Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of /git/ansible

Browse source
This commit is contained in:
Stephen Smoogen 2015-03-20 17:08:42 +00:00
commit 7a093b827c
29 changed files with 423 additions and 1341 deletions
Download patch file Download diff file Expand all files Collapse all files

58
files/koschei/config.cfg.j2 Normal file
View file

@ -0,0 +1,58 @@
# This is a config file for Koschei that can override values in default
# configuration in /usr/share/koschei/config.cfg. It is a python file expecting
# assignment to config dictionary which will be recursively merged with the
# default one.
config = {
"database_config": {
"username": "koschei",
"password": "{{ koschei_pgsql_password }}",
"database": "koschei"
},
"koji_config": {
"cert": "/etc/koschei/koschei.pem",
"ca": "/etc/koschei/fedora-ca.cert",
"server_ca": "/etc/koschei/fedora-ca.cert",
},
"flask": {
"SECRET_KEY": "{{ koschei_flask_secret_key }}",
},
"logging": {
"loggers": {
"": {
"level": "DEBUG",
"handlers": ["stderr", "email"],
},
},
"handlers": {
"email": {
"class": "logging.handlers.SMTPHandler",
"level": "WARN",
"mailhost": "localhost",
"fromaddr": "koschei@fedoraproject.org",
"toaddrs": ['msimacek@redhat.com', 'mizdebsk@redhat.com'],
"subject": "Koschei warning",
},
},
},
"fedmsg-publisher": {
"enabled": True,
"modname": "koschei",
},
# "services": {
# "polling": {
# "interval": 60,
# },
# },
"dependency": {
"repo_chache_items": 5,
"keep_build_deps_for": 2
},
"koji_config": {
"max_builds": 30
},
}
# Local Variables:
# mode: Python
# End:
# vi: ft=python

13
files/koschei/koschei.repo Normal file
View file

@ -0,0 +1,13 @@
[koschei-mizdebsk]
name=Koschei repo
baseurl=https://mizdebsk.fedorapeople.org/koschei/repo/
enabled=1
gpgcheck=0
metadata_expire=60
[koschei-msimacek]
name=Koschei repo
baseurl=https://msimacek.fedorapeople.org/koschei/repo/
enabled=1
gpgcheck=0
metadata_expire=60

2
inventory/group_vars/koji-stg
View file

@ -12,7 +12,7 @@ tcp_ports: [ 80, 443, 111, 2049,
udp_ports: [ 111, 2049 ]
fas_client_groups: sysadmin-releng
fas_client_groups: sysadmin-releng,fi-apprentice
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:

4
inventory/host_vars/mirrorlist-dedicatedsolutions.fedoraproject.org
View file

@ -2,8 +2,8 @@
nm: 255.255.255.0
gw: 67.219.144.1
dns: 8.8.8.8
ks_url: http://209.132.181.6/repo/rhel/ks/kvm-rhel-6
ks_repo: http://209.132.181.6/repo/rhel/RHEL6-x86_64/
ks_url: http://209.132.181.6/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://209.132.181.6/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_virthost
eth0_ip: 67.219.144.67
vmhost: dedicatedsolutions01.fedoraproject.org

4
inventory/host_vars/mirrorlist-ibiblio.fedoraproject.org
View file

@ -2,8 +2,8 @@
nm: 255.255.255.128
gw: 152.19.134.129
dns: 152.2.21.1
ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-6
ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/
ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_ibiblio04
eth0_ip: 152.19.134.194
vmhost: ibiblio04.fedoraproject.org

4
inventory/host_vars/mirrorlist-osuosl.fedoraproject.org
View file

@ -2,8 +2,8 @@
nm: 255.255.255.192
gw: 140.211.169.193
dns: 8.8.8.8
ks_url: http://209.132.181.6/repo/rhel/ks/kvm-rhel-6
ks_repo: http://209.132.181.6/repo/rhel/RHEL6-x86_64/
ks_url: http://209.132.181.6/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://209.132.181.6/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_server
eth0_ip: 140.211.169.228
vmhost: osuosl02.fedoraproject.org

8
inventory/inventory
View file

@ -343,13 +343,11 @@ fedoauth01.stg.phx2.fedoraproject.org
memcached01.phx2.fedoraproject.org
memcached02.phx2.fedoraproject.org
[mirrorlist]
mirrorlist-osuosl.fedoraproject.org
mirrorlist-ibiblio.fedoraproject.org
mirrorlist-dedicatedsolutions.fedoraproject.org
[mirrorlist2]
mirrorlist-dedicatedsolutions.fedoraproject.org
mirrorlist-host1plus.fedoraproject.org
mirrorlist-ibiblio.fedoraproject.org
mirrorlist-osuosl.fedoraproject.org
mirrorlist-phx2.phx2.fedoraproject.org
[mirrorlist2-stg]

56
playbooks/groups/mirrorlist.yml
View file

@ -1,56 +0,0 @@
# create a new mirrorlist server
# NOTE: should be used with --limit most of the time
# NOTE: make sure there is room/space for this server on the vmhost
# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars
- name: make mirrorlist app server
hosts: mirrorlist
user: root
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- include: "{{ tasks }}/virt_instance_create.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: make the box be real
hosts: mirrorlist
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- denyhosts
- nagios_client
- geoip
- hosts
- fas_client
- collectd/base
- mirrormanager/mirrorlist
- sudo
- { role: openvpn/client,
when: env != "staging" }
tasks:
# this is how you include other task lists
- include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/apache.yml"
- include: "{{ tasks }}/mod_wsgi.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"

2
playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
View file

@ -285,7 +285,7 @@
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{controller_hostname}}:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://{{controller_private_ip}}:8080' --internalurl 'https://{{controller_private_ip}}:8080/v1/AUTH_%(tenant_id)s' ) || true
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{controller_hostname}}:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://{{controller_hostname}}:8080' --internalurl 'https://{{controller_hostname}}:8080/v1/AUTH_%(tenant_id)s' ) || true
# swift_s3
- shell: source /root/keystonerc_admin && keystone service-list | grep 'swift_s3' | awk '{print $2}'
register: SERVICE_ID

80
playbooks/hosts/koschei.cloud.fedoraproject.org.yml
View file

@ -15,21 +15,101 @@
gather_facts: True
user: fedora
sudo: yes
tags: koschei
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
packages:
- koschei
services:
- koschei-polling
- koschei-resolver
- koschei-scheduler
- koschei-watcher
# httpd is here temporarly only, it will be removed once koschei
# implements "base" role
- httpd
# flag controlling whether koji PEM private key and certificate
# should be deployed by playbook
cert: false
tasks:
- include: "{{ tasks }}/growroot_cloud.yml"
- include: "{{ tasks }}/cloud_setup_basic.yml"
- include: "{{ tasks }}/postfix_basic.yml"
# Temporary yum repo hosted on fedorapeople, it will be replaced by
# Fedora infra repo once Koschei completes RFR. Copr can't be used
# because of limitations of Fedora cloud routing -- machines in
# different networks can't access each other, even through public IP
- name: add koschei yum repo
action: copy src="{{ files }}/koschei/koschei.repo" dest="/etc/yum.repos.d/koschei.repo"
- name: yum update koschei package
yum: name={{item}} state=latest
with_items: "{{packages}}"
register: yumupdate
# TODO: restart httpd
tags:
- packages
- name: stop koschei
action: service name={{item}} state=stopped
with_items: "{{services}}"
when: yumupdate.changed
- name: install /etc/koschei/config.cfg file
template: src="{{ files }}/koschei/config.cfg.j2" dest="/etc/koschei/config.cfg"
notify:
- restart koschei
# TODO: restart httpd
tags:
- config
- name: install koschei.pem koji key and cert
copy: >
src="{{ private }}/files/koschei/koschei.pem"
dest="/etc/koschei/koschei.pem"
owner=koschei
group=koschei
mode=0400
when: cert
tags:
- config
- name: install koji ca cert
copy: >
src="{{ puppet_private }}/fedora-ca.cert"
dest="/etc/koschei/fedora-ca.cert"
owner=root
group=root
mode=0644
tags:
- config
- name: run koschei migration
command: alembic -c /usr/share/koschei/alembic.ini upgrade head
sudo_user: koschei
when: yumupdate.changed
- name: enable koschei to start
action: service name={{item}} state=running enabled=true
with_items: "{{services}}"
tags:
- service
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: restart koschei
action: service name={{item}} state=restarted
with_items: "{{services}}"
- name: setup fedmsg
hosts: koschei.cloud.fedoraproject.org
user: root

