Specify the nfs_mount_opts when mounting /pub/archive on secondary01

add a fedimg.cfg template

add comment about unused config vars

need check for denyhosts and fas_client needs to be before nagios_client

maybe this template setup is proper?

fedmsg.d/ template

fedimg.cfg should be owned by fedmsg and have more strict perms

Signed-off-by: David Gay <oddshocks@riseup.net>

README

@@ -81,7 +81,7 @@ m1.builder  5120       50     3
 Setting up a new persistent cloud host:
 1. select an ip:
    source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
-   euca-describe-addresses
+   oeuca-describe-addresses
   - pick an ip from the list that is not assigned anywhere
   - add it into dns - normally in the cloud.fedoraproject.org but it doesn't
     have to be
@@ -114,9 +114,9 @@ Contents should look like this (remove all the comments)
 ---
 # 2cpus, 3GB of ram 20GB of ephemeral space
 instance_type: m1.large 
-# image id
-image: emi-B8793915 
-keypair: fedora-admin
+# image id - see global vars. You can also use euca-describe-images to find other images as well
+image: "{{ el6_qcow_id }}"
+keypair: fedora-admin-20130801
 # what security group to add the host to
 security_group: webserver 
 zone: fedoracloud 

callback_plugins/fedmsg_callback.py

@@ -34,7 +34,7 @@ def getlogin():
 class CallbackModule(object):
     """ Publish playbook starts and stops to fedmsg. """
 
-    playbook = None
+    playbook_path = None
 
     def __init__(self):
         config = fedmsg.config.load_config()
@@ -43,7 +43,14 @@ class CallbackModule(object):
             cert_prefix='shell',
             active=True,
         ))
-        fedmsg.init(**config)
+        # It seems like recursive playbooks call this over and over again and
+        # fedmsg doesn't like to be initialized more than once.  So, here, just
+        # catch that and ignore it.
+        try:
+            fedmsg.init(**config)
+        except ValueError:
+            pass
+
 
     def playbook_on_play_start(self, pattern):
         # This gets called once for each play.. but we just issue a message once
@@ -57,7 +64,7 @@ class CallbackModule(object):
             if play.playbook.check:
                 return
 
-            if not self.playbook:
+            if not self.playbook_path:
                 fedmsg.publish(
                     modname="ansible", topic="playbook.start",
                     msg=dict(
@@ -69,17 +76,17 @@ class CallbackModule(object):
                         check=play.playbook.check,
                     ),
                 )
-                self.playbook = path
+                self.playbook_path = path
 
     def playbook_on_stats(self, stats):
-        if not self.playbook:
+        if not self.playbook_path:
             return
 
         results = dict([(h, stats.summarize(h)) for h in stats.processed])
         fedmsg.publish(
             modname="ansible", topic="playbook.complete",
             msg=dict(
-                playbook=self.playbook,
+                playbook=self.playbook_path,
                 userid=getlogin(),
                 results=results,
             ),

callback_plugins/logdetail.py

@@ -92,7 +92,7 @@ class LogMech(object):
         res['task_args'] = task.module_args
         if self.playbook_id == 'ansible-cmd':
             res['task_userid'] = getlogin()
-        for k in ("delegate_to", "environment", "first_available_file",
+        for k in ("delegate_to", "environment", "with_first_found",
                   "local_action", "notified_by", "notify",
                   "register", "sudo", "sudo_user", "tags",
                   "transport", "when"):

callback_plugins/profile_tasks.py

@@ -0,0 +1,40 @@
+import time
+
+
+class CallbackModule(object):
+    """
+    A plugin for timing tasks
+    """
+    def __init__(self):
+        self.stats = {}
+        self.current = None
+
+    def playbook_on_task_start(self, name, is_conditional):
+        """
+        Logs the start of each task
+        """
+        if self.current is not None:
+            # Record the running time of the last executed task 
+            self.stats[self.current] = time.time() - self.stats[self.current]
+
+        # Record the start time of the current task
+        self.current = name
+        self.stats[self.current] = time.time()
+
+    def playbook_on_stats(self, stats):
+        """
+        Prints the timings
+        """
+        # Record the timing of the very last task
+        if self.current is not None:
+            self.stats[self.current] = time.time() - self.stats[self.current]
+
+        # Sort the tasks by their running time
+        results = sorted(self.stats.items(), key=lambda value: value[1], reverse=True)
+
+        # Just keep the top 10
+        results = results[:10]
+
+        # Print the timings
+        for name, elapsed in results:
+            print "{0:-<70}{1:->9}".format('{0} '.format(name), ' {0:.02f}s'.format(elapsed))

files/2fa/pam_url.conf.cloud

@@ -0,0 +1,21 @@
+pam_url:
+{
+	settings:
+	{
+		url = "https://fas-all.phx2.fedoraproject.org:8443/";	# URI to fetch
+		returncode = "OK";				# The remote script/cgi should return a 200 http code and this string as its only results
+		userfield = "user";				# userfield name to send
+		passwdfield = "token";				# passwdfield name to send
+		extradata = "&do=login";			# extradata to send
+		prompt = "Password+Token: ";			# password prompt
+	};
+
+	ssl:
+	{
+		verify_peer = true;				# Should we verify SSL ?
+		verify_host = true;				# Should we verify the CN in the SSL cert?
+		client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
+		client_key  = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
+                ca_cert     = "/etc/pki/tls/private/totpcgi-ca.cert";
+	};
+};

files/2fa/pam_url.conf.taskotron-stg01.qa.fedoraproject.org

@@ -0,0 +1,27 @@
+pam_url:
+{
+	settings:
+	{
+                {% if env == 'staging' %}
+		url = "https://fas-all.stg.phx2.fedoraproject.org:8443/";	# URI to fetch
+                {% elif datacenter == 'phx2' %}
+		url = "https://fas-all.phx2.fedoraproject.org:8443/";	# URI to fetch
+                {% else %}
+		url = "https://fas-all.vpn.fedoraproject.org:8443/";	# URI to fetch   
+                {% endif %}
+		returncode = "OK";				# The remote script/cgi should return a 200 http code and this string as its only results
+		userfield = "user";				# userfield name to send
+		passwdfield = "token";				# passwdfield name to send
+		extradata = "&do=login";			# extradata to send
+		prompt = "Password+Token: ";			# password prompt
+	};
+
+	ssl:
+	{
+		verify_peer = true;				# Should we verify SSL ?
+		verify_host = true;				# Should we verify the CN in the SSL cert?
+		client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
+		client_key  = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
+                ca_cert     = "/etc/pki/tls/private/totpcgi-ca.cert";
+	};
+};

files/common/epel7.repo

@@ -0,0 +1,20 @@
+[epel]
+name=Extras Packages for Enterprise Linux $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/7/$basearch/
+enabled=1
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
+
+[epel-testing]
+name=Extras Packages for Enterprise Linux $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/testing/7/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
+
+[epel-beta]
+name=Extras Packages for Enterprise Linux beta $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/beta/7/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7

files/common/fedora-updates-testing.repo-arm

@@ -1,7 +1,7 @@
 [updates-testing]
 name=Fedora $releasever - $basearch - Test Updates
 failovermethod=priority
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/$basearch/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@@ -10,7 +10,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [updates-testing-debuginfo]
 name=Fedora $releasever - $basearch - Test Updates Debug
 failovermethod=priority
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/$basearch/debug/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@@ -19,7 +19,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [updates-testing-source]
 name=Fedora $releasever - Test Updates Source
 failovermethod=priority
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/SRPMS/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1

files/common/fedora-updates.repo-arm

@@ -1,7 +1,7 @@
 [updates]
 name=Fedora $releasever - $basearch - Updates
 failovermethod=priority
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/$basearch/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
 enabled=1
 gpgcheck=1
@@ -10,7 +10,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [updates-debuginfo]
 name=Fedora $releasever - $basearch - Updates - Debug
 failovermethod=priority
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/$basearch/debug/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@@ -19,7 +19,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [updates-source]
 name=Fedora $releasever - Updates Source
 failovermethod=priority
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/SRPMS/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1

files/common/fedora.repo-arm

@@ -1,7 +1,7 @@
 [fedora]
 name=Fedora $releasever - $basearch
 failovermethod=priority
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
 enabled=1
 metadata_expire=7d
@@ -11,7 +11,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [fedora-debuginfo]
 name=Fedora $releasever - $basearch - Debug
 failovermethod=priority
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/debug/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
 enabled=0
 metadata_expire=7d
@@ -21,7 +21,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [fedora-source]
 name=Fedora $releasever - Source
 failovermethod=priority
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/source/SRPMS/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/source/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
 enabled=0
 metadata_expire=7d

files/common/rhel7.repo

@@ -0,0 +1,24 @@
+[rhel7-dvd]
+name = rhel7 base dvd
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-$basearch/
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+[rhel7-base]
+name = rhel7 base $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-rpms
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+[rhel7-optional]
+name = rhel7 optional $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-optional-rpms
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+[rhel7-extras]
+name = rhel7 extras $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-extras-rpms
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+[rhel7-ha]
+name = rhel7 ha $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-ha-for-rhel-7-server-rpms/
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

files/copr/DigiCertCA.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
+YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
+4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
+Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
+itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
+4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
+sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
+bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
+MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
+dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
+L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
+BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
+UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
+aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
+aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
+E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
+/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
+xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
+0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
+cPUeybQ=
+-----END CERTIFICATE-----

files/copr/copr-be.conf

@@ -2,12 +2,12 @@
 
 # URL where are results visible
 # default is http://copr
-results_baseurl=http://copr-be.cloud.fedoraproject.org/results
+results_baseurl=https://copr-be.cloud.fedoraproject.org/results
 
 # ??? What is this
 # default is http://coprs/rest/api
 #frontend_url=http://copr-fe.cloud.fedoraproject.org/backend
-frontend_url=http://172.16.5.6/backend
+frontend_url=https://172.16.5.31/backend
 
 # must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf
 # default is PASSWORDHERE but you really should change it. really.
@@ -22,6 +22,8 @@ spawn_playbook=/home/copr/provision/builderpb.yml
 # default is /etc/copr/terminate_playbook.yml 
 terminate_playbook=/home/copr/provision/terminatepb.yml
 
+terminate_vars=vm_name
+
 # directory where jobs are stored
 # no defaults
 jobsdir=/var/lib/copr/jobs
@@ -53,6 +55,25 @@ worker_logdir=/var/log/copr/workers/
 #fedmsg_enabled=false
 fedmsg_enabled=true
 
+# minimum age for builds to be pruned
+prune_days=14
+# path to executable script to clean old build
+prune_script=/usr/share/copr/copr_prune_old_builds.sh
+
+# enable package signing, require configured
+# signer host and correct /etc/sign.conf
+do_sign={{ do_sign }}
+
+# host or ip of machine with copr-keygen
+# usually the same as in /etc/sign.conf
+keygen_host={{ keygen_host }}
+
+# Spawn builder in advance, before we get task?
+# It save time, but consume resources even when
+# nothing is in queue
+
+spawn_in_advance={{ spawn_in_advance }}
+
 [builder]
 # default is 1800
 timeout=3600

files/copr/copr-be.conf-dev

@@ -51,6 +51,24 @@ worker_logdir=/var/log/copr/workers/
 # default is false
 #fedmsg_enabled=false
 
