Infrastructure/infra-docs-fpo
1
0
Fork 0
Code Issues 100 Pull requests 6 Projects Releases Packages Wiki Activity Actions

Incorporate Kevins comments and remove obsolete guides

Browse source
This commit is contained in:
Adam Saleh 2021-08-06 14:09:17 +00:00
parent 7b5a1b27d5
commit e918914bcf
26 changed files with 21 additions and 2745 deletions
Download patch file Download diff file Expand all files Collapse all files

25
modules/sysadmin_guide/nav.adoc
View file

@ -1,3 +1,4 @@
* xref:orientation.adoc[Orientation for Sysadmin Guide]
* xref:index.adoc[Sysadmin Guide]
** xref:2-factor.adoc[Two factor auth]
** xref:accountdeletion.adoc[Account Deletion SOP]
@ -6,27 +7,19 @@
** xref:apps-fp-o.adoc[apps-fp-o - SOP in review ]
** xref:archive-old-fedora.adoc[archive-old-fedora - SOP in review ]
** xref:arm.adoc[arm - SOP in review ]
** xref:askbot.adoc[askbot - SOP in review ]
** xref:aws-access.adoc[aws-access - SOP in review ]
** xref:basset.adoc[basset - SOP in review ]
** xref:bastion-hosts-info.adoc[bastion-hosts-info - SOP in review ]
** xref:bladecenter.adoc[bladecenter - SOP in review ]
** xref:blockerbugs.adoc[blockerbugs - SOP in review ]
** xref:bodhi.adoc[bodhi - SOP in review ]
** xref:bugzilla2fedmsg.adoc[bugzilla2fedmsg - SOP in review ]
** xref:bugzilla.adoc[bugzilla - SOP in review ]
** xref:cloud.adoc[cloud - SOP in review ]
** xref:collectd.adoc[collectd - SOP in review ]
** xref:communishift.adoc[communishift - SOP in review ]
** xref:compose-tracker.adoc[compose-tracker - SOP in review ]
** xref:contenthosting.adoc[contenthosting - SOP in review ]
** xref:copr.adoc[copr - SOP in review ]
** xref:cyclades.adoc[cyclades - SOP in review ]
** xref:darkserver.adoc[darkserver - SOP in review ]
** xref:database.adoc[database - SOP in review ]
** xref:datanommer.adoc[datanommer - SOP in review ]
** xref:debuginfod.adoc[debuginfod - SOP in review ]
** xref:denyhosts.adoc[denyhosts - SOP in review ]
** xref:departing-admin.adoc[departing-admin - SOP in review ]
** xref:dns.adoc[dns - SOP in review ]
** xref:docs.fedoraproject.org.adoc[docs.fedoraproject.org - SOP in review ]
@ -40,38 +33,27 @@
** xref:fedmsg-relay.adoc[fedmsg-relay - SOP in review ]
** xref:fedmsg-websocket.adoc[fedmsg-websocket - SOP in review ]
** xref:fedocal.adoc[fedocal - SOP in review ]
** xref:fedorapackages.adoc[fedorapackages - SOP in review ]
** xref:fedorapastebin.adoc[fedorapastebin - SOP in review ]
** xref:fedora-releases.adoc[fedora-releases - SOP in review ]
** xref:fedorawebsites.adoc[fedorawebsites - SOP in review ]
** xref:fmn.adoc[fmn - SOP in review ]
** xref:fpdc.adoc[fpdc - SOP in review ]
** xref:freemedia.adoc[freemedia - SOP in review ]
** xref:freenode-irc-channel.adoc[freenode-irc-channel - SOP in review ]
** xref:freshmaker.adoc[freshmaker - SOP in review ]
** xref:gather-easyfix.adoc[gather-easyfix - SOP in review ]
** xref:gdpr_delete.adoc[gdpr_delete - SOP in review ]
** xref:gdpr_sar.adoc[gdpr_sar - SOP in review ]
** xref:geoip-city-wsgi.adoc[geoip-city-wsgi - SOP in review ]
** xref:github2fedmsg.adoc[github2fedmsg - SOP in review ]
** xref:github.adoc[github - SOP in review ]
** xref:gitweb.adoc[gitweb - SOP in review ]
** xref:greenwave.adoc[greenwave - SOP in review ]
** xref:guestdisk.adoc[guestdisk - SOP in review ]
** xref:guestedit.adoc[guestedit - SOP in review ]
** xref:haproxy.adoc[haproxy - SOP in review ]
** xref:hosted_git_to_svn.adoc[hosted_git_to_svn - SOP in review ]
** xref:hotfix.adoc[hotfix - SOP in review ]
** xref:hotness.adoc[hotness - SOP in review ]
** xref:hubs.adoc[hubs - SOP in review ]
** xref:ibm_rsa_ii.adoc[ibm_rsa_ii - SOP in review ]
** xref:index.adoc[index - SOP in review ]
** xref:infra-git-repo.adoc[infra-git-repo - SOP in review ]
** xref:infra-hostrename.adoc[infra-hostrename - SOP in review ]
** xref:infra-raidmismatch.adoc[infra-raidmismatch - SOP in review ]
** xref:infra-repo.adoc[infra-repo - SOP in review ]
** xref:infra-retiremachine.adoc[infra-retiremachine - SOP in review ]
** xref:infra-yubikey.adoc[infra-yubikey - SOP in review ]
** xref:ipsilon.adoc[ipsilon - SOP in review ]
** xref:iscsi.adoc[iscsi - SOP in review ]
** xref:jenkins-fedmsg.adoc[jenkins-fedmsg - SOP in review ]
@ -83,8 +65,6 @@
** xref:koschei.adoc[koschei - SOP in review ]
** xref:layered-image-buildsys.adoc[layered-image-buildsys - SOP in review ]
** xref:librariesio2fedmsg.adoc[librariesio2fedmsg - SOP in review ]
** xref:linktracking.adoc[linktracking - SOP in review ]
** xref:loopabull.adoc[loopabull - SOP in review ]
** xref:mailman.adoc[mailman - SOP in review ]
** xref:making-ssl-certificates.adoc[making-ssl-certificates - SOP in review ]
** xref:massupgrade.adoc[massupgrade - SOP in review ]
@ -105,7 +85,6 @@
** xref:openqa.adoc[openqa - SOP in review ]
** xref:openshift.adoc[openshift - SOP in review ]
** xref:openvpn.adoc[openvpn - SOP in review ]
** xref:orientation.adoc[orientation - SOP in review ]
** xref:outage.adoc[outage - SOP in review ]
** xref:packagedatabase.adoc[packagedatabase - SOP in review ]
** xref:packagereview.adoc[packagereview - SOP in review ]
@ -113,7 +92,6 @@
** xref:pdc.adoc[pdc - SOP in review ]
** xref:pesign-upgrade.adoc[pesign-upgrade - SOP in review ]
** xref:planetsubgroup.adoc[planetsubgroup - SOP in review ]
** xref:privatefedorahosted.adoc[privatefedorahosted - SOP in review ]
** xref:publictest-dev-stg-production.adoc[publictest-dev-stg-production - SOP in review ]
** xref:rabbitmq.adoc[rabbitmq - SOP in review ]
** xref:rdiff-backup.adoc[rdiff-backup - SOP in review ]
@ -121,7 +99,6 @@
** xref:requestforresources.adoc[requestforresources - SOP in review ]
** xref:resultsdb.adoc[resultsdb - SOP in review ]
** xref:retrace.adoc[retrace - SOP in review ]
** xref:reviewboard.adoc[reviewboard - SOP in review ]
** xref:scmadmin.adoc[scmadmin - SOP in review ]
** xref:selinux.adoc[selinux - SOP in review ]
** xref:sigul-upgrade.adoc[sigul-upgrade - SOP in review ]

22
modules/sysadmin_guide/pages/accountdeletion.adoc
View file

@ -16,18 +16,18 @@ ____
== Contents
* Disabling
** Disable Accounts
** Disable Groups
* User Requested disables
* Renames
** Rename Accounts
** Rename Groups
* Deletion
** Delete Accounts
** Delete Groups
* <<_disabling>>
** <<_disable_accounts>>
** <<_disable_groups>>
* <<_user_requested_disables>>
* <<_renames>>
** <<_rename_accounts>>
** <<_rename_groups>>
* <<_deletion>>
** <<_delete_accounts>>
** <<_delete_groups>>
=== Disable
=== Disabling
Disabling accounts is the easiest to accomplish as it just blocks people
from using their account. It does not remove the account name and

