diff --git a/callback_plugins/logdetail.py b/callback_plugins/logdetail.py index 06c4bf8ccb..158b8ee45c 100644 --- a/callback_plugins/logdetail.py +++ b/callback_plugins/logdetail.py @@ -93,7 +93,7 @@ class LogMech(object): if self.playbook_id == 'ansible-cmd': res['task_userid'] = getlogin() for k in ("delegate_to", "environment", "first_available_file", - "local_action", "notified_by", "notify", "only_if", + "local_action", "notified_by", "notify", "register", "sudo", "sudo_user", "tags", "transport", "when"): v = getattr(task, k, None) diff --git a/files/copr/provision/files/mock/epel-5-i386.cfg b/files/copr/provision/files/mock/epel-5-i386.cfg index a8b03edf3f..38a425aba6 100644 --- a/files/copr/provision/files/mock/epel-5-i386.cfg +++ b/files/copr/provision/files/mock/epel-5-i386.cfg @@ -5,6 +5,7 @@ config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' +config_opts['releasever'] = '5' config_opts['yum.conf'] = """ [main] diff --git a/files/copr/provision/files/mock/epel-5-x86_64.cfg b/files/copr/provision/files/mock/epel-5-x86_64.cfg index 0f59da54f6..2f26af0ba5 100644 --- a/files/copr/provision/files/mock/epel-5-x86_64.cfg +++ b/files/copr/provision/files/mock/epel-5-x86_64.cfg @@ -5,6 +5,7 @@ config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' +config_opts['releasever'] = '5' config_opts['yum.conf'] = """ [main] diff --git a/files/copr/provision/files/mock/epel-7-x86_64.cfg b/files/copr/provision/files/mock/epel-7-x86_64.cfg index eeee2d831e..91b72b8260 100644 --- a/files/copr/provision/files/mock/epel-7-x86_64.cfg 
+++ b/files/copr/provision/files/mock/epel-7-x86_64.cfg @@ -11,6 +11,7 @@ config_opts['macros']['%rhel'] = '7' config_opts['macros']['%el7'] = '1' config_opts['macros']['%_topdir'] = '/builddir/build' config_opts['macros']['%_rpmfilename'] = '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm' +config_opts['releasever'] = '7' config_opts['plugin_conf']['root_cache_enable'] = False config_opts['plugin_conf']['yum_cache_enable'] = False diff --git a/files/copr/provision/files/mock/fedora-20-i386.cfg b/files/copr/provision/files/mock/fedora-20-i386.cfg index d04d180320..fde3c2754f 100644 --- a/files/copr/provision/files/mock/fedora-20-i386.cfg +++ b/files/copr/provision/files/mock/fedora-20-i386.cfg @@ -3,6 +3,7 @@ config_opts['target_arch'] = 'i686' config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst +config_opts['releasever'] = '20' config_opts['yum.conf'] = """ [main] diff --git a/files/copr/provision/files/mock/fedora-20-x86_64.cfg b/files/copr/provision/files/mock/fedora-20-x86_64.cfg index 0f56311e0b..fa7f6d4c42 100644 --- a/files/copr/provision/files/mock/fedora-20-x86_64.cfg +++ b/files/copr/provision/files/mock/fedora-20-x86_64.cfg @@ -3,6 +3,7 @@ config_opts['target_arch'] = 'x86_64' config_opts['legal_host_arches'] = ('x86_64',) config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst +config_opts['releasever'] = '20' config_opts['yum.conf'] = """ [main] diff --git a/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts b/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..23f9e40ac0 --- /dev/null +++ b/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts 
@@ -0,0 +1,6 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.71 db-notifs db-notifs +10.5.126.109 db-datanommer db-datanommer diff --git a/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts index 39a889c3e2..6ba829d3d2 100644 --- a/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts @@ -9,3 +9,4 @@ 10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.85 db-notifs db-notifs +10.5.126.85 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..23f9e40ac0 --- /dev/null +++ b/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts @@ -0,0 +1,6 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.71 db-notifs db-notifs +10.5.126.109 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts index 39a889c3e2..6ba829d3d2 100644 --- a/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts @@ -9,3 +9,4 @@ 10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.85 db-notifs db-notifs +10.5.126.85 db-datanommer db-datanommer 
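Review bot: In the `notifs-backend01.stg` hosts hunk the added `db-datanommer` entry resolves to 10.5.126.85, the same address as `db-notifs` on the line above it, whereas the production hosts files added in this commit give the two names different addresses (10.5.126.71 and 10.5.126.109). If staging really serves both databases from one host this is fine, but a trailing comment such as `# stg: datanommer shares the db-notifs host` would stop the duplicate being read as a copy-paste slip. The same line is added to the `notifs-web01.stg` and `notifs-web02.stg` files. Each entry also repeats the name twice (`db-datanommer db-datanommer`); one occurrence is enough.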
diff --git a/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..23f9e40ac0 --- /dev/null +++ b/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts @@ -0,0 +1,6 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.71 db-notifs db-notifs +10.5.126.109 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts index 39a889c3e2..6ba829d3d2 100644 --- a/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts @@ -9,3 +9,4 @@ 10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.85 db-notifs db-notifs +10.5.126.85 db-datanommer db-datanommer diff --git a/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml b/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml new file mode 100644 index 0000000000..130e516828 --- /dev/null +++ b/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml @@ -0,0 +1,24 @@ +hudson.plugins.warnings.WarningsPublisher.xml +============================================= + + + + + + pyflakes + ^(.*):([0-9]*):(.*)$ + + + https://pypi.python.org/pypi/pyflakes + pyflakes errors + + + diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 5fdb70786d..d0d895aa63 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml 
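Review bot: The pyflakes parser pattern in the new `WarningsPublisher.xml`, `^(.*):([0-9]*):(.*)$`, accepts an empty line number and lets the greedy first group run past the first colon, so a message that itself contains `::` or `:NN:` would be split in the wrong place. `^([^:]+):([0-9]+):(.*)$` ties the file name to the text before the first colon and requires at least one digit. The file as shown also begins with a title line and a `=====` underline ahead of the markup; if it is deployed verbatim that preamble would presumably stop it parsing as XML, so confirm it is stripped or move it into an XML comment.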
@@ -29,6 +29,9 @@ - name: restart jenkins action: service name=jenkins state=restarted +- name: restart kojid + action: service name=kojid state=restarted + - name: restart libvirtd action: service name=libvirtd state=restarted diff --git a/inventory/group_vars/buildvm b/inventory/group_vars/buildvm index 251322ba18..7f16b47df6 100644 --- a/inventory/group_vars/buildvm +++ b/inventory/group_vars/buildvm @@ -3,8 +3,8 @@ lvm_size: 150000 mem_size: 6144 num_cpus: 5 -ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/19/Fedora/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-20 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/20/Fedora/x86_64/os/ nm: 255.255.255.0 gw: 10.5.125.254 eth1_gw: 10.5.127.254 diff --git a/inventory/group_vars/kernel-qa b/inventory/group_vars/kernel-qa index 8e03331925..39e618921d 100644 --- a/inventory/group_vars/kernel-qa +++ b/inventory/group_vars/kernel-qa @@ -1,6 +1,5 @@ --- freezes: true resolvconf: "{{ files }}/resolv.conf/phx2" -rsyslogconf: "{{ files }}/rsyslog/rsyslog.conf.phx2" fas_client_groups: sysadmin-kernel sudoers: "{{ private }}/files/sudo/kernel-qa" diff --git a/inventory/group_vars/notifs-backend b/inventory/group_vars/notifs-backend new file mode 100644 index 0000000000..25492830cb --- /dev/null +++ b/inventory/group_vars/notifs-backend @@ -0,0 +1,10 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 1024 +num_cpus: 2 + +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +fas_client_groups: sysadmin-noc,sysadmin-datanommer diff --git a/inventory/group_vars/notifs-web b/inventory/group_vars/notifs-web new file mode 100644 index 0000000000..bb20797c5f --- /dev/null +++ b/inventory/group_vars/notifs-web 
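Review bot: `fas_client_groups: sysadmin-noc,sysadmin-datanommer` in the new `group_vars/notifs-backend` appears to control which FAS groups get accounts on these hosts, and the group it names is the datanommer one rather than a notifs-specific group. If that is intentional, a one-line comment above it, e.g. `# notifs is administered by the datanommer group; no separate FAS group exists`, would record the decision. If the value was carried over from another group's vars, it grants login more widely than the service needs; the same value is added in `group_vars/notifs-web`.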
@@ -0,0 +1,12 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443 ]
+
+fas_client_groups: sysadmin-noc,sysadmin-datanommer
diff --git a/inventory/host_vars/notifs-backend01.phx2.fedoraproject.org b/inventory/host_vars/notifs-backend01.phx2.fedoraproject.org
new file mode 100644
index 0000000000..cfcc97757f
--- /dev/null
+++ b/inventory/host_vars/notifs-backend01.phx2.fedoraproject.org
@@ -0,0 +1,14 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
+ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
+
+eth0_ip: 10.5.126.168
+
+volgroup: /dev/vg_virthost09
+vmhost: virthost09.phx2.fedoraproject.org
+
+datacenter: phx2
diff --git a/inventory/host_vars/notifs-web01.phx2.fedoraproject.org b/inventory/host_vars/notifs-web01.phx2.fedoraproject.org
new file mode 100644
index 0000000000..416dc7e424
--- /dev/null
+++ b/inventory/host_vars/notifs-web01.phx2.fedoraproject.org
@@ -0,0 +1,14 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
+ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
+
+eth0_ip: 10.5.126.103
+
+volgroup: /dev/vg_virthost04
+vmhost: virthost04.phx2.fedoraproject.org
+
+datacenter: phx2
diff --git a/inventory/host_vars/notifs-web02.phx2.fedoraproject.org b/inventory/host_vars/notifs-web02.phx2.fedoraproject.org
new file mode 100644
index 0000000000..e384071ea6
--- /dev/null
+++ b/inventory/host_vars/notifs-web02.phx2.fedoraproject.org
@@ -0,0 +1,14 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
+ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
+
+eth0_ip: 10.5.126.119
+
+volgroup: /dev/vg_virthost06
+vmhost: virthost06.phx2.fedoraproject.org
+
+datacenter: phx2
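Review bot: The new `host_vars/notifs-backend01.phx2.fedoraproject.org` sets `ks_url` and `ks_repo` to plain `http://10.5.126.23/...`, so the kickstart and the install tree reach the new VM with no transport integrity or server authentication. The kickstart decides what is installed and how the host is first configured, so its source deserves the same care as the playbooks. If the install server offers TLS, switching both values to `https://` would cover it; otherwise a comment stating that the provisioning network is the trust boundary would make the assumption explicit. The `notifs-web01` and `notifs-web02` host_vars and the changed lines in `group_vars/buildvm` use the same scheme.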
diff --git a/inventory/inventory b/inventory/inventory index bcd63b9e6d..1e6f6241eb 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -158,7 +158,7 @@ collab03.fedoraproject.org collab04.fedoraproject.org [releng] -releng01.phx2.fedoraproject.org +#releng01.phx2.fedoraproject.org releng02.phx2.fedoraproject.org releng04.phx2.fedoraproject.org relepel01.phx2.fedoraproject.org @@ -258,9 +258,16 @@ lockbox-comm01.qa.fedoraproject.org noc01.phx2.fedoraproject.org noc02.fedoraproject.org +[notifs-backend] +notifs-backend01.phx2.fedoraproject.org + [notifs-backend-stg] notifs-backend01.stg.phx2.fedoraproject.org +[notifs-web] +notifs-web01.phx2.fedoraproject.org +notifs-web02.phx2.fedoraproject.org + [notifs-web-stg] notifs-web01.stg.phx2.fedoraproject.org notifs-web02.stg.phx2.fedoraproject.org diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml index 4d44c54b75..969c4cbdf1 100644 --- a/playbooks/groups/arm-packager.yml +++ b/playbooks/groups/arm-packager.yml @@ -12,10 +12,10 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml index 4193d22a47..68e7de91ec 100644 --- a/playbooks/groups/arm-qa.yml +++ b/playbooks/groups/arm-qa.yml @@ -12,10 +12,10 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - fas_client tasks: # this is how you include other task lists 
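Review bot: `#releng01.phx2.fedoraproject.org` is left commented out in the `[releng]` group with nothing saying why or whether it is meant to come back. A host that silently drops out of inventory also drops out of every play that hardens or monitors it, so the reason should be on the line, e.g. `# releng01 removed from management: <reason>`, or the entry should be deleted outright. The `playbooks/groups/releng.yml` hunk in this commit removes the same host from `hosts:`, which suggests the removal is deliberate.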
diff --git a/playbooks/groups/arm-releng.yml b/playbooks/groups/arm-releng.yml index 85ea2804ff..6c9190c663 100644 --- a/playbooks/groups/arm-releng.yml +++ b/playbooks/groups/arm-releng.yml @@ -12,11 +12,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client + - base + - fas_client + - rkhunter + - denyhosts + - nagios_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/ask.yml b/playbooks/groups/ask.yml index dd36b743d0..8de5586f27 100644 --- a/playbooks/groups/ask.yml +++ b/playbooks/groups/ask.yml @@ -28,13 +28,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base - - /srv/web/infra/ansible/roles/ask + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - ask + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml index a0fa56af28..500c08d860 100644 --- a/playbooks/groups/backup-server.yml +++ b/playbooks/groups/backup-server.yml @@ -15,11 +15,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" 
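Review bot: The role order in `ask.yml` changes along with the path shortening, and nothing in the hunk says so: `fedmsg_base` used to run before `ask` and now runs after it. Roles are applied in list order, so if `ask` relies on anything `fedmsg_base` installs or configures, a first run on a fresh host could behave differently from before. If the swap is deliberate, a comment above the entry such as `# fedmsg_base must come after ask because <reason>` would record it. The `mailman.yml` hunk moves `fedmsg_base` after the `mailman` role in the same way.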
diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml index db6c80fafe..022e3e4769 100644 --- a/playbooks/groups/badges-backend.yml +++ b/playbooks/groups/badges-backend.yml @@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" @@ -58,8 +58,8 @@ accelerate: True roles: - - /srv/web/infra/ansible/roles/fedmsg-hub - - /srv/web/infra/ansible/roles/badges-backend + - fedmsg-hub + - badges-backend vars_files: - /srv/web/infra/ansible/vars/global.yml diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml index 737dcbbb74..fa0dec9b81 100644 --- a/playbooks/groups/badges-web.yml +++ b/playbooks/groups/badges-web.yml @@ -32,13 +32,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/badges-frontend - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - badges-frontend + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml index 8f55210b19..d3d6e9d3c4 100644 --- a/playbooks/groups/beaker.yml +++ b/playbooks/groups/beaker.yml 
@@ -29,11 +29,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/bkernel.yml b/playbooks/groups/bkernel.yml index bad914e36c..663f6ef836 100644 --- a/playbooks/groups/bkernel.yml +++ b/playbooks/groups/bkernel.yml @@ -13,10 +13,10 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base + - koji_builder tasks: - - include: "{{ tasks }}/koji/base_builder.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml" - include: "{{ tasks }}/koji/bkernel-setup.yml" diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml index 0dc109d973..be85d288d8 100644 --- a/playbooks/groups/buildhw.yml +++ b/playbooks/groups/buildhw.yml @@ -6,7 +6,6 @@ hosts: buildhw;buildppc;buildarm user: root gather_facts: True - accellerate: True vars_files: - /srv/web/infra/ansible/vars/global.yml @@ -14,24 +13,20 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base + - koji_builder tasks: - include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/hosts.yml" - - include: "{{ tasks }}/koji/base_builder.yml" handlers: - include: "{{ handlers }}/restart_services.yml" - - name: restart kojid - action: service name=kojid state=restarted - - name: make koji builder(s) on raw hw hosts: buildhw user: root gather_facts: True - accellerate: True vars_files: - /srv/web/infra/ansible/vars/global.yml @@ -39,7 +34,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base tasks: - include: "{{ tasks }}/hosts.yml" 
@@ -47,6 +42,3 @@ handlers: - include: "{{ handlers }}/restart_services.yml" - - - name: restart kojid - action: service name=kojid state=restarted diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index aa3191e0d5..0222f61859 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -32,15 +32,16 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base + - koji_builder tasks: - include: "{{ tasks }}/hosts.yml" - - include: "{{ tasks }}/koji/base_builder.yml" + - include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml" + - name: make sure kojid is running + action: service name=kojid state=running + handlers: - include: "{{ handlers }}/restart_services.yml" - - - name: restart kojid - action: service name=kojid state=restarted diff --git a/playbooks/groups/docs-backend.yml b/playbooks/groups/docs-backend.yml index f0cb73d20e..657784627c 100644 --- a/playbooks/groups/docs-backend.yml +++ b/playbooks/groups/docs-backend.yml @@ -25,12 +25,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/yum-cron + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - yum-cron tasks: # this is how you include other task lists diff --git a/playbooks/groups/elections.yml b/playbooks/groups/elections.yml index 5cf4819fb6..0e44193cab 100644 --- a/playbooks/groups/elections.yml +++ b/playbooks/groups/elections.yml 
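Review bot: The added task `make sure kojid is running` in `buildvm.yml` uses `service name=kojid state=running` without `enabled=yes`, so it starts the daemon on this run but does not by itself make it start at boot. The copr-be playbook touched in this commit writes `service: state=running enabled=yes name=lighttpd`. Unless the `koji_builder` role already enables the service (not visible here), `action: service name=kojid state=running enabled=yes` would be the consistent form.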
@@ -27,11 +27,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/fedocal.yml b/playbooks/groups/fedocal.yml index 91ffcf861e..cb9ba4e356 100644 --- a/playbooks/groups/fedocal.yml +++ b/playbooks/groups/fedocal.yml @@ -32,11 +32,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" @@ -64,7 +64,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/fedmsg_base + - fedmsg_base handlers: - include: "{{ handlers }}/restart_services.yml" @@ -81,7 +81,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/fedocal + - fedocal handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml index d41f03c520..ef8cff1588 100644 --- a/playbooks/groups/gallery.yml +++ b/playbooks/groups/gallery.yml 
@@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" @@ -62,7 +62,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/gallery + - gallery handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index 595b9aa481..7b6b5e748c 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml @@ -28,7 +28,7 @@ - resolvconf: resolv.conf/jenkins-cloud roles: - - /srv/web/infra/ansible/roles/base + - base tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" @@ -224,6 +224,7 @@ - asciidoc # Required by javapackages-tools - xmlto # Required by javapackages-tools - pycairo-devel # Required by dogtail + - pyflakes # Requested by user rholy (ticket #4175) tags: - packages @@ -299,6 +300,7 @@ - lvm2 - sshpass # End requires for Cockpit - tito # Requested by msrb for javapackages-tools and xmvn (ticket#4113) + - pyflakes # Requested by user rholy (ticket #4175) tags: - packages diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml index ec57825d4b..860f82475c 100644 --- a/playbooks/groups/keyserver.yml +++ b/playbooks/groups/keyserver.yml 
@@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index 425f374cd2..ef648fb73d 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml @@ -31,12 +31,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/koji_hub + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - koji_hub tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/lockbox.yml b/playbooks/groups/lockbox.yml index 979dd682bc..4fa95b640e 100644 --- a/playbooks/groups/lockbox.yml +++ b/playbooks/groups/lockbox.yml @@ -25,12 +25,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/ansible-server + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - ansible-server tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 81e65904a4..7826f1447b 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml 
@@ -32,12 +32,12 @@ - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/yum-cron + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - yum-cron tasks: # this is how you include other task lists @@ -97,8 +97,7 @@ - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/fedmsg_base - - role: /srv/web/infra/ansible/roles/mailman + - role: mailman mailman_dbserver: db02.stg.phx2.fedoraproject.org mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org" mailman_mm_db_pass: "{{ mailman_mm_db_pass }}" @@ -106,6 +105,7 @@ mailman_hk_db_pass: "{{ mailman_hk_db_pass }}" mailman_ks_admin_db_pass: "{{ mailman_ks_admin_db_pass }}" mailman_ks_db_pass: "{{ mailman_ks_db_pass }}" + - fedmsg_base tasks: - name: install more needed packages diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml index c389d92f20..c3a7d891e6 100644 --- a/playbooks/groups/mirrorlist.yml +++ b/playbooks/groups/mirrorlist.yml @@ -32,13 +32,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/geoip - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/mirrorlist + - base + - rkhunter + - denyhosts + - nagios_client + - geoip + - fas_client + - mirrorlist tasks: # this is how you include other task lists diff --git a/playbooks/groups/notifs-backend.yml b/playbooks/groups/notifs-backend.yml index 4d2dac3e2d..b3d159a144 100644 --- a/playbooks/groups/notifs-backend.yml 
+++ b/playbooks/groups/notifs-backend.yml @@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" @@ -45,8 +45,10 @@ - include: "{{ tasks }}/2fa_client.yml" - include: "{{ tasks }}/motd.yml" - include: "{{ tasks }}/sudo.yml" - - include: "{{ tasks }}/openvpn_client.yml" - when: env != "staging" + # The proxies don't actually need to talk to these hosts so we won't bother + # putting them on the vpn. + #- include: "{{ tasks }}/openvpn_client.yml" + # when: env != "staging" handlers: - include: "{{ handlers }}/restart_services.yml" @@ -58,8 +60,8 @@ accelerate: True roles: - - /srv/web/infra/ansible/roles/fedmsg-hub - - /srv/web/infra/ansible/roles/notifs-backend + - fedmsg-hub + - notifs-backend vars_files: - /srv/web/infra/ansible/vars/global.yml diff --git a/playbooks/groups/notifs-web.yml b/playbooks/groups/notifs-web.yml index 01458e3038..d51c7e7738 100644 --- a/playbooks/groups/notifs-web.yml +++ b/playbooks/groups/notifs-web.yml @@ -32,13 +32,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base - - /srv/web/infra/ansible/roles/notifs-frontend + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base + - notifs-frontend tasks: - include: "{{ tasks }}/hosts.yml" 
diff --git a/playbooks/groups/nuancier.yml b/playbooks/groups/nuancier.yml index 5a86f0673b..d2600f20cf 100644 --- a/playbooks/groups/nuancier.yml +++ b/playbooks/groups/nuancier.yml @@ -32,11 +32,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" @@ -64,7 +64,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/fedmsg_base + - fedmsg_base handlers: - include: "{{ handlers }}/restart_services.yml" @@ -81,7 +81,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/nuancier + - nuancier handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml index 371a1453e9..fcf27859ea 100644 --- a/playbooks/groups/postgresl-server.yml +++ b/playbooks/groups/postgresl-server.yml @@ -33,12 +33,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/postgresql_server + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - postgresql_server tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/releng.yml b/playbooks/groups/releng.yml index 9773c70560..da0286713a 100644 --- a/playbooks/groups/releng.yml +++ b/playbooks/groups/releng.yml 
@@ -4,7 +4,7 @@ # NOTE: most of these vars_path come from group_vars/releng or from hostvars - name: make releng systems - hosts: releng01.phx2.fedoraproject.org:releng02.phx2.fedoraproject.org + hosts: releng02.phx2.fedoraproject.org user: root gather_facts: False accelerate: True @@ -23,7 +23,7 @@ # Once the instance exists, configure it. - name: make releng server system - hosts: releng01.phx2.fedoraproject.org:releng02.phx2.fedoraproject.org + hosts: releng02.phx2.fedoraproject.org user: root gather_facts: True accelerate: True @@ -34,8 +34,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/nagios_client + - base + - nagios_client tasks: - include: "{{ tasks }}/koji/releng_config.yml" diff --git a/playbooks/groups/taskotron.yml b/playbooks/groups/taskotron.yml index d79490fb26..7f0ca7e227 100644 --- a/playbooks/groups/taskotron.yml +++ b/playbooks/groups/taskotron.yml @@ -29,12 +29,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/yum-cron + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - yum-cron tasks: # this is how you include other task lists diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml index 08c2b71411..444e748a00 100644 --- a/playbooks/groups/virthost.yml +++ b/playbooks/groups/virthost.yml 
@@ -14,12 +14,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/iscsi_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - iscsi_client tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml index 4cd9919400..24ae5ec033 100644 --- a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml @@ -23,7 +23,7 @@ # Roles are run first, before tasks, regardless of where you place them here. roles: - - /srv/web/infra/ansible/roles/fedmsg_base + - fedmsg_base tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" @@ -122,10 +122,10 @@ - restart lighttpd - name: start webserver - action: service state=running enabled=yes name=lighttpd + service: state=running enabled=yes name=lighttpd - name: start fail2ban - action: service state=running enabled=yes name=fail2ban + service: state=running enabled=yes name=fail2ban # setup dirs for the ansible execution off of provisioning - name: dirs from provision @@ -209,6 +209,6 @@ - name: chmod_key action: file path=/etc/lighttpd/coprs-be.fedoraproject.org.pem owner=root group=root mode=0600 - name: restart copr-backend - action: service: name=copr-backend state=restarted + service: name=copr-backend state=restarted - name: restart lighttpd - action: service: name=lighttpd state=restarted + service: name=lighttpd state=restarted diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 5ca0caf0be..d8b44ec6d4 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml 
+++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -117,7 +117,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - role: /srv/web/infra/ansible/roles/mailman + - role: mailman mailman_dbserver: localhost mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}" diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/manual/kernel-qa.yml similarity index 77% rename from playbooks/groups/kernel-qa.yml rename to playbooks/manual/kernel-qa.yml index aadf88aba9..07d59fed40 100644 --- a/playbooks/groups/kernel-qa.yml +++ b/playbooks/manual/kernel-qa.yml @@ -13,11 +13,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/manual/sign.yml b/playbooks/manual/sign.yml index d696be8f6b..deadb217bf 100644 --- a/playbooks/manual/sign.yml +++ b/playbooks/manual/sign.yml @@ -17,8 +17,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter + - base + - rkhunter tasks: - include: "{{ tasks }}/serialgetty.yml" diff --git a/roles/base/files/rsyslog/rsyslog-audit.conf b/roles/base/files/rsyslog/rsyslog-audit.conf new file mode 100644 index 0000000000..8e6c2f5b18 --- /dev/null +++ b/roles/base/files/rsyslog/rsyslog-audit.conf 
@@ -0,0 +1,13 @@
+# monitor auditd log and send out over local6 to central loghost
+$ModLoad imfile.so
+
+# auditd audit.log
+$InputFileName /var/log/audit/audit.log
+$InputFileTag tag_audit_log:
+$InputFileStateFile audit_log
+$InputFileSeverity info
+$InputFileFacility local6
+$InputRunFileMonitor
+
+:msg, !contains, "type=AVC"
+local6.* @@log02:514
diff --git a/roles/base/files/rsyslog/rsyslog-disablerate.conf b/roles/base/files/rsyslog/rsyslog-disablerate.conf
new file mode 100644
index 0000000000..e7c93530c2
--- /dev/null
+++ b/roles/base/files/rsyslog/rsyslog-disablerate.conf
@@ -0,0 +1,3 @@
+# Disable rate limiting
+$IMUXSockRateLimitInterval 0
+$SystemLogRateLimitInterval 0
diff --git a/roles/base/files/rsyslog/rsyslog-log02.conf b/roles/base/files/rsyslog/rsyslog-log02.conf
new file mode 100644
index 0000000000..8338bfed72
--- /dev/null
+++ b/roles/base/files/rsyslog/rsyslog-log02.conf
@@ -0,0 +1,4 @@
+#
+# Send everything on to central log02 logger machines
+#
+cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514
diff --git a/roles/base/files/rsyslog/rsyslog.conf.releng b/roles/base/files/rsyslog/rsyslog.conf.default
similarity index 60%
rename from roles/base/files/rsyslog/rsyslog.conf.releng
rename to roles/base/files/rsyslog/rsyslog.conf.default
index 2c2852ddd1..36cea98f0e 100644
--- a/roles/base/files/rsyslog/rsyslog.conf.releng
+++ b/roles/base/files/rsyslog/rsyslog.conf.default
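Review bot: The property filter `:msg, !contains, "type=AVC"` on the second-to-last line of rsyslog-audit.conf has no action, whereas the rsyslog.conf it was split out of ended that line with the discard action `~`. As written I would expect the filter either to fail to parse or to stop restricting what `local6.* @@log02:514` forwards, so the result is worth checking with `rsyslogd -N1` on a target host. Restoring `~` verbatim is not safe either, because the main configs now pull this file in through `$IncludeConfig` ahead of the RULES section, and a discard there would appear to drop every non-AVC message before the local file rules and the log02 forward see it. A single filter that names both conditions and carries its own action, for example `if $syslogfacility-text == 'local6' and $msg contains 'type=AVC' then @@log02:514`, keeps the AVC-only forwarding without touching other traffic.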
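Review bot: The forward in rsyslog-log02.conf, `cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514`, is no longer preceded by any `$ActionQueue*` directive, because the rsyslog.conf.default, .el6 and .f20 hunks comment the queue settings out and this drop-in does not restate them. Without them the TCP forward presumably runs unqueued, so authpriv and kernel messages generated while log02 is unreachable may be lost or may stall local logging instead of being spooled to disk. If that is not intended, carry `$ActionQueueType LinkedList`, `$ActionQueueFileName fwdRule1` and `$ActionResumeRetryCount -1` into this file directly above the forward; the default and el6 configs would also need `$WorkDirectory`, which only the f20 config still sets.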
@@ -1,20 +1,20 @@ -#rsyslog v3 config file +# rsyslog v5 configuration file -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### -$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) -$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception -#$ModLoad imudp.so +#$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception -#$ModLoad imtcp.so +#$ModLoad imtcp #$InputTCPServerRun 514 @@ -23,6 +23,14 @@ $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat +# File syncing capability is disabled by default. This feature is usually not required, +# not useful and an extreme performance hit +#$ActionFileEnableSync on + +# Include all config files in /etc/rsyslog.d/ +$IncludeConfig /etc/rsyslog.d/*.conf + + #### RULES #### # Log all kernel messages to the console. @@ -31,7 +39,7 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Log anything (except mail) of level info or higher. # Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages +*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure 
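Review bot: Dropping `local6.none` from the `/var/log/messages` selector in the third hunk means everything the new rsyslog-audit.conf drop-in reads from /var/log/audit/audit.log (injected as local6 at severity info) now also matches `*.info` and is written to /var/log/messages. That duplicates the audit trail into a general-purpose log with its own rotation and readers, which looks unintended given that rsyslog-log02.conf still excludes local6 from its forward. Unless the copy is wanted, keep the exclusion: `*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages`. The el6 and f20 variants make the same change.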
@@ -52,6 +60,7 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple @@ -60,14 +69,12 @@ local7.* /var/log/boot.log # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down +#$WorkDirectory /var/lib/rsyslog # where to place spool files +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - diff --git a/roles/base/files/rsyslog/rsyslog.conf.kojibuilder b/roles/base/files/rsyslog/rsyslog.conf.el6 similarity index 59% rename from roles/base/files/rsyslog/rsyslog.conf.kojibuilder rename to roles/base/files/rsyslog/rsyslog.conf.el6 index 9719770987..36cea98f0e 100644 --- a/roles/base/files/rsyslog/rsyslog.conf.kojibuilder +++ b/roles/base/files/rsyslog/rsyslog.conf.el6 
@@ -1,38 +1,35 @@ -#rsyslog v3 config file +# rsyslog v5 configuration file -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### -$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) -$ModLoad imjournal # provides access to the systemd journal -$ModLoad imklog # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception -#$ModLoad imudp.so +#$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception -#$ModLoad imtcp.so +#$ModLoad imtcp #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### -# Include all config files in /etc/rsyslog.d/ -$IncludeConfig /etc/rsyslog.d/*.conf - # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat -# Turn off message reception via local log socket; -# local messages are retrieved through imjournal now. -$OmitLocalLogging on +# File syncing capability is disabled by default. This feature is usually not required, +# not useful and an extreme performance hit +#$ActionFileEnableSync on + +# Include all config files in /etc/rsyslog.d/ +$IncludeConfig /etc/rsyslog.d/*.conf -# File to store the position in the journal -$StateFile imjournal.state #### RULES #### 
@@ -42,7 +39,7 @@ $StateFile imjournal.state # Log anything (except mail) of level info or higher. # Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages +*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure @@ -63,6 +60,7 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple @@ -71,14 +69,12 @@ local7.* /var/log/boot.log # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down +#$WorkDirectory /var/lib/rsyslog # where to place spool files +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - 
diff --git a/roles/base/files/rsyslog/rsyslog.conf b/roles/base/files/rsyslog/rsyslog.conf.f20
similarity index 55%
rename from roles/base/files/rsyslog/rsyslog.conf
rename to roles/base/files/rsyslog/rsyslog.conf.f20
index a1d425816f..6972b4d369 100644
--- a/roles/base/files/rsyslog/rsyslog.conf
+++ b/roles/base/files/rsyslog/rsyslog.conf.f20
@@ -1,32 +1,47 @@ -#rsyslog v3 config file +# rsyslog v5 configuration file -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### -$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) -$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability +# The imjournal module bellow is now used as a message source instead of imuxsock. +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imjournal # provides access to the systemd journal +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception -#$ModLoad imudp.so +#$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception -#$ModLoad imtcp.so +#$ModLoad imtcp #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### +# Where to place auxiliary files +$WorkDirectory /var/lib/rsyslog + # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat -# File syncing capability is disabled by default. This feature is usually not required, +# File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on +# Include all config files in /etc/rsyslog.d/ +$IncludeConfig /etc/rsyslog.d/*.conf + +# Turn off message reception via local log socket; +# local messages are retrieved through imjournal now. +$OmitLocalLogging on + +# File to store the position in the journal +$IMJournalStateFile imjournal.state + #### RULES #### 
@@ -36,7 +51,7 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Log anything (except mail) of level info or higher. # Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages +*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure @@ -49,7 +64,7 @@ mail.* -/var/log/maillog cron.* /var/log/cron # Everybody gets emergency messages -*.emerg * +*.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler @@ -57,16 +72,6 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log -# monitor auditd log and send out over local6 to central loghost -$ModLoad imfile.so - -# auditd audit.log -$InputFileName /var/log/audit/audit.log -$InputFileTag tag_audit_log: -$InputFileStateFile audit_log -$InputFileSeverity info -$InputFileFacility local6 -$InputRunFileMonitor # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding 
@@ -76,22 +81,11 @@ $InputRunFileMonitor # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down - -# Disable rate limiting -$IMUXSockRateLimitInterval 0 -$SystemLogRateLimitInterval 0 - +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - -:msg, !contains, "type=AVC" ~ -local6.* @@log02:514 - diff --git a/roles/base/files/rsyslog/rsyslog.conf.phx2 b/roles/base/files/rsyslog/rsyslog.conf.phx2 deleted file mode 100644 index a1d425816f..0000000000 --- a/roles/base/files/rsyslog/rsyslog.conf.phx2 +++ /dev/null 
@@ -1,97 +0,0 @@ -#rsyslog v3 config file - -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance - -#### MODULES #### - -$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) -$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability - -# Provides UDP syslog reception -#$ModLoad imudp.so -#$UDPServerRun 514 - -# Provides TCP syslog reception -#$ModLoad imtcp.so -#$InputTCPServerRun 514 - - -#### GLOBAL DIRECTIVES #### - -# Use default timestamp format -$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat - -# File syncing capability is disabled by default. This feature is usually not required, -# not useful and an extreme performance hit -#$ActionFileEnableSync on - - -#### RULES #### - -# Log all kernel messages to the console. -# Logging much else clutters up the screen. -#kern.* /dev/console - -# Log anything (except mail) of level info or higher. -# Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages - -# The authpriv file has restricted access. -authpriv.* /var/log/secure - -# Log all the mail messages in one place. -mail.* -/var/log/maillog - - -# Log cron stuff -cron.* /var/log/cron - -# Everybody gets emergency messages -*.emerg * - -# Save news errors of level crit and higher in a special file. -uucp,news.crit /var/log/spooler - -# Save boot messages also to boot.log -local7.* /var/log/boot.log - -# monitor auditd log and send out over local6 to central loghost -$ModLoad imfile.so - -# auditd audit.log -$InputFileName /var/log/audit/audit.log -$InputFileTag tag_audit_log: -$InputFileStateFile audit_log -$InputFileSeverity info -$InputFileFacility local6 -$InputRunFileMonitor - -# ### begin forwarding rule ### -# The statement between the begin ... end define a SINGLE forwarding -# rule. They belong together, do NOT split them. 
If you create multiple -# forwarding rules, duplicate the whole block! -# Remote Logging (we use TCP for reliable delivery) -# -# An on-disk queue is created for this action. If the remote host is -# down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down - -# Disable rate limiting -$IMUXSockRateLimitInterval 0 -$SystemLogRateLimitInterval 0 - -# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional -#*.* @@remote-host:514 -# ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - -:msg, !contains, "type=AVC" ~ -local6.* @@log02:514 - diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 4d11550d88..b46dca12bc 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -32,7 +32,7 @@ user: name=root password={{ rootpw }} state=present tags: - rootpw - when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng')) + when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng') or inventory_hostname.startswith('arm')) - name: add ansible root key authorized_key: user=root key="{{ item }}" @@ -106,11 +106,8 @@ - name: rsyslog.conf copy: src={{ item }} dest=/etc/rsyslog.conf mode=644 first_available_file: - - "{{ rsyslogconf }}" - - rsyslog/rsyslog.conf.{{ ansible_fqdn }} - - rsyslog/rsyslog.conf.{{ host_group }} - - rsyslog/rsyslog.conf.{{ datacenter }} - - rsyslog/rsyslog.conf + - rsyslog/rsyslog.conf.{{ dist_tag }} + - rsyslog/rsyslog.conf.default notify: - restart rsyslog 
@@ -118,6 +115,16 @@ - rsyslogd - config +- name: add rsyslog config to /etc/rsyslog.d + copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644 + with_fileglob: + - rsyslog/*.conf + notify: + - restart rsyslog + tags: + - rsyslogd + - config + - name: /etc/postfix/main.cf copy: src={{ item }} dest=/etc/postfix/main.cf first_available_file: diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder index 613dd5c516..b64e116551 100644 --- a/roles/base/templates/iptables/iptables.kojibuilder +++ b/roles/base/templates/iptables/iptables.kojibuilder @@ -47,6 +47,12 @@ -A INPUT -p tcp -m tcp -s 10.5.0.0/16 --dport 22 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.0.0/16 --sport 22 -j ACCEPT +# for ansible accelerate mode - allow port 5099 from lockbox and it's ips +-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT + # git to pkgs -A OUTPUT -m tcp -p tcp --dport 9418 -d 10.5.125.44 -j ACCEPT -A OUTPUT -m udp -p udp --dport 9418 -d 10.5.125.44 -j ACCEPT diff --git a/roles/debug_env/tasks/main.yml b/roles/debug_env/tasks/main.yml new file mode 100644 index 0000000000..33dc4ebb8e --- /dev/null +++ b/roles/debug_env/tasks/main.yml @@ -0,0 +1,7 @@ +# +# This role can be added to a playbook to dump out all +# the env from ansible to see what variables and facts are. +# Taken from https://coderwall.com/p/13lh6w +# +- name: Dump all ansible vars + template: src=dumpall.j2 dest=/tmp/debug_env.out diff --git a/roles/debug_env/templates/dumpall.j2 b/roles/debug_env/templates/dumpall.j2 new file mode 100644 index 0000000000..470394828c --- /dev/null +++ b/roles/debug_env/templates/dumpall.j2 
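Review bot: The new `add rsyslog config to /etc/rsyslog.d` task installs every `rsyslog/*.conf` on every host that takes the base role, while the preceding hunk removes the `rsyslogconf`, per-FQDN, per-group and per-datacenter overrides for rsyslog.conf itself. Hosts that previously used a variant without audit forwarding or with rate limiting left on (the old releng and kojibuilder files, as far as this diff shows) now receive all three drop-ins, and if the log02 server is itself managed by this role it would be told to forward to itself. A per-host list would restore the opt-out, for instance `with_items: rsyslog_dropins` (variable name made up here) with a default in group_vars, or a `when:` guard that skips the log server.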
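Review bot: The four new `--dport 5099` INPUT rules have no OUTPUT counterpart, unlike the ssh pair directly above them, which puts `-A OUTPUT -p tcp -m tcp -d 10.5.0.0/16 --sport 22 -j ACCEPT` next to its INPUT rule. If this template filters OUTPUT and has no ESTABLISHED,RELATED accept earlier in the file (not visible in the hunk), replies from the accelerate daemon would be dropped and the port would only appear open. Either add matching `-A OUTPUT -p tcp -m tcp --sport 5099 -d <lockbox address> -j ACCEPT` lines or say in the comment which existing rule covers the return traffic.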
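Review bot: The `Dump all ansible vars` task writes the rendered template to `/tmp/debug_env.out` without `owner`, `group` or `mode`, and dumpall.j2 renders `vars` and `hostvars` in full, which in this repository include values such as `rootpw` and `lists_dev_mm_db_pass`. That leaves credentials for this host and for other inventory hosts at a predictable path under a world-writable directory, readable according to whatever the default umask gives. Write it somewhere root-only with explicit permissions, e.g. `template: src=dumpall.j2 dest=/root/debug_env.out owner=root group=root mode=0600`, and state in the role's header comment that the file must be removed after use.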
@@ -0,0 +1,19 @@ +Module Variables ("vars"): +-------------------------------- +{{ vars | to_nice_json }} + +Environment Variables ("environment"): +-------------------------------- +{{ environment | to_nice_json }} + +GROUP NAMES Variables ("group_names"): +-------------------------------- +{{ group_names | to_nice_json }} + +GROUPS Variables ("groups"): +-------------------------------- +{{ groups | to_nice_json }} + +HOST Variables ("hostvars"): +-------------------------------- +{{ hostvars | to_nice_json }} diff --git a/roles/fedmsg_base/files/selinux/fedmsg.mod b/roles/fedmsg_base/files/selinux/fedmsg.mod new file mode 100644 index 0000000000..13953aa520 Binary files /dev/null and b/roles/fedmsg_base/files/selinux/fedmsg.mod differ diff --git a/roles/fedmsg_base/files/selinux/fedmsg.pp b/roles/fedmsg_base/files/selinux/fedmsg.pp new file mode 100644 index 0000000000..7620bdf0fd Binary files /dev/null and b/roles/fedmsg_base/files/selinux/fedmsg.pp differ diff --git a/roles/fedmsg_base/files/selinux/fedmsg.te b/roles/fedmsg_base/files/selinux/fedmsg.te new file mode 100644 index 0000000000..ba2a3c12ff --- /dev/null +++ b/roles/fedmsg_base/files/selinux/fedmsg.te @@ -0,0 +1,11 @@ + +module fedmsg 1.0; + +require { + type anon_inodefs_t; + type httpd_t; + class file write; +} + +#============= httpd_t ============== +allow httpd_t anon_inodefs_t:file write; diff --git a/roles/fedmsg_base/tasks/main.yml b/roles/fedmsg_base/tasks/main.yml index e2d73fca73..11afc58fc7 100644 --- a/roles/fedmsg_base/tasks/main.yml +++ b/roles/fedmsg_base/tasks/main.yml @@ -19,6 +19,7 @@ with_items: - ssl.py - endpoints.py + - endpoints-fedocal.py - endpoints-fedbadges.py - endpoints-nuancier.py - endpoints-mailman.py 
@@ -69,3 +70,15 @@ when: fedmsg_certs != [] tags: - config + +# Three tasks for handling our custom selinux module +- name: ensure a directory exists for our custom selinux module + file: dest=/usr/local/share/fedmsg state=directory + +- name: copy over our custom selinux module + copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp + register: selinux_module + +- name: install our custom selinux module + command: semodule -i /usr/local/share/fedmsg/fedmsg.pp + when: selinux_module|changed diff --git a/roles/fedmsg_base/templates/endpoints-fedocal.py.j2 b/roles/fedmsg_base/templates/endpoints-fedocal.py.j2 new file mode 100644 index 0000000000..f213dcc25d --- /dev/null +++ b/roles/fedmsg_base/templates/endpoints-fedocal.py.j2 @@ -0,0 +1,20 @@ +{% if env == 'staging' %} +suffix = 'stg.phx2.fedoraproject.org' +{% else %} +suffix = 'phx2.fedoraproject.org' +{% endif %} + +config = dict( + endpoints={ + "fedocal.fedocal01": [ + "tcp://fedocal01.%s:30%02i" % (suffix, i) + for i in range(2) + ], +{% if env != 'staging' %} + "fedocal.fedocal02": [ + "tcp://fedocal02.%s:30%02i" % (suffix, i) + for i in range(2) + ], +{% endif %} + }, +) diff --git a/files/kojibuilder/arm-koji.conf b/roles/koji_builder/files/arm-koji.conf similarity index 100% rename from files/kojibuilder/arm-koji.conf rename to roles/koji_builder/files/arm-koji.conf diff --git a/files/kojibuilder/arm-kojid.conf b/roles/koji_builder/files/arm-kojid.conf similarity index 100% rename from files/kojibuilder/arm-kojid.conf rename to roles/koji_builder/files/arm-kojid.conf diff --git a/files/kojibuilder/builder-infrastructure.repo b/roles/koji_builder/files/builder-infrastructure.repo similarity index 100% rename from files/kojibuilder/builder-infrastructure.repo rename to roles/koji_builder/files/builder-infrastructure.repo 
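Review bot: The three new tasks install `selinux/fedmsg.pp`, a compiled policy module committed as a binary next to `fedmsg.te`, and nothing in the role ties that binary to the source. A reviewer can read the single `allow httpd_t anon_inodefs_t:file write;` rule in the .te but cannot confirm that the .pp being loaded contains only that rule. Consider shipping the .te and building on the host, or at least recording the build in the comment above the tasks, e.g. `# built with: checkmodule -M -m -o fedmsg.mod fedmsg.te && semodule_package -o fedmsg.pp -m fedmsg.mod`. The tasks also carry no `tags:`, unlike the config task directly above them.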
diff --git a/files/kojibuilder/builders/bkernel-eth0-network b/roles/koji_builder/files/builders/bkernel-eth0-network similarity index 100% rename from files/kojibuilder/builders/bkernel-eth0-network rename to roles/koji_builder/files/builders/bkernel-eth0-network diff --git a/files/kojibuilder/builders/bkernel-site-defaults.cfg b/roles/koji_builder/files/builders/bkernel-site-defaults.cfg similarity index 100% rename from files/kojibuilder/builders/bkernel-site-defaults.cfg rename to roles/koji_builder/files/builders/bkernel-site-defaults.cfg diff --git a/files/kojibuilder/builders/fedora-branched-pungi-armhfp.cfg b/roles/koji_builder/files/builders/fedora-branched-pungi-armhfp.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-branched-pungi-armhfp.cfg rename to roles/koji_builder/files/builders/fedora-branched-pungi-armhfp.cfg diff --git a/files/kojibuilder/builders/fedora-branched-pungi-i386.cfg b/roles/koji_builder/files/builders/fedora-branched-pungi-i386.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-branched-pungi-i386.cfg rename to roles/koji_builder/files/builders/fedora-branched-pungi-i386.cfg diff --git a/files/kojibuilder/builders/fedora-branched-pungi-x86_64.cfg b/roles/koji_builder/files/builders/fedora-branched-pungi-x86_64.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-branched-pungi-x86_64.cfg rename to roles/koji_builder/files/builders/fedora-branched-pungi-x86_64.cfg diff --git a/files/kojibuilder/builders/fedora-rawhide-pungi-armhfp.cfg b/roles/koji_builder/files/builders/fedora-rawhide-pungi-armhfp.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-rawhide-pungi-armhfp.cfg rename to roles/koji_builder/files/builders/fedora-rawhide-pungi-armhfp.cfg 
diff --git a/files/kojibuilder/builders/fedora-rawhide-pungi-i386.cfg b/roles/koji_builder/files/builders/fedora-rawhide-pungi-i386.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-rawhide-pungi-i386.cfg rename to roles/koji_builder/files/builders/fedora-rawhide-pungi-i386.cfg diff --git a/files/kojibuilder/builders/fedora-rawhide-pungi-x86_64.cfg b/roles/koji_builder/files/builders/fedora-rawhide-pungi-x86_64.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-rawhide-pungi-x86_64.cfg rename to roles/koji_builder/files/builders/fedora-rawhide-pungi-x86_64.cfg diff --git a/files/kojibuilder/builders/site-defaults.cfg b/roles/koji_builder/files/builders/site-defaults.cfg similarity index 100% rename from files/kojibuilder/builders/site-defaults.cfg rename to roles/koji_builder/files/builders/site-defaults.cfg diff --git a/files/kojibuilder/ftbfs_auth_keys b/roles/koji_builder/files/ftbfs_auth_keys similarity index 100% rename from files/kojibuilder/ftbfs_auth_keys rename to roles/koji_builder/files/ftbfs_auth_keys diff --git a/files/kojibuilder/history_off.sh b/roles/koji_builder/files/history_off.sh similarity index 100% rename from files/kojibuilder/history_off.sh rename to roles/koji_builder/files/history_off.sh diff --git a/files/kojibuilder/idmapd.conf b/roles/koji_builder/files/idmapd.conf similarity index 100% rename from files/kojibuilder/idmapd.conf rename to roles/koji_builder/files/idmapd.conf diff --git a/files/kojibuilder/koji.conf b/roles/koji_builder/files/koji.conf similarity index 100% rename from files/kojibuilder/koji.conf rename to roles/koji_builder/files/koji.conf diff --git a/files/kojibuilder/kojid.conf b/roles/koji_builder/files/kojid.conf similarity index 100% rename from files/kojibuilder/kojid.conf rename to roles/koji_builder/files/kojid.conf 
diff --git a/files/kojibuilder/limits.conf b/roles/koji_builder/files/limits.conf similarity index 100% rename from files/kojibuilder/limits.conf rename to roles/koji_builder/files/limits.conf diff --git a/files/kojibuilder/mock_auth_keys b/roles/koji_builder/files/mock_auth_keys similarity index 100% rename from files/kojibuilder/mock_auth_keys rename to roles/koji_builder/files/mock_auth_keys diff --git a/files/kojibuilder/root_auth_keys b/roles/koji_builder/files/root_auth_keys similarity index 97% rename from files/kojibuilder/root_auth_keys rename to roles/koji_builder/files/root_auth_keys index a3a005ac0f..a3ffc24818 100644 --- a/files/kojibuilder/root_auth_keys +++ b/roles/koji_builder/files/root_auth_keys @@ -1,2 +1 @@ -#ansible key from="10.5.126.23,10.5.126.12,10.5.126.11,209.132.181.6,192.168.1.58,152.19.134.140,192.168.1.42" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org diff --git a/files/kojibuilder/route-eth1 b/roles/koji_builder/files/route-eth1 similarity index 100% rename from files/kojibuilder/route-eth1 rename to roles/koji_builder/files/route-eth1 diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml new file mode 100644 index 0000000000..ffa95265d9 --- /dev/null +++ b/roles/koji_builder/tasks/main.yml 
@@ -0,0 +1,144 @@
+#
+# This is a base koji_builder role.
+#
+- name: set root passwd
+ user: name=root password={{ builder_rootpw }} state=present
+
+- name: add mock user as 425
+ user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes
+
+- name: make mock homedir perms
+ file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock
+
+- name: add mock ssh dir
+ file: state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock
+
+- name: add mock ssh keys
+ copy: src=mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock
+
+- name: add kojibuilder
+ user: name=kojibuilder groups=mock
+
+- name: add mockbuilder
+ user: name=mockbuilder groups=mock
+
+- name: mockbuilder .ssh dir
+ file: state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder
+
+- name: mockbuilder ssh key
+ copy: src=ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder
+
+- name: make a bunch of dirs
+ file: state=directory path={{ item }}
+ with_items:
+ - /pub
+ - /mnt/fedora_koji
+ - /pub/fedora
+ - /pub/epel
+
+- name: add builder infra yum repo
+ copy: src=builder-infrastructure.repo dest=/etc/yum.repos.d/builder-infrastructure.repo
+
+- name: clean up packages we do not need
+ yum: state=removed pkg={{ item }}
+ with_items:
+ - 'cronie\*'
+
+- name: add pkgs
+ yum: state=installed pkg={{ item }}
+ with_items:
+ - yum-utils
+ - koji-builder
+ - strace
+ - mock
+ - nfs-utils
+ - kernel-firmware
+ - ntp
+ - ntpdate
+ - rsyslog
+ - audit
+
+- name: /etc/kojid/kojid.conf
+ copy: src=kojid.conf dest=/etc/kojid/kojid.conf
+ when: not inventory_hostname.startswith(('arm01','arm03'))
+ notify:
+ - restart kojid
+
+- name: arm /etc/kojid/kojid.conf
+ copy: src=arm-kojid.conf dest=/etc/kojid/kojid.conf
+ when: inventory_hostname.startswith(('arm01','arm03'))
+ notify:
+ - restart kojid
+
+- name: /etc/koji/koji.conf
+ copy: src=koji.conf dest=/etc/koji.conf
+ when: not inventory_hostname.startswith(('arm01','arm03'))
+
+- name: /etc/koji/koji.conf
+ copy: src=arm-koji.conf dest=/etc/koji.conf
+ when: inventory_hostname.startswith(('arm01','arm03'))
+
+- name: copy over koji ca cert
+ copy: src="{{ private }}/files/koji/buildercerts/fedora-ca.cert" dest=/etc/kojid/cacert.pem
+
+- name: copy over /etc/security/limits.conf
+ copy: src=limits.conf dest=/etc/security/limits.conf
+
+- name: copy over builder cert to /etc/kojid/kojibuilder.pem
+ copy: src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600
+
+# idmapd and make sure it's set to run
+- name: idmapd.conf
+ copy: src=idmapd.conf dest=/etc/idmapd.conf
+ tags:
+ - configs
+
+- name: route config for netapp network
+ copy: src=route-eth1 dest=/etc/sysconfig/network-scripts/route-eth1
+
+- name: check for netapp route
+ command: ip route show
+ register: netapproute
+ always_run: yes
+ changed_when: "1 != 1"
+
+- name: run netapp route
+ command: /etc/sysconfig/network-scripts/ifup-routes eth1
+ when: netapproute.stdout.find("10.5.88.0") == -1 and not inventory_hostname.startswith('arm')
+
+- name: nfs mount points
+ mount: name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=mounted
+ when: inventory_hostname.startswith('build')
+
+- name: make a mnt/koji link
+ file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
+ when: inventory_hostname.startswith('build')
+
+# mock configs for pungify job
+- name: put extra special mock configs in
+ copy: src=builders/{{ item }} dest="/etc/mock/{{ item }}" mode=644
+ with_items:
+ - fedora-branched-pungi-armhfp.cfg
+ - fedora-branched-pungi-i386.cfg
+ - fedora-branched-pungi-x86_64.cfg
+ - fedora-rawhide-pungi-i386.cfg
+ - fedora-rawhide-pungi-x86_64.cfg
+ - fedora-rawhide-pungi-armhfp.cfg
+
+- name: mock site-defaults.cfg
+ copy:
src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock + when: not inventory_hostname.startswith('bkernel') + +- name: ntp steptickers + copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers + +- name: ntp.conf + copy: src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf + +- name: enable services and start them + service: name={{ item }} enabled=true state=started + with_items: + - ntpd + - nfs-lock + - nfs-idmap + - nfs-mountd diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index da18f8bc5d..40d0e164f5 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -56,6 +56,7 @@ - check_swap.cfg - check_postfix_queue.cfg - check_lock.cfg + - check_fedmsg_hub_proc.cfg notify: - restart nrpe tags: diff --git a/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 new file mode 100644 index 0000000000..17ec341c4a --- /dev/null +++ b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 @@ -0,0 +1 @@ +command[check_fedmsg_hub_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'fedmsg-hub' -u fedmsg diff --git a/roles/notifs-frontend/files/fmn.web.wsgi b/roles/notifs-frontend/files/fmn.web.wsgi index 358d4b695e..3a2612b419 100644 --- a/roles/notifs-frontend/files/fmn.web.wsgi +++ b/roles/notifs-frontend/files/fmn.web.wsgi @@ -10,6 +10,9 @@ import pkg_resources import os os.environ['FMN_WEB_CONFIG'] = '/etc/fmn.web.cfg' +import logging +logging.basicConfig() + # The most import line to make the wsgi working from fmn.web.app import app as application # Dangerous.. only use when testing. diff --git a/roles/notifs-frontend/tasks/main.yml b/roles/notifs-frontend/tasks/main.yml index ef16ea38be..5bc5524772 100644 --- a/roles/notifs-frontend/tasks/main.yml +++ b/roles/notifs-frontend/tasks/main.yml 
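Review bot: The new roles/koji_builder/tasks/main.yml drops two things the deleted tasks/koji/base_builder.yml did: enabling kojid (`service name=kojid enabled=on`) and installing root's authorized_keys from `root_auth_keys`, although that file is renamed into this role's files in the same commit. If another role or playbook now owns these, a comment at the top of the file should say so; otherwise add `- name: enable kojid` with `service: name=kojid enabled=true`, and a copy of `root_auth_keys` to /root/.ssh/authorized_keys with `mode=600 owner=root group=root`. The key and certificate copies are also uneven: `kojibuilder.pem` gets `mode=600` but no owner, and the mockbuilder authorized_keys is `mode=644` where the mock one is `mode=640`; stating `owner=root group=root` on the cert and one mode for both key files would make the intent explicit.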
@@ -17,6 +17,17 @@ notify: - restart apache +- name: destroy a bogus config file brought in by python-datanommer-models + file: dest=/etc/fedmsg.d/datanommer.py state=absent + notify: + - restart apache + +- name: setup symlink to fedora theme + file: > + src=/usr/share/fmn.web/static/bootstrap-3.0.2-fedora + dest=/usr/share/fmn.web/static/bootstrap + state=link + - name: copy fmn httpd config copy: > src=fmn.web.conf dest=/etc/httpd/conf.d/fmn.web.conf diff --git a/roles/notifs-frontend/templates/fmn.web.cfg b/roles/notifs-frontend/templates/fmn.web.cfg index 89eeb400b3..55d78bc080 100644 --- a/roles/notifs-frontend/templates/fmn.web.cfg +++ b/roles/notifs-frontend/templates/fmn.web.cfg @@ -13,6 +13,6 @@ FMN_FEDORA_OPENID = 'https://id.fedoraproject.org' {% endif %} FMN_ALLOW_FAS_OPENID = True -FMN_ALLOW_GOOGLE_OPENID = True -FMN_ALLOW_YAHOO_OPENID = True -FMN_ALLOW_GENERIC_OPENID = True +FMN_ALLOW_GOOGLE_OPENID = False +FMN_ALLOW_YAHOO_OPENID = False +FMN_ALLOW_GENERIC_OPENID = False diff --git a/roles/notifs-frontend/templates/fmn.web.py b/roles/notifs-frontend/templates/fmn.web.py index 8697214a7f..6edc02f884 100644 --- a/roles/notifs-frontend/templates/fmn.web.py +++ b/roles/notifs-frontend/templates/fmn.web.py @@ -1,3 +1,6 @@ config = { + # This is for *our* database "fmn.sqlalchemy.uri": "postgresql://{{notifs_db_user}}:{{notifs_db_password}}@db-notifs/notifications", + # And this is for the datanommer database + "datanommer.sqlalchemy.url": "postgresql://{{datanommerDBUser}}:{{datanommerDBPassword}}@db-datanommer/datanommer", } diff --git a/scripts/ansible-playbook-check-diff b/scripts/ansible-playbook-check-diff new file mode 100755 index 0000000000..72c0d78b1c --- /dev/null +++ b/scripts/ansible-playbook-check-diff 
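Review bot: In the fmn.web.py hunk the new `datanommer.sqlalchemy.url` (like the existing `fmn.sqlalchemy.uri` next to it) interpolates the password straight into the URL, so a password containing `@` or `%` renders a connection string that parses to the wrong credentials or host. Quoting it in the template avoids that: `"postgresql://{{ datanommerDBUser }}:{{ datanommerDBPassword | urlencode }}@db-datanommer/datanommer"`, and the same for `notifs_db_password`. The rendered file now holds credentials for two databases; the task that installs it is not in the visible hunks, so confirm it sets a restrictive owner and mode rather than relying on the default.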
@@ -0,0 +1,25 @@
+#!/usr/bin/python -tt
+import os
+import os.path
+import subprocess
+
+rootpath = "/srv/web/infra/ansible/playbooks"
+
+#
+# Find all the .yml files under playbooks/groups and hosts and run ansible-playbook on them
+# With --check and --diff for now. We don't run the 'manual' subdir ones.
+
+for dir in ("hosts", "groups"):
+ hostsplaybookspath = os.path.join(rootpath, dir)
+ for path, dirs, files in os.walk(hostsplaybookspath):
+ for file in files:
+ if not file.endswith(".yml"):
+ continue
+ playbookpath = os.path.join(path, file)
+ cmd = ("ansible-playbook", playbookpath, "--check", "--diff")
+ ansibleprocess = subprocess.Popen(cmd)
+
+#
+# Add this if you want to run them one at a time instead of all forked off in a bunch.
+# ansibleprocess.communicate()
+#
diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml
deleted file mode 100644
index cc1a0d6110..0000000000
--- a/tasks/koji/base_builder.yml
+++ /dev/null
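Review bot: `subprocess.Popen(cmd)` in the inner loop of scripts/ansible-playbook-check-diff starts every playbook at once and never waits on or checks any of them, so the script can exit while runs are still going, a failed run is invisible to the caller, and the number of concurrent ansible-playbook processes equals the number of .yml files found. Keeping the handles and waiting on them, as sketched below, gives a usable exit status while preserving the parallel start. The loop variables `dir` and `file` shadow builtins and could become `subdir` and `fname`. Tasks marked `always_run: yes` still execute under `--check`, so the run is not strictly read-only.

```python
procs = []
# … unchanged: walk of hosts/ and groups/, .yml filter, cmd tuple …
            procs.append((playbookpath, subprocess.Popen(cmd)))

# Wait for every run and report the ones that failed.
failed = [pb for pb, proc in procs if proc.wait() != 0]
if failed:
    raise SystemExit("check/diff failed: %s" % ", ".join(failed))
```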
@@ -1,145 +0,0 @@ -- name: set root passwd - action: user name=root password={{ builder_rootpw }} state=present - -- name: add mock user as 425 - action: user name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes - -- name: make mock homedir perms - action: file state=directory path=/var/lib/mock mode=2775 owner=root group=mock - -- name: add mock ssh dir - action: file state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock - -- name: add mock ssh keys - action: copy src="{{ files }}/kojibuilder/mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock - -- name: add kojibuilder - action: user name=kojibuilder groups=mock - -- name: add mockbuilder - action: user name=mockbuilder groups=mock - -- name: mockbuilder .ssh dir - action: file state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder - -- name: mockbuilder ssh key - action: copy src="{{ files }}/kojibuilder/ftbfs_auth_keys" dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder - -- name: make a bunch of dirs - action: file state=directory path={{ item }} - with_items: - - /pub - - /mnt/fedora_koji - - /pub/fedora - - /pub/epel - - /var/spool/rsyslog - -- name: add builder infra yum repo - action: copy src="{{ files }}/kojibuilder/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo - -- name: clean up packages we do not need - action: yum state=removed pkg={{ item }} - with_items: - - audit - - 'cronie\*' - -- name: add pkgs - action: yum state=installed pkg={{ item }} - with_items: - - yum-utils - - koji-builder - - strace - - mock - - nfs-utils - - kernel-firmware - - ntp - - ntpdate - -- name: /etc/kojid/kojid.conf - action: copy src="{{ files }}/kojibuilder/kojid.conf" dest=/etc/kojid/kojid.conf - when: not inventory_hostname.startswith(('arm01','arm03')) - notify: - - restart kojid - - -- name: arm /etc/kojid/kojid.conf - action: copy src="{{ 
files }}/kojibuilder/arm-kojid.conf" dest=/etc/kojid/kojid.conf - when: inventory_hostname.startswith(('arm01','arm03')) - notify: - - restart kojid - -- name: /etc/koji/koji.conf - action: copy src="{{ files }}/kojibuilder/koji.conf" dest=/etc/koji.conf - when: not inventory_hostname.startswith(('arm01','arm03')) - -- name: /etc/koji/koji.conf - action: copy src="{{ files }}/kojibuilder/arm-koji.conf" dest=/etc/koji.conf - when: inventory_hostname.startswith(('arm01','arm03')) - -- name: copy over koji ca cert - action: copy src="{{ private }}/files/koji/buildercerts/fedora-ca.cert" dest=/etc/kojid/cacert.pem - -- name: copy over /etc/security/limits.conf - action: copy src="{{ files }}/kojibuilder/limits.conf" dest=/etc/security/limits.conf - -- name: copy over builder cert to /etc/kojid/kojibuilder.pem - action: copy src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600 - -- name: chkconfig kojid on and leave it running - action: service name=kojid enabled=on -# action: service name=kojid enabled=on state=started - -- name: copy over authorized keys for root - action: copy src="{{ files }}/kojibuilder/root_auth_keys" dest=/root/.ssh/authorized_keys mode=644 - -# idmapd and make sure it's set to run -- name: idmapd.conf - action: copy src="{{ files }}/kojibuilder/idmapd.conf" dest=/etc/idmapd.conf - tags: - - configs -- name: enable nfs-related services and run them - action: service name={{ item }} enabled=true state=started - with_items: - - rpcidmapd - - rpcbind - - nfs - - nfslock - -- name: route config for netapp network - action: copy src="{{ files }}/kojibuilder/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 - -- name: run netapp route - command: /etc/sysconfig/network-scripts/ifup-routes eth1 - -- name: nfs mount points - action: mount name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 
dump=0 state=mounted - when: inventory_hostname.startswith('build') - -- name: make a mnt/koji link - action: file state=link src=/mnt/fedora_koji/koji dest=/mnt/koji - when: inventory_hostname.startswith('build') - -# mock configs for pungify job -# TODO: restore this to "copy:", this is a temporary "fix" for https://github.com/ansible/ansible/issues/4377 -- name: put extra special mock configs in - template: src="{{ files }}/kojibuilder/builders/{{ item }}" dest="/etc/mock/{{ item }}" mode=644 - with_items: - - fedora-branched-pungi-armhfp.cfg - - fedora-branched-pungi-i386.cfg - - fedora-branched-pungi-x86_64.cfg - - fedora-rawhide-pungi-i386.cfg - - fedora-rawhide-pungi-x86_64.cfg - - fedora-rawhide-pungi-armhfp.cfg - -- name: mock site-defaults.cfg - action: copy src="{{ files }}/kojibuilder/builders/site-defaults.cfg" dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock - when: not inventory_hostname.startswith('bkernel') - -- name: ntp steptickers - action: copy src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers - -- name: ntp.conf - action: copy src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf - -- name: enable ntpd - action: service name=ntpd enabled=true state=started diff --git a/tasks/koji/builder_kernel_config.yml b/tasks/koji/builder_kernel_config.yml index 239b4f16c9..b2b1ca31fc 100644 --- a/tasks/koji/builder_kernel_config.yml +++ b/tasks/koji/builder_kernel_config.yml @@ -1,8 +1,15 @@ #- name: set kernel params for loopback partitioning # action: command /sbin/grubby --update-kernel=ALL --args=loop.max_part=256 +# +- name: check for max_loop + command: cat /etc/grub2.cfg + register: max_loop + always_run: yes + changed_when: '1 != 1' - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 + when: max_loop.stdout.find("max_loop=64") == -1 - name: special pkgs for the x86_64 builders yum: state=installed pkg={{ item }} 
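Review bot: The new `check for max_loop` task in tasks/koji/builder_kernel_config.yml reads `/etc/grub2.cfg` with `cat`, which fails the play on any host where that path does not exist; whether every builder this file is applied to has it should be confirmed. Asking grubby, which the next task already uses to set the argument, avoids depending on that file: `command: /sbin/grubby --info=ALL`, keeping the `when: max_loop.stdout.find("max_loop=64") == -1` test. `changed_when: False` would say the same as `'1 != 1'` more plainly.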
diff --git a/tasks/koji/releng_config.yml b/tasks/koji/releng_config.yml index 34ece6ad82..9f20f0433d 100644 --- a/tasks/koji/releng_config.yml +++ b/tasks/koji/releng_config.yml @@ -8,7 +8,7 @@ - name: add mock ssh dir action: file state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock - name: add mock ssh keys - action: copy src="{{ files }}/kojibuilder/mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=644 owner=mock group=mock + action: copy src="{{ files }}/../roles/koji_builder/files//mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=644 owner=mock group=mock - name: add ftpsync group action: group name=ftpsync gid=263 system=yes state=present @@ -67,7 +67,7 @@ action: file src=/mnt/fedora_koji/compose/cache dest=/srv/pungi/cache state=link - name: add builder infra yum repo - action: copy src="{{ files }}/kojibuilder/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo + action: copy src="{{ files }}/../roles/koji_builder/files/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo tags: - configs @@ -93,7 +93,7 @@ - pykickstart - name: /etc/koji/koji.conf - action: copy src="{{ files }}/kojibuilder/koji.conf" dest=/etc/koji.conf + action: copy src="{{ files }}//../roles/koji_builder/files/koji.conf" dest=/etc/koji.conf # mock configs @@ -109,7 +109,7 @@ # idmapd and make sure it's set to run - name: idmapd.conf - action: copy src="{{ files }}/kojibuilder/idmapd.conf" dest=/etc/idmapd.conf + action: copy src="{{ files }}/../roles/koji_builder/files//idmapd.conf" dest=/etc/idmapd.conf tags: - configs @@ -123,7 +123,7 @@ - name: route to netapp network - action: copy src="{{ files }}/kojibuilder/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 + action: copy src="{{ files }}/../roles/koji_builder/files/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 notify: - restart netapproute 
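Review bot: The rewritten `src=` paths in all five hunks of tasks/koji/releng_config.yml reach into the role through `{{ files }}/../roles/koji_builder/files/...`, which ties this task file to the role's internal layout and to `files` sitting exactly one level below the repository root. The spellings also differ between hunks (`files//mock_auth_keys`, `{{ files }}//../roles`, `files//idmapd.conf`); they presumably resolve the same way but should be normalised to a single slash. Defining the prefix once in a variable, or keeping the shared files under `files/`, would keep the coupling in one place. The mock authorized_keys is installed with `mode=644` here while the new role uses `mode=640` for the same destination, so a host that ever gets both would have the mode flipped on each run.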
diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml index 26fee37039..f92af0a840 100644 --- a/tasks/yumrepos.yml +++ b/tasks/yumrepos.yml @@ -4,7 +4,7 @@ with_items: - epel6.repo - rhel6.repo - when: is_rhel == 'True' + when: ansible_distribution == 'RedHat' tags: - config - packages @@ -15,18 +15,18 @@ - fedora.repo - fedora-updates.repo - fedora-updates-testing.repo - when: is_fedora == 'True' and ansible_architecture == 'x86_64' + when: ansible_distribution == 'Fedora' and ansible_architecture == 'x86_64' tags: - config - packages - name: put fedora repos on arm systems - action: copy src="{{ files }}/common/{{ item-arm }}" dest="/etc/yum.repos.d/{{ item }}" + action: copy src="{{ files }}/common/{{ item }}-arm" dest="/etc/yum.repos.d/{{ item }}" with_items: - fedora.repo - fedora-updates.repo - fedora-updates-testing.repo - when: is_fedora == 'True' and ansible_architecture == 'armv7l' + when: ansible_distribution == 'Fedora' and ansible_architecture == 'armv7l' tags: - config - packages diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 42f54a6837..f60970d117 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -3,4 +3,4 @@ dist_tag: f{{ ansible_distribution_version }} base_pkgs_inst: ['iptables-services' ] base_pkgs_erase: ['firewalld', 'PackageKit*', 'sendmail', 'at'] service_disabled: [ ] -service_enabled: [ ] +service_enabled: ['auditd'] diff --git a/vars/global.yml b/vars/global.yml index fa760d29d6..49718f6d0f 100644 --- a/vars/global.yml +++ b/vars/global.yml @@ -24,8 +24,8 @@ f20_qcow_id: ami-00000038 hostbase: transient # root_auth_users for cloud instances is '' by default root_auth_users: '' -global_pkgs_inst: ['bind-utils', 'joe', 'mailx', 'nc', 'openssh-clients', - 'patch', 'postfix', 'rsync', 'strace', 'telnet', +global_pkgs_inst: ['bind-utils', 'mailx', 'nc', 'openssh-clients', + 'patch', 'postfix', 'rsync', 'strace', 'tmpwatch', 'traceroute', 'vim-enhanced', 'xz', 'zsh', 'libselinux-python', 'ntpdate' ]