author | Riku Voipio <riku.voipio@linaro.org> | 2017-11-29 16:36:28 +0200 |
---|---|---|
committer | Benjamin Copeland <ben.copeland@linaro.org> | 2017-11-29 15:02:56 +0000 |
commit | b0f24fb214b083d98a686ba210ab1e7d58a2d754 (patch) | |
tree | 81cad5bf4942967e4634a4746fee174d603f8213 | |
parent | 52cc344cda395f1c39df45abc9353500549e8e43 (diff) |
obs: fixes/refactor for devcloud
- new role, obs-bastion for handling firewall and volumes
- install OBS from our repositories
- refactor systemd-container
- correct some files used by OBS
Change-Id: Ie4bd548703313a1fff2b0e26e00ff330c71c57ee
Reviewed-on: https://review.linaro.org/22736
Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
-rw-r--r-- | host_vars/obs-bastion-us1.linaro.cloud | 4 | ||||
-rw-r--r-- | roles/obs-bastion/tasks/main.yml | 87 | ||||
-rw-r--r-- | roles/obs/tasks/main.yml | 14 | ||||
-rw-r--r-- | roles/obs/tasks/sign.yml | 4 | ||||
-rw-r--r-- | roles/obs/tasks/ufw.yml | 43 | ||||
-rw-r--r-- | roles/systemd-container/files/container.nspawn | 1 | ||||
-rw-r--r-- | roles/systemd-container/tasks/base-container.yml | 23 | ||||
-rw-r--r-- | roles/systemd-container/tasks/main.yml | 9 |
8 files changed, 120 insertions, 65 deletions
diff --git a/host_vars/obs-bastion-us1.linaro.cloud b/host_vars/obs-bastion-us1.linaro.cloud
new file mode 100644
index 00000000..f6cd4ec2
--- /dev/null
+++ b/host_vars/obs-bastion-us1.linaro.cloud
@@ -0,0 +1,4 @@
+obsdata_fstype: ext4
+obsdata_dev: /dev/sdb
+obsbackup_fstype: ext4
+obsbackup_dev: /dev/sdc
diff --git a/roles/obs-bastion/tasks/main.yml b/roles/obs-bastion/tasks/main.yml
new file mode 100644
index 00000000..4cbfef05
--- /dev/null
+++ b/roles/obs-bastion/tasks/main.yml
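Review bot: `obsdata_dev: /dev/sdb` and `obsbackup_dev: /dev/sdc` are kernel-enumerated device names, which on cloud instances are not guaranteed to stay in the same order across reboots or volume re-attachment; since these values feed both the `filesystem` and `mount` tasks in roles/obs-bastion/tasks/main.yml, a reordering would place the wrong volume under /var/lib/machines/obs/srv or /srv/backups, and a blank device in that slot would be formatted. Prefer a persistent path such as `/dev/disk/by-id/<VOLUME-ID-PLACEHOLDER>` for the two device variables, and add a comment naming which cloud volume each maps to. Whether this platform exposes stable by-id names is something to confirm.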
@@ -0,0 +1,87 @@ +#- name: Reset ufw to defaults +# ufw: state=reset +# when: firewall_reset is defined + +- name: install ufw + apt: + update_cache: yes + name: ufw + state: present + +- name: Open 5252 for slaves + ufw: + rule: allow + proto: tcp + port: 5252 + src: "{{item}}" + with_items: "{{worker_ip}}" + +- name: Open 5352 for slaves + ufw: + rule: allow + proto: tcp + port: 5352 + src: "{{item}}" + with_items: "{{worker_ip}}" + +# Only adds ports does not delete. +# ufw reset is required for a fresh ufw deploy. +- name: Open firewall ports + ufw: + rule: allow + proto: tcp + port: "{{item}}" + with_items: + - 22 + - 80 + - 443 + +- name: Enable Firewall + ufw: + direction: "{{item.direction}}" + policy: "{{item.policy}}" + logging: off + state: enabled + with_items: + - { direction: 'incoming', policy: 'deny' } + - { direction: 'outgoing', policy: 'allow' } + +- name: Format obs_data volume + filesystem: + fstype: "{{obsdata_fstype}}" + dev: "{{obsdata_dev}}" + +- name: Mount obs_data volume + mount: + path: /var/lib/machines/obs/srv + state: mounted + passno: 2 + fstype: "{{obsdata_fstype}}" + src: "{{obsdata_dev}}" + +- name: Format obs_backup volume + filesystem: + fstype: "{{obsbackup_fstype}}" + dev: "{{obsbackup_dev}}" + +- name: Mount obs_backup volume + mount: + path: /srv/backups + state: mounted + passno: 2 + fstype: "{{obsbackup_fstype}}" + src: "{{obsbackup_dev}}" + +- name: add obs-backup user + user: + name: obs-backup + home: /srv/backups/obs + state: present + +- name: Set authorized key took from file + authorized_key: + user: obs-backup + state: present + key: "{{lookup('file', '{{secrets_dir}}/files/obs/id_rsa.pub')}}" + + diff --git a/roles/obs/tasks/main.yml b/roles/obs/tasks/main.yml index 211773ee..18457fe4 100644 --- a/roles/obs/tasks/main.yml +++ b/roles/obs/tasks/main.yml 
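Review bot: The `key:` line of the "Set authorized key took from file" task nests a moustache inside the lookup argument (`'{{secrets_dir}}/files/obs/id_rsa.pub'`); Ansible does not template nested moustaches, so the file lookup is most likely handed the literal string and the task fails — use `key: "{{ lookup('file', secrets_dir + '/files/obs/id_rsa.pub') }}"` instead, and rename the task to "Set authorized key taken from file". Because the `obs-backup` account exists only to receive backups, the key could also be constrained with `key_options: 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding'` (plus a forced command if the backup tooling allows one) so the credential cannot be turned into a general shell on the bastion. Separately, the "Mount obs_data volume" task hardcodes the container name in `path: /var/lib/machines/obs/srv` while the systemd-container role derives that path from `{{container_name}}`; the two should agree or the mount will not land inside the container tree.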
@@ -22,6 +22,15 @@ question: obs-api/mysql/app-password value: "{{mysql_password}}" vtype: password +- name: Add OBS apt key + apt_key: + url: http://obs.linaro.org/linaro-overlay-stretch/Debian_9.0/Release.key + state: present +- name: Add OBS overlay repository + apt_repository: + repo: deb http://obs.linaro.org/linaro-overlay-stretch/Debian_9.0/ ./ + state: present + - name: Install OBS apt: pkg={{item}} state=installed with_items: @@ -33,7 +42,7 @@ - name: Rails configuration with rake shell: /usr/share/obs/api/script/rake-tasks.sh setup >> /home/obs-admin/install.log 2>&1 args: - creates: /etc/obs/api/config/production.sphinx.conf + creates: /srv/obs/configuration.xml - name: Enable ldap template: src: options.yml @@ -54,6 +63,5 @@ enabled: yes state: started -- {include: sign.yml, tags: [gpg]} -- {include: ufw.yml, tags: [firewall]} +- {import_tasks: sign.yml, tags: [gpg]} diff --git a/roles/obs/tasks/sign.yml b/roles/obs/tasks/sign.yml index 4dbbb880..120a7692 100644 --- a/roles/obs/tasks/sign.yml +++ b/roles/obs/tasks/sign.yml @@ -1,9 +1,9 @@ - name: Copy Secret GPG key - copy: src="{{secrets_dir}}/files/gnupg/private.key" dest=/root/private.key + copy: src="{{secrets_dir}}/files/obs/private.key" dest=/root/private.key mode=0400 - name: Copy public GPG key - copy: src="{{secrets_dir}}/files/gnupg/public.key" dest=/etc/obs/public.key + copy: src="{{secrets_dir}}/files/obs/public.key" dest=/etc/obs/public.key mode=0444 - name: Install support scripts diff --git a/roles/obs/tasks/ufw.yml b/roles/obs/tasks/ufw.yml deleted file mode 100644 index 538b2314..00000000 --- a/roles/obs/tasks/ufw.yml +++ /dev/null 
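Review bot: The "Add OBS apt key" task fetches the repository signing key over plain HTTP (`url: http://obs.linaro.org/linaro-overlay-stretch/Debian_9.0/Release.key`) and the `apt_repository` line also uses `http://`; because that key is what establishes trust for every package installed from the overlay, an on-path substitution of key and repository together would not be detected. Fetch the key over HTTPS if the server offers it, and pin the expected key with the module's `id:` parameter, e.g. `id: <KEY-FINGERPRINT-PLACEHOLDER>`, so a wrong key is rejected; checking the key file into the repository and using `data:` would remove the network fetch entirely. The "Install OBS" task that follows is cut off at the end of this hunk.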
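Review bot: Adding `mode=0400` and `mode=0444` to the two copies in sign.yml is the right tightening, but the secret key is still left staged at `/root/private.key` after the copy; whatever consumes it (presumably a later gpg import under "Install support scripts" or beyond, not visible in this hunk) should be followed by removal of the staged file, e.g. `- name: Remove staged GPG private key` with `file: path=/root/private.key state=absent`, so the private key does not persist on disk outside the keyring. Neither copy sets `owner=`/`group=`; the file owner defaults to the user Ansible runs the task as, and stating `owner=root group=root` makes that intent explicit. The remaining tasks of sign.yml are outside the hunk.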
@@ -1,43 +0,0 @@ -#- name: Reset ufw to defaults -# ufw: state=reset -# when: firewall_reset is defined - -- name: Open 5252 for slaves - ufw: - rule: allow - proto: tcp - port: 5252 - src: "{{item}}" - with_items: "{{worker_ip}}" - -- name: Open 5352 for slaves - ufw: - rule: allow - proto: tcp - port: 5352 - src: "{{item}}" - with_items: "{{worker_ip}}" - -# Only adds ports does not delete. -# ufw reset is required for a fresh ufw deploy. -- name: Open firewall ports - ufw: - rule: allow - proto: tcp - port: "{{item}}" - with_items: - - 22 - - 80 - - 443 - - 2201 - -- name: Enable Firewall - ufw: - direction: "{{item.direction}}" - policy: "{{item.policy}}" - logging: off - state: enabled - with_items: - - { direction: 'incoming', policy: 'deny' } - - { direction: 'outgoing', policy: 'allow' } - diff --git a/roles/systemd-container/files/container.nspawn b/roles/systemd-container/files/container.nspawn index 1c1630af..1bce6e78 100644 --- a/roles/systemd-container/files/container.nspawn +++ b/roles/systemd-container/files/container.nspawn @@ -1,5 +1,6 @@ [Exec] Boot=on +PrivateUsers=no [Network] VirtualEthernet=no diff --git a/roles/systemd-container/tasks/base-container.yml b/roles/systemd-container/tasks/base-container.yml index a22b1a85..b1bc24bd 100644 --- a/roles/systemd-container/tasks/base-container.yml +++ b/roles/systemd-container/tasks/base-container.yml 
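Review bot: `PrivateUsers=no` in container.nspawn switches off user-namespace isolation for the container, so UIDs inside it map 1:1 to the host and container root is host root; with `VirtualEthernet=no` already sharing the host network, the container then provides little isolation beyond its filesystem view. Neither the file nor the commit message records why this is needed (the volume the bastion role mounts under /var/lib/machines/obs/srv seems the likely reason, but that is inference); add a comment above the line such as `# PrivateUsers=no: container UIDs map 1:1 to the host (no user namespace); required because <REASON-PLACEHOLDER>` so a later reader neither flips it back blindly nor leaves it on without understanding the trade-off.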
@@ -6,21 +6,24 @@ tags: - update - name: Create Debian Stretch container - command: debootstrap --include=openssh-server,dbus,python,sudo stretch /var/lib/machines/debian http://deb.debian.org/debian + command: debootstrap --include=openssh-server,dbus,python,sudo stretch /var/lib/machines/{{container_name}}/ http://deb.debian.org/debian args: - creates: /var/lib/machines/debian -- name: Add admin user in container - command: chroot /var/lib/machines/debian useradd -m obs-admin + creates: /var/lib/machines/{{container_name}}/etc/apt/sources.list +- name: Add user in container + command: chroot /var/lib/machines/{{container_name}}/ useradd -m {{container_user}} args: - creates: /var/lib/machines/debian/home/obs-admin + creates: /var/lib/machines/{{container_name}}/home/{{container_user}} - name: Make ssh dir file: - path: /var/lib/machines/debian/home/obs-admin/.ssh + path: /var/lib/machines/{{container_name}}/home/{{container_user}}/.ssh state: directory mode: 0700 -- name: Copy ssh key - copy: content="{{ssh_pub_key}}" dest=/var/lib/machines/debian/home/obs-admin/.ssh/authorized_keys +- name: Copy ssh authorized keys + copy: + src: /home/debian/.ssh/authorized_keys + dest: /var/lib/machines/{{container_name}}/home/{{container_user}}/.ssh/authorized_keys + remote_src: yes - name: verify .ssh permissions - command: chroot /var/lib/machines/debian chown -R obs-admin:obs-admin /home/obs-admin/.ssh + command: chroot /var/lib/machines/{{container_name}} chown -R {{container_user}}:{{container_user}} /home/{{container_user}}/.ssh - name: add admin escalation rights - copy: src=sudoers dest=/var/lib/machines/debian/etc/sudoers.d/obs-admin mode=0440 + copy: src=sudoers dest=/var/lib/machines/{{container_name}}/etc/sudoers.d/{{container_user}} mode=0440 diff --git a/roles/systemd-container/tasks/main.yml b/roles/systemd-container/tasks/main.yml index cd809506..f304b544 100644 --- a/roles/systemd-container/tasks/main.yml +++ b/roles/systemd-container/tasks/main.yml 
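Review bot: The "Copy ssh authorized keys" task now takes its keys from the hard-coded host path `/home/debian/.ssh/authorized_keys` with `remote_src: yes`, which ties access to the container's `{{container_user}}` to whatever keys happen to be on the host's `debian` account, and the copy sets no `mode:` (the later `chown -R` fixes ownership but not permissions); parameterize the source path and add `mode: 0600`. The "add admin escalation rights" task still copies a static `sudoers` file while the account name is now `{{container_user}}`; if that file names `obs-admin` literally (it is not visible here), the sudo grant will not match the created user — a `template:` task would keep the two in step. The rest of base-container.yml is outside the hunk.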
@@ -1,9 +1,4 @@ -- include: base-container.yml - -- name: Copy base stretch container - command: cp -a /var/lib/machines/debian /var/lib/machines/{{container_name}} - args: - creates: /var/lib/machines/{{container_name}} +- import_tasks: base-container.yml - name: Set hostname to "{{container_name}}" copy: @@ -14,7 +9,7 @@ lineinfile: dest: /var/lib/machines/{{container_name}}/etc/hosts regexp: '^127\.0\.0\.2' - line: 127.0.0.2 "{{container_name}}" "{{container_name}}".linaro.org + line: 127.0.0.2 {{container_name}} owner: root group: root mode: 0644 |