April 2009 - infrastructure - Fedora Mailing-Lists

by Jose Manimala

Hey there matt welcome. To fedora. You can go through the fedora wiki at http://fedoraproject.org and look at fedora infrastructurs SIG. That's where we deal with administration. Btw hope you love it here. Best wishes Jose ------Original Message------ From: Wiora, Matthias Sender: fedora-infrastructure-list-bounces(a)redhat.com To: fedora-infrastructure-list(a)redhat.com ReplyTo: opensource(a)openwallet.de ReplyTo: Fedora Infrastructure Subject: Fedora & me =) Sent: Apr 12, 2009 5:22 AM Hello you all over there ;) My name is Matthias Wiora - I'm from germany, 18 years old and I'm using Fedora since now more than 4 years. It's time to get involved. In business I'm a system Engineer :) I've made my experiences in Virtualisation with XEN and VMware, Datastore-Management in Datacore and OpenE, Database-Managment MSSQL and MySQL (interested in Oracle!), System Administration Microsoft Server 2k8 & Terminal-Server-Administration Server 2k3 + Citrix XenApp, Debian 4/5, End-User Support of Windows XP/Vista (Certified by MS 70-270) and Fedora Clients :) I'd like to get involed in the Fedora Server Management & Administration processes. It's also possible to meet some else in Germany, Austria, Switzerland or London. well... you'd like to know more about me? http://openwallet.de :) Well... That's for all. Any questions? ahhhh... my hobbies: Playing Piano, Biking & Programming AtMega Processors (c++) ;) greetings from Germany, µatthias (counterroot) P.S.: Sry for the bad english. I'm trying to get better ;) _______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list Sent on my BlackBerry® from Vodafone Essar

15 years

1
0
0 / 0

Fedora & me =)

by Wiora, Matthias

Hello you all over there ;) My name is Matthias Wiora - I'm from germany, 18 years old and I'm using Fedora since now more than 4 years. It's time to get involved. In business I'm a system Engineer :) I've made my experiences in Virtualisation with XEN and VMware, Datastore-Management in Datacore and OpenE, Database-Managment MSSQL and MySQL (interested in Oracle!), System Administration Microsoft Server 2k8 & Terminal-Server-Administration Server 2k3 + Citrix XenApp, Debian 4/5, End-User Support of Windows XP/Vista (Certified by MS 70-270) and Fedora Clients :) I'd like to get involed in the Fedora Server Management & Administration processes. It's also possible to meet some else in Germany, Austria, Switzerland or London. well... you'd like to know more about me? http://openwallet.de :) Well... That's for all. Any questions? ahhhh... my hobbies: Playing Piano, Biking & Programming AtMega Processors (c++) ;) greetings from Germany, µatthias (counterroot) P.S.: Sry for the bad english. I'm trying to get better ;)

15 years

1
0
0 / 0

Meeting Log - 2008-04-09

by Ricky Zhou

15:00 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Who's here? 15:01 * yingbull is. 15:01 < mmcgrath> Alrighty everyone, who's around? 15:01 * warren here 15:01 * skvidal is here 15:01 * notting is here 15:01 < mmcgrath> jcollie: you around? 15:02 < jcollie> yup 15:02 < ivazquez> Pong. 15:02 < mmcgrath> cool, lets get started then 15:02 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Tickets 15:02 < mmcgrath> .tiny https://fedorahosted.org/fedora-infrastructure/query?status=new&status=as... 15:02 < zodbot> mmcgrath: http://tinyurl.com/2hyyz6 15:02 * MostafaDaneshvar is there 15:02 < mmcgrath> First ticket: 15:02 < mmcgrath> .ticket 395 15:02 < zodbot> mmcgrath: #395 (Audio Streaming of Fedora Board Conference Calls) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/395 15:02 < mmcgrath> jcollie: whats the latest? 15:02 < warren> mmcgrath: is agenda set in stone? I want to add s/cvsextras/packager/ after F9 release and next convenient scheduled outage. 15:03 < mmcgrath> warren: not at all, we pretty much go over tickets now, then a few other items then open the floor. 15:03 < mmcgrath> warren: Remind me if I forget at the end. 15:03 < jcollie> not much has happened... someone horked up a bunch of my virtual hosts at work so i've been busy rebuilding them 15:03 < mmcgrath> jcollie: virtual hosts at $DAYJOB or something related to fedora? 15:03 -!- Wakko666 [n=blentz(a)office.cardomain.com] has joined #fedora-meeting 15:03 < jcollie> $DAYJOB 15:03 -!- wolfy [n=lonewolf@fedora/wolfy] has left #fedora-meeting ["When you breathe, you inspire. When you do not breathe, you expire."] 15:04 < mmcgrath> just checking ;-) 15:04 < mmcgrath> jcollie: k, so nothing new there. We'll move on. 15:04 < mmcgrath> .ticket 398 15:04 < zodbot> mmcgrath: #398 (elfutils `monotone' (mtn) error) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/398 15:04 * mmcgrath sees if rmcgrath is around. 15:04 < jcollie> i think that those of us that are interested in working on the streaming should set up a separate meeting to divvy up some tasks 15:05 < mmcgrath> jcollie: not a bad idea. It sounds like you've done most of the work already. Its just a matter of getting that last 10% done (and getting the fas integration for the non streamins stuff) 15:05 < jcollie> yep 15:06 < mmcgrath> alrighty, we'll talk about 398 later if rmcgrath becomes available. 15:06 < mmcgrath> My understanding is that we can do it though. 15:06 < mmcgrath> .tickety 446 15:06 < mmcgrath> .ticket 446 15:06 < zodbot> mmcgrath: #446 (Possibility to add external links on spins page) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/446 15:06 < mmcgrath> doath 15:06 * dgilmore is here 15:07 < mmcgrath> dgilmore: I think last time we talked about you getting this up on the wiki, any news on that? 15:07 < dgilmore> mmcgrath: i started and got sidetracked 15:07 < mmcgrath> dgilmore: ahh, you're still on it though? 15:07 < dgilmore> mmcgrath: will be done by the end of the weekend 15:07 < dgilmore> yep 15:08 < mmcgrath> AFAIK we just have the one spin so far. 15:08 < mmcgrath> dgilmore: sweet, thanks! 15:08 < mmcgrath> Ok, so thats really the end of it on the tickets side. 15:08 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- New Wiki 15:08 < mmcgrath> Just a bit of a roundup on the wiki. I've been working on th emigration script and docbook exporter script. 15:08 < mmcgrath> The people listed on http://fedoraproject.org/wiki/Infrastructure/WikiMigration all met yesterday. 15:09 < mmcgrath> I'm going to schedule a few more meetings but a few bumps aside it sounds like we are a GO. 15:09 < mmcgrath> dgilmore: are you on the FESCo ? 15:09 < dgilmore> mmcgrath: i am 15:09 < mmcgrath> dgilmore: at the next meeting would you find a delegate to sign up to be the wiki liason for those sections of the wiki? 15:10 < mmcgrath> unless you want to do it :) 15:10 < dgilmore> mmcgrath: sure 15:10 < mmcgrath> Thanks. 15:10 < dgilmore> mmcgrath: i think jwb volunteered 15:10 * jwb wakes up 15:10 < jwb> huh? 15:10 * dgilmore notes he will largely be away next week 15:10 < mmcgrath> so https://publictest1.fedoraproject.org/wiki/FedoraMain is still up and ready 15:10 < dgilmore> jwb: wiki migration? 15:10 < mmcgrath> dgilmore: ohhh yeah. you're right. he's on there. 15:11 < jwb> dgilmore, mmcgrath: oh, yeah. i put my name there 15:11 < mmcgrath> dgilmore: I'll be away next week as well. 15:11 < mmcgrath> jwb: sorry I missed it there. 15:11 < jwb> i have no idea what that means 15:11 < jwb> do i have to do something? 15:11 < jwb> it just said "contact point" 15:11 < dgilmore> jwb: you get to be whiped 15:11 < mmcgrath> jwb: not yet, we'll be scheduling a meeing again the week after next. In the meantime just go through https://publictest1.fedoraproject.org/wiki/ and look for... doom. 15:11 < dgilmore> jwb: no Just be a point person. 15:12 < jwb> ok great 15:12 < jwb> either way, count me in 15:12 < mmcgrath> cool. 15:12 < mmcgrath> So thats really the latest on the wiki. 15:12 < mmcgrath> Anyone have any questions or concerns? 15:13 < mmcgrath> allrighty, moving on 15:13 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Next week 15:13 < mmcgrath> I'll be gone again next week for training. Its the last traing session I actually have scheduled. 15:13 < mmcgrath> So during the days I'll be unavailable but I'll likely be around most evenings. 15:14 < mmcgrath> Next topic 15:14 < dgilmore> mmcgrath: ill be in Brazil 15:14 * skvidal will be here 15:14 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- nfs1 15:14 < skvidal> people can call/page me 15:14 < skvidal> ugh 15:14 < skvidal> nfs1 15:14 < mmcgrath> NFS1 got built yesterday in a hurry. 15:14 < mmcgrath> while working on xen2 the nfslock issues showed up again then the whole box took a panic. 15:15 < mmcgrath> we'd been serving nfs directly from xen2 so when it goes down the buildsystem goes down. 15:15 < mmcgrath> Anyway, we brought nfs1 up as a RHEL4 box to try to fix the nfs issues, they might have fixed nfs issues but brought on ext3 issues since we're using a 10T ext3 filesystem... 15:15 < mmcgrath> RHEl4 couldn't handle it and started to ioerror. 15:15 < mmcgrath> So I kicked a RHEL5 box and its now nfs1. 15:16 < mmcgrath> Its up, its running. 15:16 < mmcgrath> so far no nfslock issues, if we do get one though we're going to contact steved while its in the bad state and give him a shell to look around. 15:16 < dgilmore> mmcgrath: lets get steved a shell on xen2 and let him monitor nfs1 15:16 < mmcgrath> Really nothing new here except that /mnt/koji is no longer available on xen2, its now on nfs1. 15:17 < mmcgrath> dgilmore: you never know, perhaps magically moving to nfs1 fixed our problem :) 15:17 < mmcgrath> we'll see. 15:17 * skvidal likes magic 15:17 < dgilmore> mmcgrath: we can hope 15:17 < dgilmore> skvidal: voodoo magic is best 15:17 < mmcgrath> heheh 15:17 * skvidal makes a doll of dgilmore 15:17 < mmcgrath> Ok, next item. 15:17 < dgilmore> skvidal: need some hair and fingernails? 15:18 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- s/cvsextras/packagers/ 15:18 < mmcgrath> warren: ping? 15:18 < warren> hi 15:18 < mmcgrath> warren: so we're just going to rename cvsextras to packagers. 15:18 < mmcgrath> which involves 15:18 < warren> So f13 suggested we rename the group after F9 release, at the first scheduled outage. 15:18 < warren> mmcgrath: packager, singular 15:18 < mmcgrath> 1) updating the db. 15:19 < mmcgrath> 2) updating the scripts (and upload script) 15:19 < mmcgrath> 3) updating the documentation 15:19 < mmcgrath> 4) testing? 15:19 < mmcgrath> I really don't think this will be that huge of a deal. 15:19 < mmcgrath> warren: I'll try to get it done sometime the week after F9 ships. Would you mind opening a ticket and bugging me about it that week? 15:19 < warren> mmcgrath: ok 15:20 < warren> mmcgrath: are there any other group names we should rename as well? 15:20 < f13> warren: lets keep the name that will make sense in the future given my newmaintianercontainment proposal 15:20 < warren> as long as we have an outage 15:20 < f13> warren: since I hope to get an intern to work on that this summer 15:20 < warren> f13: is this the one from 2 months ago or so? 15:20 < mmcgrath> warren: yeah we'll schedule an outage. 15:20 -!- Milanito [n=Matt(a)32.12.70-86.rev.gaoland.net] has quit Remote closed the connection 15:20 < f13> warren: http://fedoraproject.org/wiki/JesseKeating/NewMaintainerContainment 15:21 < mmcgrath> I'm not sure about other group names. 15:21 < warren> Let's ask around 15:21 < warren> there might be other names people want to do 15:21 < warren> f13: ok seems we need to figure out a bigger picture plan then 15:22 < warren> mmcgrath: will get back to you 15:22 < mmcgrath> warren: works for me, lets know well in advance of the outage know because renaming cvsextras I have a pretty good idea of what needs to be done. 15:22 < mmcgrath> but for another group I might not know without more research. 15:22 < mmcgrath> k 15:22 < mmcgrath> warren: when its all ready just create a ticket and bug me. I think we could have it done in an hour or two some night after F9 ships. 15:22 < f13> warren: well, we don't necessarly have to wait to rename 'cvsextras' to /somethihng/ 15:23 < f13> warren: 'fedorapackager' or whatever seems fine, we can pick a name that implies /greater/ rights later 15:23 < warren> f13: I do agree to rename it within the larger plan 15:23 < f13> or less rights. 15:23 < warren> f13: I'm still in favor of numbers instead of group names for that 15:23 < warren> but we're getting off topic 15:23 < mmcgrath> <nod> you guys figure that out :) 15:24 < mmcgrath> anyone have any questions about that? We've got plenty of time to discuss it. 15:24 < mmcgrath> if not I'll move on. 15:24 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- app server upgrades. 15:24 < mmcgrath> abadger1999: ping? 15:25 < mmcgrath> I believe toshio wants to upgrade sqlalchemy and python-fedora before the freeze. I think we're on schedule to do that but I'll have to get ahold of him to find out for sure. 15:25 < mmcgrath> which brings me to the next topic 15:25 < abadger1999> here. 15:25 < mmcgrath> oh 15:25 < mmcgrath> there you are :) 15:25 < abadger1999> Today. 15:26 < mmcgrath> abadger1999: want to talk about all of that right quick? 15:26 < abadger1999> Want to do it today/tonight. 15:26 < abadger1999> It would be to both app servers. 15:26 < mmcgrath> abadger1999: "both" ? 15:26 < mmcgrath> which? 15:26 < abadger1999> app4 and app5 15:26 < mmcgrath> app2 is also running tg apps 15:26 < abadger1999> Oh. I was not aware. 15:27 < dgilmore> mmcgrath: i want the new python-fedora 15:27 < abadger1999> then we wantto upgrade that as well. 15:27 < abadger1999> We can issue a new python-fedora for everything if we want. 15:27 < mmcgrath> abadger1999: your call I'm not sure what we'd be comitting to with the new package. 15:27 < abadger1999> Or we can update that when we do the other updates from RHEL, etc. 15:27 < mmcgrath> what are the risks / benefits? 15:27 < mmcgrath> and will this break transifex? 15:28 < abadger1999> All the FAS1 stuff has been removed. Only FAS2 stuff is in it. 15:28 < abadger1999> there's been some rearrangement of modules but the old imports should work with a deprecation warning. 15:28 < mmcgrath> k 15:29 < mmcgrath> sounds pretty low risk, and we can always revert if required. 15:29 < abadger1999> <nod> 15:29 < mmcgrath> abadger1999: I'm fine for any time this week on that, if you want me around just ping me or call me. 15:29 < mmcgrath> abadger1999: anything else on that? 15:30 < abadger1999> Nope that's it. 15:30 < mmcgrath> cool. 15:30 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- app5 15:30 < mmcgrath> So yeah, I don't know WTF is going on but app5 is rebooting... a LOT 15:30 < mmcgrath> this comes after the move from x86_64 to i686 15:30 -!- Milanito [n=Matt(a)32.12.70-86.rev.gaoland.net] has joined #fedora-meeting 15:30 < mmcgrath> we're talking between 20-40 times a DAY. 15:30 < mmcgrath> very very strange. 15:30 < mmcgrath> I've got a stack trace, I'm going to try to take it to the virt guys soon. 15:31 < mmcgrath> side note though, aside from that, the i686 move (also done on app2) has proved quite successful memory usage (and therefor swap) is way down. 15:31 < mmcgrath> its been a big win for us. 15:31 < mmcgrath> anyone have any questions / comments? 15:31 -!- viking-ice [n=johannbg(a)dsl-149-97-225.hive.is] has joined #fedora-meeting 15:31 < mmcgrath> Alrighty, then I'll move on to the last topic of the day before opening the floor. 15:32 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Change Freeze! 15:32 < mmcgrath> This one's for everyone 15:32 < mmcgrath> REMEMBER 15:32 < mmcgrath> DO NOT MAKE ANY CHANGES WITHOUT GETTING APPROVAL ON THE LIST FIRST! 15:32 < mmcgrath> and remember, you'll be asked the question "Why can't this wait until after F9 gets released" 15:33 < mmcgrath> I'll be gone much of next week which makes the freeze perfect. 15:33 < warren> under pain of 15:33 * mmcgrath looks up exact date again 15:33 < mmcgrath> warren: under pain of CURSE! 15:33 < skvidal> under pain of pain 15:33 < warren> I can advise against pain. 15:34 < mmcgrath> There we go, so the freeze starts the 15th. The release is on the 29th. The freeze is lifted on the 30th. 15:34 < yingbull> pain's scary. 15:34 < mmcgrath> Obvious exceptions include outages and things already scheduled for the release (mm type stuff, the website, etc) 15:34 < mmcgrath> other then that. you must get approval on the list before making changes. If you're working on tickets and people get cranky, just let them know we're under a freeze. 15:34 < skvidal> mmcgrath: it's okay to bring up new boxes unrelated to the release? 15:34 < ivazquez> Should we hold it until the Monday following? 15:35 < skvidal> mmcgrath: ie: if I get all the statics, etc from BU 15:35 < mmcgrath> skvidal: take it to the list! But yeah, that shouldn't be a problem. 15:35 < skvidal> mmcgrath: will do 15:35 < mmcgrath> ivazquez: I thought about that, in the past though, for the most part, things settled down from the release the day after. 15:36 < ivazquez> Okay. 15:36 < mmcgrath> anyone have any questions / comments about that? 15:36 < mmcgrath> alrighty, then we'll open the floor 15:36 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Open Floor 15:36 * dgilmore has nothing right now 15:36 < mmcgrath> Anyone have anything they'd like to discuss? A release is coming, lots of stuff has been going on. 15:37 < notting> how are we ensuring the ability to get the bits to our tier0 mirrors? 15:37 < mmcgrath> notting: same as we had been, AFAIK our mirror system (and I2) is functional again. 15:37 < notting> that's not what mdomsch's mail implied 15:37 < mmcgrath> notting: which email and when? 15:38 < notting> to mirror-list 15:38 < dgilmore> notting: no, it implied a work around was setup 15:38 < dgilmore> mmcgrath: a couple of hours ago 15:38 < dgilmore> mmcgrath: 2 boxes were setup for Tier 0 I2 masters 15:39 < mmcgrath> <nod> that was my understanding. We don't have the permanent solution in place but a working one. 15:39 < mmcgrath> we'll probably want to make sure the working one stays as is until after the 30th. 15:39 < dgilmore> mmcgrath: they have static I2 routes to dl.fedora.redhat.com boxes 15:39 < mmcgrath> notting: I'll follow up with mdomsch to make sure whats going on there. 15:39 < mmcgrath> .any mdomsch 15:39 < zodbot> mmcgrath: mdomsch was last seen in #fedora-meeting 1 hour, 9 minutes, and 24 seconds ago: *** mdomsch has quit IRC (Remote closed the connection) 15:39 -!- Milanito [n=Matt(a)32.12.70-86.rev.gaoland.net] has quit Remote closed the connection 15:40 < mmcgrath> Alrighty, anyone have anything else to discuss? 15:40 < dgilmore> nope 15:40 < mmcgrath> k, we'll close the meeting in 30 15:41 < mmcgrath> 15 15:41 < mmcgrath> 5 15:41 < notting> dgilmore: so, the static route & download1 are bandwidth-unclogged enough to sync OK? 15:41 < dgilmore> Thanks mmcgrath :) 15:41 < notting> dgilmore: with no one using it, are we sure that download1 is synced? :) 15:41 < dgilmore> notting: i believe so. 15:42 < mmcgrath> notting: we'll have to talk to them to find out for sure. 15:42 * mmcgrath just sent an email to mdomsch to verify. 15:42 < notting> maybe i'm paranoid 15:42 < mmcgrath> notting: you're once bitten. 15:42 < mmcgrath> nothing wrong with that. The fact is the whole I2 connection thing showed a major problem we have. and the fact that galgoci is the _only_ person at Red hat with access and no how to fix it is much less comforting. 15:43 < dgilmore> notting: i believe download1 is down 15:43 < mmcgrath> even his backup told us that he was really the only guy we'd want doing that. 15:44 -!- k0k [n=k0k@fedora/k0k] has quit Connection timed out 15:44 < mmcgrath> notting: we'll just have to wait and see if what we think mdomsch said is actually the way things are. That mirror has been down since before Feb 20th so its hard to say the state of things (considering they only just recently got back up and running) 15:44 < mmcgrath> Anywho, not much we can do but check with the mirrors list and mdomsch and make sure everyone's happy with where things are for the release. 15:44 < mmcgrath> Anyone have anything else? If not we'll close the meeting in 30 15:45 -!- Milanito [n=Matt(a)32.12.70-86.rev.gaoland.net] has joined #fedora-meeting 15:45 < mmcgrath> 10 15:45 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Meeting Closed 15:45 < mmcgrath> Thanks for coming everone!

15 years

1
1
0 / 0

3 commits - configs/fas configs/system configs/web manifests/nodes manifests/servergroups manifests/services modules/fas (fwd)

by Mike McGrath

This commit was a bit nuts and touches everything. We tested it in staging without issue. This push to production should be fine but as always keep your eyes open. Not much 'changed' it's just fas is now a module. -Mike ---------- Forwarded message ---------- Date: Wed, 8 Apr 2009 15:08:54 From: Mike McGrath <mmcgrath(a)fedoraproject.org> To: sysadmin-members(a)fedoraproject.org Subject: 3 commits - configs/fas configs/system configs/web manifests/nodes manifests/servergroups manifests/services modules/fas configs/fas/fasSync | 1 configs/fas/nsswitch.conf | 45 - configs/system/export-bugzilla.cfg.erb | 11 configs/system/export-bugzilla.py | 68 -- configs/system/fas.conf.erb | 78 --- configs/web/accounts-proxy.conf | 12 configs/web/accounts.fedoraproject.org.conf | 13 configs/web/accounts.fedoraproject.org/logs.conf | 2 configs/web/accounts.fedoraproject.org/redirect.conf | 1 configs/web/applications/Makefile.fedora-ca | 70 -- configs/web/applications/accounts.conf | 26 - configs/web/applications/certhelper.py | 280 ----------- configs/web/applications/fas-log.cfg | 29 - configs/web/applications/fas-prod.cfg.erb | 163 ------ configs/web/applications/fas.wsgi | 50 -- configs/web/applications/fedora-ca-client-openssl.cnf | 317 ------------- configs/web/fas.fedoraproject.org.conf | 13 configs/web/fas.fedoraproject.org/logs.conf | 2 configs/web/fas.fedoraproject.org/redirect.conf | 1 dev/null |binary manifests/nodes/app1.stg.fedora.phx.redhat.com.pp | 2 manifests/nodes/backup2.fedoraproject.org.pp | 2 manifests/nodes/bu1.fedoraproject.org.pp | 2 manifests/nodes/buildsys.fedoraproject.org.pp | 2 manifests/nodes/cstore1.fedoraproject.org.pp | 2 manifests/nodes/cstore2.fedoraproject.org.pp | 2 manifests/nodes/db1.stg.fedora.phx.redhat.com.pp | 2 manifests/nodes/fas1.fedora.phx.redhat.com.pp | 2 manifests/nodes/ibiblio1.fedoraproject.org.pp | 2 manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp | 2 manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp | 2 manifests/nodes/lb1.fedora.phx.redhat.com.pp | 2 manifests/nodes/lb2.fedora.phx.redhat.com.pp | 2 manifests/nodes/log1.fedora.phx.redhat.com.pp | 2 manifests/nodes/nfs1.fedora.phx.redhat.com.pp | 2 manifests/nodes/nfs2.fedora.phx.redhat.com.pp | 2 manifests/nodes/noc2.fedoraproject.org.pp | 2 manifests/nodes/ns1.fedoraproject.org.pp | 2 manifests/nodes/ns2.fedoraproject.org.pp | 2 manifests/nodes/people1.fedoraproject.org.pp | 2 manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest10.fedoraproject.org.pp | 2 manifests/nodes/publictest12.fedoraproject.org.pp | 2 manifests/nodes/publictest13.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest14.fedoraproject.org.pp | 2 manifests/nodes/publictest15.fedoraproject.org.pp | 2 manifests/nodes/publictest16.fedoraproject.org.pp | 2 manifests/nodes/publictest2.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest3.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest4.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest5.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest6.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest7.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest9.fedora.phx.redhat.com.pp | 2 manifests/nodes/qa1.fedora.phx.redhat.com.pp | 2 manifests/nodes/rawhide1.fedoraproject.org.pp | 2 manifests/nodes/releng1.fedora.phx.redhat.com.pp | 2 manifests/nodes/secondary1.fedora.phx.redhat.com.pp | 2 manifests/nodes/serverbeach1.fedoraproject.org.pp | 2 manifests/nodes/serverbeach2.fedoraproject.org.pp | 2 manifests/nodes/serverbeach3.fedoraproject.org.pp | 2 manifests/nodes/serverbeach4.fedoraproject.org.pp | 2 manifests/nodes/serverbeach5.fedoraproject.org.