Merge branch 'master' of /git/ansible

2016-03-21 18:40:47 +00:00 · 2016-03-21 18:40:47 +00:00 · 948c542da5
commit 948c542da5
parent 134036a9b0 a4cd5dc179
17 changed files with 61 additions and 99 deletions
--- a/files/httpd/newvirtualhost.conf.j2
+++ b/files/httpd/newvirtualhost.conf.j2
@ -1,75 +1,5 @@
 <VirtualHost *:443>
  # Change this to the domain which points to your host.
  ServerName {{ item.name }}
  # Use separate log files for the SSL virtual host; note that LogLevel
  # is not inherited from httpd.conf.
  ErrorLog logs/{{ item.name }}_error_log
  TransferLog logs/{{ item.name }}_access_log
  LogLevel warn
  #   SSL Engine Switch:
  #   Enable/Disable SSL for this virtual host.
  SSLEngine on
  #   SSL Protocol support:
  # List the enable protocol levels with which clients will be able to
  # connect.  Disable SSLv2 access by default:
  SSLProtocol all -SSLv2
  #   SSL Cipher Suite:
  # List the ciphers that the client is permitted to negotiate.
  # See the mod_ssl documentation for a complete list.
  #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
  #   Server Certificate:
  # Point SSLCertificateFile at a PEM encoded certificate.  If
  # the certificate is encrypted, then you will be prompted for a
  # pass phrase.  Note that a kill -HUP will prompt again.  A new
  # certificate can be generated using the genkey(1) command.
  SSLCertificateFile /etc/pki/tls/certs/{{ sslcertfile }}
  #   Server Private Key:
  #   If the key is not combined with the certificate, use this
  #   directive to point at the key file.  Keep in mind that if
  #   you've both a RSA and a DSA private key you can configure
  #   both in parallel (to also allow the use of DSA ciphers, etc.)
  SSLCertificateKeyFile /etc/pki/tls/private/{{ sslkeyfile }}
  #   Server Certificate Chain:
  #   Point SSLCertificateChainFile at a file containing the
  #   concatenation of PEM encoded CA certificates which form the
  #   certificate chain for the server certificate. Alternatively
  #   the referenced file can be the same as SSLCertificateFile
  #   when the CA certificates are directly appended to the server
  #   certificate for convinience.
  #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
  {% if sslintermediatecertfile != '' %}
  SSLCertificateChainFile /etc/pki/tls/certs/{{ sslintermediatecertfile }}
  {% endif %}
  #   Certificate Authority (CA):
  #   Set the CA certificate verification path where to find CA
  #   certificates for client authentication or alternatively one
  #   huge file containing all of them (file must be PEM encoded)
  #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
  DocumentRoot {{ item.document_root }}
  Options Indexes FollowSymLinks
 </VirtualHost>
 <VirtualHost *:80>
  # Change this to the domain which points to your host.
  ServerName {{ item.name }}
-  {% if sslonly %}
+  Options Indexes FollowSymLinks
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
  {% else %}
    Options Indexes FollowSymLinks
  {% endif %}
 </VirtualHost>
--- a/inventory/group_vars/composers
+++ b/inventory/group_vars/composers
@ -15,6 +15,8 @@ virt_install_command: "{{ virt_install_command_two_nic }}"
 nrpe_procs_warn: 900
 nrpe_procs_crit: 1000
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 host_group: releng
 # These are consumed by a task in roles/fedmsg/base/main.yml
--- a/inventory/group_vars/openqa
+++ b/inventory/group_vars/openqa
@ -3,6 +3,8 @@ virt_install_command: "{{ virt_install_command_one_nic }} --cpu=host-passthrough
 external_hostname: openqa.fedoraproject.org
 openqa_static_uid: 601
 openqa_hostname: localhost
 openqa_email: adamwill@fedoraproject.org
 openqa_nickname: adamwill
@ -13,6 +15,7 @@ openqa_dbname: openqa
 openqa_dbhost: db-qa01.qa.fedoraproject.org
 openqa_dbuser: openqa
 openqa_dbpassword: "{{ prod_openqa_dbpassword }}"
 openqa_assetsize: 300
 openqa_key: "{{ prod_openqa_apikey }}"
 openqa_secret: "{{ prod_openqa_apisecret }}"
--- a/inventory/group_vars/openqa-stg
+++ b/inventory/group_vars/openqa-stg
@ -14,6 +14,8 @@ virt_install_command: "{{ virt_install_command_one_nic }} --cpu=host-passthrough
 external_hostname: openqa.stg.fedoraproject.org
 openqa_static_uid: 601
 openqa_hostname: localhost
 openqa_email: adamwill@fedoraproject.org
 openqa_nickname: adamwill
@ -24,6 +26,7 @@ openqa_dbname: openqa-stg
 openqa_dbhost: db-qa01.qa.fedoraproject.org
