These hosts are rhel10 now and removing nftables takes out the entire
libvirt stack as it doesn't support iptables anymore.
This results in base removing libvirt and the hypervisor role
re-installing it every playbook run. It also means the network doesn't
work on guests at all.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The x86 ones are now in rdu3 and reinstalled with rhel10.
All the power9 ones are in rdu3 and reinstalled.
So, we should just enable nbde on all of them.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
releng moved things from pagure.io/releng to
forge.fedoraproject.org/releng/tooling
Adjust this cron to do likewise.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need this in order to be able to use them as jumphosts with ssh.
Without it, there's no easy way to get to any internal machines.
Just enable it here and leave the default off.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Some hosts don't seem to be set up right for sudo/become (copr mostly).
Just use root like our normal ansible stuff does.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We still aren't able to get to mgmt on this host, but it's up and
operating normally, so we might as well use it for now.
If it goes down we can remove it again.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
There's no need to keep ocp-rdu3 around anymore; we only used
it when we were moving datacenters last year.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This reverts commit 4fdd0c9fca.
This causes robosignatory's priorities to not work.
We want to handle some requests before others, but if we prefetch 25 of
them, there could be any mix of requests and we wouldn't process the most
important ones first.
We are re-signing in prep for branching next week; we need to also make
sure to sign things with the f45 ima key.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This role is intended to be run on a build{vm|hw} machine that is in the
secure-boot channel in koji. It sets up the siguldry pesign-bridge that
allows builds done there to call pesign to sign artifacts by bind
mounting a socket into the mock chroot.
This then calls sigul's pesign client which sends the artifact to the
sigul vault via the sigul bridge for signing. The vault has access to
a secure token to sign the artifact with.
This should (once confirmed working) replace the roles/bkernel role that
used a secure card that was directly attached to a buildhw device.
This should allow us to add support for aarch64 as well as more easily
use different hardware or VMs as any of them could be set up to query
the sigul server.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>