diff --git a/README.cloud b/README.cloud index 43996b27fc..f46dd01902 100644 --- a/README.cloud +++ b/README.cloud @@ -38,6 +38,19 @@ openstack is smart enough to just return the current ip of that instance and go on. This way you can re-run if you want to reconfigure it without reprovisioning it. + +Sizes options +------------- + +Name Memory_MB Disk VCPUs +m1.tiny 512 0 1 +m1.small 2048 20 1 +m1.medium 4096 40 2 +m1.large 8192 80 4 +m1.xlarge 16384 160 8 +m1.builder 5120 50 3 + + === Persistent cloud instances === Persistent cloud instances are ones that we want to always have up and diff --git a/inventory/group_vars/dns b/inventory/group_vars/dns index f32edc5a82..17da9d09bf 100644 --- a/inventory/group_vars/dns +++ b/inventory/group_vars/dns @@ -14,3 +14,5 @@ fas_client_groups: sysadmin-main,sysadmin-dns nrpe_procs_warn: 300 nrpe_procs_crit: 500 + +sudoers: "{{ private }}/files/sudo/sysadmin-dns" diff --git a/playbooks/groups/fedocal.yml b/playbooks/groups/fedocal.yml index 9f0252d136..7d9a060779 100644 --- a/playbooks/groups/fedocal.yml +++ b/playbooks/groups/fedocal.yml @@ -1,23 +1,4 @@ -# create a new fedocal server -# NOTE: should be used with --limit most of the time -# NOTE: make sure there is room/space for this server on the vmhost -# NOTE: most of these vars_path come from group_vars/fedocal* or from hostvars - -- name: make fedocal - hosts: fedocal-stg;fedocal - user: root - gather_facts: False - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - - include: "{{ tasks }}/virt_instance_create.yml" - - handlers: - - include: "{{ handlers }}/restart_services.yml" +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=fedocal-stg:fedocal" - name: make the box be real hosts: fedocal-stg;fedocal diff --git a/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml b/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml index 824a144de2..2b85bcbb8f 100644 --- a/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml +++ b/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml @@ -40,6 +40,7 @@ roles: - { role: nfs/client, mnt_dir: '/srv/fedora_stats', nfs_src_dir: 'fedora_stats' } + - geoip tasks: - name: install needed packages @@ -54,4 +55,6 @@ - emacs-nox - emacs-git - git + - bc + - python-geoip-geolite2 ## diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index 99b636d509..d4ad30f0bd 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml @@ -136,18 +136,19 @@ # back to the main release. # This should be disabled when there is a prerelease # - name: prerelease-to-final - website: getfedora.org - regex: /(.*)/prerelease.*$ - target: https://stg.getfedora.org/$1 - when: env == 'staging' +# - role: httpd/redirectmatch +# name: prerelease-to-final +# website: getfedora.org +# regex: /(.*)/prerelease.*$ +# target: https://stg.getfedora.org/$1 +# when: env == 'staging' - - role: httpd/redirectmatch - name: prerelease-to-final - website: getfedora.org - regex: /(.*)/prerelease.*$ - target: https://getfedora.org/$1 - when: env != 'staging' +# - role: httpd/redirectmatch +# name: prerelease-to-final +# website: getfedora.org +# regex: /(.*)/prerelease.*$ +# target: https://getfedora.org/$1 +# when: env != 'staging' - role: httpd/redirect name: store diff --git a/playbooks/include/virt-create.yml b/playbooks/include/virt-create.yml new file mode 100644 index 0000000000..7de5069c40 --- /dev/null +++ b/playbooks/include/virt-create.yml @@ -0,0 +1,15 @@ +- name: make fedocal + hosts: "{{ myhosts }}" + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - include: "{{ tasks }}/virt_instance_create.