This is an initial host for testing opendev.org mirrors
Change-Id: I26b9ed1e21e2111f48bc7ecc384880c274eed213
Depends-On: https://review.opendev.org/660235
This implements mirrors to live in the opendev.org namespace. The
implementation is Ansible native for deployment on a Bionic node.
The hostname prefix remains the same (mirrorXX.region.provider.) but
the groups.yaml splits the opendev.org mirrors into a separate group.
The matches in the puppet group are also updated so as to not run puppet
on the hosts.
The kerberos and openafs client parts do not need any updating and
work on the Bionic host.
The hosts are set up to provision certificates for themselves from
letsencrypt. Note we've added a new handler for mirror nodes to use
that restarts apache on certificate issue/renewal.
The new "mirror" role is a port of the existing puppet mirror.pp. It
installs apache, sets up some modules, makes some symlinks, sets up a
cleanup cron job and installs the apache vhost configuration.
The vhost configuration is also ported from the extant puppet. It is
simplified somewhat; but the biggest change is that we have extracted
the main port 80 configuration into a macro which is applied to both
port 80 and 443; i.e. the host will have SSL support. The other ports
are left alone for now, but can be updated in due course.
Thus we should be able to CNAME the existing mirrors to new nodes, and
any existing http access can continue. We can update our mirror setup
scripts to point to https resources as appropriate.
Change-Id: Iec576d631dd5b02f6b9fb445ee600be060f9cf1e
There is convoluted code in openstack ansible CI to
fetch the file from the official mirror, which is frowned
upon for CI reliability purposes, so we have to mirror
it into AFS.
Change-Id: I84c43f8d4eb0d0ae5ca81c4f8620058a3ecc46fe
puppet-solr is dead upstream. Even the un-merged pull request for
Xenial support isn't sufficient [1].
We can either get into the business of owning puppet-solr, or hack
around it. It seems the major difference is that jetty package split
into separate jetty[8|9] packages, and puppet-solr just uses "jetty"
everywhere.
This deb, created by equivs, does the following:
* pre-depends on jetty8
* installs a symlink /etc/init.d/jetty -> jetty8
* symlinks in the webserver directory to /usr/share/jetty
This appears to be enough to get things going. By pre-installing it,
puppet-solr is happy enough to go on...
[1] https://github.com/vamsee/puppet-solr/pull/33
Change-Id: Ie86303caeb26634434dc4b2d0d3f1195749a277e
This was introduced with Ia67e65d25a1d961b619aa445303015fd577dee57
Passing "-i file1,file2,file..." makes Ansible think that the inventory
argument is a list of hostnames. Separate out the "-i" flags so it
reads each file as desired.
Change-Id: I92c9a74de6552968da6c919074d84f2911faf4d4
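As an added illustration of the behaviour this commit works around (not code from system-config or the ansible wrapper it patches): Ansible loads an existing path given to -i as an inventory source, but a value that does not exist on disk and contains a comma is parsed as a literal list of host names, so a comma-joined list of inventory files is silently turned into fake hosts. The function names, the temp-dir inventory files and the "site.yaml" playbook name are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from system-config or its ansible wrapper: why
# "-i file1,file2" misbehaves and how to emit one -i flag per file instead.
# Ansible's rule for the -i value, as understood here: an existing path is
# loaded as an inventory source; otherwise a value containing a comma is
# parsed as a literal, comma-separated list of host names.
# Function names and the inventory file names are assumptions.

# classify_inventory_arg VALUE -> prints how Ansible would interpret VALUE:
# "path", "host-list" or "unknown"
classify_inventory_arg() {
    if [ -e "$1" ]; then
        printf 'path\n'
    elif [ "${1#*,}" != "$1" ]; then
        printf 'host-list\n'
    else
        printf 'unknown\n'
    fi
}

# inventory_args FILE,FILE,... -> prints "-i FILE -i FILE ..." so that each
# file becomes its own -i flag. Paths are assumed to contain no commas or
# whitespace; set -f stops glob characters from expanding during the split.
inventory_args() {
    old_ifs=$IFS
    IFS=,
    set -f
    set -- $1
    set +f
    IFS=$old_ifs
    out=""
    for f in "$@"; do
        out="${out:+$out }-i $f"
    done
    printf '%s\n' "$out"
}

# demo: constructed inventory files in a temp dir; shows the broken and the
# corrected command line side by side.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/emergency"
    : > "$tmp/generated"
    combined="$tmp/emergency,$tmp/generated"
    echo "broken:  ansible-playbook -i $combined site.yaml"
    echo "         (-i value classified as: $(classify_inventory_arg "$combined"))"
    echo "fixed:   ansible-playbook $(inventory_args "$combined") site.yaml"
    rm -rf "$tmp"
}
```

Call demo to see both command lines; in a real wrapper the output of inventory_args is spliced unquoted into the ansible-playbook invocation so that the shell splits it into separate -i flags.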
We're not really using/maintaining this at the moment. Before we do
put it back in production, we're likely to simply rebuild it from
scratch.
Change-Id: I469f00e90903a010f2cec45031b049556eb268a2
This is a first step toward making smaller playbooks which can be
run by Zuul in CD.
Zuul should be able to handle missing projects now, so remove it
from the puppet_git playbook and into puppet.
Make the base playbook be merely the base roles.
Make service playbooks for each service.
Remove the run-docker job because it's covered by service jobs.
Stop testing that puppet is installed in testinfra. It's accidentally
working due to the selection of non-puppeted hosts only being on
bionic nodes and not installing puppet on bionic. Instead, we can now
rely on actually *running* puppet when it's important, such as in the
eavesdrop job. Also remove the installation of puppet on the nodes in
the base job, since it's only useful to test that a synthetic test
of installing puppet on nodes we don't use works.
Don't run remote_puppet_git on gitea for now - it's too slow. A
followup patch will rework gitea project creation to not take hours.
Change-Id: Ibb78341c2c6be28005cea73542e829d8f7cfab08
This reverts commit 0d370a285b09bd28c5b1cdfc6b89d2997f67da5d.
Fixed by https://github.com/containers/skopeo/pull/653 so safe to
merge this once a new build appears in the PPA.
Change-Id: I858eee79d084016b6b71eec46a6118d78f68cafa
The ansible 2.8 release breaks testinfra because it does not include
paramiko anymore. Work around this by capping ansible below 2.8 until
testinfra is updated to bring paramiko along itself.
Change-Id: Ic33a08f4771207fc11af2f44104a3bcb5ec19bc5
Pin skopeo back to 0.1.36-1~dev~ubuntu16.04.2~ppa14 which is before
the code that changed the required capabilities, breaking the use of
skopeo from inside of bubblewrap.
Change-Id: Ibf3000d87772d02b7325315cfeed078716e0d7bf
Do this in an attempt to mitigate/work around the dns resolution
problems we have had in that cloud. One thought is that this could be
ipv6 specific.
Change-Id: I1f9ef4a031749484d06de9427943abac4de33d29
Production letsencrypt certificate generation creates an intermediate
chain file (ca.cer); to simulate this during the self-signed tests
generate a fake CA certificate, and use that to sign the generated
server certificate.
Tests updated to look for all these files.
Change-Id: I3990529bca7ff3c6413ed0066f9c4feaf5464b1c
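The chain layout this commit simulates, as an added example that is not the letsencrypt role's own test code: a throwaway CA signs the server certificate so a test host ends up with a leaf, an intermediate/CA file and a concatenated full chain, and the result can be verified against the fake CA. The file names (ca.cer, NAME.cer, fullchain.cer), the directory layout, the key sizes and the lifetimes are assumptions for this example; only openssl is required.

```shell
#!/bin/sh
# Added example, not the letsencrypt role's test code. Builds the same set of
# files a production run leaves behind (ca.cer, leaf cert, full chain) using
# a throwaway CA, then verifies the leaf against it. File names, key sizes
# and lifetimes are assumptions.

# make_fake_chain DIR CN -> writes ca.key, ca.cer, CN.key, CN.csr, CN.cer and
# fullchain.cer into DIR
make_fake_chain() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # throwaway CA: key plus self-signed certificate (this stands in for the
    # intermediate chain file letsencrypt produces)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Fake Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.cer" 2>/dev/null
    # server key and CSR
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
    # leaf extensions: explicitly not a CA, and a SAN matching the host name,
    # since clients ignore the CN for host matching
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$cn" \
        > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/$cn.csr" \
        -CA "$dir/ca.cer" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -extfile "$dir/ext.cnf" -out "$dir/$cn.cer" 2>/dev/null
    # full chain: leaf first, then the issuing CA, as apache expects
    cat "$dir/$cn.cer" "$dir/ca.cer" > "$dir/fullchain.cer"
}

# verify_chain DIR CN -> 0 if DIR/CN.cer chains to DIR/ca.cer and carries the
# expected SAN, non-zero otherwise
verify_chain() {
    dir=$1; cn=$2
    openssl verify -CAfile "$dir/ca.cer" "$dir/$cn.cer" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$cn.cer" -noout -text | grep -q "DNS:$cn" || return 1
    return 0
}
```

The verify step is the check a test should keep: a leaf that merely exists on disk proves nothing, whereas one that validates against ca.cer with the right SAN shows the test fixture really mirrors the production layout.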
This change proposes calling a handler each time a certificate is
created/updated. The handler name is based on the name of the
certificate given in the letsencrypt_certs variable, as described in
the role documentation.
Because Ansible considers calling a handler with no listeners an error
this means each letsencrypt user will need to provide a handler.
One simple option illustrated here is just to produce a stamp file.
This can facilitate cross-playbook and even cross-orchestration-tool
communication. For example, puppet or other ansible playbooks can
detect this stamp file and schedule their reloads, etc. then remove
the stamp file. It is conceivable more complex listeners could be
set up via other roles, etc. should the need arise.
A test is added to make sure the stamp file is created for the
letsencrypt test hosts, which are always generating a new certificate
in the gate test.
Change-Id: I4e0609c4751643d6e0c8d9eaa38f184e0ce5452e
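The consumer side of the stamp-file convention described above, as an added example that is not code from the letsencrypt role or system-config: whatever owns the service (a cron script here, but a puppet exec or another playbook would do the same) looks for the stamp, reloads the service, and discards the stamp only once the reload succeeded, so a failed reload is retried on the next run rather than lost. The stamp path, the reload command and the ".inprogress" suffix are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the letsencrypt role. Consumes the stamp file
# the role's handler writes on certificate issue/renewal. The stamp path,
# the reload command and the ".inprogress" suffix are assumptions.

# consume_stamp STAMP RELOAD_CMD [ARGS...]
#   -> 0 if there was no stamp, or the reload succeeded and the stamp is gone
#   -> 1 if the reload failed; the stamp is left in place for the next run
consume_stamp() {
    stamp=$1; shift
    [ -e "$stamp" ] || return 0          # nothing renewed since last run
    # Claim the stamp before reloading: a renewal that lands while the
    # reload is running writes a fresh stamp, which the next run will see
    # instead of being deleted together with this one.
    claimed="$stamp.inprogress"
    mv "$stamp" "$claimed" || return 1
    if "$@"; then
        rm -f "$claimed"
        return 0
    fi
    # Reload failed: restore the stamp so the next run retries. If a newer
    # stamp appeared meanwhile, overwriting it with ours changes nothing.
    mv "$claimed" "$stamp" 2>/dev/null || true
    return 1
}

# Typical cron usage (assumed paths): consume_stamp
#   /var/run/letsencrypt/mirror01.example.org.stamp systemctl reload apache2
```

Because the reload command is passed as separate arguments rather than a string, the consumer never re-parses it through the shell; a stamp file name that carries the certificate name is data, not something to evaluate.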
Now that the tools/owners.py script is a module in the
openstack_election package within the openstack/election repository,
we can stop providing a copy here.
Change-Id: I39efbad539790687646c1d76159894e9e997ff72
Depends-On: I180ef0e5ec880b46f0427c1c952b640a780b5732
There are many references to review.openstack.org, and while the
redirect should work, we can also go ahead and fix them.
Change-Id: I28f398796a6392a3dffea1d25cfe2ae3a36a3589