Create mm-frontend-checkin01

This server should be regarded as untrusted. Related: CVE-2016-1000003 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2016-06-17 19:52:31 +00:00 · 2016-06-17 19:52:31 +00:00 · b6eb15c0ee
commit b6eb15c0ee
parent 33f6b58f93
8 changed files with 44 additions and 4 deletions
--- a/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
@ -0,0 +1,17 @@
+---
+lvm_size: 20000
+mem_size: 8192
+num_cpus: 2
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.187
+vmhost: virthost02.phx2.fedoraproject.org
+datacenter: phx2
+
+tcp_ports: [ 80, 443 ]
+
+mm2_checkin: true
--- a/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
@ -14,3 +14,4 @@ datacenter: phx2

 tcp_ports: [ 80, 443 ]

+mm2_checkin: false
--- a/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
@ -14,3 +14,4 @@ datacenter: phx2

 tcp_ports: [ 80, 443 ]

+mm2_checkin: true
--- a/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
@ -14,3 +14,4 @@ datacenter: phx2

 tcp_ports: [ 80, 443 ]

+mm2_checkin: false
--- a/inventory/inventory
+++ b/inventory/inventory
@ -439,6 +439,7 @@ mirrorlist-phx2.stg.phx2.fedoraproject.org
 [mm-frontend]
 mm-frontend01.phx2.fedoraproject.org
 mm-frontend02.phx2.fedoraproject.org
+mm-frontend-checkin01.phx2.fedoraproject.org

 [mm-backend]
 mm-backend01.phx2.fedoraproject.org
--- a/roles/mirrormanager/frontend2/templates/mirrormanager.conf
+++ b/roles/mirrormanager/frontend2/templates/mirrormanager.conf
@ -13,6 +13,14 @@ WSGIPythonOptimize 1

 WSGIScriptAlias /mirrormanager /var/www/mirrormanager2.wsgi

+<Location /mirrormanager/xmlrpc>
+{% if mm2_checkin %}
+	Require all granted
+{% else %}
+	Require all denied
+{% endif %}
+</Location>
+
 <Location />
    WSGIProcessGroup mirrormanager
    <IfModule mod_authz_core.c>
--- a/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
+++ b/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
@ -8,20 +8,30 @@ MirrorManager2 sample configuration.
 # Most important configuration items
 ###

-
-# url to the database server:
-DB_URL='postgresql://{{ mirrormanager_db_user }}:{{ mirrormanager_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
-
 # the number of items to display on the search pages
 # Default: ``50``.
 ITEMS_PER_PAGE = 50

+
+{% if mm2_checkin %}
+# url to the database server:
+DB_URL='postgresql://{{ mirrormanager_checkin_db_user }}:{{ mirrormanager_checkin_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
+
+# The checkin server does not use the secret key or password secret. Let's not leak it.
+SECRET_KEY = 'invalid'
+PASSWORD_SEED = 'invalid'
+
+{% else %}
+# url to the database server:
+DB_URL='postgresql://{{ mirrormanager_db_user }}:{{ mirrormanager_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
+
 # secret key used to generate unique csrf token
 SECRET_KEY = '{{ mirrormanager_secret_key }}'

 # Seed used to make the password harder to brute force in case of leaking
 # This should be kept really secret!
 PASSWORD_SEED = "{{ mirrormanager_password_seed }}"
+{% endif %}

 # Make browsers send session cookie only via HTTPS
 SESSION_COOKIE_SECURE=True
--- a/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org
+++ b/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org
@ -0,0 +1 @@
+ifconfig-push 192.168.100.11 192.168.100.11