[ansible] Update sshd host keys
by Nicolas Chauvet
commit d6db8cb4a7d4eb0cc6bf30db0070e31cd9799169
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 14:23:16 2019 +0200
Update sshd host keys
inventory/group_vars/all | 3 ---
roles/basessh/templates/sshd_config | 2 --
2 files changed, 0 insertions(+), 5 deletions(-)
---
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 4fb14f5..54d51b0 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -313,9 +313,6 @@ redirectmatch_enabled: True
# not on most of them, so default to false
sshd_sftp: false
-# Disable ssh pub key by default
-sshd_host_certificate: False
-
#
# Autodetect python version
#
diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config
index 4ed7b9a..7ec4a85 100644
--- a/roles/basessh/templates/sshd_config
+++ b/roles/basessh/templates/sshd_config
@@ -13,9 +13,7 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm(a)op
{% endif %}
HostKey /etc/ssh/ssh_host_rsa_key
-{% if sshd_host_certificate %}
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
-{% endif %}
SyslogFacility AUTHPRIV
LogLevel VERBOSE
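Review bot: `HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub` is now emitted for every host this template renders, because the `{% if sshd_host_certificate %}` guard is removed here and the variable itself is deleted in the same commit; a host that has not yet received a certificate will have sshd log a load error for the missing file at each start and keep serving with the bare host key, so the regression is silent in practice. A `validate: /usr/sbin/sshd -t -f %s` on the template task (if it is not already there) catches a malformed config but not an absent certificate file, which makes the rollout order — certificate deployed before this template — the real control. A comment above the directive such as `# requires the signed host certificate to be deployed first; sshd logs an error and continues without it if the file is absent` would record that dependency where the next editor will see it.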
[ansible] Disable sshd_host_certificate
by Nicolas Chauvet
commit 803c9985c1e1cd4324c4690ffb9b60c13532502c
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 13:18:24 2019 +0200
Disable sshd_host_certificate
inventory/group_vars/all | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
---
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 54d51b0..4fb14f5 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -313,6 +313,9 @@ redirectmatch_enabled: True
# not on most of them, so default to false
sshd_sftp: false
+# Disable ssh pub key by default
+sshd_host_certificate: False
+
#
# Autodetect python version
#
[ansible] Sync callback
by Nicolas Chauvet
commit 3b042758999ffa01f74d53cfc822da212f22fb8f
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 13:16:33 2019 +0200
Sync callback
callback_plugins/logdetail.py | 2 ++
callback_plugins/logdetail2.py | 4 +++-
2 files changed, 5 insertions(+), 1 deletions(-)
---
diff --git a/callback_plugins/logdetail.py b/callback_plugins/logdetail.py
index 1edd0ab..289e7ed 100644
--- a/callback_plugins/logdetail.py
+++ b/callback_plugins/logdetail.py
@@ -15,6 +15,8 @@
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
+from __future__ import absolute_import
+
import os
import time
import json
diff --git a/callback_plugins/logdetail2.py b/callback_plugins/logdetail2.py
index d746b8e..fb2f194 100644
--- a/callback_plugins/logdetail2.py
+++ b/callback_plugins/logdetail2.py
@@ -15,6 +15,8 @@
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
+from __future__ import absolute_import
+
import os
import time
import json
@@ -245,7 +247,7 @@ class CallbackModule(CallbackBase):
pb_info['playbook'] = path
pb_info['userid'] = getlogin()
pb_info['extra_vars'] = play._variable_manager.extra_vars
- pb_info['inventory'] = play._variable_manager._inventory.src()
+ pb_info['inventory'] = play._variable_manager._inventory._sources
pb_info['playbook_checksum'] = secure_hash(path)
pb_info['check'] = self.play_context.check_mode
pb_info['diff'] = self.play_context.diff
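Review bot: `play._variable_manager._inventory._sources` is an underscore-private attribute of Ansible's inventory manager and, where present, holds a list of inventory source paths, whereas the replaced `src()` call presumably yielded a single string, so the `inventory` field in the logged record changes shape and any consumer that parses these records needs to accept both. Both attributes being private, a later Ansible release can rename or drop them and the callback would then raise `AttributeError` at playbook start; `pb_info['inventory'] = getattr(play._variable_manager._inventory, '_sources', None)` keeps the record flowing and degrades to `None` instead. The adjacent `extra_vars` line writes every `-e` variable into the same record, so credentials passed on the command line land in the log file — worth a comment there if the log's permissions are what protects it. The enclosing method starts and ends outside the hunk.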
[ansible] Add missing group
by Nicolas Chauvet
commit 134bf8a9953927c6dbfca94cd25ba8e206e014a8
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 13:15:16 2019 +0200
Add missing group
inventory/builders | 2 ++
playbooks/groups/buildvm.yml | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
---
diff --git a/inventory/builders b/inventory/builders
index 2e1b81b..158db90 100644
--- a/inventory/builders
+++ b/inventory/builders
@@ -10,6 +10,8 @@ aarch64-10.home.rpmfusion.net
buildvm-01.online.rpmfusion.net
buildvm-02.online.rpmfusion.net
+[buildvm_stg]
+
[buildvm_aarch64]
[buildhw]
diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml
index bde5554..7092b11 100644
--- a/playbooks/groups/buildvm.yml
+++ b/playbooks/groups/buildvm.yml
@@ -3,10 +3,10 @@
# NOTE: make sure there is room/space for this builder on the buildvmhost
# NOTE: most of these vars_path come from group_vars/buildvm or from hostvars
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=buildvm:buildvm-stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=buildvm:buildvm_stg"
- name: make koji builder(s)
- hosts: buildvm:buildvm-stg:buildvm_aarch64
+ hosts: buildvm:buildvm_stg:buildvm_aarch64
user: root
gather_facts: True
[ansible] Rework builders group
by Nicolas Chauvet
commit a5fb6ad428d07bd828e887469ef54bd64e1204a3
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 13:12:15 2019 +0200
Rework builders group
inventory/builders | 58 ++++++++++++++++-------------------------
playbooks/groups/buildhw.yml | 2 +-
playbooks/groups/buildvm.yml | 2 +-
3 files changed, 25 insertions(+), 37 deletions(-)
---
diff --git a/inventory/builders b/inventory/builders
index c151f1b..8f9a40b 100644
--- a/inventory/builders
+++ b/inventory/builders
@@ -1,4 +1,4 @@
-[buildaarch64]
+[buildhw_aarch64]
aarch64-01.linaro.rpmfusion.net ansible_user=fedora ansible_become=yes ansible_python_interpreter=/usr/bin/python3
aarch64-02.linaro.rpmfusion.net ansible_user=fedora ansible_become=yes ansible_python_interpreter=/usr/bin/python3
aarch64-03.linaro.rpmfusion.net ansible_user=fedora ansible_become=yes ansible_python_interpreter=/usr/bin/python3
@@ -6,62 +6,48 @@ aarch64-04.linaro.rpmfusion.net ansible_user=fedora ansible_become=yes ansible_p
aarch64-jetson-tx1.home.rpmfusion.net
aarch64-10.home.rpmfusion.net
-[buildppc]
-
-[buildppc64]
-
[buildvm]
buildvm-01.online.rpmfusion.net
buildvm-02.online.rpmfusion.net
-buildvm-05.virt.rpmfusion.net
-buildvm-06.virt.rpmfusion.net
-[buildhw-x86]
+[buildhw]
buildvm-03.online.rpmfusion.net
-buildvm-04.online.rpmfusion.net
+buildvm-05.virt.rpmfusion.net
+buildvm-06.virt.rpmfusion.net
buildvm-07.virt.rpmfusion.net
-buildvm-08.virt.rpmfusion.net
+#buildvm-08.virt.rpmfusion.net
-[buildvm-ppc64]
+[buildhw_ppc64]
buildppc-01.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
-#buildppc-02.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
-[buildvm-ppc64le]
+[buildhw_ppc64le]
buildppcle-01.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
buildppcle-02.osuosl.rpmfusion.net ansible_user=fedora ansible_become=yes
-[buildvmhost]
-
-[buildhw:children]
-buildvm-ppc64
-buildvm-ppc64le
-buildaarch64
-buildarm
-buildhw-x86
-
-[buildarm:children]
-home-arm
-scaleway-c1
+[buildhw_armv7:children]
+home_arm
+scaleway_c1
[bkernel]
+
[linaro:children]
-buildaarch64
+buildhw_aarch64
[osuosl:children]
-buildvm-ppc64
-buildvm-ppc64le
+buildhw_ppc64
+buildhw_ppc64le
[home:children]
-home-arm
+home_arm
-[scaleway-c1]
+[scaleway_c1]
arm-builder01.scaleway.rpmfusion.net
arm-builder02.scaleway.rpmfusion.net
arm-builder03.scaleway.rpmfusion.net
arm-builder04.scaleway.rpmfusion.net
-[home-arm]
+[home_arm]
arm-builder09.home.rpmfusion.net
arm-builder10.home.rpmfusion.net
arm-builder11.home.rpmfusion.net
@@ -69,13 +55,15 @@ arm-builder12.home.rpmfusion.net
arm-jetson-tk1.home.rpmfusion.net
arm-jetson-tx1.home.rpmfusion.net
+
[builders:children]
-buildaarch64
buildhw
+buildhw_armv7
+buildhw_ppc64
+buildhw_ppc64le
+buildhw_aarch64
buildvm
-buildvm-ppc64
-buildvm-ppc64le
-buildarm
+buildvm_aarch64
[builders:vars]
ansible_python_interpreter=/usr/bin/python3
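Review bot: `[builders:children]` now lists `buildvm_aarch64`, but no `[buildvm_aarch64]` section is declared in this commit, whose hunks cover almost the whole file; the INI inventory plugin rejects a `:children` entry that names a group never declared anywhere in the file, so unless the section sits in the few unshown lines, inventory loading fails until it is added. The same undeclared group is referenced by `hosts: buildvm:buildvm-stg:buildvm_aarch64` in the `playbooks/groups/buildvm.yml` hunk of this commit, and `buildvm-stg` there still carries a hyphen while every other group has been renamed to underscores. Adding `[buildvm_aarch64]` (empty if the hosts are not known yet) in this same commit keeps each commit loadable on its own.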
diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml
index a5939cb..5272d61 100644
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@@ -3,7 +3,7 @@
# NOTE: most of these vars_path come from group_vars/buildhw or from hostvars
- name: make koji builder(s) on raw hw
- hosts: buildhw:buildppc:buildarm:buildaarch64:bkernel
+ hosts: builders
remote_user: root
gather_facts: True
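Review bot: `hosts: builders` widens the "make koji builder(s) on raw hw" play to every child of `[builders:children]`, which after this commit's inventory rework includes `buildvm` and `buildvm_aarch64` — the same groups `playbooks/groups/buildvm.yml` targets — so the VM builders are now configured by both playbooks with whichever roles each carries. If hardware only is intended, `hosts: buildhw:buildhw_armv7:buildhw_ppc64:buildhw_ppc64le:buildhw_aarch64:bkernel` mirrors the old selection, or declare a `[buildhw_all:children]` group in the inventory and target that single name. The play continues outside the hunk.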
diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml
index 67d1967..bde5554 100644
--- a/playbooks/groups/buildvm.yml
+++ b/playbooks/groups/buildvm.yml
@@ -6,7 +6,7 @@
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=buildvm:buildvm-stg"
- name: make koji builder(s)
- hosts: buildvm:buildvm-stg:buildvm-ppc64:buildvm-ppc64le:buildppcle:buildppc:buildvm-s390
+ hosts: buildvm:buildvm-stg:buildvm_aarch64
user: root
gather_facts: True
[ansible] Avoid a default port
by Nicolas Chauvet
commit 681974a85706205c8cdd6d71cd1a9028ce0fc0ce
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 12:58:19 2019 +0200
Avoid a default port
roles/basessh/templates/sshd_config | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config
index 3138bfd..4ed7b9a 100644
--- a/roles/basessh/templates/sshd_config
+++ b/roles/basessh/templates/sshd_config
@@ -1,6 +1,6 @@
Protocol 2
-Port {{ sshd_port|22 }}
+Port {{ sshd_port }}
{% if ansible_distribution_major_version == "6" %}
KexAlgorithms diffie-hellman-group-exchange-sha256
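Review bot: `Port {{ sshd_port }}` makes rendering fail when `sshd_port` is undefined, which is the right failure mode for a listener port, but next to the old `sshd_port|22` it reads like an accident rather than a decision (the old form was not a default at all — `22` is not a Jinja filter — so it could never have rendered). A comment such as `{# sshd_port is intentionally required and set in group_vars/all; do not add a default filter #}` would stop a future editor from "restoring" `| default(22)`. The "Update all variables" commit on this page shows `sshd_port: 22` in `inventory/group_vars/all`, so the requirement appears to be met globally.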
[ansible] Update inventory group_vars
by Nicolas Chauvet
commit 7c55ed07c9d4083235175be1705acdca6b6526c9
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 12:37:40 2019 +0200
Update inventory group_vars
inventory/group_vars/bastion | 5 +++++
inventory/group_vars/buildarm | 1 +
inventory/group_vars/buildhw | 3 ++-
inventory/group_vars/buildvmhost | 2 ++
inventory/group_vars/dns | 1 +
5 files changed, 11 insertions(+), 1 deletions(-)
---
diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index a983fb2..6950071 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -41,9 +41,14 @@ nrpe_procs_crit: 1200
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
+csi_primary_contact: sysadmin-main root(a)rpmfusion.org
csi_purpose: SSH proxy to access infrastructure not exposed to the web
csi_relationship: |
- Provides ssh access to all online/vpn connected servers.
- Bastion is the hub for all infrastructure's VPN connections.
- All incoming SMTP from online and VPN, as well as outgoing SMTP, pass or are filtered here.
- Bastion does not accept any mail outside online/vpn.
+
+nagios_Check_Services:
+ nrpe: true
+ mail: false
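Review bot: `nagios_Check_Services` here replaces, rather than merges with, the dict of the same name in `inventory/group_vars/all` (shown in the "Update all variables" commit on this page with `sshd`, `named`, `httpd`, `swap`, `ping` and `raid` keys as well), since Ansible's default `hash_behaviour` is `replace`; on the bastion — the SSH proxy — that silently drops the `sshd: true` check along with the others, and any template that indexes one of the missing keys would fail with an undefined-variable error. Carry the full key set and change only `mail`, so the bastion keeps the same monitoring as every other host except where it deliberately differs.
```yaml
nagios_Check_Services:
  nrpe: true
  mail: false
  sshd: true
  named: false
  httpd: false
  swap: true
  ping: true
  raid: false
```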
diff --git a/inventory/group_vars/buildarm b/inventory/group_vars/buildarm
index a45ced9..76ea99a 100644
--- a/inventory/group_vars/buildarm
+++ b/inventory/group_vars/buildarm
@@ -14,6 +14,7 @@ koji_topurl: "http://koji.rpmfusion.org/kojifiles"
# See http://infrastructure.rpmfusion.org/csi/security-policy/
csi_security_category: High
+csi_primary_contact: RPM Fusion Admins - root(a)rpmfusion.org
csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This group builds packages for arm architecture.
csi_relationship: |
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
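Review bot: this adds to `inventory/group_vars/buildarm`, but the "Rework builders group" commit on this page removes the `[buildarm:children]` group from `inventory/builders` in favour of `[buildhw_armv7:children]`; unless an intermediate commit renamed this file, none of its variables (including the `koji_topurl` visible in the hunk header) bind to any host any more, and the ARM builders fall back to whatever `buildhw` and `all` define. Renaming the file to `inventory/group_vars/buildhw_armv7`, or declaring a `buildarm` group again, restores the binding.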
diff --git a/inventory/group_vars/buildhw b/inventory/group_vars/buildhw
index cdc06cb..c619eaa 100644
--- a/inventory/group_vars/buildhw
+++ b/inventory/group_vars/buildhw
@@ -11,9 +11,10 @@ koji_topurl: "http://koji.rpmfusion.org/kojifiles"
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
-# See http://infrastructure.rpmfusion.org/csi/security-policy/
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
+csi_primary_contact: RPM Fusion Admins - root(a)rpmfusion.org
csi_purpose: Koji service employs a set of machines to build packages for the RPM Fusion project.
csi_relationship: |
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
diff --git a/inventory/group_vars/buildvmhost b/inventory/group_vars/buildvmhost
index eb64108..1878318 100644
--- a/inventory/group_vars/buildvmhost
+++ b/inventory/group_vars/buildvmhost
@@ -2,12 +2,14 @@
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
virthost: true
+nested: True
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
+csi_primary_contact: RPM Fusion Admins - root(a)rpmfusion.org
csi_purpose: Koji service employs a set of virtual machines to build packages for the Fedora project. This playbook is for the provisioning of a physical host for buildvm's.
csi_relationship: |
* Relies on ansible, virthost, and is monitored by nagios
diff --git a/inventory/group_vars/dns b/inventory/group_vars/dns
index 2fdd07b..618ca1a 100644
--- a/inventory/group_vars/dns
+++ b/inventory/group_vars/dns
@@ -21,3 +21,4 @@ csi_security_category: High
csi_primary_contact: RPM Fusion Admins - root(a)rpmfusion.org
csi_purpose: Domain Name Service
+nagios_has_named: true
[ansible] Update all variables
by Nicolas Chauvet
commit df4ea0d028904c4ea5be6431c6f992250b5554d3
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 12:30:31 2019 +0200
Update all variables
inventory/group_vars/all | 60 +++++++++++++++++++++++++++++++++++++++-------
1 files changed, 51 insertions(+), 9 deletions(-)
---
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 542e6ff..54d51b0 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -44,8 +44,12 @@ use_default_epel: true
udp_ports: []
tcp_ports: []
custom_rules: []
+nat_rules: []
custom6_rules: []
+# defaults for hw installs
+install_noc: none
+
# defaults for virt installs
ks_url: http://infrastructure.rpmfusion.org/repo/rhel/ks/kvm-rhel-7
ks_repo: http://mirror.centos.org/centos/7/os/x86_64/
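Review bot: `install_noc: none` is the YAML string `"none"`, not a null — YAML's null spellings are `null`, `~`, `Null`, `NULL` or an empty value — so a consumer testing `install_noc is none` or `when: not install_noc` sees a truthy, non-empty string. If "unset" is meant, `install_noc:` (empty) or `install_noc: null` expresses it; if the literal string is the sentinel consumers compare against, a comment `# literal string sentinel, compared with == "none" by the install tasks` would make that explicit. The consumers are not on this page, so which was intended cannot be told from the hunk.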
@@ -53,6 +57,13 @@ mem_size: 2048
num_cpus: 1
lvm_size: 20000
+# on MOST infra systems, the interface connected to the infra network
+# is eth0. but not on quite ALL systems. e.g. on s390 boxes it's enc900,
+# on openqa-ppc64le-01.qa it's eth2 for some reason, and on qa01.qa and
+# qa02.qa it's em3. currently this only affects whether GATEWAY, DOMAIN
+# and DNS1/DNS2 lines are put into ifcfg-(device).
+ansible_ifcfg_infra_net_devices: [ 'eth0', 'enc900' ]
+
# Default netmask. Almost all our phx2 nets are /24's with the
# exception of 10.5.124.128/25. Almost all of our non phx2 sites are
# less than a /24.
@@ -71,6 +82,8 @@ virt_install_command: "{{ virt_install_command_one_nic }}"
main_bridge: br0
nfs_bridge: br1
+mac_address: RANDOM
+mac_address1: RANDOM
virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
@@ -79,8 +92,8 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
- --network bridge={{ main_bridge }},model=virtio
- --autostart --noautoconsole --watchdog default
+ --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
+ --autostart --noautoconsole --watchdog default --rng /dev/random --cpu host
virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
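Review bot: `--cpu host` is added to `virt_install_command_one_nic` here but not to `virt_install_command_two_nic` in the next hunk, nor to the aarch64 variants, so otherwise identical guests get different CPU models depending on NIC count. Passing the host CPU through also pins each guest to the exact CPU of the host it was created on, which blocks live migration to a host of a different model; if that trade-off is intended it deserves a one-line comment beside the flag, otherwise `--cpu host-model` keeps most of the performance while staying migratable. These `virt_install_command_*` values are multi-line YAML scalars whose first line sits above the hunk.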
@@ -90,29 +103,31 @@ virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none'
- --network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio
- --autostart --noautoconsole --watchdog default
+ --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
+ --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }}
+ --autostart --noautoconsole --watchdog default --rng /dev/random
virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
- 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0
+ 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
- --network bridge={{ main_bridge }},model=virtio
+ --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
--autostart --noautoconsole
virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
--vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
- 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0
+ 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none'
- --network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio
- --autostart --noautoconsole
+ --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }}
+ --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }}
+ --autostart --noautoconsole --rng /dev/random
virt_install_command_armv7_one_nic: virt-install -n {{ inventory_hostname }} --arch armv7l
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
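Review bot: dropping `console=tty0 console=ttyAMA0` from the two aarch64 kernel-argument lines leaves console selection to the guest firmware defaults, so `virsh console` may show nothing during kickstart on those guests; if the change was made because `ttyAMA0` was the wrong UART for the guest, a comment naming the console the guest actually exposes would save the next debugging round. Separately, `--rng /dev/random` is added to `virt_install_command_aarch64_two_nic` but not to `virt_install_command_aarch64_one_nic` a few lines above it, so single-NIC aarch64 guests are provisioned without a virtio-rng device and start with only whatever entropy they gather themselves. Both definitions begin above the hunk.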
@@ -199,7 +214,9 @@ nrpe_check_postfix_queue_crit: 5
# env is staging or production, we default it to production here.
env: production
+env_prefix:
env_suffix:
+env_short: prod
# nfs mount options, override at the group/host level
nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
@@ -240,6 +257,9 @@ ipa_admin_password: "{{ ipa_prod_admin_password }}"
# Normal default sshd port is 22
sshd_port: 22
+# This enables/disables the SSH "keyhelper" used by Pagure for verifying users'
+# SSH keys from the Pagure database
+sshd_keyhelper: false
# List of names under which the host is available
ssh_hostnames: []
@@ -255,6 +275,7 @@ createrepo: True
# Nagios global variables
nagios_Check_Services:
+ mail: true
nrpe: true
sshd: true
named: false
@@ -262,6 +283,7 @@ nagios_Check_Services:
httpd: false
swap: true
ping: true
+ raid: false
# Set variable if we want to use our global iptables defaults
# Some things need to set their own.
@@ -275,3 +297,23 @@ dns2: "62.210.16.6"
# This is a list of services that need to wait for VPN to be up before getting started.
postvpnservices: []
+
+# true or false if we are or are not a copr build virthost.
+# Default to false
+copr_build_virthost: false
+
+#
+# Set a redirectmatch variable we can use to disable some redirectmatches
+# like the prerelease to final ones.
+#
+redirectmatch_enabled: True
+
+#
+# sshd can run a internal sftp server, we need this on some hosts, but
+# not on most of them, so default to false
+sshd_sftp: false
+
+#
+# Autodetect python version
+#
+#ansible_python_interpreter: auto