30 Commits

Author SHA1 Message Date
Zuul
7fe8a64cdc Merge "Build gerrit images with bazelisk" 2020-02-24 18:20:48 +00:00
Monty Taylor
a8e1d1496d Build gerrit images with bazelisk
We need to use bazelisk to build gerrit so that we can properly
track bazel versions in the job. Use the roles developed for
gerrit-review to do that, then simplify the dockerfile to have
it simply copy the war into the target image.

Also add polymer-bridges.

Depends-On: https://review.opendev.org/709256
Change-Id: I7c13df51d3b8c117bcc9aab9caad59687471d622
2020-02-21 17:32:01 -06:00
Ian Wienand
170b0c0843 openafs-client: use dnf for CentOS 8
We are seeing some failures that seem to add up to the yum module not
detecting a failure installing the kernel modules for openafs.  See if
this works better with "dnf", which is the native package installer on
CentOS 8.

Change-Id: I82588ed5a02e5dff601b41b27b28a663611bfe89
2020-02-11 13:15:54 +11:00
Ian Wienand
22c5561df3 openafs-client: add option for OpenAFS cache location
Our control plane servers generally have large ephemeral storage
attached at /opt; for many uses this is enough space that we don't
need to add extra cinder volumes for a reasonable cache (as we usually
do on mirror nodes; but there we create large caches for both openafs
and httpd reverse proxy whose needs exceed even what we get from
ephemeral storage).

Add an option to set the cache location, and use /opt for our new
static01.opendev.org server.

Change-Id: I16eed1734a0a7e855e27105931a131ce4dbd0793
2020-01-28 21:05:27 +11:00
Ian Wienand
5b09e09c60 kerberos-client: remove kstart requirement on CentOS
All our AFS release roles use "kinit" for authentication.  The only
scripts using k5start are the mirror scripts, but since that doesn't
run on CentOS we don't need it there.

This avoids us having to use EPEL or, on 8, an unsupported build.
Anything needing to be portable should use kinit from now on.

Change-Id: I6323cb835cedf9974cf8d96faa7eb55b8aaafd9a
2020-01-23 12:27:46 +11:00
Zuul
e038eccbc3 Merge "openafs-client: add centos8" 2020-01-23 00:59:05 +00:00
Ian Wienand
3f68936a0c openafs-client: add centos8
Add CentOS 8 support for the openafs client build

Change-Id: I8290cf1eed9ee8e4af44ac209502553944c52103
Depends-On: https://review.opendev.org/702348
2020-01-22 23:14:43 +00:00
Ian Wienand
161906647b Replace skip with errors=ignore
Upstream deprecated "skip:" in preference of errors="ignore" [1].
Update playbooks to silence deprecation warning

[1] e17a2b502d

Change-Id: I72284f6ca8aaaa1ba5f94ad8e654d1b337ae762f
2020-01-16 22:34:09 +00:00
Ian Wienand
7f98daeb5a openafs: avoid pulling in client package before kernel modules
For whatever reason, the modules package recommends the client
package:

 Package: openafs-modules-dkms
 Depends: dkms (>= 2.1.0.0), perl:any, libc6-dev
 Recommends: openafs-client (>= 1.8.0~pre5-1ubuntu1)

However, if that gets installed before the modules are ready, the
service tries to start and fails, but maybe fools systemd into
thinking it started correctly; so our sanity checks seem to fail on
new servers without a manual restart of the openafs client services.

By ignoring this recommends, we should install the modules, then the
client (which should start OK) in that order only.

Change-Id: I6d69ac0bd2ade95fede33c5f82e7df218da9458b
2019-07-31 14:00:34 +10:00
Ian Wienand
439da9ec02 openafs-client: ensure latest package and reorder install
We've noticed that openafs was not getting upgraded to the PPA version
on one of our opendev.org mirrors.  Switch install of packages to
"latest" to make sure it upgrades (reboots to actually apply change
unresolved issue, but at least package is there).

