Create mm-frontend-checkin01

This server should be regarded as untrusted. Related: CVE-2016-1000003 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2016-06-17 19:52:31 +00:00 · 2016-06-17 19:52:31 +00:00 · b6eb15c0ee
commit b6eb15c0ee
parent 33f6b58f93
8 changed files with 44 additions and 4 deletions
--- a/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
@ -0,0 +1,17 @@
 ---
 lvm_size: 20000
 mem_size: 8192
 num_cpus: 2
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.126.187
 vmhost: virthost02.phx2.fedoraproject.org
 datacenter: phx2
 tcp_ports: [ 80, 443 ]
 mm2_checkin: true
--- a/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
@ -14,3 +14,4 @@ datacenter: phx2
 tcp_ports: [ 80, 443 ]
 mm2_checkin: false
--- a/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
@ -14,3 +14,4 @@ datacenter: phx2
 tcp_ports: [ 80, 443 ]
 mm2_checkin: true
--- a/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
@ -14,3 +14,4 @@ datacenter: phx2
 tcp_ports: [ 80, 443 ]
 mm2_checkin: false
--- a/inventory/inventory
+++ b/inventory/inventory
@ -439,6 +439,7 @@ mirrorlist-phx2.stg.phx2.fedoraproject.org
 [mm-frontend]
 mm-frontend01.phx2.fedoraproject.org
 mm-frontend02.phx2.fedoraproject.org
 mm-frontend-checkin01.phx2.fedoraproject.org
 [mm-backend]
 mm-backend01.phx2.fedoraproject.org
--- a/roles/mirrormanager/frontend2/templates/mirrormanager.conf
+++ b/roles/mirrormanager/frontend2/templates/mirrormanager.conf
@ -13,6 +13,14 @@ WSGIPythonOptimize 1
 WSGIScriptAlias /mirrormanager /var/www/mirrormanager2.wsgi
 <Location /mirrormanager/xmlrpc>
 {% if mm2_checkin %}
 	Require all granted
 {% else %}
 	Require all denied
 {% endif %}
 </Location>
 <Location />
    WSGIProcessGroup mirrormanager
    <IfModule mod_authz_core.c>
--- a/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
+++ b/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
@ -8,20 +8,30 @@ MirrorManager2 sample configuration.
 # Most important configuration items
 ###
 # url to the database server:
 DB_URL='postgresql://{{ mirrormanager_db_user }}:{{ mirrormanager_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
 # the number of items to display on the search pages
 # Default: ``50``.
 ITEMS_PER_PAGE = 50
 {% if mm2_checkin %}
 # url to the database server:
 DB_URL='postgresql://{{ mirrormanager_checkin_db_user }}:{{ mirrormanager_checkin_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
 # The checkin server does not use the secret key or password secret. Let's not leak it.
 SECRET_KEY = 'invalid'
 PASSWORD_SEED = 'invalid'
 {% else %}
 # url to the database server:
 DB_URL='postgresql://{{ mirrormanager_db_user }}:{{ mirrormanager_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
 # secret key used to generate unique csrf token
 SECRET_KEY = '{{ mirrormanager_secret_key }}'
 # Seed used to make the password harder to brute force in case of leaking
 # This should be kept really secret!
 PASSWORD_SEED = "{{ mirrormanager_password_seed }}"
 {% endif %}
 # Make browsers send session cookie only via HTTPS
 SESSION_COOKIE_SECURE=True
--- a/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org
+++ b/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org
@ -0,0 +1 @@
 ifconfig-push 192.168.100.11 192.168.100.11
`@ -14,3 +14,4 @@ datacenter: phx2`

	`tcp_ports: [ 80, 443 ]`	`tcp_ports: [ 80, 443 ]`

		`mm2_checkin: false`