359
modules/sysadmin_guide/pages/askbot.adoc
View file

@ -1,359 +0,0 @@
= Ask Fedora SOP
To set up https://ask.fedoraproject.org based on Askbot as a question
and answer support forum for the Fedora community. A production instance
could be seen at https://ask.fedoraproject.org and the staging instance
is at http://ask.stg.fedoraproject.org/
This page describes how to set up and customize it from scratch.
== Contents
[arabic]
. Contact Information
. Creating database
. Setting up the forum
. Adding administrators
. Change settings within the forum
. Database tweaks
. Debugging
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin
Persons::
anyone from the sysadmin team
Sponsor::
nirik
Location::
phx2
Servers::
ask01 , ask01.stg
Purpose::
To host Ask Fedora
== Creating database
We use the postgresql database backend. To add the database to a
postgresql server:
....
# psql -U postgres
postgres# create user askfedora with password 'xxx';
postgres# create database askfedora;
postgres# ALTER DATABASE askfedora owner to askfedora;
postgres# \q;
....
Now setup the db tables if this is a new install:
....
python manage.py syncdb
python manage.py migrate askbot
python manage.py migrate django_authopenid #embedded login application
....
== Setting up the forum
Askbot is packaged and available in Rawhide, Fedora 16 and EPEL 6. On a
RHEL 6 system, you need to install EPEL 6 repo first.:
....
# yum install askbot
....
The /etc/askbot/sites/ask/conf/settings.py file should look something
like:
....
DATABASE_ENGINE = 'postgresql_psycopg2'
DATABASE_NAME = 'testaskbot'
DATABASE_USER = 'askbot'
DATABASE_PASSWORD = 'xxxxx'
DATABASE_HOST = '127.0.0.1'
DATABASE_PORT = '5432'
# Outgoing mail server settings
#
DEFAULT_FROM_EMAIL = 'askfedora@fedoraproject.org'
EMAIL_SUBJECT_PREFIX = '[Askfedora]'
EMAIL_HOST='127.0.0.1'
EMAIL_PORT='25'
# This variable points to the Askbot plugin which will be used for user
# authentication. Not enabled yet because we don't need FAS auth but use
# Fedora id as a openid provider.
#
# ASKBOT_CUSTOM_AUTH_MODULE = 'authfas'
Now Ask Fedora website should be accessible from the browser.
....
== Adding administrators
As of Askbot version 0.7.21, the first user who logs in automatically
becomes the administrator. In previous versions, you have to do the
following.:
....
# cd /etc/askbot/sites/ask/conf/
# python manage.py add_admin 1
Do you really wish to make user (id=1, name=pjp) a site administrator?
yes/no: yes
....
Once a user is marked as a administrator, he or she can go into anyone's
profile, go the "moderation" tab in the end and mark them as
administrator or moderator as well as block or suspend a user.
== Change settings within the forum
* {blank}
+
Data entry and display:::
** Disable "Allow asking questions anonymously"
** Enable "Force lowercase the tags"
** Change "Format of tag list" to "cloud"
** Change "Minimum length of search term for Ajax search" to "3"
** Change "Number of questions to list by default" to "50"
** Change "What should "unanswered question" mean?" to "Question has
no
** answers"
* {blank}
+
Email and email alert settings::
** Change "Default news notification frequency" to "Instantly"
* {blank}
+
Flatpages - about, privacy policy, etc.::
Change "Text of the Q&A forum About page (html format)" to the
following:
+
....
Ask Fedora provides a community edited knowledge base and support forum
for the Fedora community. Make sure you read the FAQ and search for
existing questions before asking yours. If you want to provide feedback,
just a question in this site! Tag your questions "meta" to highlight your
questions to the administrators of Ask Fedora.
....
* {blank}
+
Login provider settings::
** Disable "Activate local login"
* {blank}
+
Q&A forum website parameters and urls::
** {blank}
+
Change "Site title for the Q&A forum" to "Ask Fedora: Community
Knowledge;;
Base and Support Forum"
** {blank}
+
Change "Comma separated list of Q&A site keywords" to "Ask Fedora,
forum,;;
community, support, help"
** {blank}
+
Change "Copyright message to show in the footer" to "All content is
under;;
Creative Commons Attribution Share Alike License. Ask Fedora is
community maintained and Red Hat or Fedora Project is not
responsible for content"
** {blank}
+
Change "Site description for the search engines" to "Ask Fedora:
Community;;
Knowledge Base and Support Forum"
** Change "Short name for your Q&A forum" to "Ask Fedora"
** {blank}
+
Change "Base URL for your Q&A forum, must start with http or https"
to;;
"http://ask.fedoraproject.org"
* {blank}
+
Sidebar widget settings - main page::
** Disable "Show avatar block in sidebar"
** Disable "Show tag selector in sidebar"
* Skin and User Interface settings
** Upload "Q&A site logo"
** Upload "Site favicon". Must be a ICO format file because that is the
only one IE supports as a fav icon.
** Enable "Apply custom style sheet (CSS)"
** Upload the following custom CSS:
+
....
#ab-main-nav a {
color: #333333;
background-color: #d8dfeb;
border: 1px solid #888888;
border-bottom: none;
padding: 0px 12px 3px 12px;
height: 25px;
line-height: 30px;
margin-right: 10px;
font-size: 18px;
font-weight: 100;
text-decoration: none;
display: block;
float: left;
}
#ab-main-nav a.on {
height: 24px;
line-height: 28px;
border-bottom: 1px solid #0a57a4;
border-right: 1px solid #0a57a4;
border-top: 1px solid #0a57a4;
border-left: 1px solid #0a57a4; /*background:#A31E39; */
background: #0a57a4;
color: #FFF;
font-weight: 800;
text-decoration: none
}
#ab-main-nav a.special {
font-size: 18px;
color: #072b61;
font-weight: bold;
text-decoration: none;
}
/* tabs stuff */
.tabsA { float: right; }
.tabsC { float: left; }
.tabsA a.on, .tabsC a.on, .tabsA a:hover, .tabsC a:hover {
background: #fff;
color: #072b61;
border-top: 1px solid #babdb6;
border-left: 1px solid #babdb6;
border-right: 1px solid #888a85;
border-bottom: 1px solid #888a85;
height: 24px;
line-height: 26px;
margin-top: 3px;
}
.tabsA a.rev.on, tabsA a.rev.on:hover {
padding: 0px 2px 0px 7px;
}
.tabsA a, .tabsC a{
background: #f9f7eb;
border-top: 1px solid #eeeeec;
border-left: 1px solid #eeeeec;
border-right: 1px solid #a9aca5;
border-bottom: 1px solid #888a85;
color: #888a85;
display: block;
float: left;
height: 20px;
line-height: 22px;
margin: 5px 0 0 4px;
padding: 0 7px;
text-decoration: none;
}
.tabsA .label, .tabsC .label {
float: left;
font-weight: bold;
color: #777;
margin: 8px 0 0 0px;
}
.tabsB a {
background: #eee;
border: 1px solid #eee;
color: #777;
display: block;
float: left;
height: 22px;
line-height: 28px;
margin: 5px 0px 0 4px;
padding: 0 11px 0 11px;
text-decoration: none;
}
a {
color: #072b61;
text-decoration: none;
cursor: pointer;
}
div.side-box
{
width:200px;
padding:10px;
border:3px solid #CCCCCC;
margin:0px;
background: -moz-linear-gradient(top, #DDDDDD, #FFFFFF);
}
....
== Database tweaks
To automatically delete expired sessions, we run a trigger that makes
PostgreSQL delete them upon inserting a new one.
The code used to create this trigger was:
....
askfedora=# CREATE FUNCTION delete_old_sessions() RETURNS trigger
askfedora-# LANGUAGE plpgsql
askfedora-# AS $$
askfedora$# BEGIN
askfedora$# DELETE FROM django_session WHERE expire_date<current_timestamp;
askfedora$# RETURN NEW;
askfedora$# END
askfedora$# $$;
CREATE FUNCTION
askfedora=# CREATE TRIGGER old_sessions_gc
askfedora-# AFTER INSERT ON django_session
askfedora-# EXECUTE PROCEDURE delete_old_sessions();
....
In case this trigger causes any problems, please remove it by running:
`DROP TRIGGER old_sessions_gc;`
To make this perform, we have a custom index that's not in upstream
askbot, please remember to add that when recreating the trigger:
....
CREATE INDEX CONCURRENTLY django_session_expire_date ON django_session (expire_date);
....
If you deleted the trigger, or reinstalled without trigger, please make
sure to run `manage.py clean_sessions` regularly, so you don't end up
with a database that's too massive in size.
== Debugging
Set DEBUG to True in settings.py file and restart Apache.
== Auth issues
Users can login to ask with a variety of social media accounts. Once
they login with one they can attach other ones as well.
If a user forgets what social media they used, you can look in the
database:
Login to database host (db01.phx2.fedoraproject.org) # sudo -u postgres
psql askfedora psql> select * from django_authopenid_userassociation
where user_id like '%username%';
If they can login again with the same auth, ask them to do so. If not,
you can add the fedora account system openid auth to allow them to login
with that:
psql> insert into django_authopenid_userassociation (user_id,
openid_url,provider_name) VALUES (2595,
'http://name.id.fedoraproject.org', 'fedoraproject');
Use the ID from the previous query and replace name with the users fas
name.

118
modules/sysadmin_guide/pages/basset.adoc
View file

@ -1,118 +0,0 @@
= Basset anti-spam service
Since the Fedora Project has come under targeted spam attacks, we have
decided to create a service that all our applications can hook into to
have a central repository for anti-spam procedures. Basset is this
service, and it's hosted on https://pagure.io/basset.
== Contents
[arabic]
. Contact Information
. Overview
. FAS
. Trac
. Wiki
. Setup
. Outage
== Contact Information
Owner::
Patrick Uiterwijk (puiterwijk)
Contact::
#fedora-admin, #fedora-apps, #fedora-noc, sysadmin-main
Location::
basset01
Purpose::
Centralized anti-spam
== Overview
Basset is a central anti-spam service: it received messages from
services that certain actions happened, and will then decide to accept
or deny the request, or pass it on to an administrator.
At the moment, we have the following modules live: FAS, trac, wiki.
== FAS
This module receives notifications from FAS about new users
registrations and new users signing the FPCA. With Basset enabled, FAS
will not automatically accept a new user registration or a FPCA signing,
but instead let Basset know a user tried to perform these actions and
then depend on Basset to enact this.
In the case of registration this is done by setting the user to a
spamcheck_awaiting status. As soon as Basset made a decision, it will
set the user to spamcheck_manual, spamcheck_denied or active. If it sets
the user to active, it will also send the welcome email to the user. If
it made a wrong decision, and the user is set as spamcheck_manual or
spamcheck_denied, a member of the accounts team can go to that users'
page and click the "Enable" button to override the decision. If this
needed to be done, please notify puiterwijk so that the rules Basset
uses can be updated.
For the case of the FPCA, FAS will request the cla_fpca group
membership, but not sponsor the user. At the moment that Basset decides
it accepts the request, it will sponsor the user into the group. If it
declined the FPCA request, it will remove the user from the group. To
override this decision, a member of the accounts group can go to FAS and
manually add the user to the cla_fpca group and sponsor them into it.
== Trac
For Trac, if a post gets denied, the content item gets deleted, the Trac
account gets blocked cross-instance and the FAS account gets blocked.
To unblock the user, log in to hosted03, and remove
/srv/web/trac/blocks/$username. For info on how to unblock the FAS user,
see the notes under FAS.
== Wiki
For Wiki, if an edit gets denied, the page gets deleted, the wiki
account blocked and the FAS account gets blocked.
For the wiki parts of undoing this, follow the regular mediawiki unblock
procedures using:::
* https://fedoraproject.org/wiki/Special:BlockList to check if an user
is blocked or not
* https://fedoraproject.org/wiki/Special:Unblock to unblock that user
Don't forget to unblock the account as in FAS.
== Setup
At this moment, Basset runs on a single server (basset01(.stg)), and
runs the frontend, message broker and worker all on a single server. For
all of it to work, the following services are used: - httpd (frontend) -
rabbitmq-server (broker) - mongod (mongo database server for storage of
internal info) - basset-worker (worker)
== Outage
The consequences of certain services not being up results in various
conditions:
If the httpd or frontend aren't up, no new messages will come in. FAS
will set the user to spamcheck_awaiting, but not submit it to Basset.
Work is in progress on a script to submit such entries to the queue
after Basset frontend is back. However, since this part of the code is
so small, this is not likely to be the part that's down. (You can know
that it is because the FAS logs will log an error instead of "result:
checking".)
If the worker or the mongo server are down, no messages will be
processed, but all messages queued up will be processed the moment both
of the services start again: as long as a message makes it into the
queue, it will be processed until completion.
If the worker encounters an error during processing of a message, it
will dump a tracedump into the journal log file, and stop processing any
messages. Resolve the condition reported in the error and restart the
basset-worker service, and all work will be continued, starting with the
message it was processing when it errored out.
This means that as long as the message is queued, the worker will pick
it up and handle it.

