necessary updates for openqa roles have gone stable for now, so
disable updates-testing usage (keep the plays around commented,
though, since we'll likely need them again in future). Also, a
bit more attempted support for non-infra use: make the monkey
patching of the repo URLs in the test templates only happen if
deployment_type is defined, actually respect the openqa_consumer
var (don't enable the job scheduling consumer unless it's truey)
and only enable any wiki reporting consumer if deployment_type
is defined.
rwmjones says the guestfs / rpm bug has been fixed (a new base
fedora-23 image has been uploaded which should avoid it, anyway)
so let's try turning disk image generation back on and see how
it flies.
- Pulling the userlist from fas now loops over each letter of the alphabet to avoid time out issues
- I call time.sleep(60) after awarding a badge to help avoid overwhelming the frontend
1. We want all playbooks to be idempotent. If we add things like this
it means the playbook will change every single time we run it.
2. Things like this mean that if we need to change one config or
something to get the service working we may have to wait a long time
for it to apply tons of pending updates, which may break more things.
3. On all Fedora machines (that have base role anyhow) we already run
dnf-automatic to apply all security updates. We could expand that to
apply all updates if you like. Doing them daily is much better for
finding regressions
4. We expect updates are applied normally by dnf-automatic or by
sysadmins so we can know whats in the updates and be ready for issues
or restarting things.
can be abused by a non admin user using a symlink in /tmp (just a
simple for loop over the pid space would be enough).
Then we can at best erase a almost arbitrary file (using a creative
symlink), or at worst, maybe inject data that could be parsed by a
software (since the content would be under the control of a attacker,
since that's the list of file in a user home directories.