We want to move to mock-core-configs-36.4 (pushing to infra 34 repos)
because the version contains multiple config fixes.
That version though dropped epel-8 configs as they go EOL soon. We plan
to move to rhel+epel, but that needs more work and testing - so for now
default to centos+epel again (CentOS 8 goes EOL in Jan 2022).

Seems there's one more port that needs to be tagged before we
can finally unset this:
https://bugzilla.redhat.com/show_bug.cgi?id=1277312#c9
Keep the custom policy as well, though, so we just need to
update it when that port gets done.
Signed-off-by: Adam Williamson <awilliam@redhat.com>

We've been using the httpd_can_network_connect boolean for years
to allow httpd to connect to the openQA server processes. This
is an unnecessarily large hammer when we only need it to be
able to connect to exactly the two openQA ports. This uses a
custom SELinux policy to allow connecting to those ports only,
and ensures the boolean is set back to off.
Signed-off-by: Adam Williamson <awilliam@redhat.com>

Several of these requirements are old ones that were only needed
for createhdds, when we ran createhdds on the servers. All of
those can go. Also make the list line-by-line for easier git
blame tracking in future (and add comments for the remaining
entries so we know why they're there).
Signed-off-by: Adam Williamson <awilliam@redhat.com>

The current static path referenced python3.8 in path, which is no longer
true on newer Fedora, so we need to have a special rule for staging until
production is updated.
Signed-off-by: Michal Konečný <mkonecny@redhat.com>

Turns out there was a z/vm and a kvm version of this host with both of
them using the same ip address. ;( Let's kill off the kvm one for now and
use just the z/vm one.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

Seems like with lighttpd v1.4.61 we finally can match the index file
request against the rewritten url, so it is secure! This allows us to
prettily restrict the configuration to load the php script from only one
possible location.

This caused a bit of trouble since I disabled nosync in the kojibuilder
role. I think I applied that with -t site-defaults, which updated
everything, _including_ bkernel machines. Sadly, bkernel machines have
additional config in site-defaults to allow for secure boot signing and
this was lost. So, make sure only the bkernel role changes site-defaults
on bkernel machines and also drop nosync from its private config.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>