test: introduce GitLab-CI functionality

eee1a286 · Jörg Sachse · 05b1b1b1 · 05b1b1b1 · eee1a286 · eee1a286
Commit eee1a286 authored 2 years ago by Jörg Sachse
--- a/requirements.yml
+++ b/requirements.yml
---
-# https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#installing-multiple-roles-from-a-file
- src: git+https://git.slub-dresden.de/digital-preservation/ansible_lza_install_common.git
-  scm: git
- src: git+https://git.slub-dresden.de/digital-preservation/ansible_lza_server_hardening.git
-  scm: git
- src: git+https://git.slub-dresden.de/digital-preservation/ansible_slub_osquery.git
-  scm: git
-#- src: git+
-#  scm: git
--- a/tasks/configure_repos.yml
+++ b/tasks/configure_repos.yml
@@ -2,24 +2,37 @@
 # Systems have to be subscribed with RedHat in order to be able to use software
 # repositories, install software and receive updates/support.
 - name: subscribe system with RedHat
-  redhat_subscription:
+  community.general.redhat_subscription:
    state: present
    username: "{{ vault_rhel_username }}"
    password: "{{ vault_rhel_password }}"
    auto_attach: true
+  # We cannot test this in Molecule, because subscribing requires a valid
+  # license, which we don't have.
+  tags: [molecule-notest]
 - name: activate RHEL repos
-  rhsm_repository:
+  community.general.rhsm_repository:
    name: "{{ item }}"
    state: enabled
  loop:
    - "rhel-7-server-optional-rpms"
    - "rhel-7-server-rh-common-rpms"
    - "rhel-7-server-extras-rpms"
+  # We cannot test this in Molecule because this can only be done on systems
+  # with a valid subscription (see previous task).
+  tags: [molecule-notest]
+
+- name: install additional GPG keys
+  ansible.builtin.rpm_key:
+    key: "{{ item }}"
+  loop:
+    # EPEL
+    - "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"

 # Additional software is made available through the EPEL (Extra Packages for
 # Enterprise Linux) repository, which is managed by the Fedora Special Interest
 # Group of the same name.
 - name: activate EPEL repos
-  yum:
-    name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
+  ansible.builtin.yum:
+    name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
    state: installed
--- a/tasks/configure_ssh_client.yml
+++ b/tasks/configure_ssh_client.yml
 ---
 - name: add SSH key
-  authorized_key:
+  ansible.builtin.authorized_key:
    comment: "{{ item.ssh_comment | default(omit) }}"
    key: "{{ item.ssh_key }}"
    user: "{{ item.name }}"

--- a/tasks/configure_users.yml
+++ b/tasks/configure_users.yml
 ---
 - name: create groups
-  group:
-    name: sudo
+  ansible.builtin.group:
+    name: "sudo"
    system: true

 - name: create users
-  user:
+  ansible.builtin.user:
    name: "{{ item.name }}"
    uid: "{{ item.uid | default(omit) }}"
    comment: "{{ item.comment | default(omit) }}"
@@ -14,9 +14,10 @@
    groups: "sudo"
    shell: "{{ item.shell | default('/bin/bash') }}"
  loop: "{{ vault_users }}"
+  no_log: true

 - name: grant sudo
-  blockinfile:
+  ansible.builtin.blockinfile:
    path: "/etc/sudoers.d/group_sudo"
    create: true
    owner: "root"

--- a/tasks/install_tsm_client.yml
+++ b/tasks/install_tsm_client.yml
 ---
- name: download IBM TSM Client setup checksum file
-  get_url:
+- name: Download IBM TSM Client setup checksum file.
+  ansible.builtin.get_url:
    url: "https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/client/v8r1/Linux/LinuxX86/BA/{{ tsm_version_short | default(tsm_default_version_short) }}/{{ tsm_version_long | default(tsm_default_version_long) }}.0-TIV-TSMBAC-LinuxX86.tar.sha256sum.txt"
    dest: "/tmp/"
+    mode: "0644"
  delegate_to: 127.0.0.1

- name: extract IBM TSM Client setup archive checksum from file
-  set_fact:
+- name: >
+    Extract IBM TSM Client setup archive checksum from file. We want to use
+    this info later to verify the integrity of our download.
+  ansible.builtin.set_fact:
    tsm_checksum: "{{ lookup('file', '/tmp/'+ tsm_version_long | default(tsm_default_version_long) +'.0-TIV-TSMBAC-LinuxX86.tar.sha256sum.txt').split(' ')[0] | lower }}"

- name: download IBM TSM Client setup files
-  get_url:
+
+
+- name: >
+    Check if IBM TSM Client setup file has already been downloaded. If it has,
+    we can skip the next step, which might otherwise take very long.
+  ansible.builtin.stat:
+    path: "/tmp/{{ tsm_version_long | default(tsm_default_version_long) }}.0-TIV-TSMBAC-LinuxX86.tar"
+    checksum_algorithm: "sha256"
+  register: ibmsp_tar
+
+- name: >
+    Download IBM TSM Client setup file. (Be patient, IBM doesn't want to give
+    us appropriate download speeds. This will take about 6 minutes.)
+  ansible.builtin.get_url:
    url: "https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/client/v8r1/Linux/LinuxX86/BA/{{ tsm_version_short | default(tsm_default_version_short) }}/{{ tsm_version_long | default(tsm_default_version_long) }}.0-TIV-TSMBAC-LinuxX86.tar"
    dest: "/tmp/"
+    mode: "0644"
    checksum: "sha256:{{ tsm_checksum | default(omit) }}"
+  when: (( not ibmsp_tar.stat.exists ) or 
+         ( not ibmsp_tar.stat.checksum == tsm_checksum ))
+
+

