March 2017 - sysadmin-notify

by Nicolas Chauvet

commit b37346af8b32f5f268d3d2b4898259e2c49fb842 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 16:06:51 2017 +0100 Disable keytab for now roles/base/tasks/main.yml | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) --- diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 3288a72..027eb0e 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -442,3 +442,4 @@ - name: Setup host keytab include: keytab.yml + when: env == 'DISABLED'

7 years, 1 month

1
0
0 / 0

[ansible] Add keytab

by Nicolas Chauvet

commit 47c0040e3672f1614547362a567512fa272daa9e Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 16:03:38 2017 +0100 Add keytab roles/base/tasks/keytab.yml | 130 +++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 130 insertions(+), 0 deletions(-) --- diff --git a/roles/base/tasks/keytab.yml b/roles/base/tasks/keytab.yml new file mode 100644 index 0000000..a6f43cc --- /dev/null +++ b/roles/base/tasks/keytab.yml @@ -0,0 +1,130 @@ +--- +# Get host keytab +- name: Determine whether we need to get host keytab + stat: path=/etc/krb5.keytab + register: host_keytab_status + tags: + - base + - config + - krb5 + +- name: Get admin keytab + delegate_to: "{{ ipa_server }}" + shell: echo "{{ipa_admin_password}}" | kinit admin + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Create host entry + delegate_to: "{{ ipa_server }}" + command: ipa host-add {{inventory_hostname}} + register: host_add_result + changed_when: "'Added host' in host_add_result.stdout" + failed_when: "not ('Added host' in host_add_result.stdout or 'already exists' in host_add_result.stderr)" + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Create additional host entries + delegate_to: "{{ ipa_server }}" + command: ipa host-add {{item}} + with_items: "{{ additional_host_keytabs }}" + register: hosts_add_result + changed_when: "'Added host' in hosts_add_result.stdout" + failed_when: "not ('Added host' in hosts_add_result.stdout or 'already exists' in hosts_add_result.stderr)" + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Generate host keytab + delegate_to: "{{ ipa_server }}" + command: ipa-getkeytab -s {{ipa_server}} -p host/{{inventory_hostname}} -k /tmp/{{inventory_hostname}}.kt + register: getkeytab_result + changed_when: false + failed_when: "'successfully retrieved' not in getkeytab_result.stderr" + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Add additional host keytabs + delegate_to: "{{ ipa_server }}" + command: ipa-getkeytab -s {{ipa_server}} -p host/{{item}} -k /tmp/{{inventory_hostname}}.kt + with_items: "{{ additional_host_keytabs }}" + register: getkeytabs_result + changed_when: false + failed_when: "'successfully retrieved' not in getkeytabs_result.stderr" + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Destroy kerberos ticket + delegate_to: "{{ ipa_server }}" + command: kdestroy -A + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Get keytab + delegate_to: "{{ ipa_server }}" + command: base64 /tmp/{{inventory_hostname}}.kt + register: keytab + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Destroy stored keytab + delegate_to: "{{ ipa_server }}" + file: path=/tmp/{{inventory_hostname}}.kt state=absent + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Deploy base64 keytab + copy: dest=/etc/krb5.keytab.b64 + content={{keytab.stdout}} + owner=root group=root mode=0600 + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Base64-decode keytab + shell: "umask 077; base64 -d /etc/krb5.keytab.b64 >/etc/krb5.keytab" + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Set keytab permissions + file: path=/etc/krb5.keytab owner=root group=root mode=0600 + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists + +- name: Destroy encoded keytab + file: path=/etc/krb5.keytab.b64 state=absent + tags: + - base + - config + - krb5 + when: not host_keytab_status.stat.exists

