8eb981b47f
We want to use stop_grace_period to manage gerrit service stops. This feature was added in docker-compose 1.10 but the distro provides 1.5. Work around this by installing docker-compose from pypi. This seems like a useful feature and we want to manage docker-compose the same way globally so move docker-compose installation into the install-docker role. New docker-compose has slightly different output that we must check for in the gitea start/stop machinery. We also need to check for different container name formatting in our test cases. We should pause here and consider if this has any upgrade implications for our existing services. Change-Id: Ia8249a2b84a2ef167ee4ffd66d7a7e7cff8e21fb
331 lines
8.7 KiB
YAML
331 lines
8.7 KiB
YAML
# TODO(mordred) We should do *something* where this could use a zuul cloned
|
|
# copy of project-config instead. This is needed not just for things like
|
|
# manage-projects (which could be run completely differently and non-locally)
|
|
# but also for things like notify-impact, which is currently run by a gerrit
|
|
# hook inside of the container via jeepyb.
|
|
- name: Clone project-config repo
|
|
git:
|
|
repo: https://opendev.org/openstack/project-config
|
|
dest: /opt/project-config
|
|
force: yes
|
|
|
|
- name: Ensure /etc/gerrit-compose directory
|
|
file:
|
|
state: directory
|
|
path: /etc/gerrit-compose
|
|
mode: 0755
|
|
|
|
- name: Put docker-compose file in place
|
|
template:
|
|
src: docker-compose.yaml.j2
|
|
dest: /etc/gerrit-compose/docker-compose.yaml
|
|
mode: 0644
|
|
|
|
- name: Clean up old directory
|
|
file:
|
|
state: absent
|
|
path: /etc/gerrit-podman
|
|
|
|
- name: Create Gerrit Group
|
|
group:
|
|
name: "{{ gerrit_user_name }}"
|
|
gid: "{{ gerrit_id }}"
|
|
system: yes
|
|
|
|
- name: Create Gerrit User
|
|
user:
|
|
name: "{{ gerrit_user_name }}"
|
|
uid: "{{ gerrit_id }}"
|
|
comment: Gerrit User
|
|
shell: /bin/bash
|
|
home: "{{ gerrit_home_dir }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
create_home: yes
|
|
system: yes
|
|
|
|
- name: Ensure review_site directory exists
|
|
file:
|
|
state: directory
|
|
path: "{{ gerrit_site_dir }}"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0755
|
|
|
|
- name: Ensure Gerrit volume directories exists
|
|
file:
|
|
state: directory
|
|
path: "{{ gerrit_site_dir }}/{{ item }}"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0755
|
|
loop:
|
|
- etc
|
|
- git
|
|
- index
|
|
- cache
|
|
- static
|
|
- hooks
|
|
- tmp
|
|
- logs
|
|
|
|
- name: Write Gerrit config file
|
|
template:
|
|
src: gerrit.config
|
|
dest: "{{ gerrit_site_dir }}/etc/gerrit.config"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
- name: Write Gerrit secure config file
|
|
template:
|
|
src: secure.config
|
|
dest: "{{ gerrit_site_dir }}/etc/secure.config"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit replication config
|
|
template:
|
|
src: replication.config.j2
|
|
dest: "{{ gerrit_site_dir }}/etc/replication.config"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
when: gerrit_replication is defined
|
|
|
|
# Server host key for SSH service on port 29418
|
|
- name: Write Gerrit SSH host private key
|
|
copy:
|
|
content: "{{ gerrit_ssh_rsa_key_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit SSH host public key
|
|
copy:
|
|
content: "{{ gerrit_ssh_rsa_pubkey_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
# Private key for openstack-project-creator user
|
|
- name: Write Gerrit SSH project private key
|
|
copy:
|
|
content: "{{ gerrit_project_ssh_rsa_key_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
# Public key for openstack-project-creator user
|
|
- name: Write Gerrit SSH project public key
|
|
copy:
|
|
content: "{{ gerrit_project_ssh_rsa_pubkey_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
# Private key for welcome message user
|
|
- name: Write Welcome SSH private key
|
|
copy:
|
|
content: "{{ welcome_message_gerrit_ssh_private_key }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
when: welcome_message_gerrit_ssh_private_key is defined
|
|
|
|
- name: Write Welcome SSH public key
|
|
copy:
|
|
content: "{{ welcome_message_gerrit_ssh_public_key }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
when: welcome_message_gerrit_ssh_public_key is defined
|
|
|
|
- name: Ensure .ssh directory exists
|
|
file:
|
|
state: directory
|
|
path: "{{ gerrit_home_dir }}/.ssh"
|
|
mode: 0700
|
|
|
|
# Private key for gerrit user to connect to other systems,
|
|
# such as for replication.
|
|
- name: Write Gerrit SSH private key
|
|
copy:
|
|
content: "{{ gerrit_replication_ssh_rsa_key_contents }}"
|
|
dest: "{{ gerrit_home_dir }}/.ssh/id_rsa"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit SSH public key
|
|
copy:
|
|
content: "{{ gerrit_replication_ssh_rsa_pubkey_contents }}"
|
|
dest: "{{ gerrit_home_dir }}/.ssh/id_rsa.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
