First attempt at ODCS frontend

handlers/main.yml

@@ -1,2 +1,9 @@
-# Defaults handlers for
-role odcs-frontend
+- name: reload systemd
+  command: systemctl daemon-reload
+
+- name: restart apache
+  command: /usr/local/bin/conditional-restart.sh httpd httpd
+
+- name: reload apache
+  action: service name=httpd state=reloaded
+

meta/main.yml

@@ -1,2 +1,2 @@
-# Defaults meta for
-role odcs-frontend
+# Standards: 1.7
+---

tasks/main.yml

@@ -1,2 +1,99 @@
-# Defaults tasks for
-role odcs-frontend
+---
+- name: install the packages required for ODCS
+  yum:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+    use_backend: yum
+  vars:
+    packages:
+    - odcs
+    - mod_auth_gssapi
+    - mod_wsgi
+    - python-qpid-proton
+    - python2-rhmsg
+    - python-psycopg2
+  tags:
+  - odcs
+
+- name: install the latest ODCS package
+  yum:
+    name: odcs
+    state: latest
+    update_cache: yes
+    use_backend: yum
+  when: odcs_upgrade
+  notify:
+  - restart httpd service
+  tags:
+  - odcs
+
+########
+# Need to add the messaging part
+
+- name: modify selinux so that httpd can serve data from NFS shares if needed
+  seboolean: 
+    name: httpd_use_nfs
+    state: yes
+    persistent: yes
+  when: "'enabled' in ansible_selinux.status"
+  tags:
+  - odcs
+
+- name: Add apache user to odcs-server group.	
+  user:	
+    name: apache	
+    groups: odcs-server	
+    append: yes
+
+- name: create ODCS_TARGET_DIR
+  file:
+    path: "{{ odcs_target_dir }}"
+    state: directory
+    owner: odcs-server
+    group: odcs-server
+    mode: 0775
+  tags:
+  - odcs
+
+- name: generate the ODCS app config
+  template:
+    src: etc/odcs/config.py.j2
+    dest: /etc/odcs/config.py
+    owner: odcs-server
+    group: odcs-server
+    mode: 0440
+  notify:
+  - reload httpd service
+  tags:
+  - odcs
+
+- name: generate the ODCS Apache config
+  template:
+    src: etc/httpd/conf.d/odcs.conf.j2
+    dest: /etc/httpd/conf.d/odcs.conf
+    owner: apache
+    group: apache
+    mode: 0440
+  notify:
+  - reload httpd service
+  tags:
+  - odcs
+
+- name: Disable PrivateTmp=true in httpd.service.
+  lineinfile:
+    path: /usr/lib/systemd/system/httpd.service
+    regexp: '^PrivateTmp'
+    line: 'PrivateTmp=false'
+  notify:
+  - reload systemd
+  - restart httpd service
+  tags:
+  - odcs
+
+- name: start ODCS frontend
+  systemd:
+    name: httpd
+    state: started
+  tags:
+  - odcs

templates/etc/httpd/conf.d/odcs.conf.j2

@@ -0,0 +1,87 @@
+{% if odcs_force_ssl %}
+# Force SSL
+RewriteEngine On
+# allow http access for zabbix status checks
+RewriteCond %{REQUEST_URI} !=/server-status
+RewriteCond %{HTTPS} off
+RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+{% endif %}
+
+WSGIDaemonProcess odcs user=odcs group=fedmsg threads=5
+WSGIScriptAlias /{{ odcs_endpoint }} /usr/share/odcs/odcs.wsgi
+
+# By default, do not require SSL verification.
+SSLVerifyClient none
+SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+<Directory /usr/share/odcs>
+    WSGIProcessGroup odcs
+    WSGIApplicationGroup %{GLOBAL}
+
+    {% if odcs_allowed_named_hosts or odcs_allowed_hosts %}
+    <RequireAny>
+        Require method GET
+        {{ 'Require host ' ~ odcs_allowed_named_hosts|join(' ') if odcs_allowed_named_hosts else '' }}
+
+        {{ 'Require ip ' ~ odcs_allowed_hosts|join(' ') if odcs_allowed_hosts else '' }}
+
+    </RequireAny>
+    {% endif %}
+
+    {% if odcs_auth_backend == "kerberos" or odcs_auth_backend == "kerberos_or_ssl" %}
+    AuthType GSSAPI
+    AuthName "Kerberos negotiate authentication based on GSSAPI"
+    GssapiCredStore keytab:/etc/httpd/conf/httpd.keytab
+    {% endif %}
+
+    {% if odcs_auth_backend == "kerberos_or_ssl" or odcs_auth_backend == "ssl" %}
+    SSLVerifyClient optional
+    SSLVerifyDepth 10
+    SSLOptions +stdEnvVars
+    {% endif %}
+
+    <RequireAny>
+        {% if odcs_auth_backend == "kerberos" or odcs_auth_backend == "kerberos_or_ssl" %}
+        Require valid-user
+        {% endif %}
+
+        {% if odcs_auth_backend == "kerberos_or_ssl" or odcs_auth_backend == "ssl" %}
+        Require ssl-verify-client
+        {% endif %}
+
+        {% if odcs_auth_backend == "noauth" and not odcs_allowed_named_hosts and not odcs_allowed_hosts %}
+        Require all granted
+        {% endif %}
+    </RequireAny>
+
+</Directory>
+
+Alias "/composes" "{{ odcs_target_dir }}"
+<Directory {{ odcs_target_dir }}>
+    {% if odcs_allowed_named_hosts or odcs_allowed_hosts %}
+    <RequireAny>
+        Require method GET
+        {{ 'Require host ' ~ odcs_allowed_named_hosts|join(' ') if odcs_allowed_named_hosts else '' }}
+
+        {{ 'Require ip ' ~ odcs_allowed_hosts|join(' ') if odcs_allowed_hosts else '' }}
+
+    </RequireAny>
+    {% else %}
+    Require all granted
+    {% endif %}
+
+    Options +Indexes
+    IndexOptions NameWidth=* FancyIndexing
+</Directory>
+
+# Enable access to metrics to unauthenticated users
+<Location "/api/1/metrics">
+  SSLVerifyClient none
+  Require all granted
+</Location>
+
+# to enable zabbix apache stats collection
+<Location "/server-status">
+   Require all granted
+   Require ip 127.0.0.1
+</Location>

