| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187 |
- ---
- # Tasks required by 10-quay-deploy.adoc.
- - name: Prepare registry VM to run Quay services.
- hosts: registry.ocp4.example.com
- gather_subset: min
- tasks:
- - name: Ensure firewall allows HTTP/HTTPS.
- become: yes
- ansible.posix.firewalld:
- immediate: yes
- permanent: yes
- zone: public
- service: "{{ item }}"
- state: enabled
- loop:
- - http
- - https
- - name: Ensure unpriv users can open ports from 80 onwards.
- become: yes
- ansible.posix.sysctl:
- name: net.ipv4.ip_unprivileged_port_start
- value: "80"
- state: present
- sysctl_file: /etc/sysctl.d/quay-low-ports.conf
- reload: yes
- - name: Ensure user quay exists.
- become: yes
- ansible.builtin.user:
- name: quay
- create_home: yes
- state: present
- - name: Have the quay user accept student's SSH key.
- become: yes
- ansible.posix.authorized_key:
- key: "{{ lookup('ansible.builtin.file', '/home/student/.ssh/lab_rsa.pub') }}"
- user: quay
- state: present
- - name: Ensure user quay will linger.
- become: yes
- ansible.builtin.command:
- cmd: loginctl enable-linger quay
- creates: /var/lib/systemd/linger/quay
- - name: Ensure PG data directory is there.
- become: yes
- ansible.builtin.file:
- path: /local/quay-pg
- mode: 0770
- owner: quay
- group: quay
- state: directory
- - name: Ensure .docker directory is there
- become: yes
- ansible.builtin.file:
- path: "/home/quay/.docker"
- mode: 0700
- owner: quay
- group: quay
- state: directory
- # TODO: figure out how to customise this with registry host changes
- - name: Ensure podman will be able to log into the upstream registry
- become: yes
- ansible.builtin.copy:
- dest: "/home/quay/.docker/config.json"
- content: |
- {"auths":{"registry.redhat.io":{"auth":"fHVoYy1wb29sLTlmMDA1Mzc2LTM2YTItNDJhMS1hNTQwLTA0NzNkYzg3MzYzMzpleUpoYkdjaU9pSlNVelV4TWlKOS5leUp6ZFdJaU9pSTVPRGc1WVdFeFl6Qm1PV0kwWmpVM1lqazNObUk1WldFeU16SXdaalUwTUNKOS5zWmQ5VE1RbzBXREc2NUc5Qk1ObmtuYlBjRkIzNmhyRFhkMThfdTNLeHFaczdlOG1hQ19QeEFReGpwdVk0YVM2VERIbkxDNWpGYjRRNXFYVEpWbjJCOGE4cDFuY08tM24ySG5QdDg3NmktVUFDU3lldWtpb3k4aHI0V3d1ZkhReFVYMmxxWFhYdjN6blE3am1URUNBc25rWkNRSFU1dFNpRnNUZHhFZGZkeU42Z20xN3VqY2thZG5NbFBZcTZfU1I2bUtLaUpUdFQ3SFlDWXJBVk5zZ0tfNGFkZ2MtRXBlbEtHbGNERWkzNGhYbzFqbEIzRERyUWkxSUxCV0UwZkdXb1czZy1ZUzFGMFlEXzc0bm1XSU5mUE1jM25UOERaQWl0OEw0VlFPTnZnUE51YnVfTVVGUGhqX29VUjF3VUR0a1BRNktJdm82UWYyRkdwMndLM1B6YnRBRFFzRVZTZDlITzQ3a0RKdGFobk95YTFmRmdqZVk1bFNxLW1vT2RqUldCZ3U2XzNIX25lZExJR1lQRHRBZnp5cGJ1eHZ1cEd1M2hYWnVzeWN0aURtR203SkR5RW5KdjF1RFZmYVduU2EzSV9NcFRSVVcyZWU1RF9CanJleTdlU2I0bEpGcmp1eC1nY2JVaHFsWGJZc2l6azdXWHpvRmtrVFlMdXFDQ1FvS1J0OFdSN1UzTmh3c3Q2ckV3eEFOaWJFTlNzUVB3MGg4X0NDRm5qTHFSTl82cWpTc0tpeWRGT2tHVFliT0taTktaSVVhYkZFTjRhYVRVYmlYTVdPS2Eyak1xLUhwazBMNEowUmtOM2JkQVVqWmtERHE0ZFY1ZVFjdXNIeV9LY29nd1VKSjZ4MDNObnM4b0xBdjRJZ3RKeXlxcmE1YUJHSkxReHNjRXVSNzQwWQ=="}}}
- mode: 0600
- owner: quay
- group: quay
- - name: Configure containers and their environment on registry VM.
- hosts: registry.ocp4.example.com
- gather_subset: min
- remote_user: quay
- tasks:
- - name: Create a podman network, if necessary.
- containers.podman.podman_network:
- name: quay
- state: present
- - name: Pull all the images if necessary.
- containers.podman.podman_image:
- name: "{{ registry_host }}/{{ item }}"
- pull: yes
- state: present
- loop:
- - rhel9/postgresql-15:latest
- - rhel9/redis-7:latest
- # TODO: recursive!
- - name: Ensure PG datadir is owned by the correct user.
- become_method: containers.podman.podman_unshare
- become: yes
- ansible.builtin.file:
- path: /local/quay-pg
- state: directory
- owner: 26
- mode: 0770
- - name: Start postgres container if necessary.
- containers.podman.podman_container:
- name: postgresql
- image: "{{ registry_host }}/rhel9/postgresql-15:latest"
- rm: yes
- detach: yes
- env:
- POSTGRESQL_USER: quay
- POSTGRESQL_PASSWORD: secret
- POSTGRESQL_DATABASE: quay
- POSTGRESQL_ADMIN_PASSWORD: verysecret
- network:
- - quay
- volumes:
- - /local/quay-pg:/var/lib/pgsql/data:Z
- state: started
- register: pg_started
- - name: Wait for the PostgreSQL container to become ready if it was changed in any way.
- containers.podman.podman_container_info:
- name: postgresql
- when: pg_started.changed
- register: pg_info
- until: pg_info.containers[0].State.Running
- retries: 12
- delay: 5
- - name: Wait for the server inside container to start up.
- containers.podman.podman_container_exec:
- name: postgresql
- command: 'psql -d quay -U postgres -c "SELECT 1"'
- when: pg_started.changed
- changed_when: no
- register: pg_rdy
- until: pg_rdy.rc == 0
- retries: 10
- delay: 3
- - name: Create the trigram extension if necessary.
- containers.podman.podman_container_exec:
- name: postgresql
- command: 'psql -d quay -U postgres -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"'
- register: pg_ext
- changed_when:
- - not "already exists" in pg_ext.stderr
- - name: If we started the PG container and created the extension, stop the container now.
- containers.podman.podman_container:
- name: postgresql
- state: stopped
- when:
- - pg_started.changed
- - pg_ext.changed
- - name: Ensure systemd user dir is there.
- ansible.builtin.file:
- path: "{{ ansible_facts['user_dir'] }}/.config/systemd/user"
- state: directory
- - name: Deploy service units.
- ansible.builtin.template:
- dest: "{{ ansible_facts['user_dir'] }}/.config/systemd/user/{{ item }}"
- src: "templates/{{ item }}.j2"
- loop:
- - quay-pg.service
- - quay-redis.service
- - name: Reload systemd.
- ansible.builtin.systemd_service:
- daemon_reload: yes
- scope: user
- - name: Enable services and start them.
- ansible.builtin.systemd_service:
- name: "{{ item }}"
- scope: user
- state: started
- enabled: yes
- loop:
- - quay-pg
- - quay-redis
- ...
|