4
playbooks/manual/restart-fedmsg-services.yml
View file

@ -58,8 +58,8 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: schedule a 10 minute downtime. give notifs backend time to start up.
nagios: action=downtime minutes=10 service=host host={{ inventory_hostname }}
- name: schedule a 15 minute downtime. give notifs backend time to start up.
nagios: action=downtime minutes=15 service=host host={{ inventory_hostname }}
delegate_to: noc01.phx2.fedoraproject.org
ignore_errors: true

16
playbooks/manual/upgrade/fmn.yml
View file

@ -33,7 +33,7 @@
pre_tasks:
- name: tell nagios to shush w.r.t. the frontend
nagios: action=downtime minutes=60 service=host host={{ inventory_hostname }}
nagios: action=downtime minutes=15 service=host host={{ inventory_hostname }}
delegate_to: noc01.phx2.fedoraproject.org
ignore_errors: true
@ -55,7 +55,7 @@
pre_tasks:
- name: tell nagios to shush w.r.t. the backend
nagios: action=downtime minutes=60 service=host host={{ inventory_hostname }}
nagios: action=downtime minutes=15 service=host host={{ inventory_hostname }}
delegate_to: noc01.phx2.fedoraproject.org
ignore_errors: true
@ -76,11 +76,13 @@
- name: And... start the backend again
service: name="fedmsg-hub" state=started
post_tasks:
- name: tell nagios to unshush w.r.t. the backend
nagios: action=unsilence service=host host={{ inventory_hostname }}
delegate_to: noc01.phx2.fedoraproject.org
ignore_errors: true
# Don't bother unshushing the backend here. it takes a few minutes to start
# up anyways, so just let the downtime expire.
#post_tasks:
#- name: tell nagios to unshush w.r.t. the backend
# nagios: action=unsilence service=host host={{ inventory_hostname }}
# delegate_to: noc01.phx2.fedoraproject.org
# ignore_errors: true
- name: restart the frontend
hosts: notifs-web;notifs-web-stg

3
roles/base/files/resolv.conf/dedicatedsolutions Normal file
View file

@ -0,0 +1,3 @@
search vpn.fedoraproject.org fedoraproject.org
nameserver 8.8.8.8
nameserver 8.8.4.4

151
roles/base/files/ssh/sshd_config.21 Normal file
View file

@ -0,0 +1,151 @@
# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin without-password
StrictModes yes
PasswordAuthentication no
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Uncomment this if you want to use .local domain
#Host *.local
# CheckHostIP no
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

29
roles/git/hooks/files/post-receive-fedmsg Normal file → Executable file
View file

