author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2017-08-30 17:20:40 +0100 |
---|---|---|
committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2017-10-27 15:17:25 +0100 |
commit | b76058177d73b2973c29dcfecfabd8fe1ab9a6d2 (patch) | |
tree | 1486f4c713eaf9bdc5a8201d2eb231d6a4241f3d | |
parent | 6e96e97a39880e07f90eea44e6a0562b20cf802e (diff) | |
baserock_ostree: Add 'releases' repo
This is different from the existing 'cache' repo in that we should
be careful what we push to it, and we should never delete things
from it once they have been made public.
Pushing to the releases repo should be done with ostree-push/receive
rather than BuildStream. I've set up the receive hook on the server.
The upstream repo of ostree-push/receive seems abandoned so I have
been using a fork: https://github.com/ssssam/ostree-push
See also:
https://listmaster.pepperfish.net/pipermail/baserock-dev-baserock.org/2017-September/013811.html
https://gitlab.com/baserock/definitions/merge_requests/58
-rw-r--r-- | baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service (renamed from baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service) | 2 | ||||
-rw-r--r-- | baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer (renamed from baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer) | 2 | ||||
-rw-r--r-- | baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service | 11 | ||||
-rw-r--r-- | baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer | 8 | ||||
-rw-r--r-- | baserock_ostree/image-config.yml | 12 | ||||
-rw-r--r-- | baserock_ostree/instance-config.yml | 32 | ||||
-rw-r--r-- | baserock_ostree/ostree-access-config.yml | 12 |
7 files changed, 72 insertions, 7 deletions
diff --git a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service
index d070aec8..70f4e708 100644
--- a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service
@@ -1,5 +1,5 @@
 [Unit]
-Description = Update OSTree summary file for cache
+Description = Update OSTree summary files for 'cache' repo
 
 [Service]
 Type = oneshot
diff --git a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer
index 0be7bc51..3696b028 100644
--- a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer
@@ -1,5 +1,5 @@
 [Unit]
-Description = Update OSTree summary file for cache
+Description = Update OSTree summary files for 'cache' repo
 
 [Timer]
 OnUnitActiveSec = 5min
diff --git a/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service
new file mode 100644
index 00000000..fdb557f1
--- /dev/null
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service
@@ -0,0 +1,11 @@
+[Unit]
+Description = Update OSTree summary files for 'releases' repo
+
+[Service]
+Type = oneshot
+ExecStart = /usr/bin/ostree --repo=/srv/ostree/releases/ summary -u
+User = ostree-releases
+Group = ostree-releases
+
+[Install]
+WantedBy=default.target
diff --git a/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer
new file mode 100644
index 00000000..eea6dd5a
--- /dev/null
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer
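Review bot: `WantedBy=default.target` in the new ostree-update-summary-releases.service is the only key in the unit written without spaces around `=`; every other line in this file and in the sibling timer uses `Key = Value`, so `WantedBy = default.target` keeps the pair consistent. Separately, `ostree --repo=/srv/ostree/releases/ summary -u` regenerates the releases summary unsigned; if clients are expected to verify what they pull from the repo the commit message says must be treated carefully, this unit is the natural place for `--gpg-sign=<release-key-id placeholder>`, unless signing is done at push time instead — not visible here. Running the service as `User = ostree-releases` matches the owner given to /srv/ostree/releases in instance-config, so this unit cannot write to the cache repo, which is the right separation.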
@@ -0,0 +1,8 @@
+[Unit]
+Description = Update OSTree summary files for 'releases' repo
+
+[Timer]
+OnUnitActiveSec = 5min
+
+[Install]
+WantedBy = default.target
diff --git a/baserock_ostree/image-config.yml b/baserock_ostree/image-config.yml
index 1152d846..1bfb90df 100644
--- a/baserock_ostree/image-config.yml
+++ b/baserock_ostree/image-config.yml
@@ -49,6 +49,18 @@
 chdir: /home/fedora/buildstream
 creates: /usr/bin/bst-artifact-receive
 
+ # We also install ostree-push/receive, which is used for pushing to the
+ # releases/ repo.
+ - name: ostree-push/receive sources
+ git: dest=/home/fedora/ostree-push repo=https://github.com/ssssam/ostree-push version=9aa82b67325786a810653155b952a17b7ccc436a
+ become_user: fedora
+
+ - name: ostree-push/receive installed
+ command: make PREFIX=/usr/ install
+ args:
+ chdir: /home/fedora/ostree-push
+ creates: /usr/bin/ostree-receive
+
 - name: disable SELinux on subsequent boots
 selinux: state=disabled
 
diff --git a/baserock_ostree/instance-config.yml b/baserock_ostree/instance-config.yml
index 768deb1a..1f218fc0 100644
--- a/baserock_ostree/instance-config.yml
+++ b/baserock_ostree/instance-config.yml
@@ -11,9 +11,13 @@
 tasks:
 - import_tasks: ../tasks/create-data-volume.yml lv_name=ostree lv_size=290g mountpoint=/srv
 
+ # This should perhaps have been called ostree-cache
 - name: ostree user
 user: name=ostree
 
+ - name: ostree-releases user
+ user: name=ostree-releases
+
 - name: data directory
 file: mode=0755 owner=ostree group=ostree path=/srv/ostree/ state=directory
 
@@ -23,6 +27,15 @@
 args:
 creates: /srv/ostree/cache/config
 
+ - name: releases directory
+ file: mode=0755 owner=ostree-releases group=ostree-releases path=/srv/ostree/releases state=directory
+
+ - name: releases repository
+ command: ostree init --repo=/srv/ostree/releases --mode=archive-z2
+ become_user: ostree-releases
+ args:
+ creates: /srv/ostree/releases/config
+
 - name: lighttpd configuration
 copy:
 src: lighttpd.conf
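Review bot: The `creates: /usr/bin/ostree-receive` guard on "ostree-push/receive installed" in the image-config hunk means a later bump of `version=` in the git task above it updates the checkout but never re-runs `make install`, leaving the previously built binary in /usr/bin; `register: ostree_push_src` on the git task and `when: ostree_push_src.changed` on the install task in place of `creates:` ties the rebuild to the source actually changing. Pinning the fork to a full commit SHA rather than a branch is the right choice given the commit message says the upstream is abandoned and this is a personal fork installed as root under /usr. The indentation of `creates:` relative to `args:` is not recoverable from this rendering — confirm it sits under `args:` like `chdir:`, since `command` does not accept it as a task-level keyword. The task list these hunks edit starts and ends outside the hunk.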
@@ -38,17 +51,28 @@
 - name: sshd configuration for ostree user -- disable password auth
 lineinfile: state="present" line=" PasswordAuthentication no" insertafter="Match user ostree" path=/etc/ssh/sshd_config
 
+ - name: sshd configuration for ostree-releases user -- header
+ lineinfile: state="present" line="Match user ostree-releases" path=/etc/ssh/sshd_config
+ - name: sshd configuration for ostree-releases user -- force command
+ lineinfile: state="present" line=" ForceCommand ostree-receive -v --repo /srv/ostree/releases" insertafter="Match user ostree-releases" path=/etc/ssh/sshd_config
+ - name: sshd configuration for ostree-releases user -- disable password auth
+ lineinfile: state="present" line=" PasswordAuthentication no" insertafter="Match user ostree-releases" path=/etc/ssh/sshd_config
+
 - name: restart sshd server
 service: name=sshd enabled=yes state=restarted
 
 - name: install systemd units
 copy: src=./{{item}} dest=/{{item}}
 with_items:
- - etc/systemd/system/ostree-cache-update-summary.service
- - etc/systemd/system/ostree-cache-update-summary.timer
+ - etc/systemd/system/ostree-update-summary-cache.service
+ - etc/systemd/system/ostree-update-summary-cache.timer
+ - etc/systemd/system/ostree-update-summary-releases.service
+ - etc/systemd/system/ostree-update-summary-releases.timer
 
 - name: enable systemd units
 systemd: name={{item}} enabled=yes daemon_reload=yes state=started
 with_items:
- - ostree-cache-update-summary.service
- - ostree-cache-update-summary.timer
+ - ostree-update-summary-cache.service
+ - ostree-update-summary-cache.timer
+ - ostree-update-summary-releases.service
+ - ostree-update-summary-releases.timer
diff --git a/baserock_ostree/ostree-access-config.yml b/baserock_ostree/ostree-access-config.yml
index ff8c7def..f23cc5f9 100644
--- a/baserock_ostree/ostree-access-config.yml
+++ b/baserock_ostree/ostree-access-config.yml
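Review bot: The "ostree-releases user -- disable password auth" task is a no-op on this host: `lineinfile` without `regexp` considers `line=" PasswordAuthentication no"` already present because the byte-identical line exists under `Match user ostree` (first context line of the hunk), so the new `Match user ostree-releases` block never receives it, while `ForceCommand` is inserted only because its text happens to be unique. If sshd_config already sets `PasswordAuthentication no` globally the gap is harmless, but that is not visible here. A single `blockinfile` task with a per-user `marker` is more robust: it keeps the header and its options together in one Match block regardless of insertion order, its default end-of-file placement lands after the existing `Match user ostree` block, and it is the natural place to also set `AllowTcpForwarding no`, `X11Forwarding no` and `PermitTTY no`, none of which a receive-only account needs.

```yaml
  - name: sshd configuration for ostree-releases user
    blockinfile:
      path: /etc/ssh/sshd_config
      marker: "# {mark} ANSIBLE MANAGED BLOCK ostree-releases"
      block: |
        Match user ostree-releases
            ForceCommand ostree-receive -v --repo /srv/ostree/releases
            PasswordAuthentication no
            AllowTcpForwarding no
            X11Forwarding no
            PermitTTY no
  # … unchanged: restart sshd server, install/enable systemd units …
```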
@@ -4,7 +4,7 @@
 gather_facts: false
 sudo: yes
 tasks:
- - name: access for Baserock GitLab CI key
+ - name: authorized SSH keys for ostree (cache) user
 authorized_key:
 user: ostree
 key: '{{ lookup("file", "{{item}}") }}'
@@ -14,3 +14,13 @@
 - keys/jonathanmaw.key.pub
 - keys/pedroalvarez.key.pub
 - keys/samthursfield.key.pub
+
+ - name: authorized SSH keys for ostree-releases user
+ authorized_key:
+ user: ostree-releases
+ key: '{{ lookup("file", "{{item}}") }}'
+ with_items:
+ - keys/baserock-gitlab-ci.key.pub
+ - keys/garyperkins.key.pub
+ - keys/pedroalvarez.key.pub
+ - keys/samthursfield.key.pub
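Review bot: `keys/baserock-gitlab-ci.key.pub` appears in the ostree-releases list in the second hunk, so whatever holds the CI key can push to the repo the commit message says must be treated more carefully than cache; if that is intended, a comment above the list stating why (e.g. `# CI pushes release refs; see definitions MR 58`) stops the next reader from assuming it was copied from the cache list by mistake. The new `authorized_key` entries carry no `key_options`; for an account that only ever runs `ostree-receive`, `key_options: 'no-port-forwarding,no-X11-forwarding,no-pty'` is cheap defence in depth that does not depend on the sshd `Match` block being applied correctly. The `sudo: yes` context line is the deprecated spelling of `become: true`, but it predates this change.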