Merge branch 'master' of /git/ansible

2018-01-12 07:47:08 +00:00 · 2018-01-12 07:47:08 +00:00 · 2a34aa7736
commit 2a34aa7736
parent f5d64be174 50be6a9b9c
42 changed files with 129 additions and 2310 deletions
--- a/inventory/group_vars/copr-keygen-stg
+++ b/inventory/group_vars/copr-keygen-stg
@ -3,7 +3,7 @@ copr_hostbase: copr-keygen-dev
 tcp_ports: []

 # http + signd dest ports
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.11 --dport 80 -j ACCEPT',
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.211 --dport 80 -j ACCEPT',
                '-A INPUT -p tcp -m tcp -s 172.25.153.203 --dport 80 -j ACCEPT',
                '-A INPUT -p tcp -m tcp -s 172.25.32.211 --dport 5167 -j ACCEPT',
                '-A INPUT -p tcp -m tcp -s 172.25.153.203 --dport 5167 -j ACCEPT']
--- a/inventory/group_vars/qa-prod
+++ b/inventory/group_vars/qa-prod
@ -1,6 +1,6 @@
 ---
 # Define resources for this group of hosts here. 
-lvm_size: 40000
+lvm_size: 500000
 mem_size: 8196
 max_mem_size: 16384
 num_cpus: 2
@ -51,34 +51,6 @@ buildslave_name: 'qa-prod01-1'
 buildslave_password: '{{ qa_prod_buildslave_password }}'


-################################################################################
-# MariaDB Settings
-################################################################################
-
-mariadb_host: localhost
-mariadb_config: my.cnf.phabricator
-mariadb_user: '{{ qa_prod_mariadb_user }}'
-mariadb_password: '{{ qa_prod_mariadb_password }}'
-
-################################################################################
-# Phabricator Settings
-################################################################################
-phabricator_db_prefix: 'phabricator'
-enable_phabricator_git: False
-phabricator_vcs_user: git
-phabricator_vcs_user_password: '{{ qa_prod_vcs_user_password }}'
-phabricator_daemon_user: phabricator
-phabroot: /usr/share/
-phabricator_filedir: /var/lib/phabricator/files
-phabricator_repodir: /var/lib/phabricator/repos
-phabricator_config_filename: qaconfig
-phabricator_header_color: 'blue'
-phabricator_mail_enabled: True
-phabricator_mail_domain: fedoraproject.org
-phabricator_mysqldump_filename: 'qa-prod_phabricator.sql'
-ircnick: fedoraqabot
-
-
 ################################################################################
 # Backup Settings
 ################################################################################
@ -86,7 +58,7 @@ ircnick: fedoraqabot
 backup_dir: /srv/backup
 backup_username: root
 backup_ssh_pubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAJr3xqn/hHIXeth+NuXPu9P91FG9jozF3Q1JaGmg6szo770rrmhiSsxso/Ibm2mObqQLCyfm/qSOQRynv6tL3tQVHA6EEx0PNacnBcOV7UowR5kd4AYv82K1vQhof3YTxOMmNIOrdy6deDqIf4sLz1TDHvEDwjrxtFf8ugyZWNbTAAAAFQCS5puRZF4gpNbaWxe6gLzm3rBeewAAAIBcEd6pRatE2Qc/dW0YwwudTEaOCUnHmtYs2PHKbOPds0+Woe1aWH38NiE+CmklcUpyRsGEf3O0l5vm3VrVlnfuHpgt/a/pbzxm0U6DGm2AebtqEmaCX3CIuYzKhG5wmXqJ/z+Hc5MDj2mn2TchHqsk1O8VZM+1Ml6zX3Hl4vvBsQAAAIALDt5NFv6GLuid8eik/nn8NORd9FJPDBJxgVqHNIm08RMC6aI++fqwkBhVPFKBra5utrMKQmnKs/sOWycLYTqqcSMPdWSkdWYjBCSJ/QNpyN4laCmPWLgb3I+2zORgR0EjeV2e/46geS0MWLmeEsFwztpSj4Tv4e18L8Dsp2uB2Q==  root@backup03-rdiff-backup
-host_backup_targets: ['/var/lib/phabricator/files', '/var/lib/phabricator/repos', '/srv/backup']
+host_backup_targets: ['/srv/backup']


 ################################################################################
--- a/inventory/host_vars/hubs-dev.fedorainfracloud.org
+++ b/inventory/host_vars/hubs-dev.fedorainfracloud.org
@ -1,5 +1,5 @@
 ---
-image: "{{ fedora25_x86_64 }}"
+image: "{{ fedora27_x86_64 }}"
 instance_type: m1.medium
 keypair: fedora-admin-20130801
 security_group: ssh-anywhere-persistent,all-icmp-persistent,default,web-80-anywhere-persistent,web-443-anywhere-persistent,all-icmp-persistent
--- a/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
@ -7,12 +7,19 @@ gw: 10.5.126.254
 dns: 10.5.126.21
 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
-volgroup: /dev/vg_guests00
+volgroup: /dev/vg_guests
 eth0_ip: 10.5.126.187
-vmhost: virthost15.phx2.fedoraproject.org
+vmhost: virthost06.phx2.fedoraproject.org
 datacenter: phx2

 tcp_ports: [ 80, 443 ]
 fedmsg_certs: []

 mm2_checkin: true
+
+csi_security_category: High
+csi_primary_contact: Fedora Admins - admin@fedoraproject.org
+csi_purpose: MirrorManager Checkin endpoint
+csi_relationship: |
+    Has a very restricted set of in/out communication allowed, due to
+    special circumstances. For details, ask puiterwijk.
--- a/inventory/host_vars/pdc-web01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/pdc-web01.stg.phx2.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/

 eth0_ip: 10.5.128.170

--- a/inventory/host_vars/pdc-web02.phx2.fedoraproject.org
+++ b/inventory/host_vars/pdc-web02.phx2.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/
+ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/

 eth0_ip: 10.5.126.132

--- a/inventory/host_vars/qa-prod01.qa.fedoraproject.org
+++ b/inventory/host_vars/qa-prod01.qa.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.124.254
 dns: 10.5.126.21