@ -2,6 +2,7 @@
import getpass
import os
import subprocess as sp
import sys
from collections import defaultdict
@ -26,15 +27,19 @@ config['active'] = True
config['endpoints']['relay_inbound'] = config['relay_inbound']
fedmsg.init(name='relay_inbound', cert_prefix='scm', **config)
def revs_between(head, base):
""" Yield revisions between HEAD and BASE. """
# XXX REALLY, just yield head.
# We used to try to navigate the git history and return all the commits in
# between, but we got into infinite loops more than once because git.
# We could shell out to 'git rev-list head...base', but I'm just not ready
# to do that yet.
yield head.id
# pygit2 can't do a rev-list yet, so we have to shell out.. silly.
cmd = '/usr/bin/git rev-list %s...%s' % (head.id, base.id)
proc = sp.Popen(cmd.split(), stdout=sp.PIPE, stderr=sp.PIPE, cwd=abspath)
stdout, stderr = proc.communicate()
if proc.returncode != 0:
raise IOError('git rev-list failed: %r, err: %r' % (stdout, stderr))
for line in stdout.strip().split('\n'):
yield line.strip()
def build_stats(commit):
@ -62,6 +67,8 @@ def build_stats(commit):
return files, total
seen = []
# Read in all the rev information git-receive-pack hands us.
lines = [line.split() for line in sys.stdin.readlines()]
for line in lines:
@ -112,6 +119,16 @@ for line in lines:
print "* Publishing information for %i commits" % len(commits)
for commit in commits:
# Keep track of whether or not we have already published this commit on
# another branch or not. It is conceivable that someone could make a
# commit to a number of branches, and push them all at the same time.
# Make a note in the fedmsg payload so we can try to reduce spam at a
# later stage.
if commit['rev'] in seen:
commit['seen'] = True
else:
commit['seen'] = False
seen.append(commit['rev'])
if commit is None:
continue

6
roles/haproxy/files/haproxy.cfg.stg
View file

@ -93,10 +93,10 @@ listen totpcgiprovision 0.0.0.0:10019
server fas01 fas01:8444 check inter 5s rise 1 fall 2
option httpchk GET /index.cgi
listen fedoauth 0.0.0.0:10020
listen ipsilon 0.0.0.0:10020
balance hdr(appserver)
server fedoauth01 fedoauth01:80 check inter 10s rise 1 fall 2
option httpchk GET /static/fedora/fedora-authn-logo-white.png
server ipsilon01 ipsilon01:80 check inter 10s rise 1 fall 2
option httpchk GET /ui/fedora/repeater.png
listen askbot 0.0.0.0:10021
balance hdr(appserver)

1048
roles/mirrormanager/mirrorlist/files/mirrorlist_server.py
View file

File diff suppressed because it is too large Load diff

1
roles/mirrormanager/mirrorlist/files/mm-authorized_key
View file

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA1+Mq0V8RPuCZrjsSz2y56tVR+hykwoYSodhs6ivqkuf16PHo1Aq2PR+I7xnxnJ/fqF20UEV4bmRFs9k4y/QnMOwi90O32vC3WZmfLfoY9S9dzUYXXOYy0lQZPMjmB+yOYZhhGIu2HTc4/CHKjVpCUZKHXwgkouEwsAEHQI86TrepvPwt5GrmAeZjcRp8T3maaFlRf8UFgcajF9ztgiEnBpWBEKaemtUtQ/g9cr/SwNMT3GK+M4qMVaXkuTCeiKwqxueZmTgn76aQ11sfoWYi1lVCyYt02iMDoBLaLERbwBLt3WpY/l3tQaZiPVoRPDH2EQb6v/XISsXNsqGtnc8APfhkVniURNwW/Qz8eXhpnd7GlU90iWPExvGo/Eaj2cNemgiNZH7/U7OKe3/7Li+IpPDhLCfJ8ue7Nqn+2uqhEWvzZXvamzcvEg89PBbgrdHDvJqVLnfsMDuDEo93KZ2pCfTGmjbYjbV3nnArhimLjkkb2E86489F09p65e4AoZw3HFgeW8yA3ecXtXd9FmYYkL0urT1AZFuJ/9B364h4gOqUt0oO7aW0vqhS1hW+7brIJ2DzM/vn90ONk8JVt1T3DvmgmVLxtuo1wu1PkDtekZNtJPGuGzvt5TYDjGPwZzrkYdYazLow3NMCyrhV6oNm8sxuZCLxeyZdM83Q7xty5nM= toshio@puppet1.fedora.phx.redhat.com

