Merge sa2ajj/buildbot-infra:bootstrap (PR #12)

buildbot · Nov 23, 2014 · b146795 · b146795
2 parents 286f123 + d2981a1
commit b146795
Show file tree

Hide file tree

Showing 12 changed files with 119 additions and 30 deletions.
diff --git a/bootstrap b/bootstrap
@@ -0,0 +1,28 @@
+#! /bin/sh
+#
+# This script invokes bootstrap.yml while settings special parameters
+#
+# Usage: ./bootstrap <host-pattern> [-i <inventory>] [<ansible-playbook-options>]
+#
+# host-pattern specifies the host to bootstrap; in most cases this should be a single
+# hostname, but for bootstrapping a set of hosts this can be any Ansible pattern.
+#
+# -i <inventory> is needed when you deploy on hosts other than listed in 'dev-hosts'
+#
+# The `ControlPersist` parameter below is set to 10m, so ssh would keep the
+# connection after the first authentication.
+
+set -e
+
+hostpattern=$1
+shift
+if [ -z "$hostpattern" ]; then
+    echo "hostpattern is required"
+    exit 1
+fi
+
+export ANSIBLE_HOST_KEY_CHECKING=False
+export ANSIBLE_SSH_ARGS="-o PreferredAuthentications=password,keyboard-interactive -o ControlPersist=10m"
+
+ansible-playbook bootstrap.yml -l $hostpattern $*
+ansible-playbook site.yml -u root -l $hostpattern $*
diff --git a/bootstrap.yml b/bootstrap.yml
@@ -0,0 +1,27 @@
+# Playbook to bootstrap new service hosts
+#
+# Prerequisites:
+# * basic system is installed (FreeBSD 10.0+) on the target machines
+# * there's only root account that allows to connect to those machines
+# * root passwords are known for all target machines so we can connect as root
+# * ssh access for 'root' is enabled (`PermitRootLogin yes`)
+#
+# Outcome:
+# * machine has basic infrastructure so it can be managed by Ansible:
+#   * user "{{ service_account }}" is created
+#   * this user is granted passwordless sudo right (added to wheel group)
+#   * a crontab entry for running ansible-pull is added
+---
+- name: perform initial bootstrap of service hosts
+  hosts: servicehosts
+  gather_facts: no
+  # we do not have admin users on the target hosts yet, hence using root
+  # directly
+  remote_user: root
+
+  tasks:
+  # This is the only task that requires 'raw' module
+  - name: install ansible
+    raw: "env ASSUME_ALWAYS_YES=YES pkg install ansible"
+
+# vim:ft=yaml:nosi:noai:ts=2:sw=2
diff --git a/docs/ansible-notes.txt b/docs/ansible-notes.txt
diff --git a/docs/ansible-todo.txt b/docs/ansible-todo.txt
@@ -0,0 +1,10 @@
+Things to implement for cron task
+---------------------------------
+
+(based on discussion in https://github.com/buildbot/buildbot-infra/pull/12)
+
+* run under service account
+* ensure path does not depend on external configuration
+* run daily
+* document a way to "force" a run
+* collect logs and send a notification in case of errors
diff --git a/group_vars/all b/group_vars/all
@@ -1,4 +1,9 @@
+# This file defines all kind of global parameters and defaults
 ---
+# Use non-fully qualified name of python2
+# On FreeBSD machines it's available as /usr/local/bin/python2, on most Linux
+# machines it's available as /usr/bin/python2
+ansible_python_interpreter: python2
 
 # admin users have administrative access to all systems (but they know better
 # than to change things by hand).  They will be added to the 'wheel' group.
@@ -18,3 +23,21 @@ admin_users:
   state: present
 - username: sean
   state: present
+
+service_account: bbinfra
+
+# Mandatory packages are the ones that must be installed on every host.
+# Ansible installation is taken care of depending on what kind of host is that
+# (service host, jail, vm)
+mandatory_packages:
+- sudo
+- git       # this is a mandatory package since we rely on ansible-pull
+
+# TODO: make use of these
+# Utility packages are the ones that must be installed on service host only (at
+# least, at the moment).
+# The original list is based on http://trac.buildbot.net/ticket/3036
+utility_packages:
+- bash
+- screen
+- vim-lite  # we probably do not want to bring all the stuff
diff --git a/prod-hosts b/prod-hosts
@@ -1,2 +1,2 @@
 [servicehosts]
-service[1:3].buildbot.net ansible_python_interpreter=python2
+service[1:3].buildbot.net
diff --git a/roles/base/templates/sudoers-wheel.j2 → roles/base/files/sudoers-wheel b/roles/base/templates/sudoers-wheel.j2 → roles/base/files/sudoers-wheel
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
 - include: secrets.yml
-- include: python.yml
+- include: packages.yml
 - include: sudo.yml
-- include: admin_users.yml
+- include: users.yml
diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml
@@ -0,0 +1,11 @@
+- name: install mandatory packages
+  pkgng:
+    name: "{{item}}"
+    state: present
+  with_items: mandatory_packages
+
+- name: install utility packages
+  pkgng:
+    name: "{{item}}"
+    state: present
+  with_items: utility_packages
diff --git a/roles/base/tasks/python.yml b/roles/base/tasks/python.yml
diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml
@@ -1,6 +1,12 @@
 ---
-- name: install sudo
-  pkgng: name=sudo state=present
+- name: enable sudo modular configuration
+  lineinfile:
+    dest: "/usr/local/etc/sudoers"
+    line: "#includedir /usr/local/etc/sudoers.d"
+    state: present
+    validate: "visudo -cf %s"
 
-- name: configure sudo
-  template: src=sudoers-wheel.j2 dest=/usr/local/etc/sudoers.d/sudoers-wheel validate='visudo -cf %s'
+- name: enable passwordless sudo for members of the wheel group
+  copy:
+    src: "files/sudoers-wheel"
+    dest: "/usr/local/etc/sudoers.d/sudoers-wheel"
diff --git a/roles/base/tasks/admin_users.yml → roles/base/tasks/users.yml b/roles/base/tasks/admin_users.yml → roles/base/tasks/users.yml
@@ -10,3 +10,10 @@
   with_items: admin_users
   # only operate on present users; absent users don't have a homedir in /etc/passwd anymore
   when: item.state == 'present'
+
+- name: add service account
+  user:
+    name: "{{ service_account }}"
+    comment: Buildbot Service Account
+    state: present
+    groups: wheel