Browse Source

Split eavesdrop into its own playbook

Extract eavedrop into its own service playbook and
puppet manifest. While doing that, stop using jenkinsuser
on eavesdrop in favor of zuul-user.

Add the ability to override the keys for the zuul user.

Remove openstack_project::server, it doesn't do anything.

Containerize and anisblize accessbot. The structure of
how we're doing it in puppet makes it hard to actually
run the puppet in the gate. Run the script in its own
playbook so that we can avoid running it in the gate.

Change-Id: I53cb63ffa4ae50575d4fa37b24323ad13ec1bac3
changes/98/721098/30
Monty Taylor 3 months ago
parent
commit
9fd2135a46
28 changed files with 555 additions and 82 deletions
  1. +124
    -10
      .zuul.yaml
  2. +21
    -0
      docker/accessbot/Dockerfile
  3. +248
    -0
      docker/accessbot/accessbot.py
  4. +17
    -0
      docker/accessbot/accessbot.sh
  5. +30
    -0
      manifests/eavesdrop.pp
  6. +0
    -36
      manifests/site.pp
  7. +0
    -1
      modules.env
  8. +4
    -27
      modules/openstack_project/manifests/eavesdrop.pp
  9. +3
    -0
      playbooks/group_vars/eavesdrop.yaml
  10. +1
    -1
      playbooks/remote_puppet_else.yaml
  11. +1
    -0
      playbooks/roles/accessbot/README.rst
  12. +20
    -0
      playbooks/roles/accessbot/files/accessbot
  13. +36
    -0
      playbooks/roles/accessbot/tasks/main.yaml
  14. +5
    -0
      playbooks/roles/accessbot/templates/accessbot.config.j2
  15. +1
    -0
      playbooks/roles/set-hostname
  16. +5
    -0
      playbooks/roles/zuul-user/README.rst
  17. +4
    -1
      playbooks/roles/zuul-user/defaults/main.yaml
  18. +1
    -3
      playbooks/roles/zuul-user/tasks/main.yaml
  19. +5
    -0
      playbooks/run-accessbot.yaml
  20. +12
    -0
      playbooks/service-eavesdrop.yaml
  21. +0
    -1
      playbooks/set-hostnames.yaml
  22. +1
    -0
      playbooks/zuul/run-base-pre.yaml
  23. +1
    -2
      playbooks/zuul/run-base.yaml
  24. +11
    -0
      playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2
  25. +0
    -0
      roles/set-hostname/README.rst
  26. +4
    -0
      roles/set-hostname/tasks/main.yml
  27. +0
    -0
      roles/set-hostname/templates/hosts.j2
  28. +0
    -0
      roles/set-hostname/templates/mailname.j2

+ 124
- 10
.zuul.yaml View File

@@ -230,6 +230,37 @@
vars: *haproxy-statsd_vars
files: *haproxy-statsd_files

# accessbot jobs
- job:
name: system-config-build-image-accessbot
description: Build a accessbot image.
parent: system-config-build-image
requires: python-base-3.7-container-image
provides: accessbot-container-image
vars: &accessbot_vars
docker_images:
- context: docker/accessbot
repository: opendevorg/accessbot
files: &accessbot_files
- docker/accessbot/
- docker/python-base/

- job:
name: system-config-upload-image-accessbot
description: Build and upload a accessbot image.
parent: system-config-upload-image
requires: python-base-3.7-container-image
provides: accessbot-container-image
vars: *accessbot_vars
files: *accessbot_files

- job:
name: system-config-promote-image-accessbot
description: Promote a previously published accessbot image to latest.
parent: system-config-promote-image
vars: *accessbot_vars
files: *accessbot_files