4
roles/mirrormanager/mirrorlist/files/mm_sync_data
View file

@ -1,4 +0,0 @@
#!/bin/bash
rsync -az --delete-delay --delay-updates --delete mirrormanager@bapp02:/var/lib/mirrormanager/ /var/lib/mirrormanager/
kill -HUP $(cat /var/run/mirrormanager/mirrorlist_server.pid)

67
roles/mirrormanager/mirrorlist/files/supervisord.conf
View file

@ -1,67 +0,0 @@
[supervisord]
http_port=/var/tmp/supervisor.sock ; (default is to run a UNIX domain socket server)
;http_port=127.0.0.1:9001 ; (alternately, ip_address:port specifies AF_INET)
;sockchmod=0700 ; AF_UNIX socketmode (AF_INET ignore, default 0700)
;sockchown=nobody.nogroup ; AF_UNIX socket uid.gid owner (AF_INET ignores)
;umask=022 ; (process file creation umask;default 022)
logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
logfile_backups=10 ; (num of main logfile rotation backups;default 10)
loglevel=info ; (logging level;default info; others: debug,warn)
pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
nodaemon=false ; (start in foreground if true;default false)
minfds=1024 ; (min. avail startup file descriptors;default 1024)
minprocs=200 ; (min. avail process descriptors;default 200)
;nocleanup=true ; (don't clean up tempfiles at start;default false)
;http_username=user ; (default is no username (open system))
;http_password=123 ; (default is no password (open system))
;childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP)
;user=chrism ; (default is current user, required if root)
;directory=/tmp ; (default is not to cd during start)
;environment=KEY=value ; (key value pairs to add to environment)
[supervisorctl]
serverurl=unix:///var/tmp/supervisor.sock ; use a unix:// URL for a unix socket
;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
;username=chris ; should be same as http_username if set
;password=123 ; should be same as http_password if set
;prompt=mysupervisor ; cmd line prompt (default "supervisor")
; The below sample program section shows all possible program subsection values,
; create one or more 'real' program: sections to be able to control them under
; supervisor.
;[program:theprogramname]
;command=/bin/cat ; the program (relative uses PATH, can take args)
;priority=999 ; the relative start priority (default 999)
;autostart=true ; start at supervisord start (default: true)
;autorestart=true ; retstart at unexpected quit (default: true)
;startsecs=10 ; number of secs prog must stay running (def. 10)
;startretries=3 ; max # of serial start failures (default 3)
;exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
;stopsignal=QUIT ; signal used to kill process (default TERM)
;stopwaitsecs=10 ; max num secs to wait before SIGKILL (default 10)
;user=chrism ; setuid to this UNIX account to run the program
;log_stdout=true ; if true, log program stdout (default true)
;log_stderr=true ; if true, log program stderr (def false)
;logfile=/var/log/cat.log ; child log path, use NONE for none; default AUTO
;logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
;logfile_backups=10 ; # of logfile backups (default 10)
[program:mirrorlist_server]
command=/usr/share/mirrormanager/mirrorlist-server/mirrorlist_server.py
priority=1
autostart=true
autorestart=true
startsecs=10
startretries=5
stopsignal=TERM
stopwaitsecs=10
user=mirrormanager
log_stderr=true
log_stdout=true
logfile=/var/log/mirrormanager/mirrorlist-server.log
logfile_maxbytes=50MB
logfile_backups=10

