majic-ansible-roles Changeset

Changeset - a718023f9e76

Parent rev.

Child rev.

[Not reviewed]

0 9 0

Branko Majic (branko) - 9 months ago 2023-08-09 01:54:45
branko@majic.rs

MAR-181: Drop support for Debian 9 Stretch from the backup_client role:

- Provide more details on use of pexpect+sftp backed for
Duplicity (backend has to be used on Debian 10 Buster as well, not
just Debian 9 Stretch).
- Switch to using IPs from VirtualBox default allowed host-only
network subnets.

9 files changed with 37 insertions and 48 deletions:

roles/backup_client/molecule/default/group_vars/parameters-mandatory.yml

roles/backup_client/molecule/default/group_vars/parameters-optional.yml

roles/backup_client/molecule/default/molecule.yml

roles/backup_client/molecule/default/tests/data/ssh/parameters-mandatory-known_hosts

roles/backup_client/molecule/default/tests/data/ssh/parameters-optional-known_hosts

roles/backup_client/molecule/default/tests/test_parameters_mandatory.py

roles/backup_client/molecule/default/tests/test_parameters_optional.py

roles/backup_client/tasks/main.yml

roles/backup_client/templates/duply_main_conf.j2

0 comments (0 inline, 0 general)

roles/backup_client/molecule/default/group_vars/parameters-mandatory.yml

➞

Show inline comments

 ---
 backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}"
-backup_server: 10.31.127.10
+backup_server: 192.168.56.10
 backup_server_host_ssh_public_keys:
   - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
   - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

roles/backup_client/molecule/default/group_vars/parameters-optional.yml

➞

Show inline comments

@@ @@ -6,7 +6,7 @@ backup_additional_encryption_keys: @@
   - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_3.asc') }}"
 backup_client_username: backupuser
 backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
-backup_server: 10.31.127.10
+backup_server: 192.168.56.10
 backup_server_destination: "/duplicity/{{ inventory_hostname }}"
 backup_server_host_ssh_public_keys:
   - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

roles/backup_client/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -23,7 +23,7 @@ platforms: @@
     cpus: 1
     interfaces:
       - auto_config: true
-        ip: 10.31.127.10
+        ip: 192.168.56.10
         network_name: private_network
         type: static
@@ @@ -35,7 +35,7 @@ platforms: @@
     cpus: 1
     interfaces:
       - auto_config: true
-        ip: 10.31.127.20
+        ip: 192.168.56.20
         network_name: private_network
         type: static
@@ @@ -47,31 +47,7 @@ platforms: @@
     cpus: 1
     interfaces:
       - auto_config: true
         ip: 10.31.127.21
         network_name: private_network
         type: static
   - name: parameters-mandatory-s64
     groups:
       - parameters-mandatory
     box: debian/contrib-stretch64
     memory: 256
     cpus: 1
     interfaces:
       - auto_config: true
         ip: 10.31.127.30
         network_name: private_network
         type: static
   - name: parameters-optional-s64
     groups:
       - parameters-optional
     box: debian/contrib-stretch64
     memory: 256
     cpus: 1
     interfaces:
       - auto_config: true
         ip: 10.31.127.31
         ip: 192.168.56.21
         network_name: private_network
         type: static

roles/backup_client/molecule/default/tests/data/ssh/parameters-mandatory-known_hosts

➞

Show inline comments

 [10.31.127.10]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ
 .31.127.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ
 [10.31.127.10]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6
 .31.127.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6
 [10.31.127.10]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=
 .31.127.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=
 [192.168.56.10]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ
 .168.56.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ
 [192.168.56.10]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6
 .168.56.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6
 [192.168.56.10]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=
 .168.56.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=

roles/backup_client/molecule/default/tests/data/ssh/parameters-optional-known_hosts

