mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-04-30 13:32:30 +08:00
5da2faac67
OpenID support in FAS is going away. openQA has OAuth2 support. I've tested this config to work with manual edits on lab, now ansiblizing it (for lab only to start with). Signed-off-by: Adam Williamson <awilliam@redhat.com>
415 lines
17 KiB
YAML
415 lines
17 KiB
YAML
# Required vars
|
|
# - openqa_email
|
|
## string - Email address of admin user
|
|
# - openqa_nickname
|
|
## string - Short name of admin user (shown in the web UI for e.g.)
|
|
# - openqa_fullname
|
|
## string - Full name of admin user
|
|
# - openqa_key
|
|
# - openqa_secret
|
|
## string - MUST be 16-character hexadecimals, and are secrets
|
|
# openqa_userid
|
|
## string - User ID of admin user: for Fedora should be a Fedora openID URL,
|
|
## http://fasname.id.fedoraproject.org
|
|
|
|
# Required vars with defaults
|
|
# - external_hostname
|
|
## string - The public hostname for the server (will be used as ServerName)
|
|
## default - ansible_nodename
|
|
# - openqa_repo
|
|
## string - Repo to enable when updating openQA packages. Set to
|
|
## 'updates-testing' to use packages from updates-testing
|
|
## default - 'updates', which is effectively a no-op
|
|
|
|
# Optional vars
|
|
# - openqa_static_uid
|
|
## int - a static ID for the geekotest user and group if desired
|
|
## this is useful for NFS mounting openQA data files
|
|
# - openqa_dbname
|
|
## string - The name of the database to use
|
|
# - openqa_dbhost
|
|
## string - The hostname of the database server
|
|
# - openqa_dbuser
|
|
## string - The database username
|
|
# - openqa_dbpassword
|
|
## string - The database password
|
|
# - openqa_assetsize
|
|
## int - the asset size limit to set in GB (upstream default is 100GB)
|
|
## higher is recommended for normal Fedora testing, 300GB is good
|
|
## FIXME: this only works for pgsql ATM
|
|
# - openqa_assetsize_updates
|
|
## int - the asset size limit to set for update job groups in GB
|
|
## (upstream default is 100GB). Lower is recommended for normal
|
|
## Fedora testing, 50GB is good
|
|
## FIXME: this only works for pgsql ATM
|
|
# - openqa_amqp_publisher_prefix
|
|
## string - openQA AMQP 'topic_prefix' config value. This prefix is
|
|
## prepended to the topic when publishing messages with the
|
|
## AMQP or FedoraMessaging plugins, with a . added (so don't
|
|
## include the . in the value). If set to an empty string,
|
|
## openQA from before August 2019 will use 'suse' as the
|
|
## prefix; later openQA will omit the prefix entirely
|
|
## default - '' (empty string)
|
|
# - openqa_amqp_publisher_url
|
|
## string - AMQP broker URL for publishing messages with the AMQP or
|
|
## FedoraMessaging plugins, e.g.
|
|
## amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpubsub
|
|
## default - amqp://test:@localhost/%2Fpubsub
|
|
# - openqa_amqp_publisher_exchange
|
|
## string - exchange to publish AMQP messages to with AMQP or
|
|
## FedoraMessaging plugins, e.g. amq.topic. Note, this can
|
|
## be (ab)used to set additional query parameters for the
|
|
## publish request, by just appending them, e.g.
|
|
## amq.topic&cacertfile=/path/to/ca_certificate_file
|
|
## default - amq.topic
|
|
# - openqa_webapi_plugins
|
|
## string - Space-separated list of openQA WebAPI plugins to enable
|
|
## Note if you enable FedoraMessaging or AMQP plugins, you should
|
|
## also set openqa_amqp_publisher_prefix, openqa_amqp_publisher_url
|
|
## and openqa_amqp_publisher_exchange
|
|