# Gerrit 2.13 jobs
- job:
name: system-config-build-image-gerrit-2.13
@@ -980,22 +1011,36 @@

- job:
name: system-config-run-eavesdrop
parent: system-config-run
parent: system-config-run-containers
description: |
Run the playbook for an eavesdrop server.
required-projects:
- opendev/system-config
- openstack/project-config
requires: accessbot-container-image
nodeset:
nodes:
- name: bridge.openstack.org
label: ubuntu-bionic
- name: eavesdrop01.openstack.org
label: ubuntu-xenial
vars:
run_playbooks:
- playbooks/service-eavesdrop.yaml
files:
- playbooks/install-ansible.yaml
- playbooks/service-eavesdrop.yaml
- playbooks/run-accessbot.yaml
- playbooks/group_vars/eavesdrop.yaml
- playbooks/roles/zuul-user
- playbooks/roles/install-docker
- playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/accessbot
- playbooks/roles/logrotate
- modules/openstack_project/manifests/eavesdrop.pp
- manifests/eavesdrop.pp
- docker/accessbot/
- testinfra/test_eavesdrop.py
vars:
run_playbooks:
- playbooks/remote_puppet_else.yaml

- job:
name: system-config-run-codesearch
@@ -1521,7 +1566,6 @@
required-projects:
- opendev/system-config
- opendev/ansible-role-puppet
- opendev/puppet-accessbot
- opendev/puppet-ansible
- opendev/puppet-apparmor
- opendev/puppet-askbot
@@ -1700,7 +1744,6 @@
- opendev/puppet-snmpd
- opendev/puppet-user
- opendev/puppet-jeepyb
- opendev/puppet-accessbot
- opendev/puppet-ptgbot
- opendev/puppet-jenkins
- opendev/puppet-vcsrepo
@@ -1764,7 +1807,6 @@
required-projects:
- opendev/ansible-role-puppet
- openstack/logstash-filters
- opendev/puppet-accessbot
- opendev/puppet-ansible
- opendev/puppet-askbot
- opendev/puppet-asterisk
@@ -2287,6 +2329,52 @@
- modules/openstack_project/files/resync-hound-config.sh
- manifests/codesearch.pp

- job:
name: infra-prod-service-eavesdrop
parent: infra-prod-service-base
description: Run service-eavesdrop.yaml playbook
required-projects:
- opendev/system-config
- openstack/project-config
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-base
soft: true
- name: infra-prod-service-letsencrypt
soft: true
- name: system-config-promote-image-accessbot
soft: true
vars:
playbook_name: service-eavesdrop.yaml
files: &infra_prod_eavesdrop_files
- inventory/
- playbooks/service-eavesdrop.yaml
- playbooks/run-accessbot.yaml
- playbooks/group_vars/eavesdrop.yaml
- playbooks/roles/zuul-user
- playbooks/roles/install-docker
- playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/accessbot
- playbooks/roles/logrotate
- modules/openstack_project/manifests/eavesdrop.pp
- manifests/eavesdrop.pp
- docker/accessbot/

- job:
name: infra-prod-run-accessbot
parent: infra-prod-service-base
description: Run run-accessbot.yaml playbook
required-projects:
- opendev/system-config
- openstack/project-config
dependencies:
- infra-prod-service-eavesdrop
vars:
playbook_name: run-accessbot.yaml
files: *infra_prod_eavesdrop_files

