use ark repos for cernvm-fs and fixup defaults approach

sjpb · sjpb · commit fe98b91a2462 · 2025-08-07T09:48:32.000Z
diff --git a/ansible/roles/cvmfs_server/README.md b/ansible/roles/cvmfs_server/README.md
@@ -14,27 +14,24 @@ This feature is enabled by adding a node to the `cvmfs_server` group. The
 defaults provided are sufficent to implement the above configuration.
 
 This role wraps the [EESSI ansible-cvmfs](https://github.com/EESSI/ansible-cvmfs)
-role which provides additional functionality. Because of the intended use of
-this role by default it:
-- Uses https URLs for both dnf repositories and for the EESSI repository replication.
-- Uses the `aws-eu-west-s1-sync` EESSI server (which is the only one providing
+role, which provides additional functionality. The defaults here:
+- Use https URLs for both dnf repositories and for the EESSI repository replication.
+- Use the `aws-eu-west-s1-sync` EESSI server (which is the only one providing
   https replication).
-- Does not configure a squid proxy in front of the Stratum 1 server.
-- Does not configure a firewall (OpenStack security groups are expected to be
+- Do not configure a squid proxy in front of the Stratum 1 server.
+- Do not configure a firewall (OpenStack security groups are expected to be
   sufficent).
-- Does not configure the Geo API service.
+- Do not configure the Geo API service.
 
 Guidance on configuring a private Stratum 1 server for EESSI is provided [here](https://www.eessi.io/docs/filesystem_layer/stratum1/#requirements-for-a-stratum-1).
 
 **NB**: The initial replication will take a considerable amount of time. If
 this fails due to e.g. a network glitch you can recover it by sshing to the
-server node and running:
+`cvmfs_server` node and running:
 
     sudo cvmfs_server snapshot software.eessi.io
 
-# Requirements
-
-See also the example configuration below.
+## Requirements
 
 1. See the [EESSI Stratum 1 requirements](https://www.eessi.io/docs/filesystem_layer/stratum1/#requirements-for-a-stratum-1)
    for the server specification.
@@ -51,14 +48,14 @@ See also the example configuration below.
    Note the former will also require setting `dnf_repos_allow_insecure_creds: true`
    to allow Ark credentials to be templated into repofiles - this also requires 3.
    to avoid exposing these to cluster users.
- 
+
+See also the example configuration below.
+
 ## Role variables
 
 Any variables from the [EESSI ansible-cvmfs role](https://github.com/EESSI/ansible-cvmfs)
-may be used. Due to wrapping that role, this role's defaults are mostly in
-`environments/common/inventory/group_vars/all/cvmfs_server.yml`. The only
-override likely to be be needed is to set `cvmfs_srv_device` if CVMFS data
-should be be stored on a specific block device (e.g. a mounted volume).
+may set. Generally only `cvmfs_srv_device` is likely to be required, if CVMFS
+data should be be stored on a specific block device (e.g. a mounted volume).
 
 ## Example configuration
 
@@ -94,8 +91,8 @@ Configure the role to use the volume for CVMFS data:
 cvmfs_srv_device: /dev/vdb
 ```
 
-**NB:** Hardcoding the path is only safe if a single volume is attached, else
-the ordering of devices is not guaranteed after reboots etc.
+**NB:** Hardcoding the device path is only safe if a single volume is attached,
+else the ordering of devices is not guaranteed after reboots etc.
 
 Note Ark credentials or a local Pulp server must also be configured as referenced
 above.
diff --git a/ansible/roles/cvmfs_server/defaults/main.yml b/ansible/roles/cvmfs_server/defaults/main.yml
@@ -1,4 +1,55 @@
-# NB: Most defaults are set in
-# environments/common/inventory/group_vars/all/cvmfs_server.yml
-# as the wrapped role does not pick up defaults from here
+# NB: Most eessi.cvmfs variables cannot be set here, because they are not
+# applied when this role calls it via import_role.
+# Instead they are set in environments/common/inventory/group_vars/all/cvmfs_server.yml
+
 cvmfs_role: stratum1
+
+# Vars from eessi.cvmfs:vars/redhat.yml - required because *this* role does
+# not run eessi.cvmfs:tasks/main.yml which loads those vars. These therefore
+# *can* be set here, as they are not otherwise set at all.
+
+cvmfs_apache_service_name: httpd
+cvmfs_apache_conf_file: /etc/httpd/conf/httpd.conf
+cvmfs_dnf_repos: [] # provided by dnf_repos instead
+
+cvmfs_dnf_repo_key:
+  content: |
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    Version: GnuPG v2.0.14 (GNU/Linux)
+
+    mQGiBEuGP6YRBADV89cbF4uoEX89Q8uxOklIDVJhOJAFKZ33LSdzHv3iObnjo5w4
+    wbb8FiSir4oWgarAco4u0kR1yKjHJ33oVB2xmPOzW3NWoHI7aPF7tCgo7FY9hNoC
+    4NEkNycvbfSoCScsv2yY5qz2q2sY1LWGZGbUXjBvKbmASe9sJFKJV7NsmwCg76W/
+    aMazleHyDtooD8tk3ZWvpKcD/Rg51Oad+ZLc7h45wDMHpaDvOBeGoyp+k7JgQd87
+    HfXiJtg/Q6zyTwrV3vCQvMpw3GRjRkZBcPgRWb6rUk68dL8fa2cTxhISX5/DIQzc
+    mmuDa0EgCGGAKUZ4bHqaexFFnp/B+VKBPvJuxLa0cBDd6eewxNwtHJ90EaMeBzGd
+    6zU2BADO9YbXiEMqRkfVLnuvD5G31/WJZvffXCxspnSfg923DbILWa4vNW9MLMsK
+    IVHvyVr0mZF8xdyQNVPUX3/4uahKM4hwuFqdbyjuLGEIF3U73aIJ0+YDep/+I6yU
+    JGHnxy8Ex+a1XIhJ1hSI7+oalSdt+w/pE3+2MQyUfSDPSXVA3LQ+Q2VyblZNIEFk
+    bWluaXN0cmF0b3IgKGN2bWFkbWluKSA8Y2VybnZtLmFkbWluaXN0cmF0b3JAY2Vy
+    bi5jaD6IZAQTEQIAJAIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAUCT18LigUJBbn/
+    ZAAKCRAjDTidiuRc5/BFAKCb13G8yxG75r3s63mHo5l9PNUKGwCfZpSlZrhBsVZ4
+    2DsKfLG1VQ+X8HW5Ag0ES4Y/qBAIAL3sWKXQKpbIOpwX+mNX2IV2XxNBM3KYjYOE
+    ii66i9apPo3BA39a9Wm9vh1kYIHTkh9Qqb8w53hc4ANkVT+cYzxXythGBjWoLtwC
+    zKCPrIb7RQJRc956Ot0q4qmlcUEGi5zefSIoJZR5jyR7rZS+1PNJYI05xY2+Eah1
+    u9UxrlzBH5DCsvUqTNK12WrPIibmLo8u+yIDJjwgh9O5YITC+et/g47NLfZdiAGP
+    LEjvJFRi7Ju+8ywO32dSVBPJQDktr5BC950DKZHA9n+sJ63iF3lP/aCTECpxxUqX