7 years, 1 month

1
0
0 / 0

[ansible] Update main variables

by Nicolas Chauvet

commit 8b16a33aafba0d74cf66644b190fa819b5e969ad Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 16:01:25 2017 +0100 Update main variables inventory/group_vars/all | 108 ++++++++++++++++++++++++++++++++++++++------- 1 files changed, 91 insertions(+), 17 deletions(-) --- diff --git a/inventory/group_vars/all b/inventory/group_vars/all index c0ff01d..256d81f 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -1,12 +1,30 @@ --- +####### +# BEGIN: Ansible roles_path variables +# +# Background/reference about external repos pulled in: +# https://pagure.io/fedora-infrastructure/issue/5476 +# +ansible_base: /srv/web/infra + +# Path to the openshift-ansible checkout as external git repo brought into +# Fedora Infra +openshift_ansible: /srv/web/infra/openshift-ansible/ + +# +# END: Ansible roles_path variables +####### + freezes: true # most of our systems are in online datacenter: online +# for httpd/website +server_admin: root(a)rpmfusion.org # usually we do not want to enable nested virt, only on some virthosts nested: false -# most of our systems are 64bit. +# most of our systems are 64bit. # Used to install various nagios scripts and the like. libdir: /usr/lib64 @@ -34,8 +52,8 @@ mem_size: 1024 num_cpus: 1 lvm_size: 20000 -# Default netmask. Almost all our phx2 nets are /24's with the -# exception of 10.5.124.128/25. Almost all of our non phx2 sites are +# Default netmask. Almost all our phx2 nets are /24's with the +# exception of 10.5.124.128/25. Almost all of our non phx2 sites are # less than a /24. eth0_nm: 255.255.255.0 eth1_nm: 255.255.255.0 @@ -58,7 +76,7 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }} 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' - --network bridge=br1,model=virtio + --network bridge={{ main_bridge }},model=virtio --autostart --noautoconsole --watchdog default virt_install_command_two_nic: virt-install -n {{ inventory_hostname }} @@ -72,6 +90,27 @@ virt_install_command_two_nic: virt-install -n {{ inventory_hostname }} --network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio --autostart --noautoconsole --watchdog default +virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }} + --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio + --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} + --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x + 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0 + hostname={{ inventory_hostname }} nameserver={{ dns }} + ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' + --network bridge={{ main_bridge }},model=virtio + --autostart --noautoconsole + +virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }} + --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio + --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} + --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x + 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0 + hostname={{ inventory_hostname }} nameserver={{ dns }} + ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none + ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none' + --network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio + --autostart --noautoconsole + virt_install_command_rhel6: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} @@ -87,6 +126,16 @@ max_cpu: "{{ num_cpus * 1 }}" # This is the wildcard certname for our proxies. It has a different name for # the staging group and is used in the proxies.yml playbook. wildcard_cert_name: wildcard-2016.rpmfusion.org +wildcard_crt_file: wildcard-2016.rpmfusion.org.cert +wildcard_key_file: wildcard-2016.rpmfusion.org.key +wildcard_int_file: wildcard-2016.rpmfusion.org.intermediate.cert +SSLCertificateChainFile: wildcard-2016.rpmfusion.org.intermediate.cert + +# Everywhere, always, we should sign messages and validate signatures. +# However, we allow individual hosts and groups to override this. Use this very +# carefully.. and never in production (good for testing stuff in staging). +fedmsg_sign_messages: True +fedmsg_validate_signatures: True # By default, nodes get no fedmsg certs. They need to declare them explicitly. fedmsg_certs: [] @@ -132,29 +181,22 @@ nrpe_procs_crit: 300 nrpe_check_postfix_queue_warn: 2 nrpe_check_postfix_queue_crit: 5 -# env is staging or production, we default it to production here. +# env is staging or production, we default it to production here. env: production env_suffix: # nfs mount options, override at the group/host level -nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3" +nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4" -# by default set become to false here We can override it as needed. -# Note that if become is true, you need to unset requiretty for -# ssh controlpersist to work. +# by default set become to false here We can override it as needed. +# Note that if become is true, you need to unset requiretty for +# ssh controlpersist to work. become: false -# default the root_auth_users to nothing. +# default the root_auth_users to nothing. # This should be set for cloud instances in their host or group vars. root_auth_users: '' -# default path for ansible-server -ansible_base: /srv/web/infra - -# for httpd/website -server_admin: root(a)rpmfusion.org -SSLCertificateChainFile: wildcard-2016.rpmfusion.org.intermediate.cert - # This vars get shoved into /etc/system_identification by the base role. # Groups and individual hosts should override them with specific info. # See http://infrastructure.fedoraproject.org/csi/security-policy/ @@ -167,3 +209,35 @@ csi_relationship: | * What hosts/services rely on this? To update this text, add the csi_* vars to group_vars/ in ansible. + + +# docker images required by OpenShift Origin +openshift_required_images: + - "openshift/origin-pod" + +# docker images required by OSBS for builds +fedora_required_images: + - "fedora:24" + - "fedora:25" + - "fedora:latest" + +# +# say if we want the apache role dependency for mod_wsgi or not +# In some cases we want mod_wsgi and no apache (for python3 httpaio stuff) +# +wsgi_wants_apache: true + +# IPA settings +additional_host_keytabs: [] +ipa_server: ipa01.online.rpmfusion.org +ipa_realm: RPMFUSION.ORG +ipa_admin_password: "{{ ipa_prod_admin_password }}" + +# Normal default sshd port is 22 +sshd_port: 22 + +# assume collectd apache +collectd_apache: true + +# assume vpn is false +vpn: False

7 years, 1 month

1
0
0 / 0

[ansible] Update roles/base tasks

by Nicolas Chauvet

commit 693720c8d7bc90bbab15dcf3b62fc2812ebceb26 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 15:48:07 2017 +0100 Update roles/base tasks roles/base/tasks/main.yml | 121 ++++++++++++++++++++++++++++-------- roles/base/tasks/postfix.yml | 10 +-- roles/base/tasks/watchdog.yml | 4 +- roles/base/templates/krb5.conf.j2 | 29 +++++++++ 4 files changed, 129 insertions(+), 35 deletions(-) --- diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index c32728b..3288a72 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -5,12 +5,28 @@ # Things in here are things we want to do to every machine no matter what. # +- name: ensure packages required for semanage are installed (yum) + yum: name={{ item }} state=present + when: ansible_distribution_major_version|int < 22 + with_items: + - policycoreutils-python + tags: + - selinux + +- name: ensure packages required for semanage are installed (dnf) + dnf: name={{ item }} state=present + when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + with_items: + - policycoreutils-python-utils + tags: + - selinux + # XXX fixme # a datacenter 'fact' from setup - name: /etc/resolv.conf copy: src={{ item }} dest=/etc/resolv.conf with_first_found: - "{{ resolvconf }}" - - resolv.conf/{{ ansible_fqdn }} + - resolv.conf/{{ inventory_hostname }} - resolv.conf/{{ host_group }} - resolv.conf/{{ datacenter }} - resolv.conf/resolv.conf @@ -26,7 +42,7 @@ ignore_errors: true changed_when: false failed_when: "1 != 1" - always_run: true + check_mode: no tags: - config - resolvconf @@ -49,7 +65,7 @@ register: if_uuid changed_when: false failed_when: 'if_uuid.stdout == ""' - always_run: yes + check_mode: no when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist ) tags: - config @@ -88,17 +104,36 @@ - base when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined -- debug: msg="{{ansible_nodename}} {{inventory_hostname}} {{ansible_distribution_major_version|int}}" - - name: make sure hostname is set right on rhel7 hosts - command: hostnamectl set-hostname {{ inventory_hostname }} - when: ( ansible_nodename != inventory_hostname ) and ansible_distribution_major_version|int == 7 + hostname: name="{{inventory_hostname}}" + +- name: check if sshd port is already known by selinux + shell: semanage port -l | grep ssh + register: sshd_selinux_port + check_mode: no + changed_when: false + tags: + - sshd_config + - config + - sshd + - selinux + - base + +- name: allow alternate sshd port + command: semanage port -a -t ssh_port_t -p tcp {{ sshd_port }} + when: sshd_selinux_port.stdout.find('{{ sshd_port }}') == -1 + tags: + - sshd_config + - config + - sshd + - selinux + - base - name: sshd_config - copy: src={{ item }} dest=/etc/ssh/sshd_config mode=600 + copy: src={{ item }} dest=/etc/ssh/sshd_config mode=0600 with_first_found: - "{{ sshd_config }}" - - ssh/sshd_config.{{ ansible_fqdn }} + - ssh/sshd_config.{{ inventory_hostname }} - ssh/sshd_config.{{ host_group }} - ssh/sshd_config.{{ dist_tag }} - ssh/sshd_config.{{ ansible_distribution }} @@ -117,7 +152,7 @@ tags: - rootpw - base - when: not (inventory_hostname.startswith('rawhide') or inventory_hostname.startswith('branched') or inventory_hostname.startswith('compose') or inventory_hostname.startswith('build') or inventory_hostname.startswith('arm') or inventory_hostname.startswith('bkernel') or inventory_hostname.startswith('koji01.stg') or inventory_hostname.startswith('aarch64') or inventory_hostname.startswith('s390') or inventory_hostname.startswith('fed-cloud09')) + when: not (inventory_hostname.startswith('rawhide') or inventory_hostname.startswith('branched') or inventory_hostname.startswith('compose') or inventory_hostname.startswith('build') or inventory_hostname.startswith('arm') or inventory_hostname.startswith('bkernel') or inventory_hostname.startswith('koji01.stg') or inventory_hostname.startswith('aarch64') or inventory_hostname.startswith('s390') or inventory_hostname.startswith('fed-cloud09') or inventory_hostname.startswith('ppc8-04')) - name: add ansible root key authorized_key: user=root key="{{ item }}" @@ -188,14 +223,14 @@ - base - name: iptables - template: src={{ item }} dest=/etc/sysconfig/iptables mode=600 validate="/sbin/iptables-restore --text %s" + template: src={{ item }} dest=/etc/sysconfig/iptables mode=0600 validate="/sbin/iptables-restore --text %s" with_first_found: - iptables/iptables.{{ datacenter }} - - iptables/iptables.{{ ansible_fqdn }} + - iptables/iptables.{{ inventory_hostname }} - iptables/iptables.{{ host_group }} - iptables/iptables.{{ env }} - iptables/iptables - when: not inventory_hostname.startswith('fed-cloud09') + when: not inventory_hostname.startswith(('fed-cloud09','osbs')) notify: - restart iptables - reload libvirtd @@ -212,10 +247,10 @@ - base - name: ip6tables - template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=600 backup=yes + template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes with_first_found: - iptables/ip6tables.{{ datacenter }} - - iptables/ip6tables.{{ ansible_fqdn }} + - iptables/ip6tables.{{ inventory_hostname }} - iptables/ip6tables.{{ host_group }} - iptables/ip6tables.{{ env }} - iptables/ip6tables @@ -248,9 +283,9 @@ - flush journald tmpfiles to persistent store - name: rsyslog.conf - copy: src={{ item }} dest=/etc/rsyslog.conf mode=644 + copy: src={{ item }} dest=/etc/rsyslog.conf mode=0644 with_first_found: - - rsyslog/rsyslog.conf.{{ ansible_fqdn }} + - rsyslog/rsyslog.conf.{{ inventory_hostname }} - rsyslog/rsyslog.conf.{{ dist_tag }} - rsyslog/rsyslog.conf.default notify: @@ -261,7 +296,7 @@ - base - name: rsyslog log rotate for rsyslog servers - copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=644 + copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=0644 when: inventory_hostname.startswith('log') notify: - restart rsyslog @@ -282,7 +317,7 @@ - base - name: log everything to log01 except on mirrorlist, do not log local4 there. - copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=644 + copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644 when: not inventory_hostname.startswith(('mirrorlist','copr','jenkins')) tags: - rsyslogd @@ -290,13 +325,26 @@ - base - name: log everything to log01 except on mirrorlist, do log local4 there. - copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=644 + copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644 when: inventory_hostname.startswith('mirrorlist') tags: - rsyslogd - config - base - - base + +- name: rsyslogd make systemd limits directory for file handles + file: dest=/etc/systemd/system/rsyslog.service.d/ mode=0755 owner=root group=root state=directory + when: inventory_hostname.startswith('log') + tags: + - rsyslogd + - config + +- name: rsyslogd put systemd limits directory for file handles + copy: src=rsyslog/rsyslog-limits.conf dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644 + when: inventory_hostname.startswith('log') + tags: + - rsyslogd + - config - name: Setup postfix include: postfix.yml @@ -315,7 +363,7 @@ - base - name: install a sync httpd logs cron script only on log01 - copy: src=syncHttpLogs.sh dest=/etc/cron.daily/syncHttpLogs.sh mode=755 + copy: src=syncHttpLogs.sh dest=/etc/cron.daily/syncHttpLogs.sh mode=0755 when: inventory_hostname.startswith('log01') tags: - config @@ -328,7 +376,7 @@ - base # -# Blacklist the cdc_ether module as we don't want it loading mgmt usb0 and spewing to logs. +# Blacklist the cdc_ether module as we don't want it loading mgmt usb0 and spewing to logs. # - name: Blacklist cdc_ether module copy: src=blacklist-cdc_ether.conf dest=/etc/modprobe.d/blacklist-cdc_ether.conf @@ -353,8 +401,8 @@ dest="/etc/profile.d/setstgps1.sh" owner=root group=root - mode=644 - when: env == 'staging' + mode=0644 + when: env == 'staging' tags: - base - config @@ -368,10 +416,29 @@ dest="/etc/profile.d/setprodps1.sh" owner=root group=root - mode=644 - when: env == 'production' + mode=0644 + when: env == 'production' tags: - base - config - prompt +# Set krb5 conf +- name: configure krb5 + template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644 + when: not inventory_hostname.startswith('ipa') + tags: + - base + - config + - krb5 + +- name: configure krb5 (IPA master) + template: src=krb5.conf.master.j2 dest=/etc/krb5.conf owner=root group=root mode=0644 + when: inventory_hostname.startswith('ipa') + tags: + - base + - config + - krb5 + +- name: Setup host keytab + include: keytab.yml diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml index f65ba44..254c3bc 100644 --- a/roles/base/tasks/postfix.yml +++ b/roles/base/tasks/postfix.yml @@ -2,7 +2,7 @@ copy: src={{ item }} dest=/etc/postfix/main.cf with_first_found: - "{{ postfix_maincf }}" - - "postfix/main.cf/main.cf.{{ ansible_fqdn }}" + - "postfix/main.cf/main.cf.{{ inventory_hostname }}" - "postfix/main.cf/main.cf.{{ host_group }}" - "postfix/main.cf/main.cf.{{ postfix_group }}" - "postfix/main.cf/main.cf.{{ datacenter }}" @@ -18,12 +18,11 @@ copy: src={{ item }} dest=/etc/postfix/master.cf mode=0644 with_first_found: - "{{ postfix_mastercf }}" - - "postfix/master.cf/master.cf.{{ ansible_fqdn }}" - "postfix/master.cf/master.cf.{{ inventory_hostname }}" - "postfix/master.cf/master.cf.{{ host_group }}" - "postfix/master.cf/master.cf.{{ postfix_group }}" - "postfix/master.cf/master.cf" - when: inventory_hostname.startswith('smtp-mm') + when: inventory_hostname.startswith(('smtp-mm', 'mailman', 'noc02')) notify: - restart postfix tags: @@ -39,13 +38,12 @@ - name: install /etc/postfix/transport file copy: src="postfix/{{ postfix_transport_filename }}" dest=/etc/postfix/transport - when: inventory_hostname.startswith(('smtp-mm','bastion')) + when: inventory_hostname.startswith(('smtp-mm','bastion','noc02')) notify: - - restart postfix - rebuild postfix transport + - restart postfix tags: - postfix - base - config - diff --git a/roles/base/tasks/watchdog.yml b/roles/base/tasks/watchdog.yml index a2c5c11..7b03566 100644 --- a/roles/base/tasks/watchdog.yml +++ b/roles/base/tasks/watchdog.yml @@ -1,7 +1,7 @@ - name: See if theres a watchdog device stat: path=/dev/watchdog when: ansible_virtualization_role == 'guest' - always_run: true + check_mode: no failed_when: no register: watchdog_dev @@ -17,7 +17,7 @@ - base - name: watchdog device configuration - copy: src=watchdog.conf dest=/etc/watchdog.conf owner=root group=root mode=644 + copy: src=watchdog.conf dest=/etc/watchdog.conf owner=root group=root mode=0644 tags: - config - watchdog diff --git a/roles/base/templates/krb5.conf.j2 b/roles/base/templates/krb5.conf.j2 new file mode 100644 index 0000000..78a450b --- /dev/null +++ b/roles/base/templates/krb5.conf.j2 @@ -0,0 +1,29 @@ +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + default_realm = {{ ipa_realm }} + rdns = false + dns_canonicalize_hostname = false + dns_lookup_realm = false + dns_lookup_kdc = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + +[realms] + {{ ipa_realm }} = { +{% if ansible_distribution_major_version|int == 6 %} + kdc = ipa01{{ env_suffix }}.online.rpmfusion.net +{% else %} + kdc = https://id{{ env_suffix }}.rpmfusion.org/KdcProxy +{% endif %} + } + +[domain_realm] + .rpmfusion.org = RPMFUSION.ORG + rpmfusion.org = RPMFUSION.ORG + .stg.rpmfusion.org = STG.RPMFUSION.ORG + stg.rpmfusion.org = STG.RPMFUSION.ORG

