Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Merge branch 'main' of ssh://pagure.io/fedora-infra/ansible

Browse source
This commit is contained in:
Nick Bebout 2021-04-21 16:39:59 -05:00
commit 832455904e
81 changed files with 501 additions and 450 deletions
Download patch file Download diff file Expand all files Collapse all files

16
files/debuginfod/sysconfig.debuginfod Normal file
View file

@ -0,0 +1,16 @@
#
DEBUGINFOD_PORT="8002"
DEBUGINFOD_VERBOSE="-vv"
DEBUGINFOD_PATHS="--fdcache-fds=512 -t3600 -R /mnt/fedora_koji_prod/koji/packages -X /data/ -I \.(module_f|fc)(32|33|34|35)[.+].*\.rpm"
# prefer reliability/durability over performance
#DEBUGINFOD_PRAGMAS="-D 'pragma synchronous=full;'"
# upstream debuginfods
#DEBUGINFOD_URLS="http://secondhost:8002 http://thirdhost:8002"
#DEBUGINFOD_TIMEOUT="5"
#DEBUGINFOD_CACHE_DIR=""
# Don't use tmpfs /tmp on scarce-RAM machine.
TMPDIR=/var/tmp

33
inventory/group_vars/all
View file

@ -91,7 +91,7 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
@ -101,7 +101,7 @@ virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none'
@ -113,7 +113,7 @@ virt_install_command_one_nic_unsafe: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
@ -123,7 +123,7 @@ virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
@ -135,7 +135,7 @@ virt_install_command_ppc64le_one_nic_unsafe: virt-install -n {{ inventory_hostna
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
@ -145,7 +145,7 @@ virt_install_command_ppc64le_two_nic_unsafe: virt-install -n {{ inventory_hostna
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none'
@ -157,7 +157,7 @@ virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }}
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
@ -167,7 +167,7 @@ virt_install_command_aarch64_one_nic_unsafe: virt-install -n {{ inventory_hostna
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }}
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
@ -177,7 +177,7 @@ virt_install_command_aarch64_2nd_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }}
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address }}
@ -187,7 +187,7 @@ virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }}
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none'
@ -199,7 +199,7 @@ virt_install_command_armv7_one_nic: virt-install -n {{ inventory_hostname }} --a
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyAMA0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }}
@ -209,7 +209,7 @@ virt_install_command_armv7_one_nic_unsafe: virt-install -n {{ inventory_hostname
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyAMA0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }}
@ -219,7 +219,7 @@ virt_install_command_s390x_one_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }}
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
@ -229,7 +229,7 @@ virt_install_command_s390x_one_nic_unsafe: virt-install -n {{ inventory_hostname
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }}
'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
@ -239,7 +239,7 @@ virt_install_command_rhel6: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }}
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
"ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}
"inst.ksdevice=eth0 inst.ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}
gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }}"
--network=bridge=br0 --autostart --noautoconsole --watchdog default
@ -426,3 +426,6 @@ sshd_sftp: false
# Autodetect python version
#
ansible_python_interpreter: auto
# set no x-forward header by default
x_forward: false

6
inventory/group_vars/buildvm_armv7_stg
View file

@ -2,12 +2,12 @@
# common items for the buildvm-* koji builders
volgroup: /dev/vg_guests
lvm_size: 140000
mem_size: 24576
mem_size: 40960
max_mem_size: "{{ mem_size }}"
num_cpus: 5
max_cpu: "{{ num_cpus }}"
ks_url: http://10.3.163.35/repo/rhel/ks/buildvm-fedora-33-armv7
ks_repo: http://10.3.163.35/pub/fedora/linux/releases/33/Server/armhfp/os/
ks_url: http://10.3.163.35/repo/rhel/ks/buildvm-fedora-34-armv7
ks_repo: http://10.3.163.35/pub/fedora/linux/development/34/Server/armhfp/os/
nm: 255.255.255.0
gw: 10.3.167.254
dns: 10.3.163.33

8
inventory/group_vars/vmhost_copr → inventory/group_vars/copr_hypervisor
View file

@ -1,6 +1,7 @@
---
virthost: true
vpn: true
primary_auth_source: ipa
ipa_host_group: vmhost-copr
ipa_host_group_desc: VM hosts for COPR
@ -9,15 +10,10 @@ ipa_client_shell_groups:
ipa_client_sudo_groups:
- sysadmin-copr
nrpe_procs_warn: 1400
nrpe_procs_crit: 1500
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
vpn: false
vpn: true
postfix_group: copr
postfix_maincf: "postfix/main.cf/main.cf.copr"

11
inventory/group_vars/maintainer_test
View file

@ -2,6 +2,15 @@
freezes: false
sudoers: "{{ private }}/files/sudo/arm-packager-sudoers"
sudoers_main: nopasswd
host_group: cloud
datacenter: aws
ansible_ifcfg_blocklist: true
vpn: true
primary_auth_source: ipa
ipa_host_group: maintainer_test
ipa_host_group_desc: Test hosts for package maintainers
ipa_client_shell_groups:
- packager
ipa_client_sudo_nopasswd_groups:
- sysadmin-main
- packager

1
inventory/group_vars/openqa
View file

@ -6,7 +6,6 @@ external_hostname: openqa.fedoraproject.org
openqa_dbname: openqa
openqa_dbuser: openqa
openqa_dbpassword: "{{ prod_openqa_dbpassword }}"
openqa_assetsize: 500
openqa_key: "{{ prod_openqa_apikey }}"
openqa_secret: "{{ prod_openqa_apisecret }}"

4
inventory/group_vars/openqa_lab
View file

@ -17,9 +17,7 @@ external_hostname: openqa.stg.fedoraproject.org
openqa_dbname: openqa-stg
openqa_dbuser: openqastg
openqa_dbpassword: "{{ stg_openqa_dbpassword }}"
openqa_assetsize: 400
openqa_assetsize_ppc: 150
openqa_assetsize_aarch64: 150
openqa_assetsize_ppc: 300
openqa_key: "{{ stg_openqa_apikey }}"
openqa_secret: "{{ stg_openqa_apisecret }}"

4
inventory/group_vars/openqa_servers_common
View file

@ -9,7 +9,9 @@ openqa_nickname: adamwill
openqa_fullname: Adam Williamson
openqa_userid: http://adamwill.id.fedoraproject.org/
openqa_assetsize_updates: 100
openqa_assetsize: 600
openqa_assetsize_aarch64: 300
openqa_assetsize_updates: 200
# stg and prod use the same database server
openqa_dbhost: db-openqa01.iad2.fedoraproject.org

2
inventory/group_vars/os_masters_stg
View file

@ -11,5 +11,5 @@ nagios_Check_Services:
# Set some bodhi variables here.
# Since they are used when running playbooks against the master nodes.
#
bodhi_version: "5.6.1"
bodhi_version: "5.7.0"
bodhi_openshift_pods: 1

1
inventory/host_vars/aarch64-test01.fedorainfracloud.org
View file

@ -1,3 +1,2 @@
datacenter: aws
inventory_hostname: "aarch64-test01.fedorainfracloud.org"

3
inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org
View file

@ -6,13 +6,14 @@ dns1: 10.3.163.33
dns2: 10.3.163.34
has_ipv4: yes
eth0_ip: 10.3.167.46
eth0_ipv4: 10.3.167.46
eth0_ipv4_nm: 24
eth0_ipv4_gw: 10.3.167.254
has_ipv6: no
mac0: 52:54:00:d7:04:aa
mac0: 52:54:00:d4:6a:ca
network_connections:
- name: eth0

3
inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org
View file

@ -5,13 +5,14 @@ dns1: 10.3.163.33
dns2: 10.3.163.34
has_ipv4: yes
eth0_ip: 10.3.171.53
eth0_ipv4: 10.3.171.53
eth0_ipv4_nm: 24
eth0_ipv4_gw: 10.3.171.254
has_ipv6: no
mac0: 52:54:00:f0:f0:eb
mac0: 52:54:00:36:bc:34
network_connections:
- name: eth0

3
inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org
View file

@ -5,13 +5,14 @@ dns1: 10.3.163.33
dns2: 10.3.163.34
has_ipv4: yes
eth0_ip: 10.3.171.55
eth0_ipv4: 10.3.171.55
eth0_ipv4_nm: 24
eth0_ipv4_gw: 10.3.171.254
has_ipv6: no
mac0: 52:54:00:1e:dc:92
mac0: 52:54:00:68:64:dc
network_connections:
- name: eth0

