Merge branch 'master' of /git/ansible

2018-08-29 08:32:47 +00:00 · 2018-08-29 08:32:47 +00:00 · bab1e587b6
commit bab1e587b6
parent c290bcf769 0da4b9b0fd
250 changed files with 4494 additions and 1510 deletions
--- a/.mailmap
+++ b/.mailmap
@ -0,0 +1,5 @@
 Rick Elrod <relrod@redhat.com> <codeblock@fedoraproject.org>
 Rick Elrod <relrod@redhat.com> Ricky Elrod
 Rick Elrod <relrod@redhat.com> Ricky Elrod <codeblock@lockbox01.phx2.fedoraproject.org>
 # ... others go here ...
--- a/files/common/mock
+++ b/files/common/mock
@ -1,6 +1,8 @@
 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 auth            sufficient      pam_succeed_if.so user ingroup mock use_uid quiet
 account sufficient pam_succeed_if.so user ingroup packager use_uid quiet
 auth sufficient pam_succeed_if.so user ingroup packager use_uid quiet
 # Uncomment the following line to implicitly trust users in the "wheel" group.
 #auth           sufficient      pam_wheel.so trust use_uid
 # Uncomment the following line to require a user to be in the "wheel" group.
@ -10,6 +12,4 @@ account         sufficient      pam_succeed_if.so user ingroup mock use_uid quie
 account         include         system-auth
 password        include         system-auth
 session         include         system-auth
 account sufficient pam_succeed_if.so user ingroup packager use_uid quiet
 auth sufficient pam_succeed_if.so user ingroup packager use_uid quiet
 session         optional        pam_xauth.so
--- a/files/openshift/openshift.repo
+++ b/files/openshift/openshift.repo
@ -5,11 +5,17 @@ baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 {% elif inventory_hostname.startswith('os') %}
 [rhel7-openshift-3.10]
 name = rhel7 openshift 3.10 $basearch
 baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.10-rpms/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 [rhel7-openshift-3.9]
 name = rhel7 openshift 3.9 $basearch
 baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.9-rpms/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-enabled=1
+enabled=0
 # 3.8 is needed to upgrade from 3.7 to 3.9
 [rhel7-openshift-3.8]
--- a/files/osbs/buildroot-Dockerfile-production.j2
+++ b/files/osbs/buildroot-Dockerfile-production.j2
@ -1,8 +1,7 @@
 FROM registry.fedoraproject.org/fedora
-ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
+RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-setuptools e2fsprogs koji osbs-client\
-RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\
+    python3-osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man python3-productmd\
-    python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\
+    python3-gobject python3-modulemd python3-pdc-client ostree flatpak-module-tools flatpak skopeo && dnf clean all
    libmodulemd python2-gobject python3-gobject python2-modulemd python3-modulemd python2-pdc-client python3-pdc-client ostree flatpak skopeo
 ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json
 ADD ./worker_customize.json /usr/share/osbs/worker_customize.json
 ADD ./krb5.conf /etc
@ -10,4 +9,4 @@ RUN printf '[libdefaults]\n default_ccache_name = DIR:/tmp/ccache_%%{uid}' >/etc
 ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/
 ADD ./ca.crt /etc/pki/ca-trust/source/anchors/osbs.ca.crt
 RUN update-ca-trust
-CMD ["python2", "/usr/bin/atomic-reactor", "--verbose", "inside-build"]
+CMD ["python3", "/usr/bin/atomic-reactor", "--verbose", "inside-build"]
--- a/files/osbs/buildroot-Dockerfile-staging.j2
+++ b/files/osbs/buildroot-Dockerfile-staging.j2
@ -1,8 +1,7 @@
 FROM registry.fedoraproject.org/fedora
 ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
 RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-setuptools e2fsprogs koji osbs-client\
    python3-osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man python3-productmd\
-    libmodulemd python3-gobject python3-modulemd python3-pdc-client ostree flatpak skopeo && dnf clean all
+    python3-gobject python3-modulemd python3-pdc-client ostree flatpak-module-tools flatpak skopeo && dnf clean all
 ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json
 ADD ./worker_customize.json /usr/share/osbs/worker_customize.json
 ADD ./krb5.conf /etc
--- a/files/osbs/orchestrator_customize.json
+++ b/files/osbs/orchestrator_customize.json
@ -3,13 +3,7 @@
        {
            "plugin_type": "exit_plugins",
            "plugin_name": "import_image"
        },
        {
            "plugin_type": "prebuild_plugins",
            "plugin_name": "flatpak_create_dockerfile"
        }
    ],
-
+    "enable_plugins": []
    "enable_plugins": [
    ]
 }
--- a/files/osbs/worker_customize.json
+++ b/files/osbs/worker_customize.json
@ -3,13 +3,7 @@
        {
            "plugin_type": "prebuild_plugins",
            "plugin_name": "fetch_maven_artifacts"
        },
        {
            "plugin_type": "prebuild_plugins",
            "plugin_name": "flatpak_create_dockerfile"
        }
    ],
-
+    "enable_plugins": []
    "enable_plugins": [
    ]
 }
--- a/inventory/backups
+++ b/inventory/backups
@ -22,6 +22,7 @@ copr-keygen.cloud.fedoraproject.org
 #copr-dist-git.fedorainfracloud.org
 value01.phx2.fedoraproject.org
 taiga.fedorainfracloud.org
 tang01.phx2.fedoraproject.org
 taskotron01.qa.fedoraproject.org
 nuancier01.phx2.fedoraproject.org
 magazine2.fedorainfracloud.org
--- a/inventory/builders
+++ b/inventory/builders
@ -77,8 +77,9 @@ buildvm-aarch64-19.arm.fedoraproject.org
 buildvm-aarch64-20.arm.fedoraproject.org
 buildvm-aarch64-21.arm.fedoraproject.org
 buildvm-aarch64-22.arm.fedoraproject.org
-buildvm-aarch64-23.arm.fedoraproject.org
+# These two have been dropped to allow for osbs builders.
-buildvm-aarch64-24.arm.fedoraproject.org
+#buildvm-aarch64-23.arm.fedoraproject.org
 #buildvm-aarch64-24.arm.fedoraproject.org
 [buildvm-armv7]
 buildvm-armv7-01.arm.fedoraproject.org
@ -232,8 +233,8 @@ buildvm-ppc64le-18.ppc.fedoraproject.org
 buildvm-ppc64le-19.ppc.fedoraproject.org
 [bkernel]
-bkernel01.phx2.fedoraproject.org
+bkernel03.phx2.fedoraproject.org
-bkernel02.phx2.fedoraproject.org
+bkernel04.phx2.fedoraproject.org
 #
 # These are misc 
--- a/inventory/cloud
+++ b/inventory/cloud
@ -10,14 +10,16 @@ commops.fedorainfracloud.org
 communityblog.fedorainfracloud.org
 copr-be.cloud.fedoraproject.org
 copr-be-dev.cloud.fedoraproject.org
-copr-dist-git-dev.fedorainfracloud.org
+copr-be-stg.fedorainfracloud.org
 copr-dist-git.fedorainfracloud.org
 copr-dist-git-dev.fedorainfracloud.org
 copr-dist-git-stg.fedorainfracloud.org
 copr-fe.cloud.fedoraproject.org
 copr-fe-dev.cloud.fedoraproject.org
 copr-keygen.cloud.fedoraproject.org
 copr-keygen-dev.cloud.fedoraproject.org
 copr-keygen-stg.fedorainfracloud.org
 developer.fedorainfracloud.org
 eclipse.fedorainfracloud.org
 elastic-dev.fedorainfracloud.org
 el6-test.fedorainfracloud.org
 el7-test.fedorainfracloud.org
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -45,6 +45,9 @@ custom_rules: []
 nat_rules: []
 custom6_rules: []
 # defaults for hw installs
 install_noc: none
 # defaults for virt installs
 ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
 ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
@ -261,7 +264,7 @@ createrepo: True
 # Nagios global variables
 nagios_Check_Services:
-  monitor: true
+  mail: true
  nrpe: true
  sshd: true
  named: false
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@ -23,7 +23,7 @@ custom_rules: [
 # TODO - remove modularity-wg membership here once it is not longer needed:
 # https://fedorahosted.org/fedora-infrastructure/ticket/5363
-fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst
+fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring
 #
 # This is a postfix gateway. This will pick up gateway postfix config in base
@ -55,3 +55,6 @@ csi_relationship: |
  - All incoming SMTP from phx2 and VPN, as well as outgoing SMTP, pass or are filtered here.
