Commit graph

34400 commits

Author SHA1 Message Date
Kevin Fenzi
ca8b9ad361 Revert "Revert "virt instance create: put old armv7 install setup back in stg""
This reverts commit 4cb77b2966.

Take it back out, seems to make no difference if it's uefi or not.
2021-01-24 17:51:17 -08:00
Kevin Fenzi
c8031223fb Try and install 32bit arm builders in stg with uefi and f32 and f32 release kernel
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-01-24 17:25:50 -08:00
Kevin Fenzi
4cb77b2966 Revert "virt instance create: put old armv7 install setup back in stg"
This reverts commit a34ef07de9.
2021-01-24 14:39:46 -08:00
Kevin Fenzi
a34ef07de9 virt instance create: put old armv7 install setup back in stg
Will re-install a builder without uefi and see if that matters any for
our memory management woes.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-01-24 10:44:13 -08:00
František Zatloukal
d2c34f384c oraculum: Let's try to drop strategy from non-user facing deployments 2021-01-23 23:55:51 +01:00
František Zatloukal
43794ed6f3 oraculum: Update REDIS_SERVICE_HOST 2021-01-23 23:39:12 +01:00
František Zatloukal
4c2bdfc12d oraculum: More shuffling 2021-01-23 23:32:09 +01:00
František Zatloukal
9cfa6fee08 oraculum: Change service selectors to use oraculum 2021-01-23 22:42:43 +01:00
František Zatloukal
36f6938cc4 oraculum: route to the correct port 2021-01-23 22:31:36 +01:00
František Zatloukal
3af06594fd oraculum: Update REDIS_HOST 2021-01-23 22:19:03 +01:00
František Zatloukal
f1199d653f oraculum: Call celery directly, not from /usr/bin 2021-01-23 22:10:56 +01:00
František Zatloukal
a92ef77426 oraculum: ContainerPort 2021-01-23 22:08:53 +01:00
František Zatloukal
331de5b2e7 oraculum: Simplify commands to run the container 2021-01-23 22:02:00 +01:00
František Zatloukal
8c3459fed2 oraculum: Let's try 8080 for probes 2021-01-23 21:58:53 +01:00
František Zatloukal
ad2fcd19dc oraculum: api runs at 8080 internally 2021-01-23 21:32:17 +01:00
František Zatloukal
26e3687439 oraculum: Shuffle args and command a bit 2021-01-23 21:23:21 +01:00
František Zatloukal
e1b2416889 oraculum: wire up secret.yml into the playbook 2021-01-23 20:50:39 +01:00
František Zatloukal
fe2518d4d2 oraculum: Attempt to correct volumes in dc 2021-01-23 15:26:00 +01:00
František Zatloukal
699bed7b9a oraculum: Cleanup of dc 2021-01-23 00:40:23 +01:00
František Zatloukal
cd6bdea34f oraculum: More fighting with container names 2021-01-23 00:21:43 +01:00
Kevin Fenzi
c9bfe6fa19 robosignatory: disable ima file signing for now per fesco request
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-01-22 09:31:38 -08:00
Nils Philippsen
705b35530e ipa/client: Disable password-less sudo task
Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-01-22 17:39:28 +01:00
Nils Philippsen
a64e758ccf Configure IPA host group for MBS
Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-01-22 16:05:16 +00:00
Nils Philippsen
d48d5c00b8 ipa/client: Use host groups for HBAC and sudo rules
Creating individual HBAC and sudo rules in IPA would quickly become
unwieldy.

Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-01-22 16:05:16 +00:00
Nils Philippsen
e63d94fc74 ipa/client: Add common IPA configuration
The `common.yml` sub-playbook runs tasks necessary for the `hbac.yml`
and `sudo.yml` sub-playbooks, but not specific to either.

Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-01-22 16:05:16 +00:00
Nils Philippsen
17174c37b9 ipa/client: Make checking for groups more robust
The `ipa` command needs a valid Kerberos ticket for the IPA admin user
which might be present or not. This probably worked most of the time
because other tasks in the playbook acquired a ticket as a side effect.

Use `getent group ...` instead which doesn't query IPA directly. This
has the additional benefit that it verifies the groups in question are
POSIX groups, which is what we want for shell access and sudo.

Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-01-22 16:05:16 +00:00
Nils Philippsen
4c650994dd ipa/client: Always warn about fas_client_groups
The `fas_client_groups` and `ipa_client_shell_groups` variables have a
different format, the former is a comma-separated string, the latter a
list. Nag about it with more detail and regardless of if
`ipa_client_shell_groups` is set, because if it is, then the old
variable gets ignored.

Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-01-22 16:05:16 +00:00
Nils Philippsen
8f453535dc ipa/client: Improve naming HBAC, sudo rules
Rename:
- "group/sysadmin-main" to "usergroup/sysadmin-main" to prepare for
  using host groups
- "sudo/all" to "all-users/sudo" likewise to make it apparent that it's
  about users and to put the resource last to which access is granted

Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-01-22 16:05:16 +00:00
Nils Philippsen
71e625c0fd ipa/client: Set config tag in main playbook
This avoids having to add the tag to every individual task (or
forgetting it).

Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-01-22 16:05:16 +00:00
Pavel Raiskup
8c079d8cc3 copr-be: fix bug in loop, second attempt
Don't ask for 'devel' instance, but rather for 'letsencrypt'
configuration.
2021-01-22 17:04:06 +01:00
Pavel Raiskup
a1f67eb0bf copr-be: correct typo in the loop 2021-01-22 16:53:50 +01:00
František Zatloukal
62423cb7fa oraculum: Try a different container name 2021-01-22 16:51:13 +01:00
Pavel Raiskup
e7badfc679 copr-be: experiment with ipv6/ipv4 x 80/443
This is according to lighttpd best practices?
https://redmine.lighttpd.net/projects/lighttpd/wiki/IPv6-Config#Recommended-IPv6-setup
2021-01-22 16:30:27 +01:00
František Zatloukal
f615877ec7 oraculum: Fixup containername ... please WORK! 2021-01-22 15:45:56 +01:00
Pavel Raiskup
bbb4460c3d copr-be: re-enable port 80
The socket statement for :80 needs to be configured, otherwise http://
doesn't work at all.

f025f0cc31
2021-01-22 15:38:03 +01:00
František Zatloukal
3dae7d40d5 oraculum: Try metadata naming change 2021-01-22 15:36:19 +01:00
František Zatloukal
b138ed235f oraculum: Quote false 2021-01-22 15:24:16 +01:00
František Zatloukal
8be44693c0 oraculum: env False with lowercase "f" 2021-01-22 15:22:33 +01:00
Pavel Raiskup
f025f0cc31 copr-be-dev: last missing part for ipv6?
The socket config ":80" caused that ipv6 for some reason didn't work.

I could just fix it just by "0.0.0.0:80" - but the overall rule wasn't
useful (the only redirect there wasn't working).  So I dropped the
overall socket construct, and lighttpd starts working on both IPv4 and
IPv6.

Follow up for 619a163447
2021-01-22 15:13:26 +01:00
František Zatloukal
29a38663e5 oraculum: Different url for redis 2021-01-22 15:08:29 +01:00
František Zatloukal
7409a20ac4 oraculum: Drop strategy for redis pod 2021-01-22 15:07:26 +01:00
František Zatloukal
94dd02fa8c oraculum: Drop usage of OIDC_CLIENT_SECRETS 2021-01-22 14:57:53 +01:00
František Zatloukal
21d9e4e6c2 oraculum: Secrets 2021-01-22 14:40:30 +01:00
Pierre-Yves Chibon
3392b0d8d7 oraculum: rename the folder in roles/openshift-apps
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2021-01-22 14:25:49 +01:00
Pierre-Yves Chibon
accafc1807 oraculum: be consistent on the app name used in the playbook
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2021-01-22 14:23:49 +01:00
František Zatloukal
58fa2e99cc packager-dashboard: Initial OpenShift work 2021-01-22 14:10:56 +01:00
Michal Konečný
e04145c5a6 release-monitoring: Change the error threshold
The previous error threshold seems to be too low, approximately 100
hours before the project is deleted if there is no mapping to downstream
and every check fails. Let's raise this up to 1000 retries, to give more
time to fix.

Signed-off-by: Michal Konečný <mkonecny@redhat.com>
2021-01-22 11:50:00 +01:00
Patrick Uiterwijk
bb829c914e zezere: Use ubi8-python38
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2021-01-22 10:06:57 +01:00
Patrick Uiterwijk
51f732c592 Zezere is now main branch
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2021-01-22 09:59:54 +01:00
Patrick Uiterwijk
18a8895cc0 zezere: add production build
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2021-01-22 09:56:20 +01:00