authorRiku Voipio <riku.voipio@linaro.org>2018-09-26 14:20:25 +0300
committerRiku Voipio <riku.voipio@linaro.org>2018-09-28 10:29:38 +0000
commitc5d0408e8a1c3f2ff7520d32ed260481b7058c4e (patch)
tree75b990906536c913ebec86791b725ca07a01082c
parent82b58fc82960fcf309a3857937e5e3dcf9e77c88 (diff)
jenkins-slaves/ufw: cleanup and add armhf slave on scaleway
Add armhf slave on scaleway. On scaleway baremetal, root partition is over nbd. Allow traffic to NBD to avoid ending locked on boot. Other cleanups: - move ssh to ufw_open_ports list instead of defining it in tasks - Add fail: check to make sure ssh port is opened in firewall - remove docker install from jenkins play since docker-deps already does it - rename tag from "jenkins-master" to "jenkins", since this isn't for the master - flush handlers in end of ssh-ldap so servers can be deployed in one run - add buildslave to docker users for ci-dockerfiles-deployment and other jobs that need to call docker build etc. Change-Id: I02fd62eea579cc205c2182720eebf0492a153a9c Signed-off-by: Riku Voipio <riku.voipio@linaro.org> Reviewed-on: https://review.linaro.org/28521
-rw-r--r--group_vars/jenkins_slaves4
-rw-r--r--hosts5
-rw-r--r--jenkins-slaves.yml4
-rw-r--r--roles/jenkins-slave-deps/tasks/main.yml12
-rw-r--r--roles/ssh-ldap/tasks/main.yml3
-rwxr-xr-xroles/ufw/files/scaleway_fw3
-rw-r--r--roles/ufw/tasks/main.yml11
-rw-r--r--roles/ufw/tasks/scaleway.yml19
8 files changed, 45 insertions, 16 deletions
diff --git a/group_vars/jenkins_slaves b/group_vars/jenkins_slaves
index 888c1f52..1ce91182 100644
--- a/group_vars/jenkins_slaves
+++ b/group_vars/jenkins_slaves
@@ -13,9 +13,13 @@ docker_group_user:
- fathi.boudra
- kelley.spoon
- riku.voipio
+ - buildslave
docker_engine_opts:
- "-H fd://"
- "-H tcp://0.0.0.0:2375"
- "-H unix:///var/run/docker.sock"
- "--dns 8.8.8.8 --dns 8.8.4.4"
+
+ufw_open_ports:
+ - 22
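Review bot: Adding `buildslave` to `docker_group_user` gives the CI build account control of the Docker daemon, which is effectively root on the slave, and nothing in the file records that this is deliberate. A comment above the entry would help, e.g. `# buildslave: docker group is root-equivalent; needed by ci-dockerfiles-deployment and other jobs that run docker build`. The unchanged `-H tcp://0.0.0.0:2375` line in the same hunk exposes that daemon over plain TCP, so the only barrier is the ufw source restriction on port 2375 in the jenkins-slave-deps role. That dependency also deserves a one-line comment next to `docker_engine_opts`.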
diff --git a/hosts b/hosts
index bf59a638..04dc53fc 100644
--- a/hosts
+++ b/hosts
@@ -91,10 +91,14 @@ oe-x86_64-02 ansible_host=62.210.249.170 # oe-x86_64-02
[jenkins_slaves_packet]
aarch64_08 ansible_host=147.75.32.78 # aarch64_08
+[jenkins_slaves_scaleway]
+armhf-01 ansible_host=51.15.128.165
+
[jenkins_slaves:children]
jenkins_slaves_hetzner
jenkins_slaves_online
jenkins_slaves_packet
+jenkins_slaves_scaleway
[publishing-docker]
publishing-ap.linaro.org
@@ -128,6 +132,7 @@ obs-server-cn1.linaro.cloud
[obs-workers]
x86_64-10
r2-a19.aus-colo.linaro.org
+armhf-01 ansible_host=51.15.128.165
[fossology]
fossology.linaro.org
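Review bot: The `[obs-workers]` entry repeats `ansible_host=51.15.128.165`, which is already set for `armhf-01` under `[jenkins_slaves_scaleway]` in the previous hunk. Inventory variables belong to the host rather than to the group line, so a bare `armhf-01` here would match the neighbouring entries (`x86_64-10`). It would also avoid two copies of the address drifting apart when the machine is re-provisioned.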
diff --git a/jenkins-slaves.yml b/jenkins-slaves.yml
index 647545c1..16b54336 100644
--- a/jenkins-slaves.yml
+++ b/jenkins-slaves.yml
@@ -5,7 +5,7 @@
- ["{{secrets_dir}}/group_vars/all"]
roles:
- {role: ssh-ldap, tags: [ssh-ldap]}
- - {role: docker-deps, tags: [jenkins-master,docker]}
- - role: jenkins-slave-deps
+ - {role: docker-deps, tags: [jenkins,docker]}
+ - {role: jenkins-slave-deps, tags: [jenkins]}
- {role: nfs-client, tags: [nfs]}
# - role: zabbix-agent
diff --git a/roles/jenkins-slave-deps/tasks/main.yml b/roles/jenkins-slave-deps/tasks/main.yml
index 4527e8b8..1dd37231 100644
--- a/roles/jenkins-slave-deps/tasks/main.yml
+++ b/roles/jenkins-slave-deps/tasks/main.yml
@@ -30,20 +30,11 @@
- restart-docker
- reload-systemd
-- name: Install apt package for docker repo
- apt: pkg=apt-transport-https
-
-- name: Add Docker apt key
- apt_key:
- id: "0EBFCD88"
- keyserver: "hkp://p80.pool.sks-keyservers.net"
-
# https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa
- name: Add repos (xenial)
apt_repository:
repo: "{{item}}"
with_items:
- - 'deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable'
- 'ppa:canonical-kernel-team/ppa'
when: ansible_distribution_release == 'xenial' and ansible_machine == 'x86_64'
@@ -54,10 +45,8 @@
- name: Install Jenkins slave deps
apt: pkg={{item}} update_cache=yes
with_items:
- - docker-ce
- openjdk-8-jdk-headless
- openjdk-8-jre-headless
- when: ansible_distribution_release == 'xenial'
- name: Append Systems team to docker group
user: name={{item}} groups=docker append=yes
@@ -76,7 +65,6 @@
port: "{{item.port}}"
src: "{{item.src}}"
with_items:
- - {port: 22, src: 'any'}
- {port: 2375, src: '88.99.136.175'} #ci.linaro.org
- {port: 16509, src: '172.17.0.0/24'}
diff --git a/roles/ssh-ldap/tasks/main.yml b/roles/ssh-ldap/tasks/main.yml
index cabdf8e9..2ef43dce 100644
--- a/roles/ssh-ldap/tasks/main.yml
+++ b/roles/ssh-ldap/tasks/main.yml
@@ -76,3 +76,6 @@
- name: Add cron job for syncing with LDAP
template: src=cron.d dest=/etc/cron.d/ldap-sync
+
+- name: flush handlers so LDAP users are available for further roles
+ meta: flush_handlers
diff --git a/roles/ufw/files/scaleway_fw b/roles/ufw/files/scaleway_fw
new file mode 100755
index 00000000..98647bf5
--- /dev/null
+++ b/roles/ufw/files/scaleway_fw
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+curl -s 169.254.42.42/conf | sed -nE 's/VOLUMES_[0-9]+_EXPORT_URI=.*nbd:\/\/([^:]+):.*/\1/p'
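Review bot: A failed or timed-out metadata request leaves this script printing nothing and still exiting 0, because `curl -s` has neither `--fail` nor a timeout and the pipeline's exit status is sed's. The caller in roles/ufw/tasks/scaleway.yml then passes that output straight into a firewall rule. I would add `set -o pipefail` after the shebang and call `curl -sf --max-time 10 http://169.254.42.42/conf`, so that a failure surfaces as a non-zero exit. Note also that the sed expression prints one line per `VOLUMES_<n>_EXPORT_URI` entry, so a host with several volumes yields several lines rather than a single address.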
diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml
index 2b877980..63a2ce59 100644
--- a/roles/ufw/tasks/main.yml
+++ b/roles/ufw/tasks/main.yml
@@ -1,6 +1,10 @@
---
+- name: Check ufw_open_ports
+ fail: msg="ssh missing from ufw_open_ports"
+ when: 22 not in ufw_open_ports
+
- name: Install server deps
- apt: pkg={{item}} state=installed
+ apt: pkg={{item}} state=present
with_items:
- ufw
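Review bot: The new guard `when: 22 not in ufw_open_ports` compares against the integer 22, so an inventory that writes the port as the string "22" fails the check even though ssh is listed. Normalising first would make it robust: `when: 22 not in (ufw_open_ports | default([]) | map('int') | list)`. The next hunk also removes the hard-coded `- 22`, and this commit adds 22 only to group_vars/jenkins_slaves. Any other group that applies the ufw role will therefore stop at this task until its own list is updated. Those group_vars are not visible here, so that is worth confirming before merging.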
@@ -14,11 +18,14 @@
proto: tcp
port: "{{item}}"
with_items:
- - 22
- "{{ufw_open_ports}}"
notify:
- restart-ufw
+- name: include scaleway tasks
+ include_tasks: scaleway.yml
+ when: scaleway is defined
+
- name: Enable Firewall
ufw:
direction: "{{item.direction}}"
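Review bot: The include is gated on `when: scaleway is defined`, but none of the eight files in this commit sets a `scaleway` variable for `armhf-01` or for the `jenkins_slaves_scaleway` group. If it is not defined elsewhere (for example in the secrets group_vars), the NBD allow rule is silently skipped and the following "Enable Firewall" task runs without it, which is the locked-on-boot case the commit message describes. Keying the condition on the inventory group added here would remove that hidden dependency: `when: "'jenkins_slaves_scaleway' in group_names"`. The "Enable Firewall" task continues past the end of this hunk.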
diff --git a/roles/ufw/tasks/scaleway.yml b/roles/ufw/tasks/scaleway.yml
new file mode 100644
index 00000000..7763f16a
--- /dev/null
+++ b/roles/ufw/tasks/scaleway.yml
@@ -0,0 +1,19 @@
+---
+- name: Install script to get scaleway nbd server IP
+ copy: src=scaleway_fw dest=/usr/sbin/ mode=755
+
+- name: Get scaleway NBD server ip
+ command: /usr/sbin/scaleway_fw
+ register: cloud_output
+
+- name: Set scaleway NBD server ip
+ set_fact:
+ scaleway_nbd: "{{cloud_output.stdout}}"
+
+- name: Open NBD internal traffic
+ ufw:
+ rule: allow
+ proto: tcp
+ src: "{{scaleway_nbd}}"
+ notify:
+ - restart-ufw
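Review bot: `cloud_output.stdout` goes into `src:` of an `allow` rule without any check that it is a single IP address. If the script returns an empty string, the rule may not be restricted to one source at all. Several lines of output (one per volume) would give an invalid value. I would validate the output before `set_fact` and mark the lookup `changed_when: false`, as sketched below. The `match` test assumes an Ansible version that supports `is match`. The rule also allows every TCP port from that address, so adding a `port:` for the NBD export would narrow it if the port is known.

```yaml
- name: Get scaleway NBD server ip
  command: /usr/sbin/scaleway_fw
  register: cloud_output
  changed_when: false

- name: Check that exactly one NBD server address was returned
  assert:
    that:
      - cloud_output.stdout_lines | length == 1
      - cloud_output.stdout is match('^[0-9]{1,3}(\.[0-9]{1,3}){3}$')
    msg: "unexpected NBD server address from scaleway_fw"
# … unchanged: set_fact and ufw allow rule …
```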