rht
/
ocp-disco-install-materials


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316
							---
# Tasks required by 15-clair-deploy.adoc.
- name: Ensure backup file is readable by postgresql containers.
  hosts: registry.ocp4.example.com
  gather_subset: min
  become: yes
  tasks:
    - name: Ensure backup file is owned by quay user.
      ansible.builtin.file:
        path: /local/backups/clair.backup
        owner: quay
        group: quay
        mode: 0644

- name: Prepare registry VM to run Clair services.
  hosts: registry.ocp4.example.com
  gather_subset: min
  remote_user: quay
  tasks:
    - name: Ensure the podman network is there.
      containers.podman.podman_network_info:
        name: quay
      register: quay_net
      ignore_errors: yes

    - ansible.builtin.assert:
        that:
          - not quay_net.failed
          - quay_net.networks is defined
          - quay_net.networks is iterable
          - quay_net.networks | length == 1
        fail_msg: "FATAL: Podman network 'quay' does not exist for 'quay' user. Ensure you deployed Quay before running this playbook."
        success_msg: "OK, network 'quay' found."

    - name: Ensure the quay service is defined.
      ansible.builtin.stat:
        path: "{{ ansible_facts['user_dir'] }}/.config/systemd/user/quay.service"
        get_attributes: no
        get_checksum: no
        get_mime: no
      register: quay_svc_unit

    - ansible.builtin.assert:
        that:
          - not quay_svc_unit.failed
          - quay_svc_unit.stat.exists
        fail_msg: "FATAL: User service 'quay.service' not found for 'quay' user. Ensure you deployed Quay before running this playbook."
        success_msg: "OK, service 'quay.service' found."

    - name: Ensure the quay-pg service is defined.
      ansible.builtin.stat:
        path: "{{ ansible_facts['user_dir'] }}/.config/systemd/user/quay-pg.service"
        get_attributes: no
        get_checksum: no
        get_mime: no
      register: quay_pg_svc_unit

    - ansible.builtin.assert:
        that:
          - not quay_pg_svc_unit.failed
          - quay_pg_svc_unit.stat.exists
        fail_msg: "FATAL: User service 'quay-pg.service' not found for 'quay' user. Ensure you deployed Quay before running this playbook."
        success_msg: "OK, service 'quay-pg.service' found."

    - name: Ensure Quay PostgreSQL is running.
      ansible.builtin.systemd_service:
        name: quay-pg
        scope: user
        state: started

    - name: Check whether the clair database exists.
      containers.podman.podman_container_exec:
        name: postgresql
        command: psql -d postgres -U postgres -t -A -c "SELECT datname FROM pg_database WHERE datname = 'clair'"
      register: pg_clair
      changed_when: no

    - name: Create the clair database if necessary.
      containers.podman.podman_container_exec:
        name: postgresql
        command: 'psql -d postgres -U postgres -c "CREATE DATABASE clair OWNER quay"'
      when:
        - pg_clair is defined
        - pg_clair.stdout_lines | length == 0

    - name: Create the uuid-ossp extension if necessary.
      containers.podman.podman_container_exec:
        name: postgresql
        command: psql -d clair -U postgres -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp"'
      register: pg_ext
      changed_when:
        - not "already exists" in pg_ext.stderr

    - name: Pull all the images if necessary.
      containers.podman.podman_image:
        name: "{{ registry_host }}/quay/clair-rhel8:v{{ quay_version }}"
        pull: yes
        state: present

    # TODO: Make loop labels nicer.
    - name: Patch Quay config if necessary.
      ansible.builtin.lineinfile:
        path: "{{ ansible_facts['user_dir'] }}/config/config.yaml"
        insertafter: "{{ item.after }}"
        regexp: "{{ item.fixre }}"
        line: "{{ item.value }}"
      loop:
        - after: "^FEATURE_MAILING: false$"
          fixre: "^FEATURE_SECURITY_SCANNER: .*$"
          value: "FEATURE_SECURITY_SCANNER: true"
        - after: "^SECRET_KEY: .*$"
          fixre: "^SECURITY_SCANNER_INDEXING_INTERVAL: .*$"
          value: "SECURITY_SCANNER_INDEXING_INTERVAL: 30"
        - after: "^SECURITY_SCANNER_INDEXING_INTERVAL: .*$"
          fixre: "^SECURITY_SCANNER_V4_PSK: .*$"
          value: "SECURITY_SCANNER_V4_PSK: NjA1aWhnNWk4MWhqNw=="
        - after: "^SECURITY_SCANNER_V4_PSK: .*$"
          fixre: "^SECURITY_SCANNER_V4_ENDPOINT: .*$"
          value: "SECURITY_SCANNER_V4_ENDPOINT: http://clair:8081"
      notify:
        - restart quay and wait for ready

    - name: Create Clair config directory if necessary.
      ansible.builtin.file:
        path: "{{ ansible_facts['user_dir'] }}/clair"
        state: directory
        mode: 0775

