ansible: update rhel7-s390x playbook and inventory (#2952)

Emergency rebuild of our RHEL 7 s390x instances after their VMs were
accidentally removed. Update the Ansible setup for RHEL 7 s390x to
eliminate previously manual steps (devtoolset installation).

Fixes: #2950

ansible/MANUAL_STEPS.md

@@ -6,8 +6,6 @@
   * [macOS release machines](#macos-release-machines)
     * [Full Xcode](#full-xcode)
     * [Signing certificates](#signing-certificates)
-* [RHEL7-S390X](#rhel7-s390x)
-  * [devtoolset-6 install](#devtoolset-6-install)
 * [macOS](#macos)
   * [Install Command Line Tools for Xcode](#install-command-line-tools-for-xcode)
 * [AIX 7.1](#aix-71)
@@ -137,28 +135,6 @@ Not Before: Jan 22 03:40:05 2020 GMT
 Not After : Jan 22 03:40:05 2025 GMT
 ```
 
-## RHEL7-S390X
-
-### devtoolset-6 install
-
-First copy the rpms from a machine that already has them
-
-```
-scp -r test-ibm-rhel7-s390x-1:/data/devtoolset-6-s390x-rpms/ ~/devtoolset-6-s390x-rpms
-```
-
-Then copy them over to the target machine
-
-```
-scp -r ~/devtoolset-6-s390x-rpms {target host}:~/devtoolset-6-s390x-rpms/
-```
-
-Then install the rpms
-
-```
-yum install -y devtoolset-6-s390x-rpms/*
-```
-
 ## macOS
 1. Update Sudoers file:
 

ansible/inventory.yml

@@ -47,7 +47,7 @@ hosts:
         aix71-ppc64_be-2:
             ip: 169.48.19.173
             server_jobs: 6
-        rhel7-s390x-1: {ip: 148.100.86.101, user: linux1}
+        rhel7-s390x-1: {ip: 148.100.84.166, user: linux1}
         rhel8-s390x-1: {ip: 148.100.84.45, user: linux1}
         rhel8-x64-1: {ip: 169.62.77.228}
         rhel8-x64-2: {ip: 50.97.245.10}
@@ -151,10 +151,10 @@ hosts:
         aix73-ppc64_be-1:
             ip: 163.68.64.114
             server_jobs: 6
-        rhel7-s390x-1: {ip: 148.100.86.21, user: linux1, build_test_v8: yes}
-        rhel7-s390x-2: {ip: 148.100.86.117, user: linux1, build_test_v8: yes}
-        rhel7-s390x-3: {ip: 148.100.86.28, user: linux1, build_test_v8: yes}
-        rhel7-s390x-4: {ip: 148.100.86.94, user: linux1, build_test_v8: yes}
+        rhel7-s390x-1: {ip: 148.100.84.221, user: linux1, build_test_v8: yes}
+        rhel7-s390x-2: {ip: 148.100.84.114, user: linux1, build_test_v8: yes}
+        rhel7-s390x-3: {ip: 148.100.84.50, user: linux1, build_test_v8: yes}
+        rhel7-s390x-4: {ip: 148.100.84.235, user: linux1, build_test_v8: yes}
         rhel8-s390x-1: {ip: 148.100.84.98, user: linux1, build_test_v8: yes}
         rhel8-s390x-2: {ip: 148.100.84.38, user: linux1, build_test_v8: yes}
         rhel8-s390x-3: {ip: 148.100.84.17, user: linux1, build_test_v8: yes}

ansible/roles/baselayout/tasks/partials/ccache/rhel7-s390x.yml

@@ -37,7 +37,7 @@
 
 - name: "ccache : compile"
   make:
-    chdir: "tmp/ccache-{{ ccache_latest }}"
+    chdir: "/tmp/ccache-{{ ccache_latest }}"
   when: not has_ccache.stat.exists
 
 - name: "ccache : install"

ansible/roles/baselayout/tasks/partials/repo/rhel7.yml

@@ -0,0 +1,11 @@
+---
+
+# Red Hat Enterprise Linux 7
+
+- name: Enable RHEL 7 repositories
+  community.general.rhsm_repository:
+    name:
+    - rhel-7-server-for-system-z-rhscl-rpms
+    - rhel-7-server-for-system-z-rhscl-debug-rpms
+    - rhel-7-server-for-system-z-rhscl-source-rpms
+    state: enabled

ansible/roles/baselayout/vars/main.yml

@@ -142,7 +142,7 @@ packages: {
   ],
 
   rhel7: [
-    'gcc-c++,sudo,git,zip,unzip,iptables-services,GConf2-devel,openssl-devel,python3',
+    'cmake,devtoolset-6,devtoolset-6-libatomic-devel,devtoolset-8,devtoolset-8-libatomic-devel,devtoolset-10,devtoolset-11,gcc-c++,sudo,git,make,zip,unzip,iptables-services,openssl-devel,python3',
   ],
 
   rhel8: [

ansible/roles/bootstrap/tasks/partials/rhel7-s390x.yml

@@ -0,0 +1,50 @@
+---
+
+# Red Hat Enterprise Linux 7 on s390x (LinuxONE)
+
+- name: run common RHEL 7 tasks
+  ansible.builtin.include_tasks: rhel7.yml
+
+- name: Firewall | install iptables-services
+  ansible.builtin.yum:
+    name: iptables-services
+    state: present
+
+- name: Firewall | enable iptables
+  ansible.builtin.systemd:
+    enabled: yes
+    name: iptables
+
+- name: Firewall | remove firewalld
+  ansible.builtin.yum:
+    name: firewalld
+    state: absent
+
+# The presence of /etc/sysconfig/iptables.save appears to be interfering
+# with rules being loaded after a system reboot, so remove.
+- name: Firewall | remove iptables.save
+  ansible.builtin.file:
+    path: /etc/sysconfig/iptables.save
+    state: absent
+  notify: restart iptables
+
+- name: Firewall | add rule to allow accepting multicast
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    insertafter: ":OUTPUT ACCEPT.*]"
+    line: "-A INPUT -m pkttype --pkt-type multicast -j ACCEPT"
+  notify: restart iptables
+
+- name: Firewall | add basic rule to allow communication locally
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    insertafter: ":OUTPUT ACCEPT.*]"
+    line: "-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT"
+  notify: restart iptables
+
+- name: Firewall | add additional rule to allow communication from 127.0.0.2
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    insertafter: ":OUTPUT ACCEPT.*]"
+    line: "-A INPUT -s 127.0.0.2/32 -d 127.0.0.1/32 -j ACCEPT"
+  notify: restart iptables

ansible/roles/build-test-v8/tasks/partials/rhel7-s390x.yml

@@ -4,6 +4,13 @@
 # Install packages for V8 builds.
 #
 
+# V8 builds still require Python 2.
+- name: install packages required to build V8
+  ansible.builtin.yum:
+    name: ['GConf2-devel', 'python', 'python3']
+    state: present
+  notify: package updated
+
 # RHEL 7 doesn't have a package for pip and EPEL 7 doesn't support s390x.
 # Install pip via `get-pip.py`.
 - name: download pip install script

ansible/roles/jenkins-worker/tasks/main.yml

@@ -39,33 +39,6 @@
   when: "'scaleway-ubuntu1804-armv7l' in inventory_hostname"
   include: "{{ role_path }}/tasks/partials/scaleway-armv7.yml"
 
-- name: rhel7 install cmake - create directory
-  when: os|startswith("rhel7")
-  file:
-    path: "/tmp/cmake"
-    state: directory
-
-- name: rhel7 install cmake - download tarball
-  when: os|startswith("rhel7")
-  shell:
-    chdir: "/tmp/cmake"
-    cmd: "curl -sL -o cmake-3.17.2.tar.gz https://github.com/Kitware/CMake/releases/download/v3.17.2/cmake-3.17.2.tar.gz"
-    creates:  "/tmp/cmake/cmake-3.17.2.tar.gz"
-
-- name: rhel7 install cmake - extract tarball
-  when: os|startswith("rhel7")
-  shell:
-    chdir: "/tmp/cmake"
-    cmd: "tar -xzf cmake-3.17.2.tar.gz"
-    creates:  "/tmp/cmake/cmake-3.17.2"
-
-- name: rhel7 install cmake - build
-  when: os|startswith("rhel7")
-  shell:
-    chdir: "/tmp/cmake/cmake-3.17.2"
-    cmd: "./bootstrap --verbose && make -j6 VERBOSE=1 && make install"
-    creates: "/usr/local/bin/cmake"
-
 - name: prepare installing tap2junit
   when: type != "release"
   include: "{{ pip_include }}"
@@ -78,39 +51,6 @@
         - "{{ role_path }}/tasks/partials/tap2junit/pip.yml"
       skip: true
 
-- name: Firewall | enable iptables
-  command: systemctl enable iptables
-  when: "'rhel7-s390x' in inventory_hostname"
-
-- name: Firewall | remove firewalld
-  raw: yum remove -y firewalld
-  when: "'rhel7-s390x' in inventory_hostname"
-
-- name: Firewall | add rule to allow accepting multicast
-  lineinfile:
-    dest: /etc/sysconfig/iptables
-    insertafter: ":OUTPUT ACCEPT.*]"
-    line: "-A INPUT -m pkttype --pkt-type multicast -j ACCEPT"
-  when: "'rhel7-s390x' in inventory_hostname"
-
-- name: Firewall | add basic rule to allow communication locally
-  lineinfile:
-    dest: /etc/sysconfig/iptables
-    insertafter: ":OUTPUT ACCEPT.*]"
-    line: "-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT"
-  when: "'rhel7-s390x' in inventory_hostname"
-
-- name: Firewall | add additional rule to allow communication from 127.0.0.2
-  lineinfile:
-    dest: /etc/sysconfig/iptables
-    insertafter: ":OUTPUT ACCEPT.*]"
-    line: "-A INPUT -s 127.0.0.2/32 -d 127.0.0.1/32 -j ACCEPT"
-  when: "'rhel7-s390x' in inventory_hostname"
-
-- name: Firewall | make the new firewall rules take effect
-  command: systemctl restart iptables
-  when: "'rhel7-s390x' in inventory_hostname"
-
 - name: install root certificates
   copy:
     dest: "{{ home }}/{{ server_user }}/ca-bundle.crt"
@@ -216,7 +156,7 @@
     owner: "{{ server_user }}"
     path: "{{ git_reference_path | dirname }}"
     state: directory
-  when: os == 'rhel8'
+  when: os == 'rhel8' or os == 'rhel7'
 
 - name: create git reference repository
   ansible.builtin.command:
@@ -225,7 +165,7 @@
     creates: "{{ git_reference_path }}"
   become: yes
   become_user: "{{ server_user }}"
-  when: os == 'rhel8'
+  when: os == 'rhel8' or os == 'rhel7'
 
 - name: render init script into place
   notify: restart Jenkins

ansible/roles/jenkins-worker/vars/main.yml

@@ -11,8 +11,7 @@ init: {
   freebsd: 'freebsd',
   ibmi: 'ibmi73',
   macos: 'macos',
-  rhel7: 'rhel7',
-  systemd: ['centos7', 'debian8', 'debian9', 'debian10', 'fedora', 'rhel8', 'ubuntu1604', 'ubuntu1804'],
+  systemd: ['centos7', 'debian8', 'debian9', 'debian10', 'fedora', 'rhel7', 'rhel8', 'ubuntu1604', 'ubuntu1804'],
   svc: 'smartos',
   upstart: ['ubuntu12', 'ubuntu1404'],
   zos_start: 'zos'
@@ -44,11 +43,6 @@ jenkins_init: {
     src: 'org.nodejs.osx.jenkins.plist',
     mode: '0755'
     },
-  rhel7: {
-    dest: '/usr/lib/systemd/system/jenkins.service',
-    src: 'systemd.service.j2',
-    mode: '0644'
-    },
   svc: {
     dest: '/home/{{ server_user }}/jenkins_manifest.xml',
     src: 'jenkins_manifest.xml.j2'