Merge branch 'master' of /git/ansible

inventory/group_vars/sundries

@@ -14,4 +14,4 @@ fas_client_groups: sysadmin-noc,fi-apprentice
 master_sundries_node: False
 
 # A host group for rsync config
-host_group: sundries
+rsync_group: sundries

inventory/group_vars/sundries-stg

@@ -14,4 +14,4 @@ fas_client_groups: sysadmin-noc,fi-apprentice
 master_sundries_node: False
 
 # A host group for rsync config
-host_group: sundries
+rsync_group: sundries

playbooks/groups/sundries.yml

@@ -47,6 +47,7 @@
   - role: fedora_owner_change
     when: master_sundries_node
   - rsyncd
+  - mirrormanager/frontend
 
   tasks:
   - include: "{{ tasks }}/hosts.yml"

roles/badges/backend/templates/badges-awarder.py

@@ -32,7 +32,11 @@ config = {
 
     # Stuff used for caching packagedb relations.
     "fedbadges.rules.utils.use_pkgdb2": True,
-    "fedbadges.rules.utils.pkgdb_url": "https://admin.fedoraproject.org/pkgdb",
+    {% if env == 'staging' %}
+    "fedbadges.rules.utils.pkgdb_url": "https://admin.stg.fedoraproject.org/pkgdb/api",
+    {% else %}
+    "fedbadges.rules.utils.pkgdb_url": "https://admin.fedoraproject.org/pkgdb/api",
+    {% endif %}
     "fedbadges.rules.cache": {
         "backend": "dogpile.cache.dbm",
         "expiration_time": 300,

roles/base/files/common-scripts/conditional-restart.sh

@@ -5,7 +5,7 @@
 SERVICE=$1
 PACKAGE=$2
 
-/usr/bin/rpm -q $PACKAGE
+rpm -q $PACKAGE
 
 INSTALLED=$?
 

roles/base/files/common-scripts/needs-reboot.py

@@ -0,0 +1,36 @@
+#!/usr/bin/python -tt
+
+import yum
+import sys
+import time
+import fnmatch
+
+result = 0
+now = time.time()
+uptime = float(open('/proc/uptime', 'r').read().split()[0])
+
+rebootcausers = ('glibc', 'kernel*')
+
+my = yum.YumBase()
+my.preconf.init_plugins=False
+my.preconf.debuglevel=1
+my.preconf.errorlevel=1
+pkgs = my.rpmdb.returnPackages(patterns=rebootcausers)
+
+does='no'
+for pkg in pkgs:
+    if (now - pkg.installtime) < uptime:
+        does='yes'
+        break
+
+if len(sys.argv) > 1 and sys.argv[1] == 'after-updates':
+    for (n, a, e, v, r) in my.up.getUpdatesList():
+        for i in rebootcausers:
+            if fnmatch.fnmatch(n, i):
+                does='yes'
+
+
+print does
+sys.exit(0)
+
+

roles/easyfix/tasks/main.yml

@@ -57,6 +57,6 @@
 - name: Install the easyfix cronjob
   copy: >
     src=easyfix.cron dest=/etc/cron.d/easyfix.cron
-    owner=root group=root mode=0755
+    owner=root group=root mode=0644
   tags:
   - files

roles/fedora_owner_change/tasks/main.yml

@@ -23,6 +23,6 @@
 - name: Install the fedora-owner-change cronjob
   copy: >
     src=fedora-owner-change.cron dest=/etc/cron.d/fedora-owner-change.cron
-    owner=root group=root mode=0755
+    owner=root group=root mode=0644
   tags:
   - files

roles/mirrormanager/frontend/files/mirrormanager-app.conf

@@ -0,0 +1,35 @@
+Alias /mirrormanager/static /usr/share/mirrormanager/server/mirrormanager/static
+Alias /mirrormanager/crawler /var/log/mirrormanager/crawler
+
+WSGISocketPrefix /var/run/mirrormanager/wsgi
+WSGIRestrictSignal Off
+
+WSGIDaemonProcess mirrormanager user=mirrormanager group=mirrormanager display-name=mirrormanager maximum-requests=1000 processes=4 threads=1 umask=0007
+WSGIPythonOptimize 1
+
+WSGIScriptAlias /mirrormanager /usr/share/mirrormanager/server/mirrormanager.wsgi/mirrormanager
+
+<Directory /usr/share/mirrormanager/server>
+    WSGIProcessGroup mirrormanager
+    <IfModule mod_authz_core.c>
+        # Apache 2.4
+        Require all granted
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        # Apache 2.2
+        Order deny,allow
+        Allow from all
+    </IfModule>
+</Directory>
+
+<Directory /var/log/mirrormanager/crawler>
+    <IfModule mod_authz_core.c>
+        # Apache 2.4
+        Require all granted
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        # Apache 2.2
+        Order deny,allow
+        Allow from all
+    </IfModule>
+</Directory>