7 years, 1 month

1
0
0 / 0

[ansible] Update sigul tasks

by Nicolas Chauvet

commit f7bba21570e51f3842bb2938db513100df0ecfed Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 14:35:10 2017 +0100 Update sigul tasks roles/sigul/server/tasks/main.yml | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) --- diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml index 588a547..df7d722 100644 --- a/roles/sigul/server/tasks/main.yml +++ b/roles/sigul/server/tasks/main.yml @@ -60,6 +60,14 @@ when: ansible_distribution_major_version|int == 7 - name: add polkit rules to allow sigul user to access the smartcard/yubikey - file: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules + copy: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules + tags: + - config + +- name: Deploy public certs + copy: src="{{private}}/files/{{item}}" dest=/etc/sigul/{{item}} mode=0644 owner=root group=root + with_items: + - rpmfusion-server-ca.cert + - rpmfusion-upload-ca.cert tags: - config

7 years, 1 month

1
0
0 / 0

[ansible] Remove CentOS case

by Nicolas Chauvet

commit 5d3951b181cf3e2897d1f4dae28b358ea96f15fb Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 14:28:20 2017 +0100 Remove CentOS case roles/sigul/server/tasks/main.yml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) --- diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml index 5dee411..588a547 100644 --- a/roles/sigul/server/tasks/main.yml +++ b/roles/sigul/server/tasks/main.yml @@ -1,6 +1,6 @@ - name: put rhel AH repos on rhel systems copy: src="{{ files }}/common/rhel7ah.repo" dest="/etc/yum.repos.d/rhel7ah.repo" - when: ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS' + when: ansible_distribution == 'RedHat' tags: - config - packages

7 years, 1 month

1
0
0 / 0

[ansible] Add centos repo task

by Nicolas Chauvet

commit fe71f6a0ee0ab280d0f17bd9aa42c69c1df755f7 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 14:26:03 2017 +0100 Add centos repo task roles/sigul/server/tasks/main.yml | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) --- diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml index d368ea6..5dee411 100644 --- a/roles/sigul/server/tasks/main.yml +++ b/roles/sigul/server/tasks/main.yml @@ -6,6 +6,14 @@ - packages - yumrepos +- name: put CentOS AH repos on rhel systems + copy: src="{{ files }}/common/centos7ah.repo" dest="/etc/yum.repos.d/centos7ah.repo" + when: ansible_distribution == 'CentOS' + tags: + - config + - packages + - yumrepos + - name: Install sigul server package: state=present name={{ item }} with_items:

7 years, 1 month

1
0
0 / 0

[ansible] Add centos7ha repo

by Nicolas Chauvet

commit e5a2db2b1b030fe47d6b906fb1cae05e848eb5de Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 14:24:48 2017 +0100 Add centos7ha repo files/common/centos7ah.repo | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) --- diff --git a/files/common/centos7ah.repo b/files/common/centos7ah.repo new file mode 100644 index 0000000..f23d6fd --- /dev/null +++ b/files/common/centos7ah.repo @@ -0,0 +1,5 @@ +[ah] +name=ah +baseurl=http://cbs.centos.org/repos/atomic7-testing/x86_64/os/ +enabled=1 +gpgcheck=0