60
roles/mirrormanager/mirrorlist/tasks/main.yml
View file

@ -1,60 +0,0 @@
---
# tasklist for setting up the mirrorlist app components
# create mirrormanager user
- name: add mirrormanager user - uid {{ mirrormanager_uid }}
user: name=mirrormanager uid={{ mirrormanager_uid }} state=present home=/home/mirrormanager createhome=yes
- name: install supervisor and mirrormanager
yum: pkg={{ item }} state=present
with_items:
- supervisor
- mirrormanager
tags:
- packages
# Put in the HOTFIX
- name: HOTFIX mirrorlist_server.py
copy: >
src=mirrorlist_server.py dest=/usr/share/mirrormanager/mirrorlist-server/mirrorlist_server.py
owner=root group=root mode=0755
tags:
- files
notify:
- restart httpd
- restart supervisord
# mirrormanager user ssh key(s)
- name: add authorized_keys for mirrormanager
authorized_key: key="{{ item }}" user=mirrormanager state=present
with_file:
- mm-authorized_key
# install mirrorlist-server.conf apache config
- name: mirrorlist-server apache conf
template: src=mirrorlist-server.conf dest=/etc/httpd/conf.d/mirrorlist-server.conf
notify:
- restart apache
tags:
- config
# nuke mirrormanager.conf so that it doesn't start up
- name: kill /etc/httpd/conf.d/mirrrormanager.conf
copy: 'content="#blanked on purpose" dest=/etc/httpd/conf.d/mirrormanager.conf'
when: inventory_hostname.startswith('mirrorlist')
notify:
- restart apache
tags:
- config
# selinux policy - mirrormanager - put in place - for the sockfile
#
# setup and configure supervisord
- name: /etc/supervisord.conf
copy: src=supervisord.conf dest=/etc/supervisord.conf mode=0644
notify:
- restart supervisord
- name: enable supervisord
service: name=supervisord state=started enabled=yes

56
roles/mirrormanager/mirrorlist/templates/mirrorlist-server.conf
View file

@ -1,56 +0,0 @@
KeepAlive off
Alias /mirrorlists /var/lib/mirrormanager/mirrorlists/
Alias /publiclist /var/lib/mirrormanager/mirrorlists/publiclist/
Alias /static /var/lib/mirrormanager/mirrorlists/static/
<Directory /var/lib/mirrormanager/mirrorlists>
Options Indexes FollowSymLinks
</Directory>
WSGIDaemonProcess mirrorlist user=apache processes={{ mirrorlist_procs }} threads=1 display-name=mirrorlist maximum-requests=1000
WSGIScriptAlias /metalink /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi
WSGIScriptAlias /mirrorlist /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi
# Set this if you do not have a Reverse Proxy (HTTP Accelerator) that
# is in front of your application server running this code.
# SetEnv mirrorlist_client.noreverseproxy 1
<Location /mirrorlist>
WSGIProcessGroup mirrorlist
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order deny,allow
Allow from all
</IfModule>
</Location>
<Location /metalink>
WSGIProcessGroup mirrorlist
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order deny,allow
Allow from all
</IfModule>
</Location>
<Location /publiclist>
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order deny,allow
Allow from all
</IfModule>
</Location>

4
roles/mirrormanager/mirrorlist/vars/main.yml
View file

@ -1,4 +0,0 @@
mirrormanager_uid: 441
mirrormanager_gid: 441
mirrors_gid: 263
mirrors2_gid: 529

16
roles/mirrormanager/mirrorlist2/tasks/main.yml
View file

@ -58,14 +58,14 @@
- mirrorlist2
- selinux
- name: check to see if its even installed yet
shell: semodule -l | grep mirrorlist2 | wc -l
register: ficgeneral_grep
always_run: true
changed_when: "'0' in ficgeneral_grep.stdout"
tags:
- mirrorlist2
- selinux
#- name: check to see if its even installed yet
# shell: semodule -l | grep mirrorlist2 | wc -l
# register: ficgeneral_grep
# always_run: true
# changed_when: "'0' in ficgeneral_grep.stdout"
# tags:
# - mirrorlist2
# - selinux
#- name: install our general mirrorlist2 selinux module
# command: semodule -i /usr/share/mirrorlist2/mirrorlist2.pp

1
roles/nagios_server/files/irc-colorize.py
View file

@ -29,6 +29,7 @@ mirc_colors = {
mapping = {
'RECOVERY': 'green',
'OK': 'green',
'ACKNOWLEDGEMENT': 'yellow',
'UNKNOWN': 'purple',
'WARNING': 'teal',
# 'red' probably makes the most sense here, but it behaved oddly