# Make the directory even if we don't have creds to make
|
|
# bind mounting in the docker-compose file simple.
|
|
- name: Ensure launchpadlib directory exists
|
|
file:
|
|
state: directory
|
|
path: "{{ gerrit_home_dir }}/.launchpadlib"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0775
|
|
|
|
- name: Write Launchpad creds file
|
|
template:
|
|
src: infra_lp_creds.j2
|
|
dest: "{{ gerrit_home_dir }}/.launchpadlib/creds"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
when: lp_access_token is defined
|
|
|
|
- name: Copy static hooks
|
|
copy:
|
|
src: "hooks/{{ item }}"
|
|
dest: "{{ gerrit_site_dir }}/hooks/{{ item }}"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0555
|
|
loop:
|
|
- change-merged
|
|
- change-abandoned
|
|
- patchset-created
|
|
|
|
- name: Copy notify-impact yaml file
|
|
copy:
|
|
src: "{{ gerrit_project_config_base }}/gerrit/notify_impact.yaml"
|
|
dest: "{{ gerrit_site_dir }}/hooks/notify_impact.yaml"
|
|
remote_src: yes
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0444
|
|
|
|
# TODO(mordred) These things should really go into the image instead.
|
|
- name: Copy static and etc
|
|
copy:
|
|
src: "{{ item }}"
|
|
dest: "{{ gerrit_site_dir }}/{{ item }}"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: preserve
|
|
loop:
|
|
- static/hideci.js
|
|
- static/robots.txt
|
|
- static/system-cla.html
|
|
- static/usg-cla.html
|
|
- etc/GerritSite.css
|
|
- etc/GerritSiteHeader.html
|
|
|
|
- name: Write jeepyb utility scripts
|
|
template:
|
|
src: "{{ item }}.j2"
|
|
dest: "/usr/local/bin/{{ item }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
loop:
|
|
- manage-projects
|
|
- track-upstream
|
|
|
|
- name: Write projects.ini
|
|
template:
|
|
src: projects.ini.j2
|
|
dest: /home/gerrit2/projects.ini
|
|
owner: gerrit2
|
|
group: gerrit2
|
|
mode: 0600
|
|
|
|
- name: Install apache2
|
|
apt:
|
|
name:
|
|
- apache2
|
|
- apache2-utils
|
|
state: present
|
|
|
|
- name: Apache modules
|
|
apache2_module:
|
|
state: present
|
|
name: "{{ item }}"
|
|
loop:
|
|
- rewrite
|
|
- proxy
|
|
- proxy_http
|
|
- ssl
|
|
- headers
|
|
|
|
- name: Copy apache config
|
|
template:
|
|
src: gerrit.vhost.j2
|
|
dest: /etc/apache2/sites-enabled/000-default.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
notify: gerrit Reload apache2
|
|
|
|
- name: Copy redirect config
|
|
template:
|
|
src: redirect.vhost.j2
|
|
dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
when: gerrit_redirect_vhost is defined
|
|
notify: gerrit Reload apache2
|
|
|
|
- name: Start gerrit
|
|
include_tasks: start.yaml
|
|
|
|
- name: Set up cron job to optmize git repos
|
|
cron:
|
|
name: optmize-git-repos
|
|
state: present
|
|
user: gerrit2
|
|
job: 'find /home/gerrit2/review_site/git/ -type d -name "*.git" -print -exec git --git-dir="{}" gc \;'
|
|
minute: 17
|
|
hour: 4
|
|
|
|
- name: Set up cron job to optmize local mirror git repos
|
|
cron:
|
|
name: optmize-local-git-repos
|
|
state: present
|
|
user: gerrit2
|
|
job: 'find /opt/lib/git/ -type d -name "*.git" -print -exec git --git-dir="{}" gc \;'
|
|
minute: 17
|
|
hour: 4
|
|
|
|
- name: Set up cron job to track upstream
|
|
cron:
|
|
name: track-upstream
|
|
job: '/usr/local/bin/track-upstream'
|
|
user: root
|
|
minute: 42
|
|
|
|
- name: Set up cron job to back up gerrit db
|
|
cron:
|
|
name: gerrit-backup
|
|
user: root
|
|
hour: 0
|
|
minute: 0
|
|
job: '/usr/bin/mysqldump --defaults-file=/root/.gerrit_db.cnf --opt --ignore-table mysql.event --all-databases --single-transaction | gzip -9 > /home/gerrit2/mysql_backups/gerrit.sql.gz'
|
|
|
|
# Gerrit rotates their own logs, but doesn't clean them out
|
|
# Delete logs older than a month
|
|
- name: Set up cron job to clean old gerrit logs
|
|
cron:
|
|
name: clear-gerrit-logs
|
|
state: present
|
|
user: gerrit2
|
|
job: 'find /home/gerrit2/review_site/logs/*.gz -mtime +30 -exec rm -f {} \;'
|
|
minute: 1
|
|
hour: 6
|