From 2ad34d91b21b8a5d78e8cb9ac15824aa25b00d22 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 5 Jun 2015 18:49:11 +0000 Subject: [PATCH] Add a first cut at a s390 koji hub and db. These are using the normal koji hub and postgresql playbooks and will live on virthost-s390.qa. --- .../db-s390-koji01.qa.fedoraproject.org | 42 ++++ .../s390-koji01.qa.fedoraproject.org | 12 + inventory/inventory | 2 + master.yml | 4 +- playbooks/groups/koji-hub.yml | 12 +- playbooks/groups/postgresql-server.yml | 4 +- roles/koji_hub/files/koji-ssl.conf.s390 | 226 ++++++++++++++++++ roles/koji_hub/tasks/main.yml | 54 ++++- roles/koji_hub/templates/hub.conf.j2 | 15 ++ roles/koji_hub/templates/web.conf.j2 | 4 +- 10 files changed, 363 insertions(+), 12 deletions(-) create mode 100644 inventory/host_vars/db-s390-koji01.qa.fedoraproject.org create mode 100644 inventory/host_vars/s390-koji01.qa.fedoraproject.org create mode 100644 roles/koji_hub/files/koji-ssl.conf.s390 diff --git a/inventory/host_vars/db-s390-koji01.qa.fedoraproject.org b/inventory/host_vars/db-s390-koji01.qa.fedoraproject.org new file mode 100644 index 0000000000..62e4d4aaca --- /dev/null +++ b/inventory/host_vars/db-s390-koji01.qa.fedoraproject.org 
@@ -0,0 +1,42 @@ +--- +nm: 255.255.255.0 +gw: 10.5.131.254 +dns: 10.5.126.21 +volgroup: /dev/vg_guests +eth0_ip: 10.5.131.16 +vmhost: virthost-ss390.qa.fedoraproject.org +datacenter: phx2 + +ks_url: http://infrastructure.phx2.fedoraproject.org/repo/rhel/ks/kvm-rhel-7 +ks_repo: http://infrastructure.phx2.fedoraproject.org/repo/rhel/RHEL7-x86_64/ + +# This is a generic list, monitored by collectd +databases: +- koji + +# This is a more strict list, to be made publicly available +dbs_to_backup: +- koji + +# These are normally group variables, but in this case db servers are often different +lvm_size: 500000 +mem_size: 25165 +num_cpus: 12 +fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-secondary + +# kernel SHMMAX value +kernel_shmmax: 68719476736 + +# +# Only allow postgresql access from the frontend node. +# +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.131.15 --dport 5432 -j ACCEPT' ] + +# +# Large updates pushes cause lots of db threads doing the tag moves, so up this from default. +# +nrpe_procs_warn: 600 +nrpe_procs_crit: 700 + +host_backup_targets: ['/backups'] +shared_buffers: "4GB" diff --git a/inventory/host_vars/s390-koji01.qa.fedoraproject.org b/inventory/host_vars/s390-koji01.qa.fedoraproject.org new file mode 100644 index 0000000000..cc6760964c --- /dev/null +++ b/inventory/host_vars/s390-koji01.qa.fedoraproject.org @@ -0,0 +1,12 @@ +--- +nm: 255.255.255.0 +gw: 10.5.131.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 +ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ +volgroup: /dev/vg_guests +eth0_ip: 10.5.131.15 +vmhost: virthost-s390.phx2.fedoraproject.org +datacenter: phx2 +nrpe_procs_warn: 900 +nrpe_procs_crit: 1000 diff --git a/inventory/inventory b/inventory/inventory index 985a9f25e5..608e0b588d 100644 --- a/inventory/inventory +++ b/inventory/inventory 
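Review bot: `vmhost: virthost-ss390.qa.fedoraproject.org` in the new db-s390-koji01 host_vars looks like a typo, and it also disagrees with the sibling file, which has `vmhost: virthost-s390.phx2.fedoraproject.org`, while the commit message calls the machine virthost-s390.qa; whichever spelling is wrong will send the create-VM step at a host that does not exist. Pick the one real virthost name and use it in both files. The postgres firewall rule `custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.131.15 --dport 5432 -j ACCEPT' ]` correctly pins access to the hub's `eth0_ip`, but that coupling is invisible from this file; a comment such as `# 10.5.131.15 is s390-koji01.qa (its eth0_ip) -- keep in sync` next to it would stop the rule from silently going stale when either host is renumbered.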
@@ -223,6 +223,7 @@ db05.phx2.fedoraproject.org db-fas01.phx2.fedoraproject.org db-datanommer02.phx2.fedoraproject.org db-koji01.phx2.fedoraproject.org +db-s390-koji01.qa.fedoraproject.org db-qa01.qa.fedoraproject.org [dbserver-stg] @@ -298,6 +299,7 @@ keys02.fedoraproject.org [koji] koji01.phx2.fedoraproject.org koji02.phx2.fedoraproject.org +s390-koji01.qa.fedoraproject.org [koji-stg] koji01.stg.phx2.fedoraproject.org diff --git a/master.yml b/master.yml index 2ea73a5f3c..502b6b4fa1 100644 --- a/master.yml +++ b/master.yml @@ -68,7 +68,7 @@ - include: /srv/web/infra/ansible/playbooks/groups/notifs-backend.yml - include: /srv/web/infra/ansible/playbooks/groups/notifs-web.yml - include: /srv/web/infra/ansible/playbooks/groups/nuancier.yml -- include: /srv/web/infra/ansible/playbooks/groups/openstack-compute-nodes.yml +#- include: /srv/web/infra/ansible/playbooks/groups/openstack-compute-nodes.yml - include: /srv/web/infra/ansible/playbooks/groups/packages.yml - include: /srv/web/infra/ansible/playbooks/groups/pagure.yml - include: /srv/web/infra/ansible/playbooks/groups/paste.yml @@ -114,7 +114,7 @@ - include: /srv/web/infra/ansible/playbooks/hosts/devpi.cloud.fedoraproject.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/darkserver-dev.cloud.fedoraproject.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/elections-dev.cloud.fedoraproject.org.yml -- include: /srv/web/infra/ansible/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml +#- include: /srv/web/infra/ansible/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/fedocal.dev.fedoraproject.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/junk01.phx2.fedoraproject.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/koschei.cloud.fedoraproject.org.yml diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index 1bc6fa9d32..09d1c9b9d6 100644 --- a/playbooks/groups/koji-hub.yml 
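Review bot: The two `- include:` lines that master.yml now comments out (openstack-compute-nodes.yml and fed-cloud09.cloud.fedoraproject.org.yml) have nothing to do with the s390 hub, and neither the commit message nor the file says why they are disabled. A play dropped from master.yml silently stops receiving configuration on the next full run, so the reason and the intended duration belong next to the line, e.g. `#- include: ... # disabled 2015-06-05: <reason>, re-enable when <condition>`, or the change belongs in its own commit.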
+++ b/playbooks/groups/koji-hub.yml @@ -3,7 +3,7 @@ # NOTE: most of these vars_path come from group_vars/koji-hub or from hostvars - name: make koji hub - hosts: koji-stg:koji01.phx2.fedoraproject.org:koji02.phx2.fedoraproject.org + hosts: koji-stg:koji01.phx2.fedoraproject.org:koji02.phx2.fedoraproject.org:s390-koji01.qa.fedoraproject.org user: root gather_facts: False @@ -21,7 +21,7 @@ # Once the instance exists, configure it. - name: make koji_hub server system - hosts: koji-stg:koji01.phx2.fedoraproject.org:koji02.phx2.fedoraproject.org + hosts: koji-stg:koji01.phx2.fedoraproject.org:koji02.phx2.fedoraproject.org:s390-koji01.qa.fedoraproject.org user: root gather_facts: True @@ -43,11 +43,15 @@ - koji_hub - { role: koji_builder, when: env == "staging" } - { role: nfs/server, when: env == "staging" } - - { role: keepalived, when: env != "staging" } + - { role: keepalived, when: env == "production" and inventory_hostname.startswith('koji') } - role: nfs/client mnt_dir: '/mnt/fedora_koji' nfs_src_dir: 'fedora_koji' - when: env != 'staging' + when: env == 'production' and inventory_hostname.startswith('koji') + - role: nfs/client + mnt_dir: '/mnt/koji' + nfs_src_dir: 'fedora_s390/data' + when: env == 'production' and inventory_hostname.startswith('s390') - sudo tasks: diff --git a/playbooks/groups/postgresql-server.yml b/playbooks/groups/postgresql-server.yml index ef66ce975e..5df0341368 100644 --- a/playbooks/groups/postgresql-server.yml +++ b/playbooks/groups/postgresql-server.yml 
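Review bot: The play picks roles with string-prefix tests on `inventory_hostname` (`startswith('koji')`, `startswith('s390')`), while the koji_hub role's tasks in this same commit make the same decision with `ansible_hostname`; the two facts need not agree (inventory name versus the hostname the target reports), so the playbook and the role can classify one host differently. One per-host or per-group variable (for example a `koji_instance` var in host_vars) read by both places would remove the duplication and would not silently misclassify a future hub whose name starts with neither prefix. Note also that the `keepalived` and `/mnt/fedora_koji` conditions changed from `env != "staging"` to `env == "production"`, which is stricter: a host in this play whose `env` is neither value now gets neither; confirm that is intended and that s390-koji01 inherits `env` from the koji group.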
@@ -3,7 +3,7 @@ # NOTE: most of these vars_path come from group_vars/backup_server or from hostvars - name: make postgresql-server instance - hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org + hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.qa.fedoraproject.org user: root gather_facts: False @@ -21,7 +21,7 @@ # Once the instance exists, configure it. - name: configure postgresql server system - hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org + hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.qa.fedoraproject.org user: root gather_facts: True diff --git a/roles/koji_hub/files/koji-ssl.conf.s390 b/roles/koji_hub/files/koji-ssl.conf.s390 new file mode 100644 index 0000000000..40c0a028c8 --- /dev/null +++ b/roles/koji_hub/files/koji-ssl.conf.s390 
@@ -0,0 +1,226 @@ +# +# When we also provide SSL we have to listen to the +# the HTTPS port in addition. +# +Listen 443 https + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/run/httpd/sslcache(1024000) +SSLSessionCacheTimeout 600 + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. 
+# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + + + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName www.example.com:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the enable protocol levels with which clients will be able to +# connect. Disable SSLv2 access by default: +SSLProtocol all -SSLv2 + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + +# Speed-optimized SSL Cipher configuration: +# If speed is your main concern (on busy HTTPS servers e.g.), +# you might want to force clients to specific, performance +# optimized ciphers. In this case, prepend those ciphers +# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. +# Caveat: by giving precedence to RC4-SHA and AES128-SHA +# (as in the example below), most connections will no longer +# have perfect forward secrecy - if the server's key is +# compromised, captures of past or future traffic must be +# considered compromised, too. +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 +#SSLHonorCipherOrder on + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A new +# certificate can be generated using the genkey(1) command. 
+#SSLCertificateFile /etc/pki/tls/certs/localhost.crt +SSLCertificateFile /etc/pki/tls/certs/koji_cert.pem + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key +SSLCertificateKeyFile /etc/pki/tls/private/koji_key.pem + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convinience. +#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt +SSLCertificateChainFile /etc/pki/tls/certs/extras_cacert.pem + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt +SSLCACertificateFile /etc/pki/tls/certs/extras_upload_cacert.pem + +SSLCARevocationFile /etc/pki/tls/crl.pem +SSLCARevocationCheck chain + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. 
See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is send or allowed to received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +RewriteEngine on +RewriteRule ^/$ /koji [R,L] + + 
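Review bot: `SSLProtocol all -SSLv2` in the new koji-ssl.conf.s390 still allows SSLv3, and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` still allows RC4 and other MEDIUM suites with no `SSLHonorCipherOrder`, so the client chooses; for a hub whose builder and kojiweb authentication is client certificates over this listener, the TLS layer is the thing everything else rests on. The file is visibly derived from the stock mod_ssl ssl.conf, and those are its defaults; use `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` and `SSLHonorCipherOrder on` here. `SSLVerifyClient` is left commented out, which is only acceptable if the client-cert requirement for the hub path is set per-Location in a conf that is not part of this commit -- a comment pointing at that file would make the dependency explicit. The `VirtualHost`/`Files`/`Directory` container lines appear to have been dropped from this rendering of the hunk, so the two bare `SSLOptions +StdEnvVars` lines should be checked against the actual file rather than this view.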
diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml index 3d228793f7..5af8101d55 100644 --- a/roles/koji_hub/tasks/main.yml +++ b/roles/koji_hub/tasks/main.yml @@ -76,6 +76,9 @@ - config - koji_hub +# +# install production certs and keys +# - name: install kojiweb_cert_key.pem copy: src={{ puppet_private }}/koji/kojiweb_cert_key.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem owner=apache mode=600 notify: @@ -83,7 +86,7 @@ tags: - config - koji_hub - when: env != 'staging' + when: env != 'staging' and ansible_hostname.startswith('koji') - name: install production koji_cert.pem copy: src={{ puppet_private }}/koji/koji_cert.pem dest=/etc/pki/tls/certs/koji_cert.pem owner=apache mode=600 @@ -92,7 +95,7 @@ tags: - config - koji_hub - when: env != 'staging' + when: env != 'staging' and ansible_hostname.startswith('koji') - name: install production koji_key.pem copy: src={{ puppet_private }}/koji/koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600 
@@ -101,8 +104,41 @@ tags: - config - koji_hub - when: env != 'staging' + when: env != 'staging' and ansible_hostname.startswith('koji') +# +# install production s390 certs and keys +# +- name: install s390 kojiweb_cert_key.pem + copy: src={{ private }}/files/koji/s390.koji.fedoraproject.org_key_and_cert.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem owner=apache mode=600 + notify: + - restart httpd + tags: + - config + - koji_hub + when: ansible_hostname.startswith('s390') + +- name: install s390 production koji_cert.pem + copy: src={{ private }}/files/koji/s390_koji_cert.pem dest=/etc/pki/tls/certs/koji_cert.pem owner=apache mode=600 + notify: + - restart httpd + tags: + - config + - koji_hub + when: ansible_hostname.startswith('s390') + +- name: install s390 production koji_key.pem + copy: src={{ private }}/files/koji/s390_koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600 + notify: + - restart httpd + tags: + - config + - koji_hub + when: ansible_hostname.startswith('s390') + +# +# install staging certs and keys +# - name: Install staging koji ssl cert copy: src={{ puppet_private }}/koji/koji.stg_cert.pem dest=/etc/pki/tls/certs/koji.stg_cert.pem notify: @@ -137,6 +173,14 @@ tags: - config - koji_hub + when: ansible_hostname.startswith('koji') + +- name: install s390 kojira_cert_key + copy: src={{ private }}/files/koji/s390_kojira_cert_key.pem dest=/etc/kojira/kojira_cert_key.pem owner=apache mode=600 + tags: + - config + - koji_hub + when: ansible_hostname.startswith('s390') - name: updatecrl script copy: src=updatecrl.sh dest=/usr/local/bin/updatecrl.sh owner=root mode=755 
@@ -258,21 +302,25 @@ tags: - service - koji_hub + when: env != 'staging' and ansible_hostname.startswith('koji') - name: install cert for oscar (garbage collector) user copy: src={{ puppet_private }}/koji/gc/oscar_key_and_cert.pem dest=/etc/koji-gc/client.crt tags: - koji_hub + when: env != 'staging' and ansible_hostname.startswith('koji') - name: install serverca cert for oscar (garbage collector) user copy: src={{ puppet_private }}/fedora-ca.cert dest=/etc/koji-gc/serverca.crt tags: - koji_hub + when: env != 'staging' and ansible_hostname.startswith('koji') - name: install clientca cert for oscar (garbage collector) user copy: src={{ puppet_private }}/fedora-ca.cert dest=/etc/koji-gc/clientca.crt tags: - koji_hub + when: env != 'staging' and ansible_hostname.startswith('koji') - name: install koji-gc.conf copy: src=koji-gc.conf dest=/etc/koji-gc/koji-gc.conf diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2 index 2737835425..0d423ca82a 100644 --- a/roles/koji_hub/templates/hub.conf.j2 +++ b/roles/koji_hub/templates/hub.conf.j2 @@ -3,8 +3,13 @@ ## Basic options ## DBName = koji DBUser = koji +{% if ansible_hostname.startswith('koji') %} DBHost = db-koji01 DBPass = {{ kojiPassword }} +{% elseif ansible_hostname == 's390-koji01.qa.fedoraproject.org' %} +DBHost = db-s390-koji01 +DBPass = {{ s390kojiPassword }} +{% endif %} KojiDir = /mnt/koji MemoryWarnThreshold = 10000 MaxRequestLength = 83886080 
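Review bot: Nothing in this commit installs the new `roles/koji_hub/files/koji-ssl.conf.s390`: the diffstat's 54 changed lines in tasks/main.yml are all accounted for by the hunks shown, and none of them copies that file, so unless an existing task outside these hunks already selects it by hostname, the s390 hub ends up with whatever httpd SSL config the other hubs get. Add a task alongside the new cert tasks -- `copy: src=koji-ssl.conf.s390 dest=<same destination the existing koji-ssl.conf task uses>` with `when: ansible_hostname.startswith('s390')` and `notify: - restart httpd` -- and gate the existing one with `startswith('koji')` so the two never both fire. In the last hunk the oscar/koji-gc cert tasks are now limited to hosts starting with `koji`, but the `install koji-gc.conf` task that follows them is not, so the s390 hub presumably gets a koji-gc config pointing at client and CA files that are never installed; gate it the same way or install s390 equivalents.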
@@ -14,8 +19,12 @@ MaxRequestLength = 83886080 ## the client username is the common name of the subject of their client certificate DNUsernameComponent = CN +{% if ansible_hostname.startswith('koji') %} ## separate multiple DNs with | ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US|emailAddress=releng@fedoraproject.org,CN=sign-bridge1,OU=Package Signing,O=Fedora Project,ST=North Carolina,C=US +{% elseif ansible_hostname == 's390-koji01.qa.fedoraproject.org' %} +ProxyDNs = /C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=s390.koji.fedoraproject.org/emailAddress=buildsys@fedoraproject.org|/C=US/ST=North Carolina/O=Fedora Project/OU=secondary arch/CN=secondary-signer/emailAddress=ausil@fedoraproject.org +{% endif %} ## end SSL client certificate auth configuration @@ -23,7 +32,11 @@ ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders ## Other options ## LoginCreatesUser = On +{% if ansible_hostname.startswith('koji') %} KojiWebURL = http://koji.fedoraproject.org/koji +{% elseif ansible_hostname == 's390-koji01.qa.fedoraproject.org' %} +KojiWebURL = http://s390.koji.fedoraproject.org/koji +{% endif %} # The domain name that will be appended to Koji usernames # when creating email notifications EmailDomain = fedoraproject.org @@ -57,6 +70,7 @@ DisableNotifications = True #Plugins = darkserver-plugin Plugins = fedmsg-koji-plugin +{% if ansible_hostname.startswith('koji') %} [policy] @@ -96,3 +110,4 @@ build_from_srpm = tag el6-docs && has_perm docs :: allow all :: deny +{% endif %} diff --git a/roles/koji_hub/templates/web.conf.j2 b/roles/koji_hub/templates/web.conf.j2 index 0509d67f3b..71929b18ce 100644 --- a/roles/koji_hub/templates/web.conf.j2 +++ b/roles/koji_hub/templates/web.conf.j2 
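Review bot: `{% elseif ansible_hostname == 's390-koji01.qa.fedoraproject.org' %}` is not valid Jinja2 (the tag is `elif`), and it appears in three hunks of this file, so hub.conf.j2 stops rendering for every hub, koji01 and koji02 included, the first time the role runs. Separately, `ansible_hostname` is normally the short host name (the FQDN is `ansible_fqdn`), so even with `elif` the equality is unlikely ever to be true and the s390 hub would get a hub.conf with no `DBHost`/`DBPass`, no `ProxyDNs` and no `KojiWebURL`; the role's tasks already use `ansible_hostname.startswith('s390')`, so use `{% elif ansible_hostname.startswith('s390') %}` in all three places. The s390 `ProxyDNs` are written in the slash-separated legacy DN form (`/C=US/ST=.../CN=s390.koji.fedoraproject.org/...`) whereas the existing entries use the comma-separated form httpd 2.4 exports by default; on the RHEL 7 hosts these host_vars kickstart, a format mismatch makes kojiweb and secondary-signer proxy logins fail closed rather than open, but it still belongs in the same format as the other entries unless `LegacyDNStringFormat` is set on that vhost. Wrapping the whole `[policy]` section in `{% if ansible_hostname.startswith('koji') %}` leaves the s390 hub on koji's built-in default policies; a one-line comment saying that is intentional would save the next reader from assuming the section was lost.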
@@ -6,6 +6,9 @@ SiteName = koji {% if env == 'staging' %} KojiHubURL = http://koji.stg.fedoraproject.org/kojihub KojiFilesURL = https://kojipkgs.stg.fedoraproject.org/ +{% else if ansible_hostname == 's390-koji01.qa.fedoraproject.org' %} +KojiHubURL = http://s390.koji.fedoraproject.org/kojihub +KojiFilesURL = http://s390.koji.fedoraproject.org/kojifiles {% else %} KojiHubURL = http://koji.fedoraproject.org/kojihub KojiFilesURL = https://kojipkgs.fedoraproject.org/ @@ -16,7 +19,6 @@ WebCert = /etc/pki/tls/private/kojiweb_cert_key.pem ClientCA = /etc/pki/tls/certs/upload_cacert.pem KojiHubCA = /etc/pki/tls/certs/extras_cacert.pem - LoginTimeout = 72 # This must be changed and uncommented before deployment