From 1284267f489d4d7ad6454f22ab186e50e4eb276f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Tue, 6 Apr 2021 17:28:09 +0200 Subject: [PATCH 01/72] Noggin: set the password expiration to 30 minutes --- roles/openshift-apps/noggin/templates/noggin.cfg.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/noggin/templates/noggin.cfg.py b/roles/openshift-apps/noggin/templates/noggin.cfg.py index 70e8de5e30..ca02f9479d 100644 --- a/roles/openshift-apps/noggin/templates/noggin.cfg.py +++ b/roles/openshift-apps/noggin/templates/noggin.cfg.py @@ -25,7 +25,7 @@ SESSION_COOKIE_SECURE = True FREEIPA_ADMIN_USER = "noggin" # How many minutes before a password reset request expires -PASSWORD_RESET_EXPIRATION = 10 +PASSWORD_RESET_EXPIRATION = 30 # Email MAIL_FROM = "Fedora Account System " From 5db5700936264ed072f97aa6d9270a5f741f5314 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Tue, 6 Apr 2021 12:25:44 -0400 Subject: [PATCH 02/72] This will allow for X forwarded to be set for hosts which need it. [Currently only debuginfod] --- playbooks/include/proxies-websites.yml | 1 + roles/httpd/website/templates/website.conf | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index a47c1c693a..12a7b6cea4 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -973,6 +973,7 @@ site_name: debuginfod.fedoraproject.org sslonly: true server_aliases: [debuginfod.stg.fedoraproject.org] + x_forward: true cert_name: "{{wildcard_cert_name}}" tags: debuginfod diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf index d759139128..705fee06ee 100644 --- a/roles/httpd/website/templates/website.conf +++ b/roles/httpd/website/templates/website.conf 
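Review bot: PASSWORD_RESET_EXPIRATION now keeps a reset link valid three times longer, and neither the commit nor the comment above the setting records why, so the next reader cannot tell whether 30 minutes is a deliberate trade-off (slow mail delivery, for example) or an arbitrary pick. A longer window also lengthens the time a forwarded or mis-delivered reset mail stays usable, which is exactly why the rationale belongs next to the value, e.g. `# How many minutes before a password reset request expires; keep short, the link is a credential`. The commit title says "password expiration" while the setting governs the reset request, which is worth correcting in the message.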
@@ -6,7 +6,11 @@ ServerAdmin {{ server_admin }} TraceEnable Off +{% if x_forward %} +# RequestHeader unset X-Forwarded-For +{% else %} RequestHeader unset X-Forwarded-For +{% endif %} {% if gzip %} SetOutputFilter DEFLATE @@ -46,7 +50,11 @@ {% endif %} ServerAdmin {{ server_admin }} +{% if x_forward %} +# RequestHeader unset X-Forwarded-For +{% else %} RequestHeader unset X-Forwarded-For +{% endif %} {% if ansible_distribution == 'Fedora' and use_h2 %} Protocols h2 http/1.1 From 255b10c92231db27852164430c0fef6ed22e44cb Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Tue, 6 Apr 2021 13:11:31 -0400 Subject: [PATCH 03/72] Add in roles for f34-f39 and epel9 for counting with old stat program --- roles/web-data-analysis/files/mirrorlist.py | 18 +++++++++++ .../web-data-analysis/files/mirrors-data.awk | 32 +++++++++++++++++-- 2 files changed, 47 insertions(+), 3 deletions(-) diff --git a/roles/web-data-analysis/files/mirrorlist.py b/roles/web-data-analysis/files/mirrorlist.py index 618c6f6b5a..dae6299412 100644 --- a/roles/web-data-analysis/files/mirrorlist.py +++ b/roles/web-data-analysis/files/mirrorlist.py @@ -214,6 +214,12 @@ repo_dict = { "31" : "f31", "32" : "f32", "33" : "f33", + "34" : "f34", + "35" : "f35", + "36" : "f36", + "37" : "f37", + "38" : "f38", + "39" : "f39", "6.89" : "f07", "6.90" : "f07", "6.91" : "f07", @@ -320,6 +326,12 @@ repo_dict = { 'f31' : 'f31', 'f32' : 'f32', 'f33' : 'f33', + 'f34' : 'f34', + 'f35' : 'f35', + 'f36' : 'f36', + 'f37' : 'f37', + 'f38' : 'f38', + 'f39' : 'f39', 'fmodular27' : 'modular_f27', 'fmodular28' : 'modular_f28', 'fmodular29' : 'modular_f29', @@ -334,6 +346,12 @@ repo_dict = { 'modularf31' : 'modular_f31', 'modularf32' : 'modular_f32', 'modularf33' : 'modular_f33', + 'modularf34' : 'modular_f34', + 'modularf35' : 'modular_f35', + 'modularf36' : 'modular_f36', + 'modularf37' : 'modular_f37', + 'modularf38' : 'modular_f38', + 'modularf39' : 'modular_f39', 'rhel4' : 'rhel4', 'rhel5' : 'rhel5', 'rhel6' : 'rhel6', 
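Review bot: With x_forward set, `RequestHeader unset X-Forwarded-For` is skipped entirely, so any X-Forwarded-For value a client sends reaches the backend unmodified and the first address in the chain is attacker-controlled; a backend that trusts that header for logging or rate limiting would then act on a spoofed address. As far as I can tell mod_proxy_http appends the real peer address to X-Forwarded-For after this directive has run, so keeping the unset unconditional should still leave the backend with the proxy-supplied client address, and if an upstream value genuinely must be passed through (a trusted load balancer) it should be gated on the peer address rather than a per-site flag. The same construct appears in the second hunk of this file (new line 50). Either way the commented-out `# RequestHeader unset X-Forwarded-For` inside the if-branch reads like an accident; replace it with an explanatory comment such as `# x_forward: pass the inbound X-Forwarded-For through to the backend unchanged` so the intent is visible.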
diff --git a/roles/web-data-analysis/files/mirrors-data.awk b/roles/web-data-analysis/files/mirrors-data.awk index d70154fa87..3034e63db5 100644 --- a/roles/web-data-analysis/files/mirrors-data.awk +++ b/roles/web-data-analysis/files/mirrors-data.awk @@ -7,6 +7,7 @@ BEGIN{ epel6=0; epel7=0; epel8=0; + epel9=0; f03=0; f04=0; f05=0; @@ -38,6 +39,12 @@ BEGIN{ f31=0; f32=0; f33=0; + f34=0; + f35=0; + f36=0; + f37=0; + f38=0; + f39=0; rawhide=0; rawhide_modular=0; modular_f27=0; @@ -47,6 +54,12 @@ BEGIN{ modular_f31=0; modular_f32=0; modular_f33=0; + modular_f34=0; + modular_f35=0; + modular_f36=0; + modular_f37=0; + modular_f38=0; + modular_f39=0; modular=0; unknown_release = 0; # arch 
@@ -73,7 +86,7 @@ BEGIN{ unknown_arch = 0; centos = 0; rhel = 0; - print olddate ",02-epel4,03-epel5,04-epel6,05-epel7,06-f03,07-f04,08-f05,09-f06,10-f07,11-f08,12-f09,13-f10,14-f11,15-f12,16-f13,17-f14,18-f15,19-f16,20-f17,21-f18,22-f19,23-f20,24-f21,25-f22,26-f23,27-f24,28-f25,29-f26,30-f27,31-f28,32-f29,33-rawhide,34-unk_rel,35-epel,36-fedora,37-alpha,38-arm,39-arm64,40-ia64,41-mips,42-ppc,43-s390,44-sparc,45-tilegx,46-x86_32,47-x86_64,48-x86_32_e,49-x86_32_f,50-x86_64_e,51-x86_64_f,52-ppc_e,53-ppc_f,54-unk_arc,55-centos,56-rhel,57-ppc64,58-ppc64le,59-modular,60-modular_rawhide,61-modular_f27,62-modular_f28,63-modular_f29,64-modular_f30,65-f30,66-f31,67-f32,68-f33,69-modular_f31,70-modular_f32,71-modular_f33,72-epel8"; + print olddate ",02-epel4,03-epel5,04-epel6,05-epel7,06-f03,07-f04,08-f05,09-f06,10-f07,11-f08,12-f09,13-f10,14-f11,15-f12,16-f13,17-f14,18-f15,19-f16,20-f17,21-f18,22-f19,23-f20,24-f21,25-f22,26-f23,27-f24,28-f25,29-f26,30-f27,31-f28,32-f29,33-rawhide,34-unk_rel,35-epel,36-fedora,37-alpha,38-arm,39-arm64,40-ia64,41-mips,42-ppc,43-s390,44-sparc,45-tilegx,46-x86_32,47-x86_64,48-x86_32_e,49-x86_32_f,50-x86_64_e,51-x86_64_f,52-ppc_e,53-ppc_f,54-unk_arc,55-centos,56-rhel,57-ppc64,58-ppc64le,59-modular,60-modular_rawhide,61-modular_f27,62-modular_f28,63-modular_f29,64-modular_f30,65-f30,66-f31,67-f32,68-f33,69-modular_f31,70-modular_f32,71-modular_f33,72-epel8,73-epel9,74-f34,75-f35,76-f36,77-f37,78-f38,79-f39,80-modular_f34,81-modular_f35,82-modular_f36,83-modular_f37,84-modular_f38,85-modular_f39"; olddate="1970-01-02"; } 
@@ -84,6 +97,7 @@ BEGIN{ else if ($3 ~"epel6") { epel6=epel6+1; epel=epel+1} else if ($3 ~"epel7") { epel7=epel7+1; epel=epel+1} else if ($3 ~"epel8") { epel8=epel8+1; epel=epel+1} + else if ($3 ~"epel9") { epel9=epel9+1; epel=epel+1} else if ($3 ~"modular_f27") { modular_f27=modular_f27+1; modular=modular+1; } else if ($3 ~"modular_f28") { modular_f28=modular_f28+1; modular=modular+1; } else if ($3 ~"modular_f29") { modular_f29=modular_f29+1; modular=modular+1; } @@ -91,6 +105,12 @@ BEGIN{ else if ($3 ~"modular_f31") { modular_f31=modular_f31+1; modular=modular+1; } else if ($3 ~"modular_f32") { modular_f32=modular_f32+1; modular=modular+1; } else if ($3 ~"modular_f33") { modular_f33=modular_f33+1; modular=modular+1; } + else if ($3 ~"modular_f34") { modular_f34=modular_f34+1; modular=modular+1; } + else if ($3 ~"modular_f35") { modular_f35=modular_f35+1; modular=modular+1; } + else if ($3 ~"modular_f36") { modular_f36=modular_f36+1; modular=modular+1; } + else if ($3 ~"modular_f37") { modular_f37=modular_f37+1; modular=modular+1; } + else if ($3 ~"modular_f38") { modular_f38=modular_f38+1; modular=modular+1; } + else if ($3 ~"modular_f39") { modular_f39=modular_f39+1; modular=modular+1; } else if ($3 ~"f03") { f03=f03+1; fedora=fedora+1} else if ($3 ~"f04") { f04=f04+1; fedora=fedora+1} else if ($3 ~"f05") { f05=f05+1; fedora=fedora+1} 
@@ -122,6 +142,12 @@ BEGIN{ else if ($3 ~"f31") { f31=f31+1; fedora=fedora+1} else if ($3 ~"f32") { f32=f32+1; fedora=fedora+1} else if ($3 ~"f33") { f33=f33+1; fedora=fedora+1} + else if ($3 ~"f34") { f34=f34+1; fedora=fedora+1} + else if ($3 ~"f35") { f35=f35+1; fedora=fedora+1} + else if ($3 ~"f36") { f36=f36+1; fedora=fedora+1} + else if ($3 ~"f37") { f37=f37+1; fedora=fedora+1} + else if ($3 ~"f38") { f38=f38+1; fedora=fedora+1} + else if ($3 ~"f39") { f39=f39+1; fedora=fedora+1} else if ($3 ~"rawhide_modular") { rawhide_modular=rawhide_modular+1; rawhide=rawhide+1; modular=modular+1; fedora=fedora+1} else if ($3 ~"rawhide") { rawhide=rawhide+1; fedora=fedora+1} else if ($3 ~"modular") { modular=modular+1; fedora=fedora+1 } 
@@ -165,7 +191,7 @@ BEGIN{ else {unknown_arch = unknown_arch +1; }; } else { if ( olddate !~ "1970-01-01" ) { - print olddate "," epel4 "," epel5 "," epel6 "," epel7 "," f03 "," f04 "," f05 "," f06 "," f07 "," f08 "," f09 "," f10 "," f11 "," f12 "," f13 "," f14 "," f15 "," f16 "," f17 "," f18 "," f19 "," f20 "," f21 "," f22 "," f23 "," f24 "," f25 "," f26 "," f27 "," f28 "," f29 "," rawhide "," unknown_release "," epel "," fedora "," alpha "," arm "," arm64 "," ia64 "," mips "," ppc "," s390 "," sparc "," tilegx "," x86_32 "," x86_64 "," x86_32_e "," x86_32_f "," x86_64_e "," x86_64_f "," ppc_e "," ppc_f "," unknown_arch "," centos "," rhel "," ppc64 "," ppc64le "," modular "," rawhide_modular "," modular_f27 "," modular_f28 "," modular_f29 "," modular_f30 "," f30 "," f31 "," f32 "," f33 "," modular_f31 "," modular_f32 "," modular_f33 "," epel8 ; + print olddate "," epel4 "," epel5 "," epel6 "," epel7 "," f03 "," f04 "," f05 "," f06 "," f07 "," f08 "," f09 "," f10 "," f11 "," f12 "," f13 "," f14 "," f15 "," f16 "," f17 "," f18 "," f19 "," f20 "," f21 "," f22 "," f23 "," f24 "," f25 "," f26 "," f27 "," f28 "," f29 "," rawhide "," unknown_release "," epel "," fedora "," alpha "," arm "," arm64 "," ia64 "," mips "," ppc "," s390 "," sparc "," tilegx "," x86_32 "," x86_64 "," x86_32_e "," x86_32_f "," x86_64_e "," x86_64_f "," ppc_e "," ppc_f "," unknown_arch "," centos "," rhel "," ppc64 "," ppc64le "," modular "," rawhide_modular "," modular_f27 "," modular_f28 "," modular_f29 "," modular_f30 "," f30 "," f31 "," f32 "," f33 "," modular_f31 "," modular_f32 "," modular_f33 "," epel8 "," epel9 "," f34 "," f35 "," f36 "," f37 "," f38 "," f39 "," modular_f34 "," modular_f35 "," modular_f36 "," modular_f37 "," modular_f38 "," modular_f39 ; }; olddate=$1 epel=0; 
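Review bot: The per-date reset block that follows `olddate=$1 epel=0;` at the end of this hunk is not touched by the patch (the line offset between this hunk and the END hunk is unchanged), so if that block zeroes each counter individually as BEGIN does, the new epel9, f34–f39 and modular_f34–modular_f39 counters are never reset and accumulate across days in the printed rows. Every counter added in the BEGIN hunks needs a matching `f34=0;`-style line there as well. The rule chain starts before this hunk and the reset block continues after it, so I cannot confirm from the hunk alone; please check.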
@@ -246,7 +272,7 @@ BEGIN{ } END { - print olddate "," epel4 "," epel5 "," epel6 "," epel7 "," f03 "," f04 "," f05 "," f06 "," f07 "," f08 "," f09 "," f10 "," f11 "," f12 "," f13 "," f14 "," f15 "," f16 "," f17 "," f18 "," f19 "," f20 "," f21 "," f22 "," f23 "," f24 "," f25 "," f26 "," f27 "," f28 "," f29 "," rawhide "," unknown_release "," epel "," fedora "," alpha "," arm "," arm64 "," ia64 "," mips "," ppc "," s390 "," sparc "," tilegx "," x86_32 "," x86_64 "," x86_32_e "," x86_32_f "," x86_64_e "," x86_64_f "," ppc_e "," ppc_f "," unknown_arch "," centos "," rhel "," ppc64 "," ppc64le "," modular "," rawhide_modular "," modular_f27 "," modular_f28 "," modular_f29 "," modular_f30 "," f30 "," f31 "," f32 "," f33 "," modular_f31 "," modular_f32 "," modular_f33 "," epel8 ; + print olddate "," epel4 "," epel5 "," epel6 "," epel7 "," f03 "," f04 "," f05 "," f06 "," f07 "," f08 "," f09 "," f10 "," f11 "," f12 "," f13 "," f14 "," f15 "," f16 "," f17 "," f18 "," f19 "," f20 "," f21 "," f22 "," f23 "," f24 "," f25 "," f26 "," f27 "," f28 "," f29 "," rawhide "," unknown_release "," epel "," fedora "," alpha "," arm "," arm64 "," ia64 "," mips "," ppc "," s390 "," sparc "," tilegx "," x86_32 "," x86_64 "," x86_32_e "," x86_32_f "," x86_64_e "," x86_64_f "," ppc_e "," ppc_f "," unknown_arch "," centos "," rhel "," ppc64 "," ppc64le "," modular "," rawhide_modular "," modular_f27 "," modular_f28 "," modular_f29 "," modular_f30 "," f30 "," f31 "," f32 "," f33 "," modular_f31 "," modular_f32 "," modular_f33 "," epel8 "," epel9 "," f34 "," f35 "," f36 "," f37 "," f38 "," f39 "," modular_f34 "," modular_f35 "," modular_f36 "," modular_f37 "," modular_f38 "," modular_f39 ; } From 12dc83f767273d90470dc368967c11ec36a28806 Mon Sep 17 00:00:00 2001 
From: "Frank Ch. Eigler" Date: Mon, 5 Apr 2021 21:15:33 -0400 Subject: [PATCH 04/72] debuginfod: vm configuration for running service with ansible-based config file --- files/debuginfod/sysconfig.debuginfod | 16 ++++++++++++++++ playbooks/groups/debuginfod.yml | 12 ++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 files/debuginfod/sysconfig.debuginfod diff --git a/files/debuginfod/sysconfig.debuginfod b/files/debuginfod/sysconfig.debuginfod new file mode 100644 index 0000000000..5e8d2f1e9d --- /dev/null +++ b/files/debuginfod/sysconfig.debuginfod @@ -0,0 +1,16 @@ +# +DEBUGINFOD_PORT="8002" +DEBUGINFOD_VERBOSE="-vv" + +DEBUGINFOD_PATHS="--fdcache-fds=512 -t3600 -R /mnt/fedora_koji_prod/koji/packages -X /data/ -I \.(module_f|fc)(32|33|34|35)[.+].*\.rpm" + +# prefer reliability/durability over performance +#DEBUGINFOD_PRAGMAS="-D 'pragma synchronous=full;'" + +# upstream debuginfods +#DEBUGINFOD_URLS="http://secondhost:8002 http://thirdhost:8002" +#DEBUGINFOD_TIMEOUT="5" +#DEBUGINFOD_CACHE_DIR="" + +# Don't use tmpfs /tmp on scarce-RAM machine. +TMPDIR=/var/tmp diff --git a/playbooks/groups/debuginfod.yml b/playbooks/groups/debuginfod.yml index cb847a86fd..45057df029 100644 --- a/playbooks/groups/debuginfod.yml +++ b/playbooks/groups/debuginfod.yml @@ -28,6 +28,18 @@ tasks: - import_tasks: "{{ tasks_path }}/motd.yml" + + - name: install debuginfod + package: name=elfutils-debuginfod state=present + - name: install debuginfod configuration + copy: src="{{ files }}/debuginfod/sysconfig.debuginfod" dest=/etc/sysconfig/debuginfod owner=root group=root mode=644 + + - name: ensure debuginfod is enabled and started + service: + name: debuginfod + state: started + enabled: yes + handlers: - import_tasks: "{{ handlers_path }}/restart_services.yml" From ed70717dcc60a7abc56ce95b5dcff2b062226f52 Mon Sep 17 00:00:00 2001 
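Review bot: The `-I` include regex in DEBUGINFOD_PATHS hard-codes the release list `(32|33|34|35)`, and the file's only comment is the empty `#` on the first line, so nothing tells the next operator that the list has to be extended at each release or what `-X /data/` is excluding. A header comment such as `# Index only rpms built for these Fedora releases (fcNN / module_fNN); extend the list when a new release branches` would make that explicit. `DEBUGINFOD_VERBOSE="-vv"` is also set unconditionally; a note on whether that verbosity is intended for production log volume would help.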
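Review bot: The `copy` task that installs /etc/sysconfig/debuginfod has no `notify`, and the following `service` task only ensures the unit is started, so a later change to the sysconfig file is deployed but not applied until something else restarts debuginfod. Add `notify: restart debuginfod` to the copy task and make sure a matching handler exists; the playbook imports `restart_services.yml`, which may already define one, so verify rather than duplicate. `mode=644` works in the key=value form, but `mode=0644` is the conventional spelling and avoids the decimal/octal ambiguity if the task is later converted to YAML.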
From: "Frank Ch. Eigler" Date: Mon, 5 Apr 2021 21:30:09 -0400 Subject: [PATCH 05/72] debuginfod vms: add a few more useful packages --- playbooks/groups/debuginfod.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/groups/debuginfod.yml b/playbooks/groups/debuginfod.yml index 45057df029..b4bb16a3fa 100644 --- a/playbooks/groups/debuginfod.yml +++ b/playbooks/groups/debuginfod.yml @@ -32,6 +32,12 @@ - name: install debuginfod package: name=elfutils-debuginfod state=present + - name: install sqlite for diagnostics + package: name=sqlite state=present + + - name: install rsync for data backups + package: name=rsync state=present + - name: install debuginfod configuration copy: src="{{ files }}/debuginfod/sysconfig.debuginfod" dest=/etc/sysconfig/debuginfod owner=root group=root mode=644 From 3d06840a0fc7e925d52c2befd31a4a1592b549bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Tue, 6 Apr 2021 21:24:59 +0200 Subject: [PATCH 06/72] oraculum: Enable Private Bugs --- .../oraculum/templates/deploymentconfig.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml index 667804a2f7..66d4bb65a1 100644 --- a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml +++ b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml @@ -77,6 +77,8 @@ spec: {% else %} value: "bastion.iad2.fedoraproject.org;;;watchdog@packager-dashboard.fedoraproject.org;" {% endif %} + - name: BZ_API_KEY + value: "{{ oraculum_bz_api_key }}" volumeMounts: - name: oraculum-secret-volume mountPath: /opt/app-root/secret/ @@ -176,6 +178,8 @@ spec: {% else %} value: "bastion.iad2.fedoraproject.org;;;watchdog@packager-dashboard.fedoraproject.org;" {% endif %} + - name: BZ_API_KEY + value: "{{ oraculum_bz_api_key }}" volumeMounts: - name: oraculum-secret-volume mountPath: /opt/app-root/secret/ 
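Review bot: The Bugzilla API key is injected as a plain `value:` in the container env, so it is readable by anyone who can view the DeploymentConfig or pod spec and appears in `oc describe` output and object dumps; vault may protect the value at rest in the inventory, but not in the rendered object. The pod already mounts `oraculum-secret-volume`, so the key could be stored in that Secret and referenced with `valueFrom: {secretKeyRef: {name: <secret-name>, key: <key-name>}}` (placeholders) or read from the mounted path. The same block is repeated in the second hunk here and in both hunks of the next chunk of this file, so whichever approach is chosen should be applied to all four containers.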
@@ -259,6 +263,8 @@ spec: {% else %} value: "bastion.iad2.fedoraproject.org;;;watchdog@packager-dashboard.fedoraproject.org;" {% endif %} + - name: BZ_API_KEY + value: "{{ oraculum_bz_api_key }}" volumeMounts: - name: oraculum-secret-volume mountPath: /opt/app-root/secret/ @@ -344,6 +350,8 @@ spec: {% else %} value: "bastion.iad2.fedoraproject.org;;;watchdog@packager-dashboard.fedoraproject.org;" {% endif %} + - name: BZ_API_KEY + value: "{{ oraculum_bz_api_key }}" volumeMounts: - name: oraculum-secret-volume mountPath: /opt/app-root/secret/ From d7769069863ae57785afb3c39410669cd6d19c75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Wed, 7 Apr 2021 11:48:06 +0200 Subject: [PATCH 07/72] oraculum: Use 4 workers per container --- roles/openshift-apps/oraculum/templates/deploymentconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml index 66d4bb65a1..a74dc5c396 100644 --- a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml +++ b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml @@ -135,7 +135,7 @@ spec: containers: - name: oraculum-worker image: packager-dashboard:latest - command: ["celery", "-A", "oraculum.celery_app", "worker", "-c", "8", "--loglevel=INFO"] + command: ["celery", "-A", "oraculum.celery_app", "worker", "-c", "4", "--loglevel=INFO"] resources: {} env: # Database From b05efc7091e7959588e4e355ecdf0e0c5c031053 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Wed, 7 Apr 2021 12:06:43 +0200 Subject: [PATCH 08/72] oraculum: Try 1 worker per container --- roles/openshift-apps/oraculum/templates/deploymentconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml index a74dc5c396..0e07eeb0ae 100644 
--- a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml +++ b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml @@ -135,7 +135,7 @@ spec: containers: - name: oraculum-worker image: packager-dashboard:latest - command: ["celery", "-A", "oraculum.celery_app", "worker", "-c", "4", "--loglevel=INFO"] + command: ["celery", "-A", "oraculum.celery_app", "worker", "-c", "1", "--loglevel=INFO"] resources: {} env: # Database From 26bfef78536fd7efe73ef959569f2a640f562c61 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 7 Apr 2021 12:12:39 +0200 Subject: [PATCH 09/72] fedocal: build in staging from the staging branch again Signed-off-by: Pierre-Yves Chibon --- roles/openshift-apps/fedocal/templates/buildconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/fedocal/templates/buildconfig.yml b/roles/openshift-apps/fedocal/templates/buildconfig.yml index 91c32940a5..19f8e9e614 100644 --- a/roles/openshift-apps/fedocal/templates/buildconfig.yml +++ b/roles/openshift-apps/fedocal/templates/buildconfig.yml @@ -14,7 +14,7 @@ spec: git: uri: https://pagure.io/fedocal.git {% if env == 'staging' %} - ref: "debug" + ref: "staging" {% else %} ref: "production" {% endif %} From 5323f6d5fceffe186004ebee2f46463001a71415 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Wed, 7 Apr 2021 12:36:52 +0200 Subject: [PATCH 10/72] oraculum: Set workers back to 8 per container --- roles/openshift-apps/oraculum/templates/deploymentconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml index 0e07eeb0ae..66d4bb65a1 100644 --- a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml +++ b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml 
@@ -135,7 +135,7 @@ spec: containers: - name: oraculum-worker image: packager-dashboard:latest - command: ["celery", "-A", "oraculum.celery_app", "worker", "-c", "1", "--loglevel=INFO"] + command: ["celery", "-A", "oraculum.celery_app", "worker", "-c", "8", "--loglevel=INFO"] resources: {} env: # Database From 764ef65e9821f86af761442ba8574ed92b49abe1 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Wed, 7 Apr 2021 10:24:11 -0400 Subject: [PATCH 11/72] Change named settings for tcp connections In order to try and fix the number of TCP connections allowed to get to the dns servers by increasing from the default 100 to 1000. This will hopefully help fix the issue in https://pagure.io/fedora-infrastructure/issue/9850 where the name servers are not able to answer TCP connections after a while. Signed-off-by: Stephen Smoogen --- roles/dns/files/named.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf index ffee5d389e..14af8f83b4 100644 --- a/roles/dns/files/named.conf +++ b/roles/dns/files/named.conf @@ -37,9 +37,11 @@ options { pid-file "/var/run/named/named.pid"; statistics-file "/var/log/named.stats"; provide-ixfr no; + tcp-clients 1000; version "cowbell++"; - listen-on port 53 { + + listen-on port 53 { any; }; listen-on-v6 port 53 { From a81783e13edf15410e2584c90a929f1380dd0614 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Wed, 7 Apr 2021 10:32:16 -0400 Subject: [PATCH 12/72] Update per pspacek to 100k TCP connections Signed-off-by: Stephen Smoogen --- roles/dns/files/named.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf index 14af8f83b4..2e65c75ec1 100644 --- a/roles/dns/files/named.conf +++ b/roles/dns/files/named.conf 
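Review bot: `tcp-clients 1000` only takes effect if named can actually open that many descriptors; as far as I recall BIND clamps tcp-clients to the process file-descriptor limit and logs a warning, so the `files` option or the unit's LimitNOFILE should be checked alongside this change and the dependency noted in place, e.g. `tcp-clients 1000;  // fedora-infrastructure #9850; requires an nofile limit above this`. The symptom in the commit message (TCP stops being answered after a while) is also consistent with clients holding connections open until the limit is reached, so watching the tcp client count in `rndc status` after the change would show whether the limit or a leak is the cause. The hunk also adds a stray blank line before `listen-on port 53 {` that looks unintended.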
@@ -37,7 +37,7 @@ options { pid-file "/var/run/named/named.pid"; statistics-file "/var/log/named.stats"; provide-ixfr no; - tcp-clients 1000; + tcp-clients 100000; version "cowbell++"; From a67c6ed272cde3e0a4f3eb903498b2b886856361 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Wed, 7 Apr 2021 10:40:45 -0400 Subject: [PATCH 13/72] Did not read pspaceks comment correctly. If we were running fedora on nameservers we could go to 100k. For EL8/7 we can go to 1000 Signed-off-by: Stephen Smoogen --- roles/dns/files/named.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf index 2e65c75ec1..14af8f83b4 100644 --- a/roles/dns/files/named.conf +++ b/roles/dns/files/named.conf @@ -37,7 +37,7 @@ options { pid-file "/var/run/named/named.pid"; statistics-file "/var/log/named.stats"; provide-ixfr no; - tcp-clients 100000; + tcp-clients 1000; version "cowbell++"; From cb4524e34f6a3eb115232407b5cf985c804d3040 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 7 Apr 2021 12:43:18 -0700 Subject: [PATCH 14/72] releng-compose / compose-rawhide: add mount for ftp archive volume We are going to sync the contents from fedora_ftp/pub/archive over to fedora_ftp_archive volume. This will free up 17TB or so on the SSD aggregate that fedora_ftp is on. This will mean more mirror churn when we archive old releases, but there's not much else we can do besides this or more ssd storage. This is ok to do during freeze as compose-rawhide is not frozen. :) Signed-off-by: Kevin Fenzi --- playbooks/groups/releng-compose.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 5b6c4de611..9b7a070a0e 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml 
@@ -74,6 +74,11 @@ mnt_dir: '/pub' nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' when: "'releng_compose' in group_names" + + - role: nfs/client + mnt_dir: '/srv/fedora_ftp_archive' + nfs_src_dir: 'fedora_ftp_archive' + when: inventory_hostname.startswith('compose-rawhide') # # mount archive volumes on composer so we can run the archiving script there. # From 692647ed866d22f8b5a65e07c12706a671f2bf78 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 7 Apr 2021 10:50:49 +0200 Subject: [PATCH 15/72] people: when making the people page account for home directory we can't get into Signed-off-by: Pierre-Yves Chibon --- roles/people/files/make-people-page.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/people/files/make-people-page.py b/roles/people/files/make-people-page.py index a38ea04ea1..295a70c41f 100644 --- a/roles/people/files/make-people-page.py +++ b/roles/people/files/make-people-page.py @@ -178,8 +178,14 @@ for hdir in homedirs: continue user["name"] = pwentry.pw_gecos - user["has_public_html"] = (hdir / "public_html").is_dir() - user["has_public_git"] = (hdir / "public_git").is_dir() + try: + user["has_public_html"] = (hdir / "public_html").is_dir() + except PermissionError: + user["has_public_html"] = False + try: + user["has_public_git"] = (hdir / "public_git").is_dir() + except PermissionError: + user["has_public_git"] = False user["email_hash"] = hashlib.md5( f"{user['name'].lower()}@fedoraproject.org".encode("utf-8") ).hexdigest() From 26ca32d11d49c0e332c33607e4b0cac7e264f9c7 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 7 Apr 2021 21:39:17 +0200 Subject: [PATCH 16/72] people: Do not try to chown the file, the cron already runs as apache Signed-off-by: Pierre-Yves Chibon --- roles/people/files/make-people-page.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) 
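Review bot: Catching only PermissionError still lets any other `OSError` from `is_dir()` on a home directory (a stale NFS handle, an I/O error, a dangling mount) abort the whole page build, which is the same class of failure the commit is trying to survive; unless a crash is wanted for those cases, `except OSError:` is the safer net, PermissionError being a subclass of it. The two identical try/except blocks would also read better as one small helper that returns `path.is_dir()` and falls back to False on OSError, called once for each directory. The enclosing `for hdir in homedirs:` loop starts before this hunk.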
diff --git a/roles/people/files/make-people-page.py b/roles/people/files/make-people-page.py index 295a70c41f..d5240d197c 100644 --- a/roles/people/files/make-people-page.py +++ b/roles/people/files/make-people-page.py @@ -207,11 +207,16 @@ out_file_grp = grp.getgrnam("web").gr_gid with open(out_file, "w", encoding="utf-8") as handle: handle.write(page_output) -# keep current owner uid -st = out_file.stat() -out_file_uid = st.st_uid +# The code below was present originally, however the cron job is ran under the +# `apache` user so it is not clear what this was meant to do. +# This is being kept here for convenience in case we need to re-activate this +# code, down the line this should just be removed. +# keep current owner uid +#st = out_file.stat() +#out_file_uid = st.st_uid +# # give write permissions to group -out_file.chmod(st.st_mode | stat.S_IWGRP) +#out_file.chmod(st.st_mode | stat.S_IWGRP) # chown out file to group -os.chown(out_file, out_file_uid, out_file_grp) +#os.chown(out_file, out_file_uid, out_file_grp) From 1b362400f54017efdd445c3a48a6aaebecd17357 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Thu, 8 Apr 2021 12:00:41 +0200 Subject: [PATCH 17/72] oraculum: Increase timeouts of probes --- roles/openshift-apps/oraculum/templates/deploymentconfig.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml index 66d4bb65a1..a4b7f71a1a 100644 --- a/roles/openshift-apps/oraculum/templates/deploymentconfig.yml +++ b/roles/openshift-apps/oraculum/templates/deploymentconfig.yml @@ -84,13 +84,13 @@ spec: mountPath: /opt/app-root/secret/ readOnly: true readinessProbe: - timeoutSeconds: 1 + timeoutSeconds: 5 initialDelaySeconds: 5 httpGet: path: / port: 8080 livenessProbe: - timeoutSeconds: 1 + timeoutSeconds: 15 initialDelaySeconds: 30 httpGet: path: / 
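Review bot: Commenting the chown/chmod block out rather than deleting it leaves dead code that git history already preserves, and it orphans `out_file_grp = grp.getgrnam("web").gr_gid` in the hunk's context line, which now performs a group lookup nobody uses (the `stat` and `os` imports at the top of the file are presumably unused now too; worth checking). If the block is kept for reference, the new comment should at least state what the removal changes on disk: the output file now keeps whatever mode the apache user's umask gives it and is no longer made group-writable for `web`. Otherwise drop the block and the `grp` lookup together, leaving a one-liner such as `# Output is written directly by the apache cron user; no ownership fix-up needed.`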
From a889649c468fcb2acb51669a91e8306b1cf9a33d Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 8 Apr 2021 09:18:25 -0700 Subject: [PATCH 18/72] openqa: bump asset size allocations a bit We have more space on the IAD servers, so let's use it. Signed-off-by: Adam Williamson --- inventory/group_vars/openqa | 1 - inventory/group_vars/openqa_lab | 4 +--- inventory/group_vars/openqa_servers_common | 4 +++- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/inventory/group_vars/openqa b/inventory/group_vars/openqa index 6334538249..ae0e78f4fb 100644 --- a/inventory/group_vars/openqa +++ b/inventory/group_vars/openqa @@ -6,7 +6,6 @@ external_hostname: openqa.fedoraproject.org openqa_dbname: openqa openqa_dbuser: openqa openqa_dbpassword: "{{ prod_openqa_dbpassword }}" -openqa_assetsize: 500 openqa_key: "{{ prod_openqa_apikey }}" openqa_secret: "{{ prod_openqa_apisecret }}" diff --git a/inventory/group_vars/openqa_lab b/inventory/group_vars/openqa_lab index 3559ab3ed5..826ab24922 100644 --- a/inventory/group_vars/openqa_lab +++ b/inventory/group_vars/openqa_lab @@ -17,9 +17,7 @@ external_hostname: openqa.stg.fedoraproject.org openqa_dbname: openqa-stg openqa_dbuser: openqastg openqa_dbpassword: "{{ stg_openqa_dbpassword }}" -openqa_assetsize: 400 -openqa_assetsize_ppc: 150 -openqa_assetsize_aarch64: 150 +openqa_assetsize_ppc: 300 openqa_key: "{{ stg_openqa_apikey }}" openqa_secret: "{{ stg_openqa_apisecret }}" diff --git a/inventory/group_vars/openqa_servers_common b/inventory/group_vars/openqa_servers_common index 194cae6a7b..024ce80efc 100644 --- a/inventory/group_vars/openqa_servers_common +++ b/inventory/group_vars/openqa_servers_common 
@@ -9,7 +9,9 @@ openqa_nickname: adamwill openqa_fullname: Adam Williamson openqa_userid: http://adamwill.id.fedoraproject.org/ -openqa_assetsize_updates: 100 +openqa_assetsize: 600 +openqa_assetsize_aarch64: 300 +openqa_assetsize_updates: 200 # stg and prod use the same database server openqa_dbhost: db-openqa01.iad2.fedoraproject.org From 61af6f34cae2678d8fd08514ad328ed89410bbf5 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 8 Apr 2021 09:23:28 -0700 Subject: [PATCH 19/72] openQA: update server config (disable audit, tweak cleanup) We never use the auditing stuff, so let's turn it off (and set short limits for audit event duration so we can run the cleanup and get rid of existing audit events). Let's also use the new setting that only runs asset cleanup if free space is low. Signed-off-by: Adam Williamson --- roles/openqa/server/templates/openqa.ini.j2 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/roles/openqa/server/templates/openqa.ini.j2 b/roles/openqa/server/templates/openqa.ini.j2 index aa87a2e9c7..d2b5faca24 100644 --- a/roles/openqa/server/templates/openqa.ini.j2 +++ b/roles/openqa/server/templates/openqa.ini.j2 @@ -1,4 +1,5 @@ [global] +audit_enabled = 0 branding = plain base_url = https://{{ external_hostname }} download_domains = fedoraproject.org @@ -13,12 +14,26 @@ topic_prefix = {{ openqa_amqp_publisher_prefix }} url = {{ openqa_amqp_publisher_url }} exchange = {{ openqa_amqp_publisher_exchange }} +[audit/storage_duration] +startup = 7 +jobgroup = 7 +jobtemplate = 7 +table = 7 +iso = 7 +user = 7 +asset = 7 +needle = 7 +other = 7 + [auth] method=OpenID [logging] level=info +[misc_limits] +asset_cleanup_max_free_percentage = 20 + [openid] provider = https://id.fedoraproject.org/ httpsonly = 1 From c37d51d236c444055b7d2bc94ca546ccb0104d5b Mon Sep 17 00:00:00 2001 
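Review bot: `audit_enabled = 0` switches off openQA's audit log entirely, which is the only record of who changed job groups, templates, users and API keys; the retention limits added under `[audit/storage_duration]` already bound the table size on their own, so if growth was the concern the log could be kept with a short retention rather than disabled. If disabling is deliberate, a comment in the template saying so, and where admin changes are traced instead, would stop a future reader from re-enabling it by accident, e.g. `# audit log disabled on purpose; admin changes are reviewed via <fill in>`. `asset_cleanup_max_free_percentage = 20` also deserves the one-line explanation the commit message gives (cleanup runs only when free space is low) since the file itself says nothing.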
From: "Frank Ch. Eigler" Date: Thu, 8 Apr 2021 12:17:07 -0400 Subject: [PATCH 20/72] proxies/debuginfod: allow proxyopts debuginfod can take O(60s) to run certain webapi queries, so the httpd mod_proxy default timeouts are too short. Introduce an ansible variable "proxyopts", expanded into the httpd ProxyPass and ProxyPassReverse configuration lines. Default to "", but set it with pretty generous limits for debuginfod only. --- playbooks/include/proxies-reverseproxy.yml | 1 + roles/httpd/reverseproxy/tasks/main.yml | 1 + roles/httpd/reverseproxy/templates/reversepassproxy.conf | 4 ++-- roles/httpd/reverseproxy/vars/main.yml | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 74afa85e09..867bb724fa 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -754,5 +754,6 @@ remotepath: / localpath: / proxyurl: http://debuginfod01:8002 + proxyopts: "connectiontimeout=600 timeout=600 keepalive=on" tags: debuginfod diff --git a/roles/httpd/reverseproxy/tasks/main.yml b/roles/httpd/reverseproxy/tasks/main.yml index 23e37d9399..9ed5604877 100644 --- a/roles/httpd/reverseproxy/tasks/main.yml +++ b/roles/httpd/reverseproxy/tasks/main.yml @@ -5,6 +5,7 @@ # - proxyurl # - rewrite # - keephost +# - proxyopts - name: Set OpenShift information if not preconfigured set_fact: diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf index 2c3a2dd956..148175b004 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf 
@@ -64,6 +64,6 @@ RewriteRule .* "balancer://{{ balancer_name }}-websocket%{REQUEST_URI}" [P] ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}" ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}" {% else %} -ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} -ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} +ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }} +ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }} {% endif %} diff --git a/roles/httpd/reverseproxy/vars/main.yml b/roles/httpd/reverseproxy/vars/main.yml index 7bf5f2354f..d88f2e67d1 100644 --- a/roles/httpd/reverseproxy/vars/main.yml +++ b/roles/httpd/reverseproxy/vars/main.yml @@ -7,3 +7,4 @@ header_scheme: false keephost: false targettype: plain http_not_https_yes_this_is_insecure_and_i_feel_bad: false +proxyopts: "" From a93b8d24c01c1bd6af116ae7b596fd0baf2605dd Mon Sep 17 00:00:00 2001 From: "Frank Ch. Eigler" Date: Thu, 8 Apr 2021 12:18:29 -0400 Subject: [PATCH 21/72] debuginfod proxies: enable gzip elf/dwarf/source-code data from debuginfod is highly compressible. Let's trade proxy CPU for reduce network traffic. --- playbooks/include/proxies-websites.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 12a7b6cea4..69b84346d9 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -975,6 +975,7 @@ server_aliases: [debuginfod.stg.fedoraproject.org] x_forward: true cert_name: "{{wildcard_cert_name}}" + gzip: true tags: debuginfod - role: httpd/website From 596af2682b715a65067c95e516ef764223dbc3b7 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Apr 2021 14:12:39 -0700 Subject: [PATCH 22/72] Default x_forward to false to make last commit work Signed-off-by: Kevin Fenzi --- inventory/group_vars/all | 3 +++ 1 file changed, 3 insertions(+) 
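Review bot: `{{ proxyopts }}` is expanded verbatim and unquoted into the `ProxyPass` and `ProxyPassReverse` lines of reversepassproxy.conf, so whatever the inventory puts in that variable becomes raw httpd directive text; the `# - proxyopts` entry added to tasks/main.yml should say so, e.g. `# - proxyopts (extra key=value ProxyPass options, inserted verbatim; keep it to mod_proxy parameters)`. ProxyPassReverse does not take key=value parameters, so any non-empty value yields an invalid directive on that line — PATCH 25/72 later on this page removes it from ProxyPassReverse. The 600-second `connectiontimeout`/`timeout` set for debuginfod also means each slow backend request pins a proxy worker for up to ten minutes, which deserves a comment in proxies-reverseproxy.yml stating why debuginfod needs it.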
diff --git a/inventory/group_vars/all b/inventory/group_vars/all index b2abe1f99b..fdfbafff86 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -426,3 +426,6 @@ sshd_sftp: false # Autodetect python version # ansible_python_interpreter: auto + +# set no x-forward header by default +x_forward: false From 469cc3e027b1f1afb5c22612f3f705d5c3b1ae89 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Apr 2021 14:47:21 -0700 Subject: [PATCH 23/72] buildvm-a32-01.stg: switch to f34 and see if OOM bug is still there Signed-off-by: Kevin Fenzi --- inventory/group_vars/buildvm_armv7_stg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/inventory/group_vars/buildvm_armv7_stg b/inventory/group_vars/buildvm_armv7_stg index 88e0c4ee94..2999c07f00 100644 --- a/inventory/group_vars/buildvm_armv7_stg +++ b/inventory/group_vars/buildvm_armv7_stg @@ -2,12 +2,12 @@ # common items for the buildvm-* koji builders volgroup: /dev/vg_guests lvm_size: 140000 -mem_size: 24576 +mem_size: 40960 max_mem_size: "{{ mem_size }}" num_cpus: 5 max_cpu: "{{ num_cpus }}" -ks_url: http://10.3.163.35/repo/rhel/ks/buildvm-fedora-33-armv7 -ks_repo: http://10.3.163.35/pub/fedora/linux/releases/33/Server/armhfp/os/ +ks_url: http://10.3.163.35/repo/rhel/ks/buildvm-fedora-34-armv7 +ks_repo: http://10.3.163.35/pub/fedora/linux/releases/34/Server/armhfp/os/ nm: 255.255.255.0 gw: 10.3.167.254 dns: 10.3.163.33 From 1d57a0787686ba4c883723faa4ef13af50f41e72 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Apr 2021 14:51:25 -0700 Subject: [PATCH 24/72] buildvm-a32-01.stg: need to define eth0_ip also for virt-install Signed-off-by: Kevin Fenzi --- inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org b/inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org index 6b98c1a399..f9549bc198 100644 
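Review bot: The comment `# set no x-forward header by default` above `x_forward: false` describes the default but not what the flag controls; if, as its name and the debuginfod use in PATCH 21/72 suggest, setting it to true makes the proxy keep the inbound `X-Forwarded-For` header instead of unsetting it, then any site enabling it passes client-supplied header values straight through to the backend. Suggest `# x_forward: when true the proxy keeps the client-supplied X-Forwarded-For header instead of unsetting it; enable only for backends that do not use that header for access decisions or trust it in logs`. Keeping the default at false is the right choice.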
--- a/inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org +++ b/inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org @@ -6,6 +6,7 @@ dns1: 10.3.163.33 dns2: 10.3.163.34 has_ipv4: yes +eth0_ip: 10.3.167.46 eth0_ipv4: 10.3.167.46 eth0_ipv4_nm: 24 eth0_ipv4_gw: 10.3.167.254 From 77d79cfe8a52953a66ce1a0b65a4fcac9587be64 Mon Sep 17 00:00:00 2001 From: "Frank Ch. Eigler" Date: Thu, 8 Apr 2021 17:49:25 -0400 Subject: [PATCH 25/72] debuginfod proxy: fix ProxyPassReverse typo (no proxyopts there) --- roles/httpd/reverseproxy/templates/reversepassproxy.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf index 148175b004..28b72b0473 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf @@ -65,5 +65,5 @@ ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}" ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}" {% else %} ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }} -ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }} +ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} {% endif %} From 18bc52df65470092c5f9b23bd132fcc259443689 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Apr 2021 14:55:00 -0700 Subject: [PATCH 26/72] buildvm-a32-01.stg: f34 is not released yet Signed-off-by: Kevin Fenzi --- inventory/group_vars/buildvm_armv7_stg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/buildvm_armv7_stg b/inventory/group_vars/buildvm_armv7_stg index 2999c07f00..c86a9dcc96 100644 --- a/inventory/group_vars/buildvm_armv7_stg +++ b/inventory/group_vars/buildvm_armv7_stg 
@@ -7,7 +7,7 @@ max_mem_size: "{{ mem_size }}" num_cpus: 5 max_cpu: "{{ num_cpus }}" ks_url: http://10.3.163.35/repo/rhel/ks/buildvm-fedora-34-armv7 -ks_repo: http://10.3.163.35/pub/fedora/linux/releases/34/Server/armhfp/os/ +ks_repo: http://10.3.163.35/pub/fedora/linux/development/34/Server/armhfp/os/ nm: 255.255.255.0 gw: 10.3.167.254 dns: 10.3.163.33 From e9966e543c556854eac1d0832ac6e9451766ed15 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Apr 2021 15:28:44 -0700 Subject: [PATCH 27/72] virt-install: use inst. in front of anaconda parameters Signed-off-by: Kevin Fenzi --- inventory/group_vars/all | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/inventory/group_vars/all b/inventory/group_vars/all index fdfbafff86..527db55b48 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -91,7 +91,7 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0 + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} 
@@ -101,7 +101,7 @@ virt_install_command_two_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0 + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' @@ -113,7 +113,7 @@ virt_install_command_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0 + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} 
@@ -123,7 +123,7 @@ virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0 + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' @@ -135,7 +135,7 @@ virt_install_command_ppc64le_one_nic_unsafe: virt-install -n {{ inventory_hostna --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0 + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} 
@@ -145,7 +145,7 @@ virt_install_command_ppc64le_two_nic_unsafe: virt-install -n {{ inventory_hostna --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0 + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' @@ -157,7 +157,7 @@ virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} @@ -167,7 +167,7 @@ virt_install_command_aarch64_one_nic_unsafe: virt-install -n {{ inventory_hostna --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} 
@@ -177,7 +177,7 @@ virt_install_command_aarch64_2nd_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address }} @@ -187,7 +187,7 @@ virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' @@ -199,7 +199,7 @@ virt_install_command_armv7_one_nic: virt-install -n {{ inventory_hostname }} --a --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0 + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyAMA0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }} 
@@ -209,7 +209,7 @@ virt_install_command_armv7_one_nic_unsafe: virt-install -n {{ inventory_hostname --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0 + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyAMA0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }} @@ -219,7 +219,7 @@ virt_install_command_s390x_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} @@ -229,7 +229,7 @@ virt_install_command_s390x_one_nic_unsafe: virt-install -n {{ inventory_hostname --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} + 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} 
@@ -239,7 +239,7 @@ virt_install_command_rhel6: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x - "ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }} + "inst.ksdevice=eth0 inst.ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }} gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }}" --network=bridge=br0 --autostart --noautoconsole --watchdog default From 5c397154fcccfc554bc1a72dcfb8b57af1aa5e5e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Apr 2021 15:44:37 -0700 Subject: [PATCH 28/72] buildvm-a32-01.stg: new install, new mac Signed-off-by: Kevin Fenzi --- inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org b/inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org index f9549bc198..5619cec3a7 100644 --- a/inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org +++ b/inventory/host_vars/buildvm-a32-01.stg.iad2.fedoraproject.org @@ -13,7 +13,7 @@ eth0_ipv4_gw: 10.3.167.254 has_ipv6: no -mac0: 52:54:00:d7:04:aa +mac0: 52:54:00:d4:6a:ca network_connections: - name: eth0 From cc736849e2606552b07ed1b0d62a2d6c59ae6a3e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Apr 2021 17:15:51 -0700 Subject: [PATCH 29/72] ipa/client: split out prod and stg ipa user/group ignore file We need to also add mock to sssd ignore groups/users, but for now since we are frozen, only do this in staging. After freeze, we should merge this back into one file. Signed-off-by: Kevin Fenzi --- roles/ipa/client/files/fedora-nss-ignore.conf.staging | 6 ++++++ roles/ipa/client/tasks/main.yml | 11 +++++++++++ 2 files changed, 17 insertions(+) create mode 100644 roles/ipa/client/files/fedora-nss-ignore.conf.staging 
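Review bot: The `virt_install_command_rhel6` hunk changes the kernel arguments to `inst.ksdevice=` and `inst.ks=`, but the RHEL 6 installer does not understand the `inst.` prefix (it arrived with the newer anaconda used from RHEL 7 / Fedora 17 onwards), so a RHEL 6 kickstart driven by this command is likely to ignore the kickstart URL and fall into an interactive install. Either leave that one command on `ksdevice=eth0 ks={{ ks_url }}` or pass both forms, `"inst.ksdevice=eth0 inst.ks={{ ks_url }} ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}`, if the command is still used at all. The other hunks of this commit target the Fedora-based builders, where the new spelling is correct.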
diff --git a/roles/ipa/client/files/fedora-nss-ignore.conf.staging b/roles/ipa/client/files/fedora-nss-ignore.conf.staging new file mode 100644 index 0000000000..d0d0023615 --- /dev/null +++ b/roles/ipa/client/files/fedora-nss-ignore.conf.staging @@ -0,0 +1,6 @@ +## This file contains users who are in ipa to stop people from +## creating restricted accounts but we want to make sure the id in +## /etc/passwd and /etc/group are used. +[nss] +filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,avahi-autoipd,dbus,polkitd,rpc,tss,ntp,rpcuser,nfsnobody,postfix,sshd,nagios,nrpe,openvpn,,chrony,sssd,named,mock +filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,cdrom,mail,man,dialout,floppy,games,tape,video,ftp,lock,audio,nobody,users,utmp,utempter,avahi-autoipd,ssh_keys,systemd-journal,dbus,rpc,tss,ntp,dip,rpcuser,nfsnobody,postdrop,postfix,sshd,screen,nagios,nrpe,openvpn,input,systemd-bus-proxy,systemd-network,cgred,chrony,printadmin,sssd,named,mock diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml index 1aa1e7691a..b83257387d 100644 --- a/roles/ipa/client/tasks/main.yml +++ b/roles/ipa/client/tasks/main.yml @@ -79,3 +79,14 @@ notify: - restart sssd - clean sss caches + when: env == "production" + +- name: Ensure that nss knows to skip certain users + copy: src=fedora-nss-ignore.conf.staging dest=/etc/sssd/conf.d/fedora-nss-ignore.conf mode=600 owner=root group=root + tags: + - ipa/client + - config + notify: + - restart sssd + - clean sss caches + when: env == "staging" From d4894b011c4c21183f8215a8fbe7f2446d56abd1 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 9 Apr 2021 09:37:51 +0200 Subject: [PATCH 30/72] proxies: redirect apps.fp.o/calendar to calendar.fp.o in openshift Signed-off-by: Pierre-Yves Chibon --- playbooks/include/proxies-redirects.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
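Review bot: `filter_users` in the new staging file contains an empty list element, `openvpn,,chrony`, which sssd may read as an empty user name; since the commit says this file is to be merged back into the production one after the freeze, fix it now so the only divergence is the added `mock` entry: `...,nrpe,openvpn,chrony,sssd,named,mock`. The header comment would also read better as `## Users and groups listed here exist in IPA only to reserve the names; sssd must ignore them so the local /etc/passwd and /etc/group entries win.` The task installing it in tasks/main.yml writes the same `/etc/sssd/conf.d/fedora-nss-ignore.conf` destination as the production task, which is fine only as long as the two `when:` guards stay mutually exclusive.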
diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index 17a5361496..49f2bb418a 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml @@ -111,6 +111,12 @@ regex: /voting target: https://elections.fedoraproject.org/ + - role: httpd/redirectmatch + shortname: calendar + website: apps.fedoraproject.org + regex: /calendar + target: https://calendar.fedoraproject.org/ + - role: httpd/redirectmatch shortname: mailman website: admin.fedoraproject.org From 8513861bb8722b396f323def8e88302c2d4b2e3d Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Fri, 9 Apr 2021 14:04:46 +0200 Subject: [PATCH 31/72] copr-frontend: keep httpd going on child's OOM kill --- roles/copr/frontend-cloud/tasks/httpd.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/copr/frontend-cloud/tasks/httpd.yml b/roles/copr/frontend-cloud/tasks/httpd.yml index e97fc0f407..b2a853ae1a 100644 --- a/roles/copr/frontend-cloud/tasks/httpd.yml +++ b/roles/copr/frontend-cloud/tasks/httpd.yml @@ -82,3 +82,10 @@ regexp: '^LoadModule substitute_module modules/mod_substitute.so' line: '#LoadModule substitute_module modules/mod_substitute.so' +- name: Keep httpd master running when child is OOM killed, rhbz#1947475 + ini_file: + path: /usr/lib/systemd/system/httpd.service + section: Service + option: OOMPolicy + value: continue + backup: yes From 4406d8dfeb60aa1dc1cc3445d40362e68196023b Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Fri, 9 Apr 2021 14:09:26 +0200 Subject: [PATCH 32/72] copr-frontend: restart apache on service file change --- roles/copr/frontend-cloud/tasks/httpd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/copr/frontend-cloud/tasks/httpd.yml b/roles/copr/frontend-cloud/tasks/httpd.yml index b2a853ae1a..c50198e33e 100644 --- a/roles/copr/frontend-cloud/tasks/httpd.yml +++ b/roles/copr/frontend-cloud/tasks/httpd.yml 
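Review bot: The new task in roles/copr/frontend-cloud/tasks/httpd.yml edits the package-owned unit file `/usr/lib/systemd/system/httpd.service` in place, so the next httpd package update overwrites it and silently drops `OOMPolicy=continue`; a drop-in under `/etc/systemd/system/httpd.service.d/` (an `override.conf` with a `[Service]` section) survives updates and is the documented way to override a unit. Whichever file is used, systemd only picks up the change after `systemctl daemon-reload`, so the `notify: restart apache` added in PATCH 32/72 on this page should be preceded by a daemon-reload step (e.g. a handler using `systemd: daemon_reload: yes`) or the restart will run against the stale unit definition.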
@@ -89,3 +89,4 @@ option: OOMPolicy value: continue backup: yes + notify: restart apache From 599ead04f36d8ac21cce086b78d274dbef1b96be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Fri, 9 Apr 2021 14:59:47 +0200 Subject: [PATCH 33/72] testdays: use resultsdb from develop instead of a separate branch --- roles/openshift-apps/testdays/templates/buildconfig.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/roles/openshift-apps/testdays/templates/buildconfig.yml b/roles/openshift-apps/testdays/templates/buildconfig.yml index cf3e59d114..a0870f2ef9 100644 --- a/roles/openshift-apps/testdays/templates/buildconfig.yml +++ b/roles/openshift-apps/testdays/templates/buildconfig.yml @@ -44,11 +44,7 @@ spec: type: Git git: uri: https://pagure.io/taskotron/resultsdb.git -{% if env == 'staging' %} - ref: "openshift_WIP" -{% else %} - ref: "openshift_WIP" -{% endif %} + ref: "develop" strategy: type: Source sourceStrategy: From e3e490786cf5ea19edf3ebbc01e4425ed2b2d7df Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 9 Apr 2021 10:21:40 -0700 Subject: [PATCH 34/72] koji_builder / staging: drop ntp/ntpdate for f34 Split out the koji_builder package installs so we can drop ntp/ntpdate for f34 (they were replaced by ntpsec and we use chrony anyhow). After we move prod to f34 we should merge these back. Signed-off-by: Kevin Fenzi --- roles/koji_builder/tasks/main.yml | 35 ++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 809c151144..0fa411b608 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -62,7 +62,7 @@ tags: - koji_builder -- name: add pkgs +- name: add pkgs (production) package: state: present name: 
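Review bot: `ref: "develop"` in the testdays buildconfig makes both staging and production builds track the tip of a moving branch, so every rebuild deploys an unpinned revision of resultsdb with no record in this repository of which commit went to production. Pinning production to a tag or commit sha and keeping `develop` only under `{% if env == 'staging' %}` restores the separation the removed conditional was shaped for and makes rollbacks reproducible.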
@@ -93,9 +93,42 @@ - imagefactory-plugins-RHEVM - pykickstart - nosync + when: env == "production" tags: - koji_builder +- name: add pkgs (staging) + package: + state: present + name: + - koji-builder + - koji-builder-plugins + - python3-koji + - koji-containerbuild-builder + - strace + - mock + - kernel-firmware + - kernel-modules + - rsyslog + - audit + - pycdio + - python3-kickstart + - libvirt-client + - oz + - imagefactory + - imagefactory-plugins-TinMan + - imagefactory-plugins-Docker + - imagefactory-plugins-GCE + - imagefactory-plugins-vSphere + - imagefactory-plugins-ovfcommon + - imagefactory-plugins + - imagefactory-plugins-OVA + - imagefactory-plugins-RHEVM + - pykickstart + - nosync + when: env == "staging" + tags: + - koji_builder # # rpmautospec plugin # From 457622b732db0e2e61c7be0d9dab03c750cf7821 Mon Sep 17 00:00:00 2001 From: Nick Bebout Date: Sat, 10 Apr 2021 20:14:05 -0500 Subject: [PATCH 35/72] Remove people who didn't respond to sysadmin-badges ticket from tahrir.admin --- roles/badges/frontend/templates/tahrir.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/badges/frontend/templates/tahrir.ini b/roles/badges/frontend/templates/tahrir.ini index 6dba25849d..7ef6f45382 100644 --- a/roles/badges/frontend/templates/tahrir.ini +++ b/roles/badges/frontend/templates/tahrir.ini 
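Review bot: The `add pkgs (staging)` task repeats the whole production package list with only `when: env == "staging"` differing, so the two 25-line lists will drift the next time someone adds a builder package to one of them (the commit message itself says they should be merged back). A single task whose `name:` is a shared list variable plus a production-only extra, e.g. `name: "{{ koji_builder_pkgs + (['ntp', 'ntpdate'] if env == 'production' else []) }}"`, keeps one source of truth and still drops ntp/ntpdate on the f34 staging builders. The production task's list starts outside this hunk, so verify ntp/ntpdate are the only difference before collapsing them.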
@@ -31,7 +31,7 @@ sqlalchemy.url = postgresql://{{tahrirDBUser}}:{{tahrirDBPassword}}@db-tahrir/ta mako.directories=tahrir:templates -tahrir.admin = ralph@fedoraproject.org, puiterwijk@fedoraproject.org, nb@fedoraproject.org, cydrobolt@fedoraproject.org, aikidouke@fedoraproject.org, sayanchowdhury@fedoraproject.org, kevin@fedoraproject.org, jflory7@fedoraproject.org, codeblock@fedoraproject.org, mleonova@fedoraproject.org, churchyard@fedoraproject.org, bex@fedoraproject.org, asamalik@fedoraproject.org, cverna@fedoraproject.org, misc@fedoraproject.org, nasirhm@fedoraproject.org, computerkid@fedoraproject.org +tahrir.admin = nb@fedoraproject.org, sayanchowdhury@fedoraproject.org, kevin@fedoraproject.org, jflory7@fedoraproject.org, codeblock@fedoraproject.org, churchyard@fedoraproject.org, misc@fedoraproject.org, computerkid@fedoraproject.org tahrir.pngs.uri = /usr/share/badges/pngs From db93fb75cc90206b578fdd72a47cb3640afb5b4e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 12 Apr 2021 08:05:26 -0700 Subject: [PATCH 36/72] buildvm-ppc64le: need eth0_ip for now for installs Signed-off-by: Kevin Fenzi --- inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org | 1 + inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org | 1 + inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org | 1 + inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org | 1 + 4 files changed, 4 insertions(+) diff --git a/inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org b/inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org index 553798b4a0..42e2f1400a 100644 --- a/inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org +++ b/inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org @@ -5,6 +5,7 @@ dns1: 10.3.163.33 dns2: 10.3.163.34 has_ipv4: yes +eth0_ip: 10.3.171.53 eth0_ipv4: 10.3.171.53 eth0_ipv4_nm: 24 eth0_ipv4_gw: 10.3.171.254 
diff --git a/inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org b/inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org index 815adcf78b..5474c45f3e 100644 --- a/inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org +++ b/inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org @@ -5,6 +5,7 @@ dns1: 10.3.163.33 dns2: 10.3.163.34 has_ipv4: yes +eth0_ip: 10.3.171.55 eth0_ipv4: 10.3.171.55 eth0_ipv4_nm: 24 eth0_ipv4_gw: 10.3.171.254 diff --git a/inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org b/inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org index 8d16a70d13..d5b6fc253f 100644 --- a/inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org +++ b/inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org @@ -5,6 +5,7 @@ dns1: 10.3.163.33 dns2: 10.3.163.34 has_ipv4: yes +eth0_ip: 10.3.171.56 eth0_ipv4: 10.3.171.56 eth0_ipv4_nm: 24 eth0_ipv4_gw: 10.3.171.254 diff --git a/inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org b/inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org index 658dbc6470..a9abcc2bad 100644 --- a/inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org +++ b/inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org @@ -5,6 +5,7 @@ dns1: 10.3.163.33 dns2: 10.3.163.34 has_ipv4: yes +eth0_ip: 10.3.171.60 eth0_ipv4: 10.3.171.60 eth0_ipv4_nm: 24 eth0_ipv4_gw: 10.3.171.254 From 5a7bf06620f56e9631624c4f60f3e681b0165022 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 12 Apr 2021 08:30:31 -0700 Subject: [PATCH 37/72] buildvm-ppc64le: update mac addresses on hosts being reinstalled after bvmhost-p09-02 raid rebuild 
Signed-off-by: Kevin Fenzi --- inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org | 2 +- inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org | 2 +- inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org | 2 +- inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org b/inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org index 42e2f1400a..2699cf0021 100644 --- a/inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org +++ b/inventory/host_vars/buildvm-ppc64le-13.iad2.fedoraproject.org @@ -12,7 +12,7 @@ eth0_ipv4_gw: 10.3.171.254 has_ipv6: no -mac0: 52:54:00:f0:f0:eb +mac0: 52:54:00:36:bc:34 network_connections: - name: eth0 diff --git a/inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org b/inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org index 5474c45f3e..84fd3cd550 100644 --- a/inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org +++ b/inventory/host_vars/buildvm-ppc64le-15.iad2.fedoraproject.org @@ -12,7 +12,7 @@ eth0_ipv4_gw: 10.3.171.254 has_ipv6: no -mac0: 52:54:00:1e:dc:92 +mac0: 52:54:00:68:64:dc network_connections: - name: eth0 diff --git a/inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org b/inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org index d5b6fc253f..a778a66c33 100644 --- a/inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org +++ b/inventory/host_vars/buildvm-ppc64le-16.iad2.fedoraproject.org @@ -12,7 +12,7 @@ eth0_ipv4_gw: 10.3.171.254 has_ipv6: no -mac0: 52:54:00:a0:6b:4f +mac0: 52:54:00:cb:57:ef network_connections: - name: eth0 diff --git a/inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org b/inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org index a9abcc2bad..6539e5cc65 100644 --- a/inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org 
+++ b/inventory/host_vars/buildvm-ppc64le-20.iad2.fedoraproject.org @@ -12,7 +12,7 @@ eth0_ipv4_gw: 10.3.171.254 has_ipv6: no -mac0: 52:54:00:1e:bf:c1 +mac0: 52:54:00:e0:0f:d5 network_connections: - name: eth0 From 88b6b0e0b652351344f917d4e8b542ed6f0a339e Mon Sep 17 00:00:00 2001 From: Stephen Coady Date: Thu, 8 Apr 2021 14:45:44 +0100 Subject: [PATCH 38/72] 2 bug fixes in the fasjson email aliases script Signed-off-by: Stephen Coady --- roles/fasjson/templates/fasjson-aliases.j2 | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/roles/fasjson/templates/fasjson-aliases.j2 b/roles/fasjson/templates/fasjson-aliases.j2 index 1ee1356e24..02de9efba4 100644 --- a/roles/fasjson/templates/fasjson-aliases.j2 +++ b/roles/fasjson/templates/fasjson-aliases.j2 @@ -2,6 +2,7 @@ import os import sys import tempfile +import subprocess from fasjson_client import Client, errors @@ -36,19 +37,16 @@ def gen_all_aliases(): for group in groups: groupname = group['groupname'] - # even though there are no admins of groups anymore - # we should probably leave this here and just - # link to the sponsors list - temp.write( - f'{groupname}-administrators: {groupname}-sponsors \n' - ) - sponsor_list = ','.join( sponsor['username'] for sponsor in client.list_group_sponsors( groupname=groupname).result ) - temp.write(f"{groupname}-sponsors: {sponsor_list} \n") + if sponsor_list: + temp.write( + f'{groupname}-administrators: {groupname}-sponsors \n' + ) + temp.write(f"{groupname}-sponsors: {sponsor_list} \n") member_list = ','.join( member['username'] @@ -56,7 +54,9 @@ def gen_all_aliases(): groupname=groupname).result ) - temp.write(f"{groupname}-members: {member_list} \n") + if member_list: + temp.write(f"{groupname}-members: {member_list} \n") + rename(temporary_file.name, aliases_file) except errors.APIError as e: print(f"Something went wrong querying the fasjson API. {e}", file=sys.stderr) 
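Review bot: `rename(temporary_file.name, aliases_file)` was added inside the `try` that only catches `errors.APIError`, and it refers to `temporary_file` while the writes go through `temp`; the enclosing `with`/`try` starts outside the hunk, so confirm that `rename` resolves to `os.rename` (the file imports `os`, and no bare `rename` import is visible), that the temp file is flushed before the rename, and that the temporary file's own cleanup does not try to unlink the path that has just become the aliases file. The new `if sponsor_list:` / `if member_list:` guards silently omit the `-administrators`, `-sponsors` and `-members` aliases of groups with no sponsors or members, which is presumably the bug being fixed (an alias with an empty target breaking newaliases), so a one-line comment such as `# skip groups with no members/sponsors: an alias with an empty target is invalid` would record why.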
@@ -117,8 +117,12 @@ def main(): try: if not args: gen_all_aliases() + # call newaliases script so postfix gets updated + subprocess.check_call(['/usr/bin/newaliases']) elif len(args) == 2 and args[0] == "update": update_user(args[1]) + # call newaliases script so postfix gets updated + subprocess.check_call(['/usr/bin/newaliases']) else: print(f"Usage: {sys.argv[0]} [update ]", file=sys.stderr) raise RuntimeError() From 535b396f9507e1bfb3de75a51fdc114f6ee980a5 Mon Sep 17 00:00:00 2001 From: Michael Scherer Date: Fri, 9 Apr 2021 22:45:13 +0200 Subject: [PATCH 39/72] Add the role for translation on sundries --- playbooks/groups/sundries.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/groups/sundries.yml b/playbooks/groups/sundries.yml index fdaa65f44e..068d4b7999 100644 --- a/playbooks/groups/sundries.yml +++ b/playbooks/groups/sundries.yml @@ -39,6 +39,8 @@ when: master_sundries_node|bool - role: fedora-web/build when: master_sundries_node|bool + - role: fedora-web/translation + when: master_sundries_node|bool - role: fedora-budget/build when: master_sundries_node|bool - role: fedora-docs/build From c062941d0a0f2b710477784fd0039d813fb63d91 Mon Sep 17 00:00:00 2001 From: Mohan Boddu Date: Mon, 12 Apr 2021 09:36:07 -0400 Subject: [PATCH 40/72] Revert "bodhi / backend: fesco wants to keep 3 days to stable until final" Now that F33 is released, we should revert back to original. Fixes: https://pagure.io/releng/issue/10087 This reverts commit df8e13732d2d9412366b212b59a951705adb4cef. --- roles/bodhi2/base/templates/production.ini.j2 | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/bodhi2/base/templates/production.ini.j2 b/roles/bodhi2/base/templates/production.ini.j2 index 5791879f31..47535f00d1 100644 --- a/roles/bodhi2/base/templates/production.ini.j2 +++ b/roles/bodhi2/base/templates/production.ini.j2 
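Review bot: `subprocess.check_call(['/usr/bin/newaliases'])` is duplicated in the `if not args` and `elif ... "update"` branches; since the `else` branch raises, one call placed after the if/elif/else chain does the same job without the duplication. `check_call` raises `CalledProcessError` when newaliases exits non-zero, and the `except` clauses of the enclosing `try` are outside the hunk, so confirm one of them covers it — a failed newaliases leaves postfix serving the previous alias map, which is worth reporting explicitly rather than as a bare traceback. main() starts and ends outside the hunk.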
@@ -592,10 +592,7 @@ f{{ FedoraBranchedNumber }}.pre_beta.critpath.min_karma = 1 f{{ FedoraBranchedNumber }}.pre_beta.critpath.stable_after_days_without_negative_karma = 14 {% elif FedoraBranchedBodhi is defined and FedoraBranchedBodhi == 'postbeta' %} f{{ FedoraBranchedNumber }}.status = post_beta -#f{{ FedoraBranchedNumber }}.post_beta.mandatory_days_in_testing = 7 -#fesco has decided that since this cycle is so short, we will keep 3 days in testing until release. -#This should change to 7 after release. -f{{ FedoraBranchedNumber }}.post_beta.mandatory_days_in_testing = 3 +f{{ FedoraBranchedNumber }}.post_beta.mandatory_days_in_testing = 7 f{{ FedoraBranchedNumber }}.post_beta.critpath.min_karma = 2 f{{ FedoraBranchedNumber }}.post_beta.critpath.stable_after_days_without_negative_karma = 14 {% endif %} From 41580c6a22e5fd153bc446b914ad63bd79c43ee1 Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Thu, 15 Apr 2021 10:56:01 +0200 Subject: [PATCH 41/72] copr-vmhost: try to fix sudo --- playbooks/groups/vmhost_copr.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/vmhost_copr.yml b/playbooks/groups/vmhost_copr.yml index cc2e781c2b..843230452e 100644 --- a/playbooks/groups/vmhost_copr.yml +++ b/playbooks/groups/vmhost_copr.yml @@ -32,6 +32,7 @@ tasks: - import_tasks: "{{ tasks_path }}/motd.yml" + - import_tasks: "{{ tasks_path }}/2fa_client.yml" handlers: - import_tasks: "{{ handlers_path }}/restart_services.yml" From 8091926e719314c4db5ce2706222e24f0730cba9 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Thu, 15 Apr 2021 15:35:08 +0100 Subject: [PATCH 42/72] ipa: add second stg server --- inventory/host_vars/ipa02.stg.iad2.fedoraproject.org | 12 ++++++++++++ inventory/inventory | 2 ++ 2 files changed, 14 insertions(+) create mode 100644 inventory/host_vars/ipa02.stg.iad2.fedoraproject.org 
diff --git a/inventory/host_vars/ipa02.stg.iad2.fedoraproject.org b/inventory/host_vars/ipa02.stg.iad2.fedoraproject.org new file mode 100644 index 0000000000..c3fc212639 --- /dev/null +++ b/inventory/host_vars/ipa02.stg.iad2.fedoraproject.org @@ -0,0 +1,12 @@ +--- +nm: 255.255.255.0 +gw: 10.3.166.254 +dns: 10.3.163.33 +ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-8-iad2 +ks_repo: http://10.3.163.35/repo/rhel/RHEL8-x86_64/ +volgroup: /dev/vg_guests +eth0_ip: 10.3.166.63 +vmhost: vmhost-x86-02.stg.iad2.fedoraproject.org +datacenter: iad2 +## REMEMBER ONLY SET THIS TO TRUE WHEN WIPING SYSTEM TO MINIMUM +ipa_initial: false diff --git a/inventory/inventory b/inventory/inventory index e645a3f1fc..119cf5c7e5 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -308,6 +308,7 @@ ipa03.iad2.fedoraproject.org [ipa_stg] ipa01.stg.iad2.fedoraproject.org +ipa02.stg.iad2.fedoraproject.org [ipsilon_stg] ipsilon01.stg.iad2.fedoraproject.org @@ -669,6 +670,7 @@ oci-registry01.stg.iad2.fedoraproject.org # fedimg01.stg.iad2.fedoraproject.org github2fedmsg01.stg.iad2.fedoraproject.org ipa01.stg.iad2.fedoraproject.org +ipa02.stg.iad2.fedoraproject.org ipsilon01.stg.iad2.fedoraproject.org koji01.stg.iad2.fedoraproject.org #mailman01.stg.iad2.fedoraproject.org From b8515e6bcecdf27495d2eacfcc8cb0ce94ac75da Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Thu, 15 Apr 2021 14:44:37 +0100 Subject: [PATCH 43/72] ipa: add script to check which sysadmins do not have otp tokens --- roles/ipa/server/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml index 8f688332dd..ecdea31ccd 100644 --- a/roles/ipa/server/tasks/main.yml +++ b/roles/ipa/server/tasks/main.yml 
@@ -629,3 +629,14 @@ copy: src: data-only-backup dest: "/etc/cron.d/data-only-backup" + +- name: Ensure python dep is present + pip: + name: python-freeipa + +- name: Copy file for checking if sysadmins have otp set + template: + src: check_sysadmin_otp.py.j2 + dest: /root + owner: root + group: root From ecf0dadc3b180e06c71d69b5cbd2c00110d9f1f2 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Thu, 15 Apr 2021 14:46:21 +0100 Subject: [PATCH 44/72] add script --- .../server/templates/check_sysadmin_otp.py.j2 | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 roles/ipa/server/templates/check_sysadmin_otp.py.j2 diff --git a/roles/ipa/server/templates/check_sysadmin_otp.py.j2 b/roles/ipa/server/templates/check_sysadmin_otp.py.j2 new file mode 100644 index 0000000000..ed00002aa4 --- /dev/null +++ b/roles/ipa/server/templates/check_sysadmin_otp.py.j2 
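Review bot: `pip: name: python-freeipa` installs whatever version PyPI currently serves, unpinned, onto the IPA server; `name: python-freeipa==<PINNED-VERSION>` (placeholder) keeps the dependency reproducible and reviewable. The `template` task sets `owner`/`group` but no `mode`, so the installed script's permissions depend on the controller's umask; an explicit `mode: 0700` makes the intent visible, given the script is meant to be run only by root.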
@@ -0,0 +1,80 @@
+import argparse
+import json
+from python_freeipa import ClientMeta
+
+
+
+
+def login(args):
+ client = ClientMeta(host=args.server_address, verify_ssl=args.cert_path)
+ client.login(args.username, args.password)
+
+ return client
+
+def get_sysadmins(client):
+ groups = client.group_find('sysadmin-')
+
+ sysadmins = []
+
+ print('Gethering all members from sysadmin-* groups')
+
+ for group in groups['result']:
+ try:
+ sysadmins = sysadmins + list(set(group['member_user']) - set(sysadmins))
+ except KeyError:
+ print('No members of group: ' + group['cn'][0])
+
+ return sysadmins
+
+def checkotp_tokens(client):
+
+ sysadmins = get_sysadmins(client)
+ print("There is " + str(len(sysadmins)) + " sysadmins in the system")
+
+ tokenless = []
+
+ print('Checking which users have an otp token assigned')
+
+ for sysadmin in sysadmins:
+ is_token = client.otptoken_find(o_ipatokenowner=sysadmin)
+ if len(is_token['result']) == 0:
+ tokenless.append(sysadmin)
+
+ print("There are " + str(len(tokenless)) + " sysadmins without otptokens")
+
+ return tokenless
+
+def get_email(client, users):
+
+ print('Gathering emails of the users with no tokens')
+
+ user_details = []
+ for user in users:
+ email = client.user_show(user)['result']['mail'][0]
+ user_details.append({'user': user, 'email': email})
+
+ return user_details
+
+def parse_args():
+ parser = argparse.ArgumentParser(description="Check for sysadmin users with no otp token set, admin credentials are required to run script")
+ parser.add_argument("-u", "--username", default="admin", help="ipa user to use")
+ parser.add_argument("-c", "--cert-path", default="/etc/ipa/ca.crt", help="location of ipa cert")
+ parser.add_argument("-s", "--server-address", default="ipa01{{ env_suffix }}.iad2.fedoraproject.org", help="server to run against")
+ parser.add_argument("-p", "--password", help="ipa user password", required=True)
+
+
+ args = parser.parse_args()
+ return args
+
+def do_it(client):
+
+ 
tokenless_sysadmins = checkotp_tokens(client) + user_details = get_email(client, tokenless_sysadmins) + print("Details are in the file tokenless_users.json") + with open('tokenless_users.json', 'w') as outfile: + json.dump(user_details, outfile) + +if __name__ == "__main__": + args = parse_args() + client = login(args) + do_it(client) From d3927bb3c978ec30b09a11a03ed7f241b4e4abe7 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Thu, 15 Apr 2021 20:29:11 +0100 Subject: [PATCH 45/72] ipa: otp script add tags --- roles/ipa/server/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml index ecdea31ccd..0d3929eebc 100644 --- a/roles/ipa/server/tasks/main.yml +++ b/roles/ipa/server/tasks/main.yml @@ -633,6 +633,9 @@ - name: Ensure python dep is present pip: name: python-freeipa + tags: + - ipa/server + - otp_script - name: Copy file for checking if sysadmins have otp set template: @@ -640,3 +643,6 @@ dest: /root owner: root group: root + tags: + - ipa/server + - otp_script From fd72c228577b07fc6d31b7852ce3be8ff0e692e9 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 12 Apr 2021 13:18:20 -0700 Subject: [PATCH 46/72] Freeze break request: move /pub/archive from fedora_ftp to fedora_ftp_archive volume Our fedora_ftp volume is on an SSD aggregate thats running out of space. So, lets move /pub/archive (17TB) off it on to it's own volume on a SAS aggregate. archive gets less traffic that other releases, so it shouldn't be a problem. This will mean however when we archive a release it will cause a bunch of deletes and re-downloads for mirrors because we can no longer hardlink content over and then delete it, but there is no help for that. I will also notify mirror-admins list about this pending action. There shouldn't be any short term issues. Once this PR is merged, we need to run playbooks, then go to a host with rw access to fedora_ftp and rm the archive tree on it. 
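Review bot: `parser.add_argument("-p", "--password", help="ipa user password", required=True)` takes the IPA admin password on the command line, where it is visible in process listings and shell history on the IPA server; making `-p` optional and falling back to `getpass.getpass()` (or an environment variable) avoids that exposure. In `get_email`, `client.user_show(user)['result']['mail'][0]` raises `KeyError`/`IndexError` for a user with no mail attribute and aborts the whole run after all the token lookups — the same missing-attribute case `get_sysadmins` already handles for `member_user`; `.get('mail', [None])[0]` with the user still recorded would be consistent. `get_sysadmins` rebuilds `set(sysadmins)` on every iteration; accumulating into one `set` and converting at `return` is simpler. The output `tokenless_users.json` holds usernames and e-mail addresses and is written to the current directory with default permissions, which is worth stating in a comment next to the `open(..., 'w')`.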
Signed-off-by: Kevin Fenzi --- playbooks/groups/download.yml | 1 + playbooks/groups/mirrormanager.yml | 1 + playbooks/groups/secondary.yml | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/playbooks/groups/download.yml b/playbooks/groups/download.yml index 945f6dc9bc..a5238e8ec9 100644 --- a/playbooks/groups/download.yml +++ b/playbooks/groups/download.yml @@ -38,6 +38,7 @@ - download - rsyncd - { role: nfs/client, when: datacenter == "iad2" or datacenter == "rdu", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' } + - { role: nfs/client, when: datacenter == "iad2" or datacenter == "rdu", mnt_dir: '/srv/pub/archive', nfs_src_dir: 'fedora_ftp_archive' } - { role: nfs/client, when: datacenter == "iad2", mnt_dir: '/mnt/koji', nfs_src_dir: 'fedora_koji/koji/' } # needed for internal sync and odcs - { role: nfs/client, when: datacenter == "iad2", mnt_dir: '/srv/odcs', nfs_src_dir: 'fedora_odcs' } # needed for internal sync - sudo diff --git a/playbooks/groups/mirrormanager.yml b/playbooks/groups/mirrormanager.yml index 676a52aa83..dd215a98e4 100644 --- a/playbooks/groups/mirrormanager.yml +++ b/playbooks/groups/mirrormanager.yml @@ -20,6 +20,7 @@ - sudo - collectd/base - { role: nfs/client, when: inventory_hostname.startswith('mm-backend01'), mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' } + - { role: nfs/client, when: inventory_hostname.startswith('mm-backend01'), mnt_dir: '/srv/pub/archive', nfs_src_dir: 'fedora_ftp_archive' } pre_tasks: - import_tasks: "{{ tasks_path }}/yumrepos.yml" diff --git a/playbooks/groups/secondary.yml b/playbooks/groups/secondary.yml index 3814fdb095..82505432c4 100644 --- a/playbooks/groups/secondary.yml +++ b/playbooks/groups/secondary.yml 
@@ -22,7 +22,7 @@ - sudo - { role: nfs/client, mnt_dir: '/srv/pub/archive', - nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/archive' } + nfs_src_dir: 'fedora_ftp_archive' } - { role: nfs/client, mnt_dir: '/srv/pub/alt', nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3", From cba637c5c20c6b8632bd508bf8ffdfc8fe17ef29 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Thu, 15 Apr 2021 21:01:46 +0100 Subject: [PATCH 47/72] ipa: otp script fix dest name --- roles/ipa/server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml index 0d3929eebc..ff4cce3816 100644 --- a/roles/ipa/server/tasks/main.yml +++ b/roles/ipa/server/tasks/main.yml @@ -640,7 +640,7 @@ - name: Copy file for checking if sysadmins have otp set template: src: check_sysadmin_otp.py.j2 - dest: /root + dest: /root/check_sysadmin_otp.py owner: root group: root tags: From eddb753a8abebb53795586e407b0e9d3e0993959 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 15 Apr 2021 15:45:26 -0700 Subject: [PATCH 48/72] bodhi-backend: mount new fedora_ftp_archive volume here We need this volume here also because this is where the cron job that calculates the DIRECTORY_SIZES.txt file lives. Signed-off-by: Kevin Fenzi --- playbooks/groups/bodhi-backend.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/groups/bodhi-backend.yml b/playbooks/groups/bodhi-backend.yml index c9afc0a5b1..a904962032 100644 --- a/playbooks/groups/bodhi-backend.yml +++ b/playbooks/groups/bodhi-backend.yml @@ -68,6 +68,10 @@ mnt_dir: '/pub/' nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/' + - role: nfs/client + mnt_dir: '/pub/archive' + nfs_src_dir: 'fedora_ftp_archive' + - role: keytab/service owner_user: apache owner_group: apache From 8a59695693ad57af173809c3e6b3b6fa9f40ec2c Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Fri, 16 Apr 2021 10:41:58 -0700 Subject: [PATCH 49/72] Add maintainer_test and copr vmhosts to vpn We need to add these hosts to the vpn to use ipa for auth on them. They are in the 192.168.100 network, which is the 'more restricted' subnet of vpn. After the freeze we will probably want to lock this down more with a rule on all hosts except ipa* to reject everything from them. In the meantime the firewall rules blocking most things should be ok for now. 
Signed-off-by: Kevin Fenzi --- .../{vmhost_copr => copr_hypervisor} | 8 +--- inventory/group_vars/maintainer_test | 9 +++++ inventory/inventory | 9 ++--- playbooks/groups/copr-hypervisor.yml | 2 +- playbooks/groups/maintainer-test.yml | 3 +- playbooks/groups/vmhost_copr.yml | 38 ------------------- .../ccd/aarch64-test01.fedorainfracloud.org | 2 + .../files/ccd/el7-test.fedorainfracloud.org | 2 + .../files/ccd/el8-test.fedorainfracloud.org | 2 + .../files/ccd/f32-test.fedorainfracloud.org | 2 + .../files/ccd/f33-test.fedorainfracloud.org | 2 + .../files/ccd/f34-test.fedorainfracloud.org | 2 + .../ccd/ppc64le-test.fedorainfracloud.org | 2 + .../ccd/rawhide-test.fedorainfracloud.org | 2 + ...vmhost-x86-copr01.rdu-cc.fedoraproject.org | 2 + ...vmhost-x86-copr02.rdu-cc.fedoraproject.org | 2 + ...vmhost-x86-copr03.rdu-cc.fedoraproject.org | 2 + ...vmhost-x86-copr04.rdu-cc.fedoraproject.org | 2 + 18 files changed, 41 insertions(+), 52 deletions(-) rename inventory/group_vars/{vmhost_copr => copr_hypervisor} (76%) delete mode 100644 playbooks/groups/vmhost_copr.yml create mode 100644 roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org create mode 100644 roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org create mode 100644 
roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org create mode 100644 roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org diff --git a/inventory/group_vars/vmhost_copr b/inventory/group_vars/copr_hypervisor similarity index 76% rename from inventory/group_vars/vmhost_copr rename to inventory/group_vars/copr_hypervisor index 13742732f5..3b9f1b06d8 100644 --- a/inventory/group_vars/vmhost_copr +++ b/inventory/group_vars/copr_hypervisor @@ -1,6 +1,7 @@ --- virthost: true +vpn: true primary_auth_source: ipa ipa_host_group: vmhost-copr ipa_host_group_desc: VM hosts for COPR @@ -9,15 +10,10 @@ ipa_client_shell_groups: ipa_client_sudo_groups: - sysadmin-copr - nrpe_procs_warn: 1400 nrpe_procs_crit: 1500 -# These variables are pushed into /etc/system_identification by the base role. -# Groups and individual hosts should override them with specific info. -# See http://infrastructure.fedoraproject.org/csi/security-policy/ - -vpn: false +vpn: true postfix_group: copr postfix_maincf: "postfix/main.cf/main.cf.copr" diff --git a/inventory/group_vars/maintainer_test b/inventory/group_vars/maintainer_test index f264f5c325..8b15d8ac5f 100644 --- a/inventory/group_vars/maintainer_test +++ b/inventory/group_vars/maintainer_test @@ -5,3 +5,12 @@ sudoers_main: nopasswd host_group: cloud datacenter: aws ansible_ifcfg_blocklist: true + +vpn: true +primary_auth_source: ipa +ipa_host_group: maintainer_test +ipa_host_group_desc: Test hosts for package maintainers +ipa_client_shell_groups: +- packager +ipa_client_sudo_groups: +- packager diff --git a/inventory/inventory b/inventory/inventory index 119cf5c7e5..28aca94c6b 100644 --- a/inventory/inventory +++ b/inventory/inventory 
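Review bot: After this change `vpn: true` appears twice in inventory/group_vars/copr_hypervisor — once added in the first hunk (`@@ -1,6 +1,7 @@`, right after `virthost: true`) and again in the second hunk where `-vpn: false` becomes `+vpn: true`. Duplicate mapping keys are an error or a warning depending on the YAML loader in use, and they invite a silent divergence when one copy is edited later; keeping only the first `+vpn: true` (or only the replacement) resolves it. The same key is also added in the maintainer_test hunk below, where it appears once and is fine.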
@@ -115,12 +115,6 @@ virthost-cc-rdu03.fedoraproject.org vmhost-x86-cc06.rdu-cc.fedoraproject.org vmhost-x86-cc05.rdu-cc.fedoraproject.org -[vmhost_copr] -vmhost-x86-copr01.rdu-cc.fedoraproject.org -vmhost-x86-copr02.rdu-cc.fedoraproject.org -vmhost-x86-copr03.rdu-cc.fedoraproject.org -vmhost-x86-copr04.rdu-cc.fedoraproject.org - [datagrepper] datagrepper01.iad2.fedoraproject.org datagrepper02.iad2.fedoraproject.org @@ -1000,6 +994,9 @@ copr_dev_aws [copr_hypervisor] vmhost-x86-copr01.rdu-cc.fedoraproject.org +vmhost-x86-copr02.rdu-cc.fedoraproject.org +vmhost-x86-copr03.rdu-cc.fedoraproject.org +vmhost-x86-copr04.rdu-cc.fedoraproject.org [copr_db_all:children] copr_db_stg diff --git a/playbooks/groups/copr-hypervisor.yml b/playbooks/groups/copr-hypervisor.yml index 5f9413c180..0592d93912 100644 --- a/playbooks/groups/copr-hypervisor.yml +++ b/playbooks/groups/copr-hypervisor.yml @@ -14,10 +14,10 @@ tasks: - import_role: name=base - import_role: name=hosts - - import_role: name=fas_client - import_role: name=rkhunter - import_role: name=nagios_client - import_role: name=openvpn/client + - import_role: name=ipa/client - import_role: name=sudo - import_tasks: "{{ tasks_path }}/2fa_client.yml" diff --git a/playbooks/groups/maintainer-test.yml b/playbooks/groups/maintainer-test.yml index 1314e97283..124ac0ae93 100644 --- a/playbooks/groups/maintainer-test.yml +++ b/playbooks/groups/maintainer-test.yml @@ -70,7 +70,8 @@ - base - rkhunter - hosts - - fas_client + - openvpn/client + - ipa/client - sudo tasks: diff --git a/playbooks/groups/vmhost_copr.yml b/playbooks/groups/vmhost_copr.yml deleted file mode 100644 index 843230452e..0000000000 --- a/playbooks/groups/vmhost_copr.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -# create a new virthost server system -# This is a copy of the main one which is meant to be limited ONLY to vmhost_copr group for rbac -# NOTE: should be used with --limit most of the time -# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars - -- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=vmhost_copr:!buildvmhost-s390x-01.s390.fedoraproject.org" - -- name: make virthost server system - hosts: vmhost_copr - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - pre_tasks: - - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README - - import_tasks: "{{ tasks_path }}/yumrepos.yml" - - roles: - - base - - rkhunter - - nagios_client - - hosts - - { role: openvpn/client, when: vpn|bool } - - virthost - - ipa/client - - collectd/base - - sudo - - tasks: - - import_tasks: "{{ tasks_path }}/motd.yml" - - import_tasks: "{{ tasks_path }}/2fa_client.yml" - - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" diff --git a/roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org b/roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org new file mode 100644 index 0000000000..9e5ec009a4 --- /dev/null +++ b/roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.21 192.168.100.21 diff --git a/roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org new file mode 100644 index 0000000000..7d9fe85722 --- /dev/null +++ b/roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.18 192.168.100.18 
diff --git a/roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org new file mode 100644 index 0000000000..5ca0f994a6 --- /dev/null +++ b/roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.19 192.168.100.19 diff --git a/roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org new file mode 100644 index 0000000000..7cc82fd473 --- /dev/null +++ b/roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.14 192.168.100.14 diff --git a/roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org new file mode 100644 index 0000000000..9a6abce2ec --- /dev/null +++ b/roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.15 192.168.100.15 diff --git a/roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org new file mode 100644 index 0000000000..7c1846e40e --- /dev/null +++ b/roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.16 192.168.100.16 diff --git a/roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org new file mode 100644 index 0000000000..7b363216c4 --- /dev/null +++ b/roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.20 192.168.100.20 
diff --git a/roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org new file mode 100644 index 0000000000..494afd4149 --- /dev/null +++ b/roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.17 192.168.100.17 diff --git a/roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org b/roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org new file mode 100644 index 0000000000..699cc301f2 --- /dev/null +++ b/roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.22 192.168.100.22 diff --git a/roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org b/roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org new file mode 100644 index 0000000000..c87181776b --- /dev/null +++ b/roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.23 192.168.100.23 diff --git a/roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org b/roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org new file mode 100644 index 0000000000..474130a007 --- /dev/null +++ b/roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.24 192.168.100.24 diff --git a/roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org b/roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org new file mode 100644 index 0000000000..d6fef8d48f --- /dev/null +++ b/roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.100.25 192.168.100.25 
From 548e3b53324d7d87a8c601c8bf6f1aff17875f1a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 16 Apr 2021 13:03:25 -0700 Subject: [PATCH 50/72] maintainer-test / copr-hypervisor: clean up playbook and variables. Signed-off-by: Kevin Fenzi --- inventory/group_vars/maintainer_test | 1 - .../aarch64-test01.fedorainfracloud.org | 1 - .../host_vars/el6-test.fedorainfracloud.org | 19 ------ playbooks/groups/copr-hypervisor.yml | 2 - playbooks/groups/maintainer-test.yml | 58 +------------------ 5 files changed, 2 insertions(+), 79 deletions(-) delete mode 100644 inventory/host_vars/el6-test.fedorainfracloud.org diff --git a/inventory/group_vars/maintainer_test b/inventory/group_vars/maintainer_test index 8b15d8ac5f..1838bd8a6f 100644 --- a/inventory/group_vars/maintainer_test +++ b/inventory/group_vars/maintainer_test @@ -2,7 +2,6 @@ freezes: false sudoers: "{{ private }}/files/sudo/arm-packager-sudoers" sudoers_main: nopasswd -host_group: cloud datacenter: aws ansible_ifcfg_blocklist: true diff --git a/inventory/host_vars/aarch64-test01.fedorainfracloud.org b/inventory/host_vars/aarch64-test01.fedorainfracloud.org index b61f03b019..25136dfcea 100644 --- a/inventory/host_vars/aarch64-test01.fedorainfracloud.org +++ b/inventory/host_vars/aarch64-test01.fedorainfracloud.org @@ -1,3 +1,2 @@ datacenter: aws inventory_hostname: "aarch64-test01.fedorainfracloud.org" - diff --git a/inventory/host_vars/el6-test.fedorainfracloud.org b/inventory/host_vars/el6-test.fedorainfracloud.org deleted file mode 100644 index 94698808d1..0000000000 --- a/inventory/host_vars/el6-test.fedorainfracloud.org +++ /dev/null @@ -1,19 +0,0 @@ ---- -tcp_ports: [22] - -datacenter: aws -nagios_Check_Services: - mail: false - nrpe: false - sshd: false - named: false - dhcpd: false - httpd: false - swap: false - ping: false - raid: false - -ansible_ssh_user: centos -ansible_become: true -ansible_become_user: root -ansible_become_method: sudo 
diff --git a/playbooks/groups/copr-hypervisor.yml b/playbooks/groups/copr-hypervisor.yml index 0592d93912..d13708ec4a 100644 --- a/playbooks/groups/copr-hypervisor.yml +++ b/playbooks/groups/copr-hypervisor.yml @@ -18,9 +18,7 @@ - import_role: name=nagios_client - import_role: name=openvpn/client - import_role: name=ipa/client - - import_role: name=sudo - - import_tasks: "{{ tasks_path }}/2fa_client.yml" - import_tasks: "{{ tasks_path }}/motd.yml" handlers: diff --git a/playbooks/groups/maintainer-test.yml b/playbooks/groups/maintainer-test.yml index 124ac0ae93..79fcc74fc5 100644 --- a/playbooks/groups/maintainer-test.yml +++ b/playbooks/groups/maintainer-test.yml 
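Review bot: Removing `- import_role: name=sudo` and `- import_tasks: "{{ tasks_path }}/2fa_client.yml"` leaves nothing visible in copr-hypervisor.yml that manages sudo rules or the 2FA client configuration on these hosts, and the maintainer-test.yml hunk later in this commit drops `- sudo` as well; the 2fa include was added for these same hosts only a few commits earlier ("copr-vmhost: try to fix sudo"). If `ipa/client` now provides both through `ipa_client_sudo_groups`, a short comment next to `- import_role: name=ipa/client` saying that sudo and 2FA are handled by the IPA client role would stop the next reader from re-adding them; if it does not, the hypervisors lose sudo configuration management with this change.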
@@ -1,58 +1,5 @@ -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=aarch64_test:armv7_test" - -- name: Do some basic cloud setup on them - hosts: maintainer_test:aarch64_test:armv7_test - gather_facts: True - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - pre_tasks: - - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml" - - name: set hostname (required by some services, at least postfix need it) - hostname: name="{{inventory_hostname}}" - -- name: setup second disk on aws maintainer-test instances - hosts: maintainer_test:\!ppc64le-test.fedorainfracloud.org - gather_facts: True - tags: - - maintainer-test - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - - - name: make a partition on first disk - parted: device=/dev/nvme0n1 number=1 state=present - tags: - - maintainer-test - when: inventory_hostname.startswith(('f30-test')) - - - name: format the partition if it's not already - filesystem: dev=/dev/nvme0n1p1 fstype=ext4 - tags: - - maintainer-test - when: inventory_hostname.startswith(('f30-test')) - ignore_errors: true - - - name: mount cache filesystem on /var/cache/mock - mount: path=/var/cache/mock state=mounted src=/dev/nvme0n1p1 fstype=ext4 - tags: - - maintainer-test - when: inventory_hostname.startswith(('f30-test')) - - - name: bind mount cache filesystem on /var/lib/mock - mount: path=/var/lib/mock state=mounted src=/var/cache/mock fstype=none opts=bind - tags: - - maintainer-test - when: inventory_hostname.startswith(('f30-test')) - - name: Setup maintainer test hosts - hosts: maintainer_test:aarch64_test:armv7_test + hosts: maintainer_test gather_facts: True tags: - maintainer-test 
@@ -72,7 +19,6 @@ - hosts - openvpn/client - ipa/client - - sudo tasks: # this is how you include other task lists @@ -82,7 +28,7 @@ dnf: state=present pkg={{ item }} with_items: - fedora-packager - when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' + when: ansible_distribution == 'Fedora' tags: - packages From 9403ed23092a3639b876712f45626022a6cd9ed9 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 16 Apr 2021 14:09:33 -0700 Subject: [PATCH 51/72] openvpn / client: drop tons of old cruft for el6 and old openvpn We had a bunch of old el6 conditionals in here, and we have 0 el6 machines. We also now have some CentOS instances, so we shouldn't check for RedHat or Fedora anymore. Also, everything is using the newer openvpn now so no need to make sure the old one is stopped. This should not affect the vast majority of hosts, but it should allow the el7/el8-test instances vpns to actually work. Signed-off-by: Kevin Fenzi --- roles/openvpn/client/tasks/main.yml | 59 +---------------------------- 1 file changed, 1 insertion(+), 58 deletions(-) diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index d382c50a86..a3ca8a8da7 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml 
@@ -9,29 +9,8 @@ tags: - packages - openvpn - when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat' -- name: Install needed packages - package: - state: present - name: - - openvpn - tags: - - packages - - openvpn - when: ansible_distribution_major_version|int > 7 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined - -- name: Install needed packages - package: - state: present - name: - - openvpn - tags: - - packages - - openvpn - when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined - -- name: Install main config file (rhel7 and fedora) +- name: Install main config file template: src=client.conf dest=/etc/openvpn/client/openvpn.conf owner=root group=root mode=0644 @@ -41,7 +20,6 @@ # notify: # - restart openvpn (Fedora) # - restart openvpn (RHEL6+) - when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora') and ansible_cmdline.ostree is not defined - name: Install configuration files (rhel7 and fedora) copy: src={{ item.file }} 
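Review bot: The `when:` clauses removed in both hunks also carried `ansible_cmdline.ostree is not defined`, so the remaining package-install task (whose header is above the hunk) and the `Install main config file` template task now run on ostree hosts too; the commit message only mentions el6 and the RedHat/Fedora checks. If no ostree host carries the openvpn client role this is harmless, otherwise `when: ansible_cmdline.ostree is not defined` should stay on those tasks. The surviving task name `Install configuration files (rhel7 and fedora)` in the next hunk is now stale for the same reason.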
@@ -62,41 +40,6 @@ # - restart openvpn (RHEL7) when: (ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat') or (ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora') and ansible_cmdline.ostree is not defined -- name: Install configuration files (rhel6) - copy: src={{ item.file }} - dest={{ item.dest }} - owner=root group=root mode={{ item.mode }} - with_items: - - { file: client.conf, - dest: /etc/openvpn/openvpn.conf, - mode: '0644' } - - { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt", - dest: "/etc/openvpn/client.crt", - mode: '0600' } - - { file: "{{ private }}/files/vpn/pki/private/{{ inventory_hostname }}.key", - dest: "/etc/openvpn/client.key", - mode: '0600' } - tags: - - install - - openvpn -# notify: -# - restart openvpn (RHEL6) - when: (ansible_distribution_major_version|int == 6 and ansible_distribution == 'RedHat') and ansible_cmdline.ostree is not defined - -- name: enable openvpn service for rhel 6 - service: name=openvpn state=started enabled=true - when: ansible_distribution_major_version|int == 6 and ansible_distribution == 'RedHat' - tags: - - service - - openvpn - -- name: Make sure old openvpn is not running in rhel 7 - service: name=openvpn@openvpn state=stopped enabled=false - when: ansible_distribution_major_version|int == 7 and ansible_distribution == 'RedHat' - tags: - - service - - openvpn - - name: Make sure openvpn is running in rhel 7+ service: name=openvpn-client@openvpn state=started enabled=true when: ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat' From 519b756751ba08277fd2b61ca53c2aab28f27b15 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 16 Apr 2021 14:20:19 -0700 Subject: [PATCH 52/72] openvpn / client: drop another unneeded conditional Signed-off-by: Kevin Fenzi --- roles/openvpn/client/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index a3ca8a8da7..781afd1d60 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -42,7 +42,6 @@ - name: Make sure openvpn is running in rhel 7+ service: name=openvpn-client@openvpn state=started enabled=true - when: ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat' tags: - service - openvpn From c0eba5712b670e2a100afbe51f9e25305e0da481 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 16 Apr 2021 14:25:17 -0700 Subject: [PATCH 53/72] openvpn /client: drop another unneeded conditional Signed-off-by: Kevin Fenzi --- roles/openvpn/client/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 781afd1d60..404518d56b 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -38,7 +38,6 @@ # notify: # - restart openvpn (Fedora) # - restart openvpn (RHEL7) - when: (ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat') or (ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora') and ansible_cmdline.ostree is not defined - name: Make sure openvpn is running in rhel 7+ service: name=openvpn-client@openvpn state=started enabled=true From c902575f4959aa4680ac7ed0dd4ee19c8eb067c5 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 16 Apr 2021 14:32:36 -0700 Subject: [PATCH 54/72] openvpn / base: clean up more RedHat and el6 conditionals Signed-off-by: Kevin Fenzi --- roles/openvpn/base/tasks/main.yml | 50 ++----------------------------- 1 file changed, 2 insertions(+), 48 deletions(-) diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index 11b5985f4f..749dcb8e58 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml 
@@ -9,30 +9,8 @@ tags: - openvpn - packages - when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat' -- name: Install needed package (dnf) - package: - state: present - name: - - openvpn - tags: - - openvpn - - packages - when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined - -- name: Install certificate and key (rhel6) - copy: src={{ private }}/files/vpn/pki/ca.crt - dest=/etc/openvpn/ca.crt - owner=root group=root mode=0600 - tags: - - install - - openvpn - #notify: - #- restart openvpn (RHEL6) - when: ansible_distribution_major_version|int == 6 and ansible_distribution == 'RedHat' - -- name: Install certificate and key (rhel7+) for client +- name: Install ca for client copy: src={{ private }}/files/vpn/pki/ca.crt dest=/etc/openvpn/client/ca.crt owner=root group=root mode=0600 @@ -41,20 +19,8 @@ - openvpn #notify: #- restart openvpn (RHEL7+) - when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat' ) and ansible_cmdline.ostree is not defined -- name: Install certificate and key (Fedora) for client - copy: src={{ private }}/files/vpn/pki/ca.crt - dest=/etc/openvpn/client/ca.crt - owner=root group=root mode=0600 - tags: - - install - - openvpn - #notify: - #- restart openvpn (Fedora) - when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' ) and ansible_cmdline.ostree is not defined - -- name: Install certificate and key (fedora) for server +- name: Install ca for server copy: src={{ private }}/files/vpn/pki/ca.crt dest=/etc/openvpn/server/ca.crt owner=root group=root mode=0600 
@@ -63,18 +29,6 @@ - openvpn #notify: #- restart openvpn (Fedora) - when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' ) and ansible_cmdline.ostree is not defined - -- name: Install certificate and key (rhel7+) for server - copy: src={{ private }}/files/vpn/pki/ca.crt - dest=/etc/openvpn/server/ca.crt - owner=root group=root mode=0600 - tags: - - install - - openvpn - #notify: - #- restart openvpn (RHEL7+) - when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat' ) and ansible_cmdline.ostree is not defined - name: Install certificate and key (rhel7 or fedora) for server copy: src={{ private }}/files/vpn/pki/ca.crt From 9a11a95feb7025e536473f0a5bb8ea4827db3d77 Mon Sep 17 00:00:00 2001 From: Ryan Lerch Date: Mon, 20 Jul 2020 21:08:25 +1000 Subject: [PATCH 55/72] remove batcave's retrieve-security-question.py Removes the batcave script, retrieve-security-question.py which is no longer needed with Noggin / FreeIPA-FAS Signed-off-by: Ryan Lerch --- .../files/retrieve-security-question.py | 107 ------------------ roles/batcave/tasks/main.yml | 11 -- 2 files changed, 118 deletions(-) delete mode 100755 roles/batcave/files/retrieve-security-question.py diff --git a/roles/batcave/files/retrieve-security-question.py b/roles/batcave/files/retrieve-security-question.py deleted file mode 100755 index 22ceaaad57..0000000000 --- a/roles/batcave/files/retrieve-security-question.py +++ /dev/null 
@@ -1,107 +0,0 @@ -#!/usr/bin/python -tt -# -*- coding: utf-8 -*- -# Use this script to retrieve the security_question and security_answer from FAS (requires FAS >= 0.8.14) -# Author: Patrick Uiterwijk -# -# Copyright 2012-2021 Patrick Uiterwijk. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright notice, -# this list of conditions and the following disclaimer in the documentation -# and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE FEDORA PROJECT ''AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO -# EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE -# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF -# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -# The views and conclusions contained in the software and documentation are those -# of the authors and should not be interpreted as representing official policies, -# either expressed or implied, of the Fedora Project. 
- - -import os -import getpass -import sys -import gpg.core -from fedora.client import AccountSystem -from fedora.client import AuthError -from fedora.client import ServerError -import argparse -from io import BytesIO - - -parser = argparse.ArgumentParser() -parser.add_argument('admin_user', help='The user as which to log in to retrieve the question and answer') -parser.add_argument('target_user', help='The user of which to retrieve the security question and answer') -parser.add_argument('--verbose', action='store_true') -parser.add_argument('--no-answer', action='store_true', help='Only show the question, do not decrypt the answer') -parser.add_argument('--site', help='The FAS URL to get the information from') -parser.add_argument('--insecure', action='store_true', default=False, - help='Do not check the certificate for the server. *WARNING*: Only use this for testing') -parser.add_argument('--gpg_home', help='The directory where secring.gpg and pubring.gpg reside') -args = parser.parse_args() - -args.admin_pass = getpass.getpass() - -if args.site == None: - args.site = 'https://admin.fedoraproject.org/accounts/' - -if args.verbose: - print('Using site: %(site)s' % {'site': args.site}) - -if args.verbose: - if args.gpg_home == None: - print('Using default gpg_home') - else: - print('Using gpg_home: %(gpghome)s' % {'gpghome': args.gpg_home}) - -if args.gpg_home != None: - os.putenv('GNUPGHOME', args.gpg_home) - -fas = AccountSystem(args.site, username=args.admin_user, password=args.admin_pass, insecure=args.insecure) - -if args.verbose: - print('Getting user details...') -try: - details = fas.person_by_username(args.target_user) -except AuthError: - print('Failed to login to FAS. Please check admin_user and admin_pass!') - sys.exit(2) -except ServerError: - print('Failed to retrieve user details: the server reported an error!') - sys.exit(3) - -if not 'username' in list(details.keys()): - print('Error: user %(username)s is not known on this FAS site!' 
% {'username': args.target_user}) - sys.exit(4) - -if not 'security_question' in list(details.keys()): - print('Error: security_question was not retrieved by FAS! Are you sure you are using FAS >= 0.8.14, and that admin_user has the privileges to retrieve security_question?') - sys.exit(5) - -if details.security_question == None or details.security_answer == None: - print('Error: unable to retrieve security_question or security_answer. Are you sure you have privileges to return this information?') - sys.exit(6) - -if not args.no_answer: - if args.verbose: - print('Decrypting answer...') - cipher = BytesIO(details.security_answer.encode('utf-8')) - ctx = gpg.core.Context() - plain = ctx.decrypt(cipher)[0].decode('utf8') - details.security_answer = plain - -print('Security question: %(question)s' % {'question': details.security_question}) -if not args.no_answer: - print('Security answer: %(answer)s' % {'answer': details.security_answer}) diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml index d466533057..8dae52bbbe 100644 --- a/roles/batcave/tasks/main.yml +++ b/roles/batcave/tasks/main.yml @@ -238,17 +238,6 @@ - config -# -# Script used to gather encrypted security questions from fas -# - -- name: setup /usr/local/bin/retrieve-security-question.py - copy: src=retrieve-security-question.py dest=/usr/local/bin/retrieve-security-question.py mode=0755 - tags: - - batcave - - config - - # The zodbot server must allow TCP on whatever port zodbot is listening on # for this to work (currently TCP port 5050). # Once that is done, you can symlink /usr/local/bin/zodbot-announce-commits.py From 44ba9627ebce582ae973efed91fdcecbdea6327d Mon Sep 17 00:00:00 2001 From: Ryan Lerch Date: Thu, 15 Apr 2021 19:29:53 +1000 Subject: [PATCH 56/72] prepare for deploying bodhi 5.7.0 to staging Signed-off-by: Ryan Lerch --- inventory/group_vars/os_masters_stg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/inventory/group_vars/os_masters_stg b/inventory/group_vars/os_masters_stg
index 37ccee7102..830be75bd2 100644
--- a/inventory/group_vars/os_masters_stg
+++ b/inventory/group_vars/os_masters_stg
@@ -11,5 +11,5 @@ nagios_Check_Services:
# Set some bodhi variables here.
# Since they are used when running playbooks against the master nodes.
#
-bodhi_version: "5.6.1"
+bodhi_version: "5.7.0"
bodhi_openshift_pods: 1
From 31cc6b81aeb2b7c95dcd0004a331b1e044b0cdb6 Mon Sep 17 00:00:00 2001
From: Ryan Lerch
Date: Mon, 19 Apr 2021 09:15:42 +1000
Subject: [PATCH 57/72] update bodhi upgrade migration bool phx2 -> iad2
Signed-off-by: Ryan Lerch
---
playbooks/manual/upgrade/bodhi.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/manual/upgrade/bodhi.yml b/playbooks/manual/upgrade/bodhi.yml
index 2527a16f33..06339d2717 100644
--- a/playbooks/manual/upgrade/bodhi.yml
+++ b/playbooks/manual/upgrade/bodhi.yml
@@ -76,7 +76,7 @@ tasks:
- set_fact:
# This will be a bool that indicates whether we need to run migrations or not.
- migrations: "'(head)' not in hostvars['bodhi-backend01{{ env_suffix }}.phx2.fedoraproject.org']['current_migration_version'].stdout"
+ migrations: "'(head)' not in hostvars['bodhi-backend01{{ env_suffix }}.iad2.fedoraproject.org']['current_migration_version'].stdout"
- name: Scale down to 0 pods
command: oc -n bodhi scale dc/bodhi-web --replicas=0
when: migrations
From 182b4e2ba6245c38891505eb6211673ebe6be1c5 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Mon, 19 Apr 2021 11:48:26 +0200
Subject: [PATCH 58/72] copr-backend: fix directory listing mtime
Fixes: https://pagure.io/copr/copr/issue/1649
---
roles/copr/backend/templates/lighttpd/dir-generator.php.j2 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/copr/backend/templates/lighttpd/dir-generator.php.j2 b/roles/copr/backend/templates/lighttpd/dir-generator.php.j2
index 53f2964ddb..b149c7606c 100755
--- a/roles/copr/backend/templates/lighttpd/dir-generator.php.j2 +++ b/roles/copr/backend/templates/lighttpd/dir-generator.php.j2 @@ -244,7 +244,7 @@ if($path != "./") { // Print folder information foreach($folderlist as $folder) { print "" .htmlentities($folder['name']). "/"; - print "" . date('Y-M-d H:m:s', $folder['modtime']) . ""; + print "" . date('Y-M-d H:i:s', $folder['modtime']) . ""; print "" . (($calculate_folder_size)?format_bytes($folder['size'], 2):'--') . " "; print "" . $folder['file_type'] . ""; } @@ -255,7 +255,7 @@ foreach($folderlist as $folder) { // Print file information foreach($filelist as $file) { print "" .htmlentities($file['name']). ""; - print "" . date('Y-M-d H:m:s', $file['modtime']) . ""; + print "" . date('Y-M-d H:i:s', $file['modtime']) . ""; print "" . format_bytes($file['size'],2) . " "; print "" . $file['file_type'] . ""; } From 8ccd03835692f32e997dee515c6e573f05a6e2ae Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Mon, 19 Apr 2021 14:12:28 +0200 Subject: [PATCH 59/72] toddlers: ignore the cockpit account as we do for a couple of others Signed-off-by: Pierre-Yves Chibon --- roles/openshift-apps/toddlers/templates/fedora-messaging.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/toddlers/templates/fedora-messaging.toml b/roles/openshift-apps/toddlers/templates/fedora-messaging.toml index efa779cb69..a879c43a84 100644 --- a/roles/openshift-apps/toddlers/templates/fedora-messaging.toml +++ b/roles/openshift-apps/toddlers/templates/fedora-messaging.toml @@ -91,7 +91,7 @@ dist_git_token = "private random string to change" email_overrides_file = "/etc/fedora-messaging/email_overrides.toml" # List of accounts we do not want to report about -ignorable_accounts = ["packagerbot", "zuul"] +ignorable_accounts = ["packagerbot", "zuul", "cockpit"] # Temp folder to use for toddlers temp files temp_folder = "/var/tmp" From 08b2e1370e38a03ddf9edffd35502cb33a79b172 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Mon, 19 Apr 2021 16:03:25 +0200 Subject: [PATCH 60/72] copr: workaround memory leak /api_3/package/list/ is leaking a memory. Even after two days of investigation, I did not find why. Just recycle it more frequent to avoid oomkiller. --- roles/copr/frontend-cloud/templates/httpd/coprs.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/copr/frontend-cloud/templates/httpd/coprs.conf b/roles/copr/frontend-cloud/templates/httpd/coprs.conf index 7f437c44b7..400fce245f 100644 --- a/roles/copr/frontend-cloud/templates/httpd/coprs.conf +++ b/roles/copr/frontend-cloud/templates/httpd/coprs.conf @@ -4,6 +4,7 @@ Alias "/db_dumps/" "/var/www/html/db_dumps/" WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe processes=4 threads=5 display-name=other maximum-requests=8000 restart-interval=300 graceful-timeout=20 WSGIDaemonProcess api user=copr-fe group=copr-fe processes=2 threads=15 display-name=api maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess api-memory-leak user=copr-fe group=copr-fe processes=2 threads=1 display-name=api-memory-leak maximum-requests=10 graceful-timeout=20 WSGIDaemonProcess backend user=copr-fe group=copr-fe processes=2 threads=15 display-name=backend maximum-requests=8000 graceful-timeout=20 WSGIDaemonProcess stats user=copr-fe group=copr-fe processes=2 threads=15 display-name=stats maximum-requests=8000 graceful-timeout=20 WSGIDaemonProcess tmp user=copr-fe group=copr-fe processes=2 threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20 @@ -71,6 +72,9 @@ WSGIApplicationGroup %{GLOBAL} WSGIProcessGroup upload + + WSGIProcessGroup api-memory-leak + WSGIProcessGroup upload From b57d7d40283b9a06f3483d711d52a488dcf91756 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Mon, 19 Apr 2021 16:29:57 +0200 Subject: [PATCH 61/72] copr: typo --- roles/copr/frontend-cloud/templates/httpd/coprs.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
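Review bot: The new `api-memory-leak` daemon process (`maximum-requests=10`, `threads=1`) is an operational workaround, but nothing in coprs.conf says so; the reason lives only in the commit message, and the next person tuning these WSGIDaemonProcess lines will see an oddly low recycle count with no context. Add a comment above it such as `# /api_3/package/list/ leaks memory (root cause unknown); this dedicated process group is recycled every 10 requests to stay ahead of the OOM killer - drop it once the leak is fixed`. The directive lines around the second hunk's `WSGIProcessGroup api-memory-leak` appear to have been lost in rendering, so which path is bound to the new group cannot be confirmed from this view.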
diff --git a/roles/copr/frontend-cloud/templates/httpd/coprs.conf b/roles/copr/frontend-cloud/templates/httpd/coprs.conf index 400fce245f..9812588ba2 100644 --- a/roles/copr/frontend-cloud/templates/httpd/coprs.conf +++ b/roles/copr/frontend-cloud/templates/httpd/coprs.conf @@ -72,7 +72,7 @@ WSGIApplicationGroup %{GLOBAL} WSGIProcessGroup upload - + WSGIProcessGroup api-memory-leak From 4a2f31b0ca89765a5f101326274eeafbe9b41bdd Mon Sep 17 00:00:00 2001 From: Brendan Early Date: Mon, 12 Apr 2021 10:46:22 -0500 Subject: [PATCH 62/72] Fix syntax issue in solr playbook --- playbooks/openshift-apps/solr.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/playbooks/openshift-apps/solr.yml b/playbooks/openshift-apps/solr.yml index 3238d32c22..3def20137b 100644 --- a/playbooks/openshift-apps/solr.yml +++ b/playbooks/openshift-apps/solr.yml @@ -35,9 +35,21 @@ file: service.yml objectname: service.yml - - command: "oc adm pod-network join-projects --to=solr fedora-packages-static" - - role: openshift/object app: solr file: deploymentconfig.yml objectname: deploymentconfig.yml + +- name: Link solr and fedora-packages-static networks + hosts: os_masters_stg[0] + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - name: Run oc adm command to link solr to other projects + command: "oc adm pod-network join-projects --to=solr fedora-packages-static" From a34c6f699225937e190b4f4f6fdba3aff6374175 Mon Sep 17 00:00:00 2001 From: Francois Andrieu Date: Wed, 14 Apr 2021 16:04:04 +0200 Subject: [PATCH 63/72] languages: namespace missing in oc commands --- playbooks/openshift-apps/languages.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/openshift-apps/languages.yml b/playbooks/openshift-apps/languages.yml index 3e143ff25f..afd8fb49d2 100644 
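Review bot: The new play is pinned to `hosts: os_masters_stg[0]`, so the `oc adm pod-network join-projects` step now only ever runs against staging; if the play it was moved out of (above the hunk) also targets the production masters, production solr silently never gets joined to fedora-packages-static. If staging-only is the intent, say so in the play name or a comment; otherwise reuse the same `hosts:` pattern the first play uses. Also, a bare `command:` reports changed on every run, so consider `changed_when: false` or a registered-output check so repeated runs of the playbook do not look like they keep modifying the cluster.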
--- a/playbooks/openshift-apps/languages.yml +++ b/playbooks/openshift-apps/languages.yml @@ -71,28 +71,28 @@ post_tasks: - name: run initial f.10 import - command: "oc create job stats-10-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-10" + command: "oc -n languages create job stats-10-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-10" tags: - never - init - f10 - name: run initial f.20 import - command: "oc create job stats-20-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-20" + command: "oc -n languages create job stats-20-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-20" tags: - never - init - f20 - name: run initial f.30 import - command: "oc create job stats-30-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-30" + command: "oc -n languages create job stats-30-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-30" tags: - never - init - f30 - name: run initial f.latest import - command: "oc create job stats-latest-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-latest" + command: "oc -n languages create job stats-latest-{{ lookup('pipe','date +%s') }}-init --from=cronjob/stats-latest" tags: - never - init From 63015e6bd36b2dc46ff597a17d5e300aeca19116 Mon Sep 17 00:00:00 2001 From: Ryan Lerch Date: Mon, 19 Apr 2021 10:17:51 +1000 Subject: [PATCH 64/72] Update bodhi staging sync playbook phx2 -> iad2 Signed-off-by: Ryan Lerch --- playbooks/manual/staging-sync/bodhi.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/playbooks/manual/staging-sync/bodhi.yml b/playbooks/manual/staging-sync/bodhi.yml index c658939171..c3e44023f3 100644 --- a/playbooks/manual/staging-sync/bodhi.yml +++ b/playbooks/manual/staging-sync/bodhi.yml 
@@ -13,7 +13,7 @@ - service: name=httpd state=stopped - name: bring staging services down (OpenShift web services) - hosts: os-master01.stg.phx2.fedoraproject.org + hosts: os-master01.stg.iad2.fedoraproject.org user: root vars_files: - /srv/web/infra/ansible/vars/global.yml @@ -43,7 +43,7 @@ # Here's the meaty part in the middle - name: drop and re-create the staging db entirely - hosts: pgbdr01.stg.phx2.fedoraproject.org + hosts: pgbdr01.stg.iad2.fedoraproject.org user: root become: yes become_user: postgres @@ -68,7 +68,7 @@ - file: path=/var/tmp/bodhi2.dump state=absent - name: bring staging services up (OpenShift web services) - hosts: os-master01.stg.phx2.fedoraproject.org + hosts: os-master01.stg.iad2.fedoraproject.org user: root vars_files: - /srv/web/infra/ansible/vars/global.yml From a20bb1afdd9688404acf1175b0a2bbbc616970df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Tue, 20 Apr 2021 14:00:30 +0200 Subject: [PATCH 65/72] oraculum: Use feature branch to test out FAS on stg --- roles/openshift-apps/oraculum/templates/buildconfig.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/openshift-apps/oraculum/templates/buildconfig.yml b/roles/openshift-apps/oraculum/templates/buildconfig.yml index 697bbdd6f6..d5186bd53d 100644 --- a/roles/openshift-apps/oraculum/templates/buildconfig.yml +++ b/roles/openshift-apps/oraculum/templates/buildconfig.yml @@ -14,7 +14,11 @@ spec: type: Git git: uri: https://pagure.io/fedora-qa/oraculum +{% if env == 'staging' %} + ref: "feature/much_login" +{% else %} ref: "master" +{% endif %} strategy: type: Source sourceStrategy: From ffb00b941f1fbbdb0f364ff17be8e277164cdd7e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Tue, 20 Apr 2021 23:25:11 +0200 Subject: [PATCH 66/72] Revert "oraculum: Use feature branch to test out FAS on stg" This reverts commit a20bb1afdd9688404acf1175b0a2bbbc616970df. --- roles/openshift-apps/oraculum/templates/buildconfig.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/openshift-apps/oraculum/templates/buildconfig.yml b/roles/openshift-apps/oraculum/templates/buildconfig.yml index d5186bd53d..697bbdd6f6 100644 --- a/roles/openshift-apps/oraculum/templates/buildconfig.yml +++ b/roles/openshift-apps/oraculum/templates/buildconfig.yml @@ -14,11 +14,7 @@ spec: type: Git git: uri: https://pagure.io/fedora-qa/oraculum -{% if env == 'staging' %} - ref: "feature/much_login" -{% else %} ref: "master" -{% endif %} strategy: type: Source sourceStrategy: From 3cd2bf8929e6b5c983f257aeb72b26120909c472 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 21 Apr 2021 17:54:01 +0200 Subject: [PATCH 67/72] fasjson: Only create an alias for Fedora contributors Signed-off-by: Pierre-Yves Chibon --- roles/fasjson/templates/fasjson-aliases.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/fasjson/templates/fasjson-aliases.j2 b/roles/fasjson/templates/fasjson-aliases.j2 index 02de9efba4..4b05a7ec4c 100644 --- a/roles/fasjson/templates/fasjson-aliases.j2 +++ b/roles/fasjson/templates/fasjson-aliases.j2 @@ -18,7 +18,7 @@ def gen_all_aliases(): client = Client(url=fasjson_url) try: - users = client.list_users().result + users = client.list_group_members(groupname="fedora-contributor").result groups = client.list_groups().result temporary_file = tempfile.NamedTemporaryFile( "w+", delete=False, dir=os.getcwd() @@ -30,7 +30,8 @@ def gen_all_aliases(): temp.write(line) for user in users: username = user['username'] - email = user['emails'][0] + userinfo = client.get_user(username=username) + email = userinfo['emails'][0] temp.write(f'{username}: {email} \n') 
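Review bot: The loop in the second hunk now issues one `client.get_user()` call per member of fedora-contributor, because `list_group_members` yields usernames only, whereas the previous `list_users()` returned the e-mail together with the listing; for a group of that size this turns one request into thousands, and a single failing lookup (HTTP error, or a user whose record has no `emails` entry) aborts the whole alias generation inside the surrounding `try:`. Consider checking whether the client can return full user objects for the group in one call, and guard the `['emails'][0]` access so a user without an address is logged and skipped rather than raising `KeyError`/`IndexError`. `gen_all_aliases` starts above the hunk and the `try:` it opens is closed outside it.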
From a83685e80a1137dfbe52ea273d73f1353ac843ce Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Wed, 21 Apr 2021 17:57:22 +0200
Subject: [PATCH 68/72] fasjson: fix typo, we need to access .result to have the dict
Signed-off-by: Pierre-Yves Chibon
---
roles/fasjson/templates/fasjson-aliases.j2 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/fasjson/templates/fasjson-aliases.j2 b/roles/fasjson/templates/fasjson-aliases.j2
index 4b05a7ec4c..c9fb5b473f 100644
--- a/roles/fasjson/templates/fasjson-aliases.j2
+++ b/roles/fasjson/templates/fasjson-aliases.j2
@@ -30,7 +30,7 @@ def gen_all_aliases():
temp.write(line)
for user in users:
username = user['username']
- userinfo = client.get_user(username=username)
+ userinfo = client.get_user(username=username).result
email = userinfo['emails'][0]
temp.write(f'{username}: {email} \n')
From 7e4543be97ed2724f37c5abbd6a86096da660844 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Wed, 21 Apr 2021 18:06:10 +0200
Subject: [PATCH 69/72] fasjson: do not make the fasjson-aliases silently catch all the exception
This just makes it much harder to debug anything as it silently crashes. With this, it will crash, show a stacktrace and still have a return code different from 0.
Signed-off-by: Pierre-Yves Chibon
---
roles/fasjson/templates/fasjson-aliases.j2 | 26 ++++++++++------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/roles/fasjson/templates/fasjson-aliases.j2 b/roles/fasjson/templates/fasjson-aliases.j2
index c9fb5b473f..d01f54da37 100644
--- a/roles/fasjson/templates/fasjson-aliases.j2
+++ b/roles/fasjson/templates/fasjson-aliases.j2
@@ -115,20 +115,18 @@ def main():
# Use the system's keytab for authentication
os.environ["KRB5_CLIENT_KTNAME"] = "/etc/krb5.keytab"
- try:
- if not args:
- gen_all_aliases()
- # call newaliases script so postfix gets updated
- subprocess.check_call(['/usr/bin/newaliases'])
- elif len(args) == 2 and args[0] == "update":
- update_user(args[1])
- # call newaliases script so postfix gets updated
- subprocess.check_call(['/usr/bin/newaliases'])
- else:
- print(f"Usage: {sys.argv[0]} [update ]", file=sys.stderr)
- raise RuntimeError()
- except Exception:
- sys.exit(1)
+ if not args:
+ gen_all_aliases()
+ # call newaliases script so postfix gets updated
+ subprocess.check_call(['/usr/bin/newaliases'])
+ elif len(args) == 2 and args[0] == "update":
+ update_user(args[1])
+ # call newaliases script so postfix gets updated
+ subprocess.check_call(['/usr/bin/newaliases'])
+ else:
+ print(f"Usage: {sys.argv[0]} [update ]", file=sys.stderr)
+ exit(1)
+
if __name__ == "__main__":
main()
From 6e1ab9cd21af60e55afeec077e960dfc71fd6791 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 20 Apr 2021 14:40:49 -0700
Subject: [PATCH 70/72] ipa / client: setup nopasswd sudo groups for maintainer test
For the maintainer_tests instances we just want to allow anyone with shell access ability to sudo with no password. In this case asking for password/tokens could provide a MITM attack vector. This matches up with the way they were setup before with fas2.
Signed-off-by: Kevin Fenzi
---
inventory/group_vars/maintainer_test | 3 ++-
roles/ipa/client/tasks/prepare-ipa-info.yml | 5 +++++
roles/ipa/client/tasks/sudo.yml | 17 +++++++++++++++++
3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/inventory/group_vars/maintainer_test b/inventory/group_vars/maintainer_test
index 1838bd8a6f..a8c36c90c0 100644
--- a/inventory/group_vars/maintainer_test
+++ b/inventory/group_vars/maintainer_test
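Review bot: `exit(1)` in the usage branch is the `site`-module convenience builtin, which is absent when the interpreter runs with `-S` or is embedded; `sys` is already in use on the line above (`sys.argv`, `sys.stderr`), so keep `sys.exit(1)`, which the removed code already used. The rest of the change does what the commit message says: a failure in `gen_all_aliases`, `update_user` or `newaliases` now propagates with a traceback and a non-zero status instead of a bare `sys.exit(1)`. `main()` starts above the hunk.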
@@ -11,5 +11,6 @@ ipa_host_group: maintainer_test ipa_host_group_desc: Test hosts for package maintainers ipa_client_shell_groups: - packager -ipa_client_sudo_groups: +ipa_client_sudo_nopasswd_groups: +- sysadmin-main - packager diff --git a/roles/ipa/client/tasks/prepare-ipa-info.yml b/roles/ipa/client/tasks/prepare-ipa-info.yml index 1a518df9a4..ead4fbeda1 100644 --- a/roles/ipa/client/tasks/prepare-ipa-info.yml +++ b/roles/ipa/client/tasks/prepare-ipa-info.yml @@ -40,6 +40,7 @@ # "host_group_1": { # "shell_groups": [...], # "sudo_groups": [...], +# "sudo_nopasswd_groups": [...], # "hosts": { # <-- This could be a list with Ansible >= 2.10 # "host_1": true, # ..., @@ -85,6 +86,8 @@ (ipa_hosts_combined_shell_groups_dict[item] | length > 0) | ternary(ipa_hosts_combined_shell_groups_dict[item], omit), 'sudo_groups': hostvars[item]['ipa_client_sudo_groups'] | default(omit), + 'sudo_nopasswd_groups': + hostvars[item]['ipa_client_sudo_nopasswd_groups'] | default(omit), 'hosts': {item: true}, } } @@ -99,6 +102,8 @@ hostvars[item]['ipa_server']: { 'groups': ipa_hosts_combined_shell_groups_dict[item] | union( hostvars[item]['ipa_client_sudo_groups'] | default([]) + ) | union( + hostvars[item]['ipa_client_sudo_nopasswd_groups'] | default([]) ), 'hosts': {item: True}, } diff --git a/roles/ipa/client/tasks/sudo.yml b/roles/ipa/client/tasks/sudo.yml index 33a7fda035..31c6d536ab 100644 --- a/roles/ipa/client/tasks/sudo.yml +++ b/roles/ipa/client/tasks/sudo.yml 
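Review bot: In the maintainer_test group_vars hunk `ipa_client_sudo_groups` is replaced rather than supplemented, so every member of `packager` on these hosts now gets root for all commands without authenticating (`cmdcategory: "all"` plus `!authenticate` in the sudo.yml task below). That is what the commit message intends, but the justification (disposable test hosts; never prompting for a password or OTP on a shared box) exists only in the commit and will be lost on the next edit of this file. Add a comment above the variable, e.g. `# maintainer_test hosts are disposable: anyone with shell access gets NOPASSWD sudo so no password/OTP is ever typed on them (see roles/ipa/client/tasks/sudo.yml)`.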
@@ -34,3 +34,20 @@ notify: clean sss caches loop: "{{ ipa_server_host_groups }}" when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_groups'] is defined + +- name: Give certain groups passwordless sudo access to anything per host group + delegate_to: "{{ item[0] }}" + ipasudorule: + name: "hostgroup/{{ item[1] }}/nopasswd" + description: "Grant passwordless sudo access to anything on host group {{ item[1] }}" + ipaadmin_password: "{{ ipa_server_admin_passwords[item[0]] }}" + state: present + group: "{{ ipa_server_host_groups_dict[item[0]][item[1]]['sudo_nopasswd_groups'] }}" + hostgroup: "{{ item[1] }}" + cmdcategory: "all" + runasusercategory: "all" + runasgroupcategory: "all" + options: "!authenticate" + notify: clean sss caches + loop: "{{ ipa_server_host_groups }}" + when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_nopasswd_groups'] is defined From 6a2bff7af9daab0ebcd15f49545b99b914e8c4f9 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 21 Apr 2021 12:13:06 -0700 Subject: [PATCH 71/72] base / ifcfg: make sure and set staging to use stg.iad2.fedoraproject.org domain This should only affect stg hosts. We had set all of iad2 the same, prod and stg both. We need to make sure stg resolves to stg hosts first. This worked somewhat until now because we replace the resolv.conf on stg hosts, but without this they are borken right after boot and until we replace the resolv.conf and restart httpd or other services. Signed-off-by: Kevin Fenzi --- roles/base/templates/ifcfg.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/base/templates/ifcfg.j2 b/roles/base/templates/ifcfg.j2 index 807b0325fc..c6c578f3b2 100644 --- a/roles/base/templates/ifcfg.j2 +++ b/roles/base/templates/ifcfg.j2 
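Review bot: The new task only ever creates or updates `hostgroup/<name>/nopasswd`; because of the `when:` guard, a host group that later stops defining `sudo_nopasswd_groups` simply stops being managed, and the rule stays in FreeIPA still granting `!authenticate` root for all commands. That mirrors the `sudo_groups` task above it, but for a NOPASSWD rule the leftover is worth handling explicitly: add a companion task with `state: absent` for the same `name:` when `['sudo_nopasswd_groups']` is not defined, or at least a comment stating that removal is manual. Whether such a cleanup already exists elsewhere in the role cannot be seen from this hunk.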
@@ -10,8 +10,10 @@ OPTIONS="layer2=1 portno=0"
 DEFROUTE=yes
 GATEWAY="{{ gw }}"
 {% endif %}
-{% if hostvars[inventory_hostname].datacenter == 'iad2' %}
+{% if hostvars[inventory_hostname].datacenter == 'iad2' and env == 'production' %}
 DOMAIN="iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org"
+{% elif hostvars[inventory_hostname].datacenter == 'iad2' and env == 'staging' %}
+DOMAIN="stg.iad2.fedoraproject.org iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org"
 {% else %}
 DOMAIN="vpn.fedoraproject.org fedoraproject.org"
 {% endif %}
From 2effdae9a7faa305fd4e7be50b65b205e1eda2e5 Mon Sep 17 00:00:00 2001
From: "Justin W. Flory (he/him) [Fedora Project]"
Date: Wed, 21 Apr 2021 10:49:53 -0400
Subject: [PATCH 72/72] fasjson: Add custom email alias `bt0` for FAS @bt0dotninja This commit creates a custom email address, `bt0@fp.o` to redirect to @bt0dotninja's FAS email address. As folks who work with Alberto know, his IRC/Matrix nick is `bt0` and frequently in chats and mailing lists, his short-hand version of his name is used. So, as @nb did for me previously with aliasing `jwf@fp.o` to @jflory7, I am doing the same for @bt0dotninja.
Signed-off-by: Justin W. Flory (he/him) [Fedora Project]
---
roles/fas_client/files/aliases.template | 3 ++-
roles/fasjson/files/aliases.static | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/roles/fas_client/files/aliases.template b/roles/fas_client/files/aliases.template
index 8789b30f3d..228319afc7 100644
--- a/roles/fas_client/files/aliases.template
+++ b/roles/fas_client/files/aliases.template
@@ -141,7 +141,7 @@ cvs-sysadmin: fedora-sysadmin-list@redhat.com
 # this email address no longer exists internally (2020-06?) and is
 # causing large amounts of bouncebacks and weighing email down from
-# our servers in the RH scanners.
+# our servers in the RH scanners.
 legal-cla-archive: /dev/null
 vendors: distribution-members
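Review bot: Splitting the iad2 case into `env == 'production'` and `env == 'staging'` means an iad2 host whose `env` has any other value now falls into the `{% else %}` branch and loses the `iad2.fedoraproject.org` search domain it had before this change, and if `env` can be undefined for some host the comparison presumably fails to render at all. Testing the staging case first and keeping the generic iad2 branch as the fallback avoids both: `{% if hostvars[inventory_hostname].datacenter == 'iad2' and env == 'staging' %}` in front of the stg DOMAIN line, then `{% elif hostvars[inventory_hostname].datacenter == 'iad2' %}` in front of the existing iad2 DOMAIN line. Whether any iad2 host actually carries a third `env` value is not visible from this hunk.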
@@ -255,6 +255,7 @@ rbergeron: rbergero
 jwf: jflory7
 axk4545: abkahrs
 bexelbie: bex
+bt0dotninja: bt0
 # Mirror admin alias
 mirror-admin: mirror-admin@lists.fedoraproject.org
diff --git a/roles/fasjson/files/aliases.static b/roles/fasjson/files/aliases.static
index 6c763b9dfe..3e54475bf1 100644
--- a/roles/fasjson/files/aliases.static
+++ b/roles/fasjson/files/aliases.static
@@ -141,7 +141,7 @@ cvs-sysadmin: fedora-sysadmin-list@redhat.com
 # this email address no longer exists internally (2020-06?) and is
 # causing large amounts of bouncebacks and weighing email down from
-# our servers in the RH scanners.
+# our servers in the RH scanners.
 legal-cla-archive: /dev/null
 vendors: distribution-members
@@ -255,6 +255,7 @@ rbergeron: rbergero
 jwf: jflory7
 axk4545: abkahrs
 bexelbie: bex
+bt0dotninja: bt0
 # Mirror admin alias
 mirror-admin: mirror-admin@lists.fedoraproject.org
