Almost global anyway, i.e. inside the VPN.

The ipa/client-based shell access and sudo rules are only effective for staging right now, the respective playbook bits are masked out for prod.

- Assign Ansible host groups to IPA host groups, the latter don't care about 'stg' in the name and use dashes rather than underscores.
- Distill shell access groups from fas_client_groups in group and host vars.
- Let all `sysadmin-*` groups in the previous list run anything via sudo in the host group (except bastion & batcave).
- Remove `fas_client_groups` from staging host and group vars.
- Remove sudoers from staging host and group vars if only `sysadmin-*` groups have shell access.
- Set up `ipa_client_shell_groups` on bastion to be a superset of the same on batcave.

Newly created IPA host groups:

- autosign
- badges
- basset
- bastion
- batcave
- blockerbugs
- bodhi
- bugzilla2fedmsg
- busgateway
- datagrepper
- dbserver
- dns
- fedimg
- github2fedmsg
- ipa
- kernel-qa
- kerneltest
- kojibuilder
- kojihub
- kojipkgs
- logging
- mailman
- memcached
- mirrormanager
- nagios
- notifs
- oci-registry
- odcs
- openqa
- openqa-workers
- osbs
- packages
- pdc-web
- pkgs
- proxies
- rabbitmq
- releng-compose
- resultsdb
- secondary
- sign-bridge
- sundries
- value
- wiki

Signed-off-by: Nils Philippsen <nils@redhat.com>
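The group handling described in the commit message above, as an added example that is not part of the commit or its repository: it maps Ansible group names to IPA host group names, derives shell and sudo groups, and checks the bastion/batcave superset rule. The comma-separated `fas_client_groups` format, the function names and the sample group names are assumptions.

```python
# Added example; not code from the repository this commit belongs to.
# Assumed: fas_client_groups is a comma-separated string, and 'stg' is an
# underscore-delimited part of the Ansible group name.
NO_BLANKET_SUDO = {"bastion", "batcave"}  # exceptions named in the commit message


def ipa_host_group(ansible_group):
    """Drop 'stg' and use dashes rather than underscores."""
    return "-".join(p for p in ansible_group.split("_") if p != "stg")


def derive_policy(group_vars):
    """Return {ipa_host_group: {"shell", "sudo_all", "only_sysadmin"}}."""
    shell = {}
    for ansible_group, fas_groups in group_vars.items():
        names = {g.strip() for g in fas_groups.split(",") if g.strip()}
        # Several Ansible groups can collapse into one IPA host group.
        shell.setdefault(ipa_host_group(ansible_group), set()).update(names)
    policy = {}
    for hostgroup, names in shell.items():
        admins = sorted(g for g in names if g.startswith("sysadmin-"))
        policy[hostgroup] = {
            "shell": sorted(names),
            # sysadmin-* groups may run anything via sudo, except on bastion & batcave
            "sudo_all": [] if hostgroup in NO_BLANKET_SUDO else admins,
            # True means no non-sysadmin group has shell access here
            "only_sysadmin": len(admins) == len(names),
        }
    return policy


def missing_on_bastion(policy):
    """Groups with shell on batcave but not on bastion (should be empty)."""
    return sorted(set(policy["batcave"]["shell"]) - set(policy["bastion"]["shell"]))


# Constructed sample input; group names are placeholders.
SAMPLE_GROUP_VARS = {
    "openqa_workers_stg": "sysadmin-alpha, sysadmin-beta,apprentice",
    "odcs_stg": "sysadmin-beta",
    "odcs": "sysadmin-gamma",
    "bastion": "sysadmin-alpha,sysadmin-beta,apprentice",
    "batcave": "sysadmin-alpha,sysadmin-gamma",
}

if __name__ == "__main__":
    policy = derive_policy(SAMPLE_GROUP_VARS)
    for hostgroup in sorted(policy):
        print(hostgroup, policy[hostgroup])
    print("missing on bastion:", missing_on_bastion(policy))
```

With the sample data the superset check reports one group that has shell access on batcave but not on bastion, the kind of drift the last rule in the commit message is meant to prevent.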
45 lines
1.2 KiB
Text
---
lvm_size: 20000
mem_size: 2048
num_cpus: 2

# Set this to True for the F28 release and onwards.
freezes: false

# These vars are used to configure mod_wsgi
wsgi_procs: 2
wsgi_threads: 2

tcp_ports: [
  80,
  # These ports are all required for gluster
  111, 24007, 24008, 24009, 24010, 24011,
  49152, 49153, 49154, 49155,
]
# Also for gluster.
udp_ports: [ 111 ]

# Needed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]

odcs_allowed_source_types: ["tag", "module"]

odcs_target_dir_url: https://odcs.stg.fedoraproject.org/composes

nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"


# For the MOTD
csi_security_category: Low
csi_primary_contact: Factory 2 factory2-members@fedoraproject.org
csi_purpose: Run the on-demand-compose-service frontend API.
csi_relationship: |
  The apache/mod_wsgi app is the only thing really running here

  This host:

  - relies on db01 for its database of activity (what composes have been
    requested and what state are they in?)
  - It also mounts an nfs shared provided by odcs-backend01.
  - It provides http access to the compose contents on that nfs share.