Also, while looking at this, reorder this to install the PPA first,
then ensure we have the kernel headers, then build the openafs kernel
modules, then install.  Add a note about having to install/build the
modules first.

Change-Id: I058f5aa52359276a4013c44acfeb980efe4375a1
2019-07-03 06:51:09 +10:00
Ian Wienand
36d9687b4a Use openstack-ci-core PPA for openafs 1.8.3
This ppa has openafs 1.8.3 for Bionic hosts

Change-Id: I26dc2f3f1a14cf59a4b132c53b4738ed4d9919f8
2019-06-17 15:56:09 +10:00
Zuul
9867d6c6bb Merge "Update to ansible-lint 4.1.0" 2019-06-11 01:48:18 +00:00
James E. Blair
3199e3b225 Enable SPF checking on lists
This requires an external program and only works on Debian hosts.

Newer versions of exim (4.91) have SPF functionality built-in, but
they are not yet available to us.

Change-Id: Idfe6bfa5a404b61c8761aa1bfa2212e4b4e32be9
2019-06-07 10:34:33 -07:00
Ian Wienand
52780440ff Update to ansible-lint 4.1.0
In a follow-on change (I9bf74df351e056791ed817180436617048224d2c) I
want to use #noqa to ignore an ansible-lint rule on a task; however
emperical testing shows that it doesn't work with 3.5.1.  Upgrading to
4.1.0 it seems whatever was wrong has been fixed.

This, however, requires upgrading to 4.1.0.

I've been through the errors ... the comments inline I think justify
what has been turned off.  The two legitimate variable space issues I
have rolled into this change; all other hits were false positives as
described.

Change-Id: I7752648aa2d1728749390cf4f38459c1032c0877
2019-06-06 22:13:12 +00:00
Ian Wienand
d5b321b074 Handle moved puppet repos
As per [1], it seems puppet has "cleaned up" most of the packages we
are using to install.

Install the puppet-agent packages directly as puppet's archive location
is not a valid repo. With puppet 4 at least these packages should bundle
everything we need including ruby.

[1] https://groups.google.com/forum/#!msg/puppet-users/cCsGWKunBe4/OdG0T7LeDAAJ

Depends-On: https://review.opendev.org/659384
Depends-On: https://review.opendev.org/659395
Change-Id: Ie9e2b79b42f397bddd960ccdc303b536155ce123
2019-05-15 16:03:07 -07:00
OpenDev Sysadmins
1ee61397a3 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:26:05 +00:00
Ian Wienand
72b4b868ab Skip installing puppetlabs repos if they exist
Currently ansible fails on most puppet4 hosts with

 TASK [puppet-install : Install puppetlabs repo] ********************************
 fatal: [...]: FAILED! => {"changed": false, "msg": "A later version is already installed"}

As described inline, the version at the "top level" we are installing
via ansible here is actualy lower than the version in the repo this
package installs (inception).  Thus once an upgrade has been run on
the host, we are now trying to *downgrade* the puppetlabs-release
package.  This stops the ansible run and makes everything unhappy.

If we have the puppet repo, just skip trying to install it again.

We do this for just trusty and xenial; at this point we don't have any
puppet5 hosts (and none are planned) and I haven't checked if it has
the same issues.

Change-Id: I55ea8bfbfc40befb1d138e9bc0f95b120f8f5dbd
2019-04-09 18:30:13 +10:00
Clark Boylan
0269710c86 Don't manage puppet.conf during puppet-install
The ansible-role-puppet role manages puppet.conf for us. These two roles
are currently fighting each other over the presence of the server line
in puppet.conf. Avoid this by removing the removal of this line and the
templatedir line from the new puppet-install role since
ansible-role-puppet was there first. Basically just trust
ansible-role-puppet to write a working puppet.conf for us.

Change-Id: Ifb1dff31a61071bd867d3a7cc3cbcc496177e3ce
2019-04-08 10:09:35 -07:00
Monty Taylor
68329470fa
Use include_tasks instead of include
They're the same, basically, but include tasks is clearer.

