Merge branch 'master' of /git/ansible

2018-08-29 08:32:47 +00:00 · 2018-08-29 08:32:47 +00:00 · bab1e587b6
commit bab1e587b6
parent c290bcf769 0da4b9b0fd
250 changed files with 4494 additions and 1510 deletions
--- a/.mailmap
+++ b/.mailmap
@ -0,0 +1,5 @@
+Rick Elrod <relrod@redhat.com> <codeblock@fedoraproject.org>
+Rick Elrod <relrod@redhat.com> Ricky Elrod
+Rick Elrod <relrod@redhat.com> Ricky Elrod <codeblock@lockbox01.phx2.fedoraproject.org>
+
+# ... others go here ...
--- a/files/common/mock
+++ b/files/common/mock
@ -1,6 +1,8 @@
 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 auth            sufficient      pam_succeed_if.so user ingroup mock use_uid quiet
+account sufficient pam_succeed_if.so user ingroup packager use_uid quiet
+auth sufficient pam_succeed_if.so user ingroup packager use_uid quiet
 # Uncomment the following line to implicitly trust users in the "wheel" group.
 #auth           sufficient      pam_wheel.so trust use_uid
 # Uncomment the following line to require a user to be in the "wheel" group.
@ -10,6 +12,4 @@ account         sufficient      pam_succeed_if.so user ingroup mock use_uid quie
 account         include         system-auth
 password        include         system-auth
 session         include         system-auth
-account sufficient pam_succeed_if.so user ingroup packager use_uid quiet
-auth sufficient pam_succeed_if.so user ingroup packager use_uid quiet
 session         optional        pam_xauth.so
--- a/files/openshift/openshift.repo
+++ b/files/openshift/openshift.repo
@ -5,11 +5,17 @@ baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 {% elif inventory_hostname.startswith('os') %}
+[rhel7-openshift-3.10]
+name = rhel7 openshift 3.10 $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.10-rpms/
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+enabled=1
+
 [rhel7-openshift-3.9]
 name = rhel7 openshift 3.9 $basearch
 baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.9-rpms/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-enabled=1
+enabled=0

 # 3.8 is needed to upgrade from 3.7 to 3.9
 [rhel7-openshift-3.8]
--- a/files/osbs/buildroot-Dockerfile-production.j2
+++ b/files/osbs/buildroot-Dockerfile-production.j2
@ -1,8 +1,7 @@
 FROM registry.fedoraproject.org/fedora
-ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
-RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\
-    python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\
-    libmodulemd python2-gobject python3-gobject python2-modulemd python3-modulemd python2-pdc-client python3-pdc-client ostree flatpak skopeo
+RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-setuptools e2fsprogs koji osbs-client\
+    python3-osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man python3-productmd\
+    python3-gobject python3-modulemd python3-pdc-client ostree flatpak-module-tools flatpak skopeo && dnf clean all
 ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json
 ADD ./worker_customize.json /usr/share/osbs/worker_customize.json
 ADD ./krb5.conf /etc
@ -10,4 +9,4 @@ RUN printf '[libdefaults]\n default_ccache_name = DIR:/tmp/ccache_%%{uid}' >/etc
 ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/
 ADD ./ca.crt /etc/pki/ca-trust/source/anchors/osbs.ca.crt
 RUN update-ca-trust
-CMD ["python2", "/usr/bin/atomic-reactor", "--verbose", "inside-build"]
+CMD ["python3", "/usr/bin/atomic-reactor", "--verbose", "inside-build"]
--- a/files/osbs/buildroot-Dockerfile-staging.j2
+++ b/files/osbs/buildroot-Dockerfile-staging.j2
@ -1,8 +1,7 @@
 FROM registry.fedoraproject.org/fedora
-ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
 RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-setuptools e2fsprogs koji osbs-client\
    python3-osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man python3-productmd\
-    libmodulemd python3-gobject python3-modulemd python3-pdc-client ostree flatpak skopeo && dnf clean all
+    python3-gobject python3-modulemd python3-pdc-client ostree flatpak-module-tools flatpak skopeo && dnf clean all
 ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json
 ADD ./worker_customize.json /usr/share/osbs/worker_customize.json
 ADD ./krb5.conf /etc
--- a/files/osbs/orchestrator_customize.json
+++ b/files/osbs/orchestrator_customize.json
@ -3,13 +3,7 @@
        {
            "plugin_type": "exit_plugins",
            "plugin_name": "import_image"
-        },
-        {
-            "plugin_type": "prebuild_plugins",
-            "plugin_name": "flatpak_create_dockerfile"
        }
    ],
-
-    "enable_plugins": [
-    ]
-}
+    "enable_plugins": []
+}
--- a/files/osbs/worker_customize.json
+++ b/files/osbs/worker_customize.json
@ -3,13 +3,7 @@
        {
            "plugin_type": "prebuild_plugins",
            "plugin_name": "fetch_maven_artifacts"
-        },
-        {
-            "plugin_type": "prebuild_plugins",
-            "plugin_name": "flatpak_create_dockerfile"
        }
    ],
-
-    "enable_plugins": [
-    ]
-}
+    "enable_plugins": []
+}
--- a/inventory/backups
+++ b/inventory/backups
@ -22,6 +22,7 @@ copr-keygen.cloud.fedoraproject.org
 #copr-dist-git.fedorainfracloud.org
 value01.phx2.fedoraproject.org
 taiga.fedorainfracloud.org
+tang01.phx2.fedoraproject.org
 taskotron01.qa.fedoraproject.org
 nuancier01.phx2.fedoraproject.org
 magazine2.fedorainfracloud.org
--- a/inventory/builders
+++ b/inventory/builders
@ -77,8 +77,9 @@ buildvm-aarch64-19.arm.fedoraproject.org
 buildvm-aarch64-20.arm.fedoraproject.org
 buildvm-aarch64-21.arm.fedoraproject.org
 buildvm-aarch64-22.arm.fedoraproject.org
-buildvm-aarch64-23.arm.fedoraproject.org
-buildvm-aarch64-24.arm.fedoraproject.org
+# These two have been dropped to allow for osbs builders.
+#buildvm-aarch64-23.arm.fedoraproject.org
+#buildvm-aarch64-24.arm.fedoraproject.org

 [buildvm-armv7]
 buildvm-armv7-01.arm.fedoraproject.org
@ -232,8 +233,8 @@ buildvm-ppc64le-18.ppc.fedoraproject.org
 buildvm-ppc64le-19.ppc.fedoraproject.org

 [bkernel]
-bkernel01.phx2.fedoraproject.org
-bkernel02.phx2.fedoraproject.org
+bkernel03.phx2.fedoraproject.org
+bkernel04.phx2.fedoraproject.org

 #
 # These are misc 
--- a/inventory/cloud
+++ b/inventory/cloud
@ -10,14 +10,16 @@ commops.fedorainfracloud.org
 communityblog.fedorainfracloud.org
 copr-be.cloud.fedoraproject.org
 copr-be-dev.cloud.fedoraproject.org
-copr-dist-git-dev.fedorainfracloud.org
+copr-be-stg.fedorainfracloud.org
 copr-dist-git.fedorainfracloud.org
+copr-dist-git-dev.fedorainfracloud.org
+copr-dist-git-stg.fedorainfracloud.org
 copr-fe.cloud.fedoraproject.org
 copr-fe-dev.cloud.fedoraproject.org
 copr-keygen.cloud.fedoraproject.org
 copr-keygen-dev.cloud.fedoraproject.org
+copr-keygen-stg.fedorainfracloud.org
 developer.fedorainfracloud.org
-eclipse.fedorainfracloud.org
 elastic-dev.fedorainfracloud.org
 el6-test.fedorainfracloud.org
 el7-test.fedorainfracloud.org
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -45,6 +45,9 @@ custom_rules: []
 nat_rules: []
 custom6_rules: []

+# defaults for hw installs
+install_noc: none
+
 # defaults for virt installs
 ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
 ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
@ -261,7 +264,7 @@ createrepo: True

 # Nagios global variables
 nagios_Check_Services:
-  monitor: true
+  mail: true
  nrpe: true
  sshd: true
  named: false
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@ -23,7 +23,7 @@ custom_rules: [

 # TODO - remove modularity-wg membership here once it is not longer needed:
 # https://fedorahosted.org/fedora-infrastructure/ticket/5363
-fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst
+fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring

 #
 # This is a postfix gateway. This will pick up gateway postfix config in base
@ -55,3 +55,6 @@ csi_relationship: |
  - All incoming SMTP from phx2 and VPN, as well as outgoing SMTP, pass or are filtered here.
  - Bastion does not accept any mail outside phx2/vpn.

+nagios_Check_Services:
+  nrpe: true
+  mail: false
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@ -8,7 +8,7 @@ tcp_ports: [ 80, 443 ]
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]

-fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-build,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst
+fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring

 ansible_base: /srv/web/infra
 freezes: false
--- a/inventory/group_vars/builders
+++ b/inventory/group_vars/builders
@ -5,3 +5,4 @@
 nagios_Check_Services:
  nrpe: false
  swap: false
+  mail: false
--- a/inventory/group_vars/builders-stg
+++ b/inventory/group_vars/builders-stg
@ -5,3 +5,4 @@
 nagios_Check_Services:
  nrpe: false
  swap: false
+  mail: false
--- a/inventory/group_vars/cloud
+++ b/inventory/group_vars/cloud
@ -1,5 +1,6 @@
 ---
 nagios_Check_Services: 
+  mail: false
  nrpe: false
  swap: false
 datacenter: cloud
--- a/inventory/group_vars/copr-back-dev
+++ b/inventory/group_vars/copr-back-dev
@ -0,0 +1,29 @@
+---
+_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
+
+copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
+copr_nova_tenant_id: "a6ff2158641c439a8426d7facab45437"
+copr_nova_tenant_name: "coprdev"
+copr_nova_username: "copr"
+
+copr_builder_image_name: "builder-f24"
+copr_builder_flavor_name: "ms2.builder"
+copr_builder_network_name: "coprdev-net"
+copr_builder_key_name: "buildsys"
+copr_builder_security_groups: "ssh-anywhere-coprdev,default,ssh-from-persistent-coprdev"
+
+fedmsg_enabled: "true"
+
+do_sign: "true"
+
+spawn_in_advance: "false"
+frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should override them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+csi_security_category: Moderate
+csi_primary_contact: "msuchy (mirek), clime, frostyx, dturecek IRC #fedora-admin, #fedora-buildsys"
+csi_purpose: Provide the testing environment of copr's backend
+csi_relationship: This host is the testing environment for the cloud infrastructure of copr's backend
--- a/inventory/group_vars/copr-back-stg
+++ b/inventory/group_vars/copr-back-stg
@ -1,4 +1,6 @@
 ---
+resolvconf: "resolv.conf/cloud"
+
 _lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"

 copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
@ -17,7 +19,7 @@ fedmsg_enabled: "true"
 do_sign: "true"

 spawn_in_advance: "false"
-frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
+frontend_base_url: "https://copr.stg.fedoraproject.org"

 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
--- a/inventory/group_vars/copr-dev
+++ b/inventory/group_vars/copr-dev
@ -0,0 +1,19 @@
+---
+devel: true
+#_forward-src: "{{ files }}/copr/forward-dev"
+_forward_src: "forward_dev"
+
+# don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules
+
+copr_backend_ips: ["172.25.32.232", "172.25.157.237"]
+keygen_host: "172.25.32.238"
+
+resolvconf: "resolv.conf/cloud"
+
+backend_base_url: "http://copr-be-dev.cloud.fedoraproject.org"
+postfix_maincf: "postfix/main.cf/main.cf.copr"
+
+frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
+dist_git_base_url: "copr-dist-git-dev.fedorainfracloud.org"
+
+ansible_ifcfg_blacklist: true 
--- a/inventory/group_vars/copr-dist-git
+++ b/inventory/group_vars/copr-dist-git
@ -1,5 +1,4 @@
 ---
-tcp_ports: [22, 80]
+tcp_ports: [22, 80, 443]
 datacenter: cloud
 freezes: false
-custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT']
--- a/inventory/group_vars/copr-dist-git-dev
+++ b/inventory/group_vars/copr-dist-git-dev
@ -0,0 +1,6 @@
+---
+tcp_ports: [22, 80]
+datacenter: cloud
+freezes: false
+devel: true
+custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT']
--- a/inventory/group_vars/copr-dist-git-stg
+++ b/inventory/group_vars/copr-dist-git-stg
@ -1,6 +1,6 @@
 ---
-tcp_ports: [22, 80]
+resolvconf: "resolv.conf/cloud"
+
+tcp_ports: [22, 80, 443]
 datacenter: cloud
 freezes: false
-devel: true
-custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT']
--- a/inventory/group_vars/copr-front-dev
+++ b/inventory/group_vars/copr-front-dev
@ -0,0 +1,9 @@
+---
+copr_frontend_public_hostname: "copr-fe-dev.cloud.fedoraproject.org"
+
+csi_security_category: Low
+csi_primary_contact: "msuchy (mirek), clime, frostyx, dturecek IRC #fedora-admin, #fedora-buildsys"
+csi_purpose: Provide the testing environment of copr's frontend
+csi_relationship: This host is the testing environment for copr's web interface
+
+copr_mbs_cli_login: Y29wcg==##vtvvikhcjncwkfkdcssv
--- a/inventory/group_vars/copr-front-stg
+++ b/inventory/group_vars/copr-front-stg
@ -1,9 +1,33 @@
 ---
-copr_frontend_public_hostname: "copr-fe-dev.cloud.fedoraproject.org"
+# Define resources for this group of hosts here.
+lvm_size: 10000
+mem_size: 2048
+num_cpus: 1

+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+copr_frontend_public_hostname: "copr.stg.fedoraproject.org"
+
+copruser_db_password: "{{ copruser_db_password_stg }}"
+
+tcp_ports: [ 80 ]
+
+custom_rules: [
+    # Need for rsync from log01 for logs.
+    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+ ]
+
+fas_client_groups: sysadmin-copr,fi-apprentice,sysadmin-noc,sysadmin-veteran
+
+freezes: false
+
+# For the MOTD
 csi_security_category: Low
-csi_primary_contact: "msuchy (mirek), clime, frostyx, dturecek IRC #fedora-admin, #fedora-buildsys"
-csi_purpose: Provide the testing environment of copr's frontend
-csi_relationship: This host is the testing environment for copr's web interface
-
-copr_mbs_cli_login: Y29wcg==##vtvvikhcjncwkfkdcssv
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
+csi_purpose: Copr community build service
+csi_relationship: |
+    This machine depends on:
+    - PostgreSQL DB server
+    - bastion (for mail relay)
--- a/inventory/group_vars/copr-keygen-dev
+++ b/inventory/group_vars/copr-keygen-dev
@ -0,0 +1,13 @@
+---
+copr_hostbase: copr-keygen-dev
+tcp_ports: []
+
+# http + signd dest ports
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 5167 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 5167 -j ACCEPT']
+
+datacenter: cloud
+
+freezes: false
--- a/inventory/group_vars/copr-keygen-stg
+++ b/inventory/group_vars/copr-keygen-stg
@ -1,12 +1,14 @@
 ---
-copr_hostbase: copr-keygen-dev
+resolvconf: "resolv.conf/cloud"
+
+copr_hostbase: copr-keygen-stg
 tcp_ports: []

 # http + signd dest ports
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 5167 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 5167 -j ACCEPT']
+custom_rules: ['-A INPUT -p tcp -m tcp -s 172.25.33.9 --dport 80 -j ACCEPT',
+               '-A INPUT -p tcp -m tcp -s 172.25.151.227 --dport 80 -j ACCEPT',
+               '-A INPUT -p tcp -m tcp -s 172.25.33.9 --dport 5167 -j ACCEPT',
+               '-A INPUT -p tcp -m tcp -s 172.25.151.227 --dport 5167 -j ACCEPT']

 datacenter: cloud

--- a/inventory/group_vars/copr-stg
+++ b/inventory/group_vars/copr-stg
@ -5,15 +5,11 @@ _forward_src: "forward_dev"

 # don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules

-copr_backend_ips: ["172.25.32.232", "172.25.157.237"]
-keygen_host: "172.25.32.238"
+copr_backend_ips: ["172.25.33.9", "172.25.151.227"]
+keygen_host: "172.25.33.12"

-resolvconf: "resolv.conf/cloud"
+backend_base_url: "http://copr-be-stg.fedorainfracloud.org"
+frontend_base_url: "https://copr.stg.fedoraproject.org"
+dist_git_base_url: "copr-dist-git-stg.fedorainfracloud.org"

-backend_base_url: "http://copr-be-dev.cloud.fedoraproject.org"
-postfix_maincf: "postfix/main.cf/main.cf.copr"
-
-frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
-dist_git_base_url: "copr-dist-git-dev.fedorainfracloud.org"
-
-ansible_ifcfg_blacklist: true 
+ansible_ifcfg_blacklist: true
--- a/inventory/group_vars/faf-stg
+++ b/inventory/group_vars/faf-stg
@ -6,6 +6,7 @@ tcp_ports: [ 80, 443 ]
 sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers"

 nagios_Check_Services:
+  mail: false
  nrpe: false
  swap: false

--- a/inventory/group_vars/nagios
+++ b/inventory/group_vars/nagios
@ -74,8 +74,6 @@ phx2_management_hosts:
  - cn-x86-64-02-01.mgmt.fedoraproject.org
  - cn-x86-64-02-02.mgmt.fedoraproject.org
  - cloud-fx02.mgmt.fedoraproject.org
-  - download01.mgmt.fedoraproject.org
-  - download02.mgmt.fedoraproject.org
  - download03.mgmt.fedoraproject.org
  - download04.mgmt.fedoraproject.org
  - download05.mgmt.fedoraproject.org
@ -129,8 +127,6 @@ phx2_management_hosts:
 # to test ping against. No http/https
 #
 phx2_management_limited:
-  - bkernel01.mgmt.fedoraproject.org
-  - bkernel02.mgmt.fedoraproject.org
  - fed-cloud-ppc01.mgmt.fedoraproject.org
  - fed-cloud-ppc02.mgmt.fedoraproject.org
  - moonshot01-ilo.mgmt.fedoraproject.org
@ -142,8 +138,6 @@ phx2_management_limited:
  - qa07.mgmt.fedoraproject.org
  - sign-vault03.mgmt.fedoraproject.org
  - sign-vault04.mgmt.fedoraproject.org
-  - virthost-comm02.mgmt.fedoraproject.org
-  - virthost14.mgmt.fedoraproject.org

 phx2_management_slowping:
  - ppc8-01-fsp.mgmt.fedoraproject.org
--- a/inventory/group_vars/newcloud
+++ b/inventory/group_vars/newcloud
@ -11,7 +11,7 @@ ansible_ifcfg_whitelist: ['eth1']
 baseiptables: false
 ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q cloud-noc01.cloud.fedoraproject.org"'
 nagios_Check_Services:
-  monitor: false
+  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/group_vars/docker-registry
+++ b/inventory/group_vars/docker-registry
@ -1,6 +1,4 @@
 ---
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/

 fas_client_groups: sysadmin-releng

@ -8,7 +6,12 @@ sudoers: "{{ private }}/files/sudo/00releng-sudoers"

 tcp_ports: [
    5000,
-    # This is for the gluster server
-    6996]
+    # These ports all required for gluster
+    111, 24007, 24008, 24009, 24010, 24011,
+    49152, 49153, 49154, 49155,
+    ]
+
+# gluster
+udp_ports: [111]

 registry_gluster_username_prod: registry-prod
--- a/inventory/group_vars/docker-registry-stg
+++ b/inventory/group_vars/docker-registry-stg
@ -1,7 +1,4 @@
 ---
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
-
 fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-veteran

 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
--- a/inventory/group_vars/openqa
+++ b/inventory/group_vars/openqa
@ -44,8 +44,7 @@ tcp_ports: [80, 2049]
 # These people get told when something goes wrong.
 fedmsg_error_recipients:
 - adamwill@fedoraproject.org
- tflink@fedoraproject.org
- pschindl@fedoraproject.org
+- lruzicka@fedoraproject.org

 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
@ -69,6 +68,14 @@ fedmsg_certs:
  - openqa.jobs.restart
  - openqa.job.update.result
  - openqa.job.done
+- service: ci
+  owner: root
+  group: geekotest
+  can_send:
+  - ci.productmd-compose.test.queued
+  - ci.productmd-compose.test.running
+  - ci.productmd-compose.test.complete
+  - ci.productmd-compose.test.error

 # we need this to log with fedmsg-logger
 fedmsg_active: True
--- a/inventory/group_vars/openqa-stg
+++ b/inventory/group_vars/openqa-stg
@ -48,8 +48,7 @@ tcp_ports: [80, 2049]
 # These people get told when something goes wrong.
 fedmsg_error_recipients:
 - adamwill@fedoraproject.org
- tflink@fedoraproject.org
- pschindl@fedoraproject.org
+- lruzicka@fedoraproject.org

 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/group_vars/os
+++ b/inventory/group_vars/os
@ -3,3 +3,4 @@ host_group: os
 baseiptables: False
 no_http2: True
 nm_controlled_resolv: True
+openshift_ansible_upgrading: True
--- a/inventory/group_vars/os-masters
+++ b/inventory/group_vars/os-masters
@ -6,3 +6,4 @@ swap: false
 nagios_Check_Services:
  swap: false
  nrpe: false
+  mail: false
--- a/inventory/group_vars/os-masters-stg
+++ b/inventory/group_vars/os-masters-stg
@ -6,3 +6,4 @@ os_app_url: app.os.stg.fedoraproject.org
 nagios_Check_Services:
  swap: false
  nrpe: false
+  mail: false
--- a/inventory/group_vars/os-nodes
+++ b/inventory/group_vars/os-nodes
@ -6,3 +6,4 @@ swap: false
 nagios_Check_Services:
  swap: false
  nrpe: false
+  mail: false
--- a/inventory/group_vars/os-nodes-stg
+++ b/inventory/group_vars/os-nodes-stg
@ -6,3 +6,4 @@ os_app_url: app.os.stg.fedoraproject.org
 nagios_Check_Services:
  swap: false
  nrpe: false
+  mail: false
--- a/inventory/group_vars/os-stg
+++ b/inventory/group_vars/os-stg
@ -3,3 +3,5 @@ host_group: os
 baseiptables: False
 no_http2: False
 nm_controlled_resolv: True
+# Only set this when upgrading
+#openshift_ansible_upgrading: True
--- a/inventory/group_vars/osbs-masters
+++ b/inventory/group_vars/osbs-masters
@ -132,7 +132,7 @@ _osbs_reactor_config_map:
    required_secrets:
    - kojisecret
    - v2-registry-dockercfg
-    # - odcs-oidc-secret
+    - odcs-oidc-secret

    worker_token_secrets:
    - x86-64-orchestrator
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@ -17,7 +17,7 @@ wsgi_fedmsg_service: pagure
 wsgi_procs: 6
 wsgi_threads: 6

-fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-veteran
+fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-veteran
 fas_client_restricted_app: PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/share/gitolite3/gitolite-shell %(username)s
 fas_client_admin_app: PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/share/gitolite3/gitolite-shell -s %(username)s
 fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-releng,sysadmin-noc,sysadmin-veteran"
--- a/inventory/group_vars/retrace-stg
+++ b/inventory/group_vars/retrace-stg
@ -7,5 +7,6 @@ sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers"
 root_auth_users: msuchy

 nagios_Check_Services:
+  mail: false
  nrpe: false
  swap: false
--- a/inventory/group_vars/sign-vault
+++ b/inventory/group_vars/sign-vault
@ -3,3 +3,9 @@ freezes: true
 postfix_group: sign
 host_group: sign
 ansible_ifcfg_blacklist: true
+nagios_Check_Services:
+  mail: false
+  nrpe: false
+  sshd: false
+  swap: false
+  ping: true
--- a/inventory/group_vars/smtp-mm
+++ b/inventory/group_vars/smtp-mm
@ -14,3 +14,7 @@ fas_client_groups: sysadmin-noc,sysadmin-tools,fi-apprentice,sysadmin-veteran
 postfix_transport_filename: transports.mm-smtp
 postfix_group: smtp-mm
 vpn: true
+
+nagios_Check_Services:
+  nrpe: true
+  mail: false
--- a/inventory/group_vars/tang
+++ b/inventory/group_vars/tang
@ -0,0 +1,23 @@
+---
+nm: 255.255.255.0
+gw: 10.5.128.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
+
+host_backup_targets: ['/var/db/tang']
+
+datacenter: phx2
+
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 4096
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [80]
+
+fas_client_groups: sysadmin-main
--- a/inventory/host_vars/batcave13.rdu2.fedoraproject.org
+++ b/inventory/host_vars/batcave13.rdu2.fedoraproject.org
@ -26,6 +26,7 @@ postfix_group: vpn
 vpn: true

 nagios_Check_Services:
+  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/host_vars/bkernel03.phx2.fedoraproject.org
+++ b/inventory/host_vars/bkernel03.phx2.fedoraproject.org
@ -1,4 +1,4 @@
 ---
 gw: 10.5.125.254
 eth0_ip: 10.5.125.81
-eth1_ip: 10.5.127.133
+eth1_ip: 10.5.127.129
--- a/inventory/host_vars/bkernel04.phx2.fedoraproject.org
+++ b/inventory/host_vars/bkernel04.phx2.fedoraproject.org
@ -1,4 +1,4 @@
 ---
 gw: 10.5.125.254
 eth0_ip: 10.5.125.82
-eth1_ip: 10.5.127.134
+eth1_ip: 10.5.127.144
--- a/inventory/host_vars/branched-composer.phx2.fedoraproject.org
+++ b/inventory/host_vars/branched-composer.phx2.fedoraproject.org
@ -34,3 +34,8 @@ fedmsg_certs:
  - compose.branched.rsync.complete
  - compose.branched.rsync.start
  - compose.branched.start
+  - compose.29.start
+  - compose.29.complete
+  - compose.29.rsync.start
+  - compose.29.rsync.complete
+
--- a/inventory/host_vars/certgetter01.phx2.fedoraproject.org
+++ b/inventory/host_vars/certgetter01.phx2.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/

 volgroup: /dev/vg_guests
 eth0_ip: 10.5.126.237
--- a/inventory/host_vars/cloud-noc01.cloud.fedoraproject.org
+++ b/inventory/host_vars/cloud-noc01.cloud.fedoraproject.org
@ -12,16 +12,16 @@ freezes: false
 resolvconf: "{{ files }}/resolv.conf/cloud-noc01.cloud.fedoraproject.org"