3
inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org
View file

@ -5,13 +5,14 @@ dns1: 10.3.163.33
dns2: 10.3.163.34
has_ipv4: yes
eth0_ip: 10.3.171.56
eth0_ipv4: 10.3.171.56
eth0_ipv4_nm: 24
eth0_ipv4_gw: 10.3.171.254
has_ipv6: no
mac0: 52:54:00:a0:6b:4f
mac0: 52:54:00:cb:57:ef
network_connections:
- name: eth0

3
inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org
View file

@ -5,13 +5,14 @@ dns1: 10.3.163.33
dns2: 10.3.163.34
has_ipv4: yes
eth0_ip: 10.3.171.60
eth0_ipv4: 10.3.171.60
eth0_ipv4_nm: 24
eth0_ipv4_gw: 10.3.171.254
has_ipv6: no
mac0: 52:54:00:1e:bf:c1
mac0: 52:54:00:e0:0f:d5
network_connections:
- name: eth0

19
inventory/host_vars/el6-test.fedorainfracloud.org
View file

@ -1,19 +0,0 @@
---
tcp_ports: [22]
datacenter: aws
nagios_Check_Services:
mail: false
nrpe: false
sshd: false
named: false
dhcpd: false
httpd: false
swap: false
ping: false
raid: false
ansible_ssh_user: centos
ansible_become: true
ansible_become_user: root
ansible_become_method: sudo

12
inventory/host_vars/ipa02.stg.iad2.fedoraproject.org Normal file
View file

@ -0,0 +1,12 @@
---
nm: 255.255.255.0
gw: 10.3.166.254
dns: 10.3.163.33
ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-8-iad2
ks_repo: http://10.3.163.35/repo/rhel/RHEL8-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 10.3.166.63
vmhost: vmhost-x86-02.stg.iad2.fedoraproject.org
datacenter: iad2
## REMEMBER ONLY SET THIS TO TRUE WHEN WIPING SYSTEM TO MINIMUM
ipa_initial: false

11
inventory/inventory
View file

@ -115,12 +115,6 @@ virthost-cc-rdu03.fedoraproject.org
vmhost-x86-cc06.rdu-cc.fedoraproject.org
vmhost-x86-cc05.rdu-cc.fedoraproject.org
[vmhost_copr]
vmhost-x86-copr01.rdu-cc.fedoraproject.org
vmhost-x86-copr02.rdu-cc.fedoraproject.org
vmhost-x86-copr03.rdu-cc.fedoraproject.org
vmhost-x86-copr04.rdu-cc.fedoraproject.org
[datagrepper]
datagrepper01.iad2.fedoraproject.org
datagrepper02.iad2.fedoraproject.org
@ -308,6 +302,7 @@ ipa03.iad2.fedoraproject.org
[ipa_stg]
ipa01.stg.iad2.fedoraproject.org
ipa02.stg.iad2.fedoraproject.org
[ipsilon_stg]
ipsilon01.stg.iad2.fedoraproject.org
@ -669,6 +664,7 @@ oci-registry01.stg.iad2.fedoraproject.org
# fedimg01.stg.iad2.fedoraproject.org
github2fedmsg01.stg.iad2.fedoraproject.org
ipa01.stg.iad2.fedoraproject.org
ipa02.stg.iad2.fedoraproject.org
ipsilon01.stg.iad2.fedoraproject.org
koji01.stg.iad2.fedoraproject.org
#mailman01.stg.iad2.fedoraproject.org
@ -998,6 +994,9 @@ copr_dev_aws
[copr_hypervisor]
vmhost-x86-copr01.rdu-cc.fedoraproject.org
vmhost-x86-copr02.rdu-cc.fedoraproject.org
vmhost-x86-copr03.rdu-cc.fedoraproject.org
vmhost-x86-copr04.rdu-cc.fedoraproject.org
[copr_db_all:children]
copr_db_stg

4
playbooks/groups/bodhi-backend.yml
View file

@ -68,6 +68,10 @@
mnt_dir: '/pub/'
nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/'
- role: nfs/client
mnt_dir: '/pub/archive'
nfs_src_dir: 'fedora_ftp_archive'
- role: keytab/service
owner_user: apache
owner_group: apache

4
playbooks/groups/copr-hypervisor.yml
View file

@ -14,13 +14,11 @@
tasks:
- import_role: name=base
- import_role: name=hosts
- import_role: name=fas_client
- import_role: name=rkhunter
- import_role: name=nagios_client
- import_role: name=openvpn/client
- import_role: name=sudo
- import_role: name=ipa/client
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
handlers:

18
playbooks/groups/debuginfod.yml
View file

@ -28,6 +28,24 @@
tasks:
- import_tasks: "{{ tasks_path }}/motd.yml"
- name: install debuginfod
package: name=elfutils-debuginfod state=present
- name: install sqlite for diagnostics
package: name=sqlite state=present
- name: install rsync for data backups
package: name=rsync state=present
- name: install debuginfod configuration
copy: src="{{ files }}/debuginfod/sysconfig.debuginfod" dest=/etc/sysconfig/debuginfod owner=root group=root mode=644
- name: ensure debuginfod is enabled and started
service:
name: debuginfod
state: started
enabled: yes
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"

1
playbooks/groups/download.yml
View file

@ -38,6 +38,7 @@
- download
- rsyncd
- { role: nfs/client, when: datacenter == "iad2" or datacenter == "rdu", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
- { role: nfs/client, when: datacenter == "iad2" or datacenter == "rdu", mnt_dir: '/srv/pub/archive', nfs_src_dir: 'fedora_ftp_archive' }
- { role: nfs/client, when: datacenter == "iad2", mnt_dir: '/mnt/koji', nfs_src_dir: 'fedora_koji/koji/' } # needed for internal sync and odcs
- { role: nfs/client, when: datacenter == "iad2", mnt_dir: '/srv/odcs', nfs_src_dir: 'fedora_odcs' } # needed for internal sync
- sudo

61
playbooks/groups/maintainer-test.yml
View file

@ -1,58 +1,5 @@
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=aarch64_test:armv7_test"
- name: Do some basic cloud setup on them
hosts: maintainer_test:aarch64_test:armv7_test
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
hostname: name="{{inventory_hostname}}"
- name: setup second disk on aws maintainer-test instances
hosts: maintainer_test:\!ppc64le-test.fedorainfracloud.org
gather_facts: True
tags:
- maintainer-test
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: make a partition on first disk
parted: device=/dev/nvme0n1 number=1 state=present
tags:
- maintainer-test
when: inventory_hostname.startswith(('f30-test'))
- name: format the partition if it's not already
filesystem: dev=/dev/nvme0n1p1 fstype=ext4
tags:
- maintainer-test
when: inventory_hostname.startswith(('f30-test'))
ignore_errors: true
- name: mount cache filesystem on /var/cache/mock
mount: path=/var/cache/mock state=mounted src=/dev/nvme0n1p1 fstype=ext4
tags:
- maintainer-test
when: inventory_hostname.startswith(('f30-test'))
- name: bind mount cache filesystem on /var/lib/mock
mount: path=/var/lib/mock state=mounted src=/var/cache/mock fstype=none opts=bind
tags:
- maintainer-test
when: inventory_hostname.startswith(('f30-test'))
- name: Setup maintainer test hosts
hosts: maintainer_test:aarch64_test:armv7_test
hosts: maintainer_test
gather_facts: True
tags:
- maintainer-test
@ -70,8 +17,8 @@
- base
- rkhunter
- hosts
- fas_client
- sudo
- openvpn/client
- ipa/client
tasks:
# this is how you include other task lists
@ -81,7 +28,7 @@
dnf: state=present pkg={{ item }}
with_items:
- fedora-packager
when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
when: ansible_distribution == 'Fedora'
tags:
- packages

1
playbooks/groups/mirrormanager.yml
View file

@ -20,6 +20,7 @@
- sudo
- collectd/base
- { role: nfs/client, when: inventory_hostname.startswith('mm-backend01'), mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
- { role: nfs/client, when: inventory_hostname.startswith('mm-backend01'), mnt_dir: '/srv/pub/archive', nfs_src_dir: 'fedora_ftp_archive' }
pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"

5
playbooks/groups/releng-compose.yml
View file

@ -74,6 +74,11 @@
mnt_dir: '/pub'
nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub'
when: "'releng_compose' in group_names"
- role: nfs/client
mnt_dir: '/srv/fedora_ftp_archive'
nfs_src_dir: 'fedora_ftp_archive'
when: inventory_hostname.startswith('compose-rawhide')
#
# mount archive volumes on composer so we can run the archiving script there.
#

2
playbooks/groups/secondary.yml
View file

@ -22,7 +22,7 @@
- sudo
- { role: nfs/client,
mnt_dir: '/srv/pub/archive',
nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/archive' }
nfs_src_dir: 'fedora_ftp_archive' }
- { role: nfs/client,
mnt_dir: '/srv/pub/alt',
nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3",

2
playbooks/groups/sundries.yml
View file

@ -39,6 +39,8 @@
when: master_sundries_node|bool
- role: fedora-web/build
when: master_sundries_node|bool
- role: fedora-web/translation
when: master_sundries_node|bool
- role: fedora-budget/build
when: master_sundries_node|bool
- role: fedora-docs/build

37
playbooks/groups/vmhost_copr.yml
View file

@ -1,37 +0,0 @@
# create a new virthost server system
# This is a copy of the main one which is meant to be limited ONLY to vmhost_copr group for rbac
# NOTE: should be used with --limit most of the time
# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=vmhost_copr:!buildvmhost-s390x-01.s390.fedoraproject.org"
- name: make virthost server system
hosts: vmhost_copr
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
roles:
- base
- rkhunter
- nagios_client
- hosts
- { role: openvpn/client, when: vpn|bool }
- virthost
- ipa/client
- collectd/base
- sudo
tasks:
- import_tasks: "{{ tasks_path }}/motd.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"

6
playbooks/include/proxies-redirects.yml
View file

@ -111,6 +111,12 @@
regex: /voting
target: https://elections.fedoraproject.org/
- role: httpd/redirectmatch
shortname: calendar
website: apps.fedoraproject.org
regex: /calendar
target: https://calendar.fedoraproject.org/
- role: httpd/redirectmatch
shortname: mailman
website: admin.fedoraproject.org

1
playbooks/include/proxies-reverseproxy.yml
View file

@ -754,5 +754,6 @@
remotepath: /
localpath: /
proxyurl: http://debuginfod01:8002
proxyopts: "connectiontimeout=600 timeout=600 keepalive=on"
tags: debuginfod

2
playbooks/include/proxies-websites.yml
View file

@ -973,7 +973,9 @@
site_name: debuginfod.fedoraproject.org
sslonly: true
server_aliases: [debuginfod.stg.fedoraproject.org]
x_forward: true
cert_name: "{{wildcard_cert_name}}"
gzip: true
tags: debuginfod
- role: httpd/website

6
playbooks/manual/staging-sync/bodhi.yml
View file

@ -13,7 +13,7 @@
- service: name=httpd state=stopped
- name: bring staging services down (OpenShift web services)
hosts: os-master01.stg.phx2.fedoraproject.org
hosts: os-master01.stg.iad2.fedoraproject.org
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
@ -43,7 +43,7 @@
# Here's the meaty part in the middle
- name: drop and re-create the staging db entirely
hosts: pgbdr01.stg.phx2.fedoraproject.org
hosts: pgbdr01.stg.iad2.fedoraproject.org
user: root
become: yes
become_user: postgres
@ -68,7 +68,7 @@
- file: path=/var/tmp/bodhi2.dump state=absent
- name: bring staging services up (OpenShift web services)
hosts: os-master01.stg.phx2.fedoraproject.org
hosts: os-master01.stg.iad2.fedoraproject.org
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml

2
playbooks/manual/upgrade/bodhi.yml
View file

@ -76,7 +76,7 @@
tasks:
- set_fact:
# This will be a bool that indicates whether we need to run migrations or not.
migrations: "'(head)' not in hostvars['bodhi-backend01{{ env_suffix }}.phx2.fedoraproject.org']['current_migration_version'].stdout"
migrations: "'(head)' not in hostvars['bodhi-backend01{{ env_suffix }}.iad2.fedoraproject.org']['current_migration_version'].stdout"
- name: Scale down to 0 pods
command: oc -n bodhi scale dc/bodhi-web --replicas=0
when: migrations

8
playbooks/openshift-apps/languages.yml
View file

@ -71,28 +71,28 @@
post_tasks:
- name: run initial f.10 import
command: "oc create job stats-10-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-10"
command: "oc -n languages create job stats-10-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-10"
tags:
- never
- init
- f10
- name: run initial f.20 import
command: "oc create job stats-20-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-20"
command: "oc -n languages create job stats-20-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-20"
tags:
- never
- init
- f20
- name: run initial f.30 import
command: "oc create job stats-30-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-30"
command: "oc -n languages create job stats-30-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-30"
tags:
- never
- init
- f30
- name: run initial f.latest import
command: "oc create job stats-latest-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-latest"
command: "oc -n languages create job stats-latest-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-latest"
tags:
- never
- init

16
playbooks/openshift-apps/solr.yml
View file

@ -35,9 +35,21 @@
file: service.yml
objectname: service.yml
- command: "oc adm pod-network join-projects --to=solr fedora-packages-static"
- role: openshift/object
app: solr
file: deploymentconfig.yml
objectname: deploymentconfig.yml
- name: Link solr and fedora-packages-static networks
hosts: os_masters_stg[0]
user: root
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: Run oc adm command to link solr to other projects
command: "oc adm pod-network join-projects --to=solr fedora-packages-static"

2
roles/badges/frontend/templates/tahrir.ini
View file

@ -31,7 +31,7 @@ sqlalchemy.url = postgresql://{{tahrirDBUser}}:{{tahrirDBPassword}}@db-tahrir/ta
mako.directories=tahrir:templates
tahrir.admin = ralph@fedoraproject.org, puiterwijk@fedoraproject.org, nb@fedoraproject.org, cydrobolt@fedoraproject.org, aikidouke@fedoraproject.org, sayanchowdhury@fedoraproject.org, kevin@fedoraproject.org, jflory7@fedoraproject.org, codeblock@fedoraproject.org, mleonova@fedoraproject.org, churchyard@fedoraproject.org, bex@fedoraproject.org, asamalik@fedoraproject.org, cverna@fedoraproject.org, misc@fedoraproject.org, nasirhm@fedoraproject.org, computerkid@fedoraproject.org
tahrir.admin = nb@fedoraproject.org, sayanchowdhury@fedoraproject.org, kevin@fedoraproject.org, jflory7@fedoraproject.org, codeblock@fedoraproject.org, churchyard@fedoraproject.org, misc@fedoraproject.org, computerkid@fedoraproject.org
tahrir.pngs.uri = /usr/share/badges/pngs

4
roles/base/templates/ifcfg.j2
View file

@ -10,8 +10,10 @@ OPTIONS="layer2=1 portno=0"
DEFROUTE=yes
GATEWAY="{{ gw }}"
{% endif %}
{% if hostvars[inventory_hostname].datacenter == 'iad2' %}
{% if hostvars[inventory_hostname].datacenter == 'iad2' and env == 'production' %}
DOMAIN="iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org"
{% elif hostvars[inventory_hostname].datacenter == 'iad2' and env == 'staging' %}
DOMAIN="stg.iad2.fedoraproject.org iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org"
{% else %}
DOMAIN="vpn.fedoraproject.org fedoraproject.org"
{% endif %}

107
roles/batcave/files/retrieve-security-question.py
View file

@ -1,107 +0,0 @@
#!/usr/bin/python -tt
# -*- coding: utf-8 -*-
# Use this script to retrieve the security_question and security_answer from FAS (requires FAS >= 0.8.14)
# Author: Patrick Uiterwijk <puiterwijk@fedoraproject.org>
#
# Copyright 2012-2021 Patrick Uiterwijk. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE FEDORA PROJECT ''AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# The views and conclusions contained in the software and documentation are those
# of the authors and should not be interpreted as representing official policies,
# either expressed or implied, of the Fedora Project.
import os
import getpass
import sys
import gpg.core
from fedora.client import AccountSystem
from fedora.client import AuthError
from fedora.client import ServerError
import argparse
from io import BytesIO
parser = argparse.ArgumentParser()
parser.add_argument('admin_user', help='The user as which to log in to retrieve the question and answer')
parser.add_argument('target_user', help='The user of which to retrieve the security question and answer')
parser.add_argument('--verbose', action='store_true')
parser.add_argument('--no-answer', action='store_true', help='Only show the question, do not decrypt the answer')
parser.add_argument('--site', help='The FAS URL to get the information from')
parser.add_argument('--insecure', action='store_true', default=False,
help='Do not check the certificate for the server. *WARNING*: Only use this for testing')
parser.add_argument('--gpg_home', help='The directory where secring.gpg and pubring.gpg reside')
args = parser.parse_args()
args.admin_pass = getpass.getpass()
if args.site == None:
args.site = 'https://admin.fedoraproject.org/accounts/'
if args.verbose:
print('Using site: %(site)s' % {'site': args.site})
if args.verbose:
if args.gpg_home == None:
print('Using default gpg_home')
else:
print('Using gpg_home: %(gpghome)s' % {'gpghome': args.gpg_home})
if args.gpg_home != None:
os.putenv('GNUPGHOME', args.gpg_home)
fas = AccountSystem(args.site, username=args.admin_user, password=args.admin_pass, insecure=args.insecure)
if args.verbose:
print('Getting user details...')
try:
details = fas.person_by_username(args.target_user)
except AuthError:
print('Failed to login to FAS. Please check admin_user and admin_pass!')
sys.exit(2)
except ServerError:
print('Failed to retrieve user details: the server reported an error!')
sys.exit(3)
if not 'username' in list(details.keys()):
print('Error: user %(username)s is not known on this FAS site!' % {'username': args.target_user})
sys.exit(4)
if not 'security_question' in list(details.keys()):
print('Error: security_question was not retrieved by FAS! Are you sure you are using FAS >= 0.8.14, and that admin_user has the privileges to retrieve security_question?')
sys.exit(5)
if details.security_question == None or details.security_answer == None:
print('Error: unable to retrieve security_question or security_answer. Are you sure you have privileges to return this information?')
sys.exit(6)
if not args.no_answer:
if args.verbose:
print('Decrypting answer...')
cipher = BytesIO(details.security_answer.encode('utf-8'))
ctx = gpg.core.Context()
plain = ctx.decrypt(cipher)[0].decode('utf8')
details.security_answer = plain
print('Security question: %(question)s' % {'question': details.security_question})
if not args.no_answer:
print('Security answer: %(answer)s' % {'answer': details.security_answer})

11
roles/batcave/tasks/main.yml
View file

@ -238,17 +238,6 @@
- config
#
# Script used to gather encrypted security questions from fas
#
- name: setup /usr/local/bin/retrieve-security-question.py
copy: src=retrieve-security-question.py dest=/usr/local/bin/retrieve-security-question.py mode=0755
tags:
- batcave
- config
# The zodbot server must allow TCP on whatever port zodbot is listening on
# for this to work (currently TCP port 5050).
# Once that is done, you can symlink /usr/local/bin/zodbot-announce-commits.py

5
roles/bodhi2/base/templates/production.ini.j2
View file

@ -592,10 +592,7 @@ f{{ FedoraBranchedNumber }}.pre_beta.critpath.min_karma = 1
f{{ FedoraBranchedNumber }}.pre_beta.critpath.stable_after_days_without_negative_karma = 14
{% elif FedoraBranchedBodhi is defined and FedoraBranchedBodhi == 'postbeta' %}
f{{ FedoraBranchedNumber }}.status = post_beta
#f{{ FedoraBranchedNumber }}.post_beta.mandatory_days_in_testing = 7
#fesco has decided that since this cycle is so short, we will keep 3 days in testing until release.
#This should change to 7 after release.
f{{ FedoraBranchedNumber }}.post_beta.mandatory_days_in_testing = 3
f{{ FedoraBranchedNumber }}.post_beta.mandatory_days_in_testing = 7
f{{ FedoraBranchedNumber }}.post_beta.critpath.min_karma = 2
f{{ FedoraBranchedNumber }}.post_beta.critpath.stable_after_days_without_negative_karma = 14
{% endif %}

4
roles/copr/backend/templates/lighttpd/dir-generator.php.j2
View file

@ -244,7 +244,7 @@ if($path != "./") {
// Print folder information
foreach($folderlist as $folder) {
print "<tr><td class='n'><a href='" . addslashes($folder['name']). "'>" .htmlentities($folder['name']). "</a>/</td>";
print "<td class='m'>" . date('Y-M-d H:m:s', $folder['modtime']) . "</td>";
print "<td class='m'>" . date('Y-M-d H:i:s', $folder['modtime']) . "</td>";
print "<td class='s'>" . (($calculate_folder_size)?format_bytes($folder['size'], 2):'--') . "&nbsp;</td>";
print "<td class='t'>" . $folder['file_type'] . "</td></tr>";
}
@ -255,7 +255,7 @@ foreach($folderlist as $folder) {
// Print file information
foreach($filelist as $file) {
print "<tr><td class='n'><a href='" . addslashes($file['name']). "'>" .htmlentities($file['name']). "</a></td>";
print "<td class='m'>" . date('Y-M-d H:m:s', $file['modtime']) . "</td>";
print "<td class='m'>" . date('Y-M-d H:i:s', $file['modtime']) . "</td>";
print "<td class='s'>" . format_bytes($file['size'],2) . "&nbsp;</td>";
print "<td class='t'>" . $file['file_type'] . "</td></tr>";
}

8
roles/copr/frontend-cloud/tasks/httpd.yml
View file

@ -82,3 +82,11 @@
regexp: '^LoadModule substitute_module modules/mod_substitute.so'
line: '#LoadModule substitute_module modules/mod_substitute.so'
- name: Keep httpd master running when child is OOM killed, rhbz#1947475
ini_file:
path: /usr/lib/systemd/system/httpd.service
section: Service
option: OOMPolicy
value: continue
backup: yes
notify: restart apache

4
roles/copr/frontend-cloud/templates/httpd/coprs.conf
View file

@ -4,6 +4,7 @@ Alias "/db_dumps/" "/var/www/html/db_dumps/"
WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe processes=4 threads=5 display-name=other maximum-requests=8000 restart-interval=300 graceful-timeout=20
WSGIDaemonProcess api user=copr-fe group=copr-fe processes=2 threads=15 display-name=api maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess api-memory-leak user=copr-fe group=copr-fe processes=2 threads=1 display-name=api-memory-leak maximum-requests=10 graceful-timeout=20
WSGIDaemonProcess backend user=copr-fe group=copr-fe processes=2 threads=15 display-name=backend maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess stats user=copr-fe group=copr-fe processes=2 threads=15 display-name=stats maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess tmp user=copr-fe group=copr-fe processes=2 threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20
@ -71,6 +72,9 @@ WSGIApplicationGroup %{GLOBAL}
<LocationMatch "^/api.*upload.*">
WSGIProcessGroup upload
</LocationMatch>
<LocationMatch "^/api_3/package/list.*">
WSGIProcessGroup api-memory-leak
</LocationMatch>
<LocationMatch "^/coprs.*new_build_upload.*">
WSGIProcessGroup upload
</LocationMatch>

4
roles/dns/files/named.conf
View file

@ -37,9 +37,11 @@ options {
pid-file "/var/run/named/named.pid";
statistics-file "/var/log/named.stats";
provide-ixfr no;
tcp-clients 1000;
version "cowbell++";
listen-on port 53 {
listen-on port 53 {
any;
};
listen-on-v6 port 53 {

3
roles/fas_client/files/aliases.template
View file

@ -141,7 +141,7 @@ cvs-sysadmin: fedora-sysadmin-list@redhat.com
# this email address no longer exists internally (2020-06?) and is
# causing large amounts of bouncebacks and weighing email down from
# our servers in the RH scanners.
# our servers in the RH scanners.
legal-cla-archive: /dev/null
vendors: distribution-members
@ -255,6 +255,7 @@ rbergeron: rbergero
jwf: jflory7
axk4545: abkahrs
bexelbie: bex
bt0dotninja: bt0
# Mirror admin alias
mirror-admin: mirror-admin@lists.fedoraproject.org

3
roles/fasjson/files/aliases.static
View file

@ -141,7 +141,7 @@ cvs-sysadmin: fedora-sysadmin-list@redhat.com
# this email address no longer exists internally (2020-06?) and is
# causing large amounts of bouncebacks and weighing email down from
# our servers in the RH scanners.
# our servers in the RH scanners.
legal-cla-archive: /dev/null
vendors: distribution-members
@ -255,6 +255,7 @@ rbergeron: rbergero
jwf: jflory7
axk4545: abkahrs
bexelbie: bex
bt0dotninja: bt0
# Mirror admin alias
mirror-admin: mirror-admin@lists.fedoraproject.org