52
modules/sysadmin_guide/pages/bladecenter.adoc
View file

@ -1,52 +0,0 @@
= BladeCenter Access Infrastructure SOP
Many of the builders in PHX are blades in a blade center. A few other
machines are also on blades.
== Contents
[arabic]
. Contact Information
. Common Tasks
____
[arabic]
. Logging into the web interface
. Using the Serial Console of Blades
____
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin, sysadmin-main
Location::
PHX
Purpose::
Contains blades used for buildsystems, etc
== Common Tasks
=== Logging into the web interface
The web interface to the bladecenters let you reset power, etc. They are
bc01-mgmt and bc02-mgmt.
=== Using the Serial Console of Blades
All of the blades are set up with a serial console over lan (SOL). To
use this, ssh into the bladecenter. You can then pick your system and
bring up a console with:
....
env -T system:blade[x]
console -o
....
where x is the blade number (can be determined from web interface, etc)
To leave the console session, press Esc (
For more details on BladeCenter SOL, see
http://www-304.ibm.com/systems/support/supportsite.wss/docdisplay?brandind=5000008&lndocid=MIGR-54666

169
modules/sysadmin_guide/pages/cloud.adoc
View file

@ -1,169 +0,0 @@
= Fedora OpenStack
== Quick Start
Controller:
....
sudo rbac-playbook hosts/fed-cloud09.cloud.fedoraproject.org.yml
....
Compute nodes:
....
sudo rbac-playbook groups/openstack-compute-nodes.yml
....
== Description
If you need to install OpenStack install, either make sure the machine
is clean. Or use `ansible.git/files/fedora-cloud/uninstall.sh` script to
brute force wipe off.
[NOTE]
.Note
====
by default, the script does not wipe LVM group with VM, you have to
clean them manually. There is commented line in that script.
====
On fed-cloud09, remove the file
`/etc/packstack_sucessfully_finished` to enforce run of packstack and
few other commands.
After that wipe, you have to:
....
ifdown eth1
configure eth1 to become normal Ethernet with ip
yum install openstack-neutron-openvswitch
/usr/bin/systemctl restart neutron-ovs-cleanup
ifup eth1
....
Additionally when reprovision OpenStack, all volumes on DellEqualogic
are preserved and you have to manually remove them (or remove them from
OS before it is reprovision). SSH to DellEqualogic (credentials are at
the bottom of `/etc/cinder/cinder.conf`) and run:
....
show (to get list of volumes)
volume select <volume_name> offline
volume delete <volume_name>
....
Before installing make sure:
____
* make sure rdo repo is enabled
* `yum install openstack-packstack openstack-packstack-puppet openstack-puppet-modules`
* {blank}
+
`vim /usr/lib/python2.7/site-packages/packstack/plugins/dashboard_500.py`::
and missing parentheses:
+
....
``host_resources.append((ssl_key, 'ssl_ps_server.key'))``
....
____
Now you can run playbook:
....
sudo rbac-playbook hosts/fed-cloud09.cloud.fedoraproject.org.yml
....
If you run it after wipe (i.e. db has been reset), you have to:
____
* import ssh keys of users (only possible via webUI - RHBZ 1128233
* reset user passwords
____
== Compute nodes
Compute node is much easier and is written as role. Use:
....
vars_files:
- ... SNIP
- /srv/web/infra/ansible/vars/fedora-cloud.yml
- "{{ private }}/files/openstack/passwords.yml"
roles:
... SNIP
- cloud_compute
....
Define a host variable in `inventory/host_vars/FQDN.yml`:
....
compute_private_ip: 172.23.0.10
....
You should also add IP to `vars/fedora-cloud.yml`
And when adding new compute node, please update
`files/fedora-cloud/hosts`
[IMPORTANT]
.Important
====
When reinstalling make sure you removed all members on Dell Equalogic
(credentials are in /etc/cinder/cinder.conf on compute node) otherwise
the space will be blocked!!!
====
== Updates
Our openstack cloud should have updates applied and reboots when the
rest of our servers are updated and rebooted. This will cause an outage,
please make sure to schedule it.
[arabic]
. Stop copr-backend process on copr-be.cloud.fedoraproject.org
. Kill all copr-builder instances.
. Kill all transient/scratch instances.
. Update all instances we control. copr, persistent, infrastructure, qa
etc.
. Shutdown all instances
. Update and reboot fed-cloud09
. Update and reboot all compute nodes
. Start up all instances that are shutdown in step 5.
TODO: add commands for above as we know them.
== Troubleshooting
* {blank}
+
could not connect to VM? - check your security group, default SG does
not::
allow any connection.
* packstack end up with error, it is likely race condition in puppet -
BZ 1135529. Just run it again.
* {blank}
+
ERROR : append() takes exactly one argument (2 given::
`vi /usr/lib/python2.7/site-packages/packstack/plugins/dashboard_500.py`
and add one more surrounding ()
* {blank}
+
Local ip for ovs agent must be set when tunneling is enabled::
restart fed-cloud09 or: ssh to fed-cloud09; ifdown eth1; ifup eth1;
ifup br-ex
* {blank}
+
mongodb problem? follow::
https://ask.openstack.org/en/question/54015/mongodbpp-error-when-installing-rdo-on-centos-7/?answer=54076#post-id-54076
* `WARNING:keystoneclient.httpclient:Failed to retrieve management_url from token`:
+
....
keystone --os-token $ADMIN_TOKEN --os-endpoint \
https://fedorainfracloud.org:35357/v2.0/ endpoint-create --region 'RegionOne' \
--service 91358b81b1aa40d998b3a28d0cfc86e7 --region 'RegionOne' --publicurl \
'https://fedorainfracloud.org:5000/v2.0' --adminurl 'http://172.24.0.9:35357/v2.0' \
--internalurl 'http://172.24.0.9:5000/v2.0'
....
== Fedora Classroom about our instance
http://meetbot.fedoraproject.org/fedora-classroom/2015-05-11/fedora-classroom.2015-05-11-15.02.log.html

76
modules/sysadmin_guide/pages/communishift.adoc
View file

@ -1,76 +0,0 @@
= Communishift SOP
Communishift is an OpenShift deployment hosted and maintained by Fedora
Infrastructure that is available to the community to host applications.
Fedora Infrastructure does not maintain the applications in Communishift
and is only responsible for the OpenShift deployment itself.
Production instance:
https://console-openshift-console.apps.os.fedorainfracloud.org/
Contents
== Contact information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin
Persons::
nirik
Location::
Phoenix
Servers::
* os-node01.fedorainfracloud.org
* os-node02.fedorainfracloud.org
* os-node03.fedorainfracloud.org
* os-node04.fedorainfracloud.org
* os-node05.fedorainfracloud.org
* os-node06.fedorainfracloud.org
* os-node07.fedorainfracloud.org
* os-node08.fedorainfracloud.org
* os-node09.fedorainfracloud.org
* os-node10.fedorainfracloud.org
* os-node11.fedorainfracloud.org
* virthost-os01.fedorainfracloud.org
* virthost-os02.fedorainfracloud.org
* virthost-os03.fedorainfracloud.org
* virthost-aarch64-os01.fedorainfracloud.org
* virthost-aarch64-os02.fedorainfracloud.org
Purpose::
Allow community members to host services for the Fedora Project.
== Onboarding new users
To allow new users to create projects in Communishift, begin by adding
them to the `communishift` FAS group.
At the time of this writing, there is no automation to sync users from
the `communishift` FAS group to OpenShift, so you will need to log in to
the Communishift instance and grant that user permissions to create
projects. For example, to grant `bowlofeggs` permissions, you would do
this:
....
$ oc adm policy add-cluster-role-to-user self-provisioner bowlofeggs
$ oc create clusterquota for-bowlofeggs --project-annotation-selector openshift.io/requester=bowlofeggs --hard pods=10 --hard persistentvolumeclaims=5
....
This will grant bowlofeggs the ability to provision up to 10 pods and 5
volumes.
== KVM access
We allow applications access to the kvm device so they can run emulation
faster. Anytime the cluster is re-installed, run:
!/bin/bash set -eux if ! oc get --namespace=default ds/device-plugin-kvm
&>/dev/null; then oc create --namespace=default -f
https://raw.githubusercontent.com/kubevirt/kubernetes-device-plugins/master/manifests/kvm-ds.yml
fi
See the
https://github.com/kubevirt/kubernetes-device-plugins/blob/master/docs/README.kvm.md[upstream
docs] as well as the
https://pagure.io/fedora-infrastructure/issue/8208[original request] for
this.