# - deployment_type
|
|
## string - Fedora Infrastructure thing; for this role, applies an
|
|
## infra-specific tweak to httpd config. Don't set it outside
|
|
## Fedora infra.
|
|
# - openqa_nfs_workers
|
|
## list - A list of hostnames of workers that will share the factory
|
|
## directory via NFS. All these will be granted rw access to
|
|
## the share (they need write access to be able to decompress
|
|
## compressed disk images on the fly). If not defined, the
|
|
## factory dir will not be shared via NFS at all.
|
|
# - openqa_auth_method
|
|
## string - authentication method to use (Fake, OpenID, OAuth2)
|
|
## default - Fake
|
|
# - openqa_oauth2_secret
|
|
## string - the secret to use for OAuth2 authentcation. Required if
|
|
## openqa_auth_method is OAuth2
|
|
|
|
# If openqa_dbhost is set, the other openqa_db* variables must be too,
|
|
# and the server will be configured to use a pgsql database accordingly.
|
|
# If openqa_dbhost is not set, the server will use a local SQLite database
|
|
# and the other openqa_db* values are ignored.
|
|
|
|
---
|
|
- name: Create geekotest group with static GID
|
|
group: "name=geekotest gid={{ openqa_static_uid }} system=yes"
|
|
when: "openqa_static_uid is defined"
|
|
|
|
- name: Create geekotest user with static UID
|
|
user:
|
|
name: geekotest
|
|
comment: "openQA user"
|
|
uid: "{{ openqa_static_uid }}"
|
|
group: geekotest
|
|
home: "/var/lib/openqa"
|
|
createhome: no
|
|
system: yes
|
|
shell: /sbin/nologin
|
|
when: "openqa_static_uid is defined"
|
|
|
|
- name: Remove old scratch repo directory
|
|
ansible.builtin.file: path=/var/tmp/scratchrepo state=absent
|
|
|
|
- name: Delete old scratch build repo config
|
|
ansible.builtin.file: path=/etc/yum.repos.d/scratchrepo.repo state=absent
|
|
|
|
- name: Write lab side repo config
|
|
ansible.builtin.copy: src=openqa-lab-repo.repo dest=/etc/yum.repos.d/openqa-lab-repo.repo owner=root group=root mode=0644
|
|
when: "deployment_type is defined and deployment_type == 'stg'"
|
|
|
|
- name: Write prod side repo config
|
|
ansible.builtin.copy: src=openqa-prod-repo.repo dest=/etc/yum.repos.d/openqa-prod-repo.repo owner=root group=root mode=0644
|
|
when: "deployment_type is defined and deployment_type == 'prod'"
|
|
|
|
# this is separate from the step below so we can use openqa_repo just
|
|
# for these packages
|
|
- name: Install openQA packages
|
|
ansible.builtin.package:
|
|
name:
|
|
- openqa
|
|
- openqa-httpd
|
|
- openqa-plugin-fedora-messaging
|
|
state: latest
|
|
enablerepo: "{{ openqa_repo }}"
|
|
tags:
|
|
- packages
|
|
|
|
- name: Install various other required packages
|
|
ansible.builtin.package:
|
|
name:
|
|
- python3-libselinux # for using seboolean module
|
|
- git # for checking out tests/tools
|
|
- jq # for checking if tests changed after template load
|
|
- python3-libsemanage # for using seboolean module
|
|
- perl(Class::DBI::Pg) # for using postgresql DB
|
|
- genisoimage # for building cloud-init ISO
|
|
- policycoreutils # for loading SELinux policy module
|
|
state: present
|
|
tags:
|
|
- packages
|
|
|
|
- name: Install various other required packages
|
|
ansible.builtin.package:
|
|
name:
|
|
- nfs-utils # for configuring/running NFS server
|
|
state: present
|
|
when: "openqa_nfs_workers is defined"
|
|
tags:
|
|
- packages
|
|
|
|
- name: Check test directory exists with correct ownership
|
|
ansible.builtin.file: path=/var/lib/openqa/share/tests/fedora state=directory owner=geekotest group=geekotest recurse=yes
