backups: remove all bup

All hosts are now running thier backups via borg to servers in
vexxhost and rax.ord.

For reference, the servers being backed up at this time are:

 borg-ask01
 borg-ethercalc02
 borg-etherpad01
 borg-gitea01
 borg-lists
 borg-review-dev01
 borg-review01
 borg-storyboard01
 borg-translate01
 borg-wiki-update-test
 borg-zuul01

This removes the old bup backup hosts, the no-longer used ansible
roles for the bup backup server and client roles, and any remaining
bup related configuration.

For simplicity, we will remove any remaining bup cron jobs on the
above servers manually after this merges.

Change-Id: I32554ca857a81ae8a250ce082421a7ede460ea3c

inventory/base/hosts.yaml

@@ -49,13 +49,6 @@ all:
         region_name: DFW
       public_ipv4: 104.239.149.165
       public_ipv6: 2001:4800:7819:105:be76:4eff:fe01:e6ff
-    backup01.ca-ymq-1.vexxhost.opendev.org:
-      ansible_host: 199.204.45.119
-      location:
-        cloud: openstackci-vexxhost
-        region_name: ca-ymq-1
-      public_v4: 199.204.45.119
-      public_v6: 2604:e100:1:0:f816:3eff:feab:d678
     backup02.ca-ymq-1.vexxhost.opendev.org:
       ansible_host: 199.204.45.196
       location:
@@ -70,13 +63,6 @@ all:
         region_name: ORD
       public_v4: 23.253.160.180
       public_v6: 2001:4801:7825:103:be76:4eff:fe10:1b1
-    backup01.ord.rax.ci.openstack.org:
-      ansible_host: 23.253.20.173
-      location:
-        cloud: openstackci-rax
-        region_name: ORD
-      public_v4: 23.253.20.173
-      public_v6: 2001:4801:7824:101:be76:4eff:fe10:20cf
     bridge.openstack.org:
       ansible_host: 23.253.234.219
       location:

inventory/service/groups.yaml

@@ -19,27 +19,6 @@ groups:
   afs-admin:
     - mirror-update[0-9]*.openstack.org
   ask: ask*.open*.org
-# NOTE: By default we keep the backup-server group empty as an
-# emergency escape hatch if a problem were to propage through
-# production servers.  However, this also means if you add a server to
-# the "backup" group to be backed up, you should uncomment the
-# "backup-server" group for an Ansible pulse so the users & keys are
-# setup on the server(s).  You can submit a follow-on change to revert
-# this at the same time.
-  backup:
-    - gitea01.opendev.org
-    - review[0-9]*.openstack.org
-    - review-dev[0-9]*.open*.org
-    - zuul[0-9]*.open*.org
-    # All these servers are "special-cased" in specifically
-    # as they are puppet and should be replaced "soon"
-    - ethercalc02.openstack.org
-    - ask01.openstack.org
-    - lists.openstack.org
-    - storyboard01.opendev.org
-    - translate01.openstack.org
-  backup-server:
-    - backup01.ca-ymq-1.vexxhost.opendev.org
   borg-backup:
     - etherpad[0-9]*.opendev.org
     - gitea01.opendev.org
@@ -66,7 +45,6 @@ groups:
   control-plane-clouds:
     - bridge.openstack.org
   disabled:
-    - backup01.ord.rax.ci.openstack.org
     - corvustest
     - idp.openstackid.org
     - lists-dev01.openstack.org
@@ -146,7 +124,6 @@ groups:
     - pbx[0-9]*.opendev.org
   puppet:
     - ask*.open*.org
-    - backup[0-9]*.openstack.org
     - cacti[0-9]*.open*.org
     - corvustest
     - eavesdrop[0-9]*.open*.org

manifests/site.pp

@@ -355,14 +355,6 @@ node /^pbx\d*\.open.*\.org$/ {
   }
 }
 
-# Node-OS: xenial
-# A backup machine.  Don't run cron or puppet agent on it.
-node /^backup\d+\..*\.ci\.open.*\.org$/ {
-  $group = "ci-backup"
-  class { 'openstack_project::server': }
-  include openstack_project::backup_server
-}
-
 # Node-OS: xenial
 node /^openstackid\d*(\.openstack)?\.org$/ {
   $group = "openstackid"

