pdc: fare thee well!

This commit retires pdc from ansible.
The website should get redirected to a wiki page about the retirement.
If for some reason we need to bring things back, the VMs will still
have their disks and XML saved off so we can restore them.
We would need to revert this commit, run the proxy playbooks, do a little
cleanup on the redirect, and then bring the VMs back up.
Hopefully we don't have to.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2024-08-02 13:39:15 -07:00
parent 71529842c6
commit c4024c4aa4
23 changed files with 9 additions and 830 deletions


@ -1,40 +0,0 @@
---
# Define resources for this group of hosts here.
deployment_type: prod
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- can_send:
- logger.log
group: sysadmin
owner: root
service: shell
- can_send:
- pdc.compose
- pdc.rpms
- pdc.images
group: apache
owner: root
service: pdc
ipa_client_shell_groups:
- sysadmin-noc
- sysadmin-releng
- sysadmin-veteran
ipa_client_sudo_groups:
- sysadmin-releng
ipa_host_group: pdc-web
ipa_host_group_desc: Product Definition Center web app
lvm_size: 20000
mem_size: 8192
nagios_Check_Services:
swap: false
num_cpus: 2
# This just defines the CN of the saml2 cert we pull from the private repo
# Don't be confused. The app is actually served at apps.stg.fp.o/pdc
pdc_domain: pdc.fedoraproject.org
primary_auth_source: ipa
tcp_ports: [80]
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
wsgi_fedmsg_service: pdc
wsgi_procs: 3
wsgi_threads: 2


@ -1,37 +0,0 @@
---
# Define resources for this group of hosts here.
deployment_type: stg
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- can_send:
- logger.log
group: sysadmin
owner: root
service: shell
- can_send:
- pdc.compose
- pdc.rpms
- pdc.images
group: apache
owner: root
service: pdc
ipa_client_shell_groups:
- sysadmin-noc
- sysadmin-releng
- sysadmin-veteran
ipa_client_sudo_groups:
- sysadmin-releng
ipa_host_group: pdc-web
ipa_host_group_desc: Product Definition Center web app
lvm_size: 20000
mem_size: 4098
num_cpus: 1
# This just defines the CN of the saml2 cert we pull from the private repo
# Don't be confused. The app is actually served at apps.stg.fp.o/pdc
pdc_domain: pdc.stg.fedoraproject.org
tcp_ports: [80]
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
wsgi_fedmsg_service: pdc
wsgi_procs: 2
wsgi_threads: 2


@ -18,7 +18,6 @@ databases:
- notifications
- odcs
- pagure
- pdc
- tahrir
- waiverdb
- transtats
@ -41,7 +40,6 @@ dbs_to_backup:
- notifications
- odcs
- pagure
- pdc
- tahrir
- waiverdb
- transtats


@ -1,9 +0,0 @@
---
datacenter: iad2
eth0_ipv4_gw: 10.3.169.254
eth0_ipv4_ip: 10.3.169.118
ks_repo: http://10.3.163.35/repo/rhel/RHEL7-x86_64/
ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-7-iad2
mem_size: 32768
vmhost: bvmhost-x86-02.iad2.fedoraproject.org
volgroup: /dev/vg_guests


@ -1,8 +0,0 @@
---
datacenter: iad2
eth0_ipv4_gw: 10.3.167.254
eth0_ipv4_ip: 10.3.167.26
ks_repo: http://10.3.163.35/repo/rhel/RHEL7-x86_64/
ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-7-iad2
vmhost: bvmhost-x86-05.stg.iad2.fedoraproject.org
volgroup: /dev/vg_guests


@ -1,9 +0,0 @@
---
datacenter: iad2
eth0_ipv4_gw: 10.3.169.254
eth0_ipv4_ip: 10.3.169.129
ks_repo: http://10.3.163.35/repo/rhel/RHEL7-x86_64/
ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-7-iad2
mem_size: 32768
vmhost: bvmhost-x86-04.iad2.fedoraproject.org
volgroup: /dev/vg_guests


@ -590,7 +590,6 @@ memcached01.stg.iad2.fedoraproject.org
odcs-backend01.stg.iad2.fedoraproject.org
odcs-frontend01.stg.iad2.fedoraproject.org
os-control01.stg.iad2.fedoraproject.org
pdc-web01.stg.iad2.fedoraproject.org
pkgs01.stg.iad2.fedoraproject.org
proxy01.stg.iad2.fedoraproject.org
proxy02.stg.iad2.fedoraproject.org
@ -751,14 +750,6 @@ mailman_stg
#virthost-cloud01.fedorainfracloud.org
#copr-vmhost01.fedorainfracloud.org
[pdc_web]
pdc-web01.iad2.fedoraproject.org
pdc-web02.iad2.fedoraproject.org
[pdc_web_stg]
pdc-web01.stg.iad2.fedoraproject.org
[maintainer_test]
f39-test.fedorainfracloud.org
rawhide-test.fedorainfracloud.org
@ -1067,7 +1058,6 @@ openqa
openqa_lab
openqa_lab_workers
openqa_workers
pdc_web
pkgs
proxies_iad2
qahardware
@ -1097,7 +1087,6 @@ koji_stg
memcached_stg
oci_registry_stg
odcs_stg
pdc_web_stg
pkgs_stg
proxies_stg
rabbitmq_stg


@ -50,7 +50,6 @@
- import_playbook: /srv/web/infra/ansible/playbooks/groups/openqa-workers.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/openqa.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/pagure.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/pdc.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/people.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/pkgs.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/postgresql-server.yml


@ -1,55 +0,0 @@
# PDC servers (both frontend and backend)
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml"
vars:
myhosts: "pdc_web:pdc_web_stg"
- name: dole out the generic configuration
hosts: pdc_web:pdc_web_stg
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
roles:
- base
- rkhunter
- nagios_client
- zabbix/zabbix_agent
- collectd/base
- hosts
- ipa/client
- role: openvpn/client
when: env != "staging" and datacenter == 'iad2'
- sudo
tasks:
- import_tasks: "{{ tasks_path }}/motd.yml"
- name: stuff for the web nodes
hosts: pdc_web:pdc_web_stg
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
roles:
- mod_wsgi
- role: fedmsg/base
# Set up for fedora-messaging
- role: rabbit/user
username: "pdc{{ env_suffix }}"
sent_topics: ^org\.fedoraproject\.{{ env_short }}\.(pdc|logger)\..*
when: inventory_hostname.startswith(('pdc-web01','pdc-web01.stg'))
- pdc/frontend


@ -887,3 +887,10 @@
target: https://docs.fedoraproject.org/en-US/epel/
tags:
- epel.io
- role: httpd/redirect
shortname: 00-old-pdc
website: pdc.fedoraproject.org
target: https://fedoraproject.org/wiki/Infrastructure/pdc-retirement
tags:
- pdc
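Review bot: The redirect added here covers only `pdc.fedoraproject.org`; `pdc.stg.fedoraproject.org` gets no equivalent entry, although this commit also removes the staging VM and the `pdc-backend` haproxy stanza, so that name is presumably left pointing at the proxies with nothing behind it. Either add a matching `httpd/redirect` entry for the staging name or retire its DNS and proxy configuration in the same change. The commit also deletes only the configuration that provisioned PDC's credentials, not the credentials themselves, so I would record the follow-up above this entry, e.g. `# pdc retired 2024-08: revoke rabbit user pdc{{ env_suffix }}, fedmsg certs, SAML2 SP key pair and db passwords`. The enclosing `roles:` list starts outside the hunk.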


@ -1,50 +0,0 @@
# This playbook syncs the production pdc instance with staging.
- name: bring staging services down (httpd)
hosts: pdc-web-stg
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- service: name=httpd state=stopped
# Here's the meaty part in the middle
- name: drop and re-create the staging db entirely
hosts: db01.stg.iad2.fedoraproject.org
user: root
become: yes
become_user: postgres
become_method: sudo
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
tasks:
- copy: src=/srv/web/infra/db-dumps/pdc.dump.xz dest=/var/tmp/pdc.dump.xz
owner=postgres group=postgres
- command: unxz /var/tmp/pdc.dump.xz
creates=/var/tmp/pdc.dump
- command: dropdb pdc
- command: createdb -O pdc pdc
- name: Import the prod db.
shell: cat /var/tmp/pdc.dump | psql pdc
- file: path=/var/tmp/pdc.dump state=absent
- name: bring staging services up (httpd)
hosts: pdc-web-stg
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- service: name=httpd state=started


@ -1,39 +0,0 @@
- name: verify the frontend, stop it, upgrade the db, and restart it
hosts: pdc_web:pdc_web_stg
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
pre_tasks:
- name: clean all metadata
command: yum clean all
check_mode: no
- name: yum update PDC packages
yum: name="{{item}}" state=latest
with_items:
- python-pdc
- python2-productmd
roles:
- pdc/frontend
post_tasks:
- name: tell nagios to shush w.r.t. the frontend
nagios: action=downtime minutes=15 service=host host={{ inventory_hostname_short }}{{ env_suffix }}
delegate_to: noc01.iad2.fedoraproject.org
ignore_errors: true
- service: name="httpd" state=stopped
- name: Upgrade the database, only on the primary web node.
command: python /usr/lib/python2.7/site-packages/pdc/manage.py migrate --noinput
args:
chdir: /usr/lib/python2.7/site-packages/pdc/
when: inventory_hostname_short == 'pdc-web01'
- service: name="httpd" state=started
- name: tell nagios to unshush w.r.t. the frontend
nagios: action=unsilence service=host host={{ inventory_hostname_short }}{{ env_suffix }}
delegate_to: noc01.iad2.fedoraproject.org
ignore_errors: true


@ -626,21 +626,6 @@ children:
they're broken -- it's a big help!.
Check back here from time to time, as this section will change.
children:
- name: Product Definition Center
data:
url: https://pdc.fedoraproject.org/
source_url: https://github.com/product-definition-center/product-definition-center
bugs_url: https://github.com/product-definition-center/product-definition-center/issues
# Also, https://fedoraproject.org/wiki/Changes/PDC
docs_url: https://github.com/product-definition-center/product-definition-center/issues/303
sops:
- https://infrastructure.fedoraproject.org/infra/docs/pdc.rst
description: >
The Product Definition Center (PDC) is a new app we're working
on which will track 1) all of the artifacts that release
engineering *should* be producing and 2) all of the artifacts
taht release engineering *did* produce. The web interface isn't
much to write home about, but the API is where it's at.
- name: Ipsilon
data:
url: https://pagure.io/ipsilon


@ -317,7 +317,7 @@ CSP_HEADERS = (
"object-src 'none'; "
"base-uri 'self'; "
"img-src 'self' https:; "
"connect-src 'self' https://pdc.stg.fedoraproject.org https://apps.stg.fedoraproject.org https://mdapi.stg.fedoraproject.org https://transtats.stg.fedoraproject.org https://bodhi.stg.fedoraproject.org;"
"connect-src 'self' https://apps.stg.fedoraproject.org https://mdapi.stg.fedoraproject.org https://transtats.stg.fedoraproject.org https://bodhi.stg.fedoraproject.org;"
)
{% else %}
CSP_HEADERS = (
@ -327,7 +327,7 @@ CSP_HEADERS = (
"object-src 'none'; "
"base-uri 'self'; "
"img-src 'self' https:; "
"connect-src 'self' https://pdc.fedoraproject.org https://apps.fedoraproject.org https://mdapi.fedoraproject.org https://transtats.fedoraproject.org https://bodhi.fedoraproject.org;"
"connect-src 'self' https://apps.fedoraproject.org https://mdapi.fedoraproject.org https://transtats.fedoraproject.org https://bodhi.fedoraproject.org;"
)
{% endif %}
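Review bot: The staging and production `connect-src` lines are still hand-maintained copies that, as far as the visible lines show, differ only in `.stg`, so every origin change has to be made twice, as this commit does. If `env_suffix` is available to this template (other files in this commit use `pdc{{ env_suffix }}.fedoraproject.org`), a single line such as `"connect-src 'self' https://apps{{ env_suffix }}.fedoraproject.org https://mdapi{{ env_suffix }}.fedoraproject.org ...;"` would keep the two policies from drifting apart. It is also worth confirming that no browser-side code in this app still requests PDC, since the policy will now block such calls; that code is not visible here. Both `CSP_HEADERS` tuples start outside their hunks.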


@ -213,24 +213,6 @@ backend openqa-backend
option httpchk GET /api/v1/job_groups/1
{% endif %}
frontend pdc-frontend
bind 0.0.0.0:10045
default_backend pdc-backend
backend pdc-backend
balance hdr(appserver)
{% if env != "staging" %}
# Set session persistence with a cookie.
# https://jdennis.fedorapeople.org/doc/rhsso-tripleo-federation/html/rhsso-tripleo-federation.html#step-18-use-proxy-persistence-for-keystone-on-each-controller
cookie SERVERID insert indirect nocache
{% endif %}
server pdc-web01 pdc-web01:80 check inter 10s rise 1 fall 2 cookie pdc-web01
{% if env != "staging" %}
server pdc-web02 pdc-web02:80 check inter 10s rise 1 fall 2 cookie pdc-web02
{% endif %}
option httpchk GET /rest_api/v1/
timeout server 3600000
timeout connect 3600000


@ -1,106 +0,0 @@
#!/usr/bin/env bash
#
# Like /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh, but don't create the certificate and the key.
# Author: abompard@fedoraproject.org
#
set -e
PROG="$(basename "$0")"
printUsage() {
echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
echo ""
echo "Example:"
echo " $PROG urn:someservice https://sp.example.org/mellon"
echo ""
}
if [ "$#" -lt 2 ]; then
printUsage
exit 1
fi
ENTITYID="$1"
if [ -z "$ENTITYID" ]; then
echo "$PROG: An entity ID is required." >&2
exit 1
fi
BASEURL="$2"
if [ -z "$BASEURL" ]; then
echo "$PROG: The URL to the MellonEndpointPath is required." >&2
exit 1
fi
if ! echo "$BASEURL" | grep -q '^https\?://'; then
echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
exit 1
fi
DATADIR=`dirname $0`
if [ ! -f "$DATADIR/certificate.pem" ]; then
echo "$PROG: The certificate must be in the file $DATADIR/certificate.pem." >&2
exit 1
fi
BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
# No files should not be readable by the rest of the world.
umask 0077
# Everything between the markers, but not the markers themselves
CERT="$(sed -n '/^-----BEGIN/,/^-----END/ {/^----/b; p}' $DATADIR/certificate.pem)"
cat > $DATADIR/metadata.xml <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor
entityID="$ENTITYID"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor
AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="$BASEURL/logout" />
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="$BASEURL/logout" />
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService
index="0"
isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="$BASEURL/postResponse" />
<AssertionConsumerService
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="$BASEURL/artifactResponse" />
<AssertionConsumerService
index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
Location="$BASEURL/paosResponse" />
</SPSSODescriptor>
</EntityDescriptor>
EOF
umask 0777
chown apache: $DATADIR/metadata.xml
echo "Wrote $DATADIR/metadata.xml"


@ -1,23 +0,0 @@
""" Export component branches.
This is used to drive the pagure-sync-bugzilla script.
"""
import collections
import json
from django.core.management.base import BaseCommand
from pdc.apps.componentbranch.models import ComponentBranch
from pdc.apps.componentbranch.serializers import is_branch_active
class Command(BaseCommand):
help = 'Export a JSON file with information about all component branches'
def handle(self, *args, **options):
all_entries = ComponentBranch.objects.all()
output = collections.defaultdict(lambda: collections.defaultdict(list))
for entry in all_entries:
active = is_branch_active(entry)
output[entry.type.name][entry.global_component.name].append([entry.name, active])
self.stdout.write(json.dumps(output))


@ -1,2 +0,0 @@
- name: rebuild metadata
command: /etc/httpd/saml2/create-metadata.sh https://pdc{{ env_suffix }}.fedoraproject.org/saml2 https://pdc{{ env_suffix }}.fedoraproject.org/saml2/


@ -1,116 +0,0 @@
- name: remove some old copr repos for things now in the infra repo.
file: dest="/etc/yum.repos.d/{{item}}" state=absent
with_items:
- patternfly-patternfly1-epel-7.repo
- ralph-pdc-deps-epel-7.repo
- sochotni-pdc-test-epel-7.repo
tags: pdc
- name: install needed packages
package: pkg={{ item }} state=present
with_items:
- patternfly1
- python-pdc
- xmlsec1
- mod_auth_mellon
tags: pdc
- name: Copy over settings_local.py
template: src=settings_local.py
dest=/usr/lib/python2.7/site-packages/pdc/settings_local.py
mode=0600 owner=apache group=apache
notify: reload httpd
tags: pdc
- name: Create directory structure for exportbranches command
file: dest={{item.dest}} state={{item.state}} owner=apache group=apache
with_items:
- dest: /usr/lib/python2.7/site-packages/pdc/apps/componentbranch/management
state: directory
- dest: /usr/lib/python2.7/site-packages/pdc/apps/componentbranch/management/commands/
state: directory
tags:
- pdc
- cron
- name: Create files for exportbranches command if they do not already exist
copy: dest={{item.dest}} owner=apache group=apache content='' force=no
with_items:
- dest: /usr/lib/python2.7/site-packages/pdc/apps/componentbranch/management/__init__.py
- dest: /usr/lib/python2.7/site-packages/pdc/apps/componentbranch/management/commands/__init__.py
tags:
- pdc
- cron
- name: Copy over the exportbranches command
copy:
dest: /usr/lib/python2.7/site-packages/pdc/apps/componentbranch/management/commands/exportbranches.py
src: exportbranches.py
tags:
- pdc
- cron
- name: create directory for the active_branches cache
file: path=/var/www/html/extras/ state=directory owner=apache group=apache
tags:
- pdc
- cron
- name: cron to generate cache of active component branches for pagure-sync-bugzilla
cron: name="export-branches" minute="15" user="apache"
job="/usr/local/bin/lock-wrapper export-branches 'python /usr/lib/python2.7/site-packages/pdc/manage.py exportbranches > /var/www/html/extras/active_branches.json.tmp && mv /var/www/html/extras/active_branches.json.tmp /var/www/html/extras/active_branches.json'"
cron_file=export-branches
tags:
- pdc
- cron
- name: Copy over httpd config
template: src=pdc.conf dest=/etc/httpd/conf.d/pdc.conf
notify: reload httpd
tags: pdc
- name: ensure selinux lets httpd do the stuff we need.
seboolean: name={{ item }} persistent=yes state=yes
with_items:
- httpd_can_network_connect_db
- httpd_can_sendmail
# XXX - Someday for fedmsg
#- httpd_can_network_connect
tags:
- pdc
- selinux
- name: create /etc/httpd/saml2
file: state=directory
path=/etc/httpd/saml2
owner=apache group=apache mode=0775
tags: pdc
- name: Install saml2 idp file (which describes our ipsilon instances).
copy: src="{{ private }}/files/saml2/idp-{{env}}.xml"
dest="/etc/httpd/saml2/idp-metadata.xml"
owner="apache" group="apache" mode=0600
notify: reload httpd
tags: pdc
- name: Copy over the metadata.xml rebuild script
copy:
src: create-metadata.sh
dest: /etc/httpd/saml2/create-metadata.sh
mode: 0755
notify:
- rebuild metadata
- reload httpd
tags: pdc
- name: Install domain-specific saml2 certs
copy: src="{{ private }}/files/saml2/{{ pdc_domain }}/{{ item }}"
dest="/etc/httpd/saml2/{{ item }}"
owner="apache" group="apache" mode=0600
with_items:
- certificate.pem
- certificate.key
notify:
- rebuild metadata
- reload httpd
tags: pdc


@ -1,126 +0,0 @@
Alias /docs/ /usr/share/doc/pdc/docs/build/html/
Alias /saml2protected /usr/share/ipsilon/ui/saml2sp
WSGIDaemonProcess pdc user=apache group=apache maximum-requests=100 display-name=pdc processes={{ wsgi_procs - 1}} threads={{ wsgi_threads }}
WSGISocketPrefix run/wsgi
WSGIRestrictStdout On
WSGIRestrictSignal Off
WSGIPythonOptimize 1
WSGIScriptAlias / /usr/lib/python2.7/site-packages/pdc/wsgi.py
<VirtualHost *:80>
{% if env == 'staging' %}
ServerName https://pdc.stg.fedoraproject.org
{% else %}
ServerName https://pdc.fedoraproject.org
{% endif %}
UseCanonicalName on
RewriteEngine on
# An entry for django admin
RewriteCond "/usr/lib/python2.7/site-packages/django/contrib/admin/static/$1" -f
RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/django/contrib/admin/static/$1" [L]
# First try to find the files in pdc
RewriteCond "/usr/lib/python2.7/site-packages/pdc/static/$1" -f
RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pdc/static/$1" [L]
# Try to find them in the patternfly files
RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L]
# An entry for our exported branches
RewriteCond "/var/www/html/extras/$1" -f
RewriteRule "^/extras/(.*)" "/var/www/html/extras/$1" [L]
<Location "/">
SetHandler wsgi-script
LimitRequestBody 256000000
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
Require all granted
MellonEnable "info"
MellonSPPrivateKeyFile "/etc/httpd/saml2/certificate.key"
MellonSPCertFile "/etc/httpd/saml2/certificate.pem"
MellonSPMetadataFile "/etc/httpd/saml2/metadata.xml"
MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
MellonEndpointPath /saml2
MellonVariable "saml-sesion-cookie"
MellonUser username
MellonIdP "IDP"
MellonSessionLength 3600
# MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
# MellonPostDirectory "/var/lib/ipsilon/post_cache"
# MellonPostReplay On
</Location>
<Location /auth/saml2login>
WSGIProcessGroup pdc
MellonEnable "auth"
Header append Cache-Control "no-cache"
</Location>
WSGIPassAuthorization On
<Location /rest_api/v1/auth/token>
WSGIProcessGroup pdc
</Location>
<Location "/static">
SetHandler None
# Disable auth on the static content, so that we're aren't forced to
# use Kerberos. Doing so would remove "Expires" headers from the static
# content, which would lead to poor page-load times.
AuthType none
Satisfy Any
Require all granted
# Many file types are likely to benefit from compression
# Enable gzip compression on them:
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
# Set far-future Expires headers on static content
# (trac 184):
ExpiresActive On
ExpiresDefault "access plus 10 years"
</Location>
<Location "/extras">
SetHandler None
# Disable auth on the extras content, so that we're aren't forced to
# use Kerberos. Doing so would remove "Expires" headers from the extras
# content, which would lead to poor page-load times.
AuthType none
Satisfy Any
Require all granted
# Many file types are likely to benefit from compression
# Enable gzip compression on them:
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
</Location>
<Location "/docs">
SetHandler None
# Disable auth on the static content, so that we're aren't forced to
# use Kerberos. Doing so would remove "Expires" headers from the static
# content, which would lead to poor page-load times.
AuthType none
Satisfy Any
Require all granted
# Many file types are likely to benefit from compression
# Enable gzip compression on them:
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
# Set far-future Expires headers on static content
# (trac 184):
ExpiresActive On
ExpiresDefault "access plus 2 weeks"
</Location>
</VirtualHost>


@ -1,159 +0,0 @@
# Feel free to `cp settings_local.py.dist settings.local.py`
# and customize your settings, changes here will be populated
# automatically.
#
# This file only contains the minimized settings you should do,
# please look into settings.py to see the whole avaiable settings
# you can do for your PDC instance.
#
# NOTE: For developers or others who want to extend the default
# settings, please remember to update your settings_local.py
# when the items you extended got updated in settings.py.
# Turn on the fedmsg publishing plugin.
MESSAGE_BUS = {
'MLP': 'fedmsg', # MLP: Messaging Library Package
}
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'pdc.apps.auth.authentication.TokenAuthenticationWithChangeSet',
'rest_framework.authentication.SessionAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
],
'DEFAULT_FILTER_BACKENDS': (
'rest_framework.filters.DjangoFilterBackend',
'pdc.apps.utils.utils.RelatedNestedOrderingFilter',
),
'DEFAULT_METADATA_CLASS': 'contrib.bulk_operations.metadata.BulkMetadata',
'DEFAULT_RENDERER_CLASSES': (
'rest_framework.renderers.JSONRenderer',
'pdc.apps.common.renderers.ReadOnlyBrowsableAPIRenderer',
),
'EXCEPTION_HANDLER': 'pdc.apps.common.handlers.exception_handler',
'DEFAULT_PAGINATION_CLASS': 'pdc.apps.common.pagination.AutoDetectedPageNumberPagination',
}
# Because we don't want to kerberos, we want to ipsilon
LOGIN_URL = '/auth/saml2login'
AUTHENTICATION_BACKENDS = (
'pdc.apps.auth.backends.AuthMellonUserBackend', # XXX - <- no kerb
'django.contrib.auth.backends.ModelBackend',
)
MIDDLEWARE_CLASSES = (
'pdc.apps.utils.middleware.MessagingMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'pdc.apps.auth.middleware.RemoteUserMiddleware', # XXX - <- no kerb
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware',
'kobo.django.menu.middleware.MenuMiddleware',
'pdc.apps.changeset.middleware.ChangesetMiddleware',
)
import os.path
BASE_DIR = os.path.dirname(os.path.dirname(__file__))
{% if env == 'staging' %}
SECRET_KEY = '{{ pdc_secret_key_stg }}'
{% else %}
SECRET_KEY = '{{ pdc_secret_key_prod }}'
{% endif %}
DEBUG = False
# NOTE: this is needed when DEGUB is False.
# https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
ALLOWED_HOSTS = [
{% if env == 'staging' %}
'pdc.stg.fedoraproject.org',
{% else %}
'pdc.fedoraproject.org',
{% endif %}
'{{ inventory_hostname }}',
'{{ inventory_hostname_short }}',
'localhost',
]
# Database settings
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql_psycopg2',
'NAME': 'pdc',
'USER': 'pdc',
{% if env == 'staging' %}
'PASSWORD': '{{ pdc_db_pass_stg }}',
'HOST': 'db01.stg',
{% else %}
'PASSWORD': '{{ pdc_db_pass_prod }}',
'HOST': 'db01',
{% endif %}
}
}
REST_API_URL = 'rest_api/'
REST_API_VERSION = 'v1'
# https://github.com/product-definition-center/product-definition-center/issues/352
USE_X_FORWARDED_HOST = True
# https://pagure.io/fedora-infrastructure/issue/6122
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
BROWSABLE_DOCUMENT_MACROS = {
# need to be rewrite with the real host name when deploy.
'HOST_NAME': 'http://{{ inventory_hostname }}:80',
# make consistent with rest api root.
'API_PATH': '%s%s' % (REST_API_URL, REST_API_VERSION),
}
def get_setting(setting):
import pdc.settings
return getattr(pdc.settings, setting)
# ======== Email configuration =========
# Email addresses who would like to receive email
ADMINS = (
# TODO -- eventually replace this with admin.fp.o
('PDC Admins', 'rbean@redhat.com'),
)
MANAGERS = ADMINS
# Email SMTP HOST configuration
EMAIL_HOST = 'bastion'
# Email sender's address
SERVER_EMAIL = 'nobody@fedoraproject.org'
EMAIL_SUBJECT_PREFIX = '[PDC]'
{% if env == 'staging' %}
DIST_GIT_WEB_ROOT_URL = 'https://src.stg.fedoraproject.org/cgit/'
{% else %}
DIST_GIT_WEB_ROOT_URL = 'https://src.fedoraproject.org/cgit/'
{% endif %}
DIST_GIT_RPM_PATH = 'rpms/'
DIST_GIT_REPO_FORMAT = DIST_GIT_WEB_ROOT_URL + DIST_GIT_RPM_PATH + "%s" + ".git"
# Use this to deny people creating new "epel" or "fedora" branches after we
# import the existing oldschool branches.
#COMPONENT_BRANCH_NAME_BLACKLIST_REGEX = r'^(epel\d+|el\d+|f\d+|fc\d+)'
# un-comment below 4 lines if enable email notification as meet any error
#get_setting('LOGGING').get('loggers').update({'pdc.apps.common.handlers': {
# 'handlers': ['mail_admins'],
# 'level': 'ERROR',
#}})


@ -133,7 +133,6 @@
- python3-productmd
- ostree
- python3-libmodulemd
- python3-pdc-client
- python3-koji-cli-plugins
- python3-fedfind # needed by clean-amis.py script
- python3-boto3 # needed by clean-amis.py script

View file

@ -9,7 +9,6 @@ scp db-koji01.iad2.fedoraproject.org:/backups/koji-$(date +%F).dump.xz /srv/web/
scp db01.iad2.fedoraproject.org:/backups/pkgdb2-$(date +%F).dump.xz /srv/web/infra/db-dumps/pkgdb2.dump.xz
scp db01.iad2.fedoraproject.org:/backups/koschei-$(date +%F).dump.xz /srv/web/infra/db-dumps/koschei.dump.xz
scp db01.iad2.fedoraproject.org:/backups/bodhi2-$(date +%F).dump.xz /srv/web/infra/db-dumps/bodhi2.dump.xz
scp db01.iad2.fedoraproject.org:/backups/pdc-$(date +%F).dump.xz /srv/web/infra/db-dumps/pdc.dump.xz
scp db01.iad2.fedoraproject.org:/backups/anitya-public-$(date +%F).dump.xz /srv/web/infra/db-dumps/anitya.dump.xz
scp db01.iad2.fedoraproject.org:/backups/mailman-$(date +%F).dump.xz /srv/web/infra/db-dumps/mailman.dump.xz
scp db01.iad2.fedoraproject.org:/backups/odcs-$(date +%F).dump.xz /srv/web/infra/db-dumps/odcs.dump.xz