Merge branch 'master' of /git/ansible

inventory/group_vars/bodhi-backend-stg

@@ -68,6 +68,9 @@ fedmsg_certs:
   - bodhi.update.eject
   - bodhi.update.complete.testing
   - bodhi.update.complete.stable
+  - bodhi.update.request.testing
+  - bodhi.update.request.stable
+  - bodhi.update.request.batched
   - bodhi.buildroot_override.untag
 - service: ftpsync
   owner: root

inventory/group_vars/librariesio2fedmsg-stg

@@ -0,0 +1,11 @@
+---
+# XXX - this is not really a group of real hosts.
+# Instead, it represents an application in openshift.
+# See playbooks/openshift-apps/waiverdb.yml
+
+fedmsg_env: stg
+
+fedmsg_certs:
+- service: librariesio2fedmsg
+  can_send:
+  - sse2fedmsg.librariesio

inventory/group_vars/newcloud

@@ -6,3 +6,4 @@ fas_client_groups: sysadmin-main
 dns: 8.8.8.8
 freezes: false
 ansible_ifcfg_whitelist: ['eth1']
+baseiptables: false

inventory/group_vars/osbs-masters-stg

@@ -36,6 +36,9 @@ osbs_orchestrator_cpu_limitrange: "95m"
 osbs_worker_default_nodeselector: "worker=true"
 osbs_orchestrator_default_nodeselector: "orchestrator=true"
 
+osbs_conf_service_accounts:
+  - koji
+
 osbs_conf_readwrite_users:
   - system:serviceaccount:{{ osbs_namespace }}:default
   - system:serviceaccount:{{ osbs_namespace }}:builder

inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org

@@ -37,6 +37,7 @@ fedmsg_certs:
   - pungi.compose.phase.stop
   - pungi.compose.status.change
   - pungi.compose.createiso.targets
+  - pungi.compose.ostree
   - releng.atomic.twoweek.begin
   - releng.atomic.twoweek.complete
 # These are certs for the masher to publish its own messages as it progresses.
@@ -56,7 +57,9 @@ fedmsg_certs:
   - bodhi.update.eject
   - bodhi.update.complete.testing
   - bodhi.update.complete.stable
+  - bodhi.update.request.testing
   - bodhi.update.request.stable
+  - bodhi.update.request.batched
   - bodhi.update.karma.threshold.reach
   - bodhi.buildroot_override.untag
 - service: ftpsync

inventory/host_vars/compose-x86-01.phx2.fedoraproject.org

@@ -45,6 +45,7 @@ fedmsg_certs:
   - pungi.compose.createiso.targets
   - pungi.compose.createiso.imagefail
   - pungi.compose.createiso.imagedone
+  - pungi.compose.ostree
   # traditional old school compose stuff
   - compose.branched.complete
   - compose.branched.mash.complete

inventory/host_vars/rawhide-composer.phx2.fedoraproject.org

@@ -25,6 +25,7 @@ fedmsg_certs:
   - pungi.compose.createiso.targets
   - pungi.compose.createiso.imagefail
   - pungi.compose.createiso.imagedone
+  - pungi.compose.ostree
   - compose.rawhide.complete
   - compose.rawhide.mash.complete
   - compose.rawhide.mash.start

inventory/inventory

@@ -1476,10 +1476,12 @@ bodhi-backend01.phx2.fedoraproject.org
 [openshift-pseudohosts:children]
 greenwave
 waiverdb
+#librariesio2fedmsg
 
 [openshift-pseudohosts-stg:children]
 greenwave-stg
 waiverdb-stg
+librariesio2fedmsg-stg
 
 [greenwave]
 greenwave-web-greenwave.app.os.fedoraproject.org
@@ -1492,3 +1494,6 @@ waiverdb-web-waiverdb.app.os.fedoraproject.org
 
 [waiverdb-stg]
 waiverdb-web-waiverdb.app.os.stg.fedoraproject.org
+
+[librariesio2fedmsg-stg]
+librariesio2fedmsg-librariesio2fedmsg.app.os.stg.fedoraproject.org

playbooks/groups/buildvm.yml

@@ -109,6 +109,7 @@
           builder_openshift_url: 'https://{{osbs_url}}',
           client_config_secret: 'client_config_secret',
           reactor_config_secret: 'reactor_config_secret',
+          koji_certs_secret: 'kojisecret',
           token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-osbs',
           namespace: 'osbs-fedora',
           can_orchestrate: true

playbooks/groups/osbs-cluster.yml

@@ -381,12 +381,6 @@
     }
 
   tasks:
-    - name: set custom build policy for koji builder in openshift for osbs
-      shell: "oc adm policy add-role-to-user -n default osbs-custom-build {{ osbs_koji_stg_username }} --role-namespace=default && touch /etc/origin/koji-custom-build-policy-added"
-      args:
-        creates: "/etc/origin/koji-builder-policy-added"
-      when: env == "staging"
-      environment: "{{ osbs_environment }}"
     - name: set custom build policy for koji builder in openshift for osbs
       shell: "oc adm policy add-role-to-user -n default osbs-custom-build {{ osbs_koji_prod_username }} --role-namespace=default && touch /etc/origin/koji-custom-build-policy-added"
       args:
@@ -397,6 +391,7 @@
       shell: "oc adm policy add-role-to-user -n default osbs-custom-build system:serviceaccount:default:builder --role-namespace=default && touch /etc/origin/koji-builder-policy-added"
       args:
         creates: "/etc/origin/koji-builder-policy-added"
+      when: env == "production"
       environment: "{{ osbs_environment }}"
 
 - name: Create worker namespace
@@ -456,12 +451,14 @@
   roles:
   - role: osbs-namespace
     osbs_orchestrator: true
+    osbs_worker_clusters: "{{ osbs_conf_worker_clusters }}"
     osbs_cpu_limitrange: "{{ osbs_orchestrator_cpu_limitrange }}"
     osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
     osbs_authoritative_registry: "{{ source_registry }}"
     osbs_sources_command: "{{ osbs_conf_sources_command }}"
     osbs_vendor: "{{ osbs_conf_vendor }}"
     osbs_readwrite_users: "{{ osbs_conf_readwrite_users }}"
+    osbs_service_accounts: "{{ osbs_conf_service_accounts }}"
     when: env == "staging"
 
 - name: setup reactor config secret in orchestrator namespace

playbooks/host_update.yml

@@ -29,4 +29,4 @@
 
   - name: run rkhunter --propupd
     command: /usr/bin/rkhunter --propupd
-    when: rkhunter|success
+    when: rkhunter is success

playbooks/rkhunter_only.yml

@@ -12,9 +12,4 @@
 
   - name: run rkhunter --propupd
     command: /usr/bin/rkhunter --propupd
-    when: rkhunter|success
-
-
-
-
-
+    when: rkhunter is success

playbooks/rkhunter_update.yml

@@ -20,9 +20,4 @@
 
   - name: run rkhunter --propupd
     command: /usr/bin/rkhunter --propupd
-    when: rkhunter|success
-
-
-
-
-
+    when: rkhunter is success

playbooks/vhost_update.yml

@@ -21,12 +21,14 @@
 # Call out to another playbook.  Disable any proxies that may live here
 #- include_playbook: update-proxy-dns.yml status=disable proxies=myvms_new:&proxies
 
-- name: update the system
+- name: set downtime
   hosts: "{{ target }}:myvms_new"
-  gather_facts: True
+  gather_facts: False
   user: root
+  serial: 1
 
   tasks:
+
   - name: schedule regular host downtime
     nagios: action=downtime minutes=30 service=host host={{ inventory_hostname_short }}{{ env_suffix }}
     delegate_to: noc01.phx2.fedoraproject.org
@@ -34,6 +36,12 @@
     failed_when: no
     when: nonagios is not defined or not "true" in nonagios
 
+- name: update the system
+  hosts: "{{ target }}:myvms_new"
+  gather_facts: True
+  user: root
+
+  tasks:
   - name: expire-caches
     command: yum clean expire-cache
     when: ansible_distribution_major_version|int < 22
@@ -62,4 +70,4 @@
 
   - name: run rkhunter --propupd
     command: /usr/bin/rkhunter --propupd
-    when: rkhunter|success
+    when: rkhunter is success

roles/base/tasks/main.yml

@@ -54,7 +54,7 @@
   ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
   notify:
   - restart NetworkManager
-  when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
+  when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
   tags:
    - config
    - resolvconf
@@ -67,7 +67,7 @@
   changed_when: false
   failed_when: 'if_uuid.stdout == ""'
   check_mode: no
-  when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist )
+  when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist )
   tags:
    - config
    - ifcfg
@@ -81,7 +81,7 @@
 #  - restart NetworkManager
   - reload NetworkManager-connections
   - apply interface-changes
-  when: (virthost is not defined) and (item.startswith(('eth','br','enc'))) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest|success and ( not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist )
+  when: (virthost is not defined) and (item.startswith(('eth','br','enc'))) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest is success and ( not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist )
   tags:
    - config
    - ifcfg

roles/beaker/server/tasks/main.yml

@@ -100,7 +100,7 @@
 
 - name: initialize beaker database
   command: "beaker-init -u {{beaker_server_admin_user}} -p {{beaker_server_admin_pass}} -e {{beaker_server_email}}"
-  when: setup_beaker_conf|success
+  when: setup_beaker_conf is success
   tags:
     - beaker-init
     - beaker-server

roles/mirrormanager/mirrorlist_proxy/files/daemon.json

@@ -1,3 +1 @@
-{
-"live-restore": true
-}
+{}

roles/nginx/tasks/ssl-setup.yml

@@ -22,7 +22,7 @@
     - "{{ httpd_ssl_crt_file }}"
     skip: True
   register: setup_ssl_pem
-  when: setup_ssl_key|success
+  when: setup_ssl_key is success
   tags:
   - update_ssl_certs
 

roles/osbs-client/tasks/main.yml

@@ -36,6 +36,7 @@
   with_items:
     - "prod"
     - "prod_inner"
+    - "orchestrator"
   tags:
   - osbs-client