31
modules/sysadmin_guide/pages/cyclades.adoc
View file

@ -1,31 +0,0 @@
= Cyclades
cyclades notes
[arabic]
. login as root - default password is tslinux
. {blank}
+
change password for root and admin to our password from the::
phx2-access.txt file in the private repo
. {blank}
+
port forward to the web browser for the cyclades::
`ssh -L 8080:rack47-serial.phx2.fedoraproject.org:80`
. connect to localhost:8080 in your web browser
. login with root and the password you set above
. click on 'security'
. click on 'moderate'
. {blank}
+
logout, port forward port 443 as above:::
`ssh -L 8080:rack47-serial.phx2.fedoraproject.org:443`
. click on the 'wizard' button at lower left
. proceed through the wizard Info needed:
* serial ports are set to 115200 8N1 by default
* do not setup buffering
* give it the ip of our syslog server
. click 'apply changes'
. hope
. log back in
. name/setup the port aliases

108
modules/sysadmin_guide/pages/darkserver.adoc
View file

@ -1,108 +0,0 @@
= Darkserver SOP
To setup a http://darkserver.fedoraproject.org based on Darkserver
project to provide GNU_BUILD_ID information for packages. A devel
instance can be seen at http://darkserver01.dev.fedoraproject.org and
staging instance is http://darkserver01.stg.phx2.fedoraproject.org/.
This page describes how to set up the server.
== Contents
[arabic]
. Contact Information
. Installing the server
. Setting up the database
. SELinux Configuration
. Koji plugin setup
. Debugging
== Contact Information
Owner:::
Fedora Infrastructure Team
Contact:::
#fedora-admin
Persons:::
kushal mether
Sponsor:::
nirik
Location:::
phx2
Servers:::
darkserver01 , darkserver01.stg, darkserver01.dev
Purpose:::
To host Darkserver
== Installing the Server
....
root@localhost# yum install darkserver
....
== Setting up the database
We are using MySQL as database. We will need two users, one for
koji-plugin and one for darkserver.:
....
root@localhost# mysql -u root
mysql> CREATE DATABASE darkserver;
mysql> GRANT INSERT ON darkserver.* TO kojiplugin@'koji-hub-ip' IDENTIFIED BY 'XXX';
mysql> GRANT SELECT ON darkserver.* TO dark@'darkserver-ip' IDENTIFIED BY 'XXX';
....
Setup this db configuration in the conf file under
`/etc/darkserver/darkserverweb.conf`:
....
[darkserverweb]
host=db host name
user=dark
password=XXX
database=darkserver
....
Now setup the db tables if it is a new install.
(For this you may need to `'GRANT * ON darkserver.*'` to the web user,
and then `'REVOKE * ON darkserver.*'` after running.)
....
root@localhost# python /usr/lib/python2.6/site-packages/darkserverweb/manage.py syncdb
....
== SELinux Configuration
Do the follow to allow the webserver to connect to the database.:
....
root@localhost# setsebool -P httpd_can_network_connect_db 1
....
== Setting up the Koji plugin
Install the package.:
....
root@localhost# yum install darkserver-kojiplugin
....
Then fill up the configuration file under
`/etc/koji-hub/plugins/darkserver.conf`:
....
[darkserver]
host=db host name
user=kojiplugin
password=XXX
database=darkserver
port=3306
....
Then enable the plugin in the koji hub configuration.
== Debugging
Set DEBUG to True in `/etc/darkserver/settings.py` file and restart
Apache.

52
modules/sysadmin_guide/pages/denyhosts.adoc
View file

@ -1,52 +0,0 @@
= Denyhosts Infrastructure SOP
Denyhosts provides a protection against brute force attacks.
== Contents
[arabic]
. Contact Information
. Description
. Troubleshooting and Resolution
____
[arabic]
. Connection issues
____
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin, sysadmin-main group
Location::
Anywhere
Servers::
All
Purpose::
Denyhosts provides a protection against brute force attacks.
== Description
All of our servers now implement denyhosts to protect against brute
force attacks. Very few boxes should be in the 'allowed' list.
Especially internally.
== Troubleshooting and Resolution
=== Connection issues
The most common issue will be legitimate logins failing. First, try to
figure out why a host ended up on the deny list (tcptraceroute, failed
login attempts, etc are all good candidates). Next do the following
directions. The below example is for a host (10.0.0.1) being banned.
Login to the box from a different host and as root do the following.:
....
cd /var/lib/denyhosts
sed -si '/10.0.0.1/d' * /etc/hosts.deny
/etc/init.d/denyhosts restart
....
That should correct the problem.

108
modules/sysadmin_guide/pages/fedorapackages.adoc
View file

@ -1,108 +0,0 @@
= Fedora Packages SOP
This SOP is for the Fedora Packages web application.
https://apps.fedoraproject.org/packages
== Contents
[arabic]
. Contact Information
. Deploying to the servers
. Maintenance
. Checking for AGPL violations
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin, #fedora-apps
Persons::
cverna
Location::
PHX2
Servers::
packages03.phx2.fedoraproject.org packages04.phx2.fedoraproject.org
packages03.stg.phx2.fedoraproject.org
Purpose::
Web interface for searching packages information
== Deploying to the servers
=== Deploying
Once the new version is built, it needs to be deployed. To deploy the
new version, you need
https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/sshaccess.html[ssh
access] to batcave01.phx2.fedoraproject.org and
https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/ansible.html[permissions
to run the Ansible playbook].
All the following commands should be run from batcave01.
You can check the upstream documentation, on how to build a new release.
This process results in a fedora-packages rpm available in the infra-tag
rpm repo.
You should make use of the staging instance in order to test the new
version of the application.
=== Upgrading
To upgrade, run the upgrade playbook:
....
$ sudo rbac-playbook manual/upgrade/packages.yml
....
This will upgrade the fedora-pacages package and restart the Apache web
server and fedmsg-hub service.
=== Rebuild the xapian Database
If you need to rebuild the xapian database then you can run the
following playbook:
....
$ sudo rbac-playbook manual/rebuild/fedora-packages.yml
....
== Maintenance
The web application is served by httpd and managed by the httpd
service.:
....
$ sudo systemctl restart httpd
....
can be used to restart the service if needed. The application log files
are available under [.title-ref]#/var/log/httpd/# directory.
The xapian database is updated by a fedmsg consumer. You can restart the
fedmsg-hub serivce if needed by using:
....
$ sudo systemctl restart fedmsg-hub
....
To check the consumer logs you can use:
....
$ sudo journalctl -u fedmsg-hub
....
== Checking for AGPL violations
To remain AGPL compliant, we must ensure that all modifications to the
code are made available in the SRPM that we link to in the footer of the
application. You can easily query our app servers to determine if any
AGPL violating code modifications have been made to the package.:
....
func-command --host="*app*" --host="community*" "rpm -V fedoracommunity"
....
You can safely ignore any changes to non-code files in the output. If
any violations are found, the Infrastructure Team should be notified
immediately.

82
modules/sysadmin_guide/pages/fedorapastebin.adoc
View file

@ -1,82 +0,0 @@
= Fedora Pastebin SOP
[arabic]
. Contact Information
. Introduction
. Installation
. Dashboard
. Add a word to censored list
== 1. Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin
Persons::
athmane herlo
Sponsor::
nirik
Location::
phx2
Servers::
paste01.stg, paste01.dev
Purpose::
To host Fedora Pastebin
== 2. Introduction
Fedora pastebin is powered by sticky-notes which is included in EPEL.
Fedora theming (skin) is included in ansible role.
== 3. Installation
Sticky-notes needs a MySQL db and a user with 'select, update, delete,
insert' privileges.
It's recommended to dump and import db from a working installation to
save time (skipping the installation and tweaking).
By default the installation is locked ie: you can't relaunch it.
However, you can unlock the installation by commenting the line
containing `$gsod->trigger` in `/etc/sticky-notes/install.php` then
pointing the web browser to '/install'
The configuration file containing general settings and DB credentials is
located in `/etc/sticky-notes/config.php`
== 4. Dashboard
Sticky-notes has a dashboard (URL: /admin/) that can be used to :
* {blank}
+
Manage pastes:::
** deleting paste
** getting information about the paste author (IP/Date/time etc...)
* Manage users (aka admins) which can log into the dashboard
* Manage IP Bans (add / delete banned IPs).
* Authentication (not needed)
* {blank}
+
Site configuration:::
** General configuration (included in config.php).
** Project Honey Pot configuration (not a FOSS service)
** Word censor configuration: a list of words to be censored in
pastes.
== 5. Add a word to censored list
If a word is in censored list, any paste containing that word will be
rejected, to add one, edit the variable '$sg_censor' in sticky-notes
configuration file.:
....
$sg_censor = "WORD1
WORD2
...
...
WORDn";
....