 - name: create temporary extraction dir
-  file:
-    path: "/tmp/tsm/"
+  ansible.builtin.file:
+    path: "/tmp/tsm/{{ tsm_version_short | default(tsm_default_version_short) }}/"
    state: directory
+    mode: "0755"

 - name: extract IBM TSM Client setup files
-  unarchive:
+  ansible.builtin.unarchive:
    src: "/tmp/{{ tsm_version_long | default(tsm_default_version_long) }}.0-TIV-TSMBAC-LinuxX86.tar"
-    dest: "/tmp/tsm/"
-    copy: false
+    dest: "/tmp/tsm/{{ tsm_version_short | default(tsm_default_version_short) }}/"
+    remote_src: true
+    owner: "root"
+    group: "root"
+
+- name: >
+    Install GPG keys for IBMSP and GSKit. They can't be grabbed online, so we
+    have to use the files that come with the tar archive.
+  ansible.builtin.rpm_key:
+    key: "/tmp/tsm/{{ tsm_version_short | default(tsm_default_version_short) }}/{{ item }}"
+  loop:
+    - "GSKit.pub2.pgp"
+    - "RPM-GPG-KEY-ibmpkg"

-# https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.12/client/t_inst_linuxx86client.html
+
+
+- name: >
+    Find all extracted RPM packages, so we don't have to hardcode their names.
+    That's cool, because some of them contain version numbers that we don't
+    want to constantly keep updated. Also, passing a list to
+    ansible.builtin.yum later on is much faster than looping through the
+    packages individually, and it saves us from dependency hell.
+  ansible.builtin.find:
+    path: "/tmp/tsm/{{ tsm_version_short | default(tsm_default_version_short) }}/"
+    pattern: "*.rpm"
+  register: rpm_packages
+  failed_when: rpm_packages.matched == 0
+
+# NOTE:
+#   - We need to install 'lsof' along with those, because it's a requirement
+#     for 'TIVsm-WebUI', but doesn't seem to get resolved correctly. The
+#     workaround is to install it separately first to satisfy the dependency.
+#     Only then we use the second loop iteration to install the rest of the
+#     packages.
+#   - We remove the 'TIVsm-JBB.x86_64.rpm' package from the list of install
+#     candidates, because we don't need it and it requires 'TIVsm-filepath',
+#     which we would have to compile on our own. So that's a big NOPE!
+# OFFICIAL IBM INSTALL DOCUMENTATION:
+#   - https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.15/client/t_inst_linuxx86client.html
+#   - https://www.ibm.com/docs/en/spectrum-protect/8.1.15?topic=clients-installing-linux-x86-64-client
+# LIST CREATION MAGIC STOLEN FROM:
+#   - https://stackoverflow.com/a/62197473
+#   - https://stackoverflow.com/a/60721624
 - name: install IBM TSM Client
-  yum:
-    name: [
-      '/tmp/tsm/gskcrypt64-8.0.55.21.linux.x86_64.rpm',
-      '/tmp/tsm/gskssl64-8.0.55.21.linux.x86_64.rpm',
-      '/tmp/tsm/TIVsm-API64.x86_64.rpm',
-      '/tmp/tsm/TIVsm-APIcit.x86_64.rpm',
-      '/tmp/tsm/TIVsm-BA.x86_64.rpm',
-      '/tmp/tsm/TIVsm-BAcit.x86_64.rpm',
-      '/tmp/tsm/TIVsm-BAhdw.x86_64.rpm'
-    ]
-  become: true
+  ansible.builtin.yum:
+    name: "{{ item }}"
+  loop:
+    - "lsof"
+    - "{{ rpm_packages.files | json_query('[*].path') | reject('match', '.*TIVsm-JBB.x86_64.rpm') | list | flatten }}"
+
+

 - name: make sure IBM Spectrum Protect backup service is active and running
-  systemd:
+  ansible.builtin.systemd:
    name: "dsmcad.service"
    enabled: true
  become: true

--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
 # tasks file for ansible_lza_bootstrap_rhel_server
 - name: include Ansible Vaults
-  include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}"
+  ansible.builtin.include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}"
  loop:
    - "redhat.vault"
    - "users.vault"
  tags: [always]

 - name: create users
-  import_tasks: configure_users.yml
+  ansible.builtin.import_tasks: configure_users.yml
  tags: [users]

 - name: prepare SSH access
-  import_tasks: configure_ssh_client.yml
+  ansible.builtin.import_tasks: configure_ssh_client.yml
  tags: [ssh]

 - name: activate software repositories
-  import_tasks: configure_repos.yml
+  ansible.builtin.import_tasks: configure_repos.yml
  tags: [repos]

 - name: install IBM Spectrum Protect Backup Client (formerly IBM TSM Client)
-  import_tasks: install_tsm_client.yml
+  ansible.builtin.import_tasks: install_tsm_client.yml
  tags: [tsm, ibmsp, backup]
--- a/vars/main.yml
+++ b/vars/main.yml
 ---
 # vars file for ansible_lza_bootstrap_rhel_server

-tsm_version_short: "v8112"
-tsm_version_long: "8.1.12"
+tsm_version_short: "v8115"
+tsm_version_long: "8.1.15"