-
Notifications
You must be signed in to change notification settings - Fork 35
/
Copy pathmain.yml
170 lines (147 loc) · 5.86 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
---
- name: "Upload tasks service installation script"
copy:
src: "{{ role_path }}/../../../tasks/install-service"
dest: /run/install-service
mode: preserve
- name: Create custom SELinux policy file contexts
copy:
dest: /tmp/cockpituous.fc
mode: 0644
content: |
/run/podman/podman.sock system_u:object_r:container_file_t:s0
register: selinux_policy_fc
- name: Create custom SELinux policy type enforcements
copy:
dest: /tmp/cockpituous.te
mode: 0644
content: |
module cockpituous 1.0;
require {
type container_t;
type container_file_t;
type container_runtime_t;
type init_t;
class process execheap;
class sock_file { create unlink setattr };
class unix_stream_socket { connectto };
}
# allow systemd to create the socket after changing its type
allow init_t container_file_t:sock_file { create unlink setattr };
# container can access that socket
allow container_t container_runtime_t:unix_stream_socket connectto;
# HACK: See https://github.com/cockpit-project/cockpituous/issues/579
allow container_t self:process execheap;
register: selinux_policy_te
- name: Install custom SELinux rules
shell: |
checkmodule -M -m -o /tmp/cockpituous.mod /tmp/cockpituous.te
semodule_package -o /tmp/cockpituous.pp -m /tmp/cockpituous.mod -f /tmp/cockpituous.fc
# needs to be higher than extra_varrun
semodule -v --priority=500 -i /tmp/cockpituous.pp
when: selinux_policy_fc.changed or selinux_policy_te.changed
# This only applies to RH VPN; make that optional if we ever deploy to public infrastructure
- name: Create npm configuration
copy:
dest: /etc/npmrc
mode: 0644
content: |
registry=https://repository.engineering.redhat.com/nexus/repository/registry.npmjs.org/
fetch-retries=6
fetch-timeout=600000
fetch-retry-mintimeout=60000
maxsockets=3
- name: Create podman.socket drop-in directory
file:
path: /etc/systemd/system/podman.socket.d
state: directory
# idmapped mount would be better, but did not figure out how
- name: Allow access to podman.socket to unprivileged container user
copy:
dest: /etc/systemd/system/podman.socket.d/container-access.conf
mode: 0644
content: |
[Socket]
SocketGroup=cockpituous
- name: Create job-runner configuration
copy:
dest: /etc/job-runner.toml
content: |
[logs]
driver='s3'
[forge.github]
token = [{file="/run/secrets/webhook/.config--github-token"}]
[logs.s3]
# bots lib/stores.py LOG_STORE
url = 'https://cockpit-logs.us-east-1.linodeobjects.com/'
key = [{file="/run/secrets/s3-keys/cockpit-logs.us-east-1.linodeobjects.com"}]
[container]
command = ['podman-remote', '--url=unix:///podman.sock']
run-args = [
# resources
'--device=/dev/kvm',
'--memory=24g',
'--pids-limit=16384',
'--shm-size=1024m',
# qcow overlays on tmpfs
'--tmpfs=/tmp:size=14g',
'--env=TEST_OVERLAY_DIR=/tmp',
# image cache
'--env=COCKPIT_IMAGES_DATA_DIR=/cache/images',
'--volume=/var/cache/cockpit-tasks/images:/cache/images:rw',
# persistent git-utils.sh cache
'--env=XDG_CACHE_HOME=/cache/',
'--volume=cockpituous-git-cache:/cache/cockpit-dev:rw',
# local image stores
'--env=COCKPIT_IMAGE_STORES_FILE=/config/image-stores',
'--volume=/var/cache/cockpit-tasks/image-stores:/config/image-stores:ro',
# generic secrets
'--volume=/var/lib/cockpit-secrets/tasks/npm-registry.crt:/run/secrets/tasks/npm-registry.crt:ro',
# various configuration
'--volume=/etc/npmrc:/etc/npmrc:ro',
'--env=NODE_EXTRA_CA_CERTS=/run/secrets/tasks/npm-registry.crt',
'--env=TEST_JOBS={{ TEST_JOBS | default(8) }}',
# copy git settings from main tasks container
'--env=GIT_COMMITTER_*',
'--env=GIT_AUTHOR_*',
]
[container.secrets]
# these are *host* paths, this is podman-remote
# secret from issue-scan for image refreshes
image-upload=[
'--volume=/var/lib/cockpit-secrets/s3-keys/:/run/secrets/s3-keys:ro',
'--env=COCKPIT_S3_KEY_DIR=/run/secrets/s3-keys',
# password for console.redhat.com when image-create'ing rhel4edge
'--volume=/var/lib/cockpit-secrets/tasks/crc_passwd:/run/secrets/crc_passwd:ro',
'--env=COCKPIT_CRC_PASSWORD=/run/secrets/crc_passwd',
]
# secret from tests-scan for downloading RHEL images
image-download=[
# FIXME: create a new "download only" S3 token
'--volume=/var/lib/cockpit-secrets/s3-keys/:/run/secrets/s3-keys:ro',
'--env=COCKPIT_S3_KEY_DIR=/run/secrets/s3-keys',
]
github-token=[
'--volume=/var/lib/cockpit-secrets/webhook/.config--github-token:/run/secrets/github-token:ro',
'--env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/github-token',
]
fedora-wiki=[
'--volume=/var/lib/cockpit-secrets/tasks/fedora-wiki.json:/run/secrets/fedora-wiki.json:ro',
'--env=COCKPIT_FEDORA_WIKI_TOKEN=/run/secrets/fedora-wiki.json',
]
- name: Create janitor service
copy:
src: "{{ role_path }}/cockpituous-janitor.service"
dest: /etc/systemd/system/cockpituous-janitor.service
mode: preserve
- name: Create janitor timer
copy:
src: "{{ role_path }}/cockpituous-janitor.timer"
dest: /etc/systemd/system/cockpituous-janitor.timer
mode: preserve
- name: Set up systemd service for cockpit/tasks
shell: |
export INSTANCES={{ instances | default(1) }}
export TEST_NOTIFICATION_MX={{ notification_mx | default('') }}
export TEST_NOTIFICATION_TO={{ notification_to | default('') }}
/run/install-service