From 230039a0362a91ad9295bc1d6119152d54b04da6 Mon Sep 17 00:00:00 2001 From: Leopold Talirz Date: Thu, 20 Jan 2022 15:32:42 +0100 Subject: [PATCH 1/5] test role via molecule Add continuous integration tests via the `molecule` package that run on Github actions. --- .github/workflows/ci.yml | 65 +++++++++++++++++++++++++++++++++++ defaults/main.yml | 2 +- molecule/default/converge.yml | 18 ++++++++++ molecule/default/molecule.yml | 20 +++++++++++ molecule/default/verify.yml | 9 +++++ requirements.txt | 4 +++ 6 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/ci.yml create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/verify.yml create mode 100644 requirements.txt diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..d552555 --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,65 @@ +--- + +name: CI + +on: + push: + pull_request: + +env: + galaxy-name: "cvmfs_contrib.cvmfs_client" + +jobs: + + molecule: + runs-on: ubuntu-latest + + strategy: + matrix: + distro: [centos8] + fail-fast: false + + steps: + + - uses: actions/checkout@v2 + with: + path: ${{ env.galaxy-name }} + + - name: Set up Python 3.8 + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Upgrade pip + run: | + pip install --upgrade pip wheel + pip --version + + - name: Install requirements + run: | + pip install --use-feature=2020-resolver -r requirements.txt + working-directory: ${{ env.galaxy-name }} + + # See https://github.com/geerlingguy/raspberry-pi-dramble/issues/166 + - name: Force GitHub Actions' docker daemon to use vfs. + run: | + sudo systemctl stop docker + echo '{"cgroup-parent":"/actions_job","storage-driver":"vfs"}' | sudo tee /etc/docker/daemon.json + sudo systemctl start docker + + - name: Run molecule + run: molecule test + working-directory: ${{ env.galaxy-name }} + env: + MOLECULE_DISTRO: ${{ matrix.distro }} + + # release: + # name: Publish to ansible-galaxy + # if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') + # needs: [pre-commit, molecule] + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v2 + # - uses: robertdebock/galaxy-action@1.0.3 + # with: + # galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} diff --git a/defaults/main.yml b/defaults/main.yml index 5866d0f..645e851 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
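Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN keeps the repository's default scopes while it installs PyPI packages and runs a third-party container image. A top-level `permissions:` with `contents: read` underneath is enough for the checkout and the molecule run. `actions/checkout@v2` and `actions/setup-python@v2` are referenced by mutable tags; pinning each to a full commit SHA (`uses: actions/checkout@<commit-sha>`) keeps a retagged release from changing what executes here. The commented-out release job lists `needs: [pre-commit, molecule]`, but no `pre-commit` job is defined in this file.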
@@ -30,7 +30,7 @@ cvmfs_force_unmount: false # according to cvmfs_client_pv_name, cvmfs_client_vg_name, and # cvmfs_client_lv_name as described below. If false, you will need to # configure the cache storage yourself instead, and also ensure it is the required size. -cvmfs_client_configure_storage: true +cvmfs_client_configure_storage: false # If this block device name is defined, then a volume group, logical volume, and filesystem will be created on it. # If it is not defined, then a volume group is assumed to already exist and will be used instead. diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..50140fa --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,18 @@ +--- + +- name: Converge + hosts: all + become: true + + pre_tasks: + - name: Update apt cache. + apt: update_cache=yes cache_valid_time=600 + when: ansible_os_family == 'Debian' + + roles: + - role: cvmfs_contrib.cvmfs_client + vars: + cvmfs_cache_size: "1000" # small cache size for CI + cvmfs_http_proxy: "DIRECT" + cvmfs_configuration: + - "cvmfs-config-computecanada" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..cc1d989 --- /dev/null +++ b/molecule/default/molecule.yml @@ -0,0 +1,20 @@ +--- + +dependency: + name: galaxy + options: + role-file: ansible-role-requirements.yml +driver: + name: docker +platforms: +- name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu1804}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + playbooks: + converge: converge.yml diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..029c2e6 --- /dev/null +++ b/molecule/default/verify.yml 
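Review bot: Changing `cvmfs_client_configure_storage` to `false` in defaults/main.yml alters behaviour for every consumer of the role, not only the CI scenario, and the commit message does not mention it. PATCH 2/5 restores `true` and sets the override in molecule/default/converge.yml, but the defaults/main.yml hunk in PATCH 3/5 flips it to `false` again, so the series ends with the new default. If the flip in 3/5 is a rebase leftover, drop that hunk and keep `cvmfs_client_configure_storage: true`. If it is intended, it deserves its own commit and a note for users who rely on the role creating the cache volume.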
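Review bot: In molecule/default/molecule.yml the platform combines `privileged: true` with `image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu1804}-ansible:latest"`, a floating tag on a third-party image. The content of a container that runs with full capabilities on the runner can therefore change between runs without any change in this repository. Because the image name is templated per distro, pinning needs a per-distro digest, for example an image variable set from the CI matrix that ends in `@sha256:<digest>`. A comment such as `# privileged: presumably needed for systemd and the CVMFS FUSE/autofs mounts` would record why the flag is there. `role-file: ansible-role-requirements.yml` names a file that is not added anywhere in this series; confirm it already exists in the repository.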
@@ -0,0 +1,9 @@ +--- + +- name: Verify + hosts: all + become: true + + tasks: + - name: Test loading the Compute Canda module environment + shell: source /cvmfs/soft.computecanada.ca/config/profile/bash.sh diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..07e9196 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,4 @@ +# for running tests +molecule[docker]~=3.3.0 +docker~=4.4.4 +ansible~=4.8.0 From bd7574a39afbcec3ee5e0043cfa474d137f0ec41 Mon Sep 17 00:00:00 2001 From: Leopold Talirz Date: Sat, 22 Jan 2022 01:15:56 +0100 Subject: [PATCH 2/5] undo change of default value --- defaults/main.yml | 2 +- molecule/default/converge.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 645e851..5866d0f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -30,7 +30,7 @@ cvmfs_force_unmount: false # according to cvmfs_client_pv_name, cvmfs_client_vg_name, and # cvmfs_client_lv_name as described below. If false, you will need to # configure the cache storage yourself instead, and also ensure it is the required size. -cvmfs_client_configure_storage: false +cvmfs_client_configure_storage: true # If this block device name is defined, then a volume group, logical volume, and filesystem will be created on it. # If it is not defined, then a volume group is assumed to already exist and will be used instead. diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 50140fa..c1d1c6b 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -12,6 +12,7 @@ roles: - role: cvmfs_contrib.cvmfs_client vars: + cvmfs_client_configure_storage: false cvmfs_cache_size: "1000" # small cache size for CI cvmfs_http_proxy: "DIRECT" cvmfs_configuration: From 020a7a15fea8803531a3e765878de3b03953d885 Mon Sep 17 00:00:00 2001 
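Review bot: The verify task in molecule/default/verify.yml uses `shell: source /cvmfs/...`, which runs under `/bin/sh` unless an executable is given, and `source` is a bash builtin. The task fails wherever `/bin/sh` is dash, as on stock Ubuntu, which matters once PATCH 4/5 adds `ubuntu2004` to the matrix. Add `args:` with `executable: /bin/bash` under the task, plus `changed_when: false` since this is a read-only check. The task name has a typo: `Compute Canda` should read `Compute Canada`.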
From: Leopold Talirz Date: Thu, 20 Jan 2022 15:32:42 +0100 Subject: [PATCH 3/5] test role via molecule Add continuous integration tests via the `molecule` package that run on Github actions. --- .github/workflows/ci.yml | 1 - defaults/main.yml | 2 +- molecule/default/converge.yml | 1 - molecule/default/molecule.yml | 1 - molecule/default/verify.yml | 1 - tasks/test.yml | 2 -- 6 files changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d552555..7501f8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,4 @@ --- - name: CI on: diff --git a/defaults/main.yml b/defaults/main.yml index 5866d0f..645e851 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -30,7 +30,7 @@ cvmfs_force_unmount: false # according to cvmfs_client_pv_name, cvmfs_client_vg_name, and # cvmfs_client_lv_name as described below. If false, you will need to # configure the cache storage yourself instead, and also ensure it is the required size. -cvmfs_client_configure_storage: true +cvmfs_client_configure_storage: false # If this block device name is defined, then a volume group, logical volume, and filesystem will be created on it. # If it is not defined, then a volume group is assumed to already exist and will be used instead. diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index c1d1c6b..904f113 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -1,5 +1,4 @@ --- - - name: Converge hosts: all become: true diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index cc1d989..fa916a5 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -1,5 +1,4 @@ --- - dependency: name: galaxy options: diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 029c2e6..754eb99 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml 
@@ -1,5 +1,4 @@ --- - - name: Verify hosts: all become: true diff --git a/tasks/test.yml b/tasks/test.yml index fd24a41..3cc99df 100644 --- a/tasks/test.yml +++ b/tasks/test.yml @@ -1,5 +1,3 @@ ---- - # TODO improve this: it may print warnings, but the output is not shown - name: CVMFS check setup command: /usr/bin/cvmfs_config chksetup From 47ee4a9f496d0f004373e9b0e05794c6c48c8553 Mon Sep 17 00:00:00 2001 From: Leopold Talirz Date: Thu, 20 Jan 2022 18:59:33 +0100 Subject: [PATCH 4/5] dirty commit --- .github/workflows/ci.yml | 4 ++- tasks/debian.yml | 61 ++++++++++++++++++++++++++++++++++++++++ tasks/keys.yml | 26 ----------------- tasks/main.yml | 5 ++-- tasks/packages.yml | 7 ----- tasks/yum.yml | 28 ------------------ 6 files changed, 66 insertions(+), 65 deletions(-) create mode 100644 tasks/debian.yml delete mode 100644 tasks/keys.yml delete mode 100644 tasks/packages.yml delete mode 100644 tasks/yum.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7501f8e..2ccb6df 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,7 +15,9 @@ jobs: strategy: matrix: - distro: [centos8] + distro: + - centos8 + - ubuntu2004 fail-fast: false steps: diff --git a/tasks/debian.yml b/tasks/debian.yml new file mode 100644 index 0000000..53ca23f --- /dev/null +++ b/tasks/debian.yml 
@@ -0,0 +1,61 @@ + +--- + +# The CERNVM GPG key is the trust anchor for the secure installation of the CVMFS client. +# +# The Compute Canada CVMFS GPG key is the trust anchor for the secure distribution of the Compute Canada software stack (and other content), as follows: +# - the Compute Canada CVMFS GPG key verifies the authenticity of the computecanada-release RPM +# - the computecanada-release RPM configures a yum repository which distributes the cvmfs-config-computecanada RPM +# - the cvmfs-config-computecanada RPM contains the public CVMFS key for the cvmfs-config.computecanada.ca CVMFS configuration repository +# - the CVMFS configuration repository contains the public CVMFS keys for all other Compute Canada CVMFS repositories +# - the other CVMFS repositories contain all Compute Canada software (and other content) + +- name: Install CernVM GPG key + apt_key: + key: https://cvmrepo.web.cern.ch/cvmrepo/apt/cernvm.gpg + state: present + validate_certs: yes + fingerprint: "70B9 8904 8820 8E31 5ED4 5208 230D 389D 8AE4 5CE7" + +# Also available at https://git.computecanada.ca/cc-cvmfs-public/cvmfs-config/raw/master/RPM-GPG-KEY-CC-CVMFS-1 +- name: Install Compute Canada CVMFS GPG key + apt_key: + key: https://package.computecanada.ca/yum/cc-cvmfs-public/RPM-GPG-KEY-CC-CVMFS-1 + state: present + validate_certs: yes + fingerprint: "C0C4 0F04 70A3 6AF2 7CC4 4D5A 3B9F C55A CF21 4CFC" + when: '"cvmfs-config-computecanada" in cvmfs_configuration' + +# Target hosts will need internet access anyway to install the actual packages via yum, so we might as well +# install the yum config from the internet as well - if a version is not already installed. +# There is no benefit to abstracting this with the yum_repository module, and doing so would break idempotence +# because these packages update themselves via their own yum repositories. 
+ +- name: Install CernVM apt repository + yum: + name: https://ecsft.cern.ch/dist/cvmfs/cvmfs-release/cvmfs-release-latest_all.deb + state: present + validate_certs: yes + when: ansible_facts.packages['cvmfs-release'] is not defined + +- name: Install Compute Canada apt repository + yum: + name: https://package.computecanada.ca/yum/cc-cvmfs-public/prod/RPM/computecanada-release-latest.noarch.rpm + state: present + validate_certs: yes + when: + - '"cvmfs-config-computecanada" in cvmfs_configuration' + - ansible_facts.packages['computecanada-release'] is not defined + +- name: Install other prerequisite packages + yum: + name: [ 'lvm2' ] + when: cvmfs_client_configure_storage | bool + + +- name: Install CVMFS client and configuration packages + yum: + name: "['cvmfs'] + {{ cvmfs_auto_setup_package }} + {{ cvmfs_configuration }}" + vars: + cvmfs_auto_setup_package: "{{ ['cvmfs-auto-setup'] if cvmfs_auto_setup|bool else [] }}" + diff --git a/tasks/keys.yml b/tasks/keys.yml deleted file mode 100644 index fc5f80f..0000000 --- a/tasks/keys.yml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- - -# The CERNVM GPG key is the trust anchor for the secure installation of the CVMFS client. -# -# The Compute Canada CVMFS GPG key is the trust anchor for the secure distribution of the Compute Canada software stack (and other content), as follows: -# - the Compute Canada CVMFS GPG key verifies the authenticity of the computecanada-release RPM -# - the computecanada-release RPM configures a yum repository which distributes the cvmfs-config-computecanada RPM -# - the cvmfs-config-computecanada RPM contains the public CVMFS key for the cvmfs-config.computecanada.ca CVMFS configuration repository -# - the CVMFS configuration repository contains the public CVMFS keys for all other Compute Canada CVMFS repositories -# - the other CVMFS repositories contain all Compute Canada software (and other content) - -- name: Install CernVM GPG key - rpm_key: - key: https://cvmrepo.web.cern.ch/cvmrepo/yum/RPM-GPG-KEY-CernVM - state: present - validate_certs: yes - fingerprint: "70B9 8904 8820 8E31 5ED4 5208 230D 389D 8AE4 5CE7" - -# Also available at https://git.computecanada.ca/cc-cvmfs-public/cvmfs-config/raw/master/RPM-GPG-KEY-CC-CVMFS-1 -- name: Install Compute Canada CVMFS GPG key - rpm_key: - key: https://package.computecanada.ca/yum/cc-cvmfs-public/RPM-GPG-KEY-CC-CVMFS-1 - state: present - validate_certs: yes - fingerprint: "C0C4 0F04 70A3 6AF2 7CC4 4D5A 3B9F C55A CF21 4CFC" - when: '"cvmfs-config-computecanada" in cvmfs_configuration' diff --git a/tasks/main.yml b/tasks/main.yml index 4fb9fcd..993e974 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -6,11 +6,10 @@ tags: - yum -- { import_tasks: keys.yml, tags: ['cvmfs', 'keys'] } -- { import_tasks: yum.yml, tags: ['cvmfs', 'yum'] } - { import_tasks: users.yml, tags: ['cvmfs', 'users'] } - { import_tasks: storage.yml, tags: ['cvmfs', 'storage'], when: cvmfs_client_configure_storage | bool } -- { import_tasks: packages.yml, tags: ['cvmfs', 'packages'] } +- { import_tasks: redhat.yml, tags: ['cvmfs', 'packages','keys','yum'], when: ansible_os_family == 'RedHat' } +- { import_tasks: debian.yml, tags: ['cvmfs', 'packages','keys','apt'], when: ansible_os_family == 'Debian' } - { import_tasks: config.yml, tags: ['cvmfs', 'config'] } - { import_tasks: test.yml, tags: ['cvmfs', 'test'] } diff --git a/tasks/packages.yml b/tasks/packages.yml deleted file mode 100644 index aace0ca..0000000 --- a/tasks/packages.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: Install CVMFS client and configuration packages - yum: - name: "['cvmfs'] + {{ cvmfs_auto_setup_package }} + {{ cvmfs_configuration }}" - vars: - cvmfs_auto_setup_package: "{{ ['cvmfs-auto-setup'] if cvmfs_auto_setup|bool else [] }}" diff --git a/tasks/yum.yml b/tasks/yum.yml deleted file mode 100644 index 02daba3..0000000 --- a/tasks/yum.yml +++ /dev/null 
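Review bot: `import_tasks: redhat.yml` in tasks/main.yml names a file this commit does not add. keys.yml, yum.yml and packages.yml are deleted here and tasks/redhat.yml only appears in PATCH 5/5, so the static import cannot be resolved and the role does not load at this commit. tasks/debian.yml in the same commit also still calls `yum:` for every install and passes `key:`/`fingerprint:` to `apt_key`. Squashing this commit into PATCH 5/5 would keep every commit in the series runnable for bisecting. The tag lists are also spaced inconsistently (`'packages','keys','yum'` next to `'cvmfs', 'users'`).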
@@ -1,28 +0,0 @@ ---- - -# Target hosts will need internet access anyway to install the actual packages via yum, so we might as well -# install the yum config from the internet as well - if a version is not already installed. -# There is no benefit to abstracting this with the yum_repository module, and doing so would break idempotence -# because these packages update themselves via their own yum repositories. - -- name: Install CernVM yum repository - yum: - name: https://ecsft.cern.ch/dist/cvmfs/cvmfs-release/cvmfs-release-latest.noarch.rpm - state: present - validate_certs: yes - when: ansible_facts.packages['cvmfs-release'] is not defined - -- name: Install Compute Canada yum repository - yum: - name: https://package.computecanada.ca/yum/cc-cvmfs-public/prod/RPM/computecanada-release-latest.noarch.rpm - state: present - validate_certs: yes - when: - - '"cvmfs-config-computecanada" in cvmfs_configuration' - - ansible_facts.packages['computecanada-release'] is not defined - -- name: Install other prerequisite packages - yum: - name: [ 'lvm2' ] - when: cvmfs_client_configure_storage | bool - From 604e1d6a74472ac1c5c02ed0f04f4c3b446ede3c Mon Sep 17 00:00:00 2001 From: Leopold Talirz Date: Thu, 20 Jan 2022 19:24:46 +0100 Subject: [PATCH 5/5] add debian support * seems apt_key has no fingerprints * add gpg-agent for ubuntu * update apt cache * reload autofs service * run config --- meta/main.yml | 4 +++ tasks/config.yml | 6 +++++ tasks/debian.yml | 65 +++++++++++++++++++++++++----------------------- tasks/main.yml | 2 +- tasks/redhat.yml | 58 ++++++++++++++++++++++++++++++++++++++++++ tasks/test.yml | 1 - 6 files changed, 103 insertions(+), 33 deletions(-) create mode 100644 tasks/redhat.yml diff --git a/meta/main.yml b/meta/main.yml index b15b917..a7c0999 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -51,6 +51,10 @@ galaxy_info: versions: - 6 - 7 + - 8 + - name: Ubuntu + versions: + - bionic galaxy_tags: [] # List tags for your role here, one per line. A tag is a keyword that describes diff --git a/tasks/config.yml b/tasks/config.yml index 9af603d..4f48067 100644 --- a/tasks/config.yml +++ b/tasks/config.yml @@ -8,6 +8,7 @@ owner: "root" group: "root" mode: "0644" + register: cvmfs_config_file - name: Set autofs timeout ansible.builtin.lineinfile: @@ -27,3 +28,8 @@ state: "{% if not cvmfs_auto_setup %}mounted{% elif cvmfs_force_unmount %}absent{% endif %}" when: (not cvmfs_auto_setup) or (cvmfs_force_unmount) loop: "{{ cvmfs_repositories }}" + +# cvmfs-auto-setup package not available for Debian so we have to run it manually... +- name: Configure AutoFS + command: cvmfs_config setup + when: cvmfs_config_file.changed and ansible_os_family == 'Debian' \ No newline at end of file diff --git a/tasks/debian.yml b/tasks/debian.yml index 53ca23f..7864028 100644 --- a/tasks/debian.yml +++ b/tasks/debian.yml 
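Review bot: The new Ubuntu entry in meta/main.yml lists only `bionic`, while the CI matrix from PATCH 4/5 exercises `ubuntu2004` (focal) and no matrix entry covers bionic. Either add `- focal` under `versions:` or add a bionic image to the matrix, so the advertised platforms match what is tested.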
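Review bot: The `Configure AutoFS` task added at the end of tasks/config.yml runs `cvmfs_config setup` on every Debian host whose config file changed, regardless of `cvmfs_auto_setup`, although its comment presents it as the stand-in for the cvmfs-auto-setup package. Hosts with `cvmfs_auto_setup` set to false, which the mount task just above handles separately, would still get autofs reconfigured. Consider a list condition: `- cvmfs_auto_setup | bool`, `- ansible_os_family == 'Debian'`, `- cvmfs_config_file is changed`. Because the task is keyed on `changed`, a run that aborts right after the config file is written never retries the setup; a handler would express this more idiomatically. The file also loses its trailing newline.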
@@ -1,61 +1,64 @@ - ---- - # The CERNVM GPG key is the trust anchor for the secure installation of the CVMFS client. # # The Compute Canada CVMFS GPG key is the trust anchor for the secure distribution of the Compute Canada software stack (and other content), as follows: # - the Compute Canada CVMFS GPG key verifies the authenticity of the computecanada-release RPM -# - the computecanada-release RPM configures a yum repository which distributes the cvmfs-config-computecanada RPM -# - the cvmfs-config-computecanada RPM contains the public CVMFS key for the cvmfs-config.computecanada.ca CVMFS configuration repository +# - the computecanada-release configures an apt repository which distributes the cvmfs-config-computecanada deb +# - the cvmfs-config-computecanada deb contains the public CVMFS key for the cvmfs-config.computecanada.ca CVMFS configuration repository # - the CVMFS configuration repository contains the public CVMFS keys for all other Compute Canada CVMFS repositories # - the other CVMFS repositories contain all Compute Canada software (and other content) +- name: Install gpg agent + apt: + name: ['gpg-agent'] + - name: Install CernVM GPG key apt_key: - key: https://cvmrepo.web.cern.ch/cvmrepo/apt/cernvm.gpg + url: https://cvmrepo.web.cern.ch/cvmrepo/apt/cernvm.gpg state: present validate_certs: yes - fingerprint: "70B9 8904 8820 8E31 5ED4 5208 230D 389D 8AE4 5CE7" # Also available at https://git.computecanada.ca/cc-cvmfs-public/cvmfs-config/raw/master/RPM-GPG-KEY-CC-CVMFS-1 - name: Install Compute Canada CVMFS GPG key apt_key: - key: https://package.computecanada.ca/yum/cc-cvmfs-public/RPM-GPG-KEY-CC-CVMFS-1 + url: https://package.computecanada.ca/yum/cc-cvmfs-public/RPM-GPG-KEY-CC-CVMFS-1 state: present validate_certs: yes - fingerprint: "C0C4 0F04 70A3 6AF2 7CC4 4D5A 3B9F C55A CF21 4CFC" when: '"cvmfs-config-computecanada" in cvmfs_configuration' -# Target hosts will need internet access anyway to install the actual packages via yum, so we might as 
well -# install the yum config from the internet as well - if a version is not already installed. -# There is no benefit to abstracting this with the yum_repository module, and doing so would break idempotence -# because these packages update themselves via their own yum repositories. +# Target hosts will need internet access anyway to install the actual packages via apt, so we might as well +# install the apt config from the internet as well - if a version is not already installed. +# There is no benefit to abstracting this with the apt_repository module, and doing so would break idempotence +# because these packages update themselves via their own apt repositories. - name: Install CernVM apt repository - yum: - name: https://ecsft.cern.ch/dist/cvmfs/cvmfs-release/cvmfs-release-latest_all.deb + apt: + deb: https://ecsft.cern.ch/dist/cvmfs/cvmfs-release/cvmfs-release-latest_all.deb state: present - validate_certs: yes when: ansible_facts.packages['cvmfs-release'] is not defined -- name: Install Compute Canada apt repository - yum: - name: https://package.computecanada.ca/yum/cc-cvmfs-public/prod/RPM/computecanada-release-latest.noarch.rpm - state: present - validate_certs: yes +# Todo: repository configuration for apt missing +# - name: Install Compute Canada apt repository +# apt: +# name: https://package.computecanada.ca/yum/cc-cvmfs-public/prod/other/computecanada-release-latest.noarch.rpm +# state: present +# validate_certs: yes +# when: +# - '"cvmfs-config-computecanada" in cvmfs_configuration' +# - ansible_facts.packages['computecanada-release'] is not defined + +# This task can be removed once the Compute Canada apt repository is configured +- name: Workaround - install compute canada config package directly from URL + apt: + deb: "https://package.computecanada.ca/yum/cc-cvmfs-public/prod/other/cvmfs-config-computecanada-latest.all.deb" + update_cache: true when: - - '"cvmfs-config-computecanada" in cvmfs_configuration' - - 
ansible_facts.packages['computecanada-release'] is not defined + - '"cvmfs-config-computecanada" in cvmfs_configuration' - name: Install other prerequisite packages - yum: - name: [ 'lvm2' ] + apt: + name: ['lvm2'] when: cvmfs_client_configure_storage | bool - - name: Install CVMFS client and configuration packages - yum: - name: "['cvmfs'] + {{ cvmfs_auto_setup_package }} + {{ cvmfs_configuration }}" - vars: - cvmfs_auto_setup_package: "{{ ['cvmfs-auto-setup'] if cvmfs_auto_setup|bool else [] }}" - + apt: + name: "['cvmfs'] + {{ cvmfs_configuration }}" \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 993e974..13174a6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -5,6 +5,7 @@ check_mode: no tags: - yum + - apt - { import_tasks: users.yml, tags: ['cvmfs', 'users'] } - { import_tasks: storage.yml, tags: ['cvmfs', 'storage'], when: cvmfs_client_configure_storage | bool } @@ -12,4 +13,3 @@ - { import_tasks: debian.yml, tags: ['cvmfs', 'packages','keys','apt'], when: ansible_os_family == 'Debian' } - { import_tasks: config.yml, tags: ['cvmfs', 'config'] } - { import_tasks: test.yml, tags: ['cvmfs', 'test'] } - diff --git a/tasks/redhat.yml b/tasks/redhat.yml new file mode 100644 index 0000000..9bca6f6 --- /dev/null +++ b/tasks/redhat.yml 
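Review bot: Both `apt_key` tasks in tasks/debian.yml now fetch from `url:` with no pin, so whatever those HTTPS endpoints serve is added to apt's trusted keyring, whereas tasks/redhat.yml keeps `fingerprint:` on the corresponding keys. `apt_key` has no `fingerprint:` option but it does accept `id:`. Setting `id:` to the expected key id (the fingerprint from the RedHat tasks without spaces, if the apt key is the same key) restores a check, or the key can be fetched with `get_url` and a `checksum:`. The two `apt: deb: https://...` tasks install `-latest` packages straight from a URL, and the cvmfs-config-computecanada one carries the CVMFS public keys that the header comment describes as the trust chain. As far as I can tell nothing on this path verifies those downloads against the imported GPG keys, so the header comment (which still mentions the computecanada-release RPM) overstates what the Debian path enforces and should say so until the apt repository is configured.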
@@ -0,0 +1,58 @@ +--- + +# The CERNVM GPG key is the trust anchor for the secure installation of the CVMFS client. +# +# The Compute Canada CVMFS GPG key is the trust anchor for the secure distribution of the Compute Canada software stack (and other content), as follows: +# - the Compute Canada CVMFS GPG key verifies the authenticity of the computecanada-release RPM +# - the computecanada-release RPM configures a yum repository which distributes the cvmfs-config-computecanada RPM +# - the cvmfs-config-computecanada RPM contains the public CVMFS key for the cvmfs-config.computecanada.ca CVMFS configuration repository +# - the CVMFS configuration repository contains the public CVMFS keys for all other Compute Canada CVMFS repositories +# - the other CVMFS repositories contain all Compute Canada software (and other content) + +- name: Install CernVM GPG key + rpm_key: + key: https://cvmrepo.web.cern.ch/cvmrepo/yum/RPM-GPG-KEY-CernVM + state: present + validate_certs: yes + fingerprint: "70B9 8904 8820 8E31 5ED4 5208 230D 389D 8AE4 5CE7" + +# Also available at https://git.computecanada.ca/cc-cvmfs-public/cvmfs-config/raw/master/RPM-GPG-KEY-CC-CVMFS-1 +- name: Install Compute Canada CVMFS GPG key + rpm_key: + key: https://package.computecanada.ca/yum/cc-cvmfs-public/RPM-GPG-KEY-CC-CVMFS-1 + state: present + validate_certs: yes + fingerprint: "C0C4 0F04 70A3 6AF2 7CC4 4D5A 3B9F C55A CF21 4CFC" + when: '"cvmfs-config-computecanada" in cvmfs_configuration' + +# Target hosts will need internet access anyway to install the actual packages via yum, so we might as well +# install the yum config from the internet as well - if a version is not already installed. +# There is no benefit to abstracting this with the yum_repository module, and doing so would break idempotence +# because these packages update themselves via their own yum repositories. 
+ +- name: Install CernVM yum repository + yum: + name: https://ecsft.cern.ch/dist/cvmfs/cvmfs-release/cvmfs-release-latest.noarch.rpm + state: present + validate_certs: yes + when: ansible_facts.packages['cvmfs-release'] is not defined + +- name: Install Compute Canada yum repository + yum: + name: https://package.computecanada.ca/yum/cc-cvmfs-public/prod/RPM/computecanada-release-latest.noarch.rpm + state: present + validate_certs: yes + when: + - '"cvmfs-config-computecanada" in cvmfs_configuration' + - ansible_facts.packages['computecanada-release'] is not defined + +- name: Install other prerequisite packages + yum: + name: [ 'lvm2' ] + when: cvmfs_client_configure_storage | bool + +- name: Install CVMFS client and configuration packages + yum: + name: "['cvmfs'] + {{ cvmfs_auto_setup_package }} + {{ cvmfs_configuration }}" + vars: + cvmfs_auto_setup_package: "{{ ['cvmfs-auto-setup'] if cvmfs_auto_setup|bool else [] }}" diff --git a/tasks/test.yml b/tasks/test.yml index 3cc99df..87b2bca 100644 --- a/tasks/test.yml +++ b/tasks/test.yml @@ -7,4 +7,3 @@ command: /usr/bin/cvmfs_config probe changed_when: false check_mode: no -
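Review bot: The final task of tasks/redhat.yml passes `name: "['cvmfs'] + {{ cvmfs_auto_setup_package }} + {{ cvmfs_configuration }}"`, which renders a string and relies on Ansible turning that string back into a list. Keeping the whole expression inside one template preserves the list type: `name: "{{ ['cvmfs'] + cvmfs_auto_setup_package + cvmfs_configuration }}"`. The same construct appears in the last task of tasks/debian.yml in this commit. `validate_certs: yes` would read better as `validate_certs: true`, since the role's defaults already use `true`/`false`.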