100
modules/sysadmin_guide/pages/fpdc.adoc
View file

@ -1,100 +0,0 @@
= FPDC SOP
Fedora Product Definition Center is a service that aims to replace
https://pdc.fedoraproject.org/[PDC] in Fedora. It is meant to be a
database with REST API access used to store data needed by other
services.
== Contact Information
Owner::
Infrastructure Team
Contact::
#fedora-apps, #fedora-admin
Persons::
cverna, abompard
Location::
Phoenix (Openshift)
Public addresses::
* fpdc.fedoraproject.org
* fpdc.stg.fedoraproject.org
Servers::
* os.fedoraproject.org
* os.stg.fedoraproject.org
Purpose::
Centralize metadata and facilitate access.
== Systems
FPDC is built using the DJANGO REST FRAMEWORK and uses a POSTGRESQL
database to store the metadata. The application is run on Openshift and
uses the Source-to-image technology to build the container directly from
the https://github.com/fedora-infra/fpdc[git repository].
In the staging and production environments, the application is
automatically rebuilt for every new commit in the [.title-ref]#staging#
or [.title-ref]#production# branch, this is achieved by configuring a
github webhook's to trigger an openshift deployment.
For example a new deployment to staging would look like that:
____
git clone git@github.com:fedora-infra/fpdc.git cd fpdc git checkout
staging git rebase master git push origin staging
____
The initial Openshift project deployment is manual and is done using the
following ansible playbook :
....
sudo rbac-playbook openshift-apps/fpdc.yml
....
This will create a new fpdc project in Openshift with all the needed
configuration.
== Logs
Logs can be retrive using the openshift command line:
....
$ oc login os-master01.phx2.fedoraproject.org
You must obtain an API token by visiting https://os.fedoraproject.org/oauth/token/request
$ oc login os-master01.phx2.fedoraproject.org --token=<Your token here>
$ oc -n fpdc get pods
fpdc-28-bfj52 1/1 Running 522 28d
$ oc logs fpdc-28-bfj52
....
== Database migrations
FPDC uses the [.title-ref]#recreate# deployment configuration of
openshift, which means that openshift will bring down the pods currently
running and recreate new ones with the new version of the application.
In the phase between the pods being down and the new pods being up, the
database migrations are run in an independent pod.
== Things that could go wrong
Hopefully not much. If something goes wrong is it currently advised to
kill the pods to trigger a fresh deployment. :
....
$ oc login os-master01.phx2.fedoraproject.org
You must obtain an API token by visiting https://os.fedoraproject.org/oauth/token/request
$ oc login os-master01.phx2.fedoraproject.org --token=<Your token here>
$ oc -n fpdc get pods
fpdc-28-bfj52 1/1 Running 522 28d
$ oc delete pod fpdc-28-bfj52
....
It is also possible to rollback to a previous version :
....
$ oc -n fpdc get dc
NAME REVISION DESIRED CURRENT TRIGGERED BY
fpdc 39 1 1 config,image(fpdc:latest)
$ oc -n fpdc rollback fpdc
....

261
modules/sysadmin_guide/pages/freemedia.adoc
View file

@ -1,261 +0,0 @@
= FreeMedia Infrastructure SOP
This page is for defining the SOP for Fedora FreeMedia Program. This
will cover the infrastructural things as well as procedural things.
== Contents
[arabic]
. Location of Resources
. Location on Ansible
. Opening of the form
. Closing of the Form
. Tentative timeline
. How to
____
[arabic]
. Open
. Close
____
____
[arabic, start=7]
. Handling of tickets
____
____
[arabic]
. Login
. Rejecting Invalid Tickets
. Accepting Valid Tickets
____
____
[arabic, start=8]
. Handling of non fulfilled requests
. How to handle membership applications
____
== Location of Resources
* The web form is at
https://fedoraproject.org/freemedia/FreeMedia-form.html
* The TRAC is at [63]https://fedorahosted.org/freemedia/report
== Location on ansible
$PWD = `roles/freemedia/files`
Freemedia form::
FreeMedia-form.html
Backup form::
FreeMedia-form.html.orig
Closed form::
FreeMedia-close.html
Backend processing script::
process.php
Error Document::
FreeMedia-error.html
== Opening of the form
The form will be opened on the First day of each month.
== Closing of the Form
=== Tentative timeline
The form will be closed after a couple of days. This may vary according
to the capacity.
== How to
* The form is available at `roles/freemedia/files/FreeMedia-form.html`
and `roles/freemedia/files//FreeMedia-form.html.orig`
* The closed form is at `roles/freemedia/files/FreeMedia-close.html`
=== Open
* Goto roles/freemedia/tasks
* Open `main.yml`
* Goto line 32.
* {blank}
+
To Open: Change the line to read::::
src="FreeMedia-form.html"
* After opening the form, go to trac and grant "Ticket Create and Ticket
View" privilege to "Anonymous".
=== Close
* Goto roles/freemedia/tasks
* Open main.yml
* Goto line 32.
* {blank}
+
To Close: Change the line to read::::
src="FreeMedia-close.html",
* {blank}
+
After closing the form, go to trac and remove "Ticket Create and::
Ticket View" privilege from "Anonymous".
[NOTE]
.Note
====
* Have to check about monthly cron. * Have to write about changing
init.pp for closing and opening
====
== Handling of tickets
=== Login
* {blank}
+
Contributors are requested to visit::
https://fedorahosted.org/freemedia/report
* Please login with your FAS account.
=== Rejecting Invalid Tickets
* If a ticket is invalid, don't accept the request. Go to "resolve as:"
and select "invalid" and then press "Submit Changes".
* A ticket is Invalid if
+
____
** No Valid email-id is provided.
** The region does not match the country.
** No Proper Address is given.
____
* If a ticket is duplicate, accept one copy, close the others as
duplicate Go to "resolve as:" and select "duplicate" and then press
"Submit Changes".
=== Accepting Valid Tickets
* If you wish to fulfill a request, please ensure it from the above
section, it is not liable to be discarded.
* Now "Accept" the ticket from the "Action" field at the bottom, and
press the "Submit Changes" button.
* These accepted tickets will be available from
https://fedorahosted.org/freemedia/report user both "My Tickets" and
"Accepted Tickets for XX" (XX= your region e.g APAC)
* When You ship the request, please go to the ticket again, go to
"resolve as:" from the "Action" field and select "Fixed" and then press
"Submit Changes".
* If an accepted ticket is not finalised by the end of the month, is
should be closed with "shipping status unknown" in a comment
=== Handling of non fulfilled requests
We shall close all the pending requests by the end of the Month.
* Please Check your region
=== How to handle membership applications
Steps to become member of Free-media Group.
[arabic]
. Create an account in Fedora Account System (FAS)
. {blank}
+
Create an user page in Fedora Wiki with contact data. Like::
User:<nick-name>. There are templates.
. Apply to Free-Media Group in FAS
. Apply to Free-Media mailing list subscription
==== Rules for deciding over membership applications
[cols=",,,,",]
|===
|Case |Applied to Free-Media Group |User Page Created |Applied to
Free-Media List a|
____
Action
____
|======= |================ |========== |===============
|=========================
|1 |Yes a|
____
Yes
____
|Yes |Approve Group and mailing list applications
a|
'''''
a|
'''''
a|
'''''
a|
'''''
|-------------------------Put on hold + Write to
|2 |Yes a|
____
Yes
____
|No |subscribe to list Within a Week
a|
'''''
a|
'''''
a|
'''''
a|
'''''
|-------------------------Put on hold + Write to
|3 |Yes a|
____
No
____
|whatever |make User Page Within a Week
|------- |---------------- |---------- |---------------
|-------------------------
|4 |No a|
____
No
____
|Yes |Reject
|===
[NOTE]
.Note
====
{empty}1. As you need to have an FAS account for steps 2 and 3, this is
not included in the decision rules above 2. The time to be on hold is
one week. If not action is taken after one week, the application has to
be rejected. 3. When writing asking to fulfil steps, send CC to other
Free-media sponsors to let them know the application has been reviewed.
====

149
modules/sysadmin_guide/pages/freshmaker.adoc
View file

@ -1,149 +0,0 @@
= Freshmaker SOP
[NOTE]
.Note
====
Freshmaker is very new and changing rapidly. We'll try to keep this up
to date as best we can.
====
Freshmaker is a service that watches message bus activity and tries
to rebuild _compound_ artifacts when their constituent pieces change.
== Contact Information
Owner::
Factory2 Team, Release Engineering Team, Infrastructure Team
Contact::
#fedora-modularity, #fedora-admin, #fedora-releng
Persons::
jkaluza, cqi, qwan, sochotni, threebean
Location::
Phoenix
Public addresses::
* freshmaker.fedoraproject.org
Servers::
* freshmaker-frontend0[1-2].phx2.fedoraproject.org
* freshmaker-backend01.phx2.fedoraproject.org
Purpose::
Rebuild compound artifacts. See description for more detail.
== Description
See also
http://fedoraproject.org/wiki/Infrastructure/Factory2/Focus/Freshmaker
for some of the original (old) thinking on Freshmaker.
As per the summary above, Freshmaker is a bus-oriented system that
watches for changes to smaller pieces of content, and triggers rebuilds
of larger pieces of content.
It doesn't do the actual _builds_ itself, but instead requests rebuilds
in our existing build systems.
It handles a number of different content types. In Fedora, we would like
to roll out rebuilds in the following order:
=== Module Builds
When a spec file changes on a particular dist-git branch, trigger
rebuilds of all modules that declare dependencies on that rpm branch.
Consider the _traditional workflow_ today. You make a patch to the
[.title-ref]#f27# of your package, and you know you need to build that
patch for f27, and then later submit an update for this single build.
Packagers know what to do.
Consider the _modular workflow_. You make a patch to the
[.title-ref]#2.2# branch of your package, but now, which modules do you
rebuild? Maybe you had one in mind that you wanted to fix, but are there
others that you forgot about -- that you don't even know about? Kevin
could maintain a module that pulls in my rpm branch and he never told
me. Even if he did, I have to now maintain a list of modules that depend
on my rpm, and request rebuilds of them everytime I patch my .spec file.
This is unmanageable.
Freshmaker deals with this by watching the bus for dist-git fedmsg
messages. When it sees a change on a branch, it looks up the list of
modules that depend on that branch, and requests rebuilds of them in the
MBS.
=== Container Slow Flow
When a traditional rpm or modular rpm is _shipped stable_, this trigger
rebuilds of all containers that ever included previous versions of this
rpm.
This applies to both modular and non-modular contexts. Today, you build
an rpm that fixes a CVE, but _some other person_ maintains a container
that includes your RPM. Maybe they never told you about this. Maybe they
didn't notice your CVE fix. Their container will remain outdated and
vulnerable.. forever?
Freshmaker deals with this by watching the bus for dist-git messages
about rpms being shipped to the stable updates repo. When they're
shipped, it looks up all containers that ever included pervious versions
of the rpm in question, and it triggers rebuilds of them.
_Waiting_ until the rpm ships to stable is _necessary_ because the
container build process doesn't know about unshipped content. This is
how containers are built manually today, and it is annoying. Which
brings us to the more complicated...
=== Container Fast Flow
When a traditional rpm or modular rpm is _signed_, generate a repo
containing it and rebuild all containers that ever included that rpm
before. This is the better version of the slow flow, but is more
complicated so we're deferring it until after we've proved the first two
cases out.
Freshmaker will do this by requesting an interim build repo from ODCS
(the On Demand Compose Service). ODCS can be given the appropriate koji
tag and will produce a repo of (pre-signed) rpms. Freshmaker will
request a rebuild of the container and will pass the ODCS repo url in.
This gives us an auditable trail of disposable repos.
== Systems
There is a frontend and a backend.
Everything in the previous section describes the backend behavior.
The frontend exists to provide an HTTP API that can be queried to find
out the status of the backend: What is it doing? What is it planning to
do? What has it done already?
== Observing Freshmaker Behavior
There is currently no command line tool to query Freshmaker, but
Freshmaker provides REST API which can be used to observe Freshmaker
behavior. This is available at the following URLs:
* https://freshmaker.fedoraproject.org/api/1/events
* https://freshmaker.fedoraproject.org/api/1/builds
The first [.title-ref]#/events# URL should return a list of events that
Freshmaker has noticed, recorded, and is handling. Handled events should
produce associated builds.
The second [.title-ref]#/builds# URL should return a list of builds that
Freshmaker has submitted and is monitoring. Each build should be
traceable back to the event that triggered it.
== Logs
The frontend logs are on freshmaker-frontend0[1-2] in
`/var/log/httpd/error_log`.
The backend logs are on freshmaker-backend01. Look in the journal for
the [.title-ref]#fedmsg-hub# service.
== Upgrading
The package in question is [.title-ref]#freshmaker#. Please use the
[.title-ref]#playbooks/manual/upgrade/freshmaker.yml# playbook.
== Things that could go wrong
TODO. We don't know yet. Probably lots of things.

26
modules/sysadmin_guide/pages/gitweb.adoc
View file

@ -1,26 +0,0 @@
= Gitweb Infrastructure SOP
Gitweb-caching is the web interface we use to expose git to the web at
http://git.fedorahosted.org/git/
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin, sysadmin-hosted
Location::
Serverbeach
Servers::
hosted[1-2]
Purpose::
Http access to git sources.
== Basic Function
* Users go to [46]http://git.fedorahosted.org/git/
* Pages are generated from cache stored in `/var/cache/gitweb-caching/`.
* The website is exposed via
`/etc/httpd/conf.d/git.fedoraproject.org.conf`.
* Main config file is `/var/www/gitweb-caching/gitweb_config.pl`. This
pulls git repos from /git/.

191
modules/sysadmin_guide/pages/hosted_git_to_svn.adoc
View file

@ -1,191 +0,0 @@
= Fedorahosted migrations
Migrating hosted repositories to that of another type.
== Contents
[arabic]
. Contact Information
. Description
. SVN to GIT migration
____
[arabic]
. Questions left to be answered with this SOP
____
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin, sysadmin-hosted
Location::
Serverbeach
Servers::
hosted1, hosted2
Purpose::
Migrate hosted SCM repositories to that of another SCM.
== Description
fedorahosted.org can be used to host open source projects. Occasionally
those projects want to change the SCM they utilize. This document
provides documentation for doing so.
[arabic]
. An scm for maintaining the code. The currently supported scm's include
Mercurial, Git, Bazaar, or SVN. Note: There is no cvs
. A trac instance, which provides a mini-wiki for hosting information
and also provides a ticketing system.
. A mailing list
[IMPORTANT]
.Important
====
This page is for administrators only. People wishing to request a hosted
project should use the [50]Ticketing System ; see the new project
request template. (Requires Fedora Account)
====
== SVN to GIT migration
=== FAS User Prep
Currently you must manually generate $PROJECTNAME-users.txt by grabbing
a list of people in the FAS group - and recording them in th following
format:
....
$fasusername = FirstName LastName <$emailaddress>
....
This is error prone, and will stop the git-svn fetch below if an author
appears that doesn't exist in the list of users.:
....
svn log --quiet | awk '/^r/ {print $3}' | sort -u
....
The above will generate a list of users in the svn repo.
If all users are FAS users you can use the following script to create a
users file (written by tmz (Todd Zullinger):
....
#!/bin/bash
if [ -z "$1" ]; then
echo "usage: $0 <svn repo>" >&2
exit 1
fi
svnurl=file:///svn/$1
if ! svn info $svnurl &>/dev/null; then
echo "$1 is not a valid svn repo." >&2
fi
svn log -q $svnurl | awk '/^r[0-9]+/ {print $3}' | sort -u | while read user; do
name=$( (getent passwd $user 2>/dev/null | awk -F: '{print $5}') || '' )
[ -z "$name" ] && name=$user
email="$user@fedoraproject.org"
echo "$user=$name <$email>"
done
....
=== Doing the conversion
[arabic]
. Log into hosted1
. Make a temporary directory to convert the repos in:
+
....
$ sudo mkdir /tmp/tmp-$PROJECTNAME.git
$ cd /tmp/tmp-$PROJECTNAME.git
....
. Create an git repo ready to receive migrated SVN data:
+
....
$ sudo git-svn init http://svn.fedorahosted.org/svn/$PROJECTNAME --no-metadata
....
. Tell git to fetch and convert the repository:
+
....
$ git svn fetch
.. note::
This creation of a temporary repository is necessary because SVN leaves a
number of items floating around that git can ignore, and we want those
essentially ignored.
....
. {blank}
+
From here, you'll wanted to follow [53]Creating a new git repo as if::
cloning an existing git repository to Fedorahosted.
. After that process is done - kindly remove the temporary repo that was
created:
+
....
$ sudo rm -rf /tmp/tmp-$PROJECTNAME.git
....
=== Doing the converstion (alternate)
Alternately, here's another way to do this (tmz):
Setup a working dir:
....
[tmz@hosted1 tmp (master)]$ mkdir im-chooser-conversion && cd im-chooser-conversion
....
Create authors file mapping svn usernames to Name <email> form git
uses.:
....
[tmz@hosted1 im-chooser-conversion (master)]$ ~tmz/svn-to-git-authors im-chooser > authors
....
Convert svn to git:
....
[tmz@hosted1 im-chooser-conversion (master)]$ git svn clone -s -A authors --no-metadata file:///svn/im-chooser
....
Move svn branches and tags into proper locations for the new git repo.
(git-svn leaves them as 'remote' branches/tags.):
....
[tmz@hosted1 im-chooser-conversion (master)]$ cd im-chooser
[tmz@hosted1 im-chooser (master)]$ mv .git/refs/remotes/tags/* .git/refs/tags/ && rmdir .git/refs/remotes/tags
[tmz@hosted1 im-chooser (master)]$ mv .git/refs/remotes/* .git/refs/heads/
....
Now 'git branch' and 'git tag' should display the branches/tags.
Create a bare repo from the converted git repo. Using `file://$(pwd)`
here ensures that git copies all objects to the new bare repo.:
....
[tmz@hosted1 im-chooser-conversion (master)]$ git clone --bare --shared file://$(pwd)/im-chooser im-chooser.git
....
Follow the steps in
https://fedoraproject.org/wiki/Hosted_repository_setup to finish setting
proper modes and permissions for the repo. Don't forget to update the
description file.
[NOTE]
.Note
====
This still leaves moving the converted bare repo (im-chooser.git) to
/git and fixing up the user/group.
====
== Questions left to be answered with this SOP
* Obviously we need to have requestor review the migration and confirm
it's ok.
* Do we then delete the old SCM contents?
* Do we need to change the FAS-group type to grant them access to
pull/push from it?

144
modules/sysadmin_guide/pages/hubs.adoc
View file

@ -1,144 +0,0 @@
= Fedora Hubs SOP
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin, sysadmin-main, sysadmin-tools, sysadmin-hosted
Location::
?
Servers::
<prod-srv-hostname>, <stg-srv-hostname>, hubs-dev.fedorainfracloud.org
Purpose::
Contributor and team portal.
== Description
Fedora Hubs aggregates user and team activity throughout the Fedora
infrastructure (and elsewhere) to show what a user or a team is doing.
It helps new people find a place to contribute.
=== Components
Fedora Hubs has the following components:
* a SQL database like PostgreSQL (in the Fedora infra we're using the
shared database).
* a Redis server that is used as a message bus (it is not critical if
the content is lost). System service: `redis`.
* a MongoDB server used to store the contents of the activity feeds.
It's JSON data, limited to 100 entries per user or group. Service:
`mongod`.
* a Flask-based WSGI app served by Apache + mod_wsgi, that will also
serve the JS front end as static files. System service: `httpd`.
* a Fedmsg listener that receives messages from the fedmsg bus and puts
them in Redis. System service: `fedmsg-hub`.
* a set of "triage" workers that pull the raw messages from Redis,
process them using SQL queries and puts work items in another Redis
queue. System service: `fedora-hubs-triage@`.
* a set of "worker" daemons that pull from this other Redis queue, work
on the items by making SQL queries and external HTTP requests (to Github
for example), and put reload notifications in the SSE Redis queue. They
also access the caching system, which can be local files or memcached.
System service: `fedora-hubs-worker@`.
* The SSE server (Twisted-based) that pulls from that Redis queue and
sends reload notifications to the connected browsers. It handles
long-lived HTTP connection but there is little activity: only the
notifications and a "keepalive ping" message every 30 seconds to every
connected browser. System service: `fedora-hubs-sse`. Apache is
configured to proxy the `/sse` path to this server.
== Managing the services
Restarting all the services:
....
systemctl restart fedmsg-hub fedora-hubs-\*
....
By default, 4 `triage` daemons and 4 `worker` daemons are enabled. To
add another `triage` daemon and another `worker` daemon, you can run:
....
systemctl enable --now fedora-hubs-triage@5.service
systemctl enable --now fedora-hubs-worker@5.service
....
It is not necessary to have the same number of `triage` and `worker`
daemons, in fact it is expected that more `worker` than `triage` daemons
will be necessary, as they do more time-consuming work.
== Hubs-specific operations
Other Hubs-specific operations are done using the
[.title-ref]#fedora-hubs# command:
....
$ fedora-hubs
Usage: fedora-hubs [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
cache Cache-related operations.
db Database-related operations.
fas FAS-related operations.
run Run daemon processes.
....
=== Manipulating the cache
The `cache` subcommand is used to do cache-related operations:
....
$ fedora-hubs cache
Usage: fedora-hubs cache [OPTIONS] COMMAND [ARGS]...
Cache-related operations.
Options:
--help Show this message and exit.
Commands:
clean Clean the specified WIDGETs (id or name).
coverage Check the cache coverage.
list List widgets for which there is cached data.
....
For example, to check the cache coverage:
....
$ fedora-hubs cache coverage
107 cached values found, 95 are missing.
52.97 percent cache coverage.
....
The cache coverage value is an interesting metric that could be used in
a Nagios check. A value below 50% could be considered as significant of
application slowdowns and could thus generate a warning.
=== Interacting with FAS
The `fas` subcommand is used to get information from FAS:
....
$ fedora-hubs fas
Usage: fedora-hubs fas [OPTIONS] COMMAND [ARGS]...
FAS-related operations.
Options:
--help Show this message and exit.
Commands:
create-team Create the team hub NAME from FAS.
sync-teams Sync all the team hubs NAMEs from FAS.
....
To add a new team hub for a FAS group, run:
....
$ fedora-hubs fas create-team <fas-group-name>
....

