Merge pull request #22 from charlieok/ansible_tweaks

Ansible tweaks and additional README notes
2018-04-02 17:11:47 -06:00 · 2018-04-02 17:11:47 -06:00 · c6123f5c1e
parent 559153b676 89587e715d
commit c6123f5c1e
6 changed files with 144 additions and 30 deletions
--- a/README.md
+++ b/README.md
@ -5,7 +5,7 @@ This is a deterministic build environment for [Zcash](https://github.com/zcash/z

 Gitian provides a way to be reasonably certain that the Zcash executables are really built from the exact source on GitHub and have not been tampered with. It also makes sure that the same, tested dependencies are used and statically built into the executable.

-Multiple developers build from source code by following a specific descriptor ("recipe"), cryptographically sign the result, and upload the resulting signature. These results are compared and only if they match is the build is accepted.
+Multiple developers build from source code by following a specific descriptor ("recipe"), cryptographically sign the result, and upload the resulting signature. These results are compared and only if they match is the build accepted.

 More independent Gitian builders are needed, which is why this guide exists.

@ -34,6 +34,116 @@ Install prerequisites first: `sudo apt-get install build-essential libssl-dev li

    sudo pip install -U ansible

+#### GnuPG 2.x
+
+Make sure GNU privacy guard is installed.
+
+    sudo apt-get install gnupg2
+
+If installing via some other method, such as building directly from git source or using a different
+package manager, make sure it is callable using the command 'gpg2'. For instance, if it installs as
+'gpg' you could create a symlink from gpg2 to gpg.
+
+
+## Decide on a gpg keypair to use for gitian
+
+You'll be asked to (optionally) refer to a gpg key in gitian.yml.
+
+You can generate a keypair specifically for zcash gitian builds with a command like the one below.
+
+```
+gpg2 --quick-gen-key --batch --passphrase '' "Harry Potter (zcash gitian) <hpotter@hogwarts.wiz>"
+gpg: directory '/Users/hpotter/.gnupg' created
+gpg: keybox '/Users/hpotter/.gnupg/pubring.kbx' created
+gpg: /Users/hpotter/.gnupg/trustdb.gpg: trustdb created
+gpg: key 5B52696EF083A700 marked as ultimately trusted
+gpg: directory '/Users/hpotter/.gnupg/openpgp-revocs.d' created
+gpg: revocation certificate stored as '/Users/hpotter/.gnupg/openpgp-revocs.d/564CDA5C132B8CAB54B7BDE65B52696EF083A700.rev'
+```
+This will generate a primary key and subkey without passphrases, and set default values for
+algorithm, key length, usage, and expiration time which should be fine.
+
+
+Some explanation of the arguments used in the above example:
+
+    --quick-generate-key --batch   This combination of options allows options to be given on the
+                                   command line. Other key generation options use interative
+                                   prompts.
+
+    --passphrase ''                Passphrase for the generated key. An empty string as shown here
+                                   means save the private key unencrypted.
+
+    "Name (Comment) <Email>"       The user id (also called uid) to associate with the generated
+                                   keys. Concatenating a name, an optional comment, and an email
+                                   address using this format is a gpg convention.
+
+
+You can check that the key was generated and added to your local gpg key database, and see its
+fingerprint value, like this:
+```
+$ gpg2 --list-keys
+/Users/hpotter/.gnupg/pubring.kbx
+-----------------------------------
+pub   rsa2048 2018-03-14 [SC] [expires: 2020-03-13]
+      564CDA5C132B8CAB54B7BDE65B52696EF083A700
+uid           [ultimate] Harry Potter (zcash gitian) <hpotter@hogwarts.wiz>
+sub   rsa2048 2018-03-14 [E]
+```
+
+We'll use two values from the above output in our gitian.yml file:
+- For gpg_key_id we'll use the id for the 'pub' key. In the example output shown here, that is a 40
+character value. Other versions of gpg may truncate this value, e.g. to 8 or 16 characters. In those
+cases you should be able to use the truncated value and it should still work.
+- For gpg_key_name we'll use the the part before the @ symbol of the associated email address.
+
+Continuing the above example, we would set the two fields in gitian.yml as follows:
+```
+gpg_key_id: 564CDA5C132B8CAB54B7BDE65B52696EF083A700
+gpg_key_name: hpotter
+```
+
+## Decide on an ssh keypair to use for gitian
+
+You'll be asked to (optionally) provide an ssh key's filename in gitian.yml. In this example I'm
+using "zcash_gitian_id_rsa".
+
+You can generate a keypair specifically for zcash gitian builds like this:
+
+```
+$ ssh-keygen -t rsa -C "hpotter@hogwarts.wiz" -f ~/.ssh/zcash_gitian_id_rsa -N ''
+Generating public/private rsa key pair.
+Your identification has been saved in /Users/hpotter/.ssh/zcash_gitian_id_rsa.
+Your public key has been saved in /Users/hpotter/.ssh/zcash_gitian_id_rsa.pub.
+The key fingerprint is:
+SHA256:w1ZAgf+Ge+R662PU18ASqx8sZYfg9OxKhE/ZFf9zwvE hpotter@hogwarts.wiz
+The key's randomart image is:
+---[RSA 2048]----+
+|       o+.    .. |
+|      .  .o . .. |
+|       . +.* *. .|
+|       .o.= X.+o.|
+|        S* B oo+E|
+|       ...X = ..+|
+|         B + o   |
+|        . B .    |
+|        .*oo     |
+----[SHA256]-----+
+```
+
+Some explanation of the arguments used in the above example:
+
+    -t rsa                         Use a key type of RSA
+
+    -C "hpotter@hogwarts.wiz"      Provide an identity to associate with the key (default is
+                                   user@host in the local environment)
+
+    -f ~/.ssh/zcash_gitian_id_rsa  Path to the private key to generate. The corresponding public key
+                                   will be saved at ~/.ssh/zcash_gitian_id_rsa.pub
+
+    -N ''                          Passphrase for the generated key. An empty string as shown here
+                                   means save the private key unencrypted.
+
+
 How to get started
 ------------------

--- a/roles/common/tasks/add_github_ssh_hostkey.yml
+++ b/roles/common/tasks/add_github_ssh_hostkey.yml
@ -3,7 +3,7 @@
  local_action: command ssh-keyscan -t rsa github.com
  register: github_ssh_keyscan_result
  changed_when: false
-  always_run: yes
+  check_mode: no
  run_once: yes
  become: no

--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -1,10 +1,10 @@
 ---
- include: repartition.yml
- include: update_everything.yml
- include: packages.yml
- include: make_swap.yml
- include: add_github_ssh_hostkey.yml
- include: hostname.yml
- include: motd.yml
- include: vim.yml
- include: auto_upgrades.yml
+- include_tasks: repartition.yml
+- include_tasks: update_everything.yml
+- include_tasks: packages.yml
+- include_tasks: make_swap.yml
+- include_tasks: add_github_ssh_hostkey.yml
+- include_tasks: hostname.yml
+- include_tasks: motd.yml
+- include_tasks: vim.yml
+- include_tasks: auto_upgrades.yml
--- a/roles/common/tasks/repartition.yml
+++ b/roles/common/tasks/repartition.yml
@ -17,19 +17,26 @@
    state: absent

 - name: Remove partition number 5
-  command: parted --script /dev/sda rm 5
-  become: yes
+  parted:
+    device: /dev/sda
+    number: 5
+    state: absent

 - name: Remove partition number 2
-  command: parted --script /dev/sda rm 2
-  become: yes
+  parted:
+    device: /dev/sda
+    number: 2
+    state: absent
+  register: rm_part_2_sda_info

- name: Resize partition number 1 to fill the available space on the disk
+- name: Resize partition 1 to reach end of disk if it does not already
  command: parted ---pretend-input-tty /dev/sda unit % resizepart 1 yes 100
  become: yes
+  when: rm_part_2_sda_info['disk']['size'] != rm_part_2_sda_info['partitions'][0]['end']
  register: parted_resize

 - name: Resize filesystem on /dev/sda1 to fill the available space on the partition
-  command: resize2fs /dev/sda1
-  become: yes
-  register: resize2fs
+  filesystem:
+    dev: /dev/sda1
+    fstype: ext4
+    resizefs: true
--- a/roles/common/tasks/update_everything.yml
+++ b/roles/common/tasks/update_everything.yml
@ -8,7 +8,7 @@
  failed_when: false
  changed_when: false
  # Necessary to support --check mode
-  always_run: true
+  check_mode: no

 - name: Install sudo.
  apt:
@ -38,7 +38,6 @@
  tags: apt

 - name: Remove unneeded packages.
-  command: apt-get autoremove -y
-  register: autoremove_result
-  changed_when: "'0 upgraded' not in autoremove_result.stdout"
+  apt:
+    autoremove: yes
  tags: apt
--- a/roles/gitian/tasks/main.yml
+++ b/roles/gitian/tasks/main.yml
@ -25,7 +25,6 @@
    - kpartx
    - lintian
    - make
-    - parted
    - python-cheetah
    - qemu-utils
    - ruby
@ -129,7 +128,7 @@
    force: yes
  become_user: "{{ gitian_user }}"

- include: keys.yml
+- include_tasks: keys.yml
  tags: keys

 - name: Clone git repository for Zcash.
@ -204,16 +203,15 @@
    executable: /bin/bash

 - name: Clean the apt cache to free up space.
-  command: apt-get autoclean
-  register: autoclean_result
-  changed_when: "'Del' in autoclean_result.stdout"
+  apt:
+    autoclean: yes

- include: gpg.yml
+- include_tasks: gpg.yml
  tags: gpg
  become: no
  when: gpg_key_id is defined and gpg_key_id != ''

- include: ssh.yml
+- include_tasks: ssh.yml
  tags: ssh
  become: no
  when: ssh_key_name is defined and ssh_key_name != ''