roles/mirrormanager/frontend/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: mirrormanager/package }

roles/mirrormanager/frontend/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+# tasklist for setting up the mirrormanager app components
+
+- name: set sebooleans so mirrormanager can connect to its db
+  action: seboolean name=httpd_can_network_connect_db
+                    state=true
+                    persistent=true
+
+- name: install /etc/httpd/conf.d/mirrormanager-app.conf
+  copy: >
+    src="mirrormanager-app.conf"
+    dest="/etc/httpd/conf.d/mirrormanager.conf"
+    owner=root
+    group=root
+    mode=0644
+  notify:
+  - restart httpd
+  tags:
+  - config

roles/mirrormanager/package/tasks/main.yml

@@ -0,0 +1,69 @@
+---
+# tasklist for setting up the mirrormanager package components
+
+- name: set sebooleans so mirrormanager can read its homedir
+  action: seboolean name=httpd_enable_homedirs
+                    state=true
+                    persistent=true
+
+- name: add mirrormanager group - gid 441
+  group: name=mirrormanager gid=441
+
+- name: add mirrors group - gid 263
+  group: name=mirrors gid=263
+
+- name: add mirrors2 group - gid 529
+  group: name=mirrors2 gid=529
+
+- name: add mirrormanager user - uid 441
+  user: >
+    name=mirrormanager 
+    uid=441 
+    group=mirrormanager 
+    groups=mirrors,mirrors2,apache 
+    state=present 
+    home=/home/mirrormanager 
+    createhome=yes 
+    shell=/bin/bash
+
+- name: install mirrormanager package
+  yum: pkg={{ item }} state=installed
+  with_items:
+  - mirrormanager
+  tags:
+  - packages
+
+- name: install /etc/mirrormanager/prod.cfg
+  template: >
+    src="mirrormanager-prod.cfg.j2"
+    dest="/etc/mirrormanager/prod.cfg"
+    owner=mirrormanager
+    group=mirrormanager
+    mode=0600
+  notify:
+  - restart httpd
+  tags:
+  - config
+
+- name: setup mirrormanager directories
+  file: path="{{ item }}" owner=mirrormanager group=mirrormanager mode=0755 state=directory
+  with_items:
+  - /var/lock/mirrormanager
+  - /var/lib/mirrormanager
+  - /var/run/mirrormanager
+  - /var/log/mirrormanager
+  - /var/log/mirrormanager/crawler
+  - /home/mirrormanager
+  tags:
+  - config
+
+- name: setup /home/mirrormanager/.ssh directory
+  copy: >
+    src="{{ puppet_private }}/mirrormanager/"
+    dest="/home/mirrormanager/.ssh"
+    directory_mode=yes
+    owner=mirrormanager
+    group=mirrormanager
+    mode=0700
+  tags:
+  - config