|
|
|
|
# we don't want to run the checkout if the tests are on a non-standard
|
|
# branch, as that usually means we're messing around on staging and
|
|
# don't want the checkout reset to HEAD.
|
|
- name: Check if tests are checked out and on a non-standard branch
|
|
ansible.builtin.command: "git status" # noqa 303
|
|
args:
|
|
chdir: /var/lib/openqa/share/tests/fedora
|
|
register: testsbranch
|
|
failed_when: "1 != 1"
|
|
changed_when: "1 != 1"
|
|
check_mode: no
|
|
|
|
- name: Check out the tests
|
|
git:
|
|
repo: https://pagure.io/fedora-qa/os-autoinst-distri-fedora.git # noqa 401
|
|
dest: /var/lib/openqa/share/tests/fedora
|
|
register: gittests
|
|
become: true
|
|
become_user: geekotest
|
|
when: >
|
|
(testsbranch.stderr.find('ot a git repository') != -1) or
|
|
(testsbranch.stdout.find('On branch main') != -1 and
|
|
testsbranch.stdout.find('Changes not staged') == -1)
|
|
|
|
- name: Remove old openqa_fedora_tools checkout
|
|
ansible.builtin.file: path=/root/openqa_fedora_tools state=absent
|
|
|
|
- name: Create asset directories
|
|
ansible.builtin.file: path={{ item }} state=directory owner=geekotest group=geekotest mode=0775
|
|
with_items:
|
|
- /var/lib/openqa/share/factory/iso
|
|
- /var/lib/openqa/share/factory/iso/fixed
|
|
- /var/lib/openqa/share/factory/hdd
|
|
- /var/lib/openqa/share/factory/hdd/fixed
|
|
- /var/lib/openqa/share/factory/repo
|
|
- /var/lib/openqa/share/factory/other
|
|
|
|
- name: Copy in meta-data for cloud-init ISO creation
|
|
ansible.builtin.copy: src=meta-data dest=/var/tmp/meta-data owner=root group=root mode=0644
|
|
|
|
- name: Copy in user-data for cloud-init ISO creation
|
|
ansible.builtin.copy: src=user-data dest=/var/tmp/user-data owner=root group=root mode=0644
|
|
|
|
- name: Create cloud-init ISO
|
|
ansible.builtin.command: genisoimage -output cloudinit.iso -volid cidata -joliet -rock /var/tmp/user-data /var/tmp/meta-data
|
|
args:
|
|
chdir: /var/lib/openqa/share/factory/iso/fixed
|
|
creates: /var/lib/openqa/share/factory/iso/fixed/cloudinit.iso
|
|
|
|
- name: Create exports file
|
|
ansible.builtin.template: src=exports.j2 dest=/etc/exports.d/openqa.exports owner=root group=root mode=0644
|
|
register: exportsfile
|
|
when: openqa_nfs_workers is defined
|
|
tags:
|
|
- config
|
|
|
|
- name: Enable and start NFS server
|
|
service: name=nfs-server enabled=yes state=started
|
|
when: openqa_nfs_workers is defined
|
|
|
|
- name: Refresh exports
|
|
ansible.builtin.command: exportfs -r
|
|
when: exportsfile is changed
|
|
|
|
- name: Set up Apache config
|
|
ansible.builtin.template: src=openqa.conf.httpd.j2 dest=/etc/httpd/conf.d/openqa.conf owner=root group=root mode=0644
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- config
|
|
|
|
- name: OpenQA config
|
|
ansible.builtin.template: src=openqa.ini.j2 dest=/etc/openqa/openqa.ini owner=geekotest group=root mode=0640
|
|
tags:
|
|
- config
|
|
|
|
- name: Create database
|
|
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
|
|
become_user: postgres
|
|
become: true
|
|
postgresql_db: db={{ openqa_dbname }}
|
|
when: "openqa_dbhost is defined"
|
|
|
|
- name: Ensure db user has access to database
|
|
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
|
|
become_user: postgres
|
|
become: true
|
|