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-24
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/24/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
 volgroup: /dev/VirtGuests

 eth0_ip: 10.5.124.231
@ -14,16 +14,14 @@ datacenter: phx2
 fas_client_groups: sysadmin-qa,sysadmin-main
 sudoers: "{{ private }}/files/sudo/qavirt-sudoers"

-mariadb_root_password: "{{ qadevel_mariadb_root_password }}"
-
 public_hostname: qa.fedoraproject.org
-short_hostname: qa-prod01.qa
+short_hostname: qa-prod01
 buildmaster: 127.0.0.1

 buildslaves:
    - qa-prod01-1

 slaves:
-  - { user: "{{ short_hostname }}-1", home: "/home/{{ short_hostname }}-1", dir: "/home/{{ short_hostname }}-1/slave" }
+  - { user: "{{ short_hostname }}-1", home: "/srv/buildslaves/{{ short_hostname }}-1", dir: "/srv/buildslaves/{{ short_hostname }}-1/slave" }

 extra_enablerepos: ''
--- a/inventory/host_vars/resultsdb01.qa.fedoraproject.org
+++ b/inventory/host_vars/resultsdb01.qa.fedoraproject.org
@ -13,8 +13,8 @@ eth0_nm: 255.255.255.128
 # install
 ############################################################

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/

 volgroup: /dev/VirtGuests
 datacenter: phx2
--- a/playbooks/destroy_virt_inst.yml
+++ b/playbooks/destroy_virt_inst.yml
@ -27,6 +27,11 @@
  - name: pause for 30s before doing it
    pause: seconds=30 prompt="Destroying (and lvremove for) vm now {{ target }}, abort if this is wrong"

+  - name: schedule 30m host downtime in nagios
+    nagios: action=downtime minutes=30 service=host host={{ inventory_hostname_short }}{{ env_suffix }}
+    delegate_to: noc01.phx2.fedoraproject.org
+    ignore_errors: true
+
  - name: destroy the vm
    virt: name={{ inventory_hostname }} command=destroy
    delegate_to: "{{ vmhost }}"
--- a/playbooks/groups/bodhi-backend.yml
+++ b/playbooks/groups/bodhi-backend.yml
@ -35,7 +35,6 @@
  - role: nfs/client
    mnt_dir: '/mnt/fedora_koji'
    nfs_src_dir: 'fedora_koji'
-    when: env != 'staging'

    # In staging, we mount fedora_koji as read only (see nfs_mount_opts)
  - role: nfs/client
--- a/playbooks/groups/qa.yml
+++ b/playbooks/groups/qa.yml
@ -38,25 +38,6 @@
  handlers:
   - import_tasks: "{{ handlers_path }}/restart_services.yml"

- name: configure phabricator
-  hosts: qa-prod:qa-stg
-  user: root
-
-  gather_facts: True
-
-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  roles:
-   - { role: mariadb_server, tags: ['mariadb'] }
-   - { role: phabricator, tags: ['phabricator'] }
-
-  handlers:
-   - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-
 - name: configure qa buildbot CI
  hosts: qa-stg
  user: root
--- a/playbooks/hosts/magazine2.fedorainfracloud.org.yml
+++ b/playbooks/hosts/magazine2.fedorainfracloud.org.yml
@ -76,3 +76,6 @@
    cron: name="Wordpress nightly update check"
          special_time="daily"
          job="yum -y -q update wordpress"
+
+  handlers:
+  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/hosts/modernpaste.fedorainfracloud.org.yml
+++ b/playbooks/hosts/modernpaste.fedorainfracloud.org.yml
@ -37,3 +37,6 @@
  - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
  - name: set hostname (required by some services, at least postfix need it)
    hostname: name="{{inventory_hostname}}"
+
+  handlers:
+  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org
@ -0,0 +1,55 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW --src 10.5.126.23 -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
+
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# Allow connection to the database
+-A OUTPUT --dst 10.5.126.71 -p tcp -m tcp --dport 5432 -j ACCEPT
+
+# Allow DNS
+-A OUTPUT --dst 10.5.126.21 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT --dst 10.5.126.21 -p tcp -m tcp --dport 53 -j ACCEPT
+-A OUTPUT --dst 10.5.126.22 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT --dst 10.5.126.22 -p tcp -m tcp --dport 53 -j ACCEPT
+
+# Allow infrastructure.fp.o http and https
+-A OUTPUT --dst 10.5.126.23 -p tcp -m tcp --dport 80 -j ACCEPT
+-A OUTPUT --dst 10.5.126.23 -p tcp -m tcp --dport 443 -j ACCEPT
+
+# Allow https to proxies
+-A OUTPUT --dst 10.5.126.8 -p tcp -m tcp --dport 443 -j ACCEPT
+-A OUTPUT --dst 10.5.126.9 -p tcp -m tcp --dport 443 -j ACCEPT
+-A OUTPUT --dst 10.5.126.51 -p tcp -m tcp --dport 443 -j ACCEPT
+-A OUTPUT --dst 10.5.126.52 -p tcp -m tcp --dport 443 -j ACCEPT
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+
+# This box is special in that it also has OUTPUT filtered
+-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT
--- a/roles/bodhi2/backend/templates/owner-sync-pagure.j2
+++ b/roles/bodhi2/backend/templates/owner-sync-pagure.j2
@ -174,9 +174,7 @@ def get_branch_and_arches(tag, version):
        if STAGING:
            arches = ["primary"]
        else:
-            if version <= "25":
-                arches = ["primary", "arm", "ppc", "s390"]
-            elif version <= "26":
+            if version <= "26":
                arches = ["primary", "s390"]
            else:
                # Yay!  Everything in primary.
@ -306,6 +304,11 @@ def set_koji_ownership(tag, packages, arches, verbose=False):
        'timeout': 60 * 10,
    }
    for arch in arches:
+
+        # Something weird here.  Where do 'arm' and 'ppc' come from?
+        if arch in ['arm', 'ppc']:
+            arch = 'primary'
+
        if arch == 'primary':
            session = koji.ClientSession(
                'https://koji{0}.fedoraproject.org/kojihub'.format(ENV_SUFFIX),
--- a/roles/copr/backend/files/provision/files/mock/site-defaults.cfg
+++ b/roles/copr/backend/files/provision/files/mock/site-defaults.cfg
@ -23,3 +23,9 @@ config_opts['plugin_conf']['tmpfs_opts']['keep_mounted'] = False

