diff --git a/files/hotfix/autocloud/__init__.py b/files/hotfix/autocloud/__init__.py
deleted file mode 100644
index 77cb9147aa..0000000000
--- a/files/hotfix/autocloud/__init__.py
+++ /dev/null
@@ -1,89 +0,0 @@ -# -*- coding: utf-8 -*- -from retask.task import Task -from retask.queue import Queue - -import autocloud -from autocloud.models import init_model, ComposeJobDetails -from autocloud.producer import publish_to_fedmsg - -import datetime - -import logging -log = logging.getLogger("fedmsg") - - -def produce_jobs(infox): - """ Queue the jobs into jobqueue - :args infox: list of dictionaries contains the image url and the buildid - """ - jobqueue = Queue('jobqueue') - jobqueue.connect() - - family_mapping = { - 'Cloud_Base': 'b', - 'Atomic': 'a' - } - - session = init_model() - timestamp = datetime.datetime.now() - for info in infox: - image_name = info['path'].split('/')[-1].split(info['arch'])[0] - jd = ComposeJobDetails( - arch=info['arch'], - compose_id=info['compose']['id'], - created_on=timestamp, - family=family_mapping[info['subvariant']], - image_url=info['absolute_path'], - last_updated=timestamp, - release=info['compose']['release'], - status='q', - subvariant=info['subvariant'], - user='admin', - image_format=info['format'], - image_type=info['type'], - image_name=image_name, - ) - session.add(jd) - session.commit() - - job_details_id = jd.id - log.info('Save {jd_id} to database'.format(jd_id=job_details_id)) - - info.update({'job_id': jd.id}) - task = Task(info) - jobqueue.enqueue(task) - log.info('Enqueue {jd_id} to redis'.format(jd_id=job_details_id)) - - publish_to_fedmsg(topic='image.queued', - compose_url=info['absolute_path'], - compose_id=info['compose']['id'], - image_name=image_name, - status='queued', - job_id=info['job_id'], - release=info['compose']['release'], - family=jd.family.value, - type=info['type']) - - session.close() - - -def is_valid_image(image_url): - if autocloud.VIRTUALBOX: - supported_image_ext = ('.vagrant-virtualbox.box',) - else: - supported_image_ext = ('.qcow2', '.vagrant-libvirt.box') - - if image_url.endswith(supported_image_ext): - return True - - return False - - -def get_image_name(image_name): - if 
'vagrant' in image_name.lower():
- if autocloud.VIRTUALBOX:
- image_name = '{image_name}-Virtualbox'.format(
- image_name=image_name)
- else:
- image_name = '{image_name}-Libvirt'.format(image_name=image_name)
- return image_name
diff --git a/files/hotfix/autocloud/consumer.py b/files/hotfix/autocloud/consumer.py
index 99b8b65805..c216553251 100644
--- a/files/hotfix/autocloud/consumer.py
+++ b/files/hotfix/autocloud/consumer.py
@@ -9,7 +9,7 @@ from sqlalchemy import exc
 import autocloud
-from autocloud.models import init_model, ComposeDetails
+from autocloud.models import init_model, ComposeDetails, ComposeJobDetails
 from autocloud.producer import publish_to_fedmsg
 from autocloud.utils import is_valid_image, produce_jobs
@@ -37,6 +37,8 @@ class AutoCloudConsumer(fedmsg.consumers.FedmsgConsumer):
 config_key = 'autocloud.consumer.enabled'
 def __init__(self, *args, **kwargs):
+ self.supported_archs = [arch for arch, _ in ComposeJobDetails.ARCH_TYPES]
+
 log.info("Autocloud Consumer is ready for action.")
 super(AutoCloudConsumer, self).__init__(*args, **kwargs)
@@ -79,9 +81,7 @@ class AutoCloudConsumer(fedmsg.consumers.FedmsgConsumer):
 compose_image = compose_images[variant]
 for arch, payload in compose_image.iteritems():
- # aarch64 is not supported so filter if the arch is
- # 'aarch64'
- if arch == 'aarch64':
+ if arch not in self.supported_archs:
 continue
 for item in payload:
diff --git a/files/hotfix/autocloud/models.py b/files/hotfix/autocloud/models.py
deleted file mode 100644
index 43f75f6f83..0000000000
--- a/files/hotfix/autocloud/models.py
+++ /dev/null
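Review bot: `if arch not in self.supported_archs:` replaces the explicit aarch64 exclusion with whatever `ComposeJobDetails.ARCH_TYPES` declares, and the hotfix `models.py` deleted in this same commit listed `('aarch64', 'aarch64')` there, so whether aarch64 images now get queued depends on which `autocloud.models` is installed on the consumer host rather than on anything visible in this hunk. If aarch64 is still meant to be skipped until the workers can run it, keep that intent explicit, e.g. `self.supported_archs = frozenset(arch for arch, _ in ComposeJobDetails.ARCH_TYPES) - {'aarch64'}`; otherwise add a comment on the new `__init__` line such as `# any arch in the model's ARCH_TYPES is queued; enable one by editing the model, not this file`. A `frozenset` also turns the per-image membership test into a hash lookup, which at three entries is only a style point. Both `__init__` and the loop that contains the filter continue outside the hunk.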
@@ -1,122 +0,0 @@ -# -*- coding: utf-8 -*- - -import datetime - -from sqlalchemy import Column, Integer, String, DateTime, Text -from sqlalchemy.ext.declarative import declarative_base -from sqlalchemy import create_engine -from sqlalchemy.orm import sessionmaker -from sqlalchemy.orm import scoped_session -from sqlalchemy_utils import ChoiceType - -import autocloud - -Base = declarative_base() - - -class JobDetails(Base): - __tablename__ = 'job_details' - - STATUS_TYPES = ( - ('s', 'Success'), - ('f', 'Failed'), - ('a', 'Aborted'), - ('r', 'Running'), - ('q', 'Queued') - ) - - IMAGE_FAMILY_TYPES = ( - ('b', 'Base'), - ('a', 'Atomic') - ) - - ARCH_TYPES = ( - ('i386', 'i386'), - ('x86_64', 'x86_64') - ) - - id = Column(Integer, primary_key=True) - taskid = Column(String(255), nullable=False) - status = Column(ChoiceType(STATUS_TYPES)) - family = Column(ChoiceType(IMAGE_FAMILY_TYPES)) - arch = Column(ChoiceType(ARCH_TYPES)) - release = Column(String(255)) - output = Column(Text, nullable=False, default='') - created_on = Column(DateTime, default=datetime.datetime.utcnow) - last_updated = Column(DateTime, default=datetime.datetime.utcnow) - user = Column(String(255), nullable=False) - - -class ComposeDetails(Base): - __tablename__ = 'compose_details' - - STATUS_TYPES = ( - ('c', 'Complete'), - ('q', 'Queued'), - ('r', 'Running'), - ) - id = Column(Integer, primary_key=True) - date = Column(DateTime, nullable=False) - compose_id = Column(String(255), nullable=False, unique=True) - respin = Column(Integer, nullable=False) - type = Column(String(255), nullable=False) - passed = Column(Integer, nullable=True, default=0) - failed = Column(Integer, nullable=True, default=0) - status = Column(ChoiceType(STATUS_TYPES)) - created_on = Column(DateTime, default=datetime.datetime.utcnow) - last_updated = Column(DateTime, default=datetime.datetime.utcnow) - location = Column(String(255), nullable=False) - - -class ComposeJobDetails(Base): - __tablename__ = 'compose_job_details' - 
- STATUS_TYPES = ( - ('s', 'Success'), - ('f', 'Failed'), - ('a', 'Aborted'), - ('r', 'Running'), - ('q', 'Queued') - ) - - IMAGE_FAMILY_TYPES = ( - ('b', u'Base'), - ('a', u'Atomic') - ) - - ARCH_TYPES = ( - ('i386', 'i386'), - ('x86_64', 'x86_64'), - ('aarch64', 'aarch64') - ) - - id = Column(Integer, primary_key=True) - arch = Column(ChoiceType(ARCH_TYPES)) - compose_id = Column(String(255), nullable=False) - created_on = Column(DateTime, default=datetime.datetime.utcnow) - family = Column(ChoiceType(IMAGE_FAMILY_TYPES)) - image_url = Column(String(255), nullable=False) - last_updated = Column(DateTime, default=datetime.datetime.utcnow) - output = Column(Text, nullable=False, default='') - release = Column(String(255)) - status = Column(ChoiceType(STATUS_TYPES)) - subvariant = Column(String(255), nullable=False) - user = Column(String(255), nullable=False) - image_format = Column(String(255), nullable=False) - image_type = Column(String(255), nullable=False) - image_name = Column(String(255), nullable=False) - - -def create_tables(): - # Create an engine that stores data in the local directory - engine = create_engine(autocloud.SQLALCHEMY_URI) - - # Create all tables in the engine. This is equivalent to "Create Table" - # statements in raw SQL. - Base.metadata.create_all(engine) - - -def init_model(): - engine = create_engine(autocloud.SQLALCHEMY_URI) - scopedsession = scoped_session(sessionmaker(bind=engine)) - return scopedsession diff --git a/files/httpd/fedorahosted-redirects.conf b/files/httpd/fedorahosted-redirects.conf index b209629edd..a54574dabb 100644 --- a/files/httpd/fedorahosted-redirects.conf +++ b/files/httpd/fedorahosted-redirects.conf 
@@ -178,6 +178,10 @@ RewriteRule ^/fedora-badges/report https://pagure.io/Fedora-Badges/issues [R=301
 RewriteRule ^/fedora-badges/ticket/(.*) https://pagure.io/Fedora-Badges/issue/$1 [R=301]
 RewriteRule ^/fedora-badges https://pagure.io/Fedora-Badges [R=301]
+RewriteRule ^/bind-dyndb-ldap/wiki https://docs.pagure.org/bind-dyndb-ldap/ [R=301]
+RewriteRule ^/bind-dyndb-ldap/wiki/ https://docs.pagure.org/bind-dyndb-ldap/ [R=301]
+RewriteRule ^/bind-dyndb-ldap/wiki/(.*) https://docs.pagure.org/bind-dyndb-ldap/$1.html [R=301]
+RewriteRule ^/bind-dyndb-ldap/wiki/(.*)/ https://docs.pagure.org/bind-dyndb-ldap/$1.html [R=301]
 RewriteRule ^/bind-dyndb-ldap/report https://pagure.io/bind-dyndb-ldap/issues [R=301]
 RewriteRule ^/bind-dyndb-ldap/ticket/(.*) https://pagure.io/bind-dyndb-ldap/issue/$1 [R=301]
 RewriteRule ^/bind-dyndb-ldap/changeset/(.*) https://pagure.io/bind-dyndb-ldap/c/$1 [R=301]
diff --git a/files/loopabull/loopabull@.service b/files/loopabull/loopabull@.service
new file mode 100644
index 0000000000..043c555762
--- /dev/null
+++ b/files/loopabull/loopabull@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=loopabull worker #%i
+After=network.target
+Documentation=https://github.com/maxamillion/loopabull
+
+[Service]
+ExecStart=/usr/bin/loopabull $CONFIG_FILE
+User=root
+Group=root
+Restart=on-failure
+Type=simple
+EnvironmentFile=-/etc/sysconfig/loopabull
+Restart=on-failure
+PrivateTmp=yes
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/files/loopabull/serializer.py b/files/loopabull/serializer.py
new file mode 100644
index 0000000000..cdbbfd7f09
--- /dev/null
+++ b/files/loopabull/serializer.py
@@ -0,0 +1 @@
+config = { "rabbitmq.serializer.enabled": True }
\ No newline at end of file
diff --git a/files/openshift/openshift.repo b/files/openshift/openshift.repo
new file mode 100644
index 0000000000..b4dbadbd97
--- /dev/null
+++ b/files/openshift/openshift.repo
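Review bot: The first new rule `RewriteRule ^/bind-dyndb-ldap/wiki https://docs.pagure.org/bind-dyndb-ldap/ [R=301]` has no end anchor, so it also matches `/bind-dyndb-ldap/wiki/SomePage` and sends every wiki page to the docs index before the `wiki/(.*)` rule below it is consulted, which inverts the specific-before-general order the rest of this file uses (`/fedora-badges/report` and `/ticket/` precede the bare `/fedora-badges` rule). The fourth rule `^/bind-dyndb-ldap/wiki/(.*)/` is unreachable for the same reason: the greedy `(.*)` rule above it already matches a trailing slash and emits `.../SomePage/.html`. Two anchored rules cover all four cases: `RewriteRule ^/bind-dyndb-ldap/wiki/?$ https://docs.pagure.org/bind-dyndb-ldap/ [R=301]` followed by `RewriteRule ^/bind-dyndb-ldap/wiki/(.*?)/?$ https://docs.pagure.org/bind-dyndb-ldap/$1.html [R=301]`. None of the rules in this block carry `[L]`, so whether later rules still run after a redirecting match depends on the context this file is included from, which is not visible here.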
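Review bot: The `[Service]` section runs the worker as `User=root`/`Group=root` with `PrivateTmp=yes` as the only confinement and gives no reason root is required; for a long-running daemon triggered by external messages the expected baseline is a dedicated service account plus `NoNewPrivileges=yes`, `ProtectSystem=full` and `ProtectHome=yes`, or at least a comment naming the operation that needs root. `Restart=on-failure` appears twice (before `Type=simple` and again after `EnvironmentFile=`); drop one. `ExecStart=/usr/bin/loopabull $CONFIG_FILE` is word-split, and because `EnvironmentFile=-/etc/sysconfig/loopabull` is optional, a missing sysconfig file silently starts the worker with no config argument at all; `ExecStart=/usr/bin/loopabull ${CONFIG_FILE}` keeps the path as one argument, and dropping the leading `-` makes a missing file fail the unit instead. What loopabull does with its config is not visible here, so the root requirement is a question to confirm rather than a proven defect.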
@@ -0,0 +1,9 @@
+[rhel7-openshift-3.4]
+name = rhel7 openshift 3.4 $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.4-rpms/
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+[rhel7-openshift-3.5]
+name = rhel7 openshift 3.5 $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.5-rpms/
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index a7c6ae20e5..5a32cb62a1 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -56,7 +56,7 @@
 - name: restart openvpn (Fedora)
 when: ansible_distribution == "Fedora"
- action: service name=openvpn@openvpn state=restarted
+ action: service name=openvpn-client@openvpn state=restarted
 #notify:
 #- fix openvpn routing
@@ -68,7 +68,7 @@
 - name: restart openvpn (RHEL7)
 when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7
- action: service name=openvpn@openvpn state=restarted
+ action: service name=openvpn-client@openvpn state=restarted
 #notify:
 #- fix openvpn routing
diff --git a/inventory/backups b/inventory/backups
index 8f46e5d857..eb23e03553 100644
--- a/inventory/backups
+++ b/inventory/backups
@@ -17,11 +17,12 @@ db-koji01.phx2.fedoraproject.org
 #copr-be.cloud.fedoraproject.org
 copr-fe.cloud.fedoraproject.org
 copr-keygen.cloud.fedoraproject.org
-copr-dist-git.fedorainfracloud.org
+#copr-dist-git.fedorainfracloud.org
 value01.phx2.fedoraproject.org
 taiga.fedorainfracloud.org
 taskotron01.qa.fedoraproject.org
 nuancier01.phx2.fedoraproject.org
 piwik.fedorainfracloud.org
-#magazine.fedorainfracloud.org
+magazine2.fedorainfracloud.org
 communityblog.fedorainfracloud.org
+upstreamfirst.fedorainfracloud.org
diff --git a/inventory/builders b/inventory/builders
index 21a661d319..5e2e283c8b 100644
--- a/inventory/builders
+++ b/inventory/builders
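Review bot: Neither stanza sets `gpgcheck=1`, so the `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` line only takes effect if the host's yum.conf `[main]` already turns signature checking on — nothing in this file guarantees that — and both `baseurl=` values are plain `http://`, so packages from these repos can be substituted in transit without anything noticing. Add `gpgcheck=1` under both `[rhel7-openshift-3.4]` and `[rhel7-openshift-3.5]`, and an explicit `enabled=` line so that having 3.4 and 3.5 active at the same time is a deliberate choice rather than the default. Minor: `name = ...` uses spaces around `=` while `baseurl=` and `gpgkey=` do not.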
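Review bot: `copr-dist-git.fedorainfracloud.org` is commented out of the backup list with no record of why, or of where its data is now protected; a dist-git host holds the sources every copr build is made from, so silently dropping its backups is the kind of change an incident review later has to reconstruct. This file already carries `#copr-be.cloud.fedoraproject.org` without a reason, so the convention is weak, but a trailing note such as `#copr-dist-git.fedorainfracloud.org  # backups moved to <where> on <date>` (or the actual reason) would cost one line.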
@@ -1,4 +1,3 @@
-
 [buildvm]
 buildvm-01.phx2.fedoraproject.org
 buildvm-02.phx2.fedoraproject.org
@@ -169,24 +168,6 @@ buildhw-aarch64-01.arm.fedoraproject.org
 buildhw-aarch64-02.arm.fedoraproject.org
 buildhw-aarch64-03.arm.fedoraproject.org
-[dell-fx-build]
-# dell-fx01-01.phx2.fedoraproject.org
-# dell-fx01-02.phx2.fedoraproject.org
-# dell-fx01-03.phx2.fedoraproject.org
-# dell-fx01-04.phx2.fedoraproject.org
-# dell-fx01-05.phx2.fedoraproject.org
-# dell-fx01-06.phx2.fedoraproject.org
-# dell-fx01-07.phx2.fedoraproject.org
-# dell-fx01-08.phx2.fedoraproject.org
-# dell-fx02-01.phx2.fedoraproject.org
-# dell-fx02-02.phx2.fedoraproject.org
-# dell-fx02-03.phx2.fedoraproject.org
-# dell-fx02-04.phx2.fedoraproject.org
-# dell-fx02-05.phx2.fedoraproject.org
-# dell-fx02-06.phx2.fedoraproject.org
-# dell-fx02-07.phx2.fedoraproject.org
-# dell-fx02-08.phx2.fedoraproject.org
-
 #
 # These are primary koji builders.
 #
@@ -259,9 +240,6 @@ arm01
 arm02
 arm04
-#
-# These are secondary arch builders.
-#
 [arm01]
 # 01 is in use as retrace instance
 arm01-builder00.arm.fedoraproject.org
@@ -286,6 +264,7 @@ arm01-builder18.arm.fedoraproject.org
 arm01-builder19.arm.fedoraproject.org
 arm01-builder20.arm.fedoraproject.org
 arm01-builder21.arm.fedoraproject.org
+# These two are using in staging
 #arm01-builder22.arm.fedoraproject.org
 #arm01-builder23.arm.fedoraproject.org
diff --git a/inventory/cloud b/inventory/cloud
index 0610f02a81..46e6bb3f00 100644
--- a/inventory/cloud
+++ b/inventory/cloud
@@ -81,3 +81,4 @@ twisted-fedora25-2.fedorainfracloud.org
 twisted-rhel7-1.fedorainfracloud.org
 twisted-rhel7-2.fedorainfracloud.org
 waiverdb-dev.fedorainfracloud.org
+upstreamfirst.fedorainfracloud.org
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 98a057a63b..9b71063dab 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
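Review bot: The added comment `# These two are using in staging` reads as a typo for `# These two are used in staging`. The neighbouring hunk deletes the `# These are secondary arch builders.` banner above `[arm01]` while the arm groups themselves stay, so the file loses its only explanation of what the `arm0x` groups are; if those builders are no longer considered secondary, a one-line replacement banner stating what they are now would keep the inventory self-describing.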
@@ -138,6 +138,12 @@ wildcard_crt_file: wildcard-2017.fedoraproject.org.cert
 wildcard_key_file: wildcard-2017.fedoraproject.org.key
 wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert
+# This is the openshift wildcard cert. Until it exists set it equal to wildcard
+os_wildcard_cert_name: wildcard-2017.fedoraproject.org
+os_wildcard_crt_file: wildcard-2017.fedoraproject.org.cert
+os_wildcard_key_file: wildcard-2017.fedoraproject.org.key
+os_wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert
+
 # Everywhere, always, we should sign messages and validate signatures.
 # However, we allow individual hosts and groups to override this. Use this very
 # carefully.. and never in production (good for testing stuff in staging).
@@ -266,4 +272,6 @@ nagios_Check_Services:
 dhcpd: false
 httpd: false
-
+# Set variable if we want to use our global iptables defaults
+# Some things need to set their own.
+baseiptables: True
diff --git a/inventory/group_vars/buildaarch64 b/inventory/group_vars/buildaarch64
index a878d1e3f8..7a1af647fa 100644
--- a/inventory/group_vars/buildaarch64
+++ b/inventory/group_vars/buildaarch64
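Review bot: `os_wildcard_key_file: wildcard-2017.fedoraproject.org.key` hands the production wildcard private key to whatever role consumes the `os_wildcard_*` variables — the name suggests the OpenShift router — so that key will now also live on hosts this same commit takes out of the base iptables policy (`baseiptables: False` in the `os` and `osbs` groups); the comment `# This is the openshift wildcard cert. Until it exists set it equal to wildcard` should be a tracked item, e.g. `# TODO(<owner>): switch to the app.os wildcard once issued and remove the main wildcard key from the os hosts`. The file variable here is spelled `os_wildcard_crt_file`, while the staging override added by this commit is `os_wildcard_cert_file`, mirroring the pre-existing `wildcard_crt_file`/`wildcard_cert_file` split; whichever spelling the role reads, only one environment defines it, so staging either serves the production `.cert` with its own key or production fails on an undefined variable. Pick one spelling in both files.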
@@ -1,26 +1,2 @@
 ---
-host_group: kojibuilder
-fas_client_groups: sysadmin-releng,sysadmin-secondary
-sudoers: "{{ private }}/files/sudo/buildsecondary-sudoers"
-gw: 10.5.78.254
-
-kojipkgs_url: armpkgs.fedoraproject.org
-kojihub_url: arm.koji.fedoraproject.org/kojihub
-kojihub_scheme: https
-
-koji_hub_nfs: "fedora_arm/data"
-koji_server_url: "https://arm.koji.fedoraproject.org/kojihub"
-koji_weburl: "https://arm.koji.fedoraproject.org/koji"
-koji_topurl: "https://armpkgs.fedoraproject.org/"
-
-# These variables are pushed into /etc/system_identification by the base role.
-# Groups and individual hosts should ovveride them with specific info.
-# See http://infrastructure.fedoraproject.org/csi/security-policy/
-
-csi_security_category: High
-csi_primary_contact: Fedora Admins - admin@fedoraproject.org
-csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This group builds packages for aarch64 architecture.
-csi_relationship: |
- * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
- * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
- * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
+sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers"
diff --git a/inventory/group_vars/buildppc b/inventory/group_vars/buildppc
index 711b66838a..53dfc80057 100644
--- a/inventory/group_vars/buildppc
+++ b/inventory/group_vars/buildppc
@@ -17,7 +17,7 @@ virt_install_command: "{{ virt_install_command_one_nic }} --graphics none"
 # the host_vars/$hostname file
 host_group: kojibuilder
 fas_client_groups: sysadmin-releng,sysadmin-secondary
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers"
 koji_hub_nfs: "fedora_ppc/data"
 koji_server_url: "https://ppc.koji.fedoraproject.org/kojihub"
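Review bot: This hunk empties `group_vars/buildaarch64` down to a single `sudoers:` line, deleting `host_group: kojibuilder`, `fas_client_groups: sysadmin-releng,sysadmin-secondary`, the `koji_*` URLs and the whole `csi_*` block including `csi_security_category: High`; nothing in the hunk says which other group now supplies these for the `buildhw-aarch64-*` hosts, so if they are still members of this group they fall back to the `all` defaults for FAS access and lose their CSI classification entirely. If the hosts were moved to a group that carries equivalent settings, a one-line comment at the top of this file such as `# builder settings for aarch64 now come from group_vars/<group>` would record that; otherwise the removed block should stay. I cannot see the group membership for these hosts, so this is a request to confirm rather than a proven defect.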
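Review bot: `sudoers:` is switched from `00releng-sudoers` to `sysadmin-secondary-sudoers` for the ppc builders, and the same swap or addition appears for buildppcle, buildvm-s390-01, the compose-* hosts and db-ppc-koji01 elsewhere in this commit; both files live in the private repository, so the resulting change in who can sudo on build infrastructure cannot be reviewed from this diff. An access change of that kind should state its intended effect where it is made, e.g. `sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers"  # secondary-arch admins instead of primary releng`, so that the diff is auditable without opening the private repo.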
diff --git a/inventory/group_vars/buildppcle b/inventory/group_vars/buildppcle
index 2067d3372f..8ef031bc9a 100644
--- a/inventory/group_vars/buildppcle
+++ b/inventory/group_vars/buildppcle
@@ -17,7 +17,7 @@ virt_install_command: "{{ virt_install_command_one_nic }} --graphics none"
 # the host_vars/$hostname file
 host_group: kojibuilder
 fas_client_groups: sysadmin-releng,sysadmin-secondary
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers"
 koji_hub_nfs: "fedora_ppc/data"
 koji_server_url: "https://ppc.koji.fedoraproject.org/kojihub"
diff --git a/inventory/group_vars/ci b/inventory/group_vars/ci
new file mode 100644
index 0000000000..5224b289a8
--- /dev/null
+++ b/inventory/group_vars/ci
@@ -0,0 +1,100 @@
+---
+############################################################
+# general information
+############################################################
+# common items for the releng-* boxes
+lvm_size: 50000
+mem_size: 4096
+num_cpus: 4
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443, "{{ resultsdb_db_port }}" ]
+fas_client_groups: sysadmin-qa,sysadmin-noc,sysadmin-web
+nrpe_procs_warn: 250
+nrpe_procs_crit: 300
+
+external_hostname: resultsdb.ci.centos.org
+deployment_type: prod
+
+freezes: false
+
+#
+# PostgreSQL configuration
+#
+
+shared_buffers: "32MB"
+effective_cache_size: "512MB"
+
+
+############################################################
+# resultsdb details
+############################################################
+
+# the db_host_machine bits are so that delegation continues to work, even if
+# that db is localhost relative to resultsdb
+
+resultsdb_db_host_machine: ci-cc-rdu01.fedoraproject.org
+resultsdb_db_host: "{{ resultsdb_db_host_machine }}"
+resultsdb_db_port: 5432
+resultsdb_endpoint: 'resultsdb_api'
+resultsdb_db_name: resultsdb
+resultsdb_db_user: "{{ ci_resultsdb_db_user }}"
+resultsdb_db_password: "{{ ci_resultsdb_db_password }}"
+resultsdb_secret_key: "{{ ci_resultsdb_secret_key }}"
+
+allowed_hosts:
+ - 10.5.124
+ - 10.5.131
+
+
+############################################################
+# resultsdb-frontend details
+############################################################
+resultsdb_fe_endpoint: "resultsdb"
+resultsdb_frontend_secret_key: "{{ ci_resultsdb_frontend_secret_key }}"
+
+
+###########################################################
+# execdb details
+###########################################################
+execdb_db_host_machine: ci-cc-rdu01.fedoraproject.org
+execdb_db_host: "{{ execdb_db_host_machine }}"
+execdb_db_port: 5432
+execdb_endpoint: 'execdb'
+execdb_db_name: execdb
+execdb_db_user: "{{ 
ci_execdb_db_user }}"
+execdb_db_password: "{{ ci_execdb_db_password }}"
+execdb_secret_key: "{{ ci_execdb_secret_key }}"
+
+
+###########################################################
+# ccsdb details
+###########################################################
+ccsdb_db_host_machine: ci-cc-rdu01.fedoraproject.org
+ccsdb_db_host: "{{ ccsdb_db_host_machine }}"
+ccsdb_db_port: 5432
+ccsdb_endpoint: 'ccsdb'
+ccsdb_db_name: ccsdb
+ccsdb_db_user: "{{ ci_ccsdb_db_user }}"
+ccsdb_db_password: "{{ ci_ccsdb_db_password }}"
+ccsdb_secret_key: "{{ ci_ccsdb_secret_key }}"
+
+
+############################################################
+# fedmsg details
+############################################################
+fedmsg_active: False
+fedmsg_cert_prefix: ci.resultsdb
+
+fedmsg_certs:
+- service: shell
+ owner: root
+ group: sysadmin
+ can_send:
+ - logger.log
+- service: resultsdb
+ owner: root
+ group: apache
+ can_send:
+ - taskotron.result.new
diff --git a/inventory/group_vars/copr-back b/inventory/group_vars/copr-back
index 909f14b97a..9a98c79961 100644
--- a/inventory/group_vars/copr-back
+++ b/inventory/group_vars/copr-back
@@ -7,7 +7,6 @@ copr_nova_tenant_name: "copr"
 copr_nova_username: "copr"
 # copr_builder_image_name: "Fedora-Cloud-Base-20141203-21"
-copr_builder_image_name: "builder-f24"
 copr_builder_flavor_name: "ms2.builder"
 copr_builder_network_name: "copr-net"
 copr_builder_key_name: "buildsys"
diff --git a/inventory/group_vars/fedimg-stg b/inventory/group_vars/fedimg-stg
index 22eea74296..c6e7339a61 100644
--- a/inventory/group_vars/fedimg-stg
+++ b/inventory/group_vars/fedimg-stg
@@ -15,6 +15,8 @@ tcp_ports: [
 # TODO, restrict this down to just sysadmin-releng
 fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg,fi-apprentice,sysadmin-noc,sysadmin-veteran
+fedmsg_debug_loopback: True
+
 # These people get told when something goes wrong.
 fedmsg_error_recipients:
 - sysadmin-fedimg-members@fedoraproject.org
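Review bot: `tcp_ports: [ 80, 443, "{{ resultsdb_db_port }}" ]` opens PostgreSQL (5432) in the host firewall, yet `resultsdb_db_host_machine: ci-cc-rdu01.fedoraproject.org` and the comment `# that db is localhost relative to resultsdb` say the database sits on the same box as its clients, so no remote peer needs that port; the host_vars added in this commit give ci-cc-rdu01 a public address (`eth0_ip: 8.43.85.69`), which leaves the database listener reachable from the internet with the `allowed_hosts` prefixes (`10.5.124`, `10.5.131`) as an application-layer filter only. Unless remote execdb/ccsdb clients are known to need it, use `tcp_ports: [ 80, 443 ]`; if some do, restrict by source via `custom_rules:` the way packages-stg does for rsync, e.g. `custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.124.0/24 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.131.0/24 --dport 5432 -j ACCEPT' ]`. That `tcp_ports` produces an unrestricted accept rule is inferred from how it is used elsewhere in this repository and should be confirmed against the iptables role.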
diff --git a/inventory/group_vars/modernpaste b/inventory/group_vars/modernpaste
new file mode 100644
index 0000000000..caee69f777
--- /dev/null
+++ b/inventory/group_vars/modernpaste
@@ -0,0 +1,5 @@
+---
+freezes: false
+mem_size: 4096
+num_cpus: 2
+tcp_ports: [22, 80, 443]
diff --git a/inventory/group_vars/openstack-compute b/inventory/group_vars/openstack-compute
index af900eeef7..0fed5183fd 100644
--- a/inventory/group_vars/openstack-compute
+++ b/inventory/group_vars/openstack-compute
@@ -3,3 +3,4 @@ host_group: openstack-compute
 nrpe_procs_warn: 1100
 nrpe_procs_crit: 1200
 ansible_ifcfg_blacklist: true
+baseiptables: False
diff --git a/inventory/group_vars/os b/inventory/group_vars/os
new file mode 100644
index 0000000000..53196a3e9e
--- /dev/null
+++ b/inventory/group_vars/os
@@ -0,0 +1,3 @@
+---
+host_group: os
+baseiptables: False
diff --git a/inventory/group_vars/os-control-stg b/inventory/group_vars/os-control-stg
new file mode 100644
index 0000000000..63a4f230c3
--- /dev/null
+++ b/inventory/group_vars/os-control-stg
@@ -0,0 +1,4 @@
+---
+
+os_url: os.stg.fedoraproject.org
+os_app_url: app.os.stg.fedoraproject.org
diff --git a/inventory/group_vars/os-masters-stg b/inventory/group_vars/os-masters-stg
new file mode 100644
index 0000000000..63a4f230c3
--- /dev/null
+++ b/inventory/group_vars/os-masters-stg
@@ -0,0 +1,4 @@
+---
+
+os_url: os.stg.fedoraproject.org
+os_app_url: app.os.stg.fedoraproject.org
diff --git a/inventory/group_vars/os-nodes-stg b/inventory/group_vars/os-nodes-stg
new file mode 100644
index 0000000000..63a4f230c3
--- /dev/null
+++ b/inventory/group_vars/os-nodes-stg
@@ -0,0 +1,4 @@
+---
+
+os_url: os.stg.fedoraproject.org
+os_app_url: app.os.stg.fedoraproject.org
diff --git a/inventory/group_vars/os-stg b/inventory/group_vars/os-stg
new file mode 100644
index 0000000000..53196a3e9e
--- /dev/null
+++ b/inventory/group_vars/os-stg
@@ -0,0 +1,3 @@
+---
+host_group: os
+baseiptables: False
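Review bot: `baseiptables: False` in `group_vars/os` (and likewise in `os-stg` and `openstack-compute` on this line) switches the OpenShift and compute hosts off the repository's default iptables policy, and none of the three files records what takes its place; the only explanation added in this commit is the `all` comment `# Some things need to set their own.`. Anyone auditing exposure of these hosts has to guess whether the OpenShift installer, the openstack role, or nothing at all manages the firewall afterwards, so each flag should carry that answer on the line, e.g. `baseiptables: False  # firewall is owned by the openshift-ansible install; see roles/<role>`. Which component does own it is not visible from the diff, so the wording above is a placeholder to confirm.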
diff --git a/inventory/group_vars/osbs b/inventory/group_vars/osbs
index d337069253..ea03d3700e 100644
--- a/inventory/group_vars/osbs
+++ b/inventory/group_vars/osbs
@@ -19,3 +19,5 @@ osbs_koji_username: "kojibuilder"
 koji_url: "koji.fedoraproject.org"
 osbs_client_conf_path: /etc/osbs.conf
+
+baseiptables: False
diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg
new file mode 100644
index 0000000000..2e3e4d513d
--- /dev/null
+++ b/inventory/group_vars/osbs-stg
@@ -0,0 +1,2 @@
+---
+baseiptables: False
diff --git a/inventory/group_vars/packages-stg b/inventory/group_vars/packages-stg
index 8edbd9b68b..a7a2e3829c 100644
--- a/inventory/group_vars/packages-stg
+++ b/inventory/group_vars/packages-stg
@@ -16,7 +16,7 @@ tcp_ports: [ 80, 443,
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
-fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran
+fas_client_groups: sysadmin-noc,sysadmin-web,fi-apprentice,sysadmin-veteran
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/qa-prod b/inventory/group_vars/qa-prod
index ca698cf00c..4f81620785 100644
--- a/inventory/group_vars/qa-prod
+++ b/inventory/group_vars/qa-prod
@@ -36,10 +36,10 @@ buildmaster_template: ci.master.cfg.j2
 buildmaster_endpoint: buildmaster
 buildslave_ssh_pubkey: ''
 buildslave_port: 9989
-buildmaster_dir: /home/buildmaster/master
-buildslave_dir: /home/buildslave/slave
+buildmaster_dir: /srv/buildmaster/master
+buildslave_dir: /srv/buildslave/slave
 buildslave_poll_interval: 1800
-buildmaster_home: /home/buildmaster
+buildmaster_home: /srv/buildmaster
 buildmaster_user: buildmaster
 # build details
diff --git a/inventory/group_vars/staging b/inventory/group_vars/staging
index df0edaab7b..d298da88b5 100644
--- a/inventory/group_vars/staging
+++ b/inventory/group_vars/staging
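Review bot: `baseiptables: False` is added to production `osbs` (and is the whole content of the new `osbs-stg` file) without saying which firewall policy replaces the base one; OSBS builds container images from arbitrary package content, so dropping the default ruleset there should come with a pointer to the rules that remain, e.g. `baseiptables: False  # base rules conflict with the docker/openshift chains; see roles/<osbs role>`. Whether that conflict is the reason, and which role installs the replacement rules, is not visible from this diff and is what to confirm before merging.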
@@ -10,6 +10,11 @@ wildcard_cert_file: wildcard-2017.stg.fedoraproject.org.cert
 wildcard_key_file: wildcard-2017.stg.fedoraproject.org.key
 wildcard_int_file: wildcard-2017.stg.fedoraproject.org.intermediate.cert
+# This is the openshift wildcard cert for stg
+os_wildcard_cert_name: wildcard-2017.app.os.stg.fedoraproject.org
+os_wildcard_cert_file: wildcard-2017.app.os.stg.fedoraproject.org.cert
+os_wildcard_key_file: wildcard-2017.app.os.stg.fedoraproject.org.key
+os_wildcard_int_file: wildcard-2017.stg.fedoraproject.org.intermediate.cert
 # This only does anything if the host is not RHEL6
 collectd_graphite: True
diff --git a/inventory/group_vars/taskotron-dev b/inventory/group_vars/taskotron-dev
index 5d398610c6..8858254366 100644
--- a/inventory/group_vars/taskotron-dev
+++ b/inventory/group_vars/taskotron-dev
@@ -29,7 +29,7 @@ grokmirror_repos:
 - { name: fedoraqa/abicheck, url: 'https://pagure.io/task-abicheck.git'}
 - { name: fedoraqa/rpmgrill, url: 'https://bitbucket.org/fedoraqa/task-rpmgrill.git'}
 - { name: fedoraqa/simpledocker, url: 'https://bitbucket.org/fedoraqa/task-simpledocker.git'}
- - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/task-python-versions'}
+ - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/taskotron-python-versions'}
 - { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'}
 - { name: fedoraqa/rpmdeplint, url: 'https://pagure.io/taskotron/task-rpmdeplint.git'}
 - { name: fedoraqa/rpmlint-scratch, url: 'https://bitbucket.org/fedoraqa/task-rpmlint-scratch.git'}
diff --git a/inventory/group_vars/taskotron-prod b/inventory/group_vars/taskotron-prod
index 4dd26ed75d..e457089181 100644
--- a/inventory/group_vars/taskotron-prod
+++ b/inventory/group_vars/taskotron-prod
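Review bot: `os_wildcard_cert_file:` here versus `os_wildcard_crt_file:` in `group_vars/all` (same commit) means that whichever spelling the consuming role reads, only one environment defines it: with `crt_file`, staging inherits the production `.cert` next to its own `os_wildcard_key_file` and serves a mismatched pair; with `cert_file`, production hits an undefined variable. Align the spelling with `all` (or change both) before this is applied. `os_wildcard_int_file: wildcard-2017.stg.fedoraproject.org.intermediate.cert` also reuses the main staging wildcard's intermediate for the `app.os.stg` certificate, which is only right if both were issued under the same intermediate CA; a comment such as `# same issuer as the stg wildcard, so the chain file is shared` would record that assumption where the next person will look for it.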
@@ -23,7 +23,7 @@ grokmirror_repos:
 - { name: fedoraqa/dockerautotest, url: 'https://bitbucket.org/fedoraqa/task-dockerautotest.git'}
 - { name: fedoraqa/abicheck, url: 'https://pagure.io/task-abicheck.git'}
 - { name: fedoraqa/rpmgrill, url: 'https://bitbucket.org/fedoraqa/task-rpmgrill.git'}
- - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/task-python-versions'}
+ - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/taskotron-python-versions'}
 - { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'}
 - { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'}
 - { name: fedoraqa/fedora-cloud-tests, url: 'https://pagure.io/taskotron/task-fedora-cloud-tests.git'}
diff --git a/inventory/group_vars/taskotron-stg b/inventory/group_vars/taskotron-stg
index 8988360813..6677ee3650 100644
--- a/inventory/group_vars/taskotron-stg
+++ b/inventory/group_vars/taskotron-stg
@@ -29,7 +29,7 @@ grokmirror_repos:
 - { name: fedoraqa/dockerautotest, url: 'https://bitbucket.org/fedoraqa/task-dockerautotest.git'}
 - { name: fedoraqa/abicheck, url: 'https://pagure.io/task-abicheck.git'}
 - { name: fedoraqa/rpmgrill, url: 'https://bitbucket.org/fedoraqa/task-rpmgrill.git'}
- - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/task-python-versions'}
+ - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/taskotron-python-versions'}
 - { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'}
 - { name: fedoraqa/rpmdeplint, url: 'https://pagure.io/taskotron/task-rpmdeplint.git'}
 - { name: fedoraqa/rpmlint-scratch, url: 'https://bitbucket.org/fedoraqa/task-rpmlint-scratch.git'}
diff --git a/inventory/group_vars/unbound b/inventory/group_vars/unbound
index 7b5e47785d..7be065c033 100644
--- a/inventory/group_vars/unbound
+++ b/inventory/group_vars/unbound
@@ -4,7 +4,10 @@ mem_size: 1024
 num_cpus: 2
 tcp_ports: [ 80, 443 ]
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 209.132.184.0/24 --dport 53 -j ACCEPT', '-A INPUT -p udp -m udp -s 209.132.184.0/24 --dport 53 -j ACCEPT' ]
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 209.132.184.0/24 --dport 53 -j ACCEPT',
+ '-A INPUT -p udp -m udp -s 209.132.184.0/24 --dport 53 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 209.132.181.0/24 --dport 53 -j ACCEPT',
+ '-A INPUT -p udp -m udp -s 209.132.181.0/24 --dport 53 -j ACCEPT' ]
 fas_client_groups: sysadmin-dns
 freezes: false
diff --git a/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org b/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org
index 10192d8d98..cfca08f267 100644
--- a/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org
+++ b/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org
@@ -16,3 +16,4 @@ ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-25
 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Everything/x86_64/os/
 virt_install_command: "{{ virt_install_command_one_nic }}"
+sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers"
diff --git a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org
new file mode 100644
index 0000000000..0f1ee3ce57
--- /dev/null
+++ b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org
@@ -0,0 +1,16 @@
+---
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+datacenter: rdu-cc
+eth0_ip: 8.43.85.69
+eth0_nm: 255.255.255.0
+gw: 8.43.85.254
+nm: 255.255.255.0
+dns: 8.8.8.8
+postfix_group: vpn
+vpn: true
+volgroup: /dev/vg_guests
+vmhost: virthost-cc-rdu01.fedoraproject.org
+deployment_type: prod
+ks_url: http://209.132.181.6/repo/rhel/ks/kvm-fedora-25-ext
+ks_repo: http://209.132.181.6/pub/fedora/linux/releases/25/Server/x86_64/os/
diff --git a/inventory/host_vars/compose-ppc64-01.ppc.fedoraproject.org b/inventory/host_vars/compose-ppc64-01.ppc.fedoraproject.org
index 215e3ff118..91899e723d 100644
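Review bot: `dns: 8.8.8.8` points this host at a public resolver while every other host_vars file in this commit uses an internal one (`dns: 10.5.126.21`), so a CI box that fetches task repositories and talks to koji and resultsdb resolves those names across the open internet with no validation on its side; the unbound change in this same commit only admits `209.132.181.0/24`, not this host's `8.43.85.0/24`, so it could not use the project resolvers without a further rule. If no internal resolver is reachable from rdu-cc yet, say so on the line, e.g. `dns: 8.8.8.8  # no internal resolver reachable from rdu-cc; revisit once the VPN route exists`; otherwise point it at one (the host sets `vpn: true`, so a resolver over the VPN may be an option to confirm).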
--- a/inventory/host_vars/compose-ppc64-01.ppc.fedoraproject.org
+++ b/inventory/host_vars/compose-ppc64-01.ppc.fedoraproject.org
@@ -18,3 +18,5 @@ kojihub_scheme: https
 koji_server_url: "https://ppc.koji.fedoraproject.org/kojihub"
 koji_weburl: "https://ppc.koji.fedoraproject.org/koji"
 koji_topurl: "https://ppcpkgs.fedoraproject.org/"
+
+sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers"
diff --git a/inventory/host_vars/compose-ppc64le-01.ppc.fedoraproject.org b/inventory/host_vars/compose-ppc64le-01.ppc.fedoraproject.org
index 036b8e7357..2388b613ce 100644
--- a/inventory/host_vars/compose-ppc64le-01.ppc.fedoraproject.org
+++ b/inventory/host_vars/compose-ppc64le-01.ppc.fedoraproject.org
@@ -18,3 +18,5 @@ kojihub_scheme: https
 koji_server_url: "https://arm.koji.fedoraproject.org/kojihub"
 koji_weburl: "https://arm.koji.fedoraproject.org/koji"
 koji_topurl: "https://armpkgs.fedoraproject.org/"
+
+sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers"
diff --git a/inventory/host_vars/compose-s390-01.s390.fedoraproject.org b/inventory/host_vars/compose-s390-01.s390.fedoraproject.org
index 626b574389..75297acabf 100644
--- a/inventory/host_vars/compose-s390-01.s390.fedoraproject.org
+++ b/inventory/host_vars/compose-s390-01.s390.fedoraproject.org
@@ -20,3 +20,5 @@ kojihub_scheme: https
 koji_server_url: "https://s390.koji.fedoraproject.org/kojihub"
 koji_weburl: "https://s390.koji.fedoraproject.org/koji"
 koji_topurl: "https://s390pkgs.fedoraproject.org/"
+
+sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers"
diff --git a/inventory/host_vars/db-ppc-koji01.ppc.fedoraproject.org b/inventory/host_vars/db-ppc-koji01.ppc.fedoraproject.org
index 64f2d3c4d8..c2d4de90a2 100644
--- a/inventory/host_vars/db-ppc-koji01.ppc.fedoraproject.org
+++ b/inventory/host_vars/db-ppc-koji01.ppc.fedoraproject.org
@@ -22,7 +22,7 @@ dbs_to_backup: - koji fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-releng,sysadmin-veteran -sudoers: "{{ private }}/files/sudo/00releng-sudoers" +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" # These are normally group variables, but in this case db servers are often different lvm_size: 500000 diff --git a/inventory/host_vars/download04.phx2.fedoraproject.org b/inventory/host_vars/download04.phx2.fedoraproject.org index 98874984a3..6bec9b4c0b 100644 --- a/inventory/host_vars/download04.phx2.fedoraproject.org +++ b/inventory/host_vars/download04.phx2.fedoraproject.org @@ -2,5 +2,3 @@ gw: 10.5.126.254 eth0_ip: 10.5.126.96 eth1_ip: 10.5.127.104 -# This is a tier1 only host -rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}-tier1" diff --git a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org index 591e9a6819..dee6f4e15b 100644 --- a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org +++ b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org @@ -4,3 +4,9 @@ nrpe_procs_warn: 900 nrpe_procs_crit: 1000 host_group: openstack-compute ansible_ifcfg_blacklist: true + +nagios_Check_Services: + nrpe: true + sshd: true + +baseiptables: False diff --git a/inventory/host_vars/modernpaste01.phx2.fedoraproject.org b/inventory/host_vars/modernpaste01.phx2.fedoraproject.org index 6f3a286dc0..e56aee0a40 100644 --- a/inventory/host_vars/modernpaste01.phx2.fedoraproject.org +++ b/inventory/host_vars/modernpaste01.phx2.fedoraproject.org @@ -6,9 +6,7 @@ dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ -mem_size: 4096 volgroup: /dev/vg_virthost03 eth0_ip: 10.5.126.230 vmhost: virthost03.phx2.fedoraproject.org datacenter: phx2 -tcp_ports: [22, 80, 443] 
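Review bot: The sudoers policy on this database host switches from `00releng-sudoers` to `sysadmin-secondary-sudoers`, yet `fas_client_groups` on the context line above still lists sysadmin-dba, sysadmin-noc, sysadmin-releng and sysadmin-veteran; anyone in sysadmin-releng loses sudo unless the new file names them, and anyone the new file grants must also be in a group that can log in here. Worth confirming the intended operators against the new file, since the buildvm-s390-01 and compose-* hunks earlier in this diff roll out the same file.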
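Review bot: `baseiptables: False` turns off the base firewall role for this openstack-compute host with no comment on what manages its rules instead (presumably the OpenStack networking stack, but the file does not say); add `# firewall on compute nodes is managed by OpenStack, base role must not rewrite it` or whatever the actual reason is. The value also breaks the file's boolean style, which writes lowercase (`ansible_ifcfg_blacklist: true`, `nrpe: true`).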
diff --git a/inventory/host_vars/modernpaste02.phx2.fedoraproject.org b/inventory/host_vars/modernpaste02.phx2.fedoraproject.org index 067c91a10a..46cfadf301 100644 --- a/inventory/host_vars/modernpaste02.phx2.fedoraproject.org +++ b/inventory/host_vars/modernpaste02.phx2.fedoraproject.org @@ -6,9 +6,7 @@ dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ -mem_size: 4096 volgroup: /dev/vg_virthost01 eth0_ip: 10.5.126.238 vmhost: virthost01.phx2.fedoraproject.org datacenter: phx2 -tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/os-control01.stg.phx2.fedoraproject.org b/inventory/host_vars/os-control01.stg.phx2.fedoraproject.org index 16602435ae..b0652797ec 100644 --- a/inventory/host_vars/os-control01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-control01.stg.phx2.fedoraproject.org @@ -8,5 +8,5 @@ ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.100 -vmhost: virthost04.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 diff --git a/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org index b3c0bf999e..75490b155b 100644 --- a/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org @@ -2,11 +2,11 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.101 -vmhost: virthost11.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-stg diff --git a/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org index 4ee9672b95..a74fbd91b0 100644 
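Review bot: After this hunk os-master01 sits on virthost05.phx2.fedoraproject.org, and the os-control01, os-master02, os-master03, os-node01 and os-node02 hunks in this diff move every other staging cluster VM onto the same virthost, so the three-master `openshift_master_ha: true` configured in os-cluster.yml shares one hypervisor and gives no protection against that host failing. If consolidating the staging cluster is deliberate (for example while the cluster is rebuilt), a `# all os-stg guests on virthost05 on purpose: <reason>` comment would stop the next reader from re-spreading them.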
--- a/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org @@ -2,11 +2,11 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-host-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.102 -vmhost: virthost04.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-stg diff --git a/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org index 741b8f3f12..4a67647798 100644 --- a/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org @@ -2,11 +2,11 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-host-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.103 -vmhost: virthost04.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-stg diff --git a/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org b/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org index abddf35d54..bec3101515 100644 --- a/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org @@ -2,11 +2,11 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-host-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.104 -vmhost: virthost11.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-nodes-stg 
diff --git a/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org b/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org index 3e06baf710..8da8ad342c 100644 --- a/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org @@ -2,11 +2,11 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-host-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.105 -vmhost: virthost04.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-nodes-stg diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org new file mode 100644 index 0000000000..0e05d493a2 --- /dev/null +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org 
@@ -0,0 +1,165 @@ +--- + +############################################################ +# Persistent Cloud +############################################################ + +instance_type: m1.medium +image: CentOS-7-x86_64-GenericCloud-1503 +keypair: fedora-admin-20130801 +zone: nova + +inventory_tenant: persistent +inventory_instance_name: upstreamfirst +hostbase: upstreamfirst +public_ip: 209.132.184.153 +root_auth_users: tflink roshi +description: upstream-first pagure server +security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent,mail-25-anywhere-persistent,allow-nagios-persistent,fedmsg-relay-persistent,pagure-ports + +volumes: + - volume_id: 81c1cb3e-5fb0-4abd-a252-b0102f1378de + device: /dev/vdc + +cloud_networks: + # persistent-net + - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f" + +############################################################ +# General configuration +############################################################ + +tcp_ports: [ 22, 25, 80, 443, 9418, + # Used for the eventsource server + 8088, + # This is for the pagure public fedmsg relay + 9940] + +external_hostname: 'upstreamfirst.fedorainfracloud.org' + +############################################################ +# Backup +############################################################ + +dbs_to_backup: +- postgres +- pagure + +host_backup_targets: + - '/backups' + - '/srv/git' + +############################################################ +# PostgreSQL configuration +############################################################ + +shared_buffers: "2GB" +effective_cache_size: "6GB" + + +############################################################ +# Pagure Config +############################################################ + + +new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" +new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" +new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" 
+new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" + +# there are two db hosts here to work around the pg_hba that's in postgres_server +# we need to delegate postgres admin commands to a host that is remote from where +# this playbook is run but have to use localhost for the application to run in the +# case where we're using a local postgres instance +new_pagure_db_host: "127.0.0.1" +new_pagure_db_command_host: "{{ inventory_hostname }}" + +new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" +new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" +new_pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}" + +pagure_admin_email: 'tflink@fedoraproject.org' + +pagure_ssh_host_pubkey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/bYFmX8pthJHcM2J85+mmN8pGJ/EJMcsdwoazihcooIBONcUazYF/BVV5/3nK7H3shq2nLR7vmdd2NuFHOPNsaAMK6nlADEg2tsKMC3UHHnwo1/iIO21pvf7+w2KIKCNIhiYA70W1aIxFBMZ7oo0VXjZ19PBwg6huAh0CBrLBP+XU4QN6LgLd87T5qMN/7g/QVqDforeoL8NUSQXMfzYNbxXPdRvMc5vbEMS/QNu5I8Ycu6FDqChnWc5Qd2orVCNreEMKwkgW27+FTpxzAnq3avotb0Cv1WuZjd8q402ldvp+ELcS8WHc+Mx41KaR//QTlSIYeX4OlcX/pl6C+Sdz' + +# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub +pagure_ssh_host_fingerprint: '2048 6b:d8:48:27:5a:11:d1:14:e0:c1:91:23:45:c7:fb:6d (RSA)' + +# awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64_ +pagure_ssh_host_sha256: 'SHA256:ggRdzg+ugyR6WIzeiuyASAdEHf+HG5yZqJJIu/YTtHI=' + +new_pagure_admin_groups: ['sysadmin-main', 'sysadmin-qa'] + +pagure_instance_name: "Upstream First Pagure" +pagure_theme_static_dir: "/var/www/upstreamfirst-paguretheme/static" +pagure_theme_template_dir: "/var/www/upstreamfirst-paguretheme/templates" + +stunnel_service: "eventsource" +stunnel_source_port: 8088 +stunnel_destination_port: 8080 + +# not doing anything with fedmsg right now +## These are consumed by a task in roles/fedmsg/base/main.yml +#fedmsg_certs: +#- service: shell +# owner: root +# group: sysadmin +# can_send: +# - 
logger.log +#- service: pagure +# owner: git +# group: apache +# can_send: +# - pagure.issue.assigned.added +# - pagure.issue.assigned.reset +# - pagure.issue.comment.added +# - pagure.issue.dependency.added +# - pagure.issue.dependency.removed +# - pagure.issue.edit +# - pagure.issue.new +# - pagure.issue.tag.added +# - pagure.issue.tag.removed +# - pagure.project.edit +# - pagure.project.forked +# - pagure.project.new +# - pagure.project.tag.edited +# - pagure.project.tag.removed +# - pagure.project.user.added +# - pagure.pull-request.closed +# - pagure.pull-request.comment.added +# - pagure.pull-request.flag.added +# - pagure.pull-request.flag.updated +# - pagure.request.assigned.added +# - pagure.pull-request.new +# +#fedmsg_prefix: io.pagure +#fedmsg_env: stg + +fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-qa + +freezes: false +#env: pagure-staging +#postfix_group: vpn.pagure-stg + +# Configuration for the git-daemon/server +git_group: git +git_port: 9418 +git_server: /usr/libexec/git-core/git-daemon +git_server_args: --export-all --syslog --inetd --verbose +git_basepath: /srv/git/repositories +git_daemon_user: git + +# For the MOTD +csi_security_category: Low +csi_primary_contact: Fedora admins - admin@fedoraproject.org +csi_purpose: Stage testcases being submitted upstream to Fedora +csi_relationship: | + There are a few things running here: + + - The apache/mod_wsgi app for pagure + + - This host relies on: + - A postgres db server running locally + + - Things that rely on this host: + - nothing currently diff --git a/inventory/host_vars/waiverdb-dev.fedorainfracloud.org b/inventory/host_vars/waiverdb-dev.fedorainfracloud.org index 52a72a9328..aad3add4fc 100644 --- a/inventory/host_vars/waiverdb-dev.fedorainfracloud.org +++ b/inventory/host_vars/waiverdb-dev.fedorainfracloud.org 
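Review bot: `new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}"` sets the application's secret key from the database admin username variable, which is not a secret and is already exposed as `new_pagure_db_admin_user` a few lines up; every other value in this block maps to a same-named private variable, so this reads as a copy/paste slip and should use a dedicated private secret (constructed name: `upstreamfirst_pagure_secret_key`). Until then the instance's session and CSRF tokens are signed with a guessable value. Separately, the fingerprint recipe comment ends in `base64_`, a stray underscore that will trip anyone pasting it.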
@@ -12,6 +12,7 @@ hostbase: waverdb-dev public_ip: 209.132.184.51 root_auth_users: mjia description: waverdb development instance +deployment_type: dev cloud_networks: # persistent-net diff --git a/inventory/inventory b/inventory/inventory index 39356158ff..4dbc58892d 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1,9 +1,3 @@ -# dummies until the multiple inventory group import issue is fixed in -# ansible -[builders] -[bkernel] -[buildvmhost] - [beaker] beaker01.qa.fedoraproject.org @@ -266,6 +260,9 @@ autocloud-backend01.stg.phx2.fedoraproject.org autocloud-backend02.stg.phx2.fedoraproject.org [autosign] +# +# autosign01 does not listen to ssh by default +# #autosign01.phx2.fedoraproject.org [autosign-stg] @@ -345,7 +342,6 @@ download-phx2 download-ibiblio download-rdu2 - [elections] elections01.phx2.fedoraproject.org elections02.phx2.fedoraproject.org @@ -372,7 +368,6 @@ hotness01.stg.phx2.fedoraproject.org [kerneltest] kerneltest01.phx2.fedoraproject.org -#kerneltest02.phx2.fedoraproject.org [kerneltest-stg] kerneltest01.stg.phx2.fedoraproject.org @@ -444,7 +439,6 @@ iddev.fedorainfracloud.org dhcp01.phx2.fedoraproject.org [nagios] -#noc01.phx2.fedoraproject.org noc02.fedoraproject.org [nagios-new] @@ -919,7 +913,6 @@ zanata2fedmsg01.stg.phx2.fedoraproject.org #[zanata2fedmsg] #zanata2fedmsg01.phx2.fedoraproject.org - # This is a convenience group listing the hosts that live on the QA network that # are allowed to send inbound fedmsg messages to our production fedmsg bus. # See also: @@ -938,7 +931,6 @@ openqa01.qa.fedoraproject.org resultsdb-stg01.qa.fedoraproject.org openqa-stg01.qa.fedoraproject.org - # assorted categories of fedmsg services, for convenience [fedmsg-hubs:children] autocloud-backend @@ -1159,6 +1151,8 @@ respins.fedorainfracloud.org waiverdb-dev.fedorainfracloud.org # hubs-dev hubs-dev.fedorainfracloud.org +# upstreamfirst - ticket 6066 +upstreamfirst.fedorainfracloud.org # # These are in the new cloud 
@@ -1330,18 +1324,36 @@ osbs-master01.stg.phx2.fedoraproject.org osbs-node01.stg.phx2.fedoraproject.org osbs-node02.stg.phx2.fedoraproject.org +[osbs:children] +osbs-control +osbs-nodes +osbs-masters + +[osbs-stg:children] +osbs-control-stg +osbs-nodes-stg +osbs-masters-stg + [os-control-stg] os-control01.stg.phx2.fedoraproject.org -[os-master-stg] +[os-masters-stg] os-master01.stg.phx2.fedoraproject.org os-master02.stg.phx2.fedoraproject.org os-master03.stg.phx2.fedoraproject.org -[os-node-stg] +[os-nodes-stg] os-node01.stg.phx2.fedoraproject.org os-node02.stg.phx2.fedoraproject.org +[os-stg:children] +os-nodes-stg +os-masters-stg +os-control-stg + +[ci] +ci-cc-rdu01.fedoraproject.org + # Docker (docker-distribution) registries [docker-registry] docker-registry01.phx2.fedoraproject.org @@ -1352,6 +1364,14 @@ docker-registry01.stg.phx2.fedoraproject.org docker-registry02.stg.phx2.fedoraproject.org docker-candidate-registry01.stg.phx2.fedoraproject.org +## Not the candidate just the top registry +[moby-registry] +docker-registry01.phx2.fedoraproject.org + +## Not the candidate just the top registry +[moby-registry-stg] +docker-registry01.phx2.fedoraproject.org + [webservers:children] proxies ipsilon diff --git a/master.yml b/master.yml index d8bf06f949..4b433002cc 100644 --- a/master.yml +++ b/master.yml @@ -33,6 +33,7 @@ - include: /srv/web/infra/ansible/playbooks/groups/buildvm.yml - include: /srv/web/infra/ansible/playbooks/groups/bugyou.yml - include: /srv/web/infra/ansible/playbooks/groups/busgateway.yml +- include: /srv/web/infra/ansible/playbooks/groups/ci.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-backend.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-dist-git.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml 
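Review bot: `[moby-registry-stg]` lists `docker-registry01.phx2.fedoraproject.org`, the production registry, identical to `[moby-registry]` directly above it; the staging group presumably meant `docker-registry01.stg.phx2.fedoraproject.org`, which the context lines show is the staging top registry. As written, any play aimed at moby-registry-stg runs against production.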
@@ -107,10 +108,8 @@
 - include: /srv/web/infra/ansible/playbooks/groups/summershum.yml
 - include: /srv/web/infra/ansible/playbooks/groups/sundries.yml
 - include: /srv/web/infra/ansible/playbooks/groups/tagger.yml
+- include: /srv/web/infra/ansible/playbooks/groups/taskotron.yml
 - include: /srv/web/infra/ansible/playbooks/groups/taskotron-client-hosts.yml
-- include: /srv/web/infra/ansible/playbooks/groups/taskotron-prod.yml
-- include: /srv/web/infra/ansible/playbooks/groups/taskotron-dev.yml
-- include: /srv/web/infra/ansible/playbooks/groups/taskotron-stg.yml
 - include: /srv/web/infra/ansible/playbooks/groups/torrent.yml
 - include: /srv/web/infra/ansible/playbooks/groups/twisted-buildbots.yml
 - include: /srv/web/infra/ansible/playbooks/groups/unbound.yml
@@ -145,10 +144,11 @@
 - include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/kolinahr.fedorainfracloud.org.yml
-- include: /srv/web/infra/ansible/playbooks/hosts/magazine.fedorainfracloud.org.yml
+- include: /srv/web/infra/ansible/playbooks/hosts/magazine2.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/modernpaste.fedorainfracloud.org.yml
+- include: /srv/web/infra/ansible/playbooks/hosts/modularity.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/piwik.fedorainfracloud.org.yml
-#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp.fedorainfracloud.org.yml
+#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp2.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/shogun-ca.cloud.fedoraproject.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/shumgrepper-dev.fedorainfracloud.org.yml
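Review bot: The new `- include: /srv/web/infra/ansible/playbooks/groups/taskotron.yml` replaces the taskotron-prod/dev/stg includes, but this diff deletes taskotron-prod.yml and renames taskotron-dev.yml to ci.yml without adding a taskotron.yml; unless it arrives in another commit, master.yml fails on a missing file. The same applies to magazine2.fedorainfracloud.org.yml and modularity.fedorainfracloud.org.yml in the next hunk, neither of which is part of this diff.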
diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index 6e76509162..97983c8c03 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -50,6 +50,7 @@ - name: make sure httpd is running service: name=httpd state=started enabled=yes + when: not inventory_hostname_short == "buildvm-s390x-07" - name: make sure kojid is running service: name=kojid state=started enabled=yes diff --git a/playbooks/groups/taskotron-dev.yml b/playbooks/groups/ci.yml similarity index 69% rename from playbooks/groups/taskotron-dev.yml rename to playbooks/groups/ci.yml index a5ba557833..fcef5d185b 100644 --- a/playbooks/groups/taskotron-dev.yml +++ b/playbooks/groups/ci.yml @@ -3,10 +3,10 @@ # NOTE: make sure there is room/space for this server on the vmhost # NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=taskotron-dev" +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=ci-cc-rdu01.fedoraproject.org" - name: make the box be real - hosts: taskotron-dev + hosts: ci user: root gather_facts: True @@ -24,7 +24,11 @@ - { role: collectd/base, tags: ['collectd_base'] } - { role: dnf-automatic, tags: ['dnfautomatic'] } - { role: sudo, tags: ['sudo'] } + - { role: openvpn/client, + when: deployment_type == "prod", tags: ['openvpn_client'] } + - postgresql_server - apache +# - { role: fedmsg/base } tasks: # this is how you include other task lists @@ -35,8 +39,8 @@ handlers: - include: "{{ handlers_path }}/restart_services.yml" -- name: configure taskotron master - hosts: taskotron-dev +- name: configure resultsdb production + hosts: ci user: root gather_facts: True 
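Review bot: `when: not inventory_hostname_short == "buildvm-s390x-07"` is clearer as `when: inventory_hostname_short != "buildvm-s390x-07"`, and a one-line comment on why httpd must stay off that single builder would save the next reader a question. The enclosing play begins outside the hunk.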
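Review bot: The play is renamed `configure resultsdb production` but targets `hosts: ci`, while the virt-create include in the first hunk names the single host `myhosts=ci-cc-rdu01.fedoraproject.org` instead of the group; `myhosts=ci` would keep the two in step when a second CI host appears, and the name should say "ci" rather than "production" given the `deployment_type == "prod"` guard on openvpn/client. The header comment about vars coming from `group_vars/mirrorlist` is a leftover of the taskotron-dev file this was renamed from.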
@@ -46,14 +50,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - { role: taskotron/grokmirror, tags: ['grokmirror'] } -# - { role: taskotron/cgit, tags: ['cgit'] } - - { role: taskotron/buildmaster, tags: ['buildmaster'] } - - { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] } - - { role: taskotron/taskotron-trigger, tags: ['trigger'] } - - { role: taskotron/taskotron-frontend, tags: ['frontend'] } - - { role: taskotron/taskotron-proxy, tags: ['taskotronproxy'] } - - { role: taskotron/ssl-taskotron, tags: ['ssltaskotron'] } +# - { role: taskotron/resultsdb-fedmsg, tags: ['resultsdb-fedmsg']} + - { role: taskotron/resultsdb-backend, tags: ['resultsdb-be'] } + - { role: taskotron/resultsdb-frontend, tags: ['resultsdb-fe'] } + - { role: taskotron/execdb, tags: ['execdb'] } + - { role: ccsdb, tags: ['ccsdb'] } handlers: - include: "{{ handlers_path }}/restart_services.yml" diff --git a/playbooks/groups/loopabull.yml b/playbooks/groups/loopabull.yml index 192115e1f9..59e65daae6 100644 --- a/playbooks/groups/loopabull.yml +++ b/playbooks/groups/loopabull.yml 
@@ -40,16 +40,36 @@ - "/srv/private/ansible/vars.yml" - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + tasks: - name: git clone the releng-automation playbook repo git: repo: "https://pagure.io/releng-automation.git" dest: "/usr/local/loopabull-playbooks" + - name: ensure ~/.ssh dir exists + file: + path: "/home/root/.ssh/" + state: directory + - name: place loopabull_ociimage user private keys + copy: + src: "{{ private }}/files/loopabull/keys/{{ env }}_ociimage" + dest: "/home/root/.ssh/id_rsa.loopabull_ociimage" + mode: 0600 + - name: Install required packages + package: + name: python-fedmsg-rabbitmq-serializer + state: latest roles: + - rabbitmq + - fedmsg/base + - fedmsg/hub - { role: loopabull, - plugin: fedmsg, + loglevel: info, + plugin: fedmsgrabbitmq, routing_keys: [ "org.fedoraproject.prod.buildsys.build.state.change" ], @@ -59,3 +79,22 @@ } +- name: Post Loopabull install configuration + hosts: loopabull-stg + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" + + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + + tasks: + - name: Enable fedmsg-rabbitmq-serializer + copy: + src: "{{files}}/loopabull/serializer.py" + dest: "/etc/fedmsg.d/serializer.py" + notify: restart fedmsg-hub diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 5d0185bb5e..6872173a62 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml 
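Review bot: The key directory is created at `/home/root/.ssh/`, but root's home is normally `/root`, so unless these hosts are configured unusually the private key lands where ssh will not look for it. The `file` task also sets no `mode`, leaving `.ssh` at the default umask while the key gets `mode: 0600`; add `mode: 0700` to the directory task. `state: latest` on python-fedmsg-rabbitmq-serializer makes each run able to upgrade the package unexpectedly; `state: present` is the usual choice. Note too that Ansible runs `roles:` before `tasks:` regardless of their order in the file, so the repo clone and key placement happen after the loopabull role, which the layout here does not suggest.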
@@ -1,6 +1,5 @@ # create an os server -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=os-control-stg:os-control" -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=os-nodes-stg:os-masters-stg:os-nodes:os-masters" +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=os-control-stg:os-control:os-nodes-stg:os-masters-stg:os-nodes:os-masters" - name: make the box be real hosts: os-control:os-control-stg:os-masters-stg:os-nodes-stg:os-masters:os-nodes @@ -23,6 +22,18 @@ - sudo tasks: + - name: put openshift 3.4 repo on os- systems + copy: src="{{ files }}/openshift/openshift.repo" dest="/etc/yum.repos.d/openshift.repo" + tags: + - config + - packages + - yumrepos + + - name: Deploy controller public ssh keys to osbs cluster hosts + authorized_key: + user: root + key: "{{ lookup('file', '{{private}}/files/os/{{env}}/control_key.pub') }}" + - include: "{{ tasks_path }}/yumrepos.yml" - include: "{{ tasks_path }}/2fa_client.yml" - include: "{{ tasks_path }}/motd.yml" @@ -43,6 +54,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: + - name: fix hosts file + copy: + src: "{{roles_path}}/hosts/files/os-hosts" + dest: "/etc/hosts" + owner: root + mode: 0644 + - name: deploy private key to control hosts copy: src: "{{private}}/files/os/{{env}}/control_key" @@ -57,10 +75,10 @@ option: pipelining value: "True" -- name: Setup cluster masters pre-reqs - hosts: os-masters-stg:os-masters +- name: Deploy OpenShift cluster + hosts: os-control-stg tags: - - os-cluster-prereq + - os-cluster-deploy user: root gather_facts: True 
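Review bot: The task name `Deploy controller public ssh keys to osbs cluster hosts` says osbs, but this is the os cluster playbook; rename it `Deploy controller public ssh keys to os cluster hosts`. Because this key gives the controller root on every master and node, a short comment pointing at where `control_key` lives and how it is rotated would help whoever inherits this play.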
@@ -69,90 +87,44 @@ - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - tasks: - - name: ensure origin conf dir exists - file: - path: "/etc/origin" - state: "directory" + roles: + - { + role: ansible-ansible-openshift-ansible, + cluster_inventory_filename: "cluster-inventory-stg", + openshift_release: "v3.5", + openshift_ansible_path: "/root/openshift-ansible", + openshift_ansible_playbook: "playbooks/byo/config.yml", + openshift_ansible_version: "openshift-ansible-3.5.70-1", + openshift_ansible_ssh_user: root, + openshift_ansible_install_examples: true, + openshift_ansible_containerized_deploy: false, + openshift_cluster_masters_group: "os-masters-stg", + openshift_cluster_nodes_group: "os-nodes-stg", + openshift_cluster_infra_group: "os-nodes-stg", + openshift_auth_profile: "fedoraidp-stg", + openshift_master_ha: true, + openshift_debug_level: 2, + openshift_deployment_type: "openshift-enterprise", + openshift_cluster_url: "{{ os_url}}", + openshift_app_subdomain: "{{ os_app_url }}", + openshift_internal_cluster_url: "os-masters{{ env_suffix }}.phx2.fedoraproject.org", + openshift_api_port: 443, + openshift_console_port: 443, + openshift_shared_infra: true, + when: env == 'staging', + tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] + } - - name: create cert dir for openshift public facing REST API SSL - file: - path: "/etc/origin/master/named_certificates" - state: "directory" - - - name: install cert for openshift public facing REST API SSL - copy: - src: "{{private}}/files/os/{{env}}/os-internal.pem" - dest: "/etc/origin/master/named_certificates/{{os}}.pem" - - - name: install key for openshift public facing REST API SSL - copy: - src: "{{private}}/files/os/{{env}}/os-internal.key" - dest: "/etc/origin/master/named_certificates/{{os}}.key" - - - name: place htpasswd file - copy: - src: "{{private}}/files/httpd/os-{{env}}.htpasswd" - dest: /etc/origin/htpasswd - - -- name: Setup cluster hosts 
pre-reqs - hosts: os-masters-stg:os-nodes-stg:os-masters:os-nodes +- name: Post-Install setup + hosts: os-stg:os tags: - - os-cluster-prereq - user: root - gather_facts: True - + - os-post-install vars_files: - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - handlers: - - name: restart NetworkManager - service: - name: NetworkManager - state: restarted - tasks: - - name: Install necessary packages that openshift-ansible needs - package: name="{{ item }}" state=installed - with_items: - - tar - - rsync - - dbus-python - - NetworkManager - - libselinux-python - - origin - - - name: Deploy controller public ssh keys to os cluster hosts - authorized_key: - user: root - key: "{{ lookup('file', '{{private}}/files/os/{{env}}/control_key.pub') }}" - - # This is required for OpenShift built-in SkyDNS inside the overlay network - # of the cluster - - name: ensure NM_CONTROLLED is set to "yes" for os cluster - lineinfile: - dest: "/etc/sysconfig/network-scripts/ifcfg-eth0" - line: "NM_CONTROLLED=yes" - notify: - - restart NetworkManager - - # This is required for OpenShift built-in SkyDNS inside the overlay network - # of the cluster - - name: ensure NetworkManager is enabled and started - service: - name: NetworkManager - state: started - enabled: yes - - - name: cron entry to clean up docker storage - copy: - src: "{{files}}/os/cleanup-docker-storage" - dest: "/etc/cron.d/cleanup-docker-storage" - - - name: copy docker-storage-setup config - copy: - src: "{{files}}/os/docker-storage-setup" - dest: "/etc/sysconfig/docker-storage-setup" + - name: enable nrpe for monitoring (noc01) + iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT 
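Review bot: The nrpe rule is added with the `iptables` module, which edits only the running ruleset; it is not persisted and vanishes on reboot or when the base role re-renders the firewall, so port 5666 from 10.5.126.41 belongs in the hosts' `custom_rules`/`tcp_ports` like the DNS rules at the top of this diff. The Post-Install play also loads `/srv/private/ansible/files/openstack/passwords.yml` although the one visible task needs nothing from it; drop it unless tasks past the hunk use those values. The `when: env == 'staging'` on the deploy role is redundant with `hosts: os-control-stg`. This play's task list may continue beyond the hunk.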
diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml
index 726bb92795..1a90db8473 100644
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@@ -205,8 +205,18 @@
 openshift_ansible_path: "/root/openshift-ansible",
 openshift_ansible_playbook: "playbooks/byo/config.yml",
 openshift_ansible_version: "openshift-ansible-3.3.57-1",
+openshift_ansible_ssh_user: root,
+openshift_ansible_install_examples: false,
+openshift_ansible_containerized_deploy: false,
 openshift_cluster_masters_group: "osbs-masters-stg",
 openshift_cluster_nodes_group: "osbs-nodes-stg",
+openshift_cluster_infra_group: "osbs-masters-stg",
+openshift_auth_profile: "osbs",
+openshift_cluster_url: "{{osbs_url}}",
+openshift_master_ha: false,
+openshift_debug_level: 2,
+openshift_shared_infra: true,
+openshift_deployment_type: "origin",
 when: env == 'staging',
 tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
 }
@@ -219,8 +229,18 @@
 openshift_ansible_path: "/root/openshift-ansible",
 openshift_ansible_playbook: "playbooks/byo/config.yml",
 openshift_ansible_version: "openshift-ansible-3.3.57-1",
+openshift_ansible_ssh_user: root,
+openshift_ansible_install_examples: false,
+openshift_ansible_containerized_deploy: false,
 openshift_cluster_masters_group: "osbs-masters",
 openshift_cluster_nodes_group: "osbs-nodes",
+openshift_cluster_infra_group: "osbs-masters",
+openshift_auth_profile: "osbs",
+openshift_cluster_url: "{{osbs_url}}",
+openshift_master_ha: false,
+openshift_debug_level: 2,
+openshift_shared_infra: true,
+openshift_deployment_type: "origin",
 when: env == 'production',
 tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
 }
diff --git a/playbooks/groups/people.yml b/playbooks/groups/people.yml
index 7877950c07..769dbc8d70 100644
--- a/playbooks/groups/people.yml
+++ b/playbooks/groups/people.yml
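Review bot: The ten new `openshift_*` parameters are duplicated verbatim between the staging and production role invocations, differing only in the `*_group` names, so a later change to one block will silently miss the other. os-cluster.yml in this same diff builds group names with `{{ env_suffix }}`, which would let the two invocations collapse into one. Both hunks sit inside role parameter lists whose start is outside the hunk.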
@@ -75,8 +75,8 @@ - role: apache - role: httpd/certificate - name: wildcard-2014.fedorapeople.org - SSLCertificateChainFile: wildcard-2014.fedorapeople.org.intermediate.cert + name: wildcard-2017.fedorapeople.org + SSLCertificateChainFile: wildcard-2017.fedorapeople.org.intermediate.cert - people diff --git a/playbooks/groups/qa.yml b/playbooks/groups/qa.yml index 978ad8e0ba..f76ef82ef6 100644 --- a/playbooks/groups/qa.yml +++ b/playbooks/groups/qa.yml @@ -57,8 +57,8 @@ - include: "{{ handlers_path }}/restart_services.yml" -- name: configure qa uildbot CI - hosts: qa-prod:qa-stg +- name: configure qa buildbot CI + hosts: qa-stg user: root gather_facts: True @@ -108,10 +108,11 @@ tags: - qastaticsites - roles: - - { role: taskotron/imagefactory-client, - when: deployment_type != "qa-stg", tags: ['imagefactoryclient'] } - +# don't need this if buildbot is not enabled +# roles: +# - { role: taskotron/imagefactory-client, +# when: deployment_type != "qa-stg", tags: ['imagefactoryclient'] } +# handlers: - include: "{{ handlers_path }}/restart_services.yml" diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 1e1f7120e3..864431e44a 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml @@ -42,6 +42,9 @@ - role: loopabull/target loopabull_role: koji when: "env == 'staging' and inventory_hostname == 'composer.stg.phx2.fedoraproject.org'" + - role: loopabull/target + loopabull_role: ociimage + when: "env == 'staging' and inventory_hostname == 'composer.stg.phx2.fedoraproject.org'" - { role: nfs/client, when: "'releng-stg' not in group_names", mnt_dir: '/mnt/fedora_koji', nfs_src_dir: "{{ koji_hub_nfs }}" } - { role: nfs/client, when: "'releng-compose' in group_names", mnt_dir: '/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' } - { role: nfs/client, when: "'releng-secondary' in group_names", mnt_dir: '/pub/fedora-secondary', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/fedora-secondary' } 
@@ -65,6 +68,7 @@ when: env == "staging" } + tasks: # this is how you include other task lists - include: "{{ tasks_path }}/2fa_client.yml" diff --git a/playbooks/groups/taskotron-client-hosts.yml b/playbooks/groups/taskotron-client-hosts.yml index dd4dedddd4..f04cedd598 100644 --- a/playbooks/groups/taskotron-client-hosts.yml +++ b/playbooks/groups/taskotron-client-hosts.yml @@ -14,6 +14,9 @@ - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + pre_tasks: + - include: "{{ tasks_path }}/yumrepos.yml" + roles: - base - rkhunter @@ -26,7 +29,6 @@ - { role: openvpn/client, when: datacenter != "phx2" } tasks: - - include: "{{ tasks_path }}/yumrepos.yml" - include: "{{ tasks_path }}/2fa_client.yml" - include: "{{ tasks_path }}/motd.yml" diff --git a/playbooks/groups/taskotron-prod.yml b/playbooks/groups/taskotron-prod.yml deleted file mode 100644 index 2894c88620..0000000000 --- a/playbooks/groups/taskotron-prod.yml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -# create a new taskotron production server -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=taskotron-prod" - -- name: make the box be real - hosts: taskotron-prod - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: base, tags: ['base'] } - - { role: rkhunter, tags: ['rkhunter'] } - - { role: nagios_client, tags: ['nagios_client'] } - - { role: hosts, tags: ['hosts']} - - { role: fas_client, tags: ['fas_client'] } - - { role: collectd/base, tags: ['collectd_base'] } - - { role: sudo, tags: ['sudo'] } - - { role: openvpn/client, - when: env != "staging", tags: ['openvpn_client'] } - - apache - - tasks: - # this is how you include other task lists - - include: "{{ tasks_path }}/yumrepos.yml" - - include: "{{ tasks_path }}/2fa_client.yml" - - include: "{{ tasks_path }}/motd.yml" - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" - -- name: configure taskotron master - hosts: taskotron-prod - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: taskotron/grokmirror, tags: ['grokmirror'] } -# - { role: taskotron/cgit, tags: ['cgit'] } - - { role: taskotron/buildmaster, tags: ['buildmaster'] } - - { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] } - - { role: taskotron/taskotron-trigger, tags: ['trigger'] } - - { role: taskotron/taskotron-frontend, tags: ['frontend'] } - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" 
diff --git a/playbooks/groups/taskotron-stg.yml b/playbooks/groups/taskotron-stg.yml deleted file mode 100644 index 652583c59a..0000000000 --- a/playbooks/groups/taskotron-stg.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -# create a new taskotron staging server -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=taskotron-stg" - -- name: make the box be real - hosts: taskotron-stg - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: base, tags: ['base'] } - - { role: rkhunter, tags: ['rkhunter'] } - - { role: nagios_client, tags: ['nagios_client'] } - - { role: hosts, tags: ['hosts']} - - { role: fas_client, tags: ['fas_client'] } - - { role: collectd/base, tags: ['collectd_base'] } - - { role: sudo, tags: ['sudo'] } - - apache - - tasks: - # this is how you include other task lists - - include: "{{ tasks_path }}/yumrepos.yml" - - include: "{{ tasks_path }}/2fa_client.yml" - - include: "{{ tasks_path }}/motd.yml" - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" - -- name: configure taskotron master - hosts: taskotron-stg - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: taskotron/grokmirror, tags: ['grokmirror'] } -# - { role: taskotron/cgit, tags: ['cgit'] } - - { role: taskotron/buildmaster, tags: ['buildmaster'] } - - { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] } - - { role: taskotron/taskotron-trigger, tags: ['trigger'] } - - { role: taskotron/taskotron-frontend, tags: ['frontend'] } - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" diff --git a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml index f9fecc0989..dc59506661 100644 
--- a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml @@ -38,8 +38,7 @@ - git: repo=https://pagure.io/fedora-hubs.git dest=/srv/git/fedora-hubs version=develop - register: git_result - changed_when: "git_result.after|default('after') != git_result.before|default('before')" + ignore_errors: true - file: dest=/etc/fedmsg.d/ state=directory - name: copy around a number of files we want command: cp {{item.src}} {{item.dest}} diff --git a/playbooks/hosts/magazine.fedorainfracloud.org.yml b/playbooks/hosts/magazine.fedorainfracloud.org.yml deleted file mode 100644 index b0d219a85f..0000000000 --- a/playbooks/hosts/magazine.fedorainfracloud.org.yml +++ /dev/null 
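Review bot: `ignore_errors: true` on the `git:` task silently swallows every failure of the fedora-hubs checkout — pagure.io unreachable, a TLS error, a missing `develop` ref — and the following `copy around a number of files we want` task then runs against whatever is already in /srv/git/fedora-hubs, possibly stale code. If the goal is only to tolerate one known failure, keep `register: git_result` and replace the blanket ignore with a narrow `failed_when:` on `git_result` that matches just that case; otherwise let the play fail. At minimum add a comment naming the tolerated failure, e.g. `# ignore_errors: the checkout may fail because <reason>; the copy below still needs the existing tree`. The task list continues outside the hunk.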
@@ -1,55 +0,0 @@ -- name: check/create instance - hosts: magazine.fedorainfracloud.org - gather_facts: False - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/web/infra/ansible/vars/fedora-cloud.yml - - /srv/private/ansible/files/openstack/passwords.yml - - tasks: - - include: "{{ tasks_path }}/persistent_cloud.yml" - -- name: setup all the things - hosts: magazine.fedorainfracloud.org - gather_facts: True - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - pre_tasks: - - include: "{{ tasks_path }}/cloud_setup_basic.yml" - - name: set hostname (required by some services, at least postfix need it) - hostname: name="{{inventory_hostname}}" - - tasks: - - name: add packages - yum: state=present name={{ item }} - with_items: - - httpd - - php - - php-mysql - - mariadb-server - - mariadb - - mod_ssl - - php-mcrypt - - php-mbstring - - wget - - unzip - - postfix - - - name: enable httpd service - service: name=httpd enabled=yes state=started - - - name: configure postfix for ipv4 only - raw: postconf -e inet_protocols=ipv4 - - - name: enable local postfix service - service: name=postfix enabled=yes state=started - - roles: - - nagios_client - - mariadb_server diff --git a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml new file mode 100644 index 0000000000..5b92522d44 --- /dev/null +++ b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml 
@@ -0,0 +1,70 @@
+- name: check/create instance
+ hosts: upstreamfirst.fedorainfracloud.org
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/web/infra/ansible/vars/fedora-cloud.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+
+ tasks:
+ - include: "{{ tasks_path }}/persistent_cloud.yml"
+
+- name: do base configuration
+ hosts: upstreamfirst.fedorainfracloud.org
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - rkhunter
+ - nagios_client
+ - hosts
+ - fas_client
+ - sudo
+ - collectd/base
+ - postgresql_server
+ - certbot
+
+ tasks:
+ - include: "{{ tasks_path }}/yumrepos.yml"
+ - include: "{{ tasks_path }}/2fa_client.yml"
+ - include: "{{ tasks_path }}/motd.yml"
+
+ handlers:
+ - include: "{{ handlers_path }}/restart_services.yml"
+
+- name: deploy pagure
+ hosts: upstreamfirst.fedorainfracloud.org
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - "{{ vars_path }}/{{ ansible_distribution }}.yml"
+
+# pre_tasks:
+# - name: install fedmsg-relay
+# yum: pkg=fedmsg-relay state=present
+# tags:
+# - pagure
+# - pagure/fedmsg
+# - name: and start it
+# service: name=fedmsg-relay state=started
+# tags:
+# - pagure
+# - pagure/fedmsg
+#
+ roles:
+ - pagure/upstreamfirst-frontend
+ # - pagure/fedmsg
+
+ handlers:
+ - include: "{{ handlers_path }}/restart_services.yml"
diff --git a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
index dae7fedfc7..9c23e028fe 100644
--- a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
+++ b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
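Review bot: The `deploy pagure` play ships an eleven-line commented-out `pre_tasks:` block for fedmsg-relay plus a commented `# - pagure/fedmsg` role; dead code in a brand-new file cannot run, is not linted, and will drift from the real `pagure/fedmsg` role. Drop it and leave a single line stating the blocker, e.g. `# TODO: enable pagure/fedmsg (and a fedmsg-relay pre_task) once <blocker> is resolved`. In the first play the `/srv/private/ansible/files/openstack/passwords.yml` entry is presumably there only for `persistent_cloud.yml`; a `# needed by persistent_cloud.yml` comment beside it would make the scope of that secrets file explicit.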
@@ -25,6 +25,9 @@ - name: set hostname (required by some services, at least postfix need it) hostname: name="{{inventory_hostname}}" + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + roles: - nginx - waiverdb diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml index f52c3d12be..8e6ca2f9e5 100644 --- a/playbooks/include/proxies-certificates.yml +++ b/playbooks/include/proxies-certificates.yml @@ -30,6 +30,12 @@ - role: httpd/certificate name: wildcard-2017.stg.fedoraproject.org SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert + when: env == "staging" + + - role: httpd/certificate + name: wildcard-2017.app.os.stg.fedoraproject.org + SSLCertificateChainFile: wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert + when: env == "staging" - role: httpd/certificate name: fedoramagazine.org diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index 37dc108a5d..a29b119713 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml @@ -25,6 +25,12 @@ path: /community target: https://apps.fedoraproject.org/packages + - role: httpd/redirect + name: nagios + website: admin.fedoraproject.org + path: /nagios + target: https://nagios.fedoraproject.org/nagios/ + - role: httpd/redirect name: docs website: fedoraproject.org diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index b8d04a6b1b..2f5afdabe0 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -37,13 +37,6 @@ remotepath: /api proxyurl: https://copr.fedorainfracloud.org - - role: httpd/reverseproxy - website: admin.fedoraproject.org - destname: nagios - localpath: /nagios - remotepath: /nagios - proxyurl: http://noc01 - - role: httpd/reverseproxy website: nagios.fedoraproject.org destname: nagios 
@@ -615,6 +608,18 @@ proxyurl: http://localhost:10062 keephost: true + - role: httpd/reverseproxy + website: os.fedoraproject.org + destname: os + proxyurl: http://localhost:10064 + keephost: true + + - role: httpd/reverseproxy + website: app.os.fedoraproject.org + destname: app.os + proxyurl: http://localhost:10065 + keephost: true + - role: httpd/reverseproxy website: data-analysis.fedoraproject.org destname: awstats diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 25492a02c3..cef7fa0a6c 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -556,6 +556,19 @@ sslonly: true cert_name: "{{wildcard_cert_name}}" + - role: httpd/website + name: os.fedoraproject.org + server_aliases: [os.stg.fedoraproject.org] + sslonly: true + cert_name: "{{wildcard_cert_name}}" + + - role: httpd/website + name: app.os.fedoraproject.org + server_aliases: ["*.app.os.fedoraproject.org", "*.app.os.stg.fedoraproject.org"] + sslonly: true + cert_name: "{{os_wildcard_cert_name}}" + SSLCertificateChainFile: wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert + - role: httpd/website name: registry.fedoraproject.org server_aliases: [registry.stg.fedoraproject.org] diff --git a/playbooks/manual/restart-pagure.yml b/playbooks/manual/restart-pagure.yml new file mode 100644 index 0000000000..7608cbe50a --- /dev/null +++ b/playbooks/manual/restart-pagure.yml 
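Review bot: In the `app.os.fedoraproject.org` website entry the certificate comes from `{{os_wildcard_cert_name}}` while `SSLCertificateChainFile` is hard-coded to `wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert`, so in production (where `os_wildcard_cert_name` presumably resolves to the non-stg certificate) httpd would pair the production leaf with the staging intermediate and clients may fail to build the chain. Follow the `<name>.intermediate.cert` convention the other entries use: `SSLCertificateChainFile: "{{os_wildcard_cert_name}}.intermediate.cert"`. Separately, a leaf for `*.app.os.fedoraproject.org` does not match `*.app.os.stg.fedoraproject.org` (a wildcard covers one label), so the staging alias only works if `os_wildcard_cert_name` is switched per env; a comment stating that assumption would help.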
@@ -0,0 +1,22 @@ +- name: reload the frontend + hosts: pagure:pagure-stg + user: root + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + + tasks: + - name: ask puiterwijk if he would like to capture debug info before restarting. + pause: seconds=30 prompt="Restarting pagure, abort if you want to get puiterwijk's attention first." + + - name: Reload apache... + service: name="httpd" state=reloaded + + post_tasks: + - name: tell nagios to unshush w.r.t. apache + nagios: action=unsilence service=host host={{ inventory_hostname_short }}{{ env_suffix }} + delegate_to: noc01.phx2.fedoraproject.org + ignore_errors: true diff --git a/playbooks/manual/restart_pkgdb.yml b/playbooks/manual/restart-pkgdb.yml similarity index 100% rename from playbooks/manual/restart_pkgdb.yml rename to playbooks/manual/restart-pkgdb.yml diff --git a/playbooks/manual/staging-sync/mailman.yml b/playbooks/manual/staging-sync/mailman.yml index f10ef04d04..85b1dd649a 100644 --- a/playbooks/manual/staging-sync/mailman.yml +++ b/playbooks/manual/staging-sync/mailman.yml @@ -13,6 +13,7 @@ - include: "{{ handlers_path }}/restart_services.yml" tasks: + - service: name=webui-qcluster state=stopped - service: name=httpd state=stopped - service: name=mailman3 state=stopped diff --git a/playbooks/manual/upgrade/fmn.yml b/playbooks/manual/upgrade/fmn.yml index 483eb7ae13..e731fa92a0 100644 --- a/playbooks/manual/upgrade/fmn.yml +++ b/playbooks/manual/upgrade/fmn.yml 
@@ -18,12 +18,11 @@ yum: name="python-fmn*" state=latest when: not testing - name: yum update FMN packages from testing repo - yum: pkg={{ item }} state=latest enablerepo=infrastructure-testing - with_items: - - python-fmn - - python-fmn-sse - - python-fmn-web + yum: pkg=python-fmn state=latest enablerepo=infrastructure-testing when: testing + - name: yum update FMN packages from testing repo + yum: pkg=python-fmn state=latest enablerepo=epel-testing + when: env == "staging" - name: verify the frontend and stop it hosts: notifs-web:notifs-web-stg @@ -80,10 +79,10 @@ - fmn-worker@4 - name: Upgrade the database - command: /usr/bin/alembic -c /usr/share/fmn.lib/alembic.ini upgrade head + command: /usr/bin/alembic -c /usr/share/fmn/alembic.ini upgrade head when: env != "staging" args: - chdir: /usr/share/fmn.lib/ + chdir: /usr/share/fmn/ - name: Re-start the workers and the backend service: name={{ item }} state=started diff --git a/playbooks/manual/upgrade/pagure.yml b/playbooks/manual/upgrade/pagure.yml index 349aed29ee..eb429f3ae5 100644 --- a/playbooks/manual/upgrade/pagure.yml +++ b/playbooks/manual/upgrade/pagure.yml @@ -39,11 +39,6 @@ update_cache=yes when: testing - - name: Create new tables in the database - command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py - environment: - PAGURE_CONFIG: /etc/pagure/pagure.cfg - - name: Upgrade the database command: /usr/bin/alembic -c /etc/pagure/alembic.ini upgrade head args: 
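Review bot: The new task reuses the name `yum update FMN packages from testing repo` for the `epel-testing` variant, so `ansible-playbook` output and `--start-at-task` can no longer distinguish the two; rename it, e.g. `- name: yum update FMN packages from epel-testing (staging only)`. Its condition is `env == "staging"` alone rather than `testing and env == "staging"`, so in staging `python-fmn` is pulled from epel-testing on every upgrade run regardless of the `testing` flag — if that is intended, say so in a comment; if not, add `testing` to the `when:`. The play this belongs to starts outside the hunk.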
@@ -51,12 +46,20 @@ environment: PAGURE_CONFIG: /etc/pagure/pagure.cfg + - name: call createdb + command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py + environment: + PAGURE_CONFIG: /etc/pagure/pagure.cfg + post_tasks: - service: name="httpd" state=restarted - service: name="pagure_ev" state=restarted - service: name="pagure_ci" state=restarted - service: name="pagure_webhook" state=restarted - service: name="pagure_milter" state=restarted + - service: name="pagure_worker" state=restarted + - service: name="pagure_logcom" state=restarted + - service: name="pagure_loadjson" state=restarted - name: tell nagios to unshush w.r.t. the frontend nagios: action=unsilence diff --git a/roles/ansible-ansible-openshift-ansible/defaults/main.yml b/roles/ansible-ansible-openshift-ansible/defaults/main.yml index ab724b1db4..f0c635b58c 100644 --- a/roles/ansible-ansible-openshift-ansible/defaults/main.yml +++ b/roles/ansible-ansible-openshift-ansible/defaults/main.yml 
@@ -1,12 +1,66 @@ --- # defaults file for ansible-ansible-openshift-ansible # +# +# + +# Auth Profile +# These are Fedora Infra specific auth profiles +# +# Acceptable values: +# osbs - this will configure htpasswd for use with osbs +# fedoraidp - configure for fedora idp +# fedoraidp-stg - configure for fedora idp staging env +openshift_auth_profile: osbs + +# Do we want OpenShift itself to be containerized? +# This is a requirement if using Atomic Host +# +# As of v3.5.x this would mean that all our systems would completely go down +# in the event the docker daemon were to restart or crash. +# +# In the future (as of v3.6 devel branch), this is done with system containers +# and won't be bound to the docker daemon. +openshift_ansible_containerized_deploy: false + +# This will co-host the infra nodes with the primary nodes +openshift_shared_infra: false + +# OpenShift Cluster URL +# Example: openshift.fedoraproject.org +openshift_cluster_url: None + +# OpenShift Console and API listening ports +# These default to 8443 in openshift-ansible +openshift_api_port: 8443 +openshift_console_port: 8443 + +# OpenShift Applications Ingress subdomain (OpenShift routes) +openshift_app_subdomain: None + +# Setup native OpenShift Master High Availability (true or false) +openshift_master_ha: false # Destination file name for template-generated cluster inventory cluster_inventory_filename: "cluster-inventory" +# Ansible user for use with openshift-ansible playbooks +openshift_ansible_ssh_user: root + +# OpenShift Debug level (Default is 2 upstream) +openshift_debug_level: 2 + # Release required as per the openshift-ansible -openshift_release: "v1.2" +openshift_release: "v1.5.0" + +# OpenShift Deployment Type +# Possible options: +# origin +# openshift-enterprise +deployment_type: origin + +# Install the OpenShift App Examples (value should be "true" or "false") +openshift_ansible_install_examples: false # Path to clone the openshift-ansible git repo into openshift_ansible_path: 
"/root/openshift-ansible" @@ -28,4 +82,5 @@ openshift_ansible_version: "openshift-ansible-3.2.35-1" # empty causing undesired effects. openshift_cluster_masters_group: "openshift-cluster-masters" openshift_cluster_nodes_group: "openshift-cluster-nodes" +openshift_cluster_infra_group: "openshift-cluster-nodes" diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index 33637099d8..bf1ef9b613 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml @@ -20,19 +20,19 @@ src: "cluster-inventory.j2" dest: "{{ openshift_ansible_path }}/{{ cluster_inventory_filename }}" -- name: run ansible - shell: "ansible-playbook {{ openshift_ansible_playbook }} -i {{ cluster_inventory_filename }}" - args: - chdir: "{{ openshift_ansible_path }}" - register: run_ansible_out +#- name: run ansible +# shell: "ansible-playbook {{ openshift_ansible_playbook }} -i {{ cluster_inventory_filename }}" +# args: +# chdir: "{{ openshift_ansible_path }}" +# register: run_ansible_out -- name: display run ansible stdout_lines - debug: - var: run_ansible_out.stdout_lines +#- name: display run ansible stdout_lines +# debug: +# var: run_ansible_out.stdout_lines -- name: display run ansible stderr - debug: - var: run_ansible_out.stderr +#- name: display run ansible stderr +# debug: +# var: run_ansible_out.stderr diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 620cea2214..c8a069b109 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 
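Review bot: `openshift_cluster_url: None` and `openshift_app_subdomain: None` are YAML strings, not null, so the template guard `{% if openshift_app_subdomain %}` is truthy and a playbook that does not override the default would get `openshift_master_default_subdomain=None` written into the generated inventory; use empty values instead: `openshift_cluster_url: ""` and `openshift_app_subdomain: ""`. The deployment-type default is named `deployment_type`, but both the playbooks and the template reference `openshift_deployment_type`, so a play relying on the default fails with an undefined variable; rename it `openshift_deployment_type: origin`. The defaults file continues outside the hunk.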
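Review bot: Commenting out the `run ansible` task and its two debug tasks leaves a role that renders `cluster-inventory` but never applies it, with nothing in the file saying why or whether this is temporary. Delete the dead lines and gate the real run behind a documented boolean role default instead, with a comment such as `# The openshift-ansible run is deliberately manual for now: review the rendered inventory, then run it by hand.` so the intent survives the next `git blame`.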
@@ -1,17 +1,777 @@ +# This is based on the example inventories provided by the upstream +# openshift-ansible project available: +# https://github.com/openshift/openshift-ansible/tree/master/inventory/byo + + +# Create an OSEv3 group that contains the masters and nodes groups [OSEv3:children] masters nodes etcd -lb +# Add this if using nfs and have defined the nfs group +#nfs + +# Set variables common for all OSEv3 hosts [OSEv3:vars] -ansible_ssh_user=root -debug_level=2 -deployment_type=origin -openshift_release={{ openshift_release }} +# SSH user, this user should allow ssh based auth without requiring a +# password. If using ssh key based auth, then the key should be managed by an +# ssh agent. +ansible_ssh_user={{openshift_ansible_ssh_user}} + +# OpenShift Containerized deployment or not? +containerized={{openshift_ansible_containerized_deploy}} + +{% if openshift_ansible_ssh_user != "root" %} +# If ansible_ssh_user is not root, ansible_become must be set to true and the +# user must be configured for passwordless sudo +ansible_become=yes +{% endif %} + +# Debug level for all OpenShift components (Defaults to 2) +debug_level={{openshift_debug_level}} + +# Specify the deployment type. Valid values are origin and openshift-enterprise. +deployment_type={{openshift_deployment_type}} + +# Specify the generic release of OpenShift to install. This is used mainly just during installation, after which we +# rely on the version running on the first master. Works best for containerized installs where we can usually +# use this to lookup the latest exact version of the container images, which is the tag actually used to configure +# the cluster. For RPM installations we just verify the version detected in your configured repos matches this +# release. +openshift_release={{openshift_release}} + +# Specify an exact container image tag to install or configure. 
+# WARNING: This value will be used for all hosts in containerized environments, even those that have another version installed. +# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. +#openshift_image_tag=v3.5.0 + +# Specify an exact rpm version to install or configure. +# WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed. +# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. +#openshift_pkg_version=-3.5.0 + +# Install the openshift examples +{% if openshift_ansible_install_examples is defined %} +openshift_install_examples={{openshift_ansible_install_examples}} +{% endif %} + +# Configure logoutURL in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#changing-the-logout-url +#openshift_master_logout_url=http://example.com + +# Configure extensionScripts in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#loading-custom-scripts-and-stylesheets +#openshift_master_extension_scripts=['/path/to/script1.js','/path/to/script2.js'] + +# Configure extensionStylesheets in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#loading-custom-scripts-and-stylesheets +#openshift_master_extension_stylesheets=['/path/to/stylesheet1.css','/path/to/stylesheet2.css'] + +# Configure extensions in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files +#openshift_master_extensions=[{'name': 'images', 'sourceDirectory': '/path/to/my_images'}] + +# Configure extensions in the master config for console customization +# See: 
https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files +#openshift_master_oauth_template=/path/to/login-template.html + +# Configure imagePolicyConfig in the master config +# See: https://godoc.org/github.com/openshift/origin/pkg/cmd/server/api#ImagePolicyConfig +#openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": true} + +# Docker Configuration +# Add additional, insecure, and blocked registries to global docker configuration +# For enterprise deployment types we ensure that registry.access.redhat.com is +# included if you do not include it +#openshift_docker_additional_registries=registry.example.com +#openshift_docker_insecure_registries=registry.example.com +#openshift_docker_blocked_registries=registry.hacker.com +# Disable pushing to dockerhub +#openshift_docker_disable_push_dockerhub=True +# Use Docker inside a System Container. Note that this is a tech preview and should +# not be used to upgrade! +# The following options for docker are ignored: +# - docker_version +# - docker_upgrade +# The following options must not be used +# - openshift_docker_options +#openshift_docker_use_system_container=False +# Force the registry to use for the system container. By default the registry +# will be built off of the deployment type and ansible_distribution. Only +# use this option if you are sure you know what you are doing! +#openshift_docker_systemcontainer_image_registry_override="registry.example.com" +# Items added, as is, to end of /etc/sysconfig/docker OPTIONS +# Default value: "--log-driver=journald" +#openshift_docker_options="-l warn --ipv6=false" + +# Specify exact version of Docker to configure or upgrade to. +# Downgrades are not supported and will error out. Be careful when upgrading docker from < 1.10 to > 1.10. +# docker_version="1.12.1" + +# Skip upgrading Docker during an OpenShift upgrade, leaves the current Docker version alone. 
+# docker_upgrade=False + +# Specify exact version of etcd to configure or upgrade to. +# etcd_version="3.1.0" +# Enable etcd debug logging, defaults to false +# etcd_debug=true +# Set etcd log levels by package +# etcd_log_package_levels="etcdserver=WARNING,security=DEBUG" + +# Upgrade Hooks +# +# Hooks are available to run custom tasks at various points during a cluster +# upgrade. Each hook should point to a file with Ansible tasks defined. Suggest using +# absolute paths, if not the path will be treated as relative to the file where the +# hook is actually used. +# +# Tasks to run before each master is upgraded. +# openshift_master_upgrade_pre_hook=/usr/share/custom/pre_master.yml +# +# Tasks to run to upgrade the master. These tasks run after the main openshift-ansible +# upgrade steps, but before we restart system/services. +# openshift_master_upgrade_hook=/usr/share/custom/master.yml +# +# Tasks to run after each master is upgraded and system/services have been restarted. +# openshift_master_upgrade_post_hook=/usr/share/custom/post_master.yml + + +# Alternate image format string, useful if you've got your own registry mirror +#oreg_url=example.com/openshift3/ose-${component}:${version} +# If oreg_url points to a registry other than registry.access.redhat.com we can +# modify image streams to point at that registry by setting the following to true +#openshift_examples_modify_imagestreams=true + +# Additional yum repos to install +#openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://example.com/puddle/build/AtomicOpenShift/3.1/latest/RH7-RHOSE-3.0/$basearch/os', 'enabled': 1, 'gpgcheck': 0}] + +# Defining htpasswd users +#openshift_master_htpasswd_users={'user1': '', 'user2': ''} +# or +#openshift_master_htpasswd_file= + +# OSBS Specific Auth +{% if openshift_auth_profile == "osbs" %} openshift_master_manage_htpasswd=false openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 
'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '{{ openshift_htpasswd_file }}'}] -openshift_master_public_api_url={{ openshift_master_public_api_url }} +{% endif %} + +{% if openshift_auth_profile == "fedoraidp" %} +openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_client_secret}}", "extraScopes": ["profile", "email", "https://id.fedoraproject.org/scope/groups"], "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}] +{% endif %} + +{% if openshift_auth_profile == "fedoraidp-stg" %} +openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_stg_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}] +{% endif %} + +# Allow all auth +#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}] + +# LDAP auth +#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': 'my-ldap-ca.crt', 'insecure': 'false', 'url': 
'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}] +# +# Configure LDAP CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the LDAPPasswordIdentityProvider. +# +#openshift_master_ldap_ca= +# or +#openshift_master_ldap_ca_file= + +# OpenID auth +#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}] +# +# Configure OpenID CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the OpenIDIdentityProvider. 
+# +#openshift_master_openid_ca= +# or +#openshift_master_openid_ca_file= + +# Request header auth +#openshift_master_identity_providers=[{"name": "my_request_header_provider", "challenge": "true", "login": "true", "kind": "RequestHeaderIdentityProvider", "challengeURL": "https://www.example.com/challenging-proxy/oauth/authorize?${query}", "loginURL": "https://www.example.com/login-proxy/oauth/authorize?${query}", "clientCA": "my-request-header-ca.crt", "clientCommonNames": ["my-auth-proxy"], "headers": ["X-Remote-User", "SSO-User"], "emailHeaders": ["X-Remote-User-Email"], "nameHeaders": ["X-Remote-User-Display-Name"], "preferredUsernameHeaders": ["X-Remote-User-Login"]}] +# +# Configure request header CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "clientCA" +# key set within the RequestHeaderIdentityProvider. +# +#openshift_master_request_header_ca= +# or +#openshift_master_request_header_ca_file= + +{% if openshift_master_ha is defined %} +{% if openshift_master_ha %} +# Native high availability cluster method with optional load balancer. +# If no lb group is defined, the installer assumes that a load balancer has +# been preconfigured. For installation the value of +# openshift_master_cluster_hostname must resolve to the load balancer +# or to one or all of the masters defined in the inventory if no load +# balancer is present. 
+openshift_master_cluster_method=native
+openshift_master_cluster_hostname={{openshift_internal_cluster_url}}
+openshift_master_cluster_public_hostname={{openshift_cluster_url}}
+{% endif %}
+{% endif %}
+
+# Override the default controller lease ttl
+#osm_controller_lease_ttl=30
+
+# Configure controller arguments
+#osm_controller_args={'resource-quota-sync-period': ['10s']}
+
+# Configure api server arguments
+#osm_api_server_args={'max-requests-inflight': ['400']}
+
+# default subdomain to use for exposed routes
+{% if openshift_app_subdomain is defined %}
+{% if openshift_app_subdomain %}
+openshift_master_default_subdomain={{openshift_app_subdomain}}
+{% endif %}
+{% endif %}
+
+# additional cors origins
+#osm_custom_cors_origins=['foo.example.com', 'bar.example.com']
+
+# default project node selector
+#osm_default_node_selector='region=primary'
+
+# Override the default pod eviction timeout
+#openshift_master_pod_eviction_timeout=5m
+
+# Override the default oauth tokenConfig settings:
+# openshift_master_access_token_max_seconds=86400
+# openshift_master_auth_token_max_seconds=500
+
+# Override master servingInfo.maxRequestsInFlight
+#openshift_master_max_requests_inflight=500
+
+# Override master and node servingInfo.minTLSVersion and .cipherSuites
+# valid TLS versions are VersionTLS10, VersionTLS11, VersionTLS12
+# example cipher suites override, valid cipher suites are https://golang.org/pkg/crypto/tls/#pkg-constants
+#openshift_master_min_tls_version=VersionTLS12
+#openshift_master_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...']
+#
+#openshift_node_min_tls_version=VersionTLS12
+#openshift_node_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...']
+
+# default storage plugin dependencies to install, by default the ceph and
+# glusterfs plugin dependencies will be installed, if available.
+#osn_storage_plugin_deps=['ceph','glusterfs']
+
+# OpenShift Router Options
+#
+# An OpenShift router will be created during install if there are
+# nodes present with labels matching the default router selector,
+# "region=infra". Set openshift_node_labels per node as needed in
+# order to label nodes.
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_labels="{'region': 'infra'}"
+#
+# Router selector (optional)
+# Router will only be created if nodes matching this label are present.
+# Default value: 'region=infra'
+#openshift_hosted_router_selector='region=infra'
+#
+# Router replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift router selector.
+#openshift_hosted_router_replicas=2
+#
+# Router force subdomain (optional)
+# A router path format to force on all routes used by this router
+# (will ignore the route host value)
+#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com'
+#
+# Router certificate (optional)
+# Provide local certificate paths which will be configured as the
+# router's default certificate.
+#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
+#
+# Disable management of the OpenShift Router
+#openshift_hosted_manage_router=false
+#
+# Router sharding support has been added and can be achieved by supplying the correct
+# data to the inventory. The variable to house the data is openshift_hosted_routers
+# and is in the form of a list. If no data is passed then a default router will be
+# created. There are multiple combinations of router sharding. The one described
+# below supports routers on separate nodes.
+#openshift_hosted_routers:
+#- name: router1
+# stats_port: 1936
+# ports:
+# - 80:80
+# - 443:443
+# replicas: 1
+# namespace: default
+# serviceaccount: router
+# selector: type=router1
+# images: "openshift3/ose-${component}:${version}"
+# edits: []
+# certificates:
+# certfile: /path/to/certificate/abc.crt
+# keyfile: /path/to/certificate/abc.key
+# cafile: /path/to/certificate/ca.crt
+#- name: router2
+# stats_port: 1936
+# ports:
+# - 80:80
+# - 443:443
+# replicas: 1
+# namespace: default
+# serviceaccount: router
+# selector: type=router2
+# images: "openshift3/ose-${component}:${version}"
+# certificates:
+# certfile: /path/to/certificate/xyz.crt
+# keyfile: /path/to/certificate/xyz.key
+# cafile: /path/to/certificate/ca.crt
+# edits:
+# # ROUTE_LABELS sets the router to listen for routes
+# # tagged with the provided values
+# - key: spec.template.spec.containers[0].env
+# value:
+# name: ROUTE_LABELS
+# value: "route=external"
+# action: append
+
+# OpenShift Registry Console Options
+# Override the console image prefix for enterprise deployments, not used in origin
+# default is "registry.access.redhat.com/openshift3/" and the image appended is "registry-console"
+#openshift_cockpit_deployer_prefix=registry.example.com/myrepo/
+# Override image version, defaults to latest for origin, matches the product version for enterprise
+#openshift_cockpit_deployer_version=1.4.1
+
+# Openshift Registry Options
+#
+# An OpenShift registry will be created during install if there are
+# nodes present with labels matching the default registry selector,
+# "region=infra". Set openshift_node_labels per node as needed in
+# order to label nodes.
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_labels="{'region': 'infra'}"
+#
+# Registry selector (optional)
+# Registry will only be created if nodes matching this label are present.
+# Default value: 'region=infra'
+#openshift_hosted_registry_selector='region=infra'
+#
+# Registry replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift registry selector.
+#openshift_hosted_registry_replicas=2
+#
+# Validity of the auto-generated certificate in days (optional)
+#openshift_hosted_registry_cert_expire_days=730
+#
+# Disable management of the OpenShift Registry
+#openshift_hosted_manage_registry=false
+
+# Registry Storage Options
+#
+# NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group. For example, the volume
+# path using these options would be "/exports/registry"
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/registry"
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_host=nfs.example.com
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# Openstack
+# Volume must already exist.
+#openshift_hosted_registry_storage_kind=openstack
+#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_registry_storage_openstack_filesystem=ext4
+#openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# Native GlusterFS Registry Storage
+#openshift_hosted_registry_storage_kind=glusterfs
+#
+# AWS S3
+#
+# S3 bucket must already exist.
+#openshift_hosted_registry_storage_kind=object
+#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
+#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
+#openshift_hosted_registry_storage_s3_bucket=bucket_name
+#openshift_hosted_registry_storage_s3_region=bucket_region
+#openshift_hosted_registry_storage_s3_chunksize=26214400
+#openshift_hosted_registry_storage_s3_rootdirectory=/registry
+#openshift_hosted_registry_pullthrough=true
+#openshift_hosted_registry_acceptschema2=true
+#openshift_hosted_registry_enforcequota=true
+#
+# Any S3 service (Minio, ExoScale, ...): Basically the same as above
+# but with regionendpoint configured
+# S3 bucket must already exist.
+#openshift_hosted_registry_storage_kind=object
+#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_accesskey=access_key_id
+#openshift_hosted_registry_storage_s3_secretkey=secret_access_key
+#openshift_hosted_registry_storage_s3_regionendpoint=https://myendpoint.example.com/
+#openshift_hosted_registry_storage_s3_bucket=bucket_name
+#openshift_hosted_registry_storage_s3_region=bucket_region
+#openshift_hosted_registry_storage_s3_chunksize=26214400
+#openshift_hosted_registry_storage_s3_rootdirectory=/registry
+#openshift_hosted_registry_pullthrough=true
+#openshift_hosted_registry_acceptschema2=true
+#openshift_hosted_registry_enforcequota=true
+#
+# Additional CloudFront Options. When using CloudFront all three
+# of the followingg variables must be defined.
+#openshift_hosted_registry_storage_s3_cloudfront_baseurl=https://myendpoint.cloudfront.net/
+#openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile=/full/path/to/secret.pem
+#openshift_hosted_registry_storage_s3_cloudfront_keypairid=yourpairid
+
+# Metrics deployment
+# See: https://docs.openshift.com/enterprise/latest/install_config/cluster_metrics.html
+#
+# By default metrics are not automatically deployed, set this to enable them
+# openshift_hosted_metrics_deploy=true
+#
+# Storage Options
+# If openshift_hosted_metrics_storage_kind is unset then metrics will be stored
+# in an EmptyDir volume and will be deleted when the cassandra pod terminates.
+# Storage options A & B currently support only one cassandra pod which is
+# generally enough for up to 1000 pods. Additional volumes can be created
+# manually after the fact and metrics scaled per the docs.
+#
+# Option A - NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group. For example, the volume
+# path using these options would be "/exports/metrics"
+#openshift_hosted_metrics_storage_kind=nfs
+#openshift_hosted_metrics_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_metrics_storage_nfs_directory=/exports
+#openshift_hosted_metrics_storage_nfs_options='*(rw,root_squash)'
+#openshift_hosted_metrics_storage_volume_name=metrics
+#openshift_hosted_metrics_storage_volume_size=10Gi
+#
+# Option B - External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/metrics"
+#openshift_hosted_metrics_storage_kind=nfs
+#openshift_hosted_metrics_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_metrics_storage_host=nfs.example.com
+#openshift_hosted_metrics_storage_nfs_directory=/exports
+#openshift_hosted_metrics_storage_volume_name=metrics
+#openshift_hosted_metrics_storage_volume_size=10Gi
+#
+# Option C - Dynamic -- If openshift supports dynamic volume provisioning for
+# your cloud platform use this.
+#openshift_hosted_metrics_storage_kind=dynamic
+#
+# Other Metrics Options -- Common items you may wish to reconfigure, for the complete
+# list of options please see roles/openshift_metrics/README.md
+#
+# Override metricsPublicURL in the master config for cluster metrics
+# Defaults to https://hawkular-metrics.openshift_master_default_subdomain/hawkular/metrics
+# Currently, you may only alter the hostname portion of the url, alterting the
+# `/hawkular/metrics` path will break installation of metrics.
+#openshift_hosted_metrics_public_url=https://hawkular-metrics.example.com/hawkular/metrics
+
+# Logging deployment
+#
+# Currently logging deployment is disabled by default, enable it by setting this
+#openshift_hosted_logging_deploy=true
+#
+# Logging storage config
+# Option A - NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group. For example, the volume
+# path using these options would be "/exports/logging"
+#openshift_hosted_logging_storage_kind=nfs
+#openshift_hosted_logging_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_logging_storage_nfs_directory=/exports
+#openshift_hosted_logging_storage_nfs_options='*(rw,root_squash)'
+#openshift_hosted_logging_storage_volume_name=logging
+#openshift_hosted_logging_storage_volume_size=10Gi
+#
+# Option B - External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/logging"
+#openshift_hosted_logging_storage_kind=nfs
+#openshift_hosted_logging_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_logging_storage_host=nfs.example.com
+#openshift_hosted_logging_storage_nfs_directory=/exports
+#openshift_hosted_logging_storage_volume_name=logging
+#openshift_hosted_logging_storage_volume_size=10Gi
+#
+# Option C - Dynamic -- If openshift supports dynamic volume provisioning for
+# your cloud platform use this.
+#openshift_hosted_logging_storage_kind=dynamic
+#
+# Option D - none -- Logging will use emptydir volumes which are destroyed when
+# pods are deleted
+#
+# Other Logging Options -- Common items you may wish to reconfigure, for the complete
+# list of options please see roles/openshift_logging/README.md
+#
+# Configure loggingPublicURL in the master config for aggregate logging, defaults
+# to kibana.openshift_master_default_subdomain
+#openshift_hosted_logging_hostname=logging.apps.example.com
+# Configure the number of elastic search nodes, unless you're using dynamic provisioning
+# this value must be 1
+#openshift_hosted_logging_elasticsearch_cluster_size=1
+# Configure the prefix and version for the component images
+#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/
+#openshift_hosted_logging_deployer_version=3.5.0
+
+# Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
+# os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
+
+# Disable the OpenShift SDN plugin
+# openshift_use_openshift_sdn=False
+
+# Configure SDN cluster network and kubernetes service CIDR blocks. These
+# network blocks should be private and should not conflict with network blocks
+# in your infrastructure that pods may require access to. Can not be changed
+# after deployment.
+#
+# WARNING : Do not pick subnets that overlap with the default Docker bridge subnet of
+# 172.17.0.0/16. Your installation will fail and/or your configuration change will
+# cause the Pod SDN or Cluster SDN to fail.
+#
+# WORKAROUND : If you must use an overlapping subnet, you can configure a non conflicting
+# docker0 CIDR range by adding '--bip=192.168.2.1/24' to DOCKER_NETWORK_OPTIONS
+# environment variable located in /etc/sysconfig/docker-network.
+#osm_cluster_network_cidr=10.128.0.0/14
+#openshift_portal_net=172.30.0.0/16
+
+# ExternalIPNetworkCIDRs controls what values are acceptable for the
+# service external IP field. If empty, no externalIP may be set. It
+# may contain a list of CIDRs which are checked for access. If a CIDR
+# is prefixed with !, IPs in that CIDR will be rejected. Rejections
+# will be applied first, then the IP checked against one of the
+# allowed CIDRs. You should ensure this range does not overlap with
+# your nodes, pods, or service CIDRs for security reasons.
+#openshift_master_external_ip_network_cidrs=['0.0.0.0/0']
+
+# IngressIPNetworkCIDR controls the range to assign ingress IPs from for
+# services of type LoadBalancer on bare metal. If empty, ingress IPs will not
+# be assigned. It may contain a single CIDR that will be allocated from. For
+# security reasons, you should ensure that this range does not overlap with
+# the CIDRs reserved for external IPs, nodes, pods, or services.
+#openshift_master_ingress_ip_network_cidr=172.46.0.0/16
+
+# Configure number of bits to allocate to each host's subnet e.g. 9
+# would mean a /23 network on the host.
+#osm_host_subnet_length=9
+
+# Configure master API and console ports.
+# These will default to 8443
+{% if openshift_api_port is defined and openshift_console_port is defined %}
+{% if openshift_api_port and openshift_console_port %}
+openshift_master_api_port={{openshift_api_port}}
+openshift_master_console_port={{openshift_console_port}}
+{% endif %}
+{% endif %}
+
+
+# set RPM version for debugging purposes
+#openshift_pkg_version=-3.1.0.0
+
+# Configure custom ca certificate
+#openshift_master_ca_certificate={'certfile': '/path/to/ca.crt', 'keyfile': '/path/to/ca.key'}
+#
+# NOTE: CA certificate will not be replaced with existing clusters.
+# This option may only be specified when creating a new cluster or
+# when redeploying cluster certificates with the redeploy-certificates
+# playbook.
+
+# Configure custom named certificates (SNI certificates)
+#
+# https://docs.openshift.com/enterprise/latest/install_config/certificate_customization.html
+#
+# NOTE: openshift_master_named_certificates is cached on masters and is an
+# additive fact, meaning that each run with a different set of certificates
+# will add the newly provided certificates to the cached set of certificates.
+#
+# An optional CA may be specified for each named certificate. CAs will
+# be added to the OpenShift CA bundle which allows for the named
+# certificate to be served for internal cluster communication.
+#
+# If you would like openshift_master_named_certificates to be overwritten with
+# the provided value, specify openshift_master_overwrite_named_certificates.
+#openshift_master_overwrite_named_certificates=true
+#
+# Provide local certificate paths which will be deployed to masters
+#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}]
+#
+# Detected names may be overridden by specifying the "names" key
+#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}]
+
+# Session options
+#openshift_master_session_name=ssn
+#openshift_master_session_max_seconds=3600
+
+# An authentication and encryption secret will be generated if secrets
+# are not provided. If provided, openshift_master_session_auth_secrets
+# and openshift_master_encryption_secrets must be equal length.
+#
+# Signing secrets, used to authenticate sessions using
+# HMAC. Recommended to use secrets with 32 or 64 bytes.
+#openshift_master_session_auth_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
+#
+# Encrypting secrets, used to encrypt sessions. Must be 16, 24, or 32
+# characters long, to select AES-128, AES-192, or AES-256.
+#openshift_master_session_encryption_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
+
+# configure how often node iptables rules are refreshed
+#openshift_node_iptables_sync_period=5s
+
+# Configure nodeIP in the node config
+# This is needed in cases where node traffic is desired to go over an
+# interface other than the default network interface.
+#openshift_set_node_ip=True
+
+# Force setting of system hostname when configuring OpenShift
+# This works around issues related to installations that do not have valid dns
+# entries for the interfaces attached to the host.
+#openshift_set_hostname=True
+
+# Configure dnsIP in the node config
+#openshift_dns_ip=172.30.0.1
+
+# Configure node kubelet arguments. pods-per-core is valid in OpenShift Origin 1.3 or OpenShift Container Platform 3.3 and later.
+#openshift_node_kubelet_args={'pods-per-core': ['10'], 'max-pods': ['250'], 'image-gc-high-threshold': ['90'], 'image-gc-low-threshold': ['80']}
+
+# Configure logrotate scripts
+# See: https://github.com/nickhammond/ansible-logrotate
+#logrotate_scripts=[{"name": "syslog", "path": "/var/log/cron\n/var/log/maillog\n/var/log/messages\n/var/log/secure\n/var/log/spooler\n", "options": ["daily", "rotate 7", "compress", "sharedscripts", "missingok"], "scripts": {"postrotate": "/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true"}}]
+
+# openshift-ansible will wait indefinitely for your input when it detects that the
+# value of openshift_hostname resolves to an IP address not bound to any local
+# interfaces. This mis-configuration is problematic for any pod leveraging host
+# networking and liveness or readiness probes.
+# Setting this variable to true will override that check.
+#openshift_override_hostname_check=true
+
+# Configure dnsmasq for cluster dns, switch the host's local resolver to use dnsmasq
+# and configure node's dnsIP to point at the node's local dnsmasq instance. Defaults
+# to True for Origin 1.2 and OSE 3.2. False for 1.1 / 3.1 installs, this cannot
+# be used with 1.0 and 3.0.
+#openshift_use_dnsmasq=False
+# Define an additional dnsmasq.conf file to deploy to /etc/dnsmasq.d/openshift-ansible.conf
+# This is useful for POC environments where DNS may not actually be available yet or to set
+# options like 'strict-order' to alter dnsmasq configuration.
+#openshift_node_dnsmasq_additional_config_file=/home/bob/ose-dnsmasq.conf
+
+# Global Proxy Configuration
+# These options configure HTTP_PROXY, HTTPS_PROXY, and NOPROXY environment
+# variables for docker and master services.
+#openshift_http_proxy=http://USER:PASSWORD@IPADDR:PORT
+#openshift_https_proxy=https://USER:PASSWORD@IPADDR:PORT
+#openshift_no_proxy='.hosts.example.com,some-host.com'
+#
+# Most environments don't require a proxy between openshift masters, nodes, and
+# etcd hosts. So automatically add those hostnames to the openshift_no_proxy list.
+# If all of your hosts share a common domain you may wish to disable this and
+# specify that domain above.
+#openshift_generate_no_proxy_hosts=True
+#
+# These options configure the BuildDefaults admission controller which injects
+# configuration into Builds. Proxy related values will default to the global proxy
+# config values. You only need to set these if they differ from the global proxy settings.
+# See BuildDefaults documentation at
+# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html
+#openshift_builddefaults_http_proxy=http://USER:PASSWORD@HOST:PORT
+#openshift_builddefaults_https_proxy=https://USER:PASSWORD@HOST:PORT
+#openshift_builddefaults_no_proxy=mycorp.com
+#openshift_builddefaults_git_http_proxy=http://USER:PASSWORD@HOST:PORT
+#openshift_builddefaults_git_https_proxy=https://USER:PASSWORD@HOST:PORT
+#openshift_builddefaults_git_no_proxy=mycorp.com
+#openshift_builddefaults_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}]
+#openshift_builddefaults_nodeselectors={'nodelabel1':'nodelabelvalue1'}
+#openshift_builddefaults_annotations={'annotationkey1':'annotationvalue1'}
+#openshift_builddefaults_resources_requests_cpu=100m
+#openshift_builddefaults_resources_requests_memory=256m
+#openshift_builddefaults_resources_limits_cpu=1000m
+#openshift_builddefaults_resources_limits_memory=512m
+
+# Or you may optionally define your own build defaults configuration serialized as json
+#openshift_builddefaults_json='{"BuildDefaults":{"configuration":{"apiVersion":"v1","env":[{"name":"HTTP_PROXY","value":"http://proxy.example.com.redhat.com:3128"},{"name":"NO_PROXY","value":"ose3-master.example.com"}],"gitHTTPProxy":"http://proxy.example.com:3128","gitNoProxy":"ose3-master.example.com","kind":"BuildDefaultsConfig"}}}'
+
+# These options configure the BuildOverrides admission controller which injects
+# configuration into Builds.
+# See BuildOverrides documentation at
+# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html
+#openshift_buildoverrides_force_pull=true
+#openshift_buildoverrides_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}]
+#openshift_buildoverrides_nodeselectors={'nodelabel1':'nodelabelvalue1'}
+#openshift_buildoverrides_annotations={'annotationkey1':'annotationvalue1'}
+
+# Or you may optionally define your own build overrides configuration serialized as json
+#openshift_buildoverrides_json='{"BuildOverrides":{"configuration":{"apiVersion":"v1","kind":"BuildDefaultsConfig","forcePull":"true"}}}'
+
+# masterConfig.volumeConfig.dynamicProvisioningEnabled, configurable as of 1.2/3.2, enabled by default
+#openshift_master_dynamic_provisioning_enabled=False
+
+# Admission plugin config
+#openshift_master_admission_plugin_config={"ProjectRequestLimit":{"configuration":{"apiVersion":"v1","kind":"ProjectRequestLimitConfig","limits":[{"selector":{"admin":"true"}},{"maxProjects":"1"}]}},"PodNodeConstraints":{"configuration":{"apiVersion":"v1","kind":"PodNodeConstraintsConfig"}}}
+
+# Configure usage of openshift_clock role.
+#openshift_clock_enabled=true
+
+# OpenShift Per-Service Environment Variables
+# Environment variables are added to /etc/sysconfig files for
+# each OpenShift service: node, master (api and controllers).
+# API and controllers environment variables are merged in single
+# master environments.
+#openshift_master_api_env_vars={"ENABLE_HTTP2": "true"}
+#openshift_master_controllers_env_vars={"ENABLE_HTTP2": "true"}
+#openshift_node_env_vars={"ENABLE_HTTP2": "true"}
+
+# Enable API service auditing, available as of 3.2
+#openshift_master_audit_config={"enabled": true}
+
+# Validity of the auto-generated OpenShift certificates in days.
+# See also openshift_hosted_registry_cert_expire_days above.
+#
+#openshift_ca_cert_expire_days=1825
+#openshift_node_cert_expire_days=730
+#openshift_master_cert_expire_days=730
+
+# Validity of the auto-generated external etcd certificates in days.
+# Controls validity for etcd CA, peer, server and client certificates.
+#
+#etcd_ca_default_days=1825
+
+# NOTE: Currently we require that masters be part of the SDN which requires that they also be nodes
+# However, in order to ensure that your masters are not burdened with running pods you should
+# make them unschedulable by adding openshift_schedulable=False any node that's also a master.
 [masters]
 {% for host in groups[openshift_cluster_masters_group] %}
@@ -23,15 +783,43 @@ openshift_master_public_api_url={{ openshift_master_public_api_url }}
 {{ host }}
 {% endfor %}
-[lb]
-{% for host in groups[openshift_cluster_masters_group] %}
-{{ host }}
-{% endfor %}
+{% if openshift_shared_infra is defined %}
+{% if openshift_shared_infra %}
 [nodes]
 {% for host in groups[openshift_cluster_masters_group] %}
-{{ host }} openshift_node_labels="{'region':'infra'}" openshift_schedulable=False
+{{ host }} openshift_schedulable=False
+{% endfor %}
+{% for host in groups[openshift_cluster_nodes_group] %}
+{{ host }} openshift_node_labels="{'region': 'infra', 'zone': 'default'}"
+{% endfor %}
+
+{% else %}
+
+[nodes]
+{% for host in groups[openshift_cluster_infra_group] %}
+{{ host }} openshift_node_labels="{'region':'infra'}"
+{% endfor %}
+{% for host in groups[openshift_cluster_masters_group] %}
+{{ host }} openshift_schedulable=False
 {% endfor %}
 {% for host in groups[openshift_cluster_nodes_group] %}
 {{ host }} openshift_node_labels="{'region': 'primary', 'zone': 'default'}"
-{% endfor %}
\ No newline at end of file
+{% endfor %}
+
+{% endif %}
+
+{% else %}
+
+[nodes]
+{% for host in groups[openshift_cluster_infra_group] %}
+{{ host }} openshift_node_labels="{'region':'infra'}"
+{% endfor %}
+{% for host in groups[openshift_cluster_masters_group] %}
+{{ host }} openshift_schedulable=False
+{% endfor %}
+{% for host in groups[openshift_cluster_nodes_group] %}
+{{ host }} openshift_node_labels="{'region': 'primary', 'zone': 'default'}"
+{% endfor %}
+
+{% endif %}
diff --git a/roles/autocloud/backend/tasks/main.yml b/roles/autocloud/backend/tasks/main.yml
index 5e61d09479..a9fa50e744 100644
--- a/roles/autocloud/backend/tasks/main.yml
+++ b/roles/autocloud/backend/tasks/main.yml
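Review bot: The inner `{% else %}` (openshift_shared_infra defined but false) and the outer `{% else %}` (undefined) render byte-identical ten-line `[nodes]` blocks, so the template now carries the same block twice and the two copies can drift apart on the next edit; folding the nested tests into `{% if openshift_shared_infra is defined and openshift_shared_infra %}` with a single `{% else %}` leaves one copy. Removing the `[lb]` group while the earlier hunk sets `openshift_master_cluster_method=native` (its own comment says the installer then assumes a preconfigured load balancer) means `openshift_master_cluster_hostname={{openshift_internal_cluster_url}}` must already resolve to an external balancer or to the masters before the playbook runs, and nothing in the template records that; a comment at the head of the `[masters]` section such as `# no [lb] group: openshift_internal_cluster_url must already resolve to an external load balancer (or the masters)` would. In the shared-infra branch every node is labelled `region=infra` and none `primary`, so a deployment that also uncomments the earlier `osm_default_node_selector='region=primary'` example would have no schedulable nodes for application pods — worth a one-line comment in that branch.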
@@ -140,15 +140,13 @@
 - autocloud/backend
 #
-# Install hotfix to add the architecture to aarch64
+# Install hotfix to ignore new architectures
 # See PR - https://github.com/kushaldas/autocloud/pull/56/
 #
-- name: hotfix - copy over models.py to autocloud/models.py
+- name: hotfix - copy over consumer files
 copy: src='{{ files }}/{{ item.src }}' dest={{ item.dest }}
 with_items:
- - { src: 'hotfix/autocloud/models.py', dest: '/usr/lib/python2.7/site-packages/autocloud' }
 - { src: 'hotfix/autocloud/consumer.py', dest: '/usr/lib/python2.7/site-packages/autocloud' }
- - { src: 'hotfix/autocloud/__init__.py', dest: '/usr/lib/python2.7/site-packages/autocloud/utils' }
 notify:
 - restart fedmsg-hub
 tags:
diff --git a/roles/autocloud/frontend/tasks/main.yml b/roles/autocloud/frontend/tasks/main.yml
index 3312fb52e8..1084b4c705 100644
--- a/roles/autocloud/frontend/tasks/main.yml
+++ b/roles/autocloud/frontend/tasks/main.yml
@@ -66,18 +66,3 @@
 - autocloud
 - autocloud/frontend
 - selinux
-
-#
-# Install hotfix to add the architecture to aarch64
-# See PR - https://github.com/kushaldas/autocloud/pull/56/
-#
-- name: hotfix - copy over models.py to autocloud/models.py
- copy: src='{{ files }}/{{ item.src }}' dest={{ item.dest }}
- with_items:
- - { src: 'hotfix/autocloud/models.py', dest: '/usr/lib/python2.7/site-packages/autocloud' }
- - { src: 'hotfix/autocloud/__init__.py', dest: '/usr/lib/python2.7/site-packages/autocloud/utils' }
- notify:
- - restart fedmsg-hub
- tags:
- - autocloud
- - hotfix
diff --git a/roles/base/files/postfix/main.cf/main.cf.upstreamfirst.fedorainfracloud.org b/roles/base/files/postfix/main.cf/main.cf.upstreamfirst.fedorainfracloud.org
new file mode 100644
index 0000000000..293c0c1652
--- /dev/null
+++ b/roles/base/files/postfix/main.cf/main.cf.upstreamfirst.fedorainfracloud.org
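Review bot: Dropping the `models.py` and `utils/__init__.py` items from `with_items` stops managing those files, but it does not undo the copies the earlier hotfix already placed under `/usr/lib/python2.7/site-packages/autocloud` on provisioned hosts, so those hosts keep running the old hotfix modules beside the retained `consumer.py` until something rewrites them; the frontend hunk has the same gap when it deletes the task outright. Because the hotfix copied into the package directories and so presumably overwrote the packaged `models.py` and `utils/__init__.py`, a `file: state=absent` cleanup would remove the modules entirely — the realistic remedy is a package reinstall (a same-version update will not rewrite unchanged files), and the task comment should say which is expected, e.g. `# models.py/utils/__init__.py hotfix retired: reinstall the autocloud package on hosts that received it`. Minor style point on the retained `copy:` line: `src` is quoted but `dest={{ item.dest }}` is not; `dest='{{ item.dest }}'` keeps the two consistent.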
@@ -0,0 +1,687 @@ +# "false" +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. +# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. +# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/sbin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = /usr/libexec/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. 
Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. +# +#myhostname = host.domain.tld +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. +# $mydomain is used as a default value for many other configuration +# parameters. +# +#mydomain = domain.tld + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +#myorigin = $myhostname +#myorigin = $mydomain + +mydomain = fedoraproject.org +myorigin = fedoraproject.org + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. 
By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost +inet_interfaces = all + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. +# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. +# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain. On a mail domain +# gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). 
+# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". +# +mydestination = $myhostname, localhost.$mydomain, fedora.redhat.com, localhost +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, +# mail.$mydomain, www.$mydomain, ftp.$mydomain + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. +# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. 
+# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. +# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. +# +unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = subnet), Postfix "trusts" SMTP +# clients in the same IP subnetworks as the local machine. +# On Linux, this does works correctly only with interfaces specified +# with the "ifconfig" command. 
+# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. +# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. +# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). +# +#mynetworks = 168.100.189.0/28, 127.0.0.0/8 +#mynetworks = $config_directory/mynetworks +#mynetworks = hash:/etc/postfix/network_table + + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. See the smtpd_recipient_restrictions description in +# postconf(5) for detailed information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is $mydestination. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. 
+# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. +# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). +# +#relay_domains = $mydestination + + + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. +# +#relayhost = $mydomain +#relayhost = [gateway.my.domain] +#relayhost = [mailserver.isp.tld] +#relayhost = uucphost +#relayhost = [an.ip.add.ress] +#relayhost = bastion + + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. 
+# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. +# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +masquerade_domains = redhat.com +masquerade_exceptions = root apache + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. 
+# +#alias_maps = dbm:/etc/aliases +alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. +# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). +# +#home_mailbox = Mailbox +#home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. 
+# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /usr/bin/procmail +#mailbox_command = /some/where/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp + +# If using the cyrus-imapd IMAP server deliver local mail to the IMAP +# server using LMTP (Local Mail Transport Protocol), this is prefered +# over the older cyrus deliver program by setting the +# mailbox_transport as below: +# +# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp +# +# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via +# these settings. 
+# +# local_destination_recipient_limit = 300 +# local_destination_concurrency_limit = 5 +# +# Of course you should adjust these settings as appropriate for the +# capacity of the hardware you are using. The recipient limit setting +# can be used to take advantage of the single instance message store +# capability of Cyrus. The concurrency limit can be used to control +# how many simultaneous LMTP sessions will be permitted to the Cyrus +# message store. +# +# To use the old cyrus deliver program you have to set: +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp +#fallback_transport = + +#transport_maps = hash:/etc/postfix/transport +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. +# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. 
Specify ${name?value} or +# ${name:value} to expand value only when $name does (does not) exist. +# +# luser_relay works only for the default Postfix local delivery agent. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must specify "local_recipient_maps =" (i.e. empty) in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#luser_relay = $user@other.host +#luser_relay = $local@other.host +#luser_relay = admin+$local + +# JUNK MAIL CONTROLS +# +# The controls listed here are only a very small subset. The file +# SMTPD_ACCESS_README provides an overview. + +# The header_checks parameter specifies an optional table with patterns +# that each logical message header is matched against, including +# headers that span multiple physical lines. +# +# By default, these patterns also apply to MIME headers and to the +# headers of attached messages. With older Postfix versions, MIME and +# attached message headers were treated as body text. +# +# For details, see "man header_checks". +# +header_checks = regexp:/etc/postfix/header_checks + +# FAST ETRN SERVICE +# +# Postfix maintains per-destination logfiles with information about +# deferred mail, so that mail can be flushed quickly with the SMTP +# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". +# See the ETRN_README document for a detailed description. +# +# The fast_flush_domains parameter controls what destinations are +# eligible for this service. By default, they are all domains that +# this server is willing to relay mail to. +# +#fast_flush_domains = $relay_domains + +# SHOW SOFTWARE VERSION OR NOT +# +# The smtpd_banner parameter specifies the text that follows the 220 +# code in the SMTP server's greeting banner. Some people like to see +# the mail version advertised. By default, Postfix shows no version. +# +# You MUST specify $myhostname at the start of the text. 
That is an +# RFC requirement. Postfix itself does not care. +# +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) + +# PARALLEL DELIVERY TO THE SAME DESTINATION +# +# How many parallel deliveries to the same user or domain? With local +# delivery, it does not make sense to do massively parallel delivery +# to the same user, because mailbox updates must happen sequentially, +# and expensive pipelines in .forward files can cause disasters when +# too many are run at the same time. With SMTP deliveries, 10 +# simultaneous connections to the same domain could be sufficient to +# raise eyebrows. +# +# Each message delivery transport has its XXX_destination_concurrency_limit +# parameter. The default is $default_destination_concurrency_limit for +# most delivery transports. For the local delivery agent the default is 2. + +#local_destination_concurrency_limit = 2 +#default_destination_concurrency_limit = 20 + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. +# +debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. +# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain + +# The debugger_command specifies the external command that is executed +# when a Postfix daemon program is run with the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. 
+# +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + xxgdb $daemon_directory/$process_name $process_id & sleep 5 + +# If you can't use X, use this to capture the call stack when a +# daemon crashes. The result is in a file in the configuration +# directory, and is named after the process name and the process ID. +# +# debugger_command = +# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; +# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 +# >$config_directory/$process_name.$process_id.log & sleep 5 +# +# Another possibility is to run gdb under a detached screen session. +# To attach to the screen sesssion, su root and run "screen -r +# " where uniquely matches one of the detached +# sessions (from "screen -list"). +# +# debugger_command = +# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen +# -dmS $process_name gdb $daemon_directory/$process_name +# $process_id & sleep 1 + +# INSTALL-TIME CONFIGURATION INFORMATION +# +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# +sendmail_path = /usr/sbin/sendmail.postfix + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. +# +newaliases_path = /usr/bin/newaliases.postfix + +# mailq_path: The full pathname of the Postfix mailq command. This +# is the Sendmail-compatible mail queue listing command. +# +mailq_path = /usr/bin/mailq.postfix + +# setgid_group: The group for mail submission and queue management +# commands. This must be a group name with a numerical group ID that +# is not shared with other accounts, not even with the Postfix account. +# +setgid_group = postdrop + +# html_directory: The location of the Postfix HTML documentation. 
+# +html_directory = no + +# manpage_directory: The location of the Postfix on-line manual pages. +# +manpage_directory = /usr/share/man + +# sample_directory: The location of the Postfix sample configuration files. +# This parameter is obsolete as of Postfix 2.1. +# +sample_directory = /usr/share/doc/postfix-2.4.5/samples + +# readme_directory: The location of the Postfix README files. +# +readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES + +# add this to new postfix to get it to add proper message-id and other +# headers to outgoing emails via the gateway. + + +message_size_limit = 20971520 +#inet_protocols = ipv4 diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 052ef2efb0..4e5832743c 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -233,7 +233,7 @@ - iptables/iptables.{{ host_group }} - iptables/iptables.{{ env }} - iptables/iptables - when: not inventory_hostname.startswith(('fed-cloud','osbs')) + when: baseiptables == true notify: - restart iptables - reload libvirtd @@ -248,6 +248,7 @@ - iptables - service - base + when: baseiptables == true - name: ip6tables template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes @@ -257,7 +258,7 @@ - iptables/ip6tables.{{ host_group }} - iptables/ip6tables.{{ env }} - iptables/ip6tables - when: not inventory_hostname.startswith('fed-cloud09') + when: baseiptables == true notify: - restart ip6tables - reload libvirtd @@ -272,6 +273,7 @@ - ip6tables - service - base + when: baseiptables == true - name: enable journald persistence file: path=/var/log/journal state=directory diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder index 433f911a6e..a24963309a 100644 --- a/roles/base/templates/iptables/iptables.kojibuilder +++ b/roles/base/templates/iptables/iptables.kojibuilder 
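Review bot: `inet_interfaces = all` is set while every `mynetworks` / `mynetworks_style` line stays commented out, so the host listens on all addresses and relays for whatever Postfix's default subnet detection considers trusted; an explicit `mynetworks = 127.0.0.0/8 [::1]/128` (or `mynetworks_style = host`) makes the relay policy deliberate rather than inherited. `masquerade_domains = redhat.com` next to `mydomain = fedoraproject.org`, plus `fedora.redhat.com` in `mydestination`, looks carried over from another host's file — confirm it is intended for upstreamfirst. The first line `# "false"` is a stray, and `sample_directory` / `readme_directory` point at `postfix-2.4.5` doc paths that are unlikely to match the installed package; harmless, but worth cleaning up. No `smtpd_tls_*` or `smtpd_recipient_restrictions` settings appear in this file; if they come from a shared fragment or the package defaults, a one-line comment saying so would help whoever audits the host later.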
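Review bot: `when: baseiptables == true` (the same change in all four hunks at 233, 248, 257 and 272) fails the play with an undefined-variable error on any host where `baseiptables` is not set, whereas the removed `inventory_hostname.startswith(...)` tests always evaluated; the diff shows no default for it, so confirm it is defined for every host group or write `when: baseiptables | default(false) | bool`. Comparing with `== true` also misses a string value such as `"true"` coming from inventory, which the `| bool` filter handles. A comment naming the groups expected to set it false (the former `fed-cloud` / `osbs` / `fed-cloud09` exclusions) would preserve the intent the hostname tests used to carry.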
@@ -30,6 +30,9 @@ # kojipkgs -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 443 -j ACCEPT +{% if host in groups['buildvm-s390x'] %} +-A OUTPUT -p tcp -m tcp -d 10.16.0.17 --dport 80 -j ACCEPT +{% endif %} #koji.fp.o -A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 80 -j ACCEPT diff --git a/roles/bodhi2/base/tasks/main.yml b/roles/bodhi2/base/tasks/main.yml index f53f03b88e..068a632af2 100644 --- a/roles/bodhi2/base/tasks/main.yml +++ b/roles/bodhi2/base/tasks/main.yml @@ -33,6 +33,16 @@ - config - bodhi +- name: Configure alembic + template: + src: alembic.ini + dest: /etc/bodhi/alembic.ini + owner: bodhi + group: root + tags: + - config + - bodhi + - name: setup basic /etc/bodhi/ contents (production) template: > src="production.ini.j2" diff --git a/roles/bodhi2/base/templates/alembic.ini b/roles/bodhi2/base/templates/alembic.ini new file mode 100644 index 0000000000..b514ae7352 --- /dev/null +++ b/roles/bodhi2/base/templates/alembic.ini 
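Review bot: The added rule for `10.16.0.17` has no comment, unlike `# kojipkgs` and `#koji.fp.o` beside it, so the next reader cannot tell what that host is or why only s390x builders need it; add a line such as `# <service name> (reached only from the s390x builders)` with the real name. `{% if host in groups['buildvm-s390x'] %}` relies on a variable named `host` being in the template context — elsewhere in this repository `host` appears only as a loop variable and Ansible itself supplies `inventory_hostname` — so confirm `host` is defined when this template renders, otherwise the condition will not select the intended builders.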
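Review bot: The new `Configure alembic` task sets `owner` and `group` but no `mode:`, so `/etc/bodhi/alembic.ini` ends up with whatever the default umask yields; an explicit `mode: 0644` (the file holds no secret — its `sqlalchemy.url` is a placeholder according to the template in this commit) keeps the result deterministic and consistent across hosts. The task also has no `notify:`; if alembic.ini is only read when migrations are run by hand, a comment saying so would explain why no service restart is needed.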
@@ -0,0 +1,59 @@ +# A generic, single database configuration. + +[alembic] +# path to migration scripts +script_location = /usr/share/bodhi/alembic + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +# Don't bother, this is obtained from the Bodhi config file +sqlalchemy.url = sqlite://bodhi.db + +# Set to true to aquire the global DDL lock for BDR +# See http://bdr-project.org/docs/stable/ddl-replication-advice.html +{% if env == 'staging' %} +bdr = true +{% else %} +bdr = false +{% endif %} + + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S diff --git a/roles/bodhi2/base/templates/staging.ini.j2 b/roles/bodhi2/base/templates/staging.ini.j2 index ef4fd557a4..71705f5944 100644 --- a/roles/bodhi2/base/templates/staging.ini.j2 +++ b/roles/bodhi2/base/templates/staging.ini.j2 @@ -397,7 +397,7 @@ debugtoolbar.hosts = 127.0.0.1 ::1 ## ## Database ## -sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@db-bodhi/bodhi2 +sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@pgbdr.stg.phx2.fedoraproject.org/bodhi2 ## ## Templates diff --git a/roles/ccsdb/tasks/main.yml b/roles/ccsdb/tasks/main.yml new file mode 100644 index 0000000000..06f3ef38d5 --- /dev/null +++ b/roles/ccsdb/tasks/main.yml 
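Review bot: `sqlalchemy.url = sqlite://bodhi.db` is not a valid SQLAlchemy sqlite URL (the relative form is `sqlite:///bodhi.db`); since the comment above says the real URL comes from the Bodhi config, make the placeholder obviously inert, e.g. `# placeholder only; the migration environment overrides it from the Bodhi config`, or leave the value empty. The comment `# Set to true to aquire the global DDL lock for BDR` has a typo: acquire. `bdr` is switched on only for staging while the staging.ini change in this same commit already points staging at a BDR host; a note on what must happen before production flips it would help whoever does that cutover.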
@@ -0,0 +1,74 @@ +--- +- name: install ccsdb and its dependencies + yum: name={{ item }} state=present + with_items: + - ccsdb + - mod_wsgi + - python-psycopg2 + - libsemanage-python + when: ansible_distribution_major_version|int < 22 + +- name: install ccsdb and its dependencies + dnf: name={{ item }} state=present enablerepo={{ extra_enablerepos }} + with_items: + - ccsdb + - mod_wsgi + - python-psycopg2 + - libsemanage-python + when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + +- name: ensure database is created + delegate_to: "{{ ccsdb_db_host_machine }}" + become_user: postgres + become: true + postgresql_db: db={{ ccsdb_db_name }} + +- name: ensure ccsdb db user has access to database + delegate_to: "{{ ccsdb_db_host_machine }}" + become_user: postgres + become: true + postgresql_user: db={{ ccsdb_db_name }} + user={{ ccsdb_db_user }} + password={{ ccsdb_db_password }} + role_attr_flags=NOSUPERUSER + +- name: ensure selinux lets httpd talk to postgres + seboolean: name=httpd_can_network_connect_db persistent=yes state=yes + +- name: create the /etc/ccsdb folder + file: state=directory + path=/etc/ccsdb + owner=root group=root mode=0755 + +- name: generate ccsdb config + template: src=ccsdb.cfg dest=/etc/ccsdb/ccsdb.cfg + owner=root group=root mode=0644 + notify: + - reload httpd + +- name: generate ccsdb apache config + template: src=ccsdb.conf dest=/etc/httpd/conf.d/ccsdb.conf + owner=root group=root mode=0644 + notify: + - reload httpd + +- name: create the /usr/share/ccsdb folder + file: state=directory + path=/usr/share/ccsdb + owner=root group=root mode=0755 + +- name: install the wsgi file + template: src=ccsdb.wsgi dest=/usr/share/ccsdb/ccsdb.wsgi + owner=root group=root mode=0644 + notify: + - reload httpd + +- name: initialize execdb database + shell: CCSDB_CONFIG=/etc/ccsdb/ccsdb.cfg ccsdb-cli init_db + +- name: Start and enable the different services required + service: name={{ item }} enabled=yes 
state=started + with_items: + - httpd + - fedmsg-hub + diff --git a/roles/ccsdb/templates/ccsdb.cfg b/roles/ccsdb/templates/ccsdb.cfg new file mode 100644 index 0000000000..4de44cf9e4 --- /dev/null +++ b/roles/ccsdb/templates/ccsdb.cfg @@ -0,0 +1,7 @@ +SECRET_KEY = '{{ ccsdb_secret_key }}' +SQLALCHEMY_DATABASE_URI = 'postgresql://{{ ccsdb_db_user }}:{{ ccsdb_db_password }}@{{ ccsdb_db_host }}:{{ ccsdb_db_port }}/{{ ccsdb_db_name }}' + +FILE_LOGGING = False +LOGFILR = '/var/log/ccsdb/ccsdb.log' +SYSLOG_LOGGING = False +STREAM_LOGGING = True diff --git a/roles/ccsdb/templates/ccsdb.conf b/roles/ccsdb/templates/ccsdb.conf new file mode 100644 index 0000000000..7863c4fcf8 --- /dev/null +++ b/roles/ccsdb/templates/ccsdb.conf @@ -0,0 +1,27 @@ +WSGIDaemonProcess ccsdb user=apache group=apache threads=5 +WSGIScriptAlias /{{ ccsdb_endpoint }} /usr/share/ccsdb/ccsdb.wsgi +WSGISocketPrefix run/wsgi + +# this isn't the best way to force SSL but it works for now +#RewriteEngine On +#RewriteCond %{HTTPS} !=on +#RewriteRule ^/execdb/admin/?(.*) https://%{SERVER_NAME}/$1 [R,L] + + + WSGIProcessGroup ccsdb + WSGIApplicationGroup %{GLOBAL} + WSGIScriptReloading On + + # Apache 2.4 + + Require method GET + Require ip 127.0.0.1 ::1{% for host in allowed_hosts %} {{ host }}{% endfor %} + + + + + Order allow,deny + Allow from all + + + diff --git a/roles/ccsdb/templates/ccsdb.wsgi b/roles/ccsdb/templates/ccsdb.wsgi new file mode 100644 index 0000000000..3df7ec863b --- /dev/null +++ b/roles/ccsdb/templates/ccsdb.wsgi @@ -0,0 +1,4 @@ +import os +os.environ['CCSDB_CONFIG'] = '/etc/ccsdb/ccsdb.cfg' + +from ccsdb.app import _app as application diff --git a/roles/copr/backend/files/provision/builderpb.yml b/roles/copr/backend/files/provision/builderpb.yml deleted file mode 100644 index 21b0bd242b..0000000000 --- a/roles/copr/backend/files/provision/builderpb.yml +++ /dev/null 
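Review bot: `template: src=ccsdb.cfg dest=/etc/ccsdb/ccsdb.cfg owner=root group=root mode=0644` installs a file that carries `SECRET_KEY` and the database password (see the ccsdb.cfg template in this commit) world-readable to every local account on the host. Since the WSGI daemon runs as `apache` (ccsdb.conf), `owner=root group=apache mode=0640` is sufficient for the application and closes that exposure. Separately, `shell: CCSDB_CONFIG=/etc/ccsdb/ccsdb.cfg ccsdb-cli init_db` runs on every play with no `creates=` or `changed_when`; if init_db is not idempotent that is a data-loss risk on re-runs, so guard it with a marker file or `changed_when`, and its task name still says `execdb`.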
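Review bot: `LOGFILR = '/var/log/ccsdb/ccsdb.log'` looks like a typo for `LOGFILE`; as written it is a key the application never reads, so turning `FILE_LOGGING` on later would log to the application's default location rather than this path. Rename it to `LOGFILE` and, if the role depends on it, add the matching `/var/log/ccsdb` directory task so the path exists when file logging is enabled.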
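Review bot: The commented-out redirect still targets `^/execdb/admin/?(.*)`, a leftover from the role this file was copied from, and would redirect the wrong path if anyone uncomments it; either drop the block or rewrite it for `/{{ ccsdb_endpoint }}`. The rendering of this page lost the directive container names, but the visible rules mix Apache 2.4 `Require` with 2.2-era `Order allow,deny` / `Allow from all`, which only works with mod_access_compat loaded; `Require all granted` keeps the whole file in 2.4 syntax. As far as can be read, anything other than GET is gated solely by `Require ip` on `allowed_hosts`, so that variable is the write-access boundary for the service and deserves a comment saying so next to the `Require` lines.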
@@ -1,95 +0,0 @@ ---- -- name: check/create instance - hosts: localhost - user: copr - gather_facts: False - - vars_files: - - nova_cloud_vars.yml - - vars: - - security_group: builder - - image_id: cba0c766-84ac-4048-b0f5-6d4000af62f8 - - OS_USERNAME_OLD: msuchy - - OS_AUTH_URL_OLD: http://172.23.0.2:5000/v2.0 - # todo: remove after transition to new cloud - - tasks: - - name: generate builder name - local_action: command echo "Copr builder {{ 999999999 | random }}" - register: vm_name - - - name: spin it up - local_action: nova_compute auth_url={{OS_AUTH_URL_OLD}} flavor_id=6 image_id={{ image_id }} key_name=buildsys login_password={{OS_PASSWORD_OLD}} login_tenant_name={{OS_TENANT_NAME}} login_username={{OS_USERNAME_OLD}} security_groups={{security_group}} wait=yes name="{{vm_name.stdout}}" - register: nova - - # should be able to use nova.private_ip, but it does not work with Fedora Cloud. - - debug: msg="IP={{ nova.info.addresses.vlannet_3[0].addr }}" - - - debug: msg="vm_name={{vm_name.stdout}}" - - - name: add it to the special group - local_action: add_host hostname={{ nova.info.addresses.vlannet_3[0].addr }} groupname=builder_temp_group - - - name: wait for the host to be hot - local_action: wait_for host={{ nova.info.addresses.vlannet_3[0].addr }} port=22 delay=5 timeout=600 - -- hosts: builder_temp_group - user: root - gather_facts: True - vars: - - files: files/ - - tasks: - - name: edit hostname to be instance name - shell: hostname `curl -s http://169.254.169.254/2009-04-04/meta-data/instance-id` - - - name: install pkgs - yum: state=present pkg={{ item }} - with_items: - - rsync - - openssh-clients - - libselinux-python - - libsemanage-python - - - name: add repos - copy: src={{ files }}/{{ item }} dest=/etc/yum.repos.d/{{ item }} - with_items: - - epel6.repo - - - name: install additional pkgs - yum: state=present pkg={{ item }} - with_items: - - mock - - createrepo - - yum-utils - - pyliblzma - - - name: make sure newest rpm - yum: name={{ item }} 
state=latest - with_items: - - rpm - - glib2 - - ca-certificates - - #- yum: name=mock enablerepo=epel-testing state=latest - - - name: mockbuilder user - user: name=mockbuilder groups=mock - - - name: mockbuilder .ssh - file: state=directory path=/home/mockbuilder/.ssh mode=0700 owner=mockbuilder group=mockbuilder - - - name: mockbuilder authorized_keys - authorized_key: user=mockbuilder key='{{ lookup('file', '/home/copr/provision/files/buildsys.pub') }}' - - - name: put updated mock configs into /etc/mock - template: src={{ files }}/mock/{{ item }} dest=/etc/mock - with_items: - - site-defaults.cfg - - - lineinfile: dest=/etc/mock/fedora-rawhide-x86_64.cfg line="config_opts['package_manager'] = 'dnf'" state=absent - - lineinfile: dest=/etc/mock/fedora-rawhide-i386.cfg line="config_opts['package_manager'] = 'dnf'" state=absent - - - lineinfile: dest=/etc/security/limits.conf line="* soft nofile 10240" insertafter=EOF - - lineinfile: dest=/etc/security/limits.conf line="* hard nofile 10240" insertafter=EOF diff --git a/roles/copr/backend/files/provision/builderpb_nova.yml b/roles/copr/backend/files/provision/builderpb_nova.yml index 97b11e22ae..11c797e6e0 100644 --- a/roles/copr/backend/files/provision/builderpb_nova.yml +++ b/roles/copr/backend/files/provision/builderpb_nova.yml @@ -11,6 +11,7 @@ keypair: buildsys max_spawn_time: 600 spawning_vm_user: "fedora" + image_name: "copr-builder-f26-x86_64-beta" tasks: - name: generate builder name @@ -61,5 +62,5 @@ - nss-softokn-freebl.i686 # DNF module will not resolve the deps, we must install deps manualy! - name: install i686 version of nosync for multilib building - dnf: name=https://kojipkgs.fedoraproject.org//packages/nosync/1.0/5.fc24/i686/nosync-1.0-5.fc24.i686.rpm state=present + dnf: name=https://kojipkgs.fedoraproject.org/packages/nosync/1.0/6.fc26/i686/nosync-1.0-6.fc26.i686.rpm state=present when: prepare_base_image is defined 
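Review bot: `dnf: name=https://kojipkgs.fedoraproject.org/packages/nosync/1.0/6.fc26/i686/nosync-1.0-6.fc26.i686.rpm state=present` installs a package by URL, and as far as I know dnf's signature check for URL/local packages is governed by `localpkg_gpgcheck` (off by default) rather than `gpgcheck`, so this step trusts the TLS connection to kojipkgs alone. If the i686 build is in an enabled repository, `dnf: name=nosync.i686 state=present` keeps signature verification; otherwise set `localpkg_gpgcheck=1` in /etc/dnf/dnf.conf in provision_builder_tasks.yml before this task. The pinned `6.fc26` will also go stale silently against the f26 image, so a comment explaining why this exact build is required would help whoever bumps it next.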
diff --git a/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml b/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml index dc91142cf5..73c4606704 100644 --- a/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml +++ b/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml @@ -3,7 +3,7 @@ gather_facts: False vars_files: - - nova_cloud_vars_ppc64le.yml + - nova_cloud_vars.yml vars: # _OS_AUTH_OPTS: "--os-auth-url {{OS_AUTH_URL}} --os-username {{OS_USERNAME}} --os-password {{OS_PASSWORD}} --os-tenant-name {{OS_TENANT_NAME}} --os-tenant-id {{OS_TENANT_ID}} " @@ -11,6 +11,7 @@ keypair: buildsys max_spawn_time: 600 spawning_vm_user: "fedora" + image_name: "copr-builder-f26-ppc64le-beta" tasks: - name: generate builder name @@ -41,7 +42,10 @@ #prepare_base_image: True tasks: - - include: "provision_builder_tasks_ppc64le.yml" + - name: swap on /dev/vda 100GB volume for tmpfs mock plugin + command: swapon /dev/vda + + - include: "provision_builder_tasks.yml" - name: disable offloading command: ethtool -K eth0 tso off gro off gso off diff --git a/roles/copr/backend/files/provision/builderpb_ppc64le.yml b/roles/copr/backend/files/provision/builderpb_ppc64le.yml deleted file mode 100644 index af892422c1..0000000000 --- a/roles/copr/backend/files/provision/builderpb_ppc64le.yml +++ /dev/null 
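Review bot: `command: swapon /dev/vda` is not idempotent — on a host where the volume is already active, swapon exits non-zero and the play aborts — and it assumes the 100 GB volume always enumerates as /dev/vda, which virtio device naming does not guarantee. A one-line guard keeps re-runs working: `shell: grep -q '^/dev/vda ' /proc/swaps || swapon /dev/vda`, with `changed_when` tied to whether swapon actually ran. Referencing the volume via a stable `/dev/disk/by-id/<ID>` path (placeholder) would address the naming assumption; the task comment should also state that this swap backs the mock tmpfs plugin, as the task name hints.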
@@ -1,45 +0,0 @@ -- name: check/create instance - hosts: 127.0.0.1 - gather_facts: False - - tasks: - - name: add hypervisor - local_action: add_host hostname=rh-power2.fit.vutbr.cz groupname=spinup_vm_group - - -- name: spinup vm - hosts: spinup_vm_group - gather_facts: False - user: msuchy - - tasks: - - name: spin up VM - shell: /home/msuchy/bin/get-one-vm.sh - register: get_one - - - debug: msg="{{ get_one.stdout }}" - - - set_fact: builder_ip="{{ get_one.stdout|extract_ip_from_stdout() }}" - - - name: wait for he host to be hot - local_action: wait_for host={{ builder_ip }} port=22 delay=1 timeout=600 - - - name: add builder ip to the special group - local_action: add_host hostname={{ builder_ip }} groupname=builder_temp_group - -- name: provision builder - hosts: builder_temp_group - gather_facts: True - user: root - - vars: - # pass this options if you need to create new base image from snapshot - #prepare_base_image: True - - tasks: - - include: "provision_builder_tasks.yml" - - - name: disable offloading - command: ethtool -K eth0 tso off gro off gso off - - - yum: state=latest enablerepo="updates-testing" name=mock diff --git a/roles/copr/backend/files/provision/copr.repo b/roles/copr/backend/files/provision/copr.repo deleted file mode 100644 index 90aa909168..0000000000 --- a/roles/copr/backend/files/provision/copr.repo +++ /dev/null @@ -1,11 +0,0 @@ -[Copr] -name=Copr -failovermethod=priority -baseurl=https://209.132.184.48/results/@copr/copr/fedora-$releasever-x86_64/ - https://copr-be.cloud.fedoraproject.org/results/@copr/copr/fedora-$releasever-x86_64/ - https://172.25.32.109/results/@copr/copr/fedora-$releasever-x86_64/ - -enabled=1 -gpgcheck=1 -gpgkey=https://copr-be.cloud.fedoraproject.org/results/@copr/copr/pubkey.gpg -skip_if_unavailable=1 diff --git a/roles/copr/backend/files/provision/files/mock/custom-1-i386.cfg b/roles/copr/backend/files/provision/files/mock/custom-1-i386.cfg deleted file mode 100644 index bccbdc9beb..0000000000 
--- a/roles/copr/backend/files/provision/files/mock/custom-1-i386.cfg +++ /dev/null @@ -1,24 +0,0 @@ -config_opts['root'] = 'custom-1-i386' -config_opts['target_arch'] = 'i686' -config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') -config_opts['chroot_setup_cmd'] = '' -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/dnf.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary - -""" diff --git a/roles/copr/backend/files/provision/files/mock/custom-1-ppc64le.cfg b/roles/copr/backend/files/provision/files/mock/custom-1-ppc64le.cfg deleted file mode 100644 index 8742102d82..0000000000 --- a/roles/copr/backend/files/provision/files/mock/custom-1-ppc64le.cfg +++ /dev/null @@ -1,24 +0,0 @@ -config_opts['root'] = 'custom-1-ppc64le' -config_opts['target_arch'] = 'ppc64le' -config_opts['legal_host_arches'] = ('ppc64le',) -config_opts['chroot_setup_cmd'] = '' -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/dnf.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary - -""" diff --git a/roles/copr/backend/files/provision/files/mock/custom-1-x86_64.cfg b/roles/copr/backend/files/provision/files/mock/custom-1-x86_64.cfg deleted file mode 100644 index 43554b106d..0000000000 --- a/roles/copr/backend/files/provision/files/mock/custom-1-x86_64.cfg +++ /dev/null 
@@ -1,24 +0,0 @@ -config_opts['root'] = 'custom-1-x86_64' -config_opts['target_arch'] = 'x86_64' -config_opts['legal_host_arches'] = ('x86_64',) -config_opts['chroot_setup_cmd'] = '' -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/dnf.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary - -""" diff --git a/roles/copr/backend/files/provision/files/mock/fedora-26-i386.cfg b/roles/copr/backend/files/provision/files/mock/fedora-26-i386.cfg deleted file mode 100644 index bf5d9abc2f..0000000000 --- a/roles/copr/backend/files/provision/files/mock/fedora-26-i386.cfg +++ /dev/null 
@@ -1,72 +0,0 @@ -config_opts['root'] = 'fedora-26-i386' -config_opts['target_arch'] = 'i686' -config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') -config_opts['chroot_setup_cmd'] = 'install @buildsys-build' -config_opts['dist'] = 'fc26' # only useful for --resultdir variable subst -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['releasever'] = '26' -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary -best=1 - -# repos - -[fedora] -name=fedora -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates] -name=updates -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates-testing] -name=updates-testing -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[local] -name=local -baseurl=https://kojipkgs.fedoraproject.org/repos/f26-build/latest/i386/ -cost=2000 -enabled=0 - -[fedora-debuginfo] -name=fedora-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-debuginfo] -name=updates-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-testing-debuginfo] -name=updates-testing-debuginfo 
-metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 -""" diff --git a/roles/copr/backend/files/provision/files/mock/fedora-26-x86_64.cfg b/roles/copr/backend/files/provision/files/mock/fedora-26-x86_64.cfg deleted file mode 100644 index 6ba4d1eed0..0000000000 --- a/roles/copr/backend/files/provision/files/mock/fedora-26-x86_64.cfg +++ /dev/null 
@@ -1,72 +0,0 @@ -config_opts['root'] = 'fedora-26-x86_64' -config_opts['target_arch'] = 'x86_64' -config_opts['legal_host_arches'] = ('x86_64',) -config_opts['chroot_setup_cmd'] = 'install @buildsys-build' -config_opts['dist'] = 'fc26' # only useful for --resultdir variable subst -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['releasever'] = '26' -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary -best=1 - -# repos - -[fedora] -name=fedora -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates] -name=updates -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates-testing] -name=updates-testing -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[local] -name=local -baseurl=https://kojipkgs.fedoraproject.org/repos/f26-build/latest/x86_64/ -cost=2000 -enabled=0 - -[fedora-debuginfo] -name=fedora-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-debuginfo] -name=updates-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-testing-debuginfo] -name=updates-testing-debuginfo 
-metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 -""" diff --git a/roles/copr/backend/files/provision/provision_builder_tasks.yml b/roles/copr/backend/files/provision/provision_builder_tasks.yml index f3de7bbe6d..36eef03b72 100644 --- a/roles/copr/backend/files/provision/provision_builder_tasks.yml +++ b/roles/copr/backend/files/provision/provision_builder_tasks.yml 
@@ -1,109 +1,55 @@ -- name: install copr repo - copy: src="copr.repo" dest="/etc/yum.repos.d/copr.repo" +- name: disable updates-testing + shell: rm -f /etc/yum.repos.d/fedora-updates-testing.repo + +- shell: dnf -y upgrade + when: prepare_base_image is defined - name: set bigger timeout for yum ini_file: dest=/etc/yum.conf section=main option=timeout value=1000 +- name: set bigger timeout for dnf + ini_file: dest=/etc/dnf/dnf.conf section=main option=timeout value=1000 + - name: install pkgs - yum: state=present pkg={{ item }} + dnf: state=present pkg={{ item }} with_items: - dnf - dnf-plugins-core - mock -# - mock-lvm - createrepo_c - yum-utils - pyliblzma - rsync - openssh-clients - - rsync - libselinux-python - libsemanage-python - yum - scl-utils-build - ethtool -# - fedpkg-copr - nosync - expect -- name: set bigger timeout for dnf - ini_file: dest=/etc/dnf/dnf.conf section=main option=timeout value=1000 - -# this comes from https://copr-be.cloud.fedoraproject.org/results/%40copr/copr/fedora-23-x86_64/00179756-fedpkg-copr/fedpkg-copr-0.3-1.fc23.noarch.rpm -# TODO put it in correct place -# BZ 1241507 -- shell: yum-deprecated install -y fedpkg-copr || yum install -y fedpkg-copr - -- shell: yum-deprecated install -y fedpkg || yum install -y fedpkg - -# This needs to be updated for python-fedora -- shell: yum-deprecated update -y python-requests || yum install -y python-requests +- name: enable @copr/copr for now + shell: dnf copr -y enable @copr/copr - name: make sure newest rpm - dnf: name={{ item }} state=latest + dnf: state=latest pkg={{ item }} with_items: - rpm - glib2 - ca-certificates - mock - dnf - - koji - - dnf-plugins-core - - libsolv - - hawkey - -- copy: src=files/fedpkg-copr.conf dest=/etc/rpkg/fedpkg-copr.conf + - copr-rpmbuild - name: put updated mock configs into /etc/mock template: src=files/mock/{{ item }} dest=/etc/mock with_items: - site-defaults.cfg - - custom-1-x86_64.cfg - - custom-1-i386.cfg - - custom-1-ppc64le.cfg - - 
fedora-26-x86_64.cfg - - fedora-26-i386.cfg + - fedora-26-ppc64le.cfg -# TODO: file globs or ansible escaping works strange, now using predefined file location -#- name: "fix mock configs to use nearest mirror" -# # Affects only some fedora configs ... repo urls are tricky. TODO: add for epel -# shell: "ls -1 /etc/mock/fedora*.cfg" -# register: mock_fedora_configs_to_patch - -- name: "patch mock.cfg (updates)" - replace: > - dest={{ item }} - regexp='^metalink=https://mirrors.fedoraproject.org/metalink\?repo=updates-released-f\$releasever&arch=\$basearch' - replace='baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/' - with_items: #mock_fedora_configs_to_patch.stdout_lines - - /etc/mock/fedora-24-i386.cfg - - /etc/mock/fedora-24-x86_64.cfg - - /etc/mock/fedora-25-i386.cfg - - /etc/mock/fedora-25-x86_64.cfg - - /etc/mock/fedora-26-i386.cfg - - /etc/mock/fedora-26-x86_64.cfg - -- name: "patch mock.cfg (main)" - replace: > - dest={{ item }} - regexp='^metalink=https://mirrors.fedoraproject.org/metalink\?repo=fedora-f\$releasever&arch=\$basearch' - replace='baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/' - with_items: #mock_fedora_configs_to_patch.stdout_lines - - /etc/mock/fedora-24-i386.cfg - - /etc/mock/fedora-24-x86_64.cfg - - /etc/mock/fedora-25-i386.cfg - - /etc/mock/fedora-25-x86_64.cfg - - /etc/mock/fedora-26-i386.cfg - - /etc/mock/fedora-26-x86_64.cfg - - - -# ansible doesn't support simultaneously usage of async and with_* options -# it's not even planned for implementation, see https://github.com/ansible/ansible/issues/5841 -- name: prepare cache - when: prepare_base_image is defined - async: 14400 - shell: "for i in epel-5-i386 epel-5-x86_64 epel-6-i386 epel-6-x86_64 epel-7-x86_64 fedora-23-i386 fedora-23-x86_64 fedora-24-i386 fedora-24-x86_64 fedora-25-i386 fedora-25-x86_64 fedora-26-i386 fedora-26-x86_64 fedora-rawhide-i386 fedora-rawhide-x86_64; 
do mock --init -r $i; done" +- name: put copr-rpmbuild configuration file in the right place + copy: src=files/main.ini dest=/etc/copr-rpmbuild/main.ini - name: mockbuilder user user: name=mockbuilder groups=mock @@ -122,11 +68,3 @@ - name: disable core dumps ini_file: dest=/etc/systemd/coredump.conf section=Coredump option=Storage value=none -# notify: -# - systemctl daemon-reload - -- name: 'Remove %_install_langs from /etc/rpm/macros.image-language-conf so that `yum-deprecated --installroot= install glibc-all-langpacks` installs all possible locale into build chroots' - lineinfile: - dest: '/etc/rpm/macros.image-language-conf' - regexp: '^%_install_lang.*' - state: 'absent' diff --git a/roles/copr/backend/files/provision/provision_builder_tasks_ppc64le.yml b/roles/copr/backend/files/provision/provision_builder_tasks_ppc64le.yml deleted file mode 100644 index 5ef7791eb2..0000000000 --- a/roles/copr/backend/files/provision/provision_builder_tasks_ppc64le.yml +++ /dev/null 
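Review bot: `shell: rm -f /etc/yum.repos.d/fedora-updates-testing.repo`, `shell: dnf -y upgrade` and `shell: dnf copr -y enable @copr/copr` all report changed on every run, and the last one adds a third-party repository to the builder image's trust set with nothing in the playbook recording why. Use `file: path=/etc/yum.repos.d/fedora-updates-testing.repo state=absent` and `dnf: name='*' state=latest` for the first two, and give the copr step a `creates=` pointing at the repo file the plugin writes (path: placeholder, confirm after one manual run) plus a comment such as `# needed for copr-rpmbuild, installed below` so the dependency on @copr/copr is explicit. The `when: prepare_base_image is defined` on the upgrade is good; the repo removal and enablement would benefit from the same scoping if they are only meant for image preparation.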
@@ -1,94 +0,0 @@ -- name: install copr repo - copy: src="copr.repo" dest="/etc/yum.repos.d/copr.repo" - -- name: set bigger timeout for yum - ini_file: dest=/etc/yum.conf section=main option=timeout value=1000 - -- name: install pkgs - yum: state=present pkg={{ item }} - with_items: - - dnf - - dnf-plugins-core - - mock -# - mock-lvm - - createrepo_c - - yum-utils - - pyliblzma - - rsync - - openssh-clients - - rsync - - libselinux-python - - libsemanage-python - - yum - - scl-utils-build - - ethtool -# - fedpkg-copr - - nosync - - expect - -- name: set bigger timeout for dnf - ini_file: dest=/etc/dnf/dnf.conf section=main option=timeout value=1000 - -# this comes from https://copr-be.cloud.fedoraproject.org/results/%40copr/copr/fedora-23-x86_64/00179756-fedpkg-copr/fedpkg-copr-0.3-1.fc23.noarch.rpm -# TODO put it in correct place -# BZ 1241507 -- shell: yum-deprecated install -y fedpkg-copr || yum install -y fedpkg-copr - -- shell: yum-deprecated install -y fedpkg || yum install -y fedpkg - -# This needs to be updated for python-fedora -- shell: yum-deprecated update -y python-requests || yum install -y python-requests - -- name: make sure newest rpm - dnf: name={{ item }} state=latest - with_items: - - rpm - - glib2 - - ca-certificates - - mock - - dnf - - koji - - dnf-plugins-core - - libsolv - - hawkey - -- copy: src=files/fedpkg-copr.conf dest=/etc/rpkg/fedpkg-copr.conf - -- name: put updated mock configs into /etc/mock - template: src=files/mock/{{ item }} dest=/etc/mock - with_items: - - fedora-26-ppc64le.cfg - - site-defaults.cfg - -# ansible doesn't support simultaneously usage of async and with_* options -# it's not even planned for implementation, see https://github.com/ansible/ansible/issues/5841 -- name: prepare cache - when: prepare_base_image is defined - async: 14400 - shell: "for i in fedora-23-ppc64le fedora-24-ppc64le fedora-25-ppc64le fedora-26-ppc64le fedora-rawhide-ppc64le; do mock --init -r $i; done" - -- name: mockbuilder user - user: 
name=mockbuilder groups=mock - -- name: mockbuilder .ssh - file: state=directory path=/home/mockbuilder/.ssh mode=0700 owner=mockbuilder group=mockbuilder - -- name: mockbuilder authorized_keys - authorized_key: user=mockbuilder key='{{ lookup('file', '/home/copr/provision/files/buildsys.pub') }}' - -- name: root authorized_keys - authorized_key: user=root key='{{ lookup('file', '/home/copr/provision/files/buildsys.pub') }}' - -- lineinfile: dest=/etc/security/limits.conf line="* soft nofile 10240" insertafter=EOF -- lineinfile: dest=/etc/security/limits.conf line="* hard nofile 10240" insertafter=EOF - -- name: disable core dumps - ini_file: dest=/etc/systemd/coredump.conf section=Coredump option=Storage value=none -# notify: -# - systemctl daemon-reload - -- name: 'Remove %_install_langs from /etc/rpm/macros.image-language-conf so that `yum-deprecated --installroot= install glibc-all-langpacks` installs all possible locale into build chroots' - lineinfile: - dest: '/etc/rpm/macros.image-language-conf' - regexp: '^%_install_lang.*' - state: 'absent' diff --git a/roles/copr/backend/files/provision/terminatepb.yml b/roles/copr/backend/files/provision/terminatepb.yml deleted file mode 100644 index 372c503948..0000000000 --- a/roles/copr/backend/files/provision/terminatepb.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: terminate instance - hosts: all - user: root - gather_facts: False - - vars_files: - - nova_cloud_vars.yml - - vars: - - OS_USERNAME_OLD: msuchy - - OS_AUTH_URL_OLD: http://172.23.0.2:5000/v2.0 - # todo: remove after transition to new cloud - - tasks: - - name: terminate it - local_action: nova_compute auth_url={{OS_AUTH_URL_OLD}} login_password={{OS_PASSWORD}} login_tenant_name={{OS_TENANT_NAME}} login_username={{OS_USERNAME_OLD}} name="{{copr_task.vm_name}}" state=absent 
diff --git a/roles/copr/backend/files/provision/terminatepb_ppc64le.yml b/roles/copr/backend/files/provision/terminatepb_ppc64le.yml deleted file mode 100644 index c04fabd876..0000000000 --- a/roles/copr/backend/files/provision/terminatepb_ppc64le.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: terminate instance - hosts: 127.0.0.1 - gather_facts: False - - tasks: - - name: add hypervisor - local_action: add_host hostname=rh-power2.fit.vutbr.cz groupname=terminate_vm_group - - -- name: terminate vm - hosts: terminate_vm_group - gather_facts: False - user: msuchy - - tasks: - - name: terminating vm26 - shell: /home/msuchy/bin/virsh-destroy-vm26.sh; /home/msuchy/bin/reinit-vm26.sh - when: copr_task.vm_name == "rh-power-vm26.fit.vutbr.cz" - - - name: terminating vm27 - shell: /home/msuchy/bin/virsh-destroy-vm27.sh; /home/msuchy/bin/reinit-vm27.sh - when: copr_task.vm_name == "rh-power-vm27.fit.vutbr.cz" - - - name: terminating vm28 - shell: /home/msuchy/bin/virsh-destroy-vm28.sh; /home/msuchy/bin/reinit-vm28.sh - when: copr_task.vm_name == "rh-power-vm28.fit.vutbr.cz" - - - name: terminating vm29 - shell: /home/msuchy/bin/virsh-destroy-vm29.sh; /home/msuchy/bin/reinit-vm29.sh - when: copr_task.vm_name == "rh-power-vm29.fit.vutbr.cz" diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml index 956decb248..2270dbf4a8 100644 --- a/roles/copr/backend/tasks/main.yml +++ b/roles/copr/backend/tasks/main.yml 
@@ -130,14 +130,11 @@ tags: - provision_config -- name: put some files into the provision subdir - template: src="provision/nova_cloud_vars_ppc64le.yml" dest="/home/copr/provision/nova_cloud_vars_ppc64le.yml" owner=copr group=copr +- name: put copr-rpmbuild configuration file into the provision subdir + template: src="provision/copr-rpmbuild/main.ini.j2" dest="/home/copr/provision/files/main.ini" owner=copr group=copr tags: - provision_config -- name: put fedpkg-copr.conf into the provision files - template: src="provision/fedpkg-copr.conf" dest="/home/copr/provision/files/fedpkg-copr.conf" owner=copr group=copr - - name: testing fixture copy: dest="/home/copr/cloud/ec2rc.variable" content="" when: devel diff --git a/roles/copr/backend/templates/copr-be.conf.j2 b/roles/copr/backend/templates/copr-be.conf.j2 index 0bed0583aa..f3276db882 100644 --- a/roles/copr/backend/templates/copr-be.conf.j2 +++ b/roles/copr/backend/templates/copr-be.conf.j2 @@ -110,5 +110,7 @@ timeout=86400 # utilized by /usr/bin/check_consecutive_build_fails.py consecutive_failure_threshold=30 +builder_perl=True + [ssh] builder_config=/home/copr/.ssh/config diff --git a/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 b/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 new file mode 100644 index 0000000000..5ae64796c7 --- /dev/null +++ b/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 @@ -0,0 +1,4 @@ +[main] +frontend_url = {{ frontend_base_url }} +distgit_lookaside_url = http://{{ dist_git_base_url }}/repo/pkgs/ +distgit_clone_url = http://{{ dist_git_base_url }}/git/ diff --git a/roles/copr/backend/templates/provision/fedpkg-copr.conf b/roles/copr/backend/templates/provision/fedpkg-copr.conf deleted file mode 100644 index 5a13ca7ba7..0000000000 --- a/roles/copr/backend/templates/provision/fedpkg-copr.conf +++ /dev/null 
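Review bot: `builder_perl=True` is added without the explanatory comment that its neighbours in this section carry (e.g. the `# utilized by /usr/bin/check_consecutive_build_fails.py` line above `consecutive_failure_threshold`). A one-line comment stating what the backend does differently when this is set, and the copr-backend version that introduced the option, would keep the file self-describing; the hunk does not show what the option controls, so I am not proposing wording.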
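Review bot: `distgit_lookaside_url` and `distgit_clone_url` hardcode `http://`, so copr-rpmbuild on the builders fetches sources and git content in plaintext and integrity rests entirely on whatever hash checks copr-rpmbuild applies against the lookaside. The deleted fedpkg-copr.conf did the same, so this is not a regression, but if dist-git serves TLS, switching the scheme (or folding it into `dist_git_base_url`) closes the gap at no cost. At minimum add `# plain http: builders and dist-git share the internal network — TODO confirm` so the choice is visible rather than accidental.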
@@ -1,10 +0,0 @@ -[fedpkg-copr] -lookaside = http://{{ dist_git_base_url }}/repo/pkgs -lookasidehash = md5 -lookaside_cgi = http://{{ dist_git_base_url }}/repo/pkgs/upload.cgi -gitbaseurl = ssh://%(user)s@{{ dist_git_base_url }}/%(module)s -anongiturl = git://{{ dist_git_base_url }}/%(module)s -tracbaseurl = https://%(user)s:%(password)s@fedorahosted.org/rel-eng/login/xmlrpc -branchre = f\d$|f\d\d$|el\d$|olpc\d$|master$ -kojiconfig = /etc/koji.conf -build_client = koji diff --git a/roles/copr/backend/templates/provision/nova_cloud_vars.yml b/roles/copr/backend/templates/provision/nova_cloud_vars.yml index d426e8a4cc..1135504f40 100644 --- a/roles/copr/backend/templates/provision/nova_cloud_vars.yml +++ b/roles/copr/backend/templates/provision/nova_cloud_vars.yml @@ -10,8 +10,6 @@ OS_USERNAME: "{{ copr_nova_username }}" OS_PASSWORD_OLD: "{{ copr_nova_password|default('variable OS_PASSWORD_OLD is undefined') }}" OS_PASSWORD: "{{ copr_password|default('variable OS_PASSWORD is undefined')}}" - -image_name: "{{ copr_builder_image_name }}" flavor_name: "{{ copr_builder_flavor_name }}" network_name: "{{ copr_builder_network_name }}" key_name: "{{ copr_builder_key_name }}" diff --git a/roles/copr/backend/templates/provision/nova_cloud_vars_ppc64le.yml b/roles/copr/backend/templates/provision/nova_cloud_vars_ppc64le.yml deleted file mode 100644 index f84fa797e7..0000000000 --- a/roles/copr/backend/templates/provision/nova_cloud_vars_ppc64le.yml +++ /dev/null 
@@ -1,18 +0,0 @@
----
-OS_AUTH_URL: "{{ copr_nova_auth_url }}"
-
-OS_TENANT_ID: "{{ copr_nova_tenant_id }}"
-OS_TENANT_NAME: "{{ copr_nova_tenant_name }}"
-
-OS_USERNAME: "{{ copr_nova_username }}"
-
-# remove default values after transition to the new cloud is finished
-OS_PASSWORD_OLD: "{{ copr_nova_password|default('variable OS_PASSWORD_OLD is undefined') }}"
-OS_PASSWORD: "{{ copr_password|default('variable OS_PASSWORD is undefined')}}"
-
-
-image_name: "builder-f24-ppc64le-swapmounted-freshmockconfigs"
-flavor_name: "{{ copr_builder_flavor_name }}"
-network_name: "{{ copr_builder_network_name }}"
-key_name: "{{ copr_builder_key_name }}"
-security_groups: "{{ copr_builder_security_groups }}"
diff --git a/roles/copr/dist_git/tasks/mount_fs.yml b/roles/copr/dist_git/tasks/mount_fs.yml
index bdfee5e599..eca6600853 100644
--- a/roles/copr/dist_git/tasks/mount_fs.yml
+++ b/roles/copr/dist_git/tasks/mount_fs.yml
@@ -12,4 +12,4 @@ when: not devel
 - name: mount tmp on tmpfs
- mount: name=/tmp src=tmpfs fstype=tmpfs state=mounted opts=defaults,size=6G
+ mount: name=/tmp src=tmpfs fstype=tmpfs state=mounted opts=defaults,size=39G,nr_inodes=2g
diff --git a/roles/copr/mbs/templates/config.py b/roles/copr/mbs/templates/config.py
index a9c3ed68da..911211da1a 100644
--- a/roles/copr/mbs/templates/config.py
+++ b/roles/copr/mbs/templates/config.py
@@ -37,6 +37,11 @@ class ProdConfiguration(base.ProdConfiguration):
 RPMS_ALLOW_CACHE = True
 MODULES_ALLOW_REPOSITORY = True
+ # Determines how many builds can be submitted to the builder
+ # and be in the build state at a time. Set this to 0 for no restrictions
+ # We can set some limit in the future, once we need it
+ NUM_CONSECUTIVE_BUILDS = 0
+
 class DevConfiguration(base.DevConfiguration):
 SYSTEM = 'copr'
diff --git a/roles/datagrepper/templates/datagrepper-fedmsg.py b/roles/datagrepper/templates/datagrepper-fedmsg.py
index c6f0989b92..e8a9246319 100644
--- a/roles/datagrepper/templates/datagrepper-fedmsg.py
+++ b/roles/datagrepper/templates/datagrepper-fedmsg.py @@ -17,4 +17,8 @@ config = { 'fedmenu_url': 'https://apps.fedoraproject.org/fedmenu', 'fedmenu_data_url': 'https://apps.fedoraproject.org/js/data.js', {% endif %} + + # Only allow ajax/websockets connections back to our domains. + # https://github.com/fedora-infra/datagrepper/pull/192 + 'content_security_policy': 'connect-src https://*.fedoraproject.org wss://*.fedoraproject.org' } diff --git a/roles/developer/website/files/developer.conf b/roles/developer/website/files/developer.conf index 5a4590dde5..49d0b71295 100644 --- a/roles/developer/website/files/developer.conf +++ b/roles/developer/website/files/developer.conf @@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index 608a0e0e95..0cb1c93b38 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -17,25 +17,15 @@ tags: - distgit -- name: install the httpd config file - copy: src=pkgs.fedoraproject.org.conf dest=/etc/httpd/conf.d/pkgs.fedoraproject.org.conf - when: env != "staging" - notify: - - reload httpd - tags: - - distgit - -- name: uninstall the httpd config file +- name: uninstall the httpd config file of non-packaged dist-git file: dest=/etc/httpd/conf.d/pkgs.fedoraproject.org.conf state=absent - when: env == "staging" notify: - reload httpd tags: - distgit -- name: install the httpd config directory - file: dest=/etc/httpd/conf.d/pkgs.fedoraproject.org state=directory - when: env != "staging" +- name: uninstall the httpd config directory of non-packaged dist-git + file: dest=/etc/httpd/conf.d/pkgs.fedoraproject.org state=absent notify: - reload httpd tags: 
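Review bot: The new `content_security_policy` value carries only a `connect-src` directive, so script, style, image and frame sources stay unconstrained by this header unless datagrepper adds the remaining directives itself. If the aim is to lock the page down rather than only its XHR/websocket targets, prefixing the value with `default-src 'self' https://*.fedoraproject.org; ` does that; if the narrower scope is intentional, the comment above the key should say so. It is also worth confirming that the entry preceding `{% if ... %}` ends with a trailing comma, since the new key is emitted unconditionally while `'fedmenu_data_url'` only appears inside the conditional.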
@@ -81,13 +71,11 @@ with_items: - dist-git - dist-git-selinux - when: env == "staging" tags: - distgit - name: install the dist-git config copy: src=dist-git.conf dest=/etc/dist-git/dist-git.conf - when: env == "staging" tags: - config - distgit @@ -135,36 +123,18 @@ tags: - distgit -- name: install the distgit scripts - copy: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755 +- name: uninstall the distgit scripts of non-packaged dist-git + file: dest=/usr/local/bin/{{item}} state=absent with_items: - setup_git_package - mkbranch - mkbranch_branching - - pkgdb2-clone tags: - config - distgit -- name: install the Dist Git-related httpd config - copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/git-smart-http.conf - when: env != "staging" - notify: - - reload httpd - tags: - - distgit - -- name: install the Dist Git-related httpd config +- name: install the DistGit related httpd config copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf - when: env == "staging" - notify: - - reload httpd - tags: - - distgit - -- name: Symlink pkgs-git-repos-list - copy: src=repolist.conf dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/repolist.conf - when: env != "staging" notify: - reload httpd tags: @@ -172,16 +142,16 @@ - name: Symlink pkgs-git-repos-list copy: src=repolist.conf dest=/etc/httpd/conf.d/dist-git/repolist.conf - when: env == "staging" notify: - reload httpd tags: - distgit -- name: install the pkgdb_sync_git_branches.py scripts +- name: install the pkgdb_sync_git_branches.py and pkgdb2-clone scripts template: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755 with_items: - pkgdb_sync_git_branches.py + - pkgdb2-clone tags: - config - distgit 
@@ -360,18 +330,8 @@ notify: - reload httpd -- name: install the CGit-related httpd redirect config - copy: src=redirect.conf dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/redirect.conf - when: env != "staging" - tags: - - distgit - - cgit - notify: - - reload httpd - - name: install the CGit-related httpd redirect config copy: src=redirect.conf dest=/etc/httpd/conf.d/dist-git/redirect.conf - when: env == "staging" tags: - distgit - cgit @@ -389,23 +349,11 @@ # -- Lookaside Cache ------------------------------------- # This is the annex to Dist Git, where we host source tarballs. -- name: install the Lookaside Cache httpd configs - template: src={{item}} dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/{{item}} - with_items: - - lookaside.conf - - lookaside-upload.conf - when: env != "staging" - notify: - - reload httpd - tags: - - distgit - - name: install the Lookaside Cache httpd configs template: src={{item}} dest=/etc/httpd/conf.d/dist-git/{{item}} with_items: - lookaside.conf - - lookaside-upload-stg.conf - when: env == "staging" + - lookaside-upload.conf notify: - reload httpd tags: 
@@ -499,42 +447,13 @@ tags: - distgit -- name: create /srv/web directory - file: dest=/srv/web state=directory - -- name: install the upload CGI script - copy: src=dist-git-upload.cgi dest=/srv/web/upload.cgi owner=root group=root mode=0755 +- name: uninstall the upload CGI script of non-packaged dist-git + file: dest=/srv/web/upload.cgi state=absent notify: - reload httpd tags: - distgit -- name: uninstall the httpd config directory - file: dest=/etc/httpd/conf.d/pkgs.fedoraproject.org state=absent - when: env == "staging" - notify: - - reload httpd - tags: - - distgit - -- name: check the selinux context of the upload CGI script - command: matchpathcon /srv/web/upload.cgi - register: upcgicontext - check_mode: no - changed_when: false - tags: - - config - - lookaside - - selinux - -- name: set the SELinux policy for the upload CGI script - command: semanage fcontext -a -t git_script_exec_t "/srv/web/upload.cgi" - when: upcgicontext.stdout.find('git_script_exec_t') == -1 - tags: - - config - - lookaside - - selinux - # Three tasks for handling our selinux policy for upload.cgi - name: ensure a directory exists for our SELinux policy file: dest=/usr/local/share/selinux/ state=directory diff --git a/roles/distgit/templates/lookaside-upload-stg.conf b/roles/distgit/templates/lookaside-upload-stg.conf deleted file mode 100644 index 16303344ef..0000000000 --- a/roles/distgit/templates/lookaside-upload-stg.conf +++ /dev/null 
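Review bot: The `semanage fcontext -a -t git_script_exec_t "/srv/web/upload.cgi"` task is dropped but nothing reverses it, so hosts that already ran it keep a stale local file-context rule after the new `uninstall the upload CGI script of non-packaged dist-git` task removes the script. A companion task such as `command: semanage fcontext -d "/srv/web/upload.cgi"` with `failed_when: false` (the rule does not exist on fresh hosts) would leave `semanage fcontext -l -C` clean and keep the `selinux` tag meaningful. The packaged `/var/lib/dist-git/web/upload.cgi` that lookaside-upload.conf now points at presumably gets its label from the dist-git package policy; confirm with `matchpathcon` on a converted host, since the old `matchpathcon` check task is also gone.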
@@ -1,66 +0,0 @@ -Alias /repo/ /srv/cache/lookaside/ - -# default SSL configuration... -Listen 443 - -SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) -SSLSessionCacheTimeout 300 - -Mutex default - -SSLRandomSeed startup file:/dev/urandom 256 -SSLRandomSeed connect builtin -SSLCryptoDevice builtin - - - ServerName pkgs.{{ env_suffix }}fedoraproject.org - #Redirect "/" "https://src{{ env_suffix }}.fedoraproject.org/" - # This is temporary for fixing Kojid because of firewall rules - Alias /repo/ /srv/cache/lookaside/ - - - - # This alias must come before the /repo/ one to avoid being overridden. - ScriptAlias /repo/pkgs/upload.cgi /var/lib/dist-git/web/upload.cgi - - Alias /repo/ /srv/cache/lookaside/ - ServerName pkgs{{ env_suffix }}.fedoraproject.org - ServerAdmin webmaster@fedoraproject.org - - SSLEngine on - - SSLCertificateFile conf/pkgs.fedoraproject.org_key_and_cert.pem - SSLCertificateKeyFile conf/pkgs.fedoraproject.org_key_and_cert.pem - SSLCACertificateFile conf/cacert.pem - SSLCARevocationFile /etc/pki/tls/crl.pem - - SSLProtocol {{ ssl_protocols }} - SSLCipherSuite {{ ssl_ciphers }} - - Redirect "/" "https://src{{ env_suffix }}.fedoraproject.org/" - - -# Allow upload via src - - # This alias must come before the /repo/ one to avoid being overridden. - ScriptAlias /repo/pkgs/upload.cgi /var/lib/dist-git/web/upload.cgi - - Alias /repo/ /srv/cache/lookaside/ - ServerName src{{ env_suffix }}.fedoraproject.org - ServerAdmin webmaster@fedoraproject.org - - ErrorLog logs/ssl_error_log - - - Options +ExecCGI - - AuthType GSSAPI - GssapiSSLonly Off - AuthName "GSSAPI Single Sign On Login" - GssapiCredStore keytab:/etc/httpd.keytab - - Require valid-user - - - - diff --git a/roles/distgit/templates/lookaside-upload.conf b/roles/distgit/templates/lookaside-upload.conf index 4014f0a396..16303344ef 100644 --- a/roles/distgit/templates/lookaside-upload.conf +++ b/roles/distgit/templates/lookaside-upload.conf 
@@ -21,7 +21,7 @@ SSLCryptoDevice builtin # This alias must come before the /repo/ one to avoid being overridden. - ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi + ScriptAlias /repo/pkgs/upload.cgi /var/lib/dist-git/web/upload.cgi Alias /repo/ /srv/cache/lookaside/ ServerName pkgs{{ env_suffix }}.fedoraproject.org @@ -43,7 +43,7 @@ SSLCryptoDevice builtin # Allow upload via src # This alias must come before the /repo/ one to avoid being overridden. - ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi + ScriptAlias /repo/pkgs/upload.cgi /var/lib/dist-git/web/upload.cgi Alias /repo/ /srv/cache/lookaside/ ServerName src{{ env_suffix }}.fedoraproject.org diff --git a/roles/distgit/files/pkgdb2-clone b/roles/distgit/templates/pkgdb2-clone similarity index 98% rename from roles/distgit/files/pkgdb2-clone rename to roles/distgit/templates/pkgdb2-clone index daa7d88644..6341ff4afe 100644 --- a/roles/distgit/files/pkgdb2-clone +++ b/roles/distgit/templates/pkgdb2-clone @@ -13,6 +13,8 @@ NEW_EPEL_VERSION = '7' NEW_EPEL_SOURCE_BRANCH = 'f19' RHEL_PKGS_PATH = '/var/lib/rhel/rhel' + NEW_EPEL_VERSION +MKBRANCH = '/usr/share/dist-git/mkbranch' + # parse_page :: String -> IO (Map String String) # This returns a dictionary of {"pkg_name": "branch"} def parse_page(url): @@ -140,7 +142,7 @@ def main(args): "name, " + src_branchname + " -> " + dest_branchname else: if process_package(pkgdb, key, src_branchname, dest_branchname): - subprocess.call(["mkbranch", + subprocess.call([MKBRANCH, "-s", NEW_EPEL_SOURCE_BRANCH, "epel" + NEW_EPEL_VERSION, diff --git a/roles/distgit/templates/pkgdb_sync_git_branches.py b/roles/distgit/templates/pkgdb_sync_git_branches.py index f3d1d641d3..be91335271 100644 --- a/roles/distgit/templates/pkgdb_sync_git_branches.py +++ b/roles/distgit/templates/pkgdb_sync_git_branches.py 
@@ -70,8 +70,8 @@ PKGDB_URL = 'https://admin.fedoraproject.org/pkgdb'
 GIT_FOLDER = '/srv/git/repositories/'
-MKBRANCH = '/usr/local/bin/mkbranch'
-SETUP_PACKAGE = '/usr/local/bin/setup_git_package'
+MKBRANCH = '/usr/share/dist-git/mkbranch'
+SETUP_PACKAGE = '/usr/share/dist-git/setup_git_package'
 THREADS = 20
 VERBOSE = False
diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf
index 9b377bb29f..a707f3449e 100644
--- a/roles/dns/files/named.conf
+++ b/roles/dns/files/named.conf
@@ -22,7 +22,7 @@ acl "everyone" { 0.0.0.0/0; ::0/0; };
 // acl "ns_redhat" { 66.187.233.210; 209.132.183.2; 66.187.229.10; }; //
-acl "phx2net" { 10.4.124.128/25; 10.5.78.0/24; 10.5.79.0/24; 10.5.125.0/24; 10.5.126.0/24; 10.5.127.0/24; 10.5.129.0/24; 10.16.0.0/24; };
+acl "phx2net" { 10.4.124.128/25; 10.5.78.0/24; 10.5.79.0/24; 10.5.125.0/24; 10.5.126.0/24; 10.5.127.0/24; 10.5.128.0/24; 10.5.129.0/24; 10.5.130.0/24; 10.16.0.0/24; };
 acl "qanet" { 10.5.124.128/25; 10.5.131.0/24; };
 acl "rh-slaves" { 10.5.30.78; 10.11.5.70; };
 acl "rh" { 10.0.0.0/8; };
@@ -151,6 +151,11 @@ view "QA" {
 file "/var/named/master/built/phx2.fedoraproject.org.signed";
 };
+ zone "stg.phx2.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/stg.phx2.fedoraproject.org";
+ };
+
 zone "mgmt.fedoraproject.org" {
 type master;
 file "/var/named/master/built/mgmt.fedoraproject.org";
@@ -253,6 +258,12 @@ view "PHX2" {
 forwarders { 10.5.26.20; 10.5.26.21; };
 };
+ zone "access.redhat.com" {
+ type forward;
+ forward only;
+ forwarders { 152.19.134.150; 140.211.169.201; 66.35.62.163; };
+ };
+
 zone "beaker-project.org" {
 type forward;
 forward only;
@@ -306,6 +317,11 @@ view "PHX2" {
 file "/var/named/master/built/phx2.fedoraproject.org.signed";
 };
+ zone "stg.phx2.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/stg.phx2.fedoraproject.org";
+ };
+
 zone "mgmt.fedoraproject.org" {
 type master;
 file "/var/named/master/built/mgmt.fedoraproject.org";
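Review bot: The new `access.redhat.com` forward zone hands queries to three public addresses (152.19.134.150, 140.211.169.201, 66.35.62.163), while the neighbouring forward zones in this view, such as the one ending in `forwarders { 10.5.26.20; 10.5.26.21; };`, use internal resolvers. With `forward only`, resolution of that name fails closed whenever those hosts are unreachable, and the answers are only as trustworthy as the path to them, so a comment recording which servers these are and why they are preferred would help, e.g. `// resolved through our external nameservers so PHX2 clients see the public records`. The `phx2net` acl widening in the first hunk (10.5.128.0/24 and 10.5.130.0/24) grants those ranges whatever this acl gates elsewhere in the file; confirm both are PHX2-only networks before the change lands.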
diff --git a/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf b/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf
index c953cb29a9..34d32100cd 100644
--- a/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf
+++ b/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf
@@ -1,4 +1,8 @@
 RewriteEngine On
+
+RewriteCond %{HTTP_USER_AGENT} "lftp"
+RewriteRule ^.*$ https://fedoraproject.org/wiki/Infrastructure/Mirroring#Tools_to_avoid [R,L]
+
 RewriteRule ^/$ /pub [R=302,L]
 RedirectMatch 302 ^/pub/fedora/linux/atomic/(.*$) https://kojipkgs.fedoraproject.org/atomic/$1
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 82d0757bbf..11136d2b30 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -83,12 +83,31 @@
 - name: Make sure apache autoindex.conf is replaced with ours
 copy: src=httpd/dl.fedoraproject.org/autoindex.conf dest=/etc/httpd/conf.d/autoindex.conf
+ tags:
+ - httpd
+ - config
 notify:
 - reload httpd
 - name: Configure httpd dl sub conf
 copy: src=httpd/dl.fedoraproject.org/ dest=/etc/httpd/conf.d/dl.fedoraproject.org/
+ tags:
+ - httpd
+ - config
 notify:
 - reload httpd
+- name: Install haveged for entropy
+ yum: name=haveged state=installed
+ tags:
+ - httpd
+ - httpd/proxy
+
+- name: Set haveged running/enabled
+ service: name=haveged enabled=yes state=started
+ tags:
+ - service
+ - httpd
+ - httpd/proxy
+
 ##
diff --git a/roles/easyfix/gather/files/template.html b/roles/easyfix/gather/files/template.html
index 3e1ab6f02f..3efdf26eae 100644
--- a/roles/easyfix/gather/files/template.html
+++ b/roles/easyfix/gather/files/template.html
@@ -113,7 +113,7 @@
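Review bot: `RewriteCond %{HTTP_USER_AGENT} "lftp"` is an unanchored, case-sensitive regex, so it matches any agent string containing `lftp` and misses `LFTP`; if the tool is meant to be caught regardless of case, `RewriteCond %{HTTP_USER_AGENT} "lftp" [NC]` does that. A one-line comment above the rule stating its purpose, e.g. `# steer lftp mirror scripts to the page explaining why it is discouraged`, would help, because the rule sits above the generic `^/$` redirect and applies to every path and every method. Bare `[R]` is a 302, which is fine for a policy redirect that may be lifted later.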
diff --git a/roles/easyfix/gather/templates/gather_easyfix.py b/roles/easyfix/gather/templates/gather_easyfix.py
index 14bba92e1f..13c1d4d589 100755
--- a/roles/easyfix/gather/templates/gather_easyfix.py
+++ b/roles/easyfix/gather/templates/gather_easyfix.py
@@ -41,8 +41,7 @@ from kitchen.text.converters import to_bytes
 from jinja2 import Template
 __version__ = '0.1.1'
-bzclient = RHBugzilla(url='https://bugzilla.redhat.com/xmlrpc.cgi',
- cookiefile=None)
+bzclient = RHBugzilla(url='https://bugzilla.redhat.com/xmlrpc.cgi', cookiefile=None, tokenfile=None)
 # So the bugzilla module has some way to complain
 logging.basicConfig()
 logger = logging.getLogger('bugzilla')
@@ -173,27 +172,6 @@ def gather_project():
 return projects
-def get_open_tickets_for_keyword(project, keyword):
- """ For a given project return the tickets ID which have the given
- keyword attached.
- :arg project, name of the project on fedorahosted.org
- :arg keyword, search the trac for open tickets having this keyword
- in the keywords field.
- """
- tickets = []
- try:
- server = xmlrpclib.ServerProxy(
- 'https://fedorahosted.org/%s/rpc' % project)
- query = 'status=assigned&status=new&status=reopened&' \
- 'keywords=~%s' % keyword
- for ticket in server.ticket.query(query):
- tickets.append(server.ticket.get(ticket))
- except xmlrpclib.Error, err:
- print ' Could not retrieve information for project: %s' % project
- print ' Error: %s' % err
- return tickets
-
-
 def parse_arguments():
 parser = argparse.ArgumentParser(__doc__)
 parser.add_argument(
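Review bot: The rewritten `bzclient = RHBugzilla(...)` line now runs past 100 columns, whereas the version it replaces was wrapped to PEP 8 width and the rest of the file (Python 2, given the removed `except xmlrpclib.Error, err:`) keeps that convention. Keeping the call split, `bzclient = RHBugzilla(url='https://bugzilla.redhat.com/xmlrpc.cgi',` / `cookiefile=None, tokenfile=None)`, preserves the style. A short comment such as `# no cookie or token cache on disk: this runs unattended on a shared host` would record why both persistence options are disabled.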
@@ -269,21 +247,6 @@ def main():
 project.name, ticket['id'])
 ticketobj.status = ticket['status']
 tickets.append(ticketobj)
- else:
- project.url = 'https://fedorahosted.org/%s/' % (project.name)
- project.site = 'trac'
- for ticket in get_open_tickets_for_keyword(project.name,
- project.tag):
- ticket_num = ticket_num + 1
- ticketobj = Ticket()
- ticketobj.id = ticket[0]
- ticketobj.title = ticket[3]['summary']
- ticketobj.url = 'https://fedorahosted.org/%s/ticket/%s' %(
- project.name, ticket[0])
- ticketobj.status = ticket[3]['status']
- ticketobj.type = ticket[3]['type']
- ticketobj.component = ticket[3]['component']
- tickets.append(ticketobj)
 project.tickets = tickets
 bzbugs = gather_bugzilla_easyfix()
diff --git a/roles/fas_client/files/aliases.template b/roles/fas_client/files/aliases.template
index bd5414d7c0..b00bec5abf 100644
--- a/roles/fas_client/files/aliases.template
+++ b/roles/fas_client/files/aliases.template
@@ -144,7 +144,7 @@ fudcon-paper: fudcon-cfp
 # flock
 flockpress: bex,fpl
 flockinfo: bex,fpl
-flock-staff: bex,fpl,jwboyer,duffy
+flock-staff: bex,fpl,duffy
 # gnome backups
 gnomebackup: backups@gnome.org
@@ -343,5 +343,9 @@ blockerbugs: tflink+blockerbugs@redhat.com
 releng-team: ausil,mohanboddu,parasense
 containerbuild: maxamillion
+# Fedora Community Action and Impact Coordinator
+# https://fedoraproject.org/wiki/Community_Leader
+fcaic: bex
+
 #### The rest of this file is automatically generated - edit using the accounts system!
diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2
index 9d71432062..513c6a6b59 100644
--- a/roles/fas_server/templates/fas.cfg.j2
+++ b/roles/fas_server/templates/fas.cfg.j2
@@ -76,9 +76,9 @@ ipa_sync_certfile = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' # Usernames that are unavailable for fas allocation {% if env == "staging" %} -username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% else %} -username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% endif %} email_domain_blacklist = "{{ fas_blocked_emails }}" @@ -235,7 +235,7 @@ gencert = "{{ gen_cert }}" makeexec = "/usr/bin/make" openssl_lockdir = "/var/lock/fedora-ca" -openssl_digest = "md5" +openssl_digest = "sha256" openssl_expire = 15552000 # 60*60*24*180 = 6 months openssl_ca_dir = "/var/lib/fedora-ca" openssl_ca_newcerts = "/var/lib/fedora-ca/newcerts" diff --git a/roles/fedmsg/base/tasks/main.yml b/roles/fedmsg/base/tasks/main.yml index a2f855e78b..a79abefeb0 100644 --- a/roles/fedmsg/base/tasks/main.yml +++ b/roles/fedmsg/base/tasks/main.yml @@ -106,6 +106,7 @@ - ssl.py - endpoints.py - endpoints-anitya.py + - endpoints-cico.py - endpoints-pagure.py - endpoints-fedocal.py - endpoints-fedbadges.py diff --git a/roles/fedmsg/base/templates/endpoints-cico.py.j2 b/roles/fedmsg/base/templates/endpoints-cico.py.j2 new file mode 100644 index 0000000000..68b0da0617 --- /dev/null 
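Review bot: Switching `openssl_digest` to `sha256` in the `@@ -235,7` hunk only affects certificates signed from now on; anything the CA already issued under `md5` stays valid until its own `openssl_expire` window (15552000 s, six months per the comment) runs out. If relying parties start rejecting MD5-signed certificates after this change, those clients will need reissued certificates, so a note next to the setting, e.g. `# sha256 since <DATE-PLACEHOLDER>; md5-signed client certs issued earlier expire within 6 months`, records the transition for whoever handles the fallout.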
+++ b/roles/fedmsg/base/templates/endpoints-cico.py.j2 @@ -0,0 +1,11 @@ +# This tells nodes to pull messages from ci.centos.org + +config = dict( + {% if env == 'staging' %} + endpoints={ + "centos-ci-public-relay": [ + "tcp://fedmsg-relay.ci.centos.org:9940", + ], + }, + {% endif %} +) diff --git a/roles/fedora-docs/proxy/files/fedora-docs.conf b/roles/fedora-docs/proxy/files/fedora-docs.conf index cd3d10000d..f48a2cee20 100644 --- a/roles/fedora-docs/proxy/files/fedora-docs.conf +++ b/roles/fedora-docs/proxy/files/fedora-docs.conf @@ -17,4 +17,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/alt/files/alt.conf b/roles/fedora-web/alt/files/alt.conf index 252b87a58d..b355733abf 100644 --- a/roles/fedora-web/alt/files/alt.conf +++ b/roles/fedora-web/alt/files/alt.conf @@ -8,4 +8,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/arm/files/arm.conf b/roles/fedora-web/arm/files/arm.conf index aa8f7ac630..09a99c8e14 100644 --- a/roles/fedora-web/arm/files/arm.conf +++ b/roles/fedora-web/arm/files/arm.conf @@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/budget/files/budget.conf b/roles/fedora-web/budget/files/budget.conf index 456500ae6b..17c01d1fc4 100644 --- a/roles/fedora-web/budget/files/budget.conf +++ b/roles/fedora-web/budget/files/budget.conf 
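Review bot: The new staging endpoint pulls from `tcp://fedmsg-relay.ci.centos.org:9940`, an external relay, so consumers on these nodes will now receive messages that originate outside the project's own signing setup. `ssl.py` is deployed alongside (it is listed in the tasks hunk above), so confirm its configuration covers the `centos-ci-public-relay` origin; otherwise those messages are either dropped by validation or, if validation is not applied to that endpoint, consumed without it. A comment on the endpoint stating which outcome is expected, e.g. `# external relay; confirm ssl.py covers its signing certs before enabling outside staging`, makes the intent explicit.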
@@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/build/files/syncStatic.stg.sh b/roles/fedora-web/build/files/syncStatic.stg.sh index 86198df5c3..270975e1d2 100644 --- a/roles/fedora-web/build/files/syncStatic.stg.sh +++ b/roles/fedora-web/build/files/syncStatic.stg.sh @@ -45,7 +45,7 @@ cd /srv/web/fedora-websites /usr/bin/git clean -q -fdx || exit 1 /usr/bin/git reset -q --hard || exit 1 -/usr/bin/git checkout -q f26-alpha || exit 1 +/usr/bin/git checkout -q f26-beta || exit 1 /usr/bin/git pull -q --ff-only || exit 1 build spins.fedoraproject.org diff --git a/roles/fedora-web/flocktofedora/files/flocktofedora.org.conf b/roles/fedora-web/flocktofedora/files/flocktofedora.org.conf index e21b4af73b..0764129437 100644 --- a/roles/fedora-web/flocktofedora/files/flocktofedora.org.conf +++ b/roles/fedora-web/flocktofedora/files/flocktofedora.org.conf @@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/fudcon/files/fudcon.conf b/roles/fedora-web/fudcon/files/fudcon.conf index 330d159349..1266a905c1 100644 --- a/roles/fedora-web/fudcon/files/fudcon.conf +++ b/roles/fedora-web/fudcon/files/fudcon.conf @@ -9,4 +9,4 @@ Redirect /design-suite http://fudcon.fedoraproject.org/design Redirect /electronic-lab http://fudcon.fedoraproject.org/fel ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/getfedora/files/getfedora.org.conf b/roles/fedora-web/getfedora/files/getfedora.org.conf index 6359f0c8a7..3a89898969 100644 --- a/roles/fedora-web/getfedora/files/getfedora.org.conf +++ b/roles/fedora-web/getfedora/files/getfedora.org.conf 
@@ -8,7 +8,7 @@ Alias /fmw /srv/web/fmw/ FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" AllowOverride FileInfo diff --git a/roles/fedora-web/labs/files/labs.conf b/roles/fedora-web/labs/files/labs.conf index b4254ea508..cc86d59966 100644 --- a/roles/fedora-web/labs/files/labs.conf +++ b/roles/fedora-web/labs/files/labs.conf @@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/spins/files/spins.conf b/roles/fedora-web/spins/files/spins.conf index 91ffbc0f4e..4b486c7520 100644 --- a/roles/fedora-web/spins/files/spins.conf +++ b/roles/fedora-web/spins/files/spins.conf @@ -12,4 +12,4 @@ RedirectMatch /(.*)/design-suite/ http://spins.fedoraproject.org/$1/design RedirectMatch /(.*)/electronic-lab/ http://spins.fedoraproject.org/$1/fel ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/haproxy/files/os-master.production.pem b/roles/haproxy/files/os-master.production.pem new file mode 100644 index 0000000000..e69de29bb2 diff --git a/roles/haproxy/files/os-master.staging.pem b/roles/haproxy/files/os-master.staging.pem new file mode 100644 index 0000000000..0acb14dad0 --- /dev/null +++ b/roles/haproxy/files/os-master.staging.pem 
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu
+c2hpZnQtc2lnbmVyQDE0OTQ5ODA0MzgwHhcNMTcwNTE3MDAyMDM4WhcNMjIwNTE2
+MDAyMDM5WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE0OTQ5ODA0Mzgw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaK2gwEPAesGrhGCaDhQcw
+P14KB0FtybxLEHB++/n+RUbO1Gb1/E/pxqVuJisCCj+MdX7Vw9VSExrMPmTNjnNo
+N+aRN7etvod/OpncNmybUGmbp1FoJgFFaouniAckW4RAYMJFyGwnaRMZvpt2GB8a
+BzC6ZNm7Ev7lXucH9YOm3TQ+cae8bLQQxAxTuf49vTg7aLw4wlsFsJC+p3QYvqhO
+Yx/93/WJBy+oMy4sKncr9KRtrcN3+j1Rdzn7kPSidyZLvUsr9AI5IoZBfZMSgSGa
+Z4z2ek9hiK3hAgQhn3lterJpmP3nmVUfoEqvmfVRCpyq4gN1SpJ8fqTyMH4M3l1p
+AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQARVmLKy3TwUOX7+rS6LtbJQgrty71BZsjuE7g4FZ2K4K9r
+WqiVa7OJCneWDKWO2zeSUjI7hrOiKEFiG1bfgJPThTKpw7iwcuDq/UipXiIy54Kn
+aALePUqv06Q05eZD9RgWX+ON/WXHnOflQY+RE1i6nHnH/bYwGMRkbaWmv/m9P+e3
+tUH+lva4efjow1KNdS2H7jfCIR0dkWIOVCU++K9csw7lQ6wFtDZPP5Yqrn1p37oU
+kv9T+a4XzaPgao0QV4RT2NpxsFBksXyuxfNNsuhmQzRenMax1vhwc49/Fze40BGW
+tCsncj89Tk7bfx3oFgC6rY/gt3ImwUooaxuOkbqt
+-----END CERTIFICATE-----
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 1552e9c1ba..fde8d317dd 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -36,6 +36,7 @@ owner=root group=root mode=0600
 with_items:
 - { file: "ipa.{{env}}.pem", dest: /etc/haproxy/ipa.pem }
+ - { file: "os-master.{{env}}.pem", dest: /etc/haproxy/os-master.pem }
 tags:
 - haproxy
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index f94cacf222..1cd2032b69 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
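Review bot: The copy task now installs `os-master.{{env}}.pem` for every environment, but `roles/haproxy/files/os-master.production.pem` is added with index `e69de29bb2`, git's hash for an empty blob, so production receives an empty `/etc/haproxy/os-master.pem`. The `os-master` listen block in haproxy.cfg is wrapped in `{% if env == "staging" %}` today, so nothing breaks yet, but the first time that guard is relaxed haproxy will reject the empty `ca-file` or fail every backend check. Either ship the production CA certificate or add `when: env == "staging"` to this item until it exists, and put a line such as `# CA that signed the OpenShift master API certificates` beside the item so a reader knows what the PEM is, since the subject is not visible from the YAML.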
@@ -421,13 +421,28 @@ listen kojipkgs 0.0.0.0:10062
 option httpchk GET /
 {% endif %}
-
 listen mbs 0.0.0.0:10063
 balance hdr(appserver)
 server mbs-frontend01 mbs-frontend01:80 check inter 20s rise 2 fall 3
 server mbs-frontend02 mbs-frontend02:80 check inter 20s rise 2 fall 3
 option httpchk GET /module-build-service/1/module-builds/
+{% if env == "staging" %}
+listen os-master 0.0.0.0:10064
+ balance hdr(appserver)
+ server os-master01 os-master01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem
+ server os-master02 os-master02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem
+ server os-master03 os-master02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem
+ option httpchk GET /
+
+listen os-nodes 0.0.0.0:10065
+ balance hdr(appserver)
+ server os-node01 os-node01:443 check inter 10s rise 1 fall 2 ssl verify none
+ server os-node02 os-node02:443 check inter 10s rise 1 fall 2 ssl verify none
+ option httpchk GET /
+ http-check expect status 503
+{% endif %}
+
 # Apache doesn't handle the initial connection here like the other proxy
 # entries. This proxy also doesn't use the http mode like the others.
diff --git a/roles/hosts/files/os-hosts b/roles/hosts/files/os-hosts
new file mode 100644
index 0000000000..944b7908e7
--- /dev/null
+++ b/roles/hosts/files/os-hosts
@@ -0,0 +1,3 @@
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+209.132.182.63 registry.access.redhat.com
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf
index c1cf163030..2393b86874 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf
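Review bot: `server os-master03 os-master02:443 ...` points the third backend at the second host, so os-master03 never receives traffic and os-master02 is health-checked twice; it should read `server os-master03 os-master03:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem`. The `os-nodes` block uses `ssl verify none`, so haproxy will accept any certificate those hosts present; if the node routers are signed by the same CA as the masters, `ssl verify required ca-file /etc/haproxy/os-master.pem` keeps the two blocks consistent, and if not, a comment should say why verification is skipped. `http-check expect status 503` declares a 503 healthy, presumably because the router answers 503 for `/` when no route matches; a comment stating that would stop someone later "fixing" it to expect 200.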
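Review bot: The static `209.132.182.63 registry.access.redhat.com` entry in os-hosts pins the registry to one address and bypasses DNS, so image pulls will fail quietly when that service moves or is served from other addresses, and the file gives no hint why the pin exists. A `#` comment on the line above, e.g. `# pinned: <REASON-PLACEHOLDER, e.g. this name does not resolve from the OpenShift hosts>`, plus the same note in the task that installs this file, would let the next person remove or update it safely.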
@@ -15,19 +15,19 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript diff --git a/roles/jenkins/master/files/jenkins.logrotate b/roles/jenkins/master/files/jenkins.logrotate new file mode 100644 index 0000000000..7d74a85f5c --- /dev/null +++ b/roles/jenkins/master/files/jenkins.logrotate @@ -0,0 +1,9 @@ +/var/log/jenkins/jenkins.log { + rotate 5 + weekly + compress + delaycompress + missingok + notifempty + copytruncate +} diff --git a/roles/jenkins/master/tasks/main.yml b/roles/jenkins/master/tasks/main.yml index a9a6a7a301..b4a07d7126 100644 --- a/roles/jenkins/master/tasks/main.yml +++ b/roles/jenkins/master/tasks/main.yml @@ -56,6 +56,22 @@ - jenkins/master - config +- name: install jenkins logrotate file + copy: > + src="jenkins.logrotate" + dest="/etc/logrotate.d/jenkins" + tags: + - jenkins + - jenkins/master + - config + +- name: set /var/log/jenkins to not be writable by jenkins group + file: path=/var/log/jenkins mode=0700 owner=jenkins + tags: + - jenkins + - jenkins/master + - config + - name: install jenkins launcher config file copy: > src="jenkins.conf" diff --git a/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org b/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org new file mode 100644 index 0000000000..69d8623ef1 --- /dev/null 
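Review bot: In the jenkins tasks hunk, `file: path=/var/log/jenkins mode=0700 owner=jenkins` relies on the directory already existing, since the file module's default state does not create it; `file: path=/var/log/jenkins state=directory mode=0700 owner=jenkins group=jenkins` makes the task safe on a fresh host and also pins the group, which the task name talks about but the line never sets. The logrotate rule in the same file section uses `copytruncate`, so jenkins keeps writing to the same inode; that works with a 0700 directory as long as logrotate runs as root (the usual arrangement), and a comment saying so would save the next reader the question.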
+++ b/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org
@@ -0,0 +1,26 @@
+#!/bin/bash
+TYPE=$1
+NAME=$2
+STATE=$3
+
+#
+# We are becoming master node
+#
+if [ $STATE == "MASTER" ]; then
+ logger "just became keepalived master"
+
+fi
+#
+# We are becoming the backup node
+#
+if [ $STATE == "BACKUP" ]; then
+ systemctl restart posgresql-9.4
+ logger "just became keepalived backup"
+fi
+#
+# something horrible has gone wrong
+#
+if [ $STATE == "FAULT" ]; then
+ systemctl stop posgresql-9.4
+ logger "just had a keepalived fault"
+fi
diff --git a/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org b/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org
new file mode 100644
index 0000000000..69d8623ef1
--- /dev/null
+++ b/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org
@@ -0,0 +1,26 @@
+#!/bin/bash
+TYPE=$1
+NAME=$2
+STATE=$3
+
+#
+# We are becoming master node
+#
+if [ $STATE == "MASTER" ]; then
+ logger "just became keepalived master"
+
+fi
+#
+# We are becoming the backup node
+#
+if [ $STATE == "BACKUP" ]; then
+ systemctl restart posgresql-9.4
+ logger "just became keepalived backup"
+fi
+#
+# something horrible has gone wrong
+#
+if [ $STATE == "FAULT" ]; then
+ systemctl stop posgresql-9.4
+ logger "just had a keepalived fault"
+fi
diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf
index e1594b932f..fa4a362d44 100644
--- a/roles/koji_builder/templates/kojid.conf
+++ b/roles/koji_builder/templates/kojid.conf
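Review bot: Both notify scripts run `systemctl restart posgresql-9.4` and `systemctl stop posgresql-9.4`, which looks like a typo for `postgresql-9.4`; as written the BACKUP and FAULT transitions log the state change while the database unit is never touched, which is the opposite of what a failover hook must guarantee. The same lines appear in the pgbdr02 copy in the next hunk. `$STATE` is also unquoted in each `[ $STATE == "MASTER" ]`, so an invocation with a missing argument turns the test into a syntax error instead of a clean no-match; `if [ "$STATE" == "MASTER" ]; then` (and likewise for BACKUP and FAULT) fixes that. Since the two files are byte-identical, one file plus a per-host symlink or a templated copy would stop them drifting apart.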
@@ -18,7 +18,10 @@ rpmbuild_timeout=172800 use_createrepo_c=True -{% if koji_topurl == 'https://kojipkgs.fedoraproject.org/' %} +{% if host in groups['buildvm-s390x'] %} +# s390x builders use a local varnish cache +topurl = http://kojipkgs-cache01.s390.fedoraproject.org https://kojipkgs01.fedoraproject.org https://kojipkgs02.fedoraproject.org +{% elif koji_topurl == 'https://kojipkgs.fedoraproject.org/' %} ; add some additional urls for failover topurl = {{koji_topurl}} https://kojipkgs01.fedoraproject.org https://kojipkgs02.fedoraproject.org {% else %} diff --git a/roles/koji_hub/templates/kojira.conf.j2 b/roles/koji_hub/templates/kojira.conf.j2 index 65bfee828d..214fad3651 100644 --- a/roles/koji_hub/templates/kojira.conf.j2 +++ b/roles/koji_hub/templates/kojira.conf.j2 @@ -27,6 +27,7 @@ with_src=no ; prevent kojira from flooding the build system with newRepo tasks max_repo_tasks=15 +repo_tasks_limit=15 ; Server certificate authority krb_rdns=false diff --git a/roles/kojipkgs/files/kojipkgs.conf b/roles/kojipkgs/files/kojipkgs.conf index 5779a7406d..cf8ea56095 100644 --- a/roles/kojipkgs/files/kojipkgs.conf +++ b/roles/kojipkgs/files/kojipkgs.conf @@ -1,5 +1,7 @@ ServerName https://kojipkgs.fedoraproject.org +RequestHeader unset Accept-Encoding early + CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/kojipkgs01.fedoraproject.org-access.log.%Y-%m-%d 86400" combined ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/kojipkgs01.fedoraproject.org-error.log.%Y-%m-%d 86400" diff --git a/roles/koschei/backend/files/koschei-scheduler-hotfix.patch b/roles/koschei/backend/files/koschei-scheduler-hotfix.patch new file mode 100644 index 0000000000..11445806f6 --- /dev/null +++ b/roles/koschei/backend/files/koschei-scheduler-hotfix.patch 
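Review bot: The s390x branch puts a plain `http://kojipkgs-cache01.s390.fedoraproject.org` first in `topurl`, so builders on that arch fetch build inputs over an unauthenticated channel while every other branch stays on https; unless kojid verifies what it downloads against hub-recorded checksums, the cache host becomes part of the build trust boundary, and either a comment saying that is accepted or TLS in front of the cache is warranted. The new condition tests `host in groups['buildvm-s390x']` while Ansible's own per-host name is `inventory_hostname`; if `host` is not a variable this inventory defines, the comparison fails at template time, so it is worth confirming. Minor: the added comment uses `#` where the neighbouring line uses `;`; both parse, but one style per file reads better.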
@@ -0,0 +1,32 @@
+--- /usr/lib/python2.7/site-packages/koschei/backend/__init__.py~ 2017-06-13 21:31:05.170580184 +0200
++++ /usr/lib/python2.7/site-packages/koschei/backend/__init__.py 2017-06-13 22:24:19.798558738 +0200
+@@ -94,13 +94,15 @@
+ return self._repo_cache
+
+
+-def submit_build(session, package):
++def submit_build(session, package, arches=[]):
+ assert package.collection.latest_repo_id
+ build = Build(package_id=package.id, state=Build.RUNNING)
+ name = package.name
+ build_opts = {}
+- if package.arch_override:
+- override = package.arch_override
++ override = package.arch_override
++ if not override and 'noarch' not in arches:
++ override = '^'
++ if override:
+ if override.startswith('^'):
+ excludes = override[1:].split()
+ build_arches = get_config('koji_config').get('build_arches')
+--- /usr/lib/python2.7/site-packages/koschei/backend/services/scheduler.py~ 2017-06-13 22:15:27.907396051 +0200
++++ /usr/lib/python2.7/site-packages/koschei/backend/services/scheduler.py 2017-06-13 22:15:45.077207616 +0200
+@@ -72,7 +72,7 @@
+
+ self.log.info('Scheduling build for {}, priority {}'
+ .format(package.name, priority))
+- build = backend.submit_build(self.session, package)
++ build = backend.submit_build(self.session, package, arches)
+ package.current_priority = None
+ package.scheduler_skip_reason = None
+ package.manual_priority = 0
diff --git a/roles/koschei/backend/tasks/main.yml b/roles/koschei/backend/tasks/main.yml
index a7667ede17..27bc3e1878 100644
--- a/roles/koschei/backend/tasks/main.yml
+++ b/roles/koschei/backend/tasks/main.yml
@@ -107,3 +107,12 @@
 tags:
 - koschei
 - config
+
+- name: HOTFIX koschei scheduler
+ patch: src=koschei-scheduler-hotfix.patch basedir=/
+ when: env == 'staging'
+ notify:
+ - restart koschei-scheduler
+ tags:
+ - koschei
+ - hotfix
diff --git a/roles/koschei/backend/templates/config-backend.cfg.j2 b/roles/koschei/backend/templates/config-backend.cfg.j2
index 672c694eef..78fd657775 100644
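Review bot: The hotfix patch changes the signature to `def submit_build(session, package, arches=[]):`, a mutable default argument; it is not mutated in the visible lines, but it is the classic Python trap and `arches=()` expresses the same intent without it. The new branch `if not override and 'noarch' not in arches: override = '^'` appears to turn a package with no override into a build with an empty exclude list (so all configured `build_arches`) whenever the scheduler passes an `arches` value lacking noarch; a short comment in the patch stating that rule would help whoever removes this hotfix later. The task in the next hunk applies it with absolute python2.7 site-packages paths, so a koschei or Python update will make the task fail rather than silently skip — acceptable, but worth a word in the task name.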
--- a/roles/koschei/backend/templates/config-backend.cfg.j2 +++ b/roles/koschei/backend/templates/config-backend.cfg.j2 @@ -24,14 +24,15 @@ config = { }, {% if env == 'staging' %} "max_builds": 16, - "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le'], + "build_arches": ['x86_64'], "load_threshold": 1, + "task_priority": 25, {% else %} "max_builds": 60, - "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le', 's390x'], - "load_threshold": 0.65, - {% endif %} + "build_arches": ['x86_64', 'aarch64', 'ppc64'], + "load_threshold": 0.75, "task_priority": 30, + {% endif %} }, "dependency": { "build_group": "build", diff --git a/roles/koschei/frontend/templates/config-frontend.cfg.j2 b/roles/koschei/frontend/templates/config-frontend.cfg.j2 index 8569959b98..d89d61894b 100644 --- a/roles/koschei/frontend/templates/config-frontend.cfg.j2 +++ b/roles/koschei/frontend/templates/config-frontend.cfg.j2 @@ -103,6 +103,11 @@ config = { "bugreport": { "url": "https://{{ koschei_bugzilla }}/enter_bug.cgi?{query}", }, + "copr": { + "require_admin": True, + "copr_owner": "mizdebsk", + "default_schedule_count": 8, + }, } # Local Variables: diff --git a/roles/loopabull/files/loopabull@.service b/roles/loopabull/files/loopabull@.service new file mode 100644 index 0000000000..043c555762 --- /dev/null +++ b/roles/loopabull/files/loopabull@.service @@ -0,0 +1,17 @@ +[Unit] +Description=loopabull worker #%i +After=network.target +Documentation=https://github.com/maxamillion/loopabull + +[Service] +ExecStart=/usr/bin/loopabull $CONFIG_FILE +User=root +Group=root +Restart=on-failure +Type=simple +EnvironmentFile=-/etc/sysconfig/loopabull +Restart=on-failure +PrivateTmp=yes + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/loopabull/handlers/main.yml b/roles/loopabull/handlers/main.yml index e222efcc5d..6af03246d2 100644 --- a/roles/loopabull/handlers/main.yml +++ b/roles/loopabull/handlers/main.yml 
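Review bot: In the new loopabull@.service, `Restart=on-failure` appears twice (once after `Type=simple`, once after `EnvironmentFile`); systemd normally keeps the last assignment so it is harmless, but the duplicate should go. `ExecStart=/usr/bin/loopabull $CONFIG_FILE` takes its only argument from `EnvironmentFile=-/etc/sysconfig/loopabull`, and the leading `-` makes a missing file non-fatal; nothing in this commit writes that file, so unless it already exists on the hosts every instance starts with an empty argument — either use `/etc/loopabull.yml`, which the tasks hunk in the next line now installs, or add the sysconfig file here. The worker also runs as `User=root`/`Group=root` while its job is to execute playbooks from a cloned git repo; a dedicated service user with only the access those playbooks need would bound the impact of a bad playbook. The unit also lacks a trailing newline.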
@@ -1,2 +1,12 @@ --- # handlers file for loopabull +- name: restart loopabull + service: + name: "{{ item }}" + state: restarted + with_items: + - loopabull@1 + - loopabull@2 + - loopabull@3 + - loopabull@4 + - loopabull@5 diff --git a/roles/loopabull/tasks/main.yml b/roles/loopabull/tasks/main.yml index a38513b9d9..c5439a4136 100644 --- a/roles/loopabull/tasks/main.yml +++ b/roles/loopabull/tasks/main.yml @@ -10,16 +10,29 @@ - name: configure loopabull template: src: loopabull.yml.j2 - dest: "{{ansible_cfg_path}}" + dest: /etc/loopabull.yml + notify: restart loopabull - name: clone the playbooks repo into playbooks dir git: repo: "https://pagure.io/releng-automation.git" dest: "{{playbooks_dir}}" -- name: start and enable loopabull +- name: Install the loopabull@.service template + copy: + src: "loopabull@.service" + dest: "/usr/lib/systemd/system/loopabull@.service" + notify: restart loopabull + +- name: start and enable loopabull@ service: - name: loopabull + name: "{{ item }}" state: started enabled: yes + with_items: + - loopabull@1 + - loopabull@2 + - loopabull@3 + - loopabull@4 + - loopabull@5 diff --git a/roles/loopabull/templates/loopabull.yml.j2 b/roles/loopabull/templates/loopabull.yml.j2 index c93198afe9..fc3f02ead5 100644 --- a/roles/loopabull/templates/loopabull.yml.j2 +++ b/roles/loopabull/templates/loopabull.yml.j2 
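Review bot: In the tasks hunk, the unit is copied to `/usr/lib/systemd/system/loopabull@.service` and then started with the `service` module, but nothing in the play issues an explicit daemon-reload; whether the `service` module does so on the enable path depends on the Ansible version, so a handler such as `systemd: daemon_reload: yes` notified by the copy task (or using the `systemd` module for the start task) removes the doubt that `loopabull@1` can be started on a fresh host. Locally managed units also conventionally live in `/etc/systemd/system/` rather than the package directory, so `dest: "/etc/systemd/system/loopabull@.service"` keeps the file clear of rpm ownership.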
@@ -3,11 +3,37 @@ # There are three main definitions: ansible, routing_keys, plugin. These will be # explained in comments above each section below. -# plugin +# loglevel # -# This is the selected plugin that will interface with your prefered origin of -# events (message bus or otherwise). -plugin: {{plugin}} +# The defaul loglevel is "info" but the following log levels are available +# - info +# - warn +# - error +# - debug +{% if loglevel is defined %} + loglevel: {{ loglevel }} +{% else %} + loglevel: info +{% endif %} + +# plugin section +# +# loopabull has two types of plugins: +# +# looper: message bus python generator plugin that will interface with your +# prefered origin of events (message bus or otherwise). +# +# translator: routing key translator which allows for alternative layouts +# on-disk for routing_key mappings to playbooks the default of +# "rkname" simple means that your playbooks share the same parent +# dir and are all named after the routing_key they correspond to +# in the message bus. +# +plugins: + looper: + name: {{ plugin }} + translator: + name: rkname # routing_keys # diff --git a/roles/mailman/files/post-update.sh b/roles/mailman/files/post-update.sh index ffb59678b1..0b95d0a618 100755 --- a/roles/mailman/files/post-update.sh +++ b/roles/mailman/files/post-update.sh @@ -36,7 +36,7 @@ restorecon -r $BASEDIR/{bin,config,fulltext_index,static,templates} # Run unit tests echo "unit tests" -django-admin test --pythonpath $CONFDIR --settings settings_test hyperkitty postorius +django-admin test --pythonpath $CONFDIR --settings settings_test django_mailman3 hyperkitty postorius # Restart services systemctl start httpd mailman3 crond webui-qcluster diff --git a/roles/mbs/common/templates/config.py b/roles/mbs/common/templates/config.py index 0c488fd29f..b61eddeddf 100644 --- a/roles/mbs/common/templates/config.py +++ b/roles/mbs/common/templates/config.py 
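Review bot: The rendered `loglevel:` lines carry a leading space (` loglevel: {{ loglevel }}` / ` loglevel: info`) while `plugins:` and the remaining keys sit at column 0; in YAML a top-level mapping cannot start at indent 1 and then continue at indent 0, so unless an earlier key in the file establishes that indent this renders a file loopabull cannot parse. Removing the leading space inside both branches of the `{% if loglevel is defined %}` block fixes it; the Jinja tags themselves are fine at column 0. The comment also has `defaul` for `default` and `prefered` for `preferred`, and the header comment above the hunk still says there are three main definitions, which is no longer accurate with loglevel and the new plugins block.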
@@ -43,6 +43,9 @@ class BaseConfiguration(object): # Determines how many builds that can be submitted to the builder # and be in the build state at a time. Set this to 0 for no restrictions + # New name + NUM_CONCURRENT_BUILDS = 5 + # Old name https://pagure.io/fm-orchestrator/issue/574 NUM_CONSECUTIVE_BUILDS = 5 RPMS_DEFAULT_REPOSITORY = 'git://pkgs.fedoraproject.org/rpms/' @@ -89,6 +92,12 @@ class ProdConfiguration(BaseConfiguration): #'packager', ] + # These groups are allowed to cancel the builds of other users. + ADMIN_GROUPS = [ + 'factory2', + 'releng', + ] + {% if env == 'staging' %} SECRET_KEY = '{{ mbs_stg_secret_key }}' SQLALCHEMY_DATABASE_URI = 'postgresql://mbs:{{mbs_stg_db_password}}@db-mbs/mbs' @@ -125,6 +134,8 @@ class ProdConfiguration(BaseConfiguration): MESSAGING_TOPIC_PREFIX = ['org.fedoraproject.stg'] PDC_URL = 'https://pdc.stg.fedoraproject.org/rest_api/v1' SCMURLS = ["git://pkgs.stg.fedoraproject.org/modules/"] + # Blocked on https://pagure.io/releng/issue/6799 + KOJI_ENABLE_CONTENT_GENERATOR = False {% else %} KOJI_PROFILE = 'production' KOJI_ARCHES = ['aarch64', 'armv7hl', 'i686', 'ppc64', 'ppc64le', 'x86_64'] @@ -132,6 +143,8 @@ class ProdConfiguration(BaseConfiguration): MESSAGING_TOPIC_PREFIX = ['org.fedoraproject.prod'] PDC_URL = 'https://pdc.fedoraproject.org/rest_api/v1' SCMURLS = ["git://pkgs.fedoraproject.org/modules/"] + # Blocked on https://pagure.io/releng/issue/6799 + KOJI_ENABLE_CONTENT_GENERATOR = False {% endif %} # This is a whitelist of prefixes of koji tags we're allowed to manipulate 
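Review bot: `NUM_CONCURRENT_BUILDS = 5` and `NUM_CONSECUTIVE_BUILDS = 5` are now two literals that must be kept equal by hand, and the same pair recurs as 20 in the `@@ -145,8 +158,14 @@` hunk of this file; deriving the legacy name from the new one, `NUM_CONSECUTIVE_BUILDS = NUM_CONCURRENT_BUILDS  # old name, see fm-orchestrator issue 574`, keeps one source of truth per class and lets the old line be deleted in one place later. The new `ADMIN_GROUPS` list lets members of `factory2` and `releng` cancel other users' builds; a comment noting where group membership comes from (presumably the OIDC token, since the OIDC settings live in this class) would make that trust decision auditable. `KOJI_ENABLE_CONTENT_GENERATOR = False` is added identically in both env branches and could sit once outside the `{% if env == 'staging' %}` block until the blocking issue is resolved.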
@@ -145,8 +158,14 @@ class ProdConfiguration(BaseConfiguration): # If this is too long, we could change it to 'fm_' some day. DEFAULT_DIST_TAG_PREFIX = 'module_' + # New name + NUM_CONCURRENT_BUILDS = 20 + # Old name https://pagure.io/fm-orchestrator/issue/574 NUM_CONSECUTIVE_BUILDS = 20 + # Delete module-* targets one hour after build + KOJI_TARGET_DELETE_TIME = 3600 + # These aren't really secret. OIDC_CLIENT_SECRETS = path.join(confdir, 'client_secrets.json') OIDC_REQUIRED_SCOPE = 'https://mbs.fedoraproject.org/oidc/submit-build' diff --git a/roles/mediawiki/files/skins/Fedora.php b/roles/mediawiki/files/skins/Fedora.php index fda1a78846..1956819b8c 100644 --- a/roles/mediawiki/files/skins/Fedora.php +++ b/roles/mediawiki/files/skins/Fedora.php @@ -91,22 +91,6 @@ class FedoraTemplate extends QuickTemplate { if($this->data['trackbackhtml']) print $this->data['trackbackhtml']; ?> html('headscripts') ?> - - - - data['body_ondblclick']) { ?>ondblclick="text('body_ondblclick') ?>" data['body_onload' ]) { ?>onload="text('body_onload') ?>" diff --git a/roles/mediawiki123/files/skins/Fedora.php b/roles/mediawiki123/files/skins/Fedora.php index fda1a78846..1956819b8c 100644 --- a/roles/mediawiki123/files/skins/Fedora.php +++ b/roles/mediawiki123/files/skins/Fedora.php @@ -91,22 +91,6 @@ class FedoraTemplate extends QuickTemplate { if($this->data['trackbackhtml']) print $this->data['trackbackhtml']; ?> html('headscripts') ?> - - - - data['body_ondblclick']) { ?>ondblclick="text('body_ondblclick') ?>" data['body_onload' ]) { ?>onload="text('body_onload') ?>" diff --git a/roles/mirrormanager/frontend2/templates/mirrormanager.conf b/roles/mirrormanager/frontend2/templates/mirrormanager.conf index 89e8da075a..de4b3a41d2 100644 --- a/roles/mirrormanager/frontend2/templates/mirrormanager.conf +++ b/roles/mirrormanager/frontend2/templates/mirrormanager.conf 
@@ -5,7 +5,7 @@ Alias /mirrormanager/crawler /var/log/mirrormanager/crawler Alias /mirrormanager/data /var/www/mirrormanager-statistics/data Alias /mirrormanager/map /var/www/mirrormanager-statistics/map -WSGIDaemonProcess mirrormanager user=apache maximum-requests=100 display-name=mirrormanager processes=2 threads=2 +WSGIDaemonProcess mirrormanager user=apache maximum-requests=100 display-name=mirrormanager processes=2 threads=4 WSGISocketPrefix run/wsgi WSGIRestrictStdout On WSGIRestrictSignal Off diff --git a/roles/modernpaste/files/modern-paste.conf b/roles/modernpaste/files/modern-paste.conf index a9fc0feea5..3a7e321083 100644 --- a/roles/modernpaste/files/modern-paste.conf +++ b/roles/modernpaste/files/modern-paste.conf 
@@ -2,7 +2,112 @@ WSGIDaemonProcess stickynotes2modernpaste user=apache group=apache threads=5 WSGIScriptAlias /stickynotes2modernpaste /usr/share/stickynotes2modernpaste/stickynotes2modernpaste.wsgi WSGISocketPrefix run/wsgi +# Grab a cup of coffee, a light snack, and turn on some classical music. +# You're in for a bit of a novel. +# +# The below rules are worthy of some comment so that later on when I (or +# heaven forbid anyone else) have to revisit them for some horrible reason, +# they can be referred to and maybe (but unlikely) useful. +# +# Chapter 1. Background. +# +# The rewrite rules exist solely for the purpose of continuing to support old +# `fpaste` (the CLI app). This is in the process of being rewritten, and one +# day we won't have to support it anymore. But for now, we do, because it's on +# live media (and, I believe, Desktop installs, by default), and when a user is +# having issues and asking for help in IRC, they need to be able to use +# `fpaste` to do so. So, that is why we care about `fpaste` in its current +# (F25-F26) form. +# +# You see, fpaste was written in such a way that it makes a lot of weird +# assumptions that don't hold anymore. I will not speculate on why it was +# written the way it was, but I _will_ briefly outline some of the intricacies +# of supporting it. +# +# First off the workflow is something like this: +# 1. User wants to paste some text. Who knows why they want to do this. Maybe +# they are bored and want to see how broken our rewrite rules are. Maybe +# they hate me and want to see me cry trying to fix them. Who knows?! +# +# 2. The fpaste client makes a POST on their behalf to /. This POST payload +# includes the text of the paste and some other information (paste +# language, etc). +# +# 3. 
The server sees the POST, matches it against our rules below, and +# decides that it needs to redirect them to stickynotes2modernpaste, a +# custom Flask app that I (relrod) wrote so that we could handle requests +# that are in the form our old stickynotes pastebin accepted, and proxy +# them to modernpaste. +# +# Note that this matches the first set of crazy RewriteConds below. We +# only want to send CLI users there, and only when they POST to /. At +# this point, at least. +# +# 4. sn2mp says "okay cool," proxies the paste to modernpaste via its JSON +# API, and returns back to fpaste a JSON blob that contains JSON with two +# keys that fpaste requires exists. In our response, one of them is always +# an empty string, and the other is the id of the paste, prefixed with +# "paste/". +# +# 5. At this point, fpaste has enough information to return a URL to the +# paste. However, things are not all okay in the world. You see, fpaste +# wants to show a short-url too. Apparently people don't like typing or +# something. To generate a short-url, the fpaste client sends another POST +# to us, at the path "/paste/[the paste id]//". In the past, when it would +# do this, stickynotes would return a JSON blob that included the +# short-url. In fact, it would always include the short-url at the +# third-line from the last in its JSON response, and the fpaste client +# hardcoded that assumption. See Chapter 2 for information about the "//". +# +# 6. When we get this second POST, we again send the client to sn2mp. We add +# a few more crazy RewriteConds to ensure that we only add this behavior +# for fpaste and not most users. We know paste IDs are 22-24 characters +# long (as per https://github.com/LINKIWI/modern-paste/pull/33) and that +# the client will always POST to "/paste/[the paste id]//". So we match on +# that. If we match, sn2mp will take everything after its name and append +# it to the URL that ultimately gets shipped to da.gd for shortening. 
Then +# it returns a (malformed) JSON blob that is written in exactly the way +# fpaste expects. +# +# 7. Then fpaste shows the user both URLs, and all is okay. +# +# Chapter 2. Trailing slashes. +# +# The fpaste client defaults to private mode, but modernpaste doesn't support +# that, per se. You can password-protect pastes, but that's about it. +# +# However, they way stickynotes worked, it used /[paste id]/[secret] when a +# paste was private. Since modernpaste does things differently, sn2mp never +# returns the [secret] part of that URL. Or rather, it returns the empty string +# in its place. This means, by default (private mode = true), fpaste will +# both render, and internally use, a URL that has /[paste id]/[secret]. But +# since [secret] is the empty string, this is equivalent to /[paste id]/, with +# the trailing slash. +# +# To make matters worse, this little gem is found in the fpaste procedure for +# doing the second POST (#5 and 6 above): +# +# eq = urllib.request.Request(url=long_url+'/', data=params.encode()) +# +# Yep, it adds a '/' for the second POST. So we get POSTs to +# /paste/[paste id]// during the second POST. +# +# Our capture of the paste ID below (the ".{22,24}" part) will match the first +# trailing slash, but not the second (because of the /$ that comes after). +# Nevertheless sn2mp handles all three cases anyway, and will STRIP OFF +# trailing slashes if they occur 0, 1, or 2 times. +# +# Lastly, the long url that fpaste shows the user contains one trailing slash +# (due to the /[secret] part from how stickynotes worked). So we add one final +# rewrite that redirects users who go to that, to the non-slash version. +# +# If you have made it this far, you are a champion. You should get a badge. +# +# Warm regards and good luck, +# relrod + RewriteEngine on +#LogLevel alert rewrite:trace6 RewriteRule login / [L,R] RewriteCond %{HTTP_USER_AGENT} ^fpaste\/0\.3.*$ [OR] 
@@ -13,15 +118,10 @@ RewriteRule ^/$ /stickynotes2modernpaste/$1 [L,PT] RewriteCond %{HTTP_USER_AGENT} ^fpaste\/0\.3.*$ [OR] RewriteCond %{HTTP_USER_AGENT} ^Python\-urllib.*$ RewriteCond %{REQUEST_METHOD} POST -RewriteRule ^/(.*)=/$ /stickynotes2modernpaste/$1= [L,PT] - -RewriteCond %{HTTP_USER_AGENT} ^fpaste\/0\.3.*$ [OR] -RewriteCond %{HTTP_USER_AGENT} ^Python\-urllib.*$ -RewriteCond %{REQUEST_METHOD} POST -RewriteRule ^/(.*)=//$ /stickynotes2modernpaste/$1= [L,PT] +RewriteRule ^/paste/(.{22,24})/$ /stickynotes2modernpaste/paste/$1 [L,PT] # Otherwise, if we're given a URL with a trailing slash, kill it. -RewriteRule ^/(.*)=/$ /$1= [R,L] +RewriteRule ^/paste/([^/]{22,24})/$ /paste/$1 [R,L] WSGIScriptAlias / /usr/share/modern-paste/modern_paste.wsgi diff --git a/roles/nagios/client/templates/check_fedmsg_consumers.cfg.j2 b/roles/nagios/client/templates/check_fedmsg_consumers.cfg.j2 index ea32cab763..5d2f128ce2 100644 --- a/roles/nagios/client/templates/check_fedmsg_consumers.cfg.j2 +++ b/roles/nagios/client/templates/check_fedmsg_consumers.cfg.j2 
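Review bot: The two surviving rules match the paste id differently: the proxy rule uses `^/paste/(.{22,24})/$` while the redirect uses `^/paste/([^/]{22,24})/$`, so only the first also accepts `/paste/<22-char id>//` (with the extra slash captured into `$1`), which the long comment above describes as intended but which the regex itself does not say. Using `[^/]{22,24}` in both plus an explicit rule for the `//` case, or a one-line comment on the proxy rule such as `# '.' not '[^/]': fpaste's second POST adds an extra trailing slash; sn2mp strips it`, keeps the behaviour from being "fixed" by a future reader. The routing is keyed on the `User-Agent` header, which is client-chosen; that is fine for selecting a compatibility path but should never gate access, and a comment saying so would stop these conds being reused that way.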
@@ -60,7 +60,7 @@ command[check_fedmsg_cbacklog_autocloud_backend]={{libdir}}/nagios/plugins/check command[check_fedmsg_cbacklog_packages_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub CacheInvalidator 20000 30000 command[check_fedmsg_cbacklog_bugyou_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub BugyouConsumer 5000 10000 command[check_fedmsg_cbacklog_pdc_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub PDCUpdater 10000 20000 -command[check_fedmsg_cbacklog_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub MBSConsumer 1000 2000 +command[check_fedmsg_cbacklog_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub MBSConsumer 10000 20000 command[check_fedmsg_fmn_digest_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub DigestProducer 90 600 command[check_fedmsg_fmn_confirm_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub ConfirmationProducer 90 600 diff --git a/roles/nagios/server/files/nagios/services/websites.cfg b/roles/nagios/server/files/nagios/services/websites.cfg index 6f6cf90921..48266f32af 100644 --- a/roles/nagios/server/files/nagios/services/websites.cfg +++ b/roles/nagios/server/files/nagios/services/websites.cfg @@ -329,7 +329,7 @@ define service { } define service { - host_name docker-registry01 + hostgroup_name docker-registry01 service_description docker-registry check_command check_website!localhost:5000!/v2/!{} max_check_attempts 8 diff --git a/roles/nagios/server/files/nrpe.cfg b/roles/nagios/server/files/nrpe.cfg index db8bbb41b9..8810b5aa86 100644 --- a/roles/nagios/server/files/nrpe.cfg +++ b/roles/nagios/server/files/nrpe.cfg 
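Review bot: In the websites.cfg hunk, `host_name docker-registry01` becomes `hostgroup_name docker-registry01`, but the value still reads like a host name; unless a hostgroup literally named `docker-registry01` exists, Nagios will reject the configuration at reload. The nagios_server copy of the same service later in this commit uses the hostgroup `moby-registry`, so this one probably wants that name, or the directive should stay `host_name`. The MBSConsumer backlog thresholds are raised tenfold here and again in nrpe.cfg on the next line; a short comment on what backlog size is actually expected would help future tuning.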
@@ -343,7 +343,7 @@ command[check_fedmsg_cbacklog_autocloud_backend_hub]=/usr/lib64/nagios/plugins/c
 command[check_fedmsg_cbacklog_packages_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub CacheInvalidator 5000 10000
 command[check_fedmsg_cbacklog_bugyou_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub BugyouConsumer 5000 10000
 command[check_fedmsg_cbacklog_pdc_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub PDCUpdater 10000 20000
-command[check_fedmsg_cbacklog_mbs_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub MBSConsumer 1000 2000
+command[check_fedmsg_cbacklog_mbs_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub MBSConsumer 10000 20000
 command[check_fedmsg_fmn_digest_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub DigestProducer 90 600
 command[check_fedmsg_fmn_confirm_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub ConfirmationProducer 30 300
diff --git a/roles/nagios_client/files/scripts/check_redis_queue.sh b/roles/nagios_client/files/scripts/check_redis_queue.sh
new file mode 100644
index 0000000000..ca1f186e06
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_redis_queue.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+. /usr/lib64/nagios/plugins/utils.sh
+
+if [[ "$#" -ne 3 ]]; then
+ echo "Arguments: key warn crit"
+ exit $STATE_UNKNOWN
+fi
+
+tasks="$(redis-cli llen "$1" | awk '{print $1}')"
+
+check_range $tasks $2:$3
+status=$?
+
+if [[ "$status" == "$STATE_OK" ]]; then
+ echo "OK: $1 queue has $tasks tasks"
+elif [[ "$status" == "$STATE_WARNING" ]]; then
+ echo "WARNING: $1 queue has $tasks tasks"
+elif [[ "$status" == "$STATE_CRITICAL" ]]; then
+ echo "CRITICAL: $1 queue has $tasks tasks"
+fi
+
+exit $status
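Review bot: In check_redis_queue.sh, `tasks` is used unvalidated: if `redis-cli` cannot connect or the key is not a list, its output is an error string or empty, `check_range $tasks $2:$3` is then called with an empty or non-numeric first argument, and the script falls out of the `if/elif` chain printing nothing while still exiting with whatever `check_range` returned. Checking that `tasks` is an integer and adding an `else` branch that reports UNKNOWN gives Nagios a meaningful state instead of a blank line; the rewritten lines are below. The script also sources `/usr/lib64/nagios/plugins/utils.sh` by absolute path while the install task places scripts under `{{ libdir }}`, so on a host where libdir is not lib64 the `STATE_*` variables are never defined.
```shell
tasks="$(redis-cli llen "$1" | awk '{print $1}')"
if ! [[ "$tasks" =~ ^[0-9]+$ ]]; then
    echo "UNKNOWN: could not read length of list '$1' from redis (got: '$tasks')"
    exit $STATE_UNKNOWN
fi

check_range "$tasks" "$2:$3"
status=$?

# … unchanged: OK / WARNING / CRITICAL branches …
else
    echo "UNKNOWN: $1 queue has $tasks tasks (unexpected check_range status $status)"
    status=$STATE_UNKNOWN
fi

exit $status
```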
diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 7426943d75..22ddd4f046 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -37,6 +37,20 @@ - nagios_client when: ansible_distribution_major_version|int > 21 +- name: install nagios tcp check for mirrorlist proxies + yum: name=nagios-plugins-tcp state=present + tags: + - packages + - nagios_client + when: ansible_distribution_major_version|int < 22 and 'mirrorlist-proxies' in group_names + +- name: install nagios tcp check for mirrorlist proxies + dnf: name=nagios-plugins-tcp state=present + tags: + - packages + - nagios_client + when: ansible_distribution_major_version|int > 21 and 'mirrorlist-proxies' in group_names + - name: install local nrpe check scripts that are not packaged copy: src="scripts/{{ item }}" dest="{{ libdir }}/nagios/plugins/{{ item }}" mode=0755 owner=nagios group=nagios with_items: @@ -59,6 +73,7 @@ - check_osbs_builds.py - check_osbs_api.py - check_ipa_replication + - check_redis_queue.sh when: not inventory_hostname.startswith('noc') tags: - nagios_client @@ -131,6 +146,8 @@ - check_koschei_scheduler_proc.cfg - check_koschei_watcher_proc.cfg - check_testcloud.cfg + - check_mirrorlist_docker_proxy.cfg + - check_celery_redis_queue.cfg notify: - restart nrpe tags: diff --git a/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2 b/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2 new file mode 100644 index 0000000000..56279f3fe3 --- /dev/null +++ b/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2 @@ -0,0 +1 @@ +command[check_celery_redis_queue]=/usr/lib64/nagios/plugins/check_redis_queue.sh celery 5 10 diff --git a/roles/nagios_client/templates/check_disk.cfg.j2 b/roles/nagios_client/templates/check_disk.cfg.j2 index d2b64c5c88..de21bea478 100644 --- a/roles/nagios_client/templates/check_disk.cfg.j2 +++ b/roles/nagios_client/templates/check_disk.cfg.j2 
@@ -1,7 +1,15 @@
-command[check_disk_/]={{ libdir }}/nagios/plugins/check_disk -w 14% -c 10% -p /
-command[check_disk_/boot]={{ libdir }}/nagios/plugins/check_disk -w 15% -c 10% -p /boot
-command[check_disk_/srv/cache/lookaside]={{ libdir }}/nagios/plugins/check_disk -w 20% -c 10% -p /srv/cache/lookaside
-command[check_disk_/srv]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv
+command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
+command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /boot
+command[check_disk_/git]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /git
+command[check_disk_/mnt/koji]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /mnt/koji
+command[check_disk_/postgreslogs]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /postgreslogs
+command[check_disk_/project/]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /project/
 command[check_disk_/srv/buildmaster]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/buildmaster
+command[check_disk_/srv/cache/lookaside]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/cache/lookaside
+command[check_disk_/srv/diskimages]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/diskimages
 command[check_disk_/srv/taskotron]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/taskotron
-command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 15% -p /var/log
+command[check_disk_/srv]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv
+command[check_disk_/u01]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /u01
+command[check_disk_/var/lib/registry]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/registry
+command[check_disk_/var/lib64/mock]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/mock
+command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /var/log
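Review bot: The template drops its remaining `{{ libdir }}` uses in favour of a hard-coded `/usr/lib64/nagios/plugins/check_disk` on every line, yet the file is still a `.j2` installed by a role that renders `{{ libdir }}` elsewhere (the nagios_client tasks hunk on the previous line installs scripts under `{{ libdir }}/nagios/plugins/`); on any host where libdir is not lib64, each of these checks will now fail to find the plugin. Keeping `{{ libdir }}/nagios/plugins/check_disk` costs nothing and the threshold changes are independent of it. `command[check_disk_/var/lib64/mock]` also labels a check whose path is `-p /var/lib/mock`; the label is what the server-side service must reference, so `command[check_disk_/var/lib/mock]=... -p /var/lib/mock` is the honest name unless the server side is deliberately keyed on the lib64 spelling (the nagios_server nrpe.cfg later in this commit shows the same mismatch as context, so check before renaming).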
diff --git a/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2 b/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2
new file mode 100644
index 0000000000..39c0099712
--- /dev/null
+++ b/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2
@@ -0,0 +1 @@
+command[check_mirrorlist_docker_proxy]=/usr/lib64/nagios/plugins/check_tcp -H localhost -p 18081
diff --git a/roles/nagios_server/files/nagios/services/disk.cfg b/roles/nagios_server/files/nagios/services/disk.cfg
index c927e973ed..c59ccbb27f 100644
--- a/roles/nagios_server/files/nagios/services/disk.cfg
+++ b/roles/nagios_server/files/nagios/services/disk.cfg
@@ -67,3 +67,17 @@ define service {
 check_command check_by_nrpe!check_disk_/
 use retracetemplate
 }
+
+define service {
+ hostgroup_name people
+ service_description Disk space /project
+ check_command check_by_nrpe!check_disk_/project/
+ use disktemplate
+}
+
+define service {
+ hostgroup_name moby-registry
+ service_description Disk space /var/lib/registry
+ check_command check_by_nrpe!check_disk_/var/lib/registry
+ use disktemplate
+}
diff --git a/roles/nagios_server/files/nagios/services/pagure_redis.cfg b/roles/nagios_server/files/nagios/services/pagure_redis.cfg
new file mode 100644
index 0000000000..d5387d08f2
--- /dev/null
+++ b/roles/nagios_server/files/nagios/services/pagure_redis.cfg
@@ -0,0 +1,6 @@
+define service {
+ host_name pagure01.fedoraproject.org
+ service_description Redis/celery queue
+ check_command check_by_nrpe!check_celery_redis_queue
+ use defaulttemplate
+}
diff --git a/roles/nagios_server/files/nagios/services/ping.cfg b/roles/nagios_server/files/nagios/services/ping.cfg
index dae065e41d..6ba317e85d 100644
--- a/roles/nagios_server/files/nagios/services/ping.cfg
+++ b/roles/nagios_server/files/nagios/services/ping.cfg
@@ -1,14 +1,21 @@ define service { - hostgroup_name all + hostgroup_name *, !buildvm-armv7, !buildvm-s390x, !buildvm-s390 service_description ICMP-Ping4 check_command check_ping4!350.0,20%!500.0,60% use criticaltemplate } +define service { + hostgroup_name buildvm-armv7, buildvm-s390x, buildvm-s390 + service_description ICMP-Ping4-vm-builders + check_command check_ping4!1500.0,20%!2500.0,80% + use criticaltemplate +} + # define service { # hostgroup_name all # service_description ICMP-Ping6 -# check_command check_ping6!350.0,20%!500.0,60% +# check_command check_ping6!350.0,20%!500.0,60% # use criticaltemplate # } diff --git a/roles/nagios_server/files/nagios/services/websites.cfg b/roles/nagios_server/files/nagios/services/websites.cfg index 126c0fa675..fcd94e6598 100644 --- a/roles/nagios_server/files/nagios/services/websites.cfg +++ b/roles/nagios_server/files/nagios/services/websites.cfg @@ -131,13 +131,22 @@ define service { } define service { - hostgroup_name docker-registry - service_description http-docker-registry + hostgroup_name moby-registry + service_description http-moby-registry check_command check_website!localhost:5000!/v2/!{} max_check_attempts 8 use internalwebsitetemplate } +define service { + hostgroup_name proxies + service_description http-moby-registry + check_command check_website_ssl!registry.fedoraproject.org!/v2/!{} + max_check_attempts 8 + use websitetemplate +} + + define service { hostgroup_name fas service_description http-accounts diff --git a/roles/nagios_server/files/nrpe/nrpe.cfg b/roles/nagios_server/files/nrpe/nrpe.cfg index daaec1e353..478e04e8e6 100644 --- a/roles/nagios_server/files/nrpe/nrpe.cfg +++ b/roles/nagios_server/files/nrpe/nrpe.cfg 
@@ -301,6 +301,8 @@ command[check_disk_/srv/taskotron]=/usr/lib64/nagios/plugins/check_disk -w 20% - command[check_disk_/var/lib64/mock]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/mock command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /var/log command[check_disk_/srv/cache/lookaside]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/cache/lookaside +command[check_disk_/project/]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /project/ +command[check_disk_/var/lib/registry]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/registry command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 15 -c 25 -s Z command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 900 -c 1000 command[check_swap]=/usr/lib64/nagios/plugins/check_swap -w 15% -c 10% @@ -341,6 +343,7 @@ command[check_koschei_build_resolver_proc]=/usr/lib64/nagios/plugins/check_procs command[check_koschei_repo_resolver_proc]=/usr/lib64/nagios/plugins/check_procs -s RSD -u koschei -C koschei-repo-re -c 1:1 command[check_koschei_scheduler_proc]=/usr/lib64/nagios/plugins/check_procs -s RSD -u koschei -C koschei-schedul -c 1:1 command[check_koschei_watcher_proc]=/usr/lib64/nagios/plugins/check_procs -s RSD -u koschei -C koschei-watcher -c 1:1 +command[check_mirrorlist_docker_proxy]=/usr/lib64/nagios/plugins/check_tcp -H localhost -p 18081 # The following are fedmsg/datanommer checks to be run on busgateway01. # They check for the time since the latest message in any particular category. diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml index 21c425f03a..6756293aad 100644 --- a/roles/nagios_server/tasks/main.yml +++ b/roles/nagios_server/tasks/main.yml @@ -191,6 +191,7 @@ - nagios.cfg - nrpe.cfg - osbs.cfg + - pagure_redis.cfg - pgsql.cfg - ping.cfg - procs.cfg 
@@ -271,6 +272,7 @@ template: src=nagios/services/{{item}}.j2 dest=/etc/nagios/services/{{item}} mode=0644 owner=root group=root with_items: - phx2-mgmt.cfg + - mirrorlist-proxies.cfg tags: - nagios_server diff --git a/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 index 7414ca3210..19698a63d3 100644 --- a/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 +++ b/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 @@ -3,19 +3,8 @@ ############### ## {{ env }} -{% if env == "staging" %} - -define hostgroup{ - hostgroup_name all - alias all - members {% for host in groups['all'] %}{% if (hostvars[host].env is defined) and (hostvars[host].env == 'staging') and ( hostvars[host].datacenter == 'phx2') %}{{host}}, {% endif %} {% endfor %} - -} - -{% else %} - {% for key, value in groups.iteritems() %} -{% if groups[key] %} +{% if groups[key] and key !='all' %} define hostgroup{ hostgroup_name {{ key }} alias {{ key }} @@ -25,7 +14,6 @@ define hostgroup{ {% endif %} {% endfor %} -{% endif %} ## ## Management hardware diff --git a/roles/nagios_server/templates/nagios/services/mirrorlist-proxies.cfg.j2 b/roles/nagios_server/templates/nagios/services/mirrorlist-proxies.cfg.j2 new file mode 100644 index 0000000000..ee8050ae02 --- /dev/null +++ b/roles/nagios_server/templates/nagios/services/mirrorlist-proxies.cfg.j2 @@ -0,0 +1,8 @@ +{% for host in groups['mirrorlist-proxies'] %} +define service { + host_name {{ host }} + service_description {{ host }} mirrorlist docker container + check_command check_by_nrpe!check_mirrorlist_docker_proxy + use defaulttemplate +} +{% endfor %} diff --git a/roles/notifs/backend/tasks/main.yml b/roles/notifs/backend/tasks/main.yml index 4049940cda..2bcea76a98 100644 --- a/roles/notifs/backend/tasks/main.yml +++ b/roles/notifs/backend/tasks/main.yml 
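Review bot: The `@@ -3,19 +3,8 @@` hunk in all.cfg.j2 removes the staging-only `all` hostgroup, which was limited to hosts with `env == 'staging'` in `phx2`, and the new `key != 'all'` filter now skips Ansible's `all` group in every environment. Since ping.cfg above switches to `hostgroup_name *`, a staging Nagios presumably now pings every host in its inventory instead of the phx2 staging subset; that is an inference, as the staging inventory is not in this view. If the widening is intended, a short comment where the removed block stood, such as `{# the staging-only 'all' hostgroup was dropped on purpose; services use '*' #}`, would stop the next reader from re-adding it.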
@@ -4,7 +4,7 @@ - name: install needed packages yum: pkg={{ item }} state=present with_items: - - python-fmn-consumer + - python-fmn - python-psycopg2 - libsemanage-python # Needed to produce nice long emails about koji builds @@ -13,16 +13,6 @@ - notifs - notifs/backend -- name: install backend and sse packages - yum: pkg={{ item }} state=present - with_items: - - python-fmn - - python-fmn-sse - when: env == "staging" - tags: - - notifs - - notifs/backend - - name: copy database configuration template: > src={{ item }} dest=/etc/fedmsg.d/{{ item }} @@ -48,22 +38,10 @@ - notifs - notifs/backend -- name: copy the alembic configuration for DBAs - template: > - src=alembic.ini dest=/usr/share/fmn.lib/alembic.ini - owner=root group=sysadmin-dba mode=0660 - when: env != "staging" - notify: - - restart fedmsg-hub - tags: - - notifs - - notifs/backend - - name: copy the alembic configuration for DBAs template: > src=alembic.ini dest=/usr/share/fmn/alembic.ini owner=root group=sysadmin-dba mode=0660 - when: env == "staging" notify: - restart fedmsg-hub tags: diff --git a/roles/notifs/backend/templates/alembic.ini b/roles/notifs/backend/templates/alembic.ini index df1506d215..266b83da24 100644 --- a/roles/notifs/backend/templates/alembic.ini +++ b/roles/notifs/backend/templates/alembic.ini @@ -2,11 +2,7 @@ [alembic] # path to migration scripts -{% if env == 'staging' %} script_location = /usr/share/fmn/alembic/ -{% else %} -script_location = /usr/share/fmn.lib/alembic/ -{% endif %} # template used to generate migration files # file_template = %%(rev)s_%%(slug)s diff --git a/roles/notifs/frontend/tasks/main.yml b/roles/notifs/frontend/tasks/main.yml index c2f936d93a..c6fb723a7c 100644 --- a/roles/notifs/frontend/tasks/main.yml +++ b/roles/notifs/frontend/tasks/main.yml @@ -5,6 +5,8 @@ yum: pkg={{ item }} state=present with_items: - python-fmn-web + - python-fmn-lib + - python-fmn-rules - python-psycopg2 - libsemanage-python - python-memcached 
@@ -15,6 +17,17 @@ - notifs - notifs/frontend +- name: Install epel-testing fmn on stage + yum: pkg={{ item }} state=present enablerepo=epel-testing + with_items: + - python-fmn + when: env == "staging" + notify: + - restart apache + tags: + - notifs + - notifs/frontend + - name: install packages needed from epel testing yum: pkg={{ item }} state=present enablerepo=epel-testing with_items: @@ -50,6 +63,17 @@ src=/usr/share/fmn.web/static/bootstrap-3.3.4-fedora dest=/usr/share/fmn.web/static/bootstrap state=link + when: env != "staging" + tags: + - notifs + - notifs/frontend + +- name: setup symlink to fedora theme + file: > + src=/usr/share/fmn/static/bootstrap-3.3.4-fedora + dest=/usr/share/fmn/static/bootstrap + state=link + when: env == "staging" tags: - notifs - notifs/frontend diff --git a/roles/notifs/frontend/templates/fmn.web.conf b/roles/notifs/frontend/templates/fmn.web.conf index b99358d5de..13b72ba06b 100644 --- a/roles/notifs/frontend/templates/fmn.web.conf +++ b/roles/notifs/frontend/templates/fmn.web.conf @@ -1,4 +1,8 @@ -Alias /notifications/static /usr/share/fmn.web/static +{% if env == 'staging' %} +Alias /notifications/static /usr/share/fmn/static +{% else %} +Alias /notifications/static /usr/share/fmn/static +{% endif %} WSGIDaemonProcess fmn user=apache group=apache maximum-requests=1000 display-name=fmn processes={{ wsgi_procs }} threads={{ wsgi_threads }} WSGISocketPrefix run/wsgi @@ -6,7 +10,11 @@ WSGIRestrictStdout On WSGIRestrictSignal Off WSGIPythonOptimize 1 +{% if env == 'staging' %} +WSGIScriptAlias /notifications /usr/share/fmn/fmn.web.wsgi +{% else %} WSGIScriptAlias /notifications /usr/share/fmn.web/fmn.web.wsgi +{% endif %} WSGIProcessGroup fmn diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index 28fe40ea50..a5f52843e9 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml 
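Review bot: In the fmn.web.conf `@@ -1,4 +1,8 @@` hunk both branches of the new `{% if env == 'staging' %}` alias `/notifications/static` to `/usr/share/fmn/static`, so the conditional does nothing and production now serves static files from the fmn path while its WSGI script in the second hunk and the non-staging bootstrap symlink in the frontend tasks hunk above stay under `/usr/share/fmn.web`. The `{% else %}` branch was presumably meant to keep `Alias /notifications/static /usr/share/fmn.web/static`; if the static path really is the same in both environments, drop the conditional instead so the file does not suggest a difference that does not exist.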
@@ -7,7 +7,7 @@ - openvpn tags: - packages - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 - name: Install needed package (dnf) dnf: pkg={{ item }} state=present @@ -15,19 +15,46 @@ - openvpn tags: - packages - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined -- name: Install certificate and key +- name: Install certificate and key (rhel6 and fedora24 and older) copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt dest=/etc/openvpn/ca.crt owner=root group=root mode=0600 tags: - install - openvpn - notify: - - restart openvpn (Fedora) - - restart openvpn (RHEL7) - - restart openvpn (RHEL6) + #notify: + #- restart openvpn (Fedora) + #- restart openvpn (RHEL7) + #- restart openvpn (RHEL6) + when: ansible_distribution_major_version|int < 25 + +- name: Install certificate and key (rhel7 or fedora) for client + copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt + dest=/etc/openvpn/client/ca.crt + owner=root group=root mode=0600 + tags: + - install + - openvpn + #notify: + #- restart openvpn (Fedora) + #- restart openvpn (RHEL7) + #- restart openvpn (RHEL6) + when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24 ) and ansible_cmdline.ostree is not defined + +- name: Install certificate and key (rhel7 or fedora) for server + copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt + dest=/etc/openvpn/server/ca.crt + owner=root group=root mode=0600 + tags: + - install + - openvpn + #notify: + #- restart openvpn (Fedora) + #- restart openvpn (RHEL7) + #- restart openvpn (RHEL6) + when: inventory_hostname.startswith('bastion0') - name: install fix-routes.sh script copy: src=fix-routes.sh diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/files/client.conf index e807bdc7d9..5042ed6e25 100644 
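Review bot: All three `copy` tasks in the `@@ -15,19 +15,46 @@` hunk have their `notify` block commented out, so a replaced ca.crt is written to disk but the running openvpn keeps the CA it loaded at start until something else restarts it; the configuration and key tasks in the client role hunks below (`Install configuration files (rhel7 and fedora)` and `(rhel6)`) are silent in the same way. If the handlers were disabled because their names no longer fit the new `openvpn-client@` and `openvpn-server@` units, update the handlers rather than leaving certificate installs without a restart. The server-side task is gated on `inventory_hostname.startswith('bastion0')` while the server role further down gates on `openvpn_master is defined`; using the same variable in both places, `when: openvpn_master is defined`, keeps the two from drifting apart.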
--- a/roles/openvpn/client/files/client.conf +++ b/roles/openvpn/client/files/client.conf @@ -22,6 +22,7 @@ auth SHA512 ca ca.crt cert client.crt key client.key +remote-cert-tls server comp-lzo diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 63d0afa317..87642d2aa3 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -8,7 +8,7 @@ tags: - packages - openvpn - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 - name: Install needed packages dnf: pkg={{ item }} state=present @@ -17,9 +17,32 @@ tags: - packages - openvpn - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined -- name: Install configuration files +- name: Install configuration files (rhel7 and fedora) + copy: src={{ item.file }} + dest={{ item.dest }} + owner=root group=root mode={{ item.mode }} + with_items: + - { file: client.conf, + dest: /etc/openvpn/client/openvpn.conf, + mode: '0644' } + - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.crt", + dest: "/etc/openvpn/client/client.crt", + mode: '0600' } + - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.key", + dest: "/etc/openvpn/client/client.key", + mode: '0600' } + tags: + - install + - openvpn +# notify: +# - restart openvpn (Fedora) +# - restart openvpn (RHEL7) +# - restart openvpn (RHEL6) + when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined + +- name: Install configuration files (rhel6) copy: src={{ item.file }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }} 
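Review bot: `remote-cert-tls server` in client.conf makes every client reject a server certificate that lacks the TLS server extended key usage, and the server.conf hunk further down adds the matching `remote-cert-tls client` check on client certificates; this is the right hardening, but it is only safe to roll out once the certificates under `{{ private }}/files/vpn/openvpn/keys/` are confirmed to carry those EKU flags, otherwise every tunnel drops at the next service restart. A comment above the line such as `# requires the server cert to carry the TLS Web Server Authentication EKU` would record the precondition for whoever regenerates the PKI.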
@@ -40,6 +63,7 @@ # - restart openvpn (Fedora) # - restart openvpn (RHEL7) # - restart openvpn (RHEL6) + when: ( ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24) and ansible_cmdline.ostree is not defined - name: enable openvpn service for rhel 6 service: name=openvpn state=started enabled=true @@ -48,17 +72,37 @@ - service - openvpn -- name: Make sure openvpn is running in rhel 7.1 +- name: enable openvpn service for fedora 24 service: name=openvpn@openvpn state=started enabled=true + when: ansible_distribution_major_version|int == 24 + tags: + - service + - openvpn + +- name: Make sure old openvpn is not running in rhel 7 + service: name=openvpn@openvpn state=stopped enabled=false when: ansible_distribution_major_version|int == 7 tags: - service - openvpn -- name: enable openvpn service for Fedora - service: name=openvpn@openvpn state=started enabled=true - when: is_fedora is defined +- name: Make sure openvpn is running in rhel 7 + service: name=openvpn-client@openvpn state=started enabled=true + when: ansible_distribution_major_version|int == 7 tags: - service - openvpn +- name: disable old openvpn service for Fedora + service: name=openvpn@openvpn state=stopped enabled=false + when: is_fedora is defined and ansible_distribution_major_version|int != 24 + tags: + - service + - openvpn + +- name: enable openvpn service for Fedora + service: name=openvpn-client@openvpn state=started enabled=true + when: is_fedora is defined and ansible_distribution_major_version|int != 24 + tags: + - service + - openvpn diff --git a/roles/openvpn/server/files/ccd/ci-cc-rdu01.fedoraproject.org b/roles/openvpn/server/files/ccd/ci-cc-rdu01.fedoraproject.org new file mode 100644 index 0000000000..7ffd2c47de --- /dev/null +++ b/roles/openvpn/server/files/ccd/ci-cc-rdu01.fedoraproject.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.1.167 192.168.0.167 
diff --git a/roles/openvpn/server/files/server.conf b/roles/openvpn/server/files/server.conf index e5cdd45180..add4425363 100644 --- a/roles/openvpn/server/files/server.conf +++ b/roles/openvpn/server/files/server.conf @@ -16,6 +16,7 @@ cipher AES-256-CBC auth SHA512 dh dh2048.pem crl-verify crl.pem +remote-cert-tls client keepalive 10 120 diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml index 64c6fa4f16..0d54151845 100644 --- a/roles/openvpn/server/tasks/main.yml +++ b/roles/openvpn/server/tasks/main.yml @@ -9,9 +9,9 @@ - packages - openvpn -- name: Create the /etc/openvpn/ccd/ directory +- name: Create the /etc/openvpn/server/ccd/ directory file: > - dest=/etc/openvpn/ccd/ + dest=/etc/openvpn/server/ccd/ mode=0755 owner=root group=root 
@@ -25,31 +25,38 @@ owner=root group=root mode={{ item.mode }} with_items: - { file: server.conf, - dest: /etc/openvpn/openvpn.conf, + dest: /etc/openvpn/server/openvpn.conf, mode: '0644' } - { file: "{{ private }}/files/vpn/openvpn/keys/crl.pem", - dest: /etc/openvpn/crl.pem, + dest: /etc/openvpn/server/crl.pem, mode: '0644' } - { file: "{{ private }}/files/vpn/openvpn/keys/server.crt", - dest: /etc/openvpn/server.crt, + dest: /etc/openvpn/server/server.crt, mode: '0644' } - { file: "{{ private }}/files/vpn/openvpn/keys/server.key", - dest: /etc/openvpn/server.key, + dest: /etc/openvpn/server/server.key, mode: '0600' } - { file: "{{ private }}/files/vpn/openvpn/keys/dh2048.pem", - dest: /etc/openvpn/dh2048.pem, + dest: /etc/openvpn/server/dh2048.pem, mode: '0644' } tags: - install - openvpn - name: Install the ccd files - copy: src=ccd/ dest=/etc/openvpn/ccd/ + copy: src=ccd/ dest=/etc/openvpn/server/ccd/ tags: - openvpn -- name: enable openvpn service for rhel 7 or Fedora - service: name=openvpn@openvpn state=started enabled=true +- name: disable old openvpn service for rhel 7 or Fedora + service: name=openvpn@openvpn state=stopped enabled=false + when: ( ansible_distribution_version[0] == 7 or is_fedora is defined ) and openvpn_master is defined + tags: + - service + - openvpn + +- name: enable openvpn service for rhel 7 or Fedora + service: name=openvpn-server@openvpn state=started enabled=true when: ( ansible_distribution_version[0] == 7 or is_fedora is defined ) and openvpn_master is defined tags: - service diff --git a/roles/pagure/frontend/files/robots.txt b/roles/pagure/frontend/files/robots.txt new file mode 100644 index 0000000000..a70291b52e --- /dev/null +++ b/roles/pagure/frontend/files/robots.txt @@ -0,0 +1,5 @@ +User-agent: * +Disallow: /api +Disallow: /login +Disallow: /*/raw +Crawl-Delay: 2 diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index d005e64303..ddb4248e5c 100644 
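Review bot: Both new `when:` lines in the `@@ -25,31 +25,38 @@` hunk compare `ansible_distribution_version[0]`, a one-character string, with the integer 7, which Jinja2 never treats as equal, so on RHEL 7 neither the stop of `openvpn@openvpn` nor the start of `openvpn-server@openvpn` runs and only the `is_fedora` branch is effective. The condition was carried over from the removed task, but every other hunk in this change already uses the `|int` form. Change both to `when: ( ansible_distribution_major_version|int == 7 or is_fedora is defined ) and openvpn_master is defined`.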
--- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml @@ -30,6 +30,11 @@ tags: - pagure +- name: Put in robots.txt + copy: src=robots.txt dest=/var/www/html/robots.txt + tags: + - pagure + # Set-up gitolite @@ -78,17 +83,22 @@ - gitolite - pagure +- name: create the /attachments folder + file: state=directory + path=/srv/attachments + owner=git group=git mode=0775 + tags: + - pagure + - name: Adjust owner of /srv/git file: name=/srv/git state=directory recurse=yes owner=git group=git tags: - gitolite - - pagure - name: Adjust permissions of /srv/git/.gitolite file: name=/srv/git/.gitolite state=directory recurse=yes owner=git group=git tags: - gitolite - - pagure - name: install our own gitolite configuration template: src=gitolite.rc @@ -275,6 +285,43 @@ tags: - pagure +- name: check the selinux context of the git repo directory + command: matchpathcon /srv/git + register: distgitcontext + check_mode: no + changed_when: false + tags: + - config + - pagure + - selinux + +- name: set the SELinux policy for the distgit root directory + command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?" + when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1 + tags: + - config + - pagure + - selinux + +- name: check the selinux context of the releases directory + command: matchpathcon /var/www/releases + register: distgitcontext + check_mode: no + changed_when: false + tags: + - config + - pagure + - selinux + +# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions? +- name: set the SELinux policy for the releases directory + command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?" + when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1 + tags: + - config + - pagure + - selinux + - name: copy over our custom selinux module copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp register: selinux_module 
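Review bot: The two new `semanage fcontext -a` tasks in the `@@ -275,6 +285,43 @@` hunk record a file-context rule but never relabel existing files, so `/srv/git` and `/var/www/releases` keep their current labels until a `restorecon -R` runs; adding `command: restorecon -R /srv/git` (and the same for `/var/www/releases`) under the same `when` makes the first run converge. The second `matchpathcon` task reuses the `distgitcontext` register name for the releases directory, which works because the tasks are sequential but reads as if it still described the git root; `register: releasescontext` would be clearer.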
diff --git a/roles/pagure/frontend/templates/0_pagure.conf b/roles/pagure/frontend/templates/0_pagure.conf index 3c3f353a17..4b76d209d1 100644 --- a/roles/pagure/frontend/templates/0_pagure.conf +++ b/roles/pagure/frontend/templates/0_pagure.conf @@ -3,7 +3,7 @@ WSGISocketPrefix run/wsgi WSGIRestrictSignal Off WSGIPythonOptimize 1 WSGIPassAuthorization On -WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=4 threads=4 inactivity-timeout=300 +WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=6 threads=6 inactivity-timeout=300 WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-name=paguredocs processes=4 threads=4 inactivity-timeout=300 ## Redirects http -> https @@ -59,6 +59,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na ServerName pagure.io {% endif %} + Alias "/robots.txt" "/var/www/html/robots.txt" + WSGIScriptAlias / /var/www/pagure.wsgi ServerAdmin admin@fedoraproject.org diff --git a/roles/pagure/frontend/templates/alembic.ini b/roles/pagure/frontend/templates/alembic.ini index 06f2464252..7daf38c633 100644 --- a/roles/pagure/frontend/templates/alembic.ini +++ b/roles/pagure/frontend/templates/alembic.ini @@ -12,7 +12,6 @@ script_location = /usr/share/pagure/alembic # revision_environment = false #sqlalchemy.url = postgresql://<%= pkgdb_app %>:<%= pkgdb_appPassword %>@db-pkgdb/pkgdb -sqlalchemy.url = postgresql://{{ pagure_db_admin_user }}:{{ pagure_db_admin_pass }}@{{ pagure_db_host }}/{{ pagure_db_name }} # Logging configuration diff --git a/roles/pagure/frontend/templates/pagure.cfg b/roles/pagure/frontend/templates/pagure.cfg index e2f95b961b..2344690142 100644 --- a/roles/pagure/frontend/templates/pagure.cfg +++ b/roles/pagure/frontend/templates/pagure.cfg 
@@ -108,6 +108,9 @@ TICKETS_FOLDER = '/srv/git/repositories/tickets' ### Folder containing the clones of the remotes git repo REMOTE_GIT_FOLDER = '/srv/git/remotes' +### Folder containing out-of-git attachments cache +ATTACHMENTS_FOLDER = '/srv/attachments' + ### Configuration file for gitolite GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf' @@ -155,9 +158,10 @@ SHORT_LENGTH = 7 ### List of blacklisted project names that can conflicts for pagure's URLs ### or other BLACKLISTED_PROJECTS = [ - 'static', 'pv', 'releases', 'new', 'api', 'settings', - 'logout', 'login', 'users', 'groups', 'projects', 'ssh_info' - 'issues', 'pull-requests', 'commits', 'tree', 'forks', + 'static', 'pv', 'releases', 'new', 'api', 'settings', 'search', 'fork', + 'logout', 'login', 'user', 'users', 'groups', 'projects', 'ssh_info', + 'issues', 'pull-requests', 'commits', 'tree', 'forks', 'admin', 'c', + 'wait', ] DISABLED_PLUGINS = ['IRC'] 
@@ -218,3 +222,55 @@ SSH_KEYS = { OLD_VIEW_COMMIT_ENABLED = True PAGURE_CI_SERVICES=['jenkins'] + +LOGGING = { + 'version': 1, + 'disable_existing_loggers': False, + 'formatters': { + 'standard': { + 'format': '%(asctime)s [%(levelname)s] %(name)s: %(message)s' + }, + }, + 'handlers': { + 'console': { + 'level': 'INFO', + 'formatter': 'standard', + 'class': 'logging.StreamHandler', + 'stream': 'ext://sys.stdout', + }, + }, + # The root logger configuration; this is a catch-all configuration + # that applies to all log messages not handled by a different logger + 'root': { + 'level': 'INFO', + 'handlers': ['console'], + }, + 'loggers': { + 'pagure': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': True + }, + 'pagure.lib.encoding_utils': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': False + }, + 'flask': { + 'handlers': ['console'], + 'level': 'INFO', + 'propagate': False + }, + 'sqlalchemy': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': False + }, + 'binaryornot': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': True + }, + } +} + diff --git a/roles/pagure/upstreamfirst-frontend/defaults/main.yml b/roles/pagure/upstreamfirst-frontend/defaults/main.yml new file mode 100644 index 0000000000..a9e248fb02 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/defaults/main.yml @@ -0,0 +1,2 @@ +--- +pagure_instance_name: "Pagure" diff --git a/roles/pagure/upstreamfirst-frontend/files/aliases b/roles/pagure/upstreamfirst-frontend/files/aliases new file mode 100644 index 0000000000..193cf3f4a7 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/aliases 
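Review bot: In the new `LOGGING` dict the `pagure` and `binaryornot` loggers set `'propagate': True` while both they and the root logger attach the same `console` handler, so each of their messages is written to stdout twice; either set `'propagate': False` on those two entries as the other loggers do, or drop their `handlers` list and let them inherit the root handler. `'level': 'DEBUG'` for `pagure` is also a production setting in this file, and debug output from a web application can include request data, so confirm that verbosity is intended for this host.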
@@ -0,0 +1,91 @@ +# +# Aliases in this file will NOT be expanded in the header from +# Mail, but WILL be visible over networks or from /bin/mail. +# +# >>>>>>>>>> The program "newaliases" must be run after +# >> NOTE >> this file is updated for any changes to +# >>>>>>>>>> show through to sendmail. +# + +# Basic system aliases -- these MUST be present. +mailer-daemon: postmaster +postmaster: sysadmin-main + +# General redirections for pseudo accounts. +bin: root +daemon: root +adm: root +lp: root +sync: root +shutdown: root +halt: root +mail: root +#news: root +uucp: root +operator: root +games: root +gopher: root +ftp: root +#nobody: root +radiusd: root +nut: root +dbus: root +vcsa: root +canna: root +wnn: root +rpm: root +nscd: root +pcap: root +apache: root +webalizer: root +dovecot: root +fax: root +quagga: root +radvd: root +pvm: root +amanda: root +privoxy: root +ident: root +named: root +xfs: root +gdm: root +mailnull: root +postgres: root +sshd: root +smmsp: root +postfix: root +netdump: root +ldap: root +squid: root +ntp: root +mysql: root +desktop: root +rpcuser: root +rpc: root +nfsnobody: root +notifications: root + +ingres: root +system: root +toor: root +manager: root +dumper: root +abuse: root +nagios: root + +newsadm: news +newsadmin: news +usenet: news +ftpadm: ftp +ftpadmin: ftp +ftp-adm: ftp +ftp-admin: ftp + +# trap decode to catch security attacks +decode: root + +# Person who should get root's mail +root: sysadmin-main + +pagure: /dev/null +reply: /dev/null diff --git a/roles/pagure/upstreamfirst-frontend/files/backup-database b/roles/pagure/upstreamfirst-frontend/files/backup-database new file mode 100644 index 0000000000..3f6e7d8fb1 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/backup-database 
@@ -0,0 +1,10 @@
+#!/bin/bash
+# Backup a database *locally* to /backups/.
+
+DB=$1
+
+# Make our latest backup
+/usr/bin/pg_dump -C $DB | /usr/bin/xz > /backups/$DB-$(date +%F).dump.xz
+
+# Also, delete the backup from a few days ago.
+rm -f /backups/$DB-$(date --date="3 days ago" +%F).dump.xz
diff --git a/roles/pagure/upstreamfirst-frontend/files/pagure_ev.service b/roles/pagure/upstreamfirst-frontend/files/pagure_ev.service
new file mode 100644
index 0000000000..f194b1b5cd
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/pagure_ev.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Pagure EventSource server (Allowing live refresh of the pages supporting it)
+After=redis.target
+Documentation=https://pagure.io/pagure
+
+[Service]
+ExecStart=/usr/libexec/pagure-ev/pagure_stream_server.py
+Type=simple
+User=git
+Group=git
+Restart=on-failure
+LimitNOFILE=40960
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pagure/upstreamfirst-frontend/files/pg_hba.conf b/roles/pagure/upstreamfirst-frontend/files/pg_hba.conf
new file mode 100644
index 0000000000..83aca29868
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/pg_hba.conf
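Review bot: backup-database runs the dump pipeline without `set -euo pipefail`, so a failing `pg_dump` still leaves a truncated `.dump.xz` behind (the pipeline's status is xz's) and the unconditional `rm -f` that follows still deletes the three-day-old copy, which is exactly the run in which you want to keep it; `$DB` is also unquoted and unchecked in both paths. Add `set -euo pipefail` after the shebang, reject an empty argument with `[ -n "$DB" ] || exit 1`, and quote the expansions, e.g. `/usr/bin/pg_dump -C "$DB" | /usr/bin/xz > "/backups/$DB-$(date +%F).dump.xz"`.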
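Review bot: `After=redis.target` in pagure_ev.service names a unit that the Redis package on these hosts most likely does not provide (it ships `redis.service`), and systemd silently ignores unknown units in `After=`, so the intended ordering is lost. `After=network.target redis.service`, with `Wants=redis.service` if the event server should pull Redis in, expresses it; confirm the unit name on the host before changing it.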
@@ -0,0 +1,78 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the PostgreSQL Administrator's Guide, chapter "Client +# Authentication" for a complete description. A short synopsis +# follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTION] +# host DATABASE USER CIDR-ADDRESS METHOD [OPTION] +# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION] +# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain socket, +# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an +# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", a database name, or +# a comma-separated list thereof. +# +# USER can be "all", a user name, a group name prefixed with "+", or +# a comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names from +# a separate file. +# +# CIDR-ADDRESS specifies the set of hosts the record matches. +# It is made up of an IP address and a CIDR mask that is an integer +# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies +# the number of significant bits in the mask. Alternatively, you can write +# an IP address and netmask in separate columns to specify the set of hosts. +# +# METHOD can be "trust", "reject", "md5", "crypt", "password", +# "krb5", "ident", or "pam". Note that "password" sends passwords +# in clear text; "md5" is preferred since it sends encrypted passwords. +# +# OPTION is the ident map or the name of the PAM service, depending on METHOD. 
+# +# Database and user names containing spaces, commas, quotes and other special +# characters must be quoted. Quoting one of the keywords "all", "sameuser" or +# "samerole" makes the name lose its special character, and just match a +# database or username with that name. +# +# This file is read on server startup and when the postmaster receives +# a SIGHUP signal. If you edit the file on a running system, you have +# to SIGHUP the postmaster for the changes to take effect. You can use +# "pg_ctl reload" to do that. + +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL listen +# on a non-local interface via the listen_addresses configuration parameter, +# or via the -i or -h command line switches. +# + +#@authcomment@ + +# TYPE DATABASE USER CIDR-ADDRESS METHOD + +#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only +#@remove-line-for-nolocal@local all all @authmethod@ +# IPv4 local connections: +#host all all 127.0.0.1/32 @authmethod@ +# IPv6 local connections: +#host all all ::1/128 @authmethod@ + +local all all ident +host koji koji 10.5.126.61 255.255.255.255 md5 +host all all 0.0.0.0 0.0.0.0 md5 +# Note, I can't think of a reason to make this more restrictive than ipv4 but +# only fakefas needs it so far +host all all ::1/128 md5 diff --git a/roles/pagure/upstreamfirst-frontend/files/robots.txt b/roles/pagure/upstreamfirst-frontend/files/robots.txt new file mode 100644 index 0000000000..a70291b52e --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/robots.txt @@ -0,0 +1,5 @@ +User-agent: * +Disallow: /api +Disallow: /login +Disallow: /*/raw +Crawl-Delay: 2 diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.fc b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.fc new file mode 100644 index 0000000000..e69de29bb2 
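Review bot: The new pg_hba.conf ends with `host all all 0.0.0.0 0.0.0.0 md5`, which lets any IPv4 address attempt password authentication to every database as any role, so the only things between the network and the pagure database are listen_addresses and the host firewall, neither of which this diff shows. For a frontend that initialises its own PostgreSQL (the `postgresql-setup initdb` task in the tasks hunk below) a loopback-only rule such as `host all all 127.0.0.1/32 md5` is sufficient, and the `host koji koji 10.5.126.61 255.255.255.255 md5` line looks copied from another role and has no consumer in this one. Tighten the rules to what pagure needs and drop the koji entry.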
diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if new file mode 100644 index 0000000000..3eb6a3057b --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if @@ -0,0 +1 @@ +## diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp new file mode 100644 index 0000000000..a6248e7014 Binary files /dev/null and b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp differ diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.te b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.te new file mode 100644 index 0000000000..d661e611e9 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.te @@ -0,0 +1,11 @@ +module pagure 1.0; + +require { + type httpd_t; + type gitosis_var_lib_t; + class dir { add_name remove_name write }; + class file { create link setattr unlink write }; +} + +allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write }; +allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write }; diff --git a/roles/pagure/upstreamfirst-frontend/files/stunnel.service b/roles/pagure/upstreamfirst-frontend/files/stunnel.service new file mode 100644 index 0000000000..8701ba266f --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/stunnel.service @@ -0,0 +1,14 @@ +[Unit] +Description=stunnel +After=network.target +Documentation=https://infrastructure.fedoraproject.org/infra/docs/fedmsg-websocket.txt + +[Service] +ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf +Type=forking +User=root +Group=root +Restart=on-failure + +[Install] +WantedBy=multi-user.target diff --git a/roles/pagure/upstreamfirst-frontend/handlers/main.yml b/roles/pagure/upstreamfirst-frontend/handlers/main.yml new file mode 100644 index 0000000000..62b144e24b --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/handlers/main.yml 
@@ -0,0 +1,3 @@
+---
+- name: restart pagure_milter
+ service: name=pagure_milter state=restarted
diff --git a/roles/pagure/upstreamfirst-frontend/tasks/main.yml b/roles/pagure/upstreamfirst-frontend/tasks/main.yml
new file mode 100644
index 0000000000..f328d54670
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml
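Review bot: This file defines only `restart pagure_milter`, while tasks/main.yml in the same role notifies `restart postgresql`, `reload systemd`, `restart pagure_ev`, `restart stunnel`, `restart postfix` and `restart apache`; Ansible aborts the play when a notified handler cannot be found. Presumably those are supplied by the shared handlers file the playbook includes for every host, but that dependency is invisible from inside the role and will bite anyone reusing it. A one-line comment after `---` would make it explicit, e.g. `# restart apache/postfix/stunnel/pagure_ev and reload systemd come from the playbook-level shared handlers, not this role`.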
@@ -0,0 +1,336 @@ +--- +# Configuration for the pagure webapp + +- name: install needed packages + yum: pkg={{ item }} state=present + with_items: + - pagure + - pagure-ci + - pagure-ev + - pagure-loadjson + - pagure-logcom + - pagure-milters + - pagure-webhook + - python-psycopg2 + - redis + - libsemanage-python + - mod_ssl + - stunnel + # Use haveged to ensure the server keeps some entropy + - haveged + # make sure python2-openidc-client is installed + - python2-openidc-client + tags: + - pagure + - packages + +- name: Initialize postgres if necessary + command: /usr/bin/postgresql-setup initdb + creates=/var/lib/pgsql/data + notify: + - restart postgresql + tags: + - pagure + +- name: Put in robots.txt + copy: src=robots.txt dest=/var/www/html/robots.txt + tags: + - pagure + + +# Set-up gitolite + +- name: install needed packages + yum: pkg=gitolite3 state=present + tags: + - pagure + - gitolite + - packages + +- name: Rename the user gitolite into git + command: usermod --move-home --login git --home /srv/git/ gitolite3 + creates=/srv/git/ + tags: + - gitolite + - pagure + +- name: Rename the group gitolite into git + command: groupmod --new-name git gitolite3 + creates=/srv/git/.gitolite/conf + tags: + - gitolite + - pagure + +- name: create the /srv/git/.gitolite/conf folder + file: state=directory + path=/srv/git/.gitolite/conf + owner=git group=git mode=0775 + tags: + - gitolite + - pagure + +- name: create the /srv/git/.gitolite/keydir folder + file: state=directory + path=/srv/git/.gitolite/keydir + owner=git group=git mode=0775 + tags: + - gitolite + - pagure + +- name: create the /srv/git/.gitolite/logs folder + file: state=directory + path=/srv/git/.gitolite/logs + owner=git group=git mode=0775 + tags: + - gitolite + - pagure + +- name: Adjust owner of /srv/git + file: name=/srv/git state=directory recurse=yes owner=git group=git + tags: + - gitolite + +- name: Adjust permissions of /srv/git/.gitolite + file: name=/srv/git/.gitolite state=directory 
recurse=yes owner=git group=git + tags: + - gitolite + +- name: install our own gitolite configuration + template: src=gitolite.rc + dest=/srv/git/.gitolite.rc + owner=git group=git mode=0755 + tags: + - gitolite + - pagure + +- name: create all the directories where we store the git repos + file: state=directory + path={{ item }} + owner=git group=git mode=0775 + with_items: + - /srv/git/repositories/ + - /srv/git/repositories/forks + - /srv/git/repositories/docs + - /srv/git/repositories/tickets + - /srv/git/repositories/requests + - /srv/git/remotes + tags: + - gitolite + - pagure + +- name: create the /srv/tmp folder where to clone repos + file: state=directory + path=/srv/tmp + owner=git group=git mode=0775 + tags: + - gitolite + - pagure + + +# Set-up postfix and the milter for postfix + +- name: Add the /etc/aliases file + copy: src=aliases dest=/etc/aliases owner=root mode=644 + tags: + - config + - pagure + - postfix + notify: + - restart postfix + - restart pagure_milter + +# Override pagure_ev systemd service file + +- name: install pagure_ev service definition + copy: src=pagure_ev.service + dest=/usr/lib/systemd/system/pagure_ev.service + owner=root group=root mode=0644 + notify: + - reload systemd + - restart pagure_ev + tags: + - pagure + - pagure_ev + +# Set-up stunnel for the event source server + +- name: install stunnel service definition + copy: src=stunnel.service + dest=/usr/lib/systemd/system/stunnel.service + owner=root group=root mode=0644 + notify: + - reload systemd + - restart stunnel + tags: + - pagure + - stunnel + +- name: ensure old stunnel init file is gone + file: dest=/etc/init.d/stunnel/stunnel.init state=absent + tags: + - pagure + - stunnel + - config + +- name: install stunnel.conf + template: src={{ item.file }} + dest={{ item.dest }} + owner=root group=root mode=0600 + with_items: + - { file: stunnel-conf.j2, dest: /etc/stunnel/stunnel.conf } + notify: restart stunnel + tags: + - pagure + - stunnel + - config + + +# Set-up 
Pagure + +- name: create the /var/www/releases folder + file: state=directory + path=/var/www/releases + owner=git group=git mode=0775 + tags: + - pagure + - web + +- name: copy sundry pagure configuration + template: src={{ item.file }} + dest={{ item.location }}/{{ item.file }} + owner=git group=postfix mode=0640 + with_items: + - { file: pagure.cfg, location: /etc/pagure } + - { file: alembic.ini, location: /etc/pagure } + changed_when: "1 != 1" + tags: + - config + - web + - pagure + notify: + - restart apache + +- name: create pagure database + delegate_to: "{{ new_pagure_db_command_host }}" + become: true + become_user: postgres + postgresql_db: db={{ new_pagure_db_name }} + tags: + - web + - pagure + +- name: ensure pagure db user has access to database + delegate_to: "{{ new_pagure_db_command_host }}" + become: true + become_user: postgres + postgresql_user: db={{ new_pagure_db_name }} user={{ new_pagure_db_user }} password={{ new_pagure_db_pass }} role_attr_flags=NOSUPERUSER + tags: + - web + - pagure + +- name: create the database scheme + command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py + changed_when: "1 != 1" + environment: + PAGURE_CONFIG: /etc/pagure/pagure.cfg + tags: + - web + - pagure + +- name: Install the configuration file to activate https + template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} + owner=root group=root mode=0644 + with_items: + - 0_pagure.conf + tags: + - files + - config + - pagure + notify: + - restart apache + +- name: Install the wsgi file + template: src={{ item }} + dest=/var/www/{{ item }} + owner=git group=git mode=0644 + with_items: + - pagure.wsgi + - docs_pagure.wsgi + tags: + - config + - web + - pagure + notify: + - restart apache + +- name: Add default facl so apache can read git repos + acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present + register: acl_updates + tags: + - pagure + +- name: Manually fix current default ACLs since Ansible doesnt know recursive 
acls + when: acl_updates.changed + command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git + tags: + - pagure + +- name: Manually fix current ACLs since Ansible doesnt know recursive acls + when: acl_updates.changed + command: /usr/bin/setfacl -Rm user:apache:rx /srv/git + tags: + - pagure + +- name: copy over our custom selinux module + copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp + register: selinux_module + tags: + - pagure + +- name: install our custom selinux module + command: semodule -i /usr/local/share/pagure.pp + when: selinux_module|changed + tags: + - pagure + +- name: set sebooleans so pagure can talk to the network (db + redis) + seboolean: name=httpd_can_network_connect + state=true + persistent=true + tags: + - selinux + - web + - pagure + +- name: set sebooleans so apache can send emails + seboolean: name=httpd_can_sendmail + state=true + persistent=true + tags: + - selinux + - web + - pagure + + +# Ensure all the services are up and running + +- name: Start and enable httpd, postfix, pagure_milter + service: name={{ item }} enabled=yes state=started + with_items: + - httpd + - postfix + - stunnel + - redis + - pagure_ev + - pagure_ci + - pagure_loadjon + - pagure_logcom + - pagure_milter + - pagure_webhook + - fedmsg-relay + - haveged + ignore_errors: true + tags: + - pagure + - service + - postfix diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf new file mode 100644 index 0000000000..dc1dbefb4b --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf 
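Review bot: The final "Start and enable" task lists `- pagure_loadjon`, which does not match the `pagure-loadjson` package installed at the top of the file (the unit is presumably `pagure_loadjson`, following the other `pagure_*` names), and because the task has `ignore_errors: true` the failure to start that unit is swallowed on every run, so the JSON loader would silently never come up. Fix the entry to `- pagure_loadjson` and drop `ignore_errors: true`, or replace it with a `failed_when` limited to the units that may legitimately be absent, so a missing or crashing service is actually reported. Separately, the "copy sundry pagure configuration" task carries `changed_when: "1 != 1"`, which means its `notify: restart apache` can never fire and a changed pagure.cfg is not picked up until something else restarts httpd.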
@@ -0,0 +1,165 @@ +WSGISocketPrefix run/wsgi +#WSGIRestrictStdout On +WSGIRestrictSignal Off +WSGIPythonOptimize 1 +WSGIPassAuthorization On +WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=4 threads=4 inactivity-timeout=300 +WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-name=paguredocs processes=4 threads=4 inactivity-timeout=300 + +## Redirects http -> https + + + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] + ServerName {{ external_hostname }} + Redirect permanent / https://{{ external_hostname }}/ + + + + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] + ServerName docs.{{ external_hostname }} + Redirect permanent / https://docs.{{ external_hostname }}/ + + + + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] + ServerName releases.{{ external_hostname }} + Redirect permanent / https://releases.{{ external_hostname }}/ + +# Added until we can get the cert out + DocumentRoot "/var/www/releases" + + + Options +Indexes + IndexOptions NameWidth=* + + + + + + +## End of redirects http -> https + + + + ServerName {{ external_hostname }} + + Alias "/robots.txt" "/var/www/html/robots.txt" + + WSGIScriptAlias / /var/www/pagure.wsgi + + ServerAdmin admin@fedoraproject.org + + SSLEngine on + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} + # Use secure TLSv1.1 and TLSv1.2 ciphers + Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + + SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2 + + 
Alias /static /usr/lib/python2.7/site-packages/pagure/static/ + + SetEnv GIT_PROJECT_ROOT /srv/git/repositories + + AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1 + AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/repositories/$1 + ScriptAliasMatch \ + "(?x)^/(.*/(HEAD | \ + info/refs | \ + objects/info/[^/]+ | \ + git-(upload|receive)-pack))$" \ + /usr/libexec/git-core/git-http-backend/$1 + + # Configure static files so that a custom theme can override the defaults + RewriteEngine on + + RewriteCond "{{ pagure_theme_static_dir }}/$1" -f + RewriteRule "^/static/(.*)" "{{ pagure_theme_static_dir }}/$1" [L] + + # Use the application default theme for files not customized + + RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pagure/static/$1" [L] + + + + WSGIProcessGroup pagure + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order deny,allow + Allow from all + + + + + Redirect "/releases" https://releases.{{ external_hostname }} + + + + + + + ServerName docs.{{ external_hostname }} + + WSGIScriptAlias / /var/www/docs_pagure.wsgi + + SSLEngine on + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} + # Use secure TLSv1.1 and TLSv1.2 ciphers + Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + + + SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2 + + # Configure static files so that a custom theme can override the defaults + RewriteEngine on + + RewriteCond "{{ pagure_theme_static_dir }}/$1" -f + RewriteRule "^/static/(.*)" "{{ pagure_theme_static_dir }}/$1" [L] + + # Use the application default theme for files not customized + + 
RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pagure/static/$1" [L] + + + WSGIProcessGroup paguredocs + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order deny,allow + Allow from all + + + + + + DocumentRoot "/var/www/releases" + ServerName releases.{{ external_hostname }} + + + Options +Indexes + IndexOptions NameWidth=* + + + + diff --git a/roles/pagure/upstreamfirst-frontend/templates/alembic.ini b/roles/pagure/upstreamfirst-frontend/templates/alembic.ini new file mode 100644 index 0000000000..7daf38c633 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/alembic.ini @@ -0,0 +1,50 @@ +# A generic, single database configuration. + +[alembic] +# path to migration scripts +script_location = /usr/share/pagure/alembic + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +#sqlalchemy.url = postgresql://<%= pkgdb_app %>:<%= pkgdb_appPassword %>@db-pkgdb/pkgdb + + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S diff --git a/roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi b/roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi new file mode 100644 index 0000000000..a9f8cea973 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi 
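Review bot: In both HTTPS vhosts the templated `SSLProtocol {{ ssl_protocols }}` and `SSLCipherSuite {{ ssl_ciphers }}` are followed a few lines later by a hard-coded `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL` and `SSLProtocol ALL -SSLv2`; for these directives the last occurrence in a context wins, so the site-wide policy is overridden and RC4 and SSLv3 are offered again, contradicting the "secure TLSv1.1 and TLSv1.2" comment and the preloaded HSTS header right above. Delete those two lines in each of the two vhosts so the shared variables take effect. Also `SSLCertificateChainFile` points at Let's Encrypt's `fullchain.pem`, which already contains the leaf; `chain.pem` is the file meant for that directive (mod_ssl copes, but it may send the leaf twice).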
@@ -0,0 +1,22 @@
+#-*- coding: utf-8 -*-
+
+# The three lines below are required to run on EL6 as EL6 has
+# two possible version of python-sqlalchemy and python-jinja2
+# These lines make sure the application uses the correct version.
+import __main__
+__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4']
+import pkg_resources
+
+import os
+## Set the environment variable pointing to the configuration file
+os.environ['PAGURE_CONFIG'] = '/etc/pagure/pagure.cfg'
+
+## The following is only needed if you did not install pagure
+## as a python module (for example if you run it from a git clone).
+#import sys
+#sys.path.insert(0, '/path/to/pagure/')
+
+
+## The most import line to make the wsgi working
+from pagure.docs_server import APP as application
+#application.debug = True
diff --git a/roles/pagure/upstreamfirst-frontend/templates/gitolite.rc b/roles/pagure/upstreamfirst-frontend/templates/gitolite.rc
new file mode 100644
index 0000000000..1a20d4277c
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/templates/gitolite.rc
@@ -0,0 +1,195 @@ +# configuration variables for gitolite + +# This file is in perl syntax. But you do NOT need to know perl to edit it -- +# just mind the commas, use single quotes unless you know what you're doing, +# and make sure the brackets and braces stay matched up! + +# (Tip: perl allows a comma after the last item in a list also!) + +# HELP for commands can be had by running the command with "-h". + +# HELP for all the other FEATURES can be found in the documentation (look for +# "list of non-core programs shipped with gitolite" in the master index) or +# directly in the corresponding source file. + +%RC = ( + + # ------------------------------------------------------------------ + + # default umask gives you perms of '0700'; see the rc file docs for + # how/why you might change this + UMASK => 0077, + + # look for "git-config" in the documentation + GIT_CONFIG_KEYS => '', + + # comment out if you don't need all the extra detail in the logfile + LOG_EXTRA => 1, + # syslog options + # 1. leave this section as is for normal gitolite logging + # 2. uncomment this line to log only to syslog: + # LOG_DEST => 'syslog', + # 3. uncomment this line to log to syslog and the normal gitolite log: + # LOG_DEST => 'syslog,normal', + + # roles. add more roles (like MANAGER, TESTER, ...) here. + # WARNING: if you make changes to this hash, you MUST run 'gitolite + # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE' + ROLES => { + READERS => 1, + WRITERS => 1, + }, + + # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!! 
+ # CACHE => 'Redis', + + # ------------------------------------------------------------------ + + # rc variables used by various features + + # the 'info' command prints this as additional info, if it is set + # SITE_INFO => 'Please see http://blahblah/gitolite for more help', + + # the CpuTime feature uses these + # display user, system, and elapsed times to user after each git operation + # DISPLAY_CPU_TIME => 1, + # display a warning if total CPU times (u, s, cu, cs) crosses this limit + # CPU_TIME_WARN_LIMIT => 0.1, + + # the Mirroring feature needs this + # HOSTNAME => "foo", + + # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING! + # CACHE_TTL => 600, + + # ------------------------------------------------------------------ + + # suggested locations for site-local gitolite code (see cust.html) + + # this one is managed directly on the server + # LOCAL_CODE => "$ENV{HOME}/local", + + # or you can use this, which lets you put everything in a subdirectory + # called "local" in your gitolite-admin repo. For a SECURITY WARNING + # on this, see http://gitolite.com/gitolite/non-core.html#pushcode + # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local", + + # ------------------------------------------------------------------ + + # List of commands and features to enable + + ENABLE => [ + + # COMMANDS + + # These are the commands enabled by default + 'help', + 'desc', + 'info', + 'perms', + 'writable', + + # Uncomment or add new commands here. + # 'create', + # 'fork', + # 'mirror', + # 'readme', + # 'sskm', + # 'D', + + # These FEATURES are enabled by default. 
+ + # essential (unless you're using smart-http mode) + 'ssh-authkeys', + + # creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz' + 'git-config', + + # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out + 'daemon', + + # creates projects.list file; if you don't use gitweb, comment this out + #'gitweb', + + # These FEATURES are disabled by default; uncomment to enable. If you + # need to add new ones, ask on the mailing list :-) + + # user-visible behaviour + + # prevent wild repos auto-create on fetch/clone + # 'no-create-on-read', + # no auto-create at all (don't forget to enable the 'create' command!) + # 'no-auto-create', + + # access a repo by another (possibly legacy) name + # 'Alias', + + # give some users direct shell access. See documentation in + # sts.html for details on the following two choices. + # "Shell $ENV{HOME}/.gitolite.shell-users", + # 'Shell alice bob', + + # set default roles from lines like 'option default.roles-1 = ...', etc. + # 'set-default-roles', + + # show more detailed messages on deny + # 'expand-deny-messages', + + # show a message of the day + # 'Motd', + + # system admin stuff + + # enable mirroring (don't forget to set the HOSTNAME too!) + # 'Mirroring', + + # allow people to submit pub files with more than one key in them + # 'ssh-authkeys-split', + + # selective read control hack + # 'partial-copy', + + # manage local, gitolite-controlled, copies of read-only upstream repos + # 'upstream', + + # updates 'description' file instead of 'gitweb.description' config item + # 'cgit', + + # allow repo-specific hooks to be added + # 'repo-specific-hooks', + + # performance, logging, monitoring... 
+ + # be nice + # 'renice 10', + + # log CPU times (user, system, cumulative user, cumulative system) + # 'CpuTime', + + # syntactic_sugar for gitolite.conf and included files + + # allow backslash-escaped continuation lines in gitolite.conf + # 'continuation-lines', + + # create implicit user groups from directory names in keydir/ + # 'keysubdirs-as-groups', + + # allow simple line-oriented macros + # 'macros', + + # Kindergarten mode + + # disallow various things that sensible people shouldn't be doing anyway + # 'Kindergarten', + ], + +); + +# ------------------------------------------------------------------------------ +# per perl rules, this should be the last line in such a file: +1; + +# Local variables: +# mode: perl +# End: +# vim: set syn=perl: diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg new file mode 100644 index 0000000000..b569395276 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg 
@@ -0,0 +1,238 @@ +from datetime import timedelta + +INSTANCE_NAME= '{{ pagure_instance_name }}' + +THEME_TEMPLATE_FOLDER='{{ pagure_theme_template_dir }}' +THEME_STATIC_FOLDER='{{ pagure_theme_static_dir }}' + +### Set the time after which the admin session expires +# There are two sessions on pagure, login that holds for 31 days and +# the session defined here after which an user has to re-login. +# This session is used when accessing all administrative parts of pagure +# (ie: changing a project's or a user's settings) +ADMIN_SESSION_LIFETIME = timedelta(minutes=20) + +# Make the CSRF token not-time limited, this way it is valid for the entire +# duration of the session. +WTF_CSRF_TIME_LIMIT=None + +### Secret key for the Flask application +SECRET_KEY='{{ pagure_secret_key }}' +SALT_EMAIL='{{ pagure_secret_salt_email }}' + +EMAIL_SEND = True + +# This is required so that login specifies https +PREFERRED_URL_SCHEME='https' + +### url to the database server: +#DB_URL=mysql://user:pass@host/db_name +#DB_URL=postgres://user:pass@host/db_name +# removing host for local postgres connection +DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}@{{ new_pagure_db_host }}/{{ new_pagure_db_name }}' + +### The FAS group in which the admin of pagure are +ADMIN_GROUP = {{ new_pagure_admin_groups }} + +### The email address to which the flask.log will send the errors (tracebacks) +EMAIL_ERROR = '{{ pagure_admin_email }}' + +### Default SMTP server to use for sending emails +SMTP_SERVER = 'localhost' + +### Email used to sent emails +FROM_EMAIL = 'pagure@{{ external_hostname }}' +DOMAIN_EMAIL_NOTIFICATIONS = '{{ external_hostname }}' + +### The URL at which the project is available. 
+APP_URL = 'https://{{ external_hostname }}/' +DOC_APP_URL = 'https://docs.{{ external_hostname }}' + +### Datagrepper info for the user profile +DATAGREPPER_URL = 'https://apps.fedoraproject.org/datagrepper' +DATAGREPPER_CATEGORY = 'pagure' + +### The URL to use to clone git repositories. +GIT_URL_SSH = 'ssh://git@{{ external_hostname }}/' +GIT_URL_GIT = 'https://{{ external_hostname }}/' + +### The IP addresses allowed for the internal endpoints +IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1', '{{ public_ip }}'] + +# Redis configuration +EVENTSOURCE_SOURCE = 'https://{{ external_hostname }}:8088' +REDIS_HOST = '0.0.0.0' +REDIS_PORT = 6379 +REDIS_DB = 0 + +EV_STATS_PORT = '8888' + +WEBHOOK = True + +### Folder containing to the git repos +GIT_FOLDER = '/srv/git/repositories' + +### Folder containing the forks repos +FORK_FOLDER = '/srv/git/repositories/forks' + +### Folder containing the docs repos +DOCS_FOLDER = '/srv/git/repositories/docs' + +### Folder containing the pull-requests repos +REQUESTS_FOLDER = '/srv/git/repositories/requests' + +### Folder containing the tickets repos +TICKETS_FOLDER = '/srv/git/repositories/tickets' + +### Folder containing the clones of the remotes git repo +REMOTE_GIT_FOLDER = '/srv/git/remotes' + +### Configuration file for gitolite +GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf' + +### Path of the release folder +UPLOAD_FOLDER_URL = 'https://releases.{{ external_hostname }}/' +UPLOAD_FOLDER_PATH = '/var/www/releases/' + + +### Home folder of the gitolite user +### Folder where to run gl-compile-conf from +GITOLITE_HOME = '/srv/git/' + +### Folder containing all the public ssh keys for gitolite +GITOLITE_KEYDIR = '/srv/git/.gitolite/keydir/' + +### Path to the gitolite.rc file +GL_RC = '/srv/git/.gitolite.rc' + +### Path to the /bin directory where the gitolite tools can be found +GL_BINDIR = '/usr/bin/' + + +### Temp folder to be used to make the clones to work around bug in libgit2: +## refs: 
https://github.com/libgit2/libgit2/issues/2965 +## and https://github.com/libgit2/libgit2/issues/2797 +TMP_FOLDER = '/srv/tmp' + +# Optional configuration + +### Number of items displayed per page +# Used when listing items +ITEM_PER_PAGE = 50 + +### Maximum size of the uploaded content +# Used to limit the size of file attached to a ticket for example +MAX_CONTENT_LENGTH = 60 * 1024 * 1024 # 60 megabytes + +### Lenght for short commits ids or file hex +SHORT_LENGTH = 7 + +### List of blacklisted project names that can conflicts for pagure's URLs +### or other +BLACKLISTED_PROJECTS = [ + 'static', 'pv', 'releases', 'new', 'api', 'settings', + 'logout', 'login', 'users', 'groups', 'projects', 'ssh_info' + 'issues', 'pull-requests', 'commits', 'tree', 'forks', +] + +DISABLED_PLUGINS = ['IRC'] + + +# Authentication related configuration option + +### Switch the authentication method +# Specify which authentication method to use, defaults to `fas` can be or +# `local` +# Default: ``fas``. +PAGURE_AUTH = 'openid' + +# When this is set to True, the session cookie will only be returned to the +# server via ssl (https). If you connect to the server via plain http, the +# cookie will not be sent. This prevents sniffing of the cookie contents. +# This may be set to False when testing your application but should always +# be set to True in production. +# Default: ``True``. +SESSION_COOKIE_SECURE = True + +# The name of the cookie used to store the session id. +# Default: ``.pagure``. +SESSION_COOKIE_NAME = 'upstreamfirstpagure' + +# Boolean specifying wether to check the user's IP address when retrieving +# its session. This make things more secure (thus is on by default) but +# under certain setup it might not work (for example is there are proxies +# in front of the application). 
+CHECK_SESSION_IP = True + +# Used by SESSION_COOKIE_PATH +APPLICATION_ROOT = '/' + +# Set the SSH certs/keys +SSH_KEYS = { + 'RSA': { + 'fingerprint': '2048 69:50:46:24:c7:94:44:f8:8d:83:05:5c:eb:73:fb:c4 (RSA)', + 'pubkey': '{{ external_hostname }},{{ public_ip }} {{ pagure_ssh_host_pubkey }}', + 'SHA256': '{{ pagure_ssh_host_sha256 }}', + } +} + +# Allow the backward compatiblity endpoints for the old URLs schema to +# see the commits of a repo. This is only interesting if you pagure instance +# was running since before version 1.3 and if you care about backward +# compatibility in your URLs. +OLD_VIEW_COMMIT_ENABLED = False + +#PAGURE_CI_SERVICES=['jenkins'] +PAGURE_CI_SERVICES=[] + +LOGGING = { + 'version': 1, + 'disable_existing_loggers': False, + 'formatters': { + 'standard': { + 'format': '%(asctime)s [%(levelname)s] %(name)s: %(message)s' + }, + }, + 'handlers': { + 'console': { + 'level': 'INFO', + 'formatter': 'standard', + 'class': 'logging.StreamHandler', + 'stream': 'ext://sys.stdout', + }, + }, + # The root logger configuration; this is a catch-all configuration + # that applies to all log messages not handled by a different logger + 'root': { + 'level': 'INFO', + 'handlers': ['console'], + }, + 'loggers': { + 'pagure': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': True + }, + 'pagure.lib.encoding_utils': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': False + }, + 'flask': { + 'handlers': ['console'], + 'level': 'INFO', + 'propagate': False + }, + 'sqlalchemy': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': False + }, + 'binaryornot': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': True + }, + } +} + diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi b/roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi new file mode 100644 index 0000000000..b04abac4d8 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi 
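Review bot: `BLACKLISTED_PROJECTS` is missing the comma after `'ssh_info'`, so Python's implicit string concatenation folds the two entries into the single name `'ssh_infoissues'`; neither `ssh_info` nor `issues` is therefore reserved, and a user could create a project whose name collides with those pagure URL paths. The fix is the one line `'logout', 'login', 'users', 'groups', 'projects', 'ssh_info',`. `REDIS_HOST = '0.0.0.0'` is a client connect address here; it happens to reach loopback on Linux but reads like a bind address copied from a server config, and `'127.0.0.1'` says what is meant. Note also that this file, installed 0640 git:postfix by tasks/main.yml, carries `SECRET_KEY`, `SALT_EMAIL` and the database password inside `DB_URL`, so the postfix group is trusted with all three — presumably for the milter, but worth a comment next to `DB_URL`.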
@@ -0,0 +1,28 @@
+#-*- coding: utf-8 -*-
+
+# The three lines below are required to run on EL6 as EL6 has
+# two possible version of python-sqlalchemy and python-jinja2
+# These lines make sure the application uses the correct version.
+import __main__
+__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4']
+import pkg_resources
+
+import os
+## Set the environment variable pointing to the configuration file
+os.environ['PAGURE_CONFIG'] = '/etc/pagure/pagure.cfg'
+
+## Set the environment variable if the tmp folder needs to be moved
+## Is necessary to work around bug in libgit2:
+## refs: https://github.com/libgit2/libgit2/issues/2965
+## and https://github.com/libgit2/libgit2/issues/2797
+os.environ['TEMP'] = '/srv/tmp/'
+
+## The following is only needed if you did not install pagure
+## as a python module (for example if you run it from a git clone).
+#import sys
+#sys.path.insert(0, '/path/to/pagure/')
+
+
+## The most import line to make the wsgi working
+from pagure import APP as application
+#application.debug = True
diff --git a/roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2 b/roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2
new file mode 100644
index 0000000000..6dcf68a09d
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2
@@ -0,0 +1,8 @@
+cert = /etc/pki/tls/certs/pagure.io.cert
+key = /etc/pki/tls/certs/pagure.io.key
+pid = /var/run/stunnel.pid
+
+[{{ stunnel_service }}]
+
+accept = {{ stunnel_source_port }}
+connect = {{ stunnel_destination_port }}
diff --git a/roles/people/templates/people.conf b/roles/people/templates/people.conf
index b7652b5639..eeb79e14dc 100644
--- a/roles/people/templates/people.conf
+++ b/roles/people/templates/people.conf
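Review bot: The private key is read from `/etc/pki/tls/certs/pagure.io.key`, the certs directory, instead of `/etc/pki/tls/private/`, which is the directory RHEL/Fedora ship with mode 0700 precisely so keys are not exposed by a permissive parent; move it to `key = /etc/pki/tls/private/pagure.io.key` and make sure the task that deploys it installs it 0600. The `pagure.io` file names inside an `upstreamfirst` role also look copied from the pagure.io role — confirm the certificate actually matches the host this instance answers on, otherwise eventsource clients get a name mismatch. There is also no `setuid`/`setgid`/`chroot` here, so with the unit running as root the daemon keeps root after the key is loaded; `setuid = nobody` and `setgid = nobody` would drop it.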
@@ -27,9 +27,9 @@ NameVirtualHost *:80 DocumentRoot /srv/people/site SSLEngine on - SSLCertificateFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.cert - SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2014.fedorapeople.org.key - SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert + SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.cert + SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedorapeople.org.key + SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.intermediate.cert SSLHonorCipherOrder On SSLCipherSuite {{ ssl_ciphers }} SSLProtocol {{ ssl_protocols }} @@ -40,9 +40,9 @@ NameVirtualHost *:80 ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fedorapeople.org-error.log-%Y-%m-%d 86400 -l" CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/fedorapeople.org-access.log-%Y-%m-%d 86400 -l" vcommon - + ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" @@ -218,6 +218,11 @@ SetOutputFilter DEFLATE AddType video/webm .webm AddType text/plain .spec AddType application/vnd.android.package-archive .apk +AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript + + ForceType text/plain + Header set Content-Encoding: gzip + # Insert filter diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf index a5591c3079..319923d2a4 100644 --- a/roles/planet/templates/planet.conf +++ b/roles/planet/templates/planet.conf @@ -20,12 +20,12 @@ ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" 
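Review bot: The new block applies `ForceType text/plain` and `Header set Content-Encoding: gzip` to whatever the match directive selects (its tag and pattern did not survive extraction; presumably pre-compressed `*.gz` files), and the `AddOutputFilterByType DEFLATE ... text/plain` added two lines above then also selects those same responses by type. mod_deflate is supposed to skip a response that already carries a Content-Encoding, but whether the `Header set` has run by the time the deflate filter decides is not obvious from this config, so verify with `curl -sI --compressed` against a .gz file that it is not double-encoded, and consider an explicit `SetEnv no-gzip` inside the match block to remove the dependency on filter ordering. Minor: mod_headers accepts the trailing colon, but `Header set Content-Encoding gzip` is the documented form.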
@@ -63,7 +63,7 @@ SSLEngine on SSLCertificateFile /etc/pki/tls/certs/planet.fedoraproject.org.cert SSLCertificateKeyFile /etc/pki/tls/private/planet.fedoraproject.org.key - SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert + SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.intermediate.cert SSLHonorCipherOrder On SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} diff --git a/roles/postgresql_server/templates/postgresql.conf b/roles/postgresql_server/templates/postgresql.conf index 9947805fbe..b148442d99 100644 --- a/roles/postgresql_server/templates/postgresql.conf +++ b/roles/postgresql_server/templates/postgresql.conf @@ -177,8 +177,9 @@ wal_buffers = 64kB # min 32kB #commit_siblings = 5 # range 1-1000 # - Checkpoints - - +{% if ansible_distribution != "Fedora" %} checkpoint_segments = 30 # in logfile segments, min 1, 16MB each +{% endif %} checkpoint_timeout = 30min # range 30s-1h checkpoint_completion_target = 0.6 # checkpoint target duration, 0.0 - 1.0 checkpoint_warning = 180s # 0 is off diff --git a/roles/regcfp/tasks/main.yml b/roles/regcfp/tasks/main.yml index f9091da5e0..9d055cf898 100644 --- a/roles/regcfp/tasks/main.yml +++ b/roles/regcfp/tasks/main.yml @@ -12,7 +12,7 @@ - name: Clone the regcfp master branch git: repo=https://github.com/puiterwijk/regcfp.git dest=/srv/regcfp - version=develop + version=flock2017 clone=yes update=yes register: git_result changed_when: "git_result.after|default('after') != git_result.before|default('before')" diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index 23b084045b..2fd29e95df 100644 --- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json 
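Review bot: `version=flock2017` pins the checkout to a branch on a personal GitHub account, and with `update=yes` each Ansible run fast-forwards `/srv/regcfp` to whatever that branch holds at that moment, so code reaches register.flocktofedora.org without passing through this repository's review. For a service that handles registrations (and presumably payment and personal data) prefer an immutable reference — a tag or full commit SHA, e.g. `version=<40-char sha>  # flock2017 branch as of <date>` — and bump it deliberately. The enclosing task starts before this hunk.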
@@ -3,9 +3,10 @@ "site_url": "https://register.flocktofedora.org", "theming": { "theme": "fedora", - "site_name": "Flock 2016 Registration", - "event_name": "Flock 2016", - "logo": "" + "site_name": "Flock 2017 Registration", + "event_name": "Flock 2017", + "logo": "", + "event_location": "Hyannis, Cape Cod" }, "secret": "{{ regcfp_secret }}", "database": { 
@@ -56,33 +57,34 @@ }, "permissions": { - "admin": ["puiterwijk@fedoraproject.org", "pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "duffy@fedoraproject.org", "decause@fedoraproject.org", "spot@fedoraproject.org", "robyduck@fedoraproject.org", "rsuehle@fedoraproject.org", "mattdm@fedoraproject.org"], + "admin": ["puiterwijk@fedoraproject.org", "pfrields@fedoraproject.org", "duffy@fedoraproject.org", "robyduck@fedoraproject.org", "mattdm@fedoraproject.org", "bex@fedoraproject.org"], "papers": { - "submit": [], + "submit": ["*authenticated*"], "list": { - "accepted": ["jwboyer@fedoraproject.org", "spot@fedoraproject.org"], + "accepted": ["bex@fedoraproject.org", "duffy@fedoraproject.org", "pfrields@fedoraproject.org", "mitzie@fedoraproject.org"], "own": ["*authenticated*"], - "all": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org"] + "all": ["pfrields@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "robyduck@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org", "nb@fedoraproject.org", "mitzie@fedoraproject.org"] }, "edit": { - "own": [], - "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org"] + "own": ["*authenticated*"], + "all": ["pfrields@fedoraproject.org", "bex@fedoraproject.org", "duffy@fedoraproject.org"] }, "delete": { - "own": [], - "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org"] + "own": ["*authenticated*"], + "all": ["pfrields@fedoraproject.org", "duffy@fedoraproject.org", "bex@fedoraproject.org"] }, "tag": ["*authenticated*"], - "vote": ["jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org"], - 
"showvotes": ["jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org"], - "accept": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "spot@fedoraproject.org"] + "vote": ["duffy@fedoraproject.org", "mattdm@fedoraproject.org", "pfrields@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org", "robyduck@fedoraproject.org", "nb@fedoraproject.org"], + "showvotes": ["duffy@fedoraproject.org", "mattdm@fedoraproject.org", "pfrields@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org", "robyduck@fedoraproject.org", "nb@fedoraproject.org"], + "accept": ["pfrields@fedoraproject.org", "bex@fedoraproject.org", "duffy@fedoraproject.org"] }, "registration": { - "register": [], - "pay": [], + "register": ["*authenticated*"], + "pay": ["*authenticated*"], "request_receipt": [], - "view_public": ["*authenticated*"], - "view_all": [""], + "view_public": [], + "view_all": ["bex@fedoraproject.org", "duffy@fedoraproject.org"], + "view_payment": ["bex@fedoraproject.org", "duffy@fedoraproject.org"], "add_payment": [], "print_badge": [], "desk": [], @@ -90,18 +92,14 @@ "cancel_all": [] } }, - + "papers": { "enabled": true, "tracks": [ - "Building a Better Distro", - "Growing the Fedora Userbase", - "Making Life Better for Contributors", - "Prepared Lightning Talk", - "Workshop - Team Planning", - "Workshop - Hackfest", - "Workshop - Drop-in Clinic", - "Other" + "Talk (30 min)", + "Talk (60 min)", + "Do-Session (120 min)", + "Do-Session (180 min)" ] }, 
@@ -109,14 +107,18 @@ "registration": { "enabled": true, "fields": { + "reglegend": { + "type": "legend", + "display_name": "Registration Fee", + "split": 0 + }, "doc1": { "type": "documentation", "display_name": "", "html": [ - "We are excited to see you at this year's Flock!", - "We're doing things a little differently this year in order to make sure it is a", - "productive event that helps us achieve our goals as a community.", - "Explain regfee etc" + "The registration fee below is determined by your current country selection. ", + "This is in order to keep the fee fair and nominal across all regions. ", + "If your country isn't listed, please choose a country or region with a similar economic situation." ], "split": 0 }, 
@@ -125,33 +127,94 @@ "short_display_name": "Ctr", "type": "select", "required": true, - "message": "This will be kept private", + "message" : "Choose a region with a similar economic situation if your country is not listed.", + "privmsg": "This will be kept private.", "private": true, "placeholder": "Country of origin", "options": [ + "Argentina", + "Australia", + "Brazil", + "Britain", + "Canada", + "Chile", + "China", + "Colombia", + "Costa Rica", + "Czech Republic", + "Denmark", + "Egypt", + "Euro area", + "Hong Kong", + "Hungary", + "India", + "Indonesia", + "Israel", + "Japan", + "Malaysia", + "Mexico", + "New Zealand", + "Norway", + "Pakistan", + "Peru", + "Philippines", + "Poland", + "Russia", + "Saudi Arabia", + "Singapore", + "South Africa", + "South Korea", + "Sri Lanka", + "Sweden", + "Switzerland", + "Taiwan", + "Thailand", + "Turkey", + "UAE", + "Ukraine", "United States", - "Netherlands" + "Uruguay", + "Venezuela", + "Vietnam", + "Austria", + "Belgium", + "Estonia", + "Finland", + "France", + "Germany", + "Greece", + "Ireland", + "Italy", + "Netherlands", + "Portugal", + "Spain" ], - "onchange": "javascript:update_regfee();", + "onchange": "javascript:update_regfee(); javascript:update_estimates();", "split": 0 }, "regfee": { - "display_name": "Registration Fee", + "display_name": "Registration Fee in USD $", "type": "string", - "required": true, + "required": false, "private": true, "placeholder": "25.00", - "readonly": true, - "split": 0 + "readonly": false, + "split": 0, + "message": "All amounts are in US dollars.", + "onchange": "javascript:update_estimates();" }, "reason": { - "display_name": "Why are you interested in attending flock?", - "type": "string", + "display_name": "Why are you interested in attending Flock?", + "type": "textarea", "required": true, "private": true, - "placeholder": "", "split": 0 }, + "soclegend": { + "type": "legend", + "display_name": "Social Details", + "split": 1 + }, "ircnick": { "display_name": "IRC Nickname", 
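Review bot: The `regfee` field changes from `"readonly": true, "required": true` to `"readonly": false, "required": false`, so the fee that feeds the payment step is now a free-text value the registrant can edit, and the only thing computing it is the browser-side `update_regfee()` handler. Unless regcfp re-derives or bounds the amount server-side from the selected country (nothing in this config shows that), an empty, zero or non-numeric value would be accepted as the registration fee. If voluntary adjustment is intended, at least keep `"required": true` and document where the server-side minimum is enforced; otherwise restore `"readonly": true`.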
@@ -171,16 +234,23 @@ "placeholder": "", "split": 1 }, + "reqslegend": { + "type": "legend", + "display_name": "Personal Requirements", + "split": 1 + }, + "veg": { "display_name": "Vegetarian", "short_display_name": "Veg", "type": "select", "required": true, - "message": "This will be kept private; note that a selection here does not guarantee availability of vegetarian options", - "private": true, + "message": "This does not guarantee availability of vegetarian options.", + "privmsg": "This will be kept private.", + "private": true, "placeholder": "", "options": [ - "Yes", "No" + "No", "Yes" ], "split": 1 }, @@ -189,7 +259,8 @@ "short_display_name": "Diet", "type": "string", "required": false, - "message": "This will be kept private; note that no guarantees are made, but we will do our best", + "message": "No guarantees are made here, but we will do our best!", + "privmsg": "This will be kept private.", "private": true, "placeholder": "", "split": 1 @@ -202,7 +273,7 @@ "private": false, "placeholder": "", "options": [ - "Yes", "No" + "No", "Yes" ], "split": 1 }, @@ -210,7 +281,7 @@ "display_name": "T-shirt size", "short_display_name": "Sz", "type": "select", - "message": "This will be kept private", + "message": "This will be kept private.", "required": false, "private": true, "placeholder": "", 
@@ -230,23 +301,38 @@ ], "split": 1 }, + "assistlegend": { + "type": "legend", + "display_name": "Financial Assistance", + "split": 2 + }, "needassistance": { "display_name": "Do you need financial assistance in order to attend Flock?", "short_display_name": "Sub", - "type": "boolean", + "type": "radio", "required": true, "private": true, + "onchange": "javascript:update_regfee(); javascript:update_estimates();", + "options": [ + "No, I / my employer can cover my expenses.", + "Yes, my attendance requires financial assistance." + ], "split": 2 }, "sponsor_additional": { "display_name": "Would you like to help sponsor a Fedora volunteer's attendance?", "short_display_name": "Spon", - "type": "boolean", + "type": "radio", "required": false, "private": true, - "shownifnot": "needassistance", + "shownifkey": "needassistance", + "shownifval": "No, I / my employer can cover my expenses.", + "options": [ + "No, thank you.", + "Yes, I will sponsor the amount that follows." + ], "split": 2 }, "sponsor_additional_amount": { 
@@ -255,42 +341,105 @@ "type": "string", "required": false, "private": true, - "shownif": "sponsor_additional", + "shownifkey": "sponsor_additional", + "shownifval": "Yes, I will sponsor the amount that follows.", + "split": 2 + }, + "circumlegend": { + "type": "legend", + "display_name": "Special Travel Circumstances", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", "split": 2 }, - "travel_circumstances": { - "display_name": "If there are any...", + "display_name": "If there are any special circumstances or logistics regarding your travel and/or funding for Flock, please note them here.", "short_display_name": "travel_circum", - "type": "string", + "type": "textarea", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "split": 2 + }, + "flightlegend": { + "type": "legend", + "display_name": "Flights", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", "split": 2 }, "flights_needed": { "display_name": "My trip to flock requires air travel", - "type": "boolean", + "type": "radio", "required": false, "private": true, - "shownif": "needassistance", + "onchange": "javascript:update_regfee(); javascript:update_estimates();", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "options": [ + "My trip to Flock requires air travel.", + "My trip to Flock does not require air travel." + ], "split": 2 }, "doc_flights": { "display_name": "", "type": "documentation", "html": [ - "Show calendar information here" - ], - "shownif": "flights_needed", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "
SatSunMonTueWedThuFriSatSun
Flock
Aug 26Aug 27Aug 28Aug 29Aug 30Aug 31Sep 01Sep 02Sep 03
", + "

First bus departs Logan Airport at 6:15 AM.

", + "

Last bus departs Logan Airport at 11:15 PM.

", + "
", + "

First bus arrives at Logan at 4:30 AM.

", + "

Last bus arrives at Logan at 10:30 PM.

", + "
" + ], + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", "split": 2 }, + "doc_research": { + "type": "documentation", + "display_name": "", + "html": [ + "

Please research round trip flights to Boston's Logan Airport for Flock. Note that there is a 2-hour long", + " bus ride from the airport to the conference site; we have provided a rough schedule of this bus above but ", + "please verify the schedule, particularly if you plan to ", + "ride on a weekend as the schedule may vary based on what we've posted above.

", + "

Plan to arrive in Hyannis, MA by the evening of Monday, August 28 and depart no sooner than 2 PM on Friday, ", + "keeping the bus times and schedule in account." + ], + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", + "split": 2 + }, + "flight_homeairport": { "display_name": "Preferred home airport codes", "type": "string", "required": false, "private": true, - "shownif": "flights_needed", + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", + "message": "Ex. 'PRG', 'BRQ'", "split": 2 }, "flight_price": { @@ -298,23 +447,54 @@ "type": "string", "required": false, "private": true, - "shownif": "flights_needed", + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", + "message": "Please provide the amount in US dollars.", + "onchange": "javascript:update_estimates();", + "split": 2 + }, + "doc_research2": { + "type": "documentation", + "display_name": "", + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", + "html": [ + "

Please make your best guess on your estimated airfare cost based on your research. If you underestimate, ", + "there may not be enough funding for your trip; if you overestimate, other attendees may not receive funding. ", + "We rely on the honesty and integrity of our community members to fill this form out accurately." + ], + "split": 2 + }, + + + "othertransitlegend": { + "type": "legend", + "display_name": "Other Transit Costs", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", "split": 2 }, "busservice": { - "display_name": "Do you intend to use the Boston-to-Cape Cod bus service", - "type": "boolean", + "display_name": "Do you intend to use the Cape Cod bus service from Boston's Logan Airport?", + "type": "radio", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "options": [ + "Yes (+ $47 / roundtrip)", + "No" + ], + "onchange": "javascript:update_estimates();", "split": 2 }, "other_transit": { "display_name": "Please describe any other transit-related costs you anticipate", - "type": "string", + "type": "textarea", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", "split": 2 }, "total_othertransit": { 
@@ -322,24 +502,81 @@ "type": "string", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "message": "Please provide the amount in US dollars.", + "onchange": "javascript:update_estimates();", "split": 2 }, + "lodginglegend": { + "type": "legend", + "display_name": "Lodging", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "split": 2 + }, + "lodging_needed": { "display_name": "I would like lodging to be part of my travel funding request", - "type": "boolean", + "type": "radio", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "options": [ + "I would like lodging to be part of my travel funding request.", + "I will make my own arrangements for lodging." + ], + "onchange": "javascript:update_estimates();", "split": 2 }, - "lodging_doc": { + "lodging_calendar": { "display_name": "", "type": "documentation", "html": [ - "Show lodging calendar and other info here..." + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "
SatSunMonTueWedThuFriSatSun
Flock
Aug 26Aug 27Aug 28Aug 29Aug 30Aug 31Sep 01Sep 02Sep 03
", + "

First bus departs Logan Airport at 6:15 AM.

", + "

Last bus departs Logan Airport at 11:15 PM.

", + "
", + "

First bus arrives at Logan at 4:30 AM.

", + "

Last bus arrives at Logan at 10:30 PM.

", + "
" + ], + "shownifkey": "lodging_needed", + "shownifval": "I would like lodging to be part of my travel funding request.", + "split": 2 + }, + "doc_lodging": { + "type": "documentation", + "display_name": "", + "shownifkey": "lodging_needed", + "shownifval": "I would like lodging to be part of my travel funding request.", + "html": [ + "

Please indicate below how many nights' lodging you anticipate needing based on your above travel estimate.

", + "

Note: We will fund up to four nights' stay for funded Flock attendees ", + "traveling domestically, and five nights' stay for international", + "travellers, with the exception of travel-related additional lodging requirements.

", + "

All funded attendees will share a double room with an attendee of the same gender. You may request an ", + "exception to this policy by emailing flock-staff@fedoraproject.org, ", + "which is a private address for Flock organizers." ], - "shownif": "lodgin_needed", "split": 2 }, "lodging_nights": { @@ -355,7 +592,9 @@ ], "required": false, "private": true, - "shownif": "lodging_needed", + "shownifkey": "lodging_needed", + "shownifval": "I would like lodging to be part of my travel funding request.", + "onchange": "javascript:update_estimates();", "split": 2 }, "lodging_roommate": { @@ -363,12 +602,61 @@ "type": "string", "required": false, "private": true, - "shownif": "lodging_needed", + "shownifkey": "lodging_needed", + "shownifval": "I would like lodging to be part of my travel funding request.", + "message": "Provide name or FAS ID of a mutually-agreed upon roommate.", + "split": 2 + }, + + "doc_estimated_cost": { + "type": "documentation", + "display_name": "", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "html": [ + "

Estimated costs for funding request

", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "
Estimated round trip airfare: $-- USD
Airfare booking fee: $-- USD
Boston-to-Cape-Cod bus (round-trip): $-- USD
Other transit-related costs: $-- USD
Lodging, X nights x ($139.99 + 15.40): $-- USD
Registration fee: $-- USD
", + "

Total: $-- USD

" + ], + "split": 2 + }, + "afford_to_pay": { + "display_name": "If I am funded, I can afford to pay:", + "type": "radio", + "options": [20, 40, 60, 80, 90, "Other"], + "required": false, + "private": true, + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "message": "All amounts in US dollars.", + "split": 2 + }, + "afford_to_pay_custom": { + "display_name": "Amount", + "short_display_name": "AffAmnt", + "type": "string", + "required": false, + "private": true, + "shownifkey": "afford_to_pay", + "shownifval": "other", "split": 2 } + }, "max_split": 2, - "payment_product_name": "My Event Registration Fee", + "payment_product_name": "Flock 2017 Registration Fee", "currencies": { "USD": { "symbol": "$", @@ -378,7 +666,7 @@ } }, "main_currency": "USD", - "paypal_experience_profile": "", + "paypal_experience_profile": "XP-KZGG-W7U6-E9QN-AHRF", "desk_word": "something", "paypal": { @@ -389,7 +677,7 @@ }, "profile": { - "name": "Event Registration Profile", + "name": "Flock 2017", "presentation": { "brand_name": "Fedora Project", "logo_image": "https://getfedora.org/static/images/fedora_infinity_140x140.png", diff --git a/roles/releng/files/aarch64.branched b/roles/releng/files/aarch64.branched deleted file mode 100644 index 48b1d38902..0000000000 --- a/roles/releng/files/aarch64.branched +++ /dev/null @@ -1,3 +0,0 @@ -# branched devel compose -MAILTO=releng-cron@lists.fedoraproject.org -#15 7 * * * root TMPDIR=`mktemp -d /tmp/branched.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f25-secondary-arch && LANG=en_US.UTF-8 ./nightly.sh arm diff --git a/roles/releng/files/aarch64.rawhide b/roles/releng/files/aarch64.rawhide deleted file mode 100644 index 81d4c5d51b..0000000000 --- a/roles/releng/files/aarch64.rawhide +++ /dev/null 
@@ -1,3 +0,0 @@ -# rawhide compose -MAILTO=releng-cron@lists.fedoraproject.org -# 15 5 * * * root TMPDIR=`mktemp -d /tmp/rawhide.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout secondary-arch && LANG=en_US.UTF-8 ./nightly.sh arm diff --git a/roles/releng/files/branched b/roles/releng/files/branched index ea4fe29711..26fee6c33a 100644 --- a/roles/releng/files/branched +++ b/roles/releng/files/branched @@ -1,3 +1,4 @@ # branched compose MAILTO=releng-cron@lists.fedoraproject.org 15 7 * * * root TMPDIR=`mktemp -d /tmp/branched.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f26 && LANG=en_US.UTF-8 ./nightly.sh && sudo -u ftpsync /usr/local/bin/update-fullfiletimelist -l /pub/fedora-secondary/update-fullfiletimelist.lock -t /pub fedora fedora-secondary +15 18 * * * root TMPDIR=`mktemp -d /tmp/branched-modular.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f26 && LANG=en_US.UTF-8 ./nightly-modular.sh diff --git a/roles/releng/files/power64.branched b/roles/releng/files/power64.branched deleted file mode 100644 index f989b556f1..0000000000 --- a/roles/releng/files/power64.branched +++ /dev/null @@ -1,3 +0,0 @@ -# branched devel compose -MAILTO=releng-cron@lists.fedoraproject.org -#15 7 * * * root TMPDIR=`mktemp -d /tmp/branched.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f25-secondary-arch && LANG=en_US.UTF-8 ./nightly.sh ppc diff --git a/roles/releng/files/power64.rawhide b/roles/releng/files/power64.rawhide deleted file mode 100644 index c06bce488d..0000000000 --- a/roles/releng/files/power64.rawhide +++ /dev/null 
@@ -1,3 +0,0 @@ -# rawhide compose -MAILTO=releng-cron@lists.fedoraproject.org -# 15 5 * * * root TMPDIR=`mktemp -d /tmp/rawhide.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout secondary-arch && LANG=en_US.UTF-8 ./nightly.sh ppc diff --git a/roles/releng/files/s390.rawhide b/roles/releng/files/s390.rawhide deleted file mode 100644 index 1be4f4a863..0000000000 --- a/roles/releng/files/s390.rawhide +++ /dev/null @@ -1,3 +0,0 @@ -# rawhide compose -MAILTO=releng-cron@lists.fedoraproject.org -15 8 * * * root TMPDIR=`mktemp -d /tmp/rawhide.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout secondary-arch && LANG=en_US.UTF-8 ./nightly.sh s390 diff --git a/roles/releng/tasks/main.yml b/roles/releng/tasks/main.yml index 11d173d171..e8a2f2f4bc 100644 --- a/roles/releng/tasks/main.yml +++ b/roles/releng/tasks/main.yml @@ -86,6 +86,8 @@ - python-scandir - python2-productmd - ostree + - python2-modulemd + - python2-pdc-client - name: add pkgs dnf: state=present pkg={{ item }} diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2 index 75164abd09..4112ba1f50 100644 --- a/roles/rkhunter/templates/rkhunter.conf.j2 +++ b/roles/rkhunter/templates/rkhunter.conf.j2 @@ -404,7 +404,7 @@ ALLOWDEVFILE=/dev/shm/spice.* {% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa-stg'] %} ALLOWDEVFILE=/dev/shm/sem.slapd*.stats {% endif %} -{% if inventory_hostname in groups['pgbdr'] or inventory_hostname in groups['pgbdr-stg'] %} +{% if inventory_hostname in groups['pgbdr'] or inventory_hostname in groups['pgbdr-stg'] or inventory_hostname == 'ci-cc-rdu01.fedoraproject.org' %} ALLOWDEVFILE=/dev/shm/PostgreSQL* {% endif %} diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py index c0ee0b326e..36715792ed 100644 
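Review bot: The rkhunter condition now mixes group membership with a hard-coded host, `inventory_hostname == 'ci-cc-rdu01.fedoraproject.org'`, so the `/dev/shm/PostgreSQL*` whitelist depends on a literal hostname rather than on inventory. Put that host in a group and test membership the same way as `pgbdr`/`pgbdr-stg`, e.g. `{% if inventory_hostname in groups['pgbdr'] or inventory_hostname in groups['pgbdr-stg'] or inventory_hostname in groups['<postgres-hosts-group>'] %}`, so the exception follows the database role when the host is renamed or replaced.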
--- a/roles/robosignatory/files/robosignatory.production.py +++ b/roles/robosignatory/files/robosignatory.production.py @@ -155,14 +155,14 @@ config = { # Any module built against the base-runtime master stream { "stream": "master", - "key": "fedora-27", - "keyid": "f5282ee4" + "key": "fedora-modularity", + "keyid": "a3cc4e62" }, # Any module built against the base-runtime f26 stream { "stream": "f26", - "key": "fedora-26", - "keyid": "64dab85d" + "key": "fedora-modularity", + "keyid": "a3cc4e62" }, ], }, diff --git a/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 b/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 index e867d5617a..0dcd97702b 100644 --- a/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 +++ b/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 @@ -235,11 +235,9 @@ factory.addStep(MasterShellCommand(command=["mkdir", '-m', '0755', Interpolate(' factory.addStep(DirectoryUpload(slavesrc=Interpolate('/var/lib/taskotron/artifacts/%(prop:uuid)s/'), masterdest=Interpolate('{{ public_artifacts_dir }}/%(prop:uuid)s/task_output'))) -{% if deployment_type in ['stg', 'prod'] %} # gzip artifacts factory.addStep(MasterShellCommand(command=Interpolate('gzip -r {{ public_artifacts_dir }}/%(prop:uuid)s/task_output/*'), descriptionDone=['gzip artifacs dir content'])) -{% endif %} {% if deployment_type in ['local'] %} # copy taskotron log to master diff --git a/roles/taskotron/buildslave/tasks/main.yml b/roles/taskotron/buildslave/tasks/main.yml index acc747d59b..25e2256d08 100644 --- a/roles/taskotron/buildslave/tasks/main.yml +++ b/roles/taskotron/buildslave/tasks/main.yml 
@@ -60,10 +60,10 @@ - name: set the selinux fcontext type for the buildslave dir to var_lib_t command: semanage fcontext -a -t var_lib_t "{{ item.dir }}(/.*)?" with_items: "{{ slaves }}" - when: slaves is defined and deployment_type in ['dev', 'stg', 'prod'] + when: slaves is defined and deployment_type in ['dev', 'stg', 'prod', 'qa-prod', 'qa-stg'] - name: make sure the selinux fcontext is restored command: restorecon -R "{{ item.dir }}" with_items: "{{ slaves }}" - when: slaves is defined and deployment_type in ['dev', 'stg', 'prod'] + when: slaves is defined and deployment_type in ['dev', 'stg', 'prod', 'qa-prod', 'qa-stg'] diff --git a/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 b/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 index 031987dc6c..5262dc0d85 100644 --- a/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 +++ b/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 @@ -32,6 +32,10 @@ ExtFilterDefine gz-to-html mode=output \ intype=application/x-gzip outtype=text/html \ cmd="/bin/gunzip -c -" +ExtFilterDefine gz-to-css mode=output \ +intype=application/x-gzip outtype=text/css \ +cmd="/bin/gunzip -c -" + RewriteEngine on @@ -44,6 +48,9 @@ cmd="/bin/gunzip -c -" SetOutputFilter gz-to-plain + + SetOutputFilter gz-to-css + SetOutputFilter gz-to-html diff --git a/roles/varnish/templates/kojipkgs.vcl.j2 b/roles/varnish/templates/kojipkgs.vcl.j2 index c3f7d51d14..8062d752bb 100644 --- a/roles/varnish/templates/kojipkgs.vcl.j2 +++ b/roles/varnish/templates/kojipkgs.vcl.j2 @@ -25,10 +25,12 @@ acl purge { backend localapache { .host = "127.0.0.1"; .port = "8080"; + .first_byte_timeout = 60s; + .between_bytes_timeout = 60s; .probe = { .url = "/"; .interval = 5s; - .timeout = 1s; + .timeout = 5s; .window = 5; .threshold = 3; } } diff --git a/roles/waiverdb/defaults/main.yml b/roles/waiverdb/defaults/main.yml index a034212670..21c008102c 100644 --- a/roles/waiverdb/defaults/main.yml 
+++ b/roles/waiverdb/defaults/main.yml @@ -2,5 +2,7 @@ waiverdb_db_port: 5432 waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization' waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token' +waiverdb_oidc_client_id: 'D-eb5668aa-f962-4d9e-8131-4ef6d7840436' +waiverdb_oidc_client_secret: 'QctUSOfqot6-XQd7YG0DeIAI81wlc7oD' waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo' -waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"' +waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo' diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml index 6ba8ffae3d..10c1cdba92 100644 --- a/roles/waiverdb/tasks/main.yml +++ b/roles/waiverdb/tasks/main.yml @@ -1,11 +1,15 @@ --- - include: psql_setup.yml +# Need to set selinux to permissive for now due to https://bugzilla.redhat.com/show_bug.cgi?id=1291940 +- name: switch selinux to permissive + selinux: policy=targeted state=permissive + - name: install needed packages (yum) yum: pkg={{ item }} state=present with_items: - waiverdb - - gunicorn + - python-gunicorn - python-psycopg2 notify: - restart waiverdb @@ -15,7 +19,7 @@ dnf: pkg={{ item }} state=present with_items: - waiverdb - - gunicorn + - python-gunicorn - python-psycopg2 notify: - restart waiverdb @@ -29,7 +33,7 @@ - name: copy client secrets template: src: etc/waiverdb/client_secrets.json - dest: /etc/wavierdb/client_secrets.json + dest: /etc/waiverdb/client_secrets.json owner: root group: root mode: 0640 @@ -47,3 +51,14 @@ force: yes notify: - restart waiverdb + +- name: install the nginx config + template: + src: etc/nginx/conf.d/waiverdb.conf.j2 + dest: /etc/nginx/conf.d/waiverdb.conf + owner: nginx + group: nginx + mode: 0640 + notify: + - restart nginx + \ No newline at end of file diff --git a/roles/waiverdb/tasks/psql_setup.yml b/roles/waiverdb/tasks/psql_setup.yml index 9a099fe934..5bcfd3c720 100644 
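Review bot: `waiverdb_oidc_client_secret: 'QctUSOfqot6-XQd7YG0DeIAI81wlc7oD'` puts an OIDC client secret in plain text in roles/waiverdb/defaults/main.yml, which is committed with the rest of the roles; defaults are also the lowest-precedence variable layer, meant for overridable values, not a secret store. Move it to the private/vault variables (the way settings.py.j2 in this same commit references `prod_waiverdb_secret_key` without defining it here) and leave only a reference, e.g. `waiverdb_oidc_client_secret: "{{ vault_waiverdb_oidc_client_secret }}"`, or drop the key from defaults entirely. Since the value has been committed it should be treated as exposed and rotated at the identity provider regardless of this fix.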
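Review bot: The new task `selinux: policy=targeted state=permissive` in roles/waiverdb/tasks/main.yml turns off enforcement for the whole host to work around the single denial tracked in the linked bug, and `state=permissive` also rewrites /etc/selinux/config so the setting persists across reboots. Scope the workaround to the offending domain instead (`semanage permissive -a <domain_t>` once the source type is known from the AVC) or ship a small local policy module, and keep the host enforcing. The inline comment giving the bug URL is good; it should also name the affected domain and say when the task is to be removed.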
--- a/roles/waiverdb/tasks/psql_setup.yml +++ b/roles/waiverdb/tasks/psql_setup.yml @@ -58,6 +58,6 @@ become_user: postgres - name: Create db user - postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE + postgresql_user: db="waiverdb" name="waiverdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE become: yes become_user: postgres diff --git a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 index d5d013974a..0fe42b5eaa 100644 --- a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 +++ b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 
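Review bot: The application role created here keeps `role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE`, so the account the web service connects as (`waiverdb-user`, per this commit's `SQLALCHEMY_DATABASE_URI`) is a PostgreSQL superuser; `NOCREATEDB`/`NOCREATEROLE` are meaningless on a superuser, who bypasses those checks. The commit only fixes the spelling, but while the line is being touched it should drop superuser and grant database privileges instead, e.g. `postgresql_user: db="waiverdb" name="waiverdb-user" priv=ALL role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE`. No password is set either, so access rests entirely on the host's pg_hba.conf local authentication rules, which are not visible here.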
@@ -1,29 +1,11 @@ # HTTP server -# rewrite to HTTPS server { - listen 80; - server_name {{service_name}}; - return 301 https://$server_name$request_uri; -} -# HTTPs server -server { - listen 443; - server_name {{ service_name }}; + listen 80 default_server; + server_name _; - ssl on; - ssl_certificate /etc/nginx/conf.d/ssl.pem; - ssl_certificate_key /etc/nginx/conf.d/ssl.key; - - ssl_session_timeout 5m; - - # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - # modern configuration. tweak to your needs. - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; + large_client_header_buffers 4 32k; + client_max_body_size 50M; + charset utf-8; location / { root /usr/share/nginx/html; diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 index 67ce5c8b58..986a7f9520 100644 --- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 
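Review bot: The rewritten server block listens on `80 default_server` with `server_name _;` and drops the HTTPS server, the 301 redirect and the `Strict-Transport-Security` header, so this vhost now serves waiverdb over plain HTTP to anything that can reach the port. That is acceptable only if TLS is terminated by a proxy in front and this port is not reachable directly, neither of which this file shows; the API accepts OIDC bearer tokens (`OIDC_RESOURCE_SERVER_ONLY = True` in the same commit), which would otherwise travel in clear. Record the assumption where the next maintainer will see it, e.g. `# Plain HTTP only: TLS is terminated at the front-end proxy; this port must not be exposed directly.`, and if the proxy is on the same host bind with `listen 127.0.0.1:80;` so the assumption is enforced rather than hoped for.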
@@ -1,2 +1,14 @@
-SECRET_KEY = '{{ waiverdb_secret_key }}'
-SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb
+{% if deployment_type == "prod" %}
+SECRET_KEY = '{{ prod_waiverdb_secret_key }}'
+{% elif deployment_type == "stg" %}
+SECRET_KEY = '{{ stg_waiverdb_secret_key }}'
+{% else %}
+SECRET_KEY = '{{ dev_waiverdb_secret_key }}'
+{% endif %}
+SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb-user@:{{ waiverdb_db_port }}/waiverdb'
+OIDC_CLIENT_SECRETS = '/etc/waiverdb/client_secrets.json'
+OIDC_REQUIRED_SCOPE = 'https://waiverdb.fedoraproject.org/oidc/create-waiver'
+OIDC_RESOURCE_SERVER_ONLY = True
+{% if deployment_type == "dev" %}
+ZEROMQ_PUBLISH = False
+{% endif %}
diff --git a/roles/web-data-analysis/files/httpd_config.conf b/roles/web-data-analysis/files/httpd_config.conf
index b922fe021d..6b007cea2b 100644
--- a/roles/web-data-analysis/files/httpd_config.conf
+++ b/roles/web-data-analysis/files/httpd_config.conf
@@ -6,5 +6,5 @@
 # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
 GssapiSSLonly Off
 GssapiLocalName on
- Require user smooge kevin puiterwijk mattdm pfrields uraeus ryanlerch robyduck
+ Require user smooge kevin puiterwijk mattdm pfrields relrod uraeus ryanlerch robyduck jibecfed
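Review bot: The `{% else %}` branch of the SECRET_KEY selection silently uses `dev_waiverdb_secret_key` for any `deployment_type` other than `prod`/`stg`, so a mistyped inventory value would deploy a host with the dev secret instead of failing; making the last branch explicit, `{% elif deployment_type == "dev" %}`, leaves SECRET_KEY unset on an unexpected value so the service fails at startup (an `assert` task on `deployment_type` in the role would achieve the same). This file now holds the Flask secret and points at the OIDC client secrets, so the task that renders it — outside this hunk — should write it with an owner-only mode. `SQLALCHEMY_DATABASE_URI` has no password and an empty host, which presumably relies on local socket authentication for `waiverdb-user`; a short comment saying so would help the next reader.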
diff --git a/tasks/virt_instance_create.yml b/tasks/virt_instance_create.yml
index d8413c856f..5e3e886561 100644
--- a/tasks/virt_instance_create.yml
+++ b/tasks/virt_instance_create.yml
@@ -65,8 +65,8 @@
 tags:
 - armv7-kernel
-- name: start the vm up
- virt: state=running name={{ inventory_hostname }}
+- name: start the vm up and set it to autostart
+ virt: state=running name={{ inventory_hostname }} autostart=True
 delegate_to: "{{ vmhost }}"
 when: inventory_hostname not in result.list_vms
@@ -76,11 +76,6 @@
 tags:
 - armv7-kernel
-- name: set it to autostart
- virt: autostart=True name={{ inventory_hostname }}
- delegate_to: "{{ vmhost }}"
- when: inventory_hostname not in result.list_vms
-
 - name: make sure there is no old ssh host key for the host still around
 local_action: known_hosts path={{item}} host={{ inventory_hostname }} state=absent
 ignore_errors: True
diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml
index b6031b1f75..af57783e79 100644
--- a/tasks/yumrepos.yml
+++ b/tasks/yumrepos.yml
@@ -15,6 +15,14 @@
 - packages
 - yumrepos
+- name: put openshift 3.4 repo on os- systems
+ copy: src="{{ files }}/openshift/openshift.repo" dest="/etc/yum.repos.d/openshift.repo"
+ when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == 7 and inventory_hostname.startswith('os-')
+ tags:
+ - config
+ - packages
+ - yumrepos
+
 - name: put epel repos on el systems
 copy: src="{{ files }}/common/epel{{ ansible_distribution_major_version }}.repo" dest="/etc/yum.repos.d/epel{{ ansible_distribution_major_version }}.repo"
 when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and use_default_epel)
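Review bot: The new openshift task's `when:` compares `ansible_distribution_major_version` to the integer `7`, while that fact is gathered as a string (the epel task just below interpolates it into a filename); depending on how the Ansible version in use evaluates the conditional this may never match, and the repo would then silently not be installed on the `os-` hosts, so quoting it as `'7'` is the safe form. The `openshift.repo` file being copied is not part of this diff, so it is worth confirming it sets `gpgcheck=1` and ships the matching key, since these hosts will install packages from it.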
