DSOS-2233: add epel role (#361)

* add epel role * fix * use role for installing epel * use role for installing epel * use role for installing epel * ansible-script fix * add ansible-script for testing * Commit changes made by code formatters --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
ministryofjustice · Oct 10, 2023 · 4adb8df · 4adb8df
1 parent 9f0b4ff
commit 4adb8df
Show file tree

Hide file tree

Showing 17 changed files with 132 additions and 83 deletions.
diff --git a/ansible/group_vars/server_type_base_rhel610.yml b/ansible/group_vars/server_type_base_rhel610.yml
@@ -7,5 +7,6 @@ server_type_roles_list:
   - domain-search
   - amazon-cloudwatch-agent
   - autoscale-group-hooks-state
+  - ansible-script
 
 roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}"
diff --git a/ansible/group_vars/server_type_base_rhel79.yml b/ansible/group_vars/server_type_base_rhel79.yml
@@ -6,6 +6,7 @@ server_type_roles_list:
   - set-ec2-hostname
   - domain-search
   - amazon-cloudwatch-agent
+  - ansible-script
   - autoscale-group-hooks-state
 
 roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}"
diff --git a/ansible/group_vars/server_type_base_rhel85.yml b/ansible/group_vars/server_type_base_rhel85.yml
@@ -7,6 +7,7 @@ server_type_roles_list:
   - set-ec2-hostname
   - domain-search
   - amazon-cloudwatch-agent
+  - ansible-script
   - autoscale-group-hooks-state
 
 roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}"
diff --git a/ansible/group_vars/server_type_nomis_db.yml b/ansible/group_vars/server_type_nomis_db.yml
@@ -5,6 +5,7 @@ server_type_roles_list:
   - get-ec2-facts
   - set-ec2-hostname
   - domain-search
+  - ansible-script
   - oracle-11g
   - oracle-secure-backup
   - oracle-db-backup

diff --git a/ansible/group_vars/server_type_nomis_web.yml b/ansible/group_vars/server_type_nomis_web.yml
@@ -5,6 +5,7 @@ server_type_roles_list:
   - autoscale-group-hooks
   - set-ec2-hostname
   - domain-search
+  - ansible-script
   - nomis-weblogic
   - nomis-release-deployment
   - collectd-service-metrics

diff --git a/ansible/group_vars/server_type_nomis_xtag.yml b/ansible/group_vars/server_type_nomis_xtag.yml
@@ -6,6 +6,7 @@ server_type_roles_list:
   - autoscale-group-hooks
   - set-ec2-hostname
   - domain-search
+  - ansible-script
   - nomis-xtag-weblogic
   - collectd-service-metrics
   - autoscale-group-hooks-state

diff --git a/ansible/roles/ansible-script/files/ansible.sh b/ansible/roles/ansible-script/files/ansible.sh
@@ -51,6 +51,7 @@ run_ansible() {
   else
     cd $ansible_dir/${ansible_repo}
     git pull
+    git checkout "$branch"
   fi
   cd $ansible_dir
 

