
Following-on from Iffb462371939989b03e5d6ac6c5df63aa7708513, instead of directly referring to a hostname when adding the bastion host to the inventory for the production playbooks, this finds it from the first element of the "bastion" group. As we do this twice for the run and post playbooks, abstract it into a role. The host value is currently "bridge.openstack.org" -- as is the existing hard-coding -- thus this is intended to be a no-op change. It is setting the foundation to make replacing the bastion host a simpler process in the future. Change-Id: I286796ebd71173019a627f8fe8d9a25d0bfc575a
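# Post-run handling of a production playbook's log on the bastion host.
# Depending on the job variables, the log under /var/log/ansible is
#   * encrypted and returned to the Zuul executor
#     (infra_prod_playbook_encrypt_log),
#   * returned in plaintext and published as an artifact
#     (infra_prod_playbook_collect_log), or
#   * kept on the bastion under a timestamped name and pruned after 30 days.

# First play: the add-bastion-host role adds the bastion to the inventory
# so the second play can target it.
- hosts: localhost
  roles:
    - add-bastion-host

# Second play: runs on the first member of the "bastion" group.
- hosts: bastion[0]
  tasks:
    - name: Encrypt log
      when: infra_prod_playbook_encrypt_log | default(False)
      block:

        - name: Create temporary staging area for encrypted logs
          tempfile:
            state: directory
          register: _encrypt_tempdir

        # This is a plaintext copy of the production log.
        # NOTE(review): mode 0644 relies on the staging directory itself
        # being private to the creating user -- confirm, or tighten to
        # '0600' if the encrypt-logs role only needs to read it as zuul.
        - name: Copy log to tempdir as Zuul user
          copy:
            src: '/var/log/ansible/{{ playbook_name }}.log'
            dest: '{{ _encrypt_tempdir.path }}'
            owner: zuul
            group: zuul
            mode: '0644'
            remote_src: true
          become: true

        - name: Encrypt logs
          include_role:
            name: encrypt-logs
          vars:
            encrypt_logs_files:
              - '{{ _encrypt_tempdir.path }}/{{ playbook_name }}.log'
            # Artifact URL should just point to root directory, so blank
            encrypt_logs_artifact_path: ''
            encrypt_logs_download_script_path: '{{ _encrypt_tempdir.path }}'

        # Only the .gpg output and the download helper are pulled back to
        # the executor; the plaintext staging copy stays on the bastion.
        # verify_host keeps SSH host key checking on for the transfer.
        - name: Return logs
          synchronize:
            src: '{{ item[0] }}'
            dest: '{{ item[1] }}'
            mode: pull
            verify_host: true
          loop:
            - - '{{ _encrypt_tempdir.path }}/{{ playbook_name }}.log.gpg'
              - '{{ zuul.executor.log_root }}/{{ playbook_name }}.log.gpg'
            - - '{{ _encrypt_tempdir.path }}/download-logs.sh'
              - '{{ zuul.executor.log_root }}/download-gpg-logs.sh'

      always:

        # Runs even when a task above failed, so the plaintext staging copy
        # is not left behind. The extra ".path" test covers the case where
        # the tempfile task itself failed: the registered variable is then
        # defined but carries no path, and templating it here would raise
        # an undefined-variable error on top of the original failure.
        - name: Remove temporary staging
          file:
            path: '{{ _encrypt_tempdir.path }}'
            state: absent
          when:
            - _encrypt_tempdir is defined
            - _encrypt_tempdir.path is defined

    # Not using normal zuul job roles as the bastion host is not a
    # test node with all the normal bits in place.
    # This pulls the unencrypted log into the job's log root; it is gated
    # on infra_prod_playbook_collect_log.
    - name: Collect log output
      synchronize:
        dest: "{{ zuul.executor.log_root }}/{{ playbook_name }}.log"
        mode: pull
        src: "/var/log/ansible/{{ playbook_name }}.log"
        verify_host: true
      when: infra_prod_playbook_collect_log

    - name: Return playbook log artifact to Zuul
      when: infra_prod_playbook_collect_log
      zuul_return:
        data:
          zuul:
            artifacts:
              - name: "Playbook Log"
                url: "{{ playbook_name }}.log"
                metadata:
                  type: text

    # Save files locally on bridge
    # The path is passed through the "quote" filter so that a playbook_name
    # containing spaces or shell metacharacters reaches head as a single
    # argument instead of being interpreted by bash. The command only
    # reads the log, hence changed_when: false.
    - name: Get original timestamp from file header
      shell: |
        head -1 {{ ('/var/log/ansible/' ~ playbook_name ~ '.log') | quote }} | sed -n 's/^Running \(.*\):.*$/\1/p'
      args:
        executable: /bin/bash
      register: _log_timestamp
      changed_when: false

    # sed prints only on a match, so this is an empty string when the first
    # line of the log does not have the "Running <timestamp>:" form.
    - name: Turn timestamp into a string
      set_fact:
        _log_timestamp: '{{ _log_timestamp.stdout | trim }}'

    - name: Rename playbook log on bridge
      when: not infra_prod_playbook_collect_log
      become: true
      copy:
        remote_src: true
        src: "/var/log/ansible/{{ playbook_name }}.log"
        dest: "/var/log/ansible/{{ playbook_name }}.log.{{ _log_timestamp }}"

    # Reset the access/modification time to the timestamp in the filename; this
    # makes lining things up more logical
    # NOTE(review): unlike the rename above and the cleanup below, this task
    # has no "when". With infra_prod_playbook_collect_log set, this play does
    # not create the timestamped file, and "state: touch" creates an empty
    # file when the path does not exist -- confirm that is intended.
    - name: Reset file time
      file:
        path: '/var/log/ansible/{{ playbook_name }}.log.{{ _log_timestamp }}'
        state: touch
        modification_time: '{{ _log_timestamp }}'
        modification_time_format: '%Y-%m-%dT%H:%M:%S'
        access_time: '{{ _log_timestamp }}'
        access_time_format: '%Y-%m-%dT%H:%M:%S'
      become: true

    # Deletes timestamped copies of this playbook's log older than 30 days.
    # The -name pattern goes through the "quote" filter rather than
    # hand-written single quotes, so a quote character in playbook_name
    # cannot end the argument early in a command that runs as root.
    - name: Cleanup old playbook logs on bridge
      when: not infra_prod_playbook_collect_log
      become: true
      shell: |
        find /var/log/ansible -name {{ (playbook_name ~ '.log.*') | quote }} -type f -mtime +30 -delete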