47
roles/notifs/backend/files/bin/fmn-disable-account Executable file
View file

@ -0,0 +1,47 @@
#!/usr/bin/env python
""" fmn-disable-account USER
Disables the FMN account for a user.
"""
import argparse
import fedmsg
import fedmsg.config
import fmn.lib
import fmn.lib.models
def parse_args():
parser = argparse.ArgumentParser(__doc__)
parser.add_argument('user', help='FAS username to disable.')
parser.add_argument('--context', nargs='+', default=['irc', 'email'],
help="Contexts to disable. Defaults to all.")
return parser.parse_args()
def disable(session, user, contexts):
openid = '%s.id.fedoraproject.org' % user
for context in contexts:
pref = fmn.lib.models.Preference.load(session, openid, context)
if pref:
print "Disabling %r for %r" % (context, openid)
pref.set_enabled(session, False)
else:
print "No context %r found for %r" % (context, openid)
if __name__ == '__main__':
args = parse_args()
config = fedmsg.config.load_config()
config.update({
'active': True,
'name': 'relay_inbound',
'cert_prefix': 'fmn',
})
fedmsg.init(**config)
session = fmn.lib.models.init(config['fmn.sqlalchemy.uri'])
disable(session, args.user, args.context)

6
roles/notifs/backend/tasks/main.yml
View file

@ -34,3 +34,9 @@
tags:
- notifs
- notifs/backend
- name: copy over admin utility scripts
synchronize: src=bin/ dest=/usr/local/bin/
tags:
- notifs
- notifs/backend

6
tasks/persistent_cloud_new.yml
View file

@ -61,5 +61,7 @@
# local_action: "shell nova --insecure {{_OS_AUTH_OPTS}} volume-attach {{inventory_hostname}} {{item}} "
# with_items: volumes
# when: volumes is defined and vm_status.stdout != "ACTIVE"
nova --os-username=admin --os-password=c24da73c18e7880cbb6f --os-tenant-name=copr --os-auth-url="https://fed-cloud09.cloud.fedoraproject.org:5000/v2.0" volume-attach test ff735862-ac95-4b7f-82ba-081583e46898
nova --os-username=admin --os-password=c24da73c18e7880cbb6f --os-tenant-name=copr --os-auth-url="https://fed-cloud09.cloud.fedoraproject.org:5000/v2.0" volume-list |grep foo
# instance can be both id and name, volume must be id
- shell: source keystonerc_admin && nova --os-tenant-name={{inventory_tenant}} volume-list | grep ' {{item}} ' | grep 'available' && nova --os-tenant-name={{inventory_tenant}} volume-attach "{{inventory_instance_name}}" "{{item}}"
with_items: inventory_volumes

8
tasks/postfix_basic.yml
View file

@ -8,10 +8,10 @@
action: copy src={{ item }} dest=/etc/postfix/main.cf
with_first_found:
- "{{ postfix_maincf }}"
- "{{ roles }}/base/files/postfix/main.cf.{{ ansible_fqdn }}"
- "{{ roles }}/base/files/postfix/main.cf.{{ inventory_hostname }}"
- "{{ roles }}/base/files/postfix/main.cf.{{ host_group }}"
- "{{ roles }}/base/files/postfix/main.cf.{{ postfix_group }}"
- "{{ roles }}/base/files/postfix/main.cf/main.cf.{{ ansible_fqdn }}"
- "{{ roles }}/base/files/postfix/main.cf/main.cf.{{ inventory_hostname }}"
- "{{ roles }}/base/files/postfix/main.cf/main.cf.{{ host_group }}"
- "{{ roles }}/base/files/postfix/main.cf/main.cf.{{ postfix_group }}"
- "{{ roles }}/base/files/postfix/main.cf/main.cf"
notify:
- restart postfix