diff --git a/ansible/roles/collectd/meta/main.yml b/ansible/roles/collectd/meta/main.yml
@@ -1,3 +1,4 @@
 ---
 dependencies:
   - role: get-ec2-facts
+  - role: epel
diff --git a/ansible/roles/collectd/tasks/collectd_install.yml b/ansible/roles/collectd/tasks/collectd_install.yml
@@ -1,84 +1,5 @@
 ---
-- name: is collectd installed
+- name: Install collectd
   ansible.builtin.yum:
-    list: collectd
+    name: "collectd"
     state: present
-  register: collectd_installed_state
-  check_mode: no
-  changed_when: false
-  ignore_errors: true
-
-- name: set fact for collectd installed or not
-  set_fact:
-    collectd_installed: "{{ collectd_installed_state.results is defined and collectd_installed_state.results | length > 0 and 'installed' in collectd_installed_state.results[0].yumstate }}"
-
-- name: debug collectd_installed
-  ansible.builtin.debug:
-    msg: "{{ collectd_installed }}"
-
-- name: Ensure the EPEL repository is available on Rhel 6
-  block:
-    - name: Ensure the EPEL repository is available on Rhel 6
-      ansible.builtin.package:
-        name: epel-release
-        state: installed
-      register: epel_release_installed
-      ignore_errors: true
-
-    - name: Add epel-release to repolist on Rhel 6
-      ansible.builtin.shell: |
-        wget https://dl.fedoraproject.org/pub/archive/epel/6/x86_64/epel-release-6-8.noarch.rpm
-        yum install -y epel-release-6-8.noarch.rpm
-      when: epel_release_installed is failed
-      ignore_errors: true # role to be re-run without failing
-
-    # using shell as yum module doesn't run on Rhel6 due to old python version
-    - name: Install collectd agent
-      ansible.builtin.shell: |
-        yum install -y collectd
-  # block
-  when: (ansible_distribution_major_version == '6') and (not collectd_installed)
-
-- name: Ensure the EPEL repository is available on Rhel 7
-  block:
-    - name: Ensure the EPEL repository is available
-      ansible.builtin.package:
-        name: epel-release
-        state: installed
-      register: epel_release_installed
-      ignore_errors: true
-
-    - name: Add epel-release to repolist
-      ansible.builtin.shell: |
-        yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
-      when: epel_release_installed is failed
-      ignore_errors: true
-
-    - name: install collectd from epel-release
-      ansible.builtin.package:
-        name: collectd
-        state: installed
-  # block
-  when: (ansible_distribution_major_version == '7') and (not collectd_installed)
-
-- name: Ensure the EPEL repository is available on Rhel 8
-  block:
-    - name: Ensure the EPEL repository is available on Rhel 8
-      ansible.builtin.package:
-        name: epel-release
-        state: installed
-      register: epel_release_installed
-      ignore_errors: true
-
-    - name: Add epel-release to repolist on Rhel 8
-      ansible.builtin.shell: |
-        wget https://dl.fedoraproject.org/pub/archive/epel/8.5/Everything/x86_64/Packages/e/epel-release-8-15.el8.noarch.rpm
-        yum install -y epel-release-8-15.el8.noarch.rpm
-      when: epel_release_installed is failed
-
-    - name: Install collectd agent
-      ansible.builtin.dnf:
-        name: collectd
-        state: installed
-  # block
-  when: ansible_distribution_major_version >= "8" and not collectd_installed
diff --git a/ansible/roles/epel/README.md b/ansible/roles/epel/README.md
@@ -0,0 +1,3 @@
+Enable epel repo
+
+I've seen occasional 403 errors on the URLs hence the option to download from S3.
diff --git a/ansible/roles/epel/defaults/main.yml b/ansible/roles/epel/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+artefacts_s3_bucket_name: mod-platform-image-artefact-bucket20230203091453221500000001
+artefacts_s3_bucket_path: hmpps/epel
diff --git a/ansible/roles/epel/tasks/install-from-rpm.yml b/ansible/roles/epel/tasks/install-from-rpm.yml
@@ -0,0 +1,92 @@
+---
+- name: Set RHEL6 epel facts
+  set_fact:
+    epel_rpm_filename: epel-release-6-8.noarch.rpm
+    epel_rpm_url: https://dl.fedoraproject.org/pub/archive/epel/6/x86_64/epel-release-6-8.noarch.rpm
+    epel_gpg_key_filename: RPM-GPG-KEY-EPEL-6.txt
+    epel_gpg_key_url: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6.txt
+  when: ansible_distribution_major_version == '6'
+
+- name: Set RHEL7+ epel facts
+  set_fact:
+    epel_rpm_filename: "epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
+    epel_rpm_url: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
+    epel_gpg_key_filename: "RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}.txt"
+    epel_gpg_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}.txt"
+  when: ansible_distribution_major_version in ['7', '8', '9']
+
+- name: Fail if unexpected OS
+  fail:
+    msg: "Unsupported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
+  when: ansible_distribution_major_version not in ['6', '7', '8', '9']
+
+- name: Get SELinux state
+  ansible.builtin.shell: getenforce || true
+  changed_when: false
+  check_mode: false
+  register: epel_selinux_mode
+
+# The fedoraproject URL sometimes gives 403s so safer to use S3 method
+- name: Install from S3
+  block:
+    - name: Create rpm directory
+      ansible.builtin.file:
+        path: "/root/epel"
+        state: directory
+
+    - name: Copy from S3
+      amazon.aws.aws_s3:
+        bucket: "{{ artefacts_s3_bucket_name }}"
+        object: "{{ artefacts_s3_bucket_path }}/{{ item }}"
+        dest: "/root/epel/{{ item }}"
+        mode: get
+        overwrite: latest
+      loop:
+        - "{{ epel_rpm_filename }}"
+        - "{{ epel_gpg_key_filename }}"
+
+    - name: Temporarily set SELinux state to Permissive
+      ansible.builtin.shell: setenforce Permissive
+      when: epel_selinux_mode.stdout|lower == "enforcing"
+
+    - name: Import rpm key from S3
+      ansible.builtin.rpm_key:
+        state: present
+        key: "/root/epel/{{ epel_gpg_key_filename }}"
+
+    - name: Install epel RPM from S3
+      ansible.builtin.yum:
+        state: present
+        name: "/root/epel/{{ epel_rpm_filename }}"
+
+  always:
+    - name: Restore SELinux state to Enforcing
+      ansible.builtin.shell: setenforce Enforcing
+      when: epel_selinux_mode.stdout|lower == "enforcing"
+
+  # block
+  when: artefacts_s3_bucket_name is defined
+
+- name: Install from URL
+  block:
+    - name: Set SELinux state to Permissive
+      ansible.builtin.shell: setenforce Permissive
+      when: epel_selinux_mode.stdout|lower == "enforcing"
+
+    - name: Import rpm key from URL
+      ansible.builtin.rpm_key:
+        state: present
+        key: "{{ epel_gpg_key_url }}"
+
+    - name: Install epel RPM from URL
+      ansible.builtin.yum:
+        state: present
+        name: "{{ epel_rpm_url }}"
+
+  always:
+    - name: Restore SELinux state to Enforcing
+      ansible.builtin.shell: setenforce Enforcing
+      when: epel_selinux_mode.stdout|lower == "enforcing"
+
+  # block
+  when: artefacts_s3_bucket_name is not defined
diff --git a/ansible/roles/epel/tasks/main.yml b/ansible/roles/epel/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+# try the easy way first
+- name: Add EPEL repository
+  ansible.builtin.yum:
+    name: epel-release
+    state: present
+  ignore_errors: yes
+  register: epel_yum
+  tags:
+    - amibuild
+    - ec2provision
+    - ec2patch
+
+# otherwise install from RPM
+- import_tasks: install-from-rpm.yml
+  tags:
+    - amibuild
+    - ec2provision
+    - ec2patch
+  when: ansible_distribution in ['RedHat', 'OracleLinux'] and epel_yum is failed
diff --git a/ansible/roles/secretsmanager-passwords/meta/main.yml b/ansible/roles/secretsmanager-passwords/meta/main.yml
@@ -1,3 +1,4 @@
 ---
 dependencies:
   - role: get-modernisation-platform-facts
+  - role: epel
diff --git a/ansible/roles/secretsmanager-passwords/tasks/main.yml b/ansible/roles/secretsmanager-passwords/tasks/main.yml
@@ -13,7 +13,6 @@
   ansible.builtin.yum:
     name: "jq"
     state: present
-    enablerepo: "epel"
 
 # Using the cli instead of native ansible as we need to assume a role
 # to access secrets in other accounts

diff --git a/ansible/roles/ssm-passwords/meta/main.yml b/ansible/roles/ssm-passwords/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: epel
diff --git a/ansible/roles/ssm-passwords/tasks/main.yml b/ansible/roles/ssm-passwords/tasks/main.yml
@@ -8,7 +8,6 @@
   ansible.builtin.yum:
     name: "jq"
     state: present
-    enablerepo: "epel"
 
 - name: Get SSM Parameters
   set_fact:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		Enable epel repo

		I've seen occasional 403 errors on the URLs hence the option to download from S3.