 config_opts['yum_command'] = '/usr/bin/yum-deprecated'
 config_opts['nosync'] = True
+
+config_opts['plugin_conf']['chroot_scan_enable'] = True
+config_opts['plugin_conf']['chroot_scan_opts'] = {
+    'regexes': [ "dnf.*log$" ],
+    'only_failed': False,
+}
--- a/roles/epylog/files/merged/weed_local.cf
+++ b/roles/epylog/files/merged/weed_local.cf
@ -57,6 +57,7 @@ dnf-automatic:.*
 docker.*
 dracut.*
 etcd.*
+.*EDAC sbridge.*
 fedmsg-hub.*
 moksha-hub.*
 mailman3.*
@ -145,12 +146,14 @@ kernel: Hardware name.*
 kernel: task.*
 kernel: kauditd_printk_skb.*
 kernel: sd 7.*
+kernel: Using.*as fallback implementation.
 kojid.*
 koschei.*
 kojira.*
 logrotate.*
 lvm.*: Another thread is handling an event. Waiting...*
 libvirtd:.*debug.*
+libvirtd.*:.*is tainted.*
 nagios.*
 named.*: .* general: info:.*
 named.*: .* notify: info:.*
@ -419,6 +422,8 @@ systemd.*: Startup finished in.*
 systemd.*: Started User Manager for UID.*
 systemd.*: Started Process Core Dump
 systemd.*: Starting Exit the Session...
+systemd.*:.*Network Manager Script Dispatcher Service.*
+systemd.*: Started Virtual Machine.*
 supybot.*
 twistd.*
 unix_chkpwd.*: account .* has password changed in future
--- a/roles/mediawiki/templates/LocalSettings.php.fp.j2
+++ b/roles/mediawiki/templates/LocalSettings.php.fp.j2
@ -386,8 +386,8 @@ $wgSquidServersNoPurge = array(
    "192.168.1.63",

    # proxy07
-    "174.141.234.172",
-    "192.168.1.52",
+#    "174.141.234.172",
+#    "192.168.1.52",

    # proxy08
    "67.203.2.67",
@ -440,7 +440,7 @@ $wgSquidServers = array(
    # proxy06
    "192.168.1.63:6081",
    # proxy07
-    "192.168.1.52:6081",
+#    "192.168.1.52:6081",
    # proxy08
    "192.168.1.78:6081",
    # proxy10
@ -455,7 +455,7 @@ $wgSquidServers = array(
    "192.168.1.159:6081",
 {% endif %}
 );
-$wgSquidMaxage = 432000;
+$wgSquidMaxage = 21600;

 # Don't add rel="nofollow" 
 $wgNoFollowLinks = false; 
--- a/roles/nfs/client/tasks/main.yml
+++ b/roles/nfs/client/tasks/main.yml
@ -74,7 +74,7 @@
        passno=0
        dump=0
        state=mounted
-  when: datacenter == 'phx2'
+  when: datacenter == 'phx2' and env != 'staging'
  tags:
  - nfs/client

@ -108,7 +108,7 @@
        passno=0
        dump=0
        state=mounted
-  when: datacenter == 'staging' and 'koji' in mnt_dir
+  when: env == 'staging' and 'koji' in mnt_dir
  tags:
  - nfs/client

@ -121,6 +121,6 @@
        passno=0
        dump=0
        state=mounted
-  when: datacenter == 'staging' and 'koji' in mnt_dir
+  when: env == 'staging' and 'koji' in mnt_dir
  tags:
  - nfs/client
--- a/roles/openshift-apps/greenwave/templates/configmap.yml
+++ b/roles/openshift-apps/greenwave/templates/configmap.yml
@ -133,7 +133,7 @@ data:
    id: "atomic_ci_pipeline_results"
    product_versions:
      - fedora-26
-    decision_context: bodhi_update_push_stable
+    decision_context: bodhi_update_push_testing
    blacklist: []
    relevance_key: original_spec_nvr
    rules:
--- a/roles/pdc/frontend/tasks/main.yml
+++ b/roles/pdc/frontend/tasks/main.yml
@ -7,7 +7,7 @@
  tags: pdc

