download: enable/finish anubis for other download servers

Fixed up a few things missed and caught in testing on dl01: * need to setup subuid/subgid files for podman * need to allow the right port for httpd to listen in selinux * need httpd network connect to allow it to connect to anubis * adjust worker values, we were not using prefork for a long time so the values were just default up them a bunch. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-02-02 20:59:02 +08:00 · 2026-01-22 10:16:22 -08:00
parent 9717d920af
commit 6ceb3ea68b
6 changed files with 38 additions and 9 deletions
--- a/roles/anubis-el/files/subgid
+++ b/roles/anubis-el/files/subgid
@@ -0,0 +1 @@
+anubis:231072:65536
--- a/roles/anubis-el/files/subuid
+++ b/roles/anubis-el/files/subuid
@@ -0,0 +1 @@
+anubis:231072:65536
--- a/roles/anubis-el/tasks/main.yml
+++ b/roles/anubis-el/tasks/main.yml
@@ -25,6 +25,28 @@
  - config
  - anubis

+- name: install subuid file
+  ansible.builtin.file:
+    dest: /etc/subuid
+    src: subuid
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+  - config
+  - anubis
+
+- name: install subgid file
+  ansible.builtin.file:
+    dest: /etc/subgid
+    src: subuid
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+  - config
+  - anubis
+
 - name: Create the directory to store the anubis policy file
  ansible.builtin.file:
    dest: /srv/anubis/cfg/
--- a/roles/anubis/tasks/main.yml
+++ b/roles/anubis/tasks/main.yml
@@ -41,9 +41,9 @@
  tags:
  - anubis

- name: Set ports so httpd can bind to 8345
-  ansible.builtin.command: semanage port -a -t http_port_t -p tcp 8345
-  when: semanageoutput.stdout.find("8345") == -1
+- name: Set ports so httpd can bind to 3923
+  ansible.builtin.command: semanage port -a -t http_port_t -p tcp 3923
+  when: semanageoutput.stdout.find("3923") == -1
  tags:
  - anubis

--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -17,6 +17,10 @@
 - name: Set httpd_use_nfs seboolean
  seboolean: name=httpd_use_nfs state=yes persistent=yes

+- name: Set httpd_can_network_connect needed for anubis
+  seboolean: name=httpd_can_network_connect state=yes persistent=yes
+
+
 - name: Check the selinux context rsyncd log
  ansible.builtin.command: matchpathcon /var/log/rsyncd-fedora.log
  register: rsyncdlog
--- a/roles/download/templates/httpd/dl.fedoraproject.org.conf
+++ b/roles/download/templates/httpd/dl.fedoraproject.org.conf
@@ -56,13 +56,14 @@ Listen 3923 http
  ServerAlias archive.fedoraproject.org archives.fedoraproject.org secondary.fedoraproject.org download-ib01.fedoraproject.org download-cc-rdu01.fedoraproject.org
  ServerAdmin webmaster@fedoraproject.org

+  RemoteIPHeader X-Real-Ip
+  RemoteIPInternalProxy ::1
+
  Include "conf.d/dl.fedoraproject.org/*.conf"

 </VirtualHost>

-# Prefork tuning
-<IfModule mpm_prefork_module>
-    ServerLimit               {{ httpd_maxrequestworkers * 1.5 }}
-    MaxRequestWorkers         {{ httpd_maxrequestworkers }}
-    MaxConnectionsPerChild    {{ httpd_maxrequestworkers * 5 }}
-</IfModule>
+
+ServerLimit           3200
+MaxRequestWorkers     3200
+MaxRequestsPerChild    10000