Merge branch 'master' of /git/ansible

files/fedora-cloud/haproxy.cfg

@@ -35,6 +35,10 @@ global
     # turn on stats unix socket
     stats socket /var/lib/haproxy/stats
 
+    tune.ssl.default-dh-param 1024
+    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+
 #---------------------------------------------------------------------
 # common defaults that all the 'listen' and 'backend' sections will
 # use if not designated in their block
@@ -62,32 +66,46 @@ defaults
 #frontend keystone_admin *:35357
 #  default_backend keystone_admin
 frontend neutron
-  bind 0.0.0.0:9696 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
   default_backend neutron
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend cinder
-  bind 0.0.0.0:8776 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
   default_backend cinder
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend swift
-  bind 0.0.0.0:8080 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
   default_backend swift
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend nova
-  bind 0.0.0.0:8774 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
   default_backend nova
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend ceilometer
-  bind 0.0.0.0:8777 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
   default_backend ceilometer
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend ec2
-  bind 0.0.0.0:8773 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
   default_backend ec2
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend glance
-  bind 0.0.0.0:9292 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
   default_backend glance
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 backend neutron
   server neutron 127.0.0.1:8696 check

roles/fas_client/files/aliases.template

@@ -111,7 +111,6 @@ pkgdb: /dev/null
 vendors: distribution-members
 
 legal: spot@redhat.com
-chair: mattdm
 fpl: chair
 board: advisory-board@lists.fedoraproject.org
 chairman: chair
@@ -214,7 +213,6 @@ taskotron: /dev/null
 famsco: famsco-members@fedoraproject.org
 fedora-marketing: famsco
 info: marketing@lists.fedoraproject.org
-press: chair, kbakis@redhat.com, rsuehle, aeusebio@redhat.com
 fedorarewards: famsco@lists.fedoraproject.org
 openvideo: tchung
 freemedia: tchung,susmit

roles/openvpn/client/tasks/main.yml

@@ -38,23 +38,8 @@
   - service
   - openvpn
 
-#
-# this is a workaround for a rhel7.1 bug: 
-# https://bugzilla.redhat.com/show_bug.cgi?id=1206007
-# Go back to using the service module when thats fixed. 
-#
-
-- name: enable openvpn service for rhel 7.1
-  file: state=link src=/usr/lib/systemd/system/openvpn@.service dest=/etc/systemd/system/multi-user.target.wants/openvpn@.service owner=root group=root
-  when: ansible_distribution_major_version == '7'
-  notify:
-  - reload systemd
-  tags:
-  - service
-  - openvpn
-
 - name: Make sure openvpn is running in rhel 7.1
-  service: name=openvpn@openvpn state=running
+  service: name=openvpn@openvpn state=running enabled=true
   when: ansible_distribution_major_version == '7'
   tags:
   - service

tasks/virt_instance_create.yml

@@ -37,6 +37,21 @@
   delegate_to: "{{ vmhost }}"
   when: inventory_hostname not in result.list_vms
 
+- name: make sure there is no old ssh host key for the host still around
+  local_action: known_hosts path={{item}} host={{ inventory_hostname }} state=absent
+  ignore_errors: True
+  with_items:
+  - /root/.ssh/known_hosts
+  - /etc/ssh/ssh_known_hosts
+  when: inventory_hostname not in result.list_vms
+
+- name: Add new ssh_host_key for newly installed host
+  local_action: known_hosts path={{item}} host={{ inventory_hostname }} state=present
+  ignore_errors: True
+  with_items:
+  - /root/.ssh/known_hosts
+  when: inventory_hostname not in result.list_vms
+
 - name: wait for ssh on the vm to start back
   local_action: wait_for delay=10 host={{ inventory_hostname }} port=22 state=started timeout=1200
   when: inventory_hostname not in result.list_vms

tasks/virthost.yml

@@ -38,6 +38,12 @@
 - name: enable libvirtd
   service: name=libvirtd state=started enabled=yes
 
+#
+# Disable lvmetad as it causes lots of problems with iscsi shared lvm and caching. 
+#
+- name: disable lvmetad
+  lineinfile: dest=/etc/lvm/lvm.conf regexp="^    use_lvmetad = 1" line="    use_lvmetad = 0" backrefs=yes
+
 - name: set bridging to work right - 
   copy: src="{{ files }}/virthost/99-bridge.rules" dest=/etc/udev/rules.d/99-bridge.rules
   notify: