diff --git a/files/common/fedora-updates-testing.repo b/files/common/fedora-updates-testing.repo index 5b195dc6a7..c6e1f2cf88 100644 --- a/files/common/fedora-updates-testing.repo +++ b/files/common/fedora-updates-testing.repo @@ -1,7 +1,7 @@ [updates-testing] name=Fedora $releasever - $basearch - Test Updates failovermethod=priority -baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/ +baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/ #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch enabled=0 gpgcheck=1 diff --git a/files/common/fedora-updates.repo b/files/common/fedora-updates.repo index ee6b7c8f4f..1f3959a1e3 100644 --- a/files/common/fedora-updates.repo +++ b/files/common/fedora-updates.repo @@ -1,7 +1,7 @@ [updates] name=Fedora $releasever - $basearch - Updates failovermethod=priority -baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/ +baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/ #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch enabled=1 gpgcheck=1 diff --git a/files/common/fedora.repo b/files/common/fedora.repo index 372580acdf..6c32df23d9 100644 --- a/files/common/fedora.repo +++ b/files/common/fedora.repo @@ -1,11 +1,11 @@ [fedora] name=Fedora $releasever - $basearch failovermethod=priority -baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/ +baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/ #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch enabled=1 metadata_expire=7d -gpgcheck=0 +gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch [fedora-debuginfo] 
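Review bot: Switching fedora.repo to `gpgcheck=1` makes every install depend on `/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch` being present before the first transaction, and nothing in this commit ships or imports that key, so confirm the base role (or fedora-release) places it. The two updates hunks above already have `gpgcheck=1` but no `gpgkey=` within the seven lines shown; if those files have none further down, dnf can only verify against keys already in the rpmdb, which is worth stating in the commit message. The `baseurl` move from http to https is applied consistently across all three files; a one-line comment above each `#metalink=` line, e.g. `# pinned to the infra mirror over TLS; metalink deliberately disabled`, would tell the next reader the commented metalink is intentional rather than forgotten.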
diff --git a/inventory/host_vars/buildvm-01.stg.phx2.fedoraproject.org b/inventory/host_vars/buildvm-01.stg.phx2.fedoraproject.org index a458007591..bb31af05bd 100644 --- a/inventory/host_vars/buildvm-01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/buildvm-01.stg.phx2.fedoraproject.org @@ -2,3 +2,8 @@ vmhost: virthost04.phx2.fedoraproject.org eth0_ip: 10.5.128.84 gw: 10.5.128.254 + +# Override these from the stg group because we need more mem/cpus to do compose channel stuff. +mem_size: 15360 +max_mem_size: "{{ mem_size }}" +num_cpus: 6 diff --git a/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org b/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org index bd2a2de4cd..13230dcee3 100644 --- a/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org +++ b/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org @@ -7,8 +7,8 @@ dns: 10.5.126.21 # libdir: /usr/lib64 -ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-25 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ virt_install_command: "{{ virt_install_command_two_nic }}" lvm_size: 30000 diff --git a/inventory/host_vars/compose-x86-02.phx2.fedoraproject.org b/inventory/host_vars/compose-x86-02.phx2.fedoraproject.org index ea60152f5e..a001d2c09a 100644 --- a/inventory/host_vars/compose-x86-02.phx2.fedoraproject.org +++ b/inventory/host_vars/compose-x86-02.phx2.fedoraproject.org @@ -7,8 +7,8 @@ dns: 10.5.126.21 # libdir: /usr/lib64 -ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ virt_install_command: "{{ virt_install_command_two_nic }}" lvm_size: 262144 
diff --git a/inventory/host_vars/db01.phx2.fedoraproject.org b/inventory/host_vars/db01.phx2.fedoraproject.org index 1213f16d75..b8342fc30f 100644 --- a/inventory/host_vars/db01.phx2.fedoraproject.org +++ b/inventory/host_vars/db01.phx2.fedoraproject.org @@ -4,7 +4,7 @@ gw: 10.5.126.254 dns: 10.5.126.21 volgroup: /dev/vg_guests eth0_ip: 10.5.126.71 -vmhost: virthost02.phx2.fedoraproject.org +vmhost: virthost06.phx2.fedoraproject.org datacenter: phx2 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 diff --git a/inventory/host_vars/freshmaker-backend01.phx2.fedoraproject.org b/inventory/host_vars/freshmaker-backend01.phx2.fedoraproject.org index a960a4d80c..fce33723d2 100644 --- a/inventory/host_vars/freshmaker-backend01.phx2.fedoraproject.org +++ b/inventory/host_vars/freshmaker-backend01.phx2.fedoraproject.org @@ -9,6 +9,6 @@ ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ eth0_ip: 10.5.126.130 volgroup: /dev/vg_guests -vmhost: virthost19.phx2.fedoraproject.org +vmhost: virthost21.phx2.fedoraproject.org datacenter: phx2 diff --git a/inventory/host_vars/pdc-web01.phx2.fedoraproject.org b/inventory/host_vars/pdc-web01.phx2.fedoraproject.org index 462a6d05aa..b084402229 100644 --- a/inventory/host_vars/pdc-web01.phx2.fedoraproject.org +++ b/inventory/host_vars/pdc-web01.phx2.fedoraproject.org @@ -3,8 +3,8 @@ nm: 255.255.255.0 gw: 10.5.126.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/ eth0_ip: 10.5.126.131 diff --git a/inventory/host_vars/proxy06.fedoraproject.org b/inventory/host_vars/proxy06.fedoraproject.org index ca26c6cab7..b1bfff95d6 100644 --- a/inventory/host_vars/proxy06.fedoraproject.org +++ b/inventory/host_vars/proxy06.fedoraproject.org 
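Review bot: The new `ks_url`/`ks_repo` for pdc-web01 fetch the kickstart and the RHEL7 install tree over plain `http://infrastructure.fedoraproject.org/...`, while the fedora.repo hunks in this same commit move that host to https; the kickstart in particular is not covered by any gpgcheck, so `ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7` and `ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/` would be better as https, assuming the installer image trusts that certificate chain. The sibling compose-x86 hosts in this commit keep pointing at `10.5.126.23`; if pdc-web01 deliberately installs via the public hostname instead, a short comment on the `ks_url` line saying why would prevent someone "fixing" it back.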
@@ -24,3 +24,4 @@ postfix_group: vpn nrpe_procs_warn: 1200 nrpe_procs_crit: 1400 vpn: true +num_cpus: 8 diff --git a/inventory/inventory b/inventory/inventory index 3d0b532ac3..01f4f93c13 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -46,17 +46,13 @@ certgetter01.phx2.fedoraproject.org faf01.stg.phx2.fedoraproject.org [freshmaker-frontend] -# not prod yet, until patrick finishes his audit. -# https://pagure.io/fedora-infrastructure/issue/6183 -#freshmaker-frontend01.phx2.fedoraproject.org +freshmaker-frontend01.phx2.fedoraproject.org [freshmaker-frontend-stg] freshmaker-frontend01.stg.phx2.fedoraproject.org [freshmaker-backend] -# not prod yet, until patrick finishes his audit. -# https://pagure.io/fedora-infrastructure/issue/6183 -#freshmaker-backend01.phx2.fedoraproject.org +freshmaker-backend01.phx2.fedoraproject.org [freshmaker-backend-stg] freshmaker-backend01.stg.phx2.fedoraproject.org @@ -66,10 +62,8 @@ freshmaker-frontend-stg freshmaker-backend-stg [freshmaker:children] -# not prod yet, until patrick finishes his audit. -# https://pagure.io/fedora-infrastructure/issue/6183 -#freshmaker-frontend -#freshmaker-backend +freshmaker-frontend +freshmaker-backend [ask] ask01.phx2.fedoraproject.org @@ -495,14 +489,6 @@ memcached02.phx2.fedoraproject.org [memcached-stg] memcached01.stg.phx2.fedoraproject.org -[mirrorlist2] -mirrorlist-host1plus.fedoraproject.org -mirrorlist-ibiblio02.fedoraproject.org -mirrorlist-phx2.phx2.fedoraproject.org - -[mirrorlist2-stg] -mirrorlist-phx2.stg.phx2.fedoraproject.org - [mirrorlist-proxies] proxy01.phx2.fedoraproject.org proxy02.fedoraproject.org @@ -817,7 +803,6 @@ tagger01.stg.phx2.fedoraproject.org taskotron-stg01.qa.fedoraproject.org value01.stg.phx2.fedoraproject.org wiki01.stg.phx2.fedoraproject.org -mirrorlist-phx2.stg.phx2.fedoraproject.org mm-frontend01.stg.phx2.fedoraproject.org mm-backend01.stg.phx2.fedoraproject.org mm-crawler01.stg.phx2.fedoraproject.org 
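Review bot: Moving `freshmaker-frontend01.phx2.fedoraproject.org` and `freshmaker-backend01.phx2.fedoraproject.org` into production also deletes the comments that tied the hold to https://pagure.io/fedora-infrastructure/issue/6183, so the inventory no longer records why the hosts were gated or that the gate was lifted; the `[freshmaker:children]` hunk below does the same. A single line such as `# enabled in prod after the audit in https://pagure.io/fedora-infrastructure/issue/6183` above each group keeps that history readable without git blame. The `[mirrorlist2]` and `[mirrorlist2-stg]` removals further down appear fully mirrored by the haproxy, nagios and mirrormanager template changes elsewhere in this commit, so no stale `groups['mirrorlist2']` lookups should remain.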
diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 454e1e42c6..8ebba585f2 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -548,6 +548,20 @@ src: "{{files}}/osbs/cleanup-old-osbs-builds" dest: "/etc/cron.d/cleanup-old-osbs-builds" +- name: post-install osbs control tasks + hosts: osbs-control + tags: osbs-post-install + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + tasks: + - name: enable nrpe for monitoring (noc01) + iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT + tags: + - iptables + - name: post-install osbs tasks hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes diff --git a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml index ab46342d19..6d1b6265ed 100644 --- a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml @@ -50,16 +50,15 @@ roles: - basessh - - certbot - role: hubs main_user: fedora - hubs_url_hostname: hubs-dev.fedorainfracloud.org + hubs_url_hostname: "{{ ansible_fqdn }}" hubs_secret_key: demotestinghubsmachine hubs_db_type: sqlite hubs_dev_mode: false - hubs_ssl_cert: /etc/letsencrypt/live/hubs-dev.fedorainfracloud.org/cert.pem - hubs_ssl_key: /etc/letsencrypt/live/hubs-dev.fedorainfracloud.org/privkey.pem + hubs_ssl_cert: /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem + hubs_ssl_key: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem tasks: diff --git a/playbooks/manual/upgrade/pdc.yml b/playbooks/manual/upgrade/pdc.yml index 1443d63a96..c40111b7b1 100644 --- a/playbooks/manual/upgrade/pdc.yml +++ b/playbooks/manual/upgrade/pdc.yml 
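Review bot: The new `iptables:` task on osbs-control inserts the nrpe rule into the live ruleset only; hosts in this repo otherwise get their rules from the per-host templates under `roles/base/templates/iptables/` (one is edited later in this commit), so unless something outside this play saves the table the rule disappears on reboot or on an iptables service restart. Either add `-A INPUT -s 10.5.126.41 -p tcp -m tcp --dport 5666 -j ACCEPT` to the host's base template or leave a comment on the task explaining why runtime insertion is sufficient here. The play also loads `/srv/private/ansible/files/openstack/passwords.yml`, which a single firewall task does not need; dropping that entry keeps secrets out of a play that has no use for them.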
@@ -42,10 +42,10 @@ pre_tasks: - name: clean all metadata - command: dnf clean all + command: yum clean all check_mode: no - - name: dnf update PDC packages - dnf: name="{{item}}" state=latest + - name: yum update PDC packages + yum: name="{{item}}" state=latest with_items: - python-pdc - python-productmd diff --git a/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org b/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org index 34f0500df0..b39fb0ffc5 100644 --- a/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org +++ b/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org @@ -46,6 +46,10 @@ -A OUTPUT --dst 10.5.126.51 -p tcp -m tcp --dport 443 -j ACCEPT -A OUTPUT --dst 10.5.126.52 -p tcp -m tcp --dport 443 -j ACCEPT +# Allow VPN access +-A OUTPUT --dst 10.5.126.11 -p udp -m udp --dport 1194 -j ACCEPT +-A OUTPUT --dst 10.5.126.12 -p udp -m udp --dport 1194 -j ACCEPT + # otherwise kick everything out -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited diff --git a/roles/batcave/files/allows b/roles/batcave/files/allows index d2efe1f0ea..735b0701ea 100644 --- a/roles/batcave/files/allows +++ b/roles/batcave/files/allows @@ -102,6 +102,9 @@ require ip 8.43.85.67 require ip 8.43.85.68 require ip 8.43.85.69 +# bodhost +require ip 174.141.234.172 + # # We put this at the end because it fails for hosts with no reverse dns diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index a507f2e668..762e3d9d71 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
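Review bot: The new allow entry `require ip 174.141.234.172` is annotated only with the site name `# bodhost`; single-address allowlist lines are exactly the ones that outlive their purpose, so the comment should name the host or service behind the address and the request that introduced it, e.g. `# bodhost: <host/service> needs <access>, see <ticket>` with the placeholders filled in. That makes the later question "can this line go?" answerable from the file alone.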
@@ -56,24 +56,8 @@ frontend mirror-lists-frontend backend mirror-lists-backend balance hdr(appserver) timeout connect 30s -{% if env == "staging" %} server mirrorlist-local1 localhost:18081 check inter 1s rise 2 fall 3 weight 100 server mirrorlist-local2 localhost:18082 check inter 1s rise 2 fall 3 weight 100 - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup -{% endif %} -{% if env == "production" %} -{% if 'mirrorlist-proxies' in group_names %} - server mirrorlist-local1 localhost:18081 check inter 1s rise 2 fall 3 weight 100 - server mirrorlist-local2 localhost:18082 check inter 1s rise 2 fall 3 weight 100 - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup - server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup - server mirrorlist-ibiblio02 mirrorlist-ibiblio02:80 check inter 5s rise 2 fall 3 backup -{% else %} - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 - server mirrorlist-ibiblio02 mirrorlist-ibiblio02:80 check inter 5s rise 2 fall 3 - server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup -{% endif %} -{% endif %} option httpchk GET /mirrorlist option allbackups diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager.conf index d2c6dea4e8..9e5341849f 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager.conf @@ -5,6 +5,9 @@ SetEnv proxy-nokeepalive 1 {% if env != "staging" %} +# Checkins are slowish, unfortunately this needs to be on the Server Config level +ProxyTimeout 180 + ProxyPass "/mirrormanager/xmlrpc" "http://mm-frontend-checkin01/mirrormanager/xmlrpc" ProxyPassReverse "/mirrormanager/xmlrpc" "http://mm-frontend-checkin01/mirrormanager/xmlrpc" {% endif %} 
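Review bot: After this hunk `mirror-lists-backend` has only the two local container servers and no `backup` server, so the `option allbackups` kept just below has nothing left to act on and reads as dead config; remove it or add `# no backup servers any more; kept for when one returns` if that is the intent. Removing the `{% if 'mirrorlist-proxies' in group_names %}` branch also means every host rendering this template now gets `localhost:18081`/`localhost:18082`; if any proxy outside the mirrorlist-proxies group still serves the frontend, its backend is entirely down and /mirrorlist answers 503, which presumably is not the case but is not visible from this file. The backend stanza continues past the end of the hunk.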
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager2.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager2.conf deleted file mode 100644 index c805e3de34..0000000000 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager2.conf +++ /dev/null @@ -1,13 +0,0 @@ - -RequestHeader set CP-Location {{remotepath}} -SetEnv force-proxy-request-1.0 1 -SetEnv proxy-nokeepalive 1 - - -{% if env != "staging" %} -ProxyPass "/mirrormanager/xmlrpc" "http://mm-frontend-checkin01/mirrormanager/xmlrpc" -ProxyPassReverse "/mirrormanager/xmlrpc" "http://mm-frontend-checkin01/mirrormanager/xmlrpc" -{% endif %} - -ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} -ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} diff --git a/roles/hubs/meta/main.yml b/roles/hubs/meta/main.yml new file mode 100644 index 0000000000..a5f89de108 --- /dev/null +++ b/roles/hubs/meta/main.yml @@ -0,0 +1,3 @@ +dependencies: + - certbot + - mongodb diff --git a/roles/hubs/tasks/main.yml b/roles/hubs/tasks/main.yml index 990aed7dd4..a06608abee 100644 --- a/roles/hubs/tasks/main.yml +++ b/roles/hubs/tasks/main.yml @@ -157,13 +157,27 @@ chdir: "{{ hubs_code_dir }}/hubs/static/client" - name: Build JavaScript assests - command: node_modules/.bin/webpack + command: npm run build become_user: "{{ main_user }}" args: chdir: "{{ hubs_code_dir }}/hubs/static/client" creates: "{{ hubs_code_dir }}/hubs/static/js/build/common.js" +- name: Fix permissions if necessary + file: + path: "{{ item }}" + state: directory + owner: "{{ main_user }}" + group: "{{ main_user }}" + recurse: yes + #setype: httpd_sys_content_rw_t + with_items: + - "{{ hubs_base_dir }}" + - "{{ hubs_conf_dir }}" + - "{{ hubs_var_dir }}" + + # Services - name: Disable the system-wide fedmsg-hub service: name=fedmsg-hub state=stopped enabled=no diff --git a/roles/hubs/tasks/webserver.yml b/roles/hubs/tasks/webserver.yml index 3359739aa5..3db6d340e4 100644 
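Review bot: The `Fix permissions if necessary` task recursively chowns `hubs_base_dir`, `hubs_conf_dir` and `hubs_var_dir` but sets no `mode`, and the leftover `#setype: httpd_sys_content_rw_t` is disabled without explanation; if `hubs_conf_dir` holds the rendered configuration carrying `hubs_secret_key` (the hubs-dev playbook passes one in plain text), it is worth confirming those files are not group- or world-readable after the chown, and the setype line should either go or carry a comment on why it is off. A name such as `Ensure hubs directories are owned by the app user` would also describe what the task actually does, which is ownership rather than permissions.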
--- a/roles/hubs/tasks/webserver.yml +++ b/roles/hubs/tasks/webserver.yml @@ -8,17 +8,6 @@ - libsemanage-python -- name: Generate SSL certificate and key - shell: - echo -e "--\nSomeState\nSomeCity\nSomeOrganization\nSomeOrganizationalUnit\nlocalhost.localdomain\nroot@localhost.localdomain" - | openssl req -utf8 -newkey rsa:2048 - -keyout /etc/pki/tls/private/localhost.key - -nodes -x509 -days 365 - -out /etc/pki/tls/certs/localhost.crt - args: - creates: /etc/pki/tls/certs/localhost.crt - - - name: Gunicorn logging configuration copy: src: logging.ini @@ -48,6 +37,17 @@ - restart nginx +- name: install python2-certbot-nginx + dnf: name=python2-certbot-nginx state=present + +- name: get the letencrypt cert + command: certbot certonly -n --nginx -d {{ ansible_fqdn }} --agree-tos --email admin@fedoraproject.org + args: + creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem + notify: + - restart nginx + + - name: Nginx proxy configuration copy: src: "{{ item }}" diff --git a/roles/hubs/templates/nginx_ssl_params b/roles/hubs/templates/nginx_ssl_params index c8ab38de24..9a411c4157 100644 --- a/roles/hubs/templates/nginx_ssl_params +++ b/roles/hubs/templates/nginx_ssl_params @@ -1,3 +1,5 @@ ssl on; ssl_certificate {{ hubs_ssl_cert }}; ssl_certificate_key {{ hubs_ssl_key }}; +include /etc/letsencrypt/options-ssl-nginx.conf; +ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; diff --git a/roles/mirrormanager/backend/templates/create_statistics.sh b/roles/mirrormanager/backend/templates/create_statistics.sh index 16ff660167..73200ef0e1 100644 --- a/roles/mirrormanager/backend/templates/create_statistics.sh +++ b/roles/mirrormanager/backend/templates/create_statistics.sh @@ -1,6 +1,5 @@ #!/bin/sh -MIRRORLIST_SERVERS="{% for host in groups['mirrorlist2'] %} {{ host }} {% endfor %}" MIRRORLIST_PROXIES="{% for host in groups['mirrorlist-proxies'] %} {{ host }} {% endfor %}" FRONTENDS="{% for host in groups['mm-frontend'] %} {{ host }} {% endfor %}" 
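Review bot: The `certbot certonly -n --nginx -d {{ ansible_fqdn }} ...` task issues a certificate once, guarded by `creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem`, but nothing in this hunk enables renewal, and Let's Encrypt certificates are short-lived; unless the `certbot` role now pulled in through `roles/hubs/meta/main.yml` enables the renew timer or cron, the site breaks on expiry. The `nginx_ssl_params` hunk below adds `include /etc/letsencrypt/options-ssl-nginx.conf;` and `ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`; in some certbot versions the nginx plugin writes those files only when it installs a certificate rather than on `certonly`, so confirm they exist on a fresh host before nginx is restarted, otherwise the notified restart fails on a missing include. Dropping the self-signed openssl step is fine given this, but the hard-coded `--email admin@fedoraproject.org` would read better as a role variable with that default.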
@@ -24,10 +23,6 @@ OUTPUT=`mktemp -d` trap "rm -f ${OUTPUT}/*; rmdir ${OUTPUT}" QUIT TERM INT HUP EXIT -# Fetch compressed log files -for s in ${MIRRORLIST_SERVERS}; do - ssh $s "( xzcat $INFILE | gzip -4 )" >> ${OUTPUT}/mirrorlist.log.gz -done for s in ${MIRRORLIST_PROXIES}; do ssh $s "( cat $CONTAINER1 | gzip -4 )" >> ${OUTPUT}/mirrorlist.log.gz ssh $s "( cat $CONTAINER2 | gzip -4 )" >> ${OUTPUT}/mirrorlist.log.gz diff --git a/roles/mirrormanager/backend/templates/sync_pkl_to_mirrorlists.sh b/roles/mirrormanager/backend/templates/sync_pkl_to_mirrorlists.sh index 9858bef7c7..dddd94fed9 100644 --- a/roles/mirrormanager/backend/templates/sync_pkl_to_mirrorlists.sh +++ b/roles/mirrormanager/backend/templates/sync_pkl_to_mirrorlists.sh @@ -1,12 +1,5 @@ #!/bin/bash -MIRRORLIST_SERVERS="{% for host in groups['mirrorlist2'] %} {{ host }} {% endfor %}" - -for s in ${MIRRORLIST_SERVERS}; do - rsync -az --delete-delay --delay-updates --delete /var/lib/mirrormanager/{*pkl,*txt} ${s}:/var/lib/mirrormanager/ - ssh $s 'kill -HUP $(cat /var/run/mirrormanager/mirrorlist_server.pid)' -done - # sync also to new mirrorlist containers on proxies MIRRORLIST_PROXY="{% for host in groups['mirrorlist-proxies'] %} {{ host }} {% endfor %}" diff --git a/roles/nagios_client/files/selinux/fi-nrpe.pp b/roles/nagios_client/files/selinux/fi-nrpe.pp index 1243b0e73e..0e71b44bab 100644 Binary files a/roles/nagios_client/files/selinux/fi-nrpe.pp and b/roles/nagios_client/files/selinux/fi-nrpe.pp differ diff --git a/roles/nagios_client/files/selinux/fi-nrpe.te b/roles/nagios_client/files/selinux/fi-nrpe.te index 91bcdcc972..b43802782a 100644 --- a/roles/nagios_client/files/selinux/fi-nrpe.te +++ b/roles/nagios_client/files/selinux/fi-nrpe.te 
@@ -1,11 +1,15 @@ -module fi-nrpe 1.0; +module fi-nrpe 1.1; require { type nagios_system_plugin_t; + type nagios_admin_plugin_t; type nrpe_exec_t; - class file getattr; + type bin_t; + class file { getattr map execute }; } #============= nagios_system_plugin_t ============== allow nagios_system_plugin_t nrpe_exec_t:file getattr; +# This is needed for e.g. check_file_age, which is a perl script +allow nagios_admin_plugin_t bin_t:file { map execute }; diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.pp b/roles/nagios_client/files/selinux/mirrormanager_container.pp new file mode 100644 index 0000000000..31b8435358 Binary files /dev/null and b/roles/nagios_client/files/selinux/mirrormanager_container.pp differ diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.te b/roles/nagios_client/files/selinux/mirrormanager_container.te new file mode 100644 index 0000000000..6180969c69 --- /dev/null +++ b/roles/nagios_client/files/selinux/mirrormanager_container.te @@ -0,0 +1,15 @@ +module mirrormanager_container 1.0; + +require { + type container_t; + type container_file_t; + type mirrormanager_log_t; + type nrpe_t; + class file { append getattr }; +} + +# Allow mirrorlist to append to its log +allow container_t mirrormanager_log_t:file append; +# Allow nrpe to check file age of mirrorlist pkl files +allow nrpe_t container_file_t:file getattr; + diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 0be1a09ef7..9699e09549 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml 
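Review bot: `allow nagios_admin_plugin_t bin_t:file { map execute };` grants execute and map on every `bin_t`-labelled binary on the host, not only the perl interpreter the comment cites; the reference policy interface `corecmd_exec_bin(nagios_admin_plugin_t)` expresses the same intent in the conventional way, and if the raw rule is kept the comment should state that the host-wide bin_t scope is deliberate. Whether perl actually runs under this domain without a further `execute_no_trans` grant is not visible here; check the audit log after a real check_file_age run. The bump to `module fi-nrpe 1.1;` matches the rebuilt `fi-nrpe.pp` in this commit, which is the right practice to keep.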
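Review bot: `allow container_t mirrormanager_log_t:file append;` applies to every container on the host, because `container_t` is the shared default container domain, not just the mirrorlist container; if the proxies run anything else under that domain this widens who may write the mirrormanager log. A dedicated domain for the mirrorlist container would scope the grant properly; failing that, the comment should say `# host-wide: any container_t process may append to this log` so the breadth is explicit. The `allow nrpe_t container_file_t:file getattr;` rule is likewise broad but read-only metadata, which is acceptable for a file-age check.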
@@ -94,10 +94,35 @@ - name: copy over our custom selinux module copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/fi-nrpe.pp register: selinux_module + tags: + - config + - nagios_client + - selinux - name: install our custom selinux module command: semodule -i /usr/share/nrpe/fi-nrpe.pp when: ansible_distribution_major_version|int == 7 and selinux_module|changed + tags: + - config + - nagios_client + - selinux + +- name: copy over our custom selinux module for mirrorlist + copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp + register: selinux_module_mirrorlist + when: "'proxy' in inventory_hostname" + tags: + - config + - nagios_client + - selinux + +- name: install our custom selinux module for mirrorlist + command: semodule -i /usr/share/nrpe/mirrormanager_container.pp + when: "'proxy' in inventory_hostname and selinux_module|changed" + tags: + - config + - nagios_client + - selinux # Set up our base config. @@ -147,6 +172,7 @@ - check_koschei_watcher_proc.cfg - check_testcloud.cfg - check_mirrorlist_docker_proxy.cfg + - check_mirrorlist_cache.cfg - check_celery_redis_queue.cfg - check_odcs_backend_proc.cfg notify: diff --git a/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2 b/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2 index 94c58be10f..f19eab9534 100644 --- a/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2 +++ b/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2 @@ -1 +1,2 @@ -command[check_mirrorlist_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c 129600 -f /var/lib/mirrormanager/mirrorlist_cache.pkl +command[check_mirrorlist1_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c 129600 -f /srv/mirrorlist/data/mirrorlist1/mirrorlist_cache.pkl +command[check_mirrorlist2_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c 129600 -f /srv/mirrorlist/data/mirrorlist2/mirrorlist_cache.pkl 
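Review bot: The new copy task ships the wrong module: `copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp` copies fi-nrpe.pp under the mirrormanager name, so the following `semodule -i /usr/share/nrpe/mirrormanager_container.pp` reinstalls the fi-nrpe module and the rules in `mirrormanager_container.te` never reach the proxies; it should read `copy: src=selinux/mirrormanager_container.pp dest=/usr/share/nrpe/mirrormanager_container.pp`. The install task also tests the wrong register, `selinux_module|changed`, which belongs to the fi-nrpe copy; the condition should be `when: "'proxy' in inventory_hostname and selinux_module_mirrorlist|changed"`. The original fi-nrpe install is gated on `ansible_distribution_major_version|int == 7` while the new one is not, which may be intended for the Fedora-based proxies but deserves a comment.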
diff --git a/roles/nagios_server/files/nagios/services/file_age.cfg b/roles/nagios_server/files/nagios/services/file_age.cfg index 5de18e7be7..c04ffa69f2 100644 --- a/roles/nagios_server/files/nagios/services/file_age.cfg +++ b/roles/nagios_server/files/nagios/services/file_age.cfg @@ -1,7 +1,16 @@ define service { - hostgroup_name mirrorlist2 - service_description Check MirrorList Cache - check_command check_by_nrpe!check_mirrorlist_cache + hostgroup_name proxies + service_description Check MirrorList 1 Cache + check_command check_by_nrpe!check_mirrorlist1_cache + use defaulttemplate + check_interval 120 + notification_interval 130 +} + +define service { + hostgroup_name proxies + service_description Check MirrorList 2 Cache + check_command check_by_nrpe!check_mirrorlist2_cache use defaulttemplate check_interval 120 notification_interval 130 diff --git a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 index 8aeaf9a75f..8e44071e63 100644 --- a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 +++ b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 
@@ -1,6 +1,6 @@ define hostgroup { hostgroup_name nomail alias No Mail - members *, !status, !registry-cdn, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} + members *, !status, !registry-cdn, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} } diff --git a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev index 27567fc9b5..88dc792cbd 100644 
--- a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev +++ b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev @@ -1,7 +1,7 @@ --- - when: {message_type: KojiBuildPackageCompleted} do: - - {tasks: [rpmlint, rpmgrill]} + - {tasks: [rpmlint, rpmgrill, python-versions]} - when: message_type: KojiBuildPackageCompleted diff --git a/scripts/public-db-copy b/scripts/public-db-copy index 6bfd9a99d2..3dad0f1ab1 100755 --- a/scripts/public-db-copy +++ b/scripts/public-db-copy @@ -16,5 +16,5 @@ scp db01.phx2.fedoraproject.org:/backups/mailman-$(date +%F).dump.xz /srv/web/in scp db01.phx2.fedoraproject.org:/backups/mbs-$(date +%F).dump.xz /srv/web/infra/db-dumps/mbs.dump.xz scp db01.phx2.fedoraproject.org:/backups/odcs-$(date +%F).dump.xz /srv/web/infra/db-dumps/odcs.dump.xz scp db01.phx2.fedoraproject.org:/backups/hyperkitty-$(date +%F).dump.xz /srv/web/infra/db-dumps/hyperkitty.dump.xz -scp db-qa01.qa.fedoraproject.org:/backups/resultsdb-$(date +%F).dump.xz /srv/web/infra/db-dumps/resultsdb.dump.xz +scp db-qa02.qa.fedoraproject.org:/backups/resultsdb-$(date +%F).dump.xz /srv/web/infra/db-dumps/resultsdb.dump.xz scp db01.phx2.fedoraproject.org:/backups/waiverdb-$(date +%F).dump.xz /srv/web/infra/db-dumps/waiverdb.dump.xz