From 273093ecbb769811a25326638f0a9eb3783a3682 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 02:34:31 +0000 Subject: [PATCH 01/13] put server ccd files under server subdir --- roles/openvpn/server/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml index 907be968f9..0d54151845 100644 --- a/roles/openvpn/server/tasks/main.yml +++ b/roles/openvpn/server/tasks/main.yml @@ -9,9 +9,9 @@ - packages - openvpn -- name: Create the /etc/openvpn/ccd/ directory +- name: Create the /etc/openvpn/server/ccd/ directory file: > - dest=/etc/openvpn/ccd/ + dest=/etc/openvpn/server/ccd/ mode=0755 owner=root group=root @@ -44,7 +44,7 @@ - openvpn - name: Install the ccd files - copy: src=ccd/ dest=/etc/openvpn/ccd/ + copy: src=ccd/ dest=/etc/openvpn/server/ccd/ tags: - openvpn From 9a8ab4f3570d40f69c72260e295f7809876b8fb2 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 15 May 2017 13:15:20 +0000 Subject: [PATCH 02/13] Add "freshmaker" to the FAS username blacklist. --- roles/fas_server/templates/fas.cfg.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2 index 9d71432062..a2649ad3b3 100644 --- a/roles/fas_server/templates/fas.cfg.j2 +++ b/roles/fas_server/templates/fas.cfg.j2 
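Review bot: Nothing visible in this patch updates the server's `client-config-dir` setting or removes the old `/etc/openvpn/ccd/` tree, although both hunks now write to `/etc/openvpn/server/ccd/`. If the running server config still points at the old path, per-client settings keep coming from stale files and later edits to the ccd files have no effect, so the config change and a cleanup task such as `file: dest=/etc/openvpn/ccd/ state=absent` should land together with this move. The `copy` task in the second hunk also sets no `owner`, `group` or `mode`, unlike the directory task in the first hunk; adding `owner=root group=root mode=0644` would make the file permissions explicit. Both tasks continue outside their hunks.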
@@ -76,9 +76,9 @@ ipa_sync_certfile = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' # Usernames that are unavailable for fas allocation {% if env == "staging" %} -username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% else %} -username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% endif %} email_domain_blacklist = "{{ fas_blocked_emails }}" From ff79df0b948086d9e7a4ce8fba8aa029c1c697b8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 17:01:33 +0000 Subject: [PATCH 03/13] Drop prod/dev/stg specific playbooks for taskotron and switch to single one. --- master.yml | 4 +- playbooks/groups/taskotron-dev.yml | 59 ----------------------------- playbooks/groups/taskotron-prod.yml | 58 ---------------------------- playbooks/groups/taskotron-stg.yml | 56 --------------------------- 4 files changed, 1 insertion(+), 176 deletions(-) delete mode 100644 playbooks/groups/taskotron-dev.yml delete mode 100644 playbooks/groups/taskotron-prod.yml delete mode 100644 playbooks/groups/taskotron-stg.yml diff --git a/master.yml b/master.yml index d8bf06f949..4aad7065d6 100644 --- a/master.yml +++ b/master.yml 
@@ -107,10 +107,8 @@ - include: /srv/web/infra/ansible/playbooks/groups/summershum.yml - include: /srv/web/infra/ansible/playbooks/groups/sundries.yml - include: /srv/web/infra/ansible/playbooks/groups/tagger.yml +- include: /srv/web/infra/ansible/playbooks/groups/taskotron.yml - include: /srv/web/infra/ansible/playbooks/groups/taskotron-client-hosts.yml -- include: /srv/web/infra/ansible/playbooks/groups/taskotron-prod.yml -- include: /srv/web/infra/ansible/playbooks/groups/taskotron-dev.yml -- include: /srv/web/infra/ansible/playbooks/groups/taskotron-stg.yml - include: /srv/web/infra/ansible/playbooks/groups/torrent.yml - include: /srv/web/infra/ansible/playbooks/groups/twisted-buildbots.yml - include: /srv/web/infra/ansible/playbooks/groups/unbound.yml diff --git a/playbooks/groups/taskotron-dev.yml b/playbooks/groups/taskotron-dev.yml deleted file mode 100644 index a5ba557833..0000000000 --- a/playbooks/groups/taskotron-dev.yml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -# create a new taskotron dev server -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=taskotron-dev" - -- name: make the box be real - hosts: taskotron-dev - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: base, tags: ['base'] } - - { role: rkhunter, tags: ['rkhunter'] } - - { role: nagios_client, tags: ['nagios_client'] } - - { role: hosts, tags: ['hosts']} - - { role: fas_client, tags: ['fas_client'] } - - { role: collectd/base, tags: ['collectd_base'] } - - { role: dnf-automatic, tags: ['dnfautomatic'] } - - { role: sudo, tags: ['sudo'] } - - apache - - tasks: - # this is how you include other task lists - - include: "{{ tasks_path }}/yumrepos.yml" - - include: "{{ tasks_path }}/2fa_client.yml" - - include: "{{ tasks_path }}/motd.yml" - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" - -- name: configure taskotron master - hosts: taskotron-dev - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: taskotron/grokmirror, tags: ['grokmirror'] } -# - { role: taskotron/cgit, tags: ['cgit'] } - - { role: taskotron/buildmaster, tags: ['buildmaster'] } - - { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] } - - { role: taskotron/taskotron-trigger, tags: ['trigger'] } - - { role: taskotron/taskotron-frontend, tags: ['frontend'] } - - { role: taskotron/taskotron-proxy, tags: ['taskotronproxy'] } - - { role: taskotron/ssl-taskotron, tags: ['ssltaskotron'] } - - handlers: - - include: "{{ handlers_path 
}}/restart_services.yml" diff --git a/playbooks/groups/taskotron-prod.yml b/playbooks/groups/taskotron-prod.yml deleted file mode 100644 index 2894c88620..0000000000 --- a/playbooks/groups/taskotron-prod.yml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -# create a new taskotron production server -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=taskotron-prod" - -- name: make the box be real - hosts: taskotron-prod - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: base, tags: ['base'] } - - { role: rkhunter, tags: ['rkhunter'] } - - { role: nagios_client, tags: ['nagios_client'] } - - { role: hosts, tags: ['hosts']} - - { role: fas_client, tags: ['fas_client'] } - - { role: collectd/base, tags: ['collectd_base'] } - - { role: sudo, tags: ['sudo'] } - - { role: openvpn/client, - when: env != "staging", tags: ['openvpn_client'] } - - apache - - tasks: - # this is how you include other task lists - - include: "{{ tasks_path }}/yumrepos.yml" - - include: "{{ tasks_path }}/2fa_client.yml" - - include: "{{ tasks_path }}/motd.yml" - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" - -- name: configure taskotron master - hosts: taskotron-prod - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: taskotron/grokmirror, tags: ['grokmirror'] } -# - { role: taskotron/cgit, tags: ['cgit'] } - - { role: taskotron/buildmaster, tags: ['buildmaster'] } - - { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] } - - { role: taskotron/taskotron-trigger, tags: ['trigger'] } - - { role: taskotron/taskotron-frontend, tags: ['frontend'] } - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" 
diff --git a/playbooks/groups/taskotron-stg.yml b/playbooks/groups/taskotron-stg.yml deleted file mode 100644 index 652583c59a..0000000000 --- a/playbooks/groups/taskotron-stg.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -# create a new taskotron staging server -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=taskotron-stg" - -- name: make the box be real - hosts: taskotron-stg - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: base, tags: ['base'] } - - { role: rkhunter, tags: ['rkhunter'] } - - { role: nagios_client, tags: ['nagios_client'] } - - { role: hosts, tags: ['hosts']} - - { role: fas_client, tags: ['fas_client'] } - - { role: collectd/base, tags: ['collectd_base'] } - - { role: sudo, tags: ['sudo'] } - - apache - - tasks: - # this is how you include other task lists - - include: "{{ tasks_path }}/yumrepos.yml" - - include: "{{ tasks_path }}/2fa_client.yml" - - include: "{{ tasks_path }}/motd.yml" - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" - -- name: configure taskotron master - hosts: taskotron-stg - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: taskotron/grokmirror, tags: ['grokmirror'] } -# - { role: taskotron/cgit, tags: ['cgit'] } - - { role: taskotron/buildmaster, tags: ['buildmaster'] } - - { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] } - - { role: taskotron/taskotron-trigger, tags: ['trigger'] } - - { role: taskotron/taskotron-frontend, tags: ['frontend'] } - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" From d863bb362909e52276146d5bde80d435aa460654 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Mon, 15 May 2017 17:07:47 +0000 Subject: [PATCH 04/13] add modularity dev host to master --- master.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/master.yml b/master.yml index 4aad7065d6..f1253b134b 100644 --- a/master.yml +++ b/master.yml @@ -145,6 +145,7 @@ - include: /srv/web/infra/ansible/playbooks/hosts/kolinahr.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/magazine.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/modernpaste.fedorainfracloud.org.yml +- include: /srv/web/infra/ansible/playbooks/hosts/modularity.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/piwik.fedorainfracloud.org.yml #- include: /srv/web/infra/ansible/playbooks/hosts/regcfp.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml From 2df1d71510814dbc25c87094297b89dc5eb3bbd0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 17:33:51 +0000 Subject: [PATCH 05/13] clean up iptables in base to not apply to cloud compute/master, osbs or os --- inventory/group_vars/all | 4 +- inventory/group_vars/openstack-compute | 1 + inventory/group_vars/os | 1 + inventory/group_vars/os-stg | 3 + inventory/group_vars/osbs | 2 + inventory/group_vars/osbs-stg | 2 + .../fed-cloud09.cloud.fedoraproject.org | 2 + inventory/inventory | 12 +++- master.yml | 5 +- .../hosts/magazine.fedorainfracloud.org.yml | 55 ------------------- roles/base/tasks/main.yml | 6 +- 11 files changed, 32 insertions(+), 61 deletions(-) create mode 100644 inventory/group_vars/os-stg create mode 100644 inventory/group_vars/osbs-stg delete mode 100644 playbooks/hosts/magazine.fedorainfracloud.org.yml diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 98a057a63b..38c5f8be5d 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all 
@@ -266,4 +266,6 @@ nagios_Check_Services: dhcpd: false httpd: false - +# Set variable if we want to use our global iptables defaults +# Some things need to set their own. +baseiptables: True diff --git a/inventory/group_vars/openstack-compute b/inventory/group_vars/openstack-compute index af900eeef7..0fed5183fd 100644 --- a/inventory/group_vars/openstack-compute +++ b/inventory/group_vars/openstack-compute @@ -3,3 +3,4 @@ host_group: openstack-compute nrpe_procs_warn: 1100 nrpe_procs_crit: 1200 ansible_ifcfg_blacklist: true +baseiptables: False diff --git a/inventory/group_vars/os b/inventory/group_vars/os index e837201446..53196a3e9e 100644 --- a/inventory/group_vars/os +++ b/inventory/group_vars/os @@ -1,2 +1,3 @@ --- host_group: os +baseiptables: False diff --git a/inventory/group_vars/os-stg b/inventory/group_vars/os-stg new file mode 100644 index 0000000000..53196a3e9e --- /dev/null +++ b/inventory/group_vars/os-stg @@ -0,0 +1,3 @@ +--- +host_group: os +baseiptables: False diff --git a/inventory/group_vars/osbs b/inventory/group_vars/osbs index d337069253..ea03d3700e 100644 --- a/inventory/group_vars/osbs +++ b/inventory/group_vars/osbs @@ -19,3 +19,5 @@ osbs_koji_username: "kojibuilder" koji_url: "koji.fedoraproject.org" osbs_client_conf_path: /etc/osbs.conf + +baseiptables: False diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg new file mode 100644 index 0000000000..2e3e4d513d --- /dev/null +++ b/inventory/group_vars/osbs-stg @@ -0,0 +1,2 @@ +--- +baseiptables: False diff --git a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org index a72a6bb8ac..dee6f4e15b 100644 --- a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org +++ b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org @@ -8,3 +8,5 @@ ansible_ifcfg_blacklist: true nagios_Check_Services: nrpe: true sshd: true + +baseiptables: False 
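Review bot: The comment added in `inventory/group_vars/all` does not say what a host that sets `baseiptables: False` is expected to do instead, and the groups opting out in this patch (`openstack-compute`, `os`, `os-stg`, `osbs`, `osbs-stg`, plus the `fed-cloud09` host) show no replacement ruleset here. The base role then skips both the iptables and the ip6tables templates and services for them, so I would extend the comment to something like `# Hosts that set this to False get no firewall from the base role and must install their own ruleset elsewhere.` The previous ip6tables guard exempted only `fed-cloud09`, so the IPv6 exemption is now wider than before; worth confirming that is intended.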
diff --git a/inventory/inventory b/inventory/inventory index b0063c3e9d..aff5a23c35 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1330,6 +1330,16 @@ osbs-master01.stg.phx2.fedoraproject.org osbs-node01.stg.phx2.fedoraproject.org osbs-node02.stg.phx2.fedoraproject.org +[osbs:children] +osbs-control +osbs-nodes +osbs-masters + +[osbs-stg:children] +osbs-control-stg +osbs-nodes-stg +osbs-masters-stg + [os-control-stg] os-control01.stg.phx2.fedoraproject.org @@ -1342,7 +1352,7 @@ os-master03.stg.phx2.fedoraproject.org os-node01.stg.phx2.fedoraproject.org os-node02.stg.phx2.fedoraproject.org -[os:children] +[os-stg:children] os-nodes-stg os-masters-stg os-control-stg diff --git a/master.yml b/master.yml index f1253b134b..4b433002cc 100644 --- a/master.yml +++ b/master.yml @@ -33,6 +33,7 @@ - include: /srv/web/infra/ansible/playbooks/groups/buildvm.yml - include: /srv/web/infra/ansible/playbooks/groups/bugyou.yml - include: /srv/web/infra/ansible/playbooks/groups/busgateway.yml +- include: /srv/web/infra/ansible/playbooks/groups/ci.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-backend.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-dist-git.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml 
@@ -143,11 +144,11 @@ - include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/kolinahr.fedorainfracloud.org.yml -- include: /srv/web/infra/ansible/playbooks/hosts/magazine.fedorainfracloud.org.yml +- include: /srv/web/infra/ansible/playbooks/hosts/magazine2.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/modernpaste.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/modularity.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/piwik.fedorainfracloud.org.yml -#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp.fedorainfracloud.org.yml +#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp2.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/shogun-ca.cloud.fedoraproject.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/shumgrepper-dev.fedorainfracloud.org.yml diff --git a/playbooks/hosts/magazine.fedorainfracloud.org.yml b/playbooks/hosts/magazine.fedorainfracloud.org.yml deleted file mode 100644 index b0d219a85f..0000000000 --- a/playbooks/hosts/magazine.fedorainfracloud.org.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -- name: check/create instance - hosts: magazine.fedorainfracloud.org - gather_facts: False - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/web/infra/ansible/vars/fedora-cloud.yml - - /srv/private/ansible/files/openstack/passwords.yml - - tasks: - - include: "{{ tasks_path }}/persistent_cloud.yml" - -- name: setup all the things - hosts: magazine.fedorainfracloud.org - gather_facts: True - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - pre_tasks: - - include: "{{ tasks_path }}/cloud_setup_basic.yml" - - name: set hostname (required by some services, at least postfix need it) - hostname: name="{{inventory_hostname}}" - - tasks: - - name: add packages - yum: state=present name={{ item }} - with_items: - - httpd - - php - - php-mysql - - mariadb-server - - mariadb - - mod_ssl - - php-mcrypt - - php-mbstring - - wget - - unzip - - postfix - - - name: enable httpd service - service: name=httpd enabled=yes state=started - - - name: configure postfix for ipv4 only - raw: postconf -e inet_protocols=ipv4 - - - name: enable local postfix service - service: name=postfix enabled=yes state=started - - roles: - - nagios_client - - mariadb_server diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 052ef2efb0..8f43f13ade 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -233,7 +233,7 @@ - iptables/iptables.{{ host_group }} - iptables/iptables.{{ env }} - iptables/iptables - when: not inventory_hostname.startswith(('fed-cloud','osbs')) + when: baseiptables is true notify: - restart iptables - reload libvirtd @@ -248,6 +248,7 @@ - iptables - service - base + when: baseiptables is true - name: ip6tables template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes 
@@ -257,7 +258,7 @@ - iptables/ip6tables.{{ host_group }} - iptables/ip6tables.{{ env }} - iptables/ip6tables - when: not inventory_hostname.startswith('fed-cloud09') + when: baseiptables is true notify: - restart ip6tables - reload libvirtd @@ -272,6 +273,7 @@ - ip6tables - service - base + when: baseiptables is true - name: enable journald persistence file: path=/var/log/journal state=directory From a60055fbaa5e6593d89bb718619989fd7ea65d9f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 17:37:56 +0000 Subject: [PATCH 06/13] oops, == here not is --- roles/base/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 8f43f13ade..4e5832743c 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -233,7 +233,7 @@ - iptables/iptables.{{ host_group }} - iptables/iptables.{{ env }} - iptables/iptables - when: baseiptables is true + when: baseiptables == true notify: - restart iptables - reload libvirtd @@ -248,7 +248,7 @@ - iptables - service - base - when: baseiptables is true + when: baseiptables == true - name: ip6tables template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes @@ -258,7 +258,7 @@ - iptables/ip6tables.{{ host_group }} - iptables/ip6tables.{{ env }} - iptables/ip6tables - when: baseiptables is true + when: baseiptables == true notify: - restart ip6tables - reload libvirtd @@ -273,7 +273,7 @@ - ip6tables - service - base - when: baseiptables is true + when: baseiptables == true - name: enable journald persistence file: path=/var/log/journal state=directory From 1cf12210761d2181a041bdf09e7fc8bb28a440b0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 17:44:43 +0000 Subject: [PATCH 07/13] adjust hubs playbook to ignore local changes in git repo --- playbooks/hosts/hubs-dev.fedorainfracloud.org.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
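Review bot: The guard `when: baseiptables == true`, used on all four iptables/ip6tables tasks in `roles/base/tasks/main.yml`, does not match a string value, so it fails open for the firewall. A value supplied as text, for example `-e baseiptables=True` on the command line, compares unequal to the boolean, and the host is then left without the base ruleset and without any error. `when: baseiptables | bool` accepts the usual truthy spellings and is the safer form for a variable that gates firewall installation. All four tasks start or end outside their hunks.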
diff --git a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml index f9fecc0989..dc59506661 100644 --- a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml @@ -38,8 +38,7 @@ - git: repo=https://pagure.io/fedora-hubs.git dest=/srv/git/fedora-hubs version=develop - register: git_result - changed_when: "git_result.after|default('after') != git_result.before|default('before')" + ignore_errors: true - file: dest=/etc/fedmsg.d/ state=directory - name: copy around a number of files we want command: cp {{item.src}} {{item.dest}} From 123442b2f937232cf02c1b78e87e0d717b5151c6 Mon Sep 17 00:00:00 2001 From: Denis Nutiu Date: Sat, 6 May 2017 12:35:35 +0000 Subject: [PATCH 08/13] Adding logrotate for Jenkins --- roles/jenkins/master/files/jenkins.logrotate | 9 +++++++++ roles/jenkins/master/tasks/main.yml | 11 +++++++++++ 2 files changed, 20 insertions(+) create mode 100644 roles/jenkins/master/files/jenkins.logrotate diff --git a/roles/jenkins/master/files/jenkins.logrotate b/roles/jenkins/master/files/jenkins.logrotate new file mode 100644 index 0000000000..7d74a85f5c --- /dev/null +++ b/roles/jenkins/master/files/jenkins.logrotate @@ -0,0 +1,9 @@ +/var/log/jenkins/jenkins.log { + rotate 5 + weekly + compress + delaycompress + missingok + notifempty + copytruncate +} diff --git a/roles/jenkins/master/tasks/main.yml b/roles/jenkins/master/tasks/main.yml index a9a6a7a301..e2fd152330 100644 --- a/roles/jenkins/master/tasks/main.yml +++ b/roles/jenkins/master/tasks/main.yml @@ -56,6 +56,17 @@ - jenkins/master - config +- name: install jenkins logrotate file + copy: > + src="jenkins.logrotate" + dest="/etc/logrotate.d/jenkins" + notify: + - restart jenkins + tags: + - jenkins + - jenkins/master + - config + - name: install jenkins launcher config file copy: > src="jenkins.conf" From 7e5d134d5561a645289346f0a27b3eca2bf7096b Mon Sep 17 00:00:00 2001 
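Review bot: `ignore_errors: true` on the `git` task hides every failure, not only the local-modification case named in the commit message; a failed clone, a DNS or TLS error, or a missing `develop` branch would also pass, and the play carries on with whatever is already in `/srv/git/fedora-hubs`. I would keep `register: git_result` and narrow the tolerance, e.g. `failed_when: git_result.failed | default(false) and 'Local modifications' not in git_result.msg | default('')`, after checking the exact message the installed Ansible version emits. The task list continues outside the hunk.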
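Review bot: The new `install jenkins logrotate file` task sets no `owner`, `group` or `mode` on `/etc/logrotate.d/jenkins`, so the resulting permissions depend on the umask of the run. Recent logrotate versions skip configuration files that are writable by group or others, which would quietly stop rotation of `jenkins.log`; adding `owner=root group=root mode=0644` to the `copy` arguments makes this explicit. In `jenkins.logrotate`, `copytruncate` can drop lines written between the copy and the truncate, which deserves a one-line comment if this log is relied on for audit.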
From: Kevin Fenzi Date: Mon, 15 May 2017 17:53:59 +0000 Subject: [PATCH 09/13] no need to restart when installing logrotate file --- roles/jenkins/master/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/jenkins/master/tasks/main.yml b/roles/jenkins/master/tasks/main.yml index e2fd152330..226d321c69 100644 --- a/roles/jenkins/master/tasks/main.yml +++ b/roles/jenkins/master/tasks/main.yml @@ -60,8 +60,6 @@ copy: > src="jenkins.logrotate" dest="/etc/logrotate.d/jenkins" - notify: - - restart jenkins tags: - jenkins - jenkins/master From 8d1fe3ad6f2abf9ed62c128e5885c6325c9d3d5c Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Mon, 15 May 2017 18:12:44 +0000 Subject: [PATCH 10/13] Configure staging Bodhi to use the correct DB hostname. Signed-off-by: Randy Barlow --- roles/bodhi2/base/templates/staging.ini.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bodhi2/base/templates/staging.ini.j2 b/roles/bodhi2/base/templates/staging.ini.j2 index ef4fd557a4..71705f5944 100644 --- a/roles/bodhi2/base/templates/staging.ini.j2 +++ b/roles/bodhi2/base/templates/staging.ini.j2 @@ -397,7 +397,7 @@ debugtoolbar.hosts = 127.0.0.1 ::1 ## ## Database ## -sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@db-bodhi/bodhi2 +sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@pgbdr.stg.phx2.fedoraproject.org/bodhi2 ## ## Templates From 8e6d0acaebda91f1336964461a7cf69b5413d6cd Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 15 May 2017 18:33:05 +0000 Subject: [PATCH 11/13] Enable f26 modular compose cronjob. --- roles/releng/files/branched | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/releng/files/branched b/roles/releng/files/branched index ea4fe29711..26fee6c33a 100644 --- a/roles/releng/files/branched +++ b/roles/releng/files/branched 
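Review bot: The new `sqlalchemy.url` in `staging.ini.j2` targets a fully qualified host but carries no TLS parameters, so whether the password and queries are protected on the wire depends on libpq defaults and server settings that are not visible here. Appending `?sslmode=verify-full` (with the CA available to the client) would make the requirement explicit. The password is also interpolated raw, so a value containing a character such as `@` would change how the URL is parsed; `{{ bodhi2PasswordSTG | urlencode }}` avoids that. The file continues outside the hunk.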
@@ -1,3 +1,4 @@ # branched compose MAILTO=releng-cron@lists.fedoraproject.org 15 7 * * * root TMPDIR=`mktemp -d /tmp/branched.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f26 && LANG=en_US.UTF-8 ./nightly.sh && sudo -u ftpsync /usr/local/bin/update-fullfiletimelist -l /pub/fedora-secondary/update-fullfiletimelist.lock -t /pub fedora fedora-secondary +15 18 * * * root TMPDIR=`mktemp -d /tmp/branched-modular.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f26 && LANG=en_US.UTF-8 ./nightly-modular.sh From 7c2bbb13d9e40702231b7596d068e6f1889f967e Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Mon, 15 May 2017 19:44:24 +0000 Subject: [PATCH 12/13] Configure alembic.ini for BDR on staging. Signed-off-by: Randy Barlow --- roles/bodhi2/base/tasks/main.yml | 10 +++++ roles/bodhi2/base/templates/alembic.ini | 59 +++++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 roles/bodhi2/base/templates/alembic.ini diff --git a/roles/bodhi2/base/tasks/main.yml b/roles/bodhi2/base/tasks/main.yml index f53f03b88e..068a632af2 100644 --- a/roles/bodhi2/base/tasks/main.yml +++ b/roles/bodhi2/base/tasks/main.yml @@ -33,6 +33,16 @@ - config - bodhi +- name: Configure alembic + template: + src: alembic.ini + dest: /etc/bodhi/alembic.ini + owner: bodhi + group: root + tags: + - config + - bodhi + - name: setup basic /etc/bodhi/ contents (production) template: > src="production.ini.j2" diff --git a/roles/bodhi2/base/templates/alembic.ini b/roles/bodhi2/base/templates/alembic.ini new file mode 100644 index 0000000000..b514ae7352 --- /dev/null +++ b/roles/bodhi2/base/templates/alembic.ini 
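Review bot: The added 18:15 entry runs `./nightly-modular.sh` as root from whatever commit is at the tip of `f26` when the job fires, with no pinned revision or signature check, so the integrity of this host depends on who can push to that branch. The existing 07:15 entry has the same pattern. Checking out a reviewed commit or a signed tag (`git verify-tag`) before running the script, or running it under a dedicated account if it does not need root, would narrow that. `$TMPDIR` is also unquoted and the directory is never removed, so `/tmp/branched-modular.*` directories accumulate daily.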
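Review bot: The `Configure alembic` task installs `/etc/bodhi/alembic.ini` with `owner: bodhi` and no `mode`, so the service account can rewrite a file whose `script_location` decides which migration scripts get executed. If migrations are run by an administrator rather than by the `bodhi` user, `owner: root` and `mode: 0644` keep the service from influencing what that run loads. The task list continues outside the hunk.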
@@ -0,0 +1,59 @@ +# A generic, single database configuration. + +[alembic] +# path to migration scripts +script_location = /usr/share/bodhi/alembic + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +# Don't bother, this is obtained from the Bodhi config file +sqlalchemy.url = sqlite://bodhi.db + +# Set to true to aquire the global DDL lock for BDR +# See http://bdr-project.org/docs/stable/ddl-replication-advice.html +{% if env == 'staging' %} +bdr = true +{% else %} +bdr = false +{% endif %} + + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S From f44727c3e2caf92ede61102c03e6c8a7f4a7c066 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 15 May 2017 20:12:15 +0000 Subject: [PATCH 13/13] Adjust the FMN roles and playbook for FMN 1.2 Signed-off-by: Jeremy Cline --- playbooks/manual/upgrade/fmn.yml | 9 ++++++--- roles/notifs/backend/tasks/main.yml | 15 +-------------- roles/notifs/backend/templates/alembic.ini | 4 ---- 3 files changed, 7 insertions(+), 21 deletions(-) diff --git a/playbooks/manual/upgrade/fmn.yml b/playbooks/manual/upgrade/fmn.yml index 483eb7ae13..cbc4d0972b 100644 --- a/playbooks/manual/upgrade/fmn.yml +++ b/playbooks/manual/upgrade/fmn.yml 
@@ -15,7 +15,10 @@ command: yum clean all {%if testing%} --enablerepo=infrastructure-testing {%endif%} check_mode: no - name: yum update FMN packages from main repo - yum: name="python-fmn*" state=latest + yum: name={{ item }} state=latest + with_items: + - python-fmn + - python-fmn-web when: not testing - name: yum update FMN packages from testing repo yum: pkg={{ item }} state=latest enablerepo=infrastructure-testing @@ -80,10 +83,10 @@ - fmn-worker@4 - name: Upgrade the database - command: /usr/bin/alembic -c /usr/share/fmn.lib/alembic.ini upgrade head + command: /usr/bin/alembic -c /usr/share/fmn/alembic.ini upgrade head when: env != "staging" args: - chdir: /usr/share/fmn.lib/ + chdir: /usr/share/fmn/ - name: Re-start the workers and the backend service: name={{ item }} state=started diff --git a/roles/notifs/backend/tasks/main.yml b/roles/notifs/backend/tasks/main.yml index 4049940cda..470956dbbe 100644 --- a/roles/notifs/backend/tasks/main.yml +++ b/roles/notifs/backend/tasks/main.yml @@ -4,7 +4,7 @@ - name: install needed packages yum: pkg={{ item }} state=present with_items: - - python-fmn-consumer + - python-fmn - python-psycopg2 - libsemanage-python # Needed to produce nice long emails about koji builds @@ -16,7 +16,6 @@ - name: install backend and sse packages yum: pkg={{ item }} state=present with_items: - - python-fmn - python-fmn-sse when: env == "staging" tags: @@ -48,22 +47,10 @@ - notifs - notifs/backend -- name: copy the alembic configuration for DBAs - template: > - src=alembic.ini dest=/usr/share/fmn.lib/alembic.ini - owner=root group=sysadmin-dba mode=0660 - when: env != "staging" - notify: - - restart fedmsg-hub - tags: - - notifs - - notifs/backend - - name: copy the alembic configuration for DBAs template: > src=alembic.ini dest=/usr/share/fmn/alembic.ini owner=root group=sysadmin-dba mode=0660 - when: env == "staging" notify: - restart fedmsg-hub tags: 
diff --git a/roles/notifs/backend/templates/alembic.ini b/roles/notifs/backend/templates/alembic.ini index df1506d215..266b83da24 100644 --- a/roles/notifs/backend/templates/alembic.ini +++ b/roles/notifs/backend/templates/alembic.ini @@ -2,11 +2,7 @@ [alembic] # path to migration scripts -{% if env == 'staging' %} script_location = /usr/share/fmn/alembic/ -{% else %} -script_location = /usr/share/fmn.lib/alembic/ -{% endif %} # template used to generate migration files # file_template = %%(rev)s_%%(slug)s