From b44af2e6ce4c53875a8901b2ed1f62e0411fece9 Mon Sep 17 00:00:00 2001
From: Nick Bebout
Date: Tue, 21 Oct 2014 00:00:38 +0000
Subject: [PATCH 1/7] Try disabling SSLv3 in the individual SKS virtualhost bloks
---
 roles/keyserver/files/sks.conf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/keyserver/files/sks.conf b/roles/keyserver/files/sks.conf
index f7963acd1a..3e83e4dbd5 100644
--- a/roles/keyserver/files/sks.conf
+++ b/roles/keyserver/files/sks.conf
@@ -54,6 +54,7 @@ NameVirtualHost *:443
 SSLCertificateFile /etc/pki/tls/wildcard-2014.fedoraproject.org.cert
 SSLCertificateChainFile /etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert
 SSLCertificateKeyFile /etc/pki/tls/wildcard-2014.fedoraproject.org.key
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
 ProxyPass / http://localhost:11371/
 ProxyPassReverse / http://localhost:11371/
 SetEnv proxy-nokeepalive 1
@@ -68,6 +69,7 @@ NameVirtualHost *:443
 SSLEngine on
 SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
 SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
 ProxyPass / http://localhost:11371/
 ProxyPassReverse / http://localhost:11371/
 SetEnv proxy-nokeepalive 1
From 499ab100c9695cc8ba6314e60b771e4d5342baea Mon Sep 17 00:00:00 2001
From: Nick Bebout
Date: Tue, 21 Oct 2014 00:07:37 +0000
Subject: [PATCH 2/7] Finish SSL changes for sks
---
 roles/keyserver/files/sks.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/roles/keyserver/files/sks.conf b/roles/keyserver/files/sks.conf
index 3e83e4dbd5..bc359b3814 100644
--- a/roles/keyserver/files/sks.conf
+++ b/roles/keyserver/files/sks.conf
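Review bot: `SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2` is added inside each `<VirtualHost *:443>` block in both hunks of this patch, so any other TLS vhost in this file, or the server-wide mod_ssl default, keeps its previous protocol set unless it is edited as well. A server-level `SSLProtocol all -SSLv2 -SSLv3` placed outside the vhost blocks would give every vhost the same floor and make a forgotten block impossible. On older httpd releases the protocol version negotiated for a name-based vhost can follow the default vhost on that address rather than the block that is finally matched by SNI, so the outcome is best confirmed with a client test against each ServerName. The enclosing VirtualHost blocks start and end outside both hunks.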
@@ -48,13 +48,15 @@ NameVirtualHost *:443
 ServerAdmin sysadmin-keys-members@fedoraproject.org
 ServerName keys.fedoraproject.org
- ServerAlias keys01.fedoraproject.org
+ ServerAlias keys02.fedoraproject.org
 SSLEngine on
 SSLCertificateFile /etc/pki/tls/wildcard-2014.fedoraproject.org.cert
 SSLCertificateChainFile /etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert
 SSLCertificateKeyFile /etc/pki/tls/wildcard-2014.fedoraproject.org.key
 SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
 ProxyPass / http://localhost:11371/
 ProxyPassReverse / http://localhost:11371/
 SetEnv proxy-nokeepalive 1
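Review bot: This hunk also changes `ServerAlias keys01.fedoraproject.org` to `keys02.fedoraproject.org`, which has nothing to do with the SSL change named in the subject and is not mentioned in the commit message; confirm it is intended rather than a local edit that slipped in. The ordered `SSLCipherSuite` list added here and in the second hunk at `@@ -70,6 +72,8 @@` only expresses server preference if `SSLHonorCipherOrder on` is set, and that directive is not visible in either block — without it the client's ordering decides, so consider adding `SSLHonorCipherOrder on` directly after each `SSLCipherSuite` line. The same long list is now duplicated verbatim in two vhosts; defining it once at server level outside the `<VirtualHost>` blocks keeps the two from drifting apart. The enclosing VirtualHost blocks start and end outside both hunks.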
@@ -70,6 +72,8 @@ NameVirtualHost *:443
 SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
 SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
 SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
 ProxyPass / http://localhost:11371/
 ProxyPassReverse / http://localhost:11371/
 SetEnv proxy-nokeepalive 1
From 1e6db06f9036d63ff6e518ffab4711027d69ab0b Mon Sep 17 00:00:00 2001
From: Valentin Gologuzov
Date: Tue, 21 Oct 2014 12:13:20 +0200
Subject: [PATCH 3/7] [copr] fix configs location for backend
---
 roles/copr/backend/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml
index 1ab18497ea..ad92eaa105 100644
--- a/roles/copr/backend/tasks/main.yml
+++ b/roles/copr/backend/tasks/main.yml
@@ -106,7 +106,7 @@
 - provision_config
 - name: put provisioning files
- copy: src="provision/files" dest="/home/copr/provision/files"
+ synchronize: src="provision/files" dest="/home/copr/provision/"
 tags:
 - provision_config
From e3f1abadf1d85d1859656672fe954deca285cd98 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Tue, 21 Oct 2014 18:04:42 +0200
Subject: [PATCH 4/7] Wrap the anitya_cron job into lock-wrapper
---
 roles/anitya/backend/files/anitya.cron | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
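Review bot: Replacing `copy` with `synchronize` in the "put provisioning files" task changes the transfer semantics in ways the task does not pin down: `synchronize` runs rsync from the control host and, unless `delete: yes` is given, leaves behind whatever earlier `copy` runs already placed under `/home/copr/provision/files`, so stale provisioning files are never removed. With rsync's default archive mode the synced files may also keep controller-side ownership and permissions instead of those `copy` produced; an explicit `owner`/`group` follow-up or suitable `rsync_opts` would make the result deterministic. Since `src="provision/files"` has no trailing slash, rsync places the directory itself under `dest`, so the new `dest="/home/copr/provision/"` still lands at `/home/copr/provision/files` — a one-line comment on the task saying so would stop the next reader from thinking the path moved. The task list continues outside the hunk.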
diff --git a/roles/anitya/backend/files/anitya.cron b/roles/anitya/backend/files/anitya.cron
index 036a48325f..9ba6e88d08 100644
--- a/roles/anitya/backend/files/anitya.cron
+++ b/roles/anitya/backend/files/anitya.cron
@@ -1,3 +1,3 @@
 # Checks bi-daily for new versions
 #
-10 */12 * * * root ANITYA_WEB_CONFIG=/etc/anitya/anitya.cfg /usr/bin/python2 /usr/share/anitya/anitya_cron.py
+10 */12 * * * root ANITYA_WEB_CONFIG=/etc/anitya/anitya.cfg /usr/local/bin/lock-wrapper /usr/bin/python2 /usr/share/anitya/anitya_cron.py
From 09a4d956b74e9d5dc0f95500dea05c3585915b01 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Tue, 21 Oct 2014 18:07:41 +0200
Subject: [PATCH 5/7] Tag installing the cron job as: cron
---
 roles/anitya/backend/tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/anitya/backend/tasks/main.yml b/roles/anitya/backend/tasks/main.yml
index 0caf67986e..622eaff49e 100644
--- a/roles/anitya/backend/tasks/main.yml
+++ b/roles/anitya/backend/tasks/main.yml
@@ -108,5 +108,6 @@
 with_items:
 - { file: 'anitya.cron', location: /etc/cron.d }
 tags:
+ - cron
 - config
 - anitya_backend
From d9568029c3bed904d8680f34c69a7c31795d78f8 Mon Sep 17 00:00:00 2001
From: Valentin Gologuzov
Date: Tue, 21 Oct 2014 18:29:23 +0200
Subject: [PATCH 6/7] [copr] bugfix for copr-be-dev config
---
 roles/copr/backend/templates/copr-be.conf-dev | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/copr/backend/templates/copr-be.conf-dev b/roles/copr/backend/templates/copr-be.conf-dev
index dd25385fc6..705dcad18a 100644
--- a/roles/copr/backend/templates/copr-be.conf-dev
+++ b/roles/copr/backend/templates/copr-be.conf-dev
@@ -28,6 +28,8 @@ spawn_playbook=/home/copr/provision/builderpb.yml
 # default is /etc/copr/terminate_playbook.yml
 terminate_playbook=/home/copr/provision/terminatepb.yml
+terminate_vars=vm_name
+
 # directory where jobs are stored
 # no defaults
 jobsdir=/var/lib/copr/jobs
From b610e29a23dcbb36d955fb51e5095de7d1cf1454 Mon Sep 17 00:00:00 2001
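Review bot: The new cron line inserts `/usr/local/bin/lock-wrapper` directly in front of `/usr/bin/python2` with no explicit lock name; if the wrapper follows the common `lock-wrapper <lockname> <command>` convention, `/usr/bin/python2` would be taken as the lock name and `/usr/share/anitya/anitya_cron.py` as the command, and the job would not run as intended. Confirm the wrapper's calling convention from its source and, if it takes a name, write the line as `10 */12 * * * root ANITYA_WEB_CONFIG=/etc/anitya/anitya.cfg /usr/local/bin/lock-wrapper anitya_cron "/usr/bin/python2 /usr/share/anitya/anitya_cron.py"`. A short comment on the line above stating why the lock exists (to keep a slow run from overlapping the next one) would also help, since the existing comment only describes the schedule.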
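Review bot: `terminate_vars=vm_name` is added without the `# default is …` comment that every neighbouring key in this hunk carries, so a reader cannot tell what the value means or whether the key has a default. Add a comment above it in the file's own style, e.g. `# variables passed through to terminate_playbook (no default)`, adjusted to what copr-backend actually accepts. The subject describes this as a fix for the dev template only; if a non-dev copr-be.conf template exists next to it, check whether it is missing the same key.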
From: Valentin Gologuzov
Date: Tue, 21 Oct 2014 19:39:20 +0200
Subject: [PATCH 7/7] [copr] polishing frontend role-base playbooks
---
 playbooks/groups/copr-frontend.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/playbooks/groups/copr-frontend.yml b/playbooks/groups/copr-frontend.yml
index 367e7ffb31..1f9c291b35 100644
--- a/playbooks/groups/copr-frontend.yml
+++ b/playbooks/groups/copr-frontend.yml
@@ -1,7 +1,6 @@
 - name: check/create instance
 #hosts: copr-front-stg:copr-front
- #hosts: copr-front-stg
- hosts: copr-fe-dev.cloud.fedoraproject.org
+ hosts: copr-front-stg
 user: root
 gather_facts: False
@@ -15,7 +14,7 @@
 - name: cloud basic setup
- hosts: copr-back-stg
+ hosts: copr-front-stg
 vars_files:
 - /srv/web/infra/ansible/vars/global.yml
 - "{{ private }}/vars.yml"
@@ -25,8 +24,7 @@
 - name: provision instance
 #hosts: copr-front:copr-front-stg
- #hosts: copr-front-stg
- hosts: copr-fe-dev.cloud.fedoraproject.org
+ hosts: copr-front-stg
 user: root
 gather_facts: True
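Review bot: The first and third hunks remove one commented-out `#hosts:` line but keep the other (`#hosts: copr-front-stg:copr-front` and `#hosts: copr-front:copr-front-stg`) directly above the live `hosts: copr-front-stg`, so dead host selectors remain as the only hint of how to run this against production. Either drop them as well or turn them into a real comment that says when the wider group is meant to be used, e.g. `# use copr-front-stg:copr-front for a production rollout`. The second hunk's change from `copr-back-stg` to `copr-front-stg` corrects a frontend playbook that was targeting the backend group, which reads as the substantive fix here and is worth calling out separately from the host-name polishing. Each play continues outside its hunk.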