dump_templates --json > /tmp/tmpl-old.json || :" when: "(gittests is defined) and (gittests is changed)" changed_when: "1 != 1" # Because of the boring details of how template loading works, getting # a correct 'changed' for this step is too difficult. Instead we have # the dump (above) and check (later) steps; when the templates actually # changed, the *check* step will register as changed. - name: Load main tests (upstream format) ansible.builtin.command: "/var/lib/openqa/share/tests/fedora/templates --clean" when: "(gittests is defined) and (gittests is changed) and (not templatesfif.stat.exists)" changed_when: "1 != 1" - name: Load update tests (upstream format) ansible.builtin.command: "/var/lib/openqa/share/tests/fedora/templates-updates --update" when: "(gittests is defined) and (gittests is changed) and (not templatesfif.stat.exists)" changed_when: "1 != 1" - name: Load all tests (FIF format) ansible.builtin.command: "/var/lib/openqa/share/tests/fedora/fifloader.py -l --clean templates.fif.json templates-updates.fif.json" args: chdir: /var/lib/openqa/share/tests/fedora when: "(gittests is defined) and (gittests is changed) and (templatesfif.stat.exists)" changed_when: "1 != 1" - name: Check if the tests changed in previous step ansible.builtin.shell: "/usr/share/openqa/script/dump_templates --json > /tmp/tmpl-new.json && diff <(jq -S . /tmp/tmpl-old.json) <(jq -S . /tmp/tmpl-new.json)" when: "(gittests is defined) and (gittests is changed)" register: testsdiff changed_when: "testsdiff.rc > 0" failed_when: "1 != 1" - name: Set 'fedora' asset size limit (if specified) (pgsql) delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}" become_user: postgres become: true ansible.builtin.command: > psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize }} WHERE name = 'fedora' AND (size_limit_gb != {{ openqa_assetsize }} OR size_limit_gb IS NULL);" when: "openqa_dbhost is defined and openqa_assetsize is defined" register: pgsqlsize changed_when: "pgsqlsize.stdout.find('UPDATE 0') == -1" - name: Set 'Fedora PowerPC' asset size limit (if specified) (pgsql) delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}" become_user: postgres become: true ansible.builtin.command: > psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_ppc }} WHERE name = 'Fedora PowerPC' AND (size_limit_gb != {{ openqa_assetsize_ppc }} OR size_limit_gb IS NULL);" when: "openqa_dbhost is defined and openqa_assetsize_ppc is defined" register: pgsqlsizeppc changed_when: "pgsqlsizeppc.stdout.find('UPDATE 0') == -1" - name: Set 'Fedora AArch64' asset size limit (if specified) (pgsql) delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}" become_user: postgres become: true ansible.builtin.command: > psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_aarch64 }} WHERE name = 'Fedora AArch64' AND (size_limit_gb != {{ openqa_assetsize_aarch64 }} OR size_limit_gb IS NULL);" when: "openqa_dbhost is defined and openqa_assetsize_aarch64 is defined" register: pgsqlsizeaarch64 changed_when: "pgsqlsizeaarch64.stdout.find('UPDATE 0') == -1" - name: Set (x86_64) update job group asset size limit (if specified) (pgsql) delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}" become_user: postgres become: true ansible.builtin.command: > psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_updates }} WHERE name = 'Fedora Updates' AND (size_limit_gb != {{ openqa_assetsize_updates }} OR size_limit_gb IS NULL);" when: "openqa_dbhost is defined and openqa_assetsize_updates is defined" register: pgsqlupdatesize changed_when: "pgsqlupdatesize.stdout.find('UPDATE 0') == -1" - name: Set ppc64le update job group asset size limit (if specified) (pgsql) delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}" become_user: postgres become: true ansible.builtin.command: > psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_updates_ppc }} WHERE name = 'Fedora PowerPC Updates' AND (size_limit_gb != {{ openqa_assetsize_updates_ppc }} OR size_limit_gb IS NULL);" when: "openqa_dbhost is defined and openqa_assetsize_updates_ppc is defined" register: pgsqlupdatesizeppc changed_when: "pgsqlupdatesizeppc.stdout.find('UPDATE 0') == -1"