45
roles/fasjson/templates/fasjson-aliases.j2
View file

@ -2,6 +2,7 @@
import os
import sys
import tempfile
import subprocess
from fasjson_client import Client, errors
@ -17,7 +18,7 @@ def gen_all_aliases():
client = Client(url=fasjson_url)
try:
users = client.list_users().result
users = client.list_group_members(groupname="fedora-contributor").result
groups = client.list_groups().result
temporary_file = tempfile.NamedTemporaryFile(
"w+", delete=False, dir=os.getcwd()
@ -29,26 +30,24 @@ def gen_all_aliases():
temp.write(line)
for user in users:
username = user['username']
email = user['emails'][0]
userinfo = client.get_user(username=username).result
email = userinfo['emails'][0]
temp.write(f'{username}: {email} \n')
for group in groups:
groupname = group['groupname']
# even though there are no admins of groups anymore
# we should probably leave this here and just
# link to the sponsors list
temp.write(
f'{groupname}-administrators: {groupname}-sponsors \n'
)
sponsor_list = ','.join(
sponsor['username']
for sponsor in client.list_group_sponsors(
groupname=groupname).result
)
temp.write(f"{groupname}-sponsors: {sponsor_list} \n")
if sponsor_list:
temp.write(
f'{groupname}-administrators: {groupname}-sponsors \n'
)
temp.write(f"{groupname}-sponsors: {sponsor_list} \n")
member_list = ','.join(
member['username']
@ -56,7 +55,9 @@ def gen_all_aliases():
groupname=groupname).result
)
temp.write(f"{groupname}-members: {member_list} \n")
if member_list:
temp.write(f"{groupname}-members: {member_list} \n")
rename(temporary_file.name, aliases_file)
except errors.APIError as e:
print(f"Something went wrong querying the fasjson API. {e}", file=sys.stderr)
@ -114,16 +115,18 @@ def main():
# Use the system's keytab for authentication
os.environ["KRB5_CLIENT_KTNAME"] = "/etc/krb5.keytab"
try:
if not args:
gen_all_aliases()
elif len(args) == 2 and args[0] == "update":
update_user(args[1])
else:
print(f"Usage: {sys.argv[0]} [update <username>]", file=sys.stderr)
raise RuntimeError()
except Exception:
sys.exit(1)
if not args:
gen_all_aliases()
# call newaliases script so postfix gets updated
subprocess.check_call(['/usr/bin/newaliases'])
elif len(args) == 2 and args[0] == "update":
update_user(args[1])
# call newaliases script so postfix gets updated
subprocess.check_call(['/usr/bin/newaliases'])
else:
print(f"Usage: {sys.argv[0]} [update <username>]", file=sys.stderr)
exit(1)
if __name__ == "__main__":
main()

1
roles/httpd/reverseproxy/tasks/main.yml
View file

@ -5,6 +5,7 @@
# - proxyurl
# - rewrite
# - keephost
# - proxyopts
- name: Set OpenShift information if not preconfigured
set_fact:

2
roles/httpd/reverseproxy/templates/reversepassproxy.conf
View file

@ -64,6 +64,6 @@ RewriteRule .* "balancer://{{ balancer_name }}-websocket%{REQUEST_URI}" [P]
ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
{% else %}
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
{% endif %}

1
roles/httpd/reverseproxy/vars/main.yml
View file

@ -7,3 +7,4 @@ header_scheme: false
keephost: false
targettype: plain
http_not_https_yes_this_is_insecure_and_i_feel_bad: false
proxyopts: ""

8
roles/httpd/website/templates/website.conf
View file

@ -6,7 +6,11 @@
ServerAdmin {{ server_admin }}
TraceEnable Off
{% if x_forward %}
# RequestHeader unset X-Forwarded-For
{% else %}
RequestHeader unset X-Forwarded-For
{% endif %}
{% if gzip %}
SetOutputFilter DEFLATE
@ -46,7 +50,11 @@
{% endif %}
ServerAdmin {{ server_admin }}
{% if x_forward %}
# RequestHeader unset X-Forwarded-For
{% else %}
RequestHeader unset X-Forwarded-For
{% endif %}
{% if ansible_distribution == 'Fedora' and use_h2 %}
Protocols h2 http/1.1

6
roles/ipa/client/files/fedora-nss-ignore.conf.staging Normal file
View file

@ -0,0 +1,6 @@
## This file contains users who are in ipa to stop people from
## creating restricted accounts but we want to make sure the id in
## /etc/passwd and /etc/group are used.
[nss]
filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,avahi-autoipd,dbus,polkitd,rpc,tss,ntp,rpcuser,nfsnobody,postfix,sshd,nagios,nrpe,openvpn,,chrony,sssd,named,mock
filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,cdrom,mail,man,dialout,floppy,games,tape,video,ftp,lock,audio,nobody,users,utmp,utempter,avahi-autoipd,ssh_keys,systemd-journal,dbus,rpc,tss,ntp,dip,rpcuser,nfsnobody,postdrop,postfix,sshd,screen,nagios,nrpe,openvpn,input,systemd-bus-proxy,systemd-network,cgred,chrony,printadmin,sssd,named,mock

11
roles/ipa/client/tasks/main.yml
View file

@ -79,3 +79,14 @@
notify:
- restart sssd
- clean sss caches
when: env == "production"
- name: Ensure that nss knows to skip certain users
copy: src=fedora-nss-ignore.conf.staging dest=/etc/sssd/conf.d/fedora-nss-ignore.conf mode=600 owner=root group=root
tags:
- ipa/client
- config
notify:
- restart sssd
- clean sss caches
when: env == "staging"

5
roles/ipa/client/tasks/prepare-ipa-info.yml
View file

@ -40,6 +40,7 @@
# "host_group_1": {
# "shell_groups": [...],
# "sudo_groups": [...],
# "sudo_nopasswd_groups": [...],
# "hosts": { # <-- This could be a list with Ansible >= 2.10
# "host_1": true,
# ...,
@ -85,6 +86,8 @@
(ipa_hosts_combined_shell_groups_dict[item] | length > 0)
| ternary(ipa_hosts_combined_shell_groups_dict[item], omit),
'sudo_groups': hostvars[item]['ipa_client_sudo_groups'] | default(omit),
'sudo_nopasswd_groups':
hostvars[item]['ipa_client_sudo_nopasswd_groups'] | default(omit),
'hosts': {item: true},
}
}
@ -99,6 +102,8 @@
hostvars[item]['ipa_server']: {
'groups': ipa_hosts_combined_shell_groups_dict[item] | union(
hostvars[item]['ipa_client_sudo_groups'] | default([])
) | union(
hostvars[item]['ipa_client_sudo_nopasswd_groups'] | default([])
),
'hosts': {item: True},
}

17
roles/ipa/client/tasks/sudo.yml
View file

@ -34,3 +34,20 @@
notify: clean sss caches
loop: "{{ ipa_server_host_groups }}"
when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_groups'] is defined
- name: Give certain groups passwordless sudo access to anything per host group
delegate_to: "{{ item[0] }}"
ipasudorule:
name: "hostgroup/{{ item[1] }}/nopasswd"
description: "Grant passwordless sudo access to anything on host group {{ item[1] }}"
ipaadmin_password: "{{ ipa_server_admin_passwords[item[0]] }}"
state: present
group: "{{ ipa_server_host_groups_dict[item[0]][item[1]]['sudo_nopasswd_groups'] }}"
hostgroup: "{{ item[1] }}"
cmdcategory: "all"
runasusercategory: "all"
runasgroupcategory: "all"
options: "!authenticate"
notify: clean sss caches
loop: "{{ ipa_server_host_groups }}"
when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_nopasswd_groups'] is defined

17
roles/ipa/server/tasks/main.yml
View file

@ -629,3 +629,20 @@
copy:
src: data-only-backup
dest: "/etc/cron.d/data-only-backup"
- name: Ensure python dep is present
pip:
name: python-freeipa
tags:
- ipa/server
- otp_script
- name: Copy file for checking if sysadmins have otp set
template:
src: check_sysadmin_otp.py.j2
dest: /root/check_sysadmin_otp.py
owner: root
group: root
tags:
- ipa/server
- otp_script