  - Bastion does not accept any mail outside phx2/vpn.
 nagios_Check_Services:
  nrpe: true
  mail: false
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@ -8,7 +8,7 @@ tcp_ports: [ 80, 443 ]
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
-fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-build,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst
+fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring
 ansible_base: /srv/web/infra
 freezes: false
--- a/inventory/group_vars/builders
+++ b/inventory/group_vars/builders
@ -5,3 +5,4 @@
 nagios_Check_Services:
  nrpe: false
  swap: false
  mail: false
--- a/inventory/group_vars/builders-stg
+++ b/inventory/group_vars/builders-stg
@ -5,3 +5,4 @@
 nagios_Check_Services:
  nrpe: false
  swap: false
  mail: false
--- a/inventory/group_vars/cloud
+++ b/inventory/group_vars/cloud
@ -1,5 +1,6 @@
 ---
 nagios_Check_Services: 
  mail: false
  nrpe: false
  swap: false
 datacenter: cloud
--- a/inventory/group_vars/copr-back-dev
+++ b/inventory/group_vars/copr-back-dev
@ -0,0 +1,29 @@
 ---
 _lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
 copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
 copr_nova_tenant_id: "a6ff2158641c439a8426d7facab45437"
 copr_nova_tenant_name: "coprdev"
 copr_nova_username: "copr"
 copr_builder_image_name: "builder-f24"
 copr_builder_flavor_name: "ms2.builder"
 copr_builder_network_name: "coprdev-net"
 copr_builder_key_name: "buildsys"
 copr_builder_security_groups: "ssh-anywhere-coprdev,default,ssh-from-persistent-coprdev"
 fedmsg_enabled: "true"
 do_sign: "true"
 spawn_in_advance: "false"
 frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: Moderate
 csi_primary_contact: "msuchy (mirek), clime, frostyx, dturecek IRC #fedora-admin, #fedora-buildsys"
 csi_purpose: Provide the testing environment of copr's backend
 csi_relationship: This host is the testing environment for the cloud infrastructure of copr's backend
--- a/inventory/group_vars/copr-back-stg
+++ b/inventory/group_vars/copr-back-stg
@ -1,4 +1,6 @@
 ---
 resolvconf: "resolv.conf/cloud"
 _lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
 copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
@ -17,7 +19,7 @@ fedmsg_enabled: "true"
 do_sign: "true"
 spawn_in_advance: "false"
-frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
+frontend_base_url: "https://copr.stg.fedoraproject.org"
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
--- a/inventory/group_vars/copr-dev
+++ b/inventory/group_vars/copr-dev
@ -0,0 +1,19 @@
 ---
 devel: true
 #_forward-src: "{{ files }}/copr/forward-dev"
 _forward_src: "forward_dev"
 # don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules
 copr_backend_ips: ["172.25.32.232", "172.25.157.237"]
 keygen_host: "172.25.32.238"
 resolvconf: "resolv.conf/cloud"
 backend_base_url: "http://copr-be-dev.cloud.fedoraproject.org"
 postfix_maincf: "postfix/main.cf/main.cf.copr"
 frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
 dist_git_base_url: "copr-dist-git-dev.fedorainfracloud.org"
 ansible_ifcfg_blacklist: true 
--- a/inventory/group_vars/copr-dist-git
+++ b/inventory/group_vars/copr-dist-git
@ -1,5 +1,4 @@
 ---
-tcp_ports: [22, 80]
+tcp_ports: [22, 80, 443]
 datacenter: cloud
 freezes: false
 custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT']
--- a/inventory/group_vars/copr-dist-git-dev
+++ b/inventory/group_vars/copr-dist-git-dev
@ -0,0 +1,6 @@
 ---
 tcp_ports: [22, 80]
 datacenter: cloud
 freezes: false
 devel: true
 custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT']
--- a/inventory/group_vars/copr-dist-git-stg
+++ b/inventory/group_vars/copr-dist-git-stg
@ -1,6 +1,6 @@
 ---
-tcp_ports: [22, 80]
+resolvconf: "resolv.conf/cloud"
 tcp_ports: [22, 80, 443]
 datacenter: cloud
 freezes: false
 devel: true
 custom_rules: ['-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT']
--- a/inventory/group_vars/copr-front-dev
+++ b/inventory/group_vars/copr-front-dev
@ -0,0 +1,9 @@
 ---
 copr_frontend_public_hostname: "copr-fe-dev.cloud.fedoraproject.org"
 csi_security_category: Low
 csi_primary_contact: "msuchy (mirek), clime, frostyx, dturecek IRC #fedora-admin, #fedora-buildsys"
 csi_purpose: Provide the testing environment of copr's frontend
 csi_relationship: This host is the testing environment for copr's web interface
 copr_mbs_cli_login: Y29wcg==##vtvvikhcjncwkfkdcssv
--- a/inventory/group_vars/copr-front-stg
+++ b/inventory/group_vars/copr-front-stg
@ -1,9 +1,33 @@
 ---
-copr_frontend_public_hostname: "copr-fe-dev.cloud.fedoraproject.org"
+# Define resources for this group of hosts here.
 lvm_size: 10000
 mem_size: 2048
 num_cpus: 1
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 copr_frontend_public_hostname: "copr.stg.fedoraproject.org"
 copruser_db_password: "{{ copruser_db_password_stg }}"
 tcp_ports: [ 80 ]
 custom_rules: [
    # Need for rsync from log01 for logs.
    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
 ]
 fas_client_groups: sysadmin-copr,fi-apprentice,sysadmin-noc,sysadmin-veteran
 freezes: false
 # For the MOTD
 csi_security_category: Low
-csi_primary_contact: "msuchy (mirek), clime, frostyx, dturecek IRC #fedora-admin, #fedora-buildsys"
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
-csi_purpose: Provide the testing environment of copr's frontend
+csi_purpose: Copr community build service
-csi_relationship: This host is the testing environment for copr's web interface
+csi_relationship: |
-
+    This machine depends on:
-copr_mbs_cli_login: Y29wcg==##vtvvikhcjncwkfkdcssv
+    - PostgreSQL DB server
    - bastion (for mail relay)
--- a/inventory/group_vars/copr-keygen-dev
+++ b/inventory/group_vars/copr-keygen-dev
@ -0,0 +1,13 @@
 ---
 copr_hostbase: copr-keygen-dev
 tcp_ports: []
 # http + signd dest ports
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 80 -j ACCEPT',
                '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 80 -j ACCEPT',
                '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 5167 -j ACCEPT',
                '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 5167 -j ACCEPT']
 datacenter: cloud
 freezes: false
--- a/inventory/group_vars/copr-keygen-stg
+++ b/inventory/group_vars/copr-keygen-stg
@ -1,12 +1,14 @@
 ---
-copr_hostbase: copr-keygen-dev
+resolvconf: "resolv.conf/cloud"
 copr_hostbase: copr-keygen-stg
 tcp_ports: []
 # http + signd dest ports
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 80 -j ACCEPT',
+custom_rules: ['-A INPUT -p tcp -m tcp -s 172.25.33.9 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 80 -j ACCEPT',
+               '-A INPUT -p tcp -m tcp -s 172.25.151.227 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.32.232 --dport 5167 -j ACCEPT',
+               '-A INPUT -p tcp -m tcp -s 172.25.33.9 --dport 5167 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.157.237 --dport 5167 -j ACCEPT']
+               '-A INPUT -p tcp -m tcp -s 172.25.151.227 --dport 5167 -j ACCEPT']
 datacenter: cloud
--- a/inventory/group_vars/copr-stg
+++ b/inventory/group_vars/copr-stg
@ -5,15 +5,11 @@ _forward_src: "forward_dev"
 # don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules
-copr_backend_ips: ["172.25.32.232", "172.25.157.237"]
+copr_backend_ips: ["172.25.33.9", "172.25.151.227"]
-keygen_host: "172.25.32.238"
+keygen_host: "172.25.33.12"
-resolvconf: "resolv.conf/cloud"
+backend_base_url: "http://copr-be-stg.fedorainfracloud.org"
-
+frontend_base_url: "https://copr.stg.fedoraproject.org"
-backend_base_url: "http://copr-be-dev.cloud.fedoraproject.org"
+dist_git_base_url: "copr-dist-git-stg.fedorainfracloud.org"
 postfix_maincf: "postfix/main.cf/main.cf.copr"
 frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
 dist_git_base_url: "copr-dist-git-dev.fedorainfracloud.org"
 ansible_ifcfg_blacklist: true
--- a/inventory/group_vars/faf-stg
+++ b/inventory/group_vars/faf-stg
@ -6,6 +6,7 @@ tcp_ports: [ 80, 443 ]
 sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers"
 nagios_Check_Services:
  mail: false
  nrpe: false
  swap: false
--- a/inventory/group_vars/nagios
+++ b/inventory/group_vars/nagios
@ -74,8 +74,6 @@ phx2_management_hosts:
  - cn-x86-64-02-01.mgmt.fedoraproject.org
  - cn-x86-64-02-02.mgmt.fedoraproject.org
  - cloud-fx02.mgmt.fedoraproject.org
  - download01.mgmt.fedoraproject.org
  - download02.mgmt.fedoraproject.org
  - download03.mgmt.fedoraproject.org
  - download04.mgmt.fedoraproject.org
  - download05.mgmt.fedoraproject.org
@ -129,8 +127,6 @@ phx2_management_hosts:
 # to test ping against. No http/https
 #
 phx2_management_limited:
  - bkernel01.mgmt.fedoraproject.org
  - bkernel02.mgmt.fedoraproject.org
  - fed-cloud-ppc01.mgmt.fedoraproject.org
  - fed-cloud-ppc02.mgmt.fedoraproject.org
  - moonshot01-ilo.mgmt.fedoraproject.org
@ -142,8 +138,6 @@ phx2_management_limited:
  - qa07.mgmt.fedoraproject.org
  - sign-vault03.mgmt.fedoraproject.org
  - sign-vault04.mgmt.fedoraproject.org
  - virthost-comm02.mgmt.fedoraproject.org
  - virthost14.mgmt.fedoraproject.org
 phx2_management_slowping:
  - ppc8-01-fsp.mgmt.fedoraproject.org
--- a/inventory/group_vars/newcloud
+++ b/inventory/group_vars/newcloud
@ -11,7 +11,7 @@ ansible_ifcfg_whitelist: ['eth1']
 baseiptables: false
 ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q cloud-noc01.cloud.fedoraproject.org"'
 nagios_Check_Services:
-  monitor: false
+  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/group_vars/docker-registry
+++ b/inventory/group_vars/docker-registry
@ -1,6 +1,4 @@
 ---
 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
 fas_client_groups: sysadmin-releng
@ -8,7 +6,12 @@ sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 tcp_ports: [
    5000,
-    # This is for the gluster server
+    # These ports all required for gluster
-    6996]
+    111, 24007, 24008, 24009, 24010, 24011,
    49152, 49153, 49154, 49155,
    ]
 # gluster
 udp_ports: [111]
 registry_gluster_username_prod: registry-prod
--- a/inventory/group_vars/docker-registry-stg
+++ b/inventory/group_vars/docker-registry-stg
@ -1,7 +1,4 @@
 ---
 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
 fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-veteran
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
--- a/inventory/group_vars/openqa
+++ b/inventory/group_vars/openqa
@ -44,8 +44,7 @@ tcp_ports: [80, 2049]
 # These people get told when something goes wrong.
 fedmsg_error_recipients:
 - adamwill@fedoraproject.org
- tflink@fedoraproject.org
+- lruzicka@fedoraproject.org
 - pschindl@fedoraproject.org
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
@ -69,6 +68,14 @@ fedmsg_certs:
  - openqa.jobs.restart
  - openqa.job.update.result
  - openqa.job.done
 - service: ci
  owner: root
  group: geekotest
  can_send:
  - ci.productmd-compose.test.queued
  - ci.productmd-compose.test.running
  - ci.productmd-compose.test.complete
  - ci.productmd-compose.test.error
 # we need this to log with fedmsg-logger
 fedmsg_active: True
--- a/inventory/group_vars/openqa-stg
+++ b/inventory/group_vars/openqa-stg
@ -48,8 +48,7 @@ tcp_ports: [80, 2049]
 # These people get told when something goes wrong.
 fedmsg_error_recipients:
 - adamwill@fedoraproject.org
- tflink@fedoraproject.org
+- lruzicka@fedoraproject.org
 - pschindl@fedoraproject.org
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/group_vars/os
+++ b/inventory/group_vars/os
@ -3,3 +3,4 @@ host_group: os
 baseiptables: False
 no_http2: True
 nm_controlled_resolv: True
 openshift_ansible_upgrading: True
--- a/inventory/group_vars/os-masters
+++ b/inventory/group_vars/os-masters
@ -6,3 +6,4 @@ swap: false
 nagios_Check_Services:
  swap: false
  nrpe: false
  mail: false
--- a/inventory/group_vars/os-masters-stg
+++ b/inventory/group_vars/os-masters-stg
@ -6,3 +6,4 @@ os_app_url: app.os.stg.fedoraproject.org
 nagios_Check_Services:
  swap: false
  nrpe: false
  mail: false
--- a/inventory/group_vars/os-nodes
+++ b/inventory/group_vars/os-nodes
@ -6,3 +6,4 @@ swap: false
 nagios_Check_Services:
  swap: false
  nrpe: false
  mail: false
--- a/inventory/group_vars/os-nodes-stg
+++ b/inventory/group_vars/os-nodes-stg
@ -6,3 +6,4 @@ os_app_url: app.os.stg.fedoraproject.org
 nagios_Check_Services:
  swap: false
  nrpe: false
  mail: false
--- a/inventory/group_vars/os-stg
+++ b/inventory/group_vars/os-stg
@ -3,3 +3,5 @@ host_group: os
 baseiptables: False
 no_http2: False
 nm_controlled_resolv: True
 # Only set this when upgrading
 #openshift_ansible_upgrading: True
--- a/inventory/group_vars/osbs-masters
+++ b/inventory/group_vars/osbs-masters
@ -132,7 +132,7 @@ _osbs_reactor_config_map:
    required_secrets:
    - kojisecret
    - v2-registry-dockercfg
-    # - odcs-oidc-secret
+    - odcs-oidc-secret
    worker_token_secrets:
    - x86-64-orchestrator
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@ -17,7 +17,7 @@ wsgi_fedmsg_service: pagure
 wsgi_procs: 6
 wsgi_threads: 6
-fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-veteran
+fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-veteran
 fas_client_restricted_app: PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/share/gitolite3/gitolite-shell %(username)s
 fas_client_admin_app: PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/share/gitolite3/gitolite-shell -s %(username)s
 fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-releng,sysadmin-noc,sysadmin-veteran"
--- a/inventory/group_vars/retrace-stg
+++ b/inventory/group_vars/retrace-stg
@ -7,5 +7,6 @@ sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers"
 root_auth_users: msuchy
 nagios_Check_Services:
  mail: false
  nrpe: false
  swap: false
--- a/inventory/group_vars/sign-vault
+++ b/inventory/group_vars/sign-vault
@ -3,3 +3,9 @@ freezes: true
 postfix_group: sign
 host_group: sign
 ansible_ifcfg_blacklist: true
 nagios_Check_Services:
  mail: false
  nrpe: false
  sshd: false
  swap: false
  ping: true
--- a/inventory/group_vars/smtp-mm
+++ b/inventory/group_vars/smtp-mm
@ -14,3 +14,7 @@ fas_client_groups: sysadmin-noc,sysadmin-tools,fi-apprentice,sysadmin-veteran
 postfix_transport_filename: transports.mm-smtp
 postfix_group: smtp-mm
 vpn: true
 nagios_Check_Services:
  nrpe: true
  mail: false
--- a/inventory/group_vars/tang
+++ b/inventory/group_vars/tang
@ -0,0 +1,23 @@
 ---
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 host_backup_targets: ['/var/db/tang']
