[ansible] Update localconfig for bugzilla-5 and disable htaccess generation
by Nicolas Chauvet
commit 42c96a331de0cdb70247e09ab0a67aa978edaaf2
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Nov 5 10:58:14 2016 +0100
Update localconfig for bugzilla-5 and disable htaccess generation
roles/bugzilla/templates/localconfig | 100 ++++++++++++++++++----------------
1 files changed, 54 insertions(+), 46 deletions(-)
---
diff --git a/roles/bugzilla/templates/localconfig b/roles/bugzilla/templates/localconfig
index e740ef9..e62bd55 100644
--- a/roles/bugzilla/templates/localconfig
+++ b/roles/bugzilla/templates/localconfig
@@ -1,55 +1,63 @@
-
# If you are using Apache as your web server, Bugzilla can create .htaccess
-# files for you that will instruct Apache not to serve files that shouldn't
-# be accessed from the web browser (like your local configuration data and non-cgi
-# executable files). For this to work, the directory your Bugzilla
-# installation is in must be within the jurisdiction of a <Directory> block
-# in the httpd.conf file that has 'AllowOverride Limit' in it. If it has
-# 'AllowOverride All' or other options with Limit, that's fine.
-# (Older Apache installations may use an access.conf file to store these
-# <Directory> blocks.)
-# If this is set to 1, Bugzilla will create these files if they don't exist.
-# If this is set to 0, Bugzilla will not create these files.
-$create_htaccess = 1;
-
-# Usually, this is the group your web server runs as.
-# If you have a Windows box, ignore this setting.
-# If you have use_suexec switched on below, this is the group Apache switches
-# to in order to run Bugzilla scripts.
+# files for you, which will keep this file (localconfig) and other
+# confidential files from being read over the web.
+#
+# If this is set to 1, checksetup.pl will create .htaccess files if
+# they don't exist.
+#
+# If this is set to 0, checksetup.pl will not create .htaccess files.
+$create_htaccess = 0;
+
+# The name of the group that your web server runs as. On Red Hat
+# distributions, this is usually "apache". On Debian/Ubuntu, it is
+# usually "www-data".
+#
+# If you have use_suexec turned on below, then this is instead the name
+# of the group that your web server switches to to run cgi files.
+#
+# If this is a Windows machine, ignore this setting, as it does nothing.
+#
# If you do not have access to the group your scripts will run under,
# set this to "". If you do set this to "", then your Bugzilla installation
# will be _VERY_ insecure, because some files will be world readable/writable,
# and so anyone who can get local access to your machine can do whatever they
# want. You should only have this set to "" if this is a testing installation
# and you cannot set this up any other way. YOU HAVE BEEN WARNED!
+#
# If you set this to anything other than "", you will need to run checksetup.pl
-# asroot, or as a user who is a member of the specified group.
+# as root or as a user who is a member of the specified group.
$webservergroup = 'apache';
-# Set this if Bugzilla runs in an Apache SuexecUserGroup environment.
-# (If your web server runs control panel software (cPanel, Plesk or similar),
+# Set this to 1 if Bugzilla runs in an Apache SuexecUserGroup environment.
+#
+# If your web server runs control panel software (cPanel, Plesk or similar),
# or if your Bugzilla is to run in a shared hosting environment, then you are
-# almost certainly in an Apache SuexecUserGroup environment.)
-# If you have a Windows box, ignore this setting.
-# If set to 0, Bugzilla will set file permissions as tightly as possible.
-# If set to 1, Bugzilla will set file permissions so that it may work in an
-# SuexecUserGroup environment. The difference is that static files (CSS,
-# JavaScript and so on) will receive world read permissions.
+# almost certainly in an Apache SuexecUserGroup environment.
+#
+# If this is a Windows box, ignore this setting, as it does nothing.
+#
+# If set to 0, checksetup.pl will set file permissions appropriately for
+# a normal webserver environment.
+#
+# If set to 1, checksetup.pl will set file permissions so that Bugzilla
+# works in a SuexecUserGroup environment.
$use_suexec = 0;
# What SQL database to use. Default is mysql. List of supported databases
# can be obtained by listing Bugzilla/DB directory - every module corresponds
-# to one supported database and the name corresponds to a driver name.
+# to one supported database and the name of the module (before ".pm")
+# corresponds to a valid value for this variable.
$db_driver = '{{ bugzilla_db_driver }}';
-# The DNS name of the host that the database server runs on.
+# The DNS name or IP address of the host that the database server runs on.
{% if bugzilla_db_host == 'localhost' %}
$db_host = ''
{% else %}
$db_host = '{{ bugzilla_db_host }}';
{% endif %}
-# The name of the database
+# The name of the database. For Oracle, this is the database's SID. For
+# SQLite, this is a name (or path) for the DB file.
$db_name = '{{ bugzilla_db_name }}';
# Who we connect to the database as.
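Review bot: Setting `$create_htaccess = 0;` stops checksetup.pl from writing the .htaccess files that deny web access to localconfig, and this very file carries `$db_pass` and `$site_wide_secret`, so the deny rules must now come from the httpd configuration — nothing in this commit adds them, and the change should not be deployed until the equivalent `<Directory>`/`<Files>` denies for localconfig, data/, lib/ and template/ are confirmed in the Apache role. Separately, the `{% if bugzilla_db_host == 'localhost' %}` branch renders `$db_host = ''` with no terminating semicolon, so the generated file is a Perl syntax error whenever the database is local; it should read `$db_host = '';` like the `else` branch.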
@@ -59,7 +67,7 @@ $db_user = '{{ bugzilla_db_user }}';
# a password for your bugzilla database user.
# If you use apostrophe (') or a backslash (\) in your password, you'll
# need to escape it by preceding it with a '\' character. (\') or (\)
-# (Far simpler just not to use those characters.)
+# (It is far simpler to just not use those characters.)
$db_pass = '{{ bugzilla_db_pass }}';
# Sometimes the database server is running on a non-standard port. If that's
@@ -74,8 +82,9 @@ $db_port = 0;
$db_sock = '';
# Should checksetup.pl try to verify that your database setup is correct?
-# (with some combinations of database servers/Perl modules/moonphase this
-# doesn't work)
+# With some combinations of database servers/Perl modules/moonphase this
+# doesn't work, and so you can try setting this to 0 to make checksetup.pl
+# run.
$db_check = 0;
# Path to a PEM file with a list of trusted SSL CA certificates.
@@ -94,31 +103,30 @@ $db_mysql_ssl_client_cert = '';
# The file must not be password-protected and must be readable by web server user.
$db_mysql_ssl_client_key = '';
-# With the introduction of a configurable index page using the
-# template toolkit, Bugzilla's main index page is now index.cgi.
# Most web servers will allow you to use index.cgi as a directory
# index, and many come preconfigured that way, but if yours doesn't
# then you'll need an index.html file that provides redirection
# to index.cgi. Setting $index_html to 1 below will allow
-# checksetup.pl to create one for you if it doesn't exist.
+# checksetup.pl to create an index.html for you if it doesn't exist.
# NOTE: checksetup.pl will not replace an existing file, so if you
# wish to have checksetup.pl create one for you, you must
-# make sure that index.html doesn't already exist
+# make sure that index.html doesn't already exist.
$index_html = 0;
-# For some optional functions of Bugzilla (such as the pretty-print patch
-# viewer), we need the interdiff binary to make diffs between two patches.
-# Because it's possible that this program is not in your path, you can specify
-# its location here. Please specify the full path to the executable.
+# If you want to use the "Difference Between Two Patches" feature of the
+# Patch Viewer, please specify the full path to the "interdiff" executable
+# here.
$interdiffbin = '/usr/bin/interdiff';
-# The interdiff feature needs diff, so we have to have that path.
-# Please specify the directory name only; do not use trailing slash.
+# For the "Difference Between Two Patches" feature to work, we need to know
+# what directory the "diff" bin is in. (You only need to set this if you
+# are using that feature of the Patch Viewer.)
$diffpath = '/usr/bin';
# This secret key is used by your installation for the creation and
-# validation of encrypted tokens to prevent unsolicited changes,
-# such as bug changes. A random string is generated by default.
-# It's very important that this key is kept secret. It also must be
-# very long.
+# validation of encrypted tokens. These tokens are used to implement
+# security features in Bugzilla, to protect against certain types of attacks.
+# A random string is generated by default. It's very important that this key
+# is kept secret. It also must be very long.
$site_wide_secret = '{{ bugzilla_site_wide_secret }}';
+
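Review bot: `$site_wide_secret = '{{ bugzilla_site_wide_secret }}';` (and `$db_pass = '{{ bugzilla_db_pass }}';` earlier in this file) interpolate the Ansible value into a single-quoted Perl string with no escaping, although the comment above `$db_pass` says a `'` or `\` must be backslash-escaped; a secret containing either character silently truncates or breaks the rendered localconfig. Escape in the template, e.g. `$site_wide_secret = '{{ bugzilla_site_wide_secret | replace("\\", "\\\\") | replace("'", "\\'") }}';`, and the same for `$db_pass`. The comment also requires the key to be long and random; the variable is presumably generated in the private vars, which this commit does not show, so that is worth a note in the role README.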
[ansible] Switch to bugzilla 5 on epel7
by Nicolas Chauvet
commit f41347ce2e7e32afb8fa52ee74606d0892c2aa55
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Nov 5 10:30:29 2016 +0100
Switch to bugzilla 5 on epel7
...pel-7.repo => eseyman-bugzilla-5.0-epel-7.repo} | 10 ++++++----
roles/bugzilla/tasks/main.yml | 5 +++--
2 files changed, 9 insertions(+), 6 deletions(-)
---
diff --git a/roles/bugzilla/files/eseyman-bugzilla-4.4-epel-7.repo b/roles/bugzilla/files/eseyman-bugzilla-5.0-epel-7.repo
similarity index 50%
rename from roles/bugzilla/files/eseyman-bugzilla-4.4-epel-7.repo
rename to roles/bugzilla/files/eseyman-bugzilla-5.0-epel-7.repo
index 8ceee58..6270083 100644
--- a/roles/bugzilla/files/eseyman-bugzilla-4.4-epel-7.repo
+++ b/roles/bugzilla/files/eseyman-bugzilla-5.0-epel-7.repo
@@ -1,8 +1,10 @@
-[eseyman-bugzilla-4.4]
-name=Copr repo for bugzilla-4.4 owned by eseyman
-baseurl=https://copr-be.cloud.fedoraproject.org/results/eseyman/bugzilla-4.4/epel-7-$basearch/
+[eseyman-bugzilla-5.0]
+name=Copr repo for bugzilla-5.0 owned by eseyman
+baseurl=https://copr-be.cloud.fedoraproject.org/results/eseyman/bugzilla-5.0/epel-7-$basearch/
+type=rpm-md
skip_if_unavailable=True
gpgcheck=1
-gpgkey=https://copr-be.cloud.fedoraproject.org/results/eseyman/bugzilla-4.4/pubkey.gpg
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/eseyman/bugzilla-5.0/pubkey.gpg
+repo_gpgcheck=0
enabled=1
enabled_metadata=1
\ No newline at end of file
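Review bot: `repo_gpgcheck=0` leaves the repository metadata unverified, and `gpgkey=` points at the same Copr host the packages are downloaded from, so the only thing binding the signing key to this repo is TLS to copr-be.cloud.fedoraproject.org; whoever can serve that URL can serve a matching key and metadata (if Copr does not sign repodata the `repo_gpgcheck=0` part is unavoidable, but the key need not be fetched at first use). Ship the Copr public key as a file in the role, install it under /etc/pki/rpm-gpg/, and set `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-eseyman-bugzilla-5.0` so the key is pinned in the repository rather than trusted on first fetch; `gpgcheck=1` stays as is. The file also lacks a trailing newline, which some tools report as a warning.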
diff --git a/roles/bugzilla/tasks/main.yml b/roles/bugzilla/tasks/main.yml
index 46b0415..45cc69c 100644
--- a/roles/bugzilla/tasks/main.yml
+++ b/roles/bugzilla/tasks/main.yml
@@ -1,12 +1,13 @@
---
# tasks file for bugzilla
#
-- name: install eseyman bugzilla 4.4 copr repo
- copy: src="eseyman-bugzilla-4.4-epel-7.repo" dest="/etc/yum.repos.d/eseyman-bugzilla-4.4-epel-7.repo" owner=root group=root
+- name: install eseyman bugzilla 5.0 copr repo
+ copy: src="eseyman-bugzilla-5.0-epel-7.repo" dest="/etc/yum.repos.d/bugzilla-epel.repo" owner=root group=root
tags:
- config
- packages
- yumrepos
+ when: ansible_distribution_major_version|int == 7
- name: install needed packages for bugzilla
yum: pkg={{ item }} state=present
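Review bot: The copy task now writes the repo definition to `/etc/yum.repos.d/bugzilla-epel.repo`, but nothing removes the previous `/etc/yum.repos.d/eseyman-bugzilla-4.4-epel-7.repo` from hosts that already had it, so both Copr repos stay enabled and `yum ... state=present` resolves bugzilla from whichever offers the higher version. Add a task `file: path=/etc/yum.repos.d/eseyman-bugzilla-4.4-epel-7.repo state=absent` ahead of the install, and give the copy an explicit `mode=0644` so the repo file's permissions do not depend on the controller's umask. The new `when: ansible_distribution_major_version|int == 7` guard applies only to the repo task; on any other major version the package install below still runs without a repo providing bugzilla, which is presumably not intended.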
[ansible] Update config for bugzilla 5.0
by Nicolas Chauvet
commit c93dbfacde74a8cecadd7fadce304ecfad78ac08
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Nov 5 10:25:03 2016 +0100
Update config for bugzilla 5.0
roles/bugzilla/templates/localconfig | 22 ++++++++++++++++------
1 files changed, 16 insertions(+), 6 deletions(-)
---
diff --git a/roles/bugzilla/templates/localconfig b/roles/bugzilla/templates/localconfig
index 05caa0a..e740ef9 100644
--- a/roles/bugzilla/templates/localconfig
+++ b/roles/bugzilla/templates/localconfig
@@ -78,6 +78,22 @@ $db_sock = '';
# doesn't work)
$db_check = 0;
+# Path to a PEM file with a list of trusted SSL CA certificates.
+# The file must be readable by web server user.
+$db_mysql_ssl_ca_file = '';
+
+# Path to a directory containing trusted SSL CA certificates in PEM format.
+# Directory and files inside must be readable by the web server user.
+$db_mysql_ssl_ca_path = '';
+
+# Full path to the client SSL certificate in PEM format we will present to the DB server.
+# The file must be readable by web server user.
+$db_mysql_ssl_client_cert = '';
+
+# Full path to the private key corresponding to the client SSL certificate.
+# The file must not be password-protected and must be readable by web server user.
+$db_mysql_ssl_client_key = '';
+
# With the introduction of a configurable index page using the
# template toolkit, Bugzilla's main index page is now index.cgi.
# Most web servers will allow you to use index.cgi as a directory
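Review bot: The four new `$db_mysql_ssl_*` settings are hard-coded to `''` instead of being templated, so a non-local database (`$db_host` comes from `bugzilla_db_host`) talks plaintext MySQL and the `$db_pass` value crosses the network unprotected, with no way to enable TLS short of editing the role. Consider `$db_mysql_ssl_ca_file = '{{ bugzilla_db_mysql_ssl_ca_file | default('') }}';` and the same for the other three, with a note in the role defaults that they should be set whenever `bugzilla_db_host` is not `localhost`. The client-key comment says the key must be readable by the web server user; when that file is deployed it should be owned by root with group `$webservergroup` and mode 0640, not world-readable.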
@@ -91,12 +107,6 @@ $db_check = 0;
$index_html = 0;
# For some optional functions of Bugzilla (such as the pretty-print patch
-# viewer), we need the cvs binary to access files and revisions.
-# Because it's possible that this program is not in your path, you can specify
-# its location here. Please specify the full path to the executable.
-$cvsbin = '';
-
-# For some optional functions of Bugzilla (such as the pretty-print patch
# viewer), we need the interdiff binary to make diffs between two patches.
# Because it's possible that this program is not in your path, you can specify
# its location here. Please specify the full path to the executable.
[ansible] Update projects certs and remove unused
by Nicolas Chauvet
commit 4837d8bab614b444f00220e80a485e010c027526
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Nov 5 09:09:10 2016 +0100
Update projects certs and remove unused
roles/fas_server/tasks/main.yml | 32 ++------------------------------
1 files changed, 2 insertions(+), 30 deletions(-)
---
diff --git a/roles/fas_server/tasks/main.yml b/roles/fas_server/tasks/main.yml
index 4deaa55..f4499d4 100644
--- a/roles/fas_server/tasks/main.yml
+++ b/roles/fas_server/tasks/main.yml
@@ -119,7 +119,7 @@
- name: install /etc/pki/fas/rpmfusion-server-ca.cert file
copy: >
- src="{{ private }}/files/rpmfusion-ca.cert"
+ src="{{ private }}/files/rpmfusion-server-ca.cert"
dest="/etc/pki/fas/rpmfusion-server-ca.cert"
owner=fas
group=fas
@@ -141,7 +141,7 @@
- name: install /usr/share/fas/static/rpmfusion-server-ca.cert file
copy: >
- src="{{ private }}/files/rpmfusion-ca.cert"
+ src="{{ private }}/files/rpmfusion-server-ca.cert"
dest="/usr/share/fas/static/rpmfusion-server-ca.cert"
owner=root
group=root
@@ -174,34 +174,6 @@
- config
- fas
-- name: install /usr/local/bin/yubikey-remove.py file
- when: env == "staging"
- template: >
- src="yubikey-remove.py.j2"
- dest="/usr/local/bin/yubikey-remove.py"
- owner=fas
- group=fas
- mode=0750
- tags:
- - config
- - fas
-
-# $gen_cert = "True"
-
-- name: install /etc/fas.cfg file
- template: >
- src="fas.cfg.j2"
- dest="/etc/fas.cfg"
- owner=fas
- group=apache
- mode=0640
- when: master_fas_node == True
- notify:
- - reload httpd
- tags:
- - config
- - fas
-
- name: setup /var/lock/rpmfusion-ca directory
file: path=/var/lock/rpmfusion-ca owner=fas group=fas mode=0700 state=directory setype=var_lock_t
when: master_fas_node == True
[ansible] Ensure openvpn client is used when not 'online'
by Nicolas Chauvet
commit 7071c10ae4a3ddb46b0b9cc20c6f8f6e0f0f318f
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Nov 5 08:54:44 2016 +0100
Ensure openvpn client is used when not 'online'
playbooks/groups/buildhw.yml | 2 ++
playbooks/groups/buildvm.yml | 2 ++
2 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml
index 91d4e91..ca08efc 100644
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@@ -33,6 +33,8 @@
when: not inventory_hostname.startswith('bkernel')
- include: "{{ tasks }}/create_swap_file.yml swap_file_path=/var/swap-file swap_file_bs=1M swap_file_count=4096"
when: inventory_hostname.endswith('scaleway.rpmfusion.net')
+ - include: "{{ tasks }}/openvpn_client.yml"
+ when: not datacenter == 'online'
- name: make sure kojid is running
service: name=kojid state=running enabled=yes
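Review bot: `when: not datacenter == 'online'` is an awkward spelling of `datacenter != 'online'`, and if `datacenter` is not set for a host the condition either fails the play or, depending on Ansible's undefined-variable handling, evaluates true and pulls the OpenVPN client onto a host that was never meant to have it. Write it as `when: datacenter is defined and datacenter != 'online'` so an unclassified builder fails closed. The identical two lines are added to buildvm.yml in this commit; a single group_vars flag (e.g. `needs_vpn: true`) would keep the two playbooks from drifting.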
diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml
index db57750..ebc8238 100644
--- a/playbooks/groups/buildvm.yml
+++ b/playbooks/groups/buildvm.yml
@@ -32,6 +32,8 @@
when: not inventory_hostname.startswith('bkernel')
- include: "{{ tasks }}/motd.yml"
when: not inventory_hostname.startswith('bkernel')
+ - include: "{{ tasks }}/openvpn_client.yml"
+ when: not datacenter == 'online'
- name: make sure kojid is running
service: name=kojid state=running enabled=yes
[ansible] Sync scripts
by Nicolas Chauvet
commit 53407d89390b551b094f3ed83bd3a9afc0014a3e
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Nov 4 15:30:04 2016 +0100
Sync scripts
scripts/ok-nagios | 2 +-
scripts/shutup-nagios | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/scripts/ok-nagios b/scripts/ok-nagios
index 25aae3d..ed74493 100755
--- a/scripts/ok-nagios
+++ b/scripts/ok-nagios
@@ -1,4 +1,4 @@
#!/bin/bash
ansible nagios -m nagios -a "action=unsilence_nagios"
-
+ansible nagios -m nagios -a "action=command command='ENABLE_EVENT_HANDLERS'"
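Review bot: The two ansible calls run unconditionally, so if `unsilence_nagios` fails (unreachable host, missing module) the script still enables event handlers and exits 0, leaving a half-applied state reported as success. Add `set -euo pipefail` after the shebang so a failed step aborts the script and surfaces a non-zero exit; shutup-nagios has the same shape and wants the same line.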
diff --git a/scripts/shutup-nagios b/scripts/shutup-nagios
index 086ad8c..02aa04c 100755
--- a/scripts/shutup-nagios
+++ b/scripts/shutup-nagios
@@ -1,4 +1,4 @@
#!/bin/bash
ansible nagios -m nagios -a "action=silence_nagios"
-
+ansible nagios -m nagios -a "action=command command='DISABLE_EVENT_HANDLERS'"
[ansible] Update db02 databases backups
by Nicolas Chauvet
commit 9fbc6b59825ce69facba4c5e1f4fc6b6e2f2bcdd
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Nov 4 15:29:52 2016 +0100
Update db02 databases backups
host_vars/db02.online.rpmfusion.net | 1 +
scripts/public-db-copy | 11 ++++-------
2 files changed, 5 insertions(+), 7 deletions(-)
---
diff --git a/host_vars/db02.online.rpmfusion.net b/host_vars/db02.online.rpmfusion.net
index 929206d..43a30bb 100644
--- a/host_vars/db02.online.rpmfusion.net
+++ b/host_vars/db02.online.rpmfusion.net
@@ -21,6 +21,7 @@ dbs_to_backup:
- bodhi2
- pkgdb2
- koji
+- fas2
# These are normally group variables, but in this case db servers are often different
lvm_size: 10240
diff --git a/scripts/public-db-copy b/scripts/public-db-copy
index ba2fd08..917614c 100755
--- a/scripts/public-db-copy
+++ b/scripts/public-db-copy
@@ -4,10 +4,7 @@
# A simple script to copy database dumps over to public space on batcave01
# Only the most recent dump is published
#
-scp db-datanommer02:/backups/datanommer-$(date +%F).dump.xz /srv/web/infra/db-dumps/datanommer.dump.xz
-scp db-koji01:/backups/koji-$(date +%F).dump.xz /srv/web/infra/db-dumps/koji.dump.xz
-scp db01:/backups/pkgdb2-$(date +%F).dump.xz /srv/web/infra/db-dumps/pkgdb2.dump.xz
-scp db01:/backups/fedoratagger-$(date +%F).dump.xz /srv/web/infra/db-dumps/fedoratagger.dump.xz
-scp db01:/backups/koschei-$(date +%F).dump.xz /srv/web/infra/db-dumps/koschei.dump.xz
-scp db01:/backups/bodhi2-$(date +%F).dump.xz /srv/web/infra/db-dumps/bodhi2.dump.xz
-scp anitya-backend01.fedoraproject.org:/backups/anitya-$(date +%F).dump.xz /srv/web/infra/db-dumps/anitya.dump.xz
+scp db02:/backups/koji-$(date +%F).dump.xz /srv/web/infra/db-dumps/koji.dump.xz
+scp db02:/backups/pkgdb2-$(date +%F).dump.xz /srv/web/infra/db-dumps/pkgdb2.dump.xz
+scp db02:/backups/bodhi2-$(date +%F).dump.xz /srv/web/infra/db-dumps/bodhi2.dump.xz
+scp db02:/backups/fas2-$(date +%F).dump.xz /srv/web/infra/db-dumps/fas2.dump.xz
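Review bot: The added `scp db02:/backups/fas2-$(date +%F).dump.xz /srv/web/infra/db-dumps/fas2.dump.xz` line publishes a dump of the fas2 database into what this script's header calls public space; unless that dump is scrubbed before it lands in /backups (neither this script nor the host_vars change shows any sanitisation), the account-system database — presumably password hashes, e-mail addresses and other personal data for every user — becomes world-downloadable. Keep `fas2` in `dbs_to_backup` for the private backup, but drop it from this public copy or route it to a non-public path, and add a comment above the scp lines such as `# Only databases that are safe to publish unredacted may be listed here.` The script also has no `set -e`, so a failed scp is silent and the previous day's dump stays in place unnoticed.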
[ansible] Update to fix issue on fas
by Nicolas Chauvet
commit 26dc3c45a6162927d67df001570f4e192815d49e
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Nov 4 11:49:59 2016 +0100
Update to fix issue on fas
group_vars/pkgs | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
---
diff --git a/group_vars/pkgs b/group_vars/pkgs
index 4f5d451..4fce499 100644
--- a/group_vars/pkgs
+++ b/group_vars/pkgs
@@ -8,11 +8,11 @@ tcp_ports: [80, 443, 9418,
3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
-fas_client_groups: sysadmin-main,sysadmin-build
-fas_client_restricted_app: HOME=/srv/git /usr/share/gitolite3/gitolite-shell {username}
-fas_client_admin_app: HOME=/srv/git /usr/share/gitolite3/gitolite-shell -s {username}
-fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-build"
-admin_groups: "@sysadmin-build"
+fas_client_groups: sysadmin-main,sysadmin-scm,sysadmin-build,sysadmin-noc
+fas_client_restricted_app: HOME=/srv/git /usr/share/gitolite3/gitolite-shell %(username)s
+fas_client_admin_app: HOME=/srv/git /usr/share/gitolite3/gitolite-shell -s %(username)s
+fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-scm,sysadmin-releng,sysadmin-noc"
+admin_groups: "@sysadmin-scm @sysadmin-releng @sysadmin-noc"
git_group: packager
git_port: 9418
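Review bot: `admin_groups: "@sysadmin-scm @sysadmin-releng @sysadmin-noc"` hands the gitolite admin shell (`gitolite-shell -s` via `fas_client_admin_app`) to `@sysadmin-noc` as well; a NOC group plausibly needs SSH on the pkgs hosts (it is in `fas_client_ssh_groups`) but not administrative control over every package repository, so that entry should be justified in the commit or dropped. `sysadmin-build` keeps an account via `fas_client_groups` yet is removed from both `fas_client_ssh_groups` and `admin_groups`, which looks intentional but is not explained. The `{username}` → `%(username)s` change is presumably the actual fix (fas-client formats the app string with %-style substitution); the commit message should say so rather than "fix issue on fas".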
[ansible] Fixup buildppcle names
by Nicolas Chauvet
commit 91a2151328346bb95e8260b9f702182694050fff
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Nov 4 09:29:01 2016 +0100
Fixup buildppcle names
inventory/builders | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/inventory/builders b/inventory/builders
index 201724b..e760048 100644
--- a/inventory/builders
+++ b/inventory/builders
@@ -8,8 +8,8 @@ buildppc-01.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
buildppc-02.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
[buildvm-ppc64le]
-buildppc64le-01.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
-buildppc64le-02.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
+buildppcle-01.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
+buildppcle-02.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
[buildvmhost]