+    VVqioobwg5ytl60hw9I9sfwBP6z9PR90RcyT1l4giiBz9LV+KpcAAwUIAKeAxArG
+    aJxzWziKs7D8TTuE50Nw+S3RGhVzwSKy7183Z11iOEMqbm2/zwp65wFkntCKmLKD
+    nGsTgFNpstIyFwJmj34Axp7N3KGqXnTI+SIQd6VmzQ1phxfCOw8IGueOR6YI7S1G
+    YWt7DoseZKz4EWdvXCOkQAhbxq/HT2c3ihxsuxrErxz7QtNaYOFXiuLj3mYH9XaM
+    eEe8Pkl+yyRTvyUNlMIu/i79qf+QUlsi10nCUm88cSXQiKWOJ4GiUoT+jD7pN4oh
+    dALRVl0tl/EyPTw+asG3lQhPZ+solvJXp+i7KF7nwnyXDB63WNH15S1pQLMnqCuG
+    CFyegf6jnOJU0AqITwQYEQIADwIbDAUCT18MOQUJBboAEQAKCRAjDTidiuRc53P2
+    AJ9e1y70yIKwx6YmpDnwqWSE07Q6lACdEnem0DbLg9t+gkX/98driCP9Ifg=
+    =S7Dt
+    -----END PGP PUBLIC KEY BLOCK-----
+  dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-CernVM
+
+cvmfs_packages:
+  stratum1-disk:
+    - httpd
+    - "{{ 'mod_wsgi' if ansible_distribution_major_version is version('8', '<') else 'python3-mod_wsgi' }}"
+    - "{{ 'squid' if cvmfs_stratum1_squid else omit }}"
+    - cvmfs-server
+    - cvmfs-config-default
diff --git a/ansible/roles/cvmfs_server/tasks/main.yml b/ansible/roles/cvmfs_server/tasks/main.yml
@@ -1,7 +1,3 @@
 - ansible.builtin.import_role:
     name: eessi.cvmfs
     tasks_from: "{{ cvmfs_role }}.yml"
-  vars:
-    # from ansible-cvmfs/vars/redhat.yml
-    cvmfs_apache_service_name: httpd
-    cvmfs_apache_conf_file: /etc/httpd/conf/httpd.conf
diff --git a/ansible/roles/dnf_repos/defaults/main.yml b/ansible/roles/dnf_repos/defaults/main.yml
@@ -19,6 +19,7 @@ dnf_repos_filenames:
 dnf_repos_version_filenames: "{{ dnf_repos_filenames[ansible_distribution_major_version] }}"
 
 # epel installed separately
+# NB: 'name' cannot have spaces
 dnf_repos_default_repolist:
 - file: "{{ dnf_repos_version_filenames.baseos }}"
   name: baseos
@@ -38,6 +39,12 @@ dnf_repos_default_repolist:
 - file: "{{ dnf_repos_version_filenames.grafana }}"
   name: grafana
   base_url: "{{ dnf_repos_pulp_content_url }}/{{ appliances_pulp_repos.grafana[ansible_distribution_major_version] | appliances_repo_to_subpath }}"
+- file: cernvm
+  name: cernvmfs_pkgs
+  base_url: "{{ dnf_repos_pulp_content_url }}/{{ appliances_pulp_repos.cernvmfs_pkgs[ansible_distribution_major_version] | appliances_repo_to_subpath }}"
+- file: cernvm
+  name: cernvmfs_cfg
+  base_url: "{{ dnf_repos_pulp_content_url }}/{{ appliances_pulp_repos.cernvmfs_cfg[ansible_distribution_major_version] | appliances_repo_to_subpath }}"
 
 dnf_repos_openhpc_repolist:
 - name: OpenHPC
diff --git a/ansible/roles/pulp_site/defaults/main.yml b/ansible/roles/pulp_site/defaults/main.yml
@@ -30,6 +30,11 @@ pulp_site_rpm_info:
   subpath: "{{ appliances_pulp_repos.ceph[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}"
 - name: "grafana-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.grafana[pulp_site_target_distribution_version_major].timestamp }}"