# Run AFS changes separately so we can make sure to only do one at a time
# (turns out quorum is nice to have)
- job:
@@ -2537,7 +2625,11 @@
voting: false
- system-config-run-backup
- system-config-run-dns
- system-config-run-eavesdrop
- system-config-run-eavesdrop:
dependencies:
- name: opendev-buildset-registry
- name: system-config-build-image-accessbot
soft: true
- system-config-run-codesearch
- system-config-run-lists
- system-config-run-nodepool
@@ -2588,6 +2680,11 @@
- name: opendev-buildset-registry
- name: system-config-build-image-python-base-3.7
soft: true
- system-config-build-image-accessbot:
dependencies:
- name: opendev-buildset-registry
- name: system-config-build-image-python-base-3.7
soft: true
- system-config-build-image-python-base-3.7
- system-config-build-image-python-base-3.8
- system-config-build-image-python-builder-3.7
@@ -2602,7 +2699,11 @@
- tox-linters
- system-config-run-base
- system-config-run-dns
- system-config-run-eavesdrop
- system-config-run-eavesdrop:
dependencies:
- name: opendev-buildset-registry
- name: system-config-upload-image-accessbot
soft: true
- system-config-run-codesearch
- system-config-run-lists
- system-config-run-nodepool
@@ -2653,6 +2754,11 @@
- name: opendev-buildset-registry
- name: system-config-upload-image-python-base-3.7
soft: true
- system-config-upload-image-accessbot:
dependencies:
- name: opendev-buildset-registry
- name: system-config-build-image-python-base-3.7
soft: true
- system-config-upload-image-python-base-3.7
- system-config-upload-image-python-base-3.8
- system-config-upload-image-python-builder-3.7
@@ -2668,6 +2774,7 @@
- system-config-promote-image-etherpad
- system-config-promote-image-jitsi-meet
- system-config-promote-image-haproxy-statsd
- system-config-promote-image-accessbot
- system-config-promote-image-python-base-3.7
- system-config-promote-image-python-base-3.8
- system-config-promote-image-python-builder-3.7
@@ -2717,6 +2824,7 @@
- infra-prod-service-review-dev
- infra-prod-service-gitea
- infra-prod-service-codesearch
- infra-prod-service-eavesdrop
- infra-prod-remote-puppet-afs
- infra-prod-remote-puppet-else
periodic:
@@ -2748,6 +2856,8 @@
- infra-prod-service-review-dev
- infra-prod-service-gitea
- infra-prod-service-codesearch
- infra-prod-service-eavesdrop
- infra-prod-run-accessbot
- infra-prod-remote-puppet-afs
opendev-prod-hourly:
jobs:
@@ -2768,3 +2878,7 @@
dependencies:
- name: infra-prod-install-ansible
soft: true
- infra-prod-run-accessbot:
dependencies:
- name: infra-prod-install-ansible
soft: true

+ 21
- 0
docker/accessbot/Dockerfile View File

@@ -0,0 +1,21 @@
# Copyright (c) 2020 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.

FROM docker.io/opendevorg/python-base:3.7

RUN pip install pyyaml irc
COPY accessbot.py /usr/local/bin/accessbot.py
COPY accessbot.sh /usr/local/bin/accessbot
CMD ["/usr/local/bin/accessbot", "-c", "/etc/accessbot/accessbot.config", "-l", "/etc/accessbot/channels.yaml", ">>", "]]

+ 248
- 0
docker/accessbot/accessbot.py View File

@@ -0,0 +1,248 @@
#! /usr/bin/env python

# Copyright 2011, 2013-2014 OpenStack Foundation
# Copyright 2012 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import configparser
import argparse
import irc.client
import logging
import ssl
import sys
import time
import yaml

logging.basicConfig(
format='%(asctime)s [%(levelname)s] %(name)s - %(message)s',
level=logging.DEBUG)


class SetAccess(irc.client.SimpleIRCClient):
log = logging.getLogger("setaccess")

def __init__(self, config, noop, nick, password, server, port):
irc.client.SimpleIRCClient.__init__(self)
self.identify_msg_cap = False
self.config = config
self.nick = nick
self.password = password
self.server = server
self.port = int(port)
self.noop = noop
self.channels = [x['name'] for x in self.config['channels']]
self.current_channel = None
self.current_list = []
self.changes = []
self.identified = False
if self.port == 6697:
factory = irc.connection.Factory(wrapper=ssl.wrap_socket)
self.connect(self.server, self.port, self.nick,
connect_factory=factory)
else:
self.connect(self.server, self.port, self.nick)

def on_disconnect(self, connection, event):
sys.exit(0)

def on_welcome(self, c, e):
self.identify_msg_cap = False
self.log.debug("Requesting identify-msg capability")
c.cap('REQ', 'identify-msg')
c.cap('END')

def on_cap(self, c, e):
self.log.debug("Received cap response %s" % repr(e.arguments))
if e.arguments[0] == 'ACK' and 'identify-msg' in e.arguments[1]:
self.log.debug("identify-msg cap acked")
self.identify_msg_cap = True
self.log.debug("Identifying to nickserv")
c.privmsg("nickserv", "identify %s " % self.password)

