|
|
@@ -60,167 +60,29 @@
|
|
|
{{ quay_cert }}
|
|
|
{{ ca_cert }}
|
|
|
|
|
|
-- name: Prepare registry VM to run Quay services.
|
|
|
+- name: Ensure registry VM has a data directory for Quay.
|
|
|
hosts: registry.ocp4.example.com
|
|
|
+ become: yes
|
|
|
gather_subset: min
|
|
|
tasks:
|
|
|
- - name: Ensure firewall allows HTTP/HTTPS.
|
|
|
- become: yes
|
|
|
- ansible.posix.firewalld:
|
|
|
- immediate: yes
|
|
|
- permanent: yes
|
|
|
- zone: public
|
|
|
- service: "{{ item }}"
|
|
|
- state: enabled
|
|
|
- loop:
|
|
|
- - http
|
|
|
- - https
|
|
|
-
|
|
|
- - name: Ensure unpriv users can open ports from 80 onwards.
|
|
|
- become: yes
|
|
|
- ansible.posix.sysctl:
|
|
|
- name: net.ipv4.ip_unprivileged_port_start
|
|
|
- value: "80"
|
|
|
- state: present
|
|
|
- sysctl_file: /etc/sysctl.d/quay-low-ports.conf
|
|
|
- reload: yes
|
|
|
-
|
|
|
- - name: Ensure user quay exists.
|
|
|
- become: yes
|
|
|
- ansible.builtin.user:
|
|
|
- name: quay
|
|
|
- create_home: yes
|
|
|
- state: present
|
|
|
-
|
|
|
- - name: Have the quay user accept student's SSH key.
|
|
|
- become: yes
|
|
|
- ansible.posix.authorized_key:
|
|
|
- key: "{{ lookup('ansible.builtin.file', '/home/student/.ssh/lab_rsa.pub') }}"
|
|
|
- user: quay
|
|
|
- state: present
|
|
|
-
|
|
|
- - name: Ensure user quay will linger.
|
|
|
- become: yes
|
|
|
- ansible.builtin.command:
|
|
|
- cmd: loginctl enable-linger quay
|
|
|
- creates: /var/lib/systemd/linger/quay
|
|
|
-
|
|
|
- - name: Ensure data directories are there.
|
|
|
- become: yes
|
|
|
+ - name: Ensure data directory is there.
|
|
|
ansible.builtin.file:
|
|
|
- path: "{{ item }}"
|
|
|
+ path: /local/quay
|
|
|
mode: 0770
|
|
|
owner: quay
|
|
|
group: quay
|
|
|
state: directory
|
|
|
- loop:
|
|
|
- - /local/quay-pg
|
|
|
- - /local/quay
|
|
|
-
|
|
|
- - name: Ensure .docker directory is there
|
|
|
- become: yes
|
|
|
- ansible.builtin.file:
|
|
|
- path: "/home/quay/.docker"
|
|
|
- mode: 0700
|
|
|
- owner: quay
|
|
|
- group: quay
|
|
|
- state: directory
|
|
|
-
|
|
|
- # TODO: figure out how to customise this with registry host changes
|
|
|
- - name: Ensure podman will be able to log into the upstream registry
|
|
|
- become: yes
|
|
|
- ansible.builtin.copy:
|
|
|
- dest: "/home/quay/.docker/config.json"
|
|
|
- content: |
|
|
|
- {"auths":{"registry.redhat.io":{"auth":"fHVoYy1wb29sLTlmMDA1Mzc2LTM2YTItNDJhMS1hNTQwLTA0NzNkYzg3MzYzMzpleUpoYkdjaU9pSlNVelV4TWlKOS5leUp6ZFdJaU9pSTVPRGc1WVdFeFl6Qm1PV0kwWmpVM1lqazNObUk1WldFeU16SXdaalUwTUNKOS5zWmQ5VE1RbzBXREc2NUc5Qk1ObmtuYlBjRkIzNmhyRFhkMThfdTNLeHFaczdlOG1hQ19QeEFReGpwdVk0YVM2VERIbkxDNWpGYjRRNXFYVEpWbjJCOGE4cDFuY08tM24ySG5QdDg3NmktVUFDU3lldWtpb3k4aHI0V3d1ZkhReFVYMmxxWFhYdjN6blE3am1URUNBc25rWkNRSFU1dFNpRnNUZHhFZGZkeU42Z20xN3VqY2thZG5NbFBZcTZfU1I2bUtLaUpUdFQ3SFlDWXJBVk5zZ0tfNGFkZ2MtRXBlbEtHbGNERWkzNGhYbzFqbEIzRERyUWkxSUxCV0UwZkdXb1czZy1ZUzFGMFlEXzc0bm1XSU5mUE1jM25UOERaQWl0OEw0VlFPTnZnUE51YnVfTVVGUGhqX29VUjF3VUR0a1BRNktJdm82UWYyRkdwMndLM1B6YnRBRFFzRVZTZDlITzQ3a0RKdGFobk95YTFmRmdqZVk1bFNxLW1vT2RqUldCZ3U2XzNIX25lZExJR1lQRHRBZnp5cGJ1eHZ1cEd1M2hYWnVzeWN0aURtR203SkR5RW5KdjF1RFZmYVduU2EzSV9NcFRSVVcyZWU1RF9CanJleTdlU2I0bEpGcmp1eC1nY2JVaHFsWGJZc2l6azdXWHpvRmtrVFlMdXFDQ1FvS1J0OFdSN1UzTmh3c3Q2ckV3eEFOaWJFTlNzUVB3MGg4X0NDRm5qTHFSTl82cWpTc0tpeWRGT2tHVFliT0taTktaSVVhYkZFTjRhYVRVYmlYTVdPS2Eyak1xLUhwazBMNEowUmtOM2JkQVVqWmtERHE0ZFY1ZVFjdXNIeV9LY29nd1VKSjZ4MDNObnM4b0xBdjRJZ3RKeXlxcmE1YUJHSkxReHNjRXVSNzQwWQ=="}}}
|
|
|
- mode: 0600
|
|
|
- owner: quay
|
|
|
- group: quay
|
|
|
|
|
|
- name: Configure containers and their environment on registry VM.
|
|
|
hosts: registry.ocp4.example.com
|
|
|
gather_subset: min
|
|
|
remote_user: quay
|
|
|
tasks:
|
|
|
- - name: Create a podman network, if necessary.
|
|
|
- containers.podman.podman_network:
|
|
|
- name: quay
|
|
|
- state: present
|
|
|
-
|
|
|
- name: Pull all the images if necessary.
|
|
|
containers.podman.podman_image:
|
|
|
- name: "{{ registry_host }}/{{ item }}"
|
|
|
+ name: "{{ registry_host }}/quay/quay-rhel8:v{{ quay_version }}"
|
|
|
pull: yes
|
|
|
state: present
|
|
|
- loop:
|
|
|
- - rhel9/postgresql-15:latest
|
|
|
- - rhel9/redis-7:latest
|
|
|
- - quay/quay-rhel8:v{{ quay_version }}
|
|
|
- - quay/clair-rhel8:v{{ quay_version }}
|
|
|
-
|
|
|
- # TODO: recursive!
|
|
|
- - name: Ensure PG datadir is owned by the correct user.
|
|
|
- become_method: containers.podman.podman_unshare
|
|
|
- become: yes
|
|
|
- ansible.builtin.file:
|
|
|
- path: /local/quay-pg
|
|
|
- state: directory
|
|
|
- owner: 26
|
|
|
- mode: 0770
|
|
|
-
|
|
|
- - name: Start postgres container if necessary.