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + diff --git a/roles/copr/dist_git/tasks/main.yml b/roles/copr/dist_git/tasks/main.yml index 91e06ded51..50234e982e 100644 --- a/roles/copr/dist_git/tasks/main.yml +++ b/roles/copr/dist_git/tasks/main.yml @@ -66,13 +66,10 @@ - copy: src="ssh_config" dest="/home/copr-service/.ssh/config" owner=copr-service group=copr-service mode=0600 +- lineinfile: dest=/etc/cgitrc state=absent regexp="^cache-size" - lineinfile: dest=/etc/cgitrc regexp="^project-list=" line="project-list=/var/lib/copr-dist-git/cgit_pkg_list" - lineinfile: dest=/etc/cgitrc regexp="^scan-path=" line="scan-path=/var/lib/dist-git/git/rpms" -- name: install systemd unit - copy: src="systemd/copr_distgit_updater.service" dest="/etc/systemd/system/" - -- command: "systemctl daemon-reload" - command: "/usr/share/dist-git/dist_git_sync.sh" - name: ensure that services are enabled and started @@ -80,5 +77,5 @@ with_items: - "httpd" - "dist-git.socket" - - "copr_distgit_updater" + - "copr-dist-git" diff --git a/roles/epylog/files/merged/weed_local.cf b/roles/epylog/files/merged/weed_local.cf index e9dab712a5..55d5f3b40e 100644 --- a/roles/epylog/files/merged/weed_local.cf +++ b/roles/epylog/files/merged/weed_local.cf @@ -40,6 +40,7 @@ dhclient.*: Listening on.* dhclient.*: Sending on.* dhclient.*: Sending on.* dhclient.*: $ +docker.* fedmsg-hub.* moksha-hub.* mailman3.* diff --git a/roles/fas_server/files/controllers.py b/roles/fas_server/files/controllers.py new file mode 100644 index 0000000000..6b15a46ad6 --- /dev/null +++ b/roles/fas_server/files/controllers.py @@ -0,0 +1,263 @@ +# -*- coding: utf-8 -*- +# +# Copyright © 2008 Ricky Zhou +# Copyright © 2008-2014 Red Hat, Inc. +# +# This copyrighted material is made available to anyone wishing to use, modify, +# copy, or redistribute it subject to the terms and conditions of the GNU +# General Public License v.2. This program is distributed in the hope that it +# will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the +# implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# See the GNU General Public License for more details. You should have +# received a copy of the GNU General Public License along with this program; +# if not, write to the Free Software Foundation, Inc., 51 Franklin Street, +# Fifth Floor, Boston, MA 02110-1301, USA. Any Red Hat trademarks that are +# incorporated in the source code or documentation are not subject to the GNU +# General Public License and may only be used or replicated with the express +# permission of Red Hat, Inc. +# +# Author(s): Ricky Zhou +# Mike McGrath +# Toshio Kuratomi +# +from bunch import Bunch + +from turbogears import expose, config, identity, redirect +from turbogears.database import session +from cherrypy import request + +import turbogears +import cherrypy +import time + +from fedora.tg import controllers as f_ctrlers +from fedora.tg.utils import request_format + +from fas import release +from fas.user import User +from fas.group import Group +from fas.configs import Config +from fas.fpca import FPCA +from fas.json_request import JsonRequest +from fas.help import Help +from fas.model import Session, People +from fas.model import SessionTable + + +from fas.auth import undeprecated_cla_done +from fas.util import available_languages + +from fas import plugin + +import os + +import datetime + +import socket + +try: + import cPickle as pickle +except ImportError: + import pickle + +class SQLAlchemyStorage: + def __init__(self): + pass + + def load(self, session_id): + s = Session.query.get(session_id) + if not s: + return None + expiration_time = s.expiration_time + pickled_data = s.data + data = pickle.loads(pickled_data.encode('utf-8')) + return (data, expiration_time) + + # This is an iffy one. CherryPy's built in session + # storage classes use delete(self, id=None), but it + # isn't called from anywhere in cherrypy. I think we + # can do this as long as we're careful about how we call it. + def delete(self, session_id=None): + if session_id is None: + session_id = cherrypy.session.id + s = Session.query.get(session_id) + session.delete(s) + session.flush() + + def save(self, session_id, data, expiration_time): + pickled_data = pickle.dumps(data) + s = Session.query.get(session_id) + if not s: + s = Session() + s.id = session_id + s.data = pickled_data + s.expiration_time = expiration_time + session.flush() + + def acquire_lock(self): + pass + + def release_lock(self): + pass + + def clean_up(self, sess): + # This is to make sure that only one server cleans up sessions + if socket.gethostname() != 'fas01.phx2.fedoraproject.org': + return + result = SessionTable.delete( + SessionTable.c.expiration_time.