From da1d16de1b7b4f9ca115fcf8fcb8fc196a2db3b3 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 28 May 2018 12:46:29 +0200 Subject: [PATCH 01/11] Reserve the username 'anonymous'. Almost disappointed nobody took it yet Signed-off-by: Patrick Uiterwijk --- roles/fas_server/templates/fas.cfg.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2 index 43e57e42ba..30625a3908 100644 --- a/roles/fas_server/templates/fas.cfg.j2 +++ b/roles/fas_server/templates/fas.cfg.j2 
@@ -76,9 +76,9 @@ ipa_sync_certfile = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' # Usernames that are unavailable for fas allocation {% if env == "staging" %} -username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bexelbie,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,anonymous,apache,askfedora,asterisk,axk4545,bexelbie,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% else %} -username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,anoynous,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% endif %} email_domain_blacklist = "{{ fas_blocked_emails }}" From 06c04a3fb9a235c2139f85c18fe8dbfb68a679d2 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 28 May 2018 15:08:10 +0200 Subject: [PATCH 02/11] Commit http push stuff Signed-off-by: Patrick Uiterwijk --- .../distgit/files/gitolite-suexec-wrapper.sh | 20 ++++++++++++ roles/distgit/files/httppush.conf | 32 +++++++++++++++++++ roles/distgit/pagure/templates/z_pagure.conf | 4 +-- roles/distgit/tasks/main.yml | 24 ++++++++++++++ roles/distgit/templates/auth_openidc.conf | 2 +- 5 files changed, 79 insertions(+), 3 deletions(-) create mode 100644 roles/distgit/files/gitolite-suexec-wrapper.sh create mode 100644 roles/distgit/files/httppush.conf diff --git a/roles/distgit/files/gitolite-suexec-wrapper.sh b/roles/distgit/files/gitolite-suexec-wrapper.sh new file mode 100644 index 0000000000..eefe2c4108 --- /dev/null 
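Review bot: The production branch (`{% else %}`) of this hunk adds `anoynous`, not `anonymous`, so only the staging list actually reserves the name; the new production line should read `...,amanda,anonymous,apache,...`. This matters beyond the spelling: the suexec wrapper added in the next patch of this series sets `REMOTE_USER="anonymous"` for unauthenticated requests, so a real account with that name could share an identity with unauthenticated traffic, depending on how the gitolite rules are written. The blacklist only blocks new allocations, so it is also worth confirming that no `anonymous` account already exists in production.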
+++ b/roles/distgit/files/gitolite-suexec-wrapper.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Suexec wrapper for gitolite-shell
+#
+
+export GIT_PROJECT_ROOT="/srv/git/repositories"
+export PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg
+export HOME=/srv/git
+export GITOLITE_HTTP_HOME=/srv/git
+
+# Hacky workaround because we set ScriptAlias more specific
+export PATH_INFO="$SCRIPT_URL"
+
+if [ -z "$REMOTE_USER" ];
+then
+ # Fall back to default user
+ export REMOTE_USER="anonymous"
+fi
+
+exec /usr/share/gitolite3/gitolite-shell
diff --git a/roles/distgit/files/httppush.conf b/roles/distgit/files/httppush.conf
new file mode 100644
index 0000000000..f4a118deaf
--- /dev/null
+++ b/roles/distgit/files/httppush.conf
@@ -0,0 +1,32 @@
+SetEnv GIT_PROJECT_ROOT /srv/git/repositories
+
+AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1
+AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/repositories/$1
+
+
+ AuthType oauth20
+ Require all granted
+
+
+ AuthType oauth20
+ Require claims_expr '(.scope | index("https://src.fedoraproject.org/push") != null)'
+
+
+
+
+ Require all granted
+
+
+ AuthType oauth20
+ Require claims_expr '(.scope | index("https://src.fedoraproject.org/push") != null)'
+
+
+
+SuexecUserGroup pagure packager
+
+ScriptAliasMatch \
+ "(?x)^/(.*/(HEAD | \
+ info/refs | \
+ objects/info/[^/]+ | \
+ git-(upload|receive)-pack))$" \
+ /var/www/bin/gitolite-suexec-wrapper.sh/
diff --git a/roles/distgit/pagure/templates/z_pagure.conf b/roles/distgit/pagure/templates/z_pagure.conf
index 4c390130ad..c958a895ed 100644
--- a/roles/distgit/pagure/templates/z_pagure.conf
+++ b/roles/distgit/pagure/templates/z_pagure.conf
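Review bot: `export PATH_INFO="$SCRIPT_URL"` hands gitolite-shell an empty path whenever `SCRIPT_URL` is unset; as far as I know that variable is only populated by mod_rewrite, so the wrapper should fail closed, e.g. `: "${SCRIPT_URL:?SCRIPT_URL is not set}"` before the export. The `REMOTE_USER="anonymous"` fallback also deserves a comment stating the assumption it rests on, such as `# "anonymous" must only ever be granted read access in the gitolite config`. With this fallback the wrapper itself never rejects an unauthenticated request, so the push restriction depends entirely on the Apache `Require` rules being evaluated first.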
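Review bot: The two `AliasMatch` lines in httppush.conf serve loose objects and packs straight from `/srv/git/repositories`, so requests on those paths never reach gitolite-shell and its per-repository read rules are not applied to them. If every repository under that root is meant to be world-readable this is fine, but it should be recorded, e.g. `# Static object paths bypass gitolite ACLs; all repos under this root are public`. Separately, the `.` before `(pack|idx)` is unescaped and matches any character; `pack-[0-9a-f]{40}\.(pack|idx)` is stricter. The container directives around the `AuthType`/`Require` lines are not visible in this rendering, so their scoping could not be checked.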
@@ -19,7 +19,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di Alias /static /usr/lib/python2.7/site-packages/pagure/static/ Alias /grokmirror /srv/git/grokmirror - +{% if env != "staging" %} SetEnv GIT_PROJECT_ROOT /srv/git/repositories AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1 @@ -30,7 +30,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di objects/info/[^/]+ | \ git-(upload|receive)-pack))$" \ /usr/libexec/git-core/git-http-backend/$1 - +{% endif %} WSGIProcessGroup pagureproc diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index 40c66d53b4..30ad1015e5 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -31,6 +31,30 @@ - distgit when: env == "staging" +- name: install the http push configuration + copy: src=htpppush.conf dest=/etc/httpd/conf.d/htppush.conf + notify: + - reload httpd + tags: + - distgit + when: env == "staging" + +- name: Create suexec wrapper directory + file: path=/var/www/bin state=directory owner=pagure group=packager + tags: + - distgit + when: env == "staging" + +- name: Install suexec wrapper + copy: + src=gitolite-suexec-wrapper.sh + dest=/var/www/bin/gitolite-suexec-wrapper.sh + owner=pagure + group=packager + tags: + - distgit + when: env == "staging" + - name: Put in git service config copy: src=git@.service dest=/etc/systemd/system/git@.service tags: diff --git a/roles/distgit/templates/auth_openidc.conf b/roles/distgit/templates/auth_openidc.conf index ffd564e9ab..22513d160f 100644 --- a/roles/distgit/templates/auth_openidc.conf +++ b/roles/distgit/templates/auth_openidc.conf @@ -9,4 +9,4 @@ OIDCOAuthIntrospectionEndpointAuth client_secret_basic OIDCOAuthIntrospectionEndpointMethod POST OIDCOAuthTokenIntrospectionInterval 60 OIDCOAuthSSLValidateServer On -OIDCOAuthAcceptTokenAs basic +OIDCOAuthAcceptTokenAs header 
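Review bot: In the roles/distgit/tasks/main.yml hunk the first added task copies `src=htpppush.conf`, but the file this patch adds is `roles/distgit/files/httppush.conf`, so the task will not find its source; the destination `htppush.conf` is misspelled as well. It should read `copy: src=httppush.conf dest=/etc/httpd/conf.d/httppush.conf`. The wrapper is added with git mode 100644 and the "Install suexec wrapper" task sets no mode, so the script will not be executable when Apache tries to run it; add `mode=0755` to that task. An explicit `mode=0755` on the `/var/www/bin` directory task is also worth having, since suexec refuses paths that are writable by group or others.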
From 6a8abd2306f05bcf55e191017ee278885e492573 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Mon, 28 May 2018 15:50:47 +0200
Subject: [PATCH 03/11] We are using basic auth
Signed-off-by: Patrick Uiterwijk
---
 roles/distgit/templates/auth_openidc.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/distgit/templates/auth_openidc.conf b/roles/distgit/templates/auth_openidc.conf
index 22513d160f..ffd564e9ab 100644
--- a/roles/distgit/templates/auth_openidc.conf
+++ b/roles/distgit/templates/auth_openidc.conf
@@ -9,4 +9,4 @@ OIDCOAuthIntrospectionEndpointAuth client_secret_basic
 OIDCOAuthIntrospectionEndpointMethod POST
 OIDCOAuthTokenIntrospectionInterval 60
 OIDCOAuthSSLValidateServer On
-OIDCOAuthAcceptTokenAs header
+OIDCOAuthAcceptTokenAs basic
From ba2687ee0558b3eee00e6579fdc1852c0deb5a17 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 28 May 2018 18:53:57 +0000
Subject: [PATCH 04/11] See if librariessio2fedmsg can use the staging cert in stg.
---
 playbooks/openshift-apps/librariesio2fedmsg.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/playbooks/openshift-apps/librariesio2fedmsg.yml b/playbooks/openshift-apps/librariesio2fedmsg.yml
index fa0bacd129..2e8c2dab54 100644
--- a/playbooks/openshift-apps/librariesio2fedmsg.yml
+++ b/playbooks/openshift-apps/librariesio2fedmsg.yml
@@ -19,11 +19,25 @@
 secret_name: librariesio2fedmsg-fedmsg-key
 key: fedmsg-librariesio2fedmsg.key
 privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.fedoraproject.org.key
+ when: env != "staging"
 - role: openshift/secret-file
 app: librariesio2fedmsg
 secret_name: librariesio2fedmsg-fedmsg-crt
 key: fedmsg-librariesio2fedmsg.crt
 privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.fedoraproject.org.crt
+ when: env != "staging"
+ - role: openshift/secret-file
+ app: librariesio2fedmsg
+ secret_name: librariesio2fedmsg-fedmsg-key
+ key: fedmsg-librariesio2fedmsg.key
+ privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.stg.fedoraproject.key
+ when: env == "staging"
+ - role: openshift/secret-file
+ app: librariesio2fedmsg
+ secret_name: librariesio2fedmsg-fedmsg-crt
+ key: fedmsg-librariesio2fedmsg.crt
+ privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.stg.fedoraproject.crt
+ when: env == "staging"
 - role: openshift/object
 app: librariesio2fedmsg
 file: imagestream.yml
From 0aa1028c1983deffa442d8ba8dfa481cf163c7d2 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 28 May 2018 18:58:31 +0000
Subject: [PATCH 05/11] do I have order wrong here?
---
 inventory/group_vars/librariesio2fedmsg-stg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventory/group_vars/librariesio2fedmsg-stg b/inventory/group_vars/librariesio2fedmsg-stg
index dd238041b0..3eb3224109 100644
--- a/inventory/group_vars/librariesio2fedmsg-stg
+++ b/inventory/group_vars/librariesio2fedmsg-stg
@@ -9,4 +9,4 @@ fedmsg_certs:
 - service: librariesio2fedmsg
 can_send:
 - librariesio2fedmsg.sse2fedmsg.librariesio
- - sse2fedmsg.librariesio
+ - librariesio.sse2fedmsg
From 1d734a225c30632f4a4518b1368484a23e8019b7 Mon Sep 17 00:00:00 2001
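Review bot: The two staging `privatefile` paths in the librariesio2fedmsg.yml hunk end in `.app.os.stg.fedoraproject.key` and `.app.os.stg.fedoraproject.crt`, dropping the `.org` that the production paths carry (`.app.os.fedoraproject.org.key`). The private key store is not visible here, but if the staging files follow the same naming this looks up a file that does not exist and the secret is never created. If so, the lines should be `privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.stg.fedoraproject.org.key` and the matching `.crt`.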
From: Mikolaj Izdebski Date: Mon, 28 May 2018 22:08:00 +0000 Subject: [PATCH 06/11] Tell mod_auth_oidc cache Koschei login sessions in cookies See https://pagure.io/fedora-infrastructure/issue/6994 --- roles/koschei/frontend/templates/httpd.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/koschei/frontend/templates/httpd.conf.j2 b/roles/koschei/frontend/templates/httpd.conf.j2 index 1dd652c575..d91b17e8f8 100644 --- a/roles/koschei/frontend/templates/httpd.conf.j2 +++ b/roles/koschei/frontend/templates/httpd.conf.j2 @@ -23,6 +23,7 @@ OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret }}" OIDCSSLValidateServer On OIDCResponseType "code" + OIDCSessionType client-cookie OIDCScope "openid profile" From eefa326cd31557322344c575c953a1187d8ff708 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 28 May 2018 23:17:46 +0000 Subject: [PATCH 07/11] also no indexes on tmp --- .../templates/infrastructure.fedoraproject.org.conf.j2 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 index 498f65fc7d..c5771c5059 100644 --- a/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 +++ b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 @@ -72,6 +72,11 @@ DocumentRoot /srv/web Require all granted + + Options -Indexes -FollowSymLinks + Require all granted + + Options FollowSymLinks Require all granted @@ -173,6 +178,11 @@ DocumentRoot /srv/web Require all granted + + Options -Indexes -FollowSymLinks + Require all granted + + Options FollowSymLinks Require all granted From 543ffa4c20426c0950a49048da20bc2a30610e8a Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Mon, 28 May 2018 17:09:49 -0700 Subject: [PATCH 08/11] openqa/worker: add withlock to packages needed for createhdds Signed-off-by: Adam Williamson --- roles/openqa/worker/tasks/createhdds.yml | 1 + 1 file changed, 1 insertion(+) 
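Review bot: `OIDCSessionType client-cookie` in the Koschei httpd.conf.j2 hunk moves the whole session state into the browser, and that trade-off should be documented next to the directive. As I understand mod_auth_openidc, the cookie is then protected only by `OIDCCryptoPassphrase`, individual sessions can no longer be dropped on the server side, and rotating `koschei_oidc_crypto_secret` invalidates every login. A comment such as `# Session state lives in an encrypted client cookie; its integrity depends on koschei_oidc_crypto_secret` would cover it. The enclosing container starts and ends outside the hunk.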
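Review bot: `Options -Indexes` in the first batcave hunk only stops Apache from generating a listing; with `Require all granted` on the same block, every file in that directory is still served to anyone who requests it by name. If the directory can hold anything not meant to be public, it needs an access rule rather than hidden indexes; otherwise a comment such as `# Listing disabled only; contents remain publicly fetchable by name` records the intent. The same block is added again in the second hunk of this patch, and the enclosing container tags are not visible in this rendering.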
diff --git a/roles/openqa/worker/tasks/createhdds.yml b/roles/openqa/worker/tasks/createhdds.yml index dbf9a2ad30..c5c5a2bf02 100644 --- a/roles/openqa/worker/tasks/createhdds.yml +++ b/roles/openqa/worker/tasks/createhdds.yml @@ -10,6 +10,7 @@ - python3-fedfind - qemu-kvm - virt-install + - withlock tags: - packages From b13c98427399dd37386f2dbc1a246b7a1aa8e56f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 29 May 2018 01:54:51 +0000 Subject: [PATCH 09/11] Adjust parameters for staging greenwave rule, for testing bodhi development. --- roles/openshift-apps/greenwave/templates/configmap.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openshift-apps/greenwave/templates/configmap.yml b/roles/openshift-apps/greenwave/templates/configmap.yml index 38bc196a05..d4023e0d2a 100644 --- a/roles/openshift-apps/greenwave/templates/configmap.yml +++ b/roles/openshift-apps/greenwave/templates/configmap.yml @@ -158,8 +158,8 @@ data: --- !Policy id: "remote_rule" product_versions: - - testing-in-staging - decision_context: testing_in_staging + - fedora-25 + decision_context: bodhi_update_push_stable blacklist: [] relevance_key: original_spec_nvr rules: From 8d460b558c4849bf8ee36b12dce58abeeccbe08f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 29 May 2018 02:19:33 +0000 Subject: [PATCH 10/11] Make something required in staging, to help with testing. --- roles/openshift-apps/greenwave/templates/configmap.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/openshift-apps/greenwave/templates/configmap.yml b/roles/openshift-apps/greenwave/templates/configmap.yml index d4023e0d2a..4559ce6b6e 100644 --- a/roles/openshift-apps/greenwave/templates/configmap.yml +++ b/roles/openshift-apps/greenwave/templates/configmap.yml 
@@ -101,7 +101,12 @@ data:
 decision_context: bodhi_update_push_testing
 blacklist: []
 relevance_value: koji_build
+{% if env == 'staging' %}
+ rules:
+ - !PassingTestCaseRule {test_case_name: dist.rpmdeplint}
+{% else %}
 rules: []
+{% endif %}
 --- !Policy
 id: "taskotron_release_critical_tasks_for_stable"
 product_versions:
@@ -111,7 +111,12 @@ data:
 decision_context: bodhi_update_push_stable
 blacklist: []
 relevance_value: koji_build
+{% if env == 'staging' %}
+ rules:
+ - !PassingTestCaseRule {test_case_name: dist.rpmdeplint}
+{% else %}
 rules: []
+{% endif %}
 --- !Policy
 id: "no_requirements_testing"
 product_versions:
From d6ce1dc842a2eab276f90bbcd5d70ae665ff6559 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Tue, 29 May 2018 02:37:33 +0000
Subject: [PATCH 11/11] Restore atomic CI rule in greenwave staging, for testing.
---
 .../greenwave/templates/configmap.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/roles/openshift-apps/greenwave/templates/configmap.yml b/roles/openshift-apps/greenwave/templates/configmap.yml
index 4559ce6b6e..a614681e29 100644
--- a/roles/openshift-apps/greenwave/templates/configmap.yml
+++ b/roles/openshift-apps/greenwave/templates/configmap.yml
@@ -147,23 +147,37 @@ data: # http://fedoraproject.org/wiki/CI id: "atomic_ci_pipeline_results" product_versions: + - fedora-28 - fedora-27 - fedora-26 decision_context: bodhi_update_push_testing blacklist: [] relevance_key: original_spec_nvr +{% if env == 'staging' %} + rules: + # List taken from https://github.com/CentOS-PaaS-SIG/ci-pipeline/blob/master/config/package_list + - !FedoraAtomicCi { test_case_name: org.centos.prod.ci.pipeline.complete, repos: ['acl', 'atk', 'atomic', 'atomic-devmode', 'attr', 'audit', 'audit-libs', 'authconfig', 'avahi', 'basesystem', 'bash', 'bash-completion', 'bind', 'bind99', 'biosdevname', 'boost', 'bridge-utils', 'bwidget', 'bzip2', 'ca-certificates', 'cairo', 'c-ares', 'ceph', 'checkpolicy', 'chkconfig', 'chrony', 'cloud-init', 'cloud-utils', 'cockpit', 'conntrack-tools', 'container-selinux', 'coreutils', 'cpio', 'cracklib', 'criu', 'crypto-policies', 'cryptsetup', 'cups', 'curl', 'cyrus-sasl', 'dbus', 'dbus-glib', 'dbus-python', 'dejavu-fonts', 'deltarpm', 'device-mapper-libs', 'device-mapper-multipath', 'device-mapper-persistent-data', 'dhcp', 'diffutils', 'ding-libs', 'dmidecode', 'dnf', 'dnsmasq', 'docker', 'dracut', 'dracut-network', 'e2fsprogs', 'efibootmgr', 'efivar', 'elfutils', 'emacs', 'etcd', 'ethtool', 'euca2ools', 'expat', 'fedora-logos', 'fedora-release', 'fedora-repos', 'file', 'filesystem', 'findutils', 'fipscheck', 'fipscheck-lib', 'flannel', 'fontconfig', 'fontpackages', 'freetype', 'fuse', 'gawk', 'gc', 'gcc', 'gdbm', 'gdisk', 'gdk-pixbuf2', 'GeoIP', 'GeoIP-GeoLite-data', 'gettext', 'glib2', 'glibc', 'glib-networking', 'glusterfs', 'gmp', 'gnupg', 'gnupg2', 'gnutls', 'gobject-introspection', 'gomtree', 'gperftools', 'gpgme', 'gpm', 'gpm-libs', 'graphite2', 'grep', 'grub2', 'gsettings-desktop-schemas', 'gssproxy', 'guile', 'gzip', 'harfbuzz', 'hawkey', 'hdparm', 'hicolor-icon-theme', 'hostname', 'http-parser', 'hwdata', 'initscripts', 'ipcalc', 'iproute', 'iptables', 'iputils', 'irqbalance', 
'iscsi-initiator-utils', 'jansson', 'jasper', 'jbigkit', 'json-glib', 'kernel', 'kexec-tools', 'keyutils', 'keyutils-libs', 'kmod', 'krb5', 'krb5-libs', 'kubernetes', 'less', 'libacl', 'libaio', 'libarchive', 'libassuan', 'libatomic_ops', 'libblkid', 'libbsd', 'libcap', 'libcap-ng', 'libcgroup', 'libcom_err', 'libcomps', 'libcroco', 'libdatrie', 'libdb', 'libdrm', 'libedit', 'liberation-fonts', 'libev', 'libevent', 'libffi', 'libgcrypt', 'libglade2', 'libglvnd', 'libgpg-error', 'libgudev', 'libICE', 'libidn', 'libidn2', 'libiscsi', 'libjpeg-turbo', 'libksba', 'libldb', 'libmetalink', 'libmnl', 'libmodman', 'libmount', 'libndp', 'libnet', 'libnetfilter_conntrack', 'libnetfilter_cthelper', 'libnetfilter_cttimeout', 'libnetfilter_queue', 'libnfnetlink', 'libnfs', 'libnfsidmap', 'libnl3', 'libpcap', 'libpciaccess', 'libpng', 'libproxy', 'libpsl', 'libpwquality', 'librepo', 'libreport', 'libseccomp', 'libselinux', 'libsemanage', 'libsepol', 'libsigsegv', 'libSM', 'libsolv', 'libsoup', 'libssh2', 'libtalloc', 'libtasn1', 'libtdb', 'libtevent', 'libthai', 'libtiff', 'libtirpc', 'libtomcrypt', 'libtommath', 'libtool', 'libunistring', 'libunwind', 'libusb', 'libusbx', 'libuser', 'libutempter', 'libverto', 'libX11', 'libXau', 'libxcb', 'libXcomposite', 'libXcursor', 'libXdamage', 'libXext', 'libXfixes', 'libXft', 'libXi', 'libXinerama', 'libxml2', 'libXmu', 'libXrandr', 'libXrender', 'libxshmfence', 'libxslt', 'libXt', 'libXxf86misc', 'libXxf86vm', 'libyaml', 'linux-firmware', 'logrotate', 'lttng-ust', 'lua', 'lvm2', 'lz4', 'lzo', 'make', 'mcpp', 'mdadm', 'mesa', 'mokutil', 'mozjs17', 'mpfr', 'nano', 'ncurses', 'nettle', 'net-tools', 'NetworkManager', 'newt', 'nfs-utils', 'nghttp2', 'nmap', 'npth', 'nspr', 'nss', 'nss-pem', 'nss-softokn', 'nss-util', 'numactl', 'openldap', 'openssh', 'openssl', 'os-prober', 'ostree', 'p11-kit', 'pam', 'pango', 'passwd', 'pciutils', 'pcre', 'perl', 'perl-libs', 'pixman', 'policycoreutils', 'polkit', 'polkit-pkla-compat', 'popt', 'ppp', 
'procps-ng', 'protobuf-c', 'publicsuffix-list', 'pygobject3', 'pyliblzma', 'pyserial', 'python', 'python3', 'python-beautifulsoup4', 'python-cffi', 'python-chardet', 'python-configobj', 'python-crypto', 'python-cryptography', 'python-cssselect', 'python-dateutil', 'python-decorator', 'python-dmidecode', 'python-docker-py', 'python-docker-pycreds', 'python-enum34', 'python-ethtool', 'python-html5lib', 'python-idna', 'python-iniparse', 'python-ipaddress', 'python-IPy', 'python-jinja2', 'python-jsonpatch', 'python-jsonpointer', 'python-lxml', 'python-markupsafe', 'python-oauthlib', 'python-paramiko', 'python-pip', 'python-ply', 'python-prettytable', 'python-progressbar', 'python-pyasn1', 'python-pycparser', 'python-pycurl', 'python-pygpgme', 'python-pysocks', 'python-pyudev', 'python-requestbuilder', 'python-requests', 'python-rhsm', 'python-setuptools', 'python-six', 'python-slip', 'python-urlgrabber', 'python-urllib3', 'python-websocket-client', 'pyxattr', 'PyYAML', 'qemu', 'qrencode', 'quota', 'readline', 'rpcbind', 'rpm', 'rpm-ostree', 'rsync', 'runc', 'samba', 'sed', 'selinux-policy', 'setools', 'setup', 'sgml-common', 'shadow-utils', 'shared-mime-info', 'shim-signed', 'skopeo', 'skopeo-containers', 'slang', 'snappy', 'socat', 'sqlite', 'sssd', 'subscription-manager', 'sudo', 'systemd', 'tar', 'tcl', 'tcp_wrappers', 'tcp_wrappers-libs', 'texinfo', 'tk', 'tmux', 'tuned', 'tzdata', 'usermode', 'userspace-rcu', 'ustr', 'util-linux', 'vim', 'virt-what', 'wayland', 'which', 'xfsprogs', 'xorg-x11-server-utils', 'xorg-x11-xauth', 'xorg-x11-xinit', 'xz', 'yum', 'yum-metadata-parser', 'zlib'] } +{% else %} rules: [] +{% endif %} --- !Policy # Fedora Atomic CI pipeline # http://fedoraproject.org/wiki/CI id: "atomic_ci_pipeline_results_stable" product_versions: + - fedora-28 - fedora-27 - fedora-26 decision_context: bodhi_update_push_stable blacklist: [] relevance_key: original_spec_nvr +{% if env == 'staging' %} + rules: + # List taken from 
https://github.com/CentOS-PaaS-SIG/ci-pipeline/blob/master/config/package_list + - !FedoraAtomicCi { test_case_name: org.centos.prod.ci.pipeline.complete, repos: ['acl', 'atk', 'atomic', 'atomic-devmode', 'attr', 'audit', 'audit-libs', 'authconfig', 'avahi', 'basesystem', 'bash', 'bash-completion', 'bind', 'bind99', 'biosdevname', 'boost', 'bridge-utils', 'bwidget', 'bzip2', 'ca-certificates', 'cairo', 'c-ares', 'ceph', 'checkpolicy', 'chkconfig', 'chrony', 'cloud-init', 'cloud-utils', 'cockpit', 'conntrack-tools', 'container-selinux', 'coreutils', 'cpio', 'cracklib', 'criu', 'crypto-policies', 'cryptsetup', 'cups', 'curl', 'cyrus-sasl', 'dbus', 'dbus-glib', 'dbus-python', 'dejavu-fonts', 'deltarpm', 'device-mapper-libs', 'device-mapper-multipath', 'device-mapper-persistent-data', 'dhcp', 'diffutils', 'ding-libs', 'dmidecode', 'dnf', 'dnsmasq', 'docker', 'dracut', 'dracut-network', 'e2fsprogs', 'efibootmgr', 'efivar', 'elfutils', 'emacs', 'etcd', 'ethtool', 'euca2ools', 'expat', 'fedora-logos', 'fedora-release', 'fedora-repos', 'file', 'filesystem', 'findutils', 'fipscheck', 'fipscheck-lib', 'flannel', 'fontconfig', 'fontpackages', 'freetype', 'fuse', 'gawk', 'gc', 'gcc', 'gdbm', 'gdisk', 'gdk-pixbuf2', 'GeoIP', 'GeoIP-GeoLite-data', 'gettext', 'glib2', 'glibc', 'glib-networking', 'glusterfs', 'gmp', 'gnupg', 'gnupg2', 'gnutls', 'gobject-introspection', 'gomtree', 'gperftools', 'gpgme', 'gpm', 'gpm-libs', 'graphite2', 'grep', 'grub2', 'gsettings-desktop-schemas', 'gssproxy', 'guile', 'gzip', 'harfbuzz', 'hawkey', 'hdparm', 'hicolor-icon-theme', 'hostname', 'http-parser', 'hwdata', 'initscripts', 'ipcalc', 'iproute', 'iptables', 'iputils', 'irqbalance', 'iscsi-initiator-utils', 'jansson', 'jasper', 'jbigkit', 'json-glib', 'kernel', 'kexec-tools', 'keyutils', 'keyutils-libs', 'kmod', 'krb5', 'krb5-libs', 'kubernetes', 'less', 'libacl', 'libaio', 'libarchive', 'libassuan', 'libatomic_ops', 'libblkid', 'libbsd', 'libcap', 'libcap-ng', 'libcgroup', 'libcom_err', 
'libcomps', 'libcroco', 'libdatrie', 'libdb', 'libdrm', 'libedit', 'liberation-fonts', 'libev', 'libevent', 'libffi', 'libgcrypt', 'libglade2', 'libglvnd', 'libgpg-error', 'libgudev', 'libICE', 'libidn', 'libidn2', 'libiscsi', 'libjpeg-turbo', 'libksba', 'libldb', 'libmetalink', 'libmnl', 'libmodman', 'libmount', 'libndp', 'libnet', 'libnetfilter_conntrack', 'libnetfilter_cthelper', 'libnetfilter_cttimeout', 'libnetfilter_queue', 'libnfnetlink', 'libnfs', 'libnfsidmap', 'libnl3', 'libpcap', 'libpciaccess', 'libpng', 'libproxy', 'libpsl', 'libpwquality', 'librepo', 'libreport', 'libseccomp', 'libselinux', 'libsemanage', 'libsepol', 'libsigsegv', 'libSM', 'libsolv', 'libsoup', 'libssh2', 'libtalloc', 'libtasn1', 'libtdb', 'libtevent', 'libthai', 'libtiff', 'libtirpc', 'libtomcrypt', 'libtommath', 'libtool', 'libunistring', 'libunwind', 'libusb', 'libusbx', 'libuser', 'libutempter', 'libverto', 'libX11', 'libXau', 'libxcb', 'libXcomposite', 'libXcursor', 'libXdamage', 'libXext', 'libXfixes', 'libXft', 'libXi', 'libXinerama', 'libxml2', 'libXmu', 'libXrandr', 'libXrender', 'libxshmfence', 'libxslt', 'libXt', 'libXxf86misc', 'libXxf86vm', 'libyaml', 'linux-firmware', 'logrotate', 'lttng-ust', 'lua', 'lvm2', 'lz4', 'lzo', 'make', 'mcpp', 'mdadm', 'mesa', 'mokutil', 'mozjs17', 'mpfr', 'nano', 'ncurses', 'nettle', 'net-tools', 'NetworkManager', 'newt', 'nfs-utils', 'nghttp2', 'nmap', 'npth', 'nspr', 'nss', 'nss-pem', 'nss-softokn', 'nss-util', 'numactl', 'openldap', 'openssh', 'openssl', 'os-prober', 'ostree', 'p11-kit', 'pam', 'pango', 'passwd', 'pciutils', 'pcre', 'perl', 'perl-libs', 'pixman', 'policycoreutils', 'polkit', 'polkit-pkla-compat', 'popt', 'ppp', 'procps-ng', 'protobuf-c', 'publicsuffix-list', 'pygobject3', 'pyliblzma', 'pyserial', 'python', 'python3', 'python-beautifulsoup4', 'python-cffi', 'python-chardet', 'python-configobj', 'python-crypto', 'python-cryptography', 'python-cssselect', 'python-dateutil', 'python-decorator', 'python-dmidecode', 
'python-docker-py', 'python-docker-pycreds', 'python-enum34', 'python-ethtool', 'python-html5lib', 'python-idna', 'python-iniparse', 'python-ipaddress', 'python-IPy', 'python-jinja2', 'python-jsonpatch', 'python-jsonpointer', 'python-lxml', 'python-markupsafe', 'python-oauthlib', 'python-paramiko', 'python-pip', 'python-ply', 'python-prettytable', 'python-progressbar', 'python-pyasn1', 'python-pycparser', 'python-pycurl', 'python-pygpgme', 'python-pysocks', 'python-pyudev', 'python-requestbuilder', 'python-requests', 'python-rhsm', 'python-setuptools', 'python-six', 'python-slip', 'python-urlgrabber', 'python-urllib3', 'python-websocket-client', 'pyxattr', 'PyYAML', 'qemu', 'qrencode', 'quota', 'readline', 'rpcbind', 'rpm', 'rpm-ostree', 'rsync', 'runc', 'samba', 'sed', 'selinux-policy', 'setools', 'setup', 'sgml-common', 'shadow-utils', 'shared-mime-info', 'shim-signed', 'skopeo', 'skopeo-containers', 'slang', 'snappy', 'socat', 'sqlite', 'sssd', 'subscription-manager', 'sudo', 'systemd', 'tar', 'tcl', 'tcp_wrappers', 'tcp_wrappers-libs', 'texinfo', 'tk', 'tmux', 'tuned', 'tzdata', 'usermode', 'userspace-rcu', 'ustr', 'util-linux', 'vim', 'virt-what', 'wayland', 'which', 'xfsprogs', 'xorg-x11-server-utils', 'xorg-x11-xauth', 'xorg-x11-xinit', 'xz', 'yum', 'yum-metadata-parser', 'zlib'] } +{% else %} rules: [] +{% endif %} {% if env == 'staging' %} --- !Policy id: "remote_rule"
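Review bot: The same several-hundred-entry `repos:` list is pasted verbatim into both `atomic_ci_pipeline_results` and `atomic_ci_pipeline_results_stable`, so any later edit has to be made twice and the two gating policies can silently diverge. Define the list once, for example with a Jinja `{% set atomic_ci_repos = [...] %}` near the top of the template, and render that variable into both `repos:` fields. The provenance comment points at `blob/master`, which moves; recording the commit the list was copied from, e.g. `# List taken from .../ci-pipeline/blob/<COMMIT_SHA>/config/package_list` (placeholder), makes drift from upstream auditable.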