|
|
|
- containers.podman.podman_container:
|
|
|
- name: postgresql
|
|
|
- image: "{{ registry_host }}/rhel9/postgresql-15:latest"
|
|
|
- rm: yes
|
|
|
- detach: yes
|
|
|
- env:
|
|
|
- POSTGRESQL_USER: quay
|
|
|
- POSTGRESQL_PASSWORD: secret
|
|
|
- POSTGRESQL_DATABASE: quay
|
|
|
- POSTGRESQL_ADMIN_PASSWORD: verysecret
|
|
|
- network:
|
|
|
- - quay
|
|
|
- volumes:
|
|
|
- - /local/quay-pg:/var/lib/pgsql/data:Z
|
|
|
- state: started
|
|
|
- register: pg_started
|
|
|
-
|
|
|
- - name: Wait for the PostgreSQL container to become ready if it was changed in any way.
|
|
|
- containers.podman.podman_container_info:
|
|
|
- name: postgresql
|
|
|
- when: pg_started.changed
|
|
|
- register: pg_info
|
|
|
- until: pg_info.containers[0].State.Running
|
|
|
- retries: 12
|
|
|
- delay: 5
|
|
|
-
|
|
|
- - name: Wait for the server inside container to start up.
|
|
|
- containers.podman.podman_container_exec:
|
|
|
- name: postgresql
|
|
|
- command: 'psql -d quay -U postgres -c "SELECT 1"'
|
|
|
- when: pg_started.changed
|
|
|
- changed_when: no
|
|
|
- register: pg_rdy
|
|
|
- until: pg_rdy.rc == 0
|
|
|
- retries: 10
|
|
|
- delay: 3
|
|
|
-
|
|
|
- - name: Create the trigram extension if necessary.
|
|
|
- containers.podman.podman_container_exec:
|
|
|
- name: postgresql
|
|
|
- command: 'psql -d quay -U postgres -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"'
|
|
|
- register: pg_ext
|
|
|
- changed_when:
|
|
|
- - not "already exists" in pg_ext.stderr
|
|
|
-
|
|
|
- - name: If we started the PG container and created the extension, stop the container now.
|
|
|
- containers.podman.podman_container:
|
|
|
- name: postgresql
|
|
|
- state: stopped
|
|
|
- when:
|
|
|
- - pg_started.changed
|
|
|
- - pg_ext.changed
|
|
|
|
|
|
- name: Create Quay config directory if necessary.
|
|
|
ansible.builtin.file:
|
|
|
@@ -291,12 +153,8 @@
|
|
|
|
|
|
- name: Deploy service units.
|
|
|
ansible.builtin.template:
|
|
|
- dest: "{{ ansible_facts['user_dir'] }}/.config/systemd/user/{{ item }}"
|
|
|
- src: "templates/{{ item }}.j2"
|
|
|
- loop:
|
|
|
- - quay-pg.service
|
|
|
- - quay-redis.service
|
|
|
- - quay.service
|
|
|
+ dest: "{{ ansible_facts['user_dir'] }}/.config/systemd/user/quay.service"
|
|
|
+ src: "templates/quay.service.j2"
|
|
|
|
|
|
- name: Reload systemd.
|
|
|
ansible.builtin.systemd_service:
|
|
|
@@ -305,14 +163,10 @@
|
|
|
|
|
|
- name: Enable services and start them.
|
|
|
ansible.builtin.systemd_service:
|
|
|
- name: "{{ item }}"
|
|
|
+ name: quay
|
|
|
scope: user
|
|
|
state: started
|
|
|
enabled: yes
|
|
|
- loop:
|
|
|
- - quay-pg
|
|
|
- - quay-redis
|
|
|
- - quay
|
|
|
register: startup
|
|
|
|
|
|
- name: Wait a bit if the Quay container was just started.
|
|
|
@@ -327,7 +181,7 @@
|
|
|
- 200
|
|
|
- 404
|
|
|
- 502
|
|
|
- when: startup.results[2].changed
|
|
|
+ when: startup.changed
|
|
|
register: startup_wait
|
|
|
until: startup_wait.status == 200
|
|
|
retries: 30
|