 openqa_dbuser: openqastg
 openqa_dbpassword: "{{ stg_openqa_dbpassword }}"
 openqa_assetsize: 300
 openqa_workers: 3
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@ -18,7 +18,7 @@ git_group: packager
 git_port: 9418
 git_server: /usr/libexec/git-core/git-daemon
 git_server_args: --export-all --syslog --inetd --verbose
-git_basepath: /srv/git/repositories/rpms
+git_basepath: /srv/git/repositories
 git_daemon_user: nobody
 clamscan_mailto: admin@fedoraproject.org
--- a/playbooks/groups/composers.yml
+++ b/playbooks/groups/composers.yml
@ -37,6 +37,7 @@
    when: datacenter == 'staging'
  - releng
  - fedmsg/base
  - sudo
  tasks:
  - include: "{{ tasks }}/yumrepos.yml"
--- a/playbooks/groups/qa-stg.yml
+++ b/playbooks/groups/qa-stg.yml
@ -99,13 +99,13 @@
    - name: create dirs for static sites
      file: path={{ item.document_root }} state=directory owner=apache group=apache mode=1755
-      with_items: static_sites
+      with_items: "{{ static_sites }}"
      tags:
        - qastaticsites
    - name: generate virtualhosts for static sites
      template:  src={{ files }}/httpd/newvirtualhost.conf.j2 dest=/etc/httpd/conf.d/{{ item.name }}.conf owner=root group=root mode=0644
-      with_items: static_sites
+      with_items: "{{ static_sites }}"
      notify:
        - reload httpd
      tags:
--- a/roles/apps-fp-o/files/apps.yaml
+++ b/roles/apps-fp-o/files/apps.yaml
@ -328,10 +328,8 @@ children:
            source_url: https://github.com/fedora-infra/nuancier
            bugs_url:   https://github.com/fedora-infra/nuancier/issues
            docs_url:   http://nuancier.readthedocs.org/en/latest/
-            # TODO - write a SOP for nuancier
+            sops:
-            # https://fedorahosted.org/fedora-infrastructure/ticket/5155
+                - https://infrastructure.fedoraproject.org/infra/docs/nuancier.rst
            #sops:
            #    - url goes here
            description: >
                Nuancier is a simple voting application for the
                supplementary wallpapers included in Fedora.
--- a/roles/distgit/files/cgi-nfs.pp
+++ b/roles/distgit/files/cgi-nfs.pp
--- a/roles/distgit/files/cgi-nfs.te
+++ b/roles/distgit/files/cgi-nfs.te
@ -1,20 +1,20 @@
-policy_module(nfscgi, 1.0.0)
+policy_module(nfscgi, 1.0.1)
 require {
 	type httpd_git_script_t;
 	type git_script_t;
 	type git_system_t;
 	type httpd_git_content_t;
 	type git_user_content_t;
 	type nfs_t;
 	class dir { create write search add_name remove_name getattr open };
 	class file { create write rename setattr read open };
 }
 allow git_system_t httpd_git_content_t:dir { getattr read open };
 allow git_system_t httpd_git_content_t:file { read open getattr };
-
+allow git_system_t httpd_git_content_t:lnk_file { read open getattr };
-
+allow git_system_t git_user_content_t:lnk_file { read open getattr };
 allow httpd_git_script_t nfs_t:dir { write };
 allow git_system_t httpd_git_content_t:dir { search };
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@ -378,19 +378,24 @@
 # Three tasks for handling our selinux policy for upload.cgi
 - name: ensure a directory exists for our SELinux policy
  file: dest=/usr/local/share/selinux/ state=directory
  tags: selinux
 - name: copy over our custom selinux policy
  copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
  register: selinux_module
  tags: selinux
 - name: install our custom selinux policy
  command: semodule -i /usr/local/share/selinux/upload_cgi.pp
  when: selinux_module|changed
  tags: selinux
 - name: copy over our custom nfs selinux policy
  copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
  register: nfs_selinux_module
  tags: selinux
 - name: install our custom nfs selinux policy
  command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
  when: nfs_selinux_module|changed
  tags: selinux
--- a/roles/git/server/tasks/main.yml
+++ b/roles/git/server/tasks/main.yml
@ -3,11 +3,13 @@
 - name: install the git-daemon package
  yum: pkg=git-daemon state=present
  tags: git/server
 # If NOT using xinetd
 - name: delete stock git daemon config
  file: path="/usr/lib/systemd/system/git.service" state=absent
  when: ansible_distribution_major_version|int == 7
  tags: git/server
 - name: configure git daemon
  template: >
@ -15,11 +17,13 @@
    dest="/usr/lib/systemd/system/git@.service"
    mode=0644