   subpath: "{{ appliances_pulp_repos.grafana[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}"
+- name: "cernvmfs_pkgs-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.cernvmfs_pkgs.timestamp[pulp_site_target_distribution_version_major].timestamp }}
+  subpath: "{{ appliances_pulp_repos.cernvmfs_pkgs[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}"
+- name: "cernvmfs_cfg-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.cernvmfs_pkgs.timestamp[pulp_site_target_distribution_version_major].timestamp }}
+  subpath: "{{ appliances_pulp_repos.cernvmfs_cfg[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}"
+
 
 pulp_site_rpm_repo_defaults:
   remote_username: "{{ pulp_site_upstream_username }}"
diff --git a/environments/common/inventory/group_vars/all/cvmfs_server.yml b/environments/common/inventory/group_vars/all/cvmfs_server.yml
@@ -2,21 +2,9 @@
 
 # cvmfs_srv_device: # block device to use for CVMFS data. /srv/cvmfs is used if not set.
 
-cvmfs_dnf_repo_protocol: https
-
-cvmfs_dnf_repos:
-  - name: cernvm
-    file: cernvm
-    baseurl: "{{ cvmfs_dnf_repo_protocol }}://cvmrepo.web.cern.ch/cvmrepo/yum/cvmfs/EL/$releasever/$basearch/"
-    description: CernVM packages
-  - name: cernvm-config
-    file: cernvm
-    baseurl: "{{ cvmfs_dnf_repo_protocol }}://cvmrepo.web.cern.ch/cvmrepo/yum/cvmfs-config/EL/$releasever/$basearch/"
-    description: CernVM-FS extra config packages
-
 cvmfs_keys:
-  - path: /etc/cvmfs/keys/eessi.io/eessi.io.pub
     # from /cvmfs/cvmfs-config.cern.ch/etc/cvmfs/keys/eessi.io/eessi.io.pub on client
+  - path: /etc/cvmfs/keys/eessi.io/eessi.io.pub
     key: |
       -----BEGIN PUBLIC KEY-----
       MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyau1UFUcoiqpE5U9StON
@@ -38,48 +26,3 @@ cvmfs_repositories:
     repository: software.eessi.io
     key_dir: /etc/cvmfs/keys/eessi.io
     owner: root
-
-
-# Below taken from ansible-cvmfs/vars/redhat.yml and are needed because the
-# cvmfs_server role does not run ansible-cvmfs/tasks/main.yml:
-cvmfs_dnf_repo_key:
-  content: |
-    -----BEGIN PGP PUBLIC KEY BLOCK-----
-    Version: GnuPG v2.0.14 (GNU/Linux)
-
-    mQGiBEuGP6YRBADV89cbF4uoEX89Q8uxOklIDVJhOJAFKZ33LSdzHv3iObnjo5w4
-    wbb8FiSir4oWgarAco4u0kR1yKjHJ33oVB2xmPOzW3NWoHI7aPF7tCgo7FY9hNoC
-    4NEkNycvbfSoCScsv2yY5qz2q2sY1LWGZGbUXjBvKbmASe9sJFKJV7NsmwCg76W/
-    aMazleHyDtooD8tk3ZWvpKcD/Rg51Oad+ZLc7h45wDMHpaDvOBeGoyp+k7JgQd87
-    HfXiJtg/Q6zyTwrV3vCQvMpw3GRjRkZBcPgRWb6rUk68dL8fa2cTxhISX5/DIQzc
-    mmuDa0EgCGGAKUZ4bHqaexFFnp/B+VKBPvJuxLa0cBDd6eewxNwtHJ90EaMeBzGd
-    6zU2BADO9YbXiEMqRkfVLnuvD5G31/WJZvffXCxspnSfg923DbILWa4vNW9MLMsK
-    IVHvyVr0mZF8xdyQNVPUX3/4uahKM4hwuFqdbyjuLGEIF3U73aIJ0+YDep/+I6yU
-    JGHnxy8Ex+a1XIhJ1hSI7+oalSdt+w/pE3+2MQyUfSDPSXVA3LQ+Q2VyblZNIEFk
-    bWluaXN0cmF0b3IgKGN2bWFkbWluKSA8Y2VybnZtLmFkbWluaXN0cmF0b3JAY2Vy
-    bi5jaD6IZAQTEQIAJAIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAUCT18LigUJBbn/
-    ZAAKCRAjDTidiuRc5/BFAKCb13G8yxG75r3s63mHo5l9PNUKGwCfZpSlZrhBsVZ4
-    2DsKfLG1VQ+X8HW5Ag0ES4Y/qBAIAL3sWKXQKpbIOpwX+mNX2IV2XxNBM3KYjYOE
-    ii66i9apPo3BA39a9Wm9vh1kYIHTkh9Qqb8w53hc4ANkVT+cYzxXythGBjWoLtwC
-    zKCPrIb7RQJRc956Ot0q4qmlcUEGi5zefSIoJZR5jyR7rZS+1PNJYI05xY2+Eah1
-    u9UxrlzBH5DCsvUqTNK12WrPIibmLo8u+yIDJjwgh9O5YITC+et/g47NLfZdiAGP
-    LEjvJFRi7Ju+8ywO32dSVBPJQDktr5BC950DKZHA9n+sJ63iF3lP/aCTECpxxUqX
-    VVqioobwg5ytl60hw9I9sfwBP6z9PR90RcyT1l4giiBz9LV+KpcAAwUIAKeAxArG
-    aJxzWziKs7D8TTuE50Nw+S3RGhVzwSKy7183Z11iOEMqbm2/zwp65wFkntCKmLKD
-    nGsTgFNpstIyFwJmj34Axp7N3KGqXnTI+SIQd6VmzQ1phxfCOw8IGueOR6YI7S1G
-    YWt7DoseZKz4EWdvXCOkQAhbxq/HT2c3ihxsuxrErxz7QtNaYOFXiuLj3mYH9XaM
-    eEe8Pkl+yyRTvyUNlMIu/i79qf+QUlsi10nCUm88cSXQiKWOJ4GiUoT+jD7pN4oh
-    dALRVl0tl/EyPTw+asG3lQhPZ+solvJXp+i7KF7nwnyXDB63WNH15S1pQLMnqCuG
-    CFyegf6jnOJU0AqITwQYEQIADwIbDAUCT18MOQUJBboAEQAKCRAjDTidiuRc53P2
-    AJ9e1y70yIKwx6YmpDnwqWSE07Q6lACdEnem0DbLg9t+gkX/98driCP9Ifg=
-    =S7Dt
-    -----END PGP PUBLIC KEY BLOCK-----
-  dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-CernVM
-
-cvmfs_packages:
-  stratum1-disk:
-    - httpd
-    - "{{ 'mod_wsgi' if ansible_distribution_major_version is version('8', '<') else 'python3-mod_wsgi' }}"
-    - "{{ 'squid' if cvmfs_stratum1_squid else omit }}"
-    - cvmfs-server
-    - cvmfs-config-default
diff --git a/environments/common/inventory/group_vars/all/timestamps.yml b/environments/common/inventory/group_vars/all/timestamps.yml
@@ -6,10 +6,12 @@
 #   WITHOUT the trailing slash
 # - timestamp is the the Ark timestamp to use
 
-# See also ansible/roles/pulp_site/defaults/main.yml
+# See also:
+# - ansible/roles/dnf_repos/defaults/main.yml
+# - ansible/roles/pulp_site/defaults/main.yml
 
 # Note that with Ark creds in the active environment all timestamps can be
-# updated to the latest avaialble using
+# updated to the latest available using
 #   ansible-playbook ansible/ci/update_timestamps.yml
 # but it doesn't check they are functional!
 
@@ -89,3 +91,17 @@ appliances_pulp_repos:
     '9':
       path: OpenHPC/3/updates/EL_9
       timestamp: 20250510T003301
+  cernvmfs_pkgs:
+    '8':
+      path: cvmfs/EL/8/x86_64
+      timestamp: 20250806T121654
+    '9':
+      path: cvmfs/EL/9/x86_64
+      timestamp: 20250806T121654
+  cernvmfs_cfg:
+    '8':
+      path: cvmfs-config/EL/8/x86_64
+      timestamp: 20250805T130249
+    '9':
+      path: cvmfs-config/EL/9/x86_64
+      timestamp: 20250805T130249
