Split out the koji_builder package installs so we can drop ntp/ntpdate
for f34 (they were replaced by ntpsec and we use chrony anyhow).
After we move prod to f34 we should merge these back.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

We need to also add mock to sssd ignore groups/users, but for now since
we are frozen, only do this in staging. After freeze, we should merge
this back into one file.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

debuginfod can take O(60s) to run certain webapi queries, so the httpd
mod_proxy default timeouts are too short. Introduce an ansible
variable "proxyopts", expanded into the httpd ProxyPass and
ProxyPassReverse configuration lines. Default to "", but set it
with pretty generous limits for debuginfod only.

We never use the auditing stuff, so let's turn it off (and set
short limits for audit event duration so we can run the cleanup
and get rid of existing audit events). Let's also use the new
setting that only runs asset cleanup if free space is low.

Signed-off-by: Adam Williamson <awilliam@redhat.com>

Try to fix the number of TCP connections allowed to get
to the dns servers by increasing it from the default 100 to 1000. This
will hopefully help fix the issue in
https://pagure.io/fedora-infrastructure/issue/9850 where the name
servers are not able to answer TCP connections after a while.

Signed-off-by: Stephen Smoogen <smooge@smoogespace.com>

So, we need a bit more logic here.
We want to use the vpn hosts file only if something is on the vpn and
it's also not in iad2. In iad2 we want the normal hosts file.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

This isn't very clever, but it should work and be easily understandable.
We likely want to come up with a better way to do these hosts files
entirely, but it can wait until after freeze.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

Basically, we are now installing a small wrapper in /usr/local/bin
which just echoes to stdout what should be in the authorized_keys
file for that user.
That content is generated by retrieving the ssh key from sssd via
the command sss_ssh_authorizedkeys as well as the usual ssh way to
restrict the action a user/key can do: command="...".
In this case, we're setting a couple of environment variables that
are needed later on for things to work properly as well as only
allowing the user to call the aclchecker.py script provided by pagure.

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
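An added example, not the Fedora infrastructure wrapper itself, of the approach the last commit message describes: take the keys that sss_ssh_authorizedkeys returns and print authorized_keys lines pinned to a forced command. The aclchecker path, the PAGURE_USER variable name, the helper function names, the use of the `restrict` option and the key-line validation are assumptions made for this example.

```shell
#!/bin/sh
# Added example; names below are assumptions, not taken from the real wrapper.
ACLCHECKER=/path/to/aclchecker.py   # placeholder path to pagure's aclchecker.py

# Fetch the user's public keys from sssd (redefine this to test offline).
fetch_keys() {
    sss_ssh_authorizedkeys "$1"
}

# Print one authorized_keys line per valid key, each bound to the forced command.
emit_authorized_keys() {
    user=$1
    # Reject usernames that could break out of the quoted command="..." string.
    case $user in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    fetch_keys "$user" | while IFS= read -r line; do
        # Split into fields without glob expansion: <type> <base64> [comment]
        set -f; set -- $line; set +f
        # Only bare keys are accepted, so a directory entry that already
        # carries options (e.g. its own command="...") is dropped.
        case $1 in
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) continue ;;
        esac
        case $2 in
            ''|*[!A-Za-z0-9+/=]*) continue ;;
        esac
        # "restrict" disables forwarding, PTY allocation and similar features;
        # the free-form comment field is not copied into the output.
        printf 'command="/usr/bin/env PAGURE_USER=%s %s",restrict %s %s\n' \
            "$user" "$ACLCHECKER" "$1" "$2"
    done
}

# A wrapper script in /usr/local/bin would end with:
#   emit_authorized_keys "$1"
```

Because the key type and base64 fields are checked before printing, nothing stored in the directory can add options ahead of the forced command.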