This commit is contained in:
nazunalika 2020-12-22 20:52:59 -07:00
parent 9e62ae28cf
commit 0bccf61c87
19 changed files with 596 additions and 4 deletions

View File

@ -1,7 +1,11 @@
CI Badge
# Ansible template role
basic Role to use going forward because I forget pieces
# Kojihub Role
This role installs kojihub and kojiweb. Note that it does NOT install the database. The database must be installed from a different role or playbook method. This role also assumes you are using a Kerberos infrastructure, such as FreeIPA.
FAS is not yet implemented.
Ansible 2.10 users: You will need the community.general collection installed.
## Getting started
Ensure all dependencies are installed and then follow the below process

View File

@ -1,2 +1,68 @@
---
# ansible default variables - most variables live here
koji_hub_packages:
- koji
- koji-hub
- koji-hub-plugins
- koji-web
- koji-utils
- git
- gnupg2
- python3-paho-mqtt
- nfs-utils
koji_default_directories:
- packages
- repos
- work
- scratch
- repos-dist
koji_db_name: koji
koji_db_user: koji
koji_db_pass: ThisIsNotThePassword!
koji_db_host: localhost
# Web
koji_sitename: Rocky Linux Build Service
koji_theme: false
koji_theme_name: rocky
koji_theme_file: rocky.tar.gz
koji_web_url: https://koji.rockylinux.org/koji
koji_hub_url: https://koji.rockylinux.org/kojihub
koji_files_url: https://koji.rockylinux.org/kojifiles
# This should be changed before deployment
koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
koji_web_cacert: /etc/pki/tls/certs/chain.crt
koji_web_tls_cert: /etc/pki/tls/certs/koji.rockylinux.org.crt
koji_web_tls_key: /etc/pki/tls/private/koji.rockylinux.org.key
# Kojira
koji_kojira: true
koji_kojira_user: kojira
koji_kojira_principal: koji/kojiria@ROCKYLINUX.ORG
koji_kojira_keytab: /etc/kojira.keytab
# Storage
koji_mount: /mnt/koji
koji_nfs_path: nfs.rockylinux.org:/exports/koji
# Koji Admin
koji_admin_client: true
koji_admin_user: rockykoji
koji_admin_keytab: rockykoji@ROCKYLINUX.ORG
# Koji FAS Syncing
# This isn't implemented yet
koji_fas_sync: false
koji_fas_url: https://accounts.rockylinux.org
# Koji Plugins
koji_hub_plugins: false
koji_hub_plugins_list: []
koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
koji_hub_plugin_mqtt_topic: koji
koji_hub_plugin_mqtt_excluded_tags:
- testing-tag

10
handlers/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: restart_kojira
service:
name: kojira
state: restarted
- name: restart_httpd
service:
name: httpd
state: restarted

26
tasks/db.yml Normal file
View File

@ -0,0 +1,26 @@
---
# Note: We do not install postgresql. It's up to you to do so.
- name: Template for koji admin and kojira
template:
src: koji-pgsql.sql.j2
dest: /var/tmp/koji-pgsql.sql
mode: '0644'
- name: Load schema to postgresql database
community.general.postgresql_db:
name: "{{ koji_db_name }}"
target: /usr/share/doc/koji/docs/schema.sql
owner: "{{ koji_db_user }}"
state: restore
login_host: "{{ koji_db_host }}"
login_user: "{{ koji_db_user }}"
login_password: "{{ koji_db_pass }}"
- name: Apply the postgres template
community.general.postgresql_db:
name: "{{ koji_db_name }}"
target: /var/tmp/koji-pgsql.sql
state: restore
login_host: "{{ koji_db_host }}"
login_user: "{{ koji_db_user }}"
login_password: "{{ koji_db_pass }}"

