Adjust greenwave rawhide sync policy to Basic tests only

This adjusts the `openqa_important_stuff_for_rawhide` Greenwave
policy to include only openQA tests that enforce Basic release
criteria, removing all the tests that enforce Beta or Final
criteria. This matches the intentions expressed in the 'no more
Alphas' Change - we intend to gate Rawhide composes on meeting
the Basic criteria, not Beta or Final.

Signed-off-by: Adam Williamson <awilliam@redhat.com>

README.cloud

@@ -131,6 +131,7 @@ This lists all security groups in that tenant:
 the output will look like this:
 euca-describe-groups  | grep GROU
 GROUP	d4e664a10e2c4210839150be09c46e5e	default	default
+GROUP	d4e664a10e2c4210839150be09c46e5e	jenkins	jenkins instance group
 GROUP	d4e664a10e2c4210839150be09c46e5e	logstash	logstash security group
 GROUP	d4e664a10e2c4210839150be09c46e5e	smtpserver	list server group. needs web and smtp
 GROUP	d4e664a10e2c4210839150be09c46e5e	webserver	webserver security group

TODO

@@ -14,3 +14,4 @@
 
 - merge in tasks/playbooks/inventory/etc from:
   - builders
+

files/common/fedora-updates-testing.repo

@@ -1,11 +1,7 @@
 [updates-testing]
 name=Fedora $releasever - $basearch - Test Updates
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@@ -14,11 +10,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-testing-debuginfo]
 name=Fedora $releasever - $basearch - Test Updates Debug
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/debug/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@@ -27,11 +19,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-testing-source]
 name=Fedora $releasever - Test Updates Source
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/SRPMS/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/SRPMS/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1

files/common/fedora-updates-testing.repo-secondary

@@ -1,11 +1,7 @@
 [updates-testing]
 name=Fedora $releasever - $basearch - Test Updates
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/$basearch/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/$basearch/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@@ -14,11 +10,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-testing-debuginfo]
 name=Fedora $releasever - $basearch - Test Updates Debug
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/debug/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/$basearch/debug/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@@ -27,11 +19,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-testing-source]
 name=Fedora $releasever - Test Updates Source
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/SRPMS/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/SRPMS/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1

files/common/fedora-updates.repo

@@ -1,11 +1,7 @@
 [updates]
 name=Fedora $releasever - $basearch - Updates
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
 enabled=1
 gpgcheck=1
@@ -14,11 +10,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-debuginfo]
 name=Fedora $releasever - $basearch - Updates - Debug
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/debug/
-{% else %}
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/debug/
-{% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@@ -27,11 +19,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-source]
 name=Fedora $releasever - Updates Source
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/SRPMS/
-{% else %}
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/SRPMS/
-{% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1

files/common/fedora-updates.repo-secondary

@@ -1,11 +1,7 @@
 [updates]
 name=Fedora $releasever - $basearch - Updates
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/$basearch/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/$basearch/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
 enabled=1
 gpgcheck=1
@@ -14,11 +10,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-debuginfo]
 name=Fedora $releasever - $basearch - Updates - Debug
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/debug/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/$basearch/debug/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@@ -27,11 +19,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-source]
 name=Fedora $releasever - Updates Source
 failovermethod=priority
-{% if ansible_distribution_major_version|int >27  %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/SRPMS/
-{% else %}
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/SRPMS/
-{% endif %}
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1

files/common/fedora.repo

@@ -1,11 +1,11 @@
 [fedora]
 name=Fedora $releasever - $basearch
 failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
 enabled=1
 metadata_expire=7d
-gpgcheck=1
+gpgcheck=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 
 [fedora-debuginfo]

files/common/fedora.repo-secondary

@@ -1,11 +1,11 @@
 [fedora]
 name=Fedora $releasever - $basearch
 failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
 enabled=1
 metadata_expire=7d
-gpgcheck=1
+gpgcheck=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 
 [fedora-debuginfo]

files/common/rhel-7-aarch64-server-rpms.repo

@@ -1,13 +1,4 @@
-[rhel-7-alt-for-arm-64-optional-rpms]
-name = rhel7 $basearch server optional
-baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-alt-for-arm-64-optional-rpms/
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-enabled=1
-gpgcheck=1
-
-[rhel-7-alt-for-arm-64-rpms]
+[rhel7-aarch64-server]
 name = rhel7 $basearch server
-baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-alt-for-arm-64-rpms/
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-rpms
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-enabled=1
-gpgcheck=1

files/fedora-cloud/haproxy.cfg

@@ -68,44 +68,44 @@ defaults
 frontend neutron
   bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend neutron
-  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=31536000
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend cinder
   bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend cinder
-  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=31536000
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend swift
   bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend swift
-  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=31536000
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend nova
   bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend nova
-  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=31536000
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend ceilometer
   bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend ceilometer
-  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=31536000
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend ec2
   bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend ec2
-  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=31536000
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 frontend glance
   bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend glance
-  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=31536000
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000
 
 backend neutron
   server neutron 127.0.0.1:8696 check

files/hotfix/autocloud/consumer.py

@@ -48,6 +48,7 @@ class AutoCloudConsumer(fedmsg.consumers.FedmsgConsumer):
         log.info('Received %r %r' % (msg['topic'], msg['body']['msg_id']))
 
         STATUS_F = ('FINISHED_INCOMPLETE', 'FINISHED',)
+        VARIANTS_F = ('CloudImages',)
 
         images = []
         compose_db_update = False
@@ -55,16 +56,6 @@ class AutoCloudConsumer(fedmsg.consumers.FedmsgConsumer):
         status = msg_body['msg']['status']
         compose_images_json = None
 
-        # Till F27, both cloud-base and atomic images were available
-        # under variant CloudImages. With F28 and onward releases,
-        # cloud-base image compose moved to cloud variant and atomic images
-        # moved under atomic variant.
-        prev_rel = ['26', '27']
-        if msg_body['msg']['release_version'] in prev_rel:
-            VARIANTS_F = ('CloudImages',)
-        else:
-            VARIANTS_F = ('AtomicHost', 'Cloud')
-
         if status in STATUS_F:
             location = msg_body['msg']['location']
             json_metadata = '{}/metadata/images.json'.format(location)

files/httpd/apachestatus.conf

@@ -2,13 +2,4 @@ ExtendedStatus on
 
 <Location /apache-status>
     SetHandler server-status
-    <IfModule mod_authz_core.c>
-    # Apache 2.4
-    <RequireAny>
-        Require ip 127.0.0.1
-	Require ip ::1
-	Require host localhost
-	Require valid-user
-    </RequireAny>
-    </IfModule>
 </Location>

files/httpd/fedorahosted-redirects.conf

@@ -237,15 +237,6 @@ RewriteRule ^/pki/p/k/pki/(.*) https://releases.pagure.org/dogtagpki/$1 [L,R]
 RewriteRule ^/pki/p/k/pki https://releases.pagure.org/dogtagpki/ [L,R]
 RewriteRule ^/pki https://pagure.io/dogtagpki [R=301]
 
-RewriteRule ^/generic-logos/ https://pagure.io/generic-logos/ [R=301]
-RewriteRule ^/generic-logos https://pagure.io/generic-logos/ [R=301]
-RewriteRule ^/released/generic-logos/(.*) https://releases.pagure.org/generic-logos/$1 [R=301]
-RewriteRule ^/released/generic-logos https://releases.pagure.org/generic-logos/ [R=301]
-
-RewriteRule ^/beakerlib/wiki/Manual https://github.com/beakerlib/beakerlib/wiki/man [R=301]
-RewriteRule ^/beakerlib/wiki/(.*) https://github.com/beakerlib/beakerlib/wiki/$1 [R=301]
-RewriteRule ^/beakerlib/(.*) https://github.com/beakerlib/beakerlib/ [R=301]
-
 # Ipsilon wiki is now moving content
 ReWriteCond %{REQUEST_URI} !^/ipsilon/.*
 

files/httpd/h2.conf.j2

@@ -1 +0,0 @@
-Protocols h2 {% if not inventory_hostname.startswith('proxy') %} h2c {% endif %} http/1.1

files/httpd/headers.conf.j2

@@ -1,7 +1,3 @@
 Header set AppTime "%D"
 PassEnv HOSTNAME
 Header set AppServer "{{ inventory_hostname }}"
-{% if inventory_hostname in groups['proxies'] and ansible_distribution == 'Fedora' %}
-
-ErrorDocument 421 "You have hit an incorrect proxy for a Fedora Project website due to a bug in Firefox. Please refresh"
-{% endif %}

files/openshift/openshift.repo

@@ -1,31 +1,22 @@
-{% if env == "staging" %}
-[rhel7-openshift-3.9]
-name = rhel7 openshift 3.9 $basearch
-baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.9-rpms/
+[rhel7-openshift-3.4]
+name = rhel7 openshift 3.4 $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.4-rpms/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-enabled=1
 
-# 3.8 is needed to upgrade from 3.7 to 3.9
-[rhel7-openshift-3.8]
-name = rhel7 openshift 3.8 $basearch
-baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.8-rpms/
+[rhel7-openshift-3.5]
+name = rhel7 openshift 3.5 $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.5-rpms/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-enabled=1
 
-[rhel7-openshift-3.7]
-name = rhel7 openshift 3.7 $basearch
-baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.7-rpms/
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-enabled=0
-{% else %}
+{% if env == 'staging' %}
 [rhel7-openshift-3.6]
 name = rhel7 openshift 3.6 $basearch
 baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.6-rpms/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-{% endif %}
 
 # OpenShift 3.6 needs this for new openvswitch
 [rhel7-fast-datapath]
 name = rhel7 fast datapath $basearch
 baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-fast-datapath/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+{% endif %}

files/osbs/buildroot-Dockerfile-production.j2

@@ -1,9 +1,7 @@
 FROM registry.fedoraproject.org/fedora
 ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
 RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man
-RUN dnf -y install --refresh python2-productmd python3-productmd libmodulemd python2-gobject python3-gobject python2-modulemd python3-modulemd python2-pdc-client python3-pdc-client
-ADD ./krb5.conf /etc
-RUN printf '[libdefaults]\n default_ccache_name = DIR:/tmp/ccache_%%{uid}' >/etc/krb5.conf.d/ccache.conf
+RUN sed -i 's|.*default_ccache_name.*| default_ccache_name = DIR:/tmp/ccache_%{uid}|g' /etc/krb5.conf
 ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/
 ADD ./ca.crt /etc/pki/ca-trust/source/anchors/osbs.ca.crt
 RUN update-ca-trust

files/osbs/buildroot-Dockerfile-staging.j2

@@ -1,10 +1,8 @@
 FROM registry.fedoraproject.org/fedora
 ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
-RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man
-ADD ./krb5.conf /etc
-RUN printf '[libdefaults]\n default_ccache_name = DIR:/tmp/ccache_%%{uid}' >/etc/krb5.conf.d/ccache.conf
+RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python3-docker-py python3-setuptools e2fsprogs koji osbs-client gssproxy fedpkg python3-docker-squash atomic-reactor python3-atomic-reactor* go-md2man
+RUN sed -i 's|.*default_ccache_name.*| default_ccache_name = DIR:/tmp/ccache_%{uid}|g' /etc/krb5.conf
 ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/
 ADD ./ca.crt /etc/pki/ca-trust/source/anchors/osbs.ca.crt
 RUN update-ca-trust
-CMD ["python2", "/usr/bin/atomic-reactor", "--verbose", "inside-build"]
-
+CMD ["python3", "/usr/bin/atomic-reactor", "--verbose", "inside-build"]

files/osbs/docker.firewall.service

@@ -1,2 +0,0 @@
-[Service]
-ExecStartPost=/usr/local/bin/fix-docker-iptables

files/osbs/docker.service

@@ -0,0 +1,32 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target
+Wants=docker-storage-setup.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+EnvironmentFile=-/etc/sysconfig/docker
+EnvironmentFile=-/etc/sysconfig/docker-storage
+EnvironmentFile=-/etc/sysconfig/docker-network
+Environment=GOTRACEBACK=crash
+ExecStart=/usr/bin/docker daemon \
+          --exec-opt native.cgroupdriver=systemd \
+          $OPTIONS \
+          $DOCKER_STORAGE_OPTIONS \
+          $DOCKER_NETWORK_OPTIONS \
+          $INSECURE_REGISTRY
+ExecStartPost=/usr/local/bin/fix-docker-iptables
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+MountFlags=slave
+StandardOutput=null
+StandardError=null
+TimeoutStartSec=0
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target
+

files/osbs/fix-docker-iptables.production

@@ -49,9 +49,6 @@ iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
 iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
 iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
 
-# infrastructure.fp.o (infra repos)
-iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.23 --dport 443 -j ACCEPT
-
 # Kerberos
 iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 1088 -j ACCEPT
 iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 1088 -j ACCEPT

files/osbs/fix-docker-iptables.staging

@@ -53,9 +53,6 @@ iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
 iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
 iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
 
-# infrastructure.fp.o (infra repos)
-iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.23 --dport 443 -j ACCEPT
-
 # dl.phx2
 iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
 iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT

files/releng/relengpush

@@ -1,4 +0,0 @@
-#!/bin/bash
-# This file exists to facilitate fully automated mass rebuilds without relying
-# on user intervention or an individual users's account permissions
-sudo /usr/local/bin/relengpush-int $@

files/releng/relengpush-int

@@ -1,4 +0,0 @@
-#!/bin/bash
-# This file exists to facilitate fully automated mass rebuilds without relying
-# on user intervention or an individual users's account permissions
-ssh -i /etc/pki/releng $@

files/scripts/restart-broken-ipv6

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-ping6 -q -c 1 -w 2 2600:: >& /dev/null
-if [ $? -ne 0 ];
-then
-     nmcli c up eth0 >& /dev/null
-fi

files/scripts/restart-broken-ipv6.cron

@@ -1 +0,0 @@
-* * * * * root /usr/local/bin/restart-broken-ipv6

filter_plugins/fedmsg.py

@@ -9,7 +9,7 @@ def invert_fedmsg_policy(groups, vars, env):
     """
 
     if env == 'staging':
-        hosts = groups['all'] + groups['staging'] + groups['fedmsg-qa-network-stg'] + groups['openshift-pseudohosts-stg']
+        hosts = groups['staging'] + groups['fedmsg-qa-network-stg'] + groups['openshift-pseudohosts-stg']
     else:
         hosts = [h for h in groups['all'] if h not in groups['staging'] + groups['openshift-pseudohosts-stg']]
 

handlers/restart_services.yml

@@ -15,20 +15,20 @@
   action: service name=crond state=restarted
 
 - name: restart fedmsg-gateway
-  command: /usr/local/bin/conditional-restart.sh fedmsg-gateway
+  command: /usr/local/bin/conditional-restart.sh fedmsg-gateway fedmsg-gateway
 
 - name: restart fedmsg-hub
-  command: /usr/local/bin/conditional-restart.sh fedmsg-hub
+  command: /usr/local/bin/conditional-restart.sh fedmsg-hub fedmsg-hub
   # Note that, we're cool with arbitrary restarts on bodhi-backend02, just
-  # not bodhi-backend01 or bodhi-backend03.  01 and 03 is where the releng/mash
+  # not bodhi-backend01 or bodhi-backend03.  01 and 03 is where the releng/mash 
   # stuff happens and we # don't want to interrupt that.
   when: inventory_hostname not in ['bodhi-backend01.phx2.fedoraproject.org', 'bodhi-backend03.phx2.fedoraproject.org']
 
 - name: restart fedmsg-irc
-  command: /usr/local/bin/conditional-restart.sh fedmsg-irc
+  command: /usr/local/bin/conditional-restart.sh fedmsg-irc fedmsg-irc
 
 - name: restart fedmsg-relay
-  command: /usr/local/bin/conditional-restart.sh fedmsg-relay
+  command: /usr/local/bin/conditional-restart.sh fedmsg-relay fedmsg-relay
 
 - name: restart koji-sync-listener
   action: service name=koji-sync-listener state=restarted
@@ -42,6 +42,9 @@
 - name: restart ip6tables
   action: service name=ip6tables state=restarted
 
+- name: restart jenkins
+  action: service name=jenkins state=restarted
+
 - name: restart libvirtd
   action: service name=libvirtd state=restarted
 
@@ -174,5 +177,6 @@
 - name: restart idmapd
   service: name=nfs-idmapd state=restarted
 
-- name: restart buildmaster
-  service: name=buildmaster state=restarted
+- name: restart darkserver
+  service: name=darkserver state=restarted
+

inventory/backups

@@ -13,7 +13,6 @@ people02.fedoraproject.org
 pkgs02.phx2.fedoraproject.org
 log01.phx2.fedoraproject.org
 db-qa01.qa.fedoraproject.org
-db-qa02.qa.fedoraproject.org
 db-koji01.phx2.fedoraproject.org
 #copr-be.cloud.fedoraproject.org
 copr-fe.cloud.fedoraproject.org

inventory/builders

@@ -51,9 +51,6 @@ buildvm-aarch64-01.stg.arm.fedoraproject.org
 [buildvm-armv7-stg]
 buildvm-armv7-01.stg.arm.fedoraproject.org
 
-[buildvm-s390x-stg]
-buildvm-s390x-01.stg.s390.fedoraproject.org
-
 [buildvm-aarch64]
 buildvm-aarch64-01.arm.fedoraproject.org
 buildvm-aarch64-02.arm.fedoraproject.org
@@ -71,6 +68,7 @@ buildvm-aarch64-13.arm.fedoraproject.org
 buildvm-aarch64-14.arm.fedoraproject.org
 buildvm-aarch64-15.arm.fedoraproject.org
 buildvm-aarch64-16.arm.fedoraproject.org
+# these vm's are too slow to use, cause still under investigation
 #buildvm-aarch64-17.arm.fedoraproject.org
 buildvm-aarch64-18.arm.fedoraproject.org
 buildvm-aarch64-19.arm.fedoraproject.org
@@ -97,6 +95,7 @@ buildvm-armv7-13.arm.fedoraproject.org
 buildvm-armv7-14.arm.fedoraproject.org
 buildvm-armv7-15.arm.fedoraproject.org
 buildvm-armv7-16.arm.fedoraproject.org
+# these vm's are too slow to use, cause still under investigation
 #buildvm-armv7-17.arm.fedoraproject.org
 buildvm-armv7-18.arm.fedoraproject.org
 buildvm-armv7-19.arm.fedoraproject.org
@@ -124,6 +123,7 @@ buildvm-s390x-11.s390.fedoraproject.org
 buildvm-s390x-12.s390.fedoraproject.org
 buildvm-s390x-13.s390.fedoraproject.org
 buildvm-s390x-14.s390.fedoraproject.org
+buildvm-s390x-15.s390.fedoraproject.org
 
 [buildvmhost]
 buildvmhost-01.phx2.fedoraproject.org
@@ -151,8 +151,7 @@ aarch64-c13n1.arm.fedoraproject.org
 aarch64-c14n1.arm.fedoraproject.org
 aarch64-c15n1.arm.fedoraproject.org
 aarch64-c16n1.arm.fedoraproject.org
-# HP cannot seem to get this cart working.
-#aarch64-c17n1.arm.fedoraproject.org
+aarch64-c17n1.arm.fedoraproject.org
 aarch64-c18n1.arm.fedoraproject.org
 aarch64-c19n1.arm.fedoraproject.org
 aarch64-c20n1.arm.fedoraproject.org
@@ -178,14 +177,6 @@ buildhw-10.phx2.fedoraproject.org
 buildhw-aarch64-01.arm.fedoraproject.org
 buildhw-aarch64-02.arm.fedoraproject.org
 buildhw-aarch64-03.arm.fedoraproject.org
-buildhw-aarch64-04.arm.fedoraproject.org
-buildhw-aarch64-05.arm.fedoraproject.org
-buildhw-aarch64-06.arm.fedoraproject.org
-buildhw-aarch64-07.arm.fedoraproject.org
-buildhw-aarch64-08.arm.fedoraproject.org
-# Machine unresponsive, likely dead
-#buildhw-aarch64-09.arm.fedoraproject.org
-buildhw-aarch64-10.arm.fedoraproject.org
 
 #
 # These are primary koji builders. 
@@ -204,12 +195,6 @@ buildvm-ppc64-10.ppc.fedoraproject.org
 buildvm-ppc64-11.ppc.fedoraproject.org
 buildvm-ppc64-12.ppc.fedoraproject.org
 buildvm-ppc64-13.ppc.fedoraproject.org
-buildvm-ppc64-14.ppc.fedoraproject.org
-buildvm-ppc64-15.ppc.fedoraproject.org
-buildvm-ppc64-16.ppc.fedoraproject.org
-buildvm-ppc64-17.ppc.fedoraproject.org
-buildvm-ppc64-18.ppc.fedoraproject.org
-buildvm-ppc64-19.ppc.fedoraproject.org
 
 #
 # These are primary koji builders. 
@@ -228,12 +213,33 @@ buildvm-ppc64le-10.ppc.fedoraproject.org
 buildvm-ppc64le-11.ppc.fedoraproject.org
 buildvm-ppc64le-12.ppc.fedoraproject.org
 buildvm-ppc64le-13.ppc.fedoraproject.org
-buildvm-ppc64le-14.ppc.fedoraproject.org
-buildvm-ppc64le-15.ppc.fedoraproject.org
-buildvm-ppc64le-16.ppc.fedoraproject.org
-buildvm-ppc64le-17.ppc.fedoraproject.org
-buildvm-ppc64le-18.ppc.fedoraproject.org
-buildvm-ppc64le-19.ppc.fedoraproject.org
+
+#
+# These are secondary arch builders. 
+#
+[buildppc]
+buildppc-01.ppc.fedoraproject.org
+buildppc-02.ppc.fedoraproject.org
+buildppc-03.ppc.fedoraproject.org
+buildppc-04.ppc.fedoraproject.org
+
+#
+# These are secondary arch builders. 
+#
+[buildppcle]
+buildppcle-01.ppc.fedoraproject.org
+buildppcle-02.ppc.fedoraproject.org
+buildppcle-03.ppc.fedoraproject.org
+buildppcle-04.ppc.fedoraproject.org
+
+[buildaarch64]
+aarch64-02a.arm.fedoraproject.org
+# Marked DEAD in pdu
+#aarch64-03a.arm.fedoraproject.org
+aarch64-04a.arm.fedoraproject.org
+aarch64-05a.arm.fedoraproject.org
+aarch64-06a.arm.fedoraproject.org
+aarch64-07a.arm.fedoraproject.org
 
 [bkernel]
 bkernel01.phx2.fedoraproject.org
@@ -279,21 +285,17 @@ buildvm-01.stg.phx2.fedoraproject.org
 buildvm-02.stg.phx2.fedoraproject.org
 buildvm-01.phx2.fedoraproject.org
 buildhw-01.phx2.fedoraproject.org
-buildvm-aarch64-01.stg.arm.fedoraproject.org
 buildvm-aarch64-01.arm.fedoraproject.org
 buildvm-aarch64-02.arm.fedoraproject.org
-buildvm-armv7-01.stg.arm.fedoraproject.org
 buildvm-armv7-01.arm.fedoraproject.org
 buildvm-armv7-02.arm.fedoraproject.org
 buildvm-armv7-03.arm.fedoraproject.org
-buildvm-ppc64-01.stg.ppc.fedoraproject.org
+aarch64-02a.arm.fedoraproject.org
 buildvm-ppc64-01.ppc.fedoraproject.org
 buildvm-ppc64-02.ppc.fedoraproject.org
-buildvm-ppc64le-01.stg.ppc.fedoraproject.org
 buildvm-ppc64le-01.ppc.fedoraproject.org
 buildvm-ppc64le-02.ppc.fedoraproject.org
 buildvm-s390x-01.s390.fedoraproject.org
-buildvm-s390x-01.stg.s390.fedoraproject.org
 
 [builders:children]
 buildhw
@@ -302,6 +304,9 @@ buildvm-aarch64
 buildvm-armv7
 buildvm-ppc64
 buildvm-ppc64le
+buildppc
+buildppcle
+buildaarch64
 buildvm-s390
 buildvm-s390x
 bkernel
@@ -312,4 +317,3 @@ buildvm-ppc64-stg
 buildvm-ppc64le-stg
 buildvm-aarch64-stg
 buildvm-armv7-stg
-buildvm-s390x-stg

inventory/cloud

@@ -16,14 +16,14 @@ copr-fe.cloud.fedoraproject.org
 copr-fe-dev.cloud.fedoraproject.org
 copr-keygen.cloud.fedoraproject.org
 copr-keygen-dev.cloud.fedoraproject.org
+darkserver-dev.fedorainfracloud.org
 developer.fedorainfracloud.org
 eclipse.fedorainfracloud.org
-elastic-dev.fedorainfracloud.org
 el6-test.fedorainfracloud.org
 el7-test.fedorainfracloud.org
+f25-test.fedorainfracloud.org
 f26-test.fedorainfracloud.org
 f27-test.fedorainfracloud.org
-f28-test.fedorainfracloud.org
 faitout.fedorainfracloud.org
 fas2-dev.fedorainfracloud.org
 fas3-dev.fedorainfracloud.org
@@ -48,13 +48,21 @@ fed-cloud-ppc02.cloud.fedoraproject.org
 fedimg-dev.fedorainfracloud.org
 fedora-bootstrap.fedorainfracloud.org
 glittergallery-dev.fedorainfracloud.org
+grafana.cloud.fedoraproject.org
+graphite.fedorainfracloud.org
 hubs-dev.fedorainfracloud.org
 iddev.fedorainfracloud.org
+insim.fedorainfracloud.org
 java-deptools.fedorainfracloud.org
-simple-koji-ci-dev.fedorainfracloud.org
-simple-koji-ci-prod.fedorainfracloud.org
+jenkins.fedorainfracloud.org
+jenkins-slave-el6.fedorainfracloud.org
+jenkins-slave-el7.fedorainfracloud.org
+jenkins-slave-f26.fedorainfracloud.org
+jenkins-slave-f25.fedorainfracloud.org
+jenkins-slave-f25-ppc64le.fedorainfracloud.org
 lists-dev.fedorainfracloud.org
 magazine2.fedorainfracloud.org
+modernpaste.fedorainfracloud.org
 modularity.fedorainfracloud.org
 modularity2.fedorainfracloud.org
 ppc64le-test.fedorainfracloud.org
@@ -65,12 +73,13 @@ respins.fedorainfracloud.org
 shumgrepper-dev.fedorainfracloud.org
 taiga.fedorainfracloud.org
 taigastg.fedorainfracloud.org
-telegram-irc.fedorainfracloud.org
 testdays.fedorainfracloud.org
+twisted-fedora24-1.fedorainfracloud.org
+twisted-fedora24-2.fedorainfracloud.org
+twisted-fedora25-1.fedorainfracloud.org
+twisted-fedora25-2.fedorainfracloud.org
 twisted-fedora26-1.fedorainfracloud.org
 twisted-fedora26-2.fedorainfracloud.org
-twisted-fedora27-1.fedorainfracloud.org
-twisted-fedora27-2.fedorainfracloud.org
 twisted-rhel7-1.fedorainfracloud.org
 twisted-rhel7-2.fedorainfracloud.org
 upstreamfirst.fedorainfracloud.org

inventory/group_vars/all

@@ -42,7 +42,6 @@ use_default_epel: true
 udp_ports: []
 tcp_ports: []
 custom_rules: []
-nat_rules: []
 custom6_rules: []
 
 # defaults for virt installs
@@ -61,8 +60,6 @@ br0_nm: 255.255.255.0
 br1_nm: 255.255.255.0
 # Default to managing the network, we want to not do this on select hosts (like cloud nodes)
 ansible_ifcfg_blacklist: false
-# List of interfaces to explicitly disable
-ansible_ifcfg_disabled: []
 #
 # The default virt-install works for rhel7 or fedora with 1 nic
 #
@@ -79,7 +76,7 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
                   hostname={{ inventory_hostname }} nameserver={{ dns }}
                   ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
                  --network bridge={{ main_bridge }},model=virtio
-                 --autostart --noautoconsole --watchdog default --rng /dev/random --cpu host
+                 --autostart --noautoconsole --watchdog default
 
 virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
                  --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
@@ -90,7 +87,7 @@ virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
                   ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
                   ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none'
                  --network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio
-                 --autostart --noautoconsole --watchdog default --rng /dev/random
+                 --autostart --noautoconsole --watchdog default
 
 virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }}
                  --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
@@ -100,7 +97,7 @@ virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }}
                   hostname={{ inventory_hostname }} nameserver={{ dns }}
                   ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
                  --network bridge={{ main_bridge }},model=virtio
-                 --autostart --noautoconsole --rng /dev/random
+                 --autostart --noautoconsole
 
 virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }}
                  --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
@@ -111,7 +108,7 @@ virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }}
                   ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
                   ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none'
                  --network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio
-                 --autostart --noautoconsole --rng /dev/random
+                 --autostart --noautoconsole
 
 virt_install_command_armv7_one_nic: virt-install -n {{ inventory_hostname }} --arch armv7l
                  --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
@@ -121,7 +118,7 @@ virt_install_command_armv7_one_nic: virt-install -n {{ inventory_hostname }} --a
                   hostname={{ inventory_hostname }} nameserver={{ dns }}
                   ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
                  --network bridge={{ main_bridge }},model=virtio
-                 --autostart --noautoconsole --rng /dev/random
+                 --autostart --noautoconsole
 
 virt_install_command_rhel6: virt-install -n {{ inventory_hostname }}
                  --memory={{ mem_size }},maxmemory={{ max_mem_size }}
@@ -265,7 +262,6 @@ nagios_Check_Services:
   dhcpd: false
   httpd: false
   swap: true
-  ping: true
 
 # Set variable if we want to use our global iptables defaults
 # Some things need to set their own.
@@ -276,6 +272,3 @@ baseiptables: True
 nm_controlled_resolv: False
 dns1: "10.5.126.21"
 dns2: "10.5.126.22"
-
-# This is a list of services that need to wait for VPN to be up before getting started.
-postvpnservices: []

inventory/group_vars/ask

@@ -0,0 +1,54 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 2048
+num_cpus: 2
+
+tcp_ports: [ 80, 443,
+    # This port is required by gluster
+    6996,
+    # These 12 ports are used by fedmsg.  One for each wsgi thread.
+    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 30010, 3011, 3012]
+
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
+fas_client_groups: sysadmin-noc,sysadmin-ask,fi-apprentice,sysadmin-veteran
+
+freezes: false
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+  can_send:
+  - logger.log
+- service: askbot
+  owner: root
+  group: apache
+  can_send:
+  - askbot.post.delete
+  - askbot.post.edit
+  - askbot.post.flag_offensive.add
+  - askbot.post.flag_offensive.delete
+  - askbot.tag.update
+
+virt_install_command: "{{ virt_install_command_rhel6 }}"
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
+csi_purpose: Run the django webapp for ask.fedoraproject.org
+csi_relationship: |
+    This depends on:
+
+    - The database server on db01.
+    - memcached (specifically memcached02), but only in production.  In staging,
+      a local-memory backend is used instead.
+
+    Gotchas:
+
+    - The packages for celery are installed, but we do not actually run or
+      depend on the celery daemon.
+    - There are *lots* of hotfixes in effect on this machine.

inventory/group_vars/ask-stg

@@ -0,0 +1,54 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 2048
+num_cpus: 2
+
+tcp_ports: [ 80, 443,
+    # This port is required by gluster
+    6996,
+    # These 8 ports are used by fedmsg.  One for each wsgi thread.
+    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007]
+
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
+fas_client_groups: sysadmin-noc,sysadmin-ask,fi-apprentice,sysadmin-veteran
+
+freezes: false
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+  can_send:
+  - logger.log
+- service: askbot
+  owner: root
+  group: apache
+  can_send:
+  - askbot.post.delete
+  - askbot.post.edit
+  - askbot.post.flag_offensive.add
+  - askbot.post.flag_offensive.delete
+  - askbot.tag.update
+
+virt_install_command: "{{ virt_install_command_rhel6 }}"
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
+csi_purpose: Run the django webapp for ask.fedoraproject.org
+csi_relationship: |
+    This depends on:
+
+    - The database server on db01.
+    - memcached (specifically memcached02), but only in production.  In staging,
+      a local-memory backend is used instead.
+
+    Gotchas:
+
+    - The packages for celery are installed, but we do not actually run or
+      depend on the celery daemon.
+    - There are *lots* of hotfixes in effect on this machine.

inventory/group_vars/autocloud-backend-stg

@@ -14,8 +14,6 @@ tcp_ports: [
 
 fas_client_groups: sysadmin-noc,sysadmin-fedimg,sysadmin-releng,sysadmin-veteran
 
-fedmsg_debug_loopback: True
-
 # These people get told when something goes wrong.
 fedmsg_error_recipients:
 - sysadmin-fedimg-members@fedoraproject.org

inventory/group_vars/badges-backend-stg

@@ -1,7 +1,7 @@
 ---
 # Define resources for this group of hosts here. 
 lvm_size: 20000
-mem_size: 4096
+mem_size: 1024
 num_cpus: 2
 
 # for systems that do not match the above - specify the same parameter in

inventory/group_vars/bastion

@@ -23,7 +23,7 @@ custom_rules: [
 
 # TODO - remove modularity-wg membership here once it is not longer needed:
 # https://fedorahosted.org/fedora-infrastructure/ticket/5363
-fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel
+fas_client_groups: sysadmin-ask,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-darkserver,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel
 
 #
 # This is a postfix gateway. This will pick up gateway postfix config in base

inventory/group_vars/batcave

@@ -8,7 +8,7 @@ tcp_ports: [ 80, 443 ]
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
 
-fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-build,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran
+fas_client_groups: sysadmin-ask,sysadmin-build,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran
 
 ansible_base: /srv/web/infra
 freezes: false

inventory/group_vars/bodhi-backend-stg

@@ -68,9 +68,6 @@ fedmsg_certs:
   - bodhi.update.eject
   - bodhi.update.complete.testing
   - bodhi.update.complete.stable
-  - bodhi.update.request.testing
-  - bodhi.update.request.stable
-  - bodhi.update.request.batched
   - bodhi.buildroot_override.untag
 - service: ftpsync
   owner: root

inventory/group_vars/bodhi2

@@ -60,7 +60,6 @@ fedmsg_certs:
   - bodhi.update.request.revoke
   - bodhi.update.request.stable
   - bodhi.update.request.testing
-  - bodhi.update.request.batched
   - bodhi.update.request.unpush
 
   # Things that only the mash does - not the web UI

inventory/group_vars/buildvm

@@ -5,8 +5,8 @@ lvm_size: 262144
 mem_size: 15360
 max_mem_size: "{{ mem_size }}"
 num_cpus: 6
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
 nm: 255.255.255.0
 gw: 10.5.125.254
 eth1_gw: 10.5.127.254

inventory/group_vars/buildvm-aarch64

@@ -6,13 +6,16 @@ mem_size: 24576
 max_mem_size: "{{ mem_size }}"
 num_cpus: 4
 max_cpu: "{{ num_cpus }}"
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28-aarch64
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/aarch64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26-aarch64
+ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/26/Everything/aarch64/os/
 nm: 255.255.255.0
 gw: 10.5.129.254
 dns: 10.5.126.21
-main_bridge: br0
-nfs_bridge: br1
+# This is reverted so that eth1 gets br0 and eth0 gets br1
+# This seems some kind of bug where in the guest kernel the devices are swapped around
+# when compared to the host.
+main_bridge: br1
+nfs_bridge: br0
 virt_install_command: "{{ virt_install_command_aarch64_two_nic }}"
 
 # for systems that do not match the above - specify the same parameter in

inventory/group_vars/buildvm-aarch64-stg

@@ -5,8 +5,8 @@ lvm_size: 150000
 mem_size: 10240
 max_mem_size: "{{ mem_size }}"
 num_cpus: 4
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28-aarch64
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/aarch64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-25
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
@@ -46,4 +46,4 @@ docker_registry: "candidate-registry.stg.fedoraproject.org"
 koji_root: "koji.stg.fedoraproject.org/koji"
 koji_hub: "koji.stg.fedoraproject.org/kojihub"
 
-createrepo: True
+createrepo: False

inventory/group_vars/buildvm-armv7

@@ -6,8 +6,8 @@ mem_size: 24576
 max_mem_size: "{{ mem_size }}"
 num_cpus: 4
 max_cpu: "{{ num_cpus }}"
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-27-armv7
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Everything/armhfp/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26-armv7
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Everything/armhfp/os/
 nm: 255.255.255.0
 gw: 10.5.129.254
 dns: 10.5.126.21

inventory/group_vars/buildvm-armv7-stg

@@ -5,8 +5,8 @@ lvm_size: 150000
 mem_size: 10240
 max_mem_size: "{{ mem_size }}"
 num_cpus: 4
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28-armv7
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/armhfp/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-25
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
@@ -46,4 +46,4 @@ docker_registry: "candidate-registry.stg.fedoraproject.org"
 koji_root: "koji.stg.fedoraproject.org/koji"
 koji_hub: "koji.stg.fedoraproject.org/kojihub"
 
-createrepo: True
+createrepo: False

inventory/group_vars/buildvm-ppc64

@@ -1,12 +1,12 @@
 ---
 # common items for the buildvm-* koji builders
 volgroup: /dev/vg_guests
-lvm_size: 145000
+lvm_size: 150000
 mem_size: 10240
 max_mem_size: "{{ mem_size }}"
 num_cpus: 4
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28-ppc64
-ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/28/Server/ppc64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26-ppc64
+ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/26/Server/ppc64/os/
 nm: 255.255.255.0
 gw: 10.5.129.254
 dns: 10.5.126.21

inventory/group_vars/buildvm-ppc64-stg

@@ -5,8 +5,8 @@ lvm_size: 150000
 mem_size: 10240
 max_mem_size: "{{ mem_size }}"
 num_cpus: 4
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28-ppc64
-ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/28/Server/ppc64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26-ppc64
+ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/26/Server/ppc64/os/
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
@@ -46,4 +46,4 @@ docker_registry: "candidate-registry.stg.fedoraproject.org"
 koji_root: "koji.stg.fedoraproject.org/koji"
 koji_hub: "koji.stg.fedoraproject.org/kojihub"
 
-createrepo: True
+createrepo: False

inventory/group_vars/buildvm-ppc64le

@@ -1,12 +1,12 @@
 ---
 # common items for the buildvm-* koji builders
 volgroup: /dev/vg_guests
-lvm_size: 145000
+lvm_size: 150000
 mem_size: 10240
 max_mem_size: "{{ mem_size }}"
 num_cpus: 4
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28-ppc64le
-ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/28/Server/ppc64le/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26-ppc64le
+ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/26/Server/ppc64le/os/
 nm: 255.255.255.0
 gw: 10.5.129.254
 dns: 10.5.126.21

inventory/group_vars/buildvm-ppc64le-stg

@@ -5,8 +5,8 @@ lvm_size: 150000
 mem_size: 10240
 max_mem_size: "{{ mem_size }}"
 num_cpus: 4
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28-ppc64le
-ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/28/Server/ppc64le/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26-ppc64le
+ks_repo: http://10.5.126.23/pub/fedora-secondary/releases/26/Server/ppc64le/os/
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
@@ -46,4 +46,4 @@ docker_registry: "candidate-registry.stg.fedoraproject.org"
 koji_root: "koji.stg.fedoraproject.org/koji"
 koji_hub: "koji.stg.fedoraproject.org/kojihub"
 
-createrepo: True
+createrepo: False

inventory/group_vars/buildvm-s390x-stg

@@ -1,20 +0,0 @@
----
-ansible_ifcfg_blacklist: True
-createrepo: False
-host_group: kojibuilder
-fas_client_groups: sysadmin-releng
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"
-
-koji_hub_nfs: "fedora_koji"
-koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
-koji_weburl: "https://koji.stg.fedoraproject.org/koji"
-koji_topurl: "https://kojipkgs.stg.fedoraproject.org/"
-
-csi_security_category: High
-csi_primary_contact: Fedora Admins - admin@fedoraproject.org
-csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
-csi_relationship: |
-  * VMs built on top of a s390x LPAR
-  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
-  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
-  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new

inventory/group_vars/buildvm-stg

@@ -5,8 +5,8 @@ lvm_size: 150000
 mem_size: 10240
 max_mem_size: "{{ mem_size }}"
 num_cpus: 4
-ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-28
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
@@ -14,8 +14,8 @@ dns: 10.5.126.21
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 host_group: kojibuilder
-fas_client_groups: sysadmin-releng,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/buildvm-stg-sudoers"
+fas_client_groups: sysadmin-releng
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 datacenter: staging
 nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 

inventory/group_vars/copr

@@ -4,8 +4,8 @@ _forward_src: "forward"
 
 # don't forget to update ip in ./copr-keygen, due to custom firewall rules
 
-copr_backend_ips: ["172.25.32.218", "209.132.184.48"]
-keygen_host: "172.25.32.209"
+copr_backend_ips: ["172.25.32.155", "209.132.184.48"]
+keygen_host: "172.25.32.157"
 
 resolvconf: "resolv.conf/cloud"
 

inventory/group_vars/copr-front

@@ -12,3 +12,5 @@ csi_purpose: Provide a publicly accessible frontend for 3rd party packages (copr
 csi_relationship: |
   - This host provides the frontend part of copr only.
   - It's the point of contact between end users and the copr build system (backend, package singer)
+
+copr_mbs_cli_login: Y29wcg==##vtvvikhcjncwkfkdcssv

inventory/group_vars/copr-keygen

@@ -2,9 +2,9 @@
 tcp_ports: [22]
 
 # http + signd dest ports
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.218 --dport 80 -j ACCEPT',
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.155 --dport 80 -j ACCEPT',
                 '-A INPUT -p tcp -m tcp -s 209.132.184.48 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.32.218 --dport 5167 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 172.25.32.155 --dport 5167 -j ACCEPT',
                 '-A INPUT -p tcp -m tcp -s 209.132.184.48 --dport 5167 -j ACCEPT']
 
 datacenter: cloud

inventory/group_vars/copr-keygen-stg

@@ -3,10 +3,10 @@ copr_hostbase: copr-keygen-dev
 tcp_ports: []
 
 # http + signd dest ports
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.217 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.155.215 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.32.217 --dport 5167 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.25.155.215 --dport 5167 -j ACCEPT']
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.175 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.53 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 172.25.32.175 --dport 5167 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.53 --dport 5167 -j ACCEPT']
 
 datacenter: cloud
 

inventory/group_vars/copr-stg

@@ -5,8 +5,8 @@ _forward_src: "forward_dev"
 