 datacenter: phx2
 # Define resources for this group of hosts here. 
 lvm_size: 20000
 mem_size: 4096
 num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 tcp_ports: [80]
 fas_client_groups: sysadmin-main
--- a/inventory/host_vars/batcave13.rdu2.fedoraproject.org
+++ b/inventory/host_vars/batcave13.rdu2.fedoraproject.org
@ -26,6 +26,7 @@ postfix_group: vpn
 vpn: true
 nagios_Check_Services:
  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/host_vars/bkernel03.phx2.fedoraproject.org
+++ b/inventory/host_vars/bkernel03.phx2.fedoraproject.org
@ -1,4 +1,4 @@
 ---
 gw: 10.5.125.254
 eth0_ip: 10.5.125.81
-eth1_ip: 10.5.127.133
+eth1_ip: 10.5.127.129
--- a/inventory/host_vars/bkernel04.phx2.fedoraproject.org
+++ b/inventory/host_vars/bkernel04.phx2.fedoraproject.org
@ -1,4 +1,4 @@
 ---
 gw: 10.5.125.254
 eth0_ip: 10.5.125.82
-eth1_ip: 10.5.127.134
+eth1_ip: 10.5.127.144
--- a/inventory/host_vars/branched-composer.phx2.fedoraproject.org
+++ b/inventory/host_vars/branched-composer.phx2.fedoraproject.org
@ -34,3 +34,8 @@ fedmsg_certs:
  - compose.branched.rsync.complete
  - compose.branched.rsync.start
  - compose.branched.start
  - compose.29.start
  - compose.29.complete
  - compose.29.rsync.start
  - compose.29.rsync.complete
--- a/inventory/host_vars/certgetter01.phx2.fedoraproject.org
+++ b/inventory/host_vars/certgetter01.phx2.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.126.237
--- a/inventory/host_vars/cloud-noc01.cloud.fedoraproject.org
+++ b/inventory/host_vars/cloud-noc01.cloud.fedoraproject.org
@ -12,16 +12,16 @@ freezes: false
 resolvconf: "{{ files }}/resolv.conf/cloud-noc01.cloud.fedoraproject.org"
 tcp_ports: ['22']
-custom_rules: [ '-A INPUT -i eth0 -p tcp -m tcp -s 209.132.184.0/24  --dport 67 -j ACCEPT',
+custom_rules: [ '-A INPUT -i br0 -p tcp -m tcp -s 209.132.184.0/24  --dport 67 -j ACCEPT',
-                '-A INPUT -i eth0 -p tcp -m tcp -s 209.132.184.0/24  --dport 68 -j ACCEPT',
+                '-A INPUT -i br0 -p tcp -m tcp -s 209.132.184.0/24  --dport 68 -j ACCEPT',
-                '-A INPUT -i eth0 -p tcp -m tcp -s 209.132.184.0/24  --dport 69 -j ACCEPT',
+                '-A INPUT -i br0 -p tcp -m tcp -s 209.132.184.0/24  --dport 69 -j ACCEPT',
-                '-A INPUT -i eth0 -p udp -m udp -s 209.132.184.0/24  --dport 67 -j ACCEPT',
+                '-A INPUT -i br0 -p udp -m udp -s 209.132.184.0/24  --dport 67 -j ACCEPT',
-                '-A INPUT -i eth0 -p udp -m udp -s 209.132.184.0/24  --dport 68 -j ACCEPT',
+                '-A INPUT -i br0 -p udp -m udp -s 209.132.184.0/24  --dport 68 -j ACCEPT',
-                '-A INPUT -i eth0 -p udp -m udp -s 209.132.184.0/24  --dport 69 -j ACCEPT',
+                '-A INPUT -i br0 -p udp -m udp -s 209.132.184.0/24  --dport 69 -j ACCEPT',
-                '-A INPUT -i eth1 -p tcp -m tcp -s 172.23.0.0/23  --dport 67 -j ACCEPT',
+                '-A INPUT -i br1 -p tcp -m tcp -s 172.23.0.0/23  --dport 67 -j ACCEPT',
-                '-A INPUT -i eth1 -p tcp -m tcp -s 172.23.0.0/23  --dport 68 -j ACCEPT',
+                '-A INPUT -i br1 -p tcp -m tcp -s 172.23.0.0/23  --dport 68 -j ACCEPT',
-                '-A INPUT -i eth1 -p tcp -m tcp -s 172.23.0.0/23  --dport 69 -j ACCEPT',
+                '-A INPUT -i br1 -p tcp -m tcp -s 172.23.0.0/23  --dport 69 -j ACCEPT',
-                '-A INPUT -i eth1 -p udp -m udp -s 172.23.0.0/23  --dport 67 -j ACCEPT',
+                '-A INPUT -i br1 -p udp -m udp -s 172.23.0.0/23  --dport 67 -j ACCEPT',
-                '-A INPUT -i eth1 -p udp -m udp -s 172.23.0.0/23  --dport 68 -j ACCEPT',
+                '-A INPUT -i br1 -p udp -m udp -s 172.23.0.0/23  --dport 68 -j ACCEPT',
-                '-A INPUT -i eth1 -p udp -m udp -s 172.23.0.0/23  --dport 69 -j ACCEPT' ]
+                '-A INPUT -i br1 -p udp -m udp -s 172.23.0.0/23  --dport 69 -j ACCEPT' ]
--- a/inventory/host_vars/compose-iot-01.phx2.fedoraproject.org
+++ b/inventory/host_vars/compose-iot-01.phx2.fedoraproject.org
@ -35,3 +35,5 @@ fedmsg_certs:
  - pungi.compose.ostree
  - compose.29.complete
  - compose.29.start
  - compose.29.rsync.start
  - compose.29.rsync.complete
--- a/inventory/host_vars/copr-be-stg.fedorainfracloud.org
+++ b/inventory/host_vars/copr-be-stg.fedorainfracloud.org
@ -0,0 +1,26 @@
 ---
 instance_type: m1.xlarge
 image: "{{ fedora27_x86_64 }}"
 keypair: fedora-admin-20130801
 security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent,fedmsg-relay-persistent
 zone: nova
 hostbase: copr-be-stg-
 public_ip: 209.132.184.44
 root_auth_users: msuchy pingou frostyx dturecek clime
 description: copr dispatcher and repo server - stg instance
 tcp_ports: ['22', '80', '443', '2003', '4001']
 # volumes: copr-be-stg-data
 volumes: [ {volume_id: 'a3325e22-bdc0-4eeb-bb73-45365ddb7a01', device: '/dev/vdc'} ]
 inventory_tenant: persistent
 # name of machine in OpenStack
 inventory_instance_name: copr-be-stg
 cloud_networks:
  # persistent-net
  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
  # coprdev-net
  - net-id: "a440568f-b90a-46af-8ca6-d8fa743a7e7a"
 # Copr vars
 copr_hostbase: copr-be-stg
 _copr_be_conf: copr-be.conf-stg
--- a/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org
+++ b/inventory/host_vars/copr-dist-git-stg.fedorainfracloud.org
@ -0,0 +1,22 @@
 ---
 instance_type: ms1.small
 image: "{{ fedora27_x86_64 }}"
 keypair: fedora-admin-20130801
 security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 hostbase: copr-dist-git-stg-
 public_ip: 209.132.184.57
 root_auth_users:  ryanlerch pingou msuchy dturecek frostyx clime
 description: dist-git for copr service - stg instance
 tcp_ports: [22, 80]
 # volumes:  copr-dist-git-stg
 volumes: [ {volume_id: '0cb506b9-3931-47fa-b6d3-a0ad2614f221', device: '/dev/vdc'} ]
 inventory_tenant: persistent
 # name of machine in OpenStack
 inventory_instance_name: copr-dist-git-stg
 cloud_networks:
  # persistent-net
  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
 # Copr vars
 copr_hostbase: copr-dist-git-stg
--- a/inventory/host_vars/copr-dist-git.fedorainfracloud.org
+++ b/inventory/host_vars/copr-dist-git.fedorainfracloud.org
@ -6,7 +6,7 @@ security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-i
 zone: nova
 hostbase: copr-dist-git
 public_ip: 209.132.184.163
-root_auth_users:  msuchy asamalik clime frostyx
+root_auth_users:  msuchy clime frostyx
 description: dist-git for copr service - prod instance
 tcp_ports: [22, 80]
 # volumes:  copr-dist-git, copr-dist-git-log
--- a/inventory/host_vars/copr-fe.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-fe.cloud.fedoraproject.org
@ -9,7 +9,7 @@ security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywh
 zone: nova
 hostbase: copr-fe-
 public_ip: 209.132.184.54
-root_auth_users:  msuchy asamalik clime frostyx
+root_auth_users:  msuchy clime frostyx
 description: copr frontend server - prod instance
 tcp_ports: [22, 80, 443]
 volumes: [ {volume_id: '8f790db7-8294-4d2b-8bae-7af5961ce0f8', device: '/dev/vdc'} ]
--- a/inventory/host_vars/copr-frontend01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/copr-frontend01.stg.phx2.fedoraproject.org
@ -0,0 +1,12 @@
 ---
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.128.49
 vmhost: virthost02.stg.phx2.fedoraproject.org
 datacenter: phx2
--- a/inventory/host_vars/copr-frontend02.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/copr-frontend02.stg.phx2.fedoraproject.org
@ -0,0 +1,12 @@
 ---
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_virthost16
 eth0_ip: 10.5.128.50
 vmhost: virthost05.stg.phx2.fedoraproject.org
 datacenter: phx2
--- a/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org
+++ b/inventory/host_vars/copr-keygen-stg.fedorainfracloud.org
@ -0,0 +1,22 @@
 ---
 instance_type: ms1.small
 image: "{{ fedora27_x86_64 }}"
