author | Riku Voipio <riku.voipio@linaro.org> | 2018-09-26 14:20:25 +0300 |
---|---|---|
committer | Riku Voipio <riku.voipio@linaro.org> | 2018-09-28 10:29:38 +0000 |
commit | c5d0408e8a1c3f2ff7520d32ed260481b7058c4e (patch) | |
tree | 75b990906536c913ebec86791b725ca07a01082c | |
parent | 82b58fc82960fcf309a3857937e5e3dcf9e77c88 (diff) |
jenkins-slaves/ufw: cleanup and add armhf slave on scaleway
Add armhf slave on scaleway.
On scaleway baremetal, the root partition is served over NBD. Allow
traffic to the NBD server to avoid ending up locked on boot.
Other cleanups:
- move ssh to ufw_open_ports list instead of defining it in tasks
- Add fail: check to make sure ssh port is opened in firewall
- remove docker install from jenkins play since docker-deps already does it
- rename tag from "jenkins-master" to "jenkins", since this isn't for
the master
- flush handlers in end of ssh-ldap so servers can be deployed in one run
- add buildslave to docker users for ci-dockerfiles-deployment and other
jobs that need to call docker build etc.
Change-Id: I02fd62eea579cc205c2182720eebf0492a153a9c
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Reviewed-on: https://review.linaro.org/28521
-rw-r--r-- | group_vars/jenkins_slaves | 4 | ||||
-rw-r--r-- | hosts | 5 | ||||
-rw-r--r-- | jenkins-slaves.yml | 4 | ||||
-rw-r--r-- | roles/jenkins-slave-deps/tasks/main.yml | 12 | ||||
-rw-r--r-- | roles/ssh-ldap/tasks/main.yml | 3 | ||||
-rwxr-xr-x | roles/ufw/files/scaleway_fw | 3 | ||||
-rw-r--r-- | roles/ufw/tasks/main.yml | 11 | ||||
-rw-r--r-- | roles/ufw/tasks/scaleway.yml | 19 |
8 files changed, 45 insertions, 16 deletions
diff --git a/group_vars/jenkins_slaves b/group_vars/jenkins_slaves index 888c1f52..1ce91182 100644 --- a/group_vars/jenkins_slaves +++ b/group_vars/jenkins_slaves @@ -13,9 +13,13 @@ docker_group_user: - fathi.boudra - kelley.spoon - riku.voipio + - buildslave docker_engine_opts: - "-H fd://" - "-H tcp://0.0.0.0:2375" - "-H unix:///var/run/docker.sock" - "--dns 8.8.8.8 --dns 8.8.4.4" + +ufw_open_ports: + - 22 @@ -91,10 +91,14 @@ oe-x86_64-02 ansible_host=62.210.249.170 # oe-x86_64-02 [jenkins_slaves_packet] aarch64_08 ansible_host=147.75.32.78 # aarch64_08 +[jenkins_slaves_scaleway] +armhf-01 ansible_host=51.15.128.165 + [jenkins_slaves:children] jenkins_slaves_hetzner jenkins_slaves_online jenkins_slaves_packet +jenkins_slaves_scaleway [publishing-docker] publishing-ap.linaro.org @@ -128,6 +132,7 @@ obs-server-cn1.linaro.cloud [obs-workers] x86_64-10 r2-a19.aus-colo.linaro.org +armhf-01 ansible_host=51.15.128.165 [fossology] fossology.linaro.org diff --git a/jenkins-slaves.yml b/jenkins-slaves.yml index 647545c1..16b54336 100644 --- a/jenkins-slaves.yml +++ b/jenkins-slaves.yml @@ -5,7 +5,7 @@ - ["{{secrets_dir}}/group_vars/all"] roles: - {role: ssh-ldap, tags: [ssh-ldap]} - - {role: docker-deps, tags: [jenkins-master,docker]} - - role: jenkins-slave-deps + - {role: docker-deps, tags: [jenkins,docker]} + - {role: jenkins-slave-deps, tags: [jenkins]} - {role: nfs-client, tags: [nfs]} # - role: zabbix-agent diff --git a/roles/jenkins-slave-deps/tasks/main.yml b/roles/jenkins-slave-deps/tasks/main.yml index 4527e8b8..1dd37231 100644 --- a/roles/jenkins-slave-deps/tasks/main.yml +++ b/roles/jenkins-slave-deps/tasks/main.yml 
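Review bot: Adding `buildslave` to `docker_group_user` in group_vars/jenkins_slaves makes the CI build account root-equivalent on every slave, because members of the docker group can drive the daemon without any further authorization. The commit message says this is needed for jobs that call docker build, so it is probably intended, but the entry should carry a comment saying so, for example `# buildslave: docker group is root-equivalent; required by CI jobs that run docker build`. The context lines of the same hunk show the daemon listening on `tcp://0.0.0.0:2375`, so on the new scaleway host that port is protected only by the ufw source rule. It is worth confirming that rule is in place before docker starts there.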
@@ -30,20 +30,11 @@ - restart-docker - reload-systemd -- name: Install apt package for docker repo - apt: pkg=apt-transport-https - -- name: Add Docker apt key - apt_key: - id: "0EBFCD88" - keyserver: "hkp://p80.pool.sks-keyservers.net" - # https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa - name: Add repos (xenial) apt_repository: repo: "{{item}}" with_items: - - 'deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable' - 'ppa:canonical-kernel-team/ppa' when: ansible_distribution_release == 'xenial' and ansible_machine == 'x86_64' @@ -54,10 +45,8 @@ - name: Install Jenkins slave deps apt: pkg={{item}} update_cache=yes with_items: - - docker-ce - openjdk-8-jdk-headless - openjdk-8-jre-headless - when: ansible_distribution_release == 'xenial' - name: Append Systems team to docker group user: name={{item}} groups=docker append=yes @@ -76,7 +65,6 @@ port: "{{item.port}}" src: "{{item.src}}" with_items: - - {port: 22, src: 'any'} - {port: 2375, src: '88.99.136.175'} #ci.linaro.org - {port: 16509, src: '172.17.0.0/24'} diff --git a/roles/ssh-ldap/tasks/main.yml b/roles/ssh-ldap/tasks/main.yml index cabdf8e9..2ef43dce 100644 --- a/roles/ssh-ldap/tasks/main.yml +++ b/roles/ssh-ldap/tasks/main.yml @@ -76,3 +76,6 @@ - name: Add cron job for syncing with LDAP template: src=cron.d dest=/etc/cron.d/ldap-sync + +- name: flush handlers so LDAP users are available for further roles + meta: flush_handlers diff --git a/roles/ufw/files/scaleway_fw b/roles/ufw/files/scaleway_fw new file mode 100755 index 00000000..98647bf5 --- /dev/null +++ b/roles/ufw/files/scaleway_fw @@ -0,0 +1,3 @@ +#!/bin/bash + +curl -s 169.254.42.42/conf | sed -nE 's/VOLUMES_[0-9]+_EXPORT_URI=.*nbd:\/\/([^:]+):.*/\1/p' diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml index 2b877980..63a2ce59 100644 --- a/roles/ufw/tasks/main.yml +++ b/roles/ufw/tasks/main.yml 
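Review bot: roles/ufw/files/scaleway_fw does not check that the metadata request succeeded; the pipeline's exit status is sed's, so a failed or hanging `curl` produces empty output with status 0. Since the output is later used as a firewall source address, add `set -o pipefail` after the shebang and make the request bounded and failing, `curl -sf --max-time 10 http://169.254.42.42/conf | sed -nE '...'`. A host with more than one NBD volume would print several lines, so a header comment stating that exactly one address is expected on stdout would help the caller.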
@@ -1,6 +1,10 @@ --- +- name: Check ufw_open_ports + fail: msg="ssh missing from ufw_open_ports" + when: 22 not in ufw_open_ports + - name: Install server deps - apt: pkg={{item}} state=installed + apt: pkg={{item}} state=present with_items: - ufw @@ -14,11 +18,14 @@ proto: tcp port: "{{item}}" with_items: - - 22 - "{{ufw_open_ports}}" notify: - restart-ufw +- name: include scaleway tasks + include_tasks: scaleway.yml + when: scaleway is defined + - name: Enable Firewall ufw: direction: "{{item.direction}}" diff --git a/roles/ufw/tasks/scaleway.yml b/roles/ufw/tasks/scaleway.yml new file mode 100644 index 00000000..7763f16a --- /dev/null +++ b/roles/ufw/tasks/scaleway.yml @@ -0,0 +1,19 @@ +--- +- name: Install script to get scaleway nbd server IP + copy: src=scaleway_fw dest=/usr/sbin/ mode=755 + +- name: Get scaleway NBD server ip + command: /usr/sbin/scaleway_fw + register: cloud_output + +- name: Set scaleway NBD server ip + set_fact: + scaleway_nbd: "{{cloud_output.stdout}}" + +- name: Open NBD internal traffic + ufw: + rule: allow + proto: tcp + src: "{{scaleway_nbd}}" + notify: + - restart-ufw |
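Review bot: The new guard `when: 22 not in ufw_open_ports` in roles/ufw/tasks/main.yml compares against the integer 22 and assumes the variable is defined. A host that lists the port as a quoted string fails with a misleading "ssh missing" message, and a host that never sets `ufw_open_ports` fails with an undefined-variable error instead. This matters more now that the next hunk drops the hard-coded `- 22` from the open-ports loop, so every host using the role depends on that variable. I would normalise the test, `when: 22 not in (ufw_open_ports | default([]) | map('int') | list)`, and add a comment that the check exists to prevent an SSH lock-out when the firewall is enabled.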
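Review bot: The include in the second hunk of roles/ufw/tasks/main.yml is gated on `when: scaleway is defined`, but nothing visible in this commit sets a `scaleway` variable for the new `jenkins_slaves_scaleway` group. If it is not defined elsewhere, the NBD allow rule is skipped and the following `Enable Firewall` task runs without it, which is the boot lock-up the commit message is trying to avoid. Either set the variable in that group's vars in the same change or key the condition on group membership, `when: "'jenkins_slaves_scaleway' in group_names"`. A comment above the include should state which hosts are expected to take this path.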
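Review bot: In roles/ufw/tasks/scaleway.yml, `cloud_output.stdout` is passed to the `Open NBD internal traffic` rule as `src` without validation, so an empty or multi-line result from the script reaches ufw unchecked. The rule also has no port, so it allows every TCP port from that address. I would add `failed_when: cloud_output.rc != 0 or cloud_output.stdout_lines | length != 1` and `changed_when: false` to the `Get scaleway NBD server ip` task. The rule should also get a comment explaining why it is not narrowed to the NBD port, or be narrowed if the port is fixed (not visible here).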