 # don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules
 
-copr_backend_ips: ["172.25.32.217", "172.25.155.215"]
-keygen_host: "172.25.32.205"
+copr_backend_ips: ["172.25.32.175", "172.25.150.48"]
+keygen_host: "172.25.32.154"
 
 resolvconf: "resolv.conf/cloud"
 

inventory/group_vars/darkserver

@@ -0,0 +1,11 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 6144
+num_cpus: 8
+
+tcp_ports: [ 80, 443 ]
+
+fas_client_groups: sysadmin-noc,sysadmin-darkserver,fi-apprentice,sysadmin-veteran
+
+freezes: false

inventory/group_vars/darkserver-backend-stg

@@ -0,0 +1,11 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 3144
+num_cpus: 2
+
+tcp_ports: []
+
+fas_client_groups: sysadmin-noc,sysadmin-darkserver,fi-apprentice,sysadmin-veteran
+
+freezes: false

inventory/group_vars/darkserver-web-stg

@@ -0,0 +1,11 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 3144
+num_cpus: 2
+
+tcp_ports: [ 80, 443 ]
+
+fas_client_groups: sysadmin-noc,sysadmin-darkserver,fi-apprentice,sysadmin-veteran
+
+freezes: false

inventory/group_vars/docker-registry-stg

@@ -8,12 +8,7 @@ sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 tcp_ports: [
     5000,
-    # These ports all required for gluster
-    111, 24007, 24008, 24009, 24010, 24011,
-    49152, 49153, 49154, 49155,
-    ]
-
-# gluster
-udp_ports: [111]
+    # This is for the gluster server
+    6996]
 
 registry_gluster_username_stg: registry-stg

inventory/group_vars/download

@@ -66,6 +66,3 @@ dl_tier1:
   - ultra.linux.cz                     # 195.113.15.27
   - wpi.edu                            # 130.215.36.26
   - zaphod.gtlib.gatech.edu            # 128.61.111.12
-  - 147.75.69.165                      # sjc.edge.kernel.org
-  - 147.75.197.195                     # ewr.edge.kernel.org
-  - 147.75.101.1                       # ams.edge.kernel.org

inventory/group_vars/faf-stg

@@ -8,9 +8,3 @@ sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers"
 nagios_Check_Services:
   nrpe: false
   swap: false
-
-# kernel SHMMAX value
-kernel_shmmax: 687194767
-shared_buffers: "1GB"
-effective_cache_size: "3GB"
-

inventory/group_vars/fedimg

@@ -3,8 +3,6 @@ lvm_size: 20000
 mem_size: 6144
 num_cpus: 2
 
-testing: False
-
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 

inventory/group_vars/fedimg-stg

@@ -3,9 +3,6 @@ lvm_size: 20000
 mem_size: 6144
 num_cpus: 2
 
-# Use infrastructure-tags-stg repo
-testing: True
-
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 
@@ -16,7 +13,7 @@ tcp_ports: [
 ]
 
 # TODO, restrict this down to just sysadmin-releng
-fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-atomic
+fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg,fi-apprentice,sysadmin-noc,sysadmin-veteran
 
 fedmsg_debug_loopback: True 
 

inventory/group_vars/freshmaker-stg

@@ -1,28 +0,0 @@
----
-# For app config
-freshmaker_messaging_topic_prefix:
-- org.fedoraproject.stg
-
-freshmaker_parsers:
-- freshmaker.parsers.git:GitReceiveParser
-
-freshmaker_handlers:
-- freshmaker.handlers.git:GitModuleMetadataChangeHandler
-- freshmaker.handlers.git:GitRPMSpecChangeHandler
-
-freshmaker_admins:
-  users:
-  - jkaluza
-  - cqi
-  - qwan
-  - sochotni
-  groups: []
-
-freshmaker_dry_run: True
-freshmaker_log_level: debug
-#
-#freshmaker_handler_build_whitelist:
-#  global:
-#    module:
-#    - name:
-#      - testmodule

inventory/group_vars/hubs-stg

@@ -1,33 +0,0 @@
----
-# Define resources for this group of hosts here.
-lvm_size: 20000
-mem_size: 4096
-num_cpus: 2
-
-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
-
-tcp_ports: [ 80 ]
-
-fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-hubs,sysadmin-veteran
-
-# These are consumed by a task in roles/fedmsg/base/tasks/main.yml
-fedmsg_certs:
-- service: shell
-  owner: hubs
-  group: hubs
-  can_send:
-  - logger.log
-  - hubs.user.created
-  - hubs.user.role.added
-  - hubs.user.role.changed
-  - hubs.user.role.removed
-  - hubs.hub.created
-  - hubs.hub.updated
-  - hubs.widget.updated
-
-# Used by the hubs role
-hubs_url_hostname: hubs.stg.fedoraproject.org
-hubs_db_host: db01.stg.phx2.fedoraproject.org
-hubs_oidc_url: id.stg.fedoraproject.org
-hubs_oidc_secret: "{{ hubs_stg_oidc_secret }}"

inventory/group_vars/jenkins-master

@@ -0,0 +1,49 @@
+---
+datacenter: cloud
+freezes: false
+ansible_ifcfg_blacklist: true
+
+slaves:
+- name: EL6
+  host: jenkins-slave-el6.fedorainfracloud.org
+  description: CentOS 6.8
+  labels: el EL el6 EL6 centos CentOS centos6 CentOS6
+  capacity: 4
+- name: EL7
+  host: jenkins-slave-el7.fedorainfracloud.org
+  description: Red Hat Enterprise Linux Server 7.3
+  labels: el EL el7 EL7 rhel RHEL rhel7 RHEL7
+  capacity: 4
+- name: F26
+  host: jenkins-slave-f26.fedorainfracloud.org
+  description: Fedora 26
+  labels: fedora Fedora fedora26 Fedora26
+  capacity: 4
+- name: F25
+  host: jenkins-slave-f25.fedorainfracloud.org
+  description: Fedora 25
+  labels: fedora Fedora fedora25 Fedora25
+  capacity: 4
+- name: F25-ppc64le
+  host: jenkins-slave-f25-ppc64le.fedorainfracloud.org
+  description: Fedora 25 ppc64le
+  labels: fedora Fedora fedora25 Fedora25 Fedora25ppc64le ppc64le
+  capacity: 4
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: root
+  can_send:
+  - logger.log
+- service: jenkins
+  owner: root
+  group: jenkins
+  can_send:
+  - jenkins.build.aborted
+  - jenkins.build.failed
+  - jenkins.build.notbuilt
+  - jenkins.build.passed
+  - jenkins.build.start
+  - jenkins.build.unstable

inventory/group_vars/jenkins-slave

@@ -0,0 +1,287 @@
+---
+datacenter: cloud
+freezes: false
+
+ansible_ifcfg_blacklist: true
+
+# Packages installed on all Jenkins slaves (Fedora, CentOS)
+slave_packages_common:
+- java-1.8.0-openjdk-devel
+- vim
+- subversion
+- bzr
+- git
+- rpmlint
+- rpmdevtools
+- mercurial
+- mock
+- gcc
+- gcc-c++
+- libjpeg-turbo-devel
+- python-bugzilla
+- python-pip
+- python-virtualenv
+- python-coverage
+- pylint
+- python-argparse
+- python-nose
+- python-BeautifulSoup
+- python-fedora
+- python-pep8
+- python-psycopg2
+- postgresql-devel   # Required to install python-psycopg2 w/in a venv
+- docbook-style-xsl  # Required by gimp-help-2
+- make               # Required by gimp-help-2
+- automake           # Required by gimp-help-2
+- libcurl-devel      # Required by blockerbugs
+- python-formencode  # Required by javapackages-tools
+- asciidoc           # Required by javapackages-tools
+- xmlto              # Required by javapackages-tools
+- pycairo-devel      # Required by dogtail
+- packagedb-cli      # Required by FedoraReview
+- xorg-x11-server-Xvfb  # Required by fedora-rube
+- libffi-devel       # Required by bodhi/cffi/cryptography
+- openssl-devel      # Required by bodhi/cffi/cryptography
+- redis              # Required by copr
+- createrepo_c       # Required by bodhi2
+- python-straight-plugin
+- pyflakes           # Requested by user rholy (ticket #4175)
+- koji               # Required by koschei (ticket #4852) and pyrpkg (ticket #4838)
+- rpm-python         # Required by koschei (ticket #4852)
+- libgit2-devel      # Required by pagure
+- osbs-client        # Required by pyrpkg (ticket #4838)
+- intltool           # Required by fedora-comps (ticket #5307)
+- fedpkg             # Required by fedora-kickstarts (ticket #5406)
+- sqlite-devel       # Required by fedora-hubs (ticket #5425)
+- python-virtualenvwrapper  # Required by fedora-hubs (ticket #5425)
+- swig               # Required by fm-orchestrator (ticket #5517)
+- python-tox         # Required by resultsdb_conventions (ticket #5785)
+- gcc-c++            # Required by libabigail (ticket 5797)
+- libtool            # Required by libabigail (ticket 5797)
+- elfutils-devel     # Required by libabigail (ticket 5797)
+- libxml2-devel      # Required by libabigail (ticket 5797)
+- doxygen            # Required by libabigail (ticket 5797)
+- python-sphinx      # Required by libabigail (ticket 5797)
+- texinfo            # Required by libabigail (ticket 5797)
+- dos2unix           # Required by libabigail (ticket 5797)
+- dpkg               # Required by libabigail (ticket 5797)
+- python2-devel      # Required by libabigail (ticket 5797)
+- rpm-python         # Required by libabigail (ticket 5797)
+- python2-mock       # Required by libabigail (ticket 5797)
+- koji               # Required by libabigail (ticket 5797)
+- pyxdg              # Required by libabigail (ticket 5797)
+- python-unittest2   # Required by libabigail (ticket 5797)
+- wget               # Required by libabigail (ticket 5797)
+- mailcap            # Required by libabigail (ticket 5797)
+
+# Packages installed only on Fedora Jenkins slaves
+slave_packages_fedora:
+- python3
+- python-nose-cover3
+- python3-nose-cover3
+- glibc
+- glibc-devel
+- libstdc++
+- zlib-devel
+- ncurses-devel
+- libX11-devel
+- libXrender
+- libXrandr
+- nspr-devel           ## Requested by 389-ds-base
+- nss-devel
+- svrcore-devel
+- openldap-devel
+- libdb-devel
+- cyrus-sasl-devel
+- icu
+- libicu-devel
+- gcc-c++
+- net-snmp-devel
+- lm_sensors-devel
+- bzip2-devel
+- zlib-devel
+- openssl-devel
+- tcp_wrappers
+- pam-devel
+- systemd-units
+- policycoreutils-python
+- openldap-clients
+- perl-Mozilla-LDAP
+- nss-tools
+- cyrus-sasl-gssapi
+- cyrus-sasl-md5
+- libdb-utils
+- perl-Socket
+- perl-NetAddr-IP
+- pcre-devel            ## End of request list for 389-ds-base
+- maven                 # Required by xmvn https://fedorahosted.org/fedora-infrastructure/ticket/4054
+- gtk3-devel            # Required by dogtail
+- glib2-devel           # Required by Cockpit
+- libgudev1-devel
+- json-glib-devel
+- gobject-introspection-devel
+- libudisks2-devel
+- NetworkManager-glib-devel
+- systemd-devel
+- accountsservice-devel
+- pam-devel
+- autoconf
+- libtool
+- intltool
+- jsl
+- python-scss
+- gtk-doc
+- krb5-devel
+- sshpass
+- perl-Locale-PO
+- perl-JSON
+- glib-networking
+- realmd
+- udisks2
+- mdadm
+- lvm2
+- sshpass           # End requires for Cockpit
+- tito              # Requested by msrb for javapackages-tools and xmvn (ticket#4113)
+- pyflakes          # Requested by user rholy (ticket #4175)
+- firefox           # Required for rube
+- python-devel      # Required for mpi4py
+- python3-devel     # Required for mpi4py
+- pwgen             # Required for mpi4py
+- openmpi-devel     # Required for mpi4py
+- mpich2-devel      # Required for mpi4py
+- pylint            # Required by Ipsilon
+- python-pep8
+- nodejs-less
+- python-openid
+- python-openid-teams
+- python-openid-cla
+- python-cherrypy
+- m2crypto
+- lasso-python
+- python-sqlalchemy
+- python-ldap
+- python-pam
+- python-fedora
+- freeipa-python
+- httpd
+- mod_auth_mellon
+- postgresql-server
+- openssl
+- mod_wsgi
+- python-psycopg2
+- sssd
+- libsss_simpleifp
+- openldap-servers
+- mod_auth_gssapi
+- krb5-server
+- socket_wrapper
+- nss_wrapper
+- krb5-workstation
+- python-sssdconfig
+- mod_ssl
+- python-jwcrypto
+- python-lesscpy     # End requires for Ipsilon
+- libxml2-python     # Required by gimp-docs
+- createrepo         # Required by dnf
+- dia                # Required by javapackages-tools ticket #4279
+- python-hawkey      # Required by koschei (ticket #4852)
+- python-librepo     # Required by koschei (ticket #4852)
+- python3-pygit2     # Required by pagure
+- nosync             # for use in mock
+- liberasurecode-devel # Required by pyeclib (ticket #5015) - No EPEL7 build
+- python2-mock
+- python-lxml
+- mongodb-server
+- ruby               # For modularity (ticket 5379)
+- ruby-devel
+- ruby-irb
+- ruby-libs
+- rubygem-bigdecimal
+- rubygem-bundler
+- rubygem-io-console
+- rubygem-json
+- rubygem-net-http-persistent
+- rubygem-psych
+- rubygem-rdoc
+- rubygem-rmagick
+- rubygem-thor       # Required by Fedora Budget (ticket 5679)
+- rubygems
+- rubypick
+- python2-unittest2
+- python2-createrepo_c       # Required by bodhi2
+- python2-pygit2     # Required by pagure
+- iptables
+- ledger             # Required by Fedora Budget (ticket 5679)
+- rubygem-asciidoctor  # Required by Fedora Budget (ticket 5679)
+- rubygem-builder    # Required by Fedora Budget (ticket 5679)
+- rubygem-coderay    # Required by Fedora Budget (ticket 5679)
+- rubygem-eventmachine  # Required by Fedora Budget (ticket 5679)
+- rubygem-ffi        # Required by Fedora Budget (ticket 5679)
+- rubygem-formatador  # Required by Fedora Budget (ticket 5679)
+- rubygem-git        # Required by Fedora Budget (ticket 5679)
+- rubygem-haml       # Required by Fedora Budget (ticket 5679)
+- rubygem-listen     # Required by Fedora Budget (ticket 5679)
+- rubygem-method_source  # Required by Fedora Budget (ticket 5679)
+- rubygem-multi_json  # Required by Fedora Budget (ticket 5679)
+- rubygem-nenv       # Required by Fedora Budget (ticket 5679)
+- rubygem-pry        # Required by Fedora Budget (ticket 5679)
+- rubygem-rake       # Required by Fedora Budget (ticket 5679)
+- rubygem-rb-inotify  # Required by Fedora Budget (ticket 5679)
+- rubygem-shellany   # Required by Fedora Budget (ticket 5679)
+- rubygem-slop       # Required by Fedora Budget (ticket 5679)
+- rubygem-tilt       # Required by Fedora Budget (ticket 5679)
+- doxygen            # Required by gssproxy (ticket 5703)
+- findutils          # Required by gssproxy (ticket 5703)
+- gettext-devel      # Required by gssproxy (ticket 5703)
+- keyutils-libs-devel  # Required by gssproxy (ticket 5703)
+- libini_config-devel  # Required by gssproxy (ticket 5703)
+- libselinux-devel   # Required by gssproxy (ticket 5703)
+- libverto-devel     # Required by gssproxy (ticket 5703)
+- libxml2            # Required by gssproxy (ticket 5703)
+- libxslt            # Required by gssproxy (ticket 5703)
+- m4                 # Required by gssproxy (ticket 5703)
+- pkgconfig          # Required by gssproxy (ticket 5703)
+- popt-devel         # Required by gssproxy (ticket 5703)
+- krb5-server-ldap   # Required by gssproxy (ticket 5703)
+- valgrind            # Required by gssproxy (ticket 5703) Required by libabigail (Ticket 5797)
+- perl-Fedora-VSP    # needed by 389
+- perl-generators    # needed by 389
+- libevent-devel     # needed by 389
+- libcmocka-devel    # needed by 389
+- gperftools-devel   # needed by 389
+
+# Packages installed only on CentOS Jenkins slaves
+slave_packages_centos:
+# "setup" is just a placeholder value
+- setup
+
+# Packages only installed on el7 slave
+el7_only:
+- python-webob1.4    # Required by bodhi2
+- python-pillow      # Required by bodhi2
+- python-hawkey      # Required by koschei (ticket #4852)
+- python-librepo     # Required by koschei (ticket #4852)
+- nosync             # for use in mock
+- python-unittest2
+- python-createrepo_c       # Required by bodhi2
+- python-pygit2     # Required by pagure
+- python-pygments-markdown-lexer  # Required by fedora-hubs (ticket #5425)
+
+# Packages only available/needed in f24+
+f24_only:
+- python2-systemd
+- python2-requests-kerberos
+- python2-jinja2
+- devscripts-minimal # Required by FedoraReview
+- python26
+- python33
+- python34
+- python36
+
+f25_only:
+- python3-tox
+- python26
+- python33
+- python34
+- python36
+- swig                # required for coco

inventory/group_vars/koji-stg

@@ -12,7 +12,7 @@ tcp_ports: [ 80, 443, 111, 2049,
 
 udp_ports: [ 111, 2049 ]
 
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
 
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:

inventory/group_vars/koschei-backend

@@ -12,9 +12,6 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org
 koschei_koji_hub: koji.fedoraproject.org
 koschei_kojipkgs: kojipkgs.fedoraproject.org
 koschei_koji_web: koji.fedoraproject.org
-koschei_copr_url: http://copr-fe.cloud.fedoraproject.org
-koschei_copr_login: NOT-USED-YET
-koschei_copr_token: NOT-USED-YET
 
 host_group: koschei-backend
 

inventory/group_vars/koschei-backend-stg

@@ -12,9 +12,6 @@ koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org
 koschei_koji_hub: koji.stg.fedoraproject.org
 koschei_kojipkgs: koji.stg.fedoraproject.org
 koschei_koji_web: koji.stg.fedoraproject.org
-koschei_copr_url: http://copr-fe-dev.cloud.fedoraproject.org
-koschei_copr_login: "{{ koschei_copr_login_stg }}"
-koschei_copr_token: "{{ koschei_copr_token_stg }}"
 
 
 tcp_ports: [
@@ -58,7 +55,6 @@ csi_relationship: |
     - fedmsg hub
     - bastion (for mail relay)
     - memcached01
-    - Copr development instance
 
 koschei_backend_services:
   - koschei-polling

inventory/group_vars/koschei-web

@@ -1,7 +1,7 @@
 ---
 # Define resources for this group of hosts here.
-lvm_size: 8000
-mem_size: 2048
+lvm_size: 6000
+mem_size: 1024
 num_cpus: 1
 
 # for systems that do not match the above - specify the same parameter in
@@ -12,11 +12,9 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org
 koschei_koji_hub: koji02.phx2.fedoraproject.org
 koschei_kojipkgs: kojipkgs.fedoraproject.org
 koschei_koji_web: koji.fedoraproject.org
-koschei_oidc_provider: id.fedoraproject.org
+koschei_openid_provider: id.fedoraproject.org
 koschei_bugzilla: bugzilla.redhat.com
 
-koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_prod }}"
-koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_prod }}"
 
 tcp_ports: [ 80, 443 ]
 

inventory/group_vars/koschei-web-stg

@@ -1,7 +1,7 @@
 ---
 # Define resources for this group of hosts here.
-lvm_size: 8000
-mem_size: 2048
+lvm_size: 6000
+mem_size: 1024
 num_cpus: 1
 
 # for systems that do not match the above - specify the same parameter in
@@ -11,12 +11,9 @@ koschei_topurl: https://apps.stg.fedoraproject.org/koschei
 koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org
 koschei_kojipkgs: koji.stg.fedoraproject.org
 koschei_koji_web: koji.stg.fedoraproject.org
-koschei_oidc_provider: id.stg.fedoraproject.org
+koschei_openid_provider: id.stg.fedoraproject.org
 koschei_bugzilla: partner-bugzilla.redhat.com
 
-koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_stg }}"
-koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_stg }}"
-
 tcp_ports: [ 80, 443 ]
 
 custom_rules: [

inventory/group_vars/librariesio2fedmsg-stg

@@ -1,11 +0,0 @@
----
-# XXX - this is not really a group of real hosts.
-# Instead, it represents an application in openshift.
-# See playbooks/openshift-apps/waiverdb.yml
-
-fedmsg_env: stg
-
-fedmsg_certs:
-- service: librariesio2fedmsg
-  can_send:
-  - librariesio2fedmsg.sse2fedmsg.librariesio

inventory/group_vars/loopabull

@@ -1,13 +0,0 @@
----
-# Define resources for this group of hosts here.
-lvm_size: 20000
-mem_size: 2048
-num_cpus: 1
-
-fas_client_groups: sysadmin-loopabull
-sudoers: "{{ private }}/files/sudo/mm2-sudoers"
-
-# For the MOTD
-csi_security_category: High
-csi_primary_contact: admin@fedoraproject.org / sysadmin-main-members
-csi_purpose: Release Engineering automation hosts

inventory/group_vars/modernpaste

@@ -3,6 +3,3 @@ freezes: false
 mem_size: 4096
 num_cpus: 2
 tcp_ports: [22, 80, 443]
-
-fas_client_groups: paste-deleter
-sudoers: "{{ private }}/files/sudo/modernpaste-sudoers"