+# minimum age for builds to be pruned
+prune_days=14
+# path to executable script to clean old build
+prune_script=/usr/share/copr/copr_prune_old_builds.sh
+
+# enable package signing, require configured
+# signer host and correct /etc/sign.conf
+do_sign={{ do_sign }}
+
+# host or ip of machine with copr-keygen
+# usually the same as in /etc/sign.conf
+keygen_host={{ keygen_host }}
+
+# Spawn builder in advance, before we get task?
+# It save time, but consume resources even when
+# nothing is in queue
+
+spawn_in_advance={{ spawn_in_advance }}
 
 [builder]
 # default is 1800

files/copr/delete-forgotten-instances.cron

@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+source /home/copr/cloud/ec2rc.sh
+/home/copr/delete-forgotten-instances.pl
+

files/copr/delete-forgotten-instances.pl

@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+# this scrip query for all running VM and terminate those
+# which are not currently started by some ansible script
+
+while (chomp($a = qx(ps ax |grep -v 'sh -c ps ax'  |grep 'Task: ' | grep -v grep))) {
+  # we are starting some VM and could not determine correct list of running VMs
+  sleep 5;
+}
+
+#print qx(ps ax |grep ' 172.16.3.' |awk '{ print \$33 }');
+@IPs = split('\s+', qx(ps ax |grep ' 172.16.3.' |awk '{ print \$33 }'));
+
+#print "Running instances\n";
+#print join(", ", @IPs), "\n";
+for my $i (@IPs) {
+  $check{$i} = 1;
+}
+
+@instances = split('\n', qx(/bin/euca-describe-instances));
+@TO_DELETE = ();
+for my $i (@instances) {
+  my @COLUMNS = split('\s+', $i);
+  next if $COLUMNS[0] eq 'RESERVATION';
+  #print $COLUMNS[1], ", ", $COLUMNS[15], "\n";
+  push(@TO_DELETE, $COLUMNS[1]) unless $check{$COLUMNS[15]};
+}
+$id_merged = join(" ", @TO_DELETE);
+qx|euca-terminate-instances $id_merged| if ($id_merged);

files/copr/fe/copr.conf

@@ -3,15 +3,16 @@ DATA_DIR = '/var/lib/copr/data'
 DATABASE = '/var/lib/copr/data/copr.db'
 OPENID_STORE = '/var/lib/copr/data/openid_store'
 WHOOSHEE_DIR = '/var/lib/copr/data/whooshee'
+WHOSHEE_MIN_STRING_LEN = 2
 
-SECRET_KEY = {{ copr_secret_key }}
-BACKEND_PASSWORD = {{ copr_backend_password  }}
+SECRET_KEY = '{{ copr_secret_key }}'
+BACKEND_PASSWORD = '{{ copr_backend_password  }}'
 
 # restrict access to a set of users
 #USE_ALLOWED_USERS = False
 #ALLOWED_USERS = ['bonnie', 'clyde']
 
-SQLALCHEMY_DATABASE_URI = {{ copr_database_uri }}
+SQLALCHEMY_DATABASE_URI = '{{ copr_database_uri }}'
 
 # Token length, defaults to 30 (max 255)
 #API_TOKEN_LENGTH = 30
@@ -28,3 +29,8 @@ SQLALCHEMY_ECHO = False
 
 CSRF_ENABLED = True
 WTF_CSRF_ENABLED = True
+
+# send emails when user's perms change in project?
+SEND_EMAILS = True
+
+PUBLIC_COPR_HOSTNAME = '{{ copr_frontend_public_hostname }}'

files/copr/fe/httpd/coprs.conf

@@ -10,8 +10,8 @@ WSGISocketPrefix /var/run/wsgi
     WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
     WSGIProcessGroup 127.0.0.1
 
-    ErrorLog logs/error_coprs
-    CustomLog logs/access_coprs common
+    #ErrorLog logs/error_coprs
+    #CustomLog logs/access_coprs common
 
     <Directory /usr/share/copr>
         WSGIApplicationGroup %{GLOBAL}
@@ -22,9 +22,10 @@ WSGISocketPrefix /var/run/wsgi
 <VirtualHost *:443>
     SSLEngine on
     SSLProtocol all -SSLv2
-    #optimeize on speed
-    SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
+    # Use secure TLSv1.1 and TLSv1.2 ciphers
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
     SSLHonorCipherOrder on
+    Header add Strict-Transport-Security "max-age=15768000"
 
     SSLCertificateFile /etc/pki/tls/ca.crt
     SSLCertificateKeyFile /etc/pki/tls/private/ca.key
@@ -35,8 +36,8 @@ WSGISocketPrefix /var/run/wsgi
     WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
     WSGIProcessGroup 127.0.0.1
 
-    ErrorLog logs/error_coprs
-    CustomLog logs/access_coprs common
+    #ErrorLog logs/error_coprs
+    #CustomLog logs/access_coprs common
 
     <Directory /usr/share/copr>
         WSGIApplicationGroup %{GLOBAL}

files/copr/fe/yum/copr.repo

@@ -4,7 +4,7 @@ failovermethod=priority
 #baseurl=http://copr-be.cloud.fedoraproject.org/results/msuchy/copr/fedora-19-x86_64/
 # 172.16.5.4 is copr-be.cloud.fedoraproject.org
 # see https://fedorahosted.org/fedora-infrastructure/ticket/4025
-baseurl=http://172.16.5.4/results/msuchy/copr/fedora-19-x86_64/
+baseurl=http://172.16.5.4/results/msuchy/copr/fedora-20-x86_64/
 enabled=1
 gpgcheck=0
 

files/copr/forward-dev

@@ -0,0 +1,3 @@
+msuchy+coprmachine@redhat.com
+asamalik@redhat.com
+vgologuz@redhat.com

files/copr/hosts

@@ -0,0 +1,7 @@
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+172.16.5.31  copr-fe.cloud.fedoraproject.org
+172.16.5.31  copr.fedoraproject.org
+172.16.5.4 copr-be.cloud.fedoraproject.org
+172.16.5.5 copr-be-dev.cloud.fedoraproject.org
+172.16.5.15 copr-fe-dev.cloud.fedoraproject.org

files/copr/keystonerc

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# With the addition of Keystone, to use an openstack cloud you should
+# authenticate against keystone, which returns a **Token** and **Service
+# Catalog**.  The catalog contains the endpoint for all services the
+# user/tenant has access to - including nova, glance, keystone, swift.
+#
+# *NOTE*: Using the 2.0 *auth api* does not mean that compute api is 2.0.  We
+# will use the 1.1 *compute api*
+export OS_AUTH_URL=http://172.23.0.2:5000/v2.0
+
+# With the addition of Keystone we have standardized on the term **tenant**
+# as the entity that owns the resources.
+
+export OS_TENANT_ID={{ copr_tenant_id }}
+export OS_TENANT_NAME="copr"
+
+# In addition to the owning entity (tenant), openstack stores the entity
+# performing the action as the **user**.
+export OS_USERNAME=msuchy
+
+# With Keystone you pass the keystone password.
+export OS_PASSWORD={{ copr_nova_password }}

files/copr/lighttpd/lighttpd.conf

@@ -448,8 +448,8 @@ server.upload-dirs = ( "/var/tmp" )
 
 $SERVER["socket"] == ":443" {
   ssl.engine = "enable"
-  ssl.pemfile = "/etc/lighttpd/coprs-be.fedoraproject.org.pem"
-  ssl.ca-file = "/etc/lighttpd/coprs-be.fedoraproject.org.crt"
+  ssl.pemfile = "/etc/lighttpd/copr-be.fedoraproject.org.pem"
+  ssl.ca-file = "/etc/lighttpd/DigiCertCA.crt"
   ssl.disable-client-renegotiation = "enable"
   ssl.cipher-list             = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
 }

files/copr/provision/ansible.cfg

@@ -88,6 +88,6 @@ record_host_keys=False
 # will result in poor performance, so use transport=paramiko on older platforms rather than
 # removing it
 
-ssh_args=-o PasswordAuthentication=no -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
+ssh_args=-o PasswordAuthentication=no -o ControlMaster=auto -o ControlPersist=60s
 
 

files/copr/provision/builderpb.yml

@@ -1,3 +1,4 @@
+#jinja2:variable_start_string:'[%' , variable_end_string:'%]'
 ---
 - name: check/create instance
   hosts: localhost
@@ -5,30 +6,37 @@
   gather_facts: False
 
   vars:
-  - keypair: buildsys
-  - image: ami-0000000e
-  - instance_type: m1.builder
   - security_group: builder
+  - OS_AUTH_URL: http://172.23.0.2:5000/v2.0
+  - OS_TENANT_NAME: copr
+  - OS_USERNAME: msuchy
+  - OS_PASSWORD: [% copr_nova_password %]
+  # rhel 6.4 2013-02-21 x86_64 - ami
+  - image_id: cba0c766-84ac-4048-b0f5-6d4000af62f8
 
   tasks:
-  - name: spin it up
-    local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }}
-    register: inst_res
+  - name: generate builder name
+    local_action: command echo "Copr builder {{ 999999999 | random }}"
+    register: vm_name
 
-  - name: get its internal ip b/c openstack is sometimes stupid
-    local_action: shell euca-describe-instances {{ inst_res.instances[0].id }} | grep INSTANCE | cut -f 18
-    register: int_ip
+  - name: spin it up
+    local_action: nova_compute auth_url={{OS_AUTH_URL}} flavor_id=6 image_id={{ image_id }} key_name=buildsys login_password={{OS_PASSWORD}} login_tenant_name={{OS_TENANT_NAME}} login_username={{OS_USERNAME}} security_groups={{security_group}} wait=yes name="{{vm_name.stdout}}"
+    register: nova
+
+  # should be able to use nova.private_ip, but it does not work with Fedora Cloud.
+  - debug: msg="IP={{ nova.info.addresses.vlannet_3[0].addr }}"
+
+  - debug: msg="vm_name={{vm_name.stdout}}"
 
   - name: add it to the special group
-    local_action: add_host hostname={{ int_ip.stdout }} groupname=builder_temp_group
+    local_action: add_host hostname={{ nova.info.addresses.vlannet_3[0].addr }} groupname=builder_temp_group
 
   - name: wait for the host to be hot
-    local_action: wait_for host={{ int_ip.stdout }} port=22 delay=5 timeout=600
-
-  - debug: msg="IP={{ int_ip.stdout }}"
+    local_action: wait_for host={{ nova.info.addresses.vlannet_3[0].addr }} port=22 delay=5 timeout=600
 
 - hosts: builder_temp_group
   user: root
+  gather_facts: False
   vars:
    - files: files/
   
@@ -56,9 +64,16 @@
     - mock
     - createrepo
     - yum-utils
+    - pyliblzma
 
   - name: make sure newest rpm
-    action: yum name=rpm state=latest
+    action: yum name={{ item }} state=latest
+    with_items:
+    - rpm
+    - glib2
+    - ca-certificates
+
+  - yum: name=mock  enablerepo=epel-testing state=latest
 
   - name: mockbuilder user   
     action: user name=mockbuilder groups=mock
@@ -79,3 +94,4 @@
     - fedora-20-i386.cfg
     - epel-7-x86_64.cfg
 
+  - lineinfile: dest=/root/.bashrc line="ulimit -n 10240" insertafter=EOF

files/copr/provision/files/mock/epel-7-x86_64.cfg

@@ -1,28 +1,16 @@
-config_opts['chroothome'] = '/builddir'
-config_opts['basedir'] = '/var/lib/mock'
 config_opts['root'] = 'epel-7-x86_64'
 config_opts['target_arch'] = 'x86_64'
 config_opts['legal_host_arches'] = ('x86_64',)
-config_opts['chroot_setup_cmd'] = 'install bash bzip2 coreutils cpio diffutils findutils gawk gcc gcc-c++ grep gzip info make patch redhat-release-server redhat-rpm-config rpm-build sed shadow-utils tar unzip util-linux which xz'
+config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
 config_opts['dist'] = 'el7'  # only useful for --resultdir variable subst
-config_opts['macros'] = {}
-config_opts['macros']['%dist'] = '.el7'
-config_opts['macros']['%rhel'] = '7'
-config_opts['macros']['%el7'] = '1'
-config_opts['macros']['%_topdir'] = '/builddir/build'
-config_opts['macros']['%_rpmfilename'] = '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm'
 config_opts['releasever'] = '7'
 
-config_opts['plugin_conf']['root_cache_enable'] = False
-config_opts['plugin_conf']['yum_cache_enable'] = False
-config_opts['plugin_conf']['ccache_enable'] = False
-
 config_opts['yum.conf'] = """
 [main]
 cachedir=/var/cache/yum
 debuglevel=1
-logfile=/var/log/yum.log
 reposdir=/dev/null
+logfile=/var/log/yum.log
 retries=20
 obsoletes=1
 gpgcheck=0
@@ -31,15 +19,42 @@ syslog_ident=mock
 syslog_device=
 
 # repos
+[base]
+name=BaseOS
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os
+failovermethod=priority
 
-[beta]
-name=beta
-baseurl=http://ftp.redhat.com/redhat/rhel/beta/7/x86_64/os/
+[updates]
+name=updates
+enabled=1
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=updates
+failovermethod=priority
 
 [epel]
-name=Extra Packages for Enterprise Linux 7 - $basearch
-#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
-mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
+name=epel
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-7&arch=x86_64
 failovermethod=priority
-enabled=1
+
+[extras]
+name=extras
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=extras
+failovermethod=priority
+
+[testing]
+name=epel-testing
+enabled=0
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel7&arch=x86_64
+failovermethod=priority
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/epel7-build/latest/x86_64/
+cost=2000
+enabled=0
+
+[epel-debug]
+name=epel-debug
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-7&arch=x86_64
+failovermethod=priority
+enabled=0
 """

files/copr/provision/files/mock/fedora-21-i386.cfg

@@ -0,0 +1,63 @@
+config_opts['root'] = 'fedora-21-i386'
+config_opts['target_arch'] = 'i686'
+config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
+config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
+config_opts['dist'] = 'fc21'  # only useful for --resultdir variable subst
+config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
+config_opts['releasever'] = '21'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+failovermethod=priority
+
+[updates]
+name=updates
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
+failovermethod=priority
+
+[updates-testing]
+name=updates-testing
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/f21-build/latest/i386/
+cost=2000
+enabled=0
+
+[fedora-debuginfo]
+name=fedora-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[updates-debuginfo]
+name=updates-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[updates-testing-debuginfo]
+name=updates-testing-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+"""

files/copr/provision/files/mock/fedora-21-x86_64.cfg

@@ -0,0 +1,63 @@
+config_opts['root'] = 'fedora-21-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
+config_opts['dist'] = 'fc21'  # only useful for --resultdir variable subst
+config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
+config_opts['releasever'] = '21'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+failovermethod=priority
+
+[updates]
+name=updates
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
+failovermethod=priority
+
+[updates-testing]
+name=updates-testing
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/f21-build/latest/x86_64/
+cost=2000
+enabled=0
+
+[fedora-debuginfo]
+name=fedora-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[updates-debuginfo]
+name=updates-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[updates-testing-debuginfo]
+name=updates-testing-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+"""

files/copr/provision/files/mock/site-defaults.cfg

@@ -57,7 +57,7 @@
 # NOTE: Some of the caching options can theoretically affect build
 #  reproducability. Change with care.
 #
-config_opts['plugin_conf']['package_state_enable'] = True
+config_opts['plugin_conf']['package_state_enable'] = False
 # config_opts['plugin_conf']['ccache_enable'] = True
 # config_opts['plugin_conf']['ccache_opts']['max_cache_size'] = '4G'
 # config_opts['plugin_conf']['ccache_opts']['compress'] = None

files/copr/provision/terminatepb.yml

@@ -1,16 +1,18 @@
+#jinja2:variable_start_string:'[%' , variable_end_string:'%]'
 ---
 - name: terminate instance
   hosts: all
   user: root
   gather_facts: False
 
+  vars:
+  - OS_AUTH_URL: http://172.23.0.2:5000/v2.0
+  - OS_TENANT_NAME: copr
+  - OS_USERNAME: msuchy
+  - OS_PASSWORD: [% copr_nova_password %]
+
   tasks:
-  - name: find the instance id from the builder
-    action: command curl -s http://169.254.169.254/latest/meta-data/instance-id
-    register: instanceid
-
   - name: terminate it
-    local_action: command euca-terminate-instances {{ instanceid.stdout }}
-
+    local_action: nova_compute auth_url={{OS_AUTH_URL}} login_password={{OS_PASSWORD}} login_tenant_name={{OS_TENANT_NAME}} login_username={{OS_USERNAME}} name="{{copr_task.vm_name}}" state=absent
 
 

files/download/download-sync.cron

@@ -0,0 +1,3 @@
+# run twice daily rsync of download. but lock it
+MAILTO=smooge@gmail.com
+00 11,23 * * * root /usr/local/bin/lock-wrapper sync-up-downloads "/usr/local/bin/sync-up-downloads"

files/download/sync-up-downloads.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+##
+## This script is used to sync data from main download servers to
+## secondary server at ibiblio.
+##
+
+RSYNC='/usr/bin/rsync'
+RS_OPT="-avSHP  --numeric-ids"
+RS_DEADLY="--delete --delete-excluded --delete-delay --delay-updates"
+ALT_EXCLUDES="--exclude deltaisos/archive --exclude 21_Alpha* --exclude 21-Alpha* --exclude 21_Beta* --exclude=F21a-TC1"
+EPL_EXCLUDES=""
+FED_EXCLUDES=""
+
+SERVER=dl.fedoraproject.org
+
+# http://dl.fedoraproject.org/pub/alt/stage/
+${RSYNC} ${RS_OPT} ${RS_DEADLY} ${ALT_EXCLUDES} ${SERVER}::fedora-alt/stage/  /srv/pub/alt/stage/ | tail -n2 | logger -p local0.notice -t rsync_updates_alt_stg
+# http://dl.fedoraproject.org/pub/alt/bfo/
+${RSYNC} ${RS_OPT} ${RS_DEADLY} ${ALT_EXCLUDES} ${SERVER}::fedora-alt/bfo/  /srv/pub/alt/bfo/ | tail -n2 | logger -p local0.notice -t rsync_updates_alt_bfo
+# http://dl.fedoraproject.org/pub/epel/
+${RSYNC} ${RS_OPT} ${RS_DEADLY} ${EPL_EXCLUDES} ${SERVER}::fedora-epel/ /srv/pub/epel/ | tail -n2 | logger -p local0.notice -t rsync_updates_epel
+# http://dl.fedoraproject.org/pub/fedora/
+${RSYNC} ${RS_OPT} ${RS_DEADLY} ${FED_EXCLUDES} ${SERVER}::fedora-enchilada0/ /srv/pub/fedora/ | tail -n2 | logger -p local0.notice -t rsync_updates_fedora
+
+# Let MM know I'm all up to date
+#/usr/bin/report_mirror

files/fedora-cloud/fed09-ssh-key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfk627wDgkJisjGl4RbrUS457WoPdSate1vzgZXApQeAkTG9LLEstAEyThphnJZzDWRYceId+DqZvyrwZttB6Tfptwqs9qwW60HelSVtvq6RDoiQO5yB1ffbeelM6ci5spvzA0b8llUmYpDlCmrbv/or5IXtO9ScAxK7S6Pp2XQYyHJepEclCqfUkmgOXqnoFPFhKhIdaNe7wXCDKnjHSL0HLQmpTREbJ98HNexI76DMdiuG+II7m42XbfToHZtDrsUfd5HGyWLqUWqFfLFoFSSrARE7Aqa2cS1zrLdKHTFnDitBezNeb2J4Go3/23bHe58LV8RfPdIQG9Z8hqYiD9 root@fed-cloud09.cloud.fedoraproject.org

files/fedora-cloud/hosts

@@ -0,0 +1,13 @@
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4                                     
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 
+
+# http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-neutron-networking-controller-node.html
+# controller
+{{ controller_public_ip }}       controller
+
+# network
+{{ network_public_ip }}       network
+
+# compute1
+# compute1_public_ip        compute1
+

files/fedora-cloud/ifcfg-br-ex

@@ -0,0 +1,9 @@
+DEVICE=br-ex
+DEVICETYPE=ovs
+TYPE=OVSBridge
+BOOTPROTO=static
+IPADDR={{ network_public_ip }}
+NETMASK={{ public_netmask }}  # your netmask
+GATEWAY={{ public_gateway_ip }}  # your gateway
+DNS1={{ public_dns }}     # your nameserver
+ONBOOT=yes

files/fedora-cloud/keystonerc_msuchy

@@ -0,0 +1,5 @@
+export OS_USERNAME=msuchy
+export OS_TENANT_NAME=copr
+export OS_PASSWORD=TBD
+export OS_AUTH_URL=http://209.132.184.9:5000/v2.0/
+export PS1='[\u@\h \W(keystone_msuchy)]\$ '

files/fedora-cloud/my.cnf

@@ -0,0 +1,4 @@
+[client]
+host=localhost
+user=root
+password={{ DBPASSWORD }}

files/fedora-cloud/packstack-controller-answers.txt

@@ -0,0 +1,502 @@
+[general]
+
+# Path to a Public key to install on servers. If a usable key has not
+# been installed on the remote servers the user will be prompted for a
+# password and this key will be installed so the password will not be
+# required again
+CONFIG_SSH_KEY=/root/.ssh/id_rsa.pub
+
+# Set to 'y' if you would like Packstack to install MySQL
+CONFIG_MARIADB_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack Image
+# Service (Glance)
+CONFIG_GLANCE_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack Block
+# Storage (Cinder)
+CONFIG_CINDER_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack Compute
+# (Nova)
+CONFIG_NOVA_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack
+# Networking (Neutron)
+CONFIG_NEUTRON_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack
+# Dashboard (Horizon)
+CONFIG_HORIZON_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack Object
+# Storage (Swift)
+CONFIG_SWIFT_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack
+# Metering (Ceilometer)
+CONFIG_CEILOMETER_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack
+# Orchestration (Heat)
+CONFIG_HEAT_INSTALL=n
+
+# Set to 'y' if you would like Packstack to install the OpenStack
+# Client packages. An admin "rc" file will also be installed
+CONFIG_CLIENT_INSTALL=y
+
+# Comma separated list of NTP servers. Leave plain if Packstack
+# should not install ntpd on instances.
+CONFIG_NTP_SERVERS=
+
+# Set to 'y' if you would like Packstack to install Nagios to monitor
+# OpenStack hosts
+CONFIG_NAGIOS_INSTALL=n
+
+# Comma separated list of servers to be excluded from installation in
+# case you are running Packstack the second time with the same answer
+# file and don't want Packstack to touch these servers. Leave plain if
+# you don't need to exclude any server.
+EXCLUDE_SERVERS=
+
+# Set to 'y' if you want to run OpenStack services in debug mode.
+# Otherwise set to 'n'.
+CONFIG_DEBUG_MODE=n
+
+# Set to 'y' if you want to use VMware vCenter as hypervisor and
+# storageOtherwise set to 'n'.
+CONFIG_VMWARE_BACKEND=n
+
+# The IP address of the server on which to install MySQL
+CONFIG_MARIADB_HOST={{ controller_public_ip }}
+
+# Username for the MySQL admin user
+CONFIG_MARIADB_USER=root
+
+# Password for the MySQL admin user
+CONFIG_MARIADB_PW={{ DBPASSWORD }}
+
+# Set the server for the AMQP service
+CONFIG_AMQP_BACKEND=rabbitmq
+
+# The IP address of the server on which to install the AMQP service
+CONFIG_AMQP_HOST={{ controller_public_ip }}
+
+# Enable SSL for the AMQP service
+CONFIG_AMQP_ENABLE_SSL=n
+
+# Enable Authentication for the AMQP service
+CONFIG_AMQP_ENABLE_AUTH=n
+
+# The password for the NSS certificate database of the AMQP service
+CONFIG_AMQP_NSS_CERTDB_PW={{ CONFIG_AMQP_NSS_CERTDB_PW }}
+
+# The port in which the AMQP service listens to SSL connections
+CONFIG_AMQP_SSL_PORT=5671
+
+# The filename of the certificate that the AMQP service is going to
+# use
+CONFIG_AMQP_SSL_CERT_FILE=/etc/pki/tls/certs/amqp_selfcert.pem
+
+# The filename of the private key that the AMQP service is going to
+# use
+CONFIG_AMQP_SSL_KEY_FILE=/etc/pki/tls/private/amqp_selfkey.pem
+
+# Auto Generates self signed SSL certificate and key
+CONFIG_AMQP_SSL_SELF_SIGNED=y
+
+# User for amqp authentication
+CONFIG_AMQP_AUTH_USER=amqp_user
+
+# Password for user authentication
+CONFIG_AMQP_AUTH_PASSWORD={{ CONFIG_AMQP_AUTH_PASSWORD }}
+
+# The password to use for the Keystone to access DB
+CONFIG_KEYSTONE_DB_PW={{ KEYSTONE_DBPASS }}
+
+# The token to use for the Keystone service api
+CONFIG_KEYSTONE_ADMIN_TOKEN={{ ADMIN_TOKEN }}
+
+# The password to use for the Keystone admin user
+CONFIG_KEYSTONE_ADMIN_PW={{ ADMIN_PASS }}
+
+# The password to use for the Keystone demo user
+CONFIG_KEYSTONE_DEMO_PW={{ DEMO_PASS }}
+
+# Kestone token format. Use either UUID or PKI
+CONFIG_KEYSTONE_TOKEN_FORMAT=PKI
+
+# The password to use for the Glance to access DB
+CONFIG_GLANCE_DB_PW={{ GLANCE_DBPASS }}
+
+# The password to use for the Glance to authenticate with Keystone
+CONFIG_GLANCE_KS_PW={{ GLANCE_PASS }}
+
+# The password to use for the Cinder to access DB
+CONFIG_CINDER_DB_PW={{ CINDER_DBPASS }}
+
+# The password to use for the Cinder to authenticate with Keystone
+CONFIG_CINDER_KS_PW={{ CINDER_PASS }}
+
+# The Cinder backend to use, valid options are: lvm, gluster, nfs,
+# vmdk
+CONFIG_CINDER_BACKEND=lvm
+
+# Create Cinder's volumes group. This should only be done for testing
+# on a proof-of-concept installation of Cinder.  This will create a
+# file-backed volume group and is not suitable for production usage.
+CONFIG_CINDER_VOLUMES_CREATE=n
+
+# Cinder's volumes group size. Note that actual volume size will be
+# extended with 3% more space for VG metadata.
+CONFIG_CINDER_VOLUMES_SIZE=5G
+
+# A single or comma separated list of gluster volume shares to mount,
+# eg: ip-address:/vol-name, domain:/vol-name
+CONFIG_CINDER_GLUSTER_MOUNTS=
+
+# A single or comma seprated list of NFS exports to mount, eg: ip-
+# address:/export-name
+CONFIG_CINDER_NFS_MOUNTS=
+
+# The IP address of the VMware vCenter datastore
+CONFIG_VCENTER_HOST=
+
+# The username to authenticate to VMware vCenter datastore
+CONFIG_VCENTER_USER=
+
+# The password to authenticate to VMware vCenter datastore
+CONFIG_VCENTER_PASSWORD=
+
+# A comma separated list of IP addresses on which to install the Nova
+# Compute services
+CONFIG_COMPUTE_HOSTS={{ controller_public_ip }}
+
+# The IP address of the server on which to install the Nova Conductor
+# service
+CONFIG_NOVA_CONDUCTOR_HOST={{ controller_public_ip }}
+
+# The password to use for the Nova to access DB
+CONFIG_NOVA_DB_PW={{ NOVA_DBPASS }}
+
+# The password to use for the Nova to authenticate with Keystone
+CONFIG_NOVA_KS_PW={{ NOVA_PASS }}
+
+# The overcommitment ratio for virtual to physical CPUs. Set to 1.0
+# to disable CPU overcommitment
+CONFIG_NOVA_SCHED_CPU_ALLOC_RATIO=16.0
+
+# The overcommitment ratio for virtual to physical RAM. Set to 1.0 to
+# disable RAM overcommitment
+CONFIG_NOVA_SCHED_RAM_ALLOC_RATIO=1.5
+
+# Private interface for Flat DHCP on the Nova compute servers
+CONFIG_NOVA_COMPUTE_PRIVIF=lo
+
+# The list of IP addresses of the server on which to install the Nova
+# Nova network manager
+CONFIG_NOVA_NETWORK_MANAGER=nova.network.manager.FlatDHCPManager
+
+# Public interface on the Nova network server
+CONFIG_NOVA_NETWORK_PUBIF={{ controller_public_ip }}
+
+# Private interface for network manager on the Nova network server
+CONFIG_NOVA_NETWORK_PRIVIF=lo
+
+# IP Range for network manager
+CONFIG_NOVA_NETWORK_FIXEDRANGE={{ internal_interface_cidr }}
+
+# IP Range for Floating IP's
+CONFIG_NOVA_NETWORK_FLOATRANGE={{ public_interface_cidr }}
+
+# Name of the default floating pool to which the specified floating
+# ranges are added to
+CONFIG_NOVA_NETWORK_DEFAULTFLOATINGPOOL=external
+
+# Automatically assign a floating IP to new instances
+CONFIG_NOVA_NETWORK_AUTOASSIGNFLOATINGIP=y
+
+# First VLAN for private networks
+CONFIG_NOVA_NETWORK_VLAN_START=100
+
+# Number of networks to support
+CONFIG_NOVA_NETWORK_NUMBER=1
+
+# Number of addresses in each private subnet
+CONFIG_NOVA_NETWORK_SIZE=255
+
+# The IP address of the VMware vCenter server
+CONFIG_VCENTER_HOST=
+
+# The username to authenticate to VMware vCenter server
+CONFIG_VCENTER_USER=
+
+# The password to authenticate to VMware vCenter server
+CONFIG_VCENTER_PASSWORD=
+
+# The name of the vCenter cluster
+CONFIG_VCENTER_CLUSTER_NAME=
+
+# The password to use for Neutron to authenticate with Keystone
+CONFIG_NEUTRON_KS_PW={{ NEUTRON_PASS }}
+
+# The password to use for Neutron to access DB
+CONFIG_NEUTRON_DB_PW={{ NEUTRON_DBPASS }}
+
+# A comma separated list of IP addresses on which to install Neutron
+CONFIG_NETWORK_HOSTS={{ controller_public_ip }}
+
+# The name of the bridge that the Neutron L3 agent will use for
+# external traffic, or 'provider' if using provider networks
+CONFIG_NEUTRON_L3_EXT_BRIDGE=provider
+
+
+# The name of the L2 plugin to be used with Neutron
+CONFIG_NEUTRON_L2_PLUGIN=ml2
+
+# A comma separated list of IP addresses on which to install Neutron
+# metadata agent
+CONFIG_NEUTRON_METADATA_PW={{ NEUTRON_PASS }}
+
+# A comma separated list of network type driver entrypoints to be
+# loaded from the neutron.ml2.type_drivers namespace.
+CONFIG_NEUTRON_ML2_TYPE_DRIVERS=local,flat,gre
+
+# A comma separated ordered list of network_types to allocate as
+# tenant networks. The value 'local' is only useful for single-box
+# testing but provides no connectivity between hosts.
+CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=gre
+
+# A comma separated ordered list of networking mechanism driver
+# entrypoints to be loaded from the neutron.ml2.mechanism_drivers
+# namespace.
+CONFIG_NEUTRON_ML2_MECHANISM_DRIVERS=openvswitch
+
+# A comma separated  list of physical_network names with which flat
+# networks can be created. Use * to allow flat networks with arbitrary
+# physical_network names.
+CONFIG_NEUTRON_ML2_FLAT_NETWORKS=*
+
+# A comma separated list of <physical_network>:<vlan_min>:<vlan_max>
+# or <physical_network> specifying physical_network names usable for
+# VLAN provider and tenant networks, as well as ranges of VLAN tags on
+# each available for allocation to tenant networks.
+CONFIG_NEUTRON_ML2_VLAN_RANGES=
+
+# A comma separated list of <tun_min>:<tun_max> tuples enumerating
+# ranges of GRE tunnel IDs that are available for tenant network
+# allocation. Should be an array with tun_max +1 - tun_min > 1000000
+CONFIG_NEUTRON_ML2_TUNNEL_ID_RANGES=1:1000
+
+# Multicast group for VXLAN. If unset, disables VXLAN enable sending
+# allocate broadcast traffic to this multicast group. When left
+# unconfigured, will disable multicast VXLAN mode. Should be an
+# Multicast IP (v4 or v6) address.
+CONFIG_NEUTRON_ML2_VXLAN_GROUP=
+
+# A comma separated list of <vni_min>:<vni_max> tuples enumerating
+# ranges of VXLAN VNI IDs that are available for tenant network
+# allocation. Min value is 0 and Max value is 16777215.
+CONFIG_NEUTRON_ML2_VNI_RANGES=
+
+# The name of the L2 agent to be used with Neutron
+CONFIG_NEUTRON_L2_AGENT=openvswitch
+
+# The type of network to allocate for tenant networks (eg. vlan,
+# local)
+CONFIG_NEUTRON_LB_TENANT_NETWORK_TYPE=gre
+
+# A comma separated list of VLAN ranges for the Neutron linuxbridge
+# plugin (eg. physnet1:1:4094,physnet2,physnet3:3000:3999)
+CONFIG_NEUTRON_LB_VLAN_RANGES=
+
+# A comma separated list of interface mappings for the Neutron
+# linuxbridge plugin (eg. physnet1:br-eth1,physnet2:br-eth2,physnet3
+# :br-eth3)
+CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
+
+# Type of network to allocate for tenant networks (eg. vlan, local,
+# gre, vxlan)
+CONFIG_NEUTRON_OVS_TENANT_NETWORK_TYPE=gre
+
+# A comma separated list of VLAN ranges for the Neutron openvswitch
+# plugin (eg. physnet1:1:4094,physnet2,physnet3:3000:3999)
+CONFIG_NEUTRON_OVS_VLAN_RANGES=floatnet
+
+# A comma separated list of bridge mappings for the Neutron
+# openvswitch plugin (eg. physnet1:br-eth1,physnet2:br-eth2,physnet3
+# :br-eth3)
+CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=floatnet:br-ex
+
+# A comma separated list of colon-separated OVS bridge:interface
+# pairs. The interface will be added to the associated bridge.
+CONFIG_NEUTRON_OVS_BRIDGE_IFACES=br-tun:eth1
+
+# A comma separated list of tunnel ranges for the Neutron openvswitch
+# plugin (eg. 1:1000)
+CONFIG_NEUTRON_OVS_TUNNEL_RANGES=1:1000
+
+# The interface for the OVS tunnel. Packstack will override the IP
+# address used for tunnels on this hypervisor to the IP found on the
+# specified interface. (eg. eth1)
+CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
+
+# VXLAN UDP port
+CONFIG_NEUTRON_OVS_VXLAN_UDP_PORT=4789
+
+# To set up Horizon communication over https set this to "y"
+CONFIG_HORIZON_SSL=y
+
+# PEM encoded certificate to be used for ssl on the https server,
+# leave blank if one should be generated, this certificate should not
+# require a passphrase
+CONFIG_SSL_CERT=/etc/pki/tls/certs/fed-cloud09.pem
+
+# PEM encoded CA certificates from which the certificate chain of the
+# # server certificate can be assembled.
+CONFIG_SSL_CACHAIN=/etc/pki/tls/certs/fed-cloud09.pem
+
+# Keyfile corresponding to the certificate if one was entered
+CONFIG_SSL_KEY=/etc/pki/tls/private/fed-cloud09.key
+
+# The password to use for the Swift to authenticate with Keystone
+CONFIG_SWIFT_KS_PW={{ SWIFT_PASS }}
+
+# A comma separated list of IP addresses on which to install the
+# Swift Storage services, each entry should take the format
+# <ipaddress>[/dev], for example 127.0.0.1/vdb will install /dev/vdb
+# on 127.0.0.1 as a swift storage device(packstack does not create the
+# filesystem, you must do this first), if /dev is omitted Packstack
+# will create a loopback device for a test setup
+CONFIG_SWIFT_STORAGES=
+
+# Number of swift storage zones, this number MUST be no bigger than
+# the number of storage devices configured
+CONFIG_SWIFT_STORAGE_ZONES=1
+
+# Number of swift storage replicas, this number MUST be no bigger
+# than the number of storage zones configured
+CONFIG_SWIFT_STORAGE_REPLICAS=1
+
+# FileSystem type for storage nodes
+CONFIG_SWIFT_STORAGE_FSTYPE=ext4
+
+# Shared secret for Swift
+CONFIG_SWIFT_HASH={{ SWIFT_HASH }}
+
+# Size of the swift loopback file storage device
+CONFIG_SWIFT_STORAGE_SIZE=2G
+
+# Whether to provision for demo usage and testing. Note that
+# provisioning is only supported for all-in-one installations.
+CONFIG_PROVISION_DEMO=n
+
+# Whether to configure tempest for testing. Note that provisioning is
+# only supported for all-in-one installations.
+CONFIG_PROVISION_TEMPEST=n
+
+# The CIDR network address for the floating IP subnet
+CONFIG_PROVISION_DEMO_FLOATRANGE=
+
+# The uri of the tempest git repository to use
+CONFIG_PROVISION_TEMPEST_REPO_URI=https://github.com/openstack/tempest.git
+
+# The revision of the tempest git repository to use
+CONFIG_PROVISION_TEMPEST_REPO_REVISION=master
+
+# Whether to configure the ovs external bridge in an all-in-one
+# deployment
+CONFIG_PROVISION_ALL_IN_ONE_OVS_BRIDGE=n
+
+# The password used by Heat user to authenticate against MySQL
+CONFIG_HEAT_DB_PW={{ HEAT_DBPASS }}
+
+# The encryption key to use for authentication info in database
+CONFIG_HEAT_AUTH_ENC_KEY={{ HEAT_AUTH_ENC_KEY }}
+
+# The password to use for the Heat to authenticate with Keystone
+CONFIG_HEAT_KS_PW={{ HEAT_PASS }}
+
+# Set to 'y' if you would like Packstack to install Heat CloudWatch
+# API
+CONFIG_HEAT_CLOUDWATCH_INSTALL=n
+
+# Set to 'y' if you would like Packstack to install Heat
+# CloudFormation API
+CONFIG_HEAT_CFN_INSTALL=n
+
+# The IP address of the server on which to install Heat CloudWatch
+# API service
+CONFIG_HEAT_CLOUDWATCH_HOST={{ controller_public_ip }}
+
+# The IP address of the server on which to install Heat
+# CloudFormation API service
+CONFIG_HEAT_CFN_HOST={{ controller_public_ip }}
+
+# The IP address of the management node
+CONFIG_CONTROLLER_HOST={{ controller_public_ip }}
+
+# Secret key for signing metering messages.
+CONFIG_CEILOMETER_SECRET={{ CEILOMETER_SECRET }}
+
+# The password to use for Ceilometer to authenticate with Keystone
+CONFIG_CEILOMETER_KS_PW={{ CEILOMETER_PASS }}
+
+# The IP address of the server on which to install mongodb
+CONFIG_MONGODB_HOST={{ controller_public_ip }}
+
+# The password of the nagiosadmin user on the Nagios server
+CONFIG_NAGIOS_PW=
+
+# To subscribe each server to EPEL enter "y"
+CONFIG_USE_EPEL=y
+
+# A comma separated list of URLs to any additional yum repositories
+# to install
+CONFIG_REPO=
+
+# To subscribe each server with Red Hat subscription manager, include
+# this with CONFIG_RH_PW
+CONFIG_RH_USER=
+
+# To subscribe each server with Red Hat subscription manager, include
+# this with CONFIG_RH_USER
+CONFIG_RH_PW=
+
+# To subscribe each server to Red Hat Enterprise Linux 6 Server Beta
+# channel (only needed for Preview versions of RHOS) enter "y"
+CONFIG_RH_BETA_REPO=n
+
+# To subscribe each server with RHN Satellite,fill Satellite's URL
+# here. Note that either satellite's username/password or activation
+# key has to be provided
+CONFIG_SATELLITE_URL=
+
+# Username to access RHN Satellite
+CONFIG_SATELLITE_USER=
+
+# Password to access RHN Satellite
+CONFIG_SATELLITE_PW=
+
+# Activation key for subscription to RHN Satellite
+CONFIG_SATELLITE_AKEY=
+
+# Specify a path or URL to a SSL CA certificate to use
+CONFIG_SATELLITE_CACERT=
+
+# If required specify the profile name that should be used as an
+# identifier for the system in RHN Satellite
+CONFIG_SATELLITE_PROFILE=
+
+# Comma separated list of flags passed to rhnreg_ks. Valid flags are:
+# novirtinfo, norhnsd, nopackages
+CONFIG_SATELLITE_FLAGS=
+
+# Specify a HTTP proxy to use with RHN Satellite
+CONFIG_SATELLITE_PROXY=
+
+# Specify a username to use with an authenticated HTTP proxy
+CONFIG_SATELLITE_PROXY_USER=
+
+# Specify a password to use with an authenticated HTTP proxy.
+CONFIG_SATELLITE_PROXY_PW=