 tcp_ports: ['22']
-custom_rules: [ '-A INPUT -i eth0 -p tcp -m tcp -s 209.132.184.0/24  --dport 67 -j ACCEPT',
-                '-A INPUT -i eth0 -p tcp -m tcp -s 209.132.184.0/24  --dport 68 -j ACCEPT',
-                '-A INPUT -i eth0 -p tcp -m tcp -s 209.132.184.0/24  --dport 69 -j ACCEPT',
-                '-A INPUT -i eth0 -p udp -m udp -s 209.132.184.0/24  --dport 67 -j ACCEPT',
-                '-A INPUT -i eth0 -p udp -m udp -s 209.132.184.0/24  --dport 68 -j ACCEPT',
-                '-A INPUT -i eth0 -p udp -m udp -s 209.132.184.0/24  --dport 69 -j ACCEPT',
-                '-A INPUT -i eth1 -p tcp -m tcp -s 172.23.0.0/23  --dport 67 -j ACCEPT',
-                '-A INPUT -i eth1 -p tcp -m tcp -s 172.23.0.0/23  --dport 68 -j ACCEPT',
-                '-A INPUT -i eth1 -p tcp -m tcp -s 172.23.0.0/23  --dport 69 -j ACCEPT',
-                '-A INPUT -i eth1 -p udp -m udp -s 172.23.0.0/23  --dport 67 -j ACCEPT',
-                '-A INPUT -i eth1 -p udp -m udp -s 172.23.0.0/23  --dport 68 -j ACCEPT',
-                '-A INPUT -i eth1 -p udp -m udp -s 172.23.0.0/23  --dport 69 -j ACCEPT' ]
+custom_rules: [ '-A INPUT -i br0 -p tcp -m tcp -s 209.132.184.0/24  --dport 67 -j ACCEPT',
+                '-A INPUT -i br0 -p tcp -m tcp -s 209.132.184.0/24  --dport 68 -j ACCEPT',
+                '-A INPUT -i br0 -p tcp -m tcp -s 209.132.184.0/24  --dport 69 -j ACCEPT',
+                '-A INPUT -i br0 -p udp -m udp -s 209.132.184.0/24  --dport 67 -j ACCEPT',
+                '-A INPUT -i br0 -p udp -m udp -s 209.132.184.0/24  --dport 68 -j ACCEPT',
+                '-A INPUT -i br0 -p udp -m udp -s 209.132.184.0/24  --dport 69 -j ACCEPT',
+                '-A INPUT -i br1 -p tcp -m tcp -s 172.23.0.0/23  --dport 67 -j ACCEPT',
+                '-A INPUT -i br1 -p tcp -m tcp -s 172.23.0.0/23  --dport 68 -j ACCEPT',
+                '-A INPUT -i br1 -p tcp -m tcp -s 172.23.0.0/23  --dport 69 -j ACCEPT',
+                '-A INPUT -i br1 -p udp -m udp -s 172.23.0.0/23  --dport 67 -j ACCEPT',
+                '-A INPUT -i br1 -p udp -m udp -s 172.23.0.0/23  --dport 68 -j ACCEPT',
+                '-A INPUT -i br1 -p udp -m udp -s 172.23.0.0/23  --dport 69 -j ACCEPT' ]

--- a/inventory/host_vars/compose-iot-01.phx2.fedoraproject.org
+++ b/inventory/host_vars/compose-iot-01.phx2.fedoraproject.org
@ -35,3 +35,5 @@ fedmsg_certs:
  - pungi.compose.ostree
  - compose.29.complete
  - compose.29.start
+  - compose.29.rsync.start
+  - compose.29.rsync.complete
--- a/inventory/host_vars/copr-be-stg.fedorainfracloud.org
+++ b/inventory/host_vars/copr-be-stg.fedorainfracloud.org
@ -0,0 +1,26 @@
+---
+instance_type: m1.xlarge
+image: "{{ fedora27_x86_64 }}"
+keypair: fedora-admin-20130801
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent,fedmsg-relay-persistent
+zone: nova
+hostbase: copr-be-stg-
+public_ip: 209.132.184.44
+root_auth_users: msuchy pingou frostyx dturecek clime
+description: copr dispatcher and repo server - stg instance
+tcp_ports: ['22', '80', '443', '2003', '4001']
+# volumes: copr-be-stg-data
+volumes: [ {volume_id: 'a3325e22-bdc0-4eeb-bb73-45365ddb7a01', device: '/dev/vdc'} ]
+
+inventory_tenant: persistent
+# name of machine in OpenStack
+inventory_instance_name: copr-be-stg
+cloud_networks:
+  # persistent-net
+  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
+  # coprdev-net
+  - net-id: "a440568f-b90a-46af-8ca6-d8fa743a7e7a"
+
+# Copr vars
+copr_hostbase: copr-be-stg
+_copr_be_conf: copr-be.conf-stg
--- a/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org
+++ b/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org
@ -0,0 +1,22 @@
+---
+instance_type: ms1.small
+image: "{{ fedora27_x86_64 }}"
+keypair: fedora-admin-20130801
+security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
+zone: nova
+hostbase: copr-dist-git-stg-
+public_ip: 209.132.184.57
+root_auth_users:  ryanlerch pingou msuchy dturecek frostyx clime
+description: dist-git for copr service - stg instance
+tcp_ports: [22, 80]
+# volumes:  copr-dist-git-stg
+volumes: [ {volume_id: '0cb506b9-3931-47fa-b6d3-a0ad2614f221', device: '/dev/vdc'} ]
+inventory_tenant: persistent
+# name of machine in OpenStack
+inventory_instance_name: copr-dist-git-stg
+cloud_networks:
+  # persistent-net
+  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
+
+# Copr vars
+copr_hostbase: copr-dist-git-stg
--- a/inventory/host_vars/copr-dist-git.fedorainfracloud.org
+++ b/inventory/host_vars/copr-dist-git.fedorainfracloud.org
@ -6,7 +6,7 @@ security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-i
 zone: nova
 hostbase: copr-dist-git
 public_ip: 209.132.184.163
-root_auth_users:  msuchy asamalik clime frostyx
+root_auth_users:  msuchy clime frostyx
 description: dist-git for copr service - prod instance
 tcp_ports: [22, 80]
 # volumes:  copr-dist-git, copr-dist-git-log
--- a/inventory/host_vars/copr-fe.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-fe.cloud.fedoraproject.org
@ -9,7 +9,7 @@ security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywh
 zone: nova
 hostbase: copr-fe-
 public_ip: 209.132.184.54
-root_auth_users:  msuchy asamalik clime frostyx
+root_auth_users:  msuchy clime frostyx
 description: copr frontend server - prod instance
 tcp_ports: [22, 80, 443]
 volumes: [ {volume_id: '8f790db7-8294-4d2b-8bae-7af5961ce0f8', device: '/dev/vdc'} ]
--- a/inventory/host_vars/copr-frontend01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/copr-frontend01.stg.phx2.fedoraproject.org
@ -0,0 +1,12 @@
+---
+nm: 255.255.255.0
+gw: 10.5.128.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
+
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.128.49
+vmhost: virthost02.stg.phx2.fedoraproject.org
+datacenter: phx2
--- a/inventory/host_vars/copr-frontend02.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/copr-frontend02.stg.phx2.fedoraproject.org
@ -0,0 +1,12 @@
+---
+nm: 255.255.255.0
+gw: 10.5.128.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
+
+volgroup: /dev/vg_virthost16
+eth0_ip: 10.5.128.50
+vmhost: virthost05.stg.phx2.fedoraproject.org
+datacenter: phx2
--- a/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org
+++ b/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org
@ -0,0 +1,22 @@
+---
+instance_type: ms1.small
+image: "{{ fedora27_x86_64 }}"
+keypair: fedora-admin-20130801
+# todo: remove some security groups ?
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
+zone: nova
+hostbase: copr-keygen-stg-
+public_ip: 209.132.184.56
+root_auth_users: msuchy clime frostyx dturecek
+volumes: [ {volume_id: '5424ff3c-b1c6-4291-a0ed-2d30924f4f88', device: '/dev/vdc'} ]
+description: copr keygen and sign host - stg instance
+
+inventory_tenant: persistent
+# name of machine in OpenStack
+inventory_instance_name: copr-keygen-stg
+cloud_networks:
+  # persistent-net
+  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
+
+# Copr vars
+copr_hostbase: copr-keygen-stg
--- a/inventory/host_vars/db-koji01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/db-koji01.stg.phx2.fedoraproject.org
@ -7,8 +7,8 @@ eth0_ip: 10.5.128.98
 vmhost: bvirthost01.stg.phx2.fedoraproject.org
 datacenter: phx2

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/

 # This is a generic list, monitored by collectd
 databases:
--- a/inventory/host_vars/download-rdu01.fedoraproject.org
+++ b/inventory/host_vars/download-rdu01.fedoraproject.org
@ -13,3 +13,8 @@ eth1_ip: 172.31.1.1
 eth1_nm: 255.255.255.0

 public_ip: 209.132.190.4
+
+nagios_Check_Services:
+  mail: false
+  nrpe: false
+  ping: true
--- a/inventory/host_vars/download01.phx2.fedoraproject.org
+++ b/inventory/host_vars/download01.phx2.fedoraproject.org
@ -1,4 +1,34 @@
 ---
+nm: 255.255.255.0
 gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
+
+vmhost: virthost01.phx2.fedoraproject.org
+volgroup: /dev/vg_guests
+#
+# We need this to install with 2 nics
+#
+virt_install_command: "{{ virt_install_command_two_nic }}"
+
 eth0_ip: 10.5.126.93
 eth1_ip: 10.5.127.101
+main_bridge: br0
+nfs_bridge: br1
+
+datacenter: phx2
+
+tcp_ports: [80, 443, 873]
+rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}"
+
+nrpe_procs_warn: 1200
+nrpe_procs_crit: 1400
+
+mem_size: 16384
+max_mem_size: 20480
+lvm_size: 20000
+num_cpus: 8
+
+vpn: false
--- a/inventory/host_vars/download02.phx2.fedoraproject.org
+++ b/inventory/host_vars/download02.phx2.fedoraproject.org
@ -1,4 +1,34 @@
 ---
+nm: 255.255.255.0
 gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
+
+vmhost: virthost02.phx2.fedoraproject.org
+volgroup: /dev/vg_guests
+#
+# We need this to install with 2 nics
+#
+virt_install_command: "{{ virt_install_command_two_nic }}"
+
 eth0_ip: 10.5.126.94
 eth1_ip: 10.5.127.102
+main_bridge: br0
+nfs_bridge: br1
+
+datacenter: phx2
+
+tcp_ports: [80, 443, 873]
+rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}"
+
+nrpe_procs_warn: 1200
+nrpe_procs_crit: 1400
+
+mem_size: 16384
+max_mem_size: 20480
+lvm_size: 20000
+num_cpus: 8
+
+vpn: false
--- a/inventory/host_vars/eclipse.fedorainfracloud.org
+++ b/inventory/host_vars/eclipse.fedorainfracloud.org
@ -1,18 +0,0 @@
---
-image: "{{ fedora23_x86_64 }}"
-instance_type: m1.small
-keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
-zone: nova
-tcp_ports: [22, 80, 443]
-
-inventory_tenant: persistent
-inventory_instance_name: eclipse
-hostbase: eclipse
-public_ip: 209.132.184.121
-root_auth_users: mbooth sopotc akurtakov
-description: eclipse help for fedora eclipse addons
-
-cloud_networks:
-  # persistent-net
-  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
--- a/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org
@ -12,6 +12,7 @@ vmhost: virthost04.stg.phx2.fedoraproject.org
 datacenter: phx2

 nagios_Check_Services: 
+  mail: false
  nrpe: false
  swap: false

--- a/inventory/host_vars/fed-cloud01.cloud.fedoraproject.org
+++ b/inventory/host_vars/fed-cloud01.cloud.fedoraproject.org
@ -1,4 +1,5 @@
 ---
 nagios_Check_Services:
+  mail: false
  nrpe: false
  swap: false
--- a/inventory/host_vars/fed-cloud02.cloud.fedoraproject.org
+++ b/inventory/host_vars/fed-cloud02.cloud.fedoraproject.org
@ -1,4 +1,5 @@
 ---
 nagios_Check_Services:
+  mail: false
  nrpe: false
  swap: false
--- a/inventory/host_vars/ns13.rdu2.fedoraproject.org
+++ b/inventory/host_vars/ns13.rdu2.fedoraproject.org
@ -28,6 +28,7 @@ ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q root@bastion13.fedora

 nagios_Check_Services:
  nrpe: false
+  mail: false
  sshd: false
  swap: false
  ping: false
--- a/inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.125.57
 vmhost: bvirthost01.phx2.fedoraproject.org
--- a/inventory/host_vars/docker-candidate-registry01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-candidate-registry01.stg.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.128.122
 vmhost: virthost04.stg.phx2.fedoraproject.org
--- a/inventory/host_vars/docker-registry03.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-registry03.phx2.fedoraproject.org
@ -2,10 +2,10 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
-eth0_ip: 10.5.125.78
+eth0_ip: 10.5.125.77
 vmhost: bvirthost04.phx2.fedoraproject.org
 datacenter: phx2

--- a/inventory/host_vars/docker-registry01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-registry01.stg.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.128.123
 vmhost: virthost04.stg.phx2.fedoraproject.org
--- a/inventory/host_vars/docker-registry02.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-registry02.phx2.fedoraproject.org
@ -2,10 +2,10 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
-eth0_ip: 10.5.125.77
+eth0_ip: 10.5.125.78
 vmhost: bvirthost01.phx2.fedoraproject.org
 datacenter: phx2

--- a/inventory/host_vars/docker-registry02.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-registry02.stg.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.128.124
 vmhost: virthost01.stg.phx2.fedoraproject.org
--- a/inventory/host_vars/osbs-control01.phx2.fedoraproject.org
+++ b/inventory/host_vars/osbs-control01.phx2.fedoraproject.org
@ -13,3 +13,7 @@ datacenter: phx2

 mem_size: 4096
 max_mem_size: 4096
+
+nagios_Check_Services:
+  nrpe: false
+  mail: false
--- a/inventory/host_vars/relay-stg.ci.centos.org
+++ b/inventory/host_vars/relay-stg.ci.centos.org
@ -62,7 +62,7 @@ fedmsg_prefix: org.centos
 fedmsg_env: stg

 nagios_Check_Services:
-  monitor: false
+  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/host_vars/relay.ci.centos.org
+++ b/inventory/host_vars/relay.ci.centos.org
@ -62,7 +62,7 @@ fedmsg_prefix: org.centos
 fedmsg_env: prod

 nagios_Check_Services:
-  monitor: false
+  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/host_vars/sign-vault05.phx2.fedoraproject.org
+++ b/inventory/host_vars/sign-vault05.phx2.fedoraproject.org
@ -0,0 +1,10 @@
+---
+gw: 10.5.125.254
+eth0_ip: 10.5.125.83
+
+install_noc: noc01.phx2.fedoraproject.org
+install_mac: D0:94:66:45:87:C1
+# Inside this, expect /vmlinuz and /initrd.img
+install_binpath: /uefi/x86_64/f28
+install_ks: http://10.5.126.23/repo/rhel/ks/buildhw-f28
+install_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
--- a/inventory/host_vars/sign-vault06.phx2.fedoraproject.org
+++ b/inventory/host_vars/sign-vault06.phx2.fedoraproject.org
@ -0,0 +1,10 @@
+---
+gw: 10.5.125.254
+eth0_ip: 10.5.125.84
+
+install_noc: noc01.phx2.fedoraproject.org
+install_mac: D0:94:66:45:A1:62
+# Inside this, expect /vmlinuz and /initrd.img
+install_binpath: /uefi/x86_64/f28
+install_ks: http://10.5.126.23/repo/rhel/ks/buildhw-f28
+install_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
--- a/inventory/host_vars/tang01.phx2.fedoraproject.org
+++ b/inventory/host_vars/tang01.phx2.fedoraproject.org
@ -0,0 +1,4 @@
+---
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.3
+vmhost: virthost12.phx2.fedoraproject.org
--- a/inventory/host_vars/tang02.phx2.fedoraproject.org
+++ b/inventory/host_vars/tang02.phx2.fedoraproject.org
@ -0,0 +1,4 @@
+---
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.4
+vmhost: virthost14.phx2.fedoraproject.org
--- a/inventory/host_vars/undercloud02.cloud.fedoraproject.org
+++ b/inventory/host_vars/undercloud02.cloud.fedoraproject.org
@ -17,7 +17,7 @@ vmhost: cloud-noc01.cloud.fedoraproject.org
 datacenter: newcloud

 nagios_Check_Services:
-  monitor: false
+  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/host_vars/virthost-rdu01.fedoraproject.org
+++ b/inventory/host_vars/virthost-rdu01.fedoraproject.org
@ -13,3 +13,7 @@ br1_nm: 255.255.255.0
 vpn: true

 public_ip: 209.132.190.11
+
+nagios_Check_Services:
+  nrpe: false
+  mail: false
--- a/inventory/host_vars/virthost01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/virthost01.stg.phx2.fedoraproject.org
@ -8,3 +8,10 @@ br0_ip: 10.5.128.40
 br0_nm: 255.255.255.0
 br1_ip: 10.5.127.202
 br1_nm: 255.255.255.0
+
+install_noc: noc01.phx2.fedoraproject.org
+install_mac: 24-6E-96-B1-C7-F4
+# Inside this, expect /vmlinuz and /initrd.img
+install_binpath: /uefi/x86_64/el7
+install_ks: http://10.5.126.23/repo/rhel/ks/hardware-rhel-7-08disk
+install_repo: http://10.5.126.23/http://10.5.126.23/repo/rhel/RHEL7-x86_64/
--- a/inventory/inventory
+++ b/inventory/inventory
@ -229,7 +229,6 @@ mdapi01.phx2.fedoraproject.org
 mdapi01.stg.phx2.fedoraproject.org

