[ansible] Remove hotfix for old fas
by Nicolas Chauvet
commit 27e33bcf6417aec0efc2aeb1a408088e5a5d53be
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Oct 27 12:13:41 2016 +0200
Remove hotfix for old fas
files/hotfix/python-fedora/fasClient | 632 -------------------
.../python-fedora/fasClient-init_groups_support | 651 --------------------
roles/fas_client/tasks/main.yml | 20 -
3 files changed, 0 insertions(+), 1303 deletions(-)
---
diff --git a/roles/fas_client/tasks/main.yml b/roles/fas_client/tasks/main.yml
index c442983..38c288f 100644
--- a/roles/fas_client/tasks/main.yml
+++ b/roles/fas_client/tasks/main.yml
@@ -28,26 +28,6 @@
- packages
- fas_client
-- name: hotfix for fas-client bis
- copy: >
- src={{files}}/hotfix/python-fedora/fasClient
- dest="/usr/bin/fasClient"
- owner=root group=root mode=0755
- when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int <= 6
- tags:
- - packages
- - fas_client
-
-- name: deploy hotfix on fasclient for rhel-based OS
- copy: >
- src={{files}}/hotfix/python-fedora/fasClient-init_groups_support
- dest="/usr/bin/fasclient"
- owner=root group=root mode=0755
- when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int >= 7
- tags:
- - fas_client
- - accounts
-
- name: install nss_db on rhel hosts only
yum: state=present name=nss_db
when: ansible_distribution_major_version|int == 6
[ansible] Switch to admin.rf.o
by Nicolas Chauvet
commit 76cbccae8afca9bf8a90b21a35e3dbdf11ae286b
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Oct 27 12:04:26 2016 +0200
Switch to admin.rf.o
roles/fas_client/templates/fas.conf.j2 | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/roles/fas_client/templates/fas.conf.j2 b/roles/fas_client/templates/fas.conf.j2
index 25793aa..08aed8d 100644
--- a/roles/fas_client/templates/fas.conf.j2
+++ b/roles/fas_client/templates/fas.conf.j2
@@ -1,6 +1,6 @@
[global]
; url - Location to fas server
-url = https://fas.rpmfusion.org/accounts/
+url = https://admin.rpmfusion.org/accounts/
; temp - Location to generate files while user creation process is happening
temp = /var/db
[ansible] Disable yubikey and update cert template
by Nicolas Chauvet
commit 371e7558e324791ce087932b59ea6113df0d0541
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Oct 27 12:03:27 2016 +0200
Disable yubikey and update cert template
roles/fas_server/templates/fas.cfg.j2 | 11 ++++-------
1 files changed, 4 insertions(+), 7 deletions(-)
---
diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2
index 1020a3c..9bf080b 100644
--- a/roles/fas_server/templates/fas.cfg.j2
+++ b/roles/fas_server/templates/fas.cfg.j2
@@ -211,13 +211,10 @@ mail.transport = 'smtp'
mail.manager = 'demand'
# Enable yubikeys
-yubi_server_prefix='http://localhost/yk-val/verify?id='
{% if env == "staging" %}
+yubi_server_prefix='http://localhost/yk-val/verify?id='
ykksm_db="postgres://ykksmimporter:{{ ykksmimporterPassword }}(a)db-fas01.stg/ykksm"
ykval_db="postgres://ykval_verifier:{{ ykval_verifierPassword }}(a)db-fas01.stg/ykval"
-{% else %}
-ykksm_db="postgres://ykksmimporter:{{ ykksmimporterPassword }}@db-ykksm/ykksm"
-ykval_db="postgres://ykval_verifier:{{ ykval_verifierPassword }}@db-ykval/ykval"
{% endif %}
# Enable or disable generation of SSL certificates for users
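Review bot: With the `{% else %}` branch removed and `yubi_server_prefix` moved inside the staging conditional, a production render leaves the `# Enable yubikeys` comment with no settings under it, and nothing visible in this hunk turns the feature itself off. If the template sets a yubikey enable flag elsewhere (not visible here), it should be forced off for non-staging in the same commit, so that a second-factor path is not left enabled with no validation server behind it. I would also reword the comment to `# Yubikey support (staging only; disabled in production)` so the rendered file states the intent. The staging URLs still carry the database passwords inline, so the rendered fas.cfg should stay readable only by the service account.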
@@ -230,9 +227,9 @@ openssl_expire = 15552000 # 60*60*24*180 = 6 months
openssl_ca_dir = "/var/lib/rpmfusion-ca"
openssl_ca_newcerts = "/var/lib/rpmfusion-ca/newcerts"
openssl_ca_index = "/var/lib/rpmfusion-ca/index.txt"
-openssl_c = "FR"
-openssl_st = "IDF"
-openssl_l = "Paris"
+openssl_c = "EU"
+openssl_st = "None"
+openssl_l = "Freeworld"
openssl_o = "RPM Fusion Project"
openssl_ou = "RPM Fusion User Cert"
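Review bot: `openssl_c = "EU"` and `openssl_st = "None"` put placeholder values into every user certificate subject: `EU` is only an exceptionally reserved ISO 3166 code rather than an assigned country, and `"None"` is emitted as the literal string, not as an absent attribute. If the CA configuration applies a `match` policy to countryName or stateOrProvinceName (not visible here), requests built with these values will be refused unless the CA certificate's own subject carries the same values, so the two need to change together. The same defaults are changed in the `req_distinguished_name` block of roles/fas_server/files/certhelper.py in the "Update CA files" commit, and both places must stay identical. A comment above these keys, for example `# subject fields must agree with the CA subject and the certhelper.py defaults`, would record that dependency.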
[ansible] Update gencert True
by Nicolas Chauvet
commit 6591d7b3b19ca7c307968e1ca024c912f2ab630b
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Oct 27 11:59:30 2016 +0200
Update gencert True
group_vars/fas | 2 +-
roles/pkgdb2/files/fas2.py | 829 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 830 insertions(+), 1 deletions(-)
---
diff --git a/group_vars/fas b/group_vars/fas
index 74bb607..a884380 100644
--- a/group_vars/fas
+++ b/group_vars/fas
@@ -19,7 +19,7 @@ tcp_ports: [ 80, 873, 8443, 8444 ]
fas_client_groups: sysadmin-main,sysadmin-accounts
master_fas_node: True
-gen_cert: False
+gen_cert: True
# A host group for rsync config
rsync_group: fas
diff --git a/roles/pkgdb2/files/fas2.py b/roles/pkgdb2/files/fas2.py
new file mode 100644
index 0000000..8649185
--- /dev/null
+++ b/roles/pkgdb2/files/fas2.py
@@ -0,0 +1,829 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2008-2012 Ricky Zhou, Red Hat, Inc.
+# This file is part of python-fedora
+#
+# python-fedora is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# python-fedora is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with python-fedora; if not, see <http://www.gnu.org/licenses/>
+#
+'''
+Provide a client module for talking to the Fedora Account System.
+
+
+.. moduleauthor:: Ricky Zhou <ricky(a)fedoraproject.org>
+.. moduleauthor:: Toshio Kuratomi <tkuratom(a)redhat.com>
+.. moduleauthor:: Ralph Bean <rbean(a)redhat.com>
+'''
+import itertools
+import urllib
+import warnings
+
+from bunch import Bunch
+from kitchen.text.converters import to_bytes
+
+try:
+ import libravatar
+except ImportError:
+ libravatar = None
+
+try:
+ from hashlib import md5
+except ImportError:
+ from md5 import new as md5
+
+from fedora.client import (
+ AppError, BaseClient, FasProxyClient,
+ FedoraClientError, FedoraServiceError
+)
+
+from fedora import __version__
+
+### FIXME: To merge:
+# /usr/bin/fasClient from fas
+# API from Will Woods
+# API from MyFedora
+
+
+class FASError(FedoraClientError):
+ '''FAS Error'''
+ pass
+
+
+class CLAError(FASError):
+ '''CLA Error'''
+ pass
+
+USERFIELDS = [
+ 'affiliation', 'bugzilla_email', 'certificate_serial',
+ 'comments', 'country_code', 'creation', 'email', 'emailtoken',
+ 'facsimile', 'gpg_keyid', 'human_name', 'id', 'internal_comments',
+ 'ircnick', 'latitude', 'last_seen', 'longitude', 'password',
+ 'password_changed', 'passwordtoken', 'postal_address', 'privacy',
+ 'locale', 'ssh_key', 'status', 'status_change', 'telephone',
+ 'unverified_email', 'timezone', 'username', 'security_question',
+ 'security_answer', ]
+
+
+class AccountSystem(BaseClient):
+ '''An object for querying the Fedora Account System.
+
+ The Account System object provides a python API for talking to the Fedora
+ Account System. It abstracts the http requests, cookie handling, and
+ other details so you can concentrate on the methods that are important to
+ your program.
+
+ .. warning::
+
+ If your code is trying to use the AccountSystem object to
+ connect to fas for multiple users you probably want to use
+ :class:`~fedora.client.FasProxyClient` instead. If your code is
+ trying to reuse a single instance of AccountSystem for multiple users
+ you *definitely* want to use :class:`~fedora.client.FasProxyClient`
+ instead. Using AccountSystem in these cases may result in a user
+ being logged in as a different user. (This may be the case even if
+ you instantiate a new AccountSystem object for each user if
+ :attr:cache_session: is True since that creates a file on the file
+ system that can end up loading session credentials for the wrong
+ person.
+
+ .. versionchanged:: 0.3.26
+ Added :meth:`~fedora.client.AccountSystem.gravatar_url` that returns
+ a url to a gravatar for a user.
+ .. versionchanged:: 0.3.33
+ Renamed :meth:`~fedora.client.AccountSystem.gravatar_url` to
+ :meth:`~fedora.client.AccountSystem.avatar_url`.
+ '''
+ # proxy is a thread-safe connection to the fas server for verifying
+ # passwords of other users
+ proxy = None
+
+ # size that we allow to request from remote avatar providers.
+ _valid_avatar_sizes = (32, 64, 140)
+ # URLs for remote avatar providers.
+ _valid_avatar_services = ['libravatar', 'gravatar']
+
+ def __init__(self, base_url='https://admin.rpmfusion.org/accounts/',
+ *args, **kwargs):
+ '''Create the AccountSystem client object.
+
+ :kwargs base_url: Base of every URL used to contact the server.
+ Defaults to the Fedora Project FAS instance.
+ :kwargs useragent: useragent string to use. If not given, default to
+ "Fedora Account System Client/VERSION"
+ :kwargs debug: If True, log debug information
+ :kwargs username: username for establishing authenticated connections
+ :kwargs password: password to use with authenticated connections
+ :kwargs session_cookie: **Deprecated** Use session_id instead.
+ User's session_cookie to connect to the server
+ :kwargs session_id: user's session_id to connect to the server
+ :kwargs cache_session: if set to true, cache the user's session cookie
+ on the filesystem between runs.
+ '''
+ if 'useragent' not in kwargs:
+ kwargs['useragent'] = \
+ 'Fedora Account System Client/%s' % __version__
+
+ super(AccountSystem, self).__init__(base_url, *args, **kwargs)
+ # We need a single proxy for the class to verify username/passwords
+ # against.
+ if not self.proxy:
+ self.proxy = FasProxyClient(base_url, useragent=self.useragent,
+ session_as_cookie=False,
+ debug=self.debug,
+ insecure=self.insecure)
+
+ # Preseed a list of FAS accounts with bugzilla addresses
+ # This allows us to specify a different email for bugzilla than is
+ # in the FAS db. It is a hack, however, until FAS has a field for the
+ # bugzilla address.
+ self.__bugzilla_email = {
+ # Nicolas Chauvet
+ 160404: 'ctubbsii(a)fedoraproject.org',
+ }
+ # A few people have an email account that is used in owners.list but
+ # have setup a bugzilla account for their primary account system email
+ # address now. Map these here.
+ self.__alternate_email = {
+ # Damien Durand: splinux25(a)gmail.com
+ 'splinux(a)fedoraproject.org': 100406,
+ # Kevin Fenzi: kevin(a)tummy.com
+ 'kevin-redhat-bugzilla(a)tummy.com': 100037,
+ }
+ for bugzilla_map in self.__bugzilla_email.items():
+ self.__alternate_email[bugzilla_map[1]] = bugzilla_map[0]
+
+ # We use the two mappings as follows::
+ # When looking up a user by email, use __alternate_email.
+ # When looking up a bugzilla email address use __bugzilla_email.
+ #
+ # This allows us to parse in owners.list and have a value for all the
+ # emails in there while not using the alternate email unless it is
+ # the only option.
+
+ # TODO: Use exceptions properly
+
+ ### Set insecure properly ###
+ # When setting insecure, we have to set it both on ourselves and on
+ # self.proxy
+ def _get_insecure(self):
+ return self._insecure
+
+ def _set_insecure(self, insecure):
+ self._insecure = insecure
+ self.proxy = FasProxyClient(self.base_url, useragent=self.useragent,
+ session_as_cookie=False, debug=self.debug,
+ insecure=insecure)
+ return insecure
+ #: If this attribute is set to True, do not check server certificates
+ #: against their CA's. This means that man-in-the-middle attacks are
+ #: possible. You might turn this option on for testing against a local
+ #: version of a server with a self-signed certificate but it should be off
+ #: in production.
+ insecure = property(_get_insecure, _set_insecure)
+
+ ### Groups ###
+
+ def create_group(self, name, display_name, owner, group_type,
+ invite_only=0, needs_sponsor=0, user_can_remove=1,
+ prerequisite='', joinmsg='', apply_rules='None'):
+ '''Creates a FAS group.
+
+ :arg name: The short group name (alphanumeric only).
+ :arg display_name: A longer version of the group's name.
+ :arg owner: The username of the FAS account which owns the new group.
+ :arg group_type: The kind of group being created. Current valid options
+ are git, svn, hg, shell, and tracking.
+ :kwarg invite_only: Users must be invited to the group, they cannot
+ join on their own.
+ :kwarg needs_sponsor: Users must be sponsored into the group.
+ :kwarg user_can_remove: Users can remove themselves from the group.
+ :kwarg prerequisite: Users must be in the given group (string) before
+ they can join the new group.
+ :kwarg joinmsg: A message shown to users when they apply to the group.
+ :kwarg apply_rules: Rules for applying to the group, shown to users
+ before they apply.
+ :rtype: :obj:`bunch.Bunch`
+ :returns: A Bunch containing information about the group that was
+ created.
+
+ .. versionadded:: 0.3.29
+ '''
+ req_params = {
+ 'invite_only': invite_only,
+ 'needs_sponsor': needs_sponsor,
+ 'user_can_remove': user_can_remove,
+ 'prerequisite': prerequisite,
+ 'joinmsg': joinmsg,
+ 'apply_rules': apply_rules
+ }
+
+ request = self.send_request(
+ '/group/create/%s/%s/%s/%s' % (
+ urllib.quote(name),
+ urllib.quote(display_name),
+ urllib.quote(owner),
+ urllib.quote(group_type)),
+ req_params=req_params,
+ auth=True
+ )
+ return request
+
+ def group_by_id(self, group_id):
+ '''Returns a group object based on its id'''
+ params = {'group_id': int(group_id)}
+ request = self.send_request(
+ 'json/group_by_id',
+ auth=True,
+ req_params=params
+ )
+ if request['success']:
+ return request['group']
+ else:
+ return dict()
+
+ def group_by_name(self, groupname):
+ '''Returns a group object based on its name'''
+ params = {'groupname': groupname}
+ request = self.send_request(
+ 'json/group_by_name',
+ auth=True,
+ req_params=params
+ )
+ if request['success']:
+ return request['group']
+ else:
+ raise AppError(
+ message='FAS server unable to retrieve group'
+ ' %(group)s' % {'group': to_bytes(groupname)},
+ name='FASError')
+
+ def group_members(self, groupname):
+ '''Return a list of people approved for a group.
+
+ This method returns a list of people who are in the requested group.
+ The people are all approved in the group. Unapproved people are not
+ shown. The format of data is::
+
+ \[{'username': 'person1', 'role_type': 'user'},
+ \{'username': 'person2', 'role_type': 'sponsor'}]
+
+ role_type can be one of 'user', 'sponsor', or 'administrator'.
+
+ .. versionadded:: 0.3.2
+ .. versionchanged:: 0.3.21
+ Return a Bunch instead of a DictContainer
+ '''
+ request = self.send_request('/group/dump/%s' %
+ urllib.quote(groupname), auth=True)
+
+ return [Bunch(username=user[0],
+ role_type=user[3]) for user in request['people']]
+
+ ### People ###
+
+ def person_by_id(self, person_id):
+ '''Returns a person object based on its id'''
+ person_id = int(person_id)
+ params = {'person_id': person_id}
+ request = self.send_request('json/person_by_id', auth=True,
+ req_params=params)
+
+ if request['success']:
+ if person_id in self.__bugzilla_email:
+ request['person']['bugzilla_email'] = \
+ self.__bugzilla_email[person_id]
+ else:
+ request['person']['bugzilla_email'] = \
+ request['person']['email']
+
+ # In a devel version of FAS, membership info was returned
+ # separately
+ # This was later corrected (can remove this code at some point)
+ if 'approved' in request:
+ request['person']['approved_memberships'] = request['approved']
+ if 'unapproved' in request:
+ request['person']['unapproved_memberships'] = \
+ request['unapproved']
+ return request['person']
+ else:
+ return dict()
+
+ def person_by_username(self, username):
+ '''Returns a person object based on its username'''
+ params = {'username': username}
+ request = self.send_request(
+ 'json/person_by_username',
+ auth=True,
+ req_params=params)
+
+ if request['success']:
+ person = request['person']
+ if person['id'] in self.__bugzilla_email:
+ person['bugzilla_email'] = self.__bugzilla_email[person['id']]
+ else:
+ person['bugzilla_email'] = person['email']
+ # In a devel version of FAS, membership info was returned
+ # separately
+ # This was later corrected (can remove this code at some point)
+ if 'approved' in request:
+ request['person']['approved_memberships'] = request['approved']
+ if 'unapproved' in request:
+ request['person']['unapproved_memberships'] = \
+ request['unapproved']
+ return person
+ else:
+ return dict()
+
+ def avatar_url(self, username, size=64,
+ default=None, lookup_email=True,
+ service=None):
+ ''' Returns a URL to an avatar for a given username.
+
+ Avatars are drawn from third party services.
+
+ :arg username: FAS username to construct a avatar url for
+ :kwarg size: size of the avatar. Allowed sizes are 32, 64, 140.
+ Default: 64
+ :kwarg default: If the service does not have a avatar image for the
+ email address, this url is returned instead. Default:
+ the fedora logo at the specified size.
+ :kwarg lookup_email: If true, use the email from FAS for gravatar.com
+ lookups, otherwise just append @fedoraproject.org to the username.
+ For libravatar.org lookups, this is ignored. The openid identifier
+ of the user is used instead.
+ Note that gravatar.com lookups will be much slower if lookup_email
+ is set to True since we'd have to make a query against FAS itself.
+ :kwarg service: One of 'libravatar' or 'gravatar'.
+ Default: 'libravatar'.
+ :raises ValueError: if the size parameter is not allowed or if the
+ service is not one of 'libravatar' or 'gravatar'
+ :rtype: :obj:`str`
+ :returns: url of a avatar for the user
+
+ If that user has no avatar entry, instruct the remote service to
+ redirect us to the Fedora logo.
+
+ If that user has no email attribute, then make a fake request to
+ the third party service.
+
+ .. versionadded:: 0.3.26
+ .. versionchanged: 0.3.30
+ Add lookup_email parameter to control whether we generate avatar
+ urls with the email in fas or username(a)fedoraproject.org
+ .. versionchanged: 0.3.33
+ Renamed from `gravatar_url` to `avatar_url`
+ .. versionchanged: 0.3.34
+ Updated libravatar to use the user's openid identifier.
+ '''
+
+ if size not in self._valid_avatar_sizes:
+ raise ValueError(
+ 'Size %(size)i disallowed. Must be in %(valid_sizes)r' % {
+ 'size': size,
+ 'valid_sizes': self._valid_avatar_sizes
+ }
+ )
+
+ # If our caller explicitly requested libravatar but they don't have
+ # it installed, then we need to raise a nice error and let them know.
+ if service == 'libravatar' and not libravatar:
+ raise ValueError("Install python-pylibravatar if you want to "
+ "use libravatar as an avatar provider.")
+
+ # If our caller didn't specify a service, let's pick a one for them.
+ # If they have pylibravatar installed, then by all means let freedom
+ # ring! Otherwise, we'll use gravatar.com if we have to.
+ if not service:
+ if libravatar:
+ service = 'libravatar'
+ else:
+ service = 'gravatar'
+
+ # Just double check to make sure they didn't pass us a bogus service.
+ if service not in self._valid_avatar_services:
+ raise ValueError(
+ 'Service %(service)r disallowed. '
+ 'Must be in %(valid_services)r' % {
+ 'service': service,
+ 'valid_services': self._valid_avatar_services
+ }
+ )
+
+ if not default:
+ default = "http://fedoraproject.org/static/images/" + \
+ "fedora_infinity_%ix%i.png" % (size, size)
+
+ if service == 'libravatar':
+ openid = 'http://%s.id.fedoraproject.org/' % username
+ return libravatar.libravatar_url(
+ openid=openid,
+ size=size,
+ default=default,
+ )
+ else:
+ if lookup_email:
+ person = self.person_by_username(username)
+ email = person.get('email', 'no_email')
+ else:
+ email = "%s(a)rpmfusion.org" % username
+
+ query_string = urllib.urlencode({
+ 's': size,
+ 'd': default,
+ })
+
+ hash = md5(email).hexdigest()
+
+ return "http://www.gravatar.com/avatar/%s?%s" % (
+ hash, query_string)
+
+ def gravatar_url(self, *args, **kwargs):
+ """ *Deprecated* - Use avatar_url.
+
+ .. versionadded:: 0.3.26
+ .. versionchanged: 0.3.30
+ Add lookup_email parameter to control whether we generate gravatar
+ urls with the email in fas or username(a)fedoraproject.org
+ .. versionchanged: 0.3.33
+ Deprecated in favor of `avatar_url`.
+ """
+
+ warnings.warn(
+ "gravatar_url is deprecated and will be removed in"
+ " a future version. Please port your code to use avatar_url(...,"
+ " service='libravatar', ...) instead",
+ DeprecationWarning, stacklevel=2)
+
+ if 'service' in kwargs:
+ raise TypeError("'service' is an invalid keyword argument for"
+ " this function. Use avatar_url() instead)")
+
+ return self.avatar_url(*args, service='gravatar', **kwargs)
+
+ def user_id(self):
+ '''Returns a dict relating user IDs to usernames'''
+ request = self.send_request('json/user_id', auth=True)
+ people = {}
+ for person_id, username in request['people'].items():
+ # change userids from string back to integer
+ people[int(person_id)] = username
+ return people
+
+ def people_by_key(self, key=u'username', search=u'*', fields=None):
+ '''Return a dict of people
+
+ :kwarg key: Key by this field. Valid values are 'id', 'username', or
+ 'email'. Default is 'username'
+ :kwarg search: Pattern to match usernames against. Defaults to the
+ '*' wildcard which matches everyone.
+ :kwarg fields: Limit the data returned to a specific list of fields.
+ The default is to retrieve all fields.
+ Valid fields are:
+
+ * affiliation
+ * alias_enabled
+ * bugzilla_email
+ * certificate_serial
+ * comments
+ * country_code
+ * creation
+ * email
+ * emailtoken
+ * facsimile
+ * gpg_keyid
+ * group_roles
+ * human_name
+ * id
+ * internal_comments
+ * ircnick
+ * last_seen
+ * latitude
+ * locale
+ * longitude
+ * memberships
+ * old_password
+ * password
+ * password_changed
+ * passwordtoken
+ * postal_address
+ * privacy
+ * roles
+ * ssh_key
+ * status
+ * status_change
+ * telephone
+ * timezone
+ * unverified_email
+ * username
+
+ Note that for most users who access this data, many of these
+ fields will be set to None due to security or privacy settings.
+ :returns: a dict relating the key value to the fields.
+
+ .. versionchanged:: 0.3.21
+ Return a Bunch instead of a DictContainer
+ .. versionchanged:: 0.3.26
+ Fixed to return a list with both people who have signed the CLA
+ and have not
+ '''
+ # Make sure we have a valid key value
+ if key not in ('id', 'username', 'email'):
+ raise KeyError('key must be one of "id", "username", or'
+ ' "email"')
+
+ if fields:
+ fields = list(fields)
+ for field in fields:
+ if field not in USERFIELDS:
+ raise KeyError('%(field)s is not a valid field to'
+ ' filter' % {'field': to_bytes(field)})
+ else:
+ fields = USERFIELDS
+
+ # Make sure we retrieve the key value
+ unrequested_fields = []
+ if key not in fields:
+ unrequested_fields.append(key)
+ fields.append(key)
+ if 'bugzilla_email' in fields:
+ # Need id and email for the bugzilla information
+ if 'id' not in fields:
+ unrequested_fields.append('id')
+ fields.append('id')
+ if 'email' not in fields:
+ unrequested_fields.append('email')
+ fields.append('email')
+
+ request = self.send_request(
+ '/user/list',
+ req_params={
+ 'search': search,
+ 'fields': [f for f in fields if f != 'bugzilla_email']
+ },
+ auth=True)
+
+ people = Bunch()
+ for person in itertools.chain(request['people'],
+ request['unapproved_people']):
+ # Retrieve bugzilla_email from our list if necessary
+ if 'bugzilla_email' in fields:
+ if person['id'] in self.__bugzilla_email:
+ person['bugzilla_email'] = \
+ self.__bugzilla_email[person['id']]
+ else:
+ person['bugzilla_email'] = person['email']
+
+ person_key = person[key]
+ # Remove any fields that weren't requested by the user
+ if unrequested_fields:
+ for field in unrequested_fields:
+ del person[field]
+
+ # Add the person record to the people dict
+ people[person_key] = person
+
+ return people
+
+ def people_by_id(self):
+ '''*Deprecated* Use people_by_key() instead.
+
+ Returns a dict relating user IDs to human_name, email, username,
+ and bugzilla email
+
+ .. versionchanged:: 0.3.21
+ Return a Bunch instead of a DictContainer
+ '''
+ warnings.warn(
+ "people_by_id() is deprecated and will be removed in"
+ " 0.4. Please port your code to use people_by_key(key='id',"
+ " fields=['human_name', 'email', 'username', 'bugzilla_email'])"
+ " instead", DeprecationWarning, stacklevel=2)
+
+ request = self.send_request('/json/user_id', auth=True)
+ user_to_id = {}
+ people = Bunch()
+ for person_id, username in request['people'].items():
+ person_id = int(person_id)
+ # change userids from string back to integer
+ people[person_id] = {'username': username, 'id': person_id}
+ user_to_id[username] = person_id
+
+ # Retrieve further useful information about the users
+ request = self.send_request('/group/dump', auth=True)
+ for user in request['people']:
+ userid = user_to_id[user[0]]
+ person = people[userid]
+ person['email'] = user[1]
+ person['human_name'] = user[2]
+ if userid in self.__bugzilla_email:
+ person['bugzilla_email'] = self.__bugzilla_email[userid]
+ else:
+ person['bugzilla_email'] = person['email']
+
+ return people
+
+ ### Utils ###
+
+ def people_by_groupname(self, groupname):
+ '''Return a list of persons for the given groupname.
+
+ :arg groupname: Name of the group to look up
+ :returns: A list of person objects from the group. If the group
+ contains no entries, then an empty list is returned.
+ '''
+ people = self.people_by_id()
+ group = dict(self.group_by_name(groupname))
+ userids = [user[u'person_id'] for user in
+ group[u'approved_roles'] + group[u'unapproved_roles']]
+ return [people[userid] for userid in userids]
+
+ ### Configs ###
+
+ def get_config(self, username, application, attribute):
+ '''Return the config entry for the key values.
+
+ :arg username: Username of the person
+ :arg application: Application for which the config is set
+ :arg attribute: Attribute key to lookup
+ :raises AppError: if the server returns an exception
+ :returns: The unicode string that describes the value. If no entry
+ matched the username, application, and attribute then None is
+ returned.
+ '''
+ request = self.send_request('config/list/%s/%s/%s' %
+ (username, application, attribute),
+ auth=True)
+ if 'exc' in request:
+ raise AppError(
+ name=request['exc'],
+ message=request['tg_flash']
+ )
+
+ # Return the value if it exists, else None.
+ if 'configs' in request and attribute in request['configs']:
+ return request['configs'][attribute]
+ return None
+
+ def get_configs_like(self, username, application, pattern=u'*'):
+ '''Return the config entries that match the keys and the pattern.
+
+ Note: authentication on the server will prevent anyone but the user
+ or a fas admin from viewing or changing their configs.
+
+ :arg username: Username of the person
+ :arg application: Application for which the config is set
+ :kwarg pattern: A pattern to select values for. This accepts * as a
+ wildcard character. Default='*'
+ :raises AppError: if the server returns an exception
+ :returns: A dict mapping ``attribute`` to ``value``.
+ '''
+ request = self.send_request(
+ 'config/list/%s/%s/%s' %
+ (username, application, pattern),
+ auth=True)
+ if 'exc' in request:
+ raise AppError(
+ name=request['exc'],
+ message=request['tg_flash'])
+
+ return request['configs']
+
+ def set_config(self, username, application, attribute, value):
+ '''Set a config entry in FAS for the user.
+
+ Note: authentication on the server will prevent anyone but the user
+ or a fas admin from viewing or changing their configs.
+
+ :arg username: Username of the person
+ :arg application: Application for which the config is set
+ :arg attribute: The name of the config key that we're setting
+ :arg value: The value to set this to
+ :raises AppError: if the server returns an exception
+ '''
+ request = self.send_request(
+ 'config/set/%s/%s/%s' %
+ (username, application, attribute),
+ req_params={'value': value}, auth=True)
+
+ if 'exc' in request:
+ raise AppError(
+ name=request['exc'],
+ message=request['tg_flash'])
+
+ def people_query(self, constraints=None, columns=None):
+ '''Returns a list of dicts representing database rows
+
+ :arg constraints: A dictionary specifying WHERE constraints on columns
+ :arg columns: A list of columns to be selected in the query
+ :raises AppError: if the query failed on the server (most likely
+ because the server was given a bad query)
+ :returns: A list of dicts representing database rows (the keys of
+ the dict are the columns requested)
+
+ .. versionadded:: 0.3.12.1
+ '''
+ if constraints is None:
+ constraints = {}
+ if columns is None:
+ columns = []
+
+ req_params = {}
+ req_params.update(constraints)
+ req_params['columns'] = ','.join(columns)
+
+ try:
+ request = self.send_request(
+ 'json/people_query',
+ req_params=req_params, auth=True)
+ if request['success']:
+ return request['data']
+ else:
+ raise AppError(message=request['error'], name='FASError')
+ except FedoraServiceError:
+ raise
+
+ ### Certs ###
+
+ def user_gencert(self):
+ '''Generate a cert for a user'''
+ try:
+ request = self.send_request('user/dogencert', auth=True)
+ except FedoraServiceError:
+ raise
+ if not request['cla']:
+ raise CLAError
+ return "%(cert)s\n%(key)s" % request
+
+ ### Passwords ###
+
+ def verify_password(self, username, password):
+ '''Return whether the username and password pair are valid.
+
+ :arg username: username to try authenticating
+ :arg password: password for the user
+ :returns: True if the username/password are valid. False otherwise.
+ '''
+ return self.proxy.verify_password(username, password)
+
+ ### fasClient Special Methods ###
+
+ def group_data(self, force_refresh=None):
+ '''Return administrators/sponsors/users and group type for all groups
+
+ :arg force_refresh: If true, the returned data will be queried from the
+ database, as opposed to memcached.
+ :raises AppError: if the query failed on the server
+ :returns: A dict mapping group names to the group type and the
+ user IDs of the administrator, sponsors, and users of the group.
+
+ .. versionadded:: 0.3.8
+ '''
+ params = {}
+ if force_refresh:
+ params['force_refresh'] = True
+
+ try:
+ request = self.send_request(
+ 'json/fas_client/group_data',
+ req_params=params, auth=True)
+ if request['success']:
+ return request['data']
+ else:
+ raise AppError(
+ message='FAS server unable to retrieve'
+ ' group members', name='FASError')
+ except FedoraServiceError:
+ raise
+
+ def user_data(self):
+ '''Return user data for all users in FAS
+
+ Note: If the user is not authorized to see password hashes,
+ '*' is returned for the hash.
+
+ :raises AppError: if the query failed on the server
+ :returns: A dict mapping user IDs to a username, password hash,
+ SSH public key, email address, and status.
+
+ .. versionadded:: 0.3.8
+ '''
+ try:
+ request = self.send_request('json/fas_client/user_data', auth=True)
+ if request['success']:
+ return request['data']
+ else:
+ raise AppError(
+ message='FAS server unable to retrieve user'
+ ' information', name='FASError')
+ except FedoraServiceError:
+ raise
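Review bot: `get_config`, `get_configs_like` and `set_config` format `username`, `application` and `attribute`/`pattern` straight into the request path with `auth=True`, so a value containing `/`, `?` or `#` changes which FAS endpoint receives the authenticated request; `create_group` and `group_members` in the same file already quote their path segments. Each segment should be escaped before formatting, e.g. `'config/list/%s/%s/%s' % tuple(urllib.quote(p, safe='') for p in (username, application, attribute))`. Separately, the copy is only partly adapted to RPM Fusion: `__bugzilla_email` maps id 160404 to a fedoraproject.org address under a comment naming a different person, `__alternate_email` keeps what look like Fedora account ids, and `avatar_url` still builds its OpenID and default image from fedoraproject.org over plain http. Those ids presumably refer to Fedora FAS accounts, so on this instance they could attach someone else's bugzilla address to an unrelated account and are better removed. Because this is a locally modified copy of python-fedora's module, a header comment listing the local changes would make later resyncs safer.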
[ansible] Update export bz
by Nicolas Chauvet
commit 5d9e37290019b08cd36549c56e0c8c0ddb10b506
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Oct 27 10:55:05 2016 +0200
Update export bz
roles/fas_server/tasks/main.yml | 14 +++++++-------
1 files changed, 7 insertions(+), 7 deletions(-)
---
diff --git a/roles/fas_server/tasks/main.yml b/roles/fas_server/tasks/main.yml
index 6120681..081a2b9 100644
--- a/roles/fas_server/tasks/main.yml
+++ b/roles/fas_server/tasks/main.yml
@@ -217,12 +217,12 @@
- config
- fas
-#- name: install /var/lib/rpmfusion-ca/.rnd file
-# file: path=/var/lib/rpmfusion-ca/.rnd owner=fas group=fas mode=0600 setype=httpd_sys_content_t
-# when: master_fas_node == True
-# tags:
-# - config
-# - fas
+- name: install /var/lib/rpmfusion-ca/.rnd file
+ file: path=/var/lib/rpmfusion-ca/.rnd owner=fas group=fas mode=0600 setype=httpd_sys_content_t
+ when: master_fas_node == True
+ tags:
+ - config
+ - fas
- name: setup /var/lib/rpmfusion-ca/newcerts directory
file: path=/var/lib/rpmfusion-ca/newcerts owner=fas group=fas mode=0700 state=directory
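Review bot: The re-enabled `.rnd` task calls `file:` with no `state`, so it only adjusts owner, mode and SELinux type on an existing file and, as far as I know, fails on Ansible releases of this period when /var/lib/rpmfusion-ca/.rnd is absent; nothing in this hunk creates the file or its parent directory first. If the task is meant to create the file, add `state=touch` (accepting that it reports "changed" on each run) or precede it with a `copy: content="" force=no` task, and make sure the directory task runs before it. `httpd_sys_content_t` is normally a read-only type for the web server, so if OpenSSL running under httpd has to rewrite the seed file the type may need to be the read-write variant; that is worth confirming against the audit log on the first certificate request. The newcerts task that follows continues outside the hunk.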
@@ -377,7 +377,7 @@
- name: run export-bugzilla program
cron: >
name="export-bugzilla"
- job="cd /etc; MAILTO=root; /usr/sbin/export-bugzilla fedorabugs fedora_contrib"
+ job="cd /etc; MAILTO=root; /usr/sbin/export-bugzilla rpmfusionbugs rpmfusion_contrib"
user="fas"
minute="10"
when: master_fas_node == True
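Review bot: `MAILTO=root;` inside the `job` string on the changed line is a plain shell assignment that is never exported, so it neither reaches `export-bugzilla` nor tells cron where to send output; cron only honours `MAILTO` as a crontab variable. If root should receive the job's output, set it with a separate `cronvar: name="MAILTO" value="root" user="fas"` task and reduce the job to `job="cd /etc && /usr/sbin/export-bugzilla rpmfusionbugs rpmfusion_contrib"`. The `&&` also stops the export from running in the wrong directory when `cd` fails. The task continues past the end of the hunk.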
[ansible] Update CA files
by Nicolas Chauvet
commit e357157c9bf7564ff1e6677d79ee8c1d0b7cdfdc
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Oct 27 10:37:38 2016 +0200
Update CA files
.../{Makefile.fedora-ca => Makefile.rpmfusion-ca} | 0
roles/fas_server/files/certhelper.py | 6 ++--
roles/fas_server/files/ipa.staging.pem | 23 --------------------
...openssl.cnf => rpmfusion-ca-client-openssl.cnf} | 6 ++--
4 files changed, 6 insertions(+), 29 deletions(-)
---
diff --git a/roles/fas_server/files/Makefile.fedora-ca b/roles/fas_server/files/Makefile.rpmfusion-ca
similarity index 100%
rename from roles/fas_server/files/Makefile.fedora-ca
rename to roles/fas_server/files/Makefile.rpmfusion-ca
diff --git a/roles/fas_server/files/certhelper.py b/roles/fas_server/files/certhelper.py
index caa0519..ce9b7a6 100755
--- a/roles/fas_server/files/certhelper.py
+++ b/roles/fas_server/files/certhelper.py
@@ -195,15 +195,15 @@ string_mask = MASK:0x2002
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-countryName_default = FR
+countryName_default = EU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = IDF
+stateOrProvinceName_default = None
localityName = Locality Name (eg, city)
-localityName_default = Paris
+localityName_default = Freeworld
0.organizationName = Organization Name (eg, company)
0.organizationName_default = RPM Fusion Project
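Review bot: `stateOrProvinceName_default = None` is read by OpenSSL as the literal string `None`, so every request generated with the defaults will carry `ST=None` in its subject instead of leaving the attribute out. If the intent is to omit the state, drop the `stateOrProvinceName` and `stateOrProvinceName_default` lines from `[ req_distinguished_name ]`. `EU` is an exceptionally reserved ISO 3166-1 code rather than an assigned country code. If the CA policy section (not shown in the hunk) uses `match` for `countryName` or `stateOrProvinceName`, requests built from the new defaults will not match a CA certificate issued under the old `FR`/`IDF` values. The same three lines are changed in `rpmfusion-ca-client-openssl.cnf` below.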
diff --git a/roles/fas_server/files/fedora-ca-client-openssl.cnf b/roles/fas_server/files/rpmfusion-ca-client-openssl.cnf
similarity index 99%
rename from roles/fas_server/files/fedora-ca-client-openssl.cnf
rename to roles/fas_server/files/rpmfusion-ca-client-openssl.cnf
index 2adf8d3..c586936 100644
--- a/roles/fas_server/files/fedora-ca-client-openssl.cnf
+++ b/roles/fas_server/files/rpmfusion-ca-client-openssl.cnf
@@ -125,15 +125,15 @@ string_mask = MASK:0x2002
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-countryName_default = FR
+countryName_default = EU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = IDF
+stateOrProvinceName_default = None
localityName = Locality Name (eg, city)
-localityName_default = Paris
+localityName_default = Freeworld
0.organizationName = Organization Name (eg, company)
0.organizationName_default = RPM Fusion Project
[ansible] Fixup bugzilla URL
by Nicolas Chauvet
commit 7c0b77bd9edbb51ba7abc8fdebe2ad15b60aad50
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Oct 27 10:25:40 2016 +0200
Fixup bugzilla URL
roles/fas_server/files/export-bugzilla | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/roles/fas_server/files/export-bugzilla b/roles/fas_server/files/export-bugzilla
index 25c3e1c..1a4f6d3 100644
--- a/roles/fas_server/files/export-bugzilla
+++ b/roles/fas_server/files/export-bugzilla
@@ -28,7 +28,7 @@ turbogears.update_config(configfile=cfgfile)
from turbogears.database import session
from fas.model import BugzillaQueue
-BZSERVER = config.get('bugzilla.url', 'https://bugzilla.rpmfusion.org/bugzilla-cvs/xmlrpc.cgi')
+BZSERVER = config.get('bugzilla.url', 'https://bugzilla.rpmfusion.org/xmlrpc.cgi')
BZUSER = config.get('bugzilla.username')
BZPASS = config.get('bugzilla.password')
MAILSERVER = config.get('mail.server', 'localhost')
[puppet] Add kwizart_2011 ssh key
by Nicolas Chauvet
commit e347e1c7e69916f901bff93974e2c04b5ddbcafa
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Oct 27 10:15:26 2016 +0200
Add kwizart_2011 ssh key
manifests/site.pp | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
---
diff --git a/manifests/site.pp b/manifests/site.pp
index 7eb2a08..3cdb8ad 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -22,6 +22,7 @@ file { "/root/.ssh/authorized_keys":
# WARNING: Do not manually edit it here, all changes will be discarded.
ssh-rsa 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 matthias
ssh-dss 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 xavier
+ssh-rsa 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 kwizart_2011
',
}
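Review bot: The added `kwizart_2011` line gives that key unrestricted root login, and nothing in the manifest records whose key it is or when it should be rotated. A comment line above the entry, such as `# kwizart_2011: Nicolas Chauvet, added 2016-10`, would make later audits of `/root/.ssh/authorized_keys` easier. The suffix suggests the key pair dates from 2011, so confirm it is at least 2048-bit RSA. The `file` resource starts above the hunk.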
[ansible] Upate to packager group
by Nicolas Chauvet
commit 6e44d250cddec6151cfd928f74c58b100269b796
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Oct 14 23:42:07 2016 +0200
Update to packager group
group_vars/pkgs | 4 ++--
roles/bodhi2/base/templates/production.ini.j2 | 3 +--
roles/distgit/files/dist-git-upload.cgi | 2 +-
roles/distgit/tasks/main.yml | 18 +++++++++---------
roles/distgit/templates/genacls.sh | 2 +-
roles/fas_server/templates/fas.cfg.j2 | 2 +-
6 files changed, 15 insertions(+), 16 deletions(-)
---
diff --git a/group_vars/pkgs b/group_vars/pkgs
index f151d00..4f5d451 100644
--- a/group_vars/pkgs
+++ b/group_vars/pkgs
@@ -14,7 +14,7 @@ fas_client_admin_app: HOME=/srv/git /usr/share/gitolite3/gitolite-shell -s {user
fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-build"
admin_groups: "@sysadmin-build"
-git_group: cvsextras
+git_group: packager
git_port: 9418
git_server: /usr/libexec/git-core/git-daemon
git_server_args: --export-all --syslog --inetd --verbose
@@ -51,7 +51,7 @@ fedmsg_certs:
- logger.log
- service: scm
owner: root
- group: cvsextras
+ group: packager
can_send:
- git.receive
- service: lookaside
diff --git a/roles/bodhi2/base/templates/production.ini.j2 b/roles/bodhi2/base/templates/production.ini.j2
index b9f03e3..7e6a394 100644
--- a/roles/bodhi2/base/templates/production.ini.j2
+++ b/roles/bodhi2/base/templates/production.ini.j2
@@ -377,8 +377,7 @@ important_groups = proventesters provenpackager releng security_respons packager
admin_packager_groups = provenpackager releng
# User must be a member of this group to submit updates
-#mandatory_packager_groups = packager
-mandatory_packager_groups = cvsextras
+mandatory_packager_groups = packager
##
## updateinfo.xml configuraiton
diff --git a/roles/distgit/files/dist-git-upload.cgi b/roles/distgit/files/dist-git-upload.cgi
index 9ba9d98..e8f73c8 100755
--- a/roles/distgit/files/dist-git-upload.cgi
+++ b/roles/distgit/files/dist-git-upload.cgi
@@ -28,7 +28,7 @@ GITREPO = '/srv/git/repositories'
CACHE_DIR = '/srv/cache/lookaside/pkgs'
# Fedora Packager Group
-PACKAGER_GROUP = 'cvsextras'
+PACKAGER_GROUP = 'packager'
def send_error(text, status='500 Internal Server Error'):
"""Send an error back to the client
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index f8eedb9..8deaec9 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -54,11 +54,11 @@
- selinux
- name: create the distgit root directory (/srv/git/repositories)
- file: dest=/srv/git/repositories state=directory mode=2775 group=cvsextras
+ file: dest=/srv/git/repositories state=directory mode=2775 group=packager
# These should all map to pkgdb namespaces
- name: create our namespace directories inside there..
- file: dest=/srv/git/repositories/{{item}} state=directory mode=2775 group=cvsextras
+ file: dest=/srv/git/repositories/{{item}} state=directory mode=2775 group=packager
with_items:
- free
- nonfree
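Review bot: These `file` tasks set `group=packager` only on the directories they name, so repositories and files that already exist under `/srv/git/repositories` keep the old `cvsextras` group after the change is applied; the setgid bit in `mode=2775` affects newly created entries only. On an existing host, members of `packager` who are not also in `cvsextras` may be unable to write to existing repositories, while `cvsextras` members keep their access. A one-off `chgrp -R packager /srv/git/repositories` (or `recurse=yes` on the first run) should accompany the rename. The same applies to the `/var/log/gitolite`, `/etc/gitolite/logs`, `/etc/gitolite/local/VREF` and hooks tasks changed further down in this file.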
@@ -101,7 +101,7 @@
# -- Gitolite --------------------------------------------
# This is the permission management for package maintainers, using Gitolite.
- name: create the /var/log/gitolite directory
- file: path=/var/log/gitolite owner=root group=cvsextras state=directory mode=2775
+ file: path=/var/log/gitolite owner=root group=packager state=directory mode=2775
- name: create the gen-acls group
group: name=gen-acls gid=417 state=present
@@ -112,7 +112,7 @@
comment="dummy system account for the gen-acls fedmsg job"
uid=417
group=gen-acls
- groups=cvsextras
+ groups=packager
shell=/bin/bash
home=/srv/git
@@ -120,11 +120,11 @@
file: path=/etc/gitolite/conf owner=gen-acls group=gen-acls state=directory mode=0755
- name: create the /etc/gitolite/logs directory
- file: path=/etc/gitolite/logs owner=gen-acls group=cvsextras
+ file: path=/etc/gitolite/logs owner=gen-acls group=packager
state=directory mode=0775
- name: create the /etc/gitolite/local/VREF directory
- file: path=/etc/gitolite/local/VREF owner=gen-acls group=cvsextras
+ file: path=/etc/gitolite/local/VREF owner=gen-acls group=packager
state=directory mode=0775
- name: create /etc/gitolite/gitolite.rc
@@ -204,19 +204,19 @@
- name: Save the list the users having a shell access
template: src=gitolite_admins dest=/etc/gitolite/admins
- owner=gen-acls group=cvsextras mode=660
+ owner=gen-acls group=packager mode=660
tags:
- config
- distgit
- name: Fix permissions on the Gitolite stuff
- file: dest={{ item.name }} group=cvsextras mode={{ item.mode }} state={{ item.state }}
+ file: dest={{ item.name }} group=packager mode={{ item.mode }} state={{ item.state }}
with_items:
- {name: /etc/gitolite/hooks, mode: 770, state: directory}
- {name: /etc/gitolite/hooks/common, mode: 770, state: directory}
- name: Fix permissions on the Gitolite stuff (touch update if it does not exist)
- copy: content="" dest=/etc/gitolite/hooks/common/update force=no owner=root group=cvsextras mode=0755
+ copy: content="" dest=/etc/gitolite/hooks/common/update force=no owner=root group=packager mode=0755
tags:
- distgit
- config
diff --git a/roles/distgit/templates/genacls.sh b/roles/distgit/templates/genacls.sh
index 69b5d3e..a00132b 100644
--- a/roles/distgit/templates/genacls.sh
+++ b/roles/distgit/templates/genacls.sh
@@ -33,5 +33,5 @@ HOME=/srv/git /usr/bin/gitolite compile
cd /
rm -rf $TEMPDIR
-chown root:cvsextras /etc/gitolite/conf/gitolite.conf-compiled.pm
+chown root:packager /etc/gitolite/conf/gitolite.conf-compiled.pm
chmod g+r /etc/gitolite/conf/gitolite.conf-compiled.pm
diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2
index c85f917..1020a3c 100644
--- a/roles/fas_server/templates/fas.cfg.j2
+++ b/roles/fas_server/templates/fas.cfg.j2
@@ -126,7 +126,7 @@ cla_deprecated_groups = ['cla_rpmfusion']
# Groups that automatically grant membership to other groups
# Format: 'group1:a,b,c|group2:d,e,f'
-auto_approve_groups = 'packager:fedorabugs|qa:fedorabugs|security-team:fedorabugs|qa-beaker-user:qa-automation-shell|docs:fedorabugs|cla_fpca:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done|cla_intel:cla_done'
+auto_approve_groups = 'packager:rpmfusionbugs|qa:rpmfusionbugs|security-team:rpmfusionbugs|qa-beaker-user:qa-automation-shell|docs:rpmfusionbugs|cla_fpca:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done|cla_intel:cla_done'
# Anti-spam approval check script, which injects in both registration and CLA steps
# In Fedora, this is provided by the Basset service
[ansible] Update bodhi role
by Nicolas Chauvet
commit dcaf61e17fcb99b44e508f3ecf332121f5460ec0
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Oct 10 13:06:25 2016 +0200
Update bodhi role
roles/bodhi2/backend/files/create-filelist | 36 +++++++++++
roles/bodhi2/backend/files/fedora-epel-push | 6 +-
roles/bodhi2/backend/tasks/main.yml | 60 ++++++++++--------
roles/bodhi2/backend/templates/atomic-config.py.j2 | 64 ++++++++++++++++++--
.../templates/bodhi-masher-jobrunner.cfg.j2 | 13 ++--
roles/bodhi2/backend/templates/bodhi-masher.cfg.j2 | 12 ++--
roles/bodhi2/backend/templates/bodhi-prod.cfg.erb | 12 ++++-
.../bodhi2/base/files/bowlofeggs-bodhi-epel-7.repo | 8 +++
roles/bodhi2/base/tasks/main.yml | 52 ++++++----------
roles/bodhi2/base/templates/bodhi-app.conf | 2 +-
roles/bodhi2/base/templates/production.ini.j2 | 32 +++++-----
roles/bodhi2/base/templates/staging.ini.j2 | 12 ++--
12 files changed, 208 insertions(+), 101 deletions(-)
---
diff --git a/roles/bodhi2/backend/files/create-filelist b/roles/bodhi2/backend/files/create-filelist
new file mode 100644
index 0000000..d95000e
--- /dev/null
+++ b/roles/bodhi2/backend/files/create-filelist
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+
+# A simple script to generate a file list in a format easily consumable by a
+# shell script.
+
+# Originally written by Jason Tibbitts <tibbs(a)math.uh.edu> in 2016.
+# Donated to the public domain. If you require a statement of license, please
+# consider this work to be licensed as "CC0 Universal", any version you choose.
+
+
+from scandir import scandir
+
+
+def get_ftype(entry):
+ """Return a simple indicator of the file type."""
+ if entry.is_symlink():
+ return 'l'
+ if entry.is_dir():
+ return 'd'
+ return 'f'
+
+
+def recursedir(path):
+ """Just like scandir, but recursively."""
+ for entry in scandir(path):
+ if entry.is_dir(follow_symlinks=False):
+ for rentry in recursedir(entry.path):
+ yield rentry
+ yield entry
+
+
+for entry in recursedir('.'):
+ info = entry.stat(follow_symlinks=False)
+ modtime = max(info.st_mtime, info.st_ctime)
+ ftype = get_ftype(entry)
+ print('{} {} {}'.format(modtime, ftype, entry.path[2:]))
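Review bot: `print('{} {} {}'.format(modtime, ftype, entry.path[2:]))` writes the path unescaped, so a file name containing a newline produces output that a line-oriented shell consumer will read as a separate record, and the listed tree may hold names the script author does not control. Either skip such entries with a warning or state the limit in the header comment, e.g. `# Paths containing newlines are not supported; one record per line is assumed.` Separately, `scandir(path)` in `recursedir` raises `OSError` on an unreadable directory, which aborts the whole listing. The file is added with mode 100644 although it starts with a shebang, so whatever deploys it has to set the executable bit.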
diff --git a/roles/bodhi2/backend/files/fedora-epel-push b/roles/bodhi2/backend/files/fedora-epel-push
old mode 100755
new mode 100644
index 6eac7d7..ba3cc46
--- a/roles/bodhi2/backend/files/fedora-epel-push
+++ b/roles/bodhi2/backend/files/fedora-epel-push
@@ -1,7 +1,7 @@
#!/bin/sh
SOURCE=/mnt/koji/mash/updates
-DEST=/pub/epel/
+DEST=/pub/epel
OPTIONS="-rlptDvHh --stats --delay-updates $RSYNC_OPTS"
@@ -97,8 +97,8 @@ for rel in 5 6 7; do
# Does our symbolic link exist?
if [ -L ${TARGET} ]; then
# check to see if the link matches the candidate
- TEST=$( readlink ${TARGET} )
- if [ ${TEST} != ${CANDIDATE} ]; then
+ TEST=$( readlink -e ${TARGET} )
+ if [ "${TEST}" != "${CANDIDATE}" ]; then
ln -sf $(echo ${CANDIDATE}|sed -e "s|$DEST|./|g" -e 's|//|/|g') ${TARGET}
fi
else
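Review bot: `readlink -e` returns the fully canonicalised target, so the new comparison `[ "${TEST}" != "${CANDIDATE}" ]` only matches when `${CANDIDATE}` is itself a canonical absolute path. The `sed -e 's|//|/|g'` on the next line suggests `${CANDIDATE}` can contain doubled slashes, in which case the link would be rewritten on every run. Comparing like with like avoids that: `if [ "${TEST}" != "$(readlink -e "${CANDIDATE}")" ]; then`. `${TARGET}` is still unquoted in `[ -L ${TARGET} ]` and in the `ln -sf` call. The loop body starts and ends outside the hunk.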
diff --git a/roles/bodhi2/backend/tasks/main.yml b/roles/bodhi2/backend/tasks/main.yml
index a142b5e..56893ae 100644
--- a/roles/bodhi2/backend/tasks/main.yml
+++ b/roles/bodhi2/backend/tasks/main.yml
@@ -13,7 +13,7 @@
- bodhi
- name: install needed packages
- yum: pkg={{ item }} state=present
+ package: pkg={{ item }} state=present
with_items:
- mock
- mash
@@ -23,6 +23,7 @@
- python-mock
- sigul
- python-alembic
+ - python-scandir
tags:
- packages
- bodhi
@@ -59,31 +60,21 @@
copy: >
src="{{ private }}/files/bodhi_key_and_cert.pem"
dest="/etc/pki/bodhi/bodhi.pem"
- owner=bodhi
- group=bodhi
- mode=0400
- when: inventory_hostname.startswith('bodhi01')
- tags:
- - config
- - bodhi
-
-- name: change owner and group attributes of bodhi.pem file
- file: >
- path="/etc/pki/bodhi/bodhi.pem"
owner=apache
group=apache
- when: inventory_hostname.startswith('bodhi01')
+ mode=0400
+ when: inventory_hostname.startswith('bodhi-backend')
tags:
- - bodhi
- config
+ - bodhi
- name: change owner and group attributes of /var/log/bodhi directory
file: path=/var/log/bodhi owner=apache group=apache
- when: inventory_hostname.startswith('bodhi01')
+ when: inventory_hostname.startswith('bodhi-backend')
tags:
- bodhi
- config
-
+
- name: setup /etc/bodhi/mash.conf file...
template: >
src=mash.conf
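Review bot: `when: inventory_hostname.startswith('bodhi-backend')` decides which hosts receive the private key in `bodhi_key_and_cert.pem` by matching a hostname prefix, so any inventory entry whose name starts with that string gets the key. Inventory group membership states the intent explicitly, e.g. `when: "'bodhi-backend' in group_names"` (group name assumed; use the one the inventory defines). The `mash.conf` task at the end of the hunk continues outside it.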
@@ -117,7 +108,7 @@
# tasks for setting up epelmasher
- name: install needed packages
- yum: pkg={{ item }} state=present
+ package: pkg={{ item }} state=present
with_items:
- repoview
tags:
@@ -272,18 +263,36 @@
cron: name="bodhi-expire-overrides" hour="*" minute=0 user="apache"
job="/usr/bin/bodhi-expire-overrides /etc/bodhi/production.ini 2> /dev/null"
cron_file=bodhi-expire-overrides-job
- when: inventory_hostname.startswith('bodhi01') and env == "production"
+ when: inventory_hostname.startswith('bodhi-backend02') and env == "production"
tags:
- config
- bodhi
- cron
-- name: have the apache own the bodhi config
- file: >
- path="/etc/bodhi/production.ini"
+- name: setup basic /etc/bodhi/ contents (staging)
+ template: >
+ src="{{roles}}/bodhi2/base/templates/staging.ini.j2"
+ dest="/etc/bodhi/production.ini"
owner=apache
group=apache
- when: inventory_hostname.startswith('bodhi')
+ mode=0600
+ when: inventory_hostname.startswith('bodhi-backend') and env == 'staging'
+ notify:
+ - reload bodhi httpd
+ tags:
+ - config
+ - bodhi
+
+- name: setup basic /etc/bodhi/ contents (production)
+ template: >
+ src="{{roles}}/bodhi2/base/templates/production.ini.j2"
+ dest="/etc/bodhi/production.ini"
+ owner=apache
+ group=apache
+ mode=0600
+ when: inventory_hostname.startswith('bodhi-backend') and env == 'production'
+ notify:
+ - reload bodhi httpd
tags:
- config
- bodhi
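Review bot: Both new `template` tasks render an ini file that embeds the database password (`sqlalchemy.url = postgresql://bodhi2:{{ bodhi2Password }}@db02/bodhi2` in `production.ini.j2`), and a playbook run with `--diff` prints the rendered before/after text to the terminal and to any run log. Adding `no_log: true` to the two tasks keeps the secret out of that output. The tasks differ only in `src` and the `env` test, so they could also become one task with `src="{{roles}}/bodhi2/base/templates/{{ env }}.ini.j2"`, provided `env` is always one of the two values.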
@@ -319,7 +328,7 @@
path="/var/cache/mash"
owner=apache
group=apache
- when: inventory_hostname.startswith('bodhi01')
+ when: inventory_hostname.startswith('bodhi-backend')
tags:
- config
- bodhi
@@ -329,7 +338,7 @@
path="/var/cache/bodhi"
owner=apache
group=apache
- when: inventory_hostname.startswith('bodhi01')
+ when: inventory_hostname.startswith('bodhi-backend')
tags:
- config
- bodhi
@@ -340,7 +349,7 @@
owner=apache
group=apache
state=directory
- when: inventory_hostname.startswith('bodhi01')
+ when: inventory_hostname.startswith('bodhi-backend')
tags:
- config
- bodhi
@@ -352,7 +361,6 @@
owner=apache
group=nrpe
state=directory
- recurse=yes
ignore_errors: true
notify:
- restart fedmsg-hub
diff --git a/roles/bodhi2/backend/templates/atomic-config.py.j2 b/roles/bodhi2/backend/templates/atomic-config.py.j2
index 12f2ff8..e49c6e6 100644
--- a/roles/bodhi2/backend/templates/atomic-config.py.j2
+++ b/roles/bodhi2/backend/templates/atomic-config.py.j2
@@ -6,6 +6,61 @@ rhel6 = dist[0] == 'redhat' and int(float(dist[1])) == 6
config = dict(
releases={
+ 'f24-updates': {
+ 'name': 'f24-updates',
+ 'repo': 'updates',
+ 'version': '24',
+ 'arch': 'x86_64',
+
+ # OSTree treefile configuration
+ # https://github.com/projectatomic/rpm-ostree/blob/master/doc/treefile.md
+ 'tree': 'docker-host',
+ 'treefile': {
+ 'include': 'fedora-atomic-docker-host.json',
+ 'ref': 'fedora-atomic/24/x86_64/docker-host',
+ 'repos': ['fedora-24', 'fedora-24-updates'],
+ 'packages': [],
+ },
+
+ # The name of the mock container to build and maintain
+ 'mock': 'fedora-24-updates-x86_64',
+
+ # The git branch to use in the `git_repo` for the parent
+ # treefile & repo configurations
+ 'git_branch': 'f24',
+
+ # Add or overwrite yum repository name:urls. This lets you
+ # compose trees against your own repositories.
+ 'repos': {},
+ },
+ 'f24-updates-testing': {
+ 'name': 'f24-updates-testing',
+ 'repo': 'updates-testing',
+ 'version': '24',
+ 'arch': 'x86_64',
+
+ # OSTree treefile configuration
+ # https://github.com/projectatomic/rpm-ostree/blob/master/doc/treefile.md
+ 'tree': 'docker-host',
+ 'treefile': {
+ 'include': 'fedora-atomic-docker-host.json',
+ 'ref': 'fedora-atomic/24/x86_64/testing/docker-host',
+ 'repos': ['fedora-24', 'fedora-24-updates', 'updates-testing'],
+ 'packages': [],
+ },
+
+ # The name of the mock container to build and maintain
+ 'mock': 'fedora-24-updates-testing-x86_64',
+
+ # The git branch to use in the `git_repo` for the parent
+ # treefile & repo configurations
+ 'git_branch': 'f24',
+
+ # Add or overwrite yum repository name:urls. This lets you
+ # compose trees against your own repositories.
+ 'repos': {},
+ },
+
'f23-updates': {
'name': 'f23-updates',
'repo': 'updates',
@@ -100,7 +155,7 @@ config = dict(
'treefile': {
'include': 'fedora-atomic-docker-host.json',
'ref': 'fedora-atomic/f22/x86_64/testing/docker-host',
- 'repos': ['fedora-22', 'updates', 'updates-testing', 'f22-temprepo'],
+ 'repos': ['fedora-22', 'updates', 'updates-testing'],
'packages': [],
},
@@ -167,7 +222,6 @@ config = dict(
'fedora-{version}-updates': 'file:///pub/fedora/linux/updates/{version}/{arch}/',
'updates': 'file:///pub/fedora/linux/updates/{version}/{arch}/',
'updates-testing': 'file:///pub/fedora/linux/updates/testing/{version}/{arch}/',
- 'f22-temprepo': 'file:///mnt/koji/mash/updates/f22-temprepo/',
{% else %}
'fedora-{version}': 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/releases/{versi...',
'updates': 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/{versio...',
@@ -193,15 +247,15 @@ config = dict(
{% endif %}
# The git repo containing our parent treefiles and yum repos
- git_repo='https://git.fedorahosted.org/git/fedora-atomic.git',
+ git_repo='https://pagure.io/fedora-atomic.git',
git_cache='{work_dir}/fedora-atomic.git',
# Some branches contain custom .repo files that we don't want to use
delete_repo_files=True,
# Mock command
- #mock_cmd='/usr/bin/mock%s-r {mock}' % (rhel6 and ' ' or ' --new-chroot '),
- mock_cmd='/usr/bin/mock -r {mock}',
+ mock_cmd='/usr/bin/mock%s-r {mock}' % (rhel6 and ' ' or ' --new-chroot '),
+ #mock_cmd='/usr/bin/mock -r {mock}',
mock_clean=True,
# OSTree commands
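Review bot: The re-enabled `mock_cmd` line relies on the `rhel6 and ' ' or ' --new-chroot '` idiom, which only works because `' '` happens to be truthy. A conditional expression says the same thing without that trap: `mock_cmd='/usr/bin/mock%s-r {mock}' % (' ' if rhel6 else ' --new-chroot '),`. The previous value is left behind as a commented-out line with no explanation; delete it or add a comment saying when it applies. The `config = dict(` call starts and ends outside the hunk.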
diff --git a/roles/bodhi2/backend/templates/bodhi-masher-jobrunner.cfg.j2 b/roles/bodhi2/backend/templates/bodhi-masher-jobrunner.cfg.j2
index 972f506..4e1fa33 100644
--- a/roles/bodhi2/backend/templates/bodhi-masher-jobrunner.cfg.j2
+++ b/roles/bodhi2/backend/templates/bodhi-masher-jobrunner.cfg.j2
@@ -66,7 +66,7 @@ bodhi_email = 'updates(a)rpmfusion.org'
# TurboMail 3.0 settings
mail.on = True
mail.transport = 'smtp'
-mail.smtp.server = 'bastion'
+mail.smtp.server = 'localhost'
# The 'utf-8-qp' encoding causes problems with TurboMail 3.x
# https://fedorahosted.org/bodhi/ticket/648
mail.message.encoding = 'utf-8'
@@ -87,10 +87,9 @@ mash_conf = '/etc/bodhi/mash.conf'
comps_dir = '/var/tmp/bodhi/comps'
base_address = 'https://admin.rpmfusion.org'
-#bz_server = 'https://bzprx.vip.phx.redhat.com/xmlrpc.cgi'
bz_server = 'https://bugzilla.rpmfusion.org/xmlrpc.cgi'
bz_cookie = '/var/tmp/bodhi-bz.cookie'
-bz_products = 'Fedora,Fedora EPEL,oVirt'
+bz_products = 'Fedora,Fedora EPEL'
acl_system = 'pkgdb'
pkgdb_url = 'https://admin.rpmfusion.org/pkgdb'
@@ -102,9 +101,11 @@ serverca_cert = '/etc/pki/bodhi/fedora-server-ca.cert'
masher_lock_id = 'FEDORA'
-master_repomd = 'http://download01.phx2.rpmfusion.org/pub/fedora/linux/updates/%d/%s/repod...'
-fedora_master_repomd = 'http://download01.phx2.rpmfusion.org/pub/fedora/linux/updates/%d/%s/repod...'
-fedora_epel_master_repomd = 'http://download01.phx2.rpmfusion.org/pub/epel/%d/%s/repodata/repomd.xml'
+master_repomd = 'http://download1.rpmfusion.org/free/fedora/updates/%d/%s/repodata/repomd.xml'
+fedora_free_master_repomd = 'http://download1.rpmfusion.org/free/fedora/linux/updates/%d/%s/repodata/r...'
+fedora_nonfree_master_repomd = 'http://download1.rpmfusion.org/nonfree/fedora/linux/updates/%d/%s/repodat...'
+fedora_free_epel_master_repomd = 'http://download1.rpmfusion.org/free/epel/%d/%s/repodata/repomd.xml'
+fedora_nonfree_epel_master_repomd = 'http://download1.rpmfusion.org/nonfree/epel/%d/%s/repodata/repomd.xml'
arches = 'i386 x86_64'
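Review bot: The new `master_repomd` value uses the path `free/fedora/updates/%d/%s/`, while `fedora_free_master_repomd` and `fedora_nonfree_master_repomd` use `fedora/linux/updates/%d/%s/`; presumably only one layout exists on `download1.rpmfusion.org`, so one of these is likely to fail. The old keys `fedora_master_repomd` and `fedora_epel_master_repomd` are removed, so confirm the masher looks up the new `*_free_*`/`*_nonfree_*` names and is not left without the old ones. All five URLs are plain `http://`; if the mirror serves TLS, `https://` keeps the repomd check from being answered by something on the network path. `bodhi-masher.cfg.j2` receives the same lines in its last hunk.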
diff --git a/roles/bodhi2/backend/templates/bodhi-masher.cfg.j2 b/roles/bodhi2/backend/templates/bodhi-masher.cfg.j2
index 513259f..7b18ac2 100644
--- a/roles/bodhi2/backend/templates/bodhi-masher.cfg.j2
+++ b/roles/bodhi2/backend/templates/bodhi-masher.cfg.j2
@@ -53,7 +53,7 @@ bodhi_password='<%= bodhiBugzillaPassword %>'
bodhi_email = 'updates(a)rpmfusion.org'
mail.on = True
-mail.server = 'bastion'
+mail.server = 'localhost'
notice_sender = 'updates(a)rpmfusion.org'
security_team = 'security_respons-members(a)rpmfusion.org'
release_team_address = 'bodhiadmin-members(a)rpmfusion.org'
@@ -72,7 +72,7 @@ comps_dir = '/var/tmp/bodhi/comps'
base_address = 'https://admin.rpmfusion.org'
bz_server = 'https://bugzilla.rpmfusion.org/xmlrpc.cgi'
bz_cookie = '/var/tmp/bodhi-bz.cookie'
-bz_products = 'Fedora,Fedora EPEL,oVirt'
+bz_products = 'Fedora,Fedora EPEL'
acl_system = 'pkgdb'
pkgdb_url = 'https://admin.rpmfusion.org/pkgdb'
@@ -84,9 +84,11 @@ serverca_cert = '/etc/pki/bodhi/fedora-server-ca.cert'
masher_lock_id = 'FEDORA'
-master_repomd = 'http://download01.phx2.rpmfusion.org/pub/fedora/linux/updates/%d/%s/repod...'
-fedora_master_repomd = 'http://download01.phx2.rpmfusion.org/pub/fedora/linux/updates/%d/%s/repod...'
-fedora_epel_master_repomd = 'http://download01.phx2.rpmfusion.org/pub/epel/%d/%s/repodata/repomd.xml'
+master_repomd = 'http://download1.rpmfusion.org/free/fedora/updates/%d/%s/repodata/repomd.xml'
+fedora_free_master_repomd = 'http://download1.rpmfusion.org/free/fedora/linux/updates/%d/%s/repodata/r...'
+fedora_nonfree_master_repomd = 'http://download1.rpmfusion.org/nonfree/fedora/linux/updates/%d/%s/repodat...'
+fedora_free_epel_master_repomd = 'http://download1.rpmfusion.org/free/epel/%d/%s/repodata/repomd.xml'
+fedora_nonfree_epel_master_repomd = 'http://download1.rpmfusion.org/nonfree/epel/%d/%s/repodata/repomd.xml'
arches = 'armhfp i386 x86_64'
diff --git a/roles/bodhi2/backend/templates/bodhi-prod.cfg.erb b/roles/bodhi2/backend/templates/bodhi-prod.cfg.erb
index de3a041..fa73eed 100644
--- a/roles/bodhi2/backend/templates/bodhi-prod.cfg.erb
+++ b/roles/bodhi2/backend/templates/bodhi-prod.cfg.erb
@@ -8,7 +8,17 @@
# Release status
# pre-beta enforces the 'Pre Beta' policy defined here:
-# https://rpmfusion.org/wiki/Updates_Policy
+# https://fedoraproject.org/wiki/Updates_Policy
+f22.status = 'post_beta'
+
+f22.post_beta.mandatory_days_in_testing = 7
+f22.post_beta.critpath.num_admin_approvals = 0
+f22.post_beta.critpath.min_karma = 2
+f22.post_beta.critpath.stable_after_days_without_negative_karma = 14
+
+f22.pre_beta.mandatory_days_in_testing = 3
+f22.pre_beta.critpath.num_admin_approvals = 0
+f22.pre_beta.critpath.min_karma = 1
# Bodhi Defaults:
#
diff --git a/roles/bodhi2/base/files/bowlofeggs-bodhi-epel-7.repo b/roles/bodhi2/base/files/bowlofeggs-bodhi-epel-7.repo
new file mode 100644
index 0000000..29042ce
--- /dev/null
+++ b/roles/bodhi2/base/files/bowlofeggs-bodhi-epel-7.repo
@@ -0,0 +1,8 @@
+[bowlofeggs-bodhi-pre-release]
+name=Copr repo for bodhi owned by bowlofeggs
+baseurl=https://copr-be.cloud.fedoraproject.org/results/bowlofeggs/bodhi-pre-release/epel-7-$basearch/
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/bowlofeggs/bodhi-pre-release/pubkey.gpg
+enabled=1
+enabled_metadata=1
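Review bot: `gpgkey=` points at the same Copr backend that serves the packages, so `gpgcheck=1` here only shows that packages and key came from the same place. Shipping the public key from this repository and using `gpgkey=file:///etc/pki/rpm-gpg/<KEY-FILE-PLACEHOLDER>` pins what is trusted. The repo is a personal `bodhi-pre-release` Copr with `enabled=1`, so any package it carries can replace distribution packages on the host unless it is limited with `includepkgs=`. This commit also removes the task in `roles/bodhi2/base/tasks/main.yml` that installed the previous `.repo` file and no task installing this one is visible, so it may never reach `/etc/yum.repos.d`.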
diff --git a/roles/bodhi2/base/tasks/main.yml b/roles/bodhi2/base/tasks/main.yml
index c99fb52..06c8303 100644
--- a/roles/bodhi2/base/tasks/main.yml
+++ b/roles/bodhi2/base/tasks/main.yml
@@ -2,20 +2,8 @@
# tasklist for setting up bodhi
# This is the base set of files needed for bodhi
-- name: setup the bodhi2 copr repo
- copy: >
- src="lmacken-bodhi2-epel-7.repo"
- dest="/etc/yum.repos.d/lmacken-bodhi2-epel-7.repo"
- owner=root
- group=root
- mode=0644
- tags:
- - config
- - bodhi
-
-
- name: install needed packages
- yum: pkg={{ item }} state=present
+ package: pkg={{ item }} state=present
with_items:
- bodhi-server
- libsemanage-python
@@ -30,30 +18,30 @@
- config
- bodhi
-- name: setup basic /etc/bodhi/ contents
- template: >
- src="staging.ini.j2"
- dest="/etc/bodhi/production.ini"
- owner=bodhi
- group=bodhi
+- name: setup basic /etc/bodhi/ contents (staging)
+ template: >
+ src="staging.ini.j2"
+ dest="/etc/bodhi/production.ini"
+ owner=bodhi
+ group=bodhi
mode=0600
- when: inventory_hostname.startswith('bodhi') and env == 'staging'
+ when: inventory_hostname.startswith('bodhi0') and env == 'staging'
notify:
- reload bodhi httpd
tags:
- config
- bodhi
-- name: setup basic /etc/bodhi/ contents
- template: >
- src="production.ini.j2"
- dest="/etc/bodhi/production.ini"
- owner=bodhi
- group=bodhi
+- name: setup basic /etc/bodhi/ contents (production)
+ template: >
+ src="production.ini.j2"
+ dest="/etc/bodhi/production.ini"
+ owner=bodhi
+ group=bodhi
mode=0600
- when: inventory_hostname.startswith('bodhi') and env == 'production'
+ when: inventory_hostname.startswith('bodhi0') and env == 'production'
notify:
- - reload httpd
+ - reload bodhi httpd
tags:
- config
- bodhi
@@ -79,14 +67,14 @@
- name: setup basic /etc/httpd/conf.d/ bodhi contents
template: >
- src="bodhi-app.conf"
+ src="bodhi-app.conf"
dest="/etc/httpd/conf.d/bodhi.conf"
owner=root
group=root
mode=0644
when: inventory_hostname.startswith('bodhi0')
notify:
- - reload httpd
+ - reload bodhi httpd
tags:
- config
- bodhi
@@ -154,14 +142,14 @@
# - bodhi
# - selinux
-- name: enable httpd_tmp_exec SELinux boolean
+- name: enable httpd_tmp_exec SELinux boolean
seboolean: name=httpd_tmp_exec state=yes persistent=yes
tags:
- config
- bodhi
- selinux
-- name: enable httpd_can_network_connect_db SELinux boolean
+- name: enable httpd_can_network_connect_db SELinux boolean
seboolean: name=httpd_can_network_connect_db state=yes persistent=yes
tags:
- config
diff --git a/roles/bodhi2/base/templates/bodhi-app.conf b/roles/bodhi2/base/templates/bodhi-app.conf
index 1d71286..00a1216 100644
--- a/roles/bodhi2/base/templates/bodhi-app.conf
+++ b/roles/bodhi2/base/templates/bodhi-app.conf
@@ -1,4 +1,4 @@
-Alias /static /usr/lib/python2.7/site-packages/bodhi/static/
+Alias /static /usr/lib/python2.7/site-packages/bodhi/server/static/
<FilesMatch ".(eot|ttf|otf|woff)">
# modern browsers require that fonts have this
diff --git a/roles/bodhi2/base/templates/production.ini.j2 b/roles/bodhi2/base/templates/production.ini.j2
index 0a5b8d3..b9f03e3 100644
--- a/roles/bodhi2/base/templates/production.ini.j2
+++ b/roles/bodhi2/base/templates/production.ini.j2
@@ -4,22 +4,22 @@ prefix = /
scheme = https
[app:main]
-use = egg:bodhi
+use = egg:bodhi-server
filter-with = proxy-prefix
# Release status
# pre-beta enforces the 'Pre Beta' policy defined here:
# https://fedoraproject.org/wiki/Updates_Policy
-f24.status = pre_beta
+f25.status = pre_beta
-f24.post_beta.mandatory_days_in_testing = 7
-f24.post_beta.critpath.num_admin_approvals = 0
-f24.post_beta.critpath.min_karma = 2
-f24.post_beta.critpath.stable_after_days_without_negative_karma = 14
+f25.post_beta.mandatory_days_in_testing = 7
+f25.post_beta.critpath.num_admin_approvals = 0
+f25.post_beta.critpath.min_karma = 2
+f25.post_beta.critpath.stable_after_days_without_negative_karma = 14
-f24.pre_beta.mandatory_days_in_testing = 3
-f24.pre_beta.critpath.num_admin_approvals = 0
-f24.pre_beta.critpath.min_karma = 1
+f25.pre_beta.mandatory_days_in_testing = 3
+f25.pre_beta.critpath.num_admin_approvals = 0
+f25.pre_beta.critpath.min_karma = 1
##
## Atomic OSTree support
@@ -123,8 +123,8 @@ createrepo_cache_dir = /var/cache/createrepo
jobs = cache_release_data refresh_metrics approve_testing_updates
## Comps configuration
-comps_dir = /var/cache/bodhi/comps
-comps_url = https://git.rpmfusion.org/comps.git
+comps_free_dir = /var/cache/bodhi/comps
+comps_free_url = https://git.rpmfusion.org/comps.git
##
## Mirror settings
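Review bot: `comps_dir` and `comps_url` are renamed to `comps_free_dir` and `comps_free_url` here, while `staging.ini.j2` in the same commit keeps `comps_dir`/`comps_url`. If the server still reads the old names, production would be left without either setting. A comment above the two keys naming the code that reads them would settle it, e.g. `# comps_free_*: read by <component to confirm>; staging still uses comps_dir/comps_url`.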
@@ -390,10 +390,10 @@ updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others.
##
# pyramid.openid
-openid.success_callback = bodhi.security:remember_me
+openid.success_callback = bodhi.server.security:remember_me
openid.provider = https://id.rpmfusion.org/openid/
openid.url = https://id.rpmfusion.org/
-openid_template = {username}.id.rpmfusion.org
+openid_template = id.rpmfusion.org/openid/id/{username}
openid.sreg_required = email
# CORS allowed origins for cornice services
@@ -426,7 +426,7 @@ sqlalchemy.url = postgresql://bodhi2:{{ bodhi2Password }}@db02/bodhi2
##
## Templates
##
-mako.directories = bodhi:templates
+mako.directories = bodhi:server/templates
##
## Authentication & Sessions
@@ -455,8 +455,8 @@ host = 0.0.0.0
port = 6543
[pshell]
-m = bodhi.models
-#db = bodhi.models.DBSession
+m = bodhi.server.models
+#db = bodhi.server.models.DBSession
t = transaction
# Begin logging configuration
diff --git a/roles/bodhi2/base/templates/staging.ini.j2 b/roles/bodhi2/base/templates/staging.ini.j2
index 39c4c8f..10c2004 100644
--- a/roles/bodhi2/base/templates/staging.ini.j2
+++ b/roles/bodhi2/base/templates/staging.ini.j2
@@ -4,7 +4,7 @@ prefix = /
scheme = https
[app:main]
-use = egg:bodhi
+use = egg:bodhi-server
filter-with = proxy-prefix
##
@@ -101,7 +101,7 @@ jobs = cache_release_data refresh_metrics approve_testing_updates
## Comps configuration
comps_dir = /var/cache/bodhi/comps
-comps_url = https://git.fedorahosted.org/comps.git
+comps_url = https://pagure.io/fedora-comps.git
##
## Mirror settings
@@ -366,7 +366,7 @@ updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others.
##
# pyramid.openid
-openid.success_callback = bodhi.security:remember_me
+openid.success_callback = bodhi.server.security:remember_me
openid.provider = https://id.stg.fedoraproject.org/openid/
openid.url = https://id.stg.fedoraproject.org/
openid_template = {username}.id.fedoraproject.org
@@ -402,7 +402,7 @@ sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@db-bodhi/bodhi2
##
## Templates
##
-mako.directories = bodhi:templates
+mako.directories = bodhi:server/templates
##
## Authentication & Sessions
@@ -432,8 +432,8 @@ port = 6543
[pshell]
-m = bodhi.models
-db = bodhi.models.DBSession
+m = bodhi.server.models
+db = bodhi.server.models.DBSession
t = transaction
# Begin logging configuration