80
roles/ipa/server/templates/check_sysadmin_otp.py.j2 Normal file
View file

@ -0,0 +1,80 @@
import argparse
import json
from python_freeipa import ClientMeta
def login(args):
client = ClientMeta(host=args.server_address, verify_ssl=args.cert_path)
client.login(args.username, args.password)
return client
def get_sysadmins(client):
groups = client.group_find('sysadmin-')
sysadmins = []
print('Gethering all members from sysadmin-* groups')
for group in groups['result']:
try:
sysadmins = sysadmins + list(set(group['member_user']) - set(sysadmins))
except KeyError:
print('No members of group: ' + group['cn'][0])
return sysadmins
def checkotp_tokens(client):
sysadmins = get_sysadmins(client)
print("There is " + str(len(sysadmins)) + " sysadmins in the system")
tokenless = []
print('Checking which users have an otp token assigned')
for sysadmin in sysadmins:
is_token = client.otptoken_find(o_ipatokenowner=sysadmin)
if len(is_token['result']) == 0:
tokenless.append(sysadmin)
print("There are " + str(len(tokenless)) + " sysadmins without otptokens")
return tokenless
def get_email(client, users):
print('Gathering emails of the users with no tokens')
user_details = []
for user in users:
email = client.user_show(user)['result']['mail'][0]
user_details.append({'user': user, 'email': email})
return user_details
def parse_args():
parser = argparse.ArgumentParser(description="Check for sysadmin users with no otp token set, admin credentials are required to run script")
parser.add_argument("-u", "--username", default="admin", help="ipa user to use")
parser.add_argument("-c", "--cert-path", default="/etc/ipa/ca.crt", help="location of ipa cert")
parser.add_argument("-s", "--server-address", default="ipa01{{ env_suffix }}.iad2.fedoraproject.org", help="server to run against")
parser.add_argument("-p", "--password", help="ipa user password", required=True)
args = parser.parse_args()
return args
def do_it(client):
tokenless_sysadmins = checkotp_tokens(client)
user_details = get_email(client, tokenless_sysadmins)
print("Details are in the file tokenless_users.json")
with open('tokenless_users.json', 'w') as outfile:
json.dump(user_details, outfile)
if __name__ == "__main__":
args = parse_args()
client = login(args)
do_it(client)

35
roles/koji_builder/tasks/main.yml
View file

@ -62,7 +62,7 @@
tags:
- koji_builder
- name: add pkgs
- name: add pkgs (production)
package:
state: present
name:
@ -93,9 +93,42 @@
- imagefactory-plugins-RHEVM
- pykickstart
- nosync
when: env == "production"
tags:
- koji_builder
- name: add pkgs (staging)
package:
state: present
name:
- koji-builder
- koji-builder-plugins
- python3-koji
- koji-containerbuild-builder
- strace
- mock
- kernel-firmware
- kernel-modules
- rsyslog
- audit
- pycdio
- python3-kickstart
- libvirt-client
- oz
- imagefactory
- imagefactory-plugins-TinMan
- imagefactory-plugins-Docker
- imagefactory-plugins-GCE
- imagefactory-plugins-vSphere
- imagefactory-plugins-ovfcommon
- imagefactory-plugins
- imagefactory-plugins-OVA
- imagefactory-plugins-RHEVM
- pykickstart
- nosync
when: env == "staging"
tags:
- koji_builder
#
# rpmautospec plugin
#

15
roles/openqa/server/templates/openqa.ini.j2
View file

@ -1,4 +1,5 @@
[global]
audit_enabled = 0
branding = plain
base_url = https://{{ external_hostname }}
download_domains = fedoraproject.org
@ -13,12 +14,26 @@ topic_prefix = {{ openqa_amqp_publisher_prefix }}
url = {{ openqa_amqp_publisher_url }}
exchange = {{ openqa_amqp_publisher_exchange }}
[audit/storage_duration]
startup = 7
jobgroup = 7
jobtemplate = 7
table = 7
iso = 7
user = 7
asset = 7
needle = 7
other = 7
[auth]
method=OpenID
[logging]
level=info
[misc_limits]
asset_cleanup_max_free_percentage = 20
[openid]
provider = https://id.fedoraproject.org/
httpsonly = 1

2
roles/openshift-apps/fedocal/templates/buildconfig.yml
View file

@ -14,7 +14,7 @@ spec:
git:
uri: https://pagure.io/fedocal.git
{% if env == 'staging' %}
ref: "debug"
ref: "staging"
{% else %}
ref: "production"
{% endif %}

2
roles/openshift-apps/noggin/templates/noggin.cfg.py
View file

@ -25,7 +25,7 @@ SESSION_COOKIE_SECURE = True
FREEIPA_ADMIN_USER = "noggin"
# How many minutes before a password reset request expires
PASSWORD_RESET_EXPIRATION = 10
PASSWORD_RESET_EXPIRATION = 30
# Email
MAIL_FROM = "Fedora Account System <fas@fedoraproject.org>"

12
roles/openshift-apps/oraculum/templates/deploymentconfig.yml
View file

@ -77,18 +77,20 @@ spec:
{% else %}
value: "bastion.iad2.fedoraproject.org;;;watchdog@packager-dashboard.fedoraproject.org;"
{% endif %}
- name: BZ_API_KEY
value: "{{ oraculum_bz_api_key }}"
volumeMounts:
- name: oraculum-secret-volume
mountPath: /opt/app-root/secret/
readOnly: true
readinessProbe:
timeoutSeconds: 1
timeoutSeconds: 5
initialDelaySeconds: 5
httpGet:
path: /
port: 8080
livenessProbe:
timeoutSeconds: 1
timeoutSeconds: 15
initialDelaySeconds: 30
httpGet:
path: /
@ -176,6 +178,8 @@ spec:
{% else %}
value: "bastion.iad2.fedoraproject.org;;;watchdog@packager-dashboard.fedoraproject.org;"
{% endif %}
- name: BZ_API_KEY
value: "{{ oraculum_bz_api_key }}"
volumeMounts:
- name: oraculum-secret-volume
mountPath: /opt/app-root/secret/
@ -259,6 +263,8 @@ spec:
{% else %}
value: "bastion.iad2.fedoraproject.org;;;watchdog@packager-dashboard.fedoraproject.org;"
{% endif %}
- name: BZ_API_KEY
value: "{{ oraculum_bz_api_key }}"
volumeMounts:
- name: oraculum-secret-volume
mountPath: /opt/app-root/secret/
@ -344,6 +350,8 @@ spec:
{% else %}
value: "bastion.iad2.fedoraproject.org;;;watchdog@packager-dashboard.fedoraproject.org;"
{% endif %}
- name: BZ_API_KEY
value: "{{ oraculum_bz_api_key }}"
volumeMounts:
- name: oraculum-secret-volume
mountPath: /opt/app-root/secret/

6
roles/openshift-apps/testdays/templates/buildconfig.yml
View file

@ -44,11 +44,7 @@ spec:
type: Git
git:
uri: https://pagure.io/taskotron/resultsdb.git
{% if env == 'staging' %}
ref: "openshift_WIP"
{% else %}
ref: "openshift_WIP"
{% endif %}
ref: "develop"
strategy:
type: Source
sourceStrategy:

2
roles/openshift-apps/toddlers/templates/fedora-messaging.toml
View file

@ -91,7 +91,7 @@ dist_git_token = "private random string to change"
email_overrides_file = "/etc/fedora-messaging/email_overrides.toml"
# List of accounts we do not want to report about
ignorable_accounts = ["packagerbot", "zuul"]
ignorable_accounts = ["packagerbot", "zuul", "cockpit"]
# Temp folder to use for toddlers temp files
temp_folder = "/var/tmp"

50
roles/openvpn/base/tasks/main.yml
View file

@ -9,30 +9,8 @@
tags:
- openvpn
- packages
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
- name: Install needed package (dnf)
package:
state: present
name:
- openvpn
tags:
- openvpn
- packages
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
- name: Install certificate and key (rhel6)
copy: src={{ private }}/files/vpn/pki/ca.crt
dest=/etc/openvpn/ca.crt
owner=root group=root mode=0600
tags:
- install
- openvpn
#notify:
#- restart openvpn (RHEL6)
when: ansible_distribution_major_version|int == 6 and ansible_distribution == 'RedHat'
- name: Install certificate and key (rhel7+) for client
- name: Install ca for client
copy: src={{ private }}/files/vpn/pki/ca.crt
dest=/etc/openvpn/client/ca.crt
owner=root group=root mode=0600
@ -41,20 +19,8 @@
- openvpn
#notify:
#- restart openvpn (RHEL7+)
when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat' ) and ansible_cmdline.ostree is not defined
- name: Install certificate and key (Fedora) for client
copy: src={{ private }}/files/vpn/pki/ca.crt
dest=/etc/openvpn/client/ca.crt
owner=root group=root mode=0600
tags:
- install
- openvpn
#notify:
#- restart openvpn (Fedora)
when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' ) and ansible_cmdline.ostree is not defined
- name: Install certificate and key (fedora) for server
- name: Install ca for server
copy: src={{ private }}/files/vpn/pki/ca.crt
dest=/etc/openvpn/server/ca.crt
owner=root group=root mode=0600
@ -63,18 +29,6 @@
- openvpn
#notify:
#- restart openvpn (Fedora)
when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' ) and ansible_cmdline.ostree is not defined
- name: Install certificate and key (rhel7+) for server
copy: src={{ private }}/files/vpn/pki/ca.crt
dest=/etc/openvpn/server/ca.crt
owner=root group=root mode=0600
tags:
- install
- openvpn
#notify:
#- restart openvpn (RHEL7+)
when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat' ) and ansible_cmdline.ostree is not defined
- name: Install certificate and key (rhel7 or fedora) for server
copy: src={{ private }}/files/vpn/pki/ca.crt

