Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of /git/ansible

Browse source
This commit is contained in:
Patrick Uiterwijk 2014-01-29 01:10:40 +00:00
commit 3dad76a61e
105 changed files with 702 additions and 530 deletions
Download patch file Download diff file Expand all files Collapse all files

2
callback_plugins/logdetail.py
View file

@ -93,7 +93,7 @@ class LogMech(object):
if self.playbook_id == 'ansible-cmd': if self.playbook_id == 'ansible-cmd':
res['task_userid'] = getlogin() res['task_userid'] = getlogin()
for k in ("delegate_to", "environment", "first_available_file", for k in ("delegate_to", "environment", "first_available_file",
"local_action", "notified_by", "notify", "only_if", "local_action", "notified_by", "notify",
"register", "sudo", "sudo_user", "tags", "register", "sudo", "sudo_user", "tags",
"transport", "when"): "transport", "when"):
v = getattr(task, k, None) v = getattr(task, k, None)

1
files/copr/provision/files/mock/epel-5-i386.cfg
View file

@ -5,6 +5,7 @@ config_opts['chroot_setup_cmd'] = 'install buildsys-build'
config_opts['dist'] = 'el5' # only useful for --resultdir variable subst config_opts['dist'] = 'el5' # only useful for --resultdir variable subst
if not config_opts.has_key('macros'): config_opts['macros'] = {} if not config_opts.has_key('macros'): config_opts['macros'] = {}
config_opts['macros']['%__arch_install_post'] = '%{nil}' config_opts['macros']['%__arch_install_post'] = '%{nil}'
config_opts['releasever'] = '5'
config_opts['yum.conf'] = """ config_opts['yum.conf'] = """
[main] [main]

1
files/copr/provision/files/mock/epel-5-x86_64.cfg
View file

@ -5,6 +5,7 @@ config_opts['chroot_setup_cmd'] = 'install buildsys-build'
config_opts['dist'] = 'el5' # only useful for --resultdir variable subst config_opts['dist'] = 'el5' # only useful for --resultdir variable subst
if not config_opts.has_key('macros'): config_opts['macros'] = {} if not config_opts.has_key('macros'): config_opts['macros'] = {}
config_opts['macros']['%__arch_install_post'] = '%{nil}' config_opts['macros']['%__arch_install_post'] = '%{nil}'
config_opts['releasever'] = '5'
config_opts['yum.conf'] = """ config_opts['yum.conf'] = """
[main] [main]

1
files/copr/provision/files/mock/epel-7-x86_64.cfg
View file

@ -11,6 +11,7 @@ config_opts['macros']['%rhel'] = '7'
config_opts['macros']['%el7'] = '1' config_opts['macros']['%el7'] = '1'
config_opts['macros']['%_topdir'] = '/builddir/build' config_opts['macros']['%_topdir'] = '/builddir/build'
config_opts['macros']['%_rpmfilename'] = '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm' config_opts['macros']['%_rpmfilename'] = '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm'
config_opts['releasever'] = '7'
config_opts['plugin_conf']['root_cache_enable'] = False config_opts['plugin_conf']['root_cache_enable'] = False
config_opts['plugin_conf']['yum_cache_enable'] = False config_opts['plugin_conf']['yum_cache_enable'] = False

1
files/copr/provision/files/mock/fedora-20-i386.cfg
View file

@ -3,6 +3,7 @@ config_opts['target_arch'] = 'i686'
config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst
config_opts['releasever'] = '20'
config_opts['yum.conf'] = """ config_opts['yum.conf'] = """
[main] [main]

1
files/copr/provision/files/mock/fedora-20-x86_64.cfg
View file

@ -3,6 +3,7 @@ config_opts['target_arch'] = 'x86_64'
config_opts['legal_host_arches'] = ('x86_64',) config_opts['legal_host_arches'] = ('x86_64',)
config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst
config_opts['releasever'] = '20'
config_opts['yum.conf'] = """ config_opts['yum.conf'] = """
[main] [main]

6
files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts Normal file
View file

@ -0,0 +1,6 @@
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org
10.5.126.23 infrastructure.fedoraproject.org
10.5.126.71 db-notifs db-notifs
10.5.126.109 db-datanommer db-datanommer

1
files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts
View file

@ -9,3 +9,4 @@
10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.81 memcached03 memcached03.stg app01 app01.stg
10.5.126.85 db-notifs db-notifs 10.5.126.85 db-notifs db-notifs
10.5.126.85 db-datanommer db-datanommer

6
files/hosts/notifs-web01.phx2.fedoraproject.org-hosts Normal file
View file

@ -0,0 +1,6 @@
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org
10.5.126.23 infrastructure.fedoraproject.org
10.5.126.71 db-notifs db-notifs
10.5.126.109 db-datanommer db-datanommer

1
files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts
View file

@ -9,3 +9,4 @@
10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.81 memcached03 memcached03.stg app01 app01.stg
10.5.126.85 db-notifs db-notifs 10.5.126.85 db-notifs db-notifs
10.5.126.85 db-datanommer db-datanommer

6
files/hosts/notifs-web02.phx2.fedoraproject.org-hosts Normal file
View file

@ -0,0 +1,6 @@
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org
10.5.126.23 infrastructure.fedoraproject.org
10.5.126.71 db-notifs db-notifs
10.5.126.109 db-datanommer db-datanommer

1
files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts
View file

@ -9,3 +9,4 @@
10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.81 memcached03 memcached03.stg app01 app01.stg
10.5.126.85 db-notifs db-notifs 10.5.126.85 db-notifs db-notifs
10.5.126.85 db-datanommer db-datanommer

24
files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml Normal file
View file

@ -0,0 +1,24 @@
hudson.plugins.warnings.WarningsPublisher.xml
=============================================
<?xml version='1.0' encoding='UTF-8'?>
<!-- plugin requested by user rholy (ticket #4175) -->
<hudson.plugins.warnings.WarningsDescriptor plugin="warnings@4.38">
<groovyParsers>
<hudson.plugins.warnings.GroovyParser>
<name>pyflakes</name>
<regexp>^(.*):([0-9]*):(.*)$</regexp>
<script>import hudson.plugins.warnings.parser.Warning
import hudson.plugins.analysis.util.model.Priority
String fileName = matcher.group(1)
String category = &quot;PyFlakes Error&quot;
String lineNumber = matcher.group(2)
String message = matcher.group(3)
return new Warning(fileName, Integer.parseInt(lineNumber), category, &quot;PyFlakes Parser&quot;, message, Priority.NORMAL);</script>
<example></example>
<linkName>https://pypi.python.org/pypi/pyflakes</linkName>
<trendName>pyflakes errors</trendName>
</hudson.plugins.warnings.GroovyParser>
</groovyParsers>
</hudson.plugins.warnings.WarningsDescriptor>

