├── .config └── ansible-lint.yml ├── .github └── workflows │ ├── lint.yml │ ├── release.yml │ └── slugger.yml ├── README.md ├── defaults └── main.yml ├── files ├── cvmfs_prune_snapshots.sh ├── cvmfs_remount_sync.c ├── cvmfs_remount_sync.el_6 ├── cvmfs_remount_sync.el_7 ├── cvmfs_remount_sync.el_8 ├── cvmfs_remount_sync.el_9 ├── cvmfs_wipecache.c ├── cvmfs_wipecache.el_6 ├── cvmfs_wipecache.el_7 ├── cvmfs_wipecache.el_8 └── cvmfs_wipecache.el_9 ├── handlers └── main.yml ├── meta └── main.yml ├── tasks ├── apache.yml ├── client.yml ├── firewall.yml ├── gc.yml ├── init_debian.yml ├── init_redhat.yml ├── keys.yml ├── localproxy.yml ├── main.yml ├── options.yml ├── squid.yml ├── stratum0.yml ├── stratum1.yml └── stratumN.yml ├── templates ├── 01-manage-units.rules.j2 ├── localproxy_squid.conf.j2 └── stratum1_squid.conf.j2 ├── tests ├── inventory └── test.yml └── vars ├── debian.yml ├── main.yml └── redhat.yml /.config/ansible-lint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | skip_list: 3 | - no-handler 4 | -------------------------------------------------------------------------------- /.github/workflows/lint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ansible-lint 3 | on: [pull_request_target, push] 4 | 5 | jobs: 6 | ansible-lint: 7 | name: ansible-lint 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: actions/checkout@v2 11 | 12 | - uses: actions/setup-python@v2 13 | with: 14 | python-version: '3.x' 15 | 16 | - name: ansible-lint 17 | uses: reviewdog/action-ansiblelint@v1 18 | with: 19 | github_token: ${{ secrets.GITHUB_TOKEN }} 20 | reporter: github-pr-review 21 | filter_mode: nofilter 22 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This workflow requires a GALAXY_API_KEY secret present in the 
GitHub 3 | # repository or organization. 4 | # 5 | # See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy 6 | # See: https://github.com/ansible/galaxy/issues/46 7 | 8 | name: Release (by Tag Push) 9 | 10 | 'on': 11 | push: 12 | tags: 13 | - '*' 14 | 15 | jobs: 16 | release: 17 | name: Release 18 | runs-on: ubuntu-latest 19 | steps: 20 | - name: Check out the codebase. 21 | uses: actions/checkout@v2 22 | 23 | - name: Set up Python 3. 24 | uses: actions/setup-python@v2 25 | with: 26 | python-version: '3.x' 27 | 28 | - name: Install Ansible. 29 | run: pip3 install ansible-core 30 | 31 | - name: Trigger a new import on Galaxy. 32 | run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) --branch main 33 | -------------------------------------------------------------------------------- /.github/workflows/slugger.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This workflow requires a GALAXY_API_KEY secret present in the GitHub 3 | # repository or organization. 4 | # 5 | # See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy 6 | # See: https://github.com/ansible/galaxy/issues/46 7 | # 8 | # Note on the file name: 9 | # Reminding me (@hexylena) to make a release of a role was the last thing 10 | # @Slugger70 asked me our group chat. I'd forgotten to do it and he was 11 | # waiting on me for it, well, here's to you mate, none of us can forget to 12 | # make a point release again. 13 | 14 | name: "Automatic Regular Releases" 15 | 16 | on: 17 | workflow_dispatch: 18 | schedule: 19 | - cron: '0 0 * * 1' 20 | 21 | jobs: 22 | release: 23 | name: Release 24 | runs-on: ubuntu-latest 25 | steps: 26 | - name: Check out the codebase. 27 | uses: actions/checkout@v2 28 | with: 29 | fetch-depth: 0 30 | 31 | - name: Set up Python 3. 
32 | uses: actions/setup-python@v2 33 | with: 34 | python-version: '3.x' 35 | 36 | - name: Install Ansible. 37 | run: pip3 install ansible-core 38 | 39 | - name: Check for changes 40 | run: | 41 | LATEST_TAG=$(git describe --tags --abbrev=0) 42 | echo "The last released tag was ${LATEST_TAG}" 43 | CHANGES=$(git diff ${LATEST_TAG} --name-only | wc -l) 44 | echo "Found ${CHANGES} changed files" 45 | git diff ${LATEST_TAG} --name-only 46 | echo "changed_files=${CHANGES}" >> $GITHUB_ENV 47 | 48 | - name: Create a new git tag 49 | run: | 50 | LATEST_TAG=$(git describe --tags --abbrev=0) 51 | major_minor=$(echo "$LATEST_TAG" | sed 's/\(.*\..*\.\)\(.*\)/\1/') 52 | patch=$(echo "$LATEST_TAG" | sed 's/\(.*\..*\.\)\(.*\)/\2/') 53 | newpatch=$(echo "$patch + 1" | bc) 54 | NEW_TAG="${major_minor}${newpatch}" 55 | echo "$LATEST_TAG -> $NEW_TAG" 56 | 57 | git config user.name github-actions 58 | git config user.email github-actions@github.com 59 | git tag "$NEW_TAG" 60 | git push --tags 61 | if: env.changed_files > 0 62 | 63 | # We have to do this step as GHA prevents triggering it's own actions, to 64 | # prevent runaway loops. 65 | - name: Trigger a new import on Galaxy. 66 | run: | 67 | org=$(echo ${{ github.repository }} | cut -d/ -f1) 68 | repo=$(echo ${{ github.repository }} | cut -d/ -f2) 69 | key=${{ secrets.GALAXY_API_KEY }} 70 | ansible-galaxy role import --api-key $key $org $repo --branch main 71 | if: env.changed_files > 0 72 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | CVMFS 2 | ===== 3 | 4 | Install and configure [CernVM-FS (CVMFS)][cvmfs], particularly for [Galaxy][galaxy] servers. 
5 | 6 | [cvmfs]: https://cernvm.cern.ch/portal/filesystem 7 | [galaxy]: https://galaxyproject.org 8 | 9 | Requirements 10 | ------------ 11 | 12 | On Enterprise Linux (`ansible_os_family == "RedHat"`), it is assumed that you have enabled [Extra Packages for Enterprise 13 | Linux (EPEL)][epel] for CVMFS's dependencies. If you need to enable EPEL, [geerlingguy.repo-epel][repo-epel] can easily 14 | do this for you. 15 | 16 | [epel]: https://fedoraproject.org/wiki/EPEL 17 | [repo-epel]: https://galaxy.ansible.com/geerlingguy/repo-epel/ 18 | 19 | Role Variables 20 | -------------- 21 | 22 | All variables are optional. However, if unset, the role will essentially do nothing. See the [defaults][defaults] and 23 | [example playbook](#example-playbook) for examples. 24 | 25 | ## Galaxy Client 26 | 27 | Other than `cvmfs_role` as described below, [Galaxy][galaxy] administrators will most likely only need to set the 28 | `galaxy_cvmfs_repos_enabled` variable (disabled by default), which automatically configures the CVMFS client for 29 | [galaxyproject.org][galaxy] CVMFS repositories. 30 | 31 | The value of `galaxy_cvmfs_repos_enabled` can be either `config-repo` or any value that evaluates to `true` (or `false` 32 | to explicitly disable, although this is the default). Using `config-repo` is recommended since it causes the role to 33 | only install a minimal configuration needed to mount the `cvmfs-config.galaxyproject.org` CVMFS repository, and then 34 | uses CVMFS' [Config Repository][cvmfs-config-repo] support to obtain the configs for the other galaxyproject.org CVMFS 35 | repositories. This ensures you will always have up-to-date configs for all galaxyproject.org CVMFS repositories. 36 | 37 | Setting `galaxy_cvmfs_repos_enabled` to `config-repo` overrides the value of `cvmfs_config_repo` since there can be only 38 | one default config repo configured on the client. 
39 | 40 | Setting `galaxy_cvmfs_repos_enabled` to any other truthy value will causes the role to create a static configuration 41 | where the full configurations for each galaxyproject.org CVMFS repository is installed on the target host. This option 42 | is retained for legacy purposes. 43 | 44 | You can override the defaults for Galaxy's `cvmfs_keys`, `cvmfs_server_urls`, and `cvmfs_repositories` by prepending 45 | `galaxy_` to the variable names. See the [defaults][defaults] for details. 46 | 47 | If `galaxy_cvmfs_repos_enabled` is not set, full configuration of non-Galaxy repositories can be performed using the set 48 | of variables described below. 49 | 50 | ## Client or shared client/server variables 51 | 52 | variable | type | description 53 | --- | --- | --- 54 | `cvmfs_role` | string | Type of CVMFS host: `client`, `stratum0`, `stratum1`, or `localproxy`. Alternatively, you may put hosts in to groups `cvmfsclients`, `cvmfsstratum0servers`, `cvmfsstratum1servers`, and `cvmfslocalproxies`. Controls what packages are installed and what configuration is performed. 55 | `cvmfs_keys` | list of dicts | Keys to install on hosts of all types. 56 | `cvmfs_server_urls` | list of dicts | CVMFS server URLs, the value of `CVMFS_SERVER_URL` in `/etc/cvmfs/domain.d/.conf`. 57 | `cvmfs_repositories` | list of dicts | CVMFS repository configurations, the value of `CVMFS_REPOSITORIES` in `/etc/cvmfs/default.local` plus additional settings in `/etc/cvmfs/repositories.d//{client,server}.conf`. 58 | `cvmfs_config_repo` | dict | CVMFS [Configuration Repository][cvmfs-config-repo] configuration, see the value of `galaxy_cvmfs_config_repo` in the [defaults][defaults] for syntax. 59 | `cvmfs_quota_limit` | integer in MB | Size of CVMFS client cache. Default is `4000`. 60 | `cvmfs_upgrade_client` | boolean | Upgrade CVMFS on clients to the latest version if it is already installed. Default is `false`. 
61 | `cvmfs_preload_install` | boolean | Install the `cvmfs_preload` script for [preloading the CVMFS cache][preload]. 62 | `cvmfs_preload_path` | path | Directory where `cvmfs_preload` should be installed 63 | `cvmfs_install_setuid_cvmfs_wipecache` | boolean | Install a setuid binary on clients that allows unprivileged users to perform `cvmfs_config wipecache`. EL only (source is provided). 64 | `cvmfs_install_setuid_cvmfs_remount_sync` | boolean | Install a setuid binary on clients that allows unprivileged users to perform `cvmfs_talk remount sync`. EL only (source is provided). 65 | 66 | The complex (list of dict) variables have the following syntaxes: 67 | 68 | ```yaml 69 | cvmfs_keys: 70 | - path: 'absolute path to repo key.pub' 71 | owner: 'user owning key file (default: root)' 72 | key: | 73 | -----BEGIN PUBLIC KEY----- 74 | MIIBIjAN... 75 | 76 | cvmfs_server_urls: 77 | - domain: 'repo parent domain' 78 | urls: 79 | - 'repository URL' 80 | 81 | cvmfs_repositories: 82 | - repository: 'repo name' 83 | stratum0: 'stratum 0 hostname' 84 | owner: 'user owning repository (default: root)' 85 | key_dir: 'path to directory containing repo keys (default: /etc/cvmfs/keys)' 86 | server_options: 87 | - KEY=val 88 | client_options: 89 | - KEY=val 90 | ``` 91 | 92 | For Stratum 0 / Release Managers, you can automatically prune older snapshots using the `prune_snapshots_time`, a hash 93 | having keys that correspond to the [cron module 94 | options](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html). If 95 | `prune_snapshots_time` is unset, then snapshots are not automatically pruned. 
96 | 97 | ``` 98 | cvmfs_repositories: 99 | - repository: repo.example.org 100 | owner: user1 101 | prune_snapshots_count: 20 102 | prune_snapshots_time: 103 | special_time: daily 104 | ``` 105 | 106 | The per-repository `prune_snapshots_count` option defaults to the value of `cvmfs_stratum0_prune_snapshots_count` in 107 | [defaults/main.yml][defaults] if unset. 108 | 109 | ## Server variables 110 | 111 | variable | type | description 112 | --- | --- | --- 113 | `cvmfs_private_keys` | list of dicts | Keys to install on Stratum 0 hosts. Separate from `cvmfs_keys` for vaultability and avoiding duplication. 114 | `cvmfs_config_apache` | boolean | Configure Apache on Stratum 0 and 1 servers. If disabled, you must configure it yourself. Default is `true`. 115 | `cvmfs_manage_firewall` | boolean | Attempt to configure firewalld (EL) or ufw (Debian) to permit traffic to configured ports. Default is `false`. 116 | `cvmfs_squid_conf_src` | path | Path to template Squid configuration file (for Stratum 1 and local proxy servers). Defaults are in the role `templates/` directory. 117 | `cvmfs_stratum0_http_ports` | list of integers | Port(s) to configure Apache on Stratum 0 servers to listen on. Default is `80`. 118 | `cvmfs_stratum1_http_ports` | list of integers | Port(s) to configure Squid on Stratum 1 servers to listen on. Default is `80` and `8000`. 119 | `cvmfs_stratum1_apache_port` | integer | Port to configure Apache on Stratum 1 servers to listen on. Default is `8008`. 120 | `cvmfs_stratum1_cache_mem` | integer in MB | Amount of memory for Squid to use for caching. Default is `128`. 121 | `cvmfs_stratum1_cache_dir` | list of dicts | 122 | `cvmfs_localproxy_http_ports` | list of integers | Port(s) to configure Squid on local proxy servers to listen on. Default is `3128`. 123 | `cvmfs_upgrade_server` | boolean | Upgrade CVMFS on servers to the latest version if it is already installed. Default is `false`. 
124 | `cvmfs_srv_device` | path | Block device to create a filesystem on and mount for CVMFS data. Unset by default. 125 | `cvmfs_srv_fstype` | string | Filesystem to create on `cvmfs_srv_device`. Default is `ext4`. 126 | `cvmfs_srv_mount` | path | Path to mount CVMFS data volume on. Default is `/srv` (but is ignored if `cvmfs_srv_device` is unset). 127 | `cvmfs_union_fs` | string | Union filesystem type (`overlayfs` or `aufs`) for new repositories on Stratum 0 servers. 128 | `cvmfs_numfiles` | integer | Set the maximum number of open files in `/etc/security/limits.conf`. Useful with the `CVMFS_NFILES` client option on Stratum 0 servers. 129 | 130 | [defaults]: https://github.com/galaxyproject/ansible-cvmfs/blob/master/defaults/main.yml 131 | [cvmfs-config-repo]: https://cvmfs.readthedocs.io/en/stable/cpt-configure.html#the-config-repository 132 | [preload]: http://cvmfs.readthedocs.io/en/stable/cpt-hpc.html 133 | 134 | Dependencies 135 | ------------ 136 | 137 | None. 138 | 139 | Example Playbook 140 | ---------------- 141 | 142 | Configure all hosts as CVMFS clients with configurations for the Galaxy CVMFS repositories: 143 | 144 | ```yaml 145 | - name: CVMFS 146 | hosts: all 147 | vars: 148 | cvmfs_role: client 149 | galaxy_cvmfs_repos_enabled: config-repo 150 | roles: 151 | - geerlingguy.repo-epel 152 | - galaxyproject.cvmfs 153 | ``` 154 | 155 | Create a Stratum 1 (mirror) of the Galaxy CVMFS repositories and configure clients to prefer your Stratum 1 (assuming 156 | you have configured hosts in groups `cvmfsclients` and `cvmfsstratum1servers`): 157 | 158 | ```yaml 159 | - name: CVMFS 160 | hosts: cvmfsclients:cvmfsstratum1servers 161 | vars: 162 | cvmfs_srv_device: /dev/sdb 163 | galaxy_cvmfs_repos_enabled: true 164 | # override the default 165 | galaxy_cvmfs_server_urls: 166 | - domain: galaxyproject.org 167 | urls: 168 | - "http://cvmfs.example.org/cvmfs/@fqrn@" 169 | - "http://cvmfs1-psu0.galaxyproject.org/cvmfs/@fqrn@" 170 | - 
"http://cvmfs1-iu0.galaxyproject.org/cvmfs/@fqrn@" 171 | - "http://cvmfs1-tacc0.galaxyproject.org/cvmfs/@fqrn@" 172 | - "http://cvmfs1-mel0.gvl.org.au/cvmfs/@fqrn@" 173 | - "http://cvmfs1-ufr0.galaxyproject.eu/cvmfs/@fqrn@" 174 | roles: 175 | - galaxyproject.cvmfs 176 | ``` 177 | 178 | Create your own CVMFS infrastructure. Run once without keys (new keys will be generated on repo creation): 179 | 180 | ```yaml 181 | - name: CVMFS 182 | hosts: cvmfsstratum0servers 183 | vars: 184 | cvmfs_numfiles: 4096 185 | cvmfs_server_urls: 186 | - domain: example.org 187 | urls: 188 | - "http://cvmfs0.example.org/cvmfs/@fqrn@" 189 | cvmfs_repositories: 190 | - repository: foo.example.org 191 | stratum0: cvmfs0.example.org 192 | key_dir: /etc/cvmfs/keys/example.org 193 | server_options: 194 | - CVMFS_AUTO_TAG=false 195 | - CVMFS_GARBAGE_COLLECTION=true 196 | - CVMFS_AUTO_GC=false 197 | client_options: 198 | - CVMFS_NFILES=4096 199 | - repository: bar.example.org 200 | stratum0: cvmfs0.example.org 201 | key_dir: /etc/cvmfs/keys/example.org 202 | roles: 203 | - galaxyproject.cvmfs 204 | ``` 205 | 206 | Once keys have been created, add them to `cvmfs_keys` and run the same as above but `hosts: all` and `cvmfs_keys` 207 | defined as: 208 | 209 | ```yaml 210 | - name: CVMFS 211 | vars: 212 | cvmfs_keys: 213 | - path: /etc/cvmfs/keys/example.org/foo.example.org.pub 214 | key: | 215 | -----BEGIN PUBLIC KEY----- 216 | MIIBIjAN... 217 | - path: /etc/cvmfs/keys/example.org/bar.example.org.pub 218 | key: | 219 | -----BEGIN PUBLIC KEY----- 220 | MIIBIjAN... 
221 | ``` 222 | 223 | License 224 | ------- 225 | 226 | MIT 227 | 228 | Author Information 229 | ------------------ 230 | 231 | [Nate Coraor](https://github.com/natefoo) 232 | [Helena Rasche](https://github.com/hexylena) 233 | 234 | [View contributors on GitHub](https://github.com/galaxyproject/ansible-cvmfs/graphs/contributors) 235 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for galaxyproject.cvmfs 3 | 4 | cvmfs_keys: [] 5 | cvmfs_private_keys: [] 6 | cvmfs_server_urls: [] 7 | cvmfs_repositories: [] 8 | cvmfs_http_proxies: 9 | - DIRECT 10 | 11 | cvmfs_manage_firewall: false 12 | 13 | cvmfs_stratum0_http_ports: 14 | - 80 15 | cvmfs_stratum1_http_ports: 16 | - 80 17 | - 8000 18 | cvmfs_localproxy_http_ports: 19 | - 3128 20 | 21 | cvmfs_stratum1_apache_port: "{{ cvmfs_stratum1_squid_enabled | ternary(8008, 80) }}" 22 | cvmfs_stratum1_cache_mem: 128 # MB 23 | 24 | cvmfs_stratum1_squid_enabled: true 25 | 26 | # Stratum 1 snapshot cron job timing, hash keys correspond to the cron module options: 27 | # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html 28 | # 29 | # cvmfs_stratum1_snapshot_time: 30 | # special_time: 31 | # hour: 32 | # minute: 33 | # day: 34 | # month: 35 | # weekday: 36 | # 37 | # e.g. for every 2 hours at 15 past: 38 | # cvmfs_stratum1_snapshot_time: 39 | # hour: */2 40 | # minute: 15 41 | # 42 | # Use @hourly by default: 43 | cvmfs_stratum1_snapshot_time: 44 | special_time: hourly 45 | 46 | # Number of snapshots to keep. Per the documentation, the recommended count is no more than 50. 
47 | cvmfs_stratum0_prune_snapshots_count: 50 48 | 49 | # Whether the client or server should be upgraded or just installed if missing 50 | cvmfs_upgrade_client: false 51 | cvmfs_upgrade_server: false 52 | 53 | # Install a setuid binary allowing unprivileged users to call `cvmfs_config wipecache` or `cvmfs_talk remount sync`? 54 | cvmfs_install_setuid_cvmfs_wipecache: false 55 | cvmfs_install_setuid_cvmfs_remount_sync: false 56 | # Used to select the right binaries in files/ 57 | _cvmfs_install_setuid_platform: "{{ ((ansible_os_family == 'RedHat') | ternary('el', ansible_distribution)) | lower }}" 58 | 59 | # Block device to mkfs/mount on stratum0s/stratum1s 60 | # cvmfs_srv_device: false 61 | cvmfs_srv_mount: /srv 62 | 63 | cvmfs_union_fs: overlayfs 64 | cvmfs_config_apache: true 65 | 66 | # Setup an optional cache directory for squid. Otherwise in-memory cache is used. 67 | # cvmfs_stratum1_cache_dir: 68 | # dir: /var/cache/squid 69 | # size: 1024 # 1 GB 70 | 71 | # You can manually specify a role if you don't want to or cannot use the 72 | # group_names 73 | cvmfs_role: "" # (client, Or stratum1 or stratum0 or localproxy) 74 | 75 | # Specify whether `cvmfs_server gc -a` should be run from cron to garbage collect all repos on the server, disable this 76 | # option if your repos don't use CVMFS_AUTO_GC=false. 77 | cvmfs_gc_enabled: true 78 | 79 | # Garbage collection log path (directory will be created if necessary). This is the default path but CVMFS packages 80 | # don't precreate the directory for you so `cvmfs_server gc -a` will fail by default. 81 | # Also as of 2.9.4, -a and -L are incompatible when you have repos owned by multiple users: 82 | # https://github.com/cvmfs/cvmfs/issues/3045 83 | # 84 | # cvmfs_gc_log: /var/log/cvmfs/gc.log 85 | 86 | # User to run garbage collection as. This user must have permission to gc all repositories on the server (i.e. 
it should 87 | # be `root` if you have repositories owned by multiple users) 88 | cvmfs_gc_user: root 89 | 90 | # Specify the options passed to `cvmfs_server gc`. If you override these you will need to include `-a -f` in your value 91 | # or the job will fail 92 | cvmfs_gc_options: -a -f {{ '-L ' ~ cvmfs_gc_log if cvmfs_gc_log is defined else '' }} 93 | 94 | # Garbage collection cron job timing, see cvmfs_stratum1_snapshot_time for syntax 95 | # 96 | # Use @weekly by default: 97 | cvmfs_gc_time: 98 | special_time: weekly 99 | 100 | # Optionally download the preload utility 101 | cvmfs_preload_install: false 102 | cvmfs_preload_path: /usr/bin 103 | 104 | # Support for CVMFS config repositories - see galaxy_cvmfs_config_repo for syntax 105 | cvmfs_config_repo: {} 106 | # CVMFS_CONFIG_REPOSITORY is not supported on Debian < 9, Ubuntu LTS < 18.04 107 | cvmfs_config_repo_supported: >- 108 | {{ 109 | 'true' if ansible_os_family != 'Debian' else ( 110 | 'true' if (ansible_distribution == 'Debian' and ansible_distribution_version is version('9', '>=')) else ( 111 | 'true' if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '>=')) else 112 | 'false')) 113 | }} 114 | 115 | # When to update the GeoIP database, if cvmfs_geo_license_key is defined 116 | # cvmfs_geo_license_key: consult the CVMFS documentation 117 | cvmfs_geoip_db_update_minute: "{{ 59 | random(seed=inventory_hostname) }}" 118 | cvmfs_geoip_db_update_hour: "{{ 23 | random(seed=inventory_hostname) }}" 119 | cvmfs_geoip_db_update_day: "{{ 28 | random(seed=inventory_hostname) }}" 120 | 121 | # You can make Stratum 1s snapshot over HTTPS if 122 | # 1. the Stratum 0 is appropriately configured to serve HTTPS (this role does not handle such configuration for you), 123 | # 2. the entry in 'cvmfs_repositories' has 'stratum0_url_scheme' set to 'https', and 124 | # 3. this points to a cert bundle that contains CA certs for your Stratum 0 (the default here is valid for EL). 
125 | # cvmfs_x509_cert_bundle: /etc/pki/tls/cert.pem 126 | 127 | # The role will deploy a PolicyKit rule that allows unprivileged users to manage the services in cvmfs_manage_units if 128 | # either of the following two options are set. 129 | 130 | # Either a list of usernames, or set to a boolean true to automatically use the 'owner's in cvmfs_repositories 131 | #cvmfs_manage_units_users: ... 132 | 133 | # A group name 134 | #cvmfs_manage_units_group: ... 135 | 136 | # The list of units that can be managed by users in the above group 137 | cvmfs_manage_units: 138 | - squid.service 139 | 140 | # 141 | # Galaxy-specific stuff follows 142 | # 143 | 144 | # Automatically configure Galaxy CVMFS repos 145 | galaxy_cvmfs_repos_enabled: false 146 | 147 | # Defaults for galaxyproject.org config repo, syntax for each key is the same as that of cvmfs_ 148 | galaxy_cvmfs_config_repo: 149 | domain: galaxyproject.org 150 | key: 151 | path: /etc/cvmfs/keys/galaxyproject.org/cvmfs-config.galaxyproject.org.pub 152 | key: | 153 | -----BEGIN PUBLIC KEY----- 154 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuJZTWTY3/dBfspFKifv8 155 | TWuuT2Zzoo1cAskKpKu5gsUAyDFbZfYBEy91qbLPC3TuUm2zdPNsjCQbbq1Liufk 156 | uNPZJ8Ubn5PR6kndwrdD13NVHZpXVml1+ooTSF5CL3x/KUkYiyRz94sAr9trVoSx 157 | THW2buV7ADUYivX7ofCvBu5T6YngbPZNIxDB4mh7cEal/UDtxV683A/5RL4wIYvt 158 | S5SVemmu6Yb8GkGwLGmMVLYXutuaHdMFyKzWm+qFlG5JRz4okUWERvtJ2QAJPOzL 159 | mAG1ceyBFowj/r3iJTa+Jcif2uAmZxg+cHkZG5KzATykF82UH1ojUzREMMDcPJi2 160 | dQIDAQAB 161 | -----END PUBLIC KEY----- 162 | urls: 163 | - http://cvmfs1-psu0.galaxyproject.org/cvmfs/@fqrn@ 164 | - http://cvmfs1-iu0.galaxyproject.org/cvmfs/@fqrn@ 165 | - http://cvmfs1-tacc0.galaxyproject.org/cvmfs/@fqrn@ 166 | - http://cvmfs1-ufr0.galaxyproject.eu/cvmfs/@fqrn@ 167 | - http://cvmfs1-mel0.gvl.org.au/cvmfs/@fqrn@ 168 | repository: 169 | repository: cvmfs-config.galaxyproject.org 170 | stratum0: cvmfs0-psu0.galaxyproject.org 171 | owner: "{{ cvmfs_repo_owner | default('root') }}" 172 | 
server_options: [] 173 | client_options: [] 174 | # Defaults for galaxyproject.org repos 175 | galaxy_cvmfs_keys: 176 | # This will become the key for all repos, currently cvmfs-config, singularity, and test 177 | - path: /etc/cvmfs/keys/galaxyproject.org/galaxyproject.org.pub 178 | key: | 179 | -----BEGIN PUBLIC KEY----- 180 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuJZTWTY3/dBfspFKifv8 181 | TWuuT2Zzoo1cAskKpKu5gsUAyDFbZfYBEy91qbLPC3TuUm2zdPNsjCQbbq1Liufk 182 | uNPZJ8Ubn5PR6kndwrdD13NVHZpXVml1+ooTSF5CL3x/KUkYiyRz94sAr9trVoSx 183 | THW2buV7ADUYivX7ofCvBu5T6YngbPZNIxDB4mh7cEal/UDtxV683A/5RL4wIYvt 184 | S5SVemmu6Yb8GkGwLGmMVLYXutuaHdMFyKzWm+qFlG5JRz4okUWERvtJ2QAJPOzL 185 | mAG1ceyBFowj/r3iJTa+Jcif2uAmZxg+cHkZG5KzATykF82UH1ojUzREMMDcPJi2 186 | dQIDAQAB 187 | -----END PUBLIC KEY----- 188 | - path: /etc/cvmfs/keys/galaxyproject.org/data.galaxyproject.org.pub 189 | key: | 190 | -----BEGIN PUBLIC KEY----- 191 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5LHQuKWzcX5iBbCGsXGt 192 | 6CRi9+a9cKZG4UlX/lJukEJ+3dSxVDWJs88PSdLk+E25494oU56hB8YeVq+W8AQE 193 | 3LWx2K2ruRjEAI2o8sRgs/IbafjZ7cBuERzqj3Tn5qUIBFoKUMWMSIiWTQe2Sfnj 194 | GzfDoswr5TTk7aH/FIXUjLnLGGCOzPtUC244IhHARzu86bWYxQJUw0/kZl5wVGcH 195 | maSgr39h1xPst0Vx1keJ95AH0wqxPbCcyBGtF1L6HQlLidmoIDqcCQpLsGJJEoOs 196 | NVNhhcb66OJHah5ppI1N3cZehdaKyr1XcF9eedwLFTvuiwTn6qMmttT/tHX7rcxT 197 | owIDAQAB 198 | -----END PUBLIC KEY----- 199 | - path: /etc/cvmfs/keys/galaxyproject.org/main.galaxyproject.org.pub 200 | key: | 201 | -----BEGIN PUBLIC KEY----- 202 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6S6Tugcv4kk4C06f574l 203 | YCXQdK6lv2m7mqCh60G0zL1+rAkkEBDWna0yMQLBbj+yDsHjcOe0yISzbTfzG6wk 204 | KnHZUQ/JOeK7lUAbDMxHqnjkEPAbAl4vXl2Y04MW2lzJtXcDKakmLirvV/dfUYqE 205 | gGGx0dc/Z+XmUTf1DvZFJknrBUUxO5+F6m7k/NGrlpAca+e9B0kwCclaE4NyaNWK 206 | Jv5rPWCYz5/sDNW4cNvBdBjwGf46etbczmJoTAbl0oM6LLGdebwkJStd0R1wkj+A 207 | torRYcoFZICTZqY9e/KsadHUeZnH3RvfMypH5oS1POzsFszoSxBhZIBkZbG3/f9Y 208 | OQIDAQAB 209 | -----END PUBLIC KEY----- 210 | 211 | 
galaxy_cvmfs_server_urls: 212 | - domain: galaxyproject.org 213 | use_geoapi: false 214 | urls: 215 | - http://cvmfs1-psu0.galaxyproject.org/cvmfs/@fqrn@ 216 | - http://cvmfs1-iu0.galaxyproject.org/cvmfs/@fqrn@ 217 | - http://cvmfs1-tacc0.galaxyproject.org/cvmfs/@fqrn@ 218 | - http://cvmfs1-mel0.gvl.org.au/cvmfs/@fqrn@ 219 | - http://cvmfs1-ufr0.galaxyproject.eu/cvmfs/@fqrn@ 220 | 221 | galaxy_cvmfs_repositories: 222 | - repository: test.galaxyproject.org 223 | stratum0: cvmfs0-psu1.galaxyproject.org 224 | owner: "{{ cvmfs_repo_owner | default('root') }}" 225 | key_dir: /etc/cvmfs/keys/galaxyproject.org 226 | server_options: 227 | - CVMFS_AUTO_GC=false 228 | client_options: [] 229 | - repository: main.galaxyproject.org 230 | stratum0: cvmfs0-tacc0.galaxyproject.org 231 | owner: "{{ cvmfs_repo_owner | default('root') }}" 232 | key_dir: /etc/cvmfs/keys/galaxyproject.org 233 | server_options: 234 | - CVMFS_AUTO_GC=false 235 | client_options: [] 236 | - repository: data.galaxyproject.org 237 | stratum0: cvmfs0-psu0.galaxyproject.org 238 | owner: "{{ cvmfs_repo_owner | default('root') }}" 239 | key_dir: /etc/cvmfs/keys/galaxyproject.org 240 | server_options: 241 | - CVMFS_AUTO_GC=false 242 | client_options: [] 243 | - repository: refgenomes-databio.galaxyproject.org 244 | stratum0: cvmfs0-psu0.galaxyproject.org 245 | owner: "{{ cvmfs_repo_owner | default('root') }}" 246 | key_dir: /etc/cvmfs/keys/galaxyproject.org 247 | server_options: 248 | - CVMFS_AUTO_GC=false 249 | client_options: [] 250 | - repository: sandbox.galaxyproject.org 251 | stratum0: cvmfs0-psu0.galaxyproject.org 252 | owner: "{{ cvmfs_repo_owner | default('root') }}" 253 | key_dir: /etc/cvmfs/keys/galaxyproject.org 254 | server_options: [] 255 | client_options: [] 256 | - repository: singularity.galaxyproject.org 257 | stratum0: cvmfs-stratum0.galaxyproject.eu 258 | owner: "{{ cvmfs_repo_owner | default('root') }}" 259 | key_dir: /etc/cvmfs/keys/galaxyproject.org 260 | server_options: [] 261 | 
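client_options: []
262 | - repository: usegalaxy.galaxyproject.org
263 | stratum0: cvmfs0-psu0.galaxyproject.org
264 | owner: "{{ cvmfs_repo_owner | default('root') }}"
265 | key_dir: /etc/cvmfs/keys/galaxyproject.org
266 | server_options: []
267 | client_options: []
268 |
--------------------------------------------------------------------------------
/files/cvmfs_prune_snapshots.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | #
3 | # Prune named snapshots on CVMFS release managers by age and count
4 | #
5 | set -euo pipefail
6 |
7 | COUNT=50
8 | VERBOSE=false
9 | DRYRUN=false
10 | MUTEX="${HOME}/.updaterepo.lock"
11 | MUTEX_ACQUIRED=false
12 |
13 | function help() {
14 | cat <
--------------------------------------------------------------------------------
/files/cvmfs_remount_sync.c:
--------------------------------------------------------------------------------
/*
 * setuid helper that sends `remount sync` to the CVMFS client process of a
 * given repository over its control socket, so that unprivileged users can
 * trigger what `cvmfs_talk remount sync` would do (see
 * cvmfs_install_setuid_cvmfs_remount_sync in defaults/main.yml).
 *
 * NOTE(review): the page's copy of this file lost its opening lines and the
 * header names in extraction; the includes below are reconstructed from the
 * identifiers the code uses.
 */

#include <dirent.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define CVMFS_SOCK_PREFIX "/var/lib/cvmfs/shared/cvmfs_io."
#define CVMFS_REPO_DIR "/cvmfs"
#define CVMFS_TALK_COMMAND "remount sync"

/* Capacity of the reply buffer; one byte is always reserved for the terminator. */
#define RESPONSE_BUF_LEN 512

/* Report the last OS error (perror style) and exit with status 1. */
void pdie(const char *msg) {
    perror(msg);
    exit(1);
}

/* Print a printf-style message and exit with status 1. */
void die(const char *msg, ...) {
    va_list args;
    va_start(args, msg);
    vprintf(msg, args);
    va_end(args);
    exit(1);
}

/*
 * Return true when `repo` names an entry of CVMFS_REPO_DIR, i.e. a repository
 * the client currently exposes. The name must match a directory entry exactly,
 * so a value containing '/' can never pass. "." and ".." appear in every
 * listing and are not repositories, so they are rejected up front instead of
 * being turned into a socket path; an empty name is rejected for the same
 * reason.
 *
 * Exits via pdie() if CVMFS_REPO_DIR cannot be opened.
 */
bool checkrepo(const char *repo) {
    DIR *dir;
    struct dirent *ent;
    bool found = false;

    if (repo[0] == '\0' || strcmp(repo, ".") == 0 || strcmp(repo, "..") == 0)
        return false;

    if ((dir = opendir(CVMFS_REPO_DIR)) == NULL)
        pdie("opendir() failed");

    while ((ent = readdir(dir)) != NULL) {
        if (strcmp(ent->d_name, repo) == 0) {
            found = true;
            break;
        }
    }

    closedir(dir);
    return found;
}

/*
 * usage: cvmfs_remount_sync <repo>
 *
 * Validates the repository name, connects to the client's control socket
 * (CVMFS_SOCK_PREFIX followed by the repo name), sends CVMFS_TALK_COMMAND and
 * prints the reply. Exits 0 with a warning when the repo is not an entry of
 * CVMFS_REPO_DIR (as the original did) and 1 on any socket error.
 */
int main(int argc, char *argv[]) {
    int fd;
    struct sockaddr_un addr;
    char response[RESPONSE_BUF_LEN];
    ssize_t bytes;
    const size_t cmd_len = strlen(CVMFS_TALK_COMMAND);
    size_t sent = 0;

    if (argc < 2)
        die("usage: %s <repo>\n", argv[0]);

    /* sun_path must hold the whole path plus its terminator; the previous
     * check (`> UNIX_PATH_MAX`) accepted a path of exactly the maximum length,
     * which the snprintf below would then silently truncate. */
    if (strlen(CVMFS_SOCK_PREFIX) + strlen(argv[1]) >= sizeof(addr.sun_path))
        die("error: repo name exceeds max length of %zu\n",
            sizeof(addr.sun_path) - strlen(CVMFS_SOCK_PREFIX) - 1);

    if (!checkrepo(argv[1])) {
        printf("warning: not found, invalid repo or not mounted: %s/%s\n", CVMFS_REPO_DIR, argv[1]);
        return 0;
    }

    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        pdie("error: socket() failed");

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof(addr.sun_path), "%s%s", CVMFS_SOCK_PREFIX, argv[1]);

    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        pdie("error: connect() failed");

    /* A short write would send a truncated command, so keep writing until the
     * whole command is out; the original ignored write()'s return value. */
    while (sent < cmd_len) {
        ssize_t w = write(fd, CVMFS_TALK_COMMAND + sent, cmd_len - sent);
        if (w < 0)
            pdie("error: write() failed");
        sent += (size_t)w;
    }

    /* Read at most RESPONSE_BUF_LEN - 1 bytes so the terminator always fits.
     * The original read a full 512 bytes and then wrote response[512], and on
     * a failed read() it indexed response[-1]. */
    bytes = read(fd, response, sizeof(response) - 1);
    if (bytes < 0)
        pdie("error: read() failed");
    close(fd);

    response[bytes] = '\0';
    /* The reply is data from the daemon: print it as a string, never as a
     * format string (the original called printf(response)). */
    fputs(response, stdout);

    return 0;
}
--------------------------------------------------------------------------------
/files/cvmfs_remount_sync.el_6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/galaxyproject/ansible-cvmfs/5fad83c922a8062710f72ad9588502be4c412456/files/cvmfs_remount_sync.el_6
--------------------------------------------------------------------------------
/files/cvmfs_remount_sync.el_7: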
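--------------------------------------------------------------------------------
https://raw.githubusercontent.com/galaxyproject/ansible-cvmfs/5fad83c922a8062710f72ad9588502be4c412456/files/cvmfs_remount_sync.el_7
--------------------------------------------------------------------------------
/files/cvmfs_remount_sync.el_8:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/galaxyproject/ansible-cvmfs/5fad83c922a8062710f72ad9588502be4c412456/files/cvmfs_remount_sync.el_8
--------------------------------------------------------------------------------
/files/cvmfs_remount_sync.el_9:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/galaxyproject/ansible-cvmfs/5fad83c922a8062710f72ad9588502be4c412456/files/cvmfs_remount_sync.el_9
--------------------------------------------------------------------------------
/files/cvmfs_wipecache.c:
--------------------------------------------------------------------------------
/*
 * setuid binary for calling cvmfs_config wipecache
 *
 * NOTE(review): the header names were lost in extraction; the includes below
 * are reconstructed from the identifiers the code uses.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Make the real uid 0 as well (cvmfs_config checks the real uid, and the
 * setuid bit alone only changes the effective uid), then exec
 * `cvmfs_config wipecache`.
 *
 * Two defects of the original are fixed here:
 *  - setreuid() was not checked, so a failure fell through and exec'd the
 *    tool without the privilege it needs;
 *  - execle() was called without the envp argument that follows the NULL
 *    terminator, so the child's environment was whatever happened to sit in
 *    the next vararg slot (undefined behaviour). The child now gets a fixed,
 *    minimal environment rather than the caller's: after setreuid(0, 0) the
 *    real and effective ids match, so the exec'd program is no longer treated
 *    as set-id, and passing the caller's environment through would let it
 *    influence how the privileged child starts.
 *
 * argc/argv are unused: the command to run is fixed.
 * Returns EXIT_FAILURE if setreuid() or execle() fails; on success it does
 * not return.
 */
int main(int argc, char *argv[]) {
    static char *const envp[] = {
        "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
        NULL,
    };

    (void)argc;
    (void)argv;

    if (setreuid(0, 0) < 0) {
        perror("cvmfs_wipecache: setreuid");
        return EXIT_FAILURE;
    }

    execle("/usr/bin/cvmfs_config", "cvmfs_config", "wipecache", (char *)NULL, envp);
    /* execle() only returns on failure. */
    perror("cvmfs_wipecache: execle");
    return EXIT_FAILURE;
}
--------------------------------------------------------------------------------
/files/cvmfs_wipecache.el_6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/galaxyproject/ansible-cvmfs/5fad83c922a8062710f72ad9588502be4c412456/files/cvmfs_wipecache.el_6
--------------------------------------------------------------------------------
/files/cvmfs_wipecache.el_7:
--------------------------------------------------------------------------------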
https://raw.githubusercontent.com/galaxyproject/ansible-cvmfs/5fad83c922a8062710f72ad9588502be4c412456/files/cvmfs_wipecache.el_7
--------------------------------------------------------------------------------
/files/cvmfs_wipecache.el_8:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/galaxyproject/ansible-cvmfs/5fad83c922a8062710f72ad9588502be4c412456/files/cvmfs_wipecache.el_8
--------------------------------------------------------------------------------
/files/cvmfs_wipecache.el_9:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/galaxyproject/ansible-cvmfs/5fad83c922a8062710f72ad9588502be4c412456/files/cvmfs_wipecache.el_9
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for galaxyproject.cvmfs
#
# Each handler is notified by the task that changed the corresponding
# service's configuration (see tasks/*.yml) and runs once at the end of the play.

- name: Reload autofs
  ansible.builtin.service:
    name: autofs
    state: reloaded

- name: Restart squid
  ansible.builtin.service:
    name: "{{ cvmfs_squid_service_name }}"
    state: restarted

- name: Restart apache
  ansible.builtin.service:
    name: "{{ cvmfs_apache_service_name }}"
    state: restarted

# Reload (not restart) is enough for a Listen-port change; see tasks/stratum1.yml.
- name: Reload apache
  ansible.builtin.service:
    name: "{{ cvmfs_apache_service_name }}"
    state: reloaded
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
galaxy_info:
  role_name: cvmfs
  namespace: galaxyproject
  author: Nathan Coraor
  description: Install and configure CernVM-FS (CVMFS)
  company: Galaxy Project

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  issue_tracker_url: https://github.com/galaxyproject/ansible-cvmfs/issues

  # Some suggested licenses:
  # - BSD (default)
  # - MIT
  # - GPLv2
  # - GPLv3
  # - Apache
  # - CC-BY
  license: MIT

  min_ansible_version: "2.5"

  # If this is a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  # Optionally specify the branch Galaxy will use when accessing the GitHub
  # repo for this role. During role install, if no tags are available,
  # Galaxy will use this branch. During import Galaxy will access files on
  # this branch. If Travis integration is configured, only notifications for this
  # branch will be accepted. Otherwise, in all cases, the repo's default branch
  # (usually master) will be used.
  # github_branch:

  #
  # platforms is a list of platforms, and each platform has a name and a list of versions.
  #
  platforms:
    - name: EL
      versions:
        - all
    - name: Ubuntu
      versions:
        - all

  galaxy_tags:
    - system
    - filesystem
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    # Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
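
--------------------------------------------------------------------------------
/tasks/apache.yml:
--------------------------------------------------------------------------------
---
- name: Ensure Apache is enabled and running
  ansible.builtin.service:
    name: "{{ cvmfs_apache_service_name }}"
    state: started
    enabled: true
--------------------------------------------------------------------------------
/tasks/client.yml:
--------------------------------------------------------------------------------
---
# Client setup: packages, public keys, autofs/FUSE wiring, repository and
# proxy configuration, and the optional setuid helper binaries.

- name: Include initial OS-specific tasks
  ansible.builtin.include_tasks: init_{{ ansible_os_family | lower }}.yml
  vars:
    _cvmfs_role: client
    _cvmfs_upgrade: "{{ cvmfs_upgrade_client }}"

- name: Include key setup tasks
  ansible.builtin.include_tasks: keys.yml

# chksetup exits non-zero when something is missing; its stdout is inspected
# below, so the failure itself is deliberately ignored here.
- name: Check CernVM-FS for setup
  ansible.builtin.command: cvmfs_config chksetup
  changed_when: false
  ignore_errors: true
  register: cvmfs_config_chksetup_out

- name: Ensure AutoFS is enabled + running
  ansible.builtin.service:
    name: autofs
    enabled: true
    state: started

- name: Perform AutoFS and FUSE configuration for CernVM-FS
  ansible.builtin.command: cvmfs_config setup
  notify:
    - Reload autofs
  when: not ansible_check_mode and "CernVM-FS map is not referenced" in cvmfs_config_chksetup_out.stdout

- name: Configure CernVM-FS config repository
  when: cvmfs_config_repo and cvmfs_config_repo_supported
  block:
    - name: Create config repo config
      ansible.builtin.copy:
        content: |
          ## This file is maintained by Ansible - CHANGES WILL BE OVERWRITTEN
          CVMFS_SERVER_URL="{{ cvmfs_config_repo.urls | join(';') }}"
          CVMFS_PUBLIC_KEY="{{ cvmfs_config_repo.key.path }}"
        dest: /etc/cvmfs/config.d/{{ cvmfs_config_repo.repository.repository }}.conf
        owner: root
        group: root
        mode: 0444

    - name: Set config repo defaults
      ansible.builtin.copy:
        content: |
          ## This file is maintained by Ansible - CHANGES WILL BE OVERWRITTEN
          CVMFS_CONFIG_REPOSITORY="{{ cvmfs_config_repo.repository.repository }}"
          CVMFS_DEFAULT_DOMAIN="{{ cvmfs_config_repo.domain }}"
          CVMFS_USE_GEOAPI="{{ cvmfs_config_repo.use_geoapi | default(false) | ternary('yes', 'no') }}"
        dest: /etc/cvmfs/default.d/80-ansible-galaxyproject-cvmfs.conf
        owner: root
        group: root
        mode: 0444

    # This is here for transitioning from galaxy_cvmfs_repos_enabled == true config-repo
    - name: Remove domain configuration
      ansible.builtin.file:
        path: /etc/cvmfs/domain.d/{{ cvmfs_config_repo.domain }}.conf
        state: absent

- name: Configure CernVM-FS domain
  ansible.builtin.copy:
    content: |
      ## This file is maintained by Ansible - CHANGES WILL BE OVERWRITTEN
      CVMFS_SERVER_URL="{{ item.urls | join(';') }}"
      CVMFS_KEYS_DIR=/etc/cvmfs/keys/{{ item.domain }}
      CVMFS_USE_GEOAPI="{{ item.use_geoapi | default(false) | ternary('yes', 'no') }}"
    dest: /etc/cvmfs/domain.d/{{ item.domain }}.conf
    owner: root
    group: root
    mode: 0444
  with_items: "{{ cvmfs_server_urls }}"

- name: Configure CernVM-FS global client settings
  ansible.builtin.copy:
    content: |
      CVMFS_REPOSITORIES="{%- for repo in cvmfs_repositories -%}{{ ',' if loop.index0 > 0 else '' }}{{ repo.repository }}{%- endfor -%}"
      CVMFS_HTTP_PROXY="{{ cvmfs_http_proxies | join(';') }}"
      CVMFS_QUOTA_LIMIT="{{ cvmfs_quota_limit | default('4000') }}"
      CVMFS_CACHE_BASE="{{ cvmfs_cache_base | default('/var/lib/cvmfs') }}"
    dest: /etc/cvmfs/default.local
    owner: root
    group: root
    mode: 0644

- name: Include repository client options tasks
  ansible.builtin.include_tasks: options.yml
  vars:
    _cvmfs_repo_option_key: client

# The two helpers below are prebuilt per platform/major version (source in
# files/cvmfs_wipecache.c and files/cvmfs_remount_sync.c) and installed
# setuid+setgid root (06755).  They are only installed when explicitly enabled;
# the matching "Remove" task keeps a disabled helper from lingering.
- name: Install cvmfs_wipecache setuid binary
  ansible.builtin.copy:
    src: cvmfs_wipecache.{{ _cvmfs_install_setuid_platform }}_{{ ansible_distribution_major_version }}
    dest: /usr/local/bin/cvmfs_wipecache
    owner: root
    group: root
    mode: 06755
  when: cvmfs_install_setuid_cvmfs_wipecache | bool

- name: Remove cvmfs_wipecache setuid binary
  ansible.builtin.file:
    path: /usr/local/bin/cvmfs_wipecache
    state: absent
  when: not (cvmfs_install_setuid_cvmfs_wipecache | bool)

- name: Install cvmfs_remount_sync setuid binary
  ansible.builtin.copy:
    src: cvmfs_remount_sync.{{ _cvmfs_install_setuid_platform }}_{{ ansible_distribution_major_version }}
    dest: /usr/local/bin/cvmfs_remount_sync
    owner: root
    group: root
    mode: 06755
  when: cvmfs_install_setuid_cvmfs_remount_sync | bool

- name: Remove cvmfs_remount_sync setuid binary
  ansible.builtin.file:
    path: /usr/local/bin/cvmfs_remount_sync
    state: absent
  when: not (cvmfs_install_setuid_cvmfs_remount_sync | bool)

# mode must be a quoted octal string: the unquoted `755` used previously is
# parsed as decimal 755 (= 01363), i.e. sticky bit + group rw + world wx on a
# root-owned executable.
# NOTE(review): the download is unpinned; add `checksum: sha256:<digest>` once a
# known-good digest for the published cvmfs_preload is recorded.
- name: Download cvmfs_preload utility when desired
  ansible.builtin.get_url:
    url: https://cvmrepo.web.cern.ch/cvmrepo/preload/cvmfs_preload
    dest: "{{ cvmfs_preload_path }}/cvmfs_preload"
    owner: root
    group: root
    mode: "0755"
  when: cvmfs_preload_install | bool
--------------------------------------------------------------------------------
/tasks/firewall.yml:
--------------------------------------------------------------------------------
---
# Opens the HTTP ports passed in as _cvmfs_http_ports by the including task file.
- name: Ensure http is not firewalled (firewalld)
  ansible.posix.firewalld:
    port: "{{ item }}/tcp"
    state: enabled
    permanent: true
    immediate: true
  with_items: "{{ _cvmfs_http_ports }}"
  when: ansible_os_family == "RedHat"

- name: Ensure http is not firewalled (ufw)
  community.general.system.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  with_items: "{{ _cvmfs_http_ports }}"
  when: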
ansible_os_family == "Debian" 18 | -------------------------------------------------------------------------------- /tasks/gc.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # gc -a support implemented in 2021/02, this task can be removed at some later date 3 | - name: Remove per-repository garbage collection cron jobs 4 | ansible.builtin.file: 5 | path: /etc/cron.d/cvmfs_gc_{{ item.repository }} 6 | state: absent 7 | mode: 0644 8 | loop: "{{ cvmfs_repositories }}" 9 | 10 | - name: Create garbage collection log directory 11 | ansible.builtin.file: 12 | path: "{{ (cvmfs_gc_log | default('/var/log/cvmfs/gc.log')) | dirname }}" 13 | state: directory 14 | owner: "{{ cvmfs_gc_user }}" 15 | mode: 0755 16 | 17 | - name: Schedule garbage collection 18 | ansible.builtin.cron: 19 | name: cvmfs_gc_all 20 | cron_file: ansible_cvmfs_gc_all 21 | user: "{{ cvmfs_gc_user }}" 22 | job: /usr/bin/cvmfs_server gc {{ cvmfs_gc_options }} 23 | hour: "{{ cvmfs_gc_time.hour | default(omit) }}" 24 | minute: "{{ cvmfs_gc_time.minute | default(omit) }}" 25 | day: "{{ cvmfs_gc_time.day | default(omit) }}" 26 | month: "{{ cvmfs_gc_time.month | default(omit) }}" 27 | weekday: "{{ cvmfs_gc_time.weekday | default(omit) }}" 28 | special_time: "{{ cvmfs_gc_time.special_time | default(omit) }}" 29 | -------------------------------------------------------------------------------- /tasks/init_debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Install apt dependencies 3 | ansible.builtin.apt: 4 | name: 5 | - apt-transport-https 6 | - ca-certificates 7 | 8 | - name: Install CernVM apt key 9 | ansible.builtin.apt_key: 10 | url: https://cvmrepo.web.cern.ch/cvmrepo/apt/cernvm.gpg 11 | 12 | - name: Configure CernVM apt repository 13 | ansible.builtin.apt_repository: 14 | filename: cernvm.list 15 | mode: 422 16 | repo: deb [allow-insecure=true] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ 
ansible_distribution_release }}-prod main 17 | when: ansible_distribution != 'Ubuntu' 18 | 19 | - name: Configure CernVM apt repository 20 | ansible.builtin.apt_repository: 21 | filename: cernvm.list 22 | mode: 422 23 | repo: deb [allow-insecure=true] https://cvmrepo.web.cern.ch/cvmrepo/apt/ {{ ansible_distribution_release }}-prod main 24 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_release in ('bionic', 'xenial', 'precise', 'focal', 'jammy', 'noble') 25 | 26 | # There are no packages for any of the non LTS versions so good 27 | # luck and have fun if that's you. 28 | - name: Configure CernVM apt repository 29 | ansible.builtin.apt_repository: 30 | filename: cernvm.list 31 | mode: 422 32 | repo: deb [allow-insecure=true] https://cvmrepo.web.cern.ch/cvmrepo/apt/ xenial-prod main 33 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_release not in ('bionic', 'xenial', 'precise', 'focal', 'jammy', 'noble') 34 | 35 | - name: Install CernVM-FS packages and dependencies (apt) 36 | ansible.builtin.apt: 37 | name: "{{ cvmfs_packages[_cvmfs_role] }}" 38 | state: "{{ 'latest' if _cvmfs_upgrade else 'present' }}" 39 | -------------------------------------------------------------------------------- /tasks/init_redhat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Remove legacy yum repo file if present 3 | ansible.builtin.yum_repository: 4 | file: cernvm.repo 5 | name: "{{ item }}" 6 | state: absent 7 | loop: 8 | - cernvm 9 | - cernvm-config 10 | 11 | - name: Configure CernVM yum repositories 12 | ansible.builtin.yum_repository: 13 | file: cernvm 14 | name: "{{ item.name }}" 15 | description: "{{ item.description }}" 16 | baseurl: "{{ item.baseurl }}" 17 | gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CernVM 18 | gpgcheck: true 19 | enabled: true 20 | protect: true 21 | loop: 22 | - name: cernvm 23 | description: CernVM packages 24 | baseurl: 
        http://cvmrepo.web.cern.ch/cvmrepo/yum/cvmfs/EL/$releasever/$basearch/
    - name: cernvm-config
      description: CernVM-FS extra config packages
      baseurl: http://cvmrepo.web.cern.ch/cvmrepo/yum/cvmfs-config/EL/$releasever/$basearch/

# NOTE(review): the yum baseurls are plain http while the apt tasks use https
# on the same host.  Package contents are GPG-verified, but the repository
# metadata is fetched unauthenticated; switching to https would close that.
- name: Install CernVM yum key
  ansible.builtin.copy:
    content: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      Version: GnuPG v2.0.14 (GNU/Linux)

      mQGiBEuGP6YRBADV89cbF4uoEX89Q8uxOklIDVJhOJAFKZ33LSdzHv3iObnjo5w4
      wbb8FiSir4oWgarAco4u0kR1yKjHJ33oVB2xmPOzW3NWoHI7aPF7tCgo7FY9hNoC
      4NEkNycvbfSoCScsv2yY5qz2q2sY1LWGZGbUXjBvKbmASe9sJFKJV7NsmwCg76W/
      aMazleHyDtooD8tk3ZWvpKcD/Rg51Oad+ZLc7h45wDMHpaDvOBeGoyp+k7JgQd87
      HfXiJtg/Q6zyTwrV3vCQvMpw3GRjRkZBcPgRWb6rUk68dL8fa2cTxhISX5/DIQzc
      mmuDa0EgCGGAKUZ4bHqaexFFnp/B+VKBPvJuxLa0cBDd6eewxNwtHJ90EaMeBzGd
      6zU2BADO9YbXiEMqRkfVLnuvD5G31/WJZvffXCxspnSfg923DbILWa4vNW9MLMsK
      IVHvyVr0mZF8xdyQNVPUX3/4uahKM4hwuFqdbyjuLGEIF3U73aIJ0+YDep/+I6yU
      JGHnxy8Ex+a1XIhJ1hSI7+oalSdt+w/pE3+2MQyUfSDPSXVA3LQ+Q2VyblZNIEFk
      bWluaXN0cmF0b3IgKGN2bWFkbWluKSA8Y2VybnZtLmFkbWluaXN0cmF0b3JAY2Vy
      bi5jaD6IZAQTEQIAJAIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAUCT18LigUJBbn/
      ZAAKCRAjDTidiuRc5/BFAKCb13G8yxG75r3s63mHo5l9PNUKGwCfZpSlZrhBsVZ4
      2DsKfLG1VQ+X8HW5Ag0ES4Y/qBAIAL3sWKXQKpbIOpwX+mNX2IV2XxNBM3KYjYOE
      ii66i9apPo3BA39a9Wm9vh1kYIHTkh9Qqb8w53hc4ANkVT+cYzxXythGBjWoLtwC
      zKCPrIb7RQJRc956Ot0q4qmlcUEGi5zefSIoJZR5jyR7rZS+1PNJYI05xY2+Eah1
      u9UxrlzBH5DCsvUqTNK12WrPIibmLo8u+yIDJjwgh9O5YITC+et/g47NLfZdiAGP
      LEjvJFRi7Ju+8ywO32dSVBPJQDktr5BC950DKZHA9n+sJ63iF3lP/aCTECpxxUqX
      VVqioobwg5ytl60hw9I9sfwBP6z9PR90RcyT1l4giiBz9LV+KpcAAwUIAKeAxArG
      aJxzWziKs7D8TTuE50Nw+S3RGhVzwSKy7183Z11iOEMqbm2/zwp65wFkntCKmLKD
      nGsTgFNpstIyFwJmj34Axp7N3KGqXnTI+SIQd6VmzQ1phxfCOw8IGueOR6YI7S1G
      YWt7DoseZKz4EWdvXCOkQAhbxq/HT2c3ihxsuxrErxz7QtNaYOFXiuLj3mYH9XaM
      eEe8Pkl+yyRTvyUNlMIu/i79qf+QUlsi10nCUm88cSXQiKWOJ4GiUoT+jD7pN4oh
      dALRVl0tl/EyPTw+asG3lQhPZ+solvJXp+i7KF7nwnyXDB63WNH15S1pQLMnqCuG
      CFyegf6jnOJU0AqITwQYEQIADwIbDAUCT18MOQUJBboAEQAKCRAjDTidiuRc53P2
      AJ9e1y70yIKwx6YmpDnwqWSE07Q6lACdEnem0DbLg9t+gkX/98driCP9Ifg=
      =S7Dt
      -----END PGP PUBLIC KEY BLOCK-----
    dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-CernVM
    owner: root
    group: root
    mode: "0644"

- name: Install CernVM-FS packages and dependencies (yum)
  ansible.builtin.yum:
    name: "{{ cvmfs_packages[_cvmfs_role] }}"
    state: "{{ 'latest' if _cvmfs_upgrade else 'present' }}"
--------------------------------------------------------------------------------
/tasks/keys.yml:
--------------------------------------------------------------------------------
---
# Installs the repository *public* keys listed in cvmfs_keys (world-readable).
# Private signing keys are handled separately in tasks/stratum0.yml.
- name: Make CernVM-FS key directories
  ansible.builtin.file:
    state: directory
    path: "{{ item }}"
    owner: root
    group: root
    mode: 0755
  loop: "{{ cvmfs_keys | map(attribute='path') | map('dirname') | unique }}"

- name: Install CernVM-FS keys
  ansible.builtin.copy:
    content: "{{ item.key }}"
    dest: "{{ item.path }}"
    owner: "{{ item.owner | default('root') }}"
    group: root
    mode: 0444
  loop: "{{ cvmfs_keys }}"
  loop_control:
    label: "{{ item.path }}"
--------------------------------------------------------------------------------
/tasks/localproxy.yml:
--------------------------------------------------------------------------------
---
- name: Include initial OS-specific tasks
  ansible.builtin.include_tasks: init_{{ ansible_os_family | lower }}.yml
  vars:
    _cvmfs_role: localproxy
    _cvmfs_upgrade: "{{ cvmfs_upgrade_server }}"

- name: Include squid tasks
  ansible.builtin.include_tasks: squid.yml
  vars:
    _cvmfs_squid_conf_src: "{{ cvmfs_squid_conf_src | default('localproxy_squid.conf.j2') }}"

# Need to double check that this actually works (see the hosts_file directive)
# - name: Create squid hosts file
#   copy:
#     content: |
#       {{ inventory_hostname }} 127.0.0.1
#     dest: /etc/squid/hosts
#   notify:
#     - Restart squid

# Opens the proxy ports to the world unless cvmfs_http_ports narrows them;
# the squid ACLs in templates/localproxy_squid.conf.j2 do not restrict sources.
- name: Include firewall tasks
  ansible.builtin.include_tasks: firewall.yml
  vars:
    _cvmfs_http_ports: "{{ cvmfs_http_ports | default(cvmfs_localproxy_http_ports) }}"
  when: cvmfs_manage_firewall
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for galaxyproject.cvmfs
#
# Entry point: merges the optional Galaxy repository/key defaults into the
# cvmfs_* variables, then dispatches to the per-role task file selected by
# inventory group membership or cvmfs_role.

- name: Set OS-specific variables
  ansible.builtin.include_vars: "{{ ansible_os_family | lower }}.yml"

- name: Set facts for Galaxy CVMFS config repository, if enabled
  ansible.builtin.set_fact:
    cvmfs_config_repo: "{{ galaxy_cvmfs_config_repo }}"
  when: galaxy_cvmfs_repos_enabled and galaxy_cvmfs_repos_enabled == 'config-repo'

- name: Set facts for Galaxy CVMFS static repositories, if enabled
  ansible.builtin.set_fact:
    cvmfs_keys: "{{ cvmfs_keys + galaxy_cvmfs_keys }}"
    cvmfs_repositories: "{{ cvmfs_repositories + galaxy_cvmfs_repositories }}"
    cvmfs_server_urls: "{{ cvmfs_server_urls + galaxy_cvmfs_server_urls }}"
  when: galaxy_cvmfs_repos_enabled and galaxy_cvmfs_repos_enabled != 'config-repo'

- name: Set facts for CVMFS config repository, if enabled
  ansible.builtin.set_fact:
    cvmfs_keys: "{{ cvmfs_keys + [cvmfs_config_repo.key] }}"
  # In Ansible >= 2.10 this will be | truthy
  when: cvmfs_config_repo | length > 0

- name: Include Client Tasks
  ansible.builtin.include_tasks: client.yml
  when: "'cvmfsclients' in group_names or cvmfs_role == 'client'"

- name: Include Stratum1 Tasks
  ansible.builtin.include_tasks: stratum1.yml
  when: "'cvmfsstratum1servers' in group_names or cvmfs_role == 'stratum1'"

- name: Include Stratum0 Tasks
  ansible.builtin.include_tasks: stratum0.yml
  when: "'cvmfsstratum0servers' in group_names or cvmfs_role == 'stratum0'"

- name: Include localproxy Tasks
  ansible.builtin.include_tasks: localproxy.yml
  when: "'cvmfslocalproxies' in group_names or cvmfs_role == 'localproxy'"
--------------------------------------------------------------------------------
/tasks/options.yml:
--------------------------------------------------------------------------------
---
# Writes KEY=VALUE lines from each repository's <key>_options list into
# /etc/cvmfs/repositories.d/<repo>/<key>.conf, where <key> is
# _cvmfs_repo_option_key ("client" or "server").  Option names are used
# unescaped in the regexp below, so they are expected to be plain identifiers.
- name: Ensure per-repository directories exist for repositories with options defined for {{ _cvmfs_repo_option_key }}
  ansible.builtin.file:
    path: /etc/cvmfs/repositories.d/{{ item.repository }}
    mode: 0755
    state: directory
  loop: "{{ cvmfs_repositories }}"
  loop_control:
    label: /etc/cvmfs/repositories.d/{{ item.repository }}
  when: _cvmfs_repo_option_key ~ '_options' in item

- name: Set repository options for {{ _cvmfs_repo_option_key }}
  ansible.builtin.lineinfile:
    dest: /etc/cvmfs/repositories.d/{{ item.0.repository }}/{{ _cvmfs_repo_option_key }}.conf
    regexp: ^{{ item.1.split('=')[0] }}=.*
    line: "{{ item.1 }}"
    create: true
    mode: 0644
  loop: "{{ cvmfs_repositories | subelements(_cvmfs_repo_option_key ~ '_options', skip_missing=true) }}"
--------------------------------------------------------------------------------
/tasks/squid.yml:
--------------------------------------------------------------------------------
---
# Shared by localproxy.yml and stratum1.yml; the template to render is passed
# in as _cvmfs_squid_conf_src.
- name: Configure squid
  ansible.builtin.template:
    src: "{{ _cvmfs_squid_conf_src }}"
    dest: "{{ cvmfs_squid_conf_file }}"
    backup: true
    mode: 0644
  notify:
    - Restart squid

- name: Fix cache directory permission
  ansible.builtin.file:
    path: "{{ cvmfs_stratum1_cache_dir.dir }}"
    owner: "{{ cvmfs_squid_user }}"
    group: "{{ cvmfs_squid_group }}"
    mode: 0755
    state: directory
    setype: squid_cache_t
  when:
cvmfs_stratum1_cache_dir is defined 20 | 21 | - name: Create the cache directories for the first time 22 | become: true 23 | become_user: "{{ cvmfs_squid_user }}" 24 | ansible.builtin.command: squid -z 25 | args: 26 | creates: "{{ cvmfs_stratum1_cache_dir.dir }}/00" 27 | when: cvmfs_stratum1_cache_dir is defined 28 | 29 | - name: Ensure squid is enabled and started 30 | ansible.builtin.service: 31 | name: "{{ cvmfs_squid_service_name }}" 32 | state: started 33 | enabled: true 34 | -------------------------------------------------------------------------------- /tasks/stratum0.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # TODO: `systemctl unmask tmp.mount` to make /tmp tmpfs (`cvmfs_server import` 3 | # fails if /tmp is xfs, although for some reason was fine on the PSU stratum 0 4 | # w/ xfs /tmp). 5 | 6 | - name: Determine whether -p flag is needed for cvmfs_server mkfs or import 7 | ansible.builtin.set_fact: 8 | cvmfs_config_apache_flag: "{{ '-p' if not cvmfs_config_apache else '' }}" 9 | 10 | - name: Include initial OS-specific tasks 11 | ansible.builtin.include_tasks: init_{{ ansible_os_family | lower }}.yml 12 | vars: 13 | _cvmfs_role: stratum0 14 | _cvmfs_upgrade: "{{ cvmfs_upgrade_server }}" 15 | 16 | - name: Include key setup tasks 17 | ansible.builtin.include_tasks: keys.yml 18 | 19 | - name: Install CernVM-FS private keys 20 | ansible.builtin.copy: 21 | content: "{{ item.key }}" 22 | dest: "{{ item.path }}" 23 | owner: "{{ item.owner | default('root') }}" 24 | group: root 25 | mode: "0400" 26 | with_items: "{{ cvmfs_private_keys }}" 27 | loop_control: 28 | label: "{{ item.path }}" 29 | 30 | - name: Include stratumN tasks 31 | ansible.builtin.include_tasks: stratumN.yml 32 | 33 | - name: Include Apache tasks 34 | ansible.builtin.include_tasks: apache.yml 35 | 36 | - name: Include firewall tasks 37 | ansible.builtin.include_tasks: firewall.yml 38 | vars: 39 | _cvmfs_http_ports: "{{ 
cvmfs_stratum0_http_ports }}" 40 | when: cvmfs_manage_firewall 41 | 42 | - name: Create repositories 43 | ansible.builtin.command: | 44 | /usr/bin/cvmfs_server mkfs {{ cvmfs_config_apache_flag }} -o {{ item.owner | default('root') }} -f {{ cvmfs_union_fs }} {{ item.repository }} 45 | args: 46 | creates: /srv/cvmfs/{{ item.repository }} 47 | with_items: "{{ cvmfs_repositories }}" 48 | notify: 49 | - Restart apache 50 | 51 | - name: Ensure repositories are imported 52 | ansible.builtin.command: | 53 | /usr/bin/cvmfs_server import -r {{ cvmfs_config_apache_flag }} -o {{ item.owner | default('root') }} -f {{ cvmfs_union_fs }} {{ item.repository }} 54 | args: 55 | creates: /etc/cvmfs/repositories.d/{{ item.repository }} 56 | with_items: "{{ cvmfs_repositories }}" 57 | notify: 58 | - Restart apache 59 | 60 | - name: Include repository server options tasks 61 | ansible.builtin.include_tasks: options.yml 62 | vars: 63 | _cvmfs_repo_option_key: server 64 | 65 | - name: Include repository client options tasks 66 | ansible.builtin.include_tasks: options.yml 67 | vars: 68 | _cvmfs_repo_option_key: client 69 | 70 | - name: Increase default max file descriptor limit 71 | ansible.builtin.lineinfile: 72 | dest: /etc/security/limits.conf 73 | regexp: ^\*\s+{{ item }}\s+nofile\s+\d+$ 74 | line: "* {{ item }} nofile {{ cvmfs_numfiles }}" 75 | with_items: 76 | - soft 77 | - hard 78 | when: cvmfs_numfiles is defined 79 | 80 | - name: Schedule key resignings 81 | ansible.builtin.cron: 82 | name: Re-sign CVMFS keys 83 | cron_file: ansible_cvmfs_key_resign 84 | user: root 85 | hour: 11 86 | minute: 0 87 | weekday: 2 88 | job: /usr/bin/cvmfs_server resign {{ cvmfs_repositories | join(' ; /usr/bin/cvmfs_server resign ', attribute='repository') }} 89 | 90 | - name: Include garbage collection tasks 91 | ansible.builtin.include_tasks: gc.yml 92 | when: cvmfs_gc_enabled 93 | 94 | - name: Install cvmfs_prune_snapshots 95 | copy: 96 | src: cvmfs_prune_snapshots.sh 97 | dest: 
/usr/local/bin/cvmfs_prune_snapshots 98 | mode: 0755 99 | 100 | - name: Schedule snapshot pruning 101 | ansible.builtin.cron: 102 | name: cvmfs_prune_snapshots_{{ item.repository }} 103 | cron_file: ansible_cvmfs_stratum0_prune_snapshots 104 | user: "{{ item.owner | default('root') }}" 105 | job: >- 106 | output=$(/usr/local/bin/cvmfs_prune_snapshots 107 | -c {{ item.prune_snapshots_count | default(cvmfs_stratum0_prune_snapshots_count) }} 108 | '{{ item.repository }}' 2>&1) || echo "$output" 109 | hour: "{{ item.prune_snapshots_time.hour | default(omit) }}" 110 | minute: "{{ item.prune_snapshots_time.minute | default(omit) }}" 111 | day: "{{ item.prune_snapshots_time.day | default(omit) }}" 112 | month: "{{ item.prune_snapshots_time.month | default(omit) }}" 113 | weekday: "{{ item.prune_snapshots_time.weekday | default(omit) }}" 114 | special_time: "{{ item.prune_snapshots_time.special_time | default(omit) }}" 115 | loop: "{{ cvmfs_repositories }}" 116 | when: item.prune_snapshots_time is defined 117 | -------------------------------------------------------------------------------- /tasks/stratum1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include initial OS-specific tasks 3 | ansible.builtin.include_tasks: init_{{ ansible_os_family | lower }}.yml 4 | vars: 5 | _cvmfs_role: stratum1 6 | _cvmfs_upgrade: "{{ cvmfs_upgrade_server }}" 7 | 8 | - name: Include key setup tasks 9 | ansible.builtin.include_tasks: keys.yml 10 | 11 | - name: Change Apache listen port 12 | ansible.builtin.lineinfile: 13 | dest: "{{ cvmfs_apache_conf_file }}" 14 | line: Listen {{ cvmfs_stratum1_apache_port }} 15 | regexp: ^Listen\s+ 16 | backup: true 17 | when: cvmfs_config_apache 18 | notify: 19 | - Reload apache 20 | 21 | - name: Include stratumN tasks 22 | ansible.builtin.include_tasks: stratumN.yml 23 | 24 | - name: Include Apache tasks 25 | ansible.builtin.include_tasks: apache.yml 26 | 27 | - name: Include squid tasks 28 | 
ansible.builtin.include_tasks: squid.yml 29 | vars: 30 | _cvmfs_squid_conf_src: "{{ cvmfs_squid_conf_src | default('stratum1_squid.conf.j2') }}" 31 | when: cvmfs_stratum1_squid_enabled 32 | 33 | - name: Include firewall tasks 34 | ansible.builtin.include_tasks: firewall.yml 35 | vars: 36 | _cvmfs_http_ports: "{{ cvmfs_http_ports | default(cvmfs_stratum1_http_ports) }}" 37 | when: cvmfs_manage_firewall 38 | 39 | - name: Install GeoIP API key 40 | ansible.builtin.copy: 41 | content: | 42 | CVMFS_GEO_ACCOUNT_ID="{{ cvmfs_geo_account_id }}" 43 | CVMFS_GEO_LICENSE_KEY="{{ cvmfs_geo_license_key }}" 44 | mode: 0400 45 | dest: /etc/cvmfs/server.local 46 | when: cvmfs_geo_license_key is defined 47 | 48 | - name: Bypassing GeoIP API key 49 | ansible.builtin.copy: 50 | content: | 51 | CVMFS_GEO_DB_FILE=NONE 52 | mode: 0400 53 | dest: /etc/cvmfs/server.local 54 | when: cvmfs_geo_license_key is not defined 55 | 56 | - name: Ensure replicas are configured 57 | ansible.builtin.command: >- 58 | /usr/bin/cvmfs_server add-replica -o {{ item.owner | default('root') }} 59 | http://{{ item.stratum0 }}/cvmfs/{{ item.repository }} 60 | {{ item.key_dir | default('/etc/cvmfs/keys') }}/{{ item.repository }}.pub 61 | args: 62 | creates: /etc/cvmfs/repositories.d/{{ item.repository }} 63 | loop: "{{ cvmfs_repositories }}" 64 | register: __cvmfs_add_replica_result 65 | notify: 66 | - Restart apache 67 | 68 | # Ideally we could use item.stratum0_url_scheme directly in `cvmfs_server add-replica` above, but it appears not to 69 | # support it, so we instead have to change it after the fact 70 | - name: Configure replica stratum0 URLs 71 | ansible.builtin.lineinfile: 72 | path: /etc/cvmfs/repositories.d/{{ item.repository }}/server.conf 73 | regexp: ^CVMFS_STRATUM0=https?://[^/]+/(.*) 74 | line: CVMFS_STRATUM0={{ item.stratum0_url_scheme | default("http") }}://{{ item.stratum0 }}/\1 75 | backrefs: true 76 | loop: "{{ cvmfs_repositories }}" 77 | 78 | - name: Include repository server options tasks 
79 | ansible.builtin.include_tasks: options.yml 80 | vars: 81 | _cvmfs_repo_option_key: server 82 | 83 | - name: Perform initial snapshot 84 | ansible.builtin.command: /usr/bin/cvmfs_server snapshot {{ item.item.repository }} 85 | loop: "{{ __cvmfs_add_replica_result.results }}" 86 | loop_control: 87 | label: "{{ item.item.repository }}" 88 | environment: 89 | X509_CERT_BUNDLE: "{{ cvmfs_x509_cert_bundle | default(ansible_env.X509_CERT_BUNDLE | default('')) }}" 90 | when: item is changed 91 | 92 | - name: Create CVMFS stratum1 logrotate configuration 93 | ansible.builtin.copy: 94 | content: | 95 | /var/log/cvmfs/*.log { 96 | weekly 97 | missingok 98 | notifempty 99 | } 100 | mode: 0644 101 | dest: /etc/logrotate.d/cvmfs 102 | 103 | - name: Schedule stratum1 snapshots 104 | ansible.builtin.cron: 105 | name: cvmfs_snapshot_all 106 | cron_file: ansible_cvmfs_stratum1_snapshot 107 | user: root 108 | job: >- 109 | output=$( 110 | {{- ("X509_CERT_BUNDLE=" ~ cvmfs_x509_cert_bundle | quote) ~ " " if cvmfs_x509_cert_bundle is defined else "" -}} 111 | /usr/bin/cvmfs_server snapshot -a -i 2>&1) || echo "$output" 112 | hour: "{{ cvmfs_stratum1_snapshot_time.hour | default(omit) }}" 113 | minute: "{{ cvmfs_stratum1_snapshot_time.minute | default(omit) }}" 114 | day: "{{ cvmfs_stratum1_snapshot_time.day | default(omit) }}" 115 | month: "{{ cvmfs_stratum1_snapshot_time.month | default(omit) }}" 116 | weekday: "{{ cvmfs_stratum1_snapshot_time.weekday | default(omit) }}" 117 | special_time: "{{ cvmfs_stratum1_snapshot_time.special_time | default(omit) }}" 118 | 119 | - name: Schedule GeoIP database updates 120 | ansible.builtin.cron: 121 | name: cvmfs_geoip_db_update 122 | cron_file: ansible_cvmfs_geoip_db_update 123 | user: root 124 | job: /usr/bin/cvmfs_server update-geodb 125 | minute: "{{ cvmfs_geoip_db_update_minute }}" 126 | hour: "{{ cvmfs_geoip_db_update_hour }}" 127 | day: "{{ cvmfs_geoip_db_update_day }}" 128 | when: cvmfs_geo_license_key is defined 129 | 130 | - name: 
Include garbage collection tasks 131 | ansible.builtin.include_tasks: gc.yml 132 | when: cvmfs_gc_enabled 133 | 134 | # allow unprivileged users to restart squid 135 | - name: Allow users to manage services 136 | ansible.builtin.template: 137 | src: 01-manage-units.rules.j2 138 | dest: /etc/polkit-1/rules.d/01-manage-units.rules 139 | mode: 0644 140 | when: cvmfs_manage_units_users is defined or cvmfs_manage_units_group is defined 141 | -------------------------------------------------------------------------------- /tasks/stratumN.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create /srv filesystem 3 | community.general.filesystem: 4 | dev: "{{ cvmfs_srv_device }}" 5 | force: false 6 | fstype: "{{ cvmfs_srv_fstype | default('ext4') }}" 7 | when: cvmfs_srv_device is defined 8 | 9 | - name: Mount /srv 10 | ansible.posix.mount: 11 | name: "{{ cvmfs_srv_mount }}" 12 | src: "{{ cvmfs_srv_device }}" 13 | fstype: "{{ cvmfs_srv_fstype | default('ext4') }}" 14 | state: mounted 15 | when: cvmfs_srv_device is defined 16 | -------------------------------------------------------------------------------- /templates/01-manage-units.rules.j2: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is managed by Ansible. ALL CHANGES WILL BE OVERWRITTEN. 
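3 | */
4 | 
5 | // Allow CVMFS repo owners to manage related services.
6 | //
7 | // Grants org.freedesktop.systemd1.manage-units only for the units listed in
8 | // cvmfs_manage_units, and only to the configured users and/or members of the
9 | // configured group. The role renders this file only when
10 | // cvmfs_manage_units_users or cvmfs_manage_units_group is defined.
11 | polkit.addRule(function(action, subject) {
12 |     var allowedUnits = {{ cvmfs_manage_units | to_json }};
13 | {% if cvmfs_manage_units_users is defined and cvmfs_manage_units_users is true %}
14 |     // `true` means "every repository owner" rather than an explicit list.
15 |     var allowedUsers = {{ cvmfs_repositories | map(attribute='owner') | unique | to_json }};
16 | {% elif cvmfs_manage_units_users is defined %}
17 |     // Wrap and flatten so a single user name given as a scalar still becomes a
18 |     // one-element list; a bare JSON string here would turn the membership test
19 |     // below into a substring match on the user name.
20 |     var allowedUsers = {{ [cvmfs_manage_units_users] | flatten | to_json }};
21 | {% endif %}
22 |     // indexOf() rather than includes(): Array.prototype.includes is ES2016 and is
23 |     // not provided by every JavaScript engine polkit has been built against
24 |     // (duktape-based builds in particular); indexOf() is ES5 and works in all.
25 |     // The group name goes through to_json so it is a properly quoted/escaped
26 |     // string literal, consistent with the other values rendered above.
27 |     if (action.id == "org.freedesktop.systemd1.manage-units" &&
28 |         allowedUnits.indexOf(action.lookup("unit")) !== -1 &&
29 | {% if cvmfs_manage_units_users is defined and cvmfs_manage_units_group is defined %}
30 |         (allowedUsers.indexOf(subject.user) !== -1 || subject.isInGroup({{ cvmfs_manage_units_group | to_json }}))) {
31 | {% elif cvmfs_manage_units_users is defined %}
32 |         allowedUsers.indexOf(subject.user) !== -1) {
33 | {% elif cvmfs_manage_units_group is defined %}
34 |         subject.isInGroup({{ cvmfs_manage_units_group | to_json }})) {
35 | {% endif %}
36 |         return polkit.Result.YES;
37 |     }
38 | });
39 | 
-------------------------------------------------------------------------------- /templates/localproxy_squid.conf.j2: -------------------------------------------------------------------------------- 1 | ## 2 | ## This file is managed by Ansible. ALL CHANGES WILL BE OVERWRITTEN. 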
3 | ##
4 | 
5 | http_port 3128 accel
6 | # No source ACL: every client that can reach port 3128 may use this proxy, and
7 | # with always_direct below it will relay to whatever origin the request names.
8 | # This is only acceptable while the port is reachable solely from the site's
9 | # CVMFS clients (host or network firewall). If that cannot be guaranteed,
10 | # replace it with "acl localnet src <cidr>", "http_access allow localnet" and "http_access deny all".
11 | http_access allow all
12 | 
13 | always_direct allow all
14 | 
15 | {% if cvmfs_localproxy_cache_dir is defined %}
16 | cache_dir ufs {{ cvmfs_localproxy_cache_dir.dir }} {{ cvmfs_localproxy_cache_dir.size }} 16 256
17 | {% endif %}
18 | 
19 | cache_mem {{ cvmfs_localproxy_cache_mem }} MB
20 | 
21 | minimum_expiry_time 0
22 | # This is for the disk cache
23 | #maximum_object_size 1024 MB
24 | maximum_object_size_in_memory {{ cvmfs_localproxy_maximum_object_size_in_memory }} MB
25 | 
26 | # visible_hostname {{ inventory_hostname }}
27 | 
-------------------------------------------------------------------------------- /templates/stratum1_squid.conf.j2: --------------------------------------------------------------------------------
1 | ##
2 | ## This file is managed by Ansible. ALL CHANGES WILL BE OVERWRITTEN.
3 | ##
4 | 
5 | http_port 80 accel
6 | http_port 3128 accel
7 | # Open access is expected here: a Stratum 1 is a public replica, and requests
8 | # are forwarded to the local Apache origin configured as cache_peer below.
9 | http_access allow all
10 | cache_peer 127.0.0.1 parent {{ cvmfs_stratum1_apache_port }} 0 no-query originserver
11 | 
12 | {% if cvmfs_stratum1_cache_dir is defined %}
13 | cache_dir ufs {{ cvmfs_stratum1_cache_dir.dir }} {{ cvmfs_stratum1_cache_dir.size }} 16 256
14 | {% endif %}
15 | #maximum_object_size 1024 MB
16 | 
17 | cache_mem {{ cvmfs_stratum1_cache_mem }} MB
18 | # CERN config examples use 128 KB for both local proxies and stratum 1, but
19 | # data objects are larger than this
20 | maximum_object_size_in_memory 4 MB
21 | 
22 | visible_hostname {{ inventory_hostname }}
23 | 
-------------------------------------------------------------------------------- /tests/inventory: --------------------------------------------------------------------------------
1 | localhost
2 | 
3 | 
-------------------------------------------------------------------------------- /tests/test.yml: --------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | remote_user: root
4 | roles:
5 | - galaxyproject.cvmfs
6 | 
-------------------------------------------------------------------------------- /vars/debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | cvmfs_apache_service_name: apache2 3 | cvmfs_apache_conf_file: /etc/apache2/apache2.conf 4 | 5 | cvmfs_squid_service_name: squid 6 | cvmfs_squid_conf_file: /etc/squid/squid.conf 7 | cvmfs_squid_user: proxy 8 | cvmfs_squid_group: proxy 9 | 10 | cvmfs_packages: 11 | stratum0: 12 | - apache2 13 | - cvmfs-server 14 | - cvmfs-config-default 15 | stratum1: 16 | - apache2 17 | - cvmfs-server 18 | - cvmfs-config-default 19 | localproxy: 20 | - squid 21 | client: 22 | - cvmfs 23 | -------------------------------------------------------------------------------- /vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for galaxyproject.cvmfs 3 | -------------------------------------------------------------------------------- /vars/redhat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | cvmfs_apache_service_name: httpd 3 | cvmfs_apache_conf_file: /etc/httpd/conf/httpd.conf 4 | 5 | cvmfs_squid_service_name: squid 6 | cvmfs_squid_conf_file: /etc/squid/squid.conf 7 | cvmfs_squid_user: squid 8 | cvmfs_squid_group: squid 9 | 10 | cvmfs_packages: 11 | stratum0: 12 | - httpd 13 | - cvmfs-server 14 | - cvmfs-config-default 15 | - cvmfs 16 | stratum1: 17 | - httpd 18 | - "{{ 'mod_wsgi' if ansible_distribution_major_version is version('8', '<') else 'python3-mod_wsgi' }}" 19 | - squid 20 | - cvmfs-server 21 | - cvmfs-config-default 22 | localproxy: 23 | - squid 24 | client: 25 | - cvmfs 26 | --------------------------------------------------------------------------------