postgresql_user: db={{ openqa_dbname }} user={{ openqa_dbuser }} password={{ openqa_dbpassword }} role_attr_flags=NOSUPERUSER
|
|
when: "openqa_dbhost is defined"
|
|
|
|
- name: Database config
|
|
ansible.builtin.template: src=database.ini.pgsql.j2 dest=/etc/openqa/database.ini owner=geekotest group=root mode=0640
|
|
when: "openqa_dbhost is defined"
|
|
tags:
|
|
- config
|
|
|
|
- name: Initialize database
|
|
ansible.builtin.shell: "/usr/share/openqa/script/initdb --user geekotest --init_database" # noqa 305
|
|
register: initdb
|
|
changed_when: "initdb.rc == 0"
|
|
failed_when: "(initdb.rc > 0) and (initdb.stdout is not defined or initdb.stdout.find('already exists') == -1)"
|
|
|
|
- name: Enable and start services
|
|
service: name={{ item }} enabled=yes state=started
|
|
register: services
|
|
with_items:
|
|
- openqa-livehandler
|
|
- openqa-scheduler
|
|
- openqa-webui
|
|
- openqa-websockets
|
|
- openqa-gru
|
|
|
|
- name: Create somewhere to stick our custom SELinux module
|
|
ansible.builtin.file:
|
|
path: /usr/local/share/selinux
|
|
state: directory
|
|
mode: '0755'
|
|
|
|
- name: Copy over custom SELinux module allowing httpd to connect to openQA
|
|
ansible.builtin.copy: src=httpd-openqa.pp dest=/usr/local/share/selinux/httpd-openqa.pp owner=root group=root mode=0644
|
|
register: selinux_module
|
|
|
|
- name: Load our custom SELinux module
|
|
ansible.builtin.command: semodule -i /usr/local/share/selinux/httpd-openqa.pp
|
|
when: selinux_module is changed
|
|
|
|
# Unfortunately still need this until port 9528 is tagged:
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1277312
|
|
- name: Set httpd_can_network_connect SELinux boolean
|
|
seboolean: name=httpd_can_network_connect state=yes persistent=yes
|
|
|
|
- name: Allow Apache to read from NFS (as we store test data files there now)
|
|
seboolean: name=httpd_use_nfs state=yes persistent=yes
|
|
|
|
# services is undefined in check mode
|
|
- name: Wait for openQA to be fully started
|
|
pause: seconds=5
|
|
when: "services is defined and services is changed"
|
|
|
|
# the 'dispatcher' role may require this to have a non-root group and
|
|
# sets it 0640, so we don't enforce ownership here and set mode to
|
|
# 0640 so we don't wind up ping-ponging it between server and
|
|
# dispatcher roles.
|
|
- name: OpenQA client config
|
|
ansible.builtin.template: src=client.conf.j2 dest=/etc/openqa/client.conf mode=0640
|
|
tags:
|
|
- config
|
|
|
|
- name: Create admin user
|
|
ansible.builtin.command: >
|
|
/var/lib/openqa/script/create_admin --email {{ openqa_email }} --nickname {{ openqa_nickname }}
|
|
--fullname '{{ openqa_fullname }}' --key {{ openqa_key }} --secret {{ openqa_secret }}
|
|
{{ openqa_userid }}
|
|
register: admin
|
|
changed_when: "admin.rc == 0"
|
|
failed_when: "(admin.rc > 0) and (admin.stderr is not defined or admin.stderr.find('already exists') == -1)"
|
|
|
|
- name: Check if we're on upstream template format or FIF
|
|
stat:
|
|
path: /var/lib/openqa/share/tests/fedora/templates.fif.json
|
|
register: templatesfif
|
|
|
|
- name: Dump existing config for checking changes
|
|
ansible.builtin.shell: "/usr/share/openqa/script/dump_templates --json > /tmp/tmpl-old.json || :"
|
|
when: "(gittests is defined) and (gittests is changed)"
|
|
changed_when: "1 != 1"