 [minimal]
-bkernel03.phx2.fedoraproject.org
 bkernel04.phx2.fedoraproject.org

 [modernpaste]
@ -260,6 +259,8 @@ sign-bridge01.stg.phx2.fedoraproject.org
 #sign-vault03.phx2.fedoraproject.org
 #sign-vault04.phx2.fedoraproject.org
 #sign-vault01.stg.phx2.fedoraproject.org
+sign-vault05.phx2.fedoraproject.org
+sign-vault06.phx2.fedoraproject.org

 [autocloud-web]
 autocloud-web01.phx2.fedoraproject.org
@ -329,6 +330,8 @@ badges-web01.stg.phx2.fedoraproject.org
 blockerbugs01.stg.phx2.fedoraproject.org
 bodhi-backend01.stg.phx2.fedoraproject.org
 busgateway01.stg.phx2.fedoraproject.org
+copr-frontend01.stg.phx2.fedoraproject.org
+copr-frontend02.stg.phx2.fedoraproject.org
 datagrepper01.stg.phx2.fedoraproject.org
 elections01.stg.phx2.fedoraproject.org
 fedocal01.stg.phx2.fedoraproject.org
@ -344,7 +347,6 @@ download02.phx2.fedoraproject.org
 download03.phx2.fedoraproject.org
 download04.phx2.fedoraproject.org
 download05.phx2.fedoraproject.org
-download06.phx2.fedoraproject.org

 [download-ibiblio]
 download-ib01.fedoraproject.org
@ -361,7 +363,8 @@ download05.phx2.fedoraproject.org
 #download-rdu01.fedoraproject.org

 [download-phx2-virtual]
-download06.phx2.fedoraproject.org
+download01.phx2.fedoraproject.org
+download02.phx2.fedoraproject.org


 [download:children]
@ -553,6 +556,10 @@ qa12.qa.fedoraproject.org
 qa13.qa.fedoraproject.org
 qa14.qa.fedoraproject.org

+[tang]
+tang01.phx2.fedoraproject.org
+tang02.phx2.fedoraproject.org
+
 [torrent]
 torrent02.fedoraproject.org

@ -751,17 +758,22 @@ buildvm-s390x-01.stg.s390.fedoraproject.org
 busgateway01.stg.phx2.fedoraproject.org
 composer.stg.phx2.fedoraproject.org
 copr-be-dev.cloud.fedoraproject.org
+copr-be-stg.fedorainfracloud.org
 copr-dist-git-dev.fedorainfracloud.org
+copr-dist-git-stg.fedorainfracloud.org
 copr-fe-dev.cloud.fedoraproject.org
+copr-frontend01.stg.phx2.fedoraproject.org
+copr-frontend02.stg.phx2.fedoraproject.org
 copr-keygen-dev.cloud.fedoraproject.org
+copr-keygen-stg.fedorainfracloud.org
 datagrepper01.stg.phx2.fedoraproject.org
 db-fas01.stg.phx2.fedoraproject.org
 db-koji01.stg.phx2.fedoraproject.org
 db01.stg.phx2.fedoraproject.org
 db03.stg.phx2.fedoraproject.org
-docker-candidate-registry01.stg.phx2.fedoraproject.org
-docker-registry01.stg.phx2.fedoraproject.org
-docker-registry02.stg.phx2.fedoraproject.org
+oci-candidate-registry01.stg.phx2.fedoraproject.org
+oci-registry01.stg.phx2.fedoraproject.org
+oci-registry02.stg.phx2.fedoraproject.org
 elections01.stg.phx2.fedoraproject.org
 fas01.stg.phx2.fedoraproject.org
 fedimg01.stg.phx2.fedoraproject.org
@ -860,6 +872,8 @@ proxy10.phx2.fedoraproject.org
 proxy101.phx2.fedoraproject.org
 proxy110.phx2.fedoraproject.org
 openqa-stg01.qa.fedoraproject.org
+tang01.phx2.fedoraproject.org
+tang02.phx2.fedoraproject.org

 [statscache:children]
 statscache-web
@ -1210,8 +1224,6 @@ java-deptools.fedorainfracloud.org
 developer.fedorainfracloud.org
 # fedimg-dev development instance
 fedimg-dev.fedorainfracloud.org
-# eclipse help center - ticket 5293
-eclipse.fedorainfracloud.org
 # iddev
 iddev.fedorainfracloud.org
 # commops - ticket 5380
@ -1291,15 +1303,6 @@ bvirthost
 buildvmhost
 virthost-comm

-[copr-front-stg]
-copr-fe-dev.cloud.fedoraproject.org
-
-[copr-back-stg]
-copr-be-dev.cloud.fedoraproject.org
-
-[copr-keygen-stg]
-copr-keygen-dev.cloud.fedoraproject.org
-
 [copr-keygen]
 copr-keygen.cloud.fedoraproject.org

@ -1312,9 +1315,31 @@ copr-be.cloud.fedoraproject.org
 [copr-dist-git]
 copr-dist-git.fedorainfracloud.org

-[copr-dist-git-stg]
+[copr-front-dev]
+copr-fe-dev.cloud.fedoraproject.org
+
+[copr-back-dev]
+copr-be-dev.cloud.fedoraproject.org
+
+[copr-keygen-dev]
+copr-keygen-dev.cloud.fedoraproject.org
+
+[copr-dist-git-dev]
 copr-dist-git-dev.fedorainfracloud.org

+[copr-front-stg]
+copr-frontend01.stg.phx2.fedoraproject.org
+copr-frontend02.stg.phx2.fedoraproject.org
+
+[copr-back-stg]
+copr-be-stg.fedorainfracloud.org
+
+[copr-keygen-stg]
+copr-keygen-stg.fedorainfracloud.org
+
+[copr-dist-git-stg]
+copr-dist-git-stg.fedorainfracloud.org
+
 [copr:children]
 copr-front
 copr-back
@ -1327,6 +1352,12 @@ copr-back-stg
 copr-keygen-stg
 copr-dist-git-stg

+[copr-dev:children]
+copr-front-dev
+copr-back-dev
+copr-keygen-dev
+copr-dist-git-dev
+
 [pagure]
 pagure01.fedoraproject.org

@ -1438,28 +1469,32 @@ os-control
 [ci]
 ci-cc-rdu01.fedoraproject.org

-# Docker (docker-distribution) registries
-[docker-registry]
-docker-registry02.phx2.fedoraproject.org
-docker-registry03.phx2.fedoraproject.org
-docker-candidate-registry01.phx2.fedoraproject.org
+# registries
+[oci-registry]
+oci-registry01.phx2.fedoraproject.org
+oci-registry02.phx2.fedoraproject.org
+oci-candidate-registry01.phx2.fedoraproject.org

-[docker-registry-gluster-stg]
-docker-registry01.stg.phx2.fedoraproject.org
-docker-registry02.stg.phx2.fedoraproject.org
+[oci-registry-gluster]
+oci-registry01.phx2.fedoraproject.org
+oci-registry02.phx2.fedoraproject.org

-[docker-registry-stg]
-docker-registry01.stg.phx2.fedoraproject.org
-docker-registry02.stg.phx2.fedoraproject.org
-docker-candidate-registry01.stg.phx2.fedoraproject.org
+[oci-registry-gluster-stg]
+oci-registry01.stg.phx2.fedoraproject.org
+oci-registry02.stg.phx2.fedoraproject.org
+
+[oci-registry-stg]
+oci-registry01.stg.phx2.fedoraproject.org
+oci-registry02.stg.phx2.fedoraproject.org
+oci-candidate-registry01.stg.phx2.fedoraproject.org

 ## Not the candidate just the top registry
 [moby-registry]
-docker-registry02.phx2.fedoraproject.org
+oci-registry01.phx2.fedoraproject.org

 ## Not the candidate just the top registry
 [moby-registry-stg]
-docker-registry01.stg.phx2.fedoraproject.org
+oci-registry01.stg.phx2.fedoraproject.org

