James E. Blair e69d879cae buildset registry: run socat in new session
We spawn socat processes in the background in buildset registry
related roles.  Ansible 5 is much better at killing all processes
in its session when the task is complete.  Work around that by
starting socat within a new session with setsid.

Change-Id: Iaab17f5d4068be6b08e3d89d2abe80199f0cd654
2022-05-24 10:46:42 -07:00

78 lines
2.6 KiB
YAML

- name: Install packages
become: yes
package:
name:
- openssl
- socat
state: present
- name: Ensure registry volume directories exists
file:
state: directory
path: "{{ buildset_registry_root }}/{{ zj_dir }}"
mode: 0755
loop:
- tls
- conf
loop_control:
loop_var: zj_dir
- name: Generate registry secrets
set_fact:
registry_password: "{{ lookup('password', '/dev/null') }}"
registry_secret: "{{ lookup('password', '/dev/null') }}"
no_log: true
- name: Write registry config
template:
src: registry.yaml.j2
dest: "{{ buildset_registry_root }}/conf/registry.yaml"
mode: 0600
- name: Generate a TLS key for the registry
command: "openssl req -x509 -newkey rsa:2048 -keyout {{ buildset_registry_root }}/tls/cert.key -out {{ buildset_registry_root }}/tls/cert.pem -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN={{ ansible_host }}' -addext 'subjectAltName = DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1'"
- name: Read TLS certificate
slurp:
src: "{{ buildset_registry_root }}/tls/cert.pem"
register: certificate
- name: Decode TLS certificate
set_fact:
certificate: "{{ certificate.content | b64decode }}"
- name: Start the buildset registry
command: >-
{{ container_command }} run -d
--name="{{ (buildset_registry_port == 5000) | ternary('buildset_registry', 'buildset_registry_' + buildset_registry_port|string) }}"
--restart=always
--publish="1{{ buildset_registry_port }}:5000"
--volume="{{ buildset_registry_root }}/tls:/tls"
--volume="{{ buildset_registry_root }}/conf:/conf"
docker.io/zuul/zuul-registry:latest zuul-registry -d
# Start a socat tunnel to the buildset registry to work around
# https://github.com/containers/libpod/issues/4311
# in case we're using podman.
- name: Start socat to work around https://github.com/containers/libpod/issues/4311
shell: "setsid socat -d -d TCP6-LISTEN:{{ buildset_registry_port }},fork TCP:127.0.0.1:1{{ buildset_registry_port }} 2> {{ buildset_registry_root }}/socat_port &"
- name: Set registry information fact
set_fact:
buildset_registry:
host: "{{ ansible_host }}"
port: "{{ buildset_registry_port }}"
username: zuul
password: "{{ registry_password }}"
cert: "{{ certificate }}"
no_log: true
- name: Return registry information to Zuul
zuul_return:
secret_data:
buildset_registry: "{{ buildset_registry }}"
# This isn't strictly necessary with the current implemenation of
# zuul_return but we set no_log: true in case the verbosity
# changes.
no_log: true