diff --git a/files/openshift/openshift.repo b/files/openshift/openshift.repo
index 77aa0895d9..b299e4525b 100644
--- a/files/openshift/openshift.repo
+++ b/files/openshift/openshift.repo
@@ -1,14 +1,3 @@
-[rhel7-openshift-3.4]
-name = rhel7 openshift 3.4 $basearch
-baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.4-rpms/
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-
-[rhel7-openshift-3.5]
-name = rhel7 openshift 3.5 $basearch
-baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.5-rpms/
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-
-{% if env == 'staging' %}
[rhel7-openshift-3.6]
name = rhel7 openshift 3.6 $basearch
baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.6-rpms/
@@ -19,4 +8,3 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
name = rhel7 fast datapath $basearch
baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-fast-datapath/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-{% endif %}
diff --git a/inventory/group_vars/os b/inventory/group_vars/os
index c2897f8658..92656a93d5 100644
--- a/inventory/group_vars/os
+++ b/inventory/group_vars/os
@@ -2,3 +2,4 @@
host_group: os
baseiptables: False
no_http2: True
+nm_controlled_resolv: True
diff --git a/inventory/group_vars/os-stg b/inventory/group_vars/os-stg
index c2897f8658..92656a93d5 100644
--- a/inventory/group_vars/os-stg
+++ b/inventory/group_vars/os-stg
@@ -2,3 +2,4 @@
host_group: os
baseiptables: False
no_http2: True
+nm_controlled_resolv: True
diff --git a/inventory/host_vars/db-koji02.stg.phx2.fedoraproject.org b/inventory/host_vars/db-koji02.stg.phx2.fedoraproject.org
index 9a5cd35549..c4f14f3aa6 100644
--- a/inventory/host_vars/db-koji02.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/db-koji02.stg.phx2.fedoraproject.org
@@ -7,8 +7,8 @@ eth0_ip: 10.5.128.99
vmhost: virthost11.phx2.fedoraproject.org
datacenter: phx2
-ks_url: http://infrastructure.phx2.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
-ks_repo: http://infrastructure.phx2.fedoraproject.org/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
# This is a generic list, monitored by collectd
databases:
@@ -19,7 +19,7 @@ lvm_size: 500000
mem_size: 16384
max_mem_size: "{{ mem_size }}"
num_cpus: 8
-fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran
+fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran,sysadmin-releng
# kernel SHMMAX value
kernel_shmmax: 68719476736
@@ -44,8 +44,8 @@ shared_buffers: "8GB"
effective_cache_size: "24GB"
# Keepalived variables
-keepalived_interface: eth0
-keepalived_priority: 50
-keepalived_ipaddress: 10.5.128.97/24
-keepalived_routerid: 18
+#keepalived_interface: eth0
+#keepalived_priority: 50
+#keepalived_ipaddress: 10.5.128.97/24
+#keepalived_routerid: 18
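Review bot: The four keepalived variables are commented out rather than removed, and nothing says why or whether they are meant to come back. Since this commit also moves the host out of `[pgbdr-stg]` in inventory/inventory, they look like dead settings. Either delete them or put one line above them such as `# keepalived disabled: host rebuilt as a standalone postgres server, no VIP`, adjusting the wording to the real reason. Left as they are, a later uncomment would reclaim 10.5.128.97 without anyone checking that the address is still free.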
diff --git a/inventory/host_vars/os-master02.phx2.fedoraproject.org b/inventory/host_vars/os-master02.phx2.fedoraproject.org
index ab1a1b0746..a2b9372e4b 100644
--- a/inventory/host_vars/os-master02.phx2.fedoraproject.org
+++ b/inventory/host_vars/os-master02.phx2.fedoraproject.org
@@ -5,7 +5,7 @@ dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
-eth0_ip: 10.5.126.247
+eth0_ip: 10.5.126.246
vmhost: virthost19.phx2.fedoraproject.org
datacenter: phx2
host_group: os
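Review bot: This `eth0_ip` change and the three that follow rotate existing addresses between hosts rather than assigning fresh ones. 10.5.126.246 moves from os-node01 to os-master02, .247 from os-master02 to os-master03, .248 from os-node02 to os-node01 and .164 from os-master03 to os-node02. Any rule pinned to an address instead of a hostname (iptables source allowlists, pg_hba entries, monitoring checks, DNS or reverse DNS) will now apply to a host with a different role, and in two cases an address that belonged to a master lands on a node or the reverse. None of those consumers are visible in this diff, so confirm they were updated in the same change. A short comment in each host_vars file, for example `# re-addressed with os-master03/os-node01/os-node02, see inventory`, would help.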
diff --git a/inventory/host_vars/os-master03.phx2.fedoraproject.org b/inventory/host_vars/os-master03.phx2.fedoraproject.org
index d7670e2917..1ed5d0156e 100644
--- a/inventory/host_vars/os-master03.phx2.fedoraproject.org
+++ b/inventory/host_vars/os-master03.phx2.fedoraproject.org
@@ -5,7 +5,7 @@ dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_virthost15
-eth0_ip: 10.5.126.164
+eth0_ip: 10.5.126.247
vmhost: virthost15.phx2.fedoraproject.org
datacenter: phx2
host_group: os
diff --git a/inventory/host_vars/os-node01.phx2.fedoraproject.org b/inventory/host_vars/os-node01.phx2.fedoraproject.org
index 77b7a58e25..c4b7faa5fe 100644
--- a/inventory/host_vars/os-node01.phx2.fedoraproject.org
+++ b/inventory/host_vars/os-node01.phx2.fedoraproject.org
@@ -5,7 +5,7 @@ dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
-eth0_ip: 10.5.126.246
+eth0_ip: 10.5.126.248
vmhost: virthost06.phx2.fedoraproject.org
datacenter: phx2
host_group: os-nodes
diff --git a/inventory/host_vars/os-node02.phx2.fedoraproject.org b/inventory/host_vars/os-node02.phx2.fedoraproject.org
index bcce8e0343..15c782a156 100644
--- a/inventory/host_vars/os-node02.phx2.fedoraproject.org
+++ b/inventory/host_vars/os-node02.phx2.fedoraproject.org
@@ -5,7 +5,7 @@ dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
-eth0_ip: 10.5.126.248
+eth0_ip: 10.5.126.164
vmhost: virthost19.phx2.fedoraproject.org
datacenter: phx2
host_group: os-nodes
diff --git a/inventory/inventory b/inventory/inventory
index 8409ef6580..7e18e73372 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -109,6 +109,7 @@ basset01.stg.phx2.fedoraproject.org
bastion01.phx2.fedoraproject.org
bastion02.phx2.fedoraproject.org
bastion-comm01.qa.fedoraproject.org
+bastion13.fedoraproject.org
[blockerbugs]
blockerbugs01.phx2.fedoraproject.org
@@ -321,6 +322,7 @@ db-qa-stg01.qa.fedoraproject.org
db-fas01.stg.phx2.fedoraproject.org
db01.stg.phx2.fedoraproject.org
db03.stg.phx2.fedoraproject.org
+db-koji02.stg.phx2.fedoraproject.org
# postgresql bidirectional replication servers
[pgbdr]
@@ -328,7 +330,6 @@ db03.stg.phx2.fedoraproject.org
# postgresql bidirectional replication servers (stg)
[pgbdr-stg]
db-koji01.stg.phx2.fedoraproject.org
-db-koji02.stg.phx2.fedoraproject.org
pgbdr01.stg.phx2.fedoraproject.org
pgbdr02.stg.phx2.fedoraproject.org
diff --git a/playbooks/groups/bastion.yml b/playbooks/groups/bastion.yml
index 41a4054c35..368cbbd211 100644
--- a/playbooks/groups/bastion.yml
+++ b/playbooks/groups/bastion.yml
@@ -18,8 +18,9 @@
- fas_client
- sudo
- collectd/base
- - { role: openvpn/server, when: not inventory_hostname.startswith('bastion-comm01') }
- - { role: packager_alias, when: not inventory_hostname.startswith('bastion-comm01') }
+ - { role: openvpn/server, when: not inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13') }
+ - { role: openvpn/client, when: inventory_hostname.startswith('bastion13') }
+ - { role: packager_alias, when: not inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13') }
- opendkim
tasks:
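Review bot: The new `when:` on `openvpn/server` and `packager_alias` parses as `(not startswith('bastion-comm01')) or startswith('bastion13')`, so the added `or` clause never changes the result. bastion13 already satisfies the first half, which means it gets `openvpn/server` in addition to the new `openvpn/client` role. If the intent was to keep the server role off bastion13, the condition needs to be `when: not (inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13'))`. If bastion13 really should run both, drop the redundant clause so the line does not read as an exclusion. The role list starts above this hunk.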
diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml
index be9aba664e..819af87e37 100644
--- a/playbooks/groups/os-cluster.yml
+++ b/playbooks/groups/os-cluster.yml
@@ -125,10 +125,10 @@
- {
role: ansible-ansible-openshift-ansible,
cluster_inventory_filename: "cluster-inventory",
- openshift_release: "v3.5",
+ openshift_release: "v3.6",
openshift_ansible_path: "/root/openshift-ansible",
openshift_ansible_playbook: "playbooks/byo/config.yml",
- openshift_ansible_version: "openshift-ansible-3.5.70-1",
+ openshift_ansible_version: "openshift-ansible-3.6.173.0.81-1",
openshift_ansible_ssh_user: root,
openshift_ansible_install_examples: true,
openshift_ansible_containerized_deploy: false,
@@ -162,6 +162,8 @@
tasks:
- name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
+ tags:
+ - iptables
- name: Post-Install master setup
hosts: os-masters-stg:os-masters
diff --git a/playbooks/groups/postgresql-server-bdr.yml b/playbooks/groups/postgresql-server-bdr.yml
index ec3fe497c7..61cb8d0ea8 100644
--- a/playbooks/groups/postgresql-server-bdr.yml
+++ b/playbooks/groups/postgresql-server-bdr.yml
@@ -2,12 +2,12 @@
# NOTE: should be used with --limit most of the time
# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-koji01.stg.phx2.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org:pgbdr01.stg.phx2.fedoraproject.org:pgbdr02.stg.phx2.fedoraproject.org"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-koji01.stg.phx2.fedoraproject.org:pgbdr01.stg.phx2.fedoraproject.org:pgbdr02.stg.phx2.fedoraproject.org"
# Once the instance exists, configure it.
- name: configure postgresql server system
- hosts: db-koji01.stg.phx2.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org:pgbdr01.stg.phx2.fedoraproject.org:pgbdr02.stg.phx2.fedoraproject.org
+ hosts: db-koji01.stg.phx2.fedoraproject.org:pgbdr01.stg.phx2.fedoraproject.org:pgbdr02.stg.phx2.fedoraproject.org
user: root
gather_facts: True
diff --git a/playbooks/groups/postgresql-server.yml b/playbooks/groups/postgresql-server.yml
index 2557fe7c58..78352cc77b 100644
--- a/playbooks/groups/postgresql-server.yml
+++ b/playbooks/groups/postgresql-server.yml
@@ -2,12 +2,12 @@
# NOTE: should be used with --limit most of the time
# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org"
# Once the instance exists, configure it.
- name: configure postgresql server system
- hosts: db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org
+ hosts: db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org
user: root
gather_facts: True
diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml
index 68fc37bb6d..ef47bbca4a 100644
--- a/playbooks/groups/releng-compose.yml
+++ b/playbooks/groups/releng-compose.yml
@@ -89,5 +89,18 @@
- python2-dockerfile-parse
when: env == "staging" and ansible_architecture != "ppc64"
+ - name: set releng user keytab
+ copy:
+ src: "{{private}}/files/keytabs/{{env}}/releng"
+ dest: /etc/krb5.releng.keytab
+ when: env == "staging"
+
+ - name: copy releng ssh key for rebuild fedpkg/distgit pushes
+ copy:
+ src: "{{private}}/files/releng/sshkeys/container-rebuild-staging"
+ dest: /etc/pki/releng
+ when: env == "staging"
+
+
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
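Review bot: Both new `copy` tasks install credentials (a Kerberos keytab and an SSH private key) without `owner`, `group` or `mode`. A newly created file then takes the remote umask, which under a typical root umask leaves it world-readable. Set them explicitly on both tasks, e.g. `owner: root`, `group: root`, `mode: "0600"`, or the account and group that actually run the rebuild if that is not root. It is also not visible here whether `/etc/pki/releng` is a file or a directory. If it is a directory the key lands under its source basename, so a full destination path would make the result unambiguous. The task list begins above this hunk.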
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 3f3935e9cf..bc270fef58 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -283,8 +283,7 @@
- role: httpd/website
name: copr.fedoraproject.org
ssl: true
- # We need sslonly=false because copr-cli hardcoded http
- sslonly: false
+ sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
diff --git a/playbooks/manual/push-badges.yml b/playbooks/manual/push-badges.yml
index 09f9137235..a7f0474d8a 100644
--- a/playbooks/manual/push-badges.yml
+++ b/playbooks/manual/push-badges.yml
@@ -2,7 +2,7 @@
#
# Badge artists and badge developers should be pushing stuff to this repo:
#
-# https://pagure.io/Fedora-Badges.git
+# https://pagure.io/fedora-badges.git
#
# This playbook will take any new content from there and push it out onto our
# servers.
@@ -19,7 +19,7 @@
vars:
tempdir: /var/tmp/badges-tempdir
- upstream: "https://pagure.io/Fedora-Badges.git"
+ upstream: "https://pagure.io/fedora-badges.git"
workingdir: /srv/web/infra/badges/
tasks:
diff --git a/playbooks/openshift-apps/waiverdb.yml b/playbooks/openshift-apps/waiverdb.yml
index cc9e033147..b18f39865c 100644
--- a/playbooks/openshift-apps/waiverdb.yml
+++ b/playbooks/openshift-apps/waiverdb.yml
@@ -19,37 +19,35 @@
- mjia
- dcallagh
- { role: openshift/object, app: waiverdb, template: secret.yml }
- #- { role: openshift/secret-file
- # , app: waiverdb
- # , secret_name: waiverdb-stg-secret
- # , key: client_secrets.json
- # , template: client_secrets.json
- # }
- # These secret roles also break if the secret already exists. Can only be run once.
- #- role: openshift/secret-file
- # app: waiverdb
- # secret_name: waiverdb-fedmsg-key
- # key: fedmsg-waiverdb.key
- # privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.key
- # when: env == "staging"
- #- role: openshift/secret-file
- # app: waiverdb
- # secret_name: waiverdb-fedmsg-crt
- # key: fedmsg-waiverdb.crt
- # privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.crt
- # when: env == "staging"
- #- role: openshift/secret-file
- # app: waiverdb
- # secret_name: waiverdb-fedmsg-key
- # key: fedmsg-waiverdb.key
- # privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.key
- # when: env != "staging"
- #- role: openshift/secret-file
- # app: waiverdb
- # secret_name: waiverdb-fedmsg-crt
- # key: fedmsg-waiverdb.crt
- # privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.crt
- # when: env != "staging"
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-stg-secret
+ key: client_secrets.json
+ template: client_secrets.json
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-fedmsg-key
+ key: fedmsg-waiverdb.key
+ privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.key
+ when: env == "staging"
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-fedmsg-crt
+ key: fedmsg-waiverdb.crt
+ privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.crt
+ when: env == "staging"
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-fedmsg-key
+ key: fedmsg-waiverdb.key
+ privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.key
+ when: env != "staging"
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-fedmsg-crt
+ key: fedmsg-waiverdb.crt
+ privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.crt
+ when: env != "staging"
- { role: openshift/object, app: waiverdb, file: imagestream.yml }
- { role: openshift/object, app: waiverdb, file: buildconfig.yml }
- { role: openshift/object, app: waiverdb, template: configmap.yml }
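Review bot: The first re-enabled `openshift/secret-file` entry (`secret_name: waiverdb-stg-secret`) has no `when:` guard, unlike the four fedmsg entries below it. It therefore runs for every environment and would create a staging-named secret in production too. If it is staging-only, add `when: env == "staging"`; otherwise the secret name should not carry `stg`. The deleted comment also warned that these roles break when the secret already exists and can only be run once. Nothing in this hunk shows that was fixed, so confirm the role is now idempotent or keep the warning as a comment above the entries.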
diff --git a/roles/bodhi2/backend/files/new-updates-sync b/roles/bodhi2/backend/files/new-updates-sync
index 86864ce739..c8a64dce9c 100755
--- a/roles/bodhi2/backend/files/new-updates-sync
+++ b/roles/bodhi2/backend/files/new-updates-sync
@@ -26,7 +26,12 @@ RELEASES = {'f27': {'topic': 'fedora',
'from': 'f27-updates',
'ostrees': [{'ref': 'fedora/27/%(arch)s/updates/atomic-host',
'dest': os.path.join(ATOMICDEST, '27'),
- 'arches': ['x86_64', 'ppc64le', 'aarch64']}],
+ 'arches': ['x86_64', 'ppc64le', 'aarch64']},
+ {'ref': 'fedora/27/x86_64/updates/workstation',
+ 'dest': os.path.join(ATOMICDEST, 'workstation')},
+ # Hack around for the fact that ostree on f25 doesn't know links
+ {'ref': 'fedora/27/x86_64/workstation',
+ 'dest': os.path.join(ATOMICDEST, 'workstation')}],
'to': [{'arches': ['x86_64', 'armhfp', 'source'],
'dest': os.path.join(FEDORADEST, '27')},
{'arches': ['aarch64', 'i386', 'ppc64', 'ppc64le', 's390x'],
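Review bot: The new workstation ostree entries omit the `arches` key and hard-code `x86_64` in `ref`, while the existing atomic-host entry supplies both `%(arch)s` and `arches`. The code that walks `ostrees` is not visible here. If it reads `ostree['arches']` for every entry, these dicts will raise `KeyError` on the first sync. Giving them the same shape avoids that, e.g. `'ref': 'fedora/27/%(arch)s/updates/workstation'` with `'arches': ['x86_64']`. The same applies to the testing entry added in the next hunk. The "Hack around" comment could also say when the second ref can be removed.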
@@ -36,7 +41,9 @@ RELEASES = {'f27': {'topic': 'fedora',
'from': 'f27-updates-testing',
'ostrees': [{'ref': 'fedora/27/%(arch)s/testing/atomic-host',
'dest': os.path.join(ATOMICDEST, '27'),
- 'arches': ['x86_64', 'ppc64le', 'aarch64']}],
+ 'arches': ['x86_64', 'ppc64le', 'aarch64']},
+ {'ref': 'fedora/27/x86_64/testing/workstation',
+ 'dest': os.path.join(ATOMICDEST, 'workstation')}],
'to': [{'arches': ['x86_64', 'armhfp', 'source'],
'dest': os.path.join(FEDORADEST, 'testing', '27')},
{'arches': ['aarch64', 'i386', 'ppc64', 'ppc64le', 's390x'],
diff --git a/roles/haproxy/files/os-master.production.pem b/roles/haproxy/files/os-master.production.pem
index 12027535aa..561f71b208 100644
--- a/roles/haproxy/files/os-master.production.pem
+++ b/roles/haproxy/files/os-master.production.pem
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu
-c2hpZnQtc2lnbmVyQDE1MDM0MjY1MDcwHhcNMTcwODIyMTgyODI2WhcNMjIwODIx
-MTgyODI3WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE1MDM0MjY1MDcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8x8mVwkQA0pPPcMNUKwuz
-nthngidbnIK1KPN9OLEkudgxASVMYmNNjAMc1vz5YxGgRURr6AL+tQPLnFfn5GWD
-LbP3FkniCpkg5OAgZTTm9MWXQoO+HmFY7wGdBd9VQXOoVLovSL3IvrFqE9CReRLU
-FPA8/z7sZ+4fDSB9+Clk7BoVLiJ7NeD8BzcKHqe7CFt9PYgH2WtK5nOlduVDRjwv
-yOjACtzy1TXxAXec+1m0WkIfPdQ34enbd7U5b9T/jiuQVGp7RcrcQfHTqhyPeiXk
-yz/QGqXB4h9M0SZJVdx47zXVW+t8kA5i8VajDqFdZe8iwR7IIEEG+6WMJk/2JkaP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-SIb3DQEBCwUAA4IBAQBIjnRqG7kc2x24F4fJoUKDOwmHXPpuwVNZwR/8PnBs1KWM
-xmvst3ZJJ7+ZgVuLxauO9pAK9aqlWTC0LkJIskIT6Jj5vbENDSycuxty7eadYVDM
-zvJdtR4vuxQ4qdMzM9xcAaY5hfyDzK3c8wzAPzq++blzcxJzVcszKp8+sVRy0o0g
-/4MVFPN0ddKqDXrBV5gQt+c3FLg7a2RVUhED523V3dRlui4nxy9C1M8BqMs6RDu9
-b9AA8KQCVwHTb/FWgKkEyZDcDK+Ph5Qrn6v9eKCyKpYabqbqc1W0Ugi93+JYdn5z
-vXDoM/KSvt0NR1JWEy3n3dATp4eHJAbGkCNNW5pW
+SIb3DQEBCwUAA4IBAQCUzIEDQDNrbu0DfGXtGwPzrE1m146C4K6ft3vVyOW2TdXb
+etak2gEsvTayNTyOBQGtgcvp+HhQhaJaHei5FzLqvmGXKpa8Q+od8NW7V5PZVZFN
+RyTOmxAH4Y9+4SOqvclR4zT/Wy89tw5vr34rfN/sxcNW3iB/5/ZAGbaYwoSK96wZ
+3zHgjLPBFTYMgeRjgw+RPr7TRP6w2Mko/wLPXw/Ki2lFNuCyBsBvY98j8viV4eBi
+xXe6ZdUd4zAOtStHWT6gVQVj3aEBTsPlYxpWsmczLPijoKoa7KKYxwfJPfFpLwQX
+ANtgvRRtXEysQ3fKEOyzkPCv2YQlmcNuErrMIvkA
-----END CERTIFICATE-----
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf
new file mode 100644
index 0000000000..e7d258a722
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf
@@ -0,0 +1,36 @@
+{% if rewrite %}
+RewriteEngine On
+RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
+
+{% endif %}
+{% if header_scheme %}
+RequestHeader set X-Forwarded-Scheme https early
+RequestHeader set X-Scheme https early
+RequestHeader set X-Forwarded-Proto https early
+
+{% endif %}
+{% if header_expect %}
+RequestHeader unset Expect early
+
+{% endif %}
+{% if keephost %}
+ProxyPreserveHost On
+{% endif %}
+
+{% if 'phx2' in inventory_hostname %}
+
+{% if balancer_name is defined %}
+
+ {% for member in balancer_members %}
+ BalancerMember "{{ member }}/{{remotepath}}"
+ {% endfor %}
+
+ProxyPass {{ localpath }} "balancer://{{balancer_name}}"
+{% else %}
+ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
+{% endif %}
+ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
+
+{% else %}
+Redirect 421 /
+{% endif %}
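Review bot: In the balancer branch, `ProxyPass` targets `balancer://{{balancer_name}}` but `ProxyPassReverse` still maps `{{ proxyurl }}{{remotepath}}`. A redirect that a balancer member issues under its own URL would then reach clients unrewritten and expose the backend host name whenever `proxyurl` differs from the members. Move the reverse mapping into each branch, using `ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}"` in the balancer case. Separately, the member line joins with `"{{ member }}/{{remotepath}}"` while the other branch uses `{{ proxyurl }}{{remotepath}}`. If `remotepath` starts with a slash, as the `RewriteRule ^{{remotepath}}$` suggests, the member URL ends up with `//`.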
diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2
index 29da36f6b1..a58c6d4b61 100644
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@@ -111,6 +111,7 @@ Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild
tag =
user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
+ user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
user bodhi && tag *-override && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
has_perm autosign && fromtag *-pending && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
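Review bot: The added `fromtag module-*` rule has no comment explaining it, yet it widens what the `mbs/mbs.fedoraproject.org` principal may do with the signing-sensitive packages listed (kernel, shim, grub2, pesign and the release packages). As far as this `tag =` policy shows, the existing rule covers tagging into `module-*`, and the new one additionally allows operations whose source tag is `module-*`. Put a line above it saying which MBS operation needs this, e.g. `# MBS must be able to untag/move module builds of these packages`, adjusted to the real reason. That lets a later reader judge whether the rule can be narrowed.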
diff --git a/roles/manage-container-images/tasks/main.yml b/roles/manage-container-images/tasks/main.yml
index bd7e9e75f6..64c88cb071 100644
--- a/roles/manage-container-images/tasks/main.yml
+++ b/roles/manage-container-images/tasks/main.yml
@@ -18,11 +18,12 @@
src: "{{cert_src}}"
dest: "{{cert_dest_dir}}/client.cert"
owner: root
- mode: 0600
+ group: "releng-team"
+ mode: 0640
- name: install docker client key for registry
copy:
src: "{{key_src}}"
dest: "{{cert_dest_dir}}/client.key"
- owner: root
- mode: 0600
+ group: "releng-team"
+ mode: 0640
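Review bot: The `client.key` task loses its `owner: root` line while gaining `group: "releng-team"` and `mode: 0640`, so the owner of the registry client key is no longer pinned. The `client.cert` task just above keeps it. Restore `owner: root` on the key task. The mode change also makes the private key readable by every member of `releng-team`, both here and in the matching tasks in roles/push-docker/tasks/main.yml. If that is intended, say so in a comment such as `# releng-team members push images with this client cert`. Also confirm that `cert_dest_dir` itself is not traversable by other users.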
diff --git a/roles/nagios_client/templates/check_disk.cfg.j2 b/roles/nagios_client/templates/check_disk.cfg.j2
index de21bea478..79f7c8906e 100644
--- a/roles/nagios_client/templates/check_disk.cfg.j2
+++ b/roles/nagios_client/templates/check_disk.cfg.j2
@@ -1,4 +1,8 @@
+{% if inventory_hostname.startswith('openqa') %}
+command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /
+{% else %}
command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
+{% endif %}
command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /boot
command[check_disk_/git]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /git
command[check_disk_/mnt/koji]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /mnt/koji
diff --git a/roles/nagios_server/templates/nagios/services/websites.cfg.j2 b/roles/nagios_server/templates/nagios/services/websites.cfg.j2
index dc329742da..4e657b486b 100644
--- a/roles/nagios_server/templates/nagios/services/websites.cfg.j2
+++ b/roles/nagios_server/templates/nagios/services/websites.cfg.j2
@@ -121,7 +121,7 @@ define service {
define service {
host_name status
service_description http-status.fedoraproject.org
- check_command check_website!d6tcqd4og8l21.cloudfront.net!/index.html!All systems go
+ check_command check_website_ssl!www.fedorastatus.org!/index.html!All systems go
use websitetemplate
}
diff --git a/roles/packages3/web/files/packages-httpd.conf b/roles/packages3/web/files/packages-httpd.conf
index c298d7bc77..ab381256aa 100644
--- a/roles/packages3/web/files/packages-httpd.conf
+++ b/roles/packages3/web/files/packages-httpd.conf
@@ -27,6 +27,22 @@ Alias /packages/images/icons /var/cache/fedoracommunity/packages/icons
Alias /packages/images /usr/share/fedoracommunity/public/images
Alias /packages/_res /usr/share/fedoracommunity/public/toscawidgets/resources/
+Alias /packages/tw2/resources/tw2.jqplugins.ui/static /usr/lib/python2.7/site-packages/tw2/jqplugins/ui/static
+Alias /packages/tw2/resources/tw2.jquery/static /usr/lib/python2.7/site-packages/tw2/jquery/static
+Alias /packages/tw2/resources/fedoracommunity.connectors.widgets.widgets/static /usr/lib/python2.7/site-packages/fedoracommunity/connectors/widgets/static
+
+
+ Require all granted
+
+
+
+ Require all granted
+
+
+
+ Require all granted
+
+
# Temporarily disabled until we can figure out how to get the moksha
# javascript resources pulled in with `python setup.py archive_tw_resources`
#Alias /community/toscawidgets /usr/share/fedoracommunity/public/toscawidgets
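Review bot: The three new aliases serve files directly from `/usr/lib/python2.7/site-packages`, and the container lines that should scope each `Require all granted` are not readable in this hunk. Confirm that each grant is limited to the `static` directory named in its alias and not to a parent package directory, since a wider grant would expose Python sources and any config that ships alongside. The paths also hard-code `python2.7`, so the aliases stop resolving if the interpreter version changes. A comment above the block saying which widgets need these resources would help.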
diff --git a/roles/push-docker/tasks/main.yml b/roles/push-docker/tasks/main.yml
index 0fec869d83..56325014eb 100644
--- a/roles/push-docker/tasks/main.yml
+++ b/roles/push-docker/tasks/main.yml
@@ -14,14 +14,16 @@
src: "{{private}}/files/koji/{{docker_cert_name}}.cert.pem"
dest: "{{docker_cert_dir}}/client.cert"
owner: root
- mode: 0600
+ group: "releng-team"
+ mode: 0640
- name: install docker client key for registry
copy:
src: "{{private}}/files/koji/{{docker_cert_name}}.key.pem"
dest: "{{docker_cert_dir}}/client.key"
owner: root
- mode: 0600
+ group: "releng-team"
+ mode: 0640
- name: start and enable docker
service: name=docker state=started enabled=yes