From 0a0df18b19f09417bdf9061cd930b1df25aadda3 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Dec 2016 18:35:27 +0000 Subject: [PATCH 01/10] switch koji in stg to use proxy01.stg --- playbooks/include/proxies-reverseproxy.yml | 6 ++++++ playbooks/include/proxies-websites.yml | 7 +++++++ roles/haproxy/templates/haproxy.cfg | 8 ++++++++ 3 files changed, 21 insertions(+) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index a45c74d3c8..4966eea505 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -558,3 +558,9 @@ destname: modernpaste proxyurl: http://localhost:10055 when: env == "staging" + + - role: httpd/reverseproxy + website: koji.stg.fedoraproject.org + destname: koji + proxyurl: http://localhost:10056 + when: env == "staging" diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index aee7bc26a4..cf50bfbf3e 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -475,6 +475,13 @@ cert_name: "{{wildcard_cert_name}}" when: env == "staging" + - role: httpd/website + name: koji.stg..fedoraproject.org + server_aliases: + - koji.stg..stg.fedoraproject.org + cert_name: "{{wildcard_cert_name}}" + when: env == "staging" + - role: httpd/website name: apps.fedoraproject.org server_aliases: [apps.stg.fedoraproject.org] diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 56c88afa1f..a96720376a 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
@@ -358,6 +358,14 @@ listen modernpaste 0.0.0.0:10055 server modernpaste01 modernpaste01:80 check inter 10s rise 1 fall 2 option httpchk GET / +{% endif %} +{% if env == "staging" %} + +listen modernpaste 0.0.0.0:10056 + balance hdr(appserver) + server koji01 koji01:80 check inter 10s rise 1 fall 2 + option httpchk GET / + {% endif %} # Apache doesn't handle the initial connection here like the other proxy From 29aebf2427c057617aab587c537deba83580711c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Dec 2016 18:51:34 +0000 Subject: [PATCH 02/10] fix .. --- playbooks/include/proxies-websites.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index cf50bfbf3e..c36a1286fe 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -476,9 +476,9 @@ when: env == "staging" - role: httpd/website - name: koji.stg..fedoraproject.org + name: koji.stg.fedoraproject.org server_aliases: - - koji.stg..stg.fedoraproject.org + - koji.stg.stg.fedoraproject.org cert_name: "{{wildcard_cert_name}}" when: env == "staging" From 72e0942e304607cd1a1f2658bda8f72651a01da4 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 8 Dec 2016 19:06:05 +0000 Subject: [PATCH 03/10] Move koji stg to auto-generated keytabs Signed-off-by: Patrick Uiterwijk --- playbooks/groups/koji-hub.yml | 7 +++++++ roles/koji_hub/tasks/main.yml | 1 + 2 files changed, 8 insertions(+) diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index dbc124e3a8..353ed9aa4a 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml 
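Review bot: The new listener in roles/haproxy/templates/haproxy.cfg reuses the name of the section above it, `listen modernpaste 0.0.0.0:10056`, although its only server is koji01; it should read `listen koji 0.0.0.0:10056`. Two proxies sharing a name make stats and log lines ambiguous, and depending on the HAProxy version the duplicate is reported as a warning or rejected at config check. The section also binds 0.0.0.0 while the matching reverseproxy entry only connects to `http://localhost:10056`. Unless a host firewall (not visible here) closes the port, the plaintext koji backend can be reached without going through the TLS-terminating httpd; binding to 127.0.0.1 would remove that dependency.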
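Review bot: The corrected alias in PATCH 02, `- koji.stg.stg.fedoraproject.org`, still looks like a leftover of the doubled-label typo rather than a hostname anyone will request. If `{{wildcard_cert_name}}` is a single-level wildcard for the staging domain (its coverage is not visible here), it would not match a name two labels deep, so a client using the alias would get a certificate mismatch. Consider dropping `server_aliases` from this entry or replacing the alias with the intended name.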
@@ -31,6 +31,13 @@ - apache - fedmsg/base - koji_hub + - role: keytab/service + owner_user: apache + owner_group: apache + kt_location: /etc/koji-hub/koji-hub.keytab + service: host + host: "koji.stg.fedoraproject.org" + when: env == "staging" - { role: nfs/server, when: env == "staging" } - { role: keepalived, when: env == "production" and inventory_hostname.startswith('koji') } - role: nfs/client diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml index 41c189ddf4..c41c02c48d 100644 --- a/roles/koji_hub/tasks/main.yml +++ b/roles/koji_hub/tasks/main.yml @@ -85,6 +85,7 @@ - name: install koji-hub keytab copy: src={{ private }}/files/keytabs/{{ env }}/koji-hub dest=/etc/koji-hub/koji-hub.keytab owner=apache group=apache mode=0600 + when: env != "staging" notify: - reload httpd tags: From d07d4320f912d1c206643f51062215e5f66f9961 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 8 Dec 2016 19:10:35 +0000 Subject: [PATCH 04/10] We do not register host services Signed-off-by: Patrick Uiterwijk --- roles/keytab/service/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/keytab/service/tasks/main.yml b/roles/keytab/service/tasks/main.yml index 441dac6619..a98c89604f 100644 --- a/roles/keytab/service/tasks/main.yml +++ b/roles/keytab/service/tasks/main.yml @@ -44,7 +44,7 @@ - keytab - config - krb5 - when: not keytab_status.stat.exists + when: not keytab_status.stat.exists and service != "host" - name: Grant host access to keytab delegate_to: "{{ ipa_server }}" From 154614301638b9039e38943136543969ff177e91 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 8 Dec 2016 19:14:17 +0000 Subject: [PATCH 05/10] Revert "Move koji stg to auto-generated keytabs" This reverts commit 72e0942e304607cd1a1f2658bda8f72651a01da4. --- playbooks/groups/koji-hub.yml | 7 ------- roles/koji_hub/tasks/main.yml | 1 - 2 files changed, 8 deletions(-) 
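Review bot: In playbooks/groups/koji-hub.yml the new role entry requests `service: host` for `koji.stg.fedoraproject.org` and makes `apache` the owner of the resulting keytab. A web application that authenticates clients over GSSAPI normally needs only its `HTTP/` service key. Handing the httpd user the host principal's key means a compromise of the hub also exposes the machine identity wherever that principal is trusted. If the hub works with it, `service: HTTP` would be the narrower grant; confirm against what the koji-hub configuration expects.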
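Review bot: With `when: env != "staging"` on the copy task in roles/koji_hub/tasks/main.yml, the `notify: reload httpd` attached to it no longer fires in staging, and nothing visible here shows the keytab/service role triggering a reload when it writes /etc/koji-hub/koji-hub.keytab. That role is listed after `koji_hub` in the playbook, so on a fresh staging host httpd may be configured before the keytab exists. It is worth confirming that the generated-keytab path reloads httpd, and adding a comment above the condition such as `# staging gets this keytab from the keytab/service role`. The task continues past the end of the hunk.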
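Review bot: The extended condition `when: not keytab_status.stat.exists and service != "host"` in roles/keytab/service/tasks/main.yml encodes a rule that is explained only in the commit subject. A comment on the task, e.g. `# host/ principals are not registered as services, so skip this step for them`, would keep the reason next to the code. The task this condition belongs to starts above the hunk, so which step is skipped is not visible here. The following "Grant host access to keytab" task should be checked for `service: host` as well, since its own condition lies outside the hunk.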
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index 353ed9aa4a..dbc124e3a8 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml @@ -31,13 +31,6 @@ - apache - fedmsg/base - koji_hub - - role: keytab/service - owner_user: apache - owner_group: apache - kt_location: /etc/koji-hub/koji-hub.keytab - service: host - host: "koji.stg.fedoraproject.org" - when: env == "staging" - { role: nfs/server, when: env == "staging" } - { role: keepalived, when: env == "production" and inventory_hostname.startswith('koji') } - role: nfs/client diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml index c41c02c48d..41c189ddf4 100644 --- a/roles/koji_hub/tasks/main.yml +++ b/roles/koji_hub/tasks/main.yml @@ -85,7 +85,6 @@ - name: install koji-hub keytab copy: src={{ private }}/files/keytabs/{{ env }}/koji-hub dest=/etc/koji-hub/koji-hub.keytab owner=apache group=apache mode=0600 - when: env != "staging" notify: - reload httpd tags: From 9496ad5afdc4e023e44466658f5d85daa6d36914 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Dec 2016 19:37:18 +0000 Subject: [PATCH 06/10] make koji ssl only --- playbooks/include/proxies-websites.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index c36a1286fe..3e5349891a 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -478,6 +478,7 @@ - role: httpd/website name: koji.stg.fedoraproject.org server_aliases: + sslonly: true - koji.stg.stg.fedoraproject.org cert_name: "{{wildcard_cert_name}}" when: env == "staging" From 3c20df3b47eaf24acca0d853b7769ab4985d7cd0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 8 Dec 2016 19:40:41 +0000 Subject: [PATCH 07/10] fix syntax error --- playbooks/include/proxies-websites.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
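Review bot: In PATCH 06 `sslonly: true` is inserted between `server_aliases:` and its list item, which detaches `- koji.stg.stg.fedoraproject.org` from its key and breaks the entry. The new key belongs above `server_aliases:`, which is where a later patch in this series moves it. This is the second follow-up fix to the same role entry; running `ansible-playbook --syntax-check` or yamllint on the include before pushing would catch this class of error before it reaches the proxies.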
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 3e5349891a..dbeb040949 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -477,8 +477,8 @@ - role: httpd/website name: koji.stg.fedoraproject.org - server_aliases: sslonly: true + server_aliases: - koji.stg.stg.fedoraproject.org cert_name: "{{wildcard_cert_name}}" when: env == "staging" From 49655eec73f1bdaf8d2bd11d0d714e76314e277a Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 8 Dec 2016 19:59:49 +0000 Subject: [PATCH 08/10] switch infrastructure.repo to infra-tags.repo for OSBS buildroot Signed-off-by: Adam Miller --- files/osbs/buildroot-Dockerfile-production.j2 | 2 +- files/osbs/buildroot-Dockerfile-staging.j2 | 2 +- playbooks/groups/osbs-cluster.yml | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/files/osbs/buildroot-Dockerfile-production.j2 b/files/osbs/buildroot-Dockerfile-production.j2 index dc047fa184..fcc55681e2 100644 --- a/files/osbs/buildroot-Dockerfile-production.j2 +++ b/files/osbs/buildroot-Dockerfile-production.j2 @@ -1,5 +1,5 @@ FROM fedora:24 -ADD ./infrastructure.repo /etc/yum.repos.d/infrastructure.repo +ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-docker-py python-setuptools e2fsprogs koji python-backports-lzma osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* RUN sed -i 's|.*default_ccache_name.*| default_ccache_name = DIR:/tmp/ccache_%{uid}|g' /etc/krb5.conf ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/ diff --git a/files/osbs/buildroot-Dockerfile-staging.j2 b/files/osbs/buildroot-Dockerfile-staging.j2 index 5b69d5a990..17c15735c5 100644 --- a/files/osbs/buildroot-Dockerfile-staging.j2 +++ b/files/osbs/buildroot-Dockerfile-staging.j2 
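Review bot: The buildroot image now takes its package source from `ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo`, and the `dnf -y install` that follows pulls everything the builder runs from whatever that file enables. The repo file's contents are not part of this patch, so it is worth confirming that it sets `gpgcheck=1` with a known key. For a plain local file, `COPY ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo` is the more predictable instruction, since `ADD` also accepts URLs and unpacks archives. The same applies to the identical change in files/osbs/buildroot-Dockerfile-staging.j2.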
@@ -1,5 +1,5 @@ FROM fedora:24 -ADD ./infrastructure.repo /etc/yum.repos.d/infrastructure.repo +ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo RUN curl -o /etc/yum.repos.d/maxamillion-atomic-reactor-copr.repo https://copr.fedorainfracloud.org/coprs/maxamillion/atomic-reactor/repo/fedora-24/maxamillion-atomic-reactor-fedora-24.repo RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-docker-py python-setuptools e2fsprogs koji python-backports-lzma osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* RUN sed -i 's|.*default_ccache_name.*| default_ccache_name = DIR:/tmp/ccache_%{uid}|g' /etc/krb5.conf diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 65105820b5..f305086844 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -625,24 +625,24 @@ - name: stat infra repofile stat: - path: "/etc/yum.repos.d/infrastructure.repo" + path: "/etc/yum.repos.d/infra-tags.repo" register: infra_repo_stat - name: stat /etc/osbs/buildroot/ infra repofile stat: - path: "/etc/osbs/buildroot/infrastructure.repo" + path: "/etc/osbs/buildroot/infra-tags.repo" register: etcosbs_infra_repo_stat - name: remove old /etc/osbs/buildroot/ infra repofile file: - path: "/etc/osbs/buildroot/infrastructure.repo" + path: "/etc/osbs/buildroot/infra-tags.repo" state: absent when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum - name: Copy repofile for buildroot container (because Docker) copy: - src: "/etc/yum.repos.d/infrastructure.repo" - dest: "/etc/osbs/buildroot/infrastructure.repo" + src: "/etc/yum.repos.d/infra-tags.repo" + dest: "/etc/osbs/buildroot/infra-tags.repo" remote_src: true notify: - buildroot container From ebed0f97571de3346afb02c23c32b7e14666ab7b Mon Sep 17 00:00:00 2001 
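Review bot: After the rename in playbooks/groups/osbs-cluster.yml the "remove old /etc/osbs/buildroot/ infra repofile" task only ever looks at infra-tags.repo, so a previously copied `/etc/osbs/buildroot/infrastructure.repo` stays in the build context directory on existing hosts. A one-off cleanup such as `file: path=/etc/osbs/buildroot/infrastructure.repo state=absent` would remove it. The tasks also assume `/etc/yum.repos.d/infra-tags.repo` is already present on the host. If it is missing, `infra_repo_stat.stat.checksum` is undefined and the `remote_src` copy fails, so a guard on `infra_repo_stat.stat.exists` would give a clearer failure.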
From: Adam Miller Date: Thu, 8 Dec 2016 23:41:55 +0000 Subject: [PATCH 09/10] set ansible-ansbile-openshfit-ansible cluter-inventory.j2 not to manage htpasswd Signed-off-by: Adam Miller --- .../templates/cluster-inventory.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 97f2fb7789..620cea2214 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -9,6 +9,7 @@ ansible_ssh_user=root debug_level=2 deployment_type=origin openshift_release={{ openshift_release }} +openshift_master_manage_htpasswd=false openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '{{ openshift_htpasswd_file }}'}] openshift_master_public_api_url={{ openshift_master_public_api_url }} From ceae8027333a289c0e0dcd02c97d9c9cff444eb2 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Fri, 9 Dec 2016 00:10:54 +0000 Subject: [PATCH 10/10] fix koji_hub entry for prod buildvm osbs-client role Signed-off-by: Adam Miller --- playbooks/groups/buildvm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index 6b10061be7..1290a79d39 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -123,7 +123,7 @@ source_registry_uri: 'https://{{ source_registry }}/v2', build_host: '{{ osbs_url }}', koji_root: 'http://{{ koji_root }}', - koji_hub: 'https://koji.stg.fedoraproject.org/kojihub', + koji_hub: 'https://koji.fedoraproject.org/kojihub', sources_command: 'fedpkg sources', build_type: 'prod', authoritative_registry: 'registry.example.com',
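Review bot: With `openshift_master_manage_htpasswd=false` the installer stops writing the htpasswd file, but the identity provider on the next line still points at `{{ openshift_htpasswd_file }}`, so that file must now be created and protected by something outside this template. Nothing in this patch shows where that happens. A comment above the new line, e.g. `# htpasswd file is provisioned outside openshift-ansible; see <task that creates it>`, would make the dependency visible. Whatever task owns the file should set a restrictive owner and mode, since it holds password hashes.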
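Review bot: The corrected value `koji_hub: 'https://koji.fedoraproject.org/kojihub',` in playbooks/groups/buildvm.yml is still a hard-coded hostname in a block whose neighbours (`koji_root`, `build_host`, `source_registry_uri`) are templated, which is probably how a staging URL ended up in the prod entry. Deriving it from an environment-scoped variable, e.g. `koji_hub: 'https://{{ koji_hub_host }}/kojihub',` (the variable name is a placeholder), would keep prod and staging from drifting again. The context line `koji_root: 'http://{{ koji_root }}',` uses plain HTTP; if the builder fetches content through it, that deserves a separate look. The enclosing mapping starts and ends outside the hunk.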