From 576c4823b18602cabf128f3a1821a563aef30c4a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 May 2017 16:31:11 +0000 Subject: [PATCH 001/308] take these out for a bit more --- inventory/inventory | 46 ++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index 39356158ff..352a261347 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -769,10 +769,10 @@ mm-backend01.stg.phx2.fedoraproject.org mm-crawler01.stg.phx2.fedoraproject.org beaker-stg01.qa.fedoraproject.org zanata2fedmsg01.stg.phx2.fedoraproject.org -osbs-control01.stg.phx2.fedoraproject.org -osbs-master01.stg.phx2.fedoraproject.org -osbs-node01.stg.phx2.fedoraproject.org -osbs-node02.stg.phx2.fedoraproject.org +#osbs-control01.stg.phx2.fedoraproject.org +#osbs-master01.stg.phx2.fedoraproject.org +#osbs-node01.stg.phx2.fedoraproject.org +#osbs-node02.stg.phx2.fedoraproject.org docker-registry01.stg.phx2.fedoraproject.org docker-registry02.stg.phx2.fedoraproject.org docker-candidate-registry01.stg.phx2.fedoraproject.org 
@@ -1310,25 +1310,25 @@ qa14.qa.fedoraproject.org taskotron-stg01.qa.fedoraproject.org taskotron01.qa.fedoraproject.org -[osbs-control] -osbs-control01.phx2.fedoraproject.org - -[osbs-control-stg] -osbs-control01.stg.phx2.fedoraproject.org - -[osbs-nodes] -osbs-node01.phx2.fedoraproject.org -osbs-node02.phx2.fedoraproject.org - -[osbs-masters] -osbs-master01.phx2.fedoraproject.org - -[osbs-masters-stg] -osbs-master01.stg.phx2.fedoraproject.org - -[osbs-nodes-stg] -osbs-node01.stg.phx2.fedoraproject.org -osbs-node02.stg.phx2.fedoraproject.org +#[osbs-control] +#osbs-control01.phx2.fedoraproject.org +# +#[osbs-control-stg] +#osbs-control01.stg.phx2.fedoraproject.org +# +#[osbs-nodes] +#osbs-node01.phx2.fedoraproject.org +#osbs-node02.phx2.fedoraproject.org +# +#[osbs-masters] +#osbs-master01.phx2.fedoraproject.org +# +#[osbs-masters-stg] +#osbs-master01.stg.phx2.fedoraproject.org +# +#[osbs-nodes-stg] +#osbs-node01.stg.phx2.fedoraproject.org +#osbs-node02.stg.phx2.fedoraproject.org [os-control-stg] os-control01.stg.phx2.fedoraproject.org From 5f87c6e08d0221bf3a41a085cbdfb4f83f50823f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 May 2017 16:48:16 +0000 Subject: [PATCH 002/308] comment right hosts --- inventory/inventory | 56 ++++++++++++++++++++++----------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index 352a261347..6083fc18fa 100644 --- a/inventory/inventory +++ b/inventory/inventory 
@@ -1310,37 +1310,37 @@ qa14.qa.fedoraproject.org taskotron-stg01.qa.fedoraproject.org taskotron01.qa.fedoraproject.org -#[osbs-control] -#osbs-control01.phx2.fedoraproject.org -# -#[osbs-control-stg] -#osbs-control01.stg.phx2.fedoraproject.org -# -#[osbs-nodes] -#osbs-node01.phx2.fedoraproject.org -#osbs-node02.phx2.fedoraproject.org -# -#[osbs-masters] -#osbs-master01.phx2.fedoraproject.org -# -#[osbs-masters-stg] -#osbs-master01.stg.phx2.fedoraproject.org -# -#[osbs-nodes-stg] -#osbs-node01.stg.phx2.fedoraproject.org -#osbs-node02.stg.phx2.fedoraproject.org +[osbs-control] +osbs-control01.phx2.fedoraproject.org -[os-control-stg] -os-control01.stg.phx2.fedoraproject.org +[osbs-control-stg] +osbs-control01.stg.phx2.fedoraproject.org -[os-master-stg] -os-master01.stg.phx2.fedoraproject.org -os-master02.stg.phx2.fedoraproject.org -os-master03.stg.phx2.fedoraproject.org +[osbs-nodes] +osbs-node01.phx2.fedoraproject.org +osbs-node02.phx2.fedoraproject.org -[os-node-stg] -os-node01.stg.phx2.fedoraproject.org -os-node02.stg.phx2.fedoraproject.org +[osbs-masters] +osbs-master01.phx2.fedoraproject.org + +[osbs-masters-stg] +osbs-master01.stg.phx2.fedoraproject.org + +[osbs-nodes-stg] +osbs-node01.stg.phx2.fedoraproject.org +osbs-node02.stg.phx2.fedoraproject.org + +#[os-control-stg] +#os-control01.stg.phx2.fedoraproject.org +# +#[os-master-stg] +#os-master01.stg.phx2.fedoraproject.org +#os-master02.stg.phx2.fedoraproject.org +#os-master03.stg.phx2.fedoraproject.org +# +#[os-node-stg] +#os-node01.stg.phx2.fedoraproject.org +#os-node02.stg.phx2.fedoraproject.org # Docker (docker-distribution) registries [docker-registry] From 994621619e8ccd44655df003e251072e333d3539 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Wed, 10 May 2017 17:08:29 +0000 Subject: [PATCH 003/308] add ci host in cc rdu --- .../host_vars/ci-cc-rdu01.fedoraproject.org | 14 +++++++ inventory/inventory | 2 + playbooks/groups/ci.yml | 39 +++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 inventory/host_vars/ci-cc-rdu01.fedoraproject.org create mode 100644 playbooks/groups/ci.yml diff --git a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org new file mode 100644 index 0000000000..a568e93263 --- /dev/null +++ b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org @@ -0,0 +1,14 @@ +--- +nrpe_procs_warn: 900 +nrpe_procs_crit: 1000 +datacenter: rdu-cc +eth0_ip: 8.43.85.69 +eth0_nm: 255.255.255.0 +gw: 8.43.85.254 +dns: 8.8.8.8 +postfix_group: vpn +vpn: true +volgroup: /dev/vg_guests +vmhost: virthost-cc-rdu01.fedoraproject.org +ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-25 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ diff --git a/inventory/inventory b/inventory/inventory index 6083fc18fa..2761bb5a14 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1341,6 +1341,8 @@ osbs-node02.stg.phx2.fedoraproject.org #[os-node-stg] #os-node01.stg.phx2.fedoraproject.org #os-node02.stg.phx2.fedoraproject.org +[ci] +ci-cc-rdu01.fedoraproject.org # Docker (docker-distribution) registries [docker-registry] diff --git a/playbooks/groups/ci.yml b/playbooks/groups/ci.yml new file mode 100644 index 0000000000..a58e097743 --- /dev/null +++ b/playbooks/groups/ci.yml 
@@ -0,0 +1,39 @@ +--- +# create a new taskotron dev server +# NOTE: make sure there is room/space for this server on the vmhost +# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars + +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=ci-cc-rdu01.fedoraproject.org" + +- name: make the box be real + hosts: ci + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - { role: base, tags: ['base'] } + - { role: rkhunter, tags: ['rkhunter'] } + - { role: nagios_client, tags: ['nagios_client'] } + - { role: hosts, tags: ['hosts']} + - { role: fas_client, tags: ['fas_client'] } + - { role: collectd/base, tags: ['collectd_base'] } + - { role: dnf-automatic, tags: ['dnfautomatic'] } + - { role: sudo, tags: ['sudo'] } + - { role: openvpn/client, + when: deployment_type == "prod", tags: ['openvpn_client'] } + - apache + - { role: fedmsg/base } + + tasks: + # this is how you include other task lists + - include: "{{ tasks_path }}/yumrepos.yml" + - include: "{{ tasks_path }}/2fa_client.yml" + - include: "{{ tasks_path }}/motd.yml" + + handlers: + - include: "{{ handlers_path }}/restart_services.yml" From b7dac358a447bdf03a3f535bd394589d8865b33e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 May 2017 17:09:44 +0000 Subject: [PATCH 004/308] add nm --- inventory/host_vars/ci-cc-rdu01.fedoraproject.org | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org index a568e93263..9cfe56cc84 100644 --- a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org +++ b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org @@ -5,6 +5,7 @@ datacenter: rdu-cc eth0_ip: 8.43.85.69 eth0_nm: 255.255.255.0 gw: 8.43.85.254 +nm: 255.255.255.0 dns: 8.8.8.8 postfix_group: vpn vpn: true 
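Review bot: The `openvpn/client` role in the new `playbooks/groups/ci.yml` is gated on `deployment_type == "prod"`, but the host_vars file added in the same commit sets `vpn: true` and `postfix_group: vpn` without defining `deployment_type`, and no group vars for the new `[ci]` group appear in the patch. If that variable is not supplied from somewhere not shown here, the condition either fails on an undefined variable or silently skips the VPN client on a host that is otherwise configured to use the VPN; confirm where it is set for this host. The header comment is also copied from another playbook: `# create a new taskotron dev server` should read `# create a new ci server`, and the `group_vars/mirrorlist` note should name the vars source this play actually uses.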
From e1abcd8a1ec8a69de1f6c240b9d3ccedcc49660e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 May 2017 17:16:51 +0000 Subject: [PATCH 005/308] add nagios checks for fed-cloud09 --- inventory/host_vars/fed-cloud09.cloud.fedoraproject.org | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org index 591e9a6819..a72a6bb8ac 100644 --- a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org +++ b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org @@ -4,3 +4,7 @@ nrpe_procs_warn: 900 nrpe_procs_crit: 1000 host_group: openstack-compute ansible_ifcfg_blacklist: true + +nagios_Check_Services: + nrpe: true + sshd: true From 3d67e46d417bbfbb4e5bffe4551cb7f70e2eb673 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Wed, 10 May 2017 17:21:30 +0000 Subject: [PATCH 006/308] and we have a subzone thanks apprentices! --- roles/dns/files/named.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf index 9b377bb29f..e41cc274d3 100644 --- a/roles/dns/files/named.conf +++ b/roles/dns/files/named.conf @@ -151,6 +151,11 @@ view "QA" { file "/var/named/master/built/phx2.fedoraproject.org.signed"; }; + zone "stg.phx2.fedoraproject.org" { + type master; + file "/var/named/master/built/stg.phx2.fedoraproject.org.signed"; + }; + zone "mgmt.fedoraproject.org" { type master; file "/var/named/master/built/mgmt.fedoraproject.org"; @@ -306,6 +311,11 @@ view "PHX2" { file "/var/named/master/built/phx2.fedoraproject.org.signed"; }; + zone "stg.phx2.fedoraproject.org" { + type master; + file "/var/named/master/built/stg.phx2.fedoraproject.org.signed"; + }; + zone "mgmt.fedoraproject.org" { type master; file "/var/named/master/built/mgmt.fedoraproject.org"; From ccd70620e74da6f691e216d44ce937a4164c6153 Mon Sep 17 00:00:00 2001 
From: Stephen Smoogen Date: Wed, 10 May 2017 17:32:15 +0000 Subject: [PATCH 007/308] and we didnt sign this --- roles/dns/files/named.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf index e41cc274d3..487c1c4fc9 100644 --- a/roles/dns/files/named.conf +++ b/roles/dns/files/named.conf @@ -153,7 +153,7 @@ view "QA" { zone "stg.phx2.fedoraproject.org" { type master; - file "/var/named/master/built/stg.phx2.fedoraproject.org.signed"; + file "/var/named/master/built/stg.phx2.fedoraproject.org"; }; zone "mgmt.fedoraproject.org" { @@ -313,7 +313,7 @@ view "PHX2" { zone "stg.phx2.fedoraproject.org" { type master; - file "/var/named/master/built/stg.phx2.fedoraproject.org.signed"; + file "/var/named/master/built/stg.phx2.fedoraproject.org"; }; zone "mgmt.fedoraproject.org" { From cb186f25703fc8b38217263bfe2a2c2c6f055547 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 May 2017 17:40:25 +0000 Subject: [PATCH 008/308] comment back things --- inventory/inventory | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index 2761bb5a14..1129bfb6e4 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -769,10 +769,10 @@ mm-backend01.stg.phx2.fedoraproject.org mm-crawler01.stg.phx2.fedoraproject.org beaker-stg01.qa.fedoraproject.org zanata2fedmsg01.stg.phx2.fedoraproject.org -#osbs-control01.stg.phx2.fedoraproject.org -#osbs-master01.stg.phx2.fedoraproject.org -#osbs-node01.stg.phx2.fedoraproject.org -#osbs-node02.stg.phx2.fedoraproject.org +osbs-control01.stg.phx2.fedoraproject.org +osbs-master01.stg.phx2.fedoraproject.org +osbs-node01.stg.phx2.fedoraproject.org +osbs-node02.stg.phx2.fedoraproject.org docker-registry01.stg.phx2.fedoraproject.org docker-registry02.stg.phx2.fedoraproject.org docker-candidate-registry01.stg.phx2.fedoraproject.org 
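Review bot: Loading `stg.phx2.fedoraproject.org` from the unsigned file leaves the new subzone outside the DNSSEC chain, while the parent `phx2.fedoraproject.org` zone in the same views is loaded from a `.signed` file (visible as context in the preceding commit); this applies to both the `view "QA"` and the `view "PHX2"` hunk. Whether validating resolvers accept the unsigned answers depends on how the signed parent delegates `stg.phx2`, which is zone data not shown here, so that is worth checking before relying on this. A comment beside each zone block, e.g. `// unsigned for now: sign the zone and switch back to the .signed file`, would keep the temporary state from becoming permanent. Both zone blocks continue outside their hunks.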
@@ -1330,17 +1330,18 @@ osbs-master01.stg.phx2.fedoraproject.org osbs-node01.stg.phx2.fedoraproject.org osbs-node02.stg.phx2.fedoraproject.org -#[os-control-stg] -#os-control01.stg.phx2.fedoraproject.org -# -#[os-master-stg] -#os-master01.stg.phx2.fedoraproject.org -#os-master02.stg.phx2.fedoraproject.org -#os-master03.stg.phx2.fedoraproject.org -# -#[os-node-stg] -#os-node01.stg.phx2.fedoraproject.org -#os-node02.stg.phx2.fedoraproject.org +[os-control-stg] +os-control01.stg.phx2.fedoraproject.org + +[os-master-stg] +os-master01.stg.phx2.fedoraproject.org +os-master02.stg.phx2.fedoraproject.org +os-master03.stg.phx2.fedoraproject.org + +[os-node-stg] +os-node01.stg.phx2.fedoraproject.org +os-node02.stg.phx2.fedoraproject.org + [ci] ci-cc-rdu01.fedoraproject.org From a9c89fee57ed72328d49e7808a7b22bbfb3c19cc Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 May 2017 17:41:30 +0000 Subject: [PATCH 009/308] fix kickstart ip --- inventory/host_vars/ci-cc-rdu01.fedoraproject.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org index 9cfe56cc84..95efa95bfe 100644 --- a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org +++ b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org @@ -11,5 +11,5 @@ postfix_group: vpn vpn: true volgroup: /dev/vg_guests vmhost: virthost-cc-rdu01.fedoraproject.org -ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-25 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ +ks_url: http://209.132.181.6/repo/rhel/ks/buildvm-fedora-25 +ks_repo: http://209.132.181.6/pub/fedora/linux/releases/25/Server/x86_64/os/ From e956f973e651f38e809263faae879ed310e408dd Mon Sep 17 00:00:00 2001 
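Review bot: In the `ci-cc-rdu01` host_vars hunk, `ks_url` and `ks_repo` now point at a public address (`209.132.181.6`) over plain `http://`, so the kickstart and the install tree for this host are fetched without any transport integrity. The host lives in `datacenter: rdu-cc` with a public `eth0_ip`, so the fetch presumably crosses networks the project does not control, and a kickstart decides what gets installed and run on the new machine at build time. If the kickstart server offers TLS (not visible here), prefer a named HTTPS endpoint, e.g. `ks_url: https://<kickstart-host>/repo/rhel/ks/buildvm-fedora-25` (placeholder host), and the same for `ks_repo`; otherwise note next to these keys that the install must go over the VPN or another trusted path.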
From: Kevin Fenzi Date: Wed, 10 May 2017 17:43:43 +0000 Subject: [PATCH 010/308] fix kickstarts --- inventory/host_vars/os-master02.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-master03.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-node01.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-node02.stg.phx2.fedoraproject.org | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org index 4ee9672b95..b77dea1de9 100644 --- a/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org @@ -2,7 +2,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-host-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.102 diff --git a/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org index 741b8f3f12..271bbdd290 100644 --- a/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org @@ -2,7 +2,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-host-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.103 diff --git a/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org b/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org index abddf35d54..2455330d7e 100644 --- a/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org 
@@ -2,7 +2,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-host-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.104 diff --git a/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org b/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org index 3e06baf710..5b3242e416 100644 --- a/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org @@ -2,7 +2,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-host-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.105 From 4ba79d50c39f5f034b8a5bb3953681d8d4cfe110 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 May 2017 18:17:09 +0000 Subject: [PATCH 011/308] fix plural --- inventory/inventory | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index 1129bfb6e4..1b6651e04c 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1333,12 +1333,12 @@ osbs-node02.stg.phx2.fedoraproject.org [os-control-stg] os-control01.stg.phx2.fedoraproject.org -[os-master-stg] +[os-masters-stg] os-master01.stg.phx2.fedoraproject.org os-master02.stg.phx2.fedoraproject.org os-master03.stg.phx2.fedoraproject.org -[os-node-stg] +[os-nodes-stg] os-node01.stg.phx2.fedoraproject.org os-node02.stg.phx2.fedoraproject.org From 74d69f944f2e29f1f8efe9067f96035e58ae992c Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Wed, 10 May 2017 18:30:55 +0000 Subject: [PATCH 012/308] change to rpm based for now --- inventory/host_vars/os-master01.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-master02.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-master03.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-node01.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-node02.stg.phx2.fedoraproject.org | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org index b3c0bf999e..33119e134d 100644 --- a/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org @@ -2,7 +2,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.101 diff --git a/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org index b77dea1de9..297ab847cd 100644 --- a/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org @@ -2,7 +2,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.102 diff --git a/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org index 271bbdd290..9a46c928e6 100644 --- a/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org 
@@ -2,7 +2,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.103 diff --git a/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org b/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org index 2455330d7e..90bcaa6e89 100644 --- a/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org @@ -2,7 +2,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.104 diff --git a/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org b/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org index 5b3242e416..f5b394018d 100644 --- a/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org @@ -2,7 +2,7 @@ nm: 255.255.255.0 gw: 10.5.128.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-atomic-rhel-7 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.105 From 0a596de716b2f79cdfc8f0ec846dcf9197dda10d Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Wed, 10 May 2017 18:37:38 +0000 Subject: [PATCH 013/308] move everything to vh05 --- inventory/host_vars/os-control01.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-master01.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-master02.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-master03.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-node01.stg.phx2.fedoraproject.org | 2 +- inventory/host_vars/os-node02.stg.phx2.fedoraproject.org | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventory/host_vars/os-control01.stg.phx2.fedoraproject.org b/inventory/host_vars/os-control01.stg.phx2.fedoraproject.org index 16602435ae..b0652797ec 100644 --- a/inventory/host_vars/os-control01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-control01.stg.phx2.fedoraproject.org @@ -8,5 +8,5 @@ ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.100 -vmhost: virthost04.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 diff --git a/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org index 33119e134d..75490b155b 100644 --- a/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master01.stg.phx2.fedoraproject.org @@ -6,7 +6,7 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.101 -vmhost: virthost11.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-stg diff --git a/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org index 297ab847cd..a74fbd91b0 100644 --- a/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master02.stg.phx2.fedoraproject.org 
@@ -6,7 +6,7 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.102 -vmhost: virthost04.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-stg diff --git a/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org b/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org index 9a46c928e6..4a67647798 100644 --- a/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-master03.stg.phx2.fedoraproject.org @@ -6,7 +6,7 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.103 -vmhost: virthost04.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-stg diff --git a/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org b/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org index 90bcaa6e89..bec3101515 100644 --- a/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-node01.stg.phx2.fedoraproject.org @@ -6,7 +6,7 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.104 -vmhost: virthost11.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-nodes-stg diff --git a/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org b/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org index f5b394018d..8da8ad342c 100644 --- a/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/os-node02.stg.phx2.fedoraproject.org 
@@ -6,7 +6,7 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ volgroup: /dev/vg_guests eth0_ip: 10.5.128.105 -vmhost: virthost04.phx2.fedoraproject.org +vmhost: virthost05.phx2.fedoraproject.org datacenter: phx2 host_group: os-nodes-stg From fa101ba51dfbc1cd889d5c09e651201bfd808077 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Wed, 10 May 2017 18:41:40 +0000 Subject: [PATCH 014/308] Make ansible-ansible-openshift-ansible more generic Previously the ansible-ansible-openshift-ansible role was extremely limited and wasn't very useful outside the scope of OSBS. This change makes it more generic so that it can be used to deploy a full OpenShift Container Platform cluster. Necessary updates for the osbs group playbook is also in this change Signed-off-by: Adam Miller --- inventory/group_vars/os-masters-stg | 4 + inventory/group_vars/os-nodes-stg | 4 + playbooks/groups/os-cluster.yml | 40 + playbooks/groups/osbs-cluster.yml | 18 + .../defaults/main.yml | 42 +- .../templates/cluster-inventory.j2 | 766 +++++++++++++++++- 6 files changed, 866 insertions(+), 8 deletions(-) create mode 100644 inventory/group_vars/os-masters-stg create mode 100644 inventory/group_vars/os-nodes-stg diff --git a/inventory/group_vars/os-masters-stg b/inventory/group_vars/os-masters-stg new file mode 100644 index 0000000000..63a4f230c3 --- /dev/null +++ b/inventory/group_vars/os-masters-stg @@ -0,0 +1,4 @@ +--- + +os_url: os.stg.fedoraproject.org +os_app_url: app.os.stg.fedoraproject.org diff --git a/inventory/group_vars/os-nodes-stg b/inventory/group_vars/os-nodes-stg new file mode 100644 index 0000000000..63a4f230c3 --- /dev/null +++ b/inventory/group_vars/os-nodes-stg @@ -0,0 +1,4 @@ +--- + +os_url: os.stg.fedoraproject.org +os_app_url: app.os.stg.fedoraproject.org diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 5d0185bb5e..8a786c60dd 100644 --- a/playbooks/groups/os-cluster.yml 
+++ b/playbooks/groups/os-cluster.yml @@ -156,3 +156,43 @@ copy: src: "{{files}}/os/docker-storage-setup" dest: "/etc/sysconfig/docker-storage-setup" + +- +- name: Deploy OpenShift cluster +hosts: os-control-stg + tags: + - os-cluster-deploy + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + + roles: + - { + role: ansible-ansible-openshift-ansible, + cluster_inventory_filename: "cluster-inventory-stg", + openshift_release: "v3.5", + openshift_ansible_path: "/root/openshift-ansible", + openshift_ansible_playbook: "playbooks/byo/config.yml", + openshift_ansible_version: "openshift-ansible-3.5.69-1", + openshift_ansible_ssh_user: root, + openshift_ansible_install_examples: true, + openshift_ansible_containerized_deploy: true, + openshift_cluster_masters_group: "os-masters-stg", + openshift_cluster_nodes_group: "os-nodes-stg", + openshift_cluster_infra_group: "os-nodes-stg", + openshift_auth_profile: "fedoraidp", + openshift_cluster_url: "{{os_url}}", + openshift_master_ha: false, + openshift_debug_level: 2, + openshift_deployment_type: "origin", + openshift_cluster_url: "{{ os_url}}", + openshift_app_subdomain: "{{ os_app_url }}" + when: env == 'staging', + tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] + } + diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 726bb92795..7b1fce386d 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml 
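Review bot: The role mapping in the new `Deploy OpenShift cluster` play has no comma after `openshift_app_subdomain: "{{ os_app_url }}"`, so the following `when: env == 'staging',` is not a separate entry of the flow mapping and the playbook should fail to parse. Both role entries changed in `playbooks/groups/osbs-cluster.yml` have the same problem after the added `openshift_deployment_type: "origin"` line. The fixes are `openshift_app_subdomain: "{{ os_app_url }}",` and `openshift_deployment_type: "origin",`. In the same mapping `openshift_cluster_url` is given twice (`"{{os_url}}"` and `"{{ os_url}}"`); keep one. As far as this collapsed page shows, `hosts: os-control-stg` is indented differently from `tags:` and a lone `-` line precedes the play, so check both against the real file.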
@@ -205,8 +205,17 @@ openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_playbook: "playbooks/byo/config.yml", openshift_ansible_version: "openshift-ansible-3.3.57-1", + openshift_ansible_ssh_user: root, + openshift_ansible_install_examples: false, + openshift_ansible_containerized_deploy: false, openshift_cluster_masters_group: "osbs-masters-stg", openshift_cluster_nodes_group: "osbs-nodes-stg", + openshift_cluster_infra_group: "osbs-masters-stg", + openshift_auth_profile: "osbs", + openshift_cluster_url: "{{osbs_url}}", + openshift_master_ha: false, + openshift_debug_level: 2, + openshift_deployment_type: "origin" when: env == 'staging', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } @@ -219,8 +228,17 @@ openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_playbook: "playbooks/byo/config.yml", openshift_ansible_version: "openshift-ansible-3.3.57-1", + openshift_ansible_ssh_user: root, + openshift_ansible_install_examples: false, + openshift_ansible_containerized_deploy: false, openshift_cluster_masters_group: "osbs-masters", openshift_cluster_nodes_group: "osbs-nodes", + openshift_cluster_infra_group: "osbs-masters", + openshift_auth_profile: "osbs", + openshift_cluster_url: "{{osbs_url}}", + openshift_master_ha: false, + openshift_debug_level: 2, + openshift_deployment_type: "origin" when: env == 'production', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } diff --git a/roles/ansible-ansible-openshift-ansible/defaults/main.yml b/roles/ansible-ansible-openshift-ansible/defaults/main.yml index ab724b1db4..9100c4569d 100644 --- a/roles/ansible-ansible-openshift-ansible/defaults/main.yml +++ b/roles/ansible-ansible-openshift-ansible/defaults/main.yml 
@@ -1,12 +1,51 @@ --- # defaults file for ansible-ansible-openshift-ansible # +# +# + +# Auth Profile +# These are Fedora Infra specific auth profiles +# +# Acceptable values: +# osbs - this will configure htpasswd for use with osbs +# fedoraidp - configure for fedora idp +openshift_auth_profile: osbs + +# Do we want OpenShift itself to be containerized? +# This is a requirement if using Atomic Host +openshift_ansible_containerized_deploy: true + +# OpenShift Cluster URL +# Example: openshift.fedoraproject.org +openshift_cluster_url: None + +# OpenShift Applications Ingress subdomain (OpenShift routes) +openshift_app_subdomain: None + +# Setup native OpenShift Master High Availability (true or false) +openshift_master_ha: false # Destination file name for template-generated cluster inventory cluster_inventory_filename: "cluster-inventory" +# Ansible user for use with openshift-ansible playbooks +openshift_ansible_ssh_user: root + +# OpenShift Debug level (Default is 2 upstream) +openshift_debug_level: 2 + # Release required as per the openshift-ansible -openshift_release: "v1.2" +openshift_release: "v1.5.0" + +# OpenShift Deployment Type +# Possible options: +# origin +# openshift-enterprise +openshift_deployment_type: origin + +# Install the OpenShift App Examples (value should be "true" or "false") +openshift_ansible_install_examples: false # Path to clone the openshift-ansible git repo into openshift_ansible_path: "/root/openshift-ansible" @@ -28,4 +67,5 @@ openshift_ansible_version: "openshift-ansible-3.2.35-1" # empty causing undesired effects. openshift_cluster_masters_group: "openshift-cluster-masters" openshift_cluster_nodes_group: "openshift-cluster-nodes" +openshift_cluster_infra_group: "openshift-cluster-nodes" diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 620cea2214..6c1d36adda 100644 
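Review bot: In `defaults/main.yml`, `openshift_cluster_url: None` and `openshift_app_subdomain: None` are the string "None" in YAML rather than a null, so a caller that forgets to set them would presumably get that literal text in the generated cluster inventory instead of an error. Use `openshift_cluster_url: null` and `openshift_app_subdomain: null`, or omit the defaults so a missing value fails loudly. The comment on `openshift_ansible_install_examples` says the value should be "true" or "false", but the default is the bare boolean `false` and `os-cluster.yml` passes a bare `true`, while the template in this commit tests `openshift_ansible_install_examples == "true"`. A boolean will not equal that string, so the examples setting looks like it is never emitted; `{% if openshift_ansible_install_examples|bool %}` would accept both forms.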
--- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 
@@ -1,17 +1,766 @@ +# This is based on the example inventories provided by the upstream +# openshift-ansible project available: +# https://github.com/openshift/openshift-ansible/tree/master/inventory/byo + + +# Create an OSEv3 group that contains the masters and nodes groups [OSEv3:children] masters nodes etcd lb +# Add this if using nfs and have defined the nfs group +#nfs + +# Set variables common for all OSEv3 hosts [OSEv3:vars] -ansible_ssh_user=root -debug_level=2 -deployment_type=origin -openshift_release={{ openshift_release }} +# SSH user, this user should allow ssh based auth without requiring a +# password. If using ssh key based auth, then the key should be managed by an +# ssh agent. +ansible_ssh_user={{openshift_ansible_ssh_user}} + +# OpenShift Containerized deployment or not? +containerized={{openshift_ansible_containerized_deploy}} + +{% if openshift_ansible_ssh_user != "root" %} +# If ansible_ssh_user is not root, ansible_become must be set to true and the +# user must be configured for passwordless sudo +ansible_become=yes +{% endif %} + +# Debug level for all OpenShift components (Defaults to 2) +debug_level={{openshift_debug_level}} + +# Specify the deployment type. Valid values are origin and openshift-enterprise. +openshift_deployment_type={{openshift_deployment_type}} + +# Specify the generic release of OpenShift to install. This is used mainly just during installation, after which we +# rely on the version running on the first master. Works best for containerized installs where we can usually +# use this to lookup the latest exact version of the container images, which is the tag actually used to configure +# the cluster. For RPM installations we just verify the version detected in your configured repos matches this +# release. +openshift_release={{openshift_release}} + +# Specify an exact container image tag to install or configure. 
+# WARNING: This value will be used for all hosts in containerized environments, even those that have another version installed. +# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. +#openshift_image_tag=v3.5.0 + +# Specify an exact rpm version to install or configure. +# WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed. +# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. +#openshift_pkg_version=-3.5.0 + +# Install the openshift examples +{% if openshift_ansible_install_examples == "true" %} +openshift_install_examples={{openshift_ansible_install_examples}} +{% endif %} + +# Configure logoutURL in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#changing-the-logout-url +#openshift_master_logout_url=http://example.com + +# Configure extensionScripts in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#loading-custom-scripts-and-stylesheets +#openshift_master_extension_scripts=['/path/to/script1.js','/path/to/script2.js'] + +# Configure extensionStylesheets in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#loading-custom-scripts-and-stylesheets +#openshift_master_extension_stylesheets=['/path/to/stylesheet1.css','/path/to/stylesheet2.css'] + +# Configure extensions in the master config for console customization +# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files +#openshift_master_extensions=[{'name': 'images', 'sourceDirectory': '/path/to/my_images'}] + +# Configure extensions in the master config for console customization +# See: 
https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files +#openshift_master_oauth_template=/path/to/login-template.html + +# Configure imagePolicyConfig in the master config +# See: https://godoc.org/github.com/openshift/origin/pkg/cmd/server/api#ImagePolicyConfig +#openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": true} + +# Docker Configuration +# Add additional, insecure, and blocked registries to global docker configuration +# For enterprise deployment types we ensure that registry.access.redhat.com is +# included if you do not include it +#openshift_docker_additional_registries=registry.example.com +#openshift_docker_insecure_registries=registry.example.com +#openshift_docker_blocked_registries=registry.hacker.com +# Disable pushing to dockerhub +#openshift_docker_disable_push_dockerhub=True +# Use Docker inside a System Container. Note that this is a tech preview and should +# not be used to upgrade! +# The following options for docker are ignored: +# - docker_version +# - docker_upgrade +# The following options must not be used +# - openshift_docker_options +#openshift_docker_use_system_container=False +# Force the registry to use for the system container. By default the registry +# will be built off of the deployment type and ansible_distribution. Only +# use this option if you are sure you know what you are doing! +#openshift_docker_systemcontainer_image_registry_override="registry.example.com" +# Items added, as is, to end of /etc/sysconfig/docker OPTIONS +# Default value: "--log-driver=journald" +#openshift_docker_options="-l warn --ipv6=false" + +# Specify exact version of Docker to configure or upgrade to. +# Downgrades are not supported and will error out. Be careful when upgrading docker from < 1.10 to > 1.10. +# docker_version="1.12.1" + +# Skip upgrading Docker during an OpenShift upgrade, leaves the current Docker version alone. 
+# docker_upgrade=False + +# Specify exact version of etcd to configure or upgrade to. +# etcd_version="3.1.0" +# Enable etcd debug logging, defaults to false +# etcd_debug=true +# Set etcd log levels by package +# etcd_log_package_levels="etcdserver=WARNING,security=DEBUG" + +# Upgrade Hooks +# +# Hooks are available to run custom tasks at various points during a cluster +# upgrade. Each hook should point to a file with Ansible tasks defined. Suggest using +# absolute paths, if not the path will be treated as relative to the file where the +# hook is actually used. +# +# Tasks to run before each master is upgraded. +# openshift_master_upgrade_pre_hook=/usr/share/custom/pre_master.yml +# +# Tasks to run to upgrade the master. These tasks run after the main openshift-ansible +# upgrade steps, but before we restart system/services. +# openshift_master_upgrade_hook=/usr/share/custom/master.yml +# +# Tasks to run after each master is upgraded and system/services have been restarted. +# openshift_master_upgrade_post_hook=/usr/share/custom/post_master.yml + + +# Alternate image format string, useful if you've got your own registry mirror +#oreg_url=example.com/openshift3/ose-${component}:${version} +# If oreg_url points to a registry other than registry.access.redhat.com we can +# modify image streams to point at that registry by setting the following to true +#openshift_examples_modify_imagestreams=true + +# Additional yum repos to install +#openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://example.com/puddle/build/AtomicOpenShift/3.1/latest/RH7-RHOSE-3.0/$basearch/os', 'enabled': 1, 'gpgcheck': 0}] + +# htpasswd auth +openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}] +# Defining htpasswd users +#openshift_master_htpasswd_users={'user1': '', 'user2': ''} +# or +#openshift_master_htpasswd_file= + 
+# OSBS Specific Auth +{% if openshift_auth_profile="osbs" %} openshift_master_manage_htpasswd=false openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '{{ openshift_htpasswd_file }}'}] -openshift_master_public_api_url={{ openshift_master_public_api_url }} +{% endif %} + +{% if openshift_auth_profile="fedoraidp" %} +openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token"}, "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}] +{% endif %} + +# Allow all auth +#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}] + +# LDAP auth +#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': 'my-ldap-ca.crt', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}] +# +# Configure LDAP CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the LDAPPasswordIdentityProvider. 
+# +#openshift_master_ldap_ca= +# or +#openshift_master_ldap_ca_file= + +# OpenID auth +#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}] +# +# Configure OpenID CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the OpenIDIdentityProvider. +# +#openshift_master_openid_ca= +# or +#openshift_master_openid_ca_file= + +# Request header auth +#openshift_master_identity_providers=[{"name": "my_request_header_provider", "challenge": "true", "login": "true", "kind": "RequestHeaderIdentityProvider", "challengeURL": "https://www.example.com/challenging-proxy/oauth/authorize?${query}", "loginURL": "https://www.example.com/login-proxy/oauth/authorize?${query}", "clientCA": "my-request-header-ca.crt", "clientCommonNames": ["my-auth-proxy"], "headers": ["X-Remote-User", "SSO-User"], "emailHeaders": ["X-Remote-User-Email"], "nameHeaders": ["X-Remote-User-Display-Name"], "preferredUsernameHeaders": ["X-Remote-User-Login"]}] +# +# Configure request header CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "clientCA" +# key set within the RequestHeaderIdentityProvider. 
+# +#openshift_master_request_header_ca= +# or +#openshift_master_request_header_ca_file= + +{% if openshift_master_ha %} +# Native high availability cluster method with optional load balancer. +# If no lb group is defined, the installer assumes that a load balancer has +# been preconfigured. For installation the value of +# openshift_master_cluster_hostname must resolve to the load balancer +# or to one or all of the masters defined in the inventory if no load +# balancer is present. +openshift_master_cluster_method=native +openshift_master_cluster_hostname={{openshift_cluster_url}} +openshift_master_cluster_public_hostname={{openshift_cluster_url}} +{% endif %} + +# Override the default controller lease ttl +#osm_controller_lease_ttl=30 + +# Configure controller arguments +#osm_controller_args={'resource-quota-sync-period': ['10s']} + +# Configure api server arguments +#osm_api_server_args={'max-requests-inflight': ['400']} + +# default subdomain to use for exposed routes +{% if openshift_app_subdomain %} +openshift_master_default_subdomain={{openshift_app_subdomain}} +{% endif %} + +# additional cors origins +#osm_custom_cors_origins=['foo.example.com', 'bar.example.com'] + +# default project node selector +#osm_default_node_selector='region=primary' + +# Override the default pod eviction timeout +#openshift_master_pod_eviction_timeout=5m + +# Override the default oauth tokenConfig settings: +# openshift_master_access_token_max_seconds=86400 +# openshift_master_auth_token_max_seconds=500 + +# Override master servingInfo.maxRequestsInFlight +#openshift_master_max_requests_inflight=500 + +# Override master and node servingInfo.minTLSVersion and .cipherSuites +# valid TLS versions are VersionTLS10, VersionTLS11, VersionTLS12 +# example cipher suites override, valid cipher suites are https://golang.org/pkg/crypto/tls/#pkg-constants +#openshift_master_min_tls_version=VersionTLS12 +#openshift_master_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...'] +# 
+#openshift_node_min_tls_version=VersionTLS12 +#openshift_node_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...'] + +# default storage plugin dependencies to install, by default the ceph and +# glusterfs plugin dependencies will be installed, if available. +#osn_storage_plugin_deps=['ceph','glusterfs'] + +# OpenShift Router Options +# +# An OpenShift router will be created during install if there are +# nodes present with labels matching the default router selector, +# "region=infra". Set openshift_node_labels per node as needed in +# order to label nodes. +# +# Example: +# [nodes] +# node.example.com openshift_node_labels="{'region': 'infra'}" +# +# Router selector (optional) +# Router will only be created if nodes matching this label are present. +# Default value: 'region=infra' +#openshift_hosted_router_selector='region=infra' +# +# Router replicas (optional) +# Unless specified, openshift-ansible will calculate the replica count +# based on the number of nodes matching the openshift router selector. +#openshift_hosted_router_replicas=2 +# +# Router force subdomain (optional) +# A router path format to force on all routes used by this router +# (will ignore the route host value) +#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com' +# +# Router certificate (optional) +# Provide local certificate paths which will be configured as the +# router's default certificate. +#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"} +# +# Disable management of the OpenShift Router +#openshift_hosted_manage_router=false +# +# Router sharding support has been added and can be achieved by supplying the correct +# data to the inventory. The variable to house the data is openshift_hosted_routers +# and is in the form of a list. If no data is passed then a default router will be +# created. There are multiple combinations of router sharding. 
The one described +# below supports routers on separate nodes. +#openshift_hosted_routers: +#- name: router1 +# stats_port: 1936 +# ports: +# - 80:80 +# - 443:443 +# replicas: 1 +# namespace: default +# serviceaccount: router +# selector: type=router1 +# images: "openshift3/ose-${component}:${version}" +# edits: [] +# certificates: +# certfile: /path/to/certificate/abc.crt +# keyfile: /path/to/certificate/abc.key +# cafile: /path/to/certificate/ca.crt +#- name: router2 +# stats_port: 1936 +# ports: +# - 80:80 +# - 443:443 +# replicas: 1 +# namespace: default +# serviceaccount: router +# selector: type=router2 +# images: "openshift3/ose-${component}:${version}" +# certificates: +# certfile: /path/to/certificate/xyz.crt +# keyfile: /path/to/certificate/xyz.key +# cafile: /path/to/certificate/ca.crt +# edits: +# # ROUTE_LABELS sets the router to listen for routes +# # tagged with the provided values +# - key: spec.template.spec.containers[0].env +# value: +# name: ROUTE_LABELS +# value: "route=external" +# action: append + +# OpenShift Registry Console Options +# Override the console image prefix for enterprise deployments, not used in origin +# default is "registry.access.redhat.com/openshift3/" and the image appended is "registry-console" +#openshift_cockpit_deployer_prefix=registry.example.com/myrepo/ +# Override image version, defaults to latest for origin, matches the product version for enterprise +#openshift_cockpit_deployer_version=1.4.1 + +# Openshift Registry Options +# +# An OpenShift registry will be created during install if there are +# nodes present with labels matching the default registry selector, +# "region=infra". Set openshift_node_labels per node as needed in +# order to label nodes. +# +# Example: +# [nodes] +# node.example.com openshift_node_labels="{'region': 'infra'}" +# +# Registry selector (optional) +# Registry will only be created if nodes matching this label are present. 
+# Default value: 'region=infra' +#openshift_hosted_registry_selector='region=infra' +# +# Registry replicas (optional) +# Unless specified, openshift-ansible will calculate the replica count +# based on the number of nodes matching the openshift registry selector. +#openshift_hosted_registry_replicas=2 +# +# Validity of the auto-generated certificate in days (optional) +#openshift_hosted_registry_cert_expire_days=730 +# +# Disable management of the OpenShift Registry +#openshift_hosted_manage_registry=false + +# Registry Storage Options +# +# NFS Host Group +# An NFS volume will be created with path "nfs_directory/volume_name" +# on the host within the [nfs] host group. For example, the volume +# path using these options would be "/exports/registry" +#openshift_hosted_registry_storage_kind=nfs +#openshift_hosted_registry_storage_access_modes=['ReadWriteMany'] +#openshift_hosted_registry_storage_nfs_directory=/exports +#openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)' +#openshift_hosted_registry_storage_volume_name=registry +#openshift_hosted_registry_storage_volume_size=10Gi +# +# External NFS Host +# NFS volume must already exist with path "nfs_directory/_volume_name" on +# the storage_host. For example, the remote volume path using these +# options would be "nfs.example.com:/exports/registry" +#openshift_hosted_registry_storage_kind=nfs +#openshift_hosted_registry_storage_access_modes=['ReadWriteMany'] +#openshift_hosted_registry_storage_host=nfs.example.com +#openshift_hosted_registry_storage_nfs_directory=/exports +#openshift_hosted_registry_storage_volume_name=registry +#openshift_hosted_registry_storage_volume_size=10Gi +# +# Openstack +# Volume must already exist. 
+#openshift_hosted_registry_storage_kind=openstack +#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce'] +#openshift_hosted_registry_storage_openstack_filesystem=ext4 +#openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57 +#openshift_hosted_registry_storage_volume_size=10Gi +# +# Native GlusterFS Registry Storage +#openshift_hosted_registry_storage_kind=glusterfs +# +# AWS S3 +# +# S3 bucket must already exist. +#openshift_hosted_registry_storage_kind=object +#openshift_hosted_registry_storage_provider=s3 +#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id +#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key +#openshift_hosted_registry_storage_s3_bucket=bucket_name +#openshift_hosted_registry_storage_s3_region=bucket_region +#openshift_hosted_registry_storage_s3_chunksize=26214400 +#openshift_hosted_registry_storage_s3_rootdirectory=/registry +#openshift_hosted_registry_pullthrough=true +#openshift_hosted_registry_acceptschema2=true +#openshift_hosted_registry_enforcequota=true +# +# Any S3 service (Minio, ExoScale, ...): Basically the same as above +# but with regionendpoint configured +# S3 bucket must already exist. +#openshift_hosted_registry_storage_kind=object +#openshift_hosted_registry_storage_provider=s3 +#openshift_hosted_registry_storage_s3_accesskey=access_key_id +#openshift_hosted_registry_storage_s3_secretkey=secret_access_key +#openshift_hosted_registry_storage_s3_regionendpoint=https://myendpoint.example.com/ +#openshift_hosted_registry_storage_s3_bucket=bucket_name +#openshift_hosted_registry_storage_s3_region=bucket_region +#openshift_hosted_registry_storage_s3_chunksize=26214400 +#openshift_hosted_registry_storage_s3_rootdirectory=/registry +#openshift_hosted_registry_pullthrough=true +#openshift_hosted_registry_acceptschema2=true +#openshift_hosted_registry_enforcequota=true +# +# Additional CloudFront Options. 
When using CloudFront all three +# of the followingg variables must be defined. +#openshift_hosted_registry_storage_s3_cloudfront_baseurl=https://myendpoint.cloudfront.net/ +#openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile=/full/path/to/secret.pem +#openshift_hosted_registry_storage_s3_cloudfront_keypairid=yourpairid + +# Metrics deployment +# See: https://docs.openshift.com/enterprise/latest/install_config/cluster_metrics.html +# +# By default metrics are not automatically deployed, set this to enable them +# openshift_hosted_metrics_deploy=true +# +# Storage Options +# If openshift_hosted_metrics_storage_kind is unset then metrics will be stored +# in an EmptyDir volume and will be deleted when the cassandra pod terminates. +# Storage options A & B currently support only one cassandra pod which is +# generally enough for up to 1000 pods. Additional volumes can be created +# manually after the fact and metrics scaled per the docs. +# +# Option A - NFS Host Group +# An NFS volume will be created with path "nfs_directory/volume_name" +# on the host within the [nfs] host group. For example, the volume +# path using these options would be "/exports/metrics" +#openshift_hosted_metrics_storage_kind=nfs +#openshift_hosted_metrics_storage_access_modes=['ReadWriteOnce'] +#openshift_hosted_metrics_storage_nfs_directory=/exports +#openshift_hosted_metrics_storage_nfs_options='*(rw,root_squash)' +#openshift_hosted_metrics_storage_volume_name=metrics +#openshift_hosted_metrics_storage_volume_size=10Gi +# +# Option B - External NFS Host +# NFS volume must already exist with path "nfs_directory/_volume_name" on +# the storage_host. 
For example, the remote volume path using these +# options would be "nfs.example.com:/exports/metrics" +#openshift_hosted_metrics_storage_kind=nfs +#openshift_hosted_metrics_storage_access_modes=['ReadWriteOnce'] +#openshift_hosted_metrics_storage_host=nfs.example.com +#openshift_hosted_metrics_storage_nfs_directory=/exports +#openshift_hosted_metrics_storage_volume_name=metrics +#openshift_hosted_metrics_storage_volume_size=10Gi +# +# Option C - Dynamic -- If openshift supports dynamic volume provisioning for +# your cloud platform use this. +#openshift_hosted_metrics_storage_kind=dynamic +# +# Other Metrics Options -- Common items you may wish to reconfigure, for the complete +# list of options please see roles/openshift_metrics/README.md +# +# Override metricsPublicURL in the master config for cluster metrics +# Defaults to https://hawkular-metrics.{{openshift_master_default_subdomain}}/hawkular/metrics +# Currently, you may only alter the hostname portion of the url, alterting the +# `/hawkular/metrics` path will break installation of metrics. +#openshift_hosted_metrics_public_url=https://hawkular-metrics.example.com/hawkular/metrics + +# Logging deployment +# +# Currently logging deployment is disabled by default, enable it by setting this +#openshift_hosted_logging_deploy=true +# +# Logging storage config +# Option A - NFS Host Group +# An NFS volume will be created with path "nfs_directory/volume_name" +# on the host within the [nfs] host group. 
For example, the volume +# path using these options would be "/exports/logging" +#openshift_hosted_logging_storage_kind=nfs +#openshift_hosted_logging_storage_access_modes=['ReadWriteOnce'] +#openshift_hosted_logging_storage_nfs_directory=/exports +#openshift_hosted_logging_storage_nfs_options='*(rw,root_squash)' +#openshift_hosted_logging_storage_volume_name=logging +#openshift_hosted_logging_storage_volume_size=10Gi +# +# Option B - External NFS Host +# NFS volume must already exist with path "nfs_directory/_volume_name" on +# the storage_host. For example, the remote volume path using these +# options would be "nfs.example.com:/exports/logging" +#openshift_hosted_logging_storage_kind=nfs +#openshift_hosted_logging_storage_access_modes=['ReadWriteOnce'] +#openshift_hosted_logging_storage_host=nfs.example.com +#openshift_hosted_logging_storage_nfs_directory=/exports +#openshift_hosted_logging_storage_volume_name=logging +#openshift_hosted_logging_storage_volume_size=10Gi +# +# Option C - Dynamic -- If openshift supports dynamic volume provisioning for +# your cloud platform use this. 
+#openshift_hosted_logging_storage_kind=dynamic +# +# Option D - none -- Logging will use emptydir volumes which are destroyed when +# pods are deleted +# +# Other Logging Options -- Common items you may wish to reconfigure, for the complete +# list of options please see roles/openshift_logging/README.md +# +# Configure loggingPublicURL in the master config for aggregate logging, defaults +# to kibana.{{ openshift_master_default_subdomain }} +#openshift_hosted_logging_hostname=logging.apps.example.com +# Configure the number of elastic search nodes, unless you're using dynamic provisioning +# this value must be 1 +#openshift_hosted_logging_elasticsearch_cluster_size=1 +# Configure the prefix and version for the component images +#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/ +#openshift_hosted_logging_deployer_version=3.5.0 + +# Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet') +# os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant' + +# Disable the OpenShift SDN plugin +# openshift_use_openshift_sdn=False + +# Configure SDN cluster network and kubernetes service CIDR blocks. These +# network blocks should be private and should not conflict with network blocks +# in your infrastructure that pods may require access to. Can not be changed +# after deployment. +# +# WARNING : Do not pick subnets that overlap with the default Docker bridge subnet of +# 172.17.0.0/16. Your installation will fail and/or your configuration change will +# cause the Pod SDN or Cluster SDN to fail. +# +# WORKAROUND : If you must use an overlapping subnet, you can configure a non conflicting +# docker0 CIDR range by adding '--bip=192.168.2.1/24' to DOCKER_NETWORK_OPTIONS +# environment variable located in /etc/sysconfig/docker-network. +#osm_cluster_network_cidr=10.128.0.0/14 +#openshift_portal_net=172.30.0.0/16 + +# ExternalIPNetworkCIDRs controls what values are acceptable for the +# service external IP field. 
If empty, no externalIP may be set. It +# may contain a list of CIDRs which are checked for access. If a CIDR +# is prefixed with !, IPs in that CIDR will be rejected. Rejections +# will be applied first, then the IP checked against one of the +# allowed CIDRs. You should ensure this range does not overlap with +# your nodes, pods, or service CIDRs for security reasons. +#openshift_master_external_ip_network_cidrs=['0.0.0.0/0'] + +# IngressIPNetworkCIDR controls the range to assign ingress IPs from for +# services of type LoadBalancer on bare metal. If empty, ingress IPs will not +# be assigned. It may contain a single CIDR that will be allocated from. For +# security reasons, you should ensure that this range does not overlap with +# the CIDRs reserved for external IPs, nodes, pods, or services. +#openshift_master_ingress_ip_network_cidr=172.46.0.0/16 + +# Configure number of bits to allocate to each host’s subnet e.g. 9 +# would mean a /23 network on the host. +#osm_host_subnet_length=9 + +# Configure master API and console ports. +#openshift_master_api_port=8443 +#openshift_master_console_port=8443 + +# set RPM version for debugging purposes +#openshift_pkg_version=-3.1.0.0 + +# Configure custom ca certificate +#openshift_master_ca_certificate={'certfile': '/path/to/ca.crt', 'keyfile': '/path/to/ca.key'} +# +# NOTE: CA certificate will not be replaced with existing clusters. +# This option may only be specified when creating a new cluster or +# when redeploying cluster certificates with the redeploy-certificates +# playbook. + +# Configure custom named certificates (SNI certificates) +# +# https://docs.openshift.com/enterprise/latest/install_config/certificate_customization.html +# +# NOTE: openshift_master_named_certificates is cached on masters and is an +# additive fact, meaning that each run with a different set of certificates +# will add the newly provided certificates to the cached set of certificates. 
+# +# An optional CA may be specified for each named certificate. CAs will +# be added to the OpenShift CA bundle which allows for the named +# certificate to be served for internal cluster communication. +# +# If you would like openshift_master_named_certificates to be overwritten with +# the provided value, specify openshift_master_overwrite_named_certificates. +#openshift_master_overwrite_named_certificates=true +# +# Provide local certificate paths which will be deployed to masters +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}] +# +# Detected names may be overridden by specifying the "names" key +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}] + +# Session options +#openshift_master_session_name=ssn +#openshift_master_session_max_seconds=3600 + +# An authentication and encryption secret will be generated if secrets +# are not provided. If provided, openshift_master_session_auth_secrets +# and openshift_master_encryption_secrets must be equal length. +# +# Signing secrets, used to authenticate sessions using +# HMAC. Recommended to use secrets with 32 or 64 bytes. +#openshift_master_session_auth_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO'] +# +# Encrypting secrets, used to encrypt sessions. Must be 16, 24, or 32 +# characters long, to select AES-128, AES-192, or AES-256. +#openshift_master_session_encryption_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO'] + +# configure how often node iptables rules are refreshed +#openshift_node_iptables_sync_period=5s + +# Configure nodeIP in the node config +# This is needed in cases where node traffic is desired to go over an +# interface other than the default network interface. 
+#openshift_set_node_ip=True + +# Force setting of system hostname when configuring OpenShift +# This works around issues related to installations that do not have valid dns +# entries for the interfaces attached to the host. +#openshift_set_hostname=True + +# Configure dnsIP in the node config +#openshift_dns_ip=172.30.0.1 + +# Configure node kubelet arguments. pods-per-core is valid in OpenShift Origin 1.3 or OpenShift Container Platform 3.3 and later. +#openshift_node_kubelet_args={'pods-per-core': ['10'], 'max-pods': ['250'], 'image-gc-high-threshold': ['90'], 'image-gc-low-threshold': ['80']} + +# Configure logrotate scripts +# See: https://github.com/nickhammond/ansible-logrotate +#logrotate_scripts=[{"name": "syslog", "path": "/var/log/cron\n/var/log/maillog\n/var/log/messages\n/var/log/secure\n/var/log/spooler\n", "options": ["daily", "rotate 7", "compress", "sharedscripts", "missingok"], "scripts": {"postrotate": "/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true"}}] + +# openshift-ansible will wait indefinitely for your input when it detects that the +# value of openshift_hostname resolves to an IP address not bound to any local +# interfaces. This mis-configuration is problematic for any pod leveraging host +# networking and liveness or readiness probes. +# Setting this variable to true will override that check. +#openshift_override_hostname_check=true + +# Configure dnsmasq for cluster dns, switch the host's local resolver to use dnsmasq +# and configure node's dnsIP to point at the node's local dnsmasq instance. Defaults +# to True for Origin 1.2 and OSE 3.2. False for 1.1 / 3.1 installs, this cannot +# be used with 1.0 and 3.0. +#openshift_use_dnsmasq=False +# Define an additional dnsmasq.conf file to deploy to /etc/dnsmasq.d/openshift-ansible.conf +# This is useful for POC environments where DNS may not actually be available yet or to set +# options like 'strict-order' to alter dnsmasq configuration. 
+#openshift_node_dnsmasq_additional_config_file=/home/bob/ose-dnsmasq.conf + +# Global Proxy Configuration +# These options configure HTTP_PROXY, HTTPS_PROXY, and NOPROXY environment +# variables for docker and master services. +#openshift_http_proxy=http://USER:PASSWORD@IPADDR:PORT +#openshift_https_proxy=https://USER:PASSWORD@IPADDR:PORT +#openshift_no_proxy='.hosts.example.com,some-host.com' +# +# Most environments don't require a proxy between openshift masters, nodes, and +# etcd hosts. So automatically add those hostnames to the openshift_no_proxy list. +# If all of your hosts share a common domain you may wish to disable this and +# specify that domain above. +#openshift_generate_no_proxy_hosts=True +# +# These options configure the BuildDefaults admission controller which injects +# configuration into Builds. Proxy related values will default to the global proxy +# config values. You only need to set these if they differ from the global proxy settings. +# See BuildDefaults documentation at +# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html +#openshift_builddefaults_http_proxy=http://USER:PASSWORD@HOST:PORT +#openshift_builddefaults_https_proxy=https://USER:PASSWORD@HOST:PORT +#openshift_builddefaults_no_proxy=mycorp.com +#openshift_builddefaults_git_http_proxy=http://USER:PASSWORD@HOST:PORT +#openshift_builddefaults_git_https_proxy=https://USER:PASSWORD@HOST:PORT +#openshift_builddefaults_git_no_proxy=mycorp.com +#openshift_builddefaults_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}] +#openshift_builddefaults_nodeselectors={'nodelabel1':'nodelabelvalue1'} +#openshift_builddefaults_annotations={'annotationkey1':'annotationvalue1'} +#openshift_builddefaults_resources_requests_cpu=100m +#openshift_builddefaults_resources_requests_memory=256m +#openshift_builddefaults_resources_limits_cpu=1000m +#openshift_builddefaults_resources_limits_memory=512m + +# Or you may optionally define your own build defaults 
configuration serialized as json +#openshift_builddefaults_json='{"BuildDefaults":{"configuration":{"apiVersion":"v1","env":[{"name":"HTTP_PROXY","value":"http://proxy.example.com.redhat.com:3128"},{"name":"NO_PROXY","value":"ose3-master.example.com"}],"gitHTTPProxy":"http://proxy.example.com:3128","gitNoProxy":"ose3-master.example.com","kind":"BuildDefaultsConfig"}}}' + +# These options configure the BuildOverrides admission controller which injects +# configuration into Builds. +# See BuildOverrides documentation at +# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html +#openshift_buildoverrides_force_pull=true +#openshift_buildoverrides_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}] +#openshift_buildoverrides_nodeselectors={'nodelabel1':'nodelabelvalue1'} +#openshift_buildoverrides_annotations={'annotationkey1':'annotationvalue1'} + +# Or you may optionally define your own build overrides configuration serialized as json +#openshift_buildoverrides_json='{"BuildOverrides":{"configuration":{"apiVersion":"v1","kind":"BuildDefaultsConfig","forcePull":"true"}}}' + +# masterConfig.volumeConfig.dynamicProvisioningEnabled, configurable as of 1.2/3.2, enabled by default +#openshift_master_dynamic_provisioning_enabled=False + +# Admission plugin config +#openshift_master_admission_plugin_config={"ProjectRequestLimit":{"configuration":{"apiVersion":"v1","kind":"ProjectRequestLimitConfig","limits":[{"selector":{"admin":"true"}},{"maxProjects":"1"}]}},"PodNodeConstraints":{"configuration":{"apiVersion":"v1","kind":"PodNodeConstraintsConfig"}}} + +# Configure usage of openshift_clock role. +#openshift_clock_enabled=true + +# OpenShift Per-Service Environment Variables +# Environment variables are added to /etc/sysconfig files for +# each OpenShift service: node, master (api and controllers). +# API and controllers environment variables are merged in single +# master environments. 
+#openshift_master_api_env_vars={"ENABLE_HTTP2": "true"} +#openshift_master_controllers_env_vars={"ENABLE_HTTP2": "true"} +#openshift_node_env_vars={"ENABLE_HTTP2": "true"} + +# Enable API service auditing, available as of 3.2 +#openshift_master_audit_config={"enabled": true} + +# Validity of the auto-generated OpenShift certificates in days. +# See also openshift_hosted_registry_cert_expire_days above. +# +#openshift_ca_cert_expire_days=1825 +#openshift_node_cert_expire_days=730 +#openshift_master_cert_expire_days=730 + +# Validity of the auto-generated external etcd certificates in days. +# Controls validity for etcd CA, peer, server and client certificates. +# +#etcd_ca_default_days=1825 + +# NOTE: Currently we require that masters be part of the SDN which requires that they also be nodes +# However, in order to ensure that your masters are not burdened with running pods you should +# make them unschedulable by adding openshift_schedulable=False any node that's also a master. [masters] {% for host in groups[openshift_cluster_masters_group] %} @@ -24,13 +773,16 @@ openshift_master_public_api_url={{ openshift_master_public_api_url }} {% endfor %} [lb] -{% for host in groups[openshift_cluster_masters_group] %} +{% for host in groups[openshift_cluster_infra_group] %} {{ host }} {% endfor %} [nodes] +{% for host in groups[openshift_cluster_infra_group] %} +{{ host }} openshift_node_labels="{'region':'infra'}" +{% endfor %} {% for host in groups[openshift_cluster_masters_group] %} -{{ host }} openshift_node_labels="{'region':'infra'}" openshift_schedulable=False +{{ host }} openshift_schedulable=False {% endfor %} {% for host in groups[openshift_cluster_nodes_group] %} {{ host }} openshift_node_labels="{'region': 'primary', 'zone': 'default'}" From c753bc1d09a1473566a466a2c902c6cb4274d457 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Wed, 10 May 2017 19:28:50 +0000 Subject: [PATCH 015/308] try kvm and ext 
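Review bot: In the `[nodes]` section a host that belongs to both `openshift_cluster_infra_group` and `openshift_cluster_nodes_group` is now emitted twice, first with `{'region':'infra'}` and then with `{'region': 'primary', 'zone': 'default'}`. In an INI inventory the later host variables generally replace the earlier ones, so such a host would lose its infra label; the os-cluster playbook elsewhere in this series passes `os-nodes-stg` for both groups. I would skip hosts already in the infra group in the last loop, `{% for host in groups[openshift_cluster_nodes_group] if host not in groups[openshift_cluster_infra_group] %}`. Since `[lb]` now lists the infra hosts instead of the masters, a comment above it saying which group is meant to front the API would also help. The template starts outside this hunk.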
Signed-off-by: Ricky Elrod --- inventory/host_vars/ci-cc-rdu01.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org index 95efa95bfe..57cdd98deb 100644 --- a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org +++ b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org @@ -11,5 +11,5 @@ postfix_group: vpn vpn: true volgroup: /dev/vg_guests vmhost: virthost-cc-rdu01.fedoraproject.org -ks_url: http://209.132.181.6/repo/rhel/ks/buildvm-fedora-25 +ks_url: http://209.132.181.6/repo/rhel/ks/kvm-fedora-25-ext ks_repo: http://209.132.181.6/pub/fedora/linux/releases/25/Server/x86_64/os/ From 4d1d7b84e9077e3c09b924b6cabed24092bc8314 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 May 2017 19:34:51 +0000 Subject: [PATCH 016/308] fix up some syntax --- playbooks/groups/os-cluster.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 8a786c60dd..7befcd63a0 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -157,9 +157,8 @@ src: "{{files}}/os/docker-storage-setup" dest: "/etc/sysconfig/docker-storage-setup" -- - name: Deploy OpenShift cluster -hosts: os-control-stg + hosts: os-control-stg tags: - os-cluster-deploy user: root @@ -191,8 +190,8 @@ hosts: os-control-stg openshift_debug_level: 2, openshift_deployment_type: "origin", openshift_cluster_url: "{{ os_url}}", - openshift_app_subdomain: "{{ os_app_url }}" - when: env == 'staging', - tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] + openshift_app_subdomain: "{{ os_app_url }}", + when: env == 'staging', + tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } From 1f5e3ea40e0e09766ac80a825563c9c3f121f451 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Wed, 10 May 2017 19:56:43 +0000 Subject: [PATCH 017/308] add deployment_type here 
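Review bot: The new `ks_url` still fetches the kickstart over plain HTTP from a bare IP address, and `ks_repo` on the next line does the same for the install tree. A kickstart decides the packages, accounts and post-install scripts of the guest, so whoever can alter that traffic decides what gets installed; whether this path stays on a trusted network is not visible here, and `vpn: true` suggests the host sits outside the main network. If the server offers TLS, `ks_url: https://<kickstart-host>/repo/rhel/ks/kvm-fedora-25-ext` with a hostname the certificate covers would close this; otherwise a comment recording why HTTP is acceptable for this host would help.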
Signed-off-by: Ricky Elrod --- inventory/host_vars/ci-cc-rdu01.fedoraproject.org | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org index 57cdd98deb..0f1ee3ce57 100644 --- a/inventory/host_vars/ci-cc-rdu01.fedoraproject.org +++ b/inventory/host_vars/ci-cc-rdu01.fedoraproject.org @@ -11,5 +11,6 @@ postfix_group: vpn vpn: true volgroup: /dev/vg_guests vmhost: virthost-cc-rdu01.fedoraproject.org +deployment_type: prod ks_url: http://209.132.181.6/repo/rhel/ks/kvm-fedora-25-ext ks_repo: http://209.132.181.6/pub/fedora/linux/releases/25/Server/x86_64/os/ From 69e4d5c9df714f73e711497ba216916d221ee1e1 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 10 May 2017 20:14:26 +0000 Subject: [PATCH 018/308] Add missing subnets to phx2net Signed-off-by: Patrick Uiterwijk --- roles/dns/files/named.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf index 487c1c4fc9..9a4c44d9fc 100644 --- a/roles/dns/files/named.conf +++ b/roles/dns/files/named.conf @@ -22,7 +22,7 @@ acl "everyone" { 0.0.0.0/0; ::0/0; }; // acl "ns_redhat" { 66.187.233.210; 209.132.183.2; 66.187.229.10; }; // -acl "phx2net" { 10.4.124.128/25; 10.5.78.0/24; 10.5.79.0/24; 10.5.125.0/24; 10.5.126.0/24; 10.5.127.0/24; 10.5.129.0/24; 10.16.0.0/24; }; +acl "phx2net" { 10.4.124.128/25; 10.5.78.0/24; 10.5.79.0/24; 10.5.125.0/24; 10.5.126.0/24; 10.5.127.0/24; 10.5.128.0/24; 10.5.129.0/24; 10.5.130.0/24; 10.16.0.0/24; }; acl "qanet" { 10.5.124.128/25; 10.5.131.0/24; }; acl "rh-slaves" { 10.5.30.78; 10.11.5.70; }; acl "rh" { 10.0.0.0/8; }; From 6b09124d2f0206a573aa905a24c8ea753dea3222 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Wed, 10 May 2017 20:19:34 +0000 Subject: [PATCH 019/308] add ccd for ci-cc-rdu01.fedoraproject.org 
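Review bot: The `phx2net` ACL gains `10.5.128.0/24` and `10.5.130.0/24`, but nothing in the hunk says what those networks are or which statements reference the ACL. In named.conf an ACL like this usually decides view matching, recursion or transfer rights, so each added range widens who receives the internal answers; the uses are outside this hunk and should be checked against the new ranges. A comment above the line would keep that reviewable, e.g. `// phx2net: 10.5.128.0/24 = <purpose>, 10.5.130.0/24 = <purpose>`.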
Signed-off-by: Ricky Elrod --- roles/openvpn/server/files/ccd/ci-cc-rdu01.fedoraproject.org | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 roles/openvpn/server/files/ccd/ci-cc-rdu01.fedoraproject.org diff --git a/roles/openvpn/server/files/ccd/ci-cc-rdu01.fedoraproject.org b/roles/openvpn/server/files/ccd/ci-cc-rdu01.fedoraproject.org new file mode 100644 index 0000000000..7ffd2c47de --- /dev/null +++ b/roles/openvpn/server/files/ccd/ci-cc-rdu01.fedoraproject.org @@ -0,0 +1,2 @@ +# ifconfig-push actualIP PtPIP +ifconfig-push 192.168.1.167 192.168.0.167 From f01bbfbc49714f906b7bfc08b1af95958223b10b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 10 May 2017 20:24:49 +0000 Subject: [PATCH 020/308] prune cluster --- playbooks/groups/os-cluster.yml | 101 -------------------------------- 1 file changed, 101 deletions(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 7befcd63a0..de48b5d352 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml 
@@ -57,106 +57,6 @@ option: pipelining value: "True" -- name: Setup cluster masters pre-reqs - hosts: os-masters-stg:os-masters - tags: - - os-cluster-prereq - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - - name: ensure origin conf dir exists - file: - path: "/etc/origin" - state: "directory" - - - name: create cert dir for openshift public facing REST API SSL - file: - path: "/etc/origin/master/named_certificates" - state: "directory" - - - name: install cert for openshift public facing REST API SSL - copy: - src: "{{private}}/files/os/{{env}}/os-internal.pem" - dest: "/etc/origin/master/named_certificates/{{os}}.pem" - - - name: install key for openshift public facing REST API SSL - copy: - src: "{{private}}/files/os/{{env}}/os-internal.key" - dest: "/etc/origin/master/named_certificates/{{os}}.key" - - - name: place htpasswd file - copy: - src: "{{private}}/files/httpd/os-{{env}}.htpasswd" - dest: /etc/origin/htpasswd - - -- name: Setup cluster hosts pre-reqs - hosts: os-masters-stg:os-nodes-stg:os-masters:os-nodes - tags: - - os-cluster-prereq - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - handlers: - - name: restart NetworkManager - service: - name: NetworkManager - state: restarted - - tasks: - - name: Install necessary packages that openshift-ansible needs - package: name="{{ item }}" state=installed - with_items: - - tar - - rsync - - dbus-python - - NetworkManager - - libselinux-python - - origin - - - name: Deploy controller public ssh keys to os cluster hosts - authorized_key: - user: root - key: "{{ lookup('file', '{{private}}/files/os/{{env}}/control_key.pub') }}" - - # This is required for OpenShift built-in SkyDNS inside the overlay network - # of 
the cluster - - name: ensure NM_CONTROLLED is set to "yes" for os cluster - lineinfile: - dest: "/etc/sysconfig/network-scripts/ifcfg-eth0" - line: "NM_CONTROLLED=yes" - notify: - - restart NetworkManager - - # This is required for OpenShift built-in SkyDNS inside the overlay network - # of the cluster - - name: ensure NetworkManager is enabled and started - service: - name: NetworkManager - state: started - enabled: yes - - - name: cron entry to clean up docker storage - copy: - src: "{{files}}/os/cleanup-docker-storage" - dest: "/etc/cron.d/cleanup-docker-storage" - - - name: copy docker-storage-setup config - copy: - src: "{{files}}/os/docker-storage-setup" - dest: "/etc/sysconfig/docker-storage-setup" - - name: Deploy OpenShift cluster hosts: os-control-stg tags: @@ -169,7 +69,6 @@ - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - roles: - { role: ansible-ansible-openshift-ansible, From 2212685d6547a265048d33aab69c8c75e122b2e8 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 04:51:08 +0000 Subject: [PATCH 021/308] fix a-a-o-a template typos and unicode char Signed-off-by: Adam Miller --- .../templates/cluster-inventory.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 6c1d36adda..f98d79c10c 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 
@@ -155,12 +155,12 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #openshift_master_htpasswd_file= # OSBS Specific Auth -{% if openshift_auth_profile="osbs" %} +{% if openshift_auth_profile == "osbs" %} openshift_master_manage_htpasswd=false openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '{{ openshift_htpasswd_file }}'}] {% endif %} -{% if openshift_auth_profile="fedoraidp" %} +{% if openshift_auth_profile == "fedoraidp" %} openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token"}, "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}] {% endif %} @@ -581,7 +581,7 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} # the CIDRs reserved for external IPs, nodes, pods, or services. #openshift_master_ingress_ip_network_cidr=172.46.0.0/16 -# Configure number of bits to allocate to each host’s subnet e.g. 9 +# Configure number of bits to allocate to each host's subnet e.g. 9 # would mean a /23 network on the host. #osm_host_subnet_length=9 From ba1441b53a10270985f5ea4c867b00da182d9be5 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 11 May 2017 13:19:46 +0000 Subject: [PATCH 022/308] nuke old nagios reverseproxy, add redirect to new nagios Signed-off-by: Ricky Elrod --- playbooks/include/proxies-redirects.yml | 6 ++++++ playbooks/include/proxies-reverseproxy.yml | 7 ------- 2 files changed, 6 insertions(+), 7 deletions(-) 
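Review bot: The two `{% if openshift_auth_profile == ... %}` blocks are independent and have no fallback, so a misspelled or unexpected profile value renders neither of them. The only identity provider left is then whatever `openshift_master_identity_providers=` line appears earlier in the template (the hunk header shows an `htpasswd_auth` one just above), and the cluster would come up with a different login method than the caller asked for, without any error. Validating the value before templating makes that fail loudly, e.g. a task with `assert: { that: "openshift_auth_profile in ['osbs', 'fedoraidp']" }`. The same applies to the `fedoraidp-stg` block that a later commit in this series adds to this template.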
diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index 37dc108a5d..a29b119713 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml @@ -25,6 +25,12 @@ path: /community target: https://apps.fedoraproject.org/packages + - role: httpd/redirect + name: nagios + website: admin.fedoraproject.org + path: /nagios + target: https://nagios.fedoraproject.org/nagios/ + - role: httpd/redirect name: docs website: fedoraproject.org diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index b8d04a6b1b..5016da198b 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -37,13 +37,6 @@ remotepath: /api proxyurl: https://copr.fedorainfracloud.org - - role: httpd/reverseproxy - website: admin.fedoraproject.org - destname: nagios - localpath: /nagios - remotepath: /nagios - proxyurl: http://noc01 - - role: httpd/reverseproxy website: nagios.fedoraproject.org destname: nagios From ed52f99340a724e042d2f41528710ac49e7f09e5 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 13:27:23 +0000 Subject: [PATCH 023/308] add os-control-stg group inventory file Signed-off-by: Adam Miller --- inventory/group_vars/os-control-stg | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 inventory/group_vars/os-control-stg diff --git a/inventory/group_vars/os-control-stg b/inventory/group_vars/os-control-stg new file mode 100644 index 0000000000..63a4f230c3 --- /dev/null +++ b/inventory/group_vars/os-control-stg @@ -0,0 +1,4 @@ +--- + +os_url: os.stg.fedoraproject.org +os_app_url: app.os.stg.fedoraproject.org From 9b93c851f46415435f5b857cad41f1ea4b873dd0 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 13:29:37 +0000 Subject: [PATCH 024/308] fix syntax error in osbs-cluster.yml 
Signed-off-by: Adam Miller --- playbooks/groups/osbs-cluster.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 7b1fce386d..70ebd43d64 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -215,7 +215,7 @@ openshift_cluster_url: "{{osbs_url}}", openshift_master_ha: false, openshift_debug_level: 2, - openshift_deployment_type: "origin" + openshift_deployment_type: "origin", when: env == 'staging', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } @@ -238,7 +238,7 @@ openshift_cluster_url: "{{osbs_url}}", openshift_master_ha: false, openshift_debug_level: 2, - openshift_deployment_type: "origin" + openshift_deployment_type: "origin", when: env == 'production', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } From 16b2847127c1274755a7f68be313539660307df4 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 13:37:53 +0000 Subject: [PATCH 025/308] fix fedoraidp-stg for os-cluster Signed-off-by: Adam Miller --- playbooks/groups/os-cluster.yml | 2 +- roles/ansible-ansible-openshift-ansible/defaults/main.yml | 5 +++-- .../templates/cluster-inventory.j2 | 4 ++++ 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index de48b5d352..dc9ed63927 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -83,7 +83,7 @@ openshift_cluster_masters_group: "os-masters-stg", openshift_cluster_nodes_group: "os-nodes-stg", openshift_cluster_infra_group: "os-nodes-stg", - openshift_auth_profile: "fedoraidp", + openshift_auth_profile: "fedoraidp-stg", openshift_cluster_url: "{{os_url}}", openshift_master_ha: false, openshift_debug_level: 2, diff --git a/roles/ansible-ansible-openshift-ansible/defaults/main.yml b/roles/ansible-ansible-openshift-ansible/defaults/main.yml index 9100c4569d..960a2e7def 100644 
--- a/roles/ansible-ansible-openshift-ansible/defaults/main.yml +++ b/roles/ansible-ansible-openshift-ansible/defaults/main.yml @@ -8,8 +8,9 @@ # These are Fedora Infra specific auth profiles # # Acceptable values: -# osbs - this will configure htpasswd for use with osbs -# fedoraidp - configure for fedora idp +# osbs - this will configure htpasswd for use with osbs +# fedoraidp - configure for fedora idp +# fedoraidp-stg - configure for fedora idp staging env openshift_auth_profile: osbs # Do we want OpenShift itself to be containerized? diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index f98d79c10c..e4f982427c 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 
@@ -164,6 +164,10 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token"}, "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}] {% endif %} +{% if openshift_auth_profile == "fedoraidp-stg" %} +openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_stg_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token"}, "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}] +{% endif %} + # Allow all auth #openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}] From cb0f3c4d018308ef736bae74c328b9dde21bd010 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 13:51:43 +0000 Subject: [PATCH 026/308] ensure that the openshift_app_subdomain var is defined in the a-a-o-a inventory template Signed-off-by: Adam Miller --- .../templates/cluster-inventory.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index e4f982427c..1c25e7f769 100644 
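Review bot: In the added `fedoraidp-stg` provider the `"userInfo"` URL comes after the closing brace of `"urls"`, so it is a top-level key of the provider rather than part of `urls` next to `authorize` and `token`. OpenShift's OpenID provider takes the UserInfo endpoint from `urls`, so as written it is probably ignored and claims come from the ID token only; the existing `fedoraidp` line has the same shape. The fix is to move the brace: `"token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}]`. The two blocks now differ only in the secret variable, so the staging URLs depend entirely on `env_suffix`; a comment saying so would guard against pairing the staging secret with the production IdP.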
--- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -235,9 +235,11 @@ openshift_master_cluster_public_hostname={{openshift_cluster_url}} #osm_api_server_args={'max-requests-inflight': ['400']} # default subdomain to use for exposed routes +{% if openshift_app_subdomain is defined %} {% if openshift_app_subdomain %} openshift_master_default_subdomain={{openshift_app_subdomain}} {% endif %} +{% endif %} # additional cors origins #osm_custom_cors_origins=['foo.example.com', 'bar.example.com'] From 7bdf500792d085dd8be88365647a2b565db7106f Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 11 May 2017 15:58:21 +0200 Subject: [PATCH 027/308] Add postgresql, resultsdb and execdb in ci-cc-rdu01 --- inventory/group_vars/ci | 78 +++++++++++++++++++++++++++++++++++++++++ playbooks/groups/ci.yml | 20 +++++++++++ 2 files changed, 98 insertions(+) create mode 100644 inventory/group_vars/ci diff --git a/inventory/group_vars/ci b/inventory/group_vars/ci new file mode 100644 index 0000000000..cf30c99375 --- /dev/null +++ b/inventory/group_vars/ci 
@@ -0,0 +1,78 @@ +--- +############################################################ +# general information +############################################################ +# common items for the releng-* boxes +lvm_size: 50000 +mem_size: 4096 +num_cpus: 4 +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +tcp_ports: [ 80, 443, "{{ resultsdb_db_port }}" ] +fas_client_groups: sysadmin-qa,sysadmin-noc,sysadmin-web +nrpe_procs_warn: 250 +nrpe_procs_crit: 300 + +external_hostname: resultsdb.ci.centos.org +deployment_type: prod + + +############################################################ +# resultsdb details +############################################################ + +# the db_host_machine bits are so that delegation continues to work, even if +# that db is localhost relative to resultsdb + +resultsdb_db_host_machine: ci-cc-rdu01.fedoraproject.org +resultsdb_db_host: "{{ resultsdb_db_host_machine }}" +resultsdb_db_port: 5432 +resultsdb_endpoint: 'resultsdb_api' +resultsdb_db_name: resultsdb +resultsdb_db_user: "{{ ci_resultsdb_db_user }}" +resultsdb_db_password: "{{ ci_resultsdb_db_password }}" +resultsdb_secret_key: "{{ ci_resultsdb_secret_key }}" + +allowed_hosts: + - 10.5.124 + - 10.5.131 + + +############################################################ +# resultsdb-frontend details +############################################################ +resultsdb_fe_endpoint: "resultsdb" +resultsdb_frontend_secret_key: "{{ ci_resultsdb_frontend_secret_key }}" + + +########################################################### +# execdb details +############################################################ +execdb_db_host_machine: ci-cc-rdu01.fedoraproject.org +execdb_db_host: "{{ execdb_db_host_machine }}" +execdb_db_port: 5432 +execdb_endpoint: 'execdb' +execdb_db_name: execdb +execdb_db_user: "{{ ci_execdb_db_user }}" +execdb_db_password: "{{ ci_execdb_db_password }}" +execdb_secret_key: "{{ ci_execdb_secret_key 
}}" + + +############################################################ +# fedmsg details +############################################################ +fedmsg_active: False +fedmsg_cert_prefix: ci.resultsdb + +fedmsg_certs: +- service: shell + owner: root + group: sysadmin + can_send: + - logger.log +- service: resultsdb + owner: root + group: apache + can_send: + - taskotron.result.new diff --git a/playbooks/groups/ci.yml b/playbooks/groups/ci.yml index a58e097743..0c580009d3 100644 --- a/playbooks/groups/ci.yml +++ b/playbooks/groups/ci.yml @@ -26,6 +26,7 @@ - { role: sudo, tags: ['sudo'] } - { role: openvpn/client, when: deployment_type == "prod", tags: ['openvpn_client'] } + - postgresql_server - apache - { role: fedmsg/base } @@ -37,3 +38,22 @@ handlers: - include: "{{ handlers_path }}/restart_services.yml" + +- name: configure resultsdb production + hosts: ci + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - { role: taskotron/resultsdb-fedmsg, tags: ['resultsdb-fedmsg']} + - { role: taskotron/resultsdb-backend, tags: ['resultsdb-be'] } + - { role: taskotron/resultsdb-frontend, tags: ['resultsdb-fe'] } + - { role: taskotron/execdb, tags: ['execdb'] } + + handlers: + - include: "{{ handlers_path }}/restart_services.yml" From 711eb4b43815a6e6e5cd576517b165c5fb16b80a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 14:29:52 +0000 Subject: [PATCH 028/308] try dropping this --- .../templates/cluster-inventory.j2 | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 1c25e7f769..572342c20f 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 
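Review bot: In inventory/group_vars/ci, `tcp_ports: [ 80, 443, "{{ resultsdb_db_port }}" ]` puts the PostgreSQL port 5432 in the same list as the public web ports. The database host is the machine itself (`resultsdb_db_host_machine: ci-cc-rdu01.fedoraproject.org`) and the host serves `resultsdb.ci.centos.org`, so if `tcp_ports` is what opens the host firewall (its consumer is not visible here) the database would be reachable from wherever 80 and 443 are. Unless a remote client really needs it, `tcp_ports: [ 80, 443 ]` is enough; if one does, limit the port to that source in a dedicated rule and say so in a comment. A comment on `allowed_hosts` stating that `10.5.124` and `10.5.131` are address prefixes, and what they admit, would also help.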
+++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -236,10 +236,8 @@ openshift_master_cluster_public_hostname={{openshift_cluster_url}} # default subdomain to use for exposed routes {% if openshift_app_subdomain is defined %} -{% if openshift_app_subdomain %} openshift_master_default_subdomain={{openshift_app_subdomain}} {% endif %} -{% endif %} # additional cors origins #osm_custom_cors_origins=['foo.example.com', 'bar.example.com'] @@ -792,4 +790,4 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} {% endfor %} {% for host in groups[openshift_cluster_nodes_group] %} {{ host }} openshift_node_labels="{'region': 'primary', 'zone': 'default'}" -{% endfor %} \ No newline at end of file +{% endfor %} From ad304f6899c031ad94af056485eebafec45fc7b8 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 11 May 2017 16:31:42 +0200 Subject: [PATCH 029/308] Add the postgresql config to ci --- inventory/group_vars/ci | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/inventory/group_vars/ci b/inventory/group_vars/ci index cf30c99375..67134f4033 100644 --- a/inventory/group_vars/ci +++ b/inventory/group_vars/ci @@ -18,6 +18,14 @@ external_hostname: resultsdb.ci.centos.org deployment_type: prod +# +# PostgreSQL configuration +# + +shared_buffers: "32MB" +effective_cache_size: "512MB" + + ############################################################ # resultsdb details ############################################################ From 270152b494f99e3d3533c01a96fc1e60ce76ce41 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 14:33:09 +0000 Subject: [PATCH 030/308] humm... --- .../templates/cluster-inventory.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 572342c20f..61ed82764c 100644 
--- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -235,9 +235,7 @@ openshift_master_cluster_public_hostname={{openshift_cluster_url}} #osm_api_server_args={'max-requests-inflight': ['400']} # default subdomain to use for exposed routes -{% if openshift_app_subdomain is defined %} openshift_master_default_subdomain={{openshift_app_subdomain}} -{% endif %} # additional cors origins #osm_custom_cors_origins=['foo.example.com', 'bar.example.com'] From 1483c901244037ca317f0edf7458d582d577e003 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 14:40:44 +0000 Subject: [PATCH 031/308] no variables in comments --- .../templates/cluster-inventory.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 61ed82764c..af65a5f830 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -493,7 +493,7 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} # list of options please see roles/openshift_metrics/README.md # # Override metricsPublicURL in the master config for cluster metrics -# Defaults to https://hawkular-metrics.{{openshift_master_default_subdomain}}/hawkular/metrics +# Defaults to https://hawkular-metrics.openshift_master_default_subdomain/hawkular/metrics # Currently, you may only alter the hostname portion of the url, alterting the # `/hawkular/metrics` path will break installation of metrics. #openshift_hosted_metrics_public_url=https://hawkular-metrics.example.com/hawkular/metrics 
@@ -537,7 +537,7 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} # list of options please see roles/openshift_logging/README.md # # Configure loggingPublicURL in the master config for aggregate logging, defaults -# to kibana.{{ openshift_master_default_subdomain }} +# to kibana.openshift_master_default_subdomain #openshift_hosted_logging_hostname=logging.apps.example.com # Configure the number of elastic search nodes, unless you're using dynamic provisioning # this value must be 1 From e9f38699737ed12b300e3b5e4c8ac66f7edea973 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 11 May 2017 16:41:08 +0200 Subject: [PATCH 032/308] Disable fedmsg for now on ci-cc-rdu01 --- playbooks/groups/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/ci.yml b/playbooks/groups/ci.yml index 0c580009d3..d8d3588b4f 100644 --- a/playbooks/groups/ci.yml +++ b/playbooks/groups/ci.yml @@ -28,7 +28,7 @@ when: deployment_type == "prod", tags: ['openvpn_client'] } - postgresql_server - apache - - { role: fedmsg/base } +# - { role: fedmsg/base } tasks: # this is how you include other task lists @@ -50,7 +50,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - { role: taskotron/resultsdb-fedmsg, tags: ['resultsdb-fedmsg']} +# - { role: taskotron/resultsdb-fedmsg, tags: ['resultsdb-fedmsg']} - { role: taskotron/resultsdb-backend, tags: ['resultsdb-be'] } - { role: taskotron/resultsdb-frontend, tags: ['resultsdb-fe'] } - { role: taskotron/execdb, tags: ['execdb'] } From 7176b472097d27dac8e9a6944925df9b1af9cf3b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 14:58:11 +0000 Subject: [PATCH 033/308] try and change this --- playbooks/groups/os-cluster.yml | 2 +- roles/ansible-ansible-openshift-ansible/defaults/main.yml | 2 +- .../templates/cluster-inventory.j2 | 6 +++++- 3 files changed, 7 insertions(+), 3 deletions(-) 
diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index dc9ed63927..97cb121091 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -87,7 +87,7 @@ openshift_cluster_url: "{{os_url}}", openshift_master_ha: false, openshift_debug_level: 2, - openshift_deployment_type: "origin", + openshift_deployment_type: "openshift-enterprise", openshift_cluster_url: "{{ os_url}}", openshift_app_subdomain: "{{ os_app_url }}", when: env == 'staging', diff --git a/roles/ansible-ansible-openshift-ansible/defaults/main.yml b/roles/ansible-ansible-openshift-ansible/defaults/main.yml index 960a2e7def..afbafaed86 100644 --- a/roles/ansible-ansible-openshift-ansible/defaults/main.yml +++ b/roles/ansible-ansible-openshift-ansible/defaults/main.yml @@ -43,7 +43,7 @@ openshift_release: "v1.5.0" # Possible options: # origin # openshift-enterprise -openshift_deployment_type: origin +deployment_type: origin # Install the OpenShift App Examples (value should be "true" or "false") openshift_ansible_install_examples: false diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index af65a5f830..86c83ac688 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -33,7 +33,7 @@ ansible_become=yes debug_level={{openshift_debug_level}} # Specify the deployment type. Valid values are origin and openshift-enterprise. -openshift_deployment_type={{openshift_deployment_type}} +deployment_type={{openshift_deployment_type}} # Specify the generic release of OpenShift to install. This is used mainly just during installation, after which we # rely on the version running on the first master. Works best for containerized installs where we can usually 
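Review bot: Renaming the role default to `deployment_type` in defaults/main.yml leaves `openshift_deployment_type` without a default, while the template hunk of this same commit still interpolates `{{openshift_deployment_type}}`. The staging caller in os-cluster.yml passes the value explicitly, so it renders there, but a caller relying on the default would presumably fail on an undefined variable. `deployment_type` is also used elsewhere in this series as a prod/staging switch (`deployment_type: prod` in group_vars/ci), so reusing the name for the OpenShift flavour invites a collision. I would keep `openshift_deployment_type: origin` in the defaults and change only the key the template emits.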
@@ -235,7 +235,11 @@ openshift_master_cluster_public_hostname={{openshift_cluster_url}} #osm_api_server_args={'max-requests-inflight': ['400']} # default subdomain to use for exposed routes +{% if openshift_app_subdomain is defined %} +{% if openshift_app_subdomain %} openshift_master_default_subdomain={{openshift_app_subdomain}} +{% endif %} +{% endif %} # additional cors origins #osm_custom_cors_origins=['foo.example.com', 'bar.example.com'] From 77e117a8bfa0101bdf498b0a6085f53d050f1158 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 15:10:41 +0000 Subject: [PATCH 034/308] deploy ssh keys to os cluster hosts --- playbooks/groups/os-cluster.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 97cb121091..4572d1f969 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -23,6 +23,11 @@ - sudo tasks: + - name: Deploy controller public ssh keys to osbs cluster hosts + authorized_key: + user: root + key: "{{ lookup('file', '{{private}}/files/osbs/{{env}}/control_key.pub') }}" + - include: "{{ tasks_path }}/yumrepos.yml" - include: "{{ tasks_path }}/2fa_client.yml" - include: "{{ tasks_path }}/motd.yml" From 6667996d4ef41963ab6ac063a2c41527e4f458d5 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 15:14:05 +0000 Subject: [PATCH 035/308] install the _correct_ key --- playbooks/groups/os-cluster.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 4572d1f969..fb14f8ff94 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml 
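Review bot: The new `authorized_key` task in os-cluster.yml installs a root login key on every cluster host with no restriction on where that key may be used from. Adding `key_options: 'from="CONTROL_HOST_ADDRESS"'` (placeholder, fill in the control host) limits what a leaked private half can reach. The lookup also nests `{{ }}` inside an expression that is already templated; `lookup('file', private + '/files/osbs/' + env + '/control_key.pub')` resolves the same path without relying on nested evaluation.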
@@ -26,7 +26,7 @@ - name: Deploy controller public ssh keys to osbs cluster hosts authorized_key: user: root - key: "{{ lookup('file', '{{private}}/files/osbs/{{env}}/control_key.pub') }}" + key: "{{ lookup('file', '{{private}}/files/os/{{env}}/control_key.pub') }}" - include: "{{ tasks_path }}/yumrepos.yml" - include: "{{ tasks_path }}/2fa_client.yml" From fb53a3430abf23c6e4e2f9803cdd83fada1f991e Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 11 May 2017 17:28:48 +0200 Subject: [PATCH 036/308] Looks like checkpoint_segments is not liked by postgresql on Fedora --- roles/postgresql_server/templates/postgresql.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/postgresql_server/templates/postgresql.conf b/roles/postgresql_server/templates/postgresql.conf index 9947805fbe..b148442d99 100644 --- a/roles/postgresql_server/templates/postgresql.conf +++ b/roles/postgresql_server/templates/postgresql.conf @@ -177,8 +177,9 @@ wal_buffers = 64kB # min 32kB #commit_siblings = 5 # range 1-1000 # - Checkpoints - - +{% if ansible_distribution != "Fedora" %} checkpoint_segments = 30 # in logfile segments, min 1, 16MB each +{% endif %} checkpoint_timeout = 30min # range 30s-1h checkpoint_completion_target = 0.6 # checkpoint target duration, 0.0 - 1.0 checkpoint_warning = 180s # 0 is off From 412c8ce9c7eb894d061a83519f2123f57d1c126a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 15:44:51 +0000 Subject: [PATCH 037/308] fix hosts --- inventory/group_vars/os | 2 ++ inventory/inventory | 5 +++++ roles/hosts/files/os-hosts | 3 +++ 3 files changed, 10 insertions(+) create mode 100644 inventory/group_vars/os create mode 100644 roles/hosts/files/os-hosts diff --git a/inventory/group_vars/os b/inventory/group_vars/os new file mode 100644 index 0000000000..e837201446 --- /dev/null +++ b/inventory/group_vars/os @@ -0,0 +1,2 @@ +--- +host_group: os 
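Review bot: The guard added around `checkpoint_segments` in postgresql.conf tests `ansible_distribution != "Fedora"`, but the setting was removed in PostgreSQL 9.5, so the condition that matters is the server version, not the distribution. An EL host that later receives a newer PostgreSQL would likely refuse to start on this line, and Fedora hosts are left with no WAL sizing at all. Consider keying the condition on a version variable and adding an `{% else %}` branch that sets `max_wal_size`. At minimum, put a comment above the `{% if %}`, for example `# checkpoint_segments was removed in PostgreSQL 9.5; skipped where the server is newer`.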
diff --git a/inventory/inventory b/inventory/inventory index 1b6651e04c..9c5c0e81a3 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1342,6 +1342,11 @@ os-master03.stg.phx2.fedoraproject.org os-node01.stg.phx2.fedoraproject.org os-node02.stg.phx2.fedoraproject.org +[os:children] +os-nodes-stg +os-masters-stg +os-control-stg + [ci] ci-cc-rdu01.fedoraproject.org diff --git a/roles/hosts/files/os-hosts b/roles/hosts/files/os-hosts new file mode 100644 index 0000000000..f07ce4176a --- /dev/null +++ b/roles/hosts/files/os-hosts @@ -0,0 +1,3 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +209.132.182.64 registery.access.redhat.com From 014fea7c51f1740567312b0ec766e95bf7a38a4a Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 16:14:17 +0000 Subject: [PATCH 038/308] switch os-cluster to use OCP v3.4 Signed-off-by: Adam Miller --- playbooks/groups/os-cluster.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index fb14f8ff94..cccf9c71f4 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -78,10 +78,10 @@ - { role: ansible-ansible-openshift-ansible, cluster_inventory_filename: "cluster-inventory-stg", - openshift_release: "v3.5", + openshift_release: "v3.4", openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_playbook: "playbooks/byo/config.yml", - openshift_ansible_version: "openshift-ansible-3.5.69-1", + openshift_ansible_version: "openshift-ansible-3.4.88-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: true, openshift_ansible_containerized_deploy: true, From 05a67908b1e693e61cd9cadc8c1431217c41a4a1 Mon Sep 17 00:00:00 2001 
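Review bot: The entry added to roles/hosts/files/os-hosts maps `registery.access.redhat.com`, which is misspelled, so lookups for the real registry name never match it. Pinning a third-party registry to a fixed address in /etc/hosts also overrides DNS on every host that receives the file, and the entry goes stale silently when the upstream address changes. TLS certificate validation on the pull is then the only thing that tells a stale or wrong address apart from the real registry. If the pin is needed, record why in the file, for example `# pinned DATE: REASON; remove once DNS resolves from the cluster`.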
From: Mikolaj Izdebski Date: Thu, 11 May 2017 16:16:52 +0000 Subject: [PATCH 039/308] Koschei: add copr config for frontend --- roles/koschei/frontend/templates/config-frontend.cfg.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/koschei/frontend/templates/config-frontend.cfg.j2 b/roles/koschei/frontend/templates/config-frontend.cfg.j2 index 8569959b98..d89d61894b 100644 --- a/roles/koschei/frontend/templates/config-frontend.cfg.j2 +++ b/roles/koschei/frontend/templates/config-frontend.cfg.j2 @@ -103,6 +103,11 @@ config = { "bugreport": { "url": "https://{{ koschei_bugzilla }}/enter_bug.cgi?{query}", }, + "copr": { + "require_admin": True, + "copr_owner": "mizdebsk", + "default_schedule_count": 8, + }, } # Local Variables: From 62854fc8934996b1ba630a2be2a22fe42afe34b7 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 11 May 2017 16:26:10 +0000 Subject: [PATCH 040/308] Add openshift repo Signed-off-by: Patrick Uiterwijk --- files/openshift/openshift.repo | 4 ++++ tasks/yumrepos.yml | 8 ++++++++ 2 files changed, 12 insertions(+) create mode 100644 files/openshift/openshift.repo diff --git a/files/openshift/openshift.repo b/files/openshift/openshift.repo new file mode 100644 index 0000000000..91dc0c0f07 --- /dev/null +++ b/files/openshift/openshift.repo @@ -0,0 +1,4 @@ +[rhel7-openshift-3.4] +name = rhel7 openshift 3.4 $basearch +baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.4-rpms/ +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml index b6031b1f75..af57783e79 100644 --- a/tasks/yumrepos.yml +++ b/tasks/yumrepos.yml 
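Review bot: The new files/openshift/openshift.repo stanza sets `gpgkey=` but no `gpgcheck=1`, and its `baseurl` is plain `http://`. Without an explicit `gpgcheck=1`, signature verification depends on each host's global yum.conf setting, and over HTTP the repository metadata and packages can be altered in transit. I would add `gpgcheck=1` and `enabled=1` to the stanza and switch the baseurl to `https://` if the internal mirror serves it.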
@@ -15,6 +15,14 @@ - packages - yumrepos +- name: put openshift 3.4 repo on os- systems + copy: src="{{ files }}/openshift/openshift.repo" dest="/etc/yum.repos.d/openshift.repo" + when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == 7 and inventory_hostname.startswith('os-') + tags: + - config + - packages + - yumrepos + - name: put epel repos on el systems copy: src="{{ files }}/common/epel{{ ansible_distribution_major_version }}.repo" dest="/etc/yum.repos.d/epel{{ ansible_distribution_major_version }}.repo" when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and use_default_epel) From 3eb214c1849a6bcc8280dd43f8e105f728d3f8d0 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 11 May 2017 17:10:39 +0000 Subject: [PATCH 041/308] fixing tickets for Amy and Randy --- roles/nagios_server/files/nagios/services/disk.cfg | 14 ++++++++++++++ .../files/nagios/services/websites.cfg | 9 +++++++++ 2 files changed, 23 insertions(+) diff --git a/roles/nagios_server/files/nagios/services/disk.cfg b/roles/nagios_server/files/nagios/services/disk.cfg index c927e973ed..ef0f21b09e 100644 --- a/roles/nagios_server/files/nagios/services/disk.cfg +++ b/roles/nagios_server/files/nagios/services/disk.cfg @@ -67,3 +67,17 @@ define service { check_command check_by_nrpe!check_disk_/ use retracetemplate } + +define service { + hostgroup_name people + service_description Disk space /projects + check_command check_by_nrpe!check_disk_/projects/ + use disktemplate +} + +define service { + hostgroup_name docker-registry + service_description Disk space /var/lib/registry + check_command check_by_nrpe!check_disk_/var/lib/registry + use disktemplate +} diff --git a/roles/nagios_server/files/nagios/services/websites.cfg b/roles/nagios_server/files/nagios/services/websites.cfg index 126c0fa675..b0f75c6c47 100644 --- a/roles/nagios_server/files/nagios/services/websites.cfg +++ b/roles/nagios_server/files/nagios/services/websites.cfg 
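Review bot: The `when:` on the new openshift repo task in tasks/yumrepos.yml compares `ansible_distribution_major_version == 7`, but that fact is a string, so comparing it with the integer 7 is false and the task is skipped on every host. The condition should read `ansible_distribution_major_version|int == 7` (or compare with `'7'`). Matching on `inventory_hostname.startswith('os-')` also ties the repo to a naming convention. The `os` group added earlier in this series would allow `'os' in group_names` instead.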
@@ -138,6 +138,15 @@ define service { use internalwebsitetemplate } +define service { + hostgroup_name docker-registry + service_description http-docker-registry + check_command check_website!registry.fedoraproject.org!/v2/!{} + max_check_attempts 8 + use websitetemplate +} + + define service { hostgroup_name fas service_description http-accounts From 1d61d758d1e02e183a2ff5f59eaaa5d80036dc77 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 17:29:45 +0000 Subject: [PATCH 042/308] fix hosts file --- playbooks/groups/os-cluster.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index cccf9c71f4..55e9efc32b 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -48,6 +48,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: + - name: fix hosts file + copy: + src: "{{roles_path}}/hosts/files/os-hosts" + dest: "/etc/hosts" + owner: root + mode: 0644 + - name: deploy private key to control hosts copy: src: "{{private}}/files/os/{{env}}/control_key" From 8012204c6c535dfe8194900951f64ed1d4815a89 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 11 May 2017 17:32:22 +0000 Subject: [PATCH 043/308] and I forgot to do this part --- roles/nagios_server/files/nrpe/nrpe.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/nagios_server/files/nrpe/nrpe.cfg b/roles/nagios_server/files/nrpe/nrpe.cfg index daaec1e353..809d3566e1 100644 --- a/roles/nagios_server/files/nrpe/nrpe.cfg +++ b/roles/nagios_server/files/nrpe/nrpe.cfg 
@@ -301,6 +301,8 @@ command[check_disk_/srv/taskotron]=/usr/lib64/nagios/plugins/check_disk -w 20% - command[check_disk_/var/lib64/mock]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/mock command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /var/log command[check_disk_/srv/cache/lookaside]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/cache/lookaside +command[check_disk_/projects/]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /projects/ +command[check_disk_/var/lib/registry]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /projects/ command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 15 -c 25 -s Z command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 900 -c 1000 command[check_swap]=/usr/lib64/nagios/plugins/check_swap -w 15% -c 10% From 29a2d77756a4dcfbb13201925d0e3d9c874af6f6 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 17:35:45 +0000 Subject: [PATCH 044/308] speeling is hard --- roles/hosts/files/os-hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/hosts/files/os-hosts b/roles/hosts/files/os-hosts index f07ce4176a..c706d8a9c0 100644 --- a/roles/hosts/files/os-hosts +++ b/roles/hosts/files/os-hosts @@ -1,3 +1,3 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -209.132.182.64 registery.access.redhat.com +209.132.182.64 registry.access.redhat.com From b0e0f61d82337c274de9b6b037a541d822c4567e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 17:42:02 +0000 Subject: [PATCH 045/308] fix typo --- roles/hosts/files/os-hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/hosts/files/os-hosts b/roles/hosts/files/os-hosts index c706d8a9c0..944b7908e7 100644 --- a/roles/hosts/files/os-hosts +++ b/roles/hosts/files/os-hosts 
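Review bot: The added `check_disk_/var/lib/registry` command in nrpe.cfg passes `-p /projects/`, so it measures the wrong filesystem and a full registry volume would never alert. The line should end with `-p /var/lib/registry`. The `/projects/` thresholds `-w 5% -c 1%` are also much tighter than the 15–20% warning levels on the neighbouring lines. If that is intentional, a `#` comment line above the command should say so.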
@@ -1,3 +1,3 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -209.132.182.64 registry.access.redhat.com +209.132.182.63 registry.access.redhat.com From a8b9e72849a75489f9d4aed56414e8dadcbd9ebf Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 11 May 2017 17:49:38 +0000 Subject: [PATCH 046/308] make a moby group and play moby music --- inventory/inventory | 9 +++++++++ roles/nagios/server/files/nagios/services/websites.cfg | 2 +- roles/nagios_server/files/nagios/services/disk.cfg | 2 +- roles/nagios_server/files/nagios/services/websites.cfg | 8 ++++---- 4 files changed, 15 insertions(+), 6 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index 9c5c0e81a3..b0063c3e9d 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1360,6 +1360,15 @@ docker-registry01.stg.phx2.fedoraproject.org docker-registry02.stg.phx2.fedoraproject.org docker-candidate-registry01.stg.phx2.fedoraproject.org +## Not the candidate just the top registry +[moby-registry] +docker-registry01.phx2.fedoraproject.org + +## Not the candidate just the top registry +[moby-registry-stg] +docker-registry01.phx2.fedoraproject.org + + [webservers:children] proxies ipsilon diff --git a/roles/nagios/server/files/nagios/services/websites.cfg b/roles/nagios/server/files/nagios/services/websites.cfg index 6f6cf90921..48266f32af 100644 --- a/roles/nagios/server/files/nagios/services/websites.cfg +++ b/roles/nagios/server/files/nagios/services/websites.cfg @@ -329,7 +329,7 @@ define service { } define service { - host_name docker-registry01 + hostgroup_name docker-registry01 service_description docker-registry check_command check_website!localhost:5000!/v2/!{} max_check_attempts 8 diff --git a/roles/nagios_server/files/nagios/services/disk.cfg b/roles/nagios_server/files/nagios/services/disk.cfg index ef0f21b09e..984cc2d01f 100644 
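Review bot: The new `[moby-registry-stg]` group in inventory/inventory lists `docker-registry01.phx2.fedoraproject.org`, the same production host as `[moby-registry]`. Anything targeted at the staging group would therefore act on production. The staging registry host shown in the context lines just above is `docker-registry01.stg.phx2.fedoraproject.org`, which is presumably what was meant.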
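Review bot: In roles/nagios/server/files/nagios/services/websites.cfg the directive changes from `host_name` to `hostgroup_name` but keeps the value `docker-registry01`, which reads as a host name rather than a group. Unless a hostgroup with that exact name is defined elsewhere, the configuration check will fail or the service will attach to nothing. The other hunks of this commit use `moby-registry`, so `hostgroup_name moby-registry` looks like the intended line. The service definition ends outside the hunk.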
--- a/roles/nagios_server/files/nagios/services/disk.cfg +++ b/roles/nagios_server/files/nagios/services/disk.cfg @@ -76,7 +76,7 @@ define service { } define service { - hostgroup_name docker-registry + hostgroup_name moby-registry service_description Disk space /var/lib/registry check_command check_by_nrpe!check_disk_/var/lib/registry use disktemplate diff --git a/roles/nagios_server/files/nagios/services/websites.cfg b/roles/nagios_server/files/nagios/services/websites.cfg index b0f75c6c47..cb77793b1d 100644 --- a/roles/nagios_server/files/nagios/services/websites.cfg +++ b/roles/nagios_server/files/nagios/services/websites.cfg @@ -131,16 +131,16 @@ define service { } define service { - hostgroup_name docker-registry - service_description http-docker-registry + hostgroup_name moby-registry + service_description http-moby-registry check_command check_website!localhost:5000!/v2/!{} max_check_attempts 8 use internalwebsitetemplate } define service { - hostgroup_name docker-registry - service_description http-docker-registry + hostgroup_name moby-registry + service_description http-moby-registry check_command check_website!registry.fedoraproject.org!/v2/!{} max_check_attempts 8 use websitetemplate From 70e9b0dfd954574cc6981bb8f65c85eec9ecd842 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 17:53:36 +0000 Subject: [PATCH 047/308] make sure to not containerize load balancer bits in os-cluster Signed-off-by: Adam Miller --- .../templates/cluster-inventory.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 86c83ac688..52f27f8151 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 
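Review bot: After the websites.cfg hunk both service definitions carry `hostgroup_name moby-registry` and `service_description http-moby-registry`, and Nagios identifies a service by host plus description. One definition will shadow the other or be flagged as a duplicate, so either the local port 5000 check or the public-name check is effectively lost. Give them distinct descriptions, for example `service_description http-moby-registry-internal` and `service_description http-moby-registry-external`.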
@@ -780,7 +780,7 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} [lb] {% for host in groups[openshift_cluster_infra_group] %} -{{ host }} +{{ host }} containerized=false {% endfor %} [nodes] From 157f3b24ddca7cf95fd97c2dfaba8a23a2171e97 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 11 May 2017 18:07:15 +0000 Subject: [PATCH 048/308] Disable ansible running for now Signed-off-by: Patrick Uiterwijk --- .../tasks/main.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index 33637099d8..bf1ef9b613 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml @@ -20,19 +20,19 @@ src: "cluster-inventory.j2" dest: "{{ openshift_ansible_path }}/{{ cluster_inventory_filename }}" -- name: run ansible - shell: "ansible-playbook {{ openshift_ansible_playbook }} -i {{ cluster_inventory_filename }}" - args: - chdir: "{{ openshift_ansible_path }}" - register: run_ansible_out +#- name: run ansible +# shell: "ansible-playbook {{ openshift_ansible_playbook }} -i {{ cluster_inventory_filename }}" +# args: +# chdir: "{{ openshift_ansible_path }}" +# register: run_ansible_out -- name: display run ansible stdout_lines - debug: - var: run_ansible_out.stdout_lines +#- name: display run ansible stdout_lines +# debug: +# var: run_ansible_out.stdout_lines -- name: display run ansible stderr - debug: - var: run_ansible_out.stderr +#- name: display run ansible stderr +# debug: +# var: run_ansible_out.stderr From 8cbfe3118a9acfd59798ebbd186e03963e9ff427 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 11 May 2017 18:07:25 +0000 Subject: [PATCH 049/308] ADd repos Signed-off-by: Patrick Uiterwijk --- playbooks/groups/os-cluster.yml | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 55e9efc32b..a42aa75bf1 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -23,6 +23,13 @@ - sudo tasks: + - name: put openshift 3.4 repo on os- systems + copy: src="{{ files }}/openshift/openshift.repo" dest="/etc/yum.repos.d/openshift.repo" + tags: + - config + - packages + - yumrepos + - name: Deploy controller public ssh keys to osbs cluster hosts authorized_key: user: root From 9c65e7695822a876079fb085645e24d3e23c8786 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 11 May 2017 18:10:33 +0000 Subject: [PATCH 050/308] and make sure you look at proxies for proxies stuff --- roles/nagios_server/files/nagios/services/websites.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios_server/files/nagios/services/websites.cfg b/roles/nagios_server/files/nagios/services/websites.cfg index cb77793b1d..5d9f92f6d1 100644 --- a/roles/nagios_server/files/nagios/services/websites.cfg +++ b/roles/nagios_server/files/nagios/services/websites.cfg @@ -139,7 +139,7 @@ define service { } define service { - hostgroup_name moby-registry + hostgroup_name proxies service_description http-moby-registry check_command check_website!registry.fedoraproject.org!/v2/!{} max_check_attempts 8 From 0d92052a75aaa0586850b74697d0a031f99b5a6d Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 11 May 2017 18:11:10 +0000 Subject: [PATCH 051/308] Containerized does not work Signed-off-by: Patrick Uiterwijk --- playbooks/groups/os-cluster.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index a42aa75bf1..8f68b79803 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml 
@@ -98,7 +98,7 @@ openshift_ansible_version: "openshift-ansible-3.4.88-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: true, - openshift_ansible_containerized_deploy: true, + openshift_ansible_containerized_deploy: false, openshift_cluster_masters_group: "os-masters-stg", openshift_cluster_nodes_group: "os-nodes-stg", openshift_cluster_infra_group: "os-nodes-stg", From 780506c8368aa2ccc8380731ed4c51f43086e56c Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 11 May 2017 18:48:24 +0000 Subject: [PATCH 052/308] and we have a bunch of fixes --- roles/nagios_server/files/nagios/services/websites.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios_server/files/nagios/services/websites.cfg b/roles/nagios_server/files/nagios/services/websites.cfg index 5d9f92f6d1..fcd94e6598 100644 --- a/roles/nagios_server/files/nagios/services/websites.cfg +++ b/roles/nagios_server/files/nagios/services/websites.cfg @@ -141,7 +141,7 @@ define service { define service { hostgroup_name proxies service_description http-moby-registry - check_command check_website!registry.fedoraproject.org!/v2/!{} + check_command check_website_ssl!registry.fedoraproject.org!/v2/!{} max_check_attempts 8 use websitetemplate } From 01208a60947aed095394cfc3afb662aab935f6ca Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 18:52:44 +0000 Subject: [PATCH 053/308] fix openshift_master_ha for os-cluster Signed-off-by: Adam Miller --- playbooks/groups/os-cluster.yml | 4 ++-- roles/ansible-ansible-openshift-ansible/defaults/main.yml | 8 +++++++- .../templates/cluster-inventory.j2 | 6 +++--- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 8f68b79803..0e6b05e9e3 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml 
@@ -61,7 +61,7 @@ dest: "/etc/hosts" owner: root mode: 0644 - + - name: deploy private key to control hosts copy: src: "{{private}}/files/os/{{env}}/control_key" @@ -104,7 +104,7 @@ openshift_cluster_infra_group: "os-nodes-stg", openshift_auth_profile: "fedoraidp-stg", openshift_cluster_url: "{{os_url}}", - openshift_master_ha: false, + openshift_master_ha: true, openshift_debug_level: 2, openshift_deployment_type: "openshift-enterprise", openshift_cluster_url: "{{ os_url}}", diff --git a/roles/ansible-ansible-openshift-ansible/defaults/main.yml b/roles/ansible-ansible-openshift-ansible/defaults/main.yml index afbafaed86..404e933379 100644 --- a/roles/ansible-ansible-openshift-ansible/defaults/main.yml +++ b/roles/ansible-ansible-openshift-ansible/defaults/main.yml @@ -15,7 +15,13 @@ openshift_auth_profile: osbs # Do we want OpenShift itself to be containerized? # This is a requirement if using Atomic Host -openshift_ansible_containerized_deploy: true +# +# As of v3.5.x this would mean that all our systems would completely go down +# in the event the docker daemon were to restart or crash. +# +# In the future (as of v3.6 devel branch), this is done with system containers +# and won't be bound to the docker daemon. +openshift_ansible_containerized_deploy: false # OpenShift Cluster URL # Example: openshift.fedoraproject.org diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 52f27f8151..69ef81bc0a 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 
@@ -147,8 +147,6 @@ openshift_install_examples={{openshift_ansible_install_examples}} # Additional yum repos to install #openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://example.com/puddle/build/AtomicOpenShift/3.1/latest/RH7-RHOSE-3.0/$basearch/os', 'enabled': 1, 'gpgcheck': 0}] -# htpasswd auth -openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}] # Defining htpasswd users #openshift_master_htpasswd_users={'user1': '', 'user2': ''} # or @@ -165,7 +163,7 @@ openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "cha {% endif %} {% if openshift_auth_profile == "fedoraidp-stg" %} -openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_stg_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token"}, "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}] +openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_stg_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}] {% endif %} # Allow all auth 
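Review bot: The identity-provider line changed in the second hunk (`@@ -165,7 +163,7 @@`) renders `{{openshift_stg_client_secret}}` in clear text into the generated cluster inventory. The task that writes that file lives in this role's tasks/main.yml, outside this hunk, and the lines of it visible in this series show only `src` and `dest`, so the file presumably lands with default permissions. Setting `mode: 0600` and `owner: root` on that template task would keep the OpenID client secret readable only by the account that runs the installer.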
@@ -213,6 +211,7 @@ openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "cha # or #openshift_master_request_header_ca_file= +{% if openshift_master_ha is defined %} {% if openshift_master_ha %} # Native high availability cluster method with optional load balancer. # If no lb group is defined, the installer assumes that a load balancer has @@ -224,6 +223,7 @@ openshift_master_cluster_method=native openshift_master_cluster_hostname={{openshift_cluster_url}} openshift_master_cluster_public_hostname={{openshift_cluster_url}} {% endif %} +{% endif %} # Override the default controller lease ttl #osm_controller_lease_ttl=30 From cdc02dafbf969e97511c40ec4a6ff6f3ada0c3b9 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 19:17:18 +0000 Subject: [PATCH 054/308] fix fedoraidp for os-cluster Signed-off-by: Adam Miller --- .../templates/cluster-inventory.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 69ef81bc0a..4effb9d7ad 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 
@@ -159,7 +159,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', {% endif %} {% if openshift_auth_profile == "fedoraidp" %} -openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token"}, "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}] +openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}] {% endif %} {% if openshift_auth_profile == "fedoraidp-stg" %} From bbe6c25b6f46ab351462c655e69217b35532edbf Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 11 May 2017 19:49:31 +0000 Subject: [PATCH 055/308] try os-master proxy setup Signed-off-by: Ricky Elrod --- playbooks/include/proxies-reverseproxy.yml | 6 ++++++ playbooks/include/proxies-websites.yml | 6 ++++++ roles/haproxy/files/os-master.staging.pem | 18 ++++++++++++++++++ roles/haproxy/tasks/main.yml | 1 + roles/haproxy/templates/haproxy.cfg | 10 +++++++++- 5 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 roles/haproxy/files/os-master.staging.pem 
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 5016da198b..e3de581376 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -608,6 +608,12 @@ proxyurl: http://localhost:10062 keephost: true + - role: httpd/reverseproxy + website: os.fedoraproject.org + destname: os + proxyurl: http://localhost:10064 + keephost: true + - role: httpd/reverseproxy website: data-analysis.fedoraproject.org destname: awstats diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 25492a02c3..25713e8b64 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -556,6 +556,12 @@ sslonly: true cert_name: "{{wildcard_cert_name}}" + - role: httpd/website + name: os.fedoraproject.org + server_aliases: [os.stg.fedoraproject.org] + sslonly: true + cert_name: "{{wildcard_cert_name}}" + - role: httpd/website name: registry.fedoraproject.org server_aliases: [registry.stg.fedoraproject.org] diff --git a/roles/haproxy/files/os-master.staging.pem b/roles/haproxy/files/os-master.staging.pem new file mode 100644 index 0000000000..a7670fd2c7 --- /dev/null +++ b/roles/haproxy/files/os-master.staging.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu +c2hpZnQtc2lnbmVyQDE0OTQ1MjgxNDAwHhcNMTcwNTExMTg0MjE5WhcNMjIwNTEw +MTg0MjIwWjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE0OTQ1MjgxNDAw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCjeVJrc9OaedEPF/TDYV5N ++p696vk3q7uFHm09gX7moMzf/IKxKhX3RNWdpJI9eThF2tlxXvP7j9aOb6kQWFih +FSgQmJuQ290hH+rVzlb/s157bqqcuaUogputpMd8a2PzrSMXIXfnF2H8Et3ls63H +fMB2uE5P24LKmsbXaTcaERyQjOOmf6+ApGJZvFb9y+1ZBJJ3b8P1tt+CKAklG7gl +/29TEw4wy6O/1zfGoY1Sb/hlViJi3DWluCn4Ps41w3r0tObjiCKXzdGDlyRoMyYY +Ckd4Z89LEnJ8tY+k/gUeLFRF5pQYv0eeej6JGq6p+ZCcDeDO2xPWNQhnp3/pLgQB +AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQAciUUjlfScGmF5z7RSEsIttA7sDHzwnOt0l+iWhCbtFXhl +yisMQLcPtsR0IprDCd8UQiuOH5c7em4BitZ0ulsgPak3nfO2o/IxA6hrFevCwGg7 +J5IAzvdfPhPb8jYxv1k7tBApEsKi6uiZyWowT1uFFbcWLeZvq1b2SDblV/cl/RrU +XP0tv6LhT/0lqabeWiBXxe4Bf8iVujJOdFMkasaXYKu859pGxbxDDF0GvvM87iPy +b4CYRdmIEJfQiP8nHJc+dfB9hYXH0Slq9o9NEeF0q2JwVt+C8bDCCQW0VaCY+6MB +LNUjceqD/+nenyps0KpzyuPEzVXU3sRMtIjYoskB +-----END CERTIFICATE----- diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index 1552e9c1ba..fde8d317dd 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -36,6 +36,7 @@ owner=root group=root mode=0600 with_items: - { file: "ipa.{{env}}.pem", dest: /etc/haproxy/ipa.pem } + - { file: "os-master.{{env}}.pem", dest: /etc/haproxy/os-master.pem } tags: - haproxy diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index f94cacf222..462eea0f77 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
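Review bot: The added `with_items` entry resolves to `os-master.{{env}}.pem` in every environment, but this commit only creates `roles/haproxy/files/os-master.staging.pem`, so the copy would presumably fail wherever env is not staging. The haproxy.cfg block that reads the file is wrapped in `{% if env == "staging" %}`, and the copy needs the same restriction, for example its own task with `when: env == "staging"`. The task this list belongs to starts above the hunk.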
@@ -421,13 +421,21 @@ listen kojipkgs 0.0.0.0:10062 option httpchk GET / {% endif %} - listen mbs 0.0.0.0:10063 balance hdr(appserver) server mbs-frontend01 mbs-frontend01:80 check inter 20s rise 2 fall 3 server mbs-frontend02 mbs-frontend02:80 check inter 20s rise 2 fall 3 option httpchk GET /module-build-service/1/module-builds/ +{% if env == "staging" %} +listen ipa 0.0.0.0:10064 + balance hdr(appserver) + server os-master01 os-master01:8443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + server os-master01 os-master02:8443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + server os-master01 os-master02:8443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + option httpchk GET / +{% endif %} + # Apache doesn't handle the initial connection here like the other proxy # entries. This proxy also doesn't use the http mode like the others. From 061cb575b44af88e60b9372d2173e57d915d02fd Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 11 May 2017 19:58:14 +0000 Subject: [PATCH 056/308] happy, puiterwijk? Signed-off-by: Ricky Elrod --- roles/haproxy/templates/haproxy.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 462eea0f77..4c960699bf 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -428,7 +428,7 @@ listen mbs 0.0.0.0:10063 option httpchk GET /module-build-service/1/module-builds/ {% if env == "staging" %} -listen ipa 0.0.0.0:10064 +listen os-master 0.0.0.0:10064 balance hdr(appserver) server os-master01 os-master01:8443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem server os-master01 os-master02:8443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem From fe7802aa8a0a99d27d8570a9dcc214acc731b249 Mon Sep 17 00:00:00 2001 
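Review bot: All three added `server` lines are named `os-master01`, and the second and third both point at `os-master02:8443`, so the listener reaches at most two distinct masters and haproxy will complain about the duplicate server names. Each line needs its own name matching its address, e.g. `server os-master02 os-master02:8443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem`, with the third presumably meant for another master. The same three lines are carried unchanged into the later hunk that moves the port to 443. The listener also binds 0.0.0.0 although the reverse proxy entry targets `http://localhost:10064`; unless a firewall rule covers the port, binding to `127.0.0.1:10064` would keep the plaintext hop to the cluster API local.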
From: Kevin Fenzi Date: Thu, 11 May 2017 20:14:02 +0000 Subject: [PATCH 057/308] set s390x builders to use kojipkgs-cache01 locally --- roles/koji_builder/templates/kojid.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf index e1594b932f..c268725408 100644 --- a/roles/koji_builder/templates/kojid.conf +++ b/roles/koji_builder/templates/kojid.conf @@ -18,7 +18,9 @@ rpmbuild_timeout=172800 use_createrepo_c=True -{% if koji_topurl == 'https://kojipkgs.fedoraproject.org/' %} +{% if 'buildvm-s390x' in group_names %} +topurl = http://kojipkgs-cache.s390.fedoraproject.org +{% elif koji_topurl == 'https://kojipkgs.fedoraproject.org/' %} ; add some additional urls for failover topurl = {{koji_topurl}} https://kojipkgs01.fedoraproject.org https://kojipkgs02.fedoraproject.org {% else %} From 0ef616444b97c4f1a378c43d572c1681bd71a8f1 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 20:25:31 +0000 Subject: [PATCH 058/308] add openshift port definitions to a-a-o-a role and os-cluster Signed-off-by: Adam Miller --- playbooks/groups/os-cluster.yml | 2 ++ .../defaults/main.yml | 5 +++++ .../templates/cluster-inventory.j2 | 10 ++++++++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 0e6b05e9e3..13acb1cbb2 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -109,6 +109,8 @@ openshift_deployment_type: "openshift-enterprise", openshift_cluster_url: "{{ os_url}}", openshift_app_subdomain: "{{ os_app_url }}", + openshift_api_port: 443, + openshift_console_port: 443, when: env == 'staging', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } diff --git a/roles/ansible-ansible-openshift-ansible/defaults/main.yml b/roles/ansible-ansible-openshift-ansible/defaults/main.yml index 404e933379..243d855e32 100644 
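Review bot: The new s390x branch sets `topurl = http://kojipkgs-cache.s390.fedoraproject.org`, so those builders fetch build inputs over cleartext HTTP while the other branch in the same block uses https URLs. Whether anything downstream verifies what is fetched is not visible here, so transport integrity is the only protection this hunk shows. If the cache host can serve TLS, `topurl = https://kojipkgs-cache.s390.fedoraproject.org` keeps the builders consistent; otherwise a comment such as `; cleartext on purpose: cache is only reachable on the s390 build network` should record the assumption.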
--- a/roles/ansible-ansible-openshift-ansible/defaults/main.yml +++ b/roles/ansible-ansible-openshift-ansible/defaults/main.yml @@ -27,6 +27,11 @@ openshift_ansible_containerized_deploy: false # Example: openshift.fedoraproject.org openshift_cluster_url: None +# OpenShift Console and API listening ports +# These default to 8443 in openshift-ansible +openshift_api_port: 8443 +openshift_console_port: 8443 + # OpenShift Applications Ingress subdomain (OpenShift routes) openshift_app_subdomain: None diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 4effb9d7ad..cddce6d487 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -592,8 +592,14 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} #osm_host_subnet_length=9 # Configure master API and console ports. -#openshift_master_api_port=8443 -#openshift_master_console_port=8443 +# These will default to 8443 +{% if openshift_api_port is defined and openshift_console_port is defined %} +{% if openshift_api port and openshift_console_port %} +openshift_master_api_port={{openshift_api_port}} +openshift_master_console_port={{openshift_console_port}} +{% endif %} +{% endif %} + # set RPM version for debugging purposes #openshift_pkg_version=-3.1.0.0 From d0e264953b03c98eaafe414aed757b5879c43cee Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 11 May 2017 20:35:48 +0000 Subject: [PATCH 059/308] fix typo in openshift port settings Signed-off-by: Adam Miller --- .../templates/cluster-inventory.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index cddce6d487..c5d911fb4e 100644 
--- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -594,7 +594,7 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} # Configure master API and console ports. # These will default to 8443 {% if openshift_api_port is defined and openshift_console_port is defined %} -{% if openshift_api port and openshift_console_port %} +{% if openshift_api_port and openshift_console_port %} openshift_master_api_port={{openshift_api_port}} openshift_master_console_port={{openshift_console_port}} {% endif %} From 64cf041fc2bd9f20596dda798153aba7a24c053e Mon Sep 17 00:00:00 2001 From: Brian Stinson Date: Thu, 11 May 2017 15:46:48 -0500 Subject: [PATCH 060/308] add the public fedmsg relay for ci.centos.org to the fedora staging infrastructure --- roles/fedmsg/base/tasks/main.yml | 1 + roles/fedmsg/base/templates/endpoints-cico.py.j2 | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 roles/fedmsg/base/templates/endpoints-cico.py.j2 diff --git a/roles/fedmsg/base/tasks/main.yml b/roles/fedmsg/base/tasks/main.yml index a2f855e78b..a79abefeb0 100644 --- a/roles/fedmsg/base/tasks/main.yml +++ b/roles/fedmsg/base/tasks/main.yml @@ -106,6 +106,7 @@ - ssl.py - endpoints.py - endpoints-anitya.py + - endpoints-cico.py - endpoints-pagure.py - endpoints-fedocal.py - endpoints-fedbadges.py diff --git a/roles/fedmsg/base/templates/endpoints-cico.py.j2 b/roles/fedmsg/base/templates/endpoints-cico.py.j2 new file mode 100644 index 0000000000..68b0da0617 --- /dev/null +++ b/roles/fedmsg/base/templates/endpoints-cico.py.j2 @@ -0,0 +1,11 @@ +# This tells nodes to pull messages from ci.centos.org + +config = dict( + {% if env == 'staging' %} + endpoints={ + "centos-ci-public-relay": [ + "tcp://fedmsg-relay.ci.centos.org:9940", + ], + }, + {% endif %} +) From ee347d51790edc7d7e176646ffb0f4e056e85644 Mon Sep 17 00:00:00 2001 
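Review bot: The header comment in endpoints-cico.py.j2 says nodes pull messages from ci.centos.org, but the endpoint is only emitted when `env == 'staging'` and everywhere else the file renders an empty `config = dict()`. The comment should say so, e.g. `# Staging only: subscribe to the public fedmsg relay at ci.centos.org (outside Fedora infrastructure)`. Whether messages arriving from this relay pass signature validation depends on fedmsg settings that are not part of this hunk, which is worth confirming before consumers act on them.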
From: Patrick Uiterwijk Date: Thu, 11 May 2017 21:13:25 +0000 Subject: [PATCH 061/308] Build all VMs at the same time Signed-off-by: Patrick Uiterwijk --- playbooks/groups/os-cluster.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 13acb1cbb2..9f76498e61 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -1,6 +1,5 @@ # create an os server -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=os-control-stg:os-control" -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=os-nodes-stg:os-masters-stg:os-nodes:os-masters" +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=os-control-stg:os-control:os-nodes-stg:os-masters-stg:os-nodes:os-masters" - name: make the box be real hosts: os-control:os-control-stg:os-masters-stg:os-nodes-stg:os-masters:os-nodes From cd1157b42dce20aa0d0b39a1f13dfa4df31e0561 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 11 May 2017 21:14:17 +0000 Subject: [PATCH 062/308] Remove duplicate entry Signed-off-by: Patrick Uiterwijk --- playbooks/groups/os-cluster.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 9f76498e61..86b388117b 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -102,7 +102,6 @@ openshift_cluster_nodes_group: "os-nodes-stg", openshift_cluster_infra_group: "os-nodes-stg", openshift_auth_profile: "fedoraidp-stg", - openshift_cluster_url: "{{os_url}}", openshift_master_ha: true, openshift_debug_level: 2, openshift_deployment_type: "openshift-enterprise", From bb880fdaef7ccd4debbac1bfcedc966b5a7785cf Mon Sep 17 00:00:00 2001 
From: Stephen Smoogen Date: Thu, 11 May 2017 21:16:32 +0000 Subject: [PATCH 063/308] and we need to use real directories --- roles/nagios_server/files/nagios/services/disk.cfg | 4 ++-- roles/nagios_server/files/nrpe/nrpe.cfg | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/nagios_server/files/nagios/services/disk.cfg b/roles/nagios_server/files/nagios/services/disk.cfg index 984cc2d01f..c59ccbb27f 100644 --- a/roles/nagios_server/files/nagios/services/disk.cfg +++ b/roles/nagios_server/files/nagios/services/disk.cfg @@ -70,8 +70,8 @@ define service { define service { hostgroup_name people - service_description Disk space /projects - check_command check_by_nrpe!check_disk_/projects/ + service_description Disk space /project + check_command check_by_nrpe!check_disk_/project/ use disktemplate } diff --git a/roles/nagios_server/files/nrpe/nrpe.cfg b/roles/nagios_server/files/nrpe/nrpe.cfg index 809d3566e1..e06f838856 100644 --- a/roles/nagios_server/files/nrpe/nrpe.cfg +++ b/roles/nagios_server/files/nrpe/nrpe.cfg @@ -301,7 +301,7 @@ command[check_disk_/srv/taskotron]=/usr/lib64/nagios/plugins/check_disk -w 20% - command[check_disk_/var/lib64/mock]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/mock command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /var/log command[check_disk_/srv/cache/lookaside]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/cache/lookaside -command[check_disk_/projects/]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /projects/ +command[check_disk_/project/]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /project/ command[check_disk_/var/lib/registry]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /projects/ command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 15 -c 25 -s Z command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 900 -c 1000 From 485147d6aa5ec79013fcbcb1f6d250b36cd17498 Mon Sep 17 00:00:00 2001 
From: Adam Miller Date: Thu, 11 May 2017 21:16:39 +0000 Subject: [PATCH 064/308] switch os-cluster to openshift v3.5 Signed-off-by: Adam Miller --- playbooks/groups/os-cluster.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 86b388117b..db2f92822f 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -91,10 +91,10 @@ - { role: ansible-ansible-openshift-ansible, cluster_inventory_filename: "cluster-inventory-stg", - openshift_release: "v3.4", + openshift_release: "v3.5", openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_playbook: "playbooks/byo/config.yml", - openshift_ansible_version: "openshift-ansible-3.4.88-1", + openshift_ansible_version: "openshift-ansible-3.5.70-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: true, openshift_ansible_containerized_deploy: false, From e69ba5c193c7eed7edd8e9ea8f64dee62352aadb Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 11 May 2017 21:21:26 +0000 Subject: [PATCH 065/308] USe Openshift 3.5 Signed-off-by: Patrick Uiterwijk --- files/openshift/openshift.repo | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/files/openshift/openshift.repo b/files/openshift/openshift.repo index 91dc0c0f07..172e19bb8d 100644 --- a/files/openshift/openshift.repo +++ b/files/openshift/openshift.repo @@ -1,4 +1,4 @@ -[rhel7-openshift-3.4] -name = rhel7 openshift 3.4 $basearch -baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.4-rpms/ +[rhel7-openshift-3.5] +name = rhel7 openshift 3.5 $basearch +baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.5-rpms/ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release From 572273d27725b30cc69df3bd3ee83fc56640f085 Mon Sep 17 00:00:00 2001 
From: Stephen Smoogen Date: Thu, 11 May 2017 21:30:00 +0000 Subject: [PATCH 066/308] let us try this --- roles/nagios_server/files/nrpe/nrpe.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios_server/files/nrpe/nrpe.cfg b/roles/nagios_server/files/nrpe/nrpe.cfg index e06f838856..d7e1e4f8b1 100644 --- a/roles/nagios_server/files/nrpe/nrpe.cfg +++ b/roles/nagios_server/files/nrpe/nrpe.cfg @@ -302,7 +302,7 @@ command[check_disk_/var/lib64/mock]=/usr/lib64/nagios/plugins/check_disk -w 20% command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /var/log command[check_disk_/srv/cache/lookaside]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/cache/lookaside command[check_disk_/project/]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /project/ -command[check_disk_/var/lib/registry]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /projects/ +command[check_disk_/var/lib/registry]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/registry command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 15 -c 25 -s Z command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 900 -c 1000 command[check_swap]=/usr/lib64/nagios/plugins/check_swap -w 15% -c 10% From 8f89c1bb654c23d97077a7f5033da11d9407f906 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 11 May 2017 21:41:03 +0000 Subject: [PATCH 067/308] can we put together disks --- .../nagios_client/templates/check_disk.cfg.j2 | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/roles/nagios_client/templates/check_disk.cfg.j2 b/roles/nagios_client/templates/check_disk.cfg.j2 index d2b64c5c88..de21bea478 100644 --- a/roles/nagios_client/templates/check_disk.cfg.j2 +++ b/roles/nagios_client/templates/check_disk.cfg.j2 
@@ -1,7 +1,15 @@ -command[check_disk_/]={{ libdir }}/nagios/plugins/check_disk -w 14% -c 10% -p / -command[check_disk_/boot]={{ libdir }}/nagios/plugins/check_disk -w 15% -c 10% -p /boot -command[check_disk_/srv/cache/lookaside]={{ libdir }}/nagios/plugins/check_disk -w 20% -c 10% -p /srv/cache/lookaside -command[check_disk_/srv]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv +command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p / +command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /boot +command[check_disk_/git]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /git +command[check_disk_/mnt/koji]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /mnt/koji +command[check_disk_/postgreslogs]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /postgreslogs +command[check_disk_/project/]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /project/ command[check_disk_/srv/buildmaster]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/buildmaster +command[check_disk_/srv/cache/lookaside]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/cache/lookaside +command[check_disk_/srv/diskimages]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/diskimages command[check_disk_/srv/taskotron]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/taskotron -command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 15% -p /var/log +command[check_disk_/srv]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv +command[check_disk_/u01]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /u01 +command[check_disk_/var/lib/registry]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/registry +command[check_disk_/var/lib64/mock]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/mock +command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /var/log 
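Review bot: Every added command hard-codes `/usr/lib64/nagios/plugins/check_disk`, where the removed lines for `/`, `/boot` and `/srv/cache/lookaside` used `{{ libdir }}`; on a client whose plugins live elsewhere all of these checks would fail to run rather than report disk usage. Keeping the variable, as in `command[check_disk_/]={{ libdir }}/nagios/plugins/check_disk -w 15% -c 10% -p /`, preserves what the template did before. The added `check_disk_/var/lib64/mock` entry also checks `-p /var/lib/mock`, so the command name and the path it monitors disagree.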
From 03560df291bb1d87077bdd01f751ac34d01d41f8 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 11 May 2017 21:27:51 +0000 Subject: [PATCH 068/308] Run the playbook Signed-off-by: Patrick Uiterwijk --- .../tasks/main.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index bf1ef9b613..33637099d8 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml @@ -20,19 +20,19 @@ src: "cluster-inventory.j2" dest: "{{ openshift_ansible_path }}/{{ cluster_inventory_filename }}" -#- name: run ansible -# shell: "ansible-playbook {{ openshift_ansible_playbook }} -i {{ cluster_inventory_filename }}" -# args: -# chdir: "{{ openshift_ansible_path }}" -# register: run_ansible_out +- name: run ansible + shell: "ansible-playbook {{ openshift_ansible_playbook }} -i {{ cluster_inventory_filename }}" + args: + chdir: "{{ openshift_ansible_path }}" + register: run_ansible_out -#- name: display run ansible stdout_lines -# debug: -# var: run_ansible_out.stdout_lines +- name: display run ansible stdout_lines + debug: + var: run_ansible_out.stdout_lines -#- name: display run ansible stderr -# debug: -# var: run_ansible_out.stderr +- name: display run ansible stderr + debug: + var: run_ansible_out.stderr From 4a5126fb84004396ee1aa4604e4241fe161a6835 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 11 May 2017 21:34:50 +0000 Subject: [PATCH 069/308] os api is moved to 443 Signed-off-by: Patrick Uiterwijk --- roles/haproxy/templates/haproxy.cfg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 4c960699bf..f751f8dcd2 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
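Review bot: The re-enabled `run ansible` task uses `shell:` although the command line has no pipes, redirects or globbing, so the templated variables pass through a shell for no benefit. `command: "ansible-playbook {{ openshift_ansible_playbook }} -i {{ cluster_inventory_filename }}"` with the same `args: chdir:` runs the same thing without shell interpretation of the variable values. The task also has no `changed_when` or guard, so the cluster playbook is re-run on every play of this role; if that is intended, a comment saying so would help.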
@@ -430,9 +430,9 @@ listen mbs 0.0.0.0:10063 {% if env == "staging" %} listen os-master 0.0.0.0:10064 balance hdr(appserver) - server os-master01 os-master01:8443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem - server os-master01 os-master02:8443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem - server os-master01 os-master02:8443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + server os-master01 os-master01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + server os-master01 os-master02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + server os-master01 os-master02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem option httpchk GET / {% endif %} From 5b223fd084f83bf5a550236b0882cee9b0e01e7c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 11 May 2017 21:49:11 +0000 Subject: [PATCH 070/308] revert it --- roles/koji_builder/templates/kojid.conf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf index c268725408..e1594b932f 100644 --- a/roles/koji_builder/templates/kojid.conf +++ b/roles/koji_builder/templates/kojid.conf @@ -18,9 +18,7 @@ rpmbuild_timeout=172800 use_createrepo_c=True -{% if 'buildvm-s390x' in group_names %} -topurl = http://kojipkgs-cache.s390.fedoraproject.org -{% elif koji_topurl == 'https://kojipkgs.fedoraproject.org/' %} +{% if koji_topurl == 'https://kojipkgs.fedoraproject.org/' %} ; add some additional urls for failover topurl = {{koji_topurl}} https://kojipkgs01.fedoraproject.org https://kojipkgs02.fedoraproject.org {% else %} From 2a2a761f0ab02f664d50226c6a6a5810b52b6784 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 01:27:57 +0000 Subject: [PATCH 071/308] Redploy once more 
Signed-off-by: Patrick Uiterwijk --- .../tasks/main.yml | 22 +++++++++---------- .../templates/cluster-inventory.j2 | 2 +- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/tasks/main.yml b/roles/ansible-ansible-openshift-ansible/tasks/main.yml index 33637099d8..bf1ef9b613 100644 --- a/roles/ansible-ansible-openshift-ansible/tasks/main.yml +++ b/roles/ansible-ansible-openshift-ansible/tasks/main.yml @@ -20,19 +20,19 @@ src: "cluster-inventory.j2" dest: "{{ openshift_ansible_path }}/{{ cluster_inventory_filename }}" -- name: run ansible - shell: "ansible-playbook {{ openshift_ansible_playbook }} -i {{ cluster_inventory_filename }}" - args: - chdir: "{{ openshift_ansible_path }}" - register: run_ansible_out +#- name: run ansible +# shell: "ansible-playbook {{ openshift_ansible_playbook }} -i {{ cluster_inventory_filename }}" +# args: +# chdir: "{{ openshift_ansible_path }}" +# register: run_ansible_out -- name: display run ansible stdout_lines - debug: - var: run_ansible_out.stdout_lines +#- name: display run ansible stdout_lines +# debug: +# var: run_ansible_out.stdout_lines -- name: display run ansible stderr - debug: - var: run_ansible_out.stderr +#- name: display run ansible stderr +# debug: +# var: run_ansible_out.stderr diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index c5d911fb4e..0dbf9e3c6c 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 
@@ -220,7 +220,7 @@ openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "cha # or to one or all of the masters defined in the inventory if no load # balancer is present. openshift_master_cluster_method=native -openshift_master_cluster_hostname={{openshift_cluster_url}} +openshift_master_cluster_hostname={{openshift_internal_cluster_url}} openshift_master_cluster_public_hostname={{openshift_cluster_url}} {% endif %} {% endif %} From 6082d50deeba70489444c291472774c207a255c2 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 01:33:00 +0000 Subject: [PATCH 072/308] Set interan lhostname Signed-off-by: Patrick Uiterwijk --- playbooks/groups/os-cluster.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index db2f92822f..7005c258b6 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -107,6 +107,7 @@ openshift_deployment_type: "openshift-enterprise", openshift_cluster_url: "{{ os_url}}", openshift_app_subdomain: "{{ os_app_url }}", + openshift_internal_cluster_url: "os-masters{{ env_suffix }}.phx2.fedoraproject.org", openshift_api_port: 443, openshift_console_port: 443, when: env == 'staging', From 7de4b6f0b71aa31440821cb69b423b41bdc3a370 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 02:21:51 +0000 Subject: [PATCH 073/308] Add ose3.4 Signed-off-by: Patrick Uiterwijk --- files/openshift/openshift.repo | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/files/openshift/openshift.repo b/files/openshift/openshift.repo index 172e19bb8d..b4dbadbd97 100644 --- a/files/openshift/openshift.repo +++ b/files/openshift/openshift.repo 
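Review bot: `openshift_master_cluster_hostname` now reads `{{openshift_internal_cluster_url}}`, a variable this commit neither defines nor gives a role default, so any caller that sets `openshift_master_ha` true without it would hit an undefined-variable error when the template renders. A following commit sets it for the staging os-cluster play only. A fallback keeps the previous behaviour for everyone else: `openshift_master_cluster_hostname={{openshift_internal_cluster_url | default(openshift_cluster_url)}}`. The enclosing `{% if openshift_master_ha %}` block starts above the hunk.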
@@ -1,3 +1,8 @@ +[rhel7-openshift-3.4] +name = rhel7 openshift 3.4 $basearch +baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.4-rpms/ +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + [rhel7-openshift-3.5] name = rhel7 openshift 3.5 $basearch baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.5-rpms/ From 2b365b3c3221a5ac346f5d16d5d36c31c9fa0910 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 02:34:39 +0000 Subject: [PATCH 074/308] Add the newest openshift cert Signed-off-by: Patrick Uiterwijk --- roles/haproxy/files/os-master.staging.pem | 28 +++++++++++------------ 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/haproxy/files/os-master.staging.pem b/roles/haproxy/files/os-master.staging.pem index a7670fd2c7..0607b940b9 100644 --- a/roles/haproxy/files/os-master.staging.pem +++ b/roles/haproxy/files/os-master.staging.pem 
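Review bot: The added `[rhel7-openshift-3.4]` stanza has an `http://` baseurl and a `gpgkey` but no `gpgcheck` line, so whether packages from it are signature-checked depends on the host's global yum configuration, which is not visible here. Adding `gpgcheck=1` to the stanza makes verification explicit, which matters more when the transport is cleartext. The `[rhel7-openshift-3.5]` stanza below it is only partly inside the hunk and appears to have the same shape.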
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu -c2hpZnQtc2lnbmVyQDE0OTQ1MjgxNDAwHhcNMTcwNTExMTg0MjE5WhcNMjIwNTEw -MTg0MjIwWjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE0OTQ1MjgxNDAw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCjeVJrc9OaedEPF/TDYV5N -+p696vk3q7uFHm09gX7moMzf/IKxKhX3RNWdpJI9eThF2tlxXvP7j9aOb6kQWFih -FSgQmJuQ290hH+rVzlb/s157bqqcuaUogputpMd8a2PzrSMXIXfnF2H8Et3ls63H -fMB2uE5P24LKmsbXaTcaERyQjOOmf6+ApGJZvFb9y+1ZBJJ3b8P1tt+CKAklG7gl -/29TEw4wy6O/1zfGoY1Sb/hlViJi3DWluCn4Ps41w3r0tObjiCKXzdGDlyRoMyYY -Ckd4Z89LEnJ8tY+k/gUeLFRF5pQYv0eeej6JGq6p+ZCcDeDO2xPWNQhnp3/pLgQB +c2hpZnQtc2lnbmVyQDE0OTQ1NTQzNzUwHhcNMTcwNTEyMDE1OTM0WhcNMjIwNTEx +MDE1OTM1WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE0OTQ1NTQzNzUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+kFhvCc6l54obuGp8wUna +wxEbSh1K8Ogk1Y3vXszYP6QmPM+n1nHhNNcS+O3TOIQgC28hMkVngcAm+RM/gSA3 +NJ7WdEQVd5oh7rFccGsevFI/g5ZMFikPfTdUjRDIExt5p6o0XL5t4ILkKtShAy3d +dwDV3/XwpZmqakab08kRDEEbyk3EJnLgL/xYOzO2t9jqfjt6tKJ922KA6Er/HoEJ +rXrKiJpxeKZZ3pEOiMu+W22Jalw4fj6+zonlKTbpO8H56gCMqb0Nuw/gIWX6KNbw +e1GJ4Lbj/VMxJFbQcMMQFdgPfPDmM6VpTpW3O1glATBaNaAsjjctWOJ1mfePNqaZ AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG -SIb3DQEBCwUAA4IBAQAciUUjlfScGmF5z7RSEsIttA7sDHzwnOt0l+iWhCbtFXhl -yisMQLcPtsR0IprDCd8UQiuOH5c7em4BitZ0ulsgPak3nfO2o/IxA6hrFevCwGg7 -J5IAzvdfPhPb8jYxv1k7tBApEsKi6uiZyWowT1uFFbcWLeZvq1b2SDblV/cl/RrU -XP0tv6LhT/0lqabeWiBXxe4Bf8iVujJOdFMkasaXYKu859pGxbxDDF0GvvM87iPy -b4CYRdmIEJfQiP8nHJc+dfB9hYXH0Slq9o9NEeF0q2JwVt+C8bDCCQW0VaCY+6MB -LNUjceqD/+nenyps0KpzyuPEzVXU3sRMtIjYoskB +SIb3DQEBCwUAA4IBAQCjIxo8fjGccBQBlNjT6KMs5CstoI3WNdOGVAo4mRUkphJ7 +DadlL5dmRYv5V5f3srxMCqQAFiVZrXAftO0jX/KlH0dHl5cZvZZ+rQKdsJ0k7Qi5 +KX/NjSfkP3HwkS9OSC7ZEtHVbSLWO58fS9iiH9NOFnAWy6IjBxMw3uVx73Fn4VvV +5M2NXcd+Jm4iRsM6+qtzwRPFt9etvQc/UU/D6vywsYUYXNhgwUeNEZnlVZZKaUeP +3SYwGmQSwU4+7pnRCkZUoXBgBHDUN/FxDH5XXoKiq5sNoddaBEIvw7niAg2v/4eW +J25gb8Yp4/PHPAYeViSbm43bIwFMxiYND16kHwbC -----END 
CERTIFICATE----- From 1412c9c9871d99a2bc39b286540936b41e1be7b1 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Fri, 12 May 2017 03:19:04 +0000 Subject: [PATCH 075/308] properly handle shared infra nodes for openshift in a-a-o-a role template Signed-off-by: Adam Miller --- playbooks/groups/os-cluster.yml | 1 + playbooks/groups/osbs-cluster.yml | 2 + .../defaults/main.yml | 3 ++ .../templates/cluster-inventory.j2 | 40 +++++++++++++++++++ 4 files changed, 46 insertions(+) diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 7005c258b6..312f938f0a 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -110,6 +110,7 @@ openshift_internal_cluster_url: "os-masters{{ env_suffix }}.phx2.fedoraproject.org", openshift_api_port: 443, openshift_console_port: 443, + openshift_shared_infra: true, when: env == 'staging', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 70ebd43d64..1a90db8473 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -215,6 +215,7 @@ openshift_cluster_url: "{{osbs_url}}", openshift_master_ha: false, openshift_debug_level: 2, + openshift_shared_infra: true, openshift_deployment_type: "origin", when: env == 'staging', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] @@ -238,6 +239,7 @@ openshift_cluster_url: "{{osbs_url}}", openshift_master_ha: false, openshift_debug_level: 2, + openshift_shared_infra: true, openshift_deployment_type: "origin", when: env == 'production', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] diff --git a/roles/ansible-ansible-openshift-ansible/defaults/main.yml b/roles/ansible-ansible-openshift-ansible/defaults/main.yml index 243d855e32..f0c635b58c 100644 --- a/roles/ansible-ansible-openshift-ansible/defaults/main.yml +++ b/roles/ansible-ansible-openshift-ansible/defaults/main.yml 
@@ -23,6 +23,9 @@ openshift_auth_profile: osbs # and won't be bound to the docker daemon. openshift_ansible_containerized_deploy: false +# This will co-host the infra nodes with the primary nodes +openshift_shared_infra: false + # OpenShift Cluster URL # Example: openshift.fedoraproject.org openshift_cluster_url: None diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 0dbf9e3c6c..8684e6f987 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -784,6 +784,24 @@ openshift_master_console_port={{openshift_console_port}} {{ host }} {% endfor %} +{% if openshift_shared_infra is defined %} +{% if openshift_shared_infra %} + +[lb] +{% for host in groups[openshift_cluster_nodes_group] %} +{{ host }} containerized=false +{% endfor %} + +[nodes] +{% for host in groups[openshift_cluster_masters_group] %} +{{ host }} openshift_schedulable=False +{% endfor %} +{% for host in groups[openshift_cluster_nodes_group] %} +{{ host }} openshift_node_labels="{'region': 'infra', 'zone': 'default'}" +{% endfor %} + +{% else %} + [lb] {% for host in groups[openshift_cluster_infra_group] %} {{ host }} containerized=false 
@@ -799,3 +817,25 @@ openshift_master_console_port={{openshift_console_port}} {% for host in groups[openshift_cluster_nodes_group] %} {{ host }} openshift_node_labels="{'region': 'primary', 'zone': 'default'}" {% endfor %} + +{% endif %} + +{% else %} + +[lb] +{% for host in groups[openshift_cluster_infra_group] %} +{{ host }} containerized=false +{% endfor %} + +[nodes] +{% for host in groups[openshift_cluster_infra_group] %} +{{ host }} openshift_node_labels="{'region':'infra'}" +{% endfor %} +{% for host in groups[openshift_cluster_masters_group] %} +{{ host }} openshift_schedulable=False +{% endfor %} +{% for host in groups[openshift_cluster_nodes_group] %} +{{ host }} openshift_node_labels="{'region': 'primary', 'zone': 'default'}" +{% endfor %} + +{% endif %} From 16585147d67bcfdb481f906ed22f26db56a3017c Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Fri, 12 May 2017 03:40:56 +0000 Subject: [PATCH 076/308] fix host group for shared_infra in a-a-o-a role Signed-off-by: Adam Miller --- .../templates/cluster-inventory.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 8684e6f987..29e4f0f2f5 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -788,7 +788,7 @@ openshift_master_console_port={{openshift_console_port}} {% if openshift_shared_infra %} [lb] -{% for host in groups[openshift_cluster_nodes_group] %} +{% for host in groups[openshift_cluster_masters_group] %} {{ host }} containerized=false {% endfor %} From 5e2fca70114465b61b02cf2823405da758919fc8 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Fri, 12 May 2017 03:47:24 +0000 Subject: [PATCH 077/308] remove lb group from a-a-o-a role template, we will never need it in the Infra 
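Review bot: The outer `{% if openshift_shared_infra is defined %}` … `{% else %}` wrapper adds a third copy of the `[lb]`/`[nodes]` block that can never render, because this same commit sets `openshift_shared_infra: false` in the role defaults and the variable is therefore always defined. Three copies of the node list are easy to update inconsistently. A single test, `{% if openshift_shared_infra | default(false) %}`, with one `{% else %}` branch would express the same thing. The template continues outside both hunks of this file.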
Signed-off-by: Adam Miller --- .../templates/cluster-inventory.j2 | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 29e4f0f2f5..1208835225 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -8,7 +8,6 @@ masters nodes etcd -lb # Add this if using nfs and have defined the nfs group #nfs @@ -787,11 +786,6 @@ openshift_master_console_port={{openshift_console_port}} {% if openshift_shared_infra is defined %} {% if openshift_shared_infra %} -[lb] -{% for host in groups[openshift_cluster_masters_group] %} -{{ host }} containerized=false -{% endfor %} - [nodes] {% for host in groups[openshift_cluster_masters_group] %} {{ host }} openshift_schedulable=False @@ -802,11 +796,6 @@ openshift_master_console_port={{openshift_console_port}} {% else %} -[lb] -{% for host in groups[openshift_cluster_infra_group] %} -{{ host }} containerized=false -{% endfor %} - [nodes] {% for host in groups[openshift_cluster_infra_group] %} {{ host }} openshift_node_labels="{'region':'infra'}" @@ -822,11 +811,6 @@ openshift_master_console_port={{openshift_console_port}} {% else %} -[lb] -{% for host in groups[openshift_cluster_infra_group] %} -{{ host }} containerized=false -{% endfor %} - [nodes] {% for host in groups[openshift_cluster_infra_group] %} {{ host }} openshift_node_labels="{'region':'infra'}" From 042da8f0d7b9fcca02182dfd5575f97ef425d763 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Kalu=C5=BEa?= Date: Fri, 12 May 2017 10:13:54 +0000 Subject: [PATCH 078/308] MBS: Remove module-* targets one hour after build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan Kaluža --- roles/mbs/common/templates/config.py | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/roles/mbs/common/templates/config.py b/roles/mbs/common/templates/config.py index 0c488fd29f..488fc7377e 100644 --- a/roles/mbs/common/templates/config.py +++ b/roles/mbs/common/templates/config.py @@ -147,6 +147,9 @@ class ProdConfiguration(BaseConfiguration): NUM_CONSECUTIVE_BUILDS = 20 + # Delete module-* targets one hour after build + KOJI_TARGET_DELETE_TIME = 3600 + # These aren't really secret. OIDC_CLIENT_SECRETS = path.join(confdir, 'client_secrets.json') OIDC_REQUIRED_SCOPE = 'https://mbs.fedoraproject.org/oidc/submit-build' From 8aaaa29017b2eb5159c59c829448e16262f11c77 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Fri, 12 May 2017 13:41:48 +0000 Subject: [PATCH 079/308] bump repo_tasks_limit to allow an increase in repos repo_tasks_limit defaults to 10, it sets the maximum repo tasks in total, combining both the rpm repos and unused in fedora maven repos. max_repo_tasks in the config was set to 15 but in reality we never had more than 10 due to the extra limitation. Both are set to 15 now Signed-off-by: Dennis Gilmore --- roles/koji_hub/templates/kojira.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/koji_hub/templates/kojira.conf.j2 b/roles/koji_hub/templates/kojira.conf.j2 index 65bfee828d..214fad3651 100644 --- a/roles/koji_hub/templates/kojira.conf.j2 +++ b/roles/koji_hub/templates/kojira.conf.j2 @@ -27,6 +27,7 @@ with_src=no ; prevent kojira from flooding the build system with newRepo tasks max_repo_tasks=15 +repo_tasks_limit=15 ; Server certificate authority krb_rdns=false From 424ff4d41f8db37ed059b603d9b121856c5937ca Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 14:21:50 +0000 Subject: [PATCH 080/308] Add extra scopes Signed-off-by: Patrick Uiterwijk --- .../templates/cluster-inventory.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index 1208835225..a8d13c2859 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -158,7 +158,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', {% endif %} {% if openshift_auth_profile == "fedoraidp" %} -openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_client_secret}}", "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}] +openshift_master_identity_providers=[{"name": "fedoraidp", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "openshift", "client_secret": "{{openshift_client_secret}}", "extraScopes": ["profile", "email", "https://id.fedoraproject.org/scope/groups"], "claims": {"id": ["sub"], "preferredUsername": ["sub"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", "token": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", "userInfo": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"}}] {% endif %} {% if openshift_auth_profile == "fedoraidp-stg" %} From 3fa5e3123bbe97fc02c673c565b48c14eb7c5f32 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 14:29:04 +0000 Subject: [PATCH 081/308] Create app.os.fp.o 
Signed-off-by: Patrick Uiterwijk --- playbooks/include/proxies-reverseproxy.yml | 6 ++++++ playbooks/include/proxies-websites.yml | 6 ++++++ roles/haproxy/templates/haproxy.cfg | 10 ++++++++-- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index e3de581376..2f5afdabe0 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -614,6 +614,12 @@ proxyurl: http://localhost:10064 keephost: true + - role: httpd/reverseproxy + website: app.os.fedoraproject.org + destname: app.os + proxyurl: http://localhost:10065 + keephost: true + - role: httpd/reverseproxy website: data-analysis.fedoraproject.org destname: awstats diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 25713e8b64..983f220eb0 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -562,6 +562,12 @@ sslonly: true cert_name: "{{wildcard_cert_name}}" + - role: httpd/website + name: app.os.fedoraproject.org + server_aliases: ["*.app.os.fedoraproject.org", "*.app.os.stg.fedoraproject.org"] + sslonly: true + cert_name: "{{wildcard_cert_name}}" + - role: httpd/website name: registry.fedoraproject.org server_aliases: [registry.stg.fedoraproject.org] diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index f751f8dcd2..c6ffbcd9cb 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
@@ -431,8 +431,14 @@ listen mbs 0.0.0.0:10063 listen os-master 0.0.0.0:10064 balance hdr(appserver) server os-master01 os-master01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem - server os-master01 os-master02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem - server os-master01 os-master02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + server os-master02 os-master02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + server os-master03 os-master02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + option httpchk GET / + +listen os-master 0.0.0.0:10065 + balance hdr(appserver) + server os-node01 os-node01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + server os-node02 os-node02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem option httpchk GET / {% endif %} From 331a664f1ead411057adccfcca072e683aa853d1 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 15:03:41 +0000 Subject: [PATCH 082/308] Updatecert Signed-off-by: Patrick Uiterwijk --- roles/haproxy/files/os-master.staging.pem | 28 +++++++++++------------ 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/haproxy/files/os-master.staging.pem b/roles/haproxy/files/os-master.staging.pem index 0607b940b9..c00c217e42 100644 --- a/roles/haproxy/files/os-master.staging.pem +++ b/roles/haproxy/files/os-master.staging.pem 
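Review bot: The renamed `os-master03` entry still points at `os-master02:443`, so os-master02 is listed twice and a third master, if one exists, never receives traffic or health checks. The line should presumably read `server os-master03 os-master03:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem`. If there are only two masters, the third `server` line should be dropped instead, since it doubles the share of connections sent to one host.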
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu -c2hpZnQtc2lnbmVyQDE0OTQ1NTQzNzUwHhcNMTcwNTEyMDE1OTM0WhcNMjIwNTEx -MDE1OTM1WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE0OTQ1NTQzNzUw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+kFhvCc6l54obuGp8wUna -wxEbSh1K8Ogk1Y3vXszYP6QmPM+n1nHhNNcS+O3TOIQgC28hMkVngcAm+RM/gSA3 -NJ7WdEQVd5oh7rFccGsevFI/g5ZMFikPfTdUjRDIExt5p6o0XL5t4ILkKtShAy3d -dwDV3/XwpZmqakab08kRDEEbyk3EJnLgL/xYOzO2t9jqfjt6tKJ922KA6Er/HoEJ -rXrKiJpxeKZZ3pEOiMu+W22Jalw4fj6+zonlKTbpO8H56gCMqb0Nuw/gIWX6KNbw -e1GJ4Lbj/VMxJFbQcMMQFdgPfPDmM6VpTpW3O1glATBaNaAsjjctWOJ1mfePNqaZ +c2hpZnQtc2lnbmVyQDE0OTQ2MDA2OTIwHhcNMTcwNTEyMTQ1MTMxWhcNMjIwNTEx +MTQ1MTMyWjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE0OTQ2MDA2OTIw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLSVE9kCsY8L8ehCNN/wSp +68oqHGODpWQfs4ROnromqpJWySp5JW2XpDDFtdmjAax/f1jzqZhIKiHmDjLd6jYH +9XJEFBqqnO6j4HOtHgxerTy5rlJDf+LynJzArkhyWKbt8Hq8COoGm3F9j8e+8M7o +nohsYAT5S8mRiL9XCLAVOdgV2ZagN9rJFsHVrfYGKraoNnCww8AKhoSl2OHntsNg +gZRTeovviiwDmxnTgtwyaa0LoXfJlm9dpz23XTFIlKswFms+viw58Izpwb6PisIU +VT/xVaD1fVwP+ko//ixz4g7ayJEKq1togtRdv7zBPWqo/yAfINDf6o+vC683Yv7F AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG -SIb3DQEBCwUAA4IBAQCjIxo8fjGccBQBlNjT6KMs5CstoI3WNdOGVAo4mRUkphJ7 -DadlL5dmRYv5V5f3srxMCqQAFiVZrXAftO0jX/KlH0dHl5cZvZZ+rQKdsJ0k7Qi5 -KX/NjSfkP3HwkS9OSC7ZEtHVbSLWO58fS9iiH9NOFnAWy6IjBxMw3uVx73Fn4VvV -5M2NXcd+Jm4iRsM6+qtzwRPFt9etvQc/UU/D6vywsYUYXNhgwUeNEZnlVZZKaUeP -3SYwGmQSwU4+7pnRCkZUoXBgBHDUN/FxDH5XXoKiq5sNoddaBEIvw7niAg2v/4eW -J25gb8Yp4/PHPAYeViSbm43bIwFMxiYND16kHwbC +SIb3DQEBCwUAA4IBAQA4qpitjNaKSQruPK/zlKigW0XKCJhI09h4xXXOC3mKgPTm +p3KkdwJ7oVOF29z+7EhVSu6TthOORLdIO0O3kfvUzOl4PFgH0Xy8E4Cqbmk+eE27 +muEnevOwdvJ8ktO/IzAdI6u8mVKb11pSvEdQJZbcHt0HRUlAx7bhhdWyiMp4/cHi +fKi2ZuQJnDHFASFhPUj08+/iTJdk2cYtZHDtGWDCK1JJ7HimxcggTQ9+Es3zzZ6L +74zWxlB8/4hEF16Q1FfYFfImUCpwUG7RENBDowcAsa5ck3S1i0ZgatJlYMbDBaGP +BppL2SaNEqogVFgF0L9dN6ma34dB1ohM1IqYaSdM -----END 
CERTIFICATE----- From 2975a7595a30323b625d874c1a3a290129f9561e Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 15:12:54 +0000 Subject: [PATCH 083/308] Use our unbound servers for access.redhat.com Signed-off-by: Patrick Uiterwijk --- roles/dns/files/named.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf index 9a4c44d9fc..a707f3449e 100644 --- a/roles/dns/files/named.conf +++ b/roles/dns/files/named.conf @@ -258,6 +258,12 @@ view "PHX2" { forwarders { 10.5.26.20; 10.5.26.21; }; }; + zone "access.redhat.com" { + type forward; + forward only; + forwarders { 152.19.134.150; 140.211.169.201; 66.35.62.163; }; + }; + zone "beaker-project.org" { type forward; forward only; From a92cf9122569ef7b262f4eea959f81113c1e7501 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 15:13:58 +0000 Subject: [PATCH 084/308] Allow infra nodes able to use unbound Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/unbound | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/inventory/group_vars/unbound b/inventory/group_vars/unbound index 7b5e47785d..898edb8a3a 100644 --- a/inventory/group_vars/unbound +++ b/inventory/group_vars/unbound @@ -4,7 +4,10 @@ mem_size: 1024 num_cpus: 2 tcp_ports: [ 80, 443 ] -custom_rules: [ '-A INPUT -p tcp -m tcp -s 209.132.184.0/24 --dport 53 -j ACCEPT', '-A INPUT -p udp -m udp -s 209.132.184.0/24 --dport 53 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 209.132.184.0/24 --dport 53 -j ACCEPT', + '-A INPUT -p udp -m udp -s 209.132.184.0/24 --dport 53 -j ACCEPT', + '-A INPUT -p udp -m tcp -s 209.132.181.0/24 --dport 53 -j ACCEPT', + '-A INPUT -p udp -m udp -s 209.132.181.0/24 --dport 53 -j ACCEPT' ] fas_client_groups: sysadmin-dns freezes: false From cefbb400c38fce08a90bdfbc1f587633a9562c88 Mon Sep 17 00:00:00 2001 
From: Patrick Uiterwijk Date: Fri, 12 May 2017 15:15:19 +0000 Subject: [PATCH 085/308] Be consistent with protocol Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/unbound | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/unbound b/inventory/group_vars/unbound index 898edb8a3a..7be065c033 100644 --- a/inventory/group_vars/unbound +++ b/inventory/group_vars/unbound @@ -6,7 +6,7 @@ num_cpus: 2 tcp_ports: [ 80, 443 ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 209.132.184.0/24 --dport 53 -j ACCEPT', '-A INPUT -p udp -m udp -s 209.132.184.0/24 --dport 53 -j ACCEPT', - '-A INPUT -p udp -m tcp -s 209.132.181.0/24 --dport 53 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 209.132.181.0/24 --dport 53 -j ACCEPT', '-A INPUT -p udp -m udp -s 209.132.181.0/24 --dport 53 -j ACCEPT' ] fas_client_groups: sysadmin-dns From 02df22e6c23f30b37c837972b121af7b775cf38d Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 15:37:09 +0000 Subject: [PATCH 086/308] Fix cert validation Signed-off-by: Patrick Uiterwijk --- roles/haproxy/templates/haproxy.cfg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index c6ffbcd9cb..8aab2534b1 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
@@ -435,10 +435,10 @@ listen os-master 0.0.0.0:10064 server os-master03 os-master02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem option httpchk GET / -listen os-master 0.0.0.0:10065 +listen os-nodes 0.0.0.0:10065 balance hdr(appserver) - server os-node01 os-node01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem - server os-node02 os-node02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem + server os-node01 os-node01:443 check inter 10s rise 1 fall 2 ssl verify none + server os-node02 os-node02:443 check inter 10s rise 1 fall 2 ssl verify none option httpchk GET / {% endif %} From f3b344d52fc7648e5b518fafa83144b910b98bb0 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 May 2017 15:42:22 +0000 Subject: [PATCH 087/308] We expect a 503 Signed-off-by: Patrick Uiterwijk --- roles/haproxy/templates/haproxy.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 8aab2534b1..1cd2032b69 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -440,6 +440,7 @@ listen os-nodes 0.0.0.0:10065 server os-node01 os-node01:443 check inter 10s rise 1 fall 2 ssl verify none server os-node02 os-node02:443 check inter 10s rise 1 fall 2 ssl verify none option httpchk GET / + http-check expect status 503 {% endif %} From 6c961cfbe3ff0fe5b393113c5c9c98651e178ae5 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Fri, 12 May 2017 17:06:05 +0000 Subject: [PATCH 088/308] fix openshift_install_examples in a-a-o-a template Signed-off-by: Adam Miller --- .../templates/cluster-inventory.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index a8d13c2859..c8a069b109 100644 
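Review bot: Switching the `os-node01`/`os-node02` servers to `ssl verify none` makes haproxy accept any certificate from the backend, so the hop to the nodes is encrypted but unauthenticated. The previous lines presumably failed because the node certificates are not issued by the CA in `/etc/haproxy/os-master.pem`. The fix that keeps validation is to ship the CA that signs the router certificate and reference it, e.g. `ssl verify required ca-file /etc/haproxy/<router-ca>.pem` (placeholder file name). If `verify none` has to stay for now, a comment such as `# TODO: restore verify required once the router CA is deployed` above the block would keep it from becoming permanent.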
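Review bot: `http-check expect status 503` reads like a mistake without context, since it marks a node healthy only when `GET /` returns an error status. A comment above it would help, for example `# router answers 503 when no route matches the request; that shows it is up`. That explanation is my inference from the commit subject, so please confirm it before adding. With this check a node that starts answering 200 on `/` is taken out of rotation, which is worth stating in the same comment.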
--- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -52,7 +52,7 @@ openshift_release={{openshift_release}} #openshift_pkg_version=-3.5.0 # Install the openshift examples -{% if openshift_ansible_install_examples == "true" %} +{% if openshift_ansible_install_examples is defined %} openshift_install_examples={{openshift_ansible_install_examples}} {% endif %} From 972c6512952ff78313045ed6518591eab8dd607a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 04:36:36 +0000 Subject: [PATCH 089/308] fix up virt instance create autostart --- tasks/virt_instance_create.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/tasks/virt_instance_create.yml b/tasks/virt_instance_create.yml index d8413c856f..5e3e886561 100644 --- a/tasks/virt_instance_create.yml +++ b/tasks/virt_instance_create.yml @@ -65,8 +65,8 @@ tags: - armv7-kernel -- name: start the vm up - virt: state=running name={{ inventory_hostname }} +- name: start the vm up and set it to autostart + virt: state=running name={{ inventory_hostname }} autostart=True delegate_to: "{{ vmhost }}" when: inventory_hostname not in result.list_vms @@ -76,11 +76,6 @@ tags: - armv7-kernel -- name: set it to autostart - virt: autostart=True name={{ inventory_hostname }} - delegate_to: "{{ vmhost }}" - when: inventory_hostname not in result.list_vms - - name: make sure there is no old ssh host key for the host still around local_action: known_hosts path={{item}} host={{ inventory_hostname }} state=absent ignore_errors: True From d860015a289e36580f12a24dea31dc9093502189 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 18:30:14 +0000 Subject: [PATCH 090/308] lets try this s390 caching again --- roles/base/templates/iptables/iptables.kojibuilder | 3 +++ roles/koji_builder/templates/kojid.conf | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) 
diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder index 433f911a6e..a24963309a 100644 --- a/roles/base/templates/iptables/iptables.kojibuilder +++ b/roles/base/templates/iptables/iptables.kojibuilder @@ -30,6 +30,9 @@ # kojipkgs -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 443 -j ACCEPT +{% if host in groups['buildvm-s390x'] %} +-A OUTPUT -p tcp -m tcp -d 10.16.0.17 --dport 80 -j ACCEPT +{% endif %} #koji.fp.o -A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 80 -j ACCEPT diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf index e1594b932f..fa4a362d44 100644 --- a/roles/koji_builder/templates/kojid.conf +++ b/roles/koji_builder/templates/kojid.conf @@ -18,7 +18,10 @@ rpmbuild_timeout=172800 use_createrepo_c=True -{% if koji_topurl == 'https://kojipkgs.fedoraproject.org/' %} +{% if host in groups['buildvm-s390x'] %} +# s390x builders use a local varnish cache +topurl = http://kojipkgs-cache01.s390.fedoraproject.org https://kojipkgs01.fedoraproject.org https://kojipkgs02.fedoraproject.org +{% elif koji_topurl == 'https://kojipkgs.fedoraproject.org/' %} ; add some additional urls for failover topurl = {{koji_topurl}} https://kojipkgs01.fedoraproject.org https://kojipkgs02.fedoraproject.org {% else %} From 179cc4dd546204b8dd707a7e2703aabc542eb9c8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 19:01:17 +0000 Subject: [PATCH 091/308] switch openvpn to use seperate service units and directories for client and server, hopefully in a mostly transparent way that will not cause much outage --- roles/openvpn/client/tasks/main.yml | 23 ++++++++++++++++++----- roles/openvpn/server/tasks/main.yml | 13 ++++++++++--- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 63d0afa317..cf2858ac37 100644 
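Review bot: The condition `{% if host in groups['buildvm-s390x'] %}` uses a variable named `host`, which nothing in this hunk defines and which is not one of Ansible's built-in variables. Depending on how undefined variables are handled, the template either fails or the branch never matches, and the new OUTPUT rule is never written. `inventory_hostname` is probably what is meant: `{% if inventory_hostname in groups['buildvm-s390x'] %}`. The same test appears in the kojid.conf hunk of this commit.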
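Review bot: The s390x `topurl` lists `http://kojipkgs-cache01.s390.fedoraproject.org` first, so builders in that group pull build inputs over an unauthenticated channel, and the matching firewall rule opens only port 80 to 10.16.0.17. Unless the packages are signature-checked after download (not visible here), anything on the path between builder and cache can alter what goes into a build. Serving the cache over TLS and using `https://` in `topurl` would close that gap. If that is not possible, a comment stating why plain HTTP is acceptable on this network would record the decision.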
--- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -25,7 +25,7 @@ owner=root group=root mode={{ item.mode }} with_items: - { file: client.conf, - dest: /etc/openvpn/openvpn.conf, + dest: /etc/openvpn/client/openvpn.conf, mode: '0644' } - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.crt", dest: "/etc/openvpn/client.crt", @@ -48,17 +48,30 @@ - service - openvpn -- name: Make sure openvpn is running in rhel 7.1 - service: name=openvpn@openvpn state=started enabled=true +- name: Make sure old openvpn is not running in rhel 7 + service: name=openvpn@openvpn state=stopped enabled=false when: ansible_distribution_major_version|int == 7 tags: - service - openvpn -- name: enable openvpn service for Fedora - service: name=openvpn@openvpn state=started enabled=true +- name: Make sure openvpn is running in rhel 7 + service: name=openvpn-client@openvpn state=started enabled=true + when: ansible_distribution_major_version|int == 7 + tags: + - service + - openvpn + +- name: disable old openvpn service for Fedora + service: name=openvpn@openvpn state=stopped enabled=false when: is_fedora is defined tags: - service - openvpn +- name: enable openvpn service for Fedora + service: name=openvpn-client@openvpn state=started enabled=true + when: is_fedora is defined + tags: + - service + - openvpn diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml index 64c6fa4f16..d9e70da4a6 100644 --- a/roles/openvpn/server/tasks/main.yml +++ b/roles/openvpn/server/tasks/main.yml @@ -25,7 +25,7 @@ owner=root group=root mode={{ item.mode }} with_items: - { file: server.conf, - dest: /etc/openvpn/openvpn.conf, + dest: /etc/openvpn/server/openvpn.conf, mode: '0644' } - { file: "{{ private }}/files/vpn/openvpn/keys/crl.pem", dest: /etc/openvpn/crl.pem, 
@@ -48,8 +48,15 @@ tags: - openvpn -- name: enable openvpn service for rhel 7 or Fedora - service: name=openvpn@openvpn state=started enabled=true +- name: disable old openvpn service for rhel 7 or Fedora + service: name=openvpn@openvpn state=stopped enabled=false + when: ( ansible_distribution_version[0] == 7 or is_fedora is defined ) and openvpn_master is defined + tags: + - service + - openvpn + +- name: enable openvpn service for rhel 7 or Fedora + service: name=openvpn-server@openvpn state=started enabled=true when: ( ansible_distribution_version[0] == 7 or is_fedora is defined ) and openvpn_master is defined tags: - service From deda13a640d2dcf85b2f42b239184ce8ccc1aa9e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 20:18:24 +0000 Subject: [PATCH 092/308] exclude httpd on buildvm-s390x-07 as it is running varnish --- playbooks/groups/buildvm.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index 6e76509162..1b9f27e7da 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -50,6 +50,7 @@ - name: make sure httpd is running service: name=httpd state=started enabled=yes + when: inventory_hostname != buildvm-s390x-07.s390.fedoraproject.org - name: make sure kojid is running service: name=kojid state=started enabled=yes From 7449edfceb9b63e8481017c08b93437ef7c5491b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 20:24:50 +0000 Subject: [PATCH 093/308] picky picky, try this --- playbooks/groups/buildvm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index 1b9f27e7da..97983c8c03 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml 
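Review bot: Both tasks in this hunk test `ansible_distribution_version[0] == 7`, which compares the first character of a string with an integer and so is never true. On a RHEL 7 server neither the stop of `openvpn@openvpn` nor the start of `openvpn-server@openvpn` runs unless `is_fedora` is defined. The client role in this same commit uses the working form, so I would write `when: ( ansible_distribution_major_version|int == 7 or is_fedora is defined ) and openvpn_master is defined`. The expression is carried over from the task being replaced, but it now decides which unit carries the VPN.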
@@ -50,7 +50,7 @@ - name: make sure httpd is running service: name=httpd state=started enabled=yes - when: inventory_hostname != buildvm-s390x-07.s390.fedoraproject.org + when: not inventory_hostname_short == "buildvm-s390x-07" - name: make sure kojid is running service: name=kojid state=started enabled=yes From 6005665db7e3624c6dc0ceaf99f3229557a4965e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 20:55:45 +0000 Subject: [PATCH 094/308] also need cert and key under client --- roles/openvpn/client/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index cf2858ac37..4ff948537a 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -28,10 +28,10 @@ dest: /etc/openvpn/client/openvpn.conf, mode: '0644' } - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.crt", - dest: "/etc/openvpn/client.crt", + dest: "/etc/openvpn/client/client.crt", mode: '0600' } - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.key", - dest: "/etc/openvpn/client.key", + dest: "/etc/openvpn/client/client.key", mode: '0600' } tags: - install From 42b69d73f3ca21e57277c9a8c5c866b358a61e49 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 20:56:30 +0000 Subject: [PATCH 095/308] also the server files --- roles/openvpn/server/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml index d9e70da4a6..907be968f9 100644 --- a/roles/openvpn/server/tasks/main.yml +++ b/roles/openvpn/server/tasks/main.yml 
@@ -28,16 +28,16 @@ dest: /etc/openvpn/server/openvpn.conf, mode: '0644' } - { file: "{{ private }}/files/vpn/openvpn/keys/crl.pem", - dest: /etc/openvpn/crl.pem, + dest: /etc/openvpn/server/crl.pem, mode: '0644' } - { file: "{{ private }}/files/vpn/openvpn/keys/server.crt", - dest: /etc/openvpn/server.crt, + dest: /etc/openvpn/server/server.crt, mode: '0644' } - { file: "{{ private }}/files/vpn/openvpn/keys/server.key", - dest: /etc/openvpn/server.key, + dest: /etc/openvpn/server/server.key, mode: '0600' } - { file: "{{ private }}/files/vpn/openvpn/keys/dh2048.pem", - dest: /etc/openvpn/dh2048.pem, + dest: /etc/openvpn/server/dh2048.pem, mode: '0644' } tags: - install From 4cc1b78ff38cf246525d2f5ec8d66cf6e19a4840 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 14 May 2017 20:57:30 +0000 Subject: [PATCH 096/308] Check the certificate key usage Signed-off-by: Patrick Uiterwijk --- roles/openvpn/client/files/client.conf | 1 + roles/openvpn/server/files/server.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/files/client.conf index e807bdc7d9..5042ed6e25 100644 --- a/roles/openvpn/client/files/client.conf +++ b/roles/openvpn/client/files/client.conf @@ -22,6 +22,7 @@ auth SHA512 ca ca.crt cert client.crt key client.key +remote-cert-tls server comp-lzo diff --git a/roles/openvpn/server/files/server.conf b/roles/openvpn/server/files/server.conf index e5cdd45180..add4425363 100644 --- a/roles/openvpn/server/files/server.conf +++ b/roles/openvpn/server/files/server.conf @@ -16,6 +16,7 @@ cipher AES-256-CBC auth SHA512 dh dh2048.pem crl-verify crl.pem +remote-cert-tls client keepalive 10 120 From 4629c0aa585baa450767d19d888cc6b42a891c7e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 21:02:27 +0000 Subject: [PATCH 097/308] also install the ca in the right place --- roles/openvpn/base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
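Review bot: The added `remote-cert-tls server` line in client.conf, and `remote-cert-tls client` in the server.conf hunk, carry no comment saying what they enforce. Both make the peer's certificate fail the handshake unless it has the matching key usage and extended key usage. Any certificate under `keys/` issued without those extensions would be locked out once this is deployed, so checking the issued certificates with `openssl x509 -noout -text` before rollout is worth a line in the commit. A comment above each directive would record the requirement for whoever issues the next certificate, e.g. `# peer cert must carry the TLS server EKU; certs issued without it are rejected`.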
diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index 28fe40ea50..f6b365e01e 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml @@ -19,7 +19,7 @@ - name: Install certificate and key copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt - dest=/etc/openvpn/ca.crt + dest=/etc/openvpn/client/ca.crt owner=root group=root mode=0600 tags: - install From f400f56c6bcd395d53d96a0c4f72481370954fb7 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 21:38:08 +0000 Subject: [PATCH 098/308] fix handlers and disable notify for now until we roll this out --- handlers/restart_services.yml | 4 ++-- roles/openvpn/base/tasks/main.yml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index a7c6ae20e5..5a32cb62a1 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -56,7 +56,7 @@ - name: restart openvpn (Fedora) when: ansible_distribution == "Fedora" - action: service name=openvpn@openvpn state=restarted + action: service name=openvpn-client@openvpn state=restarted #notify: #- fix openvpn routing @@ -68,7 +68,7 @@ - name: restart openvpn (RHEL7) when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7 - action: service name=openvpn@openvpn state=restarted + action: service name=openvpn-client@openvpn state=restarted #notify: #- fix openvpn routing diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index f6b365e01e..5e5271a58a 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml @@ -24,10 +24,10 @@ tags: - install - openvpn - notify: - - restart openvpn (Fedora) - - restart openvpn (RHEL7) - - restart openvpn (RHEL6) + #notify: + #- restart openvpn (Fedora) + #- restart openvpn (RHEL7) + #- restart openvpn (RHEL6) - name: install fix-routes.sh script copy: src=fix-routes.sh 
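Review bot: Both restart handlers in `handlers/restart_services.yml` now name `openvpn-client@openvpn` unconditionally, while the server tasks earlier in this series start `openvpn-server@openvpn`. If the VPN server host notifies these handlers, the restart would hit a client instance and the server would keep running with its old certificate, key and CRL. A condition on the existing flag would keep the two apart, e.g. `when: ansible_distribution == "Fedora" and openvpn_master is not defined`, with a sibling handler that restarts `openvpn-server@openvpn` when it is defined. With `notify:` commented out in the base hunk, a replaced `ca.crt` is not picked up until someone restarts the service by hand, so the re-enable deserves a tracked TODO next to the commented lines.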
From 714506a90593d261f27c0ab985275354cbef8a11 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 21:51:47 +0000 Subject: [PATCH 099/308] handle poor old rhel6 --- roles/openvpn/base/tasks/main.yml | 20 ++++++++++++++++--- roles/openvpn/client/tasks/main.yml | 30 ++++++++++++++++++++++++++--- 2 files changed, 44 insertions(+), 6 deletions(-) diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index 5e5271a58a..fcf43a7a0b 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml @@ -7,7 +7,7 @@ - openvpn tags: - packages - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 7 - name: Install needed package (dnf) dnf: pkg={{ item }} state=present @@ -15,9 +15,22 @@ - openvpn tags: - packages - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined -- name: Install certificate and key +- name: Install certificate and key (rhel6) + copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt + dest=/etc/openvpn/ca.crt + owner=root group=root mode=0600 + tags: + - install + - openvpn + #notify: + #- restart openvpn (Fedora) + #- restart openvpn (RHEL7) + #- restart openvpn (RHEL6) + when: ansible_distribution_major_version|int < 7 + +- name: Install certificate and key (rhel7 or fedora) copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt dest=/etc/openvpn/client/ca.crt owner=root group=root mode=0600 @@ -28,6 +41,7 @@ #- restart openvpn (Fedora) #- restart openvpn (RHEL7) #- restart openvpn (RHEL6) + when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined - name: install fix-routes.sh script copy: src=fix-routes.sh diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 4ff948537a..7bdcfe2c42 100644 --- a/roles/openvpn/client/tasks/main.yml 
+++ b/roles/openvpn/client/tasks/main.yml @@ -8,7 +8,7 @@ tags: - packages - openvpn - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 - name: Install needed packages dnf: pkg={{ item }} state=present @@ -17,9 +17,9 @@ tags: - packages - openvpn - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 6 and ansible_cmdline.ostree is not defined -- name: Install configuration files +- name: Install configuration files (rhel7 and fedora) copy: src={{ item.file }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }} @@ -40,6 +40,30 @@ # - restart openvpn (Fedora) # - restart openvpn (RHEL7) # - restart openvpn (RHEL6) + when: ansible_distribution_major_version|int > 6 and ansible_cmdline.ostree is not defined + +- name: Install configuration files (rhel6) + copy: src={{ item.file }} + dest={{ item.dest }} + owner=root group=root mode={{ item.mode }} + with_items: + - { file: client.conf, + dest: /etc/openvpn/openvpn.conf, + mode: '0644' } + - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.crt", + dest: "/etc/openvpn/client.crt", + mode: '0600' } + - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.key", + dest: "/etc/openvpn/client.key", + mode: '0600' } + tags: + - install + - openvpn +# notify: +# - restart openvpn (Fedora) +# - restart openvpn (RHEL7) +# - restart openvpn (RHEL6) + when: ansible_distribution_major_version|int < 7 and ansible_cmdline.ostree is not defined - name: enable openvpn service for rhel 6 service: name=openvpn state=started enabled=true From 8c4162eaa4e7d8f4448c0efdbd531fe1770d5c8a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 21:54:22 +0000 Subject: [PATCH 100/308] fix version for rhel --- roles/openvpn/base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
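Review bot: The added "Install configuration files (rhel6)" task copies `{{ inventory_hostname }}.key` with the same loop as the config file. A run of this role with `--diff` can therefore print the private key's content into the terminal and any captured run log. Giving the key its own task with `no_log: true`, or setting it on this task, keeps the key material out of the output; the existing rhel7/fedora task above it has the same shape. The `0600` mode on the destination is right and should stay.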
diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index fcf43a7a0b..d84ac56f33 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml @@ -7,7 +7,7 @@ - openvpn tags: - packages - when: ansible_distribution_major_version|int < 7 + when: ansible_distribution_major_version|int < 8 - name: Install needed package (dnf) dnf: pkg={{ item }} state=present From 50c070a79b835d0f92265f5639edbe34b903e313 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 21:56:00 +0000 Subject: [PATCH 101/308] fix version here too --- roles/openvpn/client/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 7bdcfe2c42..faee496295 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -17,7 +17,7 @@ tags: - packages - openvpn - when: ansible_distribution_major_version|int > 6 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined - name: Install configuration files (rhel7 and fedora) copy: src={{ item.file }} From f12de13a1f62240ce9ddf437725ea7d87e755aeb Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 21:59:08 +0000 Subject: [PATCH 102/308] someday I will get these versions all right --- roles/openvpn/base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index d84ac56f33..589ccbf193 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml 
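Review bot: Choosing between the yum and dnf tasks by comparing `ansible_distribution_major_version|int` with 7 or 8 only works while RHEL and Fedora version numbers do not overlap, which is what this fix and the neighbouring one-line fixes (PATCH 101, PATCH 102) keep adjusting. Keying on the package-manager fact states the intent directly: `when: ansible_pkg_mgr == "yum"` on this task and `when: ansible_pkg_mgr == "dnf" and ansible_cmdline.ostree is not defined` on the dnf task. The same pair of conditions exists in the client role's package tasks.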
@@ -41,7 +41,7 @@ #- restart openvpn (Fedora) #- restart openvpn (RHEL7) #- restart openvpn (RHEL6) - when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 6 and ansible_cmdline.ostree is not defined - name: install fix-routes.sh script copy: src=fix-routes.sh From f3818652389120832064cd316ff41afa99551b3c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 22:31:19 +0000 Subject: [PATCH 103/308] handle server dh file --- roles/openvpn/base/tasks/main.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index 589ccbf193..83dc4bcbae 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml @@ -30,7 +30,7 @@ #- restart openvpn (RHEL6) when: ansible_distribution_major_version|int < 7 -- name: Install certificate and key (rhel7 or fedora) +- name: Install certificate and key (rhel7 or fedora) for client copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt dest=/etc/openvpn/client/ca.crt owner=root group=root mode=0600 @@ -43,6 +43,19 @@ #- restart openvpn (RHEL6) when: ansible_distribution_major_version|int > 6 and ansible_cmdline.ostree is not defined +- name: Install certificate and key (rhel7 or fedora) for server + copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt + dest=/etc/openvpn/server/ca.crt + owner=root group=root mode=0600 + tags: + - install + - openvpn + #notify: + #- restart openvpn (Fedora) + #- restart openvpn (RHEL7) + #- restart openvpn (RHEL6) + when: ansible_distribution_major_version|int > 6 and ansible_cmdline.ostree is not defined + - name: install fix-routes.sh script copy: src=fix-routes.sh dest=/etc/openvpn/fix-routes.sh From 52318bbc499987a5fe222ba4505c36f7a37fd71b Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Sun, 14 May 2017 23:26:45 +0000 Subject: [PATCH 104/308] try and handle cases for f24 not being updated to the new setup either --- roles/openvpn/base/tasks/main.yml | 6 +++--- roles/openvpn/client/tasks/main.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index 83dc4bcbae..4f183d9555 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml @@ -17,7 +17,7 @@ - packages when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined -- name: Install certificate and key (rhel6) +- name: Install certificate and key (rhel6 and fedora24 and older) copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt dest=/etc/openvpn/ca.crt owner=root group=root mode=0600 @@ -28,7 +28,7 @@ #- restart openvpn (Fedora) #- restart openvpn (RHEL7) #- restart openvpn (RHEL6) - when: ansible_distribution_major_version|int < 7 + when: ansible_distribution_major_version|int < 25 - name: Install certificate and key (rhel7 or fedora) for client copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt @@ -54,7 +54,7 @@ #- restart openvpn (Fedora) #- restart openvpn (RHEL7) #- restart openvpn (RHEL6) - when: ansible_distribution_major_version|int > 6 and ansible_cmdline.ostree is not defined + when: inventory_hostname.startswith('bastion0') - name: install fix-routes.sh script copy: src=fix-routes.sh diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index faee496295..56a2617697 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml 
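Review bot: The new `when: ansible_distribution_major_version|int < 25` on the "rhel6 and fedora24 and older" task is also true for RHEL 7 (major version 7), so those hosts would get the legacy `/etc/openvpn/ca.crt` as well as the new `client/ca.crt`. Naming the distribution removes the overlap: `when: ansible_distribution_major_version|int == 6 or ( ansible_distribution == "Fedora" and ansible_distribution_major_version|int < 25 )`. In the last hunk, `inventory_hostname.startswith('bastion0')` selects the server by hostname prefix, while the server service tasks earlier in the series use `openvpn_master is defined`; using that variable here too would keep one definition of which host is the VPN server.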
@@ -40,7 +40,7 @@ # - restart openvpn (Fedora) # - restart openvpn (RHEL7) # - restart openvpn (RHEL6) - when: ansible_distribution_major_version|int > 6 and ansible_cmdline.ostree is not defined + when: ( ansible_distribution_major_version|int != 6 or ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined - name: Install configuration files (rhel6) copy: src={{ item.file }} @@ -63,7 +63,7 @@ # - restart openvpn (Fedora) # - restart openvpn (RHEL7) # - restart openvpn (RHEL6) - when: ansible_distribution_major_version|int < 7 and ansible_cmdline.ostree is not defined + when: ( ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24) and ansible_cmdline.ostree is not defined - name: enable openvpn service for rhel 6 service: name=openvpn state=started enabled=true From 489dd32e32536fc54036075a99606f8d3aa90f56 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 23:30:27 +0000 Subject: [PATCH 105/308] and also handle it here --- roles/openvpn/base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index 4f183d9555..ebde481980 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml @@ -41,7 +41,7 @@ #- restart openvpn (Fedora) #- restart openvpn (RHEL7) #- restart openvpn (RHEL6) - when: ansible_distribution_major_version|int > 6 and ansible_cmdline.ostree is not defined + when: ( ansible_distribution_major_version|int != 6 or ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined - name: Install certificate and key (rhel7 or fedora) for server copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt From 636d7623ad2d11b1853a25b6ce89586e42ef72a7 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Sun, 14 May 2017 23:36:21 +0000 Subject: [PATCH 106/308] try and use correct logic --- roles/openvpn/base/tasks/main.yml | 2 +- roles/openvpn/client/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index ebde481980..a5f52843e9 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml @@ -41,7 +41,7 @@ #- restart openvpn (Fedora) #- restart openvpn (RHEL7) #- restart openvpn (RHEL6) - when: ( ansible_distribution_major_version|int != 6 or ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined + when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24 ) and ansible_cmdline.ostree is not defined - name: Install certificate and key (rhel7 or fedora) for server copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 56a2617697..f7f4b248a0 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -40,7 +40,7 @@ # - restart openvpn (Fedora) # - restart openvpn (RHEL7) # - restart openvpn (RHEL6) - when: ( ansible_distribution_major_version|int != 6 or ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined + when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined - name: Install configuration files (rhel6) copy: src={{ item.file }} From 5055c83e8537071c5005b74dc097e7b3a3f963e1 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 23:39:39 +0000 Subject: [PATCH 107/308] and try and handle f24 here too --- roles/openvpn/client/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
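Review bot: After this fix the predicate `( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24 ) and ansible_cmdline.ostree is not defined` is written out in both the base and client roles, with its hand-written complement on the legacy tasks. The `or`/`and` slip corrected here shows how easily the copies drift. Computing it once, e.g. `set_fact: openvpn_new_layout="{{ ansible_distribution_major_version|int not in [6, 24] }}"` near the top of the base role, lets each task read `when: openvpn_new_layout|bool and ansible_cmdline.ostree is not defined`.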
diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index f7f4b248a0..dddfbe8dc5 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -65,9 +65,9 @@ # - restart openvpn (RHEL6) when: ( ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24) and ansible_cmdline.ostree is not defined -- name: enable openvpn service for rhel 6 +- name: enable openvpn service for rhel 6 or fedora 24 service: name=openvpn state=started enabled=true - when: ansible_distribution_major_version|int == 6 + when: ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24 tags: - service - openvpn @@ -88,14 +88,14 @@ - name: disable old openvpn service for Fedora service: name=openvpn@openvpn state=stopped enabled=false - when: is_fedora is defined + when: is_fedora is defined and ansible_distribution_major_version|int != 24 tags: - service - openvpn - name: enable openvpn service for Fedora service: name=openvpn-client@openvpn state=started enabled=true - when: is_fedora is defined + when: is_fedora is defined and ansible_distribution_major_version|int != 24 tags: - service - openvpn From 881735b5eb5bb169cafe6bb7050a342ee1d54803 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 May 2017 23:45:27 +0000 Subject: [PATCH 108/308] another corner case since f24 has systemd and el6 does not --- roles/openvpn/client/tasks/main.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index dddfbe8dc5..87642d2aa3 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml 
@@ -65,9 +65,16 @@ # - restart openvpn (RHEL6) when: ( ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24) and ansible_cmdline.ostree is not defined -- name: enable openvpn service for rhel 6 or fedora 24 +- name: enable openvpn service for rhel 6 service: name=openvpn state=started enabled=true - when: ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24 + when: ansible_distribution_major_version|int == 6 + tags: + - service + - openvpn + +- name: enable openvpn service for fedora 24 + service: name=openvpn@openvpn state=started enabled=true + when: ansible_distribution_major_version|int == 24 tags: - service - openvpn From 273093ecbb769811a25326638f0a9eb3783a3682 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 02:34:31 +0000 Subject: [PATCH 109/308] put server ccd files under server subdir --- roles/openvpn/server/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml index 907be968f9..0d54151845 100644 --- a/roles/openvpn/server/tasks/main.yml +++ b/roles/openvpn/server/tasks/main.yml @@ -9,9 +9,9 @@ - packages - openvpn -- name: Create the /etc/openvpn/ccd/ directory +- name: Create the /etc/openvpn/server/ccd/ directory file: > - dest=/etc/openvpn/ccd/ + dest=/etc/openvpn/server/ccd/ mode=0755 owner=root group=root @@ -44,7 +44,7 @@ - openvpn - name: Install the ccd files - copy: src=ccd/ dest=/etc/openvpn/ccd/ + copy: src=ccd/ dest=/etc/openvpn/server/ccd/ tags: - openvpn From 9a8ab4f3570d40f69c72260e295f7809876b8fb2 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 15 May 2017 13:15:20 +0000 Subject: [PATCH 110/308] Add "freshmaker" to the FAS username blacklist. --- roles/fas_server/templates/fas.cfg.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
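Review bot: In the server role hunk of PATCH 109, `copy: src=ccd/ dest=/etc/openvpn/server/ccd/` sets no owner, group or mode, unlike the directory task above it and the other copy tasks in this role, so the per-client files get whatever the defaults produce. `copy: src=ccd/ dest=/etc/openvpn/server/ccd/ owner=root group=root mode=0644` makes them explicit. The previous `/etc/openvpn/ccd/` tree is left in place by this change; removing it once the server reads the new path avoids two diverging sets of per-client settings.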
diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2 index 9d71432062..a2649ad3b3 100644 --- a/roles/fas_server/templates/fas.cfg.j2 +++ b/roles/fas_server/templates/fas.cfg.j2 
@@ -76,9 +76,9 @@ ipa_sync_certfile = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' # Usernames that are unavailable for fas allocation {% if env == "staging" %} -username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% else %} -username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" +username_blacklist = 
"abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" {% endif %} email_domain_blacklist = "{{ fas_blocked_emails }}" From ff79df0b948086d9e7a4ce8fba8aa029c1c697b8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 17:01:33 +0000 Subject: [PATCH 111/308] Drop prod/dev/stg specific playbooks for taskotron and switch to single one. --- master.yml | 4 +- playbooks/groups/taskotron-dev.yml | 59 ----------------------------- playbooks/groups/taskotron-prod.yml | 58 ---------------------------- playbooks/groups/taskotron-stg.yml | 56 --------------------------- 4 files changed, 1 insertion(+), 176 deletions(-) delete mode 100644 playbooks/groups/taskotron-dev.yml delete mode 100644 playbooks/groups/taskotron-prod.yml delete mode 100644 playbooks/groups/taskotron-stg.yml diff --git a/master.yml b/master.yml index d8bf06f949..4aad7065d6 100644 --- a/master.yml +++ b/master.yml 
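Review bot: The reserved-username list is kept as two full copies, one per `{% if env == "staging" %}` branch, which appear to differ only by `fas_sync`, so this commit had to insert `freshmaker` in both. A missed copy would leave a reserved name registrable in one environment without any visible error. Holding the shared names once and appending the staging-only entry removes that risk, e.g. `username_blacklist = "{{ fas_reserved_usernames }}{% if env == 'staging' %},fas_sync{% endif %}"`, where `fas_reserved_usernames` is a placeholder for a variable defined in the role's vars.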
@@ -107,10 +107,8 @@ - include: /srv/web/infra/ansible/playbooks/groups/summershum.yml - include: /srv/web/infra/ansible/playbooks/groups/sundries.yml - include: /srv/web/infra/ansible/playbooks/groups/tagger.yml +- include: /srv/web/infra/ansible/playbooks/groups/taskotron.yml - include: /srv/web/infra/ansible/playbooks/groups/taskotron-client-hosts.yml -- include: /srv/web/infra/ansible/playbooks/groups/taskotron-prod.yml -- include: /srv/web/infra/ansible/playbooks/groups/taskotron-dev.yml -- include: /srv/web/infra/ansible/playbooks/groups/taskotron-stg.yml - include: /srv/web/infra/ansible/playbooks/groups/torrent.yml - include: /srv/web/infra/ansible/playbooks/groups/twisted-buildbots.yml - include: /srv/web/infra/ansible/playbooks/groups/unbound.yml diff --git a/playbooks/groups/taskotron-dev.yml b/playbooks/groups/taskotron-dev.yml deleted file mode 100644 index a5ba557833..0000000000 --- a/playbooks/groups/taskotron-dev.yml +++ /dev/null 
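Review bot: The single include added in master.yml relies on `playbooks/groups/taskotron.yml`, which this commit does not touch, to carry everything the three deleted playbooks did. Those were not identical: the prod playbook applies `openvpn/client` when `env != "staging"`, and the dev playbook adds `dnf-automatic`, `taskotron/taskotron-proxy` and `taskotron/ssl-taskotron`. It is worth confirming the shared playbook targets all three groups and keeps those per-environment roles, along with `rkhunter` and `2fa_client.yml`, before the old files go. A comment above the include would record the intent, e.g. `# taskotron.yml covers the taskotron-dev, -stg and -prod groups`.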
@@ -1,59 +0,0 @@ ---- -# create a new taskotron dev server -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=taskotron-dev" - -- name: make the box be real - hosts: taskotron-dev - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: base, tags: ['base'] } - - { role: rkhunter, tags: ['rkhunter'] } - - { role: nagios_client, tags: ['nagios_client'] } - - { role: hosts, tags: ['hosts']} - - { role: fas_client, tags: ['fas_client'] } - - { role: collectd/base, tags: ['collectd_base'] } - - { role: dnf-automatic, tags: ['dnfautomatic'] } - - { role: sudo, tags: ['sudo'] } - - apache - - tasks: - # this is how you include other task lists - - include: "{{ tasks_path }}/yumrepos.yml" - - include: "{{ tasks_path }}/2fa_client.yml" - - include: "{{ tasks_path }}/motd.yml" - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" - -- name: configure taskotron master - hosts: taskotron-dev - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: taskotron/grokmirror, tags: ['grokmirror'] } -# - { role: taskotron/cgit, tags: ['cgit'] } - - { role: taskotron/buildmaster, tags: ['buildmaster'] } - - { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] } - - { role: taskotron/taskotron-trigger, tags: ['trigger'] } - - { role: taskotron/taskotron-frontend, tags: ['frontend'] } - - { role: taskotron/taskotron-proxy, tags: ['taskotronproxy'] } - - { role: taskotron/ssl-taskotron, tags: ['ssltaskotron'] } - - handlers: - - include: "{{ handlers_path 
}}/restart_services.yml" diff --git a/playbooks/groups/taskotron-prod.yml b/playbooks/groups/taskotron-prod.yml deleted file mode 100644 index 2894c88620..0000000000 --- a/playbooks/groups/taskotron-prod.yml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -# create a new taskotron production server -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=taskotron-prod" - -- name: make the box be real - hosts: taskotron-prod - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: base, tags: ['base'] } - - { role: rkhunter, tags: ['rkhunter'] } - - { role: nagios_client, tags: ['nagios_client'] } - - { role: hosts, tags: ['hosts']} - - { role: fas_client, tags: ['fas_client'] } - - { role: collectd/base, tags: ['collectd_base'] } - - { role: sudo, tags: ['sudo'] } - - { role: openvpn/client, - when: env != "staging", tags: ['openvpn_client'] } - - apache - - tasks: - # this is how you include other task lists - - include: "{{ tasks_path }}/yumrepos.yml" - - include: "{{ tasks_path }}/2fa_client.yml" - - include: "{{ tasks_path }}/motd.yml" - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" - -- name: configure taskotron master - hosts: taskotron-prod - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: taskotron/grokmirror, tags: ['grokmirror'] } -# - { role: taskotron/cgit, tags: ['cgit'] } - - { role: taskotron/buildmaster, tags: ['buildmaster'] } - - { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] } - - { role: taskotron/taskotron-trigger, tags: ['trigger'] } - - { role: taskotron/taskotron-frontend, tags: ['frontend'] } - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" 
diff --git a/playbooks/groups/taskotron-stg.yml b/playbooks/groups/taskotron-stg.yml deleted file mode 100644 index 652583c59a..0000000000 --- a/playbooks/groups/taskotron-stg.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -# create a new taskotron staging server -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=taskotron-stg" - -- name: make the box be real - hosts: taskotron-stg - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: base, tags: ['base'] } - - { role: rkhunter, tags: ['rkhunter'] } - - { role: nagios_client, tags: ['nagios_client'] } - - { role: hosts, tags: ['hosts']} - - { role: fas_client, tags: ['fas_client'] } - - { role: collectd/base, tags: ['collectd_base'] } - - { role: sudo, tags: ['sudo'] } - - apache - - tasks: - # this is how you include other task lists - - include: "{{ tasks_path }}/yumrepos.yml" - - include: "{{ tasks_path }}/2fa_client.yml" - - include: "{{ tasks_path }}/motd.yml" - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" - -- name: configure taskotron master - hosts: taskotron-stg - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - { role: taskotron/grokmirror, tags: ['grokmirror'] } -# - { role: taskotron/cgit, tags: ['cgit'] } - - { role: taskotron/buildmaster, tags: ['buildmaster'] } - - { role: taskotron/buildmaster-configure, tags: ['buildmasterconfig'] } - - { role: taskotron/taskotron-trigger, tags: ['trigger'] } - - { role: taskotron/taskotron-frontend, tags: ['frontend'] } - - handlers: - - include: "{{ handlers_path }}/restart_services.yml" From d863bb362909e52276146d5bde80d435aa460654 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Mon, 15 May 2017 17:07:47 +0000 Subject: [PATCH 112/308] add modularity dev host to master --- master.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/master.yml b/master.yml index 4aad7065d6..f1253b134b 100644 --- a/master.yml +++ b/master.yml @@ -145,6 +145,7 @@ - include: /srv/web/infra/ansible/playbooks/hosts/kolinahr.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/magazine.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/modernpaste.fedorainfracloud.org.yml +- include: /srv/web/infra/ansible/playbooks/hosts/modularity.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/piwik.fedorainfracloud.org.yml #- include: /srv/web/infra/ansible/playbooks/hosts/regcfp.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml From 2df1d71510814dbc25c87094297b89dc5eb3bbd0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 17:33:51 +0000 Subject: [PATCH 113/308] clean up iptables in base to not apply to cloud compute/master, osbs or os --- inventory/group_vars/all | 4 +- inventory/group_vars/openstack-compute | 1 + inventory/group_vars/os | 1 + inventory/group_vars/os-stg | 3 + inventory/group_vars/osbs | 2 + inventory/group_vars/osbs-stg | 2 + .../fed-cloud09.cloud.fedoraproject.org | 2 + inventory/inventory | 12 +++- master.yml | 5 +- .../hosts/magazine.fedorainfracloud.org.yml | 55 ------------------- roles/base/tasks/main.yml | 6 +- 11 files changed, 32 insertions(+), 61 deletions(-) create mode 100644 inventory/group_vars/os-stg create mode 100644 inventory/group_vars/osbs-stg delete mode 100644 playbooks/hosts/magazine.fedorainfracloud.org.yml diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 98a057a63b..38c5f8be5d 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all 
@@ -266,4 +266,6 @@ nagios_Check_Services: dhcpd: false httpd: false - +# Set variable if we want to use our global iptables defaults +# Some things need to set their own. +baseiptables: True diff --git a/inventory/group_vars/openstack-compute b/inventory/group_vars/openstack-compute index af900eeef7..0fed5183fd 100644 --- a/inventory/group_vars/openstack-compute +++ b/inventory/group_vars/openstack-compute @@ -3,3 +3,4 @@ host_group: openstack-compute nrpe_procs_warn: 1100 nrpe_procs_crit: 1200 ansible_ifcfg_blacklist: true +baseiptables: False diff --git a/inventory/group_vars/os b/inventory/group_vars/os index e837201446..53196a3e9e 100644 --- a/inventory/group_vars/os +++ b/inventory/group_vars/os @@ -1,2 +1,3 @@ --- host_group: os +baseiptables: False diff --git a/inventory/group_vars/os-stg b/inventory/group_vars/os-stg new file mode 100644 index 0000000000..53196a3e9e --- /dev/null +++ b/inventory/group_vars/os-stg @@ -0,0 +1,3 @@ +--- +host_group: os +baseiptables: False diff --git a/inventory/group_vars/osbs b/inventory/group_vars/osbs index d337069253..ea03d3700e 100644 --- a/inventory/group_vars/osbs +++ b/inventory/group_vars/osbs @@ -19,3 +19,5 @@ osbs_koji_username: "kojibuilder" koji_url: "koji.fedoraproject.org" osbs_client_conf_path: /etc/osbs.conf + +baseiptables: False diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg new file mode 100644 index 0000000000..2e3e4d513d --- /dev/null +++ b/inventory/group_vars/osbs-stg @@ -0,0 +1,2 @@ +--- +baseiptables: False diff --git a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org index a72a6bb8ac..dee6f4e15b 100644 --- a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org +++ b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org @@ -8,3 +8,5 @@ ansible_ifcfg_blacklist: true nagios_Check_Services: nrpe: true sshd: true + +baseiptables: False 
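Review bot: The comment above `baseiptables: True` in inventory/group_vars/all does not say what a host gets when the flag is False, and that is the part an operator needs before opting a group out. Going by the `when:` conditions this commit adds in roles/base/tasks/main.yml, such a host receives neither the iptables nor the ip6tables template from the base role. I would spell that out, for example `# When False the base role installs no iptables/ip6tables rules on the host;` followed by `# the group or host that sets it must deploy and maintain its own firewall.`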
diff --git a/inventory/inventory b/inventory/inventory index b0063c3e9d..aff5a23c35 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1330,6 +1330,16 @@ osbs-master01.stg.phx2.fedoraproject.org osbs-node01.stg.phx2.fedoraproject.org osbs-node02.stg.phx2.fedoraproject.org +[osbs:children] +osbs-control +osbs-nodes +osbs-masters + +[osbs-stg:children] +osbs-control-stg +osbs-nodes-stg +osbs-masters-stg + [os-control-stg] os-control01.stg.phx2.fedoraproject.org @@ -1342,7 +1352,7 @@ os-master03.stg.phx2.fedoraproject.org os-node01.stg.phx2.fedoraproject.org os-node02.stg.phx2.fedoraproject.org -[os:children] +[os-stg:children] os-nodes-stg os-masters-stg os-control-stg diff --git a/master.yml b/master.yml index f1253b134b..4b433002cc 100644 --- a/master.yml +++ b/master.yml @@ -33,6 +33,7 @@ - include: /srv/web/infra/ansible/playbooks/groups/buildvm.yml - include: /srv/web/infra/ansible/playbooks/groups/bugyou.yml - include: /srv/web/infra/ansible/playbooks/groups/busgateway.yml +- include: /srv/web/infra/ansible/playbooks/groups/ci.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-backend.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-dist-git.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml 
@@ -143,11 +144,11 @@ - include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/kolinahr.fedorainfracloud.org.yml -- include: /srv/web/infra/ansible/playbooks/hosts/magazine.fedorainfracloud.org.yml +- include: /srv/web/infra/ansible/playbooks/hosts/magazine2.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/modernpaste.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/modularity.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/piwik.fedorainfracloud.org.yml -#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp.fedorainfracloud.org.yml +#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp2.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/shogun-ca.cloud.fedoraproject.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/shumgrepper-dev.fedorainfracloud.org.yml diff --git a/playbooks/hosts/magazine.fedorainfracloud.org.yml b/playbooks/hosts/magazine.fedorainfracloud.org.yml deleted file mode 100644 index b0d219a85f..0000000000 --- a/playbooks/hosts/magazine.fedorainfracloud.org.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -- name: check/create instance - hosts: magazine.fedorainfracloud.org - gather_facts: False - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/web/infra/ansible/vars/fedora-cloud.yml - - /srv/private/ansible/files/openstack/passwords.yml - - tasks: - - include: "{{ tasks_path }}/persistent_cloud.yml" - -- name: setup all the things - hosts: magazine.fedorainfracloud.org - gather_facts: True - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - pre_tasks: - - include: "{{ tasks_path }}/cloud_setup_basic.yml" - - name: set hostname (required by some services, at least postfix need it) - hostname: name="{{inventory_hostname}}" - - tasks: - - name: add packages - yum: state=present name={{ item }} - with_items: - - httpd - - php - - php-mysql - - mariadb-server - - mariadb - - mod_ssl - - php-mcrypt - - php-mbstring - - wget - - unzip - - postfix - - - name: enable httpd service - service: name=httpd enabled=yes state=started - - - name: configure postfix for ipv4 only - raw: postconf -e inet_protocols=ipv4 - - - name: enable local postfix service - service: name=postfix enabled=yes state=started - - roles: - - nagios_client - - mariadb_server diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 052ef2efb0..8f43f13ade 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -233,7 +233,7 @@ - iptables/iptables.{{ host_group }} - iptables/iptables.{{ env }} - iptables/iptables - when: not inventory_hostname.startswith(('fed-cloud','osbs')) + when: baseiptables is true notify: - restart iptables - reload libvirtd @@ -248,6 +248,7 @@ - iptables - service - base + when: baseiptables is true - name: ip6tables template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes 
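Review bot: Firewall coverage now depends on every formerly excluded host sitting in a group that sets `baseiptables: False`, and the set of hosts that matches is not the same as before. The removed condition in the `@@ -233` hunk skipped every host named `fed-cloud*` or `osbs*`, while the files in this commit set the flag only for openstack-compute, os, os-stg, osbs, osbs-stg and the single host fed-cloud09, so any other fed-cloud host outside openstack-compute would now receive the base rules; that is worth confirming against the inventory. In the other direction, the ip6tables hunks (`@@ -257` and `@@ -272`) used to skip only fed-cloud09 and now skip all of those groups, so IPv6 filtering on the osbs, os and openstack-compute hosts rests on whatever their own roles install. A comment above both template tasks would record this, for example `# skipped when baseiptables is False: the host's own role must provide v4 and v6 rules`. The tasks begin and end outside the hunks.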
@@ -257,7 +258,7 @@ - iptables/ip6tables.{{ host_group }} - iptables/ip6tables.{{ env }} - iptables/ip6tables - when: not inventory_hostname.startswith('fed-cloud09') + when: baseiptables is true notify: - restart ip6tables - reload libvirtd @@ -272,6 +273,7 @@ - ip6tables - service - base + when: baseiptables is true - name: enable journald persistence file: path=/var/log/journal state=directory From a60055fbaa5e6593d89bb718619989fd7ea65d9f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 17:37:56 +0000 Subject: [PATCH 114/308] oops, == here not is --- roles/base/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 8f43f13ade..4e5832743c 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -233,7 +233,7 @@ - iptables/iptables.{{ host_group }} - iptables/iptables.{{ env }} - iptables/iptables - when: baseiptables is true + when: baseiptables == true notify: - restart iptables - reload libvirtd @@ -248,7 +248,7 @@ - iptables - service - base - when: baseiptables is true + when: baseiptables == true - name: ip6tables template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes @@ -258,7 +258,7 @@ - iptables/ip6tables.{{ host_group }} - iptables/ip6tables.{{ env }} - iptables/ip6tables - when: baseiptables is true + when: baseiptables == true notify: - restart ip6tables - reload libvirtd @@ -273,7 +273,7 @@ - ip6tables - service - base - when: baseiptables is true + when: baseiptables == true - name: enable journald persistence file: path=/var/log/journal state=directory From 1cf12210761d2181a041bdf09e7fc8bb28a440b0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 15 May 2017 17:44:43 +0000 Subject: [PATCH 115/308] adjust hubs playbook to ignore local changes in git repo --- playbooks/hosts/hubs-dev.fedorainfracloud.org.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
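Review bot: `when: baseiptables == true` matches only a real YAML boolean, so a value that arrives as a string makes the comparison false and the firewall tasks are skipped without any error. That happens with `-e baseiptables=true` on the command line or a quoted value in a vars file, which is the wrong direction for a default-on control. Using the bool filter in all four hunks of this commit, `when: baseiptables|bool`, keeps the rules applied for any truthy spelling. The enclosing tasks start outside the hunks.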
diff --git a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml index f9fecc0989..dc59506661 100644 --- a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml @@ -38,8 +38,7 @@ - git: repo=https://pagure.io/fedora-hubs.git dest=/srv/git/fedora-hubs version=develop - register: git_result - changed_when: "git_result.after|default('after') != git_result.before|default('before')" + ignore_errors: true - file: dest=/etc/fedmsg.d/ state=directory - name: copy around a number of files we want command: cp {{item.src}} {{item.dest}} From 123442b2f937232cf02c1b78e87e0d717b5151c6 Mon Sep 17 00:00:00 2001 From: Denis Nutiu Date: Sat, 6 May 2017 12:35:35 +0000 Subject: [PATCH 116/308] Adding logrotate for Jenkins --- roles/jenkins/master/files/jenkins.logrotate | 9 +++++++++ roles/jenkins/master/tasks/main.yml | 11 +++++++++++ 2 files changed, 20 insertions(+) create mode 100644 roles/jenkins/master/files/jenkins.logrotate diff --git a/roles/jenkins/master/files/jenkins.logrotate b/roles/jenkins/master/files/jenkins.logrotate new file mode 100644 index 0000000000..7d74a85f5c --- /dev/null +++ b/roles/jenkins/master/files/jenkins.logrotate @@ -0,0 +1,9 @@ +/var/log/jenkins/jenkins.log { + rotate 5 + weekly + compress + delaycompress + missingok + notifempty + copytruncate +} diff --git a/roles/jenkins/master/tasks/main.yml b/roles/jenkins/master/tasks/main.yml index a9a6a7a301..e2fd152330 100644 --- a/roles/jenkins/master/tasks/main.yml +++ b/roles/jenkins/master/tasks/main.yml @@ -56,6 +56,17 @@ - jenkins/master - config +- name: install jenkins logrotate file + copy: > + src="jenkins.logrotate" + dest="/etc/logrotate.d/jenkins" + notify: + - restart jenkins + tags: + - jenkins + - jenkins/master + - config + - name: install jenkins launcher config file copy: > src="jenkins.conf" From 7e5d134d5561a645289346f0a27b3eca2bf7096b Mon Sep 17 00:00:00 2001 
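Review bot: `ignore_errors: true` on the git task in hubs-dev.fedorainfracloud.org.yml hides every failure of the checkout, not only the local-modifications case named in the subject. A failed clone or a DNS or TLS error now passes as well, and the play continues to the `cp` task below with whatever is, or is not, in /srv/git/fedora-hubs. A narrower form keeps the `register: git_result` line and replaces the new line with something like `failed_when: "git_result.msg is defined and 'Local modifications' not in git_result.msg"`. The exact message text should be checked against the Ansible version in use. The surrounding task list continues outside the hunk.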
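Review bot: The new `install jenkins logrotate file` task writes into /etc/logrotate.d without `owner`, `group` or `mode`, so the result is left to the remote umask. logrotate ignores configuration files that are writable by group or others, so a permissive umask would disable rotation quietly. I would pin it in the copy arguments: `src="jenkins.logrotate" dest="/etc/logrotate.d/jenkins" owner=root group=root mode=0644`. The `Configure alembic` task added later in this series, in roles/bodhi2/base/tasks/main.yml, likewise sets no `mode`.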
From: Kevin Fenzi Date: Mon, 15 May 2017 17:53:59 +0000 Subject: [PATCH 117/308] no need to restart when installing logrotate file --- roles/jenkins/master/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/jenkins/master/tasks/main.yml b/roles/jenkins/master/tasks/main.yml index e2fd152330..226d321c69 100644 --- a/roles/jenkins/master/tasks/main.yml +++ b/roles/jenkins/master/tasks/main.yml @@ -60,8 +60,6 @@ copy: > src="jenkins.logrotate" dest="/etc/logrotate.d/jenkins" - notify: - - restart jenkins tags: - jenkins - jenkins/master From 8d1fe3ad6f2abf9ed62c128e5885c6325c9d3d5c Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Mon, 15 May 2017 18:12:44 +0000 Subject: [PATCH 118/308] Configure staging Bodhi to use the correct DB hostname. Signed-off-by: Randy Barlow --- roles/bodhi2/base/templates/staging.ini.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bodhi2/base/templates/staging.ini.j2 b/roles/bodhi2/base/templates/staging.ini.j2 index ef4fd557a4..71705f5944 100644 --- a/roles/bodhi2/base/templates/staging.ini.j2 +++ b/roles/bodhi2/base/templates/staging.ini.j2 @@ -397,7 +397,7 @@ debugtoolbar.hosts = 127.0.0.1 ::1 ## ## Database ## -sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@db-bodhi/bodhi2 +sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@pgbdr.stg.phx2.fedoraproject.org/bodhi2 ## ## Templates From 8e6d0acaebda91f1336964461a7cf69b5413d6cd Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 15 May 2017 18:33:05 +0000 Subject: [PATCH 119/308] Enable f26 modular compose cronjob. --- roles/releng/files/branched | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/releng/files/branched b/roles/releng/files/branched index ea4fe29711..26fee6c33a 100644 --- a/roles/releng/files/branched +++ b/roles/releng/files/branched 
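Review bot: The new `sqlalchemy.url` in staging.ini.j2 names a fully qualified database host but sets no TLS mode, so whether the password and queries are encrypted falls to libpq's default of `sslmode=prefer`, which drops to plaintext without complaint. If the pgbdr server offers TLS, appending `?sslmode=require` to the URL, or `verify-full` with a CA, makes that explicit. The password is also interpolated raw; `{{ bodhi2PasswordSTG | urlencode }}` would keep the URL valid if it ever contains `@`, `/` or `:`. The mode of the rendered file is set outside this hunk and is worth checking, since the file holds the credential.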
@@ -1,3 +1,4 @@ # branched compose MAILTO=releng-cron@lists.fedoraproject.org 15 7 * * * root TMPDIR=`mktemp -d /tmp/branched.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f26 && LANG=en_US.UTF-8 ./nightly.sh && sudo -u ftpsync /usr/local/bin/update-fullfiletimelist -l /pub/fedora-secondary/update-fullfiletimelist.lock -t /pub fedora fedora-secondary +15 18 * * * root TMPDIR=`mktemp -d /tmp/branched-modular.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f26 && LANG=en_US.UTF-8 ./nightly-modular.sh From 7c2bbb13d9e40702231b7596d068e6f1889f967e Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Mon, 15 May 2017 19:44:24 +0000 Subject: [PATCH 120/308] Configure alembic.ini for BDR on staging. Signed-off-by: Randy Barlow --- roles/bodhi2/base/tasks/main.yml | 10 +++++ roles/bodhi2/base/templates/alembic.ini | 59 +++++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 roles/bodhi2/base/templates/alembic.ini diff --git a/roles/bodhi2/base/tasks/main.yml b/roles/bodhi2/base/tasks/main.yml index f53f03b88e..068a632af2 100644 --- a/roles/bodhi2/base/tasks/main.yml +++ b/roles/bodhi2/base/tasks/main.yml @@ -33,6 +33,16 @@ - config - bodhi +- name: Configure alembic + template: + src: alembic.ini + dest: /etc/bodhi/alembic.ini + owner: bodhi + group: root + tags: + - config + - bodhi + - name: setup basic /etc/bodhi/ contents (production) template: > src="production.ini.j2" diff --git a/roles/bodhi2/base/templates/alembic.ini b/roles/bodhi2/base/templates/alembic.ini new file mode 100644 index 0000000000..b514ae7352 --- /dev/null +++ b/roles/bodhi2/base/templates/alembic.ini 
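Review bot: The added 18:15 entry in roles/releng/files/branched clones pungi-fedora over the network and runs `./nightly-modular.sh` from it as root, with nothing pinning or verifying what was fetched. The integrity of this host therefore rests entirely on who can push to the `f26` branch; the existing 07:15 line has the same shape. If the branch carries signed commits, a check before execution narrows that, for example `git checkout f26 && git verify-commit HEAD && LANG=en_US.UTF-8 ./nightly-modular.sh`, and running under a dedicated account instead of root would help if the compose allows it. Each run also leaves its `mktemp` directory behind in /tmp, and `$TMPDIR` is unquoted in `cd $TMPDIR`.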
@@ -0,0 +1,59 @@ +# A generic, single database configuration. + +[alembic] +# path to migration scripts +script_location = /usr/share/bodhi/alembic + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +# Don't bother, this is obtained from the Bodhi config file +sqlalchemy.url = sqlite://bodhi.db + +# Set to true to aquire the global DDL lock for BDR +# See http://bdr-project.org/docs/stable/ddl-replication-advice.html +{% if env == 'staging' %} +bdr = true +{% else %} +bdr = false +{% endif %} + + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S From f44727c3e2caf92ede61102c03e6c8a7f4a7c066 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 15 May 2017 20:12:15 +0000 Subject: [PATCH 121/308] Adjust the FMN roles and playbook for FMN 1.2 Signed-off-by: Jeremy Cline --- playbooks/manual/upgrade/fmn.yml | 9 ++++++--- roles/notifs/backend/tasks/main.yml | 15 +-------------- roles/notifs/backend/templates/alembic.ini | 4 ---- 3 files changed, 7 insertions(+), 21 deletions(-) diff --git a/playbooks/manual/upgrade/fmn.yml b/playbooks/manual/upgrade/fmn.yml index 483eb7ae13..cbc4d0972b 100644 --- a/playbooks/manual/upgrade/fmn.yml +++ b/playbooks/manual/upgrade/fmn.yml 
@@ -15,7 +15,10 @@ command: yum clean all {%if testing%} --enablerepo=infrastructure-testing {%endif%} check_mode: no - name: yum update FMN packages from main repo - yum: name="python-fmn*" state=latest + yum: name={{ item }} state=latest + with_items: + - python-fmn + - python-fmn-web when: not testing - name: yum update FMN packages from testing repo yum: pkg={{ item }} state=latest enablerepo=infrastructure-testing @@ -80,10 +83,10 @@ - fmn-worker@4 - name: Upgrade the database - command: /usr/bin/alembic -c /usr/share/fmn.lib/alembic.ini upgrade head + command: /usr/bin/alembic -c /usr/share/fmn/alembic.ini upgrade head when: env != "staging" args: - chdir: /usr/share/fmn.lib/ + chdir: /usr/share/fmn/ - name: Re-start the workers and the backend service: name={{ item }} state=started diff --git a/roles/notifs/backend/tasks/main.yml b/roles/notifs/backend/tasks/main.yml index 4049940cda..470956dbbe 100644 --- a/roles/notifs/backend/tasks/main.yml +++ b/roles/notifs/backend/tasks/main.yml @@ -4,7 +4,7 @@ - name: install needed packages yum: pkg={{ item }} state=present with_items: - - python-fmn-consumer + - python-fmn - python-psycopg2 - libsemanage-python # Needed to produce nice long emails about koji builds @@ -16,7 +16,6 @@ - name: install backend and sse packages yum: pkg={{ item }} state=present with_items: - - python-fmn - python-fmn-sse when: env == "staging" tags: @@ -48,22 +47,10 @@ - notifs - notifs/backend -- name: copy the alembic configuration for DBAs - template: > - src=alembic.ini dest=/usr/share/fmn.lib/alembic.ini - owner=root group=sysadmin-dba mode=0660 - when: env != "staging" - notify: - - restart fedmsg-hub - tags: - - notifs - - notifs/backend - - name: copy the alembic configuration for DBAs template: > src=alembic.ini dest=/usr/share/fmn/alembic.ini owner=root group=sysadmin-dba mode=0660 - when: env == "staging" notify: - restart fedmsg-hub tags: 
diff --git a/roles/notifs/backend/templates/alembic.ini b/roles/notifs/backend/templates/alembic.ini index df1506d215..266b83da24 100644 --- a/roles/notifs/backend/templates/alembic.ini +++ b/roles/notifs/backend/templates/alembic.ini @@ -2,11 +2,7 @@ [alembic] # path to migration scripts -{% if env == 'staging' %} script_location = /usr/share/fmn/alembic/ -{% else %} -script_location = /usr/share/fmn.lib/alembic/ -{% endif %} # template used to generate migration files # file_template = %%(rev)s_%%(slug)s From a3b0b87fc72104cff235be74024008aa4f96838b Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Mon, 15 May 2017 20:59:43 +0000 Subject: [PATCH 122/308] add nagios check for mirrorlist container tcp. maybe. Or break everything, which is more likely. Signed-off-by: Ricky Elrod --- roles/nagios_client/tasks/main.yml | 14 ++++++++++++++ roles/nagios_server/files/nrpe/nrpe.cfg | 1 + .../nagios/services/mirrorlist-proxies.cfg.j2 | 8 ++++++++ 3 files changed, 23 insertions(+) create mode 100644 roles/nagios_server/templates/nagios/services/mirrorlist-proxies.cfg.j2 diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 7426943d75..8d5546bb23 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml 
@@ -37,6 +37,20 @@ - nagios_client when: ansible_distribution_major_version|int > 21 +- name: install nagios tcp check for mirrorlist proxies + yum: name=nagios-plugins-tcp state=present + tags: + - packages + - nagios/client + when: ansible_distribution_major_version|int < 22 and 'mirrorlist-proxies' in group_names + +- name: install nagios tcp check for mirrorlist proxies + dnf: name=nagios-plugins-tcp state=present + tags: + - packages + - nagios/client + when: ansible_distribution_major_version|int > 21 and 'mirrorlist-proxies' in group_names + - name: install local nrpe check scripts that are not packaged copy: src="scripts/{{ item }}" dest="{{ libdir }}/nagios/plugins/{{ item }}" mode=0755 owner=nagios group=nagios with_items: diff --git a/roles/nagios_server/files/nrpe/nrpe.cfg b/roles/nagios_server/files/nrpe/nrpe.cfg index d7e1e4f8b1..478e04e8e6 100644 --- a/roles/nagios_server/files/nrpe/nrpe.cfg +++ b/roles/nagios_server/files/nrpe/nrpe.cfg @@ -343,6 +343,7 @@ command[check_koschei_build_resolver_proc]=/usr/lib64/nagios/plugins/check_procs command[check_koschei_repo_resolver_proc]=/usr/lib64/nagios/plugins/check_procs -s RSD -u koschei -C koschei-repo-re -c 1:1 command[check_koschei_scheduler_proc]=/usr/lib64/nagios/plugins/check_procs -s RSD -u koschei -C koschei-schedul -c 1:1 command[check_koschei_watcher_proc]=/usr/lib64/nagios/plugins/check_procs -s RSD -u koschei -C koschei-watcher -c 1:1 +command[check_mirrorlist_docker_proxy]=/usr/lib64/nagios/plugins/check_tcp -H localhost -p 18081 # The following are fedmsg/datanommer checks to be run on busgateway01. # They check for the time since the latest message in any particular category. diff --git a/roles/nagios_server/templates/nagios/services/mirrorlist-proxies.cfg.j2 b/roles/nagios_server/templates/nagios/services/mirrorlist-proxies.cfg.j2 new file mode 100644 index 0000000000..ee8050ae02 --- /dev/null +++ b/roles/nagios_server/templates/nagios/services/mirrorlist-proxies.cfg.j2 
@@ -0,0 +1,8 @@ +{% for host in groups['mirrorlist-proxies'] %} +define service { + host_name {{ host }} + service_description {{ host }} mirrorlist docker container + check_command check_by_nrpe!check_mirrorlist_docker_proxy + use defaulttemplate +} +{% endfor %} From e22ac77e8cb0fc7b71e83e34d8188064bb04a115 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Mon, 15 May 2017 21:06:57 +0000 Subject: [PATCH 123/308] _ not / Signed-off-by: Ricky Elrod --- roles/nagios_client/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 8d5546bb23..1f52a308e9 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -41,14 +41,14 @@ yum: name=nagios-plugins-tcp state=present tags: - packages - - nagios/client + - nagios_client when: ansible_distribution_major_version|int < 22 and 'mirrorlist-proxies' in group_names - name: install nagios tcp check for mirrorlist proxies dnf: name=nagios-plugins-tcp state=present tags: - packages - - nagios/client + - nagios_client when: ansible_distribution_major_version|int > 21 and 'mirrorlist-proxies' in group_names - name: install local nrpe check scripts that are not packaged From b6baefa344117a7739ea0695de716b109785d9ea Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 15 May 2017 21:09:11 +0000 Subject: [PATCH 124/308] Revert "Adjust the FMN roles and playbook for FMN 1.2" This reverts commit f44727c3e2caf92ede61102c03e6c8a7f4a7c066. --- playbooks/manual/upgrade/fmn.yml | 9 +++------ roles/notifs/backend/tasks/main.yml | 15 ++++++++++++++- roles/notifs/backend/templates/alembic.ini | 4 ++++ 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/playbooks/manual/upgrade/fmn.yml b/playbooks/manual/upgrade/fmn.yml index cbc4d0972b..483eb7ae13 100644 --- a/playbooks/manual/upgrade/fmn.yml +++ b/playbooks/manual/upgrade/fmn.yml 
@@ -15,10 +15,7 @@ command: yum clean all {%if testing%} --enablerepo=infrastructure-testing {%endif%} check_mode: no - name: yum update FMN packages from main repo - yum: name={{ item }} state=latest - with_items: - - python-fmn - - python-fmn-web + yum: name="python-fmn*" state=latest when: not testing - name: yum update FMN packages from testing repo yum: pkg={{ item }} state=latest enablerepo=infrastructure-testing @@ -83,10 +80,10 @@ - fmn-worker@4 - name: Upgrade the database - command: /usr/bin/alembic -c /usr/share/fmn/alembic.ini upgrade head + command: /usr/bin/alembic -c /usr/share/fmn.lib/alembic.ini upgrade head when: env != "staging" args: - chdir: /usr/share/fmn/ + chdir: /usr/share/fmn.lib/ - name: Re-start the workers and the backend service: name={{ item }} state=started diff --git a/roles/notifs/backend/tasks/main.yml b/roles/notifs/backend/tasks/main.yml index 470956dbbe..4049940cda 100644 --- a/roles/notifs/backend/tasks/main.yml +++ b/roles/notifs/backend/tasks/main.yml @@ -4,7 +4,7 @@ - name: install needed packages yum: pkg={{ item }} state=present with_items: - - python-fmn + - python-fmn-consumer - python-psycopg2 - libsemanage-python # Needed to produce nice long emails about koji builds @@ -16,6 +16,7 @@ - name: install backend and sse packages yum: pkg={{ item }} state=present with_items: + - python-fmn - python-fmn-sse when: env == "staging" tags: @@ -47,10 +48,22 @@ - notifs - notifs/backend +- name: copy the alembic configuration for DBAs + template: > + src=alembic.ini dest=/usr/share/fmn.lib/alembic.ini + owner=root group=sysadmin-dba mode=0660 + when: env != "staging" + notify: + - restart fedmsg-hub + tags: + - notifs + - notifs/backend + - name: copy the alembic configuration for DBAs template: > src=alembic.ini dest=/usr/share/fmn/alembic.ini owner=root group=sysadmin-dba mode=0660 + when: env == "staging" notify: - restart fedmsg-hub tags: 
diff --git a/roles/notifs/backend/templates/alembic.ini b/roles/notifs/backend/templates/alembic.ini index 266b83da24..df1506d215 100644 --- a/roles/notifs/backend/templates/alembic.ini +++ b/roles/notifs/backend/templates/alembic.ini @@ -2,7 +2,11 @@ [alembic] # path to migration scripts +{% if env == 'staging' %} script_location = /usr/share/fmn/alembic/ +{% else %} +script_location = /usr/share/fmn.lib/alembic/ +{% endif %} # template used to generate migration files # file_template = %%(rev)s_%%(slug)s From dc3150567fb874c9d66272ca6832cc499b9bd7da Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 15 May 2017 21:11:39 +0000 Subject: [PATCH 125/308] Ensure new python-fmn is gone Signed-off-by: Jeremy Cline --- roles/notifs/backend/tasks/main.yml | 3 +++ roles/notifs/frontend/tasks/main.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/roles/notifs/backend/tasks/main.yml b/roles/notifs/backend/tasks/main.yml index 4049940cda..cee58996a7 100644 --- a/roles/notifs/backend/tasks/main.yml +++ b/roles/notifs/backend/tasks/main.yml @@ -1,6 +1,9 @@ --- # Configuration for the notifications consumer +- name: remove new fmn + yum: pkg=python-fmn state=absent + - name: install needed packages yum: pkg={{ item }} state=present with_items: diff --git a/roles/notifs/frontend/tasks/main.yml b/roles/notifs/frontend/tasks/main.yml index c2f936d93a..6b57319f9e 100644 --- a/roles/notifs/frontend/tasks/main.yml +++ b/roles/notifs/frontend/tasks/main.yml @@ -1,6 +1,9 @@ --- # Configuration for the Fedora Notifications webapp +- name: remove new fmn + yum: pkg=python-fmn state=absent + - name: install needed packages yum: pkg={{ item }} state=present with_items: From 4233f7536b0e6906eaeab2d979db6a21fdde1354 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 15 May 2017 21:16:15 +0000 Subject: [PATCH 126/308] fix python-fmn to python2-fmn 
Signed-off-by: Jeremy Cline --- playbooks/manual/upgrade/fmn.yml | 2 +- roles/notifs/backend/tasks/main.yml | 4 +++- roles/notifs/frontend/tasks/main.yml | 4 +++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/playbooks/manual/upgrade/fmn.yml b/playbooks/manual/upgrade/fmn.yml index 483eb7ae13..1390409395 100644 --- a/playbooks/manual/upgrade/fmn.yml +++ b/playbooks/manual/upgrade/fmn.yml @@ -15,7 +15,7 @@ command: yum clean all {%if testing%} --enablerepo=infrastructure-testing {%endif%} check_mode: no - name: yum update FMN packages from main repo - yum: name="python-fmn*" state=latest + yum: name="python-fmn-*" state=latest when: not testing - name: yum update FMN packages from testing repo yum: pkg={{ item }} state=latest enablerepo=infrastructure-testing diff --git a/roles/notifs/backend/tasks/main.yml b/roles/notifs/backend/tasks/main.yml index cee58996a7..27dd98d6b2 100644 --- a/roles/notifs/backend/tasks/main.yml +++ b/roles/notifs/backend/tasks/main.yml @@ -2,12 +2,14 @@ # Configuration for the notifications consumer - name: remove new fmn - yum: pkg=python-fmn state=absent + yum: pkg=python2-fmn state=absent - name: install needed packages yum: pkg={{ item }} state=present with_items: - python-fmn-consumer + - python-fmn-lib + - python-fmn-rules - python-psycopg2 - libsemanage-python # Needed to produce nice long emails about koji builds diff --git a/roles/notifs/frontend/tasks/main.yml b/roles/notifs/frontend/tasks/main.yml index 6b57319f9e..996df61d44 100644 --- a/roles/notifs/frontend/tasks/main.yml +++ b/roles/notifs/frontend/tasks/main.yml @@ -2,12 +2,14 @@ # Configuration for the Fedora Notifications webapp - name: remove new fmn - yum: pkg=python-fmn state=absent + yum: pkg=python2-fmn state=absent - name: install needed packages yum: pkg={{ item }} state=present with_items: - python-fmn-web + - python-fmn-lib + - python-fmn-rules - python-psycopg2 - libsemanage-python - python-memcached 
From 6da41e5b429314074a1742da22f303580e0f6c65 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Mon, 15 May 2017 21:21:03 +0000 Subject: [PATCH 127/308] add template here Signed-off-by: Ricky Elrod --- roles/nagios_server/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml index 21c425f03a..95c14f4b2e 100644 --- a/roles/nagios_server/tasks/main.yml +++ b/roles/nagios_server/tasks/main.yml @@ -271,6 +271,7 @@ template: src=nagios/services/{{item}}.j2 dest=/etc/nagios/services/{{item}} mode=0644 owner=root group=root with_items: - phx2-mgmt.cfg + - mirrorlist-proxies.cfg tags: - nagios_server From a6867db34f4d921b74da1e729930b913ee94e110 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Mon, 15 May 2017 21:30:35 +0000 Subject: [PATCH 128/308] try it here instead Signed-off-by: Ricky Elrod --- roles/nagios_client/tasks/main.yml | 1 + .../nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2 | 1 + 2 files changed, 2 insertions(+) create mode 100644 roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2 diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 1f52a308e9..714be36154 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -145,6 +145,7 @@ - check_koschei_scheduler_proc.cfg - check_koschei_watcher_proc.cfg - check_testcloud.cfg + - check_mirrorlist_docker_proxy.cfg notify: - restart nrpe tags: diff --git a/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2 b/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2 new file mode 100644 index 0000000000..39c0099712 --- /dev/null +++ b/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2 @@ -0,0 +1 @@ +command[check_mirrorlist_docker_proxy]=/usr/lib64/nagios/plugins/check_tcp -H localhost -p 18081 From 1d91cae257f40d3800098e22227f2fb03f03ff21 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Mon, 15 May 2017 21:50:29 +0000 Subject: [PATCH 129/308] Revert "Ensure new python-fmn is gone" This reverts commit dc3150567fb874c9d66272ca6832cc499b9bd7da. Conflicts: roles/notifs/backend/tasks/main.yml roles/notifs/frontend/tasks/main.yml --- roles/notifs/backend/tasks/main.yml | 3 --- roles/notifs/frontend/tasks/main.yml | 3 --- 2 files changed, 6 deletions(-) diff --git a/roles/notifs/backend/tasks/main.yml b/roles/notifs/backend/tasks/main.yml index 27dd98d6b2..514b16a087 100644 --- a/roles/notifs/backend/tasks/main.yml +++ b/roles/notifs/backend/tasks/main.yml @@ -1,9 +1,6 @@ --- # Configuration for the notifications consumer -- name: remove new fmn - yum: pkg=python2-fmn state=absent - - name: install needed packages yum: pkg={{ item }} state=present with_items: diff --git a/roles/notifs/frontend/tasks/main.yml b/roles/notifs/frontend/tasks/main.yml index 996df61d44..87ff292e2d 100644 --- a/roles/notifs/frontend/tasks/main.yml +++ b/roles/notifs/frontend/tasks/main.yml @@ -1,9 +1,6 @@ --- # Configuration for the Fedora Notifications webapp -- name: remove new fmn - yum: pkg=python2-fmn state=absent - - name: install needed packages yum: pkg={{ item }} state=present with_items: From 71de1cd8eac36dc88b92ec5b53dceaae815fd39a Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 15 May 2017 21:52:38 +0000 Subject: [PATCH 130/308] Revert "Revert "Adjust the FMN roles and playbook for FMN 1.2"" This reverts commit b6baefa344117a7739ea0695de716b109785d9ea. Conflicts: playbooks/manual/upgrade/fmn.yml roles/notifs/backend/tasks/main.yml --- playbooks/manual/upgrade/fmn.yml | 6 +++--- roles/notifs/backend/tasks/main.yml | 17 +---------------- roles/notifs/backend/templates/alembic.ini | 4 ---- 3 files changed, 4 insertions(+), 23 deletions(-) diff --git a/playbooks/manual/upgrade/fmn.yml b/playbooks/manual/upgrade/fmn.yml index 1390409395..bfdc1610c1 100644 --- a/playbooks/manual/upgrade/fmn.yml +++ b/playbooks/manual/upgrade/fmn.yml 
@@ -15,7 +15,7 @@ command: yum clean all {%if testing%} --enablerepo=infrastructure-testing {%endif%} check_mode: no - name: yum update FMN packages from main repo - yum: name="python-fmn-*" state=latest + yum: name="python-fmn*" state=latest when: not testing - name: yum update FMN packages from testing repo yum: pkg={{ item }} state=latest enablerepo=infrastructure-testing @@ -80,10 +80,10 @@ - fmn-worker@4 - name: Upgrade the database - command: /usr/bin/alembic -c /usr/share/fmn.lib/alembic.ini upgrade head + command: /usr/bin/alembic -c /usr/share/fmn/alembic.ini upgrade head when: env != "staging" args: - chdir: /usr/share/fmn.lib/ + chdir: /usr/share/fmn/ - name: Re-start the workers and the backend service: name={{ item }} state=started diff --git a/roles/notifs/backend/tasks/main.yml b/roles/notifs/backend/tasks/main.yml index 514b16a087..470956dbbe 100644 --- a/roles/notifs/backend/tasks/main.yml +++ b/roles/notifs/backend/tasks/main.yml @@ -4,9 +4,7 @@ - name: install needed packages yum: pkg={{ item }} state=present with_items: - - python-fmn-consumer - - python-fmn-lib - - python-fmn-rules + - python-fmn - python-psycopg2 - libsemanage-python # Needed to produce nice long emails about koji builds @@ -18,7 +16,6 @@ - name: install backend and sse packages yum: pkg={{ item }} state=present with_items: - - python-fmn - python-fmn-sse when: env == "staging" tags: @@ -50,22 +47,10 @@ - notifs - notifs/backend -- name: copy the alembic configuration for DBAs - template: > - src=alembic.ini dest=/usr/share/fmn.lib/alembic.ini - owner=root group=sysadmin-dba mode=0660 - when: env != "staging" - notify: - - restart fedmsg-hub - tags: - - notifs - - notifs/backend - - name: copy the alembic configuration for DBAs template: > src=alembic.ini dest=/usr/share/fmn/alembic.ini owner=root group=sysadmin-dba mode=0660 - when: env == "staging" notify: - restart fedmsg-hub tags: 
diff --git a/roles/notifs/backend/templates/alembic.ini b/roles/notifs/backend/templates/alembic.ini index df1506d215..266b83da24 100644 --- a/roles/notifs/backend/templates/alembic.ini +++ b/roles/notifs/backend/templates/alembic.ini @@ -2,11 +2,7 @@ [alembic] # path to migration scripts -{% if env == 'staging' %} script_location = /usr/share/fmn/alembic/ -{% else %} -script_location = /usr/share/fmn.lib/alembic/ -{% endif %} # template used to generate migration files # file_template = %%(rev)s_%%(slug)s From 6f627523c64b3ba4a3b17204af14c84fb182ae92 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Mon, 15 May 2017 23:32:57 +0000 Subject: [PATCH 131/308] lets break some stuff --- roles/nagios_server/files/nagios/services/ping.cfg | 11 +++++++++-- .../templates/nagios/hostgroups/all.cfg.j2 | 14 +------------- 2 files changed, 10 insertions(+), 15 deletions(-) diff --git a/roles/nagios_server/files/nagios/services/ping.cfg b/roles/nagios_server/files/nagios/services/ping.cfg index dae065e41d..368db101bf 100644 --- a/roles/nagios_server/files/nagios/services/ping.cfg +++ b/roles/nagios_server/files/nagios/services/ping.cfg @@ -1,14 +1,21 @@ define service { - hostgroup_name all + hostgroup_name *, !buildvm-armv7, !buildvm-s390x, !buildvm-s390 service_description ICMP-Ping4 check_command check_ping4!350.0,20%!500.0,60% use criticaltemplate } +define service { + hostgroup_name buildvm-armv7, buildvm-s390x, buildvm-s390 + service_description ICMP-Ping4-vm-builders + check_command check_ping4!350.0,20%!1000.0,80% + use criticaltemplate +} + # define service { # hostgroup_name all # service_description ICMP-Ping6 -# check_command check_ping6!350.0,20%!500.0,60% +# check_command check_ping6!350.0,20%!500.0,60% # use criticaltemplate # } diff --git a/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 index 7414ca3210..65ccbce1e9 100644 --- a/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 
+++ b/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 @@ -3,19 +3,8 @@ ############### ## {{ env }} -{% if env == "staging" %} - -define hostgroup{ - hostgroup_name all - alias all - members {% for host in groups['all'] %}{% if (hostvars[host].env is defined) and (hostvars[host].env == 'staging') and ( hostvars[host].datacenter == 'phx2') %}{{host}}, {% endif %} {% endfor %} - -} - -{% else %} - {% for key, value in groups.iteritems() %} -{% if groups[key] %} +{% if groups[key] and key is not 'all' %} define hostgroup{ hostgroup_name {{ key }} alias {{ key }} @@ -25,7 +14,6 @@ define hostgroup{ {% endif %} {% endfor %} -{% endif %} ## ## Management hardware From ae8daeaa8547dffc509baaf6aee4b271a9367f04 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Mon, 15 May 2017 23:40:05 +0000 Subject: [PATCH 132/308] string comparisons are hard. lets go shipping --- roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 index 65ccbce1e9..19698a63d3 100644 --- a/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 +++ b/roles/nagios_server/templates/nagios/hostgroups/all.cfg.j2 @@ -4,7 +4,7 @@ ## {{ env }} {% for key, value in groups.iteritems() %} -{% if groups[key] and key is not 'all' %} +{% if groups[key] and key !='all' %} define hostgroup{ hostgroup_name {{ key }} alias {{ key }} From 633d341de32e30b1a47dfa173a08d5e170a52759 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 16 May 2017 03:46:01 +0000 Subject: [PATCH 133/308] changing buildmaster and buildslave dirs for qa-prod --- inventory/group_vars/qa-prod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/inventory/group_vars/qa-prod b/inventory/group_vars/qa-prod index ca698cf00c..4f81620785 100644 --- a/inventory/group_vars/qa-prod +++ b/inventory/group_vars/qa-prod 
@@ -36,10 +36,10 @@ buildmaster_template: ci.master.cfg.j2 buildmaster_endpoint: buildmaster buildslave_ssh_pubkey: '' buildslave_port: 9989 -buildmaster_dir: /home/buildmaster/master -buildslave_dir: /home/buildslave/slave +buildmaster_dir: /srv/buildmaster/master +buildslave_dir: /srv/buildslave/slave buildslave_poll_interval: 1800 -buildmaster_home: /home/buildmaster +buildmaster_home: /srv/buildmaster buildmaster_user: buildmaster # build details From c99714335ba6419d9012abf51737508650edb837 Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Tue, 16 May 2017 14:18:58 +1000 Subject: [PATCH 134/308] waiverdb role: fix a typo --- roles/waiverdb/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml index 6ba8ffae3d..40413c87c0 100644 --- a/roles/waiverdb/tasks/main.yml +++ b/roles/waiverdb/tasks/main.yml @@ -5,7 +5,7 @@ yum: pkg={{ item }} state=present with_items: - waiverdb - - gunicorn + - python-gunicorn - python-psycopg2 notify: - restart waiverdb From 09ca810590421c142b18b1ff8702e09d8cacbd90 Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Tue, 16 May 2017 14:25:51 +1000 Subject: [PATCH 135/308] waiverdb role: fix another typo --- roles/waiverdb/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml index 40413c87c0..03c39d75b8 100644 --- a/roles/waiverdb/tasks/main.yml +++ b/roles/waiverdb/tasks/main.yml @@ -15,7 +15,7 @@ dnf: pkg={{ item }} state=present with_items: - waiverdb - - gunicorn + - python-gunicorn - python-psycopg2 notify: - restart waiverdb From 06630d2a0f6e406208b222bdc40f8de5b147a1fd Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 16 May 2017 05:06:18 +0000 Subject: [PATCH 136/308] run selinux context changes on qa prod/stg as well --- roles/taskotron/buildslave/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/taskotron/buildslave/tasks/main.yml b/roles/taskotron/buildslave/tasks/main.yml index acc747d59b..25e2256d08 100644 --- a/roles/taskotron/buildslave/tasks/main.yml +++ b/roles/taskotron/buildslave/tasks/main.yml @@ -60,10 +60,10 @@ - name: set the selinux fcontext type for the buildslave dir to var_lib_t command: semanage fcontext -a -t var_lib_t "{{ item.dir }}(/.*)?" with_items: "{{ slaves }}" - when: slaves is defined and deployment_type in ['dev', 'stg', 'prod'] + when: slaves is defined and deployment_type in ['dev', 'stg', 'prod', 'qa-prod', 'qa-stg'] - name: make sure the selinux fcontext is restored command: restorecon -R "{{ item.dir }}" with_items: "{{ slaves }}" - when: slaves is defined and deployment_type in ['dev', 'stg', 'prod'] + when: slaves is defined and deployment_type in ['dev', 'stg', 'prod', 'qa-prod', 'qa-stg'] From 7cd328384c086316b519c6af1409a078d19af35d Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Tue, 16 May 2017 15:20:41 +1000 Subject: [PATCH 137/308] waiverdb role: set default OIDC client id and secret used for the dev instance --- roles/waiverdb/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/waiverdb/defaults/main.yml b/roles/waiverdb/defaults/main.yml index a034212670..3aa22bebce 100644 --- a/roles/waiverdb/defaults/main.yml +++ b/roles/waiverdb/defaults/main.yml @@ -2,5 +2,7 @@ waiverdb_db_port: 5432 waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization' waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token' +waiverdb_oidc_client_id: 'D-eb5668aa-f962-4d9e-8131-4ef6d7840436' +waiverdb_oidc_client_secret: 'QctUSOfqot6-XQd7YG0DeIAI81wlc7oD' waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo' waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"' From e3121a38779a44c0247a99311e36d7049336d2ad Mon Sep 17 00:00:00 2001 
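Review bot: `waiverdb_oidc_client_secret` is added as a literal value in `roles/waiverdb/defaults/main.yml`, so the OIDC client secret for the iddev provider is readable by anyone who can read this repository or its history. Role defaults should carry only a reference, for example `waiverdb_oidc_client_secret: "{{ dev_waiverdb_oidc_client_secret }}"` (variable name constructed for illustration), with the value held in the private variable store. Because the value is already in history, the client registered under `waiverdb_oidc_client_id` should be treated as exposed and its secret rotated at the provider.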
From: Matt Jia Date: Tue, 16 May 2017 15:24:58 +1000 Subject: [PATCH 138/308] waiverdb role: fix one more typo --- roles/waiverdb/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml index 03c39d75b8..7eac99c15d 100644 --- a/roles/waiverdb/tasks/main.yml +++ b/roles/waiverdb/tasks/main.yml @@ -29,7 +29,7 @@ - name: copy client secrets template: src: etc/waiverdb/client_secrets.json - dest: /etc/wavierdb/client_secrets.json + dest: /etc/waiverdb/client_secrets.json owner: root group: root mode: 0640 From c3f7563a61deb64fb39eb80423361e6827bf6c7c Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Tue, 16 May 2017 15:34:36 +1000 Subject: [PATCH 139/308] waiverdb role: fix one syntax error --- roles/waiverdb/templates/etc/waiverdb/settings.py.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 index 67ce5c8b58..e1e1b99d68 100644 --- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 @@ -1,2 +1,2 @@ SECRET_KEY = '{{ waiverdb_secret_key }}' -SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb +SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }}/waiverdb From fe08e4c782890937fddd961b6cc25e11fdc754f5 Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Tue, 16 May 2017 15:45:01 +1000 Subject: [PATCH 140/308] waiverdb role: set the secret key based on the env --- roles/waiverdb/templates/etc/waiverdb/settings.py.j2 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 index e1e1b99d68..a7d71ffc50 100644 --- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 
@@ -1,2 +1,8 @@ -SECRET_KEY = '{{ waiverdb_secret_key }}' +{% if env == "production" %} +SECRET_KEY = '{{ prod_waiverdb_secret_key }}' +{% elif env == "staging" %} +SECRET_KEY = '{{ stg_waiverdb_secret_key }}' +{% else %} +SECRET_KEY = '{{ dev_waiverdb_secret_key }}' +{% endif %} SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }}/waiverdb From 7da96f92de976ed100f5b143cd9d0a7438264a10 Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Tue, 16 May 2017 16:06:31 +1000 Subject: [PATCH 141/308] waiverdb role: fix db user name --- roles/waiverdb/tasks/psql_setup.yml | 2 +- roles/waiverdb/templates/etc/waiverdb/settings.py.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/waiverdb/tasks/psql_setup.yml b/roles/waiverdb/tasks/psql_setup.yml index 9a099fe934..5bcfd3c720 100644 --- a/roles/waiverdb/tasks/psql_setup.yml +++ b/roles/waiverdb/tasks/psql_setup.yml @@ -58,6 +58,6 @@ become_user: postgres - name: Create db user - postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE + postgresql_user: db="waiverdb" name="waiverdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE become: yes become_user: postgres diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 index a7d71ffc50..d54c53b8e9 100644 --- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 @@ -5,4 +5,4 @@ SECRET_KEY = '{{ stg_waiverdb_secret_key }}' {% else %} SECRET_KEY = '{{ dev_waiverdb_secret_key }}' {% endif %} -SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }}/waiverdb +SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb-user@:{{ waiverdb_db_port }}/waiverdb From 6fbd67ba52aad7e11a76fdf407bd630a8ac3ad42 Mon Sep 17 00:00:00 2001 
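Review bot: The `{% else %}` branch in `settings.py.j2` gives the dev key to every host whose `env` is neither `production` nor `staging`, so a misspelled or unset `env` on a production host would silently run with `dev_waiverdb_secret_key`. Matching the dev value explicitly and adding an `assert` task in the role that checks `env` against the known values would make this fail closed. Separately, the unchanged `SQLALCHEMY_DATABASE_URI` line still has no closing `'`, so the rendered `settings.py` will not parse. The next commit's hunk on this file touches that line and leaves it unterminated as well.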
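Review bot: The `Create db user` task in `psql_setup.yml` still creates the application role with `SUPERUSER`, which lets the web application's database account bypass every permission check in this PostgreSQL instance; the rename does not change that. Unless something outside this hunk requires it, the role should be unprivileged and limited to the `waiverdb` database, e.g. `postgresql_user: db="waiverdb" name="waiverdb-user" role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE`. The URI in `settings.py.j2` connects as this user without a password, so access presumably depends on host-based authentication rules configured elsewhere, which should be confirmed.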
From: Tim Flink Date: Tue, 16 May 2017 12:03:03 +0000 Subject: [PATCH 142/308] disabling buildbot on qa-prod - hasn't been working for a while --- playbooks/groups/qa.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/qa.yml b/playbooks/groups/qa.yml index 978ad8e0ba..bc81651986 100644 --- a/playbooks/groups/qa.yml +++ b/playbooks/groups/qa.yml @@ -57,8 +57,8 @@ - include: "{{ handlers_path }}/restart_services.yml" -- name: configure qa uildbot CI - hosts: qa-prod:qa-stg +- name: configure qa buildbot CI + hosts: qa-stg user: root gather_facts: True From 6e8f43f96c296e5fe05fc1b5c1986b159936503b Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 16 May 2017 12:30:22 +0000 Subject: [PATCH 143/308] removing imagefactory client - not needed w/o buildbot --- playbooks/groups/qa.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/playbooks/groups/qa.yml b/playbooks/groups/qa.yml index bc81651986..f76ef82ef6 100644 --- a/playbooks/groups/qa.yml +++ b/playbooks/groups/qa.yml @@ -108,10 +108,11 @@ tags: - qastaticsites - roles: - - { role: taskotron/imagefactory-client, - when: deployment_type != "qa-stg", tags: ['imagefactoryclient'] } - +# don't need this if buildbot is not enabled +# roles: +# - { role: taskotron/imagefactory-client, +# when: deployment_type != "qa-stg", tags: ['imagefactoryclient'] } +# handlers: - include: "{{ handlers_path }}/restart_services.yml" From eb1dd0ae0f4737cfb44ac4f31f5a8467c257bd78 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 16 May 2017 15:24:23 +0000 Subject: [PATCH 144/308] look, you can fix a error with 0s --- roles/haproxy/files/os-master.production.pem | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 roles/haproxy/files/os-master.production.pem diff --git a/roles/haproxy/files/os-master.production.pem b/roles/haproxy/files/os-master.production.pem new file mode 100644 index 0000000000..e69de29bb2 
From d71f5442471e67beeb94b1398190b9fcdaf37e2f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 16 May 2017 19:37:01 +0200 Subject: [PATCH 145/308] Sign with sha256 Signed-off-by: Patrick Uiterwijk --- roles/fas_server/templates/fas.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2 index a2649ad3b3..513c6a6b59 100644 --- a/roles/fas_server/templates/fas.cfg.j2 +++ b/roles/fas_server/templates/fas.cfg.j2 @@ -235,7 +235,7 @@ gencert = "{{ gen_cert }}" makeexec = "/usr/bin/make" openssl_lockdir = "/var/lock/fedora-ca" -openssl_digest = "md5" +openssl_digest = "sha256" openssl_expire = 15552000 # 60*60*24*180 = 6 months openssl_ca_dir = "/var/lib/fedora-ca" openssl_ca_newcerts = "/var/lib/fedora-ca/newcerts" From 896fa8079a618ca35f56db8a6304f3c83cee1c37 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 16 May 2017 19:54:30 +0200 Subject: [PATCH 146/308] Drop sqlalchemy.url from alembic.ini now we use what is in pagure.cfg --- roles/pagure/frontend/templates/alembic.ini | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/pagure/frontend/templates/alembic.ini b/roles/pagure/frontend/templates/alembic.ini index 06f2464252..7daf38c633 100644 --- a/roles/pagure/frontend/templates/alembic.ini +++ b/roles/pagure/frontend/templates/alembic.ini @@ -12,7 +12,6 @@ script_location = /usr/share/pagure/alembic # revision_environment = false #sqlalchemy.url = postgresql://<%= pkgdb_app %>:<%= pkgdb_appPassword %>@db-pkgdb/pkgdb -sqlalchemy.url = postgresql://{{ pagure_db_admin_user }}:{{ pagure_db_admin_pass }}@{{ pagure_db_host }}/{{ pagure_db_name }} # Logging configuration From 17698fc2750cadd9bb786a86f36702fb1f69212b Mon Sep 17 00:00:00 2001 
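Review bot: Switching `openssl_digest` to `sha256` only affects certificates generated after this change. Anything already issued with the md5 digest stays valid until it expires, up to the six months set by `openssl_expire` on the following line. A comment such as `# sha256 since 2017-05; md5-signed certs issued earlier age out within openssl_expire` would record that window, and reissuing outstanding certificates sooner would close it. How the CA certificate itself is signed is not visible in this hunk.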
From: Pierre-Yves Chibon Date: Tue, 16 May 2017 20:16:11 +0200 Subject: [PATCH 147/308] Add logging config to pagure's configuration file --- roles/pagure/frontend/templates/pagure.cfg | 42 ++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/roles/pagure/frontend/templates/pagure.cfg b/roles/pagure/frontend/templates/pagure.cfg index e2f95b961b..f25dc5dbe2 100644 --- a/roles/pagure/frontend/templates/pagure.cfg +++ b/roles/pagure/frontend/templates/pagure.cfg @@ -218,3 +218,45 @@ SSH_KEYS = { OLD_VIEW_COMMIT_ENABLED = True PAGURE_CI_SERVICES=['jenkins'] + +LOGGING = { + 'version': 1, + 'disable_existing_loggers': False, + 'formatters': { + 'standard': { + 'format': '%(asctime)s [%(levelname)s] %(name)s: %(message)s' + }, + }, + 'handlers': { + 'console': { + 'level': 'INFO', + 'formatter': 'standard', + 'class': 'logging.StreamHandler', + 'stream': 'ext://sys.stdout', + }, + }, + # The root logger configuration; this is a catch-all configuration + # that applies to all log messages not handled by a different logger + 'root': { + 'level': 'INFO', + 'handlers': ['console'], + }, + 'loggers': { + 'pagure': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False + }, + 'flask': { + 'handlers': ['console'], + 'level': 'INFO', + 'propagate': False + }, + 'sqlalchemy': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': False + }, + } +} + From 6f1093f1f86be4a186d8db287d09dc209d109764 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 16 May 2017 18:49:19 +0000 Subject: [PATCH 148/308] Use fedora-modularity key Signed-off-by: Patrick Uiterwijk --- roles/robosignatory/files/robosignatory.production.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py index c0ee0b326e..36715792ed 100644 --- a/roles/robosignatory/files/robosignatory.production.py 
+++ b/roles/robosignatory/files/robosignatory.production.py @@ -155,14 +155,14 @@ config = { # Any module built against the base-runtime master stream { "stream": "master", - "key": "fedora-27", - "keyid": "f5282ee4" + "key": "fedora-modularity", + "keyid": "a3cc4e62" }, # Any module built against the base-runtime f26 stream { "stream": "f26", - "key": "fedora-26", - "keyid": "64dab85d" + "key": "fedora-modularity", + "keyid": "a3cc4e62" }, ], }, From 893bc4a24112bf65cf1226fb64c36a4fdd8c1cbe Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 16 May 2017 18:53:37 +0000 Subject: [PATCH 149/308] Add python2-modulemd and python2-pdc-client for modular compose. --- roles/releng/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/releng/tasks/main.yml b/roles/releng/tasks/main.yml index 11d173d171..e8a2f2f4bc 100644 --- a/roles/releng/tasks/main.yml +++ b/roles/releng/tasks/main.yml @@ -86,6 +86,8 @@ - python-scandir - python2-productmd - ostree + - python2-modulemd + - python2-pdc-client - name: add pkgs dnf: state=present pkg={{ item }} From 0fed6af768db29878b3f104cdb6425c079b98c2b Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 16 May 2017 19:07:12 +0000 Subject: [PATCH 150/308] Add robots.txt for Pagure Signed-off-by: Patrick Uiterwijk --- roles/pagure/frontend/files/robots.txt | 5 +++++ roles/pagure/frontend/tasks/main.yml | 5 +++++ roles/pagure/frontend/templates/0_pagure.conf | 2 ++ 3 files changed, 12 insertions(+) create mode 100644 roles/pagure/frontend/files/robots.txt diff --git a/roles/pagure/frontend/files/robots.txt b/roles/pagure/frontend/files/robots.txt new file mode 100644 index 0000000000..a70291b52e --- /dev/null +++ b/roles/pagure/frontend/files/robots.txt @@ -0,0 +1,5 @@ +User-agent: * +Disallow: /api +Disallow: /login +Disallow: /*/raw +Crawl-Delay: 2 diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index d005e64303..3f87d1639c 100644 
--- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml @@ -30,6 +30,11 @@ tags: - pagure +- name: Put in robots.txt + copy: src=robots.txt dest=/var/www/html/robots.txt + tags: + - pagure + # Set-up gitolite diff --git a/roles/pagure/frontend/templates/0_pagure.conf b/roles/pagure/frontend/templates/0_pagure.conf index 3c3f353a17..480b1ef1d7 100644 --- a/roles/pagure/frontend/templates/0_pagure.conf +++ b/roles/pagure/frontend/templates/0_pagure.conf @@ -59,6 +59,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na ServerName pagure.io {% endif %} + Alias "/robots.txt" "/var/www/html/robots.txt" + WSGIScriptAlias / /var/www/pagure.wsgi ServerAdmin admin@fedoraproject.org From 0ed85cc46d70e97a9c3bb8ec936585b3ae3952e7 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 16 May 2017 19:11:57 +0000 Subject: [PATCH 151/308] Temporarily disable this Signed-off-by: Patrick Uiterwijk --- roles/pagure/frontend/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index 3f87d1639c..df0f438bc9 100644 --- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml @@ -87,13 +87,11 @@ file: name=/srv/git state=directory recurse=yes owner=git group=git tags: - gitolite - - pagure - name: Adjust permissions of /srv/git/.gitolite file: name=/srv/git/.gitolite state=directory recurse=yes owner=git group=git tags: - gitolite - - pagure - name: install our own gitolite configuration template: src=gitolite.rc From d05ec70a9b5b5c274c682dab15db3ac285f12f94 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 16 May 2017 23:11:19 +0200 Subject: [PATCH 152/308] More precise configuration for pagure logging --- roles/pagure/frontend/templates/pagure.cfg | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/roles/pagure/frontend/templates/pagure.cfg b/roles/pagure/frontend/templates/pagure.cfg index f25dc5dbe2..bc18c69434 100644 --- a/roles/pagure/frontend/templates/pagure.cfg +++ b/roles/pagure/frontend/templates/pagure.cfg @@ -245,6 +245,11 @@ LOGGING = { 'pagure': { 'handlers': ['console'], 'level': 'DEBUG', + 'propagate': True + }, + 'pagure.lib.encoding_utils': { + 'handlers': ['console'], + 'level': 'WARN', 'propagate': False }, 'flask': { @@ -257,6 +262,11 @@ LOGGING = { 'level': 'WARN', 'propagate': False }, + 'binaryornot': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': True + }, } } From d57e04b839f434341301f5cb2b0af40ea4a85a20 Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Wed, 17 May 2017 09:20:36 +1000 Subject: [PATCH 153/308] waiverdb role: miscellaneous fixes --- roles/waiverdb/defaults/main.yml | 2 +- roles/waiverdb/tasks/main.yml | 4 ++++ roles/waiverdb/templates/etc/waiverdb/settings.py.j2 | 5 ++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/waiverdb/defaults/main.yml b/roles/waiverdb/defaults/main.yml index 3aa22bebce..21c008102c 100644 --- a/roles/waiverdb/defaults/main.yml +++ b/roles/waiverdb/defaults/main.yml @@ -5,4 +5,4 @@ waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token' waiverdb_oidc_client_id: 'D-eb5668aa-f962-4d9e-8131-4ef6d7840436' waiverdb_oidc_client_secret: 'QctUSOfqot6-XQd7YG0DeIAI81wlc7oD' waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo' -waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"' +waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo' diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml index 7eac99c15d..7de38017b5 100644 --- a/roles/waiverdb/tasks/main.yml +++ b/roles/waiverdb/tasks/main.yml 
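Review bot: Setting `'propagate': True` on the `pagure` logger while it keeps `'handlers': ['console']` means each record is written twice, once by that handler and once by the root logger's `console` handler defined earlier in this `LOGGING` dict. The new `binaryornot` entry in the second hunk has the same combination. Either drop the `handlers` key from loggers that propagate or keep `'propagate': False` on them. The `pagure` logger also stays at `DEBUG` on the production frontend, so a comment on whether debug records can include request or token data would help whoever ships these logs elsewhere.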
@@ -1,6 +1,10 @@ --- - include: psql_setup.yml +# Need to set selinux to permissive for now due to https://bugzilla.redhat.com/show_bug.cgi?id=1291940 +- name: switch selinux to permissive + selinux: policy=targeted state=permissive + - name: install needed packages (yum) yum: pkg={{ item }} state=present with_items: diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 index d54c53b8e9..154b494e45 100644 --- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 @@ -5,4 +5,7 @@ SECRET_KEY = '{{ stg_waiverdb_secret_key }}' {% else %} SECRET_KEY = '{{ dev_waiverdb_secret_key }}' {% endif %} -SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb-user@:{{ waiverdb_db_port }}/waiverdb +SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb-user@:{{ waiverdb_db_port }}/waiverdb' +OIDC_CLIENT_SECRETS = '/etc/waiverdb/client_secrets.json' +OIDC_REQUIRED_SCOPE = 'https://waiverdb.fedoraproject.org/oidc/create-waiver' +OIDC_RESOURCE_SERVER_ONLY = True From 79559108cd37f6d855afd8c58b5e047af99ea5a3 Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Wed, 17 May 2017 09:54:27 +1000 Subject: [PATCH 154/308] waiverdb role: fix the nginx conf --- roles/waiverdb/tasks/main.yml | 11 ++++++++ .../etc/nginx/conf.d/waiverdb.conf.j2 | 28 ++++--------------- 2 files changed, 16 insertions(+), 23 deletions(-) diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml index 7de38017b5..14006e8975 100644 --- a/roles/waiverdb/tasks/main.yml +++ b/roles/waiverdb/tasks/main.yml @@ -49,5 +49,16 @@ mode: 0660 backup: yes force: yes + +- name: install the nginx config + template: + src: etc/nginx/conf.d/waiverdb.conf.j2 + dest: /etc/nginx/conf.d/waiverdb.conf + owner: nginx + group: nginx + mode: 0640 + notify: + - restart nginx + notify: - restart waiverdb 
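Review bot: The new `switch selinux to permissive` task in the first hunk of roles/waiverdb/tasks/main.yml turns off enforcement for the whole host, not only for the service affected by the linked bug. If a single domain is hit, a per-domain exemption is narrower, e.g. `selinux_permissive: name=<affected_domain_t> permissive=true` (the domain is a placeholder; the page does not name it). The task also has no `when:` or tag, so it applies wherever the role runs, and the comment should state what has to land before enforcing mode is restored.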
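Review bot: In the `@@ -49,5 +49,16 @@` hunk of roles/waiverdb/tasks/main.yml, the new `install the nginx config` task is inserted above the `notify: - restart waiverdb` lines that belonged to the preceding task. As far as the flattened hunk shows, the preceding task loses its handler and the nginx task ends up with two `notify` keys, of which a YAML parser normally keeps only the last, so a changed nginx config would restart waiverdb instead of nginx. Keep `notify:` / `- restart waiverdb` directly under `force: yes` and add the new task after it. The preceding task starts outside the hunk.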
diff --git a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 index d5d013974a..0fe42b5eaa 100644 --- a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 +++ b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 @@ -1,29 +1,11 @@ # HTTP server -# rewrite to HTTPS server { - listen 80; - server_name {{service_name}}; - return 301 https://$server_name$request_uri; -} -# HTTPs server -server { - listen 443; - server_name {{ service_name }}; + listen 80 default_server; + server_name _; - ssl on; - ssl_certificate /etc/nginx/conf.d/ssl.pem; - ssl_certificate_key /etc/nginx/conf.d/ssl.key; - - ssl_session_timeout 5m; - - # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - # modern configuration. tweak to your needs. - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; + large_client_header_buffers 4 32k; + client_max_body_size 50M; + charset utf-8; location / { root /usr/share/nginx/html; From d0e6ccbd13b954aa6d7dc60699a8e0b743687bbd Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Wed, 17 May 2017 10:07:33 +1000 Subject: [PATCH 155/308] waiverdb-dev playbook: add fedmsg role --- playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml | 1 + 1 file changed, 1 insertion(+) 
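Review bot: The rewritten server block in waiverdb.conf.j2 drops the port 443 server, the 301 redirect and the HSTS header, and serves everything on `listen 80 default_server`. The settings template in this series configures waiverdb as an OIDC resource server, so bearer tokens would cross the network in clear text unless TLS is terminated in front of this host, which the hunk does not show. If a proxy terminates TLS, record that in the header comment, e.g. `# TLS is terminated by <proxy>; this listener must only be reachable from it`, and restrict port 80 accordingly. Otherwise keep the HTTPS server block. The `location /` block continues outside the hunk.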
diff --git a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml index dae7fedfc7..c342a6e664 100644 --- a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml @@ -26,5 +26,6 @@ hostname: name="{{inventory_hostname}}" roles: + - fedmsg/base - nginx - waiverdb From 7676b624176d2a231d23b985f10119fae03a5fdb Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Wed, 17 May 2017 10:48:46 +1000 Subject: [PATCH 156/308] waiverdb role and playbook: add the global handlers in the playbook and fix a typo in the role --- playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml | 3 +++ roles/waiverdb/tasks/main.yml | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml index c342a6e664..05a4bd278d 100644 --- a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml @@ -25,6 +25,9 @@ - name: set hostname (required by some services, at least postfix need it) hostname: name="{{inventory_hostname}}" + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + roles: - fedmsg/base - nginx diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml index 14006e8975..10c1cdba92 100644 --- a/roles/waiverdb/tasks/main.yml +++ b/roles/waiverdb/tasks/main.yml @@ -49,6 +49,8 @@ mode: 0660 backup: yes force: yes + notify: + - restart waiverdb - name: install the nginx config template: @@ -59,6 +61,4 @@ mode: 0640 notify: - restart nginx - - notify: - - restart waiverdb + \ No newline at end of file From 399bb3170a27a0f2e04ff1632130ca632d20265f Mon Sep 17 00:00:00 2001 
From: Matt Jia Date: Wed, 17 May 2017 11:23:25 +1000 Subject: [PATCH 157/308] waiverdb-dev host_vars: set vars for fedmsg --- inventory/host_vars/waiverdb-dev.fedorainfracloud.org | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/inventory/host_vars/waiverdb-dev.fedorainfracloud.org b/inventory/host_vars/waiverdb-dev.fedorainfracloud.org index 52a72a9328..f842717173 100644 --- a/inventory/host_vars/waiverdb-dev.fedorainfracloud.org +++ b/inventory/host_vars/waiverdb-dev.fedorainfracloud.org @@ -16,3 +16,14 @@ description: waverdb development instance cloud_networks: # persistent-net - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f" + +# These are consumed by a task in roles/fedmsg/base/main.yml +fedmsg_active: True +fedmsg_cert_prefix: waiverdb + +fedmsg_certs: +- service: waiverdb + owner: root + group: fedmsg + can_send: + - waiverdb.new From 00df0d9d3b4c53a4df9796fd12b86353c1eb4eba Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Wed, 17 May 2017 11:37:07 +1000 Subject: [PATCH 158/308] waiverdb role: no fedmsg on dev --- inventory/host_vars/waiverdb-dev.fedorainfracloud.org | 11 ----------- playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml | 1 - roles/waiverdb/templates/etc/waiverdb/settings.py.j2 | 3 +++ 3 files changed, 3 insertions(+), 12 deletions(-) diff --git a/inventory/host_vars/waiverdb-dev.fedorainfracloud.org b/inventory/host_vars/waiverdb-dev.fedorainfracloud.org index f842717173..52a72a9328 100644 --- a/inventory/host_vars/waiverdb-dev.fedorainfracloud.org +++ b/inventory/host_vars/waiverdb-dev.fedorainfracloud.org @@ -16,14 +16,3 @@ description: waverdb development instance cloud_networks: # persistent-net - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f" - -# These are consumed by a task in roles/fedmsg/base/main.yml -fedmsg_active: True -fedmsg_cert_prefix: waiverdb - -fedmsg_certs: -- service: waiverdb - owner: root - group: fedmsg - can_send: - - waiverdb.new 
diff --git a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml index 05a4bd278d..9c23e028fe 100644 --- a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml @@ -29,6 +29,5 @@ - include: "{{ handlers_path }}/restart_services.yml" roles: - - fedmsg/base - nginx - waiverdb diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 index 154b494e45..45220fc4df 100644 --- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 @@ -9,3 +9,6 @@ SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb-user@:{{ waiverdb_db_port }}/wa OIDC_CLIENT_SECRETS = '/etc/waiverdb/client_secrets.json' OIDC_REQUIRED_SCOPE = 'https://waiverdb.fedoraproject.org/oidc/create-waiver' OIDC_RESOURCE_SERVER_ONLY = True +{% if env == "dev" %} +ZEROMQ_PUBLISH = False +{% endif %} From 4a1e51c654b89462cf7ba5ffafbbab11ddc52b0b Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Wed, 17 May 2017 11:42:54 +1000 Subject: [PATCH 159/308] waiverdb role: correct one condition check in the settings.py template --- roles/waiverdb/templates/etc/waiverdb/settings.py.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 index 45220fc4df..0ce4225333 100644 --- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 @@ -9,6 +9,6 @@ SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb-user@:{{ waiverdb_db_port }}/wa OIDC_CLIENT_SECRETS = '/etc/waiverdb/client_secrets.json' OIDC_REQUIRED_SCOPE = 'https://waiverdb.fedoraproject.org/oidc/create-waiver' OIDC_RESOURCE_SERVER_ONLY = True -{% if env == "dev" %} +{% if env != "production" and env != "staging" %} ZEROMQ_PUBLISH = False {% endif %} 
From 6da940f3fd9dd59b97ea608d587e532dc7fceb61 Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Wed, 17 May 2017 11:59:57 +1000 Subject: [PATCH 160/308] waiverdb role:fix the conditional check in the settings.py template --- roles/waiverdb/templates/etc/waiverdb/settings.py.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 index 0ce4225333..df7d8084b9 100644 --- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 @@ -9,6 +9,8 @@ SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb-user@:{{ waiverdb_db_port }}/wa OIDC_CLIENT_SECRETS = '/etc/waiverdb/client_secrets.json' OIDC_REQUIRED_SCOPE = 'https://waiverdb.fedoraproject.org/oidc/create-waiver' OIDC_RESOURCE_SERVER_ONLY = True -{% if env != "production" and env != "staging" %} +{% if env == "production" or env == "staging" %} +ZEROMQ_PUBLISH = True +{% else %} ZEROMQ_PUBLISH = False {% endif %} From 2adc74f3d5fedf7e85c20847ca18260a8555482b Mon Sep 17 00:00:00 2001 From: Matt Jia Date: Wed, 17 May 2017 13:09:23 +1000 Subject: [PATCH 161/308] waiverdb role: fix the settings.py template --- inventory/host_vars/waiverdb-dev.fedorainfracloud.org | 1 + roles/waiverdb/templates/etc/waiverdb/settings.py.j2 | 8 +++----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/inventory/host_vars/waiverdb-dev.fedorainfracloud.org b/inventory/host_vars/waiverdb-dev.fedorainfracloud.org index 52a72a9328..aad3add4fc 100644 --- a/inventory/host_vars/waiverdb-dev.fedorainfracloud.org +++ b/inventory/host_vars/waiverdb-dev.fedorainfracloud.org @@ -12,6 +12,7 @@ hostbase: waverdb-dev public_ip: 209.132.184.51 root_auth_users: mjia description: waverdb development instance +deployment_type: dev cloud_networks: # persistent-net 
diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 index df7d8084b9..986a7f9520 100644 --- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 @@ -1,6 +1,6 @@ -{% if env == "production" %} +{% if deployment_type == "prod" %} SECRET_KEY = '{{ prod_waiverdb_secret_key }}' -{% elif env == "staging" %} +{% elif deployment_type == "stg" %} SECRET_KEY = '{{ stg_waiverdb_secret_key }}' {% else %} SECRET_KEY = '{{ dev_waiverdb_secret_key }}' @@ -9,8 +9,6 @@ SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb-user@:{{ waiverdb_db_port }}/wa OIDC_CLIENT_SECRETS = '/etc/waiverdb/client_secrets.json' OIDC_REQUIRED_SCOPE = 'https://waiverdb.fedoraproject.org/oidc/create-waiver' OIDC_RESOURCE_SERVER_ONLY = True -{% if env == "production" or env == "staging" %} -ZEROMQ_PUBLISH = True -{% else %} +{% if deployment_type == "dev" %} ZEROMQ_PUBLISH = False {% endif %} From b7c110b15740283c10eb7526f0251dc12def7131 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 17 May 2017 13:47:42 +0000 Subject: [PATCH 162/308] releng: remove unused branched/rawhide secondary compose cron jobs --- roles/releng/files/aarch64.branched | 3 --- roles/releng/files/aarch64.rawhide | 3 --- roles/releng/files/power64.branched | 3 --- roles/releng/files/power64.rawhide | 3 --- roles/releng/files/s390.rawhide | 3 --- 5 files changed, 15 deletions(-) delete mode 100644 roles/releng/files/aarch64.branched delete mode 100644 roles/releng/files/aarch64.rawhide delete mode 100644 roles/releng/files/power64.branched delete mode 100644 roles/releng/files/power64.rawhide delete mode 100644 roles/releng/files/s390.rawhide diff --git a/roles/releng/files/aarch64.branched b/roles/releng/files/aarch64.branched deleted file mode 100644 index 48b1d38902..0000000000 --- a/roles/releng/files/aarch64.branched +++ /dev/null 
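Review bot: In the `@@ -1,6 +1,6 @@` hunk of settings.py.j2, the `{% else %}` branch still renders `dev_waiverdb_secret_key` for every `deployment_type` that is not exactly `prod` or `stg`. A misspelled or unexpected value on a production host would therefore get the development key without any error. Make the last branch explicit with `{% elif deployment_type == "dev" %}` and reject any other value, for instance with an `assert` task ahead of the template task. The second hunk has the same shape: `ZEROMQ_PUBLISH` is written only for `dev`, so every other value relies on the application default.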
@@ -1,3 +0,0 @@ -# branched devel compose -MAILTO=releng-cron@lists.fedoraproject.org -#15 7 * * * root TMPDIR=`mktemp -d /tmp/branched.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f25-secondary-arch && LANG=en_US.UTF-8 ./nightly.sh arm diff --git a/roles/releng/files/aarch64.rawhide b/roles/releng/files/aarch64.rawhide deleted file mode 100644 index 81d4c5d51b..0000000000 --- a/roles/releng/files/aarch64.rawhide +++ /dev/null @@ -1,3 +0,0 @@ -# rawhide compose -MAILTO=releng-cron@lists.fedoraproject.org -# 15 5 * * * root TMPDIR=`mktemp -d /tmp/rawhide.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout secondary-arch && LANG=en_US.UTF-8 ./nightly.sh arm diff --git a/roles/releng/files/power64.branched b/roles/releng/files/power64.branched deleted file mode 100644 index f989b556f1..0000000000 --- a/roles/releng/files/power64.branched +++ /dev/null @@ -1,3 +0,0 @@ -# branched devel compose -MAILTO=releng-cron@lists.fedoraproject.org -#15 7 * * * root TMPDIR=`mktemp -d /tmp/branched.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f25-secondary-arch && LANG=en_US.UTF-8 ./nightly.sh ppc diff --git a/roles/releng/files/power64.rawhide b/roles/releng/files/power64.rawhide deleted file mode 100644 index c06bce488d..0000000000 --- a/roles/releng/files/power64.rawhide +++ /dev/null @@ -1,3 +0,0 @@ -# rawhide compose -MAILTO=releng-cron@lists.fedoraproject.org -# 15 5 * * * root TMPDIR=`mktemp -d /tmp/rawhide.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout secondary-arch && LANG=en_US.UTF-8 ./nightly.sh ppc diff --git a/roles/releng/files/s390.rawhide b/roles/releng/files/s390.rawhide deleted file mode 100644 index 1be4f4a863..0000000000 --- a/roles/releng/files/s390.rawhide +++ /dev/null 
@@ -1,3 +0,0 @@ -# rawhide compose -MAILTO=releng-cron@lists.fedoraproject.org -15 8 * * * root TMPDIR=`mktemp -d /tmp/rawhide.XXXXXX` && cd $TMPDIR && git clone https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout secondary-arch && LANG=en_US.UTF-8 ./nightly.sh s390 From 2c76cf8c3c8a1dfad443b727c647defbc2722808 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 17 May 2017 14:02:21 +0000 Subject: [PATCH 163/308] Add loopabull ociimage to staging composer Signed-off-by: Patrick Uiterwijk --- playbooks/groups/releng-compose.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 1e1f7120e3..1b279a114f 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml @@ -42,6 +42,9 @@ - role: loopabull/target loopabull_role: koji when: "env == 'staging' and inventory_hostname == 'composer.stg.phx2.fedoraproject.org'" + - role: loopabull/target + loopabull_role: ociimage + when: "env == 'staging' and inventory_hostname == 'composer.stg.phx2.fedoraproject.org'" - { role: nfs/client, when: "'releng-stg' not in group_names", mnt_dir: '/mnt/fedora_koji', nfs_src_dir: "{{ koji_hub_nfs }}" } - { role: nfs/client, when: "'releng-compose' in group_names", mnt_dir: '/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' } - { role: nfs/client, when: "'releng-secondary' in group_names", mnt_dir: '/pub/fedora-secondary', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/fedora-secondary' } From c165ab5a39315364e5b6a865d9ab3c9a090d7cf7 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Wed, 17 May 2017 16:02:53 +0000 Subject: [PATCH 164/308] setup loopabull_ociimage user for stg Signed-off-by: Adam Miller --- playbooks/groups/loopabull.yml | 9 +++++++++ playbooks/groups/releng-compose.yml | 1 + 2 files changed, 10 insertions(+) diff --git a/playbooks/groups/loopabull.yml b/playbooks/groups/loopabull.yml index 192115e1f9..cc6a4c3ddd 100644 
--- a/playbooks/groups/loopabull.yml +++ b/playbooks/groups/loopabull.yml @@ -45,6 +45,15 @@ git: repo: "https://pagure.io/releng-automation.git" dest: "/usr/local/loopabull-playbooks" + - name: ensure ~/.ssh dir exists + file: + path: "/home/root/.ssh/" + state: directory + - name: place loopabull_ociimage user private keys + copy: + src: "{{ private }}/files/loopabull/keys/{{ env }}_ociimage" + dest: "/home/root/.ssh/id_rsa.loopabull_ociimage" + mode: 0600 roles: - { diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index 1b279a114f..864431e44a 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml @@ -68,6 +68,7 @@ when: env == "staging" } + tasks: # this is how you include other task lists - include: "{{ tasks_path }}/2fa_client.yml" From 31c38b2e16b4356aed482018c9dbd6b02dea955c Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Wed, 17 May 2017 17:18:42 +0000 Subject: [PATCH 165/308] adding upstreamfirst persistent cloud instance --- .../upstreamfirst.fedorainfracloud.org | 98 +++++++++++++++++++ .../upstreamfirst.fedorainfracloud.org.yml | 70 +++++++++++++ 2 files changed, 168 insertions(+) create mode 100644 inventory/host_vars/upstreamfirst.fedorainfracloud.org create mode 100644 playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org new file mode 100644 index 0000000000..e8a22ee4fe --- /dev/null +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org 
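Review bot: The `ensure ~/.ssh dir exists` task added to playbooks/groups/loopabull.yml creates the directory that holds a private key without an explicit mode or owner, so its permissions depend on the umask of the run. Add `mode: 0700` to the directory task, and `no_log: true` to the `place loopabull_ociimage user private keys` task so key material cannot appear in diff or verbose output. The path `/home/root/.ssh/` also looks unintended, since root's home is normally `/root`; confirm which account is meant to use `id_rsa.loopabull_ociimage`.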
@@ -0,0 +1,98 @@ +--- + +instance_type: m1.medium +image: CentOS-7-x86_64-GenericCloud-1503 +keypair: fedora-admin-20130801 +security_group: default # NOTE: security_group MUST contain default. +zone: nova +tcp_ports: [ 22, 25, 80, 443, 9418, + # Used for the eventsource server + 8088, + # This is for the pagure public fedmsg relay + 9940] + +inventory_tenant: persistent +inventory_instance_name: upstreamfirst +hostbase: upstreamfirst +public_ip: 209.132.184.153 +root_auth_users: tflink roshi +description: upstream-first pagure server +security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent,mail-25-anywhere-persistent,allow-nagios-persistent,fedmsg-relay-persistent,pagure-ports + +volumes: + - volume_id: 81c1cb3e-5fb0-4abd-a252-b0102f1378de + device: /dev/vdc + +cloud_networks: + # persistent-net + - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f" + +stunnel_service: "eventsource" +stunnel_source_port: 8088 +stunnel_destination_port: 8080 + +# not doing anything with fedmsg right now +## These are consumed by a task in roles/fedmsg/base/main.yml +#fedmsg_certs: +#- service: shell +# owner: root +# group: sysadmin +# can_send: +# - logger.log +#- service: pagure +# owner: git +# group: apache +# can_send: +# - pagure.issue.assigned.added +# - pagure.issue.assigned.reset +# - pagure.issue.comment.added +# - pagure.issue.dependency.added +# - pagure.issue.dependency.removed +# - pagure.issue.edit +# - pagure.issue.new +# - pagure.issue.tag.added +# - pagure.issue.tag.removed +# - pagure.project.edit +# - pagure.project.forked +# - pagure.project.new +# - pagure.project.tag.edited +# - pagure.project.tag.removed +# - pagure.project.user.added +# - pagure.pull-request.closed +# - pagure.pull-request.comment.added +# - pagure.pull-request.flag.added +# - pagure.pull-request.flag.updated +# - pagure.request.assigned.added +# - pagure.pull-request.new +# +#fedmsg_prefix: io.pagure +#fedmsg_env: stg + 
+fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-qa + +freezes: false +#env: pagure-staging +#postfix_group: vpn.pagure-stg + +# Configuration for the git-daemon/server +git_group: git +git_port: 9418 +git_server: /usr/libexec/git-core/git-daemon +git_server_args: --export-all --syslog --inetd --verbose +git_basepath: /srv/git/repositories +git_daemon_user: git + +# For the MOTD +csi_security_category: Low +csi_primary_contact: Fedora admins - admin@fedoraproject.org +csi_purpose: Stage testcases being submitted upstream to Fedora +csi_relationship: | + There are a few things running here: + + - The apache/mod_wsgi app for pagure + + - This host relies on: + - A postgres db server running locally + + - Things that rely on this host: + - nothing currently diff --git a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml new file mode 100644 index 0000000000..3aa43bf827 --- /dev/null +++ b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml 
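Review bot: `security_group` is defined twice in the new inventory/host_vars/upstreamfirst.fedorainfracloud.org, first as `default` and again with the full list a few lines later. Duplicate keys in a YAML mapping are resolved silently by the parser (normally the last one wins), so the first line and its comment are misleading and should be dropped. `tcp_ports` opens 9940 and the group list includes `fedmsg-relay-persistent` although the fedmsg block is commented out as unused; leave both out until fedmsg is enabled. `git_server_args` passes `--export-all`, which serves every repository under `git_basepath` over the unauthenticated git protocol, so confirm that nothing private is meant to live there.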
@@ -0,0 +1,70 @@ +- name: check/create instance + hosts: upstreamfirst.fedorainfracloud.org + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/web/infra/ansible/vars/fedora-cloud.yml + - /srv/private/ansible/files/openstack/passwords.yml + + tasks: + - include: "{{ tasks_path }}/persistent_cloud.yml" + +- name: do base configuration + hosts: upstreamfirst.fedorainfracloud.org + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - base + - rkhunter + - nagios_client + - hosts + - fas_client + - sudo + - collectd/base + - openvpn/client + - postgresql_server + + tasks: + - include: "{{ tasks_path }}/yumrepos.yml" + - include: "{{ tasks_path }}/2fa_client.yml" + - include: "{{ tasks_path }}/motd.yml" + + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + +- name: deploy pagure + hosts: upstreamfirst.fedorainfracloud.org + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - "{{ vars_path }}/{{ ansible_distribution }}.yml" + + pre_tasks: + - name: install fedmsg-relay + yum: pkg=fedmsg-relay state=present + tags: + - pagure + - pagure/fedmsg + - name: and start it + service: name=fedmsg-relay state=started + tags: + - pagure + - pagure/fedmsg + + roles: + - pagure/frontend + - pagure/fedmsg + + handlers: + - include: "{{ handlers_path }}/restart_services.yml" From 7ee5f30f3f4a26289212dac724a482d729161c65 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Wed, 17 May 2017 17:39:08 +0000 Subject: [PATCH 166/308] adding upstreamfirst to cloud and reg. inventory --- inventory/cloud | 1 + inventory/inventory | 2 ++ 2 files changed, 3 insertions(+) diff --git a/inventory/cloud b/inventory/cloud index 0610f02a81..46e6bb3f00 100644 --- a/inventory/cloud 
+++ b/inventory/cloud @@ -81,3 +81,4 @@ twisted-fedora25-2.fedorainfracloud.org twisted-rhel7-1.fedorainfracloud.org twisted-rhel7-2.fedorainfracloud.org waiverdb-dev.fedorainfracloud.org +upstreamfirst.fedorainfracloud.org diff --git a/inventory/inventory b/inventory/inventory index aff5a23c35..f9589d1a67 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1159,6 +1159,8 @@ respins.fedorainfracloud.org waiverdb-dev.fedorainfracloud.org # hubs-dev hubs-dev.fedorainfracloud.org +# upstreamfirst - ticket 6066 +upstreamfirst.fedorainfracloud.org # # These are in the new cloud From d4fee26cbca8e7b20fe688563d5dc75069bbcaaf Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Wed, 17 May 2017 18:05:28 +0000 Subject: [PATCH 167/308] don't need openvpn on cloud host --- playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml index 3aa43bf827..fba8323e2d 100644 --- a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml +++ b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml @@ -29,7 +29,6 @@ - fas_client - sudo - collectd/base - - openvpn/client - postgresql_server tasks: From af0409463df942e07c4b6a3f25dea38c3652a57f Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Wed, 17 May 2017 18:09:00 +0000 Subject: [PATCH 168/308] adding missing postgres vars --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index e8a22ee4fe..a861e4e871 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org 
@@ -26,6 +26,16 @@ volumes: cloud_networks: # persistent-net - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f" +# +# PostgreSQL configuration +# + +shared_buffers: "2GB" +effective_cache_size: "6GB" + +# +# Pagure Config +# stunnel_service: "eventsource" stunnel_source_port: 8088 From 82b80ef1cee225f44f423f4282542d5191c7f1be Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Wed, 17 May 2017 18:26:22 +0000 Subject: [PATCH 169/308] adding vars tweak for upstreamfirst --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index a861e4e871..f8681aac52 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -37,6 +37,15 @@ effective_cache_size: "6GB" # Pagure Config # +pagure_db_admin_user: {{ upstreamfirst_pagure_db_admin_user }} +pagure_db_admin_pass: {{ upstreamfirst_pagure_db_admin_pass }} +pagure_db_user: {{ upstreamfirst_pagure_db_user }} +pagure_db_pass: {{ upstreamfirst_pagure_db_pass }} +pagure_db_host: {{ upstreamfirst_pagure_db_host }} +pagure_db_name: {{ upstreamfirst_pagure_db_name }} +pagure_secret_key: {{ upstreamfirst_pagure_db_admin_user }} +pagure_secret_salt_email: {{ upstreamfirst_pagure_secret_salt_email }} + stunnel_service: "eventsource" stunnel_source_port: 8088 stunnel_destination_port: 8080 From 8eb3174bc15a73fd0b058a311daf1cc42fca0d93 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Wed, 17 May 2017 18:28:02 +0000 Subject: [PATCH 170/308] fixing syntax errors in host vars --- .../host_vars/upstreamfirst.fedorainfracloud.org | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index f8681aac52..eb415612bd 100644 
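Review bot: In the `@@ -37,6 +37,15 @@` hunk of the upstreamfirst host_vars, `pagure_secret_key` is filled from `upstreamfirst_pagure_db_admin_user`, which looks like a copy-paste slip. The application secret would then equal the database admin user name, a guessable value, rather than a random key. Point it at a dedicated secret in the private vars, e.g. `pagure_secret_key: "{{ upstreamfirst_pagure_secret_key }}"` (variable name assumed from the naming pattern of the neighbouring lines). The same assignment is carried unchanged through the quoting fix in PATCH 170 and into `new_pagure_secret_key` in PATCH 171.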
--- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -37,14 +37,14 @@ effective_cache_size: "6GB" # Pagure Config # -pagure_db_admin_user: {{ upstreamfirst_pagure_db_admin_user }} -pagure_db_admin_pass: {{ upstreamfirst_pagure_db_admin_pass }} -pagure_db_user: {{ upstreamfirst_pagure_db_user }} -pagure_db_pass: {{ upstreamfirst_pagure_db_pass }} -pagure_db_host: {{ upstreamfirst_pagure_db_host }} -pagure_db_name: {{ upstreamfirst_pagure_db_name }} -pagure_secret_key: {{ upstreamfirst_pagure_db_admin_user }} -pagure_secret_salt_email: {{ upstreamfirst_pagure_secret_salt_email }} +pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" +pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" +pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" +pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" +pagure_db_host: "{{ upstreamfirst_pagure_db_host }}" +pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" +pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" +pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}" stunnel_service: "eventsource" stunnel_source_port: 8088 From f3bf1103b8f24a19c76ff8be354a736311ff0cf8 Mon Sep 17 00:00:00 2001 
From: Tim Flink Date: Wed, 17 May 2017 20:07:28 +0000 Subject: [PATCH 171/308] adding new role for upstreamfirst pagure instance --- .../upstreamfirst.fedorainfracloud.org | 61 +++- .../upstreamfirst.fedorainfracloud.org.yml | 28 +- .../upstreamfirst-frontend/files/aliases | 91 +++++ .../files/backup-database | 10 + .../files/pagure_ev.service | 15 + .../upstreamfirst-frontend/files/pg_hba.conf | 78 ++++ .../upstreamfirst-frontend/files/robots.txt | 5 + .../files/selinux/pagure.fc | 0 .../files/selinux/pagure.if | 1 + .../files/selinux/pagure.pp | Bin 0 -> 7261 bytes .../files/selinux/pagure.te | 11 + .../files/stunnel.service | 14 + .../upstreamfirst-frontend/handlers/main.yml | 3 + .../upstreamfirst-frontend/tasks/main.yml | 333 ++++++++++++++++++ .../templates/0_pagure.conf | 133 +++++++ .../templates/alembic.ini | 50 +++ .../templates/docs_pagure.wsgi | 22 ++ .../templates/gitolite.rc | 195 ++++++++++ .../templates/pagure.cfg | 233 ++++++++++++ .../templates/pagure.wsgi | 28 ++ .../templates/stunnel-conf.j2 | 8 + 21 files changed, 1287 insertions(+), 32 deletions(-) create mode 100644 roles/pagure/upstreamfirst-frontend/files/aliases create mode 100644 roles/pagure/upstreamfirst-frontend/files/backup-database create mode 100644 roles/pagure/upstreamfirst-frontend/files/pagure_ev.service create mode 100644 roles/pagure/upstreamfirst-frontend/files/pg_hba.conf create mode 100644 roles/pagure/upstreamfirst-frontend/files/robots.txt create mode 100644 roles/pagure/upstreamfirst-frontend/files/selinux/pagure.fc create mode 100644 roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if create mode 100644 roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp create mode 100644 roles/pagure/upstreamfirst-frontend/files/selinux/pagure.te create mode 100644 roles/pagure/upstreamfirst-frontend/files/stunnel.service create mode 100644 roles/pagure/upstreamfirst-frontend/handlers/main.yml create mode 100644 roles/pagure/upstreamfirst-frontend/tasks/main.yml create 
mode 100644 roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf create mode 100644 roles/pagure/upstreamfirst-frontend/templates/alembic.ini create mode 100644 roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi create mode 100644 roles/pagure/upstreamfirst-frontend/templates/gitolite.rc create mode 100644 roles/pagure/upstreamfirst-frontend/templates/pagure.cfg create mode 100644 roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi create mode 100644 roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2 diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index eb415612bd..ec0913d153 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -1,15 +1,14 @@ --- +############################################################ +# Persistent Cloud +############################################################ + instance_type: m1.medium image: CentOS-7-x86_64-GenericCloud-1503 keypair: fedora-admin-20130801 security_group: default # NOTE: security_group MUST contain default. zone: nova -tcp_ports: [ 22, 25, 80, 443, 9418, - # Used for the eventsource server - 8088, - # This is for the pagure public fedmsg relay - 9940] inventory_tenant: persistent inventory_instance_name: upstreamfirst 
@@ -26,25 +25,51 @@ volumes: cloud_networks: # persistent-net - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f" -# + +############################################################ +# General configuration +############################################################ + +tcp_ports: [ 22, 25, 80, 443, 9418, + # Used for the eventsource server + 8088, + # This is for the pagure public fedmsg relay + 9940] + +external_hostname: 'upstreamfirst.fedorainfracloud.org' + +############################################################ # PostgreSQL configuration -# +############################################################ shared_buffers: "2GB" effective_cache_size: "6GB" -# -# Pagure Config -# -pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" -pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" -pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" -pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" -pagure_db_host: "{{ upstreamfirst_pagure_db_host }}" -pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" -pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" -pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}" +############################################################ +# Pagure Config +############################################################ + + +new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" +new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" +new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" +new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" +new_pagure_db_host: "{{ upstreamfirst_pagure_db_host }}" +new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" +new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" +new_pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}" + +pagure_admin_email: 'tflink@fedoraproject.org' + +pagure_ssh_host_pubkey: 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC/bYFmX8pthJHcM2J85+mmN8pGJ/EJMcsdwoazihcooIBONcUazYF/BVV5/3nK7H3shq2nLR7vmdd2NuFHOPNsaAMK6nlADEg2tsKMC3UHHnwo1/iIO21pvf7+w2KIKCNIhiYA70W1aIxFBMZ7oo0VXjZ19PBwg6huAh0CBrLBP+XU4QN6LgLd87T5qMN/7g/QVqDforeoL8NUSQXMfzYNbxXPdRvMc5vbEMS/QNu5I8Ycu6FDqChnWc5Qd2orVCNreEMKwkgW27+FTpxzAnq3avotb0Cv1WuZjd8q402ldvp+ELcS8WHc+Mx41KaR//QTlSIYeX4OlcX/pl6C+Sdz' + +# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub +pagure_ssh_host_fingerprint: '2048 6b:d8:48:27:5a:11:d1:14:e0:c1:91:23:45:c7:fb:6d (RSA)' + +# awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64_ +pagure_ssh_host_sha256: 'SHA256:ggRdzg+ugyR6WIzeiuyASAdEHf+HG5yZqJJIu/YTtHI=' + stunnel_service: "eventsource" stunnel_source_port: 8088 diff --git a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml index fba8323e2d..b09d0fa24b 100644 --- a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml +++ b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml @@ -49,21 +49,21 @@ - "/srv/private/ansible/vars.yml" - "{{ vars_path }}/{{ ansible_distribution }}.yml" - pre_tasks: - - name: install fedmsg-relay - yum: pkg=fedmsg-relay state=present - tags: - - pagure - - pagure/fedmsg - - name: and start it - service: name=fedmsg-relay state=started - tags: - - pagure - - pagure/fedmsg - +# pre_tasks: +# - name: install fedmsg-relay +# yum: pkg=fedmsg-relay state=present +# tags: +# - pagure +# - pagure/fedmsg +# - name: and start it +# service: name=fedmsg-relay state=started +# tags: +# - pagure +# - pagure/fedmsg +# roles: - - pagure/frontend - - pagure/fedmsg + - pagure/upstreamfirst-frontend + # - pagure/fedmsg handlers: - include: "{{ handlers_path }}/restart_services.yml" diff --git a/roles/pagure/upstreamfirst-frontend/files/aliases b/roles/pagure/upstreamfirst-frontend/files/aliases new file mode 100644 index 0000000000..193cf3f4a7 --- /dev/null 
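Review bot: `new_pagure_secret_key` is templated from `upstreamfirst_pagure_db_admin_user`, so the application's signing key would be the database admin user name rather than a secret; the value is carried over unchanged from the removed `pagure_secret_key` line. It should reference a dedicated random value in the private vars, for example `new_pagure_secret_key: "{{ upstreamfirst_pagure_secret_key }}"` (placeholder name; no such variable is defined on this page). Separately, templates/pagure.cfg in this commit still reads `{{ pagure_secret_key }}` and `{{ pagure_secret_salt_email }}`, which this hunk renames to `new_pagure_*`. Unless another vars file defines the old names, the template will fail to render or pick up an unrelated value.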
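Review bot: Commenting out the fedmsg-relay `pre_tasks` and the `pagure/fedmsg` role leaves two leftovers elsewhere in this commit. `tcp_ports` in the host_vars still opens 9940 "for the pagure public fedmsg relay", and the service loop in the new role's tasks/main.yml still lists `fedmsg-relay` under `ignore_errors: true`, which would hide the resulting start failure. If the relay is not meant to run on this host, drop 9940 from `tcp_ports` and `fedmsg-relay` from the service list. The commented-out block could also be deleted rather than kept, since history preserves it.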
+++ b/roles/pagure/upstreamfirst-frontend/files/aliases @@ -0,0 +1,91 @@ +# +# Aliases in this file will NOT be expanded in the header from +# Mail, but WILL be visible over networks or from /bin/mail. +# +# >>>>>>>>>> The program "newaliases" must be run after +# >> NOTE >> this file is updated for any changes to +# >>>>>>>>>> show through to sendmail. +# + +# Basic system aliases -- these MUST be present. +mailer-daemon: postmaster +postmaster: sysadmin-main + +# General redirections for pseudo accounts. +bin: root +daemon: root +adm: root +lp: root +sync: root +shutdown: root +halt: root +mail: root +#news: root +uucp: root +operator: root +games: root +gopher: root +ftp: root +#nobody: root +radiusd: root +nut: root +dbus: root +vcsa: root +canna: root +wnn: root +rpm: root +nscd: root +pcap: root +apache: root +webalizer: root +dovecot: root +fax: root +quagga: root +radvd: root +pvm: root +amanda: root +privoxy: root +ident: root +named: root +xfs: root +gdm: root +mailnull: root +postgres: root +sshd: root +smmsp: root +postfix: root +netdump: root +ldap: root +squid: root +ntp: root +mysql: root +desktop: root +rpcuser: root +rpc: root +nfsnobody: root +notifications: root + +ingres: root +system: root +toor: root +manager: root +dumper: root +abuse: root +nagios: root + +newsadm: news +newsadmin: news +usenet: news +ftpadm: ftp +ftpadmin: ftp +ftp-adm: ftp +ftp-admin: ftp + +# trap decode to catch security attacks +decode: root + +# Person who should get root's mail +root: sysadmin-main + +pagure: /dev/null +reply: /dev/null diff --git a/roles/pagure/upstreamfirst-frontend/files/backup-database b/roles/pagure/upstreamfirst-frontend/files/backup-database new file mode 100644 index 0000000000..3f6e7d8fb1 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/backup-database 
@@ -0,0 +1,10 @@ +#!/bin/bash +# Backup a database *locally* to /backups/. + +DB=$1 + +# Make our latest backup +/usr/bin/pg_dump -C $DB | /usr/bin/xz > /backups/$DB-$(date +%F).dump.xz + +# Also, delete the backup from a few days ago. +rm -f /backups/$DB-$(date --date="3 days ago" +%F).dump.xz diff --git a/roles/pagure/upstreamfirst-frontend/files/pagure_ev.service b/roles/pagure/upstreamfirst-frontend/files/pagure_ev.service new file mode 100644 index 0000000000..f194b1b5cd --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/pagure_ev.service @@ -0,0 +1,15 @@ +[Unit] +Description=Pagure EventSource server (Allowing live refresh of the pages supporting it) +After=redis.target +Documentation=https://pagure.io/pagure + +[Service] +ExecStart=/usr/libexec/pagure-ev/pagure_stream_server.py +Type=simple +User=git +Group=git +Restart=on-failure +LimitNOFILE=40960 + +[Install] +WantedBy=multi-user.target diff --git a/roles/pagure/upstreamfirst-frontend/files/pg_hba.conf b/roles/pagure/upstreamfirst-frontend/files/pg_hba.conf new file mode 100644 index 0000000000..83aca29868 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/pg_hba.conf 
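Review bot: The `pg_dump ... | xz` pipeline has no failure check, so when `pg_dump` fails the script still writes a near-empty `.dump.xz` and then deletes the three-day-old backup. Add `set -euo pipefail` right after the shebang and quote the argument: `/usr/bin/pg_dump -C "$DB" | /usr/bin/xz > "/backups/$DB-$(date +%F).dump.xz"`. A missing `$1` should be rejected up front with `DB=${1:?usage: backup-database DBNAME}`, otherwise the output path degrades to `/backups/-DATE.dump.xz`.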
@@ -0,0 +1,78 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the PostgreSQL Administrator's Guide, chapter "Client +# Authentication" for a complete description. A short synopsis +# follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTION] +# host DATABASE USER CIDR-ADDRESS METHOD [OPTION] +# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION] +# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain socket, +# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an +# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", a database name, or +# a comma-separated list thereof. +# +# USER can be "all", a user name, a group name prefixed with "+", or +# a comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names from +# a separate file. +# +# CIDR-ADDRESS specifies the set of hosts the record matches. +# It is made up of an IP address and a CIDR mask that is an integer +# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies +# the number of significant bits in the mask. Alternatively, you can write +# an IP address and netmask in separate columns to specify the set of hosts. +# +# METHOD can be "trust", "reject", "md5", "crypt", "password", +# "krb5", "ident", or "pam". Note that "password" sends passwords +# in clear text; "md5" is preferred since it sends encrypted passwords. +# +# OPTION is the ident map or the name of the PAM service, depending on METHOD. 
+# +# Database and user names containing spaces, commas, quotes and other special +# characters must be quoted. Quoting one of the keywords "all", "sameuser" or +# "samerole" makes the name lose its special character, and just match a +# database or username with that name. +# +# This file is read on server startup and when the postmaster receives +# a SIGHUP signal. If you edit the file on a running system, you have +# to SIGHUP the postmaster for the changes to take effect. You can use +# "pg_ctl reload" to do that. + +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL listen +# on a non-local interface via the listen_addresses configuration parameter, +# or via the -i or -h command line switches. +# + +#@authcomment@ + +# TYPE DATABASE USER CIDR-ADDRESS METHOD + +#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only +#@remove-line-for-nolocal@local all all @authmethod@ +# IPv4 local connections: +#host all all 127.0.0.1/32 @authmethod@ +# IPv6 local connections: +#host all all ::1/128 @authmethod@ + +local all all ident +host koji koji 10.5.126.61 255.255.255.255 md5 +host all all 0.0.0.0 0.0.0.0 md5 +# Note, I can't think of a reason to make this more restrictive than ipv4 but +# only fakefas needs it so far +host all all ::1/128 md5 diff --git a/roles/pagure/upstreamfirst-frontend/files/robots.txt b/roles/pagure/upstreamfirst-frontend/files/robots.txt new file mode 100644 index 0000000000..a70291b52e --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/robots.txt @@ -0,0 +1,5 @@ +User-agent: * +Disallow: /api +Disallow: /login +Disallow: /*/raw +Crawl-Delay: 2 diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.fc b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.fc new file mode 100644 index 0000000000..e69de29bb2 
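Review bot: The record `host all all 0.0.0.0 0.0.0.0 md5` near the end of the file matches every IPv4 address for every database and user. Once PostgreSQL listens on a non-local interface, the md5 password is the only protection left. This role sets up a single-host instance, so the TCP records can be limited to loopback with `host all all 127.0.0.1/32 md5`, listing any genuinely remote client by address. The `host koji koji 10.5.126.61 255.255.255.255 md5` line and the "only fakefas needs it" comment look copied from another host's file and should be dropped if this server has no koji database; that cannot be confirmed from the diff.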
diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if new file mode 100644 index 0000000000..3eb6a3057b --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if @@ -0,0 +1 @@ +## 
diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp new file mode 100644 index 0000000000000000000000000000000000000000..a6248e701434dd597c2e25737da4ff156ec5e338 GIT binary patch literal 7261 zcmc&&OOM>R5mu7T1D!(*Vk90LnRPCUKwwLy7GsK3NU9%z z|3Z-bs{ALP9DJnMt?ua=_lzB;v}hUjASS9RynivMf?CMp4^&IV@Cm%7W#KuE2F(zI zh?4pZ*zn$Ky#0J|z_AzJTgc-t*#()!-?{XK9Z&JL=S1W21OqU{bFu*%^DU(}PP$?x zY@y_$@bE1$c8QFQjH0q@t#aH2(WJRXg=jW^xz7#G-P&a0=HsqDG5Y9EP!*8jCb2D}q`45mo;QkGn z9F6T&Jy=a}sn>Fos#A=;vCA-aCQYU^nbLLNb;f#XMQM$r+E{W3XH!!w&J?D_j)bnL zW7|sSq|p(d?;Gi2m2r*fRYgXtEj41r2hvBfu#gNsBH!?KGNn@JC~diB%ep*N5gqu_ z*s%}u2+7wq;4P$$WA~pEc+QaMo5nMgId$E6{v=ed?P%yrjqrRoEM(&n8W!B z&BC!=@dq_J)>T+(B$Zrhq3(#E9kZ^;a>;T9QO$mBEc%(SPw$iQIIN=g*C9&juk`%Y zx1k~=Ix}ykVV$mcJxY{NQK1Z3wQoaH_jyEMI_M2|E#WBw_hI99(61d5m{0Xo4mL); z)DazuT@MYbHU-tM=VYqn^>(s~D*wd5*o+NXPs3ARAfcEZbrRMKyshKa)5 z*S$Bb@UncchRdxMtt?NN4s(E!m%d?3oi!ypHv(vw<^PuMwTORY)v+D=hlH|gWbO4# z_ie7E^Yi&Uo}t2bv>1fXr2Ceu7lRMdV&m0?HP z_}Jh0MvjU}QLwI*)Law+&Z=+QZS)aaqSTJ9CqbIm;F=Tlj;l~?CsSf;J1e!%$(i76 zsfH!m6vMzeZc7}iG#B=H_ z*K(7SHHr(zKBrc>qT*Wg$}3*6ieIeIOU~(swsb`)JTHxv>{2IxCIt}S1g;Hu<7dNf z4x5g{VPhrzHa}_ROe4`sDRjXbF4M6D&%GCmc#UwM^T1>pTwWNXW&yJSoMI(ZA0p&_ zo`v}f?`Bsqhbk_WupyWOtay5i^eAUnkDkP%(gREY&KoB77_%c6thiu>*3vhqq*4ow zGEGvG)aax_|Ec?ytt`pdifv?ek4c#|JLG57(a2@P&WF4J-D|-BONci&yUJfgXyQB7 z*0h7SBWL$fIN&vV@j$q~5f1k|2zJ5>4+p;3^C+_p8y_Z@W_GWMjZX_}>C2G73-)Vf zP0sYTWa@Ckg!3M{G-X7EKpnoK&+HYGi)YeM+wY{1WzUQyQH3@Ubw24puiCPXYjmfU zy_()}j0VrP7A3nJ(P=ug!a}L-zK&b|M=vc?*ezmtq$X}mb+1bZ + src={{ private}}/files/httpd/{{ item }} dest=/etc/pki/tls/certs/{{ item }} + owner=root group=root mode=0600 + notify: restart stunnel + with_items: + - pagure.io.cert + - pagure.io.key + - pagure.io.intermediate.cert + - docs.pagure.org.crt + - docs.pagure.org.intermediate.crt + - docs.pagure.org.key + tags: + - config + - pagure + - httpd/certificate + +- name: Install the configuration file to activate https + 
template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} + owner=root group=root mode=0644 + with_items: + - 0_pagure.conf + tags: + - files + - config + - pagure + notify: + - restart apache + +- name: Install the wsgi file + template: src={{ item }} + dest=/var/www/{{ item }} + owner=git group=git mode=0644 + with_items: + - pagure.wsgi + - docs_pagure.wsgi + tags: + - config + - web + - pagure + notify: + - restart apache + +- name: Add default facl so apache can read git repos + acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present + register: acl_updates + tags: + - pagure + +- name: Manually fix current default ACLs since Ansible doesnt know recursive acls + when: acl_updates.changed + command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git + tags: + - pagure + +- name: Manually fix current ACLs since Ansible doesnt know recursive acls + when: acl_updates.changed + command: /usr/bin/setfacl -Rm user:apache:rx /srv/git + tags: + - pagure + +- name: copy over our custom selinux module + copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp + register: selinux_module + tags: + - pagure + +- name: install our custom selinux module + command: semodule -i /usr/local/share/pagure.pp + when: selinux_module|changed + tags: + - pagure + +- name: set sebooleans so pagure can talk to the network (db + redis) + seboolean: name=httpd_can_network_connect + state=true + persistent=true + tags: + - selinux + - web + - pagure + +- name: set sebooleans so apache can send emails + seboolean: name=httpd_can_sendmail + state=true + persistent=true + tags: + - selinux + - web + - pagure + + +# Ensure all the services are up and running + +- name: Start and enable httpd, postfix, pagure_milter + service: name={{ item }} enabled=yes state=started + with_items: + - httpd + - postfix + - stunnel + - redis + - pagure_ev + - pagure_ci + - pagure_loadjon + - pagure_logcom + - pagure_milter + - pagure_webhook + - fedmsg-relay + - haveged + 
ignore_errors: true + tags: + - pagure + - service + - postfix diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf new file mode 100644 index 0000000000..dfc53adbf3 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf 
@@ -0,0 +1,133 @@ +WSGISocketPrefix run/wsgi +#WSGIRestrictStdout On +WSGIRestrictSignal Off +WSGIPythonOptimize 1 +WSGIPassAuthorization On +WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=4 threads=4 inactivity-timeout=300 +WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-name=paguredocs processes=4 threads=4 inactivity-timeout=300 + +## Redirects http -> https + + + ServerName {{ external_hostname }} + Redirect permanent / https://{{ external_hostname }}/ + + + + ServerName docs.{{ external_hostname }} + Redirect permanent / https://docs.{{ external_hostname }}/ + + + + ServerName releases.{{ external_hostname }} + Redirect permanent / https://releases.{{ external_hostname }}/ + +# Added until we can get the cert out + DocumentRoot "/var/www/releases" + + + Options +Indexes + IndexOptions NameWidth=* + + + + + + +## End of redirects http -> https + + + + ServerName {{ external_hostname }} + + Alias "/robots.txt" "/var/www/html/robots.txt" + + WSGIScriptAlias / /var/www/pagure.wsgi + + ServerAdmin admin@fedoraproject.org + + SSLEngine on + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} + # Use secure TLSv1.1 and TLSv1.2 ciphers + Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + + SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert + SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert + SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key + + Alias /static /usr/lib/python2.7/site-packages/pagure/static/ + + SetEnv GIT_PROJECT_ROOT /srv/git/repositories + + AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1 + AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/repositories/$1 + ScriptAliasMatch \ + "(?x)^/(.*/(HEAD | \ + info/refs | \ + objects/info/[^/]+ | \ + git-(upload|receive)-pack))$" \ + /usr/libexec/git-core/git-http-backend/$1 + + + WSGIProcessGroup 
pagure + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order deny,allow + Allow from all + + + + + Redirect "/releases" https://releases.{{ external_hostname }} + + + + + + + ServerName docs.{{ external_hostname }} + + WSGIScriptAlias / /var/www/docs_pagure.wsgi + + SSLEngine on + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} + # Use secure TLSv1.1 and TLSv1.2 ciphers + Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + + SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert + SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert + SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key + + Alias /static /usr/lib/python2.7/site-packages/pagure/static/ + + + WSGIProcessGroup paguredocs + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order deny,allow + Allow from all + + + + + + DocumentRoot "/var/www/releases" + ServerName releases.{{ external_hostname }} + + + Options +Indexes + IndexOptions NameWidth=* + + + + diff --git a/roles/pagure/upstreamfirst-frontend/templates/alembic.ini b/roles/pagure/upstreamfirst-frontend/templates/alembic.ini new file mode 100644 index 0000000000..7daf38c633 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/alembic.ini 
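Review bot: Both TLS virtual hosts take `ServerName` from `{{ external_hostname }}` but load `/etc/pki/tls/certs/pagure.io.cert`, `pagure.io.intermediate.cert` and `pagure.io.key`. If those files really hold the pagure.io certificate, browsers and git clients will see a name mismatch on this host. Confirm which certificate is deployed and name the files after the host they serve; stunnel-conf.j2 references the same paths. The private key also sits in `/etc/pki/tls/certs/` next to the public certificates, where `/etc/pki/tls/private/` is the conventional location. The `<VirtualHost>` and `<Directory>` tags are not visible in this rendering, so the block boundaries here are inferred.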
@@ -0,0 +1,50 @@ +# A generic, single database configuration. + +[alembic] +# path to migration scripts +script_location = /usr/share/pagure/alembic + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +#sqlalchemy.url = postgresql://<%= pkgdb_app %>:<%= pkgdb_appPassword %>@db-pkgdb/pkgdb + + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S diff --git a/roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi b/roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi new file mode 100644 index 0000000000..a9f8cea973 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi 
@@ -0,0 +1,22 @@ +#-*- coding: utf-8 -*- + +# The three lines below are required to run on EL6 as EL6 has +# two possible version of python-sqlalchemy and python-jinja2 +# These lines make sure the application uses the correct version. +import __main__ +__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4'] +import pkg_resources + +import os +## Set the environment variable pointing to the configuration file +os.environ['PAGURE_CONFIG'] = '/etc/pagure/pagure.cfg' + +## The following is only needed if you did not install pagure +## as a python module (for example if you run it from a git clone). +#import sys +#sys.path.insert(0, '/path/to/pagure/') + + +## The most import line to make the wsgi working +from pagure.docs_server import APP as application +#application.debug = True diff --git a/roles/pagure/upstreamfirst-frontend/templates/gitolite.rc b/roles/pagure/upstreamfirst-frontend/templates/gitolite.rc new file mode 100644 index 0000000000..1a20d4277c --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/gitolite.rc 
@@ -0,0 +1,195 @@ +# configuration variables for gitolite + +# This file is in perl syntax. But you do NOT need to know perl to edit it -- +# just mind the commas, use single quotes unless you know what you're doing, +# and make sure the brackets and braces stay matched up! + +# (Tip: perl allows a comma after the last item in a list also!) + +# HELP for commands can be had by running the command with "-h". + +# HELP for all the other FEATURES can be found in the documentation (look for +# "list of non-core programs shipped with gitolite" in the master index) or +# directly in the corresponding source file. + +%RC = ( + + # ------------------------------------------------------------------ + + # default umask gives you perms of '0700'; see the rc file docs for + # how/why you might change this + UMASK => 0077, + + # look for "git-config" in the documentation + GIT_CONFIG_KEYS => '', + + # comment out if you don't need all the extra detail in the logfile + LOG_EXTRA => 1, + # syslog options + # 1. leave this section as is for normal gitolite logging + # 2. uncomment this line to log only to syslog: + # LOG_DEST => 'syslog', + # 3. uncomment this line to log to syslog and the normal gitolite log: + # LOG_DEST => 'syslog,normal', + + # roles. add more roles (like MANAGER, TESTER, ...) here. + # WARNING: if you make changes to this hash, you MUST run 'gitolite + # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE' + ROLES => { + READERS => 1, + WRITERS => 1, + }, + + # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!! 
+ # CACHE => 'Redis', + + # ------------------------------------------------------------------ + + # rc variables used by various features + + # the 'info' command prints this as additional info, if it is set + # SITE_INFO => 'Please see http://blahblah/gitolite for more help', + + # the CpuTime feature uses these + # display user, system, and elapsed times to user after each git operation + # DISPLAY_CPU_TIME => 1, + # display a warning if total CPU times (u, s, cu, cs) crosses this limit + # CPU_TIME_WARN_LIMIT => 0.1, + + # the Mirroring feature needs this + # HOSTNAME => "foo", + + # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING! + # CACHE_TTL => 600, + + # ------------------------------------------------------------------ + + # suggested locations for site-local gitolite code (see cust.html) + + # this one is managed directly on the server + # LOCAL_CODE => "$ENV{HOME}/local", + + # or you can use this, which lets you put everything in a subdirectory + # called "local" in your gitolite-admin repo. For a SECURITY WARNING + # on this, see http://gitolite.com/gitolite/non-core.html#pushcode + # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local", + + # ------------------------------------------------------------------ + + # List of commands and features to enable + + ENABLE => [ + + # COMMANDS + + # These are the commands enabled by default + 'help', + 'desc', + 'info', + 'perms', + 'writable', + + # Uncomment or add new commands here. + # 'create', + # 'fork', + # 'mirror', + # 'readme', + # 'sskm', + # 'D', + + # These FEATURES are enabled by default. 
+ + # essential (unless you're using smart-http mode) + 'ssh-authkeys', + + # creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz' + 'git-config', + + # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out + 'daemon', + + # creates projects.list file; if you don't use gitweb, comment this out + #'gitweb', + + # These FEATURES are disabled by default; uncomment to enable. If you + # need to add new ones, ask on the mailing list :-) + + # user-visible behaviour + + # prevent wild repos auto-create on fetch/clone + # 'no-create-on-read', + # no auto-create at all (don't forget to enable the 'create' command!) + # 'no-auto-create', + + # access a repo by another (possibly legacy) name + # 'Alias', + + # give some users direct shell access. See documentation in + # sts.html for details on the following two choices. + # "Shell $ENV{HOME}/.gitolite.shell-users", + # 'Shell alice bob', + + # set default roles from lines like 'option default.roles-1 = ...', etc. + # 'set-default-roles', + + # show more detailed messages on deny + # 'expand-deny-messages', + + # show a message of the day + # 'Motd', + + # system admin stuff + + # enable mirroring (don't forget to set the HOSTNAME too!) + # 'Mirroring', + + # allow people to submit pub files with more than one key in them + # 'ssh-authkeys-split', + + # selective read control hack + # 'partial-copy', + + # manage local, gitolite-controlled, copies of read-only upstream repos + # 'upstream', + + # updates 'description' file instead of 'gitweb.description' config item + # 'cgit', + + # allow repo-specific hooks to be added + # 'repo-specific-hooks', + + # performance, logging, monitoring... 
+ + # be nice + # 'renice 10', + + # log CPU times (user, system, cumulative user, cumulative system) + # 'CpuTime', + + # syntactic_sugar for gitolite.conf and included files + + # allow backslash-escaped continuation lines in gitolite.conf + # 'continuation-lines', + + # create implicit user groups from directory names in keydir/ + # 'keysubdirs-as-groups', + + # allow simple line-oriented macros + # 'macros', + + # Kindergarten mode + + # disallow various things that sensible people shouldn't be doing anyway + # 'Kindergarten', + ], + +); + +# ------------------------------------------------------------------------------ +# per perl rules, this should be the last line in such a file: +1; + +# Local variables: +# mode: perl +# End: +# vim: set syn=perl: diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg new file mode 100644 index 0000000000..a536202776 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg 
@@ -0,0 +1,233 @@ +from datetime import timedelta + +### Set the time after which the admin session expires +# There are two sessions on pagure, login that holds for 31 days and +# the session defined here after which an user has to re-login. +# This session is used when accessing all administrative parts of pagure +# (ie: changing a project's or a user's settings) +ADMIN_SESSION_LIFETIME = timedelta(minutes=20) + +# Make the CSRF token not-time limited, this way it is valid for the entire +# duration of the session. +WTF_CSRF_TIME_LIMIT=None + +### Secret key for the Flask application +SECRET_KEY='{{ pagure_secret_key }}' +SALT_EMAIL='{{ pagure_secret_salt_email }}' + +EMAIL_SEND = True + +# This is required so that login specifies https +PREFERRED_URL_SCHEME='https' + +### url to the database server: +#DB_URL=mysql://user:pass@host/db_name +#DB_URL=postgres://user:pass@host/db_name +DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}@{{ new_pagure_db_host }}/{{ new_pagure_db_name }}' + +### The FAS group in which the admin of pagure are +ADMIN_GROUP = ['sysadmin-main'] + +### The email address to which the flask.log will send the errors (tracebacks) +EMAIL_ERROR = '{{ pagure_admin_email }}' + +### Default SMTP server to use for sending emails +SMTP_SERVER = 'localhost' + +### Email used to sent emails +FROM_EMAIL = 'pagure@{{ external_hostname }}' +DOMAIN_EMAIL_NOTIFICATIONS = '{{ external_hostname }}' + +### The URL at which the project is available. +APP_URL = 'https://{{ external_hostname }}/' +DOC_APP_URL = 'https://docs.{{ external_hostname }}' + +### Datagrepper info for the user profile +DATAGREPPER_URL = 'https://apps.fedoraproject.org/datagrepper' +DATAGREPPER_CATEGORY = 'pagure' + +### The URL to use to clone git repositories. 
+GIT_URL_SSH = 'ssh://git@{{ external_hostname }}/' +GIT_URL_GIT = 'https://{{ external_hostname }}/' + +### The IP addresses allowed for the internal endpoints +IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1', '{{ public_ip }}'] + +# Redis configuration +EVENTSOURCE_SOURCE = 'https://{{ external_hostname }}:8088' +REDIS_HOST = '0.0.0.0' +REDIS_PORT = 6379 +REDIS_DB = 0 + +EV_STATS_PORT = '8888' + +WEBHOOK = True + +### Folder containing to the git repos +GIT_FOLDER = '/srv/git/repositories' + +### Folder containing the forks repos +FORK_FOLDER = '/srv/git/repositories/forks' + +### Folder containing the docs repos +DOCS_FOLDER = '/srv/git/repositories/docs' + +### Folder containing the pull-requests repos +REQUESTS_FOLDER = '/srv/git/repositories/requests' + +### Folder containing the tickets repos +TICKETS_FOLDER = '/srv/git/repositories/tickets' + +### Folder containing the clones of the remotes git repo +REMOTE_GIT_FOLDER = '/srv/git/remotes' + +### Configuration file for gitolite +GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf' + +### Path of the release folder +UPLOAD_FOLDER_URL = 'https://releases.{{ external_hostname }}/' +UPLOAD_FOLDER_PATH = '/var/www/releases/' + + +### Home folder of the gitolite user +### Folder where to run gl-compile-conf from +GITOLITE_HOME = '/srv/git/' + +### Folder containing all the public ssh keys for gitolite +GITOLITE_KEYDIR = '/srv/git/.gitolite/keydir/' + +### Path to the gitolite.rc file +GL_RC = '/srv/git/.gitolite.rc' + +### Path to the /bin directory where the gitolite tools can be found +GL_BINDIR = '/usr/bin/' + + +### Temp folder to be used to make the clones to work around bug in libgit2: +## refs: https://github.com/libgit2/libgit2/issues/2965 +## and https://github.com/libgit2/libgit2/issues/2797 +TMP_FOLDER = '/srv/tmp' + +# Optional configuration + +### Number of items displayed per page +# Used when listing items +ITEM_PER_PAGE = 50 + +### Maximum size of the uploaded content +# Used to limit 
the size of file attached to a ticket for example +MAX_CONTENT_LENGTH = 60 * 1024 * 1024 # 60 megabytes + +### Lenght for short commits ids or file hex +SHORT_LENGTH = 7 + +### List of blacklisted project names that can conflicts for pagure's URLs +### or other +BLACKLISTED_PROJECTS = [ + 'static', 'pv', 'releases', 'new', 'api', 'settings', + 'logout', 'login', 'users', 'groups', 'projects', 'ssh_info' + 'issues', 'pull-requests', 'commits', 'tree', 'forks', +] + +DISABLED_PLUGINS = ['IRC'] + + +# Authentication related configuration option + +### Switch the authentication method +# Specify which authentication method to use, defaults to `fas` can be or +# `local` +# Default: ``fas``. +PAGURE_AUTH = 'openid' + +# When this is set to True, the session cookie will only be returned to the +# server via ssl (https). If you connect to the server via plain http, the +# cookie will not be sent. This prevents sniffing of the cookie contents. +# This may be set to False when testing your application but should always +# be set to True in production. +# Default: ``True``. +SESSION_COOKIE_SECURE = True + +# The name of the cookie used to store the session id. +# Default: ``.pagure``. +SESSION_COOKIE_NAME = 'pagure' + +# Boolean specifying wether to check the user's IP address when retrieving +# its session. This make things more secure (thus is on by default) but +# under certain setup it might not work (for example is there are proxies +# in front of the application). +CHECK_SESSION_IP = True + +# Used by SESSION_COOKIE_PATH +APPLICATION_ROOT = '/' + +# Set the SSH certs/keys +{% if env == 'pagure-staging' %} +SSH_KEYS = { + 'RSA': { + 'fingerprint': '2048 69:50:46:24:c7:94:44:f8:8d:83:05:5c:eb:73:fb:c4 (RSA)', + 'pubkey': '{{ external_hostname }},{{ public_ip }} {{ pagure_ssh_host_pubkey }}', + 'SHA256': '{{ pagure_ssh_host_sha256 }}', + } +} + +# Allow the backward compatiblity endpoints for the old URLs schema to +# see the commits of a repo. 
This is only interesting if you pagure instance +# was running since before version 1.3 and if you care about backward +# compatibility in your URLs. +OLD_VIEW_COMMIT_ENABLED = False + +#PAGURE_CI_SERVICES=['jenkins'] +PAGURE_CI_SERVICES=[] + +LOGGING = { + 'version': 1, + 'disable_existing_loggers': False, + 'formatters': { + 'standard': { + 'format': '%(asctime)s [%(levelname)s] %(name)s: %(message)s' + }, + }, + 'handlers': { + 'console': { + 'level': 'INFO', + 'formatter': 'standard', + 'class': 'logging.StreamHandler', + 'stream': 'ext://sys.stdout', + }, + }, + # The root logger configuration; this is a catch-all configuration + # that applies to all log messages not handled by a different logger + 'root': { + 'level': 'INFO', + 'handlers': ['console'], + }, + 'loggers': { + 'pagure': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': True + }, + 'pagure.lib.encoding_utils': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': False + }, + 'flask': { + 'handlers': ['console'], + 'level': 'INFO', + 'propagate': False + }, + 'sqlalchemy': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': False + }, + 'binaryornot': { + 'handlers': ['console'], + 'level': 'WARN', + 'propagate': True + }, + } +} + diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi b/roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi new file mode 100644 index 0000000000..b04abac4d8 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi 
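Review bot: In `BLACKLISTED_PROJECTS` there is no comma after `'ssh_info'`, so Python joins it with the next literal into `'ssh_infoissues'` and neither `ssh_info` nor `issues` is actually reserved. The line should read `'logout', 'login', 'users', 'groups', 'projects', 'ssh_info',`. In `SSH_KEYS`, the RSA `fingerprint` is a hard-coded `2048 69:50:46:...` value, while the host_vars in this commit define `pagure_ssh_host_fingerprint` as `2048 6b:d8:48:...`. Users checking the published fingerprint against the real host key would see a mismatch, so use `'fingerprint': '{{ pagure_ssh_host_fingerprint }}',` like the neighbouring `pubkey` and `SHA256` entries. `REDIS_HOST = '0.0.0.0'` also deserves a comment, or a change to `127.0.0.1` if Redis runs on this host, which the role's service list suggests but this hunk does not state.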
@@ -0,0 +1,28 @@ +#-*- coding: utf-8 -*- + +# The three lines below are required to run on EL6 as EL6 has +# two possible version of python-sqlalchemy and python-jinja2 +# These lines make sure the application uses the correct version. +import __main__ +__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4'] +import pkg_resources + +import os +## Set the environment variable pointing to the configuration file +os.environ['PAGURE_CONFIG'] = '/etc/pagure/pagure.cfg' + +## Set the environment variable if the tmp folder needs to be moved +## Is necessary to work around bug in libgit2: +## refs: https://github.com/libgit2/libgit2/issues/2965 +## and https://github.com/libgit2/libgit2/issues/2797 +os.environ['TEMP'] = '/srv/tmp/' + +## The following is only needed if you did not install pagure +## as a python module (for example if you run it from a git clone). +#import sys +#sys.path.insert(0, '/path/to/pagure/') + + +## The most import line to make the wsgi working +from pagure import APP as application +#application.debug = True diff --git a/roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2 b/roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2 new file mode 100644 index 0000000000..6dcf68a09d --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2 @@ -0,0 +1,8 @@ +cert = /etc/pki/tls/certs/pagure.io.cert +key = /etc/pki/tls/certs/pagure.io.key +pid = /var/run/stunnel.pid + +[{{ stunnel_service }}] + +accept = {{ stunnel_source_port }} +connect = {{ stunnel_destination_port }} From 4bda987973afbfe7f5e729f81e048e8acdf90063 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Wed, 17 May 2017 20:10:31 +0000 Subject: [PATCH 172/308] removing extra if block start from template --- roles/pagure/upstreamfirst-frontend/templates/pagure.cfg | 1 - 1 file changed, 1 deletion(-) 
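Review bot: The `[{{ stunnel_service }}]` section of stunnel-conf.j2 sets only `accept` and `connect`, so the protocol versions and ciphers offered on the source port are whatever the installed stunnel defaults to, and the daemon keeps the privileges it was started with. I would set the global `setuid` and `setgid` options to an unprivileged account and pin the service's `sslVersion` and `ciphers` to the same policy as the httpd vhosts, for example `sslVersion = TLSv1.2` if the eventsource clients allow it. The private key is read from `/etc/pki/tls/certs/pagure.io.key`; the template cannot enforce its mode, so whichever task installs the key has to keep it readable by root only.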
diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg index a536202776..143fd7426b 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg @@ -162,7 +162,6 @@ CHECK_SESSION_IP = True APPLICATION_ROOT = '/' # Set the SSH certs/keys -{% if env == 'pagure-staging' %} SSH_KEYS = { 'RSA': { 'fingerprint': '2048 69:50:46:24:c7:94:44:f8:8d:83:05:5c:eb:73:fb:c4 (RSA)', From e8031b1f65218388144948ec7b8a64504c2d285b Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Wed, 17 May 2017 20:24:09 +0000 Subject: [PATCH 173/308] trying to get a local non-network postgresql connection --- roles/pagure/upstreamfirst-frontend/templates/pagure.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg index 143fd7426b..5377594b42 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg @@ -23,7 +23,8 @@ PREFERRED_URL_SCHEME='https' ### url to the database server: #DB_URL=mysql://user:pass@host/db_name #DB_URL=postgres://user:pass@host/db_name -DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}@{{ new_pagure_db_host }}/{{ new_pagure_db_name }}' +# removing host for local postgres connection +DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}/{{ new_pagure_db_name }}' ### The FAS group in which the admin of pagure are ADMIN_GROUP = ['sysadmin-main'] From 9174ff534af9bc1787cd8562bc4adedb730396a0 Mon Sep 17 00:00:00 2001 
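Review bot: The new `DB_URL` drops the `@` along with the host, leaving `postgresql://user:pass/db`, in which the part before the slash is most likely no longer read as credentials. For a local socket connection the URL keeps the separator with an empty host: `DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}@/{{ new_pagure_db_name }}'`. The password is also interpolated raw, so a value containing `@`, `/` or `:` would change how the URL is parsed; passing it through Jinja's `urlencode` filter avoids that. The rest of pagure.cfg is outside this hunk.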
From: Tim Flink Date: Wed, 17 May 2017 20:27:49 +0000 Subject: [PATCH 174/308] specifying local db connection correctly --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 2 +- roles/pagure/upstreamfirst-frontend/templates/pagure.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index ec0913d153..e07f6f6dd5 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -55,7 +55,7 @@ new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" -new_pagure_db_host: "{{ upstreamfirst_pagure_db_host }}" +new_pagure_db_host: "" new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}" diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg index 5377594b42..bc65629cc9 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg @@ -24,7 +24,7 @@ PREFERRED_URL_SCHEME='https' #DB_URL=mysql://user:pass@host/db_name #DB_URL=postgres://user:pass@host/db_name # removing host for local postgres connection -DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}/{{ new_pagure_db_name }}' +DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}@{{ new_pagure_db_host }}/{{ new_pagure_db_name }}' ### The FAS group in which the admin of pagure are ADMIN_GROUP = ['sysadmin-main'] From 55975911939cdf290e0e5a0fe2e401dba22c27bf Mon Sep 17 00:00:00 2001 
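Review bot: The context line `new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}"` in the host_vars hunk assigns the database admin account name to what looks like the application's secret key. If this variable feeds the Flask `SECRET_KEY` in pagure.cfg (that part of the template is not in the hunk), session cookies would be signed with a short, guessable value that doubles as a login name. It should reference a dedicated random secret from the private vars, `new_pagure_secret_key: "{{ <private secret-key variable> }}"`. The same line reappears unchanged in the later host_vars hunks of this series.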
From: Tim Flink Date: Wed, 17 May 2017 20:42:29 +0000 Subject: [PATCH 175/308] putting pgsql host back into config --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index e07f6f6dd5..ec0913d153 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -55,7 +55,7 @@ new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" -new_pagure_db_host: "" +new_pagure_db_host: "{{ upstreamfirst_pagure_db_host }}" new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}" From 600bde4aac0497b7fbae1eb8d4d756d4df296c12 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 17 May 2017 22:01:56 +0000 Subject: [PATCH 176/308] try 2 more threads here --- roles/mirrormanager/frontend2/templates/mirrormanager.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mirrormanager/frontend2/templates/mirrormanager.conf b/roles/mirrormanager/frontend2/templates/mirrormanager.conf index 89e8da075a..de4b3a41d2 100644 --- a/roles/mirrormanager/frontend2/templates/mirrormanager.conf +++ b/roles/mirrormanager/frontend2/templates/mirrormanager.conf 
@@ -5,7 +5,7 @@ Alias /mirrormanager/crawler /var/log/mirrormanager/crawler Alias /mirrormanager/data /var/www/mirrormanager-statistics/data Alias /mirrormanager/map /var/www/mirrormanager-statistics/map -WSGIDaemonProcess mirrormanager user=apache maximum-requests=100 display-name=mirrormanager processes=2 threads=2 +WSGIDaemonProcess mirrormanager user=apache maximum-requests=100 display-name=mirrormanager processes=2 threads=4 WSGISocketPrefix run/wsgi WSGIRestrictStdout On WSGIRestrictSignal Off From 07b1ccd40a2fff1f5246c43238b801ab069643de Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 17 May 2017 23:16:25 +0000 Subject: [PATCH 177/308] add sysadmin-secondary sudo to all secondary bits. ticket 6054 --- inventory/buildaarch64 | 2 ++ inventory/group_vars/buildppc | 2 +- inventory/group_vars/buildppcle | 2 +- inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org | 1 + inventory/host_vars/compose-ppc64-01.ppc.fedoraproject.org | 2 ++ inventory/host_vars/compose-ppc64le-01.ppc.fedoraproject.org | 2 ++ inventory/host_vars/compose-s390-01.s390.fedoraproject.org | 2 ++ inventory/host_vars/db-ppc-koji01.ppc.fedoraproject.org | 2 +- 8 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 inventory/buildaarch64 diff --git a/inventory/buildaarch64 b/inventory/buildaarch64 new file mode 100644 index 0000000000..7a1af647fa --- /dev/null +++ b/inventory/buildaarch64 @@ -0,0 +1,2 @@ +--- +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" diff --git a/inventory/group_vars/buildppc b/inventory/group_vars/buildppc index 711b66838a..53dfc80057 100644 --- a/inventory/group_vars/buildppc +++ b/inventory/group_vars/buildppc 
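Review bot: `inventory/buildaarch64` is created at the top of `inventory/`, while every other file touched for this sudo change lives under `inventory/group_vars/` or `inventory/host_vars/`. In that location Ansible will not load it as variables for the `buildaarch64` group, so the `sudoers:` value is probably never applied and those builders keep whatever sudo policy they had before. Moving the two lines to `inventory/group_vars/buildaarch64` would make the intended policy take effect.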
@@ -17,7 +17,7 @@ virt_install_command: "{{ virt_install_command_one_nic }} --graphics none" # the host_vars/$hostname file host_group: kojibuilder fas_client_groups: sysadmin-releng,sysadmin-secondary -sudoers: "{{ private }}/files/sudo/00releng-sudoers" +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" koji_hub_nfs: "fedora_ppc/data" koji_server_url: "https://ppc.koji.fedoraproject.org/kojihub" diff --git a/inventory/group_vars/buildppcle b/inventory/group_vars/buildppcle index 2067d3372f..8ef031bc9a 100644 --- a/inventory/group_vars/buildppcle +++ b/inventory/group_vars/buildppcle @@ -17,7 +17,7 @@ virt_install_command: "{{ virt_install_command_one_nic }} --graphics none" # the host_vars/$hostname file host_group: kojibuilder fas_client_groups: sysadmin-releng,sysadmin-secondary -sudoers: "{{ private }}/files/sudo/00releng-sudoers" +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" koji_hub_nfs: "fedora_ppc/data" koji_server_url: "https://ppc.koji.fedoraproject.org/kojihub" diff --git a/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org b/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org index 10192d8d98..cfca08f267 100644 --- a/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org +++ b/inventory/host_vars/buildvm-s390-01.s390.fedoraproject.org @@ -16,3 +16,4 @@ ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-25 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Everything/x86_64/os/ virt_install_command: "{{ virt_install_command_one_nic }}" +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" diff --git a/inventory/host_vars/compose-ppc64-01.ppc.fedoraproject.org b/inventory/host_vars/compose-ppc64-01.ppc.fedoraproject.org index 215e3ff118..91899e723d 100644 --- a/inventory/host_vars/compose-ppc64-01.ppc.fedoraproject.org +++ b/inventory/host_vars/compose-ppc64-01.ppc.fedoraproject.org 
@@ -18,3 +18,5 @@ kojihub_scheme: https koji_server_url: "https://ppc.koji.fedoraproject.org/kojihub" koji_weburl: "https://ppc.koji.fedoraproject.org/koji" koji_topurl: "https://ppcpkgs.fedoraproject.org/" + +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" diff --git a/inventory/host_vars/compose-ppc64le-01.ppc.fedoraproject.org b/inventory/host_vars/compose-ppc64le-01.ppc.fedoraproject.org index 036b8e7357..2388b613ce 100644 --- a/inventory/host_vars/compose-ppc64le-01.ppc.fedoraproject.org +++ b/inventory/host_vars/compose-ppc64le-01.ppc.fedoraproject.org @@ -18,3 +18,5 @@ kojihub_scheme: https koji_server_url: "https://arm.koji.fedoraproject.org/kojihub" koji_weburl: "https://arm.koji.fedoraproject.org/koji" koji_topurl: "https://armpkgs.fedoraproject.org/" + +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" diff --git a/inventory/host_vars/compose-s390-01.s390.fedoraproject.org b/inventory/host_vars/compose-s390-01.s390.fedoraproject.org index 626b574389..75297acabf 100644 --- a/inventory/host_vars/compose-s390-01.s390.fedoraproject.org +++ b/inventory/host_vars/compose-s390-01.s390.fedoraproject.org @@ -20,3 +20,5 @@ kojihub_scheme: https koji_server_url: "https://s390.koji.fedoraproject.org/kojihub" koji_weburl: "https://s390.koji.fedoraproject.org/koji" koji_topurl: "https://s390pkgs.fedoraproject.org/" + +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" diff --git a/inventory/host_vars/db-ppc-koji01.ppc.fedoraproject.org b/inventory/host_vars/db-ppc-koji01.ppc.fedoraproject.org index 64f2d3c4d8..c2d4de90a2 100644 --- a/inventory/host_vars/db-ppc-koji01.ppc.fedoraproject.org +++ b/inventory/host_vars/db-ppc-koji01.ppc.fedoraproject.org 
@@ -22,7 +22,7 @@ dbs_to_backup: - koji fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-releng,sysadmin-veteran -sudoers: "{{ private }}/files/sudo/00releng-sudoers" +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" # These are normally group variables, but in this case db servers are often different lvm_size: 500000 From 2f67682b2e28038c41522222679940fd76d303ea Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 17 May 2017 23:17:54 +0000 Subject: [PATCH 178/308] drop duplicate security groups define --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 1 - 1 file changed, 1 deletion(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index ec0913d153..268bf057f8 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -7,7 +7,6 @@ instance_type: m1.medium image: CentOS-7-x86_64-GenericCloud-1503 keypair: fedora-admin-20130801 -security_group: default # NOTE: security_group MUST contain default. zone: nova inventory_tenant: persistent From c2749db33200bce6f99cefe39750130c84b5d44a Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 14:40:21 +0000 Subject: [PATCH 179/308] creating database and user for pagure db --- roles/pagure/upstreamfirst-frontend/tasks/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/pagure/upstreamfirst-frontend/tasks/main.yml b/roles/pagure/upstreamfirst-frontend/tasks/main.yml index df0f438bc9..a6ce456144 100644 --- a/roles/pagure/upstreamfirst-frontend/tasks/main.yml +++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml 
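Review bot: On `db-ppc-koji01` the `sudoers` file switches to `sysadmin-secondary-sudoers`, but the `fas_client_groups` line directly above it still lists `sysadmin-dba,sysadmin-noc,sysadmin-releng,sysadmin-veteran` and not `sysadmin-secondary`. If accounts on the host are created from `fas_client_groups`, the group the new sudoers file is written for has no users here, and the groups that do have accounts may lose the rules `00releng-sudoers` gave them. The sudoers files sit in the private tree and are not visible, so this needs checking against their contents; if the secondary admins are meant to log in, the group has to be added, `fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-releng,sysadmin-veteran,sysadmin-secondary`. The buildvm-s390 and compose-* hunks of this commit add the same `sudoers` line without showing a `fas_client_groups` value, so the same check applies there.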
@@ -208,6 +208,18 @@ notify: - restart apache +- name: create pagure database + delegate_to: "{{ new_pagure_db_host }}" + become: true + become_user: postgres + postgresql_db: db={{ new_pagure_db_name }} + +- name: ensure pagure db user has access to database + delegate_to: "{{ new_pagure_db_host }}" + become: true + become_user: postgres + postgresql_user: db={{ new_pagure_db_name }} user={{ new_pagure_db_user }} password={{ new_pagure_db_password }} role_attr_flags=NOSUPERUSER + - name: create the database scheme command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py changed_when: "1 != 1" From f3905e09defc1654efbdaa62b62b670dd94c9466 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 14:45:08 +0000 Subject: [PATCH 180/308] adding tags I forgot to the pagure role changes --- roles/pagure/upstreamfirst-frontend/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/pagure/upstreamfirst-frontend/tasks/main.yml b/roles/pagure/upstreamfirst-frontend/tasks/main.yml index a6ce456144..debdfd3b4f 100644 --- a/roles/pagure/upstreamfirst-frontend/tasks/main.yml +++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml @@ -213,12 +213,18 @@ become: true become_user: postgres postgresql_db: db={{ new_pagure_db_name }} + tags: + - web + - pagure - name: ensure pagure db user has access to database delegate_to: "{{ new_pagure_db_host }}" become: true become_user: postgres postgresql_user: db={{ new_pagure_db_name }} user={{ new_pagure_db_user }} password={{ new_pagure_db_password }} role_attr_flags=NOSUPERUSER + tags: + - web + - pagure - name: create the database scheme command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py From b3abdd35c3383d63f7a7112d2aeee3578df4ee7a Mon Sep 17 00:00:00 2001 
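Review bot: The `postgresql_user` task passes `password={{ new_pagure_db_password }}` on a key=value line without `no_log`, so depending on the Ansible version the database password can appear in verbose output and logged task arguments, and a password containing a space or `=` would be split into the wrong arguments. Writing the arguments as a YAML mapping and adding `no_log: true` addresses both. The variable is spelled `new_pagure_db_password` here while the host_vars hunks earlier in the series define `new_pagure_db_pass`, so the task fails on an undefined variable until the names agree.

```yaml
- name: ensure pagure db user has access to database
  # … unchanged: delegate_to, become, become_user …
  postgresql_user:
    db: "{{ new_pagure_db_name }}"
    user: "{{ new_pagure_db_user }}"
    password: "{{ new_pagure_db_pass }}"
    role_attr_flags: NOSUPERUSER
  no_log: true
```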
From: Tim Flink Date: Thu, 18 May 2017 14:46:54 +0000 Subject: [PATCH 181/308] changing db host so that delegation of postgres commands works --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index 268bf057f8..5e164da4fb 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -7,6 +7,7 @@ instance_type: m1.medium image: CentOS-7-x86_64-GenericCloud-1503 keypair: fedora-admin-20130801 +security_group: default # NOTE: security_group MUST contain default. zone: nova inventory_tenant: persistent @@ -54,7 +55,7 @@ new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" -new_pagure_db_host: "{{ upstreamfirst_pagure_db_host }}" +new_pagure_db_host: "{{ inventory_hostname }}" new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}" From 429dad577bf02c5b12a9cdb4485ca198589089a4 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 14:48:13 +0000 Subject: [PATCH 182/308] changing variable name so that it matches role --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index 5e164da4fb..38c7f60ca8 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org 
@@ -54,7 +54,7 @@ effective_cache_size: "6GB" new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" -new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" +new_pagure_db_password: "{{ upstreamfirst_pagure_db_pass }}" new_pagure_db_host: "{{ inventory_hostname }}" new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" From d3345b5ba25f04ee15b398317bc6e0462f15a18e Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 14:49:18 +0000 Subject: [PATCH 183/308] it helps if all the var names match --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 2 +- roles/pagure/upstreamfirst-frontend/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index 38c7f60ca8..5e164da4fb 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -54,7 +54,7 @@ effective_cache_size: "6GB" new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" -new_pagure_db_password: "{{ upstreamfirst_pagure_db_pass }}" +new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" new_pagure_db_host: "{{ inventory_hostname }}" new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" diff --git a/roles/pagure/upstreamfirst-frontend/tasks/main.yml b/roles/pagure/upstreamfirst-frontend/tasks/main.yml index debdfd3b4f..db5597c109 100644 --- a/roles/pagure/upstreamfirst-frontend/tasks/main.yml +++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml 
@@ -221,7 +221,7 @@ delegate_to: "{{ new_pagure_db_host }}" become: true become_user: postgres - postgresql_user: db={{ new_pagure_db_name }} user={{ new_pagure_db_user }} password={{ new_pagure_db_password }} role_attr_flags=NOSUPERUSER + postgresql_user: db={{ new_pagure_db_name }} user={{ new_pagure_db_user }} password={{ new_pagure_db_pass }} role_attr_flags=NOSUPERUSER tags: - web - pagure From 17a44d5b2fa1b8ff8fe575a85411465551877808 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 16:07:49 +0000 Subject: [PATCH 184/308] fixing db command delegation to play nice with pg_hba --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 9 ++++++++- roles/pagure/upstreamfirst-frontend/tasks/main.yml | 4 ++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index 5e164da4fb..2c8aae52d5 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -55,7 +55,14 @@ new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}" -new_pagure_db_host: "{{ inventory_hostname }}" + +# there are two db hosts here to work around the pg_hba that's in postgres_server +# we need to delegate postgres admin commands to a host that is remote from where +# this playbook is run but have to use localhost for the application to run in the +# case where we're using a local postgres instance +new_pagure_db_host: "127.0.0.1" +new_pagure_db_command_host: "{{ inventory_hostname }}" + new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}" 
diff --git a/roles/pagure/upstreamfirst-frontend/tasks/main.yml b/roles/pagure/upstreamfirst-frontend/tasks/main.yml index db5597c109..ba1441dfcc 100644 --- a/roles/pagure/upstreamfirst-frontend/tasks/main.yml +++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml @@ -209,7 +209,7 @@ - restart apache - name: create pagure database - delegate_to: "{{ new_pagure_db_host }}" + delegate_to: "{{ new_pagure_db_command_host }}" become: true become_user: postgres postgresql_db: db={{ new_pagure_db_name }} @@ -218,7 +218,7 @@ - pagure - name: ensure pagure db user has access to database - delegate_to: "{{ new_pagure_db_host }}" + delegate_to: "{{ new_pagure_db_command_host }}" become: true become_user: postgres postgresql_user: db={{ new_pagure_db_name }} user={{ new_pagure_db_user }} password={{ new_pagure_db_pass }} role_attr_flags=NOSUPERUSER From e3ab9901ae857465edf921766e0c01a31da3fd90 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 16:18:55 +0000 Subject: [PATCH 185/308] removing pagure.io certs, enabling letsencrypt --- .../upstreamfirst.fedorainfracloud.org.yml | 1 + .../upstreamfirst-frontend/tasks/main.yml | 17 ------------- .../templates/0_pagure.conf | 25 ++++++++++++++----- 3 files changed, 20 insertions(+), 23 deletions(-) diff --git a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml index b09d0fa24b..5b92522d44 100644 --- a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml +++ b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml @@ -30,6 +30,7 @@ - sudo - collectd/base - postgresql_server + - certbot tasks: - include: "{{ tasks_path }}/yumrepos.yml" diff --git a/roles/pagure/upstreamfirst-frontend/tasks/main.yml b/roles/pagure/upstreamfirst-frontend/tasks/main.yml index ba1441dfcc..513c254ed4 100644 --- a/roles/pagure/upstreamfirst-frontend/tasks/main.yml +++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml 
@@ -235,23 +235,6 @@ - web - pagure -- name: Install the SSL cert so that we can use https - copy: > - src={{ private}}/files/httpd/{{ item }} dest=/etc/pki/tls/certs/{{ item }} - owner=root group=root mode=0600 - notify: restart stunnel - with_items: - - pagure.io.cert - - pagure.io.key - - pagure.io.intermediate.cert - - docs.pagure.org.crt - - docs.pagure.org.intermediate.crt - - docs.pagure.org.key - tags: - - config - - pagure - - httpd/certificate - - name: Install the configuration file to activate https template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root mode=0644 diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf index dfc53adbf3..83c32fc643 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf +++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf @@ -9,16 +9,22 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na ## Redirects http -> https + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] ServerName {{ external_hostname }} Redirect permanent / https://{{ external_hostname }}/ + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] ServerName docs.{{ external_hostname }} Redirect permanent / https://docs.{{ external_hostname }}/ + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] ServerName releases.{{ external_hostname }} Redirect permanent / https://releases.{{ external_hostname }}/ 
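Review bot: The added `RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]` exempts everything under `/.well-known/` from the HTTPS redirect, although only the ACME challenge files need to be served over plain HTTP. Narrowing the pattern keeps the exception to what certbot writes: `RewriteRule ^/\.well-known/acme-challenge/(.*) /srv/web/acme-challenge/.well-known/acme-challenge/$1 [L]`. No access grant for `/srv/web/acme-challenge` is visible in this hunk, so it is worth confirming that one exists and that it turns off indexes and overrides. The same rule is repeated for the docs and releases hosts in this hunk.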
@@ -52,9 +58,12 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" - SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert - SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert - SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key + SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2 Alias /static /usr/lib/python2.7/site-packages/pagure/static/ @@ -100,9 +109,13 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" - SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert - SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert - SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key + + SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2 Alias /static /usr/lib/python2.7/site-packages/pagure/static/ From a0c18f9c25e2ab63fdbc4990638d6c0685077447 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 18 May 2017 16:39:04 +0000 Subject: [PATCH 186/308] Add iptables rule for nrpe monitoring --- playbooks/groups/os-cluster.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
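Review bot: `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL` combined with `SSLHonorCipherOrder On` makes RC4 the server's first choice, and `SSLProtocol ALL -SSLv2` leaves SSLv3 enabled, which contradicts the comment above it about TLSv1.1 and TLSv1.2 ciphers. I would change these to `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES`, or whatever cipher policy the other Fedora vhosts already use. `SSLCertificateChainFile` points at `fullchain.pem`, which repeats the leaf certificate; with `cert.pem` as the certificate file, certbot's `chain.pem` is the matching intermediate-only file. The `@@ -100,9 +109,13 @@` hunk adds the same three directives and needs the same change.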
diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml index 312f938f0a..6872173a62 100644 --- a/playbooks/groups/os-cluster.yml +++ b/playbooks/groups/os-cluster.yml @@ -115,3 +115,16 @@ tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } +- name: Post-Install setup + hosts: os-stg:os + tags: + - os-post-install + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - name: enable nrpe for monitoring (noc01) + iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT From 0c408b391e4f7cafb9a9c9233aba0157f679a5b7 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 16:42:31 +0000 Subject: [PATCH 187/308] making pagure admin groups a var and adding sysadmin-qa --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 1 + roles/pagure/upstreamfirst-frontend/templates/pagure.cfg | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index 2c8aae52d5..9aa5bbf9a3 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -77,6 +77,7 @@ pagure_ssh_host_fingerprint: '2048 6b:d8:48:27:5a:11:d1:14:e0:c1:91:23:45:c7:fb: # awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64_ pagure_ssh_host_sha256: 'SHA256:ggRdzg+ugyR6WIzeiuyASAdEHf+HG5yZqJJIu/YTtHI=' +new_pagure_admin_groups: ['sysadmin-main', 'sysadmin-qa'] stunnel_service: "eventsource" stunnel_source_port: 8088 diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg index bc65629cc9..db3c79e68d 100644 
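Review bot: The new `Post-Install setup` play loads `/srv/private/ansible/vars.yml` and `/srv/private/ansible/files/openstack/passwords.yml` although its only task is an `iptables` rule that uses no variable from either file. Dropping the unused `vars_files` entries keeps those secrets out of the play's scope. The rule is inserted into the running `INPUT` chain only and nothing in the hunk saves it, so unless the hosts' persistent firewall configuration also opens port 5666 for 10.5.126.41, monitoring access disappears after a reboot or an iptables reload.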
--- a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg @@ -27,7 +27,7 @@ PREFERRED_URL_SCHEME='https' DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}@{{ new_pagure_db_host }}/{{ new_pagure_db_name }}' ### The FAS group in which the admin of pagure are -ADMIN_GROUP = ['sysadmin-main'] +ADMIN_GROUP = {{ new_pagure_admin_groups }} ### The email address to which the flask.log will send the errors (tracebacks) EMAIL_ERROR = '{{ pagure_admin_email }}' From b78c9c26289e9f3ca822492141fa33d398d12436 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 18:58:24 +0000 Subject: [PATCH 188/308] changing instance name and session cookie name for upstreamfirst pagure --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 3 ++- roles/pagure/upstreamfirst-frontend/defaults/main.yml | 2 ++ roles/pagure/upstreamfirst-frontend/templates/pagure.cfg | 4 +++- 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 roles/pagure/upstreamfirst-frontend/defaults/main.yml diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index 9aa5bbf9a3..9fc6bb1f7d 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -7,7 +7,6 @@ instance_type: m1.medium image: CentOS-7-x86_64-GenericCloud-1503 keypair: fedora-admin-20130801 -security_group: default # NOTE: security_group MUST contain default. zone: nova inventory_tenant: persistent @@ -79,6 +78,8 @@ pagure_ssh_host_sha256: 'SHA256:ggRdzg+ugyR6WIzeiuyASAdEHf+HG5yZqJJIu/YTtHI=' new_pagure_admin_groups: ['sysadmin-main', 'sysadmin-qa'] +pagure_instance_name: "{{ pagure_instance_name }}" + stunnel_service: "eventsource" stunnel_source_port: 8088 stunnel_destination_port: 8080 
diff --git a/roles/pagure/upstreamfirst-frontend/defaults/main.yml b/roles/pagure/upstreamfirst-frontend/defaults/main.yml new file mode 100644 index 0000000000..a9e248fb02 --- /dev/null +++ b/roles/pagure/upstreamfirst-frontend/defaults/main.yml @@ -0,0 +1,2 @@ +--- +pagure_instance_name: "Pagure" diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg index db3c79e68d..eac700089e 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg @@ -1,5 +1,7 @@ from datetime import timedelta +INSTANCE_NAME= {{ pagure_instance_name }} + ### Set the time after which the admin session expires # There are two sessions on pagure, login that holds for 31 days and # the session defined here after which an user has to re-login. @@ -151,7 +153,7 @@ SESSION_COOKIE_SECURE = True # The name of the cookie used to store the session id. # Default: ``.pagure``. -SESSION_COOKIE_NAME = 'pagure' +SESSION_COOKIE_NAME = 'upstreamfirstpagure' # Boolean specifying wether to check the user's IP address when retrieving # its session. This make things more secure (thus is on by default) but From 3c6a6a63697959f9c91fabd020130396be3074b1 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 19:03:13 +0000 Subject: [PATCH 189/308] recursively defined vars tend not to work well --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index 9fc6bb1f7d..30aaaa69eb 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org 
@@ -78,7 +78,7 @@ pagure_ssh_host_sha256: 'SHA256:ggRdzg+ugyR6WIzeiuyASAdEHf+HG5yZqJJIu/YTtHI=' new_pagure_admin_groups: ['sysadmin-main', 'sysadmin-qa'] -pagure_instance_name: "{{ pagure_instance_name }}" +pagure_instance_name: "Upstream First Pagure" stunnel_service: "eventsource" stunnel_source_port: 8088 From ee6fbb35df69cc99cc71b84a7db54ef96508bc14 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 18 May 2017 19:10:58 +0000 Subject: [PATCH 190/308] quoting instance name for pagure --- roles/pagure/upstreamfirst-frontend/templates/pagure.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg index eac700089e..7e1b68eb4f 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg @@ -1,6 +1,6 @@ from datetime import timedelta -INSTANCE_NAME= {{ pagure_instance_name }} +INSTANCE_NAME= '{{ pagure_instance_name }}' ### Set the time after which the admin session expires # There are two sessions on pagure, login that holds for 31 days and From 266e09257259d89893ac93355954af86466951ba Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 18 May 2017 19:18:09 +0000 Subject: [PATCH 191/308] clean up some commented hosts, fix a group file that was in the wrong place and add some comments to inventory --- inventory/buildaarch64 | 2 -- inventory/builders | 23 +---------------------- inventory/group_vars/buildaarch64 | 26 +------------------------- inventory/inventory | 15 +++------------ 4 files changed, 5 insertions(+), 61 deletions(-) delete mode 100644 inventory/buildaarch64 diff --git a/inventory/buildaarch64 b/inventory/buildaarch64 deleted file mode 100644 index 7a1af647fa..0000000000 --- a/inventory/buildaarch64 +++ /dev/null @@ -1,2 +0,0 @@ ---- -sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" 
diff --git a/inventory/builders b/inventory/builders index 21a661d319..5e2e283c8b 100644 --- a/inventory/builders +++ b/inventory/builders @@ -1,4 +1,3 @@ - [buildvm] buildvm-01.phx2.fedoraproject.org buildvm-02.phx2.fedoraproject.org @@ -169,24 +168,6 @@ buildhw-aarch64-01.arm.fedoraproject.org buildhw-aarch64-02.arm.fedoraproject.org buildhw-aarch64-03.arm.fedoraproject.org -[dell-fx-build] -# dell-fx01-01.phx2.fedoraproject.org -# dell-fx01-02.phx2.fedoraproject.org -# dell-fx01-03.phx2.fedoraproject.org -# dell-fx01-04.phx2.fedoraproject.org -# dell-fx01-05.phx2.fedoraproject.org -# dell-fx01-06.phx2.fedoraproject.org -# dell-fx01-07.phx2.fedoraproject.org -# dell-fx01-08.phx2.fedoraproject.org -# dell-fx02-01.phx2.fedoraproject.org -# dell-fx02-02.phx2.fedoraproject.org -# dell-fx02-03.phx2.fedoraproject.org -# dell-fx02-04.phx2.fedoraproject.org -# dell-fx02-05.phx2.fedoraproject.org -# dell-fx02-06.phx2.fedoraproject.org -# dell-fx02-07.phx2.fedoraproject.org -# dell-fx02-08.phx2.fedoraproject.org - # # These are primary koji builders. # @@ -259,9 +240,6 @@ arm01 arm02 arm04 -# -# These are secondary arch builders. -# [arm01] # 01 is in use as retrace instance arm01-builder00.arm.fedoraproject.org @@ -286,6 +264,7 @@ arm01-builder18.arm.fedoraproject.org arm01-builder19.arm.fedoraproject.org arm01-builder20.arm.fedoraproject.org arm01-builder21.arm.fedoraproject.org +# These two are using in staging #arm01-builder22.arm.fedoraproject.org #arm01-builder23.arm.fedoraproject.org diff --git a/inventory/group_vars/buildaarch64 b/inventory/group_vars/buildaarch64 index a878d1e3f8..7a1af647fa 100644 --- a/inventory/group_vars/buildaarch64 +++ b/inventory/group_vars/buildaarch64 
@@ -1,26 +1,2 @@ --- -host_group: kojibuilder -fas_client_groups: sysadmin-releng,sysadmin-secondary -sudoers: "{{ private }}/files/sudo/buildsecondary-sudoers" -gw: 10.5.78.254 - -kojipkgs_url: armpkgs.fedoraproject.org -kojihub_url: arm.koji.fedoraproject.org/kojihub -kojihub_scheme: https - -koji_hub_nfs: "fedora_arm/data" -koji_server_url: "https://arm.koji.fedoraproject.org/kojihub" -koji_weburl: "https://arm.koji.fedoraproject.org/koji" -koji_topurl: "https://armpkgs.fedoraproject.org/" - -# These variables are pushed into /etc/system_identification by the base role. -# Groups and individual hosts should ovveride them with specific info. -# See http://infrastructure.fedoraproject.org/csi/security-policy/ - -csi_security_category: High -csi_primary_contact: Fedora Admins - admin@fedoraproject.org -csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This group builds packages for aarch64 architecture. -csi_relationship: | - * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios - * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver. - * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new +sudoers: "{{ private }}/files/sudo/sysadmin-secondary-sudoers" diff --git a/inventory/inventory b/inventory/inventory index f9589d1a67..4dbc58892d 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1,9 +1,3 @@ -# dummies until the multiple inventory group import issue is fixed in -# ansible -[builders] -[bkernel] -[buildvmhost] - [beaker] beaker01.qa.fedoraproject.org @@ -266,6 +260,9 @@ autocloud-backend01.stg.phx2.fedoraproject.org autocloud-backend02.stg.phx2.fedoraproject.org [autosign] +# +# autosign01 does not listen to ssh by default +# #autosign01.phx2.fedoraproject.org [autosign-stg] 
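Review bot: The `inventory/group_vars/buildaarch64` hunk replaces all 26 lines of group variables with the two-line content of the misplaced `inventory/buildaarch64`, which reads like an overwrite rather than a merge. Along with the koji URLs it drops `fas_client_groups: sysadmin-releng,sysadmin-secondary` and the `csi_security_category: High` block, and it switches `sudoers` from `buildsecondary-sudoers` to `sysadmin-secondary-sudoers`, so both who gets accounts on these builders and which sudo policy they receive change in a commit described as cleanup. Unless those variables are supplied by another group these hosts belong to (not visible here), the fix is to keep the existing file and change only the `sudoers:` line if the new path is the intended one.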
@@ -345,7 +342,6 @@ download-phx2 download-ibiblio download-rdu2 - [elections] elections01.phx2.fedoraproject.org elections02.phx2.fedoraproject.org @@ -372,7 +368,6 @@ hotness01.stg.phx2.fedoraproject.org [kerneltest] kerneltest01.phx2.fedoraproject.org -#kerneltest02.phx2.fedoraproject.org [kerneltest-stg] kerneltest01.stg.phx2.fedoraproject.org @@ -444,7 +439,6 @@ iddev.fedorainfracloud.org dhcp01.phx2.fedoraproject.org [nagios] -#noc01.phx2.fedoraproject.org noc02.fedoraproject.org [nagios-new] @@ -919,7 +913,6 @@ zanata2fedmsg01.stg.phx2.fedoraproject.org #[zanata2fedmsg] #zanata2fedmsg01.phx2.fedoraproject.org - # This is a convenience group listing the hosts that live on the QA network that # are allowed to send inbound fedmsg messages to our production fedmsg bus. # See also: @@ -938,7 +931,6 @@ openqa01.qa.fedoraproject.org resultsdb-stg01.qa.fedoraproject.org openqa-stg01.qa.fedoraproject.org - # assorted categories of fedmsg services, for convenience [fedmsg-hubs:children] autocloud-backend @@ -1380,7 +1372,6 @@ docker-registry01.phx2.fedoraproject.org [moby-registry-stg] docker-registry01.phx2.fedoraproject.org - [webservers:children] proxies ipsilon From 03ca9337d3a2bd8f3e5ea1357eb82fe88a901341 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 18 May 2017 20:28:59 +0000 Subject: [PATCH 192/308] Merge config changes back Signed-off-by: Patrick Uiterwijk --- roles/regcfp/tasks/main.yml | 22 +- roles/regcfp/templates/config.json | 409 ++++++++++++++++++++++++----- 2 files changed, 354 insertions(+), 77 deletions(-) diff --git a/roles/regcfp/tasks/main.yml b/roles/regcfp/tasks/main.yml index f9091da5e0..485c9411ec 100644 --- a/roles/regcfp/tasks/main.yml +++ b/roles/regcfp/tasks/main.yml 
@@ -9,17 +9,17 @@ tags: - packages -- name: Clone the regcfp master branch - git: repo=https://github.com/puiterwijk/regcfp.git - dest=/srv/regcfp - version=develop - clone=yes update=yes - register: git_result - changed_when: "git_result.after|default('after') != git_result.before|default('before')" - tags: - - regcfp - notify: - - restart regcfp +#- name: Clone the regcfp master branch +# git: repo=https://github.com/puiterwijk/regcfp.git +# dest=/srv/regcfp +# version=develop +# clone=yes update=yes +# register: git_result +# changed_when: "git_result.after|default('after') != git_result.before|default('before')" +# tags: +# - regcfp +# notify: +# - restart regcfp # TODO: Find EPEL packages for these - name: Install dependencies diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index 23b084045b..c070b8d335 100644 --- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json @@ -3,9 +3,10 @@ "site_url": "https://register.flocktofedora.org", "theming": { "theme": "fedora", - "site_name": "Flock 2016 Registration", - "event_name": "Flock 2016", - "logo": "" + "site_name": "Flock 2017 Registration", + "event_name": "Flock 2017", + "logo": "", + "event_location": "Hyannis, Cape Cod" }, "secret": "{{ regcfp_secret }}", "database": { 
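Review bot: The clone task in `roles/regcfp/tasks/main.yml` is disabled by commenting it out with no explanation, so the playbook no longer says how the code in `/srv/regcfp` gets there or which revision is expected to run. A comment above the block such as `# checkout is managed by hand for now; re-enable with version= pinned to a reviewed commit` would record the intent. When it is re-enabled, `version=develop` follows a moving branch of a personal GitHub repository, so pinning it to a commit hash or tag would keep each deploy reviewable. The task list continues outside this hunk.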
@@ -58,18 +59,18 @@ "permissions": { "admin": ["puiterwijk@fedoraproject.org", "pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "duffy@fedoraproject.org", "decause@fedoraproject.org", "spot@fedoraproject.org", "robyduck@fedoraproject.org", "rsuehle@fedoraproject.org", "mattdm@fedoraproject.org"], "papers": { - "submit": [], + "submit": ["*authenticated*"], "list": { "accepted": ["jwboyer@fedoraproject.org", "spot@fedoraproject.org"], "own": ["*authenticated*"], "all": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org"] }, "edit": { - "own": [], + "own": ["*authenticated*"], "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org"] }, "delete": { - "own": [], + "own": ["*authenticated*"], "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org"] }, "tag": ["*authenticated*"], @@ -78,10 +79,10 @@ "accept": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "spot@fedoraproject.org"] }, "registration": { - "register": [], - "pay": [], + "register": ["*authenticated*"], + "pay": ["*authenticated*"], "request_receipt": [], - "view_public": ["*authenticated*"], + "view_public": [], "view_all": [""], "add_payment": [], "print_badge": [], @@ -90,18 +91,14 @@ "cancel_all": [] } }, - + "papers": { "enabled": true, "tracks": [ - "Building a Better Distro", - "Growing the Fedora Userbase", - "Making Life Better for Contributors", - "Prepared Lightning Talk", - "Workshop - Team Planning", - "Workshop - Hackfest", - "Workshop - Drop-in Clinic", - "Other" + "Talk (30 min)", + "Talk (60 min)", + "Do-Session (120 min)", + "Do-Session (180 min)" ] }, 
@@ -109,14 +106,18 @@ "registration": { "enabled": true, "fields": { + "reglegend": { + "type": "legend", + "display_name": "Registration Fee", + "split": 0 + }, "doc1": { "type": "documentation", "display_name": "", "html": [ - "We are excited to see you at this year's Flock!", - "We're doing things a little differently this year in order to make sure it is a", - "productive event that helps us achieve our goals as a community.", - "Explain regfee etc" + "The registration fee below is determined by your current country selection. ", + "This is in order to keep the fee fair and nominal across all regions. ", + "If your country isn't listed, please choose a country or region with a similar economic situation." ], "split": 0 }, 
@@ -125,33 +126,93 @@ "short_display_name": "Ctr", "type": "select", "required": true, - "message": "This will be kept private", + "message" : "Choose a region with a similar economic situation if your country is not listed.", + "privmsg": "This will be kept private.", "private": true, "placeholder": "Country of origin", "options": [ + "Argentina", + "Australia", + "Brazil", + "Britain", + "Canada", + "Chile", + "China", + "Colombia", + "Costa Rica", + "Czech Republic", + "Denmark", + "Egypt", + "Euro area", + "Hong Kong", + "Hungary", + "India", + "Indonesia", + "Israel", + "Japan", + "Malaysia", + "Mexico", + "New Zealand", + "Norway", + "Pakistan", + "Peru", + "Philippines", + "Poland", + "Russia", + "Saudi Arabia", + "Singapore", + "South Africa", + "South Korea", + "Sri Lanka", + "Sweden", + "Switzerland", + "Taiwan", + "Thailand", + "Turkey", + "UAE", + "Ukraine", "United States", - "Netherlands" + "Uruguay", + "Venezuela", + "Vietnam", + "Austria", + "Belgium", + "Estonia", + "Finland", + "France", + "Germany", + "Greece", + "Ireland", + "Italy", + "Netherlands", + "Portugal", + "Spain" ], - "onchange": "javascript:update_regfee();", + "onchange": "javascript:update_regfee(); javascript:update_estimates();", "split": 0 }, "regfee": { "display_name": "Registration Fee", "type": "string", - "required": true, + "required": false, "private": true, "placeholder": "25.00", - "readonly": true, - "split": 0 + "readonly": false, + "split": 0, + "onchange": "javascript:update_estimates();" }, "reason": { - "display_name": "Why are you interested in attending flock?", - "type": "string", + "display_name": "Why are you interested in attending Flock?", + "type": "textarea", "required": true, "private": true, - "placeholder": "", "split": 0 }, + "soclegend": { + "type": "legend", + "display_name": "Social Details", + "split": 1 + }, "ircnick": { "display_name": "IRC Nickname", 
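Review bot: The `regfee` field goes from `"readonly": true` and `"required": true` to editable and optional, while its value is still filled in by `update_regfee()` in the browser from the selected country. Whether the server recomputes the fee from `country` before creating the payment is not visible on this page; if it uses the submitted `regfee`, a registrant can now set any amount or leave it blank without touching the page source. If a self-chosen amount is not intended, keep `"readonly": true` here and have the backend derive the fee from the country table; if it is intended, the backend should enforce a minimum. The `fields` object continues outside this hunk.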
@@ -171,13 +232,20 @@ "placeholder": "", "split": 1 }, + "reqslegend": { + "type": "legend", + "display_name": "Personal Requirements", + "split": 1 + }, + "veg": { "display_name": "Vegetarian", "short_display_name": "Veg", "type": "select", "required": true, - "message": "This will be kept private; note that a selection here does not guarantee availability of vegetarian options", - "private": true, + "message": "This does not guarantee availability of vegetarian options.", + "privmsg": "This will be kept private.", + "private": true, "placeholder": "", "options": [ "Yes", "No" @@ -189,7 +257,8 @@ "short_display_name": "Diet", "type": "string", "required": false, - "message": "This will be kept private; note that no guarantees are made, but we will do our best", + "message": "No guarantees are made here, but we will do our best!", + "privmsg": "This will be kept private.", "private": true, "placeholder": "", "split": 1 @@ -210,7 +279,7 @@ "display_name": "T-shirt size", "short_display_name": "Sz", "type": "select", - "message": "This will be kept private", + "message": "This will be kept private.", "required": false, "private": true, "placeholder": "", 
@@ -230,23 +299,38 @@ ], "split": 1 }, + "assistlegend": { + "type": "legend", + "display_name": "Financial Assistance", + "split": 2 + }, "needassistance": { "display_name": "Do you need financial assistance in order to attend Flock?", "short_display_name": "Sub", - "type": "boolean", + "type": "radio", "required": true, "private": true, + "onchange": "javascript:update_regfee(); javascript:update_estimates();", + "options": [ + "No, I / my employer can cover my expenses.", + "Yes, my attendance requires financial assistance." + ], "split": 2 }, "sponsor_additional": { "display_name": "Would you like to help sponsor a Fedora volunteer's attendance?", "short_display_name": "Spon", - "type": "boolean", + "type": "radio", "required": false, "private": true, - "shownifnot": "needassistance", + "shownifkey": "needassistance", + "shownifval": "No, I / my employer can cover my expenses.", + "options": [ + "No, thank you.", + "Yes, I will sponsor the amount that follows." + ], "split": 2 }, "sponsor_additional_amount": { 
@@ -255,42 +339,105 @@ "type": "string", "required": false, "private": true, - "shownif": "sponsor_additional", + "shownifkey": "sponsor_additional", + "shownifval": "Yes, I will sponsor the amount that follows.", + "split": 2 + }, + "circumlegend": { + "type": "legend", + "display_name": "Special Travel Circumstances", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", "split": 2 }, - "travel_circumstances": { - "display_name": "If there are any...", + "display_name": "If there are any special circumstances or logistics regarding your travel and/or funding for Flock, please note them here.", "short_display_name": "travel_circum", - "type": "string", + "type": "textarea", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "split": 2 + }, + "flightlegend": { + "type": "legend", + "display_name": "Flights", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", "split": 2 }, "flights_needed": { "display_name": "My trip to flock requires air travel", - "type": "boolean", + "type": "radio", "required": false, "private": true, - "shownif": "needassistance", + "onchange": "javascript:update_regfee(); javascript:update_estimates();", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "options": [ + "My trip to Flock requires air travel.", + "My trip to Flock does not require air travel." + ], "split": 2 }, "doc_flights": { "display_name": "", "type": "documentation", "html": [ - "Show calendar information here" - ], - "shownif": "flights_needed", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "
SatSunMonTueWedThuFriSatSun
Flock
Aug 26Aug 27Aug 28Aug 29Aug 30Aug 31Sep 01Sep 02Sep 03
", + "

First bus departs Logan Airport at 6:15 AM.

", + "

Last bus departs Logan Airport at 11:15 PM.

", + "
", + "

First bus arrives at Logan at 4:30 AM.

", + "

Last bus arrives at Logan at 10:30 PM.

", + "
" + ], + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", "split": 2 }, + "doc_research": { + "type": "documentation", + "display_name": "", + "html": [ + "

Please research round trip flights to Boston's Logan Airport for Flock. Note that there is a 2-hour long", + " bus ride from the airport to the conference site; we have provided a rough schedule of this bus above but ", + "please verify the schedule, particularly if you plan to ", + "ride on a weekend as the schedule may vary based on what we've posted above.

", + "

Plan to arrive in Hyannis, MA by the evening of Monday, August 28 and depart no sooner than 2 PM on Friday, ", + "keeping the bus times and schedule in account." + ], + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", + "split": 2 + }, + "flight_homeairport": { "display_name": "Preferred home airport codes", "type": "string", "required": false, "private": true, - "shownif": "flights_needed", + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", + "message": "Ex. 'PRG', 'BRQ'", "split": 2 }, "flight_price": { @@ -298,23 +445,53 @@ "type": "string", "required": false, "private": true, - "shownif": "flights_needed", + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", + "onchange": "javascript:update_estimates();", + "split": 2 + }, + "doc_research2": { + "type": "documentation", + "display_name": "", + "shownifkey": "flights_needed", + "shownifval": "My trip to Flock requires air travel.", + "html": [ + "

Please make your best guess on your estimated airfare cost based on your research. If you underestimate, ", + "there may not be enough funding for your trip; if you overestimate, other attendees may not receive funding. ", + "We rely on the honesty and integrity of our community members to fill this form out accurately." + ], + "split": 2 + }, + + + "othertransitlegend": { + "type": "legend", + "display_name": "Other Transit Costs", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", "split": 2 }, "busservice": { - "display_name": "Do you intend to use the Boston-to-Cape Cod bus service", - "type": "boolean", + "display_name": "Do you intend to use the Cape Cod bus service from Boston's Logan Airport?", + "type": "radio", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "options": [ + "Yes (+ $47 / roundtrip)", + "No" + ], + "onchange": "javascript:update_estimates();", "split": 2 }, "other_transit": { "display_name": "Please describe any other transit-related costs you anticipate", - "type": "string", + "type": "textarea", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", "split": 2 }, "total_othertransit": { 
@@ -322,24 +499,80 @@ "type": "string", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "onchange": "javascript:update_estimates();", "split": 2 }, + "lodginglegend": { + "type": "legend", + "display_name": "Lodging", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "split": 2 + }, + "lodging_needed": { "display_name": "I would like lodging to be part of my travel funding request", - "type": "boolean", + "type": "radio", "required": false, "private": true, - "shownif": "needassistance", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "options": [ + "I would like lodging to be part of my travel funding request.", + "I will make my own arrangements for lodging." + ], + "onchange": "javascript:update_estimates();", "split": 2 }, - "lodging_doc": { + "lodging_calendar": { "display_name": "", "type": "documentation", "html": [ - "Show lodging calendar and other info here..." + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "
SatSunMonTueWedThuFriSatSun
Flock
Aug 26Aug 27Aug 28Aug 29Aug 30Aug 31Sep 01Sep 02Sep 03
", + "

First bus departs Logan Airport at 6:15 AM.

", + "

Last bus departs Logan Airport at 11:15 PM.

", + "
", + "

First bus arrives at Logan at 4:30 AM.

", + "

Last bus arrives at Logan at 10:30 PM.

", + "
" + ], + "shownifkey": "lodging_needed", + "shownifval": "I would like lodging to be part of my travel funding request.", + "split": 2 + }, + "doc_lodging": { + "type": "documentation", + "display_name": "", + "shownifkey": "lodging_needed", + "shownifval": "I would like lodging to be part of my travel funding request.", + "html": [ + "

Please indicate below how many nights' lodging you anticipate needing based on your above travel estimate.

", + "

Note: We will fund up to four nights' stay for funded Flock attendees ", + "traveling domestically, and five nights' stay for international", + "travellers, with the exception of travel-related additional lodging requirements.

", + "

All funded attendees will share a double room with an attendee of the same gender. You may request an ", + "exception to this policy by emailing flock-staff@fedoraproject.org, ", + "which is a private address for Flock organizers." ], - "shownif": "lodgin_needed", "split": 2 }, "lodging_nights": { @@ -355,7 +588,9 @@ ], "required": false, "private": true, - "shownif": "lodging_needed", + "shownifkey": "lodging_needed", + "shownifval": "I would like lodging to be part of my travel funding request.", + "onchange": "javascript:update_estimates();", "split": 2 }, "lodging_roommate": { @@ -363,12 +598,54 @@ "type": "string", "required": false, "private": true, - "shownif": "lodging_needed", + "shownifkey": "lodging_needed", + "shownifval": "I would like lodging to be part of my travel funding request.", + "message": "Provide name or FAS ID of a mutually-agreed upon roommate.", + "split": 2 + }, + + "doc_estimated_cost": { + "type": "documentation", + "display_name": "", + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "html": [ + "

Estimated costs for funding request

", + "

Estimated round trip airfare: $-- USD

", + "

Airfare booking fee: $--

", + "

Boston-to-Cape-Cod bus (round-trip): $--

", + "

Other transit-related costs: $--

", + "

Lodging, X nights x ($139.99 + 15.40): $--

", + "

Registration fee: $--

", + "
", + "

Total: $-- USD

" + ], + "split": 2 + }, + "afford_to_pay": { + "display_name": "If I am funded, I can afford to pay:", + "type": "radio", + "options": [20, 40, 60, 80, 90, "other"], + "required": false, + "private": true, + "shownifkey": "needassistance", + "shownifval": "Yes, my attendance requires financial assistance.", + "split": 2 + }, + "afford_to_pay_custom": { + "display_name": "Amount", + "short_display_name": "AffAmnt", + "type": "string", + "required": false, + "private": true, + "shownifkey": "afford_to_pay", + "shownifval": "other", "split": 2 } + }, "max_split": 2, - "payment_product_name": "My Event Registration Fee", + "payment_product_name": "Flock 2017 Registration Fee", "currencies": { "USD": { "symbol": "$", @@ -378,7 +655,7 @@ } }, "main_currency": "USD", - "paypal_experience_profile": "", + "paypal_experience_profile": "XP-KZGG-W7U6-E9QN-AHRF", "desk_word": "something", "paypal": { @@ -389,7 +666,7 @@ }, "profile": { - "name": "Event Registration Profile", + "name": "Flock 2017", "presentation": { "brand_name": "Fedora Project", "logo_image": "https://getfedora.org/static/images/fedora_infinity_140x140.png", From b0055e76f32ed9c03159d6a4d7f2156b2b0d04af Mon Sep 17 00:00:00 2001 From: Martin Krizek Date: Fri, 19 May 2017 10:38:05 +0000 Subject: [PATCH 193/308] taskotron: change to a new python-versions repo name --- inventory/group_vars/taskotron-dev | 2 +- inventory/group_vars/taskotron-prod | 2 +- inventory/group_vars/taskotron-stg | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/inventory/group_vars/taskotron-dev b/inventory/group_vars/taskotron-dev index 5d398610c6..8858254366 100644 --- a/inventory/group_vars/taskotron-dev +++ b/inventory/group_vars/taskotron-dev 
@@ -29,7 +29,7 @@ grokmirror_repos: - { name: fedoraqa/abicheck, url: 'https://pagure.io/task-abicheck.git'} - { name: fedoraqa/rpmgrill, url: 'https://bitbucket.org/fedoraqa/task-rpmgrill.git'} - { name: fedoraqa/simpledocker, url: 'https://bitbucket.org/fedoraqa/task-simpledocker.git'} - - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/task-python-versions'} + - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/taskotron-python-versions'} - { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'} - { name: fedoraqa/rpmdeplint, url: 'https://pagure.io/taskotron/task-rpmdeplint.git'} - { name: fedoraqa/rpmlint-scratch, url: 'https://bitbucket.org/fedoraqa/task-rpmlint-scratch.git'} diff --git a/inventory/group_vars/taskotron-prod b/inventory/group_vars/taskotron-prod index 4dd26ed75d..e457089181 100644 --- a/inventory/group_vars/taskotron-prod +++ b/inventory/group_vars/taskotron-prod @@ -23,7 +23,7 @@ grokmirror_repos: - { name: fedoraqa/dockerautotest, url: 'https://bitbucket.org/fedoraqa/task-dockerautotest.git'} - { name: fedoraqa/abicheck, url: 'https://pagure.io/task-abicheck.git'} - { name: fedoraqa/rpmgrill, url: 'https://bitbucket.org/fedoraqa/task-rpmgrill.git'} - - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/task-python-versions'} + - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/taskotron-python-versions'} - { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'} - { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'} - { name: fedoraqa/fedora-cloud-tests, url: 'https://pagure.io/taskotron/task-fedora-cloud-tests.git'} diff --git a/inventory/group_vars/taskotron-stg b/inventory/group_vars/taskotron-stg index 8988360813..6677ee3650 100644 --- a/inventory/group_vars/taskotron-stg +++ b/inventory/group_vars/taskotron-stg 
@@ -29,7 +29,7 @@ grokmirror_repos: - { name: fedoraqa/dockerautotest, url: 'https://bitbucket.org/fedoraqa/task-dockerautotest.git'} - { name: fedoraqa/abicheck, url: 'https://pagure.io/task-abicheck.git'} - { name: fedoraqa/rpmgrill, url: 'https://bitbucket.org/fedoraqa/task-rpmgrill.git'} - - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/task-python-versions'} + - { name: fedoraqa/python-versions, url: 'https://github.com/fedora-python/taskotron-python-versions'} - { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'} - { name: fedoraqa/rpmdeplint, url: 'https://pagure.io/taskotron/task-rpmdeplint.git'} - { name: fedoraqa/rpmlint-scratch, url: 'https://bitbucket.org/fedoraqa/task-rpmlint-scratch.git'} From 502a5e7aac4f6143967d2743e66ab5777259d383 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 19 May 2017 17:44:27 +0000 Subject: [PATCH 194/308] move this to pre_tasks so fas_client can install --- playbooks/groups/taskotron-client-hosts.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/playbooks/groups/taskotron-client-hosts.yml b/playbooks/groups/taskotron-client-hosts.yml index dd4dedddd4..f04cedd598 100644 --- a/playbooks/groups/taskotron-client-hosts.yml +++ b/playbooks/groups/taskotron-client-hosts.yml @@ -14,6 +14,9 @@ - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + pre_tasks: + - include: "{{ tasks_path }}/yumrepos.yml" + roles: - base - rkhunter @@ -26,7 +29,6 @@ - { role: openvpn/client, when: datacenter != "phx2" } tasks: - - include: "{{ tasks_path }}/yumrepos.yml" - include: "{{ tasks_path }}/2fa_client.yml" - include: "{{ tasks_path }}/motd.yml" From e276c689cf11d9caac75415db395a0532c9319d3 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Fri, 19 May 2017 19:44:34 +0000 Subject: [PATCH 195/308] fix jenkins to actually rotate logs --- roles/jenkins/master/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/jenkins/master/tasks/main.yml b/roles/jenkins/master/tasks/main.yml index 226d321c69..b4a07d7126 100644 --- a/roles/jenkins/master/tasks/main.yml +++ b/roles/jenkins/master/tasks/main.yml @@ -65,6 +65,13 @@ - jenkins/master - config +- name: set /var/log/jenkins to not be writable by jenkins group + file: path=/var/log/jenkins mode=0700 owner=jenkins + tags: + - jenkins + - jenkins/master + - config + - name: install jenkins launcher config file copy: > src="jenkins.conf" From 2fd1d5e10ef1c1d9d3a715803aad2992ed4e225a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 19 May 2017 20:13:07 +0000 Subject: [PATCH 196/308] add keepalived scripts for pgbdr --- ...tify.sh.pgbdr01.stg.phx2.fedoraproject.org | 24 +++++++++++++++++++ ...tify.sh.pgbdr02.stg.phx2.fedoraproject.org | 24 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org create mode 100644 roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org diff --git a/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org b/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org new file mode 100644 index 0000000000..76b2255aa4 --- /dev/null +++ b/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org @@ -0,0 +1,24 @@ +#!/bin/bash +TYPE=$1 +NAME=$2 +STATE=$3 + +# +# We are becoming master node +# +if [ $STATE == "MASTER" ]; then + logger "just became keepalived master" + +fi +# +# We are becoming the backup node +# +if [ $STATE == "BACKUP" ]; then + logger "just became keepalived backup" +fi +# +# something horrible has gone wrong +# +if [ $STATE == "FAULT" ]; then + logger "just had a keepalived fault" +fi 
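Review bot: The new task `file: path=/var/log/jenkins mode=0700 owner=jenkins` sets the mode and owner but neither asserts that the path is a directory nor sets the group, although the task name is about the jenkins group. Writing it as `file: path=/var/log/jenkins state=directory mode=0700 owner=jenkins group=jenkins` makes the result independent of what the package left behind (assuming the group is named `jenkins`, as the task name suggests). A one-line comment that logrotate refuses to rotate in a group-writable directory would explain why 0700 was chosen over 0750.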
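Review bot: In the new notify script the tests are written as `if [ $STATE == "MASTER" ]; then` with `$STATE` unquoted, so an empty or missing third argument turns each test into a syntax error and none of the state transitions is logged. Quoting and using the portable operator, `if [ "$STATE" = "MASTER" ]; then`, or a single `case "$STATE" in` block, keeps the script well-defined for any input. `TYPE` and `NAME` are assigned but never used; including them in the `logger` messages would make the syslog entries attributable to a VRRP instance. The pgbdr02 copy added in the same patch is identical (same blob id) and has the same issue, so one shared file would avoid the two drifting apart.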
diff --git a/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org b/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org new file mode 100644 index 0000000000..76b2255aa4 --- /dev/null +++ b/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org @@ -0,0 +1,24 @@ +#!/bin/bash +TYPE=$1 +NAME=$2 +STATE=$3 + +# +# We are becoming master node +# +if [ $STATE == "MASTER" ]; then + logger "just became keepalived master" + +fi +# +# We are becoming the backup node +# +if [ $STATE == "BACKUP" ]; then + logger "just became keepalived backup" +fi +# +# something horrible has gone wrong +# +if [ $STATE == "FAULT" ]; then + logger "just had a keepalived fault" +fi From f4544647cfd2e8d6dc83277e54764618e9862961 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Fri, 19 May 2017 20:34:07 +0000 Subject: [PATCH 197/308] do backups for upstreamfirst pagure instance --- inventory/backups | 1 + .../host_vars/upstreamfirst.fedorainfracloud.org | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/inventory/backups b/inventory/backups index 8f46e5d857..35015e21db 100644 --- a/inventory/backups +++ b/inventory/backups @@ -25,3 +25,4 @@ nuancier01.phx2.fedoraproject.org piwik.fedorainfracloud.org #magazine.fedorainfracloud.org communityblog.fedorainfracloud.org +upstreamfirst.fedorainfracloud.org diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index 30aaaa69eb..dae17d4f0e 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org 
@@ -37,6 +37,18 @@ tcp_ports: [ 22, 25, 80, 443, 9418, external_hostname: 'upstreamfirst.fedorainfracloud.org' +############################################################ +# Backup +############################################################ + +dbs_to_backup: +- postgres +- pagure + +host_backup_targets: + - '/backups' + - '/srv/git' + ############################################################ # PostgreSQL configuration ############################################################ From c3324c88837dafcfae19c0d081fdb9fd88259086 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 19 May 2017 22:12:49 +0000 Subject: [PATCH 198/308] Also allow postgres shm file on ci-cc-rdu01. --- roles/rkhunter/templates/rkhunter.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2 index 75164abd09..4112ba1f50 100644 --- a/roles/rkhunter/templates/rkhunter.conf.j2 +++ b/roles/rkhunter/templates/rkhunter.conf.j2 @@ -404,7 +404,7 @@ ALLOWDEVFILE=/dev/shm/spice.* {% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa-stg'] %} ALLOWDEVFILE=/dev/shm/sem.slapd*.stats {% endif %} -{% if inventory_hostname in groups['pgbdr'] or inventory_hostname in groups['pgbdr-stg'] %} +{% if inventory_hostname in groups['pgbdr'] or inventory_hostname in groups['pgbdr-stg'] or inventory_hostname == 'ci-cc-rdu01.fedoraproject.org' %} ALLOWDEVFILE=/dev/shm/PostgreSQL* {% endif %} From cc95cd79abb30832cf629accc8a765c65261cac7 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 21 May 2017 02:55:11 +0000 Subject: [PATCH 199/308] enable backups of magazine2 --- inventory/backups | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/backups b/inventory/backups index 35015e21db..152064c74b 100644 --- a/inventory/backups +++ b/inventory/backups 
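Review bot: The rkhunter exception is now keyed on a literal hostname inside the template (`inventory_hostname == 'ci-cc-rdu01.fedoraproject.org'`), which hides a detection-scope decision in a role file instead of inventory. `ALLOWDEVFILE=/dev/shm/PostgreSQL*` tells rkhunter to ignore any file with that prefix on the host, so each host that gets it should be easy to audit. I would drive this from a host/group variable (name is a suggestion), e.g. `{% if rkhunter_allow_postgres_shm | default(false) %}`, set to true for pgbdr, pgbdr-stg and this host, and add a comment saying why ci-cc-rdu01 runs PostgreSQL.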
@@ -23,6 +23,6 @@ taiga.fedorainfracloud.org taskotron01.qa.fedoraproject.org nuancier01.phx2.fedoraproject.org piwik.fedorainfracloud.org -#magazine.fedorainfracloud.org +magazine2.fedorainfracloud.org communityblog.fedorainfracloud.org upstreamfirst.fedorainfracloud.org From cc29d3ed65ed88f7d67d5edeb8c6eb0fa148acb8 Mon Sep 17 00:00:00 2001 From: clime Date: Mon, 22 May 2017 09:25:39 +0200 Subject: [PATCH 200/308] pkgs-stg: employ the dist-git package setup_git_package and mkbranch scripts --- roles/distgit/tasks/main.yml | 4 ++-- roles/distgit/{files => templates}/pkgdb2-clone | 8 +++++++- roles/distgit/templates/pkgdb_sync_git_branches.py | 9 +++++++++ 3 files changed, 18 insertions(+), 3 deletions(-) rename roles/distgit/{files => templates}/pkgdb2-clone (97%) diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index 608a0e0e95..0eca9584a1 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -141,7 +141,6 @@ - setup_git_package - mkbranch - mkbranch_branching - - pkgdb2-clone tags: - config - distgit @@ -178,10 +177,11 @@ tags: - distgit -- name: install the pkgdb_sync_git_branches.py scripts +- name: install the pkgdb_sync_git_branches.py and pkgdb2-clone scripts template: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755 with_items: - pkgdb_sync_git_branches.py + - pkgdb2-clone tags: - config - distgit diff --git a/roles/distgit/files/pkgdb2-clone b/roles/distgit/templates/pkgdb2-clone similarity index 97% rename from roles/distgit/files/pkgdb2-clone rename to roles/distgit/templates/pkgdb2-clone index daa7d88644..110cbb0386 100644 --- a/roles/distgit/files/pkgdb2-clone +++ b/roles/distgit/templates/pkgdb2-clone 
@@ -13,6 +13,12 @@ NEW_EPEL_VERSION = '7' NEW_EPEL_SOURCE_BRANCH = 'f19' RHEL_PKGS_PATH = '/var/lib/rhel/rhel' + NEW_EPEL_VERSION +{% if env == 'staging' -%} +MKBRANCH = '/usr/share/dist-git/mkbranch' +{%- else -%} +MKBRANCH = '/usr/local/bin/mkbranch' +{%- endif %} + # parse_page :: String -> IO (Map String String) # This returns a dictionary of {"pkg_name": "branch"} def parse_page(url): @@ -140,7 +146,7 @@ def main(args): "name, " + src_branchname + " -> " + dest_branchname else: if process_package(pkgdb, key, src_branchname, dest_branchname): - subprocess.call(["mkbranch", + subprocess.call([MKBRANCH, "-s", NEW_EPEL_SOURCE_BRANCH, "epel" + NEW_EPEL_VERSION, diff --git a/roles/distgit/templates/pkgdb_sync_git_branches.py b/roles/distgit/templates/pkgdb_sync_git_branches.py index f3d1d641d3..cef9d89365 100644 --- a/roles/distgit/templates/pkgdb_sync_git_branches.py +++ b/roles/distgit/templates/pkgdb_sync_git_branches.py @@ -70,8 +70,17 @@ PKGDB_URL = 'https://admin.fedoraproject.org/pkgdb' GIT_FOLDER = '/srv/git/repositories/' +{% if env == 'staging' -%} +MKBRANCH = '/usr/share/dist-git/mkbranch' +{%- else -%} MKBRANCH = '/usr/local/bin/mkbranch' +{%- endif %} + +{% if env == 'staging' -%} +SETUP_PACKAGE = '/usr/share/dist-git/setup_git_package' +{%- else -%} SETUP_PACKAGE = '/usr/local/bin/setup_git_package' +{%- endif %} THREADS = 20 VERBOSE = False From 45626dc9e22a476e4fa7bd67705cd743c7e0300e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 22 May 2017 17:33:32 +0000 Subject: [PATCH 201/308] show gz files on people instead of downloading them --- roles/people/templates/people.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/people/templates/people.conf b/roles/people/templates/people.conf index b7652b5639..aec12b9f88 100644 --- a/roles/people/templates/people.conf +++ b/roles/people/templates/people.conf 
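Review bot: The staging/production switch for `MKBRANCH` is now written out three times across `pkgdb2-clone` and `pkgdb_sync_git_branches.py`, each with `-%}` / `{%-` whitespace control, so whether the rendered Python is valid depends on a blank line following every `{%- endif %}`. Setting the directory once per template is shorter and harder to break: `{% set distgit_bin = '/usr/share/dist-git' if env == 'staging' else '/usr/local/bin' %}` followed by `MKBRANCH = '{{ distgit_bin }}/mkbranch'` and `SETUP_PACKAGE = '{{ distgit_bin }}/setup_git_package'` (the variable name is a suggestion). Since `pkgdb2-clone` moved from `files/` to `templates/`, its whole body is now rendered by Jinja; the body is outside these hunks, so it is worth confirming it contains no literal `{{` or `{%`. Calling `mkbranch` by absolute path instead of via `PATH` in `subprocess.call` is a good change.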
@@ -218,6 +218,11 @@ SetOutputFilter DEFLATE AddType video/webm .webm AddType text/plain .spec AddType application/vnd.android.package-archive .apk +AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript + + ForceType text/plain + Header set Content-Encoding: gzip + # Insert filter From 6f663fcf86e9767731a15cd49a835d4a3049c04b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 22 May 2017 17:44:34 +0000 Subject: [PATCH 202/308] update flock-staff alias --- roles/fas_client/files/aliases.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fas_client/files/aliases.template b/roles/fas_client/files/aliases.template index bd5414d7c0..d972e57e24 100644 --- a/roles/fas_client/files/aliases.template +++ b/roles/fas_client/files/aliases.template @@ -144,7 +144,7 @@ fudcon-paper: fudcon-cfp # flock flockpress: bex,fpl flockinfo: bex,fpl -flock-staff: bex,fpl,jwboyer,duffy +flock-staff: bex,fpl,duffy # gnome backups gnomebackup: backups@gnome.org From a937644748d68ee103745a390da25f2a703a2eb0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 22 May 2017 18:41:29 +0000 Subject: [PATCH 203/308] add some missed redirects for bind-dyndb project. https://pagure.io/fedora-infrastructure/issue/5846 --- files/httpd/fedorahosted-redirects.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/files/httpd/fedorahosted-redirects.conf b/files/httpd/fedorahosted-redirects.conf index b209629edd..24545b6c61 100644 --- a/files/httpd/fedorahosted-redirects.conf +++ b/files/httpd/fedorahosted-redirects.conf 
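Review bot: `ForceType text/plain` plus `Header set Content-Encoding: gzip` makes browsers render user-uploaded `.gz` content inline, and the directive that scopes these two lines is not visible in the hunk (it appears to have been lost in rendering), so the match pattern cannot be checked here. If it matches every `.gz`, binary archives such as `.tar.gz` will be decompressed and displayed as text instead of downloaded; the pattern should be limited to the log/text files this is meant for. Because this host serves user-supplied files, I would add `Header set X-Content-Type-Options nosniff` inside the same block so the forced `text/plain` is not overridden by content sniffing. The context line `SetOutputFilter DEFLATE` is still active above, so it is also worth testing that these responses are not compressed a second time.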
@@ -178,6 +178,10 @@ RewriteRule ^/fedora-badges/report https://pagure.io/Fedora-Badges/issues [R=301 RewriteRule ^/fedora-badges/ticket/(.*) https://pagure.io/Fedora-Badges/issue/$1 [R=301] RewriteRule ^/fedora-badges https://pagure.io/Fedora-Badges [R=301] +RewriteRule ^/bind-dyndb-ldap/wiki https://docs.pagure.io/bind-dyndb-ldap/ [R=301] +RewriteRule ^/bind-dyndb-ldap/wiki/ https://docs.pagure.io/bind-dyndb-ldap/ [R=301] +RewriteRule ^/bind-dyndb-ldap/wiki/(.*) https://docs.pagure.io/bind-dyndb-ldap/$1.html [R=301] +RewriteRule ^/bind-dyndb-ldap/wiki/(.*)/ https://docs.pagure.io/bind-dyndb-ldap/$1.html [R=301] RewriteRule ^/bind-dyndb-ldap/report https://pagure.io/bind-dyndb-ldap/issues [R=301] RewriteRule ^/bind-dyndb-ldap/ticket/(.*) https://pagure.io/bind-dyndb-ldap/issue/$1 [R=301] RewriteRule ^/bind-dyndb-ldap/changeset/(.*) https://pagure.io/bind-dyndb-ldap/c/$1 [R=301] From 9008988828ade3cae01e5c4e7c4c537d08c8791e Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Mon, 22 May 2017 21:07:56 +0000 Subject: [PATCH 204/308] adding custom theme and static folder to upstreamfirst pagure config --- roles/pagure/upstreamfirst-frontend/templates/pagure.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg index 7e1b68eb4f..7783d0c31e 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg @@ -2,6 +2,9 @@ from datetime import timedelta INSTANCE_NAME= '{{ pagure_instance_name }}' +THEME_TEMPLATE_FOLDER='/var/www/upstreamfirst-paguretheme/templates' +THEME_STATIC_FOLDER='/var/www/upstreamfirst-paguretheme/static' + ### Set the time after which the admin session expires # There are two sessions on pagure, login that holds for 31 days and # the session defined here after which an user has to re-login. From cce7351197160e156a85d6a037fd841462b01397 Mon Sep 17 00:00:00 2001 
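Review bot: The first new rule, `^/bind-dyndb-ldap/wiki`, has no end anchor, so it also matches `/bind-dyndb-ldap/wiki/SomePage`; since the rules carry `[R=301]` without `[L]` and rewrite to an absolute URL, the three rules after it can never apply and every wiki page redirects to the docs root. The `(.*)` in the third rule would likewise swallow a trailing slash before the fourth rule is tried. Put the specific rule first and anchor both, keeping the targets as they are: `RewriteRule ^/bind-dyndb-ldap/wiki/(.+?)/?$ … [R=301,L]` then `RewriteRule ^/bind-dyndb-ldap/wiki/?$ … [R=301,L]`. The same four patterns are carried unchanged through the hostname fix in PATCH 205, so the ordering problem applies there too.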
From: Kevin Fenzi Date: Mon, 22 May 2017 22:20:40 +0000 Subject: [PATCH 205/308] it is docs.pagure.org, not docs.pagure.io --- files/httpd/fedorahosted-redirects.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/files/httpd/fedorahosted-redirects.conf b/files/httpd/fedorahosted-redirects.conf index 24545b6c61..a54574dabb 100644 --- a/files/httpd/fedorahosted-redirects.conf +++ b/files/httpd/fedorahosted-redirects.conf @@ -178,10 +178,10 @@ RewriteRule ^/fedora-badges/report https://pagure.io/Fedora-Badges/issues [R=301 RewriteRule ^/fedora-badges/ticket/(.*) https://pagure.io/Fedora-Badges/issue/$1 [R=301] RewriteRule ^/fedora-badges https://pagure.io/Fedora-Badges [R=301] -RewriteRule ^/bind-dyndb-ldap/wiki https://docs.pagure.io/bind-dyndb-ldap/ [R=301] -RewriteRule ^/bind-dyndb-ldap/wiki/ https://docs.pagure.io/bind-dyndb-ldap/ [R=301] -RewriteRule ^/bind-dyndb-ldap/wiki/(.*) https://docs.pagure.io/bind-dyndb-ldap/$1.html [R=301] -RewriteRule ^/bind-dyndb-ldap/wiki/(.*)/ https://docs.pagure.io/bind-dyndb-ldap/$1.html [R=301] +RewriteRule ^/bind-dyndb-ldap/wiki https://docs.pagure.org/bind-dyndb-ldap/ [R=301] +RewriteRule ^/bind-dyndb-ldap/wiki/ https://docs.pagure.org/bind-dyndb-ldap/ [R=301] +RewriteRule ^/bind-dyndb-ldap/wiki/(.*) https://docs.pagure.org/bind-dyndb-ldap/$1.html [R=301] +RewriteRule ^/bind-dyndb-ldap/wiki/(.*)/ https://docs.pagure.org/bind-dyndb-ldap/$1.html [R=301] RewriteRule ^/bind-dyndb-ldap/report https://pagure.io/bind-dyndb-ldap/issues [R=301] RewriteRule ^/bind-dyndb-ldap/ticket/(.*) https://pagure.io/bind-dyndb-ldap/issue/$1 [R=301] RewriteRule ^/bind-dyndb-ldap/changeset/(.*) https://pagure.io/bind-dyndb-ldap/c/$1 [R=301] From 00adf33c689997201681c561e99892650c110f8e Mon Sep 17 00:00:00 2001 
From: Tim Flink Date: Tue, 23 May 2017 04:13:29 +0000 Subject: [PATCH 206/308] adjusting upstreamfirst pagure to use themes --- inventory/host_vars/upstreamfirst.fedorainfracloud.org | 2 ++ .../upstreamfirst-frontend/templates/0_pagure.conf | 9 ++++++++- roles/pagure/upstreamfirst-frontend/templates/pagure.cfg | 4 ++-- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index dae17d4f0e..abb9fc82d3 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -91,6 +91,8 @@ pagure_ssh_host_sha256: 'SHA256:ggRdzg+ugyR6WIzeiuyASAdEHf+HG5yZqJJIu/YTtHI=' new_pagure_admin_groups: ['sysadmin-main', 'sysadmin-qa'] pagure_instance_name: "Upstream First Pagure" +pagure_theme_static_dir:'/var/www/upstreamfirst-paguretheme/static' +pagure_theme_template_dir:'/var/www/upstreamfirst-paguretheme/templates' stunnel_service: "eventsource" stunnel_source_port: 8088 diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf index 83c32fc643..0ecbe9943a 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf +++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf @@ -117,7 +117,14 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL SSLProtocol ALL -SSLv2 - Alias /static /usr/lib/python2.7/site-packages/pagure/static/ +# Configure static files so that a custom theme can override the defaults +# +RewriteCond "{{ pagure_theme_static_dir }}/$1" -f +RewriteRule "^/static/(.*)" "{{ pagure_theme_static_dir }}/$1" [L] + +# Use the application default theme for files not customized + +RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pagure/static/$1" [L] WSGIProcessGroup paguredocs 
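Review bot: The `/static/` rewrite in `0_pagure.conf` replaces `Alias /static …` with rules that map requests straight onto `{{ pagure_theme_static_dir }}` and the pagure package directory, but nothing visible in this hunk grants access to the theme directory. The vhost continues outside the hunk, so please confirm a `<Directory>` block with `Require all granted` covers that path and nothing wider. The same block is copied into the second vhost in PATCH 208; a shared `Include`d snippet would keep the two copies in step. Separately, the unchanged context lines `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:…` and `SSLProtocol ALL -SSLv2` leave RC4 first in the cipher list and SSLv3 enabled, which deserves a follow-up change.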
diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg index 7783d0c31e..b569395276 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg +++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg @@ -2,8 +2,8 @@ from datetime import timedelta INSTANCE_NAME= '{{ pagure_instance_name }}' -THEME_TEMPLATE_FOLDER='/var/www/upstreamfirst-paguretheme/templates' -THEME_STATIC_FOLDER='/var/www/upstreamfirst-paguretheme/static' +THEME_TEMPLATE_FOLDER='{{ pagure_theme_template_dir }}' +THEME_STATIC_FOLDER='{{ pagure_theme_static_dir }}' ### Set the time after which the admin session expires # There are two sessions on pagure, login that holds for 31 days and From acb5a6627a88b62a56f586351166e918ab2a4b57 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 23 May 2017 04:17:48 +0000 Subject: [PATCH 207/308] trying to fix custom theme changes --- .../host_vars/upstreamfirst.fedorainfracloud.org | 4 ++-- .../upstreamfirst-frontend/templates/0_pagure.conf | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org index abb9fc82d3..0e05d493a2 100644 --- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org +++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org @@ -91,8 +91,8 @@ pagure_ssh_host_sha256: 'SHA256:ggRdzg+ugyR6WIzeiuyASAdEHf+HG5yZqJJIu/YTtHI=' new_pagure_admin_groups: ['sysadmin-main', 'sysadmin-qa'] pagure_instance_name: "Upstream First Pagure" -pagure_theme_static_dir:'/var/www/upstreamfirst-paguretheme/static' -pagure_theme_template_dir:'/var/www/upstreamfirst-paguretheme/templates' +pagure_theme_static_dir: "/var/www/upstreamfirst-paguretheme/static" +pagure_theme_template_dir: "/var/www/upstreamfirst-paguretheme/templates" stunnel_service: "eventsource" stunnel_source_port: 8088 
diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf index 0ecbe9943a..2b1f1bf688 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf +++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf @@ -117,14 +117,14 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL SSLProtocol ALL -SSLv2 -# Configure static files so that a custom theme can override the defaults -# -RewriteCond "{{ pagure_theme_static_dir }}/$1" -f -RewriteRule "^/static/(.*)" "{{ pagure_theme_static_dir }}/$1" [L] + # Configure static files so that a custom theme can override the defaults -# Use the application default theme for files not customized + RewriteCond "{{ pagure_theme_static_dir }}/$1" -f + RewriteRule "^/static/(.*)" "{{ pagure_theme_static_dir }}/$1" [L] -RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pagure/static/$1" [L] + # Use the application default theme for files not customized + + RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pagure/static/$1" [L] WSGIProcessGroup paguredocs From 1efd997013bc267f81249d48924857c412a0a227 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 23 May 2017 04:21:27 +0000 Subject: [PATCH 208/308] add static rewrite rules to all the virtual hosts --- .../upstreamfirst-frontend/templates/0_pagure.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf index 2b1f1bf688..5398bb1271 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf +++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf 
@@ -78,6 +78,16 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na git-(upload|receive)-pack))$" \ /usr/libexec/git-core/git-http-backend/$1 + # Configure static files so that a custom theme can override the defaults + + RewriteCond "{{ pagure_theme_static_dir }}/$1" -f + RewriteRule "^/static/(.*)" "{{ pagure_theme_static_dir }}/$1" [L] + + # Use the application default theme for files not customized + + RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pagure/static/$1" [L] + + WSGIProcessGroup pagure From 2fb93d39c49459f85274c5f682319ee12605708c Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 23 May 2017 04:24:32 +0000 Subject: [PATCH 209/308] turning on rewrite engine helps when using rewrites --- roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf index 5398bb1271..dc1dbefb4b 100644 --- a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf +++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf @@ -79,6 +79,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na /usr/libexec/git-core/git-http-backend/$1 # Configure static files so that a custom theme can override the defaults + RewriteEngine on RewriteCond "{{ pagure_theme_static_dir }}/$1" -f RewriteRule "^/static/(.*)" "{{ pagure_theme_static_dir }}/$1" [L] @@ -128,6 +129,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na SSLProtocol ALL -SSLv2 # Configure static files so that a custom theme can override the defaults + RewriteEngine on RewriteCond "{{ pagure_theme_static_dir }}/$1" -f RewriteRule "^/static/(.*)" "{{ pagure_theme_static_dir }}/$1" [L] From fedf0525b060bbba4c53512b9770e53e677cd633 Mon Sep 17 00:00:00 2001 
From: clime Date: Tue, 23 May 2017 11:21:05 +0200 Subject: [PATCH 210/308] copr-dist-git: make /tmp tmpfs mount larger in size --- roles/copr/dist_git/tasks/mount_fs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/copr/dist_git/tasks/mount_fs.yml b/roles/copr/dist_git/tasks/mount_fs.yml index bdfee5e599..865dbf82ea 100644 --- a/roles/copr/dist_git/tasks/mount_fs.yml +++ b/roles/copr/dist_git/tasks/mount_fs.yml @@ -12,4 +12,4 @@ when: not devel - name: mount tmp on tmpfs - mount: name=/tmp src=tmpfs fstype=tmpfs state=mounted opts=defaults,size=6G + mount: name=/tmp src=tmpfs fstype=tmpfs state=mounted opts=defaults,size=39G From f4f0d9338e73da7c5f562d9a187d7c4fe3462f7b Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 22 May 2017 02:45:40 +0000 Subject: [PATCH 211/308] Unset Accept-Encoding for kojipkgs python-requests sets this to "gzip, deflate", and when it tries to download an aarch64 vmlinuz, it gets (correctly) reported as Encoding: gzip. This triggers automatic gzip decompression by urllib3, resulting in the following error: Expected to download 6529431 bytes, downloaded 15618560 Unsetting Accept-Encoding request header tells mod_deflate it should not send the Encoding: gzip header, avoiding the auto-decompression by urllib3. Signed-off-by: Patrick Uiterwijk --- roles/kojipkgs/files/kojipkgs.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/kojipkgs/files/kojipkgs.conf b/roles/kojipkgs/files/kojipkgs.conf index 5779a7406d..cf8ea56095 100644 --- a/roles/kojipkgs/files/kojipkgs.conf +++ b/roles/kojipkgs/files/kojipkgs.conf @@ -1,5 +1,7 @@ ServerName https://kojipkgs.fedoraproject.org +RequestHeader unset Accept-Encoding early + CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/kojipkgs01.fedoraproject.org-access.log.%Y-%m-%d 86400" combined ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/kojipkgs01.fedoraproject.org-error.log.%Y-%m-%d 86400" From 016f7ec5c24fd03ae3ccda0b8bc06573c924da29 Mon Sep 17 00:00:00 2001 
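Review bot: Raising the `/tmp` tmpfs to `size=39G` in `mount_fs.yml` means up to 39G of RAM plus swap can be consumed by files in a world-writable directory, and the mount options are still just `defaults`. Nothing in the hunk ties the size to the host's memory, so a variable (for example a host var with the old 6G as default) would make the limit reviewable per machine. I would also harden the mount with `opts=defaults,nosuid,nodev,size=39G`; `noexec` is worth considering as well, but may break build steps that execute from `/tmp`, so that one needs testing.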
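Review bot: `RequestHeader unset Accept-Encoding early` in `kojipkgs.conf` is server-wide and has no comment, so the reason for disabling compression for every client lives only in the commit message. I would add above it something like `# Strip Accept-Encoding so no Content-Encoding: gzip is sent; urllib3 otherwise auto-decompresses gzip'd artifacts (e.g. aarch64 vmlinuz) and the size check fails`. If compressed directory listings or metadata still matter, the directive could instead be scoped to the affected paths, or mod_deflate's `no-gzip` environment variable set for them, rather than applied to all requests.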
From: clime Date: Tue, 23 May 2017 16:37:17 +0200 Subject: [PATCH 212/308] copr-mbs: module build fix --- roles/copr/mbs/templates/config.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/copr/mbs/templates/config.py b/roles/copr/mbs/templates/config.py index a9c3ed68da..911211da1a 100644 --- a/roles/copr/mbs/templates/config.py +++ b/roles/copr/mbs/templates/config.py @@ -37,6 +37,11 @@ class ProdConfiguration(base.ProdConfiguration): RPMS_ALLOW_CACHE = True MODULES_ALLOW_REPOSITORY = True + # Determines how many builds can be submitted to the builder + # and be in the build state at a time. Set this to 0 for no restrictions + # We can set some limit in the future, once we need it + NUM_CONSECUTIVE_BUILDS = 0 + class DevConfiguration(base.DevConfiguration): SYSTEM = 'copr' From bcfa71d2ab0013298892fde07d9392fcb83b5b60 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 23 May 2017 19:03:20 +0000 Subject: [PATCH 213/308] add fi-apprentice to packages stg --- inventory/group_vars/packages-stg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/packages-stg b/inventory/group_vars/packages-stg index d6b8e9940d..8fcfefa433 100644 --- a/inventory/group_vars/packages-stg +++ b/inventory/group_vars/packages-stg @@ -16,7 +16,7 @@ tcp_ports: [ 80, 443, # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-noc,sysadmin-web +fas_client_groups: sysadmin-noc,sysadmin-web,fi-apprentice # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: From f1a5412acce1d9ef2f206e292b1ed97f3547c77b Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 24 May 2017 10:33:01 +0000 Subject: [PATCH 214/308] Create Pagure attachments folder 
Signed-off-by: Patrick Uiterwijk --- roles/pagure/frontend/tasks/main.yml | 7 +++++++ roles/pagure/frontend/templates/pagure.cfg | 3 +++ 2 files changed, 10 insertions(+) diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index df0f438bc9..fc993175d6 100644 --- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml @@ -83,6 +83,13 @@ - gitolite - pagure +- name: create the /attachments folder + file: state=diretory + path=/srv/attachments + owner=git group=git mode=0775 + tags: + - pagure + - name: Adjust owner of /srv/git file: name=/srv/git state=directory recurse=yes owner=git group=git tags: diff --git a/roles/pagure/frontend/templates/pagure.cfg b/roles/pagure/frontend/templates/pagure.cfg index bc18c69434..601340e493 100644 --- a/roles/pagure/frontend/templates/pagure.cfg +++ b/roles/pagure/frontend/templates/pagure.cfg @@ -108,6 +108,9 @@ TICKETS_FOLDER = '/srv/git/repositories/tickets' ### Folder containing the clones of the remotes git repo REMOTE_GIT_FOLDER = '/srv/git/remotes' +### Folder containing out-of-git attachments cache +ATTACHMENTS_FOLDER = '/srv/attachments' + ### Configuration file for gitolite GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf' From 8c15cbaa829cabb9f8196da88d813075042bf7a4 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Wed, 24 May 2017 22:38:15 +0000 Subject: [PATCH 215/308] Enable fedmsg-rabbitmq-serializer for loopabull Signed-off-by: Adam Miller --- files/loopabull/serializer.py | 1 + playbooks/groups/loopabull.yml | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 files/loopabull/serializer.py diff --git a/files/loopabull/serializer.py b/files/loopabull/serializer.py new file mode 100644 index 0000000000..cdbbfd7f09 --- /dev/null +++ b/files/loopabull/serializer.py @@ -0,0 +1 @@ +config = { "rabbitmq.serializer.enabled": True } \ No newline at end of file 
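Review bot: `state=diretory` in the new "create the /attachments folder" task is misspelled, so the `file` module will reject the value and the play fails before `/srv/attachments` is created; it should read `file: state=directory`. The task name says `/attachments` while the path is `/srv/attachments`, which is worth aligning. `mode=0775` also lets every local account read and traverse the attachment cache; if attachments can belong to private tickets (not visible from this hunk), `mode=0770` with `owner=git group=git` would be the safer default.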
diff --git a/playbooks/groups/loopabull.yml b/playbooks/groups/loopabull.yml index cc6a4c3ddd..837f3a5ddc 100644 --- a/playbooks/groups/loopabull.yml +++ b/playbooks/groups/loopabull.yml @@ -54,8 +54,14 @@ src: "{{ private }}/files/loopabull/keys/{{ env }}_ociimage" dest: "/home/root/.ssh/id_rsa.loopabull_ociimage" mode: 0600 + - name: Install required packages + package: + name: python-fedmsg-rabbitmq-serializer + state: latest roles: + - rabbitmq + - fedmsg/base - { role: loopabull, plugin: fedmsg, @@ -68,3 +74,18 @@ } +- name: Post Loopabull install configuration + hosts: loopabull-stg + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" + + tasks: + - name: Enable fedmsg-rabbitmq-serializer + copy: + src: files/loopabull/serializer.py + dest: /etc/fedmsg.d/serializer.py From 57f02e9a603f87a53403f031401e506972629219 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Wed, 24 May 2017 22:48:45 +0000 Subject: [PATCH 216/308] include main handlers for all plays in loopabull Signed-off-by: Adam Miller --- playbooks/groups/loopabull.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/groups/loopabull.yml b/playbooks/groups/loopabull.yml index 837f3a5ddc..8adaadfc07 100644 --- a/playbooks/groups/loopabull.yml +++ b/playbooks/groups/loopabull.yml @@ -40,6 +40,9 @@ - "/srv/private/ansible/vars.yml" - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + tasks: - name: git clone the releng-automation playbook repo git: @@ -84,6 +87,9 @@ - "/srv/private/ansible/vars.yml" - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + tasks: - name: Enable fedmsg-rabbitmq-serializer copy: From 547db8757f0de010eef53d6e372cc3db042e9e8c Mon Sep 17 00:00:00 2001 
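Review bot: The new `copy` task that installs `/etc/fedmsg.d/serializer.py` sets no `owner`, `group` or `mode` and notifies no handler, so the file's permissions depend on the umask of the run, and a running fedmsg consumer presumably keeps its old configuration until it is restarted by hand. I would add `owner: root`, `group: root`, `mode: 0644` and a `notify:` for the relevant service. In the first hunk, `state: latest` for `python-fedmsg-rabbitmq-serializer` upgrades the package on every playbook run; `state: present` keeps runs repeatable and leaves upgrades to the normal update process. The second play is also pinned to `hosts: loopabull-stg`; if that is deliberate, a comment saying production is excluded would help.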
From: Adam Miller Date: Wed, 24 May 2017 22:55:20 +0000 Subject: [PATCH 217/308] use the appropriate {{files}} location for loopabull src config Signed-off-by: Adam Miller --- playbooks/groups/loopabull.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/loopabull.yml b/playbooks/groups/loopabull.yml index 8adaadfc07..701d1ae725 100644 --- a/playbooks/groups/loopabull.yml +++ b/playbooks/groups/loopabull.yml @@ -93,5 +93,5 @@ tasks: - name: Enable fedmsg-rabbitmq-serializer copy: - src: files/loopabull/serializer.py - dest: /etc/fedmsg.d/serializer.py + src: "{{files}}/loopabull/serializer.py" + dest: "/etc/fedmsg.d/serializer.py" From da93821e5c1450adae6d88b581687eacbde18bc7 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 25 May 2017 15:35:26 +0000 Subject: [PATCH 218/308] adding python2-openidc-client to upstreamfirst pagure packages --- roles/pagure/upstreamfirst-frontend/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/pagure/upstreamfirst-frontend/tasks/main.yml b/roles/pagure/upstreamfirst-frontend/tasks/main.yml index 513c254ed4..f328d54670 100644 --- a/roles/pagure/upstreamfirst-frontend/tasks/main.yml +++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml @@ -18,6 +18,8 @@ - stunnel # Use haveged to ensure the server keeps some entropy - haveged + # make sure python2-openidc-client is installed + - python2-openidc-client tags: - pagure - packages From c40d6a5ebdb0a2f6b808e7e214b4f5a0127e6a7e Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Thu, 25 May 2017 15:51:18 +0000 Subject: [PATCH 219/308] adding main.cf for upstreamfirst.fedorainfracloud.org --- ...main.cf.upstreamfirst.fedorainfracloud.org | 687 ++++++++++++++++++ 1 file changed, 687 insertions(+) create mode 100644 roles/base/files/postfix/main.cf/main.cf.upstreamfirst.fedorainfracloud.org 
diff --git a/roles/base/files/postfix/main.cf/main.cf.upstreamfirst.fedorainfracloud.org b/roles/base/files/postfix/main.cf/main.cf.upstreamfirst.fedorainfracloud.org new file mode 100644 index 0000000000..293c0c1652 --- /dev/null +++ b/roles/base/files/postfix/main.cf/main.cf.upstreamfirst.fedorainfracloud.org 
@@ -0,0 +1,687 @@ +# "false" +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. +# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. +# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/sbin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = /usr/libexec/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. 
Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. +# +#myhostname = host.domain.tld +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. +# $mydomain is used as a default value for many other configuration +# parameters. +# +#mydomain = domain.tld + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +#myorigin = $myhostname +#myorigin = $mydomain + +mydomain = fedoraproject.org +myorigin = fedoraproject.org + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. 
By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost +inet_interfaces = all + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. +# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. +# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain. On a mail domain +# gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). 
+# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". +# +mydestination = $myhostname, localhost.$mydomain, fedora.redhat.com, localhost +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, +# mail.$mydomain, www.$mydomain, ftp.$mydomain + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. +# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. 
+# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. +# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. +# +unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = subnet), Postfix "trusts" SMTP +# clients in the same IP subnetworks as the local machine. +# On Linux, this does works correctly only with interfaces specified +# with the "ifconfig" command. 
+# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. +# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. +# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). +# +#mynetworks = 168.100.189.0/28, 127.0.0.0/8 +#mynetworks = $config_directory/mynetworks +#mynetworks = hash:/etc/postfix/network_table + + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. See the smtpd_recipient_restrictions description in +# postconf(5) for detailed information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is $mydestination. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. 
+# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. +# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). +# +#relay_domains = $mydestination + + + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. +# +#relayhost = $mydomain +#relayhost = [gateway.my.domain] +#relayhost = [mailserver.isp.tld] +#relayhost = uucphost +#relayhost = [an.ip.add.ress] +#relayhost = bastion + + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. 
+# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. +# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +masquerade_domains = redhat.com +masquerade_exceptions = root apache + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. 
+# +#alias_maps = dbm:/etc/aliases +alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. +# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). +# +#home_mailbox = Mailbox +#home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. 
+# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /usr/bin/procmail +#mailbox_command = /some/where/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp + +# If using the cyrus-imapd IMAP server deliver local mail to the IMAP +# server using LMTP (Local Mail Transport Protocol), this is prefered +# over the older cyrus deliver program by setting the +# mailbox_transport as below: +# +# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp +# +# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via +# these settings. 
+# +# local_destination_recipient_limit = 300 +# local_destination_concurrency_limit = 5 +# +# Of course you should adjust these settings as appropriate for the +# capacity of the hardware you are using. The recipient limit setting +# can be used to take advantage of the single instance message store +# capability of Cyrus. The concurrency limit can be used to control +# how many simultaneous LMTP sessions will be permitted to the Cyrus +# message store. +# +# To use the old cyrus deliver program you have to set: +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp +#fallback_transport = + +#transport_maps = hash:/etc/postfix/transport +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. +# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. 
Specify ${name?value} or +# ${name:value} to expand value only when $name does (does not) exist. +# +# luser_relay works only for the default Postfix local delivery agent. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must specify "local_recipient_maps =" (i.e. empty) in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#luser_relay = $user@other.host +#luser_relay = $local@other.host +#luser_relay = admin+$local + +# JUNK MAIL CONTROLS +# +# The controls listed here are only a very small subset. The file +# SMTPD_ACCESS_README provides an overview. + +# The header_checks parameter specifies an optional table with patterns +# that each logical message header is matched against, including +# headers that span multiple physical lines. +# +# By default, these patterns also apply to MIME headers and to the +# headers of attached messages. With older Postfix versions, MIME and +# attached message headers were treated as body text. +# +# For details, see "man header_checks". +# +header_checks = regexp:/etc/postfix/header_checks + +# FAST ETRN SERVICE +# +# Postfix maintains per-destination logfiles with information about +# deferred mail, so that mail can be flushed quickly with the SMTP +# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". +# See the ETRN_README document for a detailed description. +# +# The fast_flush_domains parameter controls what destinations are +# eligible for this service. By default, they are all domains that +# this server is willing to relay mail to. +# +#fast_flush_domains = $relay_domains + +# SHOW SOFTWARE VERSION OR NOT +# +# The smtpd_banner parameter specifies the text that follows the 220 +# code in the SMTP server's greeting banner. Some people like to see +# the mail version advertised. By default, Postfix shows no version. +# +# You MUST specify $myhostname at the start of the text. 
That is an +# RFC requirement. Postfix itself does not care. +# +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) + +# PARALLEL DELIVERY TO THE SAME DESTINATION +# +# How many parallel deliveries to the same user or domain? With local +# delivery, it does not make sense to do massively parallel delivery +# to the same user, because mailbox updates must happen sequentially, +# and expensive pipelines in .forward files can cause disasters when +# too many are run at the same time. With SMTP deliveries, 10 +# simultaneous connections to the same domain could be sufficient to +# raise eyebrows. +# +# Each message delivery transport has its XXX_destination_concurrency_limit +# parameter. The default is $default_destination_concurrency_limit for +# most delivery transports. For the local delivery agent the default is 2. + +#local_destination_concurrency_limit = 2 +#default_destination_concurrency_limit = 20 + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. +# +debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. +# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain + +# The debugger_command specifies the external command that is executed +# when a Postfix daemon program is run with the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. 
+# +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + xxgdb $daemon_directory/$process_name $process_id & sleep 5 + +# If you can't use X, use this to capture the call stack when a +# daemon crashes. The result is in a file in the configuration +# directory, and is named after the process name and the process ID. +# +# debugger_command = +# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; +# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 +# >$config_directory/$process_name.$process_id.log & sleep 5 +# +# Another possibility is to run gdb under a detached screen session. +# To attach to the screen sesssion, su root and run "screen -r +# " where uniquely matches one of the detached +# sessions (from "screen -list"). +# +# debugger_command = +# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen +# -dmS $process_name gdb $daemon_directory/$process_name +# $process_id & sleep 1 + +# INSTALL-TIME CONFIGURATION INFORMATION +# +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# +sendmail_path = /usr/sbin/sendmail.postfix + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. +# +newaliases_path = /usr/bin/newaliases.postfix + +# mailq_path: The full pathname of the Postfix mailq command. This +# is the Sendmail-compatible mail queue listing command. +# +mailq_path = /usr/bin/mailq.postfix + +# setgid_group: The group for mail submission and queue management +# commands. This must be a group name with a numerical group ID that +# is not shared with other accounts, not even with the Postfix account. +# +setgid_group = postdrop + +# html_directory: The location of the Postfix HTML documentation. 
+# +html_directory = no + +# manpage_directory: The location of the Postfix on-line manual pages. +# +manpage_directory = /usr/share/man + +# sample_directory: The location of the Postfix sample configuration files. +# This parameter is obsolete as of Postfix 2.1. +# +sample_directory = /usr/share/doc/postfix-2.4.5/samples + +# readme_directory: The location of the Postfix README files. +# +readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES + +# add this to new postfix to get it to add proper message-id and other +# headers to outgoing emails via the gateway. + + +message_size_limit = 20971520 +#inet_protocols = ipv4 From 03916461a88a8b0c995032d3dfe7e719e2a20875 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 25 May 2017 18:14:13 +0000 Subject: [PATCH 220/308] Bump ping4 builder RTA, since it keeps alerting and we can't do anything about it Signed-off-by: Ricky Elrod --- roles/nagios_server/files/nagios/services/ping.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios_server/files/nagios/services/ping.cfg b/roles/nagios_server/files/nagios/services/ping.cfg index 368db101bf..6ba317e85d 100644 --- a/roles/nagios_server/files/nagios/services/ping.cfg +++ b/roles/nagios_server/files/nagios/services/ping.cfg @@ -8,7 +8,7 @@ define service { define service { hostgroup_name buildvm-armv7, buildvm-s390x, buildvm-s390 service_description ICMP-Ping4-vm-builders - check_command check_ping4!350.0,20%!1000.0,80% + check_command check_ping4!1500.0,20%!2500.0,80% use criticaltemplate } From 04e93913b4b4b6b3758494285458422b2ca24e73 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 25 May 2017 19:35:48 +0000 Subject: [PATCH 221/308] update openshift ca from current install --- roles/haproxy/files/os-master.staging.pem | 28 +++++++++++------------ 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/haproxy/files/os-master.staging.pem b/roles/haproxy/files/os-master.staging.pem index c00c217e42..0acb14dad0 100644 
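Review bot: `inet_interfaces = all` is set in the new main.cf while `mynetworks` and `mynetworks_style` stay commented out, so the SMTP listener is reachable on every interface and the relay trust list is left to the Postfix default. The file's own comment describes that default as the machine's IP subnets, which on a cloud instance may include hosts outside the project's control; newer Postfix releases default to host-only, so the effective value depends on the installed version and compatibility level. If this host only sends mail, `inet_interfaces = localhost` closes the listener; otherwise pin the trust list with `mynetworks_style = host` or an explicit `mynetworks = 127.0.0.0/8`, and confirm with `postconf mynetworks mynetworks_style` on the host. Separately, the first line `# "false"` and the `postfix-2.4.5` paths in `sample_directory` and `readme_directory` look like residue from an older template and are worth checking.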
--- a/roles/haproxy/files/os-master.staging.pem +++ b/roles/haproxy/files/os-master.staging.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu -c2hpZnQtc2lnbmVyQDE0OTQ2MDA2OTIwHhcNMTcwNTEyMTQ1MTMxWhcNMjIwNTEx -MTQ1MTMyWjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE0OTQ2MDA2OTIw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLSVE9kCsY8L8ehCNN/wSp -68oqHGODpWQfs4ROnromqpJWySp5JW2XpDDFtdmjAax/f1jzqZhIKiHmDjLd6jYH -9XJEFBqqnO6j4HOtHgxerTy5rlJDf+LynJzArkhyWKbt8Hq8COoGm3F9j8e+8M7o -nohsYAT5S8mRiL9XCLAVOdgV2ZagN9rJFsHVrfYGKraoNnCww8AKhoSl2OHntsNg -gZRTeovviiwDmxnTgtwyaa0LoXfJlm9dpz23XTFIlKswFms+viw58Izpwb6PisIU -VT/xVaD1fVwP+ko//ixz4g7ayJEKq1togtRdv7zBPWqo/yAfINDf6o+vC683Yv7F +c2hpZnQtc2lnbmVyQDE0OTQ5ODA0MzgwHhcNMTcwNTE3MDAyMDM4WhcNMjIwNTE2 +MDAyMDM5WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE0OTQ5ODA0Mzgw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaK2gwEPAesGrhGCaDhQcw +P14KB0FtybxLEHB++/n+RUbO1Gb1/E/pxqVuJisCCj+MdX7Vw9VSExrMPmTNjnNo +N+aRN7etvod/OpncNmybUGmbp1FoJgFFaouniAckW4RAYMJFyGwnaRMZvpt2GB8a +BzC6ZNm7Ev7lXucH9YOm3TQ+cae8bLQQxAxTuf49vTg7aLw4wlsFsJC+p3QYvqhO +Yx/93/WJBy+oMy4sKncr9KRtrcN3+j1Rdzn7kPSidyZLvUsr9AI5IoZBfZMSgSGa +Z4z2ek9hiK3hAgQhn3lterJpmP3nmVUfoEqvmfVRCpyq4gN1SpJ8fqTyMH4M3l1p AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG -SIb3DQEBCwUAA4IBAQA4qpitjNaKSQruPK/zlKigW0XKCJhI09h4xXXOC3mKgPTm -p3KkdwJ7oVOF29z+7EhVSu6TthOORLdIO0O3kfvUzOl4PFgH0Xy8E4Cqbmk+eE27 -muEnevOwdvJ8ktO/IzAdI6u8mVKb11pSvEdQJZbcHt0HRUlAx7bhhdWyiMp4/cHi -fKi2ZuQJnDHFASFhPUj08+/iTJdk2cYtZHDtGWDCK1JJ7HimxcggTQ9+Es3zzZ6L -74zWxlB8/4hEF16Q1FfYFfImUCpwUG7RENBDowcAsa5ck3S1i0ZgatJlYMbDBaGP -BppL2SaNEqogVFgF0L9dN6ma34dB1ohM1IqYaSdM +SIb3DQEBCwUAA4IBAQARVmLKy3TwUOX7+rS6LtbJQgrty71BZsjuE7g4FZ2K4K9r +WqiVa7OJCneWDKWO2zeSUjI7hrOiKEFiG1bfgJPThTKpw7iwcuDq/UipXiIy54Kn +aALePUqv06Q05eZD9RgWX+ON/WXHnOflQY+RE1i6nHnH/bYwGMRkbaWmv/m9P+e3 +tUH+lva4efjow1KNdS2H7jfCIR0dkWIOVCU++K9csw7lQ6wFtDZPP5Yqrn1p37oU +kv9T+a4XzaPgao0QV4RT2NpxsFBksXyuxfNNsuhmQzRenMax1vhwc49/Fze40BGW +tCsncj89Tk7bfx3oFgC6rY/gt3ImwUooaxuOkbqt -----END 
CERTIFICATE----- From a2281d18eb044b73ffdd642f4e73fa3a1f7abcd9 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 25 May 2017 22:43:16 +0000 Subject: [PATCH 222/308] fix easyfix --- roles/easyfix/gather/files/template.html | 2 +- .../gather/templates/gather_easyfix.py | 39 +------------------ 2 files changed, 2 insertions(+), 39 deletions(-) diff --git a/roles/easyfix/gather/files/template.html b/roles/easyfix/gather/files/template.html index 3e1ab6f02f..3efdf26eae 100644 --- a/roles/easyfix/gather/files/template.html +++ b/roles/easyfix/gather/files/template.html @@ -113,7 +113,7 @@
diff --git a/roles/easyfix/gather/templates/gather_easyfix.py b/roles/easyfix/gather/templates/gather_easyfix.py index 14bba92e1f..13c1d4d589 100755 --- a/roles/easyfix/gather/templates/gather_easyfix.py +++ b/roles/easyfix/gather/templates/gather_easyfix.py @@ -41,8 +41,7 @@ from kitchen.text.converters import to_bytes from jinja2 import Template __version__ = '0.1.1' -bzclient = RHBugzilla(url='https://bugzilla.redhat.com/xmlrpc.cgi', - cookiefile=None) +bzclient = RHBugzilla(url='https://bugzilla.redhat.com/xmlrpc.cgi', cookiefile=None, tokenfile=None) # So the bugzilla module has some way to complain logging.basicConfig() logger = logging.getLogger('bugzilla') @@ -173,27 +172,6 @@ def gather_project(): return projects -def get_open_tickets_for_keyword(project, keyword): - """ For a given project return the tickets ID which have the given - keyword attached. - :arg project, name of the project on fedorahosted.org - :arg keyword, search the trac for open tickets having this keyword - in the keywords field. - """ - tickets = [] - try: - server = xmlrpclib.ServerProxy( - 'https://fedorahosted.org/%s/rpc' % project) - query = 'status=assigned&status=new&status=reopened&' \ - 'keywords=~%s' % keyword - for ticket in server.ticket.query(query): - tickets.append(server.ticket.get(ticket)) - except xmlrpclib.Error, err: - print ' Could not retrieve information for project: %s' % project - print ' Error: %s' % err - return tickets - - def parse_arguments(): parser = argparse.ArgumentParser(__doc__) parser.add_argument( 
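Review bot: The rewritten `bzclient = RHBugzilla(...)` line passes `cookiefile=None, tokenfile=None` without saying why. In python-bugzilla these settings keep the client from reading or writing cached login cookies and tokens on disk, so they are easy to lose in a later cleanup if their purpose is not recorded. A comment above the call such as `# anonymous client: never load or store cached bugzilla credentials` would document the intent. The call also now runs to roughly 100 columns on one line where the previous version was wrapped; keeping the wrap would match the surrounding style as far as the hunk shows.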
@@ -269,21 +247,6 @@ def main(): project.name, ticket['id']) ticketobj.status = ticket['status'] tickets.append(ticketobj) - else: - project.url = 'https://fedorahosted.org/%s/' % (project.name) - project.site = 'trac' - for ticket in get_open_tickets_for_keyword(project.name, - project.tag): - ticket_num = ticket_num + 1 - ticketobj = Ticket() - ticketobj.id = ticket[0] - ticketobj.title = ticket[3]['summary'] - ticketobj.url = 'https://fedorahosted.org/%s/ticket/%s' %( - project.name, ticket[0]) - ticketobj.status = ticket[3]['status'] - ticketobj.type = ticket[3]['type'] - ticketobj.component = ticket[3]['component'] - tickets.append(ticketobj) project.tickets = tickets bzbugs = gather_bugzilla_easyfix() From 85de66a9bae6ca1083509e36519be67c0de5efb6 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 26 May 2017 18:24:44 +0000 Subject: [PATCH 223/308] disable copr-dist-git backups for now --- inventory/backups | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/backups b/inventory/backups index 152064c74b..eb23e03553 100644 --- a/inventory/backups +++ b/inventory/backups @@ -17,7 +17,7 @@ db-koji01.phx2.fedoraproject.org #copr-be.cloud.fedoraproject.org copr-fe.cloud.fedoraproject.org copr-keygen.cloud.fedoraproject.org -copr-dist-git.fedorainfracloud.org +#copr-dist-git.fedorainfracloud.org value01.phx2.fedoraproject.org taiga.fedorainfracloud.org taskotron01.qa.fedoraproject.org From 3a7972233a1ea2bc1b2329ae4b32535effdf8948 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 26 May 2017 19:20:41 +0000 Subject: [PATCH 224/308] do the right thing on failovers on pgbdr --- .../keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org | 2 ++ .../keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org | 2 ++ 2 files changed, 4 insertions(+) 
diff --git a/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org b/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org index 76b2255aa4..69d8623ef1 100644 --- a/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org +++ b/roles/keepalived/files/keepalived-notify.sh.pgbdr01.stg.phx2.fedoraproject.org @@ -14,11 +14,13 @@ fi # We are becoming the backup node # if [ $STATE == "BACKUP" ]; then + systemctl restart posgresql-9.4 logger "just became keepalived backup" fi # # something horrible has gone wrong # if [ $STATE == "FAULT" ]; then + systemctl stop posgresql-9.4 logger "just had a keepalived fault" fi diff --git a/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org b/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org index 76b2255aa4..69d8623ef1 100644 --- a/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org +++ b/roles/keepalived/files/keepalived-notify.sh.pgbdr02.stg.phx2.fedoraproject.org @@ -14,11 +14,13 @@ fi # We are becoming the backup node # if [ $STATE == "BACKUP" ]; then + systemctl restart posgresql-9.4 logger "just became keepalived backup" fi # # something horrible has gone wrong # if [ $STATE == "FAULT" ]; then + systemctl stop posgresql-9.4 logger "just had a keepalived fault" fi From f207778a0e5aceba6c18885be7478317aaeab4b0 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Fri, 26 May 2017 23:09:02 +0000 Subject: [PATCH 225/308] add simple monitoring for pagure's celery redis queue 
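Review bot: The unit name in both added lines is spelled `posgresql-9.4`, which looks like a typo for `postgresql-9.4`. If so, `systemctl restart` on BACKUP and `systemctl stop` on FAULT fail with a unit-not-found error and the database stays in the state the failover was meant to change. The same two lines are added to the pgbdr02 copy of the script. Nothing checks the exit status, so the failure is silent apart from the `logger` line that follows; consider `systemctl stop postgresql-9.4 || logger "failed to stop postgresql on keepalived fault"`. The script body starts outside the hunk.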
Signed-off-by: Ricky Elrod --- .../files/scripts/check_redis_queue.sh | 23 +++++++++++++++++++ roles/nagios_client/tasks/main.yml | 2 ++ .../templates/check_celery_redis_queue.cfg.j2 | 1 + .../files/nagios/services/pagure_redis.cfg | 6 +++++ 4 files changed, 32 insertions(+) create mode 100644 roles/nagios_client/files/scripts/check_redis_queue.sh create mode 100644 roles/nagios_client/templates/check_celery_redis_queue.cfg.j2 create mode 100644 roles/nagios_server/files/nagios/services/pagure_redis.cfg diff --git a/roles/nagios_client/files/scripts/check_redis_queue.sh b/roles/nagios_client/files/scripts/check_redis_queue.sh new file mode 100644 index 0000000000..ca1f186e06 --- /dev/null +++ b/roles/nagios_client/files/scripts/check_redis_queue.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +. /usr/lib64/nagios/plugins/utils.sh + +if [[ "$#" -ne 3 ]]; then + echo "Arguments: key warn crit" + exit $STATE_UNKNOWN +fi + +tasks="$(redis-cli llen "$1" | awk '{print $1}')" + +check_range $tasks $2:$3 +status=$? + +if [[ "$status" == "$STATE_OK" ]]; then + echo "OK: $1 queue has $tasks tasks" +elif [[ "$status" == "$STATE_WARNING" ]]; then + echo "WARNING: $1 queue has $tasks tasks" +elif [[ "$status" == "$STATE_CRITICAL" ]]; then + echo "CRITICAL: $1 queue has $tasks tasks" +fi + +exit $status diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 714be36154..22ddd4f046 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -73,6 +73,7 @@ - check_osbs_builds.py - check_osbs_api.py - check_ipa_replication + - check_redis_queue.sh when: not inventory_hostname.startswith('noc') tags: - nagios_client @@ -146,6 +147,7 @@ - check_koschei_watcher_proc.cfg - check_testcloud.cfg - check_mirrorlist_docker_proxy.cfg + - check_celery_redis_queue.cfg notify: - restart nrpe tags: 
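Review bot: `tasks` in check_redis_queue.sh is used without checking that `redis-cli llen` returned a number. If Redis is down, requires authentication, or the key is not a list, `$tasks` is empty or an error word, the unquoted `check_range $tasks $2:$3` receives shifted arguments, and when `status` matches none of the three branches the plugin exits without printing anything. A guard before the range check makes the failure visible: `[[ "$tasks" =~ ^[0-9]+$ ]] || { echo "UNKNOWN: no length for $1"; exit $STATE_UNKNOWN; }`, together with quoting `"$tasks" "$2:$3"`. It is also worth confirming the return convention of `check_range` in the installed utils.sh, since `$2:$3` is passed as one range rather than as separate warning and critical thresholds.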
diff --git a/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2 b/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2 new file mode 100644 index 0000000000..56279f3fe3 --- /dev/null +++ b/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2 @@ -0,0 +1 @@ +command[check_celery_redis_queue]=/usr/lib64/nagios/plugins/check_redis_queue.sh celery 5 10 diff --git a/roles/nagios_server/files/nagios/services/pagure_redis.cfg b/roles/nagios_server/files/nagios/services/pagure_redis.cfg new file mode 100644 index 0000000000..d5387d08f2 --- /dev/null +++ b/roles/nagios_server/files/nagios/services/pagure_redis.cfg @@ -0,0 +1,6 @@ +define service { + host_name pagure01.fedoraproject.org + service_description Redis/celery queue + check_command check_by_nrpe!check_celery_redis_queue + use defaulttemplate +} From 51de15b8ccdd66083879bddf3dbe1e98a74dfe86 Mon Sep 17 00:00:00 2001 From: Robert Mayr Date: Mon, 29 May 2017 21:46:06 +0000 Subject: [PATCH 226/308] build stg websites from f26-beta branch --- roles/fedora-web/build/files/syncStatic.stg.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fedora-web/build/files/syncStatic.stg.sh b/roles/fedora-web/build/files/syncStatic.stg.sh index 86198df5c3..270975e1d2 100644 --- a/roles/fedora-web/build/files/syncStatic.stg.sh +++ b/roles/fedora-web/build/files/syncStatic.stg.sh @@ -45,7 +45,7 @@ cd /srv/web/fedora-websites /usr/bin/git clean -q -fdx || exit 1 /usr/bin/git reset -q --hard || exit 1 -/usr/bin/git checkout -q f26-alpha || exit 1 +/usr/bin/git checkout -q f26-beta || exit 1 /usr/bin/git pull -q --ff-only || exit 1 build spins.fedoraproject.org From 1cb3a9ae199ff1834e9e3470e234821fda342ad2 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 30 May 2017 13:49:41 +0000 Subject: [PATCH 227/308] Make the CI host as not-freeze, at least for now --- inventory/group_vars/ci | 1 + 1 file changed, 1 insertion(+) 
diff --git a/inventory/group_vars/ci b/inventory/group_vars/ci index 67134f4033..36e573b726 100644 --- a/inventory/group_vars/ci +++ b/inventory/group_vars/ci @@ -17,6 +17,7 @@ nrpe_procs_crit: 300 external_hostname: resultsdb.ci.centos.org deployment_type: prod +freezes: false # # PostgreSQL configuration From 18e12646961c3e5cd693da17eb71297e5f427aa9 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 30 May 2017 17:18:53 +0200 Subject: [PATCH 228/308] Add the configuration and role for ccsdb --- inventory/group_vars/ci | 15 +++++- roles/ccsdb/tasks/main.yml | 82 ++++++++++++++++++++++++++++++++ roles/ccsdb/templates/ccsdb.cfg | 7 +++ roles/ccsdb/templates/ccsdb.wsgi | 4 ++ 4 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 roles/ccsdb/tasks/main.yml create mode 100644 roles/ccsdb/templates/ccsdb.cfg create mode 100644 roles/ccsdb/templates/ccsdb.wsgi diff --git a/inventory/group_vars/ci b/inventory/group_vars/ci index 36e573b726..5224b289a8 100644 --- a/inventory/group_vars/ci +++ b/inventory/group_vars/ci @@ -57,7 +57,7 @@ resultsdb_frontend_secret_key: "{{ ci_resultsdb_frontend_secret_key }}" ########################################################### # execdb details -############################################################ +########################################################### execdb_db_host_machine: ci-cc-rdu01.fedoraproject.org execdb_db_host: "{{ execdb_db_host_machine }}" execdb_db_port: 5432 
@@ -68,6 +68,19 @@ execdb_db_password: "{{ ci_execdb_db_password }}" execdb_secret_key: "{{ ci_execdb_secret_key }}" +########################################################### +# ccsdb details +########################################################### +ccsdb_db_host_machine: ci-cc-rdu01.fedoraproject.org +ccsdb_db_host: "{{ ccsdb_db_host_machine }}" +ccsdb_db_port: 5432 +ccsdb_endpoint: 'ccsdb' +ccsdb_db_name: ccsdb +ccsdb_db_user: "{{ ci_ccsdb_db_user }}" +ccsdb_db_password: "{{ ci_ccsdb_db_password }}" +ccsdb_secret_key: "{{ ci_ccsdb_secret_key }}" + + ############################################################ # fedmsg details ############################################################ diff --git a/roles/ccsdb/tasks/main.yml b/roles/ccsdb/tasks/main.yml new file mode 100644 index 0000000000..f4022a0af6 --- /dev/null +++ b/roles/ccsdb/tasks/main.yml 
@@ -0,0 +1,82 @@ +--- +- name: install ccsdb and its dependencies + yum: name={{ item }} state=present + with_items: + - ccsdb + - mod_wsgi + - python-psycopg2 + - libsemanage-python + when: ansible_distribution_major_version|int < 22 + tags: + - ccsdb + +- name: install ccsdb and its dependencies + dnf: name={{ item }} state=present enablerepo={{ extra_enablerepos }} + with_items: + - ccsdb + - mod_wsgi + - python-psycopg2 + - libsemanage-python + when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + tags: + - ccsdb + +- name: ensure database is created + delegate_to: "{{ ccsdb_db_host_machine }}" + become_user: postgres + become: true + postgresql_db: db={{ ccsdb_db_name }} + tags: + - ccsdb + +- name: ensure ccsdb db user has access to database + delegate_to: "{{ ccsdb_db_host_machine }}" + become_user: postgres + become: true + postgresql_user: db={{ ccsdb_db_name }} + user={{ ccsdb_db_user }} + password={{ ccsdb_db_password }} + role_attr_flags=NOSUPERUSER + tags: + - ccsdb + +- name: ensure selinux lets httpd talk to postgres + seboolean: name=httpd_can_network_connect_db persistent=yes state=yes + tags: + - ccsdb + +- name: generate ccsdb config + template: src=ccsdb.cfg dest=/etc/ccsdb/ccsdb.cfg + owner=root group=root mode=0644 + notify: + - reload httpd + tags: + - ccsdb + +- name: generate ccsdb apache config + template: src=ccsdb.conf dest=/etc/httpd/conf.d/ccsdb.conf + owner=root group=root mode=0644 + notify: + - reload httpd + tags: + - ccsdb + +- name: create the /usr/share/ccsdb folder + file: state=directory + path=/usr/share/ccsdb + owner=root group=root mode=0755 + tags: + - ccsdb + +- name: install the wsgi file + template: src=ccsdb.wsgi dest=/usr/share/ccsdb/ccsdb.wsgi + owner=root group=root mode=0644 + notify: + - reload httpd + tags: + - ccsdb + +- name: initialize execdb database + shell: ccsdb-cli init_db + tags: + - ccsdb 
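Review bot: The `generate ccsdb config` task installs /etc/ccsdb/ccsdb.cfg with `mode=0644`, and the ccsdb.cfg template added in the same commit renders `SECRET_KEY` and the database password into it, so every local account can read both. The file only needs to be readable by the account the web application runs as (presumably apache under mod_wsgi; confirm), for example `owner=root group=apache mode=0640`. The `postgresql_user` task also passes `password={{ ccsdb_db_password }}` without `no_log: true`, so the value can appear in verbose run output. The last task is still named `initialize execdb database` although it runs `ccsdb-cli init_db`.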
diff --git a/roles/ccsdb/templates/ccsdb.cfg b/roles/ccsdb/templates/ccsdb.cfg new file mode 100644 index 0000000000..4de44cf9e4 --- /dev/null +++ b/roles/ccsdb/templates/ccsdb.cfg @@ -0,0 +1,7 @@ +SECRET_KEY = '{{ ccsdb_secret_key }}' +SQLALCHEMY_DATABASE_URI = 'postgresql://{{ ccsdb_db_user }}:{{ ccsdb_db_password }}@{{ ccsdb_db_host }}:{{ ccsdb_db_port }}/{{ ccsdb_db_name }}' + +FILE_LOGGING = False +LOGFILR = '/var/log/ccsdb/ccsdb.log' +SYSLOG_LOGGING = False +STREAM_LOGGING = True diff --git a/roles/ccsdb/templates/ccsdb.wsgi b/roles/ccsdb/templates/ccsdb.wsgi new file mode 100644 index 0000000000..3df7ec863b --- /dev/null +++ b/roles/ccsdb/templates/ccsdb.wsgi @@ -0,0 +1,4 @@ +import os +os.environ['CCSDB_CONFIG'] = '/etc/ccsdb/ccsdb.cfg' + +from ccsdb.app import _app as application From b3621d5b634090fd7a6ca19935f9728672c0e8d0 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 31 May 2017 10:29:30 +0200 Subject: [PATCH 229/308] Add the ccsdb role to the ci group/host --- playbooks/groups/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/ci.yml b/playbooks/groups/ci.yml index d8d3588b4f..fcef5d185b 100644 --- a/playbooks/groups/ci.yml +++ b/playbooks/groups/ci.yml @@ -54,6 +54,7 @@ - { role: taskotron/resultsdb-backend, tags: ['resultsdb-be'] } - { role: taskotron/resultsdb-frontend, tags: ['resultsdb-fe'] } - { role: taskotron/execdb, tags: ['execdb'] } + - { role: ccsdb, tags: ['ccsdb'] } handlers: - include: "{{ handlers_path }}/restart_services.yml" From 6eb8e901e2f15755b0f853abbec2569c4f6f86c9 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 31 May 2017 10:33:30 +0200 Subject: [PATCH 230/308] Drop the tag, it's in the playbook and create /etc/ccsdb --- roles/ccsdb/tasks/main.yml | 25 +++++-------------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/roles/ccsdb/tasks/main.yml b/roles/ccsdb/tasks/main.yml index f4022a0af6..9502668e9b 100644 --- a/roles/ccsdb/tasks/main.yml 
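Review bot: `LOGFILR` in ccsdb.cfg looks like a typo for `LOGFILE`. With `FILE_LOGGING = False` it has no effect today, but switching file logging on later would silently fall back to whatever default path the application uses. Which key name ccsdb actually reads is not visible here, so confirm against the application before changing it to `LOGFILE = '/var/log/ccsdb/ccsdb.log'`. The database URI also interpolates `ccsdb_db_password` unescaped, so a password containing `@`, `/` or `:` would yield a malformed URI.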
+++ b/roles/ccsdb/tasks/main.yml @@ -7,8 +7,6 @@ - python-psycopg2 - libsemanage-python when: ansible_distribution_major_version|int < 22 - tags: - - ccsdb - name: install ccsdb and its dependencies dnf: name={{ item }} state=present enablerepo={{ extra_enablerepos }} @@ -18,16 +16,12 @@ - python-psycopg2 - libsemanage-python when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined - tags: - - ccsdb - name: ensure database is created delegate_to: "{{ ccsdb_db_host_machine }}" become_user: postgres become: true postgresql_db: db={{ ccsdb_db_name }} - tags: - - ccsdb - name: ensure ccsdb db user has access to database delegate_to: "{{ ccsdb_db_host_machine }}" @@ -37,46 +31,37 @@ user={{ ccsdb_db_user }} password={{ ccsdb_db_password }} role_attr_flags=NOSUPERUSER - tags: - - ccsdb - name: ensure selinux lets httpd talk to postgres seboolean: name=httpd_can_network_connect_db persistent=yes state=yes - tags: - - ccsdb + +- name: create the /etc/ccsdb folder + file: state=directory + path=/etc/ccsdb + owner=root group=root mode=0755 - name: generate ccsdb config template: src=ccsdb.cfg dest=/etc/ccsdb/ccsdb.cfg owner=root group=root mode=0644 notify: - reload httpd - tags: - - ccsdb - name: generate ccsdb apache config template: src=ccsdb.conf dest=/etc/httpd/conf.d/ccsdb.conf owner=root group=root mode=0644 notify: - reload httpd - tags: - - ccsdb - name: create the /usr/share/ccsdb folder file: state=directory path=/usr/share/ccsdb owner=root group=root mode=0755 - tags: - - ccsdb - name: install the wsgi file template: src=ccsdb.wsgi dest=/usr/share/ccsdb/ccsdb.wsgi owner=root group=root mode=0644 notify: - reload httpd - tags: - - ccsdb - name: initialize execdb database shell: ccsdb-cli init_db - tags: - - ccsdb From b36d12b497da683b14f5d24aedcdb45496c352a6 Mon Sep 17 00:00:00 2001 
From: Pierre-Yves Chibon Date: Wed, 31 May 2017 10:37:42 +0200 Subject: [PATCH 231/308] Add the ccsdb.conf apache config file --- roles/ccsdb/templates/ccsdb.conf | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 roles/ccsdb/templates/ccsdb.conf diff --git a/roles/ccsdb/templates/ccsdb.conf b/roles/ccsdb/templates/ccsdb.conf new file mode 100644 index 0000000000..7863c4fcf8 --- /dev/null +++ b/roles/ccsdb/templates/ccsdb.conf @@ -0,0 +1,27 @@ +WSGIDaemonProcess ccsdb user=apache group=apache threads=5 +WSGIScriptAlias /{{ ccsdb_endpoint }} /usr/share/ccsdb/ccsdb.wsgi +WSGISocketPrefix run/wsgi + +# this isn't the best way to force SSL but it works for now +#RewriteEngine On +#RewriteCond %{HTTPS} !=on +#RewriteRule ^/execdb/admin/?(.*) https://%{SERVER_NAME}/$1 [R,L] + + + WSGIProcessGroup ccsdb + WSGIApplicationGroup %{GLOBAL} + WSGIScriptReloading On + + # Apache 2.4 + + Require method GET + Require ip 127.0.0.1 ::1{% for host in allowed_hosts %} {{ host }}{% endfor %} + + + + + Order allow,deny + Allow from all + + + From 9ead5a41ae79b23ffd12506214174129ef666b4a Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 31 May 2017 10:44:29 +0200 Subject: [PATCH 232/308] Fix initiating the DB and starting the services --- roles/ccsdb/tasks/main.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/ccsdb/tasks/main.yml b/roles/ccsdb/tasks/main.yml index 9502668e9b..06f3ef38d5 100644 --- a/roles/ccsdb/tasks/main.yml +++ b/roles/ccsdb/tasks/main.yml @@ -64,4 +64,11 @@ - reload httpd - name: initialize execdb database - shell: ccsdb-cli init_db + shell: CCSDB_CONFIG=/etc/ccsdb/ccsdb.cfg ccsdb-cli init_db + +- name: Start and enable the different services required + service: name={{ item }} enabled=yes state=started + with_items: + - httpd + - fedmsg-hub + From 0a1004b1ebc2bd973c6f165e3dcf3607264991aa Mon Sep 17 00:00:00 2001 
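Review bot: The only TLS redirect in ccsdb.conf is commented out and still points at `/execdb/admin`, so as written nothing in this file forces HTTPS for `/{{ ccsdb_endpoint }}`. Unless TLS is terminated and enforced in front of this host, requests that pass the `Require ip` list travel in clear text. Either correct the rule for this application or drop the block and add a comment saying where TLS is enforced. The page has lost the container tags of this file, but `Order allow,deny` / `Allow from all` appear to be an Apache 2.2 fallback without the method and address restriction of the 2.4 branch; confirm that this is intended.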
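Review bot: The task that now runs `CCSDB_CONFIG=/etc/ccsdb/ccsdb.cfg ccsdb-cli init_db` is still named `initialize execdb database`, and as a bare `shell:` it runs and reports changed on every play. Rename it to `initialize ccsdb database`, pass the variable through an `environment:` key so the task can use `command:` instead of a shell, and add a `changed_when` once it is known what `init_db` prints on an already initialised database. The new service task starts `fedmsg-hub`, which the package list of this role does not install; presumably another role provides it, which is worth a comment.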
From: Ralph Bean Date: Wed, 31 May 2017 14:15:00 +0000 Subject: [PATCH 233/308] Disable MBS CG interface until koji is ready. --- roles/mbs/common/templates/config.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/mbs/common/templates/config.py b/roles/mbs/common/templates/config.py index 488fc7377e..9ac72c9b52 100644 --- a/roles/mbs/common/templates/config.py +++ b/roles/mbs/common/templates/config.py @@ -125,6 +125,8 @@ class ProdConfiguration(BaseConfiguration): MESSAGING_TOPIC_PREFIX = ['org.fedoraproject.stg'] PDC_URL = 'https://pdc.stg.fedoraproject.org/rest_api/v1' SCMURLS = ["git://pkgs.stg.fedoraproject.org/modules/"] + # Blocked on https://pagure.io/releng/issue/6799 + KOJI_ENABLE_CONTENT_GENERATOR = False {% else %} KOJI_PROFILE = 'production' KOJI_ARCHES = ['aarch64', 'armv7hl', 'i686', 'ppc64', 'ppc64le', 'x86_64'] @@ -132,6 +134,8 @@ class ProdConfiguration(BaseConfiguration): MESSAGING_TOPIC_PREFIX = ['org.fedoraproject.prod'] PDC_URL = 'https://pdc.fedoraproject.org/rest_api/v1' SCMURLS = ["git://pkgs.fedoraproject.org/modules/"] + # Blocked on https://pagure.io/releng/issue/6799 + KOJI_ENABLE_CONTENT_GENERATOR = False {% endif %} # This is a whitelist of prefixes of koji tags we're allowed to manipulate From 7aca0c832892b77eab4f54d9c40b61805ab10e88 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 31 May 2017 14:57:22 +0000 Subject: [PATCH 234/308] up the timeouts on kojipkgs varnish to hopefully make up for slow storage issues --- roles/varnish/templates/kojipkgs.vcl.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/varnish/templates/kojipkgs.vcl.j2 b/roles/varnish/templates/kojipkgs.vcl.j2 index c3f7d51d14..8062d752bb 100644 --- a/roles/varnish/templates/kojipkgs.vcl.j2 +++ b/roles/varnish/templates/kojipkgs.vcl.j2 
@@ -25,10 +25,12 @@ acl purge { backend localapache { .host = "127.0.0.1"; .port = "8080"; + .first_byte_timeout = 60s; + .between_bytes_timeout = 60s; .probe = { .url = "/"; .interval = 5s; - .timeout = 1s; + .timeout = 5s; .window = 5; .threshold = 3; } } From 70442e105d534ee398a15fa8f13d070be016d446 Mon Sep 17 00:00:00 2001 From: clime Date: Wed, 31 May 2017 18:07:53 +0200 Subject: [PATCH 235/308] dist-git: setup for production --- roles/distgit/tasks/main.yml | 99 ++----------------- .../templates/lookaside-upload-stg.conf | 66 ------------- roles/distgit/templates/lookaside-upload.conf | 4 +- roles/distgit/templates/pkgdb2-clone | 4 - .../templates/pkgdb_sync_git_branches.py | 9 -- 5 files changed, 11 insertions(+), 171 deletions(-) delete mode 100644 roles/distgit/templates/lookaside-upload-stg.conf diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index 0eca9584a1..0cb1c93b38 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -17,25 +17,15 @@ tags: - distgit -- name: install the httpd config file - copy: src=pkgs.fedoraproject.org.conf dest=/etc/httpd/conf.d/pkgs.fedoraproject.org.conf - when: env != "staging" - notify: - - reload httpd - tags: - - distgit - -- name: uninstall the httpd config file +- name: uninstall the httpd config file of non-packaged dist-git file: dest=/etc/httpd/conf.d/pkgs.fedoraproject.org.conf state=absent - when: env == "staging" notify: - reload httpd tags: - distgit -- name: install the httpd config directory - file: dest=/etc/httpd/conf.d/pkgs.fedoraproject.org state=directory - when: env != "staging" +- name: uninstall the httpd config directory of non-packaged dist-git + file: dest=/etc/httpd/conf.d/pkgs.fedoraproject.org state=absent notify: - reload httpd tags: 
@@ -81,13 +71,11 @@ with_items: - dist-git - dist-git-selinux - when: env == "staging" tags: - distgit - name: install the dist-git config copy: src=dist-git.conf dest=/etc/dist-git/dist-git.conf - when: env == "staging" tags: - config - distgit @@ -135,8 +123,8 @@ tags: - distgit -- name: install the distgit scripts - copy: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755 +- name: uninstall the distgit scripts of non-packaged dist-git + file: dest=/usr/local/bin/{{item}} state=absent with_items: - setup_git_package - mkbranch @@ -145,25 +133,8 @@ - config - distgit -- name: install the Dist Git-related httpd config - copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/git-smart-http.conf - when: env != "staging" - notify: - - reload httpd - tags: - - distgit - -- name: install the Dist Git-related httpd config +- name: install the DistGit related httpd config copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf - when: env == "staging" - notify: - - reload httpd - tags: - - distgit - -- name: Symlink pkgs-git-repos-list - copy: src=repolist.conf dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/repolist.conf - when: env != "staging" notify: - reload httpd tags: @@ -171,7 +142,6 @@ - name: Symlink pkgs-git-repos-list copy: src=repolist.conf dest=/etc/httpd/conf.d/dist-git/repolist.conf - when: env == "staging" notify: - reload httpd tags: @@ -360,18 +330,8 @@ notify: - reload httpd -- name: install the CGit-related httpd redirect config - copy: src=redirect.conf dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/redirect.conf - when: env != "staging" - tags: - - distgit - - cgit - notify: - - reload httpd - - name: install the CGit-related httpd redirect config copy: src=redirect.conf dest=/etc/httpd/conf.d/dist-git/redirect.conf - when: env == "staging" tags: - distgit - cgit 
@@ -389,23 +349,11 @@ # -- Lookaside Cache ------------------------------------- # This is the annex to Dist Git, where we host source tarballs. -- name: install the Lookaside Cache httpd configs - template: src={{item}} dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/{{item}} - with_items: - - lookaside.conf - - lookaside-upload.conf - when: env != "staging" - notify: - - reload httpd - tags: - - distgit - - name: install the Lookaside Cache httpd configs template: src={{item}} dest=/etc/httpd/conf.d/dist-git/{{item}} with_items: - lookaside.conf - - lookaside-upload-stg.conf - when: env == "staging" + - lookaside-upload.conf notify: - reload httpd tags: @@ -499,42 +447,13 @@ tags: - distgit -- name: create /srv/web directory - file: dest=/srv/web state=directory - -- name: install the upload CGI script - copy: src=dist-git-upload.cgi dest=/srv/web/upload.cgi owner=root group=root mode=0755 +- name: uninstall the upload CGI script of non-packaged dist-git + file: dest=/srv/web/upload.cgi state=absent notify: - reload httpd tags: - distgit -- name: uninstall the httpd config directory - file: dest=/etc/httpd/conf.d/pkgs.fedoraproject.org state=absent - when: env == "staging" - notify: - - reload httpd - tags: - - distgit - -- name: check the selinux context of the upload CGI script - command: matchpathcon /srv/web/upload.cgi - register: upcgicontext - check_mode: no - changed_when: false - tags: - - config - - lookaside - - selinux - -- name: set the SELinux policy for the upload CGI script - command: semanage fcontext -a -t git_script_exec_t "/srv/web/upload.cgi" - when: upcgicontext.stdout.find('git_script_exec_t') == -1 - tags: - - config - - lookaside - - selinux - # Three tasks for handling our selinux policy for upload.cgi - name: ensure a directory exists for our SELinux policy file: dest=/usr/local/share/selinux/ state=directory 
diff --git a/roles/distgit/templates/lookaside-upload-stg.conf b/roles/distgit/templates/lookaside-upload-stg.conf deleted file mode 100644 index 16303344ef..0000000000 --- a/roles/distgit/templates/lookaside-upload-stg.conf +++ /dev/null @@ -1,66 +0,0 @@ -Alias /repo/ /srv/cache/lookaside/ - -# default SSL configuration... -Listen 443 - -SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) -SSLSessionCacheTimeout 300 - -Mutex default - -SSLRandomSeed startup file:/dev/urandom 256 -SSLRandomSeed connect builtin -SSLCryptoDevice builtin - - - ServerName pkgs.{{ env_suffix }}fedoraproject.org - #Redirect "/" "https://src{{ env_suffix }}.fedoraproject.org/" - # This is temporary for fixing Kojid because of firewall rules - Alias /repo/ /srv/cache/lookaside/ - - - - # This alias must come before the /repo/ one to avoid being overridden. - ScriptAlias /repo/pkgs/upload.cgi /var/lib/dist-git/web/upload.cgi - - Alias /repo/ /srv/cache/lookaside/ - ServerName pkgs{{ env_suffix }}.fedoraproject.org - ServerAdmin webmaster@fedoraproject.org - - SSLEngine on - - SSLCertificateFile conf/pkgs.fedoraproject.org_key_and_cert.pem - SSLCertificateKeyFile conf/pkgs.fedoraproject.org_key_and_cert.pem - SSLCACertificateFile conf/cacert.pem - SSLCARevocationFile /etc/pki/tls/crl.pem - - SSLProtocol {{ ssl_protocols }} - SSLCipherSuite {{ ssl_ciphers }} - - Redirect "/" "https://src{{ env_suffix }}.fedoraproject.org/" - - -# Allow upload via src - - # This alias must come before the /repo/ one to avoid being overridden. - ScriptAlias /repo/pkgs/upload.cgi /var/lib/dist-git/web/upload.cgi - - Alias /repo/ /srv/cache/lookaside/ - ServerName src{{ env_suffix }}.fedoraproject.org - ServerAdmin webmaster@fedoraproject.org - - ErrorLog logs/ssl_error_log - - - Options +ExecCGI - - AuthType GSSAPI - GssapiSSLonly Off - AuthName "GSSAPI Single Sign On Login" - GssapiCredStore keytab:/etc/httpd.keytab - - Require valid-user - - - - 
diff --git a/roles/distgit/templates/lookaside-upload.conf b/roles/distgit/templates/lookaside-upload.conf index 4014f0a396..16303344ef 100644 --- a/roles/distgit/templates/lookaside-upload.conf +++ b/roles/distgit/templates/lookaside-upload.conf @@ -21,7 +21,7 @@ SSLCryptoDevice builtin # This alias must come before the /repo/ one to avoid being overridden. - ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi + ScriptAlias /repo/pkgs/upload.cgi /var/lib/dist-git/web/upload.cgi Alias /repo/ /srv/cache/lookaside/ ServerName pkgs{{ env_suffix }}.fedoraproject.org @@ -43,7 +43,7 @@ SSLCryptoDevice builtin # Allow upload via src # This alias must come before the /repo/ one to avoid being overridden. - ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi + ScriptAlias /repo/pkgs/upload.cgi /var/lib/dist-git/web/upload.cgi Alias /repo/ /srv/cache/lookaside/ ServerName src{{ env_suffix }}.fedoraproject.org diff --git a/roles/distgit/templates/pkgdb2-clone b/roles/distgit/templates/pkgdb2-clone index 110cbb0386..6341ff4afe 100644 --- a/roles/distgit/templates/pkgdb2-clone +++ b/roles/distgit/templates/pkgdb2-clone @@ -13,11 +13,7 @@ NEW_EPEL_VERSION = '7' NEW_EPEL_SOURCE_BRANCH = 'f19' RHEL_PKGS_PATH = '/var/lib/rhel/rhel' + NEW_EPEL_VERSION -{% if env == 'staging' -%} MKBRANCH = '/usr/share/dist-git/mkbranch' -{%- else -%} -MKBRANCH = '/usr/local/bin/mkbranch' -{%- endif %} # parse_page :: String -> IO (Map String String) # This returns a dictionary of {"pkg_name": "branch"} diff --git a/roles/distgit/templates/pkgdb_sync_git_branches.py b/roles/distgit/templates/pkgdb_sync_git_branches.py index cef9d89365..be91335271 100644 --- a/roles/distgit/templates/pkgdb_sync_git_branches.py +++ b/roles/distgit/templates/pkgdb_sync_git_branches.py 
@@ -70,17 +70,8 @@ PKGDB_URL = 'https://admin.fedoraproject.org/pkgdb' GIT_FOLDER = '/srv/git/repositories/' -{% if env == 'staging' -%} MKBRANCH = '/usr/share/dist-git/mkbranch' -{%- else -%} -MKBRANCH = '/usr/local/bin/mkbranch' -{%- endif %} - -{% if env == 'staging' -%} SETUP_PACKAGE = '/usr/share/dist-git/setup_git_package' -{%- else -%} -SETUP_PACKAGE = '/usr/local/bin/setup_git_package' -{%- endif %} THREADS = 20 VERBOSE = False From d6db93833deac469e8e65c03fb98a7746ab2a7e5 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 31 May 2017 17:42:46 +0000 Subject: [PATCH 236/308] Prepare for a config field name switch. --- roles/mbs/common/templates/config.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/mbs/common/templates/config.py b/roles/mbs/common/templates/config.py index 9ac72c9b52..c924a38b05 100644 --- a/roles/mbs/common/templates/config.py +++ b/roles/mbs/common/templates/config.py @@ -43,6 +43,9 @@ class BaseConfiguration(object): # Determines how many builds that can be submitted to the builder # and be in the build state at a time. Set this to 0 for no restrictions + # New name + NUM_CONCURRENT_BUILDS = 5 + # Old name https://pagure.io/fm-orchestrator/issue/574 NUM_CONSECUTIVE_BUILDS = 5 RPMS_DEFAULT_REPOSITORY = 'git://pkgs.fedoraproject.org/rpms/' @@ -149,6 +152,9 @@ class ProdConfiguration(BaseConfiguration): # If this is too long, we could change it to 'fm_' some day. DEFAULT_DIST_TAG_PREFIX = 'module_' + # New name + NUM_CONCURRENT_BUILDS = 20 + # Old name https://pagure.io/fm-orchestrator/issue/574 NUM_CONSECUTIVE_BUILDS = 20 # Delete module-* targets one hour after build From cc0a37c9d965c1fcb26b2cd28088e7cfaae21294 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Wed, 31 May 2017 21:39:17 +0000 Subject: [PATCH 237/308] Copy over the service file too... Signed-off-by: Ricky Elrod --- roles/nagios_server/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml index 95c14f4b2e..6756293aad 100644 --- a/roles/nagios_server/tasks/main.yml +++ b/roles/nagios_server/tasks/main.yml @@ -191,6 +191,7 @@ - nagios.cfg - nrpe.cfg - osbs.cfg + - pagure_redis.cfg - pgsql.cfg - ping.cfg - procs.cfg From 049effe2e2e2ccf3ae83381bcfa0bdc4c855f912 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 1 Jun 2017 03:42:42 +0000 Subject: [PATCH 238/308] Configure Content-Security-Policy for datagrepper, for the future. --- roles/datagrepper/templates/datagrepper-fedmsg.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/datagrepper/templates/datagrepper-fedmsg.py b/roles/datagrepper/templates/datagrepper-fedmsg.py index c6f0989b92..e8a9246319 100644 --- a/roles/datagrepper/templates/datagrepper-fedmsg.py +++ b/roles/datagrepper/templates/datagrepper-fedmsg.py @@ -17,4 +17,8 @@ config = { 'fedmenu_url': 'https://apps.fedoraproject.org/fedmenu', 'fedmenu_data_url': 'https://apps.fedoraproject.org/js/data.js', {% endif %} + + # Only allow ajax/websockets connections back to our domains. + # https://github.com/fedora-infra/datagrepper/pull/192 + 'content_security_policy': 'connect-src https://*.fedoraproject.org wss://*.fedoraproject.org' } From 88912f2ec99d8bafc516b248ac4a65e4c4b013ff Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Wed, 31 May 2017 16:31:37 +0530 Subject: [PATCH 239/308] Revert "Hotfix for the Autocloud fix" This reverts commit 78051dc038373fc0e5608ff215c19296ee90d343. --- files/hotfix/autocloud/__init__.py | 2 +- files/hotfix/autocloud/consumer.py | 6 ------ files/hotfix/autocloud/models.py | 3 +-- 3 files changed, 2 insertions(+), 9 deletions(-) diff --git a/files/hotfix/autocloud/__init__.py b/files/hotfix/autocloud/__init__.py index 77cb9147aa..84d100516f 100644 --- a/files/hotfix/autocloud/__init__.py +++ b/files/hotfix/autocloud/__init__.py 
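Review bot: The comment added above `content_security_policy` in datagrepper-fedmsg.py says what the policy limits but not what it leaves open: a policy consisting only of `connect-src` places no restriction on script, style or frame sources. I would extend the comment with `# connect-src only: script, style and frame sources are not restricted by this policy` so that nobody reads it as a full CSP. The pattern `*.fedoraproject.org` also does not match the bare `fedoraproject.org` origin, which matters only if anything is fetched from there. The `config` dict starts outside the hunk.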
@@ -27,7 +27,7 @@ def produce_jobs(infox): session = init_model() timestamp = datetime.datetime.now() for info in infox: - image_name = info['path'].split('/')[-1].split(info['arch'])[0] + image_name = info['path'].split('.x86_64')[0].split('/')[-1] jd = ComposeJobDetails( arch=info['arch'], compose_id=info['compose']['id'], diff --git a/files/hotfix/autocloud/consumer.py b/files/hotfix/autocloud/consumer.py index 99b8b65805..1147b769c4 100644 --- a/files/hotfix/autocloud/consumer.py +++ b/files/hotfix/autocloud/consumer.py @@ -78,12 +78,6 @@ class AutoCloudConsumer(fedmsg.consumers.FedmsgConsumer): for variant in compose_images_variants: compose_image = compose_images[variant] for arch, payload in compose_image.iteritems(): - - # aarch64 is not supported so filter if the arch is - # 'aarch64' - if arch == 'aarch64': - continue - for item in payload: relative_path = item['path'] if not is_valid_image(relative_path): diff --git a/files/hotfix/autocloud/models.py b/files/hotfix/autocloud/models.py index 43f75f6f83..4a6f35f5a5 100644 --- a/files/hotfix/autocloud/models.py +++ b/files/hotfix/autocloud/models.py @@ -86,8 +86,7 @@ class ComposeJobDetails(Base): ARCH_TYPES = ( ('i386', 'i386'), - ('x86_64', 'x86_64'), - ('aarch64', 'aarch64') + ('x86_64', 'x86_64') ) id = Column(Integer, primary_key=True) From 426a07abff5ee6f1d052369f69c26d2c7c77a749 Mon Sep 17 00:00:00 2001 
From: Sayan Chowdhury Date: Wed, 31 May 2017 16:32:10 +0530 Subject: [PATCH 240/308] Revert "Add the original models and __init__.py files for hotfix" This reverts commit 44d0d33361602b49664a406386077bf34b4a9689. --- files/hotfix/autocloud/__init__.py | 89 ---------- files/hotfix/autocloud/consumer.py | 226 ++++++++++++++---------- files/hotfix/autocloud/models.py | 121 ------------- roles/autocloud/backend/tasks/main.yml | 16 -- roles/autocloud/frontend/tasks/main.yml | 15 -- 5 files changed, 130 insertions(+), 337 deletions(-) delete mode 100644 files/hotfix/autocloud/__init__.py delete mode 100644 files/hotfix/autocloud/models.py diff --git a/files/hotfix/autocloud/__init__.py b/files/hotfix/autocloud/__init__.py deleted file mode 100644 index 84d100516f..0000000000 --- a/files/hotfix/autocloud/__init__.py +++ /dev/null 
@@ -1,89 +0,0 @@ -# -*- coding: utf-8 -*- -from retask.task import Task -from retask.queue import Queue - -import autocloud -from autocloud.models import init_model, ComposeJobDetails -from autocloud.producer import publish_to_fedmsg - -import datetime - -import logging -log = logging.getLogger("fedmsg") - - -def produce_jobs(infox): - """ Queue the jobs into jobqueue - :args infox: list of dictionaries contains the image url and the buildid - """ - jobqueue = Queue('jobqueue') - jobqueue.connect() - - family_mapping = { - 'Cloud_Base': 'b', - 'Atomic': 'a' - } - - session = init_model() - timestamp = datetime.datetime.now() - for info in infox: - image_name = info['path'].split('.x86_64')[0].split('/')[-1] - jd = ComposeJobDetails( - arch=info['arch'], - compose_id=info['compose']['id'], - created_on=timestamp, - family=family_mapping[info['subvariant']], - image_url=info['absolute_path'], - last_updated=timestamp, - release=info['compose']['release'], - status='q', - subvariant=info['subvariant'], - user='admin', - image_format=info['format'], - image_type=info['type'], - image_name=image_name, - ) - session.add(jd) - session.commit() - - job_details_id = jd.id - log.info('Save {jd_id} to database'.format(jd_id=job_details_id)) - - info.update({'job_id': jd.id}) - task = Task(info) - jobqueue.enqueue(task) - log.info('Enqueue {jd_id} to redis'.format(jd_id=job_details_id)) - - publish_to_fedmsg(topic='image.queued', - compose_url=info['absolute_path'], - compose_id=info['compose']['id'], - image_name=image_name, - status='queued', - job_id=info['job_id'], - release=info['compose']['release'], - family=jd.family.value, - type=info['type']) - - session.close() - - -def is_valid_image(image_url): - if autocloud.VIRTUALBOX: - supported_image_ext = ('.vagrant-virtualbox.box',) - else: - supported_image_ext = ('.qcow2', '.vagrant-libvirt.box') - - if image_url.endswith(supported_image_ext): - return True - - return False - - -def get_image_name(image_name): - if 
'vagrant' in image_name.lower(): - if autocloud.VIRTUALBOX: - image_name = '{image_name}-Virtualbox'.format( - image_name=image_name) - else: - image_name = '{image_name}-Libvirt'.format(image_name=image_name) - return image_name diff --git a/files/hotfix/autocloud/consumer.py b/files/hotfix/autocloud/consumer.py index 1147b769c4..c70cde9841 100644 --- a/files/hotfix/autocloud/consumer.py +++ b/files/hotfix/autocloud/consumer.py @@ -1,18 +1,11 @@ # -*- coding: utf-8 -*- -from datetime import datetime -import requests import fedmsg.consumers -import fedfind.release - -from sqlalchemy import exc +import koji +from autocloud.utils import get_image_url, produce_jobs, get_image_name import autocloud -from autocloud.models import init_model, ComposeDetails -from autocloud.producer import publish_to_fedmsg -from autocloud.utils import is_valid_image, produce_jobs - import logging log = logging.getLogger("fedmsg") 
@@ -20,110 +13,151 @@ DEBUG = autocloud.DEBUG class AutoCloudConsumer(fedmsg.consumers.FedmsgConsumer): - """ - Fedmsg consumer for Autocloud - """ if DEBUG: topic = [ - 'org.fedoraproject.dev.__main__.pungi.compose.status.change' + 'org.fedoraproject.dev.__main__.buildsys.build.state.change', + 'org.fedoraproject.dev.__main__.buildsys.task.state.change', ] else: topic = [ - 'org.fedoraproject.prod.pungi.compose.status.change' + 'org.fedoraproject.prod.buildsys.build.state.change', + 'org.fedoraproject.prod.buildsys.task.state.change', ] config_key = 'autocloud.consumer.enabled' def __init__(self, *args, **kwargs): - log.info("Autocloud Consumer is ready for action.") super(AutoCloudConsumer, self).__init__(*args, **kwargs) + def _get_tasks(self, builds): + """ Takes a list of koji createImage task IDs and returns dictionary of + build ids and image url corresponding to that build ids""" + + if autocloud.VIRTUALBOX: + _supported_images = ('Fedora-Cloud-Base-Vagrant', + 'Fedora-Cloud-Atomic-Vagrant',) + else: + _supported_images = ('Fedora-Cloud-Base-Vagrant', + 'Fedora-Cloud-Atomic-Vagrant', + 'Fedora-Cloud-Atomic', 'Fedora-Cloud-Base',) + + for build in builds: + log.info('Got Koji build {0}'.format(build)) + + # Create a Koji connection to the Fedora Koji instance + koji_session = koji.ClientSession(autocloud.KOJI_SERVER_URL) + + image_files = [] # list of full URLs of files + + if len(builds) == 1: + task_result = koji_session.getTaskResult(builds[0]) + name = task_result.get('name') + #TODO: Change to get the release information from PDC instead + # of koji once it is set up + release = task_result.get('version') + if name in _supported_images: + task_relpath = koji.pathinfo.taskrelpath(int(builds[0])) + url = get_image_url(task_result.get('files'), task_relpath) + if url: + name = get_image_name(image_name=name) + data = { + 'buildid': builds[0], + 'image_url': url, + 'name': name, + 'release': release, + } + image_files.append(data) + elif len(builds) >= 2: + 
koji_session.multicall = True + for build in builds: + koji_session.getTaskResult(build) + results = koji_session.multiCall() + for result in results: + + if not result: + continue + + name = result[0].get('name') + if name not in _supported_images: + continue + + #TODO: Change to get the release information from PDC instead + # of koji once it is set up + release = result[0].get('version') + task_relpath = koji.pathinfo.taskrelpath( + int(result[0].get('task_id'))) + url = get_image_url(result[0].get('files'), task_relpath) + if url: + name = get_image_name(image_name=name) + data = { + 'buildid': result[0]['task_id'], + 'image_url': url, + 'name': name, + 'release': release, + } + image_files.append(data) + + return image_files + def consume(self, msg): """ This is called when we receive a message matching the topic. """ + if msg['topic'].endswith('.buildsys.task.state.change'): + # Do the thing you've always done... this will go away soon. + # releng is transitioning away from it. + self._consume_scratch_task(msg) + elif msg['topic'].endswith('.buildsys.build.state.change'): + # Do the new thing we need to do. handle a 'real build' from koji, + # not just a scratch task. + self._consume_real_build(msg) + else: + raise NotImplementedError("Should be impossible to get here...") + + def _consume_real_build(self, msg): + builds = list() # These will be the Koji task IDs to upload, if any. + + msg = msg['body']['msg'] + if msg['owner'] != 'releng': + log.debug("Dropping message. Owned by %r" % msg['owner']) + return + + if msg['instance'] != 'primary': + log.info("Dropping message. From %r instance." % msg['instance']) + return + + # Don't upload *any* images if one of them fails. + if msg['new'] != 1: + log.info("Dropping message. 
State is %r" % msg['new']) + return + + koji_session = koji.ClientSession(autocloud.KOJI_SERVER_URL) + children = koji_session.getTaskChildren(msg['task_id']) + for child in children: + if child["method"] == "createImage": + builds.append(child["id"]) + + if len(builds) > 0: + produce_jobs(self._get_tasks(builds)) + + def _consume_scratch_task(self, msg): + builds = list() # These will be the Koji build IDs to upload, if any. + + msg_info = msg["body"]["msg"]["info"] + log.info('Received %r %r' % (msg['topic'], msg['body']['msg_id'])) - STATUS_F = ('FINISHED_INCOMPLETE', 'FINISHED',) - VARIANTS_F = ('CloudImages',) + # If the build method is "image", we check to see if the child + # task's method is "createImage". + if msg_info["method"] == "image": + if isinstance(msg_info["children"], list): + for child in msg_info["children"]: + if child["method"] == "createImage": + # We only care about the image if the build + # completed successfully (with state code 2). + if child["state"] == 2: + builds.append(child["id"]) - images = [] - compose_db_update = False - msg_body = msg['body'] - status = msg_body['msg']['status'] - compose_images_json = None - - if status in STATUS_F: - location = msg_body['msg']['location'] - json_metadata = '{}/metadata/images.json'.format(location) - resp = requests.get(json_metadata) - compose_images_json = getattr(resp, 'json', False) - - if compose_images_json is not None: - compose_images_json = compose_images_json() - compose_images = compose_images_json['payload']['images'] - compose_details = compose_images_json['payload']['compose'] - compose_images = dict((variant, compose_images[variant]) - for variant in VARIANTS_F - if variant in compose_images) - compose_id = compose_details['id'] - rel = fedfind.release.get_release(cid=compose_id) - release = rel.release - compose_details.update({'release': release}) - - compose_images_variants = [variant for variant in VARIANTS_F - if variant in compose_images] - - for variant in 
compose_images_variants: - compose_image = compose_images[variant] - for arch, payload in compose_image.iteritems(): - for item in payload: - relative_path = item['path'] - if not is_valid_image(relative_path): - continue - absolute_path = '{}/{}'.format(location, relative_path) - item.update({ - 'compose': compose_details, - 'absolute_path': absolute_path, - }) - images.append(item) - compose_db_update = True - - if compose_db_update: - session = init_model() - compose_date = datetime.strptime(compose_details['date'], '%Y%m%d') - try: - cd = ComposeDetails( - date=compose_date, - compose_id=compose_details['id'], - respin=compose_details['respin'], - type=compose_details['type'], - status=u'q', - location=location, - ) - - session.add(cd) - session.commit() - - compose_details.update({ - 'status': 'queued', - 'compose_job_id': cd.id, - }) - publish_to_fedmsg(topic='compose.queued', - **compose_details) - except exc.IntegrityError: - session.rollback() - cd = session.query(ComposeDetails).filter_by( - compose_id=compose_details['id']).first() - log.info('Compose already exists %s: %s' % ( - compose_details['id'], - cd.id - )) - session.close() - - num_images = len(images) - for pos, image in enumerate(images): - image.update({'pos': (pos+1, num_images)}) - - produce_jobs(images) + if len(builds) > 0: + produce_jobs(self._get_tasks(builds)) diff --git a/files/hotfix/autocloud/models.py b/files/hotfix/autocloud/models.py deleted file mode 100644 index 4a6f35f5a5..0000000000 --- a/files/hotfix/autocloud/models.py +++ /dev/null 
@@ -1,121 +0,0 @@ -# -*- coding: utf-8 -*- - -import datetime - -from sqlalchemy import Column, Integer, String, DateTime, Text -from sqlalchemy.ext.declarative import declarative_base -from sqlalchemy import create_engine -from sqlalchemy.orm import sessionmaker -from sqlalchemy.orm import scoped_session -from sqlalchemy_utils import ChoiceType - -import autocloud - -Base = declarative_base() - - -class JobDetails(Base): - __tablename__ = 'job_details' - - STATUS_TYPES = ( - ('s', 'Success'), - ('f', 'Failed'), - ('a', 'Aborted'), - ('r', 'Running'), - ('q', 'Queued') - ) - - IMAGE_FAMILY_TYPES = ( - ('b', 'Base'), - ('a', 'Atomic') - ) - - ARCH_TYPES = ( - ('i386', 'i386'), - ('x86_64', 'x86_64') - ) - - id = Column(Integer, primary_key=True) - taskid = Column(String(255), nullable=False) - status = Column(ChoiceType(STATUS_TYPES)) - family = Column(ChoiceType(IMAGE_FAMILY_TYPES)) - arch = Column(ChoiceType(ARCH_TYPES)) - release = Column(String(255)) - output = Column(Text, nullable=False, default='') - created_on = Column(DateTime, default=datetime.datetime.utcnow) - last_updated = Column(DateTime, default=datetime.datetime.utcnow) - user = Column(String(255), nullable=False) - - -class ComposeDetails(Base): - __tablename__ = 'compose_details' - - STATUS_TYPES = ( - ('c', 'Complete'), - ('q', 'Queued'), - ('r', 'Running'), - ) - id = Column(Integer, primary_key=True) - date = Column(DateTime, nullable=False) - compose_id = Column(String(255), nullable=False, unique=True) - respin = Column(Integer, nullable=False) - type = Column(String(255), nullable=False) - passed = Column(Integer, nullable=True, default=0) - failed = Column(Integer, nullable=True, default=0) - status = Column(ChoiceType(STATUS_TYPES)) - created_on = Column(DateTime, default=datetime.datetime.utcnow) - last_updated = Column(DateTime, default=datetime.datetime.utcnow) - location = Column(String(255), nullable=False) - - -class ComposeJobDetails(Base): - __tablename__ = 'compose_job_details' - 
- STATUS_TYPES = ( - ('s', 'Success'), - ('f', 'Failed'), - ('a', 'Aborted'), - ('r', 'Running'), - ('q', 'Queued') - ) - - IMAGE_FAMILY_TYPES = ( - ('b', u'Base'), - ('a', u'Atomic') - ) - - ARCH_TYPES = ( - ('i386', 'i386'), - ('x86_64', 'x86_64') - ) - - id = Column(Integer, primary_key=True) - arch = Column(ChoiceType(ARCH_TYPES)) - compose_id = Column(String(255), nullable=False) - created_on = Column(DateTime, default=datetime.datetime.utcnow) - family = Column(ChoiceType(IMAGE_FAMILY_TYPES)) - image_url = Column(String(255), nullable=False) - last_updated = Column(DateTime, default=datetime.datetime.utcnow) - output = Column(Text, nullable=False, default='') - release = Column(String(255)) - status = Column(ChoiceType(STATUS_TYPES)) - subvariant = Column(String(255), nullable=False) - user = Column(String(255), nullable=False) - image_format = Column(String(255), nullable=False) - image_type = Column(String(255), nullable=False) - image_name = Column(String(255), nullable=False) - - -def create_tables(): - # Create an engine that stores data in the local directory - engine = create_engine(autocloud.SQLALCHEMY_URI) - - # Create all tables in the engine. This is equivalent to "Create Table" - # statements in raw SQL. - Base.metadata.create_all(engine) - - -def init_model(): - engine = create_engine(autocloud.SQLALCHEMY_URI) - scopedsession = scoped_session(sessionmaker(bind=engine)) - return scopedsession diff --git a/roles/autocloud/backend/tasks/main.yml b/roles/autocloud/backend/tasks/main.yml index 5e61d09479..a09c40cfd1 100644 --- a/roles/autocloud/backend/tasks/main.yml +++ b/roles/autocloud/backend/tasks/main.yml 
@@ -138,19 +138,3 @@ tags: - autocloud - autocloud/backend - -# -# Install hotfix to add the architecture to aarch64 -# See PR - https://github.com/kushaldas/autocloud/pull/56/ -# -- name: hotfix - copy over models.py to autocloud/models.py - copy: src='{{ files }}/{{ item.src }}' dest={{ item.dest }} - with_items: - - { src: 'hotfix/autocloud/models.py', dest: '/usr/lib/python2.7/site-packages/autocloud' } - - { src: 'hotfix/autocloud/consumer.py', dest: '/usr/lib/python2.7/site-packages/autocloud' } - - { src: 'hotfix/autocloud/__init__.py', dest: '/usr/lib/python2.7/site-packages/autocloud/utils' } - notify: - - restart fedmsg-hub - tags: - - autocloud - - hotfix diff --git a/roles/autocloud/frontend/tasks/main.yml b/roles/autocloud/frontend/tasks/main.yml index 3312fb52e8..1084b4c705 100644 --- a/roles/autocloud/frontend/tasks/main.yml +++ b/roles/autocloud/frontend/tasks/main.yml @@ -66,18 +66,3 @@ - autocloud - autocloud/frontend - selinux - -# -# Install hotfix to add the architecture to aarch64 -# See PR - https://github.com/kushaldas/autocloud/pull/56/ -# -- name: hotfix - copy over models.py to autocloud/models.py - copy: src='{{ files }}/{{ item.src }}' dest={{ item.dest }} - with_items: - - { src: 'hotfix/autocloud/models.py', dest: '/usr/lib/python2.7/site-packages/autocloud' } - - { src: 'hotfix/autocloud/__init__.py', dest: '/usr/lib/python2.7/site-packages/autocloud/utils' } - notify: - - restart fedmsg-hub - tags: - - autocloud - - hotfix From ca268b131f849475876040c005347297483ae217 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Wed, 31 May 2017 16:38:23 +0530 Subject: [PATCH 241/308] Add the original consumer file for the hotfix --- files/hotfix/autocloud/consumer.py | 226 +++++++++++-------------- roles/autocloud/backend/tasks/main.yml | 14 ++ 2 files changed, 110 insertions(+), 130 deletions(-) diff --git a/files/hotfix/autocloud/consumer.py b/files/hotfix/autocloud/consumer.py index c70cde9841..1147b769c4 100644 
--- a/files/hotfix/autocloud/consumer.py +++ b/files/hotfix/autocloud/consumer.py @@ -1,11 +1,18 @@ # -*- coding: utf-8 -*- +from datetime import datetime +import requests import fedmsg.consumers -import koji +import fedfind.release + +from sqlalchemy import exc -from autocloud.utils import get_image_url, produce_jobs, get_image_name import autocloud +from autocloud.models import init_model, ComposeDetails +from autocloud.producer import publish_to_fedmsg +from autocloud.utils import is_valid_image, produce_jobs + import logging log = logging.getLogger("fedmsg") 
@@ -13,151 +20,110 @@ DEBUG = autocloud.DEBUG class AutoCloudConsumer(fedmsg.consumers.FedmsgConsumer): + """ + Fedmsg consumer for Autocloud + """ if DEBUG: topic = [ - 'org.fedoraproject.dev.__main__.buildsys.build.state.change', - 'org.fedoraproject.dev.__main__.buildsys.task.state.change', + 'org.fedoraproject.dev.__main__.pungi.compose.status.change' ] else: topic = [ - 'org.fedoraproject.prod.buildsys.build.state.change', - 'org.fedoraproject.prod.buildsys.task.state.change', + 'org.fedoraproject.prod.pungi.compose.status.change' ] config_key = 'autocloud.consumer.enabled' def __init__(self, *args, **kwargs): + log.info("Autocloud Consumer is ready for action.") super(AutoCloudConsumer, self).__init__(*args, **kwargs) - def _get_tasks(self, builds): - """ Takes a list of koji createImage task IDs and returns dictionary of - build ids and image url corresponding to that build ids""" - - if autocloud.VIRTUALBOX: - _supported_images = ('Fedora-Cloud-Base-Vagrant', - 'Fedora-Cloud-Atomic-Vagrant',) - else: - _supported_images = ('Fedora-Cloud-Base-Vagrant', - 'Fedora-Cloud-Atomic-Vagrant', - 'Fedora-Cloud-Atomic', 'Fedora-Cloud-Base',) - - for build in builds: - log.info('Got Koji build {0}'.format(build)) - - # Create a Koji connection to the Fedora Koji instance - koji_session = koji.ClientSession(autocloud.KOJI_SERVER_URL) - - image_files = [] # list of full URLs of files - - if len(builds) == 1: - task_result = koji_session.getTaskResult(builds[0]) - name = task_result.get('name') - #TODO: Change to get the release information from PDC instead - # of koji once it is set up - release = task_result.get('version') - if name in _supported_images: - task_relpath = koji.pathinfo.taskrelpath(int(builds[0])) - url = get_image_url(task_result.get('files'), task_relpath) - if url: - name = get_image_name(image_name=name) - data = { - 'buildid': builds[0], - 'image_url': url, - 'name': name, - 'release': release, - } - image_files.append(data) - elif len(builds) >= 2: - 
koji_session.multicall = True - for build in builds: - koji_session.getTaskResult(build) - results = koji_session.multiCall() - for result in results: - - if not result: - continue - - name = result[0].get('name') - if name not in _supported_images: - continue - - #TODO: Change to get the release information from PDC instead - # of koji once it is set up - release = result[0].get('version') - task_relpath = koji.pathinfo.taskrelpath( - int(result[0].get('task_id'))) - url = get_image_url(result[0].get('files'), task_relpath) - if url: - name = get_image_name(image_name=name) - data = { - 'buildid': result[0]['task_id'], - 'image_url': url, - 'name': name, - 'release': release, - } - image_files.append(data) - - return image_files - def consume(self, msg): """ This is called when we receive a message matching the topic. """ - if msg['topic'].endswith('.buildsys.task.state.change'): - # Do the thing you've always done... this will go away soon. - # releng is transitioning away from it. - self._consume_scratch_task(msg) - elif msg['topic'].endswith('.buildsys.build.state.change'): - # Do the new thing we need to do. handle a 'real build' from koji, - # not just a scratch task. - self._consume_real_build(msg) - else: - raise NotImplementedError("Should be impossible to get here...") - - def _consume_real_build(self, msg): - builds = list() # These will be the Koji task IDs to upload, if any. - - msg = msg['body']['msg'] - if msg['owner'] != 'releng': - log.debug("Dropping message. Owned by %r" % msg['owner']) - return - - if msg['instance'] != 'primary': - log.info("Dropping message. From %r instance." % msg['instance']) - return - - # Don't upload *any* images if one of them fails. - if msg['new'] != 1: - log.info("Dropping message. 
State is %r" % msg['new']) - return - - koji_session = koji.ClientSession(autocloud.KOJI_SERVER_URL) - children = koji_session.getTaskChildren(msg['task_id']) - for child in children: - if child["method"] == "createImage": - builds.append(child["id"]) - - if len(builds) > 0: - produce_jobs(self._get_tasks(builds)) - - def _consume_scratch_task(self, msg): - builds = list() # These will be the Koji build IDs to upload, if any. - - msg_info = msg["body"]["msg"]["info"] - log.info('Received %r %r' % (msg['topic'], msg['body']['msg_id'])) - # If the build method is "image", we check to see if the child - # task's method is "createImage". - if msg_info["method"] == "image": - if isinstance(msg_info["children"], list): - for child in msg_info["children"]: - if child["method"] == "createImage": - # We only care about the image if the build - # completed successfully (with state code 2). - if child["state"] == 2: - builds.append(child["id"]) + STATUS_F = ('FINISHED_INCOMPLETE', 'FINISHED',) + VARIANTS_F = ('CloudImages',) - if len(builds) > 0: - produce_jobs(self._get_tasks(builds)) + images = [] + compose_db_update = False + msg_body = msg['body'] + status = msg_body['msg']['status'] + compose_images_json = None + + if status in STATUS_F: + location = msg_body['msg']['location'] + json_metadata = '{}/metadata/images.json'.format(location) + resp = requests.get(json_metadata) + compose_images_json = getattr(resp, 'json', False) + + if compose_images_json is not None: + compose_images_json = compose_images_json() + compose_images = compose_images_json['payload']['images'] + compose_details = compose_images_json['payload']['compose'] + compose_images = dict((variant, compose_images[variant]) + for variant in VARIANTS_F + if variant in compose_images) + compose_id = compose_details['id'] + rel = fedfind.release.get_release(cid=compose_id) + release = rel.release + compose_details.update({'release': release}) + + compose_images_variants = [variant for variant in VARIANTS_F + 
if variant in compose_images] + + for variant in compose_images_variants: + compose_image = compose_images[variant] + for arch, payload in compose_image.iteritems(): + for item in payload: + relative_path = item['path'] + if not is_valid_image(relative_path): + continue + absolute_path = '{}/{}'.format(location, relative_path) + item.update({ + 'compose': compose_details, + 'absolute_path': absolute_path, + }) + images.append(item) + compose_db_update = True + + if compose_db_update: + session = init_model() + compose_date = datetime.strptime(compose_details['date'], '%Y%m%d') + try: + cd = ComposeDetails( + date=compose_date, + compose_id=compose_details['id'], + respin=compose_details['respin'], + type=compose_details['type'], + status=u'q', + location=location, + ) + + session.add(cd) + session.commit() + + compose_details.update({ + 'status': 'queued', + 'compose_job_id': cd.id, + }) + publish_to_fedmsg(topic='compose.queued', + **compose_details) + except exc.IntegrityError: + session.rollback() + cd = session.query(ComposeDetails).filter_by( + compose_id=compose_details['id']).first() + log.info('Compose already exists %s: %s' % ( + compose_details['id'], + cd.id + )) + session.close() + + num_images = len(images) + for pos, image in enumerate(images): + image.update({'pos': (pos+1, num_images)}) + + produce_jobs(images) diff --git a/roles/autocloud/backend/tasks/main.yml b/roles/autocloud/backend/tasks/main.yml index a09c40cfd1..a9fa50e744 100644 --- a/roles/autocloud/backend/tasks/main.yml +++ b/roles/autocloud/backend/tasks/main.yml 
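Review bot: `requests.get(json_metadata)` in `consume` has no timeout and the response status is never checked, so a stalled or failing compose server can hang the consumer or feed it an error page; the URL is built from `location`, which comes straight from the message body. I would use `resp = requests.get(json_metadata, timeout=30)` followed by `resp.raise_for_status()`, and check that `location` begins with the expected compose base URL before fetching. The `getattr(resp, 'json', False)` / `is not None` pair can never see `None` once a response exists, so it reduces to `compose_images_json = resp.json()`. The class body starts outside this hunk.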
@@ -138,3 +138,17 @@ tags: - autocloud - autocloud/backend + +# +# Install hotfix to ignore new architectures +# See PR - https://github.com/kushaldas/autocloud/pull/56/ +# +- name: hotfix - copy over consumer files + copy: src='{{ files }}/{{ item.src }}' dest={{ item.dest }} + with_items: + - { src: 'hotfix/autocloud/consumer.py', dest: '/usr/lib/python2.7/site-packages/autocloud' } + notify: + - restart fedmsg-hub + tags: + - autocloud + - hotfix From b1d0f1ad07aaae4b0a363301895b02abf86ebabf Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Wed, 31 May 2017 16:48:37 +0530 Subject: [PATCH 242/308] Add the hotfix to ignore the new architectures --- files/hotfix/autocloud/consumer.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/files/hotfix/autocloud/consumer.py b/files/hotfix/autocloud/consumer.py index 1147b769c4..c216553251 100644 --- a/files/hotfix/autocloud/consumer.py +++ b/files/hotfix/autocloud/consumer.py @@ -9,7 +9,7 @@ from sqlalchemy import exc import autocloud -from autocloud.models import init_model, ComposeDetails +from autocloud.models import init_model, ComposeDetails, ComposeJobDetails from autocloud.producer import publish_to_fedmsg from autocloud.utils import is_valid_image, produce_jobs @@ -37,6 +37,8 @@ class AutoCloudConsumer(fedmsg.consumers.FedmsgConsumer): config_key = 'autocloud.consumer.enabled' def __init__(self, *args, **kwargs): + self.supported_archs = [arch for arch, _ in ComposeJobDetails.ARCH_TYPES] + log.info("Autocloud Consumer is ready for action.") super(AutoCloudConsumer, self).__init__(*args, **kwargs) @@ -78,6 +80,10 @@ class AutoCloudConsumer(fedmsg.consumers.FedmsgConsumer): for variant in compose_images_variants: compose_image = compose_images[variant] for arch, payload in compose_image.iteritems(): + + if arch not in self.supported_archs: + continue + for item in payload: relative_path = item['path'] if not is_valid_image(relative_path): 
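Review bot: The `continue` added under `if arch not in self.supported_archs:` in `consume` drops images without a log line, so an architecture missing from `ComposeJobDetails.ARCH_TYPES` by mistake is indistinguishable from one skipped on purpose. A line before the `continue`, e.g. `log.debug('Skipping unsupported arch %r' % arch)`, would keep that visible in the hub log. `consume` starts and ends outside the hunk.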
From 6c8f5e2e8153203c9506523bf5ee0b547c744397 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Thu, 1 Jun 2017 14:11:37 +0000 Subject: [PATCH 243/308] Install FMN from epel-testing in staging Signed-off-by: Jeremy Cline --- playbooks/manual/upgrade/fmn.yml | 9 ++++----- roles/notifs/backend/tasks/main.yml | 9 --------- roles/notifs/frontend/tasks/main.yml | 11 +++++++++++ 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/playbooks/manual/upgrade/fmn.yml b/playbooks/manual/upgrade/fmn.yml index bfdc1610c1..e731fa92a0 100644 --- a/playbooks/manual/upgrade/fmn.yml +++ b/playbooks/manual/upgrade/fmn.yml @@ -18,12 +18,11 @@ yum: name="python-fmn*" state=latest when: not testing - name: yum update FMN packages from testing repo - yum: pkg={{ item }} state=latest enablerepo=infrastructure-testing - with_items: - - python-fmn - - python-fmn-sse - - python-fmn-web + yum: pkg=python-fmn state=latest enablerepo=infrastructure-testing when: testing + - name: yum update FMN packages from testing repo + yum: pkg=python-fmn state=latest enablerepo=epel-testing + when: env == "staging" - name: verify the frontend and stop it hosts: notifs-web:notifs-web-stg diff --git a/roles/notifs/backend/tasks/main.yml b/roles/notifs/backend/tasks/main.yml index 470956dbbe..2bcea76a98 100644 --- a/roles/notifs/backend/tasks/main.yml +++ b/roles/notifs/backend/tasks/main.yml @@ -13,15 +13,6 @@ - notifs - notifs/backend -- name: install backend and sse packages - yum: pkg={{ item }} state=present - with_items: - - python-fmn-sse - when: env == "staging" - tags: - - notifs - - notifs/backend - - name: copy database configuration template: > src={{ item }} dest=/etc/fedmsg.d/{{ item }} diff --git a/roles/notifs/frontend/tasks/main.yml b/roles/notifs/frontend/tasks/main.yml index 87ff292e2d..d490e9aacc 100644 --- a/roles/notifs/frontend/tasks/main.yml +++ b/roles/notifs/frontend/tasks/main.yml 
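Review bot: The task added to the upgrade play reuses the name `yum update FMN packages from testing repo` of the task directly above it, and its condition `env == "staging"` is not exclusive with `testing`. On a staging host run with `testing` set both tasks fire, and the output does not show which repo supplied the package. A distinct name such as `- name: yum update FMN packages from epel-testing (staging)` would make that readable. `state=latest` with `enablerepo=epel-testing` installs whatever build is in testing at run time; whether a version pin is wanted cannot be told from the hunk.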
@@ -17,6 +17,17 @@ - notifs - notifs/frontend +- name: Install epel-testing fmn on stage + yum: pkg={{ item }} state=present enablerepo=epel-testing + with_items: + - python-fmn + when: env == "staging" + notify: + - restart apache + tags: + - notifs + - notifs/frontend + - name: install packages needed from epel testing yum: pkg={{ item }} state=present enablerepo=epel-testing with_items: From a61d1b560eeb24b82cd6ef60729d7ba86bfc00a1 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Thu, 1 Jun 2017 14:18:15 +0000 Subject: [PATCH 244/308] Adjust symlinking bootstrap in staging for FMN Signed-off-by: Jeremy Cline --- roles/notifs/frontend/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/notifs/frontend/tasks/main.yml b/roles/notifs/frontend/tasks/main.yml index d490e9aacc..c6fb723a7c 100644 --- a/roles/notifs/frontend/tasks/main.yml +++ b/roles/notifs/frontend/tasks/main.yml @@ -63,6 +63,17 @@ src=/usr/share/fmn.web/static/bootstrap-3.3.4-fedora dest=/usr/share/fmn.web/static/bootstrap state=link + when: env != "staging" + tags: + - notifs + - notifs/frontend + +- name: setup symlink to fedora theme + file: > + src=/usr/share/fmn/static/bootstrap-3.3.4-fedora + dest=/usr/share/fmn/static/bootstrap + state=link + when: env == "staging" tags: - notifs - notifs/frontend From 16ea698b989a6b8ae1a390751b5ded98af502c99 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 1 Jun 2017 19:32:42 +0000 Subject: [PATCH 245/308] fix loopabull template, add systemd template unit Signed-off-by: Adam Miller --- playbooks/groups/loopabull.yml | 17 +++++++++++ roles/loopabull/tasks/main.yml | 6 ---- roles/loopabull/templates/loopabull.yml.j2 | 34 +++++++++++++++++++--- 3 files changed, 47 insertions(+), 10 deletions(-) diff --git a/playbooks/groups/loopabull.yml b/playbooks/groups/loopabull.yml index 701d1ae725..478b75a42e 100644 --- a/playbooks/groups/loopabull.yml +++ b/playbooks/groups/loopabull.yml 
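Review bot: `state=present` in the added `Install epel-testing fmn on stage` task is a no-op when `python-fmn` is already installed, so a staging host that got the package from the stable repo earlier stays on the old build. The earlier install may come from the task above this hunk, which is not visible here. If the intent is to track the testing build, the task needs `yum: pkg={{ item }} state=latest enablerepo=epel-testing`, or an explicit version in the package name.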
@@ -67,6 +67,7 @@ - fedmsg/base - { role: loopabull, + loglevel: info, plugin: fedmsg, routing_keys: [ "org.fedoraproject.prod.buildsys.build.state.change" @@ -95,3 +96,19 @@ copy: src: "{{files}}/loopabull/serializer.py" dest: "/etc/fedmsg.d/serializer.py" + - name: Install the loopabull@.service template + copy: + src: "{{files}}/loopabull/loopabull@.service" + dest: "/usr/lib/systemd/system/loopabull@.service" + - name: start and enable loopabull@ + service: + name: "{{ item }}" + state: started + enabled: yes + with_items: + - loopabull@1 + - loopabull@2 + - loopabull@3 + - loopabull@4 + - loopabull@5 + diff --git a/roles/loopabull/tasks/main.yml b/roles/loopabull/tasks/main.yml index a38513b9d9..ce911d9e89 100644 --- a/roles/loopabull/tasks/main.yml +++ b/roles/loopabull/tasks/main.yml @@ -17,9 +17,3 @@ repo: "https://pagure.io/releng-automation.git" dest: "{{playbooks_dir}}" -- name: start and enable loopabull - service: - name: loopabull - state: started - enabled: yes - diff --git a/roles/loopabull/templates/loopabull.yml.j2 b/roles/loopabull/templates/loopabull.yml.j2 index c93198afe9..fc3f02ead5 100644 --- a/roles/loopabull/templates/loopabull.yml.j2 +++ b/roles/loopabull/templates/loopabull.yml.j2 
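Review bot: The tasks added at the end of the play copy `loopabull@.service` into place and then start `loopabull@1` to `loopabull@5` with no systemd reload in between, so after a unit change systemd may still run the old definition. Switching the start task to the `systemd` module with `daemon_reload: yes`, or adding a reload handler to the copy task, closes that gap. `/usr/lib/systemd/system` is the package-owned location, and locally managed units normally go under `/etc/systemd/system`, e.g. `dest: "/etc/systemd/system/loopabull@.service"`.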
@@ -3,11 +3,37 @@ # There are three main definitions: ansible, routing_keys, plugin. These will be # explained in comments above each section below. -# plugin +# loglevel # -# This is the selected plugin that will interface with your prefered origin of -# events (message bus or otherwise). -plugin: {{plugin}} +# The defaul loglevel is "info" but the following log levels are available +# - info +# - warn +# - error +# - debug +{% if loglevel is defined %} + loglevel: {{ loglevel }} +{% else %} + loglevel: info +{% endif %} + +# plugin section +# +# loopabull has two types of plugins: +# +# looper: message bus python generator plugin that will interface with your +# prefered origin of events (message bus or otherwise). +# +# translator: routing key translator which allows for alternative layouts +# on-disk for routing_key mappings to playbooks the default of +# "rkname" simple means that your playbooks share the same parent +# dir and are all named after the routing_key they correspond to +# in the message bus. +# +plugins: + looper: + name: {{ plugin }} + translator: + name: rkname # routing_keys # From a5a803e31079841d00c10550ee08cb9c1dd84388 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 1 Jun 2017 19:38:48 +0000 Subject: [PATCH 246/308] helps to include the loopabull unit template Signed-off-by: Adam Miller --- files/loopabull/loopabull@.service | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 files/loopabull/loopabull@.service diff --git a/files/loopabull/loopabull@.service b/files/loopabull/loopabull@.service new file mode 100644 index 0000000000..043c555762 --- /dev/null +++ b/files/loopabull/loopabull@.service 
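Review bot: The `{% if loglevel is defined %}` / `{% else %}` block added to `loopabull.yml.j2` can be a single line, `loglevel: {{ loglevel | default('info') }}`, which keeps the default in one place. Whitespace is collapsed in this view, so confirm that the rendered `loglevel:` key starts at column 0 like `plugins:`; an indented top-level key would change how the file parses. The new comment text also has typos (`defaul`, `prefered`, `simple means`).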
@@ -0,0 +1,17 @@ +[Unit] +Description=loopabull worker #%i +After=network.target +Documentation=https://github.com/maxamillion/loopabull + +[Service] +ExecStart=/usr/bin/loopabull $CONFIG_FILE +User=root +Group=root +Restart=on-failure +Type=simple +EnvironmentFile=-/etc/sysconfig/loopabull +Restart=on-failure +PrivateTmp=yes + +[Install] +WantedBy=multi-user.target \ No newline at end of file From ca94ebc1d02c836ba862cf13f62ef4d2fba2fb58 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 1 Jun 2017 21:06:27 +0000 Subject: [PATCH 247/308] fix the loopabull looper plugin Signed-off-by: Adam Miller --- playbooks/groups/loopabull.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/loopabull.yml b/playbooks/groups/loopabull.yml index 478b75a42e..ae7c3acc14 100644 --- a/playbooks/groups/loopabull.yml +++ b/playbooks/groups/loopabull.yml @@ -68,7 +68,7 @@ - { role: loopabull, loglevel: info, - plugin: fedmsg, + plugin: fedmsgrabbitmq, routing_keys: [ "org.fedoraproject.prod.buildsys.build.state.change" ], From 77ad6a2f658f63bb7e8f00401f56cd3e0a0210a6 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 1 Jun 2017 21:27:59 +0000 Subject: [PATCH 248/308] add fedmsg/hub role to loopabull playbook Signed-off-by: Adam Miller --- playbooks/groups/loopabull.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/loopabull.yml b/playbooks/groups/loopabull.yml index ae7c3acc14..1eede94e5a 100644 --- a/playbooks/groups/loopabull.yml +++ b/playbooks/groups/loopabull.yml @@ -65,6 +65,7 @@ roles: - rabbitmq - fedmsg/base + - fedmsg/hub - { role: loopabull, loglevel: info, From 8a1db42043bec8576deb7582826d1b4f37789fe6 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 1 Jun 2017 21:47:17 +0000 Subject: [PATCH 249/308] fix loopabull template config location Signed-off-by: Adam Miller --- roles/loopabull/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
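Review bot: In the new `loopabull@.service`, `ExecStart=/usr/bin/loopabull $CONFIG_FILE` takes its only argument from `EnvironmentFile=-/etc/sysconfig/loopabull`, and the leading `-` makes that file optional, so a host without it starts the worker with an empty argument instead of failing visibly. Nothing in this patch installs the sysconfig file; either ship it with the role or pass the path the role templates the config to directly in `ExecStart`. Every worker also runs as `User=root`/`Group=root` with `PrivateTmp=yes` as the only sandboxing, although it acts on messages arriving from the bus; a dedicated account, or `NoNewPrivileges=yes` if the playbooks it runs really need root, would narrow that, and should be tested against those playbooks. `Restart=on-failure` is listed twice. The identical unit added later under `roles/loopabull/files/` carries the same points.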
diff --git a/roles/loopabull/tasks/main.yml b/roles/loopabull/tasks/main.yml index ce911d9e89..3aae328639 100644 --- a/roles/loopabull/tasks/main.yml +++ b/roles/loopabull/tasks/main.yml @@ -10,7 +10,7 @@ - name: configure loopabull template: src: loopabull.yml.j2 - dest: "{{ansible_cfg_path}}" + dest: /etc/loopabull.yml - name: clone the playbooks repo into playbooks dir git: From fc3c0fc11250553ec6fa97722ad569e29d57ef7c Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 1 Jun 2017 22:25:42 +0000 Subject: [PATCH 250/308] move loopabull@ start into role, setup handler for template Signed-off-by: Adam Miller --- playbooks/groups/loopabull.yml | 17 +---------------- roles/loopabull/handlers/main.yml | 9 +++++++++ roles/loopabull/tasks/main.yml | 19 +++++++++++++++++++ 3 files changed, 29 insertions(+), 16 deletions(-) diff --git a/playbooks/groups/loopabull.yml b/playbooks/groups/loopabull.yml index 1eede94e5a..59e65daae6 100644 --- a/playbooks/groups/loopabull.yml +++ b/playbooks/groups/loopabull.yml @@ -97,19 +97,4 @@ copy: src: "{{files}}/loopabull/serializer.py" dest: "/etc/fedmsg.d/serializer.py" - - name: Install the loopabull@.service template - copy: - src: "{{files}}/loopabull/loopabull@.service" - dest: "/usr/lib/systemd/system/loopabull@.service" - - name: start and enable loopabull@ - service: - name: "{{ item }}" - state: started - enabled: yes - with_items: - - loopabull@1 - - loopabull@2 - - loopabull@3 - - loopabull@4 - - loopabull@5 - + notify: restart fedmsg-hub diff --git a/roles/loopabull/handlers/main.yml b/roles/loopabull/handlers/main.yml index e222efcc5d..05534c6884 100644 --- a/roles/loopabull/handlers/main.yml +++ b/roles/loopabull/handlers/main.yml @@ -1,2 +1,11 @@ --- # handlers file for loopabull +- name: restart loopabull + name: "{{ item }}" + state: restarted + with_items: + - loopabull@1 + - loopabull@2 + - loopabull@3 + - loopabull@4 + - loopabull@5 
diff --git a/roles/loopabull/tasks/main.yml b/roles/loopabull/tasks/main.yml index 3aae328639..bb2b1012b5 100644 --- a/roles/loopabull/tasks/main.yml +++ b/roles/loopabull/tasks/main.yml @@ -11,9 +11,28 @@ template: src: loopabull.yml.j2 dest: /etc/loopabull.yml + notify: restart loopabull - name: clone the playbooks repo into playbooks dir git: repo: "https://pagure.io/releng-automation.git" dest: "{{playbooks_dir}}" +- name: Install the loopabull@.service template + copy: + src: "files/loopabull@.service" + dest: "/usr/lib/systemd/system/loopabull@.service" + notify: restart loopabull + +- name: start and enable loopabull@ + service: + name: "{{ item }}" + state: started + enabled: yes + with_items: + - loopabull@1 + - loopabull@2 + - loopabull@3 + - loopabull@4 + - loopabull@5 + From 662fa93b982b6de66e75bb261e62c00cb9c90ab7 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 1 Jun 2017 22:30:18 +0000 Subject: [PATCH 251/308] fix loopabull handler Signed-off-by: Adam Miller --- roles/loopabull/handlers/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/loopabull/handlers/main.yml b/roles/loopabull/handlers/main.yml index 05534c6884..6af03246d2 100644 --- a/roles/loopabull/handlers/main.yml +++ b/roles/loopabull/handlers/main.yml @@ -1,6 +1,7 @@ --- # handlers file for loopabull - name: restart loopabull + service: name: "{{ item }}" state: restarted with_items: From c422fb5bfc8e15b0f0214c84c8cdd405b9ff2cc1 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 1 Jun 2017 22:37:34 +0000 Subject: [PATCH 252/308] fix file path in loopabull role Signed-off-by: Adam Miller --- roles/loopabull/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/loopabull/tasks/main.yml b/roles/loopabull/tasks/main.yml index bb2b1012b5..c5439a4136 100644 --- a/roles/loopabull/tasks/main.yml +++ b/roles/loopabull/tasks/main.yml 
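Review bot: In the `roles/loopabull/tasks/main.yml` hunk the unit-file task notifies `restart loopabull`, but nothing reloads systemd after `/usr/lib/systemd/system/loopabull@.service` changes, so the restart can still run the previously loaded unit definition. Add a reload step that runs before the restart, for example a handler defined ahead of `restart loopabull` with `command: systemctl daemon-reload`, and notify it from the copy task. The copy sets no `owner`, `group` or `mode`; for a unit that runs as root it is worth pinning them, e.g. `owner: root`, `group: root`, `mode: 0644`. Locally managed units conventionally go in `/etc/systemd/system`, because `/usr/lib/systemd/system` belongs to packages.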
@@ -20,7 +20,7 @@ - name: Install the loopabull@.service template copy: - src: "files/loopabull@.service" + src: "loopabull@.service" dest: "/usr/lib/systemd/system/loopabull@.service" notify: restart loopabull From b4c2cf8881a6b19a7e88c48e98ae548ae703abe9 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Thu, 1 Jun 2017 22:42:23 +0000 Subject: [PATCH 253/308] helps to actually commit the file to git Signed-off-by: Adam Miller --- roles/loopabull/files/loopabull@.service | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 roles/loopabull/files/loopabull@.service diff --git a/roles/loopabull/files/loopabull@.service b/roles/loopabull/files/loopabull@.service new file mode 100644 index 0000000000..043c555762 --- /dev/null +++ b/roles/loopabull/files/loopabull@.service @@ -0,0 +1,17 @@ +[Unit] +Description=loopabull worker #%i +After=network.target +Documentation=https://github.com/maxamillion/loopabull + +[Service] +ExecStart=/usr/bin/loopabull $CONFIG_FILE +User=root +Group=root +Restart=on-failure +Type=simple +EnvironmentFile=-/etc/sysconfig/loopabull +Restart=on-failure +PrivateTmp=yes + +[Install] +WantedBy=multi-user.target \ No newline at end of file From cfcdc07b95f55fec042c689b6ecc621df4f64360 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 2 Jun 2017 14:31:29 +0000 Subject: [PATCH 254/308] pagure: up wsgi threads/processes to 6 from 4 and see if it makes things more stable --- roles/pagure/frontend/templates/0_pagure.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pagure/frontend/templates/0_pagure.conf b/roles/pagure/frontend/templates/0_pagure.conf index 480b1ef1d7..4b76d209d1 100644 --- a/roles/pagure/frontend/templates/0_pagure.conf +++ b/roles/pagure/frontend/templates/0_pagure.conf 
@@ -3,7 +3,7 @@ WSGISocketPrefix run/wsgi WSGIRestrictSignal Off WSGIPythonOptimize 1 WSGIPassAuthorization On -WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=4 threads=4 inactivity-timeout=300 +WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=6 threads=6 inactivity-timeout=300 WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-name=paguredocs processes=4 threads=4 inactivity-timeout=300 ## Redirects http -> https From bf90483fe6231c773d13d8c5d3e4cc1b4a07bfe4 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 2 Jun 2017 14:40:18 +0000 Subject: [PATCH 255/308] fix typo --- roles/pagure/frontend/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index fc993175d6..f79c4f4f9b 100644 --- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml @@ -84,7 +84,7 @@ - pagure - name: create the /attachments folder - file: state=diretory + file: state=directory path=/srv/attachments owner=git group=git mode=0775 tags: From 5fb1ed978b83240b97f011d9160d6df2cffa29ac Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Fri, 2 Jun 2017 15:15:37 +0000 Subject: [PATCH 256/308] adding css filter for taskotron dev/stg --- .../taskotron-master/templates/artifacts.conf.j2 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 b/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 index 031987dc6c..41727887de 100644 --- a/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 +++ b/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 
@@ -32,6 +32,12 @@ ExtFilterDefine gz-to-html mode=output \ intype=application/x-gzip outtype=text/html \ cmd="/bin/gunzip -c -" +{% if deployment_type in ['dev', 'stg'] %} +ExtFilterDefine gz-to-css mode=output \ +intype=application/x-gzip outtype=text/css \ +cmd="/bin/gunzip -c -" +{% endif %} + RewriteEngine on @@ -44,6 +50,11 @@ cmd="/bin/gunzip -c -" SetOutputFilter gz-to-plain +{% if deployment_type in ['dev', 'stg'] %} + + SetOutputFilter gz-to-css + +{% endif %} SetOutputFilter gz-to-html From 6787e399bdc2f25acc73fa8ba26c43e504ec0ff2 Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Fri, 2 Jun 2017 15:29:59 +0000 Subject: [PATCH 257/308] re-enabling gzip for taskotron-dev artifacts --- .../buildmaster-configure/templates/taskotron.master.cfg.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 b/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 index e867d5617a..0dcd97702b 100644 --- a/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 +++ b/roles/taskotron/buildmaster-configure/templates/taskotron.master.cfg.j2 @@ -235,11 +235,9 @@ factory.addStep(MasterShellCommand(command=["mkdir", '-m', '0755', Interpolate(' factory.addStep(DirectoryUpload(slavesrc=Interpolate('/var/lib/taskotron/artifacts/%(prop:uuid)s/'), masterdest=Interpolate('{{ public_artifacts_dir }}/%(prop:uuid)s/task_output'))) -{% if deployment_type in ['stg', 'prod'] %} # gzip artifacts factory.addStep(MasterShellCommand(command=Interpolate('gzip -r {{ public_artifacts_dir }}/%(prop:uuid)s/task_output/*'), descriptionDone=['gzip artifacs dir content'])) -{% endif %} {% if deployment_type in ['local'] %} # copy taskotron log to master From 500ce3b92c1190de28581a6f97472556f99cfec5 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 2 Jun 2017 20:13:28 +0000 Subject: [PATCH 258/308] add fcaic alias --- roles/fas_client/files/aliases.template | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/roles/fas_client/files/aliases.template b/roles/fas_client/files/aliases.template index d972e57e24..b00bec5abf 100644 --- a/roles/fas_client/files/aliases.template +++ b/roles/fas_client/files/aliases.template @@ -343,5 +343,9 @@ blockerbugs: tflink+blockerbugs@redhat.com releng-team: ausil,mohanboddu,parasense containerbuild: maxamillion +# Fedora Community Action and Impact Coordinator +# https://fedoraproject.org/wiki/Community_Leader +fcaic: bex + #### The rest of this file is automatically generated - edit using the accounts system! From f9f125e814915d5e756ea50f623ab67806eec850 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 5 Jun 2017 12:59:28 +0000 Subject: [PATCH 259/308] Rename this playbook for consistency. --- playbooks/manual/{restart_pkgdb.yml => restart-pkgdb.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename playbooks/manual/{restart_pkgdb.yml => restart-pkgdb.yml} (100%) diff --git a/playbooks/manual/restart_pkgdb.yml b/playbooks/manual/restart-pkgdb.yml similarity index 100% rename from playbooks/manual/restart_pkgdb.yml rename to playbooks/manual/restart-pkgdb.yml From 96ba86eb27184b7909f5986d531b18e82023bd6e Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 5 Jun 2017 13:01:27 +0000 Subject: [PATCH 260/308] Add a little playbook for restarting pagure. --- playbooks/manual/restart-pagure.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 playbooks/manual/restart-pagure.yml diff --git a/playbooks/manual/restart-pagure.yml b/playbooks/manual/restart-pagure.yml new file mode 100644 index 0000000000..c0ff518233 --- /dev/null +++ b/playbooks/manual/restart-pagure.yml 
@@ -0,0 +1,19 @@ +- name: reload the frontend + hosts: pagure:pagure-stg + user: root + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + + tasks: + - name: Reload apache... + service: name="httpd" state=reloaded + + post_tasks: + - name: tell nagios to unshush w.r.t. apache + nagios: action=unsilence service=host host={{ inventory_hostname_short }}{{ env_suffix }} + delegate_to: noc01.phx2.fedoraproject.org + ignore_errors: true From 63812aa0c0f2c9ac78df63fad88b5c94a303b044 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 5 Jun 2017 14:23:40 +0000 Subject: [PATCH 261/308] Prompt for puiterwijk's attention first. --- playbooks/manual/restart-pagure.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/manual/restart-pagure.yml b/playbooks/manual/restart-pagure.yml index c0ff518233..7608cbe50a 100644 --- a/playbooks/manual/restart-pagure.yml +++ b/playbooks/manual/restart-pagure.yml @@ -9,6 +9,9 @@ - include: "{{ handlers_path }}/restart_services.yml" tasks: + - name: ask puiterwijk if he would like to capture debug info before restarting. + pause: seconds=30 prompt="Restarting pagure, abort if you want to get puiterwijk's attention first." + - name: Reload apache... service: name="httpd" state=reloaded From 1e6f6ebcf526f3df21c62c26781a5e5d94b23a5e Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 5 Jun 2017 19:30:19 +0000 Subject: [PATCH 262/308] Specify admin groups for MBS. --- roles/mbs/common/templates/config.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/mbs/common/templates/config.py b/roles/mbs/common/templates/config.py index c924a38b05..b61eddeddf 100644 --- a/roles/mbs/common/templates/config.py +++ b/roles/mbs/common/templates/config.py 
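Review bot: The `post_tasks` entry in the new `restart-pagure.yml` unsilences Nagios for each host, but the play has no earlier step that silences it, so running this playbook clears a silence that someone may have set on purpose for another reason. Either add the matching silence step in `pre_tasks` or drop the unsilence task; with `ignore_errors: true` a failure of that task also goes unnoticed. The play is named `reload the frontend` and uses `state=reloaded` while the file is called restart-pagure, so a one-line comment saying which of the two is intended would help the next operator.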
@@ -92,6 +92,12 @@ class ProdConfiguration(BaseConfiguration): #'packager', ] + # These groups are allowed to cancel the builds of other users. + ADMIN_GROUPS = [ + 'factory2', + 'releng', + ] + {% if env == 'staging' %} SECRET_KEY = '{{ mbs_stg_secret_key }}' SQLALCHEMY_DATABASE_URI = 'postgresql://mbs:{{mbs_stg_db_password}}@db-mbs/mbs' From 6d8a04cfe9382487a338ed9f0c9eb27858c7b4ab Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Tue, 6 Jun 2017 11:54:44 +0000 Subject: [PATCH 263/308] applying css serving fix to taskotron production --- roles/taskotron/taskotron-master/templates/artifacts.conf.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 b/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 index 41727887de..5262dc0d85 100644 --- a/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 +++ b/roles/taskotron/taskotron-master/templates/artifacts.conf.j2 @@ -32,11 +32,9 @@ ExtFilterDefine gz-to-html mode=output \ intype=application/x-gzip outtype=text/html \ cmd="/bin/gunzip -c -" -{% if deployment_type in ['dev', 'stg'] %} ExtFilterDefine gz-to-css mode=output \ intype=application/x-gzip outtype=text/css \ cmd="/bin/gunzip -c -" -{% endif %} RewriteEngine on @@ -50,11 +48,9 @@ cmd="/bin/gunzip -c -" SetOutputFilter gz-to-plain -{% if deployment_type in ['dev', 'stg'] %} SetOutputFilter gz-to-css -{% endif %} SetOutputFilter gz-to-html From 91ca4f03df1ef2bb6eb5de1e8edfdda06bbfd3ff Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Tue, 6 Jun 2017 16:46:55 +0000 Subject: [PATCH 264/308] Non freeze change: Update names for awstats logs --- roles/web-data-analysis/files/httpd_config.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/web-data-analysis/files/httpd_config.conf b/roles/web-data-analysis/files/httpd_config.conf index b922fe021d..cafa93fccc 100644 --- a/roles/web-data-analysis/files/httpd_config.conf 
+++ b/roles/web-data-analysis/files/httpd_config.conf @@ -6,5 +6,5 @@ # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS GssapiSSLonly Off GssapiLocalName on - Require user smooge kevin puiterwijk mattdm pfrields uraeus ryanlerch robyduck + Require user smooge kevin puiterwijk mattdm pfrields relrod uraeus ryanlerch robyduck From 01d25e6f95b1d7238865900bd633379bdf83d970 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Tue, 6 Jun 2017 19:00:12 +0000 Subject: [PATCH 265/308] Mailman: also run the unit tests for django_mailman3 --- roles/mailman/files/post-update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mailman/files/post-update.sh b/roles/mailman/files/post-update.sh index ffb59678b1..0b95d0a618 100755 --- a/roles/mailman/files/post-update.sh +++ b/roles/mailman/files/post-update.sh @@ -36,7 +36,7 @@ restorecon -r $BASEDIR/{bin,config,fulltext_index,static,templates} # Run unit tests echo "unit tests" -django-admin test --pythonpath $CONFDIR --settings settings_test hyperkitty postorius +django-admin test --pythonpath $CONFDIR --settings settings_test django_mailman3 hyperkitty postorius # Restart services systemctl start httpd mailman3 crond webui-qcluster From 5aa33a6fcc0e1de18d8e663331e774a414984f16 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 6 Jun 2017 19:25:12 +0000 Subject: [PATCH 266/308] Unfreeze modernpaste, pull some vars out to group Signed-off-by: Ricky Elrod --- inventory/group_vars/modernpaste | 5 +++++ inventory/host_vars/modernpaste01.phx2.fedoraproject.org | 2 -- inventory/host_vars/modernpaste02.phx2.fedoraproject.org | 2 -- 3 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 inventory/group_vars/modernpaste diff --git a/inventory/group_vars/modernpaste b/inventory/group_vars/modernpaste new file mode 100644 index 0000000000..50f33ae9ef --- /dev/null +++ b/inventory/group_vars/modernpaste 
@@ -0,0 +1,5 @@ +-- +freezes: false +mem_size: 4096 +num_cpus: 2 +tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/modernpaste01.phx2.fedoraproject.org b/inventory/host_vars/modernpaste01.phx2.fedoraproject.org index 6f3a286dc0..e56aee0a40 100644 --- a/inventory/host_vars/modernpaste01.phx2.fedoraproject.org +++ b/inventory/host_vars/modernpaste01.phx2.fedoraproject.org @@ -6,9 +6,7 @@ dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ -mem_size: 4096 volgroup: /dev/vg_virthost03 eth0_ip: 10.5.126.230 vmhost: virthost03.phx2.fedoraproject.org datacenter: phx2 -tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/modernpaste02.phx2.fedoraproject.org b/inventory/host_vars/modernpaste02.phx2.fedoraproject.org index 067c91a10a..46cfadf301 100644 --- a/inventory/host_vars/modernpaste02.phx2.fedoraproject.org +++ b/inventory/host_vars/modernpaste02.phx2.fedoraproject.org @@ -6,9 +6,7 @@ dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ -mem_size: 4096 volgroup: /dev/vg_virthost01 eth0_ip: 10.5.126.238 vmhost: virthost01.phx2.fedoraproject.org datacenter: phx2 -tcp_ports: [22, 80, 443] From 07d7e2e2d1afc8eb114d5505cdae3c5772f9cf84 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 1 Jun 2017 15:20:26 +0200 Subject: [PATCH 267/308] Update the pagure upgrade playbook to make it up to date --- playbooks/manual/upgrade/pagure.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/playbooks/manual/upgrade/pagure.yml b/playbooks/manual/upgrade/pagure.yml index 349aed29ee..eb429f3ae5 100644 --- a/playbooks/manual/upgrade/pagure.yml +++ b/playbooks/manual/upgrade/pagure.yml 
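Review bot: The new `inventory/group_vars/modernpaste` starts with `--` rather than the YAML document marker `---`; if the file really begins that way, the first line is read as a scalar and the `freezes: false` mapping after it should fail to parse, so none of the group variables would load. Change the first line to `---`. Because `mem_size` and `tcp_ports` are removed from both host_vars files in the same commit, a parse failure here would leave those hosts without either value; a syntax check of the inventory before applying would catch it.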
@@ -39,11 +39,6 @@ update_cache=yes when: testing - - name: Create new tables in the database - command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py - environment: - PAGURE_CONFIG: /etc/pagure/pagure.cfg - - name: Upgrade the database command: /usr/bin/alembic -c /etc/pagure/alembic.ini upgrade head args: @@ -51,12 +46,20 @@ environment: PAGURE_CONFIG: /etc/pagure/pagure.cfg + - name: call createdb + command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py + environment: + PAGURE_CONFIG: /etc/pagure/pagure.cfg + post_tasks: - service: name="httpd" state=restarted - service: name="pagure_ev" state=restarted - service: name="pagure_ci" state=restarted - service: name="pagure_webhook" state=restarted - service: name="pagure_milter" state=restarted + - service: name="pagure_worker" state=restarted + - service: name="pagure_logcom" state=restarted + - service: name="pagure_loadjson" state=restarted - name: tell nagios to unshush w.r.t. the frontend nagios: action=unsilence From e82e65dbc4e541df70147819e37eb49335a5dd56 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 7 Jun 2017 12:28:42 +0200 Subject: [PATCH 268/308] Sync the blacklist list with upstream's Got acked on IRC from Patrick and Peter --- roles/pagure/frontend/templates/pagure.cfg | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/pagure/frontend/templates/pagure.cfg b/roles/pagure/frontend/templates/pagure.cfg index 601340e493..2344690142 100644 --- a/roles/pagure/frontend/templates/pagure.cfg +++ b/roles/pagure/frontend/templates/pagure.cfg 
@@ -158,9 +158,10 @@ SHORT_LENGTH = 7 ### List of blacklisted project names that can conflicts for pagure's URLs ### or other BLACKLISTED_PROJECTS = [ - 'static', 'pv', 'releases', 'new', 'api', 'settings', - 'logout', 'login', 'users', 'groups', 'projects', 'ssh_info' - 'issues', 'pull-requests', 'commits', 'tree', 'forks', + 'static', 'pv', 'releases', 'new', 'api', 'settings', 'search', 'fork', + 'logout', 'login', 'user', 'users', 'groups', 'projects', 'ssh_info', + 'issues', 'pull-requests', 'commits', 'tree', 'forks', 'admin', 'c', + 'wait', ] DISABLED_PLUGINS = ['IRC'] From 91d9beb07e40af450262b35107f33e6e045bf80f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 1 Jun 2017 12:50:32 +0000 Subject: [PATCH 269/308] Grant bex access to some things in regcfp Signed-off-by: Patrick Uiterwijk --- roles/regcfp/templates/config.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index c070b8d335..90baa7d3ba 100644 --- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json 
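Review bot: The names added to `BLACKLISTED_PROJECTS` in `pagure.cfg` presumably only block creating new projects, so a project that already exists under one of them would still collide with the corresponding URL. That includes `ssh_info` and `issues`: the old list had no comma after `'ssh_info'`, so Python joined it with `'issues'` into one string and neither name was actually listed. Check the existing projects for these names, and for the newly added `search`, `fork`, `user`, `admin`, `c` and `wait`, before deploying. A comment such as `# keep in sync with upstream pagure default config` above the list would make the next drift easier to spot.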
@@ -57,13 +57,13 @@ }, "permissions": { - "admin": ["puiterwijk@fedoraproject.org", "pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "duffy@fedoraproject.org", "decause@fedoraproject.org", "spot@fedoraproject.org", "robyduck@fedoraproject.org", "rsuehle@fedoraproject.org", "mattdm@fedoraproject.org"], + "admin": ["puiterwijk@fedoraproject.org", "pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "duffy@fedoraproject.org", "decause@fedoraproject.org", "spot@fedoraproject.org", "robyduck@fedoraproject.org", "rsuehle@fedoraproject.org", "mattdm@fedoraproject.org", "bex@fedoraproject.org"], "papers": { "submit": ["*authenticated*"], "list": { "accepted": ["jwboyer@fedoraproject.org", "spot@fedoraproject.org"], "own": ["*authenticated*"], - "all": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org"] + "all": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"] }, "edit": { "own": ["*authenticated*"], @@ -83,7 +83,7 @@ "pay": ["*authenticated*"], "request_receipt": [], "view_public": [], - "view_all": [""], + "view_all": ["bex@fedoraproject.org"], "add_payment": [], "print_badge": [], "desk": [], From 9086bd755489bdf5b77616364d660ec45d1b92ad Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 7 Jun 2017 13:46:53 +0000 Subject: [PATCH 270/308] Grant mizmo access to regcfp Signed-off-by: Patrick Uiterwijk --- roles/regcfp/templates/config.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index 90baa7d3ba..c0d0d9c9b4 100644 --- a/roles/regcfp/templates/config.json 
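Review bot: The first `config.json` hunk adds `bex@fedoraproject.org` to `permissions.admin` as well as to `papers.list.all`, and the second adds it to `view_all`, while the subject describes access to some things. If `admin` grants everything in regcfp (not visible in this hunk; the `permissions` object continues outside it), the two narrower entries are redundant; if only listing and viewing are needed, leave the account out of `admin`. Stating the intended scope in the commit message would make later audits of this list easier.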
+++ b/roles/regcfp/templates/config.json @@ -57,7 +57,7 @@ }, "permissions": { - "admin": ["puiterwijk@fedoraproject.org", "pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "duffy@fedoraproject.org", "decause@fedoraproject.org", "spot@fedoraproject.org", "robyduck@fedoraproject.org", "rsuehle@fedoraproject.org", "mattdm@fedoraproject.org", "bex@fedoraproject.org"], + "admin": ["puiterwijk@fedoraproject.org", "pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "duffy@fedoraproject.org", "decause@fedoraproject.org", "spot@fedoraproject.org", "robyduck@fedoraproject.org", "rsuehle@fedoraproject.org", "mattdm@fedoraproject.org", "bex@fedoraproject.org", "duffy@fedoraproject.org"], "papers": { "submit": ["*authenticated*"], "list": { @@ -83,7 +83,8 @@ "pay": ["*authenticated*"], "request_receipt": [], "view_public": [], - "view_all": ["bex@fedoraproject.org"], + "view_all": ["bex@fedoraproject.org", "duffy@fedoraproject.org"], + "view_payment": ["bex@fedoraproject.org", "duffy@fedoraproject.org"], "add_payment": [], "print_badge": [], "desk": [], From a6fe2452113787b0b5c6dee967ba664aafbb8dd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Thu, 8 Jun 2017 07:55:40 +0000 Subject: [PATCH 271/308] Mailman: one more service to stop --- playbooks/manual/staging-sync/mailman.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/manual/staging-sync/mailman.yml b/playbooks/manual/staging-sync/mailman.yml index f10ef04d04..85b1dd649a 100644 --- a/playbooks/manual/staging-sync/mailman.yml +++ b/playbooks/manual/staging-sync/mailman.yml @@ -13,6 +13,7 @@ - include: "{{ handlers_path }}/restart_services.yml" tasks: + - service: name=webui-qcluster state=stopped - service: name=httpd state=stopped - service: name=mailman3 state=stopped From 154cb744ff23a4122c0d4aa0c3c6661bd1025533 Mon Sep 17 00:00:00 2001 
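Review bot: `duffy@fedoraproject.org` is appended to `permissions.admin` in the first hunk, but that address is already in the list, so the new entry is a duplicate and grants nothing. The effective change is the second hunk, which adds the account to `view_all` and introduces a `view_payment` key. None of the neighbouring keys visible here is named `view_payment`, so confirm the application reads it; a key it does not recognise would presumably be ignored without any error.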
From: Stephen Smoogen Date: Thu, 8 Jun 2017 16:09:14 +0000 Subject: [PATCH 272/308] remove the mediawiki hooks for piwik --- roles/mediawiki/files/skins/Fedora.php | 16 ---------------- roles/mediawiki123/files/skins/Fedora.php | 16 ---------------- 2 files changed, 32 deletions(-) diff --git a/roles/mediawiki/files/skins/Fedora.php b/roles/mediawiki/files/skins/Fedora.php index fda1a78846..1956819b8c 100644 --- a/roles/mediawiki/files/skins/Fedora.php +++ b/roles/mediawiki/files/skins/Fedora.php @@ -91,22 +91,6 @@ class FedoraTemplate extends QuickTemplate { if($this->data['trackbackhtml']) print $this->data['trackbackhtml']; ?> html('headscripts') ?> - - - - data['body_ondblclick']) { ?>ondblclick="text('body_ondblclick') ?>" data['body_onload' ]) { ?>onload="text('body_onload') ?>" diff --git a/roles/mediawiki123/files/skins/Fedora.php b/roles/mediawiki123/files/skins/Fedora.php index fda1a78846..1956819b8c 100644 --- a/roles/mediawiki123/files/skins/Fedora.php +++ b/roles/mediawiki123/files/skins/Fedora.php @@ -91,22 +91,6 @@ class FedoraTemplate extends QuickTemplate { if($this->data['trackbackhtml']) print $this->data['trackbackhtml']; ?> html('headscripts') ?> - - - - data['body_ondblclick']) { ?>ondblclick="text('body_ondblclick') ?>" data['body_onload' ]) { ?>onload="text('body_onload') ?>" From 785ad3685f2f393b2a9dc3d1fe5be4525eaacafb Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 8 Jun 2017 19:21:39 +0000 Subject: [PATCH 273/308] [modernpaste] Update rewrite rules for puiterwijk patch, document the crap out of them Signed-off-by: Ricky Elrod --- roles/modernpaste/files/modern-paste.conf | 114 ++++++++++++++++++++-- 1 file changed, 107 insertions(+), 7 deletions(-) diff --git a/roles/modernpaste/files/modern-paste.conf b/roles/modernpaste/files/modern-paste.conf index a9fc0feea5..3a7e321083 100644 --- a/roles/modernpaste/files/modern-paste.conf +++ b/roles/modernpaste/files/modern-paste.conf 
@@ -2,7 +2,112 @@ WSGIDaemonProcess stickynotes2modernpaste user=apache group=apache threads=5 WSGIScriptAlias /stickynotes2modernpaste /usr/share/stickynotes2modernpaste/stickynotes2modernpaste.wsgi WSGISocketPrefix run/wsgi +# Grab a cup of coffee, a light snack, and turn on some classical music. +# You're in for a bit of a novel. +# +# The below rules are worthy of some comment so that later on when I (or +# heaven forbid anyone else) have to revisit them for some horrible reason, +# they can be referred to and maybe (but unlikely) useful. +# +# Chapter 1. Background. +# +# The rewrite rules exist solely for the purpose of continuing to support old +# `fpaste` (the CLI app). This is in the process of being rewritten, and one +# day we won't have to support it anymore. But for now, we do, because it's on +# live media (and, I believe, Desktop installs, by default), and when a user is +# having issues and asking for help in IRC, they need to be able to use +# `fpaste` to do so. So, that is why we care about `fpaste` in its current +# (F25-F26) form. +# +# You see, fpaste was written in such a way that it makes a lot of weird +# assumptions that don't hold anymore. I will not speculate on why it was +# written the way it was, but I _will_ briefly outline some of the intricacies +# of supporting it. +# +# First off the workflow is something like this: +# 1. User wants to paste some text. Who knows why they want to do this. Maybe +# they are bored and want to see how broken our rewrite rules are. Maybe +# they hate me and want to see me cry trying to fix them. Who knows?! +# +# 2. The fpaste client makes a POST on their behalf to /. This POST payload +# includes the text of the paste and some other information (paste +# language, etc). +# +# 3. 
The server sees the POST, matches it against our rules below, and +# decides that it needs to redirect them to stickynotes2modernpaste, a +# custom Flask app that I (relrod) wrote so that we could handle requests +# that are in the form our old stickynotes pastebin accepted, and proxy +# them to modernpaste. +# +# Note that this matches the first set of crazy RewriteConds below. We +# only want to send CLI users there, and only when they POST to /. At +# this point, at least. +# +# 4. sn2mp says "okay cool," proxies the paste to modernpaste via its JSON +# API, and returns back to fpaste a JSON blob that contains JSON with two +# keys that fpaste requires exists. In our response, one of them is always +# an empty string, and the other is the id of the paste, prefixed with +# "paste/". +# +# 5. At this point, fpaste has enough information to return a URL to the +# paste. However, things are not all okay in the world. You see, fpaste +# wants to show a short-url too. Apparently people don't like typing or +# something. To generate a short-url, the fpaste client sends another POST +# to us, at the path "/paste/[the paste id]//". In the past, when it would +# do this, stickynotes would return a JSON blob that included the +# short-url. In fact, it would always include the short-url at the +# third-line from the last in its JSON response, and the fpaste client +# hardcoded that assumption. See Chapter 2 for information about the "//". +# +# 6. When we get this second POST, we again send the client to sn2mp. We add +# a few more crazy RewriteConds to ensure that we only add this behavior +# for fpaste and not most users. We know paste IDs are 22-24 characters +# long (as per https://github.com/LINKIWI/modern-paste/pull/33) and that +# the client will always POST to "/paste/[the paste id]//". So we match on +# that. If we match, sn2mp will take everything after its name and append +# it to the URL that ultimately gets shipped to da.gd for shortening. 
Then +# it returns a (malformed) JSON blob that is written in exactly the way +# fpaste expects. +# +# 7. Then fpaste shows the user both URLs, and all is okay. +# +# Chapter 2. Trailing slashes. +# +# The fpaste client defaults to private mode, but modernpaste doesn't support +# that, per se. You can password-protect pastes, but that's about it. +# +# However, they way stickynotes worked, it used /[paste id]/[secret] when a +# paste was private. Since modernpaste does things differently, sn2mp never +# returns the [secret] part of that URL. Or rather, it returns the empty string +# in its place. This means, by default (private mode = true), fpaste will +# both render, and internally use, a URL that has /[paste id]/[secret]. But +# since [secret] is the empty string, this is equivalent to /[paste id]/, with +# the trailing slash. +# +# To make matters worse, this little gem is found in the fpaste procedure for +# doing the second POST (#5 and 6 above): +# +# eq = urllib.request.Request(url=long_url+'/', data=params.encode()) +# +# Yep, it adds a '/' for the second POST. So we get POSTs to +# /paste/[paste id]// during the second POST. +# +# Our capture of the paste ID below (the ".{22,24}" part) will match the first +# trailing slash, but not the second (because of the /$ that comes after). +# Nevertheless sn2mp handles all three cases anyway, and will STRIP OFF +# trailing slashes if they occur 0, 1, or 2 times. +# +# Lastly, the long url that fpaste shows the user contains one trailing slash +# (due to the /[secret] part from how stickynotes worked). So we add one final +# rewrite that redirects users who go to that, to the non-slash version. +# +# If you have made it this far, you are a champion. You should get a badge. +# +# Warm regards and good luck, +# relrod + RewriteEngine on +#LogLevel alert rewrite:trace6 RewriteRule login / [L,R] RewriteCond %{HTTP_USER_AGENT} ^fpaste\/0\.3.*$ [OR] 
@@ -13,15 +118,10 @@ RewriteRule ^/$ /stickynotes2modernpaste/$1 [L,PT] RewriteCond %{HTTP_USER_AGENT} ^fpaste\/0\.3.*$ [OR] RewriteCond %{HTTP_USER_AGENT} ^Python\-urllib.*$ RewriteCond %{REQUEST_METHOD} POST -RewriteRule ^/(.*)=/$ /stickynotes2modernpaste/$1= [L,PT] - -RewriteCond %{HTTP_USER_AGENT} ^fpaste\/0\.3.*$ [OR] -RewriteCond %{HTTP_USER_AGENT} ^Python\-urllib.*$ -RewriteCond %{REQUEST_METHOD} POST -RewriteRule ^/(.*)=//$ /stickynotes2modernpaste/$1= [L,PT] +RewriteRule ^/paste/(.{22,24})/$ /stickynotes2modernpaste/paste/$1 [L,PT] # Otherwise, if we're given a URL with a trailing slash, kill it. -RewriteRule ^/(.*)=/$ /$1= [R,L] +RewriteRule ^/paste/([^/]{22,24})/$ /paste/$1 [R,L] WSGIScriptAlias / /usr/share/modern-paste/modern_paste.wsgi From 754107bd80c558e7127f33bf9d38ed353cddd2ee Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 8 Jun 2017 19:48:07 +0000 Subject: [PATCH 274/308] fix a var --- inventory/group_vars/modernpaste | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/modernpaste b/inventory/group_vars/modernpaste index 50f33ae9ef..caee69f777 100644 --- a/inventory/group_vars/modernpaste +++ b/inventory/group_vars/modernpaste @@ -1,4 +1,4 @@ --- +--- freezes: false mem_size: 4096 num_cpus: 2 From bc79560132ecd6417294cede9c81ff6b9643ba5f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Thu, 8 Jun 2017 23:02:54 +0200 Subject: [PATCH 275/308] Fix fcontexts for Pagure git repos and releases Signed-off-by: Patrick Uiterwijk --- roles/pagure/frontend/tasks/main.yml | 37 ++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index f79c4f4f9b..ddb4248e5c 100644 --- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml 
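Review bot: Step 6 of the new comment block says the extra RewriteConds "ensure that we only add this behavior for fpaste and not most users", but those conditions test `HTTP_USER_AGENT`, which the client chooses. They select a code path and do not restrict who can reach stickynotes2modernpaste. I would say so in Chapter 1, for example `# Note: the User-Agent match is routing only; any client can send it, so sn2mp must validate what it receives.` The rules the comment describes are outside this hunk and appear as context in the next one.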
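Review bot: The new POST rule `^/paste/(.{22,24})/$` captures with `.`, which also matches `/`. A 24-character ID followed by the `//` that the comment block says fpaste sends leaves 26 characters after `/paste/` and cannot match, and for shorter IDs the first slash ends up inside `$1`. Since `$1` is passed to stickynotes2modernpaste and, per the comment, on into the URL sent for shortening, the capture is better limited to the ID itself, as the redirect rule below already does: `RewriteRule ^/paste/([^/]{22,24})//?$ /stickynotes2modernpaste/paste/$1 [L,PT]`. This assumes the server does not merge duplicate slashes before mod_rewrite sees the path, which the commented-out `rewrite:trace6` logging can confirm.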
@@ -285,6 +285,43 @@ tags: - pagure +- name: check the selinux context of the git repo directory + command: matchpathcon /srv/git + register: distgitcontext + check_mode: no + changed_when: false + tags: + - config + - pagure + - selinux + +- name: set the SELinux policy for the distgit root directory + command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?" + when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1 + tags: + - config + - pagure + - selinux + +- name: check the selinux context of the releases directory + command: matchpathcon /var/www/releases + register: distgitcontext + check_mode: no + changed_when: false + tags: + - config + - pagure + - selinux + +# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions? +- name: set the SELinux policy for the releases directory + command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?" + when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1 + tags: + - config + - pagure + - selinux + - name: copy over our custom selinux module copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp register: selinux_module From 11ba27ce11b98ba6dd2d4bae8b47b7523bc7e1d7 Mon Sep 17 00:00:00 2001 
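Review bot: Neither `semanage fcontext -a` task is followed by a relabel, so files that already exist under /srv/git and /var/www/releases keep their current type until something runs restorecon; the hunk only changes the file-context database. A follow-up such as `command: restorecon -R /srv/git` (and the same for /var/www/releases), run when the semanage task ran, would apply the label immediately, unless a later task outside this hunk already does so. Both checks also register into `distgitcontext`, which works only because each `when:` reads it before the next check overwrites it. A separate name such as `releasescontext` for the second check would make that ordering explicit. The task list continues outside the hunk.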
From: clime Date: Thu, 8 Jun 2017 14:56:52 +0200 Subject: [PATCH 276/308] copr-backend: prep for release + clean-up --- inventory/group_vars/copr-back | 1 - .../backend/files/provision/builderpb.yml | 95 ------------------- .../files/provision/builderpb_nova.yml | 3 +- .../provision/builderpb_nova_ppc64le.yml | 8 +- .../files/provision/builderpb_ppc64le.yml | 45 --------- roles/copr/backend/files/provision/copr.repo | 11 --- .../provision/files/mock/custom-1-i386.cfg | 24 ----- .../provision/files/mock/custom-1-ppc64le.cfg | 24 ----- .../provision/files/mock/custom-1-x86_64.cfg | 24 ----- .../provision/files/mock/fedora-26-i386.cfg | 72 -------------- .../files/mock/fedora-26-ppc64le.cfg | 72 -------------- .../provision/files/mock/fedora-26-x86_64.cfg | 72 -------------- .../provision/provision_builder_tasks.yml | 90 +++--------------- .../provision_builder_tasks_ppc64le.yml | 94 ------------------ .../backend/files/provision/terminatepb.yml | 17 ---- .../files/provision/terminatepb_ppc64le.yml | 30 ------ roles/copr/backend/tasks/main.yml | 7 +- roles/copr/backend/templates/copr-be.conf.j2 | 2 + .../provision/copr-rpmbuild/main.ini.j2 | 4 + .../templates/provision/fedpkg-copr.conf | 10 -- .../templates/provision/nova_cloud_vars.yml | 2 - .../provision/nova_cloud_vars_ppc64le.yml | 18 ---- 22 files changed, 28 insertions(+), 697 deletions(-) delete mode 100644 roles/copr/backend/files/provision/builderpb.yml delete mode 100644 roles/copr/backend/files/provision/builderpb_ppc64le.yml delete mode 100644 roles/copr/backend/files/provision/copr.repo delete mode 100644 roles/copr/backend/files/provision/files/mock/custom-1-i386.cfg delete mode 100644 roles/copr/backend/files/provision/files/mock/custom-1-ppc64le.cfg delete mode 100644 roles/copr/backend/files/provision/files/mock/custom-1-x86_64.cfg delete mode 100644 roles/copr/backend/files/provision/files/mock/fedora-26-i386.cfg delete mode 100644 roles/copr/backend/files/provision/files/mock/fedora-26-ppc64le.cfg 
delete mode 100644 roles/copr/backend/files/provision/files/mock/fedora-26-x86_64.cfg delete mode 100644 roles/copr/backend/files/provision/provision_builder_tasks_ppc64le.yml delete mode 100644 roles/copr/backend/files/provision/terminatepb.yml delete mode 100644 roles/copr/backend/files/provision/terminatepb_ppc64le.yml create mode 100644 roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 delete mode 100644 roles/copr/backend/templates/provision/fedpkg-copr.conf delete mode 100644 roles/copr/backend/templates/provision/nova_cloud_vars_ppc64le.yml diff --git a/inventory/group_vars/copr-back b/inventory/group_vars/copr-back index 909f14b97a..9a98c79961 100644 --- a/inventory/group_vars/copr-back +++ b/inventory/group_vars/copr-back @@ -7,7 +7,6 @@ copr_nova_tenant_name: "copr" copr_nova_username: "copr" # copr_builder_image_name: "Fedora-Cloud-Base-20141203-21" -copr_builder_image_name: "builder-f24" copr_builder_flavor_name: "ms2.builder" copr_builder_network_name: "copr-net" copr_builder_key_name: "buildsys" diff --git a/roles/copr/backend/files/provision/builderpb.yml b/roles/copr/backend/files/provision/builderpb.yml deleted file mode 100644 index 21b0bd242b..0000000000 --- a/roles/copr/backend/files/provision/builderpb.yml +++ /dev/null 
@@ -1,95 +0,0 @@ ---- -- name: check/create instance - hosts: localhost - user: copr - gather_facts: False - - vars_files: - - nova_cloud_vars.yml - - vars: - - security_group: builder - - image_id: cba0c766-84ac-4048-b0f5-6d4000af62f8 - - OS_USERNAME_OLD: msuchy - - OS_AUTH_URL_OLD: http://172.23.0.2:5000/v2.0 - # todo: remove after transition to new cloud - - tasks: - - name: generate builder name - local_action: command echo "Copr builder {{ 999999999 | random }}" - register: vm_name - - - name: spin it up - local_action: nova_compute auth_url={{OS_AUTH_URL_OLD}} flavor_id=6 image_id={{ image_id }} key_name=buildsys login_password={{OS_PASSWORD_OLD}} login_tenant_name={{OS_TENANT_NAME}} login_username={{OS_USERNAME_OLD}} security_groups={{security_group}} wait=yes name="{{vm_name.stdout}}" - register: nova - - # should be able to use nova.private_ip, but it does not work with Fedora Cloud. - - debug: msg="IP={{ nova.info.addresses.vlannet_3[0].addr }}" - - - debug: msg="vm_name={{vm_name.stdout}}" - - - name: add it to the special group - local_action: add_host hostname={{ nova.info.addresses.vlannet_3[0].addr }} groupname=builder_temp_group - - - name: wait for the host to be hot - local_action: wait_for host={{ nova.info.addresses.vlannet_3[0].addr }} port=22 delay=5 timeout=600 - -- hosts: builder_temp_group - user: root - gather_facts: True - vars: - - files: files/ - - tasks: - - name: edit hostname to be instance name - shell: hostname `curl -s http://169.254.169.254/2009-04-04/meta-data/instance-id` - - - name: install pkgs - yum: state=present pkg={{ item }} - with_items: - - rsync - - openssh-clients - - libselinux-python - - libsemanage-python - - - name: add repos - copy: src={{ files }}/{{ item }} dest=/etc/yum.repos.d/{{ item }} - with_items: - - epel6.repo - - - name: install additional pkgs - yum: state=present pkg={{ item }} - with_items: - - mock - - createrepo - - yum-utils - - pyliblzma - - - name: make sure newest rpm - yum: name={{ item }} 
state=latest - with_items: - - rpm - - glib2 - - ca-certificates - - #- yum: name=mock enablerepo=epel-testing state=latest - - - name: mockbuilder user - user: name=mockbuilder groups=mock - - - name: mockbuilder .ssh - file: state=directory path=/home/mockbuilder/.ssh mode=0700 owner=mockbuilder group=mockbuilder - - - name: mockbuilder authorized_keys - authorized_key: user=mockbuilder key='{{ lookup('file', '/home/copr/provision/files/buildsys.pub') }}' - - - name: put updated mock configs into /etc/mock - template: src={{ files }}/mock/{{ item }} dest=/etc/mock - with_items: - - site-defaults.cfg - - - lineinfile: dest=/etc/mock/fedora-rawhide-x86_64.cfg line="config_opts['package_manager'] = 'dnf'" state=absent - - lineinfile: dest=/etc/mock/fedora-rawhide-i386.cfg line="config_opts['package_manager'] = 'dnf'" state=absent - - - lineinfile: dest=/etc/security/limits.conf line="* soft nofile 10240" insertafter=EOF - - lineinfile: dest=/etc/security/limits.conf line="* hard nofile 10240" insertafter=EOF diff --git a/roles/copr/backend/files/provision/builderpb_nova.yml b/roles/copr/backend/files/provision/builderpb_nova.yml index 97b11e22ae..11c797e6e0 100644 --- a/roles/copr/backend/files/provision/builderpb_nova.yml +++ b/roles/copr/backend/files/provision/builderpb_nova.yml @@ -11,6 +11,7 @@ keypair: buildsys max_spawn_time: 600 spawning_vm_user: "fedora" + image_name: "copr-builder-f26-x86_64-beta" tasks: - name: generate builder name @@ -61,5 +62,5 @@ - nss-softokn-freebl.i686 # DNF module will not resolve the deps, we must install deps manualy! - name: install i686 version of nosync for multilib building - dnf: name=https://kojipkgs.fedoraproject.org//packages/nosync/1.0/5.fc24/i686/nosync-1.0-5.fc24.i686.rpm state=present + dnf: name=https://kojipkgs.fedoraproject.org/packages/nosync/1.0/6.fc26/i686/nosync-1.0-6.fc26.i686.rpm state=present when: prepare_base_image is defined 
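Review bot: The updated `nosync` task still installs an RPM directly from a Koji URL, so the package bypasses the configured repositories. Its integrity rests on TLS to kojipkgs plus whatever signature checking dnf applies to packages given by URL, which I cannot confirm from this hunk. With the builders moving to an F26 image, `dnf: name=nosync.i686 state=present` from the Fedora repositories would avoid both the pinned build and the signature question, if the dependency problem mentioned in the comment above allows it. Otherwise I would add a comment such as `# installed by URL because <reason>; bump the build together with image_name`. The play continues outside the hunk.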
diff --git a/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml b/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml index dc91142cf5..73c4606704 100644 --- a/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml +++ b/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml @@ -3,7 +3,7 @@ gather_facts: False vars_files: - - nova_cloud_vars_ppc64le.yml + - nova_cloud_vars.yml vars: # _OS_AUTH_OPTS: "--os-auth-url {{OS_AUTH_URL}} --os-username {{OS_USERNAME}} --os-password {{OS_PASSWORD}} --os-tenant-name {{OS_TENANT_NAME}} --os-tenant-id {{OS_TENANT_ID}} " @@ -11,6 +11,7 @@ keypair: buildsys max_spawn_time: 600 spawning_vm_user: "fedora" + image_name: "copr-builder-f26-ppc64le-beta" tasks: - name: generate builder name @@ -41,7 +42,10 @@ #prepare_base_image: True tasks: - - include: "provision_builder_tasks_ppc64le.yml" + - name: swap on /dev/vda 100GB volume for tmpfs mock plugin + command: swapon /dev/vda + + - include: "provision_builder_tasks.yml" - name: disable offloading command: ethtool -K eth0 tso off gro off gso off diff --git a/roles/copr/backend/files/provision/builderpb_ppc64le.yml b/roles/copr/backend/files/provision/builderpb_ppc64le.yml deleted file mode 100644 index af892422c1..0000000000 --- a/roles/copr/backend/files/provision/builderpb_ppc64le.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -- name: check/create instance - hosts: 127.0.0.1 - gather_facts: False - - tasks: - - name: add hypervisor - local_action: add_host hostname=rh-power2.fit.vutbr.cz groupname=spinup_vm_group - - -- name: spinup vm - hosts: spinup_vm_group - gather_facts: False - user: msuchy - - tasks: - - name: spin up VM - shell: /home/msuchy/bin/get-one-vm.sh - register: get_one - - - debug: msg="{{ get_one.stdout }}" - - - set_fact: builder_ip="{{ get_one.stdout|extract_ip_from_stdout() }}" - - - name: wait for he host to be hot - local_action: wait_for host={{ builder_ip }} port=22 delay=1 timeout=600 - - - name: add builder ip to the special group - local_action: add_host hostname={{ builder_ip }} groupname=builder_temp_group - -- name: provision builder - hosts: builder_temp_group - gather_facts: True - user: root - - vars: - # pass this options if you need to create new base image from snapshot - #prepare_base_image: True - - tasks: - - include: "provision_builder_tasks.yml" - - - name: disable offloading - command: ethtool -K eth0 tso off gro off gso off - - - yum: state=latest enablerepo="updates-testing" name=mock diff --git a/roles/copr/backend/files/provision/copr.repo b/roles/copr/backend/files/provision/copr.repo deleted file mode 100644 index 90aa909168..0000000000 --- a/roles/copr/backend/files/provision/copr.repo +++ /dev/null @@ -1,11 +0,0 @@ -[Copr] -name=Copr -failovermethod=priority -baseurl=https://209.132.184.48/results/@copr/copr/fedora-$releasever-x86_64/ - https://copr-be.cloud.fedoraproject.org/results/@copr/copr/fedora-$releasever-x86_64/ - https://172.25.32.109/results/@copr/copr/fedora-$releasever-x86_64/ - -enabled=1 -gpgcheck=1 -gpgkey=https://copr-be.cloud.fedoraproject.org/results/@copr/copr/pubkey.gpg -skip_if_unavailable=1 diff --git a/roles/copr/backend/files/provision/files/mock/custom-1-i386.cfg b/roles/copr/backend/files/provision/files/mock/custom-1-i386.cfg deleted file mode 100644 index bccbdc9beb..0000000000 
--- a/roles/copr/backend/files/provision/files/mock/custom-1-i386.cfg +++ /dev/null @@ -1,24 +0,0 @@ -config_opts['root'] = 'custom-1-i386' -config_opts['target_arch'] = 'i686' -config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') -config_opts['chroot_setup_cmd'] = '' -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/dnf.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary - -""" diff --git a/roles/copr/backend/files/provision/files/mock/custom-1-ppc64le.cfg b/roles/copr/backend/files/provision/files/mock/custom-1-ppc64le.cfg deleted file mode 100644 index 8742102d82..0000000000 --- a/roles/copr/backend/files/provision/files/mock/custom-1-ppc64le.cfg +++ /dev/null @@ -1,24 +0,0 @@ -config_opts['root'] = 'custom-1-ppc64le' -config_opts['target_arch'] = 'ppc64le' -config_opts['legal_host_arches'] = ('ppc64le',) -config_opts['chroot_setup_cmd'] = '' -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/dnf.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary - -""" diff --git a/roles/copr/backend/files/provision/files/mock/custom-1-x86_64.cfg b/roles/copr/backend/files/provision/files/mock/custom-1-x86_64.cfg deleted file mode 100644 index 43554b106d..0000000000 --- a/roles/copr/backend/files/provision/files/mock/custom-1-x86_64.cfg +++ /dev/null 
@@ -1,24 +0,0 @@ -config_opts['root'] = 'custom-1-x86_64' -config_opts['target_arch'] = 'x86_64' -config_opts['legal_host_arches'] = ('x86_64',) -config_opts['chroot_setup_cmd'] = '' -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/dnf.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary - -""" diff --git a/roles/copr/backend/files/provision/files/mock/fedora-26-i386.cfg b/roles/copr/backend/files/provision/files/mock/fedora-26-i386.cfg deleted file mode 100644 index bf5d9abc2f..0000000000 --- a/roles/copr/backend/files/provision/files/mock/fedora-26-i386.cfg +++ /dev/null 
@@ -1,72 +0,0 @@ -config_opts['root'] = 'fedora-26-i386' -config_opts['target_arch'] = 'i686' -config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') -config_opts['chroot_setup_cmd'] = 'install @buildsys-build' -config_opts['dist'] = 'fc26' # only useful for --resultdir variable subst -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['releasever'] = '26' -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary -best=1 - -# repos - -[fedora] -name=fedora -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates] -name=updates -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates-testing] -name=updates-testing -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[local] -name=local -baseurl=https://kojipkgs.fedoraproject.org/repos/f26-build/latest/i386/ -cost=2000 -enabled=0 - -[fedora-debuginfo] -name=fedora-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-debuginfo] -name=updates-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-testing-debuginfo] -name=updates-testing-debuginfo 
-metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 -""" diff --git a/roles/copr/backend/files/provision/files/mock/fedora-26-ppc64le.cfg b/roles/copr/backend/files/provision/files/mock/fedora-26-ppc64le.cfg deleted file mode 100644 index dfb36e46e7..0000000000 --- a/roles/copr/backend/files/provision/files/mock/fedora-26-ppc64le.cfg +++ /dev/null 
@@ -1,72 +0,0 @@ -config_opts['root'] = 'fedora-26-ppc64le' -config_opts['target_arch'] = 'ppc64le' -config_opts['legal_host_arches'] = ('ppc64le',) -config_opts['chroot_setup_cmd'] = 'install @buildsys-build' -config_opts['dist'] = 'fc26' # only useful for --resultdir variable subst -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['releasever'] = '26' -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=1 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary -best=1 - -# repos - -[fedora] -name=fedora -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates] -name=updates -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates-testing] -name=updates-testing -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[local] -name=local -baseurl=http://ppcpkgs.fedoraproject.org/repos/f26-build/latest/ppc64le/ -cost=2000 -enabled=0 - -[fedora-debuginfo] -name=fedora-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-debuginfo] -name=updates-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-testing-debuginfo] -name=updates-testing-debuginfo 
-metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 -""" diff --git a/roles/copr/backend/files/provision/files/mock/fedora-26-x86_64.cfg b/roles/copr/backend/files/provision/files/mock/fedora-26-x86_64.cfg deleted file mode 100644 index 6ba4d1eed0..0000000000 --- a/roles/copr/backend/files/provision/files/mock/fedora-26-x86_64.cfg +++ /dev/null 
@@ -1,72 +0,0 @@ -config_opts['root'] = 'fedora-26-x86_64' -config_opts['target_arch'] = 'x86_64' -config_opts['legal_host_arches'] = ('x86_64',) -config_opts['chroot_setup_cmd'] = 'install @buildsys-build' -config_opts['dist'] = 'fc26' # only useful for --resultdir variable subst -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['releasever'] = '26' -config_opts['package_manager'] = 'dnf' - -config_opts['yum.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -install_weak_deps=0 -metadata_expire=0 -mdpolicy=group:primary -best=1 - -# repos - -[fedora] -name=fedora -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates] -name=updates -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch -failovermethod=priority -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary -gpgcheck=1 - -[updates-testing] -name=updates-testing -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[local] -name=local -baseurl=https://kojipkgs.fedoraproject.org/repos/f26-build/latest/x86_64/ -cost=2000 -enabled=0 - -[fedora-debuginfo] -name=fedora-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-debuginfo] -name=updates-debuginfo -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 - -[updates-testing-debuginfo] -name=updates-testing-debuginfo 
-metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch -failovermethod=priority -enabled=0 -""" diff --git a/roles/copr/backend/files/provision/provision_builder_tasks.yml b/roles/copr/backend/files/provision/provision_builder_tasks.yml index f3de7bbe6d..982a1011e1 100644 --- a/roles/copr/backend/files/provision/provision_builder_tasks.yml +++ b/roles/copr/backend/files/provision/provision_builder_tasks.yml 
@@ -1,109 +1,51 @@ -- name: install copr repo - copy: src="copr.repo" dest="/etc/yum.repos.d/copr.repo" +- shell: dnf -y upgrade + when: prepare_base_image is defined - name: set bigger timeout for yum ini_file: dest=/etc/yum.conf section=main option=timeout value=1000 +- name: set bigger timeout for dnf + ini_file: dest=/etc/dnf/dnf.conf section=main option=timeout value=1000 + - name: install pkgs - yum: state=present pkg={{ item }} + dnf: state=present pkg={{ item }} with_items: - dnf - dnf-plugins-core - mock -# - mock-lvm - createrepo_c - yum-utils - pyliblzma - rsync - openssh-clients - - rsync - libselinux-python - libsemanage-python - yum - scl-utils-build - ethtool -# - fedpkg-copr - nosync - expect -- name: set bigger timeout for dnf - ini_file: dest=/etc/dnf/dnf.conf section=main option=timeout value=1000 - -# this comes from https://copr-be.cloud.fedoraproject.org/results/%40copr/copr/fedora-23-x86_64/00179756-fedpkg-copr/fedpkg-copr-0.3-1.fc23.noarch.rpm -# TODO put it in correct place -# BZ 1241507 -- shell: yum-deprecated install -y fedpkg-copr || yum install -y fedpkg-copr - -- shell: yum-deprecated install -y fedpkg || yum install -y fedpkg - -# This needs to be updated for python-fedora -- shell: yum-deprecated update -y python-requests || yum install -y python-requests +- name: enable @copr/copr for now + shell: dnf copr -y enable @copr/copr - name: make sure newest rpm - dnf: name={{ item }} state=latest + dnf: state=latest pkg={{ item }} with_items: - rpm - glib2 - ca-certificates - mock - dnf - - koji - - dnf-plugins-core - - libsolv - - hawkey - -- copy: src=files/fedpkg-copr.conf dest=/etc/rpkg/fedpkg-copr.conf + - copr-rpmbuild - name: put updated mock configs into /etc/mock template: src=files/mock/{{ item }} dest=/etc/mock with_items: - site-defaults.cfg - - custom-1-x86_64.cfg - - custom-1-i386.cfg - - custom-1-ppc64le.cfg - - fedora-26-x86_64.cfg - - fedora-26-i386.cfg -# TODO: file globs or ansible escaping works strange, now using 
predefined file location -#- name: "fix mock configs to use nearest mirror" -# # Affects only some fedora configs ... repo urls are tricky. TODO: add for epel -# shell: "ls -1 /etc/mock/fedora*.cfg" -# register: mock_fedora_configs_to_patch - -- name: "patch mock.cfg (updates)" - replace: > - dest={{ item }} - regexp='^metalink=https://mirrors.fedoraproject.org/metalink\?repo=updates-released-f\$releasever&arch=\$basearch' - replace='baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/' - with_items: #mock_fedora_configs_to_patch.stdout_lines - - /etc/mock/fedora-24-i386.cfg - - /etc/mock/fedora-24-x86_64.cfg - - /etc/mock/fedora-25-i386.cfg - - /etc/mock/fedora-25-x86_64.cfg - - /etc/mock/fedora-26-i386.cfg - - /etc/mock/fedora-26-x86_64.cfg - -- name: "patch mock.cfg (main)" - replace: > - dest={{ item }} - regexp='^metalink=https://mirrors.fedoraproject.org/metalink\?repo=fedora-f\$releasever&arch=\$basearch' - replace='baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/' - with_items: #mock_fedora_configs_to_patch.stdout_lines - - /etc/mock/fedora-24-i386.cfg - - /etc/mock/fedora-24-x86_64.cfg - - /etc/mock/fedora-25-i386.cfg - - /etc/mock/fedora-25-x86_64.cfg - - /etc/mock/fedora-26-i386.cfg - - /etc/mock/fedora-26-x86_64.cfg - - - -# ansible doesn't support simultaneously usage of async and with_* options -# it's not even planned for implementation, see https://github.com/ansible/ansible/issues/5841 -- name: prepare cache - when: prepare_base_image is defined - async: 14400 - shell: "for i in epel-5-i386 epel-5-x86_64 epel-6-i386 epel-6-x86_64 epel-7-x86_64 fedora-23-i386 fedora-23-x86_64 fedora-24-i386 fedora-24-x86_64 fedora-25-i386 fedora-25-x86_64 fedora-26-i386 fedora-26-x86_64 fedora-rawhide-i386 fedora-rawhide-x86_64; do mock --init -r $i; done" +- name: put copr-rpmbuild configuration file in the right place + copy: src=files/main.ini 
dest=/etc/copr-rpmbuild/main.ini - name: mockbuilder user user: name=mockbuilder groups=mock @@ -122,11 +64,3 @@ - name: disable core dumps ini_file: dest=/etc/systemd/coredump.conf section=Coredump option=Storage value=none -# notify: -# - systemctl daemon-reload - -- name: 'Remove %_install_langs from /etc/rpm/macros.image-language-conf so that `yum-deprecated --installroot= install glibc-all-langpacks` installs all possible locale into build chroots' - lineinfile: - dest: '/etc/rpm/macros.image-language-conf' - regexp: '^%_install_lang.*' - state: 'absent' diff --git a/roles/copr/backend/files/provision/provision_builder_tasks_ppc64le.yml b/roles/copr/backend/files/provision/provision_builder_tasks_ppc64le.yml deleted file mode 100644 index 5ef7791eb2..0000000000 --- a/roles/copr/backend/files/provision/provision_builder_tasks_ppc64le.yml +++ /dev/null 
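Review bot: After `dnf copr -y enable @copr/copr`, the next `state=latest` task covers `rpm`, `glib2`, `ca-certificates`, `mock` and `dnf` as well as `copr-rpmbuild`, so a newer build of any of those published in that Copr project would be installed on every builder. If the repository is only needed for `copr-rpmbuild`, consider bringing the base packages to latest before the repository is enabled, or record the intent next to the task, e.g. `# TODO: @copr/copr is enabled only for copr-rpmbuild; drop when no longer needed`. The two `shell:` tasks always report changed, and `dnf -y upgrade` has no `name:`; adding a name and `changed_when` would make provisioning logs easier to audit. The file continues between and after the two hunks.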
@@ -1,94 +0,0 @@ -- name: install copr repo - copy: src="copr.repo" dest="/etc/yum.repos.d/copr.repo" - -- name: set bigger timeout for yum - ini_file: dest=/etc/yum.conf section=main option=timeout value=1000 - -- name: install pkgs - yum: state=present pkg={{ item }} - with_items: - - dnf - - dnf-plugins-core - - mock -# - mock-lvm - - createrepo_c - - yum-utils - - pyliblzma - - rsync - - openssh-clients - - rsync - - libselinux-python - - libsemanage-python - - yum - - scl-utils-build - - ethtool -# - fedpkg-copr - - nosync - - expect - -- name: set bigger timeout for dnf - ini_file: dest=/etc/dnf/dnf.conf section=main option=timeout value=1000 - -# this comes from https://copr-be.cloud.fedoraproject.org/results/%40copr/copr/fedora-23-x86_64/00179756-fedpkg-copr/fedpkg-copr-0.3-1.fc23.noarch.rpm -# TODO put it in correct place -# BZ 1241507 -- shell: yum-deprecated install -y fedpkg-copr || yum install -y fedpkg-copr - -- shell: yum-deprecated install -y fedpkg || yum install -y fedpkg - -# This needs to be updated for python-fedora -- shell: yum-deprecated update -y python-requests || yum install -y python-requests - -- name: make sure newest rpm - dnf: name={{ item }} state=latest - with_items: - - rpm - - glib2 - - ca-certificates - - mock - - dnf - - koji - - dnf-plugins-core - - libsolv - - hawkey - -- copy: src=files/fedpkg-copr.conf dest=/etc/rpkg/fedpkg-copr.conf - -- name: put updated mock configs into /etc/mock - template: src=files/mock/{{ item }} dest=/etc/mock - with_items: - - fedora-26-ppc64le.cfg - - site-defaults.cfg - -# ansible doesn't support simultaneously usage of async and with_* options -# it's not even planned for implementation, see https://github.com/ansible/ansible/issues/5841 -- name: prepare cache - when: prepare_base_image is defined - async: 14400 - shell: "for i in fedora-23-ppc64le fedora-24-ppc64le fedora-25-ppc64le fedora-26-ppc64le fedora-rawhide-ppc64le; do mock --init -r $i; done" - -- name: mockbuilder user - user: 
name=mockbuilder groups=mock - -- name: mockbuilder .ssh - file: state=directory path=/home/mockbuilder/.ssh mode=0700 owner=mockbuilder group=mockbuilder - -- name: mockbuilder authorized_keys - authorized_key: user=mockbuilder key='{{ lookup('file', '/home/copr/provision/files/buildsys.pub') }}' - -- name: root authorized_keys - authorized_key: user=root key='{{ lookup('file', '/home/copr/provision/files/buildsys.pub') }}' - -- lineinfile: dest=/etc/security/limits.conf line="* soft nofile 10240" insertafter=EOF -- lineinfile: dest=/etc/security/limits.conf line="* hard nofile 10240" insertafter=EOF - -- name: disable core dumps - ini_file: dest=/etc/systemd/coredump.conf section=Coredump option=Storage value=none -# notify: -# - systemctl daemon-reload - -- name: 'Remove %_install_langs from /etc/rpm/macros.image-language-conf so that `yum-deprecated --installroot= install glibc-all-langpacks` installs all possible locale into build chroots' - lineinfile: - dest: '/etc/rpm/macros.image-language-conf' - regexp: '^%_install_lang.*' - state: 'absent' diff --git a/roles/copr/backend/files/provision/terminatepb.yml b/roles/copr/backend/files/provision/terminatepb.yml deleted file mode 100644 index 372c503948..0000000000 --- a/roles/copr/backend/files/provision/terminatepb.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: terminate instance - hosts: all - user: root - gather_facts: False - - vars_files: - - nova_cloud_vars.yml - - vars: - - OS_USERNAME_OLD: msuchy - - OS_AUTH_URL_OLD: http://172.23.0.2:5000/v2.0 - # todo: remove after transition to new cloud - - tasks: - - name: terminate it - local_action: nova_compute auth_url={{OS_AUTH_URL_OLD}} login_password={{OS_PASSWORD}} login_tenant_name={{OS_TENANT_NAME}} login_username={{OS_USERNAME_OLD}} name="{{copr_task.vm_name}}" state=absent 
diff --git a/roles/copr/backend/files/provision/terminatepb_ppc64le.yml b/roles/copr/backend/files/provision/terminatepb_ppc64le.yml deleted file mode 100644 index c04fabd876..0000000000 --- a/roles/copr/backend/files/provision/terminatepb_ppc64le.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: terminate instance - hosts: 127.0.0.1 - gather_facts: False - - tasks: - - name: add hypervisor - local_action: add_host hostname=rh-power2.fit.vutbr.cz groupname=terminate_vm_group - - -- name: terminate vm - hosts: terminate_vm_group - gather_facts: False - user: msuchy - - tasks: - - name: terminating vm26 - shell: /home/msuchy/bin/virsh-destroy-vm26.sh; /home/msuchy/bin/reinit-vm26.sh - when: copr_task.vm_name == "rh-power-vm26.fit.vutbr.cz" - - - name: terminating vm27 - shell: /home/msuchy/bin/virsh-destroy-vm27.sh; /home/msuchy/bin/reinit-vm27.sh - when: copr_task.vm_name == "rh-power-vm27.fit.vutbr.cz" - - - name: terminating vm28 - shell: /home/msuchy/bin/virsh-destroy-vm28.sh; /home/msuchy/bin/reinit-vm28.sh - when: copr_task.vm_name == "rh-power-vm28.fit.vutbr.cz" - - - name: terminating vm29 - shell: /home/msuchy/bin/virsh-destroy-vm29.sh; /home/msuchy/bin/reinit-vm29.sh - when: copr_task.vm_name == "rh-power-vm29.fit.vutbr.cz" diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml index 956decb248..2270dbf4a8 100644 --- a/roles/copr/backend/tasks/main.yml +++ b/roles/copr/backend/tasks/main.yml 
@@ -130,14 +130,11 @@ tags: - provision_config -- name: put some files into the provision subdir - template: src="provision/nova_cloud_vars_ppc64le.yml" dest="/home/copr/provision/nova_cloud_vars_ppc64le.yml" owner=copr group=copr +- name: put copr-rpmbuild configuration file into the provision subdir + template: src="provision/copr-rpmbuild/main.ini.j2" dest="/home/copr/provision/files/main.ini" owner=copr group=copr tags: - provision_config -- name: put fedpkg-copr.conf into the provision files - template: src="provision/fedpkg-copr.conf" dest="/home/copr/provision/files/fedpkg-copr.conf" owner=copr group=copr - - name: testing fixture copy: dest="/home/copr/cloud/ec2rc.variable" content="" when: devel diff --git a/roles/copr/backend/templates/copr-be.conf.j2 b/roles/copr/backend/templates/copr-be.conf.j2 index 0bed0583aa..f3276db882 100644 --- a/roles/copr/backend/templates/copr-be.conf.j2 +++ b/roles/copr/backend/templates/copr-be.conf.j2 @@ -110,5 +110,7 @@ timeout=86400 # utilized by /usr/bin/check_consecutive_build_fails.py consecutive_failure_threshold=30 +builder_perl=True + [ssh] builder_config=/home/copr/.ssh/config diff --git a/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 b/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 new file mode 100644 index 0000000000..9fa623ebc9 --- /dev/null +++ b/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 @@ -0,0 +1,4 @@ +[main] +frontend_url = http://{{ frontend_base_url }}/ +distgit_lookaside_url = http://{{ dist_git_base_url }}/repo/pkgs/ +distgit_clone_url = http://{{ dist_git_base_url }}/git/ diff --git a/roles/copr/backend/templates/provision/fedpkg-copr.conf b/roles/copr/backend/templates/provision/fedpkg-copr.conf deleted file mode 100644 index 5a13ca7ba7..0000000000 --- a/roles/copr/backend/templates/provision/fedpkg-copr.conf +++ /dev/null 
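Review bot: Both dist-git endpoints in the new `main.ini.j2` are plain `http://`, so the sources and the git checkout that each builder pulls can be altered in transit before they are built. Whether copr-rpmbuild verifies lookaside checksums is not visible here, and the clone URL would carry no such check in any case. If the dist-git host serves TLS, I would write `distgit_lookaside_url = https://{{ dist_git_base_url }}/repo/pkgs/` and `distgit_clone_url = https://{{ dist_git_base_url }}/git/`. The later `fix main.ini.j2` hunk changes only `frontend_url` and leaves these two lines as they are.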
@@ -1,10 +0,0 @@ -[fedpkg-copr] -lookaside = http://{{ dist_git_base_url }}/repo/pkgs -lookasidehash = md5 -lookaside_cgi = http://{{ dist_git_base_url }}/repo/pkgs/upload.cgi -gitbaseurl = ssh://%(user)s@{{ dist_git_base_url }}/%(module)s -anongiturl = git://{{ dist_git_base_url }}/%(module)s -tracbaseurl = https://%(user)s:%(password)s@fedorahosted.org/rel-eng/login/xmlrpc -branchre = f\d$|f\d\d$|el\d$|olpc\d$|master$ -kojiconfig = /etc/koji.conf -build_client = koji diff --git a/roles/copr/backend/templates/provision/nova_cloud_vars.yml b/roles/copr/backend/templates/provision/nova_cloud_vars.yml index d426e8a4cc..1135504f40 100644 --- a/roles/copr/backend/templates/provision/nova_cloud_vars.yml +++ b/roles/copr/backend/templates/provision/nova_cloud_vars.yml @@ -10,8 +10,6 @@ OS_USERNAME: "{{ copr_nova_username }}" OS_PASSWORD_OLD: "{{ copr_nova_password|default('variable OS_PASSWORD_OLD is undefined') }}" OS_PASSWORD: "{{ copr_password|default('variable OS_PASSWORD is undefined')}}" - -image_name: "{{ copr_builder_image_name }}" flavor_name: "{{ copr_builder_flavor_name }}" network_name: "{{ copr_builder_network_name }}" key_name: "{{ copr_builder_key_name }}" diff --git a/roles/copr/backend/templates/provision/nova_cloud_vars_ppc64le.yml b/roles/copr/backend/templates/provision/nova_cloud_vars_ppc64le.yml deleted file mode 100644 index f84fa797e7..0000000000 --- a/roles/copr/backend/templates/provision/nova_cloud_vars_ppc64le.yml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -OS_AUTH_URL: "{{ copr_nova_auth_url }}" - -OS_TENANT_ID: "{{ copr_nova_tenant_id }}" -OS_TENANT_NAME: "{{ copr_nova_tenant_name }}" - -OS_USERNAME: "{{ copr_nova_username }}" - -# remove default values after transition to the new cloud is finished -OS_PASSWORD_OLD: "{{ copr_nova_password|default('variable OS_PASSWORD_OLD is undefined') }}" -OS_PASSWORD: "{{ copr_password|default('variable OS_PASSWORD is undefined')}}" - - -image_name: "builder-f24-ppc64le-swapmounted-freshmockconfigs" -flavor_name: "{{ copr_builder_flavor_name }}" -network_name: "{{ copr_builder_network_name }}" -key_name: "{{ copr_builder_key_name }}" -security_groups: "{{ copr_builder_security_groups }}" From aa871d38423052df868f0fe78f1bad77730ed29b Mon Sep 17 00:00:00 2001 From: clime Date: Fri, 9 Jun 2017 08:06:06 +0200 Subject: [PATCH 277/308] copr-dist-git: raise number of inodes for the mounted tmpfs volume --- roles/copr/dist_git/tasks/mount_fs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/copr/dist_git/tasks/mount_fs.yml b/roles/copr/dist_git/tasks/mount_fs.yml index 865dbf82ea..eca6600853 100644 --- a/roles/copr/dist_git/tasks/mount_fs.yml +++ b/roles/copr/dist_git/tasks/mount_fs.yml @@ -12,4 +12,4 @@ when: not devel - name: mount tmp on tmpfs - mount: name=/tmp src=tmpfs fstype=tmpfs state=mounted opts=defaults,size=39G + mount: name=/tmp src=tmpfs fstype=tmpfs state=mounted opts=defaults,size=39G,nr_inodes=2g From 82417064e4e7c285396963b396b2f436e02f2a3e Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Fri, 9 Jun 2017 06:30:47 +0000 Subject: [PATCH 278/308] Change static content caching from 5 days to 30 minutes 
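Review bot: `nr_inodes=2g` on the `/tmp` tmpfs in `mount_fs.yml` is close to having no inode cap at all. tmpfs inodes live in kernel memory that cannot be swapped out, so this limit is what stops a flood of tiny files from exhausting RAM on the host. I would size it to the observed peak plus headroom, `nr_inodes=<measured-peak-plus-headroom>` (placeholder), and put a comment above the task saying where the number comes from. Separately, `opts=defaults` leaves `/tmp` without `nosuid,nodev`; adding them is worth considering if nothing on the dist-git host depends on their absence.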
Signed-off-by: Ricky Elrod --- roles/developer/website/files/developer.conf | 2 +- roles/fedora-docs/proxy/files/fedora-docs.conf | 2 +- roles/fedora-web/alt/files/alt.conf | 2 +- roles/fedora-web/arm/files/arm.conf | 2 +- roles/fedora-web/budget/files/budget.conf | 2 +- roles/fedora-web/flocktofedora/files/flocktofedora.org.conf | 2 +- roles/fedora-web/fudcon/files/fudcon.conf | 2 +- roles/fedora-web/getfedora/files/getfedora.org.conf | 2 +- roles/fedora-web/labs/files/labs.conf | 2 +- roles/fedora-web/spins/files/spins.conf | 2 +- .../reverseproxy/templates/reversepassproxy.pkgdb.conf | 6 +++--- roles/people/templates/people.conf | 2 +- roles/planet/templates/planet.conf | 4 ++-- 13 files changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/developer/website/files/developer.conf b/roles/developer/website/files/developer.conf index 5a4590dde5..49d0b71295 100644 --- a/roles/developer/website/files/developer.conf +++ b/roles/developer/website/files/developer.conf @@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-docs/proxy/files/fedora-docs.conf b/roles/fedora-docs/proxy/files/fedora-docs.conf index cd3d10000d..f48a2cee20 100644 --- a/roles/fedora-docs/proxy/files/fedora-docs.conf +++ b/roles/fedora-docs/proxy/files/fedora-docs.conf @@ -17,4 +17,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/alt/files/alt.conf b/roles/fedora-web/alt/files/alt.conf index 252b87a58d..b355733abf 100644 --- a/roles/fedora-web/alt/files/alt.conf +++ b/roles/fedora-web/alt/files/alt.conf 
@@ -8,4 +8,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/arm/files/arm.conf b/roles/fedora-web/arm/files/arm.conf index aa8f7ac630..09a99c8e14 100644 --- a/roles/fedora-web/arm/files/arm.conf +++ b/roles/fedora-web/arm/files/arm.conf @@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/budget/files/budget.conf b/roles/fedora-web/budget/files/budget.conf index 456500ae6b..17c01d1fc4 100644 --- a/roles/fedora-web/budget/files/budget.conf +++ b/roles/fedora-web/budget/files/budget.conf @@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/flocktofedora/files/flocktofedora.org.conf b/roles/fedora-web/flocktofedora/files/flocktofedora.org.conf index e21b4af73b..0764129437 100644 --- a/roles/fedora-web/flocktofedora/files/flocktofedora.org.conf +++ b/roles/fedora-web/flocktofedora/files/flocktofedora.org.conf @@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/fudcon/files/fudcon.conf b/roles/fedora-web/fudcon/files/fudcon.conf index 330d159349..1266a905c1 100644 --- a/roles/fedora-web/fudcon/files/fudcon.conf +++ b/roles/fedora-web/fudcon/files/fudcon.conf 
@@ -9,4 +9,4 @@ Redirect /design-suite http://fudcon.fedoraproject.org/design Redirect /electronic-lab http://fudcon.fedoraproject.org/fel ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/getfedora/files/getfedora.org.conf b/roles/fedora-web/getfedora/files/getfedora.org.conf index 6359f0c8a7..3a89898969 100644 --- a/roles/fedora-web/getfedora/files/getfedora.org.conf +++ b/roles/fedora-web/getfedora/files/getfedora.org.conf @@ -8,7 +8,7 @@ Alias /fmw /srv/web/fmw/ FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" AllowOverride FileInfo diff --git a/roles/fedora-web/labs/files/labs.conf b/roles/fedora-web/labs/files/labs.conf index b4254ea508..cc86d59966 100644 --- a/roles/fedora-web/labs/files/labs.conf +++ b/roles/fedora-web/labs/files/labs.conf @@ -6,4 +6,4 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application FileETag MTime Size ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/fedora-web/spins/files/spins.conf b/roles/fedora-web/spins/files/spins.conf index 91ffbc0f4e..4b486c7520 100644 --- a/roles/fedora-web/spins/files/spins.conf +++ b/roles/fedora-web/spins/files/spins.conf @@ -12,4 +12,4 @@ RedirectMatch /(.*)/design-suite/ http://spins.fedoraproject.org/$1/design RedirectMatch /(.*)/electronic-lab/ http://spins.fedoraproject.org/$1/fel ExpiresActive On -ExpiresDefault "access plus 5 days" +ExpiresDefault "access plus 30 minutes" diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf index c1cf163030..2393b86874 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf 
@@ -15,19 +15,19 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript diff --git a/roles/people/templates/people.conf b/roles/people/templates/people.conf index aec12b9f88..117950bc40 100644 --- a/roles/people/templates/people.conf +++ b/roles/people/templates/people.conf @@ -42,7 +42,7 @@ NameVirtualHost *:80 ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf index a5591c3079..a010cfc502 100644 --- a/roles/planet/templates/planet.conf +++ b/roles/planet/templates/planet.conf @@ -20,12 +20,12 @@ ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" ExpiresActive On - ExpiresDefault "access plus 5 days" + ExpiresDefault "access plus 30 minutes" From 57eb6896defd551124a2fdbb8684136dee6cfd31 Mon Sep 17 00:00:00 2001 From: clime Date: Fri, 9 Jun 2017 08:51:26 +0200 Subject: [PATCH 279/308] copr-backend: fix main.ini.j2 --- .../copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 b/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 index 9fa623ebc9..5ae64796c7 100644 --- a/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 
+++ b/roles/copr/backend/templates/provision/copr-rpmbuild/main.ini.j2 @@ -1,4 +1,4 @@ [main] -frontend_url = http://{{ frontend_base_url }}/ +frontend_url = {{ frontend_base_url }} distgit_lookaside_url = http://{{ dist_git_base_url }}/repo/pkgs/ distgit_clone_url = http://{{ dist_git_base_url }}/git/ From 461c72b6822aee2a5633be7aede3a09c6d474ad1 Mon Sep 17 00:00:00 2001 From: clime Date: Fri, 9 Jun 2017 17:05:03 +0200 Subject: [PATCH 280/308] copr-backend: disable updates-testing on builders --- roles/copr/backend/files/provision/provision_builder_tasks.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/copr/backend/files/provision/provision_builder_tasks.yml b/roles/copr/backend/files/provision/provision_builder_tasks.yml index 982a1011e1..5d279bfa5f 100644 --- a/roles/copr/backend/files/provision/provision_builder_tasks.yml +++ b/roles/copr/backend/files/provision/provision_builder_tasks.yml @@ -1,3 +1,6 @@ +- name: disable updates-testing + shell: rm -f /etc/yum.repos.d/fedora-updates-testing.repo + - shell: dnf -y upgrade when: prepare_base_image is defined From 32318a4622312195b0eb175a7345e3f950a5d361 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Fri, 9 Jun 2017 16:36:36 +0000 Subject: [PATCH 281/308] and we have a new person to look at stats --- roles/web-data-analysis/files/httpd_config.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/web-data-analysis/files/httpd_config.conf b/roles/web-data-analysis/files/httpd_config.conf index cafa93fccc..6b007cea2b 100644 --- a/roles/web-data-analysis/files/httpd_config.conf +++ b/roles/web-data-analysis/files/httpd_config.conf @@ -6,5 +6,5 @@ # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS GssapiSSLonly Off GssapiLocalName on - Require user smooge kevin puiterwijk mattdm pfrields relrod uraeus ryanlerch robyduck + Require user smooge kevin puiterwijk mattdm pfrields relrod uraeus ryanlerch robyduck jibecfed 
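Review bot: Removing the repo file with `shell: rm -f /etc/yum.repos.d/fedora-updates-testing.repo` only lasts until the package that owns the file is updated, and the very next task is `dnf -y upgrade`. rpm puts a missing config file back when its package is upgraded, so updates-testing could reappear on the builder image (assuming the file is shipped by the distribution's repos package, which is not visible here). Disabling the repo in place survives that, e.g. `ini_file: dest=/etc/yum.repos.d/fedora-updates-testing.repo section=updates-testing option=enabled value=0`, which matches the `ini_file` style this file already uses. The `shell` form also reports "changed" on every run.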
From 40f603578d7b4f95af152d82b372600e30c5f5cd Mon Sep 17 00:00:00 2001 From: clime Date: Sat, 10 Jun 2017 17:28:35 +0200 Subject: [PATCH 282/308] copr-backend: fix fedora-26-ppc64le mock config --- .../files/mock/fedora-26-ppc64le.cfg | 72 +++++++++++++++++++ .../provision/provision_builder_tasks.yml | 1 + 2 files changed, 73 insertions(+) create mode 100644 roles/copr/backend/files/provision/files/mock/fedora-26-ppc64le.cfg diff --git a/roles/copr/backend/files/provision/files/mock/fedora-26-ppc64le.cfg b/roles/copr/backend/files/provision/files/mock/fedora-26-ppc64le.cfg new file mode 100644 index 0000000000..dfb36e46e7 --- /dev/null +++ b/roles/copr/backend/files/provision/files/mock/fedora-26-ppc64le.cfg 
@@ -0,0 +1,72 @@ +config_opts['root'] = 'fedora-26-ppc64le' +config_opts['target_arch'] = 'ppc64le' +config_opts['legal_host_arches'] = ('ppc64le',) +config_opts['chroot_setup_cmd'] = 'install @buildsys-build' +config_opts['dist'] = 'fc26' # only useful for --resultdir variable subst +config_opts['extra_chroot_dirs'] = [ '/run/lock', ] +config_opts['releasever'] = '26' +config_opts['package_manager'] = 'dnf' + +config_opts['yum.conf'] = """ +[main] +keepcache=1 +debuglevel=1 +reposdir=/dev/null +logfile=/var/log/yum.log +retries=20 +obsoletes=1 +gpgcheck=0 +assumeyes=1 +syslog_ident=mock +syslog_device= +install_weak_deps=0 +metadata_expire=0 +mdpolicy=group:primary +best=1 + +# repos + +[fedora] +name=fedora +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch +failovermethod=priority +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary +gpgcheck=1 + +[updates] +name=updates +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch +failovermethod=priority +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-26-primary +gpgcheck=1 + +[updates-testing] +name=updates-testing +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch +failovermethod=priority +enabled=0 + +[local] +name=local +baseurl=http://ppcpkgs.fedoraproject.org/repos/f26-build/latest/ppc64le/ +cost=2000 +enabled=0 + +[fedora-debuginfo] +name=fedora-debuginfo +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch +failovermethod=priority +enabled=0 + +[updates-debuginfo] +name=updates-debuginfo +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch +failovermethod=priority +enabled=0 + +[updates-testing-debuginfo] +name=updates-testing-debuginfo 
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch +failovermethod=priority +enabled=0 +""" diff --git a/roles/copr/backend/files/provision/provision_builder_tasks.yml b/roles/copr/backend/files/provision/provision_builder_tasks.yml index 5d279bfa5f..36eef03b72 100644 --- a/roles/copr/backend/files/provision/provision_builder_tasks.yml +++ b/roles/copr/backend/files/provision/provision_builder_tasks.yml @@ -46,6 +46,7 @@ template: src=files/mock/{{ item }} dest=/etc/mock with_items: - site-defaults.cfg + - fedora-26-ppc64le.cfg - name: put copr-rpmbuild configuration file in the right place copy: src=files/main.ini dest=/etc/copr-rpmbuild/main.ini From 0350965efb79ef5181e0ab1dd1d6112c7d3d617e Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 12 Jun 2017 10:15:34 +0000 Subject: [PATCH 283/308] Use the correct branch for regcfp Signed-off-by: Patrick Uiterwijk --- roles/regcfp/tasks/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/regcfp/tasks/main.yml b/roles/regcfp/tasks/main.yml index 485c9411ec..882eebada8 100644 --- a/roles/regcfp/tasks/main.yml +++ b/roles/regcfp/tasks/main.yml @@ -10,16 +10,16 @@ - packages #- name: Clone the regcfp master branch -# git: repo=https://github.com/puiterwijk/regcfp.git -# dest=/srv/regcfp -# version=develop -# clone=yes update=yes -# register: git_result -# changed_when: "git_result.after|default('after') != git_result.before|default('before')" -# tags: -# - regcfp -# notify: -# - restart regcfp + git: repo=https://github.com/puiterwijk/regcfp.git + dest=/srv/regcfp + version=flock2017 + clone=yes update=yes + register: git_result + changed_when: "git_result.after|default('after') != git_result.before|default('before')" + tags: + - regcfp + notify: + - restart regcfp # TODO: Find EPEL packages for these - name: Install dependencies From c5dcc9831119359782d03822fb4ba2ef30090719 Mon Sep 17 00:00:00 2001 
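Review bot: `gpgcheck=0` in `[main]` of the new `fedora-26-ppc64le.cfg` is the default every repo section inherits, and only `[fedora]` and `[updates]` override it with `gpgcheck=1`. `[updates-testing]`, `[local]` and the three debuginfo repos are `enabled=0` today, but would install packages without signature verification as soon as someone enables one of them. `[local]` is additionally a plain `http://` baseurl. I would set `gpgcheck=1` in `[main]`, give the remaining Fedora repos the same `gpgkey=` line the first two use, and keep an explicit `gpgcheck=0` with a one-line comment only on a repo that is really unsigned.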
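Review bot: `version=flock2017` together with `update=yes` in `roles/regcfp/tasks/main.yml` means every playbook run deploys whatever the tip of that branch on a personal GitHub repository is at that moment. The `notify` then restarts the service on that code. Pinning to a reviewed commit, `version=<commit-sha>` (placeholder), ties the deployed code to something that was looked at and makes each bump an explicit change in this repo. The (still commented) name line says `master branch`, which no longer matches the ref being checked out.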
From: "Paul W. Frields" Date: Mon, 12 Jun 2017 12:58:45 +0000 Subject: [PATCH 284/308] [regcfp] Add bex to papers permissions --- roles/regcfp/templates/config.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index c0d0d9c9b4..7bfaab80e3 100644 --- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json 
@@ -61,22 +61,22 @@ "papers": { "submit": ["*authenticated*"], "list": { - "accepted": ["jwboyer@fedoraproject.org", "spot@fedoraproject.org"], + "accepted": ["jwboyer@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"], "own": ["*authenticated*"], "all": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"] }, "edit": { "own": ["*authenticated*"], - "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org"] + "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"] }, "delete": { "own": ["*authenticated*"], - "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org"] + "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"] }, "tag": ["*authenticated*"], - "vote": ["jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org"], - "showvotes": ["jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org"], - "accept": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "spot@fedoraproject.org"] + "vote": ["jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"], + "showvotes": ["jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", 
"robyduck@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"], + "accept": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"] }, "registration": { "register": ["*authenticated*"], From 613c13b7851af819ad8dd853bde4f0a2cb0ee570 Mon Sep 17 00:00:00 2001 From: "Paul W. Frields" Date: Mon, 12 Jun 2017 14:36:54 +0000 Subject: [PATCH 285/308] [regcfp] Fix perms throughout, pruning old participants --- roles/regcfp/templates/config.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index 7bfaab80e3..0c87e0e86c 100644 --- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json 
@@ -57,26 +57,26 @@ }, "permissions": { - "admin": ["puiterwijk@fedoraproject.org", "pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "duffy@fedoraproject.org", "decause@fedoraproject.org", "spot@fedoraproject.org", "robyduck@fedoraproject.org", "rsuehle@fedoraproject.org", "mattdm@fedoraproject.org", "bex@fedoraproject.org", "duffy@fedoraproject.org"], + "admin": ["puiterwijk@fedoraproject.org", "pfrields@fedoraproject.org", "duffy@fedoraproject.org", "robyduck@fedoraproject.org", "mattdm@fedoraproject.org", "bex@fedoraproject.org"], "papers": { "submit": ["*authenticated*"], "list": { - "accepted": ["jwboyer@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"], + "accepted": ["bex@fedoraproject.org", "mattdm@fedoraproject.org", "duffy@fedoraproject.org", "pfrields@fedoraproject.org"], "own": ["*authenticated*"], - "all": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"] + "all": ["pfrields@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "robyduck@fedoraproject.org", "bex@fedoraproject.org"] }, "edit": { "own": ["*authenticated*"], - "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"] + "all": ["pfrields@fedoraproject.org", "bex@fedoraproject.org", "mattdm@fedoraproject.org"] }, "delete": { "own": ["*authenticated*"], - "all": ["jwboyer@fedoraproject.org", "pfrields@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"] + "all": ["pfrields@fedoraproject.org", "mattdm@fedoraproject.org", "bex@fedoraproject.org"] }, "tag": ["*authenticated*"], - "vote": ["jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", 
"spot@fedoraproject.org", "bex@fedoraproject.org"], - "showvotes": ["jwboyer@fedoraproject.org", "rsuehle@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "decause@fedoraproject.org", "robyduck@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"], - "accept": ["pfrields@fedoraproject.org", "jwboyer@fedoraproject.org", "spot@fedoraproject.org", "bex@fedoraproject.org"] + "vote": ["duffy@fedoraproject.org", "mattdm@fedoraproject.org", "pfrields@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org"], + "showvotes": ["duffy@fedoraproject.org", "mattdm@fedoraproject.org", "pfrields@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org"], + "accept": ["mattdm@fedoraproject.org", "bex@fedoraproject.org"] }, "registration": { "register": ["*authenticated*"], From d85988a915f7fa437088471fd48ec4c78c7c9b8b Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 12 Jun 2017 14:40:44 +0000 Subject: [PATCH 286/308] Uncomment name Signed-off-by: Patrick Uiterwijk --- roles/regcfp/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/regcfp/tasks/main.yml b/roles/regcfp/tasks/main.yml index 882eebada8..9d055cf898 100644 --- a/roles/regcfp/tasks/main.yml +++ b/roles/regcfp/tasks/main.yml @@ -9,7 +9,7 @@ tags: - packages -#- name: Clone the regcfp master branch +- name: Clone the regcfp master branch git: repo=https://github.com/puiterwijk/regcfp.git dest=/srv/regcfp version=flock2017 From 93082dcbaf4f585104477af0b90081fb87021f06 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 12 Jun 2017 14:47:24 +0000 Subject: [PATCH 287/308] Update config Signed-off-by: Patrick Uiterwijk --- roles/regcfp/templates/config.json | 33 +++++++++++++++++++----------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index 0c87e0e86c..396c95a99e 100644 
--- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json @@ -193,13 +193,14 @@ "split": 0 }, "regfee": { - "display_name": "Registration Fee", + "display_name": "Registration Fee in USD $", "type": "string", "required": false, "private": true, "placeholder": "25.00", "readonly": false, "split": 0, + "message": "All amounts are in US dollars.", "onchange": "javascript:update_estimates();" }, "reason": { @@ -448,6 +449,7 @@ "private": true, "shownifkey": "flights_needed", "shownifval": "My trip to Flock requires air travel.", + "message": "Please provide the amount in US dollars.", "onchange": "javascript:update_estimates();", "split": 2 }, @@ -493,6 +495,7 @@ "private": true, "shownifkey": "needassistance", "shownifval": "Yes, my attendance requires financial assistance.", + "message": "Please provide the amount in US dollars.", "split": 2 }, "total_othertransit": { @@ -611,27 +614,33 @@ "shownifkey": "needassistance", "shownifval": "Yes, my attendance requires financial assistance.", "html": [ - "

Estimated costs for funding request

", - "

Estimated round trip airfare: $-- USD

", - "

Airfare booking fee: $--

", - "

Boston-to-Cape-Cod bus (round-trip): $--

", - "

Other transit-related costs: $--

", - "

Lodging, X nights x ($139.99 + 15.40): $--

", - "

Registration fee: $--

", - "
", - "

Total: $-- USD

" + "

Estimated costs for funding request

", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "
Estimated round trip airfare: $-- USD
Airfare booking fee: $-- USD
Boston-to-Cape-Cod bus (round-trip): $-- USD
Other transit-related costs: $-- USD
Lodging, X nights x ($139.99 + 15.40): $-- USD
Registration fee: $-- USD
", + "

Total: $-- USD

" ], "split": 2 }, "afford_to_pay": { "display_name": "If I am funded, I can afford to pay:", "type": "radio", - "options": [20, 40, 60, 80, 90, "other"], + "options": [20, 40, 60, 80, 90, "Other"], "required": false, "private": true, "shownifkey": "needassistance", "shownifval": "Yes, my attendance requires financial assistance.", - "split": 2 + "message": "All amounts in US dollars.", }, "afford_to_pay_custom": { "display_name": "Amount", From 79ea33cb56c5bc3acff42f4af9c0894823e7d59b Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 12 Jun 2017 14:49:06 +0000 Subject: [PATCH 288/308] Move to the correct block Signed-off-by: Patrick Uiterwijk --- roles/regcfp/templates/config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index 396c95a99e..44846cca42 100644 --- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json @@ -495,7 +495,6 @@ "private": true, "shownifkey": "needassistance", "shownifval": "Yes, my attendance requires financial assistance.", - "message": "Please provide the amount in US dollars.", "split": 2 }, "total_othertransit": { @@ -505,6 +504,7 @@ "private": true, "shownifkey": "needassistance", "shownifval": "Yes, my attendance requires financial assistance.", + "message": "Please provide the amount in US dollars.", "onchange": "javascript:update_estimates();", "split": 2 }, From be0788e7e07c89c10b75112fb275d51cc305da8f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 12 Jun 2017 14:49:55 +0000 Subject: [PATCH 289/308] Add split info Signed-off-by: Patrick Uiterwijk --- roles/regcfp/templates/config.json | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index 44846cca42..a7eeca81fc 100644 --- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json 
@@ -641,6 +641,7 @@ "shownifkey": "needassistance", "shownifval": "Yes, my attendance requires financial assistance.", "message": "All amounts in US dollars.", + "split": 2 }, "afford_to_pay_custom": { "display_name": "Amount", From ad0cd98a25a9e2619196574eb7b245d211f2e1b1 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 12 Jun 2017 18:55:49 +0000 Subject: [PATCH 290/308] add in openshift staging wildcard cert, keep prod pointing to fpo until we deploy there --- inventory/group_vars/all | 6 ++++++ inventory/group_vars/staging | 5 +++++ playbooks/include/proxies-websites.yml | 3 ++- 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 38c5f8be5d..9b71063dab 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -138,6 +138,12 @@ wildcard_crt_file: wildcard-2017.fedoraproject.org.cert wildcard_key_file: wildcard-2017.fedoraproject.org.key wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert +# This is the openshift wildcard cert. Until it exists set it equal to wildcard +os_wildcard_cert_name: wildcard-2017.fedoraproject.org +os_wildcard_crt_file: wildcard-2017.fedoraproject.org.cert +os_wildcard_key_file: wildcard-2017.fedoraproject.org.key +os_wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert + # Everywhere, always, we should sign messages and validate signatures. # However, we allow individual hosts and groups to override this. Use this very # carefully.. and never in production (good for testing stuff in staging). diff --git a/inventory/group_vars/staging b/inventory/group_vars/staging index df0edaab7b..d298da88b5 100644 --- a/inventory/group_vars/staging +++ b/inventory/group_vars/staging 
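Review bot: The new default in `inventory/group_vars/all` is named `os_wildcard_crt_file`, but the `inventory/group_vars/staging` hunk of this same commit defines `os_wildcard_cert_file`, so the staging value does not override this one. The existing `wildcard_crt_file` / `wildcard_cert_file` pair in the context lines has the same split, which is probably where the names were copied from. Use one spelling in both files, e.g. `os_wildcard_cert_file: wildcard-2017.fedoraproject.org.cert` here, and add a comment naming the role that reads it. No consumer of the `_file` variables is visible in this commit, so the effect on deployed hosts needs confirming.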
@@ -10,6 +10,11 @@ wildcard_cert_file: wildcard-2017.stg.fedoraproject.org.cert wildcard_key_file: wildcard-2017.stg.fedoraproject.org.key wildcard_int_file: wildcard-2017.stg.fedoraproject.org.intermediate.cert +# This is the openshift wildcard cert for stg +os_wildcard_cert_name: wildcard-2017.app.os.stg.fedoraproject.org +os_wildcard_cert_file: wildcard-2017.app.os.stg.fedoraproject.org.cert +os_wildcard_key_file: wildcard-2017.app.os.stg.fedoraproject.org.key +os_wildcard_int_file: wildcard-2017.stg.fedoraproject.org.intermediate.cert # This only does anything if the host is not RHEL6 collectd_graphite: True diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 983f220eb0..cef7fa0a6c 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -566,7 +566,8 @@ name: app.os.fedoraproject.org server_aliases: ["*.app.os.fedoraproject.org", "*.app.os.stg.fedoraproject.org"] sslonly: true - cert_name: "{{wildcard_cert_name}}" + cert_name: "{{os_wildcard_cert_name}}" + SSLCertificateChainFile: wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert - role: httpd/website name: registry.fedoraproject.org From 252c26a73951771fb55bdbfff79dff37af5c58cb Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 12 Jun 2017 19:05:55 +0000 Subject: [PATCH 291/308] install new cert only in staging --- playbooks/include/proxies-certificates.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml index f52c3d12be..8e6ca2f9e5 100644 --- a/playbooks/include/proxies-certificates.yml +++ b/playbooks/include/proxies-certificates.yml 
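Review bot: In the `app.os.fedoraproject.org` entry of `playbooks/include/proxies-websites.yml`, `SSLCertificateChainFile` is hard-coded to `wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert` while `cert_name` follows `{{os_wildcard_cert_name}}`. Production proxies would therefore pair the `wildcard-2017.fedoraproject.org` certificate with a staging chain file. If that file is absent on production hosts, httpd would likely fail its configuration check; if it is present, clients may receive an intermediate that does not match the leaf. Use the variable this commit already defines, `SSLCertificateChainFile: "{{os_wildcard_int_file}}"`, and confirm its staging value, which names the `stg` intermediate rather than the `app.os.stg` one used here. The role list continues outside the hunk.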
@@ -30,6 +30,12 @@ - role: httpd/certificate name: wildcard-2017.stg.fedoraproject.org SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert + when: env == "staging" + + - role: httpd/certificate + name: wildcard-2017.app.os.stg.fedoraproject.org + SSLCertificateChainFile: wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert + when: env == "staging" - role: httpd/certificate name: fedoramagazine.org From 010c405ec147fc7fb16a70c0af71f3a55a7e80dd Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Mon, 12 Jun 2017 19:25:15 +0000 Subject: [PATCH 292/308] and we have new certs for fedorapeople --- playbooks/groups/people.yml | 4 ++-- roles/people/templates/people.conf | 6 +++--- roles/planet/templates/planet.conf | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/playbooks/groups/people.yml b/playbooks/groups/people.yml index 7877950c07..769dbc8d70 100644 --- a/playbooks/groups/people.yml +++ b/playbooks/groups/people.yml @@ -75,8 +75,8 @@ - role: apache - role: httpd/certificate - name: wildcard-2014.fedorapeople.org - SSLCertificateChainFile: wildcard-2014.fedorapeople.org.intermediate.cert + name: wildcard-2017.fedorapeople.org + SSLCertificateChainFile: wildcard-2017.fedorapeople.org.intermediate.cert - people diff --git a/roles/people/templates/people.conf b/roles/people/templates/people.conf index 117950bc40..2f8dc1d0b8 100644 --- a/roles/people/templates/people.conf +++ b/roles/people/templates/people.conf 
@@ -27,9 +27,9 @@ NameVirtualHost *:80 DocumentRoot /srv/people/site SSLEngine on - SSLCertificateFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.cert - SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2014.fedorapeople.org.key - SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert + SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.cert + SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedorapeople.org.key + SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.intermediate.cert SSLHonorCipherOrder On SSLCipherSuite {{ ssl_ciphers }} SSLProtocol {{ ssl_protocols }} diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf index a010cfc502..319923d2a4 100644 --- a/roles/planet/templates/planet.conf +++ b/roles/planet/templates/planet.conf @@ -63,7 +63,7 @@ SSLEngine on SSLCertificateFile /etc/pki/tls/certs/planet.fedoraproject.org.cert SSLCertificateKeyFile /etc/pki/tls/private/planet.fedoraproject.org.key - SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert + SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.intermediate.cert SSLHonorCipherOrder On SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} From c217e26f73a6ffc2a8f515719362b01400f74796 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 12 Jun 2017 20:36:21 +0000 Subject: [PATCH 293/308] Update fmn Apache conf for staging Static files have moved from fmn.web to fmn, so this fixes the Apache httpd configuration to point to the new locations in staging. Signed-off-by: Jeremy Cline --- roles/notifs/frontend/templates/fmn.web.conf | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/notifs/frontend/templates/fmn.web.conf b/roles/notifs/frontend/templates/fmn.web.conf index b99358d5de..13b72ba06b 100644 --- a/roles/notifs/frontend/templates/fmn.web.conf 
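Review bot: In `roles/planet/templates/planet.conf` the leaf is `planet.fedoraproject.org.cert` but `SSLCertificateChainFile` now points at `wildcard-2017.fedorapeople.org.intermediate.cert`, which gives a valid chain only if both certificates come from the same intermediate. Nothing in this commit shows that the planet certificate was reissued along with the 2017 wildcard, so check it on the host before deploying, for example with `openssl verify -untrusted <chain file> <leaf cert>`. I would also add a comment above the directive, `# chain shared with the fedorapeople wildcard; must match the issuer of planet.fedoraproject.org.cert`, so a later renewal of either certificate does not break the chain unnoticed. The VirtualHost block starts and ends outside the hunk.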
+++ b/roles/notifs/frontend/templates/fmn.web.conf @@ -1,4 +1,8 @@ -Alias /notifications/static /usr/share/fmn.web/static +{% if env == 'staging' %} +Alias /notifications/static /usr/share/fmn/static +{% else %} +Alias /notifications/static /usr/share/fmn/static +{% endif %} WSGIDaemonProcess fmn user=apache group=apache maximum-requests=1000 display-name=fmn processes={{ wsgi_procs }} threads={{ wsgi_threads }} WSGISocketPrefix run/wsgi @@ -6,7 +10,11 @@ WSGIRestrictStdout On WSGIRestrictSignal Off WSGIPythonOptimize 1 +{% if env == 'staging' %} +WSGIScriptAlias /notifications /usr/share/fmn/fmn.web.wsgi +{% else %} WSGIScriptAlias /notifications /usr/share/fmn.web/fmn.web.wsgi +{% endif %} WSGIProcessGroup fmn From fb0132a7ef9b0fb2d57f77873e9cf430b3a2c302 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Tue, 13 Jun 2017 12:27:45 +0000 Subject: [PATCH 294/308] fedimg: Add fedmsg debug loopback to test fedimg with prod messages Signed-off-by: Sayan Chowdhury --- inventory/group_vars/fedimg-stg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inventory/group_vars/fedimg-stg b/inventory/group_vars/fedimg-stg index 22eea74296..c6e7339a61 100644 --- a/inventory/group_vars/fedimg-stg +++ b/inventory/group_vars/fedimg-stg @@ -15,6 +15,8 @@ tcp_ports: [ # TODO, restrict this down to just sysadmin-releng fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg,fi-apprentice,sysadmin-noc,sysadmin-veteran +fedmsg_debug_loopback: True + # These people get told when something goes wrong. fedmsg_error_recipients: - sysadmin-fedimg-members@fedoraproject.org From 878ee371031551ef27174ab4c8938790d7ecb62e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 13 Jun 2017 15:12:02 +0000 Subject: [PATCH 295/308] move download04 back to general pool --- inventory/host_vars/download04.phx2.fedoraproject.org | 2 -- 1 file changed, 2 deletions(-) 
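Review bot: Both branches of the new `{% if env == 'staging' %}` around the `Alias` line emit `/usr/share/fmn/static`, so production is moved to the new path as well. That contradicts the commit message, which limits the move to staging, and the second hunk, which keeps `/usr/share/fmn.web/fmn.web.wsgi` for production. The `{% else %}` branch should keep the old location: `Alias /notifications/static /usr/share/fmn.web/static`. As written, production would presumably fail to serve static assets until the new package layout is installed there.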
diff --git a/inventory/host_vars/download04.phx2.fedoraproject.org b/inventory/host_vars/download04.phx2.fedoraproject.org index 98874984a3..6bec9b4c0b 100644 --- a/inventory/host_vars/download04.phx2.fedoraproject.org +++ b/inventory/host_vars/download04.phx2.fedoraproject.org @@ -2,5 +2,3 @@ gw: 10.5.126.254 eth0_ip: 10.5.126.96 eth1_ip: 10.5.127.104 -# This is a tier1 only host -rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}-tier1" From d643854458a748f6c80d791299a6a84c39114d9f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 13 Jun 2017 15:48:33 +0000 Subject: [PATCH 296/308] Block lftp from download servers today Signed-off-by: Patrick Uiterwijk --- roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf b/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf index c953cb29a9..d31dc1b495 100644 --- a/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf +++ b/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf @@ -1,4 +1,8 @@ RewriteEngine On + +RewriteCond %{HTTP_USER_AGENT} "lftp" +RewriteRule ^.*$ – [F,L] + RewriteRule ^/$ /pub [R=302,L] RedirectMatch 302 ^/pub/fedora/linux/atomic/(.*$) https://kojipkgs.fedoraproject.org/atomic/$1 From 8f10ff70f618343f149504946f57f76f7660a209 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 13 Jun 2017 15:50:46 +0000 Subject: [PATCH 297/308] Add play tags Signed-off-by: Patrick Uiterwijk --- roles/download/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml index 82d0757bbf..6df7386ecc 100644 --- a/roles/download/tasks/main.yml +++ b/roles/download/tasks/main.yml 
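Review bot: The added `RewriteRule ^.*$ – [F,L]` in `rewrite.conf` shows an en dash as the substitution, but mod_rewrite treats only an ASCII `-` as "no substitution". If the en dash is really in the file and not an artifact of this rendering, the rule should read `RewriteRule ^ - [F]`. The `RewriteCond` pattern `"lftp"` is an unanchored, case-sensitive substring match on a client-supplied header, so it works as load shedding for a misbehaving mirror tool and not as access control. A comment such as `# load shedding only: User-Agent is client-controlled` would record that intent, and `[NC]` on the condition would make the match case-insensitive.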
@@ -83,11 +83,17 @@ - name: Make sure apache autoindex.conf is replaced with ours copy: src=httpd/dl.fedoraproject.org/autoindex.conf dest=/etc/httpd/conf.d/autoindex.conf + tags: + - httpd + - config notify: - reload httpd - name: Configure httpd dl sub conf copy: src=httpd/dl.fedoraproject.org/ dest=/etc/httpd/conf.d/dl.fedoraproject.org/ + tags: + - httpd + - config notify: - reload httpd From 2117eff4227317d33d212264bafde4053eef535d Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 13 Jun 2017 15:58:47 +0000 Subject: [PATCH 298/308] Add haveged to download* for entropy reasons Signed-off-by: Patrick Uiterwijk --- roles/download/tasks/main.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml index 6df7386ecc..11136d2b30 100644 --- a/roles/download/tasks/main.yml +++ b/roles/download/tasks/main.yml @@ -97,4 +97,17 @@ notify: - reload httpd +- name: Install haveged for entropy + yum: name=haveged state=installed + tags: + - httpd + - httpd/proxy + +- name: Set haveged running/enabled + service: name=haveged enabled=yes state=started + tags: + - service + - httpd + - httpd/proxy + ## From 46bd467ef98a7110284e4b1cff609cadc3b7edae Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 13 Jun 2017 16:41:07 +0000 Subject: [PATCH 299/308] Redirect lftp users to a page with tools to avoid Signed-off-by: Patrick Uiterwijk --- roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf b/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf index d31dc1b495..34d32100cd 100644 --- a/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf +++ b/roles/download/files/httpd/dl.fedoraproject.org/rewrite.conf 
@@ -1,7 +1,7 @@ RewriteEngine On RewriteCond %{HTTP_USER_AGENT} "lftp" -RewriteRule ^.*$ – [F,L] +RewriteRule ^.*$ https://fedoraproject.org/wiki/Infrastructure/Mirroring#Tools_to_avoid [R,L] RewriteRule ^/$ /pub [R=302,L] From b124753f39fe165a0fbf88d4f079449db1ddcb5b Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 13 Jun 2017 19:44:18 +0000 Subject: [PATCH 300/308] Add temporary workaround to reduce Koschei scheduler backlog Currently there are only 6 s390x builders and they are often busy running non-Koschei builds. ppc64le isn't much better with 11 hosts. armhfp seems to be more loaded than ppc64le, even thogut it has more builders - 18. --- .../backend/files/koschei-scheduler-hotfix.patch | 13 +++++++++++++ roles/koschei/backend/tasks/main.yml | 8 ++++++++ .../koschei/backend/templates/config-backend.cfg.j2 | 6 +++--- 3 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 roles/koschei/backend/files/koschei-scheduler-hotfix.patch diff --git a/roles/koschei/backend/files/koschei-scheduler-hotfix.patch b/roles/koschei/backend/files/koschei-scheduler-hotfix.patch new file mode 100644 index 0000000000..8ca76ae7d9 --- /dev/null +++ b/roles/koschei/backend/files/koschei-scheduler-hotfix.patch @@ -0,0 +1,13 @@ +--- /usr/lib/python2.7/site-packages/koschei/backend/__init__.py~ 2017-06-13 21:30:55.485685712 +0200 ++++ /usr/lib/python2.7/site-packages/koschei/backend/__init__.py 2017-06-13 21:32:44.862493921 +0200 +@@ -99,8 +99,8 @@ + build = Build(package_id=package.id, state=Build.RUNNING) + name = package.name + build_opts = {} +- if package.arch_override: +- override = package.arch_override ++ if True: ++ override = package.arch_override or '^' + if override.startswith('^'): + excludes = override[1:].split() + build_arches = get_config('koji_config').get('build_arches') diff --git a/roles/koschei/backend/tasks/main.yml b/roles/koschei/backend/tasks/main.yml index a7667ede17..5fed37bf4f 100644 --- a/roles/koschei/backend/tasks/main.yml 
+++ b/roles/koschei/backend/tasks/main.yml @@ -107,3 +107,11 @@ tags: - koschei - config + +- name: HOTFIX koschei scheduler + patch: src=koschei-scheduler-hotfix.patch basedir=/ + notify: + - restart koschei-scheduler + tags: + - koschei + - hotfix diff --git a/roles/koschei/backend/templates/config-backend.cfg.j2 b/roles/koschei/backend/templates/config-backend.cfg.j2 index 672c694eef..977896f53f 100644 --- a/roles/koschei/backend/templates/config-backend.cfg.j2 +++ b/roles/koschei/backend/templates/config-backend.cfg.j2 @@ -24,12 +24,12 @@ config = { }, {% if env == 'staging' %} "max_builds": 16, - "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le'], + "build_arches": ['x86_64'], "load_threshold": 1, {% else %} "max_builds": 60, - "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le', 's390x'], - "load_threshold": 0.65, + "build_arches": ['x86_64', 'aarch64', 'ppc64'], + "load_threshold": 0.75, {% endif %} "task_priority": 30, }, From d989d822de7f8c2980052892735dafc4f7c998e9 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 13 Jun 2017 19:55:55 +0000 Subject: [PATCH 301/308] Slightly rise priority of Koschei scratch builds in staging --- roles/koschei/backend/templates/config-backend.cfg.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/koschei/backend/templates/config-backend.cfg.j2 b/roles/koschei/backend/templates/config-backend.cfg.j2 index 977896f53f..78fd657775 100644 --- a/roles/koschei/backend/templates/config-backend.cfg.j2 +++ b/roles/koschei/backend/templates/config-backend.cfg.j2 @@ -26,12 +26,13 @@ config = { "max_builds": 16, "build_arches": ['x86_64'], "load_threshold": 1, + "task_priority": 25, {% else %} "max_builds": 60, "build_arches": ['x86_64', 'aarch64', 'ppc64'], "load_threshold": 0.75, - {% endif %} "task_priority": 30, + {% endif %} }, "dependency": { "build_group": "build", From ff4be42ff16ca53c45f4bf48c702896d2e17168f Mon Sep 17 00:00:00 2001 
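Review bot: The `HOTFIX koschei scheduler` task in `roles/koschei/backend/tasks/main.yml` patches `/usr/lib/python2.7/site-packages/koschei/backend/__init__.py` in place. That file presumably belongs to an installed package, so the next package update would revert the change without notice, and package verification or file-integrity monitoring would report the file as modified while the patch is applied. The task should carry a comment naming the upstream fix and the point at which it can be removed, e.g. `# remove once koschei ships <UPSTREAM_FIX_PLACEHOLDER>; file fails package verification while applied`. Setting `backup=yes` on the `patch` module would also keep the pristine file for rollback. The task list continues outside the hunk.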
From: Mikolaj Izdebski Date: Tue, 13 Jun 2017 20:19:50 +0000 Subject: [PATCH 302/308] Koschei hotfix: try not to override arch of noarch packages --- .../files/koschei-scheduler-hotfix.patch | 28 +++++++++++++++---- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/roles/koschei/backend/files/koschei-scheduler-hotfix.patch b/roles/koschei/backend/files/koschei-scheduler-hotfix.patch index 8ca76ae7d9..e562a4ba35 100644 --- a/roles/koschei/backend/files/koschei-scheduler-hotfix.patch +++ b/roles/koschei/backend/files/koschei-scheduler-hotfix.patch 
@@ -1,13 +1,31 @@ ---- /usr/lib/python2.7/site-packages/koschei/backend/__init__.py~ 2017-06-13 21:30:55.485685712 +0200 -+++ /usr/lib/python2.7/site-packages/koschei/backend/__init__.py 2017-06-13 21:32:44.862493921 +0200 -@@ -99,8 +99,8 @@ +--- /usr/lib/python2.7/site-packages/koschei/backend/__init__.py~ 2017-06-13 21:31:05.170580184 +0200 ++++ /usr/lib/python2.7/site-packages/koschei/backend/__init__.py 2017-06-13 22:16:19.333831662 +0200 +@@ -94,13 +94,15 @@ + return self._repo_cache + + +-def submit_build(session, package): ++def submit_build(session, package, arches=[]): + assert package.collection.latest_repo_id build = Build(package_id=package.id, state=Build.RUNNING) name = package.name build_opts = {} - if package.arch_override: -- override = package.arch_override + if True: -+ override = package.arch_override or '^' + override = package.arch_override ++ if not override and 'noarch' not in arches: ++ override = '^' if override.startswith('^'): excludes = override[1:].split() build_arches = get_config('koji_config').get('build_arches') +--- /usr/lib/python2.7/site-packages/koschei/backend/services/scheduler.py~ 2017-06-13 22:15:27.907396051 +0200 ++++ /usr/lib/python2.7/site-packages/koschei/backend/services/scheduler.py 2017-06-13 22:15:45.077207616 +0200 +@@ -72,7 +72,7 @@ + + self.log.info('Scheduling build for {}, priority {}' + .format(package.name, priority)) +- build = backend.submit_build(self.session, package) ++ build = backend.submit_build(self.session, package, arches) + package.current_priority = None + package.scheduler_skip_reason = None + package.manual_priority = 0 From 76a943ec112e97660e5084ead73887391cc91b53 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 13 Jun 2017 20:25:59 +0000 Subject: [PATCH 303/308] Fix null pointer dereference in koschei-scheduler-hotfix.patch --- .../backend/files/koschei-scheduler-hotfix.patch | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/roles/koschei/backend/files/koschei-scheduler-hotfix.patch b/roles/koschei/backend/files/koschei-scheduler-hotfix.patch index e562a4ba35..11445806f6 100644 --- a/roles/koschei/backend/files/koschei-scheduler-hotfix.patch +++ b/roles/koschei/backend/files/koschei-scheduler-hotfix.patch @@ -1,5 +1,5 @@ --- /usr/lib/python2.7/site-packages/koschei/backend/__init__.py~ 2017-06-13 21:31:05.170580184 +0200 -+++ /usr/lib/python2.7/site-packages/koschei/backend/__init__.py 2017-06-13 22:16:19.333831662 +0200 ++++ /usr/lib/python2.7/site-packages/koschei/backend/__init__.py 2017-06-13 22:24:19.798558738 +0200 @@ -94,13 +94,15 @@ return self._repo_cache @@ -11,10 +11,11 @@ name = package.name build_opts = {} - if package.arch_override: -+ if True: - override = package.arch_override -+ if not override and 'noarch' not in arches: -+ override = '^' +- override = package.arch_override ++ override = package.arch_override ++ if not override and 'noarch' not in arches: ++ override = '^' ++ if override: if override.startswith('^'): excludes = override[1:].split() build_arches = get_config('koji_config').get('build_arches') From cc7d8fd49f160e7df39be30a3573bed857ab25c5 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 13 Jun 2017 20:32:38 +0000 Subject: [PATCH 304/308] Enable Koschei hotfix only in staging for now --- roles/koschei/backend/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/koschei/backend/tasks/main.yml b/roles/koschei/backend/tasks/main.yml index 5fed37bf4f..27bc3e1878 100644 --- a/roles/koschei/backend/tasks/main.yml +++ b/roles/koschei/backend/tasks/main.yml @@ -110,6 +110,7 @@ - name: HOTFIX koschei scheduler patch: src=koschei-scheduler-hotfix.patch basedir=/ + when: env == 'staging' notify: - restart koschei-scheduler tags: From f4ac8bcd553037602c1aade4b4bc1c9be1d11fb5 Mon Sep 17 00:00:00 2001 
From: Patrick Uiterwijk Date: Wed, 14 Jun 2017 07:46:15 +0000 Subject: [PATCH 305/308] Make people send 30 minutes cache for everywhere Signed-off-by: Patrick Uiterwijk --- roles/people/templates/people.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/people/templates/people.conf b/roles/people/templates/people.conf index 2f8dc1d0b8..eeb79e14dc 100644 --- a/roles/people/templates/people.conf +++ b/roles/people/templates/people.conf @@ -40,7 +40,7 @@ NameVirtualHost *:80 ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fedorapeople.org-error.log-%Y-%m-%d 86400 -l" CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/fedorapeople.org-access.log-%Y-%m-%d 86400 -l" vcommon - + ExpiresActive On ExpiresDefault "access plus 30 minutes" From 261a28cae90dd51dd037ccb1e6d395ab848bfdd6 Mon Sep 17 00:00:00 2001 From: "Paul W. Frields" Date: Wed, 14 Jun 2017 12:51:25 +0000 Subject: [PATCH 306/308] [regcfp] Fix permissions for Flock 2017 paper committee --- roles/regcfp/templates/config.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index a7eeca81fc..d28d2772c1 100644 --- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json 
@@ -61,22 +61,22 @@ "papers": { "submit": ["*authenticated*"], "list": { - "accepted": ["bex@fedoraproject.org", "mattdm@fedoraproject.org", "duffy@fedoraproject.org", "pfrields@fedoraproject.org"], + "accepted": ["bex@fedoraproject.org", "duffy@fedoraproject.org", "pfrields@fedoraproject.org", "mitzie@fedoraproject.org"], "own": ["*authenticated*"], - "all": ["pfrields@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "robyduck@fedoraproject.org", "bex@fedoraproject.org"] + "all": ["pfrields@fedoraproject.org", "duffy@fedoraproject.org", "mattdm@fedoraproject.org", "robyduck@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org", "nb@fedoraproject.org", "mitzie@fedoraproject.org"] }, "edit": { "own": ["*authenticated*"], - "all": ["pfrields@fedoraproject.org", "bex@fedoraproject.org", "mattdm@fedoraproject.org"] + "all": ["pfrields@fedoraproject.org", "bex@fedoraproject.org", "duffy@fedoraproject.org"] }, "delete": { "own": ["*authenticated*"], - "all": ["pfrields@fedoraproject.org", "mattdm@fedoraproject.org", "bex@fedoraproject.org"] + "all": ["pfrields@fedoraproject.org", "duffy@fedoraproject.org", "bex@fedoraproject.org"] }, "tag": ["*authenticated*"], - "vote": ["duffy@fedoraproject.org", "mattdm@fedoraproject.org", "pfrields@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org"], - "showvotes": ["duffy@fedoraproject.org", "mattdm@fedoraproject.org", "pfrields@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org"], - "accept": ["mattdm@fedoraproject.org", "bex@fedoraproject.org"] + "vote": ["duffy@fedoraproject.org", "mattdm@fedoraproject.org", "pfrields@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org", "robyduck@fedoraproject.org", "nb@fedoraproject.org"], + "showvotes": ["duffy@fedoraproject.org", "mattdm@fedoraproject.org", "pfrields@fedoraproject.org", "bex@fedoraproject.org", "cprofitt@fedoraproject.org", "robyduck@fedoraproject.org", 
"nb@fedoraproject.org"], + "accept": ["pfrields@fedoraproject.org", "bex@fedoraproject.org", "duffy@fedoraproject.org"] }, "registration": { "register": ["*authenticated*"], From 31af1a206e7946b8a4e44add57755a4d645251fb Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 14 Jun 2017 17:49:03 +0200 Subject: [PATCH 307/308] Turn around defaults Signed-off-by: Patrick Uiterwijk --- roles/regcfp/templates/config.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/regcfp/templates/config.json b/roles/regcfp/templates/config.json index d28d2772c1..2fd29e95df 100644 --- a/roles/regcfp/templates/config.json +++ b/roles/regcfp/templates/config.json @@ -250,7 +250,7 @@ "private": true, "placeholder": "", "options": [ - "Yes", "No" + "No", "Yes" ], "split": 1 }, @@ -273,7 +273,7 @@ "private": false, "placeholder": "", "options": [ - "Yes", "No" + "No", "Yes" ], "split": 1 }, From 8ef9ccaacc727aceabfaf8e5025479c0f4c050bc Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 14 Jun 2017 15:55:22 +0000 Subject: [PATCH 308/308] Bump nagios threshold for mbs backend congestion alerts. --- roles/nagios/client/templates/check_fedmsg_consumers.cfg.j2 | 2 +- roles/nagios/server/files/nrpe.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios/client/templates/check_fedmsg_consumers.cfg.j2 b/roles/nagios/client/templates/check_fedmsg_consumers.cfg.j2 index ea32cab763..5d2f128ce2 100644 --- a/roles/nagios/client/templates/check_fedmsg_consumers.cfg.j2 +++ b/roles/nagios/client/templates/check_fedmsg_consumers.cfg.j2 
@@ -60,7 +60,7 @@ command[check_fedmsg_cbacklog_autocloud_backend]={{libdir}}/nagios/plugins/check
 command[check_fedmsg_cbacklog_packages_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub CacheInvalidator 20000 30000
 command[check_fedmsg_cbacklog_bugyou_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub BugyouConsumer 5000 10000
 command[check_fedmsg_cbacklog_pdc_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub PDCUpdater 10000 20000
-command[check_fedmsg_cbacklog_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub MBSConsumer 1000 2000
+command[check_fedmsg_cbacklog_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub MBSConsumer 10000 20000
 command[check_fedmsg_fmn_digest_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub DigestProducer 90 600
 command[check_fedmsg_fmn_confirm_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub ConfirmationProducer 90 600
diff --git a/roles/nagios/server/files/nrpe.cfg b/roles/nagios/server/files/nrpe.cfg
index db8bbb41b9..8810b5aa86 100644
--- a/roles/nagios/server/files/nrpe.cfg
+++ b/roles/nagios/server/files/nrpe.cfg
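Review bot: The `MBSConsumer` backlog thresholds rise tenfold, from `1000 2000` to `10000 20000`, on the `check_fedmsg_cbacklog_mbs_backend` line here and on the `check_fedmsg_cbacklog_mbs_backend_hub` line in the `nrpe.cfg` hunk that follows, and neither file records the backlog level that justified the change. A threshold raised to quiet an alert also delays detection of a consumer that has really stalled, so the line should carry a comment giving the observed baseline, for example `# MBSConsumer backlog: normal peak is <observed value>; thresholds set to 10000 / 20000` (placeholder, to be filled in from monitoring data). The two numbers are presumably the warning and critical levels. The check is maintained as two copies that have to be edited together, so a short cross-reference comment in each file would help keep them aligned.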
@@ -343,7 +343,7 @@ command[check_fedmsg_cbacklog_autocloud_backend_hub]=/usr/lib64/nagios/plugins/c
 command[check_fedmsg_cbacklog_packages_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub CacheInvalidator 5000 10000
 command[check_fedmsg_cbacklog_bugyou_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub BugyouConsumer 5000 10000
 command[check_fedmsg_cbacklog_pdc_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub PDCUpdater 10000 20000
-command[check_fedmsg_cbacklog_mbs_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub MBSConsumer 1000 2000
+command[check_fedmsg_cbacklog_mbs_backend_hub]=/usr/lib64/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub MBSConsumer 10000 20000
 command[check_fedmsg_fmn_digest_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub DigestProducer 90 600
 command[check_fedmsg_fmn_confirm_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub ConfirmationProducer 30 300