From a6fc58fa93f23e0610209e6fc4fac1b35bfd12d9 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 4 Apr 2018 07:12:46 +0000 Subject: [PATCH 1/8] Do not use baseiptables with newcloud Signed-off-by: Patrick Uiterwijk --- inventory/group_vars/newcloud | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/group_vars/newcloud b/inventory/group_vars/newcloud index 4b4821ebaa..9a181c3de9 100644 --- a/inventory/group_vars/newcloud +++ b/inventory/group_vars/newcloud @@ -6,3 +6,4 @@ fas_client_groups: sysadmin-main dns: 8.8.8.8 freezes: false ansible_ifcfg_whitelist: ['eth1'] +baseiptables: false From 70234221051fb045eaf4b9e9e1555466a00a769b Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Wed, 4 Apr 2018 09:55:48 +0200 Subject: [PATCH 2/8] Remove osbs-on-openshift on stg Signed-off-by: Clement Verna --- playbooks/groups/osbs-cluster.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 4d401c9216..d7bb943fce 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -381,12 +381,6 @@ } tasks: - - name: set custom build policy for koji builder in openshift for osbs - shell: "oc adm policy add-role-to-user -n default osbs-custom-build {{ osbs_koji_stg_username }} --role-namespace=default && touch /etc/origin/koji-custom-build-policy-added" - args: - creates: "/etc/origin/koji-builder-policy-added" - when: env == "staging" - environment: "{{ osbs_environment }}" - name: set custom build policy for koji builder in openshift for osbs shell: "oc adm policy add-role-to-user -n default osbs-custom-build {{ osbs_koji_prod_username }} --role-namespace=default && touch /etc/origin/koji-custom-build-policy-added" args: 
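Review bot: The added `baseiptables: false` presumably switches off the base role's iptables handling for every host in the newcloud group (the commit title says as much), yet the group_vars file carries no note on what provides host-level filtering instead. A reader cannot tell whether that is intentional or a gap, so record it next to the key, e.g. `# base role iptables disabled on this group; host filtering is handled by <REPLACE: what manages the firewall on newcloud>`. The neighbouring keys in this file are plain values, so a one-line comment above the key matches the file's style.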
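Review bot: The surviving production task in this hunk should be checked for the marker-file mismatch the removed staging task had: its shell command touches `/etc/origin/koji-custom-build-policy-added`, while the removed twin declared `creates: "/etc/origin/koji-builder-policy-added"`, which is the marker of the separate builder-policy task in the next hunk. If the production task's `creates:` (past the visible `args:`, outside the hunk) carries that same builder path, the custom-build role binding is silently skipped whenever the builder policy has already been applied on the master. The one-line fix would be `creates: "/etc/origin/koji-custom-build-policy-added"`. The task definition continues beyond the end of the hunk, so this is a request to verify rather than a confirmed defect.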
@@ -397,6 +391,7 @@ shell: "oc adm policy add-role-to-user -n default osbs-custom-build system:serviceaccount:default:builder --role-namespace=default && touch /etc/origin/koji-builder-policy-added" args: creates: "/etc/origin/koji-builder-policy-added" + when: env == "production" environment: "{{ osbs_environment }}" - name: Create worker namespace From 43acb9144f7e3dc759875bb8c8bfeedce82ddd22 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Wed, 4 Apr 2018 10:55:35 +0200 Subject: [PATCH 3/8] Add OSBS service account and worker cluster Signed-off-by: Clement Verna --- inventory/group_vars/osbs-masters-stg | 3 +++ playbooks/groups/osbs-cluster.yml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/inventory/group_vars/osbs-masters-stg b/inventory/group_vars/osbs-masters-stg index 66023ce329..2ed3811191 100644 --- a/inventory/group_vars/osbs-masters-stg +++ b/inventory/group_vars/osbs-masters-stg @@ -36,6 +36,9 @@ osbs_orchestrator_cpu_limitrange: "95m" osbs_worker_default_nodeselector: "worker=true" osbs_orchestrator_default_nodeselector: "orchestrator=true" +osbs_conf_service_accounts: + - koji + osbs_conf_readwrite_users: - system:serviceaccount:{{ osbs_namespace }}:default - system:serviceaccount:{{ osbs_namespace }}:builder diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index d7bb943fce..ec4f05a6f4 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml 
@@ -451,12 +451,14 @@ roles: - role: osbs-namespace osbs_orchestrator: true + osbs_worker_clusters: "{{ osbs_conf_worker_clusters }}" osbs_cpu_limitrange: "{{ osbs_orchestrator_cpu_limitrange }}" osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}" osbs_authoritative_registry: "{{ source_registry }}" osbs_sources_command: "{{ osbs_conf_sources_command }}" osbs_vendor: "{{ osbs_conf_vendor }}" osbs_readwrite_users: "{{ osbs_conf_readwrite_users }}" + osbs_service_accounts: "{{ osbs_conf_service_accounts }}" when: env == "staging" - name: setup reactor config secret in orchestrator namespace From d3f892291c889e786104fa84e26cfee0889f9730 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 4 Apr 2018 16:39:08 +0000 Subject: [PATCH 4/8] Lets try and cut down on invalid fedmsg senders. --- inventory/group_vars/bodhi-backend-stg | 3 +++ inventory/group_vars/librariesio2fedmsg-stg | 11 +++++++++++ .../host_vars/bodhi-backend01.phx2.fedoraproject.org | 3 +++ .../host_vars/compose-x86-01.phx2.fedoraproject.org | 1 + .../host_vars/rawhide-composer.phx2.fedoraproject.org | 1 + inventory/inventory | 5 +++++ 6 files changed, 24 insertions(+) create mode 100644 inventory/group_vars/librariesio2fedmsg-stg diff --git a/inventory/group_vars/bodhi-backend-stg b/inventory/group_vars/bodhi-backend-stg index 20937ad041..692b237fd6 100644 --- a/inventory/group_vars/bodhi-backend-stg +++ b/inventory/group_vars/bodhi-backend-stg @@ -68,6 +68,9 @@ fedmsg_certs: - bodhi.update.eject - bodhi.update.complete.testing - bodhi.update.complete.stable + - bodhi.update.request.testing + - bodhi.update.request.stable + - bodhi.update.request.batched - bodhi.buildroot_override.untag - service: ftpsync owner: root diff --git a/inventory/group_vars/librariesio2fedmsg-stg b/inventory/group_vars/librariesio2fedmsg-stg new file mode 100644 index 0000000000..e9bcb48712 --- /dev/null +++ b/inventory/group_vars/librariesio2fedmsg-stg 
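Review bot: The new `osbs_worker_clusters: "{{ osbs_conf_worker_clusters }}"` line references a variable this commit never defines; the only inventory change in the commit is `osbs_conf_service_accounts` in inventory/group_vars/osbs-masters-stg. Unless `osbs_conf_worker_clusters` already exists in the staging inventory, the osbs-namespace role invocation fails with an undefined-variable error at template time. Either confirm it is set for the hosts matching `when: env == "staging"`, or define it in inventory/group_vars/osbs-masters-stg next to `osbs_conf_service_accounts`. The role invocation continues outside the hunk.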
@@ -0,0 +1,11 @@ +--- +# XXX - this is not really a group of real hosts. +# Instead, it represents an application in openshift. +# See playbooks/openshift-apps/waiverdb.yml + +fedmsg_env: stg + +fedmsg_certs: +- service: librariesio2fedmsg + can_send: + - sse2fedmsg.librariesio diff --git a/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org b/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org index c85cc70f8f..0ace88e950 100644 --- a/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org +++ b/inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org @@ -37,6 +37,7 @@ fedmsg_certs: - pungi.compose.phase.stop - pungi.compose.status.change - pungi.compose.createiso.targets + - pungi.compose.ostree - releng.atomic.twoweek.begin - releng.atomic.twoweek.complete # These are certs for the masher to publish its own messages as it progresses. @@ -56,7 +57,9 @@ fedmsg_certs: - bodhi.update.eject - bodhi.update.complete.testing - bodhi.update.complete.stable + - bodhi.update.request.testing - bodhi.update.request.stable + - bodhi.update.request.batched - bodhi.update.karma.threshold.reach - bodhi.buildroot_override.untag - service: ftpsync diff --git a/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org b/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org index 13230dcee3..d01785fcf0 100644 --- a/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org +++ b/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org @@ -45,6 +45,7 @@ fedmsg_certs: - pungi.compose.createiso.targets - pungi.compose.createiso.imagefail - pungi.compose.createiso.imagedone + - pungi.compose.ostree # traditional old school compose stuff - compose.branched.complete - compose.branched.mash.complete diff --git a/inventory/host_vars/rawhide-composer.phx2.fedoraproject.org b/inventory/host_vars/rawhide-composer.phx2.fedoraproject.org index fda7f21ee7..504eaa7072 100644 --- a/inventory/host_vars/rawhide-composer.phx2.fedoraproject.org 
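Review bot: The header comment of the new group_vars file points at `playbooks/openshift-apps/waiverdb.yml`, which looks copied from the waiverdb pseudo-group and has nothing to do with librariesio2fedmsg. A reader following that reference lands on the wrong application; point it at the playbook that deploys this app, e.g. `# See playbooks/openshift-apps/<librariesio2fedmsg playbook>.yml`, or drop the line if no such playbook exists yet. Since `can_send` under `fedmsg_certs` appears to be the topic allowlist for this certificate, a short comment saying that new topics must be added here before the app may publish them would also help the next person who hits an "invalid sender" rejection.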
+++ b/inventory/host_vars/rawhide-composer.phx2.fedoraproject.org @@ -25,6 +25,7 @@ fedmsg_certs: - pungi.compose.createiso.targets - pungi.compose.createiso.imagefail - pungi.compose.createiso.imagedone + - pungi.compose.ostree - compose.rawhide.complete - compose.rawhide.mash.complete - compose.rawhide.mash.start diff --git a/inventory/inventory b/inventory/inventory index ab474afa02..baa94f0eea 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1476,10 +1476,12 @@ bodhi-backend01.phx2.fedoraproject.org [openshift-pseudohosts:children] greenwave waiverdb +#librariesio2fedmsg [openshift-pseudohosts-stg:children] greenwave-stg waiverdb-stg +librariesio2fedmsg-stg [greenwave] greenwave-web-greenwave.app.os.fedoraproject.org @@ -1492,3 +1494,6 @@ waiverdb-web-waiverdb.app.os.fedoraproject.org [waiverdb-stg] waiverdb-web-waiverdb.app.os.stg.fedoraproject.org + +[librariesio2fedmsg-stg] +librariesio2fedmsg-librariesio2fedmsg.app.os.stg.fedoraproject.org From 84052aaf53c2f6cce136df9e68b6b3d5c500fbfd Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Wed, 4 Apr 2018 19:21:36 +0200 Subject: [PATCH 5/8] Update osbs-client configuration on builders Signed-off-by: Clement Verna --- playbooks/groups/buildvm.yml | 1 + roles/osbs-client/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index e8705b6e3b..566e5d817c 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -109,6 +109,7 @@ builder_openshift_url: 'https://{{osbs_url}}', client_config_secret: 'client_config_secret', reactor_config_secret: 'reactor_config_secret', + koji_certs_secret: 'kojisecret', token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-osbs', namespace: 'osbs-fedora', can_orchestrate: true diff --git a/roles/osbs-client/tasks/main.yml b/roles/osbs-client/tasks/main.yml index a3fe5a9e02..5a5ececa71 100644 --- a/roles/osbs-client/tasks/main.yml 
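Review bot: The commented-out `#librariesio2fedmsg` under `[openshift-pseudohosts:children]` gives no reason, and this commit creates no `[librariesio2fedmsg]` group or matching group_vars file, so uncommenting it later would reference a group that does not exist. State the condition inline, e.g. `#librariesio2fedmsg -- no production group or group_vars yet; only librariesio2fedmsg-stg is defined`, so the entry is not enabled by accident. The `[librariesio2fedmsg-stg]` section in the second hunk of this file is fine as written.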
+++ b/roles/osbs-client/tasks/main.yml @@ -36,6 +36,7 @@ with_items: - "prod" - "prod_inner" + - "orchestrator" tags: - osbs-client From 7d5983e35f6f738fdd249ca0272e64ee0bd6cd71 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 4 Apr 2018 19:49:17 +0200 Subject: [PATCH 6/8] This is now the default, and specifying both is not working well Signed-off-by: Patrick Uiterwijk --- roles/mirrormanager/mirrorlist_proxy/files/daemon.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/mirrormanager/mirrorlist_proxy/files/daemon.json b/roles/mirrormanager/mirrorlist_proxy/files/daemon.json index c0bd95ba72..0967ef424b 100644 --- a/roles/mirrormanager/mirrorlist_proxy/files/daemon.json +++ b/roles/mirrormanager/mirrorlist_proxy/files/daemon.json @@ -1,3 +1 @@ -{ -"live-restore": true -} +{} From 0353f1f6a221ce1e29677cb2afd96d6a7ab1dac1 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 4 Apr 2018 19:20:24 +0000 Subject: [PATCH 7/8] fix up vhost_update to not swamp noc01 and cause unreachables --- playbooks/vhost_update.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/playbooks/vhost_update.yml b/playbooks/vhost_update.yml index eece3fd51a..fb5afeda2b 100644 --- a/playbooks/vhost_update.yml +++ b/playbooks/vhost_update.yml @@ -21,12 +21,14 @@ # Call out to another playbook. Disable any proxies that may live here #- include_playbook: update-proxy-dns.yml status=disable proxies=myvms_new:&proxies -- name: update the system +- name: set downtime hosts: "{{ target }}:myvms_new" - gather_facts: True + gather_facts: False user: root + serial: 1 tasks: + - name: schedule regular host downtime nagios: action=downtime minutes=30 service=host host={{ inventory_hostname_short }}{{ env_suffix }} delegate_to: noc01.phx2.fedoraproject.org 
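Review bot: With the downtime play now running `serial: 1` and the update play moved into the next hunk, every host's `minutes=30` downtime is scheduled before the first update starts, so on a large `{{ target }}:myvms_new` set the window set for the early hosts may lapse before the update play reaches them and monitoring may alert on the update after all. Either size `minutes=` to cover the expected end-to-end run, or keep the two-play split but note the trade-off above the play, e.g. `# downtime is set serially for all hosts first; minutes= must cover the whole update run`. The `failed_when: no` on the nagios task is unchanged context, so a failure to schedule downtime is still silent; that is worth a comment too if it is deliberate.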
@@ -34,6 +36,12 @@ failed_when: no when: nonagios is not defined or not "true" in nonagios +- name: update the system + hosts: "{{ target }}:myvms_new" + gather_facts: True + user: root + + tasks: - name: expire-caches command: yum clean expire-cache when: ansible_distribution_major_version|int < 22 From 9fe41eca70d38025f0e18a9401305da32b5c438f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 4 Apr 2018 19:24:21 +0000 Subject: [PATCH 8/8] fix deprecated |success to is success --- playbooks/host_update.yml | 2 +- playbooks/rkhunter_only.yml | 7 +------ playbooks/rkhunter_update.yml | 7 +------ playbooks/vhost_update.yml | 2 +- roles/base/tasks/main.yml | 6 +++--- roles/beaker/server/tasks/main.yml | 2 +- roles/nginx/tasks/ssl-setup.yml | 2 +- 7 files changed, 9 insertions(+), 19 deletions(-) diff --git a/playbooks/host_update.yml b/playbooks/host_update.yml index 05d14df90b..c7ba870cd9 100644 --- a/playbooks/host_update.yml +++ b/playbooks/host_update.yml @@ -29,4 +29,4 @@ - name: run rkhunter --propupd command: /usr/bin/rkhunter --propupd - when: rkhunter|success + when: rkhunter is success diff --git a/playbooks/rkhunter_only.yml b/playbooks/rkhunter_only.yml index 63179e2fc0..92f5b35af0 100644 --- a/playbooks/rkhunter_only.yml +++ b/playbooks/rkhunter_only.yml @@ -12,9 +12,4 @@ - name: run rkhunter --propupd command: /usr/bin/rkhunter --propupd - when: rkhunter|success - - - - - + when: rkhunter is success diff --git a/playbooks/rkhunter_update.yml b/playbooks/rkhunter_update.yml index e2939877d1..3e59278929 100644 --- a/playbooks/rkhunter_update.yml +++ b/playbooks/rkhunter_update.yml @@ -20,9 +20,4 @@ - name: run rkhunter --propupd command: /usr/bin/rkhunter --propupd - when: rkhunter|success - - - - - + when: rkhunter is success diff --git a/playbooks/vhost_update.yml b/playbooks/vhost_update.yml index fb5afeda2b..e0879029d3 100644 --- a/playbooks/vhost_update.yml +++ b/playbooks/vhost_update.yml 
@@ -70,4 +70,4 @@ - name: run rkhunter --propupd command: /usr/bin/rkhunter --propupd - when: rkhunter|success + when: rkhunter is success diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index a6eb0ea252..883ea02040 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -54,7 +54,7 @@ ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none notify: - restart NetworkManager - when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv + when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv tags: - config - resolvconf @@ -67,7 +67,7 @@ changed_when: false failed_when: 'if_uuid.stdout == ""' check_mode: no - when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist ) + when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist ) tags: - config - ifcfg 
@@ -81,7 +81,7 @@ # - restart NetworkManager - reload NetworkManager-connections - apply interface-changes - when: (virthost is not defined) and (item.startswith(('eth','br','enc'))) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest|success and ( not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist ) + when: (virthost is not defined) and (item.startswith(('eth','br','enc'))) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest is success and ( not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist ) tags: - config - ifcfg diff --git a/roles/beaker/server/tasks/main.yml b/roles/beaker/server/tasks/main.yml index 3d6eb896ab..261a7b3c1e 100644 --- a/roles/beaker/server/tasks/main.yml +++ b/roles/beaker/server/tasks/main.yml @@ -100,7 +100,7 @@ - name: initialize beaker database command: "beaker-init -u {{beaker_server_admin_user}} -p {{beaker_server_admin_pass}} -e {{beaker_server_email}}" - when: setup_beaker_conf|success + when: setup_beaker_conf is success tags: - beaker-init - beaker-server diff --git a/roles/nginx/tasks/ssl-setup.yml b/roles/nginx/tasks/ssl-setup.yml index a0e138f540..2fbc5ffc97 100644 --- a/roles/nginx/tasks/ssl-setup.yml +++ b/roles/nginx/tasks/ssl-setup.yml @@ -22,7 +22,7 @@ - "{{ httpd_ssl_crt_file }}" skip: True register: setup_ssl_pem - when: setup_ssl_key|success + when: setup_ssl_key is success tags: - update_ssl_certs
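Review bot: The rewritten `when:` in this hunk is a single line of several hundred characters joining eight predicates with `and`; only `nmclitest is success` changed, but the whole line is now what a reviewer has to read. Ansible ANDs the items of a list-valued `when:`, so splitting the top-level conjunction into a list preserves the condition and lets each predicate be read on its own; the `>=7` spacing can be normalised at the same time. The first two roles/base hunks carry the same long-line pattern and could be split the same way. Indentation below is illustrative, since the task's column is not recoverable from the collapsed hunk.
```yaml
  when:
    - virthost is not defined
    - "item.startswith(('eth','br','enc'))"
    - "hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether'"
    - ansible_distribution_major_version|int >= 7
    - "hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active']"
    - nmclitest is success
    - not ansible_ifcfg_blacklist
    - ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist
  # … unchanged: tags list …
```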
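Review bot: The `beaker-init` task whose `when:` this hunk rewrites passes `{{beaker_server_admin_pass}}` as a command-line argument, and Ansible prints the rendered `command:` string in task output on failure and in verbose runs, so the admin password can end up in the playbook log. Add `no_log: true` to the task next to the new `when: setup_beaker_conf is success`. The argument list is also readable by other local users for the duration of the command, which `no_log` does not cover; if beaker-init can take the password from a file or the environment, that form is preferable.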