From e6603b3f7f0476502e84a1f35480dafa1ccddda5 Mon Sep 17 00:00:00 2001 
From: Seth Vidal
Date: Thu, 2 May 2013 18:52:07 +0000
Subject: [PATCH] move of the koji builders creation from builders repo to ansible public
---
files/common-scripts/hardware-reinstall | 228 ++++++++++++++++++
files/common/ntp.conf | 24 ++
files/hosts/kojibuilder-hosts | 8 +
files/iptables/kojibuilder | 6 +
files/kojibuilder/arm-koji.conf | 23 ++
files/kojibuilder/arm-kojid.conf | 62 +++++
files/kojibuilder/builder-infrastructure.repo | 6 +
.../kojibuilder/builders/bkernel-eth0-network | 11 +
.../builders/bkernel-site-defaults.cfg | 2 +
.../builders/fedora-devel-pungi-i386.cfg | 31 +++
.../builders/fedora-devel-pungi-x86_64.cfg | 34 +++
files/kojibuilder/ftbfs_auth_keys | 13 +
files/kojibuilder/history_off.sh | 2 +
files/kojibuilder/idmapd.conf | 114 +++++++++
files/kojibuilder/koji.conf | 23 ++
files/kojibuilder/kojid.conf | 59 +++++
files/kojibuilder/limits.conf | 53 ++++
files/kojibuilder/mock_auth_keys | 1 +
files/kojibuilder/releng.repo | 6 +
files/kojibuilder/root_auth_keys | 2 +
files/kojibuilder/route-eth1 | 1 +
playbooks/koji/config_builder.yml | 201 +++++++++++++++
playbooks/koji/make_builder.yml | 3 +-
tasks/bkernel-setup.yml | 38 +++
24 files changed, 950 insertions(+), 1 deletion(-)
create mode 100755 files/common-scripts/hardware-reinstall
create mode 100644 files/common/ntp.conf
create mode 100644 files/hosts/kojibuilder-hosts
create mode 100644 files/kojibuilder/arm-koji.conf
create mode 100644 files/kojibuilder/arm-kojid.conf
create mode 100644 files/kojibuilder/builder-infrastructure.repo
create mode 100644 files/kojibuilder/builders/bkernel-eth0-network
create mode 100644 files/kojibuilder/builders/bkernel-site-defaults.cfg
create mode 100644 files/kojibuilder/builders/fedora-devel-pungi-i386.cfg
create mode 100644 files/kojibuilder/builders/fedora-devel-pungi-x86_64.cfg
create mode 100644 files/kojibuilder/ftbfs_auth_keys
create mode 100644 files/kojibuilder/history_off.sh
create mode 100644 files/kojibuilder/idmapd.conf
create mode 100644 files/kojibuilder/koji.conf
create mode 100644 files/kojibuilder/kojid.conf
create mode 100644 files/kojibuilder/limits.conf
create mode 100644 files/kojibuilder/mock_auth_keys
create mode 100644 files/kojibuilder/releng.repo
create mode 100644 files/kojibuilder/root_auth_keys
create mode 100644 files/kojibuilder/route-eth1
create mode 100644 playbooks/koji/config_builder.yml
create mode 100644 tasks/bkernel-setup.yml
diff --git a/files/common-scripts/hardware-reinstall b/files/common-scripts/hardware-reinstall
new file mode 100755
index 0000000000..794be0215f
--- /dev/null
+++ b/files/common-scripts/hardware-reinstall
@@ -0,0 +1,228 @@ +#!/usr/bin/env python +# hardware-reinstall - Prepare a physical box in FI for re-install. +# (c) 2012 Red Hat, Inc. +# Ricky Elrod +# GPLv2+ + +import os +import sys +import urllib +import socket +import subprocess +import shlex +import platform +from optparse import OptionParser + +parser = OptionParser( + description='Prepare a physical box in FI for re-install.') +parser.add_option('-n', + '--noop', + action='store_true', + help="Don't actually modify/download anything, just " + "output stuff.") +parser.add_option('-y', + '--yes', + action='store_true', + default=False, + dest="yes", + help="Don't prompt to confirm, just do it.") +parser.add_option('--ip', + help="Override the IP of the box (passed to Grubby)") +parser.add_option('--gw', + help="Override the Gateway of the box (passed to Grubby)", + dest='gateway') +parser.add_option('--nm', + help="Override the Netmask of the box (passed to Grubby)", + dest='netmask') +parser.add_option('--dns', + help="Comma-delimited list of DNS resolvers (passed to " + "Grubby)", + dest='dns_resolvers') +parser.add_option('--ks-file', + help="Set the kickstart file to use (default:" + "hardware-rhel-6-nohd)", + default='hardware-rhel-6-nohd', + dest='ks_file') +(options, args) = parser.parse_args() + +if options.yes and options.noop: + print "Don't ask AND don't do anything? Cmon" + sys.exit(1) + +# 0. Get our hostname/primary ip +# Get our primary IP by resolving our hostname. +if options.ip: + if not options.netmask: + print 'You gave a custom IP and should specify a custom netmask too.' + sys.exit(1) + primary_ip = options.ip +else: + primary_ip = socket.gethostbyname(socket.gethostname()) + +# so - anaconda sometimes doesn't seem to listen to our dns +# when fetching kickstarts, etc - so if we give the ip of the host +# if we're in 10.5.X network (phx2) then things just work. 
+if primary_ip.startswith('10.5.'): + basehost = "http://10.5.126.23/" +else: + basehost = "http://infrastructure.fedoraproject.org/" + +arch = platform.machine() +VMLINUZ_URL = '%srepo/rhel/RHEL6-%s/images/pxeboot/vmlinuz' % (basehost, arch) +INITRD_URL = '%srepo/rhel/RHEL6-%s/images/pxeboot/initrd.img' % (basehost, + arch) + +# 1. Grab initrd and vmlinuz and throw them in /boot +# FIXME - more error catching here +if not options.noop: + print 'Fetching vmlinuz' + urllib.urlretrieve(VMLINUZ_URL, "/boot/vmlinuz-install") + + print 'Fetching initrd' + urllib.urlretrieve(INITRD_URL, "/boot/initrd-install.img") + + +# 2. Find our network info. +if options.netmask: + primary_netmask = options.netmask + +# We still have to get the MAC address, of the primary NIC +# even if we specify a custom IP/NM. +cmd = subprocess.Popen('/sbin/ifconfig', stdout=subprocess.PIPE) +stdout = cmd.communicate()[0] +i = 0 +lines = stdout.split("\n") +for line in lines: + if socket.gethostbyname(socket.gethostname()) in line: + # Somewhere between EL6 and F17, ifconfig output has changed. + # We accommodate for both. + if ':' in line: + # We are EL6 + if not options.netmask: + # inet addr:10.5.127.51 Bcast:10.5.127.255 Mask:255.255.255.0 + primary_netmask = line.split('Mask:')[1] + + # On EL6 MAC addr is always one line before the IP address line + primary_mac = lines[i - 1].split('HWaddr ')[1] + else: + # We are likely something newer + if not options.netmask: + # inet 10.10.10.113 netmask 255.255.255.0 broadcast + # 10.10.10.255 # (cont. from above comment) + primary_netmask = line.split('netmask ')[1].split(' ')[0] + + # On newer things, life gets harder. We have to continue + # parsing lines until we get one with 'ether ' in it. + # The range is the line we're on now -> the last line. 
+ for y in xrange(i, len(lines) - 1): + if 'ether ' in lines[y]: + primary_mac = lines[y].split('ether ')[1].split(' ')[0] + break + break + i += 1 + +# Gateway +if options.gateway: + primary_gateway = options.gateway +else: + cmd = subprocess.Popen(['/sbin/ip', 'route'], stdout=subprocess.PIPE) + stdout = cmd.communicate()[0] + for line in stdout.split("\n"): + if 'default' in line: + # default via 10.10.10.1 dev wlan0 proto static + primary_gateway = line.split('via ')[1].split(' ')[0] + break + +# And DNS servers +if options.dns_resolvers: + dns_resolvers = options.dns_resolvers +else: + dns_servers = [] + with open('/etc/resolv.conf', 'r') as f: + for line in f.readlines(): + if 'nameserver' in line: + dns = line.split(' ') + if len(dns) == 2: + dns_servers.append(dns[1].strip()) + dns_resolvers = ','.join(dns_servers) + +print '-' * 30 +print 'Primary IP: ' + primary_ip +print 'Primary Netmask: ' + primary_netmask +print 'Primary Gateway: ' + primary_gateway +print 'Primary MAC Address: ' + primary_mac +print 'DNS Resolvers: ' + dns_resolvers +print '-' * 30 + +# 3. Construct the grubby line. 
+# grubby --add-kernel=/boot/vmlinuz-install \ +# --args="ks=http://infrastructure.fedoraproject.org/\ +# repo/rhel/ks/hardware-rhel-6-nohd \ +# repo=http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/ \ +# ksdevice=link ip=$IP gateway=$GATEWAY netmask=$NETMASK dns=$DNS" \ +# --title="install el6" --initrd=/boot/initrd-install.img +grubby_command = '/sbin/grubby --add-kernel=/boot/vmlinuz-install ' \ + '--args="ks=%srepo/rhel/ks/%s ksdevice=%s ' \ + 'ip=%s gateway=%s netmask=%s dns=%s repo=%srepo/rhel/RHEL6-x86_64/" ' \ + '--title="install el6" --initrd=/boot/initrd-install.img' % (basehost, + options.ks_file, + primary_mac, + primary_ip, + primary_gateway, + primary_netmask, + dns_resolvers, + basehost) + +print 'This grubby command seems like it will work:' +print '-' * 30 +print grubby_command +print '-' * 30 +print 'Check the command and be sure that it looks correct.' + +if not options.noop: + if not options.yes: + print 'Type yes to continue, anything else to abort.' + print 'By continuing, I will run the above command.' + if raw_input('> ') != 'yes': + print 'Removing downloaded files.' + os.unlink('/boot/vmlinuz-install') + os.unlink('/boot/initrd-install.img') + print 'Aborting.' + sys.exit(1) + + cmd = subprocess.Popen(shlex.split(grubby_command), + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + stdout, stderr = cmd.communicate() + if stdout: + print stdout + if stderr: + print "[STDERR output]" + print stderr + + if not options.yes: + raw_input( + 'Examine the above output, if it looks sane, press enter to ' + 'continue.') +print 'The next command I will run is:' +print 'echo "savedefault --default=0 --once" | grub --batch' + +if not options.noop: + cmd = subprocess.Popen(['/sbin/grub', '--batch'], + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT) + stdout = cmd.communicate(input='savedefault --default=0 --once\n') + print stdout[0] + +print 'Done.' 
+print 'When you are ready, run: `shutdown -r now` to reboot.' +print 'Go here:' +print 'http://infrastructure.fedoraproject.org/infra/docs/kickstarts.txt' +print 'And control-f for "Installation" (no quotes). Continue from there.' + +if options.noop: + print '-' * 30 + print 'Script was run in "no-op" mode - none of the above commands ' \ + 'actually ran.' + print '-' * 30 diff --git a/files/common/ntp.conf b/files/common/ntp.conf new file mode 100644 index 0000000000..9cfa2c1a63 --- /dev/null +++ b/files/common/ntp.conf @@ -0,0 +1,24 @@ +## Set up restrictions for services. +restrict default kod nomodify notrap nopeer noquery +restrict -6 default kod nomodify notrap nopeer noquery +restrict 127.0.0.1 +restrict -6 ::1 + +# setup a set of servers that we all look at. +server 66.187.233.4 # [clock.redhat.com] +server 192.43.244.18 # [time.nist.gov] +server 128.118.25.5 # [otc1.psu.edu] +server 204.152.184.72 # [clock.isc.org] + +# [localhost] +# Undisciplined Local Clock. This is a fake driver intended for backup +# and when no outside source of synchronized time is available. +server 127.127.1.0 # local clock +fudge 127.127.1.0 stratum 10 + +# Key file containing the keys and key identifiers used when operating +# with symmetric key cryptography. +keys /etc/ntp/keys + +# Watch drift +driftfile /var/lib/ntp/drift diff --git a/files/hosts/kojibuilder-hosts b/files/hosts/kojibuilder-hosts new file mode 100644 index 0000000000..e4220c3160 --- /dev/null +++ b/files/hosts/kojibuilder-hosts @@ -0,0 +1,8 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.23 infrastructure.fedoraproject.org +10.5.125.63 koji.fedoraproject.org +10.5.125.36 kojipkgs.fedoraproject.org +10.5.124.138 arm.koji.fedoraproject.org armpkgs.fedoraproject.org +10.5.125.44 pkgs.fedoraproject.org pkgs +10.5.126.52 mirrors.fedoraproject.org admin.fedoraproject.org 
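Review bot: The vmlinuz and initrd that hardware-reinstall writes to /boot and registers with grubby are fetched with `urllib.urlretrieve` from an `http://` `basehost` and never verified, and the `ks=` and `repo=` arguments point at the same plain-HTTP host, so nothing authenticates what the machine boots into after the next restart. Before the grubby step I would compare each downloaded file against a digest obtained out of band and abort (removing the files) on a mismatch, and add a comment such as `# images are fetched over plain HTTP; verify a pinned SHA-256 before adding the boot entry`. The existing `# FIXME - more error catching here` is also worth acting on: nothing here checks that either download succeeded, and `primary_mac`, `primary_netmask` and `primary_gateway` are only assigned inside the parsing loops, so an unexpected ifconfig or `ip route` format ends in a NameError after /boot has already been modified.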
diff --git a/files/iptables/kojibuilder b/files/iptables/kojibuilder index d7069b14ee..4153a9aa80 100644 --- a/files/iptables/kojibuilder +++ b/files/iptables/kojibuilder @@ -24,6 +24,10 @@ -A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 443 -j ACCEPT +#arm.koji.fp.o +-A OUTPUT -p tcp -m tcp -d 10.5.124.138 --dport 80 -j ACCEPT +-A OUTPUT -p tcp -m tcp -d 10.5.124.138 --dport 443 -j ACCEPT + # DNS -A OUTPUT -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT -A OUTPUT -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT @@ -64,4 +68,6 @@ -A OUTPUT -m udp -p udp --dport 123 -d 128.118.25.5 -j ACCEPT -A OUTPUT -m udp -p udp --dport 123 -d 204.152.184.72 -j ACCEPT +# dhcp +-A OUTPUT -m udp -p udp --dport 67 -d 10.5.126.41 -j ACCEP COMMIT diff --git a/files/kojibuilder/arm-koji.conf b/files/kojibuilder/arm-koji.conf new file mode 100644 index 0000000000..83eaa2dbef --- /dev/null +++ b/files/kojibuilder/arm-koji.conf @@ -0,0 +1,23 @@ +[koji] + +;configuration for koji cli tool + +;url of XMLRPC server +server = http://arm.koji.fedoraproject.org/kojihub + +;url of web interface +weburl = http://arm.koji.fedoraproject.org/koji + +;path to the koji top directory +;topdir = /mnt/koji + +;configuration for SSL athentication + +;client certificate +;cert = ~/.koji/client.crt + +;certificate of the CA that issued the client certificate +;ca = ~/.koji/clientca.crt + +;certificate of the CA that issued the HTTP server certificate +;serverca = ~/.koji/serverca.crt diff --git a/files/kojibuilder/arm-kojid.conf b/files/kojibuilder/arm-kojid.conf new file mode 100644 index 0000000000..c99e72ae74 --- /dev/null +++ b/files/kojibuilder/arm-kojid.conf 
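Review bot: The DHCP rule added in the second hunk of files/iptables/kojibuilder ends in `-j ACCEP`, which is not a valid target; it should read `-A OUTPUT -m udp -p udp --dport 67 -d 10.5.126.41 -j ACCEPT`. This file is copied to /etc/sysconfig/iptables by playbooks/koji/config_builder.yml with a `restart iptables` notification, and iptables-restore typically rejects the whole table when one line fails to parse, so the builder may end up without the intended OUTPUT rules rather than just without the DHCP rule. A syntax check of the file before deployment (for example `iptables-restore --test`) would catch this class of error.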
@@ -0,0 +1,62 @@
+[kojid]
+; The number of seconds to sleep between tasks
+; sleeptime=15
+
+; The maximum number of jobs that kojid will handle at a time
+; maxjobs=10
+
+; The minimum amount of free space (in MBs) required for each build root
+; minspace=8192
+
+; The directory root where work data can be found from the koji hub
+; topdir=/mnt/koji
+
+;url of package download site
+topurl = http://armpkgs.fedoraproject.org/
+
+; The directory root for temporary storage
+; workdir=/tmp/koji
+
+; The directory root for mock
+; mockdir=/var/lib/mock
+
+; The user to run as when doing builds
+; mockuser=kojibuilder
+
+; The vendor to use in rpm headers
+vendor=Fedora Project
+
+; The packager to use in rpm headers
+packager=Fedora Project
+
+; the distribution to use in rpm headers
+distribution=Fedora Project
+
+; The _host string to use in mock
+mockhost=redhat-linux-gnu
+
+; The URL for the xmlrpc server
+server=http://arm.koji.fedoraproject.org/kojihub
+
+; The URL for the packages tree
+pkgurl=http://armpkgs.fedoraproject.org/packages
+
+; A space-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
+allowed_scms=pkgs.fedoraproject.org:/*:false:fedpkg,sources git.fedorahosted.org:/git/spin-kickstarts.git:false
+
+; The mail host to use for sending email notifications
+smtphost=bastion.phx2.fedoraproject.org
+
+; The From address used when sending email notifications
+from_addr=Fedora Koji Build System
+
+;configuration for SSL athentication
+
+;client certificate - puppet generated
+cert = /etc/kojid/kojibuilder.pem
+
+;certificate of the CA that issued the client certificate
+ca = /etc/kojid/cacert.pem
+
+;certificate of the CA that issued the HTTP server certificate
+serverca = /etc/kojid/cacert.pem
diff --git a/files/kojibuilder/builder-infrastructure.repo b/files/kojibuilder/builder-infrastructure.repo
new file mode 100644
index 0000000000..ef6b4f23a4
--- /dev/null
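Review bot: `topurl`, `pkgurl` and `server` in arm-kojid.conf are all `http://` URLs, so the packages and repodata kojid pulls into build roots travel without transport integrity, and the hub traffic does too unless the client switches to TLS for certificate login, even though `cert`, `ca` and `serverca` are configured a few lines below. If these hosts serve HTTPS I would use `topurl = https://armpkgs.fedoraproject.org/` and the `https://` form of `server` and `pkgurl`. If they deliberately stay on HTTP inside the build network, a comment such as `; plain HTTP is intentional: builders reach these hosts only over the internal 10.5.x network` would record that decision. The same applies to files/kojibuilder/kojid.conf, and the `server`/`weburl` lines in arm-koji.conf and koji.conf follow the same pattern.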
+++ b/files/kojibuilder/builder-infrastructure.repo
@@ -0,0 +1,6 @@
+[builder-infrastructure]
+name=Builder Packages from Fedora Infrastructure $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/builder-rpms/$releasever/$basearch/
+enabled=1
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
diff --git a/files/kojibuilder/builders/bkernel-eth0-network b/files/kojibuilder/builders/bkernel-eth0-network
new file mode 100644
index 0000000000..3ba815a9b7
--- /dev/null
+++ b/files/kojibuilder/builders/bkernel-eth0-network
@@ -0,0 +1,11 @@
+DEVICE={{ ansible_eth0["device"] }}
+BOOTPROTO="static"
+DNS1="10.5.126.21"
+DNS2="10.5.126.22"
+GATEWAY="10.5.125.254"
+HWADDR={{ ansible_eth0["macaddress"] }}
+IPADDR={{ ansible_eth0["ipv4"]["address"] }}
+NETMASK={{ ansible_eth0["ipv4"]["netmask"] }}
+NM_CONTROLLED="yes"
+ONBOOT="yes"
+TYPE="Ethernet"
diff --git a/files/kojibuilder/builders/bkernel-site-defaults.cfg b/files/kojibuilder/builders/bkernel-site-defaults.cfg
new file mode 100644
index 0000000000..6290807f28
--- /dev/null
+++ b/files/kojibuilder/builders/bkernel-site-defaults.cfg
@@ -0,0 +1,2 @@
+# mount the pesign socket into the chroot
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign' ))
diff --git a/files/kojibuilder/builders/fedora-devel-pungi-i386.cfg b/files/kojibuilder/builders/fedora-devel-pungi-i386.cfg
new file mode 100644
index 0000000000..2bbc104e37
--- /dev/null
+++ b/files/kojibuilder/builders/fedora-devel-pungi-i386.cfg
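Review bot: `gpgcheck=1` in builder-infrastructure.repo is undermined by `gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE`, because the key is fetched over plain HTTP from the same host that serves `baseurl`, so anything able to alter the packages in transit can alter the key as well. Shipping the key with the playbook and referencing it locally, `gpgkey=file://<PATH_TO_INSTALLED_KEY>` (placeholder path), gives signature checking a trust anchor that does not depend on that connection. files/kojibuilder/releng.repo has the same `gpgkey` line.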
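Review bot: The comment `# mount the pesign socket into the chroot` in bkernel-site-defaults.cfg says what the line does but not who is then able to use the socket; with /var/run/pesign bind-mounted, code running inside a mock chroot on this builder can presumably reach the signing daemon. I would extend the comment to something like `# bkernel builders only: exposes the pesign signing socket to builds in the chroot; access is limited by <MECHANISM>`, with the placeholder filled in by whatever restricts which builds are scheduled on these hosts.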
@@ -0,0 +1,31 @@
+config_opts['root'] = 'fedora-development-pungi-i386'
+config_opts['target_arch'] = 'i386'
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc9'
+config_opts['plugin_conf']['root_cache_enable'] = False
+config_opts['internal_dev_setup'] = False
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/dev', '/dev' ))
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/dev/pts', '/dev/pts' ))
+
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+
+# repos
+
+[fedora]
+name=fedora
+baseurl=http://kojipkgs.fedoraproject.org/mash/branched/i386/os
+
+[buildroot]
+name=buildroot
+baseurl=http://kojipkgs.fedoraproject.org/repos/f19-build/latest/i386/
+"""
diff --git a/files/kojibuilder/builders/fedora-devel-pungi-x86_64.cfg b/files/kojibuilder/builders/fedora-devel-pungi-x86_64.cfg
new file mode 100644
index 0000000000..090caea77b
--- /dev/null
+++ b/files/kojibuilder/builders/fedora-devel-pungi-x86_64.cfg
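Review bot: The embedded yum.conf in fedora-devel-pungi-i386.cfg sets `gpgcheck=0` and both `baseurl` values are `http://`, so packages installed into this chroot are neither signature-checked nor protected in transit; the chroot also gets the host's /dev and /dev/pts bind-mounted with `internal_dev_setup` set to False. If unsigned content in `[buildroot]` is what makes a global `gpgcheck=1` impractical, the option can still be set per repository on `[fedora]` (assuming that tree is signed), and a comment such as `# gpgcheck off: buildroot repo content is unsigned` would make the exception explicit. `config_opts['dist'] = 'fc9'` also looks stale next to the f19-build repo and is worth confirming. fedora-devel-pungi-x86_64.cfg repeats all of these settings.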
@@ -0,0 +1,34 @@
+config_opts['root'] = 'fedora-development-pungi-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc9'
+config_opts['plugin_conf']['root_cache_enable'] = False
+config_opts['internal_dev_setup'] = False
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/dev', '/dev' ))
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/dev/pts', '/dev/pts' ))
+
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
+# .i?86 packages except these.
+exclude=[!g]*.i*86 g[!l]*.i?86 gl[!i]*.i?86 gli[!b]*.i?86 glib[!c]*.i?86
+
+# repos
+
+[fedora]
+name=fedora
+baseurl=http://kojipkgs.fedoraproject.org/mash/branched/x86_64/os
+
+[buildroot]
+name=buildroot
+baseurl=http://kojipkgs.fedoraproject.org/repos/f19-build/latest/x86_64/
+"""
diff --git a/files/kojibuilder/ftbfs_auth_keys b/files/kojibuilder/ftbfs_auth_keys
new file mode 100644
index 0000000000..bb560a48ef
--- /dev/null
+++ b/files/kojibuilder/ftbfs_auth_keys
@@ -0,0 +1,13 @@ +#skvidal +from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjlnCEiFMrKpkiIBjs5IW1+RXDald3aKvTszj0hUw9Gl6w3vt3RAiqTD/XRKcNdP0+pVIK/I4KexKfZzemNZ8UYmZ+a9EK+Gj7OQbJv7TQDeR0zyJ8ZgFXaWoN+CnWXLO2mp9poysUR6CILjaDJt4GDxJaD+bebRu+zxUQSlgrjObhIUTSfwsEJu++zK+fy4+xSEMG7SANEJHd+zOAw6+isLnnbp8qY2fs3reKpc8XPkyJscLU4BQV2cGXwlPUhzPVv/itUUV/uWHeAqoz2i5XG4C0/BXk6D85qkGIyE08Nl3COxn6giivrdTIH6W4dUtBdYgTMZ3RgMHL9ClLpS17 skvidal@opus +#dgilmore +from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa 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 Dennis Gilmore +#kfenzi +from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJH1lA7WHRCbaFtvzbw0HxHYJstZjuXhax1+eL+SUJ5fFRGosEc4fLrSCP0gSFDfXmNzuspoBgcQTqnNO8FdIUwkJLDEu0vTQls1aT9YUXb+RVwKB7ULA3b1dqFkmOgLEjTJL9AplK4OJ9Su0kq6QBV4mXCxMsgEML/gn6r8muZmu2L/LdzUnxKKggyq7O5q1K/eW5Yy21fpvbHt2UPQX1f6gt4ty7E9Nnuhi7SHCI7fNIa+kHyIesfTm/SzeK/PY9rDwZKjuyS8o22GJXGEScJomK1cjMESH/J+t8Hffaj88BjGHNczvcnXAjq6y73VJQ9DiGLD4zmFquQMxDu0Tf kevin@jelerak.scrye.com +#smooge +from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa 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 ssmoogen@ponyo.int.smoogespace.com +#codeblock +from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAACAEAstHxky7hl1inyHBy+q/9M+Aen2HSfy8IoW+sAO6HSuHEUT7qWB8AlSNjHhahjXx7sy/BUkUed+NB/177rjlThokZDJ0yoM9KKymp26ETGaamBSkWBxZatTj96BWfD0P2K9jc/9vxtgKBq3VK9UaOt6VtJ9q6mKY3DdWLZn+K6iGQAKMCAgd8cCMgD6epBB5/litz7WhYv+aYTyjZGUGbBojQUiWgXDv9lR7p0w+VP7pnZEeb3//k4pZhsPrKFwwRVRLxBvWgVKNvA6nMXmsdikHCLLj8YAevhEY1xAba+iCKOpTqT7Bu+1Fnb9St8u5iDod21gRmN7MGGWYsO+Iu2MNAW9sw2nsA/sdNR0HEEgBqJLhERjGv399fWKyiZaF90n59lg8Pb6EzE6wHRs6rSB+9uKApBzPk99BEHLvC6mhn6RjrOC+TWSTcmXojAwQYCadqIdgWUaBsxaugKEXBFcmRuDWtpDfsqmM1kjeGU6MiaMlqPW0KjsMaVVChLO5ZvB/T7qW4wr5ZjLri475MuHocCMP0ECSUk7I3YW2h8RU6FEFmTpuULFRQo01iPreY5XJ7l0+xy2eggAWo+X2h3nGjXhCPOelBg+LYe0WOmPgB5oc1m5HZtFTcFzYbhAE+xQKlbwNeYT8HmNmEMhPjVoNyOOV7NAap+ueS2u/7li5D59O5Iy8aa5n/WiuYfkqH4pG796nFyLr5L/LVudzyaYFb/Gk8C1j/NAWYw53D/9aOA277HHe5t0/daJhbo98u0asF5mvPld3swPuPqkEZzgUfmNgH5CkvcQcMzaOvj6qr6xNmQfgsHroCShb46kplQ2uSf1pMAqsjN7jGhk6l+Bu6hKHnJKhZJVLiuAZtgYvkCB1ahaO3wRVozA1VKCAlqHOqoCq4YLIobUL95H08Kwcz7vIRIadX1TkOoLb2EwPkE/xrhDp4BySh+j6YNklSBkiRHvJMBNnRIj8NTRjYyj2o1Om7kJ770lEdryg2og8QBaFWCmFkwzg1QVrBOuu0dN7kt2l7VI7Ib4lavKSVTrqUdxdSbthUlu/b4Qif+pbyEtUFgykRsHVs+5Ofg7FZpsgCJ8rLFjzeVF/hAYX7t3XaIPLu+DL8kzamb/CRy1b7+iAw9nJbd7ED2SGyU6+c2coMPG23y6+YxgEmNG/rkCLCypkEEDOZe4DuMerZQ/RxMo06+glC6HC/3VN2dHlVLtEEV33B04/6Z0plAhqtjG7PVs08f8a5msV/VYn5ifa4z0oIXX1r5CIg3Ejp1JguLhBHpWa7YbS2Mwu6GAbD+hQfCYrsUkFonoOLu5czpITLo7ceJFTQmAt7OxZEoZBfmtYfzADQsQVYQb6J4QwvM3iKJOn30dgtYnJOVlDZEn+0fivedxoBAt9jHJ8lVp2ov/dOFnimi5V+2QIMB0fKTkChsk10zsDZ/KUk6zfijjEju0WfjRHCd357KswNv3aXHazfRIw77S2UOenD+xmUDZ6WgnxservUSDNDz7NldLf/gdPOMO4uSwKZixzsoCNioeLEmQv4gomNK7DyZBLMHLlWlbliqP+QWuIJO1rfoH2vaxzzA7l5tJW1gfnxm87RrrwIf9v5kpdJM6gQZxqmBCRsKQd5VkrEJ/xaFfkv080pWNV0drWTZW8fAAgfUNYB260Hyk3rHsjQlVtQxGJ1aAcgjMi3eGKQMwptbUMYHqct75czX6xp6zgXPiC/glX6AtuiZQ5bOI07imil20ien/ks/dnel8L+dmYDasL9m0B2jZ3lbl3eR1Dy7UhqGyERx//vYQapEBuwFcqQ9UdIWCGGG2Pte1I39BSehUUGSCOOD38a/GCu0l7OWZKdwq80MK/Ixgz4neiZQZ7MD2wPy6vk6Num18PZPN7OynMrI2UG5MViQ0GAhRgxwbUCvc7uKnGRqZo9q2mCabCxLbv+hJ4bppxpHHJxMDDXilTKMfZb0YRbvjBU
i7LFKLN3MBMK2U1jHE+PjBgweqF8Jtuw04CQMxK3unajZOVkYAIq8IdMbw0oBVP4++eGB9z0x1eH+IsqL6IgknbbyoMgQqW9/8atm8HW2QYCX47oPd4FHs8rgJZk3bz8MwN3tp8WCRtYnJuwkWGWSq77ans0Ycl/tUfSSwUjnSvMsJnuSbxvdX0XbP5eRWikk0pJz5lM9sjYFOPHrQ44/U254yBa0N6UhyNTQnMGzRvY+fADE49b10hXZwCCrxpY9KvGr1XNJMnMcUke+4p9RS5LUwcZ8A6v7oWtZaZwnuBzvKk+HAn2gevD7Stjto+TnRCx1qcbx8iOhAEC6nvbLl+U313TmawrO/usrI5w3EFKP/4BnlKJDtNBeklJ0MpU3R1fmisqfegjuBW2bbaxq8Uo6m7uqPsYuAl7E6rOyZHLbtA8szvbQ46MSqAHezqxHJajWn2oZXMtbddgO5vlkxbRp3SSVKaPOeIj3XOGl78Owp4gFNRE0RY2EuUvrwUhXZR4wx1VHYjS6o9HAwOx3dH+pf1OiblUEanLQ9HLuOBkLhP8wn1M2slsSw+A1gyuI0ayjRujYFXdw6Mqp6XKTdU8vNue2c3d0I+TMifBypP0oJtxXmEoPp/VsU9yLKA2FF7Xvv/Xq1gtZcuZWAbSwMok/ENY1xeIFyjV+0yBidmax3jaf9yus/XEpyeBS3iIz63ymU10Kb2vrWjubg/sa2yd+q0y96dLdDRbnbwGwMmg6mXvTlVXf8c= ricky@padlock01.home.elrod.me +#ftbfs +from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmareXr00ufdupdcu71ma3vZdFSyBDHOKyHOZarWp77Zf4eUU7GgXBQSgf6lxvz+KvgItW3p71C0VwpAB9O3y+CalxiO4vwLHLDeo2kNipS8UBDeCipI0NUydLVuAyV/Z73Xi5O28xBtTOjQcUQqrG86sHDhQqZbxMHN+V3VnrKNj0i0Ik9beiaeuYbttXF6qqoNA04piywYQAlHo+CX9t27mx+2HD59P5wCToUpU+MiITKthGGWYU0QZg6i7h3t9vJJvzmVNTLAQXvXRIqmhvdSamT7pNggbQIZD0dA1nJoBaOSAOej8q+3qsaZdzE1tyJTADF02rlXSXqsNVrYJQQ== skvidal@lockbox01.phx2.fedoraproject.org + diff --git a/files/kojibuilder/history_off.sh b/files/kojibuilder/history_off.sh new file mode 100644 index 0000000000..be7ee75a3e --- /dev/null +++ b/files/kojibuilder/history_off.sh @@ -0,0 +1,2 @@ +unset HISTFILE +set HISTSIZE=0 diff --git a/files/kojibuilder/idmapd.conf b/files/kojibuilder/idmapd.conf new file mode 100644 index 0000000000..b430778607 --- /dev/null +++ b/files/kojibuilder/idmapd.conf 
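Review bot: `set HISTSIZE=0` in history_off.sh does not change HISTSIZE in a POSIX shell or bash; `set` with an argument replaces the positional parameters, so the line sets `$1` to the string `HISTSIZE=0` in whichever shell sources this file. The assignment should be written `HISTSIZE=0` (the `set NAME=value` form is csh syntax and does not apply to a .sh file). It would also help to add a comment saying why history is disabled on builders, since turning it off removes a record that is useful when reconstructing what was run on a host.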
@@ -0,0 +1,114 @@ +[General] +#Verbosity = 0 +# The following should be set to the local NFSv4 domain name +# The default is the host's DNS domain name. +Domain = fedoraproject.org + +# The following is a comma-separated list of Kerberos realm +# names that should be considered to be equivalent to the +# local realm, such that @REALM.A can be assumed to +# be the same user as @REALM.B +# If not specified, the default local realm is the domain name, +# which defaults to the host's DNS domain name, +# translated to upper-case. +# Note that if this value is specified, the local realm name +# must be included in the list! +#Local-Realms = + +[Mapping] + +#Nobody-User = nobody +#Nobody-Group = nobody + +[Translation] + +# Translation Method is an comma-separated, ordered list of +# translation methods that can be used. Distributed methods +# include "nsswitch", "umich_ldap", and "static". Each method +# is a dynamically loadable plugin library. +# New methods may be defined and inserted in the list. +# The default is "nsswitch". +Method = nsswitch + +# Optional. This is a comma-separated, ordered list of +# translation methods to be used for translating GSS +# authenticated names to ids. +# If this option is omitted, the same methods as those +# specified in "Method" are used. +#GSS-Methods = + +#-------------------------------------------------------------------# +# The following are used only for the "static" Translation Method. +#-------------------------------------------------------------------# +[Static] + +# A "static" list of GSS-Authenticated names to +# local user name mappings + +#someuser@REALM = localuser + + +#-------------------------------------------------------------------# +# The following are used only for the "umich_ldap" Translation Method. 
+#-------------------------------------------------------------------# + +[UMICH_SCHEMA] + +# server information (REQUIRED) +LDAP_server = ldap-server.local.domain.edu + +# the default search base (REQUIRED) +LDAP_base = dc=local,dc=domain,dc=edu + +#-----------------------------------------------------------# +# The remaining options have defaults (as shown) +# and are therefore not required. +#-----------------------------------------------------------# + +# whether or not to perform canonicalization on the +# name given as LDAP_server +#LDAP_canonicalize_name = true + +# absolute search base for (people) accounts +#LDAP_people_base = + +# absolute search base for groups +#LDAP_group_base = + +# Set to true to enable SSL - anything else is not enabled +#LDAP_use_ssl = false + +# You must specify a CA certificate location if you enable SSL +#LDAP_ca_cert = /etc/ldapca.cert + +# Objectclass mapping information + +# Mapping for the person (account) object class +#NFSv4_person_objectclass = NFSv4RemotePerson + +# Mapping for the nfsv4name attribute the person object +#NFSv4_name_attr = NFSv4Name + +# Mapping for the UID number +#NFSv4_uid_attr = UIDNumber + +# Mapping for the GSSAPI Principal name +#GSS_principal_attr = GSSAuthName + +# Mapping for the account name attribute (usually uid) +# The value for this attribute must match the value of +# the group member attribute - NFSv4_member_attr +#NFSv4_acctname_attr = uid + +# Mapping for the group object class +#NFSv4_group_objectclass = NFSv4RemoteGroup + +# Mapping for the GID attribute +#NFSv4_gid_attr = GIDNumber + +# Mapping for the Group NFSv4 name +#NFSv4_group_attr = NFSv4Name + +# Mapping for the Group member attribute (usually memberUID) +# The value of this attribute must match the value of NFSv4_acctname_attr +#NFSv4_member_attr = memberUID diff --git a/files/kojibuilder/koji.conf b/files/kojibuilder/koji.conf new file mode 100644 index 0000000000..6a152035ce --- /dev/null +++ b/files/kojibuilder/koji.conf 
@@ -0,0 +1,23 @@
+[koji]
+
+;configuration for koji cli tool
+
+;url of XMLRPC server
+server = http://koji.fedoraproject.org/kojihub
+
+;url of web interface
+weburl = http://koji.fedoraproject.org/koji
+
+;path to the koji top directory
+;topdir = /mnt/koji
+
+;configuration for SSL athentication
+
+;client certificate
+;cert = ~/.koji/client.crt
+
+;certificate of the CA that issued the client certificate
+;ca = ~/.koji/clientca.crt
+
+;certificate of the CA that issued the HTTP server certificate
+;serverca = ~/.koji/serverca.crt
diff --git a/files/kojibuilder/kojid.conf b/files/kojibuilder/kojid.conf
new file mode 100644
index 0000000000..4719bfffa1
--- /dev/null
+++ b/files/kojibuilder/kojid.conf
@@ -0,0 +1,59 @@
+[kojid]
+; The number of seconds to sleep between tasks
+; sleeptime=15
+
+; The maximum number of jobs that kojid will handle at a time
+; maxjobs=10
+
+; The minimum amount of free space (in MBs) required for each build root
+; minspace=8192
+
+; The directory root where work data can be found from the koji hub
+; topdir=/mnt/koji
+
+;url of package download site
+topurl = http://kojipkgs.fedoraproject.org/
+
+; The directory root for temporary storage
+; workdir=/tmp/koji
+
+; The directory root for mock
+; mockdir=/var/lib/mock
+
+; The user to run as when doing builds
+; mockuser=kojibuilder
+
+; The vendor to use in rpm headers
+vendor=Fedora Project
+
+; The packager to use in rpm headers
+packager=Fedora Project
+
+; the distribution to use in rpm headers
+distribution=Fedora Project
+
+; The _host string to use in mock
+mockhost=redhat-linux-gnu
+
+; The URL for the xmlrpc server
+server=http://koji.fedoraproject.org/kojihub
+
+; A space-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
+allowed_scms=pkgs.fedoraproject.org:/*:false:fedpkg,sources git.fedorahosted.org:/git/spin-kickstarts.git:false
+
+; The mail host to use for sending email notifications
+smtphost=bastion.phx2.fedoraproject.org
+
+; The From address used when sending email notifications
+from_addr=Fedora Koji Build System
+
+;configuration for SSL athentication
+
+;client certificate - puppet generated
+cert = /etc/kojid/kojibuilder.pem
+
+;certificate of the CA that issued the client certificate
+ca = /etc/kojid/cacert.pem
+
+;certificate of the CA that issued the HTTP server certificate
+serverca = /etc/kojid/cacert.pem
diff --git a/files/kojibuilder/limits.conf b/files/kojibuilder/limits.conf
new file mode 100644
index 0000000000..0950791467
--- /dev/null
+++ b/files/kojibuilder/limits.conf
@@ -0,0 +1,53 @@ +# /etc/security/limits.conf +# +#Each line describes a limit for a user in the form: +# +# +# +#Where: +# can be: +# - an user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# +# can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +# can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open files +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit +# - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# - sigpending - max number of pending signals +# - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to +# - rtprio - max realtime priority +# +# +# + +* - nofile 4096 + +#* soft core 0 +#* hard rss 10000 +#@student hard nproc 20 +#@faculty soft nproc 20 +#@faculty hard nproc 50 +#ftp hard nproc 0 +#@student - maxlogins 4 + +# End of file + diff --git a/files/kojibuilder/mock_auth_keys b/files/kojibuilder/mock_auth_keys new file mode 100644 index 0000000000..63fc360115 --- /dev/null +++ b/files/kojibuilder/mock_auth_keys @@ -0,0 +1 @@ +from="10.5.125.64,10.5.125.66,10.5.125.67,10.5.125.68" ssh-rsa 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 masher@releng2.fedora.phx.redhat.com diff --git a/files/kojibuilder/releng.repo b/files/kojibuilder/releng.repo new file mode 100644 index 0000000000..f4cc5bb4bb --- /dev/null +++ b/files/kojibuilder/releng.repo 
@@ -0,0 +1,6 @@
+[releng]
+name=Rel-Eng Packages from Fedora Infrastructure $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/releng/$releasever/$basearch/
+enabled=1
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
diff --git a/files/kojibuilder/root_auth_keys b/files/kojibuilder/root_auth_keys
new file mode 100644
index 0000000000..a3a005ac0f
--- /dev/null
+++ b/files/kojibuilder/root_auth_keys
@@ -0,0 +1,2 @@
+#ansible key
+from="10.5.126.23,10.5.126.12,10.5.126.11,209.132.181.6,192.168.1.58,152.19.134.140,192.168.1.42" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org
diff --git a/files/kojibuilder/route-eth1 b/files/kojibuilder/route-eth1
new file mode 100644
index 0000000000..ee53d2ae2f
--- /dev/null
+++ b/files/kojibuilder/route-eth1
@@ -0,0 +1 @@
+10.5.88.0/24 dev eth1
diff --git a/playbooks/koji/config_builder.yml b/playbooks/koji/config_builder.yml
new file mode 100644
index 0000000000..a72c58ff35
--- /dev/null
+++ b/playbooks/koji/config_builder.yml
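Review bot: In releng.repo, `gpgcheck=1` is undermined by `gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE`, because the key that anchors the signature check is itself fetched without transport integrity. Whoever can alter that response can also alter the packages behind the http `baseurl`, so the check then verifies nothing. Ship the key to the builders from this repository and reference it with a `file://` URL. If the host serves https, `gpgkey=https://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE` is the alternative. builder-infrastructure.repo is added by the same commit but is not visible here and is worth checking for the same pattern.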
@@ -0,0 +1,201 @@
+- hosts:
+ - builders
+ user: root
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - ${private}/vars.yml
+ - ${vars}/${ansible_distribution}.yml
+
+
+ tasks:
+ - name: enforce certain packages previously assumed from kickstarts
+ action: yum name=$item state=installed
+ with_items:
+ - postfix
+ - joe
+ - perl
+
+ - name: set root passwd
+ action: user name=root password=$rootpw state=present
+
+ - name: add mock user as 425
+ action: user name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes
+
+ - name: make mock homedir perms
+ action: file state=directory path=/var/lib/mock mode=2775 owner=root group=mock
+
+ - name: add mock ssh dir
+ action: file state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock
+
+ - name: add mock ssh keys
+ action: copy src=$files/kojibuilder/mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock
+
+ - name: add kojibuilder
+ action: user name=kojibuilder groups=mock
+
+ - name: add mockbuilder
+ action: user name=mockbuilder groups=mock
+
+ - name: mockbuilder .ssh dir
+ action: file state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder
+
+ - name: mockbuilder ssh key
+ action: copy src=$files/kojibuilder/ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder
+
+ - name: iptables
+ action: copy src=$files/iptables/kojibuilder dest=/etc/sysconfig/iptables mode=600
+ notify:
+ - restart iptables
+
+ - name: sshd_config
+ action: copy src=$files/ssh/sshd_config.kojibuilder dest=/etc/ssh/sshd_config mode=600
+ notify:
+ - restart sshd
+
+ - name: /etc/resolv.conf
+ action: copy src=$files/resolv.conf/kojibuilder dest=/etc/resolv.conf
+
+ - name: add to hosts
+ action: copy src=$files/hosts/kojibuilder-hosts dest=/etc/hosts
+
+ - name: rsyslog.conf
+ action: copy src=$files/rsyslog.conf.kojibuilder dest=/etc/rsyslog.conf mode=644
+ notify:
+ - restart rsyslogd
+
+ - name: /etc/postfix/main.cf
+ action: copy src=$files/postfix/main.cf.kojibuilder dest=/etc/postfix/main.cf
+ notify:
+ - restart postfix
+
+ - name: make a bunch of dirs
+ action: file state=directory path=$item
+ with_items:
+ - /pub
+ - /mnt/koji
+ - /pub/fedora
+ - /pub/epel
+ - /var/spool/rsyslog
+
+ - name: add builder infra yum repo
+ action: copy src=$files/kojibuilder/builder-infrastructure.repo dest=/etc/yum.repos.d/builder-infrastructure.repo
+
+ - name: clean up packages we do not need
+ action: yum state=removed pkg=$item
+ with_items:
+ - audit
+ - 'cronie\*'
+
+ - name: add pkgs
+ action: yum state=installed pkg=$item
+ with_items:
+ - yum-utils
+ - koji-builder
+ - strace
+ - mock
+ - nfs-utils
+ - kernel-firmware
+ - ntp
+ - ntpdate
+
+ - name: update latest
+ action: command /usr/bin/yum -y update
+
+ - name: /etc/kojid/kojid.conf
+ action: copy src=$files/kojibuilder/kojid.conf dest=/etc/kojid/kojid.conf
+ only_if: "not '${ansible_fqdn}'.startswith(('arm01','arm03','arm04')"
+ notify:
+ - restart kojid
+
+
+ - name: arm /etc/kojid/kojid.conf
+ action: copy src=$files/kojibuilder/arm-kojid.conf dest=/etc/kojid/kojid.conf
+ only_if: "'${ansible_fqdn}'.startswith(('arm01','arm03','arm04')"
+ notify:
+ - restart kojid
+
+ - name: /etc/koji/koji.conf
+ action: copy src=$files/kojibuilder/koji.conf dest=/etc/koji.conf
+ only_if: "not '${ansible_fqdn}'.startswith(('arm01','arm03','arm04')"
+
+ - name: /etc/koji/koji.conf
+ action: copy src=$files/kojibuilder/arm-koji.conf dest=/etc/koji.conf
+ only_if: "'${ansible_fqdn}'.startswith(('arm01','arm03','arm04')"
+
+ - name: copy over koji ca cert
+ action: copy src=$private/files/koji/buildercerts/fedora-ca.cert dest=/etc/kojid/cacert.pem
+
+ - name: copy over /etc/security/limits.conf
+ action: copy src=$files/kojibuilder/limits.conf dest=/etc/security/limits.conf
+
+ - name: copy over builder cert to /etc/kojid/kojibuilder.pem
+ action: copy src=$private/files/koji/buildercerts/${ansible_fqdn}.pem dest=/etc/kojid/kojibuilder.pem mode=600
+ ignore_errors: true
+
+ - name: chkconfig kojid on
+ action: service name=kojid enabled=on
+
+ - name: copy over authorized keys for root
+ action: copy src=$files/kojibuilder/root_auth_keys dest=/root/.ssh/authorized_keys mode=644
+
+ - name: nfs mount points
+ action: mount name=/mnt/koji src=nfs01.phx2.fedoraproject.org:/ fstype=nfs4 opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=present
+ only_if: "not '${ansible_fqdn}'.startswith('bkernel')"
+
+ # mock configs for pungify job
+ - name: put extra special mock configs in
+ action: copy src=$files/kojibuilder/builders/$item dest=/etc/mock/$item mode=644
+ with_items:
+ - fedora-devel-pungi-i386.cfg
+ - fedora-devel-pungi-x86_64.cfg
+
+ - name: ntp steptickers
+ action: copy src=$files/common/step-tickers dest=/etc/ntp/step-tickers
+
+ - name: ntp.conf
+ action: copy src=$files/common/ntp.conf dest=/etc/ntp.conf
+
+ - name: enable ntpd
+ action: service name=ntpd enabled=true state=started
+
+
+ handlers:
+ - include: $handlers/restart_services.yml
+
+ - name: restart kojid
+ action: service name=kojid state=restarted
+
+- hosts:
+ - bkernel*
+ - buildvm-*
+ - buildhw*
+ user: root
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - ${private}/vars.yml
+ - ${vars}/${ansible_distribution}.yml
+
+
+ tasks:
+ - name: set kernel params for loopback partitioning
+ action: command /sbin/grubby --update-kernel=ALL --args=loop.max_part=256
+
+ - name: set kernel params for more loops
+ action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64
+
+ - name: special pkgs for the x86_64 builders
+ action: yum state=installed pkg=$item
+ with_items:
+ - kmod-hfsplus
+
+- hosts:
+ - bkernel*
+ user: root
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - ${private}/vars.yml
+ - ${vars}/${ansible_distribution}.yml
+
+ tasks:
+ - include: $tasks/bkernel-setup.yml
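Review bot: The four `only_if` conditions that select between the arm and non-arm kojid.conf and koji.conf are missing a closing parenthesis: `startswith(('arm01','arm03','arm04')` opens two and closes one, so the expression presumably fails to parse when evaluated. Each should end `.startswith(('arm01','arm03','arm04'))"`, otherwise which hub configuration a builder receives is not dependable. The builder certificate copy carries `ignore_errors: true`, so a host with no certificate in the private tree still has kojid enabled by the next task; removing that line would surface a missing credential at deploy time. root's authorized_keys is installed with `mode=644`, where `mode=600` is the tighter choice. The `audit` package is removed with no comment recording why builders run without it.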
diff --git a/playbooks/koji/make_builder.yml b/playbooks/koji/make_builder.yml index ccf0185fb1..8c6c72e0d6 100644 --- a/playbooks/koji/make_builder.yml +++ b/playbooks/koji/make_builder.yml @@ -51,6 +51,7 @@ # include postinstall playbook -# - include: $playbooks/koji/build_postinstall.yml +- include: $playbooks/koji/config_builder.yml + diff --git a/tasks/bkernel-setup.yml b/tasks/bkernel-setup.yml new file mode 100644 index 0000000000..29ce0e7681 --- /dev/null +++ b/tasks/bkernel-setup.yml 
@@ -0,0 +1,38 @@
+---
+- name: add pkgs for bkernel boxes
+ action: yum state=latest pkg=$item enablerepo=epel-test
+ with_items:
+ - pesign
+ - ccid
+ - pcsc-lite
+ - pcsc-lite-libs
+ - opensc
+ - nss-tools
+
+- name: enable pcscd
+ action: service name=pcscd state=running enabled=1
+
+- name: setup opensc in pcscd
+ action: shell modutil -dbdir /etc/pki/pesign -list | grep -q Fedora || modutil -force -dbdir /etc/pki/pesign -add opensc -libfile /usr/lib64/pkcs11/opensc-pkcs11.so
+
+- name: /var/run/pesign perms
+ action: file state=directory path=/var/run/pesign owner=pesign group=pesign mode=0770
+
+- name: enable pesign
+ action: service name=pesign state=started enabled=true
+
+- name: when you awake you will remember nothing
+ action: copy src=$files/kojibuilder/history_off.sh dest=/etc/profile.d/history_off.sh mode=0644
+
+- name: mock site-defaults.cfg
+ action: copy src=$files/kojibuilder/builders/bkernel-site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
+
+- name: put hw reinstall onto bkernel boxes since they are raw hw
+ action: copy src=$files/common-scriptshardware-reinstall dest=/usr/local/bin/hardware-reinstall mode=0750 owner=root group=root
+
+- name: no nfs mounts on bkernel boxes
+ action: mount name=/mnt/koji src=nfs01.phx2.fedoraproject.org:/ fstype=nfs4 state=absent
+
+- name: make sure our bkernel boxes have static ip
+ action: template src=$files/kojibuilder/builders/bkernel-eth0-network dest=/etc/sysconfig/network-scripts/ifcfg-eth0
+
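Review bot: The hardware-reinstall task uses `src=$files/common-scriptshardware-reinstall`, which is missing a path separator. The commit adds the script as files/common-scripts/hardware-reinstall, so the source should read `src=$files/common-scripts/hardware-reinstall`. The first task installs pesign, opensc and the smart-card packages with `state=latest enablerepo=epel-test`, so these hosts, which appear to be the signing boxes, follow whatever lands in a testing repository on every run. Install from the stable repository, or add a comment stating why the testing repo is needed and when it can be dropped.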