def on_privnotice(self, c, e):
if not self.identify_msg_cap:
self.log.debug("Ignoring message because identify-msg "
"cap not enabled")
return
nick = e.source.split('!')[0]
auth = e.arguments[0][0]
msg = e.arguments[0][1:]
if auth == '+' and nick == 'NickServ' and not self.identified:
if msg.startswith('You are now identified'):
self.identified = True
# Prejoin and set ourselves as op in these channels,
# to facilitate +f forwarding.
for channel in self.config.get('op_channels', []):
c.join("#%s" % channel)
c.privmsg("chanserv", "op #%s" % channel)
self.advance()
return
if auth != '+' or nick != 'ChanServ':
self.log.debug("Ignoring message from unauthenticated "
"user %s" % nick)
return
self.failed = False
self.advance(msg)

def _get_access_list(self, channel_name):
ret = {}
alumni = []
mode = ''
channel = None
for c in self.config['channels']:
if c['name'] == channel_name:
channel = c
if channel is None:
raise Exception("Unknown channel %s" % (channel_name,))
mask = ''
for access, nicks in (self.config['global'].items() +
channel.items()):
if access == 'mask':
mask = self.config['access'].get(nicks)
continue
if access == 'alumni':
alumni += nicks
continue
if access == 'mode':
mode = nicks
continue
flags = self.config['access'].get(access)
if flags is None:
continue
for nick in nicks:
ret[nick] = flags
return mask, ret, alumni, mode

def _get_access_change(self, current, target, mask):
remove = ''
add = ''
change = ''
for x in current:
if x in '+-':
continue
if target:
if x not in target:
remove += x
else:
if x not in mask:
remove += x
for x in target:
if x in '+-':
continue
if x not in current:
add += x
if remove:
change += '-' + remove
if add:
change += '+' + add
return change

def _get_access_changes(self):
mask, target, alumni, mode = self._get_access_list(self.current_channel)
self.log.debug("Mask for %s: %s" % (self.current_channel, mask))
self.log.debug("Target for %s: %s" % (self.current_channel, target))
all_nicks = set()
global_alumni = self.config.get('alumni', {})
global_mode = self.config.get('mode', '')
current = {}
changes = []
for nick, flags, msg in self.current_list:
if nick in global_alumni or nick in alumni :
self.log.debug("%s is an alumni; removing access", nick)
changes.append('access #%s del %s' % (self.current_channel, nick))
continue
all_nicks.add(nick)
current[nick] = flags
for nick in target.keys():
all_nicks.add(nick)
for nick in all_nicks:
change = self._get_access_change(current.get(nick, ''),
target.get(nick, ''), mask)
if change:
changes.append('access #%s add %s %s' % (self.current_channel,
nick, change))

# Set the mode. Note we always just hard-set the mode for
# simplicity (per the man page mlock always clears and sets
# anyway). Channel mode overrides global mode.
#
# Note for +f you need to be op in the target channel; see
# op_channel option.
if not mode and global_mode:
mode = global_mode
self.log.debug("Setting mode to : %s" % mode)
if mode:
changes.append('set #%s mlock %s' % (self.current_channel, mode))

return changes

def advance(self, msg=None):
if self.changes:
if self.noop:
for change in self.changes:
self.log.info('NOOP: ' + change)
self.changes = []
else:
change = self.changes.pop()
self.log.info(change)
self.connection.privmsg('chanserv', change)
time.sleep(1)
return
if not self.current_channel:
if not self.channels:
self.connection.quit()
return
self.current_channel = self.channels.pop()
self.current_list = []
self.connection.privmsg('chanserv', 'access list #%s' %
self.current_channel)
time.sleep(1)
return
if msg.startswith('End of'):
self.changes = self._get_access_changes()
self.current_channel = None
self.advance()
return
parts = msg.split()
if parts[2].startswith('+'):
self.current_list.append((parts[1], parts[2], msg))


def main():
parser = argparse.ArgumentParser(description='IRC channel access check')
parser.add_argument('-c', dest='config', nargs=1,
help='specify the config file')
parser.add_argument('-l', dest='channels',
default='/etc/irc/channels.yaml',
help='path to the channel config')
parser.add_argument('--noop', dest='noop',
action='store_true',
help="Don't make any changes")
args = parser.parse_args()

config = configparser.ConfigParser()
config.read(args.config)

channels = yaml.load(open(args.channels))

a = SetAccess(channels, args.noop,
config.get('ircbot', 'nick'),
config.get('ircbot', 'pass'),
config.get('ircbot', 'server'),
config.get('ircbot', 'port'))
a.start()


if __name__ == "__main__":
main()