files/fedora-cloud/uninstall.sh

@@ -0,0 +1,32 @@
+# Warning! Dangerous step! Destroys VMs
+# if you do know what you are doing feel free to remove the line below to proceed
+exit 1
+# also if you really insist to remove VM, uncomment that vgremove near bottom
+
+for x in $(virsh list --all | grep instance- | awk '{print $2}') ; do
+    virsh destroy $x ;
+    virsh undefine $x ;
+done ;
+
+# Warning! Dangerous step! Removes lots of packages, including many
+# which may be unrelated to RDO.
+yum remove -y nrpe "*openstack*" \
+"*nova*" "*keystone*" "*glance*" "*cinder*" "*swift*" \
+mysql mysql-server httpd "*memcache*" ;
+
+ps -ef | grep -i repli | grep swift | awk '{print $2}' | xargs kill ;
+
+# Warning! Dangerous step! Deletes local application data
+rm -rf /etc/nagios /etc/yum.repos.d/packstack_* /root/.my.cnf \
+/var/lib/mysql/* /var/lib/glance /var/lib/nova /etc/nova /etc/swift \
+/srv/node/device*/* /var/lib/cinder/ /etc/rsync.d/frag* \
+/var/cache/swift /var/log/keystone ;
+
+umount /srv/node/device* ;
+killall -9 dnsmasq tgtd httpd ;
+#vgremove -f cinder-volumes ;
+losetup -a | sed -e 's/:.*//g' | xargs losetup -d ;
+find /etc/pki/tls -name "ssl_ps*" | xargs rm -rf ;
+for x in $(df | grep "/lib/" | sed -e 's/.* //g') ; do
+    umount $x ;
+done

files/gnome/backup.sh

@@ -28,7 +28,9 @@ MACHINES='signal.gnome.org
           view.gnome.org
           puppet.gnome.org
           accelerator.gnome.org
-          range.gnome.org'
+          range.gnome.org
+          pentagon.gimp.org
+          account.gnome.org'
 