roles/mirrormanager/package/templates/mirrormanager-prod.cfg.j2

@@ -0,0 +1,131 @@
+[global]
+# This is where all of your settings go for your development environment
+# Settings that are the same for both development and production
+# (such as template engine, encodings, etc.) all go in 
+# mirrormanager/config/app.cfg
+
+# pick the form for your database
+# sqlobject.dburi="postgres://username@hostname/databasename"
+# sqlobject.dburi="mysql://username:password@hostname:port/databasename"
+# sqlobject.dburi="sqlite:///file_name_and_path"
+
+# If you have sqlite, here's a simple default to get you started
+# in development
+#sqlobject.dburi="postgres://mirrormanager@127.0.0.1/mirrormanager"
+
+# This is for local development purposes.  It won't be used for
+# production.
+{% if env == "staging" %}
+sqlobject.dburi="notrans_postgres://mirroradmin:{{ mirrorPassword }}@db-mirrormanager.stg:5432/mirrormanager"
+{% else %}
+sqlobject.dburi="notrans_postgres://mirroradmin:{{ mirrorPassword }}@db-mirrormanager:5432/mirrormanager"
+{% endif %}
+
+# if you are using a database or table type without transactions
+# (MySQL default, for example), you should turn off transactions
+# by prepending notrans_ on the uri
+# sqlobject.dburi="notrans_mysql://username:password@hostname:port/databasename"
+
+# for Windows users, sqlite URIs look like:
+# sqlobject.dburi="sqlite:///drive_letter:/path/to/file"
+
+# SERVER
+
+# Some server parameters that you may want to tweak
+# running as a WSGI under apache.  This is used by TG when it generates a redirect.
+server.socket_port=80
+
+server.socket_timeout = 60
+server.thread_pool = 50
+server.socket_queue_size = 30
+
+# Enable the debug output at the end on pages.
+# log_debug_info_filter.on = False
+
+server.environment="production"
+server.webpath="/mirrormanager"
+autoreload.package="mirrormanager"
+
+# session_filter.on = True
+
+# Set to True if you'd like to abort execution if a controller gets an
+# unexpected parameter. False by default
+tg.strict_parameters = True
+tg.ignore_parameters = ["_csrf_token"]
+
+##############################
+# Fedora Account System config
+fas.url = 'https://admin.fedoraproject.org/accounts/'
+identity.provider='jsonfas2'
+identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity"
+visit.manager="jsonfas2"
+visit.saprovider.model="fedora.accounts.tgfas.Visit"
+visit.cookie.secure = True
+visit.cookie.httponly = True
+
+mirrormanager.admin_group = 'sysadmin-web'
+mirrormanager.max_stale_days = 2
+mirrormanager.max_propogation_days = 1
+mirrormanager.report_problems_to_email = 'mirror-admin at fedoraproject.org'
+
+##############################
+# update-master-directory-list category list and master locations
+# be very careful here.  Trailing slashes on url directory names are necessary.
+umdl.master_directories = ''' [
+	{ 'type':'directory', 'path':'/pub/fedora/linux/', 'category':'Fedora Linux' },
+	{ 'type':'directory', 'path':'/pub/archive/', 'category':'Fedora Archive' },
+ 	{ 'type':'directory', 'path':'/pub/epel/', 'category':'Fedora EPEL' },
+	{ 'type':'directory', 'path':'/pub/fedora-secondary/', 'category':'Fedora Secondary Arches' },
+	{ 'type':'directory', 'path':'/pub/alt/', 'category':'Fedora Other',
+          'excludes':['.*/stage$']},
+	{ 'type':'directory', 'path':'/pub/redhat/rhel/', 'category':'RHEL' },
+	] '''
+
+# manage-repo-redirects (mrr) repository definition
+# this can be used to define a repository redirect
+# for example from an upcoming release to the current development tree
+mrr.repos = ''' {
+	'fedora-%s':'rawhide',
+	'fedora-debug-%s':'rawhide-debug',
+	'fedora-source-%s':'rawhide-source',
+	'updates-released-f%s':'rawhide',
+	'updates-released-debug-f%s':'rawhide-debug',
+	'updates-released-source-f%s':'rawhide-source',
+	'updates-testing-f%s':'rawhide',
+	'updates-testing-debug-f%s':'rawhide-debug',
+	'updates-testing-source-f%s':'rawhide-source'
+	} '''
+
+base_url_filter.on = True
+{% if env == "staging" %}
+base_url_filter.base_url = "https://admin.stg.fedoraproject.org"
+{% else %}
+base_url_filter.base_url = "https://admin.fedoraproject.org"
+{% endif %}
+base_url_filter.use_x_forwarded_host = False
+
+[/xmlrpc]
+xmlrpc_filter.on = True
+
+# LOGGING
+# Logging configuration generally follows the style of the standard
+# Python logging module configuration. Note that when specifying
+# log format messages, you need to use *() for formatting variables.
+# Deployment independent log configuration is in mirrormanager/config/log.cfg
+[logging]
+
+[[loggers]]
+[[[mirrormanager]]]
+level='DEBUG'
+qualname='mirrormanager'
+handlers=['debug_out']
+
+[[[allinfo]]]
+level='INFO'
+handlers=['debug_out']
+
+[[[access]]]
+level='WARN'
+qualname='turbogears.access'
+handlers=['access_out']
+propagate=0

roles/notifs/backend/templates/fmn.consumer.py

@@ -24,7 +24,11 @@ config = {
 
     # Some configuration for the rule processors
     "fmn.rules.utils.use_pkgdb2": True,
+    {% if env == 'staging' %}
+    "fmn.rules.utils.pkgdb_url": "https://admin.stg.fedoraproject.org/pkgdb/api",
+    {% else %}
     "fmn.rules.utils.pkgdb_url": "https://admin.fedoraproject.org/pkgdb/api",
+    {% endif %}
     "fmn.rules.cache": {
         "backend": "dogpile.cache.dbm",
         "expiration_time": 300,

roles/packages/templates/packages-app.ini.j2

@@ -22,9 +22,15 @@ fedoracommunity.extensions_dir = {{ pythonsitelib }}/fedoracommunity/plugins/ext
 fedoracommunity.connector.kojihub.baseurl = http://koji.fedoraproject.org/kojihub
 fedoracommunity.connector.bugzilla.baseurl = https://bugzilla.redhat.com/xmlrpc.cgi
 fedoracommunity.connector.bugzilla.cookiefile = /var/cache/fedoracommunity/bugzillacookies
+{% if env == "staging" %}
+fedoracommunity.connector.fas.baseurl = https://admin.stg.fedoraproject.org/accounts/
+fedoracommunity.connector.bodhi.baseurl = https://admin.stg.fedoraproject.org/updates
+fedoracommunity.connector.pkgdb.baseurl = https://admin.stg.fedoraproject.org/pkgdb
+{% else %}
 fedoracommunity.connector.fas.baseurl = https://admin.fedoraproject.org/accounts/
 fedoracommunity.connector.bodhi.baseurl = https://admin.fedoraproject.org/updates
 fedoracommunity.connector.pkgdb.baseurl = https://admin.fedoraproject.org/pkgdb
+{% endif %}
 
 fedoracommunity.rpm_cache = /var/cache/fedoracommunity/rpm_cache/
 
@@ -50,7 +56,11 @@ fedoracommunity.connector.fas.minimal_user_password={{ fcommFasPassword }}
 fedora.clients.check_certs = True
 
 # URL for getting message history
+{% if env == "staging" %}
+datagrepper_url = https://apps.stg.fedoraproject.org/datagrepper/raw
+{% else %}
 datagrepper_url = https://apps.fedoraproject.org/datagrepper/raw
+{% endif %}
 
 ##
 ## Moksha-specific configuration options

roles/pkgdb2/templates/pkgdb2.cfg

@@ -48,8 +48,10 @@ PKGDB2_BUGZILLA_PASSWORD = None
 {% if env == 'staging' %}
 PKGDB2_FAS_URL = 'https://admin.stg.fedoraproject.org/accounts'
 PKGDB2_FAS_INSECURE = True
+SITE_URL = 'https://admin.stg.fedoraproject.org'
 {% else %}
 PKGDB2_FAS_URL = 'https://admin.fedoraproject.org/accounts'
+SITE_URL = 'https://admin.fedoraproject.org'
 {% endif %}
 ## name of the user the pkgdb application can log in to FAS with
 PKGDB2_FAS_USER = '{{ fedorathirdpartyUser }}'

roles/rsyncd/tasks/main.yml

@@ -19,6 +19,7 @@
     - "{{ rsyncd_conf }}"
     - rsyncd.conf.{{ ansible_fqdn }}
     - rsyncd.conf.{{ host_group }}
+    - rsyncd.conf.{{ rsync_group }}
     - rsyncd.conf.default
   notify:
   - restart xinetd
@@ -31,6 +32,7 @@
     - "{{ rsync }}"
     - rsync.{{ ansible_fqdn }}
     - rsync.{{ host_group }}
+    - rsync.{{ rsync_group }}
     - rsync.default
   notify:
   - restart xinetd
@@ -41,3 +43,9 @@
   service: name=xinetd state=started
   tags:
   - services
+
+- name: set sebooleans so rsync can read dirs
+  action: seboolean name=rsync_export_all_ro
+                    state=true
+                    persistent=true
+