From b0c8cfa51111fc9441ad01cb9f394b4063fbefb8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 7 Apr 2016 19:18:52 +0000 Subject: [PATCH 01/32] Out with the old compose messages, in with the new --- inventory/group_vars/releng-compose | 27 ++++++--------------------- 1 file changed, 6 insertions(+), 21 deletions(-) diff --git a/inventory/group_vars/releng-compose b/inventory/group_vars/releng-compose index de27e5a190..e2bb66a258 100644 --- a/inventory/group_vars/releng-compose +++ b/inventory/group_vars/releng-compose @@ -39,27 +39,12 @@ fedmsg_certs: owner: root group: masher can_send: - - compose.branched.complete - - compose.branched.mash.complete - - compose.branched.mash.start - - compose.branched.image.complete - - compose.branched.image.start - - compose.branched.pungify.complete - - compose.branched.pungify.start - - compose.branched.rsync.complete - - compose.branched.rsync.start - - compose.branched.start - - compose.epelbeta.complete - - compose.rawhide.complete - - compose.rawhide.mash.complete - - compose.rawhide.mash.start - - compose.rawhide.image.complete - - compose.rawhide.image.start - - compose.rawhide.pungify.complete - - compose.rawhide.pungify.start - - compose.rawhide.rsync.complete - - compose.rawhide.rsync.start - - compose.rawhide.start + - pungi.compose.phase.start + - pungi.compose.phase.stop + - pungi.compose.status.change + - pungi.compose.createiso.targets + - pungi.compose.createiso.imagefail + - pungi.compose.createiso.imagedone # Then there are *all these* make-updates things from releng+cloudsig - compose.23.make-updates.start - compose.23.make-updates.done From 1171a378599e7e33754effadde4fc3c91f8c2c85 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 7 Apr 2016 19:29:52 +0000 Subject: [PATCH 02/32] Fix some more fedmsg senders. --- inventory/group_vars/pagure | 1 + inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org | 2 ++ 2 files changed, 3 insertions(+) 
diff --git a/inventory/group_vars/pagure b/inventory/group_vars/pagure index 410fb38331..69de302407 100644 --- a/inventory/group_vars/pagure +++ b/inventory/group_vars/pagure @@ -39,6 +39,7 @@ fedmsg_certs: - pagure.issue.tag.removed - pagure.project.edit - pagure.project.forked + - pagure.project.group.added - pagure.project.new - pagure.project.tag.edited - pagure.project.tag.removed diff --git a/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org b/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org index 97d0739dc2..1efe932444 100644 --- a/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org +++ b/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org @@ -38,6 +38,8 @@ fedmsg_certs: - bodhi.update.eject - bodhi.update.complete.testing - bodhi.update.complete.stable + - bodhi.update.request.stable + - bodhi.update.karma.threshold.reach - bodhi.buildroot_override.untag - service: ftpsync owner: root From 978de21bab2729d31a98a8806841973663ebd37f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 7 Apr 2016 20:00:05 +0000 Subject: [PATCH 03/32] Create an artificial rpms-checks/ dist-git namespace (in staging). --- roles/distgit/templates/genacls.pkgdb | 9 +++++++++ roles/distgit/templates/pkgdb_sync_git_branches.py | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/roles/distgit/templates/genacls.pkgdb b/roles/distgit/templates/genacls.pkgdb index a90c4a3e40..81b65be678 100644 --- a/roles/distgit/templates/genacls.pkgdb +++ b/roles/distgit/templates/genacls.pkgdb @@ -5,6 +5,7 @@ # Takes no arguments! # +import copy import grp import sys 
@@ -69,6 +70,14 @@ if __name__ == '__main__': #print ' RW private- = @all' # dont' enable the above until we prevent building for real from private- +{% if env == 'staging' %} + # XXX - Insert an artificial namespace into the set of namespaces returned + # by pkgdb. We want to create a mirror of rpms/PKG in rpms-checks/PKG + # This hack occurs in two places. Here, and in the branch-creation script. + # https://github.com/fedora-infra/pkgdb2/issues/329#issuecomment-207050233 + data['rpms-checks'] = copy.copy(data['rpms']) +{% endif %} + # Get a list of all the packages for key in data: if key == 'title': diff --git a/roles/distgit/templates/pkgdb_sync_git_branches.py b/roles/distgit/templates/pkgdb_sync_git_branches.py index 1cbe94d3a5..0526744c29 100644 --- a/roles/distgit/templates/pkgdb_sync_git_branches.py +++ b/roles/distgit/templates/pkgdb_sync_git_branches.py @@ -38,6 +38,7 @@ Here are the different steps of this script: """ +import copy import itertools import multiprocessing.pool import os @@ -249,6 +250,14 @@ def main(): pkgdb_info = pkgdb_pkg_branch() +{% if env == 'staging' %} + # XXX - Insert an artificial namespace into the set of namespaces returned + # by pkgdb. We want to create a mirror of rpms/PKG in rpms-checks/PKG + # This hack occurs in two places. Here, and in genacls.pkgdb. + # https://github.com/fedora-infra/pkgdb2/issues/329#issuecomment-207050233 + pkgdb_info['rpms-checks'] = copy.copy(pkgdb_info['rpms']) +{% endif %} + for ns in pkgdb_info: namespace = ns if ns == 'packageAcls': From 05ef96a3aa9d6823ab431d458c88780fe8e2ef81 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 7 Apr 2016 20:15:53 +0000 Subject: [PATCH 04/32] Create directories. --- roles/distgit/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index 390db7d813..064b4ca264 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml 
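Review bot: `copy.copy(data['rpms'])` is a shallow copy, so `rpms-checks` and `rpms` share the same per-package objects, and any later in-place change to a package's ACL or branch data would apply to both namespaces. `data['rpms-checks'] = copy.deepcopy(data['rpms'])` keeps the mirrored namespace independent; the same applies to `pkgdb_info['rpms-checks'] = copy.copy(pkgdb_info['rpms'])` in the pkgdb_sync_git_branches.py hunk. Both lookups also raise `KeyError` if the pkgdb response has no `rpms` key, so it is worth deciding whether that should abort the run or be skipped with a logged warning. The code that consumes these dictionaries continues outside both hunks, so whether in-place mutation actually happens cannot be confirmed from here.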
@@ -61,6 +61,17 @@ - name: create the distgit root directory (/srv/git/repositories) file: dest=/srv/git/repositories state=directory mode=2775 group=packager +# These should all map to pkgdb namespaces +- name: create our namespace directories inside there.. + file: dest=/srv/git/repositories/{{item}} state=directory mode=2775 group=packager + with_items: + - rpms + - docker + - modules + # Except for this one. This namespace is artificially created in the + # dist-git pkgdb sync scripts. + - rpms-checks + - name: install the distgit scripts copy: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755 with_items: From da825870d12b19e38246ed110e08a59d7df50d2f Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 7 Apr 2016 22:02:03 +0000 Subject: [PATCH 05/32] create docker-distribution-proxy to proxy the docker-distribution registry Signed-off-by: Adam Miller --- playbooks/groups/docker-registry.yml | 41 ++++++++++++++ .../defaults/main.yml | 19 +++++++ .../handlers/main.yml | 7 +++ .../docker-distribution-proxy/tasks/main.yml | 41 ++++++++++++++ .../templates/docker-registry-vhost.conf.j2 | 54 +++++++++++++++++++ 5 files changed, 162 insertions(+) create mode 100644 roles/docker-distribution-proxy/defaults/main.yml create mode 100644 roles/docker-distribution-proxy/handlers/main.yml create mode 100644 roles/docker-distribution-proxy/tasks/main.yml create mode 100644 roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 diff --git a/playbooks/groups/docker-registry.yml b/playbooks/groups/docker-registry.yml index e1b87c00e8..b25d685739 100644 --- a/playbooks/groups/docker-registry.yml +++ b/playbooks/groups/docker-registry.yml 
@@ -89,4 +89,45 @@ }, when: env == "production" } + - { + role: docker-distribution-proxy, + servername: registry.stg.fedorproject.org, + ssl: { + destdir: "/etc/pki/docker-distribution/", + certfile_src: "{{private}}/files/docker-registry/staging/docker-registry-internal.pem", + certfile_dest: "docker-registry-internal.pem", + keyfile_src: "{{private}}/files/docker-registry/staging/docker-registry-internal.key", + keyfile_dest: "docker-registry-internal.key", + }, + auth: { + type: basic, + basic: { + destdir: "/etc/httpd/" + userfile_src: "{{private}}/files/httpd/osbs.htpasswd" + userfile_dest: "osbs.htpasswd" + } + }, + when: env == "staging" + } + - { + role: docker-distribution-proxy, + servername: registry.fedorproject.org, + ssl: { + destdir: "/etc/pki/docker-distribution/", + certfile_src: "{{private}}/files/docker-registry/docker-registry-internal.pem", + certfile_dest: "docker-registry-internal.pem", + keyfile_src: "{{private}}/files/docker-registry/docker-registry-internal.key", + keyfile_dest: "docker-registry-internal.key", + }, + auth: { + type: basic, + basic: { + destdir: "/etc/httpd/" + userfile_src: "{{private}}/files/httpd/osbs.htpasswd" + userfile_dest: "osbs.htpasswd" + } + }, + when: env == "staging" + } + diff --git a/roles/docker-distribution-proxy/defaults/main.yml b/roles/docker-distribution-proxy/defaults/main.yml new file mode 100644 index 0000000000..d983dc1bde --- /dev/null +++ b/roles/docker-distribution-proxy/defaults/main.yml @@ -0,0 +1,19 @@ +--- +# defaults file for docker-distribution-proxy +# +servername: "registry.example.com" +ssl: + destdir: "/etc/pki/docker-registry/" + certfile_src: "ssl.cert" + certfile_dest: "ssl.cert" + keyfile_src: "ssl.key" + keyfile_dest: "ssl.key" + +auth: + type: basic + basic: + dest_dir: + userfile_src: /etc/httpd/users.htpasswd + userfile_dest: /etc/httpd/users.htpasswd + + 
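Review bot: The `servername` values `registry.stg.fedorproject.org` and `registry.fedorproject.org` appear to be missing the "a" in "fedoraproject", so the vhost would be configured for a name outside the project's domain. If the certificate is issued for the fedoraproject.org name, the ServerName and certificate will not match either. The values should presumably read `servername: registry.stg.fedoraproject.org` and `servername: registry.fedoraproject.org`. The same spelling is carried into the later hunks of this file that separate staging from production.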
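Review bot: The default under `auth.basic` is spelled `dest_dir`, while the role's tasks read `auth.basic.destdir`, so a caller relying on the defaults hits an undefined variable when the htpasswd tasks run. The defaults also give `userfile_dest` as an absolute path (`/etc/httpd/users.htpasswd`) although the tasks join it onto the directory. Suggest `destdir: "/etc/httpd/"` and `userfile_dest: "users.htpasswd"` so the defaults have the same shape as the values the playbook passes.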
diff --git a/roles/docker-distribution-proxy/handlers/main.yml b/roles/docker-distribution-proxy/handlers/main.yml new file mode 100644 index 0000000000..ae13839e53 --- /dev/null +++ b/roles/docker-distribution-proxy/handlers/main.yml @@ -0,0 +1,7 @@ +--- +# handlers file for docker-distribution-proxy + +- name: reload httpd + service: + name: httpd + state: reloaded diff --git a/roles/docker-distribution-proxy/tasks/main.yml b/roles/docker-distribution-proxy/tasks/main.yml new file mode 100644 index 0000000000..354e7f89b0 --- /dev/null +++ b/roles/docker-distribution-proxy/tasks/main.yml @@ -0,0 +1,41 @@ +--- +# tasks file for docker-distribution-proxy +# +- name: Make sure httpd is installed + action: "{{ ansible_pkg_manager }} name=httpd state=installed" + +- name: Make sure mod_ssl is installed + action: "{{ ansible_pkg_manager }} name=mod_ssl state=installed" + +- name: ensure pki destination directory exists + file: + path: "{{ ssl.destdir }}" + +- name: install ssl certfile + copy: + src: "{{ ssl.certfile_src }}" + dest: "{{ ssl.destdir }}/{{ ssl.certfile_dest }}" + +- name: install ssl keyfile + copy: + src: "{{ ssl.keyfile_src }}" + dest: "{{ ssl.destdir }}/{{ ssl.keyfile_dest }}" + +- name: ensure htpasswd basic auth dest dir exists + file: + path: "{{ auth.basic.destdir }}" + state: directory + when: auth.type == "basic" + +- name: place htpasswd file + copy: + src: "{{ auth.basic.userfile_src }}" + dest: "{{ auth.basic.destdir }}/{{ auth.basic.userfile_dest }}" + when: auth.type == "basic" + +- name: Configure the vhost + template: + src: "docker-registry-vhost.conf.j2" + dest: "/etc/httpd/conf.d/docker-registry-vhost.conf" + notify: reload httpd + diff --git a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 new file mode 100644 index 0000000000..462578e485 --- /dev/null +++ b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 
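Review bot: The `install ssl keyfile` and `place htpasswd file` tasks copy secrets without `owner`, `group` or `mode`, so the TLS private key and the password hashes get whatever the default umask gives, which is typically world-readable. Set explicit permissions, for example `owner: root`, `group: root`, `mode: "0600"` on the key, and `group: apache` with `mode: "0640"` on the htpasswd file so httpd can still read it. The two directory tasks would benefit from an explicit `mode` as well.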
@@ -0,0 +1,54 @@ + + + ServerName {{ domainname }} + + SSLEngine on + SSLCertificateFile {{ sslcertfile }} + SSLCertificateKeyFile {{ sslkeyfile }} + + ## SSL settings recommandation from: https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html + # Anti CRIME + SSLCompression off + + # POODLE and other stuff + SSLProtocol all -SSLv2 -SSLv3 -TLSv1 + + # Secure cypher suites + SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + SSLHonorCipherOrder on + + Header always set "Docker-Distribution-Api-Version" "registry/2.0" + Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0" + RequestHeader set X-Forwarded-Proto "https" + + ProxyRequests off + ProxyPreserveHost on + + # no proxy for /error/ (Apache HTTPd errors messages) + ProxyPass /error/ ! + + ProxyPass /v2 http://localhost:5000/v2 + ProxyPassReverse /v2 http://localhost:5000/v2 + + + Order deny,allow + Allow from all + AuthName "Registry Authentication" +{% if auth.type == "basic" } + AuthType basic + AuthUserFile {{ auth.basic.userfile_dest }} +{% endif %} + + ## Read access to authentified users + # + # Require valid-user + # + + # Write access restricted + + Require value-user + + + + + \ No newline at end of file From 79a170bfb068110935109872647b33e3bcf50b80 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 7 Apr 2016 22:04:55 +0000 Subject: [PATCH 06/32] add missing commas to fix yaml syntax error Signed-off-by: Adam Miller --- playbooks/groups/docker-registry.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/playbooks/groups/docker-registry.yml b/playbooks/groups/docker-registry.yml index b25d685739..8fc30d3d63 100644 --- a/playbooks/groups/docker-registry.yml +++ b/playbooks/groups/docker-registry.yml 
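Review bot: `Require value-user` in the write-access block is not a valid authorization directive (presumably `Require valid-user` was meant), so httpd is expected to reject the configuration rather than enforce the intended restriction on pushes. `AuthUserFile {{ auth.basic.userfile_dest }}` expands to a bare file name that Apache resolves against ServerRoot, so it only finds the file because the playbook uses `/etc/httpd/` as `destdir`; `AuthUserFile {{ auth.basic.destdir }}/{{ auth.basic.userfile_dest }}` would not depend on that. The block also mixes 2.2-style `Order deny,allow` / `Allow from all` with `Require`, and the read-access `Require valid-user` is commented out, so it is worth confirming that anonymous pulls are intended. The container tags around these directives are not visible in this view.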
@@ -102,9 +102,9 @@ auth: { type: basic, basic: { - destdir: "/etc/httpd/" - userfile_src: "{{private}}/files/httpd/osbs.htpasswd" - userfile_dest: "osbs.htpasswd" + destdir: "/etc/httpd/", + userfile_src: "{{private}}/files/httpd/osbs.htpasswd", + userfile_dest: "osbs.htpasswd", } }, when: env == "staging" @@ -122,9 +122,9 @@ auth: { type: basic, basic: { - destdir: "/etc/httpd/" - userfile_src: "{{private}}/files/httpd/osbs.htpasswd" - userfile_dest: "osbs.htpasswd" + destdir: "/etc/httpd/", + userfile_src: "{{private}}/files/httpd/osbs.htpasswd", + userfile_dest: "osbs.htpasswd", } }, when: env == "staging" From a5c41484a2f547292ce72586ca5f008f44decaed Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 7 Apr 2016 22:14:58 +0000 Subject: [PATCH 07/32] fix ansible_pkg_manager -> ansible_pkg_mgr Signed-off-by: Adam Miller --- roles/docker-distribution-proxy/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker-distribution-proxy/tasks/main.yml b/roles/docker-distribution-proxy/tasks/main.yml index 354e7f89b0..ac690b7779 100644 --- a/roles/docker-distribution-proxy/tasks/main.yml +++ b/roles/docker-distribution-proxy/tasks/main.yml @@ -2,10 +2,10 @@ # tasks file for docker-distribution-proxy # - name: Make sure httpd is installed - action: "{{ ansible_pkg_manager }} name=httpd state=installed" + action: "{{ ansible_pkg_mgr }} name=httpd state=installed" - name: Make sure mod_ssl is installed - action: "{{ ansible_pkg_manager }} name=mod_ssl state=installed" + action: "{{ ansible_pkg_mgr }} name=mod_ssl state=installed" - name: ensure pki destination directory exists file: From 711628bd1eab3c0b6ce572d5816b6bd748eefc8e Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 7 Apr 2016 22:17:53 +0000 Subject: [PATCH 08/32] add a state to the path we want to exist Signed-off-by: Adam Miller --- roles/docker-distribution-proxy/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/docker-distribution-proxy/tasks/main.yml b/roles/docker-distribution-proxy/tasks/main.yml index ac690b7779..e651519bf6 100644 --- a/roles/docker-distribution-proxy/tasks/main.yml +++ b/roles/docker-distribution-proxy/tasks/main.yml @@ -10,6 +10,7 @@ - name: ensure pki destination directory exists file: path: "{{ ssl.destdir }}" + state: directory - name: install ssl certfile copy: From 2c76117b607eb68e11afddf4cd4fd6c1149d736c Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 7 Apr 2016 22:22:20 +0000 Subject: [PATCH 09/32] fix docker-registry-proxy vhost template to use new defaults key names Signed-off-by: Adam Miller --- .../templates/docker-registry-vhost.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 index 462578e485..bde78a5837 100644 --- a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 +++ b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 @@ -1,10 +1,10 @@ - ServerName {{ domainname }} + ServerName {{ servername }} SSLEngine on - SSLCertificateFile {{ sslcertfile }} - SSLCertificateKeyFile {{ sslkeyfile }} + SSLCertificateFile {{ ssl.destdir}}/{{ ssl.certfile_dest }} + SSLCertificateKeyFile {{ ssl.destdir}}/{{ ssl.keyfile_dest }} ## SSL settings recommandation from: https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html # Anti CRIME From 5d2b0bad469a22f871cf07a5398a20cb9b3e4e94 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 7 Apr 2016 22:34:05 +0000 Subject: [PATCH 10/32] add missing % for jinja2 if statment in docker-registry-proxy template Signed-off-by: Adam Miller --- .../templates/docker-registry-vhost.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 index bde78a5837..bd4379cbb5 100644 --- a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 +++ b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 @@ -34,7 +34,7 @@ Order deny,allow Allow from all AuthName "Registry Authentication" -{% if auth.type == "basic" } +{% if auth.type == "basic" %} AuthType basic AuthUserFile {{ auth.basic.userfile_dest }} {% endif %} From 43f868cf02aa686838a89d16283b43fa0d431f52 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 7 Apr 2016 22:38:44 +0000 Subject: [PATCH 11/32] differentiate between prod and staging Signed-off-by: Adam Miller --- playbooks/groups/docker-registry.yml | 45 +++++++++++++++------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/playbooks/groups/docker-registry.yml b/playbooks/groups/docker-registry.yml index 8fc30d3d63..c5e11a2436 100644 --- a/playbooks/groups/docker-registry.yml +++ b/playbooks/groups/docker-registry.yml @@ -41,6 +41,7 @@ # on localhost and all external connections will be through httpd which # will be SSL enalbed. roles: + # STAGING - { role: docker-distribution, conf_path: "/etc/docker-distribution/registry/config.yml", 
@@ -65,6 +66,28 @@ }, when: env == "staging" } + - { + role: docker-distribution-proxy, + servername: registry.stg.fedorproject.org, + ssl: { + destdir: "/etc/pki/docker-distribution/", + certfile_src: "{{private}}/files/docker-registry/staging/docker-registry-internal.pem", + certfile_dest: "docker-registry-internal.pem", + keyfile_src: "{{private}}/files/docker-registry/staging/docker-registry-internal.key", + keyfile_dest: "docker-registry-internal.key", + }, + auth: { + type: basic, + basic: { + destdir: "/etc/httpd/", + userfile_src: "{{private}}/files/httpd/osbs.htpasswd", + userfile_dest: "osbs.htpasswd", + } + }, + when: env == "staging" + } + + # PROD - { role: docker-distribution, conf_path: "/etc/docker-distribution/registry/config.yml", @@ -89,26 +112,6 @@ }, when: env == "production" } - - { - role: docker-distribution-proxy, - servername: registry.stg.fedorproject.org, - ssl: { - destdir: "/etc/pki/docker-distribution/", - certfile_src: "{{private}}/files/docker-registry/staging/docker-registry-internal.pem", - certfile_dest: "docker-registry-internal.pem", - keyfile_src: "{{private}}/files/docker-registry/staging/docker-registry-internal.key", - keyfile_dest: "docker-registry-internal.key", - }, - auth: { - type: basic, - basic: { - destdir: "/etc/httpd/", - userfile_src: "{{private}}/files/httpd/osbs.htpasswd", - userfile_dest: "osbs.htpasswd", - } - }, - when: env == "staging" - } - { role: docker-distribution-proxy, servername: registry.fedorproject.org, @@ -127,7 +130,7 @@ userfile_dest: "osbs.htpasswd", } }, - when: env == "staging" + when: env == "production" } From 69a4d979d0ff479655d8cffc5d023e1dd297c1a8 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 10:08:00 +0000 Subject: [PATCH 12/32] add buildvm-s390 to builder group --- inventory/builders | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/builders b/inventory/builders index 6959c1328f..b40f301716 100644 --- a/inventory/builders +++ b/inventory/builders 
@@ -260,3 +260,4 @@ buildppcle buildarm buildaarch64 buildppc64 +buildvm-s390 From aa202a0c4379e32e45ccf3537e228853ae342da6 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 10:12:22 +0000 Subject: [PATCH 13/32] add virthost-s390 to buildvmhost --- inventory/builders | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/builders b/inventory/builders index b40f301716..c0cee5b387 100644 --- a/inventory/builders +++ b/inventory/builders @@ -56,6 +56,7 @@ buildvm-s390-01.s390.fedoraproject.org buildvmhost-10.phx2.fedoraproject.org buildvmhost-11.phx2.fedoraproject.org buildvmhost-12.phx2.fedoraproject.org +virthost-s390.qa.fedoraproject.org #ppc8-02.ppc.fedoraproject.org #ppc8-03.ppc.fedoraproject.org #ppc8-04.ppc.fedoraproject.org From 47d247e1a68541b8379ee05b18fe1722207971f6 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 10:24:38 +0000 Subject: [PATCH 14/32] add buildvm-s390 to the buildvm.yml --- inventory/builders | 1 - playbooks/groups/buildvm.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/inventory/builders b/inventory/builders index c0cee5b387..b40f301716 100644 --- a/inventory/builders +++ b/inventory/builders @@ -56,7 +56,6 @@ buildvm-s390-01.s390.fedoraproject.org buildvmhost-10.phx2.fedoraproject.org buildvmhost-11.phx2.fedoraproject.org buildvmhost-12.phx2.fedoraproject.org -virthost-s390.qa.fedoraproject.org #ppc8-02.ppc.fedoraproject.org #ppc8-03.ppc.fedoraproject.org #ppc8-04.ppc.fedoraproject.org diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index c1bda784ba..978511836d 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml 
@@ -3,7 +3,7 @@ # NOTE: make sure there is room/space for this builder on the buildvmhost # NOTE: most of these vars_path come from group_vars/buildvm or from hostvars -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=buildvm:buildvm-stg:buildvm-ppc64:buildvm-ppc64le:buildppcle:buildppc" +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=buildvm:buildvm-stg:buildvm-ppc64:buildvm-ppc64le:buildppcle:buildppc:buildvm-s390" - name: make koji builder(s) hosts: buildvm:buildvm-stg:buildvm-ppc64:buildvm-ppc64le:buildppcle:buildppc From 4e3cfa6896cb4bbf614bec53f3c0f9ba1488ce68 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 10:50:44 +0000 Subject: [PATCH 15/32] virthost: update for RHEL 7.2 on ppc64le --- roles/virthost/files/rhel7-rhev-ppc64le.repo | 5 +++++ roles/virthost/tasks/main.yml | 21 +++++++++----------- 2 files changed, 14 insertions(+), 12 deletions(-) create mode 100644 roles/virthost/files/rhel7-rhev-ppc64le.repo diff --git a/roles/virthost/files/rhel7-rhev-ppc64le.repo b/roles/virthost/files/rhel7-rhev-ppc64le.repo new file mode 100644 index 0000000000..43f3f70580 --- /dev/null +++ b/roles/virthost/files/rhel7-rhev-ppc64le.repo @@ -0,0 +1,5 @@ +[rhel7-os] +name = rhel7 os $basearch +baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-for-rhev-power-agents-rpms/ +includepkgs=qemu* +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release diff --git a/roles/virthost/tasks/main.yml b/roles/virthost/tasks/main.yml index ae81a13697..6463de5a86 100644 --- a/roles/virthost/tasks/main.yml +++ b/roles/virthost/tasks/main.yml 
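Review bot: The new repo definition in rhel7-rhev-ppc64le.repo lists a `gpgkey` but does not set `gpgcheck=1`, so signature verification of the qemu packages depends on the host's global yum default, and `baseurl` is plain `http://`. Adding `gpgcheck=1` to the section makes verification explicit, which matters most when the transport is unauthenticated. The section id `[rhel7-os]` and `name = rhel7 os $basearch` also look copied from the base OS repo; if a repo with that id is already configured on the host the two definitions collide, so a distinct id such as `[rhel7-rhev-ppc64le]` would be safer.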
@@ -21,7 +21,14 @@ - rhel7-os-repo when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 7 and ansible_architecture == 'x86_64' -- name: install libvirt packages on rhel7 virthosts (x86_64) +- name: install RHEV for el7 repo file + copy: src=rhel7-rhev-ppc64le.repo dest=/etc/yum.repos.d/rhel7-rhev-ppc64le.repo + tags: + - repos + - rhel7-rhev-ppc64le + when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 7 and ansible_architecture == 'ppc64le' + +- name: install libvirt packages on rhel7 virthosts yum: pkg={{ item }} state=present with_items: - qemu-kvm-rhev @@ -31,17 +38,7 @@ - virt-install tags: - packages - when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 7 and ansible_architecture == 'x86_64' - -- name: install libvirt packages on rhel7 virthosts (not x86_64) - yum: pkg={{ item }} state=present - with_items: - - qemu-kvm - - libvirt - - virt-install - tags: - - packages - when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 7 and ansible_architecture == 'ppc64' + when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 7 # install libvirtd.conf # From c46b3bab120f961c94abc879bb47f6eaf73a305e Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 11:39:11 +0000 Subject: [PATCH 16/32] buildvms: secondary: no need to have max mem as 5x, it kills most virt-installs due to large overcommit --- inventory/group_vars/buildppc | 1 + inventory/group_vars/buildppcle | 1 + inventory/group_vars/buildvm-ppc64 | 1 + inventory/group_vars/buildvm-ppc64le | 1 + inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org | 1 + 5 files changed, 5 insertions(+) diff --git a/inventory/group_vars/buildppc b/inventory/group_vars/buildppc index 76c7e4cc4e..ec549581fa 100644 --- a/inventory/group_vars/buildppc +++ b/inventory/group_vars/buildppc 
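Review bot: With the architecture test removed, `install libvirt packages on rhel7 virthosts` now runs on every RHEL 7 architecture, while the visible tasks install repo files only for x86_64 and ppc64le. A big-endian `ppc64` host, which previously got `qemu-kvm`, would now be asked for `qemu-kvm-rhev` with no repo in these tasks providing it. If such hosts still exist, keep an architecture condition, for example by appending `and ansible_architecture in ['x86_64', 'ppc64le']` to the `when`. The task list continues outside the hunk, so another repo task may cover this.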
@@ -3,6 +3,7 @@ volgroup: /dev/vg_guests lvm_size: 150000 mem_size: 10240 +max_mem_size: "{{ mem_size }}" num_cpus: 4 ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-23-ppc64 ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/23/Server/ppc64/os/ diff --git a/inventory/group_vars/buildppcle b/inventory/group_vars/buildppcle index 9bafafe7a7..0ea9bbe53c 100644 --- a/inventory/group_vars/buildppcle +++ b/inventory/group_vars/buildppcle @@ -3,6 +3,7 @@ volgroup: /dev/vg_guests lvm_size: 150000 mem_size: 10240 +max_mem_size: "{{ mem_size }}" num_cpus: 4 ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-23-ppc64le ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/23/Server/ppc64le/os/ diff --git a/inventory/group_vars/buildvm-ppc64 b/inventory/group_vars/buildvm-ppc64 index 2776abb290..cab1c24ead 100644 --- a/inventory/group_vars/buildvm-ppc64 +++ b/inventory/group_vars/buildvm-ppc64 @@ -3,6 +3,7 @@ volgroup: /dev/vg_guests lvm_size: 150000 mem_size: 10240 +max_mem_size: "{{ mem_size }}" num_cpus: 4 ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-23-ppc64 ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/23/Server/ppc64/os/ diff --git a/inventory/group_vars/buildvm-ppc64le b/inventory/group_vars/buildvm-ppc64le index 1ef3610550..283d7cce4c 100644 --- a/inventory/group_vars/buildvm-ppc64le +++ b/inventory/group_vars/buildvm-ppc64le @@ -3,6 +3,7 @@ volgroup: /dev/vg_guests lvm_size: 150000 mem_size: 10240 +max_mem_size: "{{ mem_size }}" num_cpus: 4 ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-23-ppc64le ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/23/Server/ppc64le/os/ diff --git a/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org b/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org index 411b995997..818b75f43b 100644 --- a/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org +++ b/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org 
@@ -10,6 +10,7 @@ main_bridge: br1 volgroup: /dev/vg_guests lvm_size: 150000 mem_size: 10240 +max_mem_size: "{{ mem_size }}" num_cpus: 4 ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-23 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/23/Server/x86_64/os/ From 7097682fd34bf673b0b0e0d9795005c78cdaec44 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 12:39:14 +0000 Subject: [PATCH 17/32] buildvm: add buildvm-s390 to host list --- playbooks/groups/buildvm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index 978511836d..f093034627 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -6,7 +6,7 @@ - include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=buildvm:buildvm-stg:buildvm-ppc64:buildvm-ppc64le:buildppcle:buildppc:buildvm-s390" - name: make koji builder(s) - hosts: buildvm:buildvm-stg:buildvm-ppc64:buildvm-ppc64le:buildppcle:buildppc + hosts: buildvm:buildvm-stg:buildvm-ppc64:buildvm-ppc64le:buildppcle:buildppc:buildvm-s390 user: root gather_facts: True From a5bd0e59ff717d2980b076e5a25c77b3a347304b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 12:51:08 +0000 Subject: [PATCH 18/32] buildvm: do nfs mounts based on groups, add s390 mount options --- playbooks/groups/buildvm.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index f093034627..694b3d7237 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml 
@@ -24,16 +24,19 @@ - hosts - apache - { role: nfs/client, - when: ( ansible_architecture == 'x86_64' or ansible_architecture == 'ppc64le' or ansible_architecture == 'ppc64' ) and not inventory_hostname.startswith('buildvm-ppc64'), + when: ( "'buildvm' in group_names" or "'buildppcle' in group_names" or "'buildppc' in group_names" ), mnt_dir: '/mnt/fedora_koji', nfs_src_dir: 'fedora_koji' } - { role: nfs/client, - when: inventory_hostname.startswith('aarch64') , + when: "'buildaarch64' in group_names" , mnt_dir: '/mnt/fedora_koji', nfs_src_dir: 'fedora_arm/data' } - { role: nfs/client, - when: inventory_hostname.startswith('buildvm-ppc64') , + when: ( "'buildvm-ppc64' in group_names" or "'buildvm-ppc64le' in group_names") , mnt_dir: '/mnt/fedora_koji', nfs_src_dir: 'fedora_ppc/data' } - { role: nfs/client, - when: datacenter == 'staging', mnt_dir: '/mnt/fedora_koji', nfs_src_dir: 'fedora_koji' } + when: "'buildvm-s390' in group_names" , + mnt_dir: '/mnt/fedora_koji', nfs_src_dir: 'fedora_s390/data' } + - { role: nfs/client, + when: "'buildvm-stg' in group_names", mnt_dir: '/mnt/fedora_koji', nfs_src_dir: 'fedora_koji' } - { role: fas_client, when: not inventory_hostname.startswith('bkernel') } - { role: sudo, when: not inventory_hostname.startswith('bkernel') } - koji_builder From fa65dc892e082f734e0ad79636bc322d07b524ad Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 13:02:21 +0000 Subject: [PATCH 19/32] koji builder: more s390 bits --- roles/koji_builder/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 7eabfeb7b6..0186ff5372 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml 
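Review bot: In the first and third `nfs/client` entries the individual tests are quoted inside the parentheses, e.g. `( "'buildvm' in group_names" or ... )`, so the condition is an `or` of non-empty string literals and, as far as I can tell, evaluates true on every host instead of testing group membership. That would apply both the `fedora_koji` and `fedora_ppc/data` sources to `/mnt/fedora_koji` on all builders, including the s390 and aarch64 ones. Quote the whole expression once instead: `when: "'buildvm' in group_names or 'buildppcle' in group_names or 'buildppc' in group_names"` and `when: "'buildvm-ppc64' in group_names or 'buildvm-ppc64le' in group_names"`.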
@@ -195,13 +195,13 @@ - name: make a mnt/koji link file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji - when: inventory_hostname.startswith(('build','arm04-builder00','arm04-builder01','arm02-builder21','arm02-builder23')) and not inventory_hostname.startswith('buildvm-ppc64') + when: inventory_hostname.startswith(('build','arm04-builder00','arm04-builder01','arm02-builder21','arm02-builder23')) and not inventory_hostname.startswith('buildvm-ppc64','buildvm-s390') tags: - koji_builder - name: make a mnt/koji link file: state=link src=/mnt/fedora_koji dest=/mnt/koji - when: inventory_hostname.startswith(('aarch64','ppc8','buildvm-ppc64')) + when: inventory_hostname.startswith(('aarch64','ppc8','buildvm-ppc64','buildvm-s390')) tags: - koji_builder From 5c5fce7b2254acd0186ca1f6305184df06a5102b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 13:11:42 +0000 Subject: [PATCH 20/32] koji builder: fix my ansible --- roles/koji_builder/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 0186ff5372..b5070399c1 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -195,7 +195,7 @@ - name: make a mnt/koji link file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji - when: inventory_hostname.startswith(('build','arm04-builder00','arm04-builder01','arm02-builder21','arm02-builder23')) and not inventory_hostname.startswith('buildvm-ppc64','buildvm-s390') + when: inventory_hostname.startswith(('build','arm04-builder00','arm04-builder01','arm02-builder21','arm02-builder23')) and not inventory_hostname.startswith(('buildvm-ppc64','buildvm-s390')) tags: - koji_builder From c86eaf43888828729dec08a6f095ea97a876fe14 Mon Sep 17 00:00:00 2001 
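Review bot: The two `make a mnt/koji link` tasks (touched by both 19/32 and 20/32) are kept mutually exclusive by repeating the same hostname prefixes in a positive and a negated `startswith`, so every new builder type has to be added to both `when` lines by hand. A group-membership test in the form the buildvm playbook now uses, e.g. `'buildvm-s390' in group_names`, would keep the choice of link target in the inventory. If the prefix lists stay, a comment above the first task such as `# every prefix in the second task's startswith() must also be excluded here` would help. The task file continues outside both hunks.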
From: Ralph Bean Date: Fri, 8 Apr 2016 13:18:22 +0000 Subject: [PATCH 21/32] Do the rpms-checks virtual distgit namespace in prod. --- roles/distgit/templates/genacls.pkgdb | 2 -- roles/distgit/templates/pkgdb_sync_git_branches.py | 2 -- 2 files changed, 4 deletions(-) diff --git a/roles/distgit/templates/genacls.pkgdb b/roles/distgit/templates/genacls.pkgdb index 81b65be678..b4b52f238f 100644 --- a/roles/distgit/templates/genacls.pkgdb +++ b/roles/distgit/templates/genacls.pkgdb @@ -70,13 +70,11 @@ if __name__ == '__main__': #print ' RW private- = @all' # dont' enable the above until we prevent building for real from private- -{% if env == 'staging' %} # XXX - Insert an artificial namespace into the set of namespaces returned # by pkgdb. We want to create a mirror of rpms/PKG in rpms-checks/PKG # This hack occurs in two places. Here, and in the branch-creation script. # https://github.com/fedora-infra/pkgdb2/issues/329#issuecomment-207050233 data['rpms-checks'] = copy.copy(data['rpms']) -{% endif %} # Get a list of all the packages for key in data: diff --git a/roles/distgit/templates/pkgdb_sync_git_branches.py b/roles/distgit/templates/pkgdb_sync_git_branches.py index 0526744c29..38fd6b12da 100644 --- a/roles/distgit/templates/pkgdb_sync_git_branches.py +++ b/roles/distgit/templates/pkgdb_sync_git_branches.py @@ -250,13 +250,11 @@ def main(): pkgdb_info = pkgdb_pkg_branch() -{% if env == 'staging' %} # XXX - Insert an artificial namespace into the set of namespaces returned # by pkgdb. We want to create a mirror of rpms/PKG in rpms-checks/PKG # This hack occurs in two places. Here, and in genacls.pkgdb. # https://github.com/fedora-infra/pkgdb2/issues/329#issuecomment-207050233 pkgdb_info['rpms-checks'] = copy.copy(pkgdb_info['rpms']) -{% endif %} for ns in pkgdb_info: namespace = ns From 70f30e73eb676b7fe50b6b4d47c3179096e07dd6 Mon Sep 17 00:00:00 2001 
From: Peter Robinson Date: Fri, 8 Apr 2016 13:23:19 +0000 Subject: [PATCH 22/32] releng: add compose-s390-01.s390.fedoraproject.org to virt-create --- playbooks/groups/releng-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 13925212c1..2cf50226cc 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml @@ -3,7 +3,7 @@ # NOTE: make sure there is room/space for this instance on the buildvmhost # NOTE: most of these vars_path come from group_vars/releng or from hostvars -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=releng-compose:releng-stg:compose-ppc64-01.ppc.fedoraproject.org:compose-ppc64le-01.ppc.fedoraproject.org" +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=releng-compose:releng-stg:compose-ppc64-01.ppc.fedoraproject.org:compose-ppc64le-01.ppc.fedoraproject.org:compose-s390-01.s390.fedoraproject.org" - name: Setup releng compose hosts hosts: releng-compose:releng-secondary:releng-stg From d8f637f9b0a37a374adadc7eef333ed0601bb14b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 13:32:59 +0000 Subject: [PATCH 23/32] releng: secondary: limit maxmem --- inventory/group_vars/releng-secondary | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/group_vars/releng-secondary b/inventory/group_vars/releng-secondary index ec8654e51d..1ab23edd70 100644 --- a/inventory/group_vars/releng-secondary +++ b/inventory/group_vars/releng-secondary @@ -2,6 +2,7 @@ # common items for the releng-* boxes lvm_size: 100000 mem_size: 8196 +max_mem_size: "{{ mem_size }}" num_cpus: 16 nm: 255.255.255.0 dns: 10.5.126.21 From 2b63919f4ea44370c2a206dde8f67a1f86c7765f Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Fri, 8 Apr 2016 14:02:59 +0000 Subject: [PATCH 24/32] add sysadmin-releng to sudo for docker-registry stg 
Signed-off-by: Adam Miller --- inventory/group_vars/docker-registry-stg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inventory/group_vars/docker-registry-stg b/inventory/group_vars/docker-registry-stg index 97faec6be1..18f0c26015 100644 --- a/inventory/group_vars/docker-registry-stg +++ b/inventory/group_vars/docker-registry-stg @@ -3,3 +3,5 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ fas_client_groups: sysadmin-releng + +sudoers: "{{ private }}/files/sudo/00releng-sudoers" From 0d4b1e1d0df477ea32b60caf81517ff74d3159be Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Fri, 8 Apr 2016 14:06:05 +0000 Subject: [PATCH 25/32] docker-distribution-proxy: start/enable the service once configured Signed-off-by: Adam Miller --- roles/docker-distribution-proxy/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/docker-distribution-proxy/tasks/main.yml b/roles/docker-distribution-proxy/tasks/main.yml index e651519bf6..2bc0a915af 100644 --- a/roles/docker-distribution-proxy/tasks/main.yml +++ b/roles/docker-distribution-proxy/tasks/main.yml @@ -40,3 +40,8 @@ dest: "/etc/httpd/conf.d/docker-registry-vhost.conf" notify: reload httpd +- name: start and enable httpd + service: + name: httpd + state: started + enabled: yes From f6853128886fc26da34e61bf244920682d397b7e Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Fri, 8 Apr 2016 14:16:51 +0000 Subject: [PATCH 26/32] fix typo in docker-distribution-proxy template Signed-off-by: Adam Miller --- .../templates/docker-registry-vhost.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 index bd4379cbb5..b0044eac33 100644 --- a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 +++ b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 
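Review bot: The added `sudoers:` line in `docker-registry-stg` points at `00releng-sudoers` under `{{ private }}`, so the privileges being granted are not visible in this change. A one-line comment above it naming the group and scope would let a reader follow the grant without the private repository, e.g. `# sudo rules for sysadmin-releng (see fas_client_groups above); rule content lives in the private repo`. Whether the rules in that file fit a registry host cannot be checked from here and should be confirmed against the file itself.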
@@ -46,7 +46,7 @@ # Write access restricted - Require value-user + Require valid-user From c9605a38f0c5211916fae286adcf1a63aca6caaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Fri, 8 Apr 2016 16:28:49 +0200 Subject: [PATCH 27/32] list copr-dev machines in staging so staging variables are set - we use it on two places in copr.conf --- inventory/inventory | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/inventory/inventory b/inventory/inventory index ecdfbec06e..494a579b08 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -599,6 +599,10 @@ bugzilla2fedmsg01.stg.phx2.fedoraproject.org buildvm-01.stg.phx2.fedoraproject.org busgateway01.stg.phx2.fedoraproject.org composer.stg.phx2.fedoraproject.org +copr-be-dev.cloud.fedoraproject.org +copr-dist-git-dev.fedorainfracloud.org +copr-fe-dev.cloud.fedoraproject.org +copr-keygen-dev.cloud.fedoraproject.org darkserver-web01.stg.phx2.fedoraproject.org darkserver-web02.stg.phx2.fedoraproject.org darkserver-backend01.stg.phx2.fedoraproject.org From be7400b9f33e4991006d0947e7f6bdc697028ae7 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 8 Apr 2016 14:57:21 +0000 Subject: [PATCH 28/32] Note SOPs for pdc and github2fedmsg. --- roles/apps-fp-o/files/apps.yaml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/roles/apps-fp-o/files/apps.yaml b/roles/apps-fp-o/files/apps.yaml index 5e82ba162b..0ba9659bcc 100644 --- a/roles/apps-fp-o/files/apps.yaml +++ b/roles/apps-fp-o/files/apps.yaml 
@@ -564,10 +564,8 @@ children: source_url: https://github.com/fedora-infra/github2fedmsg bugs_url: https://github.com/fedora-infra/github2fedmsg/issues docs_url: https://github.com/fedora-infra/github2fedmsg/blob/develop/README.rst#github2fedmsg - # TODO - write sop for github2fedmsg - # https://fedorahosted.org/fedora-infrastructure/ticket/5158 - #sops: - # - https://infrastructure.fedoraproject.org/infra/docs/github2fedmsg.rst + sops: + - https://infrastructure.fedoraproject.org/infra/docs/github2fedmsg.rst status_mappings: ['fedmsg'] description: > github2fedmsg is a web service that bridges upstream @@ -744,10 +742,8 @@ children: bugs_url: https://github.com/product-definition-center/product-definition-center/issues # Also, https://fedoraproject.org/wiki/Changes/PDC docs_url: https://github.com/product-definition-center/product-definition-center/issues/303 - # TODO - write SOP for PDC - # https://fedorahosted.org/fedora-infrastructure/ticket/5163 - #sops: - # - https://infrastructure.fedoraproject.org/infra/docs/pdc.rst + sops: + - https://infrastructure.fedoraproject.org/infra/docs/pdc.rst description: > The Product Definition Center (PDC) is a new app we're working on which will track 1) all of the artifacts that release From 1e71112e094c14ff80674ac0b48d188a4a7c1c40 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Fri, 8 Apr 2016 08:02:02 -0700 Subject: [PATCH 29/32] openqa/server: fix template load for non-infra I tweaked the playbook to not patch the templates for non-infra deployments, but then forgot to make test loading work using non-patched templates for non-infra... --- roles/openqa/server/tasks/main.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/openqa/server/tasks/main.yml b/roles/openqa/server/tasks/main.yml index 720473630b..9148dfb8ef 100644 --- a/roles/openqa/server/tasks/main.yml +++ b/roles/openqa/server/tasks/main.yml 
@@ -224,11 +224,16 @@ # a correct 'changed' for this step is too difficult. Instead we have # the prior and following steps; when the templates actually changed, # the *following* step will register as changed. -- name: Load tests +- name: Load patched tests shell: "/tmp/templates --clean" - when: "gittests|changed" + when: "gittests|changed and deployment_type is defined" changed_when: "1 != 1" +- name: Load tests + shell: "/var/lib/openqa/share/tests/fedora/templates --clean" + when: "gittests|changed and deployment_type is not defined" + changed_when: "1 != 1 + - name: Check if the tests changed in previous step shell: "/usr/share/openqa/script/dump_templates --json > /tmp/tmpl-new.json && json_diff /tmp/tmpl-old.json /tmp/tmpl-new.json" when: "gittests|changed" From e06f8352aa47a070b5a15cfa94fe0746fa5c1e6e Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 8 Apr 2016 15:17:39 +0000 Subject: [PATCH 30/32] Open port 443 for docker Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/docker-registry | 2 ++ inventory/group_vars/docker-registry-stg | 2 ++ 2 files changed, 4 insertions(+) diff --git a/inventory/group_vars/docker-registry b/inventory/group_vars/docker-registry index 97faec6be1..b1abe1225f 100644 --- a/inventory/group_vars/docker-registry +++ b/inventory/group_vars/docker-registry @@ -3,3 +3,5 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ fas_client_groups: sysadmin-releng + +tcp_ports: [443] diff --git a/inventory/group_vars/docker-registry-stg b/inventory/group_vars/docker-registry-stg index 18f0c26015..8a7cfeb66b 100644 --- a/inventory/group_vars/docker-registry-stg +++ b/inventory/group_vars/docker-registry-stg @@ -5,3 +5,5 @@ ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ fas_client_groups: sysadmin-releng sudoers: "{{ private }}/files/sudo/00releng-sudoers" + +tcp_ports: [443] From 2dddd8271b7ea3dffc5cc608b10246f7d835c9f1 Mon Sep 17 00:00:00 2001 
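Review bot: The added `Load tests` task ends with `changed_when: "1 != 1` and no closing quote, which leaves the double-quoted scalar unterminated and will likely stop the task file from parsing. It should read `changed_when: "1 != 1"`, as in the `Load patched tests` task above it. Separately, the patched loader is executed from `/tmp/templates`, a fixed name in a world-writable directory. That path predates this hunk, but a root-owned directory would be a safer home for a script the play executes.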
From: Adam Miller Date: Fri, 8 Apr 2016 15:36:32 +0000 Subject: [PATCH 31/32] update docker-distribution-proxy template to handle /_ping special Signed-off-by: Adam Miller --- .../templates/docker-registry-vhost.conf.j2 | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 index b0044eac33..0814b67d44 100644 --- a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 +++ b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 @@ -30,11 +30,20 @@ ProxyPass /v2 http://localhost:5000/v2 ProxyPassReverse /v2 http://localhost:5000/v2 + ProxyPass /_ping http://localhost:5000/_ping + ProxyPassReverse /_ping http://localhost:5000/_ping + + # Allow ping to run unauthenticated. + + Satisfy any + Allow from all + + Order deny,allow Allow from all - AuthName "Registry Authentication" {% if auth.type == "basic" %} + AuthName "Registry Authentication" AuthType basic AuthUserFile {{ auth.basic.userfile_dest }} {% endif %} From e1b4ecc674b0c20a03f31c1378a3175f4968990d Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 8 Apr 2016 15:52:13 +0000 Subject: [PATCH 32/32] koji builder: add s390 hub to firewall --- roles/base/templates/iptables/iptables.kojibuilder | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder index ee2d5a3724..e94af36f1c 100644 --- a/roles/base/templates/iptables/iptables.kojibuilder +++ b/roles/base/templates/iptables/iptables.kojibuilder 
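Review bot: The new unauthenticated `/_ping` block uses `Satisfy any` with `Allow from all`, which are Apache 2.2 access-control directives, while the write restriction in the same template uses `Require valid-user`. The registry group vars kickstart from a RHEL7 tree, which I would expect to ship httpd 2.4; there the old directives only work through mod_access_compat and mixing them with `Require` is easy to get wrong, so `Require all granted` is the 2.4 form for this block. The container tags are not visible in this rendering of the hunk, so please check that `Satisfy any` sits only inside the `/_ping` location. At a wider scope it would switch authentication off for the proxied registry paths.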
@@ -43,6 +43,10 @@ -A OUTPUT -p tcp -m tcp -d 10.5.124.182 --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.124.182 --dport 443 -j ACCEPT +#s390.koji.fp.o +-A OUTPUT -p tcp -m tcp -d 10.5.124.191 --dport 80 -j ACCEPT +-A OUTPUT -p tcp -m tcp -d 10.5.124.191 --dport 443 -j ACCEPT + # compose-x86-02.fp.o -A OUTPUT -p tcp -m tcp -d 10.5.125.42 --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.125.42 --dport 443 -j ACCEPT
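Review bot: The added rules let builders open connections to the s390 hub at 10.5.124.191 on port 80 as well as 443. This follows the pattern of the neighbouring entries, but whether builders need plain HTTP to the hub cannot be told from the hunk. If they only use HTTPS, keep just the `--dport 443` rule so unencrypted traffic to the hub is not permitted. The template name suggests it is shared by all koji builders, so a comment such as `# only needed by the s390 builders` or a conditional around the block would keep the egress list tight. The rule list continues outside the hunk.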