    - name: Publish Clair config if necessary.
      ansible.builtin.copy:
        dest: "{{ ansible_facts['user_dir'] }}/clair/config.yaml"
        content: |
          http_listen_addr: :8081
          introspection_addr: :8088
          #log_level: debug # too noisy
          log_level: info
          indexer:
            connstring: host=postgresql port=5432 dbname=clair user=quay password=secret sslmode=disable
            scanlock_retry: 10
            layer_scan_concurrency: 5
            migrations: true
            scanner:
              repo:
                rhel-repository-scanner:
                  repo2cpe_mapping_file: /data/repository-to-cpe.json
              package:
                rhel_containerscanner:
                  name2repos_mapping_file: /data/container-name-repos-map.json
            airgap: true
          matcher:
            connstring: host=postgresql port=5432 dbname=clair user=quay password=secret sslmode=disable
            max_conn_pool: 100
            migrations: true
            indexer_addr: clair-indexer
            disable_updaters: true
          notifier:
            connstring: host=postgresql port=5432 dbname=clair user=quay password=secret sslmode=disable
            delivery_interval: 1m
            poll_interval: 5m
            migrations: true
          updaters:
            config:
              rhel:
                ignore_unpatched: false
          auth:
            psk:
              key: "NjA1aWhnNWk4MWhqNw=="
              iss: ["quay"]
          metrics:
            name: "prometheus"
        mode: 0664
      notify:
        - restart quay and wait for ready
        - restart clair

    - name: Ensure same TLS trust will be used for Clair as for workstation.
      ansible.builtin.copy:
        src: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
        dest: "{{ ansible_facts['user_dir'] }}/tls-ca-bundle.pem"
        mode: 0664
      notify:
        - restart clair

    - name: Ensure Clair service unit is there.
      ansible.builtin.template:
        dest: "{{ ansible_facts['user_dir'] }}/.config/systemd/user/clair.service"
        src: "templates/clair.service.j2"

    - name: Reload systemd.
      ansible.builtin.systemd_service:
        daemon_reload: yes
        scope: user

    - name: Verify that the vulnerability definitions exist.
      containers.podman.podman_container_exec:
        name: postgresql
        command: psql -d clair -U postgres -t -c 'SELECT COUNT(id) FROM vuln'
      ignore_errors: yes
      register: clair_vuln

    - name: Remember the number of vulnerability definitions in clair.
      ansible.builtin.set_fact:
        clair_nvuln: "{{ clair_vuln.stdout_lines[0] | default(0) | trim | int }}"

    - name: Import clair backup if vulnerabilities seem to be missing.
      block:

        - name: Ensure clair service is stopped.
          ansible.builtin.systemd_service:
            name: clair
            scope: user
            state: stopped

        - name: Ensure clair container is stopped.
          containers.podman.podman_container:
            name: clair
            state: stopped

        - name: Create a temporary pgpass file
          ansible.builtin.copy:
            dest: /tmp/pgpass
            owner: quay
            group: quay
            mode: 0600
            content: |
              postgresql:5432:clair:postgres:verysecret

        - name: Ensure the pgpass file is owned by postgres user of the container.
          become_method: containers.podman.podman_unshare
          become: yes
          ansible.builtin.file:
            path: /tmp/pgpass
            state: file 
            owner: 26

        - name: Run pg_restore in a clair_import container.
          containers.podman.podman_container:
            name: clair_import
            image: "{{ registry_host }}/rhel9/postgresql-15:latest"
            rm: yes
            detach: no
            network:
              - quay
            volumes:
              - /local/backups/clair.backup:/clair.backup:Z
              - /tmp/pgpass:/var/lib/pgsql/.pgpass:Z
            command:
              - pg_restore
              - -dclair
              - -Upostgres
              - -hpostgresql
              - -c
              - /clair.backup
            state: started
          register: clair_import
          ignore_errors: yes
          failed_when: "FATAL" in clair_import.stderr_lines
          # TODO: probably use a regex here

        - debug: var=clair_import

        - name: Restore the ownership of the file.
          become_method: containers.podman.podman_unshare
          become: yes
          ansible.builtin.file:
            path: /tmp/pgpass
            state: file
            owner: 0

        - name: Remove the pgpass file
          ansible.builtin.file:
            path: /tmp/pgpass
            state: absent

      when:
        - clair_nvuln < 5000000

    - name: Enable services and start them.
      ansible.builtin.systemd_service:
        name: clair
        scope: user
        state: started
        enabled: yes

  handlers:
    - name: restart quay
      listen: restart quay and wait for ready
      ansible.builtin.systemd_service:
        name: quay
        scope: user
        state: restarted

    - name: wait for quay to become ready again
      listen: restart quay and wait for ready
      ansible.builtin.uri:
        method: GET
        url: https://registry.ocp4.example.com/
        headers:
          Accept: application/json
          Content-Type: application/json
        validate_certs: no
        status_code:
          - 200
          - 404
          - 502
      register: startup_wait
      until: startup_wait.status == 200
      retries: 30
      delay: 5

    - name: restart clair
      ansible.builtin.systemd_service:
        name: clair
        scope: user
        state: restarted
...