3
handlers/restart_services.yml
View file

@ -29,6 +29,9 @@
- name: restart jenkins - name: restart jenkins
action: service name=jenkins state=restarted action: service name=jenkins state=restarted
- name: restart kojid
action: service name=kojid state=restarted
- name: restart libvirtd - name: restart libvirtd
action: service name=libvirtd state=restarted action: service name=libvirtd state=restarted

4
inventory/group_vars/buildvm
View file

@ -3,8 +3,8 @@
lvm_size: 150000 lvm_size: 150000
mem_size: 6144 mem_size: 6144
num_cpus: 5 num_cpus: 5
ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-20
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/19/Fedora/x86_64/os/ ks_repo: http://10.5.126.23/pub/fedora/linux/releases/20/Fedora/x86_64/os/
nm: 255.255.255.0 nm: 255.255.255.0
gw: 10.5.125.254 gw: 10.5.125.254
eth1_gw: 10.5.127.254 eth1_gw: 10.5.127.254

1
inventory/group_vars/kernel-qa
View file

@ -1,6 +1,5 @@
--- ---
freezes: true freezes: true
resolvconf: "{{ files }}/resolv.conf/phx2" resolvconf: "{{ files }}/resolv.conf/phx2"
rsyslogconf: "{{ files }}/rsyslog/rsyslog.conf.phx2"
fas_client_groups: sysadmin-kernel fas_client_groups: sysadmin-kernel
sudoers: "{{ private }}/files/sudo/kernel-qa" sudoers: "{{ private }}/files/sudo/kernel-qa"

10
inventory/group_vars/notifs-backend Normal file
View file

@ -0,0 +1,10 @@
---
# Define resources for this group of hosts here.
lvm_size: 20000
mem_size: 1024
num_cpus: 2
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
fas_client_groups: sysadmin-noc,sysadmin-datanommer

12
inventory/group_vars/notifs-web Normal file
View file

@ -0,0 +1,12 @@
---
# Define resources for this group of hosts here.
lvm_size: 20000
mem_size: 1024
num_cpus: 2
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
tcp_ports: [ 80, 443 ]
fas_client_groups: sysadmin-noc,sysadmin-datanommer

14
inventory/host_vars/notifs-backend01.phx2.fedoraproject.org Normal file
View file

@ -0,0 +1,14 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
eth0_ip: 10.5.126.168
volgroup: /dev/vg_virthost09
vmhost: virthost09.phx2.fedoraproject.org
datacenter: phx2

14
inventory/host_vars/notifs-web01.phx2.fedoraproject.org Normal file
View file

@ -0,0 +1,14 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
eth0_ip: 10.5.126.103
volgroup: /dev/vg_virthost04
vmhost: virthost04.phx2.fedoraproject.org
datacenter: phx2

14
inventory/host_vars/notifs-web02.phx2.fedoraproject.org Normal file
View file

@ -0,0 +1,14 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
eth0_ip: 10.5.126.119
volgroup: /dev/vg_virthost06
vmhost: virthost06.phx2.fedoraproject.org
datacenter: phx2

9
inventory/inventory
View file

@ -158,7 +158,7 @@ collab03.fedoraproject.org
collab04.fedoraproject.org collab04.fedoraproject.org
[releng] [releng]
releng01.phx2.fedoraproject.org #releng01.phx2.fedoraproject.org
releng02.phx2.fedoraproject.org releng02.phx2.fedoraproject.org
releng04.phx2.fedoraproject.org releng04.phx2.fedoraproject.org
relepel01.phx2.fedoraproject.org relepel01.phx2.fedoraproject.org
@ -258,9 +258,16 @@ lockbox-comm01.qa.fedoraproject.org
noc01.phx2.fedoraproject.org noc01.phx2.fedoraproject.org
noc02.fedoraproject.org noc02.fedoraproject.org
[notifs-backend]
notifs-backend01.phx2.fedoraproject.org
[notifs-backend-stg] [notifs-backend-stg]
notifs-backend01.stg.phx2.fedoraproject.org notifs-backend01.stg.phx2.fedoraproject.org
[notifs-web]
notifs-web01.phx2.fedoraproject.org
notifs-web02.phx2.fedoraproject.org
[notifs-web-stg] [notifs-web-stg]
notifs-web01.stg.phx2.fedoraproject.org notifs-web01.stg.phx2.fedoraproject.org
notifs-web02.stg.phx2.fedoraproject.org notifs-web02.stg.phx2.fedoraproject.org

8
playbooks/groups/arm-packager.yml
View file

@ -12,10 +12,10 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/fas_client - fas_client
tasks: tasks:
# this is how you include other task lists # this is how you include other task lists

8
playbooks/groups/arm-qa.yml
View file

@ -12,10 +12,10 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/fas_client - fas_client
tasks: tasks:
# this is how you include other task lists # this is how you include other task lists

10
playbooks/groups/arm-releng.yml
View file

@ -12,11 +12,11 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
tasks: tasks:
# this is how you include other task lists # this is how you include other task lists

14
playbooks/groups/ask.yml
View file

@ -28,13 +28,13 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/fedmsg_base - ask
- /srv/web/infra/ansible/roles/ask - fedmsg_base
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

10
playbooks/groups/backup-server.yml
View file

@ -15,11 +15,11 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

16
playbooks/groups/badges-backend.yml
View file

@ -32,12 +32,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/fedmsg_base - fedmsg_base
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"
@ -58,8 +58,8 @@
accelerate: True accelerate: True
roles: roles:
- /srv/web/infra/ansible/roles/fedmsg-hub - fedmsg-hub
- /srv/web/infra/ansible/roles/badges-backend - badges-backend
vars_files: vars_files:
- /srv/web/infra/ansible/vars/global.yml - /srv/web/infra/ansible/vars/global.yml

14
playbooks/groups/badges-web.yml
View file

@ -32,13 +32,13 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/badges-frontend - badges-frontend
- /srv/web/infra/ansible/roles/fedmsg_base - fedmsg_base
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

10
playbooks/groups/beaker.yml
View file

@ -29,11 +29,11 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
tasks: tasks:
# this is how you include other task lists # this is how you include other task lists

4
playbooks/groups/bkernel.yml
View file

@ -13,10 +13,10 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- koji_builder
tasks: tasks:
- include: "{{ tasks }}/koji/base_builder.yml"
- include: "{{ tasks }}/koji/builder_kernel_config.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml"
- include: "{{ tasks }}/koji/bkernel-setup.yml" - include: "{{ tasks }}/koji/bkernel-setup.yml"

