Add a batcave01 in rdu3. Note that any changes made to this host before
the cutover may be wiped out by syncing content from the old one, so
probably you shouldn't use it yet.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
migrated notes from infra/hosts
motd changes; excluding CSI infos
removed csi_* vars from group_vars; converted csi_purpose & csi_relationship into notes
fixed merge conflicts
minor changes; var
updating YAMLs & playbooks
updated YAMLs & playbooks again
updated correctly; buildhw.yml
fixing merge conflicts
dest added in motd.yml
Time to retire ODCS. ELN is moved off and that was the last thing using
it. Thanks for all the service ODCS!
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Thanks for all the uploads fedimg.
You go to a far far better place I'm sure.
There's no point in keeping it around now, as it's actually not working
and the replacement (cloud-image-uploader) should work soon.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
With the EOL of Fedora 38 yesterday, we are no longer building any
modules and can retire our module build service.
Note that toddlers needs to be adjusted still, that will happen after
this.
Thanks for all the modules!
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This removes osbs and almost all its associated playbooks and files.
It served long and well, but we no longer need it.
flatpaks are building with a koji-flatpak plugin.
base/minimal/toolbox containers are building with kiwi.
We aren't building any other containers right now, and if we did they could
be added to kiwi.
This is the end of an era... I look with nostalgia on
ansible-ansible-openshift-ansible (a role to setup ansible on a control
host and run it from our ansible).
Good bye osbs!
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Setup osbuild so it only needs to exist on the specific builders in the
osbuild channel, not all builders.
Also, setup things so we can add a blocklist that will block external
subnets/IPs if we need to do so. Currently it should just be an empty
set, but we can implement it as needed/desired starting with the IPs we
already were blocking on just some hosts.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
In the past we only enabled sftp on servers where we needed it.
(ones using sshfs, ones that users might need to sftp to, etc).
However, nowadays the openssh scp client uses sftp, so we might as well
just enable it globally so people don't need to use 'scp -O' (which
has it use the old scp protocol, which will be removed someday).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This was done using yq (https://mikefarah.gitbook.io/yq/operators/sort-keys).
Doing things this way makes it much easier to see if a variable is set
in a file or if two hosts differ in what variables they set. Hopefully
we can keep things sorted moving forward.
Basically this means just sort a-z anything you add to any host or group
variable and it will be in the right place.
Additionally, this enforces 'normal' indent rules for all the variable
files which we should also try and obey. 2 spaces for first level, 3 for
next, etc. When in doubt you can run yq on it.
This should cause NO actual variable changes, it's all just readability
fixing for humans, ansible parses it exactly the same.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Newer fedora is working on dropping scp (for lots of good reasons)
internally, but using a sftp wrapper. ie, you call scp and internally
ssh uses sftp. This won't work unless the server has sftp enabled.
I (and I suspect other admins) scp things to batcave from time to time
so it would be nice to have this on.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Normally it's just a nitpick to not have trailing spaces on variables.
However, for some things like mac address, it really matters.
Bunches of buildhw's were failing ansible because they were passing
"mac address " to linux-system-roles networking and ansible was going
'huh, nope, I can't find that mac address here at all'.
So, just blow all the trailing spaces away to avoid any other variables
that hit this.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Almost global anyway, i.e. inside the VPN.
The ipa/client-based shell access and sudo rules are only effective for
staging right now, the respective playbook bits are masked out for prod.
- Assign Ansible host groups to IPA host groups, the latter don't care
about 'stg' in the name and use dashes rather than underscores.
- Distill shell access groups from fas_client_groups in group and host
vars.
- Let all `sysadmin-*` groups in the previous list run anything via sudo
in the host group (except bastion & batcave).
- Remove `fas_client_groups` from staging host and group vars.
- Remove sudoers from staging host and group vars if only `sysadmin-*`
groups have shell access.
- Set up `ipa_client_shell_groups` on bastion to be a super set of the
same on batcave.
Newly created IPA host groups:
- autosign
- badges
- basset
- bastion
- batcave
- blockerbugs
- bodhi
- bugzilla2fedmsg
- busgateway
- datagrepper
- dbserver
- dns
- fedimg
- github2fedmsg
- ipa
- kernel-qa
- kerneltest
- kojibuilder
- kojihub
- kojipkgs
- logging
- mailman
- memcached
- mirrormanager
- nagios
- notifs
- oci-registry
- odcs
- openqa
- openqa-workers
- osbs
- packages
- pdc-web
- pkgs
- proxies
- rabbitmq
- releng-compose
- resultsdb
- secondary
- sign-bridge
- sundries
- value
- wiki
Signed-off-by: Nils Philippsen <nils@redhat.com>
Gnome folks have a gnome-backups01 vm that has a netapp volume for backups.
They manage it via our ansible repo and playbooks.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>