670107045a
This impelements mirrors to live in the opendev.org namespace. The implementation is Ansible native for deployment on a Bionic node. The hostname prefix remains the same (mirrorXX.region.provider.) but the groups.yaml splits the opendev.org mirrors into a separate group. The matches in the puppet group are also updated so to not run puppet on the hosts. The kerberos and openafs client parts do not need any updating and works on the Bionic host. The hosts are setup to provision certificates for themselves from letsencrypt. Note we've added a new handler for mirror nodes to use that restarts apache on certificate issue/renewal. The new "mirror" role is a port of the existing puppet mirror.pp. It installs apache, sets up some modules, makes some symlinks, sets up a cleanup cron job and installs the apache vhost configuration. The vhost configuration is also ported from the extant puppet. It is simplified somewhat; but the biggest change is that we have extracted the main port 80 configuration into a macro which is applied to both port 80 and 443; i.e. the host will have SSL support. The other ports are left alone for now, but can be updated in due course. Thus we should be able to CNAME the existing mirrors to new nodes, and any existing http access can continue. We can update our mirror setup scripts to point to https resources as appropriate. Change-Id: Iec576d631dd5b02f6b9fb445ee600be060f9cf1e
136 lines
3.9 KiB
Bash
Executable File
136 lines
3.9 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Copyright 2014 Hewlett-Packard Development Company, L.P.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# If updating the puppet system-config repo or installing puppet modules
|
|
# fails then abort the puppet run as we will not get the results we
|
|
# expect.
|
|
set -e
|
|
|
|
SYSTEM_CONFIG=/opt/system-config
|
|
ANSIBLE_PLAYBOOKS=$SYSTEM_CONFIG/playbooks
|
|
|
|
# We only send stats if running under cron
|
|
UNDER_CRON=0
|
|
|
|
while getopts ":c" arg; do
|
|
case $arg in
|
|
c)
|
|
UNDER_CRON=1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
GLOBAL_START_TIME=$(date '+%s')
|
|
|
|
# Send a timer stat to statsd
|
|
# send_timer metric [start_time]
|
|
# * uses timer metric bridge.ansible.run_all.<$1>
|
|
# * time will be taken from last call of start_timer, or $2 if set
|
|
function send_timer {
|
|
# Only send stats under cron conditions
|
|
if [[ ${UNDER_CRON} != 1 ]]; then
|
|
return
|
|
fi
|
|
|
|
local current=$(date '+%s')
|
|
local name=$1
|
|
local start=${2-$_START_TIME}
|
|
local elapsed_ms=$(( (current - start) * 1000 ))
|
|
|
|
echo "bridge.ansible.run_all.${name}:${elapsed_ms}|ms" | nc -w 1 -u graphite.opendev.org 8125
|
|
echo "End $name"
|
|
}
|
|
# See send_timer
|
|
function start_timer {
|
|
_START_TIME=$(date '+%s')
|
|
}
|
|
|
|
echo "--- begin run @ $(date -Is) ---"
|
|
|
|
# It's possible for connectivity to a server or manifest application to break
|
|
# for indeterminate periods of time, so the playbooks should be run without
|
|
# errexit
|
|
set +e
|
|
|
|
# Run all the ansible playbooks under timeout to prevent them from getting
|
|
# stuck if they are oomkilled
|
|
|
|
# Clone system-config and install modules and roles
|
|
start_timer
|
|
timeout -k 2m 10m ansible-playbook ${ANSIBLE_PLAYBOOKS}/update-system-config.yaml
|
|
send_timer update_system_config
|
|
|
|
# Update the code on bridge
|
|
start_timer
|
|
timeout -k 2m 10m ansible-playbook ${ANSIBLE_PLAYBOOKS}/bridge.yaml
|
|
send_timer bridge
|
|
|
|
# Run the base playbook everywhere
|
|
start_timer
|
|
timeout -k 2m 120m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/base.yaml
|
|
send_timer base
|
|
|
|
# Service playbooks
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-gitea-lb.yaml
|
|
send_timer gitea-lb
|
|
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-letsencrypt.yaml
|
|
send_timer letsencrypt
|
|
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-nameserver.yaml
|
|
send_timer nameserver
|
|
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-nodepool.yaml
|
|
send_timer nodepool
|
|
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-mirror.yaml
|
|
send_timer nodepool
|
|
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-registry.yaml
|
|
send_timer registry
|
|
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-zuul.yaml
|
|
send_timer zuul
|
|
|
|
# Run the git/gerrit/zuul sequence, since it's important that they all work together
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml
|
|
send_timer git
|
|
|
|
# Run AFS changes separately so we can make sure to only do one at a time
|
|
# (turns out quorum is nice to have)
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 1 ${ANSIBLE_PLAYBOOKS}/remote_puppet_afs.yaml
|
|
send_timer afs
|
|
|
|
# Run everything else. We do not care if the other things worked
|
|
start_timer
|
|
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/remote_puppet_else.yaml
|
|
send_timer else
|
|
|
|
# Send the combined time for everything
|
|
send_timer total $GLOBAL_START_TIME
|
|
|
|
echo "--- end run @ $(date -Is) ---"
|
|
echo
|