670107045a
This impelements mirrors to live in the opendev.org namespace. The implementation is Ansible native for deployment on a Bionic node. The hostname prefix remains the same (mirrorXX.region.provider.) but the groups.yaml splits the opendev.org mirrors into a separate group. The matches in the puppet group are also updated so to not run puppet on the hosts. The kerberos and openafs client parts do not need any updating and works on the Bionic host. The hosts are setup to provision certificates for themselves from letsencrypt. Note we've added a new handler for mirror nodes to use that restarts apache on certificate issue/renewal. The new "mirror" role is a port of the existing puppet mirror.pp. It installs apache, sets up some modules, makes some symlinks, sets up a cleanup cron job and installs the apache vhost configuration. The vhost configuration is also ported from the extant puppet. It is simplified somewhat; but the biggest change is that we have extracted the main port 80 configuration into a macro which is applied to both port 80 and 443; i.e. the host will have SSL support. The other ports are left alone for now, but can be updated in due course. Thus we should be able to CNAME the existing mirrors to new nodes, and any existing http access can continue. We can update our mirror setup scripts to point to https resources as appropriate. Change-Id: Iec576d631dd5b02f6b9fb445ee600be060f9cf1e
152 lines
3.0 KiB
YAML
152 lines
3.0 KiB
YAML
- name: Check AFS mounted
|
|
stat:
|
|
path: "/afs/openstack.org/mirror"
|
|
register: afs_mirror
|
|
- name: Sanity check AFS
|
|
assert:
|
|
that:
|
|
- afs_mirror.stat.exists
|
|
|
|
- name: Install apache2
|
|
apt:
|
|
name:
|
|
- apache2
|
|
- apache2-utils
|
|
state: present
|
|
|
|
- name: Rewrite module
|
|
apache2_module:
|
|
state: present
|
|
name: rewrite
|
|
|
|
- name: Substitute module
|
|
apache2_module:
|
|
state: present
|
|
name: substitute
|
|
|
|
- name: Cache module
|
|
apache2_module:
|
|
state: present
|
|
name: cache
|
|
|
|
- name: Cache disk module
|
|
apache2_module:
|
|
state: present
|
|
name: cache_disk
|
|
|
|
- name: Proxy module
|
|
apache2_module:
|
|
state: present
|
|
name: proxy
|
|
|
|
- name: HTTP Proxy module
|
|
apache2_module:
|
|
state: present
|
|
name: proxy_http
|
|
|
|
- name: Apache macro module
|
|
apache2_module:
|
|
state: present
|
|
name: macro
|
|
|
|
- name: Apache 2 ssl module
|
|
apache2_module:
|
|
state: present
|
|
name: ssl
|
|
|
|
- name: Apache webroot
|
|
file:
|
|
path: '{{ www_base }}'
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Apache www root
|
|
file:
|
|
path: '{{ www_root }}'
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
|
|
- name: AFS content symlinks
|
|
file:
|
|
src: '{{ mirror_root }}/{{ item }}'
|
|
dest: '{{ www_root }}/{{ item }}'
|
|
state: link
|
|
owner: root
|
|
group: root
|
|
with_items:
|
|
- centos
|
|
- ceph-deb-hammer
|
|
- ceph-deb-jewel
|
|
- ceph-deb-luminous
|
|
- ceph-deb-mimic
|
|
- deb-docker
|
|
- debian
|
|
- debian-security
|
|
- debian-openstack
|
|
- epel
|
|
- fedora
|
|
- opensuse
|
|
- ubuntu-ports
|
|
- ubuntu-cloud-archive
|
|
- wheel
|
|
- yum-puppetlabs
|
|
|
|
- name: Install robots.txt
|
|
copy:
|
|
src: robots.txt
|
|
dest: '{{ www_root }}'
|
|
owner: root
|
|
group: root
|
|
mode: 0444
|
|
|
|
- name: Apache proxy cache
|
|
file:
|
|
path: /var/cache/apache2/proxy
|
|
owner: www-data
|
|
group: www-data
|
|
mode: 0755
|
|
state: directory
|
|
|
|
- name: Set mirror servername and alias
|
|
set_fact:
|
|
apache_server_name: '{{ inventory_hostname }}'
|
|
# Strip the numeric host value from mirror01.region.provider.o.o
|
|
# for the serveralias
|
|
apache_server_alias: '{{ inventory_hostname | regex_replace("^mirror\d\d\.", "mirror.") }}'
|
|
|
|
- name: Create mirror virtual host
|
|
template:
|
|
src: mirror.vhost.j2
|
|
dest: /etc/apache2/sites-available/mirror.conf
|
|
|
|
- name: Make sure default site disabled
|
|
command: a2dissite 000-default.conf
|
|
args:
|
|
removes: /etc/apache2/sites-enabled/000-default.conf
|
|
|
|
- name: Enable mirror virtual host
|
|
command: a2ensite mirror
|
|
args:
|
|
creates: /etc/apache2/sites-enabled/mirror.conf
|
|
notify:
|
|
- restart apache2
|
|
|
|
- name: Debug config
|
|
slurp:
|
|
src: /etc/apache2/sites-available/mirror.conf
|
|
register: http_config
|
|
- name: Show config
|
|
debug:
|
|
msg: '{{ http_config["content"] | b64decode }}'
|
|
|
|
# Clean apache cache once an hour, keep size down to 70GiB.
|
|
- name: Proxy cleanup cron job
|
|
cron:
|
|
name: Apache cache cleanup
|
|
state: present
|
|
job: /usr/bin/flock -n /var/run/htcacheclean.lock /usr/bin/htcacheclean -n -p /var/cache/apache2/proxy -t -l 70200M > /dev/null
|
|
minute: '0'
|
|
hour: '*'
|