  when: ansible_distribution_major_version|int == 7
  tags: git/server
 # If using xinetd
 - name: install xinetd
  yum: pkg=xinetd state=present
  when: ansible_distribution_major_version|int == 6
  tags: git/server
 - name: install the xinetd config file
  template: >
@ -27,5 +31,6 @@
    dest="/etc/xinetd.d/git"
    mode=0644
  when: ansible_distribution_major_version|int == 6
  tags: git/server
  notify:
  - restart xinetd
--- a/roles/openqa/dispatcher/files/openqa_consumer.py
+++ b/roles/openqa/dispatcher/files/openqa_consumer.py
@ -1,3 +0,0 @@
 config = {
    'fedora_openqa_schedule.consumer.enabled': True,
 }
--- a/roles/openqa/dispatcher/tasks/main.yml
+++ b/roles/openqa/dispatcher/tasks/main.yml
@ -106,7 +106,7 @@
  - config
 - name: Enable fedmsg consumer
-  copy: src=openqa_consumer.py dest=/etc/fedmsg.d/openqa_consumer.py owner=root group=root mode=0644
+  template: src=openqa_consumer.py.j2 dest=/etc/fedmsg.d/openqa_consumer.py owner=root group=root mode=0644
  notify:
  - restart fedmsg-hub
  tags:
--- a/roles/openqa/dispatcher/templates/openqa_consumer.py.j2
+++ b/roles/openqa/dispatcher/templates/openqa_consumer.py.j2
@ -0,0 +1,10 @@
 config = {
    'fedora_openqa_schedule.consumer.enabled': True,
 {% if wikitcms_user is defined and wikitcms_password is defined %}
 {% if deployment_type == 'stg' %}
    'fedora_openqa_schedule.wiki.consumer.stg.enabled': True,
 {% else %}
    'fedora_openqa_schedule.wiki.consumer.prod.enabled': True,
 {% endif %}
 {% endif %}
 }
--- a/roles/openqa/server/tasks/main.yml
+++ b/roles/openqa/server/tasks/main.yml
@ -18,6 +18,9 @@
 ##       default - ansible_nodename
 # Optional vars
 # - openqa_static_uid
 ##       int - a static ID for the geekotest user and group if desired
 ##             this is useful for NFS mounting openQA data files
 # - openqa_dbname
 ##       string - The name of the database to use
 # - openqa_dbhost
@ -26,29 +29,30 @@
 ##       string - The database username
 # - openqa_dbpassword
 ##       string - The database password
 # - openqa_assetsize
 ##       int - the asset size limit to set in GB (upstream default is 100GB)
 ##             higher is recommended for normal Fedora testing, 300GB is good
 #
 # If openqa_dbhost is set, the others must be too, and the server will be
 # configured to use a pgsql database accordingly. If openqa_dbhost is not
 # set, the server will use a local SQLite database and the other values
 # are ignored.
-# As we want to store some geekotest-owned files in shared storage, we
+- name: Create geekotest group with static GID
-# need to ensure geekotest always has the same uid/gid if we re-deploy
+  group: "name=geekotest gid={{ openqa_static_uid }} system=yes"
-# the servers. So we create the account here with uid/gid 601.
+  when: "openqa_static_uid is defined"
- name: Create geekotest group with static GID 601
+- name: Create geekotest user with static UID
  group: name=geekotest gid=601 system=yes
 - name: Create geekotest user with static UID 601
  user:
    name: geekotest
    comment: "openQA user"
-    uid: 601
+    uid: "{{ openqa_static_uid }}"
    group: geekotest
    home: "/var/lib/openqa"
    createhome: no
    system: yes
    shell: /sbin/nologin
  when: "openqa_static_uid is defined"
 # note: we need updates-testing until fedfind 2.x and openQA 4.3-21 go stable
 - name: Install required packages (testing)
@ -224,3 +228,12 @@
  register: testsdiff
  changed_when: "testsdiff.rc > 0"
  failed_when: "1 != 1"
 - name: Set asset size limit (if specified) (pgsql)
  delegate_to: "{{ openqa_dbhost }}"
  become_user: postgres
  become: true
  command: "psql -d {{ openqa_dbname }} -c \"UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize }} WHERE size_limit_gb != {{ openqa_assetsize }};\""
  when: "openqa_dbhost is defined and openqa_assetsize is defined"
  register: pgsqlsize
  changed_when: "pgsqlsize.stdout.find('UPDATE 0') == -1"
--- a/roles/planet/files/people_base_config
+++ b/roles/planet/files/people_base_config
@ -39,11 +39,6 @@ fasname = admin
 name = Fedora University Tour
 fasname = admin
 [http://www.archive.org/services/collection-rss.php]
 name = Fedora Videos
 filters = regexp_sifter.py?require=[Ff]edora
 fasname = admin
 [http://www.projetofedora.org/rss.xml]
 name = Projeto Fedora Brasil
 face = http://fedoraplanet.org/images/heads/map_brazil_fedora_small.png