14
playbooks/groups/buildhw.yml
View file

@ -6,7 +6,6 @@
hosts: buildhw;buildppc;buildarm hosts: buildhw;buildppc;buildarm
user: root user: root
gather_facts: True gather_facts: True
accellerate: True
vars_files: vars_files:
- /srv/web/infra/ansible/vars/global.yml - /srv/web/infra/ansible/vars/global.yml
@ -14,24 +13,20 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- koji_builder
tasks: tasks:
- include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"
- include: "{{ tasks }}/koji/base_builder.yml"
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"
- name: restart kojid
action: service name=kojid state=restarted
- name: make koji builder(s) on raw hw - name: make koji builder(s) on raw hw
hosts: buildhw hosts: buildhw
user: root user: root
gather_facts: True gather_facts: True
accellerate: True
vars_files: vars_files:
- /srv/web/infra/ansible/vars/global.yml - /srv/web/infra/ansible/vars/global.yml
@ -39,7 +34,7 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"
@ -47,6 +42,3 @@
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"
- name: restart kojid
action: service name=kojid state=restarted

11
playbooks/groups/buildvm.yml
View file

@ -32,15 +32,16 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- koji_builder
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"
- include: "{{ tasks }}/koji/base_builder.yml" - include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/koji/builder_kernel_config.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml"
- name: make sure kojid is running
action: service name=kojid state=running
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"
- name: restart kojid
action: service name=kojid state=restarted

12
playbooks/groups/docs-backend.yml
View file

@ -25,12 +25,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/yum-cron - yum-cron
tasks: tasks:
# this is how you include other task lists # this is how you include other task lists

10
playbooks/groups/elections.yml
View file

@ -27,11 +27,11 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

14
playbooks/groups/fedocal.yml
View file

@ -32,11 +32,11 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"
@ -64,7 +64,7 @@
- "{{ vars_path }}/{{ ansible_distribution }}.yml" - "{{ vars_path }}/{{ ansible_distribution }}.yml"
roles: roles:
- /srv/web/infra/ansible/roles/fedmsg_base - fedmsg_base
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"
@ -81,7 +81,7 @@
- "{{ vars_path }}/{{ ansible_distribution }}.yml" - "{{ vars_path }}/{{ ansible_distribution }}.yml"
roles: roles:
- /srv/web/infra/ansible/roles/fedocal - fedocal
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"

14
playbooks/groups/gallery.yml
View file

@ -32,12 +32,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/fedmsg_base - fedmsg_base
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"
@ -62,7 +62,7 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/gallery - gallery
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"

4
playbooks/groups/jenkins-cloud.yml
View file

@ -28,7 +28,7 @@
- resolvconf: resolv.conf/jenkins-cloud - resolvconf: resolv.conf/jenkins-cloud
roles: roles:
- /srv/web/infra/ansible/roles/base - base
tasks: tasks:
- include: "{{ tasks }}/cloud_setup_basic.yml" - include: "{{ tasks }}/cloud_setup_basic.yml"
@ -224,6 +224,7 @@
- asciidoc # Required by javapackages-tools - asciidoc # Required by javapackages-tools
- xmlto # Required by javapackages-tools - xmlto # Required by javapackages-tools
- pycairo-devel # Required by dogtail - pycairo-devel # Required by dogtail
- pyflakes # Requested by user rholy (ticket #4175)
tags: tags:
- packages - packages
@ -299,6 +300,7 @@
- lvm2 - lvm2
- sshpass # End requires for Cockpit - sshpass # End requires for Cockpit
- tito # Requested by msrb for javapackages-tools and xmvn (ticket#4113) - tito # Requested by msrb for javapackages-tools and xmvn (ticket#4113)
- pyflakes # Requested by user rholy (ticket #4175)
tags: tags:
- packages - packages

12
playbooks/groups/keyserver.yml
View file

@ -32,12 +32,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/fedmsg_base - fedmsg_base
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

12
playbooks/groups/koji-hub.yml
View file

@ -31,12 +31,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/koji_hub - koji_hub
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

12
playbooks/groups/lockbox.yml
View file

@ -25,12 +25,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/ansible-server - ansible-server
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

16
playbooks/groups/mailman.yml
View file

@ -32,12 +32,12 @@
- "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/yum-cron - yum-cron
tasks: tasks:
# this is how you include other task lists # this is how you include other task lists
@ -97,8 +97,7 @@
- "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
roles: roles:
- /srv/web/infra/ansible/roles/fedmsg_base - role: mailman
- role: /srv/web/infra/ansible/roles/mailman
mailman_dbserver: db02.stg.phx2.fedoraproject.org mailman_dbserver: db02.stg.phx2.fedoraproject.org
mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org" mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org"
mailman_mm_db_pass: "{{ mailman_mm_db_pass }}" mailman_mm_db_pass: "{{ mailman_mm_db_pass }}"
@ -106,6 +105,7 @@
mailman_hk_db_pass: "{{ mailman_hk_db_pass }}" mailman_hk_db_pass: "{{ mailman_hk_db_pass }}"
mailman_ks_admin_db_pass: "{{ mailman_ks_admin_db_pass }}" mailman_ks_admin_db_pass: "{{ mailman_ks_admin_db_pass }}"
mailman_ks_db_pass: "{{ mailman_ks_db_pass }}" mailman_ks_db_pass: "{{ mailman_ks_db_pass }}"
- fedmsg_base
tasks: tasks:
- name: install more needed packages - name: install more needed packages

14
playbooks/groups/mirrorlist.yml
View file

@ -32,13 +32,13 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/geoip - geoip
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/mirrorlist - mirrorlist
tasks: tasks:
# this is how you include other task lists # this is how you include other task lists

22
playbooks/groups/notifs-backend.yml
View file

@ -32,12 +32,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/fedmsg_base - fedmsg_base
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"
@ -45,8 +45,10 @@
- include: "{{ tasks }}/2fa_client.yml" - include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml" - include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/sudo.yml" - include: "{{ tasks }}/sudo.yml"
- include: "{{ tasks }}/openvpn_client.yml" # The proxies don't actually need to talk to these hosts so we won't bother
when: env != "staging" # putting them on the vpn.
#- include: "{{ tasks }}/openvpn_client.yml"
# when: env != "staging"
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"
@ -58,8 +60,8 @@
accelerate: True accelerate: True
roles: roles:
- /srv/web/infra/ansible/roles/fedmsg-hub - fedmsg-hub
- /srv/web/infra/ansible/roles/notifs-backend - notifs-backend
vars_files: vars_files:
- /srv/web/infra/ansible/vars/global.yml - /srv/web/infra/ansible/vars/global.yml

14
playbooks/groups/notifs-web.yml
View file

@ -32,13 +32,13 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/fedmsg_base - fedmsg_base
- /srv/web/infra/ansible/roles/notifs-frontend - notifs-frontend
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

14
playbooks/groups/nuancier.yml
View file

@ -32,11 +32,11 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"
@ -64,7 +64,7 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/fedmsg_base - fedmsg_base
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"
@ -81,7 +81,7 @@
- "{{ vars_path }}/{{ ansible_distribution }}.yml" - "{{ vars_path }}/{{ ansible_distribution }}.yml"
roles: roles:
- /srv/web/infra/ansible/roles/nuancier - nuancier
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"

12
playbooks/groups/postgresl-server.yml
View file

@ -33,12 +33,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/postgresql_server - postgresql_server
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

8
playbooks/groups/releng.yml
View file

@ -4,7 +4,7 @@
# NOTE: most of these vars_path come from group_vars/releng or from hostvars # NOTE: most of these vars_path come from group_vars/releng or from hostvars
- name: make releng systems - name: make releng systems
hosts: releng01.phx2.fedoraproject.org:releng02.phx2.fedoraproject.org hosts: releng02.phx2.fedoraproject.org
user: root user: root
gather_facts: False gather_facts: False
accelerate: True accelerate: True
@ -23,7 +23,7 @@
# Once the instance exists, configure it. # Once the instance exists, configure it.
- name: make releng server system - name: make releng server system
hosts: releng01.phx2.fedoraproject.org:releng02.phx2.fedoraproject.org hosts: releng02.phx2.fedoraproject.org
user: root user: root
gather_facts: True gather_facts: True
accelerate: True accelerate: True
@ -34,8 +34,8 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
tasks: tasks:
- include: "{{ tasks }}/koji/releng_config.yml" - include: "{{ tasks }}/koji/releng_config.yml"

12
playbooks/groups/taskotron.yml
View file

@ -29,12 +29,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/yum-cron - yum-cron
tasks: tasks:
# this is how you include other task lists # this is how you include other task lists

12
playbooks/groups/virthost.yml
View file

@ -14,12 +14,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
- /srv/web/infra/ansible/roles/iscsi_client - iscsi_client
tasks: tasks:
- include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/hosts.yml"

10
playbooks/hosts/copr-be.cloud.fedoraproject.org.yml
View file

@ -23,7 +23,7 @@
# Roles are run first, before tasks, regardless of where you place them here. # Roles are run first, before tasks, regardless of where you place them here.
roles: roles:
- /srv/web/infra/ansible/roles/fedmsg_base - fedmsg_base
tasks: tasks:
- include: "{{ tasks }}/cloud_setup_basic.yml" - include: "{{ tasks }}/cloud_setup_basic.yml"
@ -122,10 +122,10 @@
- restart lighttpd - restart lighttpd
- name: start webserver - name: start webserver
action: service state=running enabled=yes name=lighttpd service: state=running enabled=yes name=lighttpd
- name: start fail2ban - name: start fail2ban
action: service state=running enabled=yes name=fail2ban service: state=running enabled=yes name=fail2ban
# setup dirs for the ansible execution off of provisioning # setup dirs for the ansible execution off of provisioning
- name: dirs from provision - name: dirs from provision
@ -209,6 +209,6 @@
- name: chmod_key - name: chmod_key
action: file path=/etc/lighttpd/coprs-be.fedoraproject.org.pem owner=root group=root mode=0600 action: file path=/etc/lighttpd/coprs-be.fedoraproject.org.pem owner=root group=root mode=0600
- name: restart copr-backend - name: restart copr-backend
action: service: name=copr-backend state=restarted service: name=copr-backend state=restarted
- name: restart lighttpd - name: restart lighttpd
action: service: name=lighttpd state=restarted service: name=lighttpd state=restarted

2
playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
View file

@ -117,7 +117,7 @@
- "{{ vars_path }}/{{ ansible_distribution }}.yml" - "{{ vars_path }}/{{ ansible_distribution }}.yml"
roles: roles:
- role: /srv/web/infra/ansible/roles/mailman - role: mailman
mailman_dbserver: localhost mailman_dbserver: localhost
mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org
mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}" mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}"

10
playbooks/groups/kernel-qa.yml → playbooks/manual/kernel-qa.yml
View file

@ -13,11 +13,11 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
- /srv/web/infra/ansible/roles/denyhosts - denyhosts
- /srv/web/infra/ansible/roles/nagios_client - nagios_client
- /srv/web/infra/ansible/roles/fas_client - fas_client
tasks: tasks:
# this is how you include other task lists # this is how you include other task lists

4
playbooks/manual/sign.yml
View file

@ -17,8 +17,8 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- /srv/web/infra/ansible/roles/base - base
- /srv/web/infra/ansible/roles/rkhunter - rkhunter
tasks: tasks:
- include: "{{ tasks }}/serialgetty.yml" - include: "{{ tasks }}/serialgetty.yml"

13
roles/base/files/rsyslog/rsyslog-audit.conf Normal file
View file

@ -0,0 +1,13 @@
# monitor auditd log and send out over local6 to central loghost
$ModLoad imfile.so
# auditd audit.log
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
:msg, !contains, "type=AVC"
local6.* @@log02:514

3
roles/base/files/rsyslog/rsyslog-disablerate.conf Normal file
View file

@ -0,0 +1,3 @@
# Disable rate limiting
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0

4
roles/base/files/rsyslog/rsyslog-log02.conf Normal file
View file

@ -0,0 +1,4 @@
#
# Send everything on to central log02 logger machines
#
cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514

41
roles/base/files/rsyslog/rsyslog.conf.releng → roles/base/files/rsyslog/rsyslog.conf.default
View file

@ -1,20 +1,20 @@
#rsyslog v3 config file # rsyslog v5 configuration file
# if you experience problems, check # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# http://www.rsyslog.com/troubleshoot for assistance # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES #### #### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) $ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so # provides --MARK-- message capability #$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception # Provides UDP syslog reception
#$ModLoad imudp.so #$ModLoad imudp
#$UDPServerRun 514 #$UDPServerRun 514
# Provides TCP syslog reception # Provides TCP syslog reception
#$ModLoad imtcp.so #$ModLoad imtcp
#$InputTCPServerRun 514 #$InputTCPServerRun 514
@ -23,6 +23,14 @@ $ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
# Use default timestamp format # Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES #### #### RULES ####
# Log all kernel messages to the console. # Log all kernel messages to the console.
@ -31,7 +39,7 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Log anything (except mail) of level info or higher. # Log anything (except mail) of level info or higher.
# Don't log private authentication messages! # Don't log private authentication messages!
*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages *.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access. # The authpriv file has restricted access.
authpriv.* /var/log/secure authpriv.* /var/log/secure
@ -52,6 +60,7 @@ uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log # Save boot messages also to boot.log
local7.* /var/log/boot.log local7.* /var/log/boot.log
# ### begin forwarding rule ### # ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding # The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple # rule. They belong together, do NOT split them. If you create multiple
@ -60,14 +69,12 @@ local7.* /var/log/boot.log
# #
# An on-disk queue is created for this action. If the remote host is # An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again. # down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/lib/rsyslog # where to place spool files #$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously #$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down #$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514 #*.* @@remote-host:514
# ### end of the forwarding rule ### # ### end of the forwarding rule ###
cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514

48
roles/base/files/rsyslog/rsyslog.conf.kojibuilder → roles/base/files/rsyslog/rsyslog.conf.el6
View file

@ -1,38 +1,35 @@
#rsyslog v3 config file # rsyslog v5 configuration file
# if you experience problems, check # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# http://www.rsyslog.com/troubleshoot for assistance # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES #### #### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal $ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imklog # provides kernel logging support (previously done by rklogd) #$ModLoad immark # provides --MARK-- message capability
#$ModLoad immark.so # provides --MARK-- message capability
# Provides UDP syslog reception # Provides UDP syslog reception
#$ModLoad imudp.so #$ModLoad imudp
#$UDPServerRun 514 #$UDPServerRun 514
# Provides TCP syslog reception # Provides TCP syslog reception
#$ModLoad imtcp.so #$ModLoad imtcp
#$InputTCPServerRun 514 #$InputTCPServerRun 514
#### GLOBAL DIRECTIVES #### #### GLOBAL DIRECTIVES ####
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Use default timestamp format # Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Turn off message reception via local log socket; # File syncing capability is disabled by default. This feature is usually not required,
# local messages are retrieved through imjournal now. # not useful and an extreme performance hit
$OmitLocalLogging on #$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# File to store the position in the journal
$StateFile imjournal.state
#### RULES #### #### RULES ####
@ -42,7 +39,7 @@ $StateFile imjournal.state
# Log anything (except mail) of level info or higher. # Log anything (except mail) of level info or higher.
# Don't log private authentication messages! # Don't log private authentication messages!
*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages *.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access. # The authpriv file has restricted access.
authpriv.* /var/log/secure authpriv.* /var/log/secure
@ -63,6 +60,7 @@ uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log # Save boot messages also to boot.log
local7.* /var/log/boot.log local7.* /var/log/boot.log
# ### begin forwarding rule ### # ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding # The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple # rule. They belong together, do NOT split them. If you create multiple
@ -71,14 +69,12 @@ local7.* /var/log/boot.log
# #
# An on-disk queue is created for this action. If the remote host is # An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again. # down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/lib/rsyslog # where to place spool files #$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously #$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down #$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514 #*.* @@remote-host:514
# ### end of the forwarding rule ### # ### end of the forwarding rule ###
cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514

68
roles/base/files/rsyslog/rsyslog.conf → roles/base/files/rsyslog/rsyslog.conf.f20
View file

@ -1,32 +1,47 @@
#rsyslog v3 config file # rsyslog v5 configuration file
# if you experience problems, check # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# http://www.rsyslog.com/troubleshoot for assistance # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES #### #### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) # The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
#$ModLoad immark.so # provides --MARK-- message capability $ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception # Provides UDP syslog reception
#$ModLoad imudp.so #$ModLoad imudp
#$UDPServerRun 514 #$UDPServerRun 514
# Provides TCP syslog reception # Provides TCP syslog reception
#$ModLoad imtcp.so #$ModLoad imtcp
#$InputTCPServerRun 514 #$InputTCPServerRun 514
#### GLOBAL DIRECTIVES #### #### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format # Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required, # File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit # not useful and an extreme performance hit
#$ActionFileEnableSync on #$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES #### #### RULES ####
@ -36,7 +51,7 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Log anything (except mail) of level info or higher. # Log anything (except mail) of level info or higher.
# Don't log private authentication messages! # Don't log private authentication messages!
*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages *.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access. # The authpriv file has restricted access.
authpriv.* /var/log/secure authpriv.* /var/log/secure
@ -49,7 +64,7 @@ mail.* -/var/log/maillog
cron.* /var/log/cron cron.* /var/log/cron
# Everybody gets emergency messages # Everybody gets emergency messages
*.emerg * *.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file. # Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler uucp,news.crit /var/log/spooler
@ -57,16 +72,6 @@ uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log # Save boot messages also to boot.log
local7.* /var/log/boot.log local7.* /var/log/boot.log
# monitor auditd log and send out over local6 to central loghost
$ModLoad imfile.so
# auditd audit.log
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
# ### begin forwarding rule ### # ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding # The statement between the begin ... end define a SINGLE forwarding
@ -76,22 +81,11 @@ $InputRunFileMonitor
# #
# An on-disk queue is created for this action. If the remote host is # An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again. # down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/lib/rsyslog # where to place spool files #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueType LinkedList # run asynchronously
$ActionQueueType LinkedList # run asynchronously #$ActionResumeRetryCount -1 # infinite retries if host is down
$ActionResumeRetryCount -1 # infinite retries if host is down
# Disable rate limiting
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514 #*.* @@remote-host:514
# ### end of the forwarding rule ### # ### end of the forwarding rule ###
cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514
:msg, !contains, "type=AVC" ~
local6.* @@log02:514

97
roles/base/files/rsyslog/rsyslog.conf.phx2
View file

@ -1,97 +0,0 @@
#rsyslog v3 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# monitor auditd log and send out over local6 to central loghost
$ModLoad imfile.so
# auditd audit.log
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# Disable rate limiting
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514
:msg, !contains, "type=AVC" ~
local6.* @@log02:514

19
roles/base/tasks/main.yml
View file

@ -32,7 +32,7 @@
user: name=root password={{ rootpw }} state=present user: name=root password={{ rootpw }} state=present
tags: tags:
- rootpw - rootpw
when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng')) when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng') or inventory_hostname.startswith('arm'))
- name: add ansible root key - name: add ansible root key
authorized_key: user=root key="{{ item }}" authorized_key: user=root key="{{ item }}"
@ -106,11 +106,8 @@
- name: rsyslog.conf - name: rsyslog.conf
copy: src={{ item }} dest=/etc/rsyslog.conf mode=644 copy: src={{ item }} dest=/etc/rsyslog.conf mode=644
first_available_file: first_available_file:
- "{{ rsyslogconf }}" - rsyslog/rsyslog.conf.{{ dist_tag }}
- rsyslog/rsyslog.conf.{{ ansible_fqdn }} - rsyslog/rsyslog.conf.default
- rsyslog/rsyslog.conf.{{ host_group }}
- rsyslog/rsyslog.conf.{{ datacenter }}
- rsyslog/rsyslog.conf
notify: notify:
- restart rsyslog - restart rsyslog
@ -118,6 +115,16 @@
- rsyslogd - rsyslogd
- config - config
- name: add rsyslog config to /etc/rsyslog.d
copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644
with_fileglob:
- rsyslog/*.conf
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- name: /etc/postfix/main.cf - name: /etc/postfix/main.cf
copy: src={{ item }} dest=/etc/postfix/main.cf copy: src={{ item }} dest=/etc/postfix/main.cf
first_available_file: first_available_file:

6
roles/base/templates/iptables/iptables.kojibuilder
View file

@ -47,6 +47,12 @@
-A INPUT -p tcp -m tcp -s 10.5.0.0/16 --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp -s 10.5.0.0/16 --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.0.0/16 --sport 22 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.0.0/16 --sport 22 -j ACCEPT
# for ansible accelerate mode - allow port 5099 from lockbox and it's ips
-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
# git to pkgs # git to pkgs
-A OUTPUT -m tcp -p tcp --dport 9418 -d 10.5.125.44 -j ACCEPT -A OUTPUT -m tcp -p tcp --dport 9418 -d 10.5.125.44 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 9418 -d 10.5.125.44 -j ACCEPT -A OUTPUT -m udp -p udp --dport 9418 -d 10.5.125.44 -j ACCEPT

7
roles/debug_env/tasks/main.yml Normal file
View file

@ -0,0 +1,7 @@
#
# This role can be added to a playbook to dump out all
# the env from ansible to see what variables and facts are.
# Taken from https://coderwall.com/p/13lh6w
#
- name: Dump all ansible vars
template: src=dumpall.j2 dest=/tmp/debug_env.out

19
roles/debug_env/templates/dumpall.j2 Normal file
View file

@ -0,0 +1,19 @@
Module Variables ("vars"):
--------------------------------
{{ vars | to_nice_json }}
Environment Variables ("environment"):
--------------------------------
{{ environment | to_nice_json }}
GROUP NAMES Variables ("group_names"):
--------------------------------
{{ group_names | to_nice_json }}
GROUPS Variables ("groups"):
--------------------------------
{{ groups | to_nice_json }}
HOST Variables ("hostvars"):
--------------------------------
{{ hostvars | to_nice_json }}

BIN
roles/fedmsg_base/files/selinux/fedmsg.mod Normal file
View file

Binary file not shown.

BIN
roles/fedmsg_base/files/selinux/fedmsg.pp Normal file
View file

Binary file not shown.

11
roles/fedmsg_base/files/selinux/fedmsg.te Normal file
View file

@ -0,0 +1,11 @@
module fedmsg 1.0;
require {
type anon_inodefs_t;
type httpd_t;
class file write;
}
#============= httpd_t ==============
allow httpd_t anon_inodefs_t:file write;

13
roles/fedmsg_base/tasks/main.yml
View file

@ -19,6 +19,7 @@
with_items: with_items:
- ssl.py - ssl.py
- endpoints.py - endpoints.py
- endpoints-fedocal.py
- endpoints-fedbadges.py - endpoints-fedbadges.py
- endpoints-nuancier.py - endpoints-nuancier.py
- endpoints-mailman.py - endpoints-mailman.py
@ -69,3 +70,15 @@
when: fedmsg_certs != [] when: fedmsg_certs != []
tags: tags:
- config - config
# Three tasks for handling our custom selinux module
- name: ensure a directory exists for our custom selinux module
file: dest=/usr/local/share/fedmsg state=directory
- name: copy over our custom selinux module
copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp
register: selinux_module
- name: install our custom selinux module
command: semodule -i /usr/local/share/fedmsg/fedmsg.pp
when: selinux_module|changed

20
roles/fedmsg_base/templates/endpoints-fedocal.py.j2 Normal file
View file

@ -0,0 +1,20 @@
{% if env == 'staging' %}
suffix = 'stg.phx2.fedoraproject.org'
{% else %}
suffix = 'phx2.fedoraproject.org'
{% endif %}
config = dict(
endpoints={
"fedocal.fedocal01": [
"tcp://fedocal01.%s:30%02i" % (suffix, i)
for i in range(2)
],
{% if env != 'staging' %}
"fedocal.fedocal02": [
"tcp://fedocal02.%s:30%02i" % (suffix, i)
for i in range(2)
],
{% endif %}
},
)

0
files/kojibuilder/arm-koji.conf → roles/koji_builder/files/arm-koji.conf
View file

0
files/kojibuilder/arm-kojid.conf → roles/koji_builder/files/arm-kojid.conf
View file

0
files/kojibuilder/builder-infrastructure.repo → roles/koji_builder/files/builder-infrastructure.repo
View file

0
files/kojibuilder/builders/bkernel-eth0-network → roles/koji_builder/files/builders/bkernel-eth0-network
View file

0
files/kojibuilder/builders/bkernel-site-defaults.cfg → roles/koji_builder/files/builders/bkernel-site-defaults.cfg
View file

0
files/kojibuilder/builders/fedora-branched-pungi-armhfp.cfg → roles/koji_builder/files/builders/fedora-branched-pungi-armhfp.cfg
View file

0
files/kojibuilder/builders/fedora-branched-pungi-i386.cfg → roles/koji_builder/files/builders/fedora-branched-pungi-i386.cfg
View file

0
files/kojibuilder/builders/fedora-branched-pungi-x86_64.cfg → roles/koji_builder/files/builders/fedora-branched-pungi-x86_64.cfg
View file

0
files/kojibuilder/builders/fedora-rawhide-pungi-armhfp.cfg → roles/koji_builder/files/builders/fedora-rawhide-pungi-armhfp.cfg
View file

0
files/kojibuilder/builders/fedora-rawhide-pungi-i386.cfg → roles/koji_builder/files/builders/fedora-rawhide-pungi-i386.cfg
View file

0
files/kojibuilder/builders/fedora-rawhide-pungi-x86_64.cfg → roles/koji_builder/files/builders/fedora-rawhide-pungi-x86_64.cfg
View file

0
files/kojibuilder/builders/site-defaults.cfg → roles/koji_builder/files/builders/site-defaults.cfg
View file

0
files/kojibuilder/ftbfs_auth_keys → roles/koji_builder/files/ftbfs_auth_keys
View file

0
files/kojibuilder/history_off.sh → roles/koji_builder/files/history_off.sh
View file

0
files/kojibuilder/idmapd.conf → roles/koji_builder/files/idmapd.conf
View file

0
files/kojibuilder/koji.conf → roles/koji_builder/files/koji.conf
View file

0
files/kojibuilder/kojid.conf → roles/koji_builder/files/kojid.conf
View file

0
files/kojibuilder/limits.conf → roles/koji_builder/files/limits.conf
View file

0
files/kojibuilder/mock_auth_keys → roles/koji_builder/files/mock_auth_keys
View file