inventory/group_vars/nagios

@@ -34,6 +34,8 @@ csi_purpose: Monitoring system
 # and they don't do ansible
 #
 phx2_management_hosts:
+  - autocloud-backend-libvirt.mgmt.fedoraproject.org
+  - autocloud-backend-vbox.mgmt.fedoraproject.org
   - backup01.mgmt.fedoraproject.org
   - beaker-client01.mgmt.fedoraproject.org
   - beaker-client02.mgmt.fedoraproject.org
@@ -59,19 +61,10 @@ phx2_management_hosts:
   - dell-fx02-07.mgmt.fedoraproject.org
   - dell-fx02-08.mgmt.fedoraproject.org
   - dell-fx02.mgmt.fedoraproject.org
-  - cloud-fx01.mgmt.fedoraproject.org
-  - control01.mgmt.fedoraproject.org
-  - control02.mgmt.fedoraproject.org
-  - cn-x86-64-01-03.mgmt.fedoraproject.org
-  - cn-x86-64-01-04.mgmt.fedoraproject.org
-  - cn-x86-64-01-05.mgmt.fedoraproject.org
-  - cn-x86-64-01-06.mgmt.fedoraproject.org
-  - cn-x86-64-01-07.mgmt.fedoraproject.org
-  - cn-x86-64-01-08.mgmt.fedoraproject.org
-  - cn-x86-64-02-01.mgmt.fedoraproject.org
-  - cn-x86-64-02-02.mgmt.fedoraproject.org
-  - cn-x86-64-02-03.mgmt.fedoraproject.org
-  - cloud-fx02.mgmt.fedoraproject.org
+  - dell-fxqa01-01.mgmt.fedoraproject.org
+  - dell-fxqa01-02.mgmt.fedoraproject.org
+  - dell-fxqa01-03.mgmt.fedoraproject.org
+  - dell-fxqa01.mgmt.fedoraproject.org
   - download01.mgmt.fedoraproject.org
   - download02.mgmt.fedoraproject.org
   - download03.mgmt.fedoraproject.org
@@ -93,6 +86,11 @@ phx2_management_hosts:
   - fed-cloud14.mgmt.fedoraproject.org
   - fed-cloud15.mgmt.fedoraproject.org
   - kvm01.mgmt.fedoraproject.org
+  - oldbox01.mgmt.fedoraproject.org
+  - oldbox02.mgmt.fedoraproject.org
+  - oldbox03.mgmt.fedoraproject.org
+  - oldbox04.mgmt.fedoraproject.org
+  - oldbox05.mgmt.fedoraproject.org
   - qa09.mgmt.fedoraproject.org
   - qa10.mgmt.fedoraproject.org
   - qa11.mgmt.fedoraproject.org
@@ -105,7 +103,7 @@ phx2_management_hosts:
   - virthost-comm03.mgmt.fedoraproject.org
   - virthost-comm04.mgmt.fedoraproject.org
   - virthost-s390.mgmt.fedoraproject.org
-  - virthost01-stg.mgmt.fedoraproject.org
+  - virthost01.mgmt.fedoraproject.org
   - virthost02.mgmt.fedoraproject.org
   - virthost03.mgmt.fedoraproject.org
   - virthost04.mgmt.fedoraproject.org
@@ -135,11 +133,32 @@ phx2_management_limited:
   - moonshot01-sw2.mgmt.fedoraproject.org
   - opengear01.mgmt.fedoraproject.org
   - opengear02.mgmt.fedoraproject.org
+  - qa01.mgmt.fedoraproject.org
+  - qa02.mgmt.fedoraproject.org
+  - qa03.mgmt.fedoraproject.org
+  - qa04.mgmt.fedoraproject.org
   - qa05.mgmt.fedoraproject.org
   - qa07.mgmt.fedoraproject.org
+  - qa08.mgmt.fedoraproject.org
+  - rack16-pdu-a.mgmt.fedoraproject.org
+  - rack16-pdu-b.mgmt.fedoraproject.org
+  - rack17-pdu-a.mgmt.fedoraproject.org
+  - rack17-pdu-b.mgmt.fedoraproject.org
+  - rack47-pdu-a.mgmt.fedoraproject.org
+  - rack47-pdu-b.mgmt.fedoraproject.org
+  - rack47-serial.mgmt.fedoraproject.org
+  - rack48-pdu-a.mgmt.fedoraproject.org
+  - rack48-serial.mgmt.fedoraproject.org
+  - rack51-pdu-a.mgmt.fedoraproject.org
+  - rack51-pdu-b.mgmt.fedoraproject.org
+  - rack51-serial.mgmt.fedoraproject.org
+  - rack52-serial.mgmt.fedoraproject.org
+  - rack58-pdu-a.mgmt.fedoraproject.org
+  - rack58-pdu-b.mgmt.fedoraproject.org
   - sign-vault03.mgmt.fedoraproject.org
   - sign-vault04.mgmt.fedoraproject.org
   - virthost-comm02.mgmt.fedoraproject.org
+  - virthost12.mgmt.fedoraproject.org
   - virthost14.mgmt.fedoraproject.org
 
 phx2_management_slowping:

inventory/group_vars/newcloud

@@ -1,9 +0,0 @@
----
-datacenter: cloud
-nm: 255.255.254.0
-gw: 209.132.184.254
-fas_client_groups: sysadmin-main
-dns: 8.8.8.8
-freezes: false
-ansible_ifcfg_whitelist: ['eth1']
-baseiptables: false

inventory/group_vars/nuancier-stg

@@ -1,7 +1,7 @@
 ---
 # Define resources for this group of hosts here. 
 lvm_size: 20000
-mem_size: 4096
+mem_size: 1024
 num_cpus: 2
 
 # Definining these vars has a number of effects

inventory/group_vars/odcs-backend-stg

@@ -39,16 +39,6 @@ fedmsg_certs:
   can_send:
   - odcs.compose.state-changed
 
-odcs_allowed_source_types: ["tag", "raw_config", "module"]
-odcs_pungi_runroot_enabled: True
-odcs_pungi_parent_runroot_packages: ["pungi", "fedora-packager", "python2-modulemd", "python2-pdc-client", "intltool"]
-odcs_pungi_parent_runroot_tag: f26-build
-odcs_pungi_runroot_target_dir_url: http://kojipkgs.stg.fedoraproject.org/compose/odcs
-
-odcs_raw_config_urls:
-  mboddu_pungi_fedora: https://pagure.io/fork/mohanboddu/pungi-fedora/raw/%s/f/fedora.conf
-  jkaluza_pungi_fedora: https://pagure.io/fork/jkaluza/pungi-fedora/raw/%s/f/fedora.conf
-
 odcs_target_dir_url: https://odcs.stg.fedoraproject.org/composes
 
 # For the MOTD

inventory/group_vars/odcs-frontend

@@ -37,11 +37,6 @@ fedmsg_certs:
   - odcs.compose.state-changed
 
 odcs_target_dir_url: https://odcs.fedoraproject.org/composes
-# Give access to jscotka to be able to develop module testing integration
-# for taskotron.
-# Give access to sgallagh to be able to generate testing composes for new
-# modules.
-odcs_allowed_clients_users: {"jscotka": {}, "sgallagh": {}}
 
 # For the MOTD
 csi_security_category: Low

inventory/group_vars/odcs-frontend-stg

@@ -36,25 +36,8 @@ fedmsg_certs:
   can_send:
   - odcs.compose.state-changed
 
-odcs_allowed_source_types: ["tag", "raw_config", "module"]
-odcs_pungi_runroot_enabled: True
-odcs_pungi_parent_runroot_packages: ["pungi", "fedora-packager", "python2-modulemd", "python2-pdc-client", "intltool"]
-odcs_pungi_parent_runroot_tag: f26-build
-odcs_pungi_runroot_target_dir_url: http://kojipkgs.stg.fedoraproject.org/compose/odcs
-
-odcs_raw_config_urls:
-  mboddu_pungi_fedora: https://pagure.io/fork/mohanboddu/pungi-fedora/raw/%s/f/fedora.conf
-  jkaluza_pungi_fedora: https://pagure.io/fork/jkaluza/pungi-fedora/raw/%s/f/fedora.conf
-
 odcs_target_dir_url: https://odcs.stg.fedoraproject.org/composes
 
-# Give access to jscotka to be able to develop module testing integration
-# for taskotron.
-odcs_allowed_clients_users:
-- jscotka: ["tag", "module"]
-- mohanboddu: ["tag", "module", "raw_config"]
-- kellin: ["tag", "module", "raw_config"]
-
 # For the MOTD
 csi_security_category: Low
 csi_primary_contact: Factory 2 factory2-members@fedoraproject.org

inventory/group_vars/openqa

@@ -16,22 +16,20 @@ openqa_dbhost: db-qa01.qa.fedoraproject.org
 openqa_dbuser: openqa
 openqa_dbpassword: "{{ prod_openqa_dbpassword }}"
 openqa_assetsize: 300
-openqa_assetsize_updates: 50
 
 openqa_key: "{{ prod_openqa_apikey }}"
 openqa_secret: "{{ prod_openqa_apisecret }}"
 
 wikitcms_user: coconut
 wikitcms_password: "{{ prod_wikitcms_password }}"
-wikitcms_token: "{{ private }}/files/openidc/production/wikitcms.json"
 
 # The checkcompose settings below cause system(s) in this group to
 # send out check-compose reports. This could cause duplicate reports
 # if additional systems were added to this group.
 checkcompose_emailfrom: rawhide@fedoraproject.org
 checkcompose_emailto: "test@lists.fedoraproject.org devel@lists.fedoraproject.org"
-checkcompose_atomic_emailto: "dusty@dustymabe.com walters@verbum.org atomic@lists.fedoraproject.org"
-checkcompose_atomic_emailerror: "true"
+checkcompose_postrelease_emailto: "mmcgrath@fedoraproject.org atomic@lists.fedoraproject.org"
+checkcompose_postrelease_emailerror: "true"
 checkcompose_smtp: bastion.phx2.fedoraproject.org
 checkcompose_url: "https://{{ external_hostname }}"
 

inventory/group_vars/openqa-stg

@@ -26,16 +26,12 @@ openqa_dbname: openqa-stg
 openqa_dbhost: db-qa01.qa.fedoraproject.org
 openqa_dbuser: openqastg
 openqa_dbpassword: "{{ stg_openqa_dbpassword }}"
-openqa_assetsize: 450
-openqa_assetsize_ppc: 150
-openqa_assetsize_aarch64: 150
-openqa_assetsize_updates: 75
+openqa_assetsize: 400
 
 openqa_key: "{{ stg_openqa_apikey }}"
 openqa_secret: "{{ stg_openqa_apisecret }}"
 
 wikitcms_password: "{{ stg_wikitcms_password }}"
-wikitcms_token: "{{ private }}/files/openidc/staging/wikitcms.json"
 
 checkcompose_url: "https://{{ external_hostname }}"
 
@@ -73,14 +69,6 @@ fedmsg_certs:
   - openqa.jobs.restart
   - openqa.job.update.result
   - openqa.job.done
-- service: ci
-  owner: root
-  group: geekotest
-  can_send:
-  - ci.productmd-compose.test.queued
-  - ci.productmd-compose.test.running
-  - ci.productmd-compose.test.complete
-  - ci.productmd-compose.test.error
 