 [webservers:children]
 proxies
--- a/master.yml
+++ b/master.yml
@ -36,9 +36,10 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-backend.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-dist-git.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml
+- import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-frontend-cloud.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-keygen.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/datagrepper.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/docker-registry.yml
+- import_playbook: /srv/web/infra/ansible/playbooks/groups/oci-registry.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/dns.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/download.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/elections.yml
@ -98,6 +99,7 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/statscache.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/sundries.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/tagger.yml
+- import_playbook: /srv/web/infra/ansible/playbooks/groups/tang.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/taskotron.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/taskotron-client-hosts.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/torrent.yml
@ -117,6 +119,7 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/waiverdb.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/coreos.yml
 # These need work to finish and complete and are all stg currently.
+#- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/koschei.yml
 #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/modernpaste.yml
 #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/rats.yml
 #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/release-monitoring.yml
@ -132,7 +135,6 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/commops.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/developer.fedorainfracloud.org.yml
- import_playbook: /srv/web/infra/ansible/playbooks/hosts/eclipse.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/elastic-dev.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/fas2-dev.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/fas3-dev.fedorainfracloud.org.yml
--- a/playbooks/groups/bodhi-backend.yml
+++ b/playbooks/groups/bodhi-backend.yml
@ -64,10 +64,10 @@
    service: bodhi
    host: "bodhi.stg.fedoraproject.org"
    when: env == "staging"
-  - role: manage-container-images
+  - role: push-container-registry
    cert_dest_dir: "/etc/docker/certs.d/registry{{ env_suffix }}.fedoraproject.org"
-    cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem"
-    key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key"
+    cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt"
+    key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key"
    certs_group: apache


--- a/playbooks/groups/certgetter.yml
+++ b/playbooks/groups/certgetter.yml
@ -21,8 +21,10 @@
  - { role: openvpn/client,
      when: env != "staging" }

-  tasks:
+  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+  tasks:
  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
  - import_tasks: "{{ tasks_path }}/motd.yml"

--- a/playbooks/groups/copr-backend.yml
+++ b/playbooks/groups/copr-backend.yml
@ -1,6 +1,5 @@
 - name: check/create instance
-  #hosts: copr-back
-  hosts: copr-back:copr-back-stg
+  hosts: copr-back-dev:copr-back-stg:copr-back
  user: root
  gather_facts: False

@ -13,7 +12,7 @@
  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"

 - name: cloud basic setup
-  hosts: copr-back:copr-back-stg
+  hosts: copr-back-dev:copr-back-stg:copr-back
  user: root
  gather_facts: True
  vars_files:
@ -28,7 +27,7 @@
    hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"

 - name: provision instance
-  hosts: copr-back:copr-back-stg
+  hosts: copr-back-dev:copr-back-stg:copr-back
  user: root
  gather_facts: True

--- a/playbooks/groups/copr-dist-git.yml
+++ b/playbooks/groups/copr-dist-git.yml
@ -1,5 +1,5 @@
 - name: check/create instance
-  hosts: copr-dist-git-stg:copr-dist-git
+  hosts: copr-dist-git-dev:copr-dist-git-stg:copr-dist-git
  user: root
  gather_facts: False

@ -13,7 +13,7 @@
  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"

 - name: cloud basic setup
-  hosts: copr-dist-git-stg:copr-dist-git
+  hosts: copr-dist-git-dev:copr-dist-git-stg:copr-dist-git
  user: root
  gather_facts: True
  vars_files:
@ -27,7 +27,7 @@
    hostname: name="{{copr_hostbase}}.fedorainfracloud.org"

 - name: provision instance
-  hosts: copr-dist-git-stg:copr-dist-git
+  hosts: copr-dist-git-dev:copr-dist-git-stg:copr-dist-git
  user: root
  gather_facts: True

--- a/playbooks/hosts/eclipse.fedorainfracloud.org.yml
+++ b/playbooks/hosts/eclipse.fedorainfracloud.org.yml
@ -1,35 +1,42 @@
 - name: check/create instance
-  hosts: eclipse.fedorainfracloud.org
+  hosts: copr-front-dev:copr-front
+  # hosts: copr-front
  gather_facts: False

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
-   - /srv/private/ansible/vars.yml
+   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/fedora-cloud.yml
   - /srv/private/ansible/files/openstack/passwords.yml

  tasks:
  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"

-  handlers:
-  - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
- name: setup all the things
-  hosts: eclipse.fedorainfracloud.org
+- name: cloud basic setup
+  hosts: copr-front-dev:copr-front
+  # hosts: copr-front
  gather_facts: True
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
-   - /srv/private/ansible/vars.yml
-   - /srv/private/ansible/files/openstack/passwords.yml
-   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  pre_tasks:
-  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
-
-  roles:
-  - basessh
+   - "/srv/private/ansible/vars.yml"

  tasks:
  - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
+  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  - name: set hostname (required by some services, at least postfix need it)
-    hostname: name="{{inventory_hostname}}"
+    hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
+
+- name: provision instance
+  hosts: copr-front:copr-front-dev
+  # hosts: copr-front
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+   - base
+   - copr/frontend-cloud
+   - nagios_client
--- a/playbooks/groups/copr-frontend.yml
+++ b/playbooks/groups/copr-frontend.yml
@ -1,34 +1,9 @@
- name: check/create instance
-  hosts: copr-front-stg:copr-front
-  # hosts: copr-front
-  gather_facts: False
+---
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=copr-front-stg"

-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-   - /srv/web/infra/ansible/vars/fedora-cloud.yml
-   - /srv/private/ansible/files/openstack/passwords.yml
-
-  tasks:
-  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
-
- name: cloud basic setup
-  hosts: copr-front-stg:copr-front
-  # hosts: copr-front
-  gather_facts: True
-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-
-  tasks:
-  - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
-  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
-  - name: set hostname (required by some services, at least postfix need it)
-    hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
-
- name: provision instance
-  hosts: copr-front:copr-front-stg
-  # hosts: copr-front
+- name: provision copr frontend
+  hosts: copr-front-stg
+  user: root
  gather_facts: True

  vars_files:
@ -36,7 +11,25 @@
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

+  pre_tasks:
+  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
  roles:
-   - base
-   - copr/frontend
-   - nagios_client
+  - base
+  - rkhunter
+  - nagios_client
+  - hosts
+  - fas_client
+  - collectd/base
+  - { role: openvpn/client, when: env != "staging" }
+  - { role: sudo, sudoers: "{{ private }}/files/sudo/copr-sudoers" }
+  - redis
+  - mod_wsgi
+  - copr/frontend
+
+  tasks:
+  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+  - import_tasks: "{{ tasks_path }}/motd.yml"
+
+  handlers:
+  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/copr-keygen.yml
+++ b/playbooks/groups/copr-keygen.yml
@ -1,6 +1,5 @@
 - name: check/create instance
-  hosts: copr-keygen-stg:copr-keygen
-  #hosts: copr-keygen
+  hosts: copr-keygen-dev:copr-keygen-stg:copr-keygen
  gather_facts: False

  vars_files:
@ -21,8 +20,7 @@
    when: facts is failed

 - name: cloud basic setup
-  hosts: copr-keygen-stg:copr-keygen
-  # hosts: copr-keygen
+  hosts: copr-keygen-dev:copr-keygen-stg:copr-keygen
  gather_facts: True
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
@ -35,8 +33,7 @@
    hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"

 - name: provision instance
-  hosts: copr-keygen:copr-keygen-stg
-  #hosts: copr-keygen
+  hosts: copr-keygen-dev:copr-keygen-stg:copr-keygen
  gather_facts: True

  vars_files:
--- a/playbooks/groups/docker-registry.yml
+++ b/playbooks/groups/docker-registry.yml
@ -1,8 +1,8 @@
 # create an osbs server
- import_playbook:  "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=docker-registry:docker-registry-stg"
+- import_playbook:  "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=oci-registry:oci-registry-stg"

 - name: make the box be real
-  hosts: docker-registry:docker-registry-stg
+  hosts: oci-registry:oci-registry-stg
  user: root
  gather_facts: True

@ -35,8 +35,8 @@

 - name: set up gluster on stg
  hosts:
-  - docker-registry01.stg.phx2.fedoraproject.org
-  - docker-registry02.stg.phx2.fedoraproject.org
+  - oci-registry01.stg.phx2.fedoraproject.org
+  - oci-registry02.stg.phx2.fedoraproject.org
  user: root
  gather_facts: True

@ -47,16 +47,16 @@

  roles:
  - role: gluster/consolidated
-    gluster_brick_dir: /srv/glusterfs/
+    gluster_brick_dir: /srv/glusterfs
    gluster_mount_dir: /srv/docker/
    gluster_brick_name: registry
-    gluster_server_group: docker-registry-gluster-stg
+    gluster_server_group: oci-registry-gluster-stg
    tags: gluster

 - name: set up gluster on prod
  hosts:
-  - docker-registry02.phx2.fedoraproject.org
-  - docker-registry03.phx2.fedoraproject.org
+  - oci-registry01.phx2.fedoraproject.org
+  - oci-registry02.phx2.fedoraproject.org
  user: root
  gather_facts: True

@ -66,28 +66,15 @@
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
-  - role: gluster/server
-    glusterservername: gluster
-    username: "{{ registry_gluster_username_prod }}"
-    password: "{{ registry_gluster_password_prod }}"
-    owner: root
-    group: root
-    datadir: /srv/glusterfs/registry
-
-  - role: gluster/client
-    glusterservername: gluster
-    servers:
-    - docker-registry02.phx2.fedoraproject.org
-    - docker-registry03.phx2.fedoraproject.org
-    username: "{{ registry_gluster_username_prod }}"
-    password: "{{ registry_gluster_password_prod }}"
-    owner: root
-    group: root
-    mountdir: "/srv/docker"
-
+  - role: gluster/consolidated
+    gluster_brick_dir: /srv/glusterfs
+    gluster_mount_dir: /srv/docker/
+    gluster_brick_name: registry
+    gluster_server_group: oci-registry-gluster
+    tags: gluster

