From b1dfce5353c69bcb2d343b3bddf5b27182b288a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Wed, 15 Jan 2014 13:29:09 +0000 Subject: [PATCH 001/271] setup copr-be to use https selfigned certs, not stored here. It will be replaced in matter of days by properly signed certs, which we store in private repo --- files/copr/lighttpd/lighttpd.conf | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/files/copr/lighttpd/lighttpd.conf b/files/copr/lighttpd/lighttpd.conf index 4b89ba4cd9..e154917436 100644 --- a/files/copr/lighttpd/lighttpd.conf +++ b/files/copr/lighttpd/lighttpd.conf @@ -90,7 +90,7 @@ server.port = 80 ## ## Use IPv6? ## -server.use-ipv6 = "enable" +server.use-ipv6 = "disable" ## ## bind to a specific IP @@ -445,3 +445,11 @@ server.upload-dirs = ( "/var/tmp" ) #include_shell "cat /etc/lighttpd/vhosts.d/*.conf" ## ####################################################################### + +$SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/lighttpd/copr-be.pem" + ssl.ca-file = "/etc/lighttpd/copr-be.crt" + ssl.disable-client-renegotiation = "enable" + ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" +} From 08b3569ed67d99f5eb3e2d1364230393f5408eee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Wed, 15 Jan 2014 13:31:55 +0000 Subject: [PATCH 002/271] setup copr-fe to use https selfigned certs, not stored here. It will be replaced in matter of days by properly signed certs, which we store in private repo --- files/copr/fe/httpd/coprs.conf | 25 +++++++++++++++++++ .../hosts/copr-fe.cloud.fedoraproject.org.yml | 1 + 2 files changed, 26 insertions(+) diff --git a/files/copr/fe/httpd/coprs.conf b/files/copr/fe/httpd/coprs.conf index 8ba86c60eb..bb0502c5f5 100644 --- a/files/copr/fe/httpd/coprs.conf +++ b/files/copr/fe/httpd/coprs.conf 
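Review bot: The `ssl.cipher-list` in the added `:443` socket block lists `RC4-SHA` and `RC4` ahead of `HIGH`, and `!EDH:!AESGCM` removes the DHE and AES-GCM suites, so connections can negotiate RC4 while stronger suites are excluded. The block also sets no protocol floor or server-side cipher preference; where the deployed lighttpd supports them I would add `ssl.use-sslv3 = "disable"` and `ssl.honor-cipher-order = "enable"`, and drop the two RC4 entries unless a known client still needs them. `ssl.pemfile` holds the private key, so whatever installs `/etc/lighttpd/copr-be.pem` (not part of this patch) should leave it readable only by the account lighttpd starts as. The first hunk's change of `server.use-ipv6` to `"disable"` is not explained by the commit message and deserves a one-line comment above it.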
@@ -18,3 +18,28 @@ WSGISocketPrefix /var/run/wsgi Require all granted + + + SSLEngine on + SSLProtocol all -SSLv2 + #optimeize on speed + SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 + SSLHonorCipherOrder on + + SSLCertificateFile /etc/pki/tls/ca.crt + SSLCertificateKeyFile /etc/pki/tls/private/ca.key + ServerName copr-fe.cloud.fedoraproject.org:443 + + WSGIPassAuthorization On + #WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=5 + WSGIScriptAlias / /usr/share/copr/coprs_frontend/application + WSGIProcessGroup 127.0.0.1 + + ErrorLog logs/error_coprs + CustomLog logs/access_coprs common + + + WSGIApplicationGroup %{GLOBAL} + Require all granted + + diff --git a/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml index 014574b5da..d44e933783 100644 --- a/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml @@ -47,6 +47,7 @@ - postgresql-server - bash-completion - fail2ban + - mod_ssl tags: - packages From d022f58e943ff1914338961a44888fbac7382da2 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Jan 2014 16:30:46 +0000 Subject: [PATCH 003/271] Incease size of lists-dev and make f19 instance --- inventory/host_vars/lists-dev.cloud.fedoraproject.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/lists-dev.cloud.fedoraproject.org b/inventory/host_vars/lists-dev.cloud.fedoraproject.org index 3c4d2556b0..bea082d83a 100644 --- a/inventory/host_vars/lists-dev.cloud.fedoraproject.org +++ b/inventory/host_vars/lists-dev.cloud.fedoraproject.org @@ -1,6 +1,6 @@ --- -instance_type: m1.small -image: "{{ f18_qcow_id }}" +instance_type: m1.large +image: "{{ f19_qcow_id }}" keypair: fedora-admin-20130801 security_group: smtpserver zone: nova From 5e61d476e9321df255550ca177f11f7fb457866c Mon Sep 17 00:00:00 2001 
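Review bot: `SSLProtocol all -SSLv2` in the added port-443 block leaves SSLv3 enabled, and with `SSLHonorCipherOrder on` the `SSLCipherSuite` order makes `RC4-SHA` the server's first choice for every client that offers it. I would tighten these to `SSLProtocol all -SSLv2 -SSLv3` and move RC4 to the end of the list or remove it. `WSGIProcessGroup 127.0.0.1` relies on a daemon process whose `WSGIDaemonProcess` line is commented out here, so it presumably depends on the definition in the existing block above; a comment saying so would help. `WSGIPassAuthorization On` forwards credentials to the application, and this patch does not show whether plain-HTTP requests are redirected to HTTPS, so confirm that they are once the signed certificates land.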
From: Kevin Fenzi Date: Wed, 15 Jan 2014 16:50:37 +0000 Subject: [PATCH 004/271] Remove user_data until I can figure out how to make it work. --- tasks/persistent_cloud.yml | 2 +- vars/global.yml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tasks/persistent_cloud.yml b/tasks/persistent_cloud.yml index f7512d0982..50f69e5a91 100644 --- a/tasks/persistent_cloud.yml +++ b/tasks/persistent_cloud.yml @@ -5,7 +5,7 @@ ignore_errors: true - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ persist_access_key }} ec2_secret_key={{ persist_secret_key }} ec2_url={{ os_ec2_url }} user_data={{ ec2_userdata }} + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ persist_access_key }} ec2_secret_key={{ persist_secret_key }} ec2_url={{ os_ec2_url }} register: inst_res when: host_is_up|failed diff --git a/vars/global.yml b/vars/global.yml index 210bf5dcbc..fa760d29d6 100644 --- a/vars/global.yml +++ b/vars/global.yml @@ -20,8 +20,6 @@ f17_qcow_id: ami-00000001 f19_qcow_id: ami-00000020 # Fedora-20-TC4-x86_64 f20_qcow_id: ami-00000038 -# This disables the anoying requirement of logging in as fedora user on cloud images -ec2_userdata: '{"#cloud-config":"","disable_root":"0"}' # Set a default hostname base to transient. Override in host vars or command line. hostbase: transient # root_auth_users for cloud instances is '' by default From 50a49a537818b2d93162f3009e3bf3dedd03c114 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 16 Jan 2014 14:56:06 +0000 Subject: [PATCH 005/271] Modernize variables in the badges-frontend role. --- roles/badges-frontend/templates/tahrir.ini | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/badges-frontend/templates/tahrir.ini b/roles/badges-frontend/templates/tahrir.ini index 960b175804..a9b1277c64 100644 
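Review bot: The `spin it up` task in tasks/persistent_cloud.yml passes `ec2_access_key={{ persist_access_key }}` and `ec2_secret_key={{ persist_secret_key }}` as inline module arguments, which may be echoed in verbose output and logs; add `no_log: true` to the task on Ansible versions that support it. The same applies to the `spin it up` task in tasks/transient_cloud.yml changed by patch 010. Dropping `user_data` presumably returns root login to whatever the image's cloud-init default is, so a comment above the task such as `# no user_data: root login policy comes from the image default` would record that for the next reader.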
--- a/roles/badges-frontend/templates/tahrir.ini +++ b/roles/badges-frontend/templates/tahrir.ini @@ -27,7 +27,7 @@ pyramid.default_locale_name = en pyramid.includes = pyramid_tm -sqlalchemy.url = postgresql://${tahrirDBUser}:${tahrirDBPassword}@db-tahrir/tahrir +sqlalchemy.url = postgresql://{{tahrirDBUser}}:{{tahrirDBPassword}}@db-tahrir/tahrir mako.directories=tahrir:templates @@ -74,8 +74,8 @@ tahrir.social.twitter_user_hash = #fedora tahrir.social.gplus = True -session.secret="${tahrirSessionSecret}" -authnsecret="${tahrirAuthnSecret}" +session.secret="{{tahrirSessionSecret}}" +authnsecret="{{tahrirAuthnSecret}}" moksha.domain = fedoraproject.org From 25a1b7b53c8e7b03e78ec557cf6e03c32e67d040 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 16 Jan 2014 15:40:20 +0000 Subject: [PATCH 006/271] Add the new ronin badge to the oldschool script. --- roles/badges-backend/files/cron/award-oldschool-badges | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/badges-backend/files/cron/award-oldschool-badges b/roles/badges-backend/files/cron/award-oldschool-badges index 0f96476cbc..fa4b46f43a 100755 --- a/roles/badges-backend/files/cron/award-oldschool-badges +++ b/roles/badges-backend/files/cron/award-oldschool-badges @@ -91,6 +91,7 @@ def main(): 'sysadmin-badges': 'inside-job', 'sponsors': 'packager-sponsor', 'designteam': 'pixel-ninja', + 'fi-apprentice': 'no-longer-a-ronin', } # First, some validation that the badge ids actually exist. From 7b90a538eab48309a3af615d0fe9f4e1c5c32611 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 16 Jan 2014 22:12:53 +0000 Subject: [PATCH 007/271] ask01.stg fixes. Add fedmsg_base, fix settings to include celery for now. --- playbooks/groups/ask.yml | 1 + roles/ask/tasks/main.yml | 1 + roles/ask/templates/settings.py | 6 +++++- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/playbooks/groups/ask.yml b/playbooks/groups/ask.yml index 6cfb7a7dd4..d255c9a467 100644 --- a/playbooks/groups/ask.yml 
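Review bot: `{{tahrirDBPassword}}` is interpolated raw into `sqlalchemy.url`, so a password containing `@`, `:` or `/` yields a URL that parses to the wrong credentials or host; render it URL-encoded (for example with Jinja2's `urlencode` filter, where the installed Jinja2 has it) or restrict the password alphabet. The second hunk has the same raw interpolation for `session.secret` and `authnsecret`, where a `"` in the value would end the quoted string early. Because the rendered tahrir.ini carries three secrets, the template task that installs it (not visible in this patch) should set an owner and mode that keep it readable only by the service account.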
+++ b/playbooks/groups/ask.yml @@ -33,6 +33,7 @@ - /srv/web/infra/ansible/roles/denyhosts - /srv/web/infra/ansible/roles/nagios_client - /srv/web/infra/ansible/roles/fas_client + - /srv/web/infra/ansible/roles/fedmsg_base - /srv/web/infra/ansible/roles/ask tasks: diff --git a/roles/ask/tasks/main.yml b/roles/ask/tasks/main.yml index bc22356dfc..a4fe91e388 100644 --- a/roles/ask/tasks/main.yml +++ b/roles/ask/tasks/main.yml @@ -16,6 +16,7 @@ - python-django-post_office - python-django-compressor - django-authopenid + - django-celery tags: - packages diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 90b2df4780..a2e51556c3 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -116,6 +116,9 @@ MIDDLEWARE_CLASSES = ( 'django.contrib.auth.middleware.AuthenticationMiddleware', #'django.middleware.sqlprint.SqlPrintingMiddleware', + # Enable outgoing fedmsg messages + 'askbot_fedmsg.NOOPMiddleware', + #below is askbot stuff for this tuple 'askbot.middleware.anon_user.ConnectToSessionMessagesMiddleware', 'askbot.middleware.forum_mode.ForumModeMiddleware', @@ -184,12 +187,13 @@ INSTALLED_APPS = ( 'keyedcache', 'robots', 'django_countries', - #'djcelery', + 'djcelery', 'djkombu', 'followit', 'tinymce', 'group_messaging', #'avatar',#experimental use git clone git://github.com/ericflo/django-avatar.git$ + 'post_office', ) From 805310c8f3bcb358bd5d82a02652dd44d33784ce Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 16 Jan 2014 22:21:09 +0000 Subject: [PATCH 008/271] Add fedmsg certs for ask01.stg --- inventory/group_vars/ask-stg | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/inventory/group_vars/ask-stg b/inventory/group_vars/ask-stg index 1ea6ee9fc5..17ef0f245d 100644 --- a/inventory/group_vars/ask-stg +++ b/inventory/group_vars/ask-stg 
@@ -7,3 +7,12 @@ num_cpus: 2 tcp_ports: [ 443 ] fas_client_groups: sysadmin-noc,sysadmin-ask,fi-apprentice + +# These are consumed by a task in roles/fedmsg_base/main.yml +fedmsg_certs: +- service: shell + owner: root + group: sysadmin +- service: askbot + owner: root + group: fedmsg From 1f0ee849973f78a56b7eb971e8ac77d2a38e90a2 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 16 Jan 2014 22:24:11 +0000 Subject: [PATCH 009/271] apache group on the askbot cert --- inventory/group_vars/ask-stg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/ask-stg b/inventory/group_vars/ask-stg index 17ef0f245d..d9b898de11 100644 --- a/inventory/group_vars/ask-stg +++ b/inventory/group_vars/ask-stg @@ -15,4 +15,4 @@ fedmsg_certs: group: sysadmin - service: askbot owner: root - group: fedmsg + group: apache From 17f003db5b3de1314f0bce04baf3692866550a57 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Jan 2014 04:43:49 +0000 Subject: [PATCH 010/271] Drop user data here too. --- tasks/transient_cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/transient_cloud.yml b/tasks/transient_cloud.yml index d939abed96..77b4d3203f 100644 --- a/tasks/transient_cloud.yml +++ b/tasks/transient_cloud.yml @@ -1,6 +1,6 @@ --- - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data={{ ec2_userdata }} + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} register: inst_res - name: add it to the special group From b2e8e6020ab5835ee34fc9cf5ce1600914ac5b0d Mon Sep 17 00:00:00 2001 
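Review bot: Changing the `askbot` entry to `group: apache` (patch 009) makes that fedmsg certificate accessible to every process running in the apache group, so any other web application on the host could presumably use it to sign messages as askbot; the consuming task in roles/fedmsg_base is not shown, so the exact file mode cannot be confirmed here. If ask01.stg serves only askbot under httpd this is a reasonable trade-off, but it should be stated next to the entry, e.g. `# group apache: askbot runs under httpd and must read its own signing cert`. A dedicated group shared only by the askbot WSGI process would narrow the exposure if other applications are ever added to this host.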
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 11:00:58 +0000 Subject: [PATCH 011/271] Use the mailman role for lists-dev --- files/lists-dev/aliases | 96 --- files/lists-dev/hyperkitty.apache.conf | 27 - files/lists-dev/hyperkitty.cfg | 3 - files/lists-dev/hyperkitty.logrotate.conf | 10 - .../lists-dev/hyperkitty.settings_local.py.j2 | 96 --- files/lists-dev/hyperkitty.urls.py | 37 - files/lists-dev/index.html | 8 - files/lists-dev/mailman.cfg.j2 | 25 - files/lists-dev/pgpass.j2 | 7 +- files/lists-dev/postorius.apache.conf | 26 - files/lists-dev/postorius.initial-user.json | 20 - .../lists-dev/postorius.settings_local.py.j2 | 34 - files/lists-dev/postorius.urls.py | 38 - .../lists-dev.cloud.fedoraproject.org.yml | 202 ++--- roles/mailman/files/postfix-main.cf | 694 ------------------ roles/mailman/tasks/main.yml | 7 +- .../templates/hyperkitty.cronjob.sh.j2 | 3 - roles/mailman/templates/mailman.cfg.j2 | 2 +- .../mailman/templates}/postfix-main.cf.j2 | 10 +- roles/mailman/vars/main.yml | 1 + 20 files changed, 70 insertions(+), 1276 deletions(-) delete mode 100644 files/lists-dev/aliases delete mode 100644 files/lists-dev/hyperkitty.apache.conf delete mode 100644 files/lists-dev/hyperkitty.cfg delete mode 100644 files/lists-dev/hyperkitty.logrotate.conf delete mode 100644 files/lists-dev/hyperkitty.settings_local.py.j2 delete mode 100644 files/lists-dev/hyperkitty.urls.py delete mode 100644 files/lists-dev/index.html delete mode 100644 files/lists-dev/mailman.cfg.j2 delete mode 100644 files/lists-dev/postorius.apache.conf delete mode 100644 files/lists-dev/postorius.initial-user.json delete mode 100644 files/lists-dev/postorius.settings_local.py.j2 delete mode 100755 files/lists-dev/postorius.urls.py delete mode 100644 roles/mailman/files/postfix-main.cf delete mode 100644 roles/mailman/templates/hyperkitty.cronjob.sh.j2 rename {files/lists-dev => roles/mailman/templates}/postfix-main.cf.j2 (99%) 
diff --git a/files/lists-dev/aliases b/files/lists-dev/aliases deleted file mode 100644 index eb6d0bf61d..0000000000 --- a/files/lists-dev/aliases +++ /dev/null @@ -1,96 +0,0 @@ -# -# Aliases in this file will NOT be expanded in the header from -# Mail, but WILL be visible over networks or from /bin/mail. -# -# >>>>>>>>>> The program "newaliases" must be run after -# >> NOTE >> this file is updated for any changes to -# >>>>>>>>>> show through to sendmail. -# - -# Basic system aliases -- these MUST be present. -mailer-daemon: postmaster -postmaster: root - -# General redirections for pseudo accounts. -bin: root -daemon: root -adm: root -lp: root -sync: root -shutdown: root -halt: root -mail: root -news: root -uucp: root -operator: root -games: root -gopher: root -ftp: root -nobody: root -radiusd: root -nut: root -dbus: root -vcsa: root -canna: root -wnn: root -rpm: root -nscd: root -pcap: root -apache: root -webalizer: root -dovecot: root -fax: root -quagga: root -radvd: root -pvm: root -amandabackup: root -privoxy: root -ident: root -named: root -xfs: root -gdm: root -mailnull: root -postgres: root -sshd: root -smmsp: root -postfix: root -netdump: root -ldap: root -squid: root -ntp: root -mysql: root -desktop: root -rpcuser: root -rpc: root -nfsnobody: root - -ingres: root -system: root -toor: root -manager: root -dumper: root -abuse: root - -newsadm: news -newsadmin: news -usenet: news -ftpadm: ftp -ftpadmin: ftp -ftp-adm: ftp -ftp-admin: ftp -www: webmaster -webmaster: root -noc: root -security: root -hostmaster: root -info: postmaster -marketing: postmaster -sales: postmaster -support: postmaster - - -# trap decode to catch security attacks -decode: root - -# Person who should get root's mail -root: abompard@fedoraproject.org diff --git a/files/lists-dev/hyperkitty.apache.conf b/files/lists-dev/hyperkitty.apache.conf deleted file mode 100644 index 5773918fbf..0000000000 --- a/files/lists-dev/hyperkitty.apache.conf +++ /dev/null 
@@ -1,27 +0,0 @@ -#Alias /robots.txt /etc/hyperkitty/sites/default/static/robots.txt -#Alias /favicon.ico /etc/hyperkitty/sites/default/static/favicon.ico -Alias /hyperkitty/static /var/lib/hyperkitty/sites/default/static - -#ErrorLog /var/log/httpd/hyperkitty_error.log -#CustomLog /var/log/httpd/hyperkitty_access.log combined - -WSGIScriptAlias /hyperkitty /etc/hyperkitty/sites/default/wsgi.py -WSGIDaemonProcess hyperkitty threads=25 python-path=/etc/hyperkitty/sites/default -# If using VirtualEnv -#WSGIDaemonProcess hyperkitty threads=25 python-path=/etc/hyperkitty/sites/default:/path/to/your/venv/lib/python2.X/site-packages -WSGISocketPrefix run/wsgi - - - - Order deny,allow - Allow from all - Require all granted - - WSGIProcessGroup hyperkitty - - - - Order deny,allow - Allow from all - Require all granted - diff --git a/files/lists-dev/hyperkitty.cfg b/files/lists-dev/hyperkitty.cfg deleted file mode 100644 index fa4fa16507..0000000000 --- a/files/lists-dev/hyperkitty.cfg +++ /dev/null @@ -1,3 +0,0 @@ -[general] -base_url: http://lists-dev.cloud.fedoraproject.org/ -django_settings: /etc/hyperkitty/sites/default/settings.py diff --git a/files/lists-dev/hyperkitty.logrotate.conf b/files/lists-dev/hyperkitty.logrotate.conf deleted file mode 100644 index 3e5b70f0ae..0000000000 --- a/files/lists-dev/hyperkitty.logrotate.conf +++ /dev/null @@ -1,10 +0,0 @@ -/var/log/hyperkitty/*.log { - missingok - notifempty - sharedscripts - delaycompress - su root apache - postrotate - /sbin/service httpd reload > /dev/null 2>/dev/null || true - endscript -} diff --git a/files/lists-dev/hyperkitty.settings_local.py.j2 b/files/lists-dev/hyperkitty.settings_local.py.j2 deleted file mode 100644 index ccd5565aad..0000000000 --- a/files/lists-dev/hyperkitty.settings_local.py.j2 +++ /dev/null 
@@ -1,96 +0,0 @@ -#-*- coding: utf-8 -*- - -""" -Django local settings for the hyperkitty project. -""" - -DEBUG = True -TEMPLATE_DEBUG = DEBUG - -ADMINS = () -DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql_psycopg2', - 'NAME': 'hyperkitty', - 'USER': 'hyperkitty', - 'PASSWORD': '{{ lists_dev_hk_db_pass }}', - 'HOST': 'localhost', - 'PORT': '', - } -} -# URL prefix for static files. -# Example: "http://media.lawrence.com/static/" -STATIC_URL = '/hyperkitty/static/' - -# Add Fedora to the authentication backends -AUTHENTICATION_BACKENDS = ( - 'social_auth.backends.browserid.BrowserIDBackend', - 'hyperkitty.lib.fedora.FedoraBackend', - 'social_auth.backends.google.GoogleBackend', - 'social_auth.backends.yahoo.YahooBackend', - #'social_auth.backends.OpenIDBackend', - 'django.contrib.auth.backends.ModelBackend', -) - -# Use the email address as the username (add associate_by_email). -SOCIAL_AUTH_PIPELINE = ( - 'social_auth.backends.pipeline.social.social_auth_user', - 'social_auth.backends.pipeline.associate.associate_by_email', - 'social_auth.backends.pipeline.user.get_username', - 'social_auth.backends.pipeline.user.create_user', - 'social_auth.backends.pipeline.social.associate_user', - 'social_auth.backends.pipeline.social.load_extra_data', - 'social_auth.backends.pipeline.user.update_user_details' -) - -# A sample logging configuration. The only tangible logging -# performed by this configuration is to send an email to -# the site admins on every HTTP 500 error. -# See http://docs.djangoproject.com/en/dev/topics/logging for -# more details on how to customize your logging configuration. 
-LOGGING = { - 'version': 1, - 'disable_existing_loggers': False, - 'handlers': { - 'mail_admins': { - 'level': 'ERROR', - 'class': 'django.utils.log.AdminEmailHandler' - }, - 'file':{ - 'level': 'DEBUG', - #'class': 'logging.handlers.RotatingFileHandler', - 'class': 'logging.FileHandler', - 'filename': '/var/log/hyperkitty/hyperkitty.log', - 'formatter': 'verbose', - }, - }, - 'loggers': { - 'django.request': { - 'handlers': ['file'], - 'level': 'ERROR', - 'propagate': True, - }, - 'django': { - 'handlers': ['file'], - 'level': 'ERROR', - 'propagate': True, - }, - 'hyperkitty': { - 'handlers': ['file'], - 'level': 'DEBUG', - 'propagate': True, - }, - }, - 'formatters': { - 'verbose': { - 'format': '%(levelname)s %(asctime)s %(module)s %(process)d %(thread)d %(message)s' - }, - 'simple': { - 'format': '%(levelname)s %(message)s' - }, - }, -} - -APP_NAME = 'Fedora list archives' -KITTYSTORE_URL = 'postgres://kittystore:{{ lists_dev_ks_db_pass }}@localhost/kittystore' -USE_MOCKUPS = False diff --git a/files/lists-dev/hyperkitty.urls.py b/files/lists-dev/hyperkitty.urls.py deleted file mode 100644 index 194a4e6a1b..0000000000 --- a/files/lists-dev/hyperkitty.urls.py +++ /dev/null 
@@ -1,37 +0,0 @@ -# -*- coding: utf-8 -*- -# Copyright (C) 1998-2012 by the Free Software Foundation, Inc. -# -# This file is part of HyperKitty. -# -# HyperKitty is free software: you can redistribute it and/or modify it under -# the terms of the GNU General Public License as published by the Free -# Software Foundation, either version 3 of the License, or (at your option) -# any later version. -# -# HyperKitty is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along with -# HyperKitty. If not, see . - -import hyperkitty - -from django.conf.urls.defaults import * -from django.conf import settings - -# Uncomment the next two lines to enable the admin: -from django.contrib import admin -admin.autodiscover() - -# Import mailman urls and set urlpatterns if you want to hook -# mailman_django into an existing django site. -# Otherwise set ROOT_URLCONF in settings.py to -# `mailman_django.urls`. -# from mailman_django import urls as mailman_urls - -urlpatterns = patterns('', - url(r'^$', 'hyperkitty.views.pages.index'), - url(r'', include('hyperkitty.urls')), -) diff --git a/files/lists-dev/index.html b/files/lists-dev/index.html deleted file mode 100644 index d6c2fbc392..0000000000 --- a/files/lists-dev/index.html +++ /dev/null @@ -1,8 +0,0 @@ - - - - - diff --git a/files/lists-dev/mailman.cfg.j2 b/files/lists-dev/mailman.cfg.j2 deleted file mode 100644 index bb1b6baa45..0000000000 --- a/files/lists-dev/mailman.cfg.j2 +++ /dev/null 
@@ -1,25 +0,0 @@ -# This is the absolute bare minimum base configuration file. User supplied -# configurations are pushed onto this. - -[mailman] -site_owner: root@localhost - -# Set the paths to be Fedora-compliant -layout: fhs -[paths.fhs] -var_dir: /srv/persist/mailman -bin_dir: /usr/libexec/mailman -lock_dir: /run/lock/mailman -pid_file: /run/mailman/master.pid - -[database] -class: mailman.database.postgresql.PostgreSQLDatabase -url: postgres://mailman:{{ lists_dev_mm_db_pass }}@localhost/mailman - -[archiver.hyperkitty] -class: hyperkitty.archiver.Archiver -enable: yes -configuration: /etc/mailman.d/hyperkitty.cfg - -#[archiver.prototype] -#enable: yes diff --git a/files/lists-dev/pgpass.j2 b/files/lists-dev/pgpass.j2 index 6cf70839ac..b0b2297296 100644 --- a/files/lists-dev/pgpass.j2 +++ b/files/lists-dev/pgpass.j2 @@ -1,4 +1,3 @@ -*:*:mailman:mailman:{{ lists_dev_mm_db_pass }} -*:*:hyperkitty:hyperkitty:{{ lists_dev_hk_db_pass }} -*:*:kittystore:kittystore:{{ lists_dev_ks_db_pass }} -*:*:postorius:postorius:{{ lists_dev_ps_db_pass }} +*:*:mailman:mailmanadmin:{{ lists_dev_mm_db_pass }} +*:*:hyperkitty:hyperkittyadmin:{{ lists_dev_hk_db_pass }} +*:*:kittystore:kittystoreadmin:{{ lists_dev_ks_db_pass }} diff --git a/files/lists-dev/postorius.apache.conf b/files/lists-dev/postorius.apache.conf deleted file mode 100644 index aab8565174..0000000000 --- a/files/lists-dev/postorius.apache.conf +++ /dev/null 
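Review bot: The passwords in files/lists-dev/pgpass.j2 are written into the `.pgpass` lines unescaped, but libpq treats `:` as the field separator and `\` as the escape character, so a password containing either will silently fail to match; escape both characters in the template or keep them out of generated passwords. libpq also ignores the file when it is group- or world-readable, so the task that installs it (commented out in the playbook hunk later in this patch) should keep `mode=0600` when it is re-enabled. The new lines cover only the three `*admin` roles, and a leading comment saying the app roles are left out on purpose would prevent a later well-meant addition.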
@@ -1,26 +0,0 @@ -#Alias /robots.txt /var/lib/postorius/sites/default/static/robots.txt -#Alias /favicon.ico /var/lib/postorius/sites/default/static/favicon.ico -Alias /postorius/static /var/lib/postorius/sites/default/static - -#ErrorLog /var/log/httpd/postorius_error.log -#CustomLog /var/log/httpd/postorius_access.log combined - -WSGIScriptAlias /postorius /etc/postorius/sites/default/srv/postorius.wsgi -WSGIDaemonProcess postorius threads=25 python-path=/etc/postorius/sites/default -# If using VirtualEnv -#WSGIDaemonProcess postorius threads=25 python-path=/etc/postorius/sites/default:/path/to/your/venv/lib/python2.X/site-packages - - - - Order deny,allow - Allow from all - Require all granted - - WSGIProcessGroup postorius - - - - Order deny,allow - Allow from all - Require all granted - diff --git a/files/lists-dev/postorius.initial-user.json b/files/lists-dev/postorius.initial-user.json deleted file mode 100644 index 00ee53f972..0000000000 --- a/files/lists-dev/postorius.initial-user.json +++ /dev/null @@ -1,20 +0,0 @@ -[ - { - "fields": { - "date_joined": "2013-04-10T10:25:49.996", - "email": "root@lists-dev.cloud.fedoraproject.org", - "first_name": "List Admin", - "groups": [], - "is_active": true, - "is_staff": true, - "is_superuser": true, - "last_login": "2013-04-10T10:25:49.996", - "last_name": "", - "password": "pbkdf2_sha256$10000$uXnbYx0visOx$yux8mAZ2H/sjyCEYBvO3JEtJ7dmWfNMnvekQjePbue0=", - "user_permissions": [], - "username": "listadmin" - }, - "model": "auth.user", - "pk": 1 - } -] diff --git a/files/lists-dev/postorius.settings_local.py.j2 b/files/lists-dev/postorius.settings_local.py.j2 deleted file mode 100644 index 274a098945..0000000000 --- a/files/lists-dev/postorius.settings_local.py.j2 +++ /dev/null 
@@ -1,34 +0,0 @@ -#-*- coding: utf-8 -*- - -""" -Django local settings for the postorious project. -""" - - -DEBUG = True -TEMPLATE_DEBUG = DEBUG - -ADMINS = () -DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql_psycopg2', - 'NAME': 'postorius', - 'USER': 'postorius', - 'PASSWORD': '{{ lists_dev_ps_db_pass }}', - 'HOST': 'localhost', - 'PORT': '', - } -} - -# URL that handles the media served from STATIC_ROOT. Make sure to use a -STATIC_URL = '/postorius/static/' -# URL that handles the media served from MEDIA_ROOT. Make sure to use a -MEDIA_URL = '/postorius/media/' - -# URL prefix for admin media -- CSS, JavaScript and images. Make sure to use a -# trailing slash. -# Examples: "http://foo.com/media/", "/media/". -ADMIN_MEDIA_PREFIX = '/postorius/static/admin/' - -# Make this unique, and don't share it with anybody. -SECRET_KEY = '$!-7^wl#wiifjbh)5@f7ji%x!vp7s1vwt26hxvixq0u0' diff --git a/files/lists-dev/postorius.urls.py b/files/lists-dev/postorius.urls.py deleted file mode 100755 index 643bf33023..0000000000 --- a/files/lists-dev/postorius.urls.py +++ /dev/null 
@@ -1,38 +0,0 @@ -# -*- coding: utf-8 -*- -# Copyright (C) 1998-2012 by the Free Software Foundation, Inc. -# -# This file is part of Postorius. -# -# Postorius is free software: you can redistribute it and/or modify it under -# the terms of the GNU General Public License as published by the Free -# Software Foundation, either version 3 of the License, or (at your option) -# any later version. -# -# Postorius is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along with -# Postorius. If not, see . - -import postorius - -from django.conf.urls import * -from django.conf import settings - -# Uncomment the next two lines to enable the admin: -from django.contrib import admin -admin.autodiscover() - -# Import mailman urls and set urlpatterns if you want to hook -# mailman_django into an existing django site. -# Otherwise set ROOT_URLCONF in settings.py to -# `mailman_django.urls`. -# from mailman_django import urls as mailman_urls - -urlpatterns = patterns('', - url(r'^$', 'postorius.views.list_index'), - url(r'', include('postorius.urls')), - url(r'', include('social_auth.urls')), -) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 8b5744839a..846d2626c7 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml 
@@ -36,7 +36,7 @@ - name: mount up bind mount for postgres action: mount src=/srv/persist/pgsqldb name=/var/lib/pgsql fstype=auto opts=bind state=mounted - name: mount up bind mount for mailman - action: mount src=/srv/persist/mailman name=/var/lib/mailman fstype=auto opts=bind state=mounted + action: mount src=/srv/persist/mailman name=/var/lib/mailman3 fstype=auto opts=bind state=mounted - name: get the repo file get_url: url=http://repos.fedorapeople.org/repos/abompard/hyperkitty/fedora-hyperkitty.repo @@ -58,15 +58,26 @@ - httpd-tools - cronie-noanacron - - - name: remove packages - yum: state=removed name=sendmail - - name: install apache and mod_wsgi yum: name=mod_wsgi state=installed notify: - restart apache + - name: erase packages + action: yum state=absent name={{ item }} + with_items: + - sendmail + - cronie-anacron + + # open up ports (22, 80, 443, 25) + - name: poke holes in the firewall + command: lokkit {{ item }} + with_items: + - --service=ssh + - --service=https + - --service=http + - --service=smtp + # Database - name: initialize postgresql command: /usr/bin/postgresql-setup initdb @@ -78,21 +89,6 @@ - name: start postgresql service: state=started name=postgresql - # open up ports (22, 80, 443, 25) - - name: poke holes in the firewall - command: lokkit {{ item }} - with_items: - - --service=ssh - - --service=https - - --service=http - - --service=smtp - - # packages needed to be gone - - name: erase packages - action: yum state=absent name={{ item }} - with_items: - - cronie-anacron - handlers: - include: "{{ handlers }}/restart_services.yml" 
@@ -112,21 +108,23 @@ tasks: + # mailman auto-updates its schema, there can only be one admin user - name: mailman DB user - postgresql_user: name=mailman password={{ lists_dev_mm_db_pass }} + postgresql_user: name=mailmanadmin password={{ lists_dev_mm_db_pass }} + - name: hyperkitty DB admin user + postgresql_user: name=hyperkittyadmin password={{ lists_dev_hk_db_pass }} - name: hyperkitty DB user - postgresql_user: name=hyperkitty password={{ lists_dev_hk_db_pass }} + postgresql_user: name=hyperkittyapp password={{ lists_dev_hk_db_pass }} + - name: kittystore DB admin user + postgresql_user: name=kittystoreadmin password={{ lists_dev_ks_db_pass }} - name: kittystore DB user - postgresql_user: name=kittystore password={{ lists_dev_ks_db_pass }} - - name: postorius DB user - postgresql_user: name=postorius password={{ lists_dev_ps_db_pass }} + postgresql_user: name=kittystoreapp password={{ lists_dev_ks_db_pass }} - name: databases creation - postgresql_db: name={{ item }} owner={{ item }} encoding=UTF-8 + postgresql_db: name={{ item }} owner="{{ item }}admin" encoding=UTF-8 with_items: - mailman - hyperkitty - kittystore - - postorius - name: setup mailman and hyperkitty hosts: hyperkitty-stg 
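Review bot: `hyperkittyadmin` and `hyperkittyapp` are both created with `{{ lists_dev_hk_db_pass }}`, and `kittystoreadmin` and `kittystoreapp` both with `{{ lists_dev_ks_db_pass }}`, so the split into an owner role and an application role gives no isolation: the application credential also logs in as the database owner. Give the app roles their own secrets, e.g. `postgresql_user: name=hyperkittyapp password={{ HK_APP_DB_PASS_PLACEHOLDER }}` with a new variable in the private vars file. The `vars:` list in the following hunk (which runs past the end of this page) repeats the pairing for `mailman_hk_admin_db_pass`/`mailman_hk_db_pass`, and its values start with a bare `{{`, which YAML reads as a flow mapping; they need quoting, as in `- mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}"`.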
@@ -136,129 +134,47 @@ - "{{ private }}/vars.yml" - "{{ vars_path }}/{{ ansible_distribution }}.yml" vars: - - mailman_vardir: /srv/persist/mailman + # override roles variables + - mailman_dbserver: localhost + - mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org + - mailman_mm_db_pass: {{ lists_dev_mm_db_pass }} + - mailman_hk_admin_db_pass: {{ lists_dev_hk_db_pass }} + - mailman_hk_db_pass: {{ lists_dev_hk_db_pass }} + - mailman_ks_admin_db_pass: {{ lists_dev_ks_db_pass }} + - mailman_ks_db_pass: {{ lists_dev_ks_db_pass }} + + roles: + - /srv/web/infra/ansible/roles/mailman tasks: - # Initialize mailman (must be done after settings up the DBs) - - name: add mailman to the apache group - user: name=mailman groups=apache append=yes - notify: - - restart mailman + - name: install more needed packages + yum: pkg={{ item }} state=installed + with_items: + - tar + - mailman # transition from mailman2.1 + tags: + - packages - - name: set the mailman conffile - template: src="{{ files }}/lists-dev/mailman.cfg.j2" dest=/etc/mailman.cfg - notify: - - restart mailman + #- name: easy access to the postgresql databases + # template: src="{{ files }}/lists-dev/pgpass.j2" dest=/root/.pgpass + # owner=root group=root mode=0600 - - name: install kittystore and hyperkitty - yum: state=installed name={{ item }} - with_items: - - kittystore - - hyperkitty - - postorius - - # Logging - - name: hyperkitty logging -- directory - file: path=/var/log/hyperkitty state=directory - owner=root group=apache mode=2775 - - name: hyperkitty logging -- file creation - copy: content="" dest=/var/log/hyperkitty/hyperkitty.log - force=no - - name: hyperkitty logging -- file permissions - file: path=/var/log/hyperkitty/hyperkitty.log state=file - owner=root group=apache mode=664 - - name: hyperkitty logging -- rotation - copy: src="{{ files }}/lists-dev/hyperkitty.logrotate.conf" - dest=/etc/logrotate.d/hyperkitty - - # settings / conf - - name: install the hyperkitty/postorius settings 
file - template: src="{{ files }}/lists-dev/{{ item.settings_local.py.j2 }}" - dest="/etc/{{ item }}/sites/default/settings_local.py" - owner=root group=apache mode=0640 - with_items: - - hyperkitty - - postorius - notify: - - reload apache - - restart mailman - - - name: install the hyperkitty/postorius urls file - copy: src="files/lists-dev/{{ item }}.urls.py" - dest="/etc/{{ item }}/sites/default/urls.py" - owner=root group=root mode=0644 - with_items: - - hyperkitty - - postorius - notify: - - reload apache - - restart mailman - - - name: install the hyperkitty/postorius httpd conf file - copy: src="{{ files }}/lists-dev/{{ item }}.apache.conf" - dest="/etc/httpd/conf.d/{{ item }}.conf" - with_items: - - hyperkitty - - postorius - notify: - - reload apache - - - name: set the hyperkitty conffile in mailman - copy: src="{{ files }}/lists-dev/hyperkitty.cfg" dest=/etc/mailman.d/hyperkitty.cfg - notify: - - restart mailman - - - name: set the postfix conffile - template: src="{{ files }}/lists-dev/postfix-main.cf.j2" dest=/etc/postfix/main.cf - notify: - - restart postfix - - - name: set the mail aliases - copy: src="{{ files }}/lists-dev/aliases" dest=/etc/aliases - notify: - - reload aliases - - - name: easy access to the postgresql databases - template: src="{{ files }}/lists-dev/pgpass.j2" dest=/root/.pgpass - owner=root group=root mode=0600 + - name: send root mail to abompard + lineinfile: dest=/etc/aliases regexp="^root:" + line="root: abompard@fedoraproject.org" + notify: + - reload aliases - # Sync databases - # FIXME the db migrations should happen no matter when the pkgs are updated - # so really this should be run once - # and then stored in a yum-post-transaction-action on the system(s) - # so no matter when it is run the right thing happens - - - name: run django syncdb - command: /usr/bin/django-admin syncdb --pythonpath="/etc/{{ item }}/sites/default" --settings=settings - with_items: - - hyperkitty - - postorius - - name: run django migrate - 
command: /usr/bin/django-admin migrate --pythonpath=/etc/hyperkitty/sites/default --settings=settings hyperkitty - - name: kittystore schema update - command: /usr/bin/kittystore-updatedb -s postgres://kittystore:{{ lists_dev_ks_db_pass }}@localhost/kittystore - - - name: copy the initial user fixture - copy: src="{{ files }}/lists-dev/postorius.initial-user.json" - dest=/etc/postorius/sites/default/initial-user.json - owner=root group=apache mode=0640 - - - name: load the inital user - command: /usr/bin/django-admin loaddata --pythonpath=/etc/postorius/sites/default --settings=settings /etc/postorius/sites/default/initial-user.json - - - name: html index - copy: src="{{ files }}/lists-dev/index.html" dest=/var/www/html/index.html - - # Start services - - name: start services - service: state=started enabled=yes name={{ item }} - with_items: - - httpd - - postgresql - - mailman - - postfix + # Start services + - name: start services + service: state=started enabled=yes name={{ item }} + with_items: + - httpd + - postgresql + - mailman3 + - postfix handlers: diff --git a/roles/mailman/files/postfix-main.cf b/roles/mailman/files/postfix-main.cf deleted file mode 100644 index 2bce62707d..0000000000 --- a/roles/mailman/files/postfix-main.cf +++ /dev/null 
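Review bot: The five `*_db_pass` entries added under `vars:` begin their value with an unquoted `{{`, which YAML reads as a flow mapping rather than a Jinja expression, so the role would be handed a mapping (or the play would fail to load) instead of the secret. Quote each value, e.g. `- mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}"`. The play header that this `vars:` block belongs to is outside the hunk.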
@@ -1,694 +0,0 @@ -# "false" -# Global Postfix configuration file. This file lists only a subset -# of all parameters. For the syntax, and for a complete parameter -# list, see the postconf(5) manual page (command: "man 5 postconf"). -# -# For common configuration examples, see BASIC_CONFIGURATION_README -# and STANDARD_CONFIGURATION_README. To find these documents, use -# the command "postconf html_directory readme_directory", or go to -# http://www.postfix.org/. -# -# For best results, change no more than 2-3 parameters at a time, -# and test if Postfix still works after every change. - -# SOFT BOUNCE -# -# The soft_bounce parameter provides a limited safety net for -# testing. When soft_bounce is enabled, mail will remain queued that -# would otherwise bounce. This parameter disables locally-generated -# bounces, and prevents the SMTP server from rejecting mail permanently -# (by changing 5xx replies into 4xx replies). However, soft_bounce -# is no cure for address rewriting mistakes or mail routing mistakes. -# -#soft_bounce = no - -# LOCAL PATHNAME INFORMATION -# -# The queue_directory specifies the location of the Postfix queue. -# This is also the root directory of Postfix daemons that run chrooted. -# See the files in examples/chroot-setup for setting up Postfix chroot -# environments on different UNIX systems. -# -queue_directory = /var/spool/postfix - -# The command_directory parameter specifies the location of all -# postXXX commands. -# -command_directory = /usr/sbin - -# The daemon_directory parameter specifies the location of all Postfix -# daemon programs (i.e. programs listed in the master.cf file). This -# directory must be owned by root. -# -daemon_directory = /usr/libexec/postfix - -# QUEUE AND PROCESS OWNERSHIP -# -# The mail_owner parameter specifies the owner of the Postfix queue -# and of most Postfix daemon processes. 
Specify the name of a user -# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS -# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In -# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED -# USER. -# -mail_owner = postfix - -# The default_privs parameter specifies the default rights used by -# the local delivery agent for delivery to external file or command. -# These rights are used in the absence of a recipient user context. -# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. -# -#default_privs = nobody - -# INTERNET HOST AND DOMAIN NAMES -# -# The myhostname parameter specifies the internet hostname of this -# mail system. The default is to use the fully-qualified domain name -# from gethostname(). $myhostname is used as a default value for many -# other configuration parameters. -# -#myhostname = host.domain.tld -#myhostname = virtual.domain.tld - -# The mydomain parameter specifies the local internet domain name. -# The default is to use $myhostname minus the first component. -# $mydomain is used as a default value for many other configuration -# parameters. -# -#mydomain = domain.tld - -# SENDING MAIL -# -# The myorigin parameter specifies the domain that locally-posted -# mail appears to come from. The default is to append $myhostname, -# which is fine for small sites. If you run a domain with multiple -# machines, you should (1) change this to $mydomain and (2) set up -# a domain-wide alias database that aliases each user to -# user@that.users.mailhost. -# -# For the sake of consistency between sender and recipient addresses, -# myorigin also specifies the default domain name that is appended -# to recipient addresses that have no @domain part. -# -#myorigin = $myhostname -#myorigin = $mydomain - -mydomain = fedoraproject.org -myorigin = fedoraproject.org - -# RECEIVING MAIL - -# The inet_interfaces parameter specifies the network interface -# addresses that this mail system receives mail on. 
By default, -# the software claims all active interfaces on the machine. The -# parameter also controls delivery of mail to user@[ip.address]. -# -# See also the proxy_interfaces parameter, for network addresses that -# are forwarded to us via a proxy or network address translator. -# -# Note: you need to stop/start Postfix when this parameter changes. -# -#inet_interfaces = all -#inet_interfaces = $myhostname -#inet_interfaces = $myhostname, localhost -inet_interfaces = all - -# The proxy_interfaces parameter specifies the network interface -# addresses that this mail system receives mail on by way of a -# proxy or network address translation unit. This setting extends -# the address list specified with the inet_interfaces parameter. -# -# You must specify your proxy/NAT addresses when your system is a -# backup MX host for other domains, otherwise mail delivery loops -# will happen when the primary MX host is down. -# -#proxy_interfaces = -#proxy_interfaces = 1.2.3.4 - -# The mydestination parameter specifies the list of domains that this -# machine considers itself the final destination for. -# -# These domains are routed to the delivery agent specified with the -# local_transport parameter setting. By default, that is the UNIX -# compatible delivery agent that lookups all recipients in /etc/passwd -# and /etc/aliases or their equivalent. -# -# The default is $myhostname + localhost.$mydomain. On a mail domain -# gateway, you should also include $mydomain. -# -# Do not specify the names of virtual domains - those domains are -# specified elsewhere (see VIRTUAL_README). -# -# Do not specify the names of domains that this machine is backup MX -# host for. Specify those names via the relay_domains settings for -# the SMTP server, or use permit_mx_backup if you are lazy (see -# STANDARD_CONFIGURATION_README). 
-# -# The local machine is always the final destination for mail addressed -# to user@[the.net.work.address] of an interface that the mail system -# receives mail on (see the inet_interfaces parameter). -# -# Specify a list of host or domain names, /file/name or type:table -# patterns, separated by commas and/or whitespace. A /file/name -# pattern is replaced by its contents; a type:table is matched when -# a name matches a lookup key (the right-hand side is ignored). -# Continue long lines by starting the next line with whitespace. -# -# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". -# -mydestination = $myhostname, lists.fedoraproject.org, lists.stg.fedoraproject.org, - localhost.$mydomain, localhost -#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain -#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, -# mail.$mydomain, www.$mydomain, ftp.$mydomain - -# REJECTING MAIL FOR UNKNOWN LOCAL USERS -# -# The local_recipient_maps parameter specifies optional lookup tables -# with all names or addresses of users that are local with respect -# to $mydestination, $inet_interfaces or $proxy_interfaces. -# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown local users. This parameter is defined by default. -# -# To turn off local recipient checking in the SMTP server, specify -# local_recipient_maps = (i.e. empty). -# -# The default setting assumes that you use the default Postfix local -# delivery agent for local delivery. You need to update the -# local_recipient_maps setting if: -# -# - You define $mydestination domain recipients in files other than -# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. -# For example, you define $mydestination domain recipients in -# the $virtual_mailbox_maps files. -# -# - You redefine the local delivery agent in master.cf. -# -# - You redefine the "local_transport" setting in main.cf. 
-# -# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" -# feature of the Postfix local delivery agent (see local(8)). -# -# Details are described in the LOCAL_RECIPIENT_README file. -# -# Beware: if the Postfix SMTP server runs chrooted, you probably have -# to access the passwd file via the proxymap service, in order to -# overcome chroot restrictions. The alternative, having a copy of -# the system passwd file in the chroot jail is just not practical. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify a bare username, an @domain.tld -# wild-card, or specify a user@domain.tld address. -# -#local_recipient_maps = unix:passwd.byname $alias_maps -#local_recipient_maps = proxy:unix:passwd.byname $alias_maps -#local_recipient_maps = - -# The unknown_local_recipient_reject_code specifies the SMTP server -# response code when a recipient domain matches $mydestination or -# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty -# and the recipient address or address local-part is not found. -# -# The default setting is 550 (reject mail) but it is safer to start -# with 450 (try again later) until you are certain that your -# local_recipient_maps settings are OK. -# -unknown_local_recipient_reject_code = 550 - -# TRUST AND RELAY CONTROL - -# The mynetworks parameter specifies the list of "trusted" SMTP -# clients that have more privileges than "strangers". -# -# In particular, "trusted" SMTP clients are allowed to relay mail -# through Postfix. See the smtpd_recipient_restrictions parameter -# in postconf(5). -# -# You can specify the list of "trusted" network addresses by hand -# or you can let Postfix do it for you (which is the default). -# -# By default (mynetworks_style = subnet), Postfix "trusts" SMTP -# clients in the same IP subnetworks as the local machine. -# On Linux, this does works correctly only with interfaces specified -# with the "ifconfig" command. 
-# -# Specify "mynetworks_style = class" when Postfix should "trust" SMTP -# clients in the same IP class A/B/C networks as the local machine. -# Don't do this with a dialup site - it would cause Postfix to "trust" -# your entire provider's network. Instead, specify an explicit -# mynetworks list by hand, as described below. -# -# Specify "mynetworks_style = host" when Postfix should "trust" -# only the local machine. -# -#mynetworks_style = class -#mynetworks_style = subnet -#mynetworks_style = host - -# Alternatively, you can specify the mynetworks list by hand, in -# which case Postfix ignores the mynetworks_style setting. -# -# Specify an explicit list of network/netmask patterns, where the -# mask specifies the number of bits in the network part of a host -# address. -# -# You can also specify the absolute pathname of a pattern file instead -# of listing the patterns here. Specify type:table for table-based lookups -# (the value on the table right-hand side is not used). -# -#mynetworks = 168.100.189.0/28, 127.0.0.0/8 -#mynetworks = $config_directory/mynetworks -#mynetworks = hash:/etc/postfix/network_table - - -# The relay_domains parameter restricts what destinations this system will -# relay mail to. See the smtpd_recipient_restrictions description in -# postconf(5) for detailed information. -# -# By default, Postfix relays mail -# - from "trusted" clients (IP address matches $mynetworks) to any destination, -# - from "untrusted" clients to destinations that match $relay_domains or -# subdomains thereof, except addresses with sender-specified routing. -# The default relay_domains value is $mydestination. -# -# In addition to the above, the Postfix SMTP server by default accepts mail -# that Postfix is final destination for: -# - destinations that match $inet_interfaces or $proxy_interfaces, -# - destinations that match $mydestination -# - destinations that match $virtual_alias_domains, -# - destinations that match $virtual_mailbox_domains. 
-# These destinations do not need to be listed in $relay_domains. -# -# Specify a list of hosts or domains, /file/name patterns or type:name -# lookup tables, separated by commas and/or whitespace. Continue -# long lines by starting the next line with whitespace. A file name -# is replaced by its contents; a type:name table is matched when a -# (parent) domain appears as lookup key. -# -# NOTE: Postfix will not automatically forward mail for domains that -# list this system as their primary or backup MX host. See the -# permit_mx_backup restriction description in postconf(5). -# -#relay_domains = $mydestination - - - -# INTERNET OR INTRANET - -# The relayhost parameter specifies the default host to send mail to -# when no entry is matched in the optional transport(5) table. When -# no relayhost is given, mail is routed directly to the destination. -# -# On an intranet, specify the organizational domain name. If your -# internal DNS uses no MX records, specify the name of the intranet -# gateway host instead. -# -# In the case of SMTP, specify a domain, host, host:port, [host]:port, -# [address] or [address]:port; the form [host] turns off MX lookups. -# -# If you're connected via UUCP, see also the default_transport parameter. -# -#relayhost = $mydomain -#relayhost = [gateway.my.domain] -#relayhost = [mailserver.isp.tld] -#relayhost = uucphost -#relayhost = [an.ip.add.ress] -relayhost = bastion - - -# REJECTING UNKNOWN RELAY USERS -# -# The relay_recipient_maps parameter specifies optional lookup tables -# with all addresses in the domains that match $relay_domains. -# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown relay users. This feature is off by default. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify an @domain.tld wild-card, or specify -# a user@domain.tld address. 
-# -#relay_recipient_maps = hash:/etc/postfix/relay_recipients - -# INPUT RATE CONTROL -# -# The in_flow_delay configuration parameter implements mail input -# flow control. This feature is turned on by default, although it -# still needs further development (it's disabled on SCO UNIX due -# to an SCO bug). -# -# A Postfix process will pause for $in_flow_delay seconds before -# accepting a new message, when the message arrival rate exceeds the -# message delivery rate. With the default 100 SMTP server process -# limit, this limits the mail inflow to 100 messages a second more -# than the number of messages delivered per second. -# -# Specify 0 to disable the feature. Valid delays are 0..10. -# -#in_flow_delay = 1s - -# ADDRESS REWRITING -# -# The ADDRESS_REWRITING_README document gives information about -# address masquerading or other forms of address rewriting including -# username->Firstname.Lastname mapping. - -masquerade_domains = redhat.com -masquerade_exceptions = root apache - -# ADDRESS REDIRECTION (VIRTUAL DOMAIN) -# -# The VIRTUAL_README document gives information about the many forms -# of domain hosting that Postfix supports. - -# "USER HAS MOVED" BOUNCE MESSAGES -# -# See the discussion in the ADDRESS_REWRITING_README document. - -# TRANSPORT MAP -# -# See the discussion in the ADDRESS_REWRITING_README document. - -# ALIAS DATABASE -# -# The alias_maps parameter specifies the list of alias databases used -# by the local delivery agent. The default list is system dependent. -# -# On systems with NIS, the default is to search the local alias -# database, then the NIS alias database. See aliases(5) for syntax -# details. -# -# If you change the alias database, run "postalias /etc/aliases" (or -# wherever your system stores the mail alias file), or simply run -# "newaliases" to build the necessary DBM or DB file. -# -# It will take a minute or so before changes become visible. Use -# "postfix reload" to eliminate the delay. 
-# -#alias_maps = dbm:/etc/aliases -alias_maps = hash:/etc/aliases -#alias_maps = hash:/etc/aliases, nis:mail.aliases -#alias_maps = netinfo:/aliases - -# The alias_database parameter specifies the alias database(s) that -# are built with "newaliases" or "sendmail -bi". This is a separate -# configuration parameter, because alias_maps (see above) may specify -# tables that are not necessarily all under control by Postfix. -# -#alias_database = dbm:/etc/aliases -#alias_database = dbm:/etc/mail/aliases -alias_database = hash:/etc/aliases -#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases - -# ADDRESS EXTENSIONS (e.g., user+foo) -# -# The recipient_delimiter parameter specifies the separator between -# user names and address extensions (user+foo). See canonical(5), -# local(8), relocated(5) and virtual(5) for the effects this has on -# aliases, canonical, virtual, relocated and .forward file lookups. -# Basically, the software tries user+foo and .forward+foo before -# trying user and .forward. -# -recipient_delimiter = + - -# DELIVERY TO MAILBOX -# -# The home_mailbox parameter specifies the optional pathname of a -# mailbox file relative to a user's home directory. The default -# mailbox file is /var/spool/mail/user or /var/mail/user. Specify -# "Maildir/" for qmail-style delivery (the / is required). -# -#home_mailbox = Mailbox -#home_mailbox = Maildir/ - -# The mail_spool_directory parameter specifies the directory where -# UNIX-style mailboxes are kept. The default setting depends on the -# system type. -# -#mail_spool_directory = /var/mail -#mail_spool_directory = /var/spool/mail - -# The mailbox_command parameter specifies the optional external -# command to use instead of mailbox delivery. The command is run as -# the recipient with proper HOME, SHELL and LOGNAME environment settings. -# Exception: delivery for root is done as $default_user. 
-# -# Other environment variables of interest: USER (recipient username), -# EXTENSION (address extension), DOMAIN (domain part of address), -# and LOCAL (the address localpart). -# -# Unlike other Postfix configuration parameters, the mailbox_command -# parameter is not subjected to $parameter substitutions. This is to -# make it easier to specify shell syntax (see example below). -# -# Avoid shell meta characters because they will force Postfix to run -# an expensive shell process. Procmail alone is expensive enough. -# -# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN -# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. -# -#mailbox_command = /usr/bin/procmail -#mailbox_command = /some/where/procmail -a "$EXTENSION" - -# The mailbox_transport specifies the optional transport in master.cf -# to use after processing aliases and .forward files. This parameter -# has precedence over the mailbox_command, fallback_transport and -# luser_relay parameters. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp - -# If using the cyrus-imapd IMAP server deliver local mail to the IMAP -# server using LMTP (Local Mail Transport Protocol), this is prefered -# over the older cyrus deliver program by setting the -# mailbox_transport as below: -# -# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp -# -# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via -# these settings. 
-# -# local_destination_recipient_limit = 300 -# local_destination_concurrency_limit = 5 -# -# Of course you should adjust these settings as appropriate for the -# capacity of the hardware you are using. The recipient limit setting -# can be used to take advantage of the single instance message store -# capability of Cyrus. The concurrency limit can be used to control -# how many simultaneous LMTP sessions will be permitted to the Cyrus -# message store. -# -# To use the old cyrus deliver program you have to set: -#mailbox_transport = cyrus - -# The fallback_transport specifies the optional transport in master.cf -# to use for recipients that are not found in the UNIX passwd database. -# This parameter has precedence over the luser_relay parameter. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp -#fallback_transport = - -#transport_maps = hash:/etc/postfix/transport -# The luser_relay parameter specifies an optional destination address -# for unknown recipients. By default, mail for unknown@$mydestination, -# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned -# as undeliverable. -# -# The following expansions are done on luser_relay: $user (recipient -# username), $shell (recipient shell), $home (recipient home directory), -# $recipient (full recipient address), $extension (recipient address -# extension), $domain (recipient domain), $local (entire recipient -# localpart), $recipient_delimiter. 
Specify ${name?value} or -# ${name:value} to expand value only when $name does (does not) exist. -# -# luser_relay works only for the default Postfix local delivery agent. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must specify "local_recipient_maps =" (i.e. empty) in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#luser_relay = $user@other.host -#luser_relay = $local@other.host -#luser_relay = admin+$local - -# JUNK MAIL CONTROLS -# -# The controls listed here are only a very small subset. The file -# SMTPD_ACCESS_README provides an overview. - -# The header_checks parameter specifies an optional table with patterns -# that each logical message header is matched against, including -# headers that span multiple physical lines. -# -# By default, these patterns also apply to MIME headers and to the -# headers of attached messages. With older Postfix versions, MIME and -# attached message headers were treated as body text. -# -# For details, see "man header_checks". -# -header_checks = regexp:/etc/postfix/header_checks - -# FAST ETRN SERVICE -# -# Postfix maintains per-destination logfiles with information about -# deferred mail, so that mail can be flushed quickly with the SMTP -# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". -# See the ETRN_README document for a detailed description. -# -# The fast_flush_domains parameter controls what destinations are -# eligible for this service. By default, they are all domains that -# this server is willing to relay mail to. -# -#fast_flush_domains = $relay_domains - -# SHOW SOFTWARE VERSION OR NOT -# -# The smtpd_banner parameter specifies the text that follows the 220 -# code in the SMTP server's greeting banner. Some people like to see -# the mail version advertised. By default, Postfix shows no version. -# -# You MUST specify $myhostname at the start of the text. 
That is an -# RFC requirement. Postfix itself does not care. -# -#smtpd_banner = $myhostname ESMTP $mail_name -#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) - -# PARALLEL DELIVERY TO THE SAME DESTINATION -# -# How many parallel deliveries to the same user or domain? With local -# delivery, it does not make sense to do massively parallel delivery -# to the same user, because mailbox updates must happen sequentially, -# and expensive pipelines in .forward files can cause disasters when -# too many are run at the same time. With SMTP deliveries, 10 -# simultaneous connections to the same domain could be sufficient to -# raise eyebrows. -# -# Each message delivery transport has its XXX_destination_concurrency_limit -# parameter. The default is $default_destination_concurrency_limit for -# most delivery transports. For the local delivery agent the default is 2. - -#local_destination_concurrency_limit = 2 -#default_destination_concurrency_limit = 20 - -# DEBUGGING CONTROL -# -# The debug_peer_level parameter specifies the increment in verbose -# logging level when an SMTP client or server host name or address -# matches a pattern in the debug_peer_list parameter. -# -debug_peer_level = 2 - -# The debug_peer_list parameter specifies an optional list of domain -# or network patterns, /file/name patterns or type:name tables. When -# an SMTP client or server host name or address matches a pattern, -# increase the verbose logging level by the amount specified in the -# debug_peer_level parameter. -# -#debug_peer_list = 127.0.0.1 -#debug_peer_list = some.domain - -# The debugger_command specifies the external command that is executed -# when a Postfix daemon program is run with the -D option. -# -# Use "command .. & sleep 5" so that the debugger can attach before -# the process marches on. If you use an X-based debugger, be sure to -# set up your XAUTHORITY environment variable before starting Postfix. 
-# -debugger_command = - PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin - xxgdb $daemon_directory/$process_name $process_id & sleep 5 - -# If you can't use X, use this to capture the call stack when a -# daemon crashes. The result is in a file in the configuration -# directory, and is named after the process name and the process ID. -# -# debugger_command = -# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; -# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 -# >$config_directory/$process_name.$process_id.log & sleep 5 -# -# Another possibility is to run gdb under a detached screen session. -# To attach to the screen sesssion, su root and run "screen -r -# " where uniquely matches one of the detached -# sessions (from "screen -list"). -# -# debugger_command = -# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen -# -dmS $process_name gdb $daemon_directory/$process_name -# $process_id & sleep 1 - -# INSTALL-TIME CONFIGURATION INFORMATION -# -# The following parameters are used when installing a new Postfix version. -# -# sendmail_path: The full pathname of the Postfix sendmail command. -# This is the Sendmail-compatible mail posting interface. -# -sendmail_path = /usr/sbin/sendmail.postfix - -# newaliases_path: The full pathname of the Postfix newaliases command. -# This is the Sendmail-compatible command to build alias databases. -# -newaliases_path = /usr/bin/newaliases.postfix - -# mailq_path: The full pathname of the Postfix mailq command. This -# is the Sendmail-compatible mail queue listing command. -# -mailq_path = /usr/bin/mailq.postfix - -# setgid_group: The group for mail submission and queue management -# commands. This must be a group name with a numerical group ID that -# is not shared with other accounts, not even with the Postfix account. -# -setgid_group = postdrop - -# html_directory: The location of the Postfix HTML documentation. 
-# -html_directory = no - -# manpage_directory: The location of the Postfix on-line manual pages. -# -manpage_directory = /usr/share/man - -# sample_directory: The location of the Postfix sample configuration files. -# This parameter is obsolete as of Postfix 2.1. -# -sample_directory = /usr/share/doc/postfix-2.4.5/samples - -# readme_directory: The location of the Postfix README files. -# -readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES - -# add this to new postfix to get it to add proper message-id and other -# headers to outgoing emails via the gateway. - - -message_size_limit = 20971520 - - -# Mailman, see MTA.rst -owner_request_special = no -transport_maps = hash:/var/lib/mailman3/data/postfix_lmtp -local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp -relay_domains = hash:/var/lib/mailman3/data/postfix_domains diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml index fa02c48af6..780515bfb6 100644 --- a/roles/mailman/tasks/main.yml +++ b/roles/mailman/tasks/main.yml @@ -158,11 +158,6 @@ file: path="{{ mailman_webui_basedir }}/static" state=directory owner=root group=root mode=0755 -- name: install the kittystore cache cronjob - template: src=hyperkitty.cronjob.sh.j2 - dest=/etc/cron.daily/hyperkitty - owner=root group=root mode=0755 - # # Plug HyperKitty into Mailman # @@ -225,7 +220,7 @@ # Postfix - name: set the postfix conffile - copy: src=postfix-main.cf dest=/etc/postfix/main.cf + template: src=postfix-main.cf.j2 dest=/etc/postfix/main.cf notify: - restart postfix diff --git a/roles/mailman/templates/hyperkitty.cronjob.sh.j2 b/roles/mailman/templates/hyperkitty.cronjob.sh.j2 deleted file mode 100644 index 18933a5960..0000000000 --- a/roles/mailman/templates/hyperkitty.cronjob.sh.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -kittystore-refresh-cache --pythonpath {{ mailman_webui_confdir }} --settings settings_admin 
diff --git a/roles/mailman/templates/mailman.cfg.j2 b/roles/mailman/templates/mailman.cfg.j2 index 3937dd3712..4130dff087 100644 --- a/roles/mailman/templates/mailman.cfg.j2 +++ b/roles/mailman/templates/mailman.cfg.j2 @@ -21,7 +21,7 @@ pid_file: /run/mailman3/master.pid [database] class: mailman.database.postgresql.PostgreSQLDatabase -url: postgres://mailmanadmin:{{ mailman_mm_db_pass }}@db02.stg.phx2.fedoraproject.org/mailman +url: postgres://mailmanadmin:{{ mailman_mm_db_pass }}@{{ mailman_dbserver }}/mailman [archiver.hyperkitty] class: hyperkitty.archiver.Archiver diff --git a/files/lists-dev/postfix-main.cf.j2 b/roles/mailman/templates/postfix-main.cf.j2 similarity index 99% rename from files/lists-dev/postfix-main.cf.j2 rename to roles/mailman/templates/postfix-main.cf.j2 index 06d5afb384..9d0c830dd9 100644 --- a/files/lists-dev/postfix-main.cf.j2 +++ b/roles/mailman/templates/postfix-main.cf.j2 @@ -156,7 +156,7 @@ inet_interfaces = all # # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". # -mydestination = $myhostname, lists-dev.cloud.fedoraproject.org, +mydestination = $myhostname, {{ mailman_postfix_mydestination }}, localhost.$mydomain, localhost #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, @@ -314,7 +314,7 @@ unknown_local_recipient_reject_code = 550 #relayhost = [mailserver.isp.tld] #relayhost = uucphost #relayhost = [an.ip.add.ress] -relayhost = +relayhost = bastion # REJECTING UNKNOWN RELAY USERS 
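Review bot: `mailman_mm_db_pass` is rendered into the `url:` line of `[database]` as-is, so a password containing `@`, `:`, `/` or `%` changes how the URL is split into user, host and database. Either constrain the generated password to URL-safe characters and record that in a comment next to the variable, or percent-encode it where it is rendered. Now that the host comes from `mailman_dbserver`, whose role default is a separate database server, the credential also crosses the network; whether TLS is required on that connection is not visible here and is worth confirming. The rendered file holds the secret, so the task that installs it (outside this hunk) should set an owner and mode that keep it unreadable to other local users.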
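Review bot: `relayhost = bastion` is now hard-coded in a template shared by every host that applies the role, whereas the lists-dev copy it was renamed from had an empty `relayhost`. The bare short name depends on each host's resolver search path, and without brackets Postfix does an MX lookup on it, as the stock comment for this parameter notes (`[host]` turns off MX lookups). Consider a role variable, as the `mydestination` hunk above does, with a bracketed fully-qualified default: `relayhost = {{ mailman_postfix_relayhost }}`, where `mailman_postfix_relayhost` is a new variable to define in `roles/mailman/vars/main.yml`.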
@@ -689,6 +689,6 @@ message_size_limit = 20971520 # Mailman, see MTA.rst owner_request_special = no -transport_maps = hash:{{mailman_vardir}}/data/postfix_lmtp -local_recipient_maps = hash:{{mailman_vardir}}/data/postfix_lmtp -relay_domains = hash:{{mailman_vardir}}/data/postfix_domains +transport_maps = hash:/var/lib/mailman3/data/postfix_lmtp +local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp +relay_domains = hash:/var/lib/mailman3/data/postfix_domains diff --git a/roles/mailman/vars/main.yml b/roles/mailman/vars/main.yml index 5e4585e9c3..950feddc86 100644 --- a/roles/mailman/vars/main.yml +++ b/roles/mailman/vars/main.yml @@ -2,3 +2,4 @@ mailman_webui_basedir: /srv/webui mailman_webui_confdir: ${mailman_webui_basedir}/config mailman_dbserver: db02.stg.phx2.fedoraproject.org +mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org" From eefdd1b23cb67027919bfcc07ea142579e411bd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 11:01:21 +0000 Subject: [PATCH 012/271] Minor syntax fixes --- playbooks/groups/mailman.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 74582c2d93..9f89bdb725 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -29,7 +29,7 @@ vars_files: - /srv/web/infra/ansible/vars/global.yml - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - /srv/web/infra/ansible/roles/base @@ -63,7 +63,7 @@ vars_files: - /srv/web/infra/ansible/vars/global.yml - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" tasks: # mailman auto-updates its schema, there can only be one admin user 
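Review bot: The new `mailman_postfix_mydestination` default in roles/mailman/vars/main.yml lists the production domain `lists.fedoraproject.org` next to a staging `mailman_dbserver`, so every host that applies the role without overriding it accepts production list mail as a final destination. Values that hosts are expected to override are safer in the role's `defaults/main.yml`, because depending on the Ansible version a role's `vars/main.yml` can take precedence over play-level `vars:`; the lists-dev playbook later in this series relies on such an override. A comment such as `# per-environment: override in the play or host_vars` above both keys would document the intent.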
@@ -94,7 +94,7 @@ vars_files: - /srv/web/infra/ansible/vars/global.yml - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - /srv/web/infra/ansible/roles/mailman From 13b6d6f85a388b80c62d91b8869096e3c00d3be9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 11:10:52 +0000 Subject: [PATCH 013/271] Uniformize indentation (whitespaces only) --- playbooks/groups/mailman.yml | 58 ++++----- .../lists-dev.cloud.fedoraproject.org.yml | 112 +++++++++--------- 2 files changed, 85 insertions(+), 85 deletions(-) diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 9f89bdb725..e72f714277 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -9,9 +9,9 @@ accelerate: True vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: - include: "{{ tasks }}/virt_instance_create.yml" @@ -27,9 +27,9 @@ accelerate: True vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - /srv/web/infra/ansible/roles/base 
@@ -61,28 +61,28 @@ sudo: yes sudo_user: postgres vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" tasks: - # mailman auto-updates its schema, there can only be one admin user - - name: mailman DB user - postgresql_user: name=mailmanadmin password={{ mailman_mm_db_pass }} - - name: hyperkitty DB admin user - postgresql_user: name=hyperkittyadmin password={{ mailman_hk_admin_db_pass }} - - name: hyperkitty DB user - postgresql_user: name=hyperkittyapp password={{ mailman_hk_db_pass }} - - name: kittystore DB admin user - postgresql_user: name=kittystoreadmin password={{ mailman_ks_admin_db_pass }} - - name: kittystore DB user - postgresql_user: name=kittystoreapp password={{ mailman_ks_db_pass }} - - name: databases creation - postgresql_db: name={{ item }} owner="{{ item }}admin" encoding=UTF-8 - with_items: - - mailman - - hyperkitty - - kittystore + # mailman auto-updates its schema, there can only be one admin user + - name: mailman DB user + postgresql_user: name=mailmanadmin password={{ mailman_mm_db_pass }} + - name: hyperkitty DB admin user + postgresql_user: name=hyperkittyadmin password={{ mailman_hk_admin_db_pass }} + - name: hyperkitty DB user + postgresql_user: name=hyperkittyapp password={{ mailman_hk_db_pass }} + - name: kittystore DB admin user + postgresql_user: name=kittystoreadmin password={{ mailman_ks_admin_db_pass }} + - name: kittystore DB user + postgresql_user: name=kittystoreapp password={{ mailman_ks_db_pass }} + - name: databases creation + postgresql_db: name={{ item }} owner="{{ item }}admin" encoding=UTF-8 + with_items: + - mailman + - hyperkitty + - kittystore # Real MM/HK-specific work 
@@ -92,9 +92,9 @@ gather_facts: True vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - /srv/web/infra/ansible/roles/mailman diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 846d2626c7..aac430f93e 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -4,8 +4,8 @@ gather_facts: False vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" tasks: - include: "{{ tasks }}/persistent_cloud.yml" @@ -16,11 +16,11 @@ gather_facts: True vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml vars: - - mailman_vardir: /srv/persist/mailman + - mailman_vardir: /srv/persist/mailman tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" 
@@ -45,23 +45,23 @@ - name: install packages yum: state=installed name={{ item }} with_items: - - httpd - - mod_ssl - - mod_wsgi - - mailman - - python-psycopg2 - - python-storm-postgresql - - postgresql-server - - system-config-firewall-base - - rsync - - openssh-clients - - httpd-tools - - cronie-noanacron + - httpd + - mod_ssl + - mod_wsgi + - mailman + - python-psycopg2 + - python-storm-postgresql + - postgresql-server + - system-config-firewall-base + - rsync + - openssh-clients + - httpd-tools + - cronie-noanacron - name: install apache and mod_wsgi yum: name=mod_wsgi state=installed notify: - - restart apache + - restart apache - name: erase packages action: yum state=absent name={{ item }} @@ -73,10 +73,10 @@ - name: poke holes in the firewall command: lokkit {{ item }} with_items: - - --service=ssh - - --service=https - - --service=http - - --service=smtp + - --service=ssh + - --service=https + - --service=http + - --service=smtp # Database - name: initialize postgresql @@ -85,7 +85,7 @@ - name: copy pg_hba.conf copy: src="{{ files }}/lists-dev/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf notify: - - restart postgresql + - restart postgresql - name: start postgresql service: state=started name=postgresql 
@@ -100,48 +100,48 @@ sudo: yes sudo_user: postgres vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - "{{ vars_path }}/{{ ansible_distribution }}.yml" + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "{{ vars_path }}/{{ ansible_distribution }}.yml" vars: - - mailman_vardir: /srv/persist/mailman + - mailman_vardir: /srv/persist/mailman tasks: - # mailman auto-updates its schema, there can only be one admin user - - name: mailman DB user - postgresql_user: name=mailmanadmin password={{ lists_dev_mm_db_pass }} - - name: hyperkitty DB admin user - postgresql_user: name=hyperkittyadmin password={{ lists_dev_hk_db_pass }} - - name: hyperkitty DB user - postgresql_user: name=hyperkittyapp password={{ lists_dev_hk_db_pass }} - - name: kittystore DB admin user - postgresql_user: name=kittystoreadmin password={{ lists_dev_ks_db_pass }} - - name: kittystore DB user - postgresql_user: name=kittystoreapp password={{ lists_dev_ks_db_pass }} - - name: databases creation - postgresql_db: name={{ item }} owner="{{ item }}admin" encoding=UTF-8 - with_items: - - mailman - - hyperkitty - - kittystore + # mailman auto-updates its schema, there can only be one admin user + - name: mailman DB user + postgresql_user: name=mailmanadmin password={{ lists_dev_mm_db_pass }} + - name: hyperkitty DB admin user + postgresql_user: name=hyperkittyadmin password={{ lists_dev_hk_db_pass }} + - name: hyperkitty DB user + postgresql_user: name=hyperkittyapp password={{ lists_dev_hk_db_pass }} + - name: kittystore DB admin user + postgresql_user: name=kittystoreadmin password={{ lists_dev_ks_db_pass }} + - name: kittystore DB user + postgresql_user: name=kittystoreapp password={{ lists_dev_ks_db_pass }} + - name: databases creation + postgresql_db: name={{ item }} owner="{{ item }}admin" encoding=UTF-8 + with_items: + - mailman + - hyperkitty + - kittystore - name: setup mailman and hyperkitty hosts: hyperkitty-stg gather_facts: no 
vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - "{{ vars_path }}/{{ ansible_distribution }}.yml" + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "{{ vars_path }}/{{ ansible_distribution }}.yml" vars: - # override roles variables - - mailman_dbserver: localhost - - mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org - - mailman_mm_db_pass: {{ lists_dev_mm_db_pass }} - - mailman_hk_admin_db_pass: {{ lists_dev_hk_db_pass }} - - mailman_hk_db_pass: {{ lists_dev_hk_db_pass }} - - mailman_ks_admin_db_pass: {{ lists_dev_ks_db_pass }} - - mailman_ks_db_pass: {{ lists_dev_ks_db_pass }} + # override roles variables + - mailman_dbserver: localhost + - mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org + - mailman_mm_db_pass: {{ lists_dev_mm_db_pass }} + - mailman_hk_admin_db_pass: {{ lists_dev_hk_db_pass }} + - mailman_hk_db_pass: {{ lists_dev_hk_db_pass }} + - mailman_ks_admin_db_pass: {{ lists_dev_ks_db_pass }} + - mailman_ks_db_pass: {{ lists_dev_ks_db_pass }} roles: - /srv/web/infra/ansible/roles/mailman From 5e51be733b883b745268c8d0cae7303a483b3481 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 17 Jan 2014 15:01:00 +0000 Subject: [PATCH 014/271] Correct the logic for checking group membership when awarding old group badges. Reviewed by Patrick Uiterwijk. --- .../files/cron/award-oldschool-badges | 34 +++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/roles/badges-backend/files/cron/award-oldschool-badges b/roles/badges-backend/files/cron/award-oldschool-badges index fa4b46f43a..62e3dd6174 100755 --- a/roles/badges-backend/files/cron/award-oldschool-badges +++ b/roles/badges-backend/files/cron/award-oldschool-badges 
@@ -35,6 +35,35 @@ fedmsg.init(**fm_config) import fedbadges.utils +def user_in_group(user, group_name): + # First, bail out if they're not in the group at all + if not any([g.name == group_name for g in user.memberships]): + return False + + # Find the group_id of the group we're looking for.. + group_id = None + for g in user.memberships: + if g.name == group_name: + group_id = g.group_id + break + + if not group_id: + return False + + # For that group_id, find the relevant role + relevant_role = None + for role in user.roles: + if role.group_id == group_id: + relevant_role = role + break + + if not relevant_role: + return False + + # They must be actually 'approved' in that group for this to count + return relevant_role.role_status == 'approved': + + def get_fas_groupings(fas_credentials, lookup, **config): creds = fas_credentials @@ -60,10 +89,11 @@ def get_fas_groupings(fas_credentials, lookup, **config): for user in mega_list: # This is the main check. for group_name, badge_id in lookup.iteritems(): - if any([group.name == group_name for group in user.memberships]): + if user_in_group(user, group_name): results[group_name] = results.get(group_name, []) + [user] - # This is special.. we're checking for being a packager-sponsor + # Beyond the main check, here is a special check that makes sure they + # are a sponsor in the packager group. if not packager_id: for group in user.memberships: if group.name == 'packager': From 47e672cf3851cda15e836d6ea294afa838dbd580 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 15:37:35 +0000 Subject: [PATCH 015/271] Fix a syntax error --- playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index aac430f93e..78f695aacc 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml 
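Review bot: The last line of the new `user_in_group` ends with a stray colon, `return relevant_role.role_status == 'approved':`, which is a syntax error, so the interpreter rejects the whole script and the cron job awards no badges at all. It should read `return relevant_role.role_status == 'approved'`. A one-line docstring stating that membership counts only when the matching role is approved would also help, since this function is the check every group badge now depends on.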
+++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -161,8 +161,7 @@ # owner=root group=root mode=0600 - name: send root mail to abompard - lineinfile: dest=/etc/aliases regexp="^root:" - line="root: abompard@fedoraproject.org" + lineinfile: dest=/etc/aliases regexp="^root:" line="root: abompard@fedoraproject.org" notify: - reload aliases From 34c38adfe01ff9a9e1daa4cb4628ba767bf3ab60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 15:39:23 +0000 Subject: [PATCH 016/271] Fix a syntax error, again --- playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 78f695aacc..745b192fcd 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -161,7 +161,7 @@ # owner=root group=root mode=0600 - name: send root mail to abompard - lineinfile: dest=/etc/aliases regexp="^root:" line="root: abompard@fedoraproject.org" + lineinfile: dest=/etc/aliases regexp='^root:' line='root: abompard@fedoraproject.org' notify: - reload aliases From 603ea16820efa319be3e30b0f22bb2bba4ffc72d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 16:02:18 +0000 Subject: [PATCH 017/271] Fix a syntax error, yet again --- .../hosts/lists-dev.cloud.fedoraproject.org.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 745b192fcd..bdb70331cd 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml 
@@ -137,11 +137,11 @@ # override roles variables - mailman_dbserver: localhost - mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org - - mailman_mm_db_pass: {{ lists_dev_mm_db_pass }} - - mailman_hk_admin_db_pass: {{ lists_dev_hk_db_pass }} - - mailman_hk_db_pass: {{ lists_dev_hk_db_pass }} - - mailman_ks_admin_db_pass: {{ lists_dev_ks_db_pass }} - - mailman_ks_db_pass: {{ lists_dev_ks_db_pass }} + - mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}" + - mailman_hk_admin_db_pass: "{{ lists_dev_hk_db_pass }}" + - mailman_hk_db_pass: "{{ lists_dev_hk_db_pass }}" + - mailman_ks_admin_db_pass: "{{ lists_dev_ks_db_pass }}" + - mailman_ks_db_pass: "{{ lists_dev_ks_db_pass }}" roles: - /srv/web/infra/ansible/roles/mailman @@ -161,7 +161,7 @@ # owner=root group=root mode=0600 - name: send root mail to abompard - lineinfile: dest=/etc/aliases regexp='^root:' line='root: abompard@fedoraproject.org' + lineinfile: 'dest=/etc/aliases regexp=^root: line=root: abompard@fedoraproject.org' notify: - reload aliases From e66c937bf510c1d67c498e36547a509bdc94a492 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 16:05:28 +0000 Subject: [PATCH 018/271] Fix the URL to the repo file --- playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index bdb70331cd..97ff67d66a 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml 
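Review bot: In the `send root mail to abompard` task the inner quotes around the values were dropped, so the module's key=value parser will most likely split on the space after `root:`, leaving `line` as `root:` and the address as a stray token. Root's mail carries cron and security notices, so a wrong or empty alias silently loses them. Quote the whole argument string for YAML and keep the values quoted inside it: `lineinfile: "dest=/etc/aliases regexp='^root:' line='root: abompard@fedoraproject.org'"`.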
@@ -39,8 +39,8 @@ action: mount src=/srv/persist/mailman name=/var/lib/mailman3 fstype=auto opts=bind state=mounted - name: get the repo file - get_url: url=http://repos.fedorapeople.org/repos/abompard/hyperkitty/fedora-hyperkitty.repo - dest=/etc/yum.repos.d/fedora-hyperkitty.repo mode=0444 + get_url: url=http://repos.fedorapeople.org/repos/abompard/hyperkitty/hyperkitty.repo + dest=/etc/yum.repos.d/hyperkitty.repo mode=0444 - name: install packages yum: state=installed name={{ item }} From a43be7abbb91e0ee9b66dfaa1d9602601eec3830 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 16:09:57 +0000 Subject: [PATCH 019/271] Use the new-style variable substitution --- roles/mailman/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml index 780515bfb6..e760df464c 100644 --- a/roles/mailman/tasks/main.yml +++ b/roles/mailman/tasks/main.yml @@ -10,13 +10,13 @@ yum: pkg=policycoreutils-python state=installed - name: set the SELinux policy for the configuration directory - command: semanage fcontext -a -t etc_t "${mailman_webui_confdir}(/.*)?" + command: semanage fcontext -a -t etc_t "{{ mailman_webui_confdir }}(/.*)?" - name: set the SELinux policy for the fulltext index - command: semanage fcontext -a -t httpd_sys_content_t "${mailman_webui_basedir}/kittystore_search_index(/.*)?" + command: semanage fcontext -a -t httpd_sys_content_t "{{ mailman_webui_basedir }}/kittystore_search_index(/.*)?" - name: set the SELinux policy for the static files directory - command: semanage fcontext -a -t httpd_sys_content_t "${mailman_webui_basedir}/static(/.*)?" + command: semanage fcontext -a -t httpd_sys_content_t "{{ mailman_webui_basedir }}/static(/.*)?" - name: set the SELinux policy for the log directory command: semanage fcontext -a -t httpd_log_t "/var/log/hyperkitty(/.*)?" From c6852a889ab5e762552aa478a34f726e35b01a94 Mon Sep 17 00:00:00 2001 
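Review bot: The `get the repo file` task downloads a yum repository definition over plain `http://` with no integrity check and installs it into `/etc/yum.repos.d/`. Whoever can alter that response decides which repository, and with which gpgcheck settings, packages are later installed from as root. Shipping the `.repo` file from this repository with `copy`, or fetching it over HTTPS if the host serves it, removes that dependency on the network path; the installed file should also be checked for `gpgcheck=1`, which cannot be seen from this hunk.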
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 17:17:28 +0000 Subject: [PATCH 020/271] Make the lists-dev playbook closer to the mailman group --- .../lists-dev.cloud.fedoraproject.org.yml | 34 ++++--------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 97ff67d66a..4753fbae7d 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -25,6 +25,13 @@ tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" - include: "{{ tasks }}/postfix_basic.yml" + - include: "{{ tasks }}/hosts.yml" + - include: "{{ tasks }}/yumrepos.yml" + - include: "{{ tasks }}/collectd/client.yml" + - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/sudo.yml" + - include: "{{ tasks }}/apache.yml" + - include: "{{ tasks }}/mod_wsgi.yml" - name: mount up disk of persistent storage action: mount name=/srv/persist src='LABEL=lists-dev' fstype=ext4 state=mounted @@ -42,33 +49,6 @@ get_url: url=http://repos.fedorapeople.org/repos/abompard/hyperkitty/hyperkitty.repo dest=/etc/yum.repos.d/hyperkitty.repo mode=0444 - - name: install packages - yum: state=installed name={{ item }} - with_items: - - httpd - - mod_ssl - - mod_wsgi - - mailman - - python-psycopg2 - - python-storm-postgresql - - postgresql-server - - system-config-firewall-base - - rsync - - openssh-clients - - httpd-tools - - cronie-noanacron - - - name: install apache and mod_wsgi - yum: name=mod_wsgi state=installed - notify: - - restart apache - - - name: erase packages - action: yum state=absent name={{ item }} - with_items: - - sendmail - - cronie-anacron - # open up ports (22, 80, 443, 25) - name: poke holes in the firewall command: lokkit {{ item }} From 48d9ebf52234a3a801b40c04956d275d342a43dc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 17:50:56 +0000 Subject: [PATCH 021/271] lists-dev: add missing handler --- playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 4753fbae7d..681ca96f3b 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -71,6 +71,8 @@ handlers: - include: "{{ handlers }}/restart_services.yml" + - name: restart postgresql + service: name=postgresql state=restarted From 429725e69e3aae01e397cf03694949ee193c1b9c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Jan 2014 17:52:28 +0000 Subject: [PATCH 022/271] Update settings to rid ourselves of depreciation notices. --- roles/ask/templates/settings.py | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index a2e51556c3..a0c28102af 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -86,11 +86,6 @@ PROJECT_ROOT = os.path.dirname(__file__) #STATIC_ROOT = os.path.join(PROJECT_ROOT, 'static') STATIC_ROOT = '/var/www/html/askbot/static' -# URL prefix for admin media -- CSS, JavaScript and images. Make sure to use a -# trailing slash. -# Examples: "http://foo.com/media/", "/media/". -ADMIN_MEDIA_PREFIX = STATIC_URL + 'admin/' - # Make up some unique string, and don't share it with anybody. SECRET_KEY = '<%= askbotSecretKeyPassword %>' 
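Review bot: The context line `SECRET_KEY = '<%= askbotSecretKeyPassword %>'` in the first settings.py hunk still uses ERB delimiters, while the rest of this template uses Jinja2 (`{% if env == "staging" %}` in the next hunk). If the file is rendered by Ansible's template module the placeholder is not expanded, and the literal string, which is readable in this repository, becomes the Django key that signs sessions and tokens. It should read `SECRET_KEY = '{{ askbot_secret_key }}'` with the value kept in the private vars file; the variable name here is a placeholder. The same line appears as context in the later settings.py patches of this series.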
@@ -200,18 +195,23 @@ INSTALLED_APPS = ( #setup memcached for production use! #see http://docs.djangoproject.com/en/1.1/topics/cache/ for details {% if env == "staging" %} -CACHE_BACKEND = 'locmem://' +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', + 'LOCATION': 'ask-staging' + } +} {% else %} -CACHE_BACKEND='memcached://memcached04:11211/' +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'KEY_PREFIX': 'askfedora', + 'LOCATION': [ + 'memcached04:11211', + ] + } +} {% endif %} -#needed for django-keyedcache -CACHE_TIMEOUT = 6000 -#sets a special timeout for livesettings if you want to make them different -LIVESETTINGS_CACHE_TIMEOUT = CACHE_TIMEOUT -CACHE_PREFIX = 'askbot' #make this unique -CACHE_MIDDLEWARE_ANONYMOUS_ONLY = True -#If you use memcache you may want to uncomment the following line to enable memcached based sessions -#SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db' AUTHENTICATION_BACKENDS = ( 'django.contrib.auth.backends.ModelBackend', From 1fd81df74a2badce96144c5648daf54ec3548781 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 17 Jan 2014 17:56:23 +0000 Subject: [PATCH 023/271] mailman: typo --- roles/mailman/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml index e760df464c..9e41f69b4f 100644 --- a/roles/mailman/tasks/main.yml +++ b/roles/mailman/tasks/main.yml @@ -124,7 +124,7 @@ - name: install the hyperkitty wsgi file copy: src=webui.wsgi - dest="{{ mailman_webui_confdir }/webui.wsgi" + dest="{{ mailman_webui_confdir }}/webui.wsgi" owner=root group=root mode=0644 tags: - config From 7f257b854dae27d7622cf56a893a41cfe37012c0 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Fri, 17 Jan 2014 17:56:46 +0000 Subject: [PATCH 024/271] askbot still does need this one. ;( --- roles/ask/templates/settings.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index a0c28102af..f30e82b583 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -86,6 +86,11 @@ PROJECT_ROOT = os.path.dirname(__file__) #STATIC_ROOT = os.path.join(PROJECT_ROOT, 'static') STATIC_ROOT = '/var/www/html/askbot/static' +# URL prefix for admin media -- CSS, JavaScript and images. Make sure to use a +# trailing slash. +# Examples: "http://foo.com/media/", "/media/". +ADMIN_MEDIA_PREFIX = STATIC_URL + 'admin/' + # Make up some unique string, and don't share it with anybody. SECRET_KEY = '<%= askbotSecretKeyPassword %>' From 56cde2b40a3df9a314b271e48a7c24c64fbea2e8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Jan 2014 18:01:36 +0000 Subject: [PATCH 025/271] Add this too for askbot --- roles/ask/templates/settings.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index f30e82b583..058e2b9a16 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -218,6 +218,8 @@ CACHES = { } {% endif %} +CACHE_MIDDLEWARE_ANONYMOUS_ONLY = True + AUTHENTICATION_BACKENDS = ( 'django.contrib.auth.backends.ModelBackend', 'askbot.deps.django_authopenid.backends.AuthBackend', From dfcac4ffa6020fc373a1a0064da02e7786ef5dcf Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Jan 2014 18:09:15 +0000 Subject: [PATCH 026/271] Remove identa.ca from ask.stg hopefully. --- roles/ask/files/login_providers.py | 3 +-- roles/ask/files/util.py | 23 ----------------------- 2 files changed, 1 insertion(+), 25 deletions(-) diff --git a/roles/ask/files/login_providers.py b/roles/ask/files/login_providers.py index 758b3095e8..bd2e015796 100644 
--- a/roles/ask/files/login_providers.py +++ b/roles/ask/files/login_providers.py @@ -81,10 +81,9 @@ providers = ( 'Vidoop', 'Verisign', 'Yahoo', - 'identi.ca', ) -need_extra_setup = ('Twitter', 'Facebook', 'LinkedIn', 'identi.ca',) +need_extra_setup = ('Twitter', 'Facebook', 'LinkedIn', ) for provider in providers: kwargs = { diff --git a/roles/ask/files/util.py b/roles/ask/files/util.py index 4c4e47b4e7..f05295a43c 100644 --- a/roles/ask/files/util.py +++ b/roles/ask/files/util.py @@ -433,26 +433,6 @@ def get_enabled_major_login_providers(): 'icon_media_path': '/jquery-openid/images/twitter.gif', 'get_user_id_function': lambda data: data['user_id'], } - def get_identica_user_id(data): - consumer = oauth.Consumer(data['consumer_key'], data['consumer_secret']) - token = oauth.Token(data['oauth_token'], data['oauth_token_secret']) - client = oauth.Client(consumer, token=token) - url = 'https://identi.ca/api/account/verify_credentials.json' - response, content = client.request(url, 'GET') - json = simplejson.loads(content) - return json['id'] - if askbot_settings.IDENTICA_KEY and askbot_settings.IDENTICA_SECRET: - data['identi.ca'] = { - 'name': 'identi.ca', - 'display_name': 'identi.ca', - 'type': 'oauth', - 'request_token_url': 'https://identi.ca/api/oauth/request_token', - 'access_token_url': 'https://identi.ca/api/oauth/access_token', - 'authorize_url': 'https://identi.ca/api/oauth/authorize', - 'authenticate_url': 'https://identi.ca/api/oauth/authorize', - 'icon_media_path': '/jquery-openid/images/identica.png', - 'get_user_id_function': get_identica_user_id, - } def get_linked_in_user_id(data): consumer = oauth.Consumer(data['consumer_key'], data['consumer_secret']) token = oauth.Token(data['oauth_token'], data['oauth_token_secret']) 
@@ -690,9 +670,6 @@ def get_oauth_parameters(provider_name): elif provider_name == 'linkedin': consumer_key = askbot_settings.LINKEDIN_KEY consumer_secret = askbot_settings.LINKEDIN_SECRET - elif provider_name == 'identi.ca': - consumer_key = askbot_settings.IDENTICA_KEY - consumer_secret = askbot_settings.IDENTICA_SECRET elif provider_name == 'facebook': consumer_key = askbot_settings.FACEBOOK_KEY consumer_secret = askbot_settings.FACEBOOK_SECRET From 52f4cbe59084dd6fb8bef7118104c426b5f93337 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Jan 2014 18:19:54 +0000 Subject: [PATCH 027/271] See if this gets rid of the identica share button. --- roles/ask/templates/settings.py | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 058e2b9a16..46753ccc08 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -350,3 +350,4 @@ JINJA2_EXTENSIONS = ('compressor.contrib.jinja2ext.CompressorExtension',) SOUTH_TESTS_MIGRATE = False VERIFIER_EXPIRE_DAYS = 3 +ENABLE_SHARING_IDENTICA = False From 6822f97cdae1ed8685129dc4781eb26607bcb5a2 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Jan 2014 18:28:53 +0000 Subject: [PATCH 028/271] Turns out we can disable identi.ca via settings. Also re-add cache timeout because it complains about it. --- roles/ask/templates/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 46753ccc08..0f0ea2aa58 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -219,6 +219,7 @@ CACHES = { {% endif %} CACHE_MIDDLEWARE_ANONYMOUS_ONLY = True +CACHE_TIMEOUT = 600 AUTHENTICATION_BACKENDS = ( 'django.contrib.auth.backends.ModelBackend', @@ -350,4 +351,3 @@ JINJA2_EXTENSIONS = ('compressor.contrib.jinja2ext.CompressorExtension',) SOUTH_TESTS_MIGRATE = False VERIFIER_EXPIRE_DAYS = 3 -ENABLE_SHARING_IDENTICA = False 
From 785ce4ff872ada455ebf5bf51e8bcdc511ba3dc8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 17 Jan 2014 18:59:43 +0000 Subject: [PATCH 029/271] Run collectstatic before trying to apply hotfixes. --- roles/ask/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/ask/tasks/main.yml b/roles/ask/tasks/main.yml index a4fe91e388..a164c1610d 100644 --- a/roles/ask/tasks/main.yml +++ b/roles/ask/tasks/main.yml @@ -68,6 +68,11 @@ - name: log ownership fix file: state=touch dest=/var/log/askbot/askfedora.log owner=apache group=apache +- name: run collectstatic + command: creates=/var/www/html/askbot/static python /etc/askbot/sites/ask/config/manage.py collectstatic --noinput + tags: + - config + #- name: setup default skin link needed for askbot # file: state=link src=/usr/lib64/python2.6/site-packages/askbot/skins/default dest=/usr/lib64/python2.6/site-packages/askbot/static/default # From f2f2093bd29e5a3ff5abf63ecc486d44cf39cc38 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 18 Jan 2014 18:43:51 +0000 Subject: [PATCH 030/271] Add settings needed for multi lang support --- roles/ask/templates/settings.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 0f0ea2aa58..4abb25ea7f 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -110,6 +110,7 @@ MIDDLEWARE_CLASSES = ( ## Enable the following middleware if you want to enable ## language selection in the site settings. #'askbot.middleware.locale.LocaleMiddleware', + 'django.middleware.locale.LocaleMiddleware', #'django.middleware.cache.UpdateCacheMiddleware', 'django.middleware.common.CommonMiddleware', #'django.middleware.cache.FetchFromCacheMiddleware', 
@@ -241,7 +242,7 @@ logging.basicConfig( # ASKBOT_URL = 'forum/' # ASKBOT_URL = '' #no leading slash, default = '' empty string -ASKBOT_TRANSLATE_URL = True #translate specific URLs +ASKBOT_TRANSLATE_URL = False #translate specific URLs _ = lambda v:v #fake translation function for the login url LOGIN_URL = '/%s%s%s' % (ASKBOT_URL,_('account/'),_('signin/')) LOGIN_REDIRECT_URL = ASKBOT_URL #adjust, if needed @@ -334,7 +335,7 @@ GROUP_MESSAGING = { 'BASE_URL_PARAMS': {'section': 'messages', 'sort': 'inbox'} } -ASKBOT_MULTILINGUAL = False +ASKBOT_MULTILINGUAL = True ASKBOT_CSS_DEVEL = False if 'ASKBOT_CSS_DEVEL' in locals() and ASKBOT_CSS_DEVEL == True: From 55a3e42c6229994e6ffe2df0040b1f1f24a6e58e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 19 Jan 2014 21:37:14 +0000 Subject: [PATCH 031/271] Add cron to delete old undelivered emails. Add subset of languages we want to support. --- roles/ask/files/cron-delete-old-emails | 2 ++ roles/ask/tasks/main.yml | 1 + roles/ask/templates/settings.py | 8 ++++++++ 3 files changed, 11 insertions(+) create mode 100644 roles/ask/files/cron-delete-old-emails diff --git a/roles/ask/files/cron-delete-old-emails b/roles/ask/files/cron-delete-old-emails new file mode 100644 index 0000000000..507dff8fb2 --- /dev/null +++ b/roles/ask/files/cron-delete-old-emails @@ -0,0 +1,2 @@ +0 * * * * root /usr/bin/python /etc/askbot/sites/ask/config/manage.py cleanup_mail -d 7 > /dev/null 2> /dev/null + diff --git a/roles/ask/tasks/main.yml b/roles/ask/tasks/main.yml index a164c1610d..c02cb4cae7 100644 --- a/roles/ask/tasks/main.yml +++ b/roles/ask/tasks/main.yml @@ -62,6 +62,7 @@ with_items: - cron-ask-send-reminders - cron-post-office-send-mail + - cron-delete-old-emails tags: - files diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 4abb25ea7f..e6978fa0b1 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py 
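Review bot: The new cron entry runs `manage.py cleanup_mail` as `root` and sends both stdout and stderr to `/dev/null`, so the Django settings and application code execute with full privileges and a failing cleanup is never noticed. The role already hands the askbot log to `apache` (the `log ownership fix` task), so the job could run as that account, assuming it can read the site config: `0 * * * * apache /usr/bin/python /etc/askbot/sites/ask/config/manage.py cleanup_mail -d 7 > /dev/null`. Keeping stderr lets cron report errors instead of hiding them.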
@@ -336,6 +336,14 @@ GROUP_MESSAGING = { } ASKBOT_MULTILINGUAL = True +LANGUAGES = { + 'zh-tw': 'Chinese', + 'en': 'English', + 'fr': 'French', + 'el': 'Greek', + 'ru': 'Russian', + 'es': 'Spanish', +} ASKBOT_CSS_DEVEL = False if 'ASKBOT_CSS_DEVEL' in locals() and ASKBOT_CSS_DEVEL == True: From 935277bfeae426fa8300eba3186b7c271c037079 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 19 Jan 2014 22:16:50 +0000 Subject: [PATCH 032/271] Adjust settings template some. Put stg/prod changes in one place. --- roles/ask/templates/settings.py | 64 +++++++++++++++++---------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index e6978fa0b1..9fdf996dfb 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -198,27 +198,6 @@ INSTALLED_APPS = ( ) -#setup memcached for production use! -#see http://docs.djangoproject.com/en/1.1/topics/cache/ for details -{% if env == "staging" %} -CACHES = { - 'default': { - 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', - 'LOCATION': 'ask-staging' - } -} -{% else %} -CACHES = { - 'default': { - 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', - 'KEY_PREFIX': 'askfedora', - 'LOCATION': [ - 'memcached04:11211', - ] - } -} -{% endif %} - CACHE_MIDDLEWARE_ANONYMOUS_ONLY = True CACHE_TIMEOUT = 600 
@@ -255,13 +234,46 @@ ASKBOT_USE_STACKEXCHANGE_URLS = False #mimic url scheme of stackexchange BROKER_TRANSPORT = "djkombu.transport.DatabaseTransport" CELERY_ALWAYS_EAGER = True - +# +# Only enable languages where we have active moderators +# In staging we have a few more for communities to test with before commiting. +# +# locmem cache in staging and use memcached04 in production. +# {% if env == "staging" %} DOMAIN_NAME = 'ask.stg.fedoraproject.org' +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', + 'LOCATION': 'ask-staging' + } +} +LANGUAGES = { + 'zh-tw': 'Chinese', + 'en': 'English', + 'fr': 'French', + 'el': 'Greek', + 'ru': 'Russian', + 'es': 'Spanish', +} {% else %} DOMAIN_NAME = 'ask.fedoraproject.org' +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'KEY_PREFIX': 'askfedora', + 'LOCATION': [ + 'memcached04:11211', + ] + } +} +LANGUAGES = { + 'en': 'English', + 'es': 'Spanish', +} {% endif %} + #https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/ CSRF_COOKIE_DOMAIN = DOMAIN_NAME @@ -336,14 +348,6 @@ GROUP_MESSAGING = { } ASKBOT_MULTILINGUAL = True -LANGUAGES = { - 'zh-tw': 'Chinese', - 'en': 'English', - 'fr': 'French', - 'el': 'Greek', - 'ru': 'Russian', - 'es': 'Spanish', -} ASKBOT_CSS_DEVEL = False if 'ASKBOT_CSS_DEVEL' in locals() and ASKBOT_CSS_DEVEL == True: From 7b38b4087373fd40ce2dd68b4f118118930cb50f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Jan 2014 17:15:16 +0000 Subject: [PATCH 033/271] Fix languages setting for askbot --- roles/ask/templates/settings.py | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 9fdf996dfb..8cf0a1d68a 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py 
@@ -249,14 +249,14 @@ CACHES = { 'LOCATION': 'ask-staging' } } -LANGUAGES = { - 'zh-tw': 'Chinese', - 'en': 'English', - 'fr': 'French', - 'el': 'Greek', - 'ru': 'Russian', - 'es': 'Spanish', -} +LANGUAGES = ( + ('es', gettext('Spanish')), + ('en', gettext('English')), + ('ru', gettext('Russian')), + ('zh-tw', gettext('Chinese')), + ('fr', gettext('French')), + ('el', gettext('Greek')), +) {% else %} DOMAIN_NAME = 'ask.fedoraproject.org' CACHES = { @@ -268,10 +268,10 @@ CACHES = { ] } } -LANGUAGES = { - 'en': 'English', - 'es': 'Spanish', -} +LANGUAGES = ( + ('es', gettext('Spanish')), + ('en', gettext('English')), +) {% endif %} #https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/ From 2bf861fb4da839ef20831d041a5c0e2e955aaed8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Jan 2014 17:21:59 +0000 Subject: [PATCH 034/271] Immport gettext --- roles/ask/templates/settings.py | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 8cf0a1d68a..7ebb9f77c4 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -4,6 +4,7 @@ import logging import sys import askbot import site +import gettext #this line is added so that we can import pre-packaged askbot dependencies ASKBOT_ROOT = os.path.abspath(os.path.dirname(askbot.__file__)) From 193d5c83372e59ae79f5ae895315030c6ca62fc9 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Jan 2014 17:26:28 +0000 Subject: [PATCH 035/271] Fix this lang thing the correct way. --- roles/ask/templates/settings.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 7ebb9f77c4..e24475b0aa 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py 
@@ -4,7 +4,6 @@ import logging import sys import askbot import site -import gettext #this line is added so that we can import pre-packaged askbot dependencies ASKBOT_ROOT = os.path.abspath(os.path.dirname(askbot.__file__)) @@ -250,6 +249,7 @@ CACHES = { 'LOCATION': 'ask-staging' } } +gettext = lambda s: s LANGUAGES = ( ('es', gettext('Spanish')), ('en', gettext('English')), @@ -269,6 +269,7 @@ CACHES = { ] } } +gettext = lambda s: s LANGUAGES = ( ('es', gettext('Spanish')), ('en', gettext('English')), From 2e2100319f3dcf7f132fe484c4e624e01a57f743 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 20 Jan 2014 17:56:49 +0000 Subject: [PATCH 036/271] Mailman: parametrize the role --- playbooks/groups/mailman.yml | 9 ++++++++- .../lists-dev.cloud.fedoraproject.org.yml | 18 ++++++++---------- roles/mailman/defaults/main.yml | 10 ++++++++++ roles/mailman/vars/main.yml | 5 ----- 4 files changed, 26 insertions(+), 16 deletions(-) create mode 100644 roles/mailman/defaults/main.yml delete mode 100644 roles/mailman/vars/main.yml diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index e72f714277..25cee1a4af 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -97,8 +97,15 @@ - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/mailman - /srv/web/infra/ansible/roles/fedmsg_base + - role: /srv/web/infra/ansible/roles/mailman + mailman_dbserver: db02.stg.phx2.fedoraproject.org + mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org" + mailman_mm_db_pass: "{{ mailman_mm_db_pass }}" + mailman_hk_admin_db_pass: "{{ mailman_hk_admin_db_pass }}" + mailman_hk_db_pass: "{{ mailman_hk_db_pass }}" + mailman_ks_admin_db_pass: "{{ mailman_ks_admin_db_pass }}" + mailman_ks_db_pass: "{{ mailman_ks_db_pass }}" tasks: - name: install more needed packages 
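Review bot: The five password parameters passed to the mailman role in `playbooks/groups/mailman.yml` are assigned from variables of the same name, e.g. `mailman_mm_db_pass: "{{ mailman_mm_db_pass }}"`, which is either a no-op or a recursive template depending on how Ansible resolves it. The same commit adds `changeme` defaults for exactly these names in `roles/mailman/defaults/main.yml`, so a lookup that does not reach the private vars could leave the role running with that placeholder. Dropping these five lines and letting the private vars define the names directly removes the ambiguity. If a mapping is wanted, give the source variables distinct names, as the lists-dev playbook does with `lists_dev_mm_db_pass`. The `roles:` list starts outside the hunk.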
diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 681ca96f3b..e770e7048c 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -115,18 +115,16 @@ - /srv/web/infra/ansible/vars/global.yml - "{{ private }}/vars.yml" - "{{ vars_path }}/{{ ansible_distribution }}.yml" - vars: - # override roles variables - - mailman_dbserver: localhost - - mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org - - mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}" - - mailman_hk_admin_db_pass: "{{ lists_dev_hk_db_pass }}" - - mailman_hk_db_pass: "{{ lists_dev_hk_db_pass }}" - - mailman_ks_admin_db_pass: "{{ lists_dev_ks_db_pass }}" - - mailman_ks_db_pass: "{{ lists_dev_ks_db_pass }}" roles: - - /srv/web/infra/ansible/roles/mailman + - role: /srv/web/infra/ansible/roles/mailman + mailman_dbserver: localhost + mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org + mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}" + mailman_hk_admin_db_pass: "{{ lists_dev_hk_db_pass }}" + mailman_hk_db_pass: "{{ lists_dev_hk_db_pass }}" + mailman_ks_admin_db_pass: "{{ lists_dev_ks_db_pass }}" + mailman_ks_db_pass: "{{ lists_dev_ks_db_pass }}" tasks: diff --git a/roles/mailman/defaults/main.yml b/roles/mailman/defaults/main.yml new file mode 100644 index 0000000000..6fb905b432 --- /dev/null +++ b/roles/mailman/defaults/main.yml @@ -0,0 +1,10 @@ +--- +mailman_webui_basedir: /srv/webui +mailman_webui_confdir: ${mailman_webui_basedir}/config +mailman_dbserver: localhost +mailman_postfix_mydestination: "{{ ansible_fqdn }}" +mailman_mm_db_pass: changeme +mailman_hk_admin_db_pass: changeme +mailman_hk_db_pass: changeme +mailman_ks_admin_db_pass: changeme +mailman_ks_db_pass: changeme diff --git a/roles/mailman/vars/main.yml b/roles/mailman/vars/main.yml deleted file mode 100644 index 950feddc86..0000000000 
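Review bot: `mailman_hk_admin_db_pass` and `mailman_hk_db_pass` are both set from `lists_dev_hk_db_pass`, and the two `ks` accounts likewise share `lists_dev_ks_db_pass`, so the admin and the application database account on this host have the same secret. This is carried over unchanged from the removed `vars:` block, but it means a leak of the application credential is also a leak of the admin one, which is presumably the more privileged role. Distinct private variables would keep the separation meaningful, e.g. `mailman_hk_admin_db_pass: "{{ lists_dev_hk_admin_db_pass }}"` (a name constructed here; it would have to be added to the private vars).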
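Review bot: The five `*_db_pass: changeme` defaults in `roles/mailman/defaults/main.yml` mean that a playbook which forgets to pass a password, or misspells the variable, still completes and configures the mm, hk and ks database accounts with a publicly known value. Role defaults are the lowest-precedence source, so nothing warns when they are the ones in effect. Leaving the password variables out of the defaults makes an unset secret fail at template time instead; alternatively the role could start with a task that fails when any of them still equals `changeme`. Separately, `mailman_webui_confdir` still uses the old `${mailman_webui_basedir}` form while the role's templates are moved to `{{ }}` later in this series.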
--- a/roles/mailman/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -mailman_webui_basedir: /srv/webui -mailman_webui_confdir: ${mailman_webui_basedir}/config -mailman_dbserver: db02.stg.phx2.fedoraproject.org -mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org" From fd38240f908b4809268731a57d3c9aea47e9f81e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Jan 2014 18:13:56 +0000 Subject: [PATCH 037/271] Commit ask02 stuff to ansible. --- files/hosts/ask02.phx2.fedoraproject.org-hosts | 7 +++++++ inventory/group_vars/ask | 18 ++++++++++++++++++ .../host_vars/ask02.phx2.fedoraproject.org | 10 ++++++++++ playbooks/groups/ask.yml | 4 ++-- 4 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 files/hosts/ask02.phx2.fedoraproject.org-hosts create mode 100644 inventory/group_vars/ask create mode 100644 inventory/host_vars/ask02.phx2.fedoraproject.org diff --git a/files/hosts/ask02.phx2.fedoraproject.org-hosts b/files/hosts/ask02.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..a5ea2bd3e7 --- /dev/null +++ b/files/hosts/ask02.phx2.fedoraproject.org-hosts @@ -0,0 +1,7 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org + +10.5.126.71 db-ask diff --git a/inventory/group_vars/ask b/inventory/group_vars/ask new file mode 100644 index 0000000000..d9b898de11 --- /dev/null +++ b/inventory/group_vars/ask 
@@ -0,0 +1,18 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 2048 +num_cpus: 2 + +tcp_ports: [ 443 ] + +fas_client_groups: sysadmin-noc,sysadmin-ask,fi-apprentice + +# These are consumed by a task in roles/fedmsg_base/main.yml +fedmsg_certs: +- service: shell + owner: root + group: sysadmin +- service: askbot + owner: root + group: apache diff --git a/inventory/host_vars/ask02.phx2.fedoraproject.org b/inventory/host_vars/ask02.phx2.fedoraproject.org new file mode 100644 index 0000000000..8ed13210c2 --- /dev/null +++ b/inventory/host_vars/ask02.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/vg_guests00 +eth0_ip: 10.5.126.57 +vmhost: virthost14.phx2.fedoraproject.org +datacenter: phx2 diff --git a/playbooks/groups/ask.yml b/playbooks/groups/ask.yml index d255c9a467..daab06a82f 100644 --- a/playbooks/groups/ask.yml +++ b/playbooks/groups/ask.yml @@ -1,5 +1,5 @@ - name: make ask - hosts: ask-stg + hosts: ask-stg:ask02.phx2.fedoraproject.org user: root gather_facts: False accelerate: True @@ -17,7 +17,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: make the box be real - hosts: ask-stg + hosts: ask-stg:ask02.phx2.fedoraproject.org user: root gather_facts: True accelerate: True From 697b3eddb718dcd52a0bfc79265c628eded74ad0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 20 Jan 2014 18:37:36 +0000 Subject: [PATCH 038/271] Mailman: improve post-update script --- roles/mailman/files/post-update.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/mailman/files/post-update.sh b/roles/mailman/files/post-update.sh index 616c1ef58d..b16d4dade0 100755 --- a/roles/mailman/files/post-update.sh +++ b/roles/mailman/files/post-update.sh 
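Review bot: `ks_url` and `ks_repo` in `host_vars/ask02.phx2.fedoraproject.org` point at `http://10.5.126.23/...`, so the kickstart file and the install tree for this guest are fetched without transport authentication or integrity protection; the `ask01`, `mailman01` and `mailman02` host_vars added later in the series do the same. The kickstart decides the package set and initial configuration of the machine, so its integrity matters as much as that of the playbooks. If the repo server can serve TLS, switching both values to `https://` closes this; otherwise a comment such as `# install network is isolated; kickstart served over plain http` would at least record the assumption being relied on.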
@@ -12,8 +12,7 @@ INDEXDIR=$BASEDIR/kittystore_search_index django-admin collectstatic --clear --noinput --pythonpath $CONFDIR --settings settings django-admin assets build --parse-templates --pythonpath $CONFDIR --settings settings -django-admin syncdb --pythonpath $CONFDIR --settings settings_admin -django-admin migrate --pythonpath $CONFDIR --settings settings_admin +django-admin syncdb --pythonpath $CONFDIR --settings settings_admin --noinput --migrate django-admin loaddata /etc/postorius/sites/default/initial-user.json --pythonpath $CONFDIR --settings settings_admin kittystore-updatedb --pythonpath $CONFDIR --settings settings_admin chown mailman:mailman -R $INDEXDIR From 2ef37ad7401bea5e57a8b487bc77af3b28094f56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 20 Jan 2014 18:47:46 +0000 Subject: [PATCH 039/271] Fix a YAML syntax problem --- playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index e770e7048c..6f53d04d3c 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -141,7 +141,7 @@ # owner=root group=root mode=0600 - name: send root mail to abompard - lineinfile: 'dest=/etc/aliases regexp=^root: line=root: abompard@fedoraproject.org' + lineinfile: dest=/etc/aliases regexp='^root:' line='root:\tabompard@fedoraproject.org' notify: - reload aliases From 51024371d36b6c00bfdae1ed6aac061c373936a3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 20 Jan 2014 18:55:55 +0000 Subject: [PATCH 040/271] Mailman: update the variable substitution syntax --- .../hosts/lists-dev.cloud.fedoraproject.org.yml | 2 +- roles/mailman/templates/apache-dummy.conf.j2 | 2 +- roles/mailman/templates/apache.conf.j2 | 12 ++++++------ roles/mailman/templates/mailman-hyperkitty.cfg.j2 | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 6f53d04d3c..ecf74c7b41 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -141,7 +141,7 @@ # owner=root group=root mode=0600 - name: send root mail to abompard - lineinfile: dest=/etc/aliases regexp='^root:' line='root:\tabompard@fedoraproject.org' + lineinfile: dest=/etc/aliases regexp='^root:' line="root:\tabompard@fedoraproject.org" notify: - reload aliases diff --git a/roles/mailman/templates/apache-dummy.conf.j2 b/roles/mailman/templates/apache-dummy.conf.j2 index 37da0c4354..584a4f036d 100644 --- a/roles/mailman/templates/apache-dummy.conf.j2 +++ b/roles/mailman/templates/apache-dummy.conf.j2 @@ -1 +1 @@ -# See ${mailman_webui_confdir} +# See {{ mailman_webui_confdir }} diff --git a/roles/mailman/templates/apache.conf.j2 b/roles/mailman/templates/apache.conf.j2 index 5cc06c5648..58f8a0c5c2 100644 --- a/roles/mailman/templates/apache.conf.j2 +++ b/roles/mailman/templates/apache.conf.j2 
@@ -1,18 +1,18 @@ -Alias /robots.txt ${mailman_webui_basedir}/static/hyperkitty/robots.txt -Alias /favicon.ico ${mailman_webui_basedir}/static/hyperkitty/favicon.ico -Alias /static ${mailman_webui_basedir}/static +Alias /robots.txt {{ mailman_webui_basedir }}/static/hyperkitty/robots.txt +Alias /favicon.ico {{ mailman_webui_basedir }}/static/hyperkitty/favicon.ico +Alias /static {{ mailman_webui_basedir }}/static #ErrorLog /var/log/httpd/webui_error.log #CustomLog /var/log/httpd/webui_access.log combined -WSGIScriptAlias / ${mailman_webui_confdir}/webui.wsgi +WSGIScriptAlias / {{ mailman_webui_confdir }}/webui.wsgi WSGIDaemonProcess webui display-name=webui maximum-requests=1000 processes=4 threads=4 WSGISocketPrefix run/wsgi WSGIRestrictStdout On WSGIRestrictSignal Off WSGIPythonOptimize 1 - + Order deny,allow Allow from all @@ -21,7 +21,7 @@ WSGIPythonOptimize 1 WSGIProcessGroup webui - + Order deny,allow Allow from all Require all granted diff --git a/roles/mailman/templates/mailman-hyperkitty.cfg.j2 b/roles/mailman/templates/mailman-hyperkitty.cfg.j2 index fb89efdf9e..b59c1f4689 100644 --- a/roles/mailman/templates/mailman-hyperkitty.cfg.j2 +++ b/roles/mailman/templates/mailman-hyperkitty.cfg.j2 @@ -9,4 +9,4 @@ [general] base_url: http://apps.stg.fedoraproject.org/lists -django_settings: ${mailman_webui_confdir}/settings.py +django_settings: {{ mailman_webui_confdir }}/settings.py From e5aad949140a3b9c483b551df78f33fae26a9514 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Mon, 20 Jan 2014 19:01:12 +0000 Subject: [PATCH 041/271] Add mailman01/02 to production. --- inventory/group_vars/mailman | 29 +++++++++++++++++++ .../mailman01.phx2.fedoraproject.org | 10 +++++++ .../mailman02.phx2.fedoraproject.org | 10 +++++++ inventory/inventory | 4 +++ playbooks/groups/mailman.yml | 8 ++--- 5 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 inventory/group_vars/mailman create mode 100644 inventory/host_vars/mailman01.phx2.fedoraproject.org create mode 100644 inventory/host_vars/mailman02.phx2.fedoraproject.org diff --git a/inventory/group_vars/mailman b/inventory/group_vars/mailman new file mode 100644 index 0000000000..51b55f1011 --- /dev/null +++ b/inventory/group_vars/mailman @@ -0,0 +1,29 @@ +--- +# common items for the releng-* boxes +lvm_size: 250000 +mem_size: 4096 +num_cpus: 2 +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +tcp_ports: [ 25, 80, 443 ] +fas_client_groups: sysadmin-tools,sysadmin-main + +# These are consumed by a task in roles/fedmsg_base/main.yml +fedmsg_certs: +- service: shell + owner: root + group: sysadmin +- service: mailman + owner: mailman + group: mailman + +# default virt install command is for a single nic-device +# define in another group file for more nics (see buildvm) +virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }} + --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} + --vcpus={{ num_cpus }} -l {{ ks_repo }} -x + "ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }} + gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0 + hostname={{ inventory_hostname }}" + --network=bridge=br0 --autostart --noautoconsole diff --git a/inventory/host_vars/mailman01.phx2.fedoraproject.org b/inventory/host_vars/mailman01.phx2.fedoraproject.org new file mode 100644 index 0000000000..e642df547c --- /dev/null 
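Review bot: The opening comment of `inventory/group_vars/mailman`, `# common items for the releng-* boxes`, looks copied from another group file and does not describe these hosts. Something like `# common items for the mailman production boxes` avoids sending a reader to the wrong group when they audit why `tcp_ports: [ 25, 80, 443 ]` and `fas_client_groups` are set as they are.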
+++ b/inventory/host_vars/mailman01.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-19 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/19/Fedora/x86_64/os/ +volgroup: /dev/vg_guests +eth0_ip: 10.5.126.36 +vmhost: virthost08.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/host_vars/mailman02.phx2.fedoraproject.org b/inventory/host_vars/mailman02.phx2.fedoraproject.org new file mode 100644 index 0000000000..03d3100633 --- /dev/null +++ b/inventory/host_vars/mailman02.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-19 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/19/Fedora/x86_64/os/ +volgroup: /dev/vg_guests00 +eth0_ip: 10.5.126.37 +vmhost: virthost07.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/inventory b/inventory/inventory index 7b8617f51a..f6c0e533c7 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -146,6 +146,10 @@ fedocal01.stg.phx2.fedoraproject.org [gallery-stg] gallery01.stg.phx2.fedoraproject.org +[mailman] +mailman01.phx2.fedoraproject.org +mailman02.phx2.fedoraproject.org + [mailman-stg] mailman01.stg.phx2.fedoraproject.org diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 25cee1a4af..81e65904a4 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -3,7 +3,7 @@ # NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars - name: make mailman server - hosts: mailman-stg + hosts: mailman-stg:mailman user: root gather_facts: False accelerate: True @@ -21,7 +21,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: make the box be real - hosts: mailman-stg + hosts: mailman-stg:mailman user: root gather_facts: True accelerate: True 
@@ -56,7 +56,7 @@ # Database setup - name: setup the database - hosts: db02.stg.phx2.fedoraproject.org + hosts: db02.stg.phx2.fedoraproject.org:db01.phx2.fedoraproject.org gather_facts: no sudo: yes sudo_user: postgres @@ -87,7 +87,7 @@ # Real MM/HK-specific work - name: setup mailman and hyperkitty - hosts: mailman-stg + hosts: mailman-stg:mailman user: root gather_facts: True From 023eded3774009b900a8fa9d139673b1fbe54232 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 20 Jan 2014 19:01:22 +0000 Subject: [PATCH 042/271] Fix a YAML syntax problem, at last --- playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index ecf74c7b41..2a0c5774ed 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -141,7 +141,7 @@ # owner=root group=root mode=0600 - name: send root mail to abompard - lineinfile: dest=/etc/aliases regexp='^root:' line="root:\tabompard@fedoraproject.org" + lineinfile: dest=/etc/aliases regexp='^root:' line="root:abompard@fedoraproject.org" notify: - reload aliases From dbe1e5df674ddbc4816f720b6872d45d1a4a7ed2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Mon, 20 Jan 2014 20:45:21 +0000 Subject: [PATCH 043/271] apply change to mock epel5 config mock in epel6 changed, and we need this change (takend from F20 config of mock) to successfuly build el5 package addressing: DEBUG util.py:281: error: cannot write to %sourcedir /usr/src/redhat/SOURCES --- files/copr/provision/files/mock/epel-5-i386.cfg | 2 +- files/copr/provision/files/mock/epel-5-x86_64.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/files/copr/provision/files/mock/epel-5-i386.cfg b/files/copr/provision/files/mock/epel-5-i386.cfg index e3d3f4c2bf..a8b03edf3f 100644 
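Review bot: Adding the production `mailman` group to the `setup mailman and hyperkitty` play brings those hosts under role parameters that, as of the earlier "parametrize the role" patch, hard-code `mailman_dbserver: db02.stg.phx2.fedoraproject.org` and a `mailman_postfix_mydestination` that includes `lists.stg.fedoraproject.org`. Unless these are overridden somewhere not shown, mailman01/02 in production would be pointed at the staging database server, mixing the two environments' data and credentials. Role parameters take precedence over inventory variables, so the fix is to drop those two lines from the `role:` entry and set them per group, e.g. `mailman_dbserver: db01.phx2.fedoraproject.org` in `inventory/group_vars/mailman`, matching the host this commit adds to the database play. The play body lies outside the hunk.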
--- a/files/copr/provision/files/mock/epel-5-i386.cfg +++ b/files/copr/provision/files/mock/epel-5-i386.cfg @@ -3,7 +3,7 @@ config_opts['target_arch'] = 'i386' config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst -config_opts['macros'] = {} +if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' config_opts['yum.conf'] = """ diff --git a/files/copr/provision/files/mock/epel-5-x86_64.cfg b/files/copr/provision/files/mock/epel-5-x86_64.cfg index a13cd4527a..0f59da54f6 100644 --- a/files/copr/provision/files/mock/epel-5-x86_64.cfg +++ b/files/copr/provision/files/mock/epel-5-x86_64.cfg @@ -3,7 +3,7 @@ config_opts['target_arch'] = 'x86_64' config_opts['legal_host_arches'] = ('x86_64',) config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst -config_opts['macros'] = {} +if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' config_opts['yum.conf'] = """ From 116e7006ec33175d3da649b37286034870ad2493 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Jan 2014 22:33:12 +0000 Subject: [PATCH 044/271] Add memcache sebool --- roles/ask/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/ask/tasks/main.yml b/roles/ask/tasks/main.yml index c02cb4cae7..84ef4fae04 100644 --- a/roles/ask/tasks/main.yml +++ b/roles/ask/tasks/main.yml @@ -25,6 +25,11 @@ state=true persistent=true +- name: set sebooleans so ask can talk to the memcache + action: seboolean name=httpd_can_network_memcache + state=true + persistent=true + - name: install askbot settings.py template template: > src={{ item }} dest="/etc/askbot/sites/ask/config/settings.py" 
From 1dc3f79b8607645fdbea5749ed4f766127e39663 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Jan 2014 22:58:53 +0000 Subject: [PATCH 045/271] Add ask01 to ansible too. --- files/hosts/ask01.phx2.fedoraproject.org-hosts | 7 +++++++ inventory/host_vars/ask01.phx2.fedoraproject.org | 10 ++++++++++ playbooks/groups/ask.yml | 4 ++-- 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 files/hosts/ask01.phx2.fedoraproject.org-hosts create mode 100644 inventory/host_vars/ask01.phx2.fedoraproject.org diff --git a/files/hosts/ask01.phx2.fedoraproject.org-hosts b/files/hosts/ask01.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..a5ea2bd3e7 --- /dev/null +++ b/files/hosts/ask01.phx2.fedoraproject.org-hosts @@ -0,0 +1,7 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.23 infrastructure.fedoraproject.org + +10.5.126.71 db-ask diff --git a/inventory/host_vars/ask01.phx2.fedoraproject.org b/inventory/host_vars/ask01.phx2.fedoraproject.org new file mode 100644 index 0000000000..7bf45af874 --- /dev/null +++ b/inventory/host_vars/ask01.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/vg_guests00 +eth0_ip: 10.5.126.79 +vmhost: virthost06.phx2.fedoraproject.org +datacenter: phx2 diff --git a/playbooks/groups/ask.yml b/playbooks/groups/ask.yml index daab06a82f..dd36b743d0 100644 --- a/playbooks/groups/ask.yml +++ b/playbooks/groups/ask.yml @@ -1,5 +1,5 @@ - name: make ask - hosts: ask-stg:ask02.phx2.fedoraproject.org + hosts: ask-stg:ask user: root gather_facts: False accelerate: True 
@@ -17,7 +17,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: make the box be real - hosts: ask-stg:ask02.phx2.fedoraproject.org + hosts: ask-stg:ask user: root gather_facts: True accelerate: True From dce6baa832b8ffbeb6192e8fff7295c246327de0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 20 Jan 2014 23:44:40 +0000 Subject: [PATCH 046/271] Hacky workaround for icon issue with fedora openid --- roles/ask/files/util.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/ask/files/util.py b/roles/ask/files/util.py index f05295a43c..ae9a1fb457 100644 --- a/roles/ask/files/util.py +++ b/roles/ask/files/util.py @@ -397,8 +397,8 @@ def get_enabled_major_login_providers(): 'name': 'fasopenid', 'display_name': 'FAS-OpenID', 'type': 'openid-direct', - 'icon_media_path': '/jquery-openid/images/fedora-openid.png', - 'openid_endpoint': 'http://id.fedoraproject.org/', + 'icon_media_path': 'https://fedoraproject.org/w/uploads/d/d6/Guidelines-fedora-logo.jpg', + 'openid_endpoint': 'https://id.fedoraproject.org/', } From e6c2d426b367ad2e5529af7f29c25161000c1060 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 21 Jan 2014 00:28:17 +0000 Subject: [PATCH 047/271] Add some more sebooleans for ask --- roles/ask/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/ask/tasks/main.yml b/roles/ask/tasks/main.yml index 84ef4fae04..512e8853cd 100644 --- a/roles/ask/tasks/main.yml +++ b/roles/ask/tasks/main.yml @@ -30,6 +30,16 @@ state=true persistent=true +- name: set sebooleans so ask can talk to fedmsg + action: seboolean name=allow_httpd_sys_script_anon_write + state=true + persistent=true + +- name: set sebooleans so ask can talk to fedmsg + action: seboolean name=allow_ypbind + state=true + persistent=true + - name: install askbot settings.py template template: > src={{ item }} dest="/etc/askbot/sites/ask/config/settings.py" From 9457dd2760d94926c4af4cc64073e16a05dd1ef7 Mon Sep 17 00:00:00 2001 
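Review bot: Both new tasks carry the same name, `set sebooleans so ask can talk to fedmsg`, and the second turns on `allow_ypbind`, which is a very broad boolean: it exists for NIS clients and relaxes network port restrictions for many confined domains, not only for httpd. `allow_httpd_sys_script_anon_write` likewise lets httpd scripts write to anything labelled `public_content_rw_t`. If fedmsg only needs httpd to open outbound connections, `httpd_can_network_connect` is the narrower switch, and if it has to bind its own ports a small local policy module for those ports keeps the rest of the system confined. At minimum give the tasks distinct names and a comment recording which denial each boolean was added for, so they can be removed when no longer needed.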
From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Tue, 21 Jan 2014 13:50:29 +0000 Subject: [PATCH 048/271] add dist tag and rhel7 to el7 mock config --- files/copr/provision/files/mock/epel-7-x86_64.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/files/copr/provision/files/mock/epel-7-x86_64.cfg b/files/copr/provision/files/mock/epel-7-x86_64.cfg index 56f08bdee2..eeee2d831e 100644 --- a/files/copr/provision/files/mock/epel-7-x86_64.cfg +++ b/files/copr/provision/files/mock/epel-7-x86_64.cfg @@ -6,6 +6,9 @@ config_opts['legal_host_arches'] = ('x86_64',) config_opts['chroot_setup_cmd'] = 'install bash bzip2 coreutils cpio diffutils findutils gawk gcc gcc-c++ grep gzip info make patch redhat-release-server redhat-rpm-config rpm-build sed shadow-utils tar unzip util-linux which xz' config_opts['dist'] = 'el7' # only useful for --resultdir variable subst config_opts['macros'] = {} +config_opts['macros']['%dist'] = '.el7' +config_opts['macros']['%rhel'] = '7' +config_opts['macros']['%el7'] = '1' config_opts['macros']['%_topdir'] = '/builddir/build' config_opts['macros']['%_rpmfilename'] = '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm' From 7b8a7104bfd428bf0d022662d293c0dd04d877a6 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 21 Jan 2014 17:59:52 +0000 Subject: [PATCH 049/271] Add a askbot hotfix file. --- roles/ask/files/cancel.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 roles/ask/files/cancel.py diff --git a/roles/ask/files/cancel.py b/roles/ask/files/cancel.py new file mode 100644 index 0000000000..f13d8d697a --- /dev/null +++ b/roles/ask/files/cancel.py 
@@ -0,0 +1,14 @@ +from django.http import HttpResponseRedirect +from askbot.utils.forms import get_next_url +class CancelActionMiddleware(object): + def process_view(self, request, view_func, view_args, view_kwargs): + if 'cancel' in request.REQUEST: + #todo use session messages for the anonymous users + try: + msg = getattr(view_func,'CANCEL_MESSAGE') + except AttributeError: + msg = 'action canceled' + request.user.message_set.create(message=msg) + return HttpResponseRedirect(get_next_url(request)) + else: + return None From da98f8f0f383346937937f692eb5888c7ba9e553 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 21 Jan 2014 18:00:36 +0000 Subject: [PATCH 050/271] Try a hotfix for the broken feedback issue. --- roles/ask/files/cancel.py | 2 +- roles/ask/tasks/main.yml | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/roles/ask/files/cancel.py b/roles/ask/files/cancel.py index f13d8d697a..ac2f3ded54 100644 --- a/roles/ask/files/cancel.py +++ b/roles/ask/files/cancel.py @@ -8,7 +8,7 @@ class CancelActionMiddleware(object): msg = getattr(view_func,'CANCEL_MESSAGE') except AttributeError: msg = 'action canceled' - request.user.message_set.create(message=msg) + request.user.message_set.create(message=unicode(msg)) return HttpResponseRedirect(get_next_url(request)) else: return None diff --git a/roles/ask/tasks/main.yml b/roles/ask/tasks/main.yml index 512e8853cd..c875688abc 100644 --- a/roles/ask/tasks/main.yml +++ b/roles/ask/tasks/main.yml @@ -167,3 +167,16 @@ - files notify: - restart httpd + +# +# fix for feedback +# + +- name: HOTFIX askbot/middleware/cancel.py + copy: > + src=cancel.py dest=/usr/lib/python2.6/site-packages/askbot/middleware/cancel.py + owner=root group=root mode=0644 + tags: + - files + notify: + - restart httpd From c47880a60f0ab75178ae242c2960d24c7666e5bf Mon Sep 17 00:00:00 2001 
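Review bot: `request.user.message_set.create(message=msg)` runs for every request that carries `cancel`, and the todo above it suggests anonymous users are not handled yet, so an unauthenticated request may end in an error instead of the redirect. A guard such as `if request.user.is_authenticated():` around the `create` call would keep the redirect working for them. The redirect target comes from `get_next_url(request)`, which is imported from outside this file; it is worth confirming that the helper only returns same-site URLs.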
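Review bot: The `HOTFIX askbot/middleware/cancel.py` task overwrites a file that belongs to the installed askbot package, at a hard-coded `python2.6` path, and nothing records which upstream change it mirrors or when it can be removed. A package update will replace the file until the next playbook run, and once upstream is fixed this task will put the old copy back over the corrected one. A comment above the task, such as `# HOTFIX for <upstream issue>; remove once askbot >= <fixed version> is deployed`, would make that visible.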
From: Kevin Fenzi Date: Tue, 21 Jan 2014 18:11:35 +0000 Subject: [PATCH 051/271] Add some languages to staging to test --- roles/ask/templates/settings.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index e24475b0aa..524791c5ac 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -251,12 +251,14 @@ CACHES = { } gettext = lambda s: s LANGUAGES = ( + ('pt-BR', gettext('Brazilian Portuguese')), ('es', gettext('Spanish')), ('en', gettext('English')), ('ru', gettext('Russian')), ('zh-tw', gettext('Chinese')), ('fr', gettext('French')), ('el', gettext('Greek')), + ('id', gettext('Indonesia')), ) {% else %} DOMAIN_NAME = 'ask.fedoraproject.org' From 3a196043c69afebbebb2249d25afaa578af2bc3f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 21 Jan 2014 18:16:25 +0000 Subject: [PATCH 052/271] It's lower case br --- roles/ask/templates/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 524791c5ac..13707c57cc 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -251,7 +251,7 @@ CACHES = { } gettext = lambda s: s LANGUAGES = ( - ('pt-BR', gettext('Brazilian Portuguese')), + ('pt-br', gettext('Brazilian Portuguese')), ('es', gettext('Spanish')), ('en', gettext('English')), ('ru', gettext('Russian')), From 821aae53667724409cfc2541b9f2924507f36323 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Tue, 21 Jan 2014 19:27:36 +0000 Subject: [PATCH 053/271] Setup basic lockbox-comm01.qa instance. --- inventory/group_vars/lockbox | 9 ++++ .../lockbox-comm01.qa.fedoraproject.org | 10 +++++ inventory/inventory | 3 ++ playbooks/groups/lockbox.yml | 45 +++++++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 inventory/group_vars/lockbox create mode 100644 inventory/host_vars/lockbox-comm01.qa.fedoraproject.org create mode 100644 playbooks/groups/lockbox.yml diff --git a/inventory/group_vars/lockbox b/inventory/group_vars/lockbox new file mode 100644 index 0000000000..7c82a435ae --- /dev/null +++ b/inventory/group_vars/lockbox @@ -0,0 +1,9 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 2048 +num_cpus: 2 + +tcp_ports: [ 443 ] + +fas_client_groups: sysadmin-noc,sysadmin-qa,fi-apprentice diff --git a/inventory/host_vars/lockbox-comm01.qa.fedoraproject.org b/inventory/host_vars/lockbox-comm01.qa.fedoraproject.org new file mode 100644 index 0000000000..38ae35c563 --- /dev/null +++ b/inventory/host_vars/lockbox-comm01.qa.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.124.254 +dns: 10.5.124.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/Guests00 +eth0_ip: 10.5.124.210 +vmhost: virthost-comm01.qa.fedoraproject.org +datacenter: phx2 diff --git a/inventory/inventory b/inventory/inventory index f6c0e533c7..bcd63b9e6d 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -251,6 +251,9 @@ dhcp01.phx2.fedoraproject.org noc01.phx2.fedoraproject.org noc02.fedoraproject.org +[lockbox] +lockbox-comm01.qa.fedoraproject.org + [nagios] noc01.phx2.fedoraproject.org noc02.fedoraproject.org diff --git a/playbooks/groups/lockbox.yml b/playbooks/groups/lockbox.yml new file mode 100644 index 0000000000..c2ecaf5933 --- /dev/null +++ b/playbooks/groups/lockbox.yml 
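Review bot: `fas_client_groups` in `inventory/group_vars/lockbox` lists `fi-apprentice` next to the two sysadmin groups. If this variable decides who gets a login on the host, as the name suggests, that is a wide audience for a group called lockbox, which a later patch in this series also gives the `ansible-server` role. `fas_client_groups: sysadmin-noc,sysadmin-qa` would keep access to the admin groups. If the wider access is intended, a comment in the file saying so would help the next reader.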
@@ -0,0 +1,45 @@ +- name: make lockbox + hosts: lockbox + user: root + gather_facts: False + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - include: "{{ tasks }}/virt_instance_create.yml" + - include: "{{ tasks }}/accelerate_prep.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + +- name: make the box be real + hosts: lockbox + user: root + gather_facts: True + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - /srv/web/infra/ansible/roles/base + - /srv/web/infra/ansible/roles/rkhunter + - /srv/web/infra/ansible/roles/denyhosts + - /srv/web/infra/ansible/roles/nagios_client + - /srv/web/infra/ansible/roles/fas_client + + tasks: + - include: "{{ tasks }}/hosts.yml" + - include: "{{ tasks }}/yumrepos.yml" + - include: "{{ tasks }}/2fa_client.yml" + - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/sudo.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" From 2e909f82054f7b7eada2bcb757adff0bdbc40906 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 21 Jan 2014 19:35:55 +0000 Subject: [PATCH 054/271] Add pt-br to production askbot. --- roles/ask/templates/settings.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 13707c57cc..ef9b1a9e0d 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -258,7 +258,7 @@ LANGUAGES = ( ('zh-tw', gettext('Chinese')), ('fr', gettext('French')), ('el', gettext('Greek')), - ('id', gettext('Indonesia')), + ('id', gettext('Indonesian')), ) {% else %} DOMAIN_NAME = 'ask.fedoraproject.org' 
@@ -275,6 +275,7 @@ gettext = lambda s: s LANGUAGES = ( ('es', gettext('Spanish')), ('en', gettext('English')), + ('pt-br', gettext('Brazilian Portuguese')), ) {% endif %} From 693f1ca2d06fc8a6c332b56d8d5d0e39dc8d5d9e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 21 Jan 2014 19:55:59 +0000 Subject: [PATCH 055/271] Add ansible-server role --- playbooks/groups/lockbox.yml | 4 +--- roles/ansible-server/tasks/main.yml | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) create mode 100644 roles/ansible-server/tasks/main.yml diff --git a/playbooks/groups/lockbox.yml b/playbooks/groups/lockbox.yml index c2ecaf5933..979dd682bc 100644 --- a/playbooks/groups/lockbox.yml +++ b/playbooks/groups/lockbox.yml @@ -2,7 +2,6 @@ hosts: lockbox user: root gather_facts: False - accelerate: True vars_files: - /srv/web/infra/ansible/vars/global.yml @@ -11,7 +10,6 @@ tasks: - include: "{{ tasks }}/virt_instance_create.yml" - - include: "{{ tasks }}/accelerate_prep.yml" handlers: - include: "{{ handlers }}/restart_services.yml" @@ -20,7 +18,6 @@ hosts: lockbox user: root gather_facts: True - accelerate: True vars_files: - /srv/web/infra/ansible/vars/global.yml @@ -33,6 +30,7 @@ - /srv/web/infra/ansible/roles/denyhosts - /srv/web/infra/ansible/roles/nagios_client - /srv/web/infra/ansible/roles/fas_client + - /srv/web/infra/ansible/roles/ansible-server tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/roles/ansible-server/tasks/main.yml b/roles/ansible-server/tasks/main.yml new file mode 100644 index 0000000000..ab7f2d9951 --- /dev/null +++ b/roles/ansible-server/tasks/main.yml @@ -0,0 +1,18 @@ +--- +# +# Setup ansible-server instance +# +- name: install needed packages + yum: pkg={{ item }} state=installed + with_items: + - ansible + - git + tags: + - packages + +# +# TODO: +# cgit? +# rbac-playbook? +# zodbot notifications? +# From 7c40bb7e8abc776fed2b56664e5ecbf2568ec1a0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Wed, 22 Jan 2014 10:38:43 +0000 Subject: [PATCH 056/271] lists-dev: setenforce and fix aliases perms --- playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 3 ++- roles/mailman/tasks/main.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 2a0c5774ed..5ca0caf0be 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -37,7 +37,7 @@ action: mount name=/srv/persist src='LABEL=lists-dev' fstype=ext4 state=mounted - name: selinux status - selinux: policy=targeted state=permissive + selinux: policy=targeted state=enforcing # /srv/persist - name: mount up bind mount for postgres @@ -133,6 +133,7 @@ with_items: - tar - mailman # transition from mailman2.1 + - vim tags: - packages diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml index 9e41f69b4f..163f94fe6a 100644 --- a/roles/mailman/tasks/main.yml +++ b/roles/mailman/tasks/main.yml @@ -225,7 +225,8 @@ - restart postfix - name: create the postfix aliases - command: mailman3 aliases + command: sudo -u mailman mailman3 aliases + creates=/var/lib/mailman3/data/postfix_lmtp.db # Memcached - name: set the memcached sysconfig file From ea1dc270769c029d25622c9fc9a7f576e2d89a48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Wed, 22 Jan 2014 15:44:29 +0000 Subject: [PATCH 057/271] deploy real cers on copr-be --- files/copr/lighttpd/lighttpd.conf | 4 ++-- .../hosts/copr-be.cloud.fedoraproject.org.yml | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/files/copr/lighttpd/lighttpd.conf b/files/copr/lighttpd/lighttpd.conf index e154917436..5574eba646 100644 --- a/files/copr/lighttpd/lighttpd.conf +++ b/files/copr/lighttpd/lighttpd.conf 
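Review bot: Writing the task as `command: sudo -u mailman mailman3 aliases` hides the user switch inside the command string and depends on sudo being installed and usable without a tty on the target. The task-level keywords say the same thing more visibly: keep `command: mailman3 aliases creates=/var/lib/mailman3/data/postfix_lmtp.db` and add `sudo: yes` and `sudo_user: mailman` to the task. The `creates=` guard is a good addition, though it may also mean the aliases are not rebuilt on later runs, which is worth confirming.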
@@ -448,8 +448,8 @@ server.upload-dirs = ( "/var/tmp" ) $SERVER["socket"] == ":443" { ssl.engine = "enable" - ssl.pemfile = "/etc/lighttpd/copr-be.pem" - ssl.ca-file = "/etc/lighttpd/copr-be.crt" + ssl.pemfile = "/etc/lighttpd/coprs-be.fedoraproject.org.pem" + ssl.ca-file = "/etc/lighttpd/coprs-be.fedoraproject.org.crt" ssl.disable-client-renegotiation = "enable" ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" } diff --git a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml index 712cf58026..91e2d19cc0 100644 --- a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml @@ -102,6 +102,16 @@ notify: - restart lighttpd + - name: copy httpd ssl certificates + action: copy src="{{ puppet_private }}/httpd/{{ item }}" dest="/etc/lighttpd/{{ item }}" owner=root group=root mode=0600 + with_items: + - coprs-be.fedoraproject.org.key + - coprs-be.fedoraproject.org.crt + notify: + - concate ssl certs + tags: + - config + # mime default to text/plain and enable dirlisting for indexes - name: update lighttpd configs action: copy src="{{ files }}/copr/lighttpd/{{ item }}" dest="/etc/lighttpd/conf.d/{{ item }}" owner=root group=root mode=0644 @@ -191,3 +201,10 @@ handlers: - include: "{{ handlers }}/restart_services.yml" + - name: concate ssl certs + action: command cat /etc/lighttpd/coprs-be.fedoraproject.org.key /etc/lighttpd/coprs-be.fedoraproject.org.key > /etc/lighttpd/coprs-be.fedoraproject.org.pem + notify: + - chmod_key + - restart lighttpd + - name: chmod_key + action: file path=/etc/lighttpd/coprs-be.fedoraproject.org.pem owner=root group=root mode=0600 From b4ea2a7bcd07f9ebe6d68b62c57be2f671a9fbda Mon Sep 17 00:00:00 2001 
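Review bot: The `concate ssl certs` handler will not build the pem file. The `command` module does not run its arguments through a shell, so `>` and the target path reach `cat` as plain arguments, and the key file is listed twice where the certificate should follow it. Use `shell`, and set the umask on the same line so the combined key is never created with default permissions before `chmod_key` runs: `action: shell umask 077 && cat /etc/lighttpd/coprs-be.fedoraproject.org.key /etc/lighttpd/coprs-be.fedoraproject.org.crt > /etc/lighttpd/coprs-be.fedoraproject.org.pem`. PATCH 063 later in this series corrects the second file name but keeps `command`, so the same point applies to that hunk.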
From: Ralph Bean Date: Wed, 22 Jan 2014 16:06:41 +0000 Subject: [PATCH 058/271] Cache settings for the fmn backend. --- roles/notifs-backend/templates/fmn.consumer.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/notifs-backend/templates/fmn.consumer.py b/roles/notifs-backend/templates/fmn.consumer.py index 29548795da..a458ee6a77 100644 --- a/roles/notifs-backend/templates/fmn.consumer.py +++ b/roles/notifs-backend/templates/fmn.consumer.py @@ -22,6 +22,18 @@ config = { "fmn.consumer.enabled": True, "fmn.sqlalchemy.uri": "postgresql://${notifs_db_user}:${notifs_db_password}@db-notifs/notifications", + # Some configuration for the rule processors + "fmn.rules.utils.use_pkgdb2": False, + "fmn.rules.utils.pkgdb2_api_url": "http://209.132.184.188/api/", + "fmn.rules.cache": { + "backend": "dogpile.cache.dbm", + "expiration_time": 300, + "arguments": { + "filename": "/var/tmp/fmn-cache.dbm", + }, + }, + + ## Backend stuff ## # Email "fmn.email.mailserver": "bastion01.phx2.fedoraproject.org:25", From 782e80bc50237c66b3ffd47f5c1cbcc0a603e01e Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 22 Jan 2014 16:12:24 +0000 Subject: [PATCH 059/271] Modernize vars in fmn roles. --- roles/notifs-backend/templates/fmn.consumer.py | 2 +- roles/notifs-frontend/templates/fmn.web.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/notifs-backend/templates/fmn.consumer.py b/roles/notifs-backend/templates/fmn.consumer.py index a458ee6a77..be03d2038d 100644 --- a/roles/notifs-backend/templates/fmn.consumer.py +++ b/roles/notifs-backend/templates/fmn.consumer.py @@ -20,7 +20,7 @@ config = { # Consumer stuff "fmn.consumer.enabled": True, - "fmn.sqlalchemy.uri": "postgresql://${notifs_db_user}:${notifs_db_password}@db-notifs/notifications", + "fmn.sqlalchemy.uri": "postgresql://{{notifs_db_user}}:{{notifs_db_password}}@db-notifs/notifications", # Some configuration for the rule processors "fmn.rules.utils.use_pkgdb2": False, 
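Review bot: `"filename": "/var/tmp/fmn-cache.dbm"` puts the rule cache at a fixed name in a world-writable directory, so any local account can create that file before the consumer does, and the consumer would then read whatever it holds. A path inside a directory owned by the service user avoids that, e.g. `"filename": "/var/cache/fmn/fmn-cache.dbm"` (a constructed path; the role would have to create the directory). Separately, `fmn.rules.utils.pkgdb2_api_url` is a plain-http URL to a bare IP address. It is switched off by `use_pkgdb2: False` today, but an https hostname would be the safer value to leave in place for when it is enabled.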
diff --git a/roles/notifs-frontend/templates/fmn.web.py b/roles/notifs-frontend/templates/fmn.web.py index 0a05901ca9..8697214a7f 100644 --- a/roles/notifs-frontend/templates/fmn.web.py +++ b/roles/notifs-frontend/templates/fmn.web.py @@ -1,3 +1,3 @@ config = { - "fmn.sqlalchemy.uri": "postgresql://${notifs_db_user}:${notifs_db_password}@db-notifs/notifications", + "fmn.sqlalchemy.uri": "postgresql://{{notifs_db_user}}:{{notifs_db_password}}@db-notifs/notifications", } From c323027b81a86728a206a6272dfe734dab5b60cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Wed, 22 Jan 2014 16:32:10 +0000 Subject: [PATCH 060/271] add coprs admin to .forward --- files/copr/forward | 3 +++ 1 file changed, 3 insertions(+) diff --git a/files/copr/forward b/files/copr/forward index da96eddab2..5f68f7ad39 100644 --- a/files/copr/forward +++ b/files/copr/forward @@ -1 +1,4 @@ msuchy+coprmachine@redhat.com +kevin@scrye.com +nb@fedoraproject.org +sgallagh@redhat.com From ec955a7b2e446d186bd761be76fca5ba6a499679 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Wed, 22 Jan 2014 16:35:00 +0000 Subject: [PATCH 061/271] add patched scl-utils to builder repo --- files/copr/provision/files/builder.repo | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/files/copr/provision/files/builder.repo b/files/copr/provision/files/builder.repo index accab91d11..f90e909422 100644 --- a/files/copr/provision/files/builder.repo +++ b/files/copr/provision/files/builder.repo @@ -12,3 +12,12 @@ baseurl=http://172.16.5.4/results/msuchy/Mock/epel-6-$basearch/ skip_if_unavailable=True gpgcheck=0 enabled=1 + +[msuchy-scl-utils] +name=Copr repo for scl-utils owned by msuchy +description=scl-utils with patch from https://bugzilla.redhat.com/show_bug.cgi?id=985233 +baseurl=http://172.16.5.4/results/msuchy/scl-utils/epel-6-$basearch/ +skip_if_unavailable=True +gpgcheck=0 +enabled=1 + From 72e1714301397362783e61784f98be3793c54980 Mon Sep 17 00:00:00 2001 
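Review bot: The new `[msuchy-scl-utils]` section sets `gpgcheck=0` on an `http://` baseurl, so the builders install a patched `scl-utils` with neither signature checking nor transport integrity, and presumably use it during builds. Signing the repo and setting `gpgcheck=1` with `gpgkey=<URL of the repo signing key>` would close that gap. If signing is not available yet, a comment stating that the repo is trusted only because 172.16.5.4 is on the internal network would at least record the assumption. The section above it in the same file carries the same setting.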
From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Wed, 22 Jan 2014 16:39:08 +0000 Subject: [PATCH 062/271] add missing handlers --- playbooks/hosts/copr-be.cloud.fedoraproject.org.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml index 91e2d19cc0..bc4566d4a5 100644 --- a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml @@ -208,3 +208,7 @@ - restart lighttpd - name: chmod_key action: file path=/etc/lighttpd/coprs-be.fedoraproject.org.pem owner=root group=root mode=0600 + - name: restart copr-backend + action: service: name=copr-backend state=restarted + - name: restart lighttpd + action: service: name=lighttpd state=restarted From 95f02d899038611c1ea7e9a9677f1ec409be3bbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Wed, 22 Jan 2014 19:23:43 +0000 Subject: [PATCH 063/271] fix ownership of copr-be.conf and typo in generating pem file --- playbooks/hosts/copr-be.cloud.fedoraproject.org.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml index bc4566d4a5..4cd9919400 100644 --- a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml @@ -169,7 +169,7 @@ - provision_config - name: copy copr-be.conf - template: src="{{ files }}/copr/copr-be.conf" dest=/etc/copr/copr-be.conf mode=640 + template: src="{{ files }}/copr/copr-be.conf" dest=/etc/copr/copr-be.conf owner=root group=copr mode=640 notify: - restart copr-backend tags: 
@@ -202,7 +202,7 @@ handlers: - include: "{{ handlers }}/restart_services.yml" - name: concate ssl certs - action: command cat /etc/lighttpd/coprs-be.fedoraproject.org.key /etc/lighttpd/coprs-be.fedoraproject.org.key > /etc/lighttpd/coprs-be.fedoraproject.org.pem + action: command cat /etc/lighttpd/coprs-be.fedoraproject.org.key /etc/lighttpd/coprs-be.fedoraproject.org.crt > /etc/lighttpd/coprs-be.fedoraproject.org.pem notify: - chmod_key - restart lighttpd From dfd57eb6ce354f14c29e81f5e11355d0aea731de Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Jan 2014 20:13:53 +0000 Subject: [PATCH 064/271] Enable greek and indonesian on ask.fedora production site --- roles/ask/templates/settings.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index ef9b1a9e0d..6d9d4803ac 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -276,6 +276,8 @@ LANGUAGES = ( ('es', gettext('Spanish')), ('en', gettext('English')), ('pt-br', gettext('Brazilian Portuguese')), + ('id', gettext('Indonesian')), + ('el', gettext('Greek')), ) {% endif %} From ffcff93ce8453c20e264073c40c9c7592cb52738 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Jan 2014 20:32:05 +0000 Subject: [PATCH 065/271] Add check diff to ansible logging --- callback_plugins/logdetail.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/callback_plugins/logdetail.py b/callback_plugins/logdetail.py index 45b3b6e345..9fcc2528a8 100644 --- a/callback_plugins/logdetail.py +++ b/callback_plugins/logdetail.py 
@@ -133,7 +133,9 @@ class LogMech(object): if category == 'OK' and data.get('changed', False): category = 'CHANGED' - if self.play_info.get('check', False): + if self.play_info.get('check', False) and self.play_info.get('diff', False): + category = 'CHECK DIFF:' + category + elif self.play_info.get('check', False): category = 'CHECK:' + category fd = open(self.logpath_play + '/' + host + '.log', 'a') @@ -258,6 +260,7 @@ class CallbackModule(object): pb_info['inventory'] = play.playbook.inventory.host_list pb_info['playbook_checksum'] = utils.md5(path) pb_info['check'] = play.playbook.check + pb_info['diff'] = play.playbook.diff logmech.play_log(json.dumps(pb_info, indent=4)) self._play_count += 1 @@ -268,6 +271,7 @@ class CallbackModule(object): info['transport'] = play.transport info['number'] = self._play_count info['check'] = play.playbook.check + info['diff'] = play.playbook.diff logmech.play_info = info logmech.play_log(json.dumps(info, indent=4)) From 474fef86618ccf71a6d6d482cd440695f1975ec5 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 22 Jan 2014 20:47:56 +0000 Subject: [PATCH 066/271] Try to silence fedmsg for --check runs. --- callback_plugins/fedmsg_callback.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/callback_plugins/fedmsg_callback.py b/callback_plugins/fedmsg_callback.py index 3a892fe769..b7d4025405 100644 --- a/callback_plugins/fedmsg_callback.py +++ b/callback_plugins/fedmsg_callback.py @@ -53,6 +53,10 @@ class CallbackModule(object): # figure out where the playbook FILE is path = os.path.abspath(play.playbook.filename) + # Bail out early without publishing if we're in --check mode + if play.playbook.check: + return + if not self.playbook: fedmsg.publish( modname="ansible", topic="playbook.start", 
@@ -68,6 +72,9 @@ class CallbackModule(object): self.playbook = path def playbook_on_stats(self, stats): + if not self.playbook: + return + results = dict([(h, stats.summarize(h)) for h in stats.processed]) fedmsg.publish( modname="ansible", topic="playbook.complete", From 5a58c171f8f8f47893794ed40bf455d68a111938 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Jan 2014 21:16:39 +0000 Subject: [PATCH 067/271] Lets make this a _ to be nicer --- callback_plugins/logdetail.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/callback_plugins/logdetail.py b/callback_plugins/logdetail.py index 9fcc2528a8..06c4bf8ccb 100644 --- a/callback_plugins/logdetail.py +++ b/callback_plugins/logdetail.py @@ -134,7 +134,7 @@ class LogMech(object): category = 'CHANGED' if self.play_info.get('check', False) and self.play_info.get('diff', False): - category = 'CHECK DIFF:' + category + category = 'CHECK_DIFF:' + category elif self.play_info.get('check', False): category = 'CHECK:' + category From 1a1f1fb2cace36286253e41cf1505f526de2d1a2 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Jan 2014 21:50:52 +0000 Subject: [PATCH 068/271] Try to clean this up so it doesn't show failed or changed when it isn't --- tasks/growroot_cloud.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/growroot_cloud.yml b/tasks/growroot_cloud.yml index e5e15a1413..1a4e9e5637 100644 --- a/tasks/growroot_cloud.yml +++ b/tasks/growroot_cloud.yml @@ -10,14 +10,14 @@ - packages - name: growpart the second partition (/) to full size - action: command growpart /dev/vda 2 - ignore_errors: true + command: growpart /dev/vda 2 register: growpart always_run: true changed_when: "growpart.rc != 1" + failed_when: "growpart.rc = 2" - name: reboot the box - action: command /sbin/reboot + command: /sbin/reboot when: growpart.rc == 0 ignore_errors: true 
@@ -26,5 +26,5 @@ when: growpart.rc == 0 - name: resize the /dev/vda 2 fs - action: command resize2fs /dev/vda2 + command: resize2fs /dev/vda2 when: growpart.rc == 0 From 18ec0ff1328d109fce5075c2806724d687107ea9 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Jan 2014 21:51:53 +0000 Subject: [PATCH 069/271] equality --- tasks/growroot_cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/growroot_cloud.yml b/tasks/growroot_cloud.yml index 1a4e9e5637..86c89cf198 100644 --- a/tasks/growroot_cloud.yml +++ b/tasks/growroot_cloud.yml @@ -14,7 +14,7 @@ register: growpart always_run: true changed_when: "growpart.rc != 1" - failed_when: "growpart.rc = 2" + failed_when: growpart.rc == 2 - name: reboot the box command: /sbin/reboot From 957851378e51d49109cae3016f1aec799c11db62 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 22 Jan 2014 21:53:50 +0000 Subject: [PATCH 070/271] Fix up these too. --- playbooks/f19_temp_instance.yml | 3 ++- playbooks/f20_temp_instance.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/playbooks/f19_temp_instance.yml b/playbooks/f19_temp_instance.yml index 08c95144c8..6a41071a96 100644 --- a/playbooks/f19_temp_instance.yml +++ b/playbooks/f19_temp_instance.yml @@ -31,9 +31,10 @@ tasks: - name: growpart /dev/vda1 partition (/) to full size action: command growpart /dev/vda 1 - ignore_errors: true register: growpart + always_run: true changed_when: "growpart.rc != 1" + failed_when: growpart.rc == 2 - name: resize the /dev/vda 1 fs action: command resize2fs /dev/vda1 diff --git a/playbooks/f20_temp_instance.yml b/playbooks/f20_temp_instance.yml index c2b4a1a865..9f4c4a7b93 100644 --- a/playbooks/f20_temp_instance.yml +++ b/playbooks/f20_temp_instance.yml 
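Review bot: Adding `always_run: true` to the `growpart /dev/vda 1` task in `f19_temp_instance.yml` makes it execute under `--check` as well, and growpart rewrites the partition table whenever there is room to grow, so a dry run is no longer free of side effects. I would drop `always_run: true` here. Where a later task tests the result, `when: growpart.rc is defined and growpart.rc == 0` should keep check mode working. The same line is added in the `f20_temp_instance.yml` hunk that follows.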
@@ -31,9 +31,10 @@ tasks: - name: growpart /dev/vda1 partition (/) to full size action: command growpart /dev/vda 1 - ignore_errors: true register: growpart + always_run: true changed_when: "growpart.rc != 1" + failed_when: growpart.rc == 2 - name: resize the /dev/vda 1 fs action: command resize2fs /dev/vda1 From a692918cbb40c91be103e4efc71bdeb14ab6adb2 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 23 Jan 2014 01:51:05 +0000 Subject: [PATCH 071/271] Supply fas credentials to the fmn backend. ..so that it can build a cache of fas usernames to ircnicks. --- roles/notifs-backend/templates/fmn.consumer.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/notifs-backend/templates/fmn.consumer.py b/roles/notifs-backend/templates/fmn.consumer.py index be03d2038d..fe361348ca 100644 --- a/roles/notifs-backend/templates/fmn.consumer.py +++ b/roles/notifs-backend/templates/fmn.consumer.py @@ -33,6 +33,12 @@ config = { }, }, + # The notification backend uses this to build a fas cache of ircnicks + # to fas usernames so it can act appropriately on certain message types. + "fas_credentials": { + "username": "{{fedoraDummyUser}}", + "password": "{{fedoraDummyUserPassword}}", + }, ## Backend stuff ## # Email From 3b4edc4adef1275fa0a335d8a29ef67d1107d822 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Thu, 23 Jan 2014 12:13:03 +0000 Subject: [PATCH 072/271] fine tune SpareServers on copr-fe and allow server-status so I can see what is happening there --- files/copr/copr-be.conf | 2 +- files/copr/fe/httpd/coprs.conf | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/files/copr/copr-be.conf b/files/copr/copr-be.conf index 680579b3a6..2c159cb99e 100644 --- a/files/copr/copr-be.conf +++ b/files/copr/copr-be.conf @@ -35,7 +35,7 @@ destdir=/var/lib/copr/public_html/results sleeptime=30 # default is 8 -num_workers=5 +num_workers=8 # path to log file # default is /var/log/copr/backend.log 
diff --git a/files/copr/fe/httpd/coprs.conf b/files/copr/fe/httpd/coprs.conf index bb0502c5f5..0cd63ea148 100644 --- a/files/copr/fe/httpd/coprs.conf +++ b/files/copr/fe/httpd/coprs.conf @@ -43,3 +43,22 @@ WSGISocketPrefix /var/run/wsgi Require all granted + + +ExtendedStatus On + + + SetHandler server-status + Require all denied + Require host localhost .redhat.com + + + + + StartServers 8 + MinSpareServers 8 + MaxSpareServers 20 + MaxClients 50 + MaxRequestsPerChild 10000 + + From de1c4695d4d73dbc65ae21e2b03be974546a4d41 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Jan 2014 16:25:27 +0000 Subject: [PATCH 073/271] Fix syntax errors in copr-be playbook --- playbooks/hosts/copr-be.cloud.fedoraproject.org.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml index 4cd9919400..89236956df 100644 --- a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml @@ -122,10 +122,10 @@ - restart lighttpd - name: start webserver - action: service state=running enabled=yes name=lighttpd + service: state=running enabled=yes name=lighttpd - name: start fail2ban - action: service state=running enabled=yes name=fail2ban + service: state=running enabled=yes name=fail2ban # setup dirs for the ansible execution off of provisioning - name: dirs from provision @@ -209,6 +209,6 @@ - name: chmod_key action: file path=/etc/lighttpd/coprs-be.fedoraproject.org.pem owner=root group=root mode=0600 - name: restart copr-backend - action: service: name=copr-backend state=restarted + service: name=copr-backend state=restarted - name: restart lighttpd - action: service: name=lighttpd state=restarted + service: name=lighttpd state=restarted From dfbd43862b7898a7b378a34587627e5d80627c2c Mon Sep 17 00:00:00 2001 
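Review bot: With `ExtendedStatus On`, the server-status page shows client addresses and full request lines, and `Require host localhost .redhat.com` opens it to every host whose name resolves under that domain rather than to the few admins who need it. Several `Require` lines in one block are combined as any-of, so `Require all denied` adds nothing next to the `Require host` line. `Require local`, or `Require ip <admin address>`, would limit the page to the machine itself or to one known address. The enclosing container tags did not survive in this view, so the exact scope of the block is inferred.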
From: Kevin Fenzi Date: Thu, 23 Jan 2014 16:39:26 +0000 Subject: [PATCH 074/271] Disable releng01 for now, since we have no branched. --- inventory/inventory | 2 +- playbooks/groups/releng.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index bcd63b9e6d..95877edcde 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -158,7 +158,7 @@ collab03.fedoraproject.org collab04.fedoraproject.org [releng] -releng01.phx2.fedoraproject.org +#releng01.phx2.fedoraproject.org releng02.phx2.fedoraproject.org releng04.phx2.fedoraproject.org relepel01.phx2.fedoraproject.org diff --git a/playbooks/groups/releng.yml b/playbooks/groups/releng.yml index 9773c70560..6ed915b0a7 100644 --- a/playbooks/groups/releng.yml +++ b/playbooks/groups/releng.yml @@ -4,7 +4,7 @@ # NOTE: most of these vars_path come from group_vars/releng or from hostvars - name: make releng systems - hosts: releng01.phx2.fedoraproject.org:releng02.phx2.fedoraproject.org + hosts: releng02.phx2.fedoraproject.org user: root gather_facts: False accelerate: True @@ -23,7 +23,7 @@ # Once the instance exists, configure it. - name: make releng server system - hosts: releng01.phx2.fedoraproject.org:releng02.phx2.fedoraproject.org + hosts: releng02.phx2.fedoraproject.org user: root gather_facts: True accelerate: True From 406474a3743cce0dc5a41b08c40775005a74643c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Jan 2014 17:00:26 +0000 Subject: [PATCH 075/271] Move the kernel-qa playbook to manual. The kernel team manages those day to day. --- playbooks/{groups => manual}/kernel-qa.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename playbooks/{groups => manual}/kernel-qa.yml (100%) diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/manual/kernel-qa.yml similarity index 100% rename from playbooks/groups/kernel-qa.yml rename to playbooks/manual/kernel-qa.yml From 206ed3f7764f1ffd463e2e6c320e976ef1fd550e Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Thu, 23 Jan 2014 17:12:40 +0000 Subject: [PATCH 076/271] Now that we have roles_path, drop the long path on all the roles. --- playbooks/groups/arm-packager.yml | 8 ++++---- playbooks/groups/arm-qa.yml | 8 ++++---- playbooks/groups/arm-releng.yml | 10 +++++----- playbooks/groups/ask.yml | 14 +++++++------- playbooks/groups/backup-server.yml | 10 +++++----- playbooks/groups/badges-backend.yml | 16 ++++++++-------- playbooks/groups/badges-web.yml | 14 +++++++------- playbooks/groups/beaker.yml | 10 +++++----- playbooks/groups/bkernel.yml | 2 +- playbooks/groups/buildhw.yml | 4 ++-- playbooks/groups/buildvm.yml | 2 +- playbooks/groups/docs-backend.yml | 12 ++++++------ playbooks/groups/elections.yml | 10 +++++----- playbooks/groups/fedocal.yml | 14 +++++++------- playbooks/groups/gallery.yml | 14 +++++++------- playbooks/groups/jenkins-cloud.yml | 2 +- playbooks/groups/keyserver.yml | 12 ++++++------ playbooks/groups/koji-hub.yml | 12 ++++++------ playbooks/groups/lockbox.yml | 12 ++++++------ playbooks/groups/mailman.yml | 16 ++++++++-------- playbooks/groups/mirrorlist.yml | 14 +++++++------- playbooks/groups/notifs-backend.yml | 16 ++++++++-------- playbooks/groups/notifs-web.yml | 14 +++++++------- playbooks/groups/nuancier.yml | 14 +++++++------- playbooks/groups/postgresl-server.yml | 12 ++++++------ playbooks/groups/releng.yml | 4 ++-- playbooks/groups/taskotron.yml | 12 ++++++------ playbooks/groups/virthost.yml | 12 ++++++------ .../hosts/copr-be.cloud.fedoraproject.org.yml | 2 +- .../hosts/lists-dev.cloud.fedoraproject.org.yml | 2 +- playbooks/manual/kernel-qa.yml | 10 +++++----- playbooks/manual/sign.yml | 4 ++-- 32 files changed, 159 insertions(+), 159 deletions(-) diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml index 4d44c54b75..969c4cbdf1 100644 --- a/playbooks/groups/arm-packager.yml +++ b/playbooks/groups/arm-packager.yml 
@@ -12,10 +12,10 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml index 4193d22a47..68e7de91ec 100644 --- a/playbooks/groups/arm-qa.yml +++ b/playbooks/groups/arm-qa.yml @@ -12,10 +12,10 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/arm-releng.yml b/playbooks/groups/arm-releng.yml index 85ea2804ff..6c9190c663 100644 --- a/playbooks/groups/arm-releng.yml +++ b/playbooks/groups/arm-releng.yml @@ -12,11 +12,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client + - base + - fas_client + - rkhunter + - denyhosts + - nagios_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/ask.yml b/playbooks/groups/ask.yml index dd36b743d0..faaedeec76 100644 --- a/playbooks/groups/ask.yml +++ b/playbooks/groups/ask.yml 
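Review bot: The bare names in this `roles:` list (`base`, `rkhunter`, `denyhosts`, `fas_client`) are no longer pinned to `/srv/web/infra/ansible/roles/`, so which directory supplies `base` now depends on role search configuration that this patch does not show. Ansible normally checks a `roles/` directory next to the playbook before it consults `roles_path`. It is therefore worth confirming that nobody outside the repository maintainers can create `roles/` under `playbooks/groups/`, `playbooks/hosts/` or `playbooks/manual/`, and that `roles_path` names only root-owned directories inside the checkout. The same applies to every other `roles:` hunk in this commit, from `arm-qa.yml` through `manual/sign.yml`; the plays they belong to start outside the hunks. A one-line comment above each list, for example `# role names resolve via roles_path in ansible.cfg`, would tell the next reader where the lookup is defined.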
@@ -28,13 +28,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base - - /srv/web/infra/ansible/roles/ask + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base + - ask tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml index a0fa56af28..500c08d860 100644 --- a/playbooks/groups/backup-server.yml +++ b/playbooks/groups/backup-server.yml @@ -15,11 +15,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml index db6c80fafe..022e3e4769 100644 --- a/playbooks/groups/badges-backend.yml +++ b/playbooks/groups/badges-backend.yml @@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" 
@@ -58,8 +58,8 @@ accelerate: True roles: - - /srv/web/infra/ansible/roles/fedmsg-hub - - /srv/web/infra/ansible/roles/badges-backend + - fedmsg-hub + - badges-backend vars_files: - /srv/web/infra/ansible/vars/global.yml diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml index 737dcbbb74..fa0dec9b81 100644 --- a/playbooks/groups/badges-web.yml +++ b/playbooks/groups/badges-web.yml @@ -32,13 +32,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/badges-frontend - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - badges-frontend + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml index 8f55210b19..d3d6e9d3c4 100644 --- a/playbooks/groups/beaker.yml +++ b/playbooks/groups/beaker.yml @@ -29,11 +29,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/groups/bkernel.yml b/playbooks/groups/bkernel.yml index bad914e36c..0d0ce58017 100644 --- a/playbooks/groups/bkernel.yml +++ b/playbooks/groups/bkernel.yml @@ -13,7 +13,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base tasks: - include: "{{ tasks }}/koji/base_builder.yml" 
diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml index 0dc109d973..c15f185e47 100644 --- a/playbooks/groups/buildhw.yml +++ b/playbooks/groups/buildhw.yml @@ -14,7 +14,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base tasks: - include: "{{ tasks }}/yumrepos.yml" @@ -39,7 +39,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index aa3191e0d5..3402bf0003 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -32,7 +32,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base + - base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/docs-backend.yml b/playbooks/groups/docs-backend.yml index f0cb73d20e..657784627c 100644 --- a/playbooks/groups/docs-backend.yml +++ b/playbooks/groups/docs-backend.yml @@ -25,12 +25,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/yum-cron + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - yum-cron tasks: # this is how you include other task lists diff --git a/playbooks/groups/elections.yml b/playbooks/groups/elections.yml index 5cf4819fb6..0e44193cab 100644 --- a/playbooks/groups/elections.yml +++ b/playbooks/groups/elections.yml 
@@ -27,11 +27,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/fedocal.yml b/playbooks/groups/fedocal.yml index 91ffcf861e..cb9ba4e356 100644 --- a/playbooks/groups/fedocal.yml +++ b/playbooks/groups/fedocal.yml @@ -32,11 +32,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" @@ -64,7 +64,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/fedmsg_base + - fedmsg_base handlers: - include: "{{ handlers }}/restart_services.yml" @@ -81,7 +81,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/fedocal + - fedocal handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml index d41f03c520..ef8cff1588 100644 --- a/playbooks/groups/gallery.yml +++ b/playbooks/groups/gallery.yml 
@@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" @@ -62,7 +62,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/gallery + - gallery handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index 595b9aa481..21d55b87b8 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml @@ -28,7 +28,7 @@ - resolvconf: resolv.conf/jenkins-cloud roles: - - /srv/web/infra/ansible/roles/base + - base tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml index ec57825d4b..860f82475c 100644 --- a/playbooks/groups/keyserver.yml +++ b/playbooks/groups/keyserver.yml @@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index 425f374cd2..ef648fb73d 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml 
@@ -31,12 +31,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/koji_hub + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - koji_hub tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/lockbox.yml b/playbooks/groups/lockbox.yml index 979dd682bc..4fa95b640e 100644 --- a/playbooks/groups/lockbox.yml +++ b/playbooks/groups/lockbox.yml @@ -25,12 +25,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/ansible-server + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - ansible-server tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 81e65904a4..7ea296d239 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -32,12 +32,12 @@ - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/yum-cron + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - yum-cron tasks: # this is how you include other task lists 
@@ -97,8 +97,8 @@ - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/fedmsg_base - - role: /srv/web/infra/ansible/roles/mailman + - fedmsg_base + - role: mailman mailman_dbserver: db02.stg.phx2.fedoraproject.org mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org" mailman_mm_db_pass: "{{ mailman_mm_db_pass }}" diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml index c389d92f20..c3a7d891e6 100644 --- a/playbooks/groups/mirrorlist.yml +++ b/playbooks/groups/mirrorlist.yml @@ -32,13 +32,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/geoip - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/mirrorlist + - base + - rkhunter + - denyhosts + - nagios_client + - geoip + - fas_client + - mirrorlist tasks: # this is how you include other task lists diff --git a/playbooks/groups/notifs-backend.yml b/playbooks/groups/notifs-backend.yml index 4d2dac3e2d..413689868f 100644 --- a/playbooks/groups/notifs-backend.yml +++ b/playbooks/groups/notifs-backend.yml @@ -32,12 +32,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" 
@@ -58,8 +58,8 @@ accelerate: True roles: - - /srv/web/infra/ansible/roles/fedmsg-hub - - /srv/web/infra/ansible/roles/notifs-backend + - fedmsg-hub + - notifs-backend vars_files: - /srv/web/infra/ansible/vars/global.yml diff --git a/playbooks/groups/notifs-web.yml b/playbooks/groups/notifs-web.yml index 01458e3038..d51c7e7738 100644 --- a/playbooks/groups/notifs-web.yml +++ b/playbooks/groups/notifs-web.yml @@ -32,13 +32,13 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/fedmsg_base - - /srv/web/infra/ansible/roles/notifs-frontend + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - fedmsg_base + - notifs-frontend tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/nuancier.yml b/playbooks/groups/nuancier.yml index 5a86f0673b..d2600f20cf 100644 --- a/playbooks/groups/nuancier.yml +++ b/playbooks/groups/nuancier.yml @@ -32,11 +32,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: - include: "{{ tasks }}/hosts.yml" @@ -64,7 +64,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/fedmsg_base + - fedmsg_base handlers: - include: "{{ handlers }}/restart_services.yml" @@ -81,7 +81,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - /srv/web/infra/ansible/roles/nuancier + - nuancier handlers: - include: "{{ handlers }}/restart_services.yml" 
diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml index 371a1453e9..fcf27859ea 100644 --- a/playbooks/groups/postgresl-server.yml +++ b/playbooks/groups/postgresl-server.yml @@ -33,12 +33,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/postgresql_server + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - postgresql_server tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/releng.yml b/playbooks/groups/releng.yml index 6ed915b0a7..da0286713a 100644 --- a/playbooks/groups/releng.yml +++ b/playbooks/groups/releng.yml @@ -34,8 +34,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/nagios_client + - base + - nagios_client tasks: - include: "{{ tasks }}/koji/releng_config.yml" diff --git a/playbooks/groups/taskotron.yml b/playbooks/groups/taskotron.yml index d79490fb26..7f0ca7e227 100644 --- a/playbooks/groups/taskotron.yml +++ b/playbooks/groups/taskotron.yml @@ -29,12 +29,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/yum-cron + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - yum-cron tasks: # this is how you include other task lists diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml index 08c2b71411..444e748a00 100644 --- a/playbooks/groups/virthost.yml +++ b/playbooks/groups/virthost.yml 
@@ -14,12 +14,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client - - /srv/web/infra/ansible/roles/iscsi_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - iscsi_client tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml index 89236956df..24ae5ec033 100644 --- a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml @@ -23,7 +23,7 @@ # Roles are run first, before tasks, regardless of where you place them here. roles: - - /srv/web/infra/ansible/roles/fedmsg_base + - fedmsg_base tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 5ca0caf0be..d8b44ec6d4 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -117,7 +117,7 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: - - role: /srv/web/infra/ansible/roles/mailman + - role: mailman mailman_dbserver: localhost mailman_postfix_mydestination: lists-dev.cloud.fedoraproject.org mailman_mm_db_pass: "{{ lists_dev_mm_db_pass }}" diff --git a/playbooks/manual/kernel-qa.yml b/playbooks/manual/kernel-qa.yml index aadf88aba9..07d59fed40 100644 --- a/playbooks/manual/kernel-qa.yml +++ b/playbooks/manual/kernel-qa.yml 
@@ -13,11 +13,11 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter - - /srv/web/infra/ansible/roles/denyhosts - - /srv/web/infra/ansible/roles/nagios_client - - /srv/web/infra/ansible/roles/fas_client + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client tasks: # this is how you include other task lists diff --git a/playbooks/manual/sign.yml b/playbooks/manual/sign.yml index d696be8f6b..deadb217bf 100644 --- a/playbooks/manual/sign.yml +++ b/playbooks/manual/sign.yml @@ -17,8 +17,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - /srv/web/infra/ansible/roles/base - - /srv/web/infra/ansible/roles/rkhunter + - base + - rkhunter tasks: - include: "{{ tasks }}/serialgetty.yml" From 58b8b85ef0b2e07e639fd7affe40351b1aa91690 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 23 Jan 2014 18:15:18 +0000 Subject: [PATCH 077/271] Move fedmsg_base role to the last one to allow ownership of keys files to work right hopefully. --- playbooks/groups/ask.yml | 2 +- playbooks/groups/mailman.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/ask.yml b/playbooks/groups/ask.yml index faaedeec76..8de5586f27 100644 --- a/playbooks/groups/ask.yml +++ b/playbooks/groups/ask.yml @@ -33,8 +33,8 @@ - denyhosts - nagios_client - fas_client - - fedmsg_base - ask + - fedmsg_base tasks: - include: "{{ tasks }}/hosts.yml" diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 7ea296d239..7826f1447b 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -97,7 +97,6 @@ - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" roles: - - fedmsg_base - role: mailman mailman_dbserver: db02.stg.phx2.fedoraproject.org mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org" 
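Review bot: Nothing in `ask.yml` records why `fedmsg_base` now has to follow `ask` in the `roles:` list, so the next person who sorts or extends the list can silently undo the fix. Going by the commit message, the order decides who ends up owning the fedmsg key files, which is worth stating next to the entry: `# fedmsg_base must stay last so key file ownership (fedmsg_certs) is applied after the service role has run`. The same comment belongs above `- fedmsg_base` in the `mailman.yml` hunk of this commit. Since the message says "hopefully", checking the resulting owner, group and mode of the key files on one host would confirm the reorder did what was intended.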
@@ -106,6 +105,7 @@ mailman_hk_db_pass: "{{ mailman_hk_db_pass }}" mailman_ks_admin_db_pass: "{{ mailman_ks_admin_db_pass }}" mailman_ks_db_pass: "{{ mailman_ks_db_pass }}" + - fedmsg_base tasks: - name: install more needed packages From 1a791a6e0ea96b075a2d4d59a65a6b1f48a80cd5 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 23 Jan 2014 21:06:02 +0000 Subject: [PATCH 078/271] Point the fmn frontend at datanommer. --- files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts | 1 + roles/notifs-frontend/templates/fmn.web.py | 3 +++ 2 files changed, 4 insertions(+) diff --git a/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts index 39a889c3e2..6ba829d3d2 100644 --- a/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts @@ -9,3 +9,4 @@ 10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.85 db-notifs db-notifs +10.5.126.85 db-datanommer db-datanommer diff --git a/roles/notifs-frontend/templates/fmn.web.py b/roles/notifs-frontend/templates/fmn.web.py index 8697214a7f..6edc02f884 100644 --- a/roles/notifs-frontend/templates/fmn.web.py +++ b/roles/notifs-frontend/templates/fmn.web.py @@ -1,3 +1,6 @@ config = { + # This is for *our* database "fmn.sqlalchemy.uri": "postgresql://{{notifs_db_user}}:{{notifs_db_password}}@db-notifs/notifications", + # And this is for the datanommer database + "datanommer.sqlalchemy.url": "postgresql://{{datanommerDBUser}}:{{datanommerDBPassword}}@db-datanommer/datanommer", } From 75d3b045fca4aa5bed7f491ff55ce861ae01e51f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 23 Jan 2014 21:08:59 +0000 Subject: [PATCH 079/271] Add these two, too. --- files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts | 1 + files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts | 1 + 2 files changed, 2 insertions(+) 
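Review bot: The new `datanommer.sqlalchemy.url` entry gives the web frontend a second set of database credentials, and `{{datanommerDBPassword}}` is pasted into the URL unescaped. A password containing characters such as `@` or `%` can make the URL parse differently from what was intended, so it should be URL-quoted before interpolation, for instance with Jinja2's `urlencode` filter where the installed Jinja2 provides it; the existing `fmn.sqlalchemy.uri` line has the same issue. The frontend presumably only reads from datanommer, so `datanommerDBUser` would be safer as a read-only database role than as the account the datanommer writer uses; the patch does not show which it is. The owner and mode of the rendered file are set outside this hunk and should keep it unreadable to other local users.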
diff --git a/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts index 39a889c3e2..6ba829d3d2 100644 --- a/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts @@ -9,3 +9,4 @@ 10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.85 db-notifs db-notifs +10.5.126.85 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts index 39a889c3e2..6ba829d3d2 100644 --- a/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts @@ -9,3 +9,4 @@ 10.5.126.81 memcached03 memcached03.stg app01 app01.stg 10.5.126.85 db-notifs db-notifs +10.5.126.85 db-datanommer db-datanommer From d40a72f7f572a9255384ac21def4f47d8cd4c450 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 23 Jan 2014 21:23:53 +0000 Subject: [PATCH 080/271] Initialize fmn logging. --- roles/notifs-frontend/files/fmn.web.wsgi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/notifs-frontend/files/fmn.web.wsgi b/roles/notifs-frontend/files/fmn.web.wsgi index 358d4b695e..3a2612b419 100644 --- a/roles/notifs-frontend/files/fmn.web.wsgi +++ b/roles/notifs-frontend/files/fmn.web.wsgi @@ -10,6 +10,9 @@ import pkg_resources import os os.environ['FMN_WEB_CONFIG'] = '/etc/fmn.web.cfg' +import logging +logging.basicConfig() + # The most import line to make the wsgi working from fmn.web.app import app as application # Dangerous.. only use when testing. From 3b179a2ce6c08edfd687de767e5f8eb694fda904 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 23 Jan 2014 21:34:32 +0000 Subject: [PATCH 081/271] Remove bogus config. --- roles/notifs-frontend/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/roles/notifs-frontend/tasks/main.yml b/roles/notifs-frontend/tasks/main.yml index ef16ea38be..900b285be7 100644 --- a/roles/notifs-frontend/tasks/main.yml +++ b/roles/notifs-frontend/tasks/main.yml @@ -17,6 +17,11 @@ notify: - restart apache +- name: destroy a bogus config file brought in by python-datanommer-models + file: dest=/etc/fedmsg.d/datanommer.py state=absent + notify: + - restart apache + - name: copy fmn httpd config copy: > src=fmn.web.conf dest=/etc/httpd/conf.d/fmn.web.conf From 324721e3f32791949f6227f39aa35fb9097a3829 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 23 Jan 2014 21:41:59 +0000 Subject: [PATCH 082/271] Disable alternative openids for fmn for now. --- roles/notifs-frontend/templates/fmn.web.cfg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/notifs-frontend/templates/fmn.web.cfg b/roles/notifs-frontend/templates/fmn.web.cfg index 89eeb400b3..55d78bc080 100644 --- a/roles/notifs-frontend/templates/fmn.web.cfg +++ b/roles/notifs-frontend/templates/fmn.web.cfg @@ -13,6 +13,6 @@ FMN_FEDORA_OPENID = 'https://id.fedoraproject.org' {% endif %} FMN_ALLOW_FAS_OPENID = True -FMN_ALLOW_GOOGLE_OPENID = True -FMN_ALLOW_YAHOO_OPENID = True -FMN_ALLOW_GENERIC_OPENID = True +FMN_ALLOW_GOOGLE_OPENID = False +FMN_ALLOW_YAHOO_OPENID = False +FMN_ALLOW_GENERIC_OPENID = False From 89a74383d7da812bc1376a9797eff703dc88393c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Fri, 24 Jan 2014 08:39:32 +0000 Subject: [PATCH 083/271] add releasever - BZ 1056039 --- files/copr/provision/files/mock/epel-5-i386.cfg | 1 + files/copr/provision/files/mock/epel-5-x86_64.cfg | 1 + files/copr/provision/files/mock/epel-7-x86_64.cfg | 1 + files/copr/provision/files/mock/fedora-20-i386.cfg | 1 + files/copr/provision/files/mock/fedora-20-x86_64.cfg | 1 + 5 files changed, 5 insertions(+) 
diff --git a/files/copr/provision/files/mock/epel-5-i386.cfg b/files/copr/provision/files/mock/epel-5-i386.cfg index a8b03edf3f..38a425aba6 100644 --- a/files/copr/provision/files/mock/epel-5-i386.cfg +++ b/files/copr/provision/files/mock/epel-5-i386.cfg @@ -5,6 +5,7 @@ config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' +config_opts['releasever'] = '5' config_opts['yum.conf'] = """ [main] diff --git a/files/copr/provision/files/mock/epel-5-x86_64.cfg b/files/copr/provision/files/mock/epel-5-x86_64.cfg index 0f59da54f6..2f26af0ba5 100644 --- a/files/copr/provision/files/mock/epel-5-x86_64.cfg +++ b/files/copr/provision/files/mock/epel-5-x86_64.cfg @@ -5,6 +5,7 @@ config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' +config_opts['releasever'] = '5' config_opts['yum.conf'] = """ [main] diff --git a/files/copr/provision/files/mock/epel-7-x86_64.cfg b/files/copr/provision/files/mock/epel-7-x86_64.cfg index eeee2d831e..91b72b8260 100644 --- a/files/copr/provision/files/mock/epel-7-x86_64.cfg +++ b/files/copr/provision/files/mock/epel-7-x86_64.cfg @@ -11,6 +11,7 @@ config_opts['macros']['%rhel'] = '7' config_opts['macros']['%el7'] = '1' config_opts['macros']['%_topdir'] = '/builddir/build' config_opts['macros']['%_rpmfilename'] = '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm' +config_opts['releasever'] = '7' config_opts['plugin_conf']['root_cache_enable'] = False config_opts['plugin_conf']['yum_cache_enable'] = False diff --git a/files/copr/provision/files/mock/fedora-20-i386.cfg b/files/copr/provision/files/mock/fedora-20-i386.cfg index d04d180320..fde3c2754f 100644 
--- a/files/copr/provision/files/mock/fedora-20-i386.cfg +++ b/files/copr/provision/files/mock/fedora-20-i386.cfg @@ -3,6 +3,7 @@ config_opts['target_arch'] = 'i686' config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64') config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst +config_opts['releasever'] = '20' config_opts['yum.conf'] = """ [main] diff --git a/files/copr/provision/files/mock/fedora-20-x86_64.cfg b/files/copr/provision/files/mock/fedora-20-x86_64.cfg index 0f56311e0b..fa7f6d4c42 100644 --- a/files/copr/provision/files/mock/fedora-20-x86_64.cfg +++ b/files/copr/provision/files/mock/fedora-20-x86_64.cfg @@ -3,6 +3,7 @@ config_opts['target_arch'] = 'x86_64' config_opts['legal_host_arches'] = ('x86_64',) config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst +config_opts['releasever'] = '20' config_opts['yum.conf'] = """ [main] From 76951c0b1d0674090b9821e1dccb902ac739a0d3 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 16:25:53 +0000 Subject: [PATCH 084/271] Test a roles_path idea. --- inventory/group_vars/ask-stg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inventory/group_vars/ask-stg b/inventory/group_vars/ask-stg index d9b898de11..8929c5cc21 100644 --- a/inventory/group_vars/ask-stg +++ b/inventory/group_vars/ask-stg @@ -16,3 +16,5 @@ fedmsg_certs: - service: askbot owner: root group: apache + +roles_path: /home/fedora/kevin/ansible/roles:{{ roles_path }} From 76eb4b0f04f68684e0b984cd4770f86995b3f574 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 16:30:23 +0000 Subject: [PATCH 085/271] Sadly, this will not work. :( --- inventory/group_vars/ask-stg | 2 -- 1 file changed, 2 deletions(-) diff --git a/inventory/group_vars/ask-stg b/inventory/group_vars/ask-stg index 8929c5cc21..d9b898de11 100644 --- a/inventory/group_vars/ask-stg 
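Review bot: The `roles_path` line added to `inventory/group_vars/ask-stg` puts `/home/fedora/kevin/ansible/roles` ahead of the shared roles directory. If Ansible honoured it, role names such as `base` and `fas_client` in `playbooks/groups/ask.yml` would be loaded from a personal home directory first, outside the reviewed repository. A role search path used against real hosts should contain only directories inside the checkout that its maintainers control; a scratch inventory or a throwaway host is a safer place for this kind of experiment than shared `group_vars`. The value also refers to `{{ roles_path }}` inside its own definition, which does not expand the way a shell `PATH` does.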
+++ b/inventory/group_vars/ask-stg @@ -16,5 +16,3 @@ fedmsg_certs: - service: askbot owner: root group: apache - -roles_path: /home/fedora/kevin/ansible/roles:{{ roles_path }} From 4e127e63eda5f258fa3e05fc7e50103002455fb5 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 16:31:33 +0000 Subject: [PATCH 086/271] Add debug_env role for debugging needs down the road. --- roles/debug_env/tasks/main.yml | 9 +++++++++ roles/debug_env/templates/dumpall.j2 | 19 +++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 roles/debug_env/tasks/main.yml create mode 100644 roles/debug_env/templates/dumpall.j2 diff --git a/roles/debug_env/tasks/main.yml b/roles/debug_env/tasks/main.yml new file mode 100644 index 0000000000..f67fe7227c --- /dev/null +++ b/roles/debug_env/tasks/main.yml @@ -0,0 +1,9 @@ +# +# This role can be added to a playbook to dump out all +# the env from ansible to see what variables and facts are. +# Taken from https://coderwall.com/p/13lh6w +# + +tasks: + - name: Dump all ansible vars + action: template src=templates/dumpall.j2 dest=/tmp/ansible.all diff --git a/roles/debug_env/templates/dumpall.j2 b/roles/debug_env/templates/dumpall.j2 new file mode 100644 index 0000000000..470394828c --- /dev/null +++ b/roles/debug_env/templates/dumpall.j2 @@ -0,0 +1,19 @@ +Module Variables ("vars"): +-------------------------------- +{{ vars | to_nice_json }} + +Environment Variables ("environment"): +-------------------------------- +{{ environment | to_nice_json }} + +GROUP NAMES Variables ("group_names"): +-------------------------------- +{{ group_names | to_nice_json }} + +GROUPS Variables ("groups"): +-------------------------------- +{{ groups | to_nice_json }} + +HOST Variables ("hostvars"): +-------------------------------- +{{ hostvars | to_nice_json }} From 389600314b5e5b4f88817415b881fbfbccab1dd4 Mon Sep 17 00:00:00 2001 
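Review bot: The new task in `roles/debug_env/tasks/main.yml` renders `vars`, `environment` and `hostvars` into `/tmp/ansible.all` on the managed host with no `owner`, `group` or `mode`, so the dump gets default permissions in a world-accessible directory. `hostvars` carries the variables known for every host in the run, which in this repository includes values such as `mailman_mm_db_pass` and `notifs_db_password`, so the file is typically readable by any local account. Write it somewhere private with explicit permissions, e.g. `template: src=dumpall.j2 dest=/root/debug_env.out owner=root group=root mode=0600`, and delete the file once the debugging session is over. PATCH 089 later renames the target to `/tmp/debug_env.out` but keeps the same directory and the same missing permissions.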
From: Kevin Fenzi Date: Fri, 24 Jan 2014 16:34:05 +0000 Subject: [PATCH 087/271] only_if is going bye bye. --- callback_plugins/logdetail.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/callback_plugins/logdetail.py b/callback_plugins/logdetail.py index 06c4bf8ccb..158b8ee45c 100644 --- a/callback_plugins/logdetail.py +++ b/callback_plugins/logdetail.py @@ -93,7 +93,7 @@ class LogMech(object): if self.playbook_id == 'ansible-cmd': res['task_userid'] = getlogin() for k in ("delegate_to", "environment", "first_available_file", - "local_action", "notified_by", "notify", "only_if", + "local_action", "notified_by", "notify", "register", "sudo", "sudo_user", "tags", "transport", "when"): v = getattr(task, k, None) From 79bd4c3a211e65425bfe5bfedce2d2174f1474cc Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 16:35:42 +0000 Subject: [PATCH 088/271] Test debug_env --- playbooks/groups/ask.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/ask.yml b/playbooks/groups/ask.yml index 8de5586f27..2537b26bf3 100644 --- a/playbooks/groups/ask.yml +++ b/playbooks/groups/ask.yml @@ -28,6 +28,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: + - debug_env - base - rkhunter - denyhosts From 49c42fc8b2f0a073a523107b077ec530960bf8d6 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 16:40:58 +0000 Subject: [PATCH 089/271] Adjust role --- roles/debug_env/tasks/main.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/debug_env/tasks/main.yml b/roles/debug_env/tasks/main.yml index f67fe7227c..33dc4ebb8e 100644 --- a/roles/debug_env/tasks/main.yml +++ b/roles/debug_env/tasks/main.yml 
@@ -3,7 +3,5 @@ # the env from ansible to see what variables and facts are. # Taken from https://coderwall.com/p/13lh6w # - -tasks: - - name: Dump all ansible vars - action: template src=templates/dumpall.j2 dest=/tmp/ansible.all +- name: Dump all ansible vars + template: src=dumpall.j2 dest=/tmp/debug_env.out From 083b631c29186b3dd1cab45c97f33b0fad84a51a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 16:43:57 +0000 Subject: [PATCH 090/271] Remove debug_env role from ask now. --- playbooks/groups/ask.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/groups/ask.yml b/playbooks/groups/ask.yml index 2537b26bf3..8de5586f27 100644 --- a/playbooks/groups/ask.yml +++ b/playbooks/groups/ask.yml @@ -28,7 +28,6 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - - debug_env - base - rkhunter - denyhosts From 0494a018a691d6966ca83b70075433299b6062b8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 16:59:46 +0000 Subject: [PATCH 091/271] Add simple script that runs --check --diff playbook runs on all hosts/groups. --- scripts/ansible-playbook-check-diff | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100755 scripts/ansible-playbook-check-diff diff --git a/scripts/ansible-playbook-check-diff b/scripts/ansible-playbook-check-diff new file mode 100755 index 0000000000..72c0d78b1c --- /dev/null +++ b/scripts/ansible-playbook-check-diff 
@@ -0,0 +1,25 @@ +#!/usr/bin/python -tt +import os +import os.path +import subprocess + +rootpath = "/srv/web/infra/ansible/playbooks" + +# +# Find all the .yml files under playbooks/groups and hosts and run ansible-playbook on them +# With --check and --diff for now. We don't run the 'manual' subdir ones. + +for dir in ("hosts", "groups"): + hostsplaybookspath = os.path.join(rootpath, dir) + for path, dirs, files in os.walk(hostsplaybookspath): + for file in files: + if not file.endswith(".yml"): + continue + playbookpath = os.path.join(path, file) + cmd = ("ansible-playbook", playbookpath, "--check", "--diff") + ansibleprocess = subprocess.Popen(cmd) + +# +# Add this if you want to run them one at a time instead of all forked off in a bunch. +# ansibleprocess.communicate() +# From b7ff972cbd4976ab5ac6b38724b5f79df58be3e2 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 24 Jan 2014 19:47:07 +0000 Subject: [PATCH 092/271] Host definitions for the fmn prod nodes. --- inventory/group_vars/notifs-backend | 10 ++++++++++ inventory/group_vars/notifs-web | 12 ++++++++++++ .../notifs-backend01.phx2.fedoraproject.org | 14 ++++++++++++++ .../host_vars/notifs-web01.phx2.fedoraproject.org | 14 ++++++++++++++ .../host_vars/notifs-web02.phx2.fedoraproject.org | 14 ++++++++++++++ inventory/inventory | 7 +++++++ 6 files changed, 71 insertions(+) create mode 100644 inventory/group_vars/notifs-backend create mode 100644 inventory/group_vars/notifs-web create mode 100644 inventory/host_vars/notifs-backend01.phx2.fedoraproject.org create mode 100644 inventory/host_vars/notifs-web01.phx2.fedoraproject.org create mode 100644 inventory/host_vars/notifs-web02.phx2.fedoraproject.org diff --git a/inventory/group_vars/notifs-backend b/inventory/group_vars/notifs-backend new file mode 100644 index 0000000000..25492830cb --- /dev/null +++ b/inventory/group_vars/notifs-backend 
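Review bot: The loop in scripts/ansible-playbook-check-diff starts every playbook with `subprocess.Popen(cmd)` and never waits on it, so all runs are forked at once, their exit statuses are never read, and the script ends without reporting a failed `--check` run. Collect the result instead, e.g. `rc = subprocess.call(cmd)` followed by `if rc != 0: failed.append(playbookpath)`, and exit non-zero when `failed` is not empty. The loop variables `dir` and `file` also shadow Python builtins; names such as `subdir` and `fname` would read better.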
@@ -0,0 +1,10 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+fas_client_groups: sysadmin-noc,sysadmin-datanommer
diff --git a/inventory/group_vars/notifs-web b/inventory/group_vars/notifs-web
new file mode 100644
index 0000000000..bb20797c5f
--- /dev/null
+++ b/inventory/group_vars/notifs-web
@@ -0,0 +1,12 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443 ]
+
+fas_client_groups: sysadmin-noc,sysadmin-datanommer
diff --git a/inventory/host_vars/notifs-backend01.phx2.fedoraproject.org b/inventory/host_vars/notifs-backend01.phx2.fedoraproject.org
new file mode 100644
index 0000000000..cfcc97757f
--- /dev/null
+++ b/inventory/host_vars/notifs-backend01.phx2.fedoraproject.org
@@ -0,0 +1,14 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
+ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
+
+eth0_ip: 10.5.126.168
+
+volgroup: /dev/vg_virthost09
+vmhost: virthost09.phx2.fedoraproject.org
+
+datacenter: phx2
diff --git a/inventory/host_vars/notifs-web01.phx2.fedoraproject.org b/inventory/host_vars/notifs-web01.phx2.fedoraproject.org
new file mode 100644
index 0000000000..416dc7e424
--- /dev/null
+++ b/inventory/host_vars/notifs-web01.phx2.fedoraproject.org
@@ -0,0 +1,14 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
+ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
+
+eth0_ip: 10.5.126.103
+
+volgroup: /dev/vg_virthost04
+vmhost: virthost04.phx2.fedoraproject.org
+
+datacenter: phx2
diff --git a/inventory/host_vars/notifs-web02.phx2.fedoraproject.org b/inventory/host_vars/notifs-web02.phx2.fedoraproject.org new file mode 100644 index 0000000000..e384071ea6 --- /dev/null +++ b/inventory/host_vars/notifs-web02.phx2.fedoraproject.org @@ -0,0 +1,14 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 + +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ + +eth0_ip: 10.5.126.119 + +volgroup: /dev/vg_virthost06 +vmhost: virthost06.phx2.fedoraproject.org + +datacenter: phx2 diff --git a/inventory/inventory b/inventory/inventory index 95877edcde..1e6f6241eb 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -258,9 +258,16 @@ lockbox-comm01.qa.fedoraproject.org noc01.phx2.fedoraproject.org noc02.fedoraproject.org +[notifs-backend] +notifs-backend01.phx2.fedoraproject.org + [notifs-backend-stg] notifs-backend01.stg.phx2.fedoraproject.org +[notifs-web] +notifs-web01.phx2.fedoraproject.org +notifs-web02.phx2.fedoraproject.org + [notifs-web-stg] notifs-web01.stg.phx2.fedoraproject.org notifs-web02.stg.phx2.fedoraproject.org From 060f9f2eb943c5c73b0638cd0e778a8713629ab7 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 24 Jan 2014 19:50:40 +0000 Subject: [PATCH 093/271] hosts files for fmn prod nodes. --- files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts | 6 ++++++ files/hosts/notifs-web01.phx2.fedoraproject.org-hosts | 6 ++++++ files/hosts/notifs-web02.phx2.fedoraproject.org-hosts | 6 ++++++ 3 files changed, 18 insertions(+) create mode 100644 files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts create mode 100644 files/hosts/notifs-web01.phx2.fedoraproject.org-hosts create mode 100644 files/hosts/notifs-web02.phx2.fedoraproject.org-hosts diff --git a/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts b/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..23f9e40ac0 --- /dev/null 
+++ b/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts
@@ -0,0 +1,6 @@
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org
+10.5.126.23 infrastructure.fedoraproject.org
+10.5.126.71 db-notifs db-notifs
+10.5.126.109 db-datanommer db-datanommer
diff --git a/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts
new file mode 100644
index 0000000000..23f9e40ac0
--- /dev/null
+++ b/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts
@@ -0,0 +1,6 @@
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org
+10.5.126.23 infrastructure.fedoraproject.org
+10.5.126.71 db-notifs db-notifs
+10.5.126.109 db-datanommer db-datanommer
diff --git a/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts
new file mode 100644
index 0000000000..23f9e40ac0
--- /dev/null
+++ b/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts
@@ -0,0 +1,6 @@
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org
+10.5.126.23 infrastructure.fedoraproject.org
+10.5.126.71 db-notifs db-notifs
+10.5.126.109 db-datanommer db-datanommer
From d6afd943b298ac66cc453412b7f915d7c5570629 Mon Sep 17 00:00:00 2001
From: Ralph Bean Date: Fri, 24 Jan 2014 20:04:18 +0000 Subject: [PATCH 094/271] No need for notifs backend to be on the vpn. --- playbooks/groups/notifs-backend.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/notifs-backend.yml b/playbooks/groups/notifs-backend.yml index 413689868f..b3d159a144 100644 --- a/playbooks/groups/notifs-backend.yml +++ b/playbooks/groups/notifs-backend.yml @@ -45,8 +45,10 @@ - include: "{{ tasks }}/2fa_client.yml" - include: "{{ tasks }}/motd.yml" - include: "{{ tasks }}/sudo.yml" - - include: "{{ tasks }}/openvpn_client.yml" - when: env != "staging" + # The proxies don't actually need to talk to these hosts so we won't bother + # putting them on the vpn. + #- include: "{{ tasks }}/openvpn_client.yml" + # when: env != "staging" handlers: - include: "{{ handlers }}/restart_services.yml" From 54d88840d5d7617b1d8ed2d841aa0194ab99a905 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 24 Jan 2014 20:55:33 +0000 Subject: [PATCH 095/271] Add an nrpe command definition for checking the presence of the fedmsg hub. --- roles/nagios_client/tasks/main.yml | 1 + roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 | 1 + 2 files changed, 2 insertions(+) create mode 100644 roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index da18f8bc5d..40d0e164f5 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -56,6 +56,7 @@ - check_swap.cfg - check_postfix_queue.cfg - check_lock.cfg + - check_fedmsg_hub_proc.cfg notify: - restart nrpe tags: diff --git a/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 new file mode 100644 index 0000000000..17ec341c4a --- /dev/null +++ b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 
@@ -0,0 +1 @@ +command[check_fedmsg_hub_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'fedmsg-hub' -u fedmsg From 03be7b46c9d187d0fcd16bf51f8eed6d91959fb7 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 24 Jan 2014 21:17:50 +0000 Subject: [PATCH 096/271] Add symlink for fmn.web fedora theme. --- roles/notifs-frontend/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/notifs-frontend/tasks/main.yml b/roles/notifs-frontend/tasks/main.yml index 900b285be7..5bc5524772 100644 --- a/roles/notifs-frontend/tasks/main.yml +++ b/roles/notifs-frontend/tasks/main.yml @@ -22,6 +22,12 @@ notify: - restart apache +- name: setup symlink to fedora theme + file: > + src=/usr/share/fmn.web/static/bootstrap-3.0.2-fedora + dest=/usr/share/fmn.web/static/bootstrap + state=link + - name: copy fmn httpd config copy: > src=fmn.web.conf dest=/etc/httpd/conf.d/fmn.web.conf From de9c00f1ba8fcbb006f3b0d3a0d8456a0f385c49 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 21:34:24 +0000 Subject: [PATCH 097/271] Switch buildvm's over to f20 for reinstalling. --- inventory/group_vars/buildvm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/group_vars/buildvm b/inventory/group_vars/buildvm index 251322ba18..7f16b47df6 100644 --- a/inventory/group_vars/buildvm +++ b/inventory/group_vars/buildvm @@ -3,8 +3,8 @@ lvm_size: 150000 mem_size: 6144 num_cpus: 5 -ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/19/Fedora/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-20 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/20/Fedora/x86_64/os/ nm: 255.255.255.0 gw: 10.5.125.254 eth1_gw: 10.5.127.254 From 588722a9e85021cb19e425e1838394b31bf52795 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Fri, 24 Jan 2014 22:27:34 +0000 Subject: [PATCH 098/271] Cull global packages, add ansible accel mode to kojibuilders. --- roles/base/templates/iptables/iptables.kojibuilder | 6 ++++++ vars/global.yml | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder index 613dd5c516..b64e116551 100644 --- a/roles/base/templates/iptables/iptables.kojibuilder +++ b/roles/base/templates/iptables/iptables.kojibuilder @@ -47,6 +47,12 @@ -A INPUT -p tcp -m tcp -s 10.5.0.0/16 --dport 22 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.0.0/16 --sport 22 -j ACCEPT +# for ansible accelerate mode - allow port 5099 from lockbox and it's ips +-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT + # git to pkgs -A OUTPUT -m tcp -p tcp --dport 9418 -d 10.5.125.44 -j ACCEPT -A OUTPUT -m udp -p udp --dport 9418 -d 10.5.125.44 -j ACCEPT diff --git a/vars/global.yml b/vars/global.yml index fa760d29d6..49718f6d0f 100644 --- a/vars/global.yml +++ b/vars/global.yml @@ -24,8 +24,8 @@ f20_qcow_id: ami-00000038 hostbase: transient # root_auth_users for cloud instances is '' by default root_auth_users: '' -global_pkgs_inst: ['bind-utils', 'joe', 'mailx', 'nc', 'openssh-clients', - 'patch', 'postfix', 'rsync', 'strace', 'telnet', +global_pkgs_inst: ['bind-utils', 'mailx', 'nc', 'openssh-clients', + 'patch', 'postfix', 'rsync', 'strace', 'tmpwatch', 'traceroute', 'vim-enhanced', 'xz', 'zsh', 'libselinux-python', 'ntpdate' ] From 31a46523a17dcf0363633feaa286571a947b9be4 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 22:49:01 +0000 Subject: [PATCH 099/271] Add yum repos setup to buildvm's --- playbooks/groups/buildvm.yml | 1 + 1 file changed, 1 insertion(+) 
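Review bot: The four new `--dport 5099` rules in iptables.kojibuilder are added to INPUT only, while the ssh rule just above pairs its INPUT rule with an explicit `-A OUTPUT ... --sport 22 -j ACCEPT`, which suggests OUTPUT is filtered on these builders. Unless a rule outside this hunk accepts established connections outbound, replies from the accelerate daemon would be dropped; if so, add a matching rule per source address, e.g. `-A OUTPUT -p tcp -m tcp --sport 5099 -d 10.5.126.23 -j ACCEPT`. The comment could also state the intent more exactly, e.g. `# ansible accelerate mode (tcp/5099) - lockbox source addresses only`, so a later edit does not widen the source list by accident.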
diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index 3402bf0003..ad4f6cb8bb 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -36,6 +36,7 @@ tasks: - include: "{{ tasks }}/hosts.yml" + - include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/koji/base_builder.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml" From d17fd8236a7fba12d274f500f084c640b09d3242 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 23:26:03 +0000 Subject: [PATCH 100/271] Work around this for now. --- tasks/yumrepos.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml index 26fee37039..f3af6f7def 100644 --- a/tasks/yumrepos.yml +++ b/tasks/yumrepos.yml @@ -4,7 +4,7 @@ with_items: - epel6.repo - rhel6.repo - when: is_rhel == 'True' + when: ansible_distribution == 'RedHat' tags: - config - packages @@ -15,7 +15,7 @@ - fedora.repo - fedora-updates.repo - fedora-updates-testing.repo - when: is_fedora == 'True' and ansible_architecture == 'x86_64' + when: ansible_distribution == 'Fedora' and ansible_architecture == 'x86_64' tags: - config - packages @@ -26,7 +26,7 @@ - fedora.repo - fedora-updates.repo - fedora-updates-testing.repo - when: is_fedora == 'True' and ansible_architecture == 'armv7l' + when: ansible_distribution == 'Fedora' and ansible_architecture == 'armv7l' tags: - config - packages From dfa9e5339e24c6f950ca8890d07a67d856074641 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 23:37:08 +0000 Subject: [PATCH 101/271] More idempotent --- tasks/koji/base_builder.yml | 17 ++++++++++++----- tasks/koji/builder_kernel_config.yml | 6 ++++++ 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml index cc1a0d6110..be85caf170 100644 --- a/tasks/koji/base_builder.yml +++ b/tasks/koji/base_builder.yml 
@@ -89,8 +89,12 @@ action: service name=kojid enabled=on # action: service name=kojid enabled=on state=started -- name: copy over authorized keys for root - action: copy src="{{ files }}/kojibuilder/root_auth_keys" dest=/root/.ssh/authorized_keys mode=644 +- name: add root ssh key + authorized_key: user=root key="{{ item }}" + with_file: + - "{{ files }}/kojibuilder/root_auth_keys" + tags: + - config # idmapd and make sure it's set to run - name: idmapd.conf @@ -100,16 +104,19 @@ - name: enable nfs-related services and run them action: service name={{ item }} enabled=true state=started with_items: - - rpcidmapd - - rpcbind - nfs - - nfslock - name: route config for netapp network action: copy src="{{ files }}/kojibuilder/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 +- name: check for netapp route + command: ip route show + register: netapproute + always_run: yes + - name: run netapp route command: /etc/sysconfig/network-scripts/ifup-routes eth1 + when: netapproute.stdout.find('10.5.88.0') != -1 - name: nfs mount points action: mount name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=mounted diff --git a/tasks/koji/builder_kernel_config.yml b/tasks/koji/builder_kernel_config.yml index 239b4f16c9..94c10ae0a7 100644 --- a/tasks/koji/builder_kernel_config.yml +++ b/tasks/koji/builder_kernel_config.yml @@ -1,8 +1,14 @@ #- name: set kernel params for loopback partitioning # action: command /sbin/grubby --update-kernel=ALL --args=loop.max_part=256 +# +- name: check for max_loop + command: grep max_loop /etc/grub2.cfg + register: max_loop + always_run: yes - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 + when: max_loop.stdout.find('max_loop=64') != -1 - name: special pkgs for the x86_64 builders yum: state=installed pkg={{ item }} 
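Review bot: The condition on the `run netapp route` task in base_builder.yml, `when: netapproute.stdout.find('10.5.88.0') != -1`, is true only when the route already appears in the `ip route show` output, so ifup-routes is skipped exactly when the route is missing. The builder_kernel_config.yml hunk has the same inversion: grubby runs only if `max_loop=64` is already present. For the idempotence this commit is after, both should test for absence, `when: netapproute.stdout.find('10.5.88.0') == -1` and `when: max_loop.stdout.find('max_loop=64') == -1`. The later hunks in PATCH 103 and PATCH 104 touch these tasks but leave both conditions as they are.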
From fd6119bd4d11018e5a52996ef3493943650e9185 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 23:39:35 +0000 Subject: [PATCH 102/271] Still ssh keys comments issues. :( --- files/kojibuilder/root_auth_keys | 1 - 1 file changed, 1 deletion(-) diff --git a/files/kojibuilder/root_auth_keys b/files/kojibuilder/root_auth_keys index a3a005ac0f..a3ffc24818 100644 --- a/files/kojibuilder/root_auth_keys +++ b/files/kojibuilder/root_auth_keys @@ -1,2 +1 @@ -#ansible key from="10.5.126.23,10.5.126.12,10.5.126.11,209.132.181.6,192.168.1.58,152.19.134.140,192.168.1.42" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org From 0f3395189ed574cfd1a98f640520556263b364f2 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 23:46:07 +0000 Subject: [PATCH 103/271] Another attempt --- tasks/koji/base_builder.yml | 1 + tasks/koji/builder_kernel_config.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml index be85caf170..7fab2751f9 100644 --- a/tasks/koji/base_builder.yml +++ b/tasks/koji/base_builder.yml @@ -113,6 +113,7 @@ command: ip route show register: netapproute always_run: yes + changed_when: "1 != 1" - name: run netapp route command: /etc/sysconfig/network-scripts/ifup-routes eth1 diff --git a/tasks/koji/builder_kernel_config.yml b/tasks/koji/builder_kernel_config.yml index 94c10ae0a7..28f2c7d4a4 100644 --- a/tasks/koji/builder_kernel_config.yml +++ b/tasks/koji/builder_kernel_config.yml 
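Review bot: `changed_when: "1 != 1"` on the `check for netapp route` task is an always-false expression standing in for a constant; `changed_when: false` states the intent directly and needs no second look from the next reader. The PATCH 104 hunk for builder_kernel_config.yml uses the same `'1 != 1'` form on the `check for max_loop` task.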
@@ -2,7 +2,7 @@ # action: command /sbin/grubby --update-kernel=ALL --args=loop.max_part=256 # - name: check for max_loop - command: grep max_loop /etc/grub2.cfg + command: cat /etc/grub2.cfg register: max_loop always_run: yes From 899cff949281598458337c83d1dd9a61c1e045c8 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 24 Jan 2014 23:51:45 +0000 Subject: [PATCH 104/271] Some more cleanup. --- tasks/koji/base_builder.yml | 10 +--------- tasks/koji/builder_kernel_config.yml | 1 + 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml index 7fab2751f9..18dc8c656a 100644 --- a/tasks/koji/base_builder.yml +++ b/tasks/koji/base_builder.yml @@ -86,15 +86,7 @@ action: copy src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600 - name: chkconfig kojid on and leave it running - action: service name=kojid enabled=on -# action: service name=kojid enabled=on state=started - -- name: add root ssh key - authorized_key: user=root key="{{ item }}" - with_file: - - "{{ files }}/kojibuilder/root_auth_keys" - tags: - - config + action: service name=kojid enabled=on state=started # idmapd and make sure it's set to run - name: idmapd.conf diff --git a/tasks/koji/builder_kernel_config.yml b/tasks/koji/builder_kernel_config.yml index 28f2c7d4a4..f9fc9aa5df 100644 --- a/tasks/koji/builder_kernel_config.yml +++ b/tasks/koji/builder_kernel_config.yml @@ -5,6 +5,7 @@ command: cat /etc/grub2.cfg register: max_loop always_run: yes + changed_when: '1 != 1' - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 From 0844a05bf0a44c497c74174fac562d3e3e0211a2 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Sat, 25 Jan 2014 17:45:38 +0000 Subject: [PATCH 105/271] Rework rsyslog stuff. Use default dist /etc/rsyslog.conf, add our stuff to /etc/rsyslog.d --- inventory/group_vars/kernel-qa | 1 - roles/base/files/rsyslog/rsyslog-audit.conf | 13 +++ .../files/rsyslog/rsyslog-disablerate.conf | 3 + roles/base/files/rsyslog/rsyslog-log02.conf | 4 + roles/base/files/rsyslog/rsyslog.conf | 55 ++++------- .../{rsyslog.conf.releng => rsyslog.conf.el6} | 41 ++++---- ...slog.conf.kojibuilder => rsyslog.conf.f20} | 51 +++++----- roles/base/files/rsyslog/rsyslog.conf.phx2 | 97 ------------------- roles/base/tasks/main.yml | 15 ++- 9 files changed, 103 insertions(+), 177 deletions(-) create mode 100644 roles/base/files/rsyslog/rsyslog-audit.conf create mode 100644 roles/base/files/rsyslog/rsyslog-disablerate.conf create mode 100644 roles/base/files/rsyslog/rsyslog-log02.conf rename roles/base/files/rsyslog/{rsyslog.conf.releng => rsyslog.conf.el6} (60%) rename roles/base/files/rsyslog/{rsyslog.conf.kojibuilder => rsyslog.conf.f20} (59%) delete mode 100644 roles/base/files/rsyslog/rsyslog.conf.phx2 diff --git a/inventory/group_vars/kernel-qa b/inventory/group_vars/kernel-qa index 8e03331925..39e618921d 100644 --- a/inventory/group_vars/kernel-qa +++ b/inventory/group_vars/kernel-qa @@ -1,6 +1,5 @@ --- freezes: true resolvconf: "{{ files }}/resolv.conf/phx2" -rsyslogconf: "{{ files }}/rsyslog/rsyslog.conf.phx2" fas_client_groups: sysadmin-kernel sudoers: "{{ private }}/files/sudo/kernel-qa" diff --git a/roles/base/files/rsyslog/rsyslog-audit.conf b/roles/base/files/rsyslog/rsyslog-audit.conf new file mode 100644 index 0000000000..8e6c2f5b18 --- /dev/null +++ b/roles/base/files/rsyslog/rsyslog-audit.conf 
@@ -0,0 +1,13 @@ +# monitor auditd log and send out over local6 to central loghost +$ModLoad imfile.so + +# auditd audit.log +$InputFileName /var/log/audit/audit.log +$InputFileTag tag_audit_log: +$InputFileStateFile audit_log +$InputFileSeverity info +$InputFileFacility local6 +$InputRunFileMonitor + +:msg, !contains, "type=AVC" +local6.* @@log02:514 diff --git a/roles/base/files/rsyslog/rsyslog-disablerate.conf b/roles/base/files/rsyslog/rsyslog-disablerate.conf new file mode 100644 index 0000000000..e7c93530c2 --- /dev/null +++ b/roles/base/files/rsyslog/rsyslog-disablerate.conf @@ -0,0 +1,3 @@ +# Disable rate limiting +$IMUXSockRateLimitInterval 0 +$SystemLogRateLimitInterval 0 diff --git a/roles/base/files/rsyslog/rsyslog-log02.conf b/roles/base/files/rsyslog/rsyslog-log02.conf new file mode 100644 index 0000000000..8338bfed72 --- /dev/null +++ b/roles/base/files/rsyslog/rsyslog-log02.conf @@ -0,0 +1,4 @@ +# +# Send everything on to central log02 logger machines +# +cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 diff --git a/roles/base/files/rsyslog/rsyslog.conf b/roles/base/files/rsyslog/rsyslog.conf index a1d425816f..36cea98f0e 100644 --- a/roles/base/files/rsyslog/rsyslog.conf +++ b/roles/base/files/rsyslog/rsyslog.conf 
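Review bot: In rsyslog-audit.conf the property filter `:msg, !contains, "type=AVC"` has no action after it as rendered here, whereas the rule being moved out of rsyslog.conf ended in the discard action `~`. Simply restoring `~` is not safe in the new layout, because `/etc/rsyslog.d/*.conf` is now included ahead of the RULES section and the discard would drop every non-AVC message before the local file rules see it. A filter scoped to the audit facility keeps the original forwarding behaviour, e.g. `if $syslogfacility-text == 'local6' and $msg contains 'type=AVC' then @@log02:514`.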
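Review bot: rsyslog-log02.conf forwards to `@@log02:514` without the `$ActionQueue*` and `$ActionResumeRetryCount` directives that stood in front of the forwarding rule in the old rsyslog.conf, and the rsyslog.conf hunk further down leaves those directives commented out. With no disk-assisted queue, messages produced while log02 is unreachable can be lost or can stall local logging, which weakens the central log as an audit trail. If that is not intended, carry the queue block into this drop-in directly above the forwarding line, starting with `$ActionQueueType LinkedList`, `$ActionQueueFileName fwdRule1` and `$ActionResumeRetryCount -1`, together with the `$WorkDirectory`, `$ActionQueueMaxDiskSpace` and `$ActionQueueSaveOnShutdown` lines from the old file.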
@@ -1,20 +1,20 @@ -#rsyslog v3 config file +# rsyslog v5 configuration file -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### -$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) -$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception -#$ModLoad imudp.so +#$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception -#$ModLoad imtcp.so +#$ModLoad imtcp #$InputTCPServerRun 514 @@ -23,10 +23,13 @@ $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat -# File syncing capability is disabled by default. This feature is usually not required, +# File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on +# Include all config files in /etc/rsyslog.d/ +$IncludeConfig /etc/rsyslog.d/*.conf + #### RULES #### @@ -36,7 +39,7 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Log anything (except mail) of level info or higher. # Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages +*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure 
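Review bot: The `/var/log/messages` selector in rsyslog.conf loses `local6.none` (it becomes `*.info;mail.none;authpriv.none;cron.none`), but rsyslog-audit.conf still feeds /var/log/audit/audit.log in as facility `local6` at severity `info`. Each audit record would then be written a second time into /var/log/messages, outside the audit log's own rotation and access controls. Keep the exclusion, `*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages`, or, if the goal is an unmodified distribution file, stop the local6 records in the drop-in after they have been forwarded. The renamed rsyslog.conf.el6 makes the same change in its `@@ -31,7 +39,7 @@` hunk.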
@@ -57,16 +60,6 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log -# monitor auditd log and send out over local6 to central loghost -$ModLoad imfile.so - -# auditd audit.log -$InputFileName /var/log/audit/audit.log -$InputFileTag tag_audit_log: -$InputFileStateFile audit_log -$InputFileSeverity info -$InputFileFacility local6 -$InputRunFileMonitor # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding @@ -76,22 +69,12 @@ $InputRunFileMonitor # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down - -# Disable rate limiting -$IMUXSockRateLimitInterval 0 -$SystemLogRateLimitInterval 0 - +#$WorkDirectory /var/lib/rsyslog # where to place spool files +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - -:msg, !contains, "type=AVC" ~ -local6.* @@log02:514 - 
diff --git a/roles/base/files/rsyslog/rsyslog.conf.releng b/roles/base/files/rsyslog/rsyslog.conf.el6 similarity index 60% rename from roles/base/files/rsyslog/rsyslog.conf.releng rename to roles/base/files/rsyslog/rsyslog.conf.el6 index 2c2852ddd1..36cea98f0e 100644 --- a/roles/base/files/rsyslog/rsyslog.conf.releng +++ b/roles/base/files/rsyslog/rsyslog.conf.el6 @@ -1,20 +1,20 @@ -#rsyslog v3 config file +# rsyslog v5 configuration file -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### -$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) -$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception -#$ModLoad imudp.so +#$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception -#$ModLoad imtcp.so +#$ModLoad imtcp #$InputTCPServerRun 514 @@ -23,6 +23,14 @@ $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat +# File syncing capability is disabled by default. This feature is usually not required, +# not useful and an extreme performance hit +#$ActionFileEnableSync on + +# Include all config files in /etc/rsyslog.d/ +$IncludeConfig /etc/rsyslog.d/*.conf + + #### RULES #### # Log all kernel messages to the console. 
@@ -31,7 +39,7 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Log anything (except mail) of level info or higher. # Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages +*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure @@ -52,6 +60,7 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple @@ -60,14 +69,12 @@ local7.* /var/log/boot.log # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down +#$WorkDirectory /var/lib/rsyslog # where to place spool files +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - 
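Review bot: Dropping `local6.none` from the /var/log/messages selector in hunk `@@ -31,7 +39,7 @@` (and again at `@@ -42,7 +51,7 @@` in rsyslog.conf.f20) means anything on facility local6 at info or above is now written to that file too. The imfile block removed elsewhere in this commit tagged audit.log records as local6 with severity info. Assuming rsyslog-audit.conf keeps that facility, audit records would be duplicated into /var/log/messages. I would keep the exclusion: `*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages`.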
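Review bot: Hunk `@@ -60,14 +69,12 @@` comments out the `$ActionQueue*` and `$ActionResumeRetryCount -1` lines, and the `@@log02:514` action moves out of this file. These legacy directives configure only the next action defined, so the forward in the rsyslog.d snippet gets a disk-assisted queue only if the snippet sets them itself. Otherwise messages produced while log02 is unreachable may be lost rather than spooled. This variant also comments out `$WorkDirectory`, which the spool files need. Please confirm rsyslog-log02.conf carries its own queue block, or add a comment here such as `# queue settings for the log02 forward live in /etc/rsyslog.d/rsyslog-log02.conf`; the same applies to `@@ -71,14 +81,11 @@` in rsyslog.conf.f20.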
diff --git a/roles/base/files/rsyslog/rsyslog.conf.kojibuilder b/roles/base/files/rsyslog/rsyslog.conf.f20 similarity index 59% rename from roles/base/files/rsyslog/rsyslog.conf.kojibuilder rename to roles/base/files/rsyslog/rsyslog.conf.f20 index 9719770987..6972b4d369 100644 --- a/roles/base/files/rsyslog/rsyslog.conf.kojibuilder +++ b/roles/base/files/rsyslog/rsyslog.conf.f20 
@@ -1,38 +1,47 @@ -#rsyslog v3 config file +# rsyslog v5 configuration file -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### -$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) -$ModLoad imjournal # provides access to the systemd journal -$ModLoad imklog # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability +# The imjournal module bellow is now used as a message source instead of imuxsock. +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imjournal # provides access to the systemd journal +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception -#$ModLoad imudp.so +#$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception -#$ModLoad imtcp.so +#$ModLoad imtcp #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### -# Include all config files in /etc/rsyslog.d/ -$IncludeConfig /etc/rsyslog.d/*.conf +# Where to place auxiliary files +$WorkDirectory /var/lib/rsyslog # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat +# File syncing capability is disabled by default. This feature is usually not required, +# not useful and an extreme performance hit +#$ActionFileEnableSync on + +# Include all config files in /etc/rsyslog.d/ +$IncludeConfig /etc/rsyslog.d/*.conf + # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. $OmitLocalLogging on # File to store the position in the journal -$StateFile imjournal.state +$IMJournalStateFile imjournal.state + #### RULES #### 
@@ -42,7 +51,7 @@ $StateFile imjournal.state # Log anything (except mail) of level info or higher. # Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages +*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure @@ -55,7 +64,7 @@ mail.* -/var/log/maillog cron.* /var/log/cron # Everybody gets emergency messages -*.emerg * +*.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler @@ -63,6 +72,7 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple @@ -71,14 +81,11 @@ local7.* /var/log/boot.log # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - 
diff --git a/roles/base/files/rsyslog/rsyslog.conf.phx2 b/roles/base/files/rsyslog/rsyslog.conf.phx2 deleted file mode 100644 index a1d425816f..0000000000 --- a/roles/base/files/rsyslog/rsyslog.conf.phx2 +++ /dev/null 
@@ -1,97 +0,0 @@ -#rsyslog v3 config file - -# if you experience problems, check -# http://www.rsyslog.com/troubleshoot for assistance - -#### MODULES #### - -$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) -$ModLoad imklog.so # provides kernel logging support (previously done by rklogd) -#$ModLoad immark.so # provides --MARK-- message capability - -# Provides UDP syslog reception -#$ModLoad imudp.so -#$UDPServerRun 514 - -# Provides TCP syslog reception -#$ModLoad imtcp.so -#$InputTCPServerRun 514 - - -#### GLOBAL DIRECTIVES #### - -# Use default timestamp format -$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat - -# File syncing capability is disabled by default. This feature is usually not required, -# not useful and an extreme performance hit -#$ActionFileEnableSync on - - -#### RULES #### - -# Log all kernel messages to the console. -# Logging much else clutters up the screen. -#kern.* /dev/console - -# Log anything (except mail) of level info or higher. -# Don't log private authentication messages! -*.info;local6.none;mail.none;authpriv.none;cron.none /var/log/messages - -# The authpriv file has restricted access. -authpriv.* /var/log/secure - -# Log all the mail messages in one place. -mail.* -/var/log/maillog - - -# Log cron stuff -cron.* /var/log/cron - -# Everybody gets emergency messages -*.emerg * - -# Save news errors of level crit and higher in a special file. -uucp,news.crit /var/log/spooler - -# Save boot messages also to boot.log -local7.* /var/log/boot.log - -# monitor auditd log and send out over local6 to central loghost -$ModLoad imfile.so - -# auditd audit.log -$InputFileName /var/log/audit/audit.log -$InputFileTag tag_audit_log: -$InputFileStateFile audit_log -$InputFileSeverity info -$InputFileFacility local6 -$InputRunFileMonitor - -# ### begin forwarding rule ### -# The statement between the begin ... end define a SINGLE forwarding -# rule. They belong together, do NOT split them. 
If you create multiple -# forwarding rules, duplicate the whole block! -# Remote Logging (we use TCP for reliable delivery) -# -# An on-disk queue is created for this action. If the remote host is -# down, messages are spooled to disk and sent when it is up again. -$WorkDirectory /var/lib/rsyslog # where to place spool files -$ActionQueueFileName fwdRule1 # unique name prefix for spool files -$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinite retries if host is down - -# Disable rate limiting -$IMUXSockRateLimitInterval 0 -$SystemLogRateLimitInterval 0 - -# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional -#*.* @@remote-host:514 -# ### end of the forwarding rule ### -cron.*;kern.*;authpriv.*;local7.*;*.info;local6.none @@log02:514 - -:msg, !contains, "type=AVC" ~ -local6.* @@log02:514 - diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 4d11550d88..7eeac12ec9 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -106,10 +106,7 @@ - name: rsyslog.conf copy: src={{ item }} dest=/etc/rsyslog.conf mode=644 first_available_file: - - "{{ rsyslogconf }}" - - rsyslog/rsyslog.conf.{{ ansible_fqdn }} - - rsyslog/rsyslog.conf.{{ host_group }} - - rsyslog/rsyslog.conf.{{ datacenter }} + - rsyslog/rsyslog.conf.{{ dist_tag }} - rsyslog/rsyslog.conf notify: @@ -118,6 +115,16 @@ - rsyslogd - config +- name: add rsyslog config to /etc/rsyslog.d + copy: src={{ item }} dest=/etc/rsyslog.d/{{ item }} mode=644 + with_items: + - rsyslog-audit.conf + - rsyslog-disablerate.conf + - rsyslog-log02.conf + tags: + - rsyslogd + - config + - name: /etc/postfix/main.cf copy: src={{ item }} dest=/etc/postfix/main.cf first_available_file: From 3dbc402ec48e3dc9319091af3551d6d58088fc23 Mon Sep 17 00:00:00 2001 
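Review bot: With `first_available_file` in hunk `@@ -106,10 +106,7 @@` reduced to `rsyslog/rsyslog.conf.{{ dist_tag }}` and `rsyslog/rsyslog.conf`, a host whose dist_tag has no matching file silently gets the generic config, and the per-host `rsyslogconf` override is gone. Forwarding to log02 and audit shipping now live only in the /etc/rsyslog.d snippets copied by the task added in the next hunk. The fallback file therefore has to contain `$IncludeConfig /etc/rsyslog.d/*.conf`, or those hosts stop sending logs without any task failing; that line is not visible in this diff, so please confirm it. A comment above the list, `# every variant listed here must include /etc/rsyslog.d/*.conf`, would record the dependency.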
From: Kevin Fenzi Date: Sat, 25 Jan 2014 17:50:43 +0000 Subject: [PATCH 106/271] These are in a subdir. --- roles/base/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 7eeac12ec9..de20946ed2 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -118,9 +118,9 @@ - name: add rsyslog config to /etc/rsyslog.d copy: src={{ item }} dest=/etc/rsyslog.d/{{ item }} mode=644 with_items: - - rsyslog-audit.conf - - rsyslog-disablerate.conf - - rsyslog-log02.conf + - rsyslog/rsyslog-audit.conf + - rsyslog/rsyslog-disablerate.conf + - rsyslog/rsyslog-log02.conf tags: - rsyslogd - config From 9c0addf17c04b4fba5261733d1d4ba85e940c31c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 17:57:18 +0000 Subject: [PATCH 107/271] More cleanup, use fileglob --- .../rsyslog/{rsyslog.conf => rsyslog.conf.default} | 0 roles/base/tasks/main.yml | 10 ++++------ 2 files changed, 4 insertions(+), 6 deletions(-) rename roles/base/files/rsyslog/{rsyslog.conf => rsyslog.conf.default} (100%) diff --git a/roles/base/files/rsyslog/rsyslog.conf b/roles/base/files/rsyslog/rsyslog.conf.default similarity index 100% rename from roles/base/files/rsyslog/rsyslog.conf rename to roles/base/files/rsyslog/rsyslog.conf.default diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index de20946ed2..2f934b61e3 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -107,7 +107,7 @@ copy: src={{ item }} dest=/etc/rsyslog.conf mode=644 first_available_file: - rsyslog/rsyslog.conf.{{ dist_tag }} - - rsyslog/rsyslog.conf + - rsyslog/rsyslog.conf.default notify: - restart rsyslog 
@@ -116,11 +116,9 @@ - config - name: add rsyslog config to /etc/rsyslog.d - copy: src={{ item }} dest=/etc/rsyslog.d/{{ item }} mode=644 - with_items: - - rsyslog/rsyslog-audit.conf - - rsyslog/rsyslog-disablerate.conf - - rsyslog/rsyslog-log02.conf + copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644 + with_fileglob: + - rsyslog/*.conf tags: - rsyslogd - config From 9d77ed603e5b900d00deebe80e6d574dd0611062 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 18:04:30 +0000 Subject: [PATCH 108/271] Notify rsyslog on adding new rsyslog.d snippets. --- roles/base/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 2f934b61e3..e99050fa91 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -119,6 +119,8 @@ copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644 with_fileglob: - rsyslog/*.conf + notify: + - restart rsyslog tags: - rsyslogd - config From 0542974bab461012db26e87486b4f0df2e2b55c0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 18:04:45 +0000 Subject: [PATCH 109/271] Try this on conditionals. --- tasks/koji/base_builder.yml | 2 +- tasks/koji/builder_kernel_config.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml index 18dc8c656a..bf08f6aa9e 100644 --- a/tasks/koji/base_builder.yml +++ b/tasks/koji/base_builder.yml @@ -109,7 +109,7 @@ - name: run netapp route command: /etc/sysconfig/network-scripts/ifup-routes eth1 - when: netapproute.stdout.find('10.5.88.0') != -1 + when: netapproute.stdout.find("10.5.88.0") != -1 - name: nfs mount points action: mount name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=mounted 
diff --git a/tasks/koji/builder_kernel_config.yml b/tasks/koji/builder_kernel_config.yml index f9fc9aa5df..a16c7ea2fc 100644 --- a/tasks/koji/builder_kernel_config.yml +++ b/tasks/koji/builder_kernel_config.yml @@ -9,7 +9,7 @@ - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 - when: max_loop.stdout.find('max_loop=64') != -1 + when: max_loop.stdout.find("max_loop=64") != -1 - name: special pkgs for the x86_64 builders yum: state=installed pkg={{ item }} From 5dd9b5f4a9440cc404555ae385e289b967b73b53 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 18:14:15 +0000 Subject: [PATCH 110/271] More tweaking to the buildvm tasks --- tasks/koji/base_builder.yml | 7 +++++-- tasks/koji/builder_kernel_config.yml | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml index bf08f6aa9e..82814f7625 100644 --- a/tasks/koji/base_builder.yml +++ b/tasks/koji/base_builder.yml @@ -96,7 +96,10 @@ - name: enable nfs-related services and run them action: service name={{ item }} enabled=true state=started with_items: - - nfs + - rpcbind + - nfs-lock + - nfs-idmap + - nfs-mountd - name: route config for netapp network action: copy src="{{ files }}/kojibuilder/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 @@ -109,7 +112,7 @@ - name: run netapp route command: /etc/sysconfig/network-scripts/ifup-routes eth1 - when: netapproute.stdout.find("10.5.88.0") != -1 + when: netapproute.stdout.find("10.5.88.0") == -1 - name: nfs mount points action: mount name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=mounted diff --git a/tasks/koji/builder_kernel_config.yml b/tasks/koji/builder_kernel_config.yml index a16c7ea2fc..b2b1ca31fc 100644 --- a/tasks/koji/builder_kernel_config.yml +++ b/tasks/koji/builder_kernel_config.yml 
@@ -9,7 +9,7 @@ - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 - when: max_loop.stdout.find("max_loop=64") != -1 + when: max_loop.stdout.find("max_loop=64") == -1 - name: special pkgs for the x86_64 builders yum: state=installed pkg={{ item }} From 2d9e1d1f10101cf3404678b8315a09e45784fe49 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 18:19:23 +0000 Subject: [PATCH 111/271] rpcbind is static in f20, no need to enable it. --- tasks/koji/base_builder.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml index 82814f7625..85ea089454 100644 --- a/tasks/koji/base_builder.yml +++ b/tasks/koji/base_builder.yml @@ -96,7 +96,6 @@ - name: enable nfs-related services and run them action: service name={{ item }} enabled=true state=started with_items: - - rpcbind - nfs-lock - nfs-idmap - nfs-mountd From 4ce16944b981ffdf968f421699e6141e25f891ef Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 18:45:57 +0000 Subject: [PATCH 112/271] More cleanup, audit and rsyslog --- tasks/koji/base_builder.yml | 4 ++-- vars/Fedora.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml index 85ea089454..dd649a2614 100644 --- a/tasks/koji/base_builder.yml +++ b/tasks/koji/base_builder.yml @@ -40,7 +40,6 @@ - name: clean up packages we do not need action: yum state=removed pkg={{ item }} with_items: - - audit - 'cronie\*' - name: add pkgs @@ -54,6 +53,8 @@ - kernel-firmware - ntp - ntpdate + - rsyslog + - audit - name: /etc/kojid/kojid.conf action: copy src="{{ files }}/kojibuilder/kojid.conf" dest=/etc/kojid/kojid.conf @@ -61,7 +62,6 @@ notify: - restart kojid - - name: arm /etc/kojid/kojid.conf action: copy src="{{ files }}/kojibuilder/arm-kojid.conf" dest=/etc/kojid/kojid.conf when: inventory_hostname.startswith(('arm01','arm03')) 
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index 42f54a6837..14ebc4cab1 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -3,4 +3,4 @@ dist_tag: f{{ ansible_distribution_version }}
 base_pkgs_inst: ['iptables-services' ]
 base_pkgs_erase: ['firewalld', 'PackageKit*', 'sendmail', 'at']
 service_disabled: [ ]
-service_enabled: [ ]
+service_enabled: ['iptables','audit']
From cf270b1f6ed97e47cee85dc8f62cf6dfd02c5c84 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sat, 25 Jan 2014 18:47:42 +0000
Subject: [PATCH 113/271] d it's got a d
---
 vars/Fedora.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index 14ebc4cab1..616b06a3bd 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -3,4 +3,4 @@ dist_tag: f{{ ansible_distribution_version }}
 base_pkgs_inst: ['iptables-services' ]
 base_pkgs_erase: ['firewalld', 'PackageKit*', 'sendmail', 'at']
 service_disabled: [ ]
-service_enabled: ['iptables','audit']
+service_enabled: ['iptables','auditd']
From e1b256394020735f4d1eb54ca4aaf7f4c25ae26b Mon Sep 17 00:00:00 2001
From: Kevin Fenzi Date: Sat, 25 Jan 2014 19:12:29 +0000 Subject: [PATCH 114/271] Move base_builder task over to a new koji_builder role and clean up. --- playbooks/groups/bkernel.yml | 2 +- playbooks/groups/buildhw.yml | 8 +- playbooks/groups/buildvm.yml | 5 +- .../koji_builder/files}/arm-koji.conf | 0 .../koji_builder/files}/arm-kojid.conf | 0 .../files}/builder-infrastructure.repo | 0 .../files}/builders/bkernel-eth0-network | 0 .../files}/builders/bkernel-site-defaults.cfg | 0 .../builders/fedora-branched-pungi-armhfp.cfg | 0 .../builders/fedora-branched-pungi-i386.cfg | 0 .../builders/fedora-branched-pungi-x86_64.cfg | 0 .../builders/fedora-rawhide-pungi-armhfp.cfg | 0 .../builders/fedora-rawhide-pungi-i386.cfg | 0 .../builders/fedora-rawhide-pungi-x86_64.cfg | 0 .../files}/builders/site-defaults.cfg | 0 .../koji_builder/files}/ftbfs_auth_keys | 0 .../koji_builder/files}/history_off.sh | 0 .../koji_builder/files}/idmapd.conf | 0 .../koji_builder/files}/koji.conf | 0 .../koji_builder/files}/kojid.conf | 0 .../koji_builder/files}/limits.conf | 0 .../koji_builder/files}/mock_auth_keys | 0 .../koji_builder/files}/root_auth_keys | 0 .../koji_builder/files}/route-eth1 | 0 roles/koji_builder/tasks/main.yml | 146 +++++++++++++++++ tasks/koji/base_builder.yml | 147 ------------------ 26 files changed, 149 insertions(+), 159 deletions(-) rename {files/kojibuilder => roles/koji_builder/files}/arm-koji.conf (100%) rename {files/kojibuilder => roles/koji_builder/files}/arm-kojid.conf (100%) rename {files/kojibuilder => roles/koji_builder/files}/builder-infrastructure.repo (100%) rename {files/kojibuilder => roles/koji_builder/files}/builders/bkernel-eth0-network (100%) rename {files/kojibuilder => roles/koji_builder/files}/builders/bkernel-site-defaults.cfg (100%) rename {files/kojibuilder => roles/koji_builder/files}/builders/fedora-branched-pungi-armhfp.cfg (100%) rename {files/kojibuilder => roles/koji_builder/files}/builders/fedora-branched-pungi-i386.cfg (100%) rename 
{files/kojibuilder => roles/koji_builder/files}/builders/fedora-branched-pungi-x86_64.cfg (100%) rename {files/kojibuilder => roles/koji_builder/files}/builders/fedora-rawhide-pungi-armhfp.cfg (100%) rename {files/kojibuilder => roles/koji_builder/files}/builders/fedora-rawhide-pungi-i386.cfg (100%) rename {files/kojibuilder => roles/koji_builder/files}/builders/fedora-rawhide-pungi-x86_64.cfg (100%) rename {files/kojibuilder => roles/koji_builder/files}/builders/site-defaults.cfg (100%) rename {files/kojibuilder => roles/koji_builder/files}/ftbfs_auth_keys (100%) rename {files/kojibuilder => roles/koji_builder/files}/history_off.sh (100%) rename {files/kojibuilder => roles/koji_builder/files}/idmapd.conf (100%) rename {files/kojibuilder => roles/koji_builder/files}/koji.conf (100%) rename {files/kojibuilder => roles/koji_builder/files}/kojid.conf (100%) rename {files/kojibuilder => roles/koji_builder/files}/limits.conf (100%) rename {files/kojibuilder => roles/koji_builder/files}/mock_auth_keys (100%) rename {files/kojibuilder => roles/koji_builder/files}/root_auth_keys (100%) rename {files/kojibuilder => roles/koji_builder/files}/route-eth1 (100%) create mode 100644 roles/koji_builder/tasks/main.yml delete mode 100644 tasks/koji/base_builder.yml diff --git a/playbooks/groups/bkernel.yml b/playbooks/groups/bkernel.yml index 0d0ce58017..663f6ef836 100644 --- a/playbooks/groups/bkernel.yml +++ b/playbooks/groups/bkernel.yml @@ -14,9 +14,9 @@ roles: - base + - koji_builder tasks: - - include: "{{ tasks }}/koji/base_builder.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml" - include: "{{ tasks }}/koji/bkernel-setup.yml" diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml index c15f185e47..ec756b50b1 100644 --- a/playbooks/groups/buildhw.yml +++ b/playbooks/groups/buildhw.yml 
@@ -15,18 +15,15 @@ roles: - base + - koji_builder tasks: - include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/hosts.yml" - - include: "{{ tasks }}/koji/base_builder.yml" handlers: - include: "{{ handlers }}/restart_services.yml" - - name: restart kojid - action: service name=kojid state=restarted - - name: make koji builder(s) on raw hw hosts: buildhw user: root @@ -47,6 +44,3 @@ handlers: - include: "{{ handlers }}/restart_services.yml" - - - name: restart kojid - action: service name=kojid state=restarted diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index ad4f6cb8bb..a6aff106fc 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -33,15 +33,12 @@ roles: - base + - koji_builder tasks: - include: "{{ tasks }}/hosts.yml" - include: "{{ tasks }}/yumrepos.yml" - - include: "{{ tasks }}/koji/base_builder.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml" handlers: - include: "{{ handlers }}/restart_services.yml" - - - name: restart kojid - action: service name=kojid state=restarted diff --git a/files/kojibuilder/arm-koji.conf b/roles/koji_builder/files/arm-koji.conf similarity index 100% rename from files/kojibuilder/arm-koji.conf rename to roles/koji_builder/files/arm-koji.conf diff --git a/files/kojibuilder/arm-kojid.conf b/roles/koji_builder/files/arm-kojid.conf similarity index 100% rename from files/kojibuilder/arm-kojid.conf rename to roles/koji_builder/files/arm-kojid.conf diff --git a/files/kojibuilder/builder-infrastructure.repo b/roles/koji_builder/files/builder-infrastructure.repo similarity index 100% rename from files/kojibuilder/builder-infrastructure.repo rename to roles/koji_builder/files/builder-infrastructure.repo diff --git a/files/kojibuilder/builders/bkernel-eth0-network b/roles/koji_builder/files/builders/bkernel-eth0-network similarity index 100% rename from files/kojibuilder/builders/bkernel-eth0-network rename to roles/koji_builder/files/builders/bkernel-eth0-network 
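Review bot: The inline `restart kojid` handler is removed from both plays in buildhw.yml and from buildvm.yml, but the new koji_builder role still has `notify: - restart kojid` on its two kojid.conf tasks. According to the diffstat, this commit creates only roles/koji_builder/tasks/main.yml for the role. Unless `{{ handlers }}/restart_services.yml` already defines a handler with exactly that name (not visible here), the notification has nothing to run and a changed kojid.conf, including its certificate settings, is not picked up. Adding roles/koji_builder/handlers/main.yml with `- name: restart kojid` and `service: name=kojid state=restarted` would keep the role self-contained.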
diff --git a/files/kojibuilder/builders/bkernel-site-defaults.cfg b/roles/koji_builder/files/builders/bkernel-site-defaults.cfg similarity index 100% rename from files/kojibuilder/builders/bkernel-site-defaults.cfg rename to roles/koji_builder/files/builders/bkernel-site-defaults.cfg diff --git a/files/kojibuilder/builders/fedora-branched-pungi-armhfp.cfg b/roles/koji_builder/files/builders/fedora-branched-pungi-armhfp.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-branched-pungi-armhfp.cfg rename to roles/koji_builder/files/builders/fedora-branched-pungi-armhfp.cfg diff --git a/files/kojibuilder/builders/fedora-branched-pungi-i386.cfg b/roles/koji_builder/files/builders/fedora-branched-pungi-i386.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-branched-pungi-i386.cfg rename to roles/koji_builder/files/builders/fedora-branched-pungi-i386.cfg diff --git a/files/kojibuilder/builders/fedora-branched-pungi-x86_64.cfg b/roles/koji_builder/files/builders/fedora-branched-pungi-x86_64.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-branched-pungi-x86_64.cfg rename to roles/koji_builder/files/builders/fedora-branched-pungi-x86_64.cfg diff --git a/files/kojibuilder/builders/fedora-rawhide-pungi-armhfp.cfg b/roles/koji_builder/files/builders/fedora-rawhide-pungi-armhfp.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-rawhide-pungi-armhfp.cfg rename to roles/koji_builder/files/builders/fedora-rawhide-pungi-armhfp.cfg diff --git a/files/kojibuilder/builders/fedora-rawhide-pungi-i386.cfg b/roles/koji_builder/files/builders/fedora-rawhide-pungi-i386.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-rawhide-pungi-i386.cfg rename to roles/koji_builder/files/builders/fedora-rawhide-pungi-i386.cfg 
diff --git a/files/kojibuilder/builders/fedora-rawhide-pungi-x86_64.cfg b/roles/koji_builder/files/builders/fedora-rawhide-pungi-x86_64.cfg similarity index 100% rename from files/kojibuilder/builders/fedora-rawhide-pungi-x86_64.cfg rename to roles/koji_builder/files/builders/fedora-rawhide-pungi-x86_64.cfg diff --git a/files/kojibuilder/builders/site-defaults.cfg b/roles/koji_builder/files/builders/site-defaults.cfg similarity index 100% rename from files/kojibuilder/builders/site-defaults.cfg rename to roles/koji_builder/files/builders/site-defaults.cfg diff --git a/files/kojibuilder/ftbfs_auth_keys b/roles/koji_builder/files/ftbfs_auth_keys similarity index 100% rename from files/kojibuilder/ftbfs_auth_keys rename to roles/koji_builder/files/ftbfs_auth_keys diff --git a/files/kojibuilder/history_off.sh b/roles/koji_builder/files/history_off.sh similarity index 100% rename from files/kojibuilder/history_off.sh rename to roles/koji_builder/files/history_off.sh diff --git a/files/kojibuilder/idmapd.conf b/roles/koji_builder/files/idmapd.conf similarity index 100% rename from files/kojibuilder/idmapd.conf rename to roles/koji_builder/files/idmapd.conf diff --git a/files/kojibuilder/koji.conf b/roles/koji_builder/files/koji.conf similarity index 100% rename from files/kojibuilder/koji.conf rename to roles/koji_builder/files/koji.conf diff --git a/files/kojibuilder/kojid.conf b/roles/koji_builder/files/kojid.conf similarity index 100% rename from files/kojibuilder/kojid.conf rename to roles/koji_builder/files/kojid.conf diff --git a/files/kojibuilder/limits.conf b/roles/koji_builder/files/limits.conf similarity index 100% rename from files/kojibuilder/limits.conf rename to roles/koji_builder/files/limits.conf diff --git a/files/kojibuilder/mock_auth_keys b/roles/koji_builder/files/mock_auth_keys similarity index 100% rename from files/kojibuilder/mock_auth_keys rename to roles/koji_builder/files/mock_auth_keys 
diff --git a/files/kojibuilder/root_auth_keys b/roles/koji_builder/files/root_auth_keys similarity index 100% rename from files/kojibuilder/root_auth_keys rename to roles/koji_builder/files/root_auth_keys diff --git a/files/kojibuilder/route-eth1 b/roles/koji_builder/files/route-eth1 similarity index 100% rename from files/kojibuilder/route-eth1 rename to roles/koji_builder/files/route-eth1 diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml new file mode 100644 index 0000000000..faaa6cc6e7 --- /dev/null +++ b/roles/koji_builder/tasks/main.yml 
@@ -0,0 +1,146 @@ +# +# This is a base koji_builder role. +# +- name: set root passwd + user: name=root password={{ builder_rootpw }} state=present + +- name: add mock user as 425 + used: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes + +- name: make mock homedir perms + file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock + +- name: add mock ssh dir + file: state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock + +- name: add mock ssh keys + copy: src=mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock + +- name: add kojibuilder + user: name=kojibuilder groups=mock + +- name: add mockbuilder + user: name=mockbuilder groups=mock + +- name: mockbuilder .ssh dir + file: state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder + +- name: mockbuilder ssh key + copy: src=ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder + +- name: make a bunch of dirs + file: state=directory path={{ item }} + with_items: + - /pub + - /mnt/fedora_koji + - /pub/fedora + - /pub/epel + +- name: add builder infra yum repo + copy: src=builder-infrastructure.repo dest=/etc/yum.repos.d/builder-infrastructure.repo + +- name: clean up packages we do not need + yum: state=removed pkg={{ item }} + with_items: + - 'cronie\*' + +- name: add pkgs + yum: state=installed pkg={{ item }} + with_items: + - yum-utils + - koji-builder + - strace + - mock + - nfs-utils + - kernel-firmware + - ntp + - ntpdate + - rsyslog + - audit + +- name: /etc/kojid/kojid.conf + copy: src=kojid.conf dest=/etc/kojid/kojid.conf + when: not inventory_hostname.startswith(('arm01','arm03')) + notify: + - restart kojid + +- name: arm /etc/kojid/kojid.conf + copy: src=arm-kojid.conf dest=/etc/kojid/kojid.conf + when: inventory_hostname.startswith(('arm01','arm03')) + notify: + - restart kojid + +- name: /etc/koji/koji.conf + copy: src=koji.conf 
dest=/etc/koji.conf + when: not inventory_hostname.startswith(('arm01','arm03')) + +- name: /etc/koji/koji.conf + copy: src=arm-koji.conf dest=/etc/koji.conf + when: inventory_hostname.startswith(('arm01','arm03')) + +- name: copy over koji ca cert + copy: src="{{ private }}/files/koji/buildercerts/fedora-ca.cert" dest=/etc/kojid/cacert.pem + +- name: copy over /etc/security/limits.conf + copy: src=limits.conf dest=/etc/security/limits.conf + +- name: copy over builder cert to /etc/kojid/kojibuilder.pem + copy: src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600 + +# idmapd and make sure it's set to run +- name: idmapd.conf + copy: src=idmapd.conf dest=/etc/idmapd.conf + tags: + - configs + +- name: route config for netapp network + copy: src=route-eth1 dest=/etc/sysconfig/network-scripts/route-eth1 + +- name: check for netapp route + command: ip route show + register: netapproute + always_run: yes + changed_when: "1 != 1" + +- name: run netapp route + command: /etc/sysconfig/network-scripts/ifup-routes eth1 + when: netapproute.stdout.find("10.5.88.0") == -1 + +- name: nfs mount points + mount: name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=mounted + when: inventory_hostname.startswith('build') + +- name: make a mnt/koji link + file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji + when: inventory_hostname.startswith('build') + +# mock configs for pungify job +- name: put extra special mock configs in + copy: src=builders/{{ item }} dest="/etc/mock/{{ item }}" mode=644 + with_items: + - fedora-branched-pungi-armhfp.cfg + - fedora-branched-pungi-i386.cfg + - fedora-branched-pungi-x86_64.cfg + - fedora-rawhide-pungi-i386.cfg + - fedora-rawhide-pungi-x86_64.cfg + - fedora-rawhide-pungi-armhfp.cfg + +- name: mock site-defaults.cfg + copy: src=builders/site-defaults.cfg 
dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock + when: not inventory_hostname.startswith('bkernel') + +- name: ntp steptickers + copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers + +- name: ntp.conf + copy: src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf + +- name: enable services and start them + service: name={{ item }} enabled=true state=started + with_items: + - iptables + - kojid + - ntpd + - nfs-lock + - nfs-idmap + - nfs-mountd diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml deleted file mode 100644 index dd649a2614..0000000000 --- a/tasks/koji/base_builder.yml +++ /dev/null 
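Review bot: The second task of the new role reads `used: name=mock uid=425 ...`, which is not a module name, so the role fails before the mock account exists. It should be `user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes`, as in the task file this replaces. Separately, the `mockbuilder ssh key` task installs authorized_keys with `mode=644`, while the mock user's copy uses `mode=640`; `mode=600` on both would match the `mode=700` .ssh directories and stop other local accounts from reading which keys are trusted. The `set root passwd` task passes `{{ builder_rootpw }}` straight to `password=`, which expects an already-crypted hash. A comment such as `# builder_rootpw must be a crypt(3) hash from the private vars` would make that requirement explicit.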
@@ -1,147 +0,0 @@ -- name: set root passwd - action: user name=root password={{ builder_rootpw }} state=present - -- name: add mock user as 425 - action: user name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes - -- name: make mock homedir perms - action: file state=directory path=/var/lib/mock mode=2775 owner=root group=mock - -- name: add mock ssh dir - action: file state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock - -- name: add mock ssh keys - action: copy src="{{ files }}/kojibuilder/mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock - -- name: add kojibuilder - action: user name=kojibuilder groups=mock - -- name: add mockbuilder - action: user name=mockbuilder groups=mock - -- name: mockbuilder .ssh dir - action: file state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder - -- name: mockbuilder ssh key - action: copy src="{{ files }}/kojibuilder/ftbfs_auth_keys" dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder - -- name: make a bunch of dirs - action: file state=directory path={{ item }} - with_items: - - /pub - - /mnt/fedora_koji - - /pub/fedora - - /pub/epel - - /var/spool/rsyslog - -- name: add builder infra yum repo - action: copy src="{{ files }}/kojibuilder/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo - -- name: clean up packages we do not need - action: yum state=removed pkg={{ item }} - with_items: - - 'cronie\*' - -- name: add pkgs - action: yum state=installed pkg={{ item }} - with_items: - - yum-utils - - koji-builder - - strace - - mock - - nfs-utils - - kernel-firmware - - ntp - - ntpdate - - rsyslog - - audit - -- name: /etc/kojid/kojid.conf - action: copy src="{{ files }}/kojibuilder/kojid.conf" dest=/etc/kojid/kojid.conf - when: not inventory_hostname.startswith(('arm01','arm03')) - notify: - - restart kojid - -- name: arm /etc/kojid/kojid.conf - action: 
copy src="{{ files }}/kojibuilder/arm-kojid.conf" dest=/etc/kojid/kojid.conf - when: inventory_hostname.startswith(('arm01','arm03')) - notify: - - restart kojid - -- name: /etc/koji/koji.conf - action: copy src="{{ files }}/kojibuilder/koji.conf" dest=/etc/koji.conf - when: not inventory_hostname.startswith(('arm01','arm03')) - -- name: /etc/koji/koji.conf - action: copy src="{{ files }}/kojibuilder/arm-koji.conf" dest=/etc/koji.conf - when: inventory_hostname.startswith(('arm01','arm03')) - -- name: copy over koji ca cert - action: copy src="{{ private }}/files/koji/buildercerts/fedora-ca.cert" dest=/etc/kojid/cacert.pem - -- name: copy over /etc/security/limits.conf - action: copy src="{{ files }}/kojibuilder/limits.conf" dest=/etc/security/limits.conf - -- name: copy over builder cert to /etc/kojid/kojibuilder.pem - action: copy src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600 - -- name: chkconfig kojid on and leave it running - action: service name=kojid enabled=on state=started - -# idmapd and make sure it's set to run -- name: idmapd.conf - action: copy src="{{ files }}/kojibuilder/idmapd.conf" dest=/etc/idmapd.conf - tags: - - configs -- name: enable nfs-related services and run them - action: service name={{ item }} enabled=true state=started - with_items: - - nfs-lock - - nfs-idmap - - nfs-mountd - -- name: route config for netapp network - action: copy src="{{ files }}/kojibuilder/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 - -- name: check for netapp route - command: ip route show - register: netapproute - always_run: yes - changed_when: "1 != 1" - -- name: run netapp route - command: /etc/sysconfig/network-scripts/ifup-routes eth1 - when: netapproute.stdout.find("10.5.88.0") == -1 - -- name: nfs mount points - action: mount name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 
dump=0 state=mounted - when: inventory_hostname.startswith('build') - -- name: make a mnt/koji link - action: file state=link src=/mnt/fedora_koji/koji dest=/mnt/koji - when: inventory_hostname.startswith('build') - -# mock configs for pungify job -# TODO: restore this to "copy:", this is a temporary "fix" for https://github.com/ansible/ansible/issues/4377 -- name: put extra special mock configs in - template: src="{{ files }}/kojibuilder/builders/{{ item }}" dest="/etc/mock/{{ item }}" mode=644 - with_items: - - fedora-branched-pungi-armhfp.cfg - - fedora-branched-pungi-i386.cfg - - fedora-branched-pungi-x86_64.cfg - - fedora-rawhide-pungi-i386.cfg - - fedora-rawhide-pungi-x86_64.cfg - - fedora-rawhide-pungi-armhfp.cfg - -- name: mock site-defaults.cfg - action: copy src="{{ files }}/kojibuilder/builders/site-defaults.cfg" dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock - when: not inventory_hostname.startswith('bkernel') - -- name: ntp steptickers - action: copy src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers - -- name: ntp.conf - action: copy src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf - -- name: enable ntpd - action: service name=ntpd enabled=true state=started From 18a98f6ed150c19887b96736ad8cd2e01405f311 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 19:14:03 +0000 Subject: [PATCH 115/271] FIx typo --- roles/koji_builder/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index faaa6cc6e7..94e23d31b2 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml 
@@ -5,7 +5,7 @@ user: name=root password={{ builder_rootpw }} state=present - name: add mock user as 425 - used: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes + user: name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes - name: make mock homedir perms file: state=directory path=/var/lib/mock mode=2775 owner=root group=mock From 0c3a84f8417b5485e94667b74ce30c57fda04900 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 19:24:19 +0000 Subject: [PATCH 116/271] Add kojid handler --- handlers/restart_services.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 5fdb70786d..d0d895aa63 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -29,6 +29,9 @@ - name: restart jenkins action: service name=jenkins state=restarted +- name: restart kojid + action: service name=kojid state=restarted + - name: restart libvirtd action: service name=libvirtd state=restarted From 1ec4410d432e4411fb753cb299e3361c42315a83 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 19:29:37 +0000 Subject: [PATCH 117/271] Drop some iptables restarting thats not needed. --- roles/koji_builder/tasks/main.yml | 1 - vars/Fedora.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 94e23d31b2..a191d9e521 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -138,7 +138,6 @@ - name: enable services and start them service: name={{ item }} enabled=true state=started with_items: - - iptables - kojid - ntpd - nfs-lock diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 616b06a3bd..f60970d117 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml 
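Review bot: With `- iptables` dropped from the `enable services and start them` list here, and `'iptables'` dropped from `service_enabled` in the vars/Fedora.yml hunk of the same commit, nothing visible in this patch still enables and starts the packet filter, while `base_pkgs_erase` keeps removing firewalld. If a separate task owns the iptables service this is fine, but a freshly provisioned host then depends on that task silently. I would record the owner next to the list, e.g. `# iptables is enabled and started by <task that owns it>`, or keep the entry if no such task exists. The role's task list starts and continues outside this hunk.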
@@ -3,4 +3,4 @@ dist_tag: f{{ ansible_distribution_version }} base_pkgs_inst: ['iptables-services' ] base_pkgs_erase: ['firewalld', 'PackageKit*', 'sendmail', 'at'] service_disabled: [ ] -service_enabled: ['iptables','auditd'] +service_enabled: ['auditd'] From f1e5089967699352c5297748141bc4e9628c1654 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 19:39:56 +0000 Subject: [PATCH 118/271] Move kojid restart to after hosts file setup task --- playbooks/groups/buildvm.yml | 3 +++ roles/koji_builder/tasks/main.yml | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index a6aff106fc..cf6db7997e 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -40,5 +40,8 @@ - include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml" + - name: restart kojid + action: service name=kojid state=restarted + handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index a191d9e521..b83b3c9861 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -138,7 +138,6 @@ - name: enable services and start them service: name={{ item }} enabled=true state=started with_items: - - kojid - ntpd - nfs-lock - nfs-idmap From f2799983ecdb2c2cd54bfc8457e41840b06b78cc Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 25 Jan 2014 19:42:21 +0000 Subject: [PATCH 119/271] Change this to just running. --- playbooks/groups/buildvm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index cf6db7997e..0222f61859 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml 
@@ -40,8 +40,8 @@ - include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/koji/builder_kernel_config.yml" - - name: restart kojid - action: service name=kojid state=restarted + - name: make sure kojid is running + action: service name=kojid state=running handlers: - include: "{{ handlers }}/restart_services.yml" From 1a7fefbe68bd9a1f6f41fd00d51aa0e066483043 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 26 Jan 2014 01:10:38 +0000 Subject: [PATCH 120/271] Fix typo with arm repos --- tasks/yumrepos.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml index f3af6f7def..f92af0a840 100644 --- a/tasks/yumrepos.yml +++ b/tasks/yumrepos.yml @@ -21,7 +21,7 @@ - packages - name: put fedora repos on arm systems - action: copy src="{{ files }}/common/{{ item-arm }}" dest="/etc/yum.repos.d/{{ item }}" + action: copy src="{{ files }}/common/{{ item }}-arm" dest="/etc/yum.repos.d/{{ item }}" with_items: - fedora.repo - fedora-updates.repo From 28c71b250103092c1b5e0d41f779aeac4baf2866 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 26 Jan 2014 01:30:36 +0000 Subject: [PATCH 121/271] Exclude arm here too. --- roles/base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index e99050fa91..1f1e39948c 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -32,7 +32,7 @@ user: name=root password={{ rootpw }} state=present tags: - rootpw - when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng')) + when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng')) or inventory_hostname.startswith('arm') - name: add ansible root key authorized_key: user=root key="{{ item }}" From b02fc093b264a170ecb4e9c98484aa4fd05ea828 Mon Sep 17 00:00:00 2001 
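Review bot: The new task `service name=kojid state=running` only makes sure kojid is up at the end of this run, and the previous commit removed kojid from the role's `enabled=true state=started` list, so nothing visible enables the service at boot any more. A rebooted builder would then stay idle until the next playbook run. Keeping the flag on the replacement task restores the earlier behaviour: `action: service name=kojid enabled=true state=running`. The play's task list begins outside this hunk.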
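Review bot: The added `or inventory_hostname.startswith('arm')` sits outside the `not (...)`, so in roles/base/tasks/main.yml the condition is still true for arm hosts and the root password task keeps running on them, the opposite of what the subject line says. The prefix has to go inside the negated group; the tuple form already used in roles/koji_builder keeps that short: `when: not inventory_hostname.startswith(('build','releng','arm'))`. The task this `when:` belongs to starts in the hunk's leading context, and the file continues outside the hunk.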
From: Kevin Fenzi Date: Sun, 26 Jan 2014 01:36:43 +0000 Subject: [PATCH 122/271] Move ) to the right place. --- roles/base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 1f1e39948c..b46dca12bc 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -32,7 +32,7 @@ user: name=root password={{ rootpw }} state=present tags: - rootpw - when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng')) or inventory_hostname.startswith('arm') + when: not (inventory_hostname.startswith('build') or inventory_hostname.startswith('releng') or inventory_hostname.startswith('arm')) - name: add ansible root key authorized_key: user=root key="{{ item }}" From 46e456de79dac087ce279c0847eb8ef54661c0ef Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 26 Jan 2014 01:57:30 +0000 Subject: [PATCH 123/271] Dont add netapp route on arm machines. --- roles/koji_builder/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index b83b3c9861..ffa95265d9 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -104,7 +104,7 @@ - name: run netapp route command: /etc/sysconfig/network-scripts/ifup-routes eth1 - when: netapproute.stdout.find("10.5.88.0") == -1 + when: netapproute.stdout.find("10.5.88.0") == -1 and not inventory_hostname.startswith('arm') - name: nfs mount points mount: name=/mnt/fedora_koji src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_koji fstype=nfs opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=mounted From 7461ae98702edc7f7ad48ad58d55ac7e8b30cac7 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Mon, 27 Jan 2014 16:37:42 +0000 Subject: [PATCH 124/271] Gross hack for now until I figure a better way to share this --- tasks/koji/releng_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/koji/releng_config.yml b/tasks/koji/releng_config.yml index 34ece6ad82..7a5cb3f087 100644 --- a/tasks/koji/releng_config.yml +++ b/tasks/koji/releng_config.yml @@ -8,7 +8,7 @@ - name: add mock ssh dir action: file state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock - name: add mock ssh keys - action: copy src="{{ files }}/kojibuilder/mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=644 owner=mock group=mock + action: copy src="{{ files }}/../roles/koji_builder/files//mock_auth_keys" dest=/var/lib/mock/.ssh/authorized_keys mode=644 owner=mock group=mock - name: add ftpsync group action: group name=ftpsync gid=263 system=yes state=present From 5e73d51832a124922a9748af9e0788e7110a9576 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 27 Jan 2014 16:57:37 +0000 Subject: [PATCH 125/271] More hackery --- tasks/koji/releng_config.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/koji/releng_config.yml b/tasks/koji/releng_config.yml index 7a5cb3f087..9f20f0433d 100644 --- a/tasks/koji/releng_config.yml +++ b/tasks/koji/releng_config.yml @@ -67,7 +67,7 @@ action: file src=/mnt/fedora_koji/compose/cache dest=/srv/pungi/cache state=link - name: add builder infra yum repo - action: copy src="{{ files }}/kojibuilder/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo + action: copy src="{{ files }}/../roles/koji_builder/files/builder-infrastructure.repo" dest=/etc/yum.repos.d/builder-infrastructure.repo tags: - configs 
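Review bot: The source path `{{ files }}/../roles/koji_builder/files//mock_auth_keys` climbs out of the files tree into another role and carries a doubled slash; the same pattern recurs in the four hunks of the following commit, once as `{{ files }}//../roles/...`. This file becomes the mock user's authorized_keys, so where it is read from deserves one named location rather than a relative path repeated per task. A variable defined once, for example `koji_builder_files: "{{ files }}/../roles/koji_builder/files"` (name constructed for illustration), would let each task read `src="{{ koji_builder_files }}/mock_auth_keys"` and make a later role rename a one-line change.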
@@ -93,7 +93,7 @@ - pykickstart - name: /etc/koji/koji.conf - action: copy src="{{ files }}/kojibuilder/koji.conf" dest=/etc/koji.conf + action: copy src="{{ files }}//../roles/koji_builder/files/koji.conf" dest=/etc/koji.conf # mock configs @@ -109,7 +109,7 @@ # idmapd and make sure it's set to run - name: idmapd.conf - action: copy src="{{ files }}/kojibuilder/idmapd.conf" dest=/etc/idmapd.conf + action: copy src="{{ files }}/../roles/koji_builder/files//idmapd.conf" dest=/etc/idmapd.conf tags: - configs @@ -123,7 +123,7 @@ - name: route to netapp network - action: copy src="{{ files }}/kojibuilder/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 + action: copy src="{{ files }}/../roles/koji_builder/files/route-eth1" dest=/etc/sysconfig/network-scripts/route-eth1 notify: - restart netapproute From 68be0f0f3c361e0c247608dcf46c781933152680 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 27 Jan 2014 23:57:45 +0000 Subject: [PATCH 126/271] Drop accel from buildhw, the arm network isn't allowing it. --- playbooks/groups/buildhw.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml index ec756b50b1..be85d288d8 100644 --- a/playbooks/groups/buildhw.yml +++ b/playbooks/groups/buildhw.yml @@ -6,7 +6,6 @@ hosts: buildhw;buildppc;buildarm user: root gather_facts: True - accellerate: True vars_files: - /srv/web/infra/ansible/vars/global.yml @@ -28,7 +27,6 @@ hosts: buildhw user: root gather_facts: True - accellerate: True vars_files: - /srv/web/infra/ansible/vars/global.yml From 79773578b5d9f613dec53721d676dd80803af344 Mon Sep 17 00:00:00 2001 From: "janez.nemanic" Date: Mon, 27 Jan 2014 19:55:41 +0000 Subject: [PATCH 127/271] Add pyflakes parser to jenkins --- ...son.plugins.warnings.WarningsPublisher.xml | 24 +++++++++++++++++++ playbooks/groups/jenkins-cloud.yml | 2 ++ 2 files changed, 26 insertions(+) create mode 100644 files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml 
diff --git a/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml b/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml new file mode 100644 index 0000000000..130e516828 --- /dev/null +++ b/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml @@ -0,0 +1,24 @@ +hudson.plugins.warnings.WarningsPublisher.xml +============================================= + + + + + + pyflakes + ^(.*):([0-9]*):(.*)$ + + + https://pypi.python.org/pypi/pyflakes + pyflakes errors + + + diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index 21d55b87b8..7b6b5e748c 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml @@ -224,6 +224,7 @@ - asciidoc # Required by javapackages-tools - xmlto # Required by javapackages-tools - pycairo-devel # Required by dogtail + - pyflakes # Requested by user rholy (ticket #4175) tags: - packages @@ -299,6 +300,7 @@ - lvm2 - sshpass # End requires for Cockpit - tito # Requested by msrb for javapackages-tools and xmvn (ticket#4113) + - pyflakes # Requested by user rholy (ticket #4175) tags: - packages From e05439c3c657de6b68464cadc0244ec0cd8efd6d Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 28 Jan 2014 18:51:52 +0000 Subject: [PATCH 128/271] Add fedocal fedmsg endpoints. --- roles/fedmsg_base/tasks/main.yml | 1 + .../templates/endpoints-fedocal.py.j2 | 20 +++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 roles/fedmsg_base/templates/endpoints-fedocal.py.j2 diff --git a/roles/fedmsg_base/tasks/main.yml b/roles/fedmsg_base/tasks/main.yml index e2d73fca73..9b47e9f28b 100644 --- a/roles/fedmsg_base/tasks/main.yml +++ b/roles/fedmsg_base/tasks/main.yml @@ -19,6 +19,7 @@ with_items: - ssl.py - endpoints.py + - endpoints-fedocal.py - endpoints-fedbadges.py - endpoints-nuancier.py - endpoints-mailman.py 
diff --git a/roles/fedmsg_base/templates/endpoints-fedocal.py.j2 b/roles/fedmsg_base/templates/endpoints-fedocal.py.j2 new file mode 100644 index 0000000000..f213dcc25d --- /dev/null +++ b/roles/fedmsg_base/templates/endpoints-fedocal.py.j2 @@ -0,0 +1,20 @@ +{% if env == 'staging' %} +suffix = 'stg.phx2.fedoraproject.org' +{% else %} +suffix = 'phx2.fedoraproject.org' +{% endif %} + +config = dict( + endpoints={ + "fedocal.fedocal01": [ + "tcp://fedocal01.%s:30%02i" % (suffix, i) + for i in range(2) + ], +{% if env != 'staging' %} + "fedocal.fedocal02": [ + "tcp://fedocal02.%s:30%02i" % (suffix, i) + for i in range(2) + ], +{% endif %} + }, +) From 091a117c4f63e9655a7f3dafefa3868b855ffa6a Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 28 Jan 2014 19:51:26 +0000 Subject: [PATCH 129/271] A custom selinux module for fedmsg. --- roles/fedmsg_base/files/selinux/fedmsg.mod | Bin 0 -> 903 bytes roles/fedmsg_base/files/selinux/fedmsg.pp | Bin 0 -> 919 bytes roles/fedmsg_base/files/selinux/fedmsg.te | 11 +++++++++++ roles/fedmsg_base/tasks/main.yml | 12 ++++++++++++ 4 files changed, 23 insertions(+) create mode 100644 roles/fedmsg_base/files/selinux/fedmsg.mod create mode 100644 roles/fedmsg_base/files/selinux/fedmsg.pp create mode 100644 roles/fedmsg_base/files/selinux/fedmsg.te diff --git a/roles/fedmsg_base/files/selinux/fedmsg.mod b/roles/fedmsg_base/files/selinux/fedmsg.mod new file mode 100644 index 0000000000000000000000000000000000000000..13953aa520e4f9bdb87bf6f34c71cda5aec5b365 GIT binary patch literal 903 zcmb`F%?`mp6orp}vEUUvf$#=4cC0)=gHEZ?icZ7AD|lcla+s5hM#aLHOlErTxp!_e z=X$@~dI08={xnYVbAOhG`OZ`UbO2NUwDF<|ATr@TTh{=L2E(yS_^^Ph?t=Q}PNH~c z8cuUM#@0x{TO>-CTeGsk(Z8VVOgJr9*Y!|O;@2&bGzsD)4Na5IOiz#(rjfl|BC+$&P&JA cojm)C#*`uXcFM_c@1|0gI}PScn+a literal 0 HcmV?d00001 
diff --git a/roles/fedmsg_base/files/selinux/fedmsg.pp b/roles/fedmsg_base/files/selinux/fedmsg.pp new file mode 100644 index 0000000000000000000000000000000000000000..7620bdf0fd5e285f11443040ad35d048a52801cd GIT binary patch literal 919 zcmb_aOAY}+6fA$Sz!984xPgrwD+ichdKh6wXkpY8+2 z@8??q09PBp<$k`k08ECRQJfr3opBl-)}{!c;b?WdPz4Z~aI;^O0Q9@Pfou4XcG(s6 z&7FwiwW&Da<1V&F1l}T2I$N2!4R-zod1r!dxtdNxnuI?$P0}QYlQcBZKCm@6mB(IM zyA1>TRQUpp%RHePK?7Xs)2Qk`vOMwqA0VWyzToqI(aLi8s6!lO literal 0 HcmV?d00001 diff --git a/roles/fedmsg_base/files/selinux/fedmsg.te b/roles/fedmsg_base/files/selinux/fedmsg.te new file mode 100644 index 0000000000..ba2a3c12ff --- /dev/null +++ b/roles/fedmsg_base/files/selinux/fedmsg.te @@ -0,0 +1,11 @@ + +module fedmsg 1.0; + +require { + type anon_inodefs_t; + type httpd_t; + class file write; +} + +#============= httpd_t ============== +allow httpd_t anon_inodefs_t:file write; diff --git a/roles/fedmsg_base/tasks/main.yml b/roles/fedmsg_base/tasks/main.yml index 9b47e9f28b..d97e30cd16 100644 --- a/roles/fedmsg_base/tasks/main.yml +++ b/roles/fedmsg_base/tasks/main.yml @@ -70,3 +70,15 @@ when: fedmsg_certs != [] tags: - config + +# Three tasks for handling our custom selinux module +- name: ensure a directory exists for our custom selinux module + file: dest=/usr/local/share/fedmsg state=directory + +- name: copy over our custom selinux module + copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp + register: selinux_module + +- name: install our custom selinux module + command: semanage -i /usr/local/share/fedmsg/fedmsg.pp + when: selinux_module|changed From eb66da624b10f9c58f0d65e4700daf20b6894bf2 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 28 Jan 2014 19:57:21 +0000 Subject: [PATCH 130/271] s/semanage/semodule/ --- roles/fedmsg_base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fedmsg_base/tasks/main.yml b/roles/fedmsg_base/tasks/main.yml index d97e30cd16..11afc58fc7 100644 
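Review bot: In fedmsg.te, `allow httpd_t anon_inodefs_t:file write;` applies to everything that runs in the httpd_t domain on these hosts, and the file does not say which denial it answers. A header comment such as `# Allows <service> under httpd_t to <operation>; from the AVC denial in <ticket or log reference>` would let a later reader judge whether the rule can be narrowed or dropped. The compiled fedmsg.mod and fedmsg.pp committed next to it cannot be checked against this source in review; recording the build commands (checkmodule and semodule_package) in that comment, or building the package from the .te at deploy time, would close that gap.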
--- a/roles/fedmsg_base/tasks/main.yml +++ b/roles/fedmsg_base/tasks/main.yml @@ -80,5 +80,5 @@ register: selinux_module - name: install our custom selinux module - command: semanage -i /usr/local/share/fedmsg/fedmsg.pp + command: semodule -i /usr/local/share/fedmsg/fedmsg.pp when: selinux_module|changed From 14dc12d5c93cd7080fb9ce93fdcae8857dab81f1 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 29 Jan 2014 01:10:07 +0000 Subject: [PATCH 131/271] Prepare for python-openid hotfix --- files/hotfix/python-openid/fetchers.py | 427 +++++++++++++++++++++++++ 1 file changed, 427 insertions(+) create mode 100644 files/hotfix/python-openid/fetchers.py diff --git a/files/hotfix/python-openid/fetchers.py b/files/hotfix/python-openid/fetchers.py new file mode 100644 index 0000000000..944e2157ae --- /dev/null +++ b/files/hotfix/python-openid/fetchers.py 
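Review bot: The corrected `semodule -i` still runs only `when: selinux_module|changed`, so on any host that already ran the previous commit the copy task reports no change and the module is never loaded, assuming the earlier `semanage -i` call failed there. The same gap reopens whenever the install fails once or the module is removed by hand. Gating on the loaded state as well fixes both cases; the check can follow the read-only pattern that `check for netapp route` uses in roles/koji_builder. The copy task that registers `selinux_module` starts above this hunk.

```yaml
- name: check whether the fedmsg selinux module is loaded
  command: semodule -l
  register: selinux_loaded
  always_run: yes
  changed_when: "1 != 1"

- name: install our custom selinux module
  # … unchanged: command line …
  when: selinux_module|changed or selinux_loaded.stdout.find("fedmsg") == -1
```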
@@ -0,0 +1,427 @@ +# -*- test-case-name: openid.test.test_fetchers -*- +""" +This module contains the HTTP fetcher interface and several implementations. +""" + +__all__ = ['fetch', 'getDefaultFetcher', 'setDefaultFetcher', 'HTTPResponse', + 'HTTPFetcher', 'createHTTPFetcher', 'HTTPFetchingError', + 'HTTPError'] + +import urllib2 +import time +import cStringIO +import sys + +import openid +import openid.urinorm + +# Try to import httplib2 for caching support +# http://bitworking.org/projects/httplib2/ +try: + import httplib2 +except ImportError: + # httplib2 not available + httplib2 = None + +# try to import pycurl, which will let us use CurlHTTPFetcher +try: + import pycurl +except ImportError: + pycurl = None + +USER_AGENT = "python-openid/%s (%s)" % (openid.__version__, sys.platform) +MAX_RESPONSE_KB = 1024 + +def fetch(url, body=None, headers=None): + """Invoke the fetch method on the default fetcher. Most users + should need only this method. + + @raises Exception: any exceptions that may be raised by the default fetcher + """ + fetcher = getDefaultFetcher() + return fetcher.fetch(url, body, headers) + +def createHTTPFetcher(): + """Create a default HTTP fetcher instance + + prefers Curl to urllib2.""" + if pycurl is None: + fetcher = Urllib2Fetcher() + else: + fetcher = CurlHTTPFetcher() + + return fetcher + +# Contains the currently set HTTP fetcher. If it is set to None, the +# library will call createHTTPFetcher() to set it. Do not access this +# variable outside of this module. +_default_fetcher = None + +def getDefaultFetcher(): + """Return the default fetcher instance + if no fetcher has been set, it will create a default fetcher. 
+ + @return: the default fetcher + @rtype: HTTPFetcher + """ + global _default_fetcher + + if _default_fetcher is None: + setDefaultFetcher(createHTTPFetcher()) + + return _default_fetcher + +def setDefaultFetcher(fetcher, wrap_exceptions=True): + """Set the default fetcher + + @param fetcher: The fetcher to use as the default HTTP fetcher + @type fetcher: HTTPFetcher + + @param wrap_exceptions: Whether to wrap exceptions thrown by the + fetcher wil HTTPFetchingError so that they may be caught + easier. By default, exceptions will be wrapped. In general, + unwrapped fetchers are useful for debugging of fetching errors + or if your fetcher raises well-known exceptions that you would + like to catch. + @type wrap_exceptions: bool + """ + global _default_fetcher + if fetcher is None or not wrap_exceptions: + _default_fetcher = fetcher + else: + _default_fetcher = ExceptionWrappingFetcher(fetcher) + +def usingCurl(): + """Whether the currently set HTTP fetcher is a Curl HTTP fetcher.""" + return isinstance(getDefaultFetcher(), CurlHTTPFetcher) + +class HTTPResponse(object): + """XXX document attributes""" + headers = None + status = None + body = None + final_url = None + + def __init__(self, final_url=None, status=None, headers=None, body=None): + self.final_url = final_url + self.status = status + self.headers = headers + self.body = body + + def __repr__(self): + return "<%s status %s for %s>" % (self.__class__.__name__, + self.status, + self.final_url) + +class HTTPFetcher(object): + """ + This class is the interface for openid HTTP fetchers. This + interface is only important if you need to write a new fetcher for + some reason. + """ + + def fetch(self, url, body=None, headers=None): + """ + This performs an HTTP POST or GET, following redirects along + the way. If a body is specified, then the request will be a + POST. Otherwise, it will be a GET. 
+ + + @param headers: HTTP headers to include with the request + @type headers: {str:str} + + @return: An object representing the server's HTTP response. If + there are network or protocol errors, an exception will be + raised. HTTP error responses, like 404 or 500, do not + cause exceptions. + + @rtype: L{HTTPResponse} + + @raise Exception: Different implementations will raise + different errors based on the underlying HTTP library. + """ + raise NotImplementedError + +def _allowedURL(url): + return url.startswith('http://') or url.startswith('https://') + +class HTTPFetchingError(Exception): + """Exception that is wrapped around all exceptions that are raised + by the underlying fetcher when using the ExceptionWrappingFetcher + + @ivar why: The exception that caused this exception + """ + def __init__(self, why=None): + Exception.__init__(self, why) + self.why = why + +class ExceptionWrappingFetcher(HTTPFetcher): + """Fetcher that wraps another fetcher, causing all exceptions + + @cvar uncaught_exceptions: Exceptions that should be exposed to the + user if they are raised by the fetch call + """ + + uncaught_exceptions = (SystemExit, KeyboardInterrupt, MemoryError) + + def __init__(self, fetcher): + self.fetcher = fetcher + + def fetch(self, *args, **kwargs): + try: + return self.fetcher.fetch(*args, **kwargs) + except self.uncaught_exceptions: + raise + except: + exc_cls, exc_inst = sys.exc_info()[:2] + if exc_inst is None: + # string exceptions + exc_inst = exc_cls + + raise HTTPFetchingError(why=exc_inst) + +class Urllib2Fetcher(HTTPFetcher): + """An C{L{HTTPFetcher}} that uses urllib2. 
+ """ + + # Parameterized for the benefit of testing frameworks, see + # http://trac.openidenabled.com/trac/ticket/85 + urlopen = staticmethod(urllib2.urlopen) + + def fetch(self, url, body=None, headers=None): + if not _allowedURL(url): + raise ValueError('Bad URL scheme: %r' % (url,)) + + if headers is None: + headers = {} + + headers.setdefault( + 'User-Agent', + "%s Python-urllib/%s" % (USER_AGENT, urllib2.__version__,)) + + req = urllib2.Request(url, data=body, headers=headers) + try: + f = self.urlopen(req) + try: + return self._makeResponse(f) + finally: + f.close() + except urllib2.HTTPError, why: + try: + return self._makeResponse(why) + finally: + why.close() + + def _makeResponse(self, urllib2_response): + resp = HTTPResponse() + resp.body = urllib2_response.read(MAX_RESPONSE_KB * 1024) + resp.final_url = urllib2_response.geturl() + resp.headers = dict(urllib2_response.info().items()) + + if hasattr(urllib2_response, 'code'): + resp.status = urllib2_response.code + else: + resp.status = 200 + + return resp + +class HTTPError(HTTPFetchingError): + """ + This exception is raised by the C{L{CurlHTTPFetcher}} when it + encounters an exceptional situation fetching a URL. + """ + pass + +# XXX: define what we mean by paranoid, and make sure it is. +class CurlHTTPFetcher(HTTPFetcher): + """ + An C{L{HTTPFetcher}} that uses pycurl for fetching. + See U{http://pycurl.sourceforge.net/}. 
+ """ + ALLOWED_TIME = 20 # seconds + + def __init__(self): + HTTPFetcher.__init__(self) + if pycurl is None: + raise RuntimeError('Cannot find pycurl library') + + def _parseHeaders(self, header_file): + header_file.seek(0) + + # Remove the status line from the beginning of the input + unused_http_status_line = header_file.readline().lower () + if unused_http_status_line.startswith('http/1.1 100 '): + unused_http_status_line = header_file.readline() + unused_http_status_line = header_file.readline() + + lines = [line.strip() for line in header_file] + + # and the blank line from the end + empty_line = lines.pop() + if empty_line: + raise HTTPError("No blank line at end of headers: %r" % (line,)) + + headers = {} + for line in lines: + try: + name, value = line.split(':', 1) + except ValueError: + raise HTTPError( + "Malformed HTTP header line in response: %r" % (line,)) + + value = value.strip() + + # HTTP headers are case-insensitive + name = name.lower() + headers[name] = value + + return headers + + def _checkURL(self, url): + # XXX: document that this can be overridden to match desired policy + # XXX: make sure url is well-formed and routeable + return _allowedURL(url) + + def fetch(self, url, body=None, headers=None): + stop = int(time.time()) + self.ALLOWED_TIME + off = self.ALLOWED_TIME + + if headers is None: + headers = {} + + headers.setdefault('User-Agent', + "%s %s" % (USER_AGENT, pycurl.version,)) + + header_list = [] + if headers is not None: + for header_name, header_value in headers.iteritems(): + header_list.append('%s: %s' % (header_name, header_value)) + + c = pycurl.Curl() + try: + c.setopt(pycurl.NOSIGNAL, 1) + + if header_list: + c.setopt(pycurl.HTTPHEADER, header_list) + + # Presence of a body indicates that we should do a POST + if body is not None: + c.setopt(pycurl.POST, 1) + c.setopt(pycurl.POSTFIELDS, body) + + while off > 0: + if not self._checkURL(url): + raise HTTPError("Fetching URL not allowed: %r" % (url,)) + + data = 
cStringIO.StringIO() + def write_data(chunk): + if data.tell() > 1024*MAX_RESPONSE_KB: + return 0 + else: + return data.write(chunk) + + response_header_data = cStringIO.StringIO() + c.setopt(pycurl.WRITEFUNCTION, write_data) + c.setopt(pycurl.HEADERFUNCTION, response_header_data.write) + c.setopt(pycurl.TIMEOUT, off) + c.setopt(pycurl.URL, openid.urinorm.urinorm(url)) + + c.perform() + + response_headers = self._parseHeaders(response_header_data) + code = c.getinfo(pycurl.RESPONSE_CODE) + if code in [301, 302, 303, 307]: + url = response_headers.get('location') + if url is None: + raise HTTPError( + 'Redirect (%s) returned without a location' % code) + + # Redirects are always GETs + c.setopt(pycurl.POST, 0) + + # There is no way to reset POSTFIELDS to empty and + # reuse the connection, but we only use it once. + else: + resp = HTTPResponse() + resp.headers = response_headers + resp.status = code + resp.final_url = url + resp.body = data.getvalue() + return resp + + off = stop - int(time.time()) + + raise HTTPError("Timed out fetching: %r" % (url,)) + finally: + c.close() + +class HTTPLib2Fetcher(HTTPFetcher): + """A fetcher that uses C{httplib2} for performing HTTP + requests. This implementation supports HTTP caching. + + @see: http://bitworking.org/projects/httplib2/ + """ + + def __init__(self, cache=None): + """@param cache: An object suitable for use as an C{httplib2} + cache. If a string is passed, it is assumed to be a + directory name. + """ + if httplib2 is None: + raise RuntimeError('Cannot find httplib2 library. ' + 'See http://bitworking.org/projects/httplib2/') + + super(HTTPLib2Fetcher, self).__init__() + + # An instance of the httplib2 object that performs HTTP requests + self.httplib2 = httplib2.Http(cache) + + # We want httplib2 to raise exceptions for errors, just like + # the other fetchers. 
+ self.httplib2.force_exception_to_status_code = False + + def fetch(self, url, body=None, headers=None): + """Perform an HTTP request + + @raises Exception: Any exception that can be raised by httplib2 + + @see: C{L{HTTPFetcher.fetch}} + """ + if body: + method = 'POST' + else: + method = 'GET' + + if headers is None: + headers = {} + + # httplib2 doesn't check to make sure that the URL's scheme is + # 'http' so we do it here. + if not (url.startswith('http://') or url.startswith('https://')): + raise ValueError('URL is not a HTTP URL: %r' % (url,)) + + httplib2_response, content = self.httplib2.request( + url, method, body=body, headers=headers) + + # Translate the httplib2 response to our HTTP response abstraction + + # When a 400 is returned, there is no "content-location" + # header set. This seems like a bug to me. I can't think of a + # case where we really care about the final URL when it is an + # error response, but being careful about it can't hurt. + try: + final_url = httplib2_response['content-location'] + except KeyError: + # We're assuming that no redirects occurred + assert not httplib2_response.previous + + # And this should never happen for a successful response + assert httplib2_response.status != 200 + final_url = url + + return HTTPResponse( + body=content, + final_url=final_url, + headers=dict(httplib2_response.items()), + status=httplib2_response.status, + ) From f1aa4ab7c120fede05030919aaf240018636c3a5 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 29 Jan 2014 01:11:17 +0000 Subject: [PATCH 132/271] Hotfix python-openid --- files/hotfix/python-openid/fetchers.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/hotfix/python-openid/fetchers.py b/files/hotfix/python-openid/fetchers.py index 944e2157ae..d628a2ac54 100644 --- a/files/hotfix/python-openid/fetchers.py +++ b/files/hotfix/python-openid/fetchers.py 
@@ -250,7 +250,7 @@ class CurlHTTPFetcher(HTTPFetcher): # Remove the status line from the beginning of the input unused_http_status_line = header_file.readline().lower () - if unused_http_status_line.startswith('http/1.1 100 '): + while unused_http_status_line.startswith('http/1.1 100 '): unused_http_status_line = header_file.readline() unused_http_status_line = header_file.readline() From ed9133b7c041c8e4fbae7da3b7acabd1256d0a1b Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 29 Jan 2014 19:38:41 +0000 Subject: [PATCH 133/271] Reduce avatar cache expiry (badges) --- roles/badges-frontend/templates/tahrir.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/badges-frontend/templates/tahrir.ini b/roles/badges-frontend/templates/tahrir.ini index a9b1277c64..c208eacad0 100644 --- a/roles/badges-frontend/templates/tahrir.ini +++ b/roles/badges-frontend/templates/tahrir.ini @@ -35,7 +35,7 @@ tahrir.admin = ralph@fedoraproject.org, oddshocks@fedoraproject.org, puiterwijk@ tahrir.pngs.uri = /usr/share/badges/pngs dogpile.cache.backend = dogpile.cache.memcached -dogpile.cache.expiration_time = 10000 +dogpile.cache.expiration_time = 100 dogpile.cache.arguments.url = memcached03:11211 dogpile.cache.arguments.distributed_lock = True From 1ca4f5ed0d69f74d0a7aff46d085e4afb817f38b Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 29 Jan 2014 21:16:33 +0000 Subject: [PATCH 134/271] Fix copr fedmsg cert name. --- roles/fedmsg_base/templates/ssl.py.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/fedmsg_base/templates/ssl.py.j2 b/roles/fedmsg_base/templates/ssl.py.j2 index ac51ce850e..0f3df555e3 100644 --- a/roles/fedmsg_base/templates/ssl.py.j2 +++ b/roles/fedmsg_base/templates/ssl.py.j2 
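Review bot: In the header-parsing code of `CurlHTTPFetcher`, only the first status line is lowercased (`header_file.readline().lower ()`); the reads after the new `while` are not, so a second interim response written as `HTTP/1.1 100 Continue` fails the lowercase `startswith` test and stays in the header stream. Lowercasing the read that fetches the next status line keeps the loop condition consistent: `unused_http_status_line = header_file.readline().lower()`. The prefix is also tied to `http/1.1`, so an interim response with any other version string is never skipped. PATCH 159/271 widens the prefix to `'http/1.1 1'` in the same loop and has the same gap. The enclosing method starts and ends outside both hunks, and the loop body's indentation is not recoverable from this page.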
@@ -144,6 +144,7 @@ config = dict( # since it is an openstack node. This might be a little fragile. :/ # See https://github.com/fedora-infra/fedmsg/issues/199 for the plan. ("copr.copr-be-i-00000407", "copr-copr-be.cloud.fedoraproject.org"), + ("copr.copr-be", "copr-copr-be.cloud.fedoraproject.org"), ]), routing_policy={ # The gist here is that only messages signed by the From 99286867dbf363d1f9a04af132040de8bfb43290 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 29 Jan 2014 21:33:27 +0000 Subject: [PATCH 135/271] Need this for lokkit on f19. --- playbooks/hosts/copr-be.cloud.fedoraproject.org.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml index 24ae5ec033..86958a7e05 100644 --- a/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-be.cloud.fedoraproject.org.yml @@ -54,6 +54,7 @@ - git - screen - fail2ban + - system-config-firewall-base - name: make copr dirs From f33ed0f4fcc017b623ff3247912b6727aa39df35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Wed, 29 Jan 2014 21:59:47 +0000 Subject: [PATCH 136/271] enable fedmsg on copr-be --- files/copr/copr-be.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/copr/copr-be.conf b/files/copr/copr-be.conf index 2c159cb99e..b00db87ae2 100644 --- a/files/copr/copr-be.conf +++ b/files/copr/copr-be.conf @@ -51,7 +51,7 @@ worker_logdir=/var/log/copr/workers/ # publish fedmsg notifications from workers if true # default is false #fedmsg_enabled=false - +fedmsg_enabled=true [builder] # default is 1800 From 789e1d7814e70785f49bec70d39cd265c5a7f725 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 29 Jan 2014 21:58:59 +0000 Subject: [PATCH 137/271] Disable this relay endpoint since apparently copr-be.cloud can find it. --- roles/fedmsg_base/templates/relay.py.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/fedmsg_base/templates/relay.py.j2 b/roles/fedmsg_base/templates/relay.py.j2 index 0b13e2ac92..c4694c3467 100644 --- a/roles/fedmsg_base/templates/relay.py.j2 +++ b/roles/fedmsg_base/templates/relay.py.j2 @@ -31,7 +31,7 @@ config = dict( "tcp://app01.%s:3998" % suffix, # Scripts from the vpn (people03) connect here - "tcp://app01.vpn.fedoraproject.org:3998", + #"tcp://app01.vpn.fedoraproject.org:3998", # Scripts from outside connect here (coprs, secondary arch composes) "tcp://busgateway01.%s:9941" % suffix, From 4effa2c2c0f5c8dfbf5f01f8fe8b95bf6fa07abf Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 30 Jan 2014 04:21:15 +0000 Subject: [PATCH 138/271] Do not backup the git_seed stuff on pkgs01 --- playbooks/rdiff-backup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/rdiff-backup.yml b/playbooks/rdiff-backup.yml index d896a0ed63..23ee30b729 100644 --- a/playbooks/rdiff-backup.yml +++ b/playbooks/rdiff-backup.yml @@ -25,6 +25,6 @@ when: global_backup_targets is defined - name: run rdiff-backup hitting all the host targets - local_action: "shell rdiff-backup --exclude='**.snapshot' --create-full-path --print-statistics {{ inventory_hostname }}::{{ item }} /fedora_backups/{{ inventory_hostname }}/`basename {{ item }}` | mail -r sysadmin-backup-members@fedoraproject.org -s 'rdiff-backup: {{ inventory_hostname }}:{{ item }}' sysadmin-backup-members@fedoraproject.org" + local_action: "shell rdiff-backup --exclude='git-seed*.xz' --exclude='git_seed'--exclude='**.snapshot' --create-full-path --print-statistics {{ inventory_hostname }}::{{ item }} /fedora_backups/{{ inventory_hostname }}/`basename {{ item }}` | mail -r sysadmin-backup-members@fedoraproject.org -s 'rdiff-backup: {{ inventory_hostname }}:{{ item }}' sysadmin-backup-members@fedoraproject.org" with_items: host_backup_targets when: host_backup_targets is defined From 7da961cc1c1c5cb32542797cf9d0c1f7afa209b0 Mon Sep 17 00:00:00 2001 
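Review bot: In the `run rdiff-backup hitting all the host targets` task, the new options are run together as `--exclude='git_seed'--exclude='**.snapshot'`. Without a space the shell hands rdiff-backup one argument, so neither the `git_seed` nor the `.snapshot` exclude applies as written; it should read `--exclude='git_seed' --exclude='**.snapshot'`. Separately, the command pipes into `mail`, so the task reports the exit status of `mail` and a failed backup is visible only in the mailed text. Prefixing the command with `set -o pipefail;` would surface the failure, assuming the control host's shell is bash. The pipe is unchanged in PATCH 141/271, which rewrites the exclude options.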
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Thu, 30 Jan 2014 10:41:50 +0000 Subject: [PATCH 139/271] Mailman: small fixes discovered with lists-dev --- playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 2 ++ roles/mailman/files/pg-give-rights.py | 2 +- roles/mailman/templates/settings.py.j2 | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index d8b44ec6d4..674fbae4d9 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -134,6 +134,8 @@ - tar - mailman # transition from mailman2.1 - vim + - tmux + - patch tags: - packages diff --git a/roles/mailman/files/pg-give-rights.py b/roles/mailman/files/pg-give-rights.py index e99dd77f2b..08031515ac 100755 --- a/roles/mailman/files/pg-give-rights.py +++ b/roles/mailman/files/pg-give-rights.py @@ -24,7 +24,7 @@ def give_rights(dbhost, dbuser, dbpasswd, dbname): cur.execute(dbrightsquery) # Table permissions cur.execute(""" - SELECT 'GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE ON ' || relname || ' TO %sapp;' + SELECT 'GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE ON "' || relname || '" TO %sapp;' FROM pg_class JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace WHERE nspname = 'public' AND relkind IN ('r', 'v'); diff --git a/roles/mailman/templates/settings.py.j2 b/roles/mailman/templates/settings.py.j2 index 1fd96f1f80..f819bb5d99 100644 --- a/roles/mailman/templates/settings.py.j2 +++ b/roles/mailman/templates/settings.py.j2 @@ -142,6 +142,7 @@ MIDDLEWARE_CLASSES = ( 'hyperkitty.middleware.KittyStoreDjangoMiddleware', 'hyperkitty.middleware.SSLRedirect', 'hyperkitty.middleware.TimezoneMiddleware', + 'hyperkitty.middleware.MailmanUserMetadata', ) ROOT_URLCONF = 'urls' From 274d7993ce1ac3a808d8673c8aa07234956118b0 Mon Sep 17 00:00:00 2001 
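Review bot: The table-permissions query in `give_rights` now wraps `relname` in literal double quotes, which still yields a broken or altered GRANT statement for a relation whose name itself contains `"`. PostgreSQL's `quote_ident()` does both the quoting and the escaping: `SELECT 'GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE ON ' || quote_ident(relname) || ' TO %sapp;'`. The `%sapp` role name is presumably filled in by string formatting outside the hunk, so it depends on the database name being a plain identifier. `give_rights` starts and ends outside the hunk.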
From: Pierre-Yves Chibon Date: Thu, 30 Jan 2014 19:11:31 +0100 Subject: [PATCH 140/271] Instead of keeping the jenkins plugins in git, let's download them and check their sha256 --- playbooks/groups/jenkins-cloud.yml | 79 ++++++++++++++++++++++++++++-- 1 file changed, 75 insertions(+), 4 deletions(-) diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index 7b6b5e748c..e68c62b3c5 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml 
@@ -100,10 +100,81 @@ - name: mkdir dir for jenkins data action: file state=directory path=/var/lib/jenkins/plugins/ owner=jenkins group=jenkins - - name: import jenkins plugins - action: copy src={{ item }} owner=jenkins group=jenkins dest=/var/lib/jenkins/plugins/ - with_fileglob: - - "{{ files }}/jenkins/master/plugins/*.hpi" + - name: Download jenkins plugins + get_url: url=https://updates.jenkins-ci.org/download/plugins/{{ item.name }}/{{ item.version }}/{{ item.name }}.hpi + dest=/var/lib/jenkins/plugins/{{ item.name }}.hpi + sha256sum={{ item.sha }} + with_items: + - name: bazaar + version: 1.22 + sha: d7ff0987c96e2a694257ecf897ceee376908c5f94abfd1d5efc32482e4d54141 + - name: chucknorris + version: 0.5 + sha: bd9df0507008255ad2ed046368d10a4d039a6cbcfefb53c71c1768cc0dcbf65b + - name: cobertura + version: 1.9.3 + sha: 3db93d70486b80a904a74ce40b0ac6a7812d1f522f820d0e5d7b538401bc2946 + - name: csv + version: 2.11 + sha: 7c917bc824019a81d54472c525e4d724dfb4ae10b59bf64e692a2fc59fcd33cc + - name: external-monitor-job + version: 1.2 + sha: 8dd2644271d0138839490342833e9ff7f82772038f673f5ac6220193c587747d + - name: git + version: 2.0.1 + sha: 68c7fa6f9e3e1e3991bbba67ca86c2590e425f80a7176171ad7c645d57abe839 + - name: git-client + version: 1.6.1 + sha: 6b5762e7f423e0c40b068f671a276e83e4093c019164f61959b83d98bc24dedd + - name: instant-messaging + version: 1.28 + sha: 0b84561fd72cb80d89c5c57548fe8b7270d448f66361dedd07e227fb1bd44f03 + - name: ldap + version: 1.8 + sha: 491905ec3675b6a5acf2098722c121732801fd6210e6ff54bc99d213b5b8ee58 + - name: maven-plugin + version: 2.1 + sha: 1f80592242251bd1c3ca7ba0290905567bba2883fdf828f66a6759d64d1a64bf + - name: mercurial + version: 1.49 + sha: c7af29d9af2071aa60fd82efc90d97f52c38b8911160796c1d9c0a89768f36e4 + - name: openid + version: 1.8 + sha: fed09c7da7762323cf55c3b725493622a4a2460eab8622230497e35914ac9d7e + - name: python + version: 1.2 + sha: e3358a945f21b84a8156237b0d621815a7822322e1180ae1e66d10798aaf1f56 + - name: scm-api + 
version: 0.2 + sha: cc856d8dc8b951cf9a195baa2bf7bbff0d12368534a6b973e43e2909141eff3f + - name: ssh-agent + version: 1.4.1 + sha: ae8227bf219e96a4d76f36dc6d6e652ddd0209e8d9c4cf4483a07858d707ce6e + - name: subversion + version: 1.54 + sha: 90c109cbecdf00fbe1a377770d735cf12dcae6f750c00b19b59eaee223a54aa2 + - name: translation + version: 1.11 + sha: 4d88b8d74ade119cef76827bd385693447fa68fa18fd1bfc8806aff9d931f00e + - name: violations + version: 0.7.11 + sha: f8eacb53eb01f83f3702009a41cef89e520a72933671ac1ee9154d88bde2d67a + - name: xunit + version: 1.81 + sha: 8749ef1b3861ea6a5166c7a6f443e20dca346f98aa58ab2bb3f3376b6392244e + - name: warnings + version: 4.28 + sha: cc2de4391030e15ffeee86269bdf1afc5a377d484690e4b3ad8fe1c1f2dfd18c + - name: multiple-scms + version: 0.3 + sha: e79d7e855ffe0ad060d11ae1ce0b39f68e7fa031c6e831f60fe33e5ddb3392ac + - name: credentials + version: 1.9.4 + sha: 2fedc41d977a166c1addd82cd0cc9b73cffd34b97f7c0756bad7dc198ccd98de + - name: mailer + version: 1.8 + sha: fb9c6d471c2fea97fc2ccb64bfac18f77c847e740bcc2d5a4de31c35e851728a + tags: - config From 8baa7720e78e738d5fb6c26b2ddb79c8b84b7e13 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 31 Jan 2014 16:10:47 +0000 Subject: [PATCH 141/271] Adjust backup excludes to be more right. --- playbooks/rdiff-backup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/rdiff-backup.yml b/playbooks/rdiff-backup.yml index 23ee30b729..7e9046ea81 100644 --- a/playbooks/rdiff-backup.yml +++ b/playbooks/rdiff-backup.yml 
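Review bot: The `version:` values in the `with_items` list of `Download jenkins plugins` are unquoted, so YAML reads two-part versions such as `1.22` or `2.11` as floats. None listed here ends in a zero, but a later bump to something like `1.10` would be templated into the URL as `1.1`, and the pinned checksum would then reject the download. Quote them (`version: "1.22"`), and quote `sha:` too so an all-digit digest can never be read as a number. `dest` carries no version, so it is worth confirming that this Ansible release replaces an existing `{{ item.name }}.hpi` when the version or checksum changes rather than keeping the old file. The new task also drops the `owner=jenkins group=jenkins` that the removed `copy` task set.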
@@ -25,6 +25,6 @@ when: global_backup_targets is defined - name: run rdiff-backup hitting all the host targets - local_action: "shell rdiff-backup --exclude='git-seed*.xz' --exclude='git_seed'--exclude='**.snapshot' --create-full-path --print-statistics {{ inventory_hostname }}::{{ item }} /fedora_backups/{{ inventory_hostname }}/`basename {{ item }}` | mail -r sysadmin-backup-members@fedoraproject.org -s 'rdiff-backup: {{ inventory_hostname }}:{{ item }}' sysadmin-backup-members@fedoraproject.org" + local_action: "shell rdiff-backup --exclude='**git-seed*' --exclude='**git_seed' --exclude='**.snapshot' --create-full-path --print-statistics {{ inventory_hostname }}::{{ item }} /fedora_backups/{{ inventory_hostname }}/`basename {{ item }}` | mail -r sysadmin-backup-members@fedoraproject.org -s 'rdiff-backup: {{ inventory_hostname }}:{{ item }}' sysadmin-backup-members@fedoraproject.org" with_items: host_backup_targets when: host_backup_targets is defined From 16f3769117b815c5317c676ee210b783383ac4d9 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 31 Jan 2014 18:32:58 +0000 Subject: [PATCH 142/271] Add armpkgs to hosts for arm builders. --- files/hosts/arm.fedoraproject.org-hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/files/hosts/arm.fedoraproject.org-hosts b/files/hosts/arm.fedoraproject.org-hosts index 7970c8d6b0..4ee48472bb 100644 --- a/files/hosts/arm.fedoraproject.org-hosts +++ b/files/hosts/arm.fedoraproject.org-hosts @@ -4,6 +4,7 @@ 10.5.125.36 kojipkgs.fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.124.138 arm.koji.fedoraproject.org +10.5.124.138 armpkgs.fedoraproject.org 10.5.125.44 pkgs.fedoraproject.org pkgs # # This is proxy01.phx2.fedoraproject.org From 5ee49f57fb8b66496b5a2a92f833b59a3953021e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 31 Jan 2014 22:31:33 +0000 Subject: [PATCH 143/271] This should just be zh I think. --- roles/ask/templates/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 6d9d4803ac..d3ff0bc6b3 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -255,7 +255,7 @@ LANGUAGES = ( ('es', gettext('Spanish')), ('en', gettext('English')), ('ru', gettext('Russian')), - ('zh-tw', gettext('Chinese')), + ('zh', gettext('Chinese')), ('fr', gettext('French')), ('el', gettext('Greek')), ('id', gettext('Indonesian')), From 203aff15b963d3f42669aee38def2160c49901c0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 31 Jan 2014 23:37:44 +0000 Subject: [PATCH 144/271] This is silly, but try it anyhow. --- tasks/transient_cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/transient_cloud.yml b/tasks/transient_cloud.yml index 77b4d3203f..18207e2928 100644 --- a/tasks/transient_cloud.yml +++ b/tasks/transient_cloud.yml @@ -1,6 +1,6 @@ --- - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data='I2Nsb3VkLWNvbmZpZyAKZGlzYWJsZV9yb290OiAwCg==' register: inst_res - name: add it to the special group From 15f596183f147b11765434b2866b1727310b0087 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 31 Jan 2014 23:42:08 +0000 Subject: [PATCH 145/271] Perhaps this --- tasks/transient_cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/transient_cloud.yml b/tasks/transient_cloud.yml index 18207e2928..1c1f0d963b 100644 --- a/tasks/transient_cloud.yml +++ b/tasks/transient_cloud.yml 
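Review bot: The `user_data` value added to the `ec2` call in `spin it up` is base64 for a `#cloud-config` document containing `disable_root: 0`. That asks cloud-init to leave direct root login enabled on every transient instance, and nothing in the task says so. A comment above the task, such as `# user_data is cloud-config "disable_root: 0": root SSH login stays enabled on transient instances`, would make the setting reviewable. PATCH 145/271 through 148/271 change only the encoding or quoting of the same value, and PATCH 149/271 removes it again. Whether this release's `ec2` module expects raw or base64 text is not visible here.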
@@ -1,6 +1,6 @@ --- - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data='I2Nsb3VkLWNvbmZpZyAKZGlzYWJsZV9yb290OiAwCg==' + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data='I2Nsb3VkLWNvbmZpZwpkaXNhYmxlX3Jvb3Q6IDAK' register: inst_res - name: add it to the special group From 7fa2e11fa5aa018d9cc74337acd2675ef3029136 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 31 Jan 2014 23:51:11 +0000 Subject: [PATCH 146/271] One last try --- tasks/transient_cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/transient_cloud.yml b/tasks/transient_cloud.yml index 1c1f0d963b..e13bc73d8d 100644 --- a/tasks/transient_cloud.yml +++ b/tasks/transient_cloud.yml @@ -1,6 +1,6 @@ --- - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data='I2Nsb3VkLWNvbmZpZwpkaXNhYmxlX3Jvb3Q6IDAK' + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data=I2Nsb3VkLWNvbmZpZwpkaXNhYmxlX3Jvb3Q6IDAK register: inst_res - name: add it to the special group From 0768a03c57f4b8727259be8a65657b4749a4b424 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Sat, 1 Feb 2014 00:08:44 +0000 Subject: [PATCH 147/271] Back to this to test more. --- tasks/transient_cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/transient_cloud.yml b/tasks/transient_cloud.yml index e13bc73d8d..18fb9863a2 100644 --- a/tasks/transient_cloud.yml +++ b/tasks/transient_cloud.yml @@ -1,6 +1,6 @@ --- - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data=I2Nsb3VkLWNvbmZpZwpkaXNhYmxlX3Jvb3Q6IDAK + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data="#cloud-config\ndisable_root: 0" register: inst_res - name: add it to the special group From 3325113b5e344e9dd799f813559f8f445415d39c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 1 Feb 2014 00:10:02 +0000 Subject: [PATCH 148/271] Single quotes? --- tasks/transient_cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/transient_cloud.yml b/tasks/transient_cloud.yml index 18fb9863a2..5ab5a918a4 100644 --- a/tasks/transient_cloud.yml +++ b/tasks/transient_cloud.yml 
@@ -1,6 +1,6 @@ --- - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data="#cloud-config\ndisable_root: 0" + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data='#cloud-config\ndisable_root: 0' register: inst_res - name: add it to the special group From 438aca00497306ee21cf039763021f04061ec07d Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 1 Feb 2014 00:10:25 +0000 Subject: [PATCH 149/271] Give up for now. --- tasks/transient_cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/transient_cloud.yml b/tasks/transient_cloud.yml index 5ab5a918a4..77b4d3203f 100644 --- a/tasks/transient_cloud.yml +++ b/tasks/transient_cloud.yml @@ -1,6 +1,6 @@ --- - name: spin it up - local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} user_data='#cloud-config\ndisable_root: 0' + local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }} ec2_access_key={{ transient_access_key }} ec2_secret_key={{ transient_secret_key }} ec2_url={{ os_ec2_url }} register: inst_res - name: add it to the special group From 4a9ee86575507e40d92d6de5b4a1afe6d4cd9487 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 1 Feb 2014 17:43:40 +0000 Subject: [PATCH 150/271] Adjust ask01.stg zh locale. --- roles/ask/templates/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index d3ff0bc6b3..764840823f 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -255,7 +255,7 @@ LANGUAGES = ( ('es', gettext('Spanish')), ('en', gettext('English')), ('ru', gettext('Russian')), - ('zh', gettext('Chinese')), + ('zh-cn', gettext('Simplified Chinese')), ('fr', gettext('French')), ('el', gettext('Greek')), ('id', gettext('Indonesian')), From d83256b1065af6ce12befd68c07da12a0bd33790 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 3 Feb 2014 05:04:01 +0000 Subject: [PATCH 151/271] Make the ansible check diff run serial instead of parallel. --- scripts/ansible-playbook-check-diff | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/scripts/ansible-playbook-check-diff b/scripts/ansible-playbook-check-diff index 72c0d78b1c..0fe46b72a7 100755 --- a/scripts/ansible-playbook-check-diff +++ b/scripts/ansible-playbook-check-diff @@ -18,8 +18,4 @@ for dir in ("hosts", "groups"): playbookpath = os.path.join(path, file) cmd = ("ansible-playbook", playbookpath, "--check", "--diff") ansibleprocess = subprocess.Popen(cmd) - -# -# Add this if you want to run them one at a time instead of all forked off in a bunch. -# ansibleprocess.communicate() -# + ansibleprocess.communicate() From 999677b572f1d641f6d06fe30216f0648b072b0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Mon, 3 Feb 2014 09:55:13 +0000 Subject: [PATCH 152/271] define buildsys macros for some reason buildsys-macros is not installed in default buildroot it works localy, but not in Copr. I spent a lot of time debuging it But enough is enough. Lets solve it this way. --- files/copr/provision/files/mock/epel-5-i386.cfg | 3 +++ files/copr/provision/files/mock/epel-5-x86_64.cfg | 3 +++ 2 files changed, 6 insertions(+) 
diff --git a/files/copr/provision/files/mock/epel-5-i386.cfg b/files/copr/provision/files/mock/epel-5-i386.cfg index 38a425aba6..bd55bbcb52 100644 --- a/files/copr/provision/files/mock/epel-5-i386.cfg +++ b/files/copr/provision/files/mock/epel-5-i386.cfg @@ -5,6 +5,9 @@ config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' +config_opts['macros']['%rhel'] = '5' +config_opts['macros']['%dist'] = '.el5' +config_opts['macros']['%el5'] = '1' config_opts['releasever'] = '5' config_opts['yum.conf'] = """ diff --git a/files/copr/provision/files/mock/epel-5-x86_64.cfg b/files/copr/provision/files/mock/epel-5-x86_64.cfg index 2f26af0ba5..31351d53c3 100644 --- a/files/copr/provision/files/mock/epel-5-x86_64.cfg +++ b/files/copr/provision/files/mock/epel-5-x86_64.cfg @@ -5,6 +5,9 @@ config_opts['chroot_setup_cmd'] = 'install buildsys-build' config_opts['dist'] = 'el5' # only useful for --resultdir variable subst if not config_opts.has_key('macros'): config_opts['macros'] = {} config_opts['macros']['%__arch_install_post'] = '%{nil}' +config_opts['macros']['%rhel'] = '5' +config_opts['macros']['%dist'] = '.el5' +config_opts['macros']['%el5'] = '1' config_opts['releasever'] = '5' config_opts['yum.conf'] = """ From 159115f3d3650fe9f7450cf276a511b37f8d0b91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 3 Feb 2014 11:11:15 +0000 Subject: [PATCH 153/271] Mailman: the DB server is different in stg and prod --- inventory/group_vars/mailman | 3 +++ inventory/group_vars/mailman-stg | 3 +++ playbooks/groups/mailman.yml | 1 - 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/inventory/group_vars/mailman b/inventory/group_vars/mailman index 51b55f1011..be7c2b61ae 100644 --- a/inventory/group_vars/mailman +++ b/inventory/group_vars/mailman 
@@ -27,3 +27,6 @@ virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ m gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }}" --network=bridge=br0 --autostart --noautoconsole + +# Used by the mailman role +mailman_dbserver: db01.phx2.fedoraproject.org diff --git a/inventory/group_vars/mailman-stg b/inventory/group_vars/mailman-stg index 51b55f1011..62acb4eacb 100644 --- a/inventory/group_vars/mailman-stg +++ b/inventory/group_vars/mailman-stg @@ -27,3 +27,6 @@ virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ m gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }}" --network=bridge=br0 --autostart --noautoconsole + +# Used by the mailman role +mailman_dbserver: db02.stg.phx2.fedoraproject.org diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 7826f1447b..761800d2f3 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -98,7 +98,6 @@ roles: - role: mailman - mailman_dbserver: db02.stg.phx2.fedoraproject.org mailman_postfix_mydestination: "lists.fedoraproject.org, lists.stg.fedoraproject.org" mailman_mm_db_pass: "{{ mailman_mm_db_pass }}" mailman_hk_admin_db_pass: "{{ mailman_hk_admin_db_pass }}" From b64262922c6e5507bd87dced366c958f27ef8493 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 3 Feb 2014 11:31:37 +0000 Subject: [PATCH 154/271] Install psycopg2 on the DB servers --- playbooks/groups/mailman.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 761800d2f3..9c1cda5a93 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml 
@@ -54,7 +54,21 @@ - include: "{{ handlers }}/restart_services.yml" +# # Database setup +# + +- name: prepare setting up the database + hosts: db02.stg.phx2.fedoraproject.org:db01.phx2.fedoraproject.org + gather_facts: no + user: root + + tasks: + - name: install psycopg2 for the postgresql ansible modules + yum: pkg=python-psycopg2 state=installed + tags: + - packages + - name: setup the database hosts: db02.stg.phx2.fedoraproject.org:db01.phx2.fedoraproject.org gather_facts: no From 42c77051f4bb2b87fe5ddd2ac92847ae7296816d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 3 Feb 2014 11:33:29 +0000 Subject: [PATCH 155/271] Use the new variable substitution syntax --- roles/mailman/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mailman/defaults/main.yml b/roles/mailman/defaults/main.yml index 6fb905b432..dffdecd16e 100644 --- a/roles/mailman/defaults/main.yml +++ b/roles/mailman/defaults/main.yml @@ -1,6 +1,6 @@ --- mailman_webui_basedir: /srv/webui -mailman_webui_confdir: ${mailman_webui_basedir}/config +mailman_webui_confdir: "{{ mailman_webui_basedir }}/config" mailman_dbserver: localhost mailman_postfix_mydestination: "{{ ansible_fqdn }}" mailman_mm_db_pass: changeme From d4ca13001a9a96a0fce75d5ef8ed04239a161934 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 3 Feb 2014 12:05:03 +0000 Subject: [PATCH 156/271] Mailman: sudo requires a tty --- roles/mailman/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml index 163f94fe6a..75619c1ec5 100644 --- a/roles/mailman/tasks/main.yml +++ b/roles/mailman/tasks/main.yml @@ -225,7 +225,7 @@ - restart postfix - name: create the postfix aliases - command: sudo -u mailman mailman3 aliases + command: su mailman -s /bin/sh -c "mailman3 aliases" creates=/var/lib/mailman3/data/postfix_lmtp.db # Memcached 
From 5ab222ea2a3220fe38c45a281b0d0e933c787b9c Mon Sep 17 00:00:00 2001 From: Matt Domsch Date: Mon, 3 Feb 2014 16:23:21 +0000 Subject: [PATCH 157/271] use mirrorlist-server.conf from v1.4.4 --- roles/mirrorlist/files/mirrorlist-server.conf | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/roles/mirrorlist/files/mirrorlist-server.conf b/roles/mirrorlist/files/mirrorlist-server.conf index 1ee87bcc37..929578708d 100644 --- a/roles/mirrorlist/files/mirrorlist-server.conf +++ b/roles/mirrorlist/files/mirrorlist-server.conf @@ -4,8 +4,6 @@ Alias /static /var/lib/mirrormanager/mirrorlists/static/ Options Indexes FollowSymLinks - ExpiresActive On - ExpiresDefault "modification plus 1 day" WSGIDaemonProcess mirrorlist user=apache processes=45 threads=1 display-name=mirrorlist maximum-requests=1000 @@ -42,3 +40,15 @@ WSGIScriptAlias /mirrorlist /usr/share/mirrormanager/mirrorlist-server/mirrorlis Allow from all + + + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order deny,allow + Allow from all + + From 2caf90aed2633c335da8aaf3f9280cc2f934990b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 3 Feb 2014 17:15:26 +0000 Subject: [PATCH 158/271] Enable Simplified Chinese in production. Ticket 4208. --- roles/ask/templates/settings.py | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 764840823f..ed9d2bbb88 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -278,6 +278,7 @@ LANGUAGES = ( ('pt-br', gettext('Brazilian Portuguese')), ('id', gettext('Indonesian')), ('el', gettext('Greek')), + ('zh-cn', gettext('Simplified Chinese')), ) {% endif %} From a941b10d63fc151597aba7eee73b57d7ab22dbb9 Mon Sep 17 00:00:00 2001 
From: Patrick Uiterwijk Date: Mon, 3 Feb 2014 19:50:52 +0000 Subject: [PATCH 159/271] Add hotfix for python-openid --- files/hotfix/python-openid/fetchers.py | 9 ++++++--- roles/ask/tasks/main.yml | 11 +++++++++++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/files/hotfix/python-openid/fetchers.py b/files/hotfix/python-openid/fetchers.py index d628a2ac54..928dadbaae 100644 --- a/files/hotfix/python-openid/fetchers.py +++ b/files/hotfix/python-openid/fetchers.py @@ -93,7 +93,10 @@ def setDefaultFetcher(fetcher, wrap_exceptions=True): def usingCurl(): """Whether the currently set HTTP fetcher is a Curl HTTP fetcher.""" - return isinstance(getDefaultFetcher(), CurlHTTPFetcher) + fetcher = getDefaultFetcher() + if isinstance(fetcher, ExceptionWrappingFetcher): + fetcher = fetcher.fetcher + return isinstance(fetcher, CurlHTTPFetcher) class HTTPResponse(object): """XXX document attributes""" @@ -250,7 +253,7 @@ class CurlHTTPFetcher(HTTPFetcher): # Remove the status line from the beginning of the input unused_http_status_line = header_file.readline().lower () - while unused_http_status_line.startswith('http/1.1 100 '): + while unused_http_status_line.startswith('http/1.1 1'): unused_http_status_line = header_file.readline() unused_http_status_line = header_file.readline() @@ -319,7 +322,7 @@ class CurlHTTPFetcher(HTTPFetcher): return 0 else: return data.write(chunk) - + response_header_data = cStringIO.StringIO() c.setopt(pycurl.WRITEFUNCTION, write_data) c.setopt(pycurl.HEADERFUNCTION, response_header_data.write) diff --git a/roles/ask/tasks/main.yml b/roles/ask/tasks/main.yml index c875688abc..33b9437294 100644 --- a/roles/ask/tasks/main.yml +++ b/roles/ask/tasks/main.yml 
@@ -20,6 +20,17 @@ tags: - packages +# https://github.com/openid/python-openid/pull/76 +- name: hotfix - copy over python-openid fixed messages + copy: src="{{ files }}/hotfix/python-openid/fetchers.py" dest=/usr/lib/python2.6/site-packages/openid/fetchers.py + owner=root group=root mode=0644 + notify: + - restart apache + tags: + - config + - hotfix + - python-openid + - name: set sebooleans so ask can talk to the db action: seboolean name=httpd_can_network_connect_db state=true From 578365bc34f8697d523efb5699b1cb0e19efaea7 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 3 Feb 2014 22:00:22 +0000 Subject: [PATCH 160/271] Bump fedmsg endpoints for fas and pkgdb to agree with the number of wsgi processes. --- roles/fedmsg_base/templates/endpoints.py.j2 | 8 ++++---- roles/fedmsg_base/templates/pkgdb.py.j2 | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/fedmsg_base/templates/endpoints.py.j2 b/roles/fedmsg_base/templates/endpoints.py.j2 index e3f9ccb62a..a75c8b9d26 100644 --- a/roles/fedmsg_base/templates/endpoints.py.j2 +++ b/roles/fedmsg_base/templates/endpoints.py.j2 @@ -66,20 +66,20 @@ config = dict( "tcp://relepel01.%s:3001" % suffix, ], {% endif %} - # FAS is a little out of the ordinary. It has 32 endpoints instead of + # FAS is a little out of the ordinary. It has 40 endpoints instead of # the usual 8 since there are so many mod_wsgi processes for it. "fas.fas01": [ "tcp://fas01.%s:30%02i" % (suffix, i) - for i in range(32) + for i in range(40) ], {% if env != 'staging' %} "fas.fas02": [ "tcp://fas02.%s:30%02i" % (suffix, i) - for i in range(32) + for i in range(40) ], "fas.fas03": [ "tcp://fas03.%s:30%02i" % (suffix, i) - for i in range(32) + for i in range(40) ], {% endif %} # Well, fedoratagger needs 32 endpoints too, just like FAS. diff --git a/roles/fedmsg_base/templates/pkgdb.py.j2 b/roles/fedmsg_base/templates/pkgdb.py.j2 index 4b5914b1be..bd3803fc5d 100644 --- a/roles/fedmsg_base/templates/pkgdb.py.j2 
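Review bot: The copy task overwrites `/usr/lib/python2.6/site-packages/openid/fetchers.py`, which presumably belongs to the python-openid package, without recording or checking the package version the hotfix was made against. A later package update would silently replace the hotfix, and the next play run would then put the older hotfixed file back over whatever the update shipped, including any security fix to that module. A comment on the task makes this auditable, for example `# hotfix taken from python-openid <VERSION>; drop once the packaged version carries pull/76`. The `python2.6` path is hard-coded, so a host with another Python version would get the file in a directory nothing imports from.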
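Review bot: The last context line of the endpoints.py.j2 hunk, `# Well, fedoratagger needs 32 endpoints too, just like FAS.`, is stale once FAS moves to 40 endpoints here and should be reworded, e.g. `# fedoratagger needs 32 endpoints (FAS, above, has 40).` With `range(40)` the FAS endpoints now occupy ports 3000–3039 on each FAS host. Any firewall or SELinux port rule sized for the previous 3000–3031 range needs the same bump, otherwise the extra publishers would fail to bind. No such rule is visible in this hunk.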
+++ b/roles/fedmsg_base/templates/pkgdb.py.j2 @@ -10,36 +10,36 @@ config = dict( endpoints={ "pkgdb.app01": [ "tcp://app01.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app02": [ "tcp://app02.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], {% if not env == 'staging' %} "pkgdb.app03": [ "tcp://app03.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app04": [ "tcp://app04.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app05": [ "tcp://app05.%s:301%i" % (non_phx_suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app06": [ "tcp://app06.%s:301%i" % (non_phx_suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app07": [ "tcp://app07.%s:301%i" % (suffix, i) - for i in range(6) + for i in range(10) ], "pkgdb.app08": [ "tcp://app08.%s:301%i" % (non_phx_suffix, i) - for i in range(6) + for i in range(10) ], {% endif %} }, From da287c5f1cdd5584ed4b14fcbafc6d1e29e55281 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 3 Feb 2014 22:03:01 +0000 Subject: [PATCH 161/271] Use chat.freenode.net over irc.freenode.net. --- roles/notifs-backend/templates/fmn.consumer.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/notifs-backend/templates/fmn.consumer.py b/roles/notifs-backend/templates/fmn.consumer.py index fe361348ca..cf69c2d8d3 100644 --- a/roles/notifs-backend/templates/fmn.consumer.py +++ b/roles/notifs-backend/templates/fmn.consumer.py @@ -46,7 +46,7 @@ config = { "fmn.email.from_address": "notifications@" + domain, # IRC - "fmn.irc.network": "irc.freenode.net", + "fmn.irc.network": "chat.freenode.net", "fmn.irc.nickname": ircnick, "fmn.irc.port": 6667, "fmn.irc.timeout": 120, From 1d855876068f897ab7ae123afabe47a072ab84a7 Mon Sep 17 00:00:00 2001 
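Review bot: The pkgdb port format `301%i` has no zero padding, so `range(10)` (ports 3010–3019) is the most it can express; an eleventh endpoint would render as `30110`, not the next port. The FAS entries in endpoints.py.j2 use a padded form, and the same shape works here with an offset: `"tcp://app01.%s:30%02i" % (suffix, 10 + i)`. If the format stays, a comment above the block should say so, e.g. `# 301%i: single digit only, do not raise range() above 10`. As with FAS, the host firewall rules need to admit the four new ports per app host; none are visible in this hunk.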
From: Kevin Fenzi Date: Mon, 3 Feb 2014 22:55:28 +0000 Subject: [PATCH 162/271] Enable hungarian in ask.stg to test. --- roles/ask/templates/settings.py | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index ed9d2bbb88..7f9c27e6af 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py @@ -259,6 +259,7 @@ LANGUAGES = ( ('fr', gettext('French')), ('el', gettext('Greek')), ('id', gettext('Indonesian')), + ('hu', gettext('Hungarian')), ) {% else %} DOMAIN_NAME = 'ask.fedoraproject.org' From 234f2825beb7ee1c31a8f1b7efb1e999e1e5dca5 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 3 Feb 2014 23:56:49 +0000 Subject: [PATCH 163/271] Add semanage for ports --- roles/nuancier/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index 8fc088d16e..4ddb0a45f3 100644 --- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml @@ -65,6 +65,9 @@ state=true persistent=true +- name: set ports so httpd can talk to fedmsg endpoints + command: semanage port -a -t http_port_t -p tcp 3001-3100 + - name: apply selinux type to static files file: > dest=/usr/lib/python2.6/site-packages/nuancier/static/ From e9faa5079e3f08ba6936886f5e7381947c4215bc Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 4 Feb 2014 00:06:09 +0000 Subject: [PATCH 164/271] Fix this up some. --- roles/nuancier/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index 4ddb0a45f3..681125452a 100644 --- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml 
@@ -65,8 +65,13 @@ state=true persistent=true +- name: check semanage ports + command: semanage port -l + register: semanageoutput + - name: set ports so httpd can talk to fedmsg endpoints command: semanage port -a -t http_port_t -p tcp 3001-3100 + when: semanageoutput.stdout.find("3001-3100") == -1 - name: apply selinux type to static files file: > From 15503efdc92b223cb3abecdc11d6ab83510e7082 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Tue, 4 Feb 2014 09:03:33 +0000 Subject: [PATCH 165/271] Mailman: don't auto-redirect to SSL In the Fedora infra, SSL is handled by the proxy and we can't detect it. --- roles/mailman/templates/settings.py.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/mailman/templates/settings.py.j2 b/roles/mailman/templates/settings.py.j2 index f819bb5d99..3499638129 100644 --- a/roles/mailman/templates/settings.py.j2 +++ b/roles/mailman/templates/settings.py.j2 @@ -327,7 +327,9 @@ KITTYSTORE_URL = 'postgres://kittystoreapp:{{ mailman_ks_db_pass }}@{{ mailman_d KITTYSTORE_SEARCH_INDEX = '{{ mailman_webui_basedir }}/kittystore_search_index' # Use SSL when logged in -USE_SSL = True +#USE_SSL = True +# In the Fedora infra, SSL is handled by the proxy and we can't detect it +USE_SSL = False # Only display mailing-lists from the same virtual host as the webserver FILTER_VHOST = False From 25e545ed5dd22cbbfea7cf47ba415e255da189f1 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 4 Feb 2014 19:07:07 +0000 Subject: [PATCH 166/271] Enable Hungarian in ask production. Ticket 4214 --- roles/ask/templates/settings.py | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ask/templates/settings.py b/roles/ask/templates/settings.py index 7f9c27e6af..db06d514dd 100644 --- a/roles/ask/templates/settings.py +++ b/roles/ask/templates/settings.py 
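Review bot: The guard `semanageoutput.stdout.find("3001-3100") == -1` matches that range under any SELinux type or protocol in the `semanage port -l` output, not only `http_port_t` on tcp, so the add is skipped whenever the string appears anywhere. Restricting the check to the intended type is safer, e.g. `shell: semanage port -l | grep '^http_port_t'` for the registered output. The `check semanage ports` task also reports changed on every run and is skipped in check mode, which leaves `semanageoutput.stdout` unset; `always_run: yes` and `changed_when: false` on that task avoid both. The labelled range starts at 3001 while the fedmsg endpoint templates elsewhere in this series start at port 3000, so confirm which ports nuancier actually binds before widening httpd's port set by a hundred entries.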
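Review bot: With `USE_SSL = False` nothing in this settings hunk keeps logged-in sessions on HTTPS any more, so that guarantee now rests entirely on the proxy. If the proxy forwards the original scheme, Django can be told about it with `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')`, provided the proxy overwrites that header on every request so a client cannot supply it; `SESSION_COOKIE_SECURE = True` keeps the session cookie off plain HTTP either way. The commented-out `#USE_SSL = True` line is dead code next to the explanatory comment and can be dropped. Whether the proxy sets such a header is not visible here.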
@@ -280,6 +280,7 @@ LANGUAGES = ( ('id', gettext('Indonesian')), ('el', gettext('Greek')), ('zh-cn', gettext('Simplified Chinese')), + ('hu', gettext('Hungarian')), ) {% endif %} From 417471d97898a1c7cdf01e9e42d914258b3ea277 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Tue, 4 Feb 2014 20:59:01 +0000 Subject: [PATCH 167/271] Now remove proxy05/proxy5 app06/app6 from ansible. --- files/hosts/ask01.phx2.fedoraproject.org-hosts | 2 +- files/hosts/ask01.stg.phx2.fedoraproject.org-hosts | 2 +- files/hosts/ask02.phx2.fedoraproject.org-hosts | 2 +- files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts | 2 +- files/hosts/badges-web01.phx2.fedoraproject.org-hosts | 2 +- files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts | 2 +- files/hosts/badges-web02.phx2.fedoraproject.org-hosts | 2 +- files/hosts/fedocal01.phx2.fedoraproject.org-hosts | 2 +- files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts | 2 +- files/hosts/fedocal02.phx2.fedoraproject.org-hosts | 2 +- files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts | 2 +- files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts | 2 +- files/hosts/notifs-web01.phx2.fedoraproject.org-hosts | 2 +- files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts | 2 +- files/hosts/notifs-web02.phx2.fedoraproject.org-hosts | 2 +- files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts | 2 +- files/hosts/nuancier01.phx2.fedoraproject.org-hosts | 2 +- files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts | 2 +- files/hosts/nuancier02.phx2.fedoraproject.org-hosts | 2 +- files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts | 2 +- files/releng/fedmsg/endpoints.py | 4 ---- files/releng/fedmsg/ssl.py | 1 - inventory/inventory | 2 -- roles/fedmsg_base/templates/endpoints.py.j2 | 4 ---- roles/fedmsg_base/templates/pkgdb.py.j2 | 4 ---- roles/fedmsg_base/templates/ssl.py.j2 | 1 - 26 files changed, 20 insertions(+), 36 deletions(-) 
diff --git a/files/hosts/ask01.phx2.fedoraproject.org-hosts b/files/hosts/ask01.phx2.fedoraproject.org-hosts index a5ea2bd3e7..78678246c9 100644 --- a/files/hosts/ask01.phx2.fedoraproject.org-hosts +++ b/files/hosts/ask01.phx2.fedoraproject.org-hosts @@ -1,7 +1,7 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 db-ask diff --git a/files/hosts/ask01.stg.phx2.fedoraproject.org-hosts b/files/hosts/ask01.stg.phx2.fedoraproject.org-hosts index 976ef96a0f..f051c5984b 100644 --- a/files/hosts/ask01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/ask01.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/ask02.phx2.fedoraproject.org-hosts b/files/hosts/ask02.phx2.fedoraproject.org-hosts index a5ea2bd3e7..78678246c9 100644 --- a/files/hosts/ask02.phx2.fedoraproject.org-hosts +++ b/files/hosts/ask02.phx2.fedoraproject.org-hosts 
@@ -1,7 +1,7 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 db-ask diff --git a/files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts b/files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts index 45c9b68d17..534823fa01 100644 --- a/files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/badges-web01.phx2.fedoraproject.org-hosts b/files/hosts/badges-web01.phx2.fedoraproject.org-hosts index ef881d08c2..42463d54c5 100644 --- a/files/hosts/badges-web01.phx2.fedoraproject.org-hosts +++ b/files/hosts/badges-web01.phx2.fedoraproject.org-hosts 
@@ -1,5 +1,5 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 db-tahrir db-tahrir diff --git a/files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts b/files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts index 5004dc0f9c..9903f09a61 100644 --- a/files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/badges-web02.phx2.fedoraproject.org-hosts b/files/hosts/badges-web02.phx2.fedoraproject.org-hosts index ef881d08c2..42463d54c5 100644 --- a/files/hosts/badges-web02.phx2.fedoraproject.org-hosts +++ b/files/hosts/badges-web02.phx2.fedoraproject.org-hosts 
@@ -1,5 +1,5 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 db-tahrir db-tahrir diff --git a/files/hosts/fedocal01.phx2.fedoraproject.org-hosts b/files/hosts/fedocal01.phx2.fedoraproject.org-hosts index 0a4860a664..8b742db388 100644 --- a/files/hosts/fedocal01.phx2.fedoraproject.org-hosts +++ b/files/hosts/fedocal01.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts b/files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts index cb3bf792be..4a0f12bde9 100644 --- a/files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts 
@@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/fedocal02.phx2.fedoraproject.org-hosts b/files/hosts/fedocal02.phx2.fedoraproject.org-hosts index 0a4860a664..8b742db388 100644 --- a/files/hosts/fedocal02.phx2.fedoraproject.org-hosts +++ b/files/hosts/fedocal02.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts b/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts index 23f9e40ac0..ec03ec269b 100644 --- a/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-backend01.phx2.fedoraproject.org-hosts 
@@ -1,6 +1,6 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 db-notifs db-notifs 10.5.126.109 db-datanommer db-datanommer diff --git a/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts index 6ba829d3d2..81694c1bc8 100644 --- a/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts index 23f9e40ac0..ec03ec269b 100644 --- a/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web01.phx2.fedoraproject.org-hosts 
@@ -1,6 +1,6 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 db-notifs db-notifs 10.5.126.109 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts index 6ba829d3d2..81694c1bc8 100644 --- a/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts index 23f9e40ac0..ec03ec269b 100644 --- a/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web02.phx2.fedoraproject.org-hosts 
@@ -1,6 +1,6 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 db-notifs db-notifs 10.5.126.109 db-datanommer db-datanommer diff --git a/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts b/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts index 6ba829d3d2..81694c1bc8 100644 --- a/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/nuancier01.phx2.fedoraproject.org-hosts b/files/hosts/nuancier01.phx2.fedoraproject.org-hosts index 7be9cc916f..83b17e48d8 100644 --- a/files/hosts/nuancier01.phx2.fedoraproject.org-hosts +++ b/files/hosts/nuancier01.phx2.fedoraproject.org-hosts 
@@ -1,7 +1,7 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 nuancier_db nuancier_db diff --git a/files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts b/files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts index 19c2ac4cbe..5ddb542288 100644 --- a/files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/hosts/nuancier02.phx2.fedoraproject.org-hosts b/files/hosts/nuancier02.phx2.fedoraproject.org-hosts index 7be9cc916f..83b17e48d8 100644 --- a/files/hosts/nuancier02.phx2.fedoraproject.org-hosts +++ b/files/hosts/nuancier02.phx2.fedoraproject.org-hosts 
@@ -1,7 +1,7 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.52 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.71 nuancier_db nuancier_db diff --git a/files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts b/files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts index 19c2ac4cbe..5ddb542288 100644 --- a/files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts @@ -2,7 +2,7 @@ ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.5.126.89 admin.fedoraproject.org -10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy5 proxy01 proxy02 proxy03 proxy04 proxy05 fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org 10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all 10.5.126.23 infrastructure.fedoraproject.org diff --git a/files/releng/fedmsg/endpoints.py b/files/releng/fedmsg/endpoints.py index 364f3e7e63..f8bc91d34a 100644 --- a/files/releng/fedmsg/endpoints.py +++ b/files/releng/fedmsg/endpoints.py @@ -42,10 +42,6 @@ config = dict( "tcp://app05.%s:300%i" % (non_phx_suffix, i) for i in range(8) ], - "bodhi.app06": [ - "tcp://app06.%s:300%i" % (non_phx_suffix, i) - for i in range(8) - ], "bodhi.app07": [ "tcp://app07.%s:300%i" % (suffix, i) for i in range(8) diff --git a/files/releng/fedmsg/ssl.py b/files/releng/fedmsg/ssl.py index dfa5bc179f..10847852b2 100644 --- a/files/releng/fedmsg/ssl.py +++ b/files/releng/fedmsg/ssl.py 
@@ -6,7 +6,6 @@ app_hosts = [ "app03.phx2.fedoraproject.org", "app04.phx2.fedoraproject.org", "app05.fedoraproject.org", - "app06.fedoraproject.org", "app07.phx2.fedoraproject.org", "app08.fedoraproject.org", ] diff --git a/inventory/inventory b/inventory/inventory index 1e6f6241eb..f1cc1c8a3b 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -29,7 +29,6 @@ app02.phx2.fedoraproject.org app03.phx2.fedoraproject.org app04.phx2.fedoraproject.org app05.fedoraproject.org -app06.fedoraproject.org app08.fedoraproject.org [app-stg] @@ -340,7 +339,6 @@ proxy01.phx2.fedoraproject.org proxy02.fedoraproject.org proxy03.fedoraproject.org proxy04.fedoraproject.org -proxy05.fedoraproject.org proxy06.fedoraproject.org proxy07.fedoraproject.org proxy08.fedoraproject.org diff --git a/roles/fedmsg_base/templates/endpoints.py.j2 b/roles/fedmsg_base/templates/endpoints.py.j2 index a75c8b9d26..ca867b88cb 100644 --- a/roles/fedmsg_base/templates/endpoints.py.j2 +++ b/roles/fedmsg_base/templates/endpoints.py.j2 @@ -45,10 +45,6 @@ config = dict( "tcp://app05.%s:300%i" % (non_phx_suffix, i) for i in range(8) ], - "bodhi.app06": [ - "tcp://app06.%s:300%i" % (non_phx_suffix, i) - for i in range(8) - ], "bodhi.app07": [ "tcp://app07.%s:300%i" % (suffix, i) for i in range(8) diff --git a/roles/fedmsg_base/templates/pkgdb.py.j2 b/roles/fedmsg_base/templates/pkgdb.py.j2 index bd3803fc5d..cef1d8fe0e 100644 --- a/roles/fedmsg_base/templates/pkgdb.py.j2 +++ b/roles/fedmsg_base/templates/pkgdb.py.j2 @@ -29,10 +29,6 @@ config = dict( "tcp://app05.%s:301%i" % (non_phx_suffix, i) for i in range(10) ], - "pkgdb.app06": [ - "tcp://app06.%s:301%i" % (non_phx_suffix, i) - for i in range(10) - ], "pkgdb.app07": [ "tcp://app07.%s:301%i" % (suffix, i) for i in range(10) diff --git a/roles/fedmsg_base/templates/ssl.py.j2 b/roles/fedmsg_base/templates/ssl.py.j2 index 0f3df555e3..f3455dc9c1 100644 --- a/roles/fedmsg_base/templates/ssl.py.j2 +++ b/roles/fedmsg_base/templates/ssl.py.j2 
@@ -14,7 +14,6 @@ app_hosts = [ "app03.phx2.fedoraproject.org", "app04.phx2.fedoraproject.org", "app05.fedoraproject.org", - "app06.fedoraproject.org", "app07.phx2.fedoraproject.org", "app08.fedoraproject.org", ] From d2ea2b1e63e9fbc68ca53503c7a7456ea64a0c91 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 6 Feb 2014 16:57:18 +0000 Subject: [PATCH 168/271] Pull builder kernel task into koji_builder role. --- playbooks/groups/buildhw.yml | 20 ----------------- roles/koji_builder/tasks/main.yml | 33 ++++++++++++++++++++++++++++ tasks/koji/builder_kernel_config.yml | 18 --------------- 3 files changed, 33 insertions(+), 38 deletions(-) delete mode 100644 tasks/koji/builder_kernel_config.yml diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml index be85d288d8..ccd72ed32e 100644 --- a/playbooks/groups/buildhw.yml +++ b/playbooks/groups/buildhw.yml @@ -22,23 +22,3 @@ handlers: - include: "{{ handlers }}/restart_services.yml" - -- name: make koji builder(s) on raw hw - hosts: buildhw - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "{{ private }}/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - base - - tasks: - - include: "{{ tasks }}/hosts.yml" - - include: "{{ tasks }}/koji/builder_kernel_config.yml" - - handlers: - - include: "{{ handlers }}/restart_services.yml" diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index ffa95265d9..9c666c4a25 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml 
@@ -135,6 +135,39 @@ - name: ntp.conf copy: src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf +# +# We want more loop devices on builders to allow more image creates +# + +- name: check for max_loop with grub2 + command: cat /etc/grub2.cfg + register: max_loop + always_run: yes + changed_when: '1 != 1' + when: is_fedora == 'True' + +- name: check for max_loop with grub1 + command: cat /etc/grub.cfg + register: max_loop + always_run: yes + changed_when: '1 != 1' + when: is_rhel == 'True' + +- name: set kernel params for more loops + action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 + when: max_loop.stdout.find("max_loop=64") == -1 + +# +# x86_64 builders run pungify, that needs hfs module in order to make +# The efi/mac images. This module is only needed on rhel. +# + +- name: special pkgs for the x86_64 builders + yum: state=installed pkg={{ item }} + with_items: + - kmod-hfsplus + when: is_rhel == 'True' + - name: enable services and start them service: name={{ item }} enabled=true state=started with_items: diff --git a/tasks/koji/builder_kernel_config.yml b/tasks/koji/builder_kernel_config.yml deleted file mode 100644 index b2b1ca31fc..0000000000 --- a/tasks/koji/builder_kernel_config.yml +++ /dev/null @@ -1,18 +0,0 @@ -#- name: set kernel params for loopback partitioning -# action: command /sbin/grubby --update-kernel=ALL --args=loop.max_part=256 -# -- name: check for max_loop - command: cat /etc/grub2.cfg - register: max_loop - always_run: yes - changed_when: '1 != 1' - -- name: set kernel params for more loops - action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 - when: max_loop.stdout.find("max_loop=64") == -1 - -- name: special pkgs for the x86_64 builders - yum: state=installed pkg={{ item }} - with_items: - - kmod-hfsplus - when: is_rhel == 'True' From 7dc5b9151e589a71986892fe7260bceb2e8b4632 Mon Sep 17 00:00:00 2001 
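Review bot: Both `check for max_loop` tasks register the same variable `max_loop`, and `set kernel params for more loops` then reads `max_loop.stdout` without knowing which of the two actually ran. Depending on the Ansible version, a skipped task still stores a result under its `register` name, so on a Fedora builder the skipped grub1 check can replace the grub2 output with a result that has no `stdout`. Registering under separate names, e.g. `register: max_loop_grub2` and `register: max_loop_grub1`, and testing each in its own `when` avoids that; the `max_loop is defined` guard added later in PATCH 172 leaves the same gap, because a skipped result is still defined. The `is_fedora == 'True'` and `is_rhel == 'True'` conditions compare against a string and only match if those variables are set as strings, which this hunk does not show.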
From: Kevin Fenzi Date: Thu, 6 Feb 2014 17:02:18 +0000 Subject: [PATCH 169/271] Need to sort this out, but this should work fine for now. --- roles/koji_builder/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 9c666c4a25..643c129fa6 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -144,14 +144,14 @@ register: max_loop always_run: yes changed_when: '1 != 1' - when: is_fedora == 'True' + when: ansible_distribution == 'Fedora' - name: check for max_loop with grub1 command: cat /etc/grub.cfg register: max_loop always_run: yes changed_when: '1 != 1' - when: is_rhel == 'True' + when: ansible_distribution == 'RedHat' - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 From 6e4e48d8b3e0d2a8bbd893a6f9a4e508b4d792ff Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 6 Feb 2014 17:04:04 +0000 Subject: [PATCH 170/271] It's conf with grub1 --- roles/koji_builder/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 643c129fa6..bbd42d8a09 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -147,7 +147,7 @@ when: ansible_distribution == 'Fedora' - name: check for max_loop with grub1 - command: cat /etc/grub.cfg + command: cat /etc/grub.conf register: max_loop always_run: yes changed_when: '1 != 1' From d2ba50fc294f179b0812d130b26b0d10db496e94 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 6 Feb 2014 17:09:46 +0000 Subject: [PATCH 171/271] No grub2 on arm --- roles/koji_builder/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index bbd42d8a09..e9c528a1a8 100644 --- a/roles/koji_builder/tasks/main.yml 
+++ b/roles/koji_builder/tasks/main.yml @@ -144,7 +144,7 @@ register: max_loop always_run: yes changed_when: '1 != 1' - when: ansible_distribution == 'Fedora' + when: ansible_distribution == 'Fedora' and ansible_architecture == 'x86_64' - name: check for max_loop with grub1 command: cat /etc/grub.conf From cddcb75d84f5c039775c537742a55769f024812b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 6 Feb 2014 17:18:07 +0000 Subject: [PATCH 172/271] This isn't defined on arm --- roles/koji_builder/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index e9c528a1a8..8d09bdb903 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -155,7 +155,7 @@ - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 - when: max_loop.stdout.find("max_loop=64") == -1 + when: max_loop is defined and max_loop.stdout.find("max_loop=64") == -1 # # x86_64 builders run pungify, that needs hfs module in order to make From 902afe8a72cba45bc75b3f8d02ef676b92277b78 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 6 Feb 2014 17:26:32 +0000 Subject: [PATCH 173/271] Only check grub1 on x86 hw, not ppc --- roles/koji_builder/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 8d09bdb903..d00a6410e9 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -151,7 +151,7 @@ register: max_loop always_run: yes changed_when: '1 != 1' - when: ansible_distribution == 'RedHat' + when: ansible_distribution == 'RedHat' and ansible_architecture == 'x86_64' - name: set kernel params for more loops action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 From 77c7ea987f015c9cd0ba3a0349b9bd3da57af04c Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Thu, 6 Feb 2014 17:53:16 +0000 Subject: [PATCH 174/271] Adjust services for rhel buildhw --- roles/koji_builder/tasks/main.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index d00a6410e9..a15f2155e3 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -168,10 +168,20 @@ - kmod-hfsplus when: is_rhel == 'True' -- name: enable services and start them +- name: enable services and start them on Fedora systems service: name={{ item }} enabled=true state=started with_items: - ntpd - nfs-lock - nfs-idmap - nfs-mountd + when: ansible_distribution == 'Fedora' + +- name: enable services and start them on RHEL systems + service: name={{ item }} enabled=true state=started + with_items: + - rpcbind + - ntpd + - nfslock + - nfs + when: ansible_distribution == 'RedHat' From 5dcb09537dbbc4c0ca9453c5bfdd56824f9ed551 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 6 Feb 2014 21:14:12 +0000 Subject: [PATCH 175/271] Add bodhi.dev cloud instance --- .../host_vars/bodhi.dev.fedoraproject.org | 11 +++++ inventory/inventory | 3 +- .../hosts/bodhi.dev.fedoraproject.org.yml | 41 +++++++++++++++++++ 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 inventory/host_vars/bodhi.dev.fedoraproject.org create mode 100644 playbooks/hosts/bodhi.dev.fedoraproject.org.yml diff --git a/inventory/host_vars/bodhi.dev.fedoraproject.org b/inventory/host_vars/bodhi.dev.fedoraproject.org new file mode 100644 index 0000000000..afa45a0fc2 --- /dev/null +++ b/inventory/host_vars/bodhi.dev.fedoraproject.org @@ -0,0 +1,11 @@ +--- +instance_type: m1.medium +image: "{{ el6_qcow_id }}" +keypair: fedora-admin-20130801 +security_group: webserver +zone: nova +hostbase: bodhi.dev +public_ip: 209.132.184.215 +root_auth_users: lmacken +description: bodhi2 dev instance +tcp_ports: ['22', '443'] 
diff --git a/inventory/inventory b/inventory/inventory index f1cc1c8a3b..cc9a6a4c83 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -436,7 +436,8 @@ copr-fe-dev.cloud.fedoraproject.org hrf.cloud.fedoraproject.org #shogun-ca.cloud.fedoraproject.org 209.132.184.157 - +# bodhi.dev.fedoraproject.org +bodhi.dev.fedoraproject.org [cloud] jenkins-slaves diff --git a/playbooks/hosts/bodhi.dev.fedoraproject.org.yml b/playbooks/hosts/bodhi.dev.fedoraproject.org.yml new file mode 100644 index 0000000000..2b02c99956 --- /dev/null +++ b/playbooks/hosts/bodhi.dev.fedoraproject.org.yml @@ -0,0 +1,41 @@ +- name: check/create instance + hosts: bodhi.dev.fedoraproject.org + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + + tasks: + - include: "{{ tasks }}/persistent_cloud.yml" + - include: "{{ tasks }}/growroot_cloud.yml" + +- name: provision instance + hosts: bodhi.dev.fedoraproject.org + user: root + gather_facts: True + vars: + - tcp_ports: [22, 443] + - udp_ports: [] + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - include: "{{ tasks }}/cloud_setup_basic.yml" + - include: "{{ tasks }}/postfix_basic.yml" + + - name: mount up disk of fedocal persistent storage + action: mount name=/srv/persist src='LABEL=fedocal.dev' fstype=ext4 state=mounted + + # open up tcp ports + - name: poke holes in the firewall + action: command lokkit -p '{{ item }}:tcp' + with_items: + - "{{ tcp_ports }}" + + handlers: + - include: "{{ handlers }}/restart_services.yml" From 00de58c594f1ff446f50e80a17d8af591b1b60c3 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 6 Feb 2014 21:22:09 +0000 Subject: [PATCH 176/271] Fix copypasta --- playbooks/hosts/bodhi.dev.fedoraproject.org.yml | 3 --- 1 file changed, 3 deletions(-) 
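Review bot: The `provision instance` play sets `tcp_ports: [22, 443]` in its own `vars`, while the same commit already defines `tcp_ports: ['22', '443']` in `inventory/host_vars/bodhi.dev.fedoraproject.org`, so the firewall openings for this host have two sources that can drift apart. Dropping the play-level entry and keeping the host_vars value leaves one place to audit when someone asks which ports this instance exposes. The `poke holes in the firewall` task calls `lokkit` through `command`, which reports changed on every run; a `changed_when` or a one-line comment such as `# lokkit is re-run on every play; not idempotent` would make the run output easier to read.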
diff --git a/playbooks/hosts/bodhi.dev.fedoraproject.org.yml b/playbooks/hosts/bodhi.dev.fedoraproject.org.yml index 2b02c99956..5d47fbef8e 100644 --- a/playbooks/hosts/bodhi.dev.fedoraproject.org.yml +++ b/playbooks/hosts/bodhi.dev.fedoraproject.org.yml @@ -28,9 +28,6 @@ - include: "{{ tasks }}/cloud_setup_basic.yml" - include: "{{ tasks }}/postfix_basic.yml" - - name: mount up disk of fedocal persistent storage - action: mount name=/srv/persist src='LABEL=fedocal.dev' fstype=ext4 state=mounted - # open up tcp ports - name: poke holes in the firewall action: command lokkit -p '{{ item }}:tcp' From 55b08d5a5283ac67b16098a03a0206c1dd80af37 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 7 Feb 2014 21:36:24 +0000 Subject: [PATCH 177/271] First stab at a gluster role for the nuancier staging nodes. --- playbooks/groups/nuancier.yml | 29 +++++++++++ roles/gluster/client/tasks/main.yml | 23 +++++++++ roles/gluster/client/templates/client.config | 54 ++++++++++++++++++++ roles/gluster/server/tasks/main.yml | 23 +++++++++ roles/gluster/server/templates/server.config | 29 +++++++++++ 5 files changed, 158 insertions(+) create mode 100644 roles/gluster/client/tasks/main.yml create mode 100644 roles/gluster/client/templates/client.config create mode 100644 roles/gluster/server/tasks/main.yml create mode 100644 roles/gluster/server/templates/server.config diff --git a/playbooks/groups/nuancier.yml b/playbooks/groups/nuancier.yml index d2600f20cf..64c0a51942 100644 --- a/playbooks/groups/nuancier.yml +++ b/playbooks/groups/nuancier.yml 
@@ -69,6 +69,35 @@ handlers: - include: "{{ handlers }}/restart_services.yml" +- name: set up gluster + hosts: nuancier-stg + user: root + gather_facts: True + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: gluster/server + username: {{ nuancier_gluster_username }} + password: {{ nuancier_gluster_password }} + owner: root + group: root + datadir: /srv/glusterfs/nuancier + + - role: gluster/client + servers: + - nuancier01.stg.phx2.fedoraproject.org + - nuancier02.stg.phx2.fedoraproject.org + username: {{ nuancier_gluster_username }} + password: {{ nuancier_gluster_password }} + owner: apache + group: root + mountdir: /var/cache/nuancier + - name: deploy nuancier itself hosts: nuancier;nuancier-stg user: root diff --git a/roles/gluster/client/tasks/main.yml b/roles/gluster/client/tasks/main.yml new file mode 100644 index 0000000000..065161139e --- /dev/null +++ b/roles/gluster/client/tasks/main.yml @@ -0,0 +1,23 @@ +--- + +- name: install needed packages + yum: pkg={{ item }} state=installed + with_items: + - glusterfs-fuse + tags: + - packages + +- name: make the mountdir + file: dest={{ mountdir }} owner={{ owner }} group={{ group }} + +- name: copy over the client config + template: src=client.config dest=/etc/glusterfs/glusterfs.{{name}}.vol + #notify: + #- remount? no idea... + +- name: mount it up + mount: > + src=/etc/glusterfs/glusterfs.{{name}}.vol + state=mounted + fstype=glusterfs + opts=noatime diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config new file mode 100644 index 0000000000..65c414a3c1 --- /dev/null +++ b/roles/gluster/client/templates/client.config 
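Review bot: The `copy over the client config` task in `roles/gluster/client/tasks/main.yml` writes a volfile that carries the gluster `username` and `password`, but it sets no `owner`, `group` or `mode`, so the file gets the remote default and is usually world-readable. I would set the permissions explicitly, e.g. `template: src=client.config dest=/etc/glusterfs/glusterfs.{{name}}.vol owner=root group=root mode=0600`, in line with the `mode=0600` the nuancier role on this page uses for its config files. The `copy over the server config` task in `roles/gluster/server/tasks/main.yml` has the same gap for `/etc/glusterfs/glusterd.vol`. Separately, `make the mountdir` passes no `state=directory` to `file`, so it may not create a missing mount point.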
@@ -0,0 +1,54 @@ +# Config for {{ name }} +# Generated by ansible + +{% for server in servers %} +volume vol-<%= servers.index(server) %> + type protocol/client + option transport-type tcp + option remote-host <%= server %> + option transport.socket.nodelay on + option remote-port 6996 + option remote-subvolume iothreads + option username <%= username %> + option password <%= password %> +end-volume +{% endfor %} + +volume mirror-0 + type cluster/replicate + subvolumes {% for i in range(len(servers)) %}vol-#{{i}} {% endfor %} + {% if servers.index(ansible_hostname) %} + option read-subvolume vol-{{ servers.index(ansible_hostname)}} + {% endif %} +end-volume + +volume writebehind + type performance/write-behind + option cache-size 4MB + # option flush-behind on # olecam: increasing the performance of handling lots of small files + subvolumes mirror-0 +end-volume + +volume iothreads + type performance/io-threads + option thread-count 16 # default is 16 + subvolumes writebehind +end-volume + +volume iocache + type performance/io-cache + option cache-size `grep 'MemTotal' /proc/meminfo | awk '{print $2 * 0.2 / 1024}' | cut -f1 -d.`MB + option cache-timeout 30 + subvolumes iothreads +end-volume + +volume statprefetch + type performance/stat-prefetch + subvolumes iocache +end-volume + +#volume nfs-server +# type nfs/server +# option nfs.dynamic-volumes on +# subvolumes mirror-0 +#end-volume diff --git a/roles/gluster/server/tasks/main.yml b/roles/gluster/server/tasks/main.yml new file mode 100644 index 0000000000..7dbb045754 --- /dev/null +++ b/roles/gluster/server/tasks/main.yml 
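Review bot: The `{% if servers.index(ansible_hostname) %}` guard in `volume mirror-0` tests a list position rather than membership, so the first server (index 0) evaluates as false and never gets a `read-subvolume`. A host that is not in `servers` should also make the lookup raise instead of skipping the option. A membership test such as `{% if ansible_hostname in servers %}` states the intent; the later patches on this page change which variable is looked up but keep the same `servers.index(...)` condition. The `cache-size` value under `volume iocache` is a backquoted shell pipeline that the template passes through literally, so a comment saying whether the volfile parser is expected to evaluate it would help.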
@@ -0,0 +1,23 @@ +--- + +- name: install needed packages + yum: pkg={{ item }} state=installed + with_items: + - glusterfs-server + tags: + - packages + +- name: glusterd service + service: name=glusterd state=started enabled=yes + +- name: make the datadir + file: dest={{ datadir }} owner={{ owner }} group={{ group }} + +- name: make the datapath + file: dest={{ datadir }}/{{ name }} owner={{ owner }} group={{ group }} + +- name: copy over the server config + template: src=server.config dest=/etc/glusterfs/glusterd.vol + notify: + - restart glusterd + diff --git a/roles/gluster/server/templates/server.config b/roles/gluster/server/templates/server.config new file mode 100644 index 0000000000..15a43aa86d --- /dev/null +++ b/roles/gluster/server/templates/server.config @@ -0,0 +1,29 @@ +# Config for {{ name }} +# Generated by ansible + +volume posix + type storage/posix + option directory {{ datapath }} +end-volume + +volume locks + type features/locks + option mandatory-locks on + subvolumes posix +end-volume + +volume iothreads + type performance/io-threads + option thread-count 16 + subvolumes locks +end-volume + +volume server-tcp + type protocol/server + subvolumes iothreads + option transport-type tcp + option auth.login.iothreads.allow {{ username }} + option auth.login.{{ username }}.password {{ password }} + option transport.socket.listen-port 6996 + option transport.socket.nodelay on +end-volume From 8a61b7791abb08c148c72cfa6cb04be87e6aef6f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 7 Feb 2014 21:41:47 +0000 Subject: [PATCH 178/271] Remove indentation. --- playbooks/groups/nuancier.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/playbooks/groups/nuancier.yml b/playbooks/groups/nuancier.yml index 64c0a51942..8c89f3b75c 100644 --- a/playbooks/groups/nuancier.yml +++ b/playbooks/groups/nuancier.yml 
@@ -80,23 +80,23 @@ - "{{ private }}/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - roles: - - role: gluster/server - username: {{ nuancier_gluster_username }} - password: {{ nuancier_gluster_password }} - owner: root - group: root - datadir: /srv/glusterfs/nuancier + roles: + - role: gluster/server + username: {{ nuancier_gluster_username }} + password: {{ nuancier_gluster_password }} + owner: root + group: root + datadir: /srv/glusterfs/nuancier - - role: gluster/client - servers: - - nuancier01.stg.phx2.fedoraproject.org - - nuancier02.stg.phx2.fedoraproject.org - username: {{ nuancier_gluster_username }} - password: {{ nuancier_gluster_password }} - owner: apache - group: root - mountdir: /var/cache/nuancier + - role: gluster/client + servers: + - nuancier01.stg.phx2.fedoraproject.org + - nuancier02.stg.phx2.fedoraproject.org + username: {{ nuancier_gluster_username }} + password: {{ nuancier_gluster_password }} + owner: apache + group: root + mountdir: /var/cache/nuancier - name: deploy nuancier itself hosts: nuancier;nuancier-stg From 3de2b17204f4e7459ab76e82f21c9ec4c21dc76f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 7 Feb 2014 21:42:33 +0000 Subject: [PATCH 179/271] Quote those. --- playbooks/groups/nuancier.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/groups/nuancier.yml b/playbooks/groups/nuancier.yml index 8c89f3b75c..bc5039e42c 100644 --- a/playbooks/groups/nuancier.yml +++ b/playbooks/groups/nuancier.yml @@ -82,8 +82,8 @@ roles: - role: gluster/server - username: {{ nuancier_gluster_username }} - password: {{ nuancier_gluster_password }} + username: "{{ nuancier_gluster_username }}" + password: "{{ nuancier_gluster_password }}" owner: root group: root datadir: /srv/glusterfs/nuancier 
@@ -92,8 +92,8 @@ servers: - nuancier01.stg.phx2.fedoraproject.org - nuancier02.stg.phx2.fedoraproject.org - username: {{ nuancier_gluster_username }} - password: {{ nuancier_gluster_password }} + username: "{{ nuancier_gluster_username }}" + password: "{{ nuancier_gluster_password }}" owner: apache group: root mountdir: /var/cache/nuancier From b070ef772b62ec02acbbb7fbe59f6d782c0e6b31 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 7 Feb 2014 21:48:53 +0000 Subject: [PATCH 180/271] Supply a "name". --- playbooks/groups/nuancier.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/groups/nuancier.yml b/playbooks/groups/nuancier.yml index bc5039e42c..a74f1b5749 100644 --- a/playbooks/groups/nuancier.yml +++ b/playbooks/groups/nuancier.yml @@ -82,6 +82,7 @@ roles: - role: gluster/server + name: gluster username: "{{ nuancier_gluster_username }}" password: "{{ nuancier_gluster_password }}" owner: root @@ -89,6 +90,7 @@ datadir: /srv/glusterfs/nuancier - role: gluster/client + name: gluster servers: - nuancier01.stg.phx2.fedoraproject.org - nuancier02.stg.phx2.fedoraproject.org From e462a294ecff8362d8581136cf2109fca8debf3c Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 7 Feb 2014 21:50:17 +0000 Subject: [PATCH 181/271] Construct this correctly. --- roles/gluster/server/templates/server.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/gluster/server/templates/server.config b/roles/gluster/server/templates/server.config index 15a43aa86d..787494c235 100644 --- a/roles/gluster/server/templates/server.config +++ b/roles/gluster/server/templates/server.config @@ -3,7 +3,7 @@ volume posix type storage/posix - option directory {{ datapath }} + option directory {{ datadir }}/{{ name }} end-volume volume locks From f38b34d8c44f0578f467c56bbfff08d1d430c19b Mon Sep 17 00:00:00 2001 
From: Ralph Bean Date: Fri, 7 Feb 2014 21:54:15 +0000 Subject: [PATCH 182/271] Add a handler to restart glusterd. --- roles/gluster/server/handlers/main.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 roles/gluster/server/handlers/main.yml diff --git a/roles/gluster/server/handlers/main.yml b/roles/gluster/server/handlers/main.yml new file mode 100644 index 0000000000..6cec6a15b2 --- /dev/null +++ b/roles/gluster/server/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart glusterd + service: name=glusterd state=restarted From c983f6202bb194cb5593e95d4947586b50150eaf Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 7 Feb 2014 21:55:47 +0000 Subject: [PATCH 183/271] Restrictive jinja disallowed "len()" --- roles/gluster/client/templates/client.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config index 65c414a3c1..85cfccc5d5 100644 --- a/roles/gluster/client/templates/client.config +++ b/roles/gluster/client/templates/client.config @@ -16,7 +16,7 @@ end-volume volume mirror-0 type cluster/replicate - subvolumes {% for i in range(len(servers)) %}vol-#{{i}} {% endfor %} + subvolumes {% for server in servers %}vol-#{{loop.index}} {% endfor %} {% if servers.index(ansible_hostname) %} option read-subvolume vol-{{ servers.index(ansible_hostname)}} {% endif %} From ff73e633e8d65ca8a1171a402b1300c90530f08c Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 7 Feb 2014 21:58:33 +0000 Subject: [PATCH 184/271] Fix some more jinja errors and use ansible_ssh_host over ansible_hostname. --- roles/gluster/client/templates/client.config | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config index 85cfccc5d5..6584efc924 100644 --- a/roles/gluster/client/templates/client.config +++ b/roles/gluster/client/templates/client.config 
@@ -2,23 +2,23 @@ # Generated by ansible {% for server in servers %} -volume vol-<%= servers.index(server) %> +volume vol-{{ servers.index(server) }} type protocol/client option transport-type tcp - option remote-host <%= server %> + option remote-host {{ server }} option transport.socket.nodelay on option remote-port 6996 option remote-subvolume iothreads - option username <%= username %> - option password <%= password %> + option username {{ username }} + option password {{ password }} end-volume {% endfor %} volume mirror-0 type cluster/replicate subvolumes {% for server in servers %}vol-#{{loop.index}} {% endfor %} - {% if servers.index(ansible_hostname) %} - option read-subvolume vol-{{ servers.index(ansible_hostname)}} + {% if servers.index(ansible_ssh_host) %} + option read-subvolume vol-{{ servers.index(ansible_ssh_host)}} {% endif %} end-volume From 75799a5f32115c698543493f1bdf6ff19f53491f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 7 Feb 2014 22:02:16 +0000 Subject: [PATCH 185/271] Use some hostvars trickery. --- roles/gluster/client/templates/client.config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config index 6584efc924..430964208a 100644 --- a/roles/gluster/client/templates/client.config +++ b/roles/gluster/client/templates/client.config @@ -17,8 +17,8 @@ end-volume volume mirror-0 type cluster/replicate subvolumes {% for server in servers %}vol-#{{loop.index}} {% endfor %} - {% if servers.index(ansible_ssh_host) %} - option read-subvolume vol-{{ servers.index(ansible_ssh_host)}} + {% if servers.index(hostvars[inventory_hostname]['ansible_ssh_host']) %} + option read-subvolume vol-{{ servers.index(hostvars[inventory_hostname]['ansible_ssh_host'])}} {% endif %} end-volume From 0b3078763100bb5ef759ce66fb311ad6d0ea0225 Mon Sep 17 00:00:00 2001 
From: Ralph Bean Date: Fri, 7 Feb 2014 22:03:46 +0000 Subject: [PATCH 186/271] Well that didn't work. --- roles/gluster/client/templates/client.config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config index 430964208a..c42ec3646a 100644 --- a/roles/gluster/client/templates/client.config +++ b/roles/gluster/client/templates/client.config @@ -17,8 +17,8 @@ end-volume volume mirror-0 type cluster/replicate subvolumes {% for server in servers %}vol-#{{loop.index}} {% endfor %} - {% if servers.index(hostvars[inventory_hostname]['ansible_ssh_host']) %} - option read-subvolume vol-{{ servers.index(hostvars[inventory_hostname]['ansible_ssh_host'])}} + {% if servers.index(inventory_hostname) %} + option read-subvolume vol-{{ servers.index(inventory_hostname)}} {% endif %} end-volume From 1bc4c1a4068a36ec121b155dd180bc22d80bfe93 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:12:50 +0100 Subject: [PATCH 187/271] Specify where to do the mount --- roles/gluster/client/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/gluster/client/tasks/main.yml b/roles/gluster/client/tasks/main.yml index 065161139e..ce90331083 100644 --- a/roles/gluster/client/tasks/main.yml +++ b/roles/gluster/client/tasks/main.yml @@ -14,10 +14,11 @@ template: src=client.config dest=/etc/glusterfs/glusterfs.{{name}}.vol #notify: #- remount? no idea... - + - name: mount it up mount: > src=/etc/glusterfs/glusterfs.{{name}}.vol state=mounted fstype=glusterfs opts=noatime + name={{mountdir}} From 167e776d36737ddcdaa1918b0e6ab9b68184367a Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:16:44 +0100 Subject: [PATCH 188/271] Let's comment it out for now --- roles/gluster/client/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/gluster/client/tasks/main.yml b/roles/gluster/client/tasks/main.yml index ce90331083..b3ddb73a2a 100644 --- a/roles/gluster/client/tasks/main.yml +++ b/roles/gluster/client/tasks/main.yml @@ -20,5 +20,5 @@ src=/etc/glusterfs/glusterfs.{{name}}.vol state=mounted fstype=glusterfs - opts=noatime name={{mountdir}} + #opts=noatime From d032393f523c1943948f8e574005c7c9577cf156 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:17:59 +0100 Subject: [PATCH 189/271] Remove for now --- roles/gluster/client/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/gluster/client/tasks/main.yml b/roles/gluster/client/tasks/main.yml index b3ddb73a2a..b8364bd4e9 100644 --- a/roles/gluster/client/tasks/main.yml +++ b/roles/gluster/client/tasks/main.yml @@ -21,4 +21,3 @@ state=mounted fstype=glusterfs name={{mountdir}} - #opts=noatime From 06990b223478736ac377ce3839503833b554efd0 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:23:37 +0100 Subject: [PATCH 190/271] Give it some space --- roles/gluster/client/templates/client.config | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config index c42ec3646a..b7cac8df95 100644 --- a/roles/gluster/client/templates/client.config +++ b/roles/gluster/client/templates/client.config @@ -17,6 +17,7 @@ end-volume volume mirror-0 type cluster/replicate subvolumes {% for server in servers %}vol-#{{loop.index}} {% endfor %} + {% if servers.index(inventory_hostname) %} option read-subvolume vol-{{ servers.index(inventory_hostname)}} {% endif %} From 280c773ae7425efcddb9f8d27d1ad88487291025 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:25:16 +0100 Subject: [PATCH 191/271] Jinja and yaml are fun together --- roles/gluster/client/templates/client.config | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config index b7cac8df95..15a0aaa817 100644 --- a/roles/gluster/client/templates/client.config +++ b/roles/gluster/client/templates/client.config @@ -17,10 +17,9 @@ end-volume volume mirror-0 type cluster/replicate subvolumes {% for server in servers %}vol-#{{loop.index}} {% endfor %} - {% if servers.index(inventory_hostname) %} - option read-subvolume vol-{{ servers.index(inventory_hostname)}} - {% endif %} + option read-subvolume vol-{{ servers.index(inventory_hostname)}}{% endif %} + end-volume volume writebehind From e5fe0ff6d9951c992dea0e3fb9f696bece4750d5 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:27:36 +0100 Subject: [PATCH 192/271] She said she needed space --- roles/gluster/client/templates/client.config | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config index 15a0aaa817..72aaf267e4 100644 --- a/roles/gluster/client/templates/client.config +++ b/roles/gluster/client/templates/client.config @@ -12,6 +12,7 @@ volume vol-{{ servers.index(server) }} option username {{ username }} option password {{ password }} end-volume + {% endfor %} volume mirror-0 From 2fa4233e674b79dcf2bb8d5f227606b8821106fb Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:29:52 +0100 Subject: [PATCH 193/271] Ruby hacks does not work on python --- roles/gluster/client/templates/client.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config index 72aaf267e4..d8fe1c0021 100644 --- a/roles/gluster/client/templates/client.config +++ b/roles/gluster/client/templates/client.config 
@@ -17,7 +17,7 @@ end-volume volume mirror-0 type cluster/replicate - subvolumes {% for server in servers %}vol-#{{loop.index}} {% endfor %} + subvolumes {% for server in servers %}vol-{{loop.index}} {% endfor %} {% if servers.index(inventory_hostname) %} option read-subvolume vol-{{ servers.index(inventory_hostname)}}{% endif %} From db7116ca3324a37cbf4add78ca7accf5f7ef7a69 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:31:36 +0100 Subject: [PATCH 194/271] Really jinja, 1? --- roles/gluster/client/templates/client.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/gluster/client/templates/client.config b/roles/gluster/client/templates/client.config index d8fe1c0021..668aa6aea2 100644 --- a/roles/gluster/client/templates/client.config +++ b/roles/gluster/client/templates/client.config @@ -17,7 +17,7 @@ end-volume volume mirror-0 type cluster/replicate - subvolumes {% for server in servers %}vol-{{loop.index}} {% endfor %} + subvolumes {% for server in servers %}vol-{{loop.index - 1}} {% endfor %} {% if servers.index(inventory_hostname) %} option read-subvolume vol-{{ servers.index(inventory_hostname)}}{% endif %} From 70fdcdc594a83a554b5b12ccd38fb430030214d6 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:37:48 +0100 Subject: [PATCH 195/271] Add port 6996 on nuancier and nuancier-stg --- inventory/group_vars/nuancier | 2 ++ inventory/group_vars/nuancier-stg | 2 ++ 2 files changed, 4 insertions(+) diff --git a/inventory/group_vars/nuancier b/inventory/group_vars/nuancier index 95d462cc57..10749d90ea 100644 --- a/inventory/group_vars/nuancier +++ b/inventory/group_vars/nuancier @@ -8,6 +8,8 @@ num_cpus: 2 # the host_vars/$hostname file tcp_ports: [ 80, 443, + # This port is required by gluster + 6996, # These 16 ports are used by fedmsg. One for each wsgi thread. 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] 
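Review bot: Port 6996 is added to `tcp_ports` for the production `nuancier` group, but the `set up gluster` play added earlier in this series targets only `hosts: nuancier-stg`, so production would open a port that nothing there is meant to serve yet. How `tcp_ports` is turned into firewall rules is not visible in this hunk. If it opens the port to any source, the exposure matters because the server volfile on this page relies on `auth.login` username/password alone, and only the peer nuancier nodes need to reach the port. I would limit the change to `inventory/group_vars/nuancier-stg` until the role is rolled out to production, or extend the comment to `# gluster, only the peer nuancier nodes need to reach this`.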
diff --git a/inventory/group_vars/nuancier-stg b/inventory/group_vars/nuancier-stg index 4cceba7e00..fcaa9e6040 100644 --- a/inventory/group_vars/nuancier-stg +++ b/inventory/group_vars/nuancier-stg @@ -8,6 +8,8 @@ num_cpus: 2 # the host_vars/$hostname file tcp_ports: [ 80, 443, + # This port is required by gluster + 6996, # These 16 ports are used by fedmsg. One for each wsgi thread. 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] From eae98a55dacb641dd7ccbeec9fda4d2ecb09a209 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:53:41 +0100 Subject: [PATCH 196/271] Ask nicely that they are directory --- roles/gluster/server/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/gluster/server/tasks/main.yml b/roles/gluster/server/tasks/main.yml index 7dbb045754..795863930d 100644 --- a/roles/gluster/server/tasks/main.yml +++ b/roles/gluster/server/tasks/main.yml @@ -11,10 +11,10 @@ service: name=glusterd state=started enabled=yes - name: make the datadir - file: dest={{ datadir }} owner={{ owner }} group={{ group }} + file: dest={{ datadir }} owner={{ owner }} group={{ group }} state=directory - name: make the datapath - file: dest={{ datadir }}/{{ name }} owner={{ owner }} group={{ group }} + file: dest={{ datadir }}/{{ name }} owner={{ owner }} group={{ group }} state=directory - name: copy over the server config template: src=server.config dest=/etc/glusterfs/glusterd.vol From d8f1b5b886c8ad7978faeef098a88b7e0e41939f Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 7 Feb 2014 23:58:06 +0100 Subject: [PATCH 197/271] Restart gluster if we created the directory --- roles/gluster/server/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/gluster/server/tasks/main.yml b/roles/gluster/server/tasks/main.yml index 795863930d..9bf0a0c96b 100644 --- a/roles/gluster/server/tasks/main.yml +++ b/roles/gluster/server/tasks/main.yml 
@@ -12,9 +12,13 @@ - name: make the datadir file: dest={{ datadir }} owner={{ owner }} group={{ group }} state=directory + notify: + - restart glusterd - name: make the datapath file: dest={{ datadir }}/{{ name }} owner={{ owner }} group={{ group }} state=directory + notify: + - restart glusterd - name: copy over the server config template: src=server.config dest=/etc/glusterfs/glusterd.vol From 7011ce0e1449a698b950bcb018ad2298835b4a83 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sat, 8 Feb 2014 15:56:00 +0000 Subject: [PATCH 198/271] Stg is rolling out on nuancier not nuancier-lite --- roles/nuancier/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index 681125452a..0e083bb51c 100644 --- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml @@ -9,7 +9,7 @@ - name: install needed packages yum: pkg={{ item }} state=installed with_items: - - nuancier-lite + - nuancier - python-psycopg2 - python-openid-cla - python-openid-teams From c6c96c57bbd8436a79e321f83db92e26cf1f4f1b Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sat, 8 Feb 2014 15:58:34 +0000 Subject: [PATCH 199/271] More changes from nuancier-lite -> nuancier --- roles/nuancier/tasks/main.yml | 8 ++++---- .../templates/{nuancier-lite.cfg => nuancier.cfg} | 2 +- roles/nuancier/templates/nuancier.wsgi | 2 +- roles/nuancier/templates/nuancier_admin.cfg | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) rename roles/nuancier/templates/{nuancier-lite.cfg => nuancier.cfg} (97%) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index 0e083bb51c..6d19898999 100644 --- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml 
@@ -23,7 +23,7 @@ dest="{{ item.location }}/{{ item.dest }}" owner=apache group=apache mode=0600 with_items: - - { file: nuancier_admin.cfg, location: /etc/nuancier, dest: nuancier-lite.cfg } + - { file: nuancier_admin.cfg, location: /etc/nuancier, dest: nuanciercfg } tags: - config notify: @@ -43,16 +43,16 @@ - setup - name: create the database scheme - command: /usr/bin/python2 /usr/share/nuancier/nuancier-lite_createdb.py + command: /usr/bin/python2 /usr/share/nuancier/nuancier_createdb.py environment: - NUANCIER_CONFIG: /etc/nuancier/nuancier-lite.cfg + NUANCIER_CONFIG: /etc/nuancier/nuancier.cfg - name: replace the nuancier configuration file by the one with the normal user template: src={{ item.file }} dest="{{ item.location }}/{{ item.file }}" owner=apache group=apache mode=0600 with_items: - - { file: nuancier-lite.cfg, location: /etc/nuancier } + - { file: nuancier.cfg, location: /etc/nuancier } - { file: nuancier.conf, location: /etc/httpd/conf.d } - { file: nuancier.wsgi, location: /usr/share/nuancier } tags: diff --git a/roles/nuancier/templates/nuancier-lite.cfg b/roles/nuancier/templates/nuancier.cfg similarity index 97% rename from roles/nuancier/templates/nuancier-lite.cfg rename to roles/nuancier/templates/nuancier.cfg index f2be484279..280a98c629 100644 --- a/roles/nuancier/templates/nuancier-lite.cfg +++ b/roles/nuancier/templates/nuancier.cfg @@ -8,7 +8,7 @@ SECRET_KEY='{{ nuancier_secret_key }}' ### url to the database server: DB_URL='postgresql://{{ nuancier_db_user }}:{{ nuancier_db_pass }}@{{ nuancier_db_host }}/{{ nuancier_db_name }}' -### The FAS groups in which the admin of nuancier-lite are +### The FAS groups in which the admin of nuancier are ### This can either be a single group or multiple, defined between ### parenthesis. ADMIN_GROUP=('sysadmin-nuancier', 'sysadmin-main') diff --git a/roles/nuancier/templates/nuancier.wsgi b/roles/nuancier/templates/nuancier.wsgi index 182804b10d..83f9f0f7c1 100644 
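Review bot: The new `dest: nuanciercfg` in the `with_items` entry is missing its dot, so the admin configuration is written to `/etc/nuancier/nuanciercfg`. The `create the database scheme` task changed in the next hunk points `NUANCIER_CONFIG` at `/etc/nuancier/nuancier.cfg`, which this task then no longer provides. The entry should read `- { file: nuancier_admin.cfg, location: /etc/nuancier, dest: nuancier.cfg }`. The task itself starts above the hunk.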
--- a/roles/nuancier/templates/nuancier.wsgi +++ b/roles/nuancier/templates/nuancier.wsgi @@ -9,7 +9,7 @@ import pkg_resources import os # Set the environment variable pointing to the configuration file -os.environ['NUANCIER_CONFIG'] = '/etc/nuancier/nuancier-lite.cfg' +os.environ['NUANCIER_CONFIG'] = '/etc/nuancier/nuancier.cfg' # The most import line to make the wsgi working from nuancier import APP as application diff --git a/roles/nuancier/templates/nuancier_admin.cfg b/roles/nuancier/templates/nuancier_admin.cfg index 95288741ec..604c0756df 100644 --- a/roles/nuancier/templates/nuancier_admin.cfg +++ b/roles/nuancier/templates/nuancier_admin.cfg @@ -8,7 +8,7 @@ SECRET_KEY='{{ nuancier_secret_key }}' ### url to the database server: DB_URL='postgresql://{{ nuancier_db_admin_user }}:{{ nuancier_db_admin_pass }}@{{ nuancier_db_host }}/{{ nuancier_db_name }}' -### The FAS groups in which the admin of nuancier-lite are +### The FAS groups in which the admin of nuancier are ### This can either be a single group or multiple, defined between ### parenthesis. ADMIN_GROUP=('sysadmin-nuancier', 'sysadmin-main') From 7d5aa7afe822a35cfe54ae51c87429c66fd71ead Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sat, 8 Feb 2014 16:17:06 +0000 Subject: [PATCH 200/271] Add and install the alembic.ini file --- roles/nuancier/templates/alembic.ini | 50 ++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 roles/nuancier/templates/alembic.ini diff --git a/roles/nuancier/templates/alembic.ini b/roles/nuancier/templates/alembic.ini new file mode 100644 index 0000000000..5ac41c9c68 --- /dev/null +++ b/roles/nuancier/templates/alembic.ini 
@@ -0,0 +1,50 @@ +# A generic, single database configuration. + +[alembic] +# path to migration scripts +script_location = /usr/share/nuancier/alembic + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +sqlalchemy.url = postgresql://{{ nuancier_db_admin_user }}:{{ nuancier_db_admin_pass }}@{{ nuancier_db_host }}/{{ nuancier_db_name }} + + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S From c3552250af3de27b33d640bf25bca68bd79b8182 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sat, 8 Feb 2014 16:19:24 +0000 Subject: [PATCH 201/271] Actually install the alembic.ini file and python-alembic --- roles/nuancier/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index 6d19898999..fea9e8b6b5 100644 --- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml @@ -15,6 +15,7 @@ - python-openid-teams - python-memcached - libsemanage-python + - python-alembic tags: - packages 
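Review bot: The `sqlalchemy.url` line interpolates `nuancier_db_admin_pass` into the URL without any escaping. A password containing `@`, `/` or `:` changes how the URL is parsed, and a `%` will presumably be treated as interpolation by the ini parser, as the doubled `%%(rev)s` in the `file_template` comment suggests. Consider escaping the value in the template, for example `{{ nuancier_db_admin_pass | urlencode | replace('%', '%%') }}`, or constraining the password alphabet where the secret is generated. A header comment stating that the file carries the database admin credentials would also help whoever sets its permissions.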
@@ -23,7 +24,8 @@ dest="{{ item.location }}/{{ item.dest }}" owner=apache group=apache mode=0600 with_items: - - { file: nuancier_admin.cfg, location: /etc/nuancier, dest: nuanciercfg } + - { file: nuancier_admin.cfg, location: /etc/nuancier, dest: nuancier.cfg } + - { file: alembic.ini, location: /etc/nuancier, dest: alembic.ini } tags: - config notify: From de4b5bf97f6473239cb4fdbb876bd51b22562dd3 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 9 Feb 2014 01:09:03 +0100 Subject: [PATCH 202/271] Update the picture folder for nuancier to the glusterfs volume --- roles/nuancier/templates/nuancier.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nuancier/templates/nuancier.cfg b/roles/nuancier/templates/nuancier.cfg index 280a98c629..c56f23fab6 100644 --- a/roles/nuancier/templates/nuancier.cfg +++ b/roles/nuancier/templates/nuancier.cfg @@ -19,7 +19,7 @@ ADMIN_GROUP=('sysadmin-nuancier', 'sysadmin-main') ### candidates and the cache of those pictures. ### This directory should be somewhere where apache can access, it's ### proposed in '/var/www/nuancier' -STATIC_FOLDER = '/var/www/nuancier' +STATIC_FOLDER = '/var/cache/nuancier' ### Pictures folder ### The folder in which are located the pictures of the different elections. From 6c3275fc844d5e52f91b42b9d88601001f0a3f13 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 9 Feb 2014 01:57:50 +0100 Subject: [PATCH 203/271] Fix the creation of the pictures and cache folders for nuancier and fix their permissions --- roles/nuancier/tasks/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index fea9e8b6b5..baed8ee6d3 100644 --- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml 
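Review bot: `alembic.ini` is installed by the admin-config task with `owner=apache`, and the template added in the previous commit carries the `nuancier_db_admin_*` credentials. The later task that swaps in the normal-user configuration lists only `nuancier.cfg`, `nuancier.conf` and `nuancier.wsgi`, so after the play the web server account keeps a readable copy of the database admin password. If migrations are run by root, install the file in its own task with `owner=root group=root mode=0600`, or remove it once the migration step has finished. The task starts above the hunk.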
@@ -33,14 +33,15 @@ - name: create pictures folder where we upload the pictures action: file state=directory - path=/var/www/nuancier/pictures + path=/var/cache/nuancier/pictures + owner=apache group=apache mode=0600 tags: - setup - name: create the cache folder where nuancier creates the thumbnails action: file state=directory - path=/var/www/nuancier/cache - owner=apache group=apache + path=/var/cache/nuancier/cache + owner=apache group=apache mode=0600 tags: - setup From b7cef497a0ef9df862d9a259a0fe089194a09102 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 9 Feb 2014 01:58:49 +0100 Subject: [PATCH 204/271] Make the glusterfs folder accessible by apache --- roles/nuancier/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index baed8ee6d3..82921bf92f 100644 --- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml @@ -83,6 +83,14 @@ state=directory recurse=yes + +- name: apply selinux type to the glusterfs folder + file: > + dest=/var/cache/nuancier/ + setype=httpd_sys_content_t + state=directory + recurse=yes + - name: apply selinux type to the wsgi file file: > dest=/usr/share/nuancier/nuancier.wsgi From b7f463b041d6ea8765b8b5a8c5fc3cf183f2e18d Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 9 Feb 2014 02:01:48 +0100 Subject: [PATCH 205/271] Skip the folder creation for now --- roles/nuancier/tasks/main.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index 82921bf92f..60cd39ca74 100644 --- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml 
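Review bot: `mode=0600` on the two `file state=directory` tasks creates directories without the execute (search) bit, so even the owning `apache` account cannot enter them or reach the files inside. Directories need at least `0700`; use `0750` or `0755` only if another account has to read the pictures. Proposed argument line for both tasks: `owner=apache group=apache mode=0700`.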
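Review bot: The new task labels `/var/cache/nuancier/` as `httpd_sys_content_t`, which gives httpd read-only access, while the tasks earlier in this file describe the directory as the place where pictures are uploaded and thumbnails are created. If the application writes there, the type would need to be `httpd_sys_rw_content_t`. The commit subject also calls this a glusterfs folder; FUSE mounts commonly do not accept per-file labels, so it is worth confirming that `recurse=yes` succeeds on the mounted volume before relying on it.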
@@ -31,19 +31,19 @@ notify: - restart apache -- name: create pictures folder where we upload the pictures - action: file state=directory - path=/var/cache/nuancier/pictures - owner=apache group=apache mode=0600 - tags: - - setup - -- name: create the cache folder where nuancier creates the thumbnails - action: file state=directory - path=/var/cache/nuancier/cache - owner=apache group=apache mode=0600 - tags: - - setup +#- name: create pictures folder where we upload the pictures +# action: file state=directory +# path=/var/cache/nuancier/pictures +# owner=apache group=apache mode=0600 +# tags: +# - setup +# +#- name: create the cache folder where nuancier creates the thumbnails +# action: file state=directory +# path=/var/cache/nuancier/cache +# owner=apache group=apache mode=0600 +# tags: +# - setup - name: create the database scheme command: /usr/bin/python2 /usr/share/nuancier/nuancier_createdb.py From 554e8caa742eeb9243c1d8a4df032df2f8084e94 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 9 Feb 2014 02:04:16 +0100 Subject: [PATCH 206/271] Try to update only one folder --- roles/nuancier/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index 60cd39ca74..8eb4c20ae3 100644 --- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml @@ -86,7 +86,7 @@ - name: apply selinux type to the glusterfs folder file: > - dest=/var/cache/nuancier/ + dest=/var/cache/nuancier/pictures setype=httpd_sys_content_t state=directory recurse=yes From ea8147c1d003cf332d30daa357bb15e4082db1ba Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 9 Feb 2014 09:05:54 +0100 Subject: [PATCH 207/271] Turn on boolean to allow apache on fuse --- roles/nuancier/tasks/main.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/roles/nuancier/tasks/main.yml b/roles/nuancier/tasks/main.yml index 8eb4c20ae3..b0affeb7a7 100644 
--- a/roles/nuancier/tasks/main.yml +++ b/roles/nuancier/tasks/main.yml @@ -83,13 +83,10 @@ state=directory recurse=yes - -- name: apply selinux type to the glusterfs folder - file: > - dest=/var/cache/nuancier/pictures - setype=httpd_sys_content_t - state=directory - recurse=yes +- name: set sebooleans so apache can use glustergs + action: seboolean name=httpd_use_fusefs + state=true + persistent=true - name: apply selinux type to the wsgi file file: > From e424c4c5a05673cf6d48ec853ffeec229f1549ea Mon Sep 17 00:00:00 2001 From: Nick Bebout Date: Sun, 9 Feb 2014 14:27:51 +0000 Subject: [PATCH 208/271] Add sysadmin-docs to docs-backend group --- inventory/group_vars/docs-backend | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/docs-backend b/inventory/group_vars/docs-backend index 15782b1c28..e82a860f93 100644 --- a/inventory/group_vars/docs-backend +++ b/inventory/group_vars/docs-backend @@ -6,4 +6,4 @@ num_cpus: 1 # the host_vars/$hostname file tcp_ports: [ 873 ] -fas_client_groups: sysadmin-noc +fas_client_groups: sysadmin-noc,sysadmin-docs From aa91fc61bbd16482b1b71ebdc170d041c033a5ee Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 17:37:13 +0000 Subject: [PATCH 209/271] Add fedoauth --- inventory/group_vars/fedoauth-stg | 12 ++++++++++++ .../host_vars/fedoauth01.stg.phx2.fedoraproject.org | 10 ++++++++++ inventory/inventory | 3 +++ 3 files changed, 25 insertions(+) create mode 100644 inventory/group_vars/fedoauth-stg create mode 100644 inventory/host_vars/fedoauth01.stg.phx2.fedoraproject.org diff --git a/inventory/group_vars/fedoauth-stg b/inventory/group_vars/fedoauth-stg new file mode 100644 index 0000000000..42ab8539a8 --- /dev/null +++ b/inventory/group_vars/fedoauth-stg 
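Review bot: The task name has a typo, `glustergs`, which makes the task hard to find by grep; `- name: set sebooleans so apache can use glusterfs` is what was meant. `httpd_use_fusefs` applies to every FUSE filesystem on the host rather than to the nuancier volume alone, so a short comment such as `# httpd reads and writes the gluster (FUSE) mount under /var/cache/nuancier` would record why the broader boolean was chosen over file labelling.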
@@ -0,0 +1,12 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 20000 +mem_size: 1024 +num_cpus: 2 + +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +tcp_ports: [ 80, 443 ] + +fas_client_groups: sysadmin-main,sysadmin-accounts diff --git a/inventory/host_vars/fedoauth01.stg.phx2.fedoraproject.org b/inventory/host_vars/fedoauth01.stg.phx2.fedoraproject.org new file mode 100644 index 0000000000..6a91e2973c --- /dev/null +++ b/inventory/host_vars/fedoauth01.stg.phx2.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/vg_guests +eth0_ip: 10.5.126.28 +vmhost: virthost12.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/inventory b/inventory/inventory index cc9a6a4c83..1ca38b842c 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -282,6 +282,9 @@ nuancier02.stg.phx2.fedoraproject.org [fedocal-stg] fedocal01.stg.phx2.fedoraproject.org +[fedoauth-stg] +openid01.stg.phx2.fedoraproject.org + [memcached] memcached03.phx2.fedoraproject.org memcached04.phx2.fedoraproject.org From faaa683e4066fbb7d3bfa605107599a844d07af7 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 18:14:16 +0000 Subject: [PATCH 210/271] Add fedoauth --- ...edoauth01.stg.phx2.fedoraproject.org-hosts | 11 +++ playbooks/groups/fedoauth.yml | 70 +++++++++++++++++++ roles/fedoauth/tasks/main.yml | 61 ++++++++++++++++ roles/fedoauth/templates/fedoauth.stg.cfg | 51 ++++++++++++++ 4 files changed, 193 insertions(+) create mode 100644 files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts create mode 100644 playbooks/groups/fedoauth.yml create mode 100644 roles/fedoauth/tasks/main.yml create mode 100644 roles/fedoauth/templates/fedoauth.stg.cfg 
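Review bot: The host added under `[fedoauth-stg]` in `inventory/inventory` is `openid01.stg.phx2.fedoraproject.org`, but the host_vars file created in this same commit is named `fedoauth01.stg.phx2.fedoraproject.org`. Ansible matches host_vars by inventory name, so the `eth0_ip`, `vmhost` and kickstart settings would not be applied to the inventory host. The entry should presumably be `fedoauth01.stg.phx2.fedoraproject.org`.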
diff --git a/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..9a51f702d5 --- /dev/null +++ b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts @@ -0,0 +1,11 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +10.5.126.89 admin.fedoraproject.org +10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org +10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all +10.5.126.23 infrastructure.fedoraproject.org + +10.5.126.81 memcached03 memcached03.stg app01 app01.stg + +10.5.126.85 fedoauth_db diff --git a/playbooks/groups/fedoauth.yml b/playbooks/groups/fedoauth.yml new file mode 100644 index 0000000000..ebbe4dbc19 --- /dev/null +++ b/playbooks/groups/fedoauth.yml 
@@ -0,0 +1,70 @@ +# create a new FedOAuth server +# NOTE: should be used with --limit most of the time +# NOTE: make sure there is room/space for this server on the vmhost +# NOTE: most of these vars_path come from group_vars/fedoauth* or from hostvars + +- name: make fedoauth + hosts: fedoauth-stg + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - include: "{{ tasks }}/virt_instance_create.yml" + - include: "{{ tasks }}/accelerate_prep.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + +- name: make the box be real + hosts: fedoauth-stg + user: root + gather_facts: True + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + + tasks: + - include: "{{ tasks }}/hosts.yml" + - include: "{{ tasks }}/yumrepos.yml" + - include: "{{ tasks }}/2fa_client.yml" + - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/sudo.yml" + - include: "{{ tasks }}/openvpn_client.yml" + when: env != "staging" + - include: "{{ tasks }}/apache.yml" + - include: "{{ tasks }}/mod_wsgi.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + +- name: deploy fedoauth itself + hosts: fedoauth-stg + user: root + gather_facts: True + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - "{{ vars_path }}/{{ ansible_distribution }}.yml" + + roles: + - fedoauth + + handlers: + - include: "{{ handlers }}/restart_services.yml" diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml new file mode 100644 index 0000000000..58723fcf7d --- /dev/null +++ b/roles/fedoauth/tasks/main.yml 
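Review bot: The three plays load the distribution vars in two different ways: the first two hard-code `/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`, the third uses `"{{ vars_path }}/{{ ansible_distribution }}.yml"`. Using the `vars_path` form in all three keeps the playbook relocatable and consistent. The first play also sets `gather_facts: False` while its `vars_files` entry depends on the `ansible_distribution` fact, so that file can presumably not be resolved there; dropping the entry from the first play would make that explicit.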
@@ -0,0 +1,61 @@ +--- +# Configuration for the fedoauth webapp + +- name: clean yum metadata + command: yum clean all + tags: + - packages + +- name: install needed packages + yum: pkg={{ item }} state=installed + with_items: + - fedoauth + - fedoauth-template-fedora + - fedoauth-backend-fedora + - python-psycopg2 + - libsemanage-python + tags: + - packages + +- name: copy fedoauth configuration + template: src=fedoauth.cfg + dest=/etc/fedoauth/fedoauth.cfg + owner=apache group=apache mode=0600 + when: env != "staging" + tags: + - config + notify: + - restart apache + +- name: copy fedoauth STG configuration + template: src=fedoauth.stg.cfg + dest=/etc/fedoauth/fedoauth.cfg + owner=apache group=apache mode=0600 + when: env == "staging" + tags: + - config + notify: + - restart apache + +- name: copy fedoauth private key + copy: src={{ private_files }}/fedoauth/persona.key + when: env != "staging" + +- name: copy fedoauth STG private key + copy: src={{ private_files }}/fedoauth/persona.stg.key + when: env == "staging" + +- name: create the database scheme + command: /usr/bin/python2 /usr/share/fedoauth/createdb.py + environment: + FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg + +- name: set sebooleans so fedoauth can talk to the db + action: seboolean name=httpd_can_network_connect_db + state=true + persistent=true + +- name: apply selinux type to the wsgi file + file: > + dest=/usr/share/fedoauth/fedoauth.wsgi + setype=httpd_sys_content_t diff --git a/roles/fedoauth/templates/fedoauth.stg.cfg b/roles/fedoauth/templates/fedoauth.stg.cfg new file mode 100644 index 0000000000..d7e4454dfe --- /dev/null +++ b/roles/fedoauth/templates/fedoauth.stg.cfg 
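Review bot: The two `copy` tasks for the Persona private key give only `src=`, with no `dest`, owner or mode, so the module has no target for the key and nothing restricts who can read it once a destination is added. The tasks should name the target and lock it down, e.g. `copy: src={{ private_files }}/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.key owner=<service user> group=<service user> mode=0600`, with the destination matching `PERSONA_PRIVATE_KEY_PATH` in `fedoauth.stg.cfg`. Later hunks that touch these two tasks should keep the mode explicit as well. Separately, `create the database scheme` is a bare `command` with no guard, so it runs and reports a change on every play.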
@@ -0,0 +1,51 @@ +# Beware that the quotes around the values are mandatory + +# GENERAL CONFIGURATION +### url to the database server: +SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}" +#SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite' +#SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name' +#SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name' + +# This is the OpenID endpoint url, at which the server is available +WEBSITE_ROOT = 'https://id.stg.fedoraproject.org' +COOKIE_DOMAIN = 'id.stg.fedoraproject.org' +COOKIE_SECURE = True +OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/' + +# Modules to use +AUTH_MODULE='fedoauth.auth.fas.Auth_FAS' + +# FAS PROVIDER CONFIGURATION +FAS_USER_AGENT = 'FAS-OpenID' +FAS_BASE_URL='https://admin.fedoraproject.org/accounts/' +FAS_CHECK_CERT=False +FAS_HTTPS_REQUIRED=False + +# Enable a filter to make this only available to a specific list of users +FAS_AVAILABLE_FILTER = False +FAS_AVAILABLE_TO = [] + +# PERSONA CONFIGURATION +# This is the domain for which we are willing to sign +PERSONA_DOMAIN = 'id.stg.fedoraproject.org' +PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key' +PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' + +# OPENID CONFIGURATION +# This is the OpenID url provided to users. 
Add %(username)s where the username should be entered +# A list of trust roots for which the user will not need to confirm again +OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin', + 'https://ask.fedoraproject.org/', + 'https://fedorahosted.org/', + 'https://badges.fedoraproject.org', + 'https://apps.fedoraproject.org/tagger/', + 'https://apps.fedoraproject.org/nuancier/', + 'https://apps.fedoraproject.org/datagrepper/', + 'https://apps.fedoraproject.org/calendar/', + 'https://apps.fedoraproject.org/notifications/', + 'http://copr.fedoraproject.org/', + 'http://copr-fe.cloud.fedoraproject.org/'] +OPENID_NON_TRUSTED_ROOTS = [] +### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit) +OPENID_MAX_AUTH_TIME = 120 From 37d085b24f8bdfdae71628d87842fc98d53adc8b Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 18:15:12 +0000 Subject: [PATCH 211/271] Using db-fas01 --- files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts index 9a51f702d5..ceef3bdcdf 100644 --- a/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts @@ -8,4 +8,4 @@ 10.5.126.81 memcached03 memcached03.stg app01 app01.stg -10.5.126.85 fedoauth_db +10.5.126.78 fedoauth_db From f1001050a4bb3a443d1da046f4c23aab6b2befaf Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 18:20:08 +0000 Subject: [PATCH 212/271] This is fedoauth --- files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts | 2 -- inventory/inventory | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts index ceef3bdcdf..9ac258248c 100644 
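Review bot: `FAS_CHECK_CERT=False` and `FAS_HTTPS_REQUIRED=False` appear to switch off certificate verification and the HTTPS requirement for the FAS backend, while `FAS_BASE_URL` is an `https://` URL that presumably receives user credentials. Unless staging genuinely lacks a valid certificate, set both to `True`; otherwise add a comment saying why they are off and that the values must not be copied into the production file. `OPENID_TRUSTED_ROOTS` also skips user confirmation for three plain `http://` relying parties (jenkins.cloud, copr, copr-fe.cloud), and it would be safer to keep only `https://` roots in the no-confirmation list. `OPENID_IDENTITY_URL` is likewise `http://` while `WEBSITE_ROOT` is `https://`.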
--- a/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts +++ b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts @@ -7,5 +7,3 @@ 10.5.126.23 infrastructure.fedoraproject.org 10.5.126.81 memcached03 memcached03.stg app01 app01.stg - -10.5.126.78 fedoauth_db diff --git a/inventory/inventory b/inventory/inventory index 1ca38b842c..97d114266c 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -283,7 +283,7 @@ nuancier02.stg.phx2.fedoraproject.org fedocal01.stg.phx2.fedoraproject.org [fedoauth-stg] -openid01.stg.phx2.fedoraproject.org +fedoauth01.stg.phx2.fedoraproject.org [memcached] memcached03.phx2.fedoraproject.org From cbe4eb0e1c7c1a77a6a7d9780ad2617ba381e4a6 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 20:28:49 +0000 Subject: [PATCH 213/271] fedoauth01.stg is stg --- inventory/inventory | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/inventory b/inventory/inventory index 97d114266c..541cf8a961 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -369,6 +369,7 @@ db02.stg.phx2.fedoraproject.org db-fas01.stg.phx2.fedoraproject.org elections01.stg.phx2.fedoraproject.org fas01.stg.phx2.fedoraproject.org +fedoauth01.stg.phx2.fedoraproject.org fedocal01.stg.phx2.fedoraproject.org fedocal01.stg.phx2.fedoraproject.org koji01.stg.phx2.fedoraproject.org From cfe9665a689eb05a879c1bdb90e7be3b27f94db0 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 20:32:20 +0000 Subject: [PATCH 214/271] Correct this to use the right variable --- roles/fedoauth/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml index 58723fcf7d..5cbcf90202 100644 --- a/roles/fedoauth/tasks/main.yml +++ b/roles/fedoauth/tasks/main.yml 
@@ -38,11 +38,11 @@ - restart apache - name: copy fedoauth private key - copy: src={{ private_files }}/fedoauth/persona.key + copy: src={{ private }}/files/fedoauth/persona.key when: env != "staging" - name: copy fedoauth STG private key - copy: src={{ private_files }}/fedoauth/persona.stg.key + copy: src={{ private }}/files/fedoauth/persona.stg.key when: env == "staging" - name: create the database scheme From 9c3287314ba60b33d68017dcedb48b2a9dd01545 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 20:34:25 +0000 Subject: [PATCH 215/271] Lets make a seperation between prod and stg in file names --- roles/fedoauth/tasks/main.yml | 4 ++-- roles/fedoauth/templates/fedoauth.stg.cfg | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml index 5cbcf90202..2166d5cb54 100644 --- a/roles/fedoauth/tasks/main.yml +++ b/roles/fedoauth/tasks/main.yml @@ -38,11 +38,11 @@ - restart apache - name: copy fedoauth private key - copy: src={{ private }}/files/fedoauth/persona.key + copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key when: env != "staging" - name: copy fedoauth STG private key - copy: src={{ private }}/files/fedoauth/persona.stg.key + copy: src={{ private }}/files/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.stg.key when: env == "staging" - name: create the database scheme diff --git a/roles/fedoauth/templates/fedoauth.stg.cfg b/roles/fedoauth/templates/fedoauth.stg.cfg index d7e4454dfe..22cc2fd942 100644 --- a/roles/fedoauth/templates/fedoauth.stg.cfg +++ b/roles/fedoauth/templates/fedoauth.stg.cfg 
@@ -29,7 +29,7 @@ FAS_AVAILABLE_TO = [] # PERSONA CONFIGURATION # This is the domain for which we are willing to sign PERSONA_DOMAIN = 'id.stg.fedoraproject.org' -PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key' +PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key' PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' # OPENID CONFIGURATION From 38fae33b5d83ff036d8f73b798323507eff3266d Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 20:39:27 +0000 Subject: [PATCH 216/271] Make the keys private --- roles/fedoauth/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml index 2166d5cb54..84d4f80859 100644 --- a/roles/fedoauth/tasks/main.yml +++ b/roles/fedoauth/tasks/main.yml @@ -39,10 +39,12 @@ - name: copy fedoauth private key copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key + owner=apache group=apache mode=0600 when: env != "staging" - name: copy fedoauth STG private key copy: src={{ private }}/files/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.stg.key + owner=apache group=apache mode=0600 when: env == "staging" - name: create the database scheme From 3a0703ad540253fe2975ab13ec5a05144871ce97 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 20:44:07 +0000 Subject: [PATCH 217/271] Use stg db host for stg --- roles/fedoauth/templates/fedoauth.stg.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fedoauth/templates/fedoauth.stg.cfg b/roles/fedoauth/templates/fedoauth.stg.cfg index 22cc2fd942..5cb67a96bd 100644 --- a/roles/fedoauth/templates/fedoauth.stg.cfg +++ b/roles/fedoauth/templates/fedoauth.stg.cfg 
@@ -2,7 +2,7 @@ # GENERAL CONFIGURATION ### url to the database server: -SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}" +SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}" #SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite' #SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name' #SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name' From a29a44b87ebcb4f700c787f8692001bc6f1bea53 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 20:49:51 +0000 Subject: [PATCH 218/271] It runs as fedoauth, so that user needs access to the config --- roles/fedoauth/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml index 84d4f80859..b0631d3ff6 100644 --- a/roles/fedoauth/tasks/main.yml +++ b/roles/fedoauth/tasks/main.yml @@ -20,7 +20,7 @@ - name: copy fedoauth configuration template: src=fedoauth.cfg dest=/etc/fedoauth/fedoauth.cfg - owner=apache group=apache mode=0600 + owner=fedoauth group=fedoauth mode=0600 when: env != "staging" tags: - config @@ -30,7 +30,7 @@ - name: copy fedoauth STG configuration template: src=fedoauth.stg.cfg dest=/etc/fedoauth/fedoauth.cfg - owner=apache group=apache mode=0600 + owner=fedoauth group=fedoauth mode=0600 when: env == "staging" tags: - config @@ -39,12 +39,12 @@ - name: copy fedoauth private key copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key - owner=apache group=apache mode=0600 + owner=fedoauth group=fedoauth mode=0600 when: env != "staging" - name: copy fedoauth STG private key copy: src={{ private }}/files/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.stg.key - owner=apache group=apache mode=0600 + owner=fedoauth group=fedoauth mode=0600 when: env == "staging" - name: create the database scheme 
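Review bot: Appending a literal `.stg` to `{{ fedoauth_db_host }}` in `SQLALCHEMY_DATABASE_URI` ties the template to that variable holding a short host name; a fully qualified value would yield an unresolvable host. Setting `fedoauth_db_host` per environment in the inventory, or using a staging-specific variable, keeps the host name out of the template logic. The password is also placed in the URI unescaped, so characters such as `@` or `/` in `fedoauth_db_pass` would break parsing; `{{ fedoauth_db_pass | urlencode }}` avoids that.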
From cb5db8c1495e1a17d200b6e1808a4bf3dead27cc Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sun, 9 Feb 2014 21:04:39 +0000 Subject: [PATCH 219/271] We sign for stg.fp.o, not id.stg.fp.o --- roles/fedoauth/templates/fedoauth.stg.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fedoauth/templates/fedoauth.stg.cfg b/roles/fedoauth/templates/fedoauth.stg.cfg index 5cb67a96bd..23f8933806 100644 --- a/roles/fedoauth/templates/fedoauth.stg.cfg +++ b/roles/fedoauth/templates/fedoauth.stg.cfg @@ -28,7 +28,7 @@ FAS_AVAILABLE_TO = [] # PERSONA CONFIGURATION # This is the domain for which we are willing to sign -PERSONA_DOMAIN = 'id.stg.fedoraproject.org' +PERSONA_DOMAIN = 'stg.fedoraproject.org' PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key' PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' From 0f7714cb1bdc94a0180e84878b8bb936b45d64e6 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 9 Feb 2014 22:43:22 +0000 Subject: [PATCH 220/271] Add support for signing and importing into the testing repository --- playbooks/sign_and_import.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/playbooks/sign_and_import.yml b/playbooks/sign_and_import.yml index d252e0ecc4..24fc541998 100644 --- a/playbooks/sign_and_import.yml +++ b/playbooks/sign_and_import.yml @@ -1,10 +1,13 @@ # This playbook takes new rpms specified with a fileglob, signs them, and adds # them to the infrastructure repo. # +# To push to infra-testing: +# requires --extra-vars="rpmdir='/home/fedora/ralph/rpms/' testing=True" +# +# To push to infra: # requires --extra-vars="rpmdir='/home/fedora/ralph/rpms/'" # TODO -- grab rpms from koji build/task ids beforehand? -# TODO -- how do make it easy to select the infra-testing repo? # TODO -- other arches than x86_64? - name: batch sign and import a directory full of rpms 
@@ -16,8 +19,7 @@ # repo. Since we're in freeze right now, we'll default to the testing repo. # It would be nice to be able to toggle this from the command line. vars: - #- repodir: /mnt/fedora/app/fi-repo/testing/6 - - repodir: /mnt/fedora/app/fi-repo/6 + - repodir: /mnt/fedora/app/fi-repo/{% if testing %}testing/{% endif %}6 tasks: - name: Fail if no rpmdir provided @@ -32,7 +34,7 @@ - name: make a directory where we store the rpms afterwards file: path={{ rpmdir }}-old state=directory - - name: copy the source rpms to the SRPMS dir + - name: copy the source rpms to the SRPMS dir of {{ repodir }} copy: src={{ item }} dest={{ repodir }}/SRPMS/ with_fileglob: - "{{ rpmdir }}/*.src.rpm" @@ -45,7 +47,7 @@ with_fileglob: - "{{ rpmdir }}/*.src.rpm" - - name: copy the binary rpms to the x86_64 dir + - name: copy the binary rpms to the x86_64 dir of {{ repodir }} copy: src={{ item }} dest={{ repodir }}/x86_64/ with_fileglob: - "{{ rpmdir }}/*.rpm" From f327ef20c595c65c3bf766bad7ebfaca6605c4f0 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Mon, 10 Feb 2014 00:04:51 +0100 Subject: [PATCH 221/271] We need to declare the variable to override it in the cli --- playbooks/sign_and_import.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/sign_and_import.yml b/playbooks/sign_and_import.yml index 24fc541998..9cfdd38466 100644 --- a/playbooks/sign_and_import.yml +++ b/playbooks/sign_and_import.yml @@ -20,6 +20,7 @@ # It would be nice to be able to toggle this from the command line. vars: - repodir: /mnt/fedora/app/fi-repo/{% if testing %}testing/{% endif %}6 + - testing: False tasks: - name: Fail if no rpmdir provided From 03a1ca0abd037586f2800bde7dd0619116d1037c Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Sun, 9 Feb 2014 23:54:46 +0000 Subject: [PATCH 222/271] Add trusted_openid patterns for badges. --- roles/badges-frontend/templates/tahrir.ini | 2 ++ 1 file changed, 2 insertions(+) 
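Review bot: `{% if testing %}` in the new `repodir` line tests a string when the flag is given as `--extra-vars="... testing=True"`, and any non-empty string is truthy in Jinja2, so `testing=False` on the command line would still select `fi-repo/testing/6`. Casting the flag, `- repodir: /mnt/fedora/app/fi-repo/{% if testing|bool %}testing/{% endif %}6`, makes the signed packages land in the repository the operator asked for. The comment kept above `vars:` still says the playbook defaults to the testing repo during freeze, which no longer matches the code; I would replace it with `# Defaults to the main infra repo; pass testing=True to import into infra-testing.` In this patch `testing` is also undefined when the flag is omitted; the following patch adds `- testing: False` for that.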
diff --git a/roles/badges-frontend/templates/tahrir.ini b/roles/badges-frontend/templates/tahrir.ini index c208eacad0..66b2b04bf8 100644 --- a/roles/badges-frontend/templates/tahrir.ini +++ b/roles/badges-frontend/templates/tahrir.ini @@ -44,12 +44,14 @@ dogpile.cache.arguments.distributed_lock = True tahrir.title = Fedora Badges (staging!) tahrir.base_url = https://badges.stg.fedoraproject.org tahrir.openid_identifier = http://id.stg.fedoraproject.org/ +tahrir.trusted_openid = ^http(s)?:\/\/([a-zA-Z0-9]+\.)?stg.id\.fedoraproject\.org(/)?$ tahrir.openid_realm = https://badges.stg.fedoraproject.org tahrir.websocket.topic = org.fedoraproject.stg.fedbadges.badge.award {% else %} tahrir.title = Fedora Badges tahrir.base_url = https://badges.fedoraproject.org tahrir.openid_identifier = http://id.fedoraproject.org/ +tahrir.trusted_openid = ^http(s)?:\/\/([a-zA-Z0-9]+\.)?id\.fedoraproject\.org(/)?$ tahrir.openid_realm = https://badges.fedoraproject.org tahrir.websocket.topic = org.fedoraproject.prod.fedbadges.badge.award {% endif %} From 2b7198bd7697f5353476be3202b4cce46623a97f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 10 Feb 2014 18:39:26 +0000 Subject: [PATCH 223/271] Move badges-web02 to vh15 --- inventory/host_vars/badges-web02.phx2.fedoraproject.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/badges-web02.phx2.fedoraproject.org b/inventory/host_vars/badges-web02.phx2.fedoraproject.org index 63f076ca4c..5db61afc23 100644 --- a/inventory/host_vars/badges-web02.phx2.fedoraproject.org +++ b/inventory/host_vars/badges-web02.phx2.fedoraproject.org @@ -4,7 +4,7 @@ gw: 10.5.126.254 dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ -volgroup: /dev/VirtGuests00 +volgroup: /dev/vg_guests00 eth0_ip: 10.5.126.102 -vmhost: virthost01.phx2.fedoraproject.org +vmhost: virthost15.phx2.fedoraproject.org datacenter: phx2 
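Review bot: The staging `tahrir.trusted_openid` pattern matches `stg.id.fedoraproject.org`, while `tahrir.openid_identifier` one line above it points at `id.stg.fedoraproject.org`, so staging identities probably never match; the dot after `stg` is also unescaped and matches any character. Both patterns accept `http://` as well as `https://` identity URLs, so an identifier that was only ever seen over cleartext is treated as trusted. Suggested lines: `tahrir.trusted_openid = ^https:\/\/([a-zA-Z0-9]+\.)?id\.stg\.fedoraproject\.org(/)?$` for staging and `tahrir.trusted_openid = ^https:\/\/([a-zA-Z0-9]+\.)?id\.fedoraproject\.org(/)?$` for production. How tahrir applies the pattern is not visible in this hunk, and `openid_identifier` itself is still `http://`, so confirm that the provider returns https claimed identifiers before tightening the scheme.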
From ce990461f9039a60b8933f0c548a9cee4ce7cc04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 10 Feb 2014 19:22:18 +0000 Subject: [PATCH 224/271] Mailman: small fixes --- roles/mailman/files/post-update.sh | 3 +++ roles/mailman/templates/postfix-main.cf.j2 | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/mailman/files/post-update.sh b/roles/mailman/files/post-update.sh index b16d4dade0..f04228f6cf 100755 --- a/roles/mailman/files/post-update.sh +++ b/roles/mailman/files/post-update.sh @@ -21,6 +21,9 @@ chmod g+w -R $INDEXDIR # Give database rights to the non-admin user $BASEDIR/bin/pg-give-rights.py +# SELinux contexts +restorecon -r "$BASEDIR" + # Reload Apache to flush the python cache systemctl reload httpd # Restart Mailman3 since kittystore was updated diff --git a/roles/mailman/templates/postfix-main.cf.j2 b/roles/mailman/templates/postfix-main.cf.j2 index 9d0c830dd9..3d50a7390e 100644 --- a/roles/mailman/templates/postfix-main.cf.j2 +++ b/roles/mailman/templates/postfix-main.cf.j2 @@ -314,7 +314,7 @@ unknown_local_recipient_reject_code = 550 #relayhost = [mailserver.isp.tld] #relayhost = uucphost #relayhost = [an.ip.add.ress] -relayhost = bastion +relayhost = bastion.phx2.fedoraproject.org # REJECTING UNKNOWN RELAY USERS From a8ac414ab5aa06dbbc5cf276e7cec66e0f02da14 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mon, 10 Feb 2014 21:11:39 +0000 Subject: [PATCH 225/271] Fix this by using lower() before compare --- files/hotfix/python-openid/fetchers.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/hotfix/python-openid/fetchers.py b/files/hotfix/python-openid/fetchers.py index 928dadbaae..bdacfb9410 100644 --- a/files/hotfix/python-openid/fetchers.py +++ b/files/hotfix/python-openid/fetchers.py 
@@ -253,7 +253,7 @@ class CurlHTTPFetcher(HTTPFetcher): # Remove the status line from the beginning of the input unused_http_status_line = header_file.readline().lower () - while unused_http_status_line.startswith('http/1.1 1'): + while unused_http_status_line.lower().startswith('http/1.1 1'): unused_http_status_line = header_file.readline() unused_http_status_line = header_file.readline() From d95ad3e069ee01d2dce90d3f59a1810eb0102bf6 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 11 Feb 2014 10:43:48 +0100 Subject: [PATCH 226/271] Add the warnings plugin to the ansible playbook --- playbooks/groups/jenkins-cloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index e68c62b3c5..babdf7d1c8 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml @@ -174,6 +174,9 @@ - name: mailer version: 1.8 sha: fb9c6d471c2fea97fc2ccb64bfac18f77c847e740bcc2d5a4de31c35e851728a + - name: warnings + version: 4.28 + sha: cc2de4391030e15ffeee86269bdf1afc5a377d484690e4b3ad8fe1c1f2dfd18c tags: - config From 7198cc27a5646eae4a261c4728d0c3309a924829 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 11 Feb 2014 11:21:32 +0100 Subject: [PATCH 227/271] Restart jenkins after having install the plugins --- playbooks/groups/jenkins-cloud.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index babdf7d1c8..d8edd312dd 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml @@ -177,6 +177,8 @@ - name: warnings version: 4.28 sha: cc2de4391030e15ffeee86269bdf1afc5a377d484690e4b3ad8fe1c1f2dfd18c + notify: + - restart jenkins tags: - config 
@@ -210,7 +212,7 @@ copy: src={{ item }} dest=/var/lib/jenkins/plugins/openid/WEB-INF/lib/ group=jenkins mode=655 with_fileglob: - "{{ bigfiles }}/hotfixes/jenkins/openid/*.jar" - notify: + notify: - restart jenkins handlers: From 308bc827194aacd840c39ff7af0cc72aa0584304 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 11 Feb 2014 11:25:17 +0100 Subject: [PATCH 228/271] csv != cvs - explains the 404 error we were getting --- playbooks/groups/jenkins-cloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index d8edd312dd..cef1325639 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml @@ -114,7 +114,7 @@ - name: cobertura version: 1.9.3 sha: 3db93d70486b80a904a74ce40b0ac6a7812d1f522f820d0e5d7b538401bc2946 - - name: csv + - name: cvs version: 2.11 sha: 7c917bc824019a81d54472c525e4d724dfb4ae10b59bf64e692a2fc59fcd33cc - name: external-monitor-job From 7d4804ea50b756b8ef0dbc27eda05760abdd936d Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 11 Feb 2014 12:10:24 +0100 Subject: [PATCH 229/271] Apparently the F20 builder was missing from the config file --- files/jenkins/master/config.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/files/jenkins/master/config.xml b/files/jenkins/master/config.xml index 2244e7222b..4da63a4193 100644 --- a/files/jenkins/master/config.xml +++ b/files/jenkins/master/config.xml @@ -78,6 +78,22 @@ class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/> + + Fedora20 + + /mnt/jenkins/ + 2 + NORMAL + + + 172.16.5.23 + 22 + 950d5dd7-acb2-402a-8670-21f152d04928 + + + + 5 0 From d9ef7003957cce8ceae1127d6565854c292a3cf5 Mon Sep 17 00:00:00 2001 
From: Pierre-Yves Chibon Date: Tue, 11 Feb 2014 14:01:23 +0100 Subject: [PATCH 230/271] Update the pyflakes warning plugin --- ...hudson.plugins.warnings.WarningsPublisher.xml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml b/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml index 130e516828..5594ea588d 100644 --- a/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml +++ b/files/jenkins/master/hudson.plugins.warnings.WarningsPublisher.xml @@ -1,21 +1,19 @@ -hudson.plugins.warnings.WarningsPublisher.xml -============================================= - + pyflakes ^(.*):([0-9]*):(.*)$ +return new Warning(fileName, Integer.parseInt(lineNumber), category, "PyFlakes Parser", message, Priority.NORMAL); https://pypi.python.org/pypi/pyflakes pyflakes errors From b52b740104021dbd71b24f6d8ce42f76faee063e Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 9 Feb 2014 23:06:54 +0000 Subject: [PATCH 231/271] Add support for the testing repo to the update_packages playbook --- playbooks/update_packages.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/playbooks/update_packages.yml b/playbooks/update_packages.yml index a7c2673b31..b94fb0d80b 100644 --- a/playbooks/update_packages.yml +++ b/playbooks/update_packages.yml 
@@ -1,18 +1,22 @@ # requires --extra-vars="target='host1;host2;group etc' package='python-tahrir' # # Alternatively, you could update a group of packages like -# --extra-vars="package='python-t*'" - -# TODO -- how do make it easy to select the infra-testing repo? +# --extra-vars="target='host1;host2' package='python-t*'" +# +# To update from testing, adjust as follow: +# --extra-vars="target='host1;host2' package='python-t*' testing=True" - name: push packages out hosts: "{{ target }}" user: root + vars: + testing: False + tasks: - - name: expire-caches - command: yum clean expire-cache + - name: expire-caches {% if testing %}(with infrastructure-testing on){% endif %} + command: yum clean expire-cache {% if testing %} --enablerepo=infrastructure-testing {% endif %} - - name: yum update {{ package }} - yum: name={{ package }} state=latest + - name: yum update {{ package }} {% if testing %}(with infrastructure-testing on){% endif %} + yum: name={{ package }} state=latest # {% if testing %}enablerepo=infrastructure-testing{% endif %} From e2ac4fe440fcb49df90dcd34565a13c490ef27c4 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 11 Feb 2014 17:44:05 +0100 Subject: [PATCH 232/271] Found where the latest Warnings plugin is available --- playbooks/groups/jenkins-cloud.yml | 34 ++++++++++++++++++------------ 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index cef1325639..fcc359f31c 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml @@ -5,7 +5,7 @@ tags: - jenkins_master - vars_files: + vars_files: - /srv/web/infra/ansible/vars/global.yml - "{{ private }}/vars.yml" @@ -20,7 +20,7 @@ tags: - jenkins_master - vars_files: + vars_files: - /srv/web/infra/ansible/vars/global.yml - "{{ private }}/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml 
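Review bot: In the new `yum:` task everything after ` #` is a YAML comment, so `enablerepo=infrastructure-testing` is never passed to the module: with `testing=True` the cache is expired with the testing repo enabled, but the update itself still resolves from the normal repos while the task name says otherwise. If the yum module in use supports the option, move it out of the comment, `yum: name={{ package }} state=latest {% if testing|bool %}enablerepo=infrastructure-testing{% endif %}`; otherwise drop the "(with infrastructure-testing on)" suffix from that task name so the log does not claim a repo that was not used. The `|bool` cast is needed on every `{% if testing %}` in this hunk, because a value passed as `testing=False` through `--extra-vars` arrives as a non-empty string and is truthy.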
@@ -69,7 +69,7 @@ - name: enable apache action: service name=httpd state=running enabled=true - - name: add jenkins upstream repo + - name: add jenkins upstream repo action: copy src="{{ files }}/jenkins/master/jenkins.repo" dest=/etc/yum.repos.d/jenkins.repo owner=root group=root tags: - config @@ -162,9 +162,6 @@ - name: xunit version: 1.81 sha: 8749ef1b3861ea6a5166c7a6f443e20dca346f98aa58ab2bb3f3376b6392244e - - name: warnings - version: 4.28 - sha: cc2de4391030e15ffeee86269bdf1afc5a377d484690e4b3ad8fe1c1f2dfd18c - name: multiple-scms version: 0.3 sha: e79d7e855ffe0ad060d11ae1ce0b39f68e7fa031c6e831f60fe33e5ddb3392ac @@ -174,12 +171,21 @@ - name: mailer version: 1.8 sha: fb9c6d471c2fea97fc2ccb64bfac18f77c847e740bcc2d5a4de31c35e851728a - - name: warnings - version: 4.28 - sha: cc2de4391030e15ffeee86269bdf1afc5a377d484690e4b3ad8fe1c1f2dfd18c notify: - restart jenkins + tags: + - config + - name: Download additional jenkins plugins (from the maven repo) + get_url: url=http://maven.jenkins-ci.org/content/repositories/releases/org/jvnet/hudson/plugins/{{ item.name }}/{{ item.version }}/{{ item.name }}-{{ item.version }}.hpi + dest=/var/lib/jenkins/plugins/{{ item.name }}.hpi + sha256sum={{ item.sha }} + with_items: + - name: warnings + version: 4.39 + sha: 7652b7ed8971de932f46323aa8e0ddee2bcf4f14839296481ae79590e09f7606 + notify: + - restart jenkins tags: - config @@ -281,7 +287,7 @@ - python-bugzilla - python-straight-plugin - python-pip - - python-virtualenv + - python-virtualenv - python-coverage - pylint - python-argparse @@ -408,7 +414,7 @@ - name: setup jenkins_slave user action: user name=jenkins_slave state=present createhome=yes system=no tags: - - jenkinsuser + - jenkinsuser - name: setup jenkins_slave ssh key action: authorized_key user=jenkins_slave key="{{ item }}" 
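Review bot: The new `get_url` task in the `-174,12 +171,21` hunk fetches the plugin from `http://maven.jenkins-ci.org/...` in cleartext, so the pinned `sha256sum` is the only control between a tampered download and the Jenkins master; keep that pin mandatory for every item added to this list and switch the URL to `https://` if the repository serves it. The `version:` values are unquoted YAML floats, which works for `4.39` but would turn a release such as `1.10` into `1.1` when it is rendered into the URL; `version: "4.39"` avoids that. The task also sets no `owner=`, `group=` or `mode=` on the downloaded `.hpi`, so the file gets whatever the play's defaults are.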
@@ -417,12 +423,12 @@ - name: jenkins_slave to mock group action: user name=jenkins_slave groups=mock - + - name: add .gitconfig for jenkins_slave user action: copy src="{{ files }}/jenkins/gitconfig" dest=/home/jenkins_slave/.gitconfig owner=jenkins_slave group=jenkins_slave mode=664 tags: - config - + - name: template sshd_config action: copy src={{ item }} dest=/etc/ssh/sshd_config mode=0600 owner=root group=root first_available_file: @@ -432,7 +438,7 @@ - restart sshd tags: - config - + - name: mkdir dir for jenkins data action: file state=directory path=/mnt/jenkins owner=jenkins_slave group=jenkins_slave From 1c64975234792f09ef5bb6d40c3103768a822cc1 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 17:25:56 +0000 Subject: [PATCH 233/271] Add unbound role/instances migrated from puppet. Ticket 4198. Thanks adimania! --- handlers/restart_services.yml | 3 + handlers/semanage.yml | 8 + inventory/group_vars/unbound | 9 + .../host_vars/unbound-ib01.fedoraproject.org | 10 + .../unbound-telia01.fedoraproject.org | 10 + .../unbound-tummy01.fedoraproject.org | 10 + playbooks/groups/unbound.yml | 48 ++ roles/unbound/files/unbound.conf | 528 ++++++++++++++++++ roles/unbound/tasks/main.yml | 41 ++ 9 files changed, 667 insertions(+) create mode 100644 handlers/semanage.yml create mode 100644 inventory/group_vars/unbound create mode 100644 inventory/host_vars/unbound-ib01.fedoraproject.org create mode 100644 inventory/host_vars/unbound-telia01.fedoraproject.org create mode 100644 inventory/host_vars/unbound-tummy01.fedoraproject.org create mode 100644 playbooks/groups/unbound.yml create mode 100644 roles/unbound/files/unbound.conf create mode 100644 roles/unbound/tasks/main.yml diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index d0d895aa63..74f863e1bc 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml 
@@ -82,3 +82,6 @@ - name: restart netapproute action: command /etc/sysconfig/network-scripts/ifup-routes eth1 + +- name: restart unbound + action: service name=unbound state=restarted diff --git a/handlers/semanage.yml b/handlers/semanage.yml new file mode 100644 index 0000000000..bb9db3f6a9 --- /dev/null +++ b/handlers/semanage.yml @@ -0,0 +1,8 @@ +- name: semanage dns80 + command: /usr/sbin/semanage port -m -t dns_port_t -p tcp 80 + +- name: semanage dns443 + command: /usr/sbin/semanage port -m -t dns_port_t -p tcp 443 + +- name: semanage dns8953 + command: /usr/sbin/semanage port -a -t dns_port_t -p tcp 8953 diff --git a/inventory/group_vars/unbound b/inventory/group_vars/unbound new file mode 100644 index 0000000000..65cc771e6e --- /dev/null +++ b/inventory/group_vars/unbound @@ -0,0 +1,9 @@ +--- +lvm_size: 10000 +mem_size: 1024 +num_cpus: 2 + +tcp_ports: [ 80, 443 ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 209.132.184.0/24 --dport 53 -j ACCEPT', '-A INPUT -p udp -m udp -s 209.132.184.0/24 --dport 53 -j ACCEPT' ] + +fas_client_groups: sysadmin-dns diff --git a/inventory/host_vars/unbound-ib01.fedoraproject.org b/inventory/host_vars/unbound-ib01.fedoraproject.org new file mode 100644 index 0000000000..c46e9bfd6b --- /dev/null +++ b/inventory/host_vars/unbound-ib01.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.128 +gw: 152.19.134.129 +dns: 152.2.21.1 +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/ibiblio01_vg +eth0_ip: 152.19.134.150 +vmhost: ibiblio01.fedoraproject.org +datacenter: ibiblio diff --git a/inventory/host_vars/unbound-telia01.fedoraproject.org b/inventory/host_vars/unbound-telia01.fedoraproject.org new file mode 100644 index 0000000000..eff1ba2a92 --- /dev/null +++ b/inventory/host_vars/unbound-telia01.fedoraproject.org 
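Review bot: In inventory/group_vars/unbound, `custom_rules` limits port 53 to 209.132.184.0/24, but `tcp_ports: [ 80, 443 ]` opens those ports without a source restriction, and the unbound.conf added by this same patch listens on `0.0.0.0@80` and `0.0.0.0@443` with `access-control: 0.0.0.0/0 allow`, so recursion over TCP 80/443 is available to any source address. If that is the intent, a comment above `tcp_ports` should say so, for example `# 80/443 stay world-reachable on purpose; recursion there is not limited by custom_rules`. If it is not, the same source restriction should cover 80/443 and `access-control` should name the allowed netblocks instead of 0.0.0.0/0. As written, the firewall rules are the only control on who may query port 53.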
@@ -0,0 +1,10 @@ +--- +nm: 255.255.255.240 +gw: 80.239.156.209 +dns: 213.248.76.210 +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/VolGroup00 +eth0_ip: 80.239.156.220 +vmhost: telia01.fedoraproject.org +datacenter: telia diff --git a/inventory/host_vars/unbound-tummy01.fedoraproject.org b/inventory/host_vars/unbound-tummy01.fedoraproject.org new file mode 100644 index 0000000000..36bf45031b --- /dev/null +++ b/inventory/host_vars/unbound-tummy01.fedoraproject.org @@ -0,0 +1,10 @@ +--- +nm: 255.255.255.240 +gw: 66.35.62.174 +dns: 198.49.126.1 66.35.36.133 +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/VolGroup00 +eth0_ip: 66.35.62.163 +vmhost: tummy01.fedoraproject.org +datacenter: tummy diff --git a/playbooks/groups/unbound.yml b/playbooks/groups/unbound.yml new file mode 100644 index 0000000000..a0ffc54980 --- /dev/null +++ b/playbooks/groups/unbound.yml 
@@ -0,0 +1,48 @@ +- name: make unbound + hosts: unbound + user: root + gather_facts: False + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - include: "{{ tasks }}/virt_instance_create.yml" + - include: "{{ tasks }}/accelerate_prep.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + +- name: make the box be real + hosts: unbound + user: root + gather_facts: True + accelerate: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "{{ private }}/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - base + - rkhunter + - denyhosts + - nagios_client + - fas_client + - unbound + + tasks: + - include: "{{ tasks }}/hosts.yml" + - include: "{{ tasks }}/yumrepos.yml" + - include: "{{ tasks }}/2fa_client.yml" + - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/sudo.yml" + - include: "{{ tasks }}/openvpn_client.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + - include: "{{ handlers }}/semanage.yml" diff --git a/roles/unbound/files/unbound.conf b/roles/unbound/files/unbound.conf new file mode 100644 index 0000000000..76f0fc7007 --- /dev/null +++ b/roles/unbound/files/unbound.conf 
@@ -0,0 +1,528 @@ +# +# See unbound.conf(5) man page. +# +# this is a comment. + +#Use this to include other text into the file. +#include: "otherfile.conf" + +# The server clause sets the main parameters. +server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needed for munin plugin + statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # Needed for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # printed from unbound-control. default off, because of speed. + # Needed for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + num-threads: 2 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 2001:DB8::5 + #interface: 80.239.156.220@53 + #interface: 80.239.156.220@80 + #interface: 80.239.156.220@443 + #interface: 0.0.0.0@53 + interface: 0.0.0.0@80 + interface: 0.0.0.0@443 + interface: 0.0.0.0@53 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. 
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # interface-automatic: yes + interface-automatic: no + + # port to answer queries from + # port: 53 + + # specify the interfaces to send outgoing queries to authoritative + # server from by ip-address. If none, the default (all) interface + # is used. Specify every interface on a 'outgoing-interface:' line. + # outgoing-interface: 192.0.2.153 + # outgoing-interface: 2001:DB8::5 + # outgoing-interface: 2001:DB8::6 + + # number of ports to allocate per thread, determines the size of the + # port range that can be open simultaneously. + # outgoing-range: 4096 + + # permit unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. + # outgoing-port-permit: 32768 + + # deny unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. + # Use this to make sure unbound does not grab a UDP port that some + # other server on this computer needs. The default is to avoid + # IANA-assigned port numbers. + # outgoing-port-avoid: "3200-3208" + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 + + # number of incoming simultaneous tcp buffers to hold per thread. + # incoming-num-tcp: 10 + + # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). + # 0 is system default. Use 4m to catch query spikes for busy servers. + # so-rcvbuf: 0 + + # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). + # 0 is system default. Use 4m to handle spikes on very busy servers. + # so-sndbuf: 0 + + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer + # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). + # edns-buffer-size: 4096 + + # buffer size for handling DNS data. No messages larger than this + # size can be sent or received, by UDP or TCP. 
In bytes. + # msg-buffer-size: 65552 + + # the amount of memory to use for the message cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # msg-cache-size: 4m + + # the number of slabs to use for the message cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # msg-cache-slabs: 4 + + # the number of queries that a thread gets to service. + # num-queries-per-thread: 1024 + + # if very busy, 50% queries run to completion, 50% get timeout in msec + # jostle-timeout: 200 + + # the amount of memory to use for the RRset cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # rrset-cache-size: 4m + + # the number of slabs to use for the RRset cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # rrset-cache-slabs: 4 + + # the time to live (TTL) value lower bound, in seconds. Default 0. + # If more than an hour could easily give trouble due to stale data. + # cache-min-ttl: 0 + + # the time to live (TTL) value cap for RRsets and messages in the + # cache. Items are not cached for longer. In seconds. + # cache-max-ttl: 86400 + + # the time to live (TTL) value for cached roundtrip times, lameness + # and EDNS version information for hosts. In seconds. + # infra-host-ttl: 900 + + # the number of slabs to use for the Infrastructure cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # infra-cache-slabs: 4 + + # the maximum number of hosts that are cached (roundtrip, EDNS, lame). + # infra-cache-numhosts: 10000 + + # Enable IPv4, "yes" or "no". + # do-ip4: yes + + # Enable IPv6, "yes" or "no". + # do-ip6: yes + + # Enable UDP, "yes" or "no". + # avoids this open resolver from becoming target for DNS Amplification + do-udp: yes + + # Enable TCP, "yes" or "no". 
+ # do-tcp: yes + + # upstream connections use TCP only (and no UDP), "yes" or "no" + # useful for tunneling scenarios, default no. + # tcp-upstream: no + + # Detach from the terminal, run in background, "yes" or "no". + # do-daemonize: yes + + # control which clients are allowed to make (recursive) queries + # to this server. Specify classless netblocks with /size and action. + # By default everything is refused, except for localhost. + # Choose deny (drop message), refuse (polite error reply), + # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) + # access-control: 0.0.0.0/0 refuse + # access-control: 127.0.0.0/8 allow + # access-control: ::0/0 refuse + # access-control: ::1 allow + # access-control: ::ffff:127.0.0.1 allow + access-control: 0.0.0.0/0 allow + + # if given, a chroot(2) is done to the given directory. + # i.e. you can chroot to the working directory, for example, + # for extra security, but make sure all files are in that directory. + # + # If chroot is enabled, you should pass the configfile (from the + # commandline) as a full path from the original root. After the + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. + # + # All other file paths (working dir, logfile, roothints, and + # key files) can be specified in several ways: + # o as an absolute path relative to the new root. + # o as a relative path to the working directory. + # o as an absolute path relative to the original root. + # In the last case the path is adjusted to remove the unused portion. + # + # The pid file can be absolute and outside of the chroot, it is + # written just prior to performing the chroot and dropping permissions. + # + # Additionally, unbound may need to access /dev/random (for entropy). + # How to do this is specific to your OS. + # + # If you give "" no chroot is performed. The path must not end in a /. 
+ # chroot: "/var/lib/unbound" + chroot: "" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". + # If you give "" no privileges are dropped. + username: "unbound" + + # the working directory. The relative files in this config are + # relative to this directory. If you give "" the working directory + # is not changed. + directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". + # logfile: "" + + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + # log to, with identity "unbound". If yes, it overrides the logfile. + # use-syslog: yes + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # the pid file. Can be an absolute path outside of chroot/work dir. + pidfile: "/var/run/unbound/unbound.pid" + + # file to read root hints from. + # get one from ftp://FTP.INTERNIC.NET/domain/named.cache + # root-hints: "" + + # enable to not answer id.server and hostname.bind queries. + # hide-identity: no + + # enable to not answer version.server and version.bind queries. + # hide-version: no + + # the identity to report. Leave "" or default to return hostname. + # identity: "" + + # the version to report. Leave "" or default to return package version. + # version: "" + + # the target fetch policy. + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency + # depth the recursor will pursue before giving up. Each integer means: + # -1 : fetch all targets opportunistically, + # 0: fetch on demand, + # positive value: fetch that many targets opportunistically. + # Enclose the list of numbers between quotes (""). + # target-fetch-policy: "3 2 1 0 0" + + # Harden against very small EDNS buffer sizes. + # harden-short-bufsize: no + + # Harden against unseemly large queries. 
+ # harden-large-queries: no + + # Harden against out of zone rrsets, to avoid spoofing attempts. + harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. + harden-dnssec-stripped: yes + + # Harden against queries that fall under dnssec-signed nxdomain names. + harden-below-nxdomain: yes + + # Harden the referral path by performing additional queries for + # infrastructure data. Validates the replies (if possible). + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. + # (this now fails on all GoDaddy customer domains, so disabled) + use-caps-for-id: no + + # Enforce privacy of these addresses. Strips them away from answers. + # It may cause DNSSEC validation to additionally mark it as bogus. + # Protects against 'DNS Rebinding' (uses browser as network proxy). + # Only 'private-domain' and 'local-data' names are allowed to have + # these private addresses. No default. + # private-address: 10.0.0.0/8 + # private-address: 172.16.0.0/12 + # private-address: 192.168.0.0/16 + # private-address: 192.254.0.0/16 + # private-address: fd00::/8 + # private-address: fe80::/10 + + # Allow the domain (and its subdomains) to contain private addresses. + # local-data statements are allowed to contain private addresses too. + # private-domain: "example.com" + + # If nonzero, unwanted replies are not only reported in statistics, + # but also a running total is kept per thread. 
If it reaches the + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, + # do-not-query-address: 127.0.0.1/8 + # do-not-query-address: ::1 + + # if yes, the above default do-not-query-address entries are present. + # if no, localhost can be queried (for testing and debugging). + # do-not-query-localhost: yes + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. "iterator" or "validator iterator" + # module-config: "validator iterator" + + # File with DLV trusted keys. Same format as trust-anchor-file. + # There can be only one DLV configured, it is trusted from root down. + # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key + dlv-anchor-file: "/etc/unbound/dlv.isc.org.key" + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. + # Zone file format, with DS and DNSKEY entries. + # trust-anchor-file: "" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. + # Use several entries, one per domain name, to track multiple zones. + # auto-trust-anchor-file: "" + + # Trusted key for validation. DS or DNSKEY. specify the RR on a + # single line, surrounded by "". TTL is ignored. class is IN default. + # (These examples are from August 2007 and may not be valid anymore). + # trust-anchor: "nlnetlabs.nl. 
DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" + # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. Like trust-anchor-file + # but has a different file format. Format is BIND-9 style format, + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # trusted-keys-file: "" + trusted-keys-file: /etc/unbound/root.key + + # Ignore chain of trust. Domain is treated as insecure. + # domain-insecure: "example.com" + + # Override the date for validation with a specific fixed date. + # Do not set this unless you are debugging signature inception + # and expiration. "" or "0" turns the feature off. + # val-override-date: "" + + # The time to live for bogus data, rrsets and messages. This avoids + # some of the revalidation, until the time interval expires. in secs. + # val-bogus-ttl: 60 + + # The signature inception and expiration dates are allowed to be off + # by 10% of the lifetime of the signature from our local clock. + # This leeway is capped with a minimum and a maximum. In seconds. + # val-sig-skew-min: 3600 + # val-sig-skew-max: 86400 + + # Should additional section of secure message also be kept clean of + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. 
The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # It is possible to configure NSEC3 maximum iteration counts per + # keysize. Keep this table very short, as linear search is done. + # A message with an NSEC3 with larger count is marked insecure. + # List in ascending order the keysize and count values. + # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + + # instruct the auto-trust-anchor-file probing to add anchors after ttl. + # add-holddown: 2592000 # 30 days + + # instruct the auto-trust-anchor-file probing to del anchors after ttl. + # del-holddown: 2592000 # 30 days + + # auto-trust-anchor-file probing removes missing anchors after ttl. + # If the value 0 is given, missing anchors are not removed. + # keep-missing: 31622400 # 366 days + + # the amount of memory to use for the key cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # key-cache-size: 4m + + # the number of slabs to use for the key cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # key-cache-slabs: 4 + + # the amount of memory to use for the negative cache (used for DLV). + # plain value in bytes or you can append k, m or G. default is "1Mb". + # neg-cache-size: 1m + + # a number of locally served zones can be configured. + # local-zone: + # local-data: "" + # o deny serves local data (if any), else, drops queries. + # o refuse serves local data (if any), else, replies with error. + # o static serves local data, else, nxdomain or nodata answer. + # o transparent serves local data, but resolves normally for other names + # o redirect serves the zone data for any subdomain in the zone. + # o nodefault can be used to normally resolve AS112 zones. 
+ # o typetransparent resolves normally for other types and other names + # + # defaults are localhost address, reverse for 127.0.0.1 and ::1 + # and nxdomain for AS112 zones. If you configure one of these zones + # the default content is omitted, or you can omit it with 'nodefault'. + # + # If you configure local-data without specifying local-zone, by + # default a transparent local-zone is created for the data. + # + # You can add locally served data with + # local-zone: "local." static + # local-data: "mycomputer.local. IN A 192.0.2.51" + # local-data: 'mytext.local TXT "content of text record"' + # + # You can override certain queries with + # local-data: "adserver.example.com A 127.0.0.1" + # + # You can redirect a domain to a fixed address with + # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) + # local-zone: "example.com" redirect + # local-data: "example.com A 192.0.2.3" + # + # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". + # You can also add PTR records using local-data directly, but then + # you need to do the reverse notation yourself. + # local-data-ptr: "192.0.2.3 www.example.com" + + # service clients over SSL (on the TCP sockets), with plain DNS inside + # the SSL stream. Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + ssl-service-key: "/etc/unbound/unbound_server.key" + ssl-service-pem: "/etc/unbound/unbound_server.pem" + ssl-port: 443 + + # request upstream over SSL (with plain DNS inside the SSL stream). + # Default is no. Can be turned on and off with unbound-control. + # ssl-upstream: no + +## Python config section. To enable: +## o use --with-pythonmodule to configure before compiling. +## o list python in the module-config string (above) to enable. +## o and give a python-script to run. +#python: +# # Script file to load +# # python-script: "/etc/unbound/ubmodule-tst.py" + + +# Remote control config section. 
+remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + # Note: required for unbound-munin package + control-enable: yes + + # what interfaces are listened to for remote control. + # give 0.0.0.0 and ::0 to listen to all interfaces. + # control-interface: 127.0.0.1 + # control-interface: ::1 + + # port number for remote control operations. + # control-port: 953 + + # unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" + +# Stub zones. +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of nameservers. list zero or more +# nameservers by hostname or by ipaddress. If you set stub-prime to yes, +# the list is treated as priming hints (default is no). +# stub-zone: +# name: "example.com" +# stub-addr: 192.0.2.68 +# stub-prime: "no" +# stub-zone: +# name: "example.org" +# stub-host: ns.example.com. + +# Forward zones +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of servers. These servers have to handle +# recursion to other nameservers. List zero or more nameservers by hostname +# or by ipaddress. Use an entry with name "." to forward all queries. +# forward-zone: +# name: "example.com" +# forward-addr: 192.0.2.68 +# forward-addr: 192.0.2.73@5355 # forward to port 5355. +# forward-zone: +# name: "example.org" +# forward-host: fwd.example.com diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml new file mode 100644 index 0000000000..8bde73f127 --- /dev/null +++ b/roles/unbound/tasks/main.yml 
@@ -0,0 +1,41 @@
+- name: install unbound package
+ yum: pkg={{ item }} state=installed
+ with_items:
+ - unbound
+
+- name: install unbound config
+ copy: src={{ item }} dest=/etc/unbound/unbound.conf mode=644
+ with_first_found:
+ - "{{ unbound.conf }}"
+ - unbound.conf.{{ ansible_fqdn }}-stg
+ - unbound.conf.{{ datacenter }}
+ - unbound.conf.{{ ansible_fqdn }}
+ notify:
+ - restart unbound
+
+- name: setup SELinux dns 80
+ command: touch /root/dns80 creates=/root/dns80
+ notify:
+ - semanage dns80
+
+- name: setup SELinux dns 443
+ command: touch /root/dns443 creates=/root/dns443
+ notify:
+ - semanage dns443
+
+- name: setup SELinux dns 8953
+ command: touch /root/dns8953 creates=/root/dns8953
+ notify:
+ - semanage dns8953
+
+- name: copying unbound control key
+ copy: src="{{ private }}/files/unbound/unbound_control.key" dest=/etc/unbound/unbound_control.key owner=root group=unbound mode=640
+
+- name: copying unbound control pem
+ copy: src="{{ private }}/files/unbound/unbound_control.pem" dest=/etc/unbound/unbound_control.pem owner=root group=unbound mode=640
+
+- name: copying unbound server key
+ copy: src="{{ private }}/files/unbound/unbound_server.key" dest=/etc/unbound/unbound_server.key owner=root group=unbound mode=640
+
+- name: copying unbound server pem
+ copy: src="{{ private }}/files/unbound/unbound_server.pem" dest=/etc/unbound/unbound_server.pem owner=root group=unbound mode=640
From 4b942afaf9fdc656b7f19a1e0cbccaadc68b870d Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 11 Feb 2014 17:32:25 +0000
Subject: [PATCH 234/271] Just call the group unbound.
---
inventory/inventory | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventory/inventory b/inventory/inventory
index 541cf8a961..5e48b8e4f5 100644
--- a/inventory/inventory
+++ b/inventory/inventory
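Review bot: The four `copying unbound control/server key/pem` tasks at the end of roles/unbound/tasks/main.yml have no `notify`, so a replaced key or certificate is not picked up until something else restarts the daemon; only `install unbound config` notifies `restart unbound`. Adding `notify:` with `- restart unbound` to each of the four makes a key or certificate rotation take effect in the same run. The three `setup SELinux dns …` tasks also create their marker file under /root before the notified handler runs, so if that handler (not shown in this hunk) fails, later runs would presumably skip the port labelling because of `creates=`. That deserves at least a comment such as `# marker only; remove /root/dns80 to re-run the semanage handler`.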
@@ -390,7 +390,7 @@ value01.stg.phx2.fedoraproject.org [taskotron] taskotron-dev01.qa.fedoraproject.org -[unbound-dns] +[unbound] unbound-ib01.fedoraproject.org unbound-telia01.fedoraproject.org unbound-tummy01.fedoraproject.org From 72b18e1951fceea23ac64f89b3d19f3e0aedfb82 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 17:32:54 +0000 Subject: [PATCH 235/271] Fix in all the places. --- inventory/inventory | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/inventory b/inventory/inventory index 5e48b8e4f5..6a743dece4 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -507,7 +507,7 @@ colo-virt [groupc:children] value qa -unbound-dns +unbound dev staging builders From ea6c98fcf04709aab909ba060643fe2c055251ef Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 18:02:34 +0000 Subject: [PATCH 236/271] Fix up unbound.conf copy --- roles/unbound/tasks/main.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 8bde73f127..e1172b99e3 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -4,12 +4,7 @@ - unbound - name: install unbound config - copy: src={{ item }} dest=/etc/unbound/unbound.conf mode=644 - with_first_found: - - "{{ unbound.conf }}" - - unbound.conf.{{ ansible_fqdn }}-stg - - unbound.conf.{{ datacenter }} - - unbound.conf.{{ ansible_fqdn }} + copy: src=unbound.conf dest=/etc/unbound/unbound.conf mode=644 notify: - restart unbound From d02bcdc3b92cb75875e9482019e871a312f430d3 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 18:06:45 +0000 Subject: [PATCH 237/271] Install policycoreutils-python as well for semanage --- roles/unbound/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index e1172b99e3..9dd53ae8e1 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml 
@@ -2,6 +2,7 @@ yum: pkg={{ item }} state=installed with_items: - unbound + - policycoreutils-python - name: install unbound config copy: src=unbound.conf dest=/etc/unbound/unbound.conf mode=644 From b77a905a91df660194b1cb0017a594e633d8aae2 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 18:24:39 +0000 Subject: [PATCH 238/271] Add service enable/start to unbound role. --- roles/unbound/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 9dd53ae8e1..3a6eab08b7 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -35,3 +35,9 @@ - name: copying unbound server pem copy: src="{{ private }}/files/unbound/unbound_server.pem" dest=/etc/unbound/unbound_server.pem owner=root group=unbound mode=640 + +- name: Enable and start unbound service + service: state=running enabled=true name=unbound + tags: + - service + - config From faf7ba49d9444cead121c3ee7384413e3f827d27 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 19:42:51 +0000 Subject: [PATCH 239/271] Add checks for unbound instances --- roles/nagios_client/tasks/main.yml | 2 ++ roles/nagios_client/templates/check_openvpn_link.cfg.j2 | 1 + roles/nagios_client/templates/check_unbound_proc.cfg.j2 | 1 + 3 files changed, 4 insertions(+) create mode 100644 roles/nagios_client/templates/check_openvpn_link.cfg.j2 create mode 100644 roles/nagios_client/templates/check_unbound_proc.cfg.j2 diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 40d0e164f5..d6c965a995 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -57,6 +57,8 @@ - check_postfix_queue.cfg - check_lock.cfg - check_fedmsg_hub_proc.cfg + - check_openvpn_link.cfg + - check_unbound_proc.cfg notify: - restart nrpe tags: 
diff --git a/roles/nagios_client/templates/check_openvpn_link.cfg.j2 b/roles/nagios_client/templates/check_openvpn_link.cfg.j2 new file mode 100644 index 0000000000..a584a972e4 --- /dev/null +++ b/roles/nagios_client/templates/check_openvpn_link.cfg.j2 @@ -0,0 +1 @@ +command[check_openvpn_link]={{ libdir }}/nagios/plugins/check_ping -H 192.168.1.58 -w 375.0,20% -c 500,60% diff --git a/roles/nagios_client/templates/check_unbound_proc.cfg.j2 b/roles/nagios_client/templates/check_unbound_proc.cfg.j2 new file mode 100644 index 0000000000..cbae839cfd --- /dev/null +++ b/roles/nagios_client/templates/check_unbound_proc.cfg.j2 @@ -0,0 +1 @@ +command[check_unbound_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'unbound' -u unbound From d9b48ab35678ae669f9def3d9dd50b0823ea797b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 19:47:25 +0000 Subject: [PATCH 240/271] Make these conditional on unbound and not phx2 --- roles/nagios_client/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index d6c965a995..b2ef89ae54 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -58,7 +58,9 @@ - check_lock.cfg - check_fedmsg_hub_proc.cfg - check_openvpn_link.cfg + when: datacenter not 'phx2' - check_unbound_proc.cfg + when: inventory_hostname.startswith('unbound') notify: - restart nrpe tags: From 3f8e31d61a0e9f4729bcf1eb050c3ec3b70caf08 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 19:49:24 +0000 Subject: [PATCH 241/271] Indentation --- roles/nagios_client/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index b2ef89ae54..a756ca4863 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml 
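Review bot: `check_unbound_proc` in check_unbound_proc.cfg.j2 only asserts that exactly one `unbound` process owned by user unbound exists, so a resolver that is running but failing every lookup, for instance after a trust-anchor or DLV key problem, would still pass. A query-based NRPE command next to it would cover that case, assuming the dig plugin is installed on these hosts: `command[check_unbound_resolve]={{ libdir }}/nagios/plugins/check_dig -H <LISTEN_ADDRESS> -l fedoraproject.org`. The listen address has to come from the interface settings of unbound.conf, which are not visible here. In check_openvpn_link.cfg.j2 the peer `192.168.1.58` is hard-coded, and a variable would keep that address in one place.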
@@ -58,9 +58,9 @@ - check_lock.cfg - check_fedmsg_hub_proc.cfg - check_openvpn_link.cfg - when: datacenter not 'phx2' + when: datacenter not 'phx2' - check_unbound_proc.cfg - when: inventory_hostname.startswith('unbound') + when: inventory_hostname.startswith('unbound') notify: - restart nrpe tags: From 83c31d8487b56f5c67a31d6f56032e308ed150f6 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 19:50:10 +0000 Subject: [PATCH 242/271] This is a string --- roles/nagios_client/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index a756ca4863..6899966f91 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -58,7 +58,7 @@ - check_lock.cfg - check_fedmsg_hub_proc.cfg - check_openvpn_link.cfg - when: datacenter not 'phx2' + when: datacenter != 'phx2' - check_unbound_proc.cfg when: inventory_hostname.startswith('unbound') notify: From 64cd952dacd66c310f5847d3cfae7f5eb87ed421 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 19:58:15 +0000 Subject: [PATCH 243/271] Split these out for now. --- roles/nagios_client/tasks/main.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 6899966f91..1c054193a4 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml 
@@ -57,15 +57,26 @@ - check_postfix_queue.cfg - check_lock.cfg - check_fedmsg_hub_proc.cfg - - check_openvpn_link.cfg - when: datacenter != 'phx2' - - check_unbound_proc.cfg - when: inventory_hostname.startswith('unbound') notify: - restart nrpe tags: - config +# +# The actual items files here end in .j2 (they are templates) +# So when adding or modifying them change the .j2 version in git. +# +- name: install nrpe openvpn check config + template: src=check_openvpn_link.j2 dest=/etc/nrpe.d/{{ item }} + when: datacenter != 'phx2' +# +# The actual items files here end in .j2 (they are templates) +# So when adding or modifying them change the .j2 version in git. +# +- name: install nrpe unbound check config + template: src=check_unbound_proc.j2 dest=/etc/nrpe.d/{{ item }} + when: inventory_hostname.startswith('unbound') + - name: nrpe service start service: name=nrpe state=running enabled=true tags: From 749c6b9930dc29bdc2987273db8ff29cdbd745f2 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 20:00:37 +0000 Subject: [PATCH 244/271] Use correct names. --- roles/nagios_client/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 1c054193a4..da56d5ca89 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml 
@@ -67,14 +67,14 @@ # So when adding or modifying them change the .j2 version in git. # - name: install nrpe openvpn check config - template: src=check_openvpn_link.j2 dest=/etc/nrpe.d/{{ item }} + template: src=check_openvpn_link.cfg.j2 dest=/etc/nrpe.d/{{ item }} when: datacenter != 'phx2' # # The actual items files here end in .j2 (they are templates) # So when adding or modifying them change the .j2 version in git. # - name: install nrpe unbound check config - template: src=check_unbound_proc.j2 dest=/etc/nrpe.d/{{ item }} + template: src=check_unbound_proc.cfg.j2 dest=/etc/nrpe.d/{{ item }} when: inventory_hostname.startswith('unbound') - name: nrpe service start From 1dd428177211501b4535c2a9eb944866a0b4564f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 11 Feb 2014 20:26:53 +0000 Subject: [PATCH 245/271] Fix filenames --- roles/nagios_client/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index da56d5ca89..72c565f745 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -67,14 +67,14 @@ # So when adding or modifying them change the .j2 version in git. # - name: install nrpe openvpn check config - template: src=check_openvpn_link.cfg.j2 dest=/etc/nrpe.d/{{ item }} + template: src=check_openvpn_link.cfg.j2 dest=/etc/nrpe.d/check_openvpn_link.cfg when: datacenter != 'phx2' # # The actual items files here end in .j2 (they are templates) # So when adding or modifying them change the .j2 version in git. # - name: install nrpe unbound check config - template: src=check_unbound_proc.cfg.j2 dest=/etc/nrpe.d/{{ item }} + template: src=check_unbound_proc.cfg.j2 dest=/etc/nrpe.d/check_unbound_proc.cfg when: inventory_hostname.startswith('unbound') - name: nrpe service start From 5912f8b2042147cc25c49a68b6b4aeb8ee121c0e Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Tue, 11 Feb 2014 20:29:56 +0000 Subject: [PATCH 246/271] Restart nrpe on these 2 plays as well. --- roles/nagios_client/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 72c565f745..60a64dd588 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -69,6 +69,8 @@ - name: install nrpe openvpn check config template: src=check_openvpn_link.cfg.j2 dest=/etc/nrpe.d/check_openvpn_link.cfg when: datacenter != 'phx2' + notify: + - restart nrpe # # The actual items files here end in .j2 (they are templates) # So when adding or modifying them change the .j2 version in git. @@ -76,6 +78,8 @@ - name: install nrpe unbound check config template: src=check_unbound_proc.cfg.j2 dest=/etc/nrpe.d/check_unbound_proc.cfg when: inventory_hostname.startswith('unbound') + notify: + - restart nrpe - name: nrpe service start service: name=nrpe state=running enabled=true From ca7a14d04a66dac733f48ecafa0d3273bbe2ff42 Mon Sep 17 00:00:00 2001 From: Luke Macken Date: Tue, 11 Feb 2014 21:21:09 +0000 Subject: [PATCH 247/271] Add a missing quote to the extra-vars argument --- playbooks/update_packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/update_packages.yml b/playbooks/update_packages.yml index b94fb0d80b..c652539fec 100644 --- a/playbooks/update_packages.yml +++ b/playbooks/update_packages.yml @@ -1,4 +1,4 @@ -# requires --extra-vars="target='host1;host2;group etc' package='python-tahrir' +# requires --extra-vars="target='host1;host2;group etc' package='python-tahrir'" # # Alternatively, you could update a group of packages like # --extra-vars="target='host1;host2' package='python-t*'" From f03b006ce8c25e6e5c29cbde2e2c15a2e4918287 Mon Sep 17 00:00:00 2001 
From: Ralph Bean Date: Tue, 11 Feb 2014 21:31:33 +0000 Subject: [PATCH 248/271] Add the videographers badge to the oldschool script. --- roles/badges-backend/files/cron/award-oldschool-badges | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/badges-backend/files/cron/award-oldschool-badges b/roles/badges-backend/files/cron/award-oldschool-badges index 62e3dd6174..0497e6e23f 100755 --- a/roles/badges-backend/files/cron/award-oldschool-badges +++ b/roles/badges-backend/files/cron/award-oldschool-badges @@ -117,6 +117,7 @@ def main(): 'provenpackager': 'proven-packager', 'proventesters': 'proven-tester', 'ambassadors': 'ambassador', + 'videos': 'videographer', 'sysadmin-main': 'trust-me,-i-know-what-i-am-doing', 'sysadmin-badges': 'inside-job', 'sponsors': 'packager-sponsor', From 253c99a2d858b100600cae3d58bda19f9bdaf0a6 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 12 Feb 2014 04:25:31 +0000 Subject: [PATCH 249/271] Add resolv.conf for tummy and telia datacenters --- roles/base/files/resolv.conf/telia | 4 ++++ roles/base/files/resolv.conf/tummy | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 roles/base/files/resolv.conf/telia create mode 100644 roles/base/files/resolv.conf/tummy diff --git a/roles/base/files/resolv.conf/telia b/roles/base/files/resolv.conf/telia new file mode 100644 index 0000000000..11dff40bd1 --- /dev/null +++ b/roles/base/files/resolv.conf/telia @@ -0,0 +1,4 @@ +search vpn.fedoraproject.org fedoraproject.org +nameserver 213.248.76.210 +nameserver 152.3.182.5 +options rotate timeout:1 diff --git a/roles/base/files/resolv.conf/tummy b/roles/base/files/resolv.conf/tummy new file mode 100644 index 0000000000..246626e3f0 --- /dev/null +++ b/roles/base/files/resolv.conf/tummy @@ -0,0 +1,4 @@ +search vpn.fedoraproject.org fedoraproject.org +nameserver 198.49.126.1 +nameserver 66.35.36.133 +options rotate timeout:1 From c6911d869965e4d19952e61fcf2bda65fda21380 Mon Sep 17 00:00:00 2001 
From: Ralph Bean Date: Wed, 12 Feb 2014 14:20:53 +0000 Subject: [PATCH 250/271] Fix syntaxerror in one of the badges cronjobs. --- roles/badges-backend/files/cron/award-oldschool-badges | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/badges-backend/files/cron/award-oldschool-badges b/roles/badges-backend/files/cron/award-oldschool-badges index 0497e6e23f..aa0286922f 100755 --- a/roles/badges-backend/files/cron/award-oldschool-badges +++ b/roles/badges-backend/files/cron/award-oldschool-badges @@ -61,7 +61,7 @@ def user_in_group(user, group_name): return False # They must be actually 'approved' in that group for this to count - return relevant_role.role_status == 'approved': + return relevant_role.role_status == 'approved' def get_fas_groupings(fas_credentials, lookup, **config): From 6eb8225f04ca938648bd01ff2e1f4b79fbed210d Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 12 Feb 2014 14:59:59 +0000 Subject: [PATCH 251/271] Fix another typo in the oldschool badges cronjob. --- roles/badges-backend/files/cron/award-oldschool-badges | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/badges-backend/files/cron/award-oldschool-badges b/roles/badges-backend/files/cron/award-oldschool-badges index aa0286922f..f63d51e515 100755 --- a/roles/badges-backend/files/cron/award-oldschool-badges +++ b/roles/badges-backend/files/cron/award-oldschool-badges @@ -44,7 +44,7 @@ def user_in_group(user, group_name): group_id = None for g in user.memberships: if g.name == group_name: - group_id = g.group_id + group_id = g.id break if not group_id: From 54d9911f913c48d149fd7837770ed12a24fbb5fb Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 12 Feb 2014 21:38:15 +0000 Subject: [PATCH 252/271] Move to 10min for vhost_reboot timeout. --- playbooks/vhost_reboot.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/vhost_reboot.yml b/playbooks/vhost_reboot.yml index 4f3d8191cf..dd75a38b73 100644 
--- a/playbooks/vhost_reboot.yml +++ b/playbooks/vhost_reboot.yml @@ -79,8 +79,8 @@ - name: reboot the virthost command: /sbin/reboot - - name: wait for virthost to come back - up to 6 minutes - local_action: wait_for host={{ target }} port=22 delay=120 timeout=420 + - name: wait for virthost to come back - up to 10 minutes + local_action: wait_for host={{ target }} port=22 delay=120 timeout=600 - name: wait for libvirtd to come back on the virthost wait_for: path=/var/run/libvirtd.pid state=present From 9dc037d36e46a9c19853d2a572bad673c904205f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 13 Feb 2014 01:50:51 +0000 Subject: [PATCH 253/271] Add the ambassadors sponsors badge to the oldschool cronjob. --- .../badges-backend/files/cron/award-oldschool-badges | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/badges-backend/files/cron/award-oldschool-badges b/roles/badges-backend/files/cron/award-oldschool-badges index f63d51e515..f65255ffbc 100755 --- a/roles/badges-backend/files/cron/award-oldschool-badges +++ b/roles/badges-backend/files/cron/award-oldschool-badges @@ -85,7 +85,7 @@ def get_fas_groupings(fas_credentials, lookup, **config): mega_list = request['people'] results = {} - packager_id = None + packager_id, ambassadors_id = None, None for user in mega_list: # This is the main check. for group_name, badge_id in lookup.iteritems(): 
@@ -99,11 +99,20 @@ def get_fas_groupings(fas_credentials, lookup, **config): if group.name == 'packager': packager_id = group.id + if not ambassadors_id: + for group in user.memberships: + if group.name == 'ambassadors': + ambassadors_id = group.id + for role in user.roles: if role.group_id == packager_id: if role.role_type == 'sponsor' and role.role_status == 'approved': results['sponsors'] = results.get('sponsors', []) + [user] + if role.group_id == ambassadors_id: + if role.role_type == 'sponsor' and role.role_status == 'approved': + results['ambassadors_sponsors'] = results.get('ambassadors_sponsors', []) + [user] + return results From 00acd2a2116112de07e422d9d6fb54f885a70d82 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Thu, 13 Feb 2014 02:17:07 +0000 Subject: [PATCH 254/271] Add it to the mapping, too. --- roles/badges-backend/files/cron/award-oldschool-badges | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/badges-backend/files/cron/award-oldschool-badges b/roles/badges-backend/files/cron/award-oldschool-badges index f65255ffbc..8afea8d184 100755 --- a/roles/badges-backend/files/cron/award-oldschool-badges +++ b/roles/badges-backend/files/cron/award-oldschool-badges @@ -130,6 +130,7 @@ def main(): 'sysadmin-main': 'trust-me,-i-know-what-i-am-doing', 'sysadmin-badges': 'inside-job', 'sponsors': 'packager-sponsor', + 'ambassadors_sponsors': 'ambassadors-sponsor', 'designteam': 'pixel-ninja', 'fi-apprentice': 'no-longer-a-ronin', } From de4c5f6d3ce11afff1169b7a2919e1cfc0152001 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 13 Feb 2014 08:52:19 +0100 Subject: [PATCH 255/271] Enable the infrastructure-testing repo is testing is on --- playbooks/update_packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/update_packages.yml b/playbooks/update_packages.yml index c652539fec..d621dcd553 100644 --- a/playbooks/update_packages.yml +++ b/playbooks/update_packages.yml 
@@ -19,4 +19,4 @@ command: yum clean expire-cache {% if testing %} --enablerepo=infrastructure-testing {% endif %} - name: yum update {{ package }} {% if testing %}(with infrastructure-testing on){% endif %} - yum: name={{ package }} state=latest # {% if testing %}enablerepo=infrastructure-testing{% endif %} + yum: name={{ package }} state=latest {% if testing %}enablerepo=infrastructure-testing{% endif %} From 40382775688aa184e7ce79b4df13d985c1e6caa5 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 13 Feb 2014 18:01:04 +0000 Subject: [PATCH 256/271] Update inventory. --- inventory/builders | 29 +++++++++++++++-------------- inventory/inventory | 6 ++---- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/inventory/builders b/inventory/builders index ababf2c5dc..de985c2f4c 100644 --- a/inventory/builders +++ b/inventory/builders 
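Review bot: `{% if testing %}` on the changed `yum:` line is true for any non-empty string, so a value passed as `testing=false` through `--extra-vars` in key=value form would still enable infrastructure-testing on the target hosts. The usage comment at the top of this playbook passes `target` and `package` that way, but where `testing` is defined lies outside this hunk, so treat this as an assumption to confirm. Casting the value closes the gap: `{% if testing|default(false)|bool %}enablerepo=infrastructure-testing{% endif %}`. The same test is used in the unchanged `expire-caches` task directly above and should get the same treatment.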
@@ -136,20 +136,21 @@ arm02-builder23.arm.fedoraproject.org # These are in use as arm03-packager01-02 #arm03-builder08.arm.fedoraproject.org #arm03-builder09.arm.fedoraproject.org -arm03-builder10.arm.fedoraproject.org -arm03-builder11.arm.fedoraproject.org -arm03-builder12.arm.fedoraproject.org -arm03-builder13.arm.fedoraproject.org -arm03-builder14.arm.fedoraproject.org -arm03-builder15.arm.fedoraproject.org -arm03-builder16.arm.fedoraproject.org -arm03-builder17.arm.fedoraproject.org -arm03-builder18.arm.fedoraproject.org -arm03-builder19.arm.fedoraproject.org -arm03-builder20.arm.fedoraproject.org -arm03-builder21.arm.fedoraproject.org -arm03-builder22.arm.fedoraproject.org -arm03-builder23.arm.fedoraproject.org +# These are off currently +#arm03-builder10.arm.fedoraproject.org +#arm03-builder11.arm.fedoraproject.org +#arm03-builder12.arm.fedoraproject.org +#arm03-builder13.arm.fedoraproject.org +#arm03-builder14.arm.fedoraproject.org +#arm03-builder15.arm.fedoraproject.org +#arm03-builder16.arm.fedoraproject.org +#arm03-builder17.arm.fedoraproject.org +#arm03-builder18.arm.fedoraproject.org +#arm03-builder19.arm.fedoraproject.org +#arm03-builder20.arm.fedoraproject.org +#arm03-builder21.arm.fedoraproject.org +#arm03-builder22.arm.fedoraproject.org +#arm03-builder23.arm.fedoraproject.org [arm04] arm04-builder00.arm.fedoraproject.org diff --git a/inventory/inventory b/inventory/inventory index 6a743dece4..865c7ab986 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -299,7 +299,6 @@ openid01.phx2.fedoraproject.org openid02.phx2.fedoraproject.org [other] -mm3test.fedoraproject.org people03.fedoraproject.org survey01.dev.fedoraproject.org secondary01.phx2.fedoraproject.org 
@@ -379,7 +378,6 @@ notifs-web01.stg.phx2.fedoraproject.org notifs-web02.stg.phx2.fedoraproject.org nuancier01.stg.phx2.fedoraproject.org nuancier02.stg.phx2.fedoraproject.org -openid01.stg.phx2.fedoraproject.org packages01.stg.phx2.fedoraproject.org paste01.stg.phx2.fedoraproject.org pkgs01.stg.phx2.fedoraproject.org @@ -402,9 +400,9 @@ value03.phx2.fedoraproject.org value01.stg.phx2.fedoraproject.org [virthost] -virthost01.phx2.fedoraproject.org +#virthost01.phx2.fedoraproject.org virthost02.phx2.fedoraproject.org -virthost03.phx2.fedoraproject.org +#virthost03.phx2.fedoraproject.org virthost04.phx2.fedoraproject.org virthost05.phx2.fedoraproject.org virthost06.phx2.fedoraproject.org From 878152cbeb41c830ac23643269c5307dd79bce99 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 13 Feb 2014 21:45:21 +0100 Subject: [PATCH 257/271] Always run yum clean expire-cache --- playbooks/update_packages.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/update_packages.yml b/playbooks/update_packages.yml index d621dcd553..3e0a55caa1 100644 --- a/playbooks/update_packages.yml +++ b/playbooks/update_packages.yml @@ -17,6 +17,7 @@ - name: expire-caches {% if testing %}(with infrastructure-testing on){% endif %} command: yum clean expire-cache {% if testing %} --enablerepo=infrastructure-testing {% endif %} + always_run: yes - name: yum update {{ package }} {% if testing %}(with infrastructure-testing on){% endif %} yum: name={{ package }} state=latest {% if testing %}enablerepo=infrastructure-testing{% endif %} From c664301bd72692efbe7b2cc51e2dba2a776eef4f Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 13 Feb 2014 21:46:47 +0100 Subject: [PATCH 258/271] Don't move the rpm/srpm if running in testing --- playbooks/sign_and_import.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/sign_and_import.yml b/playbooks/sign_and_import.yml index 9cfdd38466..8a8745ce26 100644 --- a/playbooks/sign_and_import.yml 
+++ b/playbooks/sign_and_import.yml @@ -43,10 +43,12 @@ - name: Run createrepo on the srpm dir command: createrepo --update {{ repodir }}/SRPMS/ + {% if testing %} - name: move processed srpms out to {{ rpmdir }}-old command: /bin/mv {{ item }} {{ rpmdir }}-old/ with_fileglob: - "{{ rpmdir }}/*.src.rpm" + {% endif %} - name: copy the binary rpms to the x86_64 dir of {{ repodir }} copy: src={{ item }} dest={{ repodir }}/x86_64/ @@ -56,7 +58,9 @@ - name: Run createrepo on the x86_64 dir command: createrepo --update {{ repodir }}/x86_64/ + {% if testing %} - name: move processed rpms out to {{ rpmdir }}-old command: /bin/mv {{ item }} {{ rpmdir }}-old/ with_fileglob: - "{{ rpmdir }}/*.rpm" + {% endif %} From 250c7e921c63da5797998a5c256c36f9334ea5dc Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 13 Feb 2014 21:51:02 +0100 Subject: [PATCH 259/271] Use a more ansible-y syntax rather than jinja's --- playbooks/sign_and_import.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/playbooks/sign_and_import.yml b/playbooks/sign_and_import.yml index 8a8745ce26..738817376b 100644 --- a/playbooks/sign_and_import.yml +++ b/playbooks/sign_and_import.yml @@ -43,12 +43,11 @@ - name: Run createrepo on the srpm dir command: createrepo --update {{ repodir }}/SRPMS/ - {% if testing %} - name: move processed srpms out to {{ rpmdir }}-old command: /bin/mv {{ item }} {{ rpmdir }}-old/ + when: not testing with_fileglob: - "{{ rpmdir }}/*.src.rpm" - {% endif %} - name: copy the binary rpms to the x86_64 dir of {{ repodir }} copy: src={{ item }} dest={{ repodir }}/x86_64/ @@ -58,9 +57,8 @@ - name: Run createrepo on the x86_64 dir command: createrepo --update {{ repodir }}/x86_64/ - {% if testing %} - name: move processed rpms out to {{ rpmdir }}-old command: /bin/mv {{ item }} {{ rpmdir }}-old/ + when: not testing with_fileglob: - "{{ rpmdir }}/*.rpm" - {% endif %} From 315fb7192205372877e098b508c6cc68e35a0e7a Mon Sep 17 00:00:00 2001 
From: Patrick Uiterwijk Date: Fri, 14 Feb 2014 14:07:39 +0100 Subject: [PATCH 260/271] Add the OpenID issuer configuration --- roles/fedoauth/templates/fedoauth.stg.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/fedoauth/templates/fedoauth.stg.cfg b/roles/fedoauth/templates/fedoauth.stg.cfg index 23f8933806..bd2bc27ca6 100644 --- a/roles/fedoauth/templates/fedoauth.stg.cfg +++ b/roles/fedoauth/templates/fedoauth.stg.cfg @@ -29,6 +29,7 @@ FAS_AVAILABLE_TO = [] # PERSONA CONFIGURATION # This is the domain for which we are willing to sign PERSONA_DOMAIN = 'stg.fedoraproject.org' +PERSONA_ISSUER = 'id.stg.fedoraproject.org' PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key' PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' From ef7ed004ab9bd08bfe7f664a44ea72cf70374a42 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 14 Feb 2014 18:16:00 +0000 Subject: [PATCH 261/271] Add a cron job to delete unused ask tags every day. Ticket 4230 --- roles/ask/files/cron-delete-unused-tags | 2 ++ roles/ask/tasks/main.yml | 1 + 2 files changed, 3 insertions(+) create mode 100644 roles/ask/files/cron-delete-unused-tags diff --git a/roles/ask/files/cron-delete-unused-tags b/roles/ask/files/cron-delete-unused-tags new file mode 100644 index 0000000000..e9875478fc --- /dev/null +++ b/roles/ask/files/cron-delete-unused-tags @@ -0,0 +1,2 @@ +0 22 * * * root /usr/bin/python /etc/askbot/sites/ask/config/manage.py delete_unused_tags > /dev/null 2> /dev/null + diff --git a/roles/ask/tasks/main.yml b/roles/ask/tasks/main.yml index 33b9437294..03a4feac3a 100644 --- a/roles/ask/tasks/main.yml +++ b/roles/ask/tasks/main.yml @@ -89,6 +89,7 @@ - cron-ask-send-reminders - cron-post-office-send-mail - cron-delete-old-emails + - cron-delete-unused-tags tags: - files From 86b93efb5ee61febc77992a8c341301df2d77dee Mon Sep 17 00:00:00 2001 
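Review bot: The new cron entry runs `manage.py delete_unused_tags` as `root` and sends both stdout and stderr to /dev/null. A management command that only tidies the application database should not need root, and with stderr discarded a failing run leaves no trace for whoever operates the host. Running it under the account the askbot site uses and keeping stderr, e.g. `0 22 * * * <askbot-user> /usr/bin/python /etc/askbot/sites/ask/config/manage.py delete_unused_tags > /dev/null`, lets cron mail any error. The service account name is not visible in this patch, so `<askbot-user>` is a placeholder.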
From: Kevin Fenzi Date: Fri, 14 Feb 2014 20:57:04 +0000 Subject: [PATCH 262/271] Move releng02 over to buildvmhost12 to see if it makes rawhide better. --- inventory/host_vars/releng02.phx2.fedoraproject.org | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/inventory/host_vars/releng02.phx2.fedoraproject.org b/inventory/host_vars/releng02.phx2.fedoraproject.org
index f6667695ec..7cc5c0d6c9 100644
--- a/inventory/host_vars/releng02.phx2.fedoraproject.org
+++ b/inventory/host_vars/releng02.phx2.fedoraproject.org
@@ -1,3 +1,5 @@
-vmhost: bvirthost05.phx2.fedoraproject.org
+vmhost: buildvmhost12.phx2.fedoraproject.org
 eth0_ip: 10.5.125.69
 volgroup: /dev/xenGuests
+mem_size: 65536
+num_cpus: 16
From 9ad1edf9ddf5a4f791ebea0bd4d87377d64ea2da Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 14 Feb 2014 21:13:32 +0000 Subject: [PATCH 263/271] There's a dash here. --- inventory/host_vars/releng02.phx2.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventory/host_vars/releng02.phx2.fedoraproject.org b/inventory/host_vars/releng02.phx2.fedoraproject.org
index 7cc5c0d6c9..6c7f52b3ca 100644
--- a/inventory/host_vars/releng02.phx2.fedoraproject.org
+++ b/inventory/host_vars/releng02.phx2.fedoraproject.org
@@ -1,4 +1,4 @@
-vmhost: buildvmhost12.phx2.fedoraproject.org
+vmhost: buildvmhost-12.phx2.fedoraproject.org
 eth0_ip: 10.5.125.69
 volgroup: /dev/xenGuests
 mem_size: 65536
From 881cd2a35c64583a3f859295c0c5ea01f30e339e Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk Date: Fri, 14 Feb 2014 21:17:05 +0000 Subject: [PATCH 264/271] Add fedoauth0{1,2}.phx --- inventory/group_vars/fedoauth | 12 ++++++++++++ .../host_vars/fedoauth01.phx2.fedoraproject.org | 10 ++++++++++ .../host_vars/fedoauth02.phx2.fedoraproject.org | 10 ++++++++++ inventory/inventory | 4 ++++ 4 files changed, 36 insertions(+) create mode 100644 inventory/group_vars/fedoauth create mode 100644 inventory/host_vars/fedoauth01.phx2.fedoraproject.org create mode 100644 inventory/host_vars/fedoauth02.phx2.fedoraproject.org
diff --git a/inventory/group_vars/fedoauth b/inventory/group_vars/fedoauth
new file mode 100644
index 0000000000..42ab8539a8
--- /dev/null
+++ b/inventory/group_vars/fedoauth
@@ -0,0 +1,12 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443 ]
+
+fas_client_groups: sysadmin-main,sysadmin-accounts
diff --git a/inventory/host_vars/fedoauth01.phx2.fedoraproject.org b/inventory/host_vars/fedoauth01.phx2.fedoraproject.org
new file mode 100644
index 0000000000..b4808cd86a
--- /dev/null
+++ b/inventory/host_vars/fedoauth01.phx2.fedoraproject.org
@@ -0,0 +1,10 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
+ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.240
+vmhost: virthost07.phx2.fedoraproject.org
+datacenter: phx2
diff --git a/inventory/host_vars/fedoauth02.phx2.fedoraproject.org b/inventory/host_vars/fedoauth02.phx2.fedoraproject.org
new file mode 100644
index 0000000000..3a8cc1d508
--- /dev/null
+++ b/inventory/host_vars/fedoauth02.phx2.fedoraproject.org
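Review bot: `ks_url` and `ks_repo` in the new fedoauth01 host_vars (and the identical pair in fedoauth02) are plain `http://` URLs, so the kickstart and install tree for an identity-provider host are fetched with no transport integrity. Anything able to alter traffic on that network segment could change what gets installed, and the hunk shows no compensating check. If the repo host can serve the same paths over TLS under a name its certificate covers, pointing both keys at that is the fix; otherwise a comment such as `# plain HTTP: relies on the build network being trusted` would at least record the assumption next to the values.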
@@ -0,0 +1,10 @@ +--- +nm: 255.255.255.0 +gw: 10.5.126.254 +dns: 10.5.126.21 +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 +ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ +volgroup: /dev/vg_guests +eth0_ip: 10.5.126.241 +vmhost: virthost09.phx2.fedoraproject.org +datacenter: phx2 diff --git a/inventory/inventory b/inventory/inventory index 865c7ab986..316317b6dc 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -282,6 +282,10 @@ nuancier02.stg.phx2.fedoraproject.org [fedocal-stg] fedocal01.stg.phx2.fedoraproject.org +[fedoauth] +fedoauth01.phx2.fedoraproject.org +fedoauth02.phx2.fedoraproject.org + [fedoauth-stg] fedoauth01.stg.phx2.fedoraproject.org From fce243ad3a72e54abe89812d14c1e9007ee76608 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 14 Feb 2014 21:18:10 +0000 Subject: [PATCH 265/271] Deploy to prod as well --- playbooks/groups/fedoauth.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/playbooks/groups/fedoauth.yml b/playbooks/groups/fedoauth.yml index ebbe4dbc19..e2abe419f0 100644 --- a/playbooks/groups/fedoauth.yml +++ b/playbooks/groups/fedoauth.yml @@ -4,7 +4,7 @@ # NOTE: most of these vars_path come from group_vars/fedoauth* or from hostvars - name: make fedoauth - hosts: fedoauth-stg + hosts: fedoauth-stg, fedoauth user: root gather_facts: False @@ -21,7 +21,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: make the box be real - hosts: fedoauth-stg + hosts: fedoauth-stg, fedoauth user: root gather_facts: True accelerate: True @@ -53,7 +53,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: deploy fedoauth itself - hosts: fedoauth-stg + hosts: fedoauth-stg, fedoauth user: root gather_facts: True accelerate: True From e3dc33b618907ba9433372110f77fe27f60ef7d3 Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Fri, 14 Feb 2014 21:18:37 +0000 Subject: [PATCH 266/271] Adjust nrpe on releng02 --- inventory/host_vars/releng02.phx2.fedoraproject.org | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/inventory/host_vars/releng02.phx2.fedoraproject.org b/inventory/host_vars/releng02.phx2.fedoraproject.org
index 6c7f52b3ca..d0455c5a59 100644
--- a/inventory/host_vars/releng02.phx2.fedoraproject.org
+++ b/inventory/host_vars/releng02.phx2.fedoraproject.org
@@ -3,3 +3,6 @@ eth0_ip: 10.5.125.69
 volgroup: /dev/xenGuests
 mem_size: 65536
 num_cpus: 16
+# With 16 cpus, theres a bunch more kernel threads
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
From ca9e882b21fcfaed57218194d530b1955cd926a1 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 14 Feb 2014 21:24:51 +0000 Subject: [PATCH 267/271] Create prod fedoauth config --- roles/fedoauth/templates/fedoauth.cfg | 52 +++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 roles/fedoauth/templates/fedoauth.cfg
diff --git a/roles/fedoauth/templates/fedoauth.cfg b/roles/fedoauth/templates/fedoauth.cfg
new file mode 100644
index 0000000000..9241352565
--- /dev/null
+++ b/roles/fedoauth/templates/fedoauth.cfg
@@ -0,0 +1,52 @@ +# Beware that the quotes around the values are mandatory + +# GENERAL CONFIGURATION +### url to the database server: +SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}" +#SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite' +#SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name' +#SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name' + +# This is the OpenID endpoint url, at which the server is available +WEBSITE_ROOT = 'https://id.fedoraproject.org' +COOKIE_DOMAIN = 'id.fedoraproject.org' +COOKIE_SECURE = True +OPENID_IDENTITY_URL = 'http://%(username)s.id.fedoraproject.org/' + +# Modules to use +AUTH_MODULE='fedoauth.auth.fas.Auth_FAS' + +# FAS PROVIDER CONFIGURATION +FAS_USER_AGENT = 'FAS-OpenID' +FAS_BASE_URL='https://admin.fedoraproject.org/accounts/' +FAS_CHECK_CERT=False +FAS_HTTPS_REQUIRED=False + +# Enable a filter to make this only available to a specific list of users +FAS_AVAILABLE_FILTER = False +FAS_AVAILABLE_TO = [] + +# PERSONA CONFIGURATION +# This is the domain for which we are willing to sign +PERSONA_DOMAIN = 'fedoraproject.org' +PERSONA_ISSUER = 'id.fedoraproject.org' +PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key' +PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' + +# OPENID CONFIGURATION +# This is the OpenID url provided to users. 
Add %(username)s where the username should be entered +# A list of trust roots for which the user will not need to confirm again +OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin', + 'https://ask.fedoraproject.org/', + 'https://fedorahosted.org/', + 'https://badges.fedoraproject.org', + 'https://apps.fedoraproject.org/tagger/', + 'https://apps.fedoraproject.org/nuancier/', + 'https://apps.fedoraproject.org/datagrepper/', + 'https://apps.fedoraproject.org/calendar/', + 'https://apps.fedoraproject.org/notifications/', + 'http://copr.fedoraproject.org/', + 'http://copr-fe.cloud.fedoraproject.org/'] +OPENID_NON_TRUSTED_ROOTS = [] +### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit) +OPENID_MAX_AUTH_TIME = 120 From b152789b195fe26c1965001a6f4abe803981b279 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 14 Feb 2014 21:27:17 +0000 Subject: [PATCH 268/271] These are semicolons --- playbooks/groups/fedoauth.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/playbooks/groups/fedoauth.yml b/playbooks/groups/fedoauth.yml index e2abe419f0..bfad471f3b 100644 --- a/playbooks/groups/fedoauth.yml +++ b/playbooks/groups/fedoauth.yml @@ -4,7 +4,7 @@ # NOTE: most of these vars_path come from group_vars/fedoauth* or from hostvars - name: make fedoauth - hosts: fedoauth-stg, fedoauth + hosts: fedoauth-stg;fedoauth user: root gather_facts: False @@ -21,7 +21,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: make the box be real - hosts: fedoauth-stg, fedoauth + hosts: fedoauth-stg;fedoauth user: root gather_facts: True accelerate: True @@ -53,7 +53,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: deploy fedoauth itself - hosts: fedoauth-stg, fedoauth + hosts: fedoauth-stg;fedoauth user: root gather_facts: True accelerate: True From e43e7b564b63fb18e9665bdd909569eb4bd6a26d Mon Sep 17 00:00:00 2001 
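Review bot: The production config sets `FAS_CHECK_CERT=False` and `FAS_HTTPS_REQUIRED=False`, which by their names switch off certificate verification for the connection to `FAS_BASE_URL`, the path over which this identity provider checks users' credentials. With verification off, whoever can intercept that connection can stand in for FAS towards the provider; for production I would set `FAS_CHECK_CERT=True` and `FAS_HTTPS_REQUIRED=True` unless there is a reason not shown here. Separately, three entries in `OPENID_TRUSTED_ROOTS` are `http://` (jenkins.cloud, copr and copr-fe.cloud): trusted roots skip the user's confirmation, so assertions are released without a prompt to sites whose return traffic is unprotected. Those entries could stay out of the trusted list until the sites are served over https only.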
From: Patrick Uiterwijk Date: Fri, 14 Feb 2014 21:31:08 +0000 Subject: [PATCH 269/271] on vh07 its apparantly vg_guests00 --- inventory/host_vars/fedoauth01.phx2.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/host_vars/fedoauth01.phx2.fedoraproject.org b/inventory/host_vars/fedoauth01.phx2.fedoraproject.org index b4808cd86a..591d045bf3 100644 --- a/inventory/host_vars/fedoauth01.phx2.fedoraproject.org +++ b/inventory/host_vars/fedoauth01.phx2.fedoraproject.org @@ -4,7 +4,7 @@ gw: 10.5.126.254 dns: 10.5.126.21 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6 ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/ -volgroup: /dev/vg_guests +volgroup: /dev/vg_guests00 eth0_ip: 10.5.126.240 vmhost: virthost07.phx2.fedoraproject.org datacenter: phx2 From a0a41c33a86652fbbcd6d28e245d8a422438291f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 14 Feb 2014 21:31:37 +0000 Subject: [PATCH 270/271] Apparantly they should be colons --- playbooks/groups/fedoauth.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/playbooks/groups/fedoauth.yml b/playbooks/groups/fedoauth.yml index bfad471f3b..62c75bb0c1 100644 --- a/playbooks/groups/fedoauth.yml +++ b/playbooks/groups/fedoauth.yml @@ -4,7 +4,7 @@ # NOTE: most of these vars_path come from group_vars/fedoauth* or from hostvars - name: make fedoauth - hosts: fedoauth-stg;fedoauth + hosts: fedoauth-stg:fedoauth user: root gather_facts: False @@ -21,7 +21,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: make the box be real - hosts: fedoauth-stg;fedoauth + hosts: fedoauth-stg:fedoauth user: root gather_facts: True accelerate: True @@ -53,7 +53,7 @@ - include: "{{ handlers }}/restart_services.yml" - name: deploy fedoauth itself - hosts: fedoauth-stg;fedoauth + hosts: fedoauth-stg:fedoauth user: root gather_facts: True accelerate: True From 51a4bc549861143f2638ddcb62226a2ba3b5d296 Mon Sep 17 00:00:00 2001 
From: Patrick Uiterwijk Date: Fri, 14 Feb 2014 22:17:31 +0000 Subject: [PATCH 271/271] Only run db creation on the primary nodes so that we dont get race conditions --- roles/fedoauth/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml index b0631d3ff6..2c59658164 100644 --- a/roles/fedoauth/tasks/main.yml +++ b/roles/fedoauth/tasks/main.yml @@ -48,6 +48,7 @@ when: env == "staging" - name: create the database scheme + hosts: fedoauth01.phx2.fedoraproject.org:fedoauth01.stg.phx2.fedoraproject.org command: /usr/bin/python2 /usr/share/fedoauth/createdb.py environment: FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
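Review bot: `hosts:` is a play-level keyword and has no meaning on a task inside roles/fedoauth/tasks/main.yml, so the added line does not restrict `create the database scheme` to the primary nodes. Depending on the Ansible version it is either rejected as an unknown task parameter or ignored, and in the latter case createdb.py still runs on every node and the race the commit message describes remains. A task-level condition does what is intended: `when: inventory_hostname == 'fedoauth01.phx2.fedoraproject.org' or inventory_hostname == 'fedoauth01.stg.phx2.fedoraproject.org'`. The task's `environment:` mapping may continue past the end of the hunk.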