drop qa_isolated.

We no longer need this as it was put in place when taskotron was going to run user provided tests. Since the only left in 'qa' is openqa and it only tests fedora images/updates and is still also in it's own vlan, we no longer need to reject things in qa from the rest of their same vlan. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-05-12 10:56:20 +08:00 · 2020-06-14 15:34:00 -07:00
parent 82b9bf6e90
commit 814ae5c182
4 changed files with 2 additions and 53 deletions
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -927,31 +927,6 @@ pagure-stg01.fedoraproject.org

 [gnome_backups]

-[qa_isolated]
-# openQA boxes start - note old openQA aarch64 workers intentionally
-# not here as they are not in QA network at all
-openqa01.qa.fedoraproject.org
-#openqa01.iad2.fedoraproject.org
-openqa-stg01.qa.fedoraproject.org
-openqa-aarch64-01.qa.fedoraproject.org
-openqa-aarch64-03.qa.fedoraproject.org
-openqa-ppc64le-01.qa.fedoraproject.org
-openqa-ppc64le-02.qa.fedoraproject.org
-openqa-ppc64le-03.qa.fedoraproject.org
-qa01.qa.fedoraproject.org
-qa02.qa.fedoraproject.org
-qa05.qa.fedoraproject.org
-qa07.qa.fedoraproject.org
-qa09.qa.fedoraproject.org
-qa14.qa.fedoraproject.org
-# openQA boxes end
-db-qa01.qa.fedoraproject.org
-db-qa02.qa.fedoraproject.org
-db-qa03.qa.fedoraproject.org
-db-openqa01.iad2.fedoraproject.org
-resultsdb01.qa.fedoraproject.org
-resultsdb-stg01.qa.fedoraproject.org
-
 [osbs_control]
 osbs-control01.iad2.fedoraproject.org

--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -44,19 +44,6 @@

 {% endif %}

-{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
-#
-# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group 
-# to block all access from that group. This is to protect them from any possible attack 
-# vectors from qa-isolated machines.
-#
-{% for host in groups['qa_isolated']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
 {% if wsgi_fedmsg_service is defined %}
 {% for i in range(wsgi_procs * wsgi_threads) %}
--- a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
@@ -49,19 +49,6 @@
 {% endfor %}
 {% endif %}

-{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
-#
-# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group 
-# to block all access from that group. This is to protect them from any possible attack 
-# vectors from qa-isolated machines.
-#
-{% for host in groups['qa_isolated']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
 {% if wsgi_fedmsg_service is defined %}
 {% for i in range(wsgi_procs * wsgi_threads) %}
--- a/roles/fedmsg/base/tasks/main.yml
+++ b/roles/fedmsg/base/tasks/main.yml
@@ -110,7 +110,7 @@
  - relay.py
  - logging.py
  - base.py
-  when: "'persistent_cloud' not in group_names and 'qa_isolated' not in group_names"
+  when: "'persistent_cloud' not in group_names
  tags:
  - config
  - fedmsgdconfig
@@ -156,7 +156,7 @@
  - relay.py
  - logging.py
  - base.py
-  when: "'persistent_cloud' in group_names or 'qa_isolated' in group_names"
+  when: "'persistent_cloud' in group_names
  tags:
  - config
  - fedmsgdconfig