openafs-server : add ansible roles for OpenAFS servers

This starts at migrating OpenAFS server setup to Ansible. Firstly we split up the groups and explicitly name hosts, as we will me migrating each one step-by-step. We split out 1.8 hosts into a new afs-1.8 group; the first host is afs01.ord.openstack.org which already has openafs 1.8 installed manually. An openafs-server role is introduced that does the same setup as the extant puppet. The AFS job is renamed to infra-prod-afs as the puppet component will eventually disappear. Otherwise it runs in the same way, but also runs the openafs-server role for the 1.8 servers. Once this is merged, we can run it against afs01.ord.openstack.org to ensure it works and is idempotent. We can then take on upgrading the other file servers, and work further on the database servers. Change-Id: I7998af43961999412f58a78214f4b5387713d30e
2021-01-18 15:30:35 +11:00 · 2021-01-18 15:30:35 +11:00 · 7683fa11b3
parent f56f3f5492
commit 7683fa11b3
8 changed files with 117 additions and 11 deletions
--- a/inventory/service/groups.yaml
+++ b/inventory/service/groups.yaml
@ -1,7 +1,13 @@
 plugin: yamlgroup
 groups:
  adns: adns*.open*.org
-  afs: afs[0-9]*.open*.org
+  afs-1.8:
+    - afs01.ord.openstack.org
+  afs:
+    - afs01.dfw.openstack.org
+    - afs02.dfw.openstack.org
+    - afsdb01.openstack.org
+    - afsdb02.openstack.org
  afs-client:
    - review-dev[0-9]*.open*.org
    - mirror[0-9]*.opendev.org
@ -139,8 +145,10 @@ groups:
  pbx:
    - pbx[0-9]*.opendev.org
  puppet:
-    - afs[0-9]*.open*.org
-    - afsdb[0-9]*.open*.org
+    - afs01.dfw.openstack.org
+    - afs02.dfw.openstack.org
+    - afsdb01.openstack.org
+    - afsdb02.openstack.org
    - ask*.open*.org
    - backup[0-9]*.openstack.org
    - cacti[0-9]*.open*.org
@ -173,8 +181,10 @@ groups:
    - wiki-dev[0-9]*.openstack.org
    - wiki[0-9]*.openstack.org
  puppet4:
-    - afs[0-9]*.open*.org
-    - afsdb[0-9]*.open*.org
+    - afs01.dfw.openstack.org
+    - afs02.dfw.openstack.org
+    - afsdb01.openstack.org
+    - afsdb02.openstack.org
    - ask*.open*.org
    - ask-staging[0-9]*.open*.org
    - cacti[0-9]*.open*.org
--- a/playbooks/roles/openafs-server/README.rst
+++ b/playbooks/roles/openafs-server/README.rst
@ -0,0 +1 @@
+Install openafs server components
--- a/playbooks/roles/openafs-server/files/CellServDB
+++ b/playbooks/roles/openafs-server/files/CellServDB
@ -0,0 +1,3 @@
+>openstack.org  #Cell name
+104.130.136.20  #afsdb01.openstack.org
+23.253.200.228  #afsdb02.openstack.org
--- a/playbooks/roles/openafs-server/files/ThisCell
+++ b/playbooks/roles/openafs-server/files/ThisCell
@ -0,0 +1 @@
+openstack.org
--- a/playbooks/roles/openafs-server/tasks/main.yaml
+++ b/playbooks/roles/openafs-server/tasks/main.yaml
@ -0,0 +1,85 @@
+- name: Install pre-reqs
+  package:
+    name: '{{ item }}'
+    state: present
+  loop:
+    - apt-transport-https
+    - software-properties-common
+
+- name: Ensure server directory
+  file:
+    state: directory
+    path: /etc/openafs/server
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Copy configuration files
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/openafs/server'
+    owner: root
+    group: root
+    mode: 0644
+  loop:
+    - CellServDB
+    - ThisCell
+
+- name: Install rxkad.keytab
+  shell: 'echo "{{ openafs_server_rxkad_keytab }}" | base64 -d > /etc/openafs/server/rxkad.keytab'
+  args:
+    creates: '/etc/openafs/server/rxkad.keytab'
+  no_log: True
+
+- name: Ensure permissions rxkad.keytab
+  file:
+    path: '/etc/openafs/server/rxkad.keytab'
+    owner: root
+    group: root
+    mode: '0400'
+
+# This is generated by aconvert from rxkad.keytab; or if we ever need
+# to regenerate everything see asetkey(8) man page, which creates this
+# from a keytab.  It's used by openafs 1.8 instead of keytabs to
+# reduce kerberos library dependencies or some such.
+- name: Install KeyfileExt
+  shell: 'echo "{{ openafs_server_keyfileext }}" | base64 -d > /etc/openafs/server/KeyFileExt'
+  args:
+    creates: '/etc/openafs/server/KeyFileExt'
+  no_log: True
+
+- name: Ensure permissions on KeyFileExt
+  file:
+    path: '/etc/openafs/server/KeyFileExt'
+    owner: root
+    group: root
+    mode: '0400'
+
+- name: Install openstackci openafs PPA
+  apt_repository:
+    repo: 'ppa:openstack-ci-core/openafs'
+
+- name: Install kernel headers dependency
+  package:
+    name:
+      - linux-headers-{{ ansible_kernel }}
+    state: present
+  become: yes
+
+# NOTE(ianw) : Need to do this first and separately so that the
+# modules are ready for the openafs server/client package to start.
+# Avoid recommends because that drags in the client, which can't start
+# without the modules which are building in this step (we do it next)
+- name: Install openafs kernel modules
+  apt:
+    name: openafs-modules-dkms
+    state: latest
+    install_recommends: no
+
+- name: Install packages
+  package:
+    name:
+      - openafs-fileserver
+      - openafs-client
+      - openafs-krb5
+    state: latest
--- a/playbooks/remote_puppet_afs.yaml
+++ b/playbooks/remote_puppet_afs.yaml
@ -10,6 +10,11 @@
  roles:
    - puppet-run

+- hosts: "afs-1.8:!disabled"
+  name: "Configure AFS server"
+  roles:
+    - openafs-server
+
 - hosts: "mirror-update:!disabled"
  name: "Create key for remote vos release"
  tasks:
--- a/zuul.d/infra-prod.yaml
+++ b/zuul.d/infra-prod.yaml
@ -555,18 +555,18 @@
 # Run AFS changes separately so we can make sure to only do one at a time
 # (turns out quorum is nice to have)
 - job:
-    name: infra-prod-remote-puppet-afs
+    name: infra-prod-service-afs
    parent: infra-prod-service-base
-    description: Run remote-puppet-afs.yaml playbook.
+    description: Run AFS playbook.
    vars:
-      playbook_name: remote_puppet_afs.yaml
+      playbook_name: service-afs.yaml
      infra_prod_ansible_forks: 1
    required-projects:
      - opendev/ansible-role-puppet
      - opendev/system-config
    files:
      - inventory/
-      - playbooks/remote_puppet_afs.yaml
+      - playbooks/service-afs.yaml
      - inventory/service/group_vars/afs
      - inventory/service/group_vars/mirror-update
      - inventory/service/group_vars/puppet
@ -576,6 +576,7 @@
      - playbooks/roles/disable-puppet-agent/
      - playbooks/roles/iptables/
      - playbooks/roles/vos-release/
+      - playbooks/roles/openafs-server/
      - modules/
      - manifests/

--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@ -274,7 +274,7 @@
              - infra-prod-service-eavesdrop
              - name: system-config-promote-image-accessbot
                soft: true
-        - infra-prod-remote-puppet-afs
+        - infra-prod-service-afs
        - infra-prod-remote-puppet-else
        - infra-prod-run-cloud-launcher
    periodic:
@ -310,7 +310,7 @@
        - infra-prod-service-codesearch
        - infra-prod-service-eavesdrop
        - infra-prod-run-accessbot
-        - infra-prod-remote-puppet-afs
+        - infra-prod-service-afs
    opendev-prod-hourly:
      jobs:
        - infra-prod-install-ansible