 - name: install needed packages
-  dnf: pkg={{ item }} state=present
+  package: pkg={{ item }} state=present
  with_items:
  - patternfly1
  - python-pdc
--- a/roles/phabricator/files/10-opcache.ini
+++ b/roles/phabricator/files/10-opcache.ini
@ -1,95 +0,0 @@
-; Enable Zend OPcache extension module
-zend_extension=opcache.so
-
-; Determines if Zend OPCache is enabled
-opcache.enable=1
-
-; Determines if Zend OPCache is enabled for the CLI version of PHP
-;opcache.enable_cli=0
-
-; The OPcache shared memory storage size.
-opcache.memory_consumption=128
-
-; The amount of memory for interned strings in Mbytes.
-opcache.interned_strings_buffer=8
-
-; The maximum number of keys (scripts) in the OPcache hash table.
-; Only numbers between 200 and 100000 are allowed.
-opcache.max_accelerated_files=4000
-
-; The maximum percentage of "wasted" memory until a restart is scheduled.
-;opcache.max_wasted_percentage=5
-
-; When this directive is enabled, the OPcache appends the current working
-; directory to the script key, thus eliminating possible collisions between
-; files with the same name (basename). Disabling the directive improves
-; performance, but may break existing applications.
-;opcache.use_cwd=1
-
-; When disabled, you must reset the OPcache manually or restart the
-; webserver for changes to the filesystem to take effect.
-opcache.validate_timestamps=0
-
-; How often (in seconds) to check file timestamps for changes to the shared
-; memory storage allocation. ("1" means validate once per second, but only
-; once per request. "0" means always validate)
-;opcache.revalidate_freq=2
-
-; Enables or disables file search in include_path optimization
-;opcache.revalidate_path=0
-
-; If disabled, all PHPDoc comments are dropped from the code to reduce the
-; size of the optimized code.
-;opcache.save_comments=1
-
-; If disabled, PHPDoc comments are not loaded from SHM, so "Doc Comments"
-; may be always stored (save_comments=1), but not loaded by applications
-; that don't need them anyway.
-;opcache.load_comments=1
-
-; If enabled, a fast shutdown sequence is used for the accelerated code
-;opcache.fast_shutdown=0
-
-; Allow file existence override (file_exists, etc.) performance feature.
-;opcache.enable_file_override=0
-
-; A bitmask, where each bit enables or disables the appropriate OPcache
-; passes
-;opcache.optimization_level=0xffffffff
-
-;opcache.inherited_hack=1
-;opcache.dups_fix=0
-
-; The location of the OPcache blacklist file (wildcards allowed).
-; Each OPcache blacklist file is a text file that holds the names of files
-; that should not be accelerated.
-opcache.blacklist_filename=/etc/php.d/opcache*.blacklist
-
-; Allows exclusion of large files from being cached. By default all files
-; are cached.
-;opcache.max_file_size=0
-
-; Check the cache checksum each N requests.
-; The default value of "0" means that the checks are disabled.
-;opcache.consistency_checks=0
-
-; How long to wait (in seconds) for a scheduled restart to begin if the cache
-; is not being accessed.
-;opcache.force_restart_timeout=180
-
-; OPcache error_log file name. Empty string assumes "stderr".
-;opcache.error_log=
-
-; All OPcache errors go to the Web server log.
-; By default, only fatal errors (level 0) or errors (level 1) are logged.
-; You can also enable warnings (level 2), info messages (level 3) or
-; debug messages (level 4).
-;opcache.log_verbosity_level=1
-
-; Preferred Shared Memory back-end. Leave empty and let the system decide.
-;opcache.preferred_memory_model=
-
-; Protect the shared memory from unexpected writing during script execution.
-; Useful for internal debugging only.
-;opcache.protect_memory=0
-
--- a/roles/phabricator/files/20-curl.ini
+++ b/roles/phabricator/files/20-curl.ini
@ -1,5 +0,0 @@
-; Enable curl extension module
-extension=curl.so
-
-; set alternate cacert location
-curl.cainfo=/etc/pki/tls/certs/ca-bundle.crt
--- a/roles/phabricator/files/apc.ini
+++ b/roles/phabricator/files/apc.ini
@ -1,70 +0,0 @@
-; Enable apc extension module
-extension = apc.so
-
-; Options for the APC module version >= 3.1.3
-; See http://www.php.net/manual/en/apc.configuration.php
-
-; This can be set to 0 to disable APC. 
-apc.enabled=1
-; The number of shared memory segments to allocate for the compiler cache. 
-apc.shm_segments=1
-; The size of each shared memory segment, with M/G suffix
-apc.shm_size=64M
-; A "hint" about the number of distinct source files that will be included or 
-; requested on your web server. Set to zero or omit if you are not sure;
-apc.num_files_hint=1024
-; Just like num_files_hint, a "hint" about the number of distinct user cache
-; variables to store.  Set to zero or omit if you are not sure;
-apc.user_entries_hint=4096
-; The number of seconds a cache entry is allowed to idle in a slot in case this
-; cache entry slot is needed by another entry.
-apc.ttl=7200
-; use the SAPI request start time for TTL
-apc.use_request_time=1
-; The number of seconds a user cache entry is allowed to idle in a slot in case
-; this cache entry slot is needed by another entry.
-apc.user_ttl=7200
-; The number of seconds that a cache entry may remain on the garbage-collection list. 
-apc.gc_ttl=3600
-; On by default, but can be set to off and used in conjunction with positive
-; apc.filters so that files are only cached if matched by a positive filter.
-apc.cache_by_default=1
-; A comma-separated list of POSIX extended regular expressions.
-apc.filters
-; The mktemp-style file_mask to pass to the mmap module 
-apc.mmap_file_mask=/tmp/apc.XXXXXX
-; This file_update_protection setting puts a delay on caching brand new files.
-apc.file_update_protection=2
-; Setting this enables APC for the CLI version of PHP (Mostly for testing and debugging).
-apc.enable_cli=0
-; Prevents large files from being cached
-apc.max_file_size=1M
-; Whether to stat the main script file and the fullpath includes.
-apc.stat=0
-; Vertification with ctime will avoid problems caused by programs such as svn or rsync by making 
-; sure inodes have not changed since the last stat. APC will normally only check mtime.
-apc.stat_ctime=0
-; Whether to canonicalize paths in stat=0 mode or fall back to stat behaviour
-apc.canonicalize=0
-; With write_lock enabled, only one process at a time will try to compile an 
-; uncached script while the other processes will run uncached
-apc.write_lock=1
-; Logs any scripts that were automatically excluded from being cached due to early/late binding issues.
-apc.report_autofilter=0
-; RFC1867 File Upload Progress hook handler
-apc.rfc1867=0
-apc.rfc1867_prefix =upload_
-apc.rfc1867_name=APC_UPLOAD_PROGRESS
-apc.rfc1867_freq=0
-apc.rfc1867_ttl=3600
-; Optimize include_once and require_once calls and avoid the expensive system calls used.
-apc.include_once_override=0
-apc.lazy_classes=0
-apc.lazy_functions=0
-; Enables APC handling of signals, such as SIGSEGV, that write core files when signaled. 
-; APC will attempt to unmap the shared memory segment in order to exclude it from the core file
-apc.coredump_unmap=0
-; Records a md5 hash of files. 
-apc.file_md5=0
-; not documented
-apc.preload_path
--- a/roles/phabricator/files/phabricator-preamble.php
+++ b/roles/phabricator/files/phabricator-preamble.php
@ -1,3 +0,0 @@
-<?php
-
-$_SERVER['HTTPS'] = true;
--- a/roles/phabricator/files/phabricator-welcome.html
+++ b/roles/phabricator/files/phabricator-welcome.html
@ -1,24 +0,0 @@
-<h1>Fedora QA Devel Phabricator</h1>
-
-<p>The Fedora QA Devel team uses this phabricator instance for tracking issues,
-code reviews and some documentation. We can be reached through
-<a href='https://admin.fedoraproject.org/mailman/listinfo/qa-devel'>our mailing list</a>
-or in the <a href='http://webchat.freenode.net/?channels=#fedora-qa'> #fedora-qa channel on Freenode</a>.
-</p>
-
-<br>
-
-<h2>Useful Links</h2>
-
-<ul>
-    <li><a href='https://phab.qadevel.cloud.fedoraproject.org/w/contributing/'>Contribution guide</a></li>
-    <li><a href='https://docs.qadevel.cloud.fedoraproject.org/libtaskotron/latest/'>Libtaskotron Documentation</a></li>
-    <li><a href='https://pagure.io/group/taskotron'>Canonical Taskotron git repos</a></li>
-
-    <li><a href='https://pagure.io/fedora-qa/os-autoinst-distri-fedora'>Canonical os-autoinst-distri-fedora (previously openqa_fedora) git repo</a></li>
-    <li><a href='https://bitbucket.org/rajcze/openqa_fedora_tools'>Canonical openqa_fedora_tools (previously openqa_fedora) git repo</a></li>
-
-    <li><a href='https://pagure.io/fedora-qa/fedfind'>Canonical fedfind repo</a></li>
-    <li><a href='https://pagure.io/fedora-qa/python-wikitcms'>Canonical python-wikitcms repo</a></li>
-    <li><a href='https://pagure.io/fedora-qa/relval'>Canonical r repo</a></li>
-</ul>
--- a/roles/phabricator/files/php.ini
+++ b/roles/phabricator/files/php.ini
--- a/roles/phabricator/handlers/main.yml
+++ b/roles/phabricator/handlers/main.yml
@ -1,7 +0,0 @@
-##########################################################
-# Handlers for restarting services specific to phabricator
-#
-
- name: restart phd
-  service: name=phd state=restarted
-
--- a/roles/phabricator/tasks/main.yml
+++ b/roles/phabricator/tasks/main.yml
@ -1,180 +0,0 @@
---
- name: start httpd (provided in the apache role)
-  service: name=httpd state=started
-
- name: ensure packages required for phabricator are installed (yum)
-  package: name={{ item }} state=present enablerepo={{ extra_enablerepos }}
-  with_items:
-    - MySQL-python
-    - git
-    - httpd
-    - mod_ssl
-    - php
-    - php-cli
-    - php-mysql
-    - php-process
-    - php-devel
-    - php-gd
-    - php-mbstring
-    - php-opcache
-    - python-pygments
-    - libphutil
-    - arcanist
-    - phabricator
-  when: ansible_distribution_major_version|int < 22
-
- name: ensure packages required for phabricator are installed (dnf)
-  dnf: name={{ item }} state=present enablerepo={{ extra_enablerepos }}
-  with_items:
-    - MySQL-python
-    - git
-    - httpd
-    - mod_ssl
-    - php
-    - php-cli
-    - php-process
-    - php-devel
-    - php-gd
-    - php-mbstring
-    - php-opcache
-    - python-pygments
-    - libphutil
-    - arcanist
-    - phabricator
-  when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
-
- name: create mariadb user for phabricator
