diff --git a/inventory/group_vars/sundries b/inventory/group_vars/sundries
index 556898d3fb..d511388d57 100644
--- a/inventory/group_vars/sundries
+++ b/inventory/group_vars/sundries
@@ -14,4 +14,4 @@ fas_client_groups: sysadmin-noc,fi-apprentice
master_sundries_node: False
# A host group for rsync config
-host_group: sundries
+rsync_group: sundries
diff --git a/inventory/group_vars/sundries-stg b/inventory/group_vars/sundries-stg
index 556898d3fb..d511388d57 100644
--- a/inventory/group_vars/sundries-stg
+++ b/inventory/group_vars/sundries-stg
@@ -14,4 +14,4 @@ fas_client_groups: sysadmin-noc,fi-apprentice
master_sundries_node: False
# A host group for rsync config
-host_group: sundries
+rsync_group: sundries
diff --git a/playbooks/groups/sundries.yml b/playbooks/groups/sundries.yml
index bdbb6970ff..8ece5d631d 100644
--- a/playbooks/groups/sundries.yml
+++ b/playbooks/groups/sundries.yml
@@ -47,6 +47,7 @@
- role: fedora_owner_change
when: master_sundries_node
- rsyncd
+ - mirrormanager/frontend
tasks:
- include: "{{ tasks }}/hosts.yml"
diff --git a/roles/badges/backend/templates/badges-awarder.py b/roles/badges/backend/templates/badges-awarder.py
index be4e4f0658..c95d8b5c29 100644
--- a/roles/badges/backend/templates/badges-awarder.py
+++ b/roles/badges/backend/templates/badges-awarder.py
@@ -32,7 +32,11 @@ config = {
# Stuff used for caching packagedb relations.
"fedbadges.rules.utils.use_pkgdb2": True,
- "fedbadges.rules.utils.pkgdb_url": "https://admin.fedoraproject.org/pkgdb",
+ {% if env == 'staging' %}
+ "fedbadges.rules.utils.pkgdb_url": "https://admin.stg.fedoraproject.org/pkgdb/api",
+ {% else %}
+ "fedbadges.rules.utils.pkgdb_url": "https://admin.fedoraproject.org/pkgdb/api",
+ {% endif %}
"fedbadges.rules.cache": {
"backend": "dogpile.cache.dbm",
"expiration_time": 300,
diff --git a/roles/base/files/common-scripts/conditional-restart.sh b/roles/base/files/common-scripts/conditional-restart.sh
index 6e77eb2983..f95ef741d7 100644
--- a/roles/base/files/common-scripts/conditional-restart.sh
+++ b/roles/base/files/common-scripts/conditional-restart.sh
@@ -5,7 +5,7 @@
SERVICE=$1
PACKAGE=$2
-/usr/bin/rpm -q $PACKAGE
+rpm -q $PACKAGE
INSTALLED=$?
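Review bot: Dropping the absolute path in `rpm -q $PACKAGE` makes the binary lookup depend on whatever PATH the caller hands to this script. `$PACKAGE` is also still unquoted, so an empty or space-containing argument changes what rpm is asked. If the goal is portability across layouts, pin the search path near the top of the script, e.g. `PATH=/usr/sbin:/usr/bin:/sbin:/bin`, and write the call as `rpm -q "$PACKAGE"`. The lines before this hunk are not visible, so PATH may already be set there.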
diff --git a/roles/base/files/common-scripts/needs-reboot.py b/roles/base/files/common-scripts/needs-reboot.py
new file mode 100755
index 0000000000..a39c9ea788
--- /dev/null
+++ b/roles/base/files/common-scripts/needs-reboot.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python -tt
+
+import yum
+import sys
+import time
+import fnmatch
+
+result = 0
+now = time.time()
+uptime = float(open('/proc/uptime', 'r').read().split()[0])
+
+rebootcausers = ('glibc', 'kernel*')
+
+my = yum.YumBase()
+my.preconf.init_plugins=False
+my.preconf.debuglevel=1
+my.preconf.errorlevel=1
+pkgs = my.rpmdb.returnPackages(patterns=rebootcausers)
+
+does='no'
+for pkg in pkgs:
+ if (now - pkg.installtime) < uptime:
+ does='yes'
+ break
+
+if len(sys.argv) > 1 and sys.argv[1] == 'after-updates':
+ for (n, a, e, v, r) in my.up.getUpdatesList():
+ for i in rebootcausers:
+ if fnmatch.fnmatch(n, i):
+ does='yes'
+
+
+print does
+sys.exit(0)
+
+
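Review bot: A failed check looks the same as "no reboot needed" to any caller that only tests stdout for `yes`. If the rpmdb query or `my.up.getUpdatesList()` raises, the script prints nothing, and on the normal path it always ends with `sys.exit(0)` while `result` is assigned but never used. Consider catching the yum error, printing an explicit third value such as `unknown`, and exiting non-zero in that case. Since `rebootcausers = ('glibc', 'kernel*')` covers only those two package patterns, a comment such as `# only kernel and glibc are checked; other updated libraries may still need service restarts` would keep a `no` from being over-read. The `/proc/uptime` handle is also never closed; `with open('/proc/uptime') as f:` fixes that.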
diff --git a/roles/easyfix/tasks/main.yml b/roles/easyfix/tasks/main.yml
index 12c9ff90fc..ec79a6f41c 100644
--- a/roles/easyfix/tasks/main.yml
+++ b/roles/easyfix/tasks/main.yml
@@ -57,6 +57,6 @@
- name: Install the easyfix cronjob
copy: >
src=easyfix.cron dest=/etc/cron.d/easyfix.cron
- owner=root group=root mode=0755
+ owner=root group=root mode=0644
tags:
- files
diff --git a/roles/fedora_owner_change/tasks/main.yml b/roles/fedora_owner_change/tasks/main.yml
index 822bd4029e..c5d06a8627 100644
--- a/roles/fedora_owner_change/tasks/main.yml
+++ b/roles/fedora_owner_change/tasks/main.yml
@@ -23,6 +23,6 @@
- name: Install the fedora-owner-change cronjob
copy: >
src=fedora-owner-change.cron dest=/etc/cron.d/fedora-owner-change.cron
- owner=root group=root mode=0755
+ owner=root group=root mode=0644
tags:
- files
diff --git a/roles/mirrormanager/frontend/files/mirrormanager-app.conf b/roles/mirrormanager/frontend/files/mirrormanager-app.conf
new file mode 100644
index 0000000000..9aa2c2c1e0
--- /dev/null
+++ b/roles/mirrormanager/frontend/files/mirrormanager-app.conf
@@ -0,0 +1,35 @@
+Alias /mirrormanager/static /usr/share/mirrormanager/server/mirrormanager/static
+Alias /mirrormanager/crawler /var/log/mirrormanager/crawler
+
+WSGISocketPrefix /var/run/mirrormanager/wsgi
+WSGIRestrictSignal Off
+
+WSGIDaemonProcess mirrormanager user=mirrormanager group=mirrormanager display-name=mirrormanager maximum-requests=1000 processes=4 threads=1 umask=0007
+WSGIPythonOptimize 1
+
+WSGIScriptAlias /mirrormanager /usr/share/mirrormanager/server/mirrormanager.wsgi/mirrormanager
+
+
+ WSGIProcessGroup mirrormanager
+
+ # Apache 2.4
+ Require all granted
+
+
+ # Apache 2.2
+ Order deny,allow
+ Allow from all
+
+
+
+
+
+ # Apache 2.4
+ Require all granted
+
+
+ # Apache 2.2
+ Order deny,allow
+ Allow from all
+
+
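Review bot: `Alias /mirrormanager/crawler /var/log/mirrormanager/crawler` publishes the crawler log directory over HTTP, and the access rules in this file are `Require all granted` / `Allow from all`. The container tags are not visible in this rendering, so it is an assumption that the second access block applies to that log directory. If it does, confirm that the crawler logs never contain anything meant to stay internal (credentials embedded in mirror URLs, private hostnames), or narrow the rule, for instance `Require ip <ADMIN_NETWORK_PLACEHOLDER>`. A short comment above the alias stating why the logs are exposed would help the next reviewer.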
diff --git a/roles/mirrormanager/frontend/meta/main.yml b/roles/mirrormanager/frontend/meta/main.yml
new file mode 100644
index 0000000000..4590c3dc7f
--- /dev/null
+++ b/roles/mirrormanager/frontend/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: mirrormanager/package }
diff --git a/roles/mirrormanager/frontend/tasks/main.yml b/roles/mirrormanager/frontend/tasks/main.yml
new file mode 100644
index 0000000000..7ed2b992a9
--- /dev/null
+++ b/roles/mirrormanager/frontend/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+# tasklist for setting up the mirrormanager app components
+
+- name: set sebooleans so mirrormanager can connect to its db
+ action: seboolean name=httpd_can_network_connect_db
+ state=true
+ persistent=true
+
+- name: install /etc/httpd/conf.d/mirrormanager-app.conf
+ copy: >
+ src="mirrormanager-app.conf"
+ dest="/etc/httpd/conf.d/mirrormanager.conf"
+ owner=root
+ group=root
+ mode=0644
+ notify:
+ - restart httpd
+ tags:
+ - config
diff --git a/roles/mirrormanager/package/tasks/main.yml b/roles/mirrormanager/package/tasks/main.yml
new file mode 100644
index 0000000000..7e775cd6af
--- /dev/null
+++ b/roles/mirrormanager/package/tasks/main.yml
@@ -0,0 +1,69 @@
+---
+# tasklist for setting up the mirrormanager package components
+
+- name: set sebooleans so mirrormanager can read its homedir
+ action: seboolean name=httpd_enable_homedirs
+ state=true
+ persistent=true
+
+- name: add mirrormanager group - gid 441
+ group: name=mirrormanager gid=441
+
+- name: add mirrors group - gid 263
+ group: name=mirrors gid=263
+
+- name: add mirrors2 group - gid 529
+ group: name=mirrors2 gid=529
+
+- name: add mirrormanager user - uid 441
+ user: >
+ name=mirrormanager
+ uid=441
+ group=mirrormanager
+ groups=mirrors,mirrors2,apache
+ state=present
+ home=/home/mirrormanager
+ createhome=yes
+ shell=/bin/bash
+
+- name: install mirrormanager package
+ yum: pkg={{ item }} state=installed
+ with_items:
+ - mirrormanager
+ tags:
+ - packages
+
+- name: install /etc/mirrormanager/prod.cfg
+ template: >
+ src="mirrormanager-prod.cfg.j2"
+ dest="/etc/mirrormanager/prod.cfg"
+ owner=mirrormanager
+ group=mirrormanager
+ mode=0600
+ notify:
+ - restart httpd
+ tags:
+ - config
+
+- name: setup mirrormanager directories
+ file: path="{{ item }}" owner=mirrormanager group=mirrormanager mode=0755 state=directory
+ with_items:
+ - /var/lock/mirrormanager
+ - /var/lib/mirrormanager
+ - /var/run/mirrormanager
+ - /var/log/mirrormanager
+ - /var/log/mirrormanager/crawler
+ - /home/mirrormanager
+ tags:
+ - config
+
+- name: setup /home/mirrormanager/.ssh directory
+ copy: >
+ src="{{ puppet_private }}/mirrormanager/"
+ dest="/home/mirrormanager/.ssh"
+ directory_mode=yes
+ owner=mirrormanager
+ group=mirrormanager
+ mode=0700
+ tags:
+ - config
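Review bot: In the `.ssh` copy task, `directory_mode=yes` is not a mode value, and `mode=0700` is applied to the copied files rather than to the directory, so key files end up executable while the directory mode is left to defaults. The intended settings look like `directory_mode=0700` and `mode=0600`. The Apache config added in this same commit runs the WSGI daemon with `user=mirrormanager`, so the web application can read whatever is placed here. If `{{ puppet_private }}/mirrormanager/` holds private keys (assumed from the destination), consider a separate account for the jobs that need them. The service account is also created with `shell=/bin/bash`; a comment saying why an interactive shell is required would be useful.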
diff --git a/roles/mirrormanager/package/templates/mirrormanager-prod.cfg.j2 b/roles/mirrormanager/package/templates/mirrormanager-prod.cfg.j2
new file mode 100644
index 0000000000..07f713fae4
--- /dev/null
+++ b/roles/mirrormanager/package/templates/mirrormanager-prod.cfg.j2
@@ -0,0 +1,131 @@
+[global]
+# This is where all of your settings go for your development environment
+# Settings that are the same for both development and production
+# (such as template engine, encodings, etc.) all go in
+# mirrormanager/config/app.cfg
+
+# pick the form for your database
+# sqlobject.dburi="postgres://username@hostname/databasename"
+# sqlobject.dburi="mysql://username:password@hostname:port/databasename"
+# sqlobject.dburi="sqlite:///file_name_and_path"
+
+# If you have sqlite, here's a simple default to get you started
+# in development
+#sqlobject.dburi="postgres://mirrormanager@127.0.0.1/mirrormanager"
+
+# This is for local development purposes. It won't be used for
+# production.
+{% if env == "staging" %}
+sqlobject.dburi="notrans_postgres://mirroradmin:{{ mirrorPassword }}@db-mirrormanager.stg:5432/mirrormanager"
+{% else %}
+sqlobject.dburi="notrans_postgres://mirroradmin:{{ mirrorPassword }}@db-mirrormanager:5432/mirrormanager"
+{% endif %}
+
+# if you are using a database or table type without transactions
+# (MySQL default, for example), you should turn off transactions
+# by prepending notrans_ on the uri
+# sqlobject.dburi="notrans_mysql://username:password@hostname:port/databasename"
+
+# for Windows users, sqlite URIs look like:
+# sqlobject.dburi="sqlite:///drive_letter:/path/to/file"
+
+# SERVER
+
+# Some server parameters that you may want to tweak
+# running as a WSGI under apache. This is used by TG when it generates a redirect.
+server.socket_port=80
+
+server.socket_timeout = 60
+server.thread_pool = 50
+server.socket_queue_size = 30
+
+# Enable the debug output at the end on pages.
+# log_debug_info_filter.on = False
+
+server.environment="production"
+server.webpath="/mirrormanager"
+autoreload.package="mirrormanager"
+
+# session_filter.on = True
+
+# Set to True if you'd like to abort execution if a controller gets an
+# unexpected parameter. False by default
+tg.strict_parameters = True
+tg.ignore_parameters = ["_csrf_token"]
+
+##############################
+# Fedora Account System config
+fas.url = 'https://admin.fedoraproject.org/accounts/'
+identity.provider='jsonfas2'
+identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity"
+visit.manager="jsonfas2"
+visit.saprovider.model="fedora.accounts.tgfas.Visit"
+visit.cookie.secure = True
+visit.cookie.httponly = True
+
+mirrormanager.admin_group = 'sysadmin-web'
+mirrormanager.max_stale_days = 2
+mirrormanager.max_propogation_days = 1
+mirrormanager.report_problems_to_email = 'mirror-admin at fedoraproject.org'
+
+##############################
+# update-master-directory-list category list and master locations
+# be very careful here. Trailing slashes on url directory names are necessary.
+umdl.master_directories = ''' [
+ { 'type':'directory', 'path':'/pub/fedora/linux/', 'category':'Fedora Linux' },
+ { 'type':'directory', 'path':'/pub/archive/', 'category':'Fedora Archive' },
+ { 'type':'directory', 'path':'/pub/epel/', 'category':'Fedora EPEL' },
+ { 'type':'directory', 'path':'/pub/fedora-secondary/', 'category':'Fedora Secondary Arches' },
+ { 'type':'directory', 'path':'/pub/alt/', 'category':'Fedora Other',
+ 'excludes':['.*/stage$']},
+ { 'type':'directory', 'path':'/pub/redhat/rhel/', 'category':'RHEL' },
+ ] '''
+
+# manage-repo-redirects (mrr) repository definition
+# this can be used to define a repository redirect
+# for example from an upcoming release to the current development tree
+mrr.repos = ''' {
+ 'fedora-%s':'rawhide',
+ 'fedora-debug-%s':'rawhide-debug',
+ 'fedora-source-%s':'rawhide-source',
+ 'updates-released-f%s':'rawhide',
+ 'updates-released-debug-f%s':'rawhide-debug',
+ 'updates-released-source-f%s':'rawhide-source',
+ 'updates-testing-f%s':'rawhide',
+ 'updates-testing-debug-f%s':'rawhide-debug',
+ 'updates-testing-source-f%s':'rawhide-source'
+ } '''
+
+base_url_filter.on = True
+{% if env == "staging" %}
+base_url_filter.base_url = "https://admin.stg.fedoraproject.org"
+{% else %}
+base_url_filter.base_url = "https://admin.fedoraproject.org"
+{% endif %}
+base_url_filter.use_x_forwarded_host = False
+
+[/xmlrpc]
+xmlrpc_filter.on = True
+
+# LOGGING
+# Logging configuration generally follows the style of the standard
+# Python logging module configuration. Note that when specifying
+# log format messages, you need to use *() for formatting variables.
+# Deployment independent log configuration is in mirrormanager/config/log.cfg
+[logging]
+
+[[loggers]]
+[[[mirrormanager]]]
+level='DEBUG'
+qualname='mirrormanager'
+handlers=['debug_out']
+
+[[[allinfo]]]
+level='INFO'
+handlers=['debug_out']
+
+[[[access]]]
+level='WARN'
+qualname='turbogears.access'
+handlers=['access_out']
+propagate=0
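Review bot: `fas.url = 'https://admin.fedoraproject.org/accounts/'` is hard-coded, while the database URI and `base_url_filter.base_url` in this template switch on `env`, so a staging instance would authenticate against the production account system. Wrap it in the same `{% if env == "staging" %}` conditional, with `fas.url = 'https://admin.stg.fedoraproject.org/accounts/'` in the staging branch, as the pkgdb2 and packages templates in this commit do. `{{ mirrorPassword }}` is placed into the URI raw, so a password containing `@`, `:` or `/` will break parsing; `{{ mirrorPassword | urlencode }}` avoids that. The comment "This is for local development purposes. It won't be used for production." now sits directly above the production URI and should be removed or reworded.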
diff --git a/roles/notifs/backend/templates/fmn.consumer.py b/roles/notifs/backend/templates/fmn.consumer.py
index 824f680af0..da3b64fcc6 100644
--- a/roles/notifs/backend/templates/fmn.consumer.py
+++ b/roles/notifs/backend/templates/fmn.consumer.py
@@ -24,7 +24,11 @@ config = {
# Some configuration for the rule processors
"fmn.rules.utils.use_pkgdb2": True,
+ {% if env == 'staging' %}
+ "fmn.rules.utils.pkgdb_url": "https://admin.stg.fedoraproject.org/pkgdb/api",
+ {% else %}
"fmn.rules.utils.pkgdb_url": "https://admin.fedoraproject.org/pkgdb/api",
+ {% endif %}
"fmn.rules.cache": {
"backend": "dogpile.cache.dbm",
"expiration_time": 300,
diff --git a/roles/packages/templates/packages-app.ini.j2 b/roles/packages/templates/packages-app.ini.j2
index 20b0be66f3..73dc0a2b62 100644
--- a/roles/packages/templates/packages-app.ini.j2
+++ b/roles/packages/templates/packages-app.ini.j2
@@ -22,9 +22,15 @@ fedoracommunity.extensions_dir = {{ pythonsitelib }}/fedoracommunity/plugins/ext
fedoracommunity.connector.kojihub.baseurl = http://koji.fedoraproject.org/kojihub
fedoracommunity.connector.bugzilla.baseurl = https://bugzilla.redhat.com/xmlrpc.cgi
fedoracommunity.connector.bugzilla.cookiefile = /var/cache/fedoracommunity/bugzillacookies
+{% if env == "staging" %}
+fedoracommunity.connector.fas.baseurl = https://admin.stg.fedoraproject.org/accounts/
+fedoracommunity.connector.bodhi.baseurl = https://admin.stg.fedoraproject.org/updates
+fedoracommunity.connector.pkgdb.baseurl = https://admin.stg.fedoraproject.org/pkgdb
+{% else %}
fedoracommunity.connector.fas.baseurl = https://admin.fedoraproject.org/accounts/
fedoracommunity.connector.bodhi.baseurl = https://admin.fedoraproject.org/updates
fedoracommunity.connector.pkgdb.baseurl = https://admin.fedoraproject.org/pkgdb
+{% endif %}
fedoracommunity.rpm_cache = /var/cache/fedoracommunity/rpm_cache/
@@ -50,7 +56,11 @@ fedoracommunity.connector.fas.minimal_user_password={{ fcommFasPassword }}
fedora.clients.check_certs = True
# URL for getting message history
+{% if env == "staging" %}
+datagrepper_url = https://apps.stg.fedoraproject.org/datagrepper/raw
+{% else %}
datagrepper_url = https://apps.fedoraproject.org/datagrepper/raw
+{% endif %}
##
## Moksha-specific configuration options
diff --git a/roles/pkgdb2/templates/pkgdb2.cfg b/roles/pkgdb2/templates/pkgdb2.cfg
index 971c1529ad..44435e9b6e 100644
--- a/roles/pkgdb2/templates/pkgdb2.cfg
+++ b/roles/pkgdb2/templates/pkgdb2.cfg
@@ -48,8 +48,10 @@ PKGDB2_BUGZILLA_PASSWORD = None
{% if env == 'staging' %}
PKGDB2_FAS_URL = 'https://admin.stg.fedoraproject.org/accounts'
PKGDB2_FAS_INSECURE = True
+SITE_URL = 'https://admin.stg.fedoraproject.org'
{% else %}
PKGDB2_FAS_URL = 'https://admin.fedoraproject.org/accounts'
+SITE_URL = 'https://admin.fedoraproject.org'
{% endif %}
## name of the user the pkgdb application can log in to FAS with
PKGDB2_FAS_USER = '{{ fedorathirdpartyUser }}'
diff --git a/roles/rsyncd/tasks/main.yml b/roles/rsyncd/tasks/main.yml
index ea195925d9..e43f49bf01 100644
--- a/roles/rsyncd/tasks/main.yml
+++ b/roles/rsyncd/tasks/main.yml
@@ -19,6 +19,7 @@
- "{{ rsyncd_conf }}"
- rsyncd.conf.{{ ansible_fqdn }}
- rsyncd.conf.{{ host_group }}
+ - rsyncd.conf.{{ rsync_group }}
- rsyncd.conf.default
notify:
- restart xinetd
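Review bot: The candidate list now references both `{{ host_group }}` and `{{ rsync_group }}`, but this commit renames `host_group` to `rsync_group` in the sundries group_vars. Unless each variable is defined elsewhere for every host that runs this role, one of the two lookups is undefined. The hunk at `rsync.{{ rsync_group }}` has the same pattern. Either give both a default, e.g. `rsyncd.conf.{{ rsync_group | default('default') }}`, or drop the `host_group` entries once all inventories are migrated. The task headers lie outside these hunks, so how the list is consumed cannot be confirmed from here.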
@@ -31,6 +32,7 @@
- "{{ rsync }}"
- rsync.{{ ansible_fqdn }}
- rsync.{{ host_group }}
+ - rsync.{{ rsync_group }}
- rsync.default
notify:
- restart xinetd
@@ -41,3 +43,9 @@
service: name=xinetd state=started
tags:
- services
+
+- name: set sebooleans so rsync can read dirs
+ action: seboolean name=rsync_export_all_ro
+ state=true
+ persistent=true
+
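Review bot: `rsync_export_all_ro` is a broad SELinux boolean: it lets the rsync daemon read any file regardless of label, so the policy no longer limits what a misconfigured module path can expose. It is also switched on for every host that includes this role. If only specific trees need exporting, labelling them (for example with `public_content_t`) keeps the confinement. Otherwise, gate the task with a `when:` on a per-group variable and add a comment naming the directories that required it. Unlike the tasks above it, this one has no `tags:` entry.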