modules/openstack_project/manifests/backup_server.pp

@@ -1,7 +0,0 @@
-# == Class: openstack_project::backup_server
-#
-class openstack_project::backup_server {
-  package { 'bup':
-    ensure => present,
-  }
-}

modules/openstack_project/manifests/ethercalc.pp

@@ -21,14 +21,4 @@ class openstack_project::ethercalc (
 
   include ethercalc::redis
 
-  # Redis creates a snapshot at /var/lib/redis/dump.rdb periodically
-  # (at worst every 15 minutes if at least one change is made to redis)
-  # which can be used to recover the Redis DB. Bup will automagically
-  # pick this file up during its normal operation so no other DB dumping
-  # is required like with mysql.
-  include bup
-  bup::site { 'ord.rax':
-    backup_user   => "bup-$::hostname",
-    backup_server => 'backup01.ord.rax.ci.openstack.org',
-  }
 }

modules/openstack_project/manifests/lists.pp

@@ -42,12 +42,6 @@ class openstack_project::lists(
   user::virtual::disable { 'oubiwann': }
   user::virtual::disable { 'rockstar': }
 
-  include bup
-  bup::site { 'ord.rax':
-    backup_user   => 'bup-lists',
-    backup_server => 'backup01.ord.rax.ci.openstack.org',
-  }
-
   # Begin user servicable parts
 
   mailman::site { 'openstack':

modules/openstack_project/manifests/storyboard.pp

@@ -86,9 +86,4 @@ class openstack_project::storyboard(
     source => $superusers,
   }
 
-  include bup
-  bup::site { 'ord.rax':
-    backup_user   => 'bup-storyboard',
-    backup_server => 'backup01.ord.rax.ci.openstack.org',
-  }
 }

modules/openstack_project/manifests/wiki.pp

@@ -75,14 +75,6 @@ class openstack_project::wiki (
     require => File['/srv/mediawiki'],
   }
 
-  if $bup_user != undef {
-    include bup
-    bup::site { 'ord.rax':
-      backup_user   => $bup_user,
-      backup_server => 'backup01.ord.rax.ci.openstack.org',
-    }
-  }
-
   class { '::elasticsearch':
     es_template_config => {
       'bootstrap.mlockall'               => true,

playbooks/roles/backup-server/README.rst

@@ -1,15 +0,0 @@
-Setup backup server
-
-This role configures backup server(s) in the ``backup-server`` group
-to accept backups from remote hosts.
-
-Note that the ``backup`` role must have run on each host in the
-``backup`` group before this role.  That role will create a
-``bup_user`` tuple in the hostvars for for each host consisting of the
-required username and public key.
-
-Each required user gets a separate home directory in ``/opt/backups``.
-Their ``authorized_keys`` file is configured with the public key to
-allow the remote host to log in and only run ``bup``.
-
-**Role Variables**

playbooks/roles/backup-server/defaults/main.yaml

@@ -1 +0,0 @@
-bup_users: []

playbooks/roles/backup-server/tasks/main.yaml

@@ -1,21 +0,0 @@
-- name: Create backup directory
-  file:
-    state: directory
-    path: /opt/backups
-
-- name: Install bup
-  package:
-    name:
-      - bup
-    state: present
-
-- name: Build all bup users from backup hosts
-  set_fact:
-    bup_users: '{{ bup_users }} + [ {{ hostvars[item]["bup_user"] }} ]'
-  with_inventory_hostnames: 'backup:!disabled'
-
-- name: Create bup users
-  include_tasks: user.yaml
-  loop: '{{ bup_users }}'
-  loop_control:
-    loop_var: bup_user