 # we need this to log with fedmsg-logger
 fedmsg_active: True

inventory/group_vars/openqa-tap-workers

@@ -12,3 +12,9 @@ custom_rules: [
     '-A FORWARD -m state -i eth2 -o br0 --state RELATED,ESTABLISHED -j ACCEPT',
     '-A INPUT -i br0 -j ACCEPT'
 ]
+
+# we do stuff with ifcfg that base doesn't understand. terrible, terrible
+# stuff. seriously - it doesn't handle the openvswitch config well. so
+# let's tell it to just configure eth0 (and eth2, for ppc64) for us and
+# leave everything else alone.
+ansible_ifcfg_whitelist: ['eth0', 'eth2']

inventory/group_vars/openshift-pseudohosts-stg

@@ -1,2 +0,0 @@
----
-freezes: false

inventory/group_vars/os

@@ -2,4 +2,3 @@
 host_group: os
 baseiptables: False
 no_http2: True
-nm_controlled_resolv: True

inventory/group_vars/os-masters

@@ -2,7 +2,3 @@
 
 os_url: os.fedoraproject.org
 os_app_url: app.os.fedoraproject.org
-swap: false
-nagios_Check_Services:
-  swap: false
-  nrpe: false

inventory/group_vars/os-nodes

@@ -2,7 +2,3 @@
 
 os_url: os.fedoraproject.org
 os_app_url: app.os.fedoraproject.org
-swap: false
-nagios_Check_Services:
-  swap: false
-  nrpe: false

inventory/group_vars/os-stg

@@ -2,4 +2,3 @@
 host_group: os
 baseiptables: False
 no_http2: True
-nm_controlled_resolv: True

inventory/group_vars/osbs

@@ -6,8 +6,8 @@ num_cpus: 2
 
 tcp_ports: [ 80, 443, 8443]
 
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/osbs-sudoers"
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"
 docker_registry: "candidate-registry.fedoraproject.org"

inventory/group_vars/osbs-control

@@ -1,6 +1,6 @@
 ---
 # Define resources for this group of hosts here.
-fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/osbs-sudoers"
+fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 osbs_url: "osbs.fedoraproject.org"

inventory/group_vars/osbs-control-stg

@@ -1,6 +1,6 @@
 ---
 # Define resources for this group of hosts here.
-fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/osbs-sudoers"
+fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 osbs_url: "osbs.stg.fedoraproject.org"

inventory/group_vars/osbs-masters

@@ -6,8 +6,8 @@ num_cpus: 2
 
 tcp_ports: [ 80, 443, 8443]
 
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/osbs-sudoers"
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"
 source_registry: "registry.fedoraproject.org"
@@ -23,8 +23,6 @@ osbs_client_conf_path: /etc/osbs.conf
 openshift_node_labels: {'region':'infra'}
 openshift_schedulable: False
 
-composer: compose-x86-01.phx2.fedoraproject.org
-
 nagios_Check_Services:
   nrpe: true
   sshd: true

inventory/group_vars/osbs-masters-stg

@@ -9,50 +9,6 @@ tcp_ports: [ 80, 443, 8443]
 openshift_node_labels: {'region':'infra'}
 openshift_schedulable: False
 
-docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
-source_registry: "registry.stg.fedoraproject.org"
-docker_registry: "candidate-registry.stg.fedoraproject.org"
-
-osbs_url: "osbs.stg.fedoraproject.org"
-osbs_koji_username: "kojibuilder_stg"
-
-koji_url: "koji.stg.fedoraproject.org"
-
-osbs_client_conf_path: /etc/osbs.conf
-
-osbs_namespace: "osbs-fedora"
-osbs_worker_namespace: worker
-
-osbs_worker_service_accounts:
-  - orchestrator
-  - builder
-
-
-osbs_conf_sources_command: fedpkg sources
-osbs_conf_vendor: Fedora Project
-
-osbs_orchestrator_cpu_limitrange: "95m"
-
-osbs_worker_default_nodeselector: "worker=true"
-osbs_orchestrator_default_nodeselector: "orchestrator=true"
-
-osbs_conf_service_accounts:
-  - koji
-  - builder
-
-osbs_conf_readwrite_users:
-  - "system:serviceaccount:{{ osbs_namespace }}:default"
-  - "system:serviceaccount:{{ osbs_namespace }}:builder"
-
-osbs_conf_worker_clusters:
-  x86_64:
-  - name: x86_64-stg
-    max_concurrent_builds: 2
-    openshift_url: "https://osbs.stg.fedoraproject.org/"
-    verify_ssl: 'false'
-
-composer: composer.stg.phx2.fedoraproject.org
-
 nagios_Check_Services:
   nrpe: true
   sshd: true

inventory/group_vars/osbs-nodes

@@ -6,8 +6,8 @@ num_cpus: 2
 
 tcp_ports: [ 80, 443, 8443, 10250]
 
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/osbs-sudoers"
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"
 docker_registry: "candidate-registry.fedoraproject.org"

inventory/group_vars/osbs-stg

@@ -1,34 +1,145 @@
 ---
-# Define resources for this group of hosts here.
-lvm_size: 60000
-mem_size: 8192
-num_cpus: 2
-
-tcp_ports: [ 80, 443, 8443]
-
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/osbs-sudoers"
-
-docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
-source_registry: "registry.stg.fedoraproject.org"
-docker_registry: "candidate-registry.stg.fedoraproject.org"
-
-osbs_url: "osbs.stg.fedoraproject.org"
-osbs_koji_username: "kojibuilder_stg"
-
-koji_url: "koji.stg.fedoraproject.org"
-
-osbs_client_conf_path: /etc/osbs.conf
 
 baseiptables: False
 
-# docker images required by OpenShift Origin
-openshift_required_images:
-  - "openshift/origin-pod"
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+
+docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
+stable_registry: "registry.stg.fedoraproject.org"
+candidate_registry: "candidate-registry.stg.fedoraproject.org"
+
+osbs_url: "osbs.stg.fedoraproject.org"
+osbsworker_x86_64_url: "osbsworker-x86-64.stg.fedoraproject.org"
+
+koji_url: "koji.stg.fedoraproject.org"
+
+osbs_builder_user: builder
+koji_builder_user: dockerbuilder
+
+osbs_client_conf_path: /etc/osbs.conf
+
+
+# openshift-ansible variables
+
+# Need to use this special branch on my fork for stage until these are merged
+# upstream and backported to the release-3.6 branch
+#
+#   https://github.com/openshift/openshift-ansible/pull/5101
+#   https://github.com/openshift/openshift-ansible/pull/5129
+oa_version: 3.6-add-dnf-support
+
+oa_ssh_user: root
+oa_install_examples: false
+oa_containerized_deploy: false
+oa_auth_profile: osbs
+oa_debug_level: 2
+oa_htpasswd_file: /etc/origin/htpasswd
+origin_release: v3.6.0
+
+osbs_koji_username: "kojibuilder_stg"
+
+openshift_home: /var/lib/origin
+generated_config_path: /tmp
+
+osbs_admin: true
+
+osbs_orchestrator_service_accounts:
+- worker
+- orchestrator
+- metrics
+
+os_cpu_limitrange: '200m'
+
+# FIXME
+
+osbs_orchestrator: false
+
+osbs_worker_namespace: "worker"
+osbs_orchestrator_namespace: "osbs"
+
+osbs_worker_service_accounts:
+- worker
+- orchestrator
+
+worker_clusters:
+  x86_64:
+  - name: osbsworker-x86-64
+    max_concurrent_builds: 12
+    openshift_url: "https://{{ osbsworker_x86_64_url }}"
+    verify_ssl: 'false'
+    artifacts_allowed_domains:
+    - "{{stable_registry}}"
+    - "{{candidate_registry}}"
+
+koji_hub: "https://{{koji_url}}/kojihub"
+koji_root: "https://{{koji_url}}/koji"
+
+osbs_pulp_registry_name: brew-prod
+
+osbs_registry_uri: "https://{{candidate_registry}}/v2"
+
+osbs_source_registry_uri: http://brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888
+
+koji_secret_name: kojisecret
+distribution_scope: public
+authoritative_registry: "{{ stable_registry }}"
+registry_api_versions:
+- v2
+registry_secret_name: v2-registry-dockercfg
+build_json_dir: /usr/share/osbs
+sources_command: fedpkg sources
+vendor: Fedora Project
+
+osbs_manage_firewalld: false
+
+kubeconfig_path: /etc/origin/master/admin.kubeconfig
+osbs_env:
+  HOME: "{{ lookup('env', 'HOME') }}"
+  KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
+osbs_orchestrator_readonly_users:
+- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:metrics"
+osbs_orchestrator_readonly_groups:
+- "system:authenticated"
+osbs_orchestrator_readwrite_groups: []
+osbs_orchestrator_readwrite_users:
+- "{{ ansible_hostname }}"
+- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:default"
+- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:builder"
+
+osbs_worker_readonly_users:
+- "system:serviceaccount:{{ osbs_worker_namespace }}:metrics"
+osbs_worker_readonly_groups:
+- "system:authenticated"
+osbs_worker_readwrite_groups: []
+osbs_worker_readwrite_users:
+- "{{ ansible_hostname }}"
+- "system:serviceaccount:{{ osbs_worker_namespace }}:default"
+- "system:serviceaccount:{{ osbs_worker_namespace }}:builder"
+
+os_admin_users:
+- kevin
+- puiterwijk
+- maxamillion
+- dgilmore
+- kojibuilder_stg
+
+os_admin_groups: []
+osbs_nodes: "{{ groups['osbs-orchestrator-' + env + '-nodes'] }}"
+
+#nodeselectors
+osbs_orchestrator_default_nodeselector: "orchestrator=true"
+osbs_orchestrator_nodeselector_labels: "'orchestrator': 'true'"
+osbs_worker_default_nodeselector: "worker=true"
+osbs_worker_nodeselector_labels: "'worker': 'true'"
 
 # fedora container images required by buildroot
 fedora_required_images:
   - "fedora:latest"
 
-nm_controlled_resolv: True
+# docker images required by OpenShift Origin
+openshift_required_images:
+  - "openshift/origin-pod"
 
+nm_controlled_resolv: True

inventory/group_vars/osbsworker-masters-stg

@@ -0,0 +1,32 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 60000
+mem_size: 8192
+num_cpus: 2
+
+tcp_ports: [ 80, 443, 8443]
+
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+
+docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
+source_registry: "registry.stg.fedoraproject.org"
+docker_registry: "candidate-registry.stg.fedoraproject.org"
+
+osbs_url: "osbs.stg.fedoraproject.org"
+osbs_koji_username: "kojibuilder_stg"
+
+koji_url: "koji.stg.fedoraproject.org"
+
+osbs_client_conf_path: /etc/osbs.conf
+
+openshift_node_labels: {'region':'infra'}
+openshift_schedulable: False
+
+nagios_Check_Services:
+  nrpe: true
+  sshd: true
+  named: false
+  dhcpd: false
+  httpd: false
+  swap: false

inventory/group_vars/osbsworker-nodes-stg

@@ -0,0 +1,31 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 60000
+mem_size: 8192
+num_cpus: 2
+
+tcp_ports: [ 80, 443, 8443, 10250]
+
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+
+docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
+source_registry: "registry.stg.fedoraproject.org"
+docker_registry: "candidate-registry.stg.fedoraproject.org"
+
+osbs_url: "osbs.stg.fedoraproject.org"
+osbs_koji_username: "kojibuilder_stg"
+
+koji_url: "koji.stg.fedoraproject.org"
+
+osbs_client_conf_path: /etc/osbs.conf
+
+openshift_node_labels: {'region': 'primary', 'zone': 'default'}
+
+nagios_Check_Services:
+  nrpe: true
+  sshd: true
+  named: false
+  dhcpd: false
+  httpd: false
+  swap: false