Merge branch 'master' of /git/ansible

Nick Bebout 2014-08-28 22:58:58 +00:00
commit b264af1c3d
165 changed files with 8810 additions and 495 deletions


@ -2,12 +2,12 @@
# URL where are results visible
# default is http://copr
results_baseurl=http://copr-be.cloud.fedoraproject.org/results
results_baseurl=https://copr-be.cloud.fedoraproject.org/results
# ??? What is this
# default is http://coprs/rest/api
#frontend_url=http://copr-fe.cloud.fedoraproject.org/backend
frontend_url=http://172.16.5.31/backend
frontend_url=https://172.16.5.31/backend
# must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf
# default is PASSWORDHERE but you really should change it. really.
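Review bot: `frontend_url=https://172.16.5.31/backend` switches to TLS but still addresses the frontend by bare IP, so certificate name validation can only succeed if the frontend certificate lists that IP as a subject alternative name. Otherwise the client must either fail or run with verification disabled, and the comment that follows indicates the backend password is used against this endpoint. Using the frontend's hostname, as the commented-out line above does, would let verification stay on: `frontend_url=https://copr-fe.cloud.fedoraproject.org/backend`. Whether that name resolves from the backend's network is not visible here.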


@ -1,6 +1,6 @@
[sbt-fedorapeople]
name=SBT Fedorapeople Repo
baseurl=http://repos.fedorapeople.org/repos/codeblock/sbt/fedora-18/RPMS/
enabled=1
skip_if_unavailable=1
[codeblock-sbt-extras]
name=Copr repo for sbt-extras owned by codeblock
baseurl=http://copr-be.cloud.fedoraproject.org/results/codeblock/sbt-extras/fedora-$releasever-$basearch/
skip_if_unavailable=True
gpgcheck=0
enabled=1
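Review bot: The new `[codeblock-sbt-extras]` repo combines `gpgcheck=0` with an `http://` baseurl, so packages from it are installed with neither signature verification nor transport integrity. This commit moves the copr backend's `results_baseurl` to https, so the repo can presumably do the same: `baseurl=https://copr-be.cloud.fedoraproject.org/results/codeblock/sbt-extras/fedora-$releasever-$basearch/`. If the copr project publishes a signing key, `gpgcheck=1` with a `gpgkey=` line would be better still; if it does not, a comment saying why the check is off would help later audits.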


@ -0,0 +1,16 @@
#!/bin/sh
# Confine ssh commands
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
rsync\ --server\ --sender*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac
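Review bot: The `rsync\ --server\ --sender*)` arm accepts any trailing arguments and then runs `$SSH_ORIGINAL_COMMAND` unquoted, so the key is confined to rsync in sender mode but not to any directory, and the expansion is still subject to globbing. Pinning the expected path in the case pattern, or delegating to rsync's `rrsync` helper with a fixed directory, would make the restriction match the "Confine ssh commands" intent. The three reject arms also leave the exit status at 0; `echo "Rejected" >&2; exit 1` would let the caller and the logs see the refusal.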


@ -121,3 +121,6 @@
- name: restart memcached
service: name=memcached state=restarted
- name: reload systemd
command: systemctl daemon-reload


@ -1,4 +1,5 @@
---
host_group: releng
fas_client_groups: sysadmin-releng
freezes: false
#


@ -11,3 +11,5 @@ udp_ports: [ 69 ]
fas_client_groups: sysadmin-qa
nrpe_procs_warn: 250
nrpe_procs_crit: 300
freezes: false


@ -9,7 +9,7 @@ num_cpus: 2
tcp_ports: [ 3000 ]
# TODO, restrict this down to just sysadmin-releng
fas_client_groups: sysadmin-datanommer,sysadmin-releng
fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
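Review bot: The new `fas_client_groups` value adds `sysadmin-fedimg` directly under a TODO that asks for this list to be narrowed to `sysadmin-releng`, so the change moves away from the stated goal; the identical edit appears in the next file section. If the wider access is intended, the comment should say so, for example `# sysadmin-fedimg needs access for <reason>; TODO: drop sysadmin-datanommer`, otherwise the TODO will mislead whoever audits group access later. What access this variable grants is defined in the fas_client role, which is not visible here.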


@ -9,7 +9,7 @@ num_cpus: 2
tcp_ports: [ 3000 ]
# TODO, restrict this down to just sysadmin-releng
fas_client_groups: sysadmin-datanommer,sysadmin-releng
fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:


@ -1,5 +1,7 @@
postfix_group: jenkins-cloud
tcp_ports: [22, 80, 443]
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- service: shell


@ -1,5 +1,5 @@
---
freezes: true
freezes: false
resolvconf: "{{ files }}/resolv.conf/phx2"
fas_client_groups: sysadmin-kernel
sudoers: "{{ private }}/files/sudo/kernel-qa"

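--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -0,0 +1,47 @@
+---
+lvm_size: 100000
+mem_size: 4096
+num_cpus: 4
+tcp_ports: [80, 443, 9418,
+# These 16 ports are used by fedmsg. One for each wsgi thread.
+3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
+3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc
+fas_client_restricted_app: /usr/bin/gl-auth-command
+fas_client_admin_app: /usr/bin/gl-auth-command -s
+fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc"
+git_group: packager
+git_port: 9418
+git_server: /usr/libexec/git-core/git-daemon
+git_server_args: --export-all --syslog --inetd --verbose
+git_basepath: /srv/git/rpms
+clamscan_mailto: admin@fedoraproject.org
+clamscan_paths:
+- /srv/cache/lookaside/pkgs
+clamscan_excludes:
+- clamav-
+- amavisd-new-2.3.3.tar.gz
+- bro-20080804.tgz
+- mailman-
+- sagator-
+- nicotine
+- fwsnort-1.0.6.tar.gz
+- psad-2.1.7.tar.bz2
+- pymilter-
+- linkchecker-
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+owner: root
+group: sysadmin
+- service: scm
+owner: root
+group: packager
+- service: lookaside
+owner: root
+group: apache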
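Review bot: `git_server_args` passes `--export-all`, which makes git-daemon serve every repository under `git_basepath` on the unauthenticated port 9418 without requiring the per-repository `git-daemon-export-ok` marker. If everything under `/srv/git/rpms` is public by design that is fine, but the file should say so, for example `# --export-all: every repo under git_basepath is intentionally world-readable`, so that a private repo is never placed there by accident. The same value appears in the near-identical vars file in the next section. The `clamscan_excludes` list would also benefit from a one-line comment explaining why these tarballs are skipped.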


@ -0,0 +1,47 @@
---
lvm_size: 100000
mem_size: 4096
num_cpus: 4
tcp_ports: [80, 443, 9418,
# These 16 ports are used by fedmsg. One for each wsgi thread.
3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc
fas_client_restricted_app: /usr/share/gitolite3/gitolite-shell user
fas_client_admin_app: /usr/share/gitolite3/gitolite-shell admin
fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc"
git_group: packager
git_port: 9418
git_server: /usr/libexec/git-core/git-daemon
git_server_args: --export-all --syslog --inetd --verbose
git_basepath: /srv/git/rpms
clamscan_mailto: admin@fedoraproject.org
clamscan_paths:
- /srv/cache/lookaside/pkgs
clamscan_excludes:
- clamav-
- amavisd-new-2.3.3.tar.gz
- bro-20080804.tgz
- mailman-
- sagator-
- nicotine
- fwsnort-1.0.6.tar.gz
- psad-2.1.7.tar.bz2
- pymilter-
- linkchecker-
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- service: shell
owner: root
group: sysadmin
- service: scm
owner: root
group: packager
- service: lookaside
owner: root
group: apache


@ -18,3 +18,24 @@ virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ m
gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }}"
--network=bridge=br0 --autostart --noautoconsole
buildmaster_db_host: localhost
buildmaster_template: ci.master.cfg.j2
buildmaster_endpoint: buildmaster
buildslave_ssh_pubkey: ''
buildslave_port: 9989
buildmaster_dir: /home/buildmaster/master
buildslave_dir: /home/buildslave/slave
buildslave_poll_interval: 1800
master_dir: /home/buildmaster/master
master_user: buildmaster
external_hostname: qadevel.qa.fedoraproject.org
deployment_type: qadevel-prod
tcp_ports: [ 80, 443, "{{ buildslave_port }}" ]
# for now, we're just doing a local slave so we need the slave vars in here
slave_home: /home/buildslave/
slave_dir: /home/buildslave/slave
slave_user: buildslave
freezes: false


@ -18,3 +18,19 @@ virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ m
gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }}"
--network=bridge=br0 --autostart --noautoconsole
buildmaster_db_host: localhost
buildmaster_template: ci.master.cfg.j2
buildmaster_endpoint: taskmaster
buildslave_ssh_pubkey: ''
buildslave_port: 9989
buildmaster_dir: /home/buildmaster/master
buildslave_dir: /home/buildslave/slave
buildslave_poll_interval: 1800
master_dir: /home/buildmaster/master
master_user: buildmaster
external_hostname: qadevel-stg.qa.fedoraproject.org
deployment_type: qadevel-stg
tcp_ports: [ 80, 443, "{{ buildslave_port }}" ]
freezes: false


@ -26,3 +26,5 @@ resultsdb_fe_endpoint: '/resultsdb'
resultsdb_db_name: resultsdb_dev
allowed_hosts:
- 10.5.124
freezes: false


@ -27,3 +27,5 @@ resultsdb_fe_endpoint: '/resultsdb'
resultsdb_db_name: resultsdb_stg
allowed_hosts:
- 10.5.124
freezes: false


@ -1,10 +1,6 @@
---
fas_client_groups: retrace
freezes: false
#
# These are 32bit
#
libdir: /usr/lib
sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers"
tcp_ports: [ 80 ]


@ -34,3 +34,4 @@ fakefedorainfra_db_name: dev_fakefedorainfra
fakefedorainfra_endpoint: fakefedorainfra
fakefedorainfra_url: https://taskotron-dev.fedoraproject.org/fakefedorainfra
taskotron_docs_url: https://docs.qadevel.cloud.fedoraproject.org/libtaskotron/latest/
freezes: false


@ -21,3 +21,4 @@ buildslave_public_sshkey_file: dev-buildslave-sshkey/dev_buildslave.pub
taskotron_admin_email: taskotron-admin-members@fedoraproject.org
sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
buildmaster_pubkey: "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK4M03mLIZ0Wf9CzoJtUfOV8pcSxYLSsd4zxaFovDIHZGZH3ifg5Ocwut6L6lBalR3iepa/9EuFvgosi90WM3iI="
freezes: false


@ -30,3 +30,4 @@ fakefedorainfra_db_name: fakefedorainfra_stg
fakefedorainfra_endpoint: fakefedorainfra
fakefedorainfra_url: https://taskotron.stg.fedoraproject.org/fakefedorainfra
taskotron_docs_url: https://docs.qadevel.cloud.fedoraproject.org/libtaskotron/latest/
freezes: false


@ -21,3 +21,4 @@ buildslave_public_sshkey_file: stg-buildslave-sshkey/stg_buildslave.pub
taskotron_admin_email: taskotron-admin-members@fedoraproject.org
sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
buildmaster_pubkey: 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJJ4xAImruf8x0ghwxfq0DM6S00pSoEhpI1VZiG2DT14xD+eMubFQcUMpoQ3IBs3eaatlwVr2qjM4EEBfds/1Zs='
freezes: false


@ -8,3 +8,4 @@ hostbase: jenkins-el7b
public_ip: 209.132.184.137
root_auth_users: pingou
description: jenkins el7b worker/slave
freezes: false


@ -9,3 +9,4 @@ public_ip: 209.132.184.143
root_auth_users: duffy kevin
description: artboard cloud instance for the fedora art group
volumes: ['-d /dev/vdb vol-00000009']
freezes: false


@ -9,3 +9,4 @@ public_ip: 209.132.184.144
root_auth_users: bkabrda ryanlerch pingou msuchy sgallagh nb asamalik
description: copr frontend server
volumes: ['-d /dev/vdb vol-0000000f']
tcp_ports: [22, 80, 443]


@ -9,3 +9,4 @@ public_ip: 209.132.184.146
root_auth_users: lmacken
description: cloud instance for developing/testing logstash
volumes: ['-d /dev/vdb vol-0000000d']
freezes: false


@ -9,4 +9,4 @@ public_ip: 209.132.184.147
root_auth_users: pingou
description: fedocal dev server
volumes: ['-d /dev/vdb vol-00000010']
freezes: false


@ -13,4 +13,4 @@ public_ip: 209.132.184.148
# users/groups who should have root ssh access
root_auth_users: kushal @sysadmin-main sayanchowdhury
description: darkserver dev server
freezes: false


@ -9,3 +9,4 @@ public_ip: 209.132.184.153
root_auth_users: pingou puiterwijk
description: jenkins cloud master
volumes: ['-d /dev/vdb vol-00000011']
freezes: false


@ -9,3 +9,4 @@ public_ip: 209.132.184.157
root_auth_users: besser82
description: shogun-ca instance, see ticket 4032, besser82 contact
volumes: ['-d /dev/vdb vol-00000026']
freezes: false


@ -8,3 +8,4 @@ hostbase: jenkins-f19
public_ip: 209.132.184.158
root_auth_users: pingou
description: jenkins f19 worker/slave
freezes: false


@ -9,3 +9,4 @@ public_ip: 209.132.184.162
root_auth_users: toshio fchiulli
description: cloud instance for developing the next version of the elections app
volumes: ['-d /dev/vdb vol-0000000e']
freezes: false


@ -8,3 +8,4 @@ hostbase: jenkins-el6
public_ip: 209.132.184.165
root_auth_users: pingou
description: jenkins el6 worker/slave
freezes: false


@ -8,3 +8,4 @@ hostbase: jenkins-f18
public_ip: 209.132.184.166
root_auth_users: pingou
description: jenkins f18 worker/slave
freezes: false


@ -8,3 +8,4 @@ hostbase: jenkins-f20
public_ip: 209.132.184.209
root_auth_users: pingou
description: jenkins f20 worker/slave
freezes: false


@ -0,0 +1,3 @@
---
# This is a 32bit host
libdir: /usr/lib


@ -3,3 +3,12 @@ vmhost: bvirthost08.phx2.fedoraproject.org
eth0_ip: 10.5.125.66
eth1_ip: 10.5.127.53
volgroup: /dev/vg_bvirthost08
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- service: shell
owner: root
group: root
- service: bodhi
owner: root
group: masher


@ -0,0 +1,11 @@
---
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
datacenter: cloud
nm: 255.255.255.0
gw: 209.132.184.254
fas_client_groups: sysadmin-main
dns: 8.8.8.8
eth0_ip: 209.132.184.17
eth1_ip: 172.23.0.17
freezes: false


@ -8,4 +8,4 @@ hostbase: copr-fe-dev-
public_ip: 209.132.184.183
root_auth_users: bkabrda ryanlerch pingou msuchy tradej asamalik
description: copr frontend server - dev instance
tcp_ports: ['22', '80', '443']
tcp_ports: [22, 80, 443]


@ -20,4 +20,4 @@ mem_size: 16384
num_cpus: 16
host_backup_targets: ['/var/log']
fas_client_groups: fi-apprentice,sysadmin-logs
fas_client_groups: fi-apprentice,sysadmin-logs,sysadmin-noc


@ -1,2 +1,5 @@
---
host_backup_targets: ['/srv']
nm: 255.255.255.0
eth1_ip: 10.5.127.67


@ -0,0 +1,10 @@
---
eth0_ip: 10.5.126.83
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_virthost16
vmhost: virthost16.phx2.fedoraproject.org
datacenter: phx2


@ -8,3 +8,20 @@ volgroup: /dev/Guests00
eth0_ip: 10.5.124.181
vmhost: virthost-comm01.qa.fedoraproject.org
datacenter: phx2
fas_client_groups: sysadmin-qa,sysadmin-main
# default virt install command is for a single nic-device
# define in another group file for more nics (see buildvm)
virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }} -l {{ ks_repo }} -x
"ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}
gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }}"
--network=bridge=br0 --autostart --noautoconsole
public_hostname: qadevel-stg.qa.fedoraproject.org
buildmaster: 10.5.124.181
buildslaves:
- qadevel-stg


@ -8,3 +8,24 @@ volgroup: /dev/Guests00
eth0_ip: 10.5.124.180
vmhost: virthost-comm01.qa.fedoraproject.org
datacenter: phx2
fas_client_groups: sysadmin-qa,sysadmin-main
# default virt install command is for a single nic-device
# define in another group file for more nics (see buildvm)
virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }} -l {{ ks_repo }} -x
"ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}
gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }}"
--network=bridge=br0 --autostart --noautoconsole
public_hostname: qadevel.qa.fedoraproject.org
buildmaster: 10.5.124.180
buildslaves:
- qadevel
# needed for local buildslave
buildslave_name: 'qadevel'


@ -2,3 +2,12 @@ vmhost: bvirthost06.phx2.fedoraproject.org
eth0_ip: 10.5.125.69
eth1_ip: 10.5.127.54
volgroup: /dev/vg_bvirthost06
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- service: shell
owner: root
group: root
- service: bodhi
owner: root
group: masher


@ -25,8 +25,10 @@ arm03-qa01.cloud.fedoraproject.org
arm01-releng00.arm.fedoraproject.org
compose-x86-02.phx2.fedoraproject.org
[arm-retrace]
[retrace]
arm01-retrace01.arm.fedoraproject.org
retrace03.qa.fedoraproject.org
retrace04.qa.fedoraproject.org
[app-stg]
app01.stg.phx2.fedoraproject.org
@ -575,6 +577,25 @@ wiki01.stg.phx2.fedoraproject.org
wiki01.phx2.fedoraproject.org
wiki02.phx2.fedoraproject.org
[cloud-hardware]
fed-cloud01.cloud.fedoraproject.org
fed-cloud02.cloud.fedoraproject.org
fed-cloud03.cloud.fedoraproject.org
fed-cloud04.cloud.fedoraproject.org
fed-cloud05.cloud.fedoraproject.org
fed-cloud06.cloud.fedoraproject.org
fed-cloud07.cloud.fedoraproject.org
fed-cloud08.cloud.fedoraproject.org
fed-cloud09.cloud.fedoraproject.org
fed-cloud10.cloud.fedoraproject.org
fed-cloud11.cloud.fedoraproject.org
#fed-cloud12.cloud.fedoraproject.org
#fed-cloud13.cloud.fedoraproject.org
#fed-cloud14.cloud.fedoraproject.org
#fed-cloud15.cloud.fedoraproject.org
#fed-cloud16.cloud.fedoraproject.org
cloud-noc01.cloud.fedoraproject.org
[persistent-cloud]
#fedocal.dev.fedoraproject.org
209.132.184.147


@ -15,7 +15,6 @@
- include: /srv/web/infra/ansible/playbooks/groups/arm-packager.yml
- include: /srv/web/infra/ansible/playbooks/groups/arm-qa.yml
- include: /srv/web/infra/ansible/playbooks/groups/arm-releng.yml
- include: /srv/web/infra/ansible/playbooks/groups/arm-retrace.yml
- include: /srv/web/infra/ansible/playbooks/groups/ask.yml
- include: /srv/web/infra/ansible/playbooks/groups/atomic.yml
- include: /srv/web/infra/ansible/playbooks/groups/autosign.yml
@ -58,6 +57,7 @@
- include: /srv/web/infra/ansible/playbooks/groups/resultsdb-prod.yml
- include: /srv/web/infra/ansible/playbooks/groups/resultsdb-dev.yml
- include: /srv/web/infra/ansible/playbooks/groups/resultsdb-stg.yml
- include: /srv/web/infra/ansible/playbooks/groups/retrace.yml
- include: /srv/web/infra/ansible/playbooks/groups/smtp-mm.yml
- include: /srv/web/infra/ansible/playbooks/groups/summershum.yml
- include: /srv/web/infra/ansible/playbooks/groups/sundries.yml


@ -30,9 +30,9 @@
- base
- rkhunter
- { role: denyhosts, when: ansible_distribution_major_version != '7' }
- fas_client
- nagios_client
- hosts
- fas_client
- collectd/base
- fedmsg/base
- sudo


@ -39,13 +39,6 @@
- name: mount our persistent space
action: mount name=/var/lib/jenkins src='LABEL=jenkins' fstype=ext4 state=mounted
- name: poke firewall holes
action: command lokkit {{ item }}
with_items:
- --service=ssh
- --service=https
- --service=http
- name: install pkgs for jenkins
action: yum state=installed pkg={{ item }}
with_items:
@ -56,11 +49,14 @@
- httpd
- openssh-clients
- git
- nrpe
tags:
- packages
- name: add jenkins proxy config file for apache
action: copy src="{{ files }}/jenkins/master/jenkins-apache.conf" dest=/etc/httpd/conf.d/jenkins-apache.conf owner=root group=root mode=0644
action: copy src="{{ files }}/jenkins/master/jenkins-apache.conf"
dest=/etc/httpd/conf.d/jenkins-apache.conf
owner=root group=root mode=0644
notify:
- restart httpd
tags:
@ -70,12 +66,16 @@
action: service name=httpd state=running enabled=true
- name: add jenkins upstream repo
action: copy src="{{ files }}/jenkins/master/jenkins.repo" dest=/etc/yum.repos.d/jenkins.repo owner=root group=root
action: copy src="{{ files }}/jenkins/master/jenkins.repo"
dest=/etc/yum.repos.d/jenkins.repo
owner=root group=root
tags:
- config
- name: import jenkins upstream gpg key
action: copy src="{{ files }}/jenkins/master/jenkins-ci.org.key" dest=/etc/pki/rpm-gpg/RPM-GPG-KEY-jenkins-ci.org owner=root group=root
action: copy src="{{ files }}/jenkins/master/jenkins-ci.org.key"
dest=/etc/pki/rpm-gpg/RPM-GPG-KEY-jenkins-ci.org
owner=root group=root
tags:
- config
@ -106,71 +106,77 @@
sha256sum={{ item.sha }}
with_items:
- name: bazaar
version: 1.22
version: '1.22'
sha: d7ff0987c96e2a694257ecf897ceee376908c5f94abfd1d5efc32482e4d54141
- name: chucknorris
version: 0.5
version: '0.5'
sha: bd9df0507008255ad2ed046368d10a4d039a6cbcfefb53c71c1768cc0dcbf65b
- name: cobertura
version: 1.9.3
sha: 3db93d70486b80a904a74ce40b0ac6a7812d1f522f820d0e5d7b538401bc2946
version: '1.9.5'
sha: a76bc1524efc5ba05672638001c0e951edd2a853d222efcfb035e02169e4252a
- name: cvs
version: 2.11
sha: 7c917bc824019a81d54472c525e4d724dfb4ae10b59bf64e692a2fc59fcd33cc
version: '2.12'
sha: 6e6dfd35e8501bf5f84a9d43d210db61165ce51a606327fc81f2efc5208478ba
- name: external-monitor-job
version: 1.2
version: '1.2'
sha: 8dd2644271d0138839490342833e9ff7f82772038f673f5ac6220193c587747d
- name: git
version: 2.2.1
sha: 4ba2185688a8e1ffdce43916448ff3a25a8ef845feebb3c95f47a0bb65e11252
version: '2.2.5'
sha: 92c51f33fbcbe858d05b40083d3c628f03b6ba5218626ee22db9a367947b7670
- name: git-client
version: 1.8.0
sha: 091df903bf1ed2b0c531714199ff8bb9225deaa2096520753554a39f2557d9e8
version: '1.10.1'
sha: 19de6979a1360bc022bba9e061c4f946e51f252912234453d7f70af62d089e65
- name: instant-messaging
version: 1.28
sha: 0b84561fd72cb80d89c5c57548fe8b7270d448f66361dedd07e227fb1bd44f03
version: '1.29'
sha: b8fc1bff0c6f899f60d2d02b4ed321baf045fc0e5d4e0c3676d99197f94a8e5c
- name: ldap
version: 1.8
version: '1.8'
sha: 491905ec3675b6a5acf2098722c121732801fd6210e6ff54bc99d213b5b8ee58
- name: maven-plugin
version: 2.2
sha: b373d99ffbdec45375fcf00be329d7b5029ab195f5b48d2d7518c776ed4bf1b8
version: '2.6'
sha: 3a3a1e1d7e3416ea85ec09f953f5b8e37d943ca55b8e4224bbcfd702bed72fa5
- name: mercurial
version: '1.50'
sha: 934a6bd38e2109b97c915d80fdb6abc74a8ef4aff882b94ef0b1a274919ea407
- name: openid
version: 1.8
version: '1.8'
sha: fed09c7da7762323cf55c3b725493622a4a2460eab8622230497e35914ac9d7e
- name: python
version: 1.2
version: '1.2'
sha: e3358a945f21b84a8156237b0d621815a7822322e1180ae1e66d10798aaf1f56
- name: scm-api
version: 0.2
version: '0.2'
sha: cc856d8dc8b951cf9a195baa2bf7bbff0d12368534a6b973e43e2909141eff3f
- name: ssh-agent
version: 1.4.1
version: '1.4.1'
sha: ae8227bf219e96a4d76f36dc6d6e652ddd0209e8d9c4cf4483a07858d707ce6e
- name: subversion
version: 2.2
version: '2.2'
sha: 221ed61c8e4ef959bb316ea93d188e19c8f980edac0f1e45a6cd8d7e13808b51
- name: translation
version: 1.11
version: '1.11'
sha: 4d88b8d74ade119cef76827bd385693447fa68fa18fd1bfc8806aff9d931f00e
- name: violations
version: 0.7.11
version: '0.7.11'
sha: f8eacb53eb01f83f3702009a41cef89e520a72933671ac1ee9154d88bde2d67a
- name: xunit
version: 1.84
sha: d06679ec0f3e2540615109789219404d602c98beda7be555dda7732a463c096b
version: '1.90'
sha: 2beade6d7769db9d52ff147c7a491cd1e7c53b01c07b9eeb44daa27ee75b25ca
- name: multiple-scms
version: 0.3
version: '0.3'
sha: e79d7e855ffe0ad060d11ae1ce0b39f68e7fa031c6e831f60fe33e5ddb3392ac
- name: credentials
version: 1.9.4
sha: 2fedc41d977a166c1addd82cd0cc9b73cffd34b97f7c0756bad7dc198ccd98de
version: '1.16.1'
sha: ae7e8ab317c03355390135d5eec683db7dceb5d513717d9fab624238a5ffe2bf
- name: mailer
version: 1.8
sha: fb9c6d471c2fea97fc2ccb64bfac18f77c847e740bcc2d5a4de31c35e851728a
version: '1.11'
sha: 9217be3008f323ac0535d4fb34118ed2681d6170d2d7de2f38b99ba331c4a256
- name: matrix-auth
version: '1.2'
sha: a773c2fd6b2d70b2ff1c0466308290326d97f05b6fa72a217922997750aef39a
- name: javadoc
version: '1.2'
sha: 4bde54b288b24d5deaa7f809df78373d3b37d683d4693ab42278f019252c86b9
notify:
- restart jenkins
tags:
@ -182,7 +188,7 @@
sha256sum={{ item.sha }}
with_items:
- name: warnings
version: 4.39
version: '4.39'
sha: 7652b7ed8971de932f46323aa8e0ddee2bcf4f14839296481ae79590e09f7606
notify:
- restart jenkins
@ -196,6 +202,10 @@
tags:
- config
- name: Give the user jenkins the ownership of the /var/lib/jenkins
file: path=/var/lib/jenkins/
owner=jenkins group=jenkins recurse=yes
- name: add jenkins ssh priv key so it can connect to clients
action: copy src="{{ private }}/files/jenkins/ssh/jenkins_master" dest=/var/tmp/jenkins_master_id_rsa mode=600 owner=jenkins group=jenkins
tags:
@ -339,6 +349,12 @@
tags:
- packages
- name: install pkgs for jenkins for fedora systems > F19
action: yum state=installed pkg={{ item }}
when: is_fedora is defined and ansible_distribution_major_version > 20
with_items:
- sbt-extras
- name: install pkgs for jenkins for fedora systems
action: yum state=installed pkg={{ item }}
when: is_fedora is defined
@ -346,7 +362,6 @@
- python3
- python-nose-cover3
- python3-nose-cover3
- sbt
- glibc.i686
- glibc-devel.i686
- libstdc++.i686
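Review bot: In the new "install pkgs for jenkins for fedora systems > F19" task, `ansible_distribution_major_version > 20` compares a fact that other playbooks in this commit treat as a string (`ansible_distribution_major_version != '7'`) with an integer, and the bound does not match the task name. Depending on the Jinja2 and Python versions in use, a string-to-integer comparison is either always true or an error, so the condition probably does not select the intended releases. Casting and choosing the bound explicitly fixes both: `when: is_fedora is defined and ansible_distribution_major_version|int > 19` (or `> 20`, with the task name updated to match). The task list this hunk belongs to starts outside the visible lines.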


@ -38,12 +38,11 @@
- nagios_client
- hosts
- fas_client
- fedmsg/base
- keyserver
- sudo
- collectd/base
- { role: openvpn/client,
when: env != "staging" }
- keyserver
tasks:
- include: "{{ tasks }}/yumrepos.yml"

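--- a/playbooks/groups/pkgs.yml
+++ b/playbooks/groups/pkgs.yml
@@ -0,0 +1,72 @@
+- name: make pkgs
+hosts: pkgs-stg
+user: root
+gather_facts: False
+vars_files:
+- /srv/web/infra/ansible/vars/global.yml
+- "{{ private }}/vars.yml"
+- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+tasks:
+- include: "{{ tasks }}/virt_instance_create.yml"
+handlers:
+- include: "{{ handlers }}/restart_services.yml"
+- name: make the box be real
+hosts: pkgs-stg
+user: root
+gather_facts: True
+accelerate: "{{ accelerated }}"
+vars_files:
+- /srv/web/infra/ansible/vars/global.yml
+- "{{ private }}/vars.yml"
+- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+roles:
+- base
+- rkhunter
+- { role: denyhosts, when: ansible_distribution_major_version != '7' }
+- nagios_client
+- fas_client
+- collectd/base
+- sudo
+- git/hooks
+- git/make_checkout_seed
+- git/server
+- gitolite/base
+- gitolite/check_fedmsg_hooks
+- cgit/base
+- cgit/clean_lock_cron
+- cgit/make_pkgs_list
+- clamav
+- distgit
+tasks:
+- include: "{{ tasks }}/yumrepos.yml"
+- include: "{{ tasks }}/motd.yml"
+- include: "{{ tasks }}/apache.yml"
+- include: "{{ tasks }}/drbackupkey.yml"
+handlers:
+- include: "{{ handlers }}/restart_services.yml"
+- name: setup fedmsg on pkgs
+hosts: pkgs-stg
+user: root
+gather_facts: True
+accelerate: "{{ accelerated }}"
+vars_files:
+- /srv/web/infra/ansible/vars/global.yml
+- "{{ private }}/vars.yml"
+- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+roles:
+- fedmsg/base
+- fedmsg/hub
+handlers:
+- include: "{{ handlers }}/restart_services.yml"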
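Review bot: The second play's task list includes yumrepos, motd, apache and drbackupkey but not `{{ tasks }}/2fa_client.yml`, which the other new playbooks in this commit (qadevel, qadevel-stg, cloud-noc01) do include; the `hosts` role is also absent from its role list. If that is deliberate for a host whose users land in a gitolite shell, a comment saying so would help; otherwise add `- include: "{{ tasks }}/2fa_client.yml"`. Separately, all three plays target `hosts: pkgs-stg` although the file and play names say pkgs, so a header comment stating that only staging is managed here would prevent a wrong assumption about production coverage.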


@ -0,0 +1,70 @@
---
# create a new taskotron CI stg server
# NOTE: make sure there is room/space for this server on the vmhost
# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars
- name: make taskotron-ci staging
hosts: qadevel-stg
user: root
gather_facts: False
accelerate: "{{ accelerated }}"
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- include: "{{ tasks }}/virt_instance_create.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: make the box be real
hosts: qadevel-stg
user: root
gather_facts: True
accelerate: "{{ accelerated }}"
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- { role: base, tags:['base'] }
- { role: rkhunter, tags:['rkhunter'] }
- { role: nagios_client, tags:['nagios_client'] }
- hosts
- { role: fas_client, tags:['fas_client'] }
- { role: collectd/base, tags:['collectd_base'] }
- { role: yum-cron, tags:['yumcron'] }
- { role: sudo, tags:['sudo'] }
tasks:
# this is how you include other task lists
- include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/apache.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: configure taskotron-ci master
hosts: qadevel-stg
user: root
gather_facts: True
accelerate: "{{ accelerated }}"
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- { role: taskotron/buildmaster, tags: ['buildmaster'] }
- { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] }
handlers:
- include: "{{ handlers }}/restart_services.yml"


@ -0,0 +1,88 @@
---
# create a new qadevel server
# NOTE: make sure there is room/space for this server on the vmhost
# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars
- name: make taskotron-ci staging
hosts: qadevel
user: root
gather_facts: False
accelerate: "{{ accelerated }}"
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- include: "{{ tasks }}/virt_instance_create.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: make the box be real
hosts: qadevel
user: root
gather_facts: True
accelerate: "{{ accelerated }}"
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- { role: base, tags:['base'] }
- { role: rkhunter, tags:['rkhunter'] }
- { role: nagios_client, tags:['nagios_client'] }
- hosts
- { role: fas_client, tags:['fas_client'] }
- { role: collectd/base, tags:['collectd_base'] }
- { role: yum-cron, tags:['yumcron'] }
- { role: sudo, tags:['sudo'] }
tasks:
# this is how you include other task lists
- include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/apache.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: configure taskotron-ci master
hosts: qadevel
user: root
gather_facts: True
accelerate: "{{ accelerated }}"
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- { role: taskotron/buildmaster, tags: ['buildmaster'] }
- { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] }
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: configure taskotron-ci local slave
hosts: qadevel
user: root
gather_facts: True
accelerate: "{{ accelerated }}"
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- { role: taskotron/buildslave, tags: ['buildslave'] }
- { role: taskotron/buildslave-configure, tags: ['buildslaveconfig'] }
handlers:
- include: "{{ handlers }}/restart_services.yml"
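Review bot: The first play is named `make taskotron-ci staging` but targets `hosts: qadevel`, and the header comment says this file creates the qadevel server; the name looks copied from the staging playbook. Play names are what appear in run output and logs, so `- name: make qadevel` would keep an operator from mistaking a production run for a staging one. The header note that the vars come from `group_vars/mirrorlist` also appears to be inherited from another playbook and could be corrected in the same edit.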


@ -1,10 +1,8 @@
- name: Setup arm-retrace hosts
hosts: arm-retrace
- name: Setup retrace hosts
hosts: retrace
user: root
gather_facts: True
tags:
- arm-retrace
vars_files:
- /srv/web/infra/ansible/vars/global.yml
@ -16,12 +14,11 @@
- hosts
- fas_client
- rkhunter
- denyhosts
- { role: denyhosts, when: ansible_distribution_major_version != '7' }
- nagios_client
- sudo
tasks:
# this is how you include other task lists
- include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/common_scripts.yml"


@ -0,0 +1,34 @@
# This is a basic playbook
- name: make cloud noc hardware
hosts: cloud-noc01.cloud.fedoraproject.org
user: root
accelerate: "{{ accelerated }}"
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- { role: denyhosts, when: ansible_distribution_major_version != '7' }
- nagios_client
- hosts
- fas_client
- collectd/base
- sudo
- dhcp_server
- tftp_server
tasks:
- include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- include: "{{ handlers }}/semanage.yml"


@ -67,14 +67,6 @@
- name: copy pg_hba.conf
action: copy src="{{ files }}/copr/fe/pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
# open up ports (22, 80, 443)
- name: poke holes in the firewall
action: command lokkit {{ item }}
with_items:
- --service=ssh
- --service=https
- --service=http
- name: copy httpd ssl certificates (crt)
action: copy src="{{ puppet_private }}/httpd/copr-fe.fedoraproject.org.crt" dest="/etc/pki/tls/certs/" owner=root group=root mode=0600
tags:


@ -73,14 +73,6 @@
- name: copy pg_hba.conf
action: copy src="{{ files }}/copr/fe/pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
# open up ports (22, 80, 443)
- name: poke holes in the firewall
action: command lokkit {{ item }}
with_items:
- --service=ssh
- --service=https
- --service=http
- name: copy httpd ssl certificates (crt)
action: copy src="{{ puppet_private }}/httpd/copr-fe.fedoraproject.org.crt" dest="/etc/pki/tls/certs/" owner=root group=root mode=0600
tags:


@ -1,15 +1,24 @@
# Run `fasClient` on all hosts, 3 hosts at a time
# Run `fasClient` on all hosts, N hosts at a time
#
# We exclude builders, persistent-cloud and jenkins-cloud as they don't have fasclient
#
- name: run fasClient
hosts: all
- name: run fasClient -i
hosts: all:!builders:!persistent-cloud:!jenkins-cloud:!bkernel:!*composer*
user: root
serial: 15
serial: 25
gather_facts: False
tasks:
- name: actually run fasClient -i
command: fasClient -i
- name: run fasClient -a
hosts: bastion01.phx2.fedoraproject.org:bastion02.phx2.fedoraproject.org
user: root
gather_facts: False
tasks:
- name: actually run fasClient -a
command: fasClient -a
when: inventory_hostname_short.startswith('bastion0')
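Review bot: The header comment names three excluded groups (builders, persistent-cloud, jenkins-cloud) but the new `hosts:` pattern also excludes `bkernel` and `*composer*`, so the comment no longer describes which machines are skipped for account syncing. Listing all five in the comment, with the reason for the two new ones, keeps the exclusion list auditable. In the second play, `when: inventory_hostname_short.startswith('bastion0')` repeats what the explicit `hosts:` line already guarantees and can be dropped, or replaced with a comment explaining why `fasClient -a` is limited to the bastions.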


@ -0,0 +1,16 @@
# Run `pkgdb2branch` on
#
#To update from testing, adjust as follow:
# --extra-vars="package='pkg1;pkg2;pkg3'"
- name: run pkgdb_sync_git_branches.py
hosts: pkgs01.phx2.fedoraproject.org
user: root
serial: 25
gather_facts: False
tasks:
- name: call pkgdb_sync_git_branches.py
command: /usr/local/bin/pkgdb_sync_git_branches.py
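Review bot: The header comment does not describe this play: it opens with an unfinished sentence about `pkgdb2branch` and documents a `--extra-vars="package=..."` option, but the task runs `/usr/local/bin/pkgdb_sync_git_branches.py` with no arguments and never references `package`. A header such as `# Run pkgdb_sync_git_branches.py on pkgs01 to sync git branches from pkgdb` would match what is executed. `serial: 25` also has no effect with a single named host and can be removed.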


@ -83,7 +83,7 @@
local_action: wait_for host={{ target }} port=22 delay=120 timeout=900 search_regex=OpenSSH
- name: wait for libvirtd to come back on the virthost
wait_for: path=/var/run/libvirtd.pid state=present
wait_for: path=/var/run/libvirtd.pid state=present delay=10
- name: look up vmlist
virt: command=list_vms


@ -197,11 +197,11 @@ def make_fas_cache(username, password):
def get_persons():
for person in get_g_plus_persons('Fedora FLOCK'):
yield person
for person in get_g_plus_persons('flock2fedora'):
for person in get_g_plus_persons('flocktofedora'):
yield person
for person in get_flickr_persons('fedora,flock'):
yield person
for person in get_flickr_persons('flock2fedora'):
for person in get_flickr_persons('flocktofedora'):
yield person


@ -0,0 +1,76 @@
#!/usr/bin/env python
"""
This is a CLI script for granting authorization on a single badge to somebody.
"""
import __main__
__main__.__requires__ = __requires__ = ["tahrir-api", "sqlalchemy>=0.7"];
import pkg_resources
pkg_resources.require(__requires__)
import argparse
import transaction
import sys
from tahrir_api.dbapi import TahrirDatabase
import fedmsg
import fedmsg.config
import fedbadges.utils
def parse_args():
parser = argparse.ArgumentParser(__doc__)
parser.add_argument('--user', default=None, help="A FAS username")
parser.add_argument('--badge', default=None, help="A badge id")
args = parser.parse_args()
if not args.user:
print "You must specify a FAS username."
sys.exit(1)
if not args.badge:
print "You must specify a badge id."
sys.exit(1)
return args
def initialize():
fm_config = fedmsg.config.load_config()
fm_config['cert_prefix'] = 'fedbadges'
fm_config['name'] = 'relay_inbound'
fm_config['active'] = True
fedmsg.init(**fm_config)
uri = fm_config['badges_global']['database_uri']
tahrir = TahrirDatabase(
uri,
notification_callback=fedbadges.utils.notification_callback,
)
return tahrir
def main(tahrir, nickname, badge_id):
person = tahrir.get_person(nickname=nickname)
badge = tahrir.get_badge(badge_id)
if not person:
print "No such person %r" % nickname
sys.exit(1)
if not badge:
print "No such badge %r" % badge_id
sys.exit(1)
print "granting", person.nickname, "rights to %r." % badge_id
try:
transaction.begin()
tahrir.add_authorization(badge_id, person.email)
transaction.commit()
except Exception as e:
transaction.abort()
print "Failure:", e
if __name__ == '__main__':
args = parse_args()
tahrir = initialize()
main(tahrir, args.user, args.badge)
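Review bot: In `main`, the `except Exception` branch aborts the transaction and prints `Failure:` but then falls off the end, so the script exits 0 even when the authorization was not written; anything that batches this script cannot tell a failed grant from a successful one. Adding `sys.exit(1)` after `print "Failure:", e` fixes that, and the same applies to the `except` branch of the revoke script added in this commit. Because this script changes who may award a badge, I would also send the error messages to stderr so they stay visible when stdout is redirected.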


@ -0,0 +1,94 @@
#!/usr/bin/env python
""" This is a CLI script for revoking a single badge from a single person.
The intent is to use it to batch revoke a badge from a list of people.
"""
import __main__
__main__.__requires__ = __requires__ = ["tahrir-api", "sqlalchemy>=0.7"];
import pkg_resources
pkg_resources.require(__requires__)
import argparse
import transaction
import sys
from tahrir_api.dbapi import TahrirDatabase
import fedmsg
import fedmsg.config
import fedbadges.utils
def parse_args():
parser = argparse.ArgumentParser(__doc__)
parser.add_argument('--user', default=None, help="A FAS username")
parser.add_argument('--badge', default=None, help="A badge id")
args = parser.parse_args()
if not args.user:
print "You must specify a FAS username."
sys.exit(1)
if not args.badge:
print "You must specify a badge id."
sys.exit(1)
return args
def initialize():
fm_config = fedmsg.config.load_config()
fm_config['cert_prefix'] = 'fedbadges'
fm_config['name'] = 'relay_inbound'
fm_config['active'] = True
fedmsg.init(**fm_config)
uri = fm_config['badges_global']['database_uri']
tahrir = TahrirDatabase(
uri,
notification_callback=fedbadges.utils.notification_callback,
)
return tahrir
def main(tahrir, nickname, badge_id):
person = tahrir.get_person(nickname=nickname)
badge = tahrir.get_badge(badge_id)
if not person:
print "No such person %r" % nickname
sys.exit(1)
if not badge:
print "No such badge %r" % badge_id
sys.exit(1)
already_has_it = [assertion.person for assertion in badge.assertions]
if person not in already_has_it:
print "%r does not actually have the %r badge..." % (nickname, badge_id)
return
print "removing", person.nickname, "from the %r badge." % badge_id
try:
transaction.begin()
to_delete = None
for assertion in person.assertions:
if assertion.badge == badge:
to_delete = assertion
break
if to_delete:
#person.assertions.remove(to_delete)
tahrir.session.delete(to_delete)
tahrir.session.commit()
else:
raise ValueError("no such assertion found. weird.")
transaction.commit()
except Exception as e:
transaction.abort()
print "Failure:", e
if __name__ == '__main__':
args = parse_args()
tahrir = initialize()
main(tahrir, args.user, args.badge)
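Review bot: Inside the `try` in `main`, the delete is committed with `tahrir.session.commit()` and `transaction.commit()` is then called as well, so two commit mechanisms are used for one change and the `transaction.abort()` in the `except` branch cannot undo a delete the session has already committed. The grant script in this commit relies on `transaction` alone; I would use a single mechanism here too, whichever one the `TahrirDatabase` session is actually bound to, which is not visible from this file. The commented-out `#person.assertions.remove(to_delete)` should be removed or given a comment saying why it was abandoned.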


@ -148,6 +148,8 @@
mode=750
with_items:
- award-badge
- revoke-badge
- grant-authorization
- get-badges-person-id
tags:
- scripts


@ -0,0 +1,121 @@
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
PermitRootLogin without-password
StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
AllowTcpForwarding no
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
PermitTunnel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
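Review bot: `X11Forwarding yes` stands out in a config that otherwise turns forwarding off (`AllowTcpForwarding no`, `PermitTunnel no`); unless something on these hosts needs X clients, `X11Forwarding no` would be consistent with the rest of the file. `PermitRootLogin without-password` still allows direct root logins by key, presumably for ansible since the playbooks in this commit use `user: root`; a comment such as `# root by key only, needed for ansible` above that line would record the intent.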


@ -30,6 +30,15 @@
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
# ban staging from non-staging hosts
{% if env != 'staging' %}
{% for host in groups['staging'] %}
{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
{% else %}# {{ host }} has no 'eth0_ip' listed
{% endif %}
{% endfor %}
{% endif %}
# if the host/group defines incoming tcp_ports - allow them
{% if tcp_ports is defined %}
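Review bot: The staging ban fails open for any staging host that has no `eth0_ip` in its hostvars: the `{% else %}` branch only emits a comment, so that host is never rejected and nothing signals the gap. Dropping the `{% if 'eth0_ip' in hostvars[host] %}` guard would make a missing address stop the template from rendering, provided undefined variables are treated as errors in this setup; otherwise an explicit check in the play is needed. The REJECT rules are also appended after the `--dport 5666` ACCEPT lines shown at the top of the hunk, so a staging address matched by an earlier ACCEPT would still get through; moving the block ahead of the first ACCEPT avoids that, if the part of the file above the hunk allows it. The `{% if tcp_ports is defined %}` block continues outside the hunk.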


@ -7,6 +7,8 @@
# loopback allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i virbr0 -j ACCEPT
-A OUTPUT -o virbr0 -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
@ -29,6 +31,10 @@
-A OUTPUT -p tcp -m tcp -d 10.5.124.138 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.124.138 --dport 443 -j ACCEPT
# compose-x86-02.fp.o
-A OUTPUT -p tcp -m tcp -d 10.5.125.42 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.125.42 --dport 443 -j ACCEPT
# DNS
-A OUTPUT -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
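Review bot: The two `virbr0` rules in the first hunk, `-A INPUT -i virbr0 -j ACCEPT` and `-A OUTPUT -o virbr0 -j ACCEPT`, accept every protocol and port on the libvirt bridge, while the rest of this rule set allows OUTPUT only to named addresses and ports. If the guests behind `virbr0` need only a few services from the host, listing those with `-p` and `--dport` would keep the bridge as tight as the other interfaces. At minimum a comment such as `# libvirt bridge: guests are trusted like loopback` should record that the blanket accept is deliberate.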


@ -20,7 +20,8 @@ bugzilla.password = {{ bugzilla_password }}
# Stomp broker configuration.
{% if env == 'staging' %}
stomp_uri = fuse-fabric-01-stg.jboss.org:61617,fuse-fabric-02-stg.jboss.org:61617,fuse-fabric-03-stg.jboss.org:61617
#stomp_uri = fuse-fabric-01-stg.jboss.org:61617,fuse-fabric-02-stg.jboss.org:61617,fuse-fabric-03-stg.jboss.org:61617
stomp_uri = 10.34.40.176:61617,10.34.40.177:61617,10.34.40.178:61617
stomp_ssl_crt = /etc/pki/fedmsg/fedora.devel.engineering.redhat.com.crt
stomp_ssl_key = /etc/pki/fedmsg/fedora.devel.engineering.redhat.com.key
{% else %}
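Review bot: The staging `stomp_uri` now points at bare addresses (`10.34.40.176:61617` and two more) while the connection still uses `stomp_ssl_crt` and `stomp_ssl_key`, so if the client checks the broker certificate against the name it connected to, an IP address will not match a certificate issued for the `fuse-fabric-0N-stg.jboss.org` names, and if it does not check, nothing ties these addresses to the intended brokers. This looks like a DNS workaround; I would say so next to the commented-out line, e.g. `# temporary: broker names do not resolve from staging, return to hostnames when fixed`, with the wording confirmed by whoever made the change. The `{% else %}` branch continues outside the hunk.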


@ -0,0 +1,664 @@
body, table, form {
padding: 0em;
margin: 0em;
}
a {
color: blue;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
table {
background: none;
border-collapse: collapse;
}
table#header {
width: 100%;
margin-bottom: 1em;
}
table#header td.logo {
width: 96px;
}
table#header td.main {
font-size: 250%;
margin-top: 10px;
white-space: nowrap;
padding-left: 50px;
}
table#header td.main a {
color: #000;
}
table#header td.form {
text-align: right;
vertical-align: bottom;
padding-right: 1em;
padding-bottom: 2px;
white-space: nowrap;
}
table#header td.form form,
table#header td.form input,
table#header td.form select {
font-size: 90%;
}
table#header td.sub {
color: #777;
border-top: solid 1px #ccc;
padding-left: 60px;
}
table.tabs {
/* border-bottom: solid 2px #ccc; */
border-collapse: collapse;
margin-top: 2em;
margin-bottom: 0px;
width: 100%;
}
table.tabs td {
padding: 0px 1em;
vertical-align: bottom;
}
table.tabs td a {
padding: 2px 0.75em;
color: #777;
font-size: 110%;
}
table.tabs td a.active {
color: #000;
background-color: #ccc;
}
table.tabs td.form {
text-align: right;
}
table.tabs td.form form {
padding-bottom: 2px;
font-size: 90%;
white-space: nowrap;
}
table.tabs td.form input,
table.tabs td.form select {
font-size: 90%;
}
div.path {
margin: 0px;
padding: 5px 2em 2px 2em;
color: #000;
background-color: #eee;
}
div.content {
margin: 0px;
padding-top: 2em;
border-top: solid 3px #ccc;
}
table.list {
width: 100%;
border: none;
border-collapse: collapse;
}
table.list tr {
background: none;
}
table.list tr.logheader {
background: #eee;
}
table.list tr:hover {
background: #eee;
}
table.list tr.nohover:hover {
background: white;
}
table.list th {
font-weight: bold;
/* color: #888;
border-top: dashed 1px #888;
border-bottom: dashed 1px #888;
*/
padding: 0.1em 0.5em 0.05em 0.5em;
vertical-align: baseline;
}
table.list td {
border: none;
padding: 0.1em 0.5em 0.1em 0.5em;
}
table.list td.commitgraph {
font-family: monospace;
white-space: pre;
}
table.list td.commitgraph .column1 {
color: #a00;
}
table.list td.commitgraph .column2 {
color: #0a0;
}
table.list td.commitgraph .column3 {
color: #aa0;
}
table.list td.commitgraph .column4 {
color: #00a;
}
table.list td.commitgraph .column5 {
color: #a0a;
}
table.list td.commitgraph .column6 {
color: #0aa;
}
table.list td.logsubject {
font-family: monospace;
font-weight: bold;
}
table.list td.logmsg {
font-family: monospace;
white-space: pre;
padding: 0 0.5em;
}
table.list td a {
color: black;
}
table.list td a.ls-dir {
font-weight: bold;
color: #00f;
}
table.list td a:hover {
color: #00f;
}
img {
border: none;
}
input#switch-btn {
margin: 2px 0px 0px 0px;
}
td#sidebar input.txt {
width: 100%;
margin: 2px 0px 0px 0px;
}
table#grid {
margin: 0px;
}
td#content {
vertical-align: top;
padding: 1em 2em 1em 1em;
border: none;
}
div#summary {
vertical-align: top;
margin-bottom: 1em;
}
table#downloads {
float: right;
border-collapse: collapse;
border: solid 1px #777;
margin-left: 0.5em;
margin-bottom: 0.5em;
}
table#downloads th {
background-color: #ccc;
}
div#blob {
border: solid 1px black;
}
div.error {
color: red;
font-weight: bold;
margin: 1em 2em;
}
a.ls-blob, a.ls-dir, a.ls-mod {
font-family: monospace;
}
td.ls-size {
text-align: right;
font-family: monospace;
width: 10em;
}
td.ls-mode {
font-family: monospace;
width: 10em;
}
table.blob {
margin-top: 0.5em;
border-top: solid 1px black;
}
table.blob td.lines {
margin: 0; padding: 0 0 0 0.5em;
vertical-align: top;
color: black;
}
table.blob td.linenumbers {
margin: 0; padding: 0 0.5em 0 0.5em;
vertical-align: top;
text-align: right;
border-right: 1px solid gray;
background-color: #eee;
}
table.blob pre {
padding: 0; margin: 0;
}
table.blob a.no, table.ssdiff a.no {
color: gray;
text-align: right;
text-decoration: none;
}
table.blob a.no a:hover {
color: black;
}
table.bin-blob {
margin-top: 0.5em;
border: solid 1px black;
}
table.bin-blob th {
font-family: monospace;
white-space: pre;
border: solid 1px #777;
padding: 0.5em 1em;
}
table.bin-blob td {
font-family: monospace;
white-space: pre;
border-left: solid 1px #777;
padding: 0em 1em;
}
table.nowrap td {
white-space: nowrap;
}
table.commit-info {
border-collapse: collapse;
margin-top: 1.5em;
}
table.commit-info th {
text-align: left;
font-weight: normal;
padding: 0.1em 1em 0.1em 0.1em;
vertical-align: top;
}
table.commit-info td {
font-weight: normal;
padding: 0.1em 1em 0.1em 0.1em;
}
div.commit-subject {
font-weight: bold;
font-size: 125%;
margin: 1.5em 0em 0.5em 0em;
padding: 0em;
}
div.commit-msg {
white-space: pre;
font-family: monospace;
}
div.notes-header {
font-weight: bold;
padding-top: 1.5em;
}
div.notes {
white-space: pre;
font-family: monospace;
border: solid 1px #ee9;
background-color: #ffd;
padding: 0.3em 2em 0.3em 1em;
float: left;
}
div.notes-footer {
clear: left;
}
div.diffstat-header {
font-weight: bold;
padding-top: 1.5em;
}
table.diffstat {
border-collapse: collapse;
border: solid 1px #aaa;
background-color: #eee;
}
table.diffstat th {
font-weight: normal;
text-align: left;
text-decoration: underline;
padding: 0.1em 1em 0.1em 0.1em;
font-size: 100%;
}
table.diffstat td {
padding: 0.2em 0.2em 0.1em 0.1em;
font-size: 100%;
border: none;
}
table.diffstat td.mode {
white-space: nowrap;
}
table.diffstat td span.modechange {
padding-left: 1em;
color: red;
}
table.diffstat td.add a {
color: green;
}
table.diffstat td.del a {
color: red;
}
table.diffstat td.upd a {
color: blue;
}
table.diffstat td.graph {
width: 500px;
vertical-align: middle;
}
table.diffstat td.graph table {
border: none;
}
table.diffstat td.graph td {
padding: 0px;
border: 0px;
height: 7pt;
}
table.diffstat td.graph td.add {
background-color: #5c5;
}
table.diffstat td.graph td.rem {
background-color: #c55;
}
div.diffstat-summary {
color: #888;
padding-top: 0.5em;
}
table.diff {
width: 100%;
}
table.diff td {
font-family: monospace;
white-space: pre;
font-size: 12px;
}
table.diff td div.head {
font-weight: bold;
margin-top: 1em;
color: black;
}
table.diff td div.hunk {
color: #009;
}
table.diff td div.add {
color: green;
}
table.diff td div.del {
color: red;
}
.sha1 {
font-family: monospace;
font-size: 90%;
}
.left {
text-align: left;
}
.right {
text-align: right;
}
table.list td.reposection {
font-style: italic;
color: #888;
}
a.button {
font-size: 80%;
padding: 0em 0.5em;
}
a.primary {
font-size: 100%;
}
a.secondary {
font-size: 90%;
}
td.toplevel-repo {
}
table.list td.sublevel-repo {
padding-left: 1.5em;
}
div.pager {
text-align: center;
margin: 1em 0em 0em 0em;
}
div.pager a {
color: #777;
margin: 0em 0.5em;
}
span.age-mins {
font-weight: bold;
color: #080;
}
span.age-hours {
color: #080;
}
span.age-days {
color: #040;
}
span.age-weeks {
color: #444;
}
span.age-months {
color: #888;
}
span.age-years {
color: #bbb;
}
div.footer {
margin-top: 0.5em;
text-align: center;
font-size: 80%;
color: #ccc;
}
a.branch-deco {
margin: 0px 0.5em;
padding: 0px 0.25em;
background-color: #88ff88;
border: solid 1px #007700;
}
a.tag-deco {
margin: 0px 0.5em;
padding: 0px 0.25em;
background-color: #ffff88;
border: solid 1px #777700;
}
a.remote-deco {
margin: 0px 0.5em;
padding: 0px 0.25em;
background-color: #ccccff;
border: solid 1px #000077;
}
a.deco {
margin: 0px 0.5em;
padding: 0px 0.25em;
background-color: #ff8888;
border: solid 1px #770000;
}
div.commit-subject a {
margin-left: 1em;
font-size: 75%;
}
table.stats {
border: solid 1px black;
border-collapse: collapse;
}
table.stats th {
text-align: left;
padding: 1px 0.5em;
background-color: #eee;
border: solid 1px black;
}
table.stats td {
text-align: right;
padding: 1px 0.5em;
border: solid 1px black;
}
table.stats td.total {
font-weight: bold;
text-align: left;
}
table.stats td.sum {
color: #c00;
font-weight: bold;
/* background-color: #eee; */
}
table.stats td.left {
text-align: left;
}
table.vgraph {
border-collapse: separate;
border: solid 1px black;
height: 200px;
}
table.vgraph th {
background-color: #eee;
font-weight: bold;
border: solid 1px white;
padding: 1px 0.5em;
}
table.vgraph td {
vertical-align: bottom;
padding: 0px 10px;
}
table.vgraph div.bar {
background-color: #eee;
}
table.hgraph {
border: solid 1px black;
width: 800px;
}
table.hgraph th {
background-color: #eee;
font-weight: bold;
border: solid 1px black;
padding: 1px 0.5em;
}
table.hgraph td {
vertical-align: center;
padding: 2px 2px;
}
table.hgraph div.bar {
background-color: #eee;
height: 1em;
}
table.ssdiff {
width: 100%;
}
tbody {
width: 100%;
}


@ -0,0 +1,253 @@
/* First include the Fedora style sheets. */
@import "fedora-layout.css";
@import "fedora-style.css";
/* Then include the cgit style sheet */
@import "cgit-fedora.css";
div#cgit span.libravatar img.onhover {
display: none;
border: 1px solid gray;
padding: 0px;
-webkit-border-radius: 4px;
-moz-border-radius: 4px;
border-radius: 4px;
width: 128px;
height: 128px;
}
div#cgit span.libravatar img.inline {
-webkit-border-radius: 3px;
-moz-border-radius: 3px;
border-radius: 3px;
width: 13px;
height: 13px;
margin-right: 0.2em;
opacity: 0.4;
}
div#cgit span.libravatar:hover > img.onhover {
display: block;
position: absolute;
margin-left: 1.5em;
background-color: #eeeeee;
box-shadow: 5px 5px 3px #bbb;
}
table#header td.logo {
height: 72px;
width: 274px;
}
/* Removing padding around body */
body {
padding: 0px;
background: url(/cgit-data/images/html-bg.png) repeat-x scroll 0 10px #FFFFFF;
height: 100%;
margin-bottom: 0px;
color: #2E3436;
font-family: Cantarell,'Droid Sans','DejaVu Sans',Arial,sans-serif;
font-size: 13px;
line-height: 1.5;
width: 100%;
}
#page {
width: 100%;
}
/* Make link colors more gnome-ish */
a, a:visited, a:hover, table.list td a:hover {
color: #3465A4;
}
/* global domain bar */
#global_domain_bar .maxwidth {
position: relative;
}
.maxwidth {
margin: 0 auto;
width: 98%;
}
#global_domain_bar .tab {
background: none repeat scroll 0 0 #FFFFFF;
border-radius: 5px 5px 5px 5px;
box-shadow: 0 4px 2px -2px #8FB3D9;
float: right;
font-size: 9px;
line-height: 16px;
padding: 4px;
margin-top: -17px;
right: 0;
white-space: nowrap;
}
#global_domain_bar .tab a.root:last-child {
border-right: 0 none;
margin-right: 0;
padding-right: 0;
}
#global_domain_bar .tab a.root {
background: url(cgit-data/images/favicon.png) no-repeat scroll 0 0 #FFFFFF;
border-right: 1px solid #CCCCCC;
color: #555753;
font-weight: bold;
margin-right: 3px;
padding-left: 18px;
padding-right: 6px;
text-decoration: none;
}
/* Kill some space in the cgit header, and mark it clear */
table#header {
margin-top: 3em;
margin-bottom: 2em;
clear: both;
}
/* Drop the font size for the heading down */
table#header td.main {
font-size: 250%;
}
/* When we killed the body padding, this cell is at the screen edge, move it back */
table#header td.right {
padding-right: 4px;
}
/* kill some more vertical space in the cgit header */
table.tabs {
margin-top: 0em;
}
/* FOOTER */
#footer {
background: none repeat scroll 0 0 #D3D7CF;
clear: left;
color: #555753;
padding: 14px 0 230px;
margin: auto;
font-size: 11px;
line-height: 1.5em;
}
/* Make the branch/tag decoration a little smaller */
a.branch-deco, a.tag-deco {
display: inline-block;
font-size: 90%;
padding: 1px 0.25em;
}
/*top bar*/
#top_bar ul {
list-style: none outside none;
margin: 0;
padding: 0 5px;
}
#top_bar ul li {
display: inline;
margin: 0 5px 0 0;
}
#top_bar a {
-moz-transition: background 100ms linear 0s;
border-radius: 4px 4px 4px 4px;
color: #FFFFFF;
outline: 0 none;
padding: 4px 14px;
text-decoration: none;
text-shadow: 0 1px 0 #000000;
}
.hidden {
display: none;
}
table.tabs td.form input, table.tabs td.form select {
font-size: 90%;
}
input, textarea {
border: 25px solid #6F6F6F;
}
button, input[type="reset"], input[type="button"], input[type="submit"] {
-moz-appearance: button;
-moz-binding: none;
-moz-box-sizing: border-box;
-moz-user-select: none;
background-color: buttonface;
border: 2px outset buttonface;
color: buttontext;
cursor: default;
font: ;
line-height: normal;
padding: 0 6px;
text-align: center;
text-shadow: none;
white-space: pre;
}
input {
-moz-appearance: textfield;
-moz-binding: url("chrome://global/content/platformHTMLBindings.xml#inputFields");
-moz-user-select: text;
background-color: -moz-field;
border: 2px inset threedface;
color: -moz-fieldtext;
cursor: text;
font: ;
letter-spacing: normal;
line-height: normal !important;
padding: 1px 0;
text-align: start;
text-indent: 0;
text-rendering: optimizelegibility;
text-shadow: none;
text-transform: none;
word-spacing: normal;
}
/*logo*/
#header #logo {
float: left;
}
#header #logo img {
-moz-transition: opacity 200ms ease-out 0s;
height: 78px;
margin-left: 10px;
opacity: 1;
width: 250px;
left: 10px;
margin-top: 5px;
}
#header {
margin: 50px auto 30px;
width: 960px;
float: center;
font-size: 75%;
}
#cgit {
margin: auto;
width: 96%;
}
#top_bar .left {
float: left;
margin: 10px;
padding: 0;
}
#top_bar .right {
float: right;
margin: 10px;
padding: 0;
}

Binary file not shown.



@ -0,0 +1,15 @@
local md5 = require("md5")
function filter_open(email, page)
buffer = ""
hexdigest = md5.sumhexa(email:sub(2, -2):lower())
end
function filter_close()
html("<span class='libravatar'><img class='inline' src='https://seccdn.libravatar.org/avatar/" .. hexdigest .. "?s=20&amp;d=retro' /><img class='onhover' src='https://seccdn.libravatar.org/avatar/" .. hexdigest .. "?s=128&amp;d=retro' /></span>" .. buffer)
return 0
end
function filter_write(str)
buffer = buffer .. str
end
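Review bot: `require("md5")` on the first line needs the Lua md5 module, and the cgit tasklist added in this same commit leaves `lua-md5` commented out of its package list (it points at Red Hat bug 1134103), so this filter will fail to load wherever it is enabled until that package is available. A comment at the top such as `-- requires lua-md5, see rhbz#1134103` would make the dependency visible. `buffer` and `hexdigest` are assigned without `local` and so become globals; a file-scope `local buffer, hexdigest` keeps them contained. Every page rendered through this filter also makes the visitor's browser request `seccdn.libravatar.org` with an unsalted MD5 of each author address, which deserves a line in the deployment notes.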


@ -0,0 +1,300 @@
/* Basic tags */
#body {
margin: 90px 230px 0px 10px;
padding: 0px;
}
a img {
border: 0px;
}
/* Anchors */
a {
color: #0000ff;
}
a:visited {
color: #551a8b;
}
a:active {
color: #ff0000;
}
/* Basic classes */
.none { /* to add paragraph spacing to various elements for ttys */
margin: 0px;
padding: 0px;
}
.invisible { /* stuff that should appear when this css isn't used */
margin: 0px;
border: 0px;
padding: 0px;
height: 0px;
visibility: hidden;
}
/*
.left {
margin: 10px;
padding: 0px;
float: left;
}
.right {
margin: 10px;
padding: 0px;
float: right;
}
.center {
text-align: center;
}
*/
/* Common page elements: Header, footer, etc. */
#logo {
border: 0 none;
height: 100px;
left: 0;
margin-top: 39px;
position: relative;
width: 64px;
z-index: 10;
}
#logo a img {
width: 274px;
height: 72px;
position: relative;
}
#hdr {
position: absolute;
z-index: 5;
top: 0px;
left: 0px;
right: 0px;
width: 100%;
height: 48px;
text-align: right;
background-color: #e3ffc3;
border-bottom: 1px solid #807d74;
}
#banner {
position: absolute;
z-index: 10;
top: 0px;
right: 0px;
border: 0px;
width: 300px;
height: 48px;
}
#banner a img {
width: 300px;
height: 48px;
}
#hdrNav {
position: absolute;
top: 54px;
left: 0px;
margin-left: 84px;
text-align: left;
vertical-align: middle;
font-size: small;
}
#hdrNav a {
color: #000000;
}
#hdrTitle {
height: 48px;
padding: 10px 10px 0px 0px;
font-weight: bold;
}
/* Search thingy */
#search {
font-size: small;
margin-bottom: 10px;
padding: 10px;
background-color: #dddddd;
}
#search input {
border: 1px solid #666666;
background-color: #ffffff;
vertical-align: middle;
}
/* Sidebar */
#sidebar {
position: absolute;
top: 90px;
right: 0px;
width: 210px;
/*margin-right: 10px;*/
padding-right: 10px;
padding-bottom: 0px;
border-left: 1px dashed #dddddd;
background-color: #ffffff;
}
#sidebar p {
margin-top: 0px;
padding-left: 10px;
padding-right: 10px;
}
#sidebar p.section {
text-align: center;
font-weight: bold;
padding-top: 3px;
padding-bottom: 3px;
color: #999999;
background-color: #eeeeee;
}
#sidebar ul {
margin: 0em;
margin-bottom: 15px;
padding-left: 10px;
padding-right: 10px;
list-style-type: none;
}
#sidebar ul ul {
padding-left: 2em;
padding-right: 0em;
list-style-type: square;
}
/* Copyright footer */
#copyright {
text-align: center;
font-size: small;
clear: both;
margin-top: 10px;
padding: 5px 0px 5px 0px;
color: #aaaaaa;
}
#copyright a {
color: #aaaaff;
}
#copyright a:visited {
color: #ffaaaa;
}
/* News Sections */
p.newsitem {
clear: left;
margin-bottom: 20px;
}
p.newsitem img.newsicon {
float: left;
margin: 0px 10px 10px 10px;
border: 0px;
}
/* Generic Classes */
div.code {
background-color: #e0e0e0;
color: #000000;
white-space: pre;
font-family: monospace;
}
#page {
margin: 0px;
padding: 0px;
}
div.in-column {
margin: 0 0 2em 1em;
float: right;
max-width: 12em;
}
hr {
color: #888;
background: #888;
border: 0;
height: 1px;
width: 90%;
text-align: center;
clear: both;
}
div.body {
clear: both;
}
div.sidebar {
position: absolute;
text-align: left;
right: 0px;
top: 60px;
width: 27ex;
padding-left: 1ex;
border-left: 1ex solid #eee;
margin-top: 4em;
}
div.sidebar h2 {
margin-top: 0;
padding: 5px 2ex 5px 2ex;
background: url(cgit-data/images/t.png) top left repeat-y;
font-size: 100%;
}
ul.toc {
padding: 0;
padding-left: 20px;
margin-left: 0;
margin-right: 10px;
list-style: none;
}
ul.toc li {
list-style: circle;
}
ul.toc li a {
text-decoration: none;
color: black;
}
ul.toc li a:hover {
text-decoration: underline;
}
/* page content */
div#content {
clear: both;
padding: 1em;
margin: 1em;
}


@ -0,0 +1,225 @@
/**
* Styles that are not a part of page layout.
*
* For example:
* Fonts
* Sizes
* Decoration
* Separators
*/
body {
font-family: verdana, arial, sans-serif;
}
/*div#content {
max-width: 50em;
}*/
div#global_domain_bar a {
color: #2E3436;
font-family: Cantarell,'Droid Sans','DejaVu Sans',Arial,sans-serif;
font-size: 14px;
line-height: 1.6;
}
div#content a {
color: #3465a4;
border-bottom: 1px dotted #888;
text-decoration: none;
}
div#content a:hover {
border-bottom: 1px solid #888;
}
body {
font-family: Cantarell, 'Droid Sans', 'DejaVu Sans', Arial, sans-serif;
font-size: 14px;
line-height: 1.6;
color: #2e3436;
}
body.win {
font-family: Verdana, Arial, sans-serif;
font-size: 14px;
line-height: 1.6;
color: #2e3436;
}
body.win h1, body.win h2, body.win h3, body.win h4, body.win h5, body.win h6 {
font-family: "Trebuchet MS";
}
h1, h2, h3, h4, h5, h6, dt {
color: #0489B7;
}
h1 {
font-size: 42px;
}
h2 {
font-size: 25px;
}
h3, dt {
font-size: 21px;
margin: 0.4em 0 0.5em;
color: #2E3436;
}
dt {
color: #E36615;
}
dt a:hover {
color: #fa7721;
}
h4 {
font-size: 16px;
color: #ce5c00;
}
h5 {
font-size: 14px;
}
h6 {
font-size: 12px;
}
ol {
list-style:decimal;
}
ul {
list-style:square;
}
li {
margin-left:30px;
}
dl,dt,h1,h2,h3,h4,h5,h6,pre,table,address,fieldset {
margin: 0.8em 0 0.4em;
}
p, dd, .action_box, ul, ol {
margin: 0.4em 0 1em;
}
/* comment this out for now. See: https://fedorahosted.org/fedora-infrastructure/ticket/4235
code {
background: #ececec;
background: rgba(0,0,0,0.1);
padding: 1px;
}
*/
/* Text classes */
/* ========================================================================== */
.highlight {
background: yellow;
}
.main_feature {
font-size: 16pt;
line-height: 130%;
}
.footnotes {
font-size: 11px;
color: #888a85;
}
.footnotes a {
color: #888a85;
}
#footer {
font-size: 11px;
line-height: 1.5em;
}
/* lists */
div#page .list {
margin-top:.5em;
}
div#page .list tr td {
padding:.2em;
text-align:left;
}
div#page .list td label {
border-bottom:1px dashed #999;
font-weight:normal;
}
div#page .list th {
background: #ccf;
border: 1px solid #000;
font-weight: bold;
padding: 2px;
}
div#page .list th a {
display: block;
padding:.2em 1.2em .2em .2em;
text-align: left;
}
div#page .list th a:hover {
background-color: #fff;
}
.row1 {
background-color: #eee;
}
.row2 {
background-color: #ddd;
}
.row1:hover, .row2:hover {
background-color: #fff;
}
.record th {
text-align: right;
}
/* styling page content */
h1 {
font-size: 1.5em;
color: #3f3f3f;
}
/* styling form widgets like bugzilla.gnome.org */
input,textarea {
border: 1px solid #6f6f6f;
/* background: #dddddd; */
}
input.login_small {
border-style: none;
}
input:focus,textarea:focus {
background-color: #f7f2d0;
color: #000000;
}
/* select {
border: groove
} */
option {
border: 0px none #ffffff;
}
input[type=radio] {
margin-left: 1em;
}
/* Syntax highlighting */
table.blob .num { color:#2928ff; }
table.blob .esc { color:#ff00ff; }
table.blob .str { color:#ff0000; }
table.blob .dstr { color:#818100; }
table.blob .slc { color:#838183; font-style:italic; }
table.blob .com { color:#838183; font-style:italic; }
table.blob .dir { color:#008200; }
table.blob .sym { color:#000000; }
table.blob .kwa { color:#000000; font-weight:bold; }
table.blob .kwb { color:#830000; }
table.blob .kwc { color:#000000; font-weight:bold; }
table.blob .kwd { color:#010181; }
table.list td a.ls-dir {
color: #0000FF;
font-weight: bold;
}

Binary file not shown.


Binary file not shown.


Binary file not shown.



@ -0,0 +1,32 @@
---
# tasklist for setting up CGit
- name: install the needed packages
yum: pkg={{item}} state=present
with_items:
- cgit
- mod_ssl
# https://bugzilla.redhat.com/show_bug.cgi?id=1134103
# - lua-md5
# See https://github.com/robyduck/cgit-custom
- name: Make sure cgit directory exists
file: dest=/usr/share/cgit state=directory owner=root group=root mode=0755
- name: Make sure cgit images directory exists
file: dest=/usr/share/cgit/images state=directory owner=root group=root mode=0755
- name: Copy cgit them into place.
copy: src={{item}} dest=/usr/share/cgit/{{item}} owner=root group=root mode=0644
with_items:
- cgit.css
- cgit.png
- cgit-fedora.css
- fedora-layout.css
- fedora-style.css
- images/favicon.ico
- images/html-bg.png
- images/t.png
- name: install the libravatar filter
copy: src=email-libravatar-korg.lua dest=/usr/libexec/cgit/filters/email-libravatar-korg.lua owner=root group=root mode=0755
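Review bot: The `with_items` list of the theme copy task installs `images/favicon.ico`, but the style sheet added in this commit refers to `cgit-data/images/favicon.png`, so one of the two names is probably wrong and the icon will not load. The task name `Copy cgit them into place.` should read `Copy cgit theme into place`. The libravatar filter is installed although `lua-md5` is commented out above; a comment on that task, e.g. `# filter cannot be enabled until lua-md5 is packaged (rhbz#1134103)`, would explain the state it is left in.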


@ -0,0 +1,2 @@
*/15 * * * * root find /var/cache/cgit/ -cmin +60 -name '*.lock' -type f -delete -maxdepth 1
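Review bot: In the `find` command, `-maxdepth 1` comes after `-delete`; GNU find treats `-maxdepth` as a global option and prints a warning when it follows other tests or actions, and from cron that warning would be mailed on every run. Putting it first removes the warning and any doubt about what is being limited: `find /var/cache/cgit/ -maxdepth 1 -type f -name '*.lock' -cmin +60 -delete`.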


@ -0,0 +1,5 @@
---
# tasklist for setting up the Cron job cleaning CGit locks
- name: install the cron file
copy: src=clean-lock.cron dest=/etc/cron.d/cgit-clean-lock.cron mode=0644


@ -0,0 +1,13 @@
#!/bin/sh
#
# This simple script lists out the current pkgs git repos to a file.
# This speeds up cgit as it doesn't have to recurse into all dirs
# Looking for git repos.
#
newfile=`mktemp`
cd /srv/git/rpms
ls > $newfile
mv $newfile /srv/git/pkgs-git-repos-list
chmod 644 /srv/git/pkgs-git-repos-list
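Review bot: The result of `cd /srv/git/rpms` is not checked, so if that directory is missing or not mounted, `ls` lists whatever directory cron started in and that listing replaces the repo list cgit reads. Use `cd /srv/git/rpms || exit 1`. The temp file is also created by `mktemp` in the default temp directory with mode 0600 and moved before the `chmod`, so the list is briefly unreadable to a non-root cgit and the move is not an atomic rename when the temp directory is on another filesystem. Creating it next to the target with `newfile=$(mktemp /srv/git/.pkgs-git-repos-list.XXXXXX)` and running `chmod 644 "$newfile"` before the `mv` avoids both.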


@ -0,0 +1,55 @@
---
# tasklist for setting up the CGit file list
- name: install the script and schedule its execution
copy: src=make-cgit-pkgs-list.sh dest=/usr/local/bin/make-cgit-pkgs-list.sh mode=0755
- name: install the cron job
cron: >
name="make-cgit-pkgs-list" cron_file="ansible-make-cgit-pkgs-list"
minute=*/10
user=root
job="/usr/local/bin/lock-wrapper make-cgit-pkgs-list '/usr/local/bin/make-cgit-pkgs-list.sh | /usr/local/bin/nag-once fassync 1d 2>&1'"
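Review bot: In the `job=` string the `2>&1` sits at the end of the pipeline, so it redirects stderr of `nag-once` rather than of `make-cgit-pkgs-list.sh`. Errors from the script therefore bypass `nag-once` and reach cron mail on every 10-minute run. Move the redirect before the pipe: `'/usr/local/bin/make-cgit-pkgs-list.sh 2>&1 | /usr/local/bin/nag-once fassync 1d'`. The `nag-once` key `fassync` also looks copied from another job; `nag-once` is not shown here, but if it rate-limits per key, this job would share suppression state with that one, and a job-specific key such as `cgit-pkgs-list` would be safer.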


@ -0,0 +1,17 @@
#!/bin/sh
### A simple update script for the clamav virus database.
### This could as well be replaced by a SysV script.
### fix log file if needed
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
touch "$LOG_FILE"
chmod 644 "$LOG_FILE"
chown clam.clam "$LOG_FILE"
fi
/usr/bin/freshclam \
--quiet \
--datadir="/var/lib/clamav" \
--log="$LOG_FILE"
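Review bot: `chown clam.clam "$LOG_FILE"` uses the deprecated dot separator and an account that nothing in this commit creates. The freshclam.conf added alongside names `clamav` as the default database owner, so the account name should be checked against what the installed clamav-update package actually ships. If the chown fails, the log stays root-owned with mode 0644 and freshclam may be unable to write to it after dropping privileges, while `--quiet` hides the problem. Suggested form, with the real account filled in: `chown <freshclam-user>:<freshclam-group> "$LOG_FILE"`. The script also assumes `/var/log/clamav/` exists before the `touch`.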


@ -0,0 +1,24 @@
## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * * ...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=
## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn' ... disables the automatic freshclam update and
## gives out a warning
## 'disabled' ... disables the automatic freshclam silently
# FRESHCLAM_DELAY=
### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
#FRESHCLAM_DELAY=disabled-warn # REMOVE ME


@ -0,0 +1,197 @@
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
# UpdateLogFile /var/log/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /var/run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav
# Initialize supplementary group access (freshclam must be started by root).
# Default: no
#AllowSupplementaryGroups yes
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
#DatabaseMirror db.XY.clamav.net
# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Timeout in seconds when reading from database server.
# Default: 30
#ReceiveTimeout 60
# When enabled freshclam will submit statistics to the ClamAV Project about
# the latest virus detections in your environment. The ClamAV maintainers
# will then use this data to determine what types of malware are the most
# detected in the field and in what geographic area they are.
# This feature requires LogTime and LogFile to be enabled in clamd.conf.
# Default: no
#SubmitDetectionStats /path/to/clamd.conf
# Country of origin of malware/detection statistics (for statistical
# purposes only). The statistics collector at ClamAV.net will look up
# your IP address to determine the geographical origin of the malware
# reported by your installation. If this installation is mainly used to
# scan data which comes from a different location, please enable this
# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
# of the country of origin.
# Default: disabled
#DetectionStatsCountry country-code
# This option enables support for our "Personal Statistics" service.
# When this option is enabled, the information on malware detected by
# your clamd installation is made available to you through our website.
# To get your HostID, log on http://www.stats.clamav.net and add a new
# host to your host list. Once you have the HostID, uncomment this option
# and paste the HostID here. As soon as your freshclam starts submitting
# information to our stats collecting service, you will be able to view
# the statistics of this clamd installation by logging into
# http://www.stats.clamav.net with the same credentials you used to
# generate the HostID. For more information refer to:
# http://www.clamav.net/support/faq/faq-cctts/
# This feature requires SubmitDetectionStats to be enabled.
# Default: disabled
#DetectionStatsHostID unique-id
# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file (safebrowsing.cvd)
# which will be automatically loaded by clamd and clamscan during the next
# reload, provided that the heuristic phishing detection is turned on. This
# database includes information about websites that may be phishing sites or
# possible sources of malware. When using this option, it's mandatory to run
# freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use. See http://code.google.com/support/bin/answer.py?answer=70015
# and http://safebrowsing.clamav.net for more information.
# Default: disabled
#SafeBrowsing yes
#
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
#Bytecode yes


@ -0,0 +1,49 @@
---
# tasklist for setting up a ClamAV scanner
#
# The following variables control the scan:
# - clamscan_mailto
# - clamscan_paths
# - clamscan_excludes (optional)
#
# The following variables control scheduling of the cron job:
# - clamscan_minute (optional)
# - clamscan_hour (optional)
# - clamscan_day (optional)
# - clamscan_month (optional)
# - clamscan_weekday (optional)
- name: install the needed packages
yum: pkg={{item}} state=present
with_items:
- clamav
- clamav-data
- clamav-update
- cronie-anacron
- name: setup the freshclam configuration
copy: src=freshclam.conf dest=/etc/freshclam.conf
- name: enable freshclam by fixing the stupid default sysconfig
copy: src=freshclam-sysconfig dest=/etc/sysconfig/freshclam
- name: setup the freshclam cron job
copy: src=freshclam-cron dest=/etc/cron.daily/freshclam
- name: setup the periodic clam scan script
template: >
src=clamscan.sh.j2
dest=/usr/local/bin/clamscan.sh
mode=0755
- name: setup cron job for clam scan
cron: >
name="clamscan"
user=root
minute="{{ clamscan_minute | default(35) }}"
hour="{{ clamscan_hour | default(4) }}"
day="{{ clamscan_day | default(*) }}"
month="{{ clamscan_month | default(*) }}"
weekday="{{ clamscan_weekday | default(5) }}"
job="/usr/local/bin/clamscan.sh"
cron_file="ansible-clamscan"
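Review bot: The three `copy` tasks set no owner or mode, and `/etc/cron.daily/freshclam` only runs if it is executable. As written, the signature database may never be refreshed and the scheduled scan would run against stale definitions. Add `owner=root group=root mode=0755` to the freshclam-cron task and `mode=0644` to the two configuration files. Separately, `default(*)` in the `day=` and `month=` lines is not valid Jinja2; the star has to be a quoted string, as in `day="{{ clamscan_day | default('*') }}"`.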


@ -0,0 +1,36 @@
#!/bin/bash
# Scans various directories for baddies
# Fri Jul 22 2011 athmane: modified to scan files older than $DAYS days
LOGFILE="/var/log/clamscan.log"
MAILTO="{{ clamscan_mailto }}"
DAYS=7
FILELIST="/tmp/clamscan_filelist.$$"
rm -f $LOGFILE
# Build file list to scan
{% for path in clamscan_paths %}
find {{ path }} -ctime -${DAYS} -type f >> $FILELIST
{% endfor %}
/bin/nice -5 /usr/bin/clamscan --infected --quiet --file-list=$FILELIST --log=$LOGFILE \
{% for path in clamscan_excludes|default([]) %}
--exclude={{ path }} \
{% endfor %}
2> /dev/null
RESULT=$?
if [ "$RESULT" -eq "1" ]
then
mail -s "Virus found! on $(hostname)" $MAILTO -- < $LOGFILE
fi
if [ "$RESULT" -eq "2" ]
then
mail -s "Virus scanning error on $(hostname)" $MAILTO -- < $LOGFILE
fi
rm -f $FILELIST
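Review bot: `FILELIST="/tmp/clamscan_filelist.$$"` is a predictable name in a world-writable directory, and this root cron job appends to it with `>>` without creating it first. A file or symlink already present at that path would be written through, or would feed the scanner a list this script did not build. Create the file with `FILELIST="$(mktemp)"` and clean up with `trap 'rm -f "$FILELIST"' EXIT`. The `{{ path }}` and `$FILELIST` expansions are unquoted, so paths containing spaces break the `find` and `clamscan` calls. `2> /dev/null` combined with `--quiet` also discards the scanner's own error output, leaving only the exit-code-2 mail to signal a failed scan.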


@ -0,0 +1,339 @@
server-identifier cloud-noc01.cloud.fedoraproject.org;
ddns-update-style none;
#subnet 172.16.1.0 netmask 255.255.255.0 {
#}
#subnet 172.16.2.0 netmask 255.255.255.0 {
#}
#subnet 172.16.3.0 netmask 255.255.255.0 {
#}
#subnet 172.16.4.0 netmask 255.255.255.0 {
#}
#subnet 172.16.5.0 netmask 255.255.255.0 {
#}
#subnet 172.16.6.0 netmask 255.255.255.0 {
#}
#subnet 172.16.7.0 netmask 255.255.255.0 {
#}
#subnet 172.16.8.0 netmask 255.255.255.0 {
#}
#subnet 172.16.9.0 netmask 255.255.255.0 {
#}
# ARM MGMT VLAN
subnet 172.23.0.0 netmask 255.255.255.0 {
allow booting;
allow bootp;
option domain-name "cloud.fedoraproject.org";
option domain-name-servers 66.35.62.163, 152.19.134.150;
option routers 172.23.0.2;
option log-servers 172.23.0.2;
host arm03-packager00-mgmt {
hardware ethernet fc:2f:40:1b:64:4e;
fixed-address 172.23.0.70;
option host-name "arm03-packager00-mgmt";
next-server 172.23.0.17;
}
host arm03-packager01-mgmt {
hardware ethernet fc:2f:40:08:d7:e2;
fixed-address 172.23.0.71;
option host-name "arm03-packager01-mgmt";
next-server 172.23.0.17;
}
host arm03-qa00-mgmt {
hardware ethernet fc:2f:40:a1:f8:36;
fixed-address 172.23.0.72;
option host-name "arm03-qa00-mgmt";
next-server 172.23.0.17;
}
host arm03-qa01-mgmt {
hardware ethernet fc:2f:40:1b:f6:da;
fixed-address 172.23.0.73;
option host-name "arm03-qa01-mgmt";
next-server 172.23.0.17;
}
host arm03-soc04-mgmt {
hardware ethernet fc:2f:40:16:c8:3a;
fixed-address 172.23.0.74;
option host-name "arm03-soc04-mgmt";
next-server 172.23.0.17;
}
host arm03-soc05-mgmt {
hardware ethernet fc:2f:40:9b:1d:da;
fixed-address 172.23.0.75;
option host-name "arm03-soc05-mgmt";
next-server 172.23.0.17;
}
host arm03-soc06-mgmt {
hardware ethernet fc:2f:40:00:4c:e2;
fixed-address 172.23.0.76;
option host-name "arm03-soc06-mgmt";
next-server 172.23.0.17;
}
host arm03-soc07-mgmt {
hardware ethernet fc:2f:40:57:cb:b6;
fixed-address 172.23.0.77;
option host-name "arm03-soc07-mgmt";
next-server 172.23.0.17;
}
host arm03-soc08-mgmt {
hardware ethernet fc:2f:40:12:6a:26;
fixed-address 172.23.0.78;
option host-name "arm03-soc08-mgmt";
next-server 172.23.0.17;
}
host arm03-soc09-mgmt {
hardware ethernet fc:2f:40:5d:85:8a;
fixed-address 172.23.0.79;
option host-name "arm03-soc09-mgmt";
next-server 172.23.0.17;
}
host arm03-soc10-mgmt {
hardware ethernet fc:2f:40:a5:5f:42;
fixed-address 172.23.0.80;
option host-name "arm03-soc10-mgmt";
next-server 172.23.0.17;
}
host arm03-soc11-mgmt {
hardware ethernet fc:2f:40:d2:a1:0e;
fixed-address 172.23.0.81;
option host-name "arm03-soc11-mgmt";
next-server 172.23.0.17;
}
host arm03-soc12-mgmt {
hardware ethernet fc:2f:40:00:a4:c6;
fixed-address 172.23.0.82;
option host-name "arm03-soc12-mgmt";
next-server 172.23.0.17;
}
host arm03-soc13-mgmt {
hardware ethernet fc:2f:40:59:27:ba;
fixed-address 172.23.0.83;
option host-name "arm03-soc13-mgmt";
next-server 172.23.0.17;
}
host arm03-soc14-mgmt {
hardware ethernet fc:2f:40:7b:ab:f6;
fixed-address 172.23.0.84;
option host-name "arm03-soc14-mgmt";
next-server 172.23.0.17;
}
host arm03-soc15-mgmt {
hardware ethernet fc:2f:40:8a:99:96;
fixed-address 172.23.0.85;
option host-name "arm03-soc15-mgmt";
next-server 172.23.0.17;
}
host arm03-soc16-mgmt {
hardware ethernet fc:2f:40:ea:ff:16;
fixed-address 172.23.0.86;
option host-name "arm03-soc16-mgmt";
next-server 172.23.0.17;
}
host arm03-soc17-mgmt {
hardware ethernet fc:2f:40:79:e3:8e;
fixed-address 172.23.0.87;
option host-name "arm03-soc17-mgmt";
next-server 172.23.0.17;
}
host arm03-soc18-mgmt {
hardware ethernet fc:2f:40:7d:0c:9a;
fixed-address 172.23.0.88;
option host-name "arm03-soc18-mgmt";
next-server 172.23.0.17;
}
host arm03-soc19-mgmt {
hardware ethernet fc:2f:40:04:29:9a;
fixed-address 172.23.0.89;
option host-name "arm03-soc19-mgmt";
next-server 172.23.0.17;
}
host arm03-soc20-mgmt {
hardware ethernet fc:2f:40:3c:50:26;
fixed-address 172.23.0.90;
option host-name "arm03-soc20-mgmt";
next-server 172.23.0.17;
}
host arm03-soc21-mgmt {
hardware ethernet fc:2f:40:cb:4f:66;
fixed-address 172.23.0.91;
option host-name "arm03-soc21-mgmt";
next-server 172.23.0.17;
}
host arm03-soc22-mgmt {
hardware ethernet fc:2f:40:17:c0:ee;
fixed-address 172.23.0.92;
option host-name "arm03-soc22-mgmt";
next-server 172.23.0.17;
}
host arm03-soc23-mgmt {
hardware ethernet fc:2f:40:00:47:3e;
fixed-address 172.23.0.93;
option host-name "arm03-soc23-mgmt";
next-server 172.23.0.17;
}
}
# ARM VLAN
subnet 209.132.184.0 netmask 255.255.255.0 {
allow booting;
allow bootp;
option domain-name "cloud.fedoraproject.org fedoraproject.org";
option domain-name-servers 66.35.62.163, 152.19.134.150;
option routers 209.132.184.254;
option log-servers 209.132.184.2;
host fed-cloud09 {
hardware ethernet f0:1f:af:e3:5f:0c;
fixed-address 209.132.184.9;
option host-name "fed-cloud09.cloud.fedoraproject.org";
next-server 209.132.184.17;
filename "pxelinux.0";
}
host arm03-packager00 {
hardware ethernet fc:2f:40:1b:64:4c;
fixed-address 209.132.184.70;
option host-name "arm03-packager00";
next-server 209.132.184.17;
}
host arm03-packager01 {
hardware ethernet fc:2f:40:08:d7:e0;
fixed-address 209.132.184.71;
option host-name "arm03-packager01";
next-server 209.132.184.17;
}
host arm03-qa00 {
hardware ethernet fc:2f:40:a1:f8:34;
fixed-address 209.132.184.72;
option host-name "arm03-qa00";
next-server 209.132.184.17;
}
host arm03-qa01 {
hardware ethernet fc:2f:40:1b:f6:d8;
fixed-address 209.132.184.73;
option host-name "arm03-qa01";
next-server 209.132.184.17;
}
host arm03-soc04 {
hardware ethernet fc:2f:40:16:c8:38;
fixed-address 209.132.184.74;
option host-name "arm03-soc04";
next-server 209.132.184.17;
}
host arm03-soc05 {
hardware ethernet fc:2f:40:9b:1d:d8;
fixed-address 209.132.184.75;
option host-name "arm03-soc05";
next-server 209.132.184.17;
}
host arm03-soc06 {
hardware ethernet fc:2f:40:00:4c:e0;
fixed-address 209.132.184.76;
option host-name "arm03-soc06";
next-server 209.132.184.17;
}
host arm03-soc07 {
hardware ethernet fc:2f:40:57:cb:b4;
fixed-address 209.132.184.77;
option host-name "arm03-soc07";
next-server 209.132.184.17;
}
host arm03-soc08 {
hardware ethernet fc:2f:40:12:6a:24;
fixed-address 209.132.184.78;
option host-name "arm03-soc08";
next-server 209.132.184.17;
}
host arm03-soc09 {
hardware ethernet fc:2f:40:5d:85:88;
fixed-address 209.132.184.79;
option host-name "arm03-soc09";
next-server 209.132.184.17;
}
host arm03-soc10 {
hardware ethernet fc:2f:40:a5:5f:40;
fixed-address 209.132.184.80;
option host-name "arm03-soc10";
next-server 209.132.184.17;
}
host arm03-soc11 {
hardware ethernet fc:2f:40:d2:a1:0c;
fixed-address 209.132.184.81;
option host-name "arm03-soc11";
next-server 209.132.184.17;
}
host arm03-soc12 {
hardware ethernet fc:2f:40:00:a4:c4;
fixed-address 209.132.184.82;
option host-name "arm03-soc12";
next-server 209.132.184.17;
}
host arm03-soc13 {
hardware ethernet fc:2f:40:59:27:b8;
fixed-address 209.132.184.83;
option host-name "arm03-soc13";
next-server 209.132.184.17;
}
host arm03-soc14 {
hardware ethernet fc:2f:40:7b:ab:f4;
fixed-address 209.132.184.84;
option host-name "arm03-soc14";
next-server 209.132.184.17;
}
host arm03-soc15 {
hardware ethernet fc:2f:40:8a:99:94;
fixed-address 209.132.184.85;
option host-name "arm03-soc15";
next-server 209.132.184.17;
}
host arm03-soc16 {
hardware ethernet fc:2f:40:ea:ff:14;
fixed-address 209.132.184.86;
option host-name "arm03-soc16";
next-server 209.132.184.17;
}
host arm03-soc17 {
hardware ethernet fc:2f:40:79:e3:8c;
fixed-address 209.132.184.87;
option host-name "arm03-soc17";
next-server 209.132.184.17;
}
host arm03-soc18 {
hardware ethernet fc:2f:40:7d:0c:98;
fixed-address 209.132.184.88;
option host-name "arm03-soc18";
next-server 209.132.184.17;
}
host arm03-soc19 {
hardware ethernet fc:2f:40:04:29:98;
fixed-address 209.132.184.89;
option host-name "arm03-soc19";
next-server 209.132.184.17;
}
host arm03-soc20 {
hardware ethernet fc:2f:40:3c:50:24;
fixed-address 209.132.184.90;
option host-name "arm03-soc20";
next-server 209.132.184.17;
}
host arm03-soc21 {
hardware ethernet fc:2f:40:cb:4f:64;
fixed-address 209.132.184.91;
option host-name "arm03-soc21";
next-server 209.132.184.17;
}
host arm03-soc22 {
hardware ethernet fc:2f:40:17:c0:ec;
fixed-address 209.132.184.92;
option host-name "arm03-soc22";
next-server 209.132.184.17;
}
host arm03-soc23 {
hardware ethernet fc:2f:40:00:47:3c;
fixed-address 209.132.184.93;
option host-name "arm03-soc23";
next-server 209.132.184.17;
}
}


@ -157,330 +157,6 @@ subnet 10.5.126.0 netmask 255.255.255.0 {
filename "pxelinux.0";
}
subnet 10.5.124.128 netmask 255.255.255.128 {
option domain-name "qa.fedoraproject.org phx2.fedoraproject.org fedoraproject.org";
option domain-name-servers 10.5.126.21, 10.5.126.22;
option log-servers 10.5.126.29;
option routers 10.5.124.254;
range 10.5.124.240 10.5.124.249;
next-server 10.5.126.41;
filename "pxelinux.0";
host virthost-comm01 {
hardware ethernet 5c:f3:fc:4d:db:fc;
fixed-address 10.5.124.131;
option host-name "virthost-comm01";
}
#
# All staticly assigned, but listed here for completeness.
#
# 5C:F3:FC:85:64:34 - ppc-hub.qa.fedoraproject.org - 10.5.124.182
# 5C:F3:FC:85:64:33 - ppc-builder1.qa.fedoraproject.org - 10.5.124.213
# 5C:F3:FC:85:64:36 - ppc-builder2.qa.fedoraproject.org - 10.5.124.214
# 5C:F3:FC:85:64:37 - ppc-builder3.qa.fedoraproject.org - 10.5.124.215
# 5C:F3:FC:85:64:38 - ppc-builder4.qa.fedoraproject.org - 10.5.124.216
# 5C:F3:FC:85:64:35 - ppc-composer.qa.fedoraproject.org - 10.5.124.217
host ppc-comm01-mgmt {
hardware ethernet 5c:f3:fc:2e:93:72;
fixed-address 10.5.124.231;
option host-name "ppc-comm01-mgmt";
}
host ppc-comm01 {
hardware ethernet 6c:ae:8b:00:0f:f0;
fixed-address 10.5.124.219;
option host-name "ppc-comm01";
filename "yaboot";
next-server 10.5.126.41;
}
host qa01 {
hardware ethernet 00:21:5E:C7:5C:84;
fixed-address 10.5.124.151;
}
host qa02 {
hardware ethernet 00:21:5e:c6:cc:9c;
fixed-address 10.5.124.152;
}
host qa03 {
hardware ethernet 00:21:5E:C6:CD:48;
fixed-address 10.5.124.153;
}
host qa04 {
hardware ethernet 00:21:5E:C7:2A:1C;
fixed-address 10.5.124.154;
}
host qa05 {
hardware ethernet 00:21:5E:C7:5F:04;
fixed-address 10.5.124.155;
}
host qa06 {
hardware ethernet 00:21:5E:C6:57:08;
fixed-address 10.5.124.156;
}
host qa07 {
hardware ethernet E4:1F:13:E5:53:94;
fixed-address 10.5.124.157;
}
host qa08 {
hardware ethernet E4:1F:13:E5:46:80;
fixed-address 10.5.124.158;
}
host virt01 {
hardware ethernet 52:54:00:a2:de:30;
fixed-address 10.5.124.159;
option host-name "virt01";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt02 {
hardware ethernet 52:54:00:fe:22:ff;
fixed-address 10.5.124.160;
option host-name "virt02";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt03 {
hardware ethernet 52:54:00:c5:04:14;
fixed-address 10.5.124.161;
option host-name "virt03";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt04 {
hardware ethernet 52:54:00:b5:97:30;
fixed-address 10.5.124.162;
option host-name "virt04";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt05 {
hardware ethernet 52:54:00:9a:25:d3;
fixed-address 10.5.124.163;
option host-name "virt05";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt06 {
hardware ethernet 52:54:00:78:ae:44;
fixed-address 10.5.124.164;
option host-name "virt06";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt07 {
hardware ethernet 52:54:00:00:eb:e9;
fixed-address 10.5.124.165;
option host-name "virt07";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt08 {
hardware ethernet 52:54:00:24:dd:72;
fixed-address 10.5.124.166;
option host-name "virt08";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt09 {
hardware ethernet 52:54:00:a1:a0:23;
fixed-address 10.5.124.167;
option host-name "virt09";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt10 {
hardware ethernet 52:54:00:88:a2:9d;
fixed-address 10.5.124.168;
option host-name "virt10";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt11 {
hardware ethernet 52:54:00:1c:de:bf;
fixed-address 10.5.124.169;
option host-name "virt11";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt12 {
hardware ethernet 52:54:00:28:90:26;
fixed-address 10.5.124.170;
option host-name "virt12";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt13 {
hardware ethernet 52:54:00:2c:5e:61;
fixed-address 10.5.124.192;
option host-name "virt13";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt14 {
hardware ethernet 52:54:00:45:7f:9d;
fixed-address 10.5.124.193;
option host-name "virt14";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt15 {
hardware ethernet 52:54:00:1d:15:85;
fixed-address 10.5.124.194;
option host-name "virt15";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
next-server 10.5.124.228;
filename "pxelinux.0";
}
host virt16 {
hardware ethernet 52:54:00:f2:cc:2a;
fixed-address 10.5.124.195;
option host-name "virt16";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
next-server 10.5.124.228;
filename "pxelinux.0";
}
host virt17 {
hardware ethernet 52:54:00:58:9b:0e;
fixed-address 10.5.124.196;
option host-name "virt17";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
next-server 10.5.124.228;
filename "pxelinux.0";
}
host virt18 {
hardware ethernet 52:54:00:22:3b:07;
fixed-address 10.5.124.197;
option host-name "virt18";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
next-server 10.5.124.228;
filename "pxelinux.0";
}
host virt19 {
hardware ethernet 52:54:00:27:35:92;
fixed-address 10.5.124.198;
option host-name "virt19";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt20 {
hardware ethernet 52:54:00:60:97:00;
fixed-address 10.5.124.199;
option host-name "virt20";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt21 {
hardware ethernet 52:54:00:58:76:db;
fixed-address 10.5.124.200;
option host-name "virt21";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt22 {
hardware ethernet 52:54:00:41:5a:1a;
fixed-address 10.5.124.183;
option host-name "virt22";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt23 {
hardware ethernet 52:54:00:7c:79:63;
fixed-address 10.5.124.184;
option host-name "virt23";
option ntp-servers 66.187.233.4,192.43.244.18,128.118.25.5,204.152.184.72;
}
host virt24 {
hardware ethernet 52:54:00:8d:7d:96;
fixed-address 10.5.124.185;
option host-name "virt24";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt25 {
hardware ethernet 52:54:00:f4:76:92;
fixed-address 10.5.124.186;
option host-name "virt25";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt26 {
hardware ethernet 52:54:00:76:a4:31;
fixed-address 10.5.124.187;
option host-name "virt26";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt27 {
hardware ethernet 52:54:00:bc:e8:47;
fixed-address 10.5.124.188;
option host-name "virt27";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt28 {
hardware ethernet 52:54:00:3f:eb:29;
fixed-address 10.5.124.189;
option host-name "virt28";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt29 {
hardware ethernet 52:54:00:ab:7f:ac;
fixed-address 10.5.124.190;
option host-name "virt29";
option ntp-servers 66.18.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host retrace01 {
hardware ethernet e4:1f:13:ba:ad:88;
fixed-address 10.5.124.171;
next-server 10.5.126.41;
option host-name "retrace01";
filename "pxelinux.0";
}
host kernel01 {
hardware ethernet 90:b1:1c:31:c9:ca;
fixed-address 10.5.124.173;
option host-name "kernel01";
filename "pxelinux.0";
}
host kernel02 {
hardware ethernet 90:b1:1c:31:bf:27;
fixed-address 10.5.124.175;
option host-name "kernel02";
filename "pxelinux.0";
}
host cosmos01 {
hardware ethernet 40:f2:e9:1b:a7:98;
fixed-address 10.5.124.134;
option host-name "cosmos01";
filename "pxelinux.0";
}
}
subnet 10.5.127.0 netmask 255.255.255.0 {
allow booting;
allow bootp;
@ -1732,3 +1408,367 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
}
}
shared-network qa {
option domain-name "qa.fedoraproject.org phx2.fedoraproject.org fedoraproject.org";
option domain-name-servers 10.5.126.21, 10.5.126.22;
option log-servers 10.5.126.29;
subnet 10.5.124.128 netmask 255.255.255.128 {
option routers 10.5.124.254;
range 10.5.124.240 10.5.124.249;
next-server 10.5.126.41;
filename "pxelinux.0";
host virthost-comm01 {
hardware ethernet 5c:f3:fc:4d:db:fc;
fixed-address 10.5.124.131;
option host-name "virthost-comm01";
}
#
# All staticly assigned, but listed here for completeness.
#
# 5C:F3:FC:85:64:34 - ppc-hub.qa.fedoraproject.org - 10.5.124.182
# 5C:F3:FC:85:64:33 - ppc-builder1.qa.fedoraproject.org - 10.5.124.213
# 5C:F3:FC:85:64:36 - ppc-builder2.qa.fedoraproject.org - 10.5.124.214
# 5C:F3:FC:85:64:37 - ppc-builder3.qa.fedoraproject.org - 10.5.124.215
# 5C:F3:FC:85:64:38 - ppc-builder4.qa.fedoraproject.org - 10.5.124.216
# 5C:F3:FC:85:64:35 - ppc-composer.qa.fedoraproject.org - 10.5.124.217
host ppc-comm01-mgmt {
hardware ethernet 5c:f3:fc:2e:93:72;
fixed-address 10.5.124.231;
option host-name "ppc-comm01-mgmt";
}
host ppc-comm01 {
hardware ethernet 6c:ae:8b:00:0f:f0;
fixed-address 10.5.124.219;
option host-name "ppc-comm01";
filename "yaboot";
}
host ppc-comm04.qa.fedoraproject.org {
hardware ethernet 5c:f3:fc:89:bd:c0;
fixed-address 10.5.124.221;
next-server ppc-builder7.qa.fedoraproject.org;
option host-name "ppc-comm04";
filename "ppccomm04";
}
host qa01 {
hardware ethernet 00:21:5E:C7:5C:84;
fixed-address 10.5.124.151;
}
host qa02 {
hardware ethernet 00:21:5e:c6:cc:9c;
fixed-address 10.5.124.152;
}
host qa03 {
hardware ethernet 00:21:5E:C6:CD:48;
fixed-address 10.5.124.153;
}
host qa04 {
hardware ethernet 00:21:5E:C7:2A:1C;
fixed-address 10.5.124.154;
}
host qa05 {
hardware ethernet 00:21:5E:C7:5F:04;
fixed-address 10.5.124.155;
}
host qa06 {
hardware ethernet 00:21:5E:C6:57:08;
fixed-address 10.5.124.156;
}
host qa07 {
hardware ethernet E4:1F:13:E5:53:94;
fixed-address 10.5.124.157;
}
host qa08 {
hardware ethernet E4:1F:13:E5:46:80;
fixed-address 10.5.124.158;
}
host virt01 {
hardware ethernet 52:54:00:a2:de:30;
fixed-address 10.5.124.159;
option host-name "virt01";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt02 {
hardware ethernet 52:54:00:fe:22:ff;
fixed-address 10.5.124.160;
option host-name "virt02";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt03 {
hardware ethernet 52:54:00:c5:04:14;
fixed-address 10.5.124.161;
option host-name "virt03";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt04 {
hardware ethernet 52:54:00:b5:97:30;
fixed-address 10.5.124.162;
option host-name "virt04";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt05 {
hardware ethernet 52:54:00:9a:25:d3;
fixed-address 10.5.124.163;
option host-name "virt05";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt06 {
hardware ethernet 52:54:00:78:ae:44;
fixed-address 10.5.124.164;
option host-name "virt06";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt07 {
hardware ethernet 52:54:00:00:eb:e9;
fixed-address 10.5.124.165;
option host-name "virt07";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt08 {
hardware ethernet 52:54:00:24:dd:72;
fixed-address 10.5.124.166;
option host-name "virt08";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt09 {
hardware ethernet 52:54:00:a1:a0:23;
fixed-address 10.5.124.167;
option host-name "virt09";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt10 {
hardware ethernet 52:54:00:88:a2:9d;
fixed-address 10.5.124.168;
option host-name "virt10";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt11 {
hardware ethernet 52:54:00:1c:de:bf;
fixed-address 10.5.124.169;
option host-name "virt11";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt12 {
hardware ethernet 52:54:00:28:90:26;
fixed-address 10.5.124.170;
option host-name "virt12";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt13 {
hardware ethernet 52:54:00:2c:5e:61;
fixed-address 10.5.124.192;
option host-name "virt13";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt14 {
hardware ethernet 52:54:00:45:7f:9d;
fixed-address 10.5.124.193;
option host-name "virt14";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt15 {
hardware ethernet 52:54:00:1d:15:85;
fixed-address 10.5.124.194;
option host-name "virt15";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
next-server 10.5.124.228;
filename "pxelinux.0";
}
host virt16 {
hardware ethernet 52:54:00:f2:cc:2a;
fixed-address 10.5.124.195;
option host-name "virt16";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
next-server 10.5.124.228;
filename "pxelinux.0";
}
host virt17 {
hardware ethernet 52:54:00:58:9b:0e;
fixed-address 10.5.124.196;
option host-name "virt17";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
next-server 10.5.124.228;
filename "pxelinux.0";
}
host virt18 {
hardware ethernet 52:54:00:22:3b:07;
fixed-address 10.5.124.197;
option host-name "virt18";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
next-server 10.5.124.228;
filename "pxelinux.0";
}
host virt19 {
hardware ethernet 52:54:00:27:35:92;
fixed-address 10.5.124.198;
option host-name "virt19";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt20 {
hardware ethernet 52:54:00:60:97:00;
fixed-address 10.5.124.199;
option host-name "virt20";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt21 {
hardware ethernet 52:54:00:58:76:db;
fixed-address 10.5.124.200;
option host-name "virt21";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt22 {
hardware ethernet 52:54:00:41:5a:1a;
fixed-address 10.5.124.183;
option host-name "virt22";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt23 {
hardware ethernet 52:54:00:7c:79:63;
fixed-address 10.5.124.184;
option host-name "virt23";
option ntp-servers 66.187.233.4,192.43.244.18,128.118.25.5,204.152.184.72;
}
host virt24 {
hardware ethernet 52:54:00:8d:7d:96;
fixed-address 10.5.124.185;
option host-name "virt24";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt25 {
hardware ethernet 52:54:00:f4:76:92;
fixed-address 10.5.124.186;
option host-name "virt25";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt26 {
hardware ethernet 52:54:00:76:a4:31;
fixed-address 10.5.124.187;
option host-name "virt26";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt27 {
hardware ethernet 52:54:00:bc:e8:47;
fixed-address 10.5.124.188;
option host-name "virt27";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt28 {
hardware ethernet 52:54:00:3f:eb:29;
fixed-address 10.5.124.189;
option host-name "virt28";
option ntp-servers 66.187.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host virt29 {
hardware ethernet 52:54:00:ab:7f:ac;
fixed-address 10.5.124.190;
option host-name "virt29";
option ntp-servers 66.18.233.4, 192.43.244.18, 128.118.25.5, 204.152.184.72;
}
host retrace01 {
hardware ethernet e4:1f:13:ba:ad:88;
fixed-address 10.5.124.171;
next-server 10.5.126.41;
option host-name "retrace01";
filename "pxelinux.0";
}
host kernel01 {
hardware ethernet 90:b1:1c:31:c9:ca;
fixed-address 10.5.124.173;
option host-name "kernel01";
filename "pxelinux.0";
}
host kernel02 {
hardware ethernet 90:b1:1c:31:bf:27;
fixed-address 10.5.124.175;
option host-name "kernel02";
filename "pxelinux.0";
}
host cosmos01 {
hardware ethernet 40:f2:e9:1b:a7:98;
fixed-address 10.5.124.134;
option host-name "cosmos01";
filename "pxelinux.0";
}
}
subnet 10.5.131.0 netmask 255.255.255.0 {
option routers 10.5.131.254;
range 10.5.131.240 10.5.131.249;
next-server 10.5.126.41;
filename "pxelinux.0";
host retrace03 {
hardware ethernet ec:f4:bb:c0:38:a0;
fixed-address 10.5.131.13;
option host-name "retrace03.qa.fedoraproject.org";
next-server 10.5.126.41;
filename "pxelinux.0";
}
host retrace04 {
hardware ethernet ec:f4:bb:c0:46:38;
fixed-address 10.5.131.14;
option host-name "retrace04.qa.fedoraproject.org";
next-server 10.5.126.41;
filename "pxelinux.0";
}
}
}


@ -0,0 +1,71 @@
#
# See cgitrc(5) or /usr/share/doc/cgit-*/cgitrc.5.html for details
#
# Enable caching of up to 1000 output entries
cache-size=1000
# Specify some default clone prefixes
clone-prefix=git://pkgs.fedoraproject.org ssh://pkgs.fedoraproject.org http://pkgs.fedoraproject.org/git
# Specify the css url
css=/cgit-data/cgit.css
# Show extra links for each repository on the index page
enable-index-links=1
# Enable ASCII art commit history graph on the log pages
enable-commit-graph=1
# Show number of affected files per commit on the log pages
enable-log-filecount=1
# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1
# Add a cgit favicon
#favicon=/favicon.ico
# Use a custom logo
logo=/cgit-data/cgit.png
# Enable statistics per week, month and quarter
max-stats=quarter
# Set the title and heading of the repository index page
root-title=Fedora Project Packages GIT repositories
# Set a subheading for the repository index page
#root-desc=tracking the foobar development
# Include some more info about this site on the index page
#root-readme=/var/www/html/about.html
# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz tar.xz zip
##
## List of common mimetypes
##
mimetype.gif=image/gif
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml
# Enable syntax highlighting (requires the highlight package)
#source-filter=/usr/libexec/cgit/filters/syntax-highlighting.sh
email-filter=lua:/usr/libexec/cgit/filters/email-libravatar-korg.lua
##
## List of repositories.
## PS: Any repositories listed when section is unset will not be
## displayed under a section heading
## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos')
## and included like this:
project-list=/srv/git/pkgs-git-repos-list
scan-path=/srv/git/rpms/
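Review bot: The `clone-prefix` line advertises `git://` and plain `http://` clone URLs next to `ssh://`, and neither of the first two authenticates the server or protects the fetched objects in transit. For a repository that feeds package builds I would list an authenticated transport first, e.g. `clone-prefix=https://pkgs.fedoraproject.org/git ssh://pkgs.fedoraproject.org`, assuming the HTTPS virtual host serves `/git/`; that is not visible in this file. If the plaintext prefixes have to stay, a one-line comment above the setting saying why would help the next reader.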


@ -0,0 +1,219 @@
#!/usr/bin/python
#
# CGI script to handle file updates for the rpms git repository. There
# is nothing really complex here other than tedious checking of our
# every step along the way...
#
# License: GPL
import os
import sys
import cgi
import tempfile
import grp
import pwd
import syslog
import smtplib
import fedmsg
import fedmsg.config
from email import Header, Utils
try:
from email.mime.text import MIMEText
except ImportError:
from email.MIMEText import MIMEText
try:
import hashlib
md5_constructor = hashlib.md5
except ImportError:
import md5
md5_constructor = md5.new
# Reading buffer size
BUFFER_SIZE = 4096
# We check modules exist from this dircetory
GITREPO = '/srv/git/rpms'
# Lookaside cache directory
CACHE_DIR = '/srv/cache/lookaside/pkgs'
# Fedora Packager Group
PACKAGER_GROUP = 'packager'
def send_error(text):
print text
sys.exit(1)
def check_form(form, var):
ret = form.getvalue(var, None)
if ret is None:
send_error('Required field "%s" is not present.' % var)
if isinstance(ret, list):
send_error('Multiple values given for "%s". Aborting.' % var)
return ret
def check_auth(username):
authenticated = False
try:
if username in grp.getgrnam(PACKAGER_GROUP)[3]:
authenticated = True
except KeyError:
pass
return authenticated
def send_email(pkg, md5, filename, username):
text = """A file has been added to the lookaside cache for %(pkg)s:
%(md5)s %(filename)s""" % locals()
msg = MIMEText(text)
try:
sender_name = pwd.getpwnam(username)[4]
sender_email = '%s@fedoraproject.org' % username
except KeyError:
sender_name = ''
sender_email = 'nobody@fedoraproject.org'
syslog.syslog('Unable to find account info for %s (uploading %s)' %
(username, filename))
if sender_name:
try:
sender_name = unicode(sender_name, 'ascii')
except UnicodeDecodeError:
sender_name = Header.Header(sender_name, 'utf-8').encode()
msg.set_charset('utf-8')
sender = Utils.formataddr((sender_name, sender_email))
recipients = ['%s-owner@fedoraproject.org' % pkg,
'scm-commits@lists.fedoraproject.org']
msg['Subject'] = 'File %s uploaded to lookaside cache by %s' % (
filename, username)
msg['From'] = sender
msg['To'] = ', '.join(recipients)
msg['X-Fedora-Upload'] = '%s, %s' % (pkg, filename)
try:
s = smtplib.SMTP('bastion')
s.sendmail(sender, recipients, msg.as_string())
except:
syslog.syslog('sending mail for upload of %s failed!' % filename)
def main():
os.umask(002)
username = os.environ.get('SSL_CLIENT_S_DN_CN', None)
if not check_auth(username):
print 'Status: 403 Forbidden'
print 'Content-type: text/plain'
print
print 'You must connect with a valid certificate and be in the %s group to upload.' % PACKAGER_GROUP
sys.exit(0)
print 'Content-Type: text/plain'
print
assert os.environ['REQUEST_URI'].split('/')[1] == 'repo'
form = cgi.FieldStorage()
name = check_form(form, 'name')
md5sum = check_form(form, 'md5sum')
action = None
upload_file = None
filename = None
# Is this a submission or a test?
# in a test, we don't get a file, just a filename.
# In a submission, we don;t get a filename, just the file.
if form.has_key('filename'):
action = 'check'
filename = check_form(form, 'filename')
filename = os.path.basename(filename)
print >> sys.stderr, '[username=%s] Checking file status: NAME=%s FILENAME=%s MD5SUM=%s' % (username, name, filename, md5sum)
else:
action = 'upload'
if form.has_key('file'):
upload_file = form['file']
if not upload_file.file:
send_error('No file given for upload. Aborting.')
filename = os.path.basename(upload_file.filename)
else:
send_error('Required field "file" is not present.')
print >> sys.stderr, '[username=%s] Processing upload request: NAME=%s FILENAME=%s MD5SUM=%s' % (username, name, filename, md5sum)
module_dir = os.path.join(CACHE_DIR, name)
md5_dir = os.path.join(module_dir, filename, md5sum)
# first test if the module really exists
git_dir = os.path.join(GITREPO, '%s.git' % name)
if not os.path.isdir(git_dir):
print >> sys.stderr, '[username=%s] Unknown module: %s' % (username, name)
send_error('Module "%s" does not exist!' % name)
# try to see if we already have this file...
dest_file = os.path.join(md5_dir, filename)
if os.path.exists(dest_file):
if action == 'check':
print 'Available'
else:
upload_file.file.close()
dest_file_stat = os.stat(dest_file)
print 'File %s already exists' % filename
print 'File: %s Size: %d' % (dest_file, dest_file_stat.st_size)
sys.exit(0)
elif action == 'check':
print 'Missing'
sys.exit(0)
# check that all directories are in place
if not os.path.isdir(module_dir):
os.makedirs(module_dir, 02775)
# grab a temporary filename and dump our file in there
tempfile.tempdir = module_dir
tmpfile = tempfile.mkstemp(md5sum)[1]
tmpfd = open(tmpfile, 'w')
# now read the whole file in
m = md5_constructor()
filesize = 0
while True:
data = upload_file.file.read(BUFFER_SIZE)
if not data:
break
tmpfd.write(data)
m.update(data)
filesize += len(data)
# now we're done reading, check the MD5 sum of what we got
tmpfd.close()
check_md5sum = m.hexdigest()
if md5sum != check_md5sum:
send_error("MD5 check failed. Received %s instead of %s." % (check_md5sum, md5sum))
# wow, even the MD5SUM matches. make sure full path is valid now
if not os.path.isdir(md5_dir):
os.makedirs(md5_dir, 02775)
print >> sys.stderr, '[username=%s] mkdir %s' % (username, md5_dir)
os.rename(tmpfile, dest_file)
os.chmod(dest_file, 0644)
print >> sys.stderr, '[username=%s] Stored %s (%d bytes)' % (username, dest_file, filesize)
print 'File %s size %d MD5 %s stored OK' % (filename, filesize, md5sum)
send_email(name, md5sum, filename, username)
# Emit a fedmsg message. Load the config to talk to the fedmsg-relay.
try:
config = fedmsg.config.load_config([], None)
config['active'] = True
config['endpoints']['relay_inbound'] = config['relay_inbound']
fedmsg.init(name="relay_inbound", cert_prefix="lookaside", **config)
topic = "lookaside.new"
msg = dict(name=name, md5sum=md5sum, filename=filename, agent=username)
fedmsg.publish(modname="git", topic=topic, msg=msg)
except Exception as e:
print "Error with fedmsg", str(e)
if __name__ == '__main__':
main()
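Review bot: In `main()` the form fields `name` and `md5sum` are joined into filesystem paths (`module_dir`, `md5_dir`, and the suffix passed to `tempfile.mkstemp(md5sum)`) without any format check; only `filename` goes through `os.path.basename`. Both values come from the client, so I would reject anything that is not a plain path component before the first `os.path.join`, for example `if not re.match(r'^[0-9a-f]{32}$', md5sum): send_error('Invalid md5sum.')` and `if name != os.path.basename(name) or name.startswith('.'): send_error('Invalid module name.')` (this needs `import re`). Separately, when the MD5 comparison fails, `send_error` exits and leaves the temporary file behind in `module_dir`; an `os.unlink(tmpfile)` before that call would stop rejected uploads from accumulating. The `assert` on `REQUEST_URI` is removed when Python runs with `-O`, so it is safer as an explicit test that calls `send_error`.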


@ -0,0 +1,4 @@
config = {
'genacls.consumer.enabled': True,
'genacls.consumer.delay': 5, # 5 seconds
}


@ -0,0 +1,118 @@
#!/usr/bin/python -t
#
# Create an /etc/gitolog/conf/getolog.conf file with acls for dist-git
#
# Takes no arguments!
#
import grp
import sys
import requests
if __name__ == '__main__':
# Get the users in various groups
TRUSTED = grp.getgrnam('cvsadmin')[3]
ARM = grp.getgrnam('fedora-arm')[3]
SPARC = grp.getgrnam('fedora-sparc')[3]
IA64 = grp.getgrnam('fedora-ia64')[3]
S390 = grp.getgrnam('fedora-s390')[3]
PPC = grp.getgrnam('fedora-ppc')[3]
PROVEN = grp.getgrnam('provenpackager')[3]
# Set the active branches to create ACLs for
# Give them the git branch eqiv until pkgdb follows suite
ACTIVE = {'OLPC-2': 'olpc2', 'OLPC-3': 'olpc3', 'EL-4': 'el4',
'EL-5': 'el5', 'el5': 'el5', 'el6': 'el6', 'EL-6': 'el6',
'epel7': 'epel7',
'F-11': 'f11', 'F-12': 'f12', 'F-13': 'f13', 'f14': 'f14', 'f15':
'f15', 'f16': 'f16', 'f17': 'f17', 'f18': 'f18', 'f19': 'f19',
'f20': 'f20', 'devel': 'master', 'master': 'master'}
# Create a "regex"ish list 0f the reserved branches
RESERVED = ['f[0-9][0-9]', 'epel[0-9]', 'epel[0-9][0-9]', 'el[0-9]', 'olpc[0-9]']
# Read the ACL information from the packageDB
data = requests.get('https://admin.fedoraproject.org/pkgdb/api/vcs?format=json').json()
# Get a list of all the packages
acls = data['packageAcls']
pkglist = data['packageAcls'].keys()
pkglist.sort()
# sanity check
if len(pkglist) < 2500:
sys.exit(1)
# print out our user groups
print '@admins = %s' % ' '.join(TRUSTED)
print '@provenpackager = %s' % ' '.join(PROVEN)
print '@fedora-arm = %s' % ' '.join(ARM)
print '@fedora-s390 = %s' % ' '.join(S390)
print '@fedora-ppc = %s' % ' '.join(PPC)
# print our default permissions
print 'repo @all'
print ' RWC = @admins @fedora-arm @fedora-s390 @fedora-ppc'
print ' R = @all'
#print ' RW private- = @all'
# dont' enable the above until we prevent building for real from private-
for pkg in pkglist:
branchAcls = {} # Check whether we need to set separate per branch acls
buffer = [] # Buffer the output per package
masters = [] # Folks that have commit to master
writers = [] # Anybody that has write access
# Examine each branch in the package
branches = acls[pkg].keys()
branches.sort()
for branch in branches:
if not branch in ACTIVE.keys():
continue
if 'packager' in acls[pkg][branch]['commit']['groups']:
# If the packager group is defined, everyone has access
buffer.append(' RWC %s = @all' % (ACTIVE[branch]))
branchAcls.setdefault('@all', []).append((pkg,
ACTIVE[branch]))
if branch == 'master':
masters.append('@all')
if '@all' not in writers:
writers.append('@all')
else:
# Extract the owners
committers = []
owners = acls[pkg][branch]['commit']['people']
owners.sort()
for owner in owners:
committers.append(owner)
if 'provenpackager' in acls[pkg][branch]['commit']['groups']:
committers.append('@provenpackager')
if branch == 'master':
masters.extend(committers)
# add all the committers to the top writers list
for committer in committers:
if not committer in writers:
writers.append(committer)
# Print the committers to the acl for this package-branch
committers = ' '.join(committers)
buffer.append(' RWC %s = %s' %
(ACTIVE[branch], committers))
branchAcls.setdefault(committers, []).append((pkg,
ACTIVE[branch]))
print
print 'repo %s' % pkg
#if len(branchAcls.keys()) == 1:
# acl = branchAcls.keys()[0]
# print ' RW = %s' % acl
#else:
print '\n'.join(buffer)
for reserved in RESERVED:
print ' - %s = @all' % reserved
print ' RWC refs/tags/ = %s' % ' '.join(writers)
if masters:
print ' RWC = %s' % ' '.join(masters)
sys.exit(0)
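Review bot: The package names, owner names and group lists taken from the pkgdb JSON are printed into the gitolite configuration exactly as they arrive, in the `print 'repo %s' % pkg` and `' RWC %s = %s'` lines, so a value containing whitespace or a newline would change the meaning of the generated ACLs. I would check each `pkg` and each entry of `owners` against a conservative pattern before it is used and exit non-zero on a mismatch, e.g. `if not re.match(r'^[A-Za-z0-9_.+-]+$', pkg): sys.exit(1)` (needs `import re`); the wrapper script only installs the file when this script succeeds, so aborting is the safe outcome. The `requests.get(...)` call also has no `timeout=` and the response is not checked with `raise_for_status()`, so a stalled or error response shows up only as a hang or a traceback. The `len(pkglist) < 2500` guard exits without writing a reason to stderr, and `SPARC` and `IA64` are looked up but never used.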


@ -0,0 +1,14 @@
#!/bin/sh
TEMPDIR=`mktemp -d -p /var/tmp genacls.XXXXX`
export GL_RC=/etc/gitolite/gitolite.rc
export GL_BINDIR=/usr/bin
cd $TEMPDIR
# Only replace the acls if genacls completes successfully
if /usr/local/bin/genacls.pkgdb > gitolite.conf ; then
mv gitolite.conf /etc/gitolite/conf/
/usr/bin/gl-compile-conf
fi
cd /
rm -rf $TEMPDIR
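Review bot: The result of `mktemp -d` is not checked and `$TEMPDIR` is used unquoted, so if the directory cannot be created, `cd $TEMPDIR` falls back to the home directory and `gitolite.conf` is generated there. I would add `[ -n "$TEMPDIR" ] && cd "$TEMPDIR" || exit 1` after the `mktemp` line and quote the variable in `rm -rf "$TEMPDIR"`. `gl-compile-conf` also runs when the `mv` fails; chaining them as `mv gitolite.conf /etc/gitolite/conf/ && /usr/bin/gl-compile-conf` keeps the compiled rules in step with the file on disk.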


@ -0,0 +1,3 @@
SetEnv GIT_PROJECT_ROOT /srv/git/rpms
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/


@ -0,0 +1,233 @@
# paths and configuration variables for gitolite
# please read comments before editing
# this file is meant to be pulled into a perl program using "do" or "require".
# You do NOT need to know perl to edit the paths; it should be fairly
# self-explanatory and easy to maintain perl syntax :-)
# --------------------------------------
# Do not uncomment these values unless you know what you're doing
# $GL_PACKAGE_CONF = "";
# $GL_PACKAGE_HOOKS = "";
# --------------------------------------
# --------------------------------------
# this is where the repos go. If you provide a relative path (not starting
# with "/"), it's relative to your $HOME. You may want to put in something
# like "/bigdisk" or whatever if your $HOME is too small for the repos, for
# example
$REPO_BASE="/srv/git/rpms/";
# the default umask for repositories is 0077; change this if you run stuff
# like gitweb and find it can't read the repos. Please note the syntax; the
# leading 0 is required
$REPO_UMASK = 0002;
# $REPO_UMASK = 0027; # gets you 'rwxr-x---'
# $REPO_UMASK = 0022; # gets you 'rwxr-xr-x'
# part of the setup of gitweb is a variable called $projects_list (please see
# gitweb documentation for more on this). Set this to the same value:
$PROJECTS_LIST = $ENV{HOME} . "/projects.list";
# --------------------------------------
# I see no reason anyone may want to change the gitolite admin directory, but
# feel free to do so. However, please note that it *must* be an *absolute*
# path (i.e., starting with a "/" character)
# gitolite admin directory, files, etc
$GL_ADMINDIR="/etc/gitolite";
# --------------------------------------
# templates for location of the log files and format of their names
# I prefer this template (note the %y and %m placeholders)
# it produces files like `~/.gitolite/logs/gitolite-2009-09.log`
$GL_LOGT="/var/log/gitolite/gitolite-%y-%m.log";
# other choices are below, or you can make your own -- but PLEASE MAKE SURE
# the directory exists and is writable; gitolite won't do that for you (unless
# it is the default, which is "$GL_ADMINDIR/logs")
# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m-%d.log";
# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y.log";
# --------------------------------------
# Please DO NOT change these three paths
$GL_CONF="$GL_ADMINDIR/conf/gitolite.conf";
$GL_KEYDIR="$GL_ADMINDIR/keydir";
$GL_CONF_COMPILED="$GL_ADMINDIR/conf/gitolite.conf-compiled.pm";
# --------------------------------------
# if git on your server is on a standard path (that is
# ssh git@server git --version
# works), leave this setting as is. Otherwise, choose one of the
# alternatives, or write your own
$GIT_PATH="";
# $GIT_PATH="/opt/bin/";
# --------------------------------------
# ----------------------------------------------------------------------
# BIG CONFIG SETTINGS
# Please read doc/big-config.mkd for details
$GL_BIG_CONFIG = 1;
$GL_NO_DAEMON_NO_GITWEB = 1;
$GL_NO_CREATE_REPOS = 1;
$GL_NO_SETUP_AUTHKEYS = 1;
# ----------------------------------------------------------------------
# SECURITY SENSITIVE SETTINGS
#
# Settings below this point may have security implications. That
# usually means that I have not thought hard enough about all the
# possible ways to crack security if these settings are enabled.
# Please see details on each setting for specifics, if any.
# ----------------------------------------------------------------------
# --------------------------------------
# ALLOW REPO ADMIN TO SET GITCONFIG KEYS
#
# Gitolite allows you to set git repo options using the "config" keyword; see
# conf/example.conf for details and syntax.
#
# However, if you are in an installation where the repo admin does not (and
# should not) have shell access to the server, then allowing him to set
# arbitrary repo config options *may* be a security risk -- some config
# settings may allow executing arbitrary commands.
#
# You have 3 choices. By default $GL_GITCONFIG_KEYS is left empty, which
# completely disables this feature (meaning you cannot set git configs from
# the repo config).
$GL_GITCONFIG_KEYS = "";
# The second choice is to give it a space separated list of settings you
# consider safe. (These are actually treated as a set of regular expression
# patterns, and any one of them must match). For example:
# $GL_GITCONFIG_KEYS = "core\.logAllRefUpdates core\..*compression";
# allows repo admins to set one of those 3 config keys (yes, that second
# pattern matches two settings from "man git-config", if you look)
#
# The third choice (which you may have guessed already if you're familiar with
# regular expressions) is to allow anything and everything:
# $GL_GITCONFIG_KEYS = ".*";
# --------------------------------------
# EXTERNAL COMMAND HELPER -- HTPASSWD
# security note: runs an external command (htpasswd) with specific arguments,
# including a user-chosen "password".
# if you want to enable the "htpasswd" command, give this the absolute path to
# whatever file apache (etc) expect to find the passwords in.
$HTPASSWD_FILE = "";
# Look in doc/3 ("easier to link gitweb authorisation with gitolite" section)
# for more details on using this feature.
# --------------------------------------
# EXTERNAL COMMAND HELPER -- RSYNC
# security note: runs an external command (rsync) with specific arguments, all
# presumably filled in correctly by the client-side rsync.
# base path of all the files that are accessible via rsync. Must be an
# absolute path. Leave it undefined or set to the empty string to disable the
# rsync helper.
$RSYNC_BASE = "";
# $RSYNC_BASE = "/home/git/up-down";
# $RSYNC_BASE = "/tmp/up-down";
# --------------------------------------
# EXTERNAL COMMAND HELPER -- SVNSERVE
# security note: runs an external command (svnserve) with specific arguments,
# as specified below. %u is substituted with the username.
# This setting allows launching svnserve when requested by the ssh client.
# This allows using the same SSH setup (hostname/username/public key) for both
# SVN and git access. Leave it undefined or set to the empty string to disable
# svnserve access.
$SVNSERVE = "";
# $SVNSERVE = "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=%u";
# --------------------------------------
# ALLOW REPO CONFIG TO USE WILDCARDS
# security note: this used to in a separate "wildrepos" branch. You can
# create repositories based on wild cards, give "ownership" to the specific
# user who created it, allow him/her to hand out R and RW permissions to other
# users to collaborate, etc. This is powerful stuff, and I've made it as
# secure as I can, but it hasn't had the kind of rigorous line-by-line
# analysis that the old "master" branch had.
# This has now been rolled into master, with all the functionality gated by
# this variable. Set this to 1 if you want to enable the wildrepos features.
# Please see doc/4-wildcard-repositories.mkd for details.
$GL_WILDREPOS = 0;
# --------------------------------------
# DEFAULT WILDCARD PERMISSIONS
# If set, this value will be used as the default user-level permission rule of
# new wildcard repositories. The user can change this value with the setperms command
# as desired after repository creation; it is only a default. Note that @all can be
# used here but is special; no other groups can be used in user-level permissions.
# $GL_WILDREPOS_DEFPERMS = 'R = @all';
# --------------------------------------
# HOOK CHAINING
# by default, the update hook in every repo chains to "update.secondary".
# Similarly, the post-update hook in the admin repo chains to
# "post-update.secondary". If you're fine with the defaults, there's no need
# to do anything here. However, if you want to use different names or paths,
# change these variables
# $UPDATE_CHAINS_TO = "hooks/update.secondary";
# $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
# --------------------------------------
# ADMIN DEFINED COMMANDS
# WARNING: Use this feature only if (a) you really really know what you're
# doing or (b) you really don't care too much about security. Please read
# doc/admin-defined-commands.mkd for details.
# $GL_ADC_PATH = "";
# --------------------------------------
# per perl rules, this should be the last line in such a file:
1;
# Local variables:
# mode: perl
# End:
# vim: set syn=perl:


@ -0,0 +1,69 @@
Alias /repo/ /srv/cache/lookaside/
# default SSL configuration...
Listen 443
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
Mutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# SSL host
<VirtualHost _default_:443>
# This alias must come before the /repo/ one to avoid being overridden.
ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi
Alias /repo/ /srv/cache/lookaside/
ServerName pkgs.fedoraproject.org
ServerAdmin webmaster@fedoraproject.org
SSLEngine on
SSLCertificateFile conf/pkgs.fedoraproject.org_key_and_cert.pem
SSLCertificateKeyFile conf/pkgs.fedoraproject.org_key_and_cert.pem
SSLCACertificateFile conf/cacert.pem
SSLCARevocationFile /etc/pki/tls/crl.pem
SSLCipherSuite RSA:!EXPORT:!DH:!LOW:!NULL:+MEDIUM:+HIGH
# Must be 'optional' everywhere in order to have POST operations work to upload.cgi
SSLVerifyClient optional
# Must be here for POST operations to upload.cgi
SSLOptions +OptRenegotiate
ErrorLog logs/ssl_error_log
CustomLog logs/ssl_access_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN_OU}x\" %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_emailAddress}x \"%r\" %b"
<Directory /repo/pkgs/>
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
# require that the client auth cert was created by us and signed by us
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
</Directory>
<Location /repo/pkgs/upload.cgi>
SSLRequireSSL
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
# require that the access comes from internal or that
# the client auth cert was created by us and signed by us
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
</Location>
</VirtualHost>
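Review bot: As I read it, `SSLCipherSuite RSA:!EXPORT:!DH:!LOW:!NULL:+MEDIUM:+HIGH` limits the vhost to RSA key exchange, so no connection gets forward secrecy, and it still admits MEDIUM-strength ciphers; there is also no `SSLProtocol` directive in this file, so the protocol set is left to the server default. I would add `SSLProtocol all -SSLv2 -SSLv3` and `SSLHonorCipherOrder on`, and move to a cipher string that prefers ephemeral key exchange, such as `SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4`, after testing it against the clients that upload. The `<Directory /repo/pkgs/>` block names a URL path rather than a filesystem path, so it probably never matches; if the certificate requirement is meant to apply there, it should be a `<Location>` block or name the real directory under `/srv/cache/lookaside/`.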


@ -0,0 +1,6 @@
Alias /lookaside /srv/cache/lookaside
<Directory /srv/cache/lookaside>
Options Indexes FollowSymLinks
AllowOverride None
</Directory>


@ -0,0 +1,181 @@
#!/bin/bash
#
# Create a new development branch for a module.
# THIS HAS TO BE RUN ON THE GIT SERVER!
# WARNING:
# This file is maintained within puppet?
# All local changes will be lost.
# Figure out the environment we're running in
RUNDIR=$(cd $(dirname $0) && pwd)
GITROOT=/srv/git/rpms
# check if a moron is driving me
if [ ! -d $GITROOT ] ; then
# we're not on the git server (this check is fragile)
echo "ERROR: This script has to be run on the git server."
echo "ERROR: Homer sez 'Duh'."
exit -9
fi
# where are the packages kept
TOPLEVEL=rpms
# Local variables
VERBOSE=0
TEST=
IGNORE=
BRANCH=""
PACKAGES=""
SRC_BRANCH="master"
AUTHOR="Fedora Release Engineering <rel-eng@lists.fedoraproject.org>"
Usage() {
cat <<EOF
Usage:
$0 [ -s <src_branch>] <branch> <package_name>...
Creates a new branch <branch> for the list of <package_name>s.
The /master suffix on branch names is assumed.
Options:
-s,--source=<src_branch> Use <src_branch> as the source branch.
Defaults is master
/master suffix on other branches assumed
-n,--test Don't do nothing, only test
-i,--ignore Ignore erroneous modules
-h,--help This help message
-v,--verbose Increase verbosity
EOF
}
# parse the arguments
while [ -n "$1" ] ; do
case "$1" in
-h | --help )
Usage
exit 0
;;
-v | --verbose )
VERBOSE=$(($VERBOSE + 1))
;;
-i | --ignore )
IGNORE="yes"
;;
-n | --test )
TEST="yes"
;;
-s | --source )
shift
SRC_BRANCH=$1
;;
-b | --branch )
shift
BRANCH=$1/master
;;
* )
if [ -z "$BRANCH" ] ; then
BRANCH="$1"
else
PACKAGES="$PACKAGES $1"
fi
;;
esac
shift
done
# check the arguments
if [ -z "$BRANCH" -o -z "$PACKAGES" ] ; then
Usage
exit -1
fi
# Sanity checks before we start doing damage
NEWP=
for p in $PACKAGES ; do
[ $VERBOSE -gt 1 ] && echo "Checking package $p..."
if [ ! -d $GITROOT/$p.git ] ; then
echo "ERROR: Package module $p is invalid" >&2
[ "$IGNORE" = "yes" ] && continue || exit -1
fi
if [ -z "$(GIT_DIR=$GITROOT/$p.git git rev-parse -q --verify $SRC_BRANCH)" ] ; then \
echo "ERROR: Invalid source branch '$SRC_BRANCH' for package $p" >&2; \
if [ $SRC_BRANCH == 'master' ]; then
[ "$IGNORE" = "yes" ] && continue
else
SRC_BRANCH=master
fi
fi
$(GIT_DIR=$GITROOT/$p.git git rev-parse -q --verify \
$BRANCH >/dev/null) && \
(echo "IGNORING: Package module $p already has a branch $BRANCH" >&2; \
[ "$IGNORE" = "yes" ] && continue || exit -1)
NEWP="$NEWP $p"
done
PACKAGES="$(echo $NEWP)"
if [ -z "$PACKAGES" ] ; then
echo "NOOP: no valid packages found to process"
exit -1
fi
if [ -n "$TEST" ] ; then
echo "Branch $BRANCH valid for $PACKAGES"
exit 0
fi
# This account must have the proper permissions as to not screw up the
# repository work.
if [ "$(id -un)" = "root" ] ; then
echo "Please run this script as yourself"
exit -3
fi
#### Change this to check for proper git-admin rights
# "global" permissions check
if [ ! -w $GITROOT ] ; then
echo "ERROR: You can not write to $GITROOT"
echo "ERROR: You can not perform branching operations"
exit -1
fi
# Now start working on creating those branches
# For every module, "create" the branch
for NAME in $PACKAGES ; do
echo
echo "Creating new module branch '$BRANCH' for '$NAME' from branch '$SRC_BRANCH'..."
# permissions checks for this particular module
if [ ! -w $GITROOT/$NAME.git/refs/heads/ ] ; then
echo "ERROR: You can not write to $d"
echo "ERROR: $NAME can not be branched by you"
continue
fi
#### Replace the above with a gitolite permission check
#[ $VERBOSE -gt 0 ] && echo "Creating $BRANCH-split tag for $NAME/$SRC_BRANCH..."
# Is the above needed?
#cvs -Q rtag -f "$BRANCH-split" $TOPLEVEL/$NAME/$SRC_BRANCH || {
#echo "ERROR: Branch split tag for $NAME/$SRC_BRANCH could not be created" >&2
#exit -2
#}
[ $VERBOSE -gt 0 ] && echo "Creating $NAME $BRANCH from $NAME $SRC_BRANCH..."
$(pushd $GITROOT/$NAME.git >/dev/null && \
git branch --no-track $BRANCH $SRC_BRANCH && \
popd >/dev/null) || {
echo "ERROR: Branch $NAME $BRANCH could not be created" >&2
popd >/dev/null
exit -2
}
done
echo
echo "Done."
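Review bot: Package and branch names are expanded unquoted and unchecked throughout (`[ ! -d $GITROOT/$p.git ]`, `git rev-parse -q --verify $BRANCH`, `git branch --no-track $BRANCH $SRC_BRANCH`), so a name containing `/`, `..`, whitespace or a leading `-` is read as a path outside $GITROOT or as a git option. The pkgdb2-clone script on this page hands names parsed from a wiki page to this script, so each name should be checked before use, e.g. `case "$p" in -*|*/*|*..*) echo "ERROR: bad package name" >&2; exit 1;; esac`, and every expansion quoted. Separately, the "already has a branch" check runs `continue`/`exit -1` inside `( … )`, which is a subshell, so neither reaches the loop and the package is still appended to NEWP; an `if … then … fi` would make the skip take effect. The per-module permission error prints `$d`, which is never set; `$GITROOT/$NAME.git/refs/heads/` is presumably what was meant.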


@ -0,0 +1,152 @@
#!/usr/bin/env python
import re
import requests
import sys
import getpass
import pkgdb2client
import subprocess
#PAGE_URL = 'https://fedoraproject.org/w/api.php?format=json&action=query&rvprop=content&prop=revisions&titles=User:Codeblock/RequestsSANDBOX'
PAGE_URL = 'https://fedoraproject.org/w/api.php?format=json&action=query&rvprop=content&prop=revisions&titles=EPEL/epel7/Requests'
NEW_EPEL_VERSION = '7'
NEW_EPEL_SOURCE_BRANCH = 'f19'
RHEL_PKGS_PATH = '/var/lib/rhel/rhel' + NEW_EPEL_VERSION
# parse_page :: String -> IO (Map String String)
# This returns a dictionary of {"pkg_name": "branch"}
def parse_page(url):
r = requests.get(url).json()
text = r['query']['pages'][r['query']['pages'].keys()[0]]['revisions'][0]['*']
lines = text.split("\n")
pkgs = filter(lambda y: y.startswith('| '), lines)
__pkgs_list__ = map(lambda y: ''.join(y.split())[1:].split('||'), pkgs)
pkgs_list = filter(lambda y: y[0] != 'foo', __pkgs_list__)
pkgs_dict = dict(pkgs_list)
return pkgs_dict
# is_in_rhel :: String -> IO Bool
def is_in_rhel(pkg):
with open(RHEL_PKGS_PATH) as f:
pkgs = map(lambda x: x.strip(), f.readlines())
return (pkg in pkgs)
# These tuples will be used to substitute one pattern for another.
# Every transform will be run on every branch name so be sure the
# pattern cannot match if you don't want it to be triggered.
transforms = (
(re.compile(r'^devel$'), 'master'),
(re.compile(r'-'), ''),
(re.compile(r'^fc([0-9])'), r'f\1'),
(re.compile(r'^epel([456])$'), r'el\1'),
(re.compile(r'^el([789]|[1-9][0-9])'), r'epel\1'),
)
branch_replacements = {'devel': (re.compile(r'^devel$'), 'master'),}
# generate_collection_cache :: PkgDB -> IO [String]
def generate_collection_cache(pkgdb):
raw_collections = pkgdb.get_collections(clt_status=(
'Active',
'Under Development'))
collection_cache = frozenset(map(lambda y: y['branchname'],
raw_collections['collections']))
return collection_cache
# normalize_branch :: [String] -> String -> IO (Option String)
def normalize_branch(collection_cache, branch):
# I originally had this implemented as a foldRight (which it really is).
# But Python doesn't eliminate tail calls. It probably would have been fine
# because "transforms" above is only 5 elements, but instead I will deal
# with the local mutation and wish that I had a type system to reason with.
# -rbe
norm_branch = branch.lower()
for transform in transforms:
norm_branch = re.sub(transform[0], transform[1], norm_branch)
# Ugh, here we break purity. Where is the option type when you need it?
if not (norm_branch in collection_cache):
print('Unknown collection specified: {0}'.format(branch))
return None
return norm_branch
# process_package :: PkgDB -> String -> String -> IO Bool
def process_package(pkgdb, pkg, src, dest):
data = pkgdb.get_package(pkg)
pkg_list = data['packages']
maybe_source = filter(lambda y: y['collection']['branchname'] == src,
pkg_list)
maybe_dest = filter(lambda y: y['collection']['branchname'] == dest,
pkg_list)
if len(maybe_source) == 0:
print "Source branch `" + src + "' not found. Please "\
"branch" + pkg + "manually."
return False
if len(maybe_dest) != 0:
print "Package `" + pkg + "' was already branched for `" + dest + "'."\
" Not overwriting branch."
return False
acls = filter(lambda y: y['fas_name'] != 'group::provenpackager',
maybe_source[0]['acls'])
map(lambda acl: pkgdb.update_acl(pkg, dest, acl['acl'], acl['status'],
acl['fas_name']), acls)
return True
# main :: [String] -> IO Unit
def main(args):
new_epel_requests = "epel" + NEW_EPEL_VERSION + "-requests"
if len(args) < 1 or (len(args) < 3 and args[0] != new_epel_requests) or\
len(args) > 3 or (len(args) > 1 and args[0] == new_epel_requests):
print "Usage: pkgdb2-clone " + new_epel_requests
print " - OR -"
print " pkgdb2-clone <source branch> <dest branch> <pkgs ...>"
sys.exit(1)
pkgdb = pkgdb2client.PkgDB()
username = raw_input('Username: ')
password = getpass.getpass()
pkgdb.login(username, password, True)
collection_cache = generate_collection_cache(pkgdb)
if args[0] == new_epel_requests:
pkgs = parse_page(PAGE_URL)
for key in pkgs:
if is_in_rhel(key):
continue
src_branchname = normalize_branch(collection_cache, pkgs[key])
dest_branchname = normalize_branch(collection_cache,
'epel' + NEW_EPEL_VERSION)
if not src_branchname or not dest_branchname:
print "[" + key + "] Invalid source or destination branch "\
"name, " + src_branchname + " -> " + dest_branchname
else:
if process_package(pkgdb, key, src_branchname, dest_branchname):
subprocess.call(["mkbranch",
"-s",
NEW_EPEL_SOURCE_BRANCH,
"epel" + NEW_EPEL_VERSION,
key])
print "[" + key + "] Success"
else:
print "[" + key + "] Error"
print "Done."
else:
src_branchname = normalize_branch(collection_cache, args[0])
dest_branchname = normalize_branch(collection_cache, args[1])
if not src_branchname or not dest_branchname:
print "[" + key + "] Invalid source or destination branch "\
"name, " + src_branchname + " -> " + dest_branchname
for pkg in args[2:]:
if process_package(pkgdb, key, src_branchname, dest_branchname):
print "[" + key + "] Success"
else:
print "[" + key + "] Error"
if __name__ == '__main__':
main(sys.argv[1:])
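Review bot: The manual branch of main() (the `else:` after `print "Done."`) refers to `key`, which is only bound by the `for key in pkgs` loop in the other branch, so `process_package(pkgdb, key, …)` raises NameError on the first package; it should read `process_package(pkgdb, pkg, src_branchname, dest_branchname)` and print `pkg`. Both "Invalid source or destination branch" messages concatenate `src_branchname` and `dest_branchname`, which are None on exactly that path, so they raise TypeError instead of reporting; `'{0} -> {1}'.format(src_branchname, dest_branchname)` avoids that, and the manual branch needs a `sys.exit(1)` after its message. In the wiki-driven branch the package names come from the page fetched by parse_page() and reach `pkgdb.update_acl` and `mkbranch` unchanged; if that page can be edited by people who are not allowed to request branches, each name should be matched against a strict package-name pattern before either call.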


@ -0,0 +1 @@
00 45 * * * root /usr/local/bin/pkgdb_sync_git_branches.py
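Review bot: The schedule `00 45 * * *` puts 45 in the hour field, which only accepts 0–23, so cron will reject the entry and the sync will not run. If a daily run at 00:45 was meant, the line should be `45 0 * * * root /usr/local/bin/pkgdb_sync_git_branches.py`. The job also runs as root; if the script only needs write access to the git tree, a dedicated account would limit what a fault in it can touch.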