61
roles/openvpn/client/tasks/main.yml
View file

@ -9,29 +9,8 @@
tags:
- packages
- openvpn
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
- name: Install needed packages
package:
state: present
name:
- openvpn
tags:
- packages
- openvpn
when: ansible_distribution_major_version|int > 7 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
- name: Install needed packages
package:
state: present
name:
- openvpn
tags:
- packages
- openvpn
when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
- name: Install main config file (rhel7 and fedora)
- name: Install main config file
template: src=client.conf
dest=/etc/openvpn/client/openvpn.conf
owner=root group=root mode=0644
@ -41,7 +20,6 @@
# notify:
# - restart openvpn (Fedora)
# - restart openvpn (RHEL6+)
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora') and ansible_cmdline.ostree is not defined
- name: Install configuration files (rhel7 and fedora)
copy: src={{ item.file }}
@ -60,46 +38,9 @@
# notify:
# - restart openvpn (Fedora)
# - restart openvpn (RHEL7)
when: (ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat') or (ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora') and ansible_cmdline.ostree is not defined
- name: Install configuration files (rhel6)
copy: src={{ item.file }}
dest={{ item.dest }}
owner=root group=root mode={{ item.mode }}
with_items:
- { file: client.conf,
dest: /etc/openvpn/openvpn.conf,
mode: '0644' }
- { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt",
dest: "/etc/openvpn/client.crt",
mode: '0600' }
- { file: "{{ private }}/files/vpn/pki/private/{{ inventory_hostname }}.key",
dest: "/etc/openvpn/client.key",
mode: '0600' }
tags:
- install
- openvpn
# notify:
# - restart openvpn (RHEL6)
when: (ansible_distribution_major_version|int == 6 and ansible_distribution == 'RedHat') and ansible_cmdline.ostree is not defined
- name: enable openvpn service for rhel 6
service: name=openvpn state=started enabled=true
when: ansible_distribution_major_version|int == 6 and ansible_distribution == 'RedHat'
tags:
- service
- openvpn
- name: Make sure old openvpn is not running in rhel 7
service: name=openvpn@openvpn state=stopped enabled=false
when: ansible_distribution_major_version|int == 7 and ansible_distribution == 'RedHat'
tags:
- service
- openvpn
- name: Make sure openvpn is running in rhel 7+
service: name=openvpn-client@openvpn state=started enabled=true
when: ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat'
tags:
- service
- openvpn

2
roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.21 192.168.100.21

2
roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.18 192.168.100.18

2
roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.19 192.168.100.19

2
roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.14 192.168.100.14

2
roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.15 192.168.100.15

2
roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.16 192.168.100.16

2
roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.20 192.168.100.20

2
roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.17 192.168.100.17

2
roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.22 192.168.100.22

2
roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.23 192.168.100.23

2
roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.24 192.168.100.24

2
roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org Normal file
View file

@ -0,0 +1,2 @@
# ifconfig-push actualIP PtPIP
ifconfig-push 192.168.100.25 192.168.100.25

25
roles/people/files/make-people-page.py
View file

@ -178,8 +178,14 @@ for hdir in homedirs:
continue
user["name"] = pwentry.pw_gecos
user["has_public_html"] = (hdir / "public_html").is_dir()
user["has_public_git"] = (hdir / "public_git").is_dir()
try:
user["has_public_html"] = (hdir / "public_html").is_dir()
except PermissionError:
user["has_public_html"] = False
try:
user["has_public_git"] = (hdir / "public_git").is_dir()
except PermissionError:
user["has_public_git"] = False
user["email_hash"] = hashlib.md5(
f"{user['name'].lower()}@fedoraproject.org".encode("utf-8")
).hexdigest()
@ -201,11 +207,16 @@ out_file_grp = grp.getgrnam("web").gr_gid
with open(out_file, "w", encoding="utf-8") as handle:
handle.write(page_output)
# keep current owner uid
st = out_file.stat()
out_file_uid = st.st_uid
# The code below was present originally, however the cron job is ran under the
# `apache` user so it is not clear what this was meant to do.
# This is being kept here for convenience in case we need to re-activate this
# code, down the line this should just be removed.
# keep current owner uid
#st = out_file.stat()
#out_file_uid = st.st_uid
#
# give write permissions to group
out_file.chmod(st.st_mode | stat.S_IWGRP)
#out_file.chmod(st.st_mode | stat.S_IWGRP)
# chown out file to group
os.chown(out_file, out_file_uid, out_file_grp)
#os.chown(out_file, out_file_uid, out_file_grp)

18
roles/web-data-analysis/files/mirrorlist.py
View file

@ -214,6 +214,12 @@ repo_dict = {
"31" : "f31",
"32" : "f32",
"33" : "f33",
"34" : "f34",
"35" : "f35",
"36" : "f36",
"37" : "f37",
"38" : "f38",
"39" : "f39",
"6.89" : "f07",
"6.90" : "f07",
"6.91" : "f07",
@ -320,6 +326,12 @@ repo_dict = {
'f31' : 'f31',
'f32' : 'f32',
'f33' : 'f33',
'f34' : 'f34',
'f35' : 'f35',
'f36' : 'f36',
'f37' : 'f37',
'f38' : 'f38',
'f39' : 'f39',
'fmodular27' : 'modular_f27',
'fmodular28' : 'modular_f28',
'fmodular29' : 'modular_f29',
@ -334,6 +346,12 @@ repo_dict = {
'modularf31' : 'modular_f31',
'modularf32' : 'modular_f32',
'modularf33' : 'modular_f33',
'modularf34' : 'modular_f34',
'modularf35' : 'modular_f35',
'modularf36' : 'modular_f36',
'modularf37' : 'modular_f37',
'modularf38' : 'modular_f38',
'modularf39' : 'modular_f39',
'rhel4' : 'rhel4',
'rhel5' : 'rhel5',
'rhel6' : 'rhel6',

