diff --git a/files/fedora-cloud/haproxy.cfg b/files/fedora-cloud/haproxy.cfg
index 8548645e9a..ee0938c303 100644
--- a/files/fedora-cloud/haproxy.cfg
+++ b/files/fedora-cloud/haproxy.cfg
@@ -68,44 +68,44 @@ defaults frontend neutron bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined default_backend neutron - # HSTS (15768000 seconds = 6 months) - rspadd Strict-Transport-Security:\ max-age=15768000 + # HSTS (31536000 seconds = 365 days) + rspadd Strict-Transport-Security:\ max-age=31536000 frontend cinder bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined default_backend cinder - # HSTS (15768000 seconds = 6 months) - rspadd Strict-Transport-Security:\ max-age=15768000 + # HSTS (31536000 seconds = 365 days) + rspadd Strict-Transport-Security:\ max-age=31536000 frontend swift bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined default_backend swift - # HSTS (15768000 seconds = 6 months) - rspadd Strict-Transport-Security:\ max-age=15768000 + # HSTS (31536000 seconds = 365 days) + rspadd Strict-Transport-Security:\ max-age=31536000 frontend nova bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined default_backend nova - # HSTS (15768000 seconds = 6 months) - rspadd Strict-Transport-Security:\ max-age=15768000 + # HSTS (31536000 seconds = 365 days) + rspadd Strict-Transport-Security:\ max-age=31536000 frontend ceilometer bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined default_backend ceilometer - # HSTS (15768000 seconds = 6 months) - rspadd Strict-Transport-Security:\ max-age=15768000 + # HSTS (31536000 seconds = 365 days) + rspadd Strict-Transport-Security:\ max-age=31536000 frontend ec2 bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined default_backend ec2 - # HSTS (15768000 seconds = 6 months) - rspadd Strict-Transport-Security:\ max-age=15768000 + # HSTS (31536000 seconds = 365 days) + rspadd Strict-Transport-Security:\ max-age=31536000 frontend glance bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt 
/etc/haproxy/fedorainfracloud.org.combined default_backend glance - # HSTS (15768000 seconds = 6 months) - rspadd Strict-Transport-Security:\ max-age=15768000 + # HSTS (31536000 seconds = 365 days) + rspadd Strict-Transport-Security:\ max-age=31536000 backend neutron server neutron 127.0.0.1:8696 check diff --git a/inventory/backups b/inventory/backups index 21d4790e40..b05a334433 100644 --- a/inventory/backups +++ b/inventory/backups @@ -13,6 +13,7 @@ people02.fedoraproject.org pkgs02.phx2.fedoraproject.org log01.phx2.fedoraproject.org db-qa01.qa.fedoraproject.org +db-qa02.qa.fedoraproject.org db-koji01.phx2.fedoraproject.org #copr-be.cloud.fedoraproject.org copr-fe.cloud.fedoraproject.org diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 1adcf0d772..1673c86f44 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -42,6 +42,7 @@ use_default_epel: true udp_ports: [] tcp_ports: [] custom_rules: [] +nat_rules: [] custom6_rules: [] # defaults for virt installs @@ -78,7 +79,7 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio - --autostart --noautoconsole --watchdog default + --autostart --noautoconsole --watchdog default --cpu host virt_install_command_two_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio diff --git a/inventory/group_vars/fedimg-stg b/inventory/group_vars/fedimg-stg index c6e7339a61..56bbd99801 100644 --- a/inventory/group_vars/fedimg-stg +++ b/inventory/group_vars/fedimg-stg @@ -3,6 +3,9 @@ lvm_size: 20000 mem_size: 6144 num_cpus: 2 +# Use infrastructure-tags-stg repo +testing: True + # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file 
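Review bot: Every frontend still emits the header with `rspadd`, which HAProxy deprecated in favour of `http-response set-header` and drops in newer releases; `set-header` also replaces rather than appends, so a backend that already sends Strict-Transport-Security does not produce a duplicate header. Suggested replacement for each rspadd line: `http-response set-header Strict-Transport-Security max-age=31536000`. The bind lines in the same hunk only disable SSLv3 and TLS 1.0, so a one-year HSTS commitment is now being made for listeners that still negotiate TLS 1.1; add `no-tlsv11` if the OpenStack clients in use allow it. Whether `includeSubDomains` is safe depends on what else is served under fedorainfracloud.org, which this file does not show.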
diff --git a/inventory/group_vars/freshmaker-stg b/inventory/group_vars/freshmaker-stg new file mode 100644 index 0000000000..8dc4dfb9ff --- /dev/null +++ b/inventory/group_vars/freshmaker-stg @@ -0,0 +1,28 @@ +--- +# For app config +freshmaker_messaging_topic_prefix: +- org.fedoraproject.stg + +freshmaker_parsers: +- freshmaker.parsers.git:GitReceiveParser + +freshmaker_handlers: +- freshmaker.handlers.git:GitModuleMetadataChangeHandler +- freshmaker.handlers.git:GitRPMSpecChangeHandler + +freshmaker_admins: + users: + - jkaluza + - cqi + - qwan + - sochotni + groups: [] + +freshmaker_dry_run: True +freshmaker_log_level: debug + +freshmaker_handler_build_whitelist: + global: + module: + - name: + - testmodule diff --git a/inventory/group_vars/hubs-stg b/inventory/group_vars/hubs-stg new file mode 100644 index 0000000000..f20d3d4134 --- /dev/null +++ b/inventory/group_vars/hubs-stg @@ -0,0 +1,12 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 4096 +num_cpus: 2 + +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +tcp_ports: [ 80 ] + +fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-hubs,sysadmin-veteran diff --git a/inventory/group_vars/jenkins-slave b/inventory/group_vars/jenkins-slave index 32582efe40..276c4f4927 100644 --- a/inventory/group_vars/jenkins-slave +++ b/inventory/group_vars/jenkins-slave @@ -278,3 +278,5 @@ f25_only: f26_only: - python2-koji # Needed for pyrpkg - python3-koji # Needed for pyrpkg +- python26 +- python35 diff --git a/inventory/group_vars/koschei-backend b/inventory/group_vars/koschei-backend index 914da089da..be170dd1dd 100644 --- a/inventory/group_vars/koschei-backend +++ b/inventory/group_vars/koschei-backend 
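Review bot: `python26` installs a Python 2.6 interpreter, which has been out of upstream support since 2013 and gets no security fixes; on a Jenkins slave it is presumably only there so legacy tox environments can run, but the list gives no hint of that. A comment on the new entry would keep the next person from treating it as a general-purpose runtime, e.g. `- python26  # EOL interpreter, only for legacy tox envs on this slave`. The `f26_only:` list this extends starts before the hunk.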
@@ -12,6 +12,9 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org koschei_koji_hub: koji.fedoraproject.org koschei_kojipkgs: kojipkgs.fedoraproject.org koschei_koji_web: koji.fedoraproject.org +koschei_copr_url: http://copr-fe.cloud.fedoraproject.org +koschei_copr_login: NOT-USED-YET +koschei_copr_token: NOT-USED-YET host_group: koschei-backend diff --git a/inventory/group_vars/koschei-backend-stg b/inventory/group_vars/koschei-backend-stg index 7afe9c30ef..b12523ea24 100644 --- a/inventory/group_vars/koschei-backend-stg +++ b/inventory/group_vars/koschei-backend-stg @@ -12,6 +12,9 @@ koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org koschei_koji_hub: koji.stg.fedoraproject.org koschei_kojipkgs: koji.stg.fedoraproject.org koschei_koji_web: koji.stg.fedoraproject.org +koschei_copr_url: http://copr-fe-dev.cloud.fedoraproject.org +koschei_copr_login: "{{ koschei_copr_login_stg }}" +koschei_copr_token: "{{ koschei_copr_token_stg }}" tcp_ports: [ @@ -55,6 +58,7 @@ csi_relationship: | - fedmsg hub - bastion (for mail relay) - memcached01 + - Copr development instance koschei_backend_services: - koschei-polling diff --git a/inventory/group_vars/koschei-web b/inventory/group_vars/koschei-web index 9ddb030906..1f41f22520 100644 --- a/inventory/group_vars/koschei-web +++ b/inventory/group_vars/koschei-web @@ -1,7 +1,7 @@ --- # Define resources for this group of hosts here. -lvm_size: 6000 -mem_size: 1024 +lvm_size: 8000 +mem_size: 2048 num_cpus: 1 # for systems that do not match the above - specify the same parameter in 
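Review bot: `koschei_copr_url` is a plain `http://` URL and the two credential keys beside it are committed as the literal placeholders `NOT-USED-YET` instead of references into the private vars, unlike the staging file in this same commit. Once the Copr integration is enabled, the login and token would be sent in cleartext on every API call unless the scheme is changed. Suggest `koschei_copr_url: https://copr-fe.cloud.fedoraproject.org` now, and `koschei_copr_login: "{{ koschei_copr_login_prod }}"` / `koschei_copr_token: "{{ koschei_copr_token_prod }}"` so the real values can only ever land in the private repo.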
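Review bot: `koschei_copr_login` and `koschei_copr_token` are pulled from the private vars, so they are real credentials, but `koschei_copr_url` is `http://copr-fe-dev.cloud.fedoraproject.org`, which means the token travels in cleartext on every Copr API call from the staging backend. If copr-fe-dev terminates TLS (not visible here), change it to `koschei_copr_url: https://copr-fe-dev.cloud.fedoraproject.org`; if it does not, that is worth a comment so nobody copies the pattern to production.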
@@ -12,9 +12,11 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org koschei_koji_hub: koji02.phx2.fedoraproject.org koschei_kojipkgs: kojipkgs.fedoraproject.org koschei_koji_web: koji.fedoraproject.org -koschei_openid_provider: id.fedoraproject.org +koschei_oidc_provider: id.fedoraproject.org koschei_bugzilla: bugzilla.redhat.com +koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_prod }}" +koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_prod }}" tcp_ports: [ 80, 443 ] diff --git a/inventory/group_vars/koschei-web-stg b/inventory/group_vars/koschei-web-stg index aabde7a764..c3692a7c30 100644 --- a/inventory/group_vars/koschei-web-stg +++ b/inventory/group_vars/koschei-web-stg @@ -11,9 +11,12 @@ koschei_topurl: https://apps.stg.fedoraproject.org/koschei koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org koschei_kojipkgs: koji.stg.fedoraproject.org koschei_koji_web: koji.stg.fedoraproject.org -koschei_openid_provider: id.stg.fedoraproject.org +koschei_oidc_provider: id.stg.fedoraproject.org koschei_bugzilla: partner-bugzilla.redhat.com +koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_stg }}" +koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_stg }}" + tcp_ports: [ 80, 443 ] custom_rules: [ diff --git a/inventory/group_vars/odcs-frontend b/inventory/group_vars/odcs-frontend index bb9b350dfb..7907969c39 100644 --- a/inventory/group_vars/odcs-frontend +++ b/inventory/group_vars/odcs-frontend @@ -39,7 +39,9 @@ fedmsg_certs: odcs_target_dir_url: https://odcs.fedoraproject.org/composes # Give access to jscotka to be able to develop module testing integration # for taskotron. -odcs_allowed_clients_users: ["jscotka"] +# Give access to sgallagh to be able to generate testing composes for new +# modules. +odcs_allowed_clients_users: ["jscotka", "sgallagh"] # For the MOTD csi_security_category: Low diff --git a/inventory/group_vars/openqa-stg b/inventory/group_vars/openqa-stg index 9b10299df8..63ad3a4839 100644 
--- a/inventory/group_vars/openqa-stg +++ b/inventory/group_vars/openqa-stg @@ -26,8 +26,8 @@ openqa_dbname: openqa-stg openqa_dbhost: db-qa01.qa.fedoraproject.org openqa_dbuser: openqastg openqa_dbpassword: "{{ stg_openqa_dbpassword }}" -openqa_assetsize: 300 -openqa_assetsize_updates: 50 +openqa_assetsize: 410 +openqa_assetsize_updates: 160 openqa_key: "{{ stg_openqa_apikey }}" openqa_secret: "{{ stg_openqa_apisecret }}" @@ -71,6 +71,14 @@ fedmsg_certs: - openqa.jobs.restart - openqa.job.update.result - openqa.job.done +- service: ci + owner: root + group: geekotest + can_send: + - ci.productmd-compose.test.queued + - ci.productmd-compose.test.running + - ci.productmd-compose.test.complete + - ci.productmd-compose.test.error # we need this to log with fedmsg-logger fedmsg_active: True diff --git a/inventory/group_vars/openshift-pseudohosts-stg b/inventory/group_vars/openshift-pseudohosts-stg new file mode 100644 index 0000000000..3d8f2c30da --- /dev/null +++ b/inventory/group_vars/openshift-pseudohosts-stg @@ -0,0 +1,2 @@ +--- +freezes: false diff --git a/inventory/group_vars/osbs b/inventory/group_vars/osbs index 525fb26aa9..9463129609 100644 --- a/inventory/group_vars/osbs +++ b/inventory/group_vars/osbs @@ -6,7 +6,7 @@ num_cpus: 2 tcp_ports: [ 80, 443, 8443] -fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran +fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs sudoers: "{{ private }}/files/sudo/00releng-sudoers" docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org" diff --git a/inventory/group_vars/osbs-control b/inventory/group_vars/osbs-control index 5777ead3da..75f1046a57 100644 --- a/inventory/group_vars/osbs-control +++ b/inventory/group_vars/osbs-control 
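Review bot: Adding `sysadmin-osbs` to `fas_client_groups` gives that FAS group shell accounts on the OSBS hosts while `sudoers` continues to point at `00releng-sudoers`, so whether the new group also gets root depends entirely on what that private file grants, which cannot be checked from this diff. Make the intended privilege split explicit next to the line, e.g. `# sysadmin-osbs: shell access only; sudo is governed by 00releng-sudoers`, or give the group its own sudoers file if it is meant to administer OSBS. The same change is repeated for the other osbs-* groups in the following hunks.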
@@ -1,6 +1,6 @@ --- # Define resources for this group of hosts here. -fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran +fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran,sysadmin-osbs sudoers: "{{ private }}/files/sudo/00releng-sudoers" osbs_url: "osbs.fedoraproject.org" diff --git a/inventory/group_vars/osbs-control-stg b/inventory/group_vars/osbs-control-stg index b6f29da32f..62e2d68748 100644 --- a/inventory/group_vars/osbs-control-stg +++ b/inventory/group_vars/osbs-control-stg @@ -1,6 +1,6 @@ --- # Define resources for this group of hosts here. -fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran +fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran,sysadmin-osbs sudoers: "{{ private }}/files/sudo/00releng-sudoers" osbs_url: "osbs.stg.fedoraproject.org" diff --git a/inventory/group_vars/osbs-masters b/inventory/group_vars/osbs-masters index 127d511613..893e997c4a 100644 --- a/inventory/group_vars/osbs-masters +++ b/inventory/group_vars/osbs-masters @@ -6,7 +6,7 @@ num_cpus: 2 tcp_ports: [ 80, 443, 8443] -fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran +fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs sudoers: "{{ private }}/files/sudo/00releng-sudoers" docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org" diff --git a/inventory/group_vars/osbs-nodes b/inventory/group_vars/osbs-nodes index b05656f688..aad303bec1 100644 --- a/inventory/group_vars/osbs-nodes +++ b/inventory/group_vars/osbs-nodes @@ -6,7 +6,7 @@ num_cpus: 2 tcp_ports: [ 80, 443, 8443, 10250] -fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran +fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs sudoers: "{{ private }}/files/sudo/00releng-sudoers" docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org" 
diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg index 0da2a9434f..b896143aea 100644 --- a/inventory/group_vars/osbs-stg +++ b/inventory/group_vars/osbs-stg @@ -6,7 +6,7 @@ num_cpus: 2 tcp_ports: [ 80, 443, 8443] -fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran +fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs sudoers: "{{ private }}/files/sudo/00releng-sudoers" docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org" diff --git a/inventory/group_vars/packages b/inventory/group_vars/packages index 576d9539b2..2058d81482 100644 --- a/inventory/group_vars/packages +++ b/inventory/group_vars/packages @@ -15,7 +15,9 @@ tcp_ports: [ 80, 443, # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran +fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran,sysadmin-packages + +sudoers: "{{ private }}/files/sudo/sysadmin-packages" # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: diff --git a/inventory/group_vars/packages-stg b/inventory/group_vars/packages-stg index 4f3c2db809..139053ff9a 100644 --- a/inventory/group_vars/packages-stg +++ b/inventory/group_vars/packages-stg @@ -12,7 +12,9 @@ tcp_ports: [ 80, 443, # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-noc,sysadmin-web,fi-apprentice,sysadmin-veteran +fas_client_groups: sysadmin-noc,sysadmin-web,fi-apprentice,sysadmin-veteran,sysadmin-packages + +sudoers: "{{ private }}/files/sudo/sysadmin-packages" # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: 
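Review bot: This hunk both grants `sysadmin-packages` shell accounts via `fas_client_groups` and introduces `sudoers: "{{ private }}/files/sudo/sysadmin-packages"`, a file in the private repo whose contents cannot be reviewed here; there was no `sudoers` key in this group before, so whatever policy applied previously is being replaced on the production packages hosts. Confirm the file exists and is scoped to that group only, and record what it grants beside the key, e.g. `# sysadmin-packages sudoers: restart of web/fedmsg services on packages hosts only`. The custom_rules above are unchanged context and still hard-code the log01 rsync source addresses.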
diff --git a/inventory/group_vars/pagure-proxy b/inventory/group_vars/pagure-proxy
new file mode 100644
index 0000000000..0f28d4c963
--- /dev/null
+++ b/inventory/group_vars/pagure-proxy
@@ -0,0 +1,23 @@
+---
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 22, 25, 80, 443, 9418,
+    # Used for the eventsource
+    8088,
+    # This is for the pagure public fedmsg relay
+    9940]
+
+fas_client_groups: sysadmin-noc
+
+freezes: true
+postfix_group: vpn.pagure
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
+csi_purpose: Proxy specific ports to OSUOSL for preventing slow peering
+csi_relationship: |
+  This box proxies traffic over to pagure01.fedoraproject.org
+
+  (This is done because OSUOSL has terribly slow peering to EU)
diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
index 55434c1f15..1d51c237d5 100644
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -3,12 +3,7 @@ lvm_size: 100000
 mem_size: 4096
 num_cpus: 4
 
-tcp_ports: [80, 443,
-    # These 16 ports are used by fedmsg. One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
-
-custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT']
+tcp_ports: [ 9418, 80, 443 ]
 
 # We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
diff --git a/inventory/group_vars/pkgs-stg b/inventory/group_vars/pkgs-stg
index ca75ead3c4..a26704a8a6 100644
--- a/inventory/group_vars/pkgs-stg
+++ b/inventory/group_vars/pkgs-stg
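Review bot: `postfix_group: vpn.pagure` is shadowed by `postfix_group: vpn` in the pagure-proxy01 host_vars added by this same commit (host_vars take precedence over group_vars), so one of the two settings is dead and the mail relay policy applied to the box is not the one a reader of this file expects; keep one and delete the other. `tcp_ports` also opens 22 on INPUT, which is the proxy's own sshd, while the host's DNAT rules redirect port 22 on the secondary address to pagure01 — worth a comment so the two are not confused, e.g. `# 22 is this host's own sshd; ssh to the secondary address is DNATed to pagure01 (see nat_rules in host_vars)`.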
@@ -3,11 +3,7 @@ lvm_size: 100000 mem_size: 4096 num_cpus: 4 -tcp_ports: [80, 443, 9418, - # These 16 ports are used by fedmsg. One for each wsgi thread. - 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, - 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] - +tcp_ports: [ 9418, 80, 443 ] # Definining these vars has a number of effects # 1) mod_wsgi is configured to use the vars for its own setup # 2) iptables opens enough ports for all threads for fedmsg diff --git a/inventory/group_vars/taskotron-dev b/inventory/group_vars/taskotron-dev index 3ea03b9f30..12a2ba5429 100644 --- a/inventory/group_vars/taskotron-dev +++ b/inventory/group_vars/taskotron-dev @@ -31,7 +31,7 @@ grokmirror_repos: - { name: fedoraqa/rpmlint, url: 'https://pagure.io/taskotron/task-rpmlint.git'} - { name: fedoraqa/upgradepath, url: 'https://pagure.io/taskotron/task-upgradepath.git'} - { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'} -grokmirror_default_branch: feature/ansiblize +grokmirror_default_branch: develop ############################################################ diff --git a/inventory/group_vars/taskotron-stg b/inventory/group_vars/taskotron-stg index 1bcff19741..b4211f2941 100644 --- a/inventory/group_vars/taskotron-stg +++ b/inventory/group_vars/taskotron-stg @@ -33,7 +33,7 @@ grokmirror_repos: - { name: fedoraqa/rpmlint, url: 'https://pagure.io/taskotron/task-rpmlint.git'} - { name: fedoraqa/upgradepath, url: 'https://pagure.io/taskotron/task-upgradepath.git'} - { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'} -grokmirror_default_branch: develop +grokmirror_default_branch: master ############################################################ diff --git a/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org b/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org index a6981c6b39..c85cc70f8f 100644 --- a/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org 
+++ b/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ volgroup: /dev/vg_host01 eth0_ip: 10.5.125.135 eth1_ip: 10.5.127.61 diff --git a/inventory/host_vars/bodhi-backend02.phx2.fedoraproject.org b/inventory/host_vars/bodhi-backend02.phx2.fedoraproject.org index 14592e3bb5..b52771da0c 100644 --- a/inventory/host_vars/bodhi-backend02.phx2.fedoraproject.org +++ b/inventory/host_vars/bodhi-backend02.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ volgroup: /dev/vg_bvirthost06 eth0_ip: 10.5.125.136 eth1_ip: 10.5.127.62 diff --git a/inventory/host_vars/bodhi03.phx2.fedoraproject.org b/inventory/host_vars/bodhi03.phx2.fedoraproject.org index 4978f13135..19dedb83b6 100644 --- a/inventory/host_vars/bodhi03.phx2.fedoraproject.org +++ b/inventory/host_vars/bodhi03.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.126.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ volgroup: /dev/vg_virthost01 eth0_ip: 10.5.126.115 vmhost: virthost01.phx2.fedoraproject.org 
diff --git a/inventory/host_vars/bodhi04.phx2.fedoraproject.org b/inventory/host_vars/bodhi04.phx2.fedoraproject.org index e7948f32e0..843366304a 100644 --- a/inventory/host_vars/bodhi04.phx2.fedoraproject.org +++ b/inventory/host_vars/bodhi04.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.126.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.126.116 vmhost: virthost02.phx2.fedoraproject.org diff --git a/inventory/host_vars/commops.fedorainfracloud.org b/inventory/host_vars/commops.fedorainfracloud.org index 7308615384..679851c81f 100644 --- a/inventory/host_vars/commops.fedorainfracloud.org +++ b/inventory/host_vars/commops.fedorainfracloud.org @@ -2,9 +2,9 @@ image: "{{ fedora27_x86_64 }}" instance_type: m1.medium keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,all-icmp-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,all-icmp-persistent,default zone: nova -tcp_ports: [22] +tcp_ports: [22, 80, 443] inventory_tenant: persistent inventory_instance_name: commops diff --git a/inventory/host_vars/hubs01.stg.phx2.fedoraproject.org b/inventory/host_vars/hubs01.stg.phx2.fedoraproject.org new file mode 100644 index 0000000000..e242461907 --- /dev/null +++ b/inventory/host_vars/hubs01.stg.phx2.fedoraproject.org @@ -0,0 +1,12 @@ +--- +nm: 255.255.255.0 +gw: 10.5.128.254 +dns: 10.5.126.21 + +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ + +volgroup: /dev/vg_guests +eth0_ip: 10.5.128.190 +vmhost: virthost05.phx2.fedoraproject.org +datacenter: phx2 
diff --git a/inventory/host_vars/koschei-web01.phx2.fedoraproject.org b/inventory/host_vars/koschei-web01.phx2.fedoraproject.org index 59f61fbf25..01b93972ef 100644 --- a/inventory/host_vars/koschei-web01.phx2.fedoraproject.org +++ b/inventory/host_vars/koschei-web01.phx2.fedoraproject.org @@ -3,8 +3,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 -ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.126.140 diff --git a/inventory/host_vars/odcs-backend01.phx2.fedoraproject.org b/inventory/host_vars/odcs-backend01.phx2.fedoraproject.org index 097be7b958..fe5603cb74 100644 --- a/inventory/host_vars/odcs-backend01.phx2.fedoraproject.org +++ b/inventory/host_vars/odcs-backend01.phx2.fedoraproject.org @@ -7,7 +7,7 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ eth0_ip: 10.5.126.65 -eth1_ip: 10.5.127.114 +#eth1_ip: 10.5.127.114 volgroup: /dev/vg_guests vmhost: virthost19.phx2.fedoraproject.org diff --git a/inventory/host_vars/pagure-proxy01.fedoraproject.org b/inventory/host_vars/pagure-proxy01.fedoraproject.org new file mode 100644 index 0000000000..ea6e9dffce --- /dev/null +++ b/inventory/host_vars/pagure-proxy01.fedoraproject.org 
@@ -0,0 +1,55 @@
+---
+nm: 255.255.255.128
+gw: 152.19.134.129
+dns: 8.8.8.8
+
+custom_rules: ['-A FORWARD -j ACCEPT']
+
+nat_rules: [
+    # SSH
+    '-A PREROUTING --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22',
+    '-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 22 -j SNAT --to-source 152.19.134.147',
+    '-A OUTPUT --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22',
+    # SMTP
+    '-A PREROUTING --dst 152.19.134.147 -p tcp --dport 25 -j DNAT --to-destination 140.211.169.204:25',
+    '-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 25 -j SNAT --to-source 152.19.134.147',
+    '-A OUTPUT --dst 152.19.134.147 -p tcp --dport 25 -j DNAT --to-destination 140.211.169.204:25',
+    # web-80
+    '-A PREROUTING --dst 152.19.134.147 -p tcp --dport 80 -j DNAT --to-destination 140.211.169.204:80',
+    '-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 80 -j SNAT --to-source 152.19.134.147',
+    '-A OUTPUT --dst 152.19.134.147 -p tcp --dport 80 -j DNAT --to-destination 140.211.169.204:80',
+    # web-443
+    '-A PREROUTING --dst 152.19.134.147 -p tcp --dport 443 -j DNAT --to-destination 140.211.169.204:443',
+    '-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 443 -j SNAT --to-source 152.19.134.147',
+    '-A OUTPUT --dst 152.19.134.147 -p tcp --dport 443 -j DNAT --to-destination 140.211.169.204:443',
+    # 9418
+    '-A PREROUTING --dst 152.19.134.147 -p tcp --dport 9418 -j DNAT --to-destination 140.211.169.204:9418',
+    '-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 9418 -j SNAT --to-source 152.19.134.147',
+    '-A OUTPUT --dst 152.19.134.147 -p tcp --dport 9418 -j DNAT --to-destination 140.211.169.204:9418',
+    # Eventsource
+    '-A PREROUTING --dst 152.19.134.147 -p tcp --dport 8088 -j DNAT --to-destination 140.211.169.204:8088',
+    '-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 8088 -j SNAT --to-source 152.19.134.147',
+    '-A OUTPUT --dst 152.19.134.147 -p tcp --dport 8088 -j DNAT --to-destination 140.211.169.204:8088',
+    # Fedmsg
+    '-A PREROUTING --dst 152.19.134.147 -p tcp --dport 9940 -j DNAT --to-destination 140.211.169.204:9940',
+    '-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 9940 -j SNAT --to-source 152.19.134.147',
+    '-A OUTPUT --dst 152.19.134.147 -p tcp --dport 9940 -j DNAT --to-destination 140.211.169.204:9940',
+]
+
+
+ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7-ext
+ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
+
+volgroup: /dev/vg_guests
+
+eth0_ip: 152.19.134.146
+eth0_nm: 255.255.255.128
+has_ipv6: yes
+eth0_ipv6: "2610:28:3090:3001:dead:beef:cafe:fe46"
+eth0_ipv6_gw: "2610:28:3090:3001::1"
+eth0_secondary_ip: 152.19.134.147
+
+sponsor: ibiblio
+datacenter: ibiblio
+postfix_group: vpn
+vmhost: ibiblio01.fedoraproject.org
diff --git a/inventory/host_vars/retrace01.qa.fedoraproject.org b/inventory/host_vars/retrace01.qa.fedoraproject.org
index b9cb203684..526c1e3621 100644
--- a/inventory/host_vars/retrace01.qa.fedoraproject.org
+++ b/inventory/host_vars/retrace01.qa.fedoraproject.org
@@ -3,8 +3,8 @@ faf_server_name: retrace.fedoraproject.org/faf
 rs_use_faf_packages: true
 
 # we do not have enough storage on stg
-rs_internal_fedora_vers: [25, 26, 27, rawhide]
-rs_internal_fedora_vers_removed: [24]
+rs_internal_fedora_vers: [26, 27, rawhide]
+rs_internal_fedora_vers_removed: [24, 25]
 rs_internal_arch_list: [source, x86_64, i386]
 
 nagios_Check_Services:
diff --git a/inventory/host_vars/retrace02.qa.fedoraproject.org b/inventory/host_vars/retrace02.qa.fedoraproject.org
new file mode 100644
index 0000000000..c20bf0226a
--- /dev/null
+++ b/inventory/host_vars/retrace02.qa.fedoraproject.org
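Review bot: `custom_rules: ['-A FORWARD -j ACCEPT']` accepts every forwarded packet, not only the seven DNATed flows, so once ip_forward is on this host will route anything that reaches it with a forwardable destination; the PREROUTING rules are not pinned to an inbound interface either. Restrict FORWARD to the pagure01 destination and the proxied ports and let replies through by conntrack state, as below — this assumes the base template's FORWARD policy is DROP, which the diff does not show; if it is not, an explicit final drop is needed. Separately, the POSTROUTING SNAT rewrites every client source to 152.19.134.147, so pagure01's access logs, fail2ban and any per-IP limits will see one address for all traffic arriving via this box, which is worth a comment (or an L7 proxy with X-Forwarded-For for 80/443). `dns: 8.8.8.8` instead of the infra resolvers used elsewhere in this inventory also deserves a one-line justification.
```yaml
custom_rules: [
    '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
    '-A FORWARD -d 140.211.169.204 -p tcp -m multiport --dports 22,25,80,443,8088,9418,9940 -m conntrack --ctstate NEW -j ACCEPT',
]
# … unchanged: nat_rules …
```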
@@ -0,0 +1,18 @@ +--- +faf_server_name: retrace.fedoraproject.org/faf +rs_use_faf_packages: true + +# we do not have enough storage on stg +rs_internal_fedora_vers: [rawhide] +#rs_internal_fedora_vers_removed: [24, 25, 26, 27] +rs_internal_arch_list: [source, x86_64, i386] + +nagios_Check_Services: + nrpe: true + sshd: true + named: false + dhcpd: false + httpd: false + swap: false + +faf_repos: [] diff --git a/inventory/inventory b/inventory/inventory index 01f4f93c13..b289429fc7 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -496,7 +496,7 @@ proxy03.fedoraproject.org proxy04.fedoraproject.org proxy05.fedoraproject.org proxy06.fedoraproject.org -proxy07.fedoraproject.org +#proxy07.fedoraproject.org proxy08.fedoraproject.org proxy09.fedoraproject.org proxy10.phx2.fedoraproject.org @@ -656,7 +656,7 @@ proxy03.fedoraproject.org proxy04.fedoraproject.org proxy05.fedoraproject.org proxy06.fedoraproject.org -proxy07.fedoraproject.org +#proxy07.fedoraproject.org proxy08.fedoraproject.org proxy09.fedoraproject.org proxy10.phx2.fedoraproject.org @@ -708,6 +708,9 @@ smtp-mm-ib01.fedoraproject.org smtp-mm-osuosl01.fedoraproject.org smtp-mm-tummy01.fedoraproject.org +[hubs-stg] +hubs01.stg.phx2.fedoraproject.org + [spare] # # All staging hosts should be in this group too. @@ -761,6 +764,7 @@ freshmaker-frontend01.stg.phx2.fedoraproject.org freshmaker-backend01.stg.phx2.fedoraproject.org github2fedmsg01.stg.phx2.fedoraproject.org hotness01.stg.phx2.fedoraproject.org +hubs01.stg.phx2.fedoraproject.org kerneltest01.stg.phx2.fedoraproject.org koji01.stg.phx2.fedoraproject.org koschei-backend01.stg.phx2.fedoraproject.org @@ -1318,6 +1322,9 @@ pagure01.fedoraproject.org [pagure-stg] pagure-stg01.fedoraproject.org +[pagure-proxy] +pagure-proxy01.fedoraproject.org + [twisted-buildbots] twisted-fedora24-1.fedorainfracloud.org twisted-fedora24-2.fedorainfracloud.org diff --git a/master.yml b/master.yml index c4217951f6..d7a99aa8df 100644 --- a/master.yml +++ b/master.yml 
@@ -74,7 +74,6 @@ - import_playbook: /srv/web/infra/ansible/playbooks/groups/maintainer-test.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/mariadb-server.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/mdapi.yml -- import_playbook: /srv/web/infra/ansible/playbooks/groups/mirrorlist2.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/mirrormanager.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/memcached.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/modernpaste.yml diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml index a5bfe816ea..eb77006429 100644 --- a/playbooks/groups/buildhw.yml +++ b/playbooks/groups/buildhw.yml @@ -1,7 +1,7 @@ -- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=buildhw:buildaarch64:bkernel" +- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=buildhw:bkernel" - name: make koji builder(s) on raw hw - hosts: buildhw:buildaarch64:bkernel + hosts: buildhw:bkernel remote_user: root gather_facts: True diff --git a/playbooks/groups/freshmaker.yml b/playbooks/groups/freshmaker.yml index 37677c14f8..8eeb09cdff 100644 --- a/playbooks/groups/freshmaker.yml +++ b/playbooks/groups/freshmaker.yml @@ -46,7 +46,7 @@ handlers: - import_tasks: "{{ handlers_path }}/restart_services.yml" -- name: Set up apache on the frontend MBS API app +- name: set up Freshmaker frontend hosts: freshmaker-frontend:freshmaker-frontend-stg user: root gather_facts: True 
@@ -58,12 +58,16 @@ roles: - mod_wsgi + - role: freshmaker/frontend + # TLS is terminated for us at the proxy layer (like for every other app). + freshmaker_force_ssl: False + freshmaker_servername: null handlers: - import_tasks: "{{ handlers_path }}/restart_services.yml" -- name: set up fedmsg configuration and common freshmaker files - hosts: freshmaker:freshmaker-stg +- name: set up Freshmaker backend + hosts: freshmaker-backend:freshmaker-backend-stg user: root gather_facts: True @@ -74,6 +78,14 @@ roles: - fedmsg/base + - role: freshmaker/backend + freshmaker_servername: freshmaker{{env_suffix}}.fedoraproject.org + + - role: keytab/service + service: freshmaker + owner_user: fedmsg + owner_group: fedmsg + host: "freshmaker{{env_suffix}}.fedoraproject.org" handlers: - import_tasks: "{{ handlers_path }}/restart_services.yml" diff --git a/playbooks/groups/piwik.yml b/playbooks/groups/hubs.yml similarity index 75% rename from playbooks/groups/piwik.yml rename to playbooks/groups/hubs.yml index 9b740037d6..5838e8545e 100644 --- a/playbooks/groups/piwik.yml +++ b/playbooks/groups/hubs.yml @@ -1,9 +1,9 @@ -# These servers run piwik - -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=piwik-stg" +# create the hubs server +# NOTE: should be used with --limit most of the time +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=hubs-stg" - name: make the box be real - hosts: piwik-stg + hosts: hubs-stg user: root gather_facts: True @@ -19,10 +19,10 @@ - hosts - fas_client - collectd/base - - apache - - fedmsg/base - - piwik - sudo + - { role: openvpn/client, + when: env != "staging" } + - mod_wsgi tasks: - import_tasks: "{{ tasks_path }}/yumrepos.yml" diff --git a/playbooks/groups/mirrorlist2.yml b/playbooks/groups/mirrorlist2.yml deleted file mode 100644 index 6ed5a182e8..0000000000 --- a/playbooks/groups/mirrorlist2.yml +++ /dev/null 
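Review bot: The `keytab/service` role is invoked with `owner_user: fedmsg` and `owner_group: fedmsg`, so the freshmaker service keytab is readable by anything running as the shared fedmsg account on the backend, not just Freshmaker. If the freshmaker backend daemon itself runs as fedmsg that is the minimum possible, but the `freshmaker/backend` role is not in this diff, so it cannot be confirmed here; otherwise a dedicated service user would be the least-privilege choice. Either way, state the reason next to the role call, e.g. `# keytab owned by fedmsg: the freshmaker backend runs under the fedmsg user (freshmaker/backend role)`. The play this hunk modifies is opened in the preceding hunk.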
@@ -1,73 +0,0 @@ -# create a new mirrorlist server -# NOTE: should be used with --limit most of the time -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=mirrorlist2:mirrorlist2-stg:!mirrorlist-host1plus.fedoraproject.org" - -- name: make the box be real - hosts: mirrorlist2:mirrorlist2-stg - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - pre_tasks: - - name: Install policycoreutils-python - package: name=policycoreutils-python state=present - - - name: Create /srv/web/ for all the goodies. - file: > - dest=/srv/web state=directory - owner=root group=root mode=0755 - tags: - - httpd - - httpd/website - - - name: check the selinux context of webdir - command: matchpathcon /srv/web - register: webdir - check_mode: no - changed_when: "1 != 1" - tags: - - config - - selinux - - httpd - - httpd/website - - - name: /srv/web file contexts - command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?" - when: webdir.stdout.find('httpd_sys_content_t') == -1 - tags: - - config - - selinux - - httpd - - httpd/website - - roles: - - base - - rkhunter - - nagios_client - - geoip - - hosts - - fas_client - - collectd/base - - mod_wsgi - - httpd/mod_ssl - - mirrormanager/mirrorlist2 - - sudo - - { role: openvpn/client, - when: env != "staging" } - - tasks: - # this is how you include other task lists - - import_tasks: "{{ tasks_path }}/yumrepos.yml" - - import_tasks: "{{ tasks_path }}/2fa_client.yml" - - import_tasks: "{{ tasks_path }}/motd.yml" - - - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" 
diff --git a/playbooks/groups/pagure-proxy.yml b/playbooks/groups/pagure-proxy.yml
new file mode 100644
index 0000000000..68a650b397
--- /dev/null
+++ b/playbooks/groups/pagure-proxy.yml
@@ -0,0 +1,31 @@
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=pagure-proxy"
+
+- name: make the boxen be real for real
+ hosts: pagure-proxy
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - rkhunter
+ - nagios_client
+ - hosts
+ - fas_client
+ - sudo
+ - collectd/base
+
+ tasks:
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+ - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+ - import_tasks: "{{ tasks_path }}/motd.yml"
+
+ - name: Enable ipv4_forward in sysctl
+ sysctl: name=net.ipv4.ip_forward value=1 state=present sysctl_set=yes reload=yes
+
+ handlers:
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
diff --git a/playbooks/groups/postgresql-server.yml b/playbooks/groups/postgresql-server.yml
index 78352cc77b..436c04814c 100644
--- a/playbooks/groups/postgresql-server.yml
+++ b/playbooks/groups/postgresql-server.yml
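Review bot: the `Enable ipv4_forward in sysctl` task makes the new host a router, but this playbook applies no rule limiting what it forwards and none of the listed roles is obviously a firewall role, so unless `base` ships restrictive FORWARD-chain rules the box will relay whatever traffic reaches it. Add a why-comment that names where the forwarding policy lives, e.g. `# host routes traffic for the proxy setup; FORWARD rules come from <role/template — fill in>`, and if no such rules exist deploy them in this same play so forwarding and its restrictions cannot drift apart. Whether `base` configures the firewall is not visible from this file.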
@@ -2,12 +2,12 @@ # NOTE: should be used with --limit most of the time # NOTE: most of these vars_path come from group_vars/backup_server or from hostvars -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org" +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org" # Once the instance exists, configure it. 
- name: configure postgresql server system - hosts: db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org + hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org user: root gather_facts: True diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 8474051fdd..90879c4dc4 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml @@ -36,6 +36,7 @@ - role: keytab/service service: compose host: "koji{{env_suffix}}.fedoraproject.org" + owner_group: releng-team - role: keytab/service service: mash host: "koji{{env_suffix}}.fedoraproject.org" diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml index ee20c955bd..6c309e1446 100644 --- a/playbooks/groups/virthost.yml +++ b/playbooks/groups/virthost.yml @@ -2,6 +2,8 @@ # NOTE: should be used with --limit most of the time # NOTE: most of these vars_path come from group_vars/backup_server or from hostvars +- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=virthost:bvirthost:buildvmhost:virthost-comm:colo-virt" + - name: make virthost server system hosts: virthost:bvirthost:buildvmhost:virthost-comm:colo-virt user: root 
diff --git a/playbooks/hosts/blockerbugs-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/blockerbugs-dev.cloud.fedoraproject.org.yml deleted file mode 100644 index a5d0b48d41..0000000000 --- a/playbooks/hosts/blockerbugs-dev.cloud.fedoraproject.org.yml +++ /dev/null @@ -1,39 +0,0 @@ -- name: check/create instance - hosts: blockerbugs-dev.cloud.fedoraproject.org - user: root - gather_facts: False - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - tasks: - - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" - - import_tasks: "{{ tasks_path }}/growroot_cloud.yml" - - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" - -- name: provision instance - hosts: blockerbugs-dev.cloud.fedoraproject.org - user: root - gather_facts: True - vars: - - tcp_ports: [22, 80, 443] - - udp_ports: [] - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - basessh - - tasks: - - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml" - - name: mount up blockerbugs-dev to /srv/persistent - mount: name=/srv/persistent src='LABEL=blockerbugs-dev' fstype=ext4 state=mounted - - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" diff --git a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml index c81f259413..437d3bbc8c 100644 --- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml 
@@ -866,7 +866,18 @@ - { user: puiterwijk, tenant: transient } - { user: puiterwijk, tenant: maintainertest } - { user: puiterwijk, tenant: aos-ci-cd } + - { user: mizdebsk, tenant: aos-ci-cd } + - { user: mizdebsk, tenant: cloudintern } + - { user: mizdebsk, tenant: cloudsig } + - { user: mizdebsk, tenant: copr } + - { user: mizdebsk, tenant: coprdev } - { user: mizdebsk, tenant: infrastructure } + - { user: mizdebsk, tenant: maintainertest } + - { user: mizdebsk, tenant: openshift } + - { user: mizdebsk, tenant: persistent } + - { user: mizdebsk, tenant: pythonbots } + - { user: mizdebsk, tenant: qa } + - { user: mizdebsk, tenant: scratch } - { user: mizdebsk, tenant: transient } - { user: clime, tenant: coprdev } - { user: clime, tenant: persistent } diff --git a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml index 6d1b6265ed..0c0fe030d9 100644 --- a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml @@ -33,32 +33,22 @@ - import_tasks: "{{ tasks_path }}/yumrepos.yml" - - dnf: name={{item}} state=present - with_items: - - git - - - name: create the code directory - file: dest=/srv/hubs state=directory owner=fedora group=fedora - - - name: git clone the code - git: repo=https://pagure.io/fedora-hubs.git - dest=/srv/hubs/fedora-hubs - version=develop - become_user: fedora - #ignore_errors: true - roles: - basessh - role: hubs - main_user: fedora + main_user: hubs hubs_url_hostname: "{{ ansible_fqdn }}" hubs_secret_key: demotestinghubsmachine - hubs_db_type: sqlite + hubs_db_type: postgresql hubs_dev_mode: false + hubs_conf_dir: /etc/fedora-hubs + hubs_var_dir: /var/lib/fedora-hubs hubs_ssl_cert: /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem hubs_ssl_key: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem + hubs_fas_username: "{{ fedoraDummyUser }}" + hubs_fas_password: "{{ fedoraDummyUserPassword }}" tasks: 
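Review bot: the eleven added `mizdebsk` entries give a single account membership in every tenant in this block, including `copr`, `coprdev`, `persistent` and `openshift`, and the hunk records no reason for the blanket grant, which is broader than the other entries visible here. Add a line above them naming the justification so the grant can be audited and trimmed later, e.g. `# mizdebsk: <role/ticket — placeholder> requires access to all tenants`. Whether these entries confer admin or plain member roles is not visible from the diff.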
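Review bot: `hubs_db_type` switches from `sqlite` to `postgresql`, but no `hubs_db_*` host, name or credential variables are added alongside it and no database role joins the `roles:` list, so the `hubs` role's defaults must already provide a working local database; a comment such as `# postgresql is set up by the hubs role itself (local socket) — confirm` would make that dependency explicit. The new `hubs_fas_password: "{{ fedoraDummyUserPassword }}"` hands a credential into the role; whichever role task renders it into the hubs config should carry `no_log: true` so the value never appears in play output. The play's `tasks:` section continues outside the hunk.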
@@ -71,7 +61,7 @@ - name: add more hubs workers service: name={{item}} enabled=yes state=started with_items: - - hubs-triage@3 - - hubs-triage@4 - - hubs-worker@3 - - hubs-worker@4 + - fedora-hubs-triage@3 + - fedora-hubs-triage@4 + - fedora-hubs-worker@3 + - fedora-hubs-worker@4 diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 4cac5a18ac..a253e3851b 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -545,10 +545,21 @@ - role: httpd/reverseproxy website: registry.fedoraproject.org - destname: registry + destname: registry-fedora # proxyurl in this one is totally ignored, because Docker. # (turns out it uses PATCH requests that Varnish cannot deal with) proxyurl: "{{ varnish_url }}" + tags: + - registry + + - role: httpd/reverseproxy + website: registry.centos.org + destname: registry-centos + # proxyurl in this one is totally ignored, because Docker. + # (turns out it uses PATCH requests that Varnish cannot deal with) + proxyurl: "{{ varnish_url }}" + tags: + - registry - role: httpd/reverseproxy website: candidate-registry.fedoraproject.org @@ -629,6 +640,13 @@ tags: - odcs + - role: httpd/reverseproxy + website: freshmaker.fedoraproject.org + destname: freshmaker + proxyurl: http://localhost:10067 + tags: + - freshmaker + - role: httpd/reverseproxy website: data-analysis.fedoraproject.org destname: awstats diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 6541f4c6de..2cf47850df 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -52,6 +52,7 @@ server_aliases: - stg.fedoraproject.org - localhost + - www.fedoraproject.org # This is for all the other domains we own # that redirect to https://fedoraproject.org 
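Review bot: changing `destname: registry` to `destname: registry-fedora` in the `registry.fedoraproject.org` entry changes the name of the generated reverse-proxy config, and nothing here removes the file deployed under the old name; if the `httpd/reverseproxy` role only writes files named after `destname` (not visible here), the stale `registry` config stays on the proxies and keeps matching the same site next to the new one. Add a cleanup task for the old destname in this play, or at least a comment `# renamed from destname 'registry'; the old config must be removed from the proxies` so the leftover is not silent. The same consideration applies to the new `registry-centos` entry if it is ever renamed.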
@@ -126,7 +127,6 @@ - www.fedoraproject.info - www.fedoraproject.net - www.fedoraproject.net.cn - - www.fedoraproject.org - www.fedoraproject.org.uk - www.fedoraproject.pe - www.fedoraproject.su @@ -568,6 +568,12 @@ sslonly: true cert_name: "{{wildcard_cert_name}}" + - role: httpd/website + name: registry.centos.org + server_aliases: [registry.stg.centos.org] + sslonly: true + cert_name: "{{wildcard_cert_name}}" + - role: httpd/website name: candidate-registry.fedoraproject.org server_aliases: [candidate-registry.stg.fedoraproject.org] @@ -784,6 +790,14 @@ sslonly: true server_aliases: [odcs.stg.fedoraproject.org] cert_name: "{{wildcard_cert_name}}" + tags: odcs + + - role: httpd/website + name: freshmaker.fedoraproject.org + sslonly: true + server_aliases: [freshmaker.stg.fedoraproject.org] + cert_name: "{{wildcard_cert_name}}" + tags: freshmaker # fedorahosted is retired. We have the site here so we can redirect it. diff --git a/playbooks/manual/rebuild/fedora-packages.yml b/playbooks/manual/rebuild/fedora-packages.yml index a0cefa4b7f..e56fe26e58 100644 --- a/playbooks/manual/rebuild/fedora-packages.yml +++ b/playbooks/manual/rebuild/fedora-packages.yml 
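Review bot: the new `registry.centos.org` website (`@@ -568,6 +568,12 @@`) uses `cert_name: "{{wildcard_cert_name}}"` like its fedoraproject.org neighbours, but a wildcard certificate for one domain cannot be valid for a centos.org name, so unless `wildcard_cert_name` resolves to a certificate that also covers `registry.centos.org` and `registry.stg.centos.org`, `sslonly: true` will present a name-mismatched certificate and clients (docker included) will refuse it. Point this entry at the certificate that actually covers the centos.org names, e.g. `cert_name: <centos-registry-cert — placeholder>`, or add a comment stating that the wildcard variable names a multi-SAN certificate including them. The value of `wildcard_cert_name` is not visible here.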
@@ -39,9 +39,7 @@ tasks: - name: Pull in the list of packages from pkgdb. Go get a snack. (2 hours) - command: /usr/bin/fcomm-index-packages --index-db-dest /var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --tagger-url https://apps.stg.fedoraproject.org/tagger --pkgdb-url https://admin.stg.fedoraproject.org/pkgdb --mdapi-url https://apps.stg.fedoraproject.org/mdapi --icons-url http://download01.phx2.fedoraproject.org/pub/alt/screenshots/ - async: 12000 - poll: 60 + command: /usr/bin/fcomm-index-packages --index-db-dest=/var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --mdapi-url=https://apps.stg.fedoraproject.org/mdapi --icons-url=https://dl.fedoraproject.org/pub/alt/screenshots --tagger-url=https://apps.stg.fedoraproject.org/tagger when: install_packages_indexer - name: Rebuild that search index on the side and install it. (just prod) @@ -58,9 +56,7 @@ tasks: - name: Pull in the list of packages from pkgdb. Go get a snack. (2 hours) - command: /usr/bin/fcomm-index-packages --index-db-dest /var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --tagger-url https://apps.fedoraproject.org/tagger --pkgdb-url https://admin.fedoraproject.org/pkgdb --mdapi-url https://apps.fedoraproject.org/mdapi --icons-url http://download01.phx2.fedoraproject.org/pub/alt/screenshots/ - async: 12000 - poll: 60 + command: /usr/bin/fcomm-index-packages --index-db-dest=/var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --mdapi-url=https://apps.fedoraproject.org/mdapi --icons-url=https://dl.fedoraproject.org/pub/alt/screenshots --tagger-url=https://apps.fedoraproject.org/tagger when: install_packages_indexer - name: leave maintenance mode 
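Review bot: dropping `async: 12000` / `poll: 60` turns a task whose own name says it takes about two hours into a plain synchronous `command`, so the run now depends on the SSH session to the indexer surviving the whole duration; the same removal is made in the second hunk (`@@ -58,9 +56,7 @@`). Unless `fcomm-index-packages` became fast with the `--pkgdb-url` option gone, keep `async: 12000` and `poll: 60` on both tasks, or add a comment explaining why a synchronous run is now acceptable. The switch of `--icons-url` to https is fine.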
@@ -74,8 +70,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: - - name: Make sure the perms are straight - file: path=/var/cache/fedoracommunity/packages/ state=directory owner=apache group=fedmsg mode="g+rw" recursive=yes + - name: Make sure the perms are straight + file: path=/var/cache/fedoracommunity/packages/ state=directory owner=apache group=fedmsg mode="g+rw" recurse=yes - name: Restart the cache worker service: name={{item}} state=started diff --git a/playbooks/manual/staging-sync/koji.yml b/playbooks/manual/staging-sync/koji.yml index 4ac9e96a18..d4172b61db 100644 --- a/playbooks/manual/staging-sync/koji.yml +++ b/playbooks/manual/staging-sync/koji.yml @@ -46,15 +46,14 @@ dest=/var/tmp/koji.dump.xz owner=postgres group=postgres - - command: unxz /var/tmp/koji.dump.xz - creates=/var/tmp/koji.dump # TODO -- stop replication and wipe db's - command: dropdb koji - command: createdb -O koji koji +# buildroot_listing is excluded from the sync to save some time - name: Import the prod db. This will take quite a while. Go get a snack! - shell: cat /var/tmp/koji.dump | psql koji + shell: xzcat /var/tmp/koji.dump.xz | sed '/COPY buildroot_listing /,/\./d' | psql koji - name: repoint all the prod rpm entries at the secondary volume (and other stuff) shell: psql koji < /var/lib/pgsql/koji-reset-staging.sql diff --git a/playbooks/manual/staging-sync/templates/koji-reset-staging.sql b/playbooks/manual/staging-sync/templates/koji-reset-staging.sql index f9b8d2f3ac..80367c53f9 100644 --- a/playbooks/manual/staging-sync/templates/koji-reset-staging.sql +++ b/playbooks/manual/staging-sync/templates/koji-reset-staging.sql 
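Review bot: the new import pipeline `xzcat /var/tmp/koji.dump.xz | sed '/COPY buildroot_listing /,/\./d' | psql koji` reports only psql's exit status, so a missing or truncated dump (xzcat failing mid-stream) leaves the staging database partially imported while the task reports success; prefix the command with `set -o pipefail;` (and set `executable: /bin/bash` if `/bin/sh` may not be bash). The sed range also ends at the first line containing any `.`, not only at the `\.` terminator of the COPY block, so if a row of `buildroot_listing` contains a dot the remainder of the block is fed to psql as SQL; anchor the end as `sed '/COPY buildroot_listing /,/^\\\.$/d'`. The play that holds these tasks starts outside the hunk.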
@@ -24,6 +24,11 @@ -- [unset kojihub ServerOffline setting] +-- wipe obsolete table that only causes problems with the sync, could +-- even be dropped entirely (together with imageinfo table). +select now() as time, 'wiping imageinfo listings' as msg; +delete from imageinfo_listing; + -- bump sequences (not strictly needed anymore) select now() as time, 'bumping sequences' as msg; alter sequence task_id_seq restart with 90000000; @@ -57,7 +62,7 @@ delete from rpminfo where build_id in (select id from build where state<>1); -- expire any active buildroots select now() as time, 'expiring active buildroots' as msg; -update buildroot set state=3, retire_event=get_event() where state=0; +update standard_buildroot set state=3, retire_event=get_event() where state=0; -- enable/disable hosts update host set enabled=False; @@ -75,6 +80,8 @@ update repo set state = 3 where state in (0, 1, 2); -- The koji hub is x86_64 and i386 and has createrepo ability {% for host in groups['koji-stg'] %} select now() as time, 'adding staging host {{ host }}' as msg; +delete from host where name='{{ host }}'; +delete from users where name='{{ host }}'; insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0); insert into host (user_id, name, arches) values ( (select id from users where name='{{host}}'), '{{host}}', 'i386 x86_64'); @@ -87,6 +94,8 @@ insert into host_channels (host_id, channel_id) values ( -- The buildvms are x86_64 and i386 and also have createrepo ability {% for host in groups['buildvm-stg'] %} select now() as time, 'adding staging host {{ host }}' as msg; +delete from host where name='{{ host }}'; +delete from users where name='{{ host }}'; insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0); insert into host (user_id, name, arches) values ( (select id from users where name='{{host}}'), '{{host}}', 'i386 x86_64'); 
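Review bot: the added `delete from host where name='{{ host }}';` runs before any cleanup of rows that reference that host — the `host_channels` inserts a few lines below show such references exist — so unless the schema declares ON DELETE CASCADE the delete fails on the foreign key and the whole sync script aborts at the first pre-existing host; the same applies to `delete from users` (referenced by `user_perms` further down), and the identical two-line block recurs in `@@ -87,6 +94,8 @@` and in the four host loops of the following hunks. Delete the dependent rows first, e.g. `delete from host_channels where host_id in (select id from host where name='{{ host }}');` ahead of the host delete, or state in a comment that these foreign keys cascade. Whether they cascade is not visible from the diff.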
@@ -100,6 +109,8 @@ insert into host_channels (host_id, channel_id) values ( {% for host in groups['buildvm-aarch64-stg'] %} select now() as time, 'adding staging host {{ host }}' as msg; +delete from host where name='{{ host }}'; +delete from users where name='{{ host }}'; insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0); insert into host (user_id, name, arches) values ( (select id from users where name='{{host}}'), '{{host}}', 'aarch64'); @@ -113,6 +124,8 @@ insert into host_channels (host_id, channel_id) values ( {% for host in groups['buildvm-ppc64-stg'] %} select now() as time, 'adding staging host {{ host }}' as msg; +delete from host where name='{{ host }}'; +delete from users where name='{{ host }}'; insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0); insert into host (user_id, name, arches) values ( (select id from users where name='{{host}}'), '{{host}}', 'ppc64'); @@ -126,6 +139,8 @@ insert into host_channels (host_id, channel_id) values ( {% for host in groups['buildvm-ppc64le-stg'] %} select now() as time, 'adding staging host {{ host }}' as msg; +delete from host where name='{{ host }}'; +delete from users where name='{{ host }}'; insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0); insert into host (user_id, name, arches) values ( (select id from users where name='{{host}}'), '{{host}}', 'ppc64le'); 
@@ -137,7 +152,7 @@ insert into host_channels (host_id, channel_id) values ( -- Add some people to be admins, only in staging. Feel free to grow this list.. -{% for username in ['modularity', 'mizdebsk', 'ralph', 'psabata', 'puiterwijk', 'jkaluza', 'fivaldi', 'mprahl'] %} +{% for username in ['modularity', 'mizdebsk', 'psabata', 'jkaluza', 'fivaldi', 'mprahl'] %} select now() as time, 'adding staging admin {{username}}' as msg; insert into user_perms (user_id, perm_id, active, creator_id) values ( (select id from users where name='{{username}}'), @@ -152,7 +167,7 @@ insert into user_perms (user_id, perm_id, active, creator_id) values ( ('hotness', 'hotness/hotness01.stg.phx2.fedoraproject.org'), ('containerbuild', 'osbs/osbs.stg.fedoraproject.org'), ('kojira', 'kojira/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG')] %} -update users set krb_principal='{{principal}}@STG.FEDORAPROJECT.ORG' where username='{{username}}'; +update users set krb_principal='{{principal}}@STG.FEDORAPROJECT.ORG' where name='{{username}}'; {% endfor %} update users set krb_principal=replace(krb_principal, '@FEDORAPROJECT.ORG', '@STG.FEDORAPROJECT.ORG'); diff --git a/playbooks/manual/upgrade/fedimg.yml b/playbooks/manual/upgrade/fedimg.yml index 6a171603f1..9f0cdcbf64 100644 --- a/playbooks/manual/upgrade/fedimg.yml +++ b/playbooks/manual/upgrade/fedimg.yml @@ -1,12 +1,10 @@ - name: push packages out hosts: fedimg:fedimg-stg user: root - vars_files: + vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - vars: - testing: False handlers: - import_tasks: "{{ handlers_path }}/restart_services.yml" 
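Review bot: removing `vars: testing: False` leaves `testing` without a default in this play, yet the tasks in the next hunk (`@@ -15,53 +13,18 @@`) still use `{%if testing%}` and `when: not testing` / `when: testing`; unless `testing` is now always supplied with `-e` or defined in the vars files, templating an undefined variable fails the play before any package is touched. If the caller is meant to choose explicitly, say so with a pre-task such as `- assert: { that: testing is defined, msg: "pass -e testing=true|false" }`; otherwise keep `testing: False` as the default. Whether the vars files define it is not visible here.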
@@ -15,53 +13,18 @@ command: yum clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%} check_mode: no - name: yum update fedimg packages from main repo - yum: name="python-fedimg" state=latest + yum: name="{{ item }}" state=latest + with_items: + - python-fedimg + - python2-libcloud + - python2-fedfind when: not testing - name: yum update fedimg packages from testing repo - yum: name="python-fedimg" state=latest enablerepo=infrastructure-tags-stg - when: testing - - name: yum update libcloud from testing repo - yum: name="python2-libcloud" state=latest enablerepo=epel-testing - when: not testing - -- name: update fedfind - hosts: fedimg:fedimg-stg - user: root - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - vars: - testing: False - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" - - tasks: - - name: yum update fedfind packages from main repo - yum: name="fedfind" state=latest - when: not testing - - name: yum update fedfind packages from testing repo - yum: name="fedfind" state=latest enablerepo=infrastructure-tags-stg - when: testing - -- name: update python2-fedfind - hosts: fedimg:fedimg-stg - user: root - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - vars: - testing: False - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" - - tasks: - - name: yum update fedfind packages from main repo - yum: name="python2-fedfind" state=latest - when: not testing - - name: yum update fedfind packages from testing repo - yum: name="python2-fedfind" state=latest enablerepo=infrastructure-tags-stg + yum: name="{{ item }}" state=latest enablerepo=infrastructure-tags-stg + with_items: + - python-fedimg + - python2-libcloud + - python2-fedfind when: testing - name: verify the backend and restart it 
diff --git a/playbooks/manual/upgrade/fedmsg.yml b/playbooks/manual/upgrade/fedmsg.yml index 56e4017831..68feebb2f3 100644 --- a/playbooks/manual/upgrade/fedmsg.yml +++ b/playbooks/manual/upgrade/fedmsg.yml @@ -40,16 +40,16 @@ command: yum clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%} check_mode: no - name: yum update fedmsg packages from the main repo - yum: name={{item}} state=latest + package: name={{item}} state=latest when: not testing with_items: "{{packages}}" - name: yum update fedmsg packages from testing repo - yum: name={{item}} state=latest enablerepo=infrastructure-tags-stg + package: name={{item}} state=latest enablerepo=infrastructure-tags-stg when: testing with_items: "{{packages}}" # Restart all the backend daemons - - include_tasks: ../restart-fedmsg-services.yml + #- import_tasks: "{{tasks_path}}../restart-fedmsg-services.yml" # Also restart the frontend web services - name: bounce apache diff --git a/playbooks/manual/upgrade/koschei.yml b/playbooks/manual/upgrade/koschei.yml index cf572309d6..44d002e789 100644 --- a/playbooks/manual/upgrade/koschei.yml +++ b/playbooks/manual/upgrade/koschei.yml @@ -62,7 +62,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml vars: fedora_repos: - - epel + - updates pre_tasks: - name: schedule nagios downtime nagios: action=downtime minutes=20 service=host host={{ inventory_hostname_short }}{{ env_suffix }} diff --git a/playbooks/manual/upgrade/packages.yml b/playbooks/manual/upgrade/packages.yml index 7e7c2479c3..7dfdbee10c 100644 --- a/playbooks/manual/upgrade/packages.yml +++ b/playbooks/manual/upgrade/packages.yml 
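Review bot: the backend-daemon restart is now commented out (`#- import_tasks: "{{tasks_path}}../restart-fedmsg-services.yml"`), so after the `package` tasks update fedmsg the long-running consumers keep executing the replaced code until something else restarts them — an upgrade that appears deployed but is not, which matters most when the update is a security fix. If the include path was the problem, note that the commented form is also missing a separator between `{{tasks_path}}` and `..`; either restore the relative include, `- import_tasks: ../restart-fedmsg-services.yml`, or add a comment stating that the restart is intentionally left to a named handler or a follow-up playbook. The apache bounce that follows starts outside the hunk.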
@@ -12,13 +12,13 @@ tasks: - name: clean all metadata {%if testing%}(with infrastructure-testing on){%endif%} - command: yum clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%} + command: dnf clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%} check_mode: no - - name: yum update fedora-packages packages from main repo - yum: name="fedora-packages" state=latest + - name: dnf update fedora-packages packages from main repo + dnf: name="fedora-packages" state=latest when: not testing - - name: yum update fedora-packages packages from testing repo - yum: name="fedora-packages" state=latest enablerepo=infrastructure-tags-stg + - name: dnf update fedora-packages packages from testing repo + dnf: name="fedora-packages" state=latest enablerepo=infrastructure-tags-stg when: testing - name: verify the config and restart it diff --git a/playbooks/openshift-apps/transtats.yml b/playbooks/openshift-apps/transtats.yml new file mode 100644 index 0000000000..237ca2839a --- /dev/null +++ b/playbooks/openshift-apps/transtats.yml @@ -0,0 +1,24 @@ +- name: make the app be real + hosts: os-masters-stg + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: openshift/project + app: transtats + description: transtats + appowners: + - suanand + - { role: openshift/object, app: transtats, template: secret.yml } + - { role: openshift/object, app: transtats, file: imagestream.yml } + - { role: openshift/object, app: transtats, file: buildconfig.yml } + - { role: openshift/start-build, app: transtats, name: transtats-build } + - { role: openshift/object, app: transtats, file: service.yml } + - { role: openshift/object, app: transtats, file: route.yml } + - { role: openshift/object, app: transtats, file: deploymentconfig.yml } + - { role: openshift/rollout, app: transtats, name: transtats-web } 
diff --git a/roles/abrt/faf-local/tasks/cron.yml b/roles/abrt/faf-local/tasks/cron.yml index 5cad1d4cae..29eaba1fe3 100644 --- a/roles/abrt/faf-local/tasks/cron.yml +++ b/roles/abrt/faf-local/tasks/cron.yml @@ -49,7 +49,6 @@ state: present when: not devel with_items: - - "25" - "26" - "27" @@ -63,6 +62,7 @@ when: not devel with_items: - "24" + - "25" - name: koops_to_xorg.py cron: @@ -82,7 +82,6 @@ state: present when: not devel with_items: - - "25" - "26" - "27" @@ -96,6 +95,7 @@ when: not devel with_items: - "24" + - "25" - name: update BZ bugs fedora cron: diff --git a/roles/abrt/faf/defaults/main.yml b/roles/abrt/faf/defaults/main.yml index 483de93023..969f3054b7 100644 --- a/roles/abrt/faf/defaults/main.yml +++ b/roles/abrt/faf/defaults/main.yml @@ -30,6 +30,7 @@ faf_migrate_db: true faf_cron_jobs: true faf_admin_mail: root@localhost +faf_from: no-reply@localhost faf_spool_dir: /var/spool/faf diff --git a/roles/abrt/faf/meta/.galaxy_install_info b/roles/abrt/faf/meta/.galaxy_install_info index 07e2295663..6d9514b460 100644 --- a/roles/abrt/faf/meta/.galaxy_install_info +++ b/roles/abrt/faf/meta/.galaxy_install_info @@ -1 +1 @@ -{install_date: 'Tue Jul 4 08:35:09 2017', version: ''} +{install_date: 'Wed Feb 7 13:30:30 2018', version: ''} diff --git a/roles/abrt/faf/meta/main.yml b/roles/abrt/faf/meta/main.yml index 18b616d6d8..865e1230d0 100644 --- a/roles/abrt/faf/meta/main.yml +++ b/roles/abrt/faf/meta/main.yml @@ -12,8 +12,8 @@ galaxy_info: - name: Fedora versions: - 25 - - 24 - - 23 + - 26 + - 27 categories: - web dependencies: [] diff --git a/roles/abrt/faf/tasks/celery.yml b/roles/abrt/faf/tasks/celery.yml index 7c729a5512..c86cf84386 100644 --- a/roles/abrt/faf/tasks/celery.yml +++ b/roles/abrt/faf/tasks/celery.yml @@ -5,7 +5,7 @@ - packages - name: install redis package - yum : name={{ item }} state=present + package: name={{ item }} state=present with_items: - redis - python-redis 
diff --git a/roles/abrt/faf/tasks/web.yml b/roles/abrt/faf/tasks/web.yml index 5a42615a51..b57497277c 100644 --- a/roles/abrt/faf/tasks/web.yml +++ b/roles/abrt/faf/tasks/web.yml @@ -8,7 +8,7 @@ when: not faf_web_on_root - name: install faf-webui packages - yum : name={{ item }} state=latest + package : name={{ item }} state=latest with_items: "{{ faf_web_packages }}" - import_tasks: celery.yml diff --git a/roles/abrt/faf/templates/etc-faf-faf.conf.j2 b/roles/abrt/faf/templates/etc-faf-faf.conf.j2 index 9dc8cfd8eb..e62012e2f4 100644 --- a/roles/abrt/faf/templates/etc-faf-faf.conf.j2 +++ b/roles/abrt/faf/templates/etc-faf-faf.conf.j2 @@ -20,7 +20,8 @@ Server = {{ smtp_server }} Port = {{ smtp_port }} Username = {{ smtp_username|default("", true) }} Password = {{ smtp_password|default("", true) }} -From = {{ faf_admin_mail }} +From = {{ faf_from }} + [uReport] # The directory that holds 'reports' and 'attachments' subdirectories Directory = {{ faf_spool_dir }} diff --git a/roles/abrt/retrace-local/defaults/main.yml b/roles/abrt/retrace-local/defaults/main.yml index cd32bde882..89b833be06 100644 --- a/roles/abrt/retrace-local/defaults/main.yml +++ b/roles/abrt/retrace-local/defaults/main.yml @@ -1,8 +1,8 @@ --- # List of fedora versions for reposync -rs_internal_fedora_vers: [25, 26, 27, rawhide] -rs_internal_fedora_vers_removed: [24] +rs_internal_fedora_vers: [26, 27, rawhide] +rs_internal_fedora_vers_removed: [24, 25] # List of architectures for reposync # armhfp disabled untill we get more space diff --git a/roles/abrt/retrace/meta/.galaxy_install_info b/roles/abrt/retrace/meta/.galaxy_install_info index 4e5f81968e..c754620b93 100644 --- a/roles/abrt/retrace/meta/.galaxy_install_info +++ b/roles/abrt/retrace/meta/.galaxy_install_info @@ -1 +1 @@ -{install_date: 'Tue Jul 4 08:34:40 2017', version: ''} +{install_date: 'Wed Feb 7 13:30:31 2018', version: ''} 
diff --git a/roles/abrt/retrace/meta/main.yml b/roles/abrt/retrace/meta/main.yml index dc9c449d10..a9ce491470 100644 --- a/roles/abrt/retrace/meta/main.yml +++ b/roles/abrt/retrace/meta/main.yml @@ -10,9 +10,9 @@ galaxy_info: - 7 - name: Fedora versions: - - 21 - - 22 - - 23 + - 26 + - 27 + - 25 categories: - system #dependencies: diff --git a/roles/abrt/retrace/tasks/install.yml b/roles/abrt/retrace/tasks/install.yml index 7acb10f471..44afdc5526 100644 --- a/roles/abrt/retrace/tasks/install.yml +++ b/roles/abrt/retrace/tasks/install.yml @@ -4,4 +4,4 @@ when: rs_force_reinstall - name: install retrace-server package - yum : name=retrace-server state=present + package: name=retrace-server state=present diff --git a/roles/abrt/retrace/tasks/usefafpkgs.yml b/roles/abrt/retrace/tasks/usefafpkgs.yml index 5a589db84b..458c4f25b5 100644 --- a/roles/abrt/retrace/tasks/usefafpkgs.yml +++ b/roles/abrt/retrace/tasks/usefafpkgs.yml @@ -18,11 +18,15 @@ - name: ACL for user retrace acl: path="{{ faf_spool_dir }}/lob" state=present recursive=yes entity=retrace etype=user permissions=rwX + async: 21600 + pool: 0 # for files/dirs created in future - name: default ACL for user retrace acl: path="{{ faf_spool_dir }}/lob" state=present recursive=yes default=yes entity=retrace etype=user permissions=rwX + async: 21600 + pool: 0 - name: check for hardlink dir stat: path={{ rs_faf_link_dir }} diff --git a/roles/anitya/frontend/templates/0_releasemonitoring.conf b/roles/anitya/frontend/templates/0_releasemonitoring.conf index e05414777f..047aacf35e 100644 --- a/roles/anitya/frontend/templates/0_releasemonitoring.conf +++ b/roles/anitya/frontend/templates/0_releasemonitoring.conf 
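Review bot: `pool: 0` on both ACL tasks in the `usefafpkgs.yml` hunk (`@@ -18,11 +18,15 @@`) is not an Ansible task keyword — the keyword is `poll` — and Ansible rejects unknown task attributes, so this file fails to load; change both occurrences to `poll: 0`. Note also that `async: 21600` with `poll: 0` detaches the task entirely, so `check for hardlink dir` and everything after it may run before the ACLs are in place; if later tasks depend on them, `register` the job and wait with `async_status` instead of fully detaching.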
@@ -9,7 +9,7 @@
SSLEngine on
SSLProtocol {{ ssl_protocols }}
SSLCipherSuite {{ ssl_ciphers }}
- Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+ Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert
SSLCertificateChainFile /etc/pki/tls/certs/release-monitoring.org.intermediate.cert
diff --git a/roles/badges/backend/files/edit-badge b/roles/badges/backend/files/edit-badge
index 2b9079c421..acfffb8951 100644
--- a/roles/badges/backend/files/edit-badge
+++ b/roles/badges/backend/files/edit-badge
@@ -27,12 +27,13 @@ def parse_args():
parser.add_argument('--description', default=None, help='Description..')
parser.add_argument('--criteria', default=None, help='Criteria link')
parser.add_argument('--image', default=None, help='Image link')
+ parser.add_argument('--tags', default=None, help='Badge Tags')
args = parser.parse_args()
if not args.badge:
print "You must specify a badge id."
sys.exit(1)
- if not args.name and not args.description and not args.criteria and not args.image:
- print "You must specify either name, description or criteria or image to edit."
+ if not args.name and not args.description and not args.criteria and not args.image and not args.tags:
+ print "You must specify either name, description or criteria, tags or image to edit."
sys.exit(1)
return args
@@ -51,7 +52,7 @@ def initialize():
return tahrir
-def main(tahrir, badge_id, name, description, criteria, image):
+def main(tahrir, badge_id, name, description, criteria, image, tags):
badge = tahrir.get_badge(badge_id)
if not badge:
@@ -75,6 +76,11 @@ def main(tahrir, badge_id, name, description, criteria, image):
if image:
badge.image = image
print "Setting image on %r to %r" % (badge_id, image)
+
+ if tags:
+ badge.tags = tags
+ print "Setting tags on %r to %r" % (badge_id, tags)
+
tahrir.session.commit()
transaction.commit()
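Review bot: The new `max-age=31536000` is the one-year minimum the HSTS preload list requires when `preload` is present, so the direction is right, but the same literal is now hand-edited in several places in this diff — here and in the batcave `infrastructure.fedoraproject.org.conf.j2` hunk further down — and they had already drifted once. A single Ansible variable rendered into each template (for example `{{ hsts_max_age }}`, a name to be defined in group_vars) would keep the sites from diverging again. The hunk otherwise changes nothing, so the enclosing VirtualHost block is outside it.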
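Review bot: `badge.tags = tags` in the third edit-badge hunk stores the raw `--tags` argument on the model without any parsing or validation; the other fields are free-form strings, but tags normally carry a delimiter, and if the tahrir `tags` column expects a particular separator or trailing delimiter a malformed value is accepted silently. The expected format should at least be documented in the argparse help (`help='Badge Tags'` says nothing about it) and, if the model's convention is known, checked before the assignment. The message added in the first hunk also reads awkwardly; `You must specify at least one of name, description, criteria, tags or image to edit.` says the same thing more clearly.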
@@ -82,4 +88,5 @@ def main(tahrir, badge_id, name, description, criteria, image):
if __name__ == '__main__':
args = parse_args()
tahrir = initialize()
- main(tahrir, args.badge, args.name, args.description, args.criteria, args.image)
+ main(tahrir, args.badge, args.name, args.description, args.criteria,
+ args.image, args.tags)
diff --git a/roles/base/files/syncHttpLogs.sh b/roles/base/files/syncHttpLogs.sh
index 7b3e0752f0..0e64b0b8d8 100644
--- a/roles/base/files/syncHttpLogs.sh
+++ b/roles/base/files/syncHttpLogs.sh
@@ -86,6 +86,7 @@ syncHttpLogs download03.phx2.fedoraproject.org
syncHttpLogs download04.phx2.fedoraproject.org
syncHttpLogs download05.phx2.fedoraproject.org
syncHttpLogs download-rdu01.vpn.fedoraproject.org
+syncHttpLogs download-ib01.vpn.fedoraproject.org
syncHttpLogs sundries01.phx2.fedoraproject.org
syncHttpLogs sundries02.phx2.fedoraproject.org
syncHttpLogs sundries01.stg.phx2.fedoraproject.org
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 406b4ec920..48d66facbd 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -108,12 +108,16 @@
- name: make sure hostname is set right on rhel7 hosts
hostname: name="{{inventory_hostname}}"
+#
+# We set builders root password in the koji_builder role, so do not set those here
+#
+
- name: set root passwd
user: name=root password={{ rootpw }} state=present
tags:
- rootpw
- base
- when: not (inventory_hostname.startswith('rawhide') or inventory_hostname.startswith('branched') or inventory_hostname.startswith('compose') or inventory_hostname.startswith('build') or inventory_hostname.startswith('arm') or inventory_hostname.startswith('bkernel') or inventory_hostname.startswith('koji01.stg') or inventory_hostname.startswith('aarch64') or inventory_hostname.startswith('s390') or inventory_hostname.startswith('fed-cloud09') or inventory_hostname.startswith('ppc8-04'))
+ when: not inventory_hostname.startswith(('build','bkernel','koji01.stg','s390','fed-cloud09'))
- name: add ansible root key
authorized_key: user=root key="{{ item }}"
diff --git a/roles/base/templates/ifcfg.j2 b/roles/base/templates/ifcfg.j2
index 966803bc56..9656c35e4d 100644
--- a/roles/base/templates/ifcfg.j2
+++ b/roles/base/templates/ifcfg.j2
@@ -36,3 +36,6 @@ IPV6_DEFAULTDEV={{item}}
IPV6_DEFAULTGW={{ hostvars[inventory_hostname][item + '_ipv6_gw'] }}
IPV6_MTU=1280
{% endif %}
+{% if hostvars[inventory_hostname][item + '_secondary_ip'] is defined %}
+IPADDR1="{{ hostvars[inventory_hostname][item + '_secondary_ip'] }}"
+{% endif %}
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 0e2f4178ce..9e1876ef80 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
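Review bot: The new `when:` drops six prefixes that the old condition excluded (`rawhide`, `branched`, `compose`, `arm`, `aarch64`, `ppc8-04`), so any host still matching one of them now gets root's password set from `rootpw` by the base role, while the added comment only explains the builder case. If those hosts are gone or are now named `build*`, one more line in the comment saying so would stop the next reader from re-adding them; if not, the tuple needs them back. Because two roles now manage the same account, the comment could also state which role is expected to run last, since whichever applies second wins.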
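Review bot: The ifcfg.j2 hunk writes `IPADDR1` but no matching `PREFIX1`/`NETMASK1`, so the secondary address's prefix length is left to whatever fallback the network scripts apply; if the secondary is meant to share the primary's prefix, a comment should say so, otherwise a `PREFIX1=` line driven by a companion hostvar (a `_secondary_prefix`-style name, to be defined alongside `_secondary_ip`) is needed. The value is also quoted (`IPADDR1="…"`) while the neighbouring `IPV6_DEFAULTGW={{ … }}` line is not; the template should use one form throughout.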
@@ -110,3 +110,16 @@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
+
+{% if nat_rules %}
+*nat
+:PREROUTING ACCEPT [0:]
+:INPUT ACCEPT [0:]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+{% for rule in nat_rules %}
+{{ rule }}
+{% endfor %}
+COMMIT
+{% endif %}
diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder
index 8ae5fdf096..51daa98bd8 100644
--- a/roles/base/templates/iptables/iptables.kojibuilder
+++ b/roles/base/templates/iptables/iptables.kojibuilder
@@ -91,6 +91,7 @@
# git on pagure,io
-A OUTPUT -p tcp -m tcp -d 140.211.169.204 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 152.19.134.147 --dport 443 -j ACCEPT
# admin.fedoraproject.org for fas (proyx(1)01 and proxy(1)10)
-A OUTPUT -p tcp -m tcp -d 10.5.126.8 --dport 80 -j ACCEPT
diff --git a/roles/basessh/files/syncHttpLogs.sh b/roles/basessh/files/syncHttpLogs.sh
index 7b3e0752f0..0e64b0b8d8 100644
--- a/roles/basessh/files/syncHttpLogs.sh
+++ b/roles/basessh/files/syncHttpLogs.sh
@@ -86,6 +86,7 @@ syncHttpLogs download03.phx2.fedoraproject.org
syncHttpLogs download04.phx2.fedoraproject.org
syncHttpLogs download05.phx2.fedoraproject.org
syncHttpLogs download-rdu01.vpn.fedoraproject.org
+syncHttpLogs download-ib01.vpn.fedoraproject.org
syncHttpLogs sundries01.phx2.fedoraproject.org
syncHttpLogs sundries02.phx2.fedoraproject.org
syncHttpLogs sundries01.stg.phx2.fedoraproject.org
diff --git a/roles/batcave/files/sync-rhn b/roles/batcave/files/sync-rhn
index a450aa9f7a..5ecececcde 100644
--- a/roles/batcave/files/sync-rhn
+++ b/roles/batcave/files/sync-rhn
@@ -1,3 +1,2 @@
-30 1 * * * root /mnt/fedora/app/fi-repo/rhel/rhel5/rhel5-sync > /dev/null
30 2 * * * root /mnt/fedora/app/fi-repo/rhel/rhel6/rhel6-sync > /dev/null
30 3 * * * root /mnt/fedora/app/fi-repo/rhel/rhel7/rhel7-sync > /dev/null
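Review bot: `:PREROUTING ACCEPT [0:]` and `:INPUT ACCEPT [0:]` have a malformed counter field; the form iptables-restore parses is `[packets:bytes]`, as the two lines below them (`[0:0]`) use, so both should be `:PREROUTING ACCEPT [0:0]` and `:INPUT ACCEPT [0:0]`. As far as I can tell the counter text is only parsed when the rules are restored with `--counters`, so this may load today and fail later when someone restores with counters. Separately, `{% if nat_rules %}` raises an undefined-variable error on every host that does not define `nat_rules` unless the role sets a default; if no default is added, `{% if nat_rules is defined and nat_rules %}` is the safer guard.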
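Review bot: The new `-A OUTPUT -p tcp -m tcp -d 152.19.134.147 --dport 443 -j ACCEPT` line in the iptables.kojibuilder hunk sits under the `# git on pagure,io` comment, but nothing says what 152.19.134.147 is; this file's convention is one comment per destination, and a builder egress allow-list is only auditable if each address is named. Add a comment above the line in the same style, e.g. `# <host this address serves> (https)` with the real host filled in, or extend the existing comment if it is in fact another pagure.io address. The unchanged comment also spells `pagure,io` with a comma; worth fixing while touching this block.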
diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml
index 2c220d9363..21efd7ab76 100644
--- a/roles/batcave/tasks/main.yml
+++ b/roles/batcave/tasks/main.yml
@@ -339,7 +339,8 @@
- config
when: inventory_hostname.startswith('batcave01')
#
-# Monday morning run a script to show all the packages we have in infra tags in koji.
+# Monday morning run a script to show all the packages we have in infra
+# tags in koji.
#
- name: Install infra-tags-report script
diff --git a/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2
index 72b5c6b9ec..0f4d2334f7 100644
--- a/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2
+++ b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2
@@ -114,7 +114,7 @@
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }}
SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }}
- Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+ Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
SSLHonorCipherOrder On
diff --git a/roles/bodhi2/backend/files/new-updates-sync b/roles/bodhi2/backend/files/new-updates-sync
index 142a735166..862541bc71 100755
--- a/roles/bodhi2/backend/files/new-updates-sync
+++ b/roles/bodhi2/backend/files/new-updates-sync
@@ -56,6 +56,9 @@ RELEASES = {'f27': {'topic': 'fedora',
'repos': {'updates': {
'from': 'f26-updates',
'ostrees': [{'ref': 'fedora/26/x86_64/updates/atomic-host',
+ 'dest': os.path.join(ATOMICDEST, '26')},
+ # Hack around for the fact that ostree on f25 doesn't know links
+ {'ref': 'fedora/26/x86_64/atomic-host',
'dest': os.path.join(ATOMICDEST, '26')}],
'to': [{'arches': ['x86_64', 'armhfp', 'source'],
'dest': os.path.join(FEDORADEST, '26')},
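Review bot: The ostree entry added in the new-updates-sync hunk has exactly the same `dest` (`os.path.join(ATOMICDEST, '26')`) as the `updates/atomic-host` ref directly above it, so whatever consumes the `ostrees` list (outside this hunk) now handles one destination twice; whether that is a harmless repeated sync or the second ref overwriting the first depends on that consumer and should be stated next to the entry. The `# Hack around …` comment also gives no removal condition, so `# TODO: drop this second ref once f25 is EOL` would make the cleanup findable later. The `RELEASES` literal this sits in begins before the hunk.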
diff --git a/roles/bodhi2/backend/tasks/main.yml b/roles/bodhi2/backend/tasks/main.yml
index 795ee43b92..294a9db791 100644
--- a/roles/bodhi2/backend/tasks/main.yml
+++ b/roles/bodhi2/backend/tasks/main.yml
@@ -320,9 +320,9 @@
- name: bodhi-check-policies cron job.
cron: name="bodhi-check-policies" hour="*/6" minute=0 user="apache"
- job="/usr/bin/bodhi-check-policies > /dev/null"
+ job="/usr/bin/bodhi-check-policies >& /dev/null"
cron_file=bodhi-check-policies-job
- when: inventory_hostname.startswith('bodhi-backend01') and env == "staging"
+ when: (inventory_hostname.startswith('bodhi-backend01') and env == "staging") or (inventory_hostname.startswith('bodhi-backend02') and env == "production")
tags:
- config
- bodhi
@@ -330,7 +330,7 @@
- name: bodhi-expire-overrides cron job.
cron: name="bodhi-expire-overrides" hour="*" minute=0 user="apache"
- job="/usr/bin/bodhi-expire-overrides /etc/bodhi/production.ini 2> /dev/null"
+ job="/usr/bin/bodhi-expire-overrides /etc/bodhi/production.ini 2>&1 | logger -t bodhi-expire-overrides"
cron_file=bodhi-expire-overrides-job
when: inventory_hostname.startswith('bodhi-backend02') and env == "production"
tags:
@@ -338,28 +338,14 @@
- bodhi
- cron
-- name: setup basic /etc/bodhi/ contents (staging)
- template: >
- src="{{ roles_path }}/bodhi2/base/templates/staging.ini.j2"
- dest="/etc/bodhi/production.ini"
- owner=apache
- group=apache
- mode=0600
- when: inventory_hostname.startswith('bodhi-backend') and env == 'staging'
- notify:
- - reload bodhi httpd
- tags:
- - config
- - bodhi
-
-- name: setup basic /etc/bodhi/ contents (production)
+- name: setup basic /etc/bodhi/ contents
template: >
src="{{ roles_path }}/bodhi2/base/templates/production.ini.j2"
dest="/etc/bodhi/production.ini"
owner=apache
group=apache
mode=0600
- when: inventory_hostname.startswith('bodhi-backend') and env == 'production'
+ when: inventory_hostname.startswith('bodhi-backend')
notify:
- reload bodhi httpd
tags:
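Review bot: The third hunk renders `production.ini.j2` onto staging backends as well as production ones, and the `bodhi2/base/tasks/main.yml` hunk that follows does the same for the frontends, so staging now receives whatever `{{ bodhi2CaptchaSecret }}` and the other environment-wide values in that template expand to, whereas the deleted staging template (later in this diff) used a separate `{{ bodhi2CaptchaSecretSTG }}`. Unless `bodhi2CaptchaSecret` is overridden per environment in group_vars, staging and production will share that secret; the same check applies to any other credential the merged template carries, and a short note on the task saying how per-environment values are supplied would settle it for the next reader. In the first hunk, `>& /dev/null` is a bash redirection that only works because `/bin/sh` is bash on these hosts; the second hunk already uses the portable `2>&1` form, so `> /dev/null 2>&1` would be consistent.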
diff --git a/roles/bodhi2/base/tasks/main.yml b/roles/bodhi2/base/tasks/main.yml
index 121525845f..2ebbb7e75e 100644
--- a/roles/bodhi2/base/tasks/main.yml
+++ b/roles/bodhi2/base/tasks/main.yml
@@ -19,14 +19,14 @@
- config
- bodhi
-- name: setup basic /etc/bodhi/ contents (staging)
+- name: setup basic /etc/bodhi/ contents
template: >
- src="staging.ini.j2"
+ src="production.ini.j2"
dest="/etc/bodhi/production.ini"
owner=bodhi
group=bodhi
mode=0600
- when: inventory_hostname.startswith('bodhi0') and env == 'staging'
+ when: inventory_hostname.startswith('bodhi0')
notify:
- reload bodhi httpd
tags:
@@ -43,20 +43,6 @@
- config
- bodhi
-- name: setup basic /etc/bodhi/ contents (production)
- template: >
- src="production.ini.j2"
- dest="/etc/bodhi/production.ini"
- owner=bodhi
- group=bodhi
- mode=0600
- when: inventory_hostname.startswith('bodhi0') and env == 'production'
- notify:
- - reload bodhi httpd
- tags:
- - config
- - bodhi
-
- name: Copy some fedmsg configuration of our own for fedmsg-hub
template: >
src={{item}}
diff --git a/roles/bodhi2/base/templates/production.ini.j2 b/roles/bodhi2/base/templates/production.ini.j2
index dd70eed050..c19ac06d62 100644
--- a/roles/bodhi2/base/templates/production.ini.j2
+++ b/roles/bodhi2/base/templates/production.ini.j2
@@ -1,3 +1,4 @@
+# The commented values in this config file represent the defaults.
[filter:proxy-prefix]
use = egg:PasteDeploy#prefix
prefix = /
@@ -7,138 +8,193 @@ scheme = https use = egg:bodhi-server filter-with = proxy-prefix -# Release status -# pre-beta enforces the 'Pre Beta' policy defined here: -# https://fedoraproject.org/wiki/Updates_Policy -f27.status = post_beta - -f27.post_beta.mandatory_days_in_testing = 7 -f27.post_beta.critpath.num_admin_approvals = 0 -f27.post_beta.critpath.min_karma = 2 -f27.post_beta.critpath.stable_after_days_without_negative_karma = 14 - -f27.pre_beta.mandatory_days_in_testing = 3 -f27.pre_beta.critpath.num_admin_approvals = 0 -f27.pre_beta.critpath.min_karma = 1 - -## -## Atomic OSTree support -## This will compose Atomic OSTrees during the push process using the fedmsg-atomic-composer -## https://github.com/fedora-infra/fedmsg-atomic-composer -## -compose_atomic_trees = true - ## ## Messages ## -# A notice to flash on the front page -frontpage_notice = +# The bodhi-approve-testing cron job will post this message as a comment from the bodhi user on +# updates that reach the required time in testing if they are not stable yet. Positional +# substitution is used, and the %d will be replaced with the time in testing required for the +# update. 
+# testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes -# A notice to flash on the New Update page -newupdate_notice = +# not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the Package Update Acceptance Criteria -testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes -not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the Package Update Acceptance Criteria -not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the EPEL Updates Policy -stablekarma_comment = This update has reached the stable karma threshold and will be pushed to the stable updates repository +# not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the EPEL Update Policy -testing_approval_msg_based_on_karma = This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes. -not_yet_tested_msg_based_on_karma = This update has not reached the stable karma threshold. +# Bodhi will post this comment on Updates that don't use autokarma when they reach the stable +# threshold. +# testing_approval_msg_based_on_karma = This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes. + +# The comment that Bodhi will post on updates when a user posts negative karma. +# disable_automatic_push_to_stable = Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe. # Libravatar - If this is true libravatar will work as normal. Otherwise, all # libravatar links will be replaced with the string "libravatar.org" so that # the tests can still pass. 
-libravatar_enabled = True +# libravatar_enabled = True + # Set this to true if you want to do federated dns libravatar lookup -libravatar_dns = False +# libravatar_dns = False + +# If libravatar_dns is True, prefer_ssl will define what gets handed to +# libravatar.libravatar_url()'s https setting. It may be set to True or False, but defaults to None, +# which is effectively False. +# prefer_ssl = # Set this to True in order to send fedmsg messages. +# fedmsg_enabled = False fedmsg_enabled = True - -# Captcha - if 'captcha.secret' is not None, then it will be used for comments -# captcha.secret must be 32 url-safe base64-encoded bytes -# you can generate afresh with >>> cryptography.fernet.Fernet.generate_key() +# Captcha - if 'captcha.secret' is set, then it will be used for comments. Comment it to turn it +# off. captcha.secret must be 32 url-safe base64-encoded bytes. +# You can generate one with >>> cryptography.fernet.Fernet.generate_key() +# captcha.secret = CHANGEME captcha.secret = {{ bodhi2CaptchaSecret }} -# Dimensions -captcha.image_width = 300 -captcha.image_height = 80 -# Any truetype font will do. -captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf -captcha.font_size = 36 -# Colors -captcha.font_color = #000000 -captcha.background_color = #ffffff -# In pixels -captcha.padding = 5 -# If a captcha sits around for this many seconds, it will stop working. 
-captcha.ttl = 300 -#datagrepper_url = http://localhost:5000 -datagrepper_url = https://apps.fedoraproject.org/datagrepper -badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands +# Dimensions +# captcha.image_width = 300 +# captcha.image_height = 80 + +# Any truetype font will do. +# /usr/share/fonts/liberation/LiberationMono-Regular.ttf lives in liberation-mono-fonts. +# /usr/share/fonts/pcaro-hermit/Hermit-medium.otf lives in pcaro-hermit-fonts package. +# captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf +# captcha.font_size = 36 + +# Colors +# captcha.font_color = #000000 +# captcha.background_color = #ffffff + +# In pixels +# captcha.padding = 5 + +# If a captcha sits around for this many seconds, it will stop working. +# captcha.ttl = 300 + + +# The URL for a datagrepper to use in various templates. 
+# datagrepper_url = https://apps.fedoraproject.org/datagrepper +datagrepper_url = https://apps{{env_suffix}}.fedoraproject.org/datagrepper +# badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands ## -## Wiki Test Cases +## Testing ## ## Query the wiki for test cases +# query_wiki_test_cases = False query_wiki_test_cases = True -wiki_url = https://fedoraproject.org/w/api.php -test_case_base_url = https://fedoraproject.org/wiki/ +# wiki_url = https://fedoraproject.org/w/api.php +# test_case_base_url = https://fedoraproject.org/wiki/ +wiki_url = https://{{env_suffix}}fedoraproject.org/w/api.php +test_case_base_url = https://{{env_suffix}}fedoraproject.org/wiki/ + +# URL of the resultsdb for integrating checks and stuff +# resultsdb_api_url = https://taskotron.fedoraproject.org/resultsdb_api/ +resultsdb_url = https://taskotron{{env_suffix}}.fedoraproject.org/resultsdb/ + +# Set this to True to enable gating based on policies enforced by Greenwave. 
If you set this to +# True, be sure to add a cron job to run the bodhi-check-policies CLI periodically. +# test_gating.required = False +test_gating.required = True + +# If this is set to a URL, a "More information about test gating" link will appear on update pages for users +# to click and learn more. +# test_gating.url = + +# The API url of Greenwave. +# greenwave_api_url = https://greenwave.fedoraproject.org/api/v1.0 +greenwave_api_url = https://greenwave-web-greenwave.app.os{{env_suffix}}.fedoraproject.org/api/v1.0 + +# The URL for waiverdb's API +# waiverdb_api_url = https://waiverdb-web-waiverdb.app.os.fedoraproject.org/api/v1.0 +waiverdb_api_url = https://waiverdb-web-waiverdb.app.os{{env_suffix}}.fedoraproject.org/api/v1.0 + +# An access token used to authenticate to waiverdb +# waiverdb.access_token = # Email domain to prepend usernames to -default_email_domain = fedoraproject.org +# default_email_domain = fedoraproject.org +default_email_domain = {{env_suffix}}fedoraproject.org # domain for generated message IDs -message_id_email_domain = admin.fedoraproject.org +# message_id_email_domain = admin.fedoraproject.org +message_id_email_domain = admin{{env_suffix}}.fedoraproject.org ## -## Mash settings +## Masher settings ## +releng_fedmsg_certname = shell-bodhi-backend01{{env_suffix}}.phx2.fedoraproject.org -# If defined, the bodhi masher will ensure that messages are signed with the given cert -{% if ansible_hostname == 'bodhi-backend01' %} -releng_fedmsg_certname = shell-bodhi-backend01.phx2.fedoraproject.org -{% else %} -releng_fedmsg_certname = shell-bodhi-backend03.phx2.fedoraproject.org -{% endif %} - -# The masher is a bodhi instance that is responsible for composing the update -# repositories, regenerating metrics, sending update notices, closing bugs, -# and other costly operations. To set an external masher, set the masher to -# the baseurl of the bodhi instance. If set to None, this bodhi instance -# will act as a masher as well. 
-#masher = None - -{% if 'backend' in inventory_hostname %} +# Where to initially mash repositories. You can use %(here)s to reference the location of this file. +# mash_dir = +{% if ansible_hostname.startswith('bodhi-backend') %} mash_dir = /mnt/koji/compose/updates/ -mash_stage_dir = /mnt/koji/compose/updates/ +{% else %} +# do not use on frontends as bodhi will check the mount and refuse to run without it. +#mash_dir = /mnt/koji/compose/updates/ {% endif %} -pungi.basepath = /etc/bodhi -pungi.conf.rpm = pungi.rpm.conf.j2 -pungi.conf.module = pungi.module.conf.j2 -pungi.labeltype = Update -pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler + +# The max number of mash threads running at the same time +# max_concurrent_mashes = 2 max_concurrent_mashes = 4 -## Our periodic jobs -#jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates -jobs = cache_release_data refresh_metrics approve_testing_updates +# Where to symlink the latest repos by their tag name. You can use %(here)s to reference the +# location of this file. +# mash_stage_dir = +{% if ansible_hostname.startswith('bodhi-backend') %} +mash_stage_dir = /mnt/koji/compose/updates/ +{% else %} +# do not use on frontends as bodhi will check the mount and refuse to run without it. +#mash_stage_dir = /mnt/koji/compose/updates/ +{% endif %} -## Comps configuration -comps_dir = /var/cache/bodhi/comps -comps_url = https://pagure.io/fedora-comps.git +# The following jinja2 template variables are available for use to customize the Pungi configs and +# variants files to the Release and Updates: +# +# * 'id': The id of the Release being mashed. +# * 'release': The Release being mashed. +# * 'request': The request being mashed. +# * 'updates': The Updates being mashed. +# +# NOTE: The jinja2 configuration for these templates replaces the {'s and }'s with ['s and ]'. 
+# e.g.: a block becomes [% if Package Update Acceptance Criteria -not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the EPEL Updates Policy -stablekarma_comment = This update has reached the stable karma threshold and will be pushed to the stable updates repository - -# Libravatar - If this is true libravatar will work as normal. Otherwise, all -# libravatar links will be replaced with the string "libravatar.org" so that -# the tests can still pass. -libravatar_enabled = True -# Set this to true if you want to do federated dns libravatar lookup -libravatar_dns = False - -# Set this to True in order to send fedmsg messages. -fedmsg_enabled = True - - -# Captcha - if 'captcha.secret' is not None, then it will be used for comments -# captcha.secret must be 32 url-safe base64-encoded bytes -# you can generate afresh with >>> cryptography.fernet.Fernet.generate_key() -captcha.secret = {{ bodhi2CaptchaSecretSTG }} -# Dimensions -captcha.image_width = 300 -captcha.image_height = 80 -# Any truetype font will do. -captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf -captcha.font_size = 36 -# Colors -captcha.font_color = #000000 -captcha.background_color = #ffffff -# In pixels -captcha.padding = 5 -# If a captcha sits around for this many seconds, it will stop working. 
-captcha.ttl = 300 - -#datagrepper_url = http://localhost:5000 -datagrepper_url = https://apps.stg.fedoraproject.org/datagrepper -badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands - - -## -## Wiki Test Cases -## - -## Query the wiki for test cases -query_wiki_test_cases = False -wiki_url = https://fedoraproject.org/w/api.php -test_case_base_url = https://fedoraproject.org/wiki/ - -# Email domain to prepend usernames to -default_email_domain = fedoraproject.org - -# domain for generated message IDs -message_id_email_domain = admin.stg.fedoraproject.org - -## -## Mash settings -## - -# If defined, the bodhi masher will ensure that messages are signed with the given cert -releng_fedmsg_certname = shell-bodhi-backend01.stg.phx2.fedoraproject.org - -# The masher is a bodhi instance that is responsible for composing the update -# repositories, regenerating metrics, sending update notices, closing bugs, -# and other costly operations. To set an external masher, set the masher to -# the baseurl of the bodhi instance. 
If set to None, this bodhi instance -# will act as a masher as well. -#masher = None - -{% if 'backend' in inventory_hostname %} -mash_dir = /mnt/koji/compose/updates/ -mash_stage_dir = /mnt/koji/compose/updates/ -{% endif %} -pungi.basepath = /etc/bodhi -pungi.conf.rpm = pungi.rpm.conf.j2 -pungi.conf.module = pungi.module.conf.j2 -pungi.labeltype = Update -pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler - -## Our periodic jobs -#jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates -jobs = cache_release_data refresh_metrics approve_testing_updates - -## Comps configuration -comps_dir = /var/cache/bodhi/comps -comps_url = https://pagure.io/fedora-comps.git - -## -## Mirror settings -## -file_url = http://download.fedoraproject.org/pub/fedora/linux/updates - -# {release}_{request}_master_repomd: This is used by the masher to determine when a -# primary architecture push has been synchronized to the master mirror for a given release and -# request. The masher will verify that the checksum of repomd.xml at the master URL matches the -# expected value, and will poll the URL until this test passes. Substitute release and request -# for each release id (replacing -'s with _'s) and request (stable, testing). Used for the -# arches listed in {release}_{version}_primary_arches when it is defined, else used for all -# arches. You must put two %s's in this setting - the first will be replaced with the release -# version and the second will be replaced with the architecture. 
-fedora_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml -fedora_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml -fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml -fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml -fedora_modular_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates/compose/Everything/%s/os/repodata/repomd.xml -fedora_modular_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates-testing/compose/Everything/%s/os/repodata/repomd.xml - -# {release}_{request}_alt_master_repomd: This is used by the masher to determine when a -# secondary architecture push has been synchronized to the master mirror for a given release and -# request. The masher will verify that the checksum of repomd.xml at the master URL matches the -# expected value, and will poll the URL until this test passes. Substitute release and request -# for each release id (replacing -'s with _'s) and request (stable, testing). Used for the -# arches not listed in {release}_{version}_primary_arches if it is defined. You must put two %s's -# in this setting - the first will be replaced with the release version and the second will be -# replaced with the architecture. 
-fedora_stable_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml -fedora_testing_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml - - -## The base url of this application -base_address = https://bodhi.stg.fedoraproject.org/ - - -## Primary architechures by release -## -## {release}_{version}_primary_arches: Releases that have alternative arches must define their -## primary arches here. Any arches found during mashing that are not present here are asssumed -## to be alternative arches. This is used during the wait_for_repo() step of the mash where -## Bodhi polls the master repo to find out whether the mash has made it to the repo or not. -## Bodhi looks for primary arches with the {release}_{request}_master_repomd setting above, and -## for alternative arches at the {release}_{request}_alt_master_repomd setting above. If this -## is not set, Bodhi will assume the release only has primary arches. -fedora_26_primary_arches = armhfp x86_64 - - -## Supported update types -update_types = bugfix enhancement security newpackage - -## Supported architechures -## -## To handle arch name changes between releases, you -## can also configure bodhi to support one arch *or* -## another. For example, EPEL5 mashes produce 'ppc' -## repos, where EPEL6 produces 'ppc64'. To handle this -## scenario, you can specify something like: -## -## arches = ppc/ppc64 -## -arches = i386 x86_64 armhfp - -## -## Email setting -## - -# Keep email disabled in staging so rube doesn't spam helpless packagers. -#smtp_server = bastion - -# The updates system itself. 
This email address is used in fetching Bugzilla -# information, as well as email notifications -bodhi_email = updates@fedoraproject.org -#bodhi_password = - -# The address that gets the requests -release_team_address = bodhiadmin-members@fedoraproject.org - -# The address to notify when security updates are initially added to bodhi -security_team = security_respons-members@fedoraproject.org - -# Public announcement lists -fedora_announce_list = package-announce@lists.fedoraproject.org -fedora_test_announce_list = test@lists.fedoraproject.org -fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org -fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org -fedora_modular_announce_list = package-announce@lists.fedoraproject.org -fedora_modular_test_announce_list = test@lists.fedoraproject.org - -# Superuser groups -admin_groups = proventesters security_respons bodhiadmin sysadmin-main - -# Users that we don't want to show up in the "leaderboard(s)" -stats_blacklist = bodhi anonymous autoqa taskotron - -# A list of non-person users -system_users = bodhi autoqa taskotron - -# The max length for an update title before we truncate it in the web ui -max_update_length_for_ui = 70 - -# The number of days used for calculating the 'top testers' metric -top_testers_timeframe = 900 - -# The email address of the proventesters -proventesters_email = proventesters-members@fedoraproject.org - -# Disabled for the initial release. -stacks_enabled = False - -# These are the default requirements that we apply to stacks, packages, and -# updates. Users have free-reign to override them for each kind of entity. At -# the end of the day, we only consider the requirements defined by single -# updates themselves when gating in the backend masher process. -site_requirements = dist.rpmdeplint dist.upgradepath -## Some day we'll have rpmgrill, and that will be cool. Ask tflink. 
-#site_requirements = depcheck upgradepath rpmgrill - -# Where do we send update announcements to ? -# These variables should be named per: Release.prefix_id.lower()_announce_list -#fedora_announce_list = -#fedora_test_announce_list = -#fedora_epel_announce_list = -#fedora_epel_test_announce_list = - -# Cache settings -dogpile.cache.backend = dogpile.cache.dbm -dogpile.cache.expiration_time = 100 -dogpile.cache.arguments.filename = /var/cache/bodhi/dogpile-cache.dbm - -# Exclude sending emails to these users -exclude_mail = autoqa taskotron - -## -## Buildsystem settings -## - -# What buildsystem do we want to use? For development, we'll use a fake -# buildsystem that always does what we tell it to do. For production, we'll -# want to use 'koji'. -buildsystem = koji - -# Koji's XML-RPC hub -koji_hub = https://koji.stg.fedoraproject.org/kojihub - -# Root url of the Koji instance to point to. No trailing slash -koji_url = http://koji.stg.fedoraproject.org - -# URL of where users should go to set up their notifications -fmn_url = https://apps.stg.fedoraproject.org/notifications/ - -# URL of the resultsdb for integrating checks and stuff -resultsdb_url = https://taskotron.stg.fedoraproject.org/resultsdb/ -resultsdb_api_url = https://taskotron.stg.fedoraproject.org/resultsdb_api/ - -# Set this to True to enable gating based on policies enforced by Greenwave. If you set this to True, -# be sure to add a cron job to run the bodhi-check-policies CLI periodically. -test_gating.required = True - -# If this is set to a URL, a "More information about test gating" link will appear on update pages for users -# to click and learn more. -# test_gating.url = - -# The API url of Greenwave. 
-greenwave_api_url = https://greenwave-web-greenwave.app.os.stg.fedoraproject.org/api/v1.0 - -fedmenu.url = https://apps.stg.fedoraproject.org/fedmenu -fedmenu.data_url = https://apps.stg.fedoraproject.org/js/data.js - -# Koji Krb stuff -krb_ccache = /tmp/krb5cc_%{uid} -krb_principal = bodhi/bodhi{{ env_suffix }}.fedoraproject.org@{{ ipa_realm }} -krb_keytab = /etc/krb5.bodhi_bodhi{{ env_suffix }}.fedoraproject.org.keytab - -## -## ACL system -## Choices are 'pkgdb', which will send a JSON query to the pkgdb_url below, -## 'pagure', which will query the pagure_url below, or 'dummy', which will -## always return guest credentials (used for local development). -## -acl_system = pagure - -## -## Package DB -## -pkgdb_url = https://admin.stg.fedoraproject.org/pkgdb - -## -## Pagure -## -pagure_url = https://src.stg.fedoraproject.org/ - -## -## Product Definition Center (PDC) -## -pdc_url = https://pdc.stg.fedoraproject.org/ - - -# We used to get our package tags from pkgdb, but they come from tagger now. -# https://github.com/fedora-infra/fedora-tagger/pull/74 -#pkgtags_url = https://apps.fedoraproject.org/tagger/api/v1/tag/sqlitebuildtags/ - -## -## Bug tracker settings -## -#bugtracker = bugzilla - -initial_bug_msg = %s has been submitted as an update to %s. %s -stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report. -testing_bug_msg = - If you want to test the update, you can install it with - $ su -c 'dnf --enablerepo=updates-testing update %s' - You can provide feedback for this update here: %s -testing_bug_epel_msg = - If you want to test the update, you can install it with - $ su -c 'yum --enablerepo=epel-testing update %s' - You can provide feedback for this update here: %s - -## -## Bugzilla settings. -## - -# The username/password for our bugzilla account comes -# from the bodhi_{email,password} fields. 
- -bz_server = https://partner-bugzilla.redhat.com/xmlrpc.cgi -#bz_cookie = - -# Bodhi will avoid touching bugs that are not against the following products -bz_products = Fedora,Fedora EPEL - -buglink = https://partner-bugzilla.redhat.com/show_bug.cgi?id=%s - -## -## Packages that should suggest a reboot -## -reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 kernel-xenU kernel-xen kernel-xen-guest glibc hal dbus - -## -## Critical Path Packages -## https://fedoraproject.org/wiki/Critical_path_package -## - -# You can allow Bodhi to query for critpath packages from the Fedora Package -# Database by setting this value to `pkgdb` or the Product Definition -# Center by setting this value to `pdc`. If it isn't set, it'll just use the -# hardcoded list below. -critpath.type = pdc - -# You can hardcode a list of critical path packages instead of using the PackageDB -critpath_pkgs = kernel - -# The number of admin approvals it takes to be able to push a critical path -# update to stable for a pending release. 
-critpath.num_admin_approvals = 0 - -# The net karma required to submit a critial path update to a pending release) -critpath.min_karma = 2 - -# Allow critpath to submit for stable after 2 weeks with no negative karma -critpath.stable_after_days_without_negative_karma = 14 - -# The minimum amount of time an update must spend in testing before -# it can reach the stable repository -fedora.mandatory_days_in_testing = 7 -fedora_epel.mandatory_days_in_testing = 14 -fedora_modular.mandatory_days_in_testing = 7 - -## -## Release status -## - -# Pre-beta enforces the Pre Beta policy defined here: -# https://fedoraproject.org/wiki/Updates_Policy -f27.status = pre_beta - -f27.post_beta.mandatory_days_in_testing = 7 -f27.post_beta.critpath.num_admin_approvals = 0 -f27.post_beta.critpath.min_karma = 2 -f27.post_beta.critpath.stable_after_days_without_negative_karma = 14 - -f27.pre_beta.mandatory_days_in_testing = 3 -f27.pre_beta.critpath.num_admin_approvals = 0 -f27.pre_beta.critpath.min_karma = 1 - -# The number of days worth of updates/comments to display -feeds.num_days_to_show = 7 -feeds.max_entries = 20 - -## -## Buildroot Override -## - -# Number of days before expiring overrides -buildroot_overrides.expire_after = 1 - -## -## Groups -## - -# FAS Groups that we want to pay attention to -# When a user logs in, bodhi will look for any of these groups and associate # -# them with the user. They will then appear as the users effective principals in -# the format "group:groupname" and can be used in Pyramid ACE's. 
-important_groups = proventesters provenpackager releng-team security_respons packager bodhiadmin virtmaint-sig kde-sig eclipse-sig infra-sig gnome-sig python-sig robotics-sig - -# Groups that can push updates for any package -admin_packager_groups = provenpackager releng-team security_respons - -# User must be a member of this group to submit updates -mandatory_packager_groups = packager - -## -## updateinfo.xml configuraiton -## -updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others. - -## -## Authentication & Authorization -## - -# pyramid.openid -openid.success_callback = bodhi.server.security:remember_me -openid.provider = https://id.stg.fedoraproject.org/openid/ -openid.url = https://id.stg.fedoraproject.org/ -openid_template = {username}.id.fedoraproject.org -openid.sreg_required = email - -# CORS allowed origins for cornice services -# This can be wide-open. read-only, we don't care as much about. -cors_origins_ro = * -# This should be more locked down to avoid cross-site request forgery. -cors_origins_rw = https://bodhi.stg.fedoraproject.org -cors_connect_src = https://*.fedoraproject.org/ wss://hub.fedoraproject.org:9939/ - - -## -## Pyramid settings -## -pyramid.reload_templates = false -pyramid.debug_authorization = false -pyramid.debug_notfound = false -pyramid.debug_routematch = false -pyramid.default_locale_name = en - -pyramid.includes = - pyramid_tm - -debugtoolbar.hosts = 127.0.0.1 ::1 - -## -## Database -## -sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@pgbdr.stg.phx2.fedoraproject.org/bodhi2 - -## -## Templates -## -mako.directories = bodhi:server/templates - -## -## Authentication & Sessions -## - -authtkt.secret = {{ bodhi2AuthTktSTG }} -session.secret = {{ bodhi2SessionSecretSTG }} -authtkt.secure = true -# How long should an authorization ticket be valid for, in seconds? Defaults to one day. 
-authtkt.timeout = 1209600 - -# pyramid_beaker -session.type = file -session.data_dir = /var/cache/bodhi/sessions/data -session.lock_dir = /var/cache/bodhi/sessions/lock -session.key = {{ bodhi2SessionKeySTG }} -session.cookie_on_exception = true -# Tell the browser to only send the cookie over TLS -session.secure = true -# Create a cookie that is only valid for one day -session.timeout = 86400 -cache.regions = default_term, second, short_term, long_term -cache.type = memory -cache.second.expire = 1 -cache.short_term.expire = 60 -cache.default_term.expire = 300 -cache.long_term.expire = 3600 - -[server:main] -use = egg:waitress#main -host = 0.0.0.0 -port = 6543 - - -[pshell] -m = bodhi.server.models -t = transaction - -# Begin logging configuration - -[loggers] -keys = root, bodhi, sqlalchemy - -[handlers] -keys = console - -[formatters] -keys = generic - -[logger_root] -level = INFO -handlers = console - -[logger_bodhi] -level = DEBUG -handlers = -qualname = bodhi - -[logger_sqlalchemy] -level = WARN -handlers = -qualname = sqlalchemy.engine -# "level = INFO" logs SQL queries. -# "level = DEBUG" logs SQL queries and results. -# "level = WARN" logs neither. (Recommended for production systems.) - -[handler_console] -class = StreamHandler -args = (sys.stderr,) -level = NOTSET -formatter = generic - -[formatter_generic] -format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s - -# End logging configuration diff --git a/roles/copr/backend/tasks/mount_fs.yml b/roles/copr/backend/tasks/mount_fs.yml index 3e3cbcb248..bbd1411dc7 100644 --- a/roles/copr/backend/tasks/mount_fs.yml +++ b/roles/copr/backend/tasks/mount_fs.yml @@ -3,7 +3,6 @@ - name: mount up disk of copr repo mount: name=/var/lib/copr/public_html src='LABEL=copr-repo' fstype=ext4 state=mounted - when: env != "staging" - name: mount /tmp/ mount: name=/tmp src='tmpfs' fstype=tmpfs state=mounted 
diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index b20e2043a4..b708a34dd7 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -16,11 +16,7 @@ tags: - packages -- name: ensure python2-flask-whooshee is latest - dnf: state=latest name=python2-flask-whooshee - tags: - - packages - + # we install python-alembic because https://bugzilla.redhat.com/show_bug.cgi?id=1536058 - name: install additional pkgs for copr-frontend dnf: state=present pkg={{ item }} with_items: @@ -28,6 +24,7 @@ - "mod_ssl" - redis - pxz + - python-alembic tags: - packages @@ -60,12 +57,12 @@ - import_tasks: "psql_setup.yml" -#- name: upgrade db to head -# command: alembic upgrade head -# become: yes -# become_user: copr-fe -# args: -# chdir: /usr/share/copr/coprs_frontend/ +- name: upgrade db to head + command: alembic upgrade head + become: yes + become_user: copr-fe + args: + chdir: /usr/share/copr/coprs_frontend/ - name: set up admins command: ./manage.py alter_user --admin {{ item }} diff --git a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 index 4b79dc48ad..18643d9c97 100644 --- a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 +++ b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 @@ -4,7 +4,7 @@ # Use secure TLSv1.1 and TLSv1.2 ciphers SSLCipherSuite {{ ssl_ciphers }} SSLHonorCipherOrder on - Header always add Strict-Transport-Security "max-age=15768000; preload" + Header always add Strict-Transport-Security "max-age=31536000; preload" SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key 
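Review bot: `command: alembic upgrade head` in the third hunk has no `changed_when`, so Ansible reports the task as changed on every run even when the schema is already at head; register the result and derive `changed_when` from its output (alembic prints a `Running upgrade` line only when it actually migrates), or use `changed_when: false` if reporting is not needed. Because the task is now unconditional, every run of the frontend playbook applies whatever migrations the installed package ships; gating it behind a variable, as `freshmaker_migrate_db` does elsewhere in this same commit, would make that an explicit operator decision. The `# we install python-alembic because …` comment added in the first hunk sits where the removed whooshee task was, two hunks away from the `- python-alembic` item it explains; move it directly above that item.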
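Review bot: The HSTS header now satisfies the one-year minimum of the preload list but still lacks `includeSubDomains`, which preload submission also requires, so the `preload` token on this line has no effect as written; the full form would be `Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`, to be added only after confirming every subdomain of copr.fedorainfracloud.org is served over TLS. The identical line is changed again in the second hunk of this file (on the next page line); the two vhosts should share the header via a common snippet so they cannot drift.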
@@ -48,7 +48,7 @@ # Use secure TLSv1.1 and TLSv1.2 ciphers SSLCipherSuite {{ ssl_ciphers }} SSLHonorCipherOrder on - Header always add Strict-Transport-Security "max-age=15768000; preload" + Header always add Strict-Transport-Security "max-age=31536000; preload" SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org index 250a3b040b..6253bcb375 100644 --- a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org +++ b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org @@ -202,6 +202,11 @@ subnet 10.5.129.0 netmask 255.255.255.0 { option routers 10.5.129.254; option log-servers 10.5.126.29; + range 10.5.129.200 10.5.129.209; + next-server 10.5.126.41; + filename "/uefi/grubaa64.efi"; + + host ppc8-01 { hardware ethernet 40:f2:e9:5d:39:43; fixed-address 10.5.129.20; @@ -235,7 +240,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.101; next-server 10.5.126.41; option host-name "aarch64-c01n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c02n1 { @@ -243,7 +248,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.102; next-server 10.5.126.41; option host-name "aarch64-c02n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c03n1 { @@ -251,7 +256,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.103; next-server 10.5.126.41; option host-name "aarch64-c03n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c04n1 { @@ -259,7 +264,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.104; next-server 10.5.126.41; option host-name "aarch64-c04n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c05n1 { 
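Review bot: The new `range 10.5.129.200 10.5.129.209;` in the first dhcpd hunk turns a subnet that, as far as the visible hunks show, held only `host` entries with `fixed-address` into one that also hands out dynamic leases, and the subnet-level `next-server` / `filename "/uefi/grubaa64.efi"` means any unregistered device on 10.5.129.0/24 receives an address plus UEFI network-boot parameters. If the range exists only to enrol nodes before their `host` entries are written, consider `deny unknown-clients;` on a `pool` holding the range or a `class` keyed on the expected hardware address prefix, and a comment on the range line stating its purpose, e.g. `# provisioning pool for aarch64 nodes that do not yet have a host entry`. The subnet-level `filename` also duplicates the per-host `filename` lines rewritten throughout this file; if the subnet default is intended, the per-host copies could be dropped instead. The enclosing `subnet 10.5.129.0` block starts before this hunk.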
@@ -267,7 +272,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.105; next-server 10.5.126.41; option host-name "aarch64-c05n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c06n1 { @@ -275,7 +280,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.106; next-server 10.5.126.41; option host-name "aarch64-c06n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c07n1 { @@ -283,7 +288,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.107; next-server 10.5.126.41; option host-name "aarch64-c07n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c08n1 { @@ -291,15 +296,15 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.108; next-server 10.5.126.41; option host-name "aarch64-c08n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c09n1 { - hardware ethernet 14:58:D0:58:E5:B2; + hardware ethernet 14:58:D0:58:A5:52; fixed-address 10.5.129.109; next-server 10.5.126.41; option host-name "aarch64-c09n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c10n1 { @@ -307,7 +312,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.110; next-server 10.5.126.41; option host-name "aarch64-c10n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c11n1 { @@ -315,7 +320,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.111; next-server 10.5.126.41; option host-name "aarch64-c11n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c12n1 { @@ -323,7 +328,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.112; next-server 10.5.126.41; option host-name "aarch64-c12n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c13n1 { 
@@ -331,15 +336,15 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.113; next-server 10.5.126.41; option host-name "aarch64-c13n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c14n1 { - hardware ethernet 14:58:D0:58:75:32; + hardware ethernet 14:58:D0:58:65:E2; fixed-address 10.5.129.114; next-server 10.5.126.41; option host-name "aarch64-c14n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c15n1 { @@ -347,7 +352,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.115; next-server 10.5.126.41; option host-name "aarch64-c15n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c16n1 { @@ -355,15 +360,15 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.116; next-server 10.5.126.41; option host-name "aarch64-c16n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c17n1 { - hardware ethernet 14:58:D0:58:C4:F2; + hardware ethernet 14:58:d0:58:e5:32; fixed-address 10.5.129.117; next-server 10.5.126.41; option host-name "aarch64-c17n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c18n1 { @@ -371,7 +376,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.118; next-server 10.5.126.41; option host-name "aarch64-c18n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c19n1 { @@ -379,7 +384,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.119; next-server 10.5.126.41; option host-name "aarch64-c19n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c20n1 { @@ -387,7 +392,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.120; next-server 10.5.126.41; option host-name "aarch64-c20n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c21n1 { 
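Review bot: `hardware ethernet 14:58:d0:58:e5:32;` for aarch64-c17n1 is written in lowercase hex while every other MAC in the file, including the c09n1 and c14n1 updates in the earlier hunks, is uppercase; dhcpd accepts either, but one consistent case keeps grep-based audits of this file reliable: `hardware ethernet 14:58:D0:58:E5:32;`.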
@@ -395,7 +400,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.121; next-server 10.5.126.41; option host-name "aarch64-c21n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c22n1 { @@ -403,7 +408,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.122; next-server 10.5.126.41; option host-name "aarch64-c22n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c23n1 { @@ -411,7 +416,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.123; next-server 10.5.126.41; option host-name "aarch64-c23n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c24n1 { @@ -419,7 +424,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.124; next-server 10.5.126.41; option host-name "aarch64-c24n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-c25n1 { @@ -427,7 +432,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 { fixed-address 10.5.129.125; next-server 10.5.126.41; option host-name "aarch64-c25n1"; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } } @@ -1777,7 +1782,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.70; option host-name "compose-aarch64-01"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-02a { @@ -1785,7 +1790,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.75; option host-name "aarch64-02a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-03a { @@ -1793,7 +1798,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.80; option host-name "aarch64-03a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-04a { 
@@ -1801,7 +1806,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.85; option host-name "aarch64-04a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-05a { @@ -1809,7 +1814,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.150; option host-name "aarch64-05a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-06a { @@ -1817,7 +1822,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.155; option host-name "aarch64-06a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-07a { @@ -1825,7 +1830,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.160; option host-name "aarch64-07a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-08a { @@ -1833,7 +1838,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.165; option host-name "aarch64-08a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-09a { @@ -1841,7 +1846,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.170; option host-name "aarch64-09a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-10a { @@ -1849,7 +1854,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.175; option host-name "aarch64-10a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-11a { @@ -1857,7 +1862,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.180; option host-name "aarch64-11a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-12a { 
@@ -1865,7 +1870,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.185; option host-name "aarch64-12a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-13a { @@ -1873,7 +1878,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.190; option host-name "aarch64-13a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-14a { @@ -1881,7 +1886,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.195; option host-name "aarch64-14a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } host aarch64-15a { @@ -1889,7 +1894,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 { fixed-address 10.5.78.200; option host-name "aarch64-15a"; next-server 10.5.126.41; - filename "grubaa64.efi"; + filename "/uefi/grubaa64.efi"; } } diff --git a/roles/distgit/files/robots-pkgs.txt b/roles/distgit/files/robots-pkgs.txt new file mode 100644 index 0000000000..1f53798bb4 --- /dev/null +++ b/roles/distgit/files/robots-pkgs.txt @@ -0,0 +1,2 @@ +User-agent: * +Disallow: / diff --git a/roles/distgit/files/robots-src.txt b/roles/distgit/files/robots-src.txt new file mode 100644 index 0000000000..437658ade1 --- /dev/null +++ b/roles/distgit/files/robots-src.txt @@ -0,0 +1,8 @@ +User-agent: * +Disallow: /cgit/ + +User-agent: * +Disallow: /git/ + +User-agent: * +Disallow: /repo/ diff --git a/roles/distgit/pagure/templates/pagure-sync-bugzilla.py.j2 b/roles/distgit/pagure/templates/pagure-sync-bugzilla.py.j2 index 17893492c7..0a55a86992 100644 --- a/roles/distgit/pagure/templates/pagure-sync-bugzilla.py.j2 +++ b/roles/distgit/pagure/templates/pagure-sync-bugzilla.py.j2 @@ -96,8 +96,6 @@ BUGZILLA_OVERRIDE_REPO = 'releng/fedora-scm-requests' NOTIFYEMAIL = [ 'kevin@fedoraproject.org', 'pingou@fedoraproject.org', - 'ralph@fedoraproject.org', - 'mprahl@fedoraproject.org', ] VERBOSE = False DRYRUN = False 
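Review bot: robots-src.txt repeats `User-agent: *` three times with one `Disallow` each; the robots exclusion convention uses a single group per user-agent and several crawlers honour only the first matching group, so for those only `/cgit/` would be excluded. Put the three rules under one header: `User-agent: *` followed by `Disallow: /cgit/`, `Disallow: /git/`, `Disallow: /repo/`. A robots file is advisory only; it keeps well-behaved crawlers off these paths but does not restrict access, so it is not a substitute for the httpd access control on them.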
diff --git a/roles/distgit/pagure/templates/z_pagure.conf b/roles/distgit/pagure/templates/z_pagure.conf index 64ae6d4571..4c390130ad 100644 --- a/roles/distgit/pagure/templates/z_pagure.conf +++ b/roles/distgit/pagure/templates/z_pagure.conf @@ -11,7 +11,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di # SSLEngine on # SSLProtocol all -SSLv2 -SSLv3 # # Use secure TLSv1.1 and TLSv1.2 ciphers -# Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" +# Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert # SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index ac3972171b..9d8c949bf0 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -114,6 +114,14 @@ tags: - distgit +- name: Install robots.txt files + copy: src={{item}} dest=/var/www/{{item}} + with_items: + - robots-pkgs.txt + - robots-src.txt + tags: + - distgit + - name: install the DistGit related httpd config copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf notify: diff --git a/roles/distgit/templates/lookaside-upload.conf b/roles/distgit/templates/lookaside-upload.conf index eab5f169f1..dc2b8826c1 100644 --- a/roles/distgit/templates/lookaside-upload.conf +++ b/roles/distgit/templates/lookaside-upload.conf 
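Review bot: The line being updated is inside a commented-out block (`# Header always add Strict-Transport-Security …`), so this vhost still sends no HSTS header and the new max-age has no effect. If HSTS for pagure.io is emitted elsewhere, delete the dead block rather than keeping it in sync by hand; otherwise uncomment the directive. The commented configuration this line belongs to starts before the hunk.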
@@ -12,12 +12,32 @@ SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin +Alias /robots.txt /var/www/robots-src.txt + + Require all granted + + ServerName pkgs{{ env_suffix }}.fedoraproject.org - #Redirect "/" "https://src{{ env_suffix }}.fedoraproject.org/" - # This is temporary for fixing Kojid because of firewall rules + #RewriteCond expr "! -R '192.168.0.0/16'" + #RewriteCond expr "! -R '10.0.0.0/8'" + #RewriteRule ^(.*)$ https://src.fedoraproject.org/$1 [L,R] Alias /repo/ /srv/cache/lookaside/ + + Require ip 127.0.0.1 + Require ip ::1 + Require ip 10.0.0.0/8 + Require ip 192.168.0.0/16 + + + CustomLog "logs/pkgs-access.log" combined + ErrorLog "logs/pkgs-error.log" + Alias /robots.txt /var/www/robots-pkgs.txt + + Require all granted + + RewriteEngine on RewriteRule "^/$" "https://src{{ env_suffix }}.fedoraproject.org/" RewriteRule "^/login/$" "https://src{{ env_suffix }}.fedoraproject.org/login/" diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2 index bd8801ad5c..c0853eb9ae 100644 --- a/roles/fas_server/templates/fas.cfg.j2 +++ b/roles/fas_server/templates/fas.cfg.j2 
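Review bot: The container directives around the new `Require` lines did not survive this rendering, so it cannot be confirmed from the hunk that `Require ip 10.0.0.0/8` and `Require ip 192.168.0.0/16` are scoped to the `/repo/` alias rather than to the whole `pkgs{{ env_suffix }}` vhost; please check the enclosing `<Location>`/`<Directory>` block. `Require ip` decides on the TCP peer address, so if this vhost sits behind a reverse proxy the check is made against the proxy's address unless mod_remoteip is configured, and if it is reached directly the two private ranges admit every internal host, not only the build machines. The three commented-out `RewriteCond`/`RewriteRule` lines replace a previously commented-out `Redirect` and are still dead config; either enable them or drop them and keep one comment saying why the root redirect is off. The `<VirtualHost>` this hunk edits starts before it.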
@@ -76,9 +76,9 @@ ipa_sync_certfile = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' # Usernames that are unavailable for fas allocation {% if env == "staging" %} -username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% else %} -username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% endif %} email_domain_blacklist = "{{ fas_blocked_emails }}" diff --git a/roles/fedmsg/base/templates/ssl.py.j2 b/roles/fedmsg/base/templates/ssl.py.j2 index bbd338fdcd..d94fda8e5f 100644 --- a/roles/fedmsg/base/templates/ssl.py.j2 +++ b/roles/fedmsg/base/templates/ssl.py.j2 @@ -4,8 +4,10 @@ config = dict( ssldir="/etc/pki/fedmsg", {% if env == 'staging' %} + ca_cert_location="https://stg.fedoraproject.org/fedmsg/ca.crt", crl_location="https://stg.fedoraproject.org/fedmsg/crl.pem", {% else %} + ca_cert_location="https://fedoraproject.org/fedmsg/ca.crt", crl_location="https://fedoraproject.org/fedmsg/crl.pem", {% endif %} crl_cache="/var/run/fedmsg/crl.pem", diff --git a/roles/fedora-web/registry/files/passwd-staging b/roles/fedora-web/registry/files/passwd-staging index 90e491f810..fa402e79a6 100644 --- a/roles/fedora-web/registry/files/passwd-staging 
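Review bot: The staging and production `username_blacklist` strings are near-identical copies (staging differs only by `fas_sync`), and this change had to be applied to both by hand inside the `{% if env == "staging" %}` / `{% else %}` branches; factor the common list into a single Jinja variable and append the staging-only entry in the staging branch so the two lists cannot drift apart on the next addition.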
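Review bot: `ca_cert_location` is an https URL, so if fedmsg fetches the CA certificate at runtime the trust anchor for message-signature validation depends on the web-PKI trust of the site serving it rather than on a file this role manages; the config already sets `ssldir="/etc/pki/fedmsg"`, so consider pointing `ca_cert_location` at a locally installed copy (if the key accepts a path) and keeping only `crl_location` remote. A one-line comment above the `{% if env == 'staging' %}` explaining why the CA cert and CRL are fetched from the website would also help the next reader. The `config = dict(` literal starts before this hunk.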
+++ b/roles/fedora-web/registry/files/passwd-staging
@@ -1 +1,2 @@
-/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora Project/CN=docker-registry-internal-stg:xxj31ZMTZzkVA
+/C=US/ST=North Carolina/L=Raleigh/O=Fedora Project/OU=INTERNAL certificates/CN=Fedora STAGING registry push:xxj31ZMTZzkVA
+/C=US/ST=North Carolina/L=Raleigh/O=Fedora Project/OU=INTERNAL certificates/CN=CentOS STAGING registry push:xxj31ZMTZzkVA
diff --git a/roles/freshmaker/backend/defaults/main.yml b/roles/freshmaker/backend/defaults/main.yml
new file mode 100644
index 0000000000..1adc701cc4
--- /dev/null
+++ b/roles/freshmaker/backend/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+freshmaker_upgrade: False
+freshmaker_migrate_db: False
diff --git a/roles/freshmaker/backend/meta/main.yml b/roles/freshmaker/backend/meta/main.yml
new file mode 100644
index 0000000000..4a5c132f49
--- /dev/null
+++ b/roles/freshmaker/backend/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: freshmaker/base }
diff --git a/roles/freshmaker/backend/tasks/main.yml b/roles/freshmaker/backend/tasks/main.yml
new file mode 100644
index 0000000000..febb901756
--- /dev/null
+++ b/roles/freshmaker/backend/tasks/main.yml
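Review bot: Both new entries carry the fixed hash `xxj31ZMTZzkVA`, the conventional password field for httpd's `SSLOptions +FakeBasicAuth` (it is the crypt of the literal word `password`), so the certificate DN is the only credential this file holds. That is safe only while the `AuthUserFile` referencing it is reachable exclusively through a location that requires a verified client certificate; if the same file were ever wired to a plain Basic-auth location, knowing a DN would be enough to authenticate. Confirm the consuming httpd config (not in this diff) pairs it with `SSLVerifyClient require`, and note the DN must match the issued certificates byte for byte, including the spacing in `OU=INTERNAL certificates`.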
@@ -0,0 +1,47 @@
+---
+- name: install the latest Freshmaker package
+ yum:
+ name: freshmaker
+ state: latest
+ update_cache: yes
+ with_items:
+ - freshmaker
+ - python2-odcs-client
+ when: freshmaker_upgrade
+ notify:
+ - restart fedmsg-hub
+ tags:
+ - freshmaker
+ - freshmaker/backend
+
+- name: generate the Freshmaker koji config
+ template:
+ src: etc/koji.conf.d/freshmaker.conf.j2
+ dest: /etc/koji.conf.d/freshmaker.conf
+ owner: fedmsg
+ group: fedmsg
+ mode: 0440
+ notify:
+ - restart fedmsg-hub
+ tags:
+ - freshmaker
+ - freshmaker/backend
+
+- name: ensure fedmsg-hub starts on boot
+ service:
+ name: "fedmsg-hub"
+ enabled: yes
+
+# This will initialize Alembic if the database is empty, and migrate to the
+# latest revision
+- name: migrate the database
+ command: "{{ item }}"
+ with_items:
+ - freshmaker-manager upgradedb
+ - freshmaker-manager db migrate
+ become: yes
+ become_user: fedmsg
+ when: freshmaker_migrate_db
+ tags:
+ - freshmaker
+ - freshmaker/backend
diff --git a/roles/freshmaker/backend/templates/etc/koji.conf.d/freshmaker.conf.j2 b/roles/freshmaker/backend/templates/etc/koji.conf.d/freshmaker.conf.j2
new file mode 100644
index 0000000000..ed2dcc8653
--- /dev/null
+++ b/roles/freshmaker/backend/templates/etc/koji.conf.d/freshmaker.conf.j2
@@ -0,0 +1,13 @@
+[freshmaker_prod]
+server = https://koji.fedoraproject.org/kojihub
+weburl = https://koji.fedoraproject.org/koji
+topurl = https://kojipkgs.fedoraproject.org/
+authtype = kerberos
+krb_rdns = false
+
+[freshmaker_stg]
+server = https://koji.stg.fedoraproject.org/kojihub
+weburl = https://koji.stg.fedoraproject.org/koji
+topurl = https://kojipkgs.stg.fedoraproject.org/
+authtype = kerberos
+krb_rdns = false
diff --git a/roles/freshmaker/base/defaults/main.yml b/roles/freshmaker/base/defaults/main.yml
new file mode 100644
index 0000000000..450f70b940
--- /dev/null
+++ b/roles/freshmaker/base/defaults/main.yml
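Review bot: The first task combines `name: freshmaker` with `with_items: [freshmaker, python2-odcs-client]`, so it runs `yum name=freshmaker` twice and never installs python2-odcs-client; use `name: "{{ item }}"` as the base role's tasks do. Both `notify: - restart fedmsg-hub` entries name a handler that the base role's handlers file in this commit defines as `restart fedmsg-hub daemon`, so unless a handler called `restart fedmsg-hub` exists elsewhere in the repository the notification will fail at run time. The `ensure fedmsg-hub starts on boot` task is the only one without `tags`, so a run limited to `--tags freshmaker` skips it.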
@@ -0,0 +1,29 @@
+---
+freshmaker_force_postgres_ssl: False
+freshmaker_handler_build_whitelist: null
+freshmaker_handler_build_blacklist: null
+freshmaker_pdc_insecure: False
+freshmaker_stg_krb_auth_client_keytab: "/etc/krb5.freshmaker_freshmaker.stg.fedoraproject.org.keytab"
+freshmaker_stg_krb_auth_principal: "freshmaker/freshmaker.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG"
+freshmaker_prod_krb_auth_client_keytab: "/etc/krb5.freshmaker_freshmaker.fedoraproject.org.keytab"
+freshmaker_prod_krb_auth_principal: "freshmaker/freshmaker.fedoraproject.org@FEDORAPROJECT.ORG"
+freshmaker_stg_git_base_url: git://pkgs.stg.fedoraproject.org
+freshmaker_stg_git_ssh_base_url: ssh://%s@pkgs.stg.fedoraproject.org
+freshmaker_stg_git_user: null
+freshmaker_prod_git_base_url: git://pkgs.fedoraproject.org
+freshmaker_prod_git_ssh_base_url: ssh://%s@pkgs.fedoraproject.org
+freshmaker_prod_git_user: null
+freshmaker_stg_odcs_server_url: https://odcs.fedoraproject.org
+freshmaker_prod_odcs_server_url: https://odcs.stg.fedoraproject.org
+freshmaker_stg_odcs_sigkeys: []
+freshmaker_prod_odcs_sigkeys: []
+freshmaker_stg_mbs_auth_token: null
+freshmaker_prod_mbs_auth_token: null
+freshmaker_dry_run: False
+freshmaker_admins: {"users": [], "groups": []}
+freshmaker_log_level: info
+freshmaker_servername: localhost
+
+freshmaker_messaging_topic_prefix: []
+freshmaker_parsers: []
+freshmaker_handlers: []
diff --git a/roles/freshmaker/base/handlers/main.yml b/roles/freshmaker/base/handlers/main.yml
new file mode 100644
index 0000000000..a536a3b7a7
--- /dev/null
+++ b/roles/freshmaker/base/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart fedmsg-hub daemon
+ command: /usr/local/bin/conditional-restart.sh fedmsg-hub python2-fedmsg
diff --git a/roles/freshmaker/base/tasks/main.yml b/roles/freshmaker/base/tasks/main.yml
new file mode 100644
index 0000000000..0493b360be
--- /dev/null
+++ b/roles/freshmaker/base/tasks/main.yml
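Review bot: The two ODCS URL defaults are swapped: `freshmaker_stg_odcs_server_url: https://odcs.fedoraproject.org` points staging at production ODCS and `freshmaker_prod_odcs_server_url: https://odcs.stg.fedoraproject.org` points production at staging. The config template added in this commit makes its staging branch read the `freshmaker_prod_odcs_*` variables, so staging happens to reach odcs.stg while a production Freshmaker would submit composes to the staging ODCS; fix both defaults together with the template. A `null` default for a value the template renders inside quotes (`freshmaker_stg_mbs_auth_token`, `freshmaker_stg_git_user`, and their prod twins) becomes the literal string `None` rather than an empty or missing value, which is worth a comment on those lines so nobody relies on it being unset.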
@@ -0,0 +1,39 @@
+---
+- name: install the packages required for Freshmaker frontend
+ yum:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - httpd
+ - mod_wsgi
+ - mod_auth_openidc
+ - libsemanage-python
+ - python-psycopg2
+ - freshmaker
+ when: inventory_hostname.startswith('freshmaker-frontend')
+ tags:
+ - freshmaker
+
+- name: install the packages required for Freshmaker backend
+ yum:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - python-psycopg2
+ - freshmaker
+ when: inventory_hostname.startswith('freshmaker-backend')
+ tags:
+ - freshmaker
+
+- name: generate Freshmaker app config
+ template:
+ src: etc/freshmaker/config.py.j2
+ dest: /etc/freshmaker/config.py
+ owner: fedmsg
+ group: fedmsg
+ mode: 0440
+ notify:
+ - restart apache
+ - restart fedmsg-hub daemon
+ tags:
+ - freshmaker
diff --git a/roles/freshmaker/base/templates/etc/freshmaker/config.py.j2 b/roles/freshmaker/base/templates/etc/freshmaker/config.py.j2
new file mode 100644
index 0000000000..4b38a8e5cc
--- /dev/null
+++ b/roles/freshmaker/base/templates/etc/freshmaker/config.py.j2
@@ -0,0 +1,263 @@
+# -*- coding: utf-8 -*-
+
+from os import path, environ
+
+confdir = path.abspath(path.dirname(__file__))
+# use parent dir as dbdir else fallback to current dir
+dbdir = path.abspath(path.join(confdir, '..')) if confdir.endswith('conf') \
+ else confdir
+
+
+class BaseConfiguration(object):
+ # Make this random (used to generate session keys)
+ SECRET_KEY = '74d9e9f9cd40e66fc6c4c2e9987dce48df3ce98542529fd0'
+ SQLALCHEMY_DATABASE_URI = 'sqlite:///{0}'.format(path.join(
+ dbdir, 'freshmaker.db'))
+ SQLALCHEMY_TRACK_MODIFICATIONS = False
+
+ HOST = '0.0.0.0'
+ PORT = 5001
+
+ DEBUG = False
+ # Global network-related values, in seconds
+ NET_TIMEOUT = 120
+ NET_RETRY_INTERVAL = 30
+
+ SYSTEM = 'koji'
+ MESSAGING = 'fedmsg' # or amq
+
+ # Available backends are: console, file, journal.
+ LOG_BACKEND = 'journal'
+
+ # Path to log file when LOG_BACKEND is set to "file".
+ LOG_FILE = 'freshmaker.log'
+
+ # Available log levels are: debug, info, warn, error.
+ LOG_LEVEL = 'info'
+
+ MESSAGING_TOPIC_PREFIX = ['org.fedoraproject.prod']
+
+ # Parsers defined for parse specific messages
+ PARSERS = [
+ 'freshmaker.parsers.bodhi:BodhiUpdateCompleteStableParser',
+ 'freshmaker.parsers.git:GitReceiveParser',
+ 'freshmaker.parsers.koji:KojiTaskStateChangeParser',
+ 'freshmaker.parsers.mbs:MBSModuleStateChangeParser',
+ ]
+
+ # List of enabled composing handlers.
+ HANDLERS = [
+ "freshmaker.handlers.bodhi:BodhiUpdateCompleteStableHandler",
+ "freshmaker.handlers.git:GitDockerfileChangeHandler",
+ "freshmaker.handlers.git:GitModuleMetadataChangeHandler",
+ "freshmaker.handlers.git:GitRPMSpecChangeHandler",
+ "freshmaker.handlers.koji:KojiTaskStateChangeHandler",
+ "freshmaker.handlers.mbs:MBSModuleStateChangeHandler",
+ ]
+
+ # Base URL of git repository with source artifacts.
+ GIT_BASE_URL = "git://pkgs.fedoraproject.org"
+
+ # SSH base URL of git repository
+ GIT_SSH_BASE_URL = "ssh://%s@pkgs.fedoraproject.org/"
+
+ # GIT user for cloning and pushing repo
+ GIT_USER = ""
+
+ # PDC API URL
+ PDC_URL = 'http://pdc.fedoraproject.org/rest_api/v1'
+
+ # Read Koji configuration from profile instead of reading them from
+ # configuration file directly. For staging Koji, it is stg.
+ KOJI_PROFILE = 'koji'
+ KOJI_PROXYUSER = False
+ KOJI_BUILD_OWNER = 'freshmaker'
+
+ # Settings for docker image rebuild handler
+ KOJI_CONTAINER_SCRATCH_BUILD = False
+
+ SSL_ENABLED = False
+
+ # whitelist and blacklist for handlers to decide whether an artifact
+ # can be built.
+ #
+ # In format of:
+ #
+ # { :
+ # { : }
+ # }
+ #
+ # Here is an example of allowing MBSModuleStateChangeHandler to build
+ # any module that module name matches 'base-.*' but not:
+ # 1. module name matches 'base-test-module'
+ # or:
+ # 2. module from branch 'rawhide'
+ #
+ # HANDLER_BUILD_WHITELIST = {
+ # "MBSModuleStateChangeHandler": {
+ # "module": [
+ # {
+ # 'name': 'base-.*',
+ # },
+ # ],
+ # },
+ # }
+ # HANDLER_BUILD_BLACKLIST = {
+ # "MBSModuleStateChangeHandler": {
+ # "module": [
+ # {
+ # 'name': 'base-test-module',
+ # },
+ # {
+ # 'branch': 'rawhide',
+ # },
+ # ],
+ # },
+ # }
+
+
+class DevConfiguration(BaseConfiguration):
+ DEBUG = True
+ LOG_BACKEND = 'console'
+ LOG_LEVEL = 'debug'
+
+ MESSAGING_TOPIC_PREFIX = ['org.fedoraproject.dev', 'org.fedoraproject.stg']
+
+ # Global network-related values, in seconds
+ NET_TIMEOUT = 5
+ NET_RETRY_INTERVAL = 1
+
+ KOJI_CONTAINER_SCRATCH_BUILD = True
+
+ LIGHTBLUE_VERIFY_SSL = False
+
+
+class TestConfiguration(BaseConfiguration):
+ LOG_BACKEND = 'console'
+ LOG_LEVEL = 'debug'
+ DEBUG = True
+
+ SQLALCHEMY_DATABASE_URI = 'sqlite:///{0}'.format(
+ path.join(dbdir, 'tests', 'test_freshmaker.db'))
+
+ MESSAGING = 'in_memory'
+ PDC_URL = 'http://pdc.fedoraproject.org/rest_api/v1'
+
+ # Global network-related values, in seconds
+ NET_TIMEOUT = 3
+ NET_RETRY_INTERVAL = 1
+ MBS_AUTH_TOKEN = "testingtoken"
+
+ KOJI_CONTAINER_SCRATCH_BUILD = True
+
+ LIGHTBLUE_SERVER_URL = '' # replace with real dev server url
+ LIGHTBLUE_VERIFY_SSL = False
+
+
+class ProdConfiguration(BaseConfiguration):
+ AUTH_BACKEND = 'openidc'
+ # use kerberos for talking to koji
+ KRB_AUTH_USE_KEYTAB = True
+
+ PDC_INSECURE = {{ freshmaker_pdc_insecure }}
+ # No auth is required by Freshmaker, read-only PDC accesss is enough.
+ PDC_DEVELOP = True
+
+{% if env == 'staging' %}
+ SECRET_KEY = "{{ freshmaker_stg_secret_key }}"
+
+ AUTH_OPENIDC_USERINFO_URI = 'https://id.stg.fedoraproject.org/openidc/UserInfo'
+
+ SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://freshmaker:{{freshmaker_stg_db_password}}@db-freshmaker/freshmaker{{ '?sslmode=require' if freshmaker_force_postgres_ssl else '' }}'
+
+ KOJI_PROFILE = 'freshmaker_stg'
+
+ MBS_BASE_URL = "https://mbs.stg.fedoraproject.org"
+ MBS_AUTH_TOKEN = "{{ freshmaker_stg_mbs_auth_token }}"
+
+ PDC_URL = 'https://pdc.stg.fedoraproject.org/rest_api/v1'
+
+ GIT_BASE_URL = "{{ freshmaker_stg_git_base_url }}"
+ GIT_SSH_BASE_URL = "{{ freshmaker_stg_git_ssh_base_url }}"
+ GIT_USER = "{{ freshmaker_stg_git_user }}"
+
+ ODCS_SERVER_URL = "{{ freshmaker_prod_odcs_server_url }}"
+ ODCS_SIGKEYS = {{ freshmaker_prod_odcs_sigkeys }}
+
+ KRB_AUTH_CLIENT_KEYTAB = "{{ freshmaker_stg_krb_auth_client_keytab }}"
+ KRB_AUTH_PRINCIPAL = "{{ freshmaker_stg_krb_auth_principal }}"
+{% else %}
+ SECRET_KEY = "{{ freshmaker_prod_secret_key }}"
+
+ AUTH_OPENIDC_USERINFO_URI = 'https://id.fedoraproject.org/openidc/UserInfo'
+
+ SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://freshmaker:{{freshmaker_prod_db_password}}@db-freshmaker/freshmaker{{ '?sslmode=require' if freshmaker_force_postgres_ssl else '' }}'
+
+ KOJI_PROFILE = "freshmaker_production"
+
+ MBS_BASE_URL = "https://mbs.fedoraproject.org"
+ MBS_AUTH_TOKEN = "{{ freshmaker_prod_mbs_auth_token }}"
+
+ PDC_URL = 'https://pdc.fedoraproject.org/rest_api/v1'
+
+ GIT_BASE_URL = "{{ freshmaker_prod_git_base_url }}"
+ GIT_SSH_BASE_URL = "{{ freshmaker_prod_git_ssh_base_url }}"
+ GIT_USER = "{{ freshmaker_prod_git_user }}"
+
+ ODCS_SERVER_URL = "{{ freshmaker_prod_odcs_server_url }}"
+ ODCS_SIGKEYS = {{ freshmaker_prod_odcs_sigkeys }}
+
+ KRB_AUTH_CLIENT_KEYTAB = "{{ freshmaker_prod_krb_auth_client_keytab }}"
+ KRB_AUTH_PRINCIPAL = "{{ freshmaker_prod_krb_auth_principal }}"
+{% endif %}
+
+ # requests_kerberos module does not support setting keytab, but the krb5
+ # library checks the KRB5_CLIENT_KTNAME environment variable to set the
+ # path to keytab.
+ environ["KRB5_CLIENT_KTNAME"] = KRB_AUTH_CLIENT_KEYTAB
+
+ MESSAGING = 'fedmsg'
+ MESSAGING_SENDER = 'fedmsg'
+ MESSAGING_BACKENDS = {
+ 'fedmsg': {
+ 'SERVICE': 'freshmaker',
+ },
+ 'in_memory': {
+ 'SERVICE': 'freshmaker',
+ }
+ }
+
+ MESSAGING_TOPIC_PREFIX = [
+ {% for prefix in freshmaker_messaging_topic_prefix %}
+ '{{ prefix }}',
+ {% endfor %}
+ ]
+
+ PARSERS = [
+ {% for parser in freshmaker_parsers %}
+ '{{ parser }}',
+ {% endfor %}
+ ]
+
+ HANDLERS = [
+ {% for handler in freshmaker_handlers %}
+ '{{ handler }}',
+ {% endfor %}
+ ]
+
+{% if freshmaker_handler_build_whitelist %}
+ HANDLER_BUILD_WHITELIST = {{ freshmaker_handler_build_whitelist }}
+{% endif %}
+
+{% if freshmaker_handler_build_blacklist %}
+ HANDLER_BUILD_BLACKLIST = {{ freshmaker_handler_build_blacklist }}
+{% endif %}
+
+ DRY_RUN = {{ freshmaker_dry_run }}
+
+ ADMINS = {{ freshmaker_admins }}
+
+ LOG_LEVEL = "{{ freshmaker_log_level }}"
+{% if freshmaker_servername %}
+ SERVER_NAME = "{{ freshmaker_servername }}"
+{% endif %}
diff --git a/roles/freshmaker/frontend/defaults/main.yml b/roles/freshmaker/frontend/defaults/main.yml
new file mode 100644
index 0000000000..fde213d7fe
--- /dev/null
+++ b/roles/freshmaker/frontend/defaults/main.yml
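Review bot: In the staging branch of ProdConfiguration, `ODCS_SERVER_URL = "{{ freshmaker_prod_odcs_server_url }}"` and `ODCS_SIGKEYS = {{ freshmaker_prod_odcs_sigkeys }}` read the production variables although `freshmaker_stg_odcs_*` exist in the base defaults and every other line of that branch uses its `_stg_` counterpart. The production branch sets `KOJI_PROFILE = "freshmaker_production"`, but the koji.conf.d template added in this commit only defines `[freshmaker_prod]` and `[freshmaker_stg]`, so production will not find its Koji profile. Values that default to `null` (`freshmaker_stg_mbs_auth_token`, `freshmaker_stg_git_user`, and the prod twins) render inside quotes as the string `"None"`, turning an unset token into a bogus credential instead of a template error; `{{ freshmaker_stg_mbs_auth_token | mandatory }}` surfaces that. With `freshmaker_force_postgres_ssl` defaulting to False, the password embedded in SQLALCHEMY_DATABASE_URI goes to db-freshmaker without TLS unless an inventory overrides it, and the fixed `SECRET_KEY` in BaseConfiguration is inherited by Dev/Test, which is acceptable only while those classes never serve real sessions.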
@@ -0,0 +1,11 @@
+---
+freshmaker_upgrade: False
+freshmaker_migrate_db: False
+freshmaker_force_ssl: True
+freshmaker_endpoint: ''
+freshmaker_allowed_named_hosts: []
+freshmaker_allowed_hosts: []
+freshmaker_servername: localhost
+freshmaker_stg_oidc_client_id: 'unset'
+freshmaker_stg_oidc_client_secret: 'unset'
+
diff --git a/roles/freshmaker/frontend/meta/main.yml b/roles/freshmaker/frontend/meta/main.yml
new file mode 100644
index 0000000000..4a5c132f49
--- /dev/null
+++ b/roles/freshmaker/frontend/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: freshmaker/base }
diff --git a/roles/freshmaker/frontend/tasks/main.yml b/roles/freshmaker/frontend/tasks/main.yml
new file mode 100644
index 0000000000..8da7c575eb
--- /dev/null
+++ b/roles/freshmaker/frontend/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+- name: install the latest Freshmaker package
+ yum:
+ name: freshmaker
+ state: latest
+ update_cache: yes
+ with_items:
+ - freshmaker
+ when: freshmaker_upgrade
+ notify:
+ - restart apache
+ tags:
+ - freshmaker
+ - freshmaker/frontend
+
+- name: ensure selinux lets httpd talk to postgres
+ seboolean: name={{item}} state=yes persistent=yes
+ with_items:
+ - httpd_can_network_connect_db
+ - httpd_can_network_connect
+ when: "'enabled' in ansible_selinux.status"
+ tags:
+ - freshmaker
+ - freshmaker/frontend
+ - selinux
+
+- name: make httpd logs world readable
+ file:
+ name: /var/log/httpd
+ state: directory
+ mode: 0755
+ tags:
+ - freshmaker
+ - freshmaker/frontend
+
+- name: generate the Freshmaker httpd config
+ template:
+ src: etc/httpd/conf.d/freshmaker.conf.j2
+ dest: /etc/httpd/conf.d/freshmaker.conf
+ owner: apache
+ group: apache
+ mode: 0440
+ notify:
+ - restart apache
+ tags:
+ - freshmaker
+ - freshmaker/frontend
diff --git a/roles/freshmaker/frontend/templates/etc/httpd/conf.d/freshmaker.conf.j2 b/roles/freshmaker/frontend/templates/etc/httpd/conf.d/freshmaker.conf.j2
new file mode 100644
index 0000000000..9045aac568
--- /dev/null
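Review bot: `freshmaker_stg_oidc_client_id: 'unset'` and `freshmaker_stg_oidc_client_secret: 'unset'` let a staging deploy render a working-looking httpd config that presents a placeholder client id/secret to id.stg.fedoraproject.org, while the prod variables have no default and fail loudly at template time. Dropping the two staging defaults makes both environments fail the same way when the real values are missing. `freshmaker_servername: localhost` duplicates the base role's default and, combined with the hostname-redirect block in freshmaker.conf.j2, sends every request to localhost on a host deployed with defaults; a comment saying the inventory must override it would help.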
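Review bot: `make httpd logs world readable` sets /var/log/httpd to 0755, which exposes access and error logs (client addresses, request paths, and whatever mod_auth_openidc logs about token introspection) to every local account; if a specific consumer needs them, a group grant on the log files is the narrower change, and the task should carry a comment naming that consumer. `httpd_can_network_connect` allows httpd to open any outbound connection, far more than the `_db` boolean; it is presumably needed for the OIDCOAuthIntrospectionEndpoint calls to id.fedoraproject.org, so the task name (`talk to postgres`) and a comment should say so. The `yum` task repeats the backend role's `name: freshmaker` together with `with_items`; `name: "{{ item }}"` is what the loop expects.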
+++ b/roles/freshmaker/frontend/templates/etc/httpd/conf.d/freshmaker.conf.j2
@@ -0,0 +1,49 @@
+{% if freshmaker_force_ssl %}
+# Force SSL
+RewriteEngine On
+RewriteCond %{HTTPS} off
+RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+{% endif %}
+
+WSGIDaemonProcess freshmaker user=fedmsg group=fedmsg processes={{wsgi_procs}} threads={{wsgi_threads}} home=/usr/share/freshmaker
+WSGIScriptAlias /{{ freshmaker_endpoint }} /usr/share/freshmaker/freshmaker.wsgi
+
+{% if freshmaker_servername != inventory_hostname and freshmaker_servername != None %}
+# Redirect from the hostname of this machine to user-visible hostname.
+RewriteEngine On
+
+RewriteRule (.*) "%{REQUEST_SCHEME}://{{ freshmaker_servername }}%{REQUEST_URI}" [R,L]
+
+{% endif %}
+
+{% if env == 'staging' %}
+OIDCOAuthClientID {{ freshmaker_stg_oidc_client_id }}
+OIDCOAuthClientSecret {{ freshmaker_stg_oidc_client_secret }}
+OIDCOAuthIntrospectionEndpoint https://id.stg.fedoraproject.org/openidc/TokenInfo
+{% else %}
+OIDCOAuthClientID {{ freshmaker_prod_oidc_client_id }}
+OIDCOAuthClientSecret {{ freshmaker_prod_oidc_client_secret }}
+OIDCOAuthIntrospectionEndpoint https://id.fedoraproject.org/openidc/TokenInfo
+{% endif %}
+
+OIDCOAuthIntrospectionEndpointAuth client_secret_post
+OIDCOAuthIntrospectionEndpointParams token_type_hint=Bearer
+
+
+ WSGIProcessGroup freshmaker
+ WSGIApplicationGroup %{GLOBAL}
+
+ {% if freshmaker_allowed_named_hosts or freshmaker_allowed_hosts %}
+ # Only requests from following hosts/ips are allowed.
+
+ {{ 'Require host ' ~ freshmaker_allowed_named_hosts|join(' ') if freshmaker_allowed_named_hosts else '' }}
+ {{ 'Require ip ' ~ freshmaker_allowed_hosts|join(' ') if freshmaker_allowed_hosts else '' }}
+
+ {% endif %}
+
+ {% if not freshmaker_allowed_named_hosts and not freshmaker_allowed_hosts %}
+ # No auth mechanism configured, so everyone is allowed to access Freshmaker.
+ Require all granted
+ {% endif %}
+
+
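Review bot: The force-SSL rule `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}` has no flags, so it depends on mod_rewrite's implicit external redirect (a temporary one) and rule processing continues into the hostname redirect below; `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]` makes the redirect permanent and explicit. The hostname-redirect block is skipped only when `freshmaker_servername` equals inventory_hostname or is None, yet both defaults files in this commit set it to `localhost`, so a host deployed with defaults redirects every request to localhost. The container directives around `WSGIProcessGroup` and the `Require` lines are not visible in this rendering, so I cannot tell which path the `Require all granted` fallback covers; the comment above it would be clearer as `# No source-host restriction configured; authorization of API calls is left to the OIDC bearer-token check above.` rather than saying no auth mechanism exists.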
diff --git a/roles/git/hooks/files/post-receive-alternativearch b/roles/git/hooks/files/post-receive-alternativearch index 16d8cef4dd..7bc4a9a6a0 100755 --- a/roles/git/hooks/files/post-receive-alternativearch +++ b/roles/git/hooks/files/post-receive-alternativearch @@ -66,7 +66,7 @@ def read_output(cmd, abspath, input=None, keepends=False, **kw): print(err) if not keepends: out = out.rstrip('\n\r') - return out + return out.decode('utf-8') def read_git_output(args, abspath, input=None, keepends=False, **kw): @@ -164,7 +164,7 @@ def run_as_post_receive_hook(): if DEBUG: print('List of commits:', new_commits_list) - full_change = '' + full_change = u'' exclude_arch = {} for commit in new_commits_list: if DEBUG: diff --git a/roles/gnome_backups/files/backup.sh b/roles/gnome_backups/files/backup.sh index ede7629c32..4931806d3a 100644 --- a/roles/gnome_backups/files/backup.sh +++ b/roles/gnome_backups/files/backup.sh @@ -9,28 +9,26 @@ MACHINES='signal.gnome.org webapps2.gnome.org clutter.gnome.org blogs.gnome.org - chooser.gnome.org + palette.gnome.org git.gnome.org webapps.gnome.org cloud.gnome.org bastion.gnome.org spinner.gnome.org master.gnome.org - combobox.gnome.org restaurant.gnome.org expander.gnome.org - live.gnome.org - extensions.gnome.org + wiki.gnome.org view.gnome.org - puppet.gnome.org + puppetmaster01.gnome.org accelerator.gnome.org range.gnome.org pentagon.gimp.org account.gnome.org - bugzilla-new.gnome.org + bugzilla.gnome.org socket.gnome.org odrs.gnome.org - ghispano.gnome.org + gnome-hispano.gnome.org scale.gnome.org sdkbuilder.gnome.org webapps3.gnome.org diff --git a/roles/gnome_backups/files/ssh_config b/roles/gnome_backups/files/ssh_config index c75e148077..e6ed7f9d59 100644 --- a/roles/gnome_backups/files/ssh_config +++ b/roles/gnome_backups/files/ssh_config 
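Review bot: `return out.decode('utf-8')` in read_output raises UnicodeDecodeError on any git output that is not valid UTF-8 — commit messages and file names are arbitrary bytes — which aborts the post-receive hook for that push; `return out.decode('utf-8', 'replace')` keeps the hook running and only mangles the offending characters. The head of read_output is outside the hunk, so I cannot see whether callers already guard against this. The second hunk's `full_change = u''` is consistent with the decode and needs no further change.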
@@ -1,4 +1,4 @@ -Host live.gnome.org extensions.gnome.org puppet.gnome.org cloud.gnome.org webapps3.gnome.org +Host puppetmaster01.gnome.org cloud.gnome.org webapps3.gnome.org User root IdentityFile /usr/local/etc/gnome_backup_id.rsa ProxyCommand ssh -W %h:%p bastion.gnome.org -F /usr/local/etc/gnome_ssh_config diff --git a/roles/gnome_backups/tasks/main.yml b/roles/gnome_backups/tasks/main.yml index 84dde09352..d95aa7a02a 100644 --- a/roles/gnome_backups/tasks/main.yml +++ b/roles/gnome_backups/tasks/main.yml @@ -30,29 +30,26 @@ - clutter.gnome.org - blogs.gnome.org - view.gnome.org - - puppet.gnome.org - - extensions.gnome.org - - chooser.gnome.org + - puppetmaster01.gnome.org + - palette.gnome.org - git.gnome.org - webapps.gnome.org - socket.gnome.org - - bugzilla-web.gnome.org + - bugzilla.gnome.org - progress.gnome.org - cloud.gnome.org - bastion.gnome.org - spinner.gnome.org - master.gnome.org - - live.gnome.org - - combobox.gnome.org + - wiki.gnome.org - restaurant.gnome.org - expander.gnome.org - accelerator.gnome.org - range.gnome.org - pentagon.gimp.org - account.gnome.org - - bugzilla-new.gnome.org - odrs.gnome.org - - ghispano.gnome.org + - gnome-hispano.gnome.org - scale.gnome.org - sdkbuilder.gnome.org - webapps3.gnome.org diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 762e3d9d71..32f7aedd9d 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -428,7 +428,7 @@ frontend retrace-frontend backend retrace-backend balance hdr(appserver) - server retrace01 retrace01:80 check inter 10s rise 1 fall 2 + server retrace02.qa.fedoraproject.org retrace02.qa.fedoraproject.org:80 check inter 10s rise 1 fall 2 {% endif %} {% if env == "staging" %} 
@@ -642,6 +642,15 @@ backend odcs-backend server odcs-frontend01 odcs-frontend01:80 check inter 20s rise 2 fall 3 option httpchk GET /api/1/composes/ +frontend freshmaker-frontend + bind 0.0.0.0:10067 + default_backend freshmaker-backend + +backend freshmaker-backend + balance hdr(appserver) + server freshmaker-frontend01 freshmaker-frontend01:80 check inter 20s rise 2 fall 3 + option httpchk GET /api/1/builds/ + # Apache doesn't handle the initial connection here like the other proxy # entries. This proxy also doesn't use the http mode like the others. # stunnel should be sitting on port 9939 (public) and redirecting diff --git a/roles/hosts/files/pagure01.fedoraproject.org-hosts b/roles/hosts/files/pagure01.fedoraproject.org-hosts index f61e44f312..aafff66e5d 100644 --- a/roles/hosts/files/pagure01.fedoraproject.org-hosts +++ b/roles/hosts/files/pagure01.fedoraproject.org-hosts @@ -1,3 +1,4 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 127.0.0.1 db-pagure db-pagure +127.0.0.1 pagure.io diff --git a/roles/hotness/tasks/main.yml b/roles/hotness/tasks/main.yml index a81b2c956d..846da3ef1b 100644 --- a/roles/hotness/tasks/main.yml +++ b/roles/hotness/tasks/main.yml @@ -35,8 +35,6 @@ owner=fedmsg group=fedmsg mode=0600 with_items: - hotness.py - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" notify: - restart fedmsg-hub tags: diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf index a319b7baed..115fed5d03 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf 
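Review bot: The new `bind 0.0.0.0:10067` for freshmaker-frontend has no `ssl`/`crt` and inherits whatever the `defaults` section sets, so the bearer tokens that mod_auth_openidc introspects on the backend arrive on this port in clear unless its only clients are the TLS-terminating httpd reverse proxies in front of it; a comment stating that assumption, as the stunnel remark below does for its port, would make the trust boundary explicit. `option httpchk GET /api/1/builds/` will be evaluated against the `Require host`/`Require ip` rules in freshmaker.conf.j2 from this commit, so if `freshmaker_allowed_hosts` is ever set the proxy's own address must be in it or the backend will be marked down.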
@@ -5,7 +5,7 @@ RequestHeader set X-Forwarded-Proto https early # Cannot redirect to HTTPS for *.id.fedoraproject.org or set # "includeSubdomains", because relying parties need to be able to access # username.id.fedoraproject.org via plain HTTP -Header always add Strict-Transport-Security "max-age=15768000; preload" +Header always add Strict-Transport-Security "max-age=31536000; preload" RewriteEngine on diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-centos.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-centos.conf new file mode 100644 index 0000000000..eaf39b36c2 --- /dev/null +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-centos.conf @@ -0,0 +1,33 @@ +RewriteEngine on + +RewriteRule ^/v2/latest/(.*) /v2/f27/$1 [R,L] + +{% if env == "staging" %} +RewriteRule ^/v2/(.*) /v2/centos/$1 +{% endif %} + +RewriteRule ^/signatures/(.*) /srv/web/registry-signatures/$1 [L] + + + Require all granted + + +{% include './reversepassproxy.registry-generic.conf' %} + +# Write access to docker-deployer only +{% if env == "staging" %} + + + Require user docker-registry-internal-stg + + + + Require all denied + + +{% else %} + + + require valid-user + +{% endif %} diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-fedora.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-fedora.conf new file mode 100644 index 0000000000..abe388b26f --- /dev/null +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-fedora.conf 
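Review bot: `Require user docker-registry-internal-stg` in the staging write-access block will not match what `SSLOptions +FakeBasicAuth` (kept in the generic fragment) puts into REMOTE_USER, which is the client certificate's full subject DN; the passwd-staging file in this commit now lists DNs with CN `Fedora STAGING registry push` and `CentOS STAGING registry push`, and the old CN no longer appears in it at all. Unless another auth provider sets that bare user name, staging pushes will be refused, so either `Require user "/C=US/ST=North Carolina/L=Raleigh/O=Fedora Project/OU=INTERNAL certificates/CN=CentOS STAGING registry push"` or `Require valid-user` as in the production branch is needed. The same block appears in reversepassproxy.registry-fedora.conf; the Location/Directory containers around these lines are stripped from this rendering, so which paths each Require applies to is not visible here.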
@@ -0,0 +1,33 @@ +RewriteEngine on + +RewriteRule ^/v2/latest/(.*) /v2/f27/$1 [R,L] + +{% if env == "staging" %} +RewriteRule ^/v2/(.*) /v2/fedora/$1 +{% endif %} + +RewriteRule ^/signatures/(.*) /srv/web/registry-signatures/$1 [L] + + + Require all granted + + +{% include './reversepassproxy.registry-generic.conf' %} + +# Write access to docker-deployer only +{% if env == "staging" %} + + + Require user docker-registry-internal-stg + + + + Require all denied + + +{% else %} + + + require valid-user + +{% endif %} diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf similarity index 70% rename from roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf rename to roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf index 4b65819173..da8b016c4a 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf @@ -3,10 +3,6 @@ RequestHeader set X-Scheme https early RequestHeader set X-Forwarded-Proto https early ProxyPreserveHost On -RewriteEngine on -RewriteRule ^/signatures/(.*) /srv/web/registry-signatures/$1 [L] - -RewriteRule ^/v2/latest/(.*) /v2/f27/$1 [R,L] {% if env == "production" %} RewriteCond %{HTTP:VIA} !cdn77 @@ -30,26 +26,9 @@ SSLVerifyDepth 1 SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert SSLOptions +FakeBasicAuth - - Require all granted - - - Order deny,allow - Allow from all AuthName "Registry Authentication" AuthType Basic AuthUserFile /etc/httpd/conf.d/registry.fedoraproject.org/passwd - - # Anyone can read - - Require all granted - - - # Write access to docker-deployer only - - Require valid-user - - diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf index ff5bcae024..1c747fbc6a 100644 --- a/roles/httpd/website/templates/website.conf 
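Review bot: With the `Require all granted` / `Require valid-user` containers removed from the generic fragment, the surviving `SSLOptions +FakeBasicAuth` plus `AuthType Basic` / `AuthUserFile` block now authenticates whatever the two including files protect, and nothing in this file documents the contract: FakeBasicAuth sets REMOTE_USER to the client certificate DN and uses a fixed password, which is why every entry in passwd-staging carries the same hash. That is only an authentication control while client-certificate verification is mandatory on the protected paths (`SSLVerifyClient require`); the directive is not in this hunk, though the `SSLVerifyDepth`/`SSLCACertificateFile` context suggests it is set above. A comment after `SSLOptions +FakeBasicAuth` should say `# REMOTE_USER is the client cert DN and the AuthUserFile password is the fixed mod_ssl one; access control relies on SSLVerifyClient being mandatory for the paths that Require a user.`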
+++ b/roles/httpd/website/templates/website.conf @@ -55,7 +55,7 @@ SSLCipherSuite {{ ssl_ciphers }} {% if sslonly %} - Header always add Strict-Transport-Security "max-age=15768000; {% if stssubdomains %}includeSubDomains; {% endif %}preload" + Header always add Strict-Transport-Security "max-age=31536000; {% if stssubdomains %}includeSubDomains; {% endif %}preload" {% endif %} Include "conf.d/{{ name }}/*.conf" diff --git a/roles/hubs/defaults/main.yml b/roles/hubs/defaults/main.yml index 2ee32214e4..8eb42b7a21 100644 --- a/roles/hubs/defaults/main.yml +++ b/roles/hubs/defaults/main.yml @@ -4,11 +4,13 @@ hubs_secret_key: changeme hubs_base_dir: "/srv/hubs" hubs_code_dir: "{{ hubs_base_dir }}/fedora-hubs" hubs_conf_dir: "{{ hubs_base_dir }}/config" -hubs_venv_dir: "{{ hubs_base_dir }}/venv" hubs_var_dir: "{{ hubs_base_dir }}/var" hubs_db_type: sqlite hubs_db_password: changeme -hubs_url_hostname: localhost +hubs_url_hostname: "{{ ansible_fqdn }}" hubs_url: http{% if not hubs_dev_mode %}s{% endif %}://{{ hubs_url_hostname }}{% if hubs_dev_mode %}:5000{% endif %} -hubs_ssl_cert: /etc/pki/tls/certs/localhost.crt -hubs_ssl_key: /etc/pki/tls/private/localhost.key +hubs_ssl_cert: /etc/pki/tls/certs/{{ hubs_url_hostname }}.crt +hubs_ssl_key: /etc/pki/tls/private/{{ hubs_url_hostname }}.key +hubs_fas_username: null +hubs_fas_password: null +hubs_oidc_url: iddev.fedorainfracloud.org diff --git a/roles/hubs/files/logging.ini b/roles/hubs/files/logging.ini deleted file mode 100644 index 3512fa6ee9..0000000000 --- a/roles/hubs/files/logging.ini +++ /dev/null @@ -1,23 +0,0 @@ -# From https://docs.python.org/2/howto/logging.html -[loggers] -keys=root - -[handlers] -keys=console - -[formatters] -keys=simple - -[logger_root] -level=DEBUG -handlers=console - -[handler_console] -class=StreamHandler -level=DEBUG -formatter=simple -args=(sys.stdout,) - -[formatter_simple] -format=[%(asctime)s][%(process)d][%(levelname)s] (%(name)s) %(message)s -datefmt=%H:%M:%S 
diff --git a/roles/hubs/handlers/main.yml b/roles/hubs/handlers/main.yml index c6935af51c..4bc0f93892 100644 --- a/roles/hubs/handlers/main.yml +++ b/roles/hubs/handlers/main.yml @@ -1,21 +1,26 @@ - name: restart postgresql service: name=postgresql state=restarted -- name: restart the hubs-specific fedmsg-hub - service: name=hubs-fedmsg-hub state=restarted - listen: "hubs configuration change" - - name: restart hubs triage - service: name=hubs-triage@* state=restarted + service: name=fedora-hubs-triage@* state=restarted listen: "hubs configuration change" + when: not hubs_dev_mode - name: restart hubs workers - service: name=hubs-worker@* state=restarted + service: name=fedora-hubs-worker@* state=restarted listen: "hubs configuration change" + when: not hubs_dev_mode - name: restart hubs SSE server - service: name=hubs-sse state=restarted + service: name=fedora-hubs-sse state=restarted listen: "hubs configuration change" + when: not hubs_dev_mode # Webserver -- import_tasks: webserver.yml +- name: restart hubs webapp + service: name=fedora-hubs-webapp state=restarted + listen: "hubs configuration change" + when: not hubs_dev_mode + +- name: restart nginx + service: name=nginx state=restarted diff --git a/roles/hubs/handlers/webserver.yml b/roles/hubs/handlers/webserver.yml deleted file mode 100644 index e6cb871791..0000000000 --- a/roles/hubs/handlers/webserver.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: restart hubs webapp - service: name=hubs-webapp state=restarted - listen: "hubs configuration change" - when: not hubs_dev_mode - -- name: restart nginx - service: name=nginx state=restarted diff --git a/roles/hubs/tasks/db-postgresql.yml b/roles/hubs/tasks/db-postgresql.yml index e8a560105c..aabb48a80d 100644 --- a/roles/hubs/tasks/db-postgresql.yml +++ b/roles/hubs/tasks/db-postgresql.yml 
@@ -4,6 +4,8 @@ dnf: name={{ item }} state=present with_items: - postgresql-server + - python3-psycopg2 + # For the ansible module - python-psycopg2 - name: Set up postgresql database @@ -28,6 +30,7 @@ name: hubs password: "{{ hubs_db_password }}" role_attr_flags: NOSUPERUSER,NOCREATEROLE,NOCREATEDB + become: true become_user: postgres - name: Create the database @@ -35,22 +38,15 @@ name: hubs owner: hubs register: db_creation + become: true become_user: postgres -- name: Ease local access to the database - copy: - content: "*:*:hubs:hubs:{{ hubs_db_password }}" - dest: /home/{{ main_user }}/.pgpass - mode: 600 - owner: "{{ main_user }}" - group: "{{ main_user }}" - - name: Populate the Fedora Hubs database - command: "{{ hubs_venv_dir }}/bin/python {{ hubs_code_dir }}/populate.py" + command: "python3 {{ hubs_code_dir }}/populate.py" args: chdir: "{{ hubs_code_dir }}" environment: - HUBS_CONFIG: "{{ hubs_conf_dir }}/hubs_config.py" + HUBS_CONFIG: "{{ hubs_conf_dir }}/hubs.py" + become: true become_user: "{{ main_user }}" - when: db_creation|succeeded - + when: db_creation|succeeded and db_creation|changed and hubs_dev_mode diff --git a/roles/hubs/tasks/db-sqlite.yml b/roles/hubs/tasks/db-sqlite.yml index 624c726019..e8397277e8 100644 --- a/roles/hubs/tasks/db-sqlite.yml +++ b/roles/hubs/tasks/db-sqlite.yml @@ -1,8 +1,9 @@ - name: Create and populate the Fedora Hubs database - command: "{{ hubs_venv_dir }}/bin/python {{ hubs_code_dir }}/populate.py" + command: "python3 {{ hubs_code_dir }}/populate.py" args: creates: "{{ hubs_var_dir }}/hubs.db" chdir: "{{ hubs_code_dir }}" environment: - HUBS_CONFIG: "{{ hubs_conf_dir }}/hubs_config.py" + HUBS_CONFIG: "{{ hubs_conf_dir }}/hubs.py" + become: true become_user: "{{ main_user }}" diff --git a/roles/hubs/tasks/dev.yml b/roles/hubs/tasks/dev.yml new file mode 100644 index 0000000000..2b09949be8 --- /dev/null +++ b/roles/hubs/tasks/dev.yml 
@@ -0,0 +1,82 @@ +# Set up the Python development environment + +- name: Install Fedora Hubs requirements.txt into hubs virtualenv + pip: + requirements: "{{ hubs_code_dir }}/requirements.txt" + executable: pip3 + +- name: Install Fedora Hubs test-requirements.txt into hubs virtualenv + pip: + requirements: "{{ hubs_code_dir }}/test-requirements.txt" + executable: pip3 + +- name: Install other packages into hubs virtualenv + pip: + name: "{{ item }}" + executable: pip3 + with_items: + - bleach + +- name: Install Fedora Hubs into the virtualenv + command: "pip3 install -e {{ hubs_code_dir }}" + args: + creates: "/usr/lib/python3.6/site-packages/fedora-hubs.egg-link" + + +# Set up JavaScript requirements + +- name: Install npm packages + command: npm install + become: true + become_user: "{{ main_user }}" + args: + creates: node_modules + chdir: "{{ hubs_code_dir }}/hubs/static/client" + +- name: Build JavaScript assets + command: npm run build + become: true + become_user: "{{ main_user }}" + args: + chdir: "{{ hubs_code_dir }}/hubs/static/client" + creates: "{{ hubs_code_dir }}/hubs/static/js/build/common.js" + + +# Development tools + +- name: Install helpful development packages + dnf: name={{ item }} state=present + with_items: + - git + - vim-enhanced + +- name: Install Fedora Hubs development tools + dnf: name={{ item }} state=present + with_items: + - python3-honcho + - python3-tox + +- name: Ease local access to the database + copy: + content: "*:*:hubs:hubs:{{ hubs_db_password }}" + dest: /home/{{ main_user }}/.pgpass + mode: 600 + owner: "{{ main_user }}" + group: "{{ main_user }}" + when: hubs_db_type == "postgresql" + +- name: Install a custom bashrc + template: src=bashrc dest=/home/{{ main_user }}/.bashrc + +- name: Install Honcho's env file + template: src=honcho-env dest={{ hubs_base_dir }}/.env + +- name: Install Honcho's procfile + template: src=honcho-procfile dest={{ hubs_base_dir }}/Procfile + +- name: Link to the FAS credentials file if any + 
file: + state: link + path: "/etc/fedmsg.d/fas_credentials.py" + src: "{{ hubs_code_dir }}/fedmsg.d/fas_credentials.py" + notify: "hubs configuration change" diff --git a/roles/hubs/tasks/dev_deps.yml b/roles/hubs/tasks/dev_deps.yml new file mode 100644 index 0000000000..38ba4ba7f1 --- /dev/null +++ b/roles/hubs/tasks/dev_deps.yml @@ -0,0 +1,64 @@ +- name: Install Fedora Hubs development packages + dnf: name={{ item }} state=present + with_items: + - gcc + - gcc-c++ + - libffi-devel + - openssl-devel + - python-sphinx + - python2-devel + - python3-devel + - python3-virtualenv + - python3-flask-oidc + - python3-moksha-common + - redhat-rpm-config + - sqlite-devel + - npm + - fedmsg-hub + +- name: Install the distribution versions of requirements.txt + dnf: name={{ item }} state=present + with_items: + - python3-alembic + - python3-arrow + - python3-beautifulsoup4 + - python3-bleach + - python3-blinker + - python3-dateutil + - python3-decorator + - python3-dogpile-cache + - python3-fedmsg + - python3-fedmsg-meta-fedora-infrastructure + - python3-fedora + - python3-flask + - python3-flask-oidc + - python3-html5lib + - python3-humanize + - python3-iso3166 + - python3-markdown + - python3-munch + - python3-pkgwat-api + - python3-pygments + - python3-pygments-markdown-lexer + - python3-pymongo + - python3-pytz + - python3-redis + - python3-requests + - python3-retask + - python3-six + - python3-sqlalchemy + - python3-twisted + + +- name: Create the directory structure + file: + path: "{{ item.path }}" + state: directory + owner: "{{ main_user }}" + group: "{{ main_user }}" + mode: "{{ item.mode }}" + #setype: httpd_sys_content_rw_t + with_items: + - {path: "{{ hubs_base_dir }}", mode: 755} + - {path: "{{ hubs_conf_dir }}", mode: 750} + - {path: "{{ hubs_var_dir }}", mode: 750} diff --git a/roles/hubs/tasks/main.yml b/roles/hubs/tasks/main.yml index a06608abee..6f858e896f 100644 --- a/roles/hubs/tasks/main.yml +++ b/roles/hubs/tasks/main.yml 
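Review bot: `mode: 600` on the `Ease local access to the database` task is an unquoted YAML integer, which Ansible interprets as decimal 600 rather than octal 0600, so the file holding `hubs_db_password` does not get the permissions the author intended; write it as `mode: 0600` (leading zero) or `mode: "0600"`, as the new tasks in main.yml already do with `0640`. The directory-structure task moved into dev_deps.yml on this line has the same problem with `mode: 755` and `mode: 750`. Separately, the pip tasks at the top of dev.yml now run as root against the system interpreter with no `virtualenv:` option, so `requirements.txt` overwrites dnf-managed modules under `/usr/lib/python3.6/site-packages`; if that is deliberate for the dev VM, a comment such as `# dev mode only: pip intentionally installs over the distro packages` would save the next reader the question.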
@@ -1,214 +1,82 @@ --- -- name: Install helpful development packages - dnf: name={{ item }} state=present - with_items: - - git - - vim-enhanced - - name: Install external dependencies dnf: name={{ item }} state=present with_items: - - npm - redis - - fedmsg-hub - - python-virtualenv - - python3-flask-oidc + - python3-fedmsg + - postfix -- name: Install Fedora Hubs development packages - dnf: name={{ item }} state=present - with_items: - - gcc - - gcc-c++ - - libffi-devel - - openssl-devel - - python-sphinx - - python2-devel - - python3-devel - - redhat-rpm-config - - sqlite-devel + +- include_tasks: dev_deps.yml when: hubs_dev_mode -- name: Install the distribution versions of requirements.txt - dnf: name={{ item }} state=present - with_items: - - python-alembic - - python-arrow - - python-bleach - - python-decorator - - python-dogpile-cache - - python-fedmsg-core - - python-fedmsg-meta-fedora-infrastructure - - python-flask - - python-flask-oidc - - python-fmn-lib - - python-fmn-rules - - python-futures - - python-html5lib - - python-munch - - pytz - - python-sqlalchemy - - python-markdown - - python2-pkgwat-api - - python-six - - python-pygments - - python-pygments-markdown-lexer - - python-retask +- include_tasks: prod_deps.yml + when: not hubs_dev_mode -# Add various helpful configuration files -- name: Install a custom bashrc - template: src=bashrc dest=/home/{{ main_user }}/.bashrc - when: hubs_dev_mode - - -# Create directory structure - -- name: Create the directory structure - file: - path: "{{ item.path }}" - state: directory - owner: "{{ main_user }}" - group: "{{ main_user }}" - mode: "{{ item.mode }}" - #setype: httpd_sys_content_rw_t - with_items: - - {path: "{{ hubs_base_dir }}", mode: 755} - - {path: "{{ hubs_conf_dir }}", mode: 750} - - {path: "{{ hubs_var_dir }}", mode: 750} - - -# Set up the Python development environment -- name: Install Fedora Hubs requirements.txt into hubs virtualenv - become_user: "{{ main_user }}" - pip: - requirements: 
"{{ hubs_code_dir }}/requirements.txt" - virtualenv: "{{ hubs_venv_dir}}" - virtualenv_site_packages: yes - -- name: Install Fedora Hubs test-requirements.txt into hubs virtualenv - become_user: "{{ main_user }}" - pip: - requirements: "{{ hubs_code_dir }}/test-requirements.txt" - virtualenv: "{{ hubs_venv_dir}}" - virtualenv_site_packages: yes - -- name: Install other packages into hubs virtualenv - become_user: "{{ main_user }}" - pip: - name: "{{ item }}" - virtualenv: "{{ hubs_venv_dir }}" - virtualenv_site_packages: yes - with_items: - - bleach - -- name: Install Fedora Hubs into the virtualenv - become_user: "{{ main_user }}" - command: "{{ hubs_venv_dir }}/bin/pip install -e {{ hubs_code_dir }}" - args: - creates: "{{ hubs_venv_dir }}/lib/python2.7/site-packages/fedora-hubs.egg-link" - -- name: Set bin file context in the virtualenv - become_user: "{{ main_user }}" - file: - path: "{{ hubs_venv_dir }}/bin" - state: directory - recurse: true - setype: bin_t - - name: Add a basic Hubs configuration file template: src: "{{ item }}" - dest: "{{ hubs_conf_dir }}/hubs_config.py" + dest: "{{ hubs_conf_dir }}/hubs.py" + owner: root + group: "{{ main_user }}" + mode: 0640 with_first_found: - hubs_config.{{ ansible_hostname }} - hubs_config - become_user: "{{ main_user }}" notify: "hubs configuration change" + - name: Add a basic fedmsg configuration file template: src: "{{ item }}" - dest: "/etc/fedmsg.d/hubs_config.py" + dest: "/etc/fedmsg.d/fedora-hubs.py" with_first_found: - fedmsg_config.{{ ansible_hostname }} - fedmsg_config notify: "hubs configuration change" + - name: Configure application to authenticate with iddev.fedorainfracloud.org command: oidc-register --output-file {{ hubs_conf_dir }}/client_secrets.json - https://iddev.fedorainfracloud.org/ {{ hubs_url }} - become_user: "{{ main_user }}" + https://{{ hubs_oidc_url }}/ {{ hubs_url }} args: creates: "{{ hubs_conf_dir }}/client_secrets.json" - -# Set up, create, and populate the database. 
-- import_tasks: db-{{ hubs_db_type }}.yml - - -# Set up JavaScript requirements -- name: Install npm packages - command: npm install - become_user: "{{ main_user }}" - args: - creates: node_modules - chdir: "{{ hubs_code_dir }}/hubs/static/client" - -- name: Build JavaScript assests - command: npm run build - become_user: "{{ main_user }}" - args: - chdir: "{{ hubs_code_dir }}/hubs/static/client" - creates: "{{ hubs_code_dir }}/hubs/static/js/build/common.js" - - -- name: Fix permissions if necessary +- name: Set permissions on the oidc credentials file file: - path: "{{ item }}" - state: directory - owner: "{{ main_user }}" + path: "{{ hubs_conf_dir }}/client_secrets.json" + owner: root group: "{{ main_user }}" - recurse: yes - #setype: httpd_sys_content_rw_t - with_items: - - "{{ hubs_base_dir }}" - - "{{ hubs_conf_dir }}" - - "{{ hubs_var_dir }}" + mode: 0640 -# Services -- name: Disable the system-wide fedmsg-hub - service: name=fedmsg-hub state=stopped enabled=no - -- name: Install the service files - template: - src: "{{ item }}.service" - dest: /etc/systemd/system/{{ item }}.service - with_items: - - hubs-triage@ - - hubs-worker@ - - hubs-sse - - hubs-fedmsg-hub - register: service_installed - -- name: reload systemd - command: systemctl daemon-reload - when: service_installed|changed - -- name: Start and enable the services +- name: Start and enable the common services service: name={{ item }} state=started enabled=yes with_items: - redis - - hubs-triage@1 - - hubs-triage@2 - - hubs-worker@1 - - hubs-worker@2 - - hubs-sse - - hubs-fedmsg-hub + - postfix + +# Set up, create, and populate the database. 
+- include_tasks: db-{{ hubs_db_type }}.yml -# Webserver -- import_tasks: webserver.yml +# Services +- name: Disable the system-wide fedmsg daemons + service: name={{ item }} state=stopped enabled=no + with_items: + # We use honcho in dev mode and fedmsg-hub-3 in prod mode + - fedmsg-hub + # We use honcho in dev mode and fedmsg-relay-3 in prod mode + - fedmsg-relay + + +# Include mode-specific tasks + +- include_tasks: dev.yml + when: hubs_dev_mode + +- include_tasks: prod.yml when: not hubs_dev_mode diff --git a/roles/hubs/tasks/prod.yml b/roles/hubs/tasks/prod.yml new file mode 100644 index 0000000000..31c29dff2a --- /dev/null +++ b/roles/hubs/tasks/prod.yml @@ -0,0 +1,19 @@ +- name: Install the service environment file + template: + src: env + dest: /etc/sysconfig/fedora-hubs + +- name: Start and enable the services in prod mode + service: name={{ item }} state=started enabled=yes + with_items: + - fedmsg-relay-3 + - fedmsg-hub-3 + - fedora-hubs-triage@1 + - fedora-hubs-triage@2 + - fedora-hubs-worker@1 + - fedora-hubs-worker@2 + - fedora-hubs-worker@3 + - fedora-hubs-worker@4 + - fedora-hubs-sse + +- include_tasks: webserver.yml diff --git a/roles/hubs/tasks/prod_deps.yml b/roles/hubs/tasks/prod_deps.yml new file mode 100644 index 0000000000..b078a6470f --- /dev/null +++ b/roles/hubs/tasks/prod_deps.yml @@ -0,0 +1,2 @@ +- name: Install the Fedora Hubs package + dnf: name=fedora-hubs state=present diff --git a/roles/hubs/tasks/webserver.yml b/roles/hubs/tasks/webserver.yml index 3db6d340e4..4224cd2b7f 100644 --- a/roles/hubs/tasks/webserver.yml +++ b/roles/hubs/tasks/webserver.yml 
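Review bot: The `oidc-register` task now runs as root and creates `client_secrets.json` with root's default umask, and only the separate `Set permissions on the oidc credentials file` task afterwards tightens it to 0640, so on the first run the client secret is briefly world-readable and a failure between the two tasks leaves it that way. Creating it restrictively from the start avoids the window, e.g. `shell: umask 077 && oidc-register --output-file {{ hubs_conf_dir }}/client_secrets.json https://{{ hubs_oidc_url }}/ {{ hubs_url }}` with the same `creates:` guard, after which the permission task only has to set the group. The prod.yml and prod_deps.yml hunks on this line look consistent with the rest of the restructuring.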
@@ -3,25 +3,26 @@ - name: Install the webserver packages dnf: name={{ item }} state=present with_items: - - python-gunicorn + - python3-gunicorn - nginx - libsemanage-python -- name: Gunicorn logging configuration - copy: - src: logging.ini - dest: "{{ hubs_conf_dir }}/logging.ini" - owner: "{{ main_user }}" - group: "{{ main_user }}" +- name: install python3-certbot-nginx + dnf: name=python3-certbot-nginx state=present + +- name: get the letsencrypt cert + command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ ansible_fqdn }} --agree-tos --email admin@fedoraproject.org + args: + creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem notify: - - restart hubs webapp + - restart nginx - name: Nginx configuration for hubs template: src: nginx.conf - dest: /etc/nginx/conf.d/hubs.conf + dest: /etc/nginx/conf.d/fedora-hubs.conf notify: - restart nginx @@ -37,17 +38,6 @@ - restart nginx -- name: install python2-certbot-nginx - dnf: name=python2-certbot-nginx state=present - -- name: get the letencrypt cert - command: certbot certonly -n --nginx -d {{ ansible_fqdn }} --agree-tos --email admin@fedoraproject.org - args: - creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem - notify: - - restart nginx - - - name: Nginx proxy configuration copy: src: "{{ item }}" @@ -66,22 +56,8 @@ persistent: yes -- name: Install the service files - template: - src: "{{ item }}.service" - dest: /etc/systemd/system/{{ item }}.service - with_items: - - hubs-webapp - register: service_installed - - -- name: reload systemd - command: systemctl daemon-reload - when: service_installed|changed - - - name: Start and enable the services service: name={{ item }} state=started enabled=yes with_items: - - hubs-webapp + - fedora-hubs-webapp - nginx diff --git a/roles/hubs/templates/bashrc b/roles/hubs/templates/bashrc index 89027290a4..eaaf5d4c49 100644 --- a/roles/hubs/templates/bashrc +++ b/roles/hubs/templates/bashrc 
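Review bot: The `Gunicorn logging configuration` task that copied `logging.ini` into `{{ hubs_conf_dir }}` is removed here, yet the new service environment file (`roles/hubs/templates/env`, elsewhere in this diff) still exports `LOGGING_CONFIG={{ hubs_conf_dir }}/logging.ini`; unless the `fedora-hubs` package installs that file, the webapp service starts with a dangling logging path. Either keep the copy task or document the new source, e.g. `# logging.ini is shipped by the fedora-hubs package`. The switch to `certbot certonly --standalone` with `--pre-hook "systemctl stop nginx"` also records those hooks in the renewal configuration, so every renewal will stop nginx briefly; since the nginx site is installed right after this task, the `--nginx` or webroot authenticator would avoid that outage, and if standalone was chosen deliberately a comment saying why would help.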
@@ -5,6 +5,9 @@ if [ -f /etc/bashrc ]; then . /etc/bashrc fi +alias vi=vim + + # Uncomment the following line if you don't like systemctl's auto-paging feature: # export SYSTEMD_PAGER= @@ -13,24 +16,22 @@ fi # by defining a variable with name __help containing the help text -export HUBS_CONFIG={{ hubs_conf_dir }}/hubs_config.py +# Honcho has issues outputing UTF-8 in Vagrant SSH +# https://github.com/nickstenning/honcho/issues/51 +export PYTHONIOENCODING=utf-8 + +export HUBS_CONFIG={{ hubs_conf_dir }}/hubs.py export FLASK_APP={{ hubs_code_dir }}/hubs/app.py workon() { [ "$1" == "hubs" ] || ( echo "No such virtualenv."; exit 1 ) - source {{ hubs_venv_dir }}/bin/activate cd {{ hubs_code_dir }} } -hup() { - source {{ hubs_venv_dir }}/bin/activate - pushd {{ hubs_code_dir }} - FLASK_DEBUG=1 flask run --host 0.0.0.0 --port 5000 -} +alias hup="pushd ~ ; honcho start ; popd" hreset() { - source {{ hubs_venv_dir }}/bin/activate {% if hubs_db_type == "postgresql" %} sudo -u postgres dropdb hubs sudo -u postgres createdb -O hubs hubs @@ -39,7 +40,6 @@ hreset() { {% endif %} rm {{ hubs_var_dir }}/cache.db pushd {{ hubs_code_dir }} - python populate.py + python3 populate.py popd - deactivate } diff --git a/roles/hubs/templates/env b/roles/hubs/templates/env new file mode 100644 index 0000000000..e3c748125f --- /dev/null +++ b/roles/hubs/templates/env @@ -0,0 +1,2 @@ +HUBS_CONFIG={{ hubs_conf_dir }}/hubs.py +LOGGING_CONFIG={{ hubs_conf_dir }}/logging.ini diff --git a/roles/hubs/templates/fedmsg_config b/roles/hubs/templates/fedmsg_config index 064401878d..a5562dd8d1 100644 --- a/roles/hubs/templates/fedmsg_config +++ b/roles/hubs/templates/fedmsg_config 
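Review bot: The new `hup` alias runs `honcho start` from `~`, while dev.yml installs the Procfile and `.env` into `{{ hubs_base_dir }}`; unless `hubs_base_dir` happens to be the user's home directory, honcho will not find a Procfile. Pointing the alias at the base directory explicitly, `alias hup="pushd {{ hubs_base_dir }} ; honcho start ; popd"`, removes the dependency on where the home directory lives. The env and honcho-* templates on this line carry only paths, not secrets, so their default file modes are fine.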
@@ -16,14 +16,14 @@ config = { }, }, - # Fedmsg hub consumer - 'hubs.consumer.enabled': True, - 'hubs.redis.triage-queue-name': 'fedora-hubs-triage-queue', - - # FAS + {% if hubs_fas_username and hubs_fas_password %} + # FAS credentials 'fas_credentials': { - 'username': '{{ fedoraDummyUser }}', - 'password': '{{ fedoraDummyUserPassword }}', + 'username': '{{ hubs_fas_username }}', + 'password': '{{ hubs_fas_password }}', }, -} + {% endif %} + # Use fedmsg-relay to publish messages + 'active': True, +} diff --git a/roles/hubs/templates/honcho-env b/roles/hubs/templates/honcho-env new file mode 100644 index 0000000000..a9d806fdd7 --- /dev/null +++ b/roles/hubs/templates/honcho-env @@ -0,0 +1,3 @@ +FLASK_DEBUG=1 +FLASK_APP={{ hubs_code_dir }}/hubs/app.py +HUBS_CONFIG={{ hubs_conf_dir }}/hubs.py diff --git a/roles/hubs/templates/honcho-procfile b/roles/hubs/templates/honcho-procfile new file mode 100644 index 0000000000..893a514f66 --- /dev/null +++ b/roles/hubs/templates/honcho-procfile @@ -0,0 +1,7 @@ +web: /usr/bin/flask-3 run --host 0.0.0.0 --port 5000 +triage: fedora-hubs-triage +worker: fedora-hubs-worker +sse: /usr/bin/twistd-3 -l - --pidfile= -n hubs-sse +fedmsg_hub: /usr/bin/fedmsg-hub-3 +fedmsg_relay: /usr/bin/fedmsg-relay-3 +js_build: cd {{ hubs_code_dir }}/hubs/static/client && npm run dev diff --git a/roles/hubs/templates/hubs-fedmsg-hub.service b/roles/hubs/templates/hubs-fedmsg-hub.service deleted file mode 100644 index ca56996ca5..0000000000 --- a/roles/hubs/templates/hubs-fedmsg-hub.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=Hubs-specific fedmsg processing hub -After=network.target -Documentation=https://fedmsg.readthedocs.org/ - -[Service] -ExecStart={{ hubs_venv_dir }}/bin/python /usr/bin/fedmsg-hub -Type=simple -User=fedmsg -Group=fedmsg -Restart=on-failure - -[Install] -WantedBy=multi-user.target 
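Review bot: `fas_credentials` now renders `hubs_fas_password` into `/etc/fedmsg.d/fedora-hubs.py`, but the task that installs this template (`Add a basic fedmsg configuration file` in tasks/main.yml) sets no `owner`/`group`/`mode`, so the file gets the default 0644 and is world-readable — unlike the hubs config, which the same commit tightens to `root:{{ main_user }}` 0640. Add the same three lines to that template task, `owner: root`, `mode: 0640`, and a `group:` set to whichever account `fedmsg-hub-3` runs as (the removed unit file used `User=fedmsg`, so that is worth verifying). The indented `{% if %}` / `{% endif %}` lines leave blank indented lines inside the rendered dict literal; harmless in Python, but dedenting them keeps the output tidy.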
diff --git a/roles/hubs/templates/hubs-sse.service b/roles/hubs/templates/hubs-sse.service deleted file mode 100644 index 5ff68a2522..0000000000 --- a/roles/hubs/templates/hubs-sse.service +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=fedora-hubs SSE server -After=network.target -Documentation=https://pagure.io/fedora-hubs/ - -[Service] -ExecStart= \ - {{ hubs_venv_dir }}/bin/python \ - /usr/bin/twistd -l - --pidfile= \ - -ny {{ hubs_code_dir }}/hubs/backend/sse_server.tac -Environment=HUBS_CONFIG={{ hubs_conf_dir }}/hubs_config.py -Type=simple -User={{ main_user }} -Group={{ main_user }} -Restart=on-failure - -[Install] -WantedBy=multi-user.target diff --git a/roles/hubs/templates/hubs-triage@.service b/roles/hubs/templates/hubs-triage@.service deleted file mode 100644 index 06ccacc05d..0000000000 --- a/roles/hubs/templates/hubs-triage@.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=fedora-hubs triage worker #%i -After=network.target -Documentation=https://pagure.io/fedora-hubs/ - -[Service] -ExecStart={{ hubs_venv_dir }}/bin/fedora-hubs-triage -Environment=HUBS_CONFIG={{ hubs_conf_dir }}/hubs_config.py -Type=simple -User={{ main_user }} -Group={{ main_user }} -Restart=on-failure - -[Install] -WantedBy=multi-user.target diff --git a/roles/hubs/templates/hubs-webapp.service b/roles/hubs/templates/hubs-webapp.service deleted file mode 100644 index 59586d35b4..0000000000 --- a/roles/hubs/templates/hubs-webapp.service +++ /dev/null 
@@ -1,20 +0,0 @@ -[Unit] -Description=fedora-hubs frontend webapp -After=network.target -Documentation=https://pagure.io/fedora-hubs/ - -[Service] -ExecStart= \ - {{ hubs_venv_dir }}/bin/python \ - /usr/bin/gunicorn -b 127.0.0.1:8000 --threads 12 \ - --log-config {{ hubs_conf_dir }}/logging.ini \ - {% if hubs_dev_mode %}--reload{% endif %} \ - hubs.app:app -Environment=HUBS_CONFIG={{ hubs_conf_dir }}/hubs_config.py -Type=simple -User={{ main_user }} -Group={{ main_user }} -Restart=on-failure - -[Install] -WantedBy=multi-user.target diff --git a/roles/hubs/templates/hubs-worker@.service b/roles/hubs/templates/hubs-worker@.service deleted file mode 100644 index 8f597f15b7..0000000000 --- a/roles/hubs/templates/hubs-worker@.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=fedora-hubs cache worker #%i -After=network.target -Documentation=https://pagure.io/fedora-hubs/ - -[Service] -ExecStart={{ hubs_venv_dir }}/bin/fedora-hubs-worker -Environment=HUBS_CONFIG={{ hubs_conf_dir }}/hubs_config.py -Type=simple -User={{ main_user }} -Group={{ main_user }} -Restart=on-failure - -[Install] -WantedBy=multi-user.target diff --git a/roles/hubs/templates/nginx.conf b/roles/hubs/templates/nginx.conf index aa34310d32..853ba747e0 100644 --- a/roles/hubs/templates/nginx.conf +++ b/roles/hubs/templates/nginx.conf @@ -34,14 +34,16 @@ server { include ssl_params; keepalive_timeout 5; - # path for static files - root {{ hubs_code_dir }}/hubs/static; - location / { # checks for static file, if not found proxy to app try_files $uri @proxy_to_app; } + # path for static files + location /static { + alias /usr/lib/python3.6/site-packages/hubs/static; + } + location /sse/ { include proxy_params; proxy_pass http://hubs-sse/; diff --git a/roles/infinote/templates/infinote.fedoraproject.org.conf b/roles/infinote/templates/infinote.fedoraproject.org.conf index da6f179302..c09cd3016d 100644 --- a/roles/infinote/templates/infinote.fedoraproject.org.conf 
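Review bot: The new `location /static { alias /usr/lib/python3.6/site-packages/hubs/static; }` hard-codes the interpreter version, so the next Python bump silently turns every static asset into a 404; the same path is hard-coded in the `creates:` guard in dev.yml. Computing it once in the role (a variable along the lines of `hubs_static_dir`, name constructed here) and using `alias {{ hubs_static_dir }};` keeps the two in step. Also prefer the matched-slash form `location /static/ { alias /usr/lib/python3.6/site-packages/hubs/static/; }` — mismatched trailing slashes between `location` and `alias` are the classic nginx misconfiguration that can expose the parent directory, and pairing them is the safe idiom even where the current pair is not exploitable.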
+++ b/roles/infinote/templates/infinote.fedoraproject.org.conf @@ -75,7 +75,7 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" SSLCertificateKeyFile /etc/pki/tls/private/infinote.fedoraproject.org.key SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" SSLHonorCipherOrder On diff --git a/roles/ipsilon/files/oidc_scopes/freshmaker.py b/roles/ipsilon/files/oidc_scopes/freshmaker.py new file mode 100644 index 0000000000..ac1b44fef7 --- /dev/null +++ b/roles/ipsilon/files/oidc_scopes/freshmaker.py @@ -0,0 +1,14 @@ +from __future__ import absolute_import + +from ipsilon.providers.openidc.plugins.common import OpenidCExtensionBase + + +class OpenidCExtension(OpenidCExtensionBase): + name = 'freshmaker' + display_name = 'Freshmaker Rebuilds' + scopes = { + 'https://pagure.io/freshmaker/submit-build': { + 'display_name': 'Permission to submit manual triggers of rebuilds', + 'claims': [], + }, + } diff --git a/roles/ipsilon/files/oidc_scopes/src.py b/roles/ipsilon/files/oidc_scopes/src.py new file mode 100644 index 0000000000..eed4eaca4f --- /dev/null +++ b/roles/ipsilon/files/oidc_scopes/src.py @@ -0,0 +1,14 @@ +from __future__ import absolute_import + +from ipsilon.providers.openidc.plugins.common import OpenidCExtensionBase + + +class OpenidCExtension(OpenidCExtensionBase): + name = 'src' + display_name = 'Dist-Git' + scopes = { + 'https://src.fedoraproject.org/push': { + 'display_name': 'Push to Fedora Dist-Git', + 'claims': [], + }, + } diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index eefec73036..0aeb5d8805 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -48,6 +48,8 @@ - waiverdb - odcs - wiki + - freshmaker + - src notify: - reload apache tags: 
diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf index 3cc50dbc29..fd41a8d732 100644 --- a/roles/ipsilon/templates/configuration.conf +++ b/roles/ipsilon/templates/configuration.conf @@ -23,9 +23,9 @@ global enabled=allow global enabled=persona,openid,saml2,openidc {% if env == "production" %} -openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki +openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,freshmaker,src {% else %} -openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki +openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,freshmaker,src {% endif %} {% if env == 'staging' %} diff --git a/roles/keyserver/templates/sks.conf b/roles/keyserver/templates/sks.conf index a64adf5a7a..14ebe838fb 100644 --- a/roles/keyserver/templates/sks.conf +++ b/roles/keyserver/templates/sks.conf @@ -49,14 +49,14 @@ NameVirtualHost *:443 RewriteCond %{HTTPS} off RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE] - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" ServerAdmin sysadmin-keys-members@fedoraproject.org ServerName keys.fedoraproject.org ServerAlias keys02.fedoraproject.org - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" SSLEngine on SSLCertificateFile /etc/letsencrypt/live/keys.fedoraproject.org/cert.pem diff --git a/roles/keytab/service/tasks/main.yml b/roles/keytab/service/tasks/main.yml index a98c89604f..6ccc61e703 100644 --- a/roles/keytab/service/tasks/main.yml +++ b/roles/keytab/service/tasks/main.yml 
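Review bot: Both branches of `{% if env == "production" %}` now render the identical `openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,freshmaker,src` line, so the conditional is dead; collapsing it to the single line removes the chance of the two lists drifting apart the next time an extension is added to only one branch. The list must also stay in step with the `with_items` in ipsilon/tasks/main.yml on the previous line, which this commit does keep consistent.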
@@ -149,7 +149,7 @@ - krb5 - name: Set keytab permissions - file: path={{kt_location}} owner={{owner_user}} group={{owner_group}} mode=0600 state=file + file: path={{kt_location}} owner={{owner_user}} group={{owner_group}} mode=0640 state=file tags: - keytab - config diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 2cc469a234..038e3efb17 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -287,3 +287,10 @@ tags: - koji_builder when: env == "staging" + +# https://pagure.io/fedora-infrastructure/issue/6636 +- name: install libkcapi to get increased sockets on armv7 + dnf: name=libkcapi enablerepo=updates-testing state=present + tags: + - koji_builder + when: ansible_architecture == 'armv7l' diff --git a/roles/kojipkgs/templates/kojipkgs.conf b/roles/kojipkgs/templates/kojipkgs.conf index 434d9adf8a..57f62bdd2c 100644 --- a/roles/kojipkgs/templates/kojipkgs.conf +++ b/roles/kojipkgs/templates/kojipkgs.conf @@ -129,4 +129,4 @@ RewriteCond %{HTTP:X-Forwarded-For} !10.5.125.71 RewriteRule ".*/.*openh264.*.(x86_64|armv7hl|i686|ppc64|ppc64le|aarch64|s390x).rpm$" "https://fedoraproject.org/wiki/non-distributable-rpms" [R=302,L] # Set HSTS header via HTTP since it cannot be easily set in squid, which terminates HTTPS -Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" +Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" diff --git a/roles/koschei/backend/files/koschei-track-group b/roles/koschei/backend/files/koschei-track-group new file mode 100755 index 0000000000..3961b662ab --- /dev/null +++ b/roles/koschei/backend/files/koschei-track-group 
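Review bot: Changing the keytab from `mode=0600` to `mode=0640` lets every member of `{{owner_group}}` read the service's long-term Kerberos keys, which is equivalent to holding the principal's password, and the hunk gives no hint which consumer needs group read. Add a comment above the task stating the reason and the expected group, e.g. `# 0640: the service runs as group {{owner_group}} and must read its keytab`, and make sure callers of this role never pass a broad group such as `users` or `wheel` here. The enclosing task list continues outside the hunk.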
@@ -0,0 +1,8 @@ +#!/bin/sh +# Mark all packages in global group as tracked +# Usage: koschei-track-group + +set -e +test -n "$1" + +exec koschei-admin psql <<<"UPDATE package SET tracked = TRUE WHERE id IN (SELECT p.id FROM package p JOIN package_group_relation pgr ON p.base_id = pgr.base_id JOIN package_group g ON g.id = pgr.group_id WHERE NOT p.tracked AND g.name = '$1' AND g.namespace IS NULL)" diff --git a/roles/koschei/backend/tasks/main.yml b/roles/koschei/backend/tasks/main.yml index ce9b44744d..39d9e3cc66 100644 --- a/roles/koschei/backend/tasks/main.yml +++ b/roles/koschei/backend/tasks/main.yml @@ -56,7 +56,6 @@ src=systemd-environment.conf.j2 dest=/etc/systemd/system/{{ item }}.service.d/environment.conf with_items: "{{ koschei_backend_services }}" - when: env == 'staging' notify: - reload systemd - restart koschei backend services @@ -75,6 +74,7 @@ with_items: - config-admin.cfg - config-backend.cfg + - copr-config notify: - restart koschei backend services tags: @@ -90,8 +90,6 @@ - config - fedmsgdconfig -# TODO install copr config, /etc/koschei/copr-config - - name: install koji client config file template: > src="koji.conf.j2" @@ -122,6 +120,7 @@ - koschei-refresh-group - koschei-refresh-distgit-group - koschei-refresh-module + - koschei-track-group tags: - koschei - config diff --git a/roles/koschei/backend/templates/config-backend.cfg.j2 b/roles/koschei/backend/templates/config-backend.cfg.j2 index e34c230d66..aeedd14005 100644 --- a/roles/koschei/backend/templates/config-backend.cfg.j2 +++ b/roles/koschei/backend/templates/config-backend.cfg.j2 
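Review bot: The script splices `$1` unescaped into a SQL string (`g.name = '$1'`), so a group name containing a single quote breaks the statement or alters its meaning; today the argument comes from a cron template, so this is a robustness concern more than an exposure, but it should still be constrained before use, e.g. `case "$1" in ''|*[!A-Za-z0-9_.+-]*) echo "invalid group name" >&2; exit 1;; esac` in place of the bare `test -n "$1"`. The here-string `<<<` is also a bash feature while the shebang is `#!/bin/sh`; either switch to `#!/bin/bash` or feed the query with `printf '%s\n' "UPDATE ..." | exec koschei-admin psql` so the script is valid under a POSIX shell. The backend tasks/main.yml hunks on this line (dropping the staging-only guard, adding `copr-config` and `koschei-track-group`) look consistent with the new script.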
@@ -14,18 +14,7 @@ config = { "server": "https://{{ koschei_koji_hub }}/kojihub", "weburl": "https://{{ koschei_koji_web }}/koji", "topurl": "https://{{ koschei_kojipkgs }}", - {% if env == 'staging' %} "login_method": "gssapi_login", - {% else %} - "login_method": "krb_login", - "login_args": { - "keytab": "/etc/krb5.koschei_{{ inventory_hostname }}.keytab", - "principal": "koschei/{{ inventory_hostname }}@{{ ipa_realm }}", - }, - "session_opts": { - "krb_rdns": False, - }, - {% endif %} {% if env == 'staging' %} "max_builds": 16, "build_arches": ['x86_64'], @@ -74,7 +63,8 @@ config = { "logging": { "loggers": { "": { - "handlers": ["stderr", "email"], + # "handlers": ["stderr", "email"], + "handlers": ["stderr"], }, "fedmsg": { "level": "ERROR", @@ -113,7 +103,6 @@ config = { "expiration_time": None, "arguments": { "url": "memcached01", - "distributed_lock": True, }, }, }, diff --git a/roles/koschei/backend/templates/copr-config.j2 b/roles/koschei/backend/templates/copr-config.j2 new file mode 100644 index 0000000000..f5489af5fa --- /dev/null +++ b/roles/koschei/backend/templates/copr-config.j2 @@ -0,0 +1,5 @@ +[copr-cli] +login = {{ koschei_copr_login }} +username = koschei +token = {{ koschei_copr_token }} +copr_url = {{ koschei_copr_url }} diff --git a/roles/koschei/backend/templates/cron-refresh-groups.j2 b/roles/koschei/backend/templates/cron-refresh-groups.j2 index a8cd97020d..ff931f32b8 100644 --- a/roles/koschei/backend/templates/cron-refresh-groups.j2 +++ b/roles/koschei/backend/templates/cron-refresh-groups.j2 
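Review bot: The new `copr-config.j2` renders `koschei_copr_token`, a credential granting Copr API access as the koschei user, but the task installing it (backend/tasks/main.yml on the previous line) only appends `copr-config` to an existing `with_items`, and the task header with owner/mode is outside that hunk; please confirm that template task sets a restrictive mode (0640 or tighter, owned by the backend service user) rather than the 0644 default. In config-backend.cfg.j2 the commented-out `# "handlers": ["stderr", "email"],` line is dead code inside a template — a one-line `# email handler disabled: <reason>` comment explains more than the leftover does; the same applies to the identical change in config-frontend.cfg.j2 later in this diff.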
@@ -1,8 +1,10 @@ SHELL=/bin/bash MAILTO=sysadmin-koschei-members@fedoraproject.org 0 0-23/3 * * * koschei /usr/local/bin/koschei-refresh-group php 'php*' -{%- if env != 'stg' %}{# rust packages are not synced on stg yet #} + +{% if env != 'stg' %}{# rust packages are not synced on stg yet #} 5 0-23/3 * * * koschei /usr/local/bin/koschei-refresh-distgit-group rust-sig rust-sig +15 0-23/3 * * * koschei /usr/local/bin/koschei-track-group rust-sig {%- endif %} # I'd use dnf clean, but it leaves stuff behind diff --git a/roles/koschei/backend/templates/koji.conf.j2 b/roles/koschei/backend/templates/koji.conf.j2 index efaa5f37ad..b12fe932bd 100644 --- a/roles/koschei/backend/templates/koji.conf.j2 +++ b/roles/koschei/backend/templates/koji.conf.j2 @@ -1,11 +1,7 @@ [koji] -server = http://{{ koschei_koji_hub }}/kojihub -topurl = http://{{ koschei_kojipkgs }} -weburl = http://{{ koschei_koji_web }}/koji +server = https://{{ koschei_koji_hub }}/kojihub +topurl = https://{{ koschei_kojipkgs }} +weburl = https://{{ koschei_koji_web }}/koji topdir = /mnt/koji authtype = kerberos krbservice = host -principal = koschei/{{ inventory_hostname }}@{{ ipa_realm }} -keytab = /etc/krb5.koschei_{{ inventory_hostname }}.keytab -ccache = /tmp/koschei-koji-krb-ccache -krb_rdns = False diff --git a/roles/koschei/common/tasks/main.yml b/roles/koschei/common/tasks/main.yml index a9d7cdc82d..94cfb6d267 100644 --- a/roles/koschei/common/tasks/main.yml +++ b/roles/koschei/common/tasks/main.yml @@ -1,14 +1,4 @@ --- -# FIXME workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1513704 -# See also: https://pagure.io/fedora-infrastructure/issue/6540 -- name: Put SELinux in permissive mode - selinux: state=permissive policy=targeted - when: ansible_distribution_major_version|int > 26 - tags: - - koschei - - config - - selinux - - name: Add koschei copr dev repo on stg when: env == "staging" template: src=copr.repo.j2 dest=/etc/yum.repos.d/copr.repo 
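Review bot: The cron template guards the rust jobs with `{% if env != 'stg' %}`, but every other file in this role compares the same variable against `'staging'` (`when: env == "staging"` in common/tasks/main.yml, `{% if env == 'staging' %}` in config-backend.cfg.j2), so the guard is presumably always true and both the `koschei-refresh-distgit-group rust-sig` line and the new `koschei-track-group rust-sig` line would run on staging despite the comment that rust packages are not synced there. Change it to `{% if env != 'staging' %}`; the trailing `{%- endif %}` can stay as it only strips the preceding newline.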
@@ -18,20 +8,10 @@ - packages - yumrepos -- name: Install common packages (Fedora >= 27) +- name: Install common packages package: name={{ item }} state=present with_items: - python3-memcached - when: ansible_distribution_major_version|int > 26 - tags: - - koschei - - packages - -- name: Install common packages (not Fedora or Fedora <= 26) - package: name={{ item }} state=present - with_items: - - python-memcached - when: ansible_distribution_major_version|int < 27 tags: - koschei - packages diff --git a/roles/koschei/common/templates/copr.repo.j2 b/roles/koschei/common/templates/copr.repo.j2 index a614a7ddb2..fccacb922f 100644 --- a/roles/koschei/common/templates/copr.repo.j2 +++ b/roles/koschei/common/templates/copr.repo.j2 @@ -1,10 +1,6 @@ [msimacek-koschei] name=Copr repo for koschei owned by msimacek -{% if is_fedora is defined %} baseurl=https://copr-be.cloud.fedoraproject.org/results/msimacek/koschei/fedora-$releasever-$basearch/ -{% else %} -baseurl=https://copr-be.cloud.fedoraproject.org/results/msimacek/koschei/epel-7-$basearch/ -{% endif %} skip_if_unavailable=True gpgcheck=1 gpgkey=https://copr-be.cloud.fedoraproject.org/results/msimacek/koschei/pubkey.gpg diff --git a/roles/koschei/frontend/tasks/main.yml b/roles/koschei/frontend/tasks/main.yml index dc8f201c00..7427e7e5b1 100644 --- a/roles/koschei/frontend/tasks/main.yml +++ b/roles/koschei/frontend/tasks/main.yml @@ -4,7 +4,7 @@ - koschei-frontend - koschei-frontend-fedora - koschei-frontend-copr - - "{{ 'mod_auth_openidc' if env == 'staging' else 'mod_auth_openid' }}" + - mod_auth_openidc tags: - koschei - packages @@ -40,6 +40,7 @@ - httpd_can_network_connect - httpd_can_network_connect_db - httpd_can_network_memcache + - httpd_execmem notify: - reload httpd tags: diff --git a/roles/koschei/frontend/templates/config-frontend.cfg.j2 b/roles/koschei/frontend/templates/config-frontend.cfg.j2 index dd18b0005c..d5ab5612d6 100644 --- a/roles/koschei/frontend/templates/config-frontend.cfg.j2 
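Review bot: Deleting the `Put SELinux in permissive mode` task does not put already-configured hosts back into enforcing mode; the removed task used the `selinux` module with `state=permissive`, which persists in /etc/selinux/config, so existing koschei hosts stay permissive until something sets it back. Add a replacement task, `selinux: state=enforcing policy=targeted` with the same tags, at least until every host has been run once, and verify with `getenforce`. The task list continues outside this hunk.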
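Review bot: `httpd_execmem` lets httpd and everything loaded into it map writable-and-executable memory, which removes a real exploit mitigation for the whole web server, and the hunk adds it with no indication of which component needs it. Put the reason next to the item, e.g. `- httpd_execmem  # needed by <module/package>; remove once no longer required`, so it can be revisited; if it was added for mod_auth_openidc or a Python module, say so. If the underlying denial is not reproducible, leaving the boolean off is the safer default.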
+++ b/roles/koschei/frontend/templates/config-frontend.cfg.j2 @@ -21,7 +21,8 @@ config = { "loggers": { "": { "level": "INFO", - "handlers": ["stderr", "email"], + # "handlers": ["stderr", "email"], + "handlers": ["stderr"], }, "requests": { "level": "WARN", @@ -47,10 +48,9 @@ config = { "pagure": { "users": { "backend": "dogpile.cache.memcached", - "expiration_time": 300, + "expiration_time": 21600, # 6 hours "arguments": { "url": "memcached01:11211", - "distributed_lock": True, }, }, }, @@ -61,20 +61,13 @@ config = { "frontend": { "builds_per_page": 8, "auth": { - {% if env == 'staging' %} "user_re": "(.+)", "user_env": "OIDC_CLAIM_nickname", - {% else %} - "user_re": "http://(.+)\\.id{{ env_prefix }}\\.fedoraproject\\.org/", - {% endif %} }, "fedora_assets_url": "/global", "fedmenu_url": "/fedmenu", "fedmenu_data_url": "/js/data.js", }, - "openid": { - "openid_provider": "{{ koschei_openid_provider }}", - }, "links": [ {"name": "Packages", "url": "https://apps{{ env_prefix }}.fedoraproject.org/packages/{package.name}"}, diff --git a/roles/koschei/frontend/templates/httpd.conf.j2 b/roles/koschei/frontend/templates/httpd.conf.j2 index 67032217b4..1dd652c575 100644 --- a/roles/koschei/frontend/templates/httpd.conf.j2 +++ b/roles/koschei/frontend/templates/httpd.conf.j2 @@ -16,17 +16,11 @@ Require all granted -{% if env == 'staging' %} OIDCRedirectURI "{{ koschei_topurl }}/login/redirect_uri" - OIDCProviderMetadataURL "https://{{ koschei_openid_provider }}/openidc/wellknown_openid_configuration" + OIDCProviderMetadataURL "https://{{ koschei_oidc_provider }}/openidc/wellknown_openid_configuration" OIDCClientID "koschei" - {% if env == 'staging' %} - OIDCClientSecret "{{ koschei_oidc_client_secret_stg }}" - OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret_stg }}" - {% else %} OIDCClientSecret "{{ koschei_oidc_client_secret }}" OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret }}" - {% endif %} OIDCSSLValidateServer On OIDCResponseType "code" 
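Review bot: Raising the pagure `users` cache `expiration_time` from 300 to 21600 means a user removed from (or added to) a pagure group keeps the old group set in the frontend for up to six hours, since the entry is only refreshed on expiry; if group membership feeds any authorization decision here, that is the revocation window. If the longer TTL is for load reasons, record it, e.g. `"expiration_time": 21600,  # 6 hours; group changes take up to this long to apply`, and consider something shorter like 3600. The `distributed_lock` removal is unexplained as well; a note on why it was dropped would help.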
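Review bot: `"user_re": "(.+)"` accepts whatever `OIDC_CLAIM_nickname` carries, and `nickname` is not guaranteed unique or stable by the OIDC spec; the provider presumably keeps it unique here, but nothing in the hunk says so. A comment such as `# nickname is the FAS username; relies on the provider keeping it unique and stable` documents the assumption, and if the provider exposes `preferred_username` or `sub`, those are the safer identifiers. The `config` dict continues outside this hunk.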
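Review bot: Collapsing the `_stg` variants into `koschei_oidc_client_secret` and `koschei_oidc_crypto_secret` means staging and production now read the same variable names, so unless the inventory defines them per group or host, both deployments share one OIDC client secret and cookie passphrase and a compromise of the staging box exposes the production credential. Confirm the vars are scoped per environment, or keep distinct names, e.g. `OIDCClientSecret "{{ koschei_oidc_client_secret_stg if env == 'staging' else koschei_oidc_client_secret }}"`. The enclosing container block continues outside this hunk.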
@@ -36,14 +30,4 @@ AuthType openid-connect Require valid-user -{% else %} - - Require valid-user - AuthType OpenID - AuthOpenIDSingleIdP https://{{ koschei_openid_provider }}/ - AuthOpenIDServerName https://apps.fedoraproject.org - AuthOpenIDTrustRoot https://apps.fedoraproject.org/koschei/ - AuthOpenIDUseCookie off - -{% endif %} diff --git a/roles/mbs/common/templates/config.py b/roles/mbs/common/templates/config.py index a57a6351b1..97a909739e 100644 --- a/roles/mbs/common/templates/config.py +++ b/roles/mbs/common/templates/config.py @@ -96,6 +96,7 @@ class ProdConfiguration(BaseConfiguration): 'releng', ] + REBUILD_STRATEGY = 'only-changed' REBUILD_STRATEGY_ALLOW_OVERRIDE = True {% if env == 'staging' %} diff --git a/roles/mediawiki/tasks/main.yml b/roles/mediawiki/tasks/main.yml index ac6608f629..673d872de5 100644 --- a/roles/mediawiki/tasks/main.yml +++ b/roles/mediawiki/tasks/main.yml @@ -49,6 +49,7 @@ - mediawiki-OpenIDConnect - mediawiki-OpenIDConnectAPI - php-rmccue-requests + - mediawiki-fedoradocsredirect tags: - packages - mediawiki diff --git a/roles/mediawiki/templates/LocalSettings.php.fp.j2 b/roles/mediawiki/templates/LocalSettings.php.fp.j2 index 78ffe5eab0..c815f6b97c 100644 --- a/roles/mediawiki/templates/LocalSettings.php.fp.j2 +++ b/roles/mediawiki/templates/LocalSettings.php.fp.j2 @@ -328,6 +328,7 @@ require_once "$IP/extensions/fedmsg-emit.php"; require_once "$IP/extensions/HTTP302Found/HTTP302Found.php"; require_once "$IP/extensions/RSS/RSS.php"; require_once "$IP/extensions/BassetSubmitter.php"; +require_once "$IP/extensions/FedoraDocsRedirect/FedoraDocsRedirect.php"; {% if env == "staging" %} $basset_url = 'http://basset01.stg.phx2.fedoraproject.org/basset'; diff --git a/roles/mirrormanager/mirrorlist_proxy/defaults/main.yml b/roles/mirrormanager/mirrorlist_proxy/defaults/main.yml index b845b9b98d..dc1238dd34 100644 --- a/roles/mirrormanager/mirrorlist_proxy/defaults/main.yml +++ b/roles/mirrormanager/mirrorlist_proxy/defaults/main.yml 
@@ -1 +1 @@ -mirrorlist_container_image: "candidate-registry.fedoraproject.org/f25/mirrormanager2-mirrorlist:f25-docker-candidate-20170426172654" +mirrorlist_container_image: "candidate-registry.fedoraproject.org/f27/mirrormanager2-mirrorlist:0.8.3-1" diff --git a/roles/mirrormanager/mirrorlist_proxy/files/restart-mirrorlist-containers b/roles/mirrormanager/mirrorlist_proxy/files/restart-mirrorlist-containers index fdf5385412..5ef79ccf1f 100644 --- a/roles/mirrormanager/mirrorlist_proxy/files/restart-mirrorlist-containers +++ b/roles/mirrormanager/mirrorlist_proxy/files/restart-mirrorlist-containers @@ -28,7 +28,7 @@ fi # start mirrorlist2 (old pkl and see that it's processing ok) systemctl start mirrorlist2 -echo "enable server mirror-lists/mirrorlist-local2" | nc -U /var/run/haproxy-admin >& /dev/null +echo "enable server mirror-lists-backend/mirrorlist-local2" | nc -U /var/run/haproxy-admin >& /dev/null sleep 5 curl -q -H mirrors.fedoraproject.org "http://localhost:18082/metalink?repo=rawhide&arch=x86_64" -o/dev/null -s -f --retry 50 --retry-delay 10 --retry-connrefused --retry-max-time 180 @@ -38,13 +38,13 @@ if [ $? != 0 ]; then fi # Drain mirrorlist1. This is safe since we assured that local2 is serving -echo "disable server mirror-lists/mirrorlist-local1" | nc -U /var/run/haproxy-admin >& /dev/null +echo "disable server mirror-lists-backend/mirrorlist-local1" | nc -U /var/run/haproxy-admin >& /dev/null sleep 1 # restart mirrorlist1 (new pkl and make sure it's processing ok) systemctl restart mirrorlist1 sleep 1 -echo "enable server mirror-lists/mirrorlist-local1" | nc -U /var/run/haproxy-admin >& /dev/null +echo "enable server mirror-lists-backend/mirrorlist-local1" | nc -U /var/run/haproxy-admin >& /dev/null sleep 5 curl -q -H mirrors.fedoraproject.org "http://localhost:18081/metalink?repo=rawhide&arch=x86_64" -o/dev/null -s -f --retry 50 --retry-delay 10 --retry-connrefused --retry-max-time 180 
@@ -57,7 +57,7 @@ fi cp -a /srv/mirrorlist/data/mirrorlist1/* /srv/mirrorlist/data/mirrorlist2/ # Drain mirrorlist2 -echo "disable server mirror-lists/mirrorlist-local2" | nc -U /var/run/haproxy-admin >& /dev/null +echo "disable server mirror-lists-backend/mirrorlist-local2" | nc -U /var/run/haproxy-admin >& /dev/null sleep 1 # stop mirrorlist2 @@ -65,4 +65,4 @@ systemctl stop mirrorlist2 # Now that it's stopped, we can re-enable it. That makes sure that if anything went wrong, we # still have it enabled -echo "enable server mirror-lists/mirrorlist-local2" | nc -U /var/run/haproxy-admin >& /dev/null +echo "enable server mirror-lists-backend/mirrorlist-local2" | nc -U /var/run/haproxy-admin >& /dev/null diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 9699e09549..ed0c119999 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml 
@@ -17,39 +17,13 @@ tags: - packages - nagios_client - when: ansible_distribution_major_version|int < 22 - -# install pkgs: -- name: install nagios client pkgs - dnf: name={{ item }} state=present - with_items: - - nrpe - - nagios-plugins - - nagios-plugins-disk - - nagios-plugins-file_age - - nagios-plugins-users - - nagios-plugins-procs - - nagios-plugins-swap - - nagios-plugins-load - - nagios-plugins-ping - tags: - - packages - - nagios_client - when: ansible_distribution_major_version|int > 21 - name: install nagios tcp check for mirrorlist proxies package: name=nagios-plugins-tcp state=present tags: - packages - nagios_client - when: ansible_distribution_major_version|int < 22 and 'mirrorlist-proxies' in group_names - -- name: install nagios tcp check for mirrorlist proxies - dnf: name=nagios-plugins-tcp state=present - tags: - - packages - - nagios_client - when: ansible_distribution_major_version|int > 21 and 'mirrorlist-proxies' in group_names + when: "'mailman' in group_names or 'mirrorlist-proxies' in group_names" - name: install local nrpe check scripts that are not packaged copy: src="scripts/{{ item }}" dest="{{ libdir }}/nagios/plugins/{{ item }}" mode=0755 owner=nagios group=nagios @@ -124,7 +98,6 @@ - nagios_client - selinux - # Set up our base config. - name: /etc/nagios/nrpe.cfg template: src=nrpe.cfg.j2 dest=/etc/nagios/nrpe.cfg @@ -238,6 +211,16 @@ tags: - nagios_client +- name: install nrpe checks for mailman01 + template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} + with_items: + - check_mailman_api.cfg + when: inventory_hostname.startswith('mailman01') + notify: + - restart nrpe + tags: + - nagios_client + - name: install nrpe checks for proxies template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} with_items: diff --git a/roles/nagios_client/templates/check_datanommer_history.cfg.j2 b/roles/nagios_client/templates/check_datanommer_history.cfg.j2 index 2b1c6cbbec..85bacf91af 100644 
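Review bot: The new task gates on `inventory_hostname.startswith('mailman01')`, while the package task earlier in this same file now gates on `'mailman' in group_names`, so the NRPE check is installed by a hostname prefix that silently misses a second or renamed mailman host even though the plugin is installed there. Using the same condition, `when: "'mailman' in group_names"`, keeps the two tasks in step; if only mailman01 is meant to get the check, a comment on the task saying why would avoid the question next time.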
--- a/roles/nagios_client/templates/check_datanommer_history.cfg.j2 +++ b/roles/nagios_client/templates/check_datanommer_history.cfg.j2 @@ -41,6 +41,8 @@ command[check_datanommer_faf]={{libdir}}/nagios/plugins/check_datanommer_timesin command[check_datanommer_koschei]={{libdir}}/nagios/plugins/check_datanommer_timesince.py koschei 86400 604800 command[check_datanommer_autocloud]={{libdir}}/nagios/plugins/check_datanommer_timesince.py autocloud 259200 1814400 command[check_datanommer_twoweekatomic]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py org.fedoraproject.prod.releng.atomic.twoweek.complete 1296000 1382400 +command[check_datanommer_mdapi]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py mdapi 14400 86400 +command[check_datanommer_greenwave]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py greenwave 14400 86400 # This one is retired since it times out all the time. Too few messages. #command[check_datanommer_nuancier]={{libdir}}/nagios/plugins/check_datanommer_timesince.py nuancier 23652000 31536000 diff --git a/roles/nagios_client/templates/check_mailman_api.cfg.j2 b/roles/nagios_client/templates/check_mailman_api.cfg.j2 new file mode 100644 index 0000000000..95213f335f --- /dev/null +++ b/roles/nagios_client/templates/check_mailman_api.cfg.j2 @@ -0,0 +1 @@ +command[check_mailman_api]=/usr/lib64/nagios/plugins/check_http -H localhost -p 8001 -u /3.0 -e 'HTTP/1.0 401 Unauthorized' diff --git a/roles/nagios_server/files/httpd/robots.txt b/roles/nagios_server/files/httpd/robots.txt new file mode 100644 index 0000000000..c6742d8a8c --- /dev/null +++ b/roles/nagios_server/files/httpd/robots.txt @@ -0,0 +1,2 @@ +User-Agent: * +Disallow: / diff --git a/roles/nagios_server/files/nagios/commands/mailman.cfg b/roles/nagios_server/files/nagios/commands/mailman.cfg new file mode 100644 index 0000000000..8d31c1b601 --- /dev/null +++ b/roles/nagios_server/files/nagios/commands/mailman.cfg 
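Review bot: The two new `command[...]` lines hard-code `/usr/lib64/nagios/plugins/` while the neighbouring koschei and autocloud entries use `{{libdir}}`, so on a host where `libdir` resolves elsewhere the mdapi and greenwave checks point at a path that may not exist. `command[check_datanommer_mdapi]={{libdir}}/nagios/plugins/check_datanommer_timesince.py mdapi 14400 86400` (and likewise for greenwave) follows the template's convention; the twoweekatomic line above already has the same inconsistency, so fixing all three together would be tidy.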
@@ -0,0 +1,29 @@ +################################################################################ +# COMMAND DEFINITIONS +# +# SYNTAX: +# +# define command{ +# template +# name +# command_name +# command_line +# } +# +# WHERE: +# +# = object name of another command definition that should be +# used as a template for this definition (optional) +# = object name of command definition, referenced by other +# command definitions that use it as a template (optional) +# = name of the command, as recognized/used by Nagios +# = command line +# +################################################################################ + +# 'check_mailman_api' +define command{ + command_name check_mailman_api + command_line $USER1$/check_http -H localhost -p 8001 -u /3.0 +} + diff --git a/roles/nagios_server/files/nagios/services/fedmsg.cfg b/roles/nagios_server/files/nagios/services/fedmsg.cfg index d7eb667e17..de71e68fd7 100644 --- a/roles/nagios_server/files/nagios/services/fedmsg.cfg +++ b/roles/nagios_server/files/nagios/services/fedmsg.cfg @@ -347,6 +347,18 @@ define service { check_command check_by_nrpe!check_datanommer_twoweekatomic use defaulttemplate } +define service { + host_name busgateway01.phx2.fedoraproject.org + service_description Check datanommer for recent mdapi messages + check_command check_by_nrpe!check_datanommer_mdapi + use defaulttemplate +} +define service { + host_name busgateway01.phx2.fedoraproject.org + service_description Check datanommer for recent greenwave messages + check_command check_by_nrpe!check_datanommer_greenwave + use defaulttemplate +} # BEGIN, check consumers and producers diff --git a/roles/nagios_server/files/nagios/services/fmn.cfg b/roles/nagios_server/files/nagios/services/fmn.cfg index 1faf0f0aa1..5df39f288b 100644 --- a/roles/nagios_server/files/nagios/services/fmn.cfg +++ b/roles/nagios_server/files/nagios/services/fmn.cfg 
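Review bot: The `check_mailman_api` command defined here runs `check_http -H localhost -p 8001` on the Nagios server itself, but the service added for mailman01 in this same change uses `check_by_nrpe!check_mailman_api`, so this definition is not what the service executes and, if it ever were, it would probe the wrong host. It also lacks the `-e 'HTTP/1.0 401 Unauthorized'` that the NRPE template carries, and by default check_http reports a 4xx as WARNING, so the 401 the Mailman REST API returns to unauthenticated callers would alert instead of passing. Either drop this file or align it: `command_line $USER1$/check_http -H localhost -p 8001 -u /3.0 -e 'HTTP/1.0 401 Unauthorized'`.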
@@ -1,7 +1,14 @@ define service { host_name notifs-backend01.phx2.fedoraproject.org - service_description Check backend queue size - check_command check_by_nrpe!check_fmn_backend_queue + service_description Check backend irc queue size + check_command check_by_nrpe!check_fmn_backend_irc_queue + use defaulttemplate +} + +define service { + host_name notifs-backend01.phx2.fedoraproject.org + service_description Check backend email queue size + check_command check_by_nrpe!check_fmn_backend_email_queue use defaulttemplate } diff --git a/roles/nagios_server/files/nagios/services/mailman.cfg b/roles/nagios_server/files/nagios/services/mailman.cfg new file mode 100644 index 0000000000..27dc5768b1 --- /dev/null +++ b/roles/nagios_server/files/nagios/services/mailman.cfg @@ -0,0 +1,7 @@ +define service { + host_name mailman01.phx2.fedoraproject.org + service_description check mailman api + check_command check_by_nrpe!check_mailman_api + max_check_attempts 5 + use defaulttemplate +} diff --git a/roles/nagios_server/files/nrpe/nrpe.cfg b/roles/nagios_server/files/nrpe/nrpe.cfg index dcec90b25e..39235b7771 100644 --- a/roles/nagios_server/files/nrpe/nrpe.cfg +++ b/roles/nagios_server/files/nrpe/nrpe.cfg @@ -344,6 +344,7 @@ command[check_koschei_repo_resolver_proc]=/usr/lib64/nagios/plugins/check_procs command[check_koschei_scheduler_proc]=/usr/lib64/nagios/plugins/check_procs -s RSD -u koschei -C koschei-schedul -c 1:1 command[check_koschei_watcher_proc]=/usr/lib64/nagios/plugins/check_procs -s RSD -u koschei -C koschei-watcher -c 1:1 command[check_mirrorlist_docker_proxy]=/usr/lib64/nagios/plugins/check_tcp -H localhost -p 18081 +command[check_mailman_api]=/usr/lib64/nagios/plugins/check_http -H localhost -p 8001 -u /3.0 command[check_odcs_backend_proc]=/usr/lib64/nagios/plugins/check_procs -c 1:1 -C 'odcs-bakend' -u odcs # The following are fedmsg/datanommer checks to be run on busgateway01. 
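Review bot: This NRPE entry omits the `-e 'HTTP/1.0 401 Unauthorized'` that the `nagios_client` template for the same check carries, so the two copies of `check_mailman_api` disagree: here the 401 the Mailman API returns without credentials is flagged as WARNING by check_http's default 4xx handling, while the template treats it as the healthy answer. Make the line match: `command[check_mailman_api]=/usr/lib64/nagios/plugins/check_http -H localhost -p 8001 -u /3.0 -e 'HTTP/1.0 401 Unauthorized'`. Matching the full `HTTP/1.0` status line is also brittle if the server answers `HTTP/1.1`; `-e '401 Unauthorized'` would be more tolerant.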
diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml index d1779248b4..a110f2aa09 100644 --- a/roles/nagios_server/tasks/main.yml +++ b/roles/nagios_server/tasks/main.yml @@ -137,6 +137,7 @@ - httpd.cfg - koji.cfg - local.cfg + - mailman.cfg - misc.cfg - notify.cfg - nrpe.cfg @@ -197,6 +198,7 @@ - koschei.cfg - locking.cfg - mail_queue.cfg + - mailman.cfg - memcached.cfg - nagios.cfg - nrpe.cfg @@ -272,6 +274,11 @@ - nagios_server +- name: Copy robots.txt + copy: src=httpd/robots.txt dest=/var/www/robots.txt + tags: + - nagios_server + ## Build template files # This one may go to being just a regular config file if we can make remote monitoring work - name: Template out the nagios httpd conf diff --git a/roles/nagios_server/templates/httpd/0_nagios-external.conf.j2 b/roles/nagios_server/templates/httpd/0_nagios-external.conf.j2 index b868f5a449..c9c3124792 100644 --- a/roles/nagios_server/templates/httpd/0_nagios-external.conf.j2 +++ b/roles/nagios_server/templates/httpd/0_nagios-external.conf.j2 @@ -9,7 +9,7 @@ SSLEngine on SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" SSLCertificateFile /etc/pki/tls/certs/noc02.fedoraproject.org.cert SSLCertificateChainFile /etc/pki/tls/certs/noc02.fedoraproject.org.intermediate.cert diff --git a/roles/nagios_server/templates/httpd/nagios.conf.j2 b/roles/nagios_server/templates/httpd/nagios.conf.j2 index c3735e898d..1287c9267a 100644 --- a/roles/nagios_server/templates/httpd/nagios.conf.j2 +++ b/roles/nagios_server/templates/httpd/nagios.conf.j2 @@ -2,6 +2,8 @@ ScriptAlias /nagios/cgi-bin/ /usr/lib64/nagios/cgi-bin/ ScriptAlias /tac.cgi /usr/lib64/nagios/cgi-bin/tac.cgi +Alias /robots.txt /var/www/robots.txt + # Set up the authorization 
@@ -16,13 +18,25 @@ ScriptAlias /tac.cgi /usr/lib64/nagios/cgi-bin/tac.cgi {% endif %} GssapiLocalName on AuthType GSSAPI - Require valid-user + + Require all granted + + + Require valid-user + Options ExecCGI + + Require valid-user + + + Require valid-user + + SetHandler server-status {% if vars['nagios_location'] == 'external' %} diff --git a/roles/nagios_server/templates/nagios/configs/cgi.cfg.j2 b/roles/nagios_server/templates/nagios/configs/cgi.cfg.j2 index dfd306c239..44c583afc5 100644 --- a/roles/nagios_server/templates/nagios/configs/cgi.cfg.j2 +++ b/roles/nagios_server/templates/nagios/configs/cgi.cfg.j2 
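Review bot: The outer scope flips from `Require valid-user` to `Require all granted`, with authentication re-applied only inside the nested blocks that follow, so anything this vhost serves that is not matched by one of those blocks is now anonymous; since the container tags (`<Location>`/`<Directory>`) are lost in this rendering, the hunk alone cannot confirm that the CGI directory and the /nagios tree are fully covered. The safer shape keeps deny-by-default and exempts only what the crawler needs: leave `Require valid-user` at the outer scope and add a `<Location /robots.txt>` block containing `Require all granted`. If the open outer scope is intentional for the external instance, a comment listing the paths meant to be public would help the next reviewer.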
@@ -173,9 +173,9 @@ authorized_for_all_hosts=* #authorized_for_all_service_commands=nagiosadmin #authorized_for_all_host_commands=nagiosadmin -authorized_for_all_service_commands=athmane,ausil,averi,badone,codeblock,dwa,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillion,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,pbrobinson,ricky,toshio,spot,mahrud,dwa,karsten,pingou,tflink,mizdebsk,msimacek,stickster +authorized_for_all_service_commands=athmane,ausil,averi,badone,codeblock,dwa,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillion,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,pbrobinson,ricky,toshio,spot,mahrud,dwa,karsten,pingou,tflink,mizdebsk,msimacek,stickster,cverna -authorized_for_all_host_commands=athmane,ausil,averi,badone,codeblock,dwa,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillion,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,pbrobinson,ricky,toshio,spot,mahrud,dwa,karsten,pingou,tflink,mizdebsk,msimacek,stickster +authorized_for_all_host_commands=athmane,ausil,averi,badone,codeblock,dwa,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillion,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,pbrobinson,ricky,toshio,spot,mahrud,dwa,karsten,pingou,tflink,mizdebsk,msimacek,stickster,cverna diff --git a/roles/nginx/templates/example_ssl.conf.2 b/roles/nginx/templates/example_ssl.conf.2 index 42bc897225..e4c3a703d2 100644 --- a/roles/nginx/templates/example_ssl.conf.2 +++ b/roles/nginx/templates/example_ssl.conf.2 
@@ -19,8 +19,8 @@ # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; # ssl_prefer_server_ciphers on; # -# # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) -# add_header Strict-Transport-Security max-age=15768000; +# # HSTS (ngx_http_headers_module is required) (31536000 seconds = 365 days) +# add_header Strict-Transport-Security max-age=31536000; # location / { # root /usr/share/nginx/html; diff --git a/roles/odcs/base/files/pungi.conf b/roles/odcs/base/files/pungi.conf index 3b01255259..8cd558e841 100644 --- a/roles/odcs/base/files/pungi.conf +++ b/roles/odcs/base/files/pungi.conf @@ -23,9 +23,13 @@ sigkeys = [None] hashed_directories = True # RUNROOT settings +{%- if config.bootable %} runroot = True runroot_tag = "f26-build" runroot_channel = "compose" +{%- else %} +runroot = False +{%- endif %} # PDC settings pdc_url = '{{ config.pdc_url }}' @@ -83,7 +87,11 @@ skip_phases = [ "ostree"] translate_paths = [ +{%- if config.koji_profile == "odcs_stg" %} + ('/mnt/koji/compose/', 'http://kojipkgs.stg.fedoraproject.org/compose/'), +{%- else %} ('/mnt/koji/compose/', 'http://kojipkgs.fedoraproject.org/compose/'), +{%- endif %} ] koji_profile = '{{ config.koji_profile }}' diff --git a/roles/odcs/base/templates/etc/odcs/raw_config_wrapper.conf.j2 b/roles/odcs/base/templates/etc/odcs/raw_config_wrapper.conf.j2 index 30bbed4058..c498c13c69 100644 --- a/roles/odcs/base/templates/etc/odcs/raw_config_wrapper.conf.j2 
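Review bot: The new staging `translate_paths` entry publishes compose URLs as plain `http://kojipkgs.stg.fedoraproject.org/compose/`, while this same change moves the koschei Koji URLs to https; anything that fetches a compose over http can have it altered in transit unless it verifies the content some other way. Use `('/mnt/koji/compose/', 'https://kojipkgs.stg.fedoraproject.org/compose/'),` if the stg host serves TLS, and note the existing prod line has the same issue. The `translate_paths` list continues outside this hunk.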
+++ b/roles/odcs/base/templates/etc/odcs/raw_config_wrapper.conf.j2 @@ -12,9 +12,12 @@ createrepo_deltas = False # In runroot, we cannot use guestmount, but have to use mount -o loop. buildinstall_use_guestmount=False +{% if env == 'staging' %} # We cannot use hardlinks on stg, because it uses different volume and copy # just takes lot of storage. -{% if env == 'staging' %} link_type = 'symlink' + +# Staging is used only for testing, so allow only x86_64 composes +tree_arches = ['x86_64'] {% endif %} diff --git a/roles/openqa/server/tasks/main.yml b/roles/openqa/server/tasks/main.yml index 676c8ebb7e..5b44bb454d 100644 --- a/roles/openqa/server/tasks/main.yml +++ b/roles/openqa/server/tasks/main.yml @@ -142,8 +142,13 @@ - /var/lib/openqa/share/factory/repo - /var/lib/openqa/share/factory/other -- name: Set up createhdds cron job - copy: src=createhdds dest=/etc/cron.daily/createhdds owner=root group=root mode=0755 +#- name: Set up createhdds cron job +# copy: src=createhdds dest=/etc/cron.daily/createhdds owner=root group=root mode=0755 + +# While #1539330 is a thing, we probably don't want the servers +# crashing every day... +- name: Remove createhdds cron job (#1539330) + file: path=/etc/cron.daily/createhdds state=absent - name: Check if any hard disk images need (re)building command: "/root/createhdds/createhdds.py check" diff --git a/roles/openqa/worker/tasks/createhdds.yml b/roles/openqa/worker/tasks/createhdds.yml index 20a637999d..44addbb6fb 100644 --- a/roles/openqa/worker/tasks/createhdds.yml +++ b/roles/openqa/worker/tasks/createhdds.yml 
@@ -39,8 +39,13 @@ repo: https://pagure.io/fedora-qa/createhdds.git dest: /root/createhdds -- name: Set up createhdds cron job - copy: src=createhdds dest=/etc/cron.daily/createhdds owner=root group=root mode=0755 +#- name: Set up createhdds cron job +# copy: src=createhdds dest=/etc/cron.daily/createhdds owner=root group=root mode=0755 + +# While #1539330 is a thing, we probably don't want these boxes +# crashing every day... +- name: Remove createhdds cron job (#1539330) + file: path=/etc/cron.daily/createhdds state=absent - name: Check if any hard disk images need (re)building command: "/root/createhdds/createhdds.py check" diff --git a/roles/openshift-apps/greenwave/templates/buildconfig.yml b/roles/openshift-apps/greenwave/templates/buildconfig.yml index 1dbc14e7cd..5717b136cf 100644 --- a/roles/openshift-apps/greenwave/templates/buildconfig.yml +++ b/roles/openshift-apps/greenwave/templates/buildconfig.yml @@ -39,7 +39,7 @@ spec: RUN chmod 777 /var/run/fedmsg/ ENV USER=openshift EXPOSE 8080 - ENTRYPOINT gunicorn --bind 0.0.0.0:8080 --access-logfile=- greenwave.wsgi:app + ENTRYPOINT gunicorn --workers 8 --bind 0.0.0.0:8080 --access-logfile=- greenwave.wsgi:app strategy: type: Docker output: diff --git a/roles/openshift-apps/greenwave/templates/configmap.yml b/roles/openshift-apps/greenwave/templates/configmap.yml index b80fbe5ba4..6f882b3573 100644 --- a/roles/openshift-apps/greenwave/templates/configmap.yml +++ b/roles/openshift-apps/greenwave/templates/configmap.yml 
@@ -111,22 +111,23 @@ data: rules: - !PassingTestCaseRule {test_case_name: dist.rpmdeplint} --- !Policy - id: "taskotron_release_critical_tasks_for_stable_with_blacklist" + id: "no_requirements_for_epel_testing" product_versions: - - fedora-27 - - fedora-26 - - fedora-25 - decision_context: bodhi_update_push_stable + - fedora-epel-7 + - fedora-epel-6 + decision_context: bodhi_update_push_testing + blacklist: [] relevance_value: koji_build - # abicheck only runs on a subset of all packages. We borrow the list from - # taskotron's ansible vars. See discussion in https://pagure.io/greenwave/issue/68 -{% if env == 'staging' %} - blacklist: [{{ hostvars[groups['taskotron-stg'][0]]['trigger_abicheck_blacklist'] | join (',') }}] -{% else %} - blacklist: [{{ hostvars[groups['taskotron-prod'][0]]['trigger_abicheck_blacklist'] | join (',') }}] -{% endif %} - rules: - - !PassingTestCaseRule {test_case_name: dist.abicheck} + rules: [] + --- !Policy + id: "no_requirements_for_epel_stable" + product_versions: + - fedora-epel-7 + - fedora-epel-6 + decision_context: bodhi_update_push_stable + blacklist: [] + relevance_value: koji_build + rules: [] --- !Policy # Fedora Atomic CI pipeline # http://fedoraproject.org/wiki/CI diff --git a/roles/openshift-apps/release-monitoring/files/buildconfig.yml b/roles/openshift-apps/release-monitoring/files/buildconfig.yml index 3fcfc8a61a..436c5d0a2e 100644 --- a/roles/openshift-apps/release-monitoring/files/buildconfig.yml +++ b/roles/openshift-apps/release-monitoring/files/buildconfig.yml 
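Review bot: Both new policies declare `rules: []`, which presumably makes every EPEL 6/7 decision pass unconditionally, and the policy they replace (dist.abicheck gating for stable pushes on fedora-25..27) disappears with no successor in this hunk, so stable gating on abicheck is silently dropped; if that is intended the commit should say so. An empty-rule policy also deserves an inline comment, e.g. `# EPEL has no automated tests wired into greenwave yet; this policy exists so bodhi gets an explicit "no requirements" answer instead of an error`, so it is not later mistaken for a misconfiguration. The YAML document list continues outside the hunk.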
@@ -49,5 +49,50 @@ items: to: kind: ImageStreamTag name: release-monitoring-web:latest +- apiVersion: v1 + kind: BuildConfig + metadata: + labels: + build: fedmsg-hub-build + name: fedmsg-hub-build + spec: + runPolicy: Serial + source: + dockerfile: |- + FROM fedora:27 + LABEL \ + name="fedmsg-hub" \ + vendor="Fedora Infrastructure" \ + license="MIT" + RUN dnf install -y \ + git \ + python3-blinker \ + python3-dateutil \ + python3-fedmsg \ + python3-flask \ + python3-flask-wtf \ + python3-flask-login \ + python3-flask-restful \ + python3-flask-openid \ + python3-gunicorn \ + python3-openid \ + python3-pip \ + python3-psycopg2 \ + python3-setuptools \ + python3-straight-plugin \ + python3-sqlalchemy \ + python3-wtforms && \ + dnf autoremove -y && \ + dnf clean all -y + RUN pip-3 install git+https://github.com/release-monitoring/anitya.git@master + ENV USER=fedmsg + ENTRYPOINT fedmsg-hub + type: Dockerfile + strategy: + type: Docker + output: + to: + kind: ImageStreamTag + name: fedmsg-hub:latest kind: List metadata: {} diff --git a/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml b/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml index cdf826edc0..ba3ad2a846 100644 --- a/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml +++ b/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml 
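Review bot: `RUN pip-3 install git+https://github.com/release-monitoring/anitya.git@master` builds the image from whatever the branch head is at build time, so the deployed consumer is not reproducible and a broken or compromised commit on master is pulled in on the next rebuild; pin it, e.g. `git+https://github.com/release-monitoring/anitya.git@<tag-or-sha>`. The Dockerfile also sets `ENV USER=fedmsg` but has no `USER` instruction, so `fedmsg-hub` runs as the base image's default user (root in fedora:27) unless the cluster's SCC overrides it; add a real `USER` line if the process does not need root. The `dnf install` list is unpinned too, though that matches the rest of this repo.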
@@ -67,5 +67,58 @@ items: namespace: release-monitoring type: ImageChange - type: ConfigChange +- apiVersion: v1 + kind: DeploymentConfig + metadata: + labels: + app: fedmsg-hub + service: fedmsg + name: fedmsg-hub + spec: + replicas: 1 + selector: + deploymentconfig: fedmsg-hub + strategy: + activeDeadlineSeconds: 21600 + recreateParams: + timeoutSeconds: 600 + resources: {} + rollingParams: + intervalSeconds: 1 + maxSurge: 25% + maxUnavailable: 25% + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Rolling + template: + metadata: + creationTimestamp: null + labels: + app: fedmsg-hub + deploymentconfig: fedmsg-hub + spec: + containers: + - name: fedmsg-hub + image: release-monitoring/fedmsg-hub:latest + resources: {} + volumeMounts: + - name: config-volume + mountPath: /etc/anitya + readOnly: true + volumes: + - name: config-volume + configMap: + name: release-monitoring-configmap + triggers: + - imageChangeParams: + automatic: true + containerNames: + - fedmsg-hub + from: + kind: ImageStreamTag + name: fedmsg-hub:latest + namespace: release-monitoring + type: ImageChange + - type: ConfigChange kind: List metadata: {} diff --git a/roles/openshift-apps/release-monitoring/files/imagestream.yml b/roles/openshift-apps/release-monitoring/files/imagestream.yml index 44856d1c34..f09d401176 100644 --- a/roles/openshift-apps/release-monitoring/files/imagestream.yml +++ b/roles/openshift-apps/release-monitoring/files/imagestream.yml @@ -6,5 +6,11 @@ items: name: release-monitoring-web labels: build: release-monitoring-web +- apiVersion: v1 + kind: ImageStream + metadata: + name: fedmsg-hub + labels: + build: fedmsg-hub kind: List metadata: {} diff --git a/roles/openshift-apps/transtats/files/buildconfig.yml b/roles/openshift-apps/transtats/files/buildconfig.yml new file mode 100644 index 0000000000..ae14813c24 --- /dev/null +++ b/roles/openshift-apps/transtats/files/buildconfig.yml 
@@ -0,0 +1,36 @@ +apiVersion: v1 +kind: BuildConfig +metadata: + name: "transtats-build" + labels: + environment: "transtats" +spec: + runPolicy: Serial + source: + git: + ref: master + uri: https://github.com/transtats/transtats.git + secrets: null + type: Git + strategy: + sourceStrategy: + from: + kind: ImageStreamTag + name: python:3.5 + namespace: openshift + env: + - name: UPGRADE_PIP_TO_LATEST + value: "true" + - name: PIP_INDEX_URL + - name: TS_AUTH_SYSTEM + value: fedora + - name: OIDC_RP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: transtats-secret + key: oidc-client-secret + type: Source + output: + to: + kind: ImageStreamTag + name: transtats:latest diff --git a/roles/openshift-apps/transtats/files/deploymentconfig.yml b/roles/openshift-apps/transtats/files/deploymentconfig.yml new file mode 100644 index 0000000000..56b1db8c4d --- /dev/null +++ b/roles/openshift-apps/transtats/files/deploymentconfig.yml 
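Review bot: `OIDC_RP_CLIENT_SECRET` is injected via `strategy.sourceStrategy.env`, which is build-time environment; with S2I these values are typically persisted into the output image's environment and are visible in the build pod, so the OIDC client secret ends up baked into every image pushed to `transtats:latest` rather than supplied at run time. Move it to the DeploymentConfig container `env` as a `secretKeyRef` and drop it here; `TS_AUTH_SYSTEM` can stay. `ref: master` also means every build tracks branch head, so a pinned tag or sha would make deployments reproducible, and `PIP_INDEX_URL` with no value is a no-op that is better removed.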
@@ -0,0 +1,74 @@ + +apiVersion: v1 +kind: DeploymentConfig +metadata: + name: transtats-web + labels: + app: transtats + service: web +spec: + replicas: 2 + selector: + app: transtats + service: web + template: + metadata: + labels: + app: transtats + service: web + spec: + containers: + - name: web + image: transtats + ports: + - containerPort: 8080 + env: + - name: DATABASE_SERVICE_NAME + valueFrom: + secretKeyRef: + name: transtats-secret + key: database-host + - name: DATABASE_ENGINE + value: postgresql + - name: DATABASE_NAME + value: transtats + - name: DATABASE_USER + valueFrom: + secretKeyRef: + name: transtats-secret + key: database-user + - name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: transtats-secret + key: database-password + - name: DJANGO_SECRET_KEY + valueFrom: + secretKeyRef: + name: transtats-secret + key: django-secret-key + readinessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 5 + httpGet: + path: /health + port: 8080 + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 30 + httpGet: + path: /health + port: 8080 + resources: + limits: + memory: 384Mi + triggers: + - type: ImageChange + imageChangeParams: + automatic: true + containerNames: + - web + from: + kind: ImageStreamTag + name: transtats:latest + - type: ConfigChange diff --git a/roles/openshift-apps/transtats/files/imagestream.yml b/roles/openshift-apps/transtats/files/imagestream.yml new file mode 100644 index 0000000000..c2b22a5e23 --- /dev/null +++ b/roles/openshift-apps/transtats/files/imagestream.yml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ImageStream +metadata: + name: transtats +spec: + tags: + - name: latest +--- +apiVersion: v1 +kind: ImageStream +metadata: + name: transtats diff --git a/roles/openshift-apps/transtats/files/route.yml b/roles/openshift-apps/transtats/files/route.yml new file mode 100644 index 0000000000..7e01795b29 --- /dev/null +++ b/roles/openshift-apps/transtats/files/route.yml 
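Review bot: The file defines the `transtats` ImageStream twice: the first document carries `spec.tags: [latest]` and the second, after `---`, is a bare `metadata.name: transtats` with no spec, so applying the file either fails on the duplicate name or lets the second document replace the first and drop the `latest` tag. Keep a single document; the build pushes to `transtats:latest` and the DC pulls the same tag, so one stream is all that is needed, and if a second was intended it needs a distinct name.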
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Route +metadata: + name: transtats-web + labels: + app: transtats +spec: + #host: transtats.stg.fedoraproject.org + port: + targetPort: web + to: + kind: Service + name: transtats-web + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect diff --git a/roles/openshift-apps/transtats/files/service.yml b/roles/openshift-apps/transtats/files/service.yml new file mode 100644 index 0000000000..ca5a770c4e --- /dev/null +++ b/roles/openshift-apps/transtats/files/service.yml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: transtats-web + labels: + app: transtats +spec: + selector: + app: transtats + service: web + ports: + - name: web + port: 8080 + targetPort: 8080 diff --git a/roles/openshift-apps/transtats/templates/secret.yml b/roles/openshift-apps/transtats/templates/secret.yml new file mode 100644 index 0000000000..3c2c9f8e6a --- /dev/null +++ b/roles/openshift-apps/transtats/templates/secret.yml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "transtats-secret" + labels: + app: "transtats" +stringData: +{% if env == 'staging' %} + django-secret-key: "{{transtats_stg_django_secret_key}}" + database-password: "{{transtats_stg_database_password}}" + oidc-client-secret: "" + database-host: db01.stg.phx2.fedoraproject.org + database-user: transtats +{% endif %} diff --git a/roles/packages3/web/files/packages-httpd.conf b/roles/packages3/web/files/packages-httpd.conf index 4d255a9bc2..ae873c3acb 100644 --- a/roles/packages3/web/files/packages-httpd.conf +++ b/roles/packages3/web/files/packages-httpd.conf @@ -61,6 +61,10 @@ WSGIScriptAlias /packages /usr/share/fedoracommunity/production/apache/fedoracom WSGIProcessGroup fedoracommunity + + Require all granted + + # If someone tries to access an icon that doesn't exist, # then send them to the default icon. This is used by 
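Review bot: secret.yml only populates `stringData` inside `{% if env == 'staging' %}`, so for any other environment the template renders a Secret with no keys while deploymentconfig.yml reads `database-host`, `database-user`, `database-password` and `django-secret-key` from it and buildconfig.yml reads `oidc-client-secret`; pods and builds in that environment would be expected to fail at container creation with missing-key errors. Either add the production branch with the corresponding variables or restrict the role to staging until they exist. `oidc-client-secret: ""` is deliberately empty for staging; a `{# TODO: set once the OIDC client is registered #}` comment would make that explicit rather than looking like an omission.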
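Review bot: `Require all granted` is added inside a block whose opening `<Directory>`/`<Location>` directive is outside the hunk, so the scope of the access grant cannot be checked from the diff; confirm it covers only the path meant to serve the fedoracommunity WSGI application. A one-line comment above it stating which path the grant is for, e.g. `# httpd 2.4 access control for the fedoracommunity WSGI handler`, would keep that intent reviewable.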
diff --git a/roles/packages3/web/tasks/main.yml b/roles/packages3/web/tasks/main.yml index 3fd9d13adc..6310eb8bec 100644 --- a/roles/packages3/web/tasks/main.yml +++ b/roles/packages3/web/tasks/main.yml @@ -1,33 +1,14 @@ --- # Configuration for the fedora-packages webapp - -- name: Set require selinux booleans - seboolean: name={{item}} persistent=yes state=yes - with_items: - - httpd_use_nfs - - httpd_execmem - tags: - - packages - - packages/web - - selinux - - name: install needed packages package: name={{ item }} state=present with_items: - fedora-packages - - python-psycopg2 - python-memcached tags: - packages - packages/web -- name: install python-sqlalchemy0.8 only on rhel6 - package: name=python-sqlalchemy0.8 state=present - tags: - - packages - - packages/web - when: ansible_distribution_major_version|int < 7 - - name: Create some directories file: path={{ item }} @@ -39,7 +20,6 @@ - /etc/fedoracommunity - /var/cache/fedoracommunity # the gluster role usually creates this one - /var/tmp/fedoracommunity - - /var/log/fedoracommunity tags: - packages - packages/web @@ -156,16 +136,6 @@ - hotfix when: ansible_distribution_major_version|int < 7 -# Our fedmsg updater should handle everything, no more need for cron. -#- name: Copy the indexer cronjobs -# copy: src="{{item}}" dest="/etc/cron.d/{{item}}" -# with_items: -# - cron-sync-package-index -# when: install_packages_indexer -# tags: -# - packages -# - packages/web - # Lastly, here's some selinux stuff. - name: set some selinux booleans seboolean: name={{item}} persistent=yes state=yes 
@@ -174,11 +144,19 @@ - httpd_can_network_memcache - httpd_can_network_connect - httpd_use_fusefs + - httpd_use_nfs + - httpd_execmem tags: - packages - packages/web - selinux +- name: /var/cache/fedoracommunity/git.fedoraproject.org file contexts + sefcontext: + target: '/var/cache/fedoracommunity/git.fedoraproject.org(/.*)?' + setype: httpd_sys_rw_content_t + state: present + - name: Build the database the first time. This takes a while command: /usr/bin/fcomm-index-packages --index-db-dest=/var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --mdapi-url=https://apps{{env_suffix}}.fedoraproject.org/mdapi --icons-url=https://dl.fedoraproject.org/pub/alt/screenshots --tagger-url=https://apps{{env_suffix}}.fedoraproject.org/tagger creates=/var/cache/fedoracommunity/packages/xapian/search/termlist.glass tags: diff --git a/roles/packages3/web/templates/packages-app.ini.j2 b/roles/packages3/web/templates/packages-app.ini.j2 index a0ad8bcfb8..cfdb5be884 100644 --- a/roles/packages3/web/templates/packages-app.ini.j2 +++ b/roles/packages3/web/templates/packages-app.ini.j2 
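Review bot: The new `sefcontext` task registers the file-context rule for `/var/cache/fedoracommunity/git.fedoraproject.org(/.*)?` but nothing relabels content already present there; `sefcontext` does not run `restorecon`, so existing files keep their old label until something else relabels them. Register the task and add a follow-up such as `command: restorecon -R /var/cache/fedoracommunity/git.fedoraproject.org` guarded by `when: <registered>.changed`. The task is also the only one in this file without `tags:`; add `- packages`, `- packages/web` and `- selinux` as its neighbours have, otherwise a tag-filtered run skips it.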
@@ -21,24 +21,17 @@ fedoracommunity.extensions_dir = {{ pythonsitelib }}/fedoracommunity/plugins/ext fedoracommunity.script_name = /packages fedoracommunity.connector.kojihub.baseurl = https://koji{{env_suffix}}.fedoraproject.org/kojihub -fedoracommunity.connector.bugzilla.baseurl = https://bugzilla.redhat.com/xmlrpc.cgi -fedoracommunity.connector.bugzilla.cookiefile = /var/cache/fedoracommunity/bugzillacookies +fedoracommunity.connector.bodhi.baseurl = https://bodhi{{env_suffix}}.fedoraproject.org/ +fedoracommunity.connector.mdapi.baseurl = https://apps{{env_suffix}}.fedoraproject.org/mdapi +fedoracommunity.connector.tagger.baseurl = https://apps{{env_suffix}}.fedoraproject.org/tagger +fedoracommunity.connector.fas.baseurl = https://admin{{env_suffix}}.fedoraproject.org/accounts/ +fedoracommunity.connector.icons.baseurl = http://download01.phx2.fedoraproject.org/pub/alt/screenshots {% if env == "staging" %} -fedoracommunity.connector.fas.baseurl = https://admin.stg.fedoraproject.org/accounts/ -fedoracommunity.connector.bodhi.baseurl = https://bodhi.stg.fedoraproject.org/ -fedoracommunity.connector.pkgdb.baseurl = https://admin.stg.fedoraproject.org/pkgdb -fedoracommunity.connector.tagger.baseurl = https://apps.stg.fedoraproject.org/tagger -fedoracommunity.connector.mdapi.baseurl = https://apps.stg.fedoraproject.org/mdapi -fedoracommunity.connector.icons.baseurl = http://download01.phx2.fedoraproject.org/pub/alt/screenshots +fedoracommunity.connector.bugzilla.baseurl = https://partner-bugzilla.redhat.com/xmlrpc.cgi {% else %} -fedoracommunity.connector.fas.baseurl = https://admin.fedoraproject.org/accounts/ -fedoracommunity.connector.bodhi.baseurl = https://bodhi.fedoraproject.org/ -fedoracommunity.connector.pkgdb.baseurl = https://admin.fedoraproject.org/pkgdb -fedoracommunity.connector.tagger.baseurl = https://apps.fedoraproject.org/tagger -fedoracommunity.connector.mdapi.baseurl = https://apps.fedoraproject.org/mdapi -fedoracommunity.connector.icons.baseurl = 
http://download01.phx2.fedoraproject.org/pub/alt/screenshots +fedoracommunity.connector.bugzilla.baseurl = https://bugzilla.redhat.com/xmlrpc.cgi {% endif %} - +fedoracommunity.connector.bugzilla.cookiefile = /var/cache/fedoracommunity/bugzillacookies fedoracommunity.connector.xapian.package-search.db = /var/cache/fedoracommunity/packages/xapian/search fedoracommunity.resource_path_prefix = /packages/_res/ diff --git a/roles/pagure/frontend/templates/0_pagure.conf b/roles/pagure/frontend/templates/0_pagure.conf index 8b3cda870d..b51d77cba2 100644 --- a/roles/pagure/frontend/templates/0_pagure.conf +++ b/roles/pagure/frontend/templates/0_pagure.conf @@ -69,7 +69,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert @@ -119,7 +119,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" SSLCertificateFile /etc/pki/tls/certs/docs.pagure.org.crt SSLCertificateChainFile /etc/pki/tls/certs/docs.pagure.org.intermediate.crt 
@@ -145,7 +145,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf index dc1dbefb4b..0d61a08504 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf +++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf @@ -56,7 +56,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem @@ -118,7 +118,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem diff --git a/roles/pdc/frontend/templates/pdc.conf b/roles/pdc/frontend/templates/pdc.conf index 17add4bf7a..8bedf17966 100644 
--- a/roles/pdc/frontend/templates/pdc.conf +++ b/roles/pdc/frontend/templates/pdc.conf @@ -1,7 +1,7 @@ Alias /docs/ /usr/share/doc/pdc/docs/build/html/ Alias /saml2protected /usr/share/ipsilon/ui/saml2sp -WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-name=pdc processes={{ wsgi_procs - 1}} threads={{ wsgi_threads }} +WSGIDaemonProcess pdc user=apache group=apache maximum-requests=100 display-name=pdc processes={{ wsgi_procs - 1}} threads={{ wsgi_threads }} WSGISocketPrefix run/wsgi WSGIRestrictStdout On WSGIRestrictSignal Off diff --git a/roles/people/templates/people.conf b/roles/people/templates/people.conf index 6df7672854..ca57fa3a8c 100644 --- a/roles/people/templates/people.conf +++ b/roles/people/templates/people.conf @@ -34,7 +34,7 @@ NameVirtualHost *:80 SSLCipherSuite {{ ssl_ciphers }} SSLProtocol {{ ssl_protocols }} - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon # ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fedorapeople.org-error.log-%Y%m%d 86400 -l" diff --git a/roles/releng/files/rawhide b/roles/releng/files/rawhide index d91d0d86a0..2ba2cdcfc8 100644 --- a/roles/releng/files/rawhide +++ b/roles/releng/files/rawhide 
@@ -2,4 +2,4 @@ MAILTO=releng-cron@lists.fedoraproject.org 15 5 * * * root TMPDIR=`mktemp -d /tmp/rawhide.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && LANG=en_US.UTF-8 ./nightly.sh && sudo -u ftpsync /usr/local/bin/update-fullfiletimelist -l /pub/fedora-secondary/update-fullfiletimelist.lock -t /pub fedora fedora-secondary #15 17 * * * root TMPDIR=$(mktemp -d /tmp/rawhide-dnf.XXXXXX) && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && LANG=en_US.UTF-8 ./nightly-dnf.sh -15 18 * * * root TMPDIR=$(mktemp -d /tmp/rawhide-modular.XXXXXX) && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && LANG=en_US.UTF-8 ./nightly-modular.sh +#15 18 * * * root TMPDIR=$(mktemp -d /tmp/rawhide-modular.XXXXXX) && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && LANG=en_US.UTF-8 ./nightly-modular.sh diff --git a/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 b/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 index cabe0cd97c..66b946ffb3 100644 --- a/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 +++ b/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 
@@ -214,18 +214,25 @@ factory.addStep(ShellCommand(command=["runtask", {% endif %} descriptionDone=[Interpolate('%(prop:taskname)s on %(prop:item)s')], name='runtask', - timeout=2400, -{% if deployment_type in ['dev', 'stg', 'prod'] %} + timeout=20*60, +{% if deployment_type in ['dev'] %} + sigtermTime=5*60, + lazylogfiles=True, + logfiles={ + 'heartbeat.log': {'filename': Interpolate('/var/lib/taskotron/artifacts/%(prop:uuid)s/taskotron/heartbeat.log')} + } +{% endif %} +{% if deployment_type in ['stg', 'prod'] %} logfiles={ 'taskotron-overlord.log': {'filename': Interpolate('/var/lib/taskotron/artifacts/%(prop:uuid)s/taskotron-overlord.log')}, 'taskotron-stdio.log': {'filename': Interpolate('/var/lib/taskotron/artifacts/%(prop:uuid)s/taskotron-stdio.log')}, 'taskotron.log': {'filename': Interpolate('/var/lib/taskotron/artifacts/%(prop:uuid)s/taskotron.log')} } -)) {% endif %} {% if deployment_type in ['local'] %} - logfiles={'taskotron.log': {'filename': '/var/log/taskotron/taskotron.log', }})) + logfiles={'taskotron.log': {'filename': '/var/log/taskotron/taskotron.log', }} {% endif %} +)) factory.addStep(ShellCommand(command=Interpolate('testcloud instance remove --force taskotron-%(prop:uuid)s; true'), @@ -240,7 +247,7 @@ factory.addStep(DirectoryUpload(slavesrc=Interpolate('/var/lib/taskotron/artifac masterdest=Interpolate('{{ public_artifacts_dir }}/%(prop:uuid)s/task_output'))) # gzip artifacts -factory.addStep(MasterShellCommand(command=Interpolate('gzip -r {{ public_artifacts_dir }}/%(prop:uuid)s/task_output/*'), +factory.addStep(MasterShellCommand(command=Interpolate('find {{ public_artifacts_dir }}/%(prop:uuid)s/task_output/ -type f -exec gzip {} \;'), descriptionDone=['gzip artifacs dir content'])) {% if deployment_type in ['local'] %} 
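Review bot: The new `find ... -type f -exec gzip {} \;` sits in a regular Python string literal, so `\;` is an unrecognised escape that Python happens to keep as a literal backslash (newer interpreters warn about it); it works today but is fragile. Use the `+` terminator instead, `'find {{ public_artifacts_dir }}/%(prop:uuid)s/task_output/ -type f -exec gzip {} +'`, which needs no escaping and runs gzip once per batch of files. The same construct appears in the distgit_factory hunk at `@@ -317,7 +324,7 @@`. `%(prop:uuid)s` is still spliced unquoted into a shell command; this predates the change, but if the property is not guaranteed to be a plain UUID, quoting the path is cheap.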
@@ -317,7 +324,7 @@ distgit_factory.addStep(DirectoryUpload(slavesrc=Interpolate('/var/lib/taskotron masterdest=Interpolate('{{ public_artifacts_dir }}/%(prop:uuid)s/task_output'))) # gzip artifacts -distgit_factory.addStep(MasterShellCommand(command=Interpolate('gzip -r {{ public_artifacts_dir }}/%(prop:uuid)s/task_output/*'), +distgit_factory.addStep(MasterShellCommand(command=Interpolate('find {{ public_artifacts_dir }}/%(prop:uuid)s/task_output/ -type f -exec gzip {} \;'), descriptionDone=['gzip artifacs dir content'])) {% endif %} diff --git a/roles/taskotron/execdb/templates/settings.py.j2 b/roles/taskotron/execdb/templates/settings.py.j2 index eeb44775c3..688dc451b5 100644 --- a/roles/taskotron/execdb/templates/settings.py.j2 +++ b/roles/taskotron/execdb/templates/settings.py.j2 @@ -2,7 +2,7 @@ SECRET_KEY = '{{ execdb_secret_key }}' SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://{{ execdb_db_user }}:{{ execdb_db_password }}@{{ execdb_db_host }}:{{ execdb_db_port }}/{{ execdb_db_name }}' FILE_LOGGING = False -LOGFILR = '/var/log/execdb/execdb.log' +LOGFILE = '/var/log/execdb/execdb.log' SYSLOG_LOGGING = False STREAM_LOGGING = True diff --git a/roles/taskotron/imagefactory/files/imagefactoryd.service b/roles/taskotron/imagefactory/files/imagefactoryd.service new file mode 100644 index 0000000000..762959314b --- /dev/null +++ b/roles/taskotron/imagefactory/files/imagefactoryd.service @@ -0,0 +1,13 @@ +# Workaround for https://github.com/redhat-imaging/imagefactory/issues/417 +[Unit] +Requires=libvirtd.service +After=libvirtd.service + +[Service] +Type=forking +ExecStart=/usr/bin/imagefactoryd +ExecStop=/usr/bin/killall imagefactoryd +PIDFile=/var/run/imagefactoryd.pid + +[Install] +WantedBy=multi-user.target diff --git a/roles/taskotron/imagefactory/tasks/main.yml b/roles/taskotron/imagefactory/tasks/main.yml index a25061a11c..85a5ec8b51 100644 --- a/roles/taskotron/imagefactory/tasks/main.yml +++ b/roles/taskotron/imagefactory/tasks/main.yml 
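Review bot: `ExecStop=/usr/bin/killall imagefactoryd` stops every process with that name on the host, not only the one systemd started for this unit, and it depends on `killall` (psmisc) being installed; systemd already sends SIGTERM to the unit's cgroup on stop, so the line can be dropped. `PIDFile=/var/run/imagefactoryd.pid` should be `PIDFile=/run/imagefactoryd.pid`, since `/var/run` is a compatibility symlink that systemd warns about. A `Description=` line in `[Unit]` would also make `systemctl status` output self-explanatory.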
@@ -16,6 +16,17 @@ - name: hotfix imagefactory's REST api to allow file download copy: src=hotfix_imgfac_RESTv2.py dest=/usr/lib/python2.7/site-packages/imgfac/rest/RESTv2.py owner=root group=root mode=0644 +# Workaround for https://github.com/redhat-imaging/imagefactory/issues/417 +- name: fix issues in imagefactoryd.service + copy: + src: imagefactoryd.service + dest: /etc/systemd/system/imagefactoryd.service + register: imagefactory_service + +- name: reload systemd + command: systemctl daemon-reload + when: imagefactory_service.changed + - name: enable imagefactory service: name=imagefactoryd state=started enabled=yes diff --git a/roles/taskotron/resultsdb-backend/templates/settings.py.j2 b/roles/taskotron/resultsdb-backend/templates/settings.py.j2 index daa6e02a98..8da290f859 100644 --- a/roles/taskotron/resultsdb-backend/templates/settings.py.j2 +++ b/roles/taskotron/resultsdb-backend/templates/settings.py.j2 @@ -1,7 +1,7 @@ SECRET_KEY = '{{ resultsdb_secret_key }}' SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://{{ resultsdb_db_user }}:{{ resultsdb_db_password }}@{{ resultsdb_db_host }}:{{ resultsdb_db_port }}/{{ resultsdb_db_name }}' FILE_LOGGING = False -LOGFILR = '/var/log/resultsdb/resultsdb.log' +LOGFILE = '/var/log/resultsdb/resultsdb.log' SYSLOG_LOGGING = False STREAM_LOGGING = True diff --git a/roles/taskotron/resultsdb-frontend/templates/settings.py.j2 b/roles/taskotron/resultsdb-frontend/templates/settings.py.j2 index 6c6042e071..29b6df89cc 100644 --- a/roles/taskotron/resultsdb-frontend/templates/settings.py.j2 +++ b/roles/taskotron/resultsdb-frontend/templates/settings.py.j2 @@ -4,6 +4,6 @@ RDB_URL = 'http://127.0.0.1/{{ resultsdb_endpoint }}/api/v2.0' SECRET_KEY = '{{ resultsdb_frontend_secret_key }}' FILE_LOGGING = False -LOGFILR = '/var/log/resultsdb_frontend/resultsdb_frontend.log' +LOGFILE = '/var/log/resultsdb_frontend/resultsdb_frontend.log' SYSLOG_LOGGING = False STREAM_LOGGING = True 
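Review bot: The `copy:` task installing imagefactoryd.service omits `owner`, `group` and `mode`, unlike the hotfix copy task just above it which sets `mode=0644`; add `owner: root`, `group: root` and `mode: 0644` so the unit file's permissions are deterministic. The `command: systemctl daemon-reload` step can be replaced by the systemd module, `systemd: daemon_reload: yes`, which is idempotent and does not report changed on every run. Reloading the unit definition does not restart a running service, so the following `enable imagefactory` task with `state=started` leaves an already-running daemon on the old definition; a `state: restarted` conditioned on `imagefactory_service.changed` would actually apply the workaround.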
diff --git a/roles/taskotron/taskotron-client/templates/taskotron.yaml.j2 b/roles/taskotron/taskotron-client/templates/taskotron.yaml.j2 index 7a5d012326..0d026cad41 100644 --- a/roles/taskotron/taskotron-client/templates/taskotron.yaml.j2 +++ b/roles/taskotron/taskotron-client/templates/taskotron.yaml.j2 @@ -2,7 +2,7 @@ ## The file is in YAML syntax, read more about it at: ## http://en.wikipedia.org/wiki/Yaml ## libtaskotron docs live at: -## https://docs.qadevel.cloud.fedoraproject.org/libtaskotron/latest/ +## https://docs.qa.fedoraproject.org/libtaskotron/latest/ ## ==== GENERAL section ==== @@ -38,6 +38,12 @@ runtask_mode: libvirt runtask_mode: local {% endif %} +## Supported machine architectures. This is mostly used by generic, +## arch-independent tasks to determine which arches to test and report against. +## You can still run an arch-specific task on any other arch using the command +## line. +#supported_arches: ['x86_64', 'armhfp'] + ## ==== SCHEDULING section ==== ## This section holds options related to the scheduling and execution system, @@ -51,8 +57,8 @@ buildbot_task_step: 'runtask' ## This section controls which result reports you want to send after the test ## execution is complete. -## Whether to send test results to the configured ResultsDB server. See also -## 'reporting_enabled' option. +## Whether to send test results to the configured ResultsDB server. +## [default: True for production, False for development] report_to_resultsdb: True 
@@ -101,16 +107,6 @@ artifacts_baseurl: {{ artifacts_base_url }} #download_cache_enabled: False -## ==== BODHI EMAIL section ==== -## These configuration options affect how Taskotron decideds to send emails -## through Bodhi in specific situations. - -## How long (in minutes) should we wait before allowing consequent test to -## re-post a 'FAILED' comment into Bodhi once again. -## By default 3 days (3*24*60 = 4320). -#bodhi_posting_comments_span: 4320 - - ## ==== PATHS section ==== ## Location of various pieces of the project. @@ -133,7 +129,7 @@ artifacts_baseurl: {{ artifacts_base_url }} ## File names need to adhere to the naming standard of: ## YYMMDD_HHMM-fedora-RELEASE-FLAVOR-ARCH.(qcow2|raw|img) ## For example: -## 160301_1030-fedora-23-taskotron_cloud-x86_64.img +## 160301_1030-fedora-25-taskotron_cloud-x86_64.img ## Variables disposable_(release|flavor|arch) set in this config file ## define what kind of image is looked for. ## The newest (by YYMMDD_HHMM) image of the respective R-F-A is used. @@ -148,11 +144,10 @@ force_imageurl: False ## Default distro/release/flavor/arch for the disposable images discovery #default_disposable_distro: fedora -default_disposable_release: "26" +default_disposable_release: '26' #default_disposable_flavor: taskotron_cloud #default_disposable_arch: x86_64 - ## Additional repos for minion to install packages from minion_repos: - https://fedorapeople.org/groups/qa/taskotron-repos/taskotron-production-override/taskotron-production-override.repo diff --git a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2 b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2 index da91b20a27..fa6d5cb93f 100644 --- a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2 +++ b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2 
@@ -1,49 +1,71 @@ --- -- when: {message_type: KojiBuildPackageCompleted} +- when: + message_type: KojiBuildPackageCompleted do: - - {tasks: [rpmlint, rpmgrill, python-versions]} - -- when: {message_type: KojiBuildPackageCompleted, name: docker} - do: - - {tasks: [dockerautotest]} + - tasks: + - python-versions + - rpmgrill + - rpmlint - when: message_type: KojiBuildPackageCompleted name: - $nin: [{{ trigger_abicheck_blacklist | join(',') }}] + $nin: + - "{{ trigger_abicheck_blacklist | join(',') }}" do: - - {tasks: [abicheck]} + - tasks: + - abicheck - when: message_type: KojiTagChanged - tag: {$regex: '/^f[0-9]{2}-updates(-testing)?-pending$$/'} + tag: + $regex: '/^f[0-9]{2}-updates(-testing)?-pending$$/' do: - - {tasks: [rpmdeplint]} - -- when: {message_type: DistGitCommit, namespace: modules} - do: - - {tasks: [check_modulemd]} + - tasks: + - rpmdeplint - when: - message_type: ModuleBuildComplete + message_type: DistGitCommit + namespace: modules do: - - {tasks: [modularity-testing-framework]} + - tasks: + - check_modulemd - when: message_type: GitHubPullRequestOpened - repo_name: {$regex: '/^container-images\/.+/'} + repo_name: + $regex: '/^container-images\/.+/' do: - - {tasks: [mtf-containers]} + - tasks: + - mtf-containers + +{% if deployment_type in ['stg', 'prod'] %} +{# these tasks are not ansiblized yet #} +- when: + message_type: ModuleBuildComplete + do: + - tasks: + - modularity-testing-framework + +- when: + message_type: KojiBuildPackageCompleted + name: docker + do: + - tasks: + - dockerautotest +{% endif %} {# disabled due to missing nested virt: https://pagure.io/taskotron/issue/239 - when: message_type: AtomicCompose do: - - {tasks: [upstream-atomic, fedora-cloud-tests]} + - tasks: + - upstream-atomic + - fedora-cloud-tests - when: message_type: CloudCompose do: - - {tasks: [fedora-cloud-tests]} + - tasks: + - fedora-cloud-tests #} - 
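Review bot: The `$nin` rewrite changes semantics: the old `$nin: [{{ trigger_abicheck_blacklist | join(',') }}]` rendered a flow sequence with one entry per package, while the new block form `- "{{ trigger_abicheck_blacklist | join(',') }}"` renders a single quoted string with all names joined by commas, so only a package literally named `a,b,c` would match and abicheck is no longer skipped for blacklisted packages. Render one item per entry instead: `{% for pkg in trigger_abicheck_blacklist %}` / `      - {{ pkg }}` / `{% endfor %}` (or `$nin: {{ trigger_abicheck_blacklist | to_json }}`). The `$regex` entries are unaffected since they were already single strings.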
diff --git a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev deleted file mode 100644 index 43da94c0fb..0000000000 --- a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev +++ /dev/null @@ -1,27 +0,0 @@ ---- -- when: {message_type: KojiBuildPackageCompleted} - do: - - {tasks: [rpmlint, rpmgrill, python-versions]} - -- when: - message_type: KojiBuildPackageCompleted - name: - $nin: [{{ trigger_abicheck_blacklist | join(',') }}] - do: - - {tasks: [abicheck]} - -- when: - message_type: KojiTagChanged - tag: {$regex: '/^f[0-9]{2}-updates(-testing)?-pending$$/'} - do: - - {tasks: [rpmdeplint]} - -- when: {message_type: DistGitCommit, namespace: modules} - do: - - {tasks: [check_modulemd]} - -- when: - message_type: GitHubPullRequestOpened - repo_name: {$regex: '/^container-images\/.+/'} - do: - - {tasks: [mtf-containers]} diff --git a/roles/testdays/templates/settings.py.j2 b/roles/testdays/templates/settings.py.j2 index 6f3b2354de..fd7d2cefe6 100644 --- a/roles/testdays/templates/settings.py.j2 +++ b/roles/testdays/templates/settings.py.j2 @@ -6,6 +6,6 @@ SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://{{ testdays_db_user }}:{{ testd SHOW_DB_URI = False PRODUCTION = True FILE_LOGGING = False -LOGFILR = '/var/log/testdays/testdays.log' +LOGFILE = '/var/log/testdays/testdays.log' SYSLOG_LOGGING = False STREAM_LOGGING = True diff --git a/roles/ufmonitor/templates/ufmonitor.conf.j2 b/roles/ufmonitor/templates/ufmonitor.conf.j2 index 265e5faf8d..3e56041ac8 100644 --- a/roles/ufmonitor/templates/ufmonitor.conf.j2 +++ b/roles/ufmonitor/templates/ufmonitor.conf.j2 
@@ -19,7 +19,7 @@ SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem diff --git a/roles/web-data-analysis/files/run-daily-awstats.sh b/roles/web-data-analysis/files/run-daily-awstats.sh index 8b559d2051..12f16f8fad 100644 --- a/roles/web-data-analysis/files/run-daily-awstats.sh +++ b/roles/web-data-analysis/files/run-daily-awstats.sh @@ -33,6 +33,7 @@ DAY=$(/bin/date -d "-${NUMDAYS} days" +%d) LOGDIR=/mnt/fedora_stats/combined-http/ CONFDIR=/mnt/fedora_stats/awstats/conf +STORDIR=/mnt/fedora_stats/awstats/storage OUTDIR=/var/www/html/awstats-reports TREEDIR=${LOGDIR}/${YEAR}/${MONTH}/${DAY} 
@@ -43,11 +44,21 @@ HTMLDOC=/usr/bin/htmldoc #SITES="apps.fedoraproject.org codecs.fedoraproject.org communityblog.fedoraproject.org docs.fedoraproject.org download.fedoraproject.org fedoramagazine.org fedoraproject.org geoip.fedoraproject.org get.fedoraproject.org getfedora.org labs.fedoraproject.org mirrors.fedoraproject.org spins.fedoraproject.org start.fedoraproject.org" -SITES="admin.fedoraproject.org apps.fedoraproject.org arm.fedoraproject.org ask.fedoraproject.org badges.fedoraproject.org bodhi.fedoraproject.org boot.fedoraproject.org budget.fedoraproject.org bugz.fedoraproject.org cloud.fedoraproject.org codecs.fedoraproject.org communityblog.fedoraproject.org copr.fedoraproject.org darkserver.fedoraproject.org developer.fedoraproject.org developers.fedoraproject.org dl.fedoraproject.org docs.fedoraproject.org download.fedoraproject.org fas.fedoraproject.org fedora.my fedoracommunity.org fedoramagazine.org fedoraproject.com fedoraproject.org flocktofedora.net flocktofedora.org fonts.fedoraproject.org fpaste.org fudcon.fedoraproject.org geoip.fedoraproject.org get.fedoraproject.org getfedora.org help.fedoraproject.org id.fedoraproject.org it.fedoracommunity.org join.fedoraproject.org k12linux.org kde.fedoraproject.org l10n.fedoraproject.org labs.fedoraproject.org lists.fedorahosted.org lists.fedoraproject.org meetbot-raw.fedoraproject.org meetbot.fedoraproject.org mirrors.fedoraproject.org nightly.fedoraproject.org osbs.fedoraproject.org paste.fedoraproject.org pdc.fedoraproject.org people.fedoraproject.org port389.org qa.fedoraproject.org redirect.fedoraproject.org registry.fedoraproject.org smolts.org spins.fedoraproject.org src.fedoraproject.org start.fedoraproject.org store.fedoraproject.org taskotron.fedoraproject.org translate.fedoraproject.org uk.fedoracommunity.org " +SITES="admin.fedoraproject.org apps.fedoraproject.org arm.fedoraproject.org ask.fedoraproject.org badges.fedoraproject.org bodhi.fedoraproject.org boot.fedoraproject.org 
budget.fedoraproject.org bugz.fedoraproject.org cloud.fedoraproject.org codecs.fedoraproject.org communityblog.fedoraproject.org copr.fedoraproject.org darkserver.fedoraproject.org developer.fedoraproject.org developers.fedoraproject.org dl.fedoraproject.org docs.fedoraproject.org docs-old.fedoraproject.org download.fedoraproject.org fas.fedoraproject.org fedora.my fedoracommunity.org fedoramagazine.org fedoraproject.com fedoraproject.org flocktofedora.net flocktofedora.org fonts.fedoraproject.org fpaste.org fudcon.fedoraproject.org geoip.fedoraproject.org get.fedoraproject.org getfedora.org help.fedoraproject.org id.fedoraproject.org it.fedoracommunity.org join.fedoraproject.org k12linux.org kde.fedoraproject.org l10n.fedoraproject.org labs.fedoraproject.org lists.fedorahosted.org lists.fedoraproject.org meetbot-raw.fedoraproject.org meetbot.fedoraproject.org mirrors.fedoraproject.org nightly.fedoraproject.org osbs.fedoraproject.org paste.fedoraproject.org pdc.fedoraproject.org people.fedoraproject.org port389.org qa.fedoraproject.org redirect.fedoraproject.org registry.fedoraproject.org smolts.org spins.fedoraproject.org src.fedoraproject.org start.fedoraproject.org store.fedoraproject.org taskotron.fedoraproject.org translate.fedoraproject.org uk.fedoracommunity.org " pushd ${CONFDIR} for SITE in ${SITES}; do - perl /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=${CONFDIR}/${SITE} -update -Logfile=${TREEDIR}/${SITE}-access.log - perl /mnt/fedora_stats/awstats/conf/awstats_buildstaticpages.pl -awstatsprog=${AWSTATS} -config=${SITE} -month=all -year=${YEAR} -dir=${OUTDIR}/${YEAR} ; + if [[ -f ${CONFDIR/${SITE} ]]; then + if [[ -d ${STORDIR}/${SITE} ]]; then + mkdir -p ${STORDIR}/${SITE} + fi + if [[ -d ${OUTDIR}/${YEAR} ]]; then + mkdir -p ${OUTDIR}/${YEAR} + fi + perl /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=${CONFDIR}/${SITE} -update -Logfile=${TREEDIR}/${SITE}-access.log + perl /mnt/fedora_stats/awstats/conf/awstats_buildstaticpages.pl 
-awstatsprog=${AWSTATS} -config=${SITE} -month=all -year=${YEAR} -dir=${OUTDIR}/${YEAR} ; + else + echo "Site ${SITE} does not have config file" + fi done popd
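Review bot: The new guard `if [[ -f ${CONFDIR/${SITE} ]]` is missing the closing brace after `CONFDIR`, so bash reads it as an unterminated `${var/pattern}` substitution rather than a path and the script no longer parses as intended; it should read `if [[ -f "${CONFDIR}/${SITE}" ]]; then`. The two directory checks are inverted as well: `if [[ -d ... ]]; then mkdir -p ...` only creates a directory that already exists, so the first run for a new site never creates `${STORDIR}/${SITE}` or `${OUTDIR}/${YEAR}`; because `mkdir -p` is idempotent both blocks can collapse to `mkdir -p "${STORDIR}/${SITE}" "${OUTDIR}/${YEAR}"`. awstats conventionally looks for `awstats.<name>.conf` in its config directory, so if the files in `${CONFDIR}` follow that naming the `-f` test should target `${CONFDIR}/awstats.${SITE}.conf` — worth confirming against the directory contents. `STORDIR` is introduced in the previous hunk but only used in the `-d` test here; if awstats is meant to write there, the corresponding `DirData` setting lives in the per-site config, not in this script.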