+ 17
- 0
docker/accessbot/accessbot.sh View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright (c) 2020 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.

exec python /usr/local/bin/accessbot.py -c /etc/accessbot/accessbot.config -l /etc/accessbot/channels.yaml >> /var/log/accessbot/accessbot.log 2>&1

+ 30
- 0
manifests/eavesdrop.pp View File

@@ -0,0 +1,30 @@
# Node-OS: xenial
node /^eavesdrop\d*\.open.*\.org$/ {
$group = "eavesdrop"
class { 'openstack_project::eavesdrop':
nickpass => hiera('openstack_meetbot_password'),
statusbot_nick => hiera('statusbot_nick', 'username'),
statusbot_password => hiera('statusbot_nick_password'),
statusbot_server => 'chat.freenode.net',
statusbot_channels => hiera_array('statusbot_channels', ['openstack_infra']),
statusbot_auth_nicks => hiera_array('statusbot_auth_nicks'),
statusbot_wiki_user => hiera('statusbot_wiki_username', 'username'),
statusbot_wiki_password => hiera('statusbot_wiki_password'),
statusbot_wiki_url => 'https://wiki.openstack.org/w/api.php',
# https://wiki.openstack.org/wiki/Infrastructure_Status
statusbot_wiki_pageid => '1781',
statusbot_wiki_successpageid => '7717',
statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',
statusbot_wiki_thankspageid => '37700',
statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',
statusbot_irclogs_url => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
statusbot_twitter => true,
statusbot_twitter_key => hiera('statusbot_twitter_key'),
statusbot_twitter_secret => hiera('statusbot_twitter_secret'),
statusbot_twitter_token_key => hiera('statusbot_twitter_token_key'),
statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),
meetbot_channels => hiera('meetbot_channels', ['openstack-infra']),
ptgbot_nick => hiera('ptgbot_nick', 'username'),
ptgbot_password => hiera('ptgbot_password'),
}
}

+ 0
- 36
manifests/site.pp View File

@@ -86,42 +86,6 @@ node /planet\d*\.open.*\.org$/ {
}
}

# Node-OS: xenial
node /^eavesdrop\d*\.open.*\.org$/ {
$group = "eavesdrop"
class { 'openstack_project::server': }

class { 'openstack_project::eavesdrop':
project_config_repo => 'https://opendev.org/openstack/project-config',
nickpass => hiera('openstack_meetbot_password'),
statusbot_nick => hiera('statusbot_nick', 'username'),
statusbot_password => hiera('statusbot_nick_password'),
statusbot_server => 'chat.freenode.net',
statusbot_channels => hiera_array('statusbot_channels', ['openstack_infra']),
statusbot_auth_nicks => hiera_array('statusbot_auth_nicks'),
statusbot_wiki_user => hiera('statusbot_wiki_username', 'username'),
statusbot_wiki_password => hiera('statusbot_wiki_password'),
statusbot_wiki_url => 'https://wiki.openstack.org/w/api.php',
# https://wiki.openstack.org/wiki/Infrastructure_Status
statusbot_wiki_pageid => '1781',
statusbot_wiki_successpageid => '7717',
statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',
statusbot_wiki_thankspageid => '37700',
statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',
statusbot_irclogs_url => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
statusbot_twitter => true,
statusbot_twitter_key => hiera('statusbot_twitter_key'),
statusbot_twitter_secret => hiera('statusbot_twitter_secret'),
statusbot_twitter_token_key => hiera('statusbot_twitter_token_key'),
statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),
accessbot_nick => hiera('accessbot_nick', 'username'),
accessbot_password => hiera('accessbot_nick_password'),
meetbot_channels => hiera('meetbot_channels', ['openstack-infra']),
ptgbot_nick => hiera('ptgbot_nick', 'username'),
ptgbot_password => hiera('ptgbot_password'),
}
}

# Node-OS: xenial
node /^ethercalc\d+\.open.*\.org$/ {
$group = "ethercalc"


+ 0
- 1
modules.env View File

@@ -63,7 +63,6 @@ SOURCE_MODULES["https://github.com/voxpupuli/puppet-nodejs"]="v2.3.0"

# Add modules that should be part of the openstack-infra integration test here
# Please keep sorted
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/opendev/puppet-accessbot"]="origin/master"
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/opendev/puppet-ansible"]="origin/master"
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/opendev/puppet-askbot"]="origin/master"
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/opendev/puppet-asterisk"]="origin/master"


+ 4
- 27
modules/openstack_project/manifests/eavesdrop.pp View File

@@ -21,9 +21,6 @@ class openstack_project::eavesdrop (
$statusbot_twitter_secret = '',
$statusbot_twitter_token_key = '',
$statusbot_twitter_token_secret = '',
$accessbot_nick = '',
$accessbot_password = '',
$project_config_repo = '',
$meetbot_channels = [],
$ptgbot_nick = '',
$ptgbot_password = '',
@@ -83,36 +80,16 @@ class openstack_project::eavesdrop (
}
}

class { 'project_config':
url => $project_config_repo,
}

class { 'accessbot':
nick => $accessbot_nick,
password => $accessbot_password,
server => $statusbot_server,
channel_file => $::project_config::accessbot_channels_yaml,
require => $::project_config::config_dir,
}

# Needed to allow Jenkins jobs to publish meeting info to
# the eavesdrop server.
include openstack_project
class { 'jenkins::jenkinsuser':
ssh_key => $openstack_project::jenkins_ssh_key,
}

file { '/srv/yaml2ical':
ensure => directory,
owner => 'jenkins',
group => 'jenkins',
require => User['jenkins'],
owner => 'zuul',
group => 'zuul',
}

file { '/srv/yaml2ical/calendars':
ensure => directory,
owner => 'jenkins',
group => 'jenkins',
owner => 'zuul',
group => 'zuul',
require => File['/srv/yaml2ical'],
}



+ 3
- 0
playbooks/group_vars/eavesdrop.yaml View File

@@ -1,2 +1,5 @@
iptables_extra_public_tcp_ports:
- 80
zuul_user_authorized_key: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcXd/QJDEprSLh6N6bULnhchf9M+uzYBEJ2b51Au67FON+5M6VEj5Ut+DlkEPhabOP+tSv9Cn1HpmpBjdEOXdmBj6JS7G/gBb4w28oZDyNjrPT2ebpRw/XnVEkGfikR2J+j3o7CV+ybhLDalXm2TUDReVXnONUq3YzZbjRzoYs0xxrxyss47vZP0xFpsAt9jCMAJW2k6H589VUY38k9LFyhZUZ72FB6eJ68B9GN0TimBYm2DqvupBGQrRhkP8OZ0WoBV8PulKXaHVFdmfBNHB7E7FLlZKuiM6nkV4bOWMGOB/TF++wXBK86t9po3pWCM7+kr72xGRTE+6LuZ2z1K+h zuul-system-config-20180924
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQbidZ1wW8moNtPGBhZ3oDm1kcDtiAemI51euL6KZslwpG8CKMT0KBSYw1vpCYc5dYCerq63dQtg2Bm1rhc2gC/U2bbMlvnNPwlkS7eykVfrPDfJHVbff+qHv7l1e1ZoCVAEvVxXG/FgFUiqIKwEhMqG/Etegw07H7vERNETGE5RyRA8cMnK9Cj4oL0OUpZAv7o1a+A+gXRv1EMdWL7g9M6OImikO48w+ZSLOA8uD+0MmN23nh335k2VG609u+ZxTkZAB4GtW0HSCTFu5MCmJFaY1+5cCNedsC9O4ekaXNQxYelFxasN5Qe7miRWcR+Ax8g3HjHpG3Hc1LSc/6XVcj zuul-project-config-20180924

