diff --git a/files/httpd/newvirtualhost.conf.j2 b/files/httpd/newvirtualhost.conf.j2
index 18c7a2e8ad..3bae09726b 100644
--- a/files/httpd/newvirtualhost.conf.j2
+++ b/files/httpd/newvirtualhost.conf.j2
@@ -1,75 +1,5 @@
-
- # Change this to the domain which points to your host.
- ServerName {{ item.name }}
-
- # Use separate log files for the SSL virtual host; note that LogLevel
- # is not inherited from httpd.conf.
- ErrorLog logs/{{ item.name }}_error_log
- TransferLog logs/{{ item.name }}_access_log
- LogLevel warn
-
- # SSL Engine Switch:
- # Enable/Disable SSL for this virtual host.
- SSLEngine on
-
- # SSL Protocol support:
- # List the enable protocol levels with which clients will be able to
- # connect. Disable SSLv2 access by default:
- SSLProtocol all -SSLv2
-
- # SSL Cipher Suite:
- # List the ciphers that the client is permitted to negotiate.
- # See the mod_ssl documentation for a complete list.
- #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-
- # Server Certificate:
- # Point SSLCertificateFile at a PEM encoded certificate. If
- # the certificate is encrypted, then you will be prompted for a
- # pass phrase. Note that a kill -HUP will prompt again. A new
- # certificate can be generated using the genkey(1) command.
- SSLCertificateFile /etc/pki/tls/certs/{{ sslcertfile }}
-
- # Server Private Key:
- # If the key is not combined with the certificate, use this
- # directive to point at the key file. Keep in mind that if
- # you've both a RSA and a DSA private key you can configure
- # both in parallel (to also allow the use of DSA ciphers, etc.)
- SSLCertificateKeyFile /etc/pki/tls/private/{{ sslkeyfile }}
-
- # Server Certificate Chain:
- # Point SSLCertificateChainFile at a file containing the
- # concatenation of PEM encoded CA certificates which form the
- # certificate chain for the server certificate. Alternatively
- # the referenced file can be the same as SSLCertificateFile
- # when the CA certificates are directly appended to the server
- # certificate for convinience.
- #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
- {% if sslintermediatecertfile != '' %}
- SSLCertificateChainFile /etc/pki/tls/certs/{{ sslintermediatecertfile }}
- {% endif %}
-
- # Certificate Authority (CA):
- # Set the CA certificate verification path where to find CA
- # certificates for client authentication or alternatively one
- # huge file containing all of them (file must be PEM encoded)
- #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
-
- DocumentRoot {{ item.document_root }}
-
- Options Indexes FollowSymLinks
-
-
-
-
# Change this to the domain which points to your host.
ServerName {{ item.name }}
- {% if sslonly %}
- RewriteEngine On
- RewriteCond %{HTTPS} off
- RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
- {% else %}
- Options Indexes FollowSymLinks
- {% endif %}
+ Options Indexes FollowSymLinks
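Review bot: After this change the template renders only a plain-HTTP virtual host with `Options Indexes FollowSymLinks`; both the TLS virtual host and the `sslonly` redirect to HTTPS are gone. If every site rendered from it now sits behind a TLS-terminating proxy that is fine, but nothing in the hunk says so, and a header comment such as `# TLS is terminated upstream; do not expose this vhost directly` would record the assumption (to be confirmed by the author). `Indexes` makes any directory without an index file browsable and `FollowSymLinks` lets a symlink inside the document root reach outside it, so `Options -Indexes +SymLinksIfOwnerMatch` is the safer default unless listings are wanted. The container tags of the template are not visible here, so this is read from the directive lines only.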
diff --git a/inventory/group_vars/composers b/inventory/group_vars/composers
index 61959c029a..7976593dbc 100644
--- a/inventory/group_vars/composers
+++ b/inventory/group_vars/composers
@@ -15,6 +15,8 @@ virt_install_command: "{{ virt_install_command_two_nic }}"
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+
host_group: releng
# These are consumed by a task in roles/fedmsg/base/main.yml
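Review bot: Nothing visible in this commit shows how the file named by `sudoers` is installed; the `sudo` role that the playbooks/groups/composers.yml hunk adds is outside the diff. Before this lands on the composers, confirm that the role writes the file as root:root with mode 0440 and validates it first, for example with `validate='visudo -cf %s'` on the copy task. A syntactically broken sudoers drop-in can lock out sudo on the host.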
diff --git a/inventory/group_vars/openqa b/inventory/group_vars/openqa
index a7ca00aba3..a44b4c5e9d 100644
--- a/inventory/group_vars/openqa
+++ b/inventory/group_vars/openqa
@@ -3,6 +3,8 @@ virt_install_command: "{{ virt_install_command_one_nic }} --cpu=host-passthrough
external_hostname: openqa.fedoraproject.org
+openqa_static_uid: 601
+
openqa_hostname: localhost
openqa_email: adamwill@fedoraproject.org
openqa_nickname: adamwill
@@ -13,6 +15,7 @@ openqa_dbname: openqa
openqa_dbhost: db-qa01.qa.fedoraproject.org
openqa_dbuser: openqa
openqa_dbpassword: "{{ prod_openqa_dbpassword }}"
+openqa_assetsize: 300
openqa_key: "{{ prod_openqa_apikey }}"
openqa_secret: "{{ prod_openqa_apisecret }}"
diff --git a/inventory/group_vars/openqa-stg b/inventory/group_vars/openqa-stg
index 4e498de56e..69671e76f2 100644
--- a/inventory/group_vars/openqa-stg
+++ b/inventory/group_vars/openqa-stg
@@ -14,6 +14,8 @@ virt_install_command: "{{ virt_install_command_one_nic }} --cpu=host-passthrough
external_hostname: openqa.stg.fedoraproject.org
+openqa_static_uid: 601
+
openqa_hostname: localhost
openqa_email: adamwill@fedoraproject.org
openqa_nickname: adamwill
@@ -24,6 +26,7 @@ openqa_dbname: openqa-stg
openqa_dbhost: db-qa01.qa.fedoraproject.org
openqa_dbuser: openqastg
openqa_dbpassword: "{{ stg_openqa_dbpassword }}"
+openqa_assetsize: 300
openqa_workers: 3
diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
index 2ebef26685..fa294497a0 100644
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -18,7 +18,7 @@ git_group: packager
git_port: 9418
git_server: /usr/libexec/git-core/git-daemon
git_server_args: --export-all --syslog --inetd --verbose
-git_basepath: /srv/git/repositories/rpms
+git_basepath: /srv/git/repositories
git_daemon_user: nobody
clamscan_mailto: admin@fedoraproject.org
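Review bot: Widening `git_basepath` from `/srv/git/repositories/rpms` to `/srv/git/repositories` matters because `git_server_args` two lines above still passes `--export-all`, which makes git-daemon serve every repository it finds without requiring a `git-daemon-export-ok` marker. Assuming `git_basepath` feeds the daemon's base path (the service template is not in this diff), any repository created under the wider tree becomes anonymously readable on port 9418. Either confirm that the tree holds only namespaces meant to be public, or drop `--export-all` and mark exportable repositories explicitly.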
diff --git a/playbooks/groups/composers.yml b/playbooks/groups/composers.yml
index 0eb8a0a986..5978d22079 100644
--- a/playbooks/groups/composers.yml
+++ b/playbooks/groups/composers.yml
@@ -37,6 +37,7 @@
when: datacenter == 'staging'
- releng
- fedmsg/base
+ - sudo
tasks:
- include: "{{ tasks }}/yumrepos.yml"
diff --git a/playbooks/groups/qa-stg.yml b/playbooks/groups/qa-stg.yml
index 48b5b97c70..bfe9230bb7 100644
--- a/playbooks/groups/qa-stg.yml
+++ b/playbooks/groups/qa-stg.yml
@@ -99,13 +99,13 @@
- name: create dirs for static sites
file: path={{ item.document_root }} state=directory owner=apache group=apache mode=1755
- with_items: static_sites
+ with_items: "{{ static_sites }}"
tags:
- qastaticsites
- name: generate virtualhosts for static sites
template: src={{ files }}/httpd/newvirtualhost.conf.j2 dest=/etc/httpd/conf.d/{{ item.name }}.conf owner=root group=root mode=0644
- with_items: static_sites
+ with_items: "{{ static_sites }}"
notify:
- reload httpd
tags:
diff --git a/roles/apps-fp-o/files/apps.yaml b/roles/apps-fp-o/files/apps.yaml
index c1823de762..6b5d599e2e 100644
--- a/roles/apps-fp-o/files/apps.yaml
+++ b/roles/apps-fp-o/files/apps.yaml
@@ -328,10 +328,8 @@ children:
source_url: https://github.com/fedora-infra/nuancier
bugs_url: https://github.com/fedora-infra/nuancier/issues
docs_url: http://nuancier.readthedocs.org/en/latest/
- # TODO - write a SOP for nuancier
- # https://fedorahosted.org/fedora-infrastructure/ticket/5155
- #sops:
- # - url goes here
+ sops:
+ - https://infrastructure.fedoraproject.org/infra/docs/nuancier.rst
description: >
Nuancier is a simple voting application for the
supplementary wallpapers included in Fedora.
diff --git a/roles/distgit/files/cgi-nfs.pp b/roles/distgit/files/cgi-nfs.pp
index a0df2ccccc..116536a06b 100644
Binary files a/roles/distgit/files/cgi-nfs.pp and b/roles/distgit/files/cgi-nfs.pp differ
diff --git a/roles/distgit/files/cgi-nfs.te b/roles/distgit/files/cgi-nfs.te
index 5ba0dfe4f6..3274b1fcb3 100644
--- a/roles/distgit/files/cgi-nfs.te
+++ b/roles/distgit/files/cgi-nfs.te
@@ -1,20 +1,20 @@
-policy_module(nfscgi, 1.0.0)
+policy_module(nfscgi, 1.0.1)
require {
type httpd_git_script_t;
type git_script_t;
type git_system_t;
type httpd_git_content_t;
+ type git_user_content_t;
type nfs_t;
class dir { create write search add_name remove_name getattr open };
class file { create write rename setattr read open };
}
-
allow git_system_t httpd_git_content_t:dir { getattr read open };
allow git_system_t httpd_git_content_t:file { read open getattr };
-
-
+allow git_system_t httpd_git_content_t:lnk_file { read open getattr };
+allow git_system_t git_user_content_t:lnk_file { read open getattr };
allow httpd_git_script_t nfs_t:dir { write };
allow git_system_t httpd_git_content_t:dir { search };
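Review bot: The two new `lnk_file` rules have no comment saying which symlinks `git_system_t` has to resolve, and the second one extends the daemon's access to `git_user_content_t`, a type the module did not touch before. A line above them such as `# git-daemon resolves repository symlinks under the export root` (wording to be confirmed by the author) would let a later reader judge whether the grant is still needed. The matching cgi-nfs.pp is committed as an opaque binary, so review cannot confirm it was built from this source. Compiling the module from the .te at deploy time would close that gap.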
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 8e20a18316..390db7d813 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -378,19 +378,24 @@
# Three tasks for handling our selinux policy for upload.cgi
- name: ensure a directory exists for our SELinux policy
file: dest=/usr/local/share/selinux/ state=directory
+ tags: selinux
- name: copy over our custom selinux policy
copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
register: selinux_module
+ tags: selinux
- name: install our custom selinux policy
command: semodule -i /usr/local/share/selinux/upload_cgi.pp
when: selinux_module|changed
+ tags: selinux
- name: copy over our custom nfs selinux policy
copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
register: nfs_selinux_module
+ tags: selinux
- name: install our custom nfs selinux policy
command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
when: nfs_selinux_module|changed
+ tags: selinux
diff --git a/roles/git/server/tasks/main.yml b/roles/git/server/tasks/main.yml
index f95ba428b6..ef9fe4f3e6 100644
--- a/roles/git/server/tasks/main.yml
+++ b/roles/git/server/tasks/main.yml
@@ -3,11 +3,13 @@
- name: install the git-daemon package
yum: pkg=git-daemon state=present
+ tags: git/server
# If NOT using xinetd
- name: delete stock git daemon config
file: path="/usr/lib/systemd/system/git.service" state=absent
when: ansible_distribution_major_version|int == 7
+ tags: git/server
- name: configure git daemon
template: >
@@ -15,11 +17,13 @@
dest="/usr/lib/systemd/system/git@.service"
mode=0644
when: ansible_distribution_major_version|int == 7
+ tags: git/server
# If using xinetd
- name: install xinetd
yum: pkg=xinetd state=present
when: ansible_distribution_major_version|int == 6
+ tags: git/server
- name: install the xinetd config file
template: >
@@ -27,5 +31,6 @@
dest="/etc/xinetd.d/git"
mode=0644
when: ansible_distribution_major_version|int == 6
+ tags: git/server
notify:
- restart xinetd
diff --git a/roles/openqa/dispatcher/files/openqa_consumer.py b/roles/openqa/dispatcher/files/openqa_consumer.py
deleted file mode 100644
index 80bb6160c7..0000000000
--- a/roles/openqa/dispatcher/files/openqa_consumer.py
+++ /dev/null
@@ -1,3 +0,0 @@
-config = {
- 'fedora_openqa_schedule.consumer.enabled': True,
-}
diff --git a/roles/openqa/dispatcher/tasks/main.yml b/roles/openqa/dispatcher/tasks/main.yml
index ac569b5992..c0642c1921 100644
--- a/roles/openqa/dispatcher/tasks/main.yml
+++ b/roles/openqa/dispatcher/tasks/main.yml
@@ -106,7 +106,7 @@
- config
- name: Enable fedmsg consumer
- copy: src=openqa_consumer.py dest=/etc/fedmsg.d/openqa_consumer.py owner=root group=root mode=0644
+ template: src=openqa_consumer.py.j2 dest=/etc/fedmsg.d/openqa_consumer.py owner=root group=root mode=0644
notify:
- restart fedmsg-hub
tags:
diff --git a/roles/openqa/dispatcher/templates/openqa_consumer.py.j2 b/roles/openqa/dispatcher/templates/openqa_consumer.py.j2
new file mode 100644
index 0000000000..7e7d12c51d
--- /dev/null
+++ b/roles/openqa/dispatcher/templates/openqa_consumer.py.j2
@@ -0,0 +1,10 @@
+config = {
+ 'fedora_openqa_schedule.consumer.enabled': True,
+{% if wikitcms_user is defined and wikitcms_password is defined %}
+{% if deployment_type == 'stg' %}
+ 'fedora_openqa_schedule.wiki.consumer.stg.enabled': True,
+{% else %}
+ 'fedora_openqa_schedule.wiki.consumer.prod.enabled': True,
+{% endif %}
+{% endif %}
+}
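Review bot: The `{% else %}` branch enables the production wiki consumer for every `deployment_type` other than `'stg'`, so a host that has the wikitcms credentials defined and an unexpected or misspelled deployment type would report results to the production wiki. Making the branch explicit, `{% elif deployment_type == 'prod' %}`, leaves the wiki consumer off for anything unrecognised.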
diff --git a/roles/openqa/server/tasks/main.yml b/roles/openqa/server/tasks/main.yml
index 1725e26586..f2865b03e7 100644
--- a/roles/openqa/server/tasks/main.yml
+++ b/roles/openqa/server/tasks/main.yml
@@ -18,6 +18,9 @@
## default - ansible_nodename
# Optional vars
+# - openqa_static_uid
+## int - a static ID for the geekotest user and group if desired
+## this is useful for NFS mounting openQA data files
# - openqa_dbname
## string - The name of the database to use
# - openqa_dbhost
@@ -26,29 +29,30 @@
## string - The database username
# - openqa_dbpassword
## string - The database password
+# - openqa_assetsize
+## int - the asset size limit to set in GB (upstream default is 100GB)
+## higher is recommended for normal Fedora testing, 300GB is good
#
# If openqa_dbhost is set, the others must be too, and the server will be
# configured to use a pgsql database accordingly. If openqa_dbhost is not
# set, the server will use a local SQLite database and the other values
# are ignored.
-# As we want to store some geekotest-owned files in shared storage, we
-# need to ensure geekotest always has the same uid/gid if we re-deploy
-# the servers. So we create the account here with uid/gid 601.
+- name: Create geekotest group with static GID
+ group: "name=geekotest gid={{ openqa_static_uid }} system=yes"
+ when: "openqa_static_uid is defined"
-- name: Create geekotest group with static GID 601
- group: name=geekotest gid=601 system=yes
-
-- name: Create geekotest user with static UID 601
+- name: Create geekotest user with static UID
user:
name: geekotest
comment: "openQA user"
- uid: 601
+ uid: "{{ openqa_static_uid }}"
group: geekotest
home: "/var/lib/openqa"
createhome: no
system: yes
shell: /sbin/nologin
+ when: "openqa_static_uid is defined"
# note: we need updates-testing until fedfind 2.x and openQA 4.3-21 go stable
- name: Install required packages (testing)
@@ -224,3 +228,12 @@
register: testsdiff
changed_when: "testsdiff.rc > 0"
failed_when: "1 != 1"
+
+- name: Set asset size limit (if specified) (pgsql)
+ delegate_to: "{{ openqa_dbhost }}"
+ become_user: postgres
+ become: true
+ command: "psql -d {{ openqa_dbname }} -c \"UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize }} WHERE size_limit_gb != {{ openqa_assetsize }};\""
+ when: "openqa_dbhost is defined and openqa_assetsize is defined"
+ register: pgsqlsize
+ changed_when: "pgsqlsize.stdout.find('UPDATE 0') == -1"
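Review bot: `openqa_dbname` and `openqa_assetsize` are pasted unchecked into a statement that runs as the `postgres` user on the delegated database host. Both come from inventory, but a stray quote or a non-numeric value would change the command line or the SQL. Casting the number, `size_limit_gb = {{ openqa_assetsize|int }} WHERE size_limit_gb != {{ openqa_assetsize|int }}`, and passing the name as `-d {{ openqa_dbname|quote }}` removes that risk. If `size_limit_gb` can be NULL (the schema is not visible here), `!=` skips those rows and `IS DISTINCT FROM` would be needed instead.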
diff --git a/roles/planet/files/people_base_config b/roles/planet/files/people_base_config
index b629ad3a9d..52fbbd423d 100644
--- a/roles/planet/files/people_base_config
+++ b/roles/planet/files/people_base_config
@@ -39,11 +39,6 @@ fasname = admin
name = Fedora University Tour
fasname = admin
-[http://www.archive.org/services/collection-rss.php]
-name = Fedora Videos
-filters = regexp_sifter.py?require=[Ff]edora
-fasname = admin
-
[http://www.projetofedora.org/rss.xml]
name = Projeto Fedora Brasil
face = http://fedoraplanet.org/images/heads/map_brazil_fedora_small.png