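---
# Tasks required by 10-quay-deploy.adoc.
#
# Variables this playbook needs but deliberately does NOT define (supply them
# from inventory, an ansible-vault encrypted vars file, or --extra-vars):
#   registry_host           - registry the rhel9/* images are pulled from
#   upstream_registry_auth  - base64("user:password") podman uses to log into
#                             upstream_registry_host
# The database passwords below are lab defaults and are meant to be overridden
# the same way rather than edited here.

- name: Prepare registry VM to run Quay services.
  hosts: registry.ocp4.example.com
  gather_subset: min
  vars:
    # Registry the quay user's podman authenticates to. Change this (and the
    # matching upstream_registry_auth) to point at a different upstream.
    upstream_registry_host: registry.redhat.io
    # Public key on the controller that is granted access to the quay account.
    student_pubkey_path: /home/student/.ssh/lab_rsa.pub
  tasks:
    - name: Ensure firewall allows HTTP/HTTPS.
      become: true
      ansible.posix.firewalld:
        immediate: true
        permanent: true
        zone: public
        service: "{{ item }}"
        state: enabled
      loop:
        - http
        - https

    # Needed so the rootless quay user can bind 80/443 for Quay. Note this is a
    # host-wide knob: after it is applied EVERY local account may bind any port
    # from 80 upwards (443, 111, 389, ...), so keep this VM single-purpose.
    - name: Ensure unpriv users can open ports from 80 onwards.
      become: true
      ansible.posix.sysctl:
        name: net.ipv4.ip_unprivileged_port_start
        value: "80"
        state: present
        sysctl_file: /etc/sysctl.d/quay-low-ports.conf
        reload: true

    - name: Ensure user quay exists.
      become: true
      ansible.builtin.user:
        name: quay
        create_home: true
        state: present

    - name: Have the quay user accept student's SSH key.
      become: true
      ansible.posix.authorized_key:
        key: "{{ lookup('ansible.builtin.file', student_pubkey_path) }}"
        user: quay
        state: present

    # Lingering keeps the quay user's systemd --user instance (and therefore
    # the container units installed by the second play) alive without a login.
    - name: Ensure user quay will linger.
      become: true
      ansible.builtin.command:
        cmd: loginctl enable-linger quay
        creates: /var/lib/systemd/linger/quay

    # Created as quay here; the second play re-maps ownership to the UID
    # postgres runs as inside the container.
    - name: Ensure PG data directory is there.
      become: true
      ansible.builtin.file:
        path: /local/quay-pg
        mode: "0770"
        owner: quay
        group: quay
        state: directory

    - name: Ensure .docker directory is there.
      become: true
      ansible.builtin.file:
        path: /home/quay/.docker
        mode: "0700"
        owner: quay
        group: quay
        state: directory

    # The registry credential comes from a variable so it never lives in this
    # file; no_log keeps it out of the play output as well. The play fails on
    # an undefined upstream_registry_auth rather than writing an empty login.
    - name: Ensure podman will be able to log into the upstream registry.
      become: true
      no_log: true
      ansible.builtin.copy:
        dest: /home/quay/.docker/config.json
        content: "{{ {'auths': {upstream_registry_host: {'auth': upstream_registry_auth}}} | to_json }}"
        mode: "0600"
        owner: quay
        group: quay

- name: Configure containers and their environment on registry VM.
  hosts: registry.ocp4.example.com
  gather_subset: min
  remote_user: quay
  vars:
    quay_images:
      - rhel9/postgresql-15:latest
      - rhel9/redis-7:latest
    quay_pg_image: "{{ registry_host }}/rhel9/postgresql-15:latest"
    quay_pg_datadir: /local/quay-pg
    # UID postgres runs as inside the image; it is mapped through the quay
    # user's subuid range by podman unshare below.
    quay_pg_container_uid: 26
    quay_pg_user: quay
    quay_pg_database: quay
    # Lab defaults only. Override both from an encrypted vars file; the
    # quay-pg unit template presumably has to agree with whatever is set here.
    quay_pg_password: secret
    quay_pg_admin_password: verysecret
  tasks:
    - name: Create a podman network, if necessary.
      containers.podman.podman_network:
        name: quay
        state: present

    - name: Pull all the images if necessary.
      containers.podman.podman_image:
        name: "{{ registry_host }}/{{ item }}"
        pull: true
        state: present
      loop: "{{ quay_images }}"

    # TODO: recursive! (only the directory itself is chowned; existing files
    # written by a previous run are left as they are)
    - name: Ensure PG datadir is owned by the correct user.
      become: true
      become_method: containers.podman.podman_unshare
      ansible.builtin.file:
        path: "{{ quay_pg_datadir }}"
        state: directory
        owner: "{{ quay_pg_container_uid }}"
        mode: "0770"

    # The one-shot bootstrap below must not run next to a live quay-pg unit:
    # two postgres instances on the same data directory is unsafe. The unit is
    # enabled at the end of this play, so on re-runs it is normally active and
    # the bootstrap is skipped. A non-zero rc (unit inactive, or no user
    # manager reachable) falls through to running the bootstrap.
    - name: Check whether the quay-pg user unit is already active.
      ansible.builtin.command:
        cmd: systemctl --user is-active quay-pg.service
      register: quay_pg_unit
      changed_when: false
      failed_when: false

    - name: Bootstrap the database with a throw-away postgres container.
      when: quay_pg_unit.rc != 0
      block:
        # env carries the database passwords, hence no_log.
        - name: Start postgres container if necessary.
          no_log: true
          containers.podman.podman_container:
            name: postgresql
            image: "{{ quay_pg_image }}"
            rm: true
            detach: true
            env:
              POSTGRESQL_USER: "{{ quay_pg_user }}"
              POSTGRESQL_PASSWORD: "{{ quay_pg_password }}"
              POSTGRESQL_DATABASE: "{{ quay_pg_database }}"
              POSTGRESQL_ADMIN_PASSWORD: "{{ quay_pg_admin_password }}"
            network:
              - quay
            volumes:
              - "{{ quay_pg_datadir }}:/var/lib/pgsql/data:Z"
            state: started
          register: pg_started

        - name: Wait for the PostgreSQL container to become ready if it was changed in any way.
          containers.podman.podman_container_info:
            name: postgresql
          when: pg_started.changed
          register: pg_info
          until: pg_info.containers[0].State.Running
          retries: 12
          delay: 5

        - name: Wait for the server inside container to start up.
          containers.podman.podman_container_exec:
            name: postgresql
            command: 'psql -d {{ quay_pg_database }} -U postgres -c "SELECT 1"'
          when: pg_started.changed
          changed_when: false
          register: pg_rdy
          until: pg_rdy.rc == 0
          retries: 10
          delay: 3

        - name: Create the trigram extension if necessary.
          containers.podman.podman_container_exec:
            name: postgresql
            command: 'psql -d {{ quay_pg_database }} -U postgres -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"'
          register: pg_ext
          changed_when: 'not "already exists" in pg_ext.stderr'

      always:
        # Stop (and, because of rm, remove) the bootstrap container whenever
        # this play started it -- also when a step above failed, and also when
        # the extension already existed -- so it never competes with the
        # quay-pg unit started below for the data directory.
        - name: Stop the bootstrap postgres container.
          containers.podman.podman_container:
            name: postgresql
            state: stopped
          when: pg_started is defined and pg_started.changed

    - name: Ensure systemd user dir is there.
      ansible.builtin.file:
        path: "{{ ansible_facts['user_dir'] }}/.config/systemd/user"
        state: directory

    - name: Deploy service units.
      ansible.builtin.template:
        dest: "{{ ansible_facts['user_dir'] }}/.config/systemd/user/{{ item }}"
        src: "templates/{{ item }}.j2"
      loop:
        - quay-pg.service
        - quay-redis.service

    - name: Reload systemd.
      ansible.builtin.systemd_service:
        daemon_reload: true
        scope: user

    - name: Enable services and start them.
      ansible.builtin.systemd_service:
        name: "{{ item }}"
        scope: user
        state: started
        enabled: true
      loop:
        - quay-pg
        - quay-redis
...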