+ 1
- 1
playbooks/remote_puppet_else.yaml View File

@@ -1,4 +1,4 @@
- hosts: 'puppet:!review:!afs:!afsdb:!puppetmaster*:!nb*:!codesearch:!disabled'
- hosts: 'puppet:!review:!afs:!afsdb:!puppetmaster*:!nb*:!codesearch:!eavesdrop:!disabled'
name: "Puppet-else: run puppet on all other servers"
strategy: free
roles:


+ 1
- 0
playbooks/roles/accessbot/README.rst View File

@@ -0,0 +1 @@
Set up accessbot

+ 20
- 0
playbooks/roles/accessbot/files/accessbot View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2020 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.

exec docker run --rm --net=host \
-v/etc/accessbot:/etc/accessbot \
-v/var/log/accessbot:/var/log/accessbot \
docker.io/opendevorg/accessbot

+ 36
- 0
playbooks/roles/accessbot/tasks/main.yaml View File

@@ -0,0 +1,36 @@
- name: Install accessbot script
copy:
src: accessbot
dest: /usr/local/bin/accessbot
mode: 0755

- name: Ensure accessbot log dir
file:
path: /var/log/accessbot
state: directory

- name: Ensure config dir
file:
path: /etc/accessbot
state: directory

- name: Install accessbot config
template:
src: accessbot.config.j2
dest: /etc/accessbot/accessbot.config
mode: 0440

- name: Copy accessbot channel config
copy:
remote_src: true
src: /opt/project-config/accessbot/channels.yaml
dest: /etc/accessbot/channels.yaml

- name: Setup log rotation
include_role:
name: logrotate
vars:
logrotate_file_name: /var/log/accessbot/accessbot.log

- name: Pull latest image
command: docker pull docker.io/opendevorg/accessbot

+ 5
- 0
playbooks/roles/accessbot/templates/accessbot.config.j2 View File

@@ -0,0 +1,5 @@
[ircbot]
nick={{ accessbot_nick }}
pass={{ accessbot_nick_password }}
server=chat.freenode.net
port=6697

+ 1
- 0
playbooks/roles/set-hostname View File

@@ -0,0 +1 @@
../../roles/set-hostname/

+ 5
- 0
playbooks/roles/zuul-user/README.rst View File

@@ -9,3 +9,8 @@ Install a user ``zuul`` that has the per-project key from
:default: False

Enable passwordless ``sudo`` access for the zuul user.

.. zuul:rolevar:: zuul_user_authorized_key
:default: per-project key from system-config

Authorized key content for the zuul user.

+ 4
- 1
playbooks/roles/zuul-user/defaults/main.yaml View File

@@ -1 +1,4 @@
zuul_user_enable_sudo: False
zuul_user_enable_sudo: False
# Zuul key from https://zuul.opendev.org/api/tenant/openstack/project-ssh-key/opendev/system-config.pub at 2020-02-26
zuul_user_authorized_key: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcXd/QJDEprSLh6N6bULnhchf9M+uzYBEJ2b51Au67FON+5M6VEj5Ut+DlkEPhabOP+tSv9Cn1HpmpBjdEOXdmBj6JS7G/gBb4w28oZDyNjrPT2ebpRw/XnVEkGfikR2J+j3o7CV+ybhLDalXm2TUDReVXnONUq3YzZbjRzoYs0xxrxyss47vZP0xFpsAt9jCMAJW2k6H589VUY38k9LFyhZUZ72FB6eJ68B9GN0TimBYm2DqvupBGQrRhkP8OZ0WoBV8PulKXaHVFdmfBNHB7E7FLlZKuiM6nkV4bOWMGOB/TF++wXBK86t9po3pWCM7+kr72xGRTE+6LuZ2z1K+h