 BACKUP_DIR='/fedora_backups/gnome/'
 LOGS_DIR='/fedora_backups/gnome/logs'

files/gnome/ssh_config

@@ -3,6 +3,6 @@ Host live.gnome.org extensions.gnome.org puppet.gnome.org view.gnome.org drawabl
      IdentityFile /usr/local/etc/gnome_backup_id.rsa
      ProxyCommand ssh -W %h:%p bastion.gnome.org -F /usr/local/etc/gnome_ssh_config
 
-Host *.gnome.org
+Host *.gnome.org pentagon.gimp.org
      User root
      IdentityFile /usr/local/etc/gnome_backup_id.rsa

files/hosts/badges-backend01.stg.phx2.fedoraproject.org-hosts

@@ -1,10 +0,0 @@
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-
-10.5.126.89     admin.fedoraproject.org
-10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
-10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
-10.5.126.23     infrastructure.fedoraproject.org
-
-10.5.126.85     db-datanommer   db-datanommer
-10.5.126.85     db-tahrir       db-tahrir

files/hosts/badges-web01.stg.phx2.fedoraproject.org-hosts

@@ -1,11 +0,0 @@
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-
-10.5.126.89     admin.fedoraproject.org
-10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
-10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
-10.5.126.23     infrastructure.fedoraproject.org
-
-10.5.126.81     memcached03 memcached03.stg app01 app01.stg
-
-10.5.126.85     db-tahrir       db-tahrir

files/hosts/fedocal01.stg.phx2.fedoraproject.org-hosts

@@ -1,11 +0,0 @@
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-
-10.5.126.89     admin.fedoraproject.org
-10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
-10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
-10.5.126.23     infrastructure.fedoraproject.org
-
-10.5.126.81     memcached03 memcached03.stg app01 app01.stg
-
-10.5.126.85     db-fedocal       db-fedocal

files/hosts/notifs-backend01.stg.phx2.fedoraproject.org-hosts

@@ -1,12 +0,0 @@
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-
-10.5.126.89     admin.fedoraproject.org
-10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
-10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
-10.5.126.23     infrastructure.fedoraproject.org
-
-10.5.126.81     memcached03 memcached03.stg app01 app01.stg
-
-10.5.126.85     db-notifs       db-notifs
-10.5.126.85     db-datanommer       db-datanommer

files/hosts/notifs-web01.stg.phx2.fedoraproject.org-hosts

@@ -1,12 +0,0 @@
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-
-10.5.126.89     admin.fedoraproject.org
-10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
-10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
-10.5.126.23     infrastructure.fedoraproject.org
-
-10.5.126.81     memcached03 memcached03.stg app01 app01.stg
-
-10.5.126.85     db-notifs       db-notifs
-10.5.126.85     db-datanommer       db-datanommer

files/hosts/notifs-web02.stg.phx2.fedoraproject.org-hosts

@@ -1,12 +0,0 @@
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-
-10.5.126.89     admin.fedoraproject.org
-10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
-10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
-10.5.126.23     infrastructure.fedoraproject.org
-
-10.5.126.81     memcached03 memcached03.stg app01 app01.stg
-
-10.5.126.85     db-notifs       db-notifs
-10.5.126.85     db-datanommer       db-datanommer

files/hosts/nuancier01.stg.phx2.fedoraproject.org-hosts

@@ -1,11 +0,0 @@
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-
-10.5.126.89     admin.fedoraproject.org
-10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
-10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
-10.5.126.23     infrastructure.fedoraproject.org
-
-10.5.126.81     memcached03 memcached03.stg app01 app01.stg
-
-10.5.126.85     nuancier_db       nuancier_db

files/hosts/nuancier02.stg.phx2.fedoraproject.org-hosts

@@ -1,11 +0,0 @@
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-
-10.5.126.89     admin.fedoraproject.org
-10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
-10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
-10.5.126.23     infrastructure.fedoraproject.org
-
-10.5.126.81     memcached03 memcached03.stg app01 app01.stg
-
-10.5.126.85     nuancier_db       nuancier_db

files/hosts/summershum01.stg.phx2.fedoraproject.org-hosts

@@ -1,12 +0,0 @@
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-
-10.5.126.89     admin.fedoraproject.org
-10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
-10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
-10.5.126.23     infrastructure.fedoraproject.org
-10.5.125.44     pkgs.fedoraproject.org
-
-10.5.126.81     memcached03 memcached03.stg app01 app01.stg
-
-10.5.126.85     db-summershum       db-summershum

files/httpd/httpd.logrotate

@@ -0,0 +1,13 @@
+/var/log/httpd/*log {
+    daily
+    rotate 7
+    missingok
+    ifempty
+    compress
+    compresscmd /usr/bin/xz
+    uncompresscmd /usr/bin/xz
+    compressext .xz
+    dateext
+    sharedscripts
+    copytruncate
+}

files/iptables/iptables

@@ -17,12 +17,6 @@
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
 
-# for fireball mode - allow port 5099 from lockbox and it's ips
--A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
-
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip

files/iptables/iptables.staging

@@ -29,12 +29,6 @@ COMMIT
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
 
-# for fireball mode - allow port 5099 from lockbox and it's ips
--A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
-
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip

files/jenkins/master/config.xml

@@ -30,38 +30,6 @@ class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
   <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
   <clouds/>
   <slaves>
-    <slave>
-      <name>Fedora18</name>
-      <description></description>
-      <remoteFS>/mnt/jenkins/</remoteFS>
-      <numExecutors>2</numExecutors>
-      <mode>NORMAL</mode>
-      <retentionStrategy class="hudson.slaves.RetentionStrategy$Always"/>
-      <launcher class="hudson.plugins.sshslaves.SSHLauncher"
-      plugin="ssh-slaves@0.21">
-        <host>172.16.5.12</host>
-        <port>22</port>
-        <credentialsId>d844d352-af1d-466b-9fc9-cbb19348103a</credentialsId>
-      </launcher>
-      <label></label>
-      <nodeProperties/>
-    </slave>
-    <slave>
-      <name>Fedora19</name>
-      <description></description>
-      <remoteFS>/mnt/jenkins/</remoteFS>
-      <numExecutors>2</numExecutors>
-      <mode>NORMAL</mode>
-      <retentionStrategy class="hudson.slaves.RetentionStrategy$Always"/>
-      <launcher class="hudson.plugins.sshslaves.SSHLauncher"
-      plugin="ssh-slaves@0.21">
-        <host>172.16.5.12</host>
-        <port>22</port>
-        <credentialsId>d844d352-af1d-466b-9fc9-cbb19348103a</credentialsId>
-      </launcher>
-      <label></label>
-      <nodeProperties/>
-    </slave>
     <slave>
       <name>EL6</name>
       <description></description>
@@ -94,6 +62,22 @@ class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
        <label></label>
        <nodeProperties/>
      </slave>
+     <slave>
+        <name>EL7-beta</name>
+        <description></description>
+        <remoteFS>/mnt/jenkins/</remoteFS>
+        <numExecutors>2</numExecutors>
+        <mode>NORMAL</mode>
+        <retentionStrategy class="hudson.slaves.RetentionStrategy$Always"/>
+        <launcher class="hudson.plugins.sshslaves.SSHLauncher"
+        plugin="ssh-slaves@0.21">
+          <host>172.16.5.14</host>
+          <port>22</port>
+          <credentialsId>950d5dd7-acb2-402a-8670-21f152d04928</credentialsId>
+        </launcher>
+        <label></label>
+        <nodeProperties/>
+      </slave>
   </slaves>
   <quietPeriod>5</quietPeriod>
   <scmCheckoutRetryCount>0</scmCheckoutRetryCount>

files/jenkins/slaves/sbt.repo

@@ -1,6 +1,6 @@
-[sbt-fedorapeople]
-name=SBT Fedorapeople Repo
-baseurl=http://repos.fedorapeople.org/repos/codeblock/sbt/fedora-18/RPMS/
-enabled=1
-skip_if_unavailable=1
+[codeblock-sbt-extras]
+name=Copr repo for sbt-extras owned by codeblock
+baseurl=https://copr-be.cloud.fedoraproject.org/results/codeblock/sbt-extras/fedora-$releasever-$basearch/
+skip_if_unavailable=True
 gpgcheck=0
+enabled=0

files/keyserver/sks.conf

@@ -51,9 +51,9 @@ NameVirtualHost *:443
 	ServerAlias keys01.fedoraproject.org
 
         SSLEngine on
-        SSLCertificateFile /etc/pki/tls/wildcard-2013.fedoraproject.org.cert
-	SSLCertificateChainFile /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert
-        SSLCertificateKeyFile /etc/pki/tls/wildcard-2013.fedoraproject.org.key
+        SSLCertificateFile /etc/pki/tls/wildcard-2014.fedoraproject.org.cert
+	SSLCertificateChainFile /etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert
+        SSLCertificateKeyFile /etc/pki/tls/wildcard-2014.fedoraproject.org.key
 	ProxyPass / http://localhost:11371/
 	ProxyPassReverse / http://localhost:11371/
         SetEnv proxy-nokeepalive 1

files/rdiff-backup/run-rdiff-backups

@@ -5,5 +5,5 @@ source /root/sshagent >>/dev/null
 TMPDIR=`mktemp -d /tmp/backups.XXXX`
 
 cd $TMPDIR
-git clone http://infrastructure.fedoraproject.org/infra/ansible.git
+git clone https://infrastructure.fedoraproject.org/infra/ansible.git
 ansible-playbook -i ansible/inventory ansible/playbooks/rdiff-backup.yml 

files/rdo/rdo.conf

@@ -1,7 +0,0 @@
-Alias /openstack /srv/persist/openstack
-<Directory "/srv/persist/openstack">
-    Options Indexes MultiViews FollowSymLinks
-    AllowOverride None
-    Order allow,deny
-    Allow from all
-</Directory>

files/releng/releng.repo

@@ -1,6 +0,0 @@
-[releng]
-name=Rel-Eng Packages from Fedora Infrastructure $releasever - $basearch
-baseurl=http://infrastructure.fedoraproject.org/repo/releng/$releasever/$basearch/
-enabled=1
-gpgcheck=1
-gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE

files/scripts/confine-ssh.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+# Confine ssh commands
+case "$SSH_ORIGINAL_COMMAND" in
+*\&*)
+echo "Rejected"
+;;
+*\;*)
+echo "Rejected"
+;;
+rsync\ --server\ --sender*)
+$SSH_ORIGINAL_COMMAND
+;;
+*)
+echo "Rejected"
+;;
+esac

files/virthost/99-bridge.rules

@@ -0,0 +1 @@
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"

handlers/restart_services.yml

@@ -6,7 +6,7 @@
   action: service name=auditd state=restarted
 
 - name: restart apache
-  action: service name=httpd state=restarted
+  command: /usr/local/bin/conditional-restart.sh httpd httpd
 
 - name: reload apache
   action: service name=httpd state=reloaded
@@ -17,8 +17,20 @@
 - name: restart crond
   action: service name=crond state=restarted
 
+- name: restart fedmsg-gateway
+  command: /usr/local/bin/conditional-restart.sh fedmsg-gateway fedmsg-gateway
+
+- name: restart fedmsg-hub
+  command: /usr/local/bin/conditional-restart.sh fedmsg-hub fedmsg-hub
+
+- name: restart fedmsg-irc
+  command: /usr/local/bin/conditional-restart.sh fedmsg-irc fedmsg-irc
+
+- name: restart fedmsg-relay
+  command: /usr/local/bin/conditional-restart.sh fedmsg-relay fedmsg-relay
+
 - name: restart httpd
-  action: service name=httpd state=restarted
+  command: /usr/local/bin/conditional-restart.sh httpd httpd
 
 - name: reload httpd
   action: service name=httpd state=reloaded
@@ -53,9 +65,18 @@
 - name: restart ntpd
   action: service name=ntpd state=restarted
 
-- name: restart openvpn
+- name: restart openvpn (Fedora)
+  when: ansible_distribution == "Fedora"
+  action: service name=openvpn@openvpn state=restarted
+
+- name: restart openvpn (RHEL6)
+  when: ansible_distribution == "RedHat" and ansible_distribution_major_version == "6"
   action: service name=openvpn state=restarted
 
+- name: restart openvpn (RHEL7)
+  when: ansible_distribution == "RedHat" and ansible_distribution_major_version == "7"
+  action: service name=openvpn@openvpn state=restarted
+
 - name: restart postfix
   action: service name=postfix state=restarted
 
@@ -68,12 +89,6 @@
 - name: restart rsyslog
   action: service name=rsyslog state=restarted
 
-- name: restart sks-db
-  action: service name=sks-db state=restarted
-
-- name: restart sks-recon
-  action: service name=sks-recon state=restarted
-
 - name: restart sshd
   action: service name=sshd state=restarted
 
@@ -83,5 +98,46 @@
 - name: restart netapproute
   action: command /etc/sysconfig/network-scripts/ifup-routes eth1
 
+- name: restart network
+  action: service name=network state=restarted
+
 - name: restart unbound
   action: service name=unbound state=restarted
+
+- name: rebuild postfix transport
+  command: /usr/sbin/postmap /etc/postfix/transport
+
+- name: restart glusterd
+  service: name=glusterd state=restarted
+
+- name: restart supervisord
+  service: name=supervisord state=restarted
+
+- name: run rkhunter
+  command: rkhunter --propupd
+
+- name: restart moksha-hub
+  service: name=moksha-hub state=restarted
+
+- name: restart dhcpd
+  service: name=dhcpd state=restarted
+
+- name: restart memcached
+  service: name=memcached state=restarted
+
+- name: reload systemd
+  command: systemctl daemon-reload
+
+- name: restart nagios
+  shell: nagios -v /etc/nagios/nagios.cfg && systemctl restart nagios
+
+- name: restart bridge
+  shell: /usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge
+
+- name: hup libvirtd
+  command: pkill -HUP libvirtd
+  ignore_errors: true
+  when: inventory_hostname.startswith('buildhw')
+
+- name: restart fcomm-cache-worker
+  service: name=fcomm-cache-worker state=restarted

inventory/backups

@@ -0,0 +1,19 @@
+#
+# This is the list of clients we backup with rdiff-backup. 
+#
+[backup_clients]
+collab04.fedoraproject.org
+db01.phx2.fedoraproject.org
+db-datanommer02.phx2.fedoraproject.org
+hosted04.fedoraproject.org
+hosted-lists01.fedoraproject.org
+lockbox01.phx2.fedoraproject.org
+people03.fedoraproject.org
+pkgs01.phx2.fedoraproject.org
+log01.phx2.fedoraproject.org
+qadevel.cloud.fedoraproject.org
+db-qa01.qa.fedoraproject.org
+db-koji01.phx2.fedoraproject.org
+copr-be.cloud.fedoraproject.org
+value01.phx2.fedoraproject.org
+taskotron01.qa.fedoraproject.org

inventory/builders

@@ -28,16 +28,10 @@ buildvm-25.phx2.fedoraproject.org
 buildvm-26.phx2.fedoraproject.org
 buildvm-27.phx2.fedoraproject.org
 
+[buildvm-stg]
+buildvm-01.stg.phx2.fedoraproject.org
+
 [buildvmhost]
-buildvmhost-01.phx2.fedoraproject.org
-buildvmhost-02.phx2.fedoraproject.org
-buildvmhost-03.phx2.fedoraproject.org
-buildvmhost-04.phx2.fedoraproject.org
-buildvmhost-05.phx2.fedoraproject.org
-buildvmhost-06.phx2.fedoraproject.org
-buildvmhost-07.phx2.fedoraproject.org
-buildvmhost-08.phx2.fedoraproject.org
-buildvmhost-09.phx2.fedoraproject.org
 buildvmhost-10.phx2.fedoraproject.org
 buildvmhost-11.phx2.fedoraproject.org
 buildvmhost-12.phx2.fedoraproject.org
@@ -46,6 +40,16 @@ buildvmhost-12.phx2.fedoraproject.org
 [buildhw]
 buildhw-01.phx2.fedoraproject.org
 buildhw-02.phx2.fedoraproject.org
+buildhw-03.phx2.fedoraproject.org
+buildhw-04.phx2.fedoraproject.org
+buildhw-05.phx2.fedoraproject.org
+buildhw-06.phx2.fedoraproject.org
+buildhw-07.phx2.fedoraproject.org
+buildhw-08.phx2.fedoraproject.org
+buildhw-09.phx2.fedoraproject.org
+buildhw-10.phx2.fedoraproject.org
+buildhw-11.phx2.fedoraproject.org
+buildhw-12.phx2.fedoraproject.org
 
 [buildppc]
 buildppc-01.phx2.fedoraproject.org
@@ -64,8 +68,9 @@ arm04
 # These are secondary arch builders. 
 #
 [arm01]
-arm01-builder00.arm.fedoraproject.org
-arm01-builder01.arm.fedoraproject.org
+# 00 and 01 are in use as releng and retrace instances
+#arm01-releng00.arm.fedoraproject.org
+#arm01-retrace01.arm.fedoraproject.org
 arm01-builder02.arm.fedoraproject.org
 arm01-builder03.arm.fedoraproject.org
 arm01-builder04.arm.fedoraproject.org
@@ -84,7 +89,6 @@ arm01-builder16.arm.fedoraproject.org
 arm01-builder17.arm.fedoraproject.org
 arm01-builder18.arm.fedoraproject.org
 arm01-builder19.arm.fedoraproject.org
-# these are v5
 arm01-builder20.arm.fedoraproject.org
 arm01-builder21.arm.fedoraproject.org
 arm01-builder22.arm.fedoraproject.org
@@ -173,11 +177,9 @@ arm04-builder16.arm.fedoraproject.org
 arm04-builder17.arm.fedoraproject.org
 arm04-builder18.arm.fedoraproject.org
 arm04-builder19.arm.fedoraproject.org
-# These are v5
 arm04-builder20.arm.fedoraproject.org
 arm04-builder21.arm.fedoraproject.org
-# broken disk - kevin 2013-04-05
-#arm04-builder22.arm.fedoraproject.org
+arm04-builder22.arm.fedoraproject.org
 arm04-builder23.arm.fedoraproject.org
 
 [builders:children]

inventory/group_vars/all

@@ -19,22 +19,30 @@ tcp_ports: []
 custom_rules: []
 
 # defaults for virt installs
-ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-6
-ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/
+ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
 mem_size: 2048
 num_cpus: 2
 lvm_size: 20000
 
 # default virt install command is for a single nic-device
 # define in another group file for more nics (see buildvm)
-virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }} 
-                 --disk {{ volgroup }}/{{ inventory_hostname }}
-                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x 
-                 "ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }} 
-                  gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
-                  hostname={{ inventory_hostname }}" 
-                 --network=bridge=br0 --autostart --noautoconsole
+#virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }} 
+#                 --disk {{ volgroup }}/{{ inventory_hostname }}
+#                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x 
+#                 "ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }} 
+#                  gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
+#                  hostname={{ inventory_hostname }}" 
+#                 --network=bridge=br0 --autostart --noautoconsole
 
+virt_install_command: virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
+                 --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x
+                 'ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
+                  hostname={{ inventory_hostname }} nameserver={{ dns }}
+                  ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
+                 --network bridge=br0,model=virtio
+                 --autostart --noautoconsole
 
 # By default, nodes get no fedmsg certs.  They need to declare them explicitly.
 fedmsg_certs: []
@@ -43,8 +51,20 @@ fedmsg_certs: []
 dbs_to_backup: []
 
 # by default the number of procs we allow before we whine
-nrpe_procs_warn: 175
-nrpe_procs_crit: 200
+nrpe_procs_warn: 250
+nrpe_procs_crit: 300
+
+# by default, the number of emails in queue before we whine
+nrpe_check_postfix_queue_warn: 2
+nrpe_check_postfix_queue_crit: 5
 
 # env is staging or production, we default it to production here. 
 env: production
+
+# nfs mount options, override at the group/host level
+nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid"
+
+# by default set sudo to false here We can override it as needed. 
+# Note that if sudo is true, you need to unset requiretty for 
+# ssh controlpersist to work. 
+sudo: false

inventory/group_vars/anitya-backend

@@ -0,0 +1,28 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 8192
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+custom_rules: [
+    # Need for rsync from log01 for logs.
+    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+ ]
+
+# No other ports open.  no web service running here.
+#tcp_ports: []
+
+fas_client_groups: sysadmin-noc
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: anitya
+  owner: root
+  group: fedmsg

inventory/group_vars/anitya-frontend

@@ -0,0 +1,30 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 2048
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+# 9940 is for the anitya public relay
+tcp_ports: [ 80, 443, 9940 ]
+
+custom_rules: [
+    # Need for rsync from log01 for logs.
+    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+    # Need so that anitya-backend can talk fedmsg to our relay
+    '-A INPUT -p tcp -m tcp -s 140.211.169.230 --dport 9941 -j ACCEPT',
+ ]
+
+fas_client_groups: sysadmin-noc,sysadmin-web
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: anitya
+  owner: root
+  group: apache

inventory/group_vars/arm-packager

@@ -1,6 +1,6 @@
 ---
 fas_client_groups: packager
 freezes: false
-sudoers: "{{ private }}/files/sudo/arm-packager"
+sudoers: "{{ private }}/files/sudo/arm-packager-sudoers"
 sudoers_main: nopasswd
 host_group: cloud

inventory/group_vars/arm-releng

@@ -1,4 +1,5 @@
 ---
+host_group: releng
 fas_client_groups: sysadmin-releng
 freezes: false
 #
@@ -6,3 +7,7 @@ freezes: false
 #
 libdir: /usr/lib
 sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
+
+# For the mock config
+kojipkgs_url: kojipkgs.fedoraproject.org
+kojihub_url: koji.fedoraproject.org/kojihub

inventory/group_vars/ask

@@ -8,9 +8,12 @@ tcp_ports: [ 80, 443,
     # These 8 ports are used by fedmsg.  One for each wsgi thread.
     3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007]
 
