From 7683fa11b3e89cb355494751a41073d7cf029a6d Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Mon, 18 Jan 2021 15:30:35 +1100 Subject: [PATCH] openafs-server : add ansible roles for OpenAFS servers This starts at migrating OpenAFS server setup to Ansible. Firstly we split up the groups and explicitly name hosts, as we will be migrating each one step-by-step. We split out 1.8 hosts into a new afs-1.8 group; the first host is afs01.ord.openstack.org which already has openafs 1.8 installed manually. An openafs-server role is introduced that does the same setup as the extant puppet. The AFS job is renamed to infra-prod-afs as the puppet component will eventually disappear. Otherwise it runs in the same way, but also runs the openafs-server role for the 1.8 servers. Once this is merged, we can run it against afs01.ord.openstack.org to ensure it works and is idempotent. We can then take on upgrading the other file servers, and work further on the database servers. Change-Id: I7998af43961999412f58a78214f4b5387713d30e --- inventory/service/groups.yaml | 20 +++-- playbooks/roles/openafs-server/README.rst | 1 + .../roles/openafs-server/files/CellServDB | 3 + playbooks/roles/openafs-server/files/ThisCell | 1 + .../roles/openafs-server/tasks/main.yaml | 85 +++++++++++++++++++ ...emote_puppet_afs.yaml => service-afs.yaml} | 5 ++ zuul.d/infra-prod.yaml | 9 +- zuul.d/project.yaml | 4 +- 8 files changed, 117 insertions(+), 11 deletions(-) create mode 100644 playbooks/roles/openafs-server/README.rst create mode 100644 playbooks/roles/openafs-server/files/CellServDB create mode 100644 playbooks/roles/openafs-server/files/ThisCell create mode 100644 playbooks/roles/openafs-server/tasks/main.yaml rename playbooks/{remote_puppet_afs.yaml => service-afs.yaml} (88%) diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml index 83320faecc..6adddfaee8 100644 --- a/inventory/service/groups.yaml +++ b/inventory/service/groups.yaml 
@@ -1,7 +1,13 @@ plugin: yamlgroup groups: adns: adns*.open*.org - afs: afs[0-9]*.open*.org + afs-1.8: + - afs01.ord.openstack.org + afs: + - afs01.dfw.openstack.org + - afs02.dfw.openstack.org + - afsdb01.openstack.org + - afsdb02.openstack.org afs-client: - review-dev[0-9]*.open*.org - mirror[0-9]*.opendev.org
@@ -139,8 +145,10 @@ groups: pbx: - pbx[0-9]*.opendev.org puppet: - - afs[0-9]*.open*.org - - afsdb[0-9]*.open*.org + - afs01.dfw.openstack.org + - afs02.dfw.openstack.org + - afsdb01.openstack.org + - afsdb02.openstack.org - ask*.open*.org - backup[0-9]*.openstack.org - cacti[0-9]*.open*.org
@@ -173,8 +181,10 @@ groups: - wiki-dev[0-9]*.openstack.org - wiki[0-9]*.openstack.org puppet4: - - afs[0-9]*.open*.org - - afsdb[0-9]*.open*.org + - afs01.dfw.openstack.org + - afs02.dfw.openstack.org + - afsdb01.openstack.org + - afsdb02.openstack.org - ask*.open*.org - ask-staging[0-9]*.open*.org - cacti[0-9]*.open*.org
diff --git a/playbooks/roles/openafs-server/README.rst b/playbooks/roles/openafs-server/README.rst
new file mode 100644
index 0000000000..9878b44648
--- /dev/null
+++ b/playbooks/roles/openafs-server/README.rst
@@ -0,0 +1 @@
+Install openafs server components
diff --git a/playbooks/roles/openafs-server/files/CellServDB b/playbooks/roles/openafs-server/files/CellServDB
new file mode 100644
index 0000000000..28c01bf3ac
--- /dev/null
+++ b/playbooks/roles/openafs-server/files/CellServDB
@@ -0,0 +1,3 @@
+>openstack.org #Cell name
+104.130.136.20 #afsdb01.openstack.org
+23.253.200.228 #afsdb02.openstack.org
diff --git a/playbooks/roles/openafs-server/files/ThisCell b/playbooks/roles/openafs-server/files/ThisCell
new file mode 100644
index 0000000000..3178e3d42c
--- /dev/null
+++ b/playbooks/roles/openafs-server/files/ThisCell
@@ -0,0 +1 @@
+openstack.org
diff --git a/playbooks/roles/openafs-server/tasks/main.yaml b/playbooks/roles/openafs-server/tasks/main.yaml
new file mode 100644
index 0000000000..47dd9d7fb6
--- /dev/null
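Review bot: afs01.ord.openstack.org leaves the `afs` group in this hunk, and the `puppet` and `puppet4` groups in the two hunks below, so it stops inheriting any variables keyed to those groups. The job definition later in this patch still lists `inventory/service/group_vars/afs` and `playbooks/roles/iptables/`; if that group_vars file carries firewall rules or other host settings (not visible here), the host needs an `afs-1.8` equivalent before this runs against it. The same hunk also adds afsdb01 and afsdb02 to `afs`, which the old `afs[0-9]*.open*.org` pattern did not match, so they start inheriting that group's variables. A comment above the new group would record the intent, for example `# afs-1.8: hosts managed by the openafs-server role; group_vars/afs does not apply to them`.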
+++ b/playbooks/roles/openafs-server/tasks/main.yaml 
@@ -0,0 +1,85 @@
+- name: Install pre-reqs
+ package:
+ name: '{{ item }}'
+ state: present
+ loop:
+ - apt-transport-https
+ - software-properties-common
+
+- name: Ensure server directory
+ file:
+ state: directory
+ path: /etc/openafs/server
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Copy configuration files
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/openafs/server'
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - CellServDB
+ - ThisCell
+
+- name: Install rxkad.keytab
+ shell: 'echo "{{ openafs_server_rxkad_keytab }}" | base64 -d > /etc/openafs/server/rxkad.keytab'
+ args:
+ creates: '/etc/openafs/server/rxkad.keytab'
+ no_log: True
+
+- name: Ensure permissions rxkad.keytab
+ file:
+ path: '/etc/openafs/server/rxkad.keytab'
+ owner: root
+ group: root
+ mode: '0400'
+
+# This is generated by aconvert from rxkad.keytab; or if we ever need
+# to regenerate everything see asetkey(8) man page, which creates this
+# from a keytab. It's used by openafs 1.8 instead of keytabs to
+# reduce kerberos library dependencies or some such.
+- name: Install KeyfileExt
+ shell: 'echo "{{ openafs_server_keyfileext }}" | base64 -d > /etc/openafs/server/KeyFileExt'
+ args:
+ creates: '/etc/openafs/server/KeyFileExt'
+ no_log: True
+
+- name: Ensure permissions on KeyFileExt
+ file:
+ path: '/etc/openafs/server/KeyFileExt'
+ owner: root
+ group: root
+ mode: '0400'
+
+- name: Install openstackci openafs PPA
+ apt_repository:
+ repo: 'ppa:openstack-ci-core/openafs'
+
+- name: Install kernel headers dependency
+ package:
+ name:
+ - linux-headers-{{ ansible_kernel }}
+ state: present
+ become: yes
+
+# NOTE(ianw) : Need to do this first and separately so that the
+# modules are ready for the openafs server/client package to start. 
+# Avoid recommends because that drags in the client, which can't start
+# without the modules which are building in this step (we do it next)
+- name: Install openafs kernel modules
+ apt:
+ name: openafs-modules-dkms
+ state: latest
+ install_recommends: no
+
+- name: Install packages
+ package:
+ name:
+ - openafs-fileserver
+ - openafs-client
+ - openafs-krb5
+ state: latest
diff --git a/playbooks/remote_puppet_afs.yaml b/playbooks/service-afs.yaml
similarity index 88%
rename from playbooks/remote_puppet_afs.yaml
rename to playbooks/service-afs.yaml
index 6f98aa5014..366a4f0746 100644
--- a/playbooks/remote_puppet_afs.yaml
+++ b/playbooks/service-afs.yaml
@@ -10,6 +10,11 @@ roles: - puppet-run +- hosts: "afs-1.8:!disabled" + name: "Configure AFS server" + roles: + - openafs-server + - hosts: "mirror-update:!disabled" name: "Create key for remote vos release" tasks:
diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml
index 45848f1b32..8a08606815 100644
--- a/zuul.d/infra-prod.yaml
+++ b/zuul.d/infra-prod.yaml
@@ -555,18 +555,18 @@ # Run AFS changes separately so we can make sure to only do one at a time # (turns out quorum is nice to have) - job: - name: infra-prod-remote-puppet-afs + name: infra-prod-service-afs parent: infra-prod-service-base - description: Run remote-puppet-afs.yaml playbook. + description: Run AFS playbook. vars: - playbook_name: remote_puppet_afs.yaml + playbook_name: service-afs.yaml infra_prod_ansible_forks: 1 required-projects: - opendev/ansible-role-puppet - opendev/system-config files: - inventory/ - playbooks/remote_puppet_afs.yaml + - playbooks/service-afs.yaml - inventory/service/group_vars/afs - inventory/service/group_vars/mirror-update - inventory/service/group_vars/puppet
@@ -576,6 +576,7 @@ - playbooks/roles/disable-puppet-agent/ - playbooks/roles/iptables/ - playbooks/roles/vos-release/ + - playbooks/roles/openafs-server/ - modules/ - manifests/ 
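Review bot: The `Install rxkad.keytab` and `Install KeyfileExt` tasks create the key files through a shell redirect, so each file takes its mode from the remote umask (commonly world-readable, under the `0755` server directory) until the following `file` task sets `'0400'`; if the run stops between the two tasks the key material stays readable. Setting the mask in the same command closes that window: `shell: 'umask 077; echo "{{ openafs_server_rxkad_keytab }}" | base64 -d > /etc/openafs/server/rxkad.keytab'`, and likewise for KeyFileExt. Because both tasks are guarded by `creates:`, a rotated key in the variable is never written and a truncated file left by a failed decode is treated as done; a comment above them such as `# creates: means a changed key is not re-deployed; remove the file to force a rewrite` would make that explicit. Separately, `mode: 0755` and `mode: 0644` are unquoted while the key files use `'0400'`; quoting all of them keeps the file consistent and avoids the YAML octal-parsing trap.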
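Review bot: The new `afs-1.8` play has no `serial:` setting, so the one-host-at-a-time behaviour described in the job comment depends entirely on `infra_prod_ansible_forks: 1`. Unless a different strategy is configured, a single fork still walks every host through each task before moving to the next task, so the role's `state: latest` package tasks can upgrade all 1.8 servers within the same run. Adding `serial: 1` under `hosts: "afs-1.8:!disabled"` keeps the guarantee, including when the playbook is run by hand. The play list starts and continues outside this hunk, so whether the earlier puppet play already sets this is not visible here.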
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index d8e3a23e32..4923dc1e3b 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -274,7 +274,7 @@ - infra-prod-service-eavesdrop - name: system-config-promote-image-accessbot soft: true - infra-prod-remote-puppet-afs + - infra-prod-service-afs - infra-prod-remote-puppet-else - infra-prod-run-cloud-launcher periodic:
@@ -310,7 +310,7 @@ - infra-prod-service-codesearch - infra-prod-service-eavesdrop - infra-prod-run-accessbot - infra-prod-remote-puppet-afs + - infra-prod-service-afs opendev-prod-hourly: jobs: - infra-prod-install-ansible