1
files/kojibuilder/root_auth_keys → roles/koji_builder/files/root_auth_keys
View file

@ -1,2 +1 @@
#ansible key
from="10.5.126.23,10.5.126.12,10.5.126.11,209.132.181.6,192.168.1.58,152.19.134.140,192.168.1.42" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org from="10.5.126.23,10.5.126.12,10.5.126.11,209.132.181.6,192.168.1.58,152.19.134.140,192.168.1.42" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org

0
files/kojibuilder/route-eth1 → roles/koji_builder/files/route-eth1
View file

144
roles/koji_builder/tasks/main.yml Normal file
View file

@ -0,0 +1,144 @@
#
# This is a base koji_builder role.
#
- name: set root passwd
user: name=root password={{ builder_rootpw }} state=present
- name: add mock user as 425
user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes
- name: make mock homedir perms
file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock
- name: add mock ssh dir
file: state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock
- name: add mock ssh keys
copy: src=mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock
- name: add kojibuilder
user: name=kojibuilder groups=mock
- name: add mockbuilder
user: name=mockbuilder groups=mock
- name: mockbuilder .ssh dir
file: state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder
- name: mockbuilder ssh key
copy: src=ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder
- name: make a bunch of dirs
file: state=directory path={{ item }}
with_items:
- /pub
- /mnt/fedora_koji
- /pub/fedora
- /pub/epel
- name: add builder infra yum repo
copy: src=builder-infrastructure.repo dest=/etc/yum.repos.d/builder-infrastructure.repo
- name: clean up packages we do not need
yum: state=removed pkg={{ item }}
with_items:
- 'cronie\*'
- name: add pkgs
yum: state=installed pkg={{ item }}
with_items:
- yum-utils
- koji-builder
- strace
- mock
- nfs-utils
- kernel-firmware
- ntp
- ntpdate
- rsyslog
- audit
- name: /etc/kojid/kojid.conf
copy: src=kojid.conf dest=/etc/kojid/kojid.conf
when: not inventory_hostname.startswith(('arm01','arm03'))
notify:
- restart kojid
- name: arm /etc/kojid/kojid.conf
copy: src=arm-kojid.conf dest=/etc/kojid/kojid.conf
when: inventory_hostname.startswith(('arm01','arm03'))
notify:
- restart kojid
- name: /etc/koji/koji.conf
copy: src=koji.conf dest=/etc/koji.conf
when: not inventory_hostname.startswith(('arm01','arm03'))
- name: /etc/koji/koji.conf
copy: src=arm-koji.conf dest=/etc/koji.conf
when: inventory_hostname.startswith(('arm01','arm03'))
- name: copy over koji ca cert
copy: src="{{ private }}/files/koji/buildercerts/fedora-ca.cert" dest=/etc/kojid/cacert.pem
- name: copy over /etc/security/limits.conf
copy: src=limits.conf dest=/etc/security/limits.conf
- name: copy over builder cert to /etc/kojid/kojibuilder.pem
copy: src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600
# idmapd and make sure it's set to run
- name: idmapd.conf
copy: src=idmapd.conf dest=/etc/idmapd.conf
tags:
- configs
- name: route config for netapp network
copy: src=route-eth1 dest=/etc/sysconfig/network-scripts/route-eth1
- name: check for netapp route
command: ip route show
register: netapproute
always_run: yes
changed_when: "1 != 1"
- name: run netapp route
command: /etc/sysconfig/network-scripts/ifup-routes eth1
when: netapproute.stdout.find("10.5.88.0") == -1 and not inventory_hostname.startswith('arm')
- name: nfs mount points
mount: name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=mounted
when: inventory_hostname.startswith('build')
- name: make a mnt/koji link
file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
when: inventory_hostname.startswith('build')
# mock configs for pungify job
- name: put extra special mock configs in
copy: src=builders/{{ item }} dest="/etc/mock/{{ item }}" mode=644
with_items:
- fedora-branched-pungi-armhfp.cfg
- fedora-branched-pungi-i386.cfg
- fedora-branched-pungi-x86_64.cfg
- fedora-rawhide-pungi-i386.cfg
- fedora-rawhide-pungi-x86_64.cfg
- fedora-rawhide-pungi-armhfp.cfg
- name: mock site-defaults.cfg
copy: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
when: not inventory_hostname.startswith('bkernel')
- name: ntp steptickers
copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers
- name: ntp.conf
copy: src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf
- name: enable services and start them
service: name={{ item }} enabled=true state=started
with_items:
- ntpd
- nfs-lock
- nfs-idmap
- nfs-mountd

1
roles/nagios_client/tasks/main.yml
View file

@ -56,6 +56,7 @@
- check_swap.cfg - check_swap.cfg
- check_postfix_queue.cfg - check_postfix_queue.cfg
- check_lock.cfg - check_lock.cfg
- check_fedmsg_hub_proc.cfg
notify: notify:
- restart nrpe - restart nrpe
tags: tags:

1
roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 Normal file
View file

@ -0,0 +1 @@
command[check_fedmsg_hub_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'fedmsg-hub' -u fedmsg

3
roles/notifs-frontend/files/fmn.web.wsgi
View file

@ -10,6 +10,9 @@ import pkg_resources
import os import os
os.environ['FMN_WEB_CONFIG'] = '/etc/fmn.web.cfg' os.environ['FMN_WEB_CONFIG'] = '/etc/fmn.web.cfg'
import logging
logging.basicConfig()
# The most import line to make the wsgi working # The most import line to make the wsgi working
from fmn.web.app import app as application from fmn.web.app import app as application
# Dangerous.. only use when testing. # Dangerous.. only use when testing.