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
 fas_client_groups: sysadmin-noc,sysadmin-ask,fi-apprentice
 
-# These are consumed by a task in roles/fedmsg_base/main.yml
+# These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
   owner: root

inventory/group_vars/ask-stg

@@ -8,9 +8,12 @@ tcp_ports: [ 80, 443,
     # These 8 ports are used by fedmsg.  One for each wsgi thread.
     3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007]
 
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
 fas_client_groups: sysadmin-noc,sysadmin-ask,fi-apprentice
 
-# These are consumed by a task in roles/fedmsg_base/main.yml
+# These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
   owner: root

inventory/group_vars/atomichw

@@ -0,0 +1,9 @@
+---
+host_group: atomicbuilder
+freezes: false
+nrpe_procs_warn: 700
+nrpe_procs_crit: 800
+
+fas_client_groups: atomic,sysadmin-atomic
+
+tcp_ports: [ 80, 443, 873 ]

inventory/group_vars/autosign

@@ -0,0 +1,11 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 30000
+mem_size: 2048
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+fas_client_groups: sysadmin-releng
+host_group: autosign

inventory/group_vars/badges-backend

@@ -7,11 +7,12 @@ freezes: false
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 
-tcp_ports: [ 3000 ]
+tcp_ports: [ 3000, 3001, 3002, 3003,
+             3004, 3005, 3006, 3007 ]
 
 fas_client_groups: sysadmin-noc,sysadmin-badges
 
-# These are consumed by a task in roles/fedmsg_base/main.yml
+# These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
   owner: root

inventory/group_vars/badges-backend-stg

@@ -7,11 +7,12 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 
-tcp_ports: [ 3000 ]
+tcp_ports: [ 3000, 3001, 3002, 3003,
+             3004, 3005, 3006, 3007 ]
 
 fas_client_groups: sysadmin-noc,sysadmin-badges
 
-# These are consumed by a task in roles/fedmsg_base/main.yml
+# These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
   owner: root

inventory/group_vars/badges-web

@@ -12,9 +12,12 @@ tcp_ports: [ 80, 443,
     3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
     3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
 
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
 fas_client_groups: sysadmin-noc,sysadmin-badges
 
-# These are consumed by a task in roles/fedmsg_base/main.yml
+# These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
   owner: root

inventory/group_vars/badges-web-stg

@@ -12,9 +12,12 @@ tcp_ports: [ 80, 443,
     3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
     3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
 
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
 fas_client_groups: sysadmin-noc,sysadmin-badges
 
-# These are consumed by a task in roles/fedmsg_base/main.yml
+# These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
   owner: root

inventory/group_vars/bastion

@@ -0,0 +1,39 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 8192
+num_cpus: 4
+
+#
+# allow incoming openvpn and smtp
+#
+tcp_ports: [ 25, 1194 ]
+udp_ports: [ 1194 ]
+
+#
+# drop incoming traffic from less trusted vpn hosts
+#
+custom_rules: [
+    '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
+]
+#
+# allow a bunch of sysadmin groups here so they can access internal stuff
+#
+fas_client_groups: sysadmin-ask,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-darkserver,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc
+
+#
+# This is a postfix gateway. This will pick up gateway postfix config in base
+#
+postfix_group: gateway
+postfix_transport_filename: transports.gateway
+
+#
+# Set this to get fasclient cron to make the aliases file
+#
+fas_aliases: true
+
+#
+# Sometimes there are lots of postfix processes
+#
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000

inventory/group_vars/beaker

@@ -6,7 +6,10 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 
-tcp_ports: [ 80, 443 ]
+tcp_ports: [ 80, 443, 8000 ]
+udp_ports: [ 69 ]
 fas_client_groups: sysadmin-qa
 nrpe_procs_warn: 250
 nrpe_procs_crit: 300
+
+freezes: false

inventory/group_vars/bodhi

@@ -15,9 +15,12 @@ tcp_ports: [ 80, 443,
     3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
     3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
 
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
 fas_client_groups: sysadmin-noc
 
-# These are consumed by a task in roles/fedmsg_base/main.yml
+# These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
   owner: root

inventory/group_vars/bodhi-stg

@@ -15,9 +15,12 @@ tcp_ports: [ 80, 443,
     3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
     3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
 
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
 fas_client_groups: sysadmin-noc
 
-# These are consumed by a task in roles/fedmsg_base/main.yml
+# These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
   owner: root

inventory/group_vars/bugzilla2fedmsg

@@ -0,0 +1,21 @@
+---
+lvm_size: 20000
+mem_size: 6144
+num_cpus: 2
+freezes: false
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 3000, 3001 ]
+
+fas_client_groups: sysadmin-noc,sysadmin-datanommer
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: bugzilla2fedmsg
+  owner: root
+  group: fedmsg

inventory/group_vars/bugzilla2fedmsg-stg

@@ -0,0 +1,21 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 1
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 3000, 3001 ]
+
+fas_client_groups: sysadmin-noc,sysadmin-datanommer
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: bugzilla2fedmsg
+  owner: root
+  group: fedmsg

inventory/group_vars/buildhw

@@ -1,5 +1,3 @@
 ---
+host_group: kojibuilder
 freezes: true
- 
-
-

inventory/group_vars/buildvm

@@ -1,15 +1,15 @@
 ---
 # common items for the buildvm-* koji builders
+volgroup: /dev/BuildGuests
 lvm_size: 150000
-mem_size: 6144
-num_cpus: 5
+mem_size: 10240
+num_cpus: 4
 ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-20
 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/20/Fedora/x86_64/os/
 nm: 255.255.255.0
 gw: 10.5.125.254
 eth1_gw: 10.5.127.254
 dns: 10.5.126.21
-volgroup: /dev/vg_host01
 virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
                  --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
                  --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x

inventory/group_vars/buildvm-stg

@@ -0,0 +1,24 @@
+---
+# common items for the buildvm-* koji builders
+volgroup: /dev/vg_virthost16
+lvm_size: 150000
+mem_size: 10240
+num_cpus: 4
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-20
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/20/Fedora/x86_64/os/
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
+                 --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x
+                 "ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0 
+                  hostname={{ inventory_hostname }} nameserver={{ dns }} 
+                  ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none"
+                 --network=bridge=br0,model=virtio --network=bridge=br1,model=virtio
+                 --autostart --noautoconsole
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+host_group: kojibuilder
+datacenter: staging

inventory/group_vars/busgateway

@@ -0,0 +1,24 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 4096
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [
+    3999,  # The fedmsg-relay republishes here.  Listeners need to connect.
+    9941,  # The fedmsg-relay listens here.  Ephemeral producers connect.
+    3998,  # The fedmsg-relay listens here.  VPN producers connect.
+    9940,  # The fedmsg-gateway republishes here.  Proxies need to connect.
+    9919,  # The websocket server publishes here.  Proxies need to connect.
+]
+
+fas_client_groups: sysadmin-noc,sysadmin-datanommer
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin

inventory/group_vars/busgateway-stg

@@ -0,0 +1,23 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 1
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [
+    3999,  # The fedmsg-relay republishes here.  Listeners need to connect.
+    9941,  # The fedmsg-relay listens here.  Ephemeral producers connect.
+    9940,  # The fedmsg-gateway republishes here.  Proxies need to connect.
+    9919,  # The websocket server publishes here.  Proxies need to connect.
+]
+
+fas_client_groups: sysadmin-noc,sysadmin-datanommer
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin

inventory/group_vars/bvirthost

@@ -0,0 +1,2 @@
+---
+virthost: true

inventory/group_vars/copr

@@ -0,0 +1,6 @@
+---
+devel: false
+_forward_src: "forward"
+copr_backend_ips: "172.16.5.4"
+resolvconf: "resolv.conf/cloud"
+

inventory/group_vars/copr-back

@@ -0,0 +1,8 @@
+---
+_lighttpd_conf_src: "lighttpd/lighttpd.conf"
+_copr_be_conf: "copr-be.conf"
+
+do_sign: "false"
+keygen_host: "copr-keygen.cloud.fedoraproject.org"
+
+spawn_in_advance: "true"

inventory/group_vars/copr-back-stg

@@ -0,0 +1,8 @@
+---
+_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
+_copr_be_conf: "copr-be.conf-dev"
+
+do_sign: "true"
+keygen_host: "209.132.184.124"
+
+spawn_in_advance: "true"

inventory/group_vars/copr-front

@@ -0,0 +1,3 @@
+---
+copr_hostname: "copr-fe.cloud.fedoraproject.org"
+copr_frontend_public_hostname: "copr.fedoraproject.org"

inventory/group_vars/copr-front-stg

@@ -0,0 +1,2 @@
+---
+copr_frontend_public_hostname: "copr-fe-dev.cloud.fedoraproject.org"

inventory/group_vars/copr-keygen

@@ -0,0 +1,2 @@
+---
+tcp_ports: [80, 5167]

inventory/group_vars/copr-keygen-stg

@@ -0,0 +1,3 @@
+---
+copr_hostbase: copr-keygen-dev
+tcp_ports: [80, 5167]

inventory/group_vars/copr-stg

@@ -0,0 +1,7 @@
+---
+devel: true
+#_forward-src: "{{ files }}/copr/forward-dev"
+_forward_src: "forward_dev"
+
+copr_backend_ips: "172.16.5.5 172.16.5.4 172.16.5.24"
+resolvconf: "resolv.conf/cloud"

inventory/group_vars/datagrepper

@@ -1,2 +1,16 @@
 ---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 2048
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443, 6996 ]
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
+fas_client_groups: sysadmin-noc,sysadmin-datanommer,fi-apprentice
+
 freezes: false

inventory/group_vars/datagrepper-stg

@@ -0,0 +1,16 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 2048
+num_cpus: 1
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443, 6996 ]
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
+fas_client_groups: sysadmin-noc,sysadmin-datanommer,fi-apprentice
+
+freezes: false

inventory/group_vars/dhcp

@@ -0,0 +1,13 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 10000
+mem_size: 1024
+num_cpus: 1
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 68 ]
+udp_ports: [ 69 ]
+
+fas_client_groups: sysadmin-noc,fi-apprentice