➞

Show inline comments

 [10.31.127.10]:3333 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ
 .31.127.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ
 [10.31.127.10]:3333 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6
 .31.127.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6
 [10.31.127.10]:3333 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=
 .31.127.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=
 [192.168.56.10]:3333 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ
 .168.56.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ
 [192.168.56.10]:3333 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6
 .168.56.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6
 [192.168.56.10]:3333 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=
 .168.56.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=

roles/backup_client/molecule/default/tests/test_parameters_mandatory.py

➞

Show inline comments

@@ @@ -70,7 +70,7 @@ def test_duply_configuration_content(host): @@
         assert "GPG_KEYS_ENC='59C26F031A129C54'" in duply_configuration.content_string
         assert "GPG_KEY_SIGN='59C26F031A129C54'" in duply_configuration.content_string
-        assert "TARGET='pexpect+sftp://bak-%s@10.31.127.10:2222//duplicity'" % hostname in duply_configuration.content_string
+        assert "TARGET='pexpect+sftp://bak-%s@192.168.56.10:2222//duplicity'" % hostname in duply_configuration.content_string
         assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
             "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content_string

roles/backup_client/molecule/default/tests/test_parameters_optional.py

➞

Show inline comments

@@ @@ -69,7 +69,7 @@ def test_duply_configuration_content(host): @@
         assert "GPG_KEYS_ENC='C4B2AE9F7A4F400A,3093C91BC3A9444B,86816FD928063B3F,8A14CD6C71223B72'" in duply_configuration.content_string
         assert "GPG_KEY_SIGN='C4B2AE9F7A4F400A'" in duply_configuration.content_string
-        assert "TARGET='pexpect+sftp://backupuser@10.31.127.10:3333//duplicity/%s'" % hostname in duply_configuration.content_string
+        assert "TARGET='pexpect+sftp://backupuser@192.168.56.10:3333//duplicity/%s'" % hostname in duply_configuration.content_string
         assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
             "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content_string

roles/backup_client/tasks/main.yml

➞

Show inline comments

 ---
 - name: Install pexpect for pexpect+sftp Duplicity backend (mainly needed on Stretch)
 # See duply_main_conf.j2 for details on why this is required (at least
 # on Debian 10 Buster). With newer versions of Debian it might be
 # possible to switch to Paramiko backend.
 - name: Install pexpect for pexpect+sftp Duplicity backend
   apt:
     name: "python-pexpect"
     state: present

roles/backup_client/templates/duply_main_conf.j2

➞

Show inline comments

@@ @@ -9,6 +9,14 @@ GPG_KEY_SIGN='{{ backup_encryption_key_id.stdout }}' @@
 GPG_OPTS="--homedir /etc/duply/main/gnupg/ --trust-model always"
 # Destination where the backups are stored at.
+#
 # Use the pexpect+sftp backend for Duplicity so we can (see also
 # DUPL_PARAMS and --ssh-options):
+#
 #   - Pass in custom options for user/global known_hosts files (not
 #     possible with Duplicity shipping with Debian 10 Buster).
 #   - Reduce logging verbosity (avoiding output from sftp that mentions
 #     updates of user's known_hosts file with IP addresses).
 TARGET='pexpect+sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}/{{ backup_server_destination }}'
 # Base directory to backup (root). File selection is done via include/exclude
@@ @@ -43,10 +51,12 @@ ARCH_DIR="/var/cache/duply/main/" @@
 # without any encryption, this effectively means no prompts.
 DUPL_PARAMS="$DUPL_PARAMS --use-agent"
 # Use the pexepct backend for Duplicity so we can pass in all the
 # ssh-options. Use dedicated known hosts and identity file when connecting over
 # SFTP. Using -oLogLevel=ERROR makes output a bit less verbose. This is mainly
 # to avoid output from sftp telling us it added IP address to known_hosts.
 # Rely only on global known_hosts file (which should only contain
 # resolvable names), bypassing addition of IP addresses to root's
 # known_hosts file. Log level is configured to reduce verbosity
 # (mentions of IP address additions to user's known_hosts file). Use
 # dedicated private key for performing logins towards the backup
 # server.
 DUPL_PARAMS="$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'"
 # By default we exclude everything, and then include only specific patterns.

0 comments (0 inline, 0 general)