 keypair: fedora-admin-20130801
 # todo: remove some security groups ?
 security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 hostbase: copr-keygen-stg-
 public_ip: 209.132.184.56
 root_auth_users: msuchy clime frostyx dturecek
 volumes: [ {volume_id: '5424ff3c-b1c6-4291-a0ed-2d30924f4f88', device: '/dev/vdc'} ]
 description: copr keygen and sign host - stg instance
 inventory_tenant: persistent
 # name of machine in OpenStack
 inventory_instance_name: copr-keygen-stg
 cloud_networks:
  # persistent-net
  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
 # Copr vars
 copr_hostbase: copr-keygen-stg
--- a/inventory/host_vars/db-koji01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/db-koji01.stg.phx2.fedoraproject.org
@ -7,8 +7,8 @@ eth0_ip: 10.5.128.98
 vmhost: bvirthost01.stg.phx2.fedoraproject.org
 datacenter: phx2
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 # This is a generic list, monitored by collectd
 databases:
--- a/inventory/host_vars/download-rdu01.fedoraproject.org
+++ b/inventory/host_vars/download-rdu01.fedoraproject.org
@ -13,3 +13,8 @@ eth1_ip: 172.31.1.1
 eth1_nm: 255.255.255.0
 public_ip: 209.132.190.4
 nagios_Check_Services:
  mail: false
  nrpe: false
  ping: true
--- a/inventory/host_vars/download01.phx2.fedoraproject.org
+++ b/inventory/host_vars/download01.phx2.fedoraproject.org
@ -1,4 +1,34 @@
 ---
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
 ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
 ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
 vmhost: virthost01.phx2.fedoraproject.org
 volgroup: /dev/vg_guests
 #
 # We need this to install with 2 nics
 #
 virt_install_command: "{{ virt_install_command_two_nic }}"
 eth0_ip: 10.5.126.93
 eth1_ip: 10.5.127.101
 main_bridge: br0
 nfs_bridge: br1
 datacenter: phx2
 tcp_ports: [80, 443, 873]
 rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}"
 nrpe_procs_warn: 1200
 nrpe_procs_crit: 1400
 mem_size: 16384
 max_mem_size: 20480
 lvm_size: 20000
 num_cpus: 8
 vpn: false
--- a/inventory/host_vars/download02.phx2.fedoraproject.org
+++ b/inventory/host_vars/download02.phx2.fedoraproject.org
@ -1,4 +1,34 @@
 ---
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
 ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
 ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
 vmhost: virthost02.phx2.fedoraproject.org
 volgroup: /dev/vg_guests
 #
 # We need this to install with 2 nics
 #
 virt_install_command: "{{ virt_install_command_two_nic }}"
 eth0_ip: 10.5.126.94
 eth1_ip: 10.5.127.102
 main_bridge: br0
 nfs_bridge: br1
 datacenter: phx2
 tcp_ports: [80, 443, 873]
 rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}"
 nrpe_procs_warn: 1200
 nrpe_procs_crit: 1400
 mem_size: 16384
 max_mem_size: 20480
 lvm_size: 20000
 num_cpus: 8
 vpn: false
--- a/inventory/host_vars/eclipse.fedorainfracloud.org
+++ b/inventory/host_vars/eclipse.fedorainfracloud.org
@ -1,18 +0,0 @@
 ---
 image: "{{ fedora23_x86_64 }}"
 instance_type: m1.small
 keypair: fedora-admin-20130801
 security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
 inventory_tenant: persistent
 inventory_instance_name: eclipse
 hostbase: eclipse
 public_ip: 209.132.184.121
 root_auth_users: mbooth sopotc akurtakov
 description: eclipse help for fedora eclipse addons
 cloud_networks:
  # persistent-net
  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
--- a/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org
@ -12,6 +12,7 @@ vmhost: virthost04.stg.phx2.fedoraproject.org
 datacenter: phx2
 nagios_Check_Services: 
  mail: false
  nrpe: false
  swap: false
--- a/inventory/host_vars/fed-cloud01.cloud.fedoraproject.org
+++ b/inventory/host_vars/fed-cloud01.cloud.fedoraproject.org
@ -1,4 +1,5 @@
 ---
 nagios_Check_Services:
  mail: false
  nrpe: false
  swap: false
--- a/inventory/host_vars/fed-cloud02.cloud.fedoraproject.org
+++ b/inventory/host_vars/fed-cloud02.cloud.fedoraproject.org
@ -1,4 +1,5 @@
 ---
 nagios_Check_Services:
  mail: false
  nrpe: false
  swap: false
--- a/inventory/host_vars/ns13.rdu2.fedoraproject.org
+++ b/inventory/host_vars/ns13.rdu2.fedoraproject.org
@ -28,6 +28,7 @@ ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q root@bastion13.fedora
 nagios_Check_Services:
  nrpe: false
  mail: false
  sshd: false
  swap: false
  ping: false
--- a/inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-candidate-registry01.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.125.57
 vmhost: bvirthost01.phx2.fedoraproject.org
--- a/inventory/host_vars/docker-candidate-registry01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-candidate-registry01.stg.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.128.122
 vmhost: virthost04.stg.phx2.fedoraproject.org
--- a/inventory/host_vars/docker-registry03.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-registry03.phx2.fedoraproject.org
@ -2,10 +2,10 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
-eth0_ip: 10.5.125.78
+eth0_ip: 10.5.125.77
 vmhost: bvirthost04.phx2.fedoraproject.org
 datacenter: phx2
--- a/inventory/host_vars/docker-registry01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-registry01.stg.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.128.123
 vmhost: virthost04.stg.phx2.fedoraproject.org
--- a/inventory/host_vars/docker-registry02.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-registry02.phx2.fedoraproject.org
@ -2,10 +2,10 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-docker-reg
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
-eth0_ip: 10.5.125.77
+eth0_ip: 10.5.125.78
 vmhost: bvirthost01.phx2.fedoraproject.org
 datacenter: phx2
--- a/inventory/host_vars/docker-registry02.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/docker-registry02.stg.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27-docker-reg
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-docker-reg
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.128.124
 vmhost: virthost01.stg.phx2.fedoraproject.org
--- a/inventory/host_vars/osbs-control01.phx2.fedoraproject.org
+++ b/inventory/host_vars/osbs-control01.phx2.fedoraproject.org
@ -13,3 +13,7 @@ datacenter: phx2
 mem_size: 4096
 max_mem_size: 4096
 nagios_Check_Services:
  nrpe: false
  mail: false
--- a/inventory/host_vars/relay-stg.ci.centos.org
+++ b/inventory/host_vars/relay-stg.ci.centos.org
@ -62,7 +62,7 @@ fedmsg_prefix: org.centos
 fedmsg_env: stg
 nagios_Check_Services:
-  monitor: false
+  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/host_vars/relay.ci.centos.org
+++ b/inventory/host_vars/relay.ci.centos.org
@ -62,7 +62,7 @@ fedmsg_prefix: org.centos
 fedmsg_env: prod
 nagios_Check_Services:
-  monitor: false
+  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/host_vars/sign-vault05.phx2.fedoraproject.org
+++ b/inventory/host_vars/sign-vault05.phx2.fedoraproject.org
@ -0,0 +1,10 @@
 ---
 gw: 10.5.125.254
 eth0_ip: 10.5.125.83
 install_noc: noc01.phx2.fedoraproject.org
 install_mac: D0:94:66:45:87:C1
 # Inside this, expect /vmlinuz and /initrd.img
 install_binpath: /uefi/x86_64/f28
 install_ks: http://10.5.126.23/repo/rhel/ks/buildhw-f28
 install_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
--- a/inventory/host_vars/sign-vault06.phx2.fedoraproject.org
+++ b/inventory/host_vars/sign-vault06.phx2.fedoraproject.org
@ -0,0 +1,10 @@
 ---
 gw: 10.5.125.254
 eth0_ip: 10.5.125.84
 install_noc: noc01.phx2.fedoraproject.org
 install_mac: D0:94:66:45:A1:62
 # Inside this, expect /vmlinuz and /initrd.img
 install_binpath: /uefi/x86_64/f28
 install_ks: http://10.5.126.23/repo/rhel/ks/buildhw-f28
 install_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
--- a/inventory/host_vars/tang01.phx2.fedoraproject.org
+++ b/inventory/host_vars/tang01.phx2.fedoraproject.org
@ -0,0 +1,4 @@
 ---
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.126.3
 vmhost: virthost12.phx2.fedoraproject.org
--- a/inventory/host_vars/tang02.phx2.fedoraproject.org
+++ b/inventory/host_vars/tang02.phx2.fedoraproject.org
@ -0,0 +1,4 @@
 ---
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.126.4
 vmhost: virthost14.phx2.fedoraproject.org
--- a/inventory/host_vars/undercloud02.cloud.fedoraproject.org
