140 lines
4.3 KiB
YAML
140 lines
4.3 KiB
YAML
---
|
|
# Copyright 2017, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# NOTE(mhayden): GPG checking for local package installs is normally disabled
|
|
# by default in CentOS, but the openstack-ansible-security role enables GPG
|
|
# checking for local packages. The RDO repository package isn't signed, but the
|
|
# repos it installs have GPG checking enabled.
|
|
# Under CentOS, this will add the RDO repo and its key to the keyring
|
|
|
|
- name: Install EPEL and yum priorities plugin
|
|
package:
|
|
name: "{{ pip_epel_prep_distro_packages }}"
|
|
state: "{{ pip_install_package_state }}"
|
|
when:
|
|
- user_external_repo_key is not defined
|
|
tags:
|
|
- add-repo-keys
|
|
|
|
# Copy all factored-in GPG keys.
|
|
# KeyID 764429E6 from https://raw.githubusercontent.com/rdo-infra/centos-release-openstack/ocata-rdo/RPM-GPG-KEY-CentOS-SIG-Cloud
|
|
# KeyID 61E8806C from keyserver for rdo-qemu-ev
|
|
- name: Copy validated GPG keys
|
|
copy:
|
|
src: "gpg/{{ item | basename }}"
|
|
dest: /etc/pki/rpm-gpg/
|
|
mode: '0644'
|
|
with_fileglob:
|
|
- "gpg/*"
|
|
|
|
- name: Ensure GPG keys have the correct SELinux contexts applied
|
|
command: restorecon -Rv /etc/pki/rpm-gpg/
|
|
changed_when: false
|
|
|
|
# Handle gpg keys manually
|
|
- name: Install gpg keys
|
|
rpm_key:
|
|
key: "{{ key.keyfile | default(key.key) }}"
|
|
validate_certs: "{{ key.validate_certs | default(omit) }}"
|
|
state: "{{ key.state | default('present') }}"
|
|
with_items: "{{ pip_install_rdo_repos_keys }}"
|
|
loop_control:
|
|
loop_var: key
|
|
register: _add_yum_keys
|
|
until: _add_yum_keys | success
|
|
retries: 5
|
|
delay: 2
|
|
|
|
- name: Check for existing yum repositories
|
|
shell: "yum-config-manager | grep 'repo:'"
|
|
changed_when: False
|
|
register: existing_yum_repos
|
|
when:
|
|
- user_external_repo_key is not defined
|
|
tags:
|
|
- add-repo-keys
|
|
|
|
- name: Add yum repositories if they do not exist
|
|
yum_repository:
|
|
name: "{{ item.name }}"
|
|
description: "{{ item.description }}"
|
|
baseurl: "{{ item.baseurl }}"
|
|
file: "{{ item.file }}"
|
|
gpgcheck: "{{ item.gpgcheck }}"
|
|
enabled: "{{ item.enabled }}"
|
|
with_items:
|
|
- "{{ pip_install_rdo_repos }}"
|
|
when:
|
|
- item.name not in existing_yum_repos.stdout
|
|
- user_external_repo_key is not defined
|
|
tags:
|
|
- add-repo-keys
|
|
|
|
- name: Update yum repositories if they already exist
|
|
command: >
|
|
yum-config-manager
|
|
--enable {{ item.name }}
|
|
{% for key in item.keys() if key != 'file' %}
|
|
--setopt="{{ item.name }}.{{ key }}={{ item[key] }}"
|
|
{% endfor %}
|
|
changed_when: False
|
|
with_items:
|
|
- "{{ pip_install_rdo_repos }}"
|
|
when:
|
|
- item.name in existing_yum_repos.stdout
|
|
- user_external_repo_key is not defined
|
|
tags:
|
|
- add-repo-keys
|
|
|
|
- name: Enable and set repo priorities
|
|
command: >
|
|
yum-config-manager
|
|
{% for repo_priority in pip_install_repo_priorities %}
|
|
--enable {{ repo_priority['name'] }} \
|
|
--setopt="{{ repo_priority['name'] }}.priority={{ repo_priority['priority'] }}"
|
|
{% endfor %}
|
|
changed_when: False
|
|
tags:
|
|
- add-repo-keys
|
|
|
|
- name: Install external repo key manually
|
|
rpm_key:
|
|
key: "{{ item.key }}"
|
|
validate_certs: "{{ item.validate_certs | default(omit) }}"
|
|
state: "{{ item.state | default('present') }}"
|
|
register: add_keys
|
|
until: add_keys|success
|
|
retries: 5
|
|
delay: 2
|
|
with_items: "{{ user_external_repo_keys_list }}"
|
|
tags:
|
|
- add-repo-keys
|
|
|
|
- name: Install external repo manually
|
|
yum_repository:
|
|
name: "{{ item.name }}"
|
|
description: "{{ item.description | default(omit) }}"
|
|
baseurl: "{{ item.baseurl | default(omit) }}"
|
|
gpgkey: "{{ item.gpgkey | default(omit) }}"
|
|
gpgcheck: "{{ item.gpgcheck | default(omit) }}"
|
|
enabled: "{{ item.enabled | default('yes') }}"
|
|
register: use_external_repo_yum
|
|
until: use_external_repo_yum|success
|
|
retries: 5
|
|
delay: 2
|
|
with_items: "{{ user_external_repos_list }}"
|
|
tags:
|
|
- add-external-repo
|