|
|
|
|
# Because of the boring details of how template loading works, getting
|
|
# a correct 'changed' for this step is too difficult. Instead we have
|
|
# the dump (above) and check (later) steps; when the templates actually
|
|
# changed, the *check* step will register as changed.
|
|
- name: Load main tests (upstream format)
|
|
ansible.builtin.command: "/var/lib/openqa/share/tests/fedora/templates --clean"
|
|
when: "(gittests is defined) and (gittests is changed) and (not templatesfif.stat.exists)"
|
|
changed_when: "1 != 1"
|
|
|
|
- name: Load update tests (upstream format)
|
|
ansible.builtin.command: "/var/lib/openqa/share/tests/fedora/templates-updates --update"
|
|
when: "(gittests is defined) and (gittests is changed) and (not templatesfif.stat.exists)"
|
|
changed_when: "1 != 1"
|
|
|
|
- name: Load all tests (FIF format)
|
|
ansible.builtin.command: "/var/lib/openqa/share/tests/fedora/fifloader.py -l --clean templates.fif.json templates-updates.fif.json"
|
|
args:
|
|
chdir: /var/lib/openqa/share/tests/fedora
|
|
when: "(gittests is defined) and (gittests is changed) and (templatesfif.stat.exists)"
|
|
changed_when: "1 != 1"
|
|
|
|
- name: Check if the tests changed in previous step
|
|
ansible.builtin.shell: "/usr/share/openqa/script/dump_templates --json > /tmp/tmpl-new.json && diff <(jq -S . /tmp/tmpl-old.json) <(jq -S . /tmp/tmpl-new.json)"
|
|
when: "(gittests is defined) and (gittests is changed)"
|
|
register: testsdiff
|
|
changed_when: "testsdiff.rc > 0"
|
|
failed_when: "1 != 1"
|
|
|
|
- name: Set 'fedora' asset size limit (if specified) (pgsql)
|
|
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
|
|
become_user: postgres
|
|
become: true
|
|
ansible.builtin.command: >
|
|
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize }}
|
|
WHERE name = 'fedora' AND (size_limit_gb != {{ openqa_assetsize }} OR size_limit_gb IS NULL);"
|
|
when: "openqa_dbhost is defined and openqa_assetsize is defined"
|
|
register: pgsqlsize
|
|
changed_when: "pgsqlsize.stdout.find('UPDATE 0') == -1"
|
|
|
|
- name: Set 'Fedora PowerPC' asset size limit (if specified) (pgsql)
|
|
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
|
|
become_user: postgres
|
|
become: true
|
|
ansible.builtin.command: >
|
|
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_ppc }}
|
|
WHERE name = 'Fedora PowerPC' AND (size_limit_gb != {{ openqa_assetsize_ppc }}
|
|
OR size_limit_gb IS NULL);"
|
|
when: "openqa_dbhost is defined and openqa_assetsize_ppc is defined"
|
|
register: pgsqlsizeppc
|
|
changed_when: "pgsqlsizeppc.stdout.find('UPDATE 0') == -1"
|
|
|
|
- name: Set 'Fedora AArch64' asset size limit (if specified) (pgsql)
|
|
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
|
|
become_user: postgres
|
|
become: true
|
|
ansible.builtin.command: >
|
|
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_aarch64 }}
|
|
WHERE name = 'Fedora AArch64' AND (size_limit_gb != {{ openqa_assetsize_aarch64 }}
|
|
OR size_limit_gb IS NULL);"
|
|
when: "openqa_dbhost is defined and openqa_assetsize_aarch64 is defined"
|
|
register: pgsqlsizeaarch64
|
|
changed_when: "pgsqlsizeaarch64.stdout.find('UPDATE 0') == -1"
|
|
|
|
- name: Set (x86_64) update job group asset size limit (if specified) (pgsql)
|
|
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
|
|
become_user: postgres
|
|
become: true
|
|
ansible.builtin.command: >
|
|
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_updates }}
|
|
WHERE name = 'Fedora Updates' AND (size_limit_gb != {{ openqa_assetsize_updates }}
|
|
OR size_limit_gb IS NULL);"
|
|
when: "openqa_dbhost is defined and openqa_assetsize_updates is defined"
|
|
register: pgsqlupdatesize
|
|
changed_when: "pgsqlupdatesize.stdout.find('UPDATE 0') == -1"
|
|
|
|
- name: Set ppc64le update job group asset size limit (if specified) (pgsql)
|
|
delegate_to: "{{ openqa_dbhost_delegate|default(openqa_dbhost) }}"
|
|
become_user: postgres
|
|
become: true
|
|
ansible.builtin.command: >
|
|
psql -d {{ openqa_dbname }} -c "UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize_updates_ppc }}
|
|
WHERE name = 'Fedora PowerPC Updates' AND (size_limit_gb != {{ openqa_assetsize_updates_ppc }}
|
|
OR size_limit_gb IS NULL);"
|
|
when: "openqa_dbhost is defined and openqa_assetsize_updates_ppc is defined"
|
|
register: pgsqlupdatesizeppc
|
|
changed_when: "pgsqlupdatesizeppc.stdout.find('UPDATE 0') == -1"
|