From 04dfc56507caabed2051fbaa22aab18d2fc3eaae Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 16:29:17 +0000 Subject: [PATCH 001/289] update anitya in stg openshift and add zlopez as appowner --- playbooks/openshift-apps/release-monitoring.yml | 1 + roles/openshift-apps/release-monitoring/files/buildconfig.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/playbooks/openshift-apps/release-monitoring.yml b/playbooks/openshift-apps/release-monitoring.yml index 8aaadf6da7..2d5a536203 100644 --- a/playbooks/openshift-apps/release-monitoring.yml +++ b/playbooks/openshift-apps/release-monitoring.yml @@ -14,6 +14,7 @@ description: release-monitoring appowners: - jcline + - zlopez - role: openshift/object app: release-monitoring file: imagestream.yml diff --git a/roles/openshift-apps/release-monitoring/files/buildconfig.yml b/roles/openshift-apps/release-monitoring/files/buildconfig.yml index e66e49391c..24903d4fa4 100644 --- a/roles/openshift-apps/release-monitoring/files/buildconfig.yml +++ b/roles/openshift-apps/release-monitoring/files/buildconfig.yml @@ -41,7 +41,7 @@ items: dnf clean all -y RUN git clone https://github.com/release-monitoring/anitya.git && \ pushd anitya && \ - git checkout 0.12.0 && \ + git checkout 0.12.1 && \ pushd docs && \ sphinx-build-3 -b html . _build/html && \ mkdir -p ../anitya/static/docs/ && \ From 02410fca1637ac8950fdb429edb1b9071b0f1323 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 16:52:52 +0000 Subject: [PATCH 002/289] put stg.release-monitoring.org in staging proxy and get it a cert --- playbooks/include/proxies-reverseproxy.yml | 8 ++++++++ playbooks/include/proxies-websites.yml | 9 +++++++++ 2 files changed, 17 insertions(+) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 104d2e8321..4b7eddf749 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml 
@@ -727,6 +727,14 @@ keephost: true tags: silverblue + - role: httpd/reverseproxy + website: release-monitoring.org + destname: release-monitoring + # haproxy entry for os-nodes-frontend + proxyurl: http://localhost:10065 + keephost: true + tags: release-montoring + - role: httpd/reverseproxy website: data-analysis.fedoraproject.org destname: awstats diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 731bf9e288..463fead344 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -867,6 +867,15 @@ server_aliases: [silverblue.stg.fedoraproject.org] cert_name: "{{wildcard_cert_name}}" + - role: httpd/website + site_name: release-monitoring.org + sslonly: true + server_aliases: [stg.release-monitoring.org] + certbot: true + tags: + - release-monitoring.org + when: env == "staging" + # fedorahosted is retired. We have the site here so we can redirect it. - role: httpd/website From ef7ac5f4b1d6cdee7ea354671715d2138b8f6967 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 16:54:49 +0000 Subject: [PATCH 003/289] fix tags to be consistent --- playbooks/include/proxies-reverseproxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 4b7eddf749..dc047262cb 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -733,7 +733,7 @@ # haproxy entry for os-nodes-frontend proxyurl: http://localhost:10065 keephost: true - tags: release-montoring + tags: release-montoring.org - role: httpd/reverseproxy website: data-analysis.fedoraproject.org From 5bcd52831b91d9f1ad4b1639f8f7757b14759c61 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 16:56:50 +0000 Subject: [PATCH 004/289] strike that. reverse it --- playbooks/include/proxies-websites.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
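Review bot: The tag on the new reverseproxy entry is misspelled — `tags: release-montoring` — so it does not match the `release-monitoring.org` tag carried by the corresponding httpd/website entry in proxies-websites.yml, and a run limited with `--tags release-monitoring.org` would update the vhost but skip the proxy. Patch 003 renames it to `release-montoring.org` and patch 016 still shows that spelling in its context, so the inconsistency survives the series. Change the line to `tags: release-monitoring.org`.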
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 463fead344..6f2ec946d2 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -868,9 +868,9 @@ cert_name: "{{wildcard_cert_name}}" - role: httpd/website - site_name: release-monitoring.org + site_name: stg.release-monitoring.org sslonly: true - server_aliases: [stg.release-monitoring.org] + server_aliases: [release-monitoring.org] certbot: true tags: - release-monitoring.org From b3788e5bba94c3168db7266eae139ad0924cf929 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 17:30:19 +0000 Subject: [PATCH 005/289] ok, try this to get the cert working in stg --- playbooks/include/proxies-reverseproxy.yml | 4 ++-- playbooks/include/proxies-websites.yml | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index dc047262cb..465799087d 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -728,8 +728,8 @@ tags: silverblue - role: httpd/reverseproxy - website: release-monitoring.org - destname: release-monitoring + website: stg.release-monitoring.org + destname: stg.release-monitoring # haproxy entry for os-nodes-frontend proxyurl: http://localhost:10065 keephost: true diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 6f2ec946d2..c45a9658e9 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -870,7 +870,6 @@ - role: httpd/website site_name: stg.release-monitoring.org sslonly: true - server_aliases: [release-monitoring.org] certbot: true tags: - release-monitoring.org From 35c5ce99daccbe128c93575dc24f6f8676fc1c7d Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Wed, 15 Aug 2018 17:45:44 +0000 Subject: [PATCH 006/289] change route to match dns for stg.release-monitoring.org --- roles/openshift-apps/release-monitoring/templates/route.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/release-monitoring/templates/route.yml b/roles/openshift-apps/release-monitoring/templates/route.yml index 97f90a67e4..a9f5b6c082 100644 --- a/roles/openshift-apps/release-monitoring/templates/route.yml +++ b/roles/openshift-apps/release-monitoring/templates/route.yml @@ -6,7 +6,7 @@ metadata: app: release-monitoring spec: {% if env == 'staging' %} - host: release-monitoring.app.os.stg.fedoraproject.org + host: stg.release-monitoring.org {% else %} host: release-monitoring.org {% endif %} From 90af73d2ad1ea2aeac5e5cdc0309a6e9c1366caf Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 18:21:19 +0000 Subject: [PATCH 007/289] try and enable release-monitoring cron in stg --- playbooks/openshift-apps/release-monitoring.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/openshift-apps/release-monitoring.yml b/playbooks/openshift-apps/release-monitoring.yml index 2d5a536203..ffe869b35d 100644 --- a/playbooks/openshift-apps/release-monitoring.yml +++ b/playbooks/openshift-apps/release-monitoring.yml @@ -45,3 +45,7 @@ - role: openshift/rollout app: release-monitoring dcname: release-monitoring-web + - role: openshift/object + app: release-monitoring + file: cron.yml + objectname: cron.yml From 7dd1f05bb41a984fbb857d561536862ef14828e8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 19:34:48 +0000 Subject: [PATCH 008/289] try and copy cert from proxy01 to pkgs --- roles/distgit/tasks/main.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index 344ca5d147..fb62b8d012 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml 
@@ -347,6 +347,19 @@ notify: - reload httpd +# Get the letsencrypt ssl cert for pkgs.fedoraproject.org from proxy01 +# It's stored there because the role that requests/updates it is called +# via the proxy playbooks. + +- name: copy pkgs.fedoraproject.org ssl cert to pkgs machine + synchronize: + src: {{ item }} + dest: {{ item }} + with_items: + - /etc/pki/tls/certs/pkgs.fedoraproject.org.cert + - /etc/pki/tls/certs/pkgs.fedoraproject.org.intermediate.cert + - /etc/pki/tls/private/pkgs.fedoraproject.org.key + delegate_to: proxy01.phx2.fedoraproject.org # -- Lookaside Cache ------------------------------------- # This is the annex to Dist Git, where we host source tarballs. From 789310091cceff88ff997bfbfc39eb5209db17cf Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 19:36:04 +0000 Subject: [PATCH 009/289] add missing quotes --- roles/distgit/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index fb62b8d012..5db8548987 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -353,8 +353,8 @@ - name: copy pkgs.fedoraproject.org ssl cert to pkgs machine synchronize: - src: {{ item }} - dest: {{ item }} + src: "{{ item }}" + dest: "{{ item }}" with_items: - /etc/pki/tls/certs/pkgs.fedoraproject.org.cert - /etc/pki/tls/certs/pkgs.fedoraproject.org.intermediate.cert From 1b289a0382390ac6ae7dd2080ceb342aca93f571 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 19:54:01 +0000 Subject: [PATCH 010/289] let us try a more generic approach to copying around letsencrypt certs to additional hosts and just do it at the letsencrypt role level --- playbooks/include/proxies-websites.yml | 1 + roles/distgit/tasks/main.yml | 14 --------- roles/letsencrypt/tasks/main.yml | 42 ++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 14 deletions(-) 
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index c45a9658e9..deb7511be3 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -904,6 +904,7 @@ ssl: true sslonly: true certbot: true + certbot_addhost: pkgs02.fedoraproject.org tags: - pkgs.fedoraproject.org when: env == "production" and "phx2" in inventory_hostname diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index 5db8548987..1247adaf04 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -347,20 +347,6 @@ notify: - reload httpd -# Get the letsencrypt ssl cert for pkgs.fedoraproject.org from proxy01 -# It's stored there because the role that requests/updates it is called -# via the proxy playbooks. - -- name: copy pkgs.fedoraproject.org ssl cert to pkgs machine - synchronize: - src: "{{ item }}" - dest: "{{ item }}" - with_items: - - /etc/pki/tls/certs/pkgs.fedoraproject.org.cert - - /etc/pki/tls/certs/pkgs.fedoraproject.org.intermediate.cert - - /etc/pki/tls/private/pkgs.fedoraproject.org.key - delegate_to: proxy01.phx2.fedoraproject.org - # -- Lookaside Cache ------------------------------------- # This is the annex to Dist Git, where we host source tarballs. - name: install the Lookaside Cache httpd configs diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 20b121c60b..d4cdffb959 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml 
@@ -68,3 +68,45 @@ - reload proxyhttpd tags: - letsencrypt + +- name: Install the certificate (additional host) + copy: > + dest=/etc/pki/tls/certs/{{site_name}}.cert + content="{{certbot_certificate.stdout}}" + owner=root + group=root + mode=0644 + notify: + - reload proxyhttpd + tags: + - letsencrypt + delegate_to: "{{ certbot_addhost }}" + when: certbot_addhost is defined + +- name: Install the intermediate/chain certificate (additional host) + copy: > + dest=/etc/pki/tls/certs/{{site_name}}.intermediate.cert + content="{{certbot_chain.stdout}}" + owner=root + group=root + mode=0644 + notify: + - reload proxyhttpd + tags: + - letsencrypt + delegate_to: "{{ certbot_addhost }}" + when: certbot_addhost is defined + +- name: Install the key (additional host) + copy: > + dest=/etc/pki/tls/private/{{site_name}}.key + content="{{certbot_key.stdout}}" + owner=root + group=root + mode=0600 + notify: + - reload proxyhttpd + tags: + - letsencrypt + delegate_to: "{{ certbot_addhost }}" + when: certbot_addhost is defined From ea635849cb9e12c5c36ce180e725374a45b375c5 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 20:02:51 +0000 Subject: [PATCH 011/289] add staging in and fix up some hostnames --- playbooks/include/proxies-websites.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index deb7511be3..5941c8ec4c 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml 
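Review bot: The three new `copy` tasks push the key and certificates through `content=` without `no_log: true`, so the private key taken from `certbot_key.stdout` can end up in the controller's Ansible output when the task fails or runs verbosely; the key task at least should carry `no_log: true`. Each task also has `notify: - reload proxyhttpd` while being `delegate_to: "{{ certbot_addhost }}"` — as far as I know a notified handler runs on the play host rather than the delegated host, so the additional host's httpd is presumably not reloaded by this; confirm, and if so give the additional host its own reload (a handler with its own `delegate_to`, or an explicit task). The folded `copy: >` key=value form matches the surrounding tasks, so no change there.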
@@ -904,7 +904,17 @@ ssl: true sslonly: true certbot: true - certbot_addhost: pkgs02.fedoraproject.org + certbot_addhost: pkgs02.phx2.fedoraproject.org tags: - pkgs.fedoraproject.org when: env == "production" and "phx2" in inventory_hostname + + - role: httpd/website + site_name: pkgs.stg.fedoraproject.org + ssl: true + sslonly: true + certbot: true + certbot_addhost: pkgs01.stg.phx2.fedoraproject.org + tags: + - pkgs.fedoraproject.org + when: env == "staging" and "phx2" in inventory_hostname From 4f50c4d4102b4e1a5457d2c6edfe0fa752ac1d58 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Wed, 15 Aug 2018 10:21:57 -0400 Subject: [PATCH 012/289] bodhi-pungi: prevent NVR conflicts for image builds Use a different version string for the updates vs updates-testing so that NVRs don't conflict. --- roles/bodhi2/backend/templates/pungi.rpm.conf.j2 | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/roles/bodhi2/backend/templates/pungi.rpm.conf.j2 b/roles/bodhi2/backend/templates/pungi.rpm.conf.j2 index fd1e775a34..4c436dbb1d 100644 --- a/roles/bodhi2/backend/templates/pungi.rpm.conf.j2 +++ b/roles/bodhi2/backend/templates/pungi.rpm.conf.j2 @@ -203,7 +203,11 @@ image_build = { 'image-build': { 'format': [('qcow2', 'qcow2'), ('raw-xz', 'raw.xz')], 'name': 'Fedora-AtomicHost', - 'version': '!VERSION_FROM_VERSION' + [% if request.name == 'stable' %] + # Use a different version string for the updates vs updates-testing + # runs so that NVRs don't conflict + 'version': '!VERSION_FROM_VERSION' + [% endif %] 'release': '!RELEASE_FROM_DATE_RESPIN' 'kickstart': 'fedora-atomic.ks', 'distro': 'Fedora-22', 
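Review bot: The `[% if request.name == 'stable' %]` guard has no `[% else %]` branch, so for the updates-testing run the `'version'` key is omitted from the dict entirely rather than set to a different string, which is not what the comment directly above it says ("Use a different version string"); unless pungi fills in a default when the key is absent, this needs checking. The same shape appears in the second hunk for Fedora-AtomicHost-Vagrant. Either add an `[% else %]` branch carrying the intended updates-testing version string, or reword the comment to `# Only set the version for stable (updates) runs; updates-testing relies on pungi's default` once that default is confirmed.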
@@ -225,7 +229,11 @@ image_build = { 'image-build': { 'format': [('vagrant-libvirt','vagrant-libvirt.box'), ('vagrant-virtualbox','vagrant-virtualbox.box')], 'name': 'Fedora-AtomicHost-Vagrant', - 'version': '!VERSION_FROM_VERSION' + [% if request.name == 'stable' %] + # Use a different version string for the updates vs updates-testing + # runs so that NVRs don't conflict + 'version': '!VERSION_FROM_VERSION' + [% endif %] 'release': '!RELEASE_FROM_DATE_RESPIN' 'kickstart': 'fedora-atomic-vagrant.ks', 'distro': 'Fedora-22', From e1a8b796df56199caa3c0496b743b45977cab1c9 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 20:33:00 +0000 Subject: [PATCH 013/289] fix pkgs redirect to work for letsencrypt --- roles/distgit/templates/lookaside-upload.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/distgit/templates/lookaside-upload.conf b/roles/distgit/templates/lookaside-upload.conf index 62cd125d7b..1b20aa5ad8 100644 --- a/roles/distgit/templates/lookaside-upload.conf +++ b/roles/distgit/templates/lookaside-upload.conf @@ -39,7 +39,7 @@ Alias /robots.txt /var/www/robots-src.txt RewriteEngine on - RewriteRule "^/.well-known/acme-challenge/(.*)$" "http://src{{ env_suffix }}.fedoraproject.org/$1" + RewriteRule "^/.well-known/acme-challenge/(.*)$" "http://src{{ env_suffix }}.fedoraproject.org/.well-known/acme-challenge/$1" RewriteRule "^/(.*)$" "https://src{{ env_suffix }}.fedoraproject.org/$1" RewriteRule "^/login/$" "https://src{{ env_suffix }}.fedoraproject.org/login/" From 785ecfc9a00d8c6482e2f2cca8f0e3bcde1b1b5c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 20:45:36 +0000 Subject: [PATCH 014/289] and finally use the new cert --- roles/distgit/templates/lookaside-upload.conf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/distgit/templates/lookaside-upload.conf b/roles/distgit/templates/lookaside-upload.conf index 1b20aa5ad8..ac8c40dcc6 100644 
--- a/roles/distgit/templates/lookaside-upload.conf +++ b/roles/distgit/templates/lookaside-upload.conf @@ -54,10 +54,9 @@ Alias /robots.txt /var/www/robots-src.txt SSLEngine on - SSLCertificateFile conf/pkgs.fedoraproject.org_key_and_cert.pem - SSLCertificateKeyFile conf/pkgs.fedoraproject.org_key_and_cert.pem - SSLCACertificateFile conf/cacert.pem - SSLCARevocationFile /etc/pki/tls/crl.pem + SSLCertificateFile /etc/pki/tls/certs/pkgs{{ env_suffix }}.fedoraproject.org.cert + SSLCertificateKeyFile c/etc/pki/tls/certs/pkgs{{ env_suffix }}.fedoraproject.org.key + SSLCertificateChainFile /etc/pki/tls/certs/pkgs{{ env_suffix }}.fedoraproject.org.intermediate.cert SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} From bb0793c9d5591b23d8b4b43dce35557ac07fe5e3 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 20:59:21 +0000 Subject: [PATCH 015/289] typo city. fixing --- roles/distgit/templates/lookaside-upload.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/distgit/templates/lookaside-upload.conf b/roles/distgit/templates/lookaside-upload.conf index ac8c40dcc6..20aeb316e4 100644 --- a/roles/distgit/templates/lookaside-upload.conf +++ b/roles/distgit/templates/lookaside-upload.conf @@ -55,7 +55,7 @@ Alias /robots.txt /var/www/robots-src.txt SSLEngine on SSLCertificateFile /etc/pki/tls/certs/pkgs{{ env_suffix }}.fedoraproject.org.cert - SSLCertificateKeyFile c/etc/pki/tls/certs/pkgs{{ env_suffix }}.fedoraproject.org.key + SSLCertificateKeyFile /etc/pki/tls/private/pkgs{{ env_suffix }}.fedoraproject.org.key SSLCertificateChainFile /etc/pki/tls/certs/pkgs{{ env_suffix }}.fedoraproject.org.intermediate.cert SSLProtocol {{ ssl_protocols }} From 4581dd27115e932490e65d88d27a6faf7e31361a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Aug 2018 21:13:05 +0000 Subject: [PATCH 016/289] only setup stg.release-monitoring.org in stg --- playbooks/include/proxies-reverseproxy.yml | 1 + 1 file changed, 1 insertion(+) 
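Review bot: The hunk drops `SSLCACertificateFile conf/cacert.pem` and `SSLCARevocationFile /etc/pki/tls/crl.pem` together with the old certificate paths; if the vhost still contains an `SSLVerifyClient` directive outside the hunk (the lookaside upload endpoint has relied on client certificates), that verification is left with no CA and no CRL, and httpd will either refuse the configuration or reject every client certificate. Confirm whether client-certificate verification is still in use here before removing those two directives. The enclosing `<VirtualHost>` block starts and ends outside the hunk.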
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 465799087d..03a3c91f72 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -734,6 +734,7 @@ proxyurl: http://localhost:10065 keephost: true tags: release-montoring.org + when: env == "staging" - role: httpd/reverseproxy website: data-analysis.fedoraproject.org From 8d71022c19f6ac92a3030228715b158c1853151a Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 08:26:23 +0000 Subject: [PATCH 017/289] Allow sysadmin-releasemonitoring access to batcave Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/batcave | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave index e1d7c820c4..5cd5219c6d 100644 --- a/inventory/group_vars/batcave +++ b/inventory/group_vars/batcave @@ -8,7 +8,7 @@ tcp_ports: [ 80, 443 ] # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-build,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst +fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-build,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring ansible_base: /srv/web/infra freezes: false 
From 2cf7bacf325c0ba0d0721b64d921a27961c34a6f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 08:28:03 +0000 Subject: [PATCH 018/289] Allow sysadmin-releasemonitoring to bastion Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/bastion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion index a321809379..28f79ebcf0 100644 --- a/inventory/group_vars/bastion +++ b/inventory/group_vars/bastion @@ -23,7 +23,7 @@ custom_rules: [ # TODO - remove modularity-wg membership here once it is not longer needed: # https://fedorahosted.org/fedora-infrastructure/ticket/5363 -fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst +fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring # # This is a postfix gateway. This will pick up gateway postfix config in base From 7bc1dc57a2dcb723bc03dd1ed82b224f0ee07c51 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 16 Aug 2018 09:29:44 +0000 Subject: [PATCH 019/289] mock: check user groups before asking for password --- files/common/mock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/files/common/mock b/files/common/mock index e307ff7216..347fc0c820 100644 --- a/files/common/mock +++ b/files/common/mock @@ -1,6 +1,8 @@ #%PAM-1.0 auth sufficient pam_rootok.so auth sufficient pam_succeed_if.so user ingroup mock use_uid quiet +account sufficient pam_succeed_if.so user ingroup packager use_uid quiet +auth sufficient pam_succeed_if.so user ingroup packager use_uid quiet # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. @@ -10,6 +12,4 @@ account sufficient pam_succeed_if.so user ingroup mock use_uid quie account include system-auth password include system-auth session include system-auth -account sufficient pam_succeed_if.so user ingroup packager use_uid quiet -auth sufficient pam_succeed_if.so user ingroup packager use_uid quiet session optional pam_xauth.so From 75b5a8db6a8bf0f73bdf13c366d40b76db885df7 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 16 Aug 2018 12:15:16 +0000 Subject: [PATCH 020/289] A platform:f30 module (for MBS, staging) https://pagure.io/fedora-infrastructure/issue/7165 --- .../default-modules.staging/platform-f30.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 roles/mbs/common/files/default-modules.staging/platform-f30.yaml diff --git a/roles/mbs/common/files/default-modules.staging/platform-f30.yaml b/roles/mbs/common/files/default-modules.staging/platform-f30.yaml new file mode 100644 index 0000000000..d40fb4c60a --- /dev/null +++ b/roles/mbs/common/files/default-modules.staging/platform-f30.yaml 
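Review bot: The new `account sufficient pam_succeed_if.so user ingroup packager use_uid quiet` line now sits between two `auth` entries, while the existing `account sufficient ... ingroup mock` rule stays further down with the other `account` entries (visible in the second hunk's header line). PAM evaluates each management type as its own stack, so the cross-type placement is harmless, but keeping the two `account` rules adjacent makes the stack easier to audit. Only the `auth` line needs to precede `auth include system-auth` to achieve the commit's goal of checking group membership before the password prompt.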
@@ -0,0 +1,27 @@ +data: + description: Fedora 30 traditional base + license: + module: [MIT] + name: platform + profiles: + buildroot: + rpms: [bash, bzip2, coreutils, cpio, diffutils, fedora-release, findutils, gawk, + grep, gzip, info, make, patch, redhat-rpm-config, rpm-build, sed, shadow-utils, + tar, unzip, util-linux, which, xz] + srpm-buildroot: + rpms: [bash, fedora-release, fedpkg-minimal, gnupg2, redhat-rpm-config, rpm-build, + shadow-utils] + stream: f30 + summary: Fedora 30 traditional base + context: 00000000 + version: 5 + xmd: + mbs: + buildrequires: {} + commit: f30 + requires: {} + koji_tag: module-f30-build + mse: TRUE +document: modulemd +version: 1 + From e47a2d8584b845ad22269522366a516b8f8b8671 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 16 Aug 2018 12:25:21 +0000 Subject: [PATCH 021/289] Add missing tags. --- roles/mbs/common/tasks/main.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/mbs/common/tasks/main.yml b/roles/mbs/common/tasks/main.yml index 431453488f..97f6017338 100644 --- a/roles/mbs/common/tasks/main.yml +++ b/roles/mbs/common/tasks/main.yml @@ -107,16 +107,23 @@ owner: root group: root mode: 0775 + tags: + - mbs + - mbs/common - name: copy default modules to /etc/module-build-service/default-modules copy: src={{ item }} dest=/etc/module-build-service/default-modules with_fileglob: - default-modules.{{ env }}/*.yaml + tags: + - mbs + - mbs/common - name: import default-modules command: /usr/bin/mbs-manager import_module /etc/module-build-service/default-modules/{{ item | basename }} with_fileglob: - default-modules.{{ env }}/*.yaml when: mbs_import_default_modules | default(True) - - + tags: + - mbs + - mbs/common From aebd10d51f18b10735a48982b89e20145ddd82f4 Mon Sep 17 00:00:00 2001 
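Review bot: Two scalars in the new file are likely to be retyped by the YAML loader: `context: 00000000` is read as the integer 0 (leading-zero octal under YAML 1.1) rather than the eight-character string, and `mse: TRUE` is an uppercase boolean. If the importer expects a string context, write `context: "00000000"`; write `mse: true` for the boolean. The identical blob (d40fb4c60a) is added again for production in patch 022, so the same applies there. The trailing empty `+` line at the end of the file can be dropped.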
From: Ralph Bean Date: Thu, 16 Aug 2018 12:28:46 +0000 Subject: [PATCH 022/289] Add platform:f30 module for MBS prod. https://pagure.io/fedora-infrastructure/issue/7165 --- .../platform-f30.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 roles/mbs/common/files/default-modules.production/platform-f30.yaml diff --git a/roles/mbs/common/files/default-modules.production/platform-f30.yaml b/roles/mbs/common/files/default-modules.production/platform-f30.yaml new file mode 100644 index 0000000000..d40fb4c60a --- /dev/null +++ b/roles/mbs/common/files/default-modules.production/platform-f30.yaml @@ -0,0 +1,27 @@ +data: + description: Fedora 30 traditional base + license: + module: [MIT] + name: platform + profiles: + buildroot: + rpms: [bash, bzip2, coreutils, cpio, diffutils, fedora-release, findutils, gawk, + grep, gzip, info, make, patch, redhat-rpm-config, rpm-build, sed, shadow-utils, + tar, unzip, util-linux, which, xz] + srpm-buildroot: + rpms: [bash, fedora-release, fedpkg-minimal, gnupg2, redhat-rpm-config, rpm-build, + shadow-utils] + stream: f30 + summary: Fedora 30 traditional base + context: 00000000 + version: 5 + xmd: + mbs: + buildrequires: {} + commit: f30 + requires: {} + koji_tag: module-f30-build + mse: TRUE +document: modulemd +version: 1 + From 5260599ff82d88711238b361fd688897aa2c4699 Mon Sep 17 00:00:00 2001 From: Sinny Kumari Date: Thu, 16 Aug 2018 10:52:15 +0530 Subject: [PATCH 023/289] Stop building F28 AH twoweek nightly composes We have started building F28 AH twoweek nightly compose artifacts during bodhi updates run. Signed-off-by: Sinny Kumari --- roles/releng/files/twoweek-updates | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/releng/files/twoweek-updates b/roles/releng/files/twoweek-updates index 32a69fb6bc..6429c2c33a 100644 --- a/roles/releng/files/twoweek-updates +++ b/roles/releng/files/twoweek-updates 
@@ -1,6 +1,6 @@ #Fedora 28 two-week updates nightly compose -MAILTO=releng-cron@lists.fedoraproject.org -15 8 * * * root TMPDIR=`mktemp -d /tmp/twoweekF28.XXXXXX` && pushd $TMPDIR && git clone -n https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f28 && LANG=en_US.UTF-8 ./twoweek-nightly.sh RC-$(date "+\%Y\%m\%d").0 && popd && rm -rf $TMPDIR +#MAILTO=releng-cron@lists.fedoraproject.org +#15 8 * * * root TMPDIR=`mktemp -d /tmp/twoweekF28.XXXXXX` && pushd $TMPDIR && git clone -n https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f28 && LANG=en_US.UTF-8 ./twoweek-nightly.sh RC-$(date "+\%Y\%m\%d").0 && popd && rm -rf $TMPDIR #Fedora 27 two-week updates nightly compose #MAILTO=releng-cron@lists.fedoraproject.org From d47cf79b4d916a8a4daca6d821705ec2575e3559 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 16 Aug 2018 09:20:45 -0400 Subject: [PATCH 024/289] add comment on where to find f28AH composes They have been moved and are now run as part of the bodhi updates runs. --- roles/releng/files/twoweek-updates | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/releng/files/twoweek-updates b/roles/releng/files/twoweek-updates index 6429c2c33a..3cfae4f11f 100644 --- a/roles/releng/files/twoweek-updates +++ b/roles/releng/files/twoweek-updates @@ -1,4 +1,6 @@ #Fedora 28 two-week updates nightly compose +# XXX: this has been moved to the updates compose: +# https://kojipkgs.fedoraproject.org/compose/updates/f28-updates/ #MAILTO=releng-cron@lists.fedoraproject.org #15 8 * * * root TMPDIR=`mktemp -d /tmp/twoweekF28.XXXXXX` && pushd $TMPDIR && git clone -n https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f28 && LANG=en_US.UTF-8 ./twoweek-nightly.sh RC-$(date "+\%Y\%m\%d").0 && popd && rm -rf $TMPDIR From d5179509aa5bdef9d0651df9c5fffeab4500715e Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Thu, 16 Aug 2018 13:24:48 +0000 Subject: [PATCH 025/289] Upgrade staging back to Bodhi 3.9b1. 
Signed-off-by: Randy Barlow --- playbooks/openshift-apps/bodhi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/openshift-apps/bodhi.yml b/playbooks/openshift-apps/bodhi.yml index fa6aff5862..4b08ac7c2a 100644 --- a/playbooks/openshift-apps/bodhi.yml +++ b/playbooks/openshift-apps/bodhi.yml @@ -51,7 +51,7 @@ app: bodhi template: buildconfig.yml objectname: buildconfig.yml - bodhi_version: 3.8.0-1.fc27 + bodhi_version: 3.9.0-0.1.beta.fc27 when: env == "staging" - role: openshift/object app: bodhi From d31019a4449570d4c4bdd14ef3d644a020b0c800 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 17:38:08 +0000 Subject: [PATCH 026/289] Renew SSH cert if it was last modified more than 10 months ago Signed-off-by: Patrick Uiterwijk --- roles/basessh/tasks/main.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml index 0b60d87aec..0f2813bb3a 100644 --- a/roles/basessh/tasks/main.yml +++ b/roles/basessh/tasks/main.yml @@ -128,7 +128,18 @@ - sshd - base -# TODO: Get expired certificates, and add them to certs_to_sign +# Renew if last mod was more than 10 months ago +- name: Get soon-to-expire certificates to sign + set_fact: + certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]" + when: "item.stat.exists and item.stat.mtime < (ansible_date_time.epoch - 25920000)" + tags: + - basessh + - sshd_cert + - sshd_config + - config + - sshd + - base - set_fact: pubkeydir: "/tmp/sshkeysign/{{inventory_hostname}}" From 9b48361d768d9c93e716cb1b30667a015f6a542d Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 17:39:55 +0000 Subject: [PATCH 027/289] Do the loop Signed-off-by: Patrick Uiterwijk --- roles/basessh/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml index 0f2813bb3a..8a8ae2f0e7 100644 --- a/roles/basessh/tasks/main.yml 
+++ b/roles/basessh/tasks/main.yml @@ -132,6 +132,7 @@ - name: Get soon-to-expire certificates to sign set_fact: certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]" + with_items: "{{ssh_cert_files.results}}" when: "item.stat.exists and item.stat.mtime < (ansible_date_time.epoch - 25920000)" tags: - basessh From b35d4402e1e29584277ac7f9267e96ae2272be5e Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 17:40:59 +0000 Subject: [PATCH 028/289] Try to convert this string to int Signed-off-by: Patrick Uiterwijk --- roles/basessh/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml index 8a8ae2f0e7..b57b770950 100644 --- a/roles/basessh/tasks/main.yml +++ b/roles/basessh/tasks/main.yml @@ -133,7 +133,7 @@ set_fact: certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]" with_items: "{{ssh_cert_files.results}}" - when: "item.stat.exists and item.stat.mtime < (ansible_date_time.epoch - 25920000)" + when: "item.stat.exists and item.stat.mtime|int < (ansible_date_time.epoch - 25920000)" tags: - basessh - sshd_cert From 7cce79de07f0b6f0a5db85c9b3a0e9dfd93249fb Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 17:42:17 +0000 Subject: [PATCH 029/289] Also integer-ize the epoch Signed-off-by: Patrick Uiterwijk --- roles/basessh/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml index b57b770950..424a85d34f 100644 --- a/roles/basessh/tasks/main.yml +++ b/roles/basessh/tasks/main.yml @@ -133,7 +133,7 @@ set_fact: certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]" with_items: "{{ssh_cert_files.results}}" - when: "item.stat.exists and item.stat.mtime|int < (ansible_date_time.epoch - 25920000)" + when: "item.stat.exists and item.stat.mtime|int < (ansible_date_time.epoch|int - 25920000)" tags: - basessh - sshd_cert 
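Review bot: The `25920000` in the `when` expression is a magic number; it equals 300 × 86400 seconds, i.e. 300 days, which the commit series describes as "10 months". A comment above the task, `# 25920000 s = 300 days (~10 months): re-sign certs whose mtime is older than this`, would save the next reader the arithmetic, or the value could be written inline as `(300 * 86400)`. The `certs_to_sign` and `ssh_cert_files` variables the task relies on are set by tasks outside the hunk.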
From d33a6da7c0d079f13f07780fa1a829498516f533 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 16 Aug 2018 19:16:13 +0000 Subject: [PATCH 030/289] make bkernel03 use uefi --- roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org index 83800a4f99..d72adaf04e 100644 --- a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org +++ b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org @@ -74,7 +74,7 @@ subnet 10.5.125.0 netmask 255.255.255.0 { fixed-address 10.5.125.81; option host-name "bkernel03"; next-server 10.5.126.41; - filename "pxelinux.0"; + filename "uefi/bootx64.efi"; } host bkernel04 { From 0f6a18c0be0b0cb8abae4f58aece894793990f57 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 16 Aug 2018 19:25:02 +0000 Subject: [PATCH 031/289] and we have dl01 now on vh01 --- .../download01.phx2.fedoraproject.org | 28 +++++++++++++++++++ inventory/inventory | 1 + 2 files changed, 29 insertions(+) diff --git a/inventory/host_vars/download01.phx2.fedoraproject.org b/inventory/host_vars/download01.phx2.fedoraproject.org index 0b4585f104..dec3de7042 100644 --- a/inventory/host_vars/download01.phx2.fedoraproject.org +++ b/inventory/host_vars/download01.phx2.fedoraproject.org 
@@ -2,3 +2,31 @@ gw: 10.5.126.254 eth0_ip: 10.5.126.93 eth1_ip: 10.5.127.101 + +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/ + +vmhost: virthost01.phx2.fedoraproject.org +volgroup: /dev/vg_guests +# +# We need this to install with 2 nics +# +virt_install_command: "{{ virt_install_command_two_nic }}" + +main_bridge: br0 +nfs_bridge: br1 + +datacenter: phx2 + +tcp_ports: [80, 443, 873] +rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}" + +nrpe_procs_warn: 1200 +nrpe_procs_crit: 1400 + +mem_size: 16384 +max_mem_size: 20480 +lvm_size: 20000 +num_cpus: 8 + +vpn: false diff --git a/inventory/inventory b/inventory/inventory index be90c8653d..3fe17a0bd7 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -361,6 +361,7 @@ download05.phx2.fedoraproject.org #download-rdu01.fedoraproject.org [download-phx2-virtual] +download01.phx2.fedoraproject.org download06.phx2.fedoraproject.org From 2458444a1082f991fb8b394222f7cce3bd770f81 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 19:30:44 +0000 Subject: [PATCH 032/289] Add tang0{1,2} to inventory Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/tang | 22 +++++++++++++++++++ .../host_vars/tang01.phx2.fedoraproject.org | 4 ++++ .../host_vars/tang02.phx2.fedoraproject.org | 4 ++++ inventory/inventory | 4 ++++ 4 files changed, 34 insertions(+) create mode 100644 inventory/group_vars/tang create mode 100644 inventory/host_vars/tang01.phx2.fedoraproject.org create mode 100644 inventory/host_vars/tang02.phx2.fedoraproject.org diff --git a/inventory/group_vars/tang b/inventory/group_vars/tang new file mode 100644 index 0000000000..7d72598af8 --- /dev/null +++ b/inventory/group_vars/tang 
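Review bot: `ks_url` and `ks_repo` point at plain `http://infrastructure.fedoraproject.org/...`, so the kickstart and the install tree arrive unauthenticated and the new host's integrity rests on the network path from the virthost; presumably this is an internal-only route, and a comment saying so (or pointing at where package signatures are checked) would record that assumption — the download02 hunk later in this series (patch 037) and the tang group_vars hunk (patch 032) carry the same pattern. A short why-comment on `tcp_ports: [80, 443, 873]`, e.g. `# 873: public rsync mirror`, would also save the next reader a lookup.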
@@ -0,0 +1,22 @@ +--- +nm: 255.255.255.0 +gw: 10.5.128.254 +dns: 10.5.126.21 + +ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ + +datacenter: phx2 + +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 4096 +num_cpus: 2 + +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +tcp_ports: [ +] + +fas_client_groups: sysadmin-main diff --git a/inventory/host_vars/tang01.phx2.fedoraproject.org b/inventory/host_vars/tang01.phx2.fedoraproject.org new file mode 100644 index 0000000000..e6df38db0b --- /dev/null +++ b/inventory/host_vars/tang01.phx2.fedoraproject.org @@ -0,0 +1,4 @@ +--- +volgroup: /dev/vg_guests +eth0_ip: 10.5.126.2 +vmhost: virthost12.stg.phx2.fedoraproject.org diff --git a/inventory/host_vars/tang02.phx2.fedoraproject.org b/inventory/host_vars/tang02.phx2.fedoraproject.org new file mode 100644 index 0000000000..9984ca68e5 --- /dev/null +++ b/inventory/host_vars/tang02.phx2.fedoraproject.org @@ -0,0 +1,4 @@ +--- +volgroup: /dev/vg_guests +eth0_ip: 10.5.126.3 +vmhost: virthost14.stg.phx2.fedoraproject.org diff --git a/inventory/inventory b/inventory/inventory index 3fe17a0bd7..074f5aeef6 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -554,6 +554,10 @@ qa12.qa.fedoraproject.org qa13.qa.fedoraproject.org qa14.qa.fedoraproject.org +[tang] +tang01.phx2.fedoraproject.org +tang02.phx2.fedoraproject.org + [torrent] torrent02.fedoraproject.org From f031fd2c7fa5180a4ab65faa817698e2d873484f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 19:33:54 +0000 Subject: [PATCH 033/289] Start tang playbook and role Signed-off-by: Patrick Uiterwijk --- playbooks/groups/tang.yml | 31 +++++++++++++++++++++++++++++++ roles/tang/tasks/main.yml | 5 +++++ 2 files changed, 36 insertions(+) create mode 100644 playbooks/groups/tang.yml create mode 100644 roles/tang/tasks/main.yml 
diff --git a/playbooks/groups/tang.yml b/playbooks/groups/tang.yml new file mode 100644 index 0000000000..66de6524d4 --- /dev/null +++ b/playbooks/groups/tang.yml @@ -0,0 +1,31 @@ +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=tang" + +- name: make the box be real + hosts: -stg + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + pre_tasks: + - import_tasks: "{{ tasks_path }}/yumrepos.yml" + + roles: + - base + - rkhunter + - nagios_client + - hosts + - fas_client + - rsyncd + - sudo + - tang + + tasks: + - import_tasks: "{{ tasks_path }}/2fa_client.yml" + - import_tasks: "{{ tasks_path }}/motd.yml" + + handlers: + - import_tasks: "{{ handlers_path }}/restart_services.yml" diff --git a/roles/tang/tasks/main.yml b/roles/tang/tasks/main.yml new file mode 100644 index 0000000000..38cc668dd1 --- /dev/null +++ b/roles/tang/tasks/main.yml @@ -0,0 +1,5 @@ +- name: install tang + package: name=tang state=present + tags: + - tang + - packages From 2189ba7643c6ee34a89625fcc6c161ac88882350 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 16 Aug 2018 19:35:43 +0000 Subject: [PATCH 034/289] confirm download01 set correctly --- inventory/host_vars/download01.phx2.fedoraproject.org | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/download01.phx2.fedoraproject.org b/inventory/host_vars/download01.phx2.fedoraproject.org index dec3de7042..470bc545ee 100644 --- a/inventory/host_vars/download01.phx2.fedoraproject.org +++ b/inventory/host_vars/download01.phx2.fedoraproject.org @@ -1,7 +1,7 @@ --- +nm: 255.255.255.0 gw: 10.5.126.254 -eth0_ip: 10.5.126.93 -eth1_ip: 10.5.127.101 +dns: 10.5.126.21 ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7 ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/ 
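Review bot: `hosts: -stg` does not name any group added in the inventory hunks of this series and looks like a copy-paste slip, so this play would target nothing as written; patch 041 later sets it to `hosts: tang`. The role list also pulls `rsyncd` onto the tang hosts; if it is only needed for the key backup configured in patch 045, a comment on that line saying so would stop someone from trimming it, and if it is not needed it is extra listening surface on a host whose keys other machines may depend on. Minor style: the file has no `---` document start and `gather_facts: True` would be `true`.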
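Review bot: `package: name=tang state=present` uses the key=value shorthand; block form is the convention for module arguments and is what yamllint and ansible-lint expect: `package:` / `  name: tang` / `  state: present`. The same applies to `systemd: name=tangd.socket enabled=yes state=started` added in patch 044, where `enabled: true` would also replace the YAML 1.1 `yes`. A one-line comment above that socket task, `# tangd is socket-activated; presumably listens on the port opened through the group's tcp_ports — confirm`, would tie the two settings together.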
@@ -13,6 +13,8 @@ volgroup: /dev/vg_guests # virt_install_command: "{{ virt_install_command_two_nic }}" +eth0_ip: 10.5.126.93 +eth1_ip: 10.5.127.101 main_bridge: br0 nfs_bridge: br1 From fb01406ec8913cb2e0c5755a95f04c8c840f70e2 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 19:42:13 +0000 Subject: [PATCH 035/289] These aren't stg virthosts Signed-off-by: Patrick Uiterwijk --- inventory/host_vars/tang01.phx2.fedoraproject.org | 2 +- inventory/host_vars/tang02.phx2.fedoraproject.org | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/tang01.phx2.fedoraproject.org b/inventory/host_vars/tang01.phx2.fedoraproject.org index e6df38db0b..fff7e1fd79 100644 --- a/inventory/host_vars/tang01.phx2.fedoraproject.org +++ b/inventory/host_vars/tang01.phx2.fedoraproject.org @@ -1,4 +1,4 @@ --- volgroup: /dev/vg_guests eth0_ip: 10.5.126.2 -vmhost: virthost12.stg.phx2.fedoraproject.org +vmhost: virthost12.phx2.fedoraproject.org diff --git a/inventory/host_vars/tang02.phx2.fedoraproject.org b/inventory/host_vars/tang02.phx2.fedoraproject.org index 9984ca68e5..66ebd9478f 100644 --- a/inventory/host_vars/tang02.phx2.fedoraproject.org +++ b/inventory/host_vars/tang02.phx2.fedoraproject.org @@ -1,4 +1,4 @@ --- volgroup: /dev/vg_guests eth0_ip: 10.5.126.3 -vmhost: virthost14.stg.phx2.fedoraproject.org +vmhost: virthost14.phx2.fedoraproject.org From 529b33e4a244a860437e77d3fa5a8c6c749ec6ff Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 16 Aug 2018 19:49:27 +0000 Subject: [PATCH 036/289] remove those from hosts --- inventory/group_vars/nagios | 2 -- 1 file changed, 2 deletions(-) diff --git a/inventory/group_vars/nagios b/inventory/group_vars/nagios index 9b922aab2d..35f76c6cac 100644 --- a/inventory/group_vars/nagios +++ b/inventory/group_vars/nagios 
@@ -142,8 +142,6 @@ phx2_management_limited: - qa07.mgmt.fedoraproject.org - sign-vault03.mgmt.fedoraproject.org - sign-vault04.mgmt.fedoraproject.org - - virthost-comm02.mgmt.fedoraproject.org - - virthost14.mgmt.fedoraproject.org phx2_management_slowping: - ppc8-01-fsp.mgmt.fedoraproject.org From a8ccf00000491ce003d2439fe7258150fe9bb3c5 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 16 Aug 2018 19:55:38 +0000 Subject: [PATCH 037/289] this may wokr --- .../download02.phx2.fedoraproject.org | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/inventory/host_vars/download02.phx2.fedoraproject.org b/inventory/host_vars/download02.phx2.fedoraproject.org index 03ff674206..a82c89030f 100644 --- a/inventory/host_vars/download02.phx2.fedoraproject.org +++ b/inventory/host_vars/download02.phx2.fedoraproject.org @@ -1,4 +1,34 @@ --- +nm: 255.255.255.0 gw: 10.5.126.254 +dns: 10.5.126.21 + +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/ + +vmhost: virthost02.phx2.fedoraproject.org +volgroup: /dev/vg_guests +# +# We need this to install with 2 nics +# +virt_install_command: "{{ virt_install_command_two_nic }}" + eth0_ip: 10.5.126.94 eth1_ip: 10.5.127.102 +main_bridge: br0 +nfs_bridge: br1 + +datacenter: phx2 + +tcp_ports: [80, 443, 873] +rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}" + +nrpe_procs_warn: 1200 +nrpe_procs_crit: 1400 + +mem_size: 16384 +max_mem_size: 20480 +lvm_size: 20000 +num_cpus: 8 + +vpn: false From f51eca6966cb18c7a520e33b48344a67edcd0e1c Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 20:00:06 +0000 Subject: [PATCH 038/289] USe the correct kickstart Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/tang | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/tang b/inventory/group_vars/tang index 7d72598af8..64217e22ed 100644 --- a/inventory/group_vars/tang 
+++ b/inventory/group_vars/tang @@ -3,7 +3,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ datacenter: phx2 From fd0dc154b11f6deebd14a1135ba08d2de1d4a093 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 16 Aug 2018 20:06:03 +0000 Subject: [PATCH 039/289] hey you set up this group.. you should know to use it --- inventory/inventory | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/inventory b/inventory/inventory index 074f5aeef6..54f8717ad0 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -362,6 +362,7 @@ download05.phx2.fedoraproject.org [download-phx2-virtual] download01.phx2.fedoraproject.org +download02.phx2.fedoraproject.org download06.phx2.fedoraproject.org From 1368dd1a32e3ff9ecad72193026403e59cba40f3 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 20:23:36 +0000 Subject: [PATCH 040/289] Fix the off-by-eone in IPs Signed-off-by: Patrick Uiterwijk --- inventory/host_vars/tang01.phx2.fedoraproject.org | 2 +- inventory/host_vars/tang02.phx2.fedoraproject.org | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/tang01.phx2.fedoraproject.org b/inventory/host_vars/tang01.phx2.fedoraproject.org index fff7e1fd79..e76277b4e5 100644 --- a/inventory/host_vars/tang01.phx2.fedoraproject.org +++ b/inventory/host_vars/tang01.phx2.fedoraproject.org @@ -1,4 +1,4 @@ --- volgroup: /dev/vg_guests -eth0_ip: 10.5.126.2 +eth0_ip: 10.5.126.3 vmhost: virthost12.phx2.fedoraproject.org diff --git a/inventory/host_vars/tang02.phx2.fedoraproject.org b/inventory/host_vars/tang02.phx2.fedoraproject.org index 66ebd9478f..4a39e14829 100644 --- a/inventory/host_vars/tang02.phx2.fedoraproject.org +++ b/inventory/host_vars/tang02.phx2.fedoraproject.org 
@@ -1,4 +1,4 @@ --- volgroup: /dev/vg_guests -eth0_ip: 10.5.126.3 +eth0_ip: 10.5.126.4 vmhost: virthost14.phx2.fedoraproject.org From c362643f892be9671fd6929ffe0d9011dcfbe7d0 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 20:31:47 +0000 Subject: [PATCH 041/289] Fix names in the tang playbook Signed-off-by: Patrick Uiterwijk --- playbooks/groups/tang.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/tang.yml b/playbooks/groups/tang.yml index 66de6524d4..8c722cd94d 100644 --- a/playbooks/groups/tang.yml +++ b/playbooks/groups/tang.yml @@ -1,7 +1,7 @@ - import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=tang" - name: make the box be real - hosts: -stg + hosts: tang user: root gather_facts: True From 9c2e78fb51229e69bc9e75900f8e713786b86f33 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 16 Aug 2018 20:32:35 +0000 Subject: [PATCH 042/289] remove download06 --- inventory/inventory | 2 -- 1 file changed, 2 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index 54f8717ad0..479c6b75c3 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -344,7 +344,6 @@ download02.phx2.fedoraproject.org download03.phx2.fedoraproject.org download04.phx2.fedoraproject.org download05.phx2.fedoraproject.org -download06.phx2.fedoraproject.org [download-ibiblio] download-ib01.fedoraproject.org @@ -363,7 +362,6 @@ download05.phx2.fedoraproject.org [download-phx2-virtual] download01.phx2.fedoraproject.org download02.phx2.fedoraproject.org -download06.phx2.fedoraproject.org [download:children] From 6d455355b57c2102b3cff8ee58eb6b2403f6d012 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 16 Aug 2018 20:49:35 +0000 Subject: [PATCH 043/289] and this should remove 2 mgmt from nagios --- inventory/group_vars/nagios | 2 -- 1 file changed, 2 deletions(-) diff --git a/inventory/group_vars/nagios b/inventory/group_vars/nagios index 35f76c6cac..c53c8eb770 100644 
--- a/inventory/group_vars/nagios +++ b/inventory/group_vars/nagios @@ -74,8 +74,6 @@ phx2_management_hosts: - cn-x86-64-02-01.mgmt.fedoraproject.org - cn-x86-64-02-02.mgmt.fedoraproject.org - cloud-fx02.mgmt.fedoraproject.org - - download01.mgmt.fedoraproject.org - - download02.mgmt.fedoraproject.org - download03.mgmt.fedoraproject.org - download04.mgmt.fedoraproject.org - download05.mgmt.fedoraproject.org From e86963be95f0a0dbcc34ca09a015142c8c83cd56 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 20:51:47 +0000 Subject: [PATCH 044/289] Start and enable tang Signed-off-by: Patrick Uiterwijk --- roles/tang/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/tang/tasks/main.yml b/roles/tang/tasks/main.yml index 38cc668dd1..d1d40dfab8 100644 --- a/roles/tang/tasks/main.yml +++ b/roles/tang/tasks/main.yml @@ -3,3 +3,8 @@ tags: - tang - packages + +- name: Enable and start tang + systemd: name=tangd.socket enabled=yes state=started + tags: + - tang From 587575843f648ae9c3c6882a48859cf6bc014228 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 20:52:50 +0000 Subject: [PATCH 045/289] Backup tang keys Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/tang | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/inventory/group_vars/tang b/inventory/group_vars/tang index 64217e22ed..8e4850365c 100644 --- a/inventory/group_vars/tang +++ b/inventory/group_vars/tang @@ -6,6 +6,8 @@ dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ +host_backup_targets: ['/var/db/tang'] + datacenter: phx2 # Define resources for this group of hosts here. @@ -16,7 +18,6 @@ num_cpus: 2 # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file -tcp_ports: [ -] +tcp_ports: [80] fas_client_groups: sysadmin-main 
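Review bot: `host_backup_targets: ['/var/db/tang']` copies Tang's server key directory to the backup host, so the backups now carry material that, if these hosts serve Clevis-bound disks, other systems' encryption depends on, and they need the same access controls as the tang hosts themselves; a comment on that line stating this would help whoever manages the backup side. Whether the backup store is restricted is not visible here — worth confirming. `tcp_ports: [80]` replaces the two-line empty list from patch 032; `[]` would have been the clearer way to write the original.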
From 6a4d1323cf8128a4c321de30d5e67c961af61193 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 16 Aug 2018 20:57:30 +0000 Subject: [PATCH 046/289] tang is available for staging Signed-off-by: Patrick Uiterwijk --- inventory/inventory | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inventory/inventory b/inventory/inventory index 479c6b75c3..e0fe44ec19 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -864,6 +864,8 @@ proxy10.phx2.fedoraproject.org proxy101.phx2.fedoraproject.org proxy110.phx2.fedoraproject.org openqa-stg01.qa.fedoraproject.org +tang01.phx2.fedoraproject.org +tang02.phx2.fedoraproject.org [statscache:children] statscache-web From 5fd28b348b1009a8f244ac7cd9c3048f7a204fcb Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Thu, 16 Aug 2018 21:10:58 +0000 Subject: [PATCH 047/289] certgetter01 -> f28 Signed-off-by: Rick Elrod --- inventory/host_vars/certgetter01.phx2.fedoraproject.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/certgetter01.phx2.fedoraproject.org b/inventory/host_vars/certgetter01.phx2.fedoraproject.org index 00bd41fde6..21a44dc613 100644 --- a/inventory/host_vars/certgetter01.phx2.fedoraproject.org +++ b/inventory/host_vars/certgetter01.phx2.fedoraproject.org @@ -3,8 +3,8 @@ nm: 255.255.255.0 gw: 10.5.126.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.126.237 From 8ad66857098816f896899421c8e9a2a3698c1eca Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Thu, 16 Aug 2018 21:27:53 +0000 Subject: [PATCH 048/289] move yumrepos to pre_tasks Signed-off-by: Rick Elrod --- playbooks/groups/certgetter.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/playbooks/groups/certgetter.yml b/playbooks/groups/certgetter.yml index 65c2e97a70..95290922d0 100644 --- a/playbooks/groups/certgetter.yml +++ b/playbooks/groups/certgetter.yml @@ -21,8 +21,10 @@ - { role: openvpn/client, when: env != "staging" } - tasks: + pre_tasks: - import_tasks: "{{ tasks_path }}/yumrepos.yml" + + tasks: - import_tasks: "{{ tasks_path }}/2fa_client.yml" - import_tasks: "{{ tasks_path }}/motd.yml" From 9b284e379940662274e70c297d5c3178215d1eb2 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 16 Aug 2018 22:14:27 +0000 Subject: [PATCH 049/289] maybe this will make pxe boot work again? --- .../files/dhcpd.conf.noc01.phx2.fedoraproject.org | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org index d72adaf04e..bc4b30c7d5 100644 --- a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org +++ b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org @@ -335,8 +335,18 @@ subnet 10.5.126.0 netmask 255.255.255.0 { fixed-address 10.5.126.142; next-server 10.5.126.41; option host-name "virthost02"; + filename "pxelinux.0"; } + host virthost03 { + hardware ethernet f0:1f:af:e1:d9:d8; + fixed-address 10.5.126.143; + next-server 10.5.126.41; + option host-name "virthost03"; + filename "pxelinux.0"; + } + + host virthost06 { hardware ethernet 18:66:da:f7:7a:58; fixed-address 10.5.126.146; From d458a087d8ae16dfd799ca5f1a3631baf53a24c3 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 16 Aug 2018 22:57:25 +0000 Subject: [PATCH 050/289] Drop bkernel01 and add bkernel03 --- inventory/builders | 2 +- inventory/group_vars/nagios | 2 +- inventory/host_vars/bkernel01.phx2.fedoraproject.org | 4 ---- inventory/inventory | 1 - 4 files changed, 2 insertions(+), 7 deletions(-) delete mode 100644 inventory/host_vars/bkernel01.phx2.fedoraproject.org 
diff --git a/inventory/builders b/inventory/builders index 301bd38488..1b64f7f8b1 100644 --- a/inventory/builders +++ b/inventory/builders @@ -232,8 +232,8 @@ buildvm-ppc64le-18.ppc.fedoraproject.org buildvm-ppc64le-19.ppc.fedoraproject.org [bkernel] -bkernel01.phx2.fedoraproject.org bkernel02.phx2.fedoraproject.org +bkernel03.phx2.fedoraproject.org # # These are misc diff --git a/inventory/group_vars/nagios b/inventory/group_vars/nagios index c53c8eb770..d9ffa3ae7d 100644 --- a/inventory/group_vars/nagios +++ b/inventory/group_vars/nagios @@ -127,8 +127,8 @@ phx2_management_hosts: # to test ping against. No http/https # phx2_management_limited: - - bkernel01.mgmt.fedoraproject.org - bkernel02.mgmt.fedoraproject.org + - bkernel03.mgmt.fedoraproject.org - fed-cloud-ppc01.mgmt.fedoraproject.org - fed-cloud-ppc02.mgmt.fedoraproject.org - moonshot01-ilo.mgmt.fedoraproject.org diff --git a/inventory/host_vars/bkernel01.phx2.fedoraproject.org b/inventory/host_vars/bkernel01.phx2.fedoraproject.org deleted file mode 100644 index c07c1e5ed4..0000000000 --- a/inventory/host_vars/bkernel01.phx2.fedoraproject.org +++ /dev/null @@ -1,4 +0,0 @@ ---- -gw: 10.5.125.254 -eth0_ip: 10.5.125.51 -eth1_ip: 10.5.127.30 diff --git a/inventory/inventory b/inventory/inventory index e0fe44ec19..287728a1c2 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -229,7 +229,6 @@ mdapi01.phx2.fedoraproject.org mdapi01.stg.phx2.fedoraproject.org [minimal] -bkernel03.phx2.fedoraproject.org bkernel04.phx2.fedoraproject.org [modernpaste] From b0fbba8b956cd88e97b838abadfdeaba580cb4ef Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 16 Aug 2018 23:27:06 +0000 Subject: [PATCH 051/289] do not need bkernel03 in nagios vars twice --- inventory/group_vars/nagios | 1 - 1 file changed, 1 deletion(-) diff --git a/inventory/group_vars/nagios b/inventory/group_vars/nagios index d9ffa3ae7d..1c7060396f 100644 --- a/inventory/group_vars/nagios +++ b/inventory/group_vars/nagios 
@@ -128,7 +128,6 @@ phx2_management_hosts: # phx2_management_limited: - bkernel02.mgmt.fedoraproject.org - - bkernel03.mgmt.fedoraproject.org - fed-cloud-ppc01.mgmt.fedoraproject.org - fed-cloud-ppc02.mgmt.fedoraproject.org - moonshot01-ilo.mgmt.fedoraproject.org From 8cd0afc8a20fc409ae257b9c5dc7d0e7742dd3e5 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 16 Aug 2018 23:33:35 +0000 Subject: [PATCH 052/289] bkernel01 is back again --- inventory/builders | 1 + inventory/group_vars/nagios | 1 + inventory/host_vars/bkernel01.phx2.fedoraproject.org | 4 ++++ 3 files changed, 6 insertions(+) create mode 100644 inventory/host_vars/bkernel01.phx2.fedoraproject.org diff --git a/inventory/builders b/inventory/builders index 1b64f7f8b1..5454374819 100644 --- a/inventory/builders +++ b/inventory/builders @@ -232,6 +232,7 @@ buildvm-ppc64le-18.ppc.fedoraproject.org buildvm-ppc64le-19.ppc.fedoraproject.org [bkernel] +bkernel01.phx2.fedoraproject.org bkernel02.phx2.fedoraproject.org bkernel03.phx2.fedoraproject.org diff --git a/inventory/group_vars/nagios b/inventory/group_vars/nagios index 1c7060396f..c53c8eb770 100644 --- a/inventory/group_vars/nagios +++ b/inventory/group_vars/nagios @@ -127,6 +127,7 @@ phx2_management_hosts: # to test ping against. No http/https # phx2_management_limited: + - bkernel01.mgmt.fedoraproject.org - bkernel02.mgmt.fedoraproject.org - fed-cloud-ppc01.mgmt.fedoraproject.org - fed-cloud-ppc02.mgmt.fedoraproject.org diff --git a/inventory/host_vars/bkernel01.phx2.fedoraproject.org b/inventory/host_vars/bkernel01.phx2.fedoraproject.org new file mode 100644 index 0000000000..c07c1e5ed4 --- /dev/null +++ b/inventory/host_vars/bkernel01.phx2.fedoraproject.org @@ -0,0 +1,4 @@ +--- +gw: 10.5.125.254 +eth0_ip: 10.5.125.51 +eth1_ip: 10.5.127.30 From 255736f4a21decd559d5c4252d8049e961ce1871 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Thu, 16 Aug 2018 23:53:46 +0000 Subject: [PATCH 053/289] add tang to master --- master.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/master.yml b/master.yml index 45677193cf..369a7c5f53 100644 --- a/master.yml +++ b/master.yml @@ -98,6 +98,7 @@ - import_playbook: /srv/web/infra/ansible/playbooks/groups/statscache.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/sundries.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/tagger.yml +- import_playbook: /srv/web/infra/ansible/playbooks/groups/tang.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/taskotron.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/taskotron-client-hosts.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/torrent.yml From f6b423f4f760f5c2aa1f667aecc63fe4ad160ef4 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Aug 2018 00:08:21 +0000 Subject: [PATCH 054/289] add tang01 to backups --- inventory/backups | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/backups b/inventory/backups index c6aa3d3d32..dfe122e765 100644 --- a/inventory/backups +++ b/inventory/backups @@ -22,6 +22,7 @@ copr-keygen.cloud.fedoraproject.org #copr-dist-git.fedorainfracloud.org value01.phx2.fedoraproject.org taiga.fedorainfracloud.org +tang01.phx2.fedoraproject.org taskotron01.qa.fedoraproject.org nuancier01.phx2.fedoraproject.org magazine2.fedorainfracloud.org From 4c7408a84001a75e3b69642d3cccfebbebe4da5d Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Aug 2018 00:21:34 +0000 Subject: [PATCH 055/289] switch virthost03 to uefi --- roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org index bc4b30c7d5..dc52712d53 100644 --- a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org 
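Review bot: Only `tang01.phx2.fedoraproject.org` is added to the backup inventory, while `host_backup_targets: ['/var/db/tang']` is set on the whole `tang` group (patch 045); unless tang02's keys are synced from tang01, tang02's `/var/db/tang` is not backed up and anything bound to it would be unrecoverable if that host is lost. Either add `tang02.phx2.fedoraproject.org` here as well or add a comment next to the tang01 entry explaining why one host suffices.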
+++ b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org @@ -343,7 +343,7 @@ subnet 10.5.126.0 netmask 255.255.255.0 { fixed-address 10.5.126.143; next-server 10.5.126.41; option host-name "virthost03"; - filename "pxelinux.0"; + filename "/uefi/bootx64.efi"; } From 84f4047823a4b262be17bae6c162c492a84af669 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 02:29:24 +0000 Subject: [PATCH 056/289] UEFI path names do not start with a slash Signed-off-by: Patrick Uiterwijk --- roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org index dc52712d53..5fcd4f25b1 100644 --- a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org +++ b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org @@ -343,7 +343,7 @@ subnet 10.5.126.0 netmask 255.255.255.0 { fixed-address 10.5.126.143; next-server 10.5.126.41; option host-name "virthost03"; - filename "/uefi/bootx64.efi"; + filename "uefi/bootx64.efi"; } From 0b9a537bad70a332890ae213d0f7c3e59fc69ab0 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 03:15:50 +0000 Subject: [PATCH 057/289] Let's not do container builds on the bkernel's Signed-off-by: Patrick Uiterwijk --- roles/koji_builder/templates/kojid.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf index d582eced1d..859680fc1e 100644 --- a/roles/koji_builder/templates/kojid.conf +++ b/roles/koji_builder/templates/kojid.conf @@ -138,7 +138,7 @@ plugins = runroot {% else %} -{% if ansible_architecture == 'x86_64' %} +{% if ansible_architecture == 'x86_64' and not ansible_inventory_hostname.startswith('bkernel') %} plugins = builder_containerbuild {% else %} plugins = 
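Review bot: This is the second edit to this `filename` line in two commits (055 added a leading slash, this one removes it), and bkernel03 in patch 030 uses the same form; a comment above the UEFI entries, `# filename is relative to the TFTP root; no leading slash for the UEFI loader`, would keep the next editor from repeating the detour. The commit subject is the only place that rule is recorded today.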
From 6324505656ab351f6b3e89c3c92bd8c7ccf65beb Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 03:18:27 +0000 Subject: [PATCH 058/289] Install osbs client on builders where needed Signed-off-by: Patrick Uiterwijk --- roles/koji_builder/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 5392290d05..90efdcacee 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -214,6 +214,16 @@ tags: - koji_builder +# non-bkernel x86_64 builders run container_build, which needs osbs +- name: special pkgs for the x86_64 builders + package: state=present pkg={{ item }} + with_items: + - python2-osbs-client.noarch + - python3-osbs-client.noarch + when: "ansible_architecture == 'x86_64' and not ansible_inventory_hostname.startswith('bkernel')" + tags: + - koji_builder + # Before, the builders had the "apache" role. This is a temporary play to remove the httpd daemon everywhere - name: Uninstall httpd package: name=httpd From 7d27c45973016f54aafcfc229c0f472d6e06f504 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 03:20:07 +0000 Subject: [PATCH 059/289] This variable does not start with ansible_ Signed-off-by: Patrick Uiterwijk --- roles/koji_builder/tasks/main.yml | 2 +- roles/koji_builder/templates/kojid.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 90efdcacee..921daa8cc7 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -220,7 +220,7 @@ with_items: - python2-osbs-client.noarch - python3-osbs-client.noarch - when: "ansible_architecture == 'x86_64' and not ansible_inventory_hostname.startswith('bkernel')" + when: "ansible_architecture == 'x86_64' and not inventory_hostname.startswith('bkernel')" tags: - koji_builder 
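Review bot: The condition `ansible_architecture == 'x86_64' and not ansible_inventory_hostname.startswith('bkernel')` is now written twice, once here and once in `kojid.conf` (patch 057), and patch 059 already has to fix the variable name in both places; hoisting it into one boolean fact (set once in the role's vars or by an early `set_fact` in this task file — name to be chosen) and referencing that from both the task and the template removes the drift. Installing the two packages via `with_items` also runs two separate transactions; on Ansible versions that accept a list, passing it directly (`package:` / `  name:` / `    - python2-osbs-client.noarch` / `    - python3-osbs-client.noarch` / `  state: present`) installs them in one.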
diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf index 859680fc1e..3c28a3372e 100644 --- a/roles/koji_builder/templates/kojid.conf +++ b/roles/koji_builder/templates/kojid.conf @@ -138,7 +138,7 @@ plugins = runroot {% else %} -{% if ansible_architecture == 'x86_64' and not ansible_inventory_hostname.startswith('bkernel') %} +{% if ansible_architecture == 'x86_64' and not inventory_hostname.startswith('bkernel') %} plugins = builder_containerbuild {% else %} plugins = From 758af3f7d61f0b48e5d6283113167fd2a4dc2860 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 04:28:14 +0000 Subject: [PATCH 060/289] Make bastion use new server cert Signed-off-by: Patrick Uiterwijk --- roles/openvpn/server/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml index dd760b103c..5c1b1d8c5b 100644 --- a/roles/openvpn/server/tasks/main.yml +++ b/roles/openvpn/server/tasks/main.yml @@ -27,16 +27,16 @@ - { file: server.conf, dest: /etc/openvpn/server/openvpn.conf, mode: '0644' } - - { file: "{{ private }}/files/vpn/openvpn/keys/crl.pem", + - { file: "{{ private }}/files/vpn/pki/crl.pem", dest: /etc/openvpn/server/crl.pem, mode: '0644' } - - { file: "{{ private }}/files/vpn/openvpn/keys/server.crt", + - { file: "{{ private }}/files/vpn/pki/issued/bastion.fedoraproject.org.crt", dest: /etc/openvpn/server/server.crt, mode: '0644' } - - { file: "{{ private }}/files/vpn/openvpn/keys/server.key", + - { file: "{{ private }}/files/vpn/openvpn/private/bastion.fedoraproject.org.key", dest: /etc/openvpn/server/server.key, mode: '0600' } - - { file: "{{ private }}/files/vpn/openvpn/keys/dh2048.pem", + - { file: "{{ private }}/files/vpn/openvpn/dh2048.pem", dest: /etc/openvpn/server/dh2048.pem, mode: '0644' } tags: From a1b11705e70c7355d0c8a00d26bce57695659a34 Mon Sep 17 00:00:00 2001 
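Review bot: The server certificate and key are looked up by a hard-coded name, `{{ private }}/files/vpn/pki/issued/bastion.fedoraproject.org.crt` and `.../private/bastion.fedoraproject.org.key`, while the client role uses `{{ inventory_hostname }}` (patches 064 and 065); if this role ever runs on a second VPN server it would silently ship bastion's key, so either use `{{ inventory_hostname }}` here too or keep a variable for the name with a comment explaining why it is fixed. The `.../openvpn/private/...` and `.../openvpn/dh2048.pem` paths in this hunk are wrong and corrected in 062 and 063; a single base variable such as `vpn_pki_dir: "{{ private }}/files/vpn/pki"` (a name chosen for illustration) referenced by the server, base (061) and client hunks would have made the layout move a one-place change. The key staying at mode '0600' and the crt/crl at '0644' is right.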
From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 04:30:09 +0000 Subject: [PATCH 061/289] Fix ca.crt path Signed-off-by: Patrick Uiterwijk --- roles/openvpn/base/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index 3037fb4141..9a0ba8db1c 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml @@ -20,7 +20,7 @@ when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined - name: Install certificate and key (rhel6 and fedora24 and older) - copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt + copy: src={{ private }}/files/vpn/pki/ca.crt dest=/etc/openvpn/ca.crt owner=root group=root mode=0600 tags: @@ -33,7 +33,7 @@ when: ansible_distribution_major_version|int < 25 - name: Install certificate and key (rhel7 or fedora) for client - copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt + copy: src={{ private }}/files/vpn/pki/ca.crt dest=/etc/openvpn/client/ca.crt owner=root group=root mode=0600 tags: @@ -46,7 +46,7 @@ when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24 ) and ansible_cmdline.ostree is not defined - name: Install certificate and key (rhel7 or fedora) for server - copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt + copy: src={{ private }}/files/vpn/pki/ca.crt dest=/etc/openvpn/server/ca.crt owner=root group=root mode=0600 tags: From 7016d073a09fdfddd764e483d558ab1bc2fa7837 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 04:31:42 +0000 Subject: [PATCH 062/289] Fix up dh2048 path Signed-off-by: Patrick Uiterwijk --- roles/openvpn/server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml index 5c1b1d8c5b..c2c924b71a 100644 --- a/roles/openvpn/server/tasks/main.yml +++ b/roles/openvpn/server/tasks/main.yml 
@@ -36,7 +36,7 @@ - { file: "{{ private }}/files/vpn/openvpn/private/bastion.fedoraproject.org.key", dest: /etc/openvpn/server/server.key, mode: '0600' } - - { file: "{{ private }}/files/vpn/openvpn/dh2048.pem", + - { file: "{{ private }}/files/vpn/dh2048.pem", dest: /etc/openvpn/server/dh2048.pem, mode: '0644' } tags: From 7b90e30af8b4b3e5ceec956a433635c34661fad7 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 04:32:29 +0000 Subject: [PATCH 063/289] Fix directory name Signed-off-by: Patrick Uiterwijk --- roles/openvpn/server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml index c2c924b71a..2d763bd3ae 100644 --- a/roles/openvpn/server/tasks/main.yml +++ b/roles/openvpn/server/tasks/main.yml @@ -33,7 +33,7 @@ - { file: "{{ private }}/files/vpn/pki/issued/bastion.fedoraproject.org.crt", dest: /etc/openvpn/server/server.crt, mode: '0644' } - - { file: "{{ private }}/files/vpn/openvpn/private/bastion.fedoraproject.org.key", + - { file: "{{ private }}/files/vpn/pki/private/bastion.fedoraproject.org.key", dest: /etc/openvpn/server/server.key, mode: '0600' } - { file: "{{ private }}/files/vpn/dh2048.pem", From 78ae75ac8a5132145515f1c8a1d1b1b7a61682a3 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 04:39:50 +0000 Subject: [PATCH 064/289] Fix client cert paths Signed-off-by: Patrick Uiterwijk --- roles/openvpn/client/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index ba2d215e49..ff1c571394 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml 
@@ -27,10 +27,10 @@ - { file: client.conf, dest: /etc/openvpn/client/openvpn.conf, mode: '0644' } - - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.crt", + - { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt", dest: "/etc/openvpn/client/client.crt", mode: '0600' } - - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.key", + - { file: "{{ private }}/files/vpn/pki/private/{{ inventory_hostname }}.key", dest: "/etc/openvpn/client/client.key", mode: '0600' } tags: From 64f17dd5f73b2f5ba9f450a4d919f265ae126df6 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 04:55:48 +0000 Subject: [PATCH 065/289] Also fix paths for el6 Signed-off-by: Patrick Uiterwijk --- roles/openvpn/client/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index ff1c571394..27c150d16a 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -50,10 +50,10 @@ - { file: client.conf, dest: /etc/openvpn/openvpn.conf, mode: '0644' } - - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.crt", + - { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt", dest: "/etc/openvpn/client.crt", mode: '0600' } - - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.key", + - { file: "{{ private }}/files/vpn/pki/private/{{ inventory_hostname }}.key", dest: "/etc/openvpn/client.key", mode: '0600' } tags: From 212462fcc45f0038566d99ad3f03b788256833af Mon Sep 17 00:00:00 2001 
From: clime Date: Fri, 17 Aug 2018 07:58:11 +0200 Subject: [PATCH 066/289] add updated mock-core-configs files for rawhide --- .../files/mock/fedora-rawhide-i386.cfg | 48 +++++++++++++++++++ .../files/mock/fedora-rawhide-ppc64le.cfg | 48 +++++++++++++++++++ .../files/mock/fedora-rawhide-x86_64.cfg | 48 +++++++++++++++++++ 3 files changed, 144 insertions(+) create mode 100644 roles/copr/backend/files/provision/files/mock/fedora-rawhide-i386.cfg create mode 100644 roles/copr/backend/files/provision/files/mock/fedora-rawhide-ppc64le.cfg create mode 100644 roles/copr/backend/files/provision/files/mock/fedora-rawhide-x86_64.cfg diff --git a/roles/copr/backend/files/provision/files/mock/fedora-rawhide-i386.cfg b/roles/copr/backend/files/provision/files/mock/fedora-rawhide-i386.cfg new file mode 100644 index 0000000000..0912b5e1b1 --- /dev/null +++ b/roles/copr/backend/files/provision/files/mock/fedora-rawhide-i386.cfg 
@@ -0,0 +1,48 @@ +config_opts['root'] = 'fedora-rawhide-i386' +config_opts['target_arch'] = 'i686' +config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') +config_opts['chroot_setup_cmd'] = 'install @buildsys-build' +config_opts['dist'] = 'rawhide' # only useful for --resultdir variable subst +config_opts['extra_chroot_dirs'] = [ '/run/lock', ] +config_opts['releasever'] = '30' + +config_opts['package_manager'] = 'dnf' + +config_opts['yum.conf'] = """ +[main] +keepcache=1 +debuglevel=2 +reposdir=/dev/null +logfile=/var/log/yum.log +retries=20 +obsoletes=1 +gpgcheck=0 +assumeyes=1 +syslog_ident=mock +syslog_device= +install_weak_deps=0 +metadata_expire=0 +best=1 + +# repos + +[fedora] +name=fedora +metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-29-primary +gpgcheck=1 +skip_if_unavailable=False + +[local] +name=local +baseurl=https://kojipkgs.fedoraproject.org/repos/rawhide/latest/i386 +cost=2000 +enabled=0 +skip_if_unavailable=False + +[fedora-debuginfo] +name=Fedora Rawhide - i386 - Debug +metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide-debug&arch=$basearch +enabled=0 +skip_if_unavailable=False +""" diff --git a/roles/copr/backend/files/provision/files/mock/fedora-rawhide-ppc64le.cfg b/roles/copr/backend/files/provision/files/mock/fedora-rawhide-ppc64le.cfg new file mode 100644 index 0000000000..9661c7120a --- /dev/null +++ b/roles/copr/backend/files/provision/files/mock/fedora-rawhide-ppc64le.cfg 
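Review bot: `gpgcheck=0` in `[main]` is the effective setting for the `[local]` (kojipkgs rawhide) and `[fedora-debuginfo]` repos, which set no `gpgcheck` of their own, so only `[fedora]` verifies package signatures; that is the usual arrangement for unsigned koji repos but deserves a comment such as `# [main] gpgcheck=0 applies to [local] and [fedora-debuginfo]; only [fedora] is signature-checked`. The `gpgkey` line hard-codes `RPM-GPG-KEY-fedora-29-primary` next to the `$releasever` (30) key, presumably to accept packages still signed with the previous key; note it, e.g. `# 29 key kept for packages not yet re-signed with the 30 key - drop once rawhide is fully re-signed`, or it will be forgotten. The same applies to the ppc64le and x86_64 files in the next two hunks, and the ppc64le file sets `debuglevel=1` where the other two use `2`, which looks unintentional.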
@@ -0,0 +1,48 @@ +config_opts['root'] = 'fedora-rawhide-ppc64le' +config_opts['target_arch'] = 'ppc64le' +config_opts['legal_host_arches'] = ('ppc64le',) +config_opts['chroot_setup_cmd'] = 'install @buildsys-build' +config_opts['dist'] = 'rawhide' # only useful for --resultdir variable subst +config_opts['extra_chroot_dirs'] = [ '/run/lock', ] +config_opts['releasever'] = '30' + +config_opts['package_manager'] = 'dnf' + +config_opts['yum.conf'] = """ +[main] +keepcache=1 +debuglevel=1 +reposdir=/dev/null +logfile=/var/log/yum.log +retries=20 +obsoletes=1 +gpgcheck=0 +assumeyes=1 +syslog_ident=mock +syslog_device= +install_weak_deps=0 +metadata_expire=0 +best=1 + +# repos + +[fedora] +name=fedora +metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-29-primary +gpgcheck=1 +skip_if_unavailable=False + +[local] +name=local +baseurl=https://kojipkgs.fedoraproject.org/repos/rawhide/latest/ppc64le/ +cost=2000 +enabled=0 +skip_if_unavailable=False + +[fedora-debuginfo] +name=Fedora Rawhide - ppc64le - Debug +metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide-debug&arch=$basearch +enabled=0 +skip_if_unavailable=False +""" diff --git a/roles/copr/backend/files/provision/files/mock/fedora-rawhide-x86_64.cfg b/roles/copr/backend/files/provision/files/mock/fedora-rawhide-x86_64.cfg new file mode 100644 index 0000000000..cd2edfe037 --- /dev/null +++ b/roles/copr/backend/files/provision/files/mock/fedora-rawhide-x86_64.cfg 
@@ -0,0 +1,48 @@ +config_opts['root'] = 'fedora-rawhide-x86_64' +config_opts['target_arch'] = 'x86_64' +config_opts['legal_host_arches'] = ('x86_64',) +config_opts['chroot_setup_cmd'] = 'install @buildsys-build' +config_opts['dist'] = 'rawhide' # only useful for --resultdir variable subst +config_opts['extra_chroot_dirs'] = [ '/run/lock', ] +config_opts['releasever'] = '30' + +config_opts['package_manager'] = 'dnf' + +config_opts['yum.conf'] = """ +[main] +keepcache=1 +debuglevel=2 +reposdir=/dev/null +logfile=/var/log/yum.log +retries=20 +obsoletes=1 +gpgcheck=0 +assumeyes=1 +syslog_ident=mock +syslog_device= +install_weak_deps=0 +metadata_expire=0 +best=1 + +# repos + +[fedora] +name=fedora +metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-29-primary +gpgcheck=1 +skip_if_unavailable=False + +[local] +name=local +baseurl=https://kojipkgs.fedoraproject.org/repos/rawhide/latest/x86_64/ +cost=2000 +enabled=0 +skip_if_unavailable=False + +[fedora-debuginfo] +name=Fedora Rawhide - x86_64 - Debug +metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide-debug&arch=$basearch +enabled=0 +skip_if_unavailable=False +""" From 97340c5144bfd459900bf11886163aa4a062939a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kamil=20P=C3=A1ral?= Date: Fri, 17 Aug 2018 13:32:10 +0200 Subject: [PATCH 067/289] taskotron: synchronize config with upstream changes --- .../templates/taskotron.yaml.j2 | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/roles/taskotron/taskotron-client/templates/taskotron.yaml.j2 b/roles/taskotron/taskotron-client/templates/taskotron.yaml.j2 index 1e0645f9ea..784bb190d0 100644 --- a/roles/taskotron/taskotron-client/templates/taskotron.yaml.j2 +++ b/roles/taskotron/taskotron-client/templates/taskotron.yaml.j2 
@@ -92,14 +92,6 @@ resultsdb_frontend: {{ resultsdb_external_url }} ## Please make sure the URL doesn't have a trailing slash. execdb_server: {{ execdb_external_url }} -## URL of taskotron buildmaster, to construct log URLs from. -## Please make sure the URL doesn't have a trailing slash. -taskotron_master: {{ taskotron_master }} - -## URL of artifacts base directory, to construct artifacts URLs from. -## Please make sure the URL doesn't have a trailing slash. -artifacts_baseurl: {{ artifacts_base_url }} - {% if deployment_type in ['dev'] %} ## URL of VAULT server API interface, which stores secrets. ## Please make sure the URL doesn't have a trailing slash. @@ -114,6 +106,16 @@ vault_username: {{ vault_api_username }} ## Password for vault server vault_password: {{ vault_api_password }} {% endif %} + +## URL of taskotron buildmaster, to construct log URLs from. +## Please make sure the URL doesn't have a trailing slash. +taskotron_master: {{ taskotron_master }} + +## URL of artifacts base directory, to construct artifacts URLs from. The final +## URL will be $artifacts_baseurl/. +## Please make sure the URL doesn't have a trailing slash. +artifacts_baseurl: {{ artifacts_base_url }} + ## Whether to cache downloaded files to speed up subsequent downloads. If True, ## files will be downloaded to a common directory specified by "cachedir". At ## the moment, Taskotron only supports Koji RPM downloads to be cached. @@ -154,7 +156,7 @@ imagesdir: {{ imagesdir }} force_imageurl: False ## Url of an image to download and use for disposable client, if force_imageurl was set -#imageurl: +#imageurl: http://download.fedoraproject.org/pub/fedora/linux/releases/27/CloudImages/x86_64/images/Fedora-Cloud-Base-27-1.6.x86_64.qcow2 ## Default distro/release/flavor/arch for the disposable images discovery #default_disposable_distro: fedora 
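Review bot: The added comment line `## URL will be $artifacts_baseurl/.` reads as truncated, as if the path suffix after the slash was lost while syncing from upstream; either complete it with the real suffix or shorten it to `## The final URL is built by appending the task's artifact path to $artifacts_baseurl.` The `#imageurl:` example in the third hunk points at a plain `http://download.fedoraproject.org/.../Fedora-Cloud-Base-27-1.6.x86_64.qcow2`; it is commented out today, but if `force_imageurl` is ever enabled this becomes the image the disposable clients boot from, so prefer an `https://` URL in the example and state whether the download is checksum-verified (not visible here). Moving `taskotron_master`/`artifacts_baseurl` below the `{% endif %}` only reorders keys and is fine.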
@@ -179,6 +181,10 @@ minion_repos: - copr:kparal/taskotron-dev {% endif %} +## If one or more minions repos fail to be added (e.g. not accessible), should +## we abort the execution or ignore the error and continue? +## [default: False] +minion_repos_ignore_errors: True ## ==== LOGGING section ==== ## This section contains configuration of logging. From 2f4b5cb94278e8dc0b3c2f0d56f0f50532fbd576 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kamil=20P=C3=A1ral?= Date: Fri, 17 Aug 2018 13:37:40 +0200 Subject: [PATCH 068/289] taskotron: update rawhide number for imagefactory/base_images --- roles/taskotron/imagefactory-client/templates/config.ini.j2 | 2 +- roles/taskotron/imagefactory/tasks/main.yml | 1 + roles/taskotron/imagefactory/templates/config_server.ini.j2 | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/taskotron/imagefactory-client/templates/config.ini.j2 b/roles/taskotron/imagefactory-client/templates/config.ini.j2 index 4c72a120e4..226e7293a6 100644 --- a/roles/taskotron/imagefactory-client/templates/config.ini.j2 +++ b/roles/taskotron/imagefactory-client/templates/config.ini.j2 @@ -1,4 +1,4 @@ [default] imgfac_base_url={{imagefactory_baseurl}} -rawhide=29 +rawhide=30 diff --git a/roles/taskotron/imagefactory/tasks/main.yml b/roles/taskotron/imagefactory/tasks/main.yml index 67deaa2e27..f987c17bc1 100644 --- a/roles/taskotron/imagefactory/tasks/main.yml +++ b/roles/taskotron/imagefactory/tasks/main.yml @@ -85,6 +85,7 @@ with_items: - 27 - 28 + - 29 - rawhide - name: Create cronjob to report failed builds diff --git a/roles/taskotron/imagefactory/templates/config_server.ini.j2 b/roles/taskotron/imagefactory/templates/config_server.ini.j2 index 0d4e1c2914..b4d04f33a9 100644 --- a/roles/taskotron/imagefactory/templates/config_server.ini.j2 +++ b/roles/taskotron/imagefactory/templates/config_server.ini.j2 
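Review bot: `minion_repos_ignore_errors: True` lets a minion continue when one of the `minion_repos` coprs cannot be added, so a task can run against stale packages with no visible failure; nothing in the hunk says why that is acceptable here, and the `[default: False]` line copied from upstream documents the opposite choice. Add a one-line reason, e.g. `## Enabled here so a copr outage does not block all task execution`, if that is the motivation, or scope it to the dev deployment with a `{% if deployment_type in ['dev'] %}` guard like the one just above. The value can stay `True` since the consumer is a Python/PyYAML config, but `true` is the portable spelling.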
@@ -1,6 +1,6 @@ [default] imgfac_base_url=http://127.0.0.1:8075/imagefactory -rawhide=29 +rawhide=30 mail_from={{deployment_type}}.imagefactory@qa.fedoraproject.org mail_to=jskladan@redhat.com tflink@redhat.com From 7f1ef594654288baabe44f72100bdb788cc3e05f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 13:56:08 +0000 Subject: [PATCH 069/289] Enable ssl auth plugin Signed-off-by: Patrick Uiterwijk --- roles/rabbitmq_cluster/files/enabled_plugins | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rabbitmq_cluster/files/enabled_plugins b/roles/rabbitmq_cluster/files/enabled_plugins index 352dfc4de1..6a9f28b93b 100644 --- a/roles/rabbitmq_cluster/files/enabled_plugins +++ b/roles/rabbitmq_cluster/files/enabled_plugins @@ -1 +1 @@ -[rabbitmq_management]. +[rabbitmq_management,rabbitmq_auth_mechanism_ssl]. From 29c479c291a0c23f99afdddce934c9f310fd9160 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 17 Aug 2018 14:19:33 +0000 Subject: [PATCH 070/289] Use just the common name from client certs Signed-off-by: Patrick Uiterwijk --- roles/rabbitmq_cluster/templates/rabbitmq.config | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rabbitmq_cluster/templates/rabbitmq.config b/roles/rabbitmq_cluster/templates/rabbitmq.config index a12d27edd1..3fa421d26e 100644 --- a/roles/rabbitmq_cluster/templates/rabbitmq.config +++ b/roles/rabbitmq_cluster/templates/rabbitmq.config @@ -3,6 +3,7 @@ [ %% We do not want plain TCP, only TLS {tcp_listeners, []}, + {ssl_cert_login_from, common_name}, %% Here goes TLS {ssl_listeners, [5671]}, {ssl_options, [{cacertfile, "/etc/rabbitmq/ca.crt"}, From ba02f21e9400eedf8592233f7976139861b663eb Mon Sep 17 00:00:00 2001 From: Till Maas Date: Fri, 10 Aug 2018 18:11:31 +0200 Subject: [PATCH 071/289] Use https for MBS Signed-off-by: Till Maas --- roles/mbs/common/templates/config.py | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) 
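Review bot: `{ssl_cert_login_from, common_name}` turns the client certificate's CN into the RabbitMQ username, so from this commit on any certificate issued by the CA in `/etc/rabbitmq/ca.crt` is a login credential for the user named in its CN, provided such a user exists. That is only safe when the same `ssl_options` list also carries `{verify, verify_peer}` and `{fail_if_no_peer_cert, true}` (the rest of the list is outside the hunk) and when that CA issues certificates for broker clients only; a comment next to the new line, e.g. `%% CN == username: the CA must be the broker-only CA and verify_peer must stay on`, would state that requirement. Enabling `rabbitmq_auth_mechanism_ssl` in the preceding enabled_plugins hunk does not by itself offer EXTERNAL to clients; `auth_mechanisms` needs to list `'EXTERNAL'` somewhere in this config, which is not visible here.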
diff --git a/roles/mbs/common/templates/config.py b/roles/mbs/common/templates/config.py index 61c23601fa..90e099e3fb 100644 --- a/roles/mbs/common/templates/config.py +++ b/roles/mbs/common/templates/config.py @@ -35,7 +35,7 @@ class BaseConfiguration(object): PDC_URL = 'http://modularity.fedorainfracloud.org:8080/rest_api/v1' PDC_INSECURE = True PDC_DEVELOP = True - SCMURLS = ["git://pkgs.stg.fedoraproject.org/modules/"] + SCMURLS = ["git+https://src.fedoraproject.org/modules/"] # How often should we resort to polling, in seconds # Set to zero to disable polling @@ -48,12 +48,12 @@ class BaseConfiguration(object): # Old name https://pagure.io/fm-orchestrator/issue/574 NUM_CONSECUTIVE_BUILDS = 5 - RPMS_DEFAULT_REPOSITORY = 'git://pkgs.fedoraproject.org/rpms/' + RPMS_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/rpms/' RPMS_ALLOW_REPOSITORY = False - RPMS_DEFAULT_CACHE = 'http://pkgs.fedoraproject.org/repo/pkgs/' + RPMS_DEFAULT_CACHE = 'https://src.fedoraproject.org/repo/pkgs/' RPMS_ALLOW_CACHE = False - MODULES_DEFAULT_REPOSITORY = 'git://pkgs.fedoraproject.org/modules/' + MODULES_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/modules/' MODULES_ALLOW_REPOSITORY = False # Available backends are: console, file, journal. @@ -135,11 +135,10 @@ class ProdConfiguration(BaseConfiguration): {% if env == 'staging' %} KOJI_PROFILE = 'staging' KOJI_ARCHES = ['x86_64', 'i686'] - KOJI_REPOSITORY_URL = 'http://kojipkgs.stg.fedoraproject.org/repos' + KOJI_REPOSITORY_URL = 'https://kojipkgs.stg.fedoraproject.org/repos' MESSAGING_TOPIC_PREFIX = ['org.fedoraproject.stg'] PDC_URL = 'https://pdc.stg.fedoraproject.org/rest_api/v1' - SCMURLS = ['git://pkgs.stg.fedoraproject.org/modules/', - 'git+https://src.stg.fedoraproject.org/modules/', + SCMURLS = ['git+https://src.stg.fedoraproject.org/modules/', 'https://src.stg.fedoraproject.org/modules/', 'https://src.stg.fedoraproject.org/git/modules/'] 
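Review bot: `PDC_URL = 'http://modularity.fedorainfracloud.org:8080/rest_api/v1'` together with `PDC_INSECURE = True` remains in `BaseConfiguration` as context, and while the staging hunk here and the production hunk that follows override `PDC_URL` with https, no override of `PDC_INSECURE` is visible; if it stays `True` the PDC client still skips certificate verification and the https switch buys little there. Either add `PDC_INSECURE = False` to the Prod/Staging branches or add a comment explaining why verification stays off. The remaining `SCMURLS` entries `https://src.stg.fedoraproject.org/modules/` and `.../git/modules/` differ from the new `git+https://` entry only in scheme; a short comment on whether MBS treats them identically would help, since the list now mixes both spellings. The class bodies extend beyond the hunks.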
@@ -151,11 +150,10 @@ class ProdConfiguration(BaseConfiguration): # https://fedoraproject.org/wiki/Changes/DiscontinuePPC64 'platform:f28': ['aarch64', 'armv7hl', 'i686', 'ppc64', 'ppc64le', 'x86_64', 's390x'], } - KOJI_REPOSITORY_URL = 'http://kojipkgs.fedoraproject.org/repos' + KOJI_REPOSITORY_URL = 'https://kojipkgs.fedoraproject.org/repos' MESSAGING_TOPIC_PREFIX = ['org.fedoraproject.prod'] PDC_URL = 'https://pdc.fedoraproject.org/rest_api/v1' - SCMURLS = ['git://pkgs.fedoraproject.org/modules/', - 'git+https://src.fedoraproject.org/modules/', + SCMURLS = ['git+https://src.fedoraproject.org/modules/', 'https://src.fedoraproject.org/modules/', 'https://src.fedoraproject.org/git/modules/'] {% endif %} From 0ec398946d6cc849854c89b380388eca5bd79a52 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 22 May 2018 14:41:39 +0000 Subject: [PATCH 072/289] Move db-koji01.stg to Fedora 28 --- inventory/host_vars/db-koji01.stg.phx2.fedoraproject.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/db-koji01.stg.phx2.fedoraproject.org b/inventory/host_vars/db-koji01.stg.phx2.fedoraproject.org index 96d287f38e..e22412338d 100644 --- a/inventory/host_vars/db-koji01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/db-koji01.stg.phx2.fedoraproject.org @@ -7,8 +7,8 @@ eth0_ip: 10.5.128.98 vmhost: bvirthost01.stg.phx2.fedoraproject.org datacenter: phx2 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ # This is a generic list, monitored by collectd databases: From 5a18a91ae385ef3b224114cc2f365447d78ba190 Mon Sep 17 00:00:00 2001 
From: Mikolaj Izdebski Date: Fri, 17 Aug 2018 16:28:58 +0000 Subject: [PATCH 073/289] Fix a typo in hosts spec --- playbooks/groups/postgresql-server.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/postgresql-server.yml b/playbooks/groups/postgresql-server.yml index 8d6cb1fe50..a9f2abbeaa 100644 --- a/playbooks/groups/postgresql-server.yml +++ b/playbooks/groups/postgresql-server.yml @@ -7,7 +7,7 @@ # Once the instance exists, configure it. - name: configure postgresql server system - hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.or:db-qa03.qa.fedoraproject.org + hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.org:db-qa03.qa.fedoraproject.org user: root gather_facts: True From 4598a008b52c56f47adcb960657d6dc16432d108 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Fri, 17 Aug 2018 20:01:33 +0000 Subject: [PATCH 074/289] and now we see if we can make magic --- roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org index 5fcd4f25b1..a081618aac 100644 --- a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org +++ b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org 
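Review bot: The fix is needed only because `hosts:` is one colon-joined pattern of ten FQDNs; a pattern that matches nothing, like the old `db-koji01.stg.phx2.fedoraproject.or`, produces merely a "could not match supplied host pattern" warning rather than a failure, which is how the typo went unnoticed. Putting these hosts in an inventory group and writing `hosts: <group-name>`, or at least listing them one per line in a YAML block list, would make the next typo visible in a diff and simpler to spot. The hunk shows only the `hosts:` line; the rest of the play is outside it.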
@@ -82,7 +82,7 @@ subnet 10.5.125.0 netmask 255.255.255.0 { fixed-address 10.5.125.82; option host-name "bkernel04"; next-server 10.5.126.41; - filename "pxelinux.0"; + filename "uefi/bootx64.efi"; } host bvirthost01 { From 7797e5ba42056a97d140d9f75d34c0589af6b816 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 18 Aug 2018 00:32:25 +0000 Subject: [PATCH 075/289] Add bkernel04 as builder Signed-off-by: Patrick Uiterwijk --- inventory/builders | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/builders b/inventory/builders index 5454374819..ef0ef43106 100644 --- a/inventory/builders +++ b/inventory/builders @@ -235,6 +235,7 @@ buildvm-ppc64le-19.ppc.fedoraproject.org bkernel01.phx2.fedoraproject.org bkernel02.phx2.fedoraproject.org bkernel03.phx2.fedoraproject.org +bkernel04.phx2.fedoraproject.org # # These are misc From b8ce5b232d84e095efad466f21899906a2a0da33 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 18 Aug 2018 11:34:23 +0000 Subject: [PATCH 076/289] Update sigul config Signed-off-by: Patrick Uiterwijk --- roles/sigul/bridge/files/koji-arm.conf | 22 --------------------- roles/sigul/bridge/files/koji-ppc.conf | 22 --------------------- roles/sigul/bridge/files/koji-s390.conf | 22 --------------------- roles/sigul/bridge/templates/bridge.conf.j2 | 13 ------------ roles/sigul/server/templates/server.conf.j2 | 9 ++------- 5 files changed, 2 insertions(+), 86 deletions(-) delete mode 100644 roles/sigul/bridge/files/koji-arm.conf delete mode 100644 roles/sigul/bridge/files/koji-ppc.conf delete mode 100644 roles/sigul/bridge/files/koji-s390.conf diff --git a/roles/sigul/bridge/files/koji-arm.conf b/roles/sigul/bridge/files/koji-arm.conf deleted file mode 100644 index 2341f04c82..0000000000 --- a/roles/sigul/bridge/files/koji-arm.conf +++ /dev/null 
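Review bot: bkernel04 now gets `filename "uefi/bootx64.efi"` while the commit message ("and now we see if we can make magic") does not say the host is UEFI-only, and the other host entries' `filename` lines are outside the hunk; a comment on the host block such as `# bkernel04 boots via UEFI (shim path), not pxelinux` would stop the next reader from reverting it. Whether `uefi/bootx64.efi` on `next-server 10.5.126.41` is the signed shim expected if Secure Boot is enabled on this box is not visible here and worth confirming in the tftp tree.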
@@ -1,22 +0,0 @@ -[koji] -realm = FEDORAPROJECT.ORG - -;configuration for koji cli tool - -;url of XMLRPC server -server = https://arm.koji.fedoraproject.org/kojihub - -;url of web interface -weburl = https://arm.koji.fedoraproject.org/koji - -;url of package download site -topurl = https://armpkgs.fedoraproject.org/ - -;path to the koji top directory -;topdir = /mnt/koji -serverca = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem - -authtype = kerberos -principal = sigul/secondary-bridge01.phx2.fedoraproject.org@FEDORAPROJECT.ORG -keytab = /etc/krb5.sigul_secondary-bridge01.phx2.fedoraproject.org.keytab -krb_rdns = false diff --git a/roles/sigul/bridge/files/koji-ppc.conf b/roles/sigul/bridge/files/koji-ppc.conf deleted file mode 100644 index 1c5ac6d458..0000000000 --- a/roles/sigul/bridge/files/koji-ppc.conf +++ /dev/null @@ -1,22 +0,0 @@ -[koji] -realm = FEDORAPROJECT.ORG - -;configuration for koji cli tool - -;url of XMLRPC server -server = https://ppc.koji.fedoraproject.org/kojihub - -;url of web interface -weburl = https://ppc.koji.fedoraproject.org/koji - -;url of package download site -topurl = https://ppc.koji.fedoraproject.org/ - -;path to the koji top directory -;topdir = /mnt/koji -serverca = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem - -authtype = kerberos -principal = sigul/secondary-bridge01.phx2.fedoraproject.org@FEDORAPROJECT.ORG -keytab = /etc/krb5.sigul_secondary-bridge01.phx2.fedoraproject.org.keytab -krb_rdns = false diff --git a/roles/sigul/bridge/files/koji-s390.conf b/roles/sigul/bridge/files/koji-s390.conf deleted file mode 100644 index d96564d864..0000000000 --- a/roles/sigul/bridge/files/koji-s390.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -[koji] -realm = FEDORAPROJECT.ORG - -;configuration for koji cli tool - -;url of XMLRPC server -server = https://s390.koji.fedoraproject.org/kojihub - -;url of web interface -weburl = https://s390.koji.fedoraproject.org/koji - -;url of package download site -topurl = https://s390pkgs.fedoraproject.org/ - -;path to the koji top directory -;topdir = /mnt/koji -serverca = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem - -authtype = kerberos -principal = sigul/secondary-bridge01.phx2.fedoraproject.org@FEDORAPROJECT.ORG -keytab = /etc/krb5.sigul_secondary-bridge01.phx2.fedoraproject.org.keytab -krb_rdns = false diff --git a/roles/sigul/bridge/templates/bridge.conf.j2 b/roles/sigul/bridge/templates/bridge.conf.j2 index 4912be5320..26afa9ef52 100644 --- a/roles/sigul/bridge/templates/bridge.conf.j2 +++ b/roles/sigul/bridge/templates/bridge.conf.j2 @@ -2,13 +2,7 @@ # [bridge] # Nickname of the bridge's certificate in the NSS database specified below -{% if env == "staging" %} bridge-cert-nickname: sigul-bridge-cert -{% elif inventory_hostname.startswith('sign') %} -bridge-cert-nickname: sign-bridge1 - Fedora Project -{% else %} -bridge-cert-nickname: secondary-signer - Fedora Project -{% endif %} # Maximum accepted total size of all RPM payloads stored on disk for one request max-rpms-payload-size: 70737418240 @@ -27,16 +21,9 @@ fas-password: {{ fedoraDummyUserPassword }} {% endif %} [koji] -{% if inventory_hostname.startswith('sign') %} koji-instances: primary koji-config-primary: /etc/koji-primary.conf koji-config: /etc/koji-primary.conf -{% else %} -koji-instances: ppc s390 arm -koji-config-ppc: /etc/koji-ppc.conf -koji-config-s390: /etc/koji-s390.conf -koji-config-arm: /etc/koji-arm.conf -{% endif %} [daemon] # The user to run as diff --git a/roles/sigul/server/templates/server.conf.j2 b/roles/sigul/server/templates/server.conf.j2 index f642ebc402..fc2ce8ff6e 100644 --- a/roles/sigul/server/templates/server.conf.j2 
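Review bot: Removing the `{% if env == "staging" %}` branch makes `bridge-cert-nickname: sigul-bridge-cert` and `koji-instances: primary` unconditional, so a staging bridge (the role's "Setup primary stg koji config file" task, still present later on this page, suggests one exists) now renders with the same nickname as production — and the follow-up commit on this page then changes that nickname to the production FQDN `sign-bridge.phx2.fedoraproject.org`, which presumably will not match a staging bridge certificate. Either keep an `env == "staging"` branch for the nickname or document that staging shares the name. A header comment such as `# Single primary bridge; the secondary (arm/ppc/s390) signers were retired` would also explain the deleted koji-arm/ppc/s390 entries, which the title "Update sigul config" does not. The server.conf.j2 hunk that follows removes its `startswith('sign')` branch in the same way and has the same staging question.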
+++ b/roles/sigul/server/templates/server.conf.j2 @@ -3,13 +3,8 @@ [server] # Host name of the publically acessible bridge to clients -{% if inventory_hostname.startswith('sign') %} -bridge-hostname: sign-bridge1 -server-cert-nickname: sign-vault1 - Fedora Project -{% else %} -bridge-hostname: secondary-signer -server-cert-nickname: secondary-signer-server -{% endif %} +bridge-hostname: sign-bridge.phx2.fedoraproject.org +server-cert-nickname: sigul-vault-cert # Port on which the bridge expects server connections bridge-port: 44333 From 1b30f96241fd0323f672489d787713fcc4db49e9 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 18 Aug 2018 11:51:14 +0000 Subject: [PATCH 077/289] Update sigul config for robosignatory Signed-off-by: Patrick Uiterwijk --- roles/robosignatory/files/sigul.production.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/robosignatory/files/sigul.production.conf b/roles/robosignatory/files/sigul.production.conf index 6524668d2b..66024b5905 100644 --- a/roles/robosignatory/files/sigul.production.conf +++ b/roles/robosignatory/files/sigul.production.conf @@ -1,6 +1,6 @@ [client] -bridge-hostname: sign-bridge1 -server-hostname: sign-vault1 +bridge-hostname: sign-bridge.phx2.fedoraproject.org +server-hostname: sign-vault.phx2.fedoraproject.org client-cert-nickname: sigul-client-cert user-name: autopen From 14ff13518a85883f1735bee6ffb1987cce364ab6 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 18 Aug 2018 12:04:12 +0000 Subject: [PATCH 078/289] Change cert nickname Signed-off-by: Patrick Uiterwijk --- roles/robosignatory/files/sigul.production.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/robosignatory/files/sigul.production.conf b/roles/robosignatory/files/sigul.production.conf index 66024b5905..6b4865e079 100644 --- a/roles/robosignatory/files/sigul.production.conf +++ b/roles/robosignatory/files/sigul.production.conf 
@@ -1,7 +1,7 @@ [client] bridge-hostname: sign-bridge.phx2.fedoraproject.org server-hostname: sign-vault.phx2.fedoraproject.org -client-cert-nickname: sigul-client-cert +client-cert-nickname: autopen user-name: autopen [koji] From f1c8ecc125d2a597d7b2675acb68c33ea1c45da3 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 18 Aug 2018 12:25:55 +0000 Subject: [PATCH 079/289] Add sigul tags Signed-off-by: Patrick Uiterwijk --- roles/sigul/bridge/tasks/main.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/roles/sigul/bridge/tasks/main.yml b/roles/sigul/bridge/tasks/main.yml index 57fb7b2e64..632d0c889a 100644 --- a/roles/sigul/bridge/tasks/main.yml +++ b/roles/sigul/bridge/tasks/main.yml @@ -2,25 +2,27 @@ package: state=present name=sigul-bridge tags: - packages + - sigul + - sigul/bridge - name: Setup sigul bridge.conf template: src=bridge.conf.j2 dest=/etc/sigul/bridge.conf owner=sigul group=sigul mode=0640 tags: - config + - sigul + - sigul/bridge - name: Setup primary koji config file template: src=koji-primary.conf.j2 dest=/etc/koji-primary.conf owner=root group=root mode=644 when: inventory_hostname.startswith('sign') and env == "production" + tags: + - sigul + - sigul/bridge - name: Setup primary stg koji config file copy: src=koji-primary.stg.conf dest=/etc/koji-primary.conf owner=root group=root mode=644 when: inventory_hostname.startswith('sign') and env == "staging" - -- name: Setup secondary koji config files - copy: src={{ item }} dest=/etc/{{ item }} owner=root group=root mode=644 - with_items: - - koji-arm.conf - - koji-ppc.conf - - koji-s390.conf - when: inventory_hostname.startswith('secondary') + tags: + - sigul + - sigul/bridge From 6ac30e264ec3594533d46f601f3dd81b3d6c12a5 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 18 Aug 2018 12:26:58 +0000 Subject: [PATCH 080/289] Add new sigul node names 
Signed-off-by: Patrick Uiterwijk --- roles/hosts/files/sign-hosts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/hosts/files/sign-hosts b/roles/hosts/files/sign-hosts index 40bbd15766..d00369967c 100644 --- a/roles/hosts/files/sign-hosts +++ b/roles/hosts/files/sign-hosts @@ -4,8 +4,8 @@ # # Here for historical reasons due to cert names. # -10.5.125.75 sign-vault1 -10.5.125.71 sign-bridge1 +10.5.125.75 sign-vault1 sign-vault.phx2.fedoraproject.org +10.5.125.71 sign-bridge1 sign-bridge.phx2.fedoraproject.org # # Need to be able to talk to various kojis # From de90a8214c42351fa3b85907802f1b4153996459 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 18 Aug 2018 12:30:59 +0000 Subject: [PATCH 081/289] Update cert nickname Signed-off-by: Patrick Uiterwijk --- roles/sigul/bridge/templates/bridge.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/sigul/bridge/templates/bridge.conf.j2 b/roles/sigul/bridge/templates/bridge.conf.j2 index 26afa9ef52..ce561a71ec 100644 --- a/roles/sigul/bridge/templates/bridge.conf.j2 +++ b/roles/sigul/bridge/templates/bridge.conf.j2 @@ -2,7 +2,7 @@ # [bridge] # Nickname of the bridge's certificate in the NSS database specified below -bridge-cert-nickname: sigul-bridge-cert +bridge-cert-nickname: sign-bridge.phx2.fedoraproject.org # Maximum accepted total size of all RPM payloads stored on disk for one request max-rpms-payload-size: 70737418240 From 2e5f34cc03ccf4422be5b8cb07e1de18016db10f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 18 Aug 2018 20:29:28 +0000 Subject: [PATCH 082/289] re-enable this to see where it failed and fix it --- roles/manage-container-images/tasks/main.yml | 52 ++++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/roles/manage-container-images/tasks/main.yml b/roles/manage-container-images/tasks/main.yml index 069ef82e0f..a4b0a5fb05 100644 --- a/roles/manage-container-images/tasks/main.yml 
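Review bot: The header comment `# Here for historical reasons due to cert names.` no longer explains what is on the two changed lines: the short names are the historical part, while the appended `sign-vault.phx2.fedoraproject.org` and `sign-bridge.phx2.fedoraproject.org` are what the updated sigul client and bridge configs in this series now connect to, and the following commit makes the bridge cert nickname that FQDN as well. Extending it to `# Short names kept for the old cert names; FQDNs added so the sigul configs resolve them locally.` records that both sets are load-bearing and neither can be dropped without touching the sigul configs.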
+++ b/roles/manage-container-images/tasks/main.yml @@ -1,29 +1,29 @@ --- # tasks file for push-docker # -#- name: install necessary packages -# package: -# name: "{{item}}" -# state: present -# with_items: -# - skopeo -# -#- name: ensure cert dir exists -# file: -# path: "{{cert_dest_dir}}" -# state: directory -# -#- name: install docker client cert for registry -# copy: -# src: "{{cert_src}}" -# dest: "{{cert_dest_dir}}/client.cert" -# owner: root -# group: "{{ certs_group }}" -# mode: 0640 -# -#- name: install docker client key for registry -# copy: -# src: "{{key_src}}" -# dest: "{{cert_dest_dir}}/client.key" -# group: "{{ certs_group }}" -# mode: 0640 +- name: install necessary packages + package: + name: "{{item}}" + state: present + with_items: + - skopeo + +- name: ensure cert dir exists + file: + path: "{{cert_dest_dir}}" + state: directory + +- name: install docker client cert for registry + copy: + src: "{{cert_src}}" + dest: "{{cert_dest_dir}}/client.cert" + owner: root + group: "{{ certs_group }}" + mode: 0640 + +- name: install docker client key for registry + copy: + src: "{{key_src}}" + dest: "{{cert_dest_dir}}/client.key" + group: "{{ certs_group }}" + mode: 0640 From cca1124b47c98495ab2a86233e765827c0dce320 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Sun, 19 Aug 2018 21:22:51 +0000 Subject: [PATCH 083/289] wrong wrong wrong wrong --- inventory/host_vars/bkernel03.phx2.fedoraproject.org | 2 +- inventory/host_vars/bkernel04.phx2.fedoraproject.org | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/bkernel03.phx2.fedoraproject.org b/inventory/host_vars/bkernel03.phx2.fedoraproject.org index 963a4e7581..65fefce9ab 100644 --- a/inventory/host_vars/bkernel03.phx2.fedoraproject.org +++ b/inventory/host_vars/bkernel03.phx2.fedoraproject.org @@ -1,4 +1,4 @@ --- gw: 10.5.125.254 eth0_ip: 10.5.125.81 -eth1_ip: 10.5.127.133 +eth1_ip: 10.5.127.129 
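Review bot: The re-enabled `install docker client key for registry` task sets `group` and `mode` but, unlike the cert task directly above it, no `owner: root`, so the private key ends up owned by whatever the module defaults to on that host; add `owner: root` so the two tasks agree and the key's ownership is explicit. `mode: 0640` works only because an unquoted leading-zero literal is parsed as octal under YAML 1.1; `mode: "0640"` is the form Ansible documents and survives reformatting tools that might normalise the number. The `with_items` loop over a single `skopeo` entry can simply be `name: skopeo`.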
diff --git a/inventory/host_vars/bkernel04.phx2.fedoraproject.org b/inventory/host_vars/bkernel04.phx2.fedoraproject.org index ae72e8530b..1c0fb8dc01 100644 --- a/inventory/host_vars/bkernel04.phx2.fedoraproject.org +++ b/inventory/host_vars/bkernel04.phx2.fedoraproject.org @@ -1,4 +1,4 @@ --- gw: 10.5.125.254 eth0_ip: 10.5.125.82 -eth1_ip: 10.5.127.134 +eth1_ip: 10.5.127.144 From 0b476a1bc64a63e96082b7838dd890983df4f4e1 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Mon, 20 Aug 2018 08:46:25 +0200 Subject: [PATCH 084/289] Switch osbs atomic-reactor prod to python3 Signed-off-by: Clement Verna --- files/osbs/buildroot-Dockerfile-production.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/files/osbs/buildroot-Dockerfile-production.j2 b/files/osbs/buildroot-Dockerfile-production.j2 index b577681fc4..135e4a5581 100644 --- a/files/osbs/buildroot-Dockerfile-production.j2 +++ b/files/osbs/buildroot-Dockerfile-production.j2 
@@ -1,8 +1,8 @@ FROM registry.fedoraproject.org/fedora ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo -RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\ - python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\ - libmodulemd python2-gobject python3-gobject python2-modulemd python3-modulemd python2-pdc-client python3-pdc-client ostree flatpak skopeo +RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-setuptools e2fsprogs koji osbs-client\ + python3-osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man python3-productmd\ + libmodulemd python3-gobject python3-modulemd python3-pdc-client ostree flatpak skopeo && dnf clean all ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json ADD ./worker_customize.json /usr/share/osbs/worker_customize.json ADD ./krb5.conf /etc @@ -10,4 +10,4 @@ RUN printf '[libdefaults]\n default_ccache_name = DIR:/tmp/ccache_%%{uid}' >/etc ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/ ADD ./ca.crt /etc/pki/ca-trust/source/anchors/osbs.ca.crt RUN update-ca-trust -CMD ["python2", "/usr/bin/atomic-reactor", "--verbose", "inside-build"] \ No newline at end of file +CMD ["python3", "/usr/bin/atomic-reactor", "--verbose", "inside-build"] From bfd549c917a79c5e1a26c4bc205c78da99204566 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Mon, 20 Aug 2018 08:47:17 +0200 Subject: [PATCH 085/289] Enable osbs flatpak plugin in prod Signed-off-by: Clement Verna --- files/osbs/orchestrator_customize.json | 10 ++-------- files/osbs/worker_customize.json | 10 ++-------- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/files/osbs/orchestrator_customize.json b/files/osbs/orchestrator_customize.json index e8a69077dd..4726511b94 100644 
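Review bot: The rewritten `dnf -y install` line keeps the wildcard `python3-atomic-reactor*`, so the set of packages that lands in the buildroot depends on whatever matches that prefix in the enabled repos at build time, and neither `atomic-reactor` nor `osbs-client` is pinned; for the image that orchestrates other builds, listing the exact subpackage names (and a version where the repo allows it) makes the result reproducible and reviewable. The `FROM registry.fedoraproject.org/fedora` context line carries no tag either, which predates this change but compounds the drift.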
--- a/files/osbs/orchestrator_customize.json +++ b/files/osbs/orchestrator_customize.json @@ -3,13 +3,7 @@ { "plugin_type": "exit_plugins", "plugin_name": "import_image" - }, - { - "plugin_type": "prebuild_plugins", - "plugin_name": "flatpak_create_dockerfile" } ], - - "enable_plugins": [ - ] -} \ No newline at end of file + "enable_plugins": [] +} diff --git a/files/osbs/worker_customize.json b/files/osbs/worker_customize.json index 5acab8544d..e47abdc18e 100644 --- a/files/osbs/worker_customize.json +++ b/files/osbs/worker_customize.json @@ -3,13 +3,7 @@ { "plugin_type": "prebuild_plugins", "plugin_name": "fetch_maven_artifacts" - }, - { - "plugin_type": "prebuild_plugins", - "plugin_name": "flatpak_create_dockerfile" } ], - - "enable_plugins": [ - ] -} \ No newline at end of file + "enable_plugins": [] +} From 87a5dd0bd6754a33171a5f5f5bc3d29c138257c4 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Mon, 20 Aug 2018 09:18:18 +0200 Subject: [PATCH 086/289] Clean the buildroot dockerfile Signed-off-by: Clement Verna --- files/osbs/buildroot-Dockerfile-production.j2 | 3 +-- files/osbs/buildroot-Dockerfile-staging.j2 | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/files/osbs/buildroot-Dockerfile-production.j2 b/files/osbs/buildroot-Dockerfile-production.j2 index 135e4a5581..54208240b0 100644 --- a/files/osbs/buildroot-Dockerfile-production.j2 +++ b/files/osbs/buildroot-Dockerfile-production.j2 
@@ -1,8 +1,7 @@ FROM registry.fedoraproject.org/fedora -ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-setuptools e2fsprogs koji osbs-client\ python3-osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man python3-productmd\ - libmodulemd python3-gobject python3-modulemd python3-pdc-client ostree flatpak skopeo && dnf clean all + python3-gobject python3-modulemd python3-pdc-client ostree flatpak skopeo && dnf clean all ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json ADD ./worker_customize.json /usr/share/osbs/worker_customize.json ADD ./krb5.conf /etc diff --git a/files/osbs/buildroot-Dockerfile-staging.j2 b/files/osbs/buildroot-Dockerfile-staging.j2 index 135e4a5581..54208240b0 100644 --- a/files/osbs/buildroot-Dockerfile-staging.j2 +++ b/files/osbs/buildroot-Dockerfile-staging.j2 @@ -1,8 +1,7 @@ FROM registry.fedoraproject.org/fedora -ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-setuptools e2fsprogs koji osbs-client\ python3-osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man python3-productmd\ - libmodulemd python3-gobject python3-modulemd python3-pdc-client ostree flatpak skopeo && dnf clean all + python3-gobject python3-modulemd python3-pdc-client ostree flatpak skopeo && dnf clean all ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json ADD ./worker_customize.json /usr/share/osbs/worker_customize.json ADD ./krb5.conf /etc From 68a91cec377a1a2e18f1ce391329303665d6def2 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Mon, 20 Aug 2018 09:39:56 +0200 Subject: [PATCH 087/289] Add missing flatpak-module-tools dependency 
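Review bot: `buildroot-Dockerfile-production.j2` and `buildroot-Dockerfile-staging.j2` are byte-identical (both hunks show the same blob ids `135e4a5581..54208240b0`), and this commit and the next one, "Add missing flatpak-module-tools dependency", each have to patch both in lockstep; collapsing them into one template, parameterised on `env` only where the two ever need to differ, removes the drift risk. Dropping `ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo` also means every package on the install line must now come from the base image's repos, so if any of them was only published in infra-tags the build starts failing, which is worth confirming before this reaches production.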
Signed-off-by: Clement Verna --- files/osbs/buildroot-Dockerfile-production.j2 | 2 +- files/osbs/buildroot-Dockerfile-staging.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/files/osbs/buildroot-Dockerfile-production.j2 b/files/osbs/buildroot-Dockerfile-production.j2 index 54208240b0..988a18068a 100644 --- a/files/osbs/buildroot-Dockerfile-production.j2 +++ b/files/osbs/buildroot-Dockerfile-production.j2 @@ -1,7 +1,7 @@ FROM registry.fedoraproject.org/fedora RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-setuptools e2fsprogs koji osbs-client\ python3-osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man python3-productmd\ - python3-gobject python3-modulemd python3-pdc-client ostree flatpak skopeo && dnf clean all + python3-gobject python3-modulemd python3-pdc-client ostree flatpak-module-tools flatpak skopeo && dnf clean all ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json ADD ./worker_customize.json /usr/share/osbs/worker_customize.json ADD ./krb5.conf /etc diff --git a/files/osbs/buildroot-Dockerfile-staging.j2 b/files/osbs/buildroot-Dockerfile-staging.j2 index 54208240b0..988a18068a 100644 --- a/files/osbs/buildroot-Dockerfile-staging.j2 +++ b/files/osbs/buildroot-Dockerfile-staging.j2 
@@ -1,7 +1,7 @@ FROM registry.fedoraproject.org/fedora RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-setuptools e2fsprogs koji osbs-client\ python3-osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man python3-productmd\ - python3-gobject python3-modulemd python3-pdc-client ostree flatpak skopeo && dnf clean all + python3-gobject python3-modulemd python3-pdc-client ostree flatpak-module-tools flatpak skopeo && dnf clean all ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json ADD ./worker_customize.json /usr/share/osbs/worker_customize.json ADD ./krb5.conf /etc From ec78eae155d9b736caa862526c4b15b53c5fac34 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Mon, 20 Aug 2018 11:19:59 +0200 Subject: [PATCH 088/289] Enable ODCS in production OSBS Signed-off-by: Clement Verna --- inventory/group_vars/osbs-masters | 2 +- playbooks/groups/osbs-cluster.yml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/inventory/group_vars/osbs-masters b/inventory/group_vars/osbs-masters index 74baed899b..ad44511010 100644 --- a/inventory/group_vars/osbs-masters +++ b/inventory/group_vars/osbs-masters @@ -132,7 +132,7 @@ _osbs_reactor_config_map: required_secrets: - kojisecret - v2-registry-dockercfg - # - odcs-oidc-secret + - odcs-oidc-secret worker_token_secrets: - x86-64-orchestrator diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index b7ffd2dd50..dc88e66ac8 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -372,7 +372,6 @@ osbs_secret_files: - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token" dest: token - when: env == "staging" tags: - osbs-worker-namespace @@ -446,7 +445,6 @@ osbs_secret_files: - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token" dest: token - when: env == "staging" tags: - osbs-orchestrator-namespace 
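Review bot: Removing `when: env == "staging"` from both `odcs-oidc-token` secret entries (this `osbs-worker-namespace` hunk and the `osbs-orchestrator-namespace` hunk that follows) means the play now reads `{{ private }}/files/osbs/{{ env }}/odcs-oidc-token` for production as well, so that file has to exist in the private repo before this runs or the task fails on every production master. The newly uncommented `- odcs-oidc-secret` in `required_secrets` on osbs-masters appears to apply regardless of environment, so the two changes need to go out together. A comment on the secret entry stating that the token is per-environment and lives in the private repo would help whoever adds the next environment.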
From e86477ae608948cce4799e97c8d9c088f37a76cd Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 20 Aug 2018 11:49:54 +0000 Subject: [PATCH 089/289] Terminate eclipse cloud instance, #7171 --- inventory/cloud | 1 - .../host_vars/eclipse.fedorainfracloud.org | 18 ---------- inventory/inventory | 2 -- .../hosts/eclipse.fedorainfracloud.org.yml | 35 ------------------- 4 files changed, 56 deletions(-) delete mode 100644 inventory/host_vars/eclipse.fedorainfracloud.org delete mode 100644 playbooks/hosts/eclipse.fedorainfracloud.org.yml diff --git a/inventory/cloud b/inventory/cloud index 04e09200ba..87b642f0d5 100644 --- a/inventory/cloud +++ b/inventory/cloud @@ -17,7 +17,6 @@ copr-fe-dev.cloud.fedoraproject.org copr-keygen.cloud.fedoraproject.org copr-keygen-dev.cloud.fedoraproject.org developer.fedorainfracloud.org -eclipse.fedorainfracloud.org elastic-dev.fedorainfracloud.org el6-test.fedorainfracloud.org el7-test.fedorainfracloud.org diff --git a/inventory/host_vars/eclipse.fedorainfracloud.org b/inventory/host_vars/eclipse.fedorainfracloud.org deleted file mode 100644 index 7ffc7ff6ca..0000000000 --- a/inventory/host_vars/eclipse.fedorainfracloud.org +++ /dev/null @@ -1,18 +0,0 @@ ---- -image: "{{ fedora23_x86_64 }}" -instance_type: m1.small -keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent -zone: nova -tcp_ports: [22, 80, 443] - -inventory_tenant: persistent -inventory_instance_name: eclipse -hostbase: eclipse -public_ip: 209.132.184.121 -root_auth_users: mbooth sopotc akurtakov -description: eclipse help for fedora eclipse addons - -cloud_networks: - # persistent-net - - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f" diff --git a/inventory/inventory b/inventory/inventory index 287728a1c2..843b832a39 100644 --- a/inventory/inventory +++ b/inventory/inventory 
@@ -1215,8 +1215,6 @@ java-deptools.fedorainfracloud.org developer.fedorainfracloud.org # fedimg-dev development instance fedimg-dev.fedorainfracloud.org -# eclipse help center - ticket 5293 -eclipse.fedorainfracloud.org # iddev iddev.fedorainfracloud.org # commops - ticket 5380 diff --git a/playbooks/hosts/eclipse.fedorainfracloud.org.yml b/playbooks/hosts/eclipse.fedorainfracloud.org.yml deleted file mode 100644 index a6213b3bcd..0000000000 --- a/playbooks/hosts/eclipse.fedorainfracloud.org.yml +++ /dev/null @@ -1,35 +0,0 @@ -- name: check/create instance - hosts: eclipse.fedorainfracloud.org - gather_facts: False - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/web/infra/ansible/vars/fedora-cloud.yml - - /srv/private/ansible/files/openstack/passwords.yml - - tasks: - - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" - - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" - -- name: setup all the things - hosts: eclipse.fedorainfracloud.org - gather_facts: True - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - pre_tasks: - - import_tasks: "{{ tasks_path }}/yumrepos.yml" - - roles: - - basessh - - tasks: - - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml" - - name: set hostname (required by some services, at least postfix need it) - hostname: name="{{inventory_hostname}}" From dc91cba211f64b4fb497475eeae80a5963fbb858 Mon Sep 17 00:00:00 2001 From: Michael Scherer Date: Mon, 20 Aug 2018 15:21:39 +0200 Subject: [PATCH 090/289] Update the url for the website --- roles/openshift-apps/silverblue/templates/buildconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/openshift-apps/silverblue/templates/buildconfig.yml b/roles/openshift-apps/silverblue/templates/buildconfig.yml index 4d71b2d35d..485ba44ea2 100644 --- a/roles/openshift-apps/silverblue/templates/buildconfig.yml +++ b/roles/openshift-apps/silverblue/templates/buildconfig.yml @@ -12,7 +12,7 @@ spec: source: type: Git git: - uri: https://github.com/teamsilverblue/silverblue-site.git + uri: https://github.com/fedora-silverblue/silverblue-site.git strategy: type: Source sourceStrategy: From 7da76ce369bf965b96eee37ee8bb4301955f309f Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 20 Aug 2018 17:05:29 +0000 Subject: [PATCH 091/289] java-deptools: query Koji for active targets --- roles/java-deptools/files/cron | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/java-deptools/files/cron b/roles/java-deptools/files/cron index 1269f67557..779ac8801b 100644 --- a/roles/java-deptools/files/cron +++ b/roles/java-deptools/files/cron @@ -3,6 +3,6 @@ set -e log=/var/log/java-deptools/backend.log cd /var/lib/java-deptools/repos/ date >$log -java-deptools-repogen f29 f28 f27 &>>$log +java-deptools-repogen $(curl -sXPOST -d 'getBuildTargets' https://koji.fedoraproject.org/kojihub | sed -n 's,^\(f[2-9][0-9]\)$,\1,;T;p' | sort -ru) &>>$log date >>$log echo 'Repo regeneration successful' >>$log From dcc9aa15d21ef114e804dbcd5b8eb87ae1ec2607 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 20 Aug 2018 17:33:42 +0000 Subject: [PATCH 092/289] Use a date pipe lookup, since sometime ansible_date_Time seems to be undefined... Signed-off-by: Patrick Uiterwijk --- roles/basessh/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml index 424a85d34f..659f45fd61 100644 --- a/roles/basessh/tasks/main.yml +++ b/roles/basessh/tasks/main.yml 
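Review bot: The `uri:` change points the build at a different GitHub organisation, and the hunk shows no `ref:` under `git:`; if none is set outside the hunk, every build tracks the default branch of `fedora-silverblue/silverblue-site`, so any push to that branch goes straight into the deployed site. Pinning `ref:` to a branch the team controls, or to a tag, keeps what gets built explicit and reviewable. The enclosing `spec:` block continues outside the hunk.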
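Review bot: The new `$(curl -sXPOST ... | sed ... | sort -ru)` substitution degrades silently to an empty argument list: `set -e` does not act on a failing command inside a substitution used as an argument, `curl -s` without `-f` hands an HTML error body to sed on HTTP errors (which the regex then discards), and `java-deptools-repogen` is then invoked with no targets at all. Capture the list first and refuse to continue when it is empty: `targets=$(curl -sSf -XPOST -d 'getBuildTargets' https://koji.fedoraproject.org/kojihub | sed -n 's,^\(f[2-9][0-9]\)$,\1,;T;p' | sort -ru)`, then `[ -n "$targets" ] || { echo 'no build targets returned by koji' >>$log; exit 1; }`, then `java-deptools-repogen $targets &>>$log`. Whether repogen with no targets removes existing repos is not visible here, but failing loudly is the safer default either way.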
@@ -133,7 +133,7 @@ set_fact: certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]" with_items: "{{ssh_cert_files.results}}" - when: "item.stat.exists and item.stat.mtime|int < (ansible_date_time.epoch|int - 25920000)" + when: "item.stat.exists and item.stat.mtime|int < (lookup('pipe', 'date date +%s')|int - 25920000)" tags: - basessh - sshd_cert From 350110f7695f400095dbaf718f77021e6fa4e320 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 20 Aug 2018 17:35:01 +0000 Subject: [PATCH 093/289] Only run date once Signed-off-by: Patrick Uiterwijk --- roles/basessh/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml index 659f45fd61..bab30a52d3 100644 --- a/roles/basessh/tasks/main.yml +++ b/roles/basessh/tasks/main.yml @@ -133,7 +133,7 @@ set_fact: certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]" with_items: "{{ssh_cert_files.results}}" - when: "item.stat.exists and item.stat.mtime|int < (lookup('pipe', 'date date +%s')|int - 25920000)" + when: "item.stat.exists and item.stat.mtime|int < (lookup('pipe', 'date +%s')|int - 25920000)" tags: - basessh - sshd_cert From 9bacccb0769af7f20103c73ed7457ba3c31be063 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Aug 2018 20:24:07 +0000 Subject: [PATCH 094/289] try this to see if it works to avoid selinux problems with gluster mount --- roles/odcs/frontend/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/odcs/frontend/tasks/main.yml b/roles/odcs/frontend/tasks/main.yml index 3c061a74ce..391e15f930 100644 --- a/roles/odcs/frontend/tasks/main.yml +++ b/roles/odcs/frontend/tasks/main.yml @@ -24,6 +24,9 @@ mode: 0777 recurse: yes follow: no + seuser: system_u + serole: object_r + setype: fusefs_t tags: - odcs - odcs/frontend From c44bb085a19ab9c4088ab2a70096b8e51eb7f845 Mon Sep 17 00:00:00 2001 
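Review bot: `lookup('pipe', 'date +%s')` is still run on the control host once per entry of `ssh_cert_files.results`, because `when` is re-rendered for every loop item; a `set_fact` before the loop (constructed name `now_epoch: "{{ lookup('pipe', 'date +%s') }}"`) and `when: "item.stat.exists and item.stat.mtime|int < (now_epoch|int - 25920000)"` runs it once and keeps the condition readable. The literal `25920000` also deserves a comment, `# 300 days in seconds`, since the renewal window is the whole point of this check. The enclosing task starts outside the hunk.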
From: Kevin Fenzi Date: Mon, 20 Aug 2018 20:50:32 +0000 Subject: [PATCH 095/289] add fuse.glusterfs to list of special filesystems --- roles/ansible-server/templates/ansible.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-server/templates/ansible.cfg.j2 b/roles/ansible-server/templates/ansible.cfg.j2 index bff0fd5a43..d197372ffe 100644 --- a/roles/ansible-server/templates/ansible.cfg.j2 +++ b/roles/ansible-server/templates/ansible.cfg.j2 @@ -462,7 +462,7 @@ pipelining = True # file systems that require special treatment when dealing with security context # the default behaviour that copies the existing context or uses the user default # needs to be changed to use the file system dependent context. -#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p +special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,fuse.glusterfs # Set this to yes to allow libvirt_lxc connections to work without SELinux. #libvirt_lxc_noseclabel = yes From 72cd3aba209f47d0ef65f4db54afa9b2247a399d Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Aug 2018 20:52:12 +0000 Subject: [PATCH 096/289] Narrator: It did not. Revert "try this to see if it works to avoid selinux problems with gluster mount" This reverts commit 9bacccb0769af7f20103c73ed7457ba3c31be063. --- roles/odcs/frontend/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/odcs/frontend/tasks/main.yml b/roles/odcs/frontend/tasks/main.yml index 391e15f930..3c061a74ce 100644 --- a/roles/odcs/frontend/tasks/main.yml +++ b/roles/odcs/frontend/tasks/main.yml @@ -24,9 +24,6 @@ mode: 0777 recurse: yes follow: no - seuser: system_u - serole: object_r - setype: fusefs_t tags: - odcs - odcs/frontend From d9264225b55d56cc7ce14f7683f521e940148c7a Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 20 Aug 2018 21:01:17 +0000 Subject: [PATCH 097/289] Start with host-specific install config generation 
Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/all | 3 ++ .../virthost01.stg.phx2.fedoraproject.org | 7 +++++ roles/tftp_server/tasks/main.yml | 7 +++++ roles/tftp_server/templates/grubhost.cfg.j2 | 28 +++++++++++++++++++ 4 files changed, 45 insertions(+) create mode 100644 roles/tftp_server/templates/grubhost.cfg.j2 diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 555fb58762..3388e07774 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -45,6 +45,9 @@ custom_rules: [] nat_rules: [] custom6_rules: [] +# defaults for hw installs +install_noc: none + # defaults for virt installs ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7 ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/ diff --git a/inventory/host_vars/virthost01.stg.phx2.fedoraproject.org b/inventory/host_vars/virthost01.stg.phx2.fedoraproject.org index ff86a10d32..89831a9add 100644 --- a/inventory/host_vars/virthost01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/virthost01.stg.phx2.fedoraproject.org @@ -8,3 +8,10 @@ br0_ip: 10.5.128.40 br0_nm: 255.255.255.0 br1_ip: 10.5.127.202 br1_nm: 255.255.255.0 + +install_noc: noc01.phx2.fedoraproject.org +install_mac: 24-6E-96-B1-C7-F4 +# Inside this, expect /vmlinuz and /initrd.img +install_binpath: /uefi/x86_64/el7 +install_ks: http://10.5.126.23/repo/rhel/ks/hardware-rhel-7-08disk +install_repo: http://10.5.126.23/http://10.5.126.23/repo/rhel/RHEL7-x86_64/ diff --git a/roles/tftp_server/tasks/main.yml b/roles/tftp_server/tasks/main.yml index df6d157e48..beacefe15c 100644 --- a/roles/tftp_server/tasks/main.yml +++ b/roles/tftp_server/tasks/main.yml 
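Review bot: `install_repo: http://10.5.126.23/http://10.5.126.23/repo/rhel/RHEL7-x86_64/` has the scheme and host duplicated, so the `inst.repo=` argument the grubhost template builds from it points at a path that cannot exist; it should read `install_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/`, matching the prefix used by `install_ks` on the line above. Both the kickstart and the repo are fetched over plain HTTP from an internal address during install, which is the usual PXE arrangement but is worth a comment stating that the install network is trusted for this. `install_mac: 24-6E-96-B1-C7-F4` is used verbatim as the TFTP file name by the tftp_server task, so its case and separator must match whatever the boot loader requests.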
@@ -40,3 +40,10 @@ synchronize: src="{{ bigfiles }}/tftpboot/" dest=/var/lib/tftpboot/ tags: - tftp_server + +- name: generate custom configs + template: src=grubhost.cfg dest="/var/lib/tftpboot/uefi/{{ item.install_mac }}" + with_items: groups['all'] + when: "hostvars[item].install_noc == ansible_inventory_hostname" + tags: + - tftp_server diff --git a/roles/tftp_server/templates/grubhost.cfg.j2 b/roles/tftp_server/templates/grubhost.cfg.j2 new file mode 100644 index 0000000000..b70cbf7b40 --- /dev/null +++ b/roles/tftp_server/templates/grubhost.cfg.j2 @@ -0,0 +1,28 @@ +set default="0" + +function load_video { + if [ x$feature_all_video_module = xy ]; then + insmod all_video + else + insmod efi_gop + insmod efi_uga + insmod ieee1275_fb + insmod vbe + insmod vga + insmod video_bochs + insmod video_cirrus + fi +} + +load_video +set gfxpayload=keep +insmod gzio +insmod part_gpt +insmod ext2 + +set timeout=5 + +menuentry 'Install {{ item }}' --class red --class gnu-linux --class gnu --class os { + linux {{ hostvars[item].install_binpath }}/vmlinuz ip=dhcp biosdevname=0 ksdevice=eth0 net.ifnames=0 ks={{ hostvars[item].install_ks }} inst.repo={{ hostvars[item].install_repo }} nomodeset + initrd {{ hostvars[item].install_binpath }}/initrd.img +} From d9d83e046be4367a2a48227da58d392054f9dbc8 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 20 Aug 2018 21:02:59 +0000 Subject: [PATCH 098/289] Use the value of this Signed-off-by: Patrick Uiterwijk --- roles/tftp_server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tftp_server/tasks/main.yml b/roles/tftp_server/tasks/main.yml index beacefe15c..b468006853 100644 --- a/roles/tftp_server/tasks/main.yml +++ b/roles/tftp_server/tasks/main.yml 
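Review bot: The new template reads `item`, `hostvars[item].install_binpath`, `hostvars[item].install_ks` and `hostvars[item].install_repo` but nothing in the file says where they come from, and only `install_noc` receives a default in group_vars/all, so a host that sets `install_noc` without the other three fails at render time with a generic undefined-variable error. A header comment, `{# Rendered by roles/tftp_server/tasks/main.yml once per host whose install_noc is this TFTP server; that host must define install_mac, install_binpath, install_ks and install_repo #}`, documents the contract without touching the rendered output. The kernel line's `ip=dhcp ksdevice=eth0 net.ifnames=0 biosdevname=0` also assumes the install NIC is the first interface on every host this is rendered for; if that ever differs, it needs to become a per-host variable too.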
@@ -43,7 +43,7 @@ - name: generate custom configs template: src=grubhost.cfg dest="/var/lib/tftpboot/uefi/{{ item.install_mac }}" - with_items: groups['all'] + with_items: {{ groups['all'] }} when: "hostvars[item].install_noc == ansible_inventory_hostname" tags: - tftp_server From 933ae0aae1b67addbbce61beaaee7db9e3e62fb1 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 20 Aug 2018 21:04:30 +0000 Subject: [PATCH 099/289] Add quotes Signed-off-by: Patrick Uiterwijk --- roles/tftp_server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tftp_server/tasks/main.yml b/roles/tftp_server/tasks/main.yml index b468006853..6e144cfe8c 100644 --- a/roles/tftp_server/tasks/main.yml +++ b/roles/tftp_server/tasks/main.yml @@ -43,7 +43,7 @@ - name: generate custom configs template: src=grubhost.cfg dest="/var/lib/tftpboot/uefi/{{ item.install_mac }}" - with_items: {{ groups['all'] }} + with_items: "{{ groups['all'] }}" when: "hostvars[item].install_noc == ansible_inventory_hostname" tags: - tftp_server From 8dd249daac071420bbf7071cee1cb17782ba39af Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 20 Aug 2018 21:05:15 +0000 Subject: [PATCH 100/289] I always forget that this is without ansible_ prefix Signed-off-by: Patrick Uiterwijk --- roles/tftp_server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tftp_server/tasks/main.yml b/roles/tftp_server/tasks/main.yml index 6e144cfe8c..4236bef7f8 100644 --- a/roles/tftp_server/tasks/main.yml +++ b/roles/tftp_server/tasks/main.yml @@ -44,6 +44,6 @@ - name: generate custom configs template: src=grubhost.cfg dest="/var/lib/tftpboot/uefi/{{ item.install_mac }}" with_items: "{{ groups['all'] }}" - when: "hostvars[item].install_noc == ansible_inventory_hostname" + when: "hostvars[item].install_noc == inventory_hostname" tags: - tftp_server From f671e1c4289fceb25cecb8b7991ffd37c5d1e153 Mon Sep 17 00:00:00 2001 
From: Patrick Uiterwijk Date: Mon, 20 Aug 2018 21:06:12 +0000 Subject: [PATCH 101/289] Look up the mac in hostvars Signed-off-by: Patrick Uiterwijk --- roles/tftp_server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tftp_server/tasks/main.yml b/roles/tftp_server/tasks/main.yml index 4236bef7f8..d3ba72696d 100644 --- a/roles/tftp_server/tasks/main.yml +++ b/roles/tftp_server/tasks/main.yml @@ -42,7 +42,7 @@ - tftp_server - name: generate custom configs - template: src=grubhost.cfg dest="/var/lib/tftpboot/uefi/{{ item.install_mac }}" + template: src=grubhost.cfg dest="/var/lib/tftpboot/uefi/{{ hostvars[item].install_mac }}" with_items: "{{ groups['all'] }}" when: "hostvars[item].install_noc == inventory_hostname" tags: From 2cd6c6beb07ced57498d334af9dc26b2a4beea49 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 20 Aug 2018 21:07:18 +0000 Subject: [PATCH 102/289] I had a .j2 in the file name Signed-off-by: Patrick Uiterwijk --- roles/tftp_server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tftp_server/tasks/main.yml b/roles/tftp_server/tasks/main.yml index d3ba72696d..6b1fc27cf9 100644 --- a/roles/tftp_server/tasks/main.yml +++ b/roles/tftp_server/tasks/main.yml @@ -42,7 +42,7 @@ - tftp_server - name: generate custom configs - template: src=grubhost.cfg dest="/var/lib/tftpboot/uefi/{{ hostvars[item].install_mac }}" + template: src=grubhost.cfg.j2 dest="/var/lib/tftpboot/uefi/{{ hostvars[item].install_mac }}" with_items: "{{ groups['all'] }}" when: "hostvars[item].install_noc == inventory_hostname" tags: From 7488d2003ee5be53d4658b39d0fadbce38e07d7a Mon Sep 17 00:00:00 2001 
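Review bot: After this last fix-up the task writes each host's config to `/var/lib/tftpboot/uefi/{{ hostvars[item].install_mac }}` with no `owner`, `group` or `mode`, so the permissions of a file served by tftpd depend on the control process's umask; `mode=0644 owner=root group=root` makes that explicit. The file name is the MAC exactly as written in host_vars (upper-case, dash separated) with no prefix: if the intent is GRUB's own per-client lookup it expects `grub.cfg-01-<mac>` in lower case, and if instead a top-level grub.cfg pulls it in with `configfile`, a comment naming that file would make the convention findable for the next host that is added.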
From: Andrea Veri Date: Mon, 20 Aug 2018 21:08:38 +0000 Subject: [PATCH 103/289] GNOME Backups: drop git.gnome.org (superseded by gitlab.g.o) and land oscp-master01 --- roles/gnome_backups/files/backup.sh | 4 ++-- roles/gnome_backups/files/ssh_config | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/gnome_backups/files/backup.sh b/roles/gnome_backups/files/backup.sh index 94381b64cd..d41ebd3142 100644 --- a/roles/gnome_backups/files/backup.sh +++ b/roles/gnome_backups/files/backup.sh @@ -9,7 +9,6 @@ MACHINES='signal.gnome.org webapps2.gnome.org blogs.gnome.org palette.gnome.org - git.gnome.org webapps.gnome.org cloud.gnome.org bastion.gnome.org @@ -31,7 +30,8 @@ MACHINES='signal.gnome.org scale.gnome.org sdkbuilder.gnome.org webapps3.gnome.org - gitlab.gnome.org' + gitlab.gnome.org + oscp-master01.gnome.org' BACKUP_DIR='/gnome_backups' diff --git a/roles/gnome_backups/files/ssh_config b/roles/gnome_backups/files/ssh_config index e6ed7f9d59..630a6521c1 100644 --- a/roles/gnome_backups/files/ssh_config +++ b/roles/gnome_backups/files/ssh_config @@ -3,6 +3,11 @@ Host puppetmaster01.gnome.org cloud.gnome.org webapps3.gnome.org IdentityFile /usr/local/etc/gnome_backup_id.rsa ProxyCommand ssh -W %h:%p bastion.gnome.org -F /usr/local/etc/gnome_ssh_config +Host oscp-master01.gnome.org + User root + IdentityFile /usr/local/etc/gnome_backup_id.rsa + ProxyCommand ssh -W %h:%p gesture.gnome.org -F /usr/local/etc/gnome_ssh_config + Host *.gnome.org pentagon.gimp.org User root IdentityFile /usr/local/etc/gnome_backup_id.rsa From ff937987b8aba29bdd065515ecb55cd02ef6ecbd Mon Sep 17 00:00:00 2001 From: Andrea Veri Date: Mon, 20 Aug 2018 21:17:24 +0000 Subject: [PATCH 104/289] GNOME Backups: also create a directory for oscp-master --- roles/gnome_backups/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/gnome_backups/tasks/main.yml b/roles/gnome_backups/tasks/main.yml index 39d17d1ee7..db309eee79 100644 
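Review bot: The new `Host oscp-master01.gnome.org` block only takes effect because it sits above the `Host *.gnome.org pentagon.gimp.org` wildcard, since ssh keeps the first value it finds for each option; that ordering constraint is invisible to the next editor. A comment above the block, `# Must stay above the *.gnome.org wildcard: ssh uses the first matching value, and this host is reached via gesture rather than bastion.`, records it. The jump through `gesture.gnome.org` instead of `bastion.gnome.org` also differs from every other entry here, so the reason belongs in that same comment.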
--- a/roles/gnome_backups/tasks/main.yml +++ b/roles/gnome_backups/tasks/main.yml @@ -31,7 +31,7 @@ - view.gnome.org - puppetmaster01.gnome.org - palette.gnome.org - - git.gnome.org + - oscp-master01.gnome.org - webapps.gnome.org - socket.gnome.org - bugzilla.gnome.org From 4772f0a500b42967aa70834df6b267caf83f7604 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Aug 2018 21:40:03 +0000 Subject: [PATCH 105/289] Drop duplicate, incorrect looking image name that we don't even have. --- roles/openshift-apps/release-monitoring/files/cron.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/openshift-apps/release-monitoring/files/cron.yml b/roles/openshift-apps/release-monitoring/files/cron.yml index e597332a01..8d8c2f897e 100644 --- a/roles/openshift-apps/release-monitoring/files/cron.yml +++ b/roles/openshift-apps/release-monitoring/files/cron.yml @@ -14,7 +14,6 @@ spec: containers: - name: release-monitoring-web image: release-monitoring/release-monitoring-web:latest - image: perl command: ["/usr/share/anitya/anitya_cron.py"] env: - name: ANITYA_WEB_CONFIG From baf160d03bc2d21d7e6e64fcf0ffdef46df373e9 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 21 Aug 2018 11:35:28 +0200 Subject: [PATCH 106/289] Add a /etc/hosts file to blockerbugs01.stg so it resolves bugzilla Signed-off-by: Pierre-Yves Chibon --- .../blockerbugs01.stg.phx2.fedoraproject.org-hosts | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 roles/hosts/files/blockerbugs01.stg.phx2.fedoraproject.org-hosts diff --git a/roles/hosts/files/blockerbugs01.stg.phx2.fedoraproject.org-hosts b/roles/hosts/files/blockerbugs01.stg.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..c5f9bb6fac --- /dev/null +++ b/roles/hosts/files/blockerbugs01.stg.phx2.fedoraproject.org-hosts 
@@ -0,0 +1,10 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +10.5.128.177 proxy01.phx2.fedoraproject.org proxy01 proxy02 proxy03 proxy04 proxy05 proxy06 proxy07 proxy08 proxy09 proxy10 proxy11 proxy12 proxy13 proxy14 fedoraproject.org admin.fedoraproject.org admin.stg.fedoraproject.org apps.fedoraproject.org apps.stg.fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org +10.5.128.175 pkgs.fedoraproject.org +10.5.128.148 memcached01.stg.phx2.fedoraproject.org memcached01 memcached02 memcached03 memcached04 +10.5.128.120 db01.stg.phx2.fedoraproject.org db-ask db-koji01 db-github2fedmsg tagger_dbdb-summershum nuancier_db db-notifs db-kerneltest db-pps +10.5.128.129 fas01.stg.phx2.fedoraproject.org fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all +209.132.183.72 bugzilla.redhat.com partner-bugzilla.redhat.com From 42355920a9c6db56deeb5b810b6ba5916ecf5004 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 21 Aug 2018 17:16:28 +0000 Subject: [PATCH 107/289] lets see if this gets the cron job all happy --- .../release-monitoring/files/cron.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/roles/openshift-apps/release-monitoring/files/cron.yml b/roles/openshift-apps/release-monitoring/files/cron.yml index 8d8c2f897e..7eac536cb5 100644 --- a/roles/openshift-apps/release-monitoring/files/cron.yml +++ b/roles/openshift-apps/release-monitoring/files/cron.yml @@ -3,6 +3,7 @@ kind: CronJob metadata: name: anitya spec: + concurrencyPolicy: Forbid schedule: "10 */12 * * *" jobTemplate: spec: 
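Review bot: The last line pins `bugzilla.redhat.com` and `partner-bugzilla.redhat.com` to `209.132.183.72` in /etc/hosts, which overrides DNS for both names; if that address ever changes, blockerbugs01.stg keeps sending bugzilla traffic to the old IP and the failure (certificate mismatch or timeouts) will look like an application bug. A comment above that line giving the reason for the pin and what tracks its removal would help, e.g. `# stg cannot resolve bugzilla via DNS (see <ticket placeholder>); remove once fixed`. The `db01.stg` line contains `tagger_dbdb-summershum` with no separator, which looks like two aliases (`tagger_db` and `db-summershum`) fused together — worth checking against the production hosts file before this is deployed.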
@@ -13,9 +14,18 @@ spec: spec: containers: - name: release-monitoring-web - image: release-monitoring/release-monitoring-web:latest - command: ["/usr/share/anitya/anitya_cron.py"] + image: docker-registry.default.svc:5000/release-monitoring/release-monitoring-web:latest + command: ["/usr/local/bin/anitya_cron.py"] env: - name: ANITYA_WEB_CONFIG - value: /etc/anitya/anitya.cfg + value: /etc/anitya/anitya.toml + volumeMounts: + - mountPath: /etc/anitya + name: config-volume + readOnly: true restartPolicy: OnFailure + volumes: + - configMap: + defaultMode: 420 + name: release-monitoring-configmap + name: config-volume From a792adea1329ed49d63c412fb3dc045af5960d1c Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Tue, 21 Aug 2018 17:24:58 +0000 Subject: [PATCH 108/289] add in selinux for nagios servers --- .../files/selinux/nagios_nrpe.mod | Bin 0 -> 1737 bytes .../files/selinux/nagios_nrpe.pp | Bin 0 -> 1753 bytes .../files/selinux/nagios_nrpe.te | 32 ++++++++++++++++++ roles/nagios_server/tasks/main.yml | 12 +++++++ 4 files changed, 44 insertions(+) create mode 100644 roles/nagios_server/files/selinux/nagios_nrpe.mod create mode 100644 roles/nagios_server/files/selinux/nagios_nrpe.pp create mode 100644 roles/nagios_server/files/selinux/nagios_nrpe.te 
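Review bot: `defaultMode: 420` is the decimal spelling of mode 0644 and is opaque to the next reader; an inline comment `defaultMode: 420  # 0644 in decimal; anitya.toml is readable by every user in the pod` would document it, and the `readOnly: true` on the mount is the right choice. The container still references the image by `:latest` on the internal registry, so each cron run takes whatever was pushed last — if reproducible runs matter, promote a specific imagestream tag instead. If anitya.toml in `release-monitoring-configmap` carries database credentials (not visible here), a Secret mount would be the more appropriate carrier than a ConfigMap.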
diff --git a/roles/nagios_server/files/selinux/nagios_nrpe.mod b/roles/nagios_server/files/selinux/nagios_nrpe.mod new file mode 100644 index 0000000000000000000000000000000000000000..80aff88bebccf434b0ba108b4cd7619d0b46ee9e GIT binary patch literal 1737 zcmb_cOHKqK5H0_|7)@O1#yNq}8@O?&D-S?g8fS2NpaXQC7USDKfhw8Uqn~l823?$vE==Id3jm&%uHktJtFqo>|%2XtPNEkpHyf!gzW>d6d>n4Z;qVrXX zMt8yNWWS-YGn=fNV4I7<4EVbTqmv4ZGuJ3wCy_`s`_zQE%(&*j-N#^Dk% zhI&xO80sl<#Q3d_MPn?|s}iy|WzPJE|He7(>0QZZNIUvb#$$yk?L&Dmq~B$}{|l%M z0{A7We9L^(Su>>>-?(U&Kse!jmNb?vwqu5b&1FhjAz7LIQpgQv-94k~Oj(FxOb=@SP;WXry3d|_Ry zH;Cx!;_{kzW8gH#J{x6?83?K^e4~asY%%lMnV>g0pwnfw!&KynNEkrt8l}D8W|KF4 zV+V)>qHW6Hwd$PSW52F8BNL1rNX;k)-$3*5q*W+fTtefa$4Gg&9bjGz_`s`-eSs%y znbWgr4E%L}jgjj?8Y9)u+Rc={snl&>v;~N((5(p= Date: Tue, 21 Aug 2018 17:28:55 +0000 Subject: [PATCH 109/289] prep for docker reg rebuild Signed-off-by: Rick Elrod --- ...andidate-registry01.phx2.fedoraproject.org | 4 +-- .../docker-registry02.phx2.fedoraproject.org | 4 +-- .../docker-registry03.phx2.fedoraproject.org | 4 +-- inventory/inventory | 4 +++ playbooks/groups/docker-registry.yml | 25 +++++-------------- 5 files changed, 16 insertions(+), 25 deletions(-) diff --git a/inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org b/inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org index bd87883da8..a46f49a89c 100644 --- a/inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org +++ b/inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg -ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.125.57 vmhost: bvirthost01.phx2.fedoraproject.org 
diff --git a/inventory/host_vars/docker-registry02.phx2.fedoraproject.org b/inventory/host_vars/docker-registry02.phx2.fedoraproject.org index 0f13c692d8..a5f6d17c49 100644 --- a/inventory/host_vars/docker-registry02.phx2.fedoraproject.org +++ b/inventory/host_vars/docker-registry02.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg -ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.125.77 vmhost: bvirthost01.phx2.fedoraproject.org diff --git a/inventory/host_vars/docker-registry03.phx2.fedoraproject.org b/inventory/host_vars/docker-registry03.phx2.fedoraproject.org index db421414ba..1117fd37f5 100644 --- a/inventory/host_vars/docker-registry03.phx2.fedoraproject.org +++ b/inventory/host_vars/docker-registry03.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg -ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.125.78 vmhost: bvirthost04.phx2.fedoraproject.org diff --git a/inventory/inventory b/inventory/inventory index 843b832a39..27f2f584d4 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1447,6 +1447,10 @@ docker-registry02.phx2.fedoraproject.org docker-registry03.phx2.fedoraproject.org docker-candidate-registry01.phx2.fedoraproject.org +[docker-registry-gluster] +docker-registry02.phx2.fedoraproject.org +docker-registry03.phx2.fedoraproject.org + [docker-registry-gluster-stg] docker-registry01.stg.phx2.fedoraproject.org docker-registry02.stg.phx2.fedoraproject.org 
diff --git a/playbooks/groups/docker-registry.yml b/playbooks/groups/docker-registry.yml index a35e6e2f2c..2229639b4e 100644 --- a/playbooks/groups/docker-registry.yml +++ b/playbooks/groups/docker-registry.yml @@ -66,25 +66,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - role: gluster/server - glusterservername: gluster - username: "{{ registry_gluster_username_prod }}" - password: "{{ registry_gluster_password_prod }}" - owner: root - group: root - datadir: /srv/glusterfs/registry - - - role: gluster/client - glusterservername: gluster - servers: - - docker-registry02.phx2.fedoraproject.org - - docker-registry03.phx2.fedoraproject.org - username: "{{ registry_gluster_username_prod }}" - password: "{{ registry_gluster_password_prod }}" - owner: root - group: root - mountdir: "/srv/docker" - + - role: gluster/consolidated + gluster_brick_dir: /srv/glusterfs/ + gluster_mount_dir: /srv/docker/ + gluster_brick_name: registry + gluster_server_group: docker-registry-gluster + tags: gluster - name: setup docker distribution registry hosts: docker-registry:docker-registry-stg From 171c5c1054d81c0af92ca9b6d1ac804e85cf5353 Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 21 Aug 2018 18:08:02 +0000 Subject: [PATCH 110/289] docker->oci 
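Review bot: The `gluster/consolidated` role invocation drops the `username`/`password` parameters that the removed `gluster/server` and `gluster/client` blocks passed from `registry_gluster_username_prod`/`registry_gluster_password_prod`, while `inventory/group_vars/oci-registry` (visible as context in patch 114 further down) still defines `registry_gluster_username_prod`. Either the consolidated role reads those variables by name — in which case a comment on the role block saying so would help — or the gluster auth configuration has silently been dropped and the variables are now dead; that cannot be determined from this hunk. The play header and the following `- name: setup docker distribution registry` play continue outside the hunk.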
Signed-off-by: Rick Elrod --- .../{docker-registry => oci-registry} | 0 ...andidate-registry01.phx2.fedoraproject.org} | 0 ...g => oci-registry02.phx2.fedoraproject.org} | 0 ...g => oci-registry03.phx2.fedoraproject.org} | 0 inventory/inventory | 18 +++++++++--------- .../{docker-registry.yml => oci-registry.yml} | 12 ++++++------ 6 files changed, 15 insertions(+), 15 deletions(-) rename inventory/group_vars/{docker-registry => oci-registry} (100%) rename inventory/host_vars/{docker-candidate-registry01.phx2.fedoraproject.org => oci-candidate-registry01.phx2.fedoraproject.org} (100%) rename inventory/host_vars/{docker-registry02.phx2.fedoraproject.org => oci-registry02.phx2.fedoraproject.org} (100%) rename inventory/host_vars/{docker-registry03.phx2.fedoraproject.org => oci-registry03.phx2.fedoraproject.org} (100%) rename playbooks/groups/{docker-registry.yml => oci-registry.yml} (92%) diff --git a/inventory/group_vars/docker-registry b/inventory/group_vars/oci-registry similarity index 100% rename from inventory/group_vars/docker-registry rename to inventory/group_vars/oci-registry diff --git a/inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org b/inventory/host_vars/oci-candidate-registry01.phx2.fedoraproject.org similarity index 100% rename from inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org rename to inventory/host_vars/oci-candidate-registry01.phx2.fedoraproject.org diff --git a/inventory/host_vars/docker-registry02.phx2.fedoraproject.org b/inventory/host_vars/oci-registry02.phx2.fedoraproject.org similarity index 100% rename from inventory/host_vars/docker-registry02.phx2.fedoraproject.org rename to inventory/host_vars/oci-registry02.phx2.fedoraproject.org 
diff --git a/inventory/host_vars/docker-registry03.phx2.fedoraproject.org b/inventory/host_vars/oci-registry03.phx2.fedoraproject.org similarity index 100% rename from inventory/host_vars/docker-registry03.phx2.fedoraproject.org rename to inventory/host_vars/oci-registry03.phx2.fedoraproject.org diff --git a/inventory/inventory b/inventory/inventory index 27f2f584d4..af93f79924 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1441,15 +1441,15 @@ os-control [ci] ci-cc-rdu01.fedoraproject.org -# Docker (docker-distribution) registries -[docker-registry] -docker-registry02.phx2.fedoraproject.org -docker-registry03.phx2.fedoraproject.org -docker-candidate-registry01.phx2.fedoraproject.org +# registries +[oci-registry] +oci-registry02.phx2.fedoraproject.org +oci-registry03.phx2.fedoraproject.org +oci-candidate-registry01.phx2.fedoraproject.org -[docker-registry-gluster] -docker-registry02.phx2.fedoraproject.org -docker-registry03.phx2.fedoraproject.org +[oci-registry-gluster] +oci-registry02.phx2.fedoraproject.org +oci-registry03.phx2.fedoraproject.org [docker-registry-gluster-stg] docker-registry01.stg.phx2.fedoraproject.org @@ -1462,7 +1462,7 @@ docker-candidate-registry01.stg.phx2.fedoraproject.org ## Not the candidate just the top registry [moby-registry] -docker-registry02.phx2.fedoraproject.org +oci-registry02.phx2.fedoraproject.org ## Not the candidate just the top registry [moby-registry-stg] diff --git a/playbooks/groups/docker-registry.yml b/playbooks/groups/oci-registry.yml similarity index 92% rename from playbooks/groups/docker-registry.yml rename to playbooks/groups/oci-registry.yml index 2229639b4e..bc7a42808e 100644 --- a/playbooks/groups/docker-registry.yml +++ b/playbooks/groups/oci-registry.yml 
@@ -1,8 +1,8 @@ # create an osbs server -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=docker-registry:docker-registry-stg" +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=oci-registry:docker-registry-stg" - name: make the box be real - hosts: docker-registry:docker-registry-stg + hosts: oci-registry:docker-registry-stg user: root gather_facts: True @@ -55,8 +55,8 @@ - name: set up gluster on prod hosts: - - docker-registry02.phx2.fedoraproject.org - - docker-registry03.phx2.fedoraproject.org + - oci-registry02.phx2.fedoraproject.org + - oci-registry03.phx2.fedoraproject.org user: root gather_facts: True @@ -70,11 +70,11 @@ gluster_brick_dir: /srv/glusterfs/ gluster_mount_dir: /srv/docker/ gluster_brick_name: registry - gluster_server_group: docker-registry-gluster + gluster_server_group: oci-registry-gluster tags: gluster - name: setup docker distribution registry - hosts: docker-registry:docker-registry-stg + hosts: oci-registry:docker-registry-stg vars_files: - /srv/web/infra/ansible/vars/global.yml - /srv/private/ansible/vars.yml From 808bc48f9e33ff450818872d800495116dcd8a2b Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 21 Aug 2018 18:32:12 +0000 Subject: [PATCH 111/289] dammit. f28, not f27 Signed-off-by: Rick Elrod --- .../host_vars/oci-candidate-registry01.phx2.fedoraproject.org | 4 ++-- inventory/host_vars/oci-registry02.phx2.fedoraproject.org | 4 ++-- inventory/host_vars/oci-registry03.phx2.fedoraproject.org | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventory/host_vars/oci-candidate-registry01.phx2.fedoraproject.org b/inventory/host_vars/oci-candidate-registry01.phx2.fedoraproject.org index a46f49a89c..b3b2a45845 100644 --- a/inventory/host_vars/oci-candidate-registry01.phx2.fedoraproject.org +++ b/inventory/host_vars/oci-candidate-registry01.phx2.fedoraproject.org 
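Review bot: The first hunk keeps the header comment `# create an osbs server` on a playbook the rename makes explicitly about the OCI registry hosts; `# create the OCI registry hosts (prod: oci-registry, stg: docker-registry-stg)` would match what the plays do. The host patterns now mix prefixes (`oci-registry:docker-registry-stg` in the `import_playbook` line and in the two `hosts:` lines), which is correct as long as the staging inventory group keeps its old name, but a short comment saying staging was intentionally not renamed would keep the next person from "fixing" it. The same mix appears in the third hunk (`hosts: oci-registry:docker-registry-stg`).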
@@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.125.57 vmhost: bvirthost01.phx2.fedoraproject.org diff --git a/inventory/host_vars/oci-registry02.phx2.fedoraproject.org b/inventory/host_vars/oci-registry02.phx2.fedoraproject.org index a5f6d17c49..f125b36f21 100644 --- a/inventory/host_vars/oci-registry02.phx2.fedoraproject.org +++ b/inventory/host_vars/oci-registry02.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.125.77 vmhost: bvirthost01.phx2.fedoraproject.org diff --git a/inventory/host_vars/oci-registry03.phx2.fedoraproject.org b/inventory/host_vars/oci-registry03.phx2.fedoraproject.org index 1117fd37f5..b6cb4c4593 100644 --- a/inventory/host_vars/oci-registry03.phx2.fedoraproject.org +++ b/inventory/host_vars/oci-registry03.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.125.78 vmhost: bvirthost04.phx2.fedoraproject.org From fa9d870a5840bf6baf40039d22d72e4593f8f88e Mon Sep 17 00:00:00 2001 
From: Rick Elrod Date: Tue, 21 Aug 2018 18:37:32 +0000 Subject: [PATCH 112/289] might as well use 01 and 02, instead of 02 and 03 Signed-off-by: Rick Elrod --- ...oraproject.org => oci-registry01.phx2.fedoraproject.org} | 0 inventory/inventory | 6 +++--- playbooks/groups/oci-registry.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) rename inventory/host_vars/{oci-registry03.phx2.fedoraproject.org => oci-registry01.phx2.fedoraproject.org} (100%) diff --git a/inventory/host_vars/oci-registry03.phx2.fedoraproject.org b/inventory/host_vars/oci-registry01.phx2.fedoraproject.org similarity index 100% rename from inventory/host_vars/oci-registry03.phx2.fedoraproject.org rename to inventory/host_vars/oci-registry01.phx2.fedoraproject.org diff --git a/inventory/inventory b/inventory/inventory index af93f79924..418c1b3723 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1443,13 +1443,13 @@ ci-cc-rdu01.fedoraproject.org # registries [oci-registry] +oci-registry01.phx2.fedoraproject.org oci-registry02.phx2.fedoraproject.org -oci-registry03.phx2.fedoraproject.org oci-candidate-registry01.phx2.fedoraproject.org [oci-registry-gluster] +oci-registry01.phx2.fedoraproject.org oci-registry02.phx2.fedoraproject.org -oci-registry03.phx2.fedoraproject.org [docker-registry-gluster-stg] docker-registry01.stg.phx2.fedoraproject.org @@ -1462,7 +1462,7 @@ docker-candidate-registry01.stg.phx2.fedoraproject.org ## Not the candidate just the top registry [moby-registry] -oci-registry02.phx2.fedoraproject.org +oci-registry01.phx2.fedoraproject.org ## Not the candidate just the top registry [moby-registry-stg] diff --git a/playbooks/groups/oci-registry.yml b/playbooks/groups/oci-registry.yml index bc7a42808e..8c18d78c9c 100644 --- a/playbooks/groups/oci-registry.yml +++ b/playbooks/groups/oci-registry.yml 
@@ -55,8 +55,8 @@ - name: set up gluster on prod hosts: + - oci-registry01.phx2.fedoraproject.org - oci-registry02.phx2.fedoraproject.org - - oci-registry03.phx2.fedoraproject.org user: root gather_facts: True From 9a5b1cdc2986a1368adfa416095d9d6eab361dda Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 21 Aug 2018 18:54:46 +0000 Subject: [PATCH 113/289] update vpn creds Signed-off-by: Rick Elrod --- .../server/files/ccd/docker-registry01.phx2.fedoraproject.org | 2 -- ....fedoraproject.org => oci-registry01.phx2.fedoraproject.org} | 0 ....fedoraproject.org => oci-registry02.phx2.fedoraproject.org} | 0 3 files changed, 2 deletions(-) delete mode 100644 roles/openvpn/server/files/ccd/docker-registry01.phx2.fedoraproject.org rename roles/openvpn/server/files/ccd/{docker-registry02.phx2.fedoraproject.org => oci-registry01.phx2.fedoraproject.org} (100%) rename roles/openvpn/server/files/ccd/{docker-registry03.phx2.fedoraproject.org => oci-registry02.phx2.fedoraproject.org} (100%) diff --git a/roles/openvpn/server/files/ccd/docker-registry01.phx2.fedoraproject.org b/roles/openvpn/server/files/ccd/docker-registry01.phx2.fedoraproject.org deleted file mode 100644 index c2ccfa0d1b..0000000000 --- a/roles/openvpn/server/files/ccd/docker-registry01.phx2.fedoraproject.org +++ /dev/null @@ -1,2 +0,0 @@ -# ifconfig-push actualIP PtPIP -ifconfig-push 192.168.1.48 192.168.0.48 diff --git a/roles/openvpn/server/files/ccd/docker-registry02.phx2.fedoraproject.org b/roles/openvpn/server/files/ccd/oci-registry01.phx2.fedoraproject.org similarity index 100% rename from roles/openvpn/server/files/ccd/docker-registry02.phx2.fedoraproject.org rename to roles/openvpn/server/files/ccd/oci-registry01.phx2.fedoraproject.org 
diff --git a/roles/openvpn/server/files/ccd/docker-registry03.phx2.fedoraproject.org b/roles/openvpn/server/files/ccd/oci-registry02.phx2.fedoraproject.org similarity index 100% rename from roles/openvpn/server/files/ccd/docker-registry03.phx2.fedoraproject.org rename to roles/openvpn/server/files/ccd/oci-registry02.phx2.fedoraproject.org From 535091dc82e79bcea229ffbb988b846e0bc5df39 Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 21 Aug 2018 19:51:24 +0000 Subject: [PATCH 114/289] open more ports... Signed-off-by: Rick Elrod --- inventory/group_vars/oci-registry | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/inventory/group_vars/oci-registry b/inventory/group_vars/oci-registry index 0bb0d792e4..bf3de779b9 100644 --- a/inventory/group_vars/oci-registry +++ b/inventory/group_vars/oci-registry @@ -8,7 +8,12 @@ sudoers: "{{ private }}/files/sudo/00releng-sudoers" tcp_ports: [ 5000, - # This is for the gluster server - 6996] + # These ports all required for gluster + 111, 24007, 24008, 24009, 24010, 24011, + 49152, 49153, 49154, 49155, + ] + +# gluster +udp_ports: [111] registry_gluster_username_prod: registry-prod From 5840621a79a60de6d341b00a51cd1345877536db Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Tue, 21 Aug 2018 21:53:42 +0000 Subject: [PATCH 115/289] uhm we probably dont want that either? --- playbooks/include/proxies-websites.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 5941c8ec4c..7bd72ade3c 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -137,7 +137,6 @@ - www.projectofedora.org - www.getfedora.com - getfedora.com - - www.getfedora.org - fedoraplayground.org - fedoraplayground.com From d370e3dc7af24949479aae5f883c389cf37e8dec Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 21 Aug 2018 22:19:54 +0000 Subject: [PATCH 116/289] update things for new names 
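Review bot: `tcp_ports` in `inventory/group_vars/oci-registry` now opens rpcbind (111) and the gluster management/brick ports 24007–24011 and 49152–49155, plus `udp_ports: [111]`, and nothing in the hunk scopes them to the gluster peers; if `tcp_ports` renders as unrestricted ACCEPT rules (as the name suggests, though the iptables role is not visible here), these services are reachable from any host that can route to the registry. Only the two members of `oci-registry-gluster` need them, so `custom_rules` entries with `-s <peer address placeholder>` — the pattern the batcave group_vars at the end of this page use for rsync — would restrict them. The removed `6996` entry carried an explanatory comment; the replacement `# These ports all required for gluster` reads better as `# Ports required by the gluster peers (rpcbind, glusterd, bricks)`.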
Signed-off-by: Rick Elrod --- inventory/host_vars/oci-registry01.phx2.fedoraproject.org | 2 +- inventory/host_vars/oci-registry02.phx2.fedoraproject.org | 2 +- master.yml | 2 +- playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml | 6 +++--- roles/haproxy/templates/haproxy.cfg | 6 +++--- .../templates/reversepassproxy.registry-generic.conf | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/inventory/host_vars/oci-registry01.phx2.fedoraproject.org b/inventory/host_vars/oci-registry01.phx2.fedoraproject.org index b6cb4c4593..c72afc5082 100644 --- a/inventory/host_vars/oci-registry01.phx2.fedoraproject.org +++ b/inventory/host_vars/oci-registry01.phx2.fedoraproject.org @@ -5,7 +5,7 @@ dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests -eth0_ip: 10.5.125.78 +eth0_ip: 10.5.125.77 vmhost: bvirthost04.phx2.fedoraproject.org datacenter: phx2 diff --git a/inventory/host_vars/oci-registry02.phx2.fedoraproject.org b/inventory/host_vars/oci-registry02.phx2.fedoraproject.org index f125b36f21..1d6c44c915 100644 --- a/inventory/host_vars/oci-registry02.phx2.fedoraproject.org +++ b/inventory/host_vars/oci-registry02.phx2.fedoraproject.org @@ -5,7 +5,7 @@ dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests -eth0_ip: 10.5.125.77 +eth0_ip: 10.5.125.78 vmhost: bvirthost01.phx2.fedoraproject.org datacenter: phx2 diff --git a/master.yml b/master.yml index 369a7c5f53..c4857d619e 100644 --- a/master.yml +++ b/master.yml 
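Review bot: The two host_vars hunks swap `eth0_ip` between oci-registry01 (now 10.5.125.77) and oci-registry02 (now 10.5.125.78) but leave `vmhost` as it was (bvirthost04 and bvirthost01 respectively), so each name now pairs the former docker-registry02/03 address of one guest with the hypervisor of the other. That is presumably deliberate — it lines up with the openvpn ccd renames in patch 113, where the docker-registry02 ccd became oci-registry01 — but nothing in the diff says so; a comment on the `eth0_ip` line such as `# address follows the openvpn ccd mapping, not the old docker-registry03 guest` would spare the next reader the archaeology. Confirm that forward and reverse DNS for both names were changed to match, since the haproxy and reverseproxy templates in this same commit address the hosts by name.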
@@ -38,7 +38,7 @@ - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-keygen.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/datagrepper.yml -- import_playbook: /srv/web/infra/ansible/playbooks/groups/docker-registry.yml +- import_playbook: /srv/web/infra/ansible/playbooks/groups/oci-registry.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/dns.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/download.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/elections.yml diff --git a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml index 437d3bbc8c..e54fc7a776 100644 --- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml @@ -1142,15 +1142,15 @@ remote_ip_prefix: "0.0.0.0/0" with_items: "{{all_tenants}}" - - name: "Create 'docker-registry-5000-anywhere' security group" + - name: "Create 'oci-registry-5000-anywhere' security group" neutron_sec_group: login_username: "admin" login_password: "{{ ADMIN_PASS }}" login_tenant_name: "admin" auth_url: "https://{{controller_publicname}}:35357/v2.0" state: "present" - name: 'docker-registry-5000-anywhere-{{item}}' - description: "allow docker-registry-5000 from anywhere" + name: 'oci-registry-5000-anywhere-{{item}}' + description: "allow oci-registry-5000 from anywhere" tenant_name: "{{item}}" rules: - direction: "ingress" diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 839862f201..5891fd5f66 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
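Review bot: Renaming the `neutron_sec_group` task's `name` to `oci-registry-5000-anywhere-{{item}}` with `state: "present"` creates a new security group per tenant but does not remove the existing `docker-registry-5000-anywhere-{{item}}` groups, so the old groups and their allow rules stay in each tenant until someone deletes them by hand. If the old name is no longer referenced anywhere, a companion task with `state: "absent"` for `docker-registry-5000-anywhere-{{item}}` would keep unused allow-from-anywhere rules from accumulating. The task's `rules:` list runs past the end of the hunk.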
@@ -366,7 +366,6 @@ backend osbs-backend balance hdr(appserver) server osbs-master01 osbs-master01:8443 check inter 10s rise 1 fall 2 check ssl verify none -# This is silly, but basically, stg has registry01/02, prod has registry02/03 frontend docker-registry-frontend bind 0.0.0.0:10048 default_backend docker-registry-backend @@ -375,10 +374,11 @@ backend docker-registry-backend balance hdr(appserver) {% if env == "staging" %} server docker-registry01 docker-registry01:5000 check inter 10s rise 1 fall 2 -{% endif %} server docker-registry02 docker-registry02:5000 check inter 10s rise 1 fall 2 +{% endif %} {% if env == "production" %} - server docker-registry03 docker-registry03:5000 check inter 10s rise 1 fall 2 + server oci-registry01 oci-registry01:5000 check inter 10s rise 1 fall 2 + server oci-registry02 oci-registry02:5000 check inter 10s rise 1 fall 2 {% endif %} {% if env == "staging" %} diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf index b291c0ad73..0e4ef7524e 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf @@ -12,7 +12,7 @@ RewriteRule ^/v2/(.*)/blobs/([a-zA-Z0-9:]*) https://cdn.registry.fedoraproject.o # This is terible, but Docker. RewriteCond %{REQUEST_METHOD} ^(PATCH|POST|PUT|DELETE)$ -RewriteRule ^/v2/(.*)$ http://docker-registry02:5000/v2/$1 [P,L] +RewriteRule ^/v2/(.*)$ http://oci-registry02:5000/v2/$1 [P,L] RewriteRule ^/v2/(.*)$ http://localhost:6081/v2/$1 [P,L] DocumentRoot /srv/web/registry-index/ From 6c3dc368cd85e2d8128aeda554c3961d5828bf38 Mon Sep 17 00:00:00 2001 
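Review bot: `reversepassproxy.registry-generic.conf` now routes every PATCH/POST/PUT/DELETE on `/v2/` to `http://oci-registry02:5000`, but the template has no env conditional, unlike `haproxy.cfg` in the same commit, which keeps `docker-registry01/02` for staging and uses `oci-registry01/02` only for production. If this template is also rendered on the staging proxies (staging still uses the docker-registry names per the inventory hunk in patch 110), staging registry pushes will be proxied to a hostname that does not exist there; wrapping the rewrite in `{% if env == "production" %}` / `{% else %}` with the respective host would mirror haproxy.cfg. Pinning all writes to one backend host is also a single point of failure, and the existing `# This is terible, but Docker.` comment does not say which host must take writes or why; a sentence on that would help whoever rebuilds these hosts next.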
From: Kevin Fenzi Date: Wed, 22 Aug 2018 00:00:21 +0000 Subject: [PATCH 117/289] pkgs is now a letsencrypt cert, so we do not need to monitor it for 60 days --- roles/nagios_server/files/nagios/services/ssl.cfg | 7 ------- 1 file changed, 7 deletions(-) diff --git a/roles/nagios_server/files/nagios/services/ssl.cfg b/roles/nagios_server/files/nagios/services/ssl.cfg index 16b6fe281a..38dc24eb4c 100644 --- a/roles/nagios_server/files/nagios/services/ssl.cfg +++ b/roles/nagios_server/files/nagios/services/ssl.cfg @@ -26,13 +26,6 @@ define service { use defaulttemplate } -define service { - hostgroup_name pkgs - service_description https-Pkgs-cert - check_command check_ssl_cert!pkgs.fedoraproject.org!60 - use defaulttemplate -} - define service { hostgroup_name proxies service_description https-whatcanidoforfedora-cert From 5a52f6c728e6a757f5a50d61aafcc5dd37e4234a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 00:14:12 +0000 Subject: [PATCH 118/289] adjust master --- master.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/master.yml b/master.yml index c4857d619e..361badfc7f 100644 --- a/master.yml +++ b/master.yml @@ -133,7 +133,6 @@ - import_playbook: /srv/web/infra/ansible/playbooks/hosts/commops.fedorainfracloud.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/developer.fedorainfracloud.org.yml -- import_playbook: /srv/web/infra/ansible/playbooks/hosts/eclipse.fedorainfracloud.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/elastic-dev.fedorainfracloud.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/fas2-dev.fedorainfracloud.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/fas3-dev.fedorainfracloud.org.yml From 1a0009d700ae29188bbf1152a282857305424710 Mon Sep 17 00:00:00 2001 
From: Clement Verna Date: Wed, 22 Aug 2018 11:16:13 +0200 Subject: [PATCH 119/289] Rename the candidate registry hostname with oci instead of docker Signed-off-by: Clement Verna --- roles/haproxy/templates/haproxy.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 5891fd5f66..71b0094554 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -451,7 +451,7 @@ frontend docker-candidate-registry-frontend backend docker-candidate-registry-backend balance hdr(appserver) - server docker-candidate-registry01 docker-candidate-registry01:5000 check inter 10s rise 1 fall 2 + server oci-candidate-registry01 oci-candidate-registry01:5000 check inter 10s rise 1 fall 2 frontend modernpaste-frontend bind 0.0.0.0:10055 From da05e0a4545330b11696a0138b0d4fa440552373 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 22 Aug 2018 16:21:25 +0200 Subject: [PATCH 120/289] Bring support for gitlab from upstream into easyfix Signed-off-by: Pierre-Yves Chibon --- .../gather/templates/gather_easyfix.py | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/roles/easyfix/gather/templates/gather_easyfix.py b/roles/easyfix/gather/templates/gather_easyfix.py index d0074282a8..4ebd4c9b7b 100755 --- a/roles/easyfix/gather/templates/gather_easyfix.py +++ b/roles/easyfix/gather/templates/gather_easyfix.py 
@@ -247,6 +247,27 @@ def main(): project.name, ticket['id']) ticketobj.status = ticket['status'] tickets.append(ticketobj) + elif project.name.startswith('gitlab.com:'): + # https://docs.gitlab.com/ee/api/issues.html#list-project-issues + project.name = project.name.split('gitlab.com:')[1] + project.url = 'https://gitlab.com/%s/' % (project.name) + project.site = 'gitlab.com' + url = 'https://gitlab.com/api/v4/projects/%s/issues' \ + '?state=opened&labels=%s' % (urllib2.quote(project.name, + safe=''), + project.tag) + stream = urllib2.urlopen(url) + output = stream.read() + jsonobj = json.loads(output) + if jsonobj: + for ticket in jsonobj: + ticket_num = ticket_num + 1 + ticketobj = Ticket() + ticketobj.id = ticket['id'] + ticketobj.title = ticket['title'] + ticketobj.url = ticket['web_url'] + ticketobj.status = ticket['state'] + tickets.append(ticketobj) project.tickets = tickets bzbugs = gather_bugzilla_easyfix() From d84e1df8962a38ea4bc6bd247c28d693f071eccc Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 14:49:04 +0000 Subject: [PATCH 121/289] Rename the openvpn ccd file so the new oci-candidate-registry01 gets the right vpn ip --- ...roject.org => oci-candidate-registry01.phx2.fedoraproject.org} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/openvpn/server/files/ccd/{docker-candidate-registry01.phx2.fedoraproject.org => oci-candidate-registry01.phx2.fedoraproject.org} (100%) diff --git a/roles/openvpn/server/files/ccd/docker-candidate-registry01.phx2.fedoraproject.org b/roles/openvpn/server/files/ccd/oci-candidate-registry01.phx2.fedoraproject.org similarity index 100% rename from roles/openvpn/server/files/ccd/docker-candidate-registry01.phx2.fedoraproject.org rename to roles/openvpn/server/files/ccd/oci-candidate-registry01.phx2.fedoraproject.org From 450230aa75c55d5c4c35b809f85aa95b53fa914c Mon Sep 17 00:00:00 2001 
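Review bot: The GitLab branch fetches `https://gitlab.com/api/v4/projects/%s/issues?state=opened&labels=%s` exactly once, and the GitLab issues API paginates (20 per page by default), so a project with more than one page of matching issues is silently truncated; either request `per_page=100` or follow the `X-Next-Page`/`Link` response headers until exhausted. `project.tag` is interpolated into the query string unquoted while `project.name` goes through `urllib2.quote`; a label containing spaces or `&` would break the request, so quote both: `'?state=opened&labels=%s' % (urllib2.quote(project.name, safe=''), urllib2.quote(project.tag))`. `urllib2.urlopen(url)` has no timeout and the response is never closed, which matches the surrounding style but means one slow GitLab response stalls the whole gather run. `ticket['id']` is GitLab's instance-wide id, while the number shown on the issue page is `iid`; if `ticketobj.id` is displayed to users it will not match the `web_url`. `main()` begins and ends outside this hunk.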
From: Clement Verna Date: Wed, 22 Aug 2018 17:02:17 +0200 Subject: [PATCH 122/289] Staging still does use docker in the regsitry hostname Signed-off-by: Clement Verna --- roles/haproxy/templates/haproxy.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 71b0094554..4a34046b22 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -451,7 +451,12 @@ frontend docker-candidate-registry-frontend backend docker-candidate-registry-backend balance hdr(appserver) +{% if env == "staging" %} + server docker-candidate-registry01 docker-candidate-registry01:5000 check inter 10s rise 1 fall 2 +{% endif %} +{% if env == "production" %} server oci-candidate-registry01 oci-candidate-registry01:5000 check inter 10s rise 1 fall 2 +{% endif %} frontend modernpaste-frontend bind 0.0.0.0:10055 From 7d793164e79c369a237a8f83d47d5c7274c8b60d Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Wed, 22 Aug 2018 15:48:13 +0000 Subject: [PATCH 123/289] remove sysadmin-build from hosts --- inventory/group_vars/bastion | 2 +- inventory/group_vars/batcave | 2 +- inventory/group_vars/pkgs | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion index 28f79ebcf0..f005363510 100644 --- a/inventory/group_vars/bastion +++ b/inventory/group_vars/bastion 
@@ -23,7 +23,7 @@ custom_rules: [ # TODO - remove modularity-wg membership here once it is not longer needed: # https://fedorahosted.org/fedora-infrastructure/ticket/5363 -fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring +fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring # # This is a postfix gateway. This will pick up gateway postfix config in base diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave index 5cd5219c6d..55b873de89 100644 --- a/inventory/group_vars/batcave +++ b/inventory/group_vars/batcave 
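Review bot: Dropping `sysadmin-build` from `fas_client_groups` stops syncing that group, but nothing in this hunk (or the matching batcave and pkgs hunks that follow) removes local accounts already created for users whose only qualifying group was `sysadmin-build`; whether fas-client prunes them on its next run is not visible here, so verify on one host after the play rather than assuming the access is gone. Because the value is a single long comma-separated string, access changes like this are easy to misread in review; a comment above the line, `# sysadmin-build deliberately omitted (removed from host access, Aug 2018)`, would at least record the intent.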
@@ -8,7 +8,7 @@ tcp_ports: [ 80, 443 ] # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-build,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring +fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring ansible_base: /srv/web/infra freezes: false diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs index 6510e6214f..0aeb444155 100644 --- a/inventory/group_vars/pkgs +++ b/inventory/group_vars/pkgs @@ -17,7 +17,7 @@ wsgi_fedmsg_service: pagure wsgi_procs: 6 wsgi_threads: 6 -fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-veteran +fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-veteran fas_client_restricted_app: PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/share/gitolite3/gitolite-shell %(username)s fas_client_admin_app: PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/share/gitolite3/gitolite-shell -s %(username)s fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-releng,sysadmin-noc,sysadmin-veteran" From 2d555fcf11006d3748ccad303212b2dd34979c98 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Wed, 22 Aug 2018 16:47:19 +0000 Subject: [PATCH 124/289] Trailing slashes might be the problem here. --- playbooks/groups/oci-registry.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/oci-registry.yml b/playbooks/groups/oci-registry.yml index 8c18d78c9c..9086f85686 100644 --- a/playbooks/groups/oci-registry.yml +++ b/playbooks/groups/oci-registry.yml @@ -47,7 +47,7 @@ roles: - role: gluster/consolidated - gluster_brick_dir: /srv/glusterfs/ + gluster_brick_dir: /srv/glusterfs gluster_mount_dir: /srv/docker/ gluster_brick_name: registry gluster_server_group: docker-registry-gluster-stg @@ -67,7 +67,7 @@ roles: - role: gluster/consolidated - gluster_brick_dir: /srv/glusterfs/ + gluster_brick_dir: /srv/glusterfs gluster_mount_dir: /srv/docker/ gluster_brick_name: registry gluster_server_group: oci-registry-gluster From c95e23507986f307a35bf6b2912b7a8273ed779e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 16:55:50 +0000 Subject: [PATCH 125/289] do not show these commands as changed --- roles/gluster/consolidated/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/gluster/consolidated/tasks/main.yml b/roles/gluster/consolidated/tasks/main.yml index b35c9ec109..584911efcd 100644 --- a/roles/gluster/consolidated/tasks/main.yml +++ b/roles/gluster/consolidated/tasks/main.yml @@ -15,12 +15,14 @@ command: gluster peer probe {{ item }} with_items: '{{groups[gluster_server_group]}}' ignore_errors: true + changed_when: false tags: - gluster - name: Servers discover each other, pass two. command: gluster peer probe {{ item }} with_items: '{{groups[gluster_server_group]}}' + changed_when: false ignore_errors: true tags: - gluster From 46b318382c74ce941165251c27eb907bf48e8331 Mon Sep 17 00:00:00 2001 
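Review bot: With `changed_when: false` stacked on `ignore_errors: true`, both `gluster peer probe` passes now report neither a change nor a failure, so a probe that fails for a real reason (unresolvable name, firewall) shows only as an ignored error in the log and the broken cluster is discovered at a later step. Registering the result and narrowing the tolerated case keeps the quiet reporting without hiding real failures, e.g. `register: probe` with `failed_when: probe.rc != 0 and 'already' not in probe.stdout` — confirm the exact message gluster prints for the self/already-peered case before relying on that substring. The first task's header is outside the hunk.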
From: Kevin Fenzi Date: Wed, 22 Aug 2018 16:59:17 +0000 Subject: [PATCH 126/289] Drop trailing / here as well --- playbooks/groups/odcs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/odcs.yml b/playbooks/groups/odcs.yml index 36c639c00c..ea821fa672 100644 --- a/playbooks/groups/odcs.yml +++ b/playbooks/groups/odcs.yml @@ -58,14 +58,14 @@ roles: - role: gluster/consolidated - gluster_brick_dir: /srv/glusterfs/ + gluster_brick_dir: /srv/glusterfs gluster_mount_dir: /srv/odcs gluster_brick_name: odcs gluster_server_group: odcs-stg tags: gluster when: env == 'staging' - role: gluster/consolidated - gluster_brick_dir: /srv/glusterfs/ + gluster_brick_dir: /srv/glusterfs gluster_mount_dir: /srv/odcs gluster_brick_name: odcs gluster_server_group: odcs From 417cb6e216f58cc30234775b0956e66f7b69d0a1 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Wed, 22 Aug 2018 17:33:06 +0000 Subject: [PATCH 127/289] Enable autosign for f29-infra and f30-infra --- .../robosignatory/files/robosignatory.production.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py index d4c8277bad..14c7e85ace 100644 --- a/roles/robosignatory/files/robosignatory.production.py +++ b/roles/robosignatory/files/robosignatory.production.py @@ -98,6 +98,18 @@ config = { "key": "fedora-infra", "keyid": "47dd8ef9" }, + { + "from": "f29-infra-candidate", + "to": "f29-infra-stg", + "key": "fedora-infra", + "keyid": "47dd8ef9" + }, + { + "from": "f30-infra-candidate", + "to": "f30-infra-stg", + "key": "fedora-infra", + "keyid": "47dd8ef9" + }, # Gated rawhide and branched { From a70029174db95610af5d4770f29e38ab333a55da Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 22 Aug 2018 17:35:29 +0000 Subject: [PATCH 128/289] Use the new CA structure 
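Review bot: Adding autosign entries means that anyone who can tag a build into `f29-infra-candidate` or `f30-infra-candidate` now obtains a signature with the `fedora-infra` key (`47dd8ef9`) without further review, so the tag-permission ACL on those candidate tags is the effective signing control and the commit does not say who holds it; a comment above the new entries, `# autosign: tag access on the *-infra-candidate tags equals signing authority with fedora-infra`, would make that explicit. The destination tags are `f29-infra-stg`/`f30-infra-stg` in the production config; if that mirrors the existing infra entries above the hunk it is fine, but the hunk context does not show them. The repeated key/keyid pair could also be hoisted into one shared dict so future entries stay consistent.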
Signed-off-by: Patrick Uiterwijk --- .../candidate-registry/tasks/main.yml | 19 ------------------- .../registry/files/passwd-production | 2 +- roles/fedora-web/registry/tasks/main.yml | 2 +- 3 files changed, 2 insertions(+), 21 deletions(-) diff --git a/roles/fedora-web/candidate-registry/tasks/main.yml b/roles/fedora-web/candidate-registry/tasks/main.yml index 26616cc8a0..60621934cc 100644 --- a/roles/fedora-web/candidate-registry/tasks/main.yml +++ b/roles/fedora-web/candidate-registry/tasks/main.yml @@ -1,22 +1,3 @@ -- name: Copy over the Fedora Server CA cert - copy: src="{{ private }}/files/fedora-ca.cert" dest=/etc/pki/httpd/fedora-server-ca.cert - owner=root group=root mode=0644 - notify: - - reload proxyhttpd - tags: - - fedora-web - - fedora-web/candidate-registry - -- name: Copy over the registry CA - copy: src="{{private}}/files/docker-registry/{{env}}/docker-registry-ca.pem" - dest="/etc/pki/httpd/registry-ca-{{env}}.cert" - owner=root group=root mode=0644 - notify: - - reload proxyhttpd - tags: - - fedora-web - - fedora-web/candidate-registry - - name: Copy over the registry passwd copy: src="{{private}}/files/docker-registry/{{env}}/candidate-htpasswd" dest=/etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd owner=root group=root mode=0644 diff --git a/roles/fedora-web/registry/files/passwd-production b/roles/fedora-web/registry/files/passwd-production index acc4e47062..edba1bff2e 100644 --- a/roles/fedora-web/registry/files/passwd-production +++ b/roles/fedora-web/registry/files/passwd-production @@ -1 +1 @@ -/C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=containerstable/emailAddress=buildsys@fedoraproject.org:xxj31ZMTZzkVA +/CN=containerstable:xxj31ZMTZzkVA diff --git a/roles/fedora-web/registry/tasks/main.yml b/roles/fedora-web/registry/tasks/main.yml index 1476b1961a..cab50ae756 100644 --- a/roles/fedora-web/registry/tasks/main.yml +++ b/roles/fedora-web/registry/tasks/main.yml 
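Review bot: Deleting the two `copy` tasks stops managing `/etc/pki/httpd/fedora-server-ca.cert` and `/etc/pki/httpd/registry-ca-{{env}}.cert` on the candidate-registry hosts, but it does not remove files already deployed there, so an httpd vhost still referencing them keeps trusting the old CA chain after this change. If those files are no longer wanted, add a `file:` task with `state: absent` for each path and notify `reload proxyhttpd`; if another vhost on the same host still needs them (the registry role in the next hunk still installs `registry-ca-{{env}}.cert`), a comment here saying so would stop someone cleaning them up later. In the `passwd-production` hunk the entry is now keyed on the bare subject `/CN=containerstable` with what looks like mod_ssl's fixed FakeBasicAuth hash, so the whole client-auth decision rests on which CAs httpd verifies client certificates against — worth double-checking that bundle contains only the new CA.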
@@ -36,7 +36,7 @@ - fedora-web/registry - name: Copy over the registry CA - copy: src="{{private}}/files/docker-registry/{{env}}/docker-registry-ca.pem" + copy: src="{{private}}/files/docker-registry/{{env}}/pki/ca.crt" dest="/etc/pki/httpd/registry-ca-{{env}}.cert" owner=root group=root mode=0644 notify: From 1a6490a084fa2dc52220817b279cbf2daa15e431 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 22 Aug 2018 17:40:50 +0000 Subject: [PATCH 129/289] Update bodhi-backend and releng-compose to new certs Signed-off-by: Patrick Uiterwijk --- playbooks/groups/bodhi-backend.yml | 4 ++-- playbooks/groups/releng-compose.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/groups/bodhi-backend.yml b/playbooks/groups/bodhi-backend.yml index 23b056d7b7..d92c64c847 100644 --- a/playbooks/groups/bodhi-backend.yml +++ b/playbooks/groups/bodhi-backend.yml @@ -66,8 +66,8 @@ when: env == "staging" - role: manage-container-images cert_dest_dir: "/etc/docker/certs.d/registry{{ env_suffix }}.fedoraproject.org" - cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem" - key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key" + cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.pem", + key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key", certs_group: apache diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 33a5e82c0c..7110208f90 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml 
@@ -71,8 +71,8 @@ - { role: "manage-container-images", cert_dest_dir: "/etc/docker/certs.d/registry.fedoraproject.org", - cert_src: "{{private}}/files/koji/containerstable.cert.pem", - key_src: "{{private}}/files/koji/containerstable.key.pem", + cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.pem", + key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key", when: env == "production" } From fe668782e34d9f0b6bc1eacad1d6740b44af558f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 22 Aug 2018 17:43:55 +0000 Subject: [PATCH 130/289] Add tags Signed-off-by: Patrick Uiterwijk --- roles/manage-container-images/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/manage-container-images/tasks/main.yml b/roles/manage-container-images/tasks/main.yml index a4b0a5fb05..2577494813 100644 --- a/roles/manage-container-images/tasks/main.yml +++ b/roles/manage-container-images/tasks/main.yml @@ -7,11 +7,15 @@ state: present with_items: - skopeo + tags: + - manage-container-images - name: ensure cert dir exists file: path: "{{cert_dest_dir}}" state: directory + tags: + - manage-container-images - name: install docker client cert for registry copy: @@ -20,6 +24,8 @@ owner: root group: "{{ certs_group }}" mode: 0640 + tags: + - manage-container-images - name: install docker client key for registry copy: @@ -27,3 +33,5 @@ dest: "{{cert_dest_dir}}/client.key" group: "{{ certs_group }}" mode: 0640 + tags: + - manage-container-images From 76a5a10145ad4cc6d41369c1a305dc03adfcf78c Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 22 Aug 2018 17:45:59 +0000 Subject: [PATCH 131/289] Seemingly different suffix Signed-off-by: Patrick Uiterwijk --- playbooks/groups/bodhi-backend.yml | 2 +- playbooks/groups/releng-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/playbooks/groups/bodhi-backend.yml b/playbooks/groups/bodhi-backend.yml index d92c64c847..3fb7045bbb 100644 --- a/playbooks/groups/bodhi-backend.yml +++ b/playbooks/groups/bodhi-backend.yml @@ -66,7 +66,7 @@ when: env == "staging" - role: manage-container-images cert_dest_dir: "/etc/docker/certs.d/registry{{ env_suffix }}.fedoraproject.org" - cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.pem", + cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt", key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key", certs_group: apache diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 7110208f90..637283d00d 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml @@ -71,7 +71,7 @@ - { role: "manage-container-images", cert_dest_dir: "/etc/docker/certs.d/registry.fedoraproject.org", - cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.pem", + cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt", key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key", when: env == "production" } From 9e95b1994071ceca8dad054d0a280f8ef7f28c95 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 22 Aug 2018 17:47:36 +0000 Subject: [PATCH 132/289] This is the other yaml syntax Signed-off-by: Patrick Uiterwijk --- playbooks/groups/bodhi-backend.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/bodhi-backend.yml b/playbooks/groups/bodhi-backend.yml index 3fb7045bbb..b9c790f957 100644 --- a/playbooks/groups/bodhi-backend.yml +++ b/playbooks/groups/bodhi-backend.yml 
@@ -66,8 +66,8 @@ when: env == "staging" - role: manage-container-images cert_dest_dir: "/etc/docker/certs.d/registry{{ env_suffix }}.fedoraproject.org" - cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt", - key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key", + cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt" + key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key" certs_group: apache From 7b127ff637b0c918595f55e93e9283981db37893 Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Wed, 22 Aug 2018 18:52:20 +0000 Subject: [PATCH 133/289] Update staging to bodhi-3.9.0b2. Signed-off-by: Randy Barlow --- playbooks/openshift-apps/bodhi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/openshift-apps/bodhi.yml b/playbooks/openshift-apps/bodhi.yml index 4b08ac7c2a..5c90a40ba0 100644 --- a/playbooks/openshift-apps/bodhi.yml +++ b/playbooks/openshift-apps/bodhi.yml @@ -51,7 +51,7 @@ app: bodhi template: buildconfig.yml objectname: buildconfig.yml - bodhi_version: 3.9.0-0.1.beta.fc27 + bodhi_version: 3.9.0-0.2.beta.fc27 when: env == "staging" - role: openshift/object app: bodhi From 7c9d54cc6f8de5ca3a99ada0a234ae30949efd97 Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Wed, 22 Aug 2018 19:04:29 +0000 Subject: [PATCH 134/289] Don't worry about interrupting composes in staging Bodhi. Signed-off-by: Randy Barlow --- playbooks/manual/upgrade/bodhi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/manual/upgrade/bodhi.yml b/playbooks/manual/upgrade/bodhi.yml index 57e3518386..59a1cae7bc 100644 --- a/playbooks/manual/upgrade/bodhi.yml +++ b/playbooks/manual/upgrade/bodhi.yml 
@@ -15,7 +15,7 @@
fail:
msg: "There are composes in progress."
any_errors_fatal: true
- when: "composes.stdout != '{\"composes\": []}'"
+ when: "composes.stdout != '{\"composes\": []}' and env != 'staging'"
- name: push packages out
hosts: bodhi-backend:bodhi-backend-stg:bodhi2:bodhi2-stg
From 1bd763f43e8adcbd831f595503218b07c7a42c61 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 22 Aug 2018 20:17:39 +0000
Subject: [PATCH 135/289] We need a closing ' here or else it just errors.
---
roles/bodhi2/backend/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/bodhi2/backend/tasks/main.yml b/roles/bodhi2/backend/tasks/main.yml
index f9cf08b6d4..2f9521231f 100644
--- a/roles/bodhi2/backend/tasks/main.yml
+++ b/roles/bodhi2/backend/tasks/main.yml
@@ -177,7 +177,7 @@
# bodhi2/backend/files/koji-sync-listener.py
# This cronjob runs only once a day. The listener script runs reactively.
cron: name="owner-sync" minute="15" hour="4" user="root"
- job="/usr/local/bin/lock-wrapper owner-sync '/usr/local/bin/owner-sync-pagure f30 f30-container f30-modular f29 f28 f27 f29-container f28-container f27-container f28-docker f27-docker f29-modular f28-modular f27-modular epel7 dist-6E-epel module-package-list modular"
+ job="/usr/local/bin/lock-wrapper owner-sync '/usr/local/bin/owner-sync-pagure f30 f30-container f30-modular f29 f28 f27 f29-container f28-container f27-container f28-docker f27-docker f29-modular f28-modular f27-modular epel7 dist-6E-epel module-package-list modular'"
cron_file=update-koji-owner
when: inventory_hostname.startswith('bodhi-backend01') and env == "production"
tags:
From c862c5ebb5eb6b385d41f00d543a2ed95715b23c Mon Sep 17 00:00:00 2001
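Review bot: The guard still compares the raw `composes.stdout` against an exact JSON string, so any change in whitespace or key order from the command producing it silently disables the safety check in production too; parsing it is more robust, `when: "(composes.stdout | from_json).composes | length > 0 and env != 'staging'"`. The task that registers `composes` is outside the hunk, so the command's output format cannot be confirmed here. A short comment above the task, `# staging composes may be interrupted; production must be idle before upgrading`, would record why the environment exemption exists.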
From: Kevin Fenzi
Date: Wed, 22 Aug 2018 20:42:42 +0000
Subject: [PATCH 136/289] try and update openshift in stg only to 3.10...
---
files/openshift/openshift.repo | 8 +-
playbooks/groups/os-cluster.yml | 4 +-
.../tasks/main.yml | 10 +
.../templates/cluster-inventory-stg.j2 | 1152 +++++++++++++++++
4 files changed, 1171 insertions(+), 3 deletions(-)
create mode 100644 roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2
diff --git a/files/openshift/openshift.repo b/files/openshift/openshift.repo
index 5a37adbdcb..af21a47a88 100644
--- a/files/openshift/openshift.repo
+++ b/files/openshift/openshift.repo
@@ -5,11 +5,17 @@ baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
{% elif inventory_hostname.startswith('os') %}
+[rhel7-openshift-3.10]
+name = rhel7 openshift 3.10 $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.10-rpms/
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+enabled=1
+
[rhel7-openshift-3.9]
name = rhel7 openshift 3.9 $basearch
baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.9-rpms/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-enabled=1
+enabled=0
# 3.8 is needed to upgrade from 3.7 to 3.9
[rhel7-openshift-3.8]
diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml
index 7f85649310..8b813a0f58 100644
--- a/playbooks/groups/os-cluster.yml
+++ b/playbooks/groups/os-cluster.yml
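Review bot: The new `[rhel7-openshift-3.10]` stanza sets `gpgkey` but no `gpgcheck=1`, and its `baseurl` is plain `http://`, so unless `gpgcheck=1` is inherited from `[main]` in yum.conf the key is never consulted and the packages are installed with no integrity check over an unauthenticated transport; add `gpgcheck=1` to the stanza (the 3.9 stanza in the context has the same gap, so fix both together). Switching 3.9 to `enabled=0` while keeping the stanza is fine, but a comment such as `# 3.9 kept disabled for rollback; 3.10 is the staging target` would explain why two versions remain.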
@@ -103,11 +103,11 @@ - { role: ansible-ansible-openshift-ansible, cluster_inventory_filename: "cluster-inventory-stg", - openshift_release: "v3.9", + openshift_release: "v3.10", openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_pre_playbook: "playbooks/prerequisites.yml", openshift_ansible_playbook: "playbooks/deploy_cluster.yml", - openshift_ansible_version: "openshift-ansible-3.9.30-1", + openshift_ansible_version: "openshift-ansible-3.10.33-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: false, openshift_ansible_containerized_deploy: false, diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index 989bd0a391..ba3b1abc7a 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml @@ -21,6 +21,15 @@ - ansible-ansible-openshift-ansible - ansible-ansible-openshift-ansible-config +- name: generate the inventory file + template: + src: "cluster-inventory-stg.j2" + dest: "{{ openshift_ansible_path }}/{{ cluster_inventory_filename }}" + tags: + - ansible-ansible-openshift-ansible + - ansible-ansible-openshift-ansible-config + when: env == 'staging' and inventory_hostname.startswith('os-') + - name: generate the inventory file template: src: "cluster-inventory.j2" @@ -28,6 +37,7 @@ tags: - ansible-ansible-openshift-ansible - ansible-ansible-openshift-ansible-config + when: env == 'production' or inventory_hostname.startswith('osbs-') - name: run ansible prereqs playbook shell: "ansible-playbook {{ openshift_ansible_pre_playbook }} -i {{ cluster_inventory_filename }}" diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 new file mode 100644 index 0000000000..bb266ae26b --- /dev/null +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 
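Review bot: Both `template` tasks are now named `generate the inventory file`, which makes `--start-at-task` and log output ambiguous, and the two `when` conditions are maintained separately so a future host class could match neither and get no inventory at all. One task with a conditional source keeps a single source of truth, e.g. `src: "{{ 'cluster-inventory-stg.j2' if (env == 'staging' and inventory_hostname.startswith('os-')) else 'cluster-inventory.j2' }}"`. If two tasks are kept, rename them (`generate the staging os- inventory file` / `generate the inventory file (production and osbs)`) so each is addressable.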
@@ -0,0 +1,1152 @@ +# This is an example of an OpenShift-Ansible host inventory that provides the +# minimum recommended configuration for production use. This includes 3 masters, +# two infra nodes, two compute nodes, and an haproxy load balancer to load +# balance traffic to the API servers. For a truly production environment you +# should use an external load balancing solution that itself is highly available. + +[masters] +{% for host in groups[openshift_cluster_masters_group] %} +{{ host }} +{% endfor %} + +[etcd] +{% for host in groups[openshift_cluster_masters_group] %} +{{ host }} +{% endfor %} + +[nodes] +{% for host in groups[openshift_cluster_masters_group] %} +{{ host }} openshift_node_group_name='node-config-master' +{% endfor %} +{% for host in groups[openshift_cluster_nodes_group] %} +{{ host }} openshift_node_group_name='node-config-compute' +{% endfor %} + +#[nfs] +#ose3-master1.test.example.com + +#[lb] +#ose3-lb.test.example.com + +# Create an OSEv3 group that contains the masters and nodes groups +[OSEv3:children] +masters +nodes +etcd +#lb +#nfs + +[OSEv3:vars] + +openshift_node_groups=[{'name': 'node-config-master', 'labels': ['node-role.kubernetes.io/master=true']}, {'name': 'node-config-infra', 'labels': ['node-role.kubernetes.io/infra=true',]}, {'name': 'node-config-compute', 'labels': ['node-role.kubernetes.io/compute=true'], 'edits': [{ 'key': 'kubeletArguments.pods-per-core','value': ['20']}]}] +############################################################################### +# Common/ Required configuration variables follow # +############################################################################### +# SSH user, this user should allow ssh based auth without requiring a +# password. If using ssh key based auth, then the key should be managed by an +# ssh agent. 
+ansible_user={{openshift_ansible_ssh_user}} + +# If ansible_user is not root, ansible_become must be set to true and the +# user must be configured for passwordless sudo +#ansible_become=yes + +# Specify the deployment type. Valid values are origin and openshift-enterprise. +#openshift_deployment_type=origin +openshift_deployment_type={{openshift_deployment_type}} + +# Specify the generic release of OpenShift to install. This is used mainly just during installation, after which we +# rely on the version running on the first master. Works best for containerized installs where we can usually +# use this to lookup the latest exact version of the container images, which is the tag actually used to configure +# the cluster. For RPM installations we just verify the version detected in your configured repos matches this +# release. +openshift_release={{openshift_release}} + +# default subdomain to use for exposed routes, you should have wildcard dns +# for *.apps.test.example.com that points at your infra nodes which will run +# your router +{% if openshift_app_subdomain is defined %} +{% if openshift_app_subdomain %} +openshift_master_default_subdomain={{openshift_app_subdomain}} +{% endif %} +{% endif %} + +#Set cluster_hostname to point at your load balancer +openshift_master_cluster_hostname=ose3-lb.test.example.com + + + +############################################################################### +# Additional configuration variables follow # +############################################################################### + +# Debug level for all OpenShift components (Defaults to 2) +debug_level={{openshift_debug_level}} + +# Specify an exact container image tag to install or configure. +# WARNING: This value will be used for all hosts in containerized environments, even those that have another version installed. +# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. 
+#openshift_image_tag=v3.10.0 +openshift_image_tag=v{{openshift_release}} + +# Specify an exact rpm version to install or configure. +# WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed. +# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. +#openshift_pkg_version=-3.10.0 +openshift_pkg_version=-{{openshift_release}} + +# If using Atomic Host, you may specify system container image registry for the nodes: +#system_images_registry="docker.io" +# when openshift_deployment_type=='openshift-enterprise' +#system_images_registry="registry.access.redhat.com" + +# Manage openshift example imagestreams and templates during install and upgrade +#openshift_install_examples=true +{% if openshift_ansible_install_examples is defined %} +openshift_install_examples={{openshift_ansible_install_examples}} +{% endif %} + +# Configure logoutURL in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#changing-the-logout-url +#openshift_master_logout_url=http://example.com + +# Configure extensions in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files +#openshift_master_oauth_templates={'login': '/path/to/login-template.html'} +# openshift_master_oauth_template is deprecated. Use openshift_master_oauth_templates instead. 
+#openshift_master_oauth_template=/path/to/login-template.html + +# Configure imagePolicyConfig in the master config +# See: https://docs.openshift.org/latest/admin_guide/image_policy.html +#openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": true} + +# Configure master API rate limits for external clients +#openshift_master_external_ratelimit_qps=200 +#openshift_master_external_ratelimit_burst=400 +# Configure master API rate limits for loopback clients +#openshift_master_loopback_ratelimit_qps=300 +#openshift_master_loopback_ratelimit_burst=600 + +# Install and run cri-o. +#openshift_use_crio=False +#openshift_use_crio_only=False +{% if openshift_ansible_use_crio is defined %} +openshift_use_crio={{ openshift_ansible_use_crio }} +{% endif %} +{% if openshift_ansible_use_crio_only is defined %} +openshift_use_crio_only={{ openshift_ansible_crio_only }} +{% endif %} +# The following two variables are used when openshift_use_crio is True +# and cleans up after builds that pass through docker. When openshift_use_crio is True +# these variables are set to the defaults shown. You may override them here. +# NOTE: You will still need to tag crio nodes with your given label(s)! +# Enable docker garbage collection when using cri-o +#openshift_crio_enable_docker_gc=True +# Node Selectors to run the garbage collection +#openshift_crio_docker_gc_node_selector={'runtime': 'cri-o'} + +# Items added, as is, to end of /etc/sysconfig/docker OPTIONS +# Default value: "--log-driver=journald" +#openshift_docker_options="-l warn --ipv6=false" + +# Specify exact version of Docker to configure or upgrade to. +# Downgrades are not supported and will error out. Be careful when upgrading docker from < 1.10 to > 1.10. +# docker_version="1.12.1" + +# Specify whether to run Docker daemon with SELinux enabled in containers. Default is True. 
+# Uncomment below to disable; for example if your kernel does not support the
+# Docker overlay/overlay2 storage drivers with SELinux enabled.
+#openshift_docker_selinux_enabled=False
+
+# Skip upgrading Docker during an OpenShift upgrade, leaves the current Docker version alone.
+# docker_upgrade=False
+
+# Specify a list of block devices to be formatted and mounted on the nodes
+# during prerequisites.yml. For each hash, "device", "path", "filesystem" are
+# required. To add devices only on certain classes of node, redefine
+# container_runtime_extra_storage as a group var.
+#container_runtime_extra_storage='[{"device":"/dev/vdc","path":"/var/lib/origin/openshift.local.volumes","filesystem":"xfs","options":"gquota"}]'
+
+# Enable etcd debug logging, defaults to false
+# etcd_debug=true
+# Set etcd log levels by package
+# etcd_log_package_levels="etcdserver=WARNING,security=DEBUG"
+
+# Upgrade Hooks
+#
+# Hooks are available to run custom tasks at various points during a cluster
+# upgrade. Each hook should point to a file with Ansible tasks defined. Suggest using
+# absolute paths, if not the path will be treated as relative to the file where the
+# hook is actually used.
+#
+# Tasks to run before each master is upgraded.
+# openshift_master_upgrade_pre_hook=/usr/share/custom/pre_master.yml
+#
+# Tasks to run to upgrade the master. These tasks run after the main openshift-ansible
+# upgrade steps, but before we restart system/services.
+# openshift_master_upgrade_hook=/usr/share/custom/master.yml
+#
+# Tasks to run after each master is upgraded and system/services have been restarted.
+# openshift_master_upgrade_post_hook=/usr/share/custom/post_master.yml
+
+# Cluster Image Source (registry) configuration
+# openshift-enterprise default is 'registry.access.redhat.com/openshift3/ose-${component}:${version}'
+# origin default is 'docker.io/openshift/origin-${component}:${version}'
+#oreg_url=example.com/openshift3/ose-${component}:${version}
+# If oreg_url points to a registry other than registry.access.redhat.com we can
+# modify image streams to point at that registry by setting the following to true
+#openshift_examples_modify_imagestreams=true
+# Add insecure and blocked registries to global docker configuration
+#openshift_docker_insecure_registries=registry.example.com
+#openshift_docker_blocked_registries=registry.hacker.com
+# You may also configure additional default registries for docker, however this
+# is discouraged. Instead you should make use of fully qualified image names.
+#openshift_docker_additional_registries=registry.example.com
+
+# If oreg_url points to a registry requiring authentication, provide the following:
+#oreg_auth_user=some_user
+#oreg_auth_password='my-pass'
+# NOTE: oreg_url must be defined by the user for oreg_auth_* to have any affect.
+# oreg_auth_pass should be generated from running docker login.
+# To update registry auth credentials, uncomment the following:
+#oreg_auth_credentials_replace: True
+
+# OpenShift repository configuration
+#openshift_additional_repos=[{'id': 'openshift-origin-copr', 'name': 'OpenShift Origin COPR', 'baseurl': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/epel-7-$basearch/', 'enabled': 1, 'gpgcheck': 1, 'gpgkey': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/pubkey.gpg'}]
+#openshift_repos_enable_testing=false
+
+# If the image for etcd needs to be pulled from anywhere else than registry.access.redhat.com, e.g. in
+# a disconnected and containerized installation, use osm_etcd_image to specify the image to use:
+#osm_etcd_image=rhel7/etcd
+
+# htpasswd auth
+#openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
+# Defining htpasswd users
+#openshift_master_htpasswd_users={'user1': '', 'user2': ''}
+# or
+#openshift_master_htpasswd_file=
+
+{% if openshift_auth_profile == "osbs" %}
+openshift_master_manage_htpasswd=false
+openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '{{ openshift_htpasswd_file }}'}]
+{% endif %}
+
+{% if openshift_auth_profile == "fedoraidp" %}
+openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_prod_client_secret}}", "extraScopes": ["profile", "email", "https://id.fedoraproject.org/scope/groups"], "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}]
+{% endif %}
+
+{% if openshift_auth_profile == "fedoraidp-stg" %}
+openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_stg_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}]
+{% endif %}
+
+# Allow all auth
+#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
+
+# LDAP auth
+#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': 'my-ldap-ca.crt', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+#
+# Configure LDAP CA certificate
+# Specify either the ASCII contents of the certificate or the path to
+# the local file that will be copied to the remote host. CA
+# certificate contents will be copied to master systems and saved
+# within /etc/origin/master/ with a filename matching the "ca" key set
+# within the LDAPPasswordIdentityProvider.
+#
+#openshift_master_ldap_ca=
+# or
+#openshift_master_ldap_ca_file=
+
+# OpenID auth
+#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}]
+#
+# Configure OpenID CA certificate
+# Specify either the ASCII contents of the certificate or the path to
+# the local file that will be copied to the remote host. CA
+# certificate contents will be copied to master systems and saved
+# within /etc/origin/master/ with a filename matching the "ca" key set
+# within the OpenIDIdentityProvider.
+#
+#openshift_master_openid_ca=
+# or
+#openshift_master_openid_ca_file=
+
+# Request header auth
+#openshift_master_identity_providers=[{"name": "my_request_header_provider", "challenge": "true", "login": "true", "kind": "RequestHeaderIdentityProvider", "challengeURL": "https://www.example.com/challenging-proxy/oauth/authorize?${query}", "loginURL": "https://www.example.com/login-proxy/oauth/authorize?${query}", "clientCA": "my-request-header-ca.crt", "clientCommonNames": ["my-auth-proxy"], "headers": ["X-Remote-User", "SSO-User"], "emailHeaders": ["X-Remote-User-Email"], "nameHeaders": ["X-Remote-User-Display-Name"], "preferredUsernameHeaders": ["X-Remote-User-Login"]}]
+#
+# Configure request header CA certificate
+# Specify either the ASCII contents of the certificate or the path to
+# the local file that will be copied to the remote host. CA
+# certificate contents will be copied to master systems and saved
+# within /etc/origin/master/ with a filename matching the "clientCA"
+# key set within the RequestHeaderIdentityProvider.
+#
+#openshift_master_request_header_ca=
+# or
+#openshift_master_request_header_ca_file=
+
+# CloudForms Management Engine (ManageIQ) App Install
+#
+# Enables installation of MIQ server. Recommended for dedicated
+# clusters only. See roles/openshift_management/README.md for instructions
+# and requirements.
+#openshift_management_install_management=False
+
+# Cloud Provider Configuration
+#
+# Note: You may make use of environment variables rather than store
+# sensitive configuration within the ansible inventory.
+# For example:
+#openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}"
+#openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}"
+#
+# AWS
+#openshift_cloudprovider_kind=aws
+# Note: IAM profiles may be used instead of storing API credentials on disk.
+#openshift_cloudprovider_aws_access_key=aws_access_key_id
+#openshift_cloudprovider_aws_secret_key=aws_secret_access_key
+#
+# Openstack
+#openshift_cloudprovider_kind=openstack
+#openshift_cloudprovider_openstack_auth_url=http://openstack.example.com:35357/v2.0/
+#openshift_cloudprovider_openstack_username=username
+#openshift_cloudprovider_openstack_password=password
+#openshift_cloudprovider_openstack_domain_id=domain_id
+#openshift_cloudprovider_openstack_domain_name=domain_name
+#openshift_cloudprovider_openstack_tenant_id=tenant_id
+#openshift_cloudprovider_openstack_tenant_name=tenant_name
+#openshift_cloudprovider_openstack_region=region
+#openshift_cloudprovider_openstack_lb_subnet_id=subnet_id
+#
+# Note: If you're getting a "BS API version autodetection failed" when provisioning cinder volumes you may need this setting
+#openshift_cloudprovider_openstack_blockstorage_version=v2
+#
+# GCE
+#openshift_cloudprovider_kind=gce
+# Note: When using GCE, openshift_gcp_project and openshift_gcp_prefix must be
+# defined.
+# openshift_gcp_project is the project-id
+#openshift_gcp_project=
+# openshift_gcp_prefix is a unique string to identify each openshift cluster.
+#openshift_gcp_prefix=
+#openshift_gcp_multizone=False
+# Note: To enable nested virtualization in gcp use the following variable and url
+#openshift_gcp_licenses="https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx"
+# Additional details regarding nested virtualization are available:
+# https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances
+#
+# vSphere
+#openshift_cloudprovider_kind=vsphere
+#openshift_cloudprovider_vsphere_username=username
+#openshift_cloudprovider_vsphere_password=password
+#openshift_cloudprovider_vsphere_host=vcenter_host or vsphere_host
+#openshift_cloudprovider_vsphere_datacenter=datacenter
+#openshift_cloudprovider_vsphere_datastore=datastore
+#openshift_cloudprovider_vsphere_folder=optional_folder_name
+
+
+# Project Configuration
+#osm_project_request_message=''
+#osm_project_request_template=''
+#osm_mcs_allocator_range='s0:/2'
+#osm_mcs_labels_per_project=5
+#osm_uid_allocator_range='1000000000-1999999999/10000'
+
+# Configure additional projects
+#openshift_additional_projects={'my-project': {'default_node_selector': 'label=value'}}
+
+# Enable cockpit
+#osm_use_cockpit=true
+#
+# Set cockpit plugins
+#osm_cockpit_plugins=['cockpit-kubernetes']
+
+{% if openshift_master_ha is defined %}
+{% if openshift_master_ha %}
+# Native high availability cluster method with optional load balancer.
+# If no lb group is defined, the installer assumes that a load balancer has
+# been preconfigured. For installation the value of
+# openshift_master_cluster_hostname must resolve to the load balancer
+# or to one or all of the masters defined in the inventory if no load
+# balancer is present.
+openshift_master_cluster_method=native
+openshift_master_cluster_hostname={{openshift_internal_cluster_url}}
+openshift_master_cluster_public_hostname={{openshift_cluster_url}}
+{% endif %}
+{% endif %}
+
+# If an external load balancer is used public hostname should resolve to
+# external load balancer address
+#openshift_master_cluster_public_hostname=openshift-ansible.public.example.com
+
+# Configure controller arguments
+#osm_controller_args={'resource-quota-sync-period': ['10s']}
+
+# Configure api server arguments
+#osm_api_server_args={'max-requests-inflight': ['400']}
+
+# additional cors origins
+#osm_custom_cors_origins=['foo.example.com', 'bar.example.com']
+
+# default project node selector
+#osm_default_node_selector='region=primary'
+
+# Override the default pod eviction timeout
+#openshift_master_pod_eviction_timeout=5m
+
+# Override the default oauth tokenConfig settings:
+# openshift_master_access_token_max_seconds=86400
+# openshift_master_auth_token_max_seconds=500
+
+# Override master servingInfo.maxRequestsInFlight
+#openshift_master_max_requests_inflight=500
+
+# Override master and node servingInfo.minTLSVersion and .cipherSuites
+# valid TLS versions are VersionTLS10, VersionTLS11, VersionTLS12
+# example cipher suites override, valid cipher suites are https://golang.org/pkg/crypto/tls/#pkg-constants
+#openshift_master_min_tls_version=VersionTLS12
+#openshift_master_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...']
+#
+#openshift_node_min_tls_version=VersionTLS12
+#openshift_node_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...']
+
+# default storage plugin dependencies to install, by default the ceph and
+# glusterfs plugin dependencies will be installed, if available.
+#osn_storage_plugin_deps=['ceph','glusterfs','iscsi']
+
+# OpenShift Router Options
+#
+# An OpenShift router will be created during install if there are
+# nodes present with labels matching the default router selector,
+# "node-role.kubernetes.io/infra=true".
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_group_name="node-config-infra"
+#
+# Router selector (optional)
+# Router will only be created if nodes matching this label are present.
+# Default value: 'node-role.kubernetes.io/infra=true'
+#openshift_hosted_router_selector='node-role.kubernetes.io/infra=true'
+#
+# Router replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift router selector.
+#openshift_hosted_router_replicas=2
+#
+# Router force subdomain (optional)
+# A router path format to force on all routes used by this router
+# (will ignore the route host value)
+#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com'
+#
+# Router certificate (optional)
+# Provide local certificate paths which will be configured as the
+# router's default certificate.
+#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
+#
+# Manage the OpenShift Router (optional)
+#openshift_hosted_manage_router=true
+#
+# Router sharding support has been added and can be achieved by supplying the correct
+# data to the inventory. The variable to house the data is openshift_hosted_routers
+# and is in the form of a list. If no data is passed then a default router will be
+# created. There are multiple combinations of router sharding. The one described
+# below supports routers on separate nodes.
+#
+#openshift_hosted_routers=[{'name': 'router1', 'certificate': {'certfile': '/path/to/certificate/abc.crt', 'keyfile': '/path/to/certificate/abc.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router1', 'ports': ['80:80', '443:443']}, {'name': 'router2', 'certificate': {'certfile': '/path/to/certificate/xyz.crt', 'keyfile': '/path/to/certificate/xyz.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [{'action': 'append', 'key': 'spec.template.spec.containers[0].env', 'value': {'name': 'ROUTE_LABELS', 'value': 'route=external'}}], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router2', 'ports': ['80:80', '443:443']}]
+
+# OpenShift Registry Console Options
+# Override the console image prefix:
+# origin default is "cockpit/", enterprise default is "openshift3/"
+#openshift_cockpit_deployer_prefix=registry.example.com/myrepo/
+# origin default is "kubernetes", enterprise default is "registry-console"
+#openshift_cockpit_deployer_basename=my-console
+# Override image version, defaults to latest for origin, vX.Y product version for enterprise
+#openshift_cockpit_deployer_version=1.4.1
+
+# Openshift Registry Options
+#
+# An OpenShift registry will be created during install if there are
+# nodes present with labels matching the default registry selector,
+# "node-role.kubernetes.io/infra=true".
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_group_name="node-config-infra"
+#
+# Registry selector (optional)
+# Registry will only be created if nodes matching this label are present.
+# Default value: 'node-role.kubernetes.io/infra=true'
+#openshift_hosted_registry_selector='node-role.kubernetes.io/infra=true'
+#
+# Registry replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift registry selector.
+#openshift_hosted_registry_replicas=2
+#
+# Validity of the auto-generated certificate in days (optional)
+#openshift_hosted_registry_cert_expire_days=730
+#
+# Manage the OpenShift Registry (optional)
+#openshift_hosted_manage_registry=true
+# Manage the OpenShift Registry Console (optional)
+#openshift_hosted_manage_registry_console=true
+#
+# Registry Storage Options
+#
+# NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group. For example, the volume
+# path using these options would be "/exports/registry". "exports" is
+# is the name of the export served by the nfs server. "registry" is
+# the name of a directory inside of "/exports".
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+# nfs_directory must conform to DNS-1123 subdomain must consist of lower case
+# alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/registry". "exports" is
+# is the name of the export served by the nfs server. "registry" is
+# the name of a directory inside of "/exports".
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_host=nfs.example.com
+# nfs_directory must conform to DNS-1123 subdomain must consist of lower case
+# alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+{% if env == "staging" %}
+openshift_hosted_registry_storage_kind=nfs
+openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+openshift_hosted_registry_storage_host=ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com
+openshift_hosted_registry_storage_nfs_directory=/
+openshift_hosted_registry_storage_volume_name=openshift-stg-registry
+openshift_hosted_registry_storage_volume_size=10Gi
+{% else %}
+openshift_hosted_registry_storage_kind=nfs
+openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+openshift_hosted_registry_storage_host=ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com
+openshift_hosted_registry_storage_nfs_directory=/
+openshift_hosted_registry_storage_volume_name=openshift-prod-registry
+openshift_hosted_registry_storage_volume_size=10Gi
+{% endif %}
+#
+# Openstack
+# Volume must already exist.
+#openshift_hosted_registry_storage_kind=openstack
+#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_registry_storage_openstack_filesystem=ext4
+#openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# hostPath (local filesystem storage)
+# Suitable for "all-in-one" or proof of concept deployments
+# Must not be used for high-availability and production deployments
+#openshift_hosted_registry_storage_kind=hostpath
+#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_registry_storage_hostpath_path=/var/lib/openshift_volumes
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# AWS S3
+# S3 bucket must already exist.
+#openshift_hosted_registry_storage_kind=object
+#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_encrypt=false
+#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id
+#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
+#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
+#openshift_hosted_registry_storage_s3_bucket=bucket_name
+#openshift_hosted_registry_storage_s3_region=bucket_region
+#openshift_hosted_registry_storage_s3_chunksize=26214400
+#openshift_hosted_registry_storage_s3_rootdirectory=/registry
+#openshift_hosted_registry_pullthrough=true
+#openshift_hosted_registry_acceptschema2=true
+#openshift_hosted_registry_enforcequota=true
+#
+# Any S3 service (Minio, ExoScale, ...): Basically the same as above
+# but with regionendpoint configured
+# S3 bucket must already exist.
+#openshift_hosted_registry_storage_kind=object
+#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_accesskey=access_key_id
+#openshift_hosted_registry_storage_s3_secretkey=secret_access_key
+#openshift_hosted_registry_storage_s3_regionendpoint=https://myendpoint.example.com/
+#openshift_hosted_registry_storage_s3_bucket=bucket_name
+#openshift_hosted_registry_storage_s3_region=bucket_region
+#openshift_hosted_registry_storage_s3_chunksize=26214400
+#openshift_hosted_registry_storage_s3_rootdirectory=/registry
+#openshift_hosted_registry_pullthrough=true
+#openshift_hosted_registry_acceptschema2=true
+#openshift_hosted_registry_enforcequota=true
+#
+# Additional CloudFront Options. When using CloudFront all three
+# of the followingg variables must be defined.
+#openshift_hosted_registry_storage_s3_cloudfront_baseurl=https://myendpoint.cloudfront.net/
+#openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile=/full/path/to/secret.pem
+#openshift_hosted_registry_storage_s3_cloudfront_keypairid=yourpairid
+# vSphere Volume with vSphere Cloud Provider
+# openshift_hosted_registry_storage_kind=vsphere
+# openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+# openshift_hosted_registry_storage_annotations=['volume.beta.kubernetes.io/storage-provisioner: kubernetes.io/vsphere-volume']
+#
+# GCS Storage Bucket
+#openshift_hosted_registry_storage_provider=gcs
+#openshift_hosted_registry_storage_gcs_bucket=bucket01
+#openshift_hosted_registry_storage_gcs_keyfile=test.key
+#openshift_hosted_registry_storage_gcs_rootdirectory=/registry
+
+# Metrics deployment
+# See: https://docs.openshift.com/enterprise/latest/install_config/cluster_metrics.html
+#
+# By default metrics are not automatically deployed, set this to enable them
+#openshift_metrics_install_metrics=true
+{% if openshift_metrics_deploy is defined %}
+{% if openshift_metrics_deploy %}
+openshift_hosted_metrics_deploy=true
+#
+# Storage Options
+# If openshift_metrics_storage_kind is unset then metrics will be stored
+# in an EmptyDir volume and will be deleted when the cassandra pod terminates.
+# Storage options A & B currently support only one cassandra pod which is
+# generally enough for up to 1000 pods. Additional volumes can be created
+# manually after the fact and metrics scaled per the docs.
+#
+# Option A - NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group. For example, the volume
+# path using these options would be "/exports/metrics". "exports" is
+# is the name of the export served by the nfs server. "metrics" is
+# the name of a directory inside of "/exports".
+#openshift_metrics_storage_kind=nfs
+#openshift_metrics_storage_access_modes=['ReadWriteOnce']
+#openshift_metrics_storage_nfs_directory=/exports
+#openshift_metrics_storage_nfs_options='*(rw,root_squash)'
+#openshift_metrics_storage_volume_name=metrics
+#openshift_metrics_storage_volume_size=10Gi
+#openshift_metrics_storage_labels={'storage': 'metrics'}
+#
+# Option B - External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/metrics". "exports" is
+# is the name of the export served by the nfs server. "metrics" is
+# the name of a directory inside of "/exports".
+#openshift_metrics_storage_kind=nfs
+#openshift_metrics_storage_access_modes=['ReadWriteOnce']
+#openshift_metrics_storage_host=nfs.example.com
+#openshift_metrics_storage_nfs_directory=/exports
+#openshift_metrics_storage_volume_name=metrics
+#openshift_metrics_storage_volume_size=10Gi
+#openshift_metrics_storage_labels={'storage': 'metrics'}
+#
+# Option C - Dynamic -- If openshift supports dynamic volume provisioning for
+# your cloud platform use this.
+#openshift_metrics_storage_kind=dynamic
+#
+# Other Metrics Options -- Common items you may wish to reconfigure, for the complete
+# list of options please see roles/openshift_metrics/README.md
+#
+# Override metricsPublicURL in the master config for cluster metrics
+# Defaults to https://hawkular-metrics.{{openshift_master_default_subdomain}}/hawkular/metrics
+# Currently, you may only alter the hostname portion of the url, alterting the
+# `/hawkular/metrics` path will break installation of metrics.
+#openshift_metrics_hawkular_hostname=hawkular-metrics.example.com
+# Configure the metrics component images # Note, these will be modified by oreg_url by default
+#openshift_metrics_cassandra_image="docker.io/openshift/origin-metrics-cassandra:{{ openshift_image_tag }}"
+#openshift_metrics_hawkular_agent_image="docker.io/openshift/origin-metrics-hawkular-openshift-agent:{{ openshift_image_tag }}"
+#openshift_metrics_hawkular_metrics_image="docker.io/openshift/origin-metrics-hawkular-metrics:{{ openshift_image_tag }}"
+#openshift_metrics_schema_installer_image="docker.io/openshift/origin-metrics-schema-installer:{{ openshift_image_tag }}"
+#openshift_metrics_heapster_image="docker.io/openshift/origin-metrics-heapster:{{ openshift_image_tag }}"
+# when openshift_deployment_type=='openshift-enterprise'
+#openshift_metrics_cassandra_image="registry.access.redhat.com/openshift3/metrics-cassandra:{{ openshift_image_tag }}"
+#openshift_metrics_hawkular_agent_image="registry.access.redhat.com/openshift3/metrics-hawkular-openshift-agent:{{ openshift_image_tag }}"
+#openshift_metrics_hawkular_metrics_image="registry.access.redhat.com/openshift3/metrics-hawkular-metrics:{{ openshift_image_tag }}"
+#openshift_metrics_schema_installer_image="registry.access.redhat.com/openshift3/metrics-schema-installer:{{ openshift_image_tag }}"
+#openshift_metrics_heapster_image="registry.access.redhat.com/openshift3/metrics-heapster:{{ openshift_image_tag }}"
+#
+# StorageClass
+# openshift_storageclass_name=gp2
+# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': 'false'}
+# openshift_storageclass_mount_options=['dir_mode=0777', 'file_mode=0777']
+# openshift_storageclass_reclaim_policy="Delete"
+#
+# PersistentLocalStorage
+# If Persistent Local Storage is wanted, this boolean can be defined to True.
+# This will create all necessary configuration to use persistent storage on nodes.
+#openshift_persistentlocalstorage_enabled=False
+#openshift_persistentlocalstorage_classes=[]
+#openshift_persistentlocalstorage_path=/mnt/local-storage
+#openshift_persistentlocalstorage_provisionner_image=quay.io/external_storage/local-volume-provisioner:v1.0.1
+
+# Logging deployment
+#
+# Currently logging deployment is disabled by default, enable it by setting this
+#openshift_logging_install_logging=true
+#
+# Logging storage config
+# Option A - NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group. For example, the volume
+# path using these options would be "/exports/logging". "exports" is
+# is the name of the export served by the nfs server. "logging" is
+# the name of a directory inside of "/exports".
+#openshift_logging_storage_kind=nfs
+#openshift_logging_storage_access_modes=['ReadWriteOnce']
+#openshift_logging_storage_nfs_directory=/exports
+#openshift_logging_storage_nfs_options='*(rw,root_squash)'
+#openshift_logging_storage_volume_name=logging
+#openshift_logging_storage_volume_size=10Gi
+#openshift_logging_storage_labels={'storage': 'logging'}
+#
+# Option B - External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/logging". "exports" is
+# is the name of the export served by the nfs server. "logging" is
+# the name of a directory inside of "/exports".
+#openshift_logging_storage_kind=nfs
+#openshift_logging_storage_access_modes=['ReadWriteOnce']
+#openshift_logging_storage_host=nfs.example.com
+#openshift_logging_storage_nfs_directory=/exports
+#openshift_logging_storage_volume_name=logging
+#openshift_logging_storage_volume_size=10Gi
+#openshift_logging_storage_labels={'storage': 'logging'}
+#
+# Option C - Dynamic -- If openshift supports dynamic volume provisioning for
+# your cloud platform use this.
+#openshift_logging_storage_kind=dynamic
+#
+# Option D - none -- Logging will use emptydir volumes which are destroyed when
+# pods are deleted
+#
+# Other Logging Options -- Common items you may wish to reconfigure, for the complete
+# list of options please see roles/openshift_logging/README.md
+#
+# Configure loggingPublicURL in the master config for aggregate logging, defaults
+# to kibana.{{ openshift_master_default_subdomain }}
+#openshift_logging_kibana_hostname=logging.apps.example.com
+# Configure the number of elastic search nodes, unless you're using dynamic provisioning
+# this value must be 1
+#openshift_logging_es_cluster_size=1
+
+# Prometheus deployment
+#
+# Currently prometheus deployment is disabled by default, enable it by setting this
+#openshift_hosted_prometheus_deploy=true
+#
+# Prometheus storage config
+# By default prometheus uses emptydir storage, if you want to persist you should
+# configure it to use pvc storage type. Each volume must be ReadWriteOnce.
+#openshift_prometheus_storage_type=emptydir
+#openshift_prometheus_alertmanager_storage_type=emptydir
+#openshift_prometheus_alertbuffer_storage_type=emptydir
+# Use PVCs for persistence
+#openshift_prometheus_storage_type=pvc
+#openshift_prometheus_alertmanager_storage_type=pvc
+#openshift_prometheus_alertbuffer_storage_type=pvc
+
+# Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
+# os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
+
+# Disable the OpenShift SDN plugin
+# openshift_use_openshift_sdn=False
+
+# Configure SDN cluster network and kubernetes service CIDR blocks. These
+# network blocks should be private and should not conflict with network blocks
+# in your infrastructure that pods may require access to. Can not be changed
+# after deployment.
+#
+# WARNING : Do not pick subnets that overlap with the default Docker bridge subnet of
+# 172.17.0.0/16. Your installation will fail and/or your configuration change will
+# cause the Pod SDN or Cluster SDN to fail.
+#
+# WORKAROUND : If you must use an overlapping subnet, you can configure a non conflicting
+# docker0 CIDR range by adding '--bip=192.168.2.1/24' to DOCKER_NETWORK_OPTIONS
+# environment variable located in /etc/sysconfig/docker-network.
+# When upgrading or scaling up the following must match whats in your master config!
+# Inventory: master yaml field
+# osm_cluster_network_cidr: clusterNetworkCIDR
+# openshift_portal_net: serviceNetworkCIDR
+# When installing osm_cluster_network_cidr and openshift_portal_net must be set.
+# Sane examples are provided below.
+#osm_cluster_network_cidr=10.128.0.0/14
+#openshift_portal_net=172.30.0.0/16
+
+# ExternalIPNetworkCIDRs controls what values are acceptable for the
+# service external IP field. If empty, no externalIP may be set. It
+# may contain a list of CIDRs which are checked for access. If a CIDR
+# is prefixed with !, IPs in that CIDR will be rejected. Rejections
+# will be applied first, then the IP checked against one of the
+# allowed CIDRs. You should ensure this range does not overlap with
+# your nodes, pods, or service CIDRs for security reasons.
+#openshift_master_external_ip_network_cidrs=['0.0.0.0/0']
+
+# IngressIPNetworkCIDR controls the range to assign ingress IPs from for
+# services of type LoadBalancer on bare metal. If empty, ingress IPs will not
+# be assigned. It may contain a single CIDR that will be allocated from. For
+# security reasons, you should ensure that this range does not overlap with
+# the CIDRs reserved for external IPs, nodes, pods, or services.
+#openshift_master_ingress_ip_network_cidr=172.46.0.0/16
+
+# Configure number of bits to allocate to each host's subnet e.g. 9
+# would mean a /23 network on the host.
+# When upgrading or scaling up the following must match whats in your master config!
+# Inventory: master yaml field
+# osm_host_subnet_length: hostSubnetLength
+# When installing osm_host_subnet_length must be set. A sane example is provided below.
+#osm_host_subnet_length=9
+
+# Configure master API and console ports.
+#openshift_master_api_port=8443
+#openshift_master_console_port=8443
+{% if openshift_api_port is defined and openshift_console_port is defined %}
+{% if openshift_api_port and openshift_console_port %}
+openshift_master_api_port={{openshift_api_port}}
+openshift_master_console_port={{openshift_console_port}}
+{% endif %}
+{% endif %}
+
+# set exact RPM version (include - prefix)
+#openshift_pkg_version=-3.9.0
+# you may also specify version and release, ie:
+#openshift_pkg_version=-3.9.0-0.126.0.git.0.9351aae.el7
+
+# Configure custom ca certificate
+#openshift_master_ca_certificate={'certfile': '/path/to/ca.crt', 'keyfile': '/path/to/ca.key'}
+#
+# NOTE: CA certificate will not be replaced with existing clusters.
+# This option may only be specified when creating a new cluster or
+# when redeploying cluster certificates with the redeploy-certificates
+# playbook.
+
+# Configure custom named certificates (SNI certificates)
+#
+# https://docs.openshift.org/latest/install_config/certificate_customization.html
+# https://docs.openshift.com/enterprise/latest/install_config/certificate_customization.html
+#
+# NOTE: openshift_master_named_certificates is cached on masters and is an
+# additive fact, meaning that each run with a different set of certificates
+# will add the newly provided certificates to the cached set of certificates.
+#
+# An optional CA may be specified for each named certificate. CAs will
+# be added to the OpenShift CA bundle which allows for the named
+# certificate to be served for internal cluster communication.
+#
+# If you would like openshift_master_named_certificates to be overwritten with
+# the provided value, specify openshift_master_overwrite_named_certificates.
+#openshift_master_overwrite_named_certificates=true
+#
+# Provide local certificate paths which will be deployed to masters
+#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}]
+#
+# Detected names may be overridden by specifying the "names" key
+#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}]
+#
+# Add a trusted CA to all pods, copies from the control host, may be multiple
+# certs in one file
+#openshift_additional_ca=/path/to/additional-ca.crt
+
+# Session options
+#openshift_master_session_name=ssn
+#openshift_master_session_max_seconds=3600
+
+# An authentication and encryption secret will be generated if secrets
+# are not provided. If provided, openshift_master_session_auth_secrets
+# and openshift_master_encryption_secrets must be equal length.
+#
+# Signing secrets, used to authenticate sessions using
+# HMAC. Recommended to use secrets with 32 or 64 bytes.
+#openshift_master_session_auth_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
+#
+# Encrypting secrets, used to encrypt sessions. Must be 16, 24, or 32
+# characters long, to select AES-128, AES-192, or AES-256.
+#openshift_master_session_encryption_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
+
+# configure how often node iptables rules are refreshed
+#openshift_node_iptables_sync_period=5s
+
+# Configure nodeIP in the node config
+# This is needed in cases where node traffic is desired to go over an
+# interface other than the default network interface.
+#openshift_set_node_ip=True
+
+#openshift_node_kubelet_args is deprecated, use node config edits instead
+
+# Configure logrotate scripts
+# See: https://github.com/nickhammond/ansible-logrotate
+#logrotate_scripts=[{"name": "syslog", "path": "/var/log/cron\n/var/log/maillog\n/var/log/messages\n/var/log/secure\n/var/log/spooler\n", "options": ["daily", "rotate 7", "compress", "sharedscripts", "missingok"], "scripts": {"postrotate": "/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true"}}]
+
+# The OpenShift-Ansible installer will fail when it detects that the
+# value of openshift_hostname resolves to an IP address not bound to any local
+# interfaces. This mis-configuration is problematic for any pod leveraging host
+# networking and liveness or readiness probes.
+# Setting this variable to false will override that check.
+#openshift_hostname_check=true
+
+# openshift_use_dnsmasq is deprecated. This must be true, or installs will fail
+# in versions >= 3.6
+#openshift_use_dnsmasq=False
+
+# Define an additional dnsmasq.conf file to deploy to /etc/dnsmasq.d/openshift-ansible.conf
+# This is useful for POC environments where DNS may not actually be available yet or to set
+# options like 'strict-order' to alter dnsmasq configuration.
+#openshift_node_dnsmasq_additional_config_file=/home/bob/ose-dnsmasq.conf
+
+# Global Proxy Configuration
+# These options configure HTTP_PROXY, HTTPS_PROXY, and NOPROXY environment
+# variables for docker and master services.
+#
+# Hosts in the openshift_no_proxy list will NOT use any globally
+# configured HTTP(S)_PROXYs. openshift_no_proxy accepts domains
+# (.example.com), hosts (example.com), and IP addresses.
+#openshift_http_proxy=http://USER:PASSWORD@IPADDR:PORT
+#openshift_https_proxy=https://USER:PASSWORD@IPADDR:PORT
+#openshift_no_proxy='.hosts.example.com,some-host.com'
+#
+# Most environments don't require a proxy between openshift masters, nodes, and
+# etcd hosts. So automatically add those hostnames to the openshift_no_proxy list.
+# If all of your hosts share a common domain you may wish to disable this and
+# specify that domain above instead.
+#
+# For example, having hosts with FQDNs: m1.ex.com, n1.ex.com, and
+# n2.ex.com, one would simply add '.ex.com' to the openshift_no_proxy
+# variable (above) and set this value to False
+#openshift_generate_no_proxy_hosts=True
+#
+# These options configure the BuildDefaults admission controller which injects
+# configuration into Builds. Proxy related values will default to the global proxy
+# config values. You only need to set these if they differ from the global proxy settings.
+# See BuildDefaults documentation at +# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html +#openshift_builddefaults_http_proxy=http://USER:PASSWORD@HOST:PORT +#openshift_builddefaults_https_proxy=https://USER:PASSWORD@HOST:PORT +#openshift_builddefaults_no_proxy=mycorp.com +#openshift_builddefaults_git_http_proxy=http://USER:PASSWORD@HOST:PORT +#openshift_builddefaults_git_https_proxy=https://USER:PASSWORD@HOST:PORT +#openshift_builddefaults_git_no_proxy=mycorp.com +#openshift_builddefaults_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}] +#openshift_builddefaults_nodeselectors={'nodelabel1':'nodelabelvalue1'} +#openshift_builddefaults_annotations={'annotationkey1':'annotationvalue1'} +#openshift_builddefaults_resources_requests_cpu=100m +#openshift_builddefaults_resources_requests_memory=256Mi +#openshift_builddefaults_resources_limits_cpu=1000m +#openshift_builddefaults_resources_limits_memory=512Mi + +# Or you may optionally define your own build defaults configuration serialized as json +#openshift_builddefaults_json='{"BuildDefaults":{"configuration":{"apiVersion":"v1","env":[{"name":"HTTP_PROXY","value":"http://proxy.example.com.redhat.com:3128"},{"name":"NO_PROXY","value":"ose3-master.example.com"}],"gitHTTPProxy":"http://proxy.example.com:3128","gitNoProxy":"ose3-master.example.com","kind":"BuildDefaultsConfig"}}}' + +# These options configure the BuildOverrides admission controller which injects +# configuration into Builds. 
+# See BuildOverrides documentation at +# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html +#openshift_buildoverrides_force_pull=true +#openshift_buildoverrides_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}] +#openshift_buildoverrides_nodeselectors={'nodelabel1':'nodelabelvalue1'} +#openshift_buildoverrides_annotations={'annotationkey1':'annotationvalue1'} +#openshift_buildoverrides_tolerations=[{'key':'mykey1','value':'myvalue1','effect':'NoSchedule','operator':'Equal'}] + +# Or you may optionally define your own build overrides configuration serialized as json +#openshift_buildoverrides_json='{"BuildOverrides":{"configuration":{"apiVersion":"v1","kind":"BuildDefaultsConfig","forcePull":"true"}}}' + +# Enable service catalog +#openshift_enable_service_catalog=true + +# Enable template service broker (requires service catalog to be enabled, above) +#template_service_broker_install=true + +# Specify an openshift_service_catalog image +# (defaults for origin and openshift-enterprise, repsectively) +#openshift_service_catalog_image="docker.io/openshift/origin-service-catalog:{{ openshift_image_tag }}"" +#openshift_service_catalog_image="registry.access.redhat.com/openshift3/ose-service-catalog:{{ openshift_image_tag }}" + +# TSB image tag +#template_service_broker_version='v3.9' + +# Configure one of more namespaces whose templates will be served by the TSB +#openshift_template_service_broker_namespaces=['openshift'] + +# masterConfig.volumeConfig.dynamicProvisioningEnabled, configurable as of 1.2/3.2, enabled by default +#openshift_master_dynamic_provisioning_enabled=True + +# Admission plugin config +#openshift_master_admission_plugin_config={"ProjectRequestLimit":{"configuration":{"apiVersion":"v1","kind":"ProjectRequestLimitConfig","limits":[{"selector":{"admin":"true"}},{"maxProjects":"1"}]}},"PodNodeConstraints":{"configuration":{"apiVersion":"v1","kind":"PodNodeConstraintsConfig"}}} + +# Configure usage of 
openshift_clock role. +#openshift_clock_enabled=true + +# OpenShift Per-Service Environment Variables +# Environment variables are added to /etc/sysconfig files for +# each OpenShift node. +# API and controllers environment variables are merged in single +# master environments. +#openshift_node_env_vars={"ENABLE_HTTP2": "true"} +{% if no_http2 is defined %} +{% if no_http2 %} +openshift_master_api_env_vars={"ENABLE_HTTP2": "true"} +openshift_master_controllers_env_vars={"ENABLE_HTTP2": "true"} +openshift_node_env_vars={"ENABLE_HTTP2": "true"} +{% endif %} +{% endif %} + +# Enable API service auditing +#openshift_master_audit_config={"enabled": "true"} +# +# In case you want more advanced setup for the auditlog you can +# use this line. +# The directory in "auditFilePath" will be created if it's not +# exist +#openshift_master_audit_config={"enabled": "true", "auditFilePath": "/var/lib/origin/openpaas-oscp-audit/openpaas-oscp-audit.log", "maximumFileRetentionDays": "14", "maximumFileSizeMegabytes": "500", "maximumRetainedFiles": "5"} + +# Enable origin repos that point at Centos PAAS SIG, defaults to true, only used +# by openshift_deployment_type=origin +#openshift_enable_origin_repo=false + +# Validity of the auto-generated OpenShift certificates in days. +# See also openshift_hosted_registry_cert_expire_days above. +# +#openshift_ca_cert_expire_days=1825 +#openshift_node_cert_expire_days=730 +#openshift_master_cert_expire_days=730 + +# Validity of the auto-generated external etcd certificates in days. +# Controls validity for etcd CA, peer, server and client certificates. 
+# +#etcd_ca_default_days=1825 +# +# ServiceAccountConfig:LimitSecretRefences rejects pods that reference secrets their service accounts do not reference +# openshift_master_saconfig_limitsecretreferences=false + +# Upgrade Control +# +# By default nodes are upgraded in a serial manner one at a time and all failures +# are fatal, one set of variables for normal nodes, one set of variables for +# nodes that are part of control plane as the number of hosts may be different +# in those two groups. +#openshift_upgrade_nodes_serial=1 +#openshift_upgrade_nodes_max_fail_percentage=0 +#openshift_upgrade_control_plane_nodes_serial=1 +#openshift_upgrade_control_plane_nodes_max_fail_percentage=0 +# +# You can specify the number of nodes to upgrade at once. We do not currently +# attempt to verify that you have capacity to drain this many nodes at once +# so please be careful when specifying these values. You should also verify that +# the expected number of nodes are all schedulable and ready before starting an +# upgrade. If it's not possible to drain the requested nodes the upgrade will +# stall indefinitely until the drain is successful. +# +# If you're upgrading more than one node at a time you can specify the maximum +# percentage of failure within the batch before the upgrade is aborted. Any +# nodes that do fail are ignored for the rest of the playbook run and you should +# take care to investigate the failure and return the node to service so that +# your cluster. +# +# The percentage must exceed the value, this would fail on two failures +# openshift_upgrade_nodes_serial=4 openshift_upgrade_nodes_max_fail_percentage=49 +# where as this would not +# openshift_upgrade_nodes_serial=4 openshift_upgrade_nodes_max_fail_percentage=50 +# +# A timeout to wait for nodes to drain pods can be specified to ensure that the +# upgrade continues even if nodes fail to drain pods in the allowed time. 
The +# default value of 0 will wait indefinitely allowing the admin to investigate +# the root cause and ensuring that disruption budgets are respected. If the +# a timeout of 0 is used there will also be one attempt to re-try draining the +# node. If a non zero timeout is specified there will be no attempt to retry. +#openshift_upgrade_nodes_drain_timeout=0 +# +# Multiple data migrations take place and if they fail they will fail the upgrade +# You may wish to disable these or make them non fatal +# +# openshift_upgrade_pre_storage_migration_enabled=true +# openshift_upgrade_pre_storage_migration_fatal=true +# openshift_upgrade_post_storage_migration_enabled=true +# openshift_upgrade_post_storage_migration_fatal=false + +###################################################################### +# CloudForms/ManageIQ (CFME/MIQ) Configuration + +# See the readme for full descriptions and getting started +# instructions: ../../roles/openshift_management/README.md or go directly to +# their definitions: ../../roles/openshift_management/defaults/main.yml +# ../../roles/openshift_management/vars/main.yml +# +# Namespace for the CFME project +#openshift_management_project: openshift-management + +# Namespace/project description +#openshift_management_project_description: CloudForms Management Engine + +# Choose 'miq-template' for a podified database install +# Choose 'miq-template-ext-db' for an external database install +# +# If you are using the miq-template-ext-db template then you must add +# the required database parameters to the +# openshift_management_template_parameters variable. +#openshift_management_app_template: miq-template + +# Allowed options: nfs, nfs_external, preconfigured, cloudprovider. +#openshift_management_storage_class: nfs + +# [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a +# netapp appliance, then you must set the hostname here. Leave the +# value as 'false' if you are not using external NFS. 
+#openshift_management_storage_nfs_external_hostname: false + +# [OPTIONAL] - If you are using external NFS then you must set the base +# path to the exports location here. +# +# Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports +# that will back the application PV and optionally the database +# pv. Export path definitions, relative to +# {{ openshift_management_storage_nfs_base_dir }} +# +# LOCAL NFS NOTE: +# +# You may may also change this value if you want to change the default +# path used for local NFS exports. +#openshift_management_storage_nfs_base_dir: /exports + +# LOCAL NFS NOTE: +# +# You may override the automatically selected LOCAL NFS server by +# setting this variable. Useful for testing specific task files. +#openshift_management_storage_nfs_local_hostname: false + +# These are the default values for the username and password of the +# management app. Changing these values in your inventory will not +# change your username or password. You should only need to change +# these values in your inventory if you already changed the actual +# name and password AND are trying to use integration scripts. +# +# For example, adding this cluster as a container provider, +# playbooks/openshift-management/add_container_provider.yml +#openshift_management_username: admin +#openshift_management_password: smartvm + +# A hash of parameters you want to override or set in the +# miq-template.yaml or miq-template-ext-db.yaml templates. Set this in +# your inventory file as a simple hash. Acceptable values are defined +# under the .parameters list in files/miq-template{-ext-db}.yaml +# Example: +# +# openshift_management_template_parameters={'APPLICATION_MEM_REQ': '512Mi'} +#openshift_management_template_parameters: {} + +# Firewall configuration +# You can open additional firewall ports by defining them as a list. of service +# names and ports/port ranges for either masters or nodes. 
+#openshift_master_open_ports=[{"service":"svc1","port":"11/tcp"}] +#openshift_node_open_ports=[{"service":"svc2","port":"12-13/tcp"},{"service":"svc3","port":"14/udp"}] + +# Service port node range +#openshift_node_port_range=30000-32767 + +# Enable unsupported configurations, things that will yield a partially +# functioning cluster but would not be supported for production use +#openshift_enable_unsupported_configurations=false From 24bb29ff911f17de24f43bf5a5b15aad1de26eb6 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 20:47:17 +0000 Subject: [PATCH 137/289] do not run normal install playbooks, we will run upgrading playbook --- inventory/group_vars/os-stg | 1 + roles/ansible-ansible-openshift-ansible/tasks/main.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/inventory/group_vars/os-stg b/inventory/group_vars/os-stg index 7e31e1985c..126e16d4f1 100644 --- a/inventory/group_vars/os-stg +++ b/inventory/group_vars/os-stg @@ -3,3 +3,4 @@ host_group: os baseiptables: False no_http2: False nm_controlled_resolv: True +openshift_ansible_upgrading: True diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index ba3b1abc7a..93608689e0 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml @@ -44,7 +44,7 @@ args: chdir: "{{ openshift_ansible_path }}" register: run_ansible_out - when: openshift_ansible_pre_playbook is defined + when: openshift_ansible_pre_playbook is defined and not openshift_ansible_upgrading is defined tags: - ansible-ansible-openshift-ansible @@ -55,6 +55,7 @@ register: run_ansible_out tags: - ansible-ansible-openshift-ansible + when: not openshift_ansible_upgrading is defined - name: display run ansible stdout_lines debug: From 723a7c35d80a67c119c3d404605aca986a1ac523 Mon Sep 17 00:00:00 2001 
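Review bot: Both `when:` conditions in the tasks/main.yml hunks test whether `openshift_ansible_upgrading` is defined rather than what it holds, so any definition — including `openshift_ansible_upgrading: False` — skips the install playbooks, and the only way to re-enable them is to remove the variable again. Gating on the value is clearer and survives an explicit False: `when: openshift_ansible_pre_playbook is defined and not (openshift_ansible_upgrading | default(false) | bool)` for the first task and `when: not (openshift_ansible_upgrading | default(false) | bool)` for the second. Both tasks begin above their hunks, so their names are not visible here. The group_vars hunk would also read better with lowercase `true`, which is what yamllint's truthy rule expects.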
From: Kevin Fenzi
Date: Wed, 22 Aug 2018 20:54:06 +0000
Subject: [PATCH 138/289] missing endifs
---
 .../templates/cluster-inventory-stg.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2
index bb266ae26b..69f0e87889 100644
--- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2
+++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2
@@ -610,6 +610,8 @@ openshift_hosted_registry_storage_volume_size=10Gi
 {% if openshift_metrics_deploy is defined %}
 {% if openshift_metrics_deploy %}
 openshift_hosted_metrics_deploy=true
+{% endif %}
+{% endif %}
 #
 # Storage Options
 # If openshift_metrics_storage_kind is unset then metrics will be stored
From 6c88b24e10ce0629eb97b3fb5b021378a794db21 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 22 Aug 2018 21:11:39 +0000
Subject: [PATCH 139/289] move some things around
---
 .../templates/cluster-inventory-stg.j2 | 33 ++++++++-----------
 1 file changed, 14 insertions(+), 19 deletions(-)
diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2
index 69f0e87889..5273e721e1 100644
--- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2
+++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2
@@ -62,6 +62,20 @@ openshift_deployment_type={{openshift_deployment_type}} # release. openshift_release={{openshift_release}} +{% if openshift_master_ha is defined %} +{% if openshift_master_ha %} +# Native high availability cluster method with optional load balancer. +# If no lb group is defined, the installer assumes that a load balancer has +# been preconfigured. For installation the value of +# openshift_master_cluster_hostname must resolve to the load balancer +# or to one or all of the masters defined in the inventory if no load +# balancer is present. +openshift_master_cluster_method=native +openshift_master_cluster_hostname={{openshift_internal_cluster_url}} +openshift_master_cluster_public_hostname={{openshift_cluster_url}} +{% endif %} +{% endif %} + # default subdomain to use for exposed routes, you should have wildcard dns # for *.apps.test.example.com that points at your infra nodes which will run # your router @@ -71,11 +85,6 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} {% endif %} {% endif %} -#Set cluster_hostname to point at your load balancer -openshift_master_cluster_hostname=ose3-lb.test.example.com - - - ############################################################################### # Additional configuration variables follow # ############################################################################### 
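Review bot: The relocated block in the first hunk keeps the two-level `{% if openshift_master_ha is defined %}` / `{% if openshift_master_ha %}` guard; a single `{% if openshift_master_ha | default(false) %}` expresses the same condition with one `{% endif %}` to keep paired, and the missing-endif fix in the preceding commit shows how easily the nested pairs drift. The second hunk drops the placeholder `openshift_master_cluster_hostname=ose3-lb.test.example.com`, so the template now sets no cluster hostname at all when openshift_master_ha is unset; if that is intended, a one-line comment saying the non-HA case relies on the installer's default would help the next reader.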
@@ -360,20 +369,6 @@ openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "cha # Set cockpit plugins #osm_cockpit_plugins=['cockpit-kubernetes'] -{% if openshift_master_ha is defined %} -{% if openshift_master_ha %} -# Native high availability cluster method with optional load balancer. -# If no lb group is defined, the installer assumes that a load balancer has -# been preconfigured. For installation the value of -# openshift_master_cluster_hostname must resolve to the load balancer -# or to one or all of the masters defined in the inventory if no load -# balancer is present. -openshift_master_cluster_method=native -openshift_master_cluster_hostname={{openshift_internal_cluster_url}} -openshift_master_cluster_public_hostname={{openshift_cluster_url}} -{% endif %} -{% endif %} - # If an external load balancer is used public hostname should resolve to # external load balancer address #openshift_master_cluster_public_hostname=openshift-ansible.public.example.com From f3a72d10395ab768aa455e04f6e6fe984d7d25a8 Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Wed, 22 Aug 2018 21:15:13 +0000 Subject: [PATCH 140/289] remove all instances of bkernel01/02 Signed-off-by: Rick Elrod --- inventory/builders | 2 -- inventory/group_vars/nagios | 2 -- roles/basessh/tasks/main.yml | 2 +- .../dhcpd.conf.dhcp01.phx2.fedoraproject.org | 17 ----------------- .../dhcpd.conf.noc01.phx2.fedoraproject.org | 17 ----------------- 5 files changed, 1 insertion(+), 39 deletions(-) diff --git a/inventory/builders b/inventory/builders index ef0ef43106..7192649b29 100644 --- a/inventory/builders +++ b/inventory/builders @@ -232,8 +232,6 @@ buildvm-ppc64le-18.ppc.fedoraproject.org buildvm-ppc64le-19.ppc.fedoraproject.org [bkernel] -bkernel01.phx2.fedoraproject.org -bkernel02.phx2.fedoraproject.org bkernel03.phx2.fedoraproject.org bkernel04.phx2.fedoraproject.org diff --git a/inventory/group_vars/nagios b/inventory/group_vars/nagios index c53c8eb770..b0fc314ef4 100644 
--- a/inventory/group_vars/nagios +++ b/inventory/group_vars/nagios @@ -127,8 +127,6 @@ phx2_management_hosts: # to test ping against. No http/https # phx2_management_limited: - - bkernel01.mgmt.fedoraproject.org - - bkernel02.mgmt.fedoraproject.org - fed-cloud-ppc01.mgmt.fedoraproject.org - fed-cloud-ppc02.mgmt.fedoraproject.org - moonshot01-ilo.mgmt.fedoraproject.org diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml index bab30a52d3..3b8166aeb5 100644 --- a/roles/basessh/tasks/main.yml +++ b/roles/basessh/tasks/main.yml @@ -25,7 +25,7 @@ - /root/.ssh/known_hosts when: birthday is defined -- name: make sure linselinux-python is installed +- name: make sure libselinux-python is installed package: name=libselinux-python state=present tags: - basessh diff --git a/roles/dhcp_server/files/dhcpd.conf.dhcp01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.dhcp01.phx2.fedoraproject.org index b26b1e21f9..c05d1608d1 100644 --- a/roles/dhcp_server/files/dhcpd.conf.dhcp01.phx2.fedoraproject.org +++ b/roles/dhcp_server/files/dhcpd.conf.dhcp01.phx2.fedoraproject.org @@ -36,23 +36,6 @@ subnet 10.5.125.0 netmask 255.255.255.0 { filename "pxelinux.0"; } - host bkernel01 { - hardware ethernet 6c:ae:8b:1e:fd:82; - fixed-address 10.5.125.51; - option host-name "bkernel01"; - next-server 10.5.126.41; - filename "pxelinux.0"; - } - - host bkernel02 { - hardware ethernet 6c:ae:8b:1e:fd:6a; - fixed-address 10.5.125.52; - option host-name "bkernel02"; - next-server 10.5.126.41; - filename "pxelinux.0"; - } - - host bkernel03 { hardware ethernet D0:94:66:45:8C:0F; fixed-address 10.5.125.81; diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org index a081618aac..ae05626c95 100644 --- a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org +++ b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org 
@@ -52,23 +52,6 @@ subnet 10.5.125.0 netmask 255.255.255.0 { filename "pxelinux.0"; } - host bkernel01 { - hardware ethernet 6c:ae:8b:1e:fd:82; - fixed-address 10.5.125.51; - option host-name "bkernel01"; - next-server 10.5.126.41; - filename "pxelinux.0"; - } - - host bkernel02 { - hardware ethernet 6c:ae:8b:1e:fd:6a; - fixed-address 10.5.125.52; - option host-name "bkernel02"; - next-server 10.5.126.41; - filename "pxelinux.0"; - } - - host bkernel03 { hardware ethernet D0:94:66:45:8C:0F; fixed-address 10.5.125.81; From da67c7a9af35a569afb42881351809adaa85bce8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 21:19:06 +0000 Subject: [PATCH 141/289] add debug --- roles/ansible-ansible-openshift-ansible/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index 93608689e0..a2dc03d297 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml @@ -21,6 +21,9 @@ - ansible-ansible-openshift-ansible - ansible-ansible-openshift-ansible-config +- debug: + var: openshift_master_default_subdomain + - name: generate the inventory file template: src: "cluster-inventory-stg.j2" From dec505049a896f86d9c5f8ca277803ddfc15db5e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 21:25:14 +0000 Subject: [PATCH 142/289] mor debug --- roles/ansible-ansible-openshift-ansible/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index a2dc03d297..23c8460964 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml 
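Review bot: The new `- debug:` task in tasks/main.yml has no `name:` and none of the `tags:` its sibling tasks carry, so it is skipped under `--tags ansible-ansible-openshift-ansible` runs yet prints on every untagged run; the two tasks added in the following commit have the same shape. If these are meant to stay, give them a name and the role's tag and set the module's `verbosity: 1` so the value only appears with `-v`; if they are temporary troubleshooting, a `# TODO(review): temporary debugging, remove` line marks them for cleanup.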
@@ -21,6 +21,12 @@ - ansible-ansible-openshift-ansible - ansible-ansible-openshift-ansible-config +- debug: + var: os_app_url + +- debug: + var: openshift_app_subdomain + - debug: var: openshift_master_default_subdomain From 2fd02f7efcf5a6636193f1d1bc5251f4723640d2 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 21:34:03 +0000 Subject: [PATCH 143/289] This shouldn't matter, but... --- .../templates/cluster-inventory-stg.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 index 5273e721e1..1b32153b04 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 @@ -80,10 +80,8 @@ openshift_master_cluster_public_hostname={{openshift_cluster_url}} # for *.apps.test.example.com that points at your infra nodes which will run # your router {% if openshift_app_subdomain is defined %} -{% if openshift_app_subdomain %} openshift_master_default_subdomain={{openshift_app_subdomain}} {% endif %} -{% endif %} ############################################################################### # Additional configuration variables follow # From 2aaf12ea1b1bd057fade6e68c2739d2a8cd6c5a1 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 22 Aug 2018 21:43:01 +0000 Subject: [PATCH 144/289] This is a comment. Don't use it Signed-off-by: Patrick Uiterwijk --- .../templates/cluster-inventory-stg.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 index 1b32153b04..02ea9acd29 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 
+++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 @@ -649,7 +649,7 @@ openshift_hosted_metrics_deploy=true # list of options please see roles/openshift_metrics/README.md # # Override metricsPublicURL in the master config for cluster metrics -# Defaults to https://hawkular-metrics.{{openshift_master_default_subdomain}}/hawkular/metrics +# Defaults to https://hawkular-metrics.{openshift_master_default_subdomain}/hawkular/metrics # Currently, you may only alter the hostname portion of the url, alterting the # `/hawkular/metrics` path will break installation of metrics. #openshift_metrics_hawkular_hostname=hawkular-metrics.example.com @@ -725,7 +725,7 @@ openshift_hosted_metrics_deploy=true # list of options please see roles/openshift_logging/README.md # # Configure loggingPublicURL in the master config for aggregate logging, defaults -# to kibana.{{ openshift_master_default_subdomain }} +# to kibana.{ openshift_master_default_subdomain } #openshift_logging_kibana_hostname=logging.apps.example.com # Configure the number of elastic search nodes, unless you're using dynamic provisioning # this value must be 1 From e908d88b395387bf8fc49b0f8cb721abdc7ecdc8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 21:50:44 +0000 Subject: [PATCH 145/289] fix a bunch more variables in comments --- .../templates/cluster-inventory-stg.j2 | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 index 02ea9acd29..4bf9e25412 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 
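Review bot: Rewriting the example defaults in comments from `{{ openshift_master_default_subdomain }}` to `{ openshift_master_default_subdomain }` stops Jinja from evaluating them but leaves documentation that no longer shows the real syntax; the hunks of the next commit (lines 303, 654, 958 and 1099) do the same. Wrapping each commented example in `{% raw %}` … `{% endraw %}` keeps the upstream text verbatim while still rendering safely, and it also spares a future sync with upstream openshift-ansible from reintroducing the problem.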
@@ -303,8 +303,8 @@ openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "cha # Note: You may make use of environment variables rather than store # sensitive configuration within the ansible inventory. # For example: -#openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}" -#openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}" +#openshift_cloudprovider_aws_access_key="{ lookup('env','AWS_ACCESS_KEY_ID') }" +#openshift_cloudprovider_aws_secret_key="{ lookup('env','AWS_SECRET_ACCESS_KEY') }" # # AWS #openshift_cloudprovider_kind=aws 
@@ -654,17 +654,17 @@ openshift_hosted_metrics_deploy=true # `/hawkular/metrics` path will break installation of metrics. #openshift_metrics_hawkular_hostname=hawkular-metrics.example.com # Configure the metrics component images # Note, these will be modified by oreg_url by default -#openshift_metrics_cassandra_image="docker.io/openshift/origin-metrics-cassandra:{{ openshift_image_tag }}" -#openshift_metrics_hawkular_agent_image="docker.io/openshift/origin-metrics-hawkular-openshift-agent:{{ openshift_image_tag }}" -#openshift_metrics_hawkular_metrics_image="docker.io/openshift/origin-metrics-hawkular-metrics:{{ openshift_image_tag }}" -#openshift_metrics_schema_installer_image="docker.io/openshift/origin-metrics-schema-installer:{{ openshift_image_tag }}" -#openshift_metrics_heapster_image="docker.io/openshift/origin-metrics-heapster:{{ openshift_image_tag }}" +#openshift_metrics_cassandra_image="docker.io/openshift/origin-metrics-cassandra:{ openshift_image_tag }" +#openshift_metrics_hawkular_agent_image="docker.io/openshift/origin-metrics-hawkular-openshift-agent:{ openshift_image_tag }" +#openshift_metrics_hawkular_metrics_image="docker.io/openshift/origin-metrics-hawkular-metrics:{ openshift_image_tag }" +#openshift_metrics_schema_installer_image="docker.io/openshift/origin-metrics-schema-installer:{ openshift_image_tag }" +#openshift_metrics_heapster_image="docker.io/openshift/origin-metrics-heapster:{ openshift_image_tag }" # when openshift_deployment_type=='openshift-enterprise' -#openshift_metrics_cassandra_image="registry.access.redhat.com/openshift3/metrics-cassandra:{{ openshift_image_tag }}" -#openshift_metrics_hawkular_agent_image="registry.access.redhat.com/openshift3/metrics-hawkular-openshift-agent:{{ openshift_image_tag }}" -#openshift_metrics_hawkular_metrics_image="registry.access.redhat.com/openshift3/metrics-hawkular-metrics:{{ openshift_image_tag }}" 
-#openshift_metrics_schema_installer_image="registry.access.redhat.com/openshift3/metrics-schema-installer:{{ openshift_image_tag }}" -#openshift_metrics_heapster_image="registry.access.redhat.com/openshift3/metrics-heapster:{{ openshift_image_tag }}" +#openshift_metrics_cassandra_image="registry.access.redhat.com/openshift3/metrics-cassandra:{ openshift_image_tag }" +#openshift_metrics_hawkular_agent_image="registry.access.redhat.com/openshift3/metrics-hawkular-openshift-agent:{ openshift_image_tag }" +#openshift_metrics_hawkular_metrics_image="registry.access.redhat.com/openshift3/metrics-hawkular-metrics:{ openshift_image_tag }" +#openshift_metrics_schema_installer_image="registry.access.redhat.com/openshift3/metrics-schema-installer:{ openshift_image_tag }" +#openshift_metrics_heapster_image="registry.access.redhat.com/openshift3/metrics-heapster:{ openshift_image_tag }" # # StorageClass # openshift_storageclass_name=gp2 @@ -958,8 +958,8 @@ openshift_master_console_port={{openshift_console_port}} # Specify an openshift_service_catalog image # (defaults for origin and openshift-enterprise, repsectively) -#openshift_service_catalog_image="docker.io/openshift/origin-service-catalog:{{ openshift_image_tag }}"" -#openshift_service_catalog_image="registry.access.redhat.com/openshift3/ose-service-catalog:{{ openshift_image_tag }}" +#openshift_service_catalog_image="docker.io/openshift/origin-service-catalog:{ openshift_image_tag }"" +#openshift_service_catalog_image="registry.access.redhat.com/openshift3/ose-service-catalog:{ openshift_image_tag }" # TSB image tag #template_service_broker_version='v3.9' @@ -1099,7 +1099,7 @@ openshift_node_env_vars={"ENABLE_HTTP2": "true"} # Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports # that will back the application PV and optionally the database # pv. Export path definitions, relative to -# {{ openshift_management_storage_nfs_base_dir }} +# { openshift_management_storage_nfs_base_dir} # # LOCAL NFS NOTE: # 
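Review bot: The hunk at line 958 carries over a stray trailing quote, `origin-service-catalog:{ openshift_image_tag }""`, and the hunk at line 1099 drops the space inside `{ openshift_management_storage_nfs_base_dir}`; both are comments, so nothing breaks today, but anyone uncommenting the catalog image line will hit a quoting error. Fix them as `...origin-service-catalog:{ openshift_image_tag }"` and `{ openshift_management_storage_nfs_base_dir }` while the lines are already being touched.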
From 173ad287eb7389c3dd1f09f6101ca8c81ed7a9c3 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 22:21:22 +0000 Subject: [PATCH 146/289] no v here --- .../templates/cluster-inventory-stg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 index 4bf9e25412..3154f1d471 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 @@ -94,7 +94,7 @@ debug_level={{openshift_debug_level}} # WARNING: This value will be used for all hosts in containerized environments, even those that have another version installed. # This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. #openshift_image_tag=v3.10.0 -openshift_image_tag=v{{openshift_release}} +openshift_image_tag={{openshift_release}} # Specify an exact rpm version to install or configure. # WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed. From 0d47c73b634f1c3bcab691c62762c9d4b377626b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 22:27:34 +0000 Subject: [PATCH 147/289] use this hard coded because the var has a v in it --- .../templates/cluster-inventory-stg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 index 3154f1d471..d7954bbde7 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 
@@ -100,7 +100,7 @@ openshift_image_tag={{openshift_release}} # WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed. # This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. #openshift_pkg_version=-3.10.0 -openshift_pkg_version=-{{openshift_release}} +openshift_pkg_version=-3.10.0 # If using Atomic Host, you may specify system container image registry for the nodes: #system_images_registry="docker.io" From c8750eeea79c2a4328179ea814ae579a8c220617 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 23:46:40 +0000 Subject: [PATCH 148/289] quotes are needed --- .../templates/cluster-inventory-stg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 index d7954bbde7..40e6dee70d 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 @@ -100,7 +100,7 @@ openshift_image_tag={{openshift_release}} # WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed. # This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. #openshift_pkg_version=-3.10.0 -openshift_pkg_version=-3.10.0 +openshift_pkg_version="-3.10" # If using Atomic Host, you may specify system container image registry for the nodes: #system_images_registry="docker.io" From cfb59de75d2f1818065a9e9abd62a10cb15cdf47 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Aug 2018 23:50:24 +0000 Subject: [PATCH 149/289] have to set this because nfs is unsupported --- .../templates/cluster-inventory-stg.j2 | 1 + 1 file changed, 1 insertion(+) 
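Review bot: The quotes around `"-3.10"` are load-bearing but nothing in the file says why, so the next person tidying the inventory is likely to drop them and silently turn the version pin into a number. Ansible's INI inventory parser evaluates bare values as Python literals, so an unquoted `-3.10` becomes `-3.1` (the earlier `-3.10.0` only survived because it is not a valid literal). A one-line comment above the setting would prevent a repeat: `# keep this quoted: the INI inventory parser evaluates bare values as Python literals, so -3.10 would become the float -3.1`.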
diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 index 40e6dee70d..09487902b9 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 @@ -1145,3 +1145,4 @@ openshift_node_env_vars={"ENABLE_HTTP2": "true"} # Enable unsupported configurations, things that will yield a partially # functioning cluster but would not be supported for production use #openshift_enable_unsupported_configurations=false +openshift_enable_unsupported_configurations=True From 5d05b86be55a795c7c3f2f092e7b5b8f6f096932 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Aug 2018 01:07:24 +0000 Subject: [PATCH 150/289] no longer upgrading --- inventory/group_vars/os-stg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/os-stg b/inventory/group_vars/os-stg index 126e16d4f1..81a49b62d5 100644 --- a/inventory/group_vars/os-stg +++ b/inventory/group_vars/os-stg @@ -3,4 +3,4 @@ host_group: os baseiptables: False no_http2: False nm_controlled_resolv: True -openshift_ansible_upgrading: True +openshift_ansible_upgrading: False From 534aafee0655083d333cb967124cba197bcb64dc Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Aug 2018 01:15:56 +0000 Subject: [PATCH 151/289] undefine the upgrading thing entirely --- inventory/group_vars/os-stg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/inventory/group_vars/os-stg b/inventory/group_vars/os-stg index 81a49b62d5..ae4a2ed9f1 100644 --- a/inventory/group_vars/os-stg +++ b/inventory/group_vars/os-stg @@ -3,4 +3,5 @@ host_group: os baseiptables: False no_http2: False nm_controlled_resolv: True -openshift_ansible_upgrading: False +# Only set this when upgrading +#openshift_ansible_upgrading: True From db459d66e96e7ba6242048fbed1711fa899d5446 Mon Sep 17 00:00:00 2001 
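Review bot: `openshift_enable_unsupported_configurations=True` is added unconditionally at the bottom of the inventory template, while the comment two lines above says the flag yields a partially functioning cluster that is not supported for production, and the only recorded reason is the commit message ("nfs is unsupported"). This same template is created as the production inventory at the same blob a few commits later (index 31e8db2c46 in both diffs), so a comment stating the concrete reason and intended scope keeps the setting from becoming permanent by accident, e.g. `# Needed because the NFS-backed persistent storage used here is flagged unsupported by openshift-ansible 3.10; revisit when storage moves off NFS`. Better still, gate it on a variable in the same style as the openshift_use_crio stanza (`{% if openshift_ansible_unsupported_configurations is defined %}`) so each environment opts in explicitly.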
From: Kevin Fenzi Date: Thu, 23 Aug 2018 01:25:05 +0000 Subject: [PATCH 152/289] forgot to push this --- .../templates/cluster-inventory-stg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 index 09487902b9..31e8db2c46 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-stg.j2 @@ -100,7 +100,7 @@ openshift_image_tag={{openshift_release}} # WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed. # This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. #openshift_pkg_version=-3.10.0 -openshift_pkg_version="-3.10" +openshift_pkg_version="-3.10.14" # If using Atomic Host, you may specify system container image registry for the nodes: #system_images_registry="docker.io" From 58590df4212b772d18b9a3368f1161d17c3b4ce1 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 23 Aug 2018 10:34:47 +0000 Subject: [PATCH 153/289] Setup robosignatory for f30 iot Signed-off-by: Patrick Uiterwijk --- .../robosignatory/files/robosignatory.production.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py index 14c7e85ace..effd4f0f68 100644 --- a/roles/robosignatory/files/robosignatory.production.py +++ b/roles/robosignatory/files/robosignatory.production.py 
@@ -222,6 +222,18 @@ config = { }, 'robosignatory.ostree_refs': { + 'fedora/30/x86_64/iot': { + 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', + 'key': 'fedora-30' + }, + 'fedora/30/aarch64/iot': { + 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', + 'key': 'fedora-30' + }, + 'fedora/30/armhfp/iot': { + 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', + 'key': 'fedora-30' + }, 'fedora/29/x86_64/iot': { 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', 'key': 'fedora-29' From 19e100a4726a0f26b9844e694e61cc4191c62260 Mon Sep 17 00:00:00 2001 From: clime Date: Thu, 23 Aug 2018 14:45:19 +0200 Subject: [PATCH 154/289] copr-be-dev: fix lighttpd conf --- roles/copr/backend/files/lighttpd/lighttpd_dev.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/copr/backend/files/lighttpd/lighttpd_dev.conf b/roles/copr/backend/files/lighttpd/lighttpd_dev.conf index ba3d6b7482..1bf908e09f 100644 --- a/roles/copr/backend/files/lighttpd/lighttpd_dev.conf +++ b/roles/copr/backend/files/lighttpd/lighttpd_dev.conf @@ -456,7 +456,7 @@ server.upload-dirs = ( "/var/tmp" ) ## custom includes like vhosts. ## #include "conf.d/config.conf" -include_shell "cat /etc/lighttpd/vhosts.d/*.conf" +#include_shell "cat /etc/lighttpd/vhosts.d/*.conf" ## ####################################################################### From 73af5682baba4bce7a2d7d4b803b276f49d10f47 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 23 Aug 2018 14:56:37 +0000 Subject: [PATCH 155/289] Greenwave: update to a more modern memcached image. --- roles/openshift-apps/greenwave/templates/deploymentconfig.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/openshift-apps/greenwave/templates/deploymentconfig.yml b/roles/openshift-apps/greenwave/templates/deploymentconfig.yml index 5d3188cfe3..82f93e709a 100644 --- a/roles/openshift-apps/greenwave/templates/deploymentconfig.yml +++ b/roles/openshift-apps/greenwave/templates/deploymentconfig.yml 
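Review bot: Commenting out `include_shell "cat /etc/lighttpd/vhosts.d/*.conf"` drops every vhost from the dev config without a comment saying why, and the commit message ("fix lighttpd conf") does not say what was broken. If the problem is that the glob matches nothing on copr-be-dev (cat then fails and lighttpd rejects the config), the usual fix is to make the include tolerant rather than remove it, e.g. `include_shell "cat /etc/lighttpd/vhosts.d/*.conf 2>/dev/null || true"` or, if the installed lighttpd supports glob includes, `include "vhosts.d/*.conf"`, which also avoids spawning a shell at config load. If the removal is intended, a comment above the line stating the reason keeps the dev and production configs from drifting apart silently.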
@@ -144,9 +144,7 @@ spec: spec: containers: - name: greenwave-memcached - # XXX: change it to registry.fedoraproject.org/f26/memcached once the - # image gets promoted from candidate-registry to registry. - image: candidate-registry.fedoraproject.org/f26/memcached + image: registry.fedoraproject.org/f28/memcached ports: - containerPort: 11211 resources: From f693446da5e391f94069ed94f6c00f93d8492f18 Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Thu, 23 Aug 2018 16:07:26 +0000 Subject: [PATCH 156/289] Upgrade staging to Bodhi 3.9.0 final. Signed-off-by: Randy Barlow --- playbooks/openshift-apps/bodhi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/openshift-apps/bodhi.yml b/playbooks/openshift-apps/bodhi.yml index 5c90a40ba0..7fe094daa9 100644 --- a/playbooks/openshift-apps/bodhi.yml +++ b/playbooks/openshift-apps/bodhi.yml @@ -51,7 +51,7 @@ app: bodhi template: buildconfig.yml objectname: buildconfig.yml - bodhi_version: 3.9.0-0.2.beta.fc27 + bodhi_version: 3.9.0-1.fc27 when: env == "staging" - role: openshift/object app: bodhi From fa772dd7b2ac90e3f7e47bf7925809cfc6da278d Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Aug 2018 16:55:44 +0000 Subject: [PATCH 157/289] Lets try and upgrade prod to 3.10 as well. Hopefully leaving osbs alone. --- playbooks/groups/os-cluster.yml | 6 +- .../tasks/main.yml | 15 +- .../templates/cluster-inventory-prod.j2 | 1148 +++++++++++++++++ 3 files changed, 1163 insertions(+), 6 deletions(-) create mode 100644 roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-prod.j2 diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 8b813a0f58..798c070df2 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml 
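Review bot: `registry.fedoraproject.org/f28/memcached` carries no tag or digest, so the pod resolves to `:latest` and picks up whatever is pushed under that name on the next pull, which makes rollouts non-reproducible and leaves the deployed image under the registry's control rather than this repository's. Pin it to a specific tag or, preferably, a digest, e.g. `image: registry.fedoraproject.org/f28/memcached@sha256:<digest>` (the digest is not visible here), and set `imagePullPolicy: IfNotPresent` explicitly so pull behaviour does not depend on the tag-based default. The container spec continues outside the hunk.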
@@ -107,7 +107,7 @@ openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_pre_playbook: "playbooks/prerequisites.yml", openshift_ansible_playbook: "playbooks/deploy_cluster.yml", - openshift_ansible_version: "openshift-ansible-3.10.33-1", + openshift_ansible_version: "openshift-ansible-3.10.35-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: false, openshift_ansible_containerized_deploy: false, @@ -132,11 +132,11 @@ - { role: ansible-ansible-openshift-ansible, cluster_inventory_filename: "cluster-inventory", - openshift_release: "v3.9", + openshift_release: "v3.10", openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_pre_playbook: "playbooks/prerequisites.yml", openshift_ansible_playbook: "playbooks/deploy_cluster.yml", - openshift_ansible_version: "openshift-ansible-3.9.30-1", + openshift_ansible_version: "openshift-ansible-3.10.35-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: false, openshift_ansible_containerized_deploy: false, diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index 23c8460964..03d7600b0e 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml @@ -30,7 +30,7 @@ - debug: var: openshift_master_default_subdomain -- name: generate the inventory file +- name: generate the inventory file (staging) template: src: "cluster-inventory-stg.j2" dest: "{{ openshift_ansible_path }}/{{ cluster_inventory_filename }}" 
@@ -39,14 +39,23 @@ - ansible-ansible-openshift-ansible-config when: env == 'staging' and inventory_hostname.startswith('os-') -- name: generate the inventory file +- name: generate the inventory file (production) + template: + src: "cluster-inventory-prod.j2" + dest: "{{ openshift_ansible_path }}/{{ cluster_inventory_filename }}" + tags: + - ansible-ansible-openshift-ansible + - ansible-ansible-openshift-ansible-config + when: env == 'production' and inventory_hostname.startswith('os-') + +- name: generate the inventory file (osbs) template: src: "cluster-inventory.j2" dest: "{{ openshift_ansible_path }}/{{ cluster_inventory_filename }}" tags: - ansible-ansible-openshift-ansible - ansible-ansible-openshift-ansible-config - when: env == 'production' or inventory_hostname.startswith('osbs-') + when: inventory_hostname.startswith('osbs-') - name: run ansible prereqs playbook shell: "ansible-playbook {{ openshift_ansible_pre_playbook }} -i {{ cluster_inventory_filename }}" diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-prod.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-prod.j2 new file mode 100644 index 0000000000..31e8db2c46 --- /dev/null +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory-prod.j2 
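Review bot: All three `template:` tasks render the cluster inventory to `{{ openshift_ansible_path }}/{{ cluster_inventory_filename }}` without a `mode:`, and the rendered file can contain secrets — the stg/prod templates interpolate `openshift_stg_client_secret` / `openshift_prod_client_secret` into openshift_master_identity_providers when a fedoraidp profile is selected — so each task should add `mode: "0600"` rather than rely on umask-derived permissions. Splitting the old `env == 'production' or inventory_hostname.startswith('osbs-')` condition into two tasks also leaves any host that matches neither `os-` nor `osbs-` with no inventory written while the following "run ansible prereqs playbook" task still runs against the filename; a `fail:` task when none of the three conditions holds would make that loud instead of silent. Note that cluster-inventory-prod.j2 is created at the same blob (31e8db2c46) the staging template has after patch 152, so production starts life with `openshift_enable_unsupported_configurations=True` and the staging pin `openshift_pkg_version="-3.10.14"`; confirm both are intended for production.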
@@ -0,0 +1,1148 @@ +# This is an example of an OpenShift-Ansible host inventory that provides the +# minimum recommended configuration for production use. This includes 3 masters, +# two infra nodes, two compute nodes, and an haproxy load balancer to load +# balance traffic to the API servers. For a truly production environment you +# should use an external load balancing solution that itself is highly available. + +[masters] +{% for host in groups[openshift_cluster_masters_group] %} +{{ host }} +{% endfor %} + +[etcd] +{% for host in groups[openshift_cluster_masters_group] %} +{{ host }} +{% endfor %} + +[nodes] +{% for host in groups[openshift_cluster_masters_group] %} +{{ host }} openshift_node_group_name='node-config-master' +{% endfor %} +{% for host in groups[openshift_cluster_nodes_group] %} +{{ host }} openshift_node_group_name='node-config-compute' +{% endfor %} + +#[nfs] +#ose3-master1.test.example.com + +#[lb] +#ose3-lb.test.example.com + +# Create an OSEv3 group that contains the masters and nodes groups +[OSEv3:children] +masters +nodes +etcd +#lb +#nfs + +[OSEv3:vars] + +openshift_node_groups=[{'name': 'node-config-master', 'labels': ['node-role.kubernetes.io/master=true']}, {'name': 'node-config-infra', 'labels': ['node-role.kubernetes.io/infra=true',]}, {'name': 'node-config-compute', 'labels': ['node-role.kubernetes.io/compute=true'], 'edits': [{ 'key': 'kubeletArguments.pods-per-core','value': ['20']}]}] +############################################################################### +# Common/ Required configuration variables follow # +############################################################################### +# SSH user, this user should allow ssh based auth without requiring a +# password. If using ssh key based auth, then the key should be managed by an +# ssh agent. 
+ansible_user={{openshift_ansible_ssh_user}} + +# If ansible_user is not root, ansible_become must be set to true and the +# user must be configured for passwordless sudo +#ansible_become=yes + +# Specify the deployment type. Valid values are origin and openshift-enterprise. +#openshift_deployment_type=origin +openshift_deployment_type={{openshift_deployment_type}} + +# Specify the generic release of OpenShift to install. This is used mainly just during installation, after which we +# rely on the version running on the first master. Works best for containerized installs where we can usually +# use this to lookup the latest exact version of the container images, which is the tag actually used to configure +# the cluster. For RPM installations we just verify the version detected in your configured repos matches this +# release. +openshift_release={{openshift_release}} + +{% if openshift_master_ha is defined %} +{% if openshift_master_ha %} +# Native high availability cluster method with optional load balancer. +# If no lb group is defined, the installer assumes that a load balancer has +# been preconfigured. For installation the value of +# openshift_master_cluster_hostname must resolve to the load balancer +# or to one or all of the masters defined in the inventory if no load +# balancer is present. 
+openshift_master_cluster_method=native +openshift_master_cluster_hostname={{openshift_internal_cluster_url}} +openshift_master_cluster_public_hostname={{openshift_cluster_url}} +{% endif %} +{% endif %} + +# default subdomain to use for exposed routes, you should have wildcard dns +# for *.apps.test.example.com that points at your infra nodes which will run +# your router +{% if openshift_app_subdomain is defined %} +openshift_master_default_subdomain={{openshift_app_subdomain}} +{% endif %} + +############################################################################### +# Additional configuration variables follow # +############################################################################### + +# Debug level for all OpenShift components (Defaults to 2) +debug_level={{openshift_debug_level}} + +# Specify an exact container image tag to install or configure. +# WARNING: This value will be used for all hosts in containerized environments, even those that have another version installed. +# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. +#openshift_image_tag=v3.10.0 +openshift_image_tag={{openshift_release}} + +# Specify an exact rpm version to install or configure. +# WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed. +# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. 
+#openshift_pkg_version=-3.10.0 +openshift_pkg_version="-3.10.14" + +# If using Atomic Host, you may specify system container image registry for the nodes: +#system_images_registry="docker.io" +# when openshift_deployment_type=='openshift-enterprise' +#system_images_registry="registry.access.redhat.com" + +# Manage openshift example imagestreams and templates during install and upgrade +#openshift_install_examples=true +{% if openshift_ansible_install_examples is defined %} +openshift_install_examples={{openshift_ansible_install_examples}} +{% endif %} + +# Configure logoutURL in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#changing-the-logout-url +#openshift_master_logout_url=http://example.com + +# Configure extensions in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files +#openshift_master_oauth_templates={'login': '/path/to/login-template.html'} +# openshift_master_oauth_template is deprecated. Use openshift_master_oauth_templates instead. +#openshift_master_oauth_template=/path/to/login-template.html + +# Configure imagePolicyConfig in the master config +# See: https://docs.openshift.org/latest/admin_guide/image_policy.html +#openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": true} + +# Configure master API rate limits for external clients +#openshift_master_external_ratelimit_qps=200 +#openshift_master_external_ratelimit_burst=400 +# Configure master API rate limits for loopback clients +#openshift_master_loopback_ratelimit_qps=300 +#openshift_master_loopback_ratelimit_burst=600 + +# Install and run cri-o. 
+#openshift_use_crio=False +#openshift_use_crio_only=False +{% if openshift_ansible_use_crio is defined %} +openshift_use_crio={{ openshift_ansible_use_crio }} +{% endif %} +{% if openshift_ansible_use_crio_only is defined %} +openshift_use_crio_only={{ openshift_ansible_crio_only }} +{% endif %} +# The following two variables are used when openshift_use_crio is True +# and cleans up after builds that pass through docker. When openshift_use_crio is True +# these variables are set to the defaults shown. You may override them here. +# NOTE: You will still need to tag crio nodes with your given label(s)! +# Enable docker garbage collection when using cri-o +#openshift_crio_enable_docker_gc=True +# Node Selectors to run the garbage collection +#openshift_crio_docker_gc_node_selector={'runtime': 'cri-o'} + +# Items added, as is, to end of /etc/sysconfig/docker OPTIONS +# Default value: "--log-driver=journald" +#openshift_docker_options="-l warn --ipv6=false" + +# Specify exact version of Docker to configure or upgrade to. +# Downgrades are not supported and will error out. Be careful when upgrading docker from < 1.10 to > 1.10. +# docker_version="1.12.1" + +# Specify whether to run Docker daemon with SELinux enabled in containers. Default is True. +# Uncomment below to disable; for example if your kernel does not support the +# Docker overlay/overlay2 storage drivers with SELinux enabled. +#openshift_docker_selinux_enabled=False + +# Skip upgrading Docker during an OpenShift upgrade, leaves the current Docker version alone. +# docker_upgrade=False + +# Specify a list of block devices to be formatted and mounted on the nodes +# during prerequisites.yml. For each hash, "device", "path", "filesystem" are +# required. To add devices only on certain classes of node, redefine +# container_runtime_extra_storage as a group var. 
+#container_runtime_extra_storage='[{"device":"/dev/vdc","path":"/var/lib/origin/openshift.local.volumes","filesystem":"xfs","options":"gquota"}]' + +# Enable etcd debug logging, defaults to false +# etcd_debug=true +# Set etcd log levels by package +# etcd_log_package_levels="etcdserver=WARNING,security=DEBUG" + +# Upgrade Hooks +# +# Hooks are available to run custom tasks at various points during a cluster +# upgrade. Each hook should point to a file with Ansible tasks defined. Suggest using +# absolute paths, if not the path will be treated as relative to the file where the +# hook is actually used. +# +# Tasks to run before each master is upgraded. +# openshift_master_upgrade_pre_hook=/usr/share/custom/pre_master.yml +# +# Tasks to run to upgrade the master. These tasks run after the main openshift-ansible +# upgrade steps, but before we restart system/services. +# openshift_master_upgrade_hook=/usr/share/custom/master.yml +# +# Tasks to run after each master is upgraded and system/services have been restarted. +# openshift_master_upgrade_post_hook=/usr/share/custom/post_master.yml + +# Cluster Image Source (registry) configuration +# openshift-enterprise default is 'registry.access.redhat.com/openshift3/ose-${component}:${version}' +# origin default is 'docker.io/openshift/origin-${component}:${version}' +#oreg_url=example.com/openshift3/ose-${component}:${version} +# If oreg_url points to a registry other than registry.access.redhat.com we can +# modify image streams to point at that registry by setting the following to true +#openshift_examples_modify_imagestreams=true +# Add insecure and blocked registries to global docker configuration +#openshift_docker_insecure_registries=registry.example.com +#openshift_docker_blocked_registries=registry.hacker.com +# You may also configure additional default registries for docker, however this +# is discouraged. Instead you should make use of fully qualified image names. 
+#openshift_docker_additional_registries=registry.example.com + +# If oreg_url points to a registry requiring authentication, provide the following: +#oreg_auth_user=some_user +#oreg_auth_password='my-pass' +# NOTE: oreg_url must be defined by the user for oreg_auth_* to have any affect. +# oreg_auth_pass should be generated from running docker login. +# To update registry auth credentials, uncomment the following: +#oreg_auth_credentials_replace: True + +# OpenShift repository configuration +#openshift_additional_repos=[{'id': 'openshift-origin-copr', 'name': 'OpenShift Origin COPR', 'baseurl': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/epel-7-$basearch/', 'enabled': 1, 'gpgcheck': 1, 'gpgkey': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/pubkey.gpg'}] +#openshift_repos_enable_testing=false + +# If the image for etcd needs to be pulled from anywhere else than registry.access.redhat.com, e.g. in +# a disconnected and containerized installation, use osm_etcd_image to specify the image to use: +#osm_etcd_image=rhel7/etcd + +# htpasswd auth +#openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}] +# Defining htpasswd users +#openshift_master_htpasswd_users={'user1': '', 'user2': ''} +# or +#openshift_master_htpasswd_file= + +{% if openshift_auth_profile == "osbs" %} +openshift_master_manage_htpasswd=false +openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '{{ openshift_htpasswd_file }}'}] +{% endif %} + +{% if openshift_auth_profile == "fedoraidp" %} +openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_prod_client_secret}}", "extraScopes": ["profile", "email", 
"https://id.fedoraproject.org/scope/groups"], "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}] +{% endif %} + +{% if openshift_auth_profile == "fedoraidp-stg" %} +openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_stg_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}] +{% endif %} + +# Allow all auth +#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}] + +# LDAP auth +#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': 'my-ldap-ca.crt', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}] +# +# Configure LDAP CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the LDAPPasswordIdentityProvider. 
+# +#openshift_master_ldap_ca= +# or +#openshift_master_ldap_ca_file= + +# OpenID auth +#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}] +# +# Configure OpenID CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the OpenIDIdentityProvider. +# +#openshift_master_openid_ca= +# or +#openshift_master_openid_ca_file= + +# Request header auth +#openshift_master_identity_providers=[{"name": "my_request_header_provider", "challenge": "true", "login": "true", "kind": "RequestHeaderIdentityProvider", "challengeURL": "https://www.example.com/challenging-proxy/oauth/authorize?${query}", "loginURL": "https://www.example.com/login-proxy/oauth/authorize?${query}", "clientCA": "my-request-header-ca.crt", "clientCommonNames": ["my-auth-proxy"], "headers": ["X-Remote-User", "SSO-User"], "emailHeaders": ["X-Remote-User-Email"], "nameHeaders": ["X-Remote-User-Display-Name"], "preferredUsernameHeaders": ["X-Remote-User-Login"]}] +# +# Configure request header CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "clientCA" +# key set within the RequestHeaderIdentityProvider. 
+# +#openshift_master_request_header_ca= +# or +#openshift_master_request_header_ca_file= + +# CloudForms Management Engine (ManageIQ) App Install +# +# Enables installation of MIQ server. Recommended for dedicated +# clusters only. See roles/openshift_management/README.md for instructions +# and requirements. +#openshift_management_install_management=False + +# Cloud Provider Configuration +# +# Note: You may make use of environment variables rather than store +# sensitive configuration within the ansible inventory. +# For example: +#openshift_cloudprovider_aws_access_key="{ lookup('env','AWS_ACCESS_KEY_ID') }" +#openshift_cloudprovider_aws_secret_key="{ lookup('env','AWS_SECRET_ACCESS_KEY') }" +# +# AWS +#openshift_cloudprovider_kind=aws +# Note: IAM profiles may be used instead of storing API credentials on disk. +#openshift_cloudprovider_aws_access_key=aws_access_key_id +#openshift_cloudprovider_aws_secret_key=aws_secret_access_key +# +# Openstack +#openshift_cloudprovider_kind=openstack +#openshift_cloudprovider_openstack_auth_url=http://openstack.example.com:35357/v2.0/ +#openshift_cloudprovider_openstack_username=username +#openshift_cloudprovider_openstack_password=password +#openshift_cloudprovider_openstack_domain_id=domain_id +#openshift_cloudprovider_openstack_domain_name=domain_name +#openshift_cloudprovider_openstack_tenant_id=tenant_id +#openshift_cloudprovider_openstack_tenant_name=tenant_name +#openshift_cloudprovider_openstack_region=region +#openshift_cloudprovider_openstack_lb_subnet_id=subnet_id +# +# Note: If you're getting a "BS API version autodetection failed" when provisioning cinder volumes you may need this setting +#openshift_cloudprovider_openstack_blockstorage_version=v2 +# +# GCE +#openshift_cloudprovider_kind=gce +# Note: When using GCE, openshift_gcp_project and openshift_gcp_prefix must be +# defined. 
+# openshift_gcp_project is the project-id
+#openshift_gcp_project=
+# openshift_gcp_prefix is a unique string to identify each openshift cluster.
+#openshift_gcp_prefix=
+#openshift_gcp_multizone=False
+# Note: To enable nested virtualization in gcp use the following variable and url
+#openshift_gcp_licenses="https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx"
+# Additional details regarding nested virtualization are available:
+# https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances
+#
+# vSphere
+#openshift_cloudprovider_kind=vsphere
+#openshift_cloudprovider_vsphere_username=username
+#openshift_cloudprovider_vsphere_password=password
+#openshift_cloudprovider_vsphere_host=vcenter_host or vsphere_host
+#openshift_cloudprovider_vsphere_datacenter=datacenter
+#openshift_cloudprovider_vsphere_datastore=datastore
+#openshift_cloudprovider_vsphere_folder=optional_folder_name
+
+
+# Project Configuration
+#osm_project_request_message=''
+#osm_project_request_template=''
+#osm_mcs_allocator_range='s0:/2'
+#osm_mcs_labels_per_project=5
+#osm_uid_allocator_range='1000000000-1999999999/10000'
+
+# Configure additional projects
+#openshift_additional_projects={'my-project': {'default_node_selector': 'label=value'}}
+
+# Enable cockpit
+#osm_use_cockpit=true
+#
+# Set cockpit plugins
+#osm_cockpit_plugins=['cockpit-kubernetes']
+
+# If an external load balancer is used public hostname should resolve to
+# external load balancer address
+#openshift_master_cluster_public_hostname=openshift-ansible.public.example.com
+
+# Configure controller arguments
+#osm_controller_args={'resource-quota-sync-period': ['10s']}
+
+# Configure api server arguments
+#osm_api_server_args={'max-requests-inflight': ['400']}
+
+# additional cors origins
+#osm_custom_cors_origins=['foo.example.com', 'bar.example.com']
+
+# default project node selector
+#osm_default_node_selector='region=primary'
+
+# Override the default pod eviction timeout
+#openshift_master_pod_eviction_timeout=5m
+
+# Override the default oauth tokenConfig settings:
+# openshift_master_access_token_max_seconds=86400
+# openshift_master_auth_token_max_seconds=500
+
+# Override master servingInfo.maxRequestsInFlight
+#openshift_master_max_requests_inflight=500
+
+# Override master and node servingInfo.minTLSVersion and .cipherSuites
+# valid TLS versions are VersionTLS10, VersionTLS11, VersionTLS12
+# example cipher suites override, valid cipher suites are https://golang.org/pkg/crypto/tls/#pkg-constants
+#openshift_master_min_tls_version=VersionTLS12
+#openshift_master_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...']
+#
+#openshift_node_min_tls_version=VersionTLS12
+#openshift_node_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...']
+
+# default storage plugin dependencies to install, by default the ceph and
+# glusterfs plugin dependencies will be installed, if available.
+#osn_storage_plugin_deps=['ceph','glusterfs','iscsi']
+
+# OpenShift Router Options
+#
+# An OpenShift router will be created during install if there are
+# nodes present with labels matching the default router selector,
+# "node-role.kubernetes.io/infra=true".
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_group_name="node-config-infra"
+#
+# Router selector (optional)
+# Router will only be created if nodes matching this label are present.
+# Default value: 'node-role.kubernetes.io/infra=true'
+#openshift_hosted_router_selector='node-role.kubernetes.io/infra=true'
+#
+# Router replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift router selector.
+#openshift_hosted_router_replicas=2
+#
+# Router force subdomain (optional)
+# A router path format to force on all routes used by this router
+# (will ignore the route host value)
+#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com'
+#
+# Router certificate (optional)
+# Provide local certificate paths which will be configured as the
+# router's default certificate.
+#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
+#
+# Manage the OpenShift Router (optional)
+#openshift_hosted_manage_router=true
+#
+# Router sharding support has been added and can be achieved by supplying the correct
+# data to the inventory. The variable to house the data is openshift_hosted_routers
+# and is in the form of a list. If no data is passed then a default router will be
+# created. There are multiple combinations of router sharding. The one described
+# below supports routers on separate nodes.
+#
+#openshift_hosted_routers=[{'name': 'router1', 'certificate': {'certfile': '/path/to/certificate/abc.crt', 'keyfile': '/path/to/certificate/abc.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router1', 'ports': ['80:80', '443:443']}, {'name': 'router2', 'certificate': {'certfile': '/path/to/certificate/xyz.crt', 'keyfile': '/path/to/certificate/xyz.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [{'action': 'append', 'key': 'spec.template.spec.containers[0].env', 'value': {'name': 'ROUTE_LABELS', 'value': 'route=external'}}], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router2', 'ports': ['80:80', '443:443']}]
+
+# OpenShift Registry Console Options
+# Override the console image prefix:
+# origin default is "cockpit/", enterprise default is "openshift3/"
+#openshift_cockpit_deployer_prefix=registry.example.com/myrepo/
+# origin default is "kubernetes", enterprise default is "registry-console"
+#openshift_cockpit_deployer_basename=my-console
+# Override image version, defaults to latest for origin, vX.Y product version for enterprise
+#openshift_cockpit_deployer_version=1.4.1
+
+# Openshift Registry Options
+#
+# An OpenShift registry will be created during install if there are
+# nodes present with labels matching the default registry selector,
+# "node-role.kubernetes.io/infra=true".
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_group_name="node-config-infra"
+#
+# Registry selector (optional)
+# Registry will only be created if nodes matching this label are present.
+# Default value: 'node-role.kubernetes.io/infra=true'
+#openshift_hosted_registry_selector='node-role.kubernetes.io/infra=true'
+#
+# Registry replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift registry selector.
+#openshift_hosted_registry_replicas=2
+#
+# Validity of the auto-generated certificate in days (optional)
+#openshift_hosted_registry_cert_expire_days=730
+#
+# Manage the OpenShift Registry (optional)
+#openshift_hosted_manage_registry=true
+# Manage the OpenShift Registry Console (optional)
+#openshift_hosted_manage_registry_console=true
+#
+# Registry Storage Options
+#
+# NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group. For example, the volume
+# path using these options would be "/exports/registry". "exports" is
+# is the name of the export served by the nfs server. "registry" is
+# the name of a directory inside of "/exports".
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+# nfs_directory must conform to DNS-1123 subdomain must consist of lower case
+# alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/registry". "exports" is
+# is the name of the export served by the nfs server. "registry" is
+# the name of a directory inside of "/exports".
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_host=nfs.example.com
+# nfs_directory must conform to DNS-1123 subdomain must consist of lower case
+# alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+{% if env == "staging" %}
+openshift_hosted_registry_storage_kind=nfs
+openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+openshift_hosted_registry_storage_host=ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com
+openshift_hosted_registry_storage_nfs_directory=/
+openshift_hosted_registry_storage_volume_name=openshift-stg-registry
+openshift_hosted_registry_storage_volume_size=10Gi
+{% else %}
+openshift_hosted_registry_storage_kind=nfs
+openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+openshift_hosted_registry_storage_host=ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com
+openshift_hosted_registry_storage_nfs_directory=/
+openshift_hosted_registry_storage_volume_name=openshift-prod-registry
+openshift_hosted_registry_storage_volume_size=10Gi
+{% endif %}
+#
+# Openstack
+# Volume must already exist.
+#openshift_hosted_registry_storage_kind=openstack
+#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_registry_storage_openstack_filesystem=ext4
+#openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# hostPath (local filesystem storage)
+# Suitable for "all-in-one" or proof of concept deployments
+# Must not be used for high-availability and production deployments
+#openshift_hosted_registry_storage_kind=hostpath
+#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_registry_storage_hostpath_path=/var/lib/openshift_volumes
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# AWS S3
+# S3 bucket must already exist.
+#openshift_hosted_registry_storage_kind=object
+#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_encrypt=false
+#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id
+#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
+#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
+#openshift_hosted_registry_storage_s3_bucket=bucket_name
+#openshift_hosted_registry_storage_s3_region=bucket_region
+#openshift_hosted_registry_storage_s3_chunksize=26214400
+#openshift_hosted_registry_storage_s3_rootdirectory=/registry
+#openshift_hosted_registry_pullthrough=true
+#openshift_hosted_registry_acceptschema2=true
+#openshift_hosted_registry_enforcequota=true
+#
+# Any S3 service (Minio, ExoScale, ...): Basically the same as above
+# but with regionendpoint configured
+# S3 bucket must already exist.
+#openshift_hosted_registry_storage_kind=object
+#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_accesskey=access_key_id
+#openshift_hosted_registry_storage_s3_secretkey=secret_access_key
+#openshift_hosted_registry_storage_s3_regionendpoint=https://myendpoint.example.com/
+#openshift_hosted_registry_storage_s3_bucket=bucket_name
+#openshift_hosted_registry_storage_s3_region=bucket_region
+#openshift_hosted_registry_storage_s3_chunksize=26214400
+#openshift_hosted_registry_storage_s3_rootdirectory=/registry
+#openshift_hosted_registry_pullthrough=true
+#openshift_hosted_registry_acceptschema2=true
+#openshift_hosted_registry_enforcequota=true
+#
+# Additional CloudFront Options. When using CloudFront all three
+# of the followingg variables must be defined.
+#openshift_hosted_registry_storage_s3_cloudfront_baseurl=https://myendpoint.cloudfront.net/
+#openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile=/full/path/to/secret.pem
+#openshift_hosted_registry_storage_s3_cloudfront_keypairid=yourpairid
+# vSphere Volume with vSphere Cloud Provider
+# openshift_hosted_registry_storage_kind=vsphere
+# openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+# openshift_hosted_registry_storage_annotations=['volume.beta.kubernetes.io/storage-provisioner: kubernetes.io/vsphere-volume']
+#
+# GCS Storage Bucket
+#openshift_hosted_registry_storage_provider=gcs
+#openshift_hosted_registry_storage_gcs_bucket=bucket01
+#openshift_hosted_registry_storage_gcs_keyfile=test.key
+#openshift_hosted_registry_storage_gcs_rootdirectory=/registry
+
+# Metrics deployment
+# See: https://docs.openshift.com/enterprise/latest/install_config/cluster_metrics.html
+#
+# By default metrics are not automatically deployed, set this to enable them
+#openshift_metrics_install_metrics=true
+{% if openshift_metrics_deploy is defined %}
+{% if openshift_metrics_deploy %}
+openshift_hosted_metrics_deploy=true
+{% endif %}
+{% endif %}
+#
+# Storage Options
+# If openshift_metrics_storage_kind is unset then metrics will be stored
+# in an EmptyDir volume and will be deleted when the cassandra pod terminates.
+# Storage options A & B currently support only one cassandra pod which is
+# generally enough for up to 1000 pods. Additional volumes can be created
+# manually after the fact and metrics scaled per the docs.
+#
+# Option A - NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group. For example, the volume
+# path using these options would be "/exports/metrics". "exports" is
+# is the name of the export served by the nfs server. "metrics" is
+# the name of a directory inside of "/exports".
+#openshift_metrics_storage_kind=nfs
+#openshift_metrics_storage_access_modes=['ReadWriteOnce']
+#openshift_metrics_storage_nfs_directory=/exports
+#openshift_metrics_storage_nfs_options='*(rw,root_squash)'
+#openshift_metrics_storage_volume_name=metrics
+#openshift_metrics_storage_volume_size=10Gi
+#openshift_metrics_storage_labels={'storage': 'metrics'}
+#
+# Option B - External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/metrics". "exports" is
+# is the name of the export served by the nfs server. "metrics" is
+# the name of a directory inside of "/exports".
+#openshift_metrics_storage_kind=nfs
+#openshift_metrics_storage_access_modes=['ReadWriteOnce']
+#openshift_metrics_storage_host=nfs.example.com
+#openshift_metrics_storage_nfs_directory=/exports
+#openshift_metrics_storage_volume_name=metrics
+#openshift_metrics_storage_volume_size=10Gi
+#openshift_metrics_storage_labels={'storage': 'metrics'}
+#
+# Option C - Dynamic -- If openshift supports dynamic volume provisioning for
+# your cloud platform use this.
+#openshift_metrics_storage_kind=dynamic
+#
+# Other Metrics Options -- Common items you may wish to reconfigure, for the complete
+# list of options please see roles/openshift_metrics/README.md
+#
+# Override metricsPublicURL in the master config for cluster metrics
+# Defaults to https://hawkular-metrics.{openshift_master_default_subdomain}/hawkular/metrics
+# Currently, you may only alter the hostname portion of the url, alterting the
+# `/hawkular/metrics` path will break installation of metrics.
+#openshift_metrics_hawkular_hostname=hawkular-metrics.example.com
+# Configure the metrics component images # Note, these will be modified by oreg_url by default
+#openshift_metrics_cassandra_image="docker.io/openshift/origin-metrics-cassandra:{ openshift_image_tag }"
+#openshift_metrics_hawkular_agent_image="docker.io/openshift/origin-metrics-hawkular-openshift-agent:{ openshift_image_tag }"
+#openshift_metrics_hawkular_metrics_image="docker.io/openshift/origin-metrics-hawkular-metrics:{ openshift_image_tag }"
+#openshift_metrics_schema_installer_image="docker.io/openshift/origin-metrics-schema-installer:{ openshift_image_tag }"
+#openshift_metrics_heapster_image="docker.io/openshift/origin-metrics-heapster:{ openshift_image_tag }"
+# when openshift_deployment_type=='openshift-enterprise'
+#openshift_metrics_cassandra_image="registry.access.redhat.com/openshift3/metrics-cassandra:{ openshift_image_tag }"
+#openshift_metrics_hawkular_agent_image="registry.access.redhat.com/openshift3/metrics-hawkular-openshift-agent:{ openshift_image_tag }"
+#openshift_metrics_hawkular_metrics_image="registry.access.redhat.com/openshift3/metrics-hawkular-metrics:{ openshift_image_tag }"
+#openshift_metrics_schema_installer_image="registry.access.redhat.com/openshift3/metrics-schema-installer:{ openshift_image_tag }"
+#openshift_metrics_heapster_image="registry.access.redhat.com/openshift3/metrics-heapster:{ openshift_image_tag }"
+#
+# StorageClass
+# openshift_storageclass_name=gp2
+# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': 'false'}
+# openshift_storageclass_mount_options=['dir_mode=0777', 'file_mode=0777']
+# openshift_storageclass_reclaim_policy="Delete"
+#
+# PersistentLocalStorage
+# If Persistent Local Storage is wanted, this boolean can be defined to True.
+# This will create all necessary configuration to use persistent storage on nodes.
+#openshift_persistentlocalstorage_enabled=False
+#openshift_persistentlocalstorage_classes=[]
+#openshift_persistentlocalstorage_path=/mnt/local-storage
+#openshift_persistentlocalstorage_provisionner_image=quay.io/external_storage/local-volume-provisioner:v1.0.1
+
+# Logging deployment
+#
+# Currently logging deployment is disabled by default, enable it by setting this
+#openshift_logging_install_logging=true
+#
+# Logging storage config
+# Option A - NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group. For example, the volume
+# path using these options would be "/exports/logging". "exports" is
+# is the name of the export served by the nfs server. "logging" is
+# the name of a directory inside of "/exports".
+#openshift_logging_storage_kind=nfs
+#openshift_logging_storage_access_modes=['ReadWriteOnce']
+#openshift_logging_storage_nfs_directory=/exports
+#openshift_logging_storage_nfs_options='*(rw,root_squash)'
+#openshift_logging_storage_volume_name=logging
+#openshift_logging_storage_volume_size=10Gi
+#openshift_logging_storage_labels={'storage': 'logging'}
+#
+# Option B - External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/logging". "exports" is
+# is the name of the export served by the nfs server. "logging" is
+# the name of a directory inside of "/exports".
+#openshift_logging_storage_kind=nfs
+#openshift_logging_storage_access_modes=['ReadWriteOnce']
+#openshift_logging_storage_host=nfs.example.com
+#openshift_logging_storage_nfs_directory=/exports
+#openshift_logging_storage_volume_name=logging
+#openshift_logging_storage_volume_size=10Gi
+#openshift_logging_storage_labels={'storage': 'logging'}
+#
+# Option C - Dynamic -- If openshift supports dynamic volume provisioning for
+# your cloud platform use this.
+#openshift_logging_storage_kind=dynamic
+#
+# Option D - none -- Logging will use emptydir volumes which are destroyed when
+# pods are deleted
+#
+# Other Logging Options -- Common items you may wish to reconfigure, for the complete
+# list of options please see roles/openshift_logging/README.md
+#
+# Configure loggingPublicURL in the master config for aggregate logging, defaults
+# to kibana.{ openshift_master_default_subdomain }
+#openshift_logging_kibana_hostname=logging.apps.example.com
+# Configure the number of elastic search nodes, unless you're using dynamic provisioning
+# this value must be 1
+#openshift_logging_es_cluster_size=1
+
+# Prometheus deployment
+#
+# Currently prometheus deployment is disabled by default, enable it by setting this
+#openshift_hosted_prometheus_deploy=true
+#
+# Prometheus storage config
+# By default prometheus uses emptydir storage, if you want to persist you should
+# configure it to use pvc storage type. Each volume must be ReadWriteOnce.
+#openshift_prometheus_storage_type=emptydir
+#openshift_prometheus_alertmanager_storage_type=emptydir
+#openshift_prometheus_alertbuffer_storage_type=emptydir
+# Use PVCs for persistence
+#openshift_prometheus_storage_type=pvc
+#openshift_prometheus_alertmanager_storage_type=pvc
+#openshift_prometheus_alertbuffer_storage_type=pvc
+
+# Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
+# os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
+
+# Disable the OpenShift SDN plugin
+# openshift_use_openshift_sdn=False
+
+# Configure SDN cluster network and kubernetes service CIDR blocks. These
+# network blocks should be private and should not conflict with network blocks
+# in your infrastructure that pods may require access to. Can not be changed
+# after deployment.
+#
+# WARNING : Do not pick subnets that overlap with the default Docker bridge subnet of
+# 172.17.0.0/16. Your installation will fail and/or your configuration change will
+# cause the Pod SDN or Cluster SDN to fail.
+#
+# WORKAROUND : If you must use an overlapping subnet, you can configure a non conflicting
+# docker0 CIDR range by adding '--bip=192.168.2.1/24' to DOCKER_NETWORK_OPTIONS
+# environment variable located in /etc/sysconfig/docker-network.
+# When upgrading or scaling up the following must match whats in your master config!
+# Inventory: master yaml field
+# osm_cluster_network_cidr: clusterNetworkCIDR
+# openshift_portal_net: serviceNetworkCIDR
+# When installing osm_cluster_network_cidr and openshift_portal_net must be set.
+# Sane examples are provided below.
+#osm_cluster_network_cidr=10.128.0.0/14
+#openshift_portal_net=172.30.0.0/16
+
+# ExternalIPNetworkCIDRs controls what values are acceptable for the
+# service external IP field. If empty, no externalIP may be set. It
+# may contain a list of CIDRs which are checked for access. If a CIDR
+# is prefixed with !, IPs in that CIDR will be rejected. Rejections
+# will be applied first, then the IP checked against one of the
+# allowed CIDRs. You should ensure this range does not overlap with
+# your nodes, pods, or service CIDRs for security reasons.
+#openshift_master_external_ip_network_cidrs=['0.0.0.0/0']
+
+# IngressIPNetworkCIDR controls the range to assign ingress IPs from for
+# services of type LoadBalancer on bare metal. If empty, ingress IPs will not
+# be assigned. It may contain a single CIDR that will be allocated from. For
+# security reasons, you should ensure that this range does not overlap with
+# the CIDRs reserved for external IPs, nodes, pods, or services.
+#openshift_master_ingress_ip_network_cidr=172.46.0.0/16
+
+# Configure number of bits to allocate to each host's subnet e.g. 9
+# would mean a /23 network on the host.
+# When upgrading or scaling up the following must match whats in your master config!
+# Inventory: master yaml field
+# osm_host_subnet_length: hostSubnetLength
+# When installing osm_host_subnet_length must be set. A sane example is provided below.
+#osm_host_subnet_length=9
+
+# Configure master API and console ports.
+#openshift_master_api_port=8443
+#openshift_master_console_port=8443
+{% if openshift_api_port is defined and openshift_console_port is defined %}
+{% if openshift_api_port and openshift_console_port %}
+openshift_master_api_port={{openshift_api_port}}
+openshift_master_console_port={{openshift_console_port}}
+{% endif %}
+{% endif %}
+
+# set exact RPM version (include - prefix)
+#openshift_pkg_version=-3.9.0
+# you may also specify version and release, ie:
+#openshift_pkg_version=-3.9.0-0.126.0.git.0.9351aae.el7
+
+# Configure custom ca certificate
+#openshift_master_ca_certificate={'certfile': '/path/to/ca.crt', 'keyfile': '/path/to/ca.key'}
+#
+# NOTE: CA certificate will not be replaced with existing clusters.
+# This option may only be specified when creating a new cluster or
+# when redeploying cluster certificates with the redeploy-certificates
+# playbook.
+
+# Configure custom named certificates (SNI certificates)
+#
+# https://docs.openshift.org/latest/install_config/certificate_customization.html
+# https://docs.openshift.com/enterprise/latest/install_config/certificate_customization.html
+#
+# NOTE: openshift_master_named_certificates is cached on masters and is an
+# additive fact, meaning that each run with a different set of certificates
+# will add the newly provided certificates to the cached set of certificates.
+#
+# An optional CA may be specified for each named certificate. CAs will
+# be added to the OpenShift CA bundle which allows for the named
+# certificate to be served for internal cluster communication.
+#
+# If you would like openshift_master_named_certificates to be overwritten with
+# the provided value, specify openshift_master_overwrite_named_certificates.
+#openshift_master_overwrite_named_certificates=true
+#
+# Provide local certificate paths which will be deployed to masters
+#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}]
+#
+# Detected names may be overridden by specifying the "names" key
+#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}]
+#
+# Add a trusted CA to all pods, copies from the control host, may be multiple
+# certs in one file
+#openshift_additional_ca=/path/to/additional-ca.crt
+
+# Session options
+#openshift_master_session_name=ssn
+#openshift_master_session_max_seconds=3600
+
+# An authentication and encryption secret will be generated if secrets
+# are not provided. If provided, openshift_master_session_auth_secrets
+# and openshift_master_encryption_secrets must be equal length.
+#
+# Signing secrets, used to authenticate sessions using
+# HMAC. Recommended to use secrets with 32 or 64 bytes.
+#openshift_master_session_auth_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
+#
+# Encrypting secrets, used to encrypt sessions. Must be 16, 24, or 32
+# characters long, to select AES-128, AES-192, or AES-256.
+#openshift_master_session_encryption_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
+
+# configure how often node iptables rules are refreshed
+#openshift_node_iptables_sync_period=5s
+
+# Configure nodeIP in the node config
+# This is needed in cases where node traffic is desired to go over an
+# interface other than the default network interface.
+#openshift_set_node_ip=True
+
+#openshift_node_kubelet_args is deprecated, use node config edits instead
+
+# Configure logrotate scripts
+# See: https://github.com/nickhammond/ansible-logrotate
+#logrotate_scripts=[{"name": "syslog", "path": "/var/log/cron\n/var/log/maillog\n/var/log/messages\n/var/log/secure\n/var/log/spooler\n", "options": ["daily", "rotate 7", "compress", "sharedscripts", "missingok"], "scripts": {"postrotate": "/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true"}}]
+
+# The OpenShift-Ansible installer will fail when it detects that the
+# value of openshift_hostname resolves to an IP address not bound to any local
+# interfaces. This mis-configuration is problematic for any pod leveraging host
+# networking and liveness or readiness probes.
+# Setting this variable to false will override that check.
+#openshift_hostname_check=true
+
+# openshift_use_dnsmasq is deprecated. This must be true, or installs will fail
+# in versions >= 3.6
+#openshift_use_dnsmasq=False
+
+# Define an additional dnsmasq.conf file to deploy to /etc/dnsmasq.d/openshift-ansible.conf
+# This is useful for POC environments where DNS may not actually be available yet or to set
+# options like 'strict-order' to alter dnsmasq configuration.
+#openshift_node_dnsmasq_additional_config_file=/home/bob/ose-dnsmasq.conf
+
+# Global Proxy Configuration
+# These options configure HTTP_PROXY, HTTPS_PROXY, and NOPROXY environment
+# variables for docker and master services.
+#
+# Hosts in the openshift_no_proxy list will NOT use any globally
+# configured HTTP(S)_PROXYs. openshift_no_proxy accepts domains
+# (.example.com), hosts (example.com), and IP addresses.
+#openshift_http_proxy=http://USER:PASSWORD@IPADDR:PORT
+#openshift_https_proxy=https://USER:PASSWORD@IPADDR:PORT
+#openshift_no_proxy='.hosts.example.com,some-host.com'
+#
+# Most environments don't require a proxy between openshift masters, nodes, and
+# etcd hosts. So automatically add those hostnames to the openshift_no_proxy list.
+# If all of your hosts share a common domain you may wish to disable this and
+# specify that domain above instead.
+#
+# For example, having hosts with FQDNs: m1.ex.com, n1.ex.com, and
+# n2.ex.com, one would simply add '.ex.com' to the openshift_no_proxy
+# variable (above) and set this value to False
+#openshift_generate_no_proxy_hosts=True
+#
+# These options configure the BuildDefaults admission controller which injects
+# configuration into Builds. Proxy related values will default to the global proxy
+# config values. You only need to set these if they differ from the global proxy settings.
+# See BuildDefaults documentation at
+# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html
+#openshift_builddefaults_http_proxy=http://USER:PASSWORD@HOST:PORT
+#openshift_builddefaults_https_proxy=https://USER:PASSWORD@HOST:PORT
+#openshift_builddefaults_no_proxy=mycorp.com
+#openshift_builddefaults_git_http_proxy=http://USER:PASSWORD@HOST:PORT
+#openshift_builddefaults_git_https_proxy=https://USER:PASSWORD@HOST:PORT
+#openshift_builddefaults_git_no_proxy=mycorp.com
+#openshift_builddefaults_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}]
+#openshift_builddefaults_nodeselectors={'nodelabel1':'nodelabelvalue1'}
+#openshift_builddefaults_annotations={'annotationkey1':'annotationvalue1'}
+#openshift_builddefaults_resources_requests_cpu=100m
+#openshift_builddefaults_resources_requests_memory=256Mi
+#openshift_builddefaults_resources_limits_cpu=1000m
+#openshift_builddefaults_resources_limits_memory=512Mi
+
+# Or you may optionally define your own build defaults configuration serialized as json
+#openshift_builddefaults_json='{"BuildDefaults":{"configuration":{"apiVersion":"v1","env":[{"name":"HTTP_PROXY","value":"http://proxy.example.com.redhat.com:3128"},{"name":"NO_PROXY","value":"ose3-master.example.com"}],"gitHTTPProxy":"http://proxy.example.com:3128","gitNoProxy":"ose3-master.example.com","kind":"BuildDefaultsConfig"}}}'
+
+# These options configure the BuildOverrides admission controller which injects
+# configuration into Builds.
+# See BuildOverrides documentation at
+# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html
+#openshift_buildoverrides_force_pull=true
+#openshift_buildoverrides_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}]
+#openshift_buildoverrides_nodeselectors={'nodelabel1':'nodelabelvalue1'}
+#openshift_buildoverrides_annotations={'annotationkey1':'annotationvalue1'}
+#openshift_buildoverrides_tolerations=[{'key':'mykey1','value':'myvalue1','effect':'NoSchedule','operator':'Equal'}]
+
+# Or you may optionally define your own build overrides configuration serialized as json
+#openshift_buildoverrides_json='{"BuildOverrides":{"configuration":{"apiVersion":"v1","kind":"BuildDefaultsConfig","forcePull":"true"}}}'
+
+# Enable service catalog
+#openshift_enable_service_catalog=true
+
+# Enable template service broker (requires service catalog to be enabled, above)
+#template_service_broker_install=true
+
+# Specify an openshift_service_catalog image
+# (defaults for origin and openshift-enterprise, repsectively)
+#openshift_service_catalog_image="docker.io/openshift/origin-service-catalog:{ openshift_image_tag }""
+#openshift_service_catalog_image="registry.access.redhat.com/openshift3/ose-service-catalog:{ openshift_image_tag }"
+
+# TSB image tag
+#template_service_broker_version='v3.9'
+
+# Configure one of more namespaces whose templates will be served by the TSB
+#openshift_template_service_broker_namespaces=['openshift']
+
+# masterConfig.volumeConfig.dynamicProvisioningEnabled, configurable as of 1.2/3.2, enabled by default
+#openshift_master_dynamic_provisioning_enabled=True
+
+# Admission plugin config
+#openshift_master_admission_plugin_config={"ProjectRequestLimit":{"configuration":{"apiVersion":"v1","kind":"ProjectRequestLimitConfig","limits":[{"selector":{"admin":"true"}},{"maxProjects":"1"}]}},"PodNodeConstraints":{"configuration":{"apiVersion":"v1","kind":"PodNodeConstraintsConfig"}}}
+
+# Configure usage of openshift_clock role.
+#openshift_clock_enabled=true
+
+# OpenShift Per-Service Environment Variables
+# Environment variables are added to /etc/sysconfig files for
+# each OpenShift node.
+# API and controllers environment variables are merged in single
+# master environments.
+#openshift_node_env_vars={"ENABLE_HTTP2": "true"}
+{% if no_http2 is defined %}
+{% if no_http2 %}
+openshift_master_api_env_vars={"ENABLE_HTTP2": "true"}
+openshift_master_controllers_env_vars={"ENABLE_HTTP2": "true"}
+openshift_node_env_vars={"ENABLE_HTTP2": "true"}
+{% endif %}
+{% endif %}
+
+# Enable API service auditing
+#openshift_master_audit_config={"enabled": "true"}
+#
+# In case you want more advanced setup for the auditlog you can
+# use this line.
+# The directory in "auditFilePath" will be created if it's not
+# exist
+#openshift_master_audit_config={"enabled": "true", "auditFilePath": "/var/lib/origin/openpaas-oscp-audit/openpaas-oscp-audit.log", "maximumFileRetentionDays": "14", "maximumFileSizeMegabytes": "500", "maximumRetainedFiles": "5"}
+
+# Enable origin repos that point at Centos PAAS SIG, defaults to true, only used
+# by openshift_deployment_type=origin
+#openshift_enable_origin_repo=false
+
+# Validity of the auto-generated OpenShift certificates in days.
+# See also openshift_hosted_registry_cert_expire_days above.
+#
+#openshift_ca_cert_expire_days=1825
+#openshift_node_cert_expire_days=730
+#openshift_master_cert_expire_days=730
+
+# Validity of the auto-generated external etcd certificates in days.
+# Controls validity for etcd CA, peer, server and client certificates.
+# +#etcd_ca_default_days=1825 +# +# ServiceAccountConfig:LimitSecretRefences rejects pods that reference secrets their service accounts do not reference +# openshift_master_saconfig_limitsecretreferences=false + +# Upgrade Control +# +# By default nodes are upgraded in a serial manner one at a time and all failures +# are fatal, one set of variables for normal nodes, one set of variables for +# nodes that are part of control plane as the number of hosts may be different +# in those two groups. +#openshift_upgrade_nodes_serial=1 +#openshift_upgrade_nodes_max_fail_percentage=0 +#openshift_upgrade_control_plane_nodes_serial=1 +#openshift_upgrade_control_plane_nodes_max_fail_percentage=0 +# +# You can specify the number of nodes to upgrade at once. We do not currently +# attempt to verify that you have capacity to drain this many nodes at once +# so please be careful when specifying these values. You should also verify that +# the expected number of nodes are all schedulable and ready before starting an +# upgrade. If it's not possible to drain the requested nodes the upgrade will +# stall indefinitely until the drain is successful. +# +# If you're upgrading more than one node at a time you can specify the maximum +# percentage of failure within the batch before the upgrade is aborted. Any +# nodes that do fail are ignored for the rest of the playbook run and you should +# take care to investigate the failure and return the node to service so that +# your cluster. +# +# The percentage must exceed the value, this would fail on two failures +# openshift_upgrade_nodes_serial=4 openshift_upgrade_nodes_max_fail_percentage=49 +# where as this would not +# openshift_upgrade_nodes_serial=4 openshift_upgrade_nodes_max_fail_percentage=50 +# +# A timeout to wait for nodes to drain pods can be specified to ensure that the +# upgrade continues even if nodes fail to drain pods in the allowed time. 
The +# default value of 0 will wait indefinitely allowing the admin to investigate +# the root cause and ensuring that disruption budgets are respected. If the +# a timeout of 0 is used there will also be one attempt to re-try draining the +# node. If a non zero timeout is specified there will be no attempt to retry. +#openshift_upgrade_nodes_drain_timeout=0 +# +# Multiple data migrations take place and if they fail they will fail the upgrade +# You may wish to disable these or make them non fatal +# +# openshift_upgrade_pre_storage_migration_enabled=true +# openshift_upgrade_pre_storage_migration_fatal=true +# openshift_upgrade_post_storage_migration_enabled=true +# openshift_upgrade_post_storage_migration_fatal=false + +###################################################################### +# CloudForms/ManageIQ (CFME/MIQ) Configuration + +# See the readme for full descriptions and getting started +# instructions: ../../roles/openshift_management/README.md or go directly to +# their definitions: ../../roles/openshift_management/defaults/main.yml +# ../../roles/openshift_management/vars/main.yml +# +# Namespace for the CFME project +#openshift_management_project: openshift-management + +# Namespace/project description +#openshift_management_project_description: CloudForms Management Engine + +# Choose 'miq-template' for a podified database install +# Choose 'miq-template-ext-db' for an external database install +# +# If you are using the miq-template-ext-db template then you must add +# the required database parameters to the +# openshift_management_template_parameters variable. +#openshift_management_app_template: miq-template + +# Allowed options: nfs, nfs_external, preconfigured, cloudprovider. +#openshift_management_storage_class: nfs + +# [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a +# netapp appliance, then you must set the hostname here. Leave the +# value as 'false' if you are not using external NFS. 
+#openshift_management_storage_nfs_external_hostname: false + +# [OPTIONAL] - If you are using external NFS then you must set the base +# path to the exports location here. +# +# Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports +# that will back the application PV and optionally the database +# pv. Export path definitions, relative to +# { openshift_management_storage_nfs_base_dir} +# +# LOCAL NFS NOTE: +# +# You may may also change this value if you want to change the default +# path used for local NFS exports. +#openshift_management_storage_nfs_base_dir: /exports + +# LOCAL NFS NOTE: +# +# You may override the automatically selected LOCAL NFS server by +# setting this variable. Useful for testing specific task files. +#openshift_management_storage_nfs_local_hostname: false + +# These are the default values for the username and password of the +# management app. Changing these values in your inventory will not +# change your username or password. You should only need to change +# these values in your inventory if you already changed the actual +# name and password AND are trying to use integration scripts. +# +# For example, adding this cluster as a container provider, +# playbooks/openshift-management/add_container_provider.yml +#openshift_management_username: admin +#openshift_management_password: smartvm + +# A hash of parameters you want to override or set in the +# miq-template.yaml or miq-template-ext-db.yaml templates. Set this in +# your inventory file as a simple hash. Acceptable values are defined +# under the .parameters list in files/miq-template{-ext-db}.yaml +# Example: +# +# openshift_management_template_parameters={'APPLICATION_MEM_REQ': '512Mi'} +#openshift_management_template_parameters: {} + +# Firewall configuration +# You can open additional firewall ports by defining them as a list. of service +# names and ports/port ranges for either masters or nodes. 
+#openshift_master_open_ports=[{"service":"svc1","port":"11/tcp"}] +#openshift_node_open_ports=[{"service":"svc2","port":"12-13/tcp"},{"service":"svc3","port":"14/udp"}] + +# Service port node range +#openshift_node_port_range=30000-32767 + +# Enable unsupported configurations, things that will yield a partially +# functioning cluster but would not be supported for production use +#openshift_enable_unsupported_configurations=false +openshift_enable_unsupported_configurations=True From cbd944d3d0717d1e135f4d41c5fc1148be04e86c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Aug 2018 16:56:48 +0000 Subject: [PATCH 158/289] upgrading prod --- inventory/group_vars/os | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/group_vars/os b/inventory/group_vars/os index 92656a93d5..325ae29082 100644 --- a/inventory/group_vars/os +++ b/inventory/group_vars/os @@ -3,3 +3,4 @@ host_group: os baseiptables: False no_http2: True nm_controlled_resolv: True +openshift_ansible_upgrading: True From 6af8e0172037de6516fe6cd35bbc68b483236590 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 23 Aug 2018 10:16:54 -0700 Subject: [PATCH 159/289] Also allow openQA prod to send out 'ci' fedmsgs Since this message format spec is public now: https://pagure.io/fedora-ci/messages Let's have production send out messages in that format as well as staging (well, more or less that format...actually a sort of 'pre-production' version of an addition to that format). Signed-off-by: Adam Williamson --- inventory/group_vars/openqa | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/inventory/group_vars/openqa b/inventory/group_vars/openqa index 7654a57186..eff21ebcef 100644 --- a/inventory/group_vars/openqa +++ b/inventory/group_vars/openqa 
@@ -69,6 +69,14 @@ fedmsg_certs: - openqa.jobs.restart - openqa.job.update.result - openqa.job.done +- service: ci + owner: root + group: geekotest + can_send: + - ci.productmd-compose.test.queued + - ci.productmd-compose.test.running + - ci.productmd-compose.test.complete + - ci.productmd-compose.test.error # we need this to log with fedmsg-logger fedmsg_active: True From 73e7e166e1240574f88e693b1413aca00fccd963 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 19:10:56 +0000 Subject: [PATCH 160/289] Create koschei project in staging OpenShift --- master.yml | 1 + playbooks/openshift-apps/koschei.yml | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 playbooks/openshift-apps/koschei.yml diff --git a/master.yml b/master.yml index 361badfc7f..642e0d22b1 100644 --- a/master.yml +++ b/master.yml @@ -118,6 +118,7 @@ - import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/waiverdb.yml - import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/coreos.yml # These need work to finish and complete and are all stg currently. +#- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/koschei.yml #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/modernpaste.yml #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/rats.yml #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/release-monitoring.yml diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml new file mode 100644 index 0000000000..74b516fcdc --- /dev/null +++ b/playbooks/openshift-apps/koschei.yml @@ -0,0 +1,16 @@ +- name: provision koschei + hosts: os-masters-stg[0] + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: openshift/project + app: koschei + description: koschei + appowners: + - mizdebsk 
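Review bot: In the new koschei.yml play, `gather_facts: False` is combined with `vars_files: - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`, and `ansible_distribution` is only defined at that point if facts for os-masters-stg[0] come from a fact cache; without it the play fails before any role runs. If sibling openshift-apps playbooks rely on cached facts the same way, a one-line comment stating that would save the next reader a debugging round, e.g. `# ansible_distribution comes from the fact cache; gather_facts stays off to keep the play fast`. Otherwise set `gather_facts: True` or drop the distribution-specific vars file from this play.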
From 53b40839ff3e327d51543f86a43526868ff48553 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Aug 2018 19:54:54 +0000 Subject: [PATCH 161/289] update apiGroups --- .../project/templates/role-appowners.yml | 28 ++++++++----------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml index 36554c791b..eedf0e5abd 100644 --- a/roles/openshift/project/templates/role-appowners.yml +++ b/roles/openshift/project/templates/role-appowners.yml @@ -1,11 +1,5 @@ apiVersion: v1 -{% if env == "staging" %} kind: Role -{% else %} -# Namespace-local roles did not work until openshift 3.6 -# https://github.com/openshift/origin/issues/14078 -kind: ClusterRole -{% endif %} metadata: annotations: openshift.io/description: An application owner. Can view everything but ConfigMaps. @@ -13,7 +7,7 @@ metadata: namespace: "{{ app }}" rules: - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - endpoints @@ -34,7 +28,7 @@ rules: - update {% endif %} - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - bindings @@ -151,7 +145,7 @@ rules: - list - watch - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - imagestreamimages @@ -163,7 +157,7 @@ rules: - list - watch - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - imagestreams/status @@ -172,14 +166,14 @@ rules: - list - watch - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - projects verbs: - get - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - appliedclusterresourcequotas @@ -188,7 +182,7 @@ rules: - list - watch - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - routes @@ -197,7 +191,7 @@ rules: - list - watch - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - routes/status 
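Review bot: Replacing `- ""` with `- "*"` in every apiGroups entry (the hunks at -13, -34, -151, -163, -172, -179, -188, -197, -206, -217 and -226 here, and the consolidated rules in patch 164) grants each listed resource name in every API group, not only the core group and the matching openshift.io group the migration needs. Names such as `events`, `deployments` and `jobs` exist in several groups, and any later CRD that reuses a listed resource name becomes readable by appowners automatically. Patch 164 already lists `build.openshift.io` explicitly for the `jenkins` rule, so the same style works here, e.g. for the routes rule `- apiGroups:` / `- ""` / `- route.openshift.io`. The verbs in these rules are read-only, so the exposure is over-broad read access rather than write access, but a namespace role is the place to keep it tight.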
@@ -206,7 +200,7 @@ rules: - list - watch - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - processedtemplates @@ -217,7 +211,7 @@ rules: - list - watch - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - buildlogs @@ -226,7 +220,7 @@ rules: - list - watch - apiGroups: - - "" + - "*" attributeRestrictions: null resources: - resourcequotausages From cb2b51c0b80f37cad11261250a3143589da225b5 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 19:58:27 +0000 Subject: [PATCH 162/289] Add ImageStream for koschei app --- playbooks/openshift-apps/koschei.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml index 74b516fcdc..2603dbfc48 100644 --- a/playbooks/openshift-apps/koschei.yml +++ b/playbooks/openshift-apps/koschei.yml @@ -14,3 +14,6 @@ description: koschei appowners: - mizdebsk + - role: openshift/imagestream + app: koschei + imagename: koschei-web From c712da42f8e1cb7591db4c5d0cc24b1ea02d0684 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 20:03:40 +0000 Subject: [PATCH 163/289] Add initial BuildConfig for koschei --- playbooks/openshift-apps/koschei.yml | 4 +++ .../koschei/templates/buildconfig.yml | 27 +++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 roles/openshift-apps/koschei/templates/buildconfig.yml diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml index 2603dbfc48..fce52c86fc 100644 --- a/playbooks/openshift-apps/koschei.yml +++ b/playbooks/openshift-apps/koschei.yml @@ -17,3 +17,7 @@ - role: openshift/imagestream app: koschei imagename: koschei-web + - role: openshift/object + app: koschei + template: buildconfig.yml + objectname: buildconfig.yml diff --git a/roles/openshift-apps/koschei/templates/buildconfig.yml b/roles/openshift-apps/koschei/templates/buildconfig.yml new file mode 100644 index 0000000000..1e1795abc1 --- /dev/null 
+++ b/roles/openshift-apps/koschei/templates/buildconfig.yml @@ -0,0 +1,27 @@ +apiVersion: v1 +items: +- apiVersion: v1 + kind: BuildConfig + metadata: + labels: + build: koschei-web + name: koschei-web + spec: + runPolicy: Serial + source: + dockerfile: |- + FROM fedora-minimal:28 + RUN microdnf install koschei-frontend-fedora + EXPOSE 80 + CMD httpd -DFOREGROUND + type: Dockerfile + strategy: + type: Docker + dockerStrategy: + noCache: false + output: + to: + kind: ImageStreamTag + name: koschei-web:latest +kind: List +metadata: {} From c0b53f5bd8ee00c471485a8d7236a67ccd5aeb4d Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 20:25:29 +0000 Subject: [PATCH 164/289] Reorganize os appowners role yaml --- .../project/templates/role-appowners.yml | 188 ++++-------------- 1 file changed, 38 insertions(+), 150 deletions(-) diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml index eedf0e5abd..97bc786b9f 100644 --- a/roles/openshift/project/templates/role-appowners.yml +++ b/roles/openshift/project/templates/role-appowners.yml 
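Review bot: The inline Dockerfile binds httpd to port 80 (`EXPOSE 80`, `CMD httpd -DFOREGROUND`), which needs root or CAP_NET_BIND_SERVICE, and under OpenShift's default restricted SCC the container runs as an arbitrary non-root UID, so httpd will fail to bind unless the koschei project has been granted a more permissive SCC, which this commit does not show. Listening on an unprivileged port (8080 is the common choice) and pointing `EXPOSE` and the later Service and probes at it keeps the pod inside the default SCC. A short comment in the Dockerfile stating which SCC the image assumes would help whoever first sees this pod crash-loop.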
@@ -31,20 +31,55 @@ rules: - "*" attributeRestrictions: null resources: + - appliedclusterresourcequotas - bindings + - buildconfigs + - buildconfigs/webhooks + - buildlogs + - builds + - builds/log + - deploymentconfigs + - deploymentconfigs/log + - deploymentconfigs/scale + - deploymentconfigs/status + - deployments + - deployments/scale - events + - horizontalpodautoscalers + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreams/status + - imagestreamtags + - jobs - limitranges - namespaces - namespaces/status - pods/log - pods/status + - processedtemplates + - replicasets + - replicasets/scale - replicationcontrollers/status - resourcequotas - resourcequotas/status + - resourcequotausages + - routes + - routes/status + - statefulsets + - templateconfigs + - templates verbs: - get - list - watch +- apiGroups: + - "*" + attributeRestrictions: null + resources: + - projects + verbs: + - get - apiGroups: - autoscaling attributeRestrictions: null @@ -66,19 +101,12 @@ rules: - list - watch - apiGroups: - - "*" + - build.openshift.io attributeRestrictions: null resources: - - deployments - - deployments/scale - - horizontalpodautoscalers - - jobs - - replicasets - - replicasets/scale + - jenkins verbs: - - get - - list - - watch + - view - apiGroups: - extensions attributeRestrictions: null 
@@ -88,143 +116,3 @@ rules: - get - list - watch -- apiGroups: - - apps - attributeRestrictions: null - resources: - - statefulsets - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - buildconfigs - - buildconfigs/webhooks - - builds - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - builds/log - verbs: - - get - - list - - watch -- apiGroups: - - build.openshift.io - attributeRestrictions: null - resources: - - jenkins - verbs: - - view -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - deploymentconfigs - - deploymentconfigs/scale - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - deploymentconfigs/log - - deploymentconfigs/status - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - imagestreamimages - - imagestreammappings - - imagestreams - - imagestreamtags - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - imagestreams/status - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - projects - verbs: - - get -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - appliedclusterresourcequotas - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - routes - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - routes/status - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - processedtemplates - - templateconfigs - - templates - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - buildlogs - verbs: - - get - - list - - watch -- apiGroups: - - "*" - attributeRestrictions: null - resources: - - resourcequotausages - verbs: - - 
get - - list - - watch From bbdceb24c68740291ee3d2991c39b38006743400 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 20:27:59 +0000 Subject: [PATCH 165/289] Allow appowners to run builds (create buildconfigs/instantiate) --- roles/openshift/project/templates/role-appowners.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml index 97bc786b9f..a335224c58 100644 --- a/roles/openshift/project/templates/role-appowners.yml +++ b/roles/openshift/project/templates/role-appowners.yml @@ -73,6 +73,13 @@ rules: - get - list - watch +- apiGroups: + - "*" + attributeRestrictions: null + resources: + - buildconfigs/instantiate + verbs: + - create - apiGroups: - "*" attributeRestrictions: null From d30f35eca438c93d0861ac34c116c808ed8b6b9e Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 20:36:54 +0000 Subject: [PATCH 166/289] Add explicit registry to koschei buildconfig dockerfile --- roles/openshift-apps/koschei/templates/buildconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/koschei/templates/buildconfig.yml b/roles/openshift-apps/koschei/templates/buildconfig.yml index 1e1795abc1..39ddfc555e 100644 --- a/roles/openshift-apps/koschei/templates/buildconfig.yml +++ b/roles/openshift-apps/koschei/templates/buildconfig.yml @@ -10,7 +10,7 @@ items: runPolicy: Serial source: dockerfile: |- - FROM fedora-minimal:28 + FROM registry.fedoraproject.org/fedora-minimal:28 RUN microdnf install koschei-frontend-fedora EXPOSE 80 CMD httpd -DFOREGROUND From f0ad01c4a7d1b63fede8d07041151ed83f84e1d5 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 23 Aug 2018 20:49:19 +0000 Subject: [PATCH 167/289] Add Kevin and Stephen to infra-security Signed-off-by: Patrick Uiterwijk --- roles/fas_client/files/aliases.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
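Review bot: With `create` on `buildconfigs/instantiate` the appowners role is no longer view-only, but the `openshift.io/description` annotation at the top of this template (outside the hunk) still reads `An application owner. Can view everything but ConfigMaps.`; update it to something like `An application owner. Can view everything but ConfigMaps, and start builds.` Starting a build runs the BuildConfig's Dockerfile inside the project, so the annotation is where an admin granting appowner would look to understand what that implies.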
diff --git a/roles/fas_client/files/aliases.template b/roles/fas_client/files/aliases.template index 045b2e52d2..73844f12e2 100644 --- a/roles/fas_client/files/aliases.template +++ b/roles/fas_client/files/aliases.template @@ -166,7 +166,7 @@ security: security-private@lists.fedoraproject.org secalert: security-private@lists.fedoraproject.org # Infrastructure security officer -infra-security: puiterwijk +infra-security: puiterwijk,kevin,smooge webmaster: websites@lists.fedoraproject.org logo: rlerch@redhat.com,duffy@redhat.com From b8c31335fd72ddfc725d12e84ad916fbde0fda00 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 20:51:22 +0000 Subject: [PATCH 168/289] Initial DeploymentConfig for koschei --- playbooks/openshift-apps/koschei.yml | 8 +++ .../koschei/templates/deploymentconfig.yml | 55 +++++++++++++++++++ .../koschei/templates/service.yml | 15 +++++ 3 files changed, 78 insertions(+) create mode 100644 roles/openshift-apps/koschei/templates/deploymentconfig.yml create mode 100644 roles/openshift-apps/koschei/templates/service.yml diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml index fce52c86fc..7e2fc0e8e0 100644 --- a/playbooks/openshift-apps/koschei.yml +++ b/playbooks/openshift-apps/koschei.yml @@ -21,3 +21,11 @@ app: koschei template: buildconfig.yml objectname: buildconfig.yml + - role: openshift/object + app: koschei + template: service.yml + objectname: service.yml + - role: openshift/object + app: koschei + template: deploymentconfig.yml + objectname: deploymentconfig.yml diff --git a/roles/openshift-apps/koschei/templates/deploymentconfig.yml b/roles/openshift-apps/koschei/templates/deploymentconfig.yml new file mode 100644 index 0000000000..4436629fb1 --- /dev/null +++ b/roles/openshift-apps/koschei/templates/deploymentconfig.yml 
@@ -0,0 +1,55 @@ +apiVersion: v1 +items: +- apiVersion: v1 + kind: DeploymentConfig + metadata: + labels: + app: koschei + service: web + name: koschei-web + spec: + replicas: 1 + selector: + deploymentconfig: koschei-web + strategy: + activeDeadlineSeconds: 21600 + recreateParams: + timeoutSeconds: 600 + resources: {} + rollingParams: + intervalSeconds: 1 + maxSurge: 25% + maxUnavailable: 25% + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Rolling + template: + metadata: + creationTimestamp: null + labels: + app: koschei-web + deploymentconfig: koschei-web + spec: + containers: + - name: koschei-web + image: koschei-web:latest + ports: + - containerPort: 80 + resources: {} + volumeMounts: {} + readinessProbe: + timeoutSeconds: 10 + initialDelaySeconds: 5 + httpGet: + path: / + port: 80 + livenessProbe: + timeoutSeconds: 10 + initialDelaySeconds: 30 + httpGet: + path: / + port: 80 + volumes: {} + triggers: {} +kind: List +metadata: {} diff --git a/roles/openshift-apps/koschei/templates/service.yml b/roles/openshift-apps/koschei/templates/service.yml new file mode 100644 index 0000000000..cbb579534e --- /dev/null +++ b/roles/openshift-apps/koschei/templates/service.yml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: koschei-web + labels: + app: koschei + service: web + namespace: koschei +spec: + ports: + - name: web + port: 80 + targetPort: 80 + selector: + deploymentconfig: koschei-web From b9de5a45aa1306fbbe68a341d4b103620835988b Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 21:40:46 +0000 Subject: [PATCH 169/289] Add koschei route --- playbooks/openshift-apps/koschei.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml index 7e2fc0e8e0..da53100241 100644 --- a/playbooks/openshift-apps/koschei.yml +++ b/playbooks/openshift-apps/koschei.yml 
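Review bot: `volumeMounts: {}`, `volumes: {}` and `triggers: {}` are written as empty mappings, but all three fields are lists in the DeploymentConfig and pod spec, so they should be `volumeMounts: []`, `volumes: []`, `triggers: []` (or omitted); `resources: {}` is genuinely a map and is fine. Separately, as far as I recall OpenShift only rewrites `image: koschei-web:latest` to the internal registry pull spec through an ImageChange trigger, so with no triggers the node may try to pull that name from an external registry; either add an ImageChange trigger on the `koschei-web:latest` ImageStreamTag or use the full internal registry path, and a comment next to `image:` saying which is intended would help.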
@@ -29,3 +29,9 @@ app: koschei template: deploymentconfig.yml objectname: deploymentconfig.yml + - role: openshift/route + app: koschei + routename: koschei-web + host: "koschei{{ env_suffix }}.fedoraproject.org" + serviceport: web + servicename: koschei-web From 868a8e83d0ddf47fd681c9741541bc8405e52f88 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 21:48:26 +0000 Subject: [PATCH 170/289] Configure proxies for koschei route --- playbooks/include/proxies-reverseproxy.yml | 8 ++++++++ playbooks/include/proxies-websites.yml | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 03a3c91f72..51fc8a7834 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -293,6 +293,14 @@ remotepath: /koschei proxyurl: "{{ varnish_url }}" + - role: httpd/reverseproxy + website: koschei.fedoraproject.org + destname: koschei + # haproxy entry for os-nodes-frontend + proxyurl: http://localhost:10065 + keephost: true + tags: koschei + - role: httpd/reverseproxy website: apps.fedoraproject.org destname: mdapi diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 7bd72ade3c..2977456c8d 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -842,6 +842,12 @@ server_aliases: [greenwave.stg.fedoraproject.org] cert_name: "{{wildcard_cert_name}}" + - role: httpd/website + site_name: koschei.fedoraproject.org + sslonly: true + server_aliases: [koschei.stg.fedoraproject.org] + cert_name: "{{wildcard_cert_name}}" + - role: httpd/website site_name: waiverdb.fedoraproject.org sslonly: true From 8dab540148e5ab421113ad79cc52bb9ed55d9352 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 23 Aug 2018 21:59:34 +0000 Subject: [PATCH 171/289] add relrod too 
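Review bot: Neither the `httpd/website` nor the `httpd/reverseproxy` entry for `koschei.fedoraproject.org` carries a `when: env == "staging"` guard, yet the koschei play added earlier in this series targets `os-masters-stg[0]` only and its master.yml import is commented out as staging-only. On the production proxies this publishes a TLS vhost that forwards to `localhost:10065` (os-nodes-frontend) for a project that does not exist there, so clients would get the router's default backend or a 503 instead of a clean 404. Unless prod is being prepared deliberately, add `when: env == "staging"` to both entries and drop it once the prod project is provisioned.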
Signed-off-by: Patrick Uiterwijk --- roles/fas_client/files/aliases.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fas_client/files/aliases.template b/roles/fas_client/files/aliases.template index 73844f12e2..626bcb65f5 100644 --- a/roles/fas_client/files/aliases.template +++ b/roles/fas_client/files/aliases.template @@ -166,7 +166,7 @@ security: security-private@lists.fedoraproject.org secalert: security-private@lists.fedoraproject.org # Infrastructure security officer -infra-security: puiterwijk,kevin,smooge +infra-security: puiterwijk,kevin,smooge,codeblock webmaster: websites@lists.fedoraproject.org logo: rlerch@redhat.com,duffy@redhat.com From 939d94ed414ee323b05a39aef1f79cde6cdf9079 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 22:07:45 +0000 Subject: [PATCH 172/289] Add rollout action for Koschei --- playbooks/openshift-apps/koschei.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml index da53100241..397ca6c202 100644 --- a/playbooks/openshift-apps/koschei.yml +++ b/playbooks/openshift-apps/koschei.yml @@ -35,3 +35,6 @@ host: "koschei{{ env_suffix }}.fedoraproject.org" serviceport: web servicename: koschei-web + - role: openshift/rollout + app: koschei + dcname: koschei-web From 79c7169ff47f0dd0ac4520aab88e0285c20e61e5 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Aug 2018 22:29:05 +0000 Subject: [PATCH 173/289] lets try out some polyinstantiated tmp and var/tmp on batcave01 --- roles/batcave/files/namespace.conf | 28 ++++++++++++++++++++++++++++ roles/batcave/tasks/main.yml | 20 ++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 roles/batcave/files/namespace.conf diff --git a/roles/batcave/files/namespace.conf b/roles/batcave/files/namespace.conf new file mode 100644 index 0000000000..6c0a761cc4 --- /dev/null +++ b/roles/batcave/files/namespace.conf 
@@ -0,0 +1,28 @@ + /etc/security/namespace.conf +# +# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information. +# +# Uncommenting the following three lines will polyinstantiate +# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will +# be polyinstantiated based on the MLS level part of the security context as well as user +# name, Polyinstantion will not be performed for user root and adm for directories +# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. +# The user name and context is appended to the instance prefix. +# +# Note that instance directories do not have to reside inside the +# polyinstantiated directory. In the examples below, instances of /tmp +# will be created in /tmp-inst directory, where as instances of /var/tmp +# and users home directories will reside within the directories that +# are being polyinstantiated. +# +# Instance parent directories must exist for the polyinstantiation +# mechanism to work. By default, they should be created with the mode +# of 000. pam_namespace module will enforce this mode unless it +# is explicitly called with an argument to ignore the mode of the +# instance parent. System administrators should use this argument with +# caution, as it will reduce security and isolation achieved by +# polyinstantiation. +# +/tmp /tmp-inst/ level root,adm +/var/tmp /var/tmp-inst/ level root,adm +#$HOME $HOME/$USER.inst/ level diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml index 2dccc4d29c..9cc97f2394 100644 --- a/roles/batcave/tasks/main.yml +++ b/roles/batcave/tasks/main.yml 
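Review bot: The first line of the new file appears as ` /etc/security/namespace.conf` without the leading `#` that the stock pam_namespace template uses; if that is not a rendering artifact, pam_namespace will try to parse it as a polyinstantiation entry with missing fields and log an error, and depending on how the PAM stack treats the module's failure the session can be refused, which on batcave01 would mean losing SSH access. Please confirm the line reads `# /etc/security/namespace.conf`. The hunk also only supplies the configuration and does not show `pam_namespace.so` being enabled in the relevant /etc/pam.d services, so either that is already in place or this file has no effect until it is; a one-line comment stating which applies would help.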
@@ -507,3 +507,23 @@ - koji - batcave +- name: create some tmp dirs + file: path=/tmp-inst mode=000 user=root group=root state=directory + tags: + - config + - batcave + - selinux + +- name: create some tmp dirs + file: path=/var/tmp-inst mode=000 user=root group=root state=directory + tags: + - config + - batcave + - selinux + +- name: put in place namespace.conf file + copy: src=namespace.conf dest=/etc/security/namespace.conf mode=644 user=root group=root + tags: + - config + - batcave + - selinux From c5860885062cd9489b99e56da030733b854a3ade Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Aug 2018 22:44:05 +0000 Subject: [PATCH 174/289] this is owner --- roles/batcave/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml index 9cc97f2394..2f391c4323 100644 --- a/roles/batcave/tasks/main.yml +++ b/roles/batcave/tasks/main.yml @@ -508,14 +508,14 @@ - batcave - name: create some tmp dirs - file: path=/tmp-inst mode=000 user=root group=root state=directory + file: path=/tmp-inst mode=000 owner=root group=root state=directory tags: - config - batcave - selinux - name: create some tmp dirs - file: path=/var/tmp-inst mode=000 user=root group=root state=directory + file: path=/var/tmp-inst mode=000 owner=root group=root state=directory tags: - config - batcave From 6dd6590089369a4e742e452d875aa95b756e05b9 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 22:50:05 +0000 Subject: [PATCH 175/289] Add empty configmap for koschei --- playbooks/openshift-apps/koschei.yml | 4 ++++ roles/openshift-apps/koschei/templates/configmap.yml | 8 ++++++++ .../openshift-apps/koschei/templates/deploymentconfig.yml | 5 ++++- 3 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 roles/openshift-apps/koschei/templates/configmap.yml diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml index 397ca6c202..730f0b7f5d 100644 
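Review bot: `user=root` is not a parameter of the `file` or `copy` module (the option is `owner`), so all three tasks in this hunk fail argument validation as written. The two `create some tmp dirs` tasks differ only in the path, so one task looping `with_items` over `/tmp-inst` and `/var/tmp-inst` (the loop form this repository already uses) would remove the duplicated task name and keep the two directories in step. Because the arguments are in key=value form, `mode=000` and `mode=644` arrive as strings and are read as octal, but the block form with quoted `mode: "0000"` / `mode: "0644"` is the less surprising spelling. The hunk only installs the configuration; whether pam_namespace is actually stacked in the PAM session phase on this host is not visible here.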
--- a/playbooks/openshift-apps/koschei.yml +++ b/playbooks/openshift-apps/koschei.yml @@ -21,6 +21,10 @@ app: koschei template: buildconfig.yml objectname: buildconfig.yml + - role: openshift/object + app: koschei + template: configmap.yml + objectname: configmap.yml - role: openshift/object app: koschei template: service.yml diff --git a/roles/openshift-apps/koschei/templates/configmap.yml b/roles/openshift-apps/koschei/templates/configmap.yml new file mode 100644 index 0000000000..9dbea01916 --- /dev/null +++ b/roles/openshift-apps/koschei/templates/configmap.yml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: koschei-configmap + labels: + app: koschei +data: {} diff --git a/roles/openshift-apps/koschei/templates/deploymentconfig.yml b/roles/openshift-apps/koschei/templates/deploymentconfig.yml index 4436629fb1..7fba6d2dbb 100644 --- a/roles/openshift-apps/koschei/templates/deploymentconfig.yml +++ b/roles/openshift-apps/koschei/templates/deploymentconfig.yml @@ -49,7 +49,10 @@ items: httpGet: path: / port: 80 - volumes: {} + volumes: + - name: config-volume + configMap: + name: bodhi-configmap triggers: {} kind: List metadata: {} From a6e7c40837f111dd6f19c00914d5b2cf1b3dce6e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Aug 2018 22:52:32 +0000 Subject: [PATCH 176/289] owner here too --- roles/batcave/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml index 2f391c4323..b0570d1f76 100644 --- a/roles/batcave/tasks/main.yml +++ b/roles/batcave/tasks/main.yml @@ -522,7 +522,7 @@ - selinux - name: put in place namespace.conf file - copy: src=namespace.conf dest=/etc/security/namespace.conf mode=644 user=root group=root + copy: src=namespace.conf dest=/etc/security/namespace.conf mode=644 owner=root group=root tags: - config - batcave From aef71a8d69f550a9a10d7c09e2b255665759a597 Mon Sep 17 00:00:00 2001 
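Review bot: The volume added in the deploymentconfig hunk references `name: bodhi-configmap`, but the ConfigMap created in the same commit is `koschei-configmap`; unless the volume is marked optional, the pod waits on a ConfigMap that does not exist in the koschei project and never starts. The line should be `name: koschei-configmap`. The volume is also declared without a matching entry under `volumeMounts`, so even with the right name nothing in the container would see it. The enclosing DeploymentConfig spec extends outside the hunk.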
From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 22:56:38 +0000 Subject: [PATCH 177/289] untabify --- roles/openshift-apps/koschei/templates/deploymentconfig.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openshift-apps/koschei/templates/deploymentconfig.yml b/roles/openshift-apps/koschei/templates/deploymentconfig.yml index 7fba6d2dbb..4b9d46006d 100644 --- a/roles/openshift-apps/koschei/templates/deploymentconfig.yml +++ b/roles/openshift-apps/koschei/templates/deploymentconfig.yml @@ -50,8 +50,8 @@ items: path: / port: 80 volumes: - - name: config-volume - configMap: + - name: config-volume + configMap: name: bodhi-configmap triggers: {} kind: List From 0c41b833fedb35a53f57ec5f4e7e7358fbc64660 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 22:59:19 +0000 Subject: [PATCH 178/289] Correct copy-paste error --- roles/openshift-apps/koschei/templates/deploymentconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/koschei/templates/deploymentconfig.yml b/roles/openshift-apps/koschei/templates/deploymentconfig.yml index 4b9d46006d..089722c95e 100644 --- a/roles/openshift-apps/koschei/templates/deploymentconfig.yml +++ b/roles/openshift-apps/koschei/templates/deploymentconfig.yml @@ -52,7 +52,7 @@ items: volumes: - name: config-volume configMap: - name: bodhi-configmap + name: koschei-configmap triggers: {} kind: List metadata: {} From a047fbaab824d14eb05b5b3eb9a60f99393ca142 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 23:01:41 +0000 Subject: [PATCH 179/289] Try mounting empty koschei configmap volume --- roles/openshift-apps/koschei/templates/deploymentconfig.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/openshift-apps/koschei/templates/deploymentconfig.yml b/roles/openshift-apps/koschei/templates/deploymentconfig.yml index 089722c95e..bc1e6924d3 100644 
--- a/roles/openshift-apps/koschei/templates/deploymentconfig.yml +++ b/roles/openshift-apps/koschei/templates/deploymentconfig.yml @@ -36,7 +36,10 @@ items: ports: - containerPort: 80 resources: {} - volumeMounts: {} + volumeMounts: + - name: config-volume + mountPath: /dummy + readOnly: true readinessProbe: timeoutSeconds: 10 initialDelaySeconds: 5 From 493cfed8e6e53826744d6f22167b0da2b02a1a8c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Aug 2018 23:07:45 +0000 Subject: [PATCH 180/289] fix copy paste error --- roles/batcave/files/namespace.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/batcave/files/namespace.conf b/roles/batcave/files/namespace.conf index 6c0a761cc4..9637798028 100644 --- a/roles/batcave/files/namespace.conf +++ b/roles/batcave/files/namespace.conf @@ -1,4 +1,4 @@ - /etc/security/namespace.conf +# /etc/security/namespace.conf # # See /usr/share/doc/pam-*/txts/README.pam_namespace for more information. # From d4bfa8b132876a53c4fcadba852cb21d996a5619 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 23:17:01 +0000 Subject: [PATCH 181/289] Remove dummy koschei configmap --- playbooks/openshift-apps/koschei.yml | 4 ---- roles/openshift-apps/koschei/templates/configmap.yml | 8 -------- .../koschei/templates/deploymentconfig.yml | 10 ++-------- 3 files changed, 2 insertions(+), 20 deletions(-) delete mode 100644 roles/openshift-apps/koschei/templates/configmap.yml diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml index 730f0b7f5d..397ca6c202 100644 --- a/playbooks/openshift-apps/koschei.yml +++ b/playbooks/openshift-apps/koschei.yml @@ -21,10 +21,6 @@ app: koschei template: buildconfig.yml objectname: buildconfig.yml - - role: openshift/object - app: koschei - template: configmap.yml - objectname: configmap.yml - role: openshift/object app: koschei template: service.yml 
diff --git a/roles/openshift-apps/koschei/templates/configmap.yml b/roles/openshift-apps/koschei/templates/configmap.yml deleted file mode 100644 index 9dbea01916..0000000000 --- a/roles/openshift-apps/koschei/templates/configmap.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: koschei-configmap - labels: - app: koschei -data: {} diff --git a/roles/openshift-apps/koschei/templates/deploymentconfig.yml b/roles/openshift-apps/koschei/templates/deploymentconfig.yml index bc1e6924d3..4436629fb1 100644 --- a/roles/openshift-apps/koschei/templates/deploymentconfig.yml +++ b/roles/openshift-apps/koschei/templates/deploymentconfig.yml @@ -36,10 +36,7 @@ items: ports: - containerPort: 80 resources: {} - volumeMounts: - - name: config-volume - mountPath: /dummy - readOnly: true + volumeMounts: {} readinessProbe: timeoutSeconds: 10 initialDelaySeconds: 5 @@ -52,10 +49,7 @@ items: httpGet: path: / port: 80 - volumes: - - name: config-volume - configMap: - name: koschei-configmap + volumes: {} triggers: {} kind: List metadata: {} From 944740b70d93a1de8fa476511915b6391d6aee70 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 23:20:08 +0000 Subject: [PATCH 182/289] Add start-build action to koschei OS playbook --- playbooks/openshift-apps/koschei.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml index 397ca6c202..4f853d3c0e 100644 --- a/playbooks/openshift-apps/koschei.yml +++ b/playbooks/openshift-apps/koschei.yml @@ -21,6 +21,9 @@ app: koschei template: buildconfig.yml objectname: buildconfig.yml + - role: openshift/start-build + app: koschei + buildname: koschei-web - role: openshift/object app: koschei template: service.yml From dd2f6dd9b1e3c22ba49fd2eb32f2cc9fd4017585 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Thu, 23 Aug 2018 23:30:44 +0000 Subject: [PATCH 183/289] add polyinstantiation_enabled bool --- roles/batcave/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml index b0570d1f76..8a4d6b4e69 100644 --- a/roles/batcave/tasks/main.yml +++ b/roles/batcave/tasks/main.yml @@ -129,6 +129,7 @@ - httpd_can_network_connect - httpd_use_nfs - httpd_can_network_relay + - polyinstantiation_enabled tags: - batcave - config From 78eefb4e73c851ccaebdf2504000efc5567dba74 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 23 Aug 2018 23:35:22 +0000 Subject: [PATCH 184/289] Remove start-build and rollout actions for koschei --- playbooks/openshift-apps/koschei.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/playbooks/openshift-apps/koschei.yml b/playbooks/openshift-apps/koschei.yml index 4f853d3c0e..da53100241 100644 --- a/playbooks/openshift-apps/koschei.yml +++ b/playbooks/openshift-apps/koschei.yml @@ -21,9 +21,6 @@ app: koschei template: buildconfig.yml objectname: buildconfig.yml - - role: openshift/start-build - app: koschei - buildname: koschei-web - role: openshift/object app: koschei template: service.yml @@ -38,6 +35,3 @@ host: "koschei{{ env_suffix }}.fedoraproject.org" serviceport: web servicename: koschei-web - - role: openshift/rollout - app: koschei - dcname: koschei-web From 7313d8627a2e0130fff672460ef766466f792726 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Fri, 24 Aug 2018 03:38:36 +0000 Subject: [PATCH 185/289] Add explicit registry address in koschei deploymentconfig --- roles/openshift-apps/koschei/templates/deploymentconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/koschei/templates/deploymentconfig.yml b/roles/openshift-apps/koschei/templates/deploymentconfig.yml index 4436629fb1..e9dc0f8d2d 100644 --- a/roles/openshift-apps/koschei/templates/deploymentconfig.yml 
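Review bot: The `polyinstantiation_enabled` entry is appended to a task whose header is outside the hunk and whose visible tags are only `batcave` and `config`, whereas the tmp-dir and namespace.conf tasks added for the same feature earlier in this file also carry `selinux`; a `selinux`-tagged run would therefore lay down the directories and config without flipping the boolean they depend on. Either add `- selinux` to this task's tags or drop it from the others so the feature is applied as one unit. Presumably this list feeds an `seboolean` loop; if so, confirm the header sets `persistent: yes` so the boolean survives a reboot.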
+++ b/roles/openshift-apps/koschei/templates/deploymentconfig.yml @@ -32,7 +32,7 @@ items: spec: containers: - name: koschei-web - image: koschei-web:latest + image: docker-registry.default.svc:5000/koschei-web:latest ports: - containerPort: 80 resources: {} From 7eff19b4e353211e4058c1571ac43b43d3e6eb61 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Fri, 24 Aug 2018 03:50:20 +0000 Subject: [PATCH 186/289] Don't forget about including project name in image url --- roles/openshift-apps/koschei/templates/deploymentconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift-apps/koschei/templates/deploymentconfig.yml b/roles/openshift-apps/koschei/templates/deploymentconfig.yml index e9dc0f8d2d..125f8fa61a 100644 --- a/roles/openshift-apps/koschei/templates/deploymentconfig.yml +++ b/roles/openshift-apps/koschei/templates/deploymentconfig.yml @@ -32,7 +32,7 @@ items: spec: containers: - name: koschei-web - image: docker-registry.default.svc:5000/koschei-web:latest + image: docker-registry.default.svc:5000/koschei/koschei-web:latest ports: - containerPort: 80 resources: {} From d9be2c02ec29b8f5211e7a12c7c06a84a66ebaf8 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 24 Aug 2018 09:59:32 +0200 Subject: [PATCH 187/289] Tweak the config of our two pagure instance for the upcoming 5.0 release Signed-off-by: Pierre-Yves Chibon --- roles/distgit/pagure/templates/pagure.cfg | 3 +++ roles/pagure/frontend/templates/pagure.cfg | 3 +++ 2 files changed, 6 insertions(+) diff --git a/roles/distgit/pagure/templates/pagure.cfg b/roles/distgit/pagure/templates/pagure.cfg index 32dd8dccd3..d0f34b4dac 100644 --- a/roles/distgit/pagure/templates/pagure.cfg +++ b/roles/distgit/pagure/templates/pagure.cfg 
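Review bot: `image: docker-registry.default.svc:5000/koschei-web:latest` names the registry root with no project, so the pull presumably cannot resolve; the reference needs the namespace, `docker-registry.default.svc:5000/koschei/koschei-web:latest`. Independently of the path, the object still has `triggers: {}`, so with a fixed image string and no ImageChange trigger nothing redeploys when a new build lands, and the mutable `:latest` tag means the object does not record what is actually running. If reproducible deploys are the goal, pin the image by digest or add an ImageChange trigger bound to the koschei-web image stream; the rest of the container spec is outside the hunk.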
@@ -266,6 +266,9 @@ ALLOW_DELETE_BRANCH = False ALLOWED_PREFIX = ['rpms', 'modules', 'container', 'tests'] EXCLUDE_GROUP_INDEX = ['packager'] EMAIL_ON_WATCHCOMMITS = False +PRIVATE_PROJECTS = False +FEDMSG_NOTIFICATIONS = True +PR_TARGET_MATCHING_BRANCH = True DISABLED_PLUGINS = ['IRC', 'Pagure tickets', 'Read the Doc', 'Fedmsg'] diff --git a/roles/pagure/frontend/templates/pagure.cfg b/roles/pagure/frontend/templates/pagure.cfg index abcbcb3c56..3db2cf708d 100644 --- a/roles/pagure/frontend/templates/pagure.cfg +++ b/roles/pagure/frontend/templates/pagure.cfg @@ -306,3 +306,6 @@ GITOLITE_CELERY_QUEUE = 'gitolite_queue' FAST_CELERY_QUEUE = 'fast_workers' MEDIUM_CELERY_QUEUE = 'medium_workers' SLOW_CELERY_QUEUE = 'slow_workers' +PRIVATE_PROJECTS = False +FEDMSG_NOTIFICATIONS = True +THEME = 'pagureio' From 62039a5ff1d04ea62242e65a3e22b7c95d964237 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 24 Aug 2018 10:03:05 +0200 Subject: [PATCH 188/289] Install the pagure theme on stg.pagure.io Signed-off-by: Pierre-Yves Chibon --- roles/pagure/frontend/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index 0412771f0c..59b925b782 100644 --- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml @@ -23,6 +23,15 @@ - pagure - packages +- name: install needed packages + package: name={{ item }} state=present + when: env == 'pagure-staging' + with_items: + - pagure-theme-pagureio + tags: + - pagure + - packages + - name: Initialize postgres if necessary command: /usr/bin/postgresql-setup initdb creates=/var/lib/pgsql/data From 0589f3790a631507eab8f609058b16041db37173 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Fri, 24 Aug 2018 10:35:36 +0200 Subject: [PATCH 189/289] Remove commented out play Signed-off-by: Clement Verna --- roles/push-docker/tasks/main.yml | 18 ------------------ 1 file changed, 18 deletions(-) 
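Review bot: The new `install needed packages` task installs `pagure-theme-pagureio` only `when: env == 'pagure-staging'`, yet the frontend `pagure.cfg` hunk in the preceding commit sets `THEME = 'pagureio'` with no condition, so a production frontend would be configured for a theme that is not installed unless the template guards that line outside the hunk. Either condition the `THEME` line on the same environment check or install the package wherever the config references it. The condition also spells the environment differently from the `env == "staging"` checks used in the playbooks elsewhere in this series, which is worth confirming against the inventory value.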
diff --git a/roles/push-docker/tasks/main.yml b/roles/push-docker/tasks/main.yml index 5e7cbaabe9..3225da850d 100644 --- a/roles/push-docker/tasks/main.yml +++ b/roles/push-docker/tasks/main.yml @@ -12,24 +12,6 @@ path: "{{docker_cert_dir}}" state: directory -#- name: install docker client cert for registry -# copy: -# src: "{{private}}/files/koji/{{docker_cert_name}}.cert.pem" -# dest: "{{docker_cert_dir}}/client.cert" -# owner: root -# group: "releng-team" -# mode: 0640 -# when: docker_cert_name is defined -# -#- name: install docker client key for registry -# copy: -# src: "{{private}}/files/koji/{{docker_cert_name}}.key.pem" -# dest: "{{docker_cert_dir}}/client.key" -# owner: root -# group: "releng-team" -# mode: 0640 -# when: docker_cert_name is defined - - name: start and enable docker service: name=docker state=started enabled=yes From 098ccc4075d12522cab1ba98954786749c18eb66 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Fri, 24 Aug 2018 11:38:29 +0200 Subject: [PATCH 190/289] Cleanup the push-docker role and add some comment about the role Signed-off-by: Clement Verna --- playbooks/groups/oci-registry.yml | 4 ---- playbooks/groups/releng-compose.yml | 22 ++++++++++++++-------- roles/push-docker/tasks/main.yml | 12 ++++-------- 3 files changed, 18 insertions(+), 20 deletions(-) diff --git a/playbooks/groups/oci-registry.yml b/playbooks/groups/oci-registry.yml index 9086f85686..905309c641 100644 --- a/playbooks/groups/oci-registry.yml +++ b/playbooks/groups/oci-registry.yml @@ -109,8 +109,6 @@ # Setup compose-x86-01 push docker images to registry - { role: push-docker, - docker_cert_name: "containerstable", - docker_cert_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org", candidate_registry: "candidate-registry.stg.fedoraproject.org", candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}", candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}", 
@@ -119,8 +117,6 @@ } - { role: push-docker, - docker_cert_name: "containerstable", - docker_cert_dir: "/etc/docker/certs.d/registry.fedoraproject.org", candidate_registry: "candidate-registry.fedoraproject.org", candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}", candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}", diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 637283d00d..1635140ebd 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml @@ -60,14 +60,6 @@ key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key", when: env == "staging" } - - { - role: push-docker, - candidate_registry: "candidate-registry.fedoraproject.org", - candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}", - candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}", - docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org", - when: env == "production" - } - { role: "manage-container-images", cert_dest_dir: "/etc/docker/certs.d/registry.fedoraproject.org", @@ -75,6 +67,20 @@ key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key", when: env == "production" } + - { + role: push-docker, + candidate_registry: "candidate-registry.stg.fedoraproject.org", + candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}", + candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}", + when: env == "staging" + } + - { + role: push-docker, + candidate_registry: "candidate-registry.fedoraproject.org", + candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}", + candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}", + when: env == "production" + } tasks: diff --git a/roles/push-docker/tasks/main.yml b/roles/push-docker/tasks/main.yml index 3225da850d..dc9433d1b6 100644 
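Review bot: The two `push-docker` entries added at the end of the releng-compose.yml role list are seven-line flow mappings (`- { role: push-docker, ... }`), which is flow style for structured data; block mappings (`- role: push-docker` with indented keys) diff more cleanly and avoid the trailing-comma and `}` pitfalls. The production entry is the block deleted in the first hunk moved below the `manage-container-images` entry, and the staging entry is new; both pass `candidate_registry_osbs_password` as a plain role variable, so the login task inside the role (not visible here) should run with `no_log` so the credential does not reach the play output. The same flow-mapping style is used in the `oci-registry.yml` hunks above.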
--- a/roles/push-docker/tasks/main.yml +++ b/roles/push-docker/tasks/main.yml @@ -1,16 +1,12 @@ --- -# tasks file for push-docker -# +# tasks file for push-docker role +# This role is used to login to a registry using the +# docker client. + - name: install docker and python-docker package: name="{{ item }}" state=present with_items: - docker - - python-docker - -- name: ensure docker daemon cert dir exists - file: - path: "{{docker_cert_dir}}" - state: directory - name: start and enable docker service: name=docker state=started enabled=yes From 98632f004976cc687f073c490d4d8204822511ae Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Fri, 24 Aug 2018 11:50:56 +0200 Subject: [PATCH 191/289] Rename manage-container-images and document it. This commit renames the manage-container-images role to push-container-registry. It also adds some doc to describe what the role is used for. Signed-off-by: Clement Verna --- playbooks/groups/bodhi-backend.yml | 2 +- playbooks/groups/osbs-cluster.yml | 7 ------- playbooks/groups/releng-compose.yml | 4 ++-- .../manage-container-images/defaults/main.yml | 5 ----- .../push-container-registry/defaults/main.yml | 5 +++++ .../tasks/main.yml | 20 +++++++++++-------- 6 files changed, 20 insertions(+), 23 deletions(-) delete mode 100644 roles/manage-container-images/defaults/main.yml create mode 100644 roles/push-container-registry/defaults/main.yml rename roles/{manage-container-images => push-container-registry}/tasks/main.yml (52%) diff --git a/playbooks/groups/bodhi-backend.yml b/playbooks/groups/bodhi-backend.yml index b9c790f957..22c66701a8 100644 --- a/playbooks/groups/bodhi-backend.yml +++ b/playbooks/groups/bodhi-backend.yml 
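Review bot: `python-docker` is dropped from the package list, but whether the login task further down this file uses the `docker_login` module (which needs the Python docker bindings) or a plain `command: docker login` is not visible in the hunk; if it is the former, the role now fails at login on a freshly provisioned host. The header comment could settle that for the next reader, e.g. `# This role logs in to a registry with the docker CLI; it does not need python-docker.`. With a single item left, `with_items` over `- docker` can also collapse to `package: name=docker state=present`.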
@@ -64,7 +64,7 @@ service: bodhi host: "bodhi.stg.fedoraproject.org" when: env == "staging" - - role: manage-container-images + - role: push-container-registry cert_dest_dir: "/etc/docker/certs.d/registry{{ env_suffix }}.fedoraproject.org" cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt" key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key" diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index dc88e66ac8..b014198c38 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -295,13 +295,6 @@ candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}", when: env == "production" } - - { - role: "manage-container-images", - cert_dest_dir: "/etc/docker/certs.d/candidate-registry{{ env_suffix }}.fedoraproject.org", - cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem", - key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key", - when: env == "staging" - } handlers: diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 1635140ebd..b6adc0211c 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml @@ -54,14 +54,14 @@ tags: - releng - { - role: "manage-container-images", + role: "push-container-registry", cert_dest_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org", cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem", key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key", when: env == "staging" } - { - role: "manage-container-images", + role: "push-container-registry", cert_dest_dir: "/etc/docker/certs.d/registry.fedoraproject.org", cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt", key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key", 
diff --git a/roles/manage-container-images/defaults/main.yml b/roles/manage-container-images/defaults/main.yml deleted file mode 100644 index c1f21c78bf..0000000000 --- a/roles/manage-container-images/defaults/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# defaults file for manage-container-images -# - -certs_group: "releng-team" \ No newline at end of file diff --git a/roles/push-container-registry/defaults/main.yml b/roles/push-container-registry/defaults/main.yml new file mode 100644 index 0000000000..6c059deb19 --- /dev/null +++ b/roles/push-container-registry/defaults/main.yml @@ -0,0 +1,5 @@ +--- +# defaults file for push-container-registry role +# + +certs_group: "releng-team" diff --git a/roles/manage-container-images/tasks/main.yml b/roles/push-container-registry/tasks/main.yml similarity index 52% rename from roles/manage-container-images/tasks/main.yml rename to roles/push-container-registry/tasks/main.yml index 2577494813..3b5fa6cc58 100644 --- a/roles/manage-container-images/tasks/main.yml +++ b/roles/push-container-registry/tasks/main.yml @@ -1,6 +1,10 @@ --- -# tasks file for push-docker -# +# tasks file for push-container-registry +# This role install skopeo and the certificates +# needed to push container images to our production registry. +# Note : push to the candidate-registry is done using docker login +# see the push-docker role. + - name: install necessary packages package: name: "{{item}}" @@ -8,16 +12,16 @@ with_items: - skopeo tags: - - manage-container-images + - push-container-registry - name: ensure cert dir exists file: path: "{{cert_dest_dir}}" state: directory tags: - - manage-container-images + - push-container-registry -- name: install docker client cert for registry +- name: install client cert for registry copy: src: "{{cert_src}}" dest: "{{cert_dest_dir}}/client.cert" 
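Review bot: The new header comment says the role installs the certificates `needed to push container images to our production registry`, but the playbooks in the preceding hunks also apply it for staging (`when: env == "staging"` in releng-compose.yml); suggest `# needed to push container images to our container registries (staging and production).` and `install` → `installs`. The copy tasks (context in the following hunk) install both the client cert and `client.key` with `group: "{{ certs_group }}"` and `mode: 0640`, so every member of `releng-team` can read the registry client private key; that is presumably intended for this role, but it deserves a sentence in the header since the key carries push rights. `0640` is an unquoted octal literal in YAML; `mode: "0640"` is the portable spelling.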
@@ -25,13 +29,13 @@ group: "{{ certs_group }}" mode: 0640 tags: - - manage-container-images + - push-container-registry -- name: install docker client key for registry +- name: install client key for registry copy: src: "{{key_src}}" dest: "{{cert_dest_dir}}/client.key" group: "{{ certs_group }}" mode: 0640 tags: - - manage-container-images + - push-container-registry From ae58597b7e348633fb8b92c063baa72c814242b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Kadl=C4=8D=C3=ADk?= Date: Fri, 3 Aug 2018 00:33:29 +0200 Subject: [PATCH 192/289] Move the WSGIDaemonProcess outside of VirtualHost so it can be used in https config https://stackoverflow.com/a/11995769/3285282 --- roles/copr/frontend/files/httpd/coprs.conf | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/roles/copr/frontend/files/httpd/coprs.conf b/roles/copr/frontend/files/httpd/coprs.conf index 054d507e06..5f992a9ca1 100644 --- a/roles/copr/frontend/files/httpd/coprs.conf +++ b/roles/copr/frontend/files/httpd/coprs.conf 
@@ -3,17 +3,18 @@ LoadModule wsgi_module modules/mod_wsgi.so WSGISocketPrefix /var/run/wsgi Alias /robots.txt /var/www/html/robots.txt +WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=15 display-name=other maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess api user=copr-fe group=copr-fe threads=15 display-name=api maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess backend user=copr-fe group=copr-fe threads=15 display-name=backend maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess stats user=copr-fe group=copr-fe threads=15 display-name=stats maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20 +WSGIScriptAlias / /usr/share/copr/coprs_frontend/application + ServerName copr.fedorainfracloud.org ServerAlias copr-fe.cloud.fedoraproject.org WSGIPassAuthorization On - WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=15 display-name=other maximum-requests=8000 graceful-timeout=20 - WSGIDaemonProcess api user=copr-fe group=copr-fe threads=15 display-name=api maximum-requests=8000 graceful-timeout=20 - WSGIDaemonProcess backend user=copr-fe group=copr-fe threads=15 display-name=backend maximum-requests=8000 graceful-timeout=20 - WSGIDaemonProcess stats user=copr-fe group=copr-fe threads=15 display-name=stats maximum-requests=8000 graceful-timeout=20 - WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20 - WSGIScriptAlias / /usr/share/copr/coprs_frontend/application WSGIProcessGroup 127.0.0.1 From 80a6c7b8857423625b824615932d86cdb6bc433a Mon Sep 17 00:00:00 2001 
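Review bot: Moving `WSGIScriptAlias / /usr/share/copr/coprs_frontend/application` to server scope together with the `WSGIDaemonProcess` lines makes the application the handler for `/` on every virtual host on this server that does not set its own alias, not only the copr vhost; the daemon definitions are what needed sharing, and the script alias could stay inside each `<VirtualHost>`. If the global alias is intentional, a comment such as `# WSGIScriptAlias is global so the :80 and :443 vhosts both serve the app` would make that clear. The vhost's own `WSGIProcessGroup 127.0.0.1` is unchanged and still selects the daemon group per vhost.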
From: =?UTF-8?q?Jakub=20Kadl=C4=8D=C3=ADk?= Date: Tue, 31 Jul 2018 13:38:07 +0200 Subject: [PATCH 193/289] Add https support for copr-fe-dev --- roles/copr/frontend/files/httpd/coprs.conf | 8 +++++ roles/copr/frontend/tasks/main.yml | 29 +++++++++++++++---- .../templates/httpd/coprs_ssl.conf.j2 | 21 ++++++++++++-- 3 files changed, 49 insertions(+), 9 deletions(-) diff --git a/roles/copr/frontend/files/httpd/coprs.conf b/roles/copr/frontend/files/httpd/coprs.conf index 5f992a9ca1..453144a8ac 100644 --- a/roles/copr/frontend/files/httpd/coprs.conf +++ b/roles/copr/frontend/files/httpd/coprs.conf @@ -28,6 +28,14 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application +{% if devel %} + + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] + RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE] + +{% endif %} + ExtendedStatus On diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index 250f8215ca..bdb75fcf41 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -59,12 +59,6 @@ state: yes persistent: yes -- name: install copr-frontend ssl vhost for production - template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/copr_ssl.conf" - when: not devel - tags: - - config - - import_tasks: "psql_setup.yml" - name: upgrade db to head 
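Review bot: The `{% if devel %}` … `{% endif %}` block is added to `roles/copr/frontend/files/httpd/coprs.conf`, but that file is shipped by the `copy` task `copy apache files to conf.d` in the role's tasks file, so the Jinja markers land verbatim in `/etc/httpd/conf.d/coprs.conf` and httpd rejects the config; the file has to be rendered with `template:` (it is moved to `templates/` two commits later) before this block can work. Separately, `RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]` builds the redirect target from the client-supplied Host header, so if this vhost is the default for its address any Host value is reflected into a permanent redirect, which is the classic open-redirect pattern. Prefer the vhost's canonical name, e.g. `RewriteRule "^/?(.*)" "https://copr.fedorainfracloud.org/$1" [L,R=301,NE]`, or `%{SERVER_NAME}` with `UseCanonicalName On`. The `<Directory>` grant that the ACME rewrite target needs is outside this hunk.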
@@ -101,6 +95,29 @@ tags: - config +- name: letsencrypt cert + include_role: name=certbot + when: devel + tags: + - config + +- name: Check that cert file exists + stat: + path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem" + register: stat_cert + +- name: Should admin run certbot? + fail: + msg: Please see roles/certbot/README step (2) and manually run certbot + when: + - stat_cert.stat.exists == False + - devel + +- name: install copr-frontend ssl vhost + template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/coprs_ssl.conf" + tags: + - config + - name: enable services service: state=started enabled=yes name={{ item }} with_items: diff --git a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 index 5d4612efcc..601d3977f4 100644 --- a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 +++ b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 @@ -1,3 +1,6 @@ +Listen 443 https + + SSLEngine on SSLProtocol {{ ssl_protocols }} @@ -6,11 +9,17 @@ SSLHonorCipherOrder on Header always add Strict-Transport-Security "max-age=31536000; preload" + {% if not devel %} SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt + {% else %} + SSLCertificateFile /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem + {% endif %} - ServerName copr.fedorainfracloud.org + ServerName {{ inventory_hostname }} WSGIPassAuthorization On WSGIScriptAlias / /usr/share/copr/coprs_frontend/application 
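Review bot: The SSL vhost is now written to `/etc/httpd/conf.d/coprs_ssl.conf`, while the task removed in the previous hunk wrote the same template to `copr_ssl.conf`; on already-provisioned production hosts nothing deletes the old file, so httpd loads two vhosts with the same ServerName and certificate. Add a task ahead of the template, `file: path=/etc/httpd/conf.d/copr_ssl.conf state=absent`, tagged `config` like its neighbours. `Check that cert file exists` and `Should admin run certbot?` are the only new tasks without tags, so a `--tags config` run installs the vhost without the existence check, and the `stat` runs on production as well where the Let's Encrypt path is irrelevant; give both `when: devel` (or keep it on the `fail`) and the `config` tag. The condition reads better as `not stat_cert.stat.exists` than `stat_cert.stat.exists == False`.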
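Review bot: `Listen 443 https` at the top of `coprs_ssl.conf.j2` duplicates the `Listen 443 https` that mod_ssl's own `ssl.conf` supplies on Fedora if that file is installed, and httpd typically refuses to start on a duplicate Listen; either drop the line or make it conditional on ssl.conf being absent. In the `{% else %}` branch, `SSLCertificateChainFile` points at `fullchain.pem`, which already contains the leaf certificate, so the leaf may be sent twice; `chain.pem` is the intermediates-only file in the Let's Encrypt layout, or use `fullchain.pem` as `SSLCertificateFile` and omit the chain directive. The enclosing `<VirtualHost>` blocks begin outside the hunks.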
@@ -54,13 +63,19 @@ SSLHonorCipherOrder on Header always add Strict-Transport-Security "max-age=31536000; preload" + {% if not devel %} SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt + {% else %} + SSLCertificateFile /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem + {% endif %} - ServerAlias copr.fedoraproject.org + ServerAlias {{ inventory_hostname }} - Redirect 302 / https://copr.fedorainfracloud.org/ + Redirect 302 / https://{{ inventory_hostname }}/ From e78f97bfbb785cc9ec0c5e36254a162993563ea6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Kadl=C4=8D=C3=ADk?= Date: Mon, 20 Aug 2018 15:02:13 +0200 Subject: [PATCH 194/289] Move copr.conf to templates, it has jinja2 macros --- roles/copr/frontend/tasks/main.yml | 6 ++++++ roles/copr/frontend/{files => templates}/httpd/coprs.conf | 0 2 files changed, 6 insertions(+) rename roles/copr/frontend/{files => templates}/httpd/coprs.conf (100%) diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index bdb75fcf41..558f07a2b8 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -48,6 +48,12 @@ copy: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" with_items: - "welcome.conf" + tags: + - config + +- name: copy apache files to conf.d (templates) + template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" + with_items: - "coprs.conf" tags: - config 
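Review bot: The new task renders `coprs.conf` with the `template` module, but the file keeps its plain name under `templates/`, unlike its sibling `coprs_ssl.conf.j2`; naming it `httpd/coprs.conf.j2` and using `template: src="httpd/{{ item }}.j2" dest="/etc/httpd/conf.d/{{ item }}"` makes the Jinja content obvious to the next reader without changing the loop. Neither the `copy` nor the new `template` task shows a `notify:` in the visible lines, so a change to either file will not restart httpd unless a handler is wired up outside this hunk — worth checking, since the rendered file now differs between devel and production.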
diff --git a/roles/copr/frontend/files/httpd/coprs.conf b/roles/copr/frontend/templates/httpd/coprs.conf similarity index 100% rename from roles/copr/frontend/files/httpd/coprs.conf rename to roles/copr/frontend/templates/httpd/coprs.conf From c892543dc36dfde18564664ee6a168a248f18a2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Kadl=C4=8D=C3=ADk?= Date: Mon, 20 Aug 2018 18:53:47 +0200 Subject: [PATCH 195/289] Use copr_frontend_public_hostname instead of inventory_hostname Because inventory_hostname is set to copr-fe.cloud.fedoraproject.org on frontend production instance. However, we want a variable that is evaluated to copr.fedorainfracloud.org --- roles/copr/frontend/tasks/main.yml | 2 +- .../frontend/templates/httpd/coprs_ssl.conf.j2 | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index 558f07a2b8..9a08f8b9cd 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -109,7 +109,7 @@ - name: Check that cert file exists stat: - path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem" + path: "/etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem" register: stat_cert - name: Should admin run certbot? diff --git a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 index 601d3977f4..f440be853f 100644 --- a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 +++ b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 
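Review bot: `copr_frontend_public_hostname` is introduced here with no visible definition or default; if it is not set for the devel inventory, this `stat` path and the template directives that use it fail on an undefined variable before httpd is touched. A defaults entry such as `copr_frontend_public_hostname: "{{ inventory_hostname }}"` in the role's `defaults/main.yml` preserves the behaviour this series had for devel, with the production inventory overriding it to `copr.fedorainfracloud.org` as the commit message describes.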
@@ -14,12 +14,12 @@ Listen 443 https SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt {% else %} - SSLCertificateFile /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem + SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem {% endif %} - ServerName {{ inventory_hostname }} + ServerName {{ copr_frontend_public_hostname }} WSGIPassAuthorization On WSGIScriptAlias / /usr/share/copr/coprs_frontend/application @@ -68,14 +68,14 @@ Listen 443 https SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt {% else %} - SSLCertificateFile /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem + SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem {% endif %} - ServerAlias {{ inventory_hostname }} + ServerAlias {{ copr_frontend_public_hostname }} - Redirect 302 / https://{{ inventory_hostname }}/ + Redirect 302 / https://{{ copr_frontend_public_hostname }}/ From 51573754bfbf2961cd923961440ea95fa0c1cf6d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jakub=20Kadl=C4=8D=C3=ADk?= Date: Mon, 20 Aug 2018 19:35:55 +0200 Subject: [PATCH 196/289] Fix redirect from copr.fedoraproject.org to copr.fedorainfracloud.org --- roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 index f440be853f..176ad700c1 100644 --- a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 +++ b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 @@ -73,9 +73,10 @@ Listen 443 https SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem {% endif %} - ServerAlias {{ copr_frontend_public_hostname }} - - Redirect 302 / https://{{ copr_frontend_public_hostname }}/ + {% if not devel %} + ServerAlias copr.fedoraproject.org + Redirect 302 / https://copr.fedorainfracloud.org/ + {% endif %} From b2583fae337ce513a23f09a02dae9d5978bdccff Mon Sep 17 00:00:00 2001 From: clime Date: Fri, 24 Aug 2018 12:05:28 +0200 Subject: [PATCH 197/289] copr-fe: move index rebuilding to the bottom of the playbook --- roles/copr/frontend/tasks/main.yml | 14 +++++++------- .../frontend/templates/httpd/coprs_ssl.conf.j2 | 2 -- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index 9a08f8b9cd..61b91f1ea0 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -88,13 +88,6 @@ - nb - kevin -- name: rebuild indexes - command: ./manage.py update_indexes - become: yes - become_user: copr-fe - args: - chdir: /usr/share/copr/coprs_frontend/ - - name: install ssl certificates for production import_tasks: "install_certs.yml" when: not devel 
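Review bot: With the `ServerAlias` and `Redirect` now inside `{% if not devel %}`, the devel render still emits this second :443 VirtualHost with the SSL and HSTS directives but no name or content; it is loaded yet never selected by name, which is dead config and one more place the certificate paths must stay in sync. Wrapping the whole VirtualHost (it starts outside this hunk) in the conditional removes it on devel entirely. Since the alias is a permanent move from `copr.fedoraproject.org`, `Redirect 301 / https://copr.fedorainfracloud.org/` is the more accurate status than the 302 on the new line.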
@@ -136,3 +129,10 @@ - name: disallow robots on dev instance when: devel copy: src=robots.txt dest=/var/www/html/ + +- name: rebuild indexes + command: ./manage.py update_indexes + become: yes + become_user: copr-fe + args: + chdir: /usr/share/copr/coprs_frontend/ diff --git a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 index 176ad700c1..846d8d85dd 100644 --- a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 +++ b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 @@ -78,5 +78,3 @@ Listen 443 https Redirect 302 / https://copr.fedorainfracloud.org/ {% endif %} - - From f77d40ebad5148d5433f0585a8f8968f623b6d32 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Fri, 24 Aug 2018 14:06:29 +0200 Subject: [PATCH 198/289] Fix ansible-lint errors in osbs-cluster playbook Signed-off-by: Clement Verna --- playbooks/groups/osbs-cluster.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index b014198c38..ada09bb620 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -495,7 +495,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml pre_tasks: - - set_fact: + - name: Create the username:password string needed by the template + set_fact: auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}" auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}" @@ -533,7 +534,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml pre_tasks: - - set_fact: + - name: Create the username:password string needed by the template + set_fact: auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}" auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}" 
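Review bot: The now-named `set_fact` task concatenates the registry password into `auth_info_prod` / `auth_info_stg`, and without `no_log: true` that `user:password` string appears in the task result on verbose runs and in any callback or log sink; add `no_log: true` to both `set_fact` tasks (and to the template task that consumes the fact, if it reports content). Both facts are also set unconditionally, so every host carries the credential for the other environment in memory; gating each on `when: env == "production"` / `"staging"`, or setting a single `auth_info` chosen by `env`, keeps only the needed secret around.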
@@ -697,7 +699,7 @@ src: "{{item}}" dest: "/etc/osbs/buildroot/" owner: root - mode: 600 + mode: 0600 with_items: - "{{files}}/osbs/worker_customize.json" - "{{files}}/osbs/orchestrator_customize.json" From 2ed0bdc53a3fa9ac8c26b225a848b7c0e1d092a0 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Fri, 24 Aug 2018 14:08:22 +0200 Subject: [PATCH 199/289] Remove unused tasks from osbs-cluster playbook Signed-off-by: Clement Verna --- playbooks/groups/osbs-cluster.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index ada09bb620..c124e0af0d 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -796,11 +796,6 @@ register: docker_pull_fedora changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout" - - name: register origin_version_out rpm query - command: "rpm -q origin --qf '%{Version}'" - register: origin_version_out - check_mode: no - changed_when: False - name: Post-Install image stream refresh From 0c43e5a9260ba2334ded20bc78360f7a4c3b0676 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Fri, 24 Aug 2018 14:48:11 +0200 Subject: [PATCH 200/289] osbs-on-openshift role is not used anymore. bye bye 
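Review bot: `mode: 0600` unquoted is parsed by YAML as the octal integer 384, which Ansible does map back to 0600, but the recommended form is the quoted string `mode: "0600"` so that a later edit cannot silently turn into a decimal mode again. The task sets `owner: root` with no `group:`, so the group of the customize JSON files is whatever happens to exist on the host; adding `group: root` makes the permissions deterministic.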
Signed-off-by: Clement Verna --- roles/osbs-on-openshift/README.md | 19 --- roles/osbs-on-openshift/defaults/main.yml | 53 ------- roles/osbs-on-openshift/handlers/main.yml | 17 --- roles/osbs-on-openshift/meta/main.yml | 22 --- roles/osbs-on-openshift/tasks/main.yml | 141 ------------------ roles/osbs-on-openshift/tasks/registry.yml | 54 ------- roles/osbs-on-openshift/tasks/yum_proxy.yml | 36 ----- .../templates/openshift-limitrange.yml.j2 | 9 -- .../templates/openshift-resourcequota.yml.j2 | 7 - .../templates/openshift-rolebinding.yml.j2 | 24 --- .../templates/openshift-serviceaccount.yml.j2 | 4 - .../templates/openshift-yumproxy-dc.yml.j2 | 31 ---- .../templates/openshift-yumproxy-svc.yml.j2 | 15 -- .../templates/role-osbs-custom-build.yml.j2 | 10 -- 14 files changed, 442 deletions(-) delete mode 100644 roles/osbs-on-openshift/README.md delete mode 100644 roles/osbs-on-openshift/defaults/main.yml delete mode 100644 roles/osbs-on-openshift/handlers/main.yml delete mode 100644 roles/osbs-on-openshift/meta/main.yml delete mode 100644 roles/osbs-on-openshift/tasks/main.yml delete mode 100644 roles/osbs-on-openshift/tasks/registry.yml delete mode 100644 roles/osbs-on-openshift/tasks/yum_proxy.yml delete mode 100644 roles/osbs-on-openshift/templates/openshift-limitrange.yml.j2 delete mode 100644 roles/osbs-on-openshift/templates/openshift-resourcequota.yml.j2 delete mode 100644 roles/osbs-on-openshift/templates/openshift-rolebinding.yml.j2 delete mode 100644 roles/osbs-on-openshift/templates/openshift-serviceaccount.yml.j2 delete mode 100644 roles/osbs-on-openshift/templates/openshift-yumproxy-dc.yml.j2 delete mode 100644 roles/osbs-on-openshift/templates/openshift-yumproxy-svc.yml.j2 delete mode 100644 roles/osbs-on-openshift/templates/role-osbs-custom-build.yml.j2 diff --git a/roles/osbs-on-openshift/README.md b/roles/osbs-on-openshift/README.md deleted file mode 100644 index 1ccfb2dc7d..0000000000 --- a/roles/osbs-on-openshift/README.md +++ /dev/null 
@@ -1,19 +0,0 @@ -osbs-on-openshift -================= - -Role for deploying OSBS on top of a pre-existing [OpenShift](https://openshift.org) -cluster where we do not have cluster admin. - -- [OpenShift build service](https://github.com/projectatomic/osbs-client/), -service for building layered Docker images. - -This role is based on -[ansible-role-osbs-common](https://github.com/projectatomic/ansible-role-osbs-common) -upstream but the `osbs-common` role in Fedora Infra was pre-existing and used as -a location for common tasks required of all nodes in an osbs cluster. - -This role is part of -[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) -playbook for deploying OpenShift build service. Please refer to that github -repository for [documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md) -and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues). diff --git a/roles/osbs-on-openshift/defaults/main.yml b/roles/osbs-on-openshift/defaults/main.yml deleted file mode 100644 index 818a49d248..0000000000 --- a/roles/osbs-on-openshift/defaults/main.yml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -osbs_openshift_home: /var/lib/origin - -osbs_namespace: default -osbs_namespace_create: false - -osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - -osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - -osbs_service_accounts: [] - -# openshift authorization - which users should be assigned the view (readonly), -# osbs-builder (readwrite), and cluster-admin (admin) roles -# in default configuration, everyone has read/write access -osbs_readonly_users: [] -osbs_readonly_groups: [] -osbs_readwrite_users: [] -osbs_readwrite_groups: -- system:authenticated -- system:unauthenticated -osbs_admin_users: [] -osbs_admin_groups: [] - -## development w/ auth proxy: -#osbs_readonly_users: [] -#osbs_readonly_groups: [] -#osbs_readwrite_users: [] -#osbs_readwrite_groups: -# - system:authenticated -#osbs_admin_users: [] -#osbs_admin_groups: [] - -## example production configuration: -#osbs_readonly_users: [] -#osbs_readonly_groups: -# - system:authenticated -#osbs_readwrite_groups: [] -#osbs_readwrite_users: -# - kojibuilder -# - "{{ ansible_hostname }}" -# - system:serviceaccount:default:default -#osbs_admin_users: -# - foo@EXAMPLE.COM -# - bar@EXAMPLE.COM -#osbs_admin_groups: [] - -# limit on the number of running pods - undefine or set to -1 to remove limit -#osbs_master_max_pods: 3 - -osbs_docker_registry: false -osbs_docker_registry_storage: /opt/openshift-registry diff --git a/roles/osbs-on-openshift/handlers/main.yml b/roles/osbs-on-openshift/handlers/main.yml deleted file mode 100644 index 54df6fc488..0000000000 --- a/roles/osbs-on-openshift/handlers/main.yml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -- name: restart openshift-master - service: - name: "{{ osbs_deployment_type }}-master" - state: restarted - -- name: restart httpd - service: name=httpd state=restarted - -- name: restart firewalld - service: name=firewalld state=restarted - -- name: convert privkey to rsa - command: openssl rsa -in {{ osbs_proxy_key_file }} -out {{ osbs_proxy_key_file }} - -- name: concatenate cert and key - shell: cat {{ osbs_proxy_cert_file }} {{ osbs_proxy_key_file }} > {{ osbs_proxy_certkey_file }} diff --git a/roles/osbs-on-openshift/meta/main.yml b/roles/osbs-on-openshift/meta/main.yml deleted file mode 100644 index ba52c1124c..0000000000 --- a/roles/osbs-on-openshift/meta/main.yml +++ /dev/null @@ -1,22 +0,0 @@ -# Standards: 1.2 ---- -galaxy_info: - author: Martin Milata - description: OpenShift build service common role - builder of layered Docker images - company: Red Hat - issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues - license: BSD - min_ansible_version: 1.9 - platforms: - - name: EL - versions: - - 7 - - name: Fedora - versions: - - 24 - - 25 - categories: - - cloud - - development - - packaging -dependencies: [] diff --git a/roles/osbs-on-openshift/tasks/main.yml b/roles/osbs-on-openshift/tasks/main.yml deleted file mode 100644 index 228008a873..0000000000 --- a/roles/osbs-on-openshift/tasks/main.yml +++ /dev/null 
@@ -1,141 +0,0 @@ ---- -### openshift service ### - -- name: create osbs namespace - command: > - oc new-project {{ osbs_namespace }} - register: new_project - failed_when: new_project.rc != 0 and ('already exists' not in new_project.stderr) - changed_when: new_project.rc == 0 - environment: "{{osbs_environment}}" - when: osbs_namespace_create - -- name: copy service accounts - template: src=openshift-serviceaccount.yml.j2 dest={{ osbs_openshift_home }}/serviceaccount-{{ item }}.yml - with_items: "{{ osbs_service_accounts }}" - register: yaml_sa - -- name: import service accounts - command: > - oc create - --namespace={{ osbs_namespace }} - --filename={{ osbs_openshift_home }}/serviceaccount-{{ item.item }}.yml - register: service_account_import - failed_when: service_account_import.rc != 0 and ('already exists' not in service_account_import.stderr) - environment: "{{osbs_environment}}" - with_items: "{{ yaml_sa.results | default([]) }}" - when: item.changed - -- name: copy role bindings - template: src=openshift-rolebinding.yml.j2 dest={{ osbs_openshift_home }}/rolebinding-{{ item.name }}.yml - with_items: - - name: osbs-readonly - role: view - users: "{{ osbs_readonly_users }}" - groups: "{{ osbs_readonly_groups }}" - - name: osbs-readwrite - role: edit - users: "{{ osbs_readwrite_users }}" - groups: "{{ osbs_readwrite_groups }}" - - name: osbs-admin - role: admin - users: "{{ osbs_admin_users }}" - groups: "{{ osbs_admin_groups }}" - register: yaml_rolebindings - -- name: import the role bindings - command: > - oc replace - --namespace={{ osbs_namespace }} - --force=true - --filename={{ osbs_openshift_home }}/rolebinding-{{ item.item.name }}.yml - environment: "{{osbs_environment}}" - with_items: "{{ yaml_rolebindings.results }}" - when: item.changed - -- name: copy resource quotas - template: src=openshift-resourcequota.yml.j2 dest={{ osbs_openshift_home }}/resourcequota.yml - when: osbs_master_max_pods is defined and osbs_master_max_pods >= 0 - register: 
yaml_resourcequotas - tags: - - resourcequotas - -- name: import resource quotas - command: > - oc replace - --namespace={{ osbs_namespace }} - --force=true - --filename={{ osbs_openshift_home }}/resourcequota.yml - environment: "{{osbs_environment}}" - when: osbs_master_max_pods is defined and osbs_master_max_pods >= 0 and yaml_resourcequotas.changed - tags: - - resourcequotas - -- name: delete resource quotas - command: > - oc delete - --namespace={{ osbs_namespace }} - --ignore-not-found=true - resourcequota concurrentbuilds - environment: "{{osbs_environment}}" - when: osbs_master_max_pods is not defined or osbs_master_max_pods < 0 - tags: - - resourcequotas - -- name: copy cpu limitrange - template: - src: openshift-limitrange.yml.j2 - dest: "{{ osbs_openshift_home }}/limitrange.yml" - when: osbs_master_cpu_limitrange is defined and osbs_master_cpu_limitrange - register: yaml_limitrange - tags: - - limitranges - -- name: import cpu limitrange - command: > - oc replace - --namespace={{ osbs_namespace }} - --force=true - --filename={{ osbs_openshift_home }}/limitrange.yml - environment: "{{osbs_environment}}" - when: osbs_master_cpu_limitrange is defined and osbs_master_cpu_limitrange and yaml_limitrange.changed - tags: - - limitranges - -- name: delete cpu limitrange - command: > - oc delete - --namespace={{ osbs_namespace }} - --ignore-not-found=true - limitrange cpureq - environment: "{{osbs_environment}}" - when: osbs_master_cpu_limitrange is not defined or not osbs_master_cpu_limitrange - tags: - - limitranges - -# Setup custom build role -- name: copy custom build role - template: - src: role-osbs-custom-build.yml.j2 - dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-role-osbs-custom-build.yml" - environment: "{{ osbs_environment }}" - register: yaml_role - tags: - - oc - -- name: import custom build role - command: > - oc replace - --namespace={{ osbs_namespace }} - --force=true - --filename={{ osbs_openshift_home }}/{{ 
inventory_hostname }}-{{ osbs_namespace }}-role-osbs-custom-build.yml - environment: "{{ osbs_environment }}" - when: yaml_role.changed - tags: - - oc - -- import_tasks: yum_proxy.yml - when: osbs_yum_proxy_image is defined - -- import_tasks: registry.yml - when: osbs_docker_registry is defined and osbs_docker_registry diff --git a/roles/osbs-on-openshift/tasks/registry.yml b/roles/osbs-on-openshift/tasks/registry.yml deleted file mode 100644 index e56aaa8e73..0000000000 --- a/roles/osbs-on-openshift/tasks/registry.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- -- name: copy registry service account - template: - src: openshift-serviceaccount.yml.j2 - dest: "{{ osbs_openshift_home }}/serviceaccount-{{ item }}.yml" - with_items: - - registry - register: yaml_sa - tags: - - oc - -- name: import registry service account - command: > - oc create - --namespace=default - --filename={{ osbs_openshift_home }}/serviceaccount-{{ item.item }}.yml - register: service_account_import - failed_when: service_account_import.rc != 0 and ('already exists' not in service_account_import.stderr) - environment: "{{osbs_environment}}" - with_items: "{{ yaml_sa.results | default([]) }}" - when: item.changed - tags: - - oc - -- name: make registry serviceaccount privileged - command: > - oadm policy - --namespace=default - add-scc-to-user - privileged -z registry - environment: "{{osbs_environment}}" - tags: - - oc - -- name: create registry storage - file: - path: "{{ osbs_docker_registry_storage }}" - owner: 1001 - group: root - mode: "0770" - state: directory - -- name: set up internal registry - command: > - oadm registry - --namespace=default - --service-account registry - --credentials /etc/origin/master/openshift-registry.kubeconfig - --mount-host {{ osbs_docker_registry_storage }} - register: create_registry - changed_when: "'service exists' not in create_registry.stdout" - environment: "{{osbs_environment}}" - tags: - - oc 
diff --git a/roles/osbs-on-openshift/tasks/yum_proxy.yml b/roles/osbs-on-openshift/tasks/yum_proxy.yml deleted file mode 100644 index be2940852b..0000000000 --- a/roles/osbs-on-openshift/tasks/yum_proxy.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -- name: copy yum proxy deployment config - template: src=openshift-yumproxy-dc.yml.j2 dest={{ osbs_openshift_home }}/yumproxy-dc.yml - register: yaml_dc - tags: - - oc - - yumproxy - -- name: import yum proxy deployment config - command: > - oc replace - --force=true - --namespace={{ osbs_namespace }} - --filename={{ osbs_openshift_home }}/yumproxy-dc.yml - when: yaml_dc.changed - tags: - - oc - - yumproxy - -- name: copy yum proxy service - template: src=openshift-yumproxy-svc.yml.j2 dest={{ osbs_openshift_home }}/yumproxy-svc.yml - register: yaml_svc - tags: - - oc - - yumproxy - -- name: import yum proxy service - command: > - oc replace - --force=true - --namespace={{ osbs_namespace }} - --filename={{ osbs_openshift_home }}/yumproxy-svc.yml - when: yaml_svc.changed - tags: - - oc - - yumproxy diff --git a/roles/osbs-on-openshift/templates/openshift-limitrange.yml.j2 b/roles/osbs-on-openshift/templates/openshift-limitrange.yml.j2 deleted file mode 100644 index 4beb22c5d1..0000000000 --- a/roles/osbs-on-openshift/templates/openshift-limitrange.yml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: LimitRange -metadata: - name: cpureq -spec: - limits: - - type: Container - defaultRequest: - cpu: {{ osbs_master_cpu_limitrange }} diff --git a/roles/osbs-on-openshift/templates/openshift-resourcequota.yml.j2 b/roles/osbs-on-openshift/templates/openshift-resourcequota.yml.j2 deleted file mode 100644 index cc62a6017f..0000000000 --- a/roles/osbs-on-openshift/templates/openshift-resourcequota.yml.j2 +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ResourceQuota -metadata: - name: concurrentbuilds -spec: - hard: - pods: {{ osbs_master_max_pods }} 
diff --git a/roles/osbs-on-openshift/templates/openshift-rolebinding.yml.j2 b/roles/osbs-on-openshift/templates/openshift-rolebinding.yml.j2 deleted file mode 100644 index 12174cc36c..0000000000 --- a/roles/osbs-on-openshift/templates/openshift-rolebinding.yml.j2 +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: RoleBinding -metadata: - name: {{ item.name }} -roleRef: - name: {{ item.role }} - -{% if item.users == [] %} -userNames: [] -{% else %} -userNames: -{% for u in item.users %} -- {{ u }} -{% endfor %} -{% endif %} - -{% if item.groups == [] %} -groupNames: [] -{% else %} -groupNames: -{% for g in item.groups %} -- {{ g }} -{% endfor %} -{% endif %} diff --git a/roles/osbs-on-openshift/templates/openshift-serviceaccount.yml.j2 b/roles/osbs-on-openshift/templates/openshift-serviceaccount.yml.j2 deleted file mode 100644 index 931e249f9d..0000000000 --- a/roles/osbs-on-openshift/templates/openshift-serviceaccount.yml.j2 +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ item }} diff --git a/roles/osbs-on-openshift/templates/openshift-yumproxy-dc.yml.j2 b/roles/osbs-on-openshift/templates/openshift-yumproxy-dc.yml.j2 deleted file mode 100644 index a8dd047b72..0000000000 --- a/roles/osbs-on-openshift/templates/openshift-yumproxy-dc.yml.j2 +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: v1 -kind: DeploymentConfig -metadata: - name: {{ osbs_yum_proxy_name }} - labels: - app: {{ osbs_yum_proxy_name }} -spec: - replicas: 1 - selector: - app: {{ osbs_yum_proxy_name }} - deploymentconfig: {{ osbs_yum_proxy_name }} - template: - metadata: - labels: - app: {{ osbs_yum_proxy_name }} - deploymentconfig: {{ osbs_yum_proxy_name }} - spec: - containers: - - name: {{ osbs_yum_proxy_name }} - image: {{ osbs_yum_proxy_image }} - ports: - - containerPort: 3128 - protocol: TCP - volumeMounts: - - mountPath: /squid - name: {{ osbs_yum_proxy_name }}-volume-1 - volumes: - - emptyDir: {} - name: {{ osbs_yum_proxy_name }}-volume-1 - triggers: - - type: ConfigChange diff --git a/roles/osbs-on-openshift/templates/openshift-yumproxy-svc.yml.j2 b/roles/osbs-on-openshift/templates/openshift-yumproxy-svc.yml.j2 deleted file mode 100644 index 930297631f..0000000000 --- a/roles/osbs-on-openshift/templates/openshift-yumproxy-svc.yml.j2 +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ osbs_yum_proxy_name }} - labels: - app: {{ osbs_yum_proxy_name }} -spec: - ports: - - name: 3128-tcp - protocol: TCP - port: 3128 - targetPort: 3128 - selector: - app: {{ osbs_yum_proxy_name }} - deploymentconfig: {{ osbs_yum_proxy_name }} diff --git a/roles/osbs-on-openshift/templates/role-osbs-custom-build.yml.j2 b/roles/osbs-on-openshift/templates/role-osbs-custom-build.yml.j2 deleted file mode 100644 index 7beaba0ec7..0000000000 --- a/roles/osbs-on-openshift/templates/role-osbs-custom-build.yml.j2 +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Role -metadata: - name: osbs-custom-build - namespace: {{ osbs_namespace }} -rules: - - verbs: - - create - resources: - - builds/custom \ No newline at end of file From 852baa14ad3a897d6d89778302ed26b5fddb56f4 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Fri, 24 Aug 2018 14:51:06 +0200 Subject: [PATCH 201/289] osbs-common role is not needed either. bye bye 
Signed-off-by: Clement Verna --- playbooks/groups/osbs-cluster.yml | 4 ---- roles/osbs-common/defaults/main.yml | 6 ----- roles/osbs-common/tasks/main.yml | 37 ----------------------------- roles/osbs-common/vars/main.yml | 2 -- 4 files changed, 49 deletions(-) delete mode 100644 roles/osbs-common/defaults/main.yml delete mode 100644 roles/osbs-common/tasks/main.yml delete mode 100644 roles/osbs-common/vars/main.yml diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index c124e0af0d..107a53272a 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -277,10 +277,6 @@ state: absent roles: - - { - role: osbs-common, - osbs_manage_firewalld: false, - } - { role: push-docker, candidate_registry: "{{docker_registry}}", diff --git a/roles/osbs-common/defaults/main.yml b/roles/osbs-common/defaults/main.yml deleted file mode 100644 index 0436b5c48b..0000000000 --- a/roles/osbs-common/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# set hostname of the machine -#hostname: example.org - -# set to false if you don't use firewalld or do not want the playbook to modify it -osbs_manage_firewalld: true diff --git a/roles/osbs-common/tasks/main.yml b/roles/osbs-common/tasks/main.yml deleted file mode 100644 index 73fa498d69..0000000000 --- a/roles/osbs-common/tasks/main.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -- name: set hostname - hostname: name={{ hostname }} - when: hostname is defined - -- name: install basic packages - action: "{{ ansible_pkg_mgr }} name={{ item }} state=present" - with_items: - - vim - - tmux - - wget - - git - - net-tools - - tree - -- name: install yum-utils when using yum - package: name=yum-utils state=present - when: ansible_pkg_mgr == "yum" - -- name: enable rhel7 repos - command: yum-config-manager --enable {{ item }} - with_items: - - rhel-7-server-optional-rpms - - rhel-7-server-extras-rpms - when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7' - -- name: enable epel7 - package: name={{ epel7_url }} state=present - when: ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' - -- name: install firewalld - action: "{{ ansible_pkg_mgr }} name=firewalld state=present" - when: osbs_manage_firewalld - -- name: enable firewalld - service: name=firewalld state=started enabled=yes - when: osbs_manage_firewalld diff --git a/roles/osbs-common/vars/main.yml b/roles/osbs-common/vars/main.yml deleted file mode 100644 index 948958a46b..0000000000 --- a/roles/osbs-common/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -epel7_url: http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm From ae59a7229f3935966e5e2fe1104c443d084685b7 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Fri, 24 Aug 2018 15:19:26 +0200 Subject: [PATCH 202/289] Cleaning osbs-cluster playbook Signed-off-by: Clement Verna --- playbooks/groups/osbs-cluster.yml | 74 ------------------------------- 1 file changed, 74 deletions(-) diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 107a53272a..6030bfbb1c 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml 
@@ -270,35 +270,6 @@ - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - pre_tasks: - - name: Make sure python2-docker-py is not installed - dnf: - name: python2-docker-py - state: absent - - roles: - - { - role: push-docker, - candidate_registry: "{{docker_registry}}", - candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}", - candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}", - when: env == "staging" - } - - { - role: push-docker, - candidate_registry: "{{docker_registry}}", - candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}", - candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}", - when: env == "production" - } - - - handlers: - - name: restart dnsmasq - service: - name: dnsmasq - state: restarted - tasks: - name: Ensures /etc/dnsmasq.d/ dir exists file: path="/etc/dnsmasq.d/" state=directory 
@@ -577,36 +548,7 @@ koji_builder_user: dockerbuilder osbs_builder_user: builder - - handlers: - - name: oc secrets new - command: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}" - environment: "{{ osbs_environment }}" - notify: oc secrets add - - - name: oc secrets add - command: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount" - environment: "{{ osbs_environment }}" - tasks: - - name: Ensure koji dockerbuilder cert path exists - file: - path: "{{ koji_pki_dir }}" - state: "directory" - mode: 0400 - - - name: Add koji dockerbuilder cert for Content Generator import - copy: - src: "{{private}}/files/koji/containerbuild.pem" - dest: "{{ koji_cert_path }}" - notify: oc secrets new - - - name: Add koji dockerbuilder ca cert for Content Generator import - copy: - src: "{{private}}/files/koji/buildercerts/fedora-ca.cert" - dest: "{{ koji_ca_cert_path }}" - notify: oc secrets new - - name: cron entry to clean up old builds copy: src: "{{files}}/osbs/cleanup-old-osbs-builds" @@ -792,21 +734,5 @@ register: docker_pull_fedora changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout" - - -- name: Post-Install image stream refresh - hosts: osbs-masters[0]:osbs-masters-stg[0] - tags: - - osbs-post-install - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - name: enable nrpe for monitoring (noc01) iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT - -# - name: enable nrpe for monitoring (noc01.stg) -# iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=1#0.5.126.2 state=present jump=ACCEPT From a12d66c9fc4a6d6af54fe56128d0d3d3614f5c54 Mon Sep 17 00:00:00 2001 
From: Dusty Mabe Date: Fri, 24 Aug 2018 13:55:43 -0400 Subject: [PATCH 203/289] robosig: move rawhide x86_64 AH ostree config with the others --- roles/robosignatory/files/robosignatory.production.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py index effd4f0f68..6609f49dec 100644 --- a/roles/robosignatory/files/robosignatory.production.py +++ b/roles/robosignatory/files/robosignatory.production.py @@ -346,10 +346,6 @@ config = { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-28' }, - 'fedora/rawhide/x86_64/atomic-host': { - 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', - 'key': 'fedora-29' - }, 'fedora/28/x86_64/workstation': { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-28' @@ -362,6 +358,10 @@ config = { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-28' }, + 'fedora/rawhide/x86_64/atomic-host': { + 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', + 'key': 'fedora-29' + }, 'fedora/rawhide/ppc64le/atomic-host': { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-29' From 6f68334116f7b0376a3091e54067df5c877fb2fe Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Fri, 24 Aug 2018 13:56:44 -0400 Subject: [PATCH 204/289] robosig: make rawhide get signed by f30 key --- roles/robosignatory/files/robosignatory.production.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py index 6609f49dec..1b47fbfb36 100644 --- a/roles/robosignatory/files/robosignatory.production.py +++ b/roles/robosignatory/files/robosignatory.production.py 
@@ -360,19 +360,19 @@ config = {
 },
 'fedora/rawhide/x86_64/atomic-host': {
 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
- 'key': 'fedora-29'
+ 'key': 'fedora-30'
 },
 'fedora/rawhide/ppc64le/atomic-host': {
 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
- 'key': 'fedora-29'
+ 'key': 'fedora-30'
 },
 'fedora/rawhide/aarch64/atomic-host': {
 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
- 'key': 'fedora-29'
+ 'key': 'fedora-30'
 },
 'fedora/rawhide/x86_64/workstation': {
 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
- 'key': 'fedora-29'
+ 'key': 'fedora-30'
 },
 }
 }
From 1fed288d30c32e3ff6b32700876af427eab718b0 Mon Sep 17 00:00:00 2001
From: Dusty Mabe
Date: Fri, 24 Aug 2018 13:58:46 -0400
Subject: [PATCH 205/289] robosig: add in config for FAH FAW f29 refs
---
 .../files/robosignatory.production.py | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py
index 1b47fbfb36..e91357a58f 100644
--- a/roles/robosignatory/files/robosignatory.production.py
+++ b/roles/robosignatory/files/robosignatory.production.py
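Review bot: The four rawhide refs now name the key `fedora-30`, but nothing in this hunk shows that key being registered in the signing-key part of the configuration; if it is absent there, the mismatch presumably surfaces only when a rawhide compose is signed rather than when the config is loaded, so it is worth confirming before this is deployed. A one-line comment above the first rawhide entry would also make the next bump less error-prone: `# rawhide tracks the key of the release that branches next; bump all four together at branch time`. The enclosing `config` dict opens and closes outside this hunk.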
@@ -358,6 +358,54 @@ config = {
 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
 'key': 'fedora-28'
 },
+ 'fedora/29/x86_64/atomic-host': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/ppc64le/atomic-host': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/aarch64/atomic-host': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/x86_64/updates/atomic-host': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/ppc64le/updates/atomic-host': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/aarch64/updates/atomic-host': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/x86_64/testing/atomic-host': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/ppc64le/testing/atomic-host': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/aarch64/testing/atomic-host': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/x86_64/workstation': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/x86_64/updates/workstation': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
+ 'fedora/29/x86_64/testing/workstation': {
+ 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
+ 'key': 'fedora-29'
+ },
 'fedora/rawhide/x86_64/atomic-host': {
 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/',
 'key': 'fedora-30'
From 311a8e46daabb1884007c45606bb5bc9d7011807 Mon Sep 17 00:00:00 2001
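Review bot: The twelve `fedora/29/...` entries added here are identical except for the ref name, and the same `directory`/`key` pair is repeated in the rawhide entries of the preceding hunk, so a typo in one ref or one key is easy to miss in review and the 48 lines carry about twelve lines of information. Building these from a list of ref names with the shared `'directory'` and `'key'` filled in once (a small helper returning the dict, or a dict comprehension merged into `config`) would keep each arch/stream on one line; hedged, since the file may deliberately stay a flat literal so refs remain greppable. If the literal form is kept, a short comment above the first `fedora/29` entry naming which streams (base, updates, testing) and arches are intentionally covered would let the next release bump be checked against it. The enclosing `config` dict starts and ends outside this hunk.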
From: Kevin Fenzi
Date: Fri, 24 Aug 2018 19:49:18 +0000
Subject: [PATCH 206/289] add initial sign-vault05 info for initial install
---
 .../host_vars/sign-vault05.phx2.fedoraproject.org | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 inventory/host_vars/sign-vault05.phx2.fedoraproject.org
diff --git a/inventory/host_vars/sign-vault05.phx2.fedoraproject.org b/inventory/host_vars/sign-vault05.phx2.fedoraproject.org
new file mode 100644
index 0000000000..640cf9e319
--- /dev/null
+++ b/inventory/host_vars/sign-vault05.phx2.fedoraproject.org
@@ -0,0 +1,10 @@
+---
+gw: 10.5.125.254
+eth0_ip: 10.5.125.83
+
+install_noc: noc01.phx2.fedoraproject.org
+install_mac: D0:94:66:45:87:C1
+# Inside this, expect /vmlinuz and /initrd.img
+install_binpath: /uefi/x86_64/f28
+install_ks: http://10.5.126.23/repo/rhel/ks/buildhw-f28
+install_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
From 65113edddef5ee0e23e497fac62634bec8e08e18 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 24 Aug 2018 20:24:01 +0000
Subject: [PATCH 207/289] need to change this to uefi too
---
 .../dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org
index ae05626c95..0ffaf3aa39 100644
--- a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org
+++ b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org
@@ -41,7 +41,7 @@ subnet 10.5.125.0 netmask 255.255.255.0 {
 fixed-address 10.5.125.83;
 option host-name "sign-vault05";
 next-server 10.5.126.41;
- filename "pxelinux.0";
+ filename "uefi/bootx64.efi";
 }
 
 host sign-vault06 {
@@ -49,7 +49,7 @@ subnet 10.5.125.0 netmask 255.255.255.0 {
 fixed-address 10.5.125.84;
 option host-name "sign-vault06";
 next-server 10.5.126.41;
- filename "pxelinux.0";
+ filename "uefi/bootx64.efi";
 }
 
 host bkernel03 {
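Review bot: `install_ks` and `install_repo` for this signing-vault host point at plain `http://` sources on 10.5.126.23, so the kickstart and package tree that seed the vault are fetched without any transport integrity visible in this file; the sign-vault06 vars in a later commit on this page use the same pattern. That is presumably an accepted property of the build network, but for a host in this role it deserves to be stated rather than implied — a line such as `# install sources are http-only: integrity rests on the install VLAN being trusted — confirm` next to `install_ks` would carry that decision. `install_mac: D0:94:66:45:87:C1` is safe as a plain scalar here, but quoting MAC-like values is cheap insurance against a future value that happens to be all digits and colons.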
From c231d6b389ed9a5fc8f9bfda2f986ea38d11d043 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 24 Aug 2018 20:43:31 +0000
Subject: [PATCH 208/289] this is grubx64.efi
---
 .../files/dhcpd.conf.noc01.phx2.fedoraproject.org | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org
index 0ffaf3aa39..c875b6d399 100644
--- a/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org
+++ b/roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org
@@ -41,7 +41,7 @@ subnet 10.5.125.0 netmask 255.255.255.0 {
 fixed-address 10.5.125.83;
 option host-name "sign-vault05";
 next-server 10.5.126.41;
- filename "uefi/bootx64.efi";
+ filename "uefi/grubx64.efi";
 }
 
 host sign-vault06 {
@@ -49,7 +49,7 @@ subnet 10.5.125.0 netmask 255.255.255.0 {
 fixed-address 10.5.125.84;
 option host-name "sign-vault06";
 next-server 10.5.126.41;
- filename "uefi/bootx64.efi";
+ filename "uefi/grubx64.efi";
 }
 
 host bkernel03 {
@@ -57,7 +57,7 @@ subnet 10.5.125.0 netmask 255.255.255.0 {
 fixed-address 10.5.125.81;
 option host-name "bkernel03";
 next-server 10.5.126.41;
- filename "uefi/bootx64.efi";
+ filename "uefi/grubx64.efi";
 }
 
 host bkernel04 {
@@ -65,7 +65,7 @@ subnet 10.5.125.0 netmask 255.255.255.0 {
 fixed-address 10.5.125.82;
 option host-name "bkernel04";
 next-server 10.5.126.41;
- filename "uefi/bootx64.efi";
+ filename "uefi/grubx64.efi";
 }
 
 host bvirthost01 {
@@ -326,7 +326,7 @@ subnet 10.5.126.0 netmask 255.255.255.0 {
 fixed-address 10.5.126.143;
 next-server 10.5.126.41;
 option host-name "virthost03";
- filename "uefi/bootx64.efi";
+ filename "uefi/grubx64.efi";
 }
 
 
From aaaf5845eed769f6d1ef44c166a8cefb666ec1f8 Mon Sep 17 00:00:00 2001
From: Rick Elrod
Date: Fri, 24 Aug 2018 20:17:16 +0000
Subject: [PATCH 209/289] if we block /archive, we should block the API endpoint it gets its data from too...
Signed-off-by: Rick Elrod
---
 roles/modernpaste/templates/modern-paste.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/modernpaste/templates/modern-paste.conf b/roles/modernpaste/templates/modern-paste.conf
index 2c55e79d8e..790cec7436 100644
--- a/roles/modernpaste/templates/modern-paste.conf
+++ b/roles/modernpaste/templates/modern-paste.conf
@@ -112,6 +112,7 @@ RewriteEngine on
 {% if env != 'staging' %}
 RewriteRule login / [L,R]
 RewriteRule archive /login/ [L,R]
+RewriteRule api/paste/recent /login/ [L,R]
 {% endif %}
 
 RewriteCond %{HTTP_USER_AGENT} ^fpaste\/0\.3.*$ [OR]
From c3e8e5e4cf97f5cc281396acaafe938c6e1de50c Mon Sep 17 00:00:00 2001
From: Rick Elrod
Date: Fri, 24 Aug 2018 20:51:25 +0000
Subject: [PATCH 210/289] block "top" pastes api endpoint too
Signed-off-by: Rick Elrod
---
 roles/modernpaste/templates/modern-paste.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/modernpaste/templates/modern-paste.conf b/roles/modernpaste/templates/modern-paste.conf
index 790cec7436..b9c4737b45 100644
--- a/roles/modernpaste/templates/modern-paste.conf
+++ b/roles/modernpaste/templates/modern-paste.conf
@@ -113,6 +113,7 @@ RewriteEngine on
 RewriteRule login / [L,R]
 RewriteRule archive /login/ [L,R]
 RewriteRule api/paste/recent /login/ [L,R]
+RewriteRule api/paste/top /login/ [L,R]
 {% endif %}
 
 RewriteCond %{HTTP_USER_AGENT} ^fpaste\/0\.3.*$ [OR]
From 563b4720223c5472734fb70f404fa53a94313e23 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 24 Aug 2018 21:33:02 +0000
Subject: [PATCH 211/289] Add sign-vault06 info and add both to inventory for initial config.
---
 .../host_vars/sign-vault06.phx2.fedoraproject.org | 10 ++++++++++
 inventory/inventory | 2 ++
 2 files changed, 12 insertions(+)
 create mode 100644 inventory/host_vars/sign-vault06.phx2.fedoraproject.org
diff --git a/inventory/host_vars/sign-vault06.phx2.fedoraproject.org b/inventory/host_vars/sign-vault06.phx2.fedoraproject.org
new file mode 100644
index 0000000000..b2a9e8d90b
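Review bot: The new `RewriteRule api/paste/recent /login/ [L,R]` (and `api/paste/top` added in the following hunk) closes the listing path that `archive` was reading from, but nothing in the file records that these three rules exist together to stop anonymous paste enumeration, so a later cleanup can easily drop one and silently reopen the listing. A comment above the `{% if env != 'staging' %}` block would carry the intent: `# Outside staging: send the paste-listing UI and the API endpoints it reads from to the login page, so pastes cannot be enumerated anonymously. Keep these rules together.` The patterns are unanchored regexes, so they also match any longer path containing the fragment, which is the safer direction for a block but worth knowing; and because they are redirects rather than a 403, API clients get a 302 to the login page instead of an explicit denial, which presumably is acceptable since the aim is hiding rather than an API contract.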
--- /dev/null +++ b/inventory/host_vars/sign-vault06.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +gw: 10.5.125.254 +eth0_ip: 10.5.125.84 + +install_noc: noc01.phx2.fedoraproject.org +install_mac: D0:94:66:45:A1:62 +# Inside this, expect /vmlinuz and /initrd.img +install_binpath: /uefi/x86_64/f28 +install_ks: http://10.5.126.23/repo/rhel/ks/buildhw-f28 +install_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ diff --git a/inventory/inventory b/inventory/inventory index 418c1b3723..f9b17ede8c 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -259,6 +259,8 @@ sign-bridge01.stg.phx2.fedoraproject.org #sign-vault03.phx2.fedoraproject.org #sign-vault04.phx2.fedoraproject.org #sign-vault01.stg.phx2.fedoraproject.org +sign-vault05.phx2.fedoraproject.org +sign-vault06.phx2.fedoraproject.org [autocloud-web] autocloud-web01.phx2.fedoraproject.org From 49b55c8d46e320c67b3059e62548bd423d22d1ee Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Aug 2018 22:04:28 +0000 Subject: [PATCH 212/289] disable sigul-server role for now until we land 1.0 stuff --- playbooks/manual/sign-vault.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/manual/sign-vault.yml b/playbooks/manual/sign-vault.yml index 9a54454211..8b33245d6b 100644 --- a/playbooks/manual/sign-vault.yml +++ b/playbooks/manual/sign-vault.yml @@ -36,7 +36,7 @@ - base - rkhunter - serial-console - - sigul/server +# - sigul/server tasks: - import_tasks: "{{ tasks_path }}/yumrepos.yml" From 88b9913b1ea268c6e2cb35ae9154b67b26e7fc9e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Aug 2018 22:19:08 +0000 Subject: [PATCH 213/289] this is grub2-efi.cfg on uefi installs --- roles/serial-console/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/serial-console/tasks/main.yml b/roles/serial-console/tasks/main.yml index a333188fb8..a203439399 100644 --- a/roles/serial-console/tasks/main.yml 
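Review bot: `# - sigul/server` in playbooks/manual/sign-vault.yml disables the role with no trace of why or when it comes back; the reason lives only in the commit message, so anyone reading the play later sees a vault host provisioned without its signing service and has to guess. Change the line to `# - sigul/server  # disabled until the sigul 1.0 changes land; re-enable then` so the condition travels with the file. The play's roles list starts above the hunk, and the two new sign-vault hosts added to inventory/inventory in the same page are therefore currently configured with base/rkhunter/serial-console only.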
+++ b/roles/serial-console/tasks/main.yml @@ -2,7 +2,7 @@ # This role sets up serial console on ttyS0 # - name: check for grub serial setup - command: cat /etc/grub2.cfg + command: cat /etc/grub2-efi.cfg register: serial check_mode: no changed_when: '1 != 1' From bd74eda10cada986d6bc1de414b84a0873a318af Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Aug 2018 01:09:08 +0000 Subject: [PATCH 214/289] try adjusting the archive link on email footers --- .../files/mailman-template-list-member-generic-footer.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mailman/files/mailman-template-list-member-generic-footer.txt b/roles/mailman/files/mailman-template-list-member-generic-footer.txt index 9d8f9765c6..657147962f 100644 --- a/roles/mailman/files/mailman-template-list-member-generic-footer.txt +++ b/roles/mailman/files/mailman-template-list-member-generic-footer.txt @@ -3,4 +3,4 @@ $display_name mailing list -- $listname To unsubscribe send an email to ${short_listname}-leave@${domain} Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines -List Archives: ${hyperkitty_url} +List Archives: https://${domain}/archives/list/${listname} From 2efe6dd3d9a958d3cc66105265cc88ce8d2141c3 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Sun, 26 Aug 2018 17:10:53 +0000 Subject: [PATCH 215/289] remove openshift items from batcave not used anymore --- roles/batcave/tasks/main.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml index 8a4d6b4e69..d4abe539b5 100644 --- a/roles/batcave/tasks/main.yml +++ b/roles/batcave/tasks/main.yml 
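Review bot: `command: cat /etc/grub2-efi.cfg` replaces the BIOS path outright, so on any host that has only `/etc/grub2.cfg` the task now fails with a missing-file error; the hunk shows `check_mode: no` and `changed_when: '1 != 1'` but no `failed_when` or `ignore_errors`, and this role is presumably still applied to BIOS-booted hosts. If both firmware types are in scope, `shell: cat /etc/grub2-efi.cfg 2>/dev/null || cat /etc/grub2.cfg` keeps the check usable on either, or a `stat` of the EFI path with a conditional on each `cat` does the same more explicitly. The tasks that consume the `serial` register are outside this hunk and should be checked for the same path assumption.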
@@ -167,27 +167,6 @@ - batcave - config -# -# Script to sync ssh keys from fas to openshift instances. -# - -- name: setup python module for openshift sync script - copy: src=oshift_mod.py dest=/usr/local/bin/oshift_mod.py mode=0644 - tags: - - batcave - - config - -- name: setup setup sync-openshift-keys config - template: src=sync-openshift-keys.conf.j2 dest=/etc/sync-openshift-keys.conf mode=0600 - tags: - - batcave - - config - -- name: setup setup sync-openshift-keys script - copy: src=sync-openshift-keys.py dest=/usr/local/bin/sync-openshift-keys.py mode=0755 - tags: - - batcave - - config # The zodbot server must allow TCP on whatever port zodbot is listening on # for this to work (currently TCP port 5050). From 01bf759629a3ca8283dfe6078bca58c9bded2ec2 Mon Sep 17 00:00:00 2001 
From: clime Date: Mon, 27 Aug 2018 10:02:52 +0200 Subject: [PATCH 216/289] copr: create frontend-cloud role, rename stg host group to dev --- inventory/inventory | 18 +-- playbooks/groups/copr-backend.yml | 6 +- playbooks/groups/copr-dist-git.yml | 6 +- playbooks/groups/copr-frontend-cloud.yml | 42 ++++++ playbooks/groups/copr-keygen.yml | 6 +- .../copr/frontend-cloud/files/DigiCertCA.crt | 28 ++++ .../frontend-cloud/files/banner-include.html | 8 + .../frontend-cloud/files/httpd/welcome.conf | 1 + .../copr/frontend-cloud/files/pg/pg_hba.conf | 13 ++ roles/copr/frontend-cloud/files/robots.txt | 2 + roles/copr/frontend-cloud/handlers/main.yml | 5 + roles/copr/frontend-cloud/meta/main.yml | 3 + .../frontend-cloud/tasks/install_certs.yml | 14 ++ roles/copr/frontend-cloud/tasks/main.yml | 138 ++++++++++++++++++ roles/copr/frontend-cloud/tasks/mount_fs.yml | 6 + .../copr/frontend-cloud/tasks/psql_setup.yml | 110 ++++++++++++++ roles/copr/frontend-cloud/templates/copr.conf | 81 ++++++++++ .../frontend-cloud/templates/httpd/coprs.conf | 56 +++++++ .../templates/httpd/coprs_ssl.conf.j2 | 80 ++++++++++ 19 files changed, 605 insertions(+), 18 deletions(-) create mode 100644 playbooks/groups/copr-frontend-cloud.yml create mode 100644 roles/copr/frontend-cloud/files/DigiCertCA.crt create mode 100644 roles/copr/frontend-cloud/files/banner-include.html create mode 100644 roles/copr/frontend-cloud/files/httpd/welcome.conf create mode 100644 roles/copr/frontend-cloud/files/pg/pg_hba.conf create mode 100644 roles/copr/frontend-cloud/files/robots.txt create mode 100644 roles/copr/frontend-cloud/handlers/main.yml create mode 100644 roles/copr/frontend-cloud/meta/main.yml create mode 100644 roles/copr/frontend-cloud/tasks/install_certs.yml create mode 100644 roles/copr/frontend-cloud/tasks/main.yml create mode 100644 roles/copr/frontend-cloud/tasks/mount_fs.yml create mode 100644 roles/copr/frontend-cloud/tasks/psql_setup.yml create mode 100644 
roles/copr/frontend-cloud/templates/copr.conf create mode 100644 roles/copr/frontend-cloud/templates/httpd/coprs.conf create mode 100644 roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2 diff --git a/inventory/inventory b/inventory/inventory index f9b17ede8c..ed43de9859 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1296,13 +1296,13 @@ bvirthost buildvmhost virthost-comm -[copr-front-stg] +[copr-front-dev] copr-fe-dev.cloud.fedoraproject.org -[copr-back-stg] +[copr-back-dev] copr-be-dev.cloud.fedoraproject.org -[copr-keygen-stg] +[copr-keygen-dev] copr-keygen-dev.cloud.fedoraproject.org [copr-keygen] @@ -1317,7 +1317,7 @@ copr-be.cloud.fedoraproject.org [copr-dist-git] copr-dist-git.fedorainfracloud.org -[copr-dist-git-stg] +[copr-dist-git-dev] copr-dist-git-dev.fedorainfracloud.org [copr:children] @@ -1326,11 +1326,11 @@ copr-back copr-keygen copr-dist-git -[copr-stg:children] -copr-front-stg -copr-back-stg -copr-keygen-stg -copr-dist-git-stg +[copr-dev:children] +copr-front-dev +copr-back-dev +copr-keygen-dev +copr-dist-git-dev [pagure] pagure01.fedoraproject.org diff --git a/playbooks/groups/copr-backend.yml b/playbooks/groups/copr-backend.yml index 67fe7d8772..f11a188f3e 100644 --- a/playbooks/groups/copr-backend.yml +++ b/playbooks/groups/copr-backend.yml @@ -1,6 +1,6 @@ - name: check/create instance #hosts: copr-back - hosts: copr-back:copr-back-stg + hosts: copr-back:copr-back-dev user: root gather_facts: False @@ -13,7 +13,7 @@ - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" - name: cloud basic setup - hosts: copr-back:copr-back-stg + hosts: copr-back:copr-back-dev user: root gather_facts: True vars_files: @@ -28,7 +28,7 @@ hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org" - name: provision instance - hosts: copr-back:copr-back-stg + hosts: copr-back:copr-back-dev user: root gather_facts: True diff --git a/playbooks/groups/copr-dist-git.yml b/playbooks/groups/copr-dist-git.yml index fd6224cb5a..4a3dff1eb3 100644 
--- a/playbooks/groups/copr-dist-git.yml +++ b/playbooks/groups/copr-dist-git.yml @@ -1,5 +1,5 @@ - name: check/create instance - hosts: copr-dist-git-stg:copr-dist-git + hosts: copr-dist-git-dev:copr-dist-git user: root gather_facts: False @@ -13,7 +13,7 @@ - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" - name: cloud basic setup - hosts: copr-dist-git-stg:copr-dist-git + hosts: copr-dist-git-dev:copr-dist-git user: root gather_facts: True vars_files: @@ -27,7 +27,7 @@ hostname: name="{{copr_hostbase}}.fedorainfracloud.org" - name: provision instance - hosts: copr-dist-git-stg:copr-dist-git + hosts: copr-dist-git-dev:copr-dist-git user: root gather_facts: True diff --git a/playbooks/groups/copr-frontend-cloud.yml b/playbooks/groups/copr-frontend-cloud.yml new file mode 100644 index 0000000000..82cc92d16e --- /dev/null +++ b/playbooks/groups/copr-frontend-cloud.yml 
@@ -0,0 +1,42 @@
+- name: check/create instance
+ hosts: copr-front-dev:copr-front
+ # hosts: copr-front
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/fedora-cloud.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+
+ tasks:
+ - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
+
+- name: cloud basic setup
+ hosts: copr-front-dev:copr-front
+ # hosts: copr-front
+ gather_facts: True
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+
+ tasks:
+ - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+ - name: set hostname (required by some services, at least postfix need it)
+ hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
+
+- name: provision instance
+ hosts: copr-front:copr-front-dev
+ # hosts: copr-front
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - copr/frontend
+ - nagios_client
diff --git a/playbooks/groups/copr-keygen.yml b/playbooks/groups/copr-keygen.yml
index 4ec2e5afe4..ae40ed8f5b 100644
--- a/playbooks/groups/copr-keygen.yml
+++ b/playbooks/groups/copr-keygen.yml
@@ -1,5 +1,5 @@
 - name: check/create instance
- hosts: copr-keygen-stg:copr-keygen
+ hosts: copr-keygen-dev:copr-keygen
 #hosts: copr-keygen
 gather_facts: False
 
@@ -21,7 +21,7 @@
 when: facts is failed
 
 - name: cloud basic setup
- hosts: copr-keygen-stg:copr-keygen
+ hosts: copr-keygen-dev:copr-keygen
 # hosts: copr-keygen
 gather_facts: True
 vars_files:
@@ -35,7 +35,7 @@
 hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
 
 - name: provision instance
- hosts: copr-keygen:copr-keygen-stg
+ hosts: copr-keygen:copr-keygen-dev
 #hosts: copr-keygen
 gather_facts: True
 
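Review bot: The provision play in the new playbooks/groups/copr-frontend-cloud.yml lists `- copr/frontend`, while everything else in this commit creates `roles/copr/frontend-cloud`; unless a `copr/frontend` role already exists in the tree, this playbook never applies the role it was written to drive, and if one does exist the reason a "cloud" playbook uses the non-cloud role needs saying. Either change the entry to `- copr/frontend-cloud` or add a comment above the `roles:` list explaining the split. The file also has no leading `---`, unlike the role's `meta/main.yml` and `tasks/main.yml` in the same commit, and the three plays target the same hosts in two different orders (`copr-front-dev:copr-front` vs `copr-front:copr-front-dev`), which is harmless but reads as accidental.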
diff --git a/roles/copr/frontend-cloud/files/DigiCertCA.crt b/roles/copr/frontend-cloud/files/DigiCertCA.crt new file mode 100644 index 0000000000..d08b961f22 --- /dev/null +++ b/roles/copr/frontend-cloud/files/DigiCertCA.crt @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL +MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 +LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy +YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2 +4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC +Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1 +itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn +4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X +sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft +bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA +MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw +NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy +dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t +L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG +BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ +UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D +aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd +aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH +E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly +/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu +xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF +0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae +cPUeybQ= +-----END CERTIFICATE----- 
diff --git a/roles/copr/frontend-cloud/files/banner-include.html b/roles/copr/frontend-cloud/files/banner-include.html new file mode 100644 index 0000000000..2b539819d1 --- /dev/null +++ b/roles/copr/frontend-cloud/files/banner-include.html @@ -0,0 +1,8 @@ +
+

+ Warning! This is a development server. +

+

+ Production instance: https://copr.fedoraproject.org/ +

+
diff --git a/roles/copr/frontend-cloud/files/httpd/welcome.conf b/roles/copr/frontend-cloud/files/httpd/welcome.conf new file mode 100644 index 0000000000..3b15c42b9f --- /dev/null +++ b/roles/copr/frontend-cloud/files/httpd/welcome.conf @@ -0,0 +1 @@ +#commented out so it doesn't do that stupid index page diff --git a/roles/copr/frontend-cloud/files/pg/pg_hba.conf b/roles/copr/frontend-cloud/files/pg/pg_hba.conf new file mode 100644 index 0000000000..3cf2f2cb65 --- /dev/null +++ b/roles/copr/frontend-cloud/files/pg/pg_hba.conf @@ -0,0 +1,13 @@ +local coprdb copr-fe md5 +host coprdb copr-fe 127.0.0.1/8 md5 +host coprdb copr-fe ::1/128 md5 +local coprdb postgres ident + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all peer +# IPv4 local connections: +host all all 127.0.0.1/32 ident +# IPv6 local connections: +host all all ::1/128 ident diff --git a/roles/copr/frontend-cloud/files/robots.txt b/roles/copr/frontend-cloud/files/robots.txt new file mode 100644 index 0000000000..1f53798bb4 --- /dev/null +++ b/roles/copr/frontend-cloud/files/robots.txt @@ -0,0 +1,2 @@ +User-agent: * +Disallow: / diff --git a/roles/copr/frontend-cloud/handlers/main.yml b/roles/copr/frontend-cloud/handlers/main.yml new file mode 100644 index 0000000000..4585db853a --- /dev/null +++ b/roles/copr/frontend-cloud/handlers/main.yml @@ -0,0 +1,5 @@ +- import_tasks: "{{ handlers_path }}/restart_services.yml" + +- name: restart postgresql + service: name=postgresql + state=restarted diff --git a/roles/copr/frontend-cloud/meta/main.yml b/roles/copr/frontend-cloud/meta/main.yml new file mode 100644 index 0000000000..a774579b1d --- /dev/null +++ b/roles/copr/frontend-cloud/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: copr/base } diff --git a/roles/copr/frontend-cloud/tasks/install_certs.yml b/roles/copr/frontend-cloud/tasks/install_certs.yml new file mode 100644 index 0000000000..ea8714d423 --- /dev/null 
+++ b/roles/copr/frontend-cloud/tasks/install_certs.yml
@@ -0,0 +1,14 @@
+- name: copy httpd ssl certificates (crt)
+ copy: src="{{ private }}/files/httpd/{{item}}"
+ dest="/etc/pki/tls/certs/"
+ owner=root group=root mode=0600
+ with_items:
+ - copr.fedorainfracloud.org.crt
+ - copr.fedorainfracloud.org.intermediate.crt
+ tags:
+ - config
+
+- name: copy httpd ssl certificates (key)
+ copy: src="{{ private }}/files/httpd/copr.fedorainfracloud.org.key" dest="/etc/pki/tls/private/" owner=root group=root mode=0600
+ tags:
+ - config
diff --git a/roles/copr/frontend-cloud/tasks/main.yml b/roles/copr/frontend-cloud/tasks/main.yml
new file mode 100644
index 0000000000..61b91f1ea0
--- /dev/null
+++ b/roles/copr/frontend-cloud/tasks/main.yml
@@ -0,0 +1,138 @@ +--- +- import_tasks: "mount_fs.yml" + +- command: "ls -dZ /var/lib/pgsql" + register: pgsql_ls + +- name: update selinux context for postgress db dir if it's wrong + command: "restorecon -vvRF /var/lib/pgsql" + when: pgsql_ls.stdout is defined and 'postgresql_db_t' not in pgsql_ls.stdout + +- name: install copr-frontend and copr-selinux + dnf: state=latest name={{ item }} + with_items: + - copr-frontend + - copr-selinux + tags: + - packages + + # we install python-alembic because https://bugzilla.redhat.com/show_bug.cgi?id=1536058 +- name: install additional pkgs for copr-frontend + dnf: state=present pkg={{ item }} + with_items: + - "bash-completion" + - "mod_ssl" + - redis + - pxz + - python3-alembic + tags: + - packages + +- name: install a newer version of xstatic-jquery-ui-common + command: dnf install -y https://kojipkgs.fedoraproject.org//packages/python-XStatic-jquery-ui/1.12.0.1/2.fc26/noarch/xstatic-jquery-ui-common-1.12.0.1-2.fc26.noarch.rpm + +- name: install copr configs + template: src="copr.conf" dest=/etc/copr/copr.conf mode=600 + notify: + - reload httpd + tags: + - config + +- name: enable and start redis # TODO: .service in copr-backend should depend on redis + service: name=redis enabled=yes state=started + +- name: enable and start pagure-events + service: name=pagure-events enabled=yes state=started + +- name: copy apache files to conf.d + copy: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" + with_items: + - "welcome.conf" + tags: + - config + +- name: copy apache files to conf.d (templates) + template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" + with_items: + - "coprs.conf" + tags: + - config + +# https://bugzilla.redhat.com/show_bug.cgi?id=1535689 +- name: Allow execmem for Apache + seboolean: + name: httpd_execmem + state: yes + persistent: yes + +- import_tasks: "psql_setup.yml" + +- name: upgrade db to head + command: alembic-3 upgrade head + become: yes + become_user: copr-fe + args: + 
chdir: /usr/share/copr/coprs_frontend/ + +- name: set up admins + command: ./manage.py alter_user --admin {{ item }} + become: yes + become_user: copr-fe + args: + chdir: /usr/share/copr/coprs_frontend/ + ignore_errors: yes + with_items: + - msuchy + - sgallagh + - spot + - nb + - kevin + +- name: install ssl certificates for production + import_tasks: "install_certs.yml" + when: not devel + tags: + - config + +- name: letsencrypt cert + include_role: name=certbot + when: devel + tags: + - config + +- name: Check that cert file exists + stat: + path: "/etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem" + register: stat_cert + +- name: Should admin run certbot? + fail: + msg: Please see roles/certbot/README step (2) and manually run certbot + when: + - stat_cert.stat.exists == False + - devel + +- name: install copr-frontend ssl vhost + template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/coprs_ssl.conf" + tags: + - config + +- name: enable services + service: state=started enabled=yes name={{ item }} + with_items: + - httpd + +- name: set dev banner for dev instance + when: devel + copy: src=banner-include.html dest=/var/lib/copr/ + +- name: disallow robots on dev instance + when: devel + copy: src=robots.txt dest=/var/www/html/ + +- name: rebuild indexes + command: ./manage.py update_indexes + become: yes + become_user: copr-fe + args: + chdir: /usr/share/copr/coprs_frontend/ diff --git a/roles/copr/frontend-cloud/tasks/mount_fs.yml b/roles/copr/frontend-cloud/tasks/mount_fs.yml new file mode 100644 index 0000000000..e355d38ff6 --- /dev/null +++ b/roles/copr/frontend-cloud/tasks/mount_fs.yml @@ -0,0 +1,6 @@ +- name: mount up disk of copr fe + mount: name=/srv/copr-fe src='LABEL=copr-fe' fstype=ext4 state=mounted + +- name: mount up bind mount for postgres + mount: src=/srv/copr-fe/pgsqldb name=/var/lib/pgsql fstype=auto opts=bind state=mounted + 
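Review bot: `command: dnf install -y https://kojipkgs.fedoraproject.org//packages/python-XStatic-jquery-ui/…/xstatic-jquery-ui-common-1.12.0.1-2.fc26.noarch.rpm` in the new tasks/main.yml runs on every play, reports changed every time, and sidesteps the dnf module's idempotence and gpgcheck handling; the module accepts an RPM URL directly, so `dnf: name=<that url> state=present` gives the same result with correct change reporting and the usual signature check. Separately, `ignore_errors: yes` on the `./manage.py alter_user --admin` loop hides every failure of that step, including a broken database; a `failed_when` keyed on the specific "already admin"-style output, or `changed_when: false`, would be narrower, and the reason for the pin (the bugzilla link is given only for python-alembic) belongs in a comment on the task. The hunk begins on the previous line and covers the whole new file.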
diff --git a/roles/copr/frontend-cloud/tasks/psql_setup.yml b/roles/copr/frontend-cloud/tasks/psql_setup.yml new file mode 100644 index 0000000000..b5116f6218 --- /dev/null +++ b/roles/copr/frontend-cloud/tasks/psql_setup.yml 
@@ -0,0 +1,110 @@ +- name: install postresql + package: state=present pkg={{ item }} + with_items: + - "postgresql-server" + - "postgresql-contrib" + + +- name: See if postgreSQL is installed + stat: path=/var/lib/pgsql/initdb.log + register: pgsql_installed + +- name: init postgresql + shell: "postgresql-setup initdb" + when: not pgsql_installed.stat.exists + +- name: copy pg_hba.conf + copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600 + notify: + - restart postgresql + tags: + - config + +- name: Ensure postgres has a place to backup to + file: dest=/backups state=directory owner=postgres + tags: + - config + +# TODO: I think we missing user creation, check it we do it somewhere else ... + +- name: Copy over backup scriplet + copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755 + tags: + - config + +- name: Set up some cronjobs to backup databases as configured + template: > + src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database" + dest="/etc/cron.d/cron-backup-database-{{ item }}" + with_items: + - "{{ dbs_to_backup }}" + when: dbs_to_backup != [] + tags: + - config + +- name: enable Pg service + service: state=started enabled=yes name=postgresql + +- name: Create db + postgresql_db: name="coprdb" encoding='UTF-8' + become: yes + become_user: postgres + +- name: Create db user + postgresql_user: db="coprdb" name="copr-fe" password="{{ copr_database_password }}" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE + become: yes + become_user: postgres + +- name: set shared_buffers for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^shared_buffers =' + line: 'shared_buffers = 1024MB' + notify: restart postgresql + tags: + - config + +- name: set effective_cache_size for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^effective_cache_size =' + line: 
'effective_cache_size = 2048MB' + notify: restart postgresql + tags: + - config + +- name: set work_mem for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^work_mem =' + line: 'work_mem = 4MB' + notify: restart postgresql + tags: + - config + +- name: set maintenance_work_mem for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^maintenance_work_mem =' + line: 'maintenance_work_mem = 1GB' + notify: restart postgresql + tags: + - config + +- name: set checkpoint_completion_target for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^checkpoint_completion_target =' + line: 'checkpoint_completion_target = 0.9' + notify: restart postgresql + tags: + - config + +- name: set log_min_duration_statement for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^log_min_duration_statement =' + line: 'log_min_duration_statement = 500' + notify: restart postgresql + tags: + - config diff --git a/roles/copr/frontend-cloud/templates/copr.conf b/roles/copr/frontend-cloud/templates/copr.conf new file mode 100644 index 0000000000..b66f1514d1 --- /dev/null +++ b/roles/copr/frontend-cloud/templates/copr.conf 
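Review bot: The `Create db user` task grants the web application's database role SUPERUSER (`role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE`), so a SQL injection or a compromised frontend process is not confined to `coprdb` — a superuser can read server files and run `COPY ... FROM PROGRAM` as the postgres OS user. The role only needs to own its database: create the role first without the `db=` argument (so it does not require the database to exist yet) and with `NOSUPERUSER`, then create `coprdb` with `owner=copr-fe`; if the alembic migrations need an extension, create it here as postgres rather than leaving SUPERUSER on the app role. This ordering also answers the `# TODO: I think we missing user creation` comment, which can then be dropped. Two smaller points in the same hunk: `shell: "postgresql-setup initdb"` uses no shell features and should be `command:`, and `when: dbs_to_backup != []` fails if the variable is undefined, so `when: dbs_to_backup | default([]) | length > 0` is more robust.
```yaml
- name: Create db user (owner of coprdb, not a superuser)
  postgresql_user: name="copr-fe" password="{{ copr_database_password }}" role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE
  become: yes
  become_user: postgres

- name: Create db
  postgresql_db: name="coprdb" encoding='UTF-8' owner="copr-fe"
  become: yes
  become_user: postgres
# ... unchanged: postgresql.conf tuning tasks ...
```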
@@ -0,0 +1,81 @@ +# Directory and files where is stored Copr database files +DATA_DIR = '/var/lib/copr/data' +DATABASE = '/var/lib/copr/data/copr.db' +OPENID_STORE = '/var/lib/copr/data/openid_store' +WHOOSHEE_DIR = '/var/lib/copr/data/whooshee' +WHOOSHEE_MIN_STRING_LEN = 2 +WHOOSHEE_WRITER_TIMEOUT = 10 + +SECRET_KEY = '{{ copr_secret_key }}' +BACKEND_PASSWORD = '{{ copr_backend_password }}' +BACKEND_BASE_URL = '{{ backend_base_url }}' + +# restrict access to a set of users +#USE_ALLOWED_USERS = False +#ALLOWED_USERS = ['bonnie', 'clyde'] + +SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://copr-fe:{{ copr_database_password }}@/coprdb' + +# Token length, defaults to 30 (max 255) +#API_TOKEN_LENGTH = 30 + +# Expiration of API token in days +#API_TOKEN_EXPIRATION = 180 + +# logging options +#SEND_LOGS_TO = ['root@localhost'] +#LOGGING_LEVEL = logging.ERROR + +DEBUG = False +SQLALCHEMY_ECHO = False + +CSRF_ENABLED = True +WTF_CSRF_ENABLED = True + +# send emails when user's perms change in project? 
+SEND_EMAILS = True + +PUBLIC_COPR_HOSTNAME = "{{ copr_frontend_public_hostname }}" + +LOG_FILENAME = "/var/log/copr-frontend/frontend.log" +LOG_DIR = "/var/log/copr-frontend/" + +# to accept stat events from logstash +INTRANET_IPS = {{ copr_backend_ips }} + +REPO_GPGCHECK = {% if devel %} 0 {% else %} 1 {% endif %} + +{% if env == 'staging' %} +PUBLIC_COPR_BASE_URL = "http://copr-fe-dev.cloud.fedoraproject.org" +{% else %} +PUBLIC_COPR_BASE_URL = "https://copr.fedorainfracloud.org" +{% endif %} + +{% if env == 'staging' %} +# Staging URLs for fedmenu +FEDMENU_URL = "https://apps.stg.fedoraproject.org/fedmenu/" +FEDMENU_DATA_URL = "https://apps.stg.fedoraproject.org/js/data.js" +{% else %} +# Production URLs for fedmenu +FEDMENU_URL = "https://apps.fedoraproject.org/fedmenu/" +FEDMENU_DATA_URL = "https://apps.fedoraproject.org/js/data.js" +{% endif %} + +# todo: check that ansible variable is used correctly +{% if env == 'staging' %} +ENFORCE_PROTOCOL_FOR_BACKEND_URL = "http" +ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "http" +{% else %} +ENFORCE_PROTOCOL_FOR_BACKEND_URL = "https" +ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "https" +{% endif %} + +DIST_GIT_URL="https://{{ dist_git_base_url }}/cgit" +DIST_GIT_CLONE_URL="https://{{ dist_git_base_url }}/git" +COPR_DIST_GIT_LOGS_URL = "https://{{ dist_git_base_url }}/per-task-logs" +MBS_URL = "http://localhost/module/1/module-builds/" + +# no need to filter cla_* groups, they are already filtered by fedora openid +BLACKLISTED_GROUPS = ['fedorabugs', 'packager', 'provenpackager'] + +DEFER_BUILD_SECONDS = 300 diff --git a/roles/copr/frontend-cloud/templates/httpd/coprs.conf b/roles/copr/frontend-cloud/templates/httpd/coprs.conf new file mode 100644 index 0000000000..453144a8ac --- /dev/null +++ b/roles/copr/frontend-cloud/templates/httpd/coprs.conf 
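Review bot: The `env == 'staging'` branch pins `PUBLIC_COPR_BASE_URL`, `ENFORCE_PROTOCOL_FOR_BACKEND_URL` and `ENFORCE_PROTOCOL_FOR_FRONTEND_URL` to plain `http`, while this same role installs an HTTPS-only vhost with a one-year HSTS header for `devel` hosts (coprs_ssl.conf.j2) and `copr-fe-dev.cloud.fedoraproject.org` is that devel hostname; on a host where both conditions hold, every URL the application generates would be `http://`, get bounced by the 301, and any API token a client sends to such a URL would travel in clear before the redirect. The `# todo: check that ansible variable is used correctly` comment already flags this uncertainty, so I would resolve it rather than ship it: derive the scheme from whether the TLS vhost is installed, e.g. `PUBLIC_COPR_BASE_URL = "https://{{ copr_frontend_public_hostname }}"` in both branches, or document in a comment why staging must stay on http. `MBS_URL = "http://localhost/module/1/module-builds/"` also reads like a placeholder; if it is meant to be a real endpoint it should come from a variable and use https.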
@@ -0,0 +1,56 @@ +NameVirtualHost *:80 +LoadModule wsgi_module modules/mod_wsgi.so +WSGISocketPrefix /var/run/wsgi +Alias /robots.txt /var/www/html/robots.txt + +WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=15 display-name=other maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess api user=copr-fe group=copr-fe threads=15 display-name=api maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess backend user=copr-fe group=copr-fe threads=15 display-name=backend maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess stats user=copr-fe group=copr-fe threads=15 display-name=stats maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20 +WSGIScriptAlias / /usr/share/copr/coprs_frontend/application + + + ServerName copr.fedorainfracloud.org + ServerAlias copr-fe.cloud.fedoraproject.org + WSGIPassAuthorization On + + + WSGIProcessGroup 127.0.0.1 + + + #ErrorLog logs/error_coprs + #CustomLog logs/access_coprs common + + + WSGIApplicationGroup %{GLOBAL} + Require all granted + + + +{% if devel %} + + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] + RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE] + +{% endif %} + + +ExtendedStatus On + + + SetHandler server-status + Require all denied + Require host localhost .redhat.com + + + + + StartServers 8 + MinSpareServers 8 + MaxSpareServers 20 + MaxClients 50 + MaxRequestsPerChild 10000 + + diff --git a/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2 b/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2 new file mode 100644 index 0000000000..846d8d85dd --- /dev/null +++ b/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2 
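Review bot: The port-80 vhost (`ServerName copr.fedorainfracloud.org`) serves the full WSGI application with `WSGIPassAuthorization On`, but the `RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]` is wrapped in `{% if devel %}`, so on production nothing in this file redirects plain-HTTP clients and a user or tool that hits `http://` first sends its session cookie or API token in clear (the HSTS header on :443 only helps after a first HTTPS visit). Unless HTTPS is terminated upstream for production (not visible here), keep only the `.well-known` ACME rule inside `{% if devel %}` and apply `RewriteEngine on` plus the https redirect unconditionally. The `/server-status` block mixes `Require all denied` with `Require host localhost .redhat.com`: inside the implicit `<RequireAny>` the `denied` line is a no-op, and `Require host` makes the access decision on reverse DNS; `Require ip 127.0.0.1 ::1` plus an explicit CIDR for the monitoring hosts is the safer form.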
@@ -0,0 +1,80 @@ +Listen 443 https + + + + SSLEngine on + SSLProtocol {{ ssl_protocols }} + # Use secure TLSv1.1 and TLSv1.2 ciphers + SSLCipherSuite {{ ssl_ciphers }} + SSLHonorCipherOrder on + Header always add Strict-Transport-Security "max-age=31536000; preload" + + {% if not devel %} + SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt + SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key + SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt + {% else %} + SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem + {% endif %} + + ServerName {{ copr_frontend_public_hostname }} + + WSGIPassAuthorization On + WSGIScriptAlias / /usr/share/copr/coprs_frontend/application + WSGIProcessGroup 127.0.0.1 + + + WSGIProcessGroup api + + + WSGIProcessGroup backend + + + WSGIProcessGroup stats + + + WSGIProcessGroup tmp + + + #ErrorLog logs/error_coprs + #CustomLog logs/access_coprs common + + + WSGIApplicationGroup %{GLOBAL} + Require all granted + + + RewriteEngine on + RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301] + RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301] + + # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work + RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT] + RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT] + + + + SSLEngine on + SSLProtocol {{ ssl_protocols }} + # Use secure TLSv1.1 and TLSv1.2 ciphers + SSLCipherSuite {{ ssl_ciphers }} + SSLHonorCipherOrder on + Header always add Strict-Transport-Security "max-age=31536000; 
preload" + + {% if not devel %} + SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt + SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key + SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt + {% else %} + SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem + {% endif %} + + {% if not devel %} + ServerAlias copr.fedoraproject.org + Redirect 302 / https://copr.fedorainfracloud.org/ + {% endif %} + From f937315e14b501ca06a16432e30190ea5d5def10 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 08:11:05 +0000 Subject: [PATCH 217/289] copr/frontend role should not depend on copr/base --- roles/copr/frontend/meta/main.yml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 roles/copr/frontend/meta/main.yml diff --git a/roles/copr/frontend/meta/main.yml b/roles/copr/frontend/meta/main.yml deleted file mode 100644 index a774579b1d..0000000000 --- a/roles/copr/frontend/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - { role: copr/base } From e198c71bc9dc8455c4c0ba6ee42e5a1d487c0df4 Mon Sep 17 00:00:00 2001 
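Review bot: The `Strict-Transport-Security "max-age=31536000; preload"` header on both vhosts is not preload-eligible — the preload list requires `includeSubDomains` — and adding `includeSubDomains` on `copr.fedorainfracloud.org` would commit every subdomain to HTTPS for a year, so either drop `preload` or confirm all subdomains are HTTPS-only before changing it to `max-age=31536000; includeSubDomains; preload`. The Let's Encrypt branch points `SSLCertificateChainFile` at `fullchain.pem`, which contains the leaf certificate again; `chain.pem` is the intermediates-only file, or on Apache 2.4.8+ set `SSLCertificateFile` to `fullchain.pem` and drop the chain directive. The second vhost answers for `copr.fedoraproject.org` with the `copr.fedorainfracloud.org` certificate, so the redirect is only reachable without a warning if that certificate carries the alias as a SAN — a comment stating that, and `Redirect 301` if the rename is permanent, would help. The `# Use secure TLSv1.1 and TLSv1.2 ciphers` comment is misleading since the protocol set comes from `{{ ssl_protocols }}` and TLS 1.1 is deprecated; reword to `# protocol and cipher list come from the global ssl_protocols / ssl_ciphers vars`.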
From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 08:20:01 +0000 Subject: [PATCH 218/289] Initial cleanup of copr/frontend role --- roles/copr/frontend/files/DigiCertCA.crt | 28 ----- roles/copr/frontend/files/banner-include.html | 2 +- roles/copr/frontend/files/httpd/welcome.conf | 1 - roles/copr/frontend/files/pg/pg_hba.conf | 13 --- roles/copr/frontend/files/robots.txt | 2 - roles/copr/frontend/handlers/main.yml | 5 - roles/copr/frontend/tasks/install_certs.yml | 14 --- roles/copr/frontend/tasks/main.yml | 71 +---------- roles/copr/frontend/tasks/mount_fs.yml | 6 - roles/copr/frontend/tasks/psql_setup.yml | 110 ------------------ .../copr/frontend/templates/httpd/coprs.conf | 8 -- .../templates/httpd/coprs_ssl.conf.j2 | 80 ------------- 12 files changed, 3 insertions(+), 337 deletions(-) delete mode 100644 roles/copr/frontend/files/DigiCertCA.crt delete mode 100644 roles/copr/frontend/files/httpd/welcome.conf delete mode 100644 roles/copr/frontend/files/pg/pg_hba.conf delete mode 100644 roles/copr/frontend/files/robots.txt delete mode 100644 roles/copr/frontend/handlers/main.yml delete mode 100644 roles/copr/frontend/tasks/install_certs.yml delete mode 100644 roles/copr/frontend/tasks/mount_fs.yml delete mode 100644 roles/copr/frontend/tasks/psql_setup.yml delete mode 100644 roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 diff --git a/roles/copr/frontend/files/DigiCertCA.crt b/roles/copr/frontend/files/DigiCertCA.crt deleted file mode 100644 index d08b961f22..0000000000 --- a/roles/copr/frontend/files/DigiCertCA.crt +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j -ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL -MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 -LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy -YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2 -4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC -Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1 -itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn -4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X -sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft -bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA -MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy -dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t -L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG -BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ -UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D -aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd -aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH -E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly -/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu -xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF -0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae -cPUeybQ= ------END CERTIFICATE----- diff --git a/roles/copr/frontend/files/banner-include.html b/roles/copr/frontend/files/banner-include.html index 2b539819d1..78ada661ed 100644 --- a/roles/copr/frontend/files/banner-include.html +++ b/roles/copr/frontend/files/banner-include.html @@ -1,6 +1,6 @@

- Warning! This is a development server. + Warning! This is a staging server.

Production instance: https://copr.fedoraproject.org/ diff --git a/roles/copr/frontend/files/httpd/welcome.conf b/roles/copr/frontend/files/httpd/welcome.conf deleted file mode 100644 index 3b15c42b9f..0000000000 --- a/roles/copr/frontend/files/httpd/welcome.conf +++ /dev/null @@ -1 +0,0 @@ -#commented out so it doesn't do that stupid index page diff --git a/roles/copr/frontend/files/pg/pg_hba.conf b/roles/copr/frontend/files/pg/pg_hba.conf deleted file mode 100644 index 3cf2f2cb65..0000000000 --- a/roles/copr/frontend/files/pg/pg_hba.conf +++ /dev/null @@ -1,13 +0,0 @@ -local coprdb copr-fe md5 -host coprdb copr-fe 127.0.0.1/8 md5 -host coprdb copr-fe ::1/128 md5 -local coprdb postgres ident - -# TYPE DATABASE USER ADDRESS METHOD - -# "local" is for Unix domain socket connections only -local all all peer -# IPv4 local connections: -host all all 127.0.0.1/32 ident -# IPv6 local connections: -host all all ::1/128 ident diff --git a/roles/copr/frontend/files/robots.txt b/roles/copr/frontend/files/robots.txt deleted file mode 100644 index 1f53798bb4..0000000000 --- a/roles/copr/frontend/files/robots.txt +++ /dev/null @@ -1,2 +0,0 @@ -User-agent: * -Disallow: / diff --git a/roles/copr/frontend/handlers/main.yml b/roles/copr/frontend/handlers/main.yml deleted file mode 100644 index 4585db853a..0000000000 --- a/roles/copr/frontend/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -- import_tasks: "{{ handlers_path }}/restart_services.yml" - -- name: restart postgresql - service: name=postgresql - state=restarted diff --git a/roles/copr/frontend/tasks/install_certs.yml b/roles/copr/frontend/tasks/install_certs.yml deleted file mode 100644 index ea8714d423..0000000000 --- a/roles/copr/frontend/tasks/install_certs.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -- name: copy httpd ssl certificates (crt) - copy: src="{{ private }}/files/httpd/{{item}}" - dest="/etc/pki/tls/certs/" - owner=root group=root mode=0600 - with_items: - - copr.fedorainfracloud.org.crt - - copr.fedorainfracloud.org.intermediate.crt - tags: - - config - -- name: copy httpd ssl certificates (key) - copy: src="{{ private }}/files/httpd/copr.fedorainfracloud.org.key" dest="/etc/pki/tls/private/" owner=root group=root mode=0600 - tags: - - config diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index 61b91f1ea0..a302a3e7c4 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -1,13 +1,4 @@ --- -- import_tasks: "mount_fs.yml" - -- command: "ls -dZ /var/lib/pgsql" - register: pgsql_ls - -- name: update selinux context for postgress db dir if it's wrong - command: "restorecon -vvRF /var/lib/pgsql" - when: pgsql_ls.stdout is defined and 'postgresql_db_t' not in pgsql_ls.stdout - - name: install copr-frontend and copr-selinux dnf: state=latest name={{ item }} with_items: @@ -20,17 +11,11 @@ - name: install additional pkgs for copr-frontend dnf: state=present pkg={{ item }} with_items: - - "bash-completion" - - "mod_ssl" - redis - - pxz - python3-alembic tags: - packages -- name: install a newer version of xstatic-jquery-ui-common - command: dnf install -y https://kojipkgs.fedoraproject.org//packages/python-XStatic-jquery-ui/1.12.0.1/2.fc26/noarch/xstatic-jquery-ui-common-1.12.0.1-2.fc26.noarch.rpm - - name: install copr configs template: src="copr.conf" dest=/etc/copr/copr.conf mode=600 notify: 
@@ -38,19 +23,9 @@ tags: - config -- name: enable and start redis # TODO: .service in copr-backend should depend on redis - service: name=redis enabled=yes state=started - - name: enable and start pagure-events service: name=pagure-events enabled=yes state=started -- name: copy apache files to conf.d - copy: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" - with_items: - - "welcome.conf" - tags: - - config - - name: copy apache files to conf.d (templates) template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" with_items: @@ -65,15 +40,6 @@ state: yes persistent: yes -- import_tasks: "psql_setup.yml" - -- name: upgrade db to head - command: alembic-3 upgrade head - become: yes - become_user: copr-fe - args: - chdir: /usr/share/copr/coprs_frontend/ - - name: set up admins command: ./manage.py alter_user --admin {{ item }} become: yes 
@@ -88,48 +54,15 @@ - nb - kevin -- name: install ssl certificates for production - import_tasks: "install_certs.yml" - when: not devel - tags: - - config - -- name: letsencrypt cert - include_role: name=certbot - when: devel - tags: - - config - -- name: Check that cert file exists - stat: - path: "/etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem" - register: stat_cert - -- name: Should admin run certbot? - fail: - msg: Please see roles/certbot/README step (2) and manually run certbot - when: - - stat_cert.stat.exists == False - - devel - -- name: install copr-frontend ssl vhost - template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/coprs_ssl.conf" - tags: - - config - - name: enable services service: state=started enabled=yes name={{ item }} with_items: - httpd -- name: set dev banner for dev instance - when: devel +- name: set staging banner for staging instance + when: when: env == 'staging' copy: src=banner-include.html dest=/var/lib/copr/ -- name: disallow robots on dev instance - when: devel - copy: src=robots.txt dest=/var/www/html/ - - name: rebuild indexes command: ./manage.py update_indexes become: yes diff --git a/roles/copr/frontend/tasks/mount_fs.yml b/roles/copr/frontend/tasks/mount_fs.yml deleted file mode 100644 index e355d38ff6..0000000000 --- a/roles/copr/frontend/tasks/mount_fs.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: mount up disk of copr fe - mount: name=/srv/copr-fe src='LABEL=copr-fe' fstype=ext4 state=mounted - -- name: mount up bind mount for postgres - mount: src=/srv/copr-fe/pgsqldb name=/var/lib/pgsql fstype=auto opts=bind state=mounted - diff --git a/roles/copr/frontend/tasks/psql_setup.yml b/roles/copr/frontend/tasks/psql_setup.yml deleted file mode 100644 index b5116f6218..0000000000 --- a/roles/copr/frontend/tasks/psql_setup.yml +++ /dev/null 
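Review bot: The hunk turns the dev banner task into `set staging banner for staging instance` but drops the companion `disallow robots on dev instance` task without a staging equivalent, and this commit also deletes `files/robots.txt`, so the staging frontends become indexable and the `Alias /robots.txt /var/www/html/robots.txt` left in coprs.conf will 404 unless another role provides that file. If the new staging hosts sit behind a proxy that serves its own robots.txt, a comment saying so would help; otherwise keep the task as `- name: disallow robots on staging instance` with `when: env == 'staging'`. The same hunk removes the certbot/production-cert tasks and the SSL vhost, leaving this role with only the port-80 vhost; that is fine only if TLS is terminated upstream for the phx2 staging hosts, and that assumption deserves a one-line comment at the top of the role's main.yml.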
@@ -1,110 +0,0 @@ -- name: install postresql - package: state=present pkg={{ item }} - with_items: - - "postgresql-server" - - "postgresql-contrib" - - -- name: See if postgreSQL is installed - stat: path=/var/lib/pgsql/initdb.log - register: pgsql_installed - -- name: init postgresql - shell: "postgresql-setup initdb" - when: not pgsql_installed.stat.exists - -- name: copy pg_hba.conf - copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600 - notify: - - restart postgresql - tags: - - config - -- name: Ensure postgres has a place to backup to - file: dest=/backups state=directory owner=postgres - tags: - - config - -# TODO: I think we missing user creation, check it we do it somewhere else ... - -- name: Copy over backup scriplet - copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755 - tags: - - config - -- name: Set up some cronjobs to backup databases as configured - template: > - src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database" - dest="/etc/cron.d/cron-backup-database-{{ item }}" - with_items: - - "{{ dbs_to_backup }}" - when: dbs_to_backup != [] - tags: - - config - -- name: enable Pg service - service: state=started enabled=yes name=postgresql - -- name: Create db - postgresql_db: name="coprdb" encoding='UTF-8' - become: yes - become_user: postgres - -- name: Create db user - postgresql_user: db="coprdb" name="copr-fe" password="{{ copr_database_password }}" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE - become: yes - become_user: postgres - -- name: set shared_buffers for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^shared_buffers =' - line: 'shared_buffers = 1024MB' - notify: restart postgresql - tags: - - config - -- name: set effective_cache_size for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^effective_cache_size =' - line: 
'effective_cache_size = 2048MB' - notify: restart postgresql - tags: - - config - -- name: set work_mem for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^work_mem =' - line: 'work_mem = 4MB' - notify: restart postgresql - tags: - - config - -- name: set maintenance_work_mem for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^maintenance_work_mem =' - line: 'maintenance_work_mem = 1GB' - notify: restart postgresql - tags: - - config - -- name: set checkpoint_completion_target for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^checkpoint_completion_target =' - line: 'checkpoint_completion_target = 0.9' - notify: restart postgresql - tags: - - config - -- name: set log_min_duration_statement for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^log_min_duration_statement =' - line: 'log_min_duration_statement = 500' - notify: restart postgresql - tags: - - config diff --git a/roles/copr/frontend/templates/httpd/coprs.conf b/roles/copr/frontend/templates/httpd/coprs.conf index 453144a8ac..5f992a9ca1 100644 --- a/roles/copr/frontend/templates/httpd/coprs.conf +++ b/roles/copr/frontend/templates/httpd/coprs.conf @@ -28,14 +28,6 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application -{% if devel %} - - RewriteEngine on - RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] - RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE] - -{% endif %} - ExtendedStatus On diff --git a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 deleted file mode 100644 index 846d8d85dd..0000000000 --- a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 +++ /dev/null 
@@ -1,80 +0,0 @@ -Listen 443 https - - - - SSLEngine on - SSLProtocol {{ ssl_protocols }} - # Use secure TLSv1.1 and TLSv1.2 ciphers - SSLCipherSuite {{ ssl_ciphers }} - SSLHonorCipherOrder on - Header always add Strict-Transport-Security "max-age=31536000; preload" - - {% if not devel %} - SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt - SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key - SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt - {% else %} - SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem - {% endif %} - - ServerName {{ copr_frontend_public_hostname }} - - WSGIPassAuthorization On - WSGIScriptAlias / /usr/share/copr/coprs_frontend/application - WSGIProcessGroup 127.0.0.1 - - - WSGIProcessGroup api - - - WSGIProcessGroup backend - - - WSGIProcessGroup stats - - - WSGIProcessGroup tmp - - - #ErrorLog logs/error_coprs - #CustomLog logs/access_coprs common - - - WSGIApplicationGroup %{GLOBAL} - Require all granted - - - RewriteEngine on - RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301] - RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301] - - # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work - RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT] - RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT] - - - - SSLEngine on - SSLProtocol {{ ssl_protocols }} - # Use secure TLSv1.1 and TLSv1.2 ciphers - SSLCipherSuite {{ ssl_ciphers }} - SSLHonorCipherOrder on - Header always add Strict-Transport-Security "max-age=31536000; 
preload" - - {% if not devel %} - SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt - SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key - SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt - {% else %} - SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem - {% endif %} - - {% if not devel %} - ServerAlias copr.fedoraproject.org - Redirect 302 / https://copr.fedorainfracloud.org/ - {% endif %} - From b62e306345cd40f2b0cbede10c29cfc6ab7c2939 Mon Sep 17 00:00:00 2001 From: clime Date: Mon, 27 Aug 2018 10:30:13 +0200 Subject: [PATCH 219/289] copr: stg->dev renames in group_vars --- inventory/group_vars/{copr-back-stg => copr-back-dev} | 0 inventory/group_vars/{copr-stg => copr-dev} | 0 .../group_vars/{copr-dist-git-stg => copr-dist-git-dev} | 0 inventory/group_vars/copr-front-dev | 9 +++++++++ .../group_vars/{copr-keygen-stg => copr-keygen-dev} | 0 5 files changed, 9 insertions(+) rename inventory/group_vars/{copr-back-stg => copr-back-dev} (100%) rename inventory/group_vars/{copr-stg => copr-dev} (100%) rename inventory/group_vars/{copr-dist-git-stg => copr-dist-git-dev} (100%) create mode 100644 inventory/group_vars/copr-front-dev rename inventory/group_vars/{copr-keygen-stg => copr-keygen-dev} (100%) diff --git a/inventory/group_vars/copr-back-stg b/inventory/group_vars/copr-back-dev similarity index 100% rename from inventory/group_vars/copr-back-stg rename to inventory/group_vars/copr-back-dev diff --git a/inventory/group_vars/copr-stg b/inventory/group_vars/copr-dev similarity index 100% rename from inventory/group_vars/copr-stg rename to inventory/group_vars/copr-dev 
diff --git a/inventory/group_vars/copr-dist-git-stg b/inventory/group_vars/copr-dist-git-dev similarity index 100% rename from inventory/group_vars/copr-dist-git-stg rename to inventory/group_vars/copr-dist-git-dev diff --git a/inventory/group_vars/copr-front-dev b/inventory/group_vars/copr-front-dev new file mode 100644 index 0000000000..27a5e4194b --- /dev/null +++ b/inventory/group_vars/copr-front-dev @@ -0,0 +1,9 @@ +--- +copr_frontend_public_hostname: "copr-fe-dev.cloud.fedoraproject.org" + +csi_security_category: Low +csi_primary_contact: "msuchy (mirek), clime, frostyx, dturecek IRC #fedora-admin, #fedora-buildsys" +csi_purpose: Provide the testing environment of copr's frontend +csi_relationship: This host is the testing environment for copr's web interface + +copr_mbs_cli_login: Y29wcg==##vtvvikhcjncwkfkdcssv diff --git a/inventory/group_vars/copr-keygen-stg b/inventory/group_vars/copr-keygen-dev similarity index 100% rename from inventory/group_vars/copr-keygen-stg rename to inventory/group_vars/copr-keygen-dev From 50b18e5af4659beb2706df7937fc1cbbf8beab28 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 08:29:53 +0000 Subject: [PATCH 220/289] Add new staging Copr to inventory --- inventory/cloud | 5 ++++- inventory/inventory | 42 +++++++++++++++++++++++++++++++++--------- 2 files changed, 37 insertions(+), 10 deletions(-) diff --git a/inventory/cloud b/inventory/cloud index 87b642f0d5..24e7f51d46 100644 --- a/inventory/cloud +++ b/inventory/cloud 
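Review bot: `copr_mbs_cli_login: Y29wcg==##vtvvikhcjncwkfkdcssv` looks like a credential (the first half base64-decodes to `copr`, the second half is an opaque token) committed in plain text to a group_vars file in this repository; if it is a real MBS login it belongs in the private vault vars next to `copr_database_password` and `copr_secret_key`, and should be rotated now that it is in git history. If it is only a dev placeholder, a comment such as `# dev-only dummy credential, not valid against any MBS instance` would stop the next reader from treating it as live. Either way the value should be quoted (`"Y29wcg==##..."`) so YAML cannot mis-parse it — it is safe today, but a `#` after a space would start a comment, as the already-quoted `csi_primary_contact` line shows.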
@@ -10,12 +10,15 @@ commops.fedorainfracloud.org communityblog.fedorainfracloud.org copr-be.cloud.fedoraproject.org copr-be-dev.cloud.fedoraproject.org -copr-dist-git-dev.fedorainfracloud.org +copr-be-stg.fedorainfracloud.org copr-dist-git.fedorainfracloud.org +copr-dist-git-dev.fedorainfracloud.org +copr-dist-git-stg.fedorainfracloud.org copr-fe.cloud.fedoraproject.org copr-fe-dev.cloud.fedoraproject.org copr-keygen.cloud.fedoraproject.org copr-keygen-dev.cloud.fedoraproject.org +copr-keygen-stg.fedorainfracloud.org developer.fedorainfracloud.org elastic-dev.fedorainfracloud.org el6-test.fedorainfracloud.org diff --git a/inventory/inventory b/inventory/inventory index ed43de9859..b4d682db47 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -756,9 +756,14 @@ buildvm-s390x-01.stg.s390.fedoraproject.org busgateway01.stg.phx2.fedoraproject.org composer.stg.phx2.fedoraproject.org copr-be-dev.cloud.fedoraproject.org +copr-be-stg.fedorainfracloud.org copr-dist-git-dev.fedorainfracloud.org +copr-dist-git-stg.fedorainfracloud.org copr-fe-dev.cloud.fedoraproject.org +copr-frontend01.stg.phx2.fedorainfracloud.org +copr-frontend02.stg.phx2.fedorainfracloud.org copr-keygen-dev.cloud.fedoraproject.org +copr-keygen-stg.fedorainfracloud.org datagrepper01.stg.phx2.fedoraproject.org db-fas01.stg.phx2.fedoraproject.org db-koji01.stg.phx2.fedoraproject.org @@ -1296,15 +1301,6 @@ bvirthost buildvmhost virthost-comm -[copr-front-dev] -copr-fe-dev.cloud.fedoraproject.org - -[copr-back-dev] -copr-be-dev.cloud.fedoraproject.org - -[copr-keygen-dev] -copr-keygen-dev.cloud.fedoraproject.org - [copr-keygen] copr-keygen.cloud.fedoraproject.org 
@@ -1317,15 +1313,43 @@ copr-be.cloud.fedoraproject.org [copr-dist-git] copr-dist-git.fedorainfracloud.org +[copr-front-dev] +copr-fe-dev.cloud.fedoraproject.org + +[copr-back-dev] +copr-be-dev.cloud.fedoraproject.org + +[copr-keygen-dev] +copr-keygen-dev.cloud.fedoraproject.org + [copr-dist-git-dev] copr-dist-git-dev.fedorainfracloud.org +[copr-front-stg] +copr-frontend01.stg.phx2.fedorainfracloud.org +copr-frontend02.stg.phx2.fedorainfracloud.org + +[copr-back-stg] +copr-be-stg.fedorainfracloud.org + +[copr-keygen-stg] +copr-keygen-stg.fedorainfracloud.org + +[copr-dist-git-stg] +copr-dist-git-stg.fedorainfracloud.org + [copr:children] copr-front copr-back copr-keygen copr-dist-git +[copr-stg:children] +copr-front-stg +copr-back-stg +copr-keygen-stg +copr-dist-git-stg + [copr-dev:children] copr-front-dev copr-back-dev From 8c62133aa78c0ae2bb5cd158c594354592bee70e Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 08:37:26 +0000 Subject: [PATCH 221/289] Fix a typo in copr/frontend --- roles/copr/frontend/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index a302a3e7c4..4c74d9d949 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -60,7 +60,7 @@ - httpd - name: set staging banner for staging instance - when: when: env == 'staging' + when: env == 'staging' copy: src=banner-include.html dest=/var/lib/copr/ - name: rebuild indexes From 5a4dc7cab2af52b9b7707d838a63d6b6b235f5a1 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 08:42:37 +0000 Subject: [PATCH 222/289] Fix copr-fe-stg domain names --- inventory/inventory | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index b4d682db47..780fdc7755 100644 --- a/inventory/inventory +++ b/inventory/inventory 
@@ -760,8 +760,8 @@ copr-be-stg.fedorainfracloud.org copr-dist-git-dev.fedorainfracloud.org copr-dist-git-stg.fedorainfracloud.org copr-fe-dev.cloud.fedoraproject.org -copr-frontend01.stg.phx2.fedorainfracloud.org -copr-frontend02.stg.phx2.fedorainfracloud.org +copr-frontend01.stg.phx2.fedoraproject.org +copr-frontend02.stg.phx2.fedoraproject.org copr-keygen-dev.cloud.fedoraproject.org copr-keygen-stg.fedorainfracloud.org datagrepper01.stg.phx2.fedoraproject.org @@ -1326,8 +1326,8 @@ copr-keygen-dev.cloud.fedoraproject.org copr-dist-git-dev.fedorainfracloud.org [copr-front-stg] -copr-frontend01.stg.phx2.fedorainfracloud.org -copr-frontend02.stg.phx2.fedorainfracloud.org +copr-frontend01.stg.phx2.fedoraproject.org +copr-frontend02.stg.phx2.fedoraproject.org [copr-back-stg] copr-be-stg.fedorainfracloud.org From 38c20fb57ceb4a2980b621954dc748a70bd5d72a Mon Sep 17 00:00:00 2001 From: clime Date: Mon, 27 Aug 2018 10:47:39 +0200 Subject: [PATCH 223/289] copr-fe-cloud: fix role name --- playbooks/groups/copr-frontend-cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/copr-frontend-cloud.yml b/playbooks/groups/copr-frontend-cloud.yml index 82cc92d16e..b1ccfa9fca 100644 --- a/playbooks/groups/copr-frontend-cloud.yml +++ b/playbooks/groups/copr-frontend-cloud.yml @@ -38,5 +38,5 @@ roles: - base - - copr/frontend + - copr/frontend-cloud - nagios_client From 3ca845b57778ad80c4b16655de769c8dac8d2620 Mon Sep 17 00:00:00 2001 
From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 09:00:57 +0000 Subject: [PATCH 224/289] Provision copr stg cloud machines --- inventory/group_vars/copr-back-stg | 29 ++++++++++++++++++++++++++ inventory/group_vars/copr-dist-git-stg | 6 ++++++ inventory/group_vars/copr-keygen-stg | 13 ++++++++++++ playbooks/groups/copr-backend.yml | 7 +++---- playbooks/groups/copr-dist-git.yml | 6 +++--- playbooks/groups/copr-keygen.yml | 9 +++----- 6 files changed, 57 insertions(+), 13 deletions(-) create mode 100644 inventory/group_vars/copr-back-stg create mode 100644 inventory/group_vars/copr-dist-git-stg create mode 100644 inventory/group_vars/copr-keygen-stg diff --git a/inventory/group_vars/copr-back-stg b/inventory/group_vars/copr-back-stg new file mode 100644 index 0000000000..c144801e78 --- /dev/null +++ b/inventory/group_vars/copr-back-stg 
@@ -0,0 +1,29 @@
+---
+_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
+
+copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
+copr_nova_tenant_id: "a6ff2158641c439a8426d7facab45437"
+copr_nova_tenant_name: "coprdev"
+copr_nova_username: "copr"
+
+copr_builder_image_name: "builder-f24"
+copr_builder_flavor_name: "ms2.builder"
+copr_builder_network_name: "coprdev-net"
+copr_builder_key_name: "buildsys"
+copr_builder_security_groups: "ssh-anywhere-coprdev,default,ssh-from-persistent-coprdev"
+
+fedmsg_enabled: "true"
+
+do_sign: "true"
+
+spawn_in_advance: "false"
+frontend_base_url: "https://copr.stg.fedoraproject.org"
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should override them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+csi_security_category: Moderate
+csi_primary_contact: "msuchy (mirek), clime, frostyx, dturecek IRC #fedora-admin, #fedora-buildsys"
+csi_purpose: Provide the testing environment of copr's backend
+csi_relationship: This host is the testing environment for the cloud infrastructure of copr's backend
diff --git a/inventory/group_vars/copr-dist-git-stg b/inventory/group_vars/copr-dist-git-stg
new file mode 100644
index 0000000000..28b1b79cb2
--- /dev/null
+++ b/inventory/group_vars/copr-dist-git-stg
@@ -0,0 +1,6 @@
+---
+tcp_ports: [22, 80]
+datacenter: cloud
+freezes: false
+devel: true
+custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT']
diff --git a/inventory/group_vars/copr-keygen-stg b/inventory/group_vars/copr-keygen-stg
new file mode 100644
index 0000000000..d66d69a691
--- /dev/null
+++ b/inventory/group_vars/copr-keygen-stg
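Review bot: `fedmsg_enabled: "true"`, `do_sign: "true"` and `spawn_in_advance: "false"` in the new copr-back-stg group vars are quoted strings rather than YAML booleans, so a Jinja test such as `{% if spawn_in_advance %}` in the copr-be.conf template would treat `"false"` as truthy. That template is not part of this series, so this may be deliberate if the values are only interpolated verbatim into the ini file; if so, a comment like `# string values: written into copr-be.conf as-is, never evaluated as booleans` would stop the next reader from "fixing" them. `copr_builder_security_groups` also attaches `ssh-anywhere-coprdev` to every spawned builder; if builders are only ever reached from the backend, `ssh-from-persistent-coprdev` alone would be the tighter choice, though I cannot see the group definitions from here.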
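Review bot: The `custom_rules` entry in the new copr-dist-git-stg group vars accepts TCP 443 from any source while `tcp_ports` lists only 22 and 80, which hides one open port in a different variable from the rest. If 443 is meant to be served, `tcp_ports: [22, 80, 443]` states that in one place; if it is not, drop the rule. The copr-dist-git-stg host vars added later in this series only attach `web-80-anywhere-persistent` and ssh security groups, so at the cloud layer 443 is not admitted anyway and the rule as written appears to be dead.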
@@ -0,0 +1,13 @@
+---
+copr_hostbase: copr-keygen-dev
+tcp_ports: []
+
+# http + signd dest ports
+#custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 80 -j ACCEPT',
+# '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 80 -j ACCEPT',
+# '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 5167 -j ACCEPT',
+# '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 5167 -j ACCEPT']
+
+datacenter: cloud
+
+freezes: false
diff --git a/playbooks/groups/copr-backend.yml b/playbooks/groups/copr-backend.yml
index f11a188f3e..4b9a03e312 100644
--- a/playbooks/groups/copr-backend.yml
+++ b/playbooks/groups/copr-backend.yml
@@ -1,6 +1,5 @@ - name: check/create instance - #hosts: copr-back - hosts: copr-back:copr-back-dev + hosts: copr-back-dev:copr-back-stg:copr-back user: root gather_facts: False
@@ -13,7 +12,7 @@ - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" - name: cloud basic setup - hosts: copr-back:copr-back-dev + hosts: copr-back-dev:copr-back-stg:copr-back user: root gather_facts: True vars_files:
@@ -28,7 +27,7 @@ hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org" - name: provision instance - hosts: copr-back:copr-back-dev + hosts: copr-back-dev:copr-back-stg:copr-back user: root gather_facts: True
diff --git a/playbooks/groups/copr-dist-git.yml b/playbooks/groups/copr-dist-git.yml
index 4a3dff1eb3..658c7aa442 100644
--- a/playbooks/groups/copr-dist-git.yml
+++ b/playbooks/groups/copr-dist-git.yml
@@ -1,5 +1,5 @@ - name: check/create instance - hosts: copr-dist-git-dev:copr-dist-git + hosts: copr-dist-git-dev:copr-dist-git-stg:copr-dist-git user: root gather_facts: False
@@ -13,7 +13,7 @@ - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" - name: cloud basic setup - hosts: copr-dist-git-dev:copr-dist-git + hosts: copr-dist-git-dev:copr-dist-git-stg:copr-dist-git user: root gather_facts: True vars_files:
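Review bot: The `custom_rules` block that restricts TCP 80 and the signd port 5167 on the keygen host to the two backend addresses is committed commented out, and with `tcp_ports: []` the sign host's only ingress policy is whatever the base iptables role applies by default, which is not visible here. The addresses in the commented rules are the same ones the copr-stg group vars later in this series publish as `copr_backend_ips`, and that file even carries a reminder to keep this file in sync with them, so the reminder currently points at disabled rules. Uncomment the four `-A INPUT -p tcp -m tcp -s <backend ip> --dport {80,5167} -j ACCEPT` entries (or derive them from `copr_backend_ips`) before the staging backend is pointed at this host, and add a one-line comment such as `# 5167 is the signd port: accept it only from the copr backend addresses`. `copr_hostbase` is corrected in a later patch, so nothing to do there.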
@@ -27,7 +27,7 @@ hostname: name="{{copr_hostbase}}.fedorainfracloud.org" - name: provision instance - hosts: copr-dist-git-dev:copr-dist-git + hosts: copr-dist-git-dev:copr-dist-git-stg:copr-dist-git user: root gather_facts: True diff --git a/playbooks/groups/copr-keygen.yml b/playbooks/groups/copr-keygen.yml index ae40ed8f5b..f0f82127e8 100644 --- a/playbooks/groups/copr-keygen.yml +++ b/playbooks/groups/copr-keygen.yml @@ -1,6 +1,5 @@ - name: check/create instance - hosts: copr-keygen-dev:copr-keygen - #hosts: copr-keygen + hosts: copr-keygen-dev:copr-keygen-stg:copr-keygen gather_facts: False vars_files: @@ -21,8 +20,7 @@ when: facts is failed - name: cloud basic setup - hosts: copr-keygen-dev:copr-keygen - # hosts: copr-keygen + hosts: copr-keygen-dev:copr-keygen-stg:copr-keygen gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml @@ -35,8 +33,7 @@ hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org" - name: provision instance - hosts: copr-keygen:copr-keygen-dev - #hosts: copr-keygen + hosts: copr-keygen-dev:copr-keygen-stg:copr-keygen gather_facts: True vars_files: From f2bc21a373a3e7edcde03d53b42647ebfc09eb6f Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 09:16:09 +0000 Subject: [PATCH 225/289] Provision Copr frontend staging --- playbooks/groups/copr-frontend.yml | 58 +++++++++++++----------------- 1 file changed, 25 insertions(+), 33 deletions(-) diff --git a/playbooks/groups/copr-frontend.yml b/playbooks/groups/copr-frontend.yml index f669bbc15d..8ee89b721d 100644 --- a/playbooks/groups/copr-frontend.yml +++ b/playbooks/groups/copr-frontend.yml 
@@ -1,34 +1,9 @@ -- name: check/create instance - hosts: copr-front-stg:copr-front - # hosts: copr-front - gather_facts: False +--- +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=copr-front-stg" - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/fedora-cloud.yml - - /srv/private/ansible/files/openstack/passwords.yml - - tasks: - - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" - -- name: cloud basic setup - hosts: copr-front-stg:copr-front - # hosts: copr-front - gather_facts: True - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - tasks: - - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml" - - import_tasks: "{{ tasks_path }}/yumrepos.yml" - - name: set hostname (required by some services, at least postfix need it) - hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org" - -- name: provision instance - hosts: copr-front:copr-front-stg - # hosts: copr-front +- name: provision copr frontend + hosts: copr-front-stg + user: root gather_facts: True vars_files: @@ -36,7 +11,24 @@ - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + pre_tasks: + - import_tasks: "{{ tasks_path }}/yumrepos.yml" + roles: - - base - - copr/frontend - - nagios_client + - base + - rkhunter + - nagios_client + - hosts + - fas_client + - collectd/base + - { role: openvpn/client, when: env != "staging" } + - redis + - mod_wsgi + - copr/frontend + + tasks: + - import_tasks: "{{ tasks_path }}/2fa_client.yml" + - import_tasks: "{{ tasks_path }}/motd.yml" + + handlers: + - import_tasks: "{{ handlers_path }}/restart_services.yml" From f7642b1e3de2e490250ddbb5a615bd8e81d35085 Mon Sep 17 00:00:00 2001 
From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 09:28:06 +0000 Subject: [PATCH 226/289] Update copr-front-stg group vars --- inventory/group_vars/copr-front-stg | 34 ++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/inventory/group_vars/copr-front-stg b/inventory/group_vars/copr-front-stg index 27a5e4194b..d327316d74 100644 --- a/inventory/group_vars/copr-front-stg +++ b/inventory/group_vars/copr-front-stg @@ -1,9 +1,31 @@ --- -copr_frontend_public_hostname: "copr-fe-dev.cloud.fedoraproject.org" +# Define resources for this group of hosts here. +lvm_size: 10000 +mem_size: 2048 +num_cpus: 1 +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +copr_frontend_public_hostname: "copr.stg.fedoraproject.org" + +tcp_ports: [ 80 ] + +custom_rules: [ + # Need for rsync from log01 for logs. + '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', + ] + +fas_client_groups: sysadmin-copr,fi-apprentice,sysadmin-noc,sysadmin-veteran + +freezes: false + +# For the MOTD csi_security_category: Low -csi_primary_contact: "msuchy (mirek), clime, frostyx, dturecek IRC #fedora-admin, #fedora-buildsys" -csi_purpose: Provide the testing environment of copr's frontend -csi_relationship: This host is the testing environment for copr's web interface - -copr_mbs_cli_login: Y29wcg==##vtvvikhcjncwkfkdcssv +csi_primary_contact: Fedora admins - admin@fedoraproject.org +csi_purpose: Copr community build service +csi_relationship: | + This machine depends on: + - PostgreSQL DB server + - bastion (for mail relay) From 36a2e5b9b13349f8e06cf28e6d6a83eb191b7550 Mon Sep 17 00:00:00 2001 
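Review bot: The removed line `copr_mbs_cli_login: Y29wcg==##vtvvikhcjncwkfkdcssv` looks like a plaintext credential (base64 `copr` followed by a token) that had been committed to this inventory; deleting it does not remove it from git history, so it should be treated as exposed and rotated on the MBS side. If the frontend still needs that login, reference it from the private vars the way the DB password is handled later in this series, e.g. `copr_mbs_cli_login: "{{ copr_mbs_cli_login_stg }}"`, rather than reintroducing a literal. The rsync `custom_rules` entries would also benefit from a note on what `192.168.1.59` is (presumably a second log01 address, but the comment above only names log01 once).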
From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 09:38:42 +0000 Subject: [PATCH 227/289] Add host vars for copr-front-stg --- .../copr-frontend01.stg.phx2.fedoraproject.org | 12 ++++++++++++ .../copr-frontend02.stg.phx2.fedoraproject.org | 12 ++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 inventory/host_vars/copr-frontend01.stg.phx2.fedoraproject.org create mode 100644 inventory/host_vars/copr-frontend02.stg.phx2.fedoraproject.org diff --git a/inventory/host_vars/copr-frontend01.stg.phx2.fedoraproject.org b/inventory/host_vars/copr-frontend01.stg.phx2.fedoraproject.org new file mode 100644 index 0000000000..f45bf57fce --- /dev/null +++ b/inventory/host_vars/copr-frontend01.stg.phx2.fedoraproject.org @@ -0,0 +1,12 @@ +--- +nm: 255.255.255.0 +gw: 10.5.128.254 +dns: 10.5.126.21 + +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ + +volgroup: /dev/vg_guests +eth0_ip: 10.5.128.49 +vmhost: virthost02.stg.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/host_vars/copr-frontend02.stg.phx2.fedoraproject.org b/inventory/host_vars/copr-frontend02.stg.phx2.fedoraproject.org new file mode 100644 index 0000000000..25af190ed6 --- /dev/null +++ b/inventory/host_vars/copr-frontend02.stg.phx2.fedoraproject.org @@ -0,0 +1,12 @@ +--- +nm: 255.255.255.0 +gw: 10.5.128.254 +dns: 10.5.126.21 + +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ + +volgroup: /dev/vg_virthost16 +eth0_ip: 10.5.128.50 +vmhost: virthost05.stg.phx2.fedoraproject.org +datacenter: phx2 From 961704ced05aa9fec8451c35bf4ece990777e5f0 Mon Sep 17 00:00:00 2001 
From: clime Date: Mon, 27 Aug 2018 11:52:00 +0200 Subject: [PATCH 228/289] copr: add cloud stg vars --- inventory/group_vars/copr-keygen-stg | 2 +- inventory/group_vars/copr-stg | 19 ++++++++++++++ .../copr-be-stg.fedorainfracloud.org | 26 +++++++++++++++++++ .../copr-dist-git-stg.fedorainfracloud.org | 22 ++++++++++++++++ .../copr-keygen-stg.fedorainfracloud.org | 22 ++++++++++++++++ 5 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 inventory/group_vars/copr-stg create mode 100644 inventory/host_vars/copr-be-stg.fedorainfracloud.org create mode 100644 inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org create mode 100644 inventory/host_vars/copr-keygen-stg.fedorainfracloud.org diff --git a/inventory/group_vars/copr-keygen-stg b/inventory/group_vars/copr-keygen-stg index d66d69a691..b8427517a1 100644 --- a/inventory/group_vars/copr-keygen-stg +++ b/inventory/group_vars/copr-keygen-stg @@ -1,5 +1,5 @@ --- -copr_hostbase: copr-keygen-dev +copr_hostbase: copr-keygen-stg tcp_ports: [] # http + signd dest ports diff --git a/inventory/group_vars/copr-stg b/inventory/group_vars/copr-stg new file mode 100644 index 0000000000..9ae4666c8f --- /dev/null +++ b/inventory/group_vars/copr-stg @@ -0,0 +1,19 @@ +--- +devel: true +#_forward-src: "{{ files }}/copr/forward-dev" +_forward_src: "forward_dev" + +# don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules + +copr_backend_ips: ["172.25.32.232", "172.25.157.237"] +keygen_host: "172.25.32.238" + +resolvconf: "resolv.conf/cloud" + +backend_base_url: "http://copr-be-stg.fedorainfracloud.org" +postfix_maincf: "postfix/main.cf/main.cf.copr" + +frontend_base_url: "https://copr.stg.fedoraproject.org" +dist_git_base_url: "copr-dist-git-stg.fedorainfracloud.org" + +ansible_ifcfg_blacklist: true diff --git a/inventory/host_vars/copr-be-stg.fedorainfracloud.org b/inventory/host_vars/copr-be-stg.fedorainfracloud.org new file mode 100644 index 0000000000..f940f52aab --- /dev/null 
+++ b/inventory/host_vars/copr-be-stg.fedorainfracloud.org
@@ -0,0 +1,26 @@
+---
+instance_type: m1.xlarge
+image: "{{ fedora27_x86_64 }}"
+keypair: fedora-admin-20130801
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent,fedmsg-relay-persistent
+zone: nova
+hostbase: copr-be-stg-
+public_ip: 209.132.184.53
+root_auth_users: msuchy pingou frostyx dturecek clime
+description: copr dispatcher and repo server - stg instance
+tcp_ports: ['22', '80', '443', '2003', '4001']
+# volumes: copr-be-stg-data
+volumes: [ {volume_id: 'a3325e22-bdc0-4eeb-bb73-45365ddb7a01', device: '/dev/vdc'} ]
+
+inventory_tenant: persistent
+# name of machine in OpenStack
+inventory_instance_name: copr-be-stg
+cloud_networks:
+ # persistent-net
+ - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
+ # coprdev-net
+ - net-id: "a440568f-b90a-46af-8ca6-d8fa743a7e7a"
+
+# Copr vars
+copr_hostbase: copr-be-stg
+_copr_be_conf: copr-be.conf-stg
diff --git a/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org b/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org
new file mode 100644
index 0000000000..7726d38b67
--- /dev/null
+++ b/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org
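Review bot: `tcp_ports: ['22', '80', '443', '2003', '4001']` on copr-be-stg opens two ports with no explanation and writes them as quoted strings where the sibling copr-dist-git-stg files use bare integers; if the iptables template compares or formats these values, the mixed scalar types are a latent surprise. Please document 2003 and 4001 inline, e.g. `tcp_ports: [22, 80, 443, 2003, 4001]  # 2003/4001: <service> -- confirm`, and use one scalar type across the copr host vars. The instance also carries `ssh-anywhere-persistent`; that matches the other copr cloud hosts in this series, but this is the host configured with the OpenStack tenant identity (`copr_nova_*` in the group vars), so a bastion-only ssh group would be the tighter choice if one exists.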
@@ -0,0 +1,22 @@
+---
+instance_type: ms1.small
+image: "{{ fedora27_x86_64 }}"
+keypair: fedora-admin-20130801
+security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
+zone: nova
+hostbase: copr-dist-git-stg-
+public_ip: 209.132.184.179
+root_auth_users: ryanlerch pingou msuchy dturecek frostyx clime
+description: dist-git for copr service - stg instance
+tcp_ports: [22, 80]
+# volumes: copr-dist-git-stg
+volumes: [ {volume_id: '0cb506b9-3931-47fa-b6d3-a0ad2614f221', device: '/dev/vdc'} ]
+inventory_tenant: persistent
+# name of machine in OpenStack
+inventory_instance_name: copr-dist-git-stg
+cloud_networks:
+ # persistent-net
+ - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
+
+# Copr vars
+copr_hostbase: copr-dist-git-stg
diff --git a/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org b/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org
new file mode 100644
index 0000000000..c997b24910
--- /dev/null
+++ b/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org
@@ -0,0 +1,22 @@
+---
+instance_type: ms1.small
+image: "{{ fedora27_x86_64 }}"
+keypair: fedora-admin-20130801
+# todo: remove some security groups ?
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
+zone: nova
+hostbase: copr-keygen-stg-
+public_ip: 209.132.184.46
+root_auth_users: msuchy clime frostyx dturecek
+volumes: [ {volume_id: '5424ff3c-b1c6-4291-a0ed-2d30924f4f88', device: '/dev/vdc'} ]
+description: copr keygen and sign host - stg instance
+
+inventory_tenant: persistent
+# name of machine in OpenStack
+inventory_instance_name: copr-keygen-stg
+cloud_networks:
+ # persistent-net
+ - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
+
+# Copr vars
+copr_hostbase: copr-keygen-stg
From 733a61819491170a1157b05b85c8c618420e0865 Mon Sep 17 00:00:00 2001
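Review bot: `security_group` on copr-keygen-stg attaches `web-80-anywhere-persistent`, `web-443-anywhere-persistent` and `ssh-anywhere-persistent` to the host that holds the signing keys, and the `# todo: remove some security groups ?` above it defers that exposure to later. The keygen group vars in this series set `tcp_ports: []` and keep the backend-only iptables rules commented out, so nothing at either layer currently states which hosts may reach signd; the two `web-*-anywhere` groups look unnecessary for a host that only answers the backend, and the todo should either be resolved or rewritten as a concrete requirement, e.g. `# TODO: replace web-*-anywhere-persistent with a backend-only group; http (80) and signd (5167) must not be reachable from the internet`. Worth fixing here before the same host vars are copied for prod.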
From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 09:53:12 +0000 Subject: [PATCH 229/289] Allow copr-front-stg to talk to db01.stg --- inventory/inventory | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inventory/inventory b/inventory/inventory index 780fdc7755..c7c01f2c03 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -330,6 +330,8 @@ badges-web01.stg.phx2.fedoraproject.org blockerbugs01.stg.phx2.fedoraproject.org bodhi-backend01.stg.phx2.fedoraproject.org busgateway01.stg.phx2.fedoraproject.org +copr-frontend01.stg.phx2.fedoraproject.org +copr-frontend02.stg.phx2.fedoraproject.org datagrepper01.stg.phx2.fedoraproject.org elections01.stg.phx2.fedoraproject.org fedocal01.stg.phx2.fedoraproject.org From a3c87e6cf831a8c97144967ab3dd747ddf1055ea Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 10:41:49 +0000 Subject: [PATCH 230/289] Fix confusing task name in fas_client role --- roles/fas_client/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fas_client/tasks/main.yml b/roles/fas_client/tasks/main.yml index 22836c1b9b..ce67889b45 100644 --- a/roles/fas_client/tasks/main.yml +++ b/roles/fas_client/tasks/main.yml @@ -8,7 +8,7 @@ # fas-clients is in the infrastructure repo. # nss_db is needed to store user/group info. # -- name: install package needed for fas-client (yum) +- name: install package needed for fas-client package: state=present name={{ item }} with_items: - fas-clients From e6893f5a7ba784688ad10047eb61ee56a754ed88 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 11:00:44 +0000 Subject: [PATCH 231/289] Update db URI for copr stg --- inventory/group_vars/copr-front-stg | 2 ++ roles/copr/frontend/templates/copr.conf | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/inventory/group_vars/copr-front-stg b/inventory/group_vars/copr-front-stg index d327316d74..31b5bbb8f8 100644 --- a/inventory/group_vars/copr-front-stg 
+++ b/inventory/group_vars/copr-front-stg @@ -9,6 +9,8 @@ num_cpus: 1 copr_frontend_public_hostname: "copr.stg.fedoraproject.org" +copr_database_password: "{{ copruser_db_password_stg }}" + tcp_ports: [ 80 ] custom_rules: [ diff --git a/roles/copr/frontend/templates/copr.conf b/roles/copr/frontend/templates/copr.conf index b66f1514d1..b5f0aa3611 100644 --- a/roles/copr/frontend/templates/copr.conf +++ b/roles/copr/frontend/templates/copr.conf @@ -14,7 +14,7 @@ BACKEND_BASE_URL = '{{ backend_base_url }}' #USE_ALLOWED_USERS = False #ALLOWED_USERS = ['bonnie', 'clyde'] -SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://copr-fe:{{ copr_database_password }}@/coprdb' +SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://copruser:{{ copr_database_password }}@db01/copr' # Token length, defaults to 30 (max 255) #API_TOKEN_LENGTH = 30 From ee979ae87589157a4222df2e0c6eb9b68d44dd74 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 11:02:26 +0000 Subject: [PATCH 232/289] Don't install custom resolv.conf cor copr-front-stg --- inventory/group_vars/copr-back-stg | 2 ++ inventory/group_vars/copr-dist-git-stg | 3 ++- inventory/group_vars/copr-keygen-stg | 2 ++ inventory/group_vars/copr-stg | 2 -- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/inventory/group_vars/copr-back-stg b/inventory/group_vars/copr-back-stg index c144801e78..f514be113b 100644 --- a/inventory/group_vars/copr-back-stg +++ b/inventory/group_vars/copr-back-stg @@ -1,4 +1,6 @@ --- +resolvconf: "resolv.conf/cloud" + _lighttpd_conf_src: "lighttpd/lighttpd_dev.conf" copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0" diff --git a/inventory/group_vars/copr-dist-git-stg b/inventory/group_vars/copr-dist-git-stg index 28b1b79cb2..4e8368f0b2 100644 --- a/inventory/group_vars/copr-dist-git-stg +++ b/inventory/group_vars/copr-dist-git-stg 
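Review bot: The new `SQLALCHEMY_DATABASE_URI` moves the frontend from a local-socket connection (`@/coprdb`) to `copruser:<password>@db01/copr` over TCP, and nothing in the URI requires TLS, so whether the password and query traffic are encrypted now depends entirely on db01's server-side policy, which is not visible here. Append a libpq option so the client refuses plaintext: `SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://copruser:{{ copr_database_password }}@db01/copr?sslmode=require'` (or `verify-full` with `sslrootcert` if the CA is deployed to the frontends). Please also confirm that db01's pg_hba admits `copruser` only from the copr-frontend hosts, since this template is shared by every environment. The variable name is corrected to `copruser_db_password` in a later patch, so that part needs no change.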
@@ -1,6 +1,7 @@ --- +resolvconf: "resolv.conf/cloud" + tcp_ports: [22, 80] datacenter: cloud freezes: false -devel: true custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'] diff --git a/inventory/group_vars/copr-keygen-stg b/inventory/group_vars/copr-keygen-stg index b8427517a1..7c690fb4ea 100644 --- a/inventory/group_vars/copr-keygen-stg +++ b/inventory/group_vars/copr-keygen-stg @@ -1,4 +1,6 @@ --- +devel: true + copr_hostbase: copr-keygen-stg tcp_ports: [] diff --git a/inventory/group_vars/copr-stg b/inventory/group_vars/copr-stg index 9ae4666c8f..5bbbf0a2d0 100644 --- a/inventory/group_vars/copr-stg +++ b/inventory/group_vars/copr-stg @@ -8,8 +8,6 @@ _forward_src: "forward_dev" copr_backend_ips: ["172.25.32.232", "172.25.157.237"] keygen_host: "172.25.32.238" -resolvconf: "resolv.conf/cloud" - backend_base_url: "http://copr-be-stg.fedorainfracloud.org" postfix_maincf: "postfix/main.cf/main.cf.copr" From 6ac8ee95fe0f861f06c19d7427d13ce97d98e1b7 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 11:07:34 +0000 Subject: [PATCH 233/289] Don't use custom postfix conf for copr-fe-stg --- inventory/group_vars/copr-stg | 2 -- 1 file changed, 2 deletions(-) diff --git a/inventory/group_vars/copr-stg b/inventory/group_vars/copr-stg index 5bbbf0a2d0..f5af3f2bea 100644 --- a/inventory/group_vars/copr-stg +++ b/inventory/group_vars/copr-stg @@ -9,8 +9,6 @@ copr_backend_ips: ["172.25.32.232", "172.25.157.237"] keygen_host: "172.25.32.238" backend_base_url: "http://copr-be-stg.fedorainfracloud.org" -postfix_maincf: "postfix/main.cf/main.cf.copr" - frontend_base_url: "https://copr.stg.fedoraproject.org" dist_git_base_url: "copr-dist-git-stg.fedorainfracloud.org" From 0311569778a7126e0eaa5a15ad4fa586c4921cbf Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 11:15:54 +0000 Subject: [PATCH 234/289] Haproxy config for copr-frontend --- roles/haproxy/templates/haproxy.cfg | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 4a34046b22..55c7f51a6c 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -601,6 +601,16 @@ backend freshmaker-backend server freshmaker-frontend01 freshmaker-frontend01:80 check inter 20s rise 2 fall 3 option httpchk GET /api/1/builds/ +frontend copr-frontend + bind 0.0.0.0:10070 + default_backend copr-backend + +backend copr-backend + balance hdr(appserver) + server copr-frontend01 copr-frontend01:80 check inter 10s rise 1 fall 2 + server copr-frontend02 copr-frontend02:80 check inter 10s rise 1 fall 2 + option httpchk GET /api_3/ + # Apache doesn't handle the initial connection here like the other proxy # entries. This proxy also doesn't use the http mode like the others. # stunnel should be sitting on port 9939 (public) and redirecting From b0477f63dfe8e8b5351f9741080a658e2632a58c Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 11:21:49 +0000 Subject: [PATCH 235/289] Disable pagure-events copr stg service for now --- roles/copr/frontend/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index 4c74d9d949..b81d072af6 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -25,6 +25,7 @@ - name: enable and start pagure-events service: name=pagure-events enabled=yes state=started + when: not 'pagure-events.service is missing in latest copr-frontend rpm in f28 repos' - name: copy apache files to conf.d (templates) template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" From 2753bc3a8307a7e412f8f2f628c7c5421a9c6b80 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 11:33:45 +0000 Subject: [PATCH 236/289] Install python-requests on copr-fe as a workaround --- roles/copr/frontend/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) 
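Review bot: `when: not 'pagure-events.service is missing in latest copr-frontend rpm in f28 repos'` is a non-empty string negated, which Jinja always evaluates to false, so the task is permanently skipped and the reason lives in a value a reader has to evaluate rather than in a comment. If the intent is to skip until the unit ships, say so directly with `when: false  # pagure-events.service is not in the copr-frontend rpm in the f28 repos yet`, or better, gate on whether the unit exists so the task re-enables itself when the package catches up (assuming the unit installs under /usr/lib/systemd/system). The surrounding task list continues outside the hunk.

```yaml
- name: check whether the pagure-events unit is installed
  stat:
    path: /usr/lib/systemd/system/pagure-events.service
  register: pagure_events_unit

- name: enable and start pagure-events
  service: name=pagure-events enabled=yes state=started
  when: pagure_events_unit.stat.exists
```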
diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index b81d072af6..b4c9b5bb98 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -4,6 +4,8 @@ with_items: - copr-frontend - copr-selinux + # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1622513 + - python3-requests tags: - packages From b2e2c82ba361580224ffca271ee38402ed6c3820 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 11:44:40 +0000 Subject: [PATCH 237/289] Fix copr-front-stg db password --- inventory/group_vars/copr-front-stg | 2 +- roles/copr/frontend/templates/copr.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/group_vars/copr-front-stg b/inventory/group_vars/copr-front-stg index 31b5bbb8f8..b74c2a88db 100644 --- a/inventory/group_vars/copr-front-stg +++ b/inventory/group_vars/copr-front-stg @@ -9,7 +9,7 @@ num_cpus: 1 copr_frontend_public_hostname: "copr.stg.fedoraproject.org" -copr_database_password: "{{ copruser_db_password_stg }}" +copruser_db_password: "{{ copruser_db_password_stg }}" tcp_ports: [ 80 ] diff --git a/roles/copr/frontend/templates/copr.conf b/roles/copr/frontend/templates/copr.conf index b5f0aa3611..c39f0700a2 100644 --- a/roles/copr/frontend/templates/copr.conf +++ b/roles/copr/frontend/templates/copr.conf @@ -14,7 +14,7 @@ BACKEND_BASE_URL = '{{ backend_base_url }}' #USE_ALLOWED_USERS = False #ALLOWED_USERS = ['bonnie', 'clyde'] -SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://copruser:{{ copr_database_password }}@db01/copr' +SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://copruser:{{ copruser_db_password }}@db01/copr' # Token length, defaults to 30 (max 255) #API_TOKEN_LENGTH = 30 From e634f0c9c7963eb00e6208b1ee1c560d94cbab0f Mon Sep 17 00:00:00 2001 
From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 11:46:27 +0000 Subject: [PATCH 238/289] Reverseproxy config for copr stg --- playbooks/include/proxies-reverseproxy.yml | 9 +++++++++ playbooks/include/proxies-websites.yml | 3 ++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 51fc8a7834..2ed1a09d6c 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -36,6 +36,15 @@ localpath: /api remotepath: /api proxyurl: https://copr.fedorainfracloud.org + when: env != "staging" + tags: copr + + - role: httpd/reverseproxy + website: copr.fedoraproject.org + destname: copr + proxyurl: http://localhost:10070 + when: env == "staging" + tags: copr - role: httpd/reverseproxy website: nagios.fedoraproject.org diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 2977456c8d..25ca1e4571 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -291,9 +291,10 @@ - role: httpd/website site_name: copr.fedoraproject.org - ssl: true sslonly: true + server_aliases: [copr.stg.fedoraproject.org] cert_name: "{{wildcard_cert_name}}" + tags: copr - role: httpd/website site_name: bugz.fedoraproject.org From af0f0d9c05addef2c0d6b36af641a92bd5297389 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 12:18:13 +0000 Subject: [PATCH 239/289] Remove copr.fp.o to fedorainfracloud redirect in stg --- playbooks/include/proxies-redirects.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index 17e5c1d6f9..91c167b8df 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml 
@@ -189,6 +189,8 @@ shortname: copr website: copr.fedoraproject.org target: https://copr.fedorainfracloud.org/ + when: env != "staging" + tags: copr - role: httpd/redirect shortname: join-fedora From 503bcc57c8a581acea96eb2c0684a7cb69bf686d Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 12:31:32 +0000 Subject: [PATCH 240/289] haproxy: use API v2 endpoint to check copr-frontend --- roles/haproxy/templates/haproxy.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 55c7f51a6c..89c5f3e1b7 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -609,7 +609,7 @@ backend copr-backend balance hdr(appserver) server copr-frontend01 copr-frontend01:80 check inter 10s rise 1 fall 2 server copr-frontend02 copr-frontend02:80 check inter 10s rise 1 fall 2 - option httpchk GET /api_3/ + option httpchk GET /api_2/ # Apache doesn't handle the initial connection here like the other proxy # entries. This proxy also doesn't use the http mode like the others. From dbf227b155835c903fa46f3959e5199970d7885c Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 14:25:37 +0000 Subject: [PATCH 241/289] Add copr upgrade playbook --- playbooks/manual/upgrade/copr.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 playbooks/manual/upgrade/copr.yml diff --git a/playbooks/manual/upgrade/copr.yml b/playbooks/manual/upgrade/copr.yml new file mode 100644 index 0000000000..8dd756718e --- /dev/null +++ b/playbooks/manual/upgrade/copr.yml 
@@ -0,0 +1,30 @@ +- name: upgrade copr packages + hosts: copr-front-stg + tasks: + - name: clean dnf metadata + command: dnf clean all + warn: False + - name: create dnf metadata cache + command: dnf makecache + warn: False + - name: lits installed copr packages + dnf: + list: "copr*" + disablerepo: "*" + register: copr_packages + - name: update copr packages + dnf: + name: "{{ item.name }}" + state: latest + register: copr_upgrade + with_items: "{{ copr_packages.results }}" + - name: stop httpd + service: name="httpd" state=stopped + - name: run db migration + become: yes + become_user: copr-fe + command: alembic-3 upgrade head + args: + chdir: /usr/share/copr/coprs_frontend/ + - name: start httpd + service: name="httpd" state=started From 4a6481eaad9e45812ccc3a58f4b7581e50a8fca8 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 14:31:22 +0000 Subject: [PATCH 242/289] Revert "haproxy: use API v2 endpoint to check copr-frontend" This reverts commit 503bcc57c8a581acea96eb2c0684a7cb69bf686d. --- roles/haproxy/templates/haproxy.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 89c5f3e1b7..55c7f51a6c 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -609,7 +609,7 @@ backend copr-backend balance hdr(appserver) server copr-frontend01 copr-frontend01:80 check inter 10s rise 1 fall 2 server copr-frontend02 copr-frontend02:80 check inter 10s rise 1 fall 2 - option httpchk GET /api_2/ + option httpchk GET /api_3/ # Apache doesn't handle the initial connection here like the other proxy # entries. This proxy also doesn't use the http mode like the others. From ba7a67726ac3355b870a39543c806df4293d82c0 Mon Sep 17 00:00:00 2001 
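Review bot: If `alembic-3 upgrade head` fails, the play aborts between `stop httpd` and `start httpd`, leaving the frontend down with no automatic recovery; the stop/migrate/start sequence should be a `block:` whose `always:` section restarts httpd, so a failed migration still brings the service back. The follow-up hunk in patch 250 adds `when: copr_upgrade.changed` to the stop and migration tasks but keeps the same unprotected shape, so the fix applies there too. Also the task name `lits installed copr packages` has a typo and should read `list installed copr packages`. Indentation below is conventional; the hunk's original indent is not legible here.
```yaml
# … unchanged: dnf clean/makecache, package listing, package upgrade …
    - name: stop httpd, migrate the database, restart httpd
      block:
        - name: stop httpd
          service: name="httpd" state=stopped
        - name: run db migration
          become: yes
          become_user: copr-fe
          command: alembic-3 upgrade head
          args:
            chdir: /usr/share/copr/coprs_frontend/
      always:
        # httpd must come back even when the migration fails
        - name: start httpd
          service: name="httpd" state=started
```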
From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 14:43:52 +0000 Subject: [PATCH 243/289] Enable sudo for sysadmin-copr on copr-front-stg --- playbooks/groups/copr-frontend.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/copr-frontend.yml b/playbooks/groups/copr-frontend.yml index 8ee89b721d..7a2028d382 100644 --- a/playbooks/groups/copr-frontend.yml +++ b/playbooks/groups/copr-frontend.yml @@ -22,6 +22,7 @@ - fas_client - collectd/base - { role: openvpn/client, when: env != "staging" } + - { role: sudo, sudoers: "{{ private }}/files/sudo/copr-sudoers" } - redis - mod_wsgi - copr/frontend From 5d363d4c3b2a4570277b98569b3e867a03471fd4 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 15:05:10 +0000 Subject: [PATCH 244/289] Add copr-frontend-cloud.yml to master playbook --- master.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/master.yml b/master.yml index 642e0d22b1..036b3056ce 100644 --- a/master.yml +++ b/master.yml @@ -36,6 +36,7 @@ - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-backend.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-dist-git.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml +- import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-frontend-cloud.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-keygen.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/datagrepper.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/oci-registry.yml From af7e8f8a26d7f0475f637fd5d2f197b03ec0788b Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Sun, 26 Aug 2018 22:49:18 -0400 Subject: [PATCH 245/289] robosig: rename atomic workstation to silverblue --- roles/robosignatory/files/robosignatory.production.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
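Review bot: The added `- { role: sudo, sudoers: "{{ private }}/files/sudo/copr-sudoers" }` carries no `when:` condition, although the subject scopes the grant to copr-front-stg and the playbook applies to the whole copr-frontend group; the neighbouring `- { role: openvpn/client, when: env != "staging" }` shows the form to use. If the intent really is staging only, write `- { role: sudo, sudoers: "{{ private }}/files/sudo/copr-sudoers", when: env == "staging" }`; if production is meant to get the same sudoers, say so in the commit message, since this is a privilege grant on the hosts that serve copr.fedoraproject.org. The sudoers file itself lives in the private repo and cannot be reviewed here, so the scope of what sysadmin-copr can run should be checked there.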
diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py index e91357a58f..99e7dd7f72 100644 --- a/roles/robosignatory/files/robosignatory.production.py +++ b/roles/robosignatory/files/robosignatory.production.py @@ -394,15 +394,15 @@ config = { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-29' }, - 'fedora/29/x86_64/workstation': { + 'fedora/29/x86_64/silverblue': { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-29' }, - 'fedora/29/x86_64/updates/workstation': { + 'fedora/29/x86_64/updates/silverblue': { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-29' }, - 'fedora/29/x86_64/testing/workstation': { + 'fedora/29/x86_64/testing/silverblue': { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-29' }, @@ -418,7 +418,7 @@ config = { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-30' }, - 'fedora/rawhide/x86_64/workstation': { + 'fedora/rawhide/x86_64/silverblue': { 'directory': '/mnt/fedora_koji/koji/compose/atomic/repo/', 'key': 'fedora-30' }, From 5f4ac4bd1334cdb6de8c0d0ff4d75612cc87df67 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 27 Aug 2018 17:12:51 +0000 Subject: [PATCH 246/289] disable the namespacing for now as it breaks too many things --- roles/batcave/files/namespace.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/batcave/files/namespace.conf b/roles/batcave/files/namespace.conf index 9637798028..04b8bce01e 100644 --- a/roles/batcave/files/namespace.conf +++ b/roles/batcave/files/namespace.conf @@ -23,6 +23,6 @@ # caution, as it will reduce security and isolation achieved by # polyinstantiation. # -/tmp /tmp-inst/ level root,adm -/var/tmp /var/tmp-inst/ level root,adm +#/tmp /tmp-inst/ level root,adm +#/var/tmp /var/tmp-inst/ level root,adm #$HOME $HOME/$USER.inst/ level 
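Review bot: In the namespace.conf hunk the `/tmp` and `/var/tmp` polyinstantiation entries are commented out with no record of why or for how long, while the file's own context lines warn that doing so reduces the isolation polyinstantiation provides; a reader of the deployed file will not know this is meant to be temporary. Add a comment above the two commented lines, e.g. `# Disabled <DATE>: per-user /tmp broke <affected tooling> on batcave; re-enable once fixed, see <TICKET_ID>` (placeholders to be filled in), so the regression is tracked rather than silently permanent. Since the namespace is now shared again, it is worth confirming that nothing on batcave relied on the private `/tmp` for sensitive temporary files.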
From eb8a700b4c021bdcdeefcafc01b203b58a69162a Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Mon, 27 Aug 2018 17:20:08 +0000 Subject: [PATCH 247/289] Upgrade production to bodhi-3.9.0-1.fc27. Signed-off-by: Randy Barlow --- playbooks/openshift-apps/bodhi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/openshift-apps/bodhi.yml b/playbooks/openshift-apps/bodhi.yml index 7fe094daa9..cf1366a076 100644 --- a/playbooks/openshift-apps/bodhi.yml +++ b/playbooks/openshift-apps/bodhi.yml @@ -57,7 +57,7 @@ app: bodhi template: buildconfig.yml objectname: buildconfig.yml - bodhi_version: 3.8.0-1.fc27 + bodhi_version: 3.9.0-1.fc27 when: env != "staging" - role: openshift/start-build app: bodhi From b905b04519ce58aa344e218c3bf4176db97ba75a Mon Sep 17 00:00:00 2001 From: "Justin W. Flory" Date: Mon, 27 Aug 2018 14:18:11 -0400 Subject: [PATCH 248/289] Rename fedmsg IRC bot for new Community Blog posts --- roles/fedmsg/irc/templates/ircbot.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/fedmsg/irc/templates/ircbot.py b/roles/fedmsg/irc/templates/ircbot.py index a89c80637b..669548421d 100644 --- a/roles/fedmsg/irc/templates/ircbot.py +++ b/roles/fedmsg/irc/templates/ircbot.py @@ -109,9 +109,9 @@ config = dict( make_terse=True, {% if env == 'staging' %} - nickname='commopsbot-s', + nickname='commops-bot-s', {% else %} - nickname='commopsbot', + nickname='commops-bot', {% endif %} channel='fedora-commops', filters=dict( @@ -128,9 +128,9 @@ config = dict( make_terse=True, {% if env == 'staging' %} - nickname='commopswatch-s', + nickname='commops-watch-s', {% else %} - nickname='commopswatch', + nickname='commops-watch', {% endif %} channel='fedora-commops', filters=dict( 
@@ -140,7 +140,7 @@ config = dict( body=['^((?!fedora-commops).)*$'], ), ), - # A third one! for that commops crew that watches for the admin user to post on planet + # A third one to listen for new Community Blog posts dict( network='chat.freenode.net', port=6667, @@ -148,9 +148,9 @@ config = dict( make_terse=True, {% if env == 'staging' %} - nickname='commopsplanet-s', + nickname='fm-commblog-s', {% else %} - nickname='commopslanet', + nickname='fm-commblog', {% endif %} channel='fedora-commops', filters=dict( From ca3b247c3ca9d64d8429285eb27521feadb89a47 Mon Sep 17 00:00:00 2001 From: Mohan Boddu Date: Mon, 27 Aug 2018 19:08:39 +0000 Subject: [PATCH 249/289] Adding ostree sync for rawhide Changing atomic workstation to silverblue Signed-off-by: Mohan Boddu --- roles/bodhi2/backend/files/new-updates-sync | 24 +++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/roles/bodhi2/backend/files/new-updates-sync b/roles/bodhi2/backend/files/new-updates-sync index 3bcfbea131..9ddc591004 100755 --- a/roles/bodhi2/backend/files/new-updates-sync +++ b/roles/bodhi2/backend/files/new-updates-sync 
@@ -20,7 +20,23 @@ FEDORAALTDEST = '/pub/fedora-secondary/updates/' EPELDEST = '/pub/epel/' ATOMICSOURCE = '/mnt/koji/compose/atomic/repo/' ATOMICDEST = '/mnt/koji/atomic/repo/' -RELEASES = {'f29': {'topic': 'fedora', +RELEASES = {'f30': {'topic': 'fedora', + 'version': '30', + 'modules': ['fedora', 'fedora-secondary'], + 'repos': {'rawhide': { + 'from': 'f30', + 'ostrees': [{'ref': 'fedora/rawhide/%(arch)s/atomic-host', + 'dest': ATOMICDEST, + 'arches': ['x86_64', 'ppc64le', 'aarch64']}, + {'ref': 'fedora/rawhide/x86_64/silverblue', + 'dest': ATOMICDEST}], + 'to': [{'arches': ['x86_64', 'armhfp', 'aarch64', 'source'], + 'dest': os.path.join(FEDORADEST, '30', 'Everything')}, + {'arches': ['i386', 'ppc64le', 's390x'], + 'dest': os.path.join(FEDORAALTDEST, '30', 'Everything')} + ]}}, + }, + 'f29': {'topic': 'fedora', 'version': '29', 'modules': ['fedora', 'fedora-secondary'], 'repos': {'updates': { @@ -28,10 +44,10 @@ RELEASES = {'f29': {'topic': 'fedora', 'ostrees': [{'ref': 'fedora/29/%(arch)s/updates/atomic-host', 'dest': ATOMICDEST, 'arches': ['x86_64', 'ppc64le', 'aarch64']}, - {'ref': 'fedora/29/x86_64/updates/workstation', + {'ref': 'fedora/29/x86_64/updates/silverblue', 'dest': ATOMICDEST}, # Hack around for the fact that ostree on f25 doesn't know links - {'ref': 'fedora/29/x86_64/workstation', + {'ref': 'fedora/29/x86_64/silverblue', 'dest': ATOMICDEST}], 'to': [{'arches': ['x86_64', 'armhfp', 'aarch64', 'source'], 'dest': os.path.join(FEDORADEST, '29', 'Everything')}, @@ -43,7 +59,7 @@ RELEASES = {'f29': {'topic': 'fedora', 'ostrees': [{'ref': 'fedora/29/%(arch)s/testing/atomic-host', 'dest': ATOMICDEST, 'arches': ['x86_64', 'ppc64le', 'aarch64']}, - {'ref': 'fedora/29/x86_64/testing/workstation', + {'ref': 'fedora/29/x86_64/testing/silverblue', 'dest': ATOMICDEST}], 'to': [{'arches': ['x86_64', 'aarch64', 'armhfp', 'source'], 'dest': os.path.join(FEDORADEST, 'testing', '29', 'Everything')}, 
From 9f8b52eb320c5ff54979b60927ef3409d194f46e Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 19:29:48 +0000 Subject: [PATCH 250/289] Copr upgrade: don't stop httpd unless packages were actually upgraded --- playbooks/manual/upgrade/copr.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/playbooks/manual/upgrade/copr.yml b/playbooks/manual/upgrade/copr.yml index 8dd756718e..2e87172b07 100644 --- a/playbooks/manual/upgrade/copr.yml +++ b/playbooks/manual/upgrade/copr.yml @@ -3,10 +3,12 @@ tasks: - name: clean dnf metadata command: dnf clean all - warn: False + args: + warn: False - name: create dnf metadata cache command: dnf makecache - warn: False + args: + warn: False - name: lits installed copr packages dnf: list: "copr*" @@ -20,11 +22,13 @@ with_items: "{{ copr_packages.results }}" - name: stop httpd service: name="httpd" state=stopped + when: copr_upgrade.changed - name: run db migration become: yes become_user: copr-fe command: alembic-3 upgrade head args: chdir: /usr/share/copr/coprs_frontend/ + when: copr_upgrade.changed - name: start httpd service: name="httpd" state=started From 79d8cc3bc3ddc790fd82687d410e0487f8c63792 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 27 Aug 2018 19:50:54 +0000 Subject: [PATCH 251/289] drop 2 buildvm-aarch64s so we can try osbs-aarch64 --- inventory/builders | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/inventory/builders b/inventory/builders index 7192649b29..1654f406df 100644 --- a/inventory/builders +++ b/inventory/builders 
@@ -77,8 +77,9 @@ buildvm-aarch64-19.arm.fedoraproject.org buildvm-aarch64-20.arm.fedoraproject.org buildvm-aarch64-21.arm.fedoraproject.org buildvm-aarch64-22.arm.fedoraproject.org -buildvm-aarch64-23.arm.fedoraproject.org -buildvm-aarch64-24.arm.fedoraproject.org +# These two have been dropped to allow for osbs builders. +#buildvm-aarch64-23.arm.fedoraproject.org +#buildvm-aarch64-24.arm.fedoraproject.org [buildvm-armv7] buildvm-armv7-01.arm.fedoraproject.org From 672d0063e8f7a07c8f925f23c77edd884a787c55 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 19:49:06 +0000 Subject: [PATCH 252/289] Further cleanup of copr/frontend role --- roles/copr/frontend/tasks/main.yml | 56 +++++++++---------- .../frontend/templates/{httpd => }/coprs.conf | 0 2 files changed, 27 insertions(+), 29 deletions(-) rename roles/copr/frontend/templates/{httpd => }/coprs.conf (100%) diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index b4c9b5bb98..d3b43db0c3 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: install copr-frontend and copr-selinux - dnf: state=latest name={{ item }} +- name: install copr-frontend packages + package: name={{ item }} state=present with_items: - copr-frontend - copr-selinux 
@@ -9,30 +9,23 @@ tags: - packages - # we install python-alembic because https://bugzilla.redhat.com/show_bug.cgi?id=1536058 -- name: install additional pkgs for copr-frontend - dnf: state=present pkg={{ item }} - with_items: - - redis - - python3-alembic - tags: - - packages - - name: install copr configs - template: src="copr.conf" dest=/etc/copr/copr.conf mode=600 + template: src=copr.conf dest=/etc/copr/copr.conf mode=600 notify: - reload httpd tags: - config -- name: enable and start pagure-events - service: name=pagure-events enabled=yes state=started - when: not 'pagure-events.service is missing in latest copr-frontend rpm in f28 repos' - - name: copy apache files to conf.d (templates) - template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" - with_items: - - "coprs.conf" + template: src=coprs.conf dest=/etc/httpd/conf.d/coprs.conf + notify: + - reload httpd + tags: + - config + +- name: set staging banner for staging instance + when: env == 'staging' + copy: src=banner-include.html dest=/var/lib/copr/ tags: - config @@ -42,6 +35,19 @@ name: httpd_execmem state: yes persistent: yes + tags: + - selinux + +- name: enable and start httpd + service: name=httpd state=started enabled=yes + tags: + - service + +- name: enable and start pagure-events + service: name=pagure-events enabled=yes state=started + when: not 'pagure-events.service is missing in latest copr-frontend rpm in f28 repos' + tags: + - service - name: set up admins command: ./manage.py alter_user --admin {{ item }} @@ -49,7 +55,7 @@ become_user: copr-fe args: chdir: /usr/share/copr/coprs_frontend/ - ignore_errors: yes + when: False with_items: - msuchy - sgallagh 
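Review bot: Replacing `ignore_errors: yes` with `when: False` on `set up admins` (and on `rebuild indexes` in the next hunk of this file) turns a best-effort task into one that can never run, without any comment saying why or when it should come back; a bare `when: False` reads like a leftover. Either remove the tasks or put a comment above them, e.g. `# disabled on purpose: <reason> — re-enable once <condition>, see <TICKET_ID>` (placeholders to fill in). The moved `pagure-events` task uses the same trick in a different guise: `when: not '<message>'` is always false because a non-empty string is truthy, so the service is never enabled — prefer an explicit `when: False` with the message as a comment. Note that with `set up admins` disabled, a fresh staging deploy will not get any admin accounts from this list.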
@@ -57,18 +63,10 @@ - nb - kevin -- name: enable services - service: state=started enabled=yes name={{ item }} - with_items: - - httpd - -- name: set staging banner for staging instance - when: env == 'staging' - copy: src=banner-include.html dest=/var/lib/copr/ - - name: rebuild indexes command: ./manage.py update_indexes become: yes become_user: copr-fe args: chdir: /usr/share/copr/coprs_frontend/ + when: False diff --git a/roles/copr/frontend/templates/httpd/coprs.conf b/roles/copr/frontend/templates/coprs.conf similarity index 100% rename from roles/copr/frontend/templates/httpd/coprs.conf rename to roles/copr/frontend/templates/coprs.conf From 75778f3beb07d8a36e3ee08a850a32b668a955d0 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 19:50:47 +0000 Subject: [PATCH 253/289] httpd config cleanup for copr-frontend-stg --- roles/copr/frontend/tasks/main.yml | 2 +- .../templates/{coprs.conf => httpd.conf} | 39 +++++-------------- 2 files changed, 10 insertions(+), 31 deletions(-) rename roles/copr/frontend/templates/{coprs.conf => httpd.conf} (56%) diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index d3b43db0c3..681c894c4e 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -17,7 +17,7 @@ - config - name: copy apache files to conf.d (templates) - template: src=coprs.conf dest=/etc/httpd/conf.d/coprs.conf + template: src=httpd.conf dest=/etc/httpd/conf.d/coprs.conf notify: - reload httpd tags: diff --git a/roles/copr/frontend/templates/coprs.conf b/roles/copr/frontend/templates/httpd.conf similarity index 56% rename from roles/copr/frontend/templates/coprs.conf rename to roles/copr/frontend/templates/httpd.conf index 5f992a9ca1..eaed6e248e 100644 --- a/roles/copr/frontend/templates/coprs.conf +++ b/roles/copr/frontend/templates/httpd.conf 
@@ -1,8 +1,3 @@ -NameVirtualHost *:80 -LoadModule wsgi_module modules/mod_wsgi.so -WSGISocketPrefix /var/run/wsgi -Alias /robots.txt /var/www/html/robots.txt - WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=15 display-name=other maximum-requests=8000 graceful-timeout=20 WSGIDaemonProcess api user=copr-fe group=copr-fe threads=15 display-name=api maximum-requests=8000 graceful-timeout=20 WSGIDaemonProcess backend user=copr-fe group=copr-fe threads=15 display-name=backend maximum-requests=8000 graceful-timeout=20 @@ -10,33 +5,17 @@ WSGIDaemonProcess stats user=copr-fe group=copr-fe threads=15 display-name=stats WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20 WSGIScriptAlias / /usr/share/copr/coprs_frontend/application - - ServerName copr.fedorainfracloud.org - ServerAlias copr-fe.cloud.fedoraproject.org - WSGIPassAuthorization On +ServerName {{ inventory_hostname }} +WSGIPassAuthorization On - - WSGIProcessGroup 127.0.0.1 - - - #ErrorLog logs/error_coprs - #CustomLog logs/access_coprs common - - - WSGIApplicationGroup %{GLOBAL} - Require all granted - - - - -ExtendedStatus On - - - SetHandler server-status - Require all denied - Require host localhost .redhat.com + + WSGIProcessGroup 127.0.0.1 - + + + WSGIApplicationGroup %{GLOBAL} + Require all granted + StartServers 8 From b996789ba94cdd14663c954d65ae5e5966ecdfbc Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 20:07:26 +0000 Subject: [PATCH 254/289] Cleanup copr.conf --- roles/copr/frontend/templates/copr.conf | 26 +++++-------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/roles/copr/frontend/templates/copr.conf b/roles/copr/frontend/templates/copr.conf index c39f0700a2..1d00502212 100644 --- a/roles/copr/frontend/templates/copr.conf +++ b/roles/copr/frontend/templates/copr.conf 
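Review bot: The second hunk deletes the `/server-status` location together with its `Require all denied` and `Require host localhost .redhat.com` access control and the `ExtendedStatus On` line; if mod_status is still loaded by the base module configuration, the handler's exposure now depends on whatever other conf.d files say rather than on this template. Either confirm no other configuration maps the status handler, or keep a deny-by-default location for it (`<Location /server-status>` with `Require all denied`) so the template remains authoritative. The `Alias /robots.txt /var/www/html/robots.txt` line is also dropped; unless the application serves robots.txt itself, crawlers will now get the frontend's 404 for it. The surrounding container tags (VirtualHost/Directory) are not legible in this rendering, so the scope of the remaining `WSGIProcessGroup` and `Require all granted` lines should be checked in the real file.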
@@ -43,32 +43,16 @@ LOG_DIR = "/var/log/copr-frontend/" # to accept stat events from logstash INTRANET_IPS = {{ copr_backend_ips }} -REPO_GPGCHECK = {% if devel %} 0 {% else %} 1 {% endif %} +REPO_GPGCHECK = 1 -{% if env == 'staging' %} -PUBLIC_COPR_BASE_URL = "http://copr-fe-dev.cloud.fedoraproject.org" -{% else %} -PUBLIC_COPR_BASE_URL = "https://copr.fedorainfracloud.org" -{% endif %} +PUBLIC_COPR_BASE_URL = "https://{{ copr_frontend_public_hostname }}" -{% if env == 'staging' %} -# Staging URLs for fedmenu -FEDMENU_URL = "https://apps.stg.fedoraproject.org/fedmenu/" -FEDMENU_DATA_URL = "https://apps.stg.fedoraproject.org/js/data.js" -{% else %} -# Production URLs for fedmenu -FEDMENU_URL = "https://apps.fedoraproject.org/fedmenu/" -FEDMENU_DATA_URL = "https://apps.fedoraproject.org/js/data.js" -{% endif %} +# URLs for fedmenu +FEDMENU_URL = "https://apps{{ env_prefix }}.fedoraproject.org/fedmenu/" +FEDMENU_DATA_URL = "https://apps{{ env_prefix }}.fedoraproject.org/js/data.js" -# todo: check that ansible variable is used correctly -{% if env == 'staging' %} -ENFORCE_PROTOCOL_FOR_BACKEND_URL = "http" -ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "http" -{% else %} ENFORCE_PROTOCOL_FOR_BACKEND_URL = "https" ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "https" -{% endif %} DIST_GIT_URL="https://{{ dist_git_base_url }}/cgit" DIST_GIT_CLONE_URL="https://{{ dist_git_base_url }}/git" From 4b511a2c705ae3eaca5f95b8759ed4b3c62df9b3 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 20:08:41 +0000 Subject: [PATCH 255/289] Tag tasks in copr/frontend role --- roles/copr/frontend/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index 681c894c4e..c93fb6951e 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml 
@@ -7,6 +7,7 @@ # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1622513 - python3-requests tags: + - copr - packages - name: install copr configs @@ -14,6 +15,7 @@ notify: - reload httpd tags: + - copr - config - name: copy apache files to conf.d (templates) @@ -21,12 +23,14 @@ notify: - reload httpd tags: + - copr - config - name: set staging banner for staging instance when: env == 'staging' copy: src=banner-include.html dest=/var/lib/copr/ tags: + - copr - config # https://bugzilla.redhat.com/show_bug.cgi?id=1535689 @@ -36,17 +40,20 @@ state: yes persistent: yes tags: + - copr - selinux - name: enable and start httpd service: name=httpd state=started enabled=yes tags: + - copr - service - name: enable and start pagure-events service: name=pagure-events enabled=yes state=started when: not 'pagure-events.service is missing in latest copr-frontend rpm in f28 repos' tags: + - copr - service - name: set up admins From 3abf9194b02655d2a7bfba0fa81455576c316016 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 27 Aug 2018 20:13:01 +0000 Subject: [PATCH 256/289] Use env_prefix not env_suffix --- roles/copr/frontend/templates/copr.conf | 4 ++-- roles/koschei/frontend/templates/config-frontend.cfg.j2 | 9 ++++----- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/roles/copr/frontend/templates/copr.conf b/roles/copr/frontend/templates/copr.conf index 1d00502212..2207ce99db 100644 --- a/roles/copr/frontend/templates/copr.conf +++ b/roles/copr/frontend/templates/copr.conf 
@@ -48,8 +48,8 @@ REPO_GPGCHECK = 1 PUBLIC_COPR_BASE_URL = "https://{{ copr_frontend_public_hostname }}" # URLs for fedmenu -FEDMENU_URL = "https://apps{{ env_prefix }}.fedoraproject.org/fedmenu/" -FEDMENU_DATA_URL = "https://apps{{ env_prefix }}.fedoraproject.org/js/data.js" +FEDMENU_URL = "https://apps{{ env_suffix }}.fedoraproject.org/fedmenu/" +FEDMENU_DATA_URL = "https://apps{{ env_suffix }}.fedoraproject.org/js/data.js" ENFORCE_PROTOCOL_FOR_BACKEND_URL = "https" ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "https" diff --git a/roles/koschei/frontend/templates/config-frontend.cfg.j2 b/roles/koschei/frontend/templates/config-frontend.cfg.j2 index d5ab5612d6..79028342a1 100644 --- a/roles/koschei/frontend/templates/config-frontend.cfg.j2 +++ b/roles/koschei/frontend/templates/config-frontend.cfg.j2 @@ -2,7 +2,6 @@ # configuration in /usr/share/koschei/config.cfg. It is a python file expecting # assignment to config dictionary which will be recursively merged with the # default one. -{% set env_prefix = ".stg" if env == "staging" else "" %} config = { "database_config": { "host": "{{ koschei_pgsql_hostname }}", @@ -56,7 +55,7 @@ config = { }, }, "pagure": { - "api_url": "https://src{{ env_prefix }}.fedoraproject.org/api/0", + "api_url": "https://src{{ env_suffix }}.fedoraproject.org/api/0", }, "frontend": { "builds_per_page": 8, 
@@ -70,11 +69,11 @@ config = { }, "links": [ {"name": "Packages", - "url": "https://apps{{ env_prefix }}.fedoraproject.org/packages/{package.name}"}, + "url": "https://apps{{ env_suffix }}.fedoraproject.org/packages/{package.name}"}, {"name": "Bodhi", - "url": "https://bodhi{{ env_prefix }}.fedoraproject.org/updates?packages={package.name}"}, + "url": "https://bodhi{{ env_suffix }}.fedoraproject.org/updates?packages={package.name}"}, {"name": "Dist-git", - "url": "https://src{{ env_prefix }}.fedoraproject.org/rpms/{package.name}"}, + "url": "https://src{{ env_suffix }}.fedoraproject.org/rpms/{package.name}"}, {"name": "Bugzilla", "url": "https://{{ koschei_bugzilla }}/buglist.cgi?product={package.collection.bugzilla_product}&component={package.name}"}, {"name": "Koji", From a37e2d5a4071629d0672309dcc56e211bc6a1a6b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 27 Aug 2018 20:27:58 +0000 Subject: [PATCH 257/289] do not check much on sign-vaults --- inventory/group_vars/sign-vault | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/inventory/group_vars/sign-vault b/inventory/group_vars/sign-vault index 8b63ff97a2..59912071ee 100644 --- a/inventory/group_vars/sign-vault +++ b/inventory/group_vars/sign-vault @@ -3,3 +3,9 @@ freezes: true postfix_group: sign host_group: sign ansible_ifcfg_blacklist: true +nagios_Check_Services: + monitor: false + nrpe: false + sshd: false + swap: false + ping: true From d6ba1f5b54fdcd6708221561994272bca403feea Mon Sep 17 00:00:00 2001 From: Mohan Boddu Date: Mon, 27 Aug 2018 20:46:41 +0000 Subject: [PATCH 258/289] Adding rawhide source for ostree sync Signed-off-by: Mohan Boddu --- roles/bodhi2/backend/files/new-updates-sync | 22 +++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/roles/bodhi2/backend/files/new-updates-sync b/roles/bodhi2/backend/files/new-updates-sync index 9ddc591004..194e2bda13 100755 --- a/roles/bodhi2/backend/files/new-updates-sync 
+++ b/roles/bodhi2/backend/files/new-updates-sync @@ -14,6 +14,7 @@ logger = logging.getLogger('updates-sync') SOURCE = '/mnt/koji/compose/updates/' +RAWHIDESOURCE = '/mnt/koji/compose/rawhide/' FEDORADEST = '/pub/fedora/linux/updates/' FEDORAMODDEST = '/pub/fedora/linux/modular/updates/' FEDORAALTDEST = '/pub/fedora-secondary/updates/' @@ -24,7 +25,7 @@ RELEASES = {'f30': {'topic': 'fedora', 'version': '30', 'modules': ['fedora', 'fedora-secondary'], 'repos': {'rawhide': { - 'from': 'f30', + 'from': 'latest-Fedora-Rawhide', 'ostrees': [{'ref': 'fedora/rawhide/%(arch)s/atomic-host', 'dest': ATOMICDEST, 'arches': ['x86_64', 'ppc64le', 'aarch64']}, @@ -291,9 +292,14 @@ def to_human(num_bytes): def sync_single_repo_arch(release, repo, arch, dest_path): - source_path = os.path.join(SOURCE, - RELEASES[release]['repos'][repo]['from'], - 'compose', 'Everything', arch) + if repo == 'rawhide': + source_path = os.path.join(RAWHIDESOURCE, + RELEASES[release]['repos'][repo]['from'], + 'compose', 'Everything', arch) + else: + source_path = os.path.join(SOURCE, + RELEASES[release]['repos'][repo]['from'], + 'compose', 'Everything', arch) maindir = 'tree' if arch == 'source' else 'os' @@ -356,8 +362,12 @@ def sync_single_repo(release, repo): def determine_last_link(release, repo): - source_path = os.path.join(SOURCE, - RELEASES[release]['repos'][repo]['from']) + if repo == 'rawhide': + source_path = os.path.join(RAWHIDESOURCE, + RELEASES[release]['repos'][repo]['from']) + else: + source_path = os.path.join(SOURCE, + RELEASES[release]['repos'][repo]['from']) target = os.readlink(source_path) logger.info('Release %s, repo %s, target %s', release, repo, target) RELEASES[release]['repos'][repo]['from'] = target From 99fc4985c9bce5e7deffa1d66c575104df598089 Mon Sep 17 00:00:00 2001 
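Review bot: The `if repo == 'rawhide': ... else: ...` selection of the source root is duplicated verbatim in `sync_single_repo_arch` and `determine_last_link`, differing only in the trailing path components; a single expression `source_root = RAWHIDESOURCE if repo == 'rawhide' else SOURCE` followed by the original `os.path.join(source_root, ...)` call keeps each function at one statement and leaves one place to change. Keying the branch on the repo name also hard-codes the assumption that only a repo literally called `rawhide` lives under `RAWHIDESOURCE`; if more composes move there, a per-repo `'source'` field in `RELEASES` with `SOURCE` as the default would scale better — inferred from the structure, not something the hunk requires. Both function bodies start and end outside the hunk.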
From: Kevin Fenzi Date: Mon, 27 Aug 2018 21:08:06 +0000 Subject: [PATCH 259/289] Update branched-composer and compose-iot to be able to send various compose.29 messages. --- inventory/host_vars/branched-composer.phx2.fedoraproject.org | 5 +++++ inventory/host_vars/compose-iot-01.phx2.fedoraproject.org | 2 ++ 2 files changed, 7 insertions(+) diff --git a/inventory/host_vars/branched-composer.phx2.fedoraproject.org b/inventory/host_vars/branched-composer.phx2.fedoraproject.org index 7cf1effb61..8658b53e88 100644 --- a/inventory/host_vars/branched-composer.phx2.fedoraproject.org +++ b/inventory/host_vars/branched-composer.phx2.fedoraproject.org @@ -34,3 +34,8 @@ fedmsg_certs: - compose.branched.rsync.complete - compose.branched.rsync.start - compose.branched.start + - compose.29.start + - compose.29.complete + - compose.29.rsync.start + - compose.29.rsync.complete + diff --git a/inventory/host_vars/compose-iot-01.phx2.fedoraproject.org b/inventory/host_vars/compose-iot-01.phx2.fedoraproject.org index 4bfa20d70d..efc4b6c1be 100644 --- a/inventory/host_vars/compose-iot-01.phx2.fedoraproject.org +++ b/inventory/host_vars/compose-iot-01.phx2.fedoraproject.org @@ -35,3 +35,5 @@ fedmsg_certs: - pungi.compose.ostree - compose.29.complete - compose.29.start + - compose.29.rsync.start + - compose.29.rsync.complete From fc9b896beda5782cae8c0acbd9f17e32c9957d77 Mon Sep 17 00:00:00 2001 From: Mohan Boddu Date: Mon, 27 Aug 2018 21:36:24 +0000 Subject: [PATCH 260/289] Fixes for rawhide ostree sync Signed-off-by: Mohan Boddu --- roles/bodhi2/backend/files/new-updates-sync | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/bodhi2/backend/files/new-updates-sync b/roles/bodhi2/backend/files/new-updates-sync index 194e2bda13..3619e6c13b 100755 --- a/roles/bodhi2/backend/files/new-updates-sync +++ b/roles/bodhi2/backend/files/new-updates-sync 
@@ -18,11 +18,13 @@ RAWHIDESOURCE = '/mnt/koji/compose/rawhide/' FEDORADEST = '/pub/fedora/linux/updates/' FEDORAMODDEST = '/pub/fedora/linux/modular/updates/' FEDORAALTDEST = '/pub/fedora-secondary/updates/' +RAWHIDEDEST = '/pub/fedora/linux/development/' +RAWHIDEALTDEST = '/pub/fedora-secondary/development/' EPELDEST = '/pub/epel/' ATOMICSOURCE = '/mnt/koji/compose/atomic/repo/' ATOMICDEST = '/mnt/koji/atomic/repo/' -RELEASES = {'f30': {'topic': 'fedora', - 'version': '30', +RELEASES = {'rawhide': {'topic': 'fedora', + 'version': 'rawhide', 'modules': ['fedora', 'fedora-secondary'], 'repos': {'rawhide': { 'from': 'latest-Fedora-Rawhide', @@ -32,9 +34,9 @@ RELEASES = {'f30': {'topic': 'fedora', {'ref': 'fedora/rawhide/x86_64/silverblue', 'dest': ATOMICDEST}], 'to': [{'arches': ['x86_64', 'armhfp', 'aarch64', 'source'], - 'dest': os.path.join(FEDORADEST, '30', 'Everything')}, + 'dest': os.path.join(RAWHIDEDEST, 'rawhide', 'Everything')}, {'arches': ['i386', 'ppc64le', 's390x'], - 'dest': os.path.join(FEDORAALTDEST, '30', 'Everything')} + 'dest': os.path.join(RAWHIDEALTDEST, 'rawhide', 'Everything')} ]}}, }, 'f29': {'topic': 'fedora', From 28d323bfcf46196655a1984cff2f5eff9c62e332 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Mon, 27 Aug 2018 21:44:14 +0000 Subject: [PATCH 261/289] try to make nomail better --- inventory/group_vars/bastion | 2 ++ inventory/host_vars/download-rdu01.fedoraproject.org | 4 ++++ inventory/host_vars/osbs-control01.phx2.fedoraproject.org | 3 +++ inventory/host_vars/virthost-rdu01.fedoraproject.org | 3 +++ .../nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 | 5 +++-- 5 files changed, 15 insertions(+), 2 deletions(-) diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion index f005363510..3d150c111e 100644 --- a/inventory/group_vars/bastion +++ b/inventory/group_vars/bastion 
@@ -55,3 +55,5 @@ csi_relationship: | - All incoming SMTP from phx2 and VPN, as well as outgoing SMTP, pass or are filtered here. - Bastion does not accept any mail outside phx2/vpn. +nagios_Check_Services: + nrpe: false diff --git a/inventory/host_vars/download-rdu01.fedoraproject.org b/inventory/host_vars/download-rdu01.fedoraproject.org index 9cb0cbe8a4..aaa4f83e02 100644 --- a/inventory/host_vars/download-rdu01.fedoraproject.org +++ b/inventory/host_vars/download-rdu01.fedoraproject.org @@ -13,3 +13,7 @@ eth1_ip: 172.31.1.1 eth1_nm: 255.255.255.0 public_ip: 209.132.190.4 + +nagios_Check_Services: + nrpe: false + ping: true diff --git a/inventory/host_vars/osbs-control01.phx2.fedoraproject.org b/inventory/host_vars/osbs-control01.phx2.fedoraproject.org index c9788e04e7..87afbeea9a 100644 --- a/inventory/host_vars/osbs-control01.phx2.fedoraproject.org +++ b/inventory/host_vars/osbs-control01.phx2.fedoraproject.org @@ -13,3 +13,6 @@ datacenter: phx2 mem_size: 4096 max_mem_size: 4096 + +nagios_Check_Services: + nrpe: false diff --git a/inventory/host_vars/virthost-rdu01.fedoraproject.org b/inventory/host_vars/virthost-rdu01.fedoraproject.org index 70bf538d09..2334323bd0 100644 --- a/inventory/host_vars/virthost-rdu01.fedoraproject.org +++ b/inventory/host_vars/virthost-rdu01.fedoraproject.org @@ -13,3 +13,6 @@ br1_nm: 255.255.255.0 vpn: true public_ip: 209.132.190.11 + +nagios_Check_Services: + nrpe: false diff --git a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 index 881b950617..0fc9323c61 100644 --- a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 +++ b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 
@@ -1,6 +1,7 @@ define hostgroup { hostgroup_name nomail - alias No Mail - members *, !status, !registry-cdn, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion']|sort %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm']|sort %}!{{host}}, {% endfor %} {% for host in groups['builders']|sort %}!{{host}},{% endfor %} {% for host in groups['builders-stg']|sort %}!{{host}},{% endfor %} {% for host in groups['cloud']|sort %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited']|sort %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts']|sort %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} + alias Detect For 0 Mail In Queue +# members *, !status, !registry-cdn, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion']|sort %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm']|sort %}!{{host}}, {% endfor %} {% for host in groups['builders']|sort %}!{{host}},{% endfor %} {% for host in groups['builders-stg']|sort %}!{{host}},{% endfor %} {% for host in groups['cloud']|sort %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited']|sort %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts']|sort %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} + members {% for host in groups['all']|sort %}{% if hostvars[host].nagios_Check_Services['nrpe'] == true %}{{host}}, {% endif %}{% endfor %} } From 8f742a90d527ab3a71ccff89ae107ddf7c45b433 Mon Sep 17 00:00:00 2001 
From: Stephen Smoogen Date: Mon, 27 Aug 2018 22:07:56 +0000 Subject: [PATCH 262/289] you cant comment out jinja2 silly --- roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 index 0fc9323c61..b6187aedbc 100644 --- a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 +++ b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 @@ -1,7 +1,6 @@ define hostgroup { hostgroup_name nomail alias Detect For 0 Mail In Queue -# members *, !status, !registry-cdn, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion']|sort %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm']|sort %}!{{host}}, {% endfor %} {% for host in groups['builders']|sort %}!{{host}},{% endfor %} {% for host in groups['builders-stg']|sort %}!{{host}},{% endfor %} {% for host in groups['cloud']|sort %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited']|sort %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts']|sort %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} members {% for host in groups['all']|sort %}{% if hostvars[host].nagios_Check_Services['nrpe'] == true %}{{host}}, {% endif %}{% endfor %} } From 81ffb2d7fd99084e5057c8efb726be3e409fab4d Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Mon, 27 Aug 2018 15:42:11 -0700 Subject: [PATCH 263/289] openqa/dispatcher: Correct wikitcms OIDC token permissions These were correct in relvalconsumer, but not here... Signed-off-by: Adam Williamson --- roles/openqa/dispatcher/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/openqa/dispatcher/tasks/main.yml b/roles/openqa/dispatcher/tasks/main.yml
index b27537df33..070931cc45 100644
--- a/roles/openqa/dispatcher/tasks/main.yml
+++ b/roles/openqa/dispatcher/tasks/main.yml
@@ -153,7 +153,7 @@
 - config
 - name: Write wikitcms token file for fedmsg
- copy: src={{ wikitcms_token }} dest=/usr/share/fedmsg/.openidc/oidc_wikitcms.json owner=root group=fedmsg mode=0640
+ copy: src={{ wikitcms_token }} dest=/usr/share/fedmsg/.openidc/oidc_wikitcms.json owner=root group=fedmsg mode=0660
 when: "wikitcms_token is defined"
 tags:
 - config
From 330a8e4a1dee915f6a7dbab9e96b61fad4013f1e Mon Sep 17 00:00:00 2001
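Review bot: The token file under `/usr/share/fedmsg/.openidc/` becomes group-writable for `fedmsg`, and nothing in the task says why a credential file needs write rather than read access; the commit message only says it now matches relvalconsumer. Presumably the OIDC client running as the fedmsg user rewrites the file when it refreshes the token — if so, record that above the task, e.g. `# 0660: the fedmsg user refreshes the OIDC token and rewrites this file in place`, so the mode is not tightened back to 0640 by a later cleanup. If the consumer only ever reads the token, 0640 was the correct mode and this change gives every member of the fedmsg group write access to a credential. The enclosing task list starts and ends outside the hunk.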
From: Stephen Smoogen Date: Mon, 27 Aug 2018 22:44:54 +0000 Subject: [PATCH 264/289] and this should make our mail easier to read --- inventory/group_vars/all | 2 +- inventory/group_vars/bastion | 3 ++- inventory/group_vars/builders | 1 + inventory/group_vars/builders-stg | 1 + inventory/group_vars/cloud | 1 + inventory/group_vars/faf-stg | 1 + inventory/group_vars/newcloud | 2 +- inventory/group_vars/os-masters | 1 + inventory/group_vars/os-masters-stg | 1 + inventory/group_vars/os-nodes | 1 + inventory/group_vars/os-nodes-stg | 1 + inventory/group_vars/retrace-stg | 1 + inventory/group_vars/sign-vault | 2 +- inventory/group_vars/smtp-mm | 4 ++++ inventory/host_vars/batcave13.rdu2.fedoraproject.org | 1 + inventory/host_vars/download-rdu01.fedoraproject.org | 1 + inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org | 1 + inventory/host_vars/fed-cloud01.cloud.fedoraproject.org | 1 + inventory/host_vars/fed-cloud02.cloud.fedoraproject.org | 1 + inventory/host_vars/ns13.rdu2.fedoraproject.org | 1 + inventory/host_vars/osbs-control01.phx2.fedoraproject.org | 1 + inventory/host_vars/relay-stg.ci.centos.org | 2 +- inventory/host_vars/relay.ci.centos.org | 2 +- inventory/host_vars/undercloud02.cloud.fedoraproject.org | 2 +- inventory/host_vars/virthost-rdu01.fedoraproject.org | 1 + roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 | 2 +- 26 files changed, 30 insertions(+), 8 deletions(-) diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 3388e07774..8c8d881145 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -264,7 +264,7 @@ createrepo: True # Nagios global variables nagios_Check_Services: - monitor: true + mail: true nrpe: true sshd: true named: false diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion index 3d150c111e..1e8e32c923 100644 --- a/inventory/group_vars/bastion +++ b/inventory/group_vars/bastion 
@@ -56,4 +56,5 @@ csi_relationship: | - Bastion does not accept any mail outside phx2/vpn. nagios_Check_Services: - nrpe: false + nrpe: true + mail: false diff --git a/inventory/group_vars/builders b/inventory/group_vars/builders index c22c3870a9..f286a2fb97 100644 --- a/inventory/group_vars/builders +++ b/inventory/group_vars/builders @@ -5,3 +5,4 @@ nagios_Check_Services: nrpe: false swap: false + mail: false diff --git a/inventory/group_vars/builders-stg b/inventory/group_vars/builders-stg index c22c3870a9..f286a2fb97 100644 --- a/inventory/group_vars/builders-stg +++ b/inventory/group_vars/builders-stg @@ -5,3 +5,4 @@ nagios_Check_Services: nrpe: false swap: false + mail: false diff --git a/inventory/group_vars/cloud b/inventory/group_vars/cloud index daa307cee8..705a2186e4 100644 --- a/inventory/group_vars/cloud +++ b/inventory/group_vars/cloud @@ -1,5 +1,6 @@ --- nagios_Check_Services: + mail: false nrpe: false swap: false datacenter: cloud diff --git a/inventory/group_vars/faf-stg b/inventory/group_vars/faf-stg index fda1fc1650..8a062493c6 100644 --- a/inventory/group_vars/faf-stg +++ b/inventory/group_vars/faf-stg @@ -6,6 +6,7 @@ tcp_ports: [ 80, 443 ] sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers" nagios_Check_Services: + mail: false nrpe: false swap: false diff --git a/inventory/group_vars/newcloud b/inventory/group_vars/newcloud index 45b6b607b6..7c44caf35c 100644 --- a/inventory/group_vars/newcloud +++ b/inventory/group_vars/newcloud @@ -11,7 +11,7 @@ ansible_ifcfg_whitelist: ['eth1'] baseiptables: false ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q cloud-noc01.cloud.fedoraproject.org"' nagios_Check_Services: - monitor: false + mail: false nrpe: false sshd: false swap: false diff --git a/inventory/group_vars/os-masters b/inventory/group_vars/os-masters index 4f9891d8ad..16298ca729 100644 --- a/inventory/group_vars/os-masters +++ b/inventory/group_vars/os-masters 
@@ -6,3 +6,4 @@ swap: false nagios_Check_Services: swap: false nrpe: false + mail: false diff --git a/inventory/group_vars/os-masters-stg b/inventory/group_vars/os-masters-stg index 3b850a08b4..661aafd42b 100644 --- a/inventory/group_vars/os-masters-stg +++ b/inventory/group_vars/os-masters-stg @@ -6,3 +6,4 @@ os_app_url: app.os.stg.fedoraproject.org nagios_Check_Services: swap: false nrpe: false + mail: false diff --git a/inventory/group_vars/os-nodes b/inventory/group_vars/os-nodes index 4f9891d8ad..16298ca729 100644 --- a/inventory/group_vars/os-nodes +++ b/inventory/group_vars/os-nodes @@ -6,3 +6,4 @@ swap: false nagios_Check_Services: swap: false nrpe: false + mail: false diff --git a/inventory/group_vars/os-nodes-stg b/inventory/group_vars/os-nodes-stg index 3b850a08b4..661aafd42b 100644 --- a/inventory/group_vars/os-nodes-stg +++ b/inventory/group_vars/os-nodes-stg @@ -6,3 +6,4 @@ os_app_url: app.os.stg.fedoraproject.org nagios_Check_Services: swap: false nrpe: false + mail: false diff --git a/inventory/group_vars/retrace-stg b/inventory/group_vars/retrace-stg index 5701a48b07..1546b890bc 100644 --- a/inventory/group_vars/retrace-stg +++ b/inventory/group_vars/retrace-stg @@ -7,5 +7,6 @@ sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers" root_auth_users: msuchy nagios_Check_Services: + mail: false nrpe: false swap: false diff --git a/inventory/group_vars/sign-vault b/inventory/group_vars/sign-vault index 59912071ee..6ca3adcbd3 100644 --- a/inventory/group_vars/sign-vault +++ b/inventory/group_vars/sign-vault @@ -4,7 +4,7 @@ postfix_group: sign host_group: sign ansible_ifcfg_blacklist: true nagios_Check_Services: - monitor: false + mail: false nrpe: false sshd: false swap: false diff --git a/inventory/group_vars/smtp-mm b/inventory/group_vars/smtp-mm index 5026f332f7..ac51a7938a 100644 --- a/inventory/group_vars/smtp-mm +++ b/inventory/group_vars/smtp-mm 
@@ -14,3 +14,7 @@ fas_client_groups: sysadmin-noc,sysadmin-tools,fi-apprentice,sysadmin-veteran postfix_transport_filename: transports.mm-smtp postfix_group: smtp-mm vpn: true + +nagios_Check_Services: + nrpe: true + mail: false diff --git a/inventory/host_vars/batcave13.rdu2.fedoraproject.org b/inventory/host_vars/batcave13.rdu2.fedoraproject.org index dcbd9c85bc..54dddc5115 100644 --- a/inventory/host_vars/batcave13.rdu2.fedoraproject.org +++ b/inventory/host_vars/batcave13.rdu2.fedoraproject.org @@ -26,6 +26,7 @@ postfix_group: vpn vpn: true nagios_Check_Services: + mail: false nrpe: false sshd: false swap: false diff --git a/inventory/host_vars/download-rdu01.fedoraproject.org b/inventory/host_vars/download-rdu01.fedoraproject.org index aaa4f83e02..b191d87481 100644 --- a/inventory/host_vars/download-rdu01.fedoraproject.org +++ b/inventory/host_vars/download-rdu01.fedoraproject.org @@ -15,5 +15,6 @@ eth1_nm: 255.255.255.0 public_ip: 209.132.190.4 nagios_Check_Services: + mail: false nrpe: false ping: true diff --git a/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org b/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org index 8ea089496d..032f6906ac 100644 --- a/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org @@ -12,6 +12,7 @@ vmhost: virthost04.stg.phx2.fedoraproject.org datacenter: phx2 nagios_Check_Services: + mail: false nrpe: false swap: false diff --git a/inventory/host_vars/fed-cloud01.cloud.fedoraproject.org b/inventory/host_vars/fed-cloud01.cloud.fedoraproject.org index 3589a63061..ce54999840 100644 --- a/inventory/host_vars/fed-cloud01.cloud.fedoraproject.org +++ b/inventory/host_vars/fed-cloud01.cloud.fedoraproject.org @@ -1,4 +1,5 @@ --- nagios_Check_Services: + mail: false nrpe: false swap: false diff --git a/inventory/host_vars/fed-cloud02.cloud.fedoraproject.org b/inventory/host_vars/fed-cloud02.cloud.fedoraproject.org index 3589a63061..ce54999840 100644 
--- a/inventory/host_vars/fed-cloud02.cloud.fedoraproject.org +++ b/inventory/host_vars/fed-cloud02.cloud.fedoraproject.org @@ -1,4 +1,5 @@ --- nagios_Check_Services: + mail: false nrpe: false swap: false diff --git a/inventory/host_vars/ns13.rdu2.fedoraproject.org b/inventory/host_vars/ns13.rdu2.fedoraproject.org index 42d5ae003e..db8de347ea 100644 --- a/inventory/host_vars/ns13.rdu2.fedoraproject.org +++ b/inventory/host_vars/ns13.rdu2.fedoraproject.org @@ -28,6 +28,7 @@ ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q root@bastion13.fedora nagios_Check_Services: nrpe: false + mail: false sshd: false swap: false ping: false diff --git a/inventory/host_vars/osbs-control01.phx2.fedoraproject.org b/inventory/host_vars/osbs-control01.phx2.fedoraproject.org index 87afbeea9a..664fdec6b3 100644 --- a/inventory/host_vars/osbs-control01.phx2.fedoraproject.org +++ b/inventory/host_vars/osbs-control01.phx2.fedoraproject.org @@ -16,3 +16,4 @@ max_mem_size: 4096 nagios_Check_Services: nrpe: false + mail: false diff --git a/inventory/host_vars/relay-stg.ci.centos.org b/inventory/host_vars/relay-stg.ci.centos.org index d24ffdb3d5..50248bcf68 100644 --- a/inventory/host_vars/relay-stg.ci.centos.org +++ b/inventory/host_vars/relay-stg.ci.centos.org @@ -62,7 +62,7 @@ fedmsg_prefix: org.centos fedmsg_env: stg nagios_Check_Services: - monitor: false + mail: false nrpe: false sshd: false swap: false diff --git a/inventory/host_vars/relay.ci.centos.org b/inventory/host_vars/relay.ci.centos.org index 8c98190eb6..2648a8d162 100644 --- a/inventory/host_vars/relay.ci.centos.org +++ b/inventory/host_vars/relay.ci.centos.org @@ -62,7 +62,7 @@ fedmsg_prefix: org.centos fedmsg_env: prod nagios_Check_Services: - monitor: false + mail: false nrpe: false sshd: false swap: false diff --git a/inventory/host_vars/undercloud02.cloud.fedoraproject.org b/inventory/host_vars/undercloud02.cloud.fedoraproject.org index 7e7d3b0e27..1adcb27f86 100644 
--- a/inventory/host_vars/undercloud02.cloud.fedoraproject.org
+++ b/inventory/host_vars/undercloud02.cloud.fedoraproject.org
@@ -17,7 +17,7 @@ vmhost: cloud-noc01.cloud.fedoraproject.org
 datacenter: newcloud
 nagios_Check_Services:
- monitor: false
+ mail: false
 nrpe: false
 sshd: false
 swap: false
diff --git a/inventory/host_vars/virthost-rdu01.fedoraproject.org b/inventory/host_vars/virthost-rdu01.fedoraproject.org
index 2334323bd0..50b5998788 100644
--- a/inventory/host_vars/virthost-rdu01.fedoraproject.org
+++ b/inventory/host_vars/virthost-rdu01.fedoraproject.org
@@ -16,3 +16,4 @@ public_ip: 209.132.190.11
 nagios_Check_Services:
 nrpe: false
+ mail: false
diff --git a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2
index b6187aedbc..53df68536c 100644
--- a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2
+++ b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2
@@ -1,6 +1,6 @@
 define hostgroup {
 hostgroup_name nomail
 alias Detect For 0 Mail In Queue
- members {% for host in groups['all']|sort %}{% if hostvars[host].nagios_Check_Services['nrpe'] == true %}{{host}}, {% endif %}{% endfor %}
+ members {% for host in groups['all']|sort %}{% if hostvars[host].nagios_Check_Services['nrpe'] == true and hostvars[host].nagios_Check_Services['mail'] == true%}{{host}}, {% endif %}{% endfor %}
 }
From 189aa8bbb808d5b35173d15c2b2212603068446f Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Mon, 27 Aug 2018 15:47:15 -0700 Subject: [PATCH 265/289] Update list of recipients of openQA error mails Tim's away ATM and Lukas replaced Petr on this beat. Signed-off-by: Adam Williamson --- inventory/group_vars/openqa | 3 +-- inventory/group_vars/openqa-stg | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/inventory/group_vars/openqa b/inventory/group_vars/openqa
index eff21ebcef..f6a4988f5e 100644
--- a/inventory/group_vars/openqa
+++ b/inventory/group_vars/openqa
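Review bot: The new `members` condition ends in `== true%}`, dropping the space before `%}` that every other `{% ... %}` tag in the template keeps; Jinja tolerates it, but it reads as a typo. Since the compared values are YAML booleans, the two `== true` tests can also go, e.g. `{% if hostvars[host].nagios_Check_Services['nrpe'] and hostvars[host].nagios_Check_Services['mail'] %}`, which is shorter and keeps the tag spacing consistent.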
@@ -44,8 +44,7 @@ tcp_ports: [80, 2049]
 # These people get told when something goes wrong.
 fedmsg_error_recipients:
 - adamwill@fedoraproject.org
-- tflink@fedoraproject.org
-- pschindl@fedoraproject.org
+- lruzicka@fedoraproject.org
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/openqa-stg b/inventory/group_vars/openqa-stg
index 971a34887f..eb63b3e05f 100644
--- a/inventory/group_vars/openqa-stg
+++ b/inventory/group_vars/openqa-stg
@@ -48,8 +48,7 @@ tcp_ports: [80, 2049]
 # These people get told when something goes wrong.
 fedmsg_error_recipients:
 - adamwill@fedoraproject.org
-- tflink@fedoraproject.org
-- pschindl@fedoraproject.org
+- lruzicka@fedoraproject.org
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
From 6e1721ca8ccde4e89d8c4433c233e0c98ea7b989 Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Mon, 27 Aug 2018 22:56:55 +0000 Subject: [PATCH 266/289] Add a .mailmap to map all my commits to one author in git shortlog. This is purely for my sanity, but also demonstrates how someone else could do similarly if needed. Signed-off-by: Rick Elrod --- .mailmap | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .mailmap
diff --git a/.mailmap b/.mailmap
new file mode 100644
index 0000000000..af8eb2f941
--- /dev/null
+++ b/.mailmap
@@ -0,0 +1,5 @@
+Rick Elrod
+Rick Elrod Ricky Elrod
+Rick Elrod Ricky Elrod
+
+# ... others go here ...
From 8f3f89fc638d8d8bd3b3a874603d762efdaeae00 Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Mon, 27 Aug 2018 23:19:56 +0000 Subject: [PATCH 267/289] add these back to dhcp config for now Signed-off-by: Rick Elrod --- ...d.conf.cloud-noc01.cloud.fedoraproject.org | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+)
diff --git a/roles/dhcp_server/files/dhcpd.conf.cloud-noc01.cloud.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.cloud-noc01.cloud.fedoraproject.org
index 16511d0b67..16c2d5504c 100644
--- a/roles/dhcp_server/files/dhcpd.conf.cloud-noc01.cloud.fedoraproject.org
+++ b/roles/dhcp_server/files/dhcpd.conf.cloud-noc01.cloud.fedoraproject.org
@@ -31,6 +31,30 @@ shared-network cloud {
 option routers 172.23.1.254;
+ host rhev01 {
+ hardware ethernet 48:4D:7E:05:4E:F4;
+ fixed-address 172.23.1.5;
+ option host-name "rhev01.fedoraproject.org";
+ next-server 172.23.1.1;
+ filename "pxelinux.0";
+ }
+
+ host rhev02 {
+ hardware ethernet 48:4D:7E:05:4F:E2;
+ fixed-address 172.23.1.6;
+ option host-name "rhev01.fedoraproject.org";
+ next-server 172.23.1.1;
+ filename "pxelinux.0";
+ }
+
+ host rhev03 {
+ hardware ethernet 48:4D:7E:05:4F:5C;
+ fixed-address 172.23.1.7;
+ option host-name "rhev01.fedoraproject.org";
+ next-server 172.23.1.1;
+ filename "pxelinux.0";
+ }
+
 # Transitional
 host arm03-packager00-mgmt {
 hardware ethernet fc:2f:40:1b:64:4e;
From 2735d46895668db496946da04598036abfdb4abc Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 28 Aug 2018 01:58:07 +0000 Subject: [PATCH 268/289] Pin greenwave to 0.9.4 This is for: - https://github.com/fedora-infra/bodhi/issues/2554 - https://pagure.io/greenwave/issue/287 --- roles/openshift-apps/greenwave/templates/imagestream.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/roles/openshift-apps/greenwave/templates/imagestream.yml b/roles/openshift-apps/greenwave/templates/imagestream.yml
index 9c564644fb..bd35237806 100644
--- a/roles/openshift-apps/greenwave/templates/imagestream.yml
+++ b/roles/openshift-apps/greenwave/templates/imagestream.yml
@@ -20,5 +20,9 @@ spec:
 name: quay.io/factory2/greenwave:latest
 {% else %}
 # This is 'prod' tag is maintained by hand.
- name: quay.io/factory2/greenwave:prod
+ #name: quay.io/factory2/greenwave:prod
+ # But, pin it to 0.9.4 until we can resolve
+ # https://github.com/fedora-infra/bodhi/issues/2554
+ # https://pagure.io/greenwave/issue/287
+ name: quay.io/factory2/greenwave:0.9.4
 {% endif %}
From d03bdfecbf91e3fb0e983dae2bcd6563cc4765b2 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 28 Aug 2018 09:09:08 +0000 Subject: [PATCH 269/289] Fix copr stg IP addresses --- inventory/host_vars/copr-be-stg.fedorainfracloud.org | 2 +- inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org | 2 +- inventory/host_vars/copr-keygen-stg.fedorainfracloud.org | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/inventory/host_vars/copr-be-stg.fedorainfracloud.org b/inventory/host_vars/copr-be-stg.fedorainfracloud.org index f940f52aab..f000c0d26c 100644 --- a/inventory/host_vars/copr-be-stg.fedorainfracloud.org +++ b/inventory/host_vars/copr-be-stg.fedorainfracloud.org @@ -5,7 +5,7 @@ keypair: fedora-admin-20130801 security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent,fedmsg-relay-persistent zone: nova hostbase: copr-be-stg- -public_ip: 209.132.184.53 +public_ip: 209.132.184.44 root_auth_users: msuchy pingou frostyx dturecek clime description: copr dispatcher and repo server - stg instance tcp_ports: ['22', '80', '443', '2003', '4001'] diff --git a/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org b/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org index 7726d38b67..d02c129dfb 100644 --- a/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org +++ b/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org @@ -5,7 +5,7 @@ keypair: fedora-admin-20130801 security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent zone: nova hostbase: copr-dist-git-stg- -public_ip: 209.132.184.179 +public_ip: 209.132.184.57 root_auth_users: ryanlerch pingou msuchy dturecek frostyx clime description: dist-git for copr service - stg instance tcp_ports: [22, 80] diff --git a/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org b/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org index c997b24910..e97eae9c0f 100644 
--- a/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org +++ b/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org @@ -6,7 +6,7 @@ keypair: fedora-admin-20130801 security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent zone: nova hostbase: copr-keygen-stg- -public_ip: 209.132.184.46 +public_ip: 209.132.184.56 root_auth_users: msuchy clime frostyx dturecek volumes: [ {volume_id: '5424ff3c-b1c6-4291-a0ed-2d30924f4f88', device: '/dev/vdc'} ] description: copr keygen and sign host - stg instance From ae190a6f65ad8e54d173cdceda5282b42507e1af Mon Sep 17 00:00:00 2001 From: clime Date: Tue, 28 Aug 2018 13:30:33 +0200 Subject: [PATCH 270/289] copr-keygen-stg: add explicit resolvconf definition --- inventory/group_vars/copr-keygen-stg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inventory/group_vars/copr-keygen-stg b/inventory/group_vars/copr-keygen-stg index 7c690fb4ea..2b576f943a 100644 --- a/inventory/group_vars/copr-keygen-stg +++ b/inventory/group_vars/copr-keygen-stg @@ -1,4 +1,6 @@ --- +resolvconf: "resolv.conf/cloud" + devel: true copr_hostbase: copr-keygen-stg From 658df40ee870107fb357095cd980c6001301e27b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Tue, 28 Aug 2018 15:39:20 +0200 Subject: [PATCH 271/289] copr: remove asamalik and add clime,jkadlcik to forward files --- inventory/host_vars/copr-dist-git.fedorainfracloud.org | 2 +- inventory/host_vars/copr-fe.cloud.fedoraproject.org | 2 +- roles/copr/base/files/forward | 2 ++ roles/copr/base/files/forward_dev | 3 ++- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/inventory/host_vars/copr-dist-git.fedorainfracloud.org b/inventory/host_vars/copr-dist-git.fedorainfracloud.org index e88f14097e..7e427a7f5d 100644 --- a/inventory/host_vars/copr-dist-git.fedorainfracloud.org +++ b/inventory/host_vars/copr-dist-git.fedorainfracloud.org 
@@ -6,7 +6,7 @@ security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-i zone: nova hostbase: copr-dist-git public_ip: 209.132.184.163 -root_auth_users: msuchy asamalik clime frostyx +root_auth_users: msuchy clime frostyx description: dist-git for copr service - prod instance tcp_ports: [22, 80] # volumes: copr-dist-git, copr-dist-git-log diff --git a/inventory/host_vars/copr-fe.cloud.fedoraproject.org b/inventory/host_vars/copr-fe.cloud.fedoraproject.org index 0f296321a2..b2ff09faac 100644 --- a/inventory/host_vars/copr-fe.cloud.fedoraproject.org +++ b/inventory/host_vars/copr-fe.cloud.fedoraproject.org @@ -9,7 +9,7 @@ security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywh zone: nova hostbase: copr-fe- public_ip: 209.132.184.54 -root_auth_users: msuchy asamalik clime frostyx +root_auth_users: msuchy clime frostyx description: copr frontend server - prod instance tcp_ports: [22, 80, 443] volumes: [ {volume_id: '8f790db7-8294-4d2b-8bae-7af5961ce0f8', device: '/dev/vdc'} ] diff --git a/roles/copr/base/files/forward b/roles/copr/base/files/forward index 2e1b36e41d..6026f0decc 100644 --- a/roles/copr/base/files/forward +++ b/roles/copr/base/files/forward @@ -3,3 +3,5 @@ kfenzi@redhat.com nb@fedoraproject.org sgallagh@redhat.com tcallawa@redhat.com +clime@redhat.com +jkadlcik@redhat.com diff --git a/roles/copr/base/files/forward_dev b/roles/copr/base/files/forward_dev index e25b03e22b..dd2c4e6759 100644 --- a/roles/copr/base/files/forward_dev +++ b/roles/copr/base/files/forward_dev @@ -1,2 +1,3 @@ msuchy+coprmachine@redhat.com -asamalik@redhat.com +clime@redhat.com +jkadlcik@redhat.com From 2e6abc8f1be8e2b6ef4692191775a2d433202b62 Mon Sep 17 00:00:00 2001 
From: clime Date: Tue, 28 Aug 2018 16:34:25 +0200 Subject: [PATCH 272/289] copr-stg: update config --- inventory/group_vars/copr-dist-git-stg | 3 +-- inventory/group_vars/copr-keygen-stg | 10 ++++------ inventory/group_vars/copr-stg | 4 ++-- 3 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/inventory/group_vars/copr-dist-git-stg b/inventory/group_vars/copr-dist-git-stg
index 4e8368f0b2..502e4fc16a 100644
--- a/inventory/group_vars/copr-dist-git-stg
+++ b/inventory/group_vars/copr-dist-git-stg
@@ -1,7 +1,6 @@
 ---
 resolvconf: "resolv.conf/cloud"
-tcp_ports: [22, 80]
+tcp_ports: [22, 80, 443]
 datacenter: cloud
 freezes: false
-custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT']
diff --git a/inventory/group_vars/copr-keygen-stg b/inventory/group_vars/copr-keygen-stg
index 2b576f943a..082582668b 100644
--- a/inventory/group_vars/copr-keygen-stg
+++ b/inventory/group_vars/copr-keygen-stg
@@ -1,16 +1,14 @@
 ---
 resolvconf: "resolv.conf/cloud"
-devel: true
-
 copr_hostbase: copr-keygen-stg
 tcp_ports: [] # http + signd dest ports
-#custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 80 -j ACCEPT',
-# '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 80 -j ACCEPT',
-# '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 5167 -j ACCEPT',
-# '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 5167 -j ACCEPT']
+custom_rules: ['-A INPUT -p tcp -m tcp -s 172.25.33.9 --dport 80 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 172.25.151.227 --dport 80 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 172.25.33.9 --dport 5167 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 172.25.151.227 --dport 5167 -j ACCEPT']
 datacenter: cloud
diff --git a/inventory/group_vars/copr-stg b/inventory/group_vars/copr-stg
index f5af3f2bea..4f5be7d34d 100644
--- a/inventory/group_vars/copr-stg
+++ b/inventory/group_vars/copr-stg
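Review bot: The backend source addresses hard-coded in `custom_rules` for copr-keygen-stg duplicate `copr_backend_ips` in `inventory/group_vars/copr-stg` (changed in the same patch), but only copr-stg carries the reminder to keep the two in sync; the keygen side gives a reader no hint that the port 80 and 5167 rules must follow the backend's addresses, so the next renumbering is likely to update one file and leave the firewall pointing at stale hosts. Add the reciprocal comment above the list, e.g. `# source IPs must match copr_backend_ips in group_vars/copr-stg`.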
@@ -5,8 +5,8 @@ _forward_src: "forward_dev"
 # don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules
-copr_backend_ips: ["172.25.32.232", "172.25.157.237"]
-keygen_host: "172.25.32.238"
+copr_backend_ips: ["172.25.33.9", "172.25.151.227"]
+keygen_host: "172.25.33.12"
 backend_base_url: "http://copr-be-stg.fedorainfracloud.org"
 frontend_base_url: "https://copr.stg.fedoraproject.org"
From bb4340c727306ba6cee55831c2be8c47f9f31894 Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 28 Aug 2018 14:37:46 +0000 Subject: [PATCH 273/289] cloud-noc: eth0/eth1 -> br0/br1, from a long time ago Signed-off-by: Rick Elrod --- .../cloud-noc01.cloud.fedoraproject.org | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/inventory/host_vars/cloud-noc01.cloud.fedoraproject.org b/inventory/host_vars/cloud-noc01.cloud.fedoraproject.org
index 69c19d7777..2305cebee2 100644
--- a/inventory/host_vars/cloud-noc01.cloud.fedoraproject.org
+++ b/inventory/host_vars/cloud-noc01.cloud.fedoraproject.org
@@ -12,16 +12,16 @@ freezes: false resolvconf: "{{ files }}/resolv.conf/cloud-noc01.cloud.fedoraproject.org" tcp_ports: ['22'] -custom_rules: [ '-A INPUT -i eth0 -p tcp -m tcp -s 209.132.184.0/24 --dport 67 -j ACCEPT', - '-A INPUT -i eth0 -p tcp -m tcp -s 209.132.184.0/24 --dport 68 -j ACCEPT', - '-A INPUT -i eth0 -p tcp -m tcp -s 209.132.184.0/24 --dport 69 -j ACCEPT', - '-A INPUT -i eth0 -p udp -m udp -s 209.132.184.0/24 --dport 67 -j ACCEPT', - '-A INPUT -i eth0 -p udp -m udp -s 209.132.184.0/24 --dport 68 -j ACCEPT', - '-A INPUT -i eth0 -p udp -m udp -s 209.132.184.0/24 --dport 69 -j ACCEPT', - '-A INPUT -i eth1 -p tcp -m tcp -s 172.23.0.0/23 --dport 67 -j ACCEPT', - '-A INPUT -i eth1 -p tcp -m tcp -s 172.23.0.0/23 --dport 68 -j ACCEPT', - '-A INPUT -i eth1 -p tcp -m tcp -s 172.23.0.0/23 --dport 69 -j ACCEPT', - '-A INPUT -i eth1 -p udp -m udp -s 172.23.0.0/23 --dport 67 -j ACCEPT', - '-A INPUT -i eth1 -p udp -m udp -s 172.23.0.0/23 --dport 68 -j ACCEPT', - '-A INPUT -i eth1 -p udp -m udp -s 172.23.0.0/23 --dport 69 -j ACCEPT' ] +custom_rules: [ '-A INPUT -i br0 -p tcp -m tcp -s 209.132.184.0/24 --dport 67 -j ACCEPT', + '-A INPUT -i br0 -p tcp -m tcp -s 209.132.184.0/24 --dport 68 -j ACCEPT', + '-A INPUT -i br0 -p tcp -m tcp -s 209.132.184.0/24 --dport 69 -j ACCEPT', + '-A INPUT -i br0 -p udp -m udp -s 209.132.184.0/24 --dport 67 -j ACCEPT', + '-A INPUT -i br0 -p udp -m udp -s 209.132.184.0/24 --dport 68 -j ACCEPT', + '-A INPUT -i br0 -p udp -m udp -s 209.132.184.0/24 --dport 69 -j ACCEPT', + '-A INPUT -i br1 -p tcp -m tcp -s 172.23.0.0/23 --dport 67 -j ACCEPT', + '-A INPUT -i br1 -p tcp -m tcp -s 172.23.0.0/23 --dport 68 -j ACCEPT', + '-A INPUT -i br1 -p tcp -m tcp -s 172.23.0.0/23 --dport 69 -j ACCEPT', + '-A INPUT -i br1 -p udp -m udp -s 172.23.0.0/23 --dport 67 -j ACCEPT', + '-A INPUT -i br1 -p udp -m udp -s 172.23.0.0/23 --dport 68 -j ACCEPT', + '-A INPUT -i br1 -p udp -m udp -s 172.23.0.0/23 --dport 69 -j ACCEPT' ] 
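Review bot: Six of the twelve rules accept TCP on ports 67–69, but DHCP (67/68) and TFTP (69) are UDP-only services, so the `-p tcp` entries on both br0 and br1 accept traffic nothing on the host listens for; dropping them halves the list without changing what the DHCP/PXE role needs. If the TCP entries are deliberate, a one-line comment above the list saying why would stop the next reader from removing them. Note also that a wrong interface name in an `-i` match makes the rule silently match nothing rather than fail, so confirming br0/br1 are the real bridge names on the host after the play runs is worth the minute.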
From 4e47bf4e118d4620bb85853cc3797f0e91e1d7a9 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 28 Aug 2018 15:06:04 +0000 Subject: [PATCH 274/289] Add zlopez to the list of anitya admins --- roles/anitya/frontend/templates/anitya.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/anitya/frontend/templates/anitya.cfg b/roles/anitya/frontend/templates/anitya.cfg index e947dcf431..c9bda4fdc0 100644 --- a/roles/anitya/frontend/templates/anitya.cfg +++ b/roles/anitya/frontend/templates/anitya.cfg @@ -18,6 +18,7 @@ ANITYA_WEB_ADMINS = [ 'http://ralph.id.fedoraproject.org/', 'http://pingou.id.fedoraproject.org/', 'http://jcline.id.fedoraproject.org/', + 'http://zlopez.id.fedoraproject.org/', 'http://tibbs.id.fedoraproject.org/', 'http://carlwgeorge.id.fedoraproject.org/', ] From 1ad20afac018337a5961233dc6a9384b41ddb2bb Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 28 Aug 2018 16:21:30 +0000 Subject: [PATCH 275/289] except set the right hostname Signed-off-by: Rick Elrod --- .../files/dhcpd.conf.cloud-noc01.cloud.fedoraproject.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/dhcp_server/files/dhcpd.conf.cloud-noc01.cloud.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.cloud-noc01.cloud.fedoraproject.org index 16c2d5504c..4a2789e139 100644 --- a/roles/dhcp_server/files/dhcpd.conf.cloud-noc01.cloud.fedoraproject.org +++ b/roles/dhcp_server/files/dhcpd.conf.cloud-noc01.cloud.fedoraproject.org @@ -42,7 +42,7 @@ shared-network cloud { host rhev02 { hardware ethernet 48:4D:7E:05:4F:E2; fixed-address 172.23.1.6; - option host-name "rhev01.fedoraproject.org"; + option host-name "rhev02.fedoraproject.org"; next-server 172.23.1.1; filename "pxelinux.0"; } @@ -50,7 +50,7 @@ shared-network cloud { host rhev03 { hardware ethernet 48:4D:7E:05:4F:5C; fixed-address 172.23.1.7; - option host-name "rhev01.fedoraproject.org"; + option host-name "rhev03.fedoraproject.org"; next-server 172.23.1.1; filename "pxelinux.0"; } 
From 9a3e055741083c39434d30f26b389f3ea87d2153 Mon Sep 17 00:00:00 2001 From: Mohan Boddu Date: Tue, 28 Aug 2018 14:03:38 +0000 Subject: [PATCH 276/289] Bodhi is activated for F29 Signed-off-by: Mohan Boddu --- roles/openshift-apps/greenwave/templates/configmap.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/openshift-apps/greenwave/templates/configmap.yml b/roles/openshift-apps/greenwave/templates/configmap.yml index dd297c4898..05041da763 100644 --- a/roles/openshift-apps/greenwave/templates/configmap.yml +++ b/roles/openshift-apps/greenwave/templates/configmap.yml @@ -97,6 +97,7 @@ data: --- !Policy id: "taskotron_release_critical_tasks_for_testing" product_versions: + - fedora-29 - fedora-28 - fedora-27 - fedora-26 @@ -114,6 +115,7 @@ data: --- !Policy id: "taskotron_release_critical_tasks_for_stable" product_versions: + - fedora-29 - fedora-28 - fedora-27 - fedora-26 @@ -131,6 +133,7 @@ data: --- !Policy id: "no_requirements_testing" product_versions: + - fedora-29-modular - fedora-28-modular - fedora-epel-7 - fedora-epel-6 @@ -142,6 +145,7 @@ data: --- !Policy id: "no_requirements_for_stable" product_versions: + - fedora-29-modular - fedora-28-modular - fedora-epel-7 - fedora-epel-6 @@ -155,6 +159,7 @@ data: # http://fedoraproject.org/wiki/CI id: "atomic_ci_pipeline_results" product_versions: + - fedora-29 - fedora-28 - fedora-27 - fedora-26 @@ -174,6 +179,7 @@ data: # http://fedoraproject.org/wiki/CI id: "atomic_ci_pipeline_results_stable" product_versions: + - fedora-29 - fedora-28 - fedora-27 - fedora-26 From d874aa1742caf6c255108fe6db9516a657da4f6e Mon Sep 17 00:00:00 2001 From: clime Date: Tue, 28 Aug 2018 18:58:15 +0200 Subject: [PATCH 277/289] copr-fe-cloud: remove no longer needed direct xstatic-jquery-ui-common install --- roles/copr/frontend-cloud/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/copr/frontend-cloud/tasks/main.yml b/roles/copr/frontend-cloud/tasks/main.yml index 61b91f1ea0..43bd33a0af 100644 
--- a/roles/copr/frontend-cloud/tasks/main.yml +++ b/roles/copr/frontend-cloud/tasks/main.yml @@ -28,9 +28,6 @@ tags: - packages -- name: install a newer version of xstatic-jquery-ui-common - command: dnf install -y https://kojipkgs.fedoraproject.org//packages/python-XStatic-jquery-ui/1.12.0.1/2.fc26/noarch/xstatic-jquery-ui-common-1.12.0.1-2.fc26.noarch.rpm - - name: install copr configs template: src="copr.conf" dest=/etc/copr/copr.conf mode=600 notify: From 719af627b776459d5f4eee5a575b7f19ac026eb1 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 28 Aug 2018 17:38:24 +0000 Subject: [PATCH 278/289] upgrade to 3.10.38 --- playbooks/groups/os-cluster.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 798c070df2..f0d20f4ee3 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -107,7 +107,7 @@ openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_pre_playbook: "playbooks/prerequisites.yml", openshift_ansible_playbook: "playbooks/deploy_cluster.yml", - openshift_ansible_version: "openshift-ansible-3.10.35-1", + openshift_ansible_version: "openshift-ansible-3.10.38-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: false, openshift_ansible_containerized_deploy: false, From c3b5fd2737aa0de886328386ca0b12d077fe3b5f Mon Sep 17 00:00:00 2001 From: clime Date: Tue, 28 Aug 2018 20:00:10 +0200 Subject: [PATCH 279/289] copr-keygen: update custom selinux policy --- roles/copr/keygen/selinux/copr_rules.mod | Bin 968 -> 982 bytes roles/copr/keygen/selinux/copr_rules.pp | Bin 984 -> 998 bytes roles/copr/keygen/selinux/copr_rules.te | 3 ++- 3 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/roles/copr/keygen/selinux/copr_rules.mod b/roles/copr/keygen/selinux/copr_rules.mod index b65038ad848c6004e28ab382284b0e95425f9eb7..4fcd337ab89c4a03e6c024cc4f31f8fa97b76215 100644 GIT binary patch delta 75 zcmX@XevN%Xh7t<{0|N+yKyiL@c6?f9PAVHzFu5o-v1DUSDI+8QL`UI??|CMhG6_sx W$tW_}lqrUhfAT!0=*e%HZUX?A!W0Jp delta 50 zcmcb{eu8~Mh6pnQ0|N+yKyiL@c6?f9&c?1%Mn?9Dj=~fF@=TUzYG7pFynxA!5db;4 B4G91M diff --git a/roles/copr/keygen/selinux/copr_rules.pp b/roles/copr/keygen/selinux/copr_rules.pp index 0642cc91e692c56fb547a20fb7b4abbc549f551f..0c09d8d38af7abc6db2826770d7d1dbc2d23ec86 100644 GIT binary patch delta 75 zcmcb?{)~M>g%S$`0|N+yKyiL@c6?f9PAVHzFu5o-v1DUUDI+8Q#6aPR|9K|6G6_uH W$tW_}l_`difATt}=*fSXZUX?Xaul}! delta 51 zcmaFHeuI5Ng$OeP0|N+yKyiL@c6?f9&c<1#jEw9P1BEB^GV)B;XKG+%-@Jjzj1d4s Cc?^sI diff --git a/roles/copr/keygen/selinux/copr_rules.te b/roles/copr/keygen/selinux/copr_rules.te index 42d15bbd61..46116ead3b 100644 --- a/roles/copr/keygen/selinux/copr_rules.te +++ b/roles/copr/keygen/selinux/copr_rules.te @@ -6,7 +6,8 @@ require { class sock_file getattr; class sock_file unlink; class sock_file write; + class sock_file create; } #============= httpd_t ============== -allow httpd_t httpd_var_lib_t:sock_file { getattr unlink write }; +allow httpd_t httpd_var_lib_t:sock_file { getattr unlink write create }; From 3ea1a0c3d6072c37be4101b8e0fedf346d080c30 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 28 Aug 2018 18:47:13 +0000 Subject: [PATCH 280/289] Try enabling persistent copr-front sessions --- roles/haproxy/templates/haproxy.cfg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 55c7f51a6c..cec85d201a 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
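Review bot: The rebuilt `copr_rules.mod` and `copr_rules.pp` are committed as opaque binaries next to the `.te` source, so a reviewer cannot confirm that the shipped policy package corresponds to the one-line source change (adding `create` to the `sock_file` permissions granted to httpd_t on httpd_var_lib_t). Building the package from the source at deploy time (`checkmodule -M -m -o copr_rules.mod copr_rules.te` then `semodule_package -o copr_rules.pp -m copr_rules.mod`), or at least recording those commands in a comment at the top of `copr_rules.te`, keeps source and artifact in lockstep. A short comment on the `allow` line naming the socket httpd needs to create would also help future audits of this grant.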
@@ -607,8 +607,14 @@ frontend copr-frontend backend copr-backend balance hdr(appserver) +{% if env == "production" %} server copr-frontend01 copr-frontend01:80 check inter 10s rise 1 fall 2 server copr-frontend02 copr-frontend02:80 check inter 10s rise 1 fall 2 +{% else %} + cookie SERVERID insert indirect nocache + server copr-frontend01 copr-frontend01:80 check inter 10s rise 1 fall 2 cookie copr-frontend01 + server copr-frontend02 copr-frontend02:80 check inter 10s rise 1 fall 2 cookie copr-frontend02 +{% endif %} option httpchk GET /api_3/ # Apache doesn't handle the initial connection here like the other proxy From 227bc5f27f02220a4c444b6fe3a98e0f08c4c476 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 28 Aug 2018 19:39:52 +0000 Subject: [PATCH 281/289] Add a reminder comment to update haproxy.cfg after freeze --- roles/haproxy/templates/haproxy.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index cec85d201a..f58e3e9f6c 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -611,6 +611,7 @@ backend copr-backend server copr-frontend01 copr-frontend01:80 check inter 10s rise 1 fall 2 server copr-frontend02 copr-frontend02:80 check inter 10s rise 1 fall 2 {% else %} + # XXX mizdebsk 2018-08-28: kill this conditional after F29 beta freeze is litfed cookie SERVERID insert indirect nocache server copr-frontend01 copr-frontend01:80 check inter 10s rise 1 fall 2 cookie copr-frontend01 server copr-frontend02 copr-frontend02:80 check inter 10s rise 1 fall 2 cookie copr-frontend02 From 2da175571cf91cb5c7f1aa8abb3e7941f523019a Mon Sep 17 00:00:00 2001 From: Mohan Boddu Date: Tue, 28 Aug 2018 19:40:10 +0000 Subject: [PATCH 282/289] Fixes for rawhide ostree sync Signed-off-by: Mohan Boddu --- roles/bodhi2/backend/files/new-updates-sync | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
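Review bot: The new `cookie SERVERID insert indirect nocache` line sets the persistence cookie without the `httponly` and `secure` attributes, so it is exposed to page scripts and would be sent over plain HTTP if the site were ever reached that way; both keywords are accepted on HAProxy's `cookie` directive, i.e. `cookie SERVERID insert indirect nocache httponly secure`. `secure` is only correct if clients always reach this frontend over HTTPS, which the hunk does not show, so confirm that before adding it. Since the production branch keeps plain `hdr(appserver)` balancing, the two environments will now behave differently on backend failover; that is the experiment, but the commit message should say so.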
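Review bot: The reminder comment misspells "lifted" as "litfed"; suggest `# XXX mizdebsk 2018-08-28: kill this conditional after F29 beta freeze is lifted`. Because the comment sits inside the `{% else %}` branch it only appears in non-production renders; moving it to the line above `{% if env == "production" %}` would make the reminder visible in every rendered config.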
diff --git a/roles/bodhi2/backend/files/new-updates-sync b/roles/bodhi2/backend/files/new-updates-sync index 3619e6c13b..e625f50853 100755 --- a/roles/bodhi2/backend/files/new-updates-sync +++ b/roles/bodhi2/backend/files/new-updates-sync @@ -367,10 +367,14 @@ def determine_last_link(release, repo): if repo == 'rawhide': source_path = os.path.join(RAWHIDESOURCE, RELEASES[release]['repos'][repo]['from']) + #Since latest-Fedora-Rawhide is a symlink pointing to just the + #compose dir rather than its full path, we need the absolute path + #of the compose rather than relative path + target = os.path.realpath(source_path) else: source_path = os.path.join(SOURCE, RELEASES[release]['repos'][repo]['from']) - target = os.readlink(source_path) + target = os.readlink(source_path) logger.info('Release %s, repo %s, target %s', release, repo, target) RELEASES[release]['repos'][repo]['from'] = target return target From 883b7fa874b77f4dcd45fcbdf5dd5a0194130b88 Mon Sep 17 00:00:00 2001 From: clime Date: Tue, 28 Aug 2018 21:41:31 +0200 Subject: [PATCH 283/289] copr-fe-cloud: add crond setup for MAILTO --- roles/copr/frontend-cloud/files/crond | 4 ++++ roles/copr/frontend-cloud/tasks/main.yml | 3 +++ 2 files changed, 7 insertions(+) create mode 100644 roles/copr/frontend-cloud/files/crond diff --git a/roles/copr/frontend-cloud/files/crond b/roles/copr/frontend-cloud/files/crond new file mode 100644 index 0000000000..25483f778e --- /dev/null +++ b/roles/copr/frontend-cloud/files/crond @@ -0,0 +1,4 @@ +# Settings for the CRON daemon. +# CRONDARGS= : any extra command-line startup arguments for crond +CRONDARGS= +MAILTO=sysadmin-copr-members@fedoraproject.org diff --git a/roles/copr/frontend-cloud/tasks/main.yml b/roles/copr/frontend-cloud/tasks/main.yml index 43bd33a0af..353495fabf 100644 --- a/roles/copr/frontend-cloud/tasks/main.yml +++ b/roles/copr/frontend-cloud/tasks/main.yml 
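Review bot: `os.path.realpath(source_path)` never raises: if the `latest-Fedora-Rawhide` link is missing or is not a symlink it simply returns the normalised path, whereas the `os.readlink` the other branch keeps raises `OSError` in that case, so a missing rawhide link would now silently feed a non-existent path into `RELEASES[release]['repos'][repo]['from']`. A guard before the call such as `if not os.path.islink(source_path): raise OSError('%s is not a symlink' % source_path)` keeps the two branches equally strict. The new comment lines use `#Since`/`#compose`/`#of` with no space after the hash; PEP 8 wants `# `. `determine_last_link` begins above the hunk.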
@@ -48,6 +48,9 @@ tags: - config +- name: copy crond conf + copy: src="crond" dest="/etc/sysconfig/crond" + - name: copy apache files to conf.d (templates) template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" with_items: From 7216dc14a8d86939a104d190ca374f3d5ef876ab Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 28 Aug 2018 20:29:20 +0000 Subject: [PATCH 284/289] ignore errors here since theres a local patch --- roles/ansible-ansible-openshift-ansible/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index 03d7600b0e..6beb1f7a58 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml @@ -20,6 +20,7 @@ tags: - ansible-ansible-openshift-ansible - ansible-ansible-openshift-ansible-config + ignore_errors: true - debug: var: os_app_url From ae630a42ea39d134f22101573ed61a3bca5ec60f Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 28 Aug 2018 22:08:42 +0000 Subject: [PATCH 285/289] rename stg docker* to oci* 
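Review bot: The new `copy` task pins neither ownership nor permissions and notifies no handler, unlike the neighbouring template task that sets `mode=600`; since `/etc/sysconfig/crond` is read only when crond starts, the new `MAILTO` will not take effect until the daemon is restarted by other means. Suggest `copy: src="crond" dest="/etc/sysconfig/crond" owner=root group=root mode=0644`, a `notify` to whatever crond restart handler the role has (none is visible in the hunk), and `tags: - config` so it matches the surrounding tasks and is picked up by tag-limited runs.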
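Review bot: `ignore_errors: true` on this task (its module line is above the hunk) suppresses every failure, not only the one the commit message has in mind, so if this is the checkout of the pinned `openshift_ansible_version`, an unrelated failure (network, bad tag) would go unnoticed and the play would continue against whatever tree is on disk. Prefer a `failed_when` narrowed to the specific error the local patch causes, or at minimum a comment beside the line, `# ignore_errors: a local patch is carried on top of this checkout; narrow to failed_when once it is upstreamed`, so the next reader knows the suppression is deliberate and what it is allowed to hide.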
Signed-off-by: Rick Elrod --- inventory/group_vars/oci-registry | 2 -- .../{docker-registry-stg => oci-registry-stg} | 3 --- ...date-registry01.stg.phx2.fedoraproject.org} | 4 ++-- ... oci-registry01.stg.phx2.fedoraproject.org} | 4 ++-- ... oci-registry02.stg.phx2.fedoraproject.org} | 4 ++-- inventory/inventory | 18 +++++++++--------- playbooks/groups/oci-registry.yml | 12 ++++++------ 7 files changed, 21 insertions(+), 26 deletions(-) rename inventory/group_vars/{docker-registry-stg => oci-registry-stg} (75%) rename inventory/host_vars/{docker-candidate-registry01.stg.phx2.fedoraproject.org => oci-candidate-registry01.stg.phx2.fedoraproject.org} (69%) rename inventory/host_vars/{docker-registry01.stg.phx2.fedoraproject.org => oci-registry01.stg.phx2.fedoraproject.org} (69%) rename inventory/host_vars/{docker-registry02.stg.phx2.fedoraproject.org => oci-registry02.stg.phx2.fedoraproject.org} (69%) diff --git a/inventory/group_vars/oci-registry b/inventory/group_vars/oci-registry index bf3de779b9..c6d6efaaca 100644 --- a/inventory/group_vars/oci-registry +++ b/inventory/group_vars/oci-registry @@ -1,6 +1,4 @@ --- -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg -ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ fas_client_groups: sysadmin-releng diff --git a/inventory/group_vars/docker-registry-stg b/inventory/group_vars/oci-registry-stg similarity index 75% rename from inventory/group_vars/docker-registry-stg rename to inventory/group_vars/oci-registry-stg index 13aacb4f1b..680732381c 100644 --- a/inventory/group_vars/docker-registry-stg +++ b/inventory/group_vars/oci-registry-stg @@ -1,7 +1,4 @@ --- -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg -ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ - fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-veteran sudoers: "{{ private }}/files/sudo/00releng-sudoers" 
diff --git a/inventory/host_vars/docker-candidate-registry01.stg.phx2.fedoraproject.org b/inventory/host_vars/oci-candidate-registry01.stg.phx2.fedoraproject.org similarity index 69% rename from inventory/host_vars/docker-candidate-registry01.stg.phx2.fedoraproject.org rename to inventory/host_vars/oci-candidate-registry01.stg.phx2.fedoraproject.org index e833527ea2..e7a3d5e905 100644 --- a/inventory/host_vars/docker-candidate-registry01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/oci-candidate-registry01.stg.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.122 vmhost: virthost04.stg.phx2.fedoraproject.org diff --git a/inventory/host_vars/docker-registry01.stg.phx2.fedoraproject.org b/inventory/host_vars/oci-registry01.stg.phx2.fedoraproject.org similarity index 69% rename from inventory/host_vars/docker-registry01.stg.phx2.fedoraproject.org rename to inventory/host_vars/oci-registry01.stg.phx2.fedoraproject.org index 351e7b0428..57bb8eacab 100644 --- a/inventory/host_vars/docker-registry01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/oci-registry01.stg.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.123 vmhost: virthost04.stg.phx2.fedoraproject.org 
diff --git a/inventory/host_vars/docker-registry02.stg.phx2.fedoraproject.org b/inventory/host_vars/oci-registry02.stg.phx2.fedoraproject.org similarity index 69% rename from inventory/host_vars/docker-registry02.stg.phx2.fedoraproject.org rename to inventory/host_vars/oci-registry02.stg.phx2.fedoraproject.org index 446f9f6015..04cb1a4bcc 100644 --- a/inventory/host_vars/docker-registry02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/oci-registry02.stg.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.124 vmhost: virthost01.stg.phx2.fedoraproject.org diff --git a/inventory/inventory b/inventory/inventory index c7c01f2c03..6c0390f00b 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -772,8 +772,8 @@ db-koji01.stg.phx2.fedoraproject.org db01.stg.phx2.fedoraproject.org db03.stg.phx2.fedoraproject.org docker-candidate-registry01.stg.phx2.fedoraproject.org -docker-registry01.stg.phx2.fedoraproject.org -docker-registry02.stg.phx2.fedoraproject.org +oci-registry01.stg.phx2.fedoraproject.org +oci-registry02.stg.phx2.fedoraproject.org elections01.stg.phx2.fedoraproject.org fas01.stg.phx2.fedoraproject.org fedimg01.stg.phx2.fedoraproject.org 
@@ -1479,13 +1479,13 @@ oci-candidate-registry01.phx2.fedoraproject.org oci-registry01.phx2.fedoraproject.org oci-registry02.phx2.fedoraproject.org -[docker-registry-gluster-stg] -docker-registry01.stg.phx2.fedoraproject.org -docker-registry02.stg.phx2.fedoraproject.org +[oci-registry-gluster-stg] +oci-registry01.stg.phx2.fedoraproject.org +oci-registry02.stg.phx2.fedoraproject.org -[docker-registry-stg] -docker-registry01.stg.phx2.fedoraproject.org -docker-registry02.stg.phx2.fedoraproject.org +[oci-registry-stg] +oci-registry01.stg.phx2.fedoraproject.org +oci-registry02.stg.phx2.fedoraproject.org docker-candidate-registry01.stg.phx2.fedoraproject.org ## Not the candidate just the top registry @@ -1494,7 +1494,7 @@ oci-registry01.phx2.fedoraproject.org ## Not the candidate just the top registry [moby-registry-stg] -docker-registry01.stg.phx2.fedoraproject.org +oci-registry01.stg.phx2.fedoraproject.org [webservers:children] proxies diff --git a/playbooks/groups/oci-registry.yml b/playbooks/groups/oci-registry.yml index 905309c641..5dd4b10d15 100644 --- a/playbooks/groups/oci-registry.yml +++ b/playbooks/groups/oci-registry.yml @@ -1,8 +1,8 @@ # create an osbs server -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=oci-registry:docker-registry-stg" +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=oci-registry:oci-registry-stg" - name: make the box be real - hosts: oci-registry:docker-registry-stg + hosts: oci-registry:oci-registry-stg user: root gather_facts: True @@ -35,8 +35,8 @@ - name: set up gluster on stg hosts: - - docker-registry01.stg.phx2.fedoraproject.org - - docker-registry02.stg.phx2.fedoraproject.org + - oci-registry01.stg.phx2.fedoraproject.org + - oci-registry02.stg.phx2.fedoraproject.org user: root gather_facts: True 
@@ -50,7 +50,7 @@ gluster_brick_dir: /srv/glusterfs gluster_mount_dir: /srv/docker/ gluster_brick_name: registry - gluster_server_group: docker-registry-gluster-stg + gluster_server_group: oci-registry-gluster-stg tags: gluster - name: set up gluster on prod @@ -74,7 +74,7 @@ tags: gluster - name: setup docker distribution registry - hosts: oci-registry:docker-registry-stg + hosts: oci-registry:oci-registry-stg vars_files: - /srv/web/infra/ansible/vars/global.yml - /srv/private/ansible/vars.yml From 31d617fdc0e86ece3c6e8f6afc160df414c20d87 Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 28 Aug 2018 22:13:37 +0000 Subject: [PATCH 286/289] update haproxy too Signed-off-by: Rick Elrod --- roles/haproxy/templates/haproxy.cfg | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index f58e3e9f6c..ac866d03d0 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -366,20 +366,15 @@ backend osbs-backend balance hdr(appserver) server osbs-master01 osbs-master01:8443 check inter 10s rise 1 fall 2 check ssl verify none -frontend docker-registry-frontend +frontend oci-registry-frontend bind 0.0.0.0:10048 - default_backend docker-registry-backend + default_backend oci-registry-backend -backend docker-registry-backend +backend oci-registry-backend balance hdr(appserver) -{% if env == "staging" %} - server docker-registry01 docker-registry01:5000 check inter 10s rise 1 fall 2 - server docker-registry02 docker-registry02:5000 check inter 10s rise 1 fall 2 -{% endif %} -{% if env == "production" %} server oci-registry01 oci-registry01:5000 check inter 10s rise 1 fall 2 server oci-registry02 oci-registry02:5000 check inter 10s rise 1 fall 2 -{% endif %} + {% if env == "staging" %} frontend retrace-frontend 
@@ -445,18 +440,13 @@ backend krb5-backend # server ipa02 ipa02:88 weight 1 maxconn 16384 {% endif %} -frontend docker-candidate-registry-frontend +frontend oci-candidate-registry-frontend bind 0.0.0.0:10054 - default_backend docker-candidate-registry-backend + default_backend oci-candidate-registry-backend -backend docker-candidate-registry-backend +backend oci-candidate-registry-backend balance hdr(appserver) -{% if env == "staging" %} - server docker-candidate-registry01 docker-candidate-registry01:5000 check inter 10s rise 1 fall 2 -{% endif %} -{% if env == "production" %} server oci-candidate-registry01 oci-candidate-registry01:5000 check inter 10s rise 1 fall 2 -{% endif %} frontend modernpaste-frontend bind 0.0.0.0:10055 From 24bf5b56df7f86fc36aa07f6e0a024465b4cb2f9 Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Tue, 28 Aug 2018 22:35:33 +0000 Subject: [PATCH 287/289] missed these Signed-off-by: Rick Elrod --- inventory/inventory | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index 6c0390f00b..c86a45d613 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -771,7 +771,7 @@ db-fas01.stg.phx2.fedoraproject.org db-koji01.stg.phx2.fedoraproject.org db01.stg.phx2.fedoraproject.org db03.stg.phx2.fedoraproject.org -docker-candidate-registry01.stg.phx2.fedoraproject.org +oci-candidate-registry01.stg.phx2.fedoraproject.org oci-registry01.stg.phx2.fedoraproject.org oci-registry02.stg.phx2.fedoraproject.org elections01.stg.phx2.fedoraproject.org @@ -1486,7 +1486,7 @@ oci-registry02.stg.phx2.fedoraproject.org [oci-registry-stg] oci-registry01.stg.phx2.fedoraproject.org oci-registry02.stg.phx2.fedoraproject.org -docker-candidate-registry01.stg.phx2.fedoraproject.org +oci-candidate-registry01.stg.phx2.fedoraproject.org ## Not the candidate just the top registry [moby-registry] From b0f37902db5d46b9aac5af8ebaa92639e9d43f8f Mon Sep 17 00:00:00 2001 
From: Patrick Uiterwijk Date: Tue, 28 Aug 2018 23:03:28 +0000 Subject: [PATCH 288/289] Add docs.teamsilverblue.org and redirect to docs.fp.o/silverblue Signed-off-by: Patrick Uiterwijk --- playbooks/include/proxies-redirects.yml | 9 +++++++++ playbooks/include/proxies-websites.yml | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index 91c167b8df..21b1583857 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml @@ -762,3 +762,12 @@ website: cloud.fedoraproject.org path: /fedora-atomic-latest.x86_64.qcow2 target: https://download.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/x86_64/Images/Fedora-Cloud-Atomic-22-20150521.x86_64.qcow2 + + # Team Silverblue + - role: httpd/redirect + shortname: docsteamsilverblue + website: docs.teamsilverblue.org + path: / + target: https://docs.fedoraproject.org/en-US/fedora-silverblue/ + tags: + - docs.teamsilverblue.org diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 25ca1e4571..8013c539ec 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -417,6 +417,14 @@ tags: - whatcanidoforfedora.org + - role: httpd/website + site_name: docs.teamsilverblue.org + ssl: true + sslonly: true + certbot: true + tags: + - docs.teamsilverblue.org + - role: httpd/website site_name: fedoramagazine.org server_aliases: [www.fedoramagazine.org stg.fedoramagazine.org] From 0da4b9b0fd42935cc4f6f6a188b4c5ae7d8f09a9 Mon Sep 17 00:00:00 2001 From: clime Date: Wed, 29 Aug 2018 10:12:27 +0200 Subject: [PATCH 289/289] copr-dist-git: use tcp_ports configuration instead of custom firewall rules --- inventory/group_vars/copr-dist-git | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/inventory/group_vars/copr-dist-git b/inventory/group_vars/copr-dist-git index 29d3b4cc35..e165d75b91 100644 
--- a/inventory/group_vars/copr-dist-git
+++ b/inventory/group_vars/copr-dist-git
@@ -1,5 +1,4 @@
 ---
-tcp_ports: [22, 80]
+tcp_ports: [22, 80, 443]
 datacenter: cloud
 freezes: false
-custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT']