-
Notifications
You must be signed in to change notification settings - Fork 35
/
install-service
executable file
·76 lines (64 loc) · 2.71 KB
/
install-service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#!/bin/sh
# deploy changes to this script with:
# ansible -i inventory -m include_role -a name=tasks-systemd -e instances=12 tag_ServiceComponent_Tasks
# ansible -i inventory -m include_role -a name=tasks-systemd openstack_tasks
#
# See ansible/{aws,psi}/launch-tasks.yml for the parameters.
set -eufx
SECRETS=/var/lib/cockpit-secrets
CACHE=/var/cache/cockpit-tasks
IMAGE_STORES=${CACHE}/image-stores
INSTANCES=${INSTANCES:-4}
systemctl stop 'cockpit-tasks@*.service'
mkdir -p $SECRETS/tasks $SECRETS/webhook $CACHE
chown -R cockpituous:cockpituous $SECRETS $CACHE
chcon -R -t container_file_t $SECRETS $CACHE
if [ $INSTANCES -eq 1 ]; then
# just use the hostname without prefix
CONTAINER_HOSTNAME="%l"
else
# prefix the host name with the unit instance, so we can tell them apart in GitHub statuses
CONTAINER_HOSTNAME="%i-%l"
fi
# ensure this always exists
touch "$IMAGE_STORES"
cat <<EOF > /etc/systemd/system/[email protected]
[Unit]
Description=Cockpit Tasks %i
Requires=podman.socket
After=podman.socket
Wants=cockpituous-janitor.timer
[Service]
Restart=always
RestartSec=60
# give image pull enough time
TimeoutStartSec=10min
ExecStartPre=-/usr/bin/podman rm -f cockpit-tasks-%i
# HACK: sometimes images get an MCS category which makes them undeletable by the container
ExecStartPre=/usr/bin/chcon -R -l s0 ${CACHE}/images/
ExecStartPre=/usr/bin/flock /tmp/cockpit-image-pull podman pull ghcr.io/cockpit-project/tasks
# job-runner doesn't need /images, but we still need it for the run-queue store-tests task
ExecStart=/usr/bin/podman run --name=cockpit-tasks-%i --hostname=${CONTAINER_HOSTNAME} \
--volume=${CACHE}/images:/cache/images:rw \
--volume=${SECRETS}/tasks:/run/secrets/tasks:ro \
--volume=${SECRETS}/s3-keys:/run/secrets/s3-keys:ro \
--volume=${SECRETS}/webhook:/run/secrets/webhook:ro \
--volume=/etc/job-runner.toml:/config/job-runner.toml:ro \
--volume=%t/podman/podman.sock:/podman.sock:rw \
--env=JOB_RUNNER_CONFIG=/config/job-runner.toml \
--env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/webhook/.config--github-token \
--env=COCKPIT_S3_KEY_DIR=/run/secrets/s3-keys \
--env=COCKPIT_IMAGES_DATA_DIR=/cache/images \
--env=GIT_COMMITTER_NAME=Cockpituous \
--env=GIT_AUTHOR_NAME=Cockpituous \
--env=TEST_NOTIFICATION_MX=${TEST_NOTIFICATION_MX} \
--env=TEST_NOTIFICATION_TO=${TEST_NOTIFICATION_TO} \
ghcr.io/cockpit-project/tasks cockpit-tasks --verbose
ExecStop=/usr/bin/podman rm -f cockpit-tasks-%i
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
for i in `seq $INSTANCES`; do systemctl enable --now cockpit-tasks@$i; done