playbooks/roles/backup-server/tasks/user.yaml

@@ -1,32 +0,0 @@
-# note bup_user is the parent loop variable name; this works on each
-# element from the bup_users global.
-- name: Set variables
-  set_fact:
-    user_name: '{{ bup_user[0] }}'
-    user_key: '{{ bup_user[1] }}'
-
-- name: Create bup user
-  user:
-    name: '{{ user_name }}'
-    comment: 'Backup user'
-    shell: /bin/bash
-    home: '/opt/backups/{{ user_name }}'
-    create_home: yes
-  register: homedir
-
-- name: Create bup user authorized key
-  authorized_key:
-    user: '{{ user_name }}'
-    state: present
-    key: '{{ user_key }}'
-    key_options: 'command="BUP_DEBUG=0 BUP_FORCE_TTY=3 bup server",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
-
-# ansible-lint wants this in a handler, it should be done here and
-# now; this isn't like a service restart where multiple things might
-# call it.
-- name: Initalise bup
-  shell: |
-    BUP_DIR=/opt/backups/{{ user_name }}/.bup bup init
-  become: yes
-  become_user: '{{ user_name }}'
-  when: homedir.changed

playbooks/roles/backup/README.rst

@@ -1,23 +0,0 @@
-Configure a host to be backed up
-
-This role setups a host to use ``bup`` for backup to any hosts in the
-``backup-server`` group.
-
-A separate ssh key will be generated for root to connect to the backup
-server(s) and the host key for the backup servers will be accepted to
-the host.
-
-The ``bup`` tool is installed and a cron job is setup to run the
-backup periodically.
-
-Note the ``backup-server`` role must run after this to create the user
-correctly on the backup server.  This role sets a tuple ``bup_user``
-with the username and public key; the ``backup-server`` role uses this
-variable for each host in the ``backup`` group to initalise users.
-
-**Role Variables**
-
-.. zuul:rolevar:: bup_username
-
-   The username to connect to the backup server.  If this is left
-   undefined, it will be automatically set to ``bup-$(hostname)``

playbooks/roles/backup/files/bup-excludes

@@ -1,25 +0,0 @@
-/proc/*
-/sys/*
-/dev/*
-/tmp/*
-/floppy/*
-/cdrom/*
-/var/spool/squid/*
-/var/spool/exim/*
-/media/*
-/mnt/*
-/var/agentx/*
-/run/*
-/root/backup-restore-*
-/root/.bup
-/etc/puppet/modules/*
-/etc/puppet/hieradata/*
-/var/cache/*
-/var/lib/docker/*
-/var/lib/puppet/reports/*
-/var/lib/postgresql/*
-/var/lib/lxcfs/*
-/var/lib/zuul/backup/*
-/var/lib/zuul/times/*
-/opt/system-config/*
-/afs/*

playbooks/roles/backup/tasks/main.yaml

@@ -1,57 +0,0 @@
-- name: Generate bup username for this host
-  set_fact:
-    bup_username: 'bup-{{ inventory_hostname.split(".", 1)[0] }}'
-  when: bup_username is not defined
-
-- debug:
-    var: bup_username
-
-- name: Install bup
-  package:
-    name:
-      - bup
-    state: absent
-
-- name: Remove old keypair
-  file:
-    path: /root/.ssh/id_backup_ed25519
-    state: absent
-
-- name: Remove old keypair
-  file:
-    path: /root/.ssh/id_backup_ed25519.pub
-    state: absent
-
-- name: Remove old config directory
-  file:
-    path: /root/.bup
-    state: absent
-
-- name: Remove ssh config
-  blockinfile:
-    path: /root/.ssh/config
-    state: absent
-    create: false
-    block: |
-      Host {{ item }}
-      HostName {{ item }}
-      IdentityFile /root/.ssh/id_backup_ed25519
-      User {{ bup_username }}
-    mode: 0600
-  with_inventory_hostnames: backup-server
-  ignore_errors: True
-
-- name: Remove /etc/bup-excludes
-  file:
-    path: /etc/bup-excludes
-    state: absent
-
-- name: Remove backup cronjob
-  cron:
-    name: "Run bup backup"
-    job: "tar -X /etc/bup-excludes -cPF - / | bup split -r {{ bup_username }}@{{ item }}: -n root -q"
-    user: root
-    hour: '5'
-    minute: '{{ 59|random(seed=item) }}'
-    state: absent
-  with_inventory_hostnames: backup-server

playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml

@@ -38,15 +38,13 @@ results:
     - mirror
 
   review01.openstack.org:
-    - backup
     - borg-backup
     - gerrit
     - letsencrypt
     - review
 