32
roles/web-data-analysis/files/mirrors-data.awk
View file

@ -7,6 +7,7 @@ BEGIN{
epel6=0;
epel7=0;
epel8=0;
epel9=0;
f03=0;
f04=0;
f05=0;
@ -38,6 +39,12 @@ BEGIN{
f31=0;
f32=0;
f33=0;
f34=0;
f35=0;
f36=0;
f37=0;
f38=0;
f39=0;
rawhide=0;
rawhide_modular=0;
modular_f27=0;
@ -47,6 +54,12 @@ BEGIN{
modular_f31=0;
modular_f32=0;
modular_f33=0;
modular_f34=0;
modular_f35=0;
modular_f36=0;
modular_f37=0;
modular_f38=0;
modular_f39=0;
modular=0;
unknown_release = 0;
# arch
@ -73,7 +86,7 @@ BEGIN{
unknown_arch = 0;
centos = 0;
rhel = 0;
print olddate ",02-epel4,03-epel5,04-epel6,05-epel7,06-f03,07-f04,08-f05,09-f06,10-f07,11-f08,12-f09,13-f10,14-f11,15-f12,16-f13,17-f14,18-f15,19-f16,20-f17,21-f18,22-f19,23-f20,24-f21,25-f22,26-f23,27-f24,28-f25,29-f26,30-f27,31-f28,32-f29,33-rawhide,34-unk_rel,35-epel,36-fedora,37-alpha,38-arm,39-arm64,40-ia64,41-mips,42-ppc,43-s390,44-sparc,45-tilegx,46-x86_32,47-x86_64,48-x86_32_e,49-x86_32_f,50-x86_64_e,51-x86_64_f,52-ppc_e,53-ppc_f,54-unk_arc,55-centos,56-rhel,57-ppc64,58-ppc64le,59-modular,60-modular_rawhide,61-modular_f27,62-modular_f28,63-modular_f29,64-modular_f30,65-f30,66-f31,67-f32,68-f33,69-modular_f31,70-modular_f32,71-modular_f33,72-epel8";
print olddate ",02-epel4,03-epel5,04-epel6,05-epel7,06-f03,07-f04,08-f05,09-f06,10-f07,11-f08,12-f09,13-f10,14-f11,15-f12,16-f13,17-f14,18-f15,19-f16,20-f17,21-f18,22-f19,23-f20,24-f21,25-f22,26-f23,27-f24,28-f25,29-f26,30-f27,31-f28,32-f29,33-rawhide,34-unk_rel,35-epel,36-fedora,37-alpha,38-arm,39-arm64,40-ia64,41-mips,42-ppc,43-s390,44-sparc,45-tilegx,46-x86_32,47-x86_64,48-x86_32_e,49-x86_32_f,50-x86_64_e,51-x86_64_f,52-ppc_e,53-ppc_f,54-unk_arc,55-centos,56-rhel,57-ppc64,58-ppc64le,59-modular,60-modular_rawhide,61-modular_f27,62-modular_f28,63-modular_f29,64-modular_f30,65-f30,66-f31,67-f32,68-f33,69-modular_f31,70-modular_f32,71-modular_f33,72-epel8,73-epel9,74-f34,75-f35,76-f36,77-f37,78-f38,79-f39,80-modular_f34,81-modular_f35,82-modular_f36,83-modular_f37,84-modular_f38,85-modular_f39";
olddate="1970-01-02";
}
@ -84,6 +97,7 @@ BEGIN{
else if ($3 ~"epel6") { epel6=epel6+1; epel=epel+1}
else if ($3 ~"epel7") { epel7=epel7+1; epel=epel+1}
else if ($3 ~"epel8") { epel8=epel8+1; epel=epel+1}
else if ($3 ~"epel9") { epel9=epel9+1; epel=epel+1}
else if ($3 ~"modular_f27") { modular_f27=modular_f27+1; modular=modular+1; }
else if ($3 ~"modular_f28") { modular_f28=modular_f28+1; modular=modular+1; }
else if ($3 ~"modular_f29") { modular_f29=modular_f29+1; modular=modular+1; }
@ -91,6 +105,12 @@ BEGIN{
else if ($3 ~"modular_f31") { modular_f31=modular_f31+1; modular=modular+1; }
else if ($3 ~"modular_f32") { modular_f32=modular_f32+1; modular=modular+1; }
else if ($3 ~"modular_f33") { modular_f33=modular_f33+1; modular=modular+1; }
else if ($3 ~"modular_f34") { modular_f34=modular_f34+1; modular=modular+1; }
else if ($3 ~"modular_f35") { modular_f35=modular_f35+1; modular=modular+1; }
else if ($3 ~"modular_f36") { modular_f36=modular_f36+1; modular=modular+1; }
else if ($3 ~"modular_f37") { modular_f37=modular_f37+1; modular=modular+1; }
else if ($3 ~"modular_f38") { modular_f38=modular_f38+1; modular=modular+1; }
else if ($3 ~"modular_f39") { modular_f39=modular_f39+1; modular=modular+1; }
else if ($3 ~"f03") { f03=f03+1; fedora=fedora+1}
else if ($3 ~"f04") { f04=f04+1; fedora=fedora+1}
else if ($3 ~"f05") { f05=f05+1; fedora=fedora+1}
@ -122,6 +142,12 @@ BEGIN{
else if ($3 ~"f31") { f31=f31+1; fedora=fedora+1}
else if ($3 ~"f32") { f32=f32+1; fedora=fedora+1}
else if ($3 ~"f33") { f33=f33+1; fedora=fedora+1}
else if ($3 ~"f34") { f34=f34+1; fedora=fedora+1}
else if ($3 ~"f35") { f35=f35+1; fedora=fedora+1}
else if ($3 ~"f36") { f36=f36+1; fedora=fedora+1}
else if ($3 ~"f37") { f37=f37+1; fedora=fedora+1}
else if ($3 ~"f38") { f38=f38+1; fedora=fedora+1}
else if ($3 ~"f39") { f39=f39+1; fedora=fedora+1}
else if ($3 ~"rawhide_modular") { rawhide_modular=rawhide_modular+1; rawhide=rawhide+1; modular=modular+1; fedora=fedora+1}
else if ($3 ~"rawhide") { rawhide=rawhide+1; fedora=fedora+1}
else if ($3 ~"modular") { modular=modular+1; fedora=fedora+1 }
@ -165,7 +191,7 @@ BEGIN{
else {unknown_arch = unknown_arch +1; };
} else {
if ( olddate !~ "1970-01-01" ) {
print olddate "," epel4 "," epel5 "," epel6 "," epel7 "," f03 "," f04 "," f05 "," f06 "," f07 "," f08 "," f09 "," f10 "," f11 "," f12 "," f13 "," f14 "," f15 "," f16 "," f17 "," f18 "," f19 "," f20 "," f21 "," f22 "," f23 "," f24 "," f25 "," f26 "," f27 "," f28 "," f29 "," rawhide "," unknown_release "," epel "," fedora "," alpha "," arm "," arm64 "," ia64 "," mips "," ppc "," s390 "," sparc "," tilegx "," x86_32 "," x86_64 "," x86_32_e "," x86_32_f "," x86_64_e "," x86_64_f "," ppc_e "," ppc_f "," unknown_arch "," centos "," rhel "," ppc64 "," ppc64le "," modular "," rawhide_modular "," modular_f27 "," modular_f28 "," modular_f29 "," modular_f30 "," f30 "," f31 "," f32 "," f33 "," modular_f31 "," modular_f32 "," modular_f33 "," epel8 ;
print olddate "," epel4 "," epel5 "," epel6 "," epel7 "," f03 "," f04 "," f05 "," f06 "," f07 "," f08 "," f09 "," f10 "," f11 "," f12 "," f13 "," f14 "," f15 "," f16 "," f17 "," f18 "," f19 "," f20 "," f21 "," f22 "," f23 "," f24 "," f25 "," f26 "," f27 "," f28 "," f29 "," rawhide "," unknown_release "," epel "," fedora "," alpha "," arm "," arm64 "," ia64 "," mips "," ppc "," s390 "," sparc "," tilegx "," x86_32 "," x86_64 "," x86_32_e "," x86_32_f "," x86_64_e "," x86_64_f "," ppc_e "," ppc_f "," unknown_arch "," centos "," rhel "," ppc64 "," ppc64le "," modular "," rawhide_modular "," modular_f27 "," modular_f28 "," modular_f29 "," modular_f30 "," f30 "," f31 "," f32 "," f33 "," modular_f31 "," modular_f32 "," modular_f33 "," epel8 "," epel9 "," f34 "," f35 "," f36 "," f37 "," f38 "," f39 "," modular_f34 "," modular_f35 "," modular_f36 "," modular_f37 "," modular_f38 "," modular_f39 ;
};
olddate=$1
epel=0;
@ -246,7 +272,7 @@ BEGIN{
}
END {
print olddate "," epel4 "," epel5 "," epel6 "," epel7 "," f03 "," f04 "," f05 "," f06 "," f07 "," f08 "," f09 "," f10 "," f11 "," f12 "," f13 "," f14 "," f15 "," f16 "," f17 "," f18 "," f19 "," f20 "," f21 "," f22 "," f23 "," f24 "," f25 "," f26 "," f27 "," f28 "," f29 "," rawhide "," unknown_release "," epel "," fedora "," alpha "," arm "," arm64 "," ia64 "," mips "," ppc "," s390 "," sparc "," tilegx "," x86_32 "," x86_64 "," x86_32_e "," x86_32_f "," x86_64_e "," x86_64_f "," ppc_e "," ppc_f "," unknown_arch "," centos "," rhel "," ppc64 "," ppc64le "," modular "," rawhide_modular "," modular_f27 "," modular_f28 "," modular_f29 "," modular_f30 "," f30 "," f31 "," f32 "," f33 "," modular_f31 "," modular_f32 "," modular_f33 "," epel8 ;
print olddate "," epel4 "," epel5 "," epel6 "," epel7 "," f03 "," f04 "," f05 "," f06 "," f07 "," f08 "," f09 "," f10 "," f11 "," f12 "," f13 "," f14 "," f15 "," f16 "," f17 "," f18 "," f19 "," f20 "," f21 "," f22 "," f23 "," f24 "," f25 "," f26 "," f27 "," f28 "," f29 "," rawhide "," unknown_release "," epel "," fedora "," alpha "," arm "," arm64 "," ia64 "," mips "," ppc "," s390 "," sparc "," tilegx "," x86_32 "," x86_64 "," x86_32_e "," x86_32_f "," x86_64_e "," x86_64_f "," ppc_e "," ppc_f "," unknown_arch "," centos "," rhel "," ppc64 "," ppc64le "," modular "," rawhide_modular "," modular_f27 "," modular_f28 "," modular_f29 "," modular_f30 "," f30 "," f31 "," f32 "," f33 "," modular_f31 "," modular_f32 "," modular_f33 "," epel8 "," epel9 "," f34 "," f35 "," f36 "," f37 "," f38 "," f39 "," modular_f34 "," modular_f35 "," modular_f36 "," modular_f37 "," modular_f38 "," modular_f39 ;
}