+++ b/inventory/host_vars/undercloud02.cloud.fedoraproject.org
@ -17,7 +17,7 @@ vmhost: cloud-noc01.cloud.fedoraproject.org
 datacenter: newcloud
 nagios_Check_Services:
-  monitor: false
+  mail: false
  nrpe: false
  sshd: false
  swap: false
--- a/inventory/host_vars/virthost-rdu01.fedoraproject.org
+++ b/inventory/host_vars/virthost-rdu01.fedoraproject.org
@ -13,3 +13,7 @@ br1_nm: 255.255.255.0
 vpn: true
 public_ip: 209.132.190.11
 nagios_Check_Services:
  nrpe: false
  mail: false
--- a/inventory/host_vars/virthost01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/virthost01.stg.phx2.fedoraproject.org
@ -8,3 +8,10 @@ br0_ip: 10.5.128.40
 br0_nm: 255.255.255.0
 br1_ip: 10.5.127.202
 br1_nm: 255.255.255.0
 install_noc: noc01.phx2.fedoraproject.org
 install_mac: 24-6E-96-B1-C7-F4
 # Inside this, expect /vmlinuz and /initrd.img
 install_binpath: /uefi/x86_64/el7
 install_ks: http://10.5.126.23/repo/rhel/ks/hardware-rhel-7-08disk
 install_repo: http://10.5.126.23/http://10.5.126.23/repo/rhel/RHEL7-x86_64/
--- a/inventory/inventory
+++ b/inventory/inventory
@ -229,7 +229,6 @@ mdapi01.phx2.fedoraproject.org
 mdapi01.stg.phx2.fedoraproject.org
 [minimal]
 bkernel03.phx2.fedoraproject.org
 bkernel04.phx2.fedoraproject.org
 [modernpaste]
@ -260,6 +259,8 @@ sign-bridge01.stg.phx2.fedoraproject.org
 #sign-vault03.phx2.fedoraproject.org
 #sign-vault04.phx2.fedoraproject.org
 #sign-vault01.stg.phx2.fedoraproject.org
 sign-vault05.phx2.fedoraproject.org
 sign-vault06.phx2.fedoraproject.org
 [autocloud-web]
 autocloud-web01.phx2.fedoraproject.org
@ -329,6 +330,8 @@ badges-web01.stg.phx2.fedoraproject.org
 blockerbugs01.stg.phx2.fedoraproject.org
 bodhi-backend01.stg.phx2.fedoraproject.org
 busgateway01.stg.phx2.fedoraproject.org
 copr-frontend01.stg.phx2.fedoraproject.org
 copr-frontend02.stg.phx2.fedoraproject.org
 datagrepper01.stg.phx2.fedoraproject.org
 elections01.stg.phx2.fedoraproject.org
 fedocal01.stg.phx2.fedoraproject.org
@ -344,7 +347,6 @@ download02.phx2.fedoraproject.org
 download03.phx2.fedoraproject.org
 download04.phx2.fedoraproject.org
 download05.phx2.fedoraproject.org
 download06.phx2.fedoraproject.org
 [download-ibiblio]
 download-ib01.fedoraproject.org
@ -361,7 +363,8 @@ download05.phx2.fedoraproject.org
 #download-rdu01.fedoraproject.org
 [download-phx2-virtual]
-download06.phx2.fedoraproject.org
+download01.phx2.fedoraproject.org
 download02.phx2.fedoraproject.org
 [download:children]
@ -553,6 +556,10 @@ qa12.qa.fedoraproject.org
 qa13.qa.fedoraproject.org
 qa14.qa.fedoraproject.org
 [tang]
 tang01.phx2.fedoraproject.org
 tang02.phx2.fedoraproject.org
 [torrent]
 torrent02.fedoraproject.org
@ -751,17 +758,22 @@ buildvm-s390x-01.stg.s390.fedoraproject.org
 busgateway01.stg.phx2.fedoraproject.org
 composer.stg.phx2.fedoraproject.org
 copr-be-dev.cloud.fedoraproject.org
 copr-be-stg.fedorainfracloud.org
 copr-dist-git-dev.fedorainfracloud.org
 copr-dist-git-stg.fedorainfracloud.org
 copr-fe-dev.cloud.fedoraproject.org
 copr-frontend01.stg.phx2.fedoraproject.org
 copr-frontend02.stg.phx2.fedoraproject.org
 copr-keygen-dev.cloud.fedoraproject.org
 copr-keygen-stg.fedorainfracloud.org
 datagrepper01.stg.phx2.fedoraproject.org
 db-fas01.stg.phx2.fedoraproject.org
 db-koji01.stg.phx2.fedoraproject.org
 db01.stg.phx2.fedoraproject.org
 db03.stg.phx2.fedoraproject.org
-docker-candidate-registry01.stg.phx2.fedoraproject.org
+oci-candidate-registry01.stg.phx2.fedoraproject.org
-docker-registry01.stg.phx2.fedoraproject.org
+oci-registry01.stg.phx2.fedoraproject.org
-docker-registry02.stg.phx2.fedoraproject.org
+oci-registry02.stg.phx2.fedoraproject.org
 elections01.stg.phx2.fedoraproject.org
 fas01.stg.phx2.fedoraproject.org
 fedimg01.stg.phx2.fedoraproject.org
@ -860,6 +872,8 @@ proxy10.phx2.fedoraproject.org
 proxy101.phx2.fedoraproject.org
 proxy110.phx2.fedoraproject.org
 openqa-stg01.qa.fedoraproject.org
 tang01.phx2.fedoraproject.org
 tang02.phx2.fedoraproject.org
 [statscache:children]
 statscache-web
@ -1210,8 +1224,6 @@ java-deptools.fedorainfracloud.org
 developer.fedorainfracloud.org
 # fedimg-dev development instance
 fedimg-dev.fedorainfracloud.org
 # eclipse help center - ticket 5293
 eclipse.fedorainfracloud.org
 # iddev
 iddev.fedorainfracloud.org
 # commops - ticket 5380
@ -1291,15 +1303,6 @@ bvirthost
 buildvmhost
 virthost-comm
 [copr-front-stg]
 copr-fe-dev.cloud.fedoraproject.org
 [copr-back-stg]
 copr-be-dev.cloud.fedoraproject.org
 [copr-keygen-stg]
 copr-keygen-dev.cloud.fedoraproject.org
 [copr-keygen]
 copr-keygen.cloud.fedoraproject.org
@ -1312,9 +1315,31 @@ copr-be.cloud.fedoraproject.org
 [copr-dist-git]
 copr-dist-git.fedorainfracloud.org
-[copr-dist-git-stg]
+[copr-front-dev]
 copr-fe-dev.cloud.fedoraproject.org
 [copr-back-dev]
 copr-be-dev.cloud.fedoraproject.org
 [copr-keygen-dev]
 copr-keygen-dev.cloud.fedoraproject.org
 [copr-dist-git-dev]
 copr-dist-git-dev.fedorainfracloud.org
 [copr-front-stg]
 copr-frontend01.stg.phx2.fedoraproject.org
 copr-frontend02.stg.phx2.fedoraproject.org
 [copr-back-stg]
 copr-be-stg.fedorainfracloud.org
 [copr-keygen-stg]
 copr-keygen-stg.fedorainfracloud.org
 [copr-dist-git-stg]
 copr-dist-git-stg.fedorainfracloud.org
 [copr:children]
 copr-front
 copr-back
@ -1327,6 +1352,12 @@ copr-back-stg
 copr-keygen-stg
 copr-dist-git-stg
 [copr-dev:children]
 copr-front-dev
 copr-back-dev
 copr-keygen-dev
 copr-dist-git-dev
 [pagure]
 pagure01.fedoraproject.org
@ -1438,28 +1469,32 @@ os-control
 [ci]
 ci-cc-rdu01.fedoraproject.org
-# Docker (docker-distribution) registries
+# registries
-[docker-registry]
+[oci-registry]
-docker-registry02.phx2.fedoraproject.org
+oci-registry01.phx2.fedoraproject.org
-docker-registry03.phx2.fedoraproject.org
+oci-registry02.phx2.fedoraproject.org
-docker-candidate-registry01.phx2.fedoraproject.org
+oci-candidate-registry01.phx2.fedoraproject.org
-[docker-registry-gluster-stg]
+[oci-registry-gluster]
-docker-registry01.stg.phx2.fedoraproject.org
+oci-registry01.phx2.fedoraproject.org
-docker-registry02.stg.phx2.fedoraproject.org
+oci-registry02.phx2.fedoraproject.org
-[docker-registry-stg]
+[oci-registry-gluster-stg]
-docker-registry01.stg.phx2.fedoraproject.org
+oci-registry01.stg.phx2.fedoraproject.org
-docker-registry02.stg.phx2.fedoraproject.org
+oci-registry02.stg.phx2.fedoraproject.org
-docker-candidate-registry01.stg.phx2.fedoraproject.org
+
 [oci-registry-stg]
 oci-registry01.stg.phx2.fedoraproject.org
 oci-registry02.stg.phx2.fedoraproject.org
 oci-candidate-registry01.stg.phx2.fedoraproject.org
 ## Not the candidate just the top registry
 [moby-registry]
-docker-registry02.phx2.fedoraproject.org
+oci-registry01.phx2.fedoraproject.org
 ## Not the candidate just the top registry
 [moby-registry-stg]
-docker-registry01.stg.phx2.fedoraproject.org
+oci-registry01.stg.phx2.fedoraproject.org
 [webservers:children]
 proxies
--- a/master.yml
+++ b/master.yml
@ -36,9 +36,10 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-backend.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-dist-git.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-frontend-cloud.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/copr-keygen.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/datagrepper.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/docker-registry.yml
+- import_playbook: /srv/web/infra/ansible/playbooks/groups/oci-registry.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/dns.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/download.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/elections.yml
@ -98,6 +99,7 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/statscache.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/sundries.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/tagger.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/tang.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/taskotron.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/taskotron-client-hosts.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/torrent.yml
@ -117,6 +119,7 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/waiverdb.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/coreos.yml
