--- # Copyright 2017, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # NOTE(mhayden): GPG checking for local package installs is normally disabled # by default in CentOS, but the openstack-ansible-security role enables GPG # checking for local packages. The RDO repository package isn't signed, but the # repos it installs have GPG checking enabled. # Under CentOS, this will add the RDO repo and its key to the keyring - name: Install EPEL and yum priorities plugin package: name: "{{ pip_epel_prep_distro_packages }}" state: "{{ pip_install_package_state }}" when: - user_external_repo_key is not defined tags: - add-repo-keys # Copy all factored-in GPG keys. # KeyID 764429E6 from https://raw.githubusercontent.com/rdo-infra/centos-release-openstack/ocata-rdo/RPM-GPG-KEY-CentOS-SIG-Cloud # KeyID 61E8806C from keyserver for rdo-qemu-ev - name: Copy validated GPG keys copy: src: "gpg/{{ item | basename }}" dest: /etc/pki/rpm-gpg/ mode: '0644' with_fileglob: - "gpg/*" - name: Ensure GPG keys have the correct SELinux contexts applied command: restorecon -Rv /etc/pki/rpm-gpg/ changed_when: false # Handle gpg keys manually - name: Install gpg keys rpm_key: key: "{{ key.keyfile | default(key.key) }}" validate_certs: "{{ key.validate_certs | default(omit) }}" state: "{{ key.state | default('present') }}" with_items: "{{ pip_install_rdo_repos_keys }}" loop_control: loop_var: key register: _add_yum_keys until: _add_yum_keys | success retries: 5 delay: 2 - name: Check for existing yum repositories shell: "yum-config-manager | grep 'repo:'" changed_when: False register: existing_yum_repos when: - user_external_repo_key is not defined tags: - add-repo-keys - name: Add yum repositories if they do not exist yum_repository: name: "{{ item.name }}" description: "{{ item.description }}" baseurl: "{{ item.baseurl }}" file: "{{ item.file }}" gpgcheck: "{{ item.gpgcheck }}" enabled: "{{ item.enabled }}" with_items: - "{{ pip_install_rdo_repos }}" when: - item.name not in existing_yum_repos.stdout - user_external_repo_key is not defined tags: - add-repo-keys - name: Update yum repositories if they already exist command: > yum-config-manager --enable {{ item.name }} {% for key in item.keys() if key != 'file' %} --setopt="{{ item.name }}.{{ key }}={{ item[key] }}" {% endfor %} changed_when: False with_items: - "{{ pip_install_rdo_repos }}" when: - item.name in existing_yum_repos.stdout - user_external_repo_key is not defined tags: - add-repo-keys - name: Enable and set repo priorities command: > yum-config-manager {% for repo_priority in pip_install_repo_priorities %} --enable {{ repo_priority['name'] }} \ --setopt="{{ repo_priority['name'] }}.priority={{ repo_priority['priority'] }}" {% endfor %} changed_when: False tags: - add-repo-keys - name: Install external repo key manually rpm_key: key: "{{ item.key }}" validate_certs: "{{ item.validate_certs | default(omit) }}" state: "{{ item.state | default('present') }}" register: add_keys until: add_keys|success retries: 5 delay: 2 with_items: "{{ user_external_repo_keys_list }}" tags: - add-repo-keys - name: Install external repo manually yum_repository: name: "{{ item.name }}" description: "{{ item.description | default(omit) }}" baseurl: "{{ item.baseurl | default(omit) }}" gpgkey: "{{ item.gpgkey | default(omit) }}" gpgcheck: "{{ item.gpgcheck | default(omit) }}" enabled: "{{ item.enabled | default('yes') }}" register: use_external_repo_yum until: use_external_repo_yum|success retries: 5 delay: 2 with_items: "{{ user_external_repos_list }}" tags: - add-external-repo