-  mysql_user:
-    name: "{{ mariadb_user }}"
-    host: 'localhost'
-    password: "{{ mariadb_password }}"
-    priv: "*.*:ALL"
-    state: present
-    login_user: root
-    login_password: "{{ mariadb_root_password }}"
-    login_host: "127.0.0.1"
-  delegate_to: "{{ inventory_hostname }}"
-
- name: ensure backup directory exists
-  file: path={{ backup_dir }} state=directory owner=root group=root mode=1755
-
- name: generate phabricator mysql backup cronjob
-  template: src=phabricator-mariadb-dump.cron.j2 dest=/etc/cron.d/phabricator-mariadb-dump.cron owner=root group=root mode=0644
-
- name: create phabricator daemon user
-  user: name={{ phabricator_daemon_user }}
-
- name: add apache user to daemon user group
-  user: name=apache groups={{ phabricator_daemon_user }}
-
- name: create vcs user
-  user: name={{ phabricator_vcs_user }} password={{ phabricator_vcs_user_password }} groups={{ phabricator_daemon_user }}
-  when: enable_phabricator_git
-
- name: add vcs user to sudoers to write as daemon user with restrictions for git
-  lineinfile: "dest=/etc/sudoers state=present line='{{ phabricator_vcs_user }} ALL=({{ phabricator_daemon_user }}) SETENV: NOPASSWD: /usr/libexec/git-core/git-upload-pack, /usr/libexec/git-core/git-receive-pack'"
-
- name: remove tty requirement for sudo by git user
-  lineinfile: "dest=/etc/sudoers state=present line='Defaults:{{phabricator_vcs_user }} !requiretty'"
-
- name: add apache user to sudoers to write as daemon user with restrictions for git
-  lineinfile: "dest=/etc/sudoers state=present line='apache ALL=({{ phabricator_daemon_user }}) SETENV: NOPASSWD: /usr/libexec/git-core/git-http-backend'"
-
- name: remove tty requirement for sudo by git user
-  lineinfile: "dest=/etc/sudoers state=present line='Defaults:apache !requiretty'"
-
- name: update php.ini
-  copy: src=php.ini dest=/etc/php.d/php.ini owner=root group=root mode=0644
-  notify:
-  - reload httpd
-
- name: update php-opcache config
-  copy:
-    src: "10-opcache.ini"
-    dest: /etc/php.d/10-opcache.ini
-    owner: root
-    group: root
-    mode: 0644
-
- name: update php-curl config
-  copy:
-    src: "20-curl.ini"
-    dest: /etc/php.d/20-curl.ini
-    owner: root
-    group: root
-    mode: 0644
-
- name: clone phabricator-extension-ipsilonoauth
-  git:
-      repo: 'https://pagure.io/phabricator-extension-ipsilonoauth.git'
-      dest: /var/www/phabricator-extension-ipsilonoauth
-      version: c70333b0d2d4d348b429e82e39d634071accf939
-
- name: create git repo root for phabricator
-  file: path={{ phabricator_repodir }} state=directory owner={{ phabricator_daemon_user }} group={{ phabricator_daemon_user }} mode=1755
-  when: enable_phabricator_git
-
- name: create file directory for phabricator
-  file: path={{ phabricator_filedir }} state=directory owner=apache group=apache mode=1755
-
- name: create log directory for phabricator
-  file: path=/var/log/phabricator state=directory owner={{ phabricator_daemon_user }} group={{ phabricator_daemon_user }} mode=1775
-
-# disabling phabricator env
-#- name: generate phabricator environment
-#  template: src=ENVIRONMENT.j2 dest={{ phabroot }}/phabricator/conf/local/ENVIRONMENT owner=apache group=apache mode=0644
-
- name: copy phabricator configuration settings
-  template: src=local.json.j2 dest={{ phabroot }}/phabricator/conf/local/local.json owner=apache group=apache mode=0644
-  notify:
-   - restart phd
-
- name: copy phabricator preamble
-  copy: src=phabricator-preamble.php dest={{ phabroot }}/phabricator/support/preamble.php owner=apache group=apache mode=0644
-
- name: copy phabricator custom login plugin
-  template: src=CustomLoginHandler.php.j2 dest={{ phabroot }}/phabricator/src/extensions/CustomLoginHandler.php owner=apache group=apache mode=0644
-  notify:
-   - restart phd
-
-# this isn't well supported upstream right now, disabling
-#- name: generate chatbot config
-#  template: src=chatbot-config.json.j2 dest={{ phabroot }}/phabricator/resources/chatbot/config.json owner=apache group=apache mode=0644
-
-# long story short, I need to let this fail for now until something is fixed, will re-enable. tflink - 2016-12-15
-#- name: upgrade phabricator storage
-#  command: chdir={{ phabroot }}/phabricator bin/storage upgrade --force
-
- name: generate phabricator git hook
-  template: src=phabricator-ssh-hook.sh.j2 dest=/etc/phabricator-ssh-hook.sh owner=root group=root mode=0755
-  when: enable_phabricator_git
-
- name: generate phabricator ssh config for vcs
-  template: src=phabricator-sshd.conf.j2 dest=/etc/ssh/phabricator-sshd.conf owner=root group=root mode=0600
-  when: enable_phabricator_git
-
- name: generate phabricator ssh service file
-  template: src=phabricator-sshd.service.j2 dest=/lib/systemd/system/phabricator-sshd.service owner=root group=root mode=0644
-  when: enable_phabricator_git
-
- name: start and enable phabricator sshd service
-  service: name=phabricator-sshd enabled=yes state=started
-  when: enable_phabricator_git
-
- name: generate phabricator phd service file
-  template: src=phd.service.j2 dest=/lib/systemd/system/phd.service owner=root group=root mode=0644
