Removes the batcave script, retrieve-security-question.py
which is no longer needed with Noggin / FreeIPA-FAS
Signed-off-by: Ryan Lerch <rlerch@redhat.com>

We had a bunch of old el6 conditionals in here, and we have 0 el6
machines. We also now have some CentOS instances, so we shouldn't check
for RedHat or Fedora anymore. Also, everything is using the newer
openvpn now so no need to make sure the old one is stopped.
This should not affect the vast majority of hosts, but it should allow
the el7/el8-test instances vpns to actually work.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

We need to add these hosts to the vpn to use ipa for auth on them.
They are in the 192.168.100 network, which is the 'more restricted'
subnet of vpn. After the freeze we will probably want to lock this down
more with a rule on all hosts except ipa* to reject everything from
them. In the meantime the firewall rules blocking most things should be
ok for now.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

We need this volume here also because this is where the cron job that
calculates the DIRECTORY_SIZES.txt file lives.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

Our fedora_ftp volume is on an SSD aggregate that's running out of space.
So, let's move /pub/archive (17TB) off it on to its own volume on a
SAS aggregate. archive gets less traffic than other releases, so it
shouldn't be a problem. This will mean however when we archive a release
it will cause a bunch of deletes and re-downloads for mirrors because we
can no longer hardlink content over and then delete it, but there is no
help for that.
I will also notify mirror-admins list about this pending action.
There shouldn't be any short term issues.
Once this PR is merged, we need to run playbooks, then go to a host with
rw access to fedora_ftp and rm the archive tree on it.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

Split out the koji_builder package installs so we can drop ntp/ntpdate
for f34 (they were replaced by ntpsec and we use chrony anyhow).
After we move prod to f34 we should merge these back.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

We need to also add mock to sssd ignore groups/users, but for now since
we are frozen, only do this in staging. After freeze, we should merge
this back into one file.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

debuginfod can take O(60s) to run certain webapi queries, so the httpd
mod_proxy default timeouts are too short. Introduce an ansible
variable "proxyopts", expanded into the httpd ProxyPass and
ProxyPassReverse configuration lines. Default to "", but set it
with pretty generous limits for debuginfod only.

We never use the auditing stuff, so let's turn it off (and set
short limits for audit event duration so we can run the cleanup
and get rid of existing audit events). Let's also use the new
setting that only runs asset cleanup if free space is low.
Signed-off-by: Adam Williamson <awilliam@redhat.com>

We are going to sync the contents from fedora_ftp/pub/archive over to
fedora_ftp_archive volume. This will free up 17TB or so on the SSD
aggregate that fedora_ftp is on.
This will mean more mirror churn when we archive old releases, but
there's not much else we can do besides this or more ssd storage.
This is ok to do during freeze as compose-rawhide is not frozen. :)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

In order to try and fix the number of TCP connections allowed to get
to the dns servers by increasing from the default 100 to 1000. This
will hopefully help fix the issue in
https://pagure.io/fedora-infrastructure/issue/9850 where the name
servers are not able to answer TCP connections after a while.
Signed-off-by: Stephen Smoogen <smooge@smoogespace.com>