 # These need work to finish and complete and are all stg currently.
 #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/koschei.yml
 #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/modernpaste.yml
 #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/rats.yml
 #- import_playbook: /srv/web/infra/ansible/playbooks/openshift-apps/release-monitoring.yml
@ -132,7 +135,6 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/commops.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/developer.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/eclipse.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/elastic-dev.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/fas2-dev.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/fas3-dev.fedorainfracloud.org.yml
--- a/playbooks/groups/bodhi-backend.yml
+++ b/playbooks/groups/bodhi-backend.yml
@ -64,10 +64,10 @@
    service: bodhi
    host: "bodhi.stg.fedoraproject.org"
    when: env == "staging"
-  - role: manage-container-images
+  - role: push-container-registry
    cert_dest_dir: "/etc/docker/certs.d/registry{{ env_suffix }}.fedoraproject.org"
-    cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem"
+    cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt"
-    key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key"
+    key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key"
    certs_group: apache
--- a/playbooks/groups/certgetter.yml
+++ b/playbooks/groups/certgetter.yml
@ -21,8 +21,10 @@
  - { role: openvpn/client,
      when: env != "staging" }
-  tasks:
+  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
  - import_tasks: "{{ tasks_path }}/motd.yml"
--- a/playbooks/groups/copr-backend.yml
+++ b/playbooks/groups/copr-backend.yml
@ -1,6 +1,5 @@
 - name: check/create instance
-  #hosts: copr-back
+  hosts: copr-back-dev:copr-back-stg:copr-back
  hosts: copr-back:copr-back-stg
  user: root
  gather_facts: False
@ -13,7 +12,7 @@
  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
 - name: cloud basic setup
-  hosts: copr-back:copr-back-stg
+  hosts: copr-back-dev:copr-back-stg:copr-back
  user: root
  gather_facts: True
  vars_files:
@ -28,7 +27,7 @@
    hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
 - name: provision instance
-  hosts: copr-back:copr-back-stg
+  hosts: copr-back-dev:copr-back-stg:copr-back
  user: root
  gather_facts: True
--- a/playbooks/groups/copr-dist-git.yml
+++ b/playbooks/groups/copr-dist-git.yml
@ -1,5 +1,5 @@
 - name: check/create instance
-  hosts: copr-dist-git-stg:copr-dist-git
+  hosts: copr-dist-git-dev:copr-dist-git-stg:copr-dist-git
  user: root
  gather_facts: False
@ -13,7 +13,7 @@
  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
 - name: cloud basic setup
-  hosts: copr-dist-git-stg:copr-dist-git
+  hosts: copr-dist-git-dev:copr-dist-git-stg:copr-dist-git
  user: root
  gather_facts: True
  vars_files:
@ -27,7 +27,7 @@
    hostname: name="{{copr_hostbase}}.fedorainfracloud.org"
 - name: provision instance
-  hosts: copr-dist-git-stg:copr-dist-git
+  hosts: copr-dist-git-dev:copr-dist-git-stg:copr-dist-git
  user: root
  gather_facts: True
--- a/playbooks/hosts/eclipse.fedorainfracloud.org.yml
+++ b/playbooks/hosts/eclipse.fedorainfracloud.org.yml
@ -1,35 +1,42 @@
 - name: check/create instance
-  hosts: eclipse.fedorainfracloud.org
+  hosts: copr-front-dev:copr-front
  # hosts: copr-front
  gather_facts: False
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
-   - /srv/private/ansible/vars.yml
+   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/fedora-cloud.yml
   - /srv/private/ansible/files/openstack/passwords.yml
  tasks:
  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
-  handlers:
+- name: cloud basic setup
-  - import_tasks: "{{ handlers_path }}/restart_services.yml"
+  hosts: copr-front-dev:copr-front
-
+  # hosts: copr-front
 - name: setup all the things
  hosts: eclipse.fedorainfracloud.org
  gather_facts: True
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
-   - /srv/private/ansible/vars.yml
+   - "/srv/private/ansible/vars.yml"
   - /srv/private/ansible/files/openstack/passwords.yml
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  roles:
  - basessh
  tasks:
  - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  - name: set hostname (required by some services, at least postfix need it)
-    hostname: name="{{inventory_hostname}}"
+    hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
 - name: provision instance
  hosts: copr-front:copr-front-dev
  # hosts: copr-front
  gather_facts: True
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  roles:
   - base
   - copr/frontend-cloud
   - nagios_client
--- a/playbooks/groups/copr-frontend.yml
+++ b/playbooks/groups/copr-frontend.yml
@ -1,34 +1,9 @@
- name: check/create instance
+---
-  hosts: copr-front-stg:copr-front
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=copr-front-stg"
  # hosts: copr-front
  gather_facts: False
-  vars_files:
+- name: provision copr frontend
-   - /srv/web/infra/ansible/vars/global.yml
+  hosts: copr-front-stg
-   - "/srv/private/ansible/vars.yml"
+  user: root
   - /srv/web/infra/ansible/vars/fedora-cloud.yml
   - /srv/private/ansible/files/openstack/passwords.yml
  tasks:
  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
 - name: cloud basic setup
  hosts: copr-front-stg:copr-front
  # hosts: copr-front
  gather_facts: True
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  - name: set hostname (required by some services, at least postfix need it)
    hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
 - name: provision instance
  hosts: copr-front:copr-front-stg
  # hosts: copr-front
  gather_facts: True
  vars_files:
@ -36,7 +11,25 @@
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  roles:
-   - base
+  - base
-   - copr/frontend
+  - rkhunter
-   - nagios_client
+  - nagios_client
  - hosts
  - fas_client
  - collectd/base
  - { role: openvpn/client, when: env != "staging" }
  - { role: sudo, sudoers: "{{ private }}/files/sudo/copr-sudoers" }
  - redis
  - mod_wsgi
  - copr/frontend
  tasks:
  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/copr-keygen.yml
+++ b/playbooks/groups/copr-keygen.yml
@ -1,6 +1,5 @@
 - name: check/create instance
-  hosts: copr-keygen-stg:copr-keygen
+  hosts: copr-keygen-dev:copr-keygen-stg:copr-keygen
  #hosts: copr-keygen
  gather_facts: False
  vars_files:
@ -21,8 +20,7 @@
    when: facts is failed
 - name: cloud basic setup
-  hosts: copr-keygen-stg:copr-keygen
+  hosts: copr-keygen-dev:copr-keygen-stg:copr-keygen
  # hosts: copr-keygen
  gather_facts: True
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
@ -35,8 +33,7 @@
    hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
 - name: provision instance
-  hosts: copr-keygen:copr-keygen-stg
+  hosts: copr-keygen-dev:copr-keygen-stg:copr-keygen
  #hosts: copr-keygen
  gather_facts: True
  vars_files:
--- a/playbooks/groups/docker-registry.yml
+++ b/playbooks/groups/docker-registry.yml
@ -1,8 +1,8 @@
 # create an osbs server
- import_playbook:  "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=docker-registry:docker-registry-stg"
+- import_playbook:  "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=oci-registry:oci-registry-stg"
 - name: make the box be real
-  hosts: docker-registry:docker-registry-stg
+  hosts: oci-registry:oci-registry-stg
  user: root
  gather_facts: True
@ -35,8 +35,8 @@
 - name: set up gluster on stg
  hosts:
-  - docker-registry01.stg.phx2.fedoraproject.org
+  - oci-registry01.stg.phx2.fedoraproject.org
-  - docker-registry02.stg.phx2.fedoraproject.org
+  - oci-registry02.stg.phx2.fedoraproject.org
  user: root
  gather_facts: True
@ -47,16 +47,16 @@
  roles:
  - role: gluster/consolidated
-    gluster_brick_dir: /srv/glusterfs/
+    gluster_brick_dir: /srv/glusterfs
    gluster_mount_dir: /srv/docker/
    gluster_brick_name: registry
-    gluster_server_group: docker-registry-gluster-stg
+    gluster_server_group: oci-registry-gluster-stg
    tags: gluster
 - name: set up gluster on prod
  hosts:
-  - docker-registry02.phx2.fedoraproject.org
+  - oci-registry01.phx2.fedoraproject.org
-  - docker-registry03.phx2.fedoraproject.org
+  - oci-registry02.phx2.fedoraproject.org
  user: root
  gather_facts: True
@ -66,28 +66,15 @@
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  roles:
-  - role: gluster/server
+  - role: gluster/consolidated
-    glusterservername: gluster
+    gluster_brick_dir: /srv/glusterfs
-    username: "{{ registry_gluster_username_prod }}"
+    gluster_mount_dir: /srv/docker/
-    password: "{{ registry_gluster_password_prod }}"
+    gluster_brick_name: registry
-    owner: root
+    gluster_server_group: oci-registry-gluster
-    group: root
+    tags: gluster
    datadir: /srv/glusterfs/registry
  - role: gluster/client
    glusterservername: gluster
    servers:
    - docker-registry02.phx2.fedoraproject.org
    - docker-registry03.phx2.fedoraproject.org
    username: "{{ registry_gluster_username_prod }}"
    password: "{{ registry_gluster_password_prod }}"
    owner: root
    group: root
    mountdir: "/srv/docker"
 - name: setup docker distribution registry
-  hosts: docker-registry:docker-registry-stg
+  hosts: oci-registry:oci-registry-stg
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
@ -122,8 +109,6 @@
    # Setup compose-x86-01 push docker images to registry
    - {
      role: push-docker,
        docker_cert_name: "containerstable",
        docker_cert_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org",
        candidate_registry: "candidate-registry.stg.fedoraproject.org",
        candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}",
        candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}",
@ -132,8 +117,6 @@
    }
    - {
      role: push-docker,
        docker_cert_name: "containerstable",
        docker_cert_dir: "/etc/docker/certs.d/registry.fedoraproject.org",
        candidate_registry: "candidate-registry.fedoraproject.org",
        candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}",
        candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}",
--- a/playbooks/groups/odcs.yml
+++ b/playbooks/groups/odcs.yml
@ -58,14 +58,14 @@
  roles:
  - role: gluster/consolidated
-    gluster_brick_dir: /srv/glusterfs/
+    gluster_brick_dir: /srv/glusterfs
    gluster_mount_dir: /srv/odcs
    gluster_brick_name: odcs
    gluster_server_group: odcs-stg
    tags: gluster
    when: env == 'staging'
  - role: gluster/consolidated
-    gluster_brick_dir: /srv/glusterfs/
+    gluster_brick_dir: /srv/glusterfs
    gluster_mount_dir: /srv/odcs
    gluster_brick_name: odcs
    gluster_server_group: odcs
--- a/playbooks/groups/os-cluster.yml
+++ b/playbooks/groups/os-cluster.yml
@ -103,11 +103,11 @@
    - {
      role: ansible-ansible-openshift-ansible,
        cluster_inventory_filename: "cluster-inventory-stg",
-        openshift_release: "v3.9",
+        openshift_release: "v3.10",
        openshift_ansible_path: "/root/openshift-ansible",
        openshift_ansible_pre_playbook: "playbooks/prerequisites.yml",
        openshift_ansible_playbook: "playbooks/deploy_cluster.yml",
-        openshift_ansible_version: "openshift-ansible-3.9.30-1",
+        openshift_ansible_version: "openshift-ansible-3.10.38-1",
        openshift_ansible_ssh_user: root,
        openshift_ansible_install_examples: false,
        openshift_ansible_containerized_deploy: false,
@ -132,11 +132,11 @@
    - {
      role: ansible-ansible-openshift-ansible,
        cluster_inventory_filename: "cluster-inventory",
-        openshift_release: "v3.9",
+        openshift_release: "v3.10",
        openshift_ansible_path: "/root/openshift-ansible",
        openshift_ansible_pre_playbook: "playbooks/prerequisites.yml",
        openshift_ansible_playbook: "playbooks/deploy_cluster.yml",
-        openshift_ansible_version: "openshift-ansible-3.9.30-1",
+        openshift_ansible_version: "openshift-ansible-3.10.35-1",
        openshift_ansible_ssh_user: root,
        openshift_ansible_install_examples: false,
        openshift_ansible_containerized_deploy: false,
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@ -270,46 +270,6 @@
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  pre_tasks:
    - name: Make sure python2-docker-py is not installed
      dnf:
        name: python2-docker-py
        state: absent
  roles:
    - {
      role: osbs-common,
        osbs_manage_firewalld: false,
      }
    - {
      role: push-docker,
        candidate_registry: "{{docker_registry}}",
        candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}",
        candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}",
      when: env == "staging"
    }
    - {
      role: push-docker,
        candidate_registry: "{{docker_registry}}",
        candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}",
        candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}",
      when: env == "production"
    }
    - {
      role: "manage-container-images",
        cert_dest_dir: "/etc/docker/certs.d/candidate-registry{{ env_suffix }}.fedoraproject.org",
        cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
        key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
      when: env == "staging"
    }
  handlers:
    - name: restart dnsmasq
      service:
        name: dnsmasq
        state: restarted
  tasks:
    - name: Ensures /etc/dnsmasq.d/ dir exists
      file: path="/etc/dnsmasq.d/" state=directory
@ -372,7 +332,6 @@
    osbs_secret_files:
    - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
      dest: token
    when: env == "staging"
  tags:
    - osbs-worker-namespace
@ -446,7 +405,6 @@
    osbs_secret_files:
    - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
      dest: token
    when: env == "staging"
  tags:
    - osbs-orchestrator-namespace
@ -504,7 +462,8 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  pre_tasks:
-    - set_fact:
+    - name: Create the username:password string needed by the template
      set_fact:
        auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
        auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"
@ -542,7 +501,8 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  pre_tasks:
-    - set_fact:
+    - name: Create the username:password string needed by the template
      set_fact:
        auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
        auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"
@ -588,36 +548,7 @@
    koji_builder_user: dockerbuilder
    osbs_builder_user: builder
  handlers:
    - name: oc secrets new
      command: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
      environment: "{{ osbs_environment }}"
      notify: oc secrets add
    - name: oc secrets add
      command: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
      environment: "{{ osbs_environment }}"
  tasks:
    - name: Ensure koji dockerbuilder cert path exists
      file:
        path: "{{ koji_pki_dir }}"
        state: "directory"
        mode: 0400
    - name: Add koji dockerbuilder cert for Content Generator import
      copy:
        src: "{{private}}/files/koji/containerbuild.pem"
        dest: "{{ koji_cert_path }}"
      notify: oc secrets new
    - name: Add koji dockerbuilder ca cert for Content Generator import
      copy:
        src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
        dest: "{{ koji_ca_cert_path }}"
      notify: oc secrets new
    - name: cron entry to clean up old builds
      copy:
        src: "{{files}}/osbs/cleanup-old-osbs-builds"
@ -706,7 +637,7 @@
        src: "{{item}}"
        dest: "/etc/osbs/buildroot/"
        owner: root
-        mode: 600
+        mode: 0600
      with_items:
        - "{{files}}/osbs/worker_customize.json"
        - "{{files}}/osbs/orchestrator_customize.json"
@ -803,26 +734,5 @@
      register: docker_pull_fedora
      changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
    - name: register origin_version_out rpm query
      command: "rpm -q origin --qf '%{Version}'"
      register: origin_version_out
      check_mode: no
      changed_when: False
 - name: Post-Install image stream refresh
  hosts: osbs-masters[0]:osbs-masters-stg[0]
  tags:
    - osbs-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/private/ansible/files/openstack/passwords.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  tasks:
    - name: enable nrpe for monitoring (noc01)
      iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
 #    - name: enable nrpe for monitoring (noc01.stg)
 #      iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=1#0.5.126.2 state=present jump=ACCEPT
--- a/playbooks/groups/postgresql-server.yml
+++ b/playbooks/groups/postgresql-server.yml
@ -7,7 +7,7 @@
 # Once the instance exists, configure it.
 - name: configure postgresql server system
-  hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.or:db-qa03.qa.fedoraproject.org
+  hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji01.stg.phx2.fedoraproject.org:db-qa03.qa.fedoraproject.org
  user: root
  gather_facts: True
--- a/playbooks/groups/releng-compose.yml
+++ b/playbooks/groups/releng-compose.yml
@ -54,25 +54,31 @@
    tags:
    - releng
  - {
-    role: "manage-container-images",
+    role: "push-container-registry",
      cert_dest_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org",
      cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
      key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
    when: env == "staging"
  }
  - {
    role: "push-container-registry",
      cert_dest_dir: "/etc/docker/certs.d/registry.fedoraproject.org",
      cert_src: "{{private}}/files/docker-registry/{{env}}/pki/issued/containerstable.crt",
      key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key",
    when: env == "production"
  }
  - {
    role: push-docker,
      candidate_registry: "candidate-registry.stg.fedoraproject.org",
      candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}",
      candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}",
    when: env == "staging"
  }
  - {
    role: push-docker,
      candidate_registry: "candidate-registry.fedoraproject.org",
      candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}",
      candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}",
      docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org",
    when: env == "production"
  }
  - {
    role: "manage-container-images",
      cert_dest_dir: "/etc/docker/certs.d/registry.fedoraproject.org",
      cert_src: "{{private}}/files/koji/containerstable.cert.pem",
      key_src: "{{private}}/files/koji/containerstable.key.pem",
    when: env == "production"
  }
--- a/Show more
+++ b/Show more