mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-05-01 05:51:56 +08:00
1e777285e6
Enables the `image-builder` plugin from `koji-image-builder` in the production environment for both the koji hub, and the koji builder (kojid). This is based on the earlier enablement in staging where I've succesfully tested some builds and it didn't seem to bring down all of the staging instance. Signed-off-by: Simon de Vlieger <supakeen@redhat.com>
454 lines
12 KiB
YAML
454 lines
12 KiB
YAML
#
|
|
# This is a base koji_builder role.
|
|
#
|
|
---
|
|
- name: Set hostname
|
|
hostname: name="{{inventory_hostname}}"
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Set root passwd
|
|
user: name=root password={{ builder_rootpw }} state=present
|
|
tags:
|
|
- koji_builder
|
|
- rootpw
|
|
|
|
- name: Add mock user as 425
|
|
user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Make mock homedir perms
|
|
ansible.builtin.file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Add mock ssh dir
|
|
ansible.builtin.file: state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Add mock ssh keys
|
|
ansible.builtin.copy: src=mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Add kojibuilder
|
|
user: name=kojibuilder groups=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Add mockbuilder
|
|
user: name=mockbuilder groups=mock
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Mockbuilder .ssh dir
|
|
ansible.builtin.file: state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Mockbuilder ssh key
|
|
ansible.builtin.copy: src=ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Make a bunch of dirs
|
|
ansible.builtin.file: state=directory path={{ item }}
|
|
with_items:
|
|
- /pub
|
|
- /mnt/fedora_koji
|
|
- /pub/fedora
|
|
- /pub/epel
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Install packages needed by koji_builders
|
|
ansible.builtin.package:
|
|
state: present
|
|
name:
|
|
- koji-builder
|
|
- koji-builder-plugins
|
|
- python3-koji
|
|
- strace
|
|
- mock
|
|
- mock-rpmautospec
|
|
- linux-firmware
|
|
- kernel-modules
|
|
- rsyslog
|
|
- audit
|
|
- pycdio
|
|
- python3-kickstart
|
|
- libvirt-client
|
|
- oz
|
|
- imagefactory
|
|
- imagefactory-plugins-TinMan
|
|
- imagefactory-plugins-Docker
|
|
- imagefactory-plugins-GCE
|
|
- imagefactory-plugins-vSphere
|
|
- imagefactory-plugins-ovfcommon
|
|
- imagefactory-plugins
|
|
- imagefactory-plugins-OVA
|
|
- imagefactory-plugins-RHEVM
|
|
- pykickstart
|
|
- nosync
|
|
- koji-osbuild-builder
|
|
- ipset
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder_osbuild
|
|
|
|
- name: Install packages needed by koji_builders for image-builder
|
|
ansible.builtin.package:
|
|
state: present
|
|
name:
|
|
- koji-image-builder-builder
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder_image_builder
|
|
|
|
#
|
|
# rpmautospec plugin
|
|
#
|
|
|
|
- name: Remove koji builder rpmautospec plugin
|
|
ansible.builtin.package:
|
|
name:
|
|
- koji-builder-plugin-rpmautospec
|
|
- python3-rpmautospec
|
|
- rpmautospec
|
|
state: absent
|
|
tags:
|
|
- packages
|
|
- koji_builder
|
|
- rpmautospec
|
|
|
|
- name: Remove obsolete configuration of rpmautospec
|
|
ansible.builtin.file:
|
|
path: "/etc/kojid/plugins/{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- rpmautospec.conf
|
|
- rpmautospec.conf.rpmnew
|
|
- rpmautospec.conf.rpmsave
|
|
- rpmautospec.conf.rpmorig
|
|
tags:
|
|
- koji_builder
|
|
- rpmautospec
|
|
|
|
- name: Install Flatpak builder plugin
|
|
ansible.builtin.package: name=koji-flatpak-builder state=present
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Configure flatpak-builder plugin
|
|
ansible.builtin.template: src=flatpak.conf dest=/etc/kojid/plugins/flatpak.conf
|
|
vars:
|
|
candidate_registry: "candidate-registry{{ env_suffix }}.fedoraproject.org"
|
|
notify:
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Install arm UEFI firmware package (aarch64 only)
|
|
ansible.builtin.package: name=edk2-arm state=present
|
|
tags:
|
|
- koji_builder
|
|
when: "ansible_architecture is defined and ansible_architecture == 'aarch64'"
|
|
|
|
- name: Enable virtlogd service
|
|
service: name=virtlogd state=started enabled=yes
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Build /etc/kojid/kojid.conf from group vars
|
|
ansible.builtin.template: src=kojid.conf dest=/etc/kojid/kojid.conf
|
|
notify:
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
- rpmautospec
|
|
|
|
- name: Create osbuild builder config directory
|
|
ansible.builtin.file: path=/etc/koji-osbuild state=directory mode=0755
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder_osbuild
|
|
|
|
- name: Build /etc/koji-osbuild/builder.conf
|
|
ansible.builtin.template: src=builder.conf{{env_suffix}} dest=/etc/koji-osbuild/builder.conf
|
|
notify:
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder_osbuild
|
|
|
|
- name: Build /etc/koji/koji.conf from group vars
|
|
ansible.builtin.template: src=koji.conf dest=/etc/koji.conf
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Config for the kojid runroot plugin (only some builders)
|
|
ansible.builtin.template: src=runroot.conf.j2 dest=/etc/kojid/plugins/runroot.conf
|
|
when: "'runroot' in group_names"
|
|
notify:
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Override kojid.service file to set TasksMax to unlimited
|
|
ansible.builtin.copy: src=kojid.service dest=/etc/systemd/system/kojid.service
|
|
notify:
|
|
- Reload systemd
|
|
- Restart kojid
|
|
tags:
|
|
- koji_builder
|
|
|
|
# setup for oz/imagefactory
|
|
- name: Make .psphere dir
|
|
ansible.builtin.file: state=directory path=/root/.psphere mode=775 owner=root group=root
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Make .psphere/templates dir
|
|
ansible.builtin.file: state=directory path=/root/.psphere/templates mode=775 owner=root group=root
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Copy over /root/.psphere/config.yaml
|
|
ansible.builtin.copy: src={{ private }}/files/koji/config.yaml dest=/root/.psphere/config.yaml
|
|
tags:
|
|
- koji_builder
|
|
# done oz/imagefactory
|
|
|
|
- name: Copy over /etc/security/limits.conf
|
|
ansible.builtin.copy: src=limits.conf dest=/etc/security/limits.conf
|
|
tags:
|
|
- koji_builder
|
|
|
|
# oz.cfg upstream ram and cpu definitions are not enough
|
|
- name: Oz.cfg
|
|
ansible.builtin.template: src=oz.cfg.j2 dest=/etc/oz/oz.cfg
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/oz.cfg
|
|
|
|
# install libvirtd.conf
|
|
#
|
|
# This provides us with the ability to use virt-manager from non root accounts.
|
|
# This is useful in the oz/imagefactory context for debugging
|
|
|
|
- name: Install libvirtd.conf
|
|
ansible.builtin.copy: src="{{ files }}/virthost/libvirtd.conf" dest=/etc/libvirt/libvirtd.conf
|
|
tags:
|
|
- koji_builder
|
|
when: env != "staging"
|
|
|
|
# install libvirt/network.conf
|
|
#
|
|
# The default in f41+ is to use nftables, but it's not compatible with the
|
|
# iptables setup we are using on the builders for some reason.
|
|
# So, switch back to iptables until we switch to nftables, or move everying
|
|
# away from oz/Imagefactory so we don't need virt instances for image builds
|
|
# anymore.
|
|
|
|
- name: Install libvirt/network.conf
|
|
ansible.builtin.copy: src=network.conf dest=/etc/libvirt/network.conf
|
|
notify:
|
|
- Restart virtnetworkd
|
|
tags:
|
|
- koji_builder
|
|
- iptables
|
|
when: env != "staging"
|
|
|
|
#
|
|
# On primary we want to make a /mnt/koji link to /mnt/fedora_koji/koji
|
|
#
|
|
|
|
- name: Make a mnt/koji link
|
|
ansible.builtin.file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
|
|
when: koji_hub_nfs is defined and koji_hub_nfs == "fedora_koji" and createrepo == True
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Make a mnt/koji link
|
|
ansible.builtin.file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji force=yes
|
|
when: inventory_hostname.startswith(('buildvm-s390x-11', 'buildvm-s390x-12', 'buildvm-s390x-13'))
|
|
tags:
|
|
- koji_builder
|
|
|
|
#
|
|
# alternative arch builders however want to link to just /mnt/fedora_koji
|
|
#
|
|
|
|
- name: Make a mnt/koji link
|
|
ansible.builtin.file: state=link src=/mnt/fedora_koji dest=/mnt/koji
|
|
when: koji_hub_nfs is defined and koji_hub_nfs != "fedora_koji" and createrepo == True
|
|
tags:
|
|
- koji_builder
|
|
|
|
- name: Mock site-defaults.cfg
|
|
ansible.builtin.template: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
|
|
when: not inventory_hostname.startswith(('bkernel'))
|
|
tags:
|
|
- koji_builder
|
|
- site-defaults
|
|
|
|
# x86_64 builders run both x86_64 and i686 builds, that requires multilib
|
|
# version of nosync installed to fully take advantage of nosync
|
|
- name: Special pkgs for the x86_64 builders
|
|
ansible.builtin.package:
|
|
state: present
|
|
name:
|
|
- nosync.i686
|
|
when: ansible_architecture == 'x86_64'
|
|
tags:
|
|
- koji_builder
|
|
|
|
# Before, the builders had the "apache" role. This is a temporary play to remove the httpd daemon everywhere
|
