diff --git a/callback_plugins/fedmsg_callback.py b/callback_plugins/fedmsg_callback.py index 3a892fe769..b7d4025405 100644 --- a/callback_plugins/fedmsg_callback.py +++ b/callback_plugins/fedmsg_callback.py @@ -53,6 +53,10 @@ class CallbackModule(object): # figure out where the playbook FILE is path = os.path.abspath(play.playbook.filename) + # Bail out early without publishing if we're in --check mode + if play.playbook.check: + return + if not self.playbook: fedmsg.publish( modname="ansible", topic="playbook.start", @@ -68,6 +72,9 @@ class CallbackModule(object): self.playbook = path def playbook_on_stats(self, stats): + if not self.playbook: + return + results = dict([(h, stats.summarize(h)) for h in stats.processed]) fedmsg.publish( modname="ansible", topic="playbook.complete", diff --git a/callback_plugins/logdetail.py b/callback_plugins/logdetail.py index 45b3b6e345..158b8ee45c 100644 --- a/callback_plugins/logdetail.py +++ b/callback_plugins/logdetail.py @@ -93,7 +93,7 @@ class LogMech(object): if self.playbook_id == 'ansible-cmd': res['task_userid'] = getlogin() for k in ("delegate_to", "environment", "first_available_file", - "local_action", "notified_by", "notify", "only_if", + "local_action", "notified_by", "notify", "register", "sudo", "sudo_user", "tags", "transport", "when"): v = getattr(task, k, None) @@ -133,7 +133,9 @@ class LogMech(object): if category == 'OK' and data.get('changed', False): category = 'CHANGED' - if self.play_info.get('check', False): + if self.play_info.get('check', False) and self.play_info.get('diff', False): + category = 'CHECK_DIFF:' + category + elif self.play_info.get('check', False): category = 'CHECK:' + category fd = open(self.logpath_play + '/' + host + '.log', 'a') 
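Review bot: The new check-mode `return` also skips `self.playbook = path` (the first context line of the next hunk), and the guard added to `playbook_on_stats` relies on exactly that to stay silent; nothing in the code says the two are linked. Suggest extending the added comment: `# Bail out early without publishing if we're in --check mode; self.playbook is deliberately left unset so playbook_on_stats publishes nothing either`. The method this hunk belongs to starts outside the hunk, so whether anything earlier in it already depends on `self.playbook` is not visible here.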
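Review bot: `self.play_info.get('check', False)` is evaluated in both the `if` and the `elif` of the new category logic; reading both flags once makes the three-way outcome easier to follow: `check = self.play_info.get('check', False)`, `diff = self.play_info.get('diff', False)`, then `if check and diff:` / `elif check:`. The `.get(..., False)` default is what keeps this working for a `play_info` recorded without a `'diff'` key (the later hunk in this file is where it is set), which deserves a one-line comment. The enclosing method starts and ends outside the hunk.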
@@ -258,6 +260,7 @@ class CallbackModule(object): pb_info['inventory'] = play.playbook.inventory.host_list pb_info['playbook_checksum'] = utils.md5(path) pb_info['check'] = play.playbook.check + pb_info['diff'] = play.playbook.diff logmech.play_log(json.dumps(pb_info, indent=4)) self._play_count += 1 @@ -268,6 +271,7 @@ class CallbackModule(object): info['transport'] = play.transport info['number'] = self._play_count info['check'] = play.playbook.check + info['diff'] = play.playbook.diff logmech.play_info = info logmech.play_log(json.dumps(info, indent=4)) diff --git a/files/copr/copr-be.conf b/files/copr/copr-be.conf index 680579b3a6..b00db87ae2 100644 --- a/files/copr/copr-be.conf +++ b/files/copr/copr-be.conf @@ -35,7 +35,7 @@ destdir=/var/lib/copr/public_html/results sleeptime=30 # default is 8 -num_workers=5 +num_workers=8 # path to log file # default is /var/log/copr/backend.log @@ -51,7 +51,7 @@ worker_logdir=/var/log/copr/workers/ # publish fedmsg notifications from workers if true # default is false #fedmsg_enabled=false - +fedmsg_enabled=true [builder] # default is 1800 diff --git a/files/copr/fe/httpd/coprs.conf b/files/copr/fe/httpd/coprs.conf index 8ba86c60eb..0cd63ea148 100644 --- a/files/copr/fe/httpd/coprs.conf +++ b/files/copr/fe/httpd/coprs.conf 
@@ -18,3 +18,47 @@ WSGISocketPrefix /var/run/wsgi Require all granted + + + SSLEngine on + SSLProtocol all -SSLv2 + #optimeize on speed + SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 + SSLHonorCipherOrder on + + SSLCertificateFile /etc/pki/tls/ca.crt + SSLCertificateKeyFile /etc/pki/tls/private/ca.key + ServerName copr-fe.cloud.fedoraproject.org:443 + + WSGIPassAuthorization On + #WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=5 + WSGIScriptAlias / /usr/share/copr/coprs_frontend/application + WSGIProcessGroup 127.0.0.1 + + ErrorLog logs/error_coprs + CustomLog logs/access_coprs common + + + WSGIApplicationGroup %{GLOBAL} + Require all granted + + + + +ExtendedStatus On + + + SetHandler server-status + Require all denied + Require host localhost .redhat.com + + + + + StartServers 8 + MinSpareServers 8 + MaxSpareServers 20 + MaxClients 50 + MaxRequestsPerChild 10000 + + diff --git a/files/copr/forward b/files/copr/forward index da96eddab2..5f68f7ad39 100644 --- a/files/copr/forward +++ b/files/copr/forward @@ -1 +1,4 @@ msuchy+coprmachine@redhat.com +kevin@scrye.com +nb@fedoraproject.org +sgallagh@redhat.com diff --git a/files/copr/lighttpd/lighttpd.conf b/files/copr/lighttpd/lighttpd.conf index 4b89ba4cd9..5574eba646 100644 --- a/files/copr/lighttpd/lighttpd.conf +++ b/files/copr/lighttpd/lighttpd.conf @@ -90,7 +90,7 @@ server.port = 80 ## ## Use IPv6? ## -server.use-ipv6 = "enable" +server.use-ipv6 = "disable" ## ## bind to a specific IP 
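Review bot: `SSLProtocol all -SSLv2` still leaves SSLv3 negotiable, and with `SSLHonorCipherOrder on` the list `RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5` makes RC4 the server's first preference; `SSLProtocol all -SSLv2 -SSLv3` plus a list that drops RC4 (constructed example: `SSLCipherSuite AES128-SHA:HIGH:!aNULL:!MD5:!RC4`) is the minimal change, and the comment above it should read `#optimize on speed`. `SSLCertificateFile /etc/pki/tls/ca.crt` and `SSLCertificateKeyFile /etc/pki/tls/private/ca.key` are named like a CA pair rather than a server certificate; if that is what they are, the vhost serves the CA cert and httpd holds the CA key, so please confirm the paths. In the server-status block, `Require host localhost .redhat.com` admits clients based on DNS lookups; `Require ip 127.0.0.1 ::1` for the local part does not depend on DNS. The container directives (VirtualHost/Location) are not visible in this rendering, so only the inner directives were reviewed.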
@@ -445,3 +445,11 @@ server.upload-dirs = ( "/var/tmp" ) #include_shell "cat /etc/lighttpd/vhosts.d/*.conf" ## ####################################################################### + +$SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/lighttpd/coprs-be.fedoraproject.org.pem" + ssl.ca-file = "/etc/lighttpd/coprs-be.fedoraproject.org.crt" + ssl.disable-client-renegotiation = "enable" + ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" +} diff --git a/files/copr/provision/files/builder.repo b/files/copr/provision/files/builder.repo index accab91d11..f90e909422 100644 --- a/files/copr/provision/files/builder.repo +++ b/files/copr/provision/files/builder.repo @@ -12,3 +12,12 @@ baseurl=http://172.16.5.4/results/msuchy/Mock/epel-6-$basearch/ skip_if_unavailable=True gpgcheck=0 enabled=1 + +[msuchy-scl-utils] +name=Copr repo for scl-utils owned by msuchy +description=scl-utils with patch from https://bugzilla.redhat.com/show_bug.cgi?id=985233 +baseurl=http://172.16.5.4/results/msuchy/scl-utils/epel-6-$basearch/ +skip_if_unavailable=True +gpgcheck=0 +enabled=1 + diff --git a/files/copr/provision/files/mock/epel-5-i386.cfg b/files/copr/provision/files/mock/epel-5-i386.cfg index e3d3f4c2bf..bd55bbcb52 100644 --- a/files/copr/provision/files/mock/epel-5-i386.cfg +++ b/files/copr/provision/files/mock/epel-5-i386.cfg @@ -3,8 +3,12 @@ config_opts['target_arch'] = 'i386' config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst -config_opts['macros'] = {} +if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' +config_opts['macros']['%rhel'] = '5' +config_opts['macros']['%dist'] = '.el5' +config_opts['macros']['%el5'] = '1' +config_opts['releasever'] = '5' config_opts['yum.conf'] = """ [main] 
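Review bot: The `ssl.cipher-list` in the new `:443` socket block keeps `RC4-SHA:RC4` and excludes `!EDH:!AESGCM`, so it offers RC4 while shutting out every DHE and AES-GCM suite; leading with an ECDHE-GCM suite and ending with `!RC4` keeps the intent without those exclusions (constructed example: `ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!RC4"`). `ssl.ca-file` points at `coprs-be.fedoraproject.org.crt`, the same basename as the pemfile; if that file is the server certificate rather than the issuing chain, clients will see an incomplete chain, so please confirm which it is. The block does not set `ssl.use-sslv3`, so whatever the installed lighttpd defaults to applies; stating it explicitly removes the guesswork.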
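Review bot: The new `[msuchy-scl-utils]` stanza installs packages with `gpgcheck=0` from `baseurl=http://172.16.5.4/...`, so nothing verifies what the builders receive, in transit or at rest; the stanza above follows the same pattern, but for a patched scl-utils that lands in every build chroot, signing the repo and setting `gpgcheck=1` with a `gpgkey=` entry is the fix, and if that is not feasible the trust assumption (private network only) should be stated in a comment in the file. `description=` does not look like a standard yum repo option; if yum ignores unknown keys it is harmless, otherwise move the bugzilla reference into a `#` comment.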
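Review bot: `config_opts.has_key('macros')` is Python 2 only and the body sits on the same line as the `if`; `if 'macros' not in config_opts:` with `config_opts['macros'] = {}` on its own indented line is equivalent and also survives a Python 3 mock. The epel-5-x86_64 hunk in this commit has the identical line and needs the same change.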
diff --git a/files/copr/provision/files/mock/epel-5-x86_64.cfg b/files/copr/provision/files/mock/epel-5-x86_64.cfg index a13cd4527a..31351d53c3 100644 --- a/files/copr/provision/files/mock/epel-5-x86_64.cfg +++ b/files/copr/provision/files/mock/epel-5-x86_64.cfg @@ -3,8 +3,12 @@ config_opts['target_arch'] = 'x86_64' config_opts['legal_host_arches'] = ('x86_64',) config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst -config_opts['macros'] = {} +if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' +config_opts['macros']['%rhel'] = '5' +config_opts['macros']['%dist'] = '.el5' +config_opts['macros']['%el5'] = '1' +config_opts['releasever'] = '5' config_opts['yum.conf'] = """ [main] diff --git a/files/copr/provision/files/mock/epel-7-x86_64.cfg b/files/copr/provision/files/mock/epel-7-x86_64.cfg index 56f08bdee2..91b72b8260 100644 --- a/files/copr/provision/files/mock/epel-7-x86_64.cfg +++ b/files/copr/provision/files/mock/epel-7-x86_64.cfg @@ -6,8 +6,12 @@ config_opts['legal_host_arches'] = ('x86_64',) config_opts['chroot_setup_cmd'] = 'install bash bzip2 coreutils cpio diffutils findutils gawk gcc gcc-c++ grep gzip info make patch redhat-release-server redhat-rpm-config rpm-build sed shadow-utils tar unzip util-linux which xz' config_opts['dist'] = 'el7' # only useful for --resultdir variable subst config_opts['macros'] = {} +config_opts['macros']['%dist'] = '.el7' +config_opts['macros']['%rhel'] = '7' +config_opts['macros']['%el7'] = '1' config_opts['macros']['%_topdir'] = '/builddir/build' config_opts['macros']['%_rpmfilename'] = '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm' +config_opts['releasever'] = '7' config_opts['plugin_conf']['root_cache_enable'] = False config_opts['plugin_conf']['yum_cache_enable'] = False 
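Review bot: `config_opts['macros'] = {}` just above the new `%dist` macro remains unconditional in epel-7-x86_64.cfg, while the two epel-5 configs in this commit switched to initializing it only when missing; if the intent there was to preserve macros set by an earlier config, epel-7 now behaves differently from its siblings and probably wants the same `if 'macros' not in config_opts:` guard. That line is context here, so the difference may be intentional; worth confirming.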
diff --git a/files/copr/provision/files/mock/fedora-20-i386.cfg b/files/copr/provision/files/mock/fedora-20-i386.cfg index d04d180320..fde3c2754f 100644 --- a/files/copr/provision/files/mock/fedora-20-i386.cfg +++ b/files/copr/provision/files/mock/fedora-20-i386.cfg @@ -3,6 +3,7 @@ config_opts['target_arch'] = 'i686' config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst +config_opts['releasever'] = '20' config_opts['yum.conf'] = """ [main] diff --git a/files/copr/provision/files/mock/fedora-20-x86_64.cfg b/files/copr/provision/files/mock/fedora-20-x86_64.cfg index 0f56311e0b..fa7f6d4c42 100644 --- a/files/copr/provision/files/mock/fedora-20-x86_64.cfg +++ b/files/copr/provision/files/mock/fedora-20-x86_64.cfg @@ -3,6 +3,7 @@ config_opts['target_arch'] = 'x86_64' config_opts['legal_host_arches'] = ('x86_64',) config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst +config_opts['releasever'] = '20' config_opts['yum.conf'] = """ [main] diff --git a/files/hosts/arm.fedoraproject.org-hosts b/files/hosts/arm.fedoraproject.org-hosts index 7970c8d6b0..4ee48472bb 100644 --- a/files/hosts/arm.fedoraproject.org-hosts +++ b/files/hosts/arm.fedoraproject.org-hosts @@ -4,6 +4,7 @@ 10.5.125.36 kojipkgs.fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.124.138 arm.koji.fedoraproject.org +10.5.124.138 armpkgs.fedoraproject.org 10.5.125.44 pkgs.fedoraproject.org pkgs # # This is proxy01.phx2.fedoraproject.org diff --git a/files/hosts/ask01.phx2.fedoraproject.org-hosts b/files/hosts/ask01.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..78678246c9 --- /dev/null +++ b/files/hosts/ask01.phx2.fedoraproject.org-hosts 
@@ -0,0 +1,7 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org + +10.5.126.71 db-ask diff --git a/files/hosts/ask01.stg.phx2.fedoraproject.org-hosts b/files/hosts/ask01.stg.phx2.fedoraproject.org-hosts index 976ef96a0f..f051c5984b 100644 --- a/files/hosts/ask01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/ask01.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/ask02.phx2.fedoraproject.org-hosts b/files/hosts/ask02.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..78678246c9 --- /dev/null +++ b/files/hosts/ask02.phx2.fedoraproject.org-hosts @@ -0,0 +1,7 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org + +10.5.126.71 db-ask diff --git a/files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts b/files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts index 45c9b68d17..534823fa01 100644 --- a/files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts 
+++ b/files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/badges-web01.phx2.fedoraproject.org-hosts b/files/hosts/badges-web01.phx2.fedoraproject.org-hosts index ef881d08c2..42463d54c5 100644 --- a/files/hosts/badges-web01.phx2.fedoraproject.org-hosts +++ b/files/hosts/badges-web01.phx2.fedoraproject.org-hosts @@ -1,5 +1,5 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 db-tahrir db-tahrir diff --git a/files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts b/files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts index 5004dc0f9c..9903f09a61 100644 --- a/files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts 
@@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/badges-web02.phx2.fedoraproject.org-hosts b/files/hosts/badges-web02.phx2.fedoraproject.org-hosts index ef881d08c2..42463d54c5 100644 --- a/files/hosts/badges-web02.phx2.fedoraproject.org-hosts +++ b/files/hosts/badges-web02.phx2.fedoraproject.org-hosts @@ -1,5 +1,5 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 db-tahrir db-tahrir diff --git a/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..9ac258248c --- /dev/null +++ b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts 
@@ -0,0 +1,9 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +10.5.126.89 admin.fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org +10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all +10.5.126.23 infrastructure.fedoraproject.org + +10.5.126.81 memcached03 memcached03.stg app01 app01.stg diff --git a/files/hosts/fedocal01.phx2.fedoraproject.org-hosts b/files/hosts/fedocal01.phx2.fedoraproject.org-hosts index 0a4860a664..8b742db388 100644 --- a/files/hosts/fedocal01.phx2.fedoraproject.org-hosts +++ b/files/hosts/fedocal01.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts b/files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts index cb3bf792be..4a0f12bde9 100644 --- a/files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts 
@@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/fedocal02.phx2.fedoraproject.org-hosts b/files/hosts/fedocal02.phx2.fedoraproject.org-hosts index 0a4860a664..8b742db388 100644 --- a/files/hosts/fedocal02.phx2.fedoraproject.org-hosts +++ b/files/hosts/fedocal02.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts b/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..ec03ec269b --- /dev/null +++ b/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts @@ -0,0 +1,6 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.71 db-notifs db-notifs +10.5.126.109 db-datanommer db-datanommer 
diff --git a/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts index 39a889c3e2..81694c1bc8 100644 --- a/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts @@ -2,10 +2,11 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.85 db-notifs db-notifs +10.5.126.85 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..ec03ec269b --- /dev/null +++ b/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts @@ -0,0 +1,6 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.71 db-notifs db-notifs +10.5.126.109 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts index 39a889c3e2..81694c1bc8 100644 --- a/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts 
@@ -2,10 +2,11 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.85 db-notifs db-notifs +10.5.126.85 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..ec03ec269b --- /dev/null +++ b/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts @@ -0,0 +1,6 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.71 db-notifs db-notifs +10.5.126.109 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts index 39a889c3e2..81694c1bc8 100644 --- a/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts 
@@ -2,10 +2,11 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.85 db-notifs db-notifs +10.5.126.85 db-datanommer db-datanommer diff --git a/files/hosts/nuancier01.phx2.fedoraproject.org-hosts b/files/hosts/nuancier01.phx2.fedoraproject.org-hosts index 7be9cc916f..83b17e48d8 100644 --- a/files/hosts/nuancier01.phx2.fedoraproject.org-hosts +++ b/files/hosts/nuancier01.phx2.fedoraproject.org-hosts @@ -1,7 +1,7 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 nuancier_db nuancier_db diff --git a/files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts b/files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts index 19c2ac4cbe..5ddb542288 100644 --- a/files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts 
@@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/nuancier02.phx2.fedoraproject.org-hosts b/files/hosts/nuancier02.phx2.fedoraproject.org-hosts index 7be9cc916f..83b17e48d8 100644 --- a/files/hosts/nuancier02.phx2.fedoraproject.org-hosts +++ b/files/hosts/nuancier02.phx2.fedoraproject.org-hosts @@ -1,7 +1,7 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 nuancier_db nuancier_db diff --git a/files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts b/files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts index 19c2ac4cbe..5ddb542288 100644 --- a/files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts 
@@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hotfix/python-openid/fetchers.py b/files/hotfix/python-openid/fetchers.py new file mode 100644 index 0000000000..bdacfb9410 --- /dev/null +++ b/files/hotfix/python-openid/fetchers.py 
@@ -0,0 +1,430 @@ +# -*- test-case-name: openid.test.test_fetchers -*- +""" +This module contains the HTTP fetcher interface and several implementations. +""" + +__all__ = ['fetch', 'getDefaultFetcher', 'setDefaultFetcher', 'HTTPResponse', + 'HTTPFetcher', 'createHTTPFetcher', 'HTTPFetchingError', + 'HTTPError'] + +import urllib2 +import time +import cStringIO +import sys + +import openid +import openid.urinorm + +# Try to import httplib2 for caching support +# http://bitworking.org/projects/httplib2/ +try: + import httplib2 +except ImportError: + # httplib2 not available + httplib2 = None + +# try to import pycurl, which will let us use CurlHTTPFetcher +try: + import pycurl +except ImportError: + pycurl = None + +USER_AGENT = "python-openid/%s (%s)" % (openid.__version__, sys.platform) +MAX_RESPONSE_KB = 1024 + +def fetch(url, body=None, headers=None): + """Invoke the fetch method on the default fetcher. Most users + should need only this method. + + @raises Exception: any exceptions that may be raised by the default fetcher + """ + fetcher = getDefaultFetcher() + return fetcher.fetch(url, body, headers) + +def createHTTPFetcher(): + """Create a default HTTP fetcher instance + + prefers Curl to urllib2.""" + if pycurl is None: + fetcher = Urllib2Fetcher() + else: + fetcher = CurlHTTPFetcher() + + return fetcher + +# Contains the currently set HTTP fetcher. If it is set to None, the +# library will call createHTTPFetcher() to set it. Do not access this +# variable outside of this module. +_default_fetcher = None + +def getDefaultFetcher(): + """Return the default fetcher instance + if no fetcher has been set, it will create a default fetcher. 
+ + @return: the default fetcher + @rtype: HTTPFetcher + """ + global _default_fetcher + + if _default_fetcher is None: + setDefaultFetcher(createHTTPFetcher()) + + return _default_fetcher + +def setDefaultFetcher(fetcher, wrap_exceptions=True): + """Set the default fetcher + + @param fetcher: The fetcher to use as the default HTTP fetcher + @type fetcher: HTTPFetcher + + @param wrap_exceptions: Whether to wrap exceptions thrown by the + fetcher wil HTTPFetchingError so that they may be caught + easier. By default, exceptions will be wrapped. In general, + unwrapped fetchers are useful for debugging of fetching errors + or if your fetcher raises well-known exceptions that you would + like to catch. + @type wrap_exceptions: bool + """ + global _default_fetcher + if fetcher is None or not wrap_exceptions: + _default_fetcher = fetcher + else: + _default_fetcher = ExceptionWrappingFetcher(fetcher) + +def usingCurl(): + """Whether the currently set HTTP fetcher is a Curl HTTP fetcher.""" + fetcher = getDefaultFetcher() + if isinstance(fetcher, ExceptionWrappingFetcher): + fetcher = fetcher.fetcher + return isinstance(fetcher, CurlHTTPFetcher) + +class HTTPResponse(object): + """XXX document attributes""" + headers = None + status = None + body = None + final_url = None + + def __init__(self, final_url=None, status=None, headers=None, body=None): + self.final_url = final_url + self.status = status + self.headers = headers + self.body = body + + def __repr__(self): + return "<%s status %s for %s>" % (self.__class__.__name__, + self.status, + self.final_url) + +class HTTPFetcher(object): + """ + This class is the interface for openid HTTP fetchers. This + interface is only important if you need to write a new fetcher for + some reason. + """ + + def fetch(self, url, body=None, headers=None): + """ + This performs an HTTP POST or GET, following redirects along + the way. If a body is specified, then the request will be a + POST. Otherwise, it will be a GET. 
+ + + @param headers: HTTP headers to include with the request + @type headers: {str:str} + + @return: An object representing the server's HTTP response. If + there are network or protocol errors, an exception will be + raised. HTTP error responses, like 404 or 500, do not + cause exceptions. + + @rtype: L{HTTPResponse} + + @raise Exception: Different implementations will raise + different errors based on the underlying HTTP library. + """ + raise NotImplementedError + +def _allowedURL(url): + return url.startswith('http://') or url.startswith('https://') + +class HTTPFetchingError(Exception): + """Exception that is wrapped around all exceptions that are raised + by the underlying fetcher when using the ExceptionWrappingFetcher + + @ivar why: The exception that caused this exception + """ + def __init__(self, why=None): + Exception.__init__(self, why) + self.why = why + +class ExceptionWrappingFetcher(HTTPFetcher): + """Fetcher that wraps another fetcher, causing all exceptions + + @cvar uncaught_exceptions: Exceptions that should be exposed to the + user if they are raised by the fetch call + """ + + uncaught_exceptions = (SystemExit, KeyboardInterrupt, MemoryError) + + def __init__(self, fetcher): + self.fetcher = fetcher + + def fetch(self, *args, **kwargs): + try: + return self.fetcher.fetch(*args, **kwargs) + except self.uncaught_exceptions: + raise + except: + exc_cls, exc_inst = sys.exc_info()[:2] + if exc_inst is None: + # string exceptions + exc_inst = exc_cls + + raise HTTPFetchingError(why=exc_inst) + +class Urllib2Fetcher(HTTPFetcher): + """An C{L{HTTPFetcher}} that uses urllib2. 
+ """ + + # Parameterized for the benefit of testing frameworks, see + # http://trac.openidenabled.com/trac/ticket/85 + urlopen = staticmethod(urllib2.urlopen) + + def fetch(self, url, body=None, headers=None): + if not _allowedURL(url): + raise ValueError('Bad URL scheme: %r' % (url,)) + + if headers is None: + headers = {} + + headers.setdefault( + 'User-Agent', + "%s Python-urllib/%s" % (USER_AGENT, urllib2.__version__,)) + + req = urllib2.Request(url, data=body, headers=headers) + try: + f = self.urlopen(req) + try: + return self._makeResponse(f) + finally: + f.close() + except urllib2.HTTPError, why: + try: + return self._makeResponse(why) + finally: + why.close() + + def _makeResponse(self, urllib2_response): + resp = HTTPResponse() + resp.body = urllib2_response.read(MAX_RESPONSE_KB * 1024) + resp.final_url = urllib2_response.geturl() + resp.headers = dict(urllib2_response.info().items()) + + if hasattr(urllib2_response, 'code'): + resp.status = urllib2_response.code + else: + resp.status = 200 + + return resp + +class HTTPError(HTTPFetchingError): + """ + This exception is raised by the C{L{CurlHTTPFetcher}} when it + encounters an exceptional situation fetching a URL. + """ + pass + +# XXX: define what we mean by paranoid, and make sure it is. +class CurlHTTPFetcher(HTTPFetcher): + """ + An C{L{HTTPFetcher}} that uses pycurl for fetching. + See U{http://pycurl.sourceforge.net/}. 
+ """ + ALLOWED_TIME = 20 # seconds + + def __init__(self): + HTTPFetcher.__init__(self) + if pycurl is None: + raise RuntimeError('Cannot find pycurl library') + + def _parseHeaders(self, header_file): + header_file.seek(0) + + # Remove the status line from the beginning of the input + unused_http_status_line = header_file.readline().lower () + while unused_http_status_line.lower().startswith('http/1.1 1'): + unused_http_status_line = header_file.readline() + unused_http_status_line = header_file.readline() + + lines = [line.strip() for line in header_file] + + # and the blank line from the end + empty_line = lines.pop() + if empty_line: + raise HTTPError("No blank line at end of headers: %r" % (line,)) + + headers = {} + for line in lines: + try: + name, value = line.split(':', 1) + except ValueError: + raise HTTPError( + "Malformed HTTP header line in response: %r" % (line,)) + + value = value.strip() + + # HTTP headers are case-insensitive + name = name.lower() + headers[name] = value + + return headers + + def _checkURL(self, url): + # XXX: document that this can be overridden to match desired policy + # XXX: make sure url is well-formed and routeable + return _allowedURL(url) + + def fetch(self, url, body=None, headers=None): + stop = int(time.time()) + self.ALLOWED_TIME + off = self.ALLOWED_TIME + + if headers is None: + headers = {} + + headers.setdefault('User-Agent', + "%s %s" % (USER_AGENT, pycurl.version,)) + + header_list = [] + if headers is not None: + for header_name, header_value in headers.iteritems(): + header_list.append('%s: %s' % (header_name, header_value)) + + c = pycurl.Curl() + try: + c.setopt(pycurl.NOSIGNAL, 1) + + if header_list: + c.setopt(pycurl.HTTPHEADER, header_list) + + # Presence of a body indicates that we should do a POST + if body is not None: + c.setopt(pycurl.POST, 1) + c.setopt(pycurl.POSTFIELDS, body) + + while off > 0: + if not self._checkURL(url): + raise HTTPError("Fetching URL not allowed: %r" % (url,)) + + data = 
cStringIO.StringIO() + def write_data(chunk): + if data.tell() > 1024*MAX_RESPONSE_KB: + return 0 + else: + return data.write(chunk) + + response_header_data = cStringIO.StringIO() + c.setopt(pycurl.WRITEFUNCTION, write_data) + c.setopt(pycurl.HEADERFUNCTION, response_header_data.write) + c.setopt(pycurl.TIMEOUT, off) + c.setopt(pycurl.URL, openid.urinorm.urinorm(url)) + + c.perform() + + response_headers = self._parseHeaders(response_header_data) + code = c.getinfo(pycurl.RESPONSE_CODE) + if code in [301, 302, 303, 307]: + url = response_headers.get('location') + if url is None: + raise HTTPError( + 'Redirect (%s) returned without a location' % code) + + # Redirects are always GETs + c.setopt(pycurl.POST, 0) + + # There is no way to reset POSTFIELDS to empty and + # reuse the connection, but we only use it once. + else: + resp = HTTPResponse() + resp.headers = response_headers + resp.status = code + resp.final_url = url + resp.body = data.getvalue() + return resp + + off = stop - int(time.time()) + + raise HTTPError("Timed out fetching: %r" % (url,)) + finally: + c.close() + +class HTTPLib2Fetcher(HTTPFetcher): + """A fetcher that uses C{httplib2} for performing HTTP + requests. This implementation supports HTTP caching. + + @see: http://bitworking.org/projects/httplib2/ + """ + + def __init__(self, cache=None): + """@param cache: An object suitable for use as an C{httplib2} + cache. If a string is passed, it is assumed to be a + directory name. + """ + if httplib2 is None: + raise RuntimeError('Cannot find httplib2 library. ' + 'See http://bitworking.org/projects/httplib2/') + + super(HTTPLib2Fetcher, self).__init__() + + # An instance of the httplib2 object that performs HTTP requests + self.httplib2 = httplib2.Http(cache) + + # We want httplib2 to raise exceptions for errors, just like + # the other fetchers. 
+ self.httplib2.force_exception_to_status_code = False + + def fetch(self, url, body=None, headers=None): + """Perform an HTTP request + + @raises Exception: Any exception that can be raised by httplib2 + + @see: C{L{HTTPFetcher.fetch}} + """ + if body: + method = 'POST' + else: + method = 'GET' + + if headers is None: + headers = {} + + # httplib2 doesn't check to make sure that the URL's scheme is + # 'http' so we do it here. + if not (url.startswith('http://') or url.startswith('https://')): + raise ValueError('URL is not a HTTP URL: %r' % (url,)) + + httplib2_response, content = self.httplib2.request( + url, method, body=body, headers=headers) + + # Translate the httplib2 response to our HTTP response abstraction + + # When a 400 is returned, there is no "content-location" + # header set. This seems like a bug to me. I can't think of a + # case where we really care about the final URL when it is an + # error response, but being careful about it can't hurt. + try: + final_url = httplib2_response['content-location'] + except KeyError: + # We're assuming that no redirects occurred + assert not httplib2_response.previous + + # And this should never happen for a successful response + assert httplib2_response.status != 200 + final_url = url + + return HTTPResponse( + body=content, + final_url=final_url, + headers=dict(httplib2_response.items()), + status=httplib2_response.status, + ) diff --git a/files/jenkins/master/config.xml b/files/jenkins/master/config.xml index 2244e7222b..4da63a4193 100644 --- a/files/jenkins/master/config.xml +++ b/files/jenkins/master/config.xml @@ -78,6 +78,22 @@ class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/> + + Fedora20 + + /mnt/jenkins/ + 2 + NORMAL + + + 172.16.5.23 + 22 + 950d5dd7-acb2-402a-8670-21f152d04928 + + + + 5 0 
diff --git a/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml b/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml new file mode 100644 index 0000000000..5594ea588d --- /dev/null +++ b/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml @@ -0,0 +1,22 @@ + + + + + + pyflakes + ^(.*):([0-9]*):(.*)$ + + + https://pypi.python.org/pypi/pyflakes + pyflakes errors + + + diff --git a/files/lists-dev/aliases b/files/lists-dev/aliases deleted file mode 100644 index eb6d0bf61d..0000000000 --- a/files/lists-dev/aliases +++ /dev/null 
@@ -1,96 +0,0 @@ -# -# Aliases in this file will NOT be expanded in the header from -# Mail, but WILL be visible over networks or from /bin/mail. -# -# >>>>>>>>>> The program "newaliases" must be run after -# >> NOTE >> this file is updated for any changes to -# >>>>>>>>>> show through to sendmail. -# - -# Basic system aliases -- these MUST be present. -mailer-daemon: postmaster -postmaster: root - -# General redirections for pseudo accounts. -bin: root -daemon: root -adm: root -lp: root -sync: root -shutdown: root -halt: root -mail: root -news: root -uucp: root -operator: root -games: root -gopher: root -ftp: root -nobody: root -radiusd: root -nut: root -dbus: root -vcsa: root -canna: root -wnn: root -rpm: root -nscd: root -pcap: root -apache: root -webalizer: root -dovecot: root -fax: root -quagga: root -radvd: root -pvm: root -amandabackup: root -privoxy: root -ident: root -named: root -xfs: root -gdm: root -mailnull: root -postgres: root -sshd: root -smmsp: root -postfix: root -netdump: root -ldap: root -squid: root -ntp: root -mysql: root -desktop: root -rpcuser: root -rpc: root -nfsnobody: root - -ingres: root -system: root -toor: root -manager: root -dumper: root -abuse: root - -newsadm: news -newsadmin: news -usenet: news -ftpadm: ftp -ftpadmin: ftp -ftp-adm: ftp -ftp-admin: ftp -www: webmaster -webmaster: root -noc: root -security: root -hostmaster: root -info: postmaster -marketing: postmaster -sales: postmaster -support: postmaster - - -# trap decode to catch security attacks -decode: root - -# Person who should get root's mail -root: abompard@fedoraproject.org diff --git a/files/lists-dev/hyperkitty.apache.conf b/files/lists-dev/hyperkitty.apache.conf deleted file mode 100644 index 5773918fbf..0000000000 --- a/files/lists-dev/hyperkitty.apache.conf +++ /dev/null 
@@ -1,27 +0,0 @@ -#Alias /robots.txt /etc/hyperkitty/sites/default/static/robots.txt -#Alias /favicon.ico /etc/hyperkitty/sites/default/static/favicon.ico -Alias /hyperkitty/static /var/lib/hyperkitty/sites/default/static - -#ErrorLog /var/log/httpd/hyperkitty_error.log -#CustomLog /var/log/httpd/hyperkitty_access.log combined - -WSGIScriptAlias /hyperkitty /etc/hyperkitty/sites/default/wsgi.py -WSGIDaemonProcess hyperkitty threads=25 python-path=/etc/hyperkitty/sites/default -# If using VirtualEnv -#WSGIDaemonProcess hyperkitty threads=25 python-path=/etc/hyperkitty/sites/default:/path/to/your/venv/lib/python2.X/site-packages -WSGISocketPrefix run/wsgi - - - - Order deny,allow - Allow from all - Require all granted - - WSGIProcessGroup hyperkitty - - - - Order deny,allow - Allow from all - Require all granted - diff --git a/files/lists-dev/hyperkitty.cfg b/files/lists-dev/hyperkitty.cfg deleted file mode 100644 index fa4fa16507..0000000000 --- a/files/lists-dev/hyperkitty.cfg +++ /dev/null @@ -1,3 +0,0 @@ -[general] -base_url: http://lists-dev.cloud.fedoraproject.org/ -django_settings: /etc/hyperkitty/sites/default/settings.py diff --git a/files/lists-dev/hyperkitty.logrotate.conf b/files/lists-dev/hyperkitty.logrotate.conf deleted file mode 100644 index 3e5b70f0ae..0000000000 --- a/files/lists-dev/hyperkitty.logrotate.conf +++ /dev/null @@ -1,10 +0,0 @@ -/var/log/hyperkitty/*.log { - missingok - notifempty - sharedscripts - delaycompress - su root apache - postrotate - /sbin/service httpd reload > /dev/null 2>/dev/null || true - endscript -} diff --git a/files/lists-dev/hyperkitty.settings_local.py.j2 b/files/lists-dev/hyperkitty.settings_local.py.j2 deleted file mode 100644 index ccd5565aad..0000000000 --- a/files/lists-dev/hyperkitty.settings_local.py.j2 +++ /dev/null 
@@ -1,96 +0,0 @@ -#-*- coding: utf-8 -*- - -""" -Django local settings for the hyperkitty project. -""" - -DEBUG = True -TEMPLATE_DEBUG = DEBUG - -ADMINS = () -DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql_psycopg2', - 'NAME': 'hyperkitty', - 'USER': 'hyperkitty', - 'PASSWORD': '{{ lists_dev_hk_db_pass }}', - 'HOST': 'localhost', - 'PORT': '', - } -} -# URL prefix for static files. -# Example: "http://media.lawrence.com/static/" -STATIC_URL = '/hyperkitty/static/' - -# Add Fedora to the authentication backends -AUTHENTICATION_BACKENDS = ( - 'social_auth.backends.browserid.BrowserIDBackend', - 'hyperkitty.lib.fedora.FedoraBackend', - 'social_auth.backends.google.GoogleBackend', - 'social_auth.backends.yahoo.YahooBackend', - #'social_auth.backends.OpenIDBackend', - 'django.contrib.auth.backends.ModelBackend', -) - -# Use the email address as the username (add associate_by_email). -SOCIAL_AUTH_PIPELINE = ( - 'social_auth.backends.pipeline.social.social_auth_user', - 'social_auth.backends.pipeline.associate.associate_by_email', - 'social_auth.backends.pipeline.user.get_username', - 'social_auth.backends.pipeline.user.create_user', - 'social_auth.backends.pipeline.social.associate_user', - 'social_auth.backends.pipeline.social.load_extra_data', - 'social_auth.backends.pipeline.user.update_user_details' -) - -# A sample logging configuration. The only tangible logging -# performed by this configuration is to send an email to -# the site admins on every HTTP 500 error. -# See http://docs.djangoproject.com/en/dev/topics/logging for -# more details on how to customize your logging configuration. 
-LOGGING = { - 'version': 1, - 'disable_existing_loggers': False, - 'handlers': { - 'mail_admins': { - 'level': 'ERROR', - 'class': 'django.utils.log.AdminEmailHandler' - }, - 'file':{ - 'level': 'DEBUG', - #'class': 'logging.handlers.RotatingFileHandler', - 'class': 'logging.FileHandler', - 'filename': '/var/log/hyperkitty/hyperkitty.log', - 'formatter': 'verbose', - }, - }, - 'loggers': { - 'django.request': { - 'handlers': ['file'], - 'level': 'ERROR', - 'propagate': True, - }, - 'django': { - 'handlers': ['file'], - 'level': 'ERROR', - 'propagate': True, - }, - 'hyperkitty': { - 'handlers': ['file'], - 'level': 'DEBUG', - 'propagate': True, - }, - }, - 'formatters': { - 'verbose': { - 'format': '%(levelname)s %(asctime)s %(module)s %(process)d %(thread)d %(message)s' - }, - 'simple': { - 'format': '%(levelname)s %(message)s' - }, - }, -} - -APP_NAME = 'Fedora list archives' -KITTYSTORE_URL = 'postgres://kittystore:{{ lists_dev_ks_db_pass }}@localhost/kittystore' -USE_MOCKUPS = False diff --git a/files/lists-dev/hyperkitty.urls.py b/files/lists-dev/hyperkitty.urls.py deleted file mode 100644 index 194a4e6a1b..0000000000 --- a/files/lists-dev/hyperkitty.urls.py +++ /dev/null 
@@ -1,37 +0,0 @@ -# -*- coding: utf-8 -*- -# Copyright (C) 1998-2012 by the Free Software Foundation, Inc. -# -# This file is part of HyperKitty. -# -# HyperKitty is free software: you can redistribute it and/or modify it under -# the terms of the GNU General Public License as published by the Free -# Software Foundation, either version 3 of the License, or (at your option) -# any later version. -# -# HyperKitty is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along with -# HyperKitty. If not, see . - -import hyperkitty - -from django.conf.urls.defaults import * -from django.conf import settings - -# Uncomment the next two lines to enable the admin: -from django.contrib import admin -admin.autodiscover() - -# Import mailman urls and set urlpatterns if you want to hook -# mailman_django into an existing django site. -# Otherwise set ROOT_URLCONF in settings.py to -# `mailman_django.urls`. -# from mailman_django import urls as mailman_urls - -urlpatterns = patterns('', - url(r'^$', 'hyperkitty.views.pages.index'), - url(r'', include('hyperkitty.urls')), -) diff --git a/files/lists-dev/index.html b/files/lists-dev/index.html deleted file mode 100644 index d6c2fbc392..0000000000 --- a/files/lists-dev/index.html +++ /dev/null @@ -1,8 +0,0 @@ - - - - - diff --git a/files/lists-dev/mailman.cfg.j2 b/files/lists-dev/mailman.cfg.j2 deleted file mode 100644 index bb1b6baa45..0000000000 --- a/files/lists-dev/mailman.cfg.j2 +++ /dev/null 
@@ -1,25 +0,0 @@
-# This is the absolute bare minimum base configuration file. User supplied
-# configurations are pushed onto this.
-
-[mailman]
-site_owner: root@localhost
-
-# Set the paths to be Fedora-compliant
-layout: fhs
-[paths.fhs]
-var_dir: /srv/persist/mailman
-bin_dir: /usr/libexec/mailman
-lock_dir: /run/lock/mailman
-pid_file: /run/mailman/master.pid
-
-[database]
-class: mailman.database.postgresql.PostgreSQLDatabase
-url: postgres://mailman:{{ lists_dev_mm_db_pass }}@localhost/mailman
-
-[archiver.hyperkitty]
-class: hyperkitty.archiver.Archiver
-enable: yes
-configuration: /etc/mailman.d/hyperkitty.cfg
-
-#[archiver.prototype]
-#enable: yes
diff --git a/files/lists-dev/pgpass.j2 b/files/lists-dev/pgpass.j2
index 6cf70839ac..b0b2297296 100644
--- a/files/lists-dev/pgpass.j2
+++ b/files/lists-dev/pgpass.j2
@@ -1,4 +1,3 @@
-*:*:mailman:mailman:{{ lists_dev_mm_db_pass }}
-*:*:hyperkitty:hyperkitty:{{ lists_dev_hk_db_pass }}
-*:*:kittystore:kittystore:{{ lists_dev_ks_db_pass }}
-*:*:postorius:postorius:{{ lists_dev_ps_db_pass }}
+*:*:mailman:mailmanadmin:{{ lists_dev_mm_db_pass }}
+*:*:hyperkitty:hyperkittyadmin:{{ lists_dev_hk_db_pass }}
+*:*:kittystore:kittystoreadmin:{{ lists_dev_ks_db_pass }}
diff --git a/files/lists-dev/postorius.apache.conf b/files/lists-dev/postorius.apache.conf
deleted file mode 100644
index aab8565174..0000000000
--- a/files/lists-dev/postorius.apache.conf
+++ /dev/null
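Review bot: The three rewritten pgpass lines keep `*` in both the hostname and the port field, so libpq will present the new admin credentials (`mailmanadmin`, `hyperkittyadmin`, `kittystoreadmin`) to whatever PostgreSQL host a client on this machine happens to connect to. This commit also introduces `mailman_dbserver` in inventory/group_vars/mailman and mailman-stg with the comment "Used by the mailman role"; if this template is rendered by that role, the host field can be pinned, e.g. `{{ mailman_dbserver }}:*:mailman:mailmanadmin:{{ lists_dev_mm_db_pass }}`, and likewise for the other two entries. Whether lists-dev is still served by that role is not visible here, so a one-line comment naming the consumer of this file would help either way.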
@@ -1,26 +0,0 @@ -#Alias /robots.txt /var/lib/postorius/sites/default/static/robots.txt -#Alias /favicon.ico /var/lib/postorius/sites/default/static/favicon.ico -Alias /postorius/static /var/lib/postorius/sites/default/static - -#ErrorLog /var/log/httpd/postorius_error.log -#CustomLog /var/log/httpd/postorius_access.log combined - -WSGIScriptAlias /postorius /etc/postorius/sites/default/srv/postorius.wsgi -WSGIDaemonProcess postorius threads=25 python-path=/etc/postorius/sites/default -# If using VirtualEnv -#WSGIDaemonProcess postorius threads=25 python-path=/etc/postorius/sites/default:/path/to/your/venv/lib/python2.X/site-packages - - - - Order deny,allow - Allow from all - Require all granted - - WSGIProcessGroup postorius - - - - Order deny,allow - Allow from all - Require all granted - diff --git a/files/lists-dev/postorius.initial-user.json b/files/lists-dev/postorius.initial-user.json deleted file mode 100644 index 00ee53f972..0000000000 --- a/files/lists-dev/postorius.initial-user.json +++ /dev/null @@ -1,20 +0,0 @@ -[ - { - "fields": { - "date_joined": "2013-04-10T10:25:49.996", - "email": "root@lists-dev.cloud.fedoraproject.org", - "first_name": "List Admin", - "groups": [], - "is_active": true, - "is_staff": true, - "is_superuser": true, - "last_login": "2013-04-10T10:25:49.996", - "last_name": "", - "password": "pbkdf2_sha256$10000$uXnbYx0visOx$yux8mAZ2H/sjyCEYBvO3JEtJ7dmWfNMnvekQjePbue0=", - "user_permissions": [], - "username": "listadmin" - }, - "model": "auth.user", - "pk": 1 - } -] diff --git a/files/lists-dev/postorius.settings_local.py.j2 b/files/lists-dev/postorius.settings_local.py.j2 deleted file mode 100644 index 274a098945..0000000000 --- a/files/lists-dev/postorius.settings_local.py.j2 +++ /dev/null 
@@ -1,34 +0,0 @@ -#-*- coding: utf-8 -*- - -""" -Django local settings for the postorious project. -""" - - -DEBUG = True -TEMPLATE_DEBUG = DEBUG - -ADMINS = () -DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql_psycopg2', - 'NAME': 'postorius', - 'USER': 'postorius', - 'PASSWORD': '{{ lists_dev_ps_db_pass }}', - 'HOST': 'localhost', - 'PORT': '', - } -} - -# URL that handles the media served from STATIC_ROOT. Make sure to use a -STATIC_URL = '/postorius/static/' -# URL that handles the media served from MEDIA_ROOT. Make sure to use a -MEDIA_URL = '/postorius/media/' - -# URL prefix for admin media -- CSS, JavaScript and images. Make sure to use a -# trailing slash. -# Examples: "http://foo.com/media/", "/media/". -ADMIN_MEDIA_PREFIX = '/postorius/static/admin/' - -# Make this unique, and don't share it with anybody. -SECRET_KEY = '$!-7^wl#wiifjbh)5@f7ji%x!vp7s1vwt26hxvixq0u0' diff --git a/files/lists-dev/postorius.urls.py b/files/lists-dev/postorius.urls.py deleted file mode 100755 index 643bf33023..0000000000 --- a/files/lists-dev/postorius.urls.py +++ /dev/null 
@@ -1,38 +0,0 @@ -# -*- coding: utf-8 -*- -# Copyright (C) 1998-2012 by the Free Software Foundation, Inc. -# -# This file is part of Postorius. -# -# Postorius is free software: you can redistribute it and/or modify it under -# the terms of the GNU General Public License as published by the Free -# Software Foundation, either version 3 of the License, or (at your option) -# any later version. -# -# Postorius is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along with -# Postorius. If not, see . - -import postorius - -from django.conf.urls import * -from django.conf import settings - -# Uncomment the next two lines to enable the admin: -from django.contrib import admin -admin.autodiscover() - -# Import mailman urls and set urlpatterns if you want to hook -# mailman_django into an existing django site. -# Otherwise set ROOT_URLCONF in settings.py to -# `mailman_django.urls`. -# from mailman_django import urls as mailman_urls - -urlpatterns = patterns('', - url(r'^$', 'postorius.views.list_index'), - url(r'', include('postorius.urls')), - url(r'', include('social_auth.urls')), -) diff --git a/files/releng/fedmsg/endpoints.py b/files/releng/fedmsg/endpoints.py index 364f3e7e63..f8bc91d34a 100644 --- a/files/releng/fedmsg/endpoints.py +++ b/files/releng/fedmsg/endpoints.py @@ -42,10 +42,6 @@ config = dict( "tcp://app05.%s:300%i" % (non_phx_suffix, i) for i in range(8) ], - "bodhi.app06": [ - "tcp://app06.%s:300%i" % (non_phx_suffix, i) - for i in range(8) - ], "bodhi.app07": [ "tcp://app07.%s:300%i" % (suffix, i) for i in range(8) diff --git a/files/releng/fedmsg/ssl.py b/files/releng/fedmsg/ssl.py index dfa5bc179f..10847852b2 100644 --- a/files/releng/fedmsg/ssl.py +++ b/files/releng/fedmsg/ssl.py 
@@ -6,7 +6,6 @@ app_hosts = [ "app03.phx2.fedoraproject.org", "app04.phx2.fedoraproject.org", "app05.fedoraproject.org", - "app06.fedoraproject.org", "app07.phx2.fedoraproject.org", "app08.fedoraproject.org", ] diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 5fdb70786d..74f863e1bc 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -29,6 +29,9 @@ - name: restart jenkins action: service name=jenkins state=restarted +- name: restart kojid + action: service name=kojid state=restarted + - name: restart libvirtd action: service name=libvirtd state=restarted @@ -79,3 +82,6 @@ - name: restart netapproute action: command /etc/sysconfig/network-scripts/ifup-routes eth1 + +- name: restart unbound + action: service name=unbound state=restarted diff --git a/handlers/semanage.yml b/handlers/semanage.yml new file mode 100644 index 0000000000..bb9db3f6a9 --- /dev/null +++ b/handlers/semanage.yml @@ -0,0 +1,8 @@ +- name: semanage dns80 + command: /usr/sbin/semanage port -m -t dns_port_t -p tcp 80 + +- name: semanage dns443 + command: /usr/sbin/semanage port -m -t dns_port_t -p tcp 443 + +- name: semanage dns8953 + command: /usr/sbin/semanage port -a -t dns_port_t -p tcp 8953 diff --git a/inventory/builders b/inventory/builders index ababf2c5dc..de985c2f4c 100644 --- a/inventory/builders +++ b/inventory/builders 
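Review bot: The `semanage dns8953` handler in handlers/semanage.yml is not re-runnable: `semanage port -a` exits non-zero once the tcp/8953 mapping exists, so the second time the handler fires the play fails, while the two `-m` entries only succeed because 80 and 443 already carry a type (http_port_t) and are being quietly relabelled to dns_port_t for every service on that host. A header comment such as `# Relabel 80/443 from http_port_t to dns_port_t so unbound can bind them; do not notify these from a host that also runs httpd` would record the intent, which I infer from the unbound group added in this commit rather than from the file itself. The `-a` handler should either consult `semanage port -l` first or be written so that an already-present mapping is not treated as an error.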
@@ -136,20 +136,21 @@ arm02-builder23.arm.fedoraproject.org # These are in use as arm03-packager01-02 #arm03-builder08.arm.fedoraproject.org #arm03-builder09.arm.fedoraproject.org -arm03-builder10.arm.fedoraproject.org -arm03-builder11.arm.fedoraproject.org -arm03-builder12.arm.fedoraproject.org -arm03-builder13.arm.fedoraproject.org -arm03-builder14.arm.fedoraproject.org -arm03-builder15.arm.fedoraproject.org -arm03-builder16.arm.fedoraproject.org -arm03-builder17.arm.fedoraproject.org -arm03-builder18.arm.fedoraproject.org -arm03-builder19.arm.fedoraproject.org -arm03-builder20.arm.fedoraproject.org -arm03-builder21.arm.fedoraproject.org -arm03-builder22.arm.fedoraproject.org -arm03-builder23.arm.fedoraproject.org +# These are off currently +#arm03-builder10.arm.fedoraproject.org +#arm03-builder11.arm.fedoraproject.org +#arm03-builder12.arm.fedoraproject.org +#arm03-builder13.arm.fedoraproject.org +#arm03-builder14.arm.fedoraproject.org +#arm03-builder15.arm.fedoraproject.org +#arm03-builder16.arm.fedoraproject.org +#arm03-builder17.arm.fedoraproject.org +#arm03-builder18.arm.fedoraproject.org +#arm03-builder19.arm.fedoraproject.org +#arm03-builder20.arm.fedoraproject.org +#arm03-builder21.arm.fedoraproject.org +#arm03-builder22.arm.fedoraproject.org +#arm03-builder23.arm.fedoraproject.org [arm04] arm04-builder00.arm.fedoraproject.org diff --git a/inventory/group_vars/ask b/inventory/group_vars/ask new file mode 100644 index 0000000000..d9b898de11 --- /dev/null +++ b/inventory/group_vars/ask @@ -0,0 +1,18 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 2048 +num_cpus: 2 + +tcp_ports: [ 443 ] + +fas_client_groups: sysadmin-noc,sysadmin-ask,fi-apprentice + +# These are consumed by a task in roles/fedmsg_base/main.yml +fedmsg_certs: +- service: shell + owner: root + group: sysadmin +- service: askbot + owner: root + group: apache 
diff --git a/inventory/group_vars/ask-stg b/inventory/group_vars/ask-stg index 1ea6ee9fc5..d9b898de11 100644 --- a/inventory/group_vars/ask-stg +++ b/inventory/group_vars/ask-stg @@ -7,3 +7,12 @@ num_cpus: 2 tcp_ports: [ 443 ] fas_client_groups: sysadmin-noc,sysadmin-ask,fi-apprentice + +# These are consumed by a task in roles/fedmsg_base/main.yml +fedmsg_certs: +- service: shell + owner: root + group: sysadmin +- service: askbot + owner: root + group: apache diff --git a/inventory/group_vars/buildvm b/inventory/group_vars/buildvm index 251322ba18..7f16b47df6 100644 --- a/inventory/group_vars/buildvm +++ b/inventory/group_vars/buildvm @@ -3,8 +3,8 @@ lvm_size: 150000 mem_size: 6144 num_cpus: 5 -ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/19/Fedora/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-20 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/20/Fedora/x86_64/os/ nm: 255.255.255.0 gw: 10.5.125.254 eth1_gw: 10.5.127.254 diff --git a/inventory/group_vars/docs-backend b/inventory/group_vars/docs-backend index 15782b1c28..e82a860f93 100644 --- a/inventory/group_vars/docs-backend +++ b/inventory/group_vars/docs-backend @@ -6,4 +6,4 @@ num_cpus: 1 # the host_vars/$hostname file tcp_ports: [ 873 ] -fas_client_groups: sysadmin-noc +fas_client_groups: sysadmin-noc,sysadmin-docs diff --git a/inventory/group_vars/fedoauth b/inventory/group_vars/fedoauth new file mode 100644 index 0000000000..42ab8539a8 --- /dev/null +++ b/inventory/group_vars/fedoauth @@ -0,0 +1,12 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 1024 +num_cpus: 2 + +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +tcp_ports: [ 80, 443 ] + +fas_client_groups: sysadmin-main,sysadmin-accounts diff --git a/inventory/group_vars/fedoauth-stg b/inventory/group_vars/fedoauth-stg new file mode 100644 index 0000000000..42ab8539a8 
--- /dev/null
+++ b/inventory/group_vars/fedoauth-stg
@@ -0,0 +1,12 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443 ]
+
+fas_client_groups: sysadmin-main,sysadmin-accounts
diff --git a/inventory/group_vars/kernel-qa b/inventory/group_vars/kernel-qa
index 8e03331925..39e618921d 100644
--- a/inventory/group_vars/kernel-qa
+++ b/inventory/group_vars/kernel-qa
@@ -1,6 +1,5 @@
 ---
 freezes: true
 resolvconf: "{{ files }}/resolv.conf/phx2"
-rsyslogconf: "{{ files }}/rsyslog/rsyslog.conf.phx2"
 fas_client_groups: sysadmin-kernel
 sudoers: "{{ private }}/files/sudo/kernel-qa"
diff --git a/inventory/group_vars/lockbox b/inventory/group_vars/lockbox
new file mode 100644
index 0000000000..7c82a435ae
--- /dev/null
+++ b/inventory/group_vars/lockbox
@@ -0,0 +1,9 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 2048
+num_cpus: 2
+
+tcp_ports: [ 443 ]
+
+fas_client_groups: sysadmin-noc,sysadmin-qa,fi-apprentice
diff --git a/inventory/group_vars/mailman b/inventory/group_vars/mailman
new file mode 100644
index 0000000000..be7c2b61ae
--- /dev/null
+++ b/inventory/group_vars/mailman
@@ -0,0 +1,32 @@
+---
+# common items for the releng-* boxes
+lvm_size: 250000
+mem_size: 4096
+num_cpus: 2
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 25, 80, 443 ]
+fas_client_groups: sysadmin-tools,sysadmin-main
+
+# These are consumed by a task in roles/fedmsg_base/main.yml
+fedmsg_certs:
+- service: shell
+ owner: root
+ group: sysadmin
+- service: mailman
+ owner: mailman
+ group: mailman
+
+# default virt install command is for a single nic-device
+# define in another group file for more nics (see buildvm)
+virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
+ --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+ --vcpus={{ num_cpus }} -l {{ ks_repo }} -x
+ "ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}
+ gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
+ hostname={{ inventory_hostname }}"
+ --network=bridge=br0 --autostart --noautoconsole
+
+# Used by the mailman role
+mailman_dbserver: db01.phx2.fedoraproject.org
diff --git a/inventory/group_vars/mailman-stg b/inventory/group_vars/mailman-stg
index 51b55f1011..62acb4eacb 100644
--- a/inventory/group_vars/mailman-stg
+++ b/inventory/group_vars/mailman-stg
@@ -27,3 +27,6 @@ virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ m
 gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
 hostname={{ inventory_hostname }}"
 --network=bridge=br0 --autostart --noautoconsole
+
+# Used by the mailman role
+mailman_dbserver: db02.stg.phx2.fedoraproject.org
diff --git a/inventory/group_vars/notifs-backend b/inventory/group_vars/notifs-backend
new file mode 100644
index 0000000000..25492830cb
--- /dev/null
+++ b/inventory/group_vars/notifs-backend
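Review bot: The header comment `# common items for the releng-* boxes` on the second line of inventory/group_vars/mailman does not describe this file, which is the group file for the mailman hosts; it reads as copied from another group file. Replace it with `# common items for the mailman boxes` so readers of the inventory are not pointed at the wrong role. The rest of the file is self-describing, including the `# Used by the mailman role` note above `mailman_dbserver`.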
@@ -0,0 +1,10 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 1024 +num_cpus: 2 + +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +fas_client_groups: sysadmin-noc,sysadmin-datanommer diff --git a/inventory/group_vars/notifs-web b/inventory/group_vars/notifs-web new file mode 100644 index 0000000000..bb20797c5f --- /dev/null +++ b/inventory/group_vars/notifs-web @@ -0,0 +1,12 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 1024 +num_cpus: 2 + +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +tcp_ports: [ 80, 443 ] + +fas_client_groups: sysadmin-noc,sysadmin-datanommer diff --git a/inventory/group_vars/nuancier b/inventory/group_vars/nuancier index 95d462cc57..10749d90ea 100644 --- a/inventory/group_vars/nuancier +++ b/inventory/group_vars/nuancier @@ -8,6 +8,8 @@ num_cpus: 2 # the host_vars/$hostname file tcp_ports: [ 80, 443, + # This port is required by gluster + 6996, # These 16 ports are used by fedmsg. One for each wsgi thread. 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] diff --git a/inventory/group_vars/nuancier-stg b/inventory/group_vars/nuancier-stg index 4cceba7e00..fcaa9e6040 100644 --- a/inventory/group_vars/nuancier-stg +++ b/inventory/group_vars/nuancier-stg @@ -8,6 +8,8 @@ num_cpus: 2 # the host_vars/$hostname file tcp_ports: [ 80, 443, + # This port is required by gluster + 6996, # These 16 ports are used by fedmsg. One for each wsgi thread. 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] diff --git a/inventory/group_vars/unbound b/inventory/group_vars/unbound new file mode 100644 index 0000000000..65cc771e6e --- /dev/null +++ b/inventory/group_vars/unbound 
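Review bot: Port 6996 is appended to `tcp_ports` in inventory/group_vars/nuancier, which, going by the unbound group file in this same commit that reaches for `custom_rules` with `-s` to limit port 53 by source, opens it to any address rather than to the gluster peers. A storage-management port should not be exposed as widely as 80 and 443 are; if only the nuancier hosts talk gluster to each other, an entry in `custom_rules` restricted with `-s` to those peers is the safer home for it, and the comment `# This port is required by gluster` should say which side (client or brick) needs it. The same change appears in the nuancier-stg hunk just below.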
@@ -0,0 +1,9 @@ +--- +lvm_size: 10000 +mem_size: 1024 +num_cpus: 2 + +tcp_ports: [ 80, 443 ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 209.132.184.0/24 --dport 53 -j ACCEPT', '-A INPUT -p udp -m udp -s 209.132.184.0/24 --dport 53 -j ACCEPT' ] + +fas_client_groups: sysadmin-dns diff --git a/inventory/host_vars/ask01.phx2.fedoraproject.org b/inventory/host_vars/ask01.phx2.fedoraproject.org new file mode 100644 index 0000000000..7bf45af874 --- /dev/null +++ b/inventory/host_vars/ask01.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/vg_guests00 +eth0_ip: 10.5.126.79 +vmhost: virthost06.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/host_vars/ask02.phx2.fedoraproject.org b/inventory/host_vars/ask02.phx2.fedoraproject.org new file mode 100644 index 0000000000..8ed13210c2 --- /dev/null +++ b/inventory/host_vars/ask02.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/vg_guests00 +eth0_ip: 10.5.126.57 +vmhost: virthost14.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/host_vars/badges-web02.phx2.fedoraproject.org b/inventory/host_vars/badges-web02.phx2.fedoraproject.org index 63f076ca4c..5db61afc23 100644 --- a/inventory/host_vars/badges-web02.phx2.fedoraproject.org +++ b/inventory/host_vars/badges-web02.phx2.fedoraproject.org @@ -4,7 +4,7 @@ gw: 10.5.126.254 dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ -volgroup: /dev/VirtGuests00 +volgroup: /dev/vg_guests00 eth0_ip: 10.5.126.102 -vmhost: virthost01.phx2.fedoraproject.org +vmhost: virthost15.phx2.fedoraproject.org datacenter: phx2 
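Review bot: `tcp_ports: [ 80, 443 ]` opens web ports on hosts that, judging by the unbound-ib01/telia01/tummy01 host_vars added later in this diff, are public DNS resolvers; if nothing listens there, dropping them shrinks the exposed surface, and if something does, a comment saying what would help. The `custom_rules` entries correctly limit 53/tcp and 53/udp to 209.132.184.0/24, but nothing says why that range; a comment such as `# DNS (tcp+udp) only from the network these resolvers are meant to serve` would stop the next person from widening the source range when a query from elsewhere fails. Whether unbound's own access-control mirrors this restriction is worth confirming but is outside this diff.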
diff --git a/inventory/host_vars/bodhi.dev.fedoraproject.org b/inventory/host_vars/bodhi.dev.fedoraproject.org new file mode 100644 index 0000000000..afa45a0fc2 --- /dev/null +++ b/inventory/host_vars/bodhi.dev.fedoraproject.org @@ -0,0 +1,11 @@ +--- +instance_type: m1.medium +image: "{{ el6_qcow_id }}" +keypair: fedora-admin-20130801 +security_group: webserver +zone: nova +hostbase: bodhi.dev +public_ip: 209.132.184.215 +root_auth_users: lmacken +description: bodhi2 dev instance +tcp_ports: ['22', '443'] diff --git a/inventory/host_vars/fedoauth01.phx2.fedoraproject.org b/inventory/host_vars/fedoauth01.phx2.fedoraproject.org new file mode 100644 index 0000000000..591d045bf3 --- /dev/null +++ b/inventory/host_vars/fedoauth01.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/vg_guests00 +eth0_ip: 10.5.126.240 +vmhost: virthost07.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/host_vars/fedoauth01.stg.phx2.fedoraproject.org b/inventory/host_vars/fedoauth01.stg.phx2.fedoraproject.org new file mode 100644 index 0000000000..6a91e2973c --- /dev/null +++ b/inventory/host_vars/fedoauth01.stg.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/vg_guests +eth0_ip: 10.5.126.28 +vmhost: virthost12.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/host_vars/fedoauth02.phx2.fedoraproject.org b/inventory/host_vars/fedoauth02.phx2.fedoraproject.org new file mode 100644 index 0000000000..3a8cc1d508 --- /dev/null +++ b/inventory/host_vars/fedoauth02.phx2.fedoraproject.org 
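Review bot: `tcp_ports: ['22', '443']` in the new bodhi.dev host_vars quotes the ports as strings, while every other group/host vars file in this commit writes them as integers (`tcp_ports: [ 80, 443 ]`). If the iptables template only interpolates the values this is harmless, but any comparison or membership test against integer lists would silently miss them. Suggest `tcp_ports: [22, 443]` for consistency.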
@@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/vg_guests +eth0_ip: 10.5.126.241 +vmhost: virthost09.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/host_vars/lists-dev.cloud.fedoraproject.org b/inventory/host_vars/lists-dev.cloud.fedoraproject.org index 3c4d2556b0..bea082d83a 100644 --- a/inventory/host_vars/lists-dev.cloud.fedoraproject.org +++ b/inventory/host_vars/lists-dev.cloud.fedoraproject.org @@ -1,6 +1,6 @@ --- -instance_type: m1.small -image: "{{ f18_qcow_id }}" +instance_type: m1.large +image: "{{ f19_qcow_id }}" keypair: fedora-admin-20130801 security_group: smtpserver zone: nova diff --git a/inventory/host_vars/lockbox-comm01.qa.fedoraproject.org b/inventory/host_vars/lockbox-comm01.qa.fedoraproject.org new file mode 100644 index 0000000000..38ae35c563 --- /dev/null +++ b/inventory/host_vars/lockbox-comm01.qa.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.124.254 +dns: 10.5.124.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/Guests00 +eth0_ip: 10.5.124.210 +vmhost: virthost-comm01.qa.fedoraproject.org +datacenter: phx2 diff --git a/inventory/host_vars/mailman01.phx2.fedoraproject.org b/inventory/host_vars/mailman01.phx2.fedoraproject.org new file mode 100644 index 0000000000..e642df547c --- /dev/null +++ b/inventory/host_vars/mailman01.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-19 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/19/Fedora/x86_64/os/ +volgroup: /dev/vg_guests +eth0_ip: 10.5.126.36 +vmhost: virthost08.phx2.fedoraproject.org +datacenter: phx2 
diff --git a/inventory/host_vars/mailman02.phx2.fedoraproject.org b/inventory/host_vars/mailman02.phx2.fedoraproject.org new file mode 100644 index 0000000000..03d3100633 --- /dev/null +++ b/inventory/host_vars/mailman02.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-19 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/19/Fedora/x86_64/os/ +volgroup: /dev/vg_guests00 +eth0_ip: 10.5.126.37 +vmhost: virthost07.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/host_vars/notifs-backend01.phx2.fedoraproject.org b/inventory/host_vars/notifs-backend01.phx2.fedoraproject.org new file mode 100644 index 0000000000..cfcc97757f --- /dev/null +++ b/inventory/host_vars/notifs-backend01.phx2.fedoraproject.org @@ -0,0 +1,14 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 + +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ + +eth0_ip: 10.5.126.168 + +volgroup: /dev/vg_virthost09 +vmhost: virthost09.phx2.fedoraproject.org + +datacenter: phx2 diff --git a/inventory/host_vars/notifs-web01.phx2.fedoraproject.org b/inventory/host_vars/notifs-web01.phx2.fedoraproject.org new file mode 100644 index 0000000000..416dc7e424 --- /dev/null +++ b/inventory/host_vars/notifs-web01.phx2.fedoraproject.org @@ -0,0 +1,14 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 + +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ + +eth0_ip: 10.5.126.103 + +volgroup: /dev/vg_virthost04 +vmhost: virthost04.phx2.fedoraproject.org + +datacenter: phx2 diff --git a/inventory/host_vars/notifs-web02.phx2.fedoraproject.org b/inventory/host_vars/notifs-web02.phx2.fedoraproject.org new file mode 100644 index 0000000000..e384071ea6 --- /dev/null +++ b/inventory/host_vars/notifs-web02.phx2.fedoraproject.org 
@@ -0,0 +1,14 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 + +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ + +eth0_ip: 10.5.126.119 + +volgroup: /dev/vg_virthost06 +vmhost: virthost06.phx2.fedoraproject.org + +datacenter: phx2 diff --git a/inventory/host_vars/releng02.phx2.fedoraproject.org b/inventory/host_vars/releng02.phx2.fedoraproject.org index f6667695ec..d0455c5a59 100644 --- a/inventory/host_vars/releng02.phx2.fedoraproject.org +++ b/inventory/host_vars/releng02.phx2.fedoraproject.org @@ -1,3 +1,8 @@ -vmhost: bvirthost05.phx2.fedoraproject.org +vmhost: buildvmhost-12.phx2.fedoraproject.org eth0_ip: 10.5.125.69 volgroup: /dev/xenGuests +mem_size: 65536 +num_cpus: 16 +# With 16 cpus, theres a bunch more kernel threads +nrpe_procs_warn: 900 +nrpe_procs_crit: 1000 diff --git a/inventory/host_vars/unbound-ib01.fedoraproject.org b/inventory/host_vars/unbound-ib01.fedoraproject.org new file mode 100644 index 0000000000..c46e9bfd6b --- /dev/null +++ b/inventory/host_vars/unbound-ib01.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.128 +gw: 152.19.134.129 +dns: 152.2.21.1 +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/ibiblio01_vg +eth0_ip: 152.19.134.150 +vmhost: ibiblio01.fedoraproject.org +datacenter: ibiblio diff --git a/inventory/host_vars/unbound-telia01.fedoraproject.org b/inventory/host_vars/unbound-telia01.fedoraproject.org new file mode 100644 index 0000000000..eff1ba2a92 --- /dev/null +++ b/inventory/host_vars/unbound-telia01.fedoraproject.org 
@@ -0,0 +1,10 @@ +--- +nm: 255.255.255.240 +gw: 80.239.156.209 +dns: 213.248.76.210 +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/VolGroup00 +eth0_ip: 80.239.156.220 +vmhost: telia01.fedoraproject.org +datacenter: telia diff --git a/inventory/host_vars/unbound-tummy01.fedoraproject.org b/inventory/host_vars/unbound-tummy01.fedoraproject.org new file mode 100644 index 0000000000..36bf45031b --- /dev/null +++ b/inventory/host_vars/unbound-tummy01.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.240 +gw: 66.35.62.174 +dns: 198.49.126.1 66.35.36.133 +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/VolGroup00 +eth0_ip: 66.35.62.163 +vmhost: tummy01.fedoraproject.org +datacenter: tummy diff --git a/inventory/inventory b/inventory/inventory index 7b8617f51a..316317b6dc 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -29,7 +29,6 @@ app02.phx2.fedoraproject.org app03.phx2.fedoraproject.org app04.phx2.fedoraproject.org app05.fedoraproject.org -app06.fedoraproject.org app08.fedoraproject.org [app-stg] @@ -146,6 +145,10 @@ fedocal01.stg.phx2.fedoraproject.org [gallery-stg] gallery01.stg.phx2.fedoraproject.org +[mailman] +mailman01.phx2.fedoraproject.org +mailman02.phx2.fedoraproject.org + [mailman-stg] mailman01.stg.phx2.fedoraproject.org @@ -154,7 +157,7 @@ collab03.fedoraproject.org collab04.fedoraproject.org [releng] -releng01.phx2.fedoraproject.org +#releng01.phx2.fedoraproject.org releng02.phx2.fedoraproject.org releng04.phx2.fedoraproject.org relepel01.phx2.fedoraproject.org 
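Review bot: `dns: 198.49.126.1 66.35.36.133` in the new unbound-tummy01 host_vars puts two space-separated addresses into a value that the group `virt_install_command` (first hunk of this page) interpolates as `dns={{ dns }}` inside the quoted `-x` kernel command line; the space would split it into `dns=198.49.126.1` plus a stray `66.35.36.133` boot argument. The other unbound-* host_vars in this diff use a single address. If a second resolver is wanted, use the installer's list separator (anaconda's `dns=` option takes comma-separated addresses, as far as I know), e.g. `dns: 198.49.126.1,66.35.36.133`, otherwise keep one value.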
@@ -247,13 +250,23 @@ dhcp01.phx2.fedoraproject.org noc01.phx2.fedoraproject.org noc02.fedoraproject.org +[lockbox] +lockbox-comm01.qa.fedoraproject.org + [nagios] noc01.phx2.fedoraproject.org noc02.fedoraproject.org +[notifs-backend] +notifs-backend01.phx2.fedoraproject.org + [notifs-backend-stg] notifs-backend01.stg.phx2.fedoraproject.org +[notifs-web] +notifs-web01.phx2.fedoraproject.org +notifs-web02.phx2.fedoraproject.org + [notifs-web-stg] notifs-web01.stg.phx2.fedoraproject.org notifs-web02.stg.phx2.fedoraproject.org @@ -269,6 +282,13 @@ nuancier02.stg.phx2.fedoraproject.org [fedocal-stg] fedocal01.stg.phx2.fedoraproject.org +[fedoauth] +fedoauth01.phx2.fedoraproject.org +fedoauth02.phx2.fedoraproject.org + +[fedoauth-stg] +fedoauth01.stg.phx2.fedoraproject.org + [memcached] memcached03.phx2.fedoraproject.org memcached04.phx2.fedoraproject.org @@ -283,7 +303,6 @@ openid01.phx2.fedoraproject.org openid02.phx2.fedoraproject.org [other] -mm3test.fedoraproject.org people03.fedoraproject.org survey01.dev.fedoraproject.org secondary01.phx2.fedoraproject.org @@ -326,7 +345,6 @@ proxy01.phx2.fedoraproject.org proxy02.fedoraproject.org proxy03.fedoraproject.org proxy04.fedoraproject.org -proxy05.fedoraproject.org proxy06.fedoraproject.org proxy07.fedoraproject.org proxy08.fedoraproject.org @@ -354,6 +372,7 @@ db02.stg.phx2.fedoraproject.org db-fas01.stg.phx2.fedoraproject.org elections01.stg.phx2.fedoraproject.org fas01.stg.phx2.fedoraproject.org +fedoauth01.stg.phx2.fedoraproject.org fedocal01.stg.phx2.fedoraproject.org fedocal01.stg.phx2.fedoraproject.org koji01.stg.phx2.fedoraproject.org @@ -363,7 +382,6 @@ notifs-web01.stg.phx2.fedoraproject.org notifs-web02.stg.phx2.fedoraproject.org nuancier01.stg.phx2.fedoraproject.org nuancier02.stg.phx2.fedoraproject.org -openid01.stg.phx2.fedoraproject.org packages01.stg.phx2.fedoraproject.org paste01.stg.phx2.fedoraproject.org pkgs01.stg.phx2.fedoraproject.org 
@@ -374,7 +392,7 @@ value01.stg.phx2.fedoraproject.org [taskotron] taskotron-dev01.qa.fedoraproject.org -[unbound-dns] +[unbound] unbound-ib01.fedoraproject.org unbound-telia01.fedoraproject.org unbound-tummy01.fedoraproject.org @@ -386,9 +404,9 @@ value03.phx2.fedoraproject.org value01.stg.phx2.fedoraproject.org [virthost] -virthost01.phx2.fedoraproject.org +#virthost01.phx2.fedoraproject.org virthost02.phx2.fedoraproject.org -virthost03.phx2.fedoraproject.org +#virthost03.phx2.fedoraproject.org virthost04.phx2.fedoraproject.org virthost05.phx2.fedoraproject.org virthost06.phx2.fedoraproject.org @@ -424,7 +442,8 @@ copr-fe-dev.cloud.fedoraproject.org hrf.cloud.fedoraproject.org #shogun-ca.cloud.fedoraproject.org 209.132.184.157 - +# bodhi.dev.fedoraproject.org +bodhi.dev.fedoraproject.org [cloud] jenkins-slaves @@ -490,7 +509,7 @@ colo-virt [groupc:children] value qa -unbound-dns +unbound dev staging builders diff --git a/playbooks/f19_temp_instance.yml b/playbooks/f19_temp_instance.yml index 08c95144c8..6a41071a96 100644 --- a/playbooks/f19_temp_instance.yml +++ b/playbooks/f19_temp_instance.yml @@ -31,9 +31,10 @@ tasks: - name: growpart /dev/vda1 partition (/) to full size action: command growpart /dev/vda 1 - ignore_errors: true register: growpart + always_run: true changed_when: "growpart.rc != 1" + failed_when: growpart.rc == 2 - name: resize the /dev/vda 1 fs action: command resize2fs /dev/vda1 diff --git a/playbooks/f20_temp_instance.yml b/playbooks/f20_temp_instance.yml index c2b4a1a865..9f4c4a7b93 100644 --- a/playbooks/f20_temp_instance.yml +++ b/playbooks/f20_temp_instance.yml @@ -31,9 +31,10 @@ tasks: - name: growpart /dev/vda1 partition (/) to full size action: command growpart /dev/vda 1 - ignore_errors: true register: growpart + always_run: true changed_when: "growpart.rc != 1" + failed_when: growpart.rc == 2 - name: resize the /dev/vda 1 fs action: command resize2fs /dev/vda1 
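Review bot: `always_run: true` makes the `command growpart /dev/vda 1` task execute even under `--check`, so a check-mode run of playbooks/f19_temp_instance.yml now actually resizes the instance's partition; the identical hunk in playbooks/f20_temp_instance.yml has the same issue. The flag seems intended to make `growpart` available for the new `changed_when`/`failed_when` expressions, but those only need the task to run in a normal run. Unless growing the partition during a check is really intended, drop `always_run: true`; the `failed_when: growpart.rc == 2` / `changed_when: "growpart.rc != 1"` pair itself matches growpart's 0/1/2 exit codes and is fine.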
diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml index 4d44c54b75..969c4cbdf1 100644 --- a/playbooks/groups/arm-packager.yml +++ b/playbooks/groups/arm-packager.yml @@ -12,10 +12,10 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml index 4193d22a47..68e7de91ec 100644 --- a/playbooks/groups/arm-qa.yml +++ b/playbooks/groups/arm-qa.yml @@ -12,10 +12,10 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/arm-releng.yml b/playbooks/groups/arm-releng.yml index 85ea2804ff..6c9190c663 100644 --- a/playbooks/groups/arm-releng.yml +++ b/playbooks/groups/arm-releng.yml @@ -12,11 +12,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client + - base + - fas_client + - rkhunter + - denyhosts + - nagios_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/ask.yml b/playbooks/groups/ask.yml index 6cfb7a7dd4..8de5586f27 100644 --- a/playbooks/groups/ask.yml +++ b/playbooks/groups/ask.yml @@ -1,5 +1,5 @@ - name: make ask - hosts: ask-stg + hosts: ask-stg:ask user: root gather_facts: False accelerate: True 
@@ -17,7 +17,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: make the box be real - hosts: ask-stg + hosts: ask-stg:ask user: root gather_facts: True accelerate: True @@ -28,12 +28,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/ask + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - ask + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml index 11f5cab524..1c29569fa6 100644 --- a/playbooks/groups/backup-server.yml +++ b/playbooks/groups/backup-server.yml @@ -15,11 +15,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml index db6c80fafe..022e3e4769 100644 --- a/playbooks/groups/badges-backend.yml +++ b/playbooks/groups/badges-backend.yml @@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" 
@@ -58,8 +58,8 @@ accelerate: True roles: - - /srv/web/infra/ansible/roles/fedmsg-hub - - /srv/web/infra/ansible/roles/badges-backend + - fedmsg-hub + - badges-backend vars_files: - /srv/web/infra/ansible/vars/global.yml diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml index 737dcbbb74..fa0dec9b81 100644 --- a/playbooks/groups/badges-web.yml +++ b/playbooks/groups/badges-web.yml @@ -32,13 +32,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/badges-frontend - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - badges-frontend + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml index 8f55210b19..d3d6e9d3c4 100644 --- a/playbooks/groups/beaker.yml +++ b/playbooks/groups/beaker.yml @@ -29,11 +29,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/bkernel.yml b/playbooks/groups/bkernel.yml index bad914e36c..663f6ef836 100644 --- a/playbooks/groups/bkernel.yml +++ b/playbooks/groups/bkernel.yml 
@@ -13,10 +13,10 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base + - koji_builder tasks: - - include: "{{ tasks }}/koji/base_builder.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml" - include: "{{ tasks }}/koji/bkernel-setup.yml" diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml index 0dc109d973..ccd72ed32e 100644 --- a/playbooks/groups/buildhw.yml +++ b/playbooks/groups/buildhw.yml @@ -6,7 +6,6 @@ hosts: buildhw;buildppc;buildarm user: root gather_facts: True - accellerate: True vars_files: - /srv/web/infra/ansible/vars/global.yml @@ -14,39 +13,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base + - koji_builder tasks: - include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/hosts.yml" - - include: "{{ tasks }}/koji/base_builder.yml" handlers: - include: "{{ handlers }}/restart_services.yml" - - - name: restart kojid - action: service name=kojid state=restarted - -- name: make koji builder(s) on raw hw - hosts: buildhw - user: root - gather_facts: True - accellerate: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - /srv/web/infra/ansible/roles/base - - tasks: - - include: "{{ tasks }}/hosts.yml" - - include: "{{ tasks }}/koji/builder_kernel_config.yml" - - handlers: - - include: "{{ handlers }}/restart_services.yml" - - - name: restart kojid - action: service name=kojid state=restarted diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index aa3191e0d5..0222f61859 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml 
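Review bot: The deleted play `make koji builder(s) on raw hw` was the only place buildhw included `{{ tasks }}/koji/builder_kernel_config.yml`, and the surviving play does not include it, whereas buildvm.yml and bkernel.yml in this same commit keep that include; unless the new `koji_builder` role covers the kernel config, buildhw silently loses it. If it is still needed, add `- include: "{{ tasks }}/koji/builder_kernel_config.yml"` after the hosts.yml include, otherwise a short comment saying the role handles it would help. The `restart kojid` handler is also removed here (and in buildvm.yml); any task in the included files that still does `notify: restart kojid` will now reference an undefined handler, so that is worth a grep before merging. Removing the misspelled `accellerate: True` key is correct, as it was being ignored.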
@@ -32,15 +32,16 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base + - koji_builder tasks: - include: "{{ tasks }}/hosts.yml" - - include: "{{ tasks }}/koji/base_builder.yml" + - include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml" + - name: make sure kojid is running + action: service name=kojid state=running + handlers: - include: "{{ handlers }}/restart_services.yml" - - - name: restart kojid - action: service name=kojid state=restarted diff --git a/playbooks/groups/docs-backend.yml b/playbooks/groups/docs-backend.yml index f0cb73d20e..657784627c 100644 --- a/playbooks/groups/docs-backend.yml +++ b/playbooks/groups/docs-backend.yml @@ -25,12 +25,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/yum-cron + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - yum-cron tasks: # this is how you include other task lists diff --git a/playbooks/groups/elections.yml b/playbooks/groups/elections.yml index 5cf4819fb6..0e44193cab 100644 --- a/playbooks/groups/elections.yml +++ b/playbooks/groups/elections.yml @@ -27,11 +27,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/fedoauth.yml b/playbooks/groups/fedoauth.yml new file mode 100644 index 0000000000..62c75bb0c1 --- /dev/null 
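Review bot: The new task `action: service name=kojid state=running` uses `running`, which the service module only accepts as a legacy alias for `started` (if the Ansible version in use still accepts it at all); the documented value is `started`. Change it to `action: service name=kojid state=started`. The added `yumrepos.yml` include runs after `hosts.yml`, matching the order in buildhw.yml, so that part is consistent.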
+++ b/playbooks/groups/fedoauth.yml @@ -0,0 +1,70 @@ +# create a new FedOAuth server +# NOTE: should be used with --limit most of the time +# NOTE: make sure there is room/space for this server on the vmhost +# NOTE: most of these vars_path come from group_vars/fedoauth* or from hostvars + +- name: make fedoauth + hosts: fedoauth-stg:fedoauth + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - include: "{{ tasks }}/virt_instance_create.yml" + - include: "{{ tasks }}/accelerate_prep.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + +- name: make the box be real + hosts: fedoauth-stg:fedoauth + user: root + gather_facts: True + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + + tasks: + - include: "{{ tasks }}/hosts.yml" + - include: "{{ tasks }}/yumrepos.yml" + - include: "{{ tasks }}/2fa_client.yml" + - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/sudo.yml" + - include: "{{ tasks }}/openvpn_client.yml" + when: env != "staging" + - include: "{{ tasks }}/apache.yml" + - include: "{{ tasks }}/mod_wsgi.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + +- name: deploy fedoauth itself + hosts: fedoauth-stg:fedoauth + user: root + gather_facts: True + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "{{ vars_path }}/{{ ansible_distribution }}.yml" + + roles: + - fedoauth + + handlers: + - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/fedocal.yml b/playbooks/groups/fedocal.yml index 91ffcf861e..cb9ba4e356 100644 --- a/playbooks/groups/fedocal.yml +++ b/playbooks/groups/fedocal.yml 
@@ -32,11 +32,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" @@ -64,7 +64,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/fedmsg_base + - fedmsg_base handlers: - include: "{{ handlers }}/restart_services.yml" @@ -81,7 +81,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/fedocal + - fedocal handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml index d41f03c520..ef8cff1588 100644 --- a/playbooks/groups/gallery.yml +++ b/playbooks/groups/gallery.yml @@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" @@ -62,7 +62,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/gallery + - gallery handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index 595b9aa481..fcc359f31c 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml @@ -5,7 +5,7 @@ tags: - jenkins_master - vars_files: + vars_files: - /srv/web/infra/ansible/vars/global.yml - "{{ private }}/vars.yml" 
@@ -20,7 +20,7 @@ tags: - jenkins_master - vars_files: + vars_files: - /srv/web/infra/ansible/vars/global.yml - "{{ private }}/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml @@ -28,7 +28,7 @@ - resolvconf: resolv.conf/jenkins-cloud roles: - - /srv/web/infra/ansible/roles/base + - base tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" @@ -69,7 +69,7 @@ - name: enable apache action: service name=httpd state=running enabled=true - - name: add jenkins upstream repo + - name: add jenkins upstream repo action: copy src="{{ files }}/jenkins/master/jenkins.repo" dest=/etc/yum.repos.d/jenkins.repo owner=root group=root tags: - config 
@@ -100,10 +100,92 @@ - name: mkdir dir for jenkins data action: file state=directory path=/var/lib/jenkins/plugins/ owner=jenkins group=jenkins - - name: import jenkins plugins - action: copy src={{ item }} owner=jenkins group=jenkins dest=/var/lib/jenkins/plugins/ - with_fileglob: - - "{{ files }}/jenkins/master/plugins/*.hpi" + - name: Download jenkins plugins + get_url: url=https://updates.jenkins-ci.org/download/plugins/{{ item.name }}/{{ item.version }}/{{ item.name }}.hpi + dest=/var/lib/jenkins/plugins/{{ item.name }}.hpi + sha256sum={{ item.sha }} + with_items: + - name: bazaar + version: 1.22 + sha: d7ff0987c96e2a694257ecf897ceee376908c5f94abfd1d5efc32482e4d54141 + - name: chucknorris + version: 0.5 + sha: bd9df0507008255ad2ed046368d10a4d039a6cbcfefb53c71c1768cc0dcbf65b + - name: cobertura + version: 1.9.3 + sha: 3db93d70486b80a904a74ce40b0ac6a7812d1f522f820d0e5d7b538401bc2946 + - name: cvs + version: 2.11 + sha: 7c917bc824019a81d54472c525e4d724dfb4ae10b59bf64e692a2fc59fcd33cc + - name: external-monitor-job + version: 1.2 + sha: 8dd2644271d0138839490342833e9ff7f82772038f673f5ac6220193c587747d + - name: git + version: 2.0.1 + sha: 68c7fa6f9e3e1e3991bbba67ca86c2590e425f80a7176171ad7c645d57abe839 + - name: git-client + version: 1.6.1 + sha: 6b5762e7f423e0c40b068f671a276e83e4093c019164f61959b83d98bc24dedd + - name: instant-messaging + version: 1.28 + sha: 0b84561fd72cb80d89c5c57548fe8b7270d448f66361dedd07e227fb1bd44f03 + - name: ldap + version: 1.8 + sha: 491905ec3675b6a5acf2098722c121732801fd6210e6ff54bc99d213b5b8ee58 + - name: maven-plugin + version: 2.1 + sha: 1f80592242251bd1c3ca7ba0290905567bba2883fdf828f66a6759d64d1a64bf + - name: mercurial + version: 1.49 + sha: c7af29d9af2071aa60fd82efc90d97f52c38b8911160796c1d9c0a89768f36e4 + - name: openid + version: 1.8 + sha: fed09c7da7762323cf55c3b725493622a4a2460eab8622230497e35914ac9d7e + - name: python + version: 1.2 + sha: e3358a945f21b84a8156237b0d621815a7822322e1180ae1e66d10798aaf1f56 + - name: scm-api + 
version: 0.2 + sha: cc856d8dc8b951cf9a195baa2bf7bbff0d12368534a6b973e43e2909141eff3f + - name: ssh-agent + version: 1.4.1 + sha: ae8227bf219e96a4d76f36dc6d6e652ddd0209e8d9c4cf4483a07858d707ce6e + - name: subversion + version: 1.54 + sha: 90c109cbecdf00fbe1a377770d735cf12dcae6f750c00b19b59eaee223a54aa2 + - name: translation + version: 1.11 + sha: 4d88b8d74ade119cef76827bd385693447fa68fa18fd1bfc8806aff9d931f00e + - name: violations + version: 0.7.11 + sha: f8eacb53eb01f83f3702009a41cef89e520a72933671ac1ee9154d88bde2d67a + - name: xunit + version: 1.81 + sha: 8749ef1b3861ea6a5166c7a6f443e20dca346f98aa58ab2bb3f3376b6392244e + - name: multiple-scms + version: 0.3 + sha: e79d7e855ffe0ad060d11ae1ce0b39f68e7fa031c6e831f60fe33e5ddb3392ac + - name: credentials + version: 1.9.4 + sha: 2fedc41d977a166c1addd82cd0cc9b73cffd34b97f7c0756bad7dc198ccd98de + - name: mailer + version: 1.8 + sha: fb9c6d471c2fea97fc2ccb64bfac18f77c847e740bcc2d5a4de31c35e851728a + notify: + - restart jenkins + tags: + - config + + - name: Download additional jenkins plugins (from the maven repo) + get_url: url=http://maven.jenkins-ci.org/content/repositories/releases/org/jvnet/hudson/plugins/{{ item.name }}/{{ item.version }}/{{ item.name }}-{{ item.version }}.hpi + dest=/var/lib/jenkins/plugins/{{ item.name }}.hpi + sha256sum={{ item.sha }} + with_items: + - name: warnings + version: 4.39 + sha: 7652b7ed8971de932f46323aa8e0ddee2bcf4f14839296481ae79590e09f7606 + notify: + - restart jenkins tags: - config @@ -136,7 +218,7 @@ copy: src={{ item }} dest=/var/lib/jenkins/plugins/openid/WEB-INF/lib/ group=jenkins mode=655 with_fileglob: - "{{ bigfiles }}/hotfixes/jenkins/openid/*.jar" - notify: + notify: - restart jenkins handlers: @@ -205,7 +287,7 @@ - python-bugzilla - python-straight-plugin - python-pip - - python-virtualenv + - python-virtualenv - python-coverage - pylint - python-argparse 
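Review bot: The two new `get_url` tasks that replace the `copy src=... owner=jenkins group=jenkins` task set no `owner`/`group`/`mode`, so the downloaded `.hpi` files are created as root with the default umask; Jenkins can still read them, but it can no longer update or remove those plugins itself, which is a behaviour change from the old task. Add `owner=jenkins group=jenkins mode=0644` to both `get_url` calls if the old ownership is wanted. Pinning `sha256sum` per plugin is what gives integrity here, and it is also what makes the plain `http://maven.jenkins-ci.org/...` URL of the second task tolerable; switching it to https as well, if that repository serves it, would keep a tampered download from being fetched at all rather than just rejected. This hunk starts in the previous line of the page; the task list it belongs to is complete within it.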
@@ -224,6 +306,7 @@ - asciidoc # Required by javapackages-tools - xmlto # Required by javapackages-tools - pycairo-devel # Required by dogtail + - pyflakes # Requested by user rholy (ticket #4175) tags: - packages @@ -299,6 +382,7 @@ - lvm2 - sshpass # End requires for Cockpit - tito # Requested by msrb for javapackages-tools and xmvn (ticket#4113) + - pyflakes # Requested by user rholy (ticket #4175) tags: - packages @@ -330,7 +414,7 @@ - name: setup jenkins_slave user action: user name=jenkins_slave state=present createhome=yes system=no tags: - - jenkinsuser + - jenkinsuser - name: setup jenkins_slave ssh key action: authorized_key user=jenkins_slave key="{{ item }}" @@ -339,12 +423,12 @@ - name: jenkins_slave to mock group action: user name=jenkins_slave groups=mock - + - name: add .gitconfig for jenkins_slave user action: copy src="{{ files }}/jenkins/gitconfig" dest=/home/jenkins_slave/.gitconfig owner=jenkins_slave group=jenkins_slave mode=664 tags: - config - + - name: template sshd_config action: copy src={{ item }} dest=/etc/ssh/sshd_config mode=0600 owner=root group=root first_available_file: @@ -354,7 +438,7 @@ - restart sshd tags: - config - + - name: mkdir dir for jenkins data action: file state=directory path=/mnt/jenkins owner=jenkins_slave group=jenkins_slave diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml index ec57825d4b..860f82475c 100644 --- a/playbooks/groups/keyserver.yml +++ b/playbooks/groups/keyserver.yml @@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" 
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index 425f374cd2..ef648fb73d 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml @@ -31,12 +31,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/koji_hub + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - koji_hub tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/lockbox.yml b/playbooks/groups/lockbox.yml new file mode 100644 index 0000000000..4fa95b640e --- /dev/null +++ b/playbooks/groups/lockbox.yml @@ -0,0 +1,43 @@ +- name: make lockbox + hosts: lockbox + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - include: "{{ tasks }}/virt_instance_create.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + +- name: make the box be real + hosts: lockbox + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - ansible-server + + tasks: + - include: "{{ tasks }}/hosts.yml" + - include: "{{ tasks }}/yumrepos.yml" + - include: "{{ tasks }}/2fa_client.yml" + - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/sudo.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 74582c2d93..9c1cda5a93 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml 
@@ -3,15 +3,15 @@ # NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - name: make mailman server - hosts: mailman-stg + hosts: mailman-stg:mailman user: root gather_facts: False accelerate: True vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: - include: "{{ tasks }}/virt_instance_create.yml" @@ -21,23 +21,23 @@ - include: "{{ handlers }}/restart_services.yml" - name: make the box be real - hosts: mailman-stg + hosts: mailman-stg:mailman user: root gather_facts: True accelerate: True vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/yum-cron + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - yum-cron tasks: # this is how you include other task lists 
@@ -54,51 +54,71 @@ - include: "{{ handlers }}/restart_services.yml" +# # Database setup +# + +- name: prepare setting up the database + hosts: db02.stg.phx2.fedoraproject.org:db01.phx2.fedoraproject.org + gather_facts: no + user: root + + tasks: + - name: install psycopg2 for the postgresql ansible modules + yum: pkg=python-psycopg2 state=installed + tags: + - packages + - name: setup the database - hosts: db02.stg.phx2.fedoraproject.org + hosts: db02.stg.phx2.fedoraproject.org:db01.phx2.fedoraproject.org gather_facts: no sudo: yes sudo_user: postgres vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" tasks: - # mailman auto-updates its schema, there can only be one admin user - - name: mailman DB user - postgresql_user: name=mailmanadmin password={{ mailman_mm_db_pass }} - - name: hyperkitty DB admin user - postgresql_user: name=hyperkittyadmin password={{ mailman_hk_admin_db_pass }} - - name: hyperkitty DB user - postgresql_user: name=hyperkittyapp password={{ mailman_hk_db_pass }} - - name: kittystore DB admin user - postgresql_user: name=kittystoreadmin password={{ mailman_ks_admin_db_pass }} - - name: kittystore DB user - postgresql_user: name=kittystoreapp password={{ mailman_ks_db_pass }} - - name: databases creation - postgresql_db: name={{ item }} owner="{{ item }}admin" encoding=UTF-8 - with_items: - - mailman - - hyperkitty - - kittystore + # mailman auto-updates its schema, there can only be one admin user + - name: mailman DB user + postgresql_user: name=mailmanadmin password={{ mailman_mm_db_pass }} + - name: hyperkitty DB admin user + postgresql_user: name=hyperkittyadmin password={{ mailman_hk_admin_db_pass }} + - name: hyperkitty DB user + postgresql_user: name=hyperkittyapp password={{ mailman_hk_db_pass }} + - name: 
kittystore DB admin user + postgresql_user: name=kittystoreadmin password={{ mailman_ks_admin_db_pass }} + - name: kittystore DB user + postgresql_user: name=kittystoreapp password={{ mailman_ks_db_pass }} + - name: databases creation + postgresql_db: name={{ item }} owner="{{ item }}admin" encoding=UTF-8 + with_items: + - mailman + - hyperkitty + - kittystore # Real MM/HK-specific work - name: setup mailman and hyperkitty - hosts: mailman-stg + hosts: mailman-stg:mailman user: root gather_facts: True vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/mailman - - /srv/web/infra/ansible/roles/fedmsg_base + - role: mailman + mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org" + mailman_mm_db_pass: "{{ mailman_mm_db_pass }}" + mailman_hk_admin_db_pass: "{{ mailman_hk_admin_db_pass }}" + mailman_hk_db_pass: "{{ mailman_hk_db_pass }}" + mailman_ks_admin_db_pass: "{{ mailman_ks_admin_db_pass }}" + mailman_ks_db_pass: "{{ mailman_ks_db_pass }}" + - fedmsg_base tasks: - name: install more needed packages diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml index c389d92f20..c3a7d891e6 100644 --- a/playbooks/groups/mirrorlist.yml +++ b/playbooks/groups/mirrorlist.yml 
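Review bot: `mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org"` is set at play level for `hosts: mailman-stg:mailman`, so the staging host will accept mail addressed to the production domain and vice versa; move this value into group_vars (or separate per-group role entries) so each host lists only its own destination domain. The five `mailman_*_db_pass: "{{ mailman_*_db_pass }}"` role parameters appear to assign each variable to itself and can be dropped, since the play vars are visible to the role under the same names. The `setup the database` play now also targets `db01.phx2.fedoraproject.org`; the comment `# mailman auto-updates its schema, there can only be one admin user` applies to production too, so confirm no other admin role already exists on that server before `postgresql_db ... owner="{{ item }}admin"` runs there.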
@@ -32,13 +32,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/geoip - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/mirrorlist + - base + - rkhunter + - denyhosts + - nagios_client + - geoip + - fas_client + - mirrorlist tasks: # this is how you include other task lists diff --git a/playbooks/groups/notifs-backend.yml b/playbooks/groups/notifs-backend.yml index 4d2dac3e2d..b3d159a144 100644 --- a/playbooks/groups/notifs-backend.yml +++ b/playbooks/groups/notifs-backend.yml @@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" @@ -45,8 +45,10 @@ - include: "{{ tasks }}/2fa_client.yml" - include: "{{ tasks }}/motd.yml" - include: "{{ tasks }}/sudo.yml" - - include: "{{ tasks }}/openvpn_client.yml" - when: env != "staging" + # The proxies don't actually need to talk to these hosts so we won't bother + # putting them on the vpn. + #- include: "{{ tasks }}/openvpn_client.yml" + # when: env != "staging" handlers: - include: "{{ handlers }}/restart_services.yml" @@ -58,8 +60,8 @@ accelerate: True roles: - - /srv/web/infra/ansible/roles/fedmsg-hub - - /srv/web/infra/ansible/roles/notifs-backend + - fedmsg-hub + - notifs-backend vars_files: - /srv/web/infra/ansible/vars/global.yml diff --git a/playbooks/groups/notifs-web.yml b/playbooks/groups/notifs-web.yml index 01458e3038..d51c7e7738 100644 
--- a/playbooks/groups/notifs-web.yml +++ b/playbooks/groups/notifs-web.yml @@ -32,13 +32,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base - - /srv/web/infra/ansible/roles/notifs-frontend + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base + - notifs-frontend tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/nuancier.yml b/playbooks/groups/nuancier.yml index 5a86f0673b..a74f1b5749 100644 --- a/playbooks/groups/nuancier.yml +++ b/playbooks/groups/nuancier.yml @@ -32,11 +32,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" 
@@ -64,11 +64,42 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/fedmsg_base + - fedmsg_base handlers: - include: "{{ handlers }}/restart_services.yml" +- name: set up gluster + hosts: nuancier-stg + user: root + gather_facts: True + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: gluster/server + name: gluster + username: "{{ nuancier_gluster_username }}" + password: "{{ nuancier_gluster_password }}" + owner: root + group: root + datadir: /srv/glusterfs/nuancier + + - role: gluster/client + name: gluster + servers: + - nuancier01.stg.phx2.fedoraproject.org + - nuancier02.stg.phx2.fedoraproject.org + username: "{{ nuancier_gluster_username }}" + password: "{{ nuancier_gluster_password }}" + owner: apache + group: root + mountdir: /var/cache/nuancier + - name: deploy nuancier itself hosts: nuancier;nuancier-stg user: root @@ -81,7 +112,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/nuancier + - nuancier handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml index 371a1453e9..fcf27859ea 100644 --- a/playbooks/groups/postgresl-server.yml +++ b/playbooks/groups/postgresl-server.yml @@ -33,12 +33,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/postgresql_server + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - postgresql_server tasks: - include: "{{ tasks }}/hosts.yml" 
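Review bot: The new `set up gluster` play is limited to `hosts: nuancier-stg` and hard-codes `nuancier01.stg.phx2.fedoraproject.org`/`nuancier02.stg.phx2.fedoraproject.org` as `servers:`, while the following `deploy nuancier itself` play still targets `nuancier;nuancier-stg`, so production hosts would get the application without the `/var/cache/nuancier` mount this play provides. Either extend the play to the production group and derive the list from inventory (`servers: "{{ groups['nuancier-stg'] }}"` or the equivalent per-environment group), or add a comment stating that production is intentionally excluded for now.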
diff --git a/playbooks/groups/releng.yml b/playbooks/groups/releng.yml index 9773c70560..da0286713a 100644 --- a/playbooks/groups/releng.yml +++ b/playbooks/groups/releng.yml @@ -4,7 +4,7 @@ # NOTE: most of these vars_path come from group_vars/releng or from hostvars - name: make releng systems - hosts: releng01.phx2.fedoraproject.org:releng02.phx2.fedoraproject.org + hosts: releng02.phx2.fedoraproject.org user: root gather_facts: False accelerate: True @@ -23,7 +23,7 @@ # Once the instance exists, configure it. - name: make releng server system - hosts: releng01.phx2.fedoraproject.org:releng02.phx2.fedoraproject.org + hosts: releng02.phx2.fedoraproject.org user: root gather_facts: True accelerate: True @@ -34,8 +34,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/nagios_client + - base + - nagios_client tasks: - include: "{{ tasks }}/koji/releng_config.yml" diff --git a/playbooks/groups/taskotron.yml b/playbooks/groups/taskotron.yml index d79490fb26..7f0ca7e227 100644 --- a/playbooks/groups/taskotron.yml +++ b/playbooks/groups/taskotron.yml @@ -29,12 +29,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/yum-cron + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - yum-cron tasks: # this is how you include other task lists diff --git a/playbooks/groups/unbound.yml b/playbooks/groups/unbound.yml new file mode 100644 index 0000000000..a0ffc54980 --- /dev/null +++ b/playbooks/groups/unbound.yml 
@@ -0,0 +1,48 @@ +- name: make unbound + hosts: unbound + user: root + gather_facts: False + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - include: "{{ tasks }}/virt_instance_create.yml" + - include: "{{ tasks }}/accelerate_prep.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + +- name: make the box be real + hosts: unbound + user: root + gather_facts: True + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - unbound + + tasks: + - include: "{{ tasks }}/hosts.yml" + - include: "{{ tasks }}/yumrepos.yml" + - include: "{{ tasks }}/2fa_client.yml" + - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/sudo.yml" + - include: "{{ tasks }}/openvpn_client.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + - include: "{{ handlers }}/semanage.yml" diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml index 08c2b71411..444e748a00 100644 --- a/playbooks/groups/virthost.yml +++ b/playbooks/groups/virthost.yml @@ -14,12 +14,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/iscsi_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - iscsi_client tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/hosts/bodhi.dev.fedoraproject.org.yml b/playbooks/hosts/bodhi.dev.fedoraproject.org.yml new file mode 100644 index 0000000000..5d47fbef8e --- /dev/null 
+++ b/playbooks/hosts/bodhi.dev.fedoraproject.org.yml @@ -0,0 +1,38 @@ +- name: check/create instance + hosts: bodhi.dev.fedoraproject.org + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + + tasks: + - include: "{{ tasks }}/persistent_cloud.yml" + - include: "{{ tasks }}/growroot_cloud.yml" + +- name: provision instance + hosts: bodhi.dev.fedoraproject.org + user: root + gather_facts: True + vars: + - tcp_ports: [22, 443] + - udp_ports: [] + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - include: "{{ tasks }}/cloud_setup_basic.yml" + - include: "{{ tasks }}/postfix_basic.yml" + + # open up tcp ports + - name: poke holes in the firewall + action: command lokkit -p '{{ item }}:tcp' + with_items: + - "{{ tcp_ports }}" + + handlers: + - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml index 712cf58026..86958a7e05 100644 --- a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml @@ -23,7 +23,7 @@ # Roles are run first, before tasks, regardless of where you place them here. roles: - - /srv/web/infra/ansible/roles/fedmsg_base + - fedmsg_base tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" @@ -54,6 +54,7 @@ - git - screen - fail2ban + - system-config-firewall-base - name: make copr dirs 
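Review bot: `udp_ports: []` is declared under `vars:` but nothing in the play reads it, and the firewall task only iterates `tcp_ports`; either drop the variable or add a matching `lokkit -p '{{ item }}:udp'` task guarded by `when: udp_ports`. The `poke holes in the firewall` task uses `command: lokkit ...`, which reports `changed` and re-applies the rule on every run; adding `changed_when: False` keeps the play idempotent. Keeping `tcp_ports: [22, 443]` in `vars:` as the single place where exposure is decided is good — note in a comment that port 80 is deliberately absent so nobody "fixes" it later.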
@@ -102,6 +103,16 @@ notify: - restart lighttpd + - name: copy httpd ssl certificates + action: copy src="{{ puppet_private }}/httpd/{{ item }}" dest="/etc/lighttpd/{{ item }}" owner=root group=root mode=0600 + with_items: + - coprs-be.fedoraproject.org.key + - coprs-be.fedoraproject.org.crt + notify: + - concate ssl certs + tags: + - config + # mime default to text/plain and enable dirlisting for indexes - name: update lighttpd configs action: copy src="{{ files }}/copr/lighttpd/{{ item }}" dest="/etc/lighttpd/conf.d/{{ item }}" owner=root group=root mode=0644 @@ -112,10 +123,10 @@ - restart lighttpd - name: start webserver - action: service state=running enabled=yes name=lighttpd + service: state=running enabled=yes name=lighttpd - name: start fail2ban - action: service state=running enabled=yes name=fail2ban + service: state=running enabled=yes name=fail2ban # setup dirs for the ansible execution off of provisioning - name: dirs from provision @@ -159,7 +170,7 @@ - provision_config - name: copy copr-be.conf - template: src="{{ files }}/copr/copr-be.conf" dest=/etc/copr/copr-be.conf mode=640 + template: src="{{ files }}/copr/copr-be.conf" dest=/etc/copr/copr-be.conf owner=root group=copr mode=640 notify: - restart copr-backend tags: @@ -191,3 +202,14 @@ handlers: - include: "{{ handlers }}/restart_services.yml" + - name: concate ssl certs + action: command cat /etc/lighttpd/coprs-be.fedoraproject.org.key /etc/lighttpd/coprs-be.fedoraproject.org.crt > /etc/lighttpd/coprs-be.fedoraproject.org.pem + notify: + - chmod_key + - restart lighttpd + - name: chmod_key + action: file path=/etc/lighttpd/coprs-be.fedoraproject.org.pem owner=root group=root mode=0600 + - name: restart copr-backend + service: name=copr-backend state=restarted + - name: restart lighttpd + service: name=lighttpd state=restarted diff --git a/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml index 014574b5da..d44e933783 100644 
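Review bot: The `concate ssl certs` handler in the last hunk uses `action: command cat ... > /etc/lighttpd/coprs-be.fedoraproject.org.pem`, but the `command` module does not run through a shell, so `>` is passed to `cat` as a filename and the pem is never written; it needs the `shell` module. Because the pem contains the private key concatenated from the 0600 files copied in the `@@ -102,6 +103,16 @@` hunk, it should also be created under a restrictive umask instead of relying on the separate `chmod_key` handler to close the window afterwards, e.g. `shell: umask 077; cat /etc/lighttpd/coprs-be.fedoraproject.org.key /etc/lighttpd/coprs-be.fedoraproject.org.crt > /etc/lighttpd/coprs-be.fedoraproject.org.pem`. A handler that itself carries `notify:` (`- chmod_key`, `- restart lighttpd`) may not chain on older Ansible releases, so verify that on the target version or fold the `file ... mode=0600` step into the same handler.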
--- a/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml @@ -47,6 +47,7 @@ - postgresql-server - bash-completion - fail2ban + - mod_ssl tags: - packages diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 8b5744839a..674fbae4d9 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -4,8 +4,8 @@ gather_facts: False vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" tasks: - include: "{{ tasks }}/persistent_cloud.yml" 
@@ -16,56 +16,47 @@ gather_facts: True vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml vars: - - mailman_vardir: /srv/persist/mailman + - mailman_vardir: /srv/persist/mailman tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" - include: "{{ tasks }}/postfix_basic.yml" + - include: "{{ tasks }}/hosts.yml" + - include: "{{ tasks }}/yumrepos.yml" + - include: "{{ tasks }}/collectd/client.yml" + - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/sudo.yml" + - include: "{{ tasks }}/apache.yml" + - include: "{{ tasks }}/mod_wsgi.yml" - name: mount up disk of persistent storage action: mount name=/srv/persist src='LABEL=lists-dev' fstype=ext4 state=mounted - name: selinux status - selinux: policy=targeted state=permissive + selinux: policy=targeted state=enforcing # /srv/persist - name: mount up bind mount for postgres action: mount src=/srv/persist/pgsqldb name=/var/lib/pgsql fstype=auto opts=bind state=mounted - name: mount up bind mount for mailman - action: mount src=/srv/persist/mailman name=/var/lib/mailman fstype=auto opts=bind state=mounted + action: mount src=/srv/persist/mailman name=/var/lib/mailman3 fstype=auto opts=bind state=mounted - name: get the repo file - get_url: url=http://repos.fedorapeople.org/repos/abompard/hyperkitty/fedora-hyperkitty.repo - dest=/etc/yum.repos.d/fedora-hyperkitty.repo mode=0444 + get_url: url=http://repos.fedorapeople.org/repos/abompard/hyperkitty/hyperkitty.repo + dest=/etc/yum.repos.d/hyperkitty.repo mode=0444 - - name: install packages - yum: state=installed name={{ item }} + # open up ports (22, 80, 443, 25) + - name: poke holes in the firewall + command: lokkit {{ item }} with_items: - - httpd - - mod_ssl - - mod_wsgi - - mailman - - python-psycopg2 - - python-storm-postgresql - - 
postgresql-server - - system-config-firewall-base - - rsync - - openssh-clients - - httpd-tools - - cronie-noanacron - - - - name: remove packages - yum: state=removed name=sendmail - - - name: install apache and mod_wsgi - yum: name=mod_wsgi state=installed - notify: - - restart apache + - --service=ssh + - --service=https + - --service=http + - --service=smtp # Database - name: initialize postgresql @@ -74,27 +65,14 @@ - name: copy pg_hba.conf copy: src="{{ files }}/lists-dev/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf notify: - - restart postgresql + - restart postgresql - name: start postgresql service: state=started name=postgresql - # open up ports (22, 80, 443, 25) - - name: poke holes in the firewall - command: lokkit {{ item }} - with_items: - - --service=ssh - - --service=https - - --service=http - - --service=smtp - - # packages needed to be gone - - name: erase packages - action: yum state=absent name={{ item }} - with_items: - - cronie-anacron - handlers: - include: "{{ handlers }}/restart_services.yml" + - name: restart postgresql + service: name=postgresql state=restarted 
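Review bot: `get the repo file` now fetches `http://repos.fedorapeople.org/repos/abompard/hyperkitty/hyperkitty.repo` over plain HTTP with no `sha256sum=`, and that file decides which repository yum trusts for the mailman3/hyperkitty packages installed later; fetch it over `https://` if the host serves it, or pin it with `sha256sum=<expected-hash-placeholder>`, and confirm the repo definition itself sets `gpgcheck=1`. The `selinux: policy=targeted state=enforcing` change is a good tightening; since the mailman bind mount now lands at `/var/lib/mailman3` while `/srv/persist/mailman` keeps its old name, a one-line comment such as `# persisted mailman data; mounted at the mailman3 path since the 2.1 -> 3 transition` would help the next reader. The firewall task moved up in this hunk still uses `command: lokkit {{ item }}` without `changed_when: False`, so it reports a change on every run.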
@@ -104,161 +82,81 @@ sudo: yes sudo_user: postgres vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - "{{ vars_path }}/{{ ansible_distribution }}.yml" + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "{{ vars_path }}/{{ ansible_distribution }}.yml" vars: - - mailman_vardir: /srv/persist/mailman + - mailman_vardir: /srv/persist/mailman tasks: - - name: mailman DB user - postgresql_user: name=mailman password={{ lists_dev_mm_db_pass }} - - name: hyperkitty DB user - postgresql_user: name=hyperkitty password={{ lists_dev_hk_db_pass }} - - name: kittystore DB user - postgresql_user: name=kittystore password={{ lists_dev_ks_db_pass }} - - name: postorius DB user - postgresql_user: name=postorius password={{ lists_dev_ps_db_pass }} - - name: databases creation - postgresql_db: name={{ item }} owner={{ item }} encoding=UTF-8 - with_items: - - mailman - - hyperkitty - - kittystore - - postorius + # mailman auto-updates its schema, there can only be one admin user + - name: mailman DB user + postgresql_user: name=mailmanadmin password={{ lists_dev_mm_db_pass }} + - name: hyperkitty DB admin user + postgresql_user: name=hyperkittyadmin password={{ lists_dev_hk_db_pass }} + - name: hyperkitty DB user + postgresql_user: name=hyperkittyapp password={{ lists_dev_hk_db_pass }} + - name: kittystore DB admin user + postgresql_user: name=kittystoreadmin password={{ lists_dev_ks_db_pass }} + - name: kittystore DB user + postgresql_user: name=kittystoreapp password={{ lists_dev_ks_db_pass }} + - name: databases creation + postgresql_db: name={{ item }} owner="{{ item }}admin" encoding=UTF-8 + with_items: + - mailman + - hyperkitty + - kittystore - name: setup mailman and hyperkitty hosts: hyperkitty-stg gather_facts: no vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - "{{ vars_path }}/{{ ansible_distribution }}.yml" - vars: - - mailman_vardir: /srv/persist/mailman + - 
/srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "{{ vars_path }}/{{ ansible_distribution }}.yml" + + roles: + - role: mailman + mailman_dbserver: localhost + mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org + mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}" + mailman_hk_admin_db_pass: "{{ lists_dev_hk_db_pass }}" + mailman_hk_db_pass: "{{ lists_dev_hk_db_pass }}" + mailman_ks_admin_db_pass: "{{ lists_dev_ks_db_pass }}" + mailman_ks_db_pass: "{{ lists_dev_ks_db_pass }}" tasks: - # Initialize mailman (must be done after settings up the DBs) - - name: add mailman to the apache group - user: name=mailman groups=apache append=yes - notify: - - restart mailman + - name: install more needed packages + yum: pkg={{ item }} state=installed + with_items: + - tar + - mailman # transition from mailman2.1 + - vim + - tmux + - patch + tags: + - packages - - name: set the mailman conffile - template: src="{{ files }}/lists-dev/mailman.cfg.j2" dest=/etc/mailman.cfg - notify: - - restart mailman + #- name: easy access to the postgresql databases + # template: src="{{ files }}/lists-dev/pgpass.j2" dest=/root/.pgpass + # owner=root group=root mode=0600 - - name: install kittystore and hyperkitty - yum: state=installed name={{ item }} - with_items: - - kittystore - - hyperkitty - - postorius - - # Logging - - name: hyperkitty logging -- directory - file: path=/var/log/hyperkitty state=directory - owner=root group=apache mode=2775 - - name: hyperkitty logging -- file creation - copy: content="" dest=/var/log/hyperkitty/hyperkitty.log - force=no - - name: hyperkitty logging -- file permissions - file: path=/var/log/hyperkitty/hyperkitty.log state=file - owner=root group=apache mode=664 - - name: hyperkitty logging -- rotation - copy: src="{{ files }}/lists-dev/hyperkitty.logrotate.conf" - dest=/etc/logrotate.d/hyperkitty - - # settings / conf - - name: install the hyperkitty/postorius settings file - template: src="{{ files }}/lists-dev/{{ 
item.settings_local.py.j2 }}" - dest="/etc/{{ item }}/sites/default/settings_local.py" - owner=root group=apache mode=0640 - with_items: - - hyperkitty - - postorius - notify: - - reload apache - - restart mailman - - - name: install the hyperkitty/postorius urls file - copy: src="files/lists-dev/{{ item }}.urls.py" - dest="/etc/{{ item }}/sites/default/urls.py" - owner=root group=root mode=0644 - with_items: - - hyperkitty - - postorius - notify: - - reload apache - - restart mailman - - - name: install the hyperkitty/postorius httpd conf file - copy: src="{{ files }}/lists-dev/{{ item }}.apache.conf" - dest="/etc/httpd/conf.d/{{ item }}.conf" - with_items: - - hyperkitty - - postorius - notify: - - reload apache - - - name: set the hyperkitty conffile in mailman - copy: src="{{ files }}/lists-dev/hyperkitty.cfg" dest=/etc/mailman.d/hyperkitty.cfg - notify: - - restart mailman - - - name: set the postfix conffile - template: src="{{ files }}/lists-dev/postfix-main.cf.j2" dest=/etc/postfix/main.cf - notify: - - restart postfix - - - name: set the mail aliases - copy: src="{{ files }}/lists-dev/aliases" dest=/etc/aliases - notify: - - reload aliases - - - name: easy access to the postgresql databases - template: src="{{ files }}/lists-dev/pgpass.j2" dest=/root/.pgpass - owner=root group=root mode=0600 + - name: send root mail to abompard + lineinfile: dest=/etc/aliases regexp='^root:' line="root:abompard@fedoraproject.org" + notify: + - reload aliases - # Sync databases - # FIXME the db migrations should happen no matter when the pkgs are updated - # so really this should be run once - # and then stored in a yum-post-transaction-action on the system(s) - # so no matter when it is run the right thing happens - - - name: run django syncdb - command: /usr/bin/django-admin syncdb --pythonpath="/etc/{{ item }}/sites/default" --settings=settings - with_items: - - hyperkitty - - postorius - - name: run django migrate - command: /usr/bin/django-admin migrate 
--pythonpath=/etc/hyperkitty/sites/default --settings=settings hyperkitty - - name: kittystore schema update - command: /usr/bin/kittystore-updatedb -s postgres://kittystore:{{ lists_dev_ks_db_pass }}@localhost/kittystore - - - name: copy the initial user fixture - copy: src="{{ files }}/lists-dev/postorius.initial-user.json" - dest=/etc/postorius/sites/default/initial-user.json - owner=root group=apache mode=0640 - - - name: load the inital user - command: /usr/bin/django-admin loaddata --pythonpath=/etc/postorius/sites/default --settings=settings /etc/postorius/sites/default/initial-user.json - - - name: html index - copy: src="{{ files }}/lists-dev/index.html" dest=/var/www/html/index.html - - # Start services - - name: start services - service: state=started enabled=yes name={{ item }} - with_items: - - httpd - - postgresql - - mailman - - postfix + # Start services + - name: start services + service: state=started enabled=yes name={{ item }} + with_items: + - httpd + - postgresql + - mailman3 + - postfix handlers: diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/manual/kernel-qa.yml similarity index 77% rename from playbooks/groups/kernel-qa.yml rename to playbooks/manual/kernel-qa.yml index aadf88aba9..07d59fed40 100644 --- a/playbooks/groups/kernel-qa.yml +++ b/playbooks/manual/kernel-qa.yml @@ -13,11 +13,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/manual/sign.yml b/playbooks/manual/sign.yml index d696be8f6b..deadb217bf 100644 --- a/playbooks/manual/sign.yml +++ b/playbooks/manual/sign.yml 
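Review bot: In the database play the admin and application roles share one secret — `hyperkittyadmin` and `hyperkittyapp` both get `{{ lists_dev_hk_db_pass }}`, `kittystoreadmin` and `kittystoreapp` both get `{{ lists_dev_ks_db_pass }}` — and the same values are passed again as `mailman_hk_admin_db_pass`/`mailman_hk_db_pass` and `mailman_ks_admin_db_pass`/`mailman_ks_db_pass` to the role, so the admin/app split that the comment `# mailman auto-updates its schema, there can only be one admin user` is aiming for gives no privilege separation here, unlike mailman.yml in the same commit which uses distinct `mailman_*_admin_db_pass` variables. Add `lists_dev_hk_admin_db_pass` and `lists_dev_ks_admin_db_pass` to the private vars and use them for the `*admin` users and the `mailman_*_admin_db_pass` role parameters. The database play's `hosts:` line is above this hunk, so whether `sudo_user: postgres` still fits the target list cannot be checked from here; the commented-out `.pgpass` task should be deleted rather than kept as dead YAML, with a `# TODO(owner): restore once ...` line if it is meant to return.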
@@ -17,8 +17,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter + - base + - rkhunter tasks: - include: "{{ tasks }}/serialgetty.yml" diff --git a/playbooks/rdiff-backup.yml b/playbooks/rdiff-backup.yml index d896a0ed63..7e9046ea81 100644 --- a/playbooks/rdiff-backup.yml +++ b/playbooks/rdiff-backup.yml @@ -25,6 +25,6 @@ when: global_backup_targets is defined - name: run rdiff-backup hitting all the host targets - local_action: "shell rdiff-backup --exclude='**.snapshot' --create-full-path --print-statistics {{ inventory_hostname }}::{{ item }} /fedora_backups/{{ inventory_hostname }}/`basename {{ item }}` | mail -r sysadmin-backup-members@fedoraproject.org -s 'rdiff-backup: {{ inventory_hostname }}:{{ item }}' sysadmin-backup-members@fedoraproject.org" + local_action: "shell rdiff-backup --exclude='**git-seed*' --exclude='**git_seed' --exclude='**.snapshot' --create-full-path --print-statistics {{ inventory_hostname }}::{{ item }} /fedora_backups/{{ inventory_hostname }}/`basename {{ item }}` | mail -r sysadmin-backup-members@fedoraproject.org -s 'rdiff-backup: {{ inventory_hostname }}:{{ item }}' sysadmin-backup-members@fedoraproject.org" with_items: host_backup_targets when: host_backup_targets is defined diff --git a/playbooks/sign_and_import.yml b/playbooks/sign_and_import.yml index d252e0ecc4..738817376b 100644 --- a/playbooks/sign_and_import.yml +++ b/playbooks/sign_and_import.yml 
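Review bot: The pipe into `mail` masks rdiff-backup's exit status, so this task reports success whenever `mail` exits 0 and a failed or partial backup run goes unnoticed; rdiff-backup's stderr is also not part of the mailed report. Prefix the command with `set -o pipefail;` and add `2>&1` before the pipe, e.g. `shell set -o pipefail; rdiff-backup … 2>&1 | mail …` (add `executable=/bin/bash` to the shell args if the controller's `/bin/sh` is not bash), so a failing backup both fails the play and shows its error in the mail. The enclosing play continues outside the hunk.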
@@ -1,10 +1,13 @@ # This playbook takes new rpms specified with a fileglob, signs them, and adds # them to the infrastructure repo. # +# To push to infra-testing: +# requires --extra-vars="rpmdir='/home/fedora/ralph/rpms/' testing=True" +# +# To push to infra: # requires --extra-vars="rpmdir='/home/fedora/ralph/rpms/'" # TODO -- grab rpms from koji build/task ids beforehand? -# TODO -- how do make it easy to select the infra-testing repo? # TODO -- other arches than x86_64? - name: batch sign and import a directory full of rpms @@ -16,8 +19,8 @@ # repo. Since we're in freeze right now, we'll default to the testing repo. # It would be nice to be able to toggle this from the command line. vars: - #- repodir: /mnt/fedora/app/fi-repo/testing/6 - - repodir: /mnt/fedora/app/fi-repo/6 + - repodir: /mnt/fedora/app/fi-repo/{% if testing %}testing/{% endif %}6 + - testing: False tasks: - name: Fail if no rpmdir provided @@ -32,7 +35,7 @@ - name: make a directory where we store the rpms afterwards file: path={{ rpmdir }}-old state=directory - - name: copy the source rpms to the SRPMS dir + - name: copy the source rpms to the SRPMS dir of {{ repodir }} copy: src={{ item }} dest={{ repodir }}/SRPMS/ with_fileglob: - "{{ rpmdir }}/*.src.rpm" @@ -42,10 +45,11 @@ - name: move processed srpms out to {{ rpmdir }}-old command: /bin/mv {{ item }} {{ rpmdir }}-old/ + when: not testing with_fileglob: - "{{ rpmdir }}/*.src.rpm" - - name: copy the binary rpms to the x86_64 dir + - name: copy the binary rpms to the x86_64 dir of {{ repodir }} copy: src={{ item }} dest={{ repodir }}/x86_64/ with_fileglob: - "{{ rpmdir }}/*.rpm" @@ -55,5 +59,6 @@ - name: move processed rpms out to {{ rpmdir }}-old command: /bin/mv {{ item }} {{ rpmdir }}-old/ + when: not testing with_fileglob: - "{{ rpmdir }}/*.rpm" diff --git a/playbooks/update_packages.yml b/playbooks/update_packages.yml index a7c2673b31..3e0a55caa1 100644 --- a/playbooks/update_packages.yml +++ b/playbooks/update_packages.yml 
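Review bot: `testing` arrives from `--extra-vars` in `key=value` form as the string `'True'`, so `{% if testing %}` in the new `repodir` line and the two `when: not testing` guards in the later hunks test string truthiness: `testing=False` (or `no`) on the command line would still select `testing/6` and skip the move to `{{ rpmdir }}-old`. Coerce it once: `- repodir: /mnt/fedora/app/fi-repo/{% if testing|bool %}testing/{% endif %}6` and `when: not testing|bool`, assuming the `bool` filter exists in the Ansible release in use. The `testing: False` default in `vars` is a real boolean, so the default path is unaffected; the header comment could add `# testing accepts True/False (coerced with |bool)`.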
@@ -1,18 +1,23 @@ -# requires --extra-vars="target='host1;host2;group etc' package='python-tahrir' +# requires --extra-vars="target='host1;host2;group etc' package='python-tahrir'" # # Alternatively, you could update a group of packages like -# --extra-vars="package='python-t*'" - -# TODO -- how do make it easy to select the infra-testing repo? +# --extra-vars="target='host1;host2' package='python-t*'" +# +# To update from testing, adjust as follow: +# --extra-vars="target='host1;host2' package='python-t*' testing=True" - name: push packages out hosts: "{{ target }}" user: root + vars: + testing: False + tasks: - - name: expire-caches - command: yum clean expire-cache + - name: expire-caches {% if testing %}(with infrastructure-testing on){% endif %} + command: yum clean expire-cache {% if testing %} --enablerepo=infrastructure-testing {% endif %} + always_run: yes - - name: yum update {{ package }} - yum: name={{ package }} state=latest + - name: yum update {{ package }} {% if testing %}(with infrastructure-testing on){% endif %} + yum: name={{ package }} state=latest {% if testing %}enablerepo=infrastructure-testing{% endif %} diff --git a/playbooks/vhost_reboot.yml b/playbooks/vhost_reboot.yml index 4f3d8191cf..dd75a38b73 100644 --- a/playbooks/vhost_reboot.yml +++ b/playbooks/vhost_reboot.yml @@ -79,8 +79,8 @@ - name: reboot the virthost command: /sbin/reboot - - name: wait for virthost to come back - up to 6 minutes - local_action: wait_for host={{ target }} port=22 delay=120 timeout=420 + - name: wait for virthost to come back - up to 10 minutes + local_action: wait_for host={{ target }} port=22 delay=120 timeout=600 - name: wait for libvirtd to come back on the virthost wait_for: path=/var/run/libvirtd.pid state=present diff --git a/roles/ansible-server/tasks/main.yml b/roles/ansible-server/tasks/main.yml new file mode 100644 index 0000000000..ab7f2d9951 --- /dev/null +++ b/roles/ansible-server/tasks/main.yml 
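Review bot: As in sign_and_import.yml, `testing` passed via `--extra-vars` is the string `'True'`, so `{% if testing %}` on the `command:` and `yum:` lines (and in both task names) is true for any non-empty value, including `testing=False`. Use `{% if testing|bool %}` in all four places, and say so in the header: `# testing=True|False is a string from the command line; the playbook coerces it with |bool`. The `always_run: yes` on the cache-expiry task is reasonable for `--check` runs since `yum clean expire-cache` only invalidates metadata.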
@@ -0,0 +1,18 @@ +--- +# +# Setup ansible-server instance +# +- name: install needed packages + yum: pkg={{ item }} state=installed + with_items: + - ansible + - git + tags: + - packages + +# +# TODO: +# cgit? +# rbac-playbook? +# zodbot notifications? +# diff --git a/roles/ask/files/cancel.py b/roles/ask/files/cancel.py new file mode 100644 index 0000000000..ac2f3ded54 --- /dev/null +++ b/roles/ask/files/cancel.py @@ -0,0 +1,14 @@ +from django.http import HttpResponseRedirect +from askbot.utils.forms import get_next_url +class CancelActionMiddleware(object): + def process_view(self, request, view_func, view_args, view_kwargs): + if 'cancel' in request.REQUEST: + #todo use session messages for the anonymous users + try: + msg = getattr(view_func,'CANCEL_MESSAGE') + except AttributeError: + msg = 'action canceled' + request.user.message_set.create(message=unicode(msg)) + return HttpResponseRedirect(get_next_url(request)) + else: + return None diff --git a/roles/ask/files/cron-delete-old-emails b/roles/ask/files/cron-delete-old-emails new file mode 100644 index 0000000000..507dff8fb2 --- /dev/null +++ b/roles/ask/files/cron-delete-old-emails @@ -0,0 +1,2 @@ +0 * * * * root /usr/bin/python /etc/askbot/sites/ask/config/manage.py cleanup_mail -d 7 > /dev/null 2> /dev/null + diff --git a/roles/ask/files/cron-delete-unused-tags b/roles/ask/files/cron-delete-unused-tags new file mode 100644 index 0000000000..e9875478fc --- /dev/null +++ b/roles/ask/files/cron-delete-unused-tags @@ -0,0 +1,2 @@ +0 22 * * * root /usr/bin/python /etc/askbot/sites/ask/config/manage.py delete_unused_tags > /dev/null 2> /dev/null + diff --git a/roles/ask/files/login_providers.py b/roles/ask/files/login_providers.py index 758b3095e8..bd2e015796 100644 --- a/roles/ask/files/login_providers.py +++ b/roles/ask/files/login_providers.py 
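Review bot: `process_view` redirects to `get_next_url(request)` for any request carrying a `cancel` parameter, on every view and for GET as well as POST; whether that is an open redirect depends entirely on askbot's `get_next_url` rejecting off-site `next` values, which this file does not show. Record that dependency where the redirect happens, e.g. `# safe only because get_next_url() restricts 'next' to local paths — verify on askbot upgrades`, or add an explicit same-host check before the `HttpResponseRedirect`. The `#todo` about anonymous users is also misleading: if `AnonymousUser.message_set` is supplied by `askbot.middleware.anon_user.ConnectToSessionMessagesMiddleware` (listed in this commit's settings.py), say so there instead of leaving the reader to guess whether `message_set.create` can raise.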
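Review bot: Both new cron entries run `manage.py` as `root` and send stdout and stderr to `/dev/null`, so a failing `cleanup_mail` or `delete_unused_tags` is invisible; drop the `2> /dev/null` so cron mails failures to the root alias. Running Django management commands as root also leaves any file they create (for example the log file named in settings.py) root-owned for the `apache`-run site — the role's separate "log ownership fix" task suggests this has happened before — so consider `apache` as the cron user if the settings allow it.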
@@ -81,10 +81,9 @@ providers = ( 'Vidoop', 'Verisign', 'Yahoo', - 'identi.ca', ) -need_extra_setup = ('Twitter', 'Facebook', 'LinkedIn', 'identi.ca',) +need_extra_setup = ('Twitter', 'Facebook', 'LinkedIn', ) for provider in providers: kwargs = { diff --git a/roles/ask/files/util.py b/roles/ask/files/util.py index 4c4e47b4e7..ae9a1fb457 100644 --- a/roles/ask/files/util.py +++ b/roles/ask/files/util.py @@ -397,8 +397,8 @@ def get_enabled_major_login_providers(): 'name': 'fasopenid', 'display_name': 'FAS-OpenID', 'type': 'openid-direct', - 'icon_media_path': '/jquery-openid/images/fedora-openid.png', - 'openid_endpoint': 'http://id.fedoraproject.org/', + 'icon_media_path': 'https://fedoraproject.org/w/uploads/d/d6/Guidelines-fedora-logo.jpg', + 'openid_endpoint': 'https://id.fedoraproject.org/', } 
@@ -433,26 +433,6 @@ def get_enabled_major_login_providers(): 'icon_media_path': '/jquery-openid/images/twitter.gif', 'get_user_id_function': lambda data: data['user_id'], } - def get_identica_user_id(data): - consumer = oauth.Consumer(data['consumer_key'], data['consumer_secret']) - token = oauth.Token(data['oauth_token'], data['oauth_token_secret']) - client = oauth.Client(consumer, token=token) - url = 'https://identi.ca/api/account/verify_credentials.json' - response, content = client.request(url, 'GET') - json = simplejson.loads(content) - return json['id'] - if askbot_settings.IDENTICA_KEY and askbot_settings.IDENTICA_SECRET: - data['identi.ca'] = { - 'name': 'identi.ca', - 'display_name': 'identi.ca', - 'type': 'oauth', - 'request_token_url': 'https://identi.ca/api/oauth/request_token', - 'access_token_url': 'https://identi.ca/api/oauth/access_token', - 'authorize_url': 'https://identi.ca/api/oauth/authorize', - 'authenticate_url': 'https://identi.ca/api/oauth/authorize', - 'icon_media_path': '/jquery-openid/images/identica.png', - 'get_user_id_function': get_identica_user_id, - } def get_linked_in_user_id(data): consumer = oauth.Consumer(data['consumer_key'], data['consumer_secret']) token = oauth.Token(data['oauth_token'], data['oauth_token_secret']) @@ -690,9 +670,6 @@ def get_oauth_parameters(provider_name): elif provider_name == 'linkedin': consumer_key = askbot_settings.LINKEDIN_KEY consumer_secret = askbot_settings.LINKEDIN_SECRET - elif provider_name == 'identi.ca': - consumer_key = askbot_settings.IDENTICA_KEY - consumer_secret = askbot_settings.IDENTICA_SECRET elif provider_name == 'facebook': consumer_key = askbot_settings.FACEBOOK_KEY consumer_secret = askbot_settings.FACEBOOK_SECRET diff --git a/roles/ask/tasks/main.yml b/roles/ask/tasks/main.yml index bc22356dfc..03a4feac3a 100644 --- a/roles/ask/tasks/main.yml +++ b/roles/ask/tasks/main.yml 
@@ -16,14 +16,41 @@ - python-django-post_office - python-django-compressor - django-authopenid + - django-celery tags: - packages +# https://github.com/openid/python-openid/pull/76 +- name: hotfix - copy over python-openid fixed messages + copy: src="{{ files }}/hotfix/python-openid/fetchers.py" dest=/usr/lib/python2.6/site-packages/openid/fetchers.py + owner=root group=root mode=0644 + notify: + - restart apache + tags: + - config + - hotfix + - python-openid + - name: set sebooleans so ask can talk to the db action: seboolean name=httpd_can_network_connect_db state=true persistent=true +- name: set sebooleans so ask can talk to the memcache + action: seboolean name=httpd_can_network_memcache + state=true + persistent=true + +- name: set sebooleans so ask can talk to fedmsg + action: seboolean name=allow_httpd_sys_script_anon_write + state=true + persistent=true + +- name: set sebooleans so ask can talk to fedmsg + action: seboolean name=allow_ypbind + state=true + persistent=true + - name: install askbot settings.py template template: > src={{ item }} dest="/etc/askbot/sites/ask/config/settings.py" @@ -61,12 +88,19 @@ with_items: - cron-ask-send-reminders - cron-post-office-send-mail + - cron-delete-old-emails + - cron-delete-unused-tags tags: - files - name: log ownership fix file: state=touch dest=/var/log/askbot/askfedora.log owner=apache group=apache +- name: run collectstatic + command: creates=/var/www/html/askbot/static python /etc/askbot/sites/ask/config/manage.py collectstatic --noinput + tags: + - config + #- name: setup default skin link needed for askbot # file: state=link src=/usr/lib64/python2.6/site-packages/askbot/skins/default dest=/usr/lib64/python2.6/site-packages/askbot/static/default # 
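Review bot: The two new `seboolean` tasks labelled "so ask can talk to fedmsg" enable `allow_httpd_sys_script_anon_write` and `allow_ypbind`, neither of which is fedmsg-specific: the first lets every httpd-run script write to any `public_content_rw_t` file on the host, and the second is the system-wide NIS/ypbind boolean. If these were added to silence particular AVC denials, quote the denial in a comment (e.g. `# AVC seen while publishing fedmsg: <avc line>`) and prefer a targeted module from `audit2allow` over global booleans; the two tasks also share a name, which makes `--list-tasks` output ambiguous. Separately, the `hotfix` task writes `fetchers.py` straight into `/usr/lib/python2.6/site-packages/openid/`, which the next `python-openid` package update silently reverts and `rpm -V` will flag, so the comment should record the package NVR it applies to as well as the upstream PR.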
@@ -145,3 +179,16 @@ - files notify: - restart httpd + +# +# fix for feedback +# + +- name: HOTFIX askbot/middleware/cancel.py + copy: > + src=cancel.py dest=/usr/lib/python2.6/site-packages/askbot/middleware/cancel.py + owner=root group=root mode=0644 + tags: + - files + notify: + - restart httpd diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 90b2df4780..db06d514dd 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -110,12 +110,16 @@ MIDDLEWARE_CLASSES = ( ## Enable the following middleware if you want to enable ## language selection in the site settings. #'askbot.middleware.locale.LocaleMiddleware', + 'django.middleware.locale.LocaleMiddleware', #'django.middleware.cache.UpdateCacheMiddleware', 'django.middleware.common.CommonMiddleware', #'django.middleware.cache.FetchFromCacheMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', #'django.middleware.sqlprint.SqlPrintingMiddleware', + # Enable outgoing fedmsg messages + 'askbot_fedmsg.NOOPMiddleware', + #below is askbot stuff for this tuple 'askbot.middleware.anon_user.ConnectToSessionMessagesMiddleware', 'askbot.middleware.forum_mode.ForumModeMiddleware', 
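Review bot: The HOTFIX task overwrites `askbot/middleware/cancel.py` inside `/usr/lib/python2.6/site-packages`, so the fix lasts only until the next `askbot` package update and `rpm -V askbot` will report the modified file, yet unlike the `python-openid` hotfix earlier in this role it carries no upstream reference and no `hotfix` tag. Make the two consistent: add `- hotfix` to its tags and a comment such as `# hotfix: upstream askbot <issue/PR>; remove once the packaged version includes it`, naming the askbot version it targets so the override can be retired.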
@@ -184,30 +188,18 @@ INSTALLED_APPS = ( 'keyedcache', 'robots', 'django_countries', - #'djcelery', + 'djcelery', 'djkombu', 'followit', 'tinymce', 'group_messaging', #'avatar',#experimental use git clone git://github.com/ericflo/django-avatar.git$ + 'post_office', ) -#setup memcached for production use! -#see http://docs.djangoproject.com/en/1.1/topics/cache/ for details -{% if env == "staging" %} -CACHE_BACKEND = 'locmem://' -{% else %} -CACHE_BACKEND='memcached://memcached04:11211/' -{% endif %} -#needed for django-keyedcache -CACHE_TIMEOUT = 6000 -#sets a special timeout for livesettings if you want to make them different -LIVESETTINGS_CACHE_TIMEOUT = CACHE_TIMEOUT -CACHE_PREFIX = 'askbot' #make this unique CACHE_MIDDLEWARE_ANONYMOUS_ONLY = True -#If you use memcache you may want to uncomment the following line to enable memcached based sessions -#SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db' +CACHE_TIMEOUT = 600 AUTHENTICATION_BACKENDS = ( 'django.contrib.auth.backends.ModelBackend', @@ -229,7 +221,7 @@ logging.basicConfig( # ASKBOT_URL = 'forum/' # ASKBOT_URL = '' #no leading slash, default = '' empty string -ASKBOT_TRANSLATE_URL = True #translate specific URLs +ASKBOT_TRANSLATE_URL = False #translate specific URLs _ = lambda v:v #fake translation function for the login url LOGIN_URL = '/%s%s%s' % (ASKBOT_URL,_('account/'),_('signin/')) LOGIN_REDIRECT_URL = ASKBOT_URL #adjust, if needed 
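Review bot: This hunk removes `CACHE_PREFIX` and `LIVESETTINGS_CACHE_TIMEOUT` and cuts `CACHE_TIMEOUT` from 6000 to 600 without a comment; the removed text said keyedcache needs `CACHE_TIMEOUT`, so that library reads this family of settings, and if it or livesettings still looks for `CACHE_PREFIX` the value now comes from a library default rather than from this file. Confirm which settings the two libraries read, and document the outcome above the surviving line, e.g. `# keyedcache/livesettings TTL (seconds); CACHE_PREFIX is unnecessary because KEY_PREFIX in CACHES namespaces the keys` — or keep the explicit values if that confirmation is not possible.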
@@ -242,13 +234,56 @@ ASKBOT_USE_STACKEXCHANGE_URLS = False #mimic url scheme of stackexchange BROKER_TRANSPORT = "djkombu.transport.DatabaseTransport" CELERY_ALWAYS_EAGER = True - +# +# Only enable languages where we have active moderators +# In staging we have a few more for communities to test with before commiting. +# +# locmem cache in staging and use memcached04 in production. +# {% if env == "staging" %} DOMAIN_NAME = 'ask.stg.fedoraproject.org' +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', + 'LOCATION': 'ask-staging' + } +} +gettext = lambda s: s +LANGUAGES = ( + ('pt-br', gettext('Brazilian Portuguese')), + ('es', gettext('Spanish')), + ('en', gettext('English')), + ('ru', gettext('Russian')), + ('zh-cn', gettext('Simplified Chinese')), + ('fr', gettext('French')), + ('el', gettext('Greek')), + ('id', gettext('Indonesian')), + ('hu', gettext('Hungarian')), +) {% else %} DOMAIN_NAME = 'ask.fedoraproject.org' +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'KEY_PREFIX': 'askfedora', + 'LOCATION': [ + 'memcached04:11211', + ] + } +} +gettext = lambda s: s +LANGUAGES = ( + ('es', gettext('Spanish')), + ('en', gettext('English')), + ('pt-br', gettext('Brazilian Portuguese')), + ('id', gettext('Indonesian')), + ('el', gettext('Greek')), + ('zh-cn', gettext('Simplified Chinese')), + ('hu', gettext('Hungarian')), +) {% endif %} + #https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/ CSRF_COOKIE_DOMAIN = DOMAIN_NAME @@ -322,7 +357,7 @@ GROUP_MESSAGING = { 'BASE_URL_PARAMS': {'section': 'messages', 'sort': 'inbox'} } -ASKBOT_MULTILINGUAL = False +ASKBOT_MULTILINGUAL = True ASKBOT_CSS_DEVEL = False if 'ASKBOT_CSS_DEVEL' in locals() and ASKBOT_CSS_DEVEL == True: diff --git a/roles/badges-backend/files/cron/award-oldschool-badges b/roles/badges-backend/files/cron/award-oldschool-badges index 0f96476cbc..8afea8d184 100755 
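Review bot: Production now points Django's default cache at `memcached04:11211`, which has no authentication, so any host that can reach that port can read or overwrite whatever askbot, keyedcache and livesettings store there; if livesettings values are cached, a poisoned entry changes site behaviour. That is acceptable only if the port is firewalled to the ask frontends, so state the assumption beside the `CACHES` block: `# memcached04 is unauthenticated — reachable only from the ask* hosts (iptables); never cache per-user or secret data here`. Stylistically, `gettext = lambda s: s` and most of the `LANGUAGES` tuple are duplicated between the two branches; defining the shared languages once and extending the tuple in staging would make the "a few more in staging" comment self-evident.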
--- a/roles/badges-backend/files/cron/award-oldschool-badges +++ b/roles/badges-backend/files/cron/award-oldschool-badges @@ -35,6 +35,35 @@ fedmsg.init(**fm_config) import fedbadges.utils +def user_in_group(user, group_name): + # First, bail out if they're not in the group at all + if not any([g.name == group_name for g in user.memberships]): + return False + + # Find the group_id of the group we're looking for.. + group_id = None + for g in user.memberships: + if g.name == group_name: + group_id = g.id + break + + if not group_id: + return False + + # For that group_id, find the relevant role + relevant_role = None + for role in user.roles: + if role.group_id == group_id: + relevant_role = role + break + + if not relevant_role: + return False + + # They must be actually 'approved' in that group for this to count + return relevant_role.role_status == 'approved' + + def get_fas_groupings(fas_credentials, lookup, **config): creds = fas_credentials 
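Review bot: `user_in_group` scans `user.memberships` twice — the `any(...)` guard and the following loop answer the same question — and `if not group_id` would also reject a legitimate group id of 0; the approval check itself is the right fix. A single pass with `next()` and an `is None` test keeps the behaviour and halves the code:
```python
def user_in_group(user, group_name):
    """True only if *user* holds an 'approved' role in the group named *group_name*."""
    group_id = next((g.id for g in user.memberships if g.name == group_name), None)
    if group_id is None:
        return False
    role = next((r for r in user.roles if r.group_id == group_id), None)
    # Membership alone is not enough; the role must be approved.
    return role is not None and role.role_status == 'approved'
```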
@@ -56,24 +85,34 @@ def get_fas_groupings(fas_credentials, lookup, **config): mega_list = request['people'] results = {} - packager_id = None + packager_id, ambassadors_id = None, None for user in mega_list: # This is the main check. for group_name, badge_id in lookup.iteritems(): - if any([group.name == group_name for group in user.memberships]): + if user_in_group(user, group_name): results[group_name] = results.get(group_name, []) + [user] - # This is special.. we're checking for being a packager-sponsor + # Beyond the main check, here is a special check that makes sure they + # are a sponsor in the packager group. if not packager_id: for group in user.memberships: if group.name == 'packager': packager_id = group.id + if not ambassadors_id: + for group in user.memberships: + if group.name == 'ambassadors': + ambassadors_id = group.id + for role in user.roles: if role.group_id == packager_id: if role.role_type == 'sponsor' and role.role_status == 'approved': results['sponsors'] = results.get('sponsors', []) + [user] + if role.group_id == ambassadors_id: + if role.role_type == 'sponsor' and role.role_status == 'approved': + results['ambassadors_sponsors'] = results.get('ambassadors_sponsors', []) + [user] + return results @@ -87,10 +126,13 @@ def main(): 'provenpackager': 'proven-packager', 'proventesters': 'proven-tester', 'ambassadors': 'ambassador', + 'videos': 'videographer', 'sysadmin-main': 'trust-me,-i-know-what-i-am-doing', 'sysadmin-badges': 'inside-job', 'sponsors': 'packager-sponsor', + 'ambassadors_sponsors': 'ambassadors-sponsor', 'designteam': 'pixel-ninja', + 'fi-apprentice': 'no-longer-a-ronin', } # First, some validation that the badge ids actually exist. diff --git a/roles/badges-frontend/templates/tahrir.ini b/roles/badges-frontend/templates/tahrir.ini index 960b175804..66b2b04bf8 100644 --- a/roles/badges-frontend/templates/tahrir.ini +++ b/roles/badges-frontend/templates/tahrir.ini 
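Review bot: The new ambassadors-sponsor block is a copy of the packager-sponsor block with the id variable and result key swapped, and the `packager_id`/`ambassadors_id` discovery loops are re-run for every user until a member is seen; a mapping from group name to result key lets one loop handle both groups and any added later. Resolving the ids from the current user's memberships, as below, gives the same matches as the cached globals provided a sponsor role always comes with a membership entry for that group — confirm that against the FAS data before adopting it. The enclosing `get_fas_groupings` starts outside the hunk.
```python
    sponsor_groups = {'packager': 'sponsors',
                      'ambassadors': 'ambassadors_sponsors'}
    for user in mega_list:
        # … unchanged: main lookup check …
        # Map this user's group ids back to the sponsor result keys.
        group_keys = dict((g.id, sponsor_groups[g.name]) for g in user.memberships
                          if g.name in sponsor_groups)
        for role in user.roles:
            key = group_keys.get(role.group_id)
            if key and role.role_type == 'sponsor' and role.role_status == 'approved':
                results[key] = results.get(key, []) + [user]
```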
@@ -27,7 +27,7 @@ pyramid.default_locale_name = en pyramid.includes = pyramid_tm -sqlalchemy.url = postgresql://${tahrirDBUser}:${tahrirDBPassword}@db-tahrir/tahrir +sqlalchemy.url = postgresql://{{tahrirDBUser}}:{{tahrirDBPassword}}@db-tahrir/tahrir mako.directories=tahrir:templates @@ -35,7 +35,7 @@ tahrir.admin = ralph@fedoraproject.org, oddshocks@fedoraproject.org, puiterwijk@ tahrir.pngs.uri = /usr/share/badges/pngs dogpile.cache.backend = dogpile.cache.memcached -dogpile.cache.expiration_time = 10000 +dogpile.cache.expiration_time = 100 dogpile.cache.arguments.url = memcached03:11211 dogpile.cache.arguments.distributed_lock = True @@ -44,12 +44,14 @@ dogpile.cache.arguments.distributed_lock = True tahrir.title = Fedora Badges (staging!) tahrir.base_url = https://badges.stg.fedoraproject.org tahrir.openid_identifier = http://id.stg.fedoraproject.org/ +tahrir.trusted_openid = ^http(s)?:\/\/([a-zA-Z0-9]+\.)?stg.id\.fedoraproject\.org(/)?$ tahrir.openid_realm = https://badges.stg.fedoraproject.org tahrir.websocket.topic = org.fedoraproject.stg.fedbadges.badge.award {% else %} tahrir.title = Fedora Badges tahrir.base_url = https://badges.fedoraproject.org tahrir.openid_identifier = http://id.fedoraproject.org/ +tahrir.trusted_openid = ^http(s)?:\/\/([a-zA-Z0-9]+\.)?id\.fedoraproject\.org(/)?$ tahrir.openid_realm = https://badges.fedoraproject.org tahrir.websocket.topic = org.fedoraproject.prod.fedbadges.badge.award {% endif %} @@ -74,8 +76,8 @@ tahrir.social.twitter_user_hash = #fedora tahrir.social.gplus = True -session.secret="${tahrirSessionSecret}" -authnsecret="${tahrirAuthnSecret}" +session.secret="{{tahrirSessionSecret}}" +authnsecret="{{tahrirAuthnSecret}}" moksha.domain = fedoraproject.org diff --git a/roles/base/files/resolv.conf/telia b/roles/base/files/resolv.conf/telia new file mode 100644 index 0000000000..11dff40bd1 --- /dev/null +++ b/roles/base/files/resolv.conf/telia 
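Review bot: The staging `tahrir.trusted_openid` pattern matches `stg.id.fedoraproject.org`, but the staging `tahrir.openid_identifier` two lines above is `http://id.stg.fedoraproject.org/`; unless the staging OP really issues identities under `stg.id.…`, every staging login will fail the trust check (or, worse, the check is never exercised and the mismatch goes unnoticed). The `.` between `stg` and `id` is also unescaped. Suggested staging line: `tahrir.trusted_openid = ^https?:\/\/([a-zA-Z0-9]+\.)?id\.stg\.fedoraproject\.org(/)?$`, and since util.py in this same commit moves the OpenID endpoint to https, consider dropping the `http` alternative and switching both `tahrir.openid_identifier` values to https as well.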
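Review bot: Before this fix `session.secret` and `authnsecret` were the literal strings `${tahrirSessionSecret}` and `${tahrirAuthnSecret}` — `${}` is not Jinja, so the template emitted them verbatim — which is a publicly known secret; if that template was ever deployed, any auth ticket or session issued under it should be treated as forgeable, and the same holds for the database password in the `sqlalchemy.url` hunk above. Rotating to the rendered values invalidates those tickets, which is the desired effect, but also verify that the rendered secrets are long random values and differ between staging and production, and note in the template that `{{ }}` is mandatory here: `# Jinja2: use {{ var }}; ${var} is emitted literally`.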
@@ -0,0 +1,4 @@
+search vpn.fedoraproject.org fedoraproject.org
+nameserver 213.248.76.210
+nameserver 152.3.182.5
+options rotate timeout:1
diff --git a/roles/base/files/resolv.conf/tummy b/roles/base/files/resolv.conf/tummy
new file mode 100644
index 0000000000..246626e3f0
--- /dev/null
+++ b/roles/base/files/resolv.conf/tummy
@@ -0,0 +1,4 @@
+search vpn.fedoraproject.org fedoraproject.org
+nameserver 198.49.126.1
+nameserver 66.35.36.133
+options rotate timeout:1
diff --git a/roles/base/files/rsyslog/rsyslog-audit.conf b/roles/base/files/rsyslog/rsyslog-audit.conf
new file mode 100644
index 0000000000..8e6c2f5b18
--- /dev/null
+++ b/roles/base/files/rsyslog/rsyslog-audit.conf
@@ -0,0 +1,13 @@
+# monitor auditd log and send out over local6 to central loghost
+$ModLoad imfile.so
+
+# auditd audit.log
+$InputFileName /var/log/audit/audit.log
+$InputFileTag tag_audit_log:
+$InputFileStateFile audit_log
+$InputFileSeverity info
+$InputFileFacility local6
+$InputRunFileMonitor
+
+:msg, !contains, "type=AVC"
+local6.* @@log02:514
diff --git a/roles/base/files/rsyslog/rsyslog-disablerate.conf b/roles/base/files/rsyslog/rsyslog-disablerate.conf
new file mode 100644
index 0000000000..e7c93530c2
--- /dev/null
+++ b/roles/base/files/rsyslog/rsyslog-disablerate.conf
@@ -0,0 +1,3 @@
+# Disable rate limiting
+$IMUXSockRateLimitInterval 0
+$SystemLogRateLimitInterval 0
diff --git a/roles/base/files/rsyslog/rsyslog-log02.conf b/roles/base/files/rsyslog/rsyslog-log02.conf
new file mode 100644
index 0000000000..8338bfed72
--- /dev/null
+++ b/roles/base/files/rsyslog/rsyslog-log02.conf
@@ -0,0 +1,4 @@
+#
+# Send everything on to central log02 logger machines
+#
+cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514
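Review bot: `:msg, !contains, "type=AVC"` is now a filter with no action on its line — the `~` discard that followed it in the old rsyslog.conf (visible as a removed line in the f20 hunk further down) is gone — so rsyslog will either reject this snippet at startup or, if it reads the action from the next line, pair a property filter with a facility selector, which is not valid either; in both cases the "forward only AVC records" intent is lost, and if the file loads at all every local6 line goes to log02. Restoring the `~` is not the answer now that these snippets are included before the local file rules, because a discard here would also drop non-AVC messages from /var/log/messages. Express it as one rule instead, e.g. `if $syslogfacility-text == 'local6' and $msg contains 'type=AVC' then @@log02:514` (RainerScript filters, available since rsyslog 3.12) or, in legacy form, `:msg, contains, "type=AVC" @@log02:514`, and add a comment stating that only AVC records are meant to leave the host.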
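Review bot: `@@log02:514` ships `authpriv.*`, `kern.*` and everything at info or above over plain TCP with no transport protection, so sudo/ssh authentication records (and the audit stream from rsyslog-audit.conf) are readable and spoofable by anything on the path; the `vpn.fedoraproject.org` entries in the new resolv.conf files suggest an internal network or VPN is assumed, but nothing here says so. State the assumption above the rule, e.g. `# plain TCP: acceptable only because log02 is reached over the internal network/VPN; switch to $DefaultNetstreamDriver gtls with $ActionSendStreamDriverMode 1 if that changes`. The action also lost its disk-assisted queue: the `$ActionQueueFileName`/`$ActionQueueSaveOnShutdown`/`$ActionResumeRetryCount -1` lines are commented out in the main configs below, so with the default direct queue messages are dropped while log02 is unreachable — those directives belong in this file, immediately above the rule, since they bind to the next action.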
diff --git a/roles/base/files/rsyslog/rsyslog.conf.releng b/roles/base/files/rsyslog/rsyslog.conf.default similarity index 60% rename from roles/base/files/rsyslog/rsyslog.conf.releng rename to roles/base/files/rsyslog/rsyslog.conf.default index 2c2852ddd1..36cea98f0e 100644 --- a/roles/base/files/rsyslog/rsyslog.conf.releng +++ b/roles/base/files/rsyslog/rsyslog.conf.default @@ -1,20 +1,20 @@ -#rsyslog v3 config file +# rsyslog v5 configuration file -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### -$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) -$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception -#$ModLoad imudp.so +#$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception -#$ModLoad imtcp.so +#$ModLoad imtcp #$InputTCPServerRun 514 @@ -23,6 +23,14 @@ $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat +# File syncing capability is disabled by default. This feature is usually not required, +# not useful and an extreme performance hit +#$ActionFileEnableSync on + +# Include all config files in /etc/rsyslog.d/ +$IncludeConfig /etc/rsyslog.d/*.conf + + #### RULES #### # Log all kernel messages to the console. 
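Review bot: `$IncludeConfig /etc/rsyslog.d/*.conf` is placed before `#### RULES ####`, so every snippet dropped into rsyslog.d is processed ahead of the local `/var/log/*` rules: a discard (`~` or `& ~`) in a snippet silences local logging, and a `$ActionQueue*` directive in a snippet binds to whichever action follows it, possibly in another file. Say so at the include point, e.g. `# NOTE: included snippets run BEFORE the local file rules below — never discard (~) in them`, since the previous per-host files kept all of this in one place where the ordering was visible.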
@@ -31,7 +39,7 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Log anything (except mail) of level info or higher. # Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages +*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure @@ -52,6 +60,7 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple @@ -60,14 +69,12 @@ local7.* /var/log/boot.log # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down +#$WorkDirectory /var/lib/rsyslog # where to place spool files +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - 
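Review bot: `$WorkDirectory /var/lib/rsyslog` is commented out together with the queue directives, but the imfile input in the new rsyslog-audit.conf still declares `$InputFileStateFile audit_log`, a relative name resolved against the work directory; with no `$WorkDirectory` set the state file lands in rsyslog's compiled-in default (the daemon's working directory, which is `/` on the EL6 builds I know of — confirm), and any disk queue added later would too. Keep `$WorkDirectory /var/lib/rsyslog` active in the GLOBAL DIRECTIVES section, as the f20 variant in this commit does, and leave only the `$ActionQueue*` lines disabled here with a comment pointing at where the queue is now meant to be configured.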
diff --git a/roles/base/files/rsyslog/rsyslog.conf.kojibuilder b/roles/base/files/rsyslog/rsyslog.conf.el6 similarity index 59% rename from roles/base/files/rsyslog/rsyslog.conf.kojibuilder rename to roles/base/files/rsyslog/rsyslog.conf.el6 index 9719770987..36cea98f0e 100644 --- a/roles/base/files/rsyslog/rsyslog.conf.kojibuilder +++ b/roles/base/files/rsyslog/rsyslog.conf.el6 
@@ -1,38 +1,35 @@ -#rsyslog v3 config file +# rsyslog v5 configuration file -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### -$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) -$ModLoad imjournal # provides access to the systemd journal -$ModLoad imklog # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception -#$ModLoad imudp.so +#$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception -#$ModLoad imtcp.so +#$ModLoad imtcp #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### -# Include all config files in /etc/rsyslog.d/ -$IncludeConfig /etc/rsyslog.d/*.conf - # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat -# Turn off message reception via local log socket; -# local messages are retrieved through imjournal now. -$OmitLocalLogging on +# File syncing capability is disabled by default. This feature is usually not required, +# not useful and an extreme performance hit +#$ActionFileEnableSync on + +# Include all config files in /etc/rsyslog.d/ +$IncludeConfig /etc/rsyslog.d/*.conf -# File to store the position in the journal -$StateFile imjournal.state #### RULES #### 
@@ -42,7 +39,7 @@ $StateFile imjournal.state # Log anything (except mail) of level info or higher. # Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages +*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure @@ -63,6 +60,7 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple @@ -71,14 +69,12 @@ local7.* /var/log/boot.log # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down +#$WorkDirectory /var/lib/rsyslog # where to place spool files +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - 
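Review bot: `rsyslog.conf.default` and `rsyslog.conf.el6` end up as the same blob (`36cea98f0e` in both `index` lines), so this commit leaves two identical files to keep in sync by hand. Either drop `.el6` and let the role's per-distribution lookup fall back to `.default`, or generate one from the other (a `copy`/`file state=link` task) and mark it: `# identical to rsyslog.conf.default; exists only so the per-distribution lookup finds a file`.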
diff --git a/roles/base/files/rsyslog/rsyslog.conf b/roles/base/files/rsyslog/rsyslog.conf.f20 similarity index 55% rename from roles/base/files/rsyslog/rsyslog.conf rename to roles/base/files/rsyslog/rsyslog.conf.f20 index a1d425816f..6972b4d369 100644 --- a/roles/base/files/rsyslog/rsyslog.conf +++ b/roles/base/files/rsyslog/rsyslog.conf.f20 
@@ -1,32 +1,47 @@ -#rsyslog v3 config file +# rsyslog v5 configuration file -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### -$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) -$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability +# The imjournal module bellow is now used as a message source instead of imuxsock. +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imjournal # provides access to the systemd journal +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception -#$ModLoad imudp.so +#$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception -#$ModLoad imtcp.so +#$ModLoad imtcp #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### +# Where to place auxiliary files +$WorkDirectory /var/lib/rsyslog + # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat -# File syncing capability is disabled by default. This feature is usually not required, +# File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on +# Include all config files in /etc/rsyslog.d/ +$IncludeConfig /etc/rsyslog.d/*.conf + +# Turn off message reception via local log socket; +# local messages are retrieved through imjournal now. +$OmitLocalLogging on + +# File to store the position in the journal +$IMJournalStateFile imjournal.state + #### RULES #### 
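Review bot: The new header says `# rsyslog v5 configuration file`, but the directives in this hunk — `imjournal`, `$OmitLocalLogging`, `$IMJournalStateFile`, plus `:omusrmsg:*` further down — exist only in rsyslog 7.x, which is what Fedora 20 ships; change it to `# rsyslog v7 configuration file (Fedora 20: the journal is the local message source)` so nobody copies these lines into the v5 variants. Note also that the shared rsyslog-disablerate.conf only zeroes `$IMUXSockRateLimitInterval`/`$SystemLogRateLimitInterval`; with `$OmitLocalLogging on` local messages arrive via imjournal, whose own limiter (`$imjournalRatelimitInterval`) is left at its default, so bursty hosts may still lose journal messages — confirm against the installed version.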
@@ -36,7 +51,7 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Log anything (except mail) of level info or higher. # Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages +*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure @@ -49,7 +64,7 @@ mail.* -/var/log/maillog cron.* /var/log/cron # Everybody gets emergency messages -*.emerg * +*.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler @@ -57,16 +72,6 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log -# monitor auditd log and send out over local6 to central loghost -$ModLoad imfile.so - -# auditd audit.log -$InputFileName /var/log/audit/audit.log -$InputFileTag tag_audit_log: -$InputFileStateFile audit_log -$InputFileSeverity info -$InputFileFacility local6 -$InputRunFileMonitor # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding 
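Review bot: Dropping the imfile input for `/var/log/audit/audit.log` in the last hunk here, together with the `@@log02:514` forwarding rules removed in the next hunk (L99), leaves the f20 file with no path to the central loghost and no audit-log shipping, and nothing else in this commit re-adds them. Presumably an rsyslog.d drop-in picked up by the new `with_fileglob: rsyslog/*.conf` task carries those rules; if it does, name it in the commit message, and if it does not, f20 hosts silently stop forwarding auth, cron and audit events. Note that the old discard rule `:msg, !contains, "type=AVC" ~` sat after the general forwarding line so that only the following `local6.* @@log02:514` saw the filtered stream; a replacement drop-in has to keep that ordering or it discards non-AVC messages for every rule after it.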
@@ -76,22 +81,11 @@ $InputRunFileMonitor # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down - -# Disable rate limiting -$IMUXSockRateLimitInterval 0 -$SystemLogRateLimitInterval 0 - +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - -:msg, !contains, "type=AVC" ~ -local6.* @@log02:514 - diff --git a/roles/base/files/rsyslog/rsyslog.conf.phx2 b/roles/base/files/rsyslog/rsyslog.conf.phx2 deleted file mode 100644 index a1d425816f..0000000000 --- a/roles/base/files/rsyslog/rsyslog.conf.phx2 +++ /dev/null 
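Review bot: `$IMUXSockRateLimitInterval 0` and `$SystemLogRateLimitInterval 0` are removed without a counterpart for the imjournal path the new file switches to, so bursts such as audit or kernel floods may now be rate-limited by journald before rsyslog sees them. If disabling rate limiting was deliberate on these hosts, the equivalent setting belongs in the new file or a drop-in with a comment stating that intent; if journald's defaults are acceptable, a one-line comment saying so would stop the next reader from reinstating the old lines. The `$WorkDirectory` removed here is re-added near the top of the file in the first hunk (L97), so that part is fine.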
@@ -1,97 +0,0 @@ -#rsyslog v3 config file - -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance - -#### MODULES #### - -$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) -$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability - -# Provides UDP syslog reception -#$ModLoad imudp.so -#$UDPServerRun 514 - -# Provides TCP syslog reception -#$ModLoad imtcp.so -#$InputTCPServerRun 514 - - -#### GLOBAL DIRECTIVES #### - -# Use default timestamp format -$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat - -# File syncing capability is disabled by default. This feature is usually not required, -# not useful and an extreme performance hit -#$ActionFileEnableSync on - - -#### RULES #### - -# Log all kernel messages to the console. -# Logging much else clutters up the screen. -#kern.* /dev/console - -# Log anything (except mail) of level info or higher. -# Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages - -# The authpriv file has restricted access. -authpriv.* /var/log/secure - -# Log all the mail messages in one place. -mail.* -/var/log/maillog - - -# Log cron stuff -cron.* /var/log/cron - -# Everybody gets emergency messages -*.emerg * - -# Save news errors of level crit and higher in a special file. -uucp,news.crit /var/log/spooler - -# Save boot messages also to boot.log -local7.* /var/log/boot.log - -# monitor auditd log and send out over local6 to central loghost -$ModLoad imfile.so - -# auditd audit.log -$InputFileName /var/log/audit/audit.log -$InputFileTag tag_audit_log: -$InputFileStateFile audit_log -$InputFileSeverity info -$InputFileFacility local6 -$InputRunFileMonitor - -# ### begin forwarding rule ### -# The statement between the begin ... end define a SINGLE forwarding -# rule. They belong together, do NOT split them. 
If you create multiple -# forwarding rules, duplicate the whole block! -# Remote Logging (we use TCP for reliable delivery) -# -# An on-disk queue is created for this action. If the remote host is -# down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down - -# Disable rate limiting -$IMUXSockRateLimitInterval 0 -$SystemLogRateLimitInterval 0 - -# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional -#*.* @@remote-host:514 -# ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - -:msg, !contains, "type=AVC" ~ -local6.* @@log02:514 - diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 4d11550d88..b46dca12bc 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -32,7 +32,7 @@ user: name=root password={{ rootpw }} state=present tags: - rootpw - when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng')) + when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng') or inventory_hostname.startswith('arm')) - name: add ansible root key authorized_key: user=root key="{{ item }}" @@ -106,11 +106,8 @@ - name: rsyslog.conf copy: src={{ item }} dest=/etc/rsyslog.conf mode=644 first_available_file: - - "{{ rsyslogconf }}" - - rsyslog/rsyslog.conf.{{ ansible_fqdn }} - - rsyslog/rsyslog.conf.{{ host_group }} - - rsyslog/rsyslog.conf.{{ datacenter }} - - rsyslog/rsyslog.conf + - rsyslog/rsyslog.conf.{{ dist_tag }} + - rsyslog/rsyslog.conf.default notify: - restart rsyslog 
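Review bot: The new `first_available_file` list drops the `{{ rsyslogconf }}`, fqdn, host_group and datacenter overrides and falls through to `rsyslog/rsyslog.conf.default`, which this commit does not create (the old `rsyslog.conf` is renamed to `.f20` and the `.phx2` copy is deleted); unless that file already exists in the role, every non-f20 host fails this task, and if it does exist, hosts that previously matched a per-host or per-datacenter file silently move to it. Either add `rsyslog.conf.default` in this commit or keep `rsyslog/rsyslog.conf.{{ ansible_fqdn }}` ahead of the `dist_tag` entry so per-host exceptions remain possible. The `when:` change in the first hunk on this line also widens the root-password skip to every host whose name starts with `arm`; a comment saying where those hosts get their password instead (presumably the koji_builder role's `builder_rootpw`, L117) would help.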
@@ -118,6 +115,16 @@ - rsyslogd - config +- name: add rsyslog config to /etc/rsyslog.d + copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644 + with_fileglob: + - rsyslog/*.conf + notify: + - restart rsyslog + tags: + - rsyslogd + - config + - name: /etc/postfix/main.cf copy: src={{ item }} dest=/etc/postfix/main.cf first_available_file: diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder index 613dd5c516..b64e116551 100644 --- a/roles/base/templates/iptables/iptables.kojibuilder +++ b/roles/base/templates/iptables/iptables.kojibuilder @@ -47,6 +47,12 @@ -A INPUT -p tcp -m tcp -s 10.5.0.0/16 --dport 22 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.0.0/16 --sport 22 -j ACCEPT +# for ansible accelerate mode - allow port 5099 from lockbox and it's ips +-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT + # git to pkgs -A OUTPUT -m tcp -p tcp --dport 9418 -d 10.5.125.44 -j ACCEPT -A OUTPUT -m udp -p udp --dport 9418 -d 10.5.125.44 -j ACCEPT diff --git a/roles/debug_env/tasks/main.yml b/roles/debug_env/tasks/main.yml new file mode 100644 index 0000000000..33dc4ebb8e --- /dev/null +++ b/roles/debug_env/tasks/main.yml @@ -0,0 +1,7 @@ +# +# This role can be added to a playbook to dump out all +# the env from ansible to see what variables and facts are. +# Taken from https://coderwall.com/p/13lh6w +# +- name: Dump all ansible vars + template: src=dumpall.j2 dest=/tmp/debug_env.out diff --git a/roles/debug_env/templates/dumpall.j2 b/roles/debug_env/templates/dumpall.j2 new file mode 100644 index 0000000000..470394828c --- /dev/null +++ b/roles/debug_env/templates/dumpall.j2 
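Review bot: The four new `-A INPUT ... --dport 5099` rules have no matching OUTPUT rule, while the surrounding file pairs each INPUT accept with an `-A OUTPUT ... --sport` accept (see the port 22 lines at the top of the hunk); if the OUTPUT chain is not default-accept and has no ESTABLISHED rule outside this hunk, replies from the accelerate daemon are dropped. Add `-A OUTPUT -p tcp -m tcp --sport 5099 -d <address> -j ACCEPT` per source, or state in the comment that OUTPUT is open for established traffic. Also `it's` in the comment should be `its`, and the four addresses would be easier to audit with a word per line saying which lockbox interface each one is.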
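Review bot: `template: src=dumpall.j2 dest=/tmp/debug_env.out` writes `hostvars` for every host in the inventory (see the template hunk on L103) to a world-readable path with the default mode, and those vars include secrets this same commit introduces, such as `fedoauth_db_pass` and `fedoauth_persona_key_passphrase`. At minimum set `mode=0600 owner=root group=root` on the task, and consider rendering somewhere other than shared `/tmp` or removing the file in a follow-up task once it has been read. A comment in the role noting that the output contains credentials and must not be left on the host or attached to tickets would make the risk visible to whoever adds the role to a playbook.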
@@ -0,0 +1,19 @@ +Module Variables ("vars"): +-------------------------------- +{{ vars | to_nice_json }} + +Environment Variables ("environment"): +-------------------------------- +{{ environment | to_nice_json }} + +GROUP NAMES Variables ("group_names"): +-------------------------------- +{{ group_names | to_nice_json }} + +GROUPS Variables ("groups"): +-------------------------------- +{{ groups | to_nice_json }} + +HOST Variables ("hostvars"): +-------------------------------- +{{ hostvars | to_nice_json }} diff --git a/roles/fedmsg_base/files/selinux/fedmsg.mod b/roles/fedmsg_base/files/selinux/fedmsg.mod new file mode 100644 index 0000000000..13953aa520 Binary files /dev/null and b/roles/fedmsg_base/files/selinux/fedmsg.mod differ diff --git a/roles/fedmsg_base/files/selinux/fedmsg.pp b/roles/fedmsg_base/files/selinux/fedmsg.pp new file mode 100644 index 0000000000..7620bdf0fd Binary files /dev/null and b/roles/fedmsg_base/files/selinux/fedmsg.pp differ diff --git a/roles/fedmsg_base/files/selinux/fedmsg.te b/roles/fedmsg_base/files/selinux/fedmsg.te new file mode 100644 index 0000000000..ba2a3c12ff --- /dev/null +++ b/roles/fedmsg_base/files/selinux/fedmsg.te @@ -0,0 +1,11 @@ + +module fedmsg 1.0; + +require { + type anon_inodefs_t; + type httpd_t; + class file write; +} + +#============= httpd_t ============== +allow httpd_t anon_inodefs_t:file write; diff --git a/roles/fedmsg_base/tasks/main.yml b/roles/fedmsg_base/tasks/main.yml index e2d73fca73..11afc58fc7 100644 --- a/roles/fedmsg_base/tasks/main.yml +++ b/roles/fedmsg_base/tasks/main.yml @@ -19,6 +19,7 @@ with_items: - ssl.py - endpoints.py + - endpoints-fedocal.py - endpoints-fedbadges.py - endpoints-nuancier.py - endpoints-mailman.py 
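Review bot: The policy module gives no indication of which denial it works around; a comment above the rule such as `# httpd_t (mod_wsgi apps publishing fedmsg) writing an anonymous inode, likely an eventfd used by zmq; from audit2allow on <host placeholder> — confirm from the AVC` would let a future reviewer decide whether the rule is still needed. The compiled `fedmsg.mod` and `fedmsg.pp` are committed as opaque binaries alongside the source, so nothing guarantees they were built from this `.te`; building them on the target with `checkmodule`/`semodule_package` in the tasks that install the module (L104), or at least recording the build command in the `.te` header, would make the installed policy reviewable.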
@@ -69,3 +70,15 @@ when: fedmsg_certs != [] tags: - config + +# Three tasks for handling our custom selinux module +- name: ensure a directory exists for our custom selinux module + file: dest=/usr/local/share/fedmsg state=directory + +- name: copy over our custom selinux module + copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp + register: selinux_module + +- name: install our custom selinux module + command: semodule -i /usr/local/share/fedmsg/fedmsg.pp + when: selinux_module|changed diff --git a/roles/fedmsg_base/templates/endpoints-fedocal.py.j2 b/roles/fedmsg_base/templates/endpoints-fedocal.py.j2 new file mode 100644 index 0000000000..f213dcc25d --- /dev/null +++ b/roles/fedmsg_base/templates/endpoints-fedocal.py.j2 @@ -0,0 +1,20 @@ +{% if env == 'staging' %} +suffix = 'stg.phx2.fedoraproject.org' +{% else %} +suffix = 'phx2.fedoraproject.org' +{% endif %} + +config = dict( + endpoints={ + "fedocal.fedocal01": [ + "tcp://fedocal01.%s:30%02i" % (suffix, i) + for i in range(2) + ], +{% if env != 'staging' %} + "fedocal.fedocal02": [ + "tcp://fedocal02.%s:30%02i" % (suffix, i) + for i in range(2) + ], +{% endif %} + }, +) diff --git a/roles/fedmsg_base/templates/endpoints.py.j2 b/roles/fedmsg_base/templates/endpoints.py.j2 index e3f9ccb62a..ca867b88cb 100644 --- a/roles/fedmsg_base/templates/endpoints.py.j2 +++ b/roles/fedmsg_base/templates/endpoints.py.j2 @@ -45,10 +45,6 @@ config = dict( "tcp://app05.%s:300%i" % (non_phx_suffix, i) for i in range(8) ], - "bodhi.app06": [ - "tcp://app06.%s:300%i" % (non_phx_suffix, i) - for i in range(8) - ], "bodhi.app07": [ "tcp://app07.%s:300%i" % (suffix, i) for i in range(8) 
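Review bot: The three new tasks carry no `tags:`, while the neighbouring task at the top of the hunk (`when: fedmsg_certs != []`) is tagged `config`, so a run with `--tags config` skips the module install and a host can end up with the `.pp` copied but not loaded; add `tags: - config` to all three. `semodule -i` is also keyed only on `selinux_module|changed`: if the module is later removed on the host (policy package upgrade, manual `semodule -r`), the unchanged file never triggers a reinstall, so a registered `command: semodule -l` check feeding the `when:` would make the task self-healing. A one-line comment saying the module exists to satisfy the `httpd_t anon_inodefs_t:file write` denial would tie these tasks to the `.te` source.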
@@ -66,20 +62,20 @@ config = dict( "tcp://relepel01.%s:3001" % suffix, ], {% endif %} - # FAS is a little out of the ordinary. It has 32 endpoints instead of + # FAS is a little out of the ordinary. It has 40 endpoints instead of # the usual 8 since there are so many mod_wsgi processes for it. "fas.fas01": [ "tcp://fas01.%s:30%02i" % (suffix, i) - for i in range(32) + for i in range(40) ], {% if env != 'staging' %} "fas.fas02": [ "tcp://fas02.%s:30%02i" % (suffix, i) - for i in range(32) + for i in range(40) ], "fas.fas03": [ "tcp://fas03.%s:30%02i" % (suffix, i) - for i in range(32) + for i in range(40) ], {% endif %} # Well, fedoratagger needs 32 endpoints too, just like FAS. diff --git a/roles/fedmsg_base/templates/pkgdb.py.j2 b/roles/fedmsg_base/templates/pkgdb.py.j2 index 4b5914b1be..cef1d8fe0e 100644 --- a/roles/fedmsg_base/templates/pkgdb.py.j2 +++ b/roles/fedmsg_base/templates/pkgdb.py.j2 @@ -10,36 +10,32 @@ config = dict( endpoints={ "pkgdb.app01": [ "tcp://app01.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app02": [ "tcp://app02.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], {% if not env == 'staging' %} "pkgdb.app03": [ "tcp://app03.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app04": [ "tcp://app04.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app05": [ "tcp://app05.%s:301%i" % (non_phx_suffix, i) - for i in range(6) - ], - "pkgdb.app06": [ - "tcp://app06.%s:301%i" % (non_phx_suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app07": [ "tcp://app07.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app08": [ "tcp://app08.%s:301%i" % (non_phx_suffix, i) - for i in range(6) + for i in range(10) ], {% endif %} }, diff --git a/roles/fedmsg_base/templates/relay.py.j2 b/roles/fedmsg_base/templates/relay.py.j2 index 0b13e2ac92..c4694c3467 100644 --- a/roles/fedmsg_base/templates/relay.py.j2 
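Review bot: The trailing context line `# Well, fedoratagger needs 32 endpoints too, just like FAS.` is now wrong, since this hunk moves FAS to 40 endpoints while fedoratagger presumably stays at 32; update it to `# fedoratagger needs 32 endpoints, the count FAS used to have.` or similar so the two comments do not contradict each other. The same count bump in pkgdb.py.j2 (6 to 10, next hunk on this line) has no comment at all; a one-liner relating the endpoint count to the mod_wsgi process count, like the FAS comment does, would explain where the number comes from.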
+++ b/roles/fedmsg_base/templates/relay.py.j2 @@ -31,7 +31,7 @@ config = dict( "tcp://app01.%s:3998" % suffix, # Scripts from the vpn (people03) connect here - "tcp://app01.vpn.fedoraproject.org:3998", + #"tcp://app01.vpn.fedoraproject.org:3998", # Scripts from outside connect here (coprs, secondary arch composes) "tcp://busgateway01.%s:9941" % suffix, diff --git a/roles/fedmsg_base/templates/ssl.py.j2 b/roles/fedmsg_base/templates/ssl.py.j2 index ac51ce850e..f3455dc9c1 100644 --- a/roles/fedmsg_base/templates/ssl.py.j2 +++ b/roles/fedmsg_base/templates/ssl.py.j2 @@ -14,7 +14,6 @@ app_hosts = [ "app03.phx2.fedoraproject.org", "app04.phx2.fedoraproject.org", "app05.fedoraproject.org", - "app06.fedoraproject.org", "app07.phx2.fedoraproject.org", "app08.fedoraproject.org", ] @@ -144,6 +143,7 @@ config = dict( # since it is an openstack node. This might be a little fragile. :/ # See https://github.com/fedora-infra/fedmsg/issues/199 for the plan. ("copr.copr-be-i-00000407", "copr-copr-be.cloud.fedoraproject.org"), + ("copr.copr-be", "copr-copr-be.cloud.fedoraproject.org"), ]), routing_policy={ # The gist here is that only messages signed by the diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml new file mode 100644 index 0000000000..2c59658164 --- /dev/null +++ b/roles/fedoauth/tasks/main.yml 
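Review bot: Adding `("copr.copr-be", "copr-copr-be.cloud.fedoraproject.org")` next to the instance-id entry means two signing names now map to the same host, and the comment above still says the instance-id form is a fragile workaround; say which one is current, e.g. `# copr-be now signs as copr.copr-be; the instance-id entry is kept for in-flight messages — drop after <date placeholder>`, so the stale name is pruned rather than accumulating. Given the `routing_policy` comment that follows, this mapping feeds which signer is accepted for copr messages, so keeping the alias list minimal is the cheaper control. The commented-out `app01.vpn` endpoint in relay.py.j2 (first hunk on this line) would likewise benefit from a comment saying why it is disabled instead of a bare `#`.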
@@ -0,0 +1,64 @@ +--- +# Configuration for the fedoauth webapp + +- name: clean yum metadata + command: yum clean all + tags: + - packages + +- name: install needed packages + yum: pkg={{ item }} state=installed + with_items: + - fedoauth + - fedoauth-template-fedora + - fedoauth-backend-fedora + - python-psycopg2 + - libsemanage-python + tags: + - packages + +- name: copy fedoauth configuration + template: src=fedoauth.cfg + dest=/etc/fedoauth/fedoauth.cfg + owner=fedoauth group=fedoauth mode=0600 + when: env != "staging" + tags: + - config + notify: + - restart apache + +- name: copy fedoauth STG configuration + template: src=fedoauth.stg.cfg + dest=/etc/fedoauth/fedoauth.cfg + owner=fedoauth group=fedoauth mode=0600 + when: env == "staging" + tags: + - config + notify: + - restart apache + +- name: copy fedoauth private key + copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key + owner=fedoauth group=fedoauth mode=0600 + when: env != "staging" + +- name: copy fedoauth STG private key + copy: src={{ private }}/files/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.stg.key + owner=fedoauth group=fedoauth mode=0600 + when: env == "staging" + +- name: create the database scheme + hosts: fedoauth01.phx2.fedoraproject.org:fedoauth01.stg.phx2.fedoraproject.org + command: /usr/bin/python2 /usr/share/fedoauth/createdb.py + environment: + FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg + +- name: set sebooleans so fedoauth can talk to the db + action: seboolean name=httpd_can_network_connect_db + state=true + persistent=true + +- name: apply selinux type to the wsgi file + file: > + dest=/usr/share/fedoauth/fedoauth.wsgi + setype=httpd_sys_content_t diff --git a/roles/fedoauth/templates/fedoauth.cfg b/roles/fedoauth/templates/fedoauth.cfg new file mode 100644 index 0000000000..9241352565 --- /dev/null +++ b/roles/fedoauth/templates/fedoauth.cfg 
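Review bot: `hosts:` inside the `create the database scheme` task is a play-level keyword, not a task option, so Ansible either rejects or ignores it and the task is not limited to fedoauth01; combined with a plain `command:` that has no `creates=` or `changed_when`, `createdb.py` runs on every host in the play on every run. Replace it with a condition on the host, e.g. `when: inventory_hostname.startswith('fedoauth01')`, and make the command idempotent with a `creates=` marker or a registered check. The unconditional `command: yum clean all` at the top also reports changed on every run; `changed_when: False` keeps check and diff output honest. The `mode=0600` on the private-key and config copies is right, since both the key and the rendered config (DB password, key passphrase) are secrets.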
@@ -0,0 +1,52 @@ +# Beware that the quotes around the values are mandatory + +# GENERAL CONFIGURATION +### url to the database server: +SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}" +#SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite' +#SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name' +#SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name' + +# This is the OpenID endpoint url, at which the server is available +WEBSITE_ROOT = 'https://id.fedoraproject.org' +COOKIE_DOMAIN = 'id.fedoraproject.org' +COOKIE_SECURE = True +OPENID_IDENTITY_URL = 'http://%(username)s.id.fedoraproject.org/' + +# Modules to use +AUTH_MODULE='fedoauth.auth.fas.Auth_FAS' + +# FAS PROVIDER CONFIGURATION +FAS_USER_AGENT = 'FAS-OpenID' +FAS_BASE_URL='https://admin.fedoraproject.org/accounts/' +FAS_CHECK_CERT=False +FAS_HTTPS_REQUIRED=False + +# Enable a filter to make this only available to a specific list of users +FAS_AVAILABLE_FILTER = False +FAS_AVAILABLE_TO = [] + +# PERSONA CONFIGURATION +# This is the domain for which we are willing to sign +PERSONA_DOMAIN = 'fedoraproject.org' +PERSONA_ISSUER = 'id.fedoraproject.org' +PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key' +PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' + +# OPENID CONFIGURATION +# This is the OpenID url provided to users. 
Add %(username)s where the username should be entered +# A list of trust roots for which the user will not need to confirm again +OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin', + 'https://ask.fedoraproject.org/', + 'https://fedorahosted.org/', + 'https://badges.fedoraproject.org', + 'https://apps.fedoraproject.org/tagger/', + 'https://apps.fedoraproject.org/nuancier/', + 'https://apps.fedoraproject.org/datagrepper/', + 'https://apps.fedoraproject.org/calendar/', + 'https://apps.fedoraproject.org/notifications/', + 'http://copr.fedoraproject.org/', + 'http://copr-fe.cloud.fedoraproject.org/'] +OPENID_NON_TRUSTED_ROOTS = [] +### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit) +OPENID_MAX_AUTH_TIME = 120 diff --git a/roles/fedoauth/templates/fedoauth.stg.cfg b/roles/fedoauth/templates/fedoauth.stg.cfg new file mode 100644 index 0000000000..bd2bc27ca6 --- /dev/null +++ b/roles/fedoauth/templates/fedoauth.stg.cfg 
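Review bot: `FAS_CHECK_CERT=False` and `FAS_HTTPS_REQUIRED=False` turn off TLS verification for the identity provider's calls to `https://admin.fedoraproject.org/accounts/`, which is where users' FAS credentials are checked, so an on-path attacker between id.fedoraproject.org and FAS could impersonate the account system; unless the FAS endpoint genuinely cannot present a verifiable certificate, set `FAS_CHECK_CERT=True` and `FAS_HTTPS_REQUIRED=True`, and if it cannot, leave a comment stating why and a date to revisit. `OPENID_TRUSTED_ROOTS` also contains plain `http://` entries (the jenkins and copr roots), which per the comment above skip the user's confirmation and deliver the OpenID assertion to an unencrypted return URL; each should be `https://` or moved out of the trusted list. The staging template (L110-L111) duplicates this file nearly line for line; a single template with `{% if env == 'staging' %}` around the handful of differing values, as `endpoints-fedocal.py.j2` (L104) does, would keep the two from drifting.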
@@ -0,0 +1,52 @@ +# Beware that the quotes around the values are mandatory + +# GENERAL CONFIGURATION +### url to the database server: +SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}" +#SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite' +#SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name' +#SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name' + +# This is the OpenID endpoint url, at which the server is available +WEBSITE_ROOT = 'https://id.stg.fedoraproject.org' +COOKIE_DOMAIN = 'id.stg.fedoraproject.org' +COOKIE_SECURE = True +OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/' + +# Modules to use +AUTH_MODULE='fedoauth.auth.fas.Auth_FAS' + +# FAS PROVIDER CONFIGURATION +FAS_USER_AGENT = 'FAS-OpenID' +FAS_BASE_URL='https://admin.fedoraproject.org/accounts/' +FAS_CHECK_CERT=False +FAS_HTTPS_REQUIRED=False + +# Enable a filter to make this only available to a specific list of users +FAS_AVAILABLE_FILTER = False +FAS_AVAILABLE_TO = [] + +# PERSONA CONFIGURATION +# This is the domain for which we are willing to sign +PERSONA_DOMAIN = 'stg.fedoraproject.org' +PERSONA_ISSUER = 'id.stg.fedoraproject.org' +PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key' +PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' + +# OPENID CONFIGURATION +# This is the OpenID url provided to users. 
Add %(username)s where the username should be entered +# A list of trust roots for which the user will not need to confirm again +OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin', + 'https://ask.fedoraproject.org/', + 'https://fedorahosted.org/', + 'https://badges.fedoraproject.org', + 'https://apps.fedoraproject.org/tagger/', + 'https://apps.fedoraproject.org/nuancier/', + 'https://apps.fedoraproject.org/datagrepper/', + 'https://apps.fedoraproject.org/calendar/', + 'https://apps.fedoraproject.org/notifications/', + 'http://copr.fedoraproject.org/', + 'http://copr-fe.cloud.fedoraproject.org/'] +OPENID_NON_TRUSTED_ROOTS = [] +### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit) +OPENID_MAX_AUTH_TIME = 120 diff --git a/roles/gluster/client/tasks/main.yml b/roles/gluster/client/tasks/main.yml new file mode 100644 index 0000000000..b8364bd4e9 --- /dev/null +++ b/roles/gluster/client/tasks/main.yml @@ -0,0 +1,23 @@ +--- + +- name: install needed packages + yum: pkg={{ item }} state=installed + with_items: + - glusterfs-fuse + tags: + - packages + +- name: make the mountdir + file: dest={{ mountdir }} owner={{ owner }} group={{ group }} + +- name: copy over the client config + template: src=client.config dest=/etc/glusterfs/glusterfs.{{name}}.vol + #notify: + #- remount? no idea... + +- name: mount it up + mount: > + src=/etc/glusterfs/glusterfs.{{name}}.vol + state=mounted + fstype=glusterfs + name={{mountdir}} diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config new file mode 100644 index 0000000000..668aa6aea2 --- /dev/null +++ b/roles/gluster/client/templates/client.config 
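Review bot: `file: dest={{ mountdir }} owner={{ owner }} group={{ group }}` has no `state=directory`, unlike the server role's `make the datadir` task (L113), so on a host where the mount point does not yet exist the task fails instead of creating it; add `state=directory`. The client volfile written by `template: src=client.config` carries `option password {{ password }}` (next hunk, L112) and is written with the default mode, so it should get `mode=0600 owner=root group=root` on this task and on the server's `copy over the server config` task. The commented `#notify: #- remount?` placeholder should be resolved, or replaced by a comment stating that config changes need a manual remount.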
@@ -0,0 +1,55 @@ +# Config for {{ name }} +# Generated by ansible + +{% for server in servers %} +volume vol-{{ servers.index(server) }} + type protocol/client + option transport-type tcp + option remote-host {{ server }} + option transport.socket.nodelay on + option remote-port 6996 + option remote-subvolume iothreads + option username {{ username }} + option password {{ password }} +end-volume + +{% endfor %} + +volume mirror-0 + type cluster/replicate + subvolumes {% for server in servers %}vol-{{loop.index - 1}} {% endfor %} + {% if servers.index(inventory_hostname) %} + option read-subvolume vol-{{ servers.index(inventory_hostname)}}{% endif %} + +end-volume + +volume writebehind + type performance/write-behind + option cache-size 4MB + # option flush-behind on # olecam: increasing the performance of handling lots of small files + subvolumes mirror-0 +end-volume + +volume iothreads + type performance/io-threads + option thread-count 16 # default is 16 + subvolumes writebehind +end-volume + +volume iocache + type performance/io-cache + option cache-size `grep 'MemTotal' /proc/meminfo | awk '{print $2 * 0.2 / 1024}' | cut -f1 -d.`MB + option cache-timeout 30 + subvolumes iothreads +end-volume + +volume statprefetch + type performance/stat-prefetch + subvolumes iocache +end-volume + +#volume nfs-server +# type nfs/server +# option nfs.dynamic-volumes on +# subvolumes mirror-0 +#end-volume diff --git a/roles/gluster/server/handlers/main.yml b/roles/gluster/server/handlers/main.yml new file mode 100644 index 0000000000..6cec6a15b2 --- /dev/null +++ b/roles/gluster/server/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart glusterd + service: name=glusterd state=restarted diff --git a/roles/gluster/server/tasks/main.yml b/roles/gluster/server/tasks/main.yml new file mode 100644 index 0000000000..9bf0a0c96b --- /dev/null +++ b/roles/gluster/server/tasks/main.yml 
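Review bot: `{% if servers.index(inventory_hostname) %}` is false for the first entry in `servers` (index 0), so that host never gets `option read-subvolume`, and `.index()` raises when the client is not itself one of the servers, which breaks templating for every pure client; use `{% if inventory_hostname in servers %}` as the test and keep `servers.index(inventory_hostname)` only inside it. `option cache-size \`grep 'MemTotal' ...\`MB` embeds a shell substitution in a volfile, which glusterfs reads as a literal string rather than executing, so the io-cache size is not what the author expects; compute the value in Ansible (e.g. from `ansible_memtotal_mb`) and render a plain number. The two loops also name the same volumes two ways (`vol-{{ servers.index(server) }}` and `vol-{{loop.index - 1}}`); `loop.index0` in both places is clearer.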
@@ -0,0 +1,27 @@ +--- + +- name: install needed packages + yum: pkg={{ item }} state=installed + with_items: + - glusterfs-server + tags: + - packages + +- name: glusterd service + service: name=glusterd state=started enabled=yes + +- name: make the datadir + file: dest={{ datadir }} owner={{ owner }} group={{ group }} state=directory + notify: + - restart glusterd + +- name: make the datapath + file: dest={{ datadir }}/{{ name }} owner={{ owner }} group={{ group }} state=directory + notify: + - restart glusterd + +- name: copy over the server config + template: src=server.config dest=/etc/glusterfs/glusterd.vol + notify: + - restart glusterd + diff --git a/roles/gluster/server/templates/server.config b/roles/gluster/server/templates/server.config new file mode 100644 index 0000000000..787494c235 --- /dev/null +++ b/roles/gluster/server/templates/server.config @@ -0,0 +1,29 @@ +# Config for {{ name }} +# Generated by ansible + +volume posix + type storage/posix + option directory {{ datadir }}/{{ name }} +end-volume + +volume locks + type features/locks + option mandatory-locks on + subvolumes posix +end-volume + +volume iothreads + type performance/io-threads + option thread-count 16 + subvolumes locks +end-volume + +volume server-tcp + type protocol/server + subvolumes iothreads + option transport-type tcp + option auth.login.iothreads.allow {{ username }} + option auth.login.{{ username }}.password {{ password }} + option transport.socket.listen-port 6996 + option transport.socket.nodelay on +end-volume diff --git a/files/kojibuilder/arm-koji.conf b/roles/koji_builder/files/arm-koji.conf similarity index 100% rename from files/kojibuilder/arm-koji.conf rename to roles/koji_builder/files/arm-koji.conf diff --git a/files/kojibuilder/arm-kojid.conf b/roles/koji_builder/files/arm-kojid.conf similarity index 100% rename from files/kojibuilder/arm-kojid.conf rename to roles/koji_builder/files/arm-kojid.conf 
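Review bot: `option auth.login.{{ username }}.password {{ password }}` puts the brick password in `/etc/glusterfs/glusterd.vol` in clear text, and the task that writes it (`copy over the server config`, first hunk on this line) uses the template default mode, so the password is readable by every local user; set `mode=0600` on that task. The listener on `transport.socket.listen-port 6996` is protected only by that login, with no `auth.addr.iothreads.allow` restriction to the client hosts and no firewall rule in this commit; a comment recording which hosts are expected to connect, plus a matching `auth.addr` line, would give a second control if the password leaks. The `notify: - restart glusterd` on the two directory-creation tasks restarts the daemon whenever a directory is first created, which is harmless but worth a one-line comment so it is not mistaken for a required dependency.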
diff --git a/files/kojibuilder/builder-infrastructure.repo b/roles/koji_builder/files/builder-infrastructure.repo similarity index 100% rename from files/kojibuilder/builder-infrastructure.repo rename to roles/koji_builder/files/builder-infrastructure.repo diff --git a/files/kojibuilder/builders/bkernel-eth0-network b/roles/koji_builder/files/builders/bkernel-eth0-network similarity index 100% rename from files/kojibuilder/builders/bkernel-eth0-network rename to roles/koji_builder/files/builders/bkernel-eth0-network diff --git a/files/kojibuilder/builders/bkernel-site-defaults.cfg b/roles/koji_builder/files/builders/bkernel-site-defaults.cfg similarity index 100% rename from files/kojibuilder/builders/bkernel-site-defaults.cfg rename to roles/koji_builder/files/builders/bkernel-site-defaults.cfg diff --git a/files/kojibuilder/builders/fedora-branched-pungi-armhfp.cfg b/roles/koji_builder/files/builders/fedora-branched-pungi-armhfp.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-branched-pungi-armhfp.cfg rename to roles/koji_builder/files/builders/fedora-branched-pungi-armhfp.cfg diff --git a/files/kojibuilder/builders/fedora-branched-pungi-i386.cfg b/roles/koji_builder/files/builders/fedora-branched-pungi-i386.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-branched-pungi-i386.cfg rename to roles/koji_builder/files/builders/fedora-branched-pungi-i386.cfg diff --git a/files/kojibuilder/builders/fedora-branched-pungi-x86_64.cfg b/roles/koji_builder/files/builders/fedora-branched-pungi-x86_64.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-branched-pungi-x86_64.cfg rename to roles/koji_builder/files/builders/fedora-branched-pungi-x86_64.cfg 
diff --git a/files/kojibuilder/builders/fedora-rawhide-pungi-armhfp.cfg b/roles/koji_builder/files/builders/fedora-rawhide-pungi-armhfp.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-rawhide-pungi-armhfp.cfg rename to roles/koji_builder/files/builders/fedora-rawhide-pungi-armhfp.cfg diff --git a/files/kojibuilder/builders/fedora-rawhide-pungi-i386.cfg b/roles/koji_builder/files/builders/fedora-rawhide-pungi-i386.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-rawhide-pungi-i386.cfg rename to roles/koji_builder/files/builders/fedora-rawhide-pungi-i386.cfg diff --git a/files/kojibuilder/builders/fedora-rawhide-pungi-x86_64.cfg b/roles/koji_builder/files/builders/fedora-rawhide-pungi-x86_64.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-rawhide-pungi-x86_64.cfg rename to roles/koji_builder/files/builders/fedora-rawhide-pungi-x86_64.cfg diff --git a/files/kojibuilder/builders/site-defaults.cfg b/roles/koji_builder/files/builders/site-defaults.cfg similarity index 100% rename from files/kojibuilder/builders/site-defaults.cfg rename to roles/koji_builder/files/builders/site-defaults.cfg diff --git a/files/kojibuilder/ftbfs_auth_keys b/roles/koji_builder/files/ftbfs_auth_keys similarity index 100% rename from files/kojibuilder/ftbfs_auth_keys rename to roles/koji_builder/files/ftbfs_auth_keys diff --git a/files/kojibuilder/history_off.sh b/roles/koji_builder/files/history_off.sh similarity index 100% rename from files/kojibuilder/history_off.sh rename to roles/koji_builder/files/history_off.sh diff --git a/files/kojibuilder/idmapd.conf b/roles/koji_builder/files/idmapd.conf similarity index 100% rename from files/kojibuilder/idmapd.conf rename to roles/koji_builder/files/idmapd.conf diff --git a/files/kojibuilder/koji.conf b/roles/koji_builder/files/koji.conf similarity index 100% rename from files/kojibuilder/koji.conf rename to roles/koji_builder/files/koji.conf 
diff --git a/files/kojibuilder/kojid.conf b/roles/koji_builder/files/kojid.conf similarity index 100% rename from files/kojibuilder/kojid.conf rename to roles/koji_builder/files/kojid.conf diff --git a/files/kojibuilder/limits.conf b/roles/koji_builder/files/limits.conf similarity index 100% rename from files/kojibuilder/limits.conf rename to roles/koji_builder/files/limits.conf diff --git a/files/kojibuilder/mock_auth_keys b/roles/koji_builder/files/mock_auth_keys similarity index 100% rename from files/kojibuilder/mock_auth_keys rename to roles/koji_builder/files/mock_auth_keys diff --git a/files/kojibuilder/root_auth_keys b/roles/koji_builder/files/root_auth_keys similarity index 97% rename from files/kojibuilder/root_auth_keys rename to roles/koji_builder/files/root_auth_keys index a3a005ac0f..a3ffc24818 100644 --- a/files/kojibuilder/root_auth_keys +++ b/roles/koji_builder/files/root_auth_keys @@ -1,2 +1 @@ -#ansible key from="10.5.126.23,10.5.126.12,10.5.126.11,209.132.181.6,192.168.1.58,152.19.134.140,192.168.1.42" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org diff --git a/files/kojibuilder/route-eth1 b/roles/koji_builder/files/route-eth1 similarity index 100% rename from files/kojibuilder/route-eth1 rename to roles/koji_builder/files/route-eth1 diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml new file mode 100644 index 0000000000..a15f2155e3 --- /dev/null +++ b/roles/koji_builder/tasks/main.yml 
@@ -0,0 +1,187 @@
+#
+# This is a base koji_builder role.
+#
+- name: set root passwd
+ user: name=root password={{ builder_rootpw }} state=present
+
+- name: add mock user as 425
+ user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes
+
+- name: make mock homedir perms
+ file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock
+
+- name: add mock ssh dir
+ file: state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock
+
+- name: add mock ssh keys
+ copy: src=mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock
+
+- name: add kojibuilder
+ user: name=kojibuilder groups=mock
+
+- name: add mockbuilder
+ user: name=mockbuilder groups=mock
+
+- name: mockbuilder .ssh dir
+ file: state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder
+
+- name: mockbuilder ssh key
+ copy: src=ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder
+
+- name: make a bunch of dirs
+ file: state=directory path={{ item }}
+ with_items:
+ - /pub
+ - /mnt/fedora_koji
+ - /pub/fedora
+ - /pub/epel
+
+- name: add builder infra yum repo
+ copy: src=builder-infrastructure.repo dest=/etc/yum.repos.d/builder-infrastructure.repo
+
+- name: clean up packages we do not need
+ yum: state=removed pkg={{ item }}
+ with_items:
+ - 'cronie\*'
+
+- name: add pkgs
+ yum: state=installed pkg={{ item }}
+ with_items:
+ - yum-utils
+ - koji-builder
+ - strace
+ - mock
+ - nfs-utils
+ - kernel-firmware
+ - ntp
+ - ntpdate
+ - rsyslog
+ - audit
+
+- name: /etc/kojid/kojid.conf
+ copy: src=kojid.conf dest=/etc/kojid/kojid.conf
+ when: not inventory_hostname.startswith(('arm01','arm03'))
+ notify:
+ - restart kojid
+
+- name: arm /etc/kojid/kojid.conf
+ copy: src=arm-kojid.conf dest=/etc/kojid/kojid.conf
+ when: inventory_hostname.startswith(('arm01','arm03'))
+ notify:
+ - restart kojid
+
+- name: /etc/koji/koji.conf
+ copy: src=koji.conf dest=/etc/koji.conf
+ when: not inventory_hostname.startswith(('arm01','arm03'))
+
+- name: /etc/koji/koji.conf
+ copy: src=arm-koji.conf dest=/etc/koji.conf
+ when: inventory_hostname.startswith(('arm01','arm03'))
+
+- name: copy over koji ca cert
+ copy: src="{{ private }}/files/koji/buildercerts/fedora-ca.cert" dest=/etc/kojid/cacert.pem
+
+- name: copy over /etc/security/limits.conf
+ copy: src=limits.conf dest=/etc/security/limits.conf
+
+- name: copy over builder cert to /etc/kojid/kojibuilder.pem
+ copy: src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600
+
+# idmapd and make sure it's set to run
+- name: idmapd.conf
+ copy: src=idmapd.conf dest=/etc/idmapd.conf
+ tags:
+ - configs
+
+- name: route config for netapp network
+ copy: src=route-eth1 dest=/etc/sysconfig/network-scripts/route-eth1
+
+- name: check for netapp route
+ command: ip route show
+ register: netapproute
+ always_run: yes
+ changed_when: "1 != 1"
+
+- name: run netapp route
+ command: /etc/sysconfig/network-scripts/ifup-routes eth1
+ when: netapproute.stdout.find("10.5.88.0") == -1 and not inventory_hostname.startswith('arm')
+
+- name: nfs mount points
+ mount: name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=mounted
+ when: inventory_hostname.startswith('build')
+
+- name: make a mnt/koji link
+ file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
+ when: inventory_hostname.startswith('build')
+
+# mock configs for pungify job
+- name: put extra special mock configs in
+ copy: src=builders/{{ item }} dest="/etc/mock/{{ item }}" mode=644
+ with_items:
+ - fedora-branched-pungi-armhfp.cfg
+ - fedora-branched-pungi-i386.cfg
+ - fedora-branched-pungi-x86_64.cfg
+ - fedora-rawhide-pungi-i386.cfg
+ - fedora-rawhide-pungi-x86_64.cfg
+ - fedora-rawhide-pungi-armhfp.cfg
+
+- name: mock site-defaults.cfg
+ copy: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
+ when: not inventory_hostname.startswith('bkernel')
+
+- name: ntp steptickers
+ copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers
+
+- name: ntp.conf
+ copy: src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf
+
+#
+# We want more loop devices on builders to allow more image creates
+#
+
+- name: check for max_loop with grub2
+ command: cat /etc/grub2.cfg
+ register: max_loop
+ always_run: yes
+ changed_when: '1 != 1'
+ when: ansible_distribution == 'Fedora' and ansible_architecture == 'x86_64'
+
+- name: check for max_loop with grub1
+ command: cat /etc/grub.conf
+ register: max_loop
+ always_run: yes
+ changed_when: '1 != 1'
+ when: ansible_distribution == 'RedHat' and ansible_architecture == 'x86_64'
+
+- name: set kernel params for more loops
+ action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64
+ when: max_loop is defined and max_loop.stdout.find("max_loop=64") == -1
+
+#
+# x86_64 builders run pungify, that needs hfs module in order to make
+# The efi/mac images. This module is only needed on rhel.
+#
+
+- name: special pkgs for the x86_64 builders
+ yum: state=installed pkg={{ item }}
+ with_items:
+ - kmod-hfsplus
+ when: is_rhel == 'True'
+
+- name: enable services and start them on Fedora systems
+ service: name={{ item }} enabled=true state=started
+ with_items:
+ - ntpd
+ - nfs-lock
+ - nfs-idmap
+ - nfs-mountd
+ when: ansible_distribution == 'Fedora'
+
+- name: enable services and start them on RHEL systems
+ service: name={{ item }} enabled=true state=started
+ with_items:
+ - rpcbind
+ - ntpd
+ - nfslock
+ - nfs
+ when: ansible_distribution == 'RedHat'
diff --git a/roles/mailman/defaults/main.yml b/roles/mailman/defaults/main.yml
new file mode 100644
index 0000000000..dffdecd16e
--- /dev/null
+++ b/roles/mailman/defaults/main.yml
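Review bot: `user: name=root password={{ builder_rootpw }}` hands the variable straight to the user module, which writes it into the password hash field as-is; unless builder_rootpw already holds a crypt(3)-style hash, the root password is not actually set to that value and the play reports nothing wrong. Either document the contract next to the task, e.g. `# builder_rootpw must be a sha512-crypt hash, not a plaintext password`, or hash the value before passing it. A second, hedged point: both max_loop checks register into the same variable, so on a host where the second check is skipped the skipped result presumably overwrites the real one and `max_loop.stdout` in the grubby task may be undefined; registering into two variables or using `max_loop.stdout|default('')` avoids that. The two authorized_keys copies also disagree on mode (640 for mock, 644 for mockbuilder); the tighter of the two on both would be consistent.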
@@ -0,0 +1,10 @@
+---
+mailman_webui_basedir: /srv/webui
+mailman_webui_confdir: "{{ mailman_webui_basedir }}/config"
+mailman_dbserver: localhost
+mailman_postfix_mydestination: "{{ ansible_fqdn }}"
+mailman_mm_db_pass: changeme
+mailman_hk_admin_db_pass: changeme
+mailman_hk_db_pass: changeme
+mailman_ks_admin_db_pass: changeme
+mailman_ks_db_pass: changeme
diff --git a/roles/mailman/files/pg-give-rights.py b/roles/mailman/files/pg-give-rights.py
index e99dd77f2b..08031515ac 100755
--- a/roles/mailman/files/pg-give-rights.py
+++ b/roles/mailman/files/pg-give-rights.py
@@ -24,7 +24,7 @@ def give_rights(dbhost, dbuser, dbpasswd, dbname): cur.execute(dbrightsquery) # Table permissions cur.execute(""" - SELECT 'GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE ON ' || relname || ' TO %sapp;' + SELECT 'GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE ON "' || relname || '" TO %sapp;' FROM pg_class JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace WHERE nspname = 'public' AND relkind IN ('r', 'v');
diff --git a/roles/mailman/files/post-update.sh b/roles/mailman/files/post-update.sh
index 616c1ef58d..f04228f6cf 100755
--- a/roles/mailman/files/post-update.sh
+++ b/roles/mailman/files/post-update.sh
@@ -12,8 +12,7 @@ INDEXDIR=$BASEDIR/kittystore_search_index django-admin collectstatic --clear --noinput --pythonpath $CONFDIR --settings settings django-admin assets build --parse-templates --pythonpath $CONFDIR --settings settings -django-admin syncdb --pythonpath $CONFDIR --settings settings_admin -django-admin migrate --pythonpath $CONFDIR --settings settings_admin +django-admin syncdb --pythonpath $CONFDIR --settings settings_admin --noinput --migrate django-admin loaddata /etc/postorius/sites/default/initial-user.json --pythonpath $CONFDIR --settings settings_admin kittystore-updatedb --pythonpath $CONFDIR --settings settings_admin chown mailman:mailman -R $INDEXDIR
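Review bot: The five `*_db_pass` defaults ship a literal `changeme`, so an inventory that forgets to override even one of them deploys a working database account with a guessable password and nothing in the role reports it. Role defaults are the lowest-precedence variable source, which is exactly what makes a leftover placeholder easy to miss. Safer is to omit the password defaults so an unset variable fails the play at first use, or keep the placeholder and guard it in the tasks, e.g. `- fail: msg="mailman_mm_db_pass is still the default" when: mailman_mm_db_pass == 'changeme'` for each of the five. The non-secret defaults (basedir, confdir, dbserver, mydestination) are fine as written.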
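Review bot: Wrapping relname in double quotes fixes mixed-case and reserved-word table names, but the name is still concatenated into the GRANT text unescaped, so a relname that itself contains a double quote yields broken SQL for that table; PostgreSQL's `quote_ident()` covers both cases, e.g. `SELECT 'GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE ON ' || quote_ident(relname) || ' TO %sapp;'`. The role name spliced in through `%sapp` is formatted outside this hunk, presumably from the dbuser parameter, and would benefit from the same treatment. give_rights continues outside the hunk.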
@@ -22,6 +21,9 @@ chmod g+w -R $INDEXDIR # Give database rights to the non-admin user $BASEDIR/bin/pg-give-rights.py +# SELinux contexts +restorecon -r "$BASEDIR" + # Reload Apache to flush the python cache systemctl reload httpd # Restart Mailman3 since kittystore was updated diff --git a/roles/mailman/files/postfix-main.cf b/roles/mailman/files/postfix-main.cf deleted file mode 100644 index 2bce62707d..0000000000 --- a/roles/mailman/files/postfix-main.cf +++ /dev/null 
@@ -1,694 +0,0 @@ -# "false" -# Global Postfix configuration file. This file lists only a subset -# of all parameters. For the syntax, and for a complete parameter -# list, see the postconf(5) manual page (command: "man 5 postconf"). -# -# For common configuration examples, see BASIC_CONFIGURATION_README -# and STANDARD_CONFIGURATION_README. To find these documents, use -# the command "postconf html_directory readme_directory", or go to -# http://www.postfix.org/. -# -# For best results, change no more than 2-3 parameters at a time, -# and test if Postfix still works after every change. - -# SOFT BOUNCE -# -# The soft_bounce parameter provides a limited safety net for -# testing. When soft_bounce is enabled, mail will remain queued that -# would otherwise bounce. This parameter disables locally-generated -# bounces, and prevents the SMTP server from rejecting mail permanently -# (by changing 5xx replies into 4xx replies). However, soft_bounce -# is no cure for address rewriting mistakes or mail routing mistakes. -# -#soft_bounce = no - -# LOCAL PATHNAME INFORMATION -# -# The queue_directory specifies the location of the Postfix queue. -# This is also the root directory of Postfix daemons that run chrooted. -# See the files in examples/chroot-setup for setting up Postfix chroot -# environments on different UNIX systems. -# -queue_directory = /var/spool/postfix - -# The command_directory parameter specifies the location of all -# postXXX commands. -# -command_directory = /usr/sbin - -# The daemon_directory parameter specifies the location of all Postfix -# daemon programs (i.e. programs listed in the master.cf file). This -# directory must be owned by root. -# -daemon_directory = /usr/libexec/postfix - -# QUEUE AND PROCESS OWNERSHIP -# -# The mail_owner parameter specifies the owner of the Postfix queue -# and of most Postfix daemon processes. 
Specify the name of a user -# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS -# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In -# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED -# USER. -# -mail_owner = postfix - -# The default_privs parameter specifies the default rights used by -# the local delivery agent for delivery to external file or command. -# These rights are used in the absence of a recipient user context. -# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. -# -#default_privs = nobody - -# INTERNET HOST AND DOMAIN NAMES -# -# The myhostname parameter specifies the internet hostname of this -# mail system. The default is to use the fully-qualified domain name -# from gethostname(). $myhostname is used as a default value for many -# other configuration parameters. -# -#myhostname = host.domain.tld -#myhostname = virtual.domain.tld - -# The mydomain parameter specifies the local internet domain name. -# The default is to use $myhostname minus the first component. -# $mydomain is used as a default value for many other configuration -# parameters. -# -#mydomain = domain.tld - -# SENDING MAIL -# -# The myorigin parameter specifies the domain that locally-posted -# mail appears to come from. The default is to append $myhostname, -# which is fine for small sites. If you run a domain with multiple -# machines, you should (1) change this to $mydomain and (2) set up -# a domain-wide alias database that aliases each user to -# user@that.users.mailhost. -# -# For the sake of consistency between sender and recipient addresses, -# myorigin also specifies the default domain name that is appended -# to recipient addresses that have no @domain part. -# -#myorigin = $myhostname -#myorigin = $mydomain - -mydomain = fedoraproject.org -myorigin = fedoraproject.org - -# RECEIVING MAIL - -# The inet_interfaces parameter specifies the network interface -# addresses that this mail system receives mail on. 
By default, -# the software claims all active interfaces on the machine. The -# parameter also controls delivery of mail to user@[ip.address]. -# -# See also the proxy_interfaces parameter, for network addresses that -# are forwarded to us via a proxy or network address translator. -# -# Note: you need to stop/start Postfix when this parameter changes. -# -#inet_interfaces = all -#inet_interfaces = $myhostname -#inet_interfaces = $myhostname, localhost -inet_interfaces = all - -# The proxy_interfaces parameter specifies the network interface -# addresses that this mail system receives mail on by way of a -# proxy or network address translation unit. This setting extends -# the address list specified with the inet_interfaces parameter. -# -# You must specify your proxy/NAT addresses when your system is a -# backup MX host for other domains, otherwise mail delivery loops -# will happen when the primary MX host is down. -# -#proxy_interfaces = -#proxy_interfaces = 1.2.3.4 - -# The mydestination parameter specifies the list of domains that this -# machine considers itself the final destination for. -# -# These domains are routed to the delivery agent specified with the -# local_transport parameter setting. By default, that is the UNIX -# compatible delivery agent that lookups all recipients in /etc/passwd -# and /etc/aliases or their equivalent. -# -# The default is $myhostname + localhost.$mydomain. On a mail domain -# gateway, you should also include $mydomain. -# -# Do not specify the names of virtual domains - those domains are -# specified elsewhere (see VIRTUAL_README). -# -# Do not specify the names of domains that this machine is backup MX -# host for. Specify those names via the relay_domains settings for -# the SMTP server, or use permit_mx_backup if you are lazy (see -# STANDARD_CONFIGURATION_README). 
-# -# The local machine is always the final destination for mail addressed -# to user@[the.net.work.address] of an interface that the mail system -# receives mail on (see the inet_interfaces parameter). -# -# Specify a list of host or domain names, /file/name or type:table -# patterns, separated by commas and/or whitespace. A /file/name -# pattern is replaced by its contents; a type:table is matched when -# a name matches a lookup key (the right-hand side is ignored). -# Continue long lines by starting the next line with whitespace. -# -# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". -# -mydestination = $myhostname, lists.fedoraproject.org, lists.stg.fedoraproject.org, - localhost.$mydomain, localhost -#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain -#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, -# mail.$mydomain, www.$mydomain, ftp.$mydomain - -# REJECTING MAIL FOR UNKNOWN LOCAL USERS -# -# The local_recipient_maps parameter specifies optional lookup tables -# with all names or addresses of users that are local with respect -# to $mydestination, $inet_interfaces or $proxy_interfaces. -# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown local users. This parameter is defined by default. -# -# To turn off local recipient checking in the SMTP server, specify -# local_recipient_maps = (i.e. empty). -# -# The default setting assumes that you use the default Postfix local -# delivery agent for local delivery. You need to update the -# local_recipient_maps setting if: -# -# - You define $mydestination domain recipients in files other than -# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. -# For example, you define $mydestination domain recipients in -# the $virtual_mailbox_maps files. -# -# - You redefine the local delivery agent in master.cf. -# -# - You redefine the "local_transport" setting in main.cf. 
-# -# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" -# feature of the Postfix local delivery agent (see local(8)). -# -# Details are described in the LOCAL_RECIPIENT_README file. -# -# Beware: if the Postfix SMTP server runs chrooted, you probably have -# to access the passwd file via the proxymap service, in order to -# overcome chroot restrictions. The alternative, having a copy of -# the system passwd file in the chroot jail is just not practical. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify a bare username, an @domain.tld -# wild-card, or specify a user@domain.tld address. -# -#local_recipient_maps = unix:passwd.byname $alias_maps -#local_recipient_maps = proxy:unix:passwd.byname $alias_maps -#local_recipient_maps = - -# The unknown_local_recipient_reject_code specifies the SMTP server -# response code when a recipient domain matches $mydestination or -# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty -# and the recipient address or address local-part is not found. -# -# The default setting is 550 (reject mail) but it is safer to start -# with 450 (try again later) until you are certain that your -# local_recipient_maps settings are OK. -# -unknown_local_recipient_reject_code = 550 - -# TRUST AND RELAY CONTROL - -# The mynetworks parameter specifies the list of "trusted" SMTP -# clients that have more privileges than "strangers". -# -# In particular, "trusted" SMTP clients are allowed to relay mail -# through Postfix. See the smtpd_recipient_restrictions parameter -# in postconf(5). -# -# You can specify the list of "trusted" network addresses by hand -# or you can let Postfix do it for you (which is the default). -# -# By default (mynetworks_style = subnet), Postfix "trusts" SMTP -# clients in the same IP subnetworks as the local machine. -# On Linux, this does works correctly only with interfaces specified -# with the "ifconfig" command. 
-# -# Specify "mynetworks_style = class" when Postfix should "trust" SMTP -# clients in the same IP class A/B/C networks as the local machine. -# Don't do this with a dialup site - it would cause Postfix to "trust" -# your entire provider's network. Instead, specify an explicit -# mynetworks list by hand, as described below. -# -# Specify "mynetworks_style = host" when Postfix should "trust" -# only the local machine. -# -#mynetworks_style = class -#mynetworks_style = subnet -#mynetworks_style = host - -# Alternatively, you can specify the mynetworks list by hand, in -# which case Postfix ignores the mynetworks_style setting. -# -# Specify an explicit list of network/netmask patterns, where the -# mask specifies the number of bits in the network part of a host -# address. -# -# You can also specify the absolute pathname of a pattern file instead -# of listing the patterns here. Specify type:table for table-based lookups -# (the value on the table right-hand side is not used). -# -#mynetworks = 168.100.189.0/28, 127.0.0.0/8 -#mynetworks = $config_directory/mynetworks -#mynetworks = hash:/etc/postfix/network_table - - -# The relay_domains parameter restricts what destinations this system will -# relay mail to. See the smtpd_recipient_restrictions description in -# postconf(5) for detailed information. -# -# By default, Postfix relays mail -# - from "trusted" clients (IP address matches $mynetworks) to any destination, -# - from "untrusted" clients to destinations that match $relay_domains or -# subdomains thereof, except addresses with sender-specified routing. -# The default relay_domains value is $mydestination. -# -# In addition to the above, the Postfix SMTP server by default accepts mail -# that Postfix is final destination for: -# - destinations that match $inet_interfaces or $proxy_interfaces, -# - destinations that match $mydestination -# - destinations that match $virtual_alias_domains, -# - destinations that match $virtual_mailbox_domains. 
-# These destinations do not need to be listed in $relay_domains. -# -# Specify a list of hosts or domains, /file/name patterns or type:name -# lookup tables, separated by commas and/or whitespace. Continue -# long lines by starting the next line with whitespace. A file name -# is replaced by its contents; a type:name table is matched when a -# (parent) domain appears as lookup key. -# -# NOTE: Postfix will not automatically forward mail for domains that -# list this system as their primary or backup MX host. See the -# permit_mx_backup restriction description in postconf(5). -# -#relay_domains = $mydestination - - - -# INTERNET OR INTRANET - -# The relayhost parameter specifies the default host to send mail to -# when no entry is matched in the optional transport(5) table. When -# no relayhost is given, mail is routed directly to the destination. -# -# On an intranet, specify the organizational domain name. If your -# internal DNS uses no MX records, specify the name of the intranet -# gateway host instead. -# -# In the case of SMTP, specify a domain, host, host:port, [host]:port, -# [address] or [address]:port; the form [host] turns off MX lookups. -# -# If you're connected via UUCP, see also the default_transport parameter. -# -#relayhost = $mydomain -#relayhost = [gateway.my.domain] -#relayhost = [mailserver.isp.tld] -#relayhost = uucphost -#relayhost = [an.ip.add.ress] -relayhost = bastion - - -# REJECTING UNKNOWN RELAY USERS -# -# The relay_recipient_maps parameter specifies optional lookup tables -# with all addresses in the domains that match $relay_domains. -# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown relay users. This feature is off by default. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify an @domain.tld wild-card, or specify -# a user@domain.tld address. 
-# -#relay_recipient_maps = hash:/etc/postfix/relay_recipients - -# INPUT RATE CONTROL -# -# The in_flow_delay configuration parameter implements mail input -# flow control. This feature is turned on by default, although it -# still needs further development (it's disabled on SCO UNIX due -# to an SCO bug). -# -# A Postfix process will pause for $in_flow_delay seconds before -# accepting a new message, when the message arrival rate exceeds the -# message delivery rate. With the default 100 SMTP server process -# limit, this limits the mail inflow to 100 messages a second more -# than the number of messages delivered per second. -# -# Specify 0 to disable the feature. Valid delays are 0..10. -# -#in_flow_delay = 1s - -# ADDRESS REWRITING -# -# The ADDRESS_REWRITING_README document gives information about -# address masquerading or other forms of address rewriting including -# username->Firstname.Lastname mapping. - -masquerade_domains = redhat.com -masquerade_exceptions = root apache - -# ADDRESS REDIRECTION (VIRTUAL DOMAIN) -# -# The VIRTUAL_README document gives information about the many forms -# of domain hosting that Postfix supports. - -# "USER HAS MOVED" BOUNCE MESSAGES -# -# See the discussion in the ADDRESS_REWRITING_README document. - -# TRANSPORT MAP -# -# See the discussion in the ADDRESS_REWRITING_README document. - -# ALIAS DATABASE -# -# The alias_maps parameter specifies the list of alias databases used -# by the local delivery agent. The default list is system dependent. -# -# On systems with NIS, the default is to search the local alias -# database, then the NIS alias database. See aliases(5) for syntax -# details. -# -# If you change the alias database, run "postalias /etc/aliases" (or -# wherever your system stores the mail alias file), or simply run -# "newaliases" to build the necessary DBM or DB file. -# -# It will take a minute or so before changes become visible. Use -# "postfix reload" to eliminate the delay. 
-# -#alias_maps = dbm:/etc/aliases -alias_maps = hash:/etc/aliases -#alias_maps = hash:/etc/aliases, nis:mail.aliases -#alias_maps = netinfo:/aliases - -# The alias_database parameter specifies the alias database(s) that -# are built with "newaliases" or "sendmail -bi". This is a separate -# configuration parameter, because alias_maps (see above) may specify -# tables that are not necessarily all under control by Postfix. -# -#alias_database = dbm:/etc/aliases -#alias_database = dbm:/etc/mail/aliases -alias_database = hash:/etc/aliases -#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases - -# ADDRESS EXTENSIONS (e.g., user+foo) -# -# The recipient_delimiter parameter specifies the separator between -# user names and address extensions (user+foo). See canonical(5), -# local(8), relocated(5) and virtual(5) for the effects this has on -# aliases, canonical, virtual, relocated and .forward file lookups. -# Basically, the software tries user+foo and .forward+foo before -# trying user and .forward. -# -recipient_delimiter = + - -# DELIVERY TO MAILBOX -# -# The home_mailbox parameter specifies the optional pathname of a -# mailbox file relative to a user's home directory. The default -# mailbox file is /var/spool/mail/user or /var/mail/user. Specify -# "Maildir/" for qmail-style delivery (the / is required). -# -#home_mailbox = Mailbox -#home_mailbox = Maildir/ - -# The mail_spool_directory parameter specifies the directory where -# UNIX-style mailboxes are kept. The default setting depends on the -# system type. -# -#mail_spool_directory = /var/mail -#mail_spool_directory = /var/spool/mail - -# The mailbox_command parameter specifies the optional external -# command to use instead of mailbox delivery. The command is run as -# the recipient with proper HOME, SHELL and LOGNAME environment settings. -# Exception: delivery for root is done as $default_user. 
-# -# Other environment variables of interest: USER (recipient username), -# EXTENSION (address extension), DOMAIN (domain part of address), -# and LOCAL (the address localpart). -# -# Unlike other Postfix configuration parameters, the mailbox_command -# parameter is not subjected to $parameter substitutions. This is to -# make it easier to specify shell syntax (see example below). -# -# Avoid shell meta characters because they will force Postfix to run -# an expensive shell process. Procmail alone is expensive enough. -# -# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN -# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. -# -#mailbox_command = /usr/bin/procmail -#mailbox_command = /some/where/procmail -a "$EXTENSION" - -# The mailbox_transport specifies the optional transport in master.cf -# to use after processing aliases and .forward files. This parameter -# has precedence over the mailbox_command, fallback_transport and -# luser_relay parameters. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp - -# If using the cyrus-imapd IMAP server deliver local mail to the IMAP -# server using LMTP (Local Mail Transport Protocol), this is prefered -# over the older cyrus deliver program by setting the -# mailbox_transport as below: -# -# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp -# -# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via -# these settings. 
-# -# local_destination_recipient_limit = 300 -# local_destination_concurrency_limit = 5 -# -# Of course you should adjust these settings as appropriate for the -# capacity of the hardware you are using. The recipient limit setting -# can be used to take advantage of the single instance message store -# capability of Cyrus. The concurrency limit can be used to control -# how many simultaneous LMTP sessions will be permitted to the Cyrus -# message store. -# -# To use the old cyrus deliver program you have to set: -#mailbox_transport = cyrus - -# The fallback_transport specifies the optional transport in master.cf -# to use for recipients that are not found in the UNIX passwd database. -# This parameter has precedence over the luser_relay parameter. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp -#fallback_transport = - -#transport_maps = hash:/etc/postfix/transport -# The luser_relay parameter specifies an optional destination address -# for unknown recipients. By default, mail for unknown@$mydestination, -# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned -# as undeliverable. -# -# The following expansions are done on luser_relay: $user (recipient -# username), $shell (recipient shell), $home (recipient home directory), -# $recipient (full recipient address), $extension (recipient address -# extension), $domain (recipient domain), $local (entire recipient -# localpart), $recipient_delimiter. 
Specify ${name?value} or -# ${name:value} to expand value only when $name does (does not) exist. -# -# luser_relay works only for the default Postfix local delivery agent. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must specify "local_recipient_maps =" (i.e. empty) in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#luser_relay = $user@other.host -#luser_relay = $local@other.host -#luser_relay = admin+$local - -# JUNK MAIL CONTROLS -# -# The controls listed here are only a very small subset. The file -# SMTPD_ACCESS_README provides an overview. - -# The header_checks parameter specifies an optional table with patterns -# that each logical message header is matched against, including -# headers that span multiple physical lines. -# -# By default, these patterns also apply to MIME headers and to the -# headers of attached messages. With older Postfix versions, MIME and -# attached message headers were treated as body text. -# -# For details, see "man header_checks". -# -header_checks = regexp:/etc/postfix/header_checks - -# FAST ETRN SERVICE -# -# Postfix maintains per-destination logfiles with information about -# deferred mail, so that mail can be flushed quickly with the SMTP -# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". -# See the ETRN_README document for a detailed description. -# -# The fast_flush_domains parameter controls what destinations are -# eligible for this service. By default, they are all domains that -# this server is willing to relay mail to. -# -#fast_flush_domains = $relay_domains - -# SHOW SOFTWARE VERSION OR NOT -# -# The smtpd_banner parameter specifies the text that follows the 220 -# code in the SMTP server's greeting banner. Some people like to see -# the mail version advertised. By default, Postfix shows no version. -# -# You MUST specify $myhostname at the start of the text. 
That is an -# RFC requirement. Postfix itself does not care. -# -#smtpd_banner = $myhostname ESMTP $mail_name -#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) - -# PARALLEL DELIVERY TO THE SAME DESTINATION -# -# How many parallel deliveries to the same user or domain? With local -# delivery, it does not make sense to do massively parallel delivery -# to the same user, because mailbox updates must happen sequentially, -# and expensive pipelines in .forward files can cause disasters when -# too many are run at the same time. With SMTP deliveries, 10 -# simultaneous connections to the same domain could be sufficient to -# raise eyebrows. -# -# Each message delivery transport has its XXX_destination_concurrency_limit -# parameter. The default is $default_destination_concurrency_limit for -# most delivery transports. For the local delivery agent the default is 2. - -#local_destination_concurrency_limit = 2 -#default_destination_concurrency_limit = 20 - -# DEBUGGING CONTROL -# -# The debug_peer_level parameter specifies the increment in verbose -# logging level when an SMTP client or server host name or address -# matches a pattern in the debug_peer_list parameter. -# -debug_peer_level = 2 - -# The debug_peer_list parameter specifies an optional list of domain -# or network patterns, /file/name patterns or type:name tables. When -# an SMTP client or server host name or address matches a pattern, -# increase the verbose logging level by the amount specified in the -# debug_peer_level parameter. -# -#debug_peer_list = 127.0.0.1 -#debug_peer_list = some.domain - -# The debugger_command specifies the external command that is executed -# when a Postfix daemon program is run with the -D option. -# -# Use "command .. & sleep 5" so that the debugger can attach before -# the process marches on. If you use an X-based debugger, be sure to -# set up your XAUTHORITY environment variable before starting Postfix. 
-# -debugger_command = - PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin - xxgdb $daemon_directory/$process_name $process_id & sleep 5 - -# If you can't use X, use this to capture the call stack when a -# daemon crashes. The result is in a file in the configuration -# directory, and is named after the process name and the process ID. -# -# debugger_command = -# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; -# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 -# >$config_directory/$process_name.$process_id.log & sleep 5 -# -# Another possibility is to run gdb under a detached screen session. -# To attach to the screen sesssion, su root and run "screen -r -# " where uniquely matches one of the detached -# sessions (from "screen -list"). -# -# debugger_command = -# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen -# -dmS $process_name gdb $daemon_directory/$process_name -# $process_id & sleep 1 - -# INSTALL-TIME CONFIGURATION INFORMATION -# -# The following parameters are used when installing a new Postfix version. -# -# sendmail_path: The full pathname of the Postfix sendmail command. -# This is the Sendmail-compatible mail posting interface. -# -sendmail_path = /usr/sbin/sendmail.postfix - -# newaliases_path: The full pathname of the Postfix newaliases command. -# This is the Sendmail-compatible command to build alias databases. -# -newaliases_path = /usr/bin/newaliases.postfix - -# mailq_path: The full pathname of the Postfix mailq command. This -# is the Sendmail-compatible mail queue listing command. -# -mailq_path = /usr/bin/mailq.postfix - -# setgid_group: The group for mail submission and queue management -# commands. This must be a group name with a numerical group ID that -# is not shared with other accounts, not even with the Postfix account. -# -setgid_group = postdrop - -# html_directory: The location of the Postfix HTML documentation. 
-# -html_directory = no - -# manpage_directory: The location of the Postfix on-line manual pages. -# -manpage_directory = /usr/share/man - -# sample_directory: The location of the Postfix sample configuration files. -# This parameter is obsolete as of Postfix 2.1. -# -sample_directory = /usr/share/doc/postfix-2.4.5/samples - -# readme_directory: The location of the Postfix README files. -# -readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES - -# add this to new postfix to get it to add proper message-id and other -# headers to outgoing emails via the gateway. - - -message_size_limit = 20971520 - - -# Mailman, see MTA.rst -owner_request_special = no -transport_maps = hash:/var/lib/mailman3/data/postfix_lmtp -local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp -relay_domains = hash:/var/lib/mailman3/data/postfix_domains diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml index fa02c48af6..75619c1ec5 100644 --- a/roles/mailman/tasks/main.yml +++ b/roles/mailman/tasks/main.yml @@ -10,13 +10,13 @@ yum: pkg=policycoreutils-python state=installed - name: set the SELinux policy for the configuration directory - command: semanage fcontext -a -t etc_t "${mailman_webui_confdir}(/.*)?" + command: semanage fcontext -a -t etc_t "{{ mailman_webui_confdir }}(/.*)?" - name: set the SELinux policy for the fulltext index - command: semanage fcontext -a -t httpd_sys_content_t "${mailman_webui_basedir}/kittystore_search_index(/.*)?" + command: semanage fcontext -a -t httpd_sys_content_t "{{ mailman_webui_basedir }}/kittystore_search_index(/.*)?" - name: set the SELinux policy for the static files directory - command: semanage fcontext -a -t httpd_sys_content_t "${mailman_webui_basedir}/static(/.*)?" + command: semanage fcontext -a -t httpd_sys_content_t "{{ mailman_webui_basedir }}/static(/.*)?" - name: set the SELinux policy for the log directory command: semanage fcontext -a -t httpd_log_t "/var/log/hyperkitty(/.*)?" 
@@ -124,7 +124,7 @@ - name: install the hyperkitty wsgi file copy: src=webui.wsgi - dest="{{ mailman_webui_confdir }/webui.wsgi" + dest="{{ mailman_webui_confdir }}/webui.wsgi" owner=root group=root mode=0644 tags: - config @@ -158,11 +158,6 @@ file: path="{{ mailman_webui_basedir }}/static" state=directory owner=root group=root mode=0755 -- name: install the kittystore cache cronjob - template: src=hyperkitty.cronjob.sh.j2 - dest=/etc/cron.daily/hyperkitty - owner=root group=root mode=0755 - # # Plug HyperKitty into Mailman # @@ -225,12 +220,13 @@ # Postfix - name: set the postfix conffile - copy: src=postfix-main.cf dest=/etc/postfix/main.cf + template: src=postfix-main.cf.j2 dest=/etc/postfix/main.cf notify: - restart postfix - name: create the postfix aliases - command: mailman3 aliases + command: su mailman -s /bin/sh -c "mailman3 aliases" + creates=/var/lib/mailman3/data/postfix_lmtp.db # Memcached - name: set the memcached sysconfig file diff --git a/roles/mailman/templates/apache-dummy.conf.j2 b/roles/mailman/templates/apache-dummy.conf.j2 index 37da0c4354..584a4f036d 100644 --- a/roles/mailman/templates/apache-dummy.conf.j2 +++ b/roles/mailman/templates/apache-dummy.conf.j2 @@ -1 +1 @@ -# See ${mailman_webui_confdir} +# See {{ mailman_webui_confdir }} diff --git a/roles/mailman/templates/apache.conf.j2 b/roles/mailman/templates/apache.conf.j2 index 5cc06c5648..58f8a0c5c2 100644 --- a/roles/mailman/templates/apache.conf.j2 +++ b/roles/mailman/templates/apache.conf.j2 
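Review bot: The `create the postfix aliases` task changes user through `su mailman -s /bin/sh -c "mailman3 aliases"`, which nests a shell inside the command; the task-level `sudo_user: mailman` keyword achieves the same switch with a plain `command: mailman3 aliases` and keeps the command argument parseable. The `creates=/var/lib/mailman3/data/postfix_lmtp.db` guard also means the aliases are generated exactly once and never refreshed when lists are added or removed, so a later list change will not reach Postfix until that file is removed by hand; a comment on the task such as `# aliases are generated once; delete postfix_lmtp.db to force regeneration` would make that explicit. I am inferring that `mailman3 aliases` produces the .db from the guard path; confirm before relying on it.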
@@ -1,18 +1,18 @@ -Alias /robots.txt ${mailman_webui_basedir}/static/hyperkitty/robots.txt -Alias /favicon.ico ${mailman_webui_basedir}/static/hyperkitty/favicon.ico -Alias /static ${mailman_webui_basedir}/static +Alias /robots.txt {{ mailman_webui_basedir }}/static/hyperkitty/robots.txt +Alias /favicon.ico {{ mailman_webui_basedir }}/static/hyperkitty/favicon.ico +Alias /static {{ mailman_webui_basedir }}/static #ErrorLog /var/log/httpd/webui_error.log #CustomLog /var/log/httpd/webui_access.log combined -WSGIScriptAlias / ${mailman_webui_confdir}/webui.wsgi +WSGIScriptAlias / {{ mailman_webui_confdir }}/webui.wsgi WSGIDaemonProcess webui display-name=webui maximum-requests=1000 processes=4 threads=4 WSGISocketPrefix run/wsgi WSGIRestrictStdout On WSGIRestrictSignal Off WSGIPythonOptimize 1 - + Order deny,allow Allow from all @@ -21,7 +21,7 @@ WSGIPythonOptimize 1 WSGIProcessGroup webui - + Order deny,allow Allow from all Require all granted diff --git a/roles/mailman/templates/hyperkitty.cronjob.sh.j2 b/roles/mailman/templates/hyperkitty.cronjob.sh.j2 deleted file mode 100644 index 18933a5960..0000000000 --- a/roles/mailman/templates/hyperkitty.cronjob.sh.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -kittystore-refresh-cache --pythonpath {{ mailman_webui_confdir }} --settings settings_admin diff --git a/roles/mailman/templates/mailman-hyperkitty.cfg.j2 b/roles/mailman/templates/mailman-hyperkitty.cfg.j2 index fb89efdf9e..b59c1f4689 100644 --- a/roles/mailman/templates/mailman-hyperkitty.cfg.j2 +++ b/roles/mailman/templates/mailman-hyperkitty.cfg.j2 @@ -9,4 +9,4 @@ [general] base_url: http://apps.stg.fedoraproject.org/lists -django_settings: ${mailman_webui_confdir}/settings.py +django_settings: {{ mailman_webui_confdir }}/settings.py diff --git a/roles/mailman/templates/mailman.cfg.j2 b/roles/mailman/templates/mailman.cfg.j2 index 3937dd3712..4130dff087 100644 --- a/roles/mailman/templates/mailman.cfg.j2 +++ b/roles/mailman/templates/mailman.cfg.j2 
@@ -21,7 +21,7 @@ pid_file: /run/mailman3/master.pid [database] class: mailman.database.postgresql.PostgreSQLDatabase -url: postgres://mailmanadmin:{{ mailman_mm_db_pass }}@db02.stg.phx2.fedoraproject.org/mailman +url: postgres://mailmanadmin:{{ mailman_mm_db_pass }}@{{ mailman_dbserver }}/mailman [archiver.hyperkitty] class: hyperkitty.archiver.Archiver diff --git a/files/lists-dev/postfix-main.cf.j2 b/roles/mailman/templates/postfix-main.cf.j2 similarity index 98% rename from files/lists-dev/postfix-main.cf.j2 rename to roles/mailman/templates/postfix-main.cf.j2 index 06d5afb384..3d50a7390e 100644 --- a/files/lists-dev/postfix-main.cf.j2 +++ b/roles/mailman/templates/postfix-main.cf.j2 @@ -156,7 +156,7 @@ inet_interfaces = all # # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". # -mydestination = $myhostname, lists-dev.cloud.fedoraproject.org, +mydestination = $myhostname, {{ mailman_postfix_mydestination }}, localhost.$mydomain, localhost #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, @@ -314,7 +314,7 @@ unknown_local_recipient_reject_code = 550 #relayhost = [mailserver.isp.tld] #relayhost = uucphost #relayhost = [an.ip.add.ress] -relayhost = +relayhost = bastion.phx2.fedoraproject.org # REJECTING UNKNOWN RELAY USERS @@ -689,6 +689,6 @@ message_size_limit = 20971520 # Mailman, see MTA.rst owner_request_special = no -transport_maps = hash:{{mailman_vardir}}/data/postfix_lmtp -local_recipient_maps = hash:{{mailman_vardir}}/data/postfix_lmtp -relay_domains = hash:{{mailman_vardir}}/data/postfix_domains +transport_maps = hash:/var/lib/mailman3/data/postfix_lmtp +local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp +relay_domains = hash:/var/lib/mailman3/data/postfix_domains diff --git a/roles/mailman/templates/settings.py.j2 b/roles/mailman/templates/settings.py.j2 index 1fd96f1f80..3499638129 100644 
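Review bot: `{{ mailman_dbserver }}` on the new `url:` line has no definition left in the role: this same commit deletes `roles/mailman/vars/main.yml`, which was the only place in the diff that set `mailman_dbserver` (and `mailman_webui_basedir` / `mailman_webui_confdir`). Unless those variables are defined in inventory or group vars outside this diff, the template renders with an undefined host and the `mailman_mm_db_pass` value would be sent to whatever that resolves to. Worth confirming where the variable now lives and recording it in the template, e.g. `# mailman_dbserver is set per environment in group_vars (role vars/main.yml was removed)`.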
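Review bot: `relayhost = bastion.phx2.fedoraproject.org` is hard-coded in the template while the `mydestination` hunk just above parameterises the host list with `{{ mailman_postfix_mydestination }}`; a variable (`{{ mailman_postfix_relayhost }}` or similar) would keep the template usable for the lists-dev host it was renamed from, where `relayhost =` was previously empty. The third hunk also replaces `{{mailman_vardir}}` with the literal `/var/lib/mailman3` in `transport_maps`, `local_recipient_maps` and `relay_domains`; if that is because the variable was never defined, a short comment saying so would stop the next reader re-parameterising it.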
--- a/roles/mailman/templates/settings.py.j2 +++ b/roles/mailman/templates/settings.py.j2 @@ -142,6 +142,7 @@ MIDDLEWARE_CLASSES = ( 'hyperkitty.middleware.KittyStoreDjangoMiddleware', 'hyperkitty.middleware.SSLRedirect', 'hyperkitty.middleware.TimezoneMiddleware', + 'hyperkitty.middleware.MailmanUserMetadata', ) ROOT_URLCONF = 'urls' @@ -326,7 +327,9 @@ KITTYSTORE_URL = 'postgres://kittystoreapp:{{ mailman_ks_db_pass }}@{{ mailman_d KITTYSTORE_SEARCH_INDEX = '{{ mailman_webui_basedir }}/kittystore_search_index' # Use SSL when logged in -USE_SSL = True +#USE_SSL = True +# In the Fedora infra, SSL is handled by the proxy and we can't detect it +USE_SSL = False # Only display mailing-lists from the same virtual host as the webserver FILTER_VHOST = False diff --git a/roles/mailman/vars/main.yml b/roles/mailman/vars/main.yml deleted file mode 100644 index 5e4585e9c3..0000000000 --- a/roles/mailman/vars/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -mailman_webui_basedir: /srv/webui -mailman_webui_confdir: ${mailman_webui_basedir}/config -mailman_dbserver: db02.stg.phx2.fedoraproject.org diff --git a/roles/mirrorlist/files/mirrorlist-server.conf b/roles/mirrorlist/files/mirrorlist-server.conf index 1ee87bcc37..929578708d 100644 --- a/roles/mirrorlist/files/mirrorlist-server.conf +++ b/roles/mirrorlist/files/mirrorlist-server.conf @@ -4,8 +4,6 @@ Alias /static /var/lib/mirrormanager/mirrorlists/static/ Options Indexes FollowSymLinks - ExpiresActive On - ExpiresDefault "modification plus 1 day" WSGIDaemonProcess mirrorlist user=apache processes=45 threads=1 display-name=mirrorlist maximum-requests=1000 @@ -42,3 +40,15 @@ WSGIScriptAlias /mirrorlist /usr/share/mirrormanager/mirrorlist-server/mirrorlis Allow from all + + + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order deny,allow + Allow from all + + diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index da18f8bc5d..60a64dd588 100644 --- a/roles/nagios_client/tasks/main.yml 
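Review bot: `USE_SSL = False` switches off the HTTPS enforcement that `hyperkitty.middleware.SSLRedirect` (still listed in `MIDDLEWARE_CLASSES` in the first hunk) provided for logged-in users, so from here on session cookies stay off plain HTTP only if the proxy in front of this host redirects HTTP to HTTPS itself. The new comment says why the setting is off but not what now guarantees that property; I would extend it to `# TLS is terminated at the proxy, which must redirect http->https itself; set SESSION_COOKIE_SECURE if cookies must never be sent in clear`. Whether the proxy forwards the original scheme in a header (which Django's `SECURE_PROXY_SSL_HEADER` could consume, letting the redirect stay enabled) is not visible in this diff; if it does, that is the better fix.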
+++ b/roles/nagios_client/tasks/main.yml @@ -56,11 +56,31 @@ - check_swap.cfg - check_postfix_queue.cfg - check_lock.cfg + - check_fedmsg_hub_proc.cfg notify: - restart nrpe tags: - config +# +# The actual items files here end in .j2 (they are templates) +# So when adding or modifying them change the .j2 version in git. +# +- name: install nrpe openvpn check config + template: src=check_openvpn_link.cfg.j2 dest=/etc/nrpe.d/check_openvpn_link.cfg + when: datacenter != 'phx2' + notify: + - restart nrpe +# +# The actual items files here end in .j2 (they are templates) +# So when adding or modifying them change the .j2 version in git. +# +- name: install nrpe unbound check config + template: src=check_unbound_proc.cfg.j2 dest=/etc/nrpe.d/check_unbound_proc.cfg + when: inventory_hostname.startswith('unbound') + notify: + - restart nrpe + - name: nrpe service start service: name=nrpe state=running enabled=true tags: diff --git a/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 new file mode 100644 index 0000000000..17ec341c4a --- /dev/null +++ b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 @@ -0,0 +1 @@ +command[check_fedmsg_hub_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'fedmsg-hub' -u fedmsg diff --git a/roles/nagios_client/templates/check_openvpn_link.cfg.j2 b/roles/nagios_client/templates/check_openvpn_link.cfg.j2 new file mode 100644 index 0000000000..a584a972e4 --- /dev/null +++ b/roles/nagios_client/templates/check_openvpn_link.cfg.j2 @@ -0,0 +1 @@ +command[check_openvpn_link]={{ libdir }}/nagios/plugins/check_ping -H 192.168.1.58 -w 375.0,20% -c 500,60% diff --git a/roles/nagios_client/templates/check_unbound_proc.cfg.j2 b/roles/nagios_client/templates/check_unbound_proc.cfg.j2 new file mode 100644 index 0000000000..cbae839cfd --- /dev/null +++ b/roles/nagios_client/templates/check_unbound_proc.cfg.j2 
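Review bot: The two new template tasks (`install nrpe openvpn check config` and `install nrpe unbound check config`) lack the `tags: - config` that the neighbouring `with_items` task in the same hunk carries, so a run limited with `--tags config` would skip them and leave the nrpe.d files stale. Adding `tags:` / `- config` to both keeps the role consistent. The four-line "items files here end in .j2" comment is also pasted twice; once, above the first template task, is enough.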
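Review bot: `-H 192.168.1.58` hard-codes the ping target in a template that otherwise only substitutes `{{ libdir }}`; since the task installing this file is conditioned on `datacenter != 'phx2'`, the address is presumably the phx2 end of the VPN link and would be clearer as a variable with a comment such as `# ping the phx2 side of the openvpn tunnel`. I am inferring the role of the address from the task condition; confirm before naming it.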
@@ -0,0 +1 @@ +command[check_unbound_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'unbound' -u unbound diff --git a/roles/notifs-backend/templates/fmn.consumer.py b/roles/notifs-backend/templates/fmn.consumer.py index 29548795da..cf69c2d8d3 100644 --- a/roles/notifs-backend/templates/fmn.consumer.py +++ b/roles/notifs-backend/templates/fmn.consumer.py @@ -20,7 +20,25 @@ config = { # Consumer stuff "fmn.consumer.enabled": True, - "fmn.sqlalchemy.uri": "postgresql://${notifs_db_user}:${notifs_db_password}@db-notifs/notifications", + "fmn.sqlalchemy.uri": "postgresql://{{notifs_db_user}}:{{notifs_db_password}}@db-notifs/notifications", + + # Some configuration for the rule processors + "fmn.rules.utils.use_pkgdb2": False, + "fmn.rules.utils.pkgdb2_api_url": "http://209.132.184.188/api/", + "fmn.rules.cache": { + "backend": "dogpile.cache.dbm", + "expiration_time": 300, + "arguments": { + "filename": "/var/tmp/fmn-cache.dbm", + }, + }, + + # The notification backend uses this to build a fas cache of ircnicks + # to fas usernames so it can act appropriately on certain message types. + "fas_credentials": { + "username": "{{fedoraDummyUser}}", + "password": "{{fedoraDummyUserPassword}}", + }, ## Backend stuff ## # Email @@ -28,7 +46,7 @@ config = { "fmn.email.from_address": "notifications@" + domain, # IRC - "fmn.irc.network": "irc.freenode.net", + "fmn.irc.network": "chat.freenode.net", "fmn.irc.nickname": ircnick, "fmn.irc.port": 6667, "fmn.irc.timeout": 120, diff --git a/roles/notifs-frontend/files/fmn.web.wsgi b/roles/notifs-frontend/files/fmn.web.wsgi index 358d4b695e..3a2612b419 100644 --- a/roles/notifs-frontend/files/fmn.web.wsgi +++ b/roles/notifs-frontend/files/fmn.web.wsgi @@ -10,6 +10,9 @@ import pkg_resources import os os.environ['FMN_WEB_CONFIG'] = '/etc/fmn.web.cfg' +import logging +logging.basicConfig() + # The most import line to make the wsgi working from fmn.web.app import app as application # Dangerous.. only use when testing. 
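Review bot: The new `fmn.rules.cache` block places the dogpile DBM file at `/var/tmp/fmn-cache.dbm`, a world-writable shared directory: any local account can pre-create or replace that file before the consumer starts, and the cache backend would presumably then read whatever it contains as cached rule data. A directory owned by the service user and created by the role with a restrictive mode is the safer home, e.g. `"filename": "/var/cache/fmn/fmn-cache.dbm"` (constructed path; use whatever directory the role already creates). `fmn.rules.utils.pkgdb2_api_url` also points at a plain-http literal IP; it is inert while `use_pkgdb2` is `False` right above it, but a comment noting that it must move to the https hostname before being enabled would prevent a plaintext lookup later.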
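Review bot: `logging.basicConfig()` with no arguments leaves the root logger at WARNING, so its only effect is that warnings and errors from the app reach stderr (and thus httpd's error log) instead of being dropped; if the intent was to see info or debug output from the application, a `level=` argument is needed. A one-line comment would make the intent clear, e.g. `# send the app's warnings/errors to stderr so they appear in httpd's error_log`. Note that `basicConfig()` does nothing when the root logger already has a handler, so it cannot override logging configured by the app on import.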
diff --git a/roles/notifs-frontend/tasks/main.yml b/roles/notifs-frontend/tasks/main.yml index ef16ea38be..5bc5524772 100644 --- a/roles/notifs-frontend/tasks/main.yml +++ b/roles/notifs-frontend/tasks/main.yml @@ -17,6 +17,17 @@ notify: - restart apache +- name: destroy a bogus config file brought in by python-datanommer-models + file: dest=/etc/fedmsg.d/datanommer.py state=absent + notify: + - restart apache + +- name: setup symlink to fedora theme + file: > + src=/usr/share/fmn.web/static/bootstrap-3.0.2-fedora + dest=/usr/share/fmn.web/static/bootstrap + state=link + - name: copy fmn httpd config copy: > src=fmn.web.conf dest=/etc/httpd/conf.d/fmn.web.conf diff --git a/roles/notifs-frontend/templates/fmn.web.cfg b/roles/notifs-frontend/templates/fmn.web.cfg index 89eeb400b3..55d78bc080 100644 --- a/roles/notifs-frontend/templates/fmn.web.cfg +++ b/roles/notifs-frontend/templates/fmn.web.cfg @@ -13,6 +13,6 @@ FMN_FEDORA_OPENID = 'https://id.fedoraproject.org' {% endif %} FMN_ALLOW_FAS_OPENID = True -FMN_ALLOW_GOOGLE_OPENID = True -FMN_ALLOW_YAHOO_OPENID = True -FMN_ALLOW_GENERIC_OPENID = True +FMN_ALLOW_GOOGLE_OPENID = False +FMN_ALLOW_YAHOO_OPENID = False +FMN_ALLOW_GENERIC_OPENID = False diff --git a/roles/notifs-frontend/templates/fmn.web.py b/roles/notifs-frontend/templates/fmn.web.py index 0a05901ca9..6edc02f884 100644 --- a/roles/notifs-frontend/templates/fmn.web.py +++ b/roles/notifs-frontend/templates/fmn.web.py @@ -1,3 +1,6 @@ config = { - "fmn.sqlalchemy.uri": "postgresql://${notifs_db_user}:${notifs_db_password}@db-notifs/notifications", + # This is for *our* database + "fmn.sqlalchemy.uri": "postgresql://{{notifs_db_user}}:{{notifs_db_password}}@db-notifs/notifications", + # And this is for the datanommer database + "datanommer.sqlalchemy.url": "postgresql://{{datanommerDBUser}}:{{datanommerDBPassword}}@db-datanommer/datanommer", } diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index 8fc088d16e..b0affeb7a7 100644 
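Review bot: The `setup symlink to fedora theme` task creates `/usr/share/fmn.web/static/bootstrap` with `state=link` but no `force=yes`; the file module replaces an existing regular file with a symlink only when `force=yes` is given and will not convert an existing directory at all, so the task fails if the package ships a real `bootstrap` file or directory there, which is plausible given the task exists to swap the theme. Either add `force=yes` (for the file case) or confirm the path is absent after package install and say so in a comment. The task also has no `notify: - restart apache` unlike its two neighbours; if static files are served without a restart that is fine, but a short comment would save the next reader the question.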
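Review bot: The new `datanommer.sqlalchemy.url` hands the web frontend a second set of database credentials; the frontend only needs to query datanommer, so `{{datanommerDBUser}}` should be a role with read-only rights on that database rather than the account the datanommer consumer writes with. Which account it is cannot be seen here, so a comment stating the expectation would help, e.g. `# read-only role: the web UI only queries datanommer`.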
--- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml @@ -9,12 +9,13 @@ - name: install needed packages yum: pkg={{ item }} state=installed with_items: - - nuancier-lite + - nuancier - python-psycopg2 - python-openid-cla - python-openid-teams - python-memcached - libsemanage-python + - python-alembic tags: - packages 
@@ -23,36 +24,38 @@ dest="{{ item.location }}/{{ item.dest }}" owner=apache group=apache mode=0600 with_items: - - { file: nuancier_admin.cfg, location: /etc/nuancier, dest: nuancier-lite.cfg } + - { file: nuancier_admin.cfg, location: /etc/nuancier, dest: nuancier.cfg } + - { file: alembic.ini, location: /etc/nuancier, dest: alembic.ini } tags: - config notify: - restart apache -- name: create pictures folder where we upload the pictures - action: file state=directory - path=/var/www/nuancier/pictures - tags: - - setup - -- name: create the cache folder where nuancier creates the thumbnails - action: file state=directory - path=/var/www/nuancier/cache - owner=apache group=apache - tags: - - setup +#- name: create pictures folder where we upload the pictures +# action: file state=directory +# path=/var/cache/nuancier/pictures +# owner=apache group=apache mode=0600 +# tags: +# - setup +# +#- name: create the cache folder where nuancier creates the thumbnails +# action: file state=directory +# path=/var/cache/nuancier/cache +# owner=apache group=apache mode=0600 +# tags: +# - setup - name: create the database scheme - command: /usr/bin/python2 /usr/share/nuancier/nuancier-lite_createdb.py + command: /usr/bin/python2 /usr/share/nuancier/nuancier_createdb.py environment: - NUANCIER_CONFIG: /etc/nuancier/nuancier-lite.cfg + NUANCIER_CONFIG: /etc/nuancier/nuancier.cfg - name: replace the nuancier configuration file by the one with the normal user template: src={{ item.file }} dest="{{ item.location }}/{{ item.file }}" owner=apache group=apache mode=0600 with_items: - - { file: nuancier-lite.cfg, location: /etc/nuancier } + - { file: nuancier.cfg, location: /etc/nuancier } - { file: nuancier.conf, location: /etc/httpd/conf.d } - { file: nuancier.wsgi, location: /usr/share/nuancier } tags: 
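Review bot: `alembic.ini` is installed into `/etc/nuancier` by the same loop as `nuancier_admin.cfg`, i.e. `owner=apache group=apache mode=0600`, so the admin database credentials in its `sqlalchemy.url` become readable by the web server process, which only needs the unprivileged `nuancier.cfg`; migrations are run from the command line, so `owner=root group=root mode=0600` (or whichever account runs alembic) is the tighter choice, and the same argument applies to `nuancier_admin.cfg` if only the `create the database scheme` task consumes it. The two directory-creation tasks are left commented out rather than deleted; if `/var/cache/nuancier` is now shipped by the package, a one-line comment saying so and removing the dead block is clearer, especially since that block carries a `mode=0600` that would be wrong for a directory anyway.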
@@ -65,6 +68,14 @@ state=true persistent=true +- name: check semanage ports + command: semanage port -l + register: semanageoutput + +- name: set ports so httpd can talk to fedmsg endpoints + command: semanage port -a -t http_port_t -p tcp 3001-3100 + when: semanageoutput.stdout.find("3001-3100") == -1 + - name: apply selinux type to static files file: > dest=/usr/lib/python2.6/site-packages/nuancier/static/ @@ -72,6 +83,11 @@ state=directory recurse=yes +- name: set sebooleans so apache can use glustergs + action: seboolean name=httpd_use_fusefs + state=true + persistent=true + - name: apply selinux type to the wsgi file file: > dest=/usr/share/nuancier/nuancier.wsgi diff --git a/roles/nuancier/templates/alembic.ini b/roles/nuancier/templates/alembic.ini new file mode 100644 index 0000000000..5ac41c9c68 --- /dev/null +++ b/roles/nuancier/templates/alembic.ini @@ -0,0 +1,50 @@ +# A generic, single database configuration. + +[alembic] +# path to migration scripts +script_location = /usr/share/nuancier/alembic + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +sqlalchemy.url = postgresql://{{ nuancier_db_admin_user }}:{{ nuancier_db_admin_pass }}@{{ nuancier_db_host }}/{{ nuancier_db_name }} + + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S 
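Review bot: The `check semanage ports` task runs `semanage port -l` on every play and, as a plain `command`, is reported as changed each time; `changed_when: False` on it is the usual idiom for a probe that only feeds `register`. The `when: semanageoutput.stdout.find("3001-3100") == -1` test also matches the range anywhere in the listing, so a `3001-3100` entry under some other port type would skip the `-a` and leave the ports without `http_port_t`; testing the `http_port_t` line is more precise. I would add `changed_when: False` to the probe together with a comment `# probe only; the add below is skipped once the range is labelled http_port_t`.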
diff --git a/roles/nuancier/templates/nuancier-lite.cfg b/roles/nuancier/templates/nuancier.cfg similarity index 95% rename from roles/nuancier/templates/nuancier-lite.cfg rename to roles/nuancier/templates/nuancier.cfg index f2be484279..c56f23fab6 100644 --- a/roles/nuancier/templates/nuancier-lite.cfg +++ b/roles/nuancier/templates/nuancier.cfg @@ -8,7 +8,7 @@ SECRET_KEY='{{ nuancier_secret_key }}' ### url to the database server: DB_URL='postgresql://{{ nuancier_db_user }}:{{ nuancier_db_pass }}@{{ nuancier_db_host }}/{{ nuancier_db_name }}' -### The FAS groups in which the admin of nuancier-lite are +### The FAS groups in which the admin of nuancier are ### This can either be a single group or multiple, defined between ### parenthesis. ADMIN_GROUP=('sysadmin-nuancier', 'sysadmin-main') @@ -19,7 +19,7 @@ ADMIN_GROUP=('sysadmin-nuancier', 'sysadmin-main') ### candidates and the cache of those pictures. ### This directory should be somewhere where apache can access, it's ### proposed in '/var/www/nuancier' -STATIC_FOLDER = '/var/www/nuancier' +STATIC_FOLDER = '/var/cache/nuancier' ### Pictures folder ### The folder in which are located the pictures of the different elections. diff --git a/roles/nuancier/templates/nuancier.wsgi b/roles/nuancier/templates/nuancier.wsgi index 182804b10d..83f9f0f7c1 100644 --- a/roles/nuancier/templates/nuancier.wsgi +++ b/roles/nuancier/templates/nuancier.wsgi @@ -9,7 +9,7 @@ import pkg_resources import os # Set the environment variable pointing to the configuration file -os.environ['NUANCIER_CONFIG'] = '/etc/nuancier/nuancier-lite.cfg' +os.environ['NUANCIER_CONFIG'] = '/etc/nuancier/nuancier.cfg' # The most import line to make the wsgi working from nuancier import APP as application diff --git a/roles/nuancier/templates/nuancier_admin.cfg b/roles/nuancier/templates/nuancier_admin.cfg index 95288741ec..604c0756df 100644 --- a/roles/nuancier/templates/nuancier_admin.cfg +++ b/roles/nuancier/templates/nuancier_admin.cfg 
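Review bot: `STATIC_FOLDER = '/var/cache/nuancier'` contradicts the comment three lines above it, which still says the directory is "proposed in '/var/www/nuancier'", and the role tasks that created the pictures and cache subfolders are commented out in this same commit, so nothing visible in the diff creates the new path. Update the comment to name `/var/cache/nuancier` and confirm that the package (or another task) creates it with permissions the apache user can write to; otherwise uploads and thumbnail generation will fail at runtime. The surrounding settings block continues outside the hunk.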
@@ -8,7 +8,7 @@ SECRET_KEY='{{ nuancier_secret_key }}' ### url to the database server: DB_URL='postgresql://{{ nuancier_db_admin_user }}:{{ nuancier_db_admin_pass }}@{{ nuancier_db_host }}/{{ nuancier_db_name }}' -### The FAS groups in which the admin of nuancier-lite are +### The FAS groups in which the admin of nuancier are ### This can either be a single group or multiple, defined between ### parenthesis. ADMIN_GROUP=('sysadmin-nuancier', 'sysadmin-main') diff --git a/roles/unbound/files/unbound.conf b/roles/unbound/files/unbound.conf new file mode 100644 index 0000000000..76f0fc7007 --- /dev/null +++ b/roles/unbound/files/unbound.conf 
@@ -0,0 +1,528 @@ +# +# See unbound.conf(5) man page. +# +# this is a comment. + +#Use this to include other text into the file. +#include: "otherfile.conf" + +# The server clause sets the main parameters. +server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needed for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needed for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # printed from unbound-control. default off, because of speed. + # Needed for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + num-threads: 2 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 2001:DB8::5 + #interface: 80.239.156.220@53 + #interface: 80.239.156.220@80 + #interface: 80.239.156.220@443 + #interface: 0.0.0.0@53 + interface: 0.0.0.0@80 + interface: 0.0.0.0@443 + interface: 0.0.0.0@53 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. 
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # interface-automatic: yes + interface-automatic: no + + # port to answer queries from + # port: 53 + + # specify the interfaces to send outgoing queries to authoritative + # server from by ip-address. If none, the default (all) interface + # is used. Specify every interface on a 'outgoing-interface:' line. + # outgoing-interface: 192.0.2.153 + # outgoing-interface: 2001:DB8::5 + # outgoing-interface: 2001:DB8::6 + + # number of ports to allocate per thread, determines the size of the + # port range that can be open simultaneously. + # outgoing-range: 4096 + + # permit unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. + # outgoing-port-permit: 32768 + + # deny unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. + # Use this to make sure unbound does not grab a UDP port that some + # other server on this computer needs. The default is to avoid + # IANA-assigned port numbers. + # outgoing-port-avoid: "3200-3208" + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 + + # number of incoming simultaneous tcp buffers to hold per thread. + # incoming-num-tcp: 10 + + # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). + # 0 is system default. Use 4m to catch query spikes for busy servers. + # so-rcvbuf: 0 + + # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). + # 0 is system default. Use 4m to handle spikes on very busy servers. + # so-sndbuf: 0 + + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer + # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). + # edns-buffer-size: 4096 + + # buffer size for handling DNS data. No messages larger than this + # size can be sent or received, by UDP or TCP. 
In bytes. + # msg-buffer-size: 65552 + + # the amount of memory to use for the message cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # msg-cache-size: 4m + + # the number of slabs to use for the message cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # msg-cache-slabs: 4 + + # the number of queries that a thread gets to service. + # num-queries-per-thread: 1024 + + # if very busy, 50% queries run to completion, 50% get timeout in msec + # jostle-timeout: 200 + + # the amount of memory to use for the RRset cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # rrset-cache-size: 4m + + # the number of slabs to use for the RRset cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # rrset-cache-slabs: 4 + + # the time to live (TTL) value lower bound, in seconds. Default 0. + # If more than an hour could easily give trouble due to stale data. + # cache-min-ttl: 0 + + # the time to live (TTL) value cap for RRsets and messages in the + # cache. Items are not cached for longer. In seconds. + # cache-max-ttl: 86400 + + # the time to live (TTL) value for cached roundtrip times, lameness + # and EDNS version information for hosts. In seconds. + # infra-host-ttl: 900 + + # the number of slabs to use for the Infrastructure cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # infra-cache-slabs: 4 + + # the maximum number of hosts that are cached (roundtrip, EDNS, lame). + # infra-cache-numhosts: 10000 + + # Enable IPv4, "yes" or "no". + # do-ip4: yes + + # Enable IPv6, "yes" or "no". + # do-ip6: yes + + # Enable UDP, "yes" or "no". + # avoids this open resolver from becoming target for DNS Amplification + do-udp: yes + + # Enable TCP, "yes" or "no". 
+ # do-tcp: yes + + # upstream connections use TCP only (and no UDP), "yes" or "no" + # useful for tunneling scenarios, default no. + # tcp-upstream: no + + # Detach from the terminal, run in background, "yes" or "no". + # do-daemonize: yes + + # control which clients are allowed to make (recursive) queries + # to this server. Specify classless netblocks with /size and action. + # By default everything is refused, except for localhost. + # Choose deny (drop message), refuse (polite error reply), + # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) + # access-control: 0.0.0.0/0 refuse + # access-control: 127.0.0.0/8 allow + # access-control: ::0/0 refuse + # access-control: ::1 allow + # access-control: ::ffff:127.0.0.1 allow + access-control: 0.0.0.0/0 allow + + # if given, a chroot(2) is done to the given directory. + # i.e. you can chroot to the working directory, for example, + # for extra security, but make sure all files are in that directory. + # + # If chroot is enabled, you should pass the configfile (from the + # commandline) as a full path from the original root. After the + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. + # + # All other file paths (working dir, logfile, roothints, and + # key files) can be specified in several ways: + # o as an absolute path relative to the new root. + # o as a relative path to the working directory. + # o as an absolute path relative to the original root. + # In the last case the path is adjusted to remove the unused portion. + # + # The pid file can be absolute and outside of the chroot, it is + # written just prior to performing the chroot and dropping permissions. + # + # Additionally, unbound may need to access /dev/random (for entropy). + # How to do this is specific to your OS. + # + # If you give "" no chroot is performed. The path must not end in a /. 
+ # chroot: "/var/lib/unbound" + chroot: "" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". + # If you give "" no privileges are dropped. + username: "unbound" + + # the working directory. The relative files in this config are + # relative to this directory. If you give "" the working directory + # is not changed. + directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". + # logfile: "" + + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + # log to, with identity "unbound". If yes, it overrides the logfile. + # use-syslog: yes + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # the pid file. Can be an absolute path outside of chroot/work dir. + pidfile: "/var/run/unbound/unbound.pid" + + # file to read root hints from. + # get one from ftp://FTP.INTERNIC.NET/domain/named.cache + # root-hints: "" + + # enable to not answer id.server and hostname.bind queries. + # hide-identity: no + + # enable to not answer version.server and version.bind queries. + # hide-version: no + + # the identity to report. Leave "" or default to return hostname. + # identity: "" + + # the version to report. Leave "" or default to return package version. + # version: "" + + # the target fetch policy. + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency + # depth the recursor will pursue before giving up. Each integer means: + # -1 : fetch all targets opportunistically, + # 0: fetch on demand, + # positive value: fetch that many targets opportunistically. + # Enclose the list of numbers between quotes (""). + # target-fetch-policy: "3 2 1 0 0" + + # Harden against very small EDNS buffer sizes. + # harden-short-bufsize: no + + # Harden against unseemly large queries. 
+ # harden-large-queries: no
+
+ # Harden against out of zone rrsets, to avoid spoofing attempts.
+ harden-glue: yes
+
+ # Harden against receiving dnssec-stripped data. If you turn it
+ # off, failing to validate dnskey data for a trustanchor will
+ # trigger insecure mode for that zone (like without a trustanchor).
+ # Default on, which insists on dnssec data for trust-anchored zones.
+ harden-dnssec-stripped: yes
+
+ # Harden against queries that fall under dnssec-signed nxdomain names.
+ harden-below-nxdomain: yes
+
+ # Harden the referral path by performing additional queries for
+ # infrastructure data. Validates the replies (if possible).
+ # Default off, because the lookups burden the server. Experimental
+ # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+ harden-referral-path: yes
+
+ # Use 0x20-encoded random bits in the query to foil spoof attempts.
+ # This feature is an experimental implementation of draft dns-0x20.
+ # (this now fails on all GoDaddy customer domains, so disabled)
+ use-caps-for-id: no
+
+ # Enforce privacy of these addresses. Strips them away from answers.
+ # It may cause DNSSEC validation to additionally mark it as bogus.
+ # Protects against 'DNS Rebinding' (uses browser as network proxy).
+ # Only 'private-domain' and 'local-data' names are allowed to have
+ # these private addresses. No default.
+ # private-address: 10.0.0.0/8
+ # private-address: 172.16.0.0/12
+ # private-address: 192.168.0.0/16
+ # private-address: 192.254.0.0/16
+ # private-address: fd00::/8
+ # private-address: fe80::/10
+
+ # Allow the domain (and its subdomains) to contain private addresses.
+ # local-data statements are allowed to contain private addresses too.
+ # private-domain: "example.com"
+
+ # If nonzero, unwanted replies are not only reported in statistics,
+ # but also a running total is kept per thread.
If it reaches the
+ # threshold, a warning is printed and a defensive action is taken,
+ # the cache is cleared to flush potential poison out of it.
+ # A suggested value is 10000000, the default is 0 (turned off).
+ unwanted-reply-threshold: 10000000
+
+ # Do not query the following addresses. No DNS queries are sent there.
+ # List one address per entry. List classless netblocks with /size,
+ # do-not-query-address: 127.0.0.1/8
+ # do-not-query-address: ::1
+
+ # if yes, the above default do-not-query-address entries are present.
+ # if no, localhost can be queried (for testing and debugging).
+ # do-not-query-localhost: yes
+
+ # if yes, perform prefetching of almost expired message cache entries.
+ prefetch: yes
+
+ # if yes, perform key lookups adjacent to normal lookups.
+ prefetch-key: yes
+
+ # module configuration of the server. A string with identifiers
+ # separated by spaces. "iterator" or "validator iterator"
+ # module-config: "validator iterator"
+
+ # File with DLV trusted keys. Same format as trust-anchor-file.
+ # There can be only one DLV configured, it is trusted from root down.
+ # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
+ dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
+
+ # File with trusted keys for validation. Specify more than one file
+ # with several entries, one file per entry.
+ # Zone file format, with DS and DNSKEY entries.
+ # trust-anchor-file: ""
+
+ # File with trusted keys, kept uptodate using RFC5011 probes,
+ # initial file like trust-anchor-file, then it stores metadata.
+ # Use several entries, one per domain name, to track multiple zones.
+ # auto-trust-anchor-file: ""
+
+ # Trusted key for validation. DS or DNSKEY. specify the RR on a
+ # single line, surrounded by "". TTL is ignored. class is IN default.
+ # (These examples are from August 2007 and may not be valid anymore).
+ # trust-anchor: "nlnetlabs.nl.
DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
+ # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
+
+ # File with trusted keys for validation. Specify more than one file
+ # with several entries, one file per entry. Like trust-anchor-file
+ # but has a different file format. Format is BIND-9 style format,
+ # the trusted-keys { name flag proto algo "key"; }; clauses are read.
+ # trusted-keys-file: ""
+ trusted-keys-file: /etc/unbound/root.key
+
+ # Ignore chain of trust. Domain is treated as insecure.
+ # domain-insecure: "example.com"
+
+ # Override the date for validation with a specific fixed date.
+ # Do not set this unless you are debugging signature inception
+ # and expiration. "" or "0" turns the feature off.
+ # val-override-date: ""
+
+ # The time to live for bogus data, rrsets and messages. This avoids
+ # some of the revalidation, until the time interval expires. in secs.
+ # val-bogus-ttl: 60
+
+ # The signature inception and expiration dates are allowed to be off
+ # by 10% of the lifetime of the signature from our local clock.
+ # This leeway is capped with a minimum and a maximum. In seconds.
+ # val-sig-skew-min: 3600
+ # val-sig-skew-max: 86400
+
+ # Should additional section of secure message also be kept clean of
+ # unsecure data. Useful to shield the users of this validator from
+ # potential bogus data in the additional section. All unsigned data
+ # in the additional section is removed from secure messages.
+ val-clean-additional: yes
+
+ # Turn permissive mode on to permit bogus messages. Thus, messages
+ # for which security checks failed will be returned to clients,
+ # instead of SERVFAIL. It still performs the security checks, which
+ # result in interesting log files and possibly the AD bit in
+ # replies if the message is found secure.
The default is off.
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+ val-permissive-mode: no
+
+ # Have the validator log failed validations for your diagnosis.
+ # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+ val-log-level: 1
+
+ # It is possible to configure NSEC3 maximum iteration counts per
+ # keysize. Keep this table very short, as linear search is done.
+ # A message with an NSEC3 with larger count is marked insecure.
+ # List in ascending order the keysize and count values.
+ # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+
+ # instruct the auto-trust-anchor-file probing to add anchors after ttl.
+ # add-holddown: 2592000 # 30 days
+
+ # instruct the auto-trust-anchor-file probing to del anchors after ttl.
+ # del-holddown: 2592000 # 30 days
+
+ # auto-trust-anchor-file probing removes missing anchors after ttl.
+ # If the value 0 is given, missing anchors are not removed.
+ # keep-missing: 31622400 # 366 days
+
+ # the amount of memory to use for the key cache.
+ # plain value in bytes or you can append k, m or G. default is "4Mb".
+ # key-cache-size: 4m
+
+ # the number of slabs to use for the key cache.
+ # the number of slabs must be a power of 2.
+ # more slabs reduce lock contention, but fragment memory usage.
+ # key-cache-slabs: 4
+
+ # the amount of memory to use for the negative cache (used for DLV).
+ # plain value in bytes or you can append k, m or G. default is "1Mb".
+ # neg-cache-size: 1m
+
+ # a number of locally served zones can be configured.
+ # local-zone:
+ # local-data: ""
+ # o deny serves local data (if any), else, drops queries.
+ # o refuse serves local data (if any), else, replies with error.
+ # o static serves local data, else, nxdomain or nodata answer.
+ # o transparent serves local data, but resolves normally for other names
+ # o redirect serves the zone data for any subdomain in the zone.
+ # o nodefault can be used to normally resolve AS112 zones.
+ # o typetransparent resolves normally for other types and other names
+ #
+ # defaults are localhost address, reverse for 127.0.0.1 and ::1
+ # and nxdomain for AS112 zones. If you configure one of these zones
+ # the default content is omitted, or you can omit it with 'nodefault'.
+ #
+ # If you configure local-data without specifying local-zone, by
+ # default a transparent local-zone is created for the data.
+ #
+ # You can add locally served data with
+ # local-zone: "local." static
+ # local-data: "mycomputer.local. IN A 192.0.2.51"
+ # local-data: 'mytext.local TXT "content of text record"'
+ #
+ # You can override certain queries with
+ # local-data: "adserver.example.com A 127.0.0.1"
+ #
+ # You can redirect a domain to a fixed address with
+ # (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
+ # local-zone: "example.com" redirect
+ # local-data: "example.com A 192.0.2.3"
+ #
+ # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
+ # You can also add PTR records using local-data directly, but then
+ # you need to do the reverse notation yourself.
+ # local-data-ptr: "192.0.2.3 www.example.com"
+
+ # service clients over SSL (on the TCP sockets), with plain DNS inside
+ # the SSL stream. Give the certificate to use and private key.
+ # default is "" (disabled). requires restart to take effect.
+ ssl-service-key: "/etc/unbound/unbound_server.key"
+ ssl-service-pem: "/etc/unbound/unbound_server.pem"
+ ssl-port: 443
+
+ # request upstream over SSL (with plain DNS inside the SSL stream).
+ # Default is no. Can be turned on and off with unbound-control.
+ # ssl-upstream: no
+
+## Python config section. To enable:
+## o use --with-pythonmodule to configure before compiling.
+## o list python in the module-config string (above) to enable.
+## o and give a python-script to run.
+#python:
+# # Script file to load
+# # python-script: "/etc/unbound/ubmodule-tst.py"
+
+
+# Remote control config section.
+remote-control:
+ # Enable remote control with unbound-control(8) here.
+ # set up the keys and certificates with unbound-control-setup.
+ # Note: required for unbound-munin package
+ control-enable: yes
+
+ # what interfaces are listened to for remote control.
+ # give 0.0.0.0 and ::0 to listen to all interfaces.
+ # control-interface: 127.0.0.1
+ # control-interface: ::1
+
+ # port number for remote control operations.
+ # control-port: 953
+
+ # unbound server key file.
+ server-key-file: "/etc/unbound/unbound_server.key"
+
+ # unbound server certificate file.
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+
+ # unbound-control key file.
+ control-key-file: "/etc/unbound/unbound_control.key"
+
+ # unbound-control certificate file.
+ control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# Stub zones.
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
+# the list is treated as priming hints (default is no).
+# stub-zone:
+# name: "example.com"
+# stub-addr: 192.0.2.68
+# stub-prime: "no"
+# stub-zone:
+# name: "example.org"
+# stub-host: ns.example.com.
+
+# Forward zones
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of servers. These servers have to handle
+# recursion to other nameservers. List zero or more nameservers by hostname
+# or by ipaddress. Use an entry with name "." to forward all queries.
+# forward-zone:
+# name: "example.com"
+# forward-addr: 192.0.2.68
+# forward-addr: 192.0.2.73@5355 # forward to port 5355.
+# forward-zone:
+# name: "example.org"
+# forward-host: fwd.example.com
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
new file mode 100644
index 0000000000..3a6eab08b7
--- /dev/null
+++ b/roles/unbound/tasks/main.yml
@@ -0,0 +1,43 @@
+- name: install unbound package
+ yum: pkg={{ item }} state=installed
+ with_items:
+ - unbound
+ - policycoreutils-python
+
+- name: install unbound config
+ copy: src=unbound.conf dest=/etc/unbound/unbound.conf mode=644
+ notify:
+ - restart unbound
+
+- name: setup SELinux dns 80
+ command: touch /root/dns80 creates=/root/dns80
+ notify:
+ - semanage dns80
+
+- name: setup SELinux dns 443
+ command: touch /root/dns443 creates=/root/dns443
+ notify:
+ - semanage dns443
+
+- name: setup SELinux dns 8953
+ command: touch /root/dns8953 creates=/root/dns8953
+ notify:
+ - semanage dns8953
+
+- name: copying unbound control key
+ copy: src="{{ private }}/files/unbound/unbound_control.key" dest=/etc/unbound/unbound_control.key owner=root group=unbound mode=640
+
+- name: copying unbound control pem
+ copy: src="{{ private }}/files/unbound/unbound_control.pem" dest=/etc/unbound/unbound_control.pem owner=root group=unbound mode=640
+
+- name: copying unbound server key
+ copy: src="{{ private }}/files/unbound/unbound_server.key" dest=/etc/unbound/unbound_server.key owner=root group=unbound mode=640
+
+- name: copying unbound server pem
+ copy: src="{{ private }}/files/unbound/unbound_server.pem" dest=/etc/unbound/unbound_server.pem owner=root group=unbound mode=640
+
+- name: Enable and start unbound service
+ service: state=running enabled=true name=unbound
+ tags:
+ - service
+ - config
diff --git a/scripts/ansible-playbook-check-diff b/scripts/ansible-playbook-check-diff
new file mode 100755
index 0000000000..0fe46b72a7
--- /dev/null
+++ b/scripts/ansible-playbook-check-diff
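Review bot: The four "copying unbound ... key/pem" tasks carry no `notify:`, while the "install unbound config" task above them does notify `restart unbound`; the unbound.conf added in this same commit notes that ssl-service-key/pem changes require a restart, so a rotated server key or certificate would land on disk but the running daemon would keep serving with the old one until something else restarts it. Add `notify:` / `- restart unbound` to each of the four copy tasks. The "setup SELinux dns" tasks gate their `semanage` handlers on marker files under /root; if a handler fails once, the marker already exists and the port label is never retried, so the handlers (not in this diff) should be idempotent enough to run unconditionally, or the marker should be created by the handler on success.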
@@ -0,0 +1,21 @@
+#!/usr/bin/python -tt
+import os
+import os.path
+import subprocess
+
+rootpath = "/srv/web/infra/ansible/playbooks"
+
+#
+# Find all the .yml files under playbooks/groups and hosts and run ansible-playbook on them
+# With --check and --diff for now. We don't run the 'manual' subdir ones.
+
+for dir in ("hosts", "groups"):
+ hostsplaybookspath = os.path.join(rootpath, dir)
+ for path, dirs, files in os.walk(hostsplaybookspath):
+ for file in files:
+ if not file.endswith(".yml"):
+ continue
+ playbookpath = os.path.join(path, file)
+ cmd = ("ansible-playbook", playbookpath, "--check", "--diff")
+ ansibleprocess = subprocess.Popen(cmd)
+ ansibleprocess.communicate()
diff --git a/tasks/growroot_cloud.yml b/tasks/growroot_cloud.yml
index e5e15a1413..86c89cf198 100644
--- a/tasks/growroot_cloud.yml
+++ b/tasks/growroot_cloud.yml
@@ -10,14 +10,14 @@ - packages - name: growpart the second partition (/) to full size - action: command growpart /dev/vda 2 - ignore_errors: true + command: growpart /dev/vda 2 register: growpart always_run: true changed_when: "growpart.rc != 1" + failed_when: growpart.rc == 2 - name: reboot the box - action: command /sbin/reboot + command: /sbin/reboot when: growpart.rc == 0 ignore_errors: true
@@ -26,5 +26,5 @@ when: growpart.rc == 0 - name: resize the /dev/vda 2 fs - action: command resize2fs /dev/vda2 + command: resize2fs /dev/vda2 when: growpart.rc == 0
diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml
deleted file mode 100644
index cc1a0d6110..0000000000
--- a/tasks/koji/base_builder.yml
+++ /dev/null
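Review bot: The exit status of every `ansible-playbook` run is discarded: `Popen(cmd)` followed by `communicate()` never reads `returncode`, so a playbook that fails in --check mode is indistinguishable from one that passes when this script runs unattended. Track failures and end with a non-zero status so whatever schedules the script can see them. `dir` and `file` also shadow builtins, and `os.walk` returns entries in filesystem order, so `sorted(files)` would make successive runs comparable. The rewritten loop below keeps the same command line and search roots.

```python
failed = []
for subdir in ("hosts", "groups"):
    hostsplaybookspath = os.path.join(rootpath, subdir)
    for path, dirs, files in os.walk(hostsplaybookspath):
        for name in sorted(files):
            if not name.endswith(".yml"):
                continue
            playbookpath = os.path.join(path, name)
            cmd = ("ansible-playbook", playbookpath, "--check", "--diff")
            # subprocess.call waits and returns the exit status
            if subprocess.call(cmd) != 0:
                failed.append(playbookpath)
raise SystemExit(1 if failed else 0)
```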
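Review bot: `failed_when: growpart.rc == 2` treats only exit status 2 as a failure, so any other unexpected status — the binary missing, a shell error — is neither a failure nor, with `changed_when: "growpart.rc != 1"`, a no-op: the task reports "changed", the reboot is skipped because rc is not 0, and the run continues as if the partition had been grown. Since the commit's own conditions already treat 0 as grown and 1 as no-change, the failure condition should be the complement: `failed_when: growpart.rc != 0 and growpart.rc != 1`. The same hunk keeps `ignore_errors: true` on the reboot task, which is fine for a command that never returns normally.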
@@ -1,145 +0,0 @@ -- name: set root passwd - action: user name=root password={{ builder_rootpw }} state=present - -- name: add mock user as 425 - action: user name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes - -- name: make mock homedir perms - action: file state=directory path=/var/lib/mock mode=2775 owner=root group=mock - -- name: add mock ssh dir - action: file state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock - -- name: add mock ssh keys - action: copy src="{{ files }}/kojibuilder/mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock - -- name: add kojibuilder - action: user name=kojibuilder groups=mock - -- name: add mockbuilder - action: user name=mockbuilder groups=mock - -- name: mockbuilder .ssh dir - action: file state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder - -- name: mockbuilder ssh key - action: copy src="{{ files }}/kojibuilder/ftbfs_auth_keys" dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder - -- name: make a bunch of dirs - action: file state=directory path={{ item }} - with_items: - - /pub - - /mnt/fedora_koji - - /pub/fedora - - /pub/epel - - /var/spool/rsyslog - -- name: add builder infra yum repo - action: copy src="{{ files }}/kojibuilder/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo - -- name: clean up packages we do not need - action: yum state=removed pkg={{ item }} - with_items: - - audit - - 'cronie\*' - -- name: add pkgs - action: yum state=installed pkg={{ item }} - with_items: - - yum-utils - - koji-builder - - strace - - mock - - nfs-utils - - kernel-firmware - - ntp - - ntpdate - -- name: /etc/kojid/kojid.conf - action: copy src="{{ files }}/kojibuilder/kojid.conf" dest=/etc/kojid/kojid.conf - when: not inventory_hostname.startswith(('arm01','arm03')) - notify: - - restart kojid - - -- name: arm /etc/kojid/kojid.conf - action: copy src="{{ 
files }}/kojibuilder/arm-kojid.conf" dest=/etc/kojid/kojid.conf - when: inventory_hostname.startswith(('arm01','arm03')) - notify: - - restart kojid - -- name: /etc/koji/koji.conf - action: copy src="{{ files }}/kojibuilder/koji.conf" dest=/etc/koji.conf - when: not inventory_hostname.startswith(('arm01','arm03')) - -- name: /etc/koji/koji.conf - action: copy src="{{ files }}/kojibuilder/arm-koji.conf" dest=/etc/koji.conf - when: inventory_hostname.startswith(('arm01','arm03')) - -- name: copy over koji ca cert - action: copy src="{{ private }}/files/koji/buildercerts/fedora-ca.cert" dest=/etc/kojid/cacert.pem - -- name: copy over /etc/security/limits.conf - action: copy src="{{ files }}/kojibuilder/limits.conf" dest=/etc/security/limits.conf - -- name: copy over builder cert to /etc/kojid/kojibuilder.pem - action: copy src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600 - -- name: chkconfig kojid on and leave it running - action: service name=kojid enabled=on -# action: service name=kojid enabled=on state=started - -- name: copy over authorized keys for root - action: copy src="{{ files }}/kojibuilder/root_auth_keys" dest=/root/.ssh/authorized_keys mode=644 - -# idmapd and make sure it's set to run -- name: idmapd.conf - action: copy src="{{ files }}/kojibuilder/idmapd.conf" dest=/etc/idmapd.conf - tags: - - configs -- name: enable nfs-related services and run them - action: service name={{ item }} enabled=true state=started - with_items: - - rpcidmapd - - rpcbind - - nfs - - nfslock - -- name: route config for netapp network - action: copy src="{{ files }}/kojibuilder/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 - -- name: run netapp route - command: /etc/sysconfig/network-scripts/ifup-routes eth1 - -- name: nfs mount points - action: mount name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 
dump=0 state=mounted - when: inventory_hostname.startswith('build') - -- name: make a mnt/koji link - action: file state=link src=/mnt/fedora_koji/koji dest=/mnt/koji - when: inventory_hostname.startswith('build') - -# mock configs for pungify job -# TODO: restore this to "copy:", this is a temporary "fix" for https://github.com/ansible/ansible/issues/4377 -- name: put extra special mock configs in - template: src="{{ files }}/kojibuilder/builders/{{ item }}" dest="/etc/mock/{{ item }}" mode=644 - with_items: - - fedora-branched-pungi-armhfp.cfg - - fedora-branched-pungi-i386.cfg - - fedora-branched-pungi-x86_64.cfg - - fedora-rawhide-pungi-i386.cfg - - fedora-rawhide-pungi-x86_64.cfg - - fedora-rawhide-pungi-armhfp.cfg - -- name: mock site-defaults.cfg - action: copy src="{{ files }}/kojibuilder/builders/site-defaults.cfg" dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock - when: not inventory_hostname.startswith('bkernel') - -- name: ntp steptickers - action: copy src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers - -- name: ntp.conf - action: copy src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf - -- name: enable ntpd - action: service name=ntpd enabled=true state=started diff --git a/tasks/koji/builder_kernel_config.yml b/tasks/koji/builder_kernel_config.yml deleted file mode 100644 index 239b4f16c9..0000000000 --- a/tasks/koji/builder_kernel_config.yml +++ /dev/null @@ -1,11 +0,0 @@ -#- name: set kernel params for loopback partitioning -# action: command /sbin/grubby --update-kernel=ALL --args=loop.max_part=256 - -- name: set kernel params for more loops - action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 - -- name: special pkgs for the x86_64 builders - yum: state=installed pkg={{ item }} - with_items: - - kmod-hfsplus - when: is_rhel == 'True' diff --git a/tasks/koji/releng_config.yml b/tasks/koji/releng_config.yml index 34ece6ad82..9f20f0433d 100644 --- a/tasks/koji/releng_config.yml 
+++ b/tasks/koji/releng_config.yml @@ -8,7 +8,7 @@ - name: add mock ssh dir action: file state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock - name: add mock ssh keys - action: copy src="{{ files }}/kojibuilder/mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=644 owner=mock group=mock + action: copy src="{{ files }}/../roles/koji_builder/files//mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=644 owner=mock group=mock - name: add ftpsync group action: group name=ftpsync gid=263 system=yes state=present @@ -67,7 +67,7 @@ action: file src=/mnt/fedora_koji/compose/cache dest=/srv/pungi/cache state=link - name: add builder infra yum repo - action: copy src="{{ files }}/kojibuilder/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo + action: copy src="{{ files }}/../roles/koji_builder/files/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo tags: - configs @@ -93,7 +93,7 @@ - pykickstart - name: /etc/koji/koji.conf - action: copy src="{{ files }}/kojibuilder/koji.conf" dest=/etc/koji.conf + action: copy src="{{ files }}//../roles/koji_builder/files/koji.conf" dest=/etc/koji.conf # mock configs @@ -109,7 +109,7 @@ # idmapd and make sure it's set to run - name: idmapd.conf - action: copy src="{{ files }}/kojibuilder/idmapd.conf" dest=/etc/idmapd.conf + action: copy src="{{ files }}/../roles/koji_builder/files//idmapd.conf" dest=/etc/idmapd.conf tags: - configs @@ -123,7 +123,7 @@ - name: route to netapp network - action: copy src="{{ files }}/kojibuilder/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 + action: copy src="{{ files }}/../roles/koji_builder/files/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 notify: - restart netapproute diff --git a/tasks/persistent_cloud.yml b/tasks/persistent_cloud.yml index f7512d0982..50f69e5a91 100644 --- a/tasks/persistent_cloud.yml +++ b/tasks/persistent_cloud.yml 
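Review bot: The five new `src=` paths in this file reach the role's files with `{{ files }}/../roles/koji_builder/files/...`, which ties every task to where `files` happens to point relative to `roles/`, and two of them carry a doubled slash (`files//mock_auth_keys` in the first hunk, `{{ files }}//../roles/...` in the koji.conf hunk); the idmapd.conf and route-eth1 hunks have the same shape. A single variable for the role's files directory, referenced from all five tasks, would make the relocation explicit and keep the paths normalised, e.g. `src="{{ koji_builder_files }}/mock_auth_keys"` with `koji_builder_files` defined once next to `files`. Each task here stands alone, so the change is a find-and-replace of the five `src=` values.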
@@ -5,7 +5,7 @@ ignore_errors: true - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ persist_access_key }} ec2_secret_key={{ persist_secret_key }} ec2_url={{ os_ec2_url }} user_data={{ ec2_userdata }} + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ persist_access_key }} ec2_secret_key={{ persist_secret_key }} ec2_url={{ os_ec2_url }} register: inst_res when: host_is_up|failed diff --git a/tasks/transient_cloud.yml b/tasks/transient_cloud.yml index d939abed96..77b4d3203f 100644 --- a/tasks/transient_cloud.yml +++ b/tasks/transient_cloud.yml @@ -1,6 +1,6 @@ --- - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data={{ ec2_userdata }} + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} register: inst_res - name: add it to the special group diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml index 26fee37039..f92af0a840 100644 --- a/tasks/yumrepos.yml +++ b/tasks/yumrepos.yml @@ -4,7 +4,7 @@ with_items: - epel6.repo - rhel6.repo - when: is_rhel == 'True' + when: ansible_distribution == 'RedHat' tags: - config - packages 
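Review bot: With `user_data={{ ec2_userdata }}` gone from this `ec2` call (and from the matching one in tasks/transient_cloud.yml), nothing in these plays passes cloud-config to new instances any more; the `ec2_userdata` value removed from vars/global.yml in this same commit was, per its deleted comment, what set `disable_root` to 0 on cloud images. If any task that runs after "spin it up" connects to the new instance as root, it would now fail on a freshly booted image, so it is worth confirming that the connecting user for these hosts no longer depends on that setting. The rest of the play, including the host that consumes `inst_res`, is outside the hunk.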
@@ -15,18 +15,18 @@ - fedora.repo - fedora-updates.repo - fedora-updates-testing.repo - when: is_fedora == 'True' and ansible_architecture == 'x86_64' + when: ansible_distribution == 'Fedora' and ansible_architecture == 'x86_64' tags: - config - packages - name: put fedora repos on arm systems - action: copy src="{{ files }}/common/{{ item-arm }}" dest="/etc/yum.repos.d/{{ item }}" + action: copy src="{{ files }}/common/{{ item }}-arm" dest="/etc/yum.repos.d/{{ item }}" with_items: - fedora.repo - fedora-updates.repo - fedora-updates-testing.repo - when: is_fedora == 'True' and ansible_architecture == 'armv7l' + when: ansible_distribution == 'Fedora' and ansible_architecture == 'armv7l' tags: - config - packages diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 42f54a6837..f60970d117 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -3,4 +3,4 @@ dist_tag: f{{ ansible_distribution_version }} base_pkgs_inst: ['iptables-services' ] base_pkgs_erase: ['firewalld', 'PackageKit*', 'sendmail', 'at'] service_disabled: [ ] -service_enabled: [ ] +service_enabled: ['auditd'] diff --git a/vars/global.yml b/vars/global.yml index 210bf5dcbc..49718f6d0f 100644 --- a/vars/global.yml +++ b/vars/global.yml @@ -20,14 +20,12 @@ f17_qcow_id: ami-00000001 f19_qcow_id: ami-00000020 # Fedora-20-TC4-x86_64 f20_qcow_id: ami-00000038 -# This disables the anoying requirement of logging in as fedora user on cloud images -ec2_userdata: '{"#cloud-config":"","disable_root":"0"}' # Set a default hostname base to transient. Override in host vars or command line. hostbase: transient # root_auth_users for cloud instances is '' by default root_auth_users: '' -global_pkgs_inst: ['bind-utils', 'joe', 'mailx', 'nc', 'openssh-clients', - 'patch', 'postfix', 'rsync', 'strace', 'telnet', +global_pkgs_inst: ['bind-utils', 'mailx', 'nc', 'openssh-clients', + 'patch', 'postfix', 'rsync', 'strace', 'tmpwatch', 'traceroute', 'vim-enhanced', 'xz', 'zsh', 'libselinux-python', 'ntpdate' ]