[ansible] Disable yumrepos base repos
by Nicolas Chauvet
commit e1101e6234d7c9f08960dc864fdeb13ace3cbc85
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Sep 6 18:25:05 2021 +0200
Disable yumrepos base repos
tasks/yumrepos.yml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
---
diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml
index 6ed69d3..3fa0ac6 100644
--- a/tasks/yumrepos.yml
+++ b/tasks/yumrepos.yml
@@ -33,6 +33,7 @@
- config
- packages
- yumrepos
+ when: False
- name: put rhel repos on rhel systems (power9)
copy: src="{{ files }}/common/rhel{{ ansible_distribution_major_version|int }}-power9.repo" dest="/etc/yum.repos.d/rhel{{ ansible_distribution_major_version|int }}.repo"
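Review bot: `when: False` after the `yumrepos` tag leaves the task in the file but permanently skipped, and the second hunk at -65 does the same to the epel task; nothing records why the base repos are being disabled, so the next reader cannot tell whether this is temporary. If it is temporary, a comment above the line such as `# TODO(<reason/ticket placeholder>): base repos disabled; re-enable or delete this task` says so; if it is permanent, deleting the two tasks is cleaner than keeping dead ones. The lowercase literal `when: false` is also the conventional Ansible form rather than the Python-style `False`. The task whose `when` is added begins above the hunk.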
@@ -65,6 +66,7 @@
- config
- packages
- yumrepos
+ when: False
- name: put epel repos on el systems (aws)
copy: src="{{ files }}/common/original-epel{{ ansible_distribution_major_version|int }}.repo" dest="/etc/yum.repos.d/epel{{ ansible_distribution_major_version|int }}.repo"
[ansible] Update base tasks
by Nicolas Chauvet
commit ee36e384e835491c0e45ebbc9b93bf889d3e16b8
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Sep 6 18:23:36 2021 +0200
Update base tasks
roles/base/meta/main.yml | 1 +
roles/base/tasks/main.yml | 98 ++++++++++++++++++++++++++++++-----------
roles/base/templates/ifcfg.j2 | 5 ++-
3 files changed, 77 insertions(+), 27 deletions(-)
---
diff --git a/roles/base/meta/main.yml b/roles/base/meta/main.yml
index 8fc4b3b..05198d6 100644
--- a/roles/base/meta/main.yml
+++ b/roles/base/meta/main.yml
@@ -1,5 +1,6 @@
---
dependencies:
+ - { role: linux-system-roles.network, when: network_connections is defined, tags: ['linux-system-roles.network'] }
- { role: basessh }
- { role: chrony }
- { role: dnf-automatic }
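Review bot: The new dependency is a ~120-character flow mapping, while no other entry in this list carries a `when` or `tags`, so the conditional is easy to overlook when scanning the file; block style reads better: `- role: linux-system-roles.network` / `  when: network_connections is defined` / `  tags: ['linux-system-roles.network']`. Role dependencies run before the base tasks, and several tasks in this commit gate themselves on `network_connections is defined`, so that pairing appears to be the intent; a one-line comment above the entry stating it would make the coupling explicit.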
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 9d2e897..5c6ae0c 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -5,24 +5,31 @@
# Things in here are things we want to do to every machine no matter what.
#
+#
+# on rhel6 and rhel7 installing policycoreutils-python is all we need for ansible
+#
- name: ensure packages required for semanage are installed (rhel 6 and 7)
package: name={{ item }} state=present
with_items:
- policycoreutils-python
tags:
- selinux
- when: ansible_distribution_major_version|int < 8
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
+#
+# On fedora and rhel larger than 7, all we need is policycoreutils-python-utils,
+# which in turn pulls in python3-policycoreutils
+#
- name: ensure packages required for semanage are installed (fedora/rhel8)
package: name=policycoreutils-python-utils state=present
- when: ansible_distribution_major_version|int > 27 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int > 7
tags:
- selinux
# XXX fixme # a datacenter 'fact' from setup
- name: /etc/resolv.conf
copy: src={{ item }} dest=/etc/resolv.conf
- when: not nm_controlled_resolv
+ when: not nm_controlled_resolv or not network_connections is defined
with_first_found:
- "{{ resolvconf }}"
- resolv.conf/{{ inventory_hostname }}
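Review bot: The new `when: ansible_distribution_major_version|int > 7` on the fedora/rhel8 semanage task drops the `ansible_cmdline.ostree is not defined` guard the replaced condition carried, so the `package` install now also runs on ostree-based hosts where it cannot succeed; `when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined` keeps the previous protection. The `/etc/resolv.conf` condition `not nm_controlled_resolv or not network_connections is defined` also looks inverted: on any host without `network_connections` the file is copied even when `nm_controlled_resolv` is true, which the previous condition prevented — `not nm_controlled_resolv and network_connections is not defined` reads as the intended meaning if resolv.conf is to be left to the network role only where that role is configured. Note too that the first task now requires `ansible_distribution == 'RedHat'` below 8, so a host below 8 reporting another distribution name (a rebuild) matches neither semanage task.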
@@ -52,7 +59,7 @@
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
notify:
- restart NetworkManager
- when: ansible_distribution_major_version|int >=7 and ansible_distribution != 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
+ when: ansible_distribution_major_version|int >=7 and ansible_distribution == 'RedHat' and nmclitest is success and ( not ansible_ifcfg_blocklist) and ( not nm_controlled_resolv ) and ( not network_connections is defined )
tags:
- config
- resolvconf
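Review bot: The `when` here switches from `ansible_ifcfg_blacklist` to `ansible_ifcfg_blocklist` (the hunks at -63, -71 and -92 do the same, and -92 also renames `ansible_ifcfg_whitelist` to `ansible_ifcfg_allowlist`), but the diff touches no defaults or inventory file, so unless the variables are renamed elsewhere in the same change the lookup raises an undefined-variable error instead of evaluating false. A role default (`ansible_ifcfg_blocklist: false`) or a transitional fallback such as `not (ansible_ifcfg_blocklist | default(ansible_ifcfg_blacklist | default(false)))` keeps hosts that still set the old name working. Separately, the condition is now a single ~200-character line; the list form of `when:` already used in this file (hunk at -92) would make the six clauses readable. The task whose `when` changes begins above the hunk.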
@@ -63,7 +70,7 @@
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
notify:
- restart NetworkManager
- when: ansible_distribution_major_version|int >=29 and ansible_distribution == 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
+ when: ansible_distribution_major_version|int >=29 and ansible_distribution == 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blocklist) and ( not nm_controlled_resolv ) and ( not network_connections is defined )
tags:
- config
- resolvconf
@@ -71,12 +78,12 @@
- ifcfg
- name: get interface uuid
- shell: nmcli -f "DEVICE,UUID" c show --active | grep -E '^eth|^br|^em|^en'
+ shell: nmcli -f "DEVICE,UUID" c show --active | grep -E '^eth|^br|^em|^eno|^enP|^enc900'
register: if_uuid
changed_when: false
failed_when: 'if_uuid.stdout == ""'
check_mode: no
- when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist )
+ when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blocklist )
tags:
- config
- ifcfg
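Review bot: The interface filter in `nmcli ... | grep -E '^eth|^br|^em|^eno|^enP|^enc900'` no longer matches the `item.startswith(('eth','br','enc','em','eno'))` test used for the ifcfg template in the hunk at -92: `enP` devices pass the grep but are never templated, and `enc*` devices other than `enc900` are templated but never have their UUID looked up. Unless the two lists are meant to differ, define the prefixes once in a role variable and use it in both places so they cannot drift.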
@@ -92,13 +99,14 @@
- apply interface-changes
when:
- virthost is not defined
- - item.startswith(('eth','br','enc','em'))
+ - item.startswith(('eth','br','enc','em','eno'))
- hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether'
- hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active']
- ansible_distribution_major_version|int >=7
- nmclitest is success
- - not ansible_ifcfg_blacklist
- - ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist
+ - not ansible_ifcfg_blocklist
+ - ansible_ifcfg_allowlist is not defined or item in ansible_ifcfg_allowlist
+ - not network_connections is defined
tags:
- config
- ifcfg
@@ -120,9 +128,16 @@
tags:
- packages
- base
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
+
+- name: global default packages to install (dnf)
+ dnf: state=present name="{{ global_pkgs_inst }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
-- name: make sure hostname is set right on rhel7 hosts
+- name: make sure hostname is set right on all hosts
hostname: name="{{inventory_hostname}}"
#
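Review bot: With the task above the hunk now gated on `ansible_distribution == 'RedHat'` and `>= 8`, and the new dnf task on `ansible_distribution == 'Fedora'` and `> 29`, any host outside those two sets (a RHEL 7 machine, or a rebuild whose `ansible_distribution` is not the literal `RedHat`) silently receives none of `global_pkgs_inst`; if rebuilds are in the inventory, `ansible_os_family == 'RedHat'` is the broader test. The two tasks share purpose and tags and differ only in the package module, and since `package:` selects yum or dnf itself, a single task with `package: state=present name="{{ global_pkgs_inst }}"` and one combined `when` would remove the duplication. The task whose `when` changes begins above the hunk.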
@@ -258,7 +273,18 @@
- name: enable journald persistence
file: path=/var/log/journal state=directory
owner=root group=systemd-journal mode=2755
- when: ansible_distribution_major_version|int >= 7
+ when: ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat'
+ tags:
+ - journald
+ - config
+ - base
+ notify:
+ - flush journald tmpfiles to persistent store
+
+- name: enable journald persistence
+ file: path=/var/log/journal state=directory
+ owner=root group=systemd-journal mode=2755
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
tags:
- journald
- config
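Review bot: The two `enable journald persistence` tasks have identical `file:` arguments and tags and differ only in `when`, so one task with `when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 7) or (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 29)` does the same work without a duplicated task name; the same applies to the duplicated `copy over our custom selinux module` tasks in the hunk at -370. Duplicate names also make `--start-at-task` and `--list-tasks` output ambiguous. The second task's `tags` run past the end of the hunk.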
@@ -360,7 +386,7 @@
- name: install our custom selinux module
command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp
- when: selinux_module is changed and ansible_distribution_major_version|int < 31
+ when: selinux_module is changed and ansible_distribution_major_version|int > 6
tags:
- rsyslogd
- config
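Review bot: Changing the guard to `ansible_distribution_major_version|int > 6` makes it true on every RHEL 7+ and Fedora host, so the condition is effectively just `selinux_module is changed`; if that is intended, `when: selinux_module is changed` states it directly, otherwise the bound should name the release actually meant. The `semodule -i` task starts at the top of the hunk, but the task that registers `selinux_module` for it is outside the hunk.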
@@ -370,7 +396,16 @@
- name: copy over our custom selinux module
copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
register: selinux_module
- when: ansible_distribution_major_version|int >= 27
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
+ tags:
+ - config
+ - selinux
+
+# Custom selinux policy to allow unix_chkpwd to map PAM database
+- name: copy over our custom selinux module
+ copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
+ register: selinux_module
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat'
tags:
- config
- selinux
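Review bot: Both `copy over our custom selinux module` tasks `register: selinux_module`, and Ansible sets a registered variable even when a task is skipped (with `changed: false`); on a Fedora host the second, skipped RedHat task therefore overwrites the result of the first, so a later `when: selinux_module is changed` consumer sees no change and never loads the module. Registering into distinct names or merging the two tasks into one with a combined `when` avoids the clobber. Where the consuming `semodule -i` task for this module sits relative to these two is outside the hunk, so confirm the ordering before relying on it.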
@@ -399,13 +434,6 @@
- base
- common-scripts
-- name: install a sync httpd logs cron script only on log01
- copy: src=syncHttpLogs.sh dest=/etc/cron.daily/syncHttpLogs.sh mode=0755
- when: inventory_hostname.startswith('log01')
- tags:
- - config
- - base
-
- name: Drop in a little system_identification note
template: src=system_identification dest=/etc/system_identification
tags:
@@ -413,16 +441,23 @@
- base
#
-# Blacklist the cdc_ether module as we don't want it loading mgmt usb0 and spewing to logs.
+# Disable the cdc_ether module as we don't want it loading mgmt usb0 and spewing to logs.
#
-- name: Blacklist cdc_ether module
- copy: src=blacklist-cdc_ether.conf dest=/etc/modprobe.d/blacklist-cdc_ether.conf
+- name: Disable cdc_ether module
+ copy: src=disable-cdc_ether.conf dest=/etc/modprobe.d/disable-cdc_ether.conf
when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host'
tags:
- config
- base
- cdc_ether
+# Remove old filename for above: remove this when we're pretty sure the file's
+# gone from all hosts
+- name: Remove old cdc_ether config file
+ file:
+ path: /etc/modprobe.d/blacklist-cdc_ether.conf
+ state: absent
+
#
# Watchdog stuff
#
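Review bot: The `Disable cdc_ether module` task now copies `src=disable-cdc_ether.conf`, but the diffstat for this commit lists only three yml/j2 files, so the renamed source file is not part of this change and the copy fails on the next run unless it is added separately. The new `Remove old cdc_ether config file` task also carries no `when` and no tags while the task it cleans up after runs only `when: ansible_virtualization_role == 'host'` under `config`/`base`/`cdc_ether`, so a tag-limited run (`--tags config`) skips the removal and a full run touches every host; copying the `when` and `tags` from the task above keeps the pair consistent.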
@@ -479,7 +514,7 @@
- name: Setup host keytab
import_tasks: keytab.yml
- when: env == 'DISABLED'
+ when: False
# SSSD-KCM has been showing way too many bugs with it saying "I have a ticket" while the ticket
# is actually expired, and kinit's still not refreshing them and such alike.
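Review bot: `when: False` replaces the `env == 'DISABLED'` sentinel but, like it, leaves the keytab import dead with no record of why; a comment such as `# keytab setup disabled: <reason placeholder> — remove or re-enable` above the task, or deleting the task, would be clearer, and lowercase `false` is the conventional Ansible literal. The `Setup host keytab` task is complete within the hunk.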
@@ -494,6 +529,17 @@
# rhel8 hosts do not have /usr/bin/python, but there are a few things we call
# with that because they also run the same on python2 hosts.
# So, we set python3 to /usr/bin/python on those hosts:
+- name : ensure that platform-python is installed on EL8 boxes
+ package: name={{ item }} state=present
+ with_items:
+ - platform-python
+ when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8
+ tags:
+ - base
+ - config
+ - python3alternative
+
+
- name: set /usr/bin/python to python3 on rhel8 hosts
alternatives:
name: python
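Review bot: `- name : ensure that platform-python ...` has a space before the colon (valid YAML, but flagged by yamllint and unlike every other task in the file), and the `with_items` loop wraps a single item; `- name: ensure that platform-python is installed on EL8 boxes` followed by `package: name=platform-python state=present` expresses the same task without the loop. The two consecutive blank lines after the tags list can be reduced to one. The `alternatives` task that follows continues past the hunk.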
diff --git a/roles/base/templates/ifcfg.j2 b/roles/base/templates/ifcfg.j2
index ccf2103..750db4b 100644
--- a/roles/base/templates/ifcfg.j2
+++ b/roles/base/templates/ifcfg.j2
@@ -2,8 +2,11 @@ NAME="{{item}}"
BOOTPROTO="none"
NM_CONTROLLED=yes
{% if item in ansible_ifcfg_infra_net_devices %}
-GATEWAY="{{gw}}"
+DEFROUTE=yes
+GATEWAY="{{ gw }}"
{% endif %}
+DNS1="{{ dns1 }}"
+DNS2="{{ dns2 }}"
HWADDR="{{ hostvars[inventory_hostname]['ansible_' + item]['macaddress']|upper }}"
{% if item in ansible_ifcfg_disabled %}
ONBOOT="no"
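Review bot: `DNS1="{{ dns1 }}"` and `DNS2="{{ dns2 }}"` are rendered for every interface unconditionally, whereas `DEFROUTE`/`GATEWAY` are limited to `ansible_ifcfg_infra_net_devices`; a host without `dns2` (or `dns1`) defined makes the template fail, or with a non-strict undefined writes `DNS2=""` into every ifcfg file, so guard each with `{% if dns1 is defined %}` / `{% if dns2 is defined %}` or move them into the same infra-device block. The change also spaces `{{ gw }}` while `{{item}}` on the hunk header line stays unspaced; pick one form.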
[ansible] Revert back to python_interpeter
by Nicolas Chauvet
commit bcf4ac380eefb3690b298d22f8380d05fc69fe77
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Sep 6 14:14:42 2021 +0200
Revert back to python_interpreter
tasks/virt_instance_create.yml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/tasks/virt_instance_create.yml b/tasks/virt_instance_create.yml
index 0d23d82..f0ff9ef 100644
--- a/tasks/virt_instance_create.yml
+++ b/tasks/virt_instance_create.yml
@@ -5,7 +5,7 @@
- name: get vm list
vars:
- ansible_python_interpreter: "/usr/bin/python3"
+ ansible_python_interpreter: "{{ hostvars[vmhost]['ansible_python']['executable'] }}"
delegate_to: "{{ vmhost }}"
virt: command=list_vms
register: result
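Review bot: `hostvars[vmhost]['ansible_python']['executable']` is only populated once facts have been gathered for `vmhost`, which this delegated task does not do itself; if the play has not gathered facts on the virt host first, the lookup raises an undefined-variable error before `virt: command=list_vms` runs. A fallback such as `"{{ hostvars[vmhost]['ansible_python']['executable'] | default('/usr/bin/python3') }}"` keeps the previous behaviour when the fact is absent, though confirming the fact-gathering order in the play is the better fix. The `get vm list` task continues past the hunk.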
[ansible] inventory/group_vars/all
by Nicolas Chauvet
commit 5f9a2653352279cd527b17ccffbf7f415a9743d3
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Sep 6 14:13:11 2021 +0200
inventory/group_vars/all
inventory/group_vars/all | 13 +++++++++----
tasks/virt_instance_create.yml | 2 +-
2 files changed, 10 insertions(+), 5 deletions(-)
---
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 0f43cb1..0dd32d5 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -366,6 +366,10 @@ wsgi_wants_apache: true
additional_host_keytabs: []
ipa_server: ipa01.online.rpmfusion.org
ipa_realm: RPMFUSION.ORG
+ipa_server_nodes:
+ - ipa01.online.rpmfusion.org
+ - ipa02.online.rpmfusion.org
+ #ipa03.online.rpmfusion.org
ipa_admin_password: "{{ ipa_prod_admin_password }}"
# Normal default sshd port is 22
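Review bot: The new `ipa_server_nodes` list duplicates `ipa_server` above it, so the two can drift; `ipa_server: "{{ ipa_server_nodes[0] }}"` ties them together. The commented-out third entry `#ipa03.online.rpmfusion.org` lacks the space after `#` that yamllint's `comments` rule expects (`# ipa03.online.rpmfusion.org`), and a short note on why it is commented out would save the next reader a guess.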
@@ -433,7 +437,8 @@ sshd_sftp: false
#
ansible_python_interpreter: auto
-#
-# datacenter with active certbot in it
-#
-certgetter_datacenter: online
+# set no x-forward header by default
+x_forward: false
+
+# ocp4 is only set true in some proxy roles
+ocp4: false
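Review bot: `certgetter_datacenter: online` is removed from the group vars while this commit changes no role or task file, so any role that still references `certgetter_datacenter` now fails with an undefined variable; confirm with a search over the roles before removing it, or keep the key until its consumers are gone. The two new flags are correctly written as plain `false` booleans, but a one-line comment on what `x_forward` controls (which header, which roles read it) would match the commented style of the block above.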
diff --git a/tasks/virt_instance_create.yml b/tasks/virt_instance_create.yml
index f0ff9ef..0d23d82 100644
--- a/tasks/virt_instance_create.yml
+++ b/tasks/virt_instance_create.yml
@@ -5,7 +5,7 @@
- name: get vm list
vars:
- ansible_python_interpreter: "{{ hostvars[vmhost]['ansible_python']['executable'] }}"
+ ansible_python_interpreter: "/usr/bin/python3"
delegate_to: "{{ vmhost }}"
virt: command=list_vms
register: result