8361ab701c
This adds a retirement and purge list to the borg management role. The idea here is that when a backed-up host is shut-down, we add its backup user to the retired list. On the next ansible run the user will be disabled on the backup-server and the backup repo marked as retired. On the next prune, we will trim the backup to only the last run to save space. This gives us a grace period to restore if we should need to. When we are sure we don't want the data, we can put it in the purge list, and the backup repo is removed on the next ansible run (hosts can go straight into this if we want). This allows us to have a review process/history before we purge data. To test, we create a fake "borg-retired" user on the backup-server, and give it a simple backup. This is marked as retired, which is reflected in the testinfra run of the prune script. Similarly a "borg-purge" user is created, and we ensure it's backup dir is removed. Documentation is updated. Change-Id: I5dff0a9d35b11a1f021048a12ecddce952c0c13c
249 lines
9.0 KiB
YAML
249 lines
9.0 KiB
YAML
- import_playbook: ../bootstrap-bridge.yaml
|
|
vars:
|
|
root_rsa_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa', rstrip=False) }}"
|
|
ansible_cron_disable_job: true
|
|
cloud_launcher_disable_job: true
|
|
|
|
# setup opendev CA
|
|
- hosts: prod_bastion[0]
|
|
become: true
|
|
tasks:
|
|
- name: Make temporary dir for CA generation
|
|
tempfile:
|
|
state: directory
|
|
register: _ca_tempdir
|
|
|
|
- name: Create CA PEM/crt
|
|
shell: |
|
|
set -x
|
|
# Generate a CA key
|
|
openssl genrsa -out ca.key 2048
|
|
# Create fake CA root certificate
|
|
openssl req -x509 -new -nodes -key ca.key -sha256 -days 30 -subj "/C=US/ST=CA/O=OpenDev Infra" -out ca.crt
|
|
args:
|
|
chdir: '{{ _ca_tempdir.path }}'
|
|
executable: /bin/bash
|
|
|
|
- name: Save key
|
|
slurp:
|
|
src: '{{ _ca_tempdir.path }}/ca.key'
|
|
register: _opendev_ca_key
|
|
|
|
- name: Save certificate
|
|
slurp:
|
|
src: '{{ _ca_tempdir.path }}//ca.crt'
|
|
register: _opendev_ca_certificate
|
|
|
|
- name: Cleanup tempdir
|
|
file:
|
|
path: '{{ _ca_tempdir.path }}'
|
|
state: absent
|
|
when: _ca_tempdir.path is defined
|
|
|
|
- hosts: all
|
|
become: true
|
|
tasks:
|
|
- name: Make CA directory
|
|
file:
|
|
path: '/etc/opendev-ca'
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
|
|
- name: Import files
|
|
shell: 'echo "{{ item.content }}" | base64 -d > {{ item.file }}'
|
|
args:
|
|
creates: '{{ item.file }}'
|
|
loop:
|
|
- file: '/etc/opendev-ca/ca.key'
|
|
content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_key"]["content"] }}'
|
|
- file: '/etc/opendev-ca/ca.crt'
|
|
content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_certificate"]["content"] }}'
|
|
|
|
- name: Install and trust certificate
|
|
shell:
|
|
cmd: |
|
|
cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt
|
|
update-ca-certificates
|
|
|
|
- hosts: prod_bastion[0]
|
|
become: true
|
|
tasks:
|
|
- name: Write inventory on bridge
|
|
include_role:
|
|
name: write-inventory
|
|
vars:
|
|
write_inventory_dest: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml
|
|
write_inventory_exclude_hostvars:
|
|
- ansible_user
|
|
- ansible_python_interpreter
|
|
write_inventory_additional_hostvars:
|
|
public_v4: nodepool.private_ipv4
|
|
public_v6: nodepool.public_ipv6
|
|
- name: Add groups config for test nodes
|
|
template:
|
|
src: "templates/gate-groups.yaml.j2"
|
|
dest: "/etc/ansible/hosts/gate-groups.yaml"
|
|
- name: Update ansible.cfg to use job inventory
|
|
ini_file:
|
|
path: /etc/ansible/ansible.cfg
|
|
section: defaults
|
|
option: inventory
|
|
value: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml,/home/zuul/src/opendev.org/opendev/system-config/inventory/service/groups.yaml,/etc/ansible/hosts/gate-groups.yaml
|
|
- name: Make host_vars directory
|
|
file:
|
|
path: "/etc/ansible/hosts/host_vars"
|
|
state: directory
|
|
- name: Make group_vars directory
|
|
file:
|
|
path: "/etc/ansible/hosts/group_vars"
|
|
state: directory
|
|
- name: Write hostvars files
|
|
vars:
|
|
bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
|
|
bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
|
|
bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
|
|
iptables_test_public_tcp_ports:
|
|
# Zuul web console
|
|
- 19885
|
|
# selenium
|
|
- 4444
|
|
template:
|
|
src: "templates/{{ item }}.j2"
|
|
dest: "/etc/ansible/hosts/{{ item }}"
|
|
loop:
|
|
- group_vars/all.yaml
|
|
- group_vars/adns.yaml
|
|
- group_vars/adns-primary.yaml
|
|
