authorSam Thursfield <sam.thursfield@codethink.co.uk>2017-08-30 17:20:40 +0100
committerSam Thursfield <sam.thursfield@codethink.co.uk>2017-10-27 15:17:25 +0100
commitb76058177d73b2973c29dcfecfabd8fe1ab9a6d2 (patch)
tree1486f4c713eaf9bdc5a8201d2eb231d6a4241f3d
parent6e96e97a39880e07f90eea44e6a0562b20cf802e (diff)
baserock_ostree: Add 'releases' repo
This is different from the existing 'cache' repo in that we should be careful what we push to it, and we should never delete things from it once they have been made public. Pushing to the releases repo should be done with ostree-push/receive rather than BuildStream. I've set up the receive hook on the server. The upstream repo of ostree-push/receive seems abandoned so I have been using a fork: https://github.com/ssssam/ostree-push See also: https://listmaster.pepperfish.net/pipermail/baserock-dev-baserock.org/2017-September/013811.html https://gitlab.com/baserock/definitions/merge_requests/58
-rw-r--r--baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service (renamed from baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service)2
-rw-r--r--baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer (renamed from baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer)2
-rw-r--r--baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service11
-rw-r--r--baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer8
-rw-r--r--baserock_ostree/image-config.yml12
-rw-r--r--baserock_ostree/instance-config.yml32
-rw-r--r--baserock_ostree/ostree-access-config.yml12
7 files changed, 72 insertions, 7 deletions
diff --git a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service
index d070aec8..70f4e708 100644
--- a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service
@@ -1,5 +1,5 @@
[Unit]
-Description = Update OSTree summary file for cache
+Description = Update OSTree summary files for 'cache' repo
[Service]
Type = oneshot
diff --git a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer
index 0be7bc51..3696b028 100644
--- a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer
@@ -1,5 +1,5 @@
[Unit]
-Description = Update OSTree summary file for cache
+Description = Update OSTree summary files for 'cache' repo
[Timer]
OnUnitActiveSec = 5min
diff --git a/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service
new file mode 100644
index 00000000..fdb557f1
--- /dev/null
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service
@@ -0,0 +1,11 @@
+[Unit]
+Description = Update OSTree summary files for 'releases' repo
+
+[Service]
+Type = oneshot
+ExecStart = /usr/bin/ostree --repo=/srv/ostree/releases/ summary -u
+User = ostree-releases
+Group = ostree-releases
+
+[Install]
+WantedBy=default.target
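Review bot: The `summary -u` in `ExecStart` regenerates the summary file unsigned, so clients of the public 'releases' repo get no integrity guarantee on the ref list even if the commits themselves are signed (whether they are is not visible in this commit). If a release signing key exists, run `ostree --repo=/srv/ostree/releases/ summary -u --gpg-sign=<KEYID> --gpg-homedir=<dir readable only by ostree-releases>`; otherwise a comment above `ExecStart` stating that summary signing is deliberately not done would stop a reader assuming it is. Running as the unprivileged `ostree-releases` user is right; since the job only needs to write inside the repo, `NoNewPrivileges=yes`, `ProtectSystem=strict` and `ReadWritePaths=/srv/ostree/releases` would be cheap extra sandboxing in `[Service]`.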
diff --git a/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer
new file mode 100644
index 00000000..eea6dd5a
--- /dev/null
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description = Update OSTree summary files for 'releases' repo
+
+[Timer]
+OnUnitActiveSec = 5min
+
+[Install]
+WantedBy = default.target
diff --git a/baserock_ostree/image-config.yml b/baserock_ostree/image-config.yml
index 1152d846..1bfb90df 100644
--- a/baserock_ostree/image-config.yml
+++ b/baserock_ostree/image-config.yml
@@ -49,6 +49,18 @@
chdir: /home/fedora/buildstream
creates: /usr/bin/bst-artifact-receive
+ # We also install ostree-push/receive, which is used for pushing to the
+ # releases/ repo.
+ - name: ostree-push/receive sources
+ git: dest=/home/fedora/ostree-push repo=https://github.com/ssssam/ostree-push version=9aa82b67325786a810653155b952a17b7ccc436a
+ become_user: fedora
+
+ - name: ostree-push/receive installed
+ command: make PREFIX=/usr/ install
+ args:
+ chdir: /home/fedora/ostree-push
+ creates: /usr/bin/ostree-receive
+
- name: disable SELinux on subsequent boots
selinux: state=disabled
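Review bot: `creates: /usr/bin/ostree-receive` makes the install step one-shot: if the pinned `version=` SHA is later bumped, the `git` task updates the checkout but `make install` is skipped and the old binary stays in place — and that binary is the whole security boundary for the releases repo, since sshd's `ForceCommand` hands every `ostree-releases` session to it. Register the checkout result and rerun the install when it changed: `register: ostree_push_src` on the git task and `when: ostree_push_src is changed` in place of `creates:`. Pinning a full commit SHA on the fork is the right call for a tool this sensitive; a comment such as `# pinned on purpose: this binary is the ForceCommand for ostree-releases, re-review the upstream diff before bumping` would record that. The install task has no `become_user`, so it appears to run as root over a tree owned by `fedora`; acceptable at image-build time, but worth noting next to the task.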
diff --git a/baserock_ostree/instance-config.yml b/baserock_ostree/instance-config.yml
index 768deb1a..1f218fc0 100644
--- a/baserock_ostree/instance-config.yml
+++ b/baserock_ostree/instance-config.yml
@@ -11,9 +11,13 @@
tasks:
- import_tasks: ../tasks/create-data-volume.yml lv_name=ostree lv_size=290g mountpoint=/srv
+ # This should perhaps have been called ostree-cache
- name: ostree user
user: name=ostree
+ - name: ostree-releases user
+ user: name=ostree-releases
+
- name: data directory
file: mode=0755 owner=ostree group=ostree path=/srv/ostree/ state=directory
@@ -23,6 +27,15 @@
args:
creates: /srv/ostree/cache/config
+ - name: releases directory
+ file: mode=0755 owner=ostree-releases group=ostree-releases path=/srv/ostree/releases state=directory
+
+ - name: releases repository
+ command: ostree init --repo=/srv/ostree/releases --mode=archive-z2
+ become_user: ostree-releases
+ args:
+ creates: /srv/ostree/releases/config
+
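Review bot: Nothing in the repository setup enforces the "never delete once public" rule from the commit message: the repo is a plain `ostree init --mode=archive-z2`, and the `ostree-releases` account that `ostree-receive` runs as has full write access to `/srv/ostree/releases`, so ref deletion or `ostree prune` is prevented only by policy. That may be fine for now, but it should be stated at the task so nobody adds a cleanup job here later: `# Policy: refs and objects are never removed from this repo once published; nothing below enforces that.`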
- name: lighttpd configuration
copy:
src: lighttpd.conf
@@ -38,17 +51,28 @@
- name: sshd configuration for ostree user -- disable password auth
lineinfile: state="present" line=" PasswordAuthentication no" insertafter="Match user ostree" path=/etc/ssh/sshd_config
+ - name: sshd configuration for ostree-releases user -- header
+ lineinfile: state="present" line="Match user ostree-releases" path=/etc/ssh/sshd_config
+ - name: sshd configuration for ostree-releases user -- force command
+ lineinfile: state="present" line=" ForceCommand ostree-receive -v --repo /srv/ostree/releases" insertafter="Match user ostree-releases" path=/etc/ssh/sshd_config
+ - name: sshd configuration for ostree-releases user -- disable password auth
+ lineinfile: state="present" line=" PasswordAuthentication no" insertafter="Match user ostree-releases" path=/etc/ssh/sshd_config
+
- name: restart sshd server
service: name=sshd enabled=yes state=restarted
- name: install systemd units
copy: src=./{{item}} dest=/{{item}}
with_items:
- - etc/systemd/system/ostree-cache-update-summary.service
- - etc/systemd/system/ostree-cache-update-summary.timer
+ - etc/systemd/system/ostree-update-summary-cache.service
+ - etc/systemd/system/ostree-update-summary-cache.timer
+ - etc/systemd/system/ostree-update-summary-releases.service
+ - etc/systemd/system/ostree-update-summary-releases.timer
- name: enable systemd units
systemd: name={{item}} enabled=yes daemon_reload=yes state=started
with_items:
- - ostree-cache-update-summary.service
- - ostree-cache-update-summary.timer
+ - ostree-update-summary-cache.service
+ - ostree-update-summary-cache.timer
+ - ostree-update-summary-releases.service
+ - ostree-update-summary-releases.timer
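Review bot: The `PasswordAuthentication no` line for the ostree-releases block will most likely never be written: `lineinfile` without `regexp` treats an exact match of `line` anywhere in the file as "already present", and the identical line already exists under `Match user ostree` (two tasks above), so only the `Match` header and the `ForceCommand` land in the new block. The `ForceCommand` on its own also does not stop a key holder from using the session for TCP or agent forwarding or from allocating a PTY, so the block should set `AllowTcpForwarding no`, `AllowAgentForwarding no`, `PermitTTY no` and `X11Forwarding no` as well. Managing the whole Match block as one `blockinfile` task (or a template) avoids the exact-match trap and keeps the block atomic and idempotent.
```yaml
      - name: sshd configuration for ostree-releases user -- Match block
        blockinfile:
          path: /etc/ssh/sshd_config
          marker: "# {mark} ANSIBLE MANAGED BLOCK: ostree-releases"
          block: |
            Match user ostree-releases
                ForceCommand ostree-receive -v --repo /srv/ostree/releases
                PasswordAuthentication no
                AllowTcpForwarding no
                AllowAgentForwarding no
                PermitTTY no
                X11Forwarding no
      # … unchanged: restart sshd, install and enable systemd units …
```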
diff --git a/baserock_ostree/ostree-access-config.yml b/baserock_ostree/ostree-access-config.yml
index ff8c7def..f23cc5f9 100644
--- a/baserock_ostree/ostree-access-config.yml
+++ b/baserock_ostree/ostree-access-config.yml
@@ -4,7 +4,7 @@
gather_facts: false
sudo: yes
tasks:
- - name: access for Baserock GitLab CI key
+ - name: authorized SSH keys for ostree (cache) user
authorized_key:
user: ostree
key: '{{ lookup("file", "{{item}}") }}'
@@ -14,3 +14,13 @@
- keys/jonathanmaw.key.pub
- keys/pedroalvarez.key.pub
- keys/samthursfield.key.pub
+
+ - name: authorized SSH keys for ostree-releases user
+ authorized_key:
+ user: ostree-releases
+ key: '{{ lookup("file", "{{item}}") }}'
+ with_items:
+ - keys/baserock-gitlab-ci.key.pub
+ - keys/garyperkins.key.pub
+ - keys/pedroalvarez.key.pub
+ - keys/samthursfield.key.pub
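Review bot: The key list for `ostree-releases` is additive only: `authorized_key` without `exclusive` never removes a key, so dropping a name from this list does not revoke push access to the one repo the commit message says must be handled carefully. `exclusive` is not loop-aware, so to make the list authoritative the keys have to be joined into a single `key` value rather than iterated with `with_items`; `key_options` can then restrict the keys at the sshd level too, independently of the `Match` block. Also worth a comment: `keys/baserock-gitlab-ci.key.pub` gives any pipeline holding that key the ability to publish releases, which appears intentional given the linked MR but is not stated here.
```yaml
  - name: authorized SSH keys for ostree-releases user
    authorized_key:
      user: ostree-releases
      exclusive: true
      key_options: 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
      key: "{{ lookup('file', 'keys/baserock-gitlab-ci.key.pub', 'keys/garyperkins.key.pub', 'keys/pedroalvarez.key.pub', 'keys/samthursfield.key.pub', wantlist=True) | join('\n') }}"
```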