[ansible] Allow to build from fedora
by Nicolas Chauvet
commit 18329f6cde23d65f5f160a50c5f4a5a450cd5d07
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Sep 27 18:05:00 2017 +0200
Allow building from Fedora
roles/koji_builder/templates/kojid.conf | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
---
diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf
index 12e6d04..07c694b 100644
--- a/roles/koji_builder/templates/kojid.conf
+++ b/roles/koji_builder/templates/kojid.conf
@@ -50,13 +50,13 @@ server={{koji_server_url}}
pkgurl=http://kojipkgs.stg.rpmfusion.org/packages
{% endif %}
-{% if env == 'staging' %}
-; A space-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
-allowed_scms=pkgs.stg.rpmfusion.org:/docker/*:false pkgs.stg.rpmfusion.org:/rpms/*:false:rfpkg-minimal,sources pkgs.stg.rpmfusion.org:/*:false:rfpkg-minimal,sources pkgs.rpmfusion.org:/rpms/*:false:rfpkg-minimal,sources pkgs.rpmfusion.org:/*:false:rfpkg-minimal,sources git.rpmfusion.org.org:/git/spin-kickstarts.git:false
-{% else %}
; A space-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
-allowed_scms=pkgs.rpmfusion.org:/*:false:rfpkg-minimal,sources
-{% endif %}
+allowed_scms=
+ pkgs.rpmfusion.org:/*:false:rfpkg-minimal,sources
+ pkgs.fedoraproject.org:/*:false:fedpkg,sources
+ pagure.io:/fedora-kickstarts.git:false
+ src.fedoraproject.org:/*:false:fedpkg,sources
+ pagure.io:/fork/*/fedora-kickstarts.git:false
; allow tasks to continue to completion if a sibling fails
; the parent task will fail but all child tasks will complete
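Review bot: `pagure.io:/fork/*/fedora-kickstarts.git:false` on the last continuation line admits every user fork of fedora-kickstarts on pagure.io as a checkout source, so any pagure.io account can hand kickstart content to a build task; if forks are really needed, listing the specific fork paths composes use is safer than `fork/*`. The rewrite also drops the `{% if env == 'staging' %}` branch, so staging builders now share the production list and no longer accept `pkgs.stg.rpmfusion.org` — worth confirming that is intended. Because the value is now spread over indented continuation lines, the surviving comment above it ("A space-separated list") is stale; a line such as `; one host:repository[:use_common[:source_cmd]] entry per continuation line; kojid splits the joined value on whitespace` would describe the new layout (the whitespace split is from memory of kojid and worth checking).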
[ansible] Update nfs hv01
by Nicolas Chauvet
commit 228ebc6572f064a27b164a5bb4723f335f4a5799
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Sep 26 10:16:18 2017 +0200
Update nfs hv01
.../server/files/hv01.online.rpmfusion.net-exports | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/roles/nfs/server/files/hv01.online.rpmfusion.net-exports b/roles/nfs/server/files/hv01.online.rpmfusion.net-exports
index 29e390c..e5fb9bf 100644
--- a/roles/nfs/server/files/hv01.online.rpmfusion.net-exports
+++ b/roles/nfs/server/files/hv01.online.rpmfusion.net-exports
@@ -1,3 +1,3 @@
-/srv/nfs/rpmfusion_ftp/download0.rpmfusion.org/pub 192.168.181.137/32(rw) 192.168.181.151/32(rw,no_root_squash)
+/srv/nfs/rpmfusion_ftp/download0.rpmfusion.org/pub 192.168.181.137/32(rw) 192.168.181.151/32(rw,no_root_squash) 192.168.181.138/32(ro)
/srv/nfs/rpmfusion_sourcecache 192.168.181.137/32(rw,no_root_squash)
-/srv/nfs/rpmfusion_koji 192.168.181.135/32(rw) 192.168.181.137/32(rw) 192.168.181.151/32(rw,no_root_squash) 192.168.181.0/24(ro) 192.168.182.0/24(ro)
+/srv/nfs/rpmfusion_koji 192.168.181.135/32(rw,no_root_squash) 192.168.181.137/32(rw,no_root_squash) 192.168.181.151/32(rw,no_root_squash) 192.168.181.0/24(ro) 192.168.182.0/24(ro)
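Review bot: The rewritten `/srv/nfs/rpmfusion_koji` line adds `no_root_squash` for 192.168.181.135 and 192.168.181.137, so root on either client now acts as root on the whole koji tree instead of being mapped to the anonymous user, and neither the commit message nor the file says which service needs that. If a single daemon needs root-owned writes, `all_squash` with `anonuid`/`anongid` or a narrower export path may be enough; either way a `#` comment line above the entry naming the consumer (for example `# .135/.137: <reason root access is required>`) keeps the grant reviewable. The first changed line only widens the pub export to 192.168.181.138 read-only, which looks harmless.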
[ansible] Remove auditd
by Nicolas Chauvet
commit 4df6df86d61c3abecf4538d9af5367135a51341f
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Sep 26 10:11:10 2017 +0200
Remove auditd
roles/base/files/rsyslog/rsyslog-audit.conf | 13 -------------
1 files changed, 0 insertions(+), 13 deletions(-)
[ansible] Prep ipa
by Nicolas Chauvet
commit c58a56c29ac7532c0c28b4d6e84455d2452718c8
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Sep 21 16:51:46 2017 +0200
Prep ipa
inventory/inventory | 2 ++
roles/rkhunter/templates/rkhunter.conf.j2 | 2 ++
2 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/inventory/inventory b/inventory/inventory
index 77f9ba0..f3f9a3d 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -20,6 +20,8 @@ hv01.online.rpmfusion.net
[fas]
fas01.online.rpmfusion.net
+[ipa]
+
[ipsilon]
ipsilon01.online.rpmfusion.net
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
index ecdfa91..663a4b8 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -602,8 +602,10 @@ OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""
+{% if inventory_hostname in groups['ipa'] %}
RTKT_FILE_WHITELIST="/var/log/pki/pki-tomcat/ca/system"
RTKT_FILE_WHITELIST="/var/log/pki/pki-tomcat/kra/system"
+{% endif %}
#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
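Review bot: The new `{% if inventory_hostname in groups['ipa'] %}` guard correctly limits the two `RTKT_FILE_WHITELIST` lines to IPA hosts, but nothing records why `/var/log/pki/pki-tomcat/{ca,kra}/system` need a rootkit-check exception, so a later reader cannot tell whether to keep, remove or widen it; a `#` line above them such as `# <reason these files trip rkhunter>; whitelisted on IPA hosts only` would fix that. rkhunter documents RTKT_FILE_WHITELIST as repeatable, so the two consecutive assignments are fine. Note that `groups['ipa']` raises an undefined-variable error at template time for any inventory that lacks the group the first hunk adds; `groups.get('ipa', [])` is the defensive form.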
[ansible] clean-up
by Nicolas Chauvet
commit 273e1ec7be56657e3687cbb895d5b167d2a25247
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Sep 20 08:38:07 2017 +0200
clean-up
roles/rkhunter/templates/rkhunter.conf.j2 | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
index fc0b7f3..ecdfa91 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -383,11 +383,11 @@ ALLOWDEVFILE=/dev/shm/squid-cache_mem_space.shm
ALLOWDEVFILE=/dev/shm/squid-cf__readers.shm
ALLOWDEVFILE=/dev/shm/squid-cf__queues.shm
ALLOWDEVFILE=/dev/shm/squid-cf__metadata.shm
-{% if inventory_hostname in groups['virtservers'] or inventory_hostname in groups['openqa-workers'] or inventory_hostname in groups['openqa-stg-workers'] or inventory_hostname in groups['taskotron-stg-client-hosts'] or inventory_hostname in groups['taskotron-dev-client-hosts'] %}
+{% if inventory_hostname in groups['virtservers'] %}
# libvirt spice device makes a /dev/shm/spice file
ALLOWDEVFILE=/dev/shm/spice.*
{% endif %}
-{% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa-stg'] %}
+{% if inventory_hostname in groups['ipa'] %}
ALLOWDEVFILE=/dev/shm/sem.slapd*.stats
{% endif %}
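Review bot: The simplified `{% if inventory_hostname in groups['ipa'] %}` still indexes a group that, as far as this page shows, the inventory does not define at this commit (the `[ipa]` group only appears in the later "Prep ipa" commit), and Ansible treats a missing key in `groups` as an undefined variable, so the template would fail to render on every host until then; `{% if inventory_hostname in groups.get('ipa', []) %}` keeps it renderable regardless of which inventory is in use. The same consideration applies to `groups['virtservers']` on the first changed line. Removing the non-existent groups from the conditions is otherwise a clear improvement.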
ALLOWDEVFILE=/dev/shm/PostgreSQL*
[ansible] Update rkhunter.conf
by Nicolas Chauvet
commit 25fab6f8d0635a87b5f315ebd041b886807544f4
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Sep 20 08:09:25 2017 +0200
Update rkhunter.conf
roles/rkhunter/templates/rkhunter.conf.j2 | 26 ++++++++++++++++++--------
1 files changed, 18 insertions(+), 8 deletions(-)
---
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
index 1a7f870..fc0b7f3 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -200,7 +200,8 @@ ALLOW_SSH_PROT_V1=0
# tests, the test names, and how rkhunter behaves when these options are used.
#
ENABLE_TESTS="all"
-DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
+# Disable the promisc test here as openstack has it set on interfaces
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps promisc"
#
# The HASH_FUNC option can be used to specify the command to use
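Review bot: Adding `promisc` to `DISABLE_TESTS` switches the promiscuous-interface check off on every host this template reaches, while the new comment only justifies it for OpenStack interfaces; an interface put into promiscuous mode by a sniffer anywhere else would then go unreported. rkhunter provides `ALLOWPROMISCIF=<interface>` for whitelisting the specific interfaces that are legitimately promiscuous, or the extra word can be wrapped in a Jinja condition on the OpenStack hosts' group, leaving the test enabled for the rest of the fleet.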
@@ -303,9 +304,8 @@ ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.udev/db
ALLOWHIDDENDIR=/dev/.udev/rules.d
-{% if ansible_hostname.startswith('cloud') %}
ALLOWHIDDENDIR=/etc/.git
-{% endif %}
+ALLOWHIDDENDIR=/etc/.java
#
# Allow the specified hidden files.
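Review bot: Dropping the `ansible_hostname.startswith('cloud')` guard makes `ALLOWHIDDENDIR=/etc/.git` (and the new `/etc/.java`) a fleet-wide exception, so a hidden `/etc/.git` appearing on a host that never runs etckeeper is no longer reported; the third hunk does the same for `/etc/.etckeeper` and `/etc/.gitignore`, and the fourth hunk makes the squid shared-memory files and `/dev/shm/PostgreSQL*` allowed everywhere by removing the `kojipkgs` condition. If every host is now expected to run etckeeper, squid or PostgreSQL, a comment above each group saying so would record that decision; otherwise keeping the conditions, keyed on the inventory groups that actually run those services, preserves the checks. Whitelist hits are silent by design, so this file is the only place the trade-off is visible.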
@@ -326,10 +326,8 @@ ALLOWHIDDENFILE=/dev/.udev/queue.bin
ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum
# Fedora 21+ and RHEL 7.2+ have a /etc/.updated file
ALLOWHIDDENFILE=/etc/.updated
-{% if ansible_hostname.startswith('cloud') %}
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
-{% endif %}
#
# Allow the specified processes to use deleted files.
@@ -375,14 +373,24 @@ ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
ALLOWDEVFILE=/dev/.udev/uevent_seqnum
ALLOWDEVFILE=/dev/md/autorebuild.pid
ALLOWDEVFILE=/dev/shm/fmn-cache.dbm
-{% if ansible_hostname.startswith('kojipkgs') %}
ALLOWDEVFILE=/dev/shm/squid-squid-page-pool.shm
ALLOWDEVFILE=/dev/shm/squid-cache_mem.shm
-{% endif %}
-{% if inventory_hostname in groups['virtservers'] %}
+ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm
+ALLOWDEVFILE=/dev/shm/squid-cache_mem_ex.shm
+ALLOWDEVFILE=/dev/shm/squid-cache_mem_map_slices.shm
+ALLOWDEVFILE=/dev/shm/squid-cache_mem_map_anchors.shm
+ALLOWDEVFILE=/dev/shm/squid-cache_mem_space.shm
+ALLOWDEVFILE=/dev/shm/squid-cf__readers.shm
+ALLOWDEVFILE=/dev/shm/squid-cf__queues.shm
+ALLOWDEVFILE=/dev/shm/squid-cf__metadata.shm
+{% if inventory_hostname in groups['virtservers'] or inventory_hostname in groups['openqa-workers'] or inventory_hostname in groups['openqa-stg-workers'] or inventory_hostname in groups['taskotron-stg-client-hosts'] or inventory_hostname in groups['taskotron-dev-client-hosts'] %}
# libvirt spice device makes a /dev/shm/spice file
ALLOWDEVFILE=/dev/shm/spice.*
{% endif %}
+{% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa-stg'] %}
+ALLOWDEVFILE=/dev/shm/sem.slapd*.stats
+{% endif %}
+ALLOWDEVFILE=/dev/shm/PostgreSQL*
#
# This setting tells rkhunter where the inetd configuration
@@ -594,6 +602,8 @@ OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""
+RTKT_FILE_WHITELIST="/var/log/pki/pki-tomcat/ca/system"
+RTKT_FILE_WHITELIST="/var/log/pki/pki-tomcat/kra/system"
#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
[ansible] Improve postfix hv01 tls part 1
by Nicolas Chauvet
commit e9b25406627e8ec4c7e862d99186464a88fce81a
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Sep 15 12:29:16 2017 +0200
Improve postfix hv01 tls part 1
.../main.cf/main.cf.hv01.online.rpmfusion.net | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
---
diff --git a/roles/base/files/postfix/main.cf/main.cf.hv01.online.rpmfusion.net b/roles/base/files/postfix/main.cf/main.cf.hv01.online.rpmfusion.net
index f38ca7d..13f81de 100644
--- a/roles/base/files/postfix/main.cf/main.cf.hv01.online.rpmfusion.net
+++ b/roles/base/files/postfix/main.cf/main.cf.hv01.online.rpmfusion.net
@@ -745,6 +745,9 @@ smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
+smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
+smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
+smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
#tls_ssl_options = no_ticket, no_compression
smtpd_tls_loglevel = 1
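Review bot: `smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers` applies the `high` cipher grade to opportunistic inbound TLS as well, where a peer that cannot negotiate falls back to cleartext rather than being refused; the Postfix documentation recommends leaving the opportunistic grade at its default (`medium`) for exactly that reason, and the same applies to `smtp_tls_ciphers` for outbound mail in the third hunk. Mirroring the protocol exclusions (`!SSLv2, !SSLv3`) into the opportunistic settings is fine, as is `tls_preempt_cipherlist = yes` in the second hunk. If the stricter cipher set is deliberate, a comment above the new lines noting that legacy peers will fall back to plaintext keeps the trade-off visible.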
@@ -760,6 +763,7 @@ tls_random_source = dev:/dev/urandom
smtpd_tls_eecdh_grade = ultra
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
+tls_preempt_cipherlist = yes
# TLS end
#TLS Client
smtp_tls_fingerprint_digest=sha1
@@ -769,6 +773,9 @@ smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
+smtp_tls_protocols = $smtp_tls_mandatory_protocols
+smtp_tls_ciphers = $smtp_tls_mandatory_ciphers
+smtp_tls_exclude_ciphers = $smtp_tls_mandatory_exclude_ciphers
smtp_tls_loglevel = 1
smtp_tls_cert_file = /etc/pki/tls/certs/localhost.crt
smtp_tls_key_file = /etc/pki/tls/private/localhost.key
[ansible] Add host var for buildvm-03
by Nicolas Chauvet
commit 313a356c1d64427e517fc7c474f9e2e3ae19119e
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Sep 11 12:55:35 2017 +0200
Add host var for buildvm-03
.../host_vars/buildvm-03.online.rpmfusion.net | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
---
diff --git a/inventory/host_vars/buildvm-03.online.rpmfusion.net b/inventory/host_vars/buildvm-03.online.rpmfusion.net
new file mode 100644
index 0000000..99b7fe3
--- /dev/null
+++ b/inventory/host_vars/buildvm-03.online.rpmfusion.net
@@ -0,0 +1,12 @@
+---
+#vmhost: hv01.online.rpmfusion.net
+eth0_ip: 192.168.102.101
+ks_url: http://192.168.181.254/install/ks/buildvm-01.ks
+datacenter: virt
+
+#
+# We need to mount koji storage rw here so run_root can work.
+# The rest of the group can be ro, it's only builders in the
+# compose channel that need a rw mount
+
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
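Review bot: `ks_url` for buildvm-03 points at `buildvm-01.ks`; if the kickstart is deliberately shared between the buildvm hosts, a comment line saying so (`# kickstart shared by the buildvm-* hosts`) avoids it being read as a copy-paste slip, and the commented-out `#vmhost:` line should either carry a reason or be dropped. The mount options match the comment above them, and `nodev,nosuid` on a writable NFS mount is the right default for a build host; `intr` has been ignored by the Linux NFS client for a long time and can go the next time the line is touched.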
[ansible] Add buildvm-03
by Nicolas Chauvet
commit 52b0ddbf2a42256f947c2c4b4c2e455a110cf5da
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Sep 11 12:54:23 2017 +0200
Add buildvm-03
inventory/builders | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
---
diff --git a/inventory/builders b/inventory/builders
index b150cd4..e95fc4b 100644
--- a/inventory/builders
+++ b/inventory/builders
@@ -6,6 +6,9 @@ aarch64-02.linaro.rpmfusion.net ansible_user=fedora ansible_become=yes
buildvm-01.online.rpmfusion.net
buildvm-02.online.rpmfusion.net
+[buildhw-x86]
+buildvm-03.online.rpmfusion.net
+
[buildvm-ppc64]
buildppc-01.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
#buildppc-02.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
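Review bot: The new `[buildhw-x86]` group contains only `buildvm-03.online.rpmfusion.net`, which by its name (and the host_vars comment in the sibling commit placing it on hv01) is a VM, so the group name suggests bare-metal x86 builders live there; if the group's purpose is to mark the builders that get an rw koji mount for run_root, a `#` comment above the header stating that (`# builders needing a writable koji mount for run_root`) would keep the inventory self-explanatory. The second hunk adds `buildarm` and `buildhw-x86` to what is presumably the `[builders:children]` list, which is consistent with the new group.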
@@ -20,6 +23,8 @@ buildppcle-01.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
buildvm-ppc64
buildvm-ppc64le
buildaarch64
+buildarm
+buildhw-x86
[buildarm:children]
scaleway-c1