- group_vars/bastion.yaml
|
|
- group_vars/eavesdrop.yaml
|
|
- group_vars/nodepool.yaml
|
|
- group_vars/registry.yaml
|
|
- group_vars/gitea.yaml
|
|
- group_vars/gitea-lb.yaml
|
|
- group_vars/kerberos-kdc.yaml
|
|
- group_vars/keycloak.yaml
|
|
- group_vars/letsencrypt.yaml
|
|
- group_vars/mailman3.yaml
|
|
- group_vars/meetpad.yaml
|
|
- group_vars/jvb.yaml
|
|
- group_vars/refstack.yaml
|
|
- group_vars/registry.yaml
|
|
- group_vars/control-plane-clouds.yaml
|
|
- group_vars/afs-client.yaml
|
|
- group_vars/zuul-db.yaml
|
|
- group_vars/zuul-lb.yaml
|
|
- group_vars/zuul.yaml
|
|
- group_vars/zuul-executor.yaml
|
|
- group_vars/zuul-launcher.yaml
|
|
- group_vars/zuul-merger.yaml
|
|
- group_vars/zuul-scheduler.yaml
|
|
- group_vars/zuul-web.yaml
|
|
- host_vars/borg-backup01.region.provider.opendev.org.yaml
|
|
- host_vars/codesearch01.opendev.org.yaml
|
|
- host_vars/etherpad99.opendev.org.yaml
|
|
- host_vars/letsencrypt01.opendev.org.yaml
|
|
- host_vars/letsencrypt02.opendev.org.yaml
|
|
- host_vars/gitea99.opendev.org.yaml
|
|
- host_vars/grafana01.opendev.org.yaml
|
|
- host_vars/mirror01.openafs.provider.opendev.org.yaml
|
|
- host_vars/mirror02.openafs.provider.opendev.org.yaml
|
|
- host_vars/mirror03.openafs.provider.opendev.org.yaml
|
|
- host_vars/mirror04.openafs.provider.opendev.org.yaml
|
|
- host_vars/mirror-update99.opendev.org.yaml
|
|
- host_vars/paste99.opendev.org.yaml
|
|
- host_vars/refstack01.openstack.org.yaml
|
|
- host_vars/review99.opendev.org.yaml
|
|
|
|
- name: Display group membership
|
|
command: ansible localhost -m debug -a 'var=groups'
|
|
- name: Run base.yaml
|
|
shell: 'set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml 2>&1 | tee /var/log/ansible/base.yaml.log'
|
|
args:
|
|
executable: /bin/bash
|
|
- name: Run bridge service playbook
|
|
shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml 2>&1 | tee /var/log/ansible/service-bridge.yaml.log'
|
|
args:
|
|
executable: /bin/bash
|
|
- name: Run dstat logger playbook
|
|
shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-dstatlogger.yaml 2>&1 | tee /var/log/ansible/service-dstatlogger.yaml.log'
|
|
args:
|
|
executable: /bin/bash
|
|
|
|
- name: Run playbook
|
|
when: run_playbooks is defined
|
|
loop: "{{ run_playbooks }}"
|
|
shell: "set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }} 2>&1 | tee /var/log/ansible/{{ item | basename }}.log"
|
|
args:
|
|
executable: /bin/bash
|
|
|
|
- name: Build list of playbook logs
|
|
find:
|
|
paths: '/var/log/ansible'
|
|
patterns: '*.yaml.log'
|
|
register: _run_playbooks_logs
|
|
|
|
- name: Encrypt playbook logs
|
|
when: run_playbooks is defined
|
|
include_role:
|
|
name: encrypt-logs
|
|
vars:
|
|
encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}'
|
|
encrypt_logs_artifact_path: '{{ groups["prod_bastion"][0] }}/ansible'
|
|
encrypt_logs_download_script_path: '/var/log/ansible'
|
|
|
|
- name: Run test playbook
|
|
when: run_test_playbook is defined
|
|
shell: "set -o pipefail && ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }} 2>&1 | tee /var/log/ansible/{{ run_test_playbook | basename }}.log"
|
|
args:
|
|
executable: /bin/bash
|
|
|
|
- name: Generate testinfra extra data fixture
|
|
set_fact:
|
|
testinfra_extra_data:
|
|
zuul_job: '{{ zuul.job }}'
|
|
zuul: '{{ zuul }}'
|
|
|
|
- name: Write out testinfra extra data fixture
|
|
copy:
|
|
content: '{{ testinfra_extra_data | to_nice_yaml(indent=2) }}'
|
|
dest: '/home/zuul/testinfra_extra_data_fixture.yaml'
|
|
|
|
- name: Make screenshots directory
|
|
file:
|
|
path: '/var/log/screenshots'
|
|
state: directory
|
|
|
|
- name: Return screenshots artifact
|
|
zuul_return:
|
|
data:
|
|
zuul:
|
|
artifacts:
|
|
- name: Screenshots
|
|
url: '{{ groups["prod_bastion"][0] }}/screenshots'
|
|
|
|
- name: Allow PBR's git calls to operate in system-config, despite not owning it
|
|
command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config
|
|
|
|
- name: Run and collect testinfra
|
|
block:
|
|
- name: Run testinfra to validate configuration
|
|
include_role:
|
|
name: tox
|
|
vars:
|
|
tox_envlist: testinfra
|
|
# This allows us to run from external projects (like testinfra
|
|
# itself)
|
|
tox_environment:
|
|
TESTINFRA_EXTRA_DATA: '/home/zuul/testinfra_extra_data_fixture.yaml'
|
|
zuul_work_dir: src/opendev.org/opendev/system-config
|
|
always:
|
|
- name: Return testinfra report artifact
|
|
zuul_return:
|
|
data:
|
|
zuul:
|
|
artifacts:
|
|
- name: testinfra results
|
|
url: '{{ groups["prod_bastion"][0] }}/test-results.html'
|