45
tasks/koji-admin.yml Normal file
View File

@ -0,0 +1,45 @@
---
# Create the koji admin user
- name: Create local koji admin user
user: "{{ koji_admin_user }}"
- name: Create koji config directory
file:
path: "/home/{{ koji_admin_user }}/.koji"
state: directory
owner: "{{ koji_admin_user }}"
group: "{{ koji_admin_user }}"
recurse: true
- name: Reset permissions
file:
path: "/home/{{ koji_admin_user }}"
state: directory
owner: "{{ koji_admin_user }}"
group: "{{ koji_admin_user }}"
mode: '0700'
- name: Configure the koji client
template:
src: koji-client-config.j2
dest: "/home/{{ koji_admin_user }}/.koji/config"
owner: "{{ koji_admin_user }}"
group: "{{ koji_admin_user }}"
mode: '0644'
- name: Ensuring we have our scripts store
file:
path: /opt/rocky-tools/scripts
state: directory
owner: "{{ koji_admin_user }}"
group: "{{ koji_admin_user }}"
mode: '0750'
recurse: true
# name: Cron job to rebuild repos
# cron:
# name: "Regenerate repos"
# job: "/opt/rocky-tools/scripts/regen_build_repos.sh > /dev/null 2>&1"
# minute: "5"
# hour: "3"
# user: "{{ koji_admin_user }}"

15
tasks/kojira.yml Normal file
View File

@ -0,0 +1,15 @@
---
# Kojira
- name: Configure kojira
template:
src: etc/kojira/kojira.conf.j2
dest: /etc/kojira/kojira.conf
mode: '0644'
notify:
- restart_kojira
- name: Ensure kojira is running
service:
name: kojira
state: started
enabled: yes

View File

@ -1,2 +1,60 @@
---
# tasks
# Koji hub and web installation
# This is not for builder nodes
- name: Apply required SELinux booleans
import_tasks: selinux_boolean.yml
- name: Ensure NFS is mounted
import_tasks: nfs.yml
- name: Install required packages
yum:
name: {{ koji_hub_packages }}
state: present
- name: Configure koji database
import_tasks: db.yml
- name: Configure koji admin
import_tasks: koji-admin.yml
when: koji_admin_client
- name: Configure plugins
import_tasks: plugins.yml
when: koji_hub_plugins
- name: Configure kojira
import_tasks: kojira.yml
- name: Configure kojihub and web
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: '0644'
with_items:
- etc/koji-hub/hub.conf
- etc/kojiweb/web.conf
notify:
- restart_httpd
- name: Configure httpd for hub and web
template:
src: "etc/httpd/conf.d/{{ item }}.j2"
dest: "/etc/httpd/conf.d/{{ item }}"
mode: '0644'
with_items:
- kojihub.conf
- kojiweb.conf
notify:
- restart_httpd
- name: Deploy custom theme for koji
unarchive:
src: "{{ koji_theme_file }}"
dest: /
when: koji_theme
- name: User Sync from FAS
import_tasks: user-sync.yml
when: koji_fas_sync

21
tasks/nfs.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Ensure the koji mountpoint exists
file:
path: "{{ koji_mount }}"
state: directory
- name: Mount the NFS store
mount:
path: "{{ koji_mount }}"
src: "{{ koji_nfs_path }}"
fstype: nfs
state: mounted
- name: Create required default directories
file:
path: "{{ koji_mount }}/{{ item }}"
state: directory
owner: apache
group: apache
with_items: "{{ koji_default_directories }}"

15
tasks/plugins.yml Normal file
View File

@ -0,0 +1,15 @@
---
# Plugins
- name: Deploying enabled plugins
copy:
src: "plugins/{{ item }}.py"
dest: "/usr/lib/koji-hub-plugins/{{ item }}.py"
mode: 0755
with_items: "{{ koji_hub_plugins_list }}"
- name: Configuring enabled plugins
template:
src: "etc/koji-hub/plugins/{{ item }}.conf.j2"
dest: "/etc/koji-hub/plugins/{{ item }}.conf"
mode: 0644
with_items: "{{ koji_hub_plugins_list }}"

12
tasks/selinux_boolean.yml Normal file
View File

@ -0,0 +1,12 @@
---
- name: Enabling SELinux booleans
seboolean:
name: "{{ item }}"
persistent: true
state: true
with_items:
- httpd_can_network_connect_db
- httpd_can_network_connect
- allow_httpd_anon_write
- httpd_use_nfs

2
tasks/users-sync.yml Normal file
View File

@ -0,0 +1,2 @@
---
# No tasks

View File

@ -0,0 +1,66 @@
#
# koji-hub is an xmlrpc interface to the Koji database
#
Alias /kojihub /usr/share/koji-hub/kojixmlrpc.py
<Directory "/usr/share/koji-hub">
Options ExecCGI
SetHandler wsgi-script
WSGIApplicationGroup %{GLOBAL}
# ^ works around a hub issue with OpenSSL
# see: https://cryptography.io/en/latest/faq/#starting-cryptography-using-mod-wsgi-produces-an-internalerror-during-a-call-in-register-osrandom-engine
WSGIScriptReloading Off
# ^ reloading breaks hub "firstcall" check
# see: https://pagure.io/koji/issue/875
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
# Also serve /mnt/koji
Alias /kojifiles "/mnt/koji/"
<Directory "/mnt/koji">
Options Indexes SymLinksIfOwnerMatch
#If your top /mnt/koji directory is not owned by the httpd user, then
#you will need to follow all symlinks instead, e.g.
#Options Indexes FollowSymLinks
AllowOverride None
IndexOptions +NameWidth=*
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
# uncomment this to enable authentication via SSL client certificates
# <Location /kojihub/ssllogin>
# SSLVerifyClient require
# SSLVerifyDepth 10
# SSLOptions +StdEnvVars
# </Location>
# If you need to support koji < 1.4.0 clients using SSL authentication, then use the following instead:
# <Location /kojihub>
# SSLOptions +StdEnvVars
# </Location>
# In this case, you will need to enable these options globally (in ssl.conf):
# SSLVerifyClient require
# SSLVerifyDepth 10
# uncomment this to enable authentication via GSSAPI
<Location /kojihub/ssllogin>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/koji.keytab
Require valid-user
</Location>

View File

@ -0,0 +1,79 @@
#We use wsgi by default
Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
#(configuration goes in /etc/kojiweb/web.conf)
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
RewriteRule ^/$ /koji [R,L]
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "same-origin"
Alias /repos {{ koji_mount }}/repos
<Directory "{{ koji_mount }}/repos">
Options Indexes FollowSymLinks
AllowOverride None
# HeaderName /header/header.html
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8
Require all granted
</IfVersion>
</Directory>
# Python 3 Cheetah expectes unicode everywhere, apache's default lang is C
# which is not sufficient to open our templates
WSGIDaemonProcess koji lang=C.UTF-8
WSGIProcessGroup koji
<Directory "/usr/share/koji-web/scripts/">
Options ExecCGI
SetHandler wsgi-script
WSGIApplicationGroup %{GLOBAL}
# ^ works around an OpenSSL issue
# see: https://cryptography.io/en/latest/faq/#starting-cryptography-using-mod-wsgi-produces-an-internalerror-during-a-call-in-register-osrandom-engine
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
# uncomment this to enable authentication via Kerberos
<Location /koji/login>
AuthType GSSAPI
AuthName "Koji Web UI"
GssapiCredStore keytab:/etc/koji.keytab
Require valid-user
ErrorDocument 401 /koji-static/errors/unauthorized.html
</Location>
# uncomment this to enable authentication via SSL client certificates
# <Location /koji/login>
# SSLVerifyClient require
# SSLVerifyDepth 10
# SSLOptions +StdEnvVars
# </Location>
Alias /koji-static/ "/usr/share/koji-web/static/"
<Directory "/usr/share/koji-web/static/">
Options None
AllowOverride None
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>