60
modules/sysadmin_guide/pages/ibm_rsa_ii.adoc
View file

@ -1,60 +0,0 @@
= IBM RSA II Infrastructure SOP
Many of our physical machines use RSA II cards for remote management.
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin, sysadmin-main
Location::
PHX, ibiblio
Servers::
All physical IBM machines
Purpose::
Provide remote management for our physical IBM machines
== Restarting the RSA II card
Normally, the RSA II can be restarted from the web/ssh interface. If you
are locked out of any outside access to the RSA II, follow these
instructions on the physical machine.
If the machine can be rebooted without issue, cut off all power to the
machine, wait a few seconds, and restart everything.
Otherwise, to restart the card without rebooting the machine:
[arabic]
. Download and install the IBM Remote Supervisor Adapter II Daemon
+
____
[arabic]
.. `yum install usbutils libusb-devel` # (needed by the RSA II daemon)
.. {blank}
+
Download the correct tarball from::
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5071676&brandind=5000008
(TODO: check if this can be packaged in Fedora)
.. Extract the tarball and run `sudo ./install.sh --update`
____
. {blank}
+
Download and extract the IBM Advanced Settings Utility::
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=TOOL-ASU&brandind=5000016
+
____
[WARNING]
.Warning
====
this tarball dumps files in the current working directory
====
____
. Issue a `sudo ./asu64 rebootrsa` to reboot the RSA II.
. Clean up: `yum remove ibmusbasm64`
== Other Resources
http://www.redbooks.ibm.com/abstracts/sg246495.html may be a useful
resource to refer to when working with this.

140
modules/sysadmin_guide/pages/infra-yubikey.adoc
View file

@ -1,140 +0,0 @@
= Infrastructure/SOP/Yubikey
This document describes how yubikey authentication works
== Contents
[arabic]
. Contact Information
. User Information
. Host Admins
+
____
[arabic]
.. pam_yubico
____
. Server Admins
+
____
[arabic]
.. Basic architecture
.. ykval
.. ykksm
.. Physical Yubikey info
____
. fas integration
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin, sysadmin-main
Location::
Phoenix
Servers::
fas*, db02
Purpose::
Provides yubikey authentication in Fedora
== Config Files
* `/etc/httpd/conf.d/yk-ksm.conf`
* `/etc/httpd/conf.d/yk-val.conf`
* `/etc/ykval/ykval-config.php`
* `/etc/ykksm/ykksm-config.php`
* `/etc/fas.cfg`
== User Information
See [57]Infrastruture/Yubikey
== Host Admins
pam_yubico
Generated from fas, the /etc/yubikeyid works like a authroized_keys file
and maps valid keys to users. It is downloaded from FAS:
[58]https://admin.fedoraproject.org/accounts/yubikey/dump
== Server Admins
=== Basic architecture
Yubikey authentication takes place in 3 basic phases.
[arabic]
. User presses yubikey which generates a one time password
. {blank}
+
The one time password makes its way to the yk-val application which::
verifies it is not a replay
. {blank}
+
yk-val passes that otp on to the yk-ksm application which verifies the::
key itself is a valid key
If all of those steps succeed, the ykval application sends back an OK
and authentication is considered successful. The two applications are
defined below, if either of them is unavailable, yubikey authentication
will fail.
==== ykval
Database: db02:ykval
The database contains 3 tables. clients: just a valid client. These are
not users, these are systems able to authenticate against ykval. In our
case Fedora is the only client so there's just one entry here queue:
Used for distributed setups (we don't do this) yubikeys: maps which
yubikey belongs to which user
ykval is installed on fas* and is located at:
[59]http://localhost/yk-val/verify
Purpose: Is to map keys to users and protect against replay attacks
==== ykksm
Database: db02:ykksm
The database contains one table: yubikeys: maps who created keys, what
key was created, when, and the public name and serial number, whether
its active, etc.
ykksm is installed on fas* at [60]http://localhost/yk-ksm
Purpose: verify if a key is a valid known key or not. Nothing contacts
this service directly except for ykval. This should be considered the
“high security” portion of the system as access to this table would
allow users to make their own yubikeys.
==== Physical Yubikey info
The actual yubikey contains information to generate a one time password.
The important bits to know are the begining of the otp contains the
identifier of the key (used similar to how ssh uses authorized_keys) and
note the rest of it contains lots of bits of information, including a
serial incremental.
Sample key: `ccccfcdaivjrvdhvzfljbbievftnvncljhibkulrftt`
Breaking this up, the first 12 characters are the identifier. This can
be considered 'public'
ccccfcdaivj rvdhvzfljbbievftnvncljhibkulrftt
The second half is the otp part.
== fas integration
Fas integration has two main parts. First is key generation, the next is
activation. The fas-plugin-yubikey contains the bits for both, and
verification. Users call on this page to generate the key info:
[61]https://admin.fedoraproject.org/accounts/yubikey/genkey
The fas password field automatically detects whether someone is using a
otp or a regular password. It then sends otp requests to yk-val for
verification.

77
modules/sysadmin_guide/pages/linktracking.adoc
View file

@ -1,77 +0,0 @@
= Link tracking
Using link tracking is [43]an easy way for us to find out how people are
getting to our download page. People might click over to our download
page from any of a number of areas, and knowing the relative usage of
those links can help us understand what materials we're producing are
more effective than others.
== Adding links
Each link should be constructed by adding ? to the URL, followed by a
short code that includes:
* an indicator for the link source (such as the wiki release notes)
* an indicator for the Fedora release in specific (such as F15 for the
final, or F15a for the Alpha test release)
So a link to get.fp.o from the one-page release notes would become
http://get.fedoraproject.org/?opF15.
== FAQ
I want to copy a link to my status update for social networking, or my
blog.::
If you're posting a status update to identi.ca, for example, use the
link tracking code for status updates. Don't copy a link straight from
an announcement that includes link tracking from the announcement. You
can copy the link itself but remember to change the portion after the
? to instead use the st code for status updates and blogs, followed by
the Fedora release version (such as F16a, F16b, or F16), like this:
+
....
http://fedoraproject.org/get-prerelease?stF16a
....
I want to point people to the announcement from my blog. Should I use
the announcement link tracking code?::
The actual URL link itself is the announcement URL. Add the link
tracking code for blogs, which would start with ?st and end with the
Fedora release version, like this:
+
....
http://fedoraproject.org/wiki/F16_release_announcement?stF16a
....
== The codes
[NOTE]
.Note
====
Additions to this table are welcome.
====
[cols=",",options="header",]
|===
|Link source |Code
|Email announcements |an
|----------------------------------------------- |----------
|Wiki announcements |wkan
|----------------------------------------------- |----------
|Front page |fp
|----------------------------------------------- |----------
|Front page of wiki |wkfp
|----------------------------------------------- |----------
|The press release Red Hat makes |rhpr
|----------------------------------------------- |----------
|http://redhat.com/fedora |rhf
|----------------------------------------------- |----------
|Test phase release notes on |wkrn
|----------------------------------------------- |----------
|Official release notes |rn
|----------------------------------------------- |----------
|Official installation guide |ig
|----------------------------------------------- |----------
|One-page release notes |op
|----------------------------------------------- |----------
|Status links (blogs, social media) |st
|===

