commit 89534c2b81af845c666e114a94a1ab7812f5baef
Author: Adrian Reber <adrian(a)lisas.de>
Date: Thu Aug 6 20:05:36 2020 +0200
Add our new mirrorlist-server configuration
With this, RPM Fusion now uses only two mirrorlist servers. Instead
of the old Python-based code, this is now all implemented in Rust.
We run two mirrorlist-server processes on each host, with an Apache httpd
in front of them as load balancer and SSL termination.
Signed-off-by: Adrian Reber <adrian(a)lisas.de>
files/httpd/h2.conf.j2 | 1 +
inventory/group_vars/mirrorlist_server | 18 ++
inventory/inventory | 4 +
.../files/common-scripts/conditional-reload.sh | 26 +++
.../files/common-scripts/conditional-restart.sh | 10 +
playbooks/groups/mirrorlist-server.yml | 47 +++++
.../mirrorlist-server/files/balance-manager.sh | 125 ++++++++++++
.../mirrorlist-server/files/download_caches | 23 +++
.../files/mirrorlist-server-ssl.conf | 17 ++
.../files/mirrorlist-server.common | 48 +++++
.../mirrorlist-server/files/mirrorlist-server.conf | 4 +
.../files/restart-mirrorlist-containers | 97 ++++++++++
.../files/restart-mirrorlist-containers.j2 | 91 +++++++++
.../mirrormanager/mirrorlist-server/tasks/main.yml | 202 ++++++++++++++++++++
.../templates/mirrorlist.service.j2 | 16 ++
.../mirrormanager/mirrorlist-server/vars/main.yml | 2 +
16 files changed, 731 insertions(+), 0 deletions(-)
---
diff --git a/files/httpd/h2.conf.j2 b/files/httpd/h2.conf.j2
new file mode 100644
index 0000000..2627ea8
--- /dev/null
+++ b/files/httpd/h2.conf.j2
@@ -0,0 +1 @@
+Protocols h2 {% if not inventory_hostname.startswith('proxy') %} h2c {% endif %}
http/1.1
diff --git a/inventory/group_vars/mirrorlist_server
b/inventory/group_vars/mirrorlist_server
new file mode 100644
index 0000000..2ae973e
--- /dev/null
+++ b/inventory/group_vars/mirrorlist_server
@@ -0,0 +1,18 @@
+---
+
+motd_custom: |
+ This is one of the (currently as of this writing) three mirrorlist
+ servers of RPM Fusion. Using
mirrors.rpmfusion.org is "load balanced"
+ using DNS to one of the existing mirrorlist servers. To check the
+ results following command can be used:
+
+ curl
"http://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-rawhide&arch=x86_64"
+
+ Testing a specific mirrorlist can be done using:
+
+ curl "http://{{ inventory_hostname
}}/mirrorlist?repo=free-fedora-rawhide&arch=x86_64"
+
+ The server can be rebooted any time it is necessary without warning.
+ A short downtine of one of the mirrorlist servers can easily be
+ handled by the remaining servers. Longer downtimes require removal
+ of the IP address from the
mirrors.rpmfusion.org entry.
diff --git a/inventory/inventory b/inventory/inventory
index 7b7de4b..ae54afd 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -91,3 +91,7 @@
mirrorlist01.uase.rpmfusion.net
mirrorlist02.mv.rpmfusion.net
mirrorlist03.scaleway.rpmfusion.net
mirrorlist04.mv.rpmfusion.net
+
+[mirrorlist_server]
+mirrorlist06.hetzner.rpmfusion.net
+mirrorlist05.ovh.rpmfusion.net
diff --git a/playbooks/groups/files/common-scripts/conditional-reload.sh
b/playbooks/groups/files/common-scripts/conditional-reload.sh
new file mode 100644
index 0000000..988a08b
--- /dev/null
+++ b/playbooks/groups/files/common-scripts/conditional-reload.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# reload SERVICE only if PACKAGE is installed.
+# We use this throughout handlers/restart_services.yml
+
+SERVICE=$1
+PACKAGE=$2
+
+rpm -q $PACKAGE
+
+INSTALLED=$?
+
+if [ $INSTALLED -eq 0 ]; then
+ echo "Checking if $SERVICE is running"
+ /sbin/service $SERVICE status >& /dev/null
+ if [ $? == 0 ]; then
+ echo "Package $PACKAGE installed and running. Attempting reload of
$SERVICE."
+ /sbin/service $SERVICE reload
+ exit $? # Exit with the /sbin/service status code
+ fi
+ echo "Package $PACKAGE is install, but $SERVICE is not running,
skipping..."
+ exit 0
+fi
+
+# If the package wasn't installed, then pretend everything is fine.
+echo "Package $PACKAGE not installed. Skipping reload of $SERVICE."
+exit 0
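Review bot: `$PACKAGE` and `$SERVICE` are expanded unquoted on L92, L98 and L102, so an argument containing whitespace or glob characters is word-split before it reaches rpm or service, and the `rpm -q` probe on L92 also prints its result to stdout on every handler run. Quote the expansions and silence the probe: `rpm -q "$PACKAGE" >/dev/null 2>&1` and `/sbin/service "$SERVICE" status >& /dev/null`. The sibling conditional-restart.sh in this commit goes through systemctl while this script uses `/sbin/service`; on a systemd host that is presumably the compatibility shim, so it may be worth aligning the two.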
diff --git a/playbooks/groups/files/common-scripts/conditional-restart.sh
b/playbooks/groups/files/common-scripts/conditional-restart.sh
new file mode 100644
index 0000000..8da52dc
--- /dev/null
+++ b/playbooks/groups/files/common-scripts/conditional-restart.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# We use this to try and restart a service.
+# If it's not running, do nothing.
+# If it is running, restart it.
+#
+
+SERVICE=$1
+# Check if service unit is present before trying to restart it
+/usr/bin/systemctl cat $1.service &>/dev/null && /usr/bin/systemctl
try-restart $1 || true
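Review bot: `SERVICE=$1` on L127 is assigned but never read; the command on L129-L130 uses `$1` directly and unquoted. Use the variable, quoted, in both places: `/usr/bin/systemctl cat "$SERVICE.service" &>/dev/null && /usr/bin/systemctl try-restart "$SERVICE" || true`. The trailing `|| true` also hides a failed try-restart from the handler; if that is the intended best-effort behaviour, say so in the header comment, e.g. `# A failed restart is deliberately ignored so the handler never aborts the play.`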
diff --git a/playbooks/groups/mirrorlist-server.yml
b/playbooks/groups/mirrorlist-server.yml
new file mode 100644
index 0000000..e88697b
--- /dev/null
+++ b/playbooks/groups/mirrorlist-server.yml
@@ -0,0 +1,47 @@
+- name: mirrorlist-server
+ hosts: mirrorlist_server
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ pre_tasks:
+ - name: global default packages to install
+ package:
+ name:
+ - wget
+ - curl
+ - cronie
+ state: present
+ tags:
+ - packages
+ - name: global packages to remove
+ package:
+ name:
+ - sssd-common
+ state: absent
+ tags:
+ - packages
+ - name: set hostname
+ hostname: name="{{inventory_hostname}}"
+ - name: Install common scripts
+ copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755
+ with_fileglob:
+ - common-scripts/*
+ tags:
+ - common-scripts
+
+ - debug: msg="{{ansible_nodename}} {{ansible_domain}} {{inventory_hostname}}
{{ansible_distribution_major_version|int}}"
+
+ tasks:
+ - import_tasks: "{{ tasks_path }}/motd.yml"
+
+ roles:
+ - apache
+ - httpd/mod_ssl
+ - mirrormanager/mirrorlist-server
+
+ handlers:
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
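Review bot: `user: root` on L140 is the older alias of the play keyword `remote_user`, and `gather_facts: True` on L141 uses a YAML 1.1 boolean spelling; prefer `remote_user: root` and `gather_facts: true`. The pre_tasks also mix native YAML module arguments (L149-L154) with `key=value` shorthand on L165 and L167 in the same play, which makes the quoting rules differ from task to task; converting the shorthand tasks, e.g. `hostname:` / `name: "{{ inventory_hostname }}"`, keeps one style in the file.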
diff --git a/roles/mirrormanager/mirrorlist-server/files/balance-manager.sh
b/roles/mirrormanager/mirrorlist-server/files/balance-manager.sh
new file mode 100755
index 0000000..a9575c8
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/files/balance-manager.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+
+CURL=`which curl`
+if [ -z "$CURL" ]; then
+ echo "curl not found"
+ exit 1
+fi
+
+server="localhost"
+port="80"
+manager="balancer-manager"
+
+while getopts "s:p:m:" opt; do
+ case "$opt" in
+ s)
+ server=$OPTARG
+ ;;
+ p)
+ port=$OPTARG
+ ;;
+ m)
+ manager=$OPTARG
+ ;;
+ esac
+done
+
+shift $(($OPTIND - 1))
+action=$1
+
+
+list_balancers() {
+ $CURL -s "http://${server}:${port}/${manager}" | grep "balancer://"
| sed "s/.*balancer:\/\/\(.*\)<\/a>.*/\1/"
+}
+
+list_workers() {
+ balancer=$1
+ if [ -z "$balancer" ]; then
+ echo "Usage: $0 [-s host] [-p port] [-m balancer-manager] list-workers
balancer_name"
+ echo " balancer_name : balancer name"
+ exit 1
+ fi
+ $CURL -s "http://${server}:${port}/${manager}" | grep
"/balancer-manager?b=${balancer}&w" | sed
"s/.*href='\(.[^']*\).*/\1/" | sed "s/.*w=\(.*\)&.*/\1/"
+}
+
+enable() {
+ balancer=$1
+ worker=$2
+ if [ -z "$balancer" ] || [ -z "$worker" ]; then
+ echo "Usage: $0 [-s host] [-p port] [-m balancer-manager] enable balancer_name
worker_route"
+ echo " balancer_name : balancer/cluster name"
+ echo " worker_route : worker route e.g.) ajp://192.1.2.3:8009"
+ exit 1
+ fi
+
+ nonce=`$CURL -s "http://${server}:${port}/${manager}" | grep nonce | grep
"${balancer}" | sed "s/.*nonce=\(.*\)['\"].*/\1/" | tail -n
1`
+ if [ -z "$nonce" ]; then
+ echo "balancer_name ($balancer) not found"
+ exit 1
+ fi
+
+ echo "Enabling $2 of $1..."
+ $CURL -s -o /dev/null -XPOST "http://${server}:${port}/${manager}?" -d
b="${balancer}" -d w="${worker}" -d nonce="${nonce}" -d
w_status_D=0 -H "Referer: http://${server}:${port}/${manager}?"
+ sleep 2
+ status
+}
+
+disable() {
+ balancer=$1
+ worker=$2
+ if [ -z "$balancer" ] || [ -z "$worker" ]; then
+ echo "Usage: $0 [-s host] [-p port] [-m balancer-manager] disable
balancer_name worker_route"
+ echo " balancer_name : balancer/cluster name"
+ echo " worker_route : worker route e.g.) ajp://192.1.2.3:8009"
+ exit 1
+ fi
+
+ echo "Disabling $2 of $1..."
+ nonce=`$CURL -s "http://${server}:${port}/${manager}" | grep nonce | grep
"${balancer}" | sed "s/.*nonce=\(.*\)['\"].*/\1/" | tail -n
1`
+ if [ -z "$nonce" ]; then
+ echo "balancer_name ($balancer) not found"
+ exit 1
+ fi
+
+ $CURL -s -o /dev/null -XPOST "http://${server}:${port}/${manager}?" -d
b="${balancer}" -d w="${worker}" -d nonce="${nonce}" -d
w_status_D=1 -H "Referer: http://${server}:${port}/${manager}?"
+ sleep 2
+ status
+}
+
+status() {
+ $CURL -s "http://${server}:${port}/${manager}" | grep "href" | sed
"s/<[^>]*>/ /g"
+}
+
+case "$1" in
+ list-balancer)
+ list_balancers "${@:2}"
+ ;;
+ list-worker)
+ list_workers "${@:2}"
+ ;;
+ enable)
+ enable "${@:2}"
+ ;;
+ disable)
+ disable "${@:2}"
+ ;;
+ status)
+ status "${@:2}"
+ ;;
+ *)
+ echo "Usage: $0 {list-balancer|list-worker|enable|disable|status}"
+ echo ""
+ echo "Options: "
+ echo " -s server"
+ echo " -p port"
+ echo " -m balancer-manager-context-path"
+ echo ""
+ echo "Commands: "
+ echo " list-balancer"
+ echo " list-worker balancer-name"
+ echo " enable balancer_name worker_route"
+ echo " disable balancer_name worker_route"
+ exit 1
+esac
+
+exit $?
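Review bot: `action=$1` on L220 is assigned but never read, because the dispatch on L300 switches on `$1` directly; either drop the variable or write `case "$action" in`. The function named `enable` on L241 shadows the bash builtin of the same name; it works since functions take precedence over builtins, but a name such as `enable_worker` (and `disable_worker` for symmetry) avoids the surprise. `CURL=\`which curl\`` on L195 depends on an external `which`; `CURL=$(command -v curl)` is the portable form and fits the `$(...)` already used on L219.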
diff --git a/roles/mirrormanager/mirrorlist-server/files/download_caches
b/roles/mirrormanager/mirrorlist-server/files/download_caches
new file mode 100755
index 0000000..c7dd5c3
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/files/download_caches
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+CACHE=/srv/mirrorlist/data/mirrorlist1/
+
+cd $CACHE
+
+FILES="country_continent.csv mirrorlist_cache.proto global_netblocks.txt
i2_netblocks.txt"
+
+for i in ${FILES}; do
+ wget -q -N
http://lisas.de/mirrorlist-statistics/$i
+done
+
+FILES="pl.tar.gz"
+
+cd /var/www/mirrors.rpmfusion.org
+
+SUM_BEFORE=`cat ${FILES} | md5sum`
+wget -q -N
http://lisas.de/.cache/${FILES}
+SUM_AFTER=`cat ${FILES} | md5sum`
+
+if [[ "${SUM_AFTER}" != "${SUM_BEFORE}" ]]; then
+ tar xf ${FILES}
+fi
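Review bot: The netblock and cache files that feed the mirrorlist server are fetched over cleartext `http://lisas.de/...` on L351 and L360 with no integrity check, and the downloaded archive is then unpacked into the web root by `tar xf` on L364, so anything on the path can substitute the content the server will act on. The same host is reached as `https://lisas.de` elsewhere in this commit (mirrorlist-server.common, L420), so switching both URLs to https looks like the minimal fix; the md5sum comparison on L358-L363 only detects change, it does not authenticate the file. The two `cd` calls on L344 and L356 are also unchecked, so if either fails the downloads and the extraction land in whatever the current directory is; use `cd "$CACHE" || exit 1` (or `set -e` at the top) and quote `$CACHE`.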
diff --git a/roles/mirrormanager/mirrorlist-server/files/mirrorlist-server-ssl.conf
b/roles/mirrormanager/mirrorlist-server/files/mirrorlist-server-ssl.conf
new file mode 100644
index 0000000..6ad8220
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/files/mirrorlist-server-ssl.conf
@@ -0,0 +1,17 @@
+<VirtualHost _default_:443>
+
+ SSLEngine on
+
+ # Intermediate configuration, tweak to your needs
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+ SSLHonorCipherOrder on
+
+ SSLOptions +StrictRequire
+ SSLCertificateFile /etc/letsencrypt/live/mirrors.rpmfusion.org/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/mirrors.rpmfusion.org/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/mirrors.rpmfusion.org/chain.pem
+
+ Include conf.d/mirrorlist-server.common
+
+</VirtualHost>
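Review bot: `SSLProtocol all -SSLv2 -SSLv3` on L378 still negotiates TLS 1.0 and 1.1, and the cipher list on L380 keeps 3DES (`DES-CBC3-SHA`) plus the catch-all `AES` and `CAMELLIA` groups, so the "Intermediate configuration" comment on L377 describes an older profile than the name suggests. Unless legacy clients are known to be needed, `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and removing `DES-CBC3-SHA` from the list brings it in line with current intermediate guidance. `SSLCertificateChainFile` on L386 is deprecated since httpd 2.4.8; pointing `SSLCertificateFile` at Let's Encrypt's `fullchain.pem` replaces both L384 and L386.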
diff --git a/roles/mirrormanager/mirrorlist-server/files/mirrorlist-server.common
b/roles/mirrormanager/mirrorlist-server/files/mirrorlist-server.common
new file mode 100644
index 0000000..a911574
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/files/mirrorlist-server.common
@@ -0,0 +1,48 @@
+ServerAdmin webmaster(a)rpmfusion.org
+DocumentRoot /var/www/mirrors.rpmfusion.org
+
+RewriteEngine on
+RewriteOptions inherit
+
+SSLProxyEngine On
+
+RewriteRule ^/(free|nonfree)/(fedora|el)/updates/([^/]+)/([^/]+)/?$
http://mirrors.rpmfusion.org/mirrorlist?repo=$1-$2-updates-released-$3&am...
[R=301,last]
+RewriteRule ^/(free|nonfree)/(fedora|el)/(rawhide|development)/([^/]+)/?$
http://mirrors.rpmfusion.org/mirrorlist?repo=$1-$2-rawhide&arch=$4 [R=301,last]
+RewriteRule ^/(free|nonfree)/(fedora|el)/([^/]+)/([^/]+)/?$
http://mirrors.rpmfusion.org/mirrorlist?repo=$1-$2-$3&arch=$4 [R=301,last]
+
+RewriteCond %{HTTPS} !=on
+RewriteCond %{REQUEST_URI} ^/statistics(.*)
+RewriteRule ^/?(.*)
https://mirrors.rpmfusion.org/$1 [R,L]
+
+RewriteRule ^/statistics(.*)
https://lisas.de/mirrorlist-statistics$1 [P,L]
+ProxyPassReverse /statistics/
https://lisas.de/mirrorlist-statistics/
+
+RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge(.*)
+RewriteCond %{REQUEST_URI} !^/metalink(.*)
+RewriteCond %{REQUEST_URI} !^/logs(.*)
+RewriteCond %{REQUEST_URI} !^/mirrorlist(.*)
+RewriteCond %{REQUEST_URI} !^/mm/publiclist(.*)
+RewriteCond %{REQUEST_URI} !^/balancer-manager(.*)
+RewriteRule ^/(.*)$
http://rpmfusion.org/$1 [R=301]
+
+KeepAlive Off
+Alias /logs/ /var/log/mirrormanager/
+<Directory /var/log/mirrormanager/>
+ Require ip 129.143.116.10
+ Require ip 2001:7c0:700::10
+</Directory>
+
+<Proxy "balancer://mycluster">
+ BalancerMember "http://localhost:18081"
+ BalancerMember "http://localhost:18082"
+</Proxy>
+
+ProxyPass "/mirrorlist" "balancer://mycluster/mirrorlist"
+ProxyPassReverse "/mirrorlist" "balancer://mycluster/mirrorlist"
+ProxyPass "/metalink" "balancer://mycluster/metalink"
+ProxyPassReverse "/metalink" "balancer://mycluster/metalink"
+
+<Location "/balancer-manager">
+ SetHandler balancer-manager
+ Require local
+</Location>
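Review bot: The repository-path redirects on L406-L412 send clients to `http://mirrors.rpmfusion.org/mirrorlist?...` unconditionally, so a request that arrived over HTTPS through the :443 vhost that includes this file is bounced back to cleartext, whereas the statistics rules on L414-L417 take care to move clients to https. A relative substitution keeps the scheme of the current request, e.g. `RewriteRule ^/(free|nonfree)/(fedora|el)/(rawhide|development)/([^/]+)/?$ /mirrorlist?repo=$1-$2-rawhide&arch=$4 [R=301,L]`, or use `%{REQUEST_SCHEME}://%{HTTP_HOST}/mirrorlist?...` if an absolute URL is preferred. The two `Require ip` addresses on L436-L437 would also benefit from a comment naming the host they belong to, since nothing else in the file identifies them.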
diff --git a/roles/mirrormanager/mirrorlist-server/files/mirrorlist-server.conf
b/roles/mirrormanager/mirrorlist-server/files/mirrorlist-server.conf
new file mode 100644
index 0000000..41e6a27
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/files/mirrorlist-server.conf
@@ -0,0 +1,4 @@
+ServerLimit 900
+MaxRequestWorkers 900
+
+Include conf.d/mirrorlist-server.common
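Review bot: `ServerLimit 900` and `MaxRequestWorkers 900` on L461-L462 mean different things depending on the MPM — one process per request under prefork, but a worker cap bounded by `ServerLimit * ThreadsPerChild` under event/worker — and the file does not say which one the numbers were sized for. A one-line comment above them would save the next maintainer a guess, e.g. `# TODO(review): state which MPM these limits were tuned for; under event/worker MaxRequestWorkers is bounded by ServerLimit * ThreadsPerChild.`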
diff --git a/roles/mirrormanager/mirrorlist-server/files/restart-mirrorlist-containers
b/roles/mirrormanager/mirrorlist-server/files/restart-mirrorlist-containers
new file mode 100644
index 0000000..06760ef
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/files/restart-mirrorlist-containers
@@ -0,0 +1,97 @@
+#!/bin/bash
+
+## ports for mirrors
+mirrorlist1="http://localhost:18081/metalink?repo=free-fedora-rawhide&arch=x86_64"
+mirrorlist2="http://localhost:18082/metalink?repo=free-fedora-rawhide&arch=x86_64"
+
+TIME_DRAIN=30
+TIME_RESTART=5
+TIME_DISABLE=5
+
+if [ ! -f /srv/mirrorlist/data/mirrorlist2/global_netblocks.txt ];
+then
+ cp /srv/mirrorlist/data/mirrorlist1/* /srv/mirrorlist/data/mirrorlist2/
+fi
+
+## check mirrorlist1 running
+if [ `systemctl show mirrorlist1 -p ActiveState` != 'ActiveState=active' ]; then
+ # mirrorlist1 not running, there is a problem
+ echo "Error: mirrorlist1 is not running as expected"
+ exit 1
+fi
+
+## check mirrorlist2 running
+if [ `systemctl show mirrorlist2 -p ActiveState` != 'ActiveState=active' ]; then
+ # mirrorlist2 not running, maybe a new install
+ systemctl start mirrorlist2
+ touch /srv/mirrorlist/data/mirrorlist1/mirrorlist_cache.proto
+fi
+
+## Check that protbuf cache is newer than old protobuf cache
+if [ /srv/mirrorlist/data/mirrorlist1/mirrorlist_cache.proto -nt
/srv/mirrorlist/data/mirrorlist2/mirrorlist_cache.proto ]; then
+ # new proto
+ :
+else
+ # No new proto
+ exit 0
+fi
+
+# check mirrorlist2 (old protbuf cache and see that it's processing ok)
+curl -q -H
mirrors.rpmfusion.org ${mirrorlist2} -s -f --retry 50 --retry-delay 10
--retry-connrefused --retry-max-time 180 | grep "sha512" >/dev/null
+if [ $? != 0 ]; then
+ echo "ERROR: mirrorlist2 not processing correctly"
+ exit 1
+fi
+
+# Disable mirrorlist1
+/usr/local/bin/balance-manager.sh disable mycluster
http://localhost:18081 >&
/dev/null
+sleep ${TIME_DISABLE}
+
+# restart mirrorlist1 (new protbuf cache and make sure it's processing ok)
+systemctl stop mirrorlist1
+sleep 1
+systemctl start mirrorlist1
+if [[ ${?} -ne 0 ]]; then
+ systemctl start mirrorlist1
+ if [[ ${?} -ne 0 ]]; then
+ echo "Unable to start mirrorlist1"
+ exit 1
+ fi
+fi
+
+
+sleep ${TIME_RESTART}
+curl -q -H
mirrors.rpmfusion.org ${mirrorlist1} -s -f --retry 50 --retry-delay 10
--retry-connrefused --retry-max-time 180 | grep "sha512" >/dev/null
+if [ $? != 0 ]; then
+ echo "ERROR: mirrorlist1 did not restart correctly"
+ exit 1
+fi
+
+# New mirrorlist seems to be working, put it back into service
+/usr/local/bin/balance-manager.sh enable mycluster
http://localhost:18081 >&
/dev/null
+sleep ${TIME_RESTART}
+
+# copy new protbuf cache to mirrorlist2
+cp -a /srv/mirrorlist/data/mirrorlist1/* /srv/mirrorlist/data/mirrorlist2/
+
+# Disable mirrorlist2
+/usr/local/bin/balance-manager.sh disable mycluster
http://localhost:18082 >&
/dev/null
+sleep ${TIME_DISABLE}
+
+# restart mirrorlist2
+systemctl stop mirrorlist2
+sleep 1
+systemctl start mirrorlist2
+if [[ ${?} -ne 0 ]]; then
+ echo "Unable to start mirrorlist2"
+ exit 1
+fi
+
+sleep ${TIME_RESTART}
+curl -q -H
mirrors.rpmfusion.org ${mirrorlist2} -o/dev/null -s -f --retry 50
--retry-delay 10 --retry-connrefused --retry-max-time 180
+if [ $? != 0 ]; then
+ echo "ERROR: mirrorlist2 did not restart correctly"
+ exit 1
+fi
+
+/usr/local/bin/balance-manager.sh enable mycluster
http://localhost:18082 >&
/dev/null
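Review bot: The `-H mirrors.rpmfusion.org` passed to curl on L512-L513, L540-L541 and L573-L574 has no header name, and curl silently drops custom headers that contain neither `:` nor `;`, so the requests most likely go out with `Host: localhost:1808x`; if the intent was to exercise the mirrors.rpmfusion.org name, it should read `-H "Host: mirrors.rpmfusion.org"`. The same construct appears in restart-mirrorlist-containers.j2 (L626, L654, L687). The unquoted backtick substitutions inside `[ ... ]` on L488 and L495 turn into a test syntax error if systemctl prints nothing; write `if [ "$(systemctl show mirrorlist1 -p ActiveState)" != 'ActiveState=active' ]; then` and likewise for mirrorlist2. `TIME_DRAIN` on L478 is defined but never used.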
diff --git a/roles/mirrormanager/mirrorlist-server/files/restart-mirrorlist-containers.j2
b/roles/mirrormanager/mirrorlist-server/files/restart-mirrorlist-containers.j2
new file mode 100644
index 0000000..951b230
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/files/restart-mirrorlist-containers.j2
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+## ports for mirrors
+mirrorlist1="http://localhost:18081/metalink?repo=free-fedora-rawhide&arch=x86_64"
+mirrorlist2="http://localhost:18082/metalink?repo=free-fedora-rawhide&arch=x86_64"
+
+TIME_DRAIN=30
+TIME_RESTART=5
+TIME_DISABLE=5
+
+# Initial expected state is mirrorlist1 running, mirrorlist2 running and new protbuf
cache
+
+if [ ! -f /srv/mirrorlist/data/mirrorlist2/global_netblocks.txt ];
+then
+ cp /srv/mirrorlist/data/mirrorlist1/* /srv/mirrorlist/data/mirrorlist2/
+fi
+
+## Check that protbuf cache is newer than old protobuf cache
+if [ /srv/mirrorlist/data/mirrorlist1/mirrorlist_cache.proto -nt
/srv/mirrorlist/data/mirrorlist2/mirrorlist_cache.proto ]; then
+ # new proto
+ :
+else
+ # No new proto
+ exit 0
+fi
+## check mirrorlist1 running
+if [ `systemctl show mirrorlist1 -p ActiveState` != 'ActiveState=active' ]; then
+ # mirrorlist1 not running, there is a problem
+ echo "Error: mirrorlist1 is not running as expected"
+ exit 1
+fi
+
+# check mirrorlist2 (old protbuf cache and see that it's processing ok)
+curl -q -H
mirrors.rpmfusion.org ${mirrorlist2} -s -f --retry 50 --retry-delay 10
--retry-connrefused --retry-max-time 180 | grep "sha512" >/dev/null
+if [ $? != 0 ]; then
+ echo "ERROR: mirrorlist2 not processing correctly"
+ exit 1
+fi
+
+# Disable mirrorlist1
+echo /usr/local/bin/balance-manager.sh disable mycluster
http://localhost:18081 >&
/dev/null
+sleep ${TIME_DISABLE}
+
+# restart mirrorlist1 (new protbuf cache and make sure it's processing ok)
+systemctl stop mirrorlist1
+sleep 1
+systemctl start mirrorlist1
+if [[ ${?} -ne 0 ]]; then
+ systemctl start mirrorlist1
+ if [[ ${?} -ne 0 ]]; then
+ echo "Unable to start mirrorlist1"
+ exit 1
+ fi
+fi
+
+
+sleep ${TIME_RESTART}
+curl -q -H
mirrors.rpmfusion.org ${mirrorlist1} -s -f --retry 50 --retry-delay 10
--retry-connrefused --retry-max-time 180 | grep "sha512" >/dev/null
+if [ $? != 0 ]; then
+ echo "ERROR: mirrorlist1 did not restart correctly"
+ exit 1
+fi
+
+# New mirrorlist seems to be working, put it back into service
+echo /usr/local/bin/balance-manager.sh enable mycluster
http://localhost:18081 >&
/dev/null
+sleep ${TIME_RESTART}
+
+# copy new protbuf cache to mirrorlist2
+cp -a /srv/mirrorlist/data/mirrorlist1/* /srv/mirrorlist/data/mirrorlist2/
+
+# Disable mirrorlist2
+echo /usr/local/bin/balance-manager.sh disable mycluster
http://localhost:18082 >&
/dev/null
+sleep ${TIME_DISABLE}
+
+# restart mirrorlist2
+systemctl stop mirrorlist2
+sleep 1
+systemctl start mirrorlist2
+if [[ ${?} -ne 0 ]]; then
+ echo "Unable to start mirrorlist2"
+ exit 1
+fi
+
+sleep ${TIME_RESTART}
+curl -q -H
mirrors.rpmfusion.org ${mirrorlist2} -o/dev/null -s -f --retry 50
--retry-delay 10 --retry-connrefused --retry-max-time 180
+if [ $? != 0 ]; then
+ echo "ERROR: mirrorlist2 did not restart correctly"
+ exit 1
+fi
+
+echo /usr/local/bin/balance-manager.sh enable mycluster
http://localhost:18082 >&
/dev/null
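Review bot: This file appears to be a dry-run copy of restart-mirrorlist-containers — the balance-manager calls on L635, L663, L672 and L695 are prefixed with `echo` and the mirrorlist2-running check from the deployed script is absent — yet nothing in tasks/main.yml references it (only `restart-mirrorlist-containers` is copied, L878), and despite the `.j2` suffix it contains no Jinja. Either drop it or give it a header comment stating what it is for, e.g. `# Dry-run variant of restart-mirrorlist-containers: balancer changes are only echoed. Not deployed by the role.`, so it is not mistaken for a template that should be rendered.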
diff --git a/roles/mirrormanager/mirrorlist-server/tasks/main.yml
b/roles/mirrormanager/mirrorlist-server/tasks/main.yml
new file mode 100644
index 0000000..744ed17
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/tasks/main.yml
@@ -0,0 +1,202 @@
+---
+# tasklist for setting up the mirrorlist-server components
+# create mirrormanager user
+# create mirrormanager user
+- name: add mirrormanager user - uid {{ mirrormanager_uid }}
+ user: name=mirrormanager uid={{ mirrormanager_uid }} state=present
home=/home/mirrormanager createhome=yes
+ tags:
+ - mirrorlist_server
+
+- name: install packages for mirrorlist-server
+ package:
+ state: present
+ name:
+ - mirrorlist-server
+ - geolite2-country
+ - certbot
+ tags:
+ - packages
+ - mirrorlist_server
+
+- name: setup directories
+ file: dest="{{item}}" mode=0755 state=directory
+ with_items:
+ - /srv/mirrorlist
+ - /srv/mirrorlist/data
+ - /srv/mirrorlist/data/mirrorlist1
+ - /srv/mirrorlist/data/mirrorlist2
+ - /var/log/mirrormanager
+ - /etc/letsencrypt/live
+ tags:
+ - mirrorlist_server
+
+- name: make sure mirrormanager user can write new protobuf based cache file
+ file: dest="{{item}}" owner=mirrormanager group=mirrormanager
setype=_default
+ with_items:
+ - /srv/mirrorlist/data
+ - /srv/mirrorlist/data/mirrorlist1
+ - /srv/mirrorlist/data/mirrorlist2
+ - /var/log/mirrormanager
+ tags:
+ - mirrorlist_server
+
+- name: Ensure log file for content exists
+ file: dest="{{item}}" owner=mirrormanager group=mirrormanager mode=0755
state=touch setype=_default
+ with_items:
+ - /var/log/mirrormanager/mirrorlist1.service.log
+ - /var/log/mirrormanager/mirrorlist2.service.log
+ tags:
+ - mirrorlist_server
+
+- name: for the rust based mirrorlist server chown log files
+ file: dest="{{item}}" owner=mirrormanager group=mirrormanager
+ with_items:
+ - /var/log/mirrormanager/mirrorlist1.service.log
+ - /var/log/mirrormanager/mirrorlist2.service.log
+ tags:
+ - mirrorlist_server
+
+# We deploy two service files. Both listen on a different port, so that we can switch
+# them out as part of the protobuf cache deployment without having any local downtime.
+- name: Deploy service files
+ template: src=mirrorlist.service.j2 dest=/etc/systemd/system/mirrorlist{{ item
}}.service
+ with_items:
+ - 1
+ - 2
+ tags:
+ - mirrorlist_server
+ notify:
+ - reload systemd
+
+- name: Enable mirrorlist services
+ service: name=mirrorlist{{ item }} enabled=yes state=started
+ with_items:
+ - 1
+ - 2
+ tags:
+ - mirrorlist_server
+
+- name: make a /var/www/mirrors.rpmfusion.org directory
+ file:
dest=/var/www/mirrors.rpmfusion.org state=directory owner=mirrormanager
group=mirrormanager mode=0755
+ tags:
+ - mirrorlist_server
+
+- name: copy download_caches
+ copy: src=download_caches dest=/home/mirrormanager owner=mirrormanager
group=mirrormanager mode=0755
+ tags:
+ - mirrorlist_server
+
+- name: download caches cron
+ cron: name="download_caches" minute="*/5"
user="mirrormanager"
+ job="/home/mirrormanager/download_caches"
+ cron_file=download_caches
+ tags:
+ - mirrorlist_server
+
+- name: check for mirrorlist files
+ stat: path=/srv/mirrorlist/data/mirrorlist1/mirrorlist_cache.proto
+ register: mirrorlist_cache_status
+ tags:
+ - mirrorlist_server
+
+- name: Deploy mirrorlist data files (if this is a initial install)
+ command: /home/mirrormanager/download_caches
+ become: yes
+ become_user: mirrormanager
+ when: not mirrorlist_cache_status.stat.exists
+ tags:
+ - mirrorlist_server
+
+- name: mirrorlist-server apache conf common
+ copy: src=mirrorlist-server.common dest=/etc/httpd/conf.d/mirrorlist-server.common
+ notify:
+ - restart apache
+ tags:
+ - config
+ - mirrorlist_server
+
+
+- name: mirrorlist-server apache conf
+ copy: src=mirrorlist-server.conf dest=/etc/httpd/conf.d/mirrorlist-server.conf
+ notify:
+ - restart apache
+ tags:
+ - config
+ - mirrorlist_server
+
+- name: mirrorlist-server-ssl apache conf
+ copy: src=mirrorlist-server-ssl.conf dest=/etc/httpd/conf.d/mirrorlist-server-ssl.conf
+ notify:
+ - restart apache
+ tags:
+ - config
+ - mirrorlist_server
+
+# Copy the mirrorlist log file every hour to be ready to be processed
+- name: mirrorlist copy cron
+ cron: name="copy-mirrorlist" minute="55" hour="*"
user="mirrormanager"
+ job="cat /var/log/mirrormanager/mirrorlist?.service.log >
/var/log/mirrormanager/mirrorlist.log.`date +\%Y-\%m-\%d`"
+ cron_file=copy-mirrorlist
+ tags:
+ - mirrorlist_server
+
+- name: mirrorlist move cron
+ cron: name="move-mirrorlist" minute="1" hour="0"
user="mirrormanager"
+ job="cat /var/log/mirrormanager/mirrorlist?.service.log >
/var/log/mirrormanager/mirrorlist.log.`date +\%Y-\%m-\%d --date='yesterday'`; rm
-f /var/log/mirrormanager/mirrorlist?.service.log; touch
/srv/mirrorlist/data/mirrorlist1/mirrorlist_cache.proto"
+ cron_file=move-mirrorlist
+ tags:
+ - mirrorlist_server
+
+# Cleanup old mirrorlist logfile
+- name: mirrorlist clean cron
+ cron: name="clean-mirrorlist" minute="13" hour="13"
user="mirrormanager"
+ job="/usr/sbin/tmpwatch --mtime 7d /var/log/mirrormanager"
+ cron_file=clean-mirrorlist
+ tags:
+ - mirrorlist_server
+
+- name: install script to restart mirrorlist containers on protobuf cache changes
+ copy: src=restart-mirrorlist-containers
dest=/usr/local/bin/restart-mirrorlist-containers mode=0755
+ tags:
+ - mirrorlist_server
+
+- name: install script to control apache load balancer
+ copy: src=balance-manager.sh dest=/usr/local/bin/balance-manager.sh mode=0755
+ tags:
+ - mirrorlist_server
+
+- name: Setup hourly cron at for mirrorlist restarts
+ cron: name="restart-mirrorlist-containers" minute="*/6"
user="root"
+ job="/usr/local/bin/restart-mirrorlist-containers"
+ cron_file=restart-mirrorlist-containers
+ tags:
+ - mirrorlist_server
+
+- name: Set cron MAILTO for restart-mirrorlist-containers
+ cronvar:
+ name: MAILTO
+ value: "adrian(a)lisas.de"
+ cron_file: restart-mirrorlist-containers
+ tags:
+ - mirrorlist_server
+
+- name: Set httpd_can_network_connect flag on and keep it persistent across reboots
+ seboolean:
+ name: httpd_can_network_connect
+ state: yes
+ persistent: yes
+ tags:
+ - mirrorlist_server
+
+- name: Enable SELinux
+ selinux:
+ policy: targeted
+ state: enforcing
+ tags:
+ - mirrorlist_server
+
+- name: mask systemd-journald-audit.socket
+ systemd:
+ name: systemd-journald-audit.socket
+ enabled: no
+ masked: yes
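Review bot: The task named "Setup hourly cron at for mirrorlist restarts" on L888 schedules `minute="*/6"` on L889, i.e. every six minutes, so the name and the schedule disagree; rename it, e.g. `name: Cron to check for protobuf cache changes every 6 minutes`. `mirrormanager_gid` from vars/main.yml (L957) is never used: the `user:` task on L710 pins only the uid, so the `group=mirrormanager` ownership on L739, L750, L759 and L789 relies on whatever group the user module creates; add a `group: name=mirrormanager gid={{ mirrormanager_gid }} state=present` task before L709 or drop the variable. `/etc/letsencrypt/live` is created with `mode=0755` on L734 while certbot manages the permissions of that tree itself (historically 0700, with private keys under `archive/`); confirm the widening is intended before the role enforces it on every run. The truthy values `become: yes` (L816), `state: yes` (L907) and `enabled: no` / `masked: yes` (L922-L923) should be `true`/`false`.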
diff --git a/roles/mirrormanager/mirrorlist-server/templates/mirrorlist.service.j2
b/roles/mirrormanager/mirrorlist-server/templates/mirrorlist.service.j2
new file mode 100644
index 0000000..af25879
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/templates/mirrorlist.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Mirrorlist Server {{ item }}
+
+[Service]
+User=mirrormanager
+ExecStart=/usr/bin/mirrorlist-server \
+ --port 1808{{ item }} \
+ --listen 127.0.0.1 \
+ -l /var/log/mirrormanager/%n.log \
+ --cache /srv/mirrorlist/data/mirrorlist{{ item }}/mirrorlist_cache.proto \
+ --internet2_netblocks /srv/mirrorlist/data/mirrorlist{{ item
}}/i2_netblocks.txt \
+ --global_netblocks /srv/mirrorlist/data/mirrorlist{{ item
}}/global_netblocks.txt \
+ --cccsv /srv/mirrorlist/data/mirrorlist{{ item }}/country_continent.csv
+
+[Install]
+WantedBy=multi-user.target
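Review bot: The `[Service]` section has no `Restart=` policy, so a crashed mirrorlist instance stays down until the cron in tasks/main.yml or an operator notices, and the unit applies none of systemd's sandboxing to a process that serves network requests (on loopback, per L938). Adding `Restart=on-failure`, `NoNewPrivileges=yes` and `ProtectSystem=full` under `[Service]` covers the common case; `ProtectSystem=full` leaves `/var` and `/srv` writable, which is where the paths on L939-L945 live, but confirm the binary needs no other write access before enabling it.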
diff --git a/roles/mirrormanager/mirrorlist-server/vars/main.yml
b/roles/mirrormanager/mirrorlist-server/vars/main.yml
new file mode 100644
index 0000000..0aad3f8
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist-server/vars/main.yml
@@ -0,0 +1,2 @@
+mirrormanager_uid: 441
+mirrormanager_gid: 441