7 years, 1 month

1
0
0 / 0

[ansible] Add sign-vault01 host

by Nicolas Chauvet

commit da0e3abdd805747dd9d01e79be01da3495de10e3 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 12:51:00 2017 +0100 Add sign-vault01 host roles/hosts/files/online-hosts | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) --- diff --git a/roles/hosts/files/online-hosts b/roles/hosts/files/online-hosts index 2e59523..481afa5 100644 --- a/roles/hosts/files/online-hosts +++ b/roles/hosts/files/online-hosts @@ -16,6 +16,7 @@ 192.168.181.254 hv01.online.rpmfusion.net hv01 nfs-server.online.rpmfusion.net log01.online.rpmfusion.net log01 proxy.online.rpmfusion.net hub.online.rpmfusion.net nfs-server proxy 192.168.181.101 buildvm-01.online.rpmfusion.net buildvm-01 192.168.181.102 buildvm-02.online.rpmfusion.net buildvm-02 +192.168.181.111 sign-vault01.online.rpmfusion.net sign-vault01 192.168.181.130 db02.online.rpmfusion.net db02 192.168.181.135 koji01.online.rpmfusion.net koji01 koji.rpmfusion.org koji 192.168.181.137 pkgs01.online.rpmfusion.net pkgs01 pkgs.rpmfusion.org pkgs

7 years, 1 month

1
0
0 / 0

[ansible] Add serial console role

by Nicolas Chauvet

commit 9e5773ecc7fbb38bdbe595159113cd46aad2bcb8 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Mar 2 11:05:59 2017 +0100 Add serial console role roles/serial-console/files/serial-getty@.service | 35 ++++++++++++++++++++++ roles/serial-console/tasks/main.yml | 31 +++++++++++++++++++ 2 files changed, 66 insertions(+), 0 deletions(-) --- diff --git a/roles/serial-console/files/serial-getty@.service b/roles/serial-console/files/serial-getty@.service new file mode 100644 index 0000000..6539556 --- /dev/null +++ b/roles/serial-console/files/serial-getty@.service @@ -0,0 +1,35 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Serial Getty on %I +Documentation=man:agetty(8) man:systemd-getty-generator(8) +Documentation=http://0pointer.de/blog/projects/serial-console.html +BindsTo=dev-%i.device +After=dev-%i.device systemd-user-sessions.service plymouth-quit-wait.service +After=rc-local.service + +# If additional gettys are spawned during boot then we should make +# sure that this is synchronized before getty.target, even though +# getty.target didn't actually pull it in. +Before=getty.target +IgnoreOnIsolate=yes + +[Service] +ExecStart=-/sbin/agetty --keep-baud 115200,38400,9600 %I $TERM +Type=idle +Restart=always +UtmpIdentifier=%I +TTYPath=/dev/%I +TTYReset=yes +TTYVHangup=yes +KillMode=process +IgnoreSIGPIPE=no +SendSIGHUP=yes + +[Install] +WantedBy=getty.target diff --git a/roles/serial-console/tasks/main.yml b/roles/serial-console/tasks/main.yml new file mode 100644 index 0000000..a333188 --- /dev/null +++ b/roles/serial-console/tasks/main.yml @@ -0,0 +1,31 @@ +# +# This role sets up serial console on ttyS0 +# +- name: check for grub serial setup + command: cat /etc/grub2.cfg + register: serial + check_mode: no + changed_when: '1 != 1' + tags: + - serial-console + +- name: set grub to use serial console + command: /sbin/grubby --update-kernel=ALL --args="console=tty0 console=ttyS0,115200" + when: serial is defined and serial.stdout.find("console=tty0 console=ttyS0,115200") == -1 + tags: + - serial-console + +- name: setup systemd links for getty (S0) + copy: src=serial-getty@.service dest=/etc/systemd/system/serial-getty(a)ttyS0.service + tags: + - serial-console + +- name: link template in + file: dest=/etc/systemd/system/getty.target.wants/serial-getty@ttyS0 src=/etc/systemd/system/serial-getty(a)ttyS0.service state=link + tags: + - serial-console + +- name: start and enable + service: name=serial-getty@ttyS0 enabled=yes state=started + tags: + - serial-console

7 years, 1 month

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sysadmin-notify March 2017