Change-Id: Ia03b8eb2b3e17b421fd5a178b0d9907cc71ebcae
2018-09-20 09:08:55 -05:00
Zuul
97319f0cd8 Merge "roles/kerberos-client: fix defaults" 2018-09-12 21:03:05 +00:00
Zuul
21a81de59f Merge "Don't use loops with package task" 2018-08-30 20:53:32 +00:00
Ian Wienand
faa6207e8c roles/kerberos-client: fix defaults
During review these variable names changed, but I didn't update the
defaults.

Change-Id: I825a738abe67b7e329421df3389ad2ed9137eec0
2018-08-29 15:34:06 +10:00
Paul Belanger
17a8a70643 Don't git clone system-config in puppet-install
Talking to clarkb, it was decided we can remove this logic in favor of
having ansible-role-puppet push system-config and modules to the remote
nodes.

Change-Id: I59b8a713cdf2b4c1fede44e977c49be5e8cc08fa
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-08-28 19:28:48 -04:00
Paul Belanger
30c2e03281 Don't use loops with package task
We can directly pass a list of packages to the package task in ansible,
this will help save us some times on run times.

Change-Id: I9b26f4f4f9731dc7d32186584620f1cec04b7a81
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-08-28 18:32:42 -04:00
Ian Wienand
ee7faefe08 Create ansible roles to install puppet
Currently our puppet-requiring hosts (all !bridge) do not manage their
puppet installs.  This is OK for existing servers, but new servers
come up without puppet installed.

This is playbooks to manage puppet installs on hosts.  It is mostly a
port of the relevant parts of ./install_puppet.sh for our various
control-plane platforms.

Basic testing with zuul-integration jobs is added.  Using this in the
control-plane base.yaml playbooks will be a follow-on.

Change-Id: Id5b2f5eb0f1ade198acf53a7c886dd5b3ab79816
2018-08-28 16:42:45 +10:00
Zuul
4bd5095f37 Merge "Scope exim service name variable" 2018-08-27 14:53:04 +00:00
James E. Blair
3bc18bc705 Scope exim service name variable
This is used in a handler which may be run after intervening roles;
ensure it has a unique variable name.

Change-Id: I6a3d856d3252ff62220d9769232e31ea7c4f9080
2018-08-24 17:05:03 -07:00
Ian Wienand
801e7c9bd0 Add openafs-client role
The role sets up a host as an OpenAFS client.

As noted in the README, OpenAFS is not available in every
distribution, or on every architecture.  The goal is to provide
sensible defaults but allow for flexibility.

This is largely a port of the client parts of
openstack-infra/puppet-openafs.

This is a generic role because it will be used from Zuul jobs
(wheel-builds) and in the control-plane (servers mounting AFS)

Tested-By: https://review.openstack.org/589335
Needed-By: https://review.openstack.org/590636
Change-Id: Iaaa18194baca4ebd37669ea00505416ebf6c884c
2018-08-23 21:34:47 +10:00
Ian Wienand
1939f3e8ec Move exim role to top-level
Move the exim role to be a "generic" role in the top-level roles/
directory, making it available for use as a Zuul role.

Update the linters jobs to look for roles in the top level

Update the Role documentation to explain what the split in roles is
about.

Change-Id: I6b49d2a4b120141b3c99f5f1e28c410da12d9dc3
2018-08-23 21:34:47 +10:00
Ian Wienand
e3da2c2e3e Add kerberos-client role
A role to setup a host as a kerberos client

This is largely a port of the client ports of
openstack-infra/puppet-kerberos.

This is a generic role because it will be used from Zuul jobs
(wheel-builds) and in the control-plane (servers mounting AFS)

Tested-By: https://review.openstack.org/589335
Needed-By: https://review.openstack.org/590636
Change-Id: I4b38ea7ec2325071a67068555ef47e15d559c18e
2018-08-23 21:34:47 +10:00