View File

@ -0,0 +1,81 @@
[hub]
## ConfigParser style config file, similar to ini files
## http://docs.python.org/library/configparser.html
##
## Note that multiline values can be set by indenting subsequent lines
## (which means you should not indent regular lines)
## Basic options ##
DBName = {{ koji_db_name }}
DBUser = {{ koji_db_user }}
DBHost = {{ koji_db_host }}
DBPass = {{ koji_db_pass }}
KojiDir = {{ koji_mount }}
AuthPrincipal host/kojihub@ROCKYLINUX.ORG
AuthKeytab /etc/koji.keytab
ProxyPrincipals koji/kojiweb@ROCKYLINUX.ORG
HostPrincipalFormat compile/%s@ROCKYLINUX.ORG
## Other options ##
LoginCreatesUser = Off
KojiWebURL = {{ koji_web_url }}
# The domain name that will be appended to Koji usernames
# when creating email notifications
#EmailDomain = example.com
# whether to send the task owner and package owner email or not on success. this still goes to watchers
NotifyOnSuccess = True
## Disables all notifications
# DisableNotifications = False
DisableNotifications = True
## Extended features
## Support Maven builds
# EnableMaven = False
## Support Windows builds
# EnableWin = False
## Koji hub plugins
## The path where plugins are found
# PluginPath = /usr/lib/koji-hub-plugins
## A space-separated list of plugins to load
# Plugins = echo
{% if koji_hub_plugins %}
Plugins = {% for plugin in koji_hub_plugins_list + koji_hub_noconfig_plugins_list %}{{ plugin }} {% endfor %}
{% endif %}
## If KojiDebug is on, the hub will be /very/ verbose and will report exception
## details to clients for anticipated errors (i.e. koji's own exceptions --
## subclasses of koji.GenericError).
# KojiDebug = On
## Determines how much detail about exceptions is reported to the client (via faults)
## Meaningful values:
## normal - a basic traceback (format_exception)
## extended - an extended traceback (format_exc_plus)
## anything else - no traceback, just the error message
## The extended traceback is intended for debugging only and should NOT be
## used in production, since it may contain sensitive information.
# KojiTraceback = normal
## These options are intended for planned outages
# ServerOffline = False
# OfflineMessage = temporary outage
# LockOut = False
## If ServerOffline is True, the server will always report a ServerOffline fault (with
## OfflineMessage as the fault string).
## If LockOut is True, the server will report a ServerOffline fault for all non-admin
## requests.
[policy]
tag =
all :: allow
package_list =
all :: allow
build_from_srpm =
tag * :: allow
has_perm build :: allow

View File

@ -0,0 +1,49 @@
[kojira]
; For user/pass authentication
; user=kojira
; password=kojira
; The URL for the koji hub server
server={{ koji_hub_url }}
; The directory containing the repos/ directory
topdir={{ koji_mount }}
; Logfile
logfile=/var/log/kojira.log
with_src=no
;configuration for Kerberos authentication
;the kerberos principal to use
principal = {{ koji_kojira_principal }}
;location of the keytab
keytab = {{ koji_kojira_keytab }}
;configuration for SSL authentication
;client certificate
;cert = /etc/kojira/client.crt
;certificate of the CA that issued the HTTP server certificate
;serverca = /etc/kojira/serverca.crt
;how soon (in seconds) to clean up expired repositories. 1 week default
;deleted_repo_lifetime = 604800
;how soon (in seconds) to clean up dist repositories. 1 week default here too
;dist_repo_lifetime = 604800
;turn on debugging statements in the log
;debug = false
; ignored repositories according to glob. Multiple masks separated by space.
; ignore_tags =
; Monitor external repos and trigger the appropriate Koji repo regenerations
; when they change. Note that you need to have your database set to use UTC,
; as otherwise you can end with weird behaviour. For details see
; https://pagure.io/koji/issue/2159
; check_external_repos = false

View File

@ -0,0 +1,23 @@
[web]
SiteName = {{ koji_sitename }}
{% if koji_custom_theme %}
KojiTheme = {{ koji_theme }}
{% endif %}
# Key urls
KojiHubURL = {{ koji_hub_url }}
KojiFilesURL = {{ koji_files_url }}
# Kerberos authentication options
WebPrincipal = koji/web@ROCKYLINUX.ORG
WebKeytab = /etc/httpd.keytab
WebCCache = /var/tmp/kojiweb.ccache
# The service name of the principal being used by the hub
KrbService = host
LoginTimeout = 72
# This must be changed and uncommented before deployment
Secret = {{ koji_hub_secret }}
LibPath = /usr/share/koji-web/lib

View File

@ -0,0 +1,13 @@
[koji]
;url of XMLRPC server
server = {{ koji_hub_url }}
;url of web interface
weburl = {{ koji_web_url }}
;url of package download site
topurl = {{ koji_files_url }}
;path to the koji top directory
topdir = {{ koji_mount }}

View File

@ -0,0 +1,2 @@
insert into users (name, status, usertype) values ('{{ koji_kojira_user }}', 0, 0);
INSERT INTO user_perms (user_id, perm_id, creator_id) VALUES (2, 3, 1);

View File

@ -0,0 +1,5 @@
with user_id as (insert into users (name, status, usertype) values ('{{ koji_admin_user }}', 0, 0) returning id)
insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_admin_keytab }}');
insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);
insert into users (name, status, usertype) values ('{{ koji_kojira_user }}', 0, 0);
INSERT INTO user_perms (user_id, perm_id, creator_id) VALUES (2, 3, 1);