mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-05-05 06:43:35 +08:00
457 lines
12 KiB
YAML
457 lines
12 KiB
YAML
#
|
|
# This is a base koji_builder role.
|
|
#
|
|
---
|
|
- name: Set hostname
|
|
hostname: name="{{inventory_hostname}}"
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Set root passwd
|
|
user: name=root password={{ builder_rootpw }} state=present
|
|
tags:
|
|
- koji_builder
|
|
- rootpw
|
|
|
|
- name: Add mock user as 425
|
|
user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Make mock homedir perms
|
|
ansible.builtin.file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Add mock ssh dir
|
|
ansible.builtin.file: state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Add mock ssh keys
|
|
ansible.builtin.copy: src=mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Add kojibuilder
|
|
user: name=kojibuilder groups=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Add mockbuilder
|
|
user: name=mockbuilder groups=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Mockbuilder .ssh dir
|
|
ansible.builtin.file: state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Mockbuilder ssh key
|
|
ansible.builtin.copy: src=ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Make a bunch of dirs
|
|
ansible.builtin.file: state=directory path={{ item }}
|
|
with_items:
|
|
- /pub
|
|
- /pub/fedora
|
|
- /pub/epel
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Install packages needed by koji_builders
|
|
ansible.builtin.package:
|
|
state: present
|
|
name:
|
|
- koji-builder
|
|
- koji-builder-plugins
|
|
- python3-koji
|
|
- strace
|
|
- mock
|
|
- mock-rpmautospec
|
|
- linux-firmware
|
|
- kernel-modules
|
|
- rsyslog
|
|
- audit
|
|
- pycdio
|
|
- python3-kickstart
|
|
- libvirt-client
|
|
- oz
|
|
- imagefactory
|
|
- imagefactory-plugins-TinMan
|
|
- imagefactory-plugins-Docker
|
|
- imagefactory-plugins-GCE
|
|
- imagefactory-plugins-vSphere
|
|
- imagefactory-plugins-ovfcommon
|
|
- imagefactory-plugins
|
|
- imagefactory-plugins-OVA
|
|
- imagefactory-plugins-RHEVM
|
|
- pykickstart
|
|
- nosync
|
|
- koji-osbuild-builder
|
|
- ipset
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder_osbuild
|
|
|
|
- name: Install packages needed by koji_builders for image-builder
|
|
ansible.builtin.package:
|
|
state: present
|
|
name:
|
|
- koji-image-builder-builder
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder_image_builder
|
|
|
|
#
|
|
# rpmautospec plugin
|
|
#
|
|
|
|
- name: Remove koji builder rpmautospec plugin
|
|
ansible.builtin.package:
|
|
name:
|
|
- koji-builder-plugin-rpmautospec
|
|
- python3-rpmautospec
|
|
- rpmautospec
|
|
state: absent
|
|
tags:
|
|
- packages
|
|
- koji_builder
|
|
- rpmautospec
|
|
|
|
- name: Remove obsolete configuration of rpmautospec
|
|
ansible.builtin.file:
|
|
path: "/etc/kojid/plugins/{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- rpmautospec.conf
|
|
- rpmautospec.conf.rpmnew
|
|
- rpmautospec.conf.rpmsave
|
|
- rpmautospec.conf.rpmorig
|
|
tags:
|
|
- koji_builder
|
|
- rpmautospec
|
|
|
|
- name: Install Flatpak builder plugin
|
|
ansible.builtin.package: name=koji-flatpak-builder state=present
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Configure flatpak-builder plugin
|
|
ansible.builtin.template: src=flatpak.conf dest=/etc/kojid/plugins/flatpak.conf
|
|
vars:
|
|
candidate_registry: "candidate-registry{{ env_suffix }}.fedoraproject.org"
|
|
notify:
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
|
|
# edk2-arm is dead as of F42 ...
|
|
# From: https://src.fedoraproject.org/rpms/edk2/
|
|
# commit 53fa21dafcef14a7d264a89c2977cdbef58df770
|
|
# edk2-aarch64 says: UEFI firmware for aarch64 virtual machines
|
|
- name: Install arm UEFI firmware package (aarch64 only)
|
|
ansible.builtin.package: name=edk2-aarch64 state=present
|
|
tags:
|
|
- koji_builder
|
|
when: "ansible_architecture is defined and ansible_architecture == 'aarch64'"
|
|
|
|
- name: Enable virtlogd service
|
|
service: name=virtlogd state=started enabled=yes
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Build /etc/kojid/kojid.conf from group vars
|
|
ansible.builtin.template: src=kojid.conf dest=/etc/kojid/kojid.conf
|
|
notify:
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
- rpmautospec
|
|
|
|
- name: Create osbuild builder config directory
|
|
ansible.builtin.file: path=/etc/koji-osbuild state=directory mode=0755
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder_osbuild
|
|
|
|
- name: Build /etc/koji-osbuild/builder.conf
|
|
ansible.builtin.template: src=builder.conf{{env_suffix}} dest=/etc/koji-osbuild/builder.conf
|
|
notify:
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder_osbuild
|
|
|
|
- name: Build /etc/koji/koji.conf from group vars
|
|
ansible.builtin.template: src=koji.conf dest=/etc/koji.conf
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Config for the kojid runroot plugin (only some builders)
|
|
ansible.builtin.template: src=runroot.conf.j2 dest=/etc/kojid/plugins/runroot.conf
|
|
when: "'runroot' in group_names"
|
|
notify:
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Override kojid.service file to set TasksMax to unlimited
|
|
ansible.builtin.copy: src=kojid.service dest=/etc/systemd/system/kojid.service
|
|
notify:
|
|
- Reload systemd
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
|
|
# setup for oz/imagefactory
|
|
- name: Make .psphere dir
|
|
ansible.builtin.file: state=directory path=/root/.psphere mode=775 owner=root group=root
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Make .psphere/templates dir
|
|
ansible.builtin.file: state=directory path=/root/.psphere/templates mode=775 owner=root group=root
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Copy over /root/.psphere/config.yaml
|
|
ansible.builtin.copy: src={{ private }}/files/koji/config.yaml dest=/root/.psphere/config.yaml
|
|
tags:
|
|
- koji_builder
|
|
# done oz/imagefactory
|
|
|
|
- name: Copy over /etc/security/limits.conf
|
|
ansible.builtin.copy: src=limits.conf dest=/etc/security/limits.conf
|
|
tags:
|
|
- koji_builder
|
|
|
|
# oz.cfg upstream ram and cpu definitions are not enough
|
|
- name: Oz.cfg
|
|
ansible.builtin.template: src=oz.cfg.j2 dest=/etc/oz/oz.cfg
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/oz.cfg
|
|
|
|
# install libvirtd.conf
|
|
#
|
|
# This provides us with the ability to use virt-manager from non root accounts.
|
|
# This is useful in the oz/imagefactory context for debugging
|
|
|
|
- name: Install libvirtd.conf
|
|
ansible.builtin.copy: src="{{ files }}/virthost/libvirtd.conf" dest=/etc/libvirt/libvirtd.conf
|
|
tags:
|
|
- koji_builder
|
|
when: env != "staging"
|
|
|
|
# install libvirt/network.conf
|
|
#
|
|
# The default in f41+ is to use nftables, but it's not compatible with the
|
|
# iptables setup we are using on the builders for some reason.
|
|
# So, switch back to iptables until we switch to nftables, or move everying
|
|
# away from oz/Imagefactory so we don't need virt instances for image builds
|
|
# anymore.
|
|
|
|
- name: Install libvirt/network.conf
|
|
ansible.builtin.copy: src=network.conf dest=/etc/libvirt/network.conf
|
|
notify:
|
|
- Restart virtnetworkd
|
|
tags:
|
|
- koji_builder
|
|
- iptables
|
|
when: env != "staging"
|
|
|
|
#
|
|
# On primary we want to make a /mnt/koji link to /mnt/fedora_koji/koji
|
|
#
|
|
|
|
- name: Make a mnt/koji link
|
|
ansible.builtin.file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
|
|
when: koji_hub_nfs is defined and koji_hub_nfs == "fedora_koji" and createrepo == True
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Make a mnt/koji link
|
|
ansible.builtin.file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji force=yes
|
|
when: inventory_hostname.startswith(('buildvm-s390x-11', 'buildvm-s390x-12', 'buildvm-s390x-13'))
|
|
tags:
|
|
- koji_builder
|
|
|
|
#
|
|
# alternative arch builders however want to link to /mnt/fedora_koji/koji
|
|
#
|
|
|
|
- name: Make a mnt/koji link
|
|
ansible.builtin.file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
|
|
when: koji_hub_nfs is defined and koji_hub_nfs != "fedora_koji" and createrepo == True
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Mock site-defaults.cfg
|
|
ansible.builtin.template: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
|
|
when: not inventory_hostname.startswith(('bkernel'))
|
|
tags:
|
|
- koji_builder
