From 4fd88f61f48e7838d724e8e4600e5bbe5bdf297b Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 10 Mar 2016 18:28:18 +0000 Subject: [PATCH 01/33] Friends. --- roles/base/templates/iptables/iptables | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables index 4e42a834d0..9f2a082139 100644 --- a/roles/base/templates/iptables/iptables +++ b/roles/base/templates/iptables/iptables @@ -24,6 +24,12 @@ -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT +{% if inventory_hostname in groups['proxies'] %} +{% for friend in friends %} +-A INPUT --src {{ friend }} -j DROP +{% endfor %} +{% endif %} + {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %} # # In the phx2 datacenter, both production and staging hosts are in the same From e36d15bbbef0f5c36a7dabef9620ff890bec35e8 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 10 Mar 2016 18:32:28 +0000 Subject: [PATCH 02/33] Distinguish between ipv4 and ipv6. --- roles/base/templates/iptables/ip6tables | 6 ++++++ roles/base/templates/iptables/iptables | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/base/templates/iptables/ip6tables b/roles/base/templates/iptables/ip6tables index 49db2f7851..e3dba2ac03 100644 --- a/roles/base/templates/iptables/ip6tables +++ b/roles/base/templates/iptables/ip6tables @@ -20,6 +20,12 @@ # allow ssh - always -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT +{% if inventory_hostname in groups['proxies'] %} +{% for friend in friends6 %} +-A INPUT --src {{ friend }} -j DROP +{% endfor %} +{% endif %} + # if the host/group defines incoming tcp_ports - allow them {% if tcp_ports is defined %} {% for port in tcp_ports %} diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables index 9f2a082139..cf49cdf411 100644 
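Review bot: The loop `{% for friend in friends %}` reads `friends` with no definedness guard, so a proxy host that lacks the variable will presumably fail to render its firewall template; the same templates guard other optional lists with `{% if tcp_ports is defined %}`. Iterating over `friends | default([])` keeps the rules file rendering with an empty block list. The same applies to the `friends6` loop added to ip6tables and the `friends4` loop added to iptables.osuosl later in this series. The block would also benefit from a comment such as `# drop all traffic from blocked source addresses (proxies only)`, because the variable name does not say these are sources being dropped.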
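Review bot: The DROP block in ip6tables is placed after the `--dport 22 -j ACCEPT` rule, so a new SSH connection from a blocked address matches the ACCEPT first and never reaches the DROP. In the IPv4 template the block likewise follows the port 5666 ACCEPT lines, although those are already limited by `-s`. If the intent is to cut these sources off entirely, the block belongs ahead of the first ACCEPT in the INPUT chain; the rules above line 20 are outside this hunk, so the exact position needs checking against the full file.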
--- a/roles/base/templates/iptables/iptables +++ b/roles/base/templates/iptables/iptables @@ -25,7 +25,7 @@ -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT {% if inventory_hostname in groups['proxies'] %} -{% for friend in friends %} +{% for friend in friends4 %} -A INPUT --src {{ friend }} -j DROP {% endfor %} {% endif %} From c31771d0de38e5e14890783abae99ffcb92e4fe8 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 10 Mar 2016 18:54:44 +0000 Subject: [PATCH 03/33] Also the osuosl proxies. --- roles/base/templates/iptables/iptables.osuosl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/base/templates/iptables/iptables.osuosl b/roles/base/templates/iptables/iptables.osuosl index ad82724e5b..102ee7c394 100644 --- a/roles/base/templates/iptables/iptables.osuosl +++ b/roles/base/templates/iptables/iptables.osuosl @@ -29,6 +29,11 @@ -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT +{% if inventory_hostname in groups['proxies'] %} +{% for friend in friends4 %} +-A INPUT --src {{ friend }} -j DROP +{% endfor %} +{% endif %} # if the host/group defines incoming tcp_ports - allow them {% if tcp_ports is defined %} From 4043d326b5081b6fab1ad080e8055cee0e4dc873 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 10 Mar 2016 20:21:02 +0000 Subject: [PATCH 04/33] No more friends. --- roles/base/templates/iptables/ip6tables | 6 ------ roles/base/templates/iptables/iptables | 6 ------ roles/base/templates/iptables/iptables.osuosl | 6 ------ 3 files changed, 18 deletions(-) diff --git a/roles/base/templates/iptables/ip6tables b/roles/base/templates/iptables/ip6tables index e3dba2ac03..49db2f7851 100644 --- a/roles/base/templates/iptables/ip6tables +++ b/roles/base/templates/iptables/ip6tables 
@@ -20,12 +20,6 @@ # allow ssh - always -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT -{% if inventory_hostname in groups['proxies'] %} -{% for friend in friends6 %} --A INPUT --src {{ friend }} -j DROP -{% endfor %} -{% endif %} - # if the host/group defines incoming tcp_ports - allow them {% if tcp_ports is defined %} {% for port in tcp_ports %} diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables index cf49cdf411..4e42a834d0 100644 --- a/roles/base/templates/iptables/iptables +++ b/roles/base/templates/iptables/iptables @@ -24,12 +24,6 @@ -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT -{% if inventory_hostname in groups['proxies'] %} -{% for friend in friends4 %} --A INPUT --src {{ friend }} -j DROP -{% endfor %} -{% endif %} - {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %} # # In the phx2 datacenter, both production and staging hosts are in the same diff --git a/roles/base/templates/iptables/iptables.osuosl b/roles/base/templates/iptables/iptables.osuosl index 102ee7c394..9efba777f6 100644 --- a/roles/base/templates/iptables/iptables.osuosl +++ b/roles/base/templates/iptables/iptables.osuosl @@ -29,12 +29,6 @@ -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT -{% if inventory_hostname in groups['proxies'] %} -{% for friend in friends4 %} --A INPUT --src {{ friend }} -j DROP -{% endfor %} -{% endif %} - # if the host/group defines incoming tcp_ports - allow them {% if tcp_ports is defined %} {% for port in tcp_ports %} From be61b3c1cf86970915acae4f37109846323e1150 Mon Sep 17 00:00:00 2001 
From: Ralph Bean Date: Thu, 10 Mar 2016 21:26:08 +0000 Subject: [PATCH 05/33] Let openqa-stg01 talk to the staging fedmsg relay. --- inventory/group_vars/proxies-stg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg index b3303659c9..6fbf1b242c 100644 --- a/inventory/group_vars/proxies-stg +++ b/inventory/group_vars/proxies-stg @@ -67,6 +67,9 @@ custom_rules: [ # Allow resultsdb talk to the inbound fedmsg relay. '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.124.147 -j ACCEPT', + + # Allow openqa to talk to the inbound fedmsg relay. + '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.131.72 -j ACCEPT', ] fas_client_groups: sysadmin-noc,fi-apprentice From 7f5bfecaa7410aa08fc81f543fbba1089c9e3c67 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 14:04:57 -0800 Subject: [PATCH 06/33] openqa: freeze status in group vars not host vars seems more common. --- inventory/group_vars/openqa | 1 + inventory/group_vars/openqa-stg | 1 + inventory/group_vars/openqa-stg-workers | 1 + inventory/group_vars/openqa-workers | 1 + inventory/host_vars/openqa-stg01.qa.fedoraproject.org | 2 -- inventory/host_vars/openqa01.qa.fedoraproject.org | 2 -- inventory/host_vars/qa05.qa.fedoraproject.org | 1 - inventory/host_vars/qa06.qa.fedoraproject.org | 1 - inventory/host_vars/qa07.qa.fedoraproject.org | 1 - 9 files changed, 4 insertions(+), 7 deletions(-) diff --git a/inventory/group_vars/openqa b/inventory/group_vars/openqa index ffc08d0ee1..dc941e4bee 100644 --- a/inventory/group_vars/openqa +++ b/inventory/group_vars/openqa @@ -28,6 +28,7 @@ checkcompose_smtp: bastion.phx2.fedoraproject.org checkcompose_url: "https://{{ external_hostname }}" deployment_type: prod +freezes: false # http and NFS tcp_ports: [ 80, 2049 ] diff --git a/inventory/group_vars/openqa-stg b/inventory/group_vars/openqa-stg index e6ba67b269..cc110ba9c3 100644 --- a/inventory/group_vars/openqa-stg +++ b/inventory/group_vars/openqa-stg 
@@ -35,6 +35,7 @@ wikitcms_password: "{{ stg_wikitcms_password }}" checkcompose_url: "https://{{ external_hostname }}" deployment_type: stg +freezes: false # http and NFS tcp_ports: [80, 2049] diff --git a/inventory/group_vars/openqa-stg-workers b/inventory/group_vars/openqa-stg-workers index 88f8c1bab8..8d8a1fb587 100644 --- a/inventory/group_vars/openqa-stg-workers +++ b/inventory/group_vars/openqa-stg-workers @@ -6,3 +6,4 @@ openqa_key: "{{ stg_openqa_apikey }}" openqa_secret: "{{ stg_openqa_apisecret }}" deployment_type: stg +freezes: false diff --git a/inventory/group_vars/openqa-workers b/inventory/group_vars/openqa-workers index b1cb1ddf01..6d17e09bd2 100644 --- a/inventory/group_vars/openqa-workers +++ b/inventory/group_vars/openqa-workers @@ -6,3 +6,4 @@ openqa_key: "{{ prod_openqa_apikey }}" openqa_secret: "{{ prod_openqa_apisecret }}" deployment_type: prod +freezes: false diff --git a/inventory/host_vars/openqa-stg01.qa.fedoraproject.org b/inventory/host_vars/openqa-stg01.qa.fedoraproject.org index 6c31e11b4d..34c26cf5d1 100644 --- a/inventory/host_vars/openqa-stg01.qa.fedoraproject.org +++ b/inventory/host_vars/openqa-stg01.qa.fedoraproject.org @@ -30,5 +30,3 @@ num_cpus: 4 nrpe_procs_warn: 250 nrpe_procs_crit: 300 - -freezes: false diff --git a/inventory/host_vars/openqa01.qa.fedoraproject.org b/inventory/host_vars/openqa01.qa.fedoraproject.org index 34abe43243..11dfc95cac 100644 --- a/inventory/host_vars/openqa01.qa.fedoraproject.org +++ b/inventory/host_vars/openqa01.qa.fedoraproject.org @@ -30,5 +30,3 @@ num_cpus: 4 nrpe_procs_warn: 250 nrpe_procs_crit: 300 - -freezes: false diff --git a/inventory/host_vars/qa05.qa.fedoraproject.org b/inventory/host_vars/qa05.qa.fedoraproject.org index 7d1dc10d93..5b414a03cf 100644 --- a/inventory/host_vars/qa05.qa.fedoraproject.org +++ b/inventory/host_vars/qa05.qa.fedoraproject.org 
@@ -1,5 +1,4 @@ --- -freezes: false fas_client_groups: sysadmin-qa,sysadmin-main sudoers: "{{ private }}/files/sudo/qavirt-sudoers" eth0_ip: 10.5.124.155 diff --git a/inventory/host_vars/qa06.qa.fedoraproject.org b/inventory/host_vars/qa06.qa.fedoraproject.org index c860bc3498..4cf2798810 100644 --- a/inventory/host_vars/qa06.qa.fedoraproject.org +++ b/inventory/host_vars/qa06.qa.fedoraproject.org @@ -1,5 +1,4 @@ --- -freezes: false fas_client_groups: sysadmin-qa,sysadmin-main sudoers: "{{ private }}/files/sudo/qavirt-sudoers" eth0_ip: 10.5.124.156 diff --git a/inventory/host_vars/qa07.qa.fedoraproject.org b/inventory/host_vars/qa07.qa.fedoraproject.org index 93229f8fd1..502827d88f 100644 --- a/inventory/host_vars/qa07.qa.fedoraproject.org +++ b/inventory/host_vars/qa07.qa.fedoraproject.org @@ -1,5 +1,4 @@ --- -freezes: false fas_client_groups: sysadmin-qa,sysadmin-main sudoers: "{{ private }}/files/sudo/qavirt-sudoers" eth0_ip: 10.5.124.157 From c0b7382df2ad09bd9f1281eb3e61bf206d2df7fd Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 10 Mar 2016 22:07:29 +0000 Subject: [PATCH 07/33] Allow to keep the host header through a setting Signed-off-by: Patrick Uiterwijk --- playbooks/include/proxies-reverseproxy.yml | 1 + roles/httpd/reverseproxy/tasks/main.yml | 1 + roles/httpd/reverseproxy/templates/reversepassproxy.conf | 5 +++++ roles/httpd/reverseproxy/vars/main.yml | 1 + 4 files changed, 8 insertions(+) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 4825f9bd6a..e029b30db7 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -455,6 +455,7 @@ destname: qa-stg-phab # Talk directly to the app server, not haproxy proxyurl: http://phab.qa-stg01.qa.fedoraproject.org + keephost: true when: env == "staging" - role: httpd/reverseproxy 
diff --git a/roles/httpd/reverseproxy/tasks/main.yml b/roles/httpd/reverseproxy/tasks/main.yml index c4fa7bb0c0..bb69f55c11 100644 --- a/roles/httpd/reverseproxy/tasks/main.yml +++ b/roles/httpd/reverseproxy/tasks/main.yml @@ -4,6 +4,7 @@ # - remotepath.. # - proxyurl # - rewrite +# - keephost - name: Copy in ProxyPassReverse for {{destname}} ({{website}}{{remotepath}}) template: > diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf index 4304709d4c..b7d6ff06d0 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf @@ -9,5 +9,10 @@ RequestHeader set X-Scheme https early RequestHeader set X-Forwarded-Proto https early {% endif %} + +{% if keephost %} +ProxyPreserveHost On +{% endif %} + ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} diff --git a/roles/httpd/reverseproxy/vars/main.yml b/roles/httpd/reverseproxy/vars/main.yml index 61ee936ff3..751fac42b6 100644 --- a/roles/httpd/reverseproxy/vars/main.yml +++ b/roles/httpd/reverseproxy/vars/main.yml @@ -3,3 +3,4 @@ localpath: / destname: reversepassproxy rewrite: false header_scheme: false +keephost: false From f3adb758c8f0556f65ec34f7a46dc6625819ccee Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 14:08:40 -0800 Subject: [PATCH 08/33] install fedmsg certs for openqa server hosts --- inventory/group_vars/openqa | 20 ++++++++++++++++++++ inventory/group_vars/openqa-stg | 23 +++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/inventory/group_vars/openqa b/inventory/group_vars/openqa index dc941e4bee..4a1ce0b186 100644 --- a/inventory/group_vars/openqa +++ b/inventory/group_vars/openqa 
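Review bot: With `ProxyPreserveHost On` the backend receives whatever Host header the client sent instead of the host name from `proxyurl`, so any application behind a `keephost: true` proxy has to validate the host names it accepts. That constraint is not recorded anywhere in this change; the parameter list in tasks/main.yml only gains `# - keephost`. I would add a comment above the block, for example `# keephost: pass the client's Host header to the backend unchanged; the backend must only answer for host names it is configured for`. Note also that `{% if keephost %}` treats any non-empty string as true, so a caller passing the quoted string "false" would turn it on; `{% if keephost | bool %}` avoids that.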
@@ -32,3 +32,23 @@ freezes: false # http and NFS tcp_ports: [ 80, 2049 ] + +# These are consumed by a task in roles/fedmsg/base/main.yml +fedmsg_certs: +- service: shell + owner: root + group: sysadmin + can_send: + - logger.log +- service: openqa + owner: root + group: geekotest + can_send: + - openqa.job.create + - openqa.job.delete + - openqa.job.cancel + - openqa.job.duplicate + - openqa.job.restart + - openqa.jobs.restart + - openqa.job.update.result + - openqa.job.done diff --git a/inventory/group_vars/openqa-stg b/inventory/group_vars/openqa-stg index cc110ba9c3..d2717572da 100644 --- a/inventory/group_vars/openqa-stg +++ b/inventory/group_vars/openqa-stg @@ -39,3 +39,26 @@ freezes: false # http and NFS tcp_ports: [80, 2049] + +# These are consumed by a task in roles/fedmsg/base/main.yml +fedmsg_certs: +- service: shell + owner: root + group: sysadmin + can_send: + - logger.log +- service: openqa + owner: root + group: geekotest + can_send: + - openqa.job.create + - openqa.job.delete + - openqa.job.cancel + - openqa.job.duplicate + - openqa.job.restart + - openqa.jobs.restart + - openqa.job.update.result + - openqa.job.done + +# makes sure it sends stg not prod fedmsgs +fedmsg_env: stg From 9db962050d9ff793c1b97c9d85a9f45462b52bdc Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 10 Mar 2016 22:31:44 +0000 Subject: [PATCH 09/33] changing qa-stg to use stg proxies instead of self host --- inventory/group_vars/qa-stg | 9 +++++---- roles/phabricator/tasks/main.yml | 4 +++- roles/phabricator/templates/local.json.j2 | 1 + roles/phabricator/templates/phabricator.conf.j2 | 15 +++++++++++++++ 4 files changed, 24 insertions(+), 5 deletions(-) diff --git a/inventory/group_vars/qa-stg b/inventory/group_vars/qa-stg index 5f80116cd7..c59919f1c6 100644 --- a/inventory/group_vars/qa-stg +++ b/inventory/group_vars/qa-stg 
@@ -15,11 +15,12 @@ extra_enablerepos: 'infrastructure-testing' sshd_config: ssh/sshd_config.qa-stg sshd_port: 222 -external_hostname: qadevel-stg.cloud.fedoraproject.org +external_hostname: qa.stg.fedoraproject.org -sslcertfile: qa-stg.qa.fedoraproject.org.cert -sslkeyfile: qa-stg.qa.fedoraproject.org.key -sslintermediatecertfile: '' +# not needed with new setup +#sslcertfile: qa-stg.qa.fedoraproject.org.cert +#sslkeyfile: qa-stg.qa.fedoraproject.org.key +#sslintermediatecertfile: '' mariadb_host: localhost mariadb_config: my.cnf.phabricator diff --git a/roles/phabricator/tasks/main.yml b/roles/phabricator/tasks/main.yml index 8a41de01f3..a2ab80ed5f 100644 --- a/roles/phabricator/tasks/main.yml +++ b/roles/phabricator/tasks/main.yml @@ -173,6 +173,7 @@ owner: root group: root mode: 0600 + when: deployment_type == 'qadevel-prod' - name: Install the SSL key copy: @@ -181,6 +182,7 @@ owner: root group: root mode: 0600 + when: deployment_type == 'qadevel-prod' - name: Install the SSL intermediate cert copy: @@ -189,7 +191,7 @@ owner: root group: root mode: 0600 - when: sslintermediatecertfile != '' + when: sslintermediatecertfile != '' and deployment_type == 'qadevel-prod' - name: copy phabricator httpd config diff --git a/roles/phabricator/templates/local.json.j2 b/roles/phabricator/templates/local.json.j2 index 48809e7df1..a4c3dbd7fd 100644 --- a/roles/phabricator/templates/local.json.j2 +++ b/roles/phabricator/templates/local.json.j2 @@ -1,5 +1,6 @@ { "phabricator.base-uri" : "https:\/\/phab.{{ external_hostname }}\/", + "phabricator.allowed-uris": ["http:\/\/phab.{{ inventory_hostname }}\/"], "log.ssh.path" : "\/var\/log\/phabricator\/ssh.log", "log.access.path" : "\/var\/log\/phabricator\/access.log", "mysql.host" : "{{ mariadb_host }}", diff --git a/roles/phabricator/templates/phabricator.conf.j2 b/roles/phabricator/templates/phabricator.conf.j2 index c3cf2612a9..8db09e0659 100644 --- a/roles/phabricator/templates/phabricator.conf.j2 
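Review bot: In `when: sslintermediatecertfile != '' and deployment_type == 'qadevel-prod'` the certificate variable is evaluated first, so a non-prod host that does not define `sslintermediatecertfile` would presumably fail on the undefined variable instead of skipping the task. This same commit comments that variable out in group_vars/qa-stg. Putting the deployment check first, `when: deployment_type == 'qadevel-prod' and sslintermediatecertfile != ''`, lets the condition short-circuit before the variable is read. The task names and bodies are only partly visible in these hunks.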
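Review bot: The new `phabricator.allowed-uris` entry is rendered for every deployment, not only the proxied staging one, so production would also list `http://phab.{{ inventory_hostname }}/` as an accepted plain-HTTP address. The tasks and the httpd template in this commit are gated on `deployment_type`, and this line should be as well, e.g. wrapped in `{% if deployment_type != 'qadevel-prod' %}` and `{% endif %}`. A short comment that the entry exists because the staging proxies reach the backend over HTTP by its inventory name would explain why an http URI is allowed at all.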
+++ b/roles/phabricator/templates/phabricator.conf.j2 @@ -1,3 +1,4 @@ +{% if deployment_type == "qadevel-prod" %} # Change this to the domain which points to your host. ServerName phab.{{external_hostname}} @@ -75,7 +76,21 @@ RewriteEngine on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] +{% if deployment_type == "qadevel-prod" %} +{% else %} + + # Change this to the domain which points to your host. + ServerName phab.{{external_hostname}} + # Make sure you include "/webroot" at the end! + DocumentRoot {{phabroot}}/phabricator/webroot + + RewriteEngine on + RewriteRule ^/rsrc/(.*) - [L,QSA] + RewriteRule ^/favicon.ico - [L,QSA] + RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA] + +{% endif %} AllowOverride None From f96e38db7902f7fe4fe2528f3b4c5ceeae656d71 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 10 Mar 2016 22:40:46 +0000 Subject: [PATCH 10/33] putting a group var back needed for phabricator playbook --- inventory/group_vars/qa-stg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/qa-stg b/inventory/group_vars/qa-stg index c59919f1c6..0640b5daee 100644 --- a/inventory/group_vars/qa-stg +++ b/inventory/group_vars/qa-stg @@ -20,7 +20,7 @@ external_hostname: qa.stg.fedoraproject.org # not needed with new setup #sslcertfile: qa-stg.qa.fedoraproject.org.cert #sslkeyfile: qa-stg.qa.fedoraproject.org.key -#sslintermediatecertfile: '' +sslintermediatecertfile: '' mariadb_host: localhost mariadb_config: my.cnf.phabricator From 4706f17f024cf861119ef90e09cc815d73d7df59 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 10 Mar 2016 22:42:30 +0000 Subject: [PATCH 11/33] fixing stray if statement in template --- roles/phabricator/templates/phabricator.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/phabricator/templates/phabricator.conf.j2 b/roles/phabricator/templates/phabricator.conf.j2 index 8db09e0659..ad7cb59687 100644 --- a/roles/phabricator/templates/phabricator.conf.j2 
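Review bot: The `{% else %}` branch serves Phabricator over plain HTTP and relies on the staging proxies for TLS, but nothing in this template limits who can reach that listener. Unless the host firewall already restricts the HTTP port to the proxies (not visible here), clients could bypass the proxy and talk to the application directly. A comment at the top of the branch, e.g. `# non-prod: TLS terminates on the proxies; this vhost must only be reachable from them`, would record the assumption. The virtual host container lines are not visible in this hunk, so the listening address could not be checked.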
+++ b/roles/phabricator/templates/phabricator.conf.j2 @@ -76,7 +76,6 @@ RewriteEngine on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] -{% if deployment_type == "qadevel-prod" %} {% else %} # Change this to the domain which points to your host. From c9827a793b31867435e2bb91be41c3ff1a146432 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 10 Mar 2016 22:44:46 +0000 Subject: [PATCH 12/33] Let openqa01 publish to the bus. --- inventory/group_vars/proxies | 2 ++ roles/fedmsg/base/tasks/main.yml | 6 +++--- roles/fedmsg/base/templates/relay.py.j2 | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies index 53a291b4d6..3122f29b8d 100644 --- a/inventory/group_vars/proxies +++ b/inventory/group_vars/proxies @@ -63,6 +63,8 @@ custom_rules: [ # Allow resultsdb talk to the inbound fedmsg relay. '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.124.207 -j ACCEPT', + # Allow openqa01 to talk to the inbound fedmsg relay. + '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.131.71 -j ACCEPT', ] fas_client_groups: sysadmin-noc,fi-apprentice diff --git a/roles/fedmsg/base/tasks/main.yml b/roles/fedmsg/base/tasks/main.yml index c4bbe6391d..16d751df01 100644 --- a/roles/fedmsg/base/tasks/main.yml +++ b/roles/fedmsg/base/tasks/main.yml @@ -119,7 +119,7 @@ - relay.py - logging.py - base.py - when: "'persistent-cloud' not in group_names" + when: "'persistent-cloud' not in group_names and 'qa-isolated' not in group_names" tags: - config - fedmsgdconfig @@ -152,7 +152,7 @@ - restart fedmsg-irc - restart fedmsg-relay -- name: setup basic /etc/fedmsg.d/ contents for cloud hosts +- name: setup basic /etc/fedmsg.d/ contents for firewalled/external hosts template: > src="{{ item }}.j2" dest="/etc/fedmsg.d/{{ item }}" @@ -165,7 +165,7 @@ - relay.py - logging.py - base.py - when: "'persistent-cloud' in group_names" + when: "'persistent-cloud' in group_names or 'qa-isolated' in group_names" tags: - config - fedmsgdconfig 
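Review bot: The same group test now lives in three places, the two `when:` clauses in roles/fedmsg/base/tasks/main.yml and the `{% if %}` in relay.py.j2, and the template additionally checks `jenkins-master`, which the tasks do not. If a later edit updates one and misses another, a host can end up with the internal configuration files combined with the external relay endpoint. Computing the test once in a single group variable would keep them in step. At minimum the renamed task deserves a comment listing which groups count as firewalled/external.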
diff --git a/roles/fedmsg/base/templates/relay.py.j2 b/roles/fedmsg/base/templates/relay.py.j2 index 79733297bd..82cd0f957c 100644 --- a/roles/fedmsg/base/templates/relay.py.j2 +++ b/roles/fedmsg/base/templates/relay.py.j2 @@ -24,7 +24,7 @@ config = dict( # It is also used by the mediawiki php plugin which, due to the oddities of # php, can't maintain a single passive-bind endpoint of it's own. relay_inbound=[ - {% if 'persistent-cloud' in group_names or 'jenkins-master' in group_names %} + {% if 'persistent-cloud' in group_names or 'jenkins-master' in group_names or 'qa-isolated' in group_names %} # Stuff from the cloud has to go through our external proxy first.. #"tcp://hub.fedoraproject.org:9941", From 2c02c9fa94f5cdee9889abae55bcb229881bce82 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 15:53:23 -0800 Subject: [PATCH 13/33] openqa: enable fedmsg/base role, set up NFS for prod threebean fixed it up so fedmsg/base should be OK for us now, and we need the NFS mounts for prod (it's rebuilding atm). --- playbooks/groups/openqa.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index b2ba8e49ca..7e56147373 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml @@ -43,14 +43,14 @@ roles: - { role: openqa/server, tags: ['openqa_server'] } - { role: openqa/dispatcher, tags: ['openqa_dispatcher'] } - - { role: fedmsg/hub, tags: ['fedmsg_hub'] } - { role: check-compose, tags: ['check-compose'] } + - { role: fedmsg/base, tags: ['fedmsg_hub'] } + - { role: fedmsg/hub, tags: ['fedmsg_hub'] } handlers: - include: "{{ handlers }}/restart_services.yml" -# for now just stg while we're testing -- name: set up openQA server data NFS mounts +- name: set up openQA server data NFS mounts (staging) hosts: openqa-stg roles: - role: nfs/client 
@@ -58,22 +58,22 @@ nfs_src_dir: 'fedora_openqa_stg/testresults' nfs_mount_opts: 'rw,bg,nfsvers=3' tags: ['nfs_client'] - -- name: set up openQA server data NFS mounts - hosts: openqa-stg - roles: - role: nfs/client mnt_dir: '/var/lib/openqa/images' nfs_src_dir: 'fedora_openqa_stg/images' nfs_mount_opts: 'rw,bg,nfsvers=3' tags: ['nfs_client'] -# set up prod temp mount -- name: set up openQA server data NFS mounts +- name: set up openQA server data NFS mounts (prod) hosts: openqa roles: - role: nfs/client - mnt_dir: '/mnt/temp' - nfs_src_dir: 'fedora_openqa' + mnt_dir: '/var/lib/openqa/testresults' + nfs_src_dir: 'fedora_openqa/testresults' + nfs_mount_opts: 'rw,bg,nfsvers=3' + tags: ['nfs_client'] + - role: nfs/client + mnt_dir: '/var/lib/openqa/images' + nfs_src_dir: 'fedora_openqa/images' nfs_mount_opts: 'rw,bg,nfsvers=3' tags: ['nfs_client'] From 48450457831383a46ebb3a7d3d57b69f60cb80c1 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 10 Mar 2016 23:54:28 +0000 Subject: [PATCH 14/33] Bring budget site live in prod --- playbooks/include/proxies-fedora-web.yml | 1 - playbooks/include/proxies-websites.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/playbooks/include/proxies-fedora-web.yml b/playbooks/include/proxies-fedora-web.yml index c39f04e6a9..37e7114d73 100644 --- a/playbooks/include/proxies-fedora-web.yml +++ b/playbooks/include/proxies-fedora-web.yml @@ -41,7 +41,6 @@ website: arm.fedoraproject.org - role: fedora-web/budget website: budget.fedoraproject.org - when: env == "staging" # Some other static content, not strictly part of "fedora-web" goes below here - role: fedora-docs/proxy diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index fb62408781..d2d83db678 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml 
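Review bot: The production mounts reuse `nfs_mount_opts: 'rw,bg,nfsvers=3'`, which leaves setuid bits and device nodes on the share honoured by the openQA server. These directories hold test results and disk images, so `nosuid,nodev` could presumably be added without affecting openQA, e.g. `nfs_mount_opts: 'rw,bg,nfsvers=3,nosuid,nodev'`; the same goes for the two staging entries in this hunk. How the nfs/client role passes the options through is not shown here and should be confirmed first.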
@@ -203,7 +203,6 @@ - budget.stg.fedoraproject.org sslonly: true cert_name: "{{wildcard_cert_name}}" - when: env == "staging" - role: httpd/website name: boot.fedoraproject.org From 78df044b87bb5e4769a12999e4a77670b8268251 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 16:23:30 -0800 Subject: [PATCH 15/33] openqa: need fedmsg-relay too --- playbooks/groups/openqa.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index 7e56147373..333c89eacc 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml @@ -44,8 +44,9 @@ - { role: openqa/server, tags: ['openqa_server'] } - { role: openqa/dispatcher, tags: ['openqa_dispatcher'] } - { role: check-compose, tags: ['check-compose'] } - - { role: fedmsg/base, tags: ['fedmsg_hub'] } - - { role: fedmsg/hub, tags: ['fedmsg_hub'] } + - { role: fedmsg/base, tags: ['fedmsg_base', 'fedmsg'] } + - { role: fedmsg/relay, tags: ['fedmsg_relay', 'fedmsg'] } + - { role: fedmsg/hub, tags: ['fedmsg_hub', 'fedmsg'] } handlers: - include: "{{ handlers }}/restart_services.yml" From 5e65aab8607e6f0192153f2faaaa71ae1722adc8 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 16:34:45 -0800 Subject: [PATCH 16/33] fix fedmsg/relay for DNF (F>21) nothing that freezes uses this, so I'm OK to send it, according to nirik. --- roles/fedmsg/relay/tasks/main.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/fedmsg/relay/tasks/main.yml b/roles/fedmsg/relay/tasks/main.yml index b0de6f5e5b..89ecc219bf 100644 --- a/roles/fedmsg/relay/tasks/main.yml +++ b/roles/fedmsg/relay/tasks/main.yml 
@@ -1,11 +1,19 @@ # This is a *very* simple role. The config needed for fedmsg-relay to operate # correctly is actually included as part of the fedmsg/base role. -- name: install fedmsg-relay +- name: install fedmsg-relay (yum) yum: pkg=fedmsg-relay state=present tags: - packages - fedmsg/relay + when: ansible_distribution_major_version|int < 22 + +- name: install fedmsg-relay (dnf) + dnf: pkg=fedmsg-relay state=present + tags: + - packages + - fedmsg/relay + when: ansible_distribution_major_version|int > 21 - name: ensure that nrpe has rights to monitor us file: > From 7e914a1d7b51bf7c1df97c7c330fe8ff0c824926 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 16:35:09 -0800 Subject: [PATCH 17/33] openqa: set fedmsg_active True --- inventory/group_vars/openqa | 3 +++ inventory/group_vars/openqa-stg | 3 +++ 2 files changed, 6 insertions(+) diff --git a/inventory/group_vars/openqa b/inventory/group_vars/openqa index 4a1ce0b186..a7ca00aba3 100644 --- a/inventory/group_vars/openqa +++ b/inventory/group_vars/openqa @@ -52,3 +52,6 @@ fedmsg_certs: - openqa.jobs.restart - openqa.job.update.result - openqa.job.done + +# we need this to log with fedmsg-logger +fedmsg_active: True diff --git a/inventory/group_vars/openqa-stg b/inventory/group_vars/openqa-stg index d2717572da..4e498de56e 100644 --- a/inventory/group_vars/openqa-stg +++ b/inventory/group_vars/openqa-stg @@ -60,5 +60,8 @@ fedmsg_certs: - openqa.job.update.result - openqa.job.done +# we need this to log with fedmsg-logger +fedmsg_active: True + # makes sure it sends stg not prod fedmsgs fedmsg_env: stg From aa8cf397eed5a319e16f206fe76e049dfa22eb4b Mon Sep 17 00:00:00 2001 
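Review bot: The two `when:` clauses split on `ansible_distribution_major_version` alone, so the choice of module depends on every non-Fedora host happening to report a major version below 22. Keying on the package manager fact instead, `when: ansible_pkg_mgr == 'yum'` and `when: ansible_pkg_mgr == 'dnf'`, states the intent directly, provided the Ansible version in use reports that fact for these hosts. If the version test stays, a comment that 22 is the first Fedora release using dnf would explain the constant.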
From: Adam Williamson Date: Thu, 10 Mar 2016 16:55:31 -0800 Subject: [PATCH 18/33] openqa: add a dumb 'fixes' role to tweak fedmsg config Ralph *mostly* fixed it, but the config we get from fedmsg/base still doesn't quite work, so this just hacks it up after that role's done. This will go away with a couple more fixes to the fedmsg/base role. --- playbooks/groups/openqa.yml | 1 + roles/openqa/fixes/tasks/main.yml | 14 ++++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 roles/openqa/fixes/tasks/main.yml diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index 333c89eacc..5e42fd646b 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml @@ -47,6 +47,7 @@ - { role: fedmsg/base, tags: ['fedmsg_base', 'fedmsg'] } - { role: fedmsg/relay, tags: ['fedmsg_relay', 'fedmsg'] } - { role: fedmsg/hub, tags: ['fedmsg_hub', 'fedmsg'] } + - { role: openqa/fixes, tags: ['openqa_fixes'] } handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/roles/openqa/fixes/tasks/main.yml b/roles/openqa/fixes/tasks/main.yml new file mode 100644 index 0000000000..aa1902e36b --- /dev/null +++ b/roles/openqa/fixes/tasks/main.yml @@ -0,0 +1,14 @@ +# This file contains some temporary fixes for the fedmsg config on openQA +# hosts, since the roles still aren't quite right for firewalled systems. + +- name: remove internal message source policy + file: path=/etc/fedmsg.d/policy.py state=absent + +- name: use packaged relay.py, not ansible one (which doesn't work) + command: cp /etc/fedmsg.d/relay.py.rpmnew /etc/fedmsg.d/relay.py + +- name: restart fedmsg services + service: name={{ item }} state=restarted + with_items: + - fedmsg-hub + - fedmsg-relay From 5de040a201da8c2a7e29ac861bc0901a88192e77 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 16:56:47 -0800 Subject: [PATCH 19/33] openqa/server: enable fedmsg plugin --- roles/openqa/server/templates/openqa.ini.j2 | 1 + 1 file changed, 1 insertion(+) 
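Review bot: `file: path=/etc/fedmsg.d/policy.py state=absent` deletes the message source policy on every run with no record of what that policy enforced; if it carries the rules for which senders may publish which topics, the host is left without that check, and the comment should say so and name the condition for restoring the file. The `command: cp /etc/fedmsg.d/relay.py.rpmnew /etc/fedmsg.d/relay.py` task is not idempotent and fails outright when the `.rpmnew` file is absent; adding `removes=/etc/fedmsg.d/relay.py.rpmnew` or using `copy` with `remote_src=yes` would handle both. The last task restarts fedmsg-hub and fedmsg-relay unconditionally on each play instead of being notified by a change.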
diff --git a/roles/openqa/server/templates/openqa.ini.j2 b/roles/openqa/server/templates/openqa.ini.j2 index e333cedad9..0ecca1610c 100644 --- a/roles/openqa/server/templates/openqa.ini.j2 +++ b/roles/openqa/server/templates/openqa.ini.j2 @@ -2,6 +2,7 @@ branding = plain base_url = https://{{ external_hostname }} download_domains = fedoraproject.org +plugins = Fedmsg [auth] method=OpenID From bebc2e63d1a787f001e7f3dd6fb9ee001e591a12 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 16:57:39 -0800 Subject: [PATCH 20/33] openqa: tag the fixes role with 'fedmsg' tag --- playbooks/groups/openqa.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index 5e42fd646b..c356d36d02 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml @@ -47,7 +47,7 @@ - { role: fedmsg/base, tags: ['fedmsg_base', 'fedmsg'] } - { role: fedmsg/relay, tags: ['fedmsg_relay', 'fedmsg'] } - { role: fedmsg/hub, tags: ['fedmsg_hub', 'fedmsg'] } - - { role: openqa/fixes, tags: ['openqa_fixes'] } + - { role: openqa/fixes, tags: ['openqa_fixes', 'fedmsg'] } handlers: - include: "{{ handlers }}/restart_services.yml" From 1a33048416b5784949aa06e705d26d8af5b7fe4f Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 17:07:13 -0800 Subject: [PATCH 21/33] openqa: install openqa-plugin-fedmsg --- roles/openqa/server/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/openqa/server/tasks/main.yml b/roles/openqa/server/tasks/main.yml index 4c33d1d239..2031fcb286 100644 --- a/roles/openqa/server/tasks/main.yml +++ b/roles/openqa/server/tasks/main.yml @@ -68,6 +68,7 @@ - python2-fedfind - openqa - openqa-httpd + - openqa-plugin-fedmsg tags: - packages @@ -75,7 +76,6 @@ dnf: name={{ item }} state=present enablerepo=adamwill-openQA with_items: - libselinux-python - - openqa - git - json_diff - libselinux-utils 
@@ -88,7 +88,6 @@ - libguestfs-xfs - python2-pexpect - python-libguestfs - - python2-fedfind tags: - packages From 52c2bb1cc05b9826b8cc97485275a79f388a8fb7 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 17:18:51 -0800 Subject: [PATCH 22/33] openqa/fixes: don't do the relay fix on prod i think the relay 'fix' is only needed for stg, because there was a firewall rule added for prod but not stg. It's not really a 'fix' either (it'll stop messages getting out) but it at least prevents fedmsg-relay failing, so keep it for now. --- roles/openqa/fixes/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/openqa/fixes/tasks/main.yml b/roles/openqa/fixes/tasks/main.yml index aa1902e36b..ea33b5964d 100644 --- a/roles/openqa/fixes/tasks/main.yml +++ b/roles/openqa/fixes/tasks/main.yml @@ -4,8 +4,9 @@ - name: remove internal message source policy file: path=/etc/fedmsg.d/policy.py state=absent -- name: use packaged relay.py, not ansible one (which doesn't work) +- name: use packaged relay.py, not ansible one (just till firewall is fixed) command: cp /etc/fedmsg.d/relay.py.rpmnew /etc/fedmsg.d/relay.py + when: fedmsg_env == "stg" - name: restart fedmsg services service: name={{ item }} state=restarted From d7c79c5cb00c1ea5afc55e7a70be9d46b3b26d4d Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 17:30:09 -0800 Subject: [PATCH 23/33] openqa/fixes: try a custom relay.py for prod... seems like we need the internal inbound relay but the public outbound relay? I don't even know...but we definitely can't connect to busgateway01.phx2.fedoraproject.org:3999 --- roles/openqa/fixes/files/relay.py | 19 +++++++++++++++++++ roles/openqa/fixes/tasks/main.yml | 4 ++++ 2 files changed, 23 insertions(+) create mode 100644 roles/openqa/fixes/files/relay.py diff --git a/roles/openqa/fixes/files/relay.py b/roles/openqa/fixes/files/relay.py new file mode 100644 index 0000000000..3a0e66845a --- /dev/null 
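Review bot: The `cp /etc/fedmsg.d/relay.py.rpmnew /etc/fedmsg.d/relay.py` task, now limited to stg by the added `when`, still runs on every play and fails the play when the `.rpmnew` file is absent. Adding `removes=/etc/fedmsg.d/relay.py.rpmnew` to the `command` line lets Ansible skip the task in that case. The commit message says this workaround stops messages getting out on stg; that belongs in a comment above the task as well, because the task name only says "just till firewall is fixed". The task was introduced in PATCH 18/33 with the same gap.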
+++ b/roles/openqa/fixes/files/relay.py @@ -0,0 +1,19 @@ +config = dict( + endpoints={ + # This is the output side of the relay to which all other + # services can listen. + "relay_outbound": [ + "tcp://127.0.0.1:4001", + ], + }, + relay_inbound=[ + + # Stuff from the cloud has to go through our external proxy first.. + #"tcp://hub.fedoraproject.org:9941", + + # ...and normally, we'd like them to go through round-robin, but we're + # not getting messages in from proxies across the vpn. So, only use + # proxy01 for now. + "tcp://209.132.181.16:9941", + ], +) diff --git a/roles/openqa/fixes/tasks/main.yml b/roles/openqa/fixes/tasks/main.yml index ea33b5964d..86c96d275e 100644 --- a/roles/openqa/fixes/tasks/main.yml +++ b/roles/openqa/fixes/tasks/main.yml @@ -8,6 +8,10 @@ command: cp /etc/fedmsg.d/relay.py.rpmnew /etc/fedmsg.d/relay.py when: fedmsg_env == "stg" +- name: use custom relay.py (external outbound, internal inbound) + copy: src=relay.py dest=/etc/fedmsg.d/relay.py owner=root group=root mode=0644 + when: fedmsg_env != "stg" + - name: restart fedmsg services service: name={{ item }} state=restarted with_items: From 2d5b6329ef384dfd9752679dd14ef8f656586c26 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 18:54:08 -0800 Subject: [PATCH 24/33] openqa: drop fedmsg/relay role (not needed), drop relay 'fixes' let's start over and see where we're at. --- playbooks/groups/openqa.yml | 1 - roles/openqa/fixes/tasks/main.yml | 15 ++------------- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index c356d36d02..a730be3216 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml 
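Review bot: `relay_inbound` points at the literal address `tcp://209.132.181.16:9941`, and the comment above it was written for cloud hosts and round-robin proxies rather than for openQA. A bare IP in a static file is not updated when the proxy is renumbered, after which these hosts would hand their messages to whatever then answers on that address. I would name the host next to the literal and state why openQA needs it, e.g. `# proxy01 (external relay); openQA cannot reach the internal inbound relay through the firewall`. The companion task added to `tasks/main.yml` in this commit is titled "external outbound, internal inbound", while this file sets a loopback `relay_outbound` and an external `relay_inbound`; one of the two descriptions should be corrected.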
@@ -45,7 +45,6 @@ - { role: openqa/dispatcher, tags: ['openqa_dispatcher'] } - { role: check-compose, tags: ['check-compose'] } - { role: fedmsg/base, tags: ['fedmsg_base', 'fedmsg'] } - - { role: fedmsg/relay, tags: ['fedmsg_relay', 'fedmsg'] } - { role: fedmsg/hub, tags: ['fedmsg_hub', 'fedmsg'] } - { role: openqa/fixes, tags: ['openqa_fixes', 'fedmsg'] } diff --git a/roles/openqa/fixes/tasks/main.yml b/roles/openqa/fixes/tasks/main.yml index 86c96d275e..a2d0fe60ea 100644 --- a/roles/openqa/fixes/tasks/main.yml +++ b/roles/openqa/fixes/tasks/main.yml @@ -4,16 +4,5 @@ - name: remove internal message source policy file: path=/etc/fedmsg.d/policy.py state=absent -- name: use packaged relay.py, not ansible one (just till firewall is fixed) - command: cp /etc/fedmsg.d/relay.py.rpmnew /etc/fedmsg.d/relay.py - when: fedmsg_env == "stg" - -- name: use custom relay.py (external outbound, internal inbound) - copy: src=relay.py dest=/etc/fedmsg.d/relay.py owner=root group=root mode=0644 - when: fedmsg_env != "stg" - -- name: restart fedmsg services - service: name={{ item }} state=restarted - with_items: - - fedmsg-hub - - fedmsg-relay +- name: restart fedmsg service + service: name=fedmsg-hub state=restarted From 5e36f333fa93aa23f796f6797e501d715010e504 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 11 Mar 2016 03:01:48 +0000 Subject: [PATCH 25/33] Hopefully only one further change to get openqa connectivity working. --- inventory/inventory | 2 ++ roles/fedmsg/base/templates/relay.py.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/inventory/inventory b/inventory/inventory index b50680197d..8ff2d231e8 100644 --- a/inventory/inventory +++ b/inventory/inventory 
@@ -805,9 +805,11 @@ retrace02.qa.fedoraproject.org s390-koji01.qa.fedoraproject.org arm-koji01.qa.fedoraproject.org resultsdb01.qa.fedoraproject.org +openqa01.qa.fedoraproject.org [fedmsg-qa-network-stg] resultsdb-stg01.qa.fedoraproject.org +openqa-stg01.qa.fedoraproject.org # assorted categories of fedmsg services, for convenience diff --git a/roles/fedmsg/base/templates/relay.py.j2 b/roles/fedmsg/base/templates/relay.py.j2 index 82cd0f957c..79733297bd 100644 --- a/roles/fedmsg/base/templates/relay.py.j2 +++ b/roles/fedmsg/base/templates/relay.py.j2 @@ -24,7 +24,7 @@ config = dict( # It is also used by the mediawiki php plugin which, due to the oddities of # php, can't maintain a single passive-bind endpoint of it's own. relay_inbound=[ - {% if 'persistent-cloud' in group_names or 'jenkins-master' in group_names or 'qa-isolated' in group_names %} + {% if 'persistent-cloud' in group_names or 'jenkins-master' in group_names %} # Stuff from the cloud has to go through our external proxy first.. #"tcp://hub.fedoraproject.org:9941", From 8d4a492b0287a2d4f811f251da0f2a732ed5f1b2 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 20:06:02 -0800 Subject: [PATCH 26/33] drop the openqa/fixes role, threebean says it's unneeded apparently the policy.py file shouldn't cause any problems. --- playbooks/groups/openqa.yml | 1 - roles/openqa/fixes/files/relay.py | 19 ------------------- roles/openqa/fixes/tasks/main.yml | 8 -------- 3 files changed, 28 deletions(-) delete mode 100644 roles/openqa/fixes/files/relay.py delete mode 100644 roles/openqa/fixes/tasks/main.yml diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index a730be3216..06ff236131 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml 
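Review bot: Dropping `'qa-isolated' in group_names` from the `relay_inbound` condition changes the rendered endpoint for every host in that group, not only the two openQA hosts this commit adds to the fedmsg inventory groups. The branch those hosts now fall into is outside the hunk, so which endpoint they receive cannot be confirmed from here; if it is the internal relay, any other `qa-isolated` member that cannot reach it would presumably stop delivering messages with no error at deploy time. I would confirm the group's membership before merging and leave a comment on the condition, e.g. `# qa-isolated hosts use the internal relay; requires the firewall rule for <relay host:port>` (placeholder for the real endpoint).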
@@ -46,7 +46,6 @@ - { role: check-compose, tags: ['check-compose'] } - { role: fedmsg/base, tags: ['fedmsg_base', 'fedmsg'] } - { role: fedmsg/hub, tags: ['fedmsg_hub', 'fedmsg'] } - - { role: openqa/fixes, tags: ['openqa_fixes', 'fedmsg'] } handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/roles/openqa/fixes/files/relay.py b/roles/openqa/fixes/files/relay.py deleted file mode 100644 index 3a0e66845a..0000000000 --- a/roles/openqa/fixes/files/relay.py +++ /dev/null @@ -1,19 +0,0 @@ -config = dict( - endpoints={ - # This is the output side of the relay to which all other - # services can listen. - "relay_outbound": [ - "tcp://127.0.0.1:4001", - ], - }, - relay_inbound=[ - - # Stuff from the cloud has to go through our external proxy first.. - #"tcp://hub.fedoraproject.org:9941", - - # ...and normally, we'd like them to go through round-robin, but we're - # not getting messages in from proxies across the vpn. So, only use - # proxy01 for now. - "tcp://209.132.181.16:9941", - ], -) diff --git a/roles/openqa/fixes/tasks/main.yml b/roles/openqa/fixes/tasks/main.yml deleted file mode 100644 index a2d0fe60ea..0000000000 --- a/roles/openqa/fixes/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ -# This file contains some temporary fixes for the fedmsg config on openQA -# hosts, since the roles still aren't quite right for firewalled systems. - -- name: remove internal message source policy - file: path=/etc/fedmsg.d/policy.py state=absent - -- name: restart fedmsg service - service: name=fedmsg-hub state=restarted From 39c72cc3e4dae1a0b53d16ffe97f752a57baa215 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 20:19:39 -0800 Subject: [PATCH 27/33] clean up openqa/server a bit more I'd like to revise this a bit to be usable outside infra again, but tomorrow...or later... --- roles/openqa/server/tasks/main.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) 
diff --git a/roles/openqa/server/tasks/main.yml b/roles/openqa/server/tasks/main.yml index 2031fcb286..1fc626fccb 100644 --- a/roles/openqa/server/tasks/main.yml +++ b/roles/openqa/server/tasks/main.yml @@ -36,15 +36,6 @@ # need to ensure geekotest always has the same uid/gid if we re-deploy # the servers. So we create the account here with uid/gid 601. -# this first one is just to make sure I don't screw up prod while I'm -# fiddling with this stuff on stg -- name: Check if geekotest already exists (temp) - command: "getent passwd geekotest" - register: gotgeeko - failed_when: "1 != 1" - changed_when: "1 != 1" - always_run: true - - name: Create geekotest group with static GID 601 group: name=geekotest gid=601 system=yes when: "gotgeeko.rc > 0" @@ -61,7 +52,7 @@ shell: /sbin/nologin when: "gotgeeko.rc > 0" -# note: we need updates-testing until fedfind 2.x and openQA 4.3-18 go stable +# note: we need updates-testing until fedfind 2.x and openQA 4.3-21 go stable - name: Install required packages (testing) dnf: name={{ item }} state=present enablerepo="updates-testing" with_items: From c588b55419de941766bd24aa7b90d69baaae49df Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 10 Mar 2016 20:20:31 -0800 Subject: [PATCH 28/33] openqa/server: whoops, gotta clean this too --- roles/openqa/server/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/openqa/server/tasks/main.yml b/roles/openqa/server/tasks/main.yml index 1fc626fccb..df3b1a5daf 100644 --- a/roles/openqa/server/tasks/main.yml +++ b/roles/openqa/server/tasks/main.yml @@ -38,7 +38,6 @@ - name: Create geekotest group with static GID 601 group: name=geekotest gid=601 system=yes - when: "gotgeeko.rc > 0" - name: Create geekotest user with static UID 601 user: @@ -50,7 +49,6 @@ createhome: no system: yes shell: /sbin/nologin - when: "gotgeeko.rc > 0" # note: we need updates-testing until fedfind 2.x and openQA 4.3-21 go stable - name: Install required packages (testing) 
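Review bot: Removing the `Check if geekotest already exists (temp)` task drops the only `register: gotgeeko`, but the group and user tasks kept as context in both hunks still carry `when: "gotgeeko.rc > 0"`, so at this commit they reference an undefined variable. PATCH 28/33 deletes those two `when` lines; squashing it into this commit keeps every revision in the series runnable. The removed comment says the check existed to protect prod, so once the guard is gone the `group` and `user` tasks apply GID/UID 601 unconditionally. A host where geekotest already exists under a different id should be checked first, since files owned by the old id would presumably not follow the change.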
From 7ec2f02e71dec91f1a845c90a5c7aa8b6952dfd2 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Fri, 11 Mar 2016 09:54:19 +0000 Subject: [PATCH 29/33] Move koschei.stg to f25 build target --- inventory/group_vars/koschei-stg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/koschei-stg b/inventory/group_vars/koschei-stg index 194519d61e..e0a3321906 100644 --- a/inventory/group_vars/koschei-stg +++ b/inventory/group_vars/koschei-stg @@ -12,7 +12,7 @@ koschei_pgsql_hostname: db01.stg.phx2.fedoraproject.org koschei_koji_hub: koji01.stg.phx2.fedoraproject.org koschei_kojipkgs: koji01.stg.phx2.fedoraproject.org koschei_koji_web: koji.stg.fedoraproject.org -koschei_koji_tag: f24 +koschei_koji_tag: f25 koschei_openid_provider: id.stg.fedoraproject.org koschei_bugzilla: partner-bugzilla.redhat.com From b07cd2dd1fe5e4fee77e908908eef57ff873b8e2 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 11 Mar 2016 10:53:46 +0000 Subject: [PATCH 30/33] The osbs plugin won't work on arm builders Signed-off-by: Patrick Uiterwijk --- roles/koji_builder/templates/kojid.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf index 75594efa2c..8fe4d6d897 100644 --- a/roles/koji_builder/templates/kojid.conf +++ b/roles/koji_builder/templates/kojid.conf @@ -85,7 +85,7 @@ plugins = runroot {% else %} -{% if env == 'staging' %} +{% if env == 'staging' and not inventory_hostname.startswith('arm') %} plugins = builder_containerbuild {% else %} plugins = From e7f2d02480c55f94400442023b279594381fa3fe Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Fri, 11 Mar 2016 14:21:12 +0000 Subject: [PATCH 31/33] install the runroot koji plugin on the arm and ppc compose boxes Signed-off-by: Dennis Gilmore --- inventory/builders | 3 +++ 1 file changed, 3 insertions(+) diff --git a/inventory/builders b/inventory/builders index 50dc58d3f6..105a2cd62a 100644 
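Review bot: `inventory_hostname.startswith('arm')` decides plugin loading from a naming convention rather than from the host's architecture or inventory group. PATCH 31/33 in this series adds `aarch64-02a.arm.fedoraproject.org` to the builders inventory, a host in the arm domain whose name does not start with `arm`; if such a host is ever in staging it would still get `plugins = builder_containerbuild`. A group test such as `inventory_hostname not in groups['<arm-builders-group>']` (placeholder; use the inventory's actual group name) states the intent directly and does not depend on how hosts are named.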
--- a/inventory/builders +++ b/inventory/builders @@ -241,6 +241,9 @@ arm04-builder00.arm.fedoraproject.org arm04-builder01.arm.fedoraproject.org arm02-builder21.arm.fedoraproject.org arm02-builder23.arm.fedoraproject.org +aarch64-02a.arm.fedoraproject.org +buildvm-ppc64-01.ppc.fedoraproject.org +buildvm-ppc64le-01.ppc.fedoraproject.org [builders:children] buildhw From 464bd300a116b1fae34aed127e5a936ae01f630d Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 11 Mar 2016 15:54:34 +0000 Subject: [PATCH 32/33] Change PDC error email recipients. --- inventory/group_vars/pdc-backend | 4 +++- inventory/group_vars/pdc-backend-stg | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/inventory/group_vars/pdc-backend b/inventory/group_vars/pdc-backend index 0773885c9e..9c2bd0ad2c 100644 --- a/inventory/group_vars/pdc-backend +++ b/inventory/group_vars/pdc-backend @@ -13,4 +13,6 @@ fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-datanommer # These people get told when something goes wrong. fedmsg_error_recipients: -- releng-cron@lists.fedoraproject.org +- ralph@fedoraproject.org +- ausil@fedoraproject.org +- adamwill@fedoraproject.org diff --git a/inventory/group_vars/pdc-backend-stg b/inventory/group_vars/pdc-backend-stg index 8186869dd2..94825a1bf4 100644 --- a/inventory/group_vars/pdc-backend-stg +++ b/inventory/group_vars/pdc-backend-stg @@ -13,4 +13,6 @@ fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-datanommer # These people get told when something goes wrong. fedmsg_error_recipients: -- releng-cron@lists.fedoraproject.org +- ralph@fedoraproject.org +- ausil@fedoraproject.org +- adamwill@fedoraproject.org From 746bab7ea9f90d3bdfa3aa65b20e2e27bda69f35 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 11 Mar 2016 16:11:49 +0000 Subject: [PATCH 33/33] Actually use the correct captcha key Signed-off-by: Patrick Uiterwijk --- roles/fas_server/templates/fas.cfg.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2 index 262d5e1a6d..a5232f7d2d 100644 --- a/roles/fas_server/templates/fas.cfg.j2 +++ b/roles/fas_server/templates/fas.cfg.j2 @@ -54,8 +54,8 @@ default_language = 'en' country_blacklist = ["--", "A1", "A2", "AN", "AS", "AX", "BI", "BL", "BV", "CC", "CU", "CV", "CX", "DM", "FK", "FO", "GF", "GG", "GP", "GS", "GW", "HM", "IO", "IR", "IQ", "JE", "KI", "KP", "MF", "MP", "MS", "MW", "NF", "NR", "NU", "PM", "PN", "RE", "SB", "SD", "SH", "SJ", "SY", "TC", "TF", "TK", "TL", "TV", "UM", "VC", "VG", "WF", "YT"] # Captcha -tgcaptcha.key = '{{ fasCaptchaSecret }}' -tgcaptcha.jpeg_generator = 'vanasco_dowty' +tgcaptcha2.key = '{{ fasCaptchaSecret }}' +tgcaptcha2.jpeg_generator = 'vanasco_dowty' ### ### Administrative settings