We intend to use disk encryption and udev network interface
naming on all hosts with the re-deployment, so this attempts to
set up for that.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
The 2023-05 git builds look good on stg, and are now in u-t, so
drop the scratch repos on stg and enable u-t on prod so we get
the builds from u-t everywhere.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
The update isn't in u-t yet (waiting for push) so I'm using the
builds, but this has been in testing on stg for a week and it
seems fine.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
I think the recent git builds are good and I want them everywhere
so I can merge a bunch of things and clean up before the weekend.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
We don't need the scratch builds on stg any more now we've sent
the new builds to updates-testing. We *do* want to use the builds
from u-t on prod now (I don't want to wait a week for the stable
push).
Signed-off-by: Adam Williamson <awilliam@redhat.com>
We don't need scratch builds on lab or updates-testing on prod
any more, latest builds are stable.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
This unifies prod and stg onto the ways of doing things for the
latest packages, and rejigs the swtpm stuff a bit to tear down
more (we shouldn't need the custom SELinux policy any more).
Signed-off-by: Adam Williamson <awilliam@redhat.com>
This was done using yq (
https://mikefarah.gitbook.io/yq/operators/sort-keys )
Doing things this way makes it much easier to see if a variable is set
in a file or if two hosts differ in what variables they set. Hopefully
we can keep things sorted moving forward.
Basically this means just sort a-z anything you add to any host or group
vaiable and it will be in the right place.
Additionally, this enforces 'normal' intent rules for all the variable
files which we should also try and obey. 2 spaces for first level, 3 for
next, etc. When in doubt you can run yq on it.
This should cause NO actual vairable changes, it's all just readability
fixing for humans, ansible parses it exactly the same.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is an official build, not a scratch build, I just want to
get it deployed ahead of the updates-testing push.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
We don't need the scratch builds any more, they're in u-t. We
also don't need to use a side branch on lab createhdds any more,
or deploy from u-t on prod.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
I forgot we actually need to retake a ton of needles for a change
in os-autoinst. Can't deploy the new version till that's done.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
The latest versions that were previously deployed as scratch
builds on lab are now in u-t, and ran fine on lab for a week, so
let's just deploy them from u-t to both instances now.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Latest builds have been testing on lab and are working fine.
They are in u-t so lab doesn't need to use a scratch repo any
more, but prod needs to enable u-t to get them (can't push
stable yet).
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Normally it's just a nitpick to not have trailing spaces on variables.
However, for some things like mac address, it really matters.
Bunches of buildhw's were failing ansibile because they were passing
"mac address " to linux-system-roles networking and ansible was going
'huh, nope, I can't find that mac address here at all'.
So, just blow all the tailing spaces away to avoid any other variables
that hit this.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Almost global anyway, i.e. inside the VPN.
The ipa/client-based shell access and sudo rules are only effective for
staging right now, the respective playbook bits are masked out for prod.
- Assign Ansible host groups to IPA host groups, the latter don't care
about 'stg' in the name and use dashes rather than underscores.
- Distill shell access groups from fas_client_groups in group and host
vars.
- Let all `sysadmin-*` groups in the previous list run anything via sudo
in the host group (except bastion & batcave).
- Remove `fas_client_groups` from staging host and group vars.
- Remove sudoers from staging host and group vars if only `sysadmin-*`
groups have shell access.
- Set up `ipa_client_shell_groups` on bastion to be a super set of the
same on batcave.
Newly created IPA host groups:
- autosign
- badges
- basset
- bastion
- batcave
- blockerbugs
- bodhi
- bugzilla2fedmsg
- busgateway
- datagrepper
- dbserver
- dns
- fedimg
- github2fedmsg
- ipa
- kernel-qa
- kerneltest
- kojibuilder
- kojihub
- kojipkgs
- logging
- mailman
- memcached
- mirrormanager
- nagios
- notifs
- oci-registry
- odcs
- openqa
- openqa-workers
- osbs
- packages
- pdc-web
- pkgs
- proxies
- rabbitmq
- releng-compose
- resultsdb
- secondary
- sign-bridge
- sundries
- value
- wiki
Signed-off-by: Nils Philippsen <nils@redhat.com>
Latest builds in u-t are quite well tested and I want them on
prod, don't want to wait a week for the stable push.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
The main goal of these changes is to allow all workers in each
deployment NFS write access to the factory share. This is because
I want to try using os-autoinst's at-job-run-time decompression
of disk images instead of openQA's at-asset-download-time
decompression; it avoids some awkwardness with the asset file
name, and should also actually allow us to drop the decompression
code from openQA I think.
I also rejigged various other things at the same time as they
kinda logically go together. It's mostly cleanups and tweaks to
group variables. I tried to handle more things explicitly with
variables, as it's better for use of these plays outside of
Fedora infra.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
This pretty much nukes all inventory entries and variables
relating to the old phx2 openQA deployments, as I don't think
they're ever coming up again. I left a few group entries around
for now just in case they're necessary for decommissioning.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
env_suffix isn't actually set to .stg on openQA staging because
it's not a normal staging host. Let's not set it in case it
breaks other plays, but use a custom var instead.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
In ansible 2.8 the - character isn't supposed to be valid in group names.
While we could override this, might has well just bite the bullet and change it.
So, just switch all group names to use _ instead of -
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