|
|
- site-defaults
|
|
|
|
# x86_64 builders run both x86_64 and i686 builds, that requires multilib
|
|
# version of nosync installed to fully take advantage of nosync
|
|
- name: Special pkgs for the x86_64 builders
|
|
ansible.builtin.package:
|
|
state: present
|
|
name:
|
|
- nosync.i686
|
|
when: ansible_architecture == 'x86_64'
|
|
tags:
|
|
- koji_builder
|
|
|
|
# Before, the builders had the "apache" role. This is a temporary play to remove the httpd daemon everywhere
|
|
- name: Uninstall httpd
|
|
ansible.builtin.package: name=httpd
|
|
state=absent
|
|
tags:
|
|
- koji_builder
|
|
- removehttpd
|
|
|
|
- name: Add the Apache group
|
|
group: name=apache
|
|
gid=48
|
|
system=yes
|
|
state=present
|
|
tags:
|
|
- koji_builder
|
|
- removehttpd
|
|
|
|
- name: Create the apache user
|
|
user: name=apache
|
|
uid=48
|
|
createhome=no
|
|
group=apache
|
|
home=/usr/share/httpd
|
|
shell=/sbin/nologin
|
|
system=yes
|
|
state=present
|
|
tags:
|
|
- koji_builder
|
|
- removehttpd
|
|
|
|
- name: Make sure we are in permissive selinux mode
|
|
selinux: policy=targeted state=permissive
|
|
tags:
|
|
- koji_builder
|
|
- selinux
|
|
|
|
- name: Create directory for shared secrets
|
|
ansible.builtin.file:
|
|
path: /etc/kojid/secrets
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0660"
|
|
tags:
|
|
- koji_builder
|
|
when: env == "staging"
|
|
|
|
# https://pagure.io/fedora-infrastructure/issue/6636
|
|
- name: Install libkcapi to get increased sockets on armv7
|
|
dnf: name=libkcapi enablerepo=updates-testing state=present
|
|
tags:
|
|
- koji_builder
|
|
when: ansible_architecture == 'armv7l'
|
|
|
|
# set highmem_is_dirtyable in compose armv7 machines.
|
|
# see: https://bugzilla.redhat.com/show_bug.cgi?id=1504264
|
|
#
|
|
- name: Set highmem_is_dirtyable on armv7 builders that are in the compose channel.
|
|
sysctl: name=vm.highmem_is_dirtyable value=1 state=present sysctl_set=yes reload=yes
|
|
tags:
|
|
- koji_builder
|
|
when: inventory_hostname.startswith(('buildvm-armv7-01.arm', 'buildvm-armv7-02', 'buildvm-armv7-03'))
|
|
|
|
#
|
|
# Add rngd so that virtual maachines have enough randomness to boot in our lifetimes
|
|
#
|
|
- name: Install rng-tools for entropy
|
|
ansible.builtin.package: name=rng-tools state=present
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/rngd
|
|
when: ansible_architecture == 'x86_64'
|
|
|
|
- name: Start rngd
|
|
service: name=rngd state=started enabled=yes
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/rngd
|
|
when: ansible_architecture == 'x86_64'
|
|
|
|
- name: Disable systemd-oomd we do not need or want it
|
|
systemd: name=systemd-oomd state=stopped enabled=no masked=true
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/oomd
|
|
|
|
- name: Install script to update osbuild api ip in the firewall
|
|
ansible.builtin.template: src=osbuildapi-update.sh dest=/usr/local/bin/osbuildapi-update.sh mode=755
|
|
when: not nftables
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Install cron job to run osbuild api ip update script every minute.
|
|
ansible.builtin.template: src=osbuildapi-update.cron dest=/etc/cron.d/osbuildapi-update.cron mode=644
|
|
when: not nftables and 'osbuild' in group_names
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Remove cron job to run osbuild api ip update script.
|
|
ansible.builtin.file: path=/etc/cron.d/osbuildapi-update.cron state=absent
|
|
when: nftables or 'osbuild' not in group_names
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Install script to update osbuild api ip in the firewall (nftables)
|
|
ansible.builtin.template: src=osbuildapi-update-nft.sh dest=/usr/local/bin/osbuildapi-update-nft.sh mode=755
|
|
when: nftables
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Install cron job to run osbuild api ip update script every minute. (nftables)
|
|
ansible.builtin.template: src=osbuildapi-update-nft.cron dest=/etc/cron.d/osbuildapi-update-nft.cron mode=644
|
|
when: nftables and 'osbuild' in group_names
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Remove cron job to run osbuild api ip update script every minute. (nftables)
|
|
ansible.builtin.file: path=/etc/cron.d/osbuildapi-update-nft.cron state=absent
|
|
when: not nftables or 'osbuild' not in group_names
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Create override dir for systemd-nspawn containers config
|
|
ansible.builtin.file:
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
path: /etc/systemd/system/machine-.scope.d
|
|
when: inventory_hostname.startswith(('buildhw-a64'))
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/nspawn
|
|
|
|
- name: Create override config for systemd-nspawn containers to allow coredumps
|
|
ansible.builtin.template: src=nspawn-override.conf dest=/etc/systemd/system/machine-.scope.d/80-infra.conf mode=0644
|
|
when: inventory_hostname.startswith(('buildhw-a64'))
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/nspawn
|