148
modules/sysadmin_guide/pages/loopabull.adoc
View file

@ -1,148 +0,0 @@
= Loopabull
https://github.com/maxamillion/loopabull[Loopabull] is an event-driven
https://www.ansible.com/[Ansible]-based automation engine. This is used
for various tasks, originally slated for
https://pagure.io/releng-automation[Release Engineering Automation].
== Contents
[arabic]
. Contact Information
. Overview
. Setup
. Outage
== Contact Information
Owner::
Adam Miller (maxamillion) Pierre-Yves Chibon (pingou)
Contact::
#fedora-admin, #fedora-releng, #fedora-noc, sysadmin-main,
sysadmin-releng
Location::
loopabull01.phx2.fedoraproject.org
loopabull01.stg.phx2.fedoraproject.org
Purpose::
Event Driven Automation of tasks within the Fedora Infrastructure and
Fedora Release Engineering
== Overview
The https://github.com/maxamillion/loopabull[loopabull] system is setup
such that an event will take place within the infrastructure and a
http://www.fedmsg.com/en/latest/[fedmsg] is sent, then loopabull will
consume that message, trigger an https://www.ansible.com/[Ansible]
http://docs.ansible.com/ansible/playbooks.html[playbook] that shares a
name with the fedmsg topic, and provide the payload of the fedmsg to the
playbook as
https://github.com/ansible/ansible/blob/devel/docs/man/man1/ansible-playbook.1.asciidoc.in[extra
variables].
== Setup
The setup is relatively simple, the Overview above describes it and a
more detailed version can be found in the [.title-ref]#releng docs#.
....
+-----------------+ +-------------------------------+
| | | |
| fedmsg +------------>| Looper |
| | | (fedmsg handler plugin) |
| | | |
+-----------------+ +-------------------------------+
|
|
+-------------------+ |
| | |
| | |
| Loopabull +<-------------+
| (Event Loop) |
| |
+---------+---------+
|
|
|
|
V
+----------+-----------+
| |
| ansible-playbook |
| |
+----------------------+
....
=== Deployment
Loopabull is deployed on two hosts, one for the production instance:
`loopabull01.prod.phx2.fedoraproject.org` and one for the staging
instance: `loopabull01.stg.phx2.fedoraproject.org`.
Each host is running loopabull with 5 workers reacting to fedmsg
notifications.
== Expanding loopabull
The documentation to expand loopabull's usage is documented at:
https://pagure.io/Fedora-Infra/loopabull-tasks
== Outage
In the event that loopabull isn't responding or isn't running playbooks
as it should be, the following scenarios should be approached.
=== What is going on?
There are a few commands that may help figuring out what is going:
* Check the status of the different services:
....
systemctl |grep loopabull
....
* Follow the logs of the different services:
....
journalctl -lfu loopabull -u loopabull@1 -u loopabull@2 -u loopabull@3 \
-u loopabull@4 -u loopabull@5
....
If a playbook returns a non-zero error code, the worker running it will
be stopped. If that happens, you may want to carefully review the logs
to assess what lead to this situation so it can be prevented in the
future.
* Monitoring the queue size
The loopabull service listens to the fedmsg bus and puts the messages as
they come into a rabbitmq/amqp queue for the workers to process. If you
want to see the number of messages pending to be processed by the
workers you can check the queue size using:
....
rabbitmqctl list_queues
....
The output will be something like:
....
Listing queues ...
workers 489989
...done.
....
Where `workers` is the name of the queue used by loopabull and `489989`
the number of messages in that queue (yes that day we were recovering
from a several-day long outage).
=== Network Interruption
Sometimes if the network is interrupted, the loopabull service will hang
because the fedmsg listener will hold a dead socket open. The service
and its workers simply needs to be restarted at that point.
....
systemctl restart loopabull loopabull@1 loopabull@2 loopabull@3 \
loopabull@4 loopabull@5
....

18
modules/sysadmin_guide/pages/orientation.adoc
View file

@ -6,27 +6,27 @@ aboard!
== Contents
[arabic]
. Contact Information
. Description
. <<_contact_information>>
. <<_description>>
. Welcome to the team
____
[arabic]
. Time commitment
. Prove Yourself
. <<_time_commitment>>
. <<_prove_yourself>>
____
[arabic, start=4]
. Doing Work
. <<_doing_work>>
____
[arabic]
. Ansible
. <<_ansible>>
____
[arabic, start=5]
. Our Setup
. Our Rules
. <<_our_setup>>
. <<_our_rules>>
== Contact Information
@ -159,7 +159,7 @@ ask about it.
The Fedora Infrastructure Team does have some rules. First is the
security policy. Please ensure you are compliant with:
https://infrastructure.fedoraproject.org/csi/security-policy/
https://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/
before logging in to any of our servers. Many of those items rely on the
honor system.

63
modules/sysadmin_guide/pages/privatefedorahosted.adoc
View file

@ -1,63 +0,0 @@
= Private fedorahosted tickets Infrastructure SOP
Provides for users only viewing tickets they are involved with.
== Contact Information
Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin, sysadmin-hosted
Location::
<not sure what to put here>
Servers::
hosted1
Purpose::
Provides for users only viewing tickets they are involved with.
== Description
Fedora Hosted Projects have the option of setting ticket permissions so
that only users involved with tickets can see them. This plugin requires
someone in sysadmin-hosted to set it up, and requires justification to
use. The only current implementation is a request tracking system at
[45]https://fedorahosted.org/famnarequests for tracking requests for
North American ambassadors since mailing addresses, etc will be put in
there.
== Implementation
On hosted1:
....
sudo -u apache vim /srv/web/trac/projects/<project name>/conf/trac.ini
....
Add the following to the appropriate sections of `trac.ini`:
....
[privatetickets]
group_blacklist = anonymous, authenticated
[components]
privatetickets.* = enabled
[trac]
permission_policies = PrivateTicketsPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
....
[NOTE]
.Note
====
For projects not currently using plugins, you'll have to add the
[components] section, and you'll need to add the permission_policies to
the [trac] section.
====
Next, someone with TRAC_ADMIN needs to grant TICKET_VIEW_SELF (a new
permission) to authenticated. This permission allows users to view
tickets that they are either owner, CC, or reporter on. There are other
options more fully described at [46]the upstream site.
Make sure that TICKET_VIEW is removed from anonymous, or else this
plugin will have no effect.

185
modules/sysadmin_guide/pages/reviewboard.adoc
View file

@ -1,185 +0,0 @@
= ReviewBoard Infrastructure SOP
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.
== Contents
[arabic]
. Contact Information
. File Locations
. Troubleshooting and Resolution
____
* Restarting
____
[arabic, start=4]
. Create a new repository in ReviewBoard
____
* Creating a new git repository
* Creating a new bzr repository
* Create a default reviewer for a repository
____
== Contact Information
Owner:::
Fedora Infrastructure Team
Contact:::
#fedora-admin, sysadmin-main, sysadmin-hosted
Location:::
ServerBeach
Servers:::
hosted[1-2]
Purpose:::
Provide our fedorahosted users a way to review code.
== File Locations
Main Config File:::
hosted[1-2]:/srv/reviewboard/conf/settings_local.py
ReviewBoard:::
hosted[1-2]:/etc/httpd/conf.d/fedorahosted.org/reviewboard.conf
Upstream:::
https://fedorahosted.org/reviewboard/
== Troubleshooting and Resolution
=== Restarting
After an update, to restart reviewboard just restart apache. Doing a
service httpd stop and then a service httpd start should do it.
== Create a new repository in ReviewBoard
=== Creating a new git repository
[arabic]
. {blank}
+
Enter the admin interface. If you have admin privilege, a link will be::
visible in the upper-right corner of the dashboard.
. In the admin dashboard click "Add" next to "Repositories"
. {blank}
+
For the name, enter the Fedora Hosted project short name. (e.g. if the::
project is [53]https://fedorahosted.org/sssd, then the repository name
should be sssd)
. "Show this repository" must be checked.
. Hosting service is "Custom"
. Repository type is Git
. Path should be /srv/git/project_short_name.git (e.g.
/srv/git/sssd.git)
. {blank}
+
Mirror path should be::
git://git.fedorahosted.org/git/project_short_name.git
[NOTE]
.Note
====
Mirror path is used by client tools such as post-review to determine to
which repository a submission belongs
====
[arabic, start=9]
. Raw file URL mask should be left blank
. Username and Password should both be left blank
. The bug tracker URL may vary from project to project, but if they are
using the Fedora Hosted Trac bugtracker, it should be
* Type: Trac
* {blank}
+
Bug Tracker URL: [54]https://fedorahosted.org/project_short_name::
(e.g. [55]https://fedorahosted.org/sssd)
. Do not set a Bug Tracker URL
=== Creating a new bzr repository
[arabic]
. Go to the admin dashboard to [56]add a new repository.
. {blank}
+
For the name, enter the Fedora Hosted project short name. (e.g. if the::
project is [57]https://fedorahosted.org/kitchen, then the repository
name should be kitchen)
. "Show this repository" must be checked.
. Hosting service is "Custom"
. Repository type is Bazaar
. Path should be /srv/git/project_short_name/branch_name (e.g.
/srv/bzr/kitchen/devel) -- reviewboard doesn't understand how to work
with repository conventions; it just works on branches.
. {blank}
+
Mirror path should be::
bzr://bzr.fedorahosted.org/bzr/project_short_name/branch_name
[NOTE]
.Note
====
Mirror path is used by client tools such as post-review to determine to
which repository a submission belongs
====
[arabic, start=8]
. Username and Password should both be left blank
. {blank}
+
The bug tracker URL may vary from project to project, but if they are::
using the Fedora Hosted Trac bugtracker, it should be
+
* Type: Trac
* Bug Tracker URL: [58]https://fedorahosted.org/project_short_name
(e.g. [59]https://fedorahosted.org/kitchen)
. Do not set a Bug Tracker URL
=== Create a default reviewer for a repository
Reviews should be sent to the project development mailing list unless
otherwise requested.
[arabic]
. Enter the admin interface. If you have admin privilege, a link will be
visible in the upper-right corner of the dashboard.
. In the admin dashboard click "Add" next to "Review Groups"
. Enter the following values:
____
* Name: The project short name
* Display Name: project_short_name Review Group
* Mailing List: Development discussion list for the project
____
[arabic, start=4]
. Do not select any users
. {blank}
+
Return to the main admin dashboard and click on "Add" next to "Default::
Reviewers"
. Enter the following values:
____
* Name: Something unique and sensible
* File Regular Expression: enter '.*' (without the quotes)
____
[NOTE]
.Note
====
This means that by default, the mailing list should receive email for
reviews of all files in the repository
====
[arabic, start=7]
. {blank}
+
Under "Default groups", select the group you created above and click::
the arrow pointing right.
. Do not select any default people
. {blank}
+
Under "Repositories", select the repository added above and click the::
arrow pointing right.
. Save your changes.