+ 1
- 3
playbooks/roles/zuul-user/tasks/main.yaml View File

@@ -17,6 +17,4 @@
authorized_key:
user: zuul
state: present
key: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcXd/QJDEprSLh6N6bULnhchf9M+uzYBEJ2b51Au67FON+5M6VEj5Ut+DlkEPhabOP+tSv9Cn1HpmpBjdEOXdmBj6JS7G/gBb4w28oZDyNjrPT2ebpRw/XnVEkGfikR2J+j3o7CV+ybhLDalXm2TUDReVXnONUq3YzZbjRzoYs0xxrxyss47vZP0xFpsAt9jCMAJW2k6H589VUY38k9LFyhZUZ72FB6eJ68B9GN0TimBYm2DqvupBGQrRhkP8OZ0WoBV8PulKXaHVFdmfBNHB7E7FLlZKuiM6nkV4bOWMGOB/TF++wXBK86t9po3pWCM7+kr72xGRTE+6LuZ2z1K+h
comment: Zuul key from https://zuul.opendev.org/api/tenant/openstack/project-ssh-key/opendev/system-config.pub at 2020-02-26
key: '{{ zuul_user_authorized_key }}'

+ 5
- 0
playbooks/run-accessbot.yaml View File

@@ -0,0 +1,5 @@
- hosts: 'eavesdrop:!disabled'
name: "eavesdrop: run accessbot"
tasks:
- name: Run accessbot
command: /usr/local/bin/accessbot

+ 12
- 0
playbooks/service-eavesdrop.yaml View File

@@ -0,0 +1,12 @@
- hosts: 'eavesdrop:!disabled'
name: "eavesdrop: run puppet on eavesdrop"
strategy: free
roles:
- zuul-user
- sync-project-config
- install-docker
- accessbot
- puppet-install
- disable-puppet-agent
- name: puppet
manifest: /opt/system-config/production/manifests/eavesdrop.pp

+ 0
- 1
playbooks/set-hostnames.yaml View File

@@ -1,5 +1,4 @@
- hosts: "!disabled"
gather_facts: false
user: root
roles:
- set-hostname

+ 1
- 0
playbooks/zuul/run-base-pre.yaml View File

@@ -4,6 +4,7 @@
- multi-node-known-hosts
- copy-build-sshkey
- use-docker-mirror
- set-hostname
tasks:
- include_role:
name: use-buildset-registry


+ 1
- 2
playbooks/zuul/run-base.yaml View File

@@ -45,6 +45,7 @@
loop:
- group_vars/all.yaml
- group_vars/adns.yaml
- group_vars/eavesdrop.yaml
- group_vars/nodepool.yaml
- group_vars/ns.yaml
- group_vars/registry.yaml
@@ -90,8 +91,6 @@
dest: /home/zuul/src/opendev.org/opendev/system-config/playbooks/host_vars/bridge.openstack.org.yaml
become: true

- name: Set hostname on host
command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/set-hostnames.yaml
- name: Run base.yaml
command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml
- name: Run bridge service playbook


+ 11
- 0
playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2 View File

@@ -0,0 +1,11 @@
openstack_meetbot_password: password
statusbot_nick_password: password
statusbot_wiki_password: password
statusbot_twitter_key: twitter_key
statusbot_twitter_secret: twitter_secret
statusbot_twitter_token_key: token_key
statusbot_twitter_token_secret: token_secret
accessbot_nick: username
accessbot_nick_password: password
ptgbot_password: password
access_bot_install_only: true

playbooks/roles/set-hostname/README.rst → roles/set-hostname/README.rst View File


playbooks/roles/set-hostname/tasks/main.yml → roles/set-hostname/tasks/main.yml View File

@@ -3,6 +3,7 @@
# nodes, but not on the minimal ones we get from
# nodepool.
- name: ensure dbus for working hostnamectl
become: true
apt:
name: dbus
state: present
@@ -12,10 +13,13 @@
# https://github.com/ansible/ansible/pull/8482)
# https://gist.github.com/rothgar/8793800
- name: Set /etc/hostname
become: true
hostname: name="{{ inventory_hostname.split('.', 1)[0] }}"

- name: Set /etc/hosts
become: true
template: src=hosts.j2 dest=/etc/hosts mode=0644

- name: Set /etc/mailname
become: true
template: src=mailname.j2 dest=/etc/mailname mode=0644

playbooks/roles/set-hostname/templates/hosts.j2 → roles/set-hostname/templates/hosts.j2 View File


playbooks/roles/set-hostname/templates/mailname.j2 → roles/set-hostname/templates/mailname.j2 View File


Loading…
Cancel
Save