 - name: setup docker distribution registry
-  hosts: docker-registry:docker-registry-stg
+  hosts: oci-registry:oci-registry-stg
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
@ -122,8 +109,6 @@
    # Setup compose-x86-01 push docker images to registry
    - {
      role: push-docker,
-        docker_cert_name: "containerstable",
-        docker_cert_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org",
        candidate_registry: "candidate-registry.stg.fedoraproject.org",
        candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}",
        candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}",
@ -132,8 +117,6 @@
    }
    - {
      role: push-docker,
-        docker_cert_name: "containerstable",
-        docker_cert_dir: "/etc/docker/certs.d/registry.fedoraproject.org",
        candidate_registry: "candidate-registry.fedoraproject.org",
        candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}",
        candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}",
--- a/playbooks/groups/odcs.yml
+++ b/playbooks/groups/odcs.yml
@ -58,14 +58,14 @@

  roles:
  - role: gluster/consolidated
-    gluster_brick_dir: /srv/glusterfs/
+    gluster_brick_dir: /srv/glusterfs
    gluster_mount_dir: /srv/odcs
    gluster_brick_name: odcs
    gluster_server_group: odcs-stg
    tags: gluster
    when: env == 'staging'
  - role: gluster/consolidated
-    gluster_brick_dir: /srv/glusterfs/
+    gluster_brick_dir: /srv/glusterfs
    gluster_mount_dir: /srv/odcs
    gluster_brick_name: odcs
    gluster_server_group: odcs
--- a/playbooks/groups/os-cluster.yml
+++ b/playbooks/groups/os-cluster.yml
@ -103,11 +103,11 @@
    - {
      role: ansible-ansible-openshift-ansible,
        cluster_inventory_filename: "cluster-inventory-stg",
-        openshift_release: "v3.9",
+        openshift_release: "v3.10",
        openshift_ansible_path: "/root/openshift-ansible",
        openshift_ansible_pre_playbook: "playbooks/prerequisites.yml",
        openshift_ansible_playbook: "playbooks/deploy_cluster.yml",
-        openshift_ansible_version: "openshift-ansible-3.9.30-1",
+        openshift_ansible_version: "openshift-ansible-3.10.38-1",
        openshift_ansible_ssh_user: root,
        openshift_ansible_install_examples: false,
        openshift_ansible_containerized_deploy: false,
@ -132,11 +132,11 @@
    - {
      role: ansible-ansible-openshift-ansible,
        cluster_inventory_filename: "cluster-inventory",
-        openshift_release: "v3.9",
+        openshift_release: "v3.10",
        openshift_ansible_path: "/root/openshift-ansible",
        openshift_ansible_pre_playbook: "playbooks/prerequisites.yml",
        openshift_ansible_playbook: "playbooks/deploy_cluster.yml",
-        openshift_ansible_version: "openshift-ansible-3.9.30-1",
+        openshift_ansible_version: "openshift-ansible-3.10.35-1",
        openshift_ansible_ssh_user: root,
        openshift_ansible_install_examples: false,
        openshift_ansible_containerized_deploy: false,
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@ -270,46 +270,6 @@
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

-  pre_tasks:
-    - name: Make sure python2-docker-py is not installed
-      dnf:
-        name: python2-docker-py
-        state: absent
-
-  roles:
-    - {
-      role: osbs-common,
-        osbs_manage_firewalld: false,
-      }
-    - {
-      role: push-docker,
-        candidate_registry: "{{docker_registry}}",
-        candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}",
-        candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}",
-      when: env == "staging"
-    }
-    - {
-      role: push-docker,
-        candidate_registry: "{{docker_registry}}",
-        candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}",
-        candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}",
-      when: env == "production"
-    }
-    - {
-      role: "manage-container-images",
-        cert_dest_dir: "/etc/docker/certs.d/candidate-registry{{ env_suffix }}.fedoraproject.org",
-        cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
-        key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
-      when: env == "staging"
-    }
-
-
-  handlers:
-    - name: restart dnsmasq
-      service:
-        name: dnsmasq
-        state: restarted
-
  tasks:
    - name: Ensures /etc/dnsmasq.d/ dir exists
      file: path="/etc/dnsmasq.d/" state=directory
@ -372,7 +332,6 @@
    osbs_secret_files:
    - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
      dest: token
-    when: env == "staging"
  tags:
    - osbs-worker-namespace

@ -446,7 +405,6 @@
    osbs_secret_files:
    - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
      dest: token
-    when: env == "staging"
  tags:
    - osbs-orchestrator-namespace

@ -504,7 +462,8 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  pre_tasks:
-    - set_fact:
+    - name: Create the username:password string needed by the template
+      set_fact:
        auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
        auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"

@ -542,7 +501,8 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  pre_tasks:
-    - set_fact:
+    - name: Create the username:password string needed by the template
+      set_fact:
        auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
        auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"

@ -588,36 +548,7 @@
    koji_builder_user: dockerbuilder
    osbs_builder_user: builder

-
-  handlers:
-    - name: oc secrets new
-      command: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
-      environment: "{{ osbs_environment }}"
-      notify: oc secrets add
-
-    - name: oc secrets add
-      command: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
-      environment: "{{ osbs_environment }}"
-
  tasks:
-    - name: Ensure koji dockerbuilder cert path exists
-      file:
-        path: "{{ koji_pki_dir }}"
-        state: "directory"
-        mode: 0400
-
-    - name: Add koji dockerbuilder cert for Content Generator import
-      copy:
-        src: "{{private}}/files/koji/containerbuild.pem"
-        dest: "{{ koji_cert_path }}"
-      notify: oc secrets new
-
-    - name: Add koji dockerbuilder ca cert for Content Generator import
-      copy:
-        src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
-        dest: "{{ koji_ca_cert_path }}"
-      notify: oc secrets new
-
    - name: cron entry to clean up old builds
      copy:
        src: "{{files}}/osbs/cleanup-old-osbs-builds"
@ -706,7 +637,7 @@
        src: "{{item}}"
        dest: "/etc/osbs/buildroot/"
        owner: root
-        mode: 600
+        mode: 0600
      with_items:
        - "{{files}}/osbs/worker_customize.json"
        - "{{files}}/osbs/orchestrator_customize.json"
@ -803,26 +734,5 @@
      register: docker_pull_fedora
      changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"

-    - name: register origin_version_out rpm query
-      command: "rpm -q origin --qf '%{Version}'"
-      register: origin_version_out
-      check_mode: no
-      changed_when: False
-
-
- name: Post-Install image stream refresh
-  hosts: osbs-masters[0]:osbs-masters-stg[0]
-  tags:
-    - osbs-post-install
-  vars_files:
-    - /srv/web/infra/ansible/vars/global.yml
-    - /srv/private/ansible/vars.yml
-    - /srv/private/ansible/files/openstack/passwords.yml
-    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  tasks:
    - name: enable nrpe for monitoring (noc01)
      iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
-
-#    - name: enable nrpe for monitoring (noc01.stg)
-#      iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=1#0.5.126.2 state=present jump=ACCEPT
--- a/playbooks/groups/postgresql-server.yml
+++ b/playbooks/groups/postgresql-server.yml
@ -7,7 +7,7 @@
 # Once the instance exists, configure it.

 - name: configure postgresql server system
-  hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.or:db-qa03.qa.fedoraproject.org
+  hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.org:db-qa03.qa.fedoraproject.org
  user: root
  gather_facts: True

--- a/playbooks/groups/releng-compose.yml
+++ b/playbooks/groups/releng-compose.yml
@ -54,25 +54,31 @@
    tags:
    - releng
  - {
-    role: "manage-container-images",
+    role: "push-container-registry",
      cert_dest_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org",
      cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
      key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
    when: env == "staging"
  }
+  - {
+    role: "push-container-registry",
+      cert_dest_dir: "/etc/docker/certs.d/registry.fedoraproject.org",
+      cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt",
+      key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key",
+    when: env == "production"
+  }
+  - {
+    role: push-docker,
+      candidate_registry: "candidate-registry.stg.fedoraproject.org",
+      candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}",
+      candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}",
+    when: env == "staging"
+  }
  - {
    role: push-docker,
      candidate_registry: "candidate-registry.fedoraproject.org",
      candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}",
      candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}",
-      docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org",
-    when: env == "production"
-  }
-  - {
-    role: "manage-container-images",
-      cert_dest_dir: "/etc/docker/certs.d/registry.fedoraproject.org",
-      cert_src: "{{private}}/files/koji/containerstable.cert.pem",
-      key_src: "{{private}}/files/koji/containerstable.key.pem",
    when: env == "production"
  }

--- a/Show more
+++ b/Show more