Skip to content

C
configuration
Commit facaa038 by Arbab Nazar Committed by GitHub
Options

Merge pull request #3181 from edx/arbab/xserver-rewrite 

rewrite ansible tasks using YAML style
parents 36a140b6 437a1765
Showing with 169 additions and 133 deletions
playbooks/roles/xserver/handlers/main.yml
......@@ -15,10 +15,9 @@
#
- name: restart xserver
supervisorctl: >
name=xserver
supervisorctl_path={{ supervisor_ctl }}
config={{ supervisor_cfg }}
state=restarted
when: not disable_edx_services
supervisorctl:
name: xserver
supervisorctl_path: "{{ supervisor_ctl }}"
config: "{{ supervisor_cfg }}"
state: restarted
when: not disable_edx_services
\ No newline at end of file
playbooks/roles/xserver/tasks/deploy.yml
- name: "writing supervisor script"
template: >
src=xserver.conf.j2 dest={{ supervisor_available_dir }}/xserver.conf
owner={{ supervisor_user }} group={{ common_web_user }} mode=0644
- name: Writing supervisor script
template:
src: xserver.conf.j2
dest: "{{ supervisor_available_dir }}/xserver.conf"
owner: "{{ supervisor_user }}"
group: "{{ common_web_user }}"
mode: "0644"
- name: "enable supervisor script"
file: >
src={{ supervisor_available_dir }}/xserver.conf
dest={{ supervisor_cfg_dir }}/xserver.conf
owner={{ supervisor_user }} group={{ common_web_user }} mode=0644
state=link force=yes
- name: Enable supervisor script
file:
src: "{{ supervisor_available_dir }}/xserver.conf"
dest: "{{ supervisor_cfg_dir }}/xserver.conf"
owner: "{{ supervisor_user }}"
group: "{{ common_web_user }}"
mode: "0644"
state: link
force: yes
when: not disable_edx_services
- name: "add gunicorn configuration file"
template: >
src=xserver_gunicorn.py.j2 dest={{ xserver_app_dir }}/xserver_gunicorn.py
- name: Add gunicorn configuration file
template:
src: xserver_gunicorn.py.j2
dest: "{{ xserver_app_dir }}/xserver_gunicorn.py"
become_user: "{{ xserver_user }}"
notify:
- restart xserver
- name: checkout code
git_2_0_1: >
dest={{ xserver_code_dir }} repo={{ xserver_source_repo }} version={{xserver_version}}
accept_hostkey=yes
- name: Checkout code
git_2_0_1:
dest: "{{ xserver_code_dir }}"
repo: "{{ xserver_source_repo }}"
version: "{{xserver_version}}"
accept_hostkey: yes
become_user: "{{ xserver_user }}"
register: xserver_checkout
notify: restart xserver
notify:
- restart xserver
- name: install requirements
pip: >
requirements="{{ xserver_requirements_file }}" virtualenv="{{ xserver_venv_dir }}" state=present
extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
- name: Install requirements
pip:
requirements: "{{ xserver_requirements_file }}"
virtualenv: "{{ xserver_venv_dir }}"
state: present
extra_args: "-i {{ COMMON_PYPI_MIRROR_URL }}"
become_user: "{{ xserver_user }}"
notify: restart xserver
notify:
- restart xserver
- name: install sandbox requirements
pip: >
requirements="{{ xserver_requirements_file }}" virtualenv="{{ xserver_venv_sandbox_dir }}" state=present
extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
- name: Install sandbox requirements
pip:
requirements: "{{ xserver_requirements_file }}"
virtualenv: "{{ xserver_venv_sandbox_dir }}"
state: present
extra_args: "-i {{ COMMON_PYPI_MIRROR_URL }}"
become_user: "{{ xserver_user }}"
notify: restart xserver
notify:
- restart xserver
- name: create xserver application config
template: src=xserver.env.json.j2 dest={{ xserver_app_dir }}/env.json
- name: Create xserver application config
template:
src: xserver.env.json.j2
dest: "{{ xserver_app_dir }}/env.json"
become_user: "{{ xserver_user }}"
notify: restart xserver
notify:
- restart xserver
- name: install read-only ssh key for the content repo that is required for grading
copy: >
content="{{ XSERVER_GIT_IDENTITY }}" dest={{ xserver_git_identity }}
owner={{ xserver_user }} group={{ xserver_user }} mode=0600
notify: restart xserver
- name: Install read-only ssh key for the content repo that is required for grading
copy:
content: "{{ XSERVER_GIT_IDENTITY }}"
dest: "{{ xserver_git_identity }}"
owner: "{{ xserver_user }}"
group: "{{ xserver_user }}"
mode: "0600"
notify:
- restart xserver
- name: upload ssh script
template: >
src=git_ssh.sh.j2 dest=/tmp/git_ssh.sh
owner={{ xserver_user }} mode=750
notify: restart xserver
- name: Upload ssh script
template:
src: git_ssh.sh.j2
dest: "/tmp/git_ssh.sh"
owner: "{{ xserver_user }}"
mode: "0750"
notify:
- restart xserver
- name: checkout grader code
git_2_0_1: >
dest={{ XSERVER_GRADER_DIR }} repo={{ XSERVER_GRADER_SOURCE }} version={{ xserver_grader_version }}
accept_hostkey=yes
- name: Checkout grader code
git_2_0_1:
dest: "{{ XSERVER_GRADER_DIR }}"
repo: "{{ XSERVER_GRADER_SOURCE }}"
version: "{{ xserver_grader_version }}"
accept_hostkey: yes
environment:
GIT_SSH: /tmp/git_ssh.sh
notify: restart xserver
GIT_SSH: "/tmp/git_ssh.sh"
notify:
- restart xserver
register: xserver_grader_checkout
become_user: "{{ xserver_user }}"
- name: remove read-only ssh key for the content repo
file: path={{ xserver_git_identity }} state=absent
notify: restart xserver
- name: Remove read-only ssh key for the content repo
file:
path: "{{ xserver_git_identity }}"
state: absent
notify:
- restart xserver
# call supervisorctl update. this reloads
# the supervisorctl config and restarts
# the services if any of the configurations
# have changed.
#
- name: update supervisor configuration
- name: Update supervisor configuration
shell: "{{ supervisor_ctl }} -c {{ supervisor_cfg }} update"
register: supervisor_update
changed_when: supervisor_update.stdout is defined and supervisor_update.stdout != ""
when: not disable_edx_services
- name: ensure xserver is started
supervisorctl: >
name=xserver
supervisorctl_path={{ supervisor_ctl }}
config={{ supervisor_cfg }}
state=started
- name: Ensure xserver is started
supervisorctl:
name: xserver
supervisorctl_path: "{{ supervisor_ctl }}"
config: "{{ supervisor_cfg }}"
state: started
when: not disable_edx_services
- name: create a symlink for venv python
file: >
src="{{ xserver_venv_bin }}/{{ item }}"
dest={{ COMMON_BIN_DIR }}/{{ item }}.xserver
state=link
- name: Create a symlink for venv python
file:
src: "{{ xserver_venv_bin }}/{{ item }}"
dest: "{{ COMMON_BIN_DIR }}/{{ item }}.xserver"
state: link
with_items:
- python
- pip
- python
- pip
- name: enforce app-armor rules
command: aa-enforce {{ xserver_venv_sandbox_dir }}
- name: Enforce app-armor rules
command: "aa-enforce {{ xserver_venv_sandbox_dir }}"
- include: ec2.yml tags=deploy
- include: ec2.yml
when: COMMON_TAG_EC2_INSTANCE
tags:
- deploy
playbooks/roles/xserver/tasks/ec2.yml
---
- name: get instance information
- name: Get instance information
action: ec2_facts
- name: tag instance for xserver
ec2_tag: resource={{ ansible_ec2_instance_id }} region={{ ansible_ec2_placement_region }}
args:
tags:
"version:xserver" : "{{ xserver_source_repo }} {{ xserver_checkout.after|truncate(7,True,'') }}"
- name: Tag instance for xserver
ec2_tag:
resource: "{{ ansible_ec2_instance_id }}"
region: "{{ ansible_ec2_placement_region }}"
tags:
"version:xserver" : "{{ xserver_source_repo }} {{ xserver_checkout.after|truncate(7,True,'') }}"
when: xserver_checkout.after is defined
- name: tag instance for xserver grader
ec2_tag: resource={{ ansible_ec2_instance_id }} region={{ ansible_ec2_placement_region }}
args:
tags:
"version:xserver_grader" : "{{ XSERVER_GRADER_SOURCE }} {{ xserver_grader_checkout.after|truncate(7,True,'') }}"
- name: Tag instance for xserver grader
ec2_tag:
resource: "{{ ansible_ec2_instance_id }}"
region: "{{ ansible_ec2_placement_region }}"
tags:
"version:xserver_grader" : "{{ XSERVER_GRADER_SOURCE }} {{ xserver_grader_checkout.after|truncate(7,True,'') }}"
when: xserver_grader_checkout.after is defined
playbooks/roles/xserver/tasks/main.yml
......@@ -2,37 +2,25 @@
# As of right now this role requires
# access to the edX 6.00x repo which is not public
---
- name: Create application user
user:
name: "{{ xserver_user }}"
home: "{{ xserver_app_dir }}"
createhome: no
shell: /bin/false
- name: checking for grader info
fail: msg="You must define XSERVER_GRADER_DIR"
when: XSERVER_GRADER_DIR|length == 0
- name: Create application sandbox user
user:
name: "{{ xserver_sandbox_user }}"
createhome: no
shell: /bin/false
- fail: msg="You must define XSERVER_GRADER_SOURCE"
when: XSERVER_GRADER_SOURCE|length == 0
- name: checking for git identity
fail: msg="You must define XSERVER_GIT_IDENTITY to use this role"
when: XSERVER_GIT_IDENTITY|length == 0
- name: create application user
user: >
name="{{ xserver_user }}"
home="{{ xserver_app_dir }}"
createhome=no
shell=/bin/false
- name: create application sandbox user
user: >
name="{{ xserver_sandbox_user }}"
createhome=no
shell=/bin/false
- name: create xserver app and data dirs
file: >
path="{{ item }}"
state=directory
owner="{{ xserver_user }}"
group="{{ common_web_group }}"
- name: Create xserver app and data dirs
file:
path: "{{ item }}"
state: directory
owner: "{{ xserver_user }}"
group: "{{ common_web_group }}"
with_items:
- "{{ xserver_app_dir }}"
# needed for the ansible 1.5 git module
......@@ -41,30 +29,43 @@
- "{{ xserver_data_dir }}"
- "{{ xserver_data_dir }}/data"
- name: create sandbox sudoers file
template: src=99-sandbox.j2 dest=/etc/sudoers.d/99-sandbox owner=root group=root mode=0440
- name: Create sandbox sudoers file
template:
src: 99-sandbox.j2
dest: "/etc/sudoers.d/99-sandbox"
owner: root
group: root
mode: "0440"
# Make sure this line is in the common-session file.
- name: ensure pam-limits module is loaded
- name: Ensure pam-limits module is loaded
lineinfile:
dest=/etc/pam.d/common-session
regexp="session required pam_limits.so"
line="session required pam_limits.so"
dest: /etc/pam.d/common-session
regexp: "session required pam_limits.so"
line: "session required pam_limits.so"
- name: set sandbox limits
template: src={{ item }} dest=/etc/security/limits.d/sandbox.conf
- name: Set sandbox limits
template:
src: "{{ item }}"
dest: "/etc/security/limits.d/sandbox.conf"
first_available_file:
- "{{ secure_dir }}/sandbox.conf.j2"
- "sandbox.conf.j2"
- "{{ secure_dir }}/sandbox.conf.j2"
- "sandbox.conf.j2"
- name: install system dependencies of xserver
apt: pkg={{ item }} state=present
with_items: xserver_debian_pkgs
- name: Install system dependencies of xserver
apt:
name: "{{ item }}"
state: present
with_items: "{{ xserver_debian_pkgs }}"
- name: load python-sandbox apparmor profile
template: src={{ item }} dest=/etc/apparmor.d/edx_apparmor_sandbox
- name: Load python-sandbox apparmor profile
template:
src: "{{ item }}"
dest: "/etc/apparmor.d/edx_apparmor_sandbox"
first_available_file:
- "{{ secure_dir }}/files/edx_apparmor_sandbox.j2"
- "usr.bin.python-sandbox.j2"
- "{{ secure_dir }}/files/edx_apparmor_sandbox.j2"
- "usr.bin.python-sandbox.j2"
- include: deploy.yml tags=deploy
- include: deploy.yml
tags:
- deploy
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment