Setup osbuild so it only needs to exist on the specific builders in the
osbuild channel, not all builders.
Also, setup things so we can add a blocklist that will block external
subnets/ip's if we need to do so. Currently it should just be an empty
set, but we can implement it as needed/desired starting with the ips we
already were blocking on just some hosts.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
ns01 and ns02 are used by internal iad2 ssytems for dns resolution.
This means bastion uses them for smtp outgoing at least.
Lots of dnssec servers out there still are using SHA1 signatures, and
without this the hosts will simply not resolve at all.
So, until things are better we need to set these back to allow SHA1.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is a hack to work around SPF screwing us for @fedoraproject.org
aliases. It only fixes email from @redhat.com, but due to bugzilla thats
a lot of email.
Without this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com sent out directly to gmail and gets rejected because
we aren't in the redhat.com SPF record.
With this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com but sent to mx2.redhat.com to deliver. Since
mx2.redhat.com definitely is in the redhat.com SPF record the email is
delivered fine and SPF checks pass.
This won't help for other domains with -all SPF records, but at least it
helps for all the redhat.com emails, of which there are a lot going to
fedoraproject.org aliases. :)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We changed this to DEFAULT:FEDORA32 a while back because the certs for
the old totpcgi sudo needed it to work. Now thats all gone and we are
100% on ipa and sssd, this should no longer be needed.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Something is broken with smtp_tls_connection_reuse = yes, so disable it
for now. Also, setup a tls_policy map file and tell it to not use tls
for mx2.redhat.com. The normal smtp connection reuse works just fine, so
this will keep mail flowing until we can one day figure out why tls
connection reuse is busted.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Recently, redhat.com changed internal MX servers. The new servers are
have rate limits on incoming emails from one ip and admins there don't
want to add a bunch of exceptions, so we need to adjust our end to not
flood connections to them. Currently, connections burst up to 100 (the
smtp postfix default) which goes over their limits and causes the
internal MX to reject emails from us for a while.
So, this change:
* Adds some domains to fast_flush. This allows us to use postqueue -s
domain to flush emails to a particular domain.
* Changes the smtp limit to 40. This is under the redhat.com limit.
* Has ansible actually install the master.cf.gateway on bastion servers.
Currently they were using the stock/default one.
* Enables the tlsproxy service, which is actually needed to get that tls
reuse working.
After these changes, we keep few connections to the redhat.com mx open,
but we reuse them and send more emails over existing connections. No
'too many connection emails' have happened since the changes.
The queue slowly seems to be processing down.
Since this was causing an outage of email, I have already applied these
things to bastion01, but I'd like to make sure we match up to whats in
ansible.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Everything should now be using linux-system-roles/network, so we drop
our hacky nmcli calls and everything that referred to them, including
exclude variables. Also, lets just let NM handle resolv.conf so it's not
wrong all the time on reboots.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Found the reason that the definitions I had put were not
working. There were two different ones and i was looking at the wrong
one. Put the two tasks with the same logic so things should work no
matter which one is run.
We need to always run these even in check mode, because they register
things used in the last one of them. So, this could change this in check
mode if we modify it. Be careful!
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Just writing a config file isn't enough, apparently. We need to
really call update-crypto-policies. This attempts to do so, but
only if it's really necessary, by using some handy check args.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
This is VASTLY better than the hack we have in base now to try and setup
ifcfg files. It uses a standard role that has lots of options and does
the right thing with NetworkManager. Ideally we would switch everything
to this, but lets try it here first to see. It should work with bridges,
etc as well.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