templates/etc/odcs/config.py.j2

@@ -0,0 +1,125 @@
+from os import path
+
+confdir = path.abspath(path.dirname(__file__))
+# use parent dir as dbdir else fallback to current dir
+dbdir = path.abspath(path.join(confdir, '..')) if confdir.endswith('conf') \
+    else confdir
+
+class BaseConfiguration(object):
+    # Make this random (used to generate session keys)
+    SECRET_KEY = '74d9e9f9cd40e66fc6c4c2e9987dce48df3ce98542529fd0'
+    SQLALCHEMY_DATABASE_URI = 'sqlite:///{0}'.format(path.join(
+        dbdir, 'odcs.db'))
+    SQLALCHEMY_TRACK_MODIFICATIONS = False
+
+    HOST = '127.0.0.1'
+    PORT = 5005
+
+    DEBUG = False
+    # Global network-related values, in seconds
+    NET_TIMEOUT = 120
+    NET_RETRY_INTERVAL = 30
+
+    # Available backends are: console, file, journal.
+    LOG_BACKEND = 'journal'
+
+    # Path to log file when LOG_BACKEND is set to "file".
+    LOG_FILE = 'odcs.log'
+
+    # Available log levels are: debug, info, warn, error.
+    LOG_LEVEL = 'info'
+
+    SSL_ENABLED = False
+
+
+class DevConfiguration(BaseConfiguration):
+    DEBUG = True
+    LOG_BACKEND = 'console'
+    LOG_LEVEL = 'debug'
+
+    # Global network-related values, in seconds
+    NET_TIMEOUT = 5
+    NET_RETRY_INTERVAL = 1
+
+
+class TestConfiguration(BaseConfiguration):
+    LOG_BACKEND = 'console'
+    LOG_LEVEL = 'debug'
+    DEBUG = True
+
+    SQLALCHEMY_DATABASE_URI = 'sqlite:///{0}'.format(
+        path.join(dbdir, 'tests', 'test_odcs.db'))
+
+    # Global network-related values, in seconds
+    NET_TIMEOUT = 3
+    NET_RETRY_INTERVAL = 1
+
+
+class ProdConfiguration(BaseConfiguration):
+    SECRET_KEY = "{{ odcs_secret_key }}"
+    SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://{{ odcs_db_username }}:{{ odcs_db_password }}@{{ odcs_db_host }}:{{ odcs_db_port }}/{{ odcs_db_name }}{{ '?sslmode=require' if odcs_force_postgres_ssl else '' }}'
+    KOJI_PROFILE = "{{ odcs_koji_profile }}"
+    MBS_URL = "{{ odcs_mbs_url }}"
+    TARGET_DIR = "{{ odcs_target_dir }}"
+    TARGET_DIR_URL = "{{ odcs_target_url }}"
+
+    AUTH_BACKEND = "{{ odcs_auth_backend }}"
+    AUTH_LDAP_SERVER = "{{ odcs_auth_ldap_server }}"
+    AUTH_LDAP_GROUP_BASE = "{{ odcs_auth_ldap_group_base }}"
+
+    MESSAGING_BACKEND = "{{ odcs_messaging_backend }}"
+    MESSAGING_BROKER_URLS = {{ odcs_messaging_producer_broker_urls }}
+    MESSAGING_CERT_FILE = "/etc/ssl/odcs/umb-client.crt"
+    MESSAGING_KEY_FILE = "/etc/ssl/odcs/umb-client.key"
+    MESSAGING_CA_CERT = "{{ odcs_messaging_ca_cert }}"
+    MESSAGING_TOPIC_PREFIX = "{{ odcs_messaging_topic_prefix }}"
+    MESSAGING_TOPIC = "VirtualTopic.eng.odcs.state.change"
+    INTERNAL_MESSAGING_TOPIC = "VirtualTopic.eng.odcs.internal.msg"
+
+    ALLOWED_CLIENTS = {{ odcs_allowed_clients }}
+    ADMINS = {{ odcs_admins }}
+
+    PULP_SERVER_URL = "{{ odcs_pulp_server_url }}"
+    PULP_USERNAME = "{{ odcs_pulp_username }}"
+    PULP_PASSWORD = "{{ odcs_pulp_password }}"
+
+{% if odcs_allowed_source_types %}
+    ALLOWED_SOURCE_TYPES = {{ odcs_allowed_source_types }}
+{% endif %}
+{% if odcs_allowed_flags %}
+    ALLOWED_FLAGS = {{ odcs_allowed_flags }}
+{% endif %}
+{% if odcs_allowed_arches %}
+    ALLOWED_ARCHES = {{ odcs_allowed_arches }}
+{% endif %}
+{% if odcs_allowed_results %}
+    ALLOWED_RESULTS = {{ odcs_allowed_results }}
+{% endif %}
+{% if odcs_allowed_sources %}
+    ALLOWED_SOURCES = {{ odcs_allowed_sources }}
+{% endif %}
+
+{% if odcs_raw_config_urls %}
+    RAW_CONFIG_URLS = {{ odcs_raw_config_urls }}
+{% endif %}
+
+{% if odcs_extra_target_dirs %}
+    EXTRA_TARGET_DIRS = {{ odcs_extra_target_dirs }}
+{% endif %}
+
+    ARCHES = {{ odcs_arches }}
+    SIGKEYS = {{ odcs_sigkeys }}
+    SECONDS_TO_LIVE = {{ odcs_seconds_to_live }}
+    MAX_SECONDS_TO_LIVE = {{ odcs_max_seconds_to_live }}
+
+{% if odcs_celery_broker_host %}
+    CELERY_BROKER_URL = "amqps://{{ odcs_celery_broker_username }}:{{ odcs_celery_broker_password }}@{{ odcs_celery_broker_host }}:{{ odcs_celery_broker_port }}/{{ odcs_celery_broker_vhost }}"
+{% endif %}
+
+    CELERY_CONFIG = {
+        "server_hostname": True,
+    }
+
+{% if odcs_celery_router_config %}
+    CELERY_ROUTER_CONFIG = {{ odcs_celery_router_config }}
+{% endif %}