11
roles/notifs-frontend/tasks/main.yml
View file

@ -17,6 +17,17 @@
notify: notify:
- restart apache - restart apache
- name: destroy a bogus config file brought in by python-datanommer-models
file: dest=/etc/fedmsg.d/datanommer.py state=absent
notify:
- restart apache
- name: setup symlink to fedora theme
file: >
src=/usr/share/fmn.web/static/bootstrap-3.0.2-fedora
dest=/usr/share/fmn.web/static/bootstrap
state=link
- name: copy fmn httpd config - name: copy fmn httpd config
copy: > copy: >
src=fmn.web.conf dest=/etc/httpd/conf.d/fmn.web.conf src=fmn.web.conf dest=/etc/httpd/conf.d/fmn.web.conf

6
roles/notifs-frontend/templates/fmn.web.cfg
View file

@ -13,6 +13,6 @@ FMN_FEDORA_OPENID = 'https://id.fedoraproject.org'
{% endif %} {% endif %}
FMN_ALLOW_FAS_OPENID = True FMN_ALLOW_FAS_OPENID = True
FMN_ALLOW_GOOGLE_OPENID = True FMN_ALLOW_GOOGLE_OPENID = False
FMN_ALLOW_YAHOO_OPENID = True FMN_ALLOW_YAHOO_OPENID = False
FMN_ALLOW_GENERIC_OPENID = True FMN_ALLOW_GENERIC_OPENID = False

3
roles/notifs-frontend/templates/fmn.web.py
View file

@ -1,3 +1,6 @@
config = { config = {
# This is for *our* database
"fmn.sqlalchemy.uri": "postgresql://{{notifs_db_user}}:{{notifs_db_password}}@db-notifs/notifications", "fmn.sqlalchemy.uri": "postgresql://{{notifs_db_user}}:{{notifs_db_password}}@db-notifs/notifications",
# And this is for the datanommer database
"datanommer.sqlalchemy.url": "postgresql://{{datanommerDBUser}}:{{datanommerDBPassword}}@db-datanommer/datanommer",
} }

25
scripts/ansible-playbook-check-diff Executable file
View file

@ -0,0 +1,25 @@
#!/usr/bin/python -tt
import os
import os.path
import subprocess
rootpath = "/srv/web/infra/ansible/playbooks"
#
# Find all the .yml files under playbooks/groups and hosts and run ansible-playbook on them
# With --check and --diff for now. We don't run the 'manual' subdir ones.
for dir in ("hosts", "groups"):
hostsplaybookspath = os.path.join(rootpath, dir)
for path, dirs, files in os.walk(hostsplaybookspath):
for file in files:
if not file.endswith(".yml"):
continue
playbookpath = os.path.join(path, file)
cmd = ("ansible-playbook", playbookpath, "--check", "--diff")
ansibleprocess = subprocess.Popen(cmd)
#
# Add this if you want to run them one at a time instead of all forked off in a bunch.
# ansibleprocess.communicate()
#

145
tasks/koji/base_builder.yml
View file

@ -1,145 +0,0 @@
- name: set root passwd
action: user name=root password={{ builder_rootpw }} state=present
- name: add mock user as 425
action: user name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes
- name: make mock homedir perms
action: file state=directory path=/var/lib/mock mode=2775 owner=root group=mock
- name: add mock ssh dir
action: file state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock
- name: add mock ssh keys
action: copy src="{{ files }}/kojibuilder/mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock
- name: add kojibuilder
action: user name=kojibuilder groups=mock
- name: add mockbuilder
action: user name=mockbuilder groups=mock
- name: mockbuilder .ssh dir
action: file state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder
- name: mockbuilder ssh key
action: copy src="{{ files }}/kojibuilder/ftbfs_auth_keys" dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder
- name: make a bunch of dirs
action: file state=directory path={{ item }}
with_items:
- /pub
- /mnt/fedora_koji
- /pub/fedora
- /pub/epel
- /var/spool/rsyslog
- name: add builder infra yum repo
action: copy src="{{ files }}/kojibuilder/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo
- name: clean up packages we do not need
action: yum state=removed pkg={{ item }}
with_items:
- audit
- 'cronie\*'
- name: add pkgs
action: yum state=installed pkg={{ item }}
with_items:
- yum-utils
- koji-builder
- strace
- mock
- nfs-utils
- kernel-firmware
- ntp
- ntpdate
- name: /etc/kojid/kojid.conf
action: copy src="{{ files }}/kojibuilder/kojid.conf" dest=/etc/kojid/kojid.conf
when: not inventory_hostname.startswith(('arm01','arm03'))
notify:
- restart kojid
- name: arm /etc/kojid/kojid.conf
action: copy src="{{ files }}/kojibuilder/arm-kojid.conf" dest=/etc/kojid/kojid.conf
when: inventory_hostname.startswith(('arm01','arm03'))
notify:
- restart kojid
- name: /etc/koji/koji.conf
action: copy src="{{ files }}/kojibuilder/koji.conf" dest=/etc/koji.conf
when: not inventory_hostname.startswith(('arm01','arm03'))
- name: /etc/koji/koji.conf
action: copy src="{{ files }}/kojibuilder/arm-koji.conf" dest=/etc/koji.conf
when: inventory_hostname.startswith(('arm01','arm03'))
- name: copy over koji ca cert
action: copy src="{{ private }}/files/koji/buildercerts/fedora-ca.cert" dest=/etc/kojid/cacert.pem
- name: copy over /etc/security/limits.conf
action: copy src="{{ files }}/kojibuilder/limits.conf" dest=/etc/security/limits.conf
- name: copy over builder cert to /etc/kojid/kojibuilder.pem
action: copy src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600
- name: chkconfig kojid on and leave it running
action: service name=kojid enabled=on
# action: service name=kojid enabled=on state=started
- name: copy over authorized keys for root
action: copy src="{{ files }}/kojibuilder/root_auth_keys" dest=/root/.ssh/authorized_keys mode=644
# idmapd and make sure it's set to run
- name: idmapd.conf
action: copy src="{{ files }}/kojibuilder/idmapd.conf" dest=/etc/idmapd.conf
tags:
- configs
- name: enable nfs-related services and run them
action: service name={{ item }} enabled=true state=started
with_items:
- rpcidmapd
- rpcbind
- nfs
- nfslock
- name: route config for netapp network
action: copy src="{{ files }}/kojibuilder/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1
- name: run netapp route
command: /etc/sysconfig/network-scripts/ifup-routes eth1
- name: nfs mount points
action: mount name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=mounted
when: inventory_hostname.startswith('build')
- name: make a mnt/koji link
action: file state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
when: inventory_hostname.startswith('build')
# mock configs for pungify job
# TODO: restore this to "copy:", this is a temporary "fix" for https://github.com/ansible/ansible/issues/4377
- name: put extra special mock configs in
template: src="{{ files }}/kojibuilder/builders/{{ item }}" dest="/etc/mock/{{ item }}" mode=644
with_items:
- fedora-branched-pungi-armhfp.cfg
- fedora-branched-pungi-i386.cfg
- fedora-branched-pungi-x86_64.cfg
- fedora-rawhide-pungi-i386.cfg
- fedora-rawhide-pungi-x86_64.cfg
- fedora-rawhide-pungi-armhfp.cfg
- name: mock site-defaults.cfg
action: copy src="{{ files }}/kojibuilder/builders/site-defaults.cfg" dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
when: not inventory_hostname.startswith('bkernel')
- name: ntp steptickers
action: copy src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers
- name: ntp.conf
action: copy src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf
- name: enable ntpd
action: service name=ntpd enabled=true state=started

Some files were not shown because too many files have changed in this diff Show more