-
- name: create directory for phd pids
-  file: path=/var/run/phabricator state=directory owner={{ phabricator_daemon_user }} group={{ phabricator_daemon_user }} mode=1755
-
- name: start and enable phabricator phd service
-  service: name=phd enabled=yes state=started
-
- name: copy phabricator httpd config
-  template: src=phabricator.conf.j2 dest=/etc/httpd/conf.d/phabricator.conf owner=root group=root mode=0644
-  tags:
-  - httpd
-  notify:
-  - reload httpd
-
-
--- a/roles/phabricator/templates/CustomLoginHandler.php.j2
+++ b/roles/phabricator/templates/CustomLoginHandler.php.j2
@ -1,19 +0,0 @@
-<?php
-
-final class CustomLoginHandler
-    extends PhabricatorAuthLoginHandler {
-
-    public function getAuthLoginHeaderContent() {
-        return phutil_safe_html("
-<center><h1>Logging in to Fedora QA Devel Phabricator</h1></center>
-<p style='max-width: 508px;margin: 16px auto;'>
-  This phabricator instance is only setup for authentication with <a href='https://admin.fedoraproject.org/accounts'>the Fedora Accounts System</a>. If you have previously logged in to this instance, click o    n the 'Login or Register' button to log in again. If you are new to this system, please follow the follow
-  ing guidelines:
-  <ul style='list-style-type: disc; margin: auto; max-width:508px;'>
-    <li style='list-style-type: disc;'>When you login with Persona, make sure to use your <b>fasusername@fedoraproject.org</b> email alias (replacing 'fasusername' with your FAS user)</li>
-    <li>When creating a phabricator user account, please match the account name with your FAS username for less confusion on everyone elses' part</li>
-    <li>If you have any questions, come find us in #fedora-qa on Freenode or on the <a href='https://admin.fedoraproject.org/mailman/listinfo/qa-devel'>Fedora QA Devel mailing list</a>.</li>
-  </ul>
-</p>");
-    }
-}
--- a/roles/phabricator/templates/ENVIRONMENT.j2
+++ b/roles/phabricator/templates/ENVIRONMENT.j2
@ -1 +0,0 @@
-{{ phabricator_config_filename }}
--- a/roles/phabricator/templates/chatbot-config.json.j2
+++ b/roles/phabricator/templates/chatbot-config.json.j2
@ -1,27 +0,0 @@
-{
-  "server" : "irc.freenode.net",
-  "port" : 6667,
-  "nick" : "{{ ircnick }}",
-  "nickpass" : "{{ ircnickpass }}",
-  "join" : [
-    "#fedora-qa-devel"
-  ],
-  "handlers" : [
-    "PhabricatorBotObjectNameHandler",
-    "PhabricatorBotSymbolHandler",
-    "PhabricatorBotLogHandler",
-    "PhabricatorBotWhatsNewHandler",
-    "PhabricatorBotDifferentialNotificationHandler",
-    "PhabricatorBotMacroHandler"
-  ],
-
-  "conduit.uri" : "https://phab.{{ external_hostname }}/",
-  "conduit.user" : "{{ ircnick }}",
-  "conduit.cert" : "{{ irc_conduit_cert }}",
-
-  "macro.size" : 48,
-  "macro.aspect" : 0.66,
-
-  "notification.channels" : ["#fedora-qa-devel"]
-}
-
--- a/roles/phabricator/templates/local.json.j2
+++ b/roles/phabricator/templates/local.json.j2
@ -1,44 +0,0 @@
-{
-  "phabricator.base-uri" : "https:\/\/phab.{{ external_hostname }}\/",
-  "phabricator.allowed-uris": ["http:\/\/phab.{{ inventory_hostname }}\/"],
-  "log.ssh.path"  : "\/var\/log\/phabricator\/ssh.log",
-  "log.access.path" : "\/var\/log\/phabricator\/access.log",
-  "mysql.host" : "{{ mariadb_host }}",
-  "mysql.user" : "{{ mariadb_user }}",
-  "mysql.pass" : "{{ mariadb_password }}",
-  "log.access.path" : "/var/log/phabricator/access.log",
-  "log.ssh.path" : "/var/log/phabricator/ssh.log",
-  "phd.pid-directory" : "/var/run/phabricator/",
-  "phd.log-directory" : "/var/log/phabricator/",
-  "phd.user" : "{{ phabricator_daemon_user }}",
-  "pygments.enabled" : true,
-  "storage.local-disk.path" : "{{ phabricator_filedir }}",
-  "repository.default-local-path" : "{{ phabricator_repodir }}",
-  "environment.append-paths" : ["/usr/libexec/git-core/"],
-  "diffusion.ssh-user" : "{{ phabricator_vcs_user }}",
-  "diffusion.ssh-host" : "git.{{ external_hostname }}",
-  "ui.header-color" : "{{ phabricator_header_color }}",
-  "metamta.default-address" : "phabricator@{{ phabricator_mail_domain }}",
-  "metamta.domain" : "{{ phabricator_mail_domain }}",
-  "metamta.reply-handler-domain" : "{{ phabricator_mail_domain }}",
-  "metamta.mail-adapter" : "{{ "PhabricatorMailImplementationPHPMailerAdapter" if phabricator_mail_enabled else "PhabricatorMailImplementationTestAdapter"}}",
-  "phpmailer.smtp-host" : "bastion.fedoraproject.org",
-  "phpmailer.smtp-protocol" : "",
-  "phabricator.uninstalled-applications" : {
-        "PhabricatorApplicationPhame" : true,
-        "PhabricatorApplicationDiviner" : true,
-        "PhabricatorApplicationLegalpad" : true,
-        "PhabricatorApplicationDrydock" : true,
-        "PhabricatorApplicationHarbormaster" : true,
-        "PhabricatorApplicationOAuthServer" : true,
-        "PhabricatorApplicationPhortune" : true
-        },
-{% if deployment_type == "qadevel-prod"%}
-  "load-libraries":{}
-{% else %}
-  "load-libraries": {
-    "ipsilonoauth": "/var/www/phabricator-extension-ipsilonoauth/src"
-  }
-{% endif %}
-}
-
--- a/roles/phabricator/templates/phabricator-mariadb-dump.cron.j2
