ansible: add RHEL 8

Extend Ansible and Jenkins scripts for Red Hat Enterprise Linux 8.
Also add new `release-builder` role, for setting up ssh config and
keys to upload to the staging server, and changes to make the
playbook idempotent.

Author: richardlau

ansible/README.md

@@ -234,10 +234,10 @@ debugging problems, see the
 
 Unsorted stuff of things we need to do/think about
 
-- [ ] playbook: copy keys and config to release machines
+- [x] playbook: copy keys and config to release machines
 - [ ] avoid messing with keys on machines that has multiple usage such as jump
       hosts (or set up a new jump host)
-- [ ] copy release (staging) keys to release machines
+- [x] copy release (staging) keys to release machines
 - [ ] backup host: generate config, install rsnapshot
 - [ ] switch to slaveLog for all jenkins instances lacking stdout redirection
       (note: this depends on init type!)
@@ -262,7 +262,7 @@ Unsorted stuff of things we need to do/think about
       setup/raspberry-pi/README.md, some of these can be automated)
 - [ ] epel-release for centos - required for centos7 on packet.net arm64
       before ccache can be installed
-- [ ] make .ssh/config and .ssh/id_rsa for release machines, adding config
+- [x] make .ssh/config and .ssh/id_rsa for release machines, adding config
       for `node-www` and record host key for node-www
 - [ ] add explicit ARCH and DESTCPU for release machines (RV: I'm adding
       "arm64" manually for both to force the right thing, from memory I've

ansible/inventory.yml

@@ -46,6 +46,7 @@ hosts:
             ip: 169.48.19.173
             server_jobs: 6
         rhel7-s390x-1: {ip: 148.100.86.101, user: linux1}
+        rhel8-s390x-1: {ip: 148.100.84.27, user: linux1}
 
     - iinthecloud:
         ibmi73-ppc64_be-1: {ip: 65.183.160.62, user: nodejs}
@@ -152,6 +153,9 @@ hosts:
         rhel7-s390x-2: {ip: 148.100.86.117, user: linux1, build_test_v8: yes}
         rhel7-s390x-3: {ip: 148.100.86.28, user: linux1, build_test_v8: yes}
         rhel7-s390x-4: {ip: 148.100.86.94, user: linux1, build_test_v8: yes}
+        rhel8-s390x-1: {ip: 148.100.84.112, user: linux1, build_test_v8: yes}
+        rhel8-s390x-2: {ip: 148.100.84.240, user: linux1, build_test_v8: yes}
+        rhel8-s390x-3: {ip: 148.100.84.56, user: linux1, build_test_v8: yes}
         ubuntu1804-x64-1: {ip: 52.117.26.14, alias: jenkins-workspace-6}
         ubuntu1804-x64-2: {ip: 50.97.245.9}
 

ansible/playbooks/jenkins/worker/create.yml

@@ -16,6 +16,8 @@
     - { role: 'benchmarking',
         when: is_benchmark is defined and is_benchmark|bool == True }
     - jenkins-worker
+    - { role: release-builder,
+        when: '"release" in group_names' }
 
   pre_tasks:
 # Requires `secret: XXX` to be in the ansible/host_vars/HOST

ansible/roles/baselayout/tasks/main.yml

@@ -141,6 +141,16 @@
     state: link
     src: "/usr/local/bin/python2"
 
+# Required for V8 builds
+- name: rhel8 | update python package alternatives
+  community.general.alternatives:
+    link: /usr/bin/python
+    name: python
+    path: /usr/bin/python2
+  when:
+    - os == "rhel8"
+    - build_test_v8|default(False)
+
 - name: smartos17 | update gcc symlinks
   when: os == "smartos17"
   file:

ansible/roles/baselayout/tasks/partials/repo/rhel8.yml

@@ -0,0 +1,14 @@
+---
+
+# Red Hat Enterprise Linux 8
+
+- name: install GPG key for EPEL 8
+  become: yes
+  ansible.builtin.rpm_key:
+    key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
+    state: present
+
+- name: install EPEL 8
+  ansible.builtin.dnf:
+    name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+    state: present

ansible/roles/baselayout/vars/main.yml

@@ -144,6 +144,14 @@ packages: {
     'gcc-c++,sudo,git,zip,unzip,iptables-services,GConf2-devel,openssl-devel,python3',
   ],
 
+  rhel8_s390x: [
+    'GConf2-devel,python2' # Needed for V8 builds
+  ],
+
+  rhel8: [
+    'ccache,cmake,gcc-c++,gcc-toolset-11,git,make,python3',
+  ],
+
   smartos: [
     'gccmakedep',
     'git',

ansible/roles/bootstrap/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart iptables
+  ansible.builtin.service:
+    name: iptables
+    state: restarted

ansible/roles/bootstrap/tasks/main.yml

@@ -10,6 +10,7 @@
       loop_var: bootstrap_include
     with_first_found:
       - files:
+        - "{{ role_path }}/tasks/partials/{{ os }}-{{ arch }}.yml"
         - "{{ role_path }}/tasks/partials/{{ os }}.yml"
         - "{{ role_path }}/tasks/partials/{{ os|stripversion }}.yml"
         skip: true

ansible/roles/bootstrap/tasks/partials/rhel8-s390x.yml

@@ -0,0 +1,42 @@
+---
+
+# Red Hat Enterprise Linux 8 on s390x (LinuxONE)
+
+- name: run common RHEL 8 tasks
+  ansible.builtin.include_tasks: rhel8.yml
+
+- name: Firewall | install iptables-services
+  ansible.builtin.dnf:
+    name: iptables-services
+    state: present
+
+- name: Firewall | enable iptables
+  ansible.builtin.systemd:
+    enabled: yes
+    name: iptables
+
+- name: Firewall | remove firewalld
+  ansible.builtin.dnf:
+    name: firewalld
+    state: absent
+
+- name: Firewall | add rule to allow accepting multicast
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    insertafter: ":OUTPUT ACCEPT.*]"
+    line: "-A INPUT -m pkttype --pkt-type multicast -j ACCEPT"
+  notify: restart iptables
+
+- name: Firewall | add basic rule to allow communication locally
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    insertafter: ":OUTPUT ACCEPT.*]"
+    line: "-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT"
+  notify: restart iptables
+
+- name: Firewall | add additional rule to allow communication from 127.0.0.2
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    insertafter: ":OUTPUT ACCEPT.*]"
+    line: "-A INPUT -s 127.0.0.2/32 -d 127.0.0.1/32 -j ACCEPT"
+  notify: restart iptables

ansible/roles/bootstrap/tasks/partials/rhel8.yml

@@ -0,0 +1,9 @@
+---
+
+# Red Hat Enterprise Linux 8
+
+- name: register Red Hat subscription
+  community.general.redhat_subscription:
+    activationkey: "{{ type }}"
+    org_id: "{{ rh_org }}"
+    state: present