__lt__(datetime.datetime.now()) + ).execute() + +config.update({'session_filter.storage_class': SQLAlchemyStorage}) + +def get_locale(locale=None): + if locale: + return locale + try: + return turbogears.identity.current.user.locale + except AttributeError: + pass + try: + return cherrypy.request.simple_cookie['fas_locale'].value + except KeyError: + pass + + default_language = config.get('default_language', + turbogears.i18n.utils._get_locale()) + return default_language + +config.update({'i18n.get_locale': get_locale}) + + +def add_custom_stdvars(variables): + return variables.update({'gettext': _, "lang": get_locale(), + 'available_languages': available_languages(), + 'fas_version': release.VERSION, + 'webmaster_email': config.get('webmaster_email')}) +turbogears.view.variable_providers.append(add_custom_stdvars) + +# from fas import json +# import logging +# log = logging.getLogger("fas.controllers") + +#TODO: Appropriate flash icons for errors, etc. +# mmcgrath wonders if it will be handy to expose an encrypted mailer with fas +# over json for our apps + +class Root(plugin.RootController): + + user = User() + group = Group() + fpca = FPCA() + json = JsonRequest() + config = Config() + help = Help() + + def __init__(self): + # TODO: Find a better place for this. + os.environ['GNUPGHOME'] = config.get('gpghome') + plugin.RootController.__init__(self) + + def getpluginident(self): + return 'fas' + + @expose(template="fas.templates.welcome", allow_json=True) + def index(self): + if turbogears.identity.not_anonymous(): + if request_format() == 'json': + # redirects don't work with JSON calls. This is a bit of a + # hack until we can figure out something better. + return dict() + turbogears.redirect('/home') + return dict(now=time.ctime()) + + @identity.require(identity.not_anonymous()) + @expose(template="fas.templates.home", allow_json=True) + def home(self): + user_name = turbogears.identity.current.user_name + person = People.by_username(user_name) + (cla_done, undeprecated_cla) = undeprecated_cla_done(person) + + person = person.filter_private() + return dict(person=person, memberships=person['memberships'], cla=undeprecated_cla) + + @expose(template="fas.templates.about") + def about(self): + return dict() + + @expose(template="fas.templates.login", allow_json=True) + def login(self, forward_url=None, *args, **kwargs): + '''Page to become authenticated to the Account System. + + This shows a small login box to type in your username and password + from the Fedora Account System. + + :kwarg forward_url: The url to send to once authentication succeeds + ''' + actual_login_dict = f_ctrlers.login(forward_url=forward_url, *args, **kwargs) + + try: + login_dict = Bunch() + login_dict['user'] = Bunch() + for field in People.allow_fields['complete']: + login_dict['user'][field] = None + for field in People.allow_fields['self']: + login_dict['user'][field] = getattr(actual_login_dict['user'], field) + # Strip out things that the user shouldn't see about their own + # login + login_dict['user']['internal_comments'] = None + login_dict['user']['emailtoken'] = None + login_dict['user']['security_answer'] = None + login_dict['user']['alias_enabled'] = None + login_dict['user']['passwordtoken'] = None + + # Add things that are needed by some other apps + login_dict['user'].approved_memberships = list( + actual_login_dict['user'].approved_memberships) + login_dict['user'].memberships = list(actual_login_dict['user'].memberships) + login_dict['user'].unapproved_memberships = list( + actual_login_dict['user'].unapproved_memberships) + login_dict['user'].group_roles = list(actual_login_dict['user'].group_roles) + login_dict['user'].roles = list(actual_login_dict['user'].roles) + login_dict['user'].groups = [g.name for g in actual_login_dict['user'].approved_memberships] + return login_dict + except KeyError, e: + # No problem, this usually means that we failed to login and + # therefore we don't have a user field. + login_dict = actual_login_dict + + if not identity.current.anonymous and identity.was_login_attempted() \ + and not identity.get_identity_errors(): + # Success that needs to be passed back via json + return login_dict + + if identity.was_login_attempted() and request.fas_provided_username: + if request.fas_identity_failure_reason == 'status_inactive': + turbogears.flash(_('Your old password has expired. Please' + ' reset your password below.')) + if request_format() != 'json': + redirect('/user/resetpass') + if request.fas_identity_failure_reason == 'status_account_disabled': + turbogears.flash(_('Your account is currently disabled. For' + ' more information, please contact %(admin_email)s' % + {'admin_email': config.get('accounts_email')})) + if request_format() != 'json': + redirect('/login') + + return login_dict + + @expose(allow_json=True) + def logout(self): + return f_ctrlers.logout() + + @expose() + def language(self, locale): + if locale not in available_languages(): + turbogears.flash(_('The language \'%s\' is not available.') % locale) + redirect(request.headers.get("Referer", "/")) + return dict() + #turbogears.i18n.set_session_locale(locale) + cherrypy.response.simple_cookie['fas_locale'] = locale + redirect(request.headers.get("Referer", "/")) + return dict() + diff --git a/roles/fas_server/tasks/main.yml b/roles/fas_server/tasks/main.yml index 57370a8704..980013def3 100644 --- a/roles/fas_server/tasks/main.yml +++ b/roles/fas_server/tasks/main.yml @@ -355,3 +355,12 @@ - config - fas - hotfixfas + +- name: HOTFIX make sure only fas01 cleans up sessions + copy: src={{ roles }}/fas_server/files/controllers.py + dest=/usr/lib/python2.6/site-packages/fas/controllers.py + mode=644 owner=root group=root + tags: + - config + - fas + - hotfixfas diff --git a/roles/fedora-web/magazine/templates/fedoramagazine-web.conf b/roles/fedora-web/magazine/templates/fedoramagazine-web.conf index 6f0cd2e686..96e5211a3a 100644 --- a/roles/fedora-web/magazine/templates/fedoramagazine-web.conf +++ b/roles/fedora-web/magazine/templates/fedoramagazine-web.conf @@ -12,6 +12,6 @@ ProxyPass / http://66.226.72.63/ ProxyPassReverse / http://66.226.72.63/ {% else %} # In staging we point to the staging version of the magazine -ProxyPass / http://104.207.133.220/ -ProxyPassReverse / http://104.207.133.220/ +ProxyPass / http://66.226.72.133/ +ProxyPassReverse / http://66.226.72.133/ {% endif %} diff --git a/roles/pagure/frontend/templates/0_pagure.conf b/roles/pagure/frontend/templates/0_pagure.conf index ec26dad4a4..792a74e049 100644 --- a/roles/pagure/frontend/templates/0_pagure.conf +++ b/roles/pagure/frontend/templates/0_pagure.conf @@ -28,27 +28,6 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na {% endif %} - -{% if env == 'pagure-staging' %} - ServerName stg.pagure.org -{% else %} - ServerName pagure.org -{% endif %} - - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - # Use secure TLSv1.1 and TLSv1.2 ciphers - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" - - SSLCertificateFile /etc/pki/tls/certs/docs.pagure.org.crt - SSLCertificateChainFile /etc/pki/tls/certs/docs.pagure.org.intermediate.crt - SSLCertificateKeyFile /etc/pki/tls/certs/docs.pagure.org.key -{% if env == 'pagure-staging' %} - Redirect permanent / https://stg.pagure.io/ -{% else %} - Redirect permanent / https://pagure.io/ -{% endif %} - ## End of redirects http -> https @@ -117,6 +96,30 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na + + +{% if env == 'pagure-staging' %} + ServerName stg.pagure.org +{% else %} + ServerName pagure.org +{% endif %} + + SSLEngine on + SSLProtocol all -SSLv2 -SSLv3 + # Use secure TLSv1.1 and TLSv1.2 ciphers + Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + + SSLCertificateFile /etc/pki/tls/certs/docs.pagure.org.crt + SSLCertificateChainFile /etc/pki/tls/certs/docs.pagure.org.intermediate.crt + SSLCertificateKeyFile /etc/pki/tls/certs/docs.pagure.org.key +{% if env == 'pagure-staging' %} + Redirect permanent / https://stg.pagure.io/ +{% else %} + Redirect permanent / https://pagure.io/ +{% endif %} + + + {% if env == 'pagure-staging' %} ServerName docs.stg.pagure.org