+++ b/roles/phabricator/templates/phabricator-mariadb-dump.cron.j2
@ -1,2 +0,0 @@
-# backup phabricator related mysql databases
-0 2 * * * root mysql -u root -e "show databases" | grep -v Database | grep -v mysql| grep -v information_schema| grep -v test | grep -v OLD | grep {{ phabricator_db_prefix }} | tr '\n' ' ' | sed i\ 'mysqldump -u root --databases ' | tr '\n' ' ' | sed a\ ' >  {{ backup_dir }}/{{ phabricator_mysqldump_filename }}' | tr '\n' ' ' | sh
--- a/roles/phabricator/templates/phabricator-ssh-hook.sh.j2
+++ b/roles/phabricator/templates/phabricator-ssh-hook.sh.j2
@ -1,14 +0,0 @@
-#!/bin/sh
-
-# NOTE: Replace this with the username that you expect users to connect with.
-VCSUSER="{{ phabricator_vcs_user }}"
-
-# NOTE: Replace this with the path to your Phabricator directory.
-ROOT="{{ phabroot }}/phabricator"
-
-if [ "$1" != "$VCSUSER" ];
-then
-exit 1
-fi
-
-exec "$ROOT/bin/ssh-auth" $@
--- a/roles/phabricator/templates/phabricator-sshd.conf.j2
+++ b/roles/phabricator/templates/phabricator-sshd.conf.j2
@ -1,21 +0,0 @@
-# NOTE: You must have OpenSSHD 6.2 or newer; support for AuthorizedKeysCommand
-# was added in this version.
-
-# NOTE: Edit these to the correct values for your setup.
-
-AuthorizedKeysCommand /etc/phabricator-ssh-hook.sh
-AuthorizedKeysCommandUser {{ phabricator_vcs_user }}
-
-# You may need to tweak these options, but mostly they just turn off everything
-# dangerous.
-
-Protocol 2
-PermitRootLogin no
-AllowAgentForwarding no
-AllowTcpForwarding no
-PrintMotd no
-PrintLastLog no
-PasswordAuthentication no
-AuthorizedKeysFile none
-
-PidFile /var/run/sshd-phabricator.pid
--- a/roles/phabricator/templates/phabricator-sshd.service.j2
+++ b/roles/phabricator/templates/phabricator-sshd.service.j2
@ -1,12 +0,0 @@
-[Unit]
-Description=OpenSSH server daemon for Phabricator
-After=syslog.target network.target auditd.service
-
-[Service]
-ExecStartPre=/usr/sbin/sshd-keygen
-ExecStart=/usr/sbin/sshd -f /etc/ssh/phabricator-sshd.conf -D $OPTIONS
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-
-[Install]
-WantedBy=multi-user.target
--- a/roles/phabricator/templates/phabricator-sshd.socket.j2
+++ b/roles/phabricator/templates/phabricator-sshd.socket.j2
@ -1,10 +0,0 @@
-[Unit]
-Description=OpenSSH Server Socket
-Conflicts=sshd.service
-
-[Socket]
-ListenStream=22
-Accept=yes
-
-[Install]
-WantedBy=sockets.target
--- a/roles/phabricator/templates/phabricator.conf.j2
+++ b/roles/phabricator/templates/phabricator.conf.j2
@ -1,26 +0,0 @@
-<VirtualHost *:80>
-  # Change this to the domain which points to your host.
-  ServerName phab.{{external_hostname}}
-  ServerAlias phab.{{inventory_hostname}}
-
-  # Make sure you include "/webroot" at the end!
-  DocumentRoot {{phabroot}}/phabricator/webroot
-
-  RewriteEngine on
-  RewriteRule ^/rsrc/(.*)     -                       [L,QSA]
-  RewriteRule ^/favicon.ico   -                       [L,QSA]
-  RewriteRule ^(.*)$          /index.php?__path__=$1  [B,L,QSA]
-</VirtualHost>
-
-<Directory "{{ phabroot }}/phabricator/webroot">
-  AllowOverride None
-  #Require all granted
-  <IfModule mod_authz_core.c>
-      # Apache 2.4
-      Require all granted
-  </IfModule>
-  <IfModule !mod_auth_core.c>
-      Order allow,deny
-      Allow from all
-  </IfModule>
-</Directory>
--- a/roles/phabricator/templates/phd.service.j2
+++ b/roles/phabricator/templates/phd.service.j2
@ -1,11 +0,0 @@
-[Unit]
-Description=Phabricator Daemons
-After=httpd.service
-
-[Service]
-Type=forking
-ExecStart={{ phabroot }}/phabricator/bin/phd start
-ExecStop={{ phabroot }}/phabricator/bin/phd stop
-ExecRestart={{ phabroot}}/phabricator/bin/phd restart
-User={{ phabricator_daemon_user }}
-Group={{ phabricator_daemon_user }}
--- a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev
+++ b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev
@ -2,3 +2,10 @@
 - when: {message_type: KojiBuildPackageCompleted}
  do:
    - {tasks: [rpmlint, rpmgrill]}
+
+- when:
+    message_type: KojiBuildPackageCompleted
+    name:
+      $nin: [{{ trigger_abicheck_blacklist | join(',') }}]
+  do:
+    - {tasks: [abicheck]}
--- a/scripts/vhost-info
+++ b/scripts/vhost-info
@ -71,6 +71,8 @@ loader = DataLoader()
 inv = InventoryManager(loader=loader, sources=opts.host_file)
 variable_manager = VariableManager(loader=loader, inventory=inv)

+unpatched_spectre = loader.load_from_file('/srv/private/ansible/vars.yml')['non_spectre_patched']
+
 # create play with tasks
 play_source =  dict(
        name = "vhost-info",
@ -99,5 +101,8 @@ finally:
 for vhostname in sorted(cb.mem_per_host):
    freemem = cb.mem_per_host[vhostname] - cb.mem_used_in_vm[vhostname]
    freecpu = cb.cpu_per_host[vhostname] - cb.cpu_used_in_vm[vhostname]
-    print '%s:\t%s/%s mem(unused/total)\t%s/%s cpus(unused/total)' % (
-        vhostname, freemem, cb.mem_per_host[vhostname], freecpu, cb.cpu_per_host[vhostname])
+    insecure = ''
+    if vhostname in unpatched_spectre:
+        insecure = ' (NOT PATCHED FOR SPECTRE)'
+    print '%s:\t%s/%s mem(unused/total)\t%s/%s cpus(unused/total) %s' % (
+        vhostname, freemem, cb.mem_per_host[vhostname], freecpu, cb.cpu_per_host[vhostname], insecure)