|
- name: Uninstall httpd
|
|
ansible.builtin.package: name=httpd
|
|
state=absent
|
|
tags:
|
|
- koji_builder
|
|
- removehttpd
|
|
|
|
- name: Add the Apache group
|
|
group: name=apache
|
|
gid=48
|
|
system=yes
|
|
state=present
|
|
tags:
|
|
- koji_builder
|
|
- removehttpd
|
|
|
|
- name: Create the apache user
|
|
user: name=apache
|
|
uid=48
|
|
createhome=no
|
|
group=apache
|
|
home=/usr/share/httpd
|
|
shell=/sbin/nologin
|
|
system=yes
|
|
state=present
|
|
tags:
|
|
- koji_builder
|
|
- removehttpd
|
|
|
|
- name: Make sure we are in permissive selinux mode
|
|
selinux: policy=targeted state=permissive
|
|
tags:
|
|
- koji_builder
|
|
- selinux
|
|
|
|
- name: Create directory for shared secrets
|
|
ansible.builtin.file:
|
|
path: /etc/kojid/secrets
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0660"
|
|
tags:
|
|
- koji_builder
|
|
when: env == "staging"
|
|
|
|
# https://pagure.io/fedora-infrastructure/issue/6636
|
|
- name: Install libkcapi to get increased sockets on armv7
|
|
dnf: name=libkcapi enablerepo=updates-testing state=present
|
|
tags:
|
|
- koji_builder
|
|
when: ansible_architecture == 'armv7l'
|
|
|
|
# set highmem_is_dirtyable in compose armv7 machines.
|
|
# see: https://bugzilla.redhat.com/show_bug.cgi?id=1504264
|
|
#
|
|
- name: Set highmem_is_dirtyable on armv7 builders that are in the compose channel.
|
|
sysctl: name=vm.highmem_is_dirtyable value=1 state=present sysctl_set=yes reload=yes
|
|
tags:
|
|
- koji_builder
|
|
when: inventory_hostname.startswith(('buildvm-armv7-01.arm', 'buildvm-armv7-02', 'buildvm-armv7-03'))
|
|
|
|
#
|
|
# Add rngd so that virtual maachines have enough randomness to boot in our lifetimes
|
|
#
|
|
- name: Install rng-tools for entropy
|
|
ansible.builtin.package: name=rng-tools state=present
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/rngd
|
|
when: ansible_architecture == 'x86_64'
|
|
|
|
- name: Start rngd
|
|
service: name=rngd state=started enabled=yes
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/rngd
|
|
when: ansible_architecture == 'x86_64'
|
|
|
|
- name: Disable systemd-oomd we do not need or want it
|
|
systemd: name=systemd-oomd state=stopped enabled=no masked=true
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/oomd
|
|
|
|
- name: Install script to update osbuild api ip in the firewall
|
|
ansible.builtin.template: src=osbuildapi-update.sh dest=/usr/local/bin/osbuildapi-update.sh mode=755
|
|
when: not nftables
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Install cron job to run osbuild api ip update script every minute.
|
|
ansible.builtin.template: src=osbuildapi-update.cron dest=/etc/cron.d/osbuildapi-update.cron mode=644
|
|
when: not nftables and 'osbuild' in group_names
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Remove cron job to run osbuild api ip update script.
|
|
ansible.builtin.file: path=/etc/cron.d/osbuildapi-update.cron state=absent
|
|
when: nftables or 'osbuild' not in group_names
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Install script to update osbuild api ip in the firewall (nftables)
|
|
ansible.builtin.template: src=osbuildapi-update-nft.sh dest=/usr/local/bin/osbuildapi-update-nft.sh mode=755
|
|
when: nftables
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Install cron job to run osbuild api ip update script every minute. (nftables)
|
|
ansible.builtin.template: src=osbuildapi-update-nft.cron dest=/etc/cron.d/osbuildapi-update-nft.cron mode=644
|
|
when: nftables and 'osbuild' in group_names
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Remove cron job to run osbuild api ip update script every minute. (nftables)
|
|
ansible.builtin.file: path=/etc/cron.d/osbuildapi-update-nft.cron state=absent
|
|
when: not nftables or 'osbuild' not in group_names
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/osbuildapi
|
|
|
|
- name: Create override dir for systemd-nspawn containers config
|
|
ansible.builtin.file:
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
path: /etc/systemd/system/machine-.scope.d
|
|
when: inventory_hostname.startswith(('buildhw-a64'))
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/nspawn
|
|
|
|
- name: Create override config for systemd-nspawn containers to allow coredumps
|
|
ansible.builtin.template: src=nspawn-override.conf dest=/etc/systemd/system/machine-.scope.d/80-infra.conf mode=0644
|
|
when: inventory_hostname.startswith(('buildhw-a64'))
|
|
tags:
|
|
- koji_builder
|
|
- koji_builder/nspawn
|