-  backup01.ord.rax.ci.openstack.org:
-    - disabled
-    - puppet
+  backup01.ord.rax.opendev.org:
+    - borg-backup-server
 
   ze01.openstack.org:
     - afs-client

playbooks/service-backup.yaml

@@ -1,8 +0,0 @@
-# NOTE(ianw) : we are removing bup for borg.  This just needs to run
-# once to remove bup parts from the backup clients, then we will
-# remove it completely.
-- hosts: "backup:!disabled"
-  name: "Base: Generate backup users and keys"
-  roles:
-    - iptables
-    - backup

playbooks/zuul/run-base.yaml

@@ -83,8 +83,6 @@
         - host_vars/mirror01.openafs.provider.opendev.org.yaml
         - host_vars/mirror02.openafs.provider.opendev.org.yaml
         - host_vars/mirror-update01.opendev.org.yaml
-        - host_vars/backup-test01.opendev.org.yaml
-        - host_vars/backup-test02.opendev.org.yaml
         - host_vars/refstack01.openstack.org.yaml
     - name: Display group membership
       command: ansible localhost -m debug -a 'var=groups'

playbooks/zuul/templates/host_vars/backup-test01.opendev.org.yaml.j2

@@ -1 +0,0 @@
-bup_username: bup-backup01

playbooks/zuul/templates/host_vars/backup-test02.opendev.org.yaml.j2

@@ -1,2 +0,0 @@
-# Intentionally left blank to test autogeneration of name
-#bup_username: bup-backup-test02

zuul.d/infra-prod.yaml

@@ -275,19 +275,6 @@
       - playbooks/roles/static/
       - playbooks/roles/zuul-user/
 
-- job:
-    name: infra-prod-service-backup
-    parent: infra-prod-service-base
-    description: Run service-backup.yaml playbook.
-    vars:
-      playbook_name: service-backup.yaml
-    files:
-      - inventory/
-      - playbooks/service-backup.yaml
-      - playbooks/roles/backup/
-      - playbooks/roles/backup-server/
-      - playbooks/roles/iptables/
-
 - job:
     name: infra-prod-service-borg-backup
     parent: infra-prod-service-base

zuul.d/project.yaml

@@ -13,7 +13,6 @@
         - system-config-run-base
         - system-config-run-base-ansible-devel:
             voting: false
-        - system-config-run-backup
         - system-config-run-borg-backup
         - system-config-run-dns
         - system-config-run-eavesdrop:
@@ -271,7 +270,6 @@
         - infra-prod-service-mirror-update
         - infra-prod-service-mirror
         - infra-prod-service-static
-        - infra-prod-service-backup
         - infra-prod-service-borg-backup
         - infra-prod-service-registry
         - infra-prod-service-refstack
@@ -316,7 +314,6 @@
         - infra-prod-service-mirror
         - infra-prod-service-static
         - infra-prod-service-borg-backup
-        - infra-prod-service-backup
         - infra-prod-service-zookeeper
         - infra-prod-service-review
         - infra-prod-service-review-dev

zuul.d/system-config-run.yaml

@@ -305,30 +305,6 @@
       - testinfra/test_adns.py
       - testinfra/test_ns.py
 
-- job:
-    name: system-config-run-backup
-    parent: system-config-run
-    description: |
-      Run the playbook for backup configuration
-    nodeset:
-      nodes:
-        - name: bridge.openstack.org
-          label: ubuntu-bionic
-        - name: backup01.region.provider.opendev.org
-          label: ubuntu-bionic
-        - name: backup-test01.opendev.org
-          label: ubuntu-bionic
-        - name: backup-test02.opendev.org
-          label: ubuntu-xenial
-    vars:
-      run_playbooks:
-        - playbooks/service-backup.yaml
-    files:
-      - playbooks/install-ansible.yaml
-      - playbooks/roles/backup
-      - playbooks/zuul/templates/host_vars/backup
-      - testinfra/test_backups.py
-
 - job:
     name: system-config-run-borg-backup
     parent: system-config-run