Using `git grep el6` and `git grep el7` and variants like EL-7 or
el-7, I found various entries and files which were no longer needed
with the current ansible. I updated text or tests to later versions of
RHEL as needed.
found entries for the fedora ami's for the original cloud and removed
those entries also.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
Missed this in review, but if we do this it causes logrotate to error
out because there's a rsyslog and a rsyslog-logrotate files with the
same log files mentioned. So, we need to just replace the stock rsyslog
file and not use the ryslog-logrotate one. ;)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Setup osbuild so it only needs to exist on the specific builders in the
osbuild channel, not all builders.
Also, setup things so we can add a blocklist that will block external
subnets/ip's if we need to do so. Currently it should just be an empty
set, but we can implement it as needed/desired starting with the ips we
already were blocking on just some hosts.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
ns01 and ns02 are used by internal iad2 ssytems for dns resolution.
This means bastion uses them for smtp outgoing at least.
Lots of dnssec servers out there still are using SHA1 signatures, and
without this the hosts will simply not resolve at all.
So, until things are better we need to set these back to allow SHA1.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is a hack to work around SPF screwing us for @fedoraproject.org
aliases. It only fixes email from @redhat.com, but due to bugzilla thats
a lot of email.
Without this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com sent out directly to gmail and gets rejected because
we aren't in the redhat.com SPF record.
With this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com but sent to mx2.redhat.com to deliver. Since
mx2.redhat.com definitely is in the redhat.com SPF record the email is
delivered fine and SPF checks pass.
This won't help for other domains with -all SPF records, but at least it
helps for all the redhat.com emails, of which there are a lot going to
fedoraproject.org aliases. :)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We changed this to DEFAULT:FEDORA32 a while back because the certs for
the old totpcgi sudo needed it to work. Now thats all gone and we are
100% on ipa and sssd, this should no longer be needed.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Something is broken with smtp_tls_connection_reuse = yes, so disable it
for now. Also, setup a tls_policy map file and tell it to not use tls
for mx2.redhat.com. The normal smtp connection reuse works just fine, so
this will keep mail flowing until we can one day figure out why tls
connection reuse is busted.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Recently, redhat.com changed internal MX servers. The new servers are
have rate limits on incoming emails from one ip and admins there don't
want to add a bunch of exceptions, so we need to adjust our end to not
flood connections to them. Currently, connections burst up to 100 (the
smtp postfix default) which goes over their limits and causes the
internal MX to reject emails from us for a while.
So, this change:
* Adds some domains to fast_flush. This allows us to use postqueue -s
domain to flush emails to a particular domain.
* Changes the smtp limit to 40. This is under the redhat.com limit.
* Has ansible actually install the master.cf.gateway on bastion servers.
Currently they were using the stock/default one.
* Enables the tlsproxy service, which is actually needed to get that tls
reuse working.
After these changes, we keep few connections to the redhat.com mx open,
but we reuse them and send more emails over existing connections. No
'too many connection emails' have happened since the changes.
The queue slowly seems to be processing down.
Since this was causing an outage of email, I have already applied these
things to bastion01, but I'd like to make sure we match up to whats in
ansible.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Everything should now be using linux-system-roles/network, so we drop
our hacky nmcli calls and everything that referred to them, including
exclude variables. Also, lets just let NM handle resolv.conf so it's not
wrong all the time on reboots.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Found the reason that the definitions I had put were not
working. There were two different ones and i was looking at the wrong
one. Put the two tasks with the same logic so things should work no
matter which one is run.
We need to always run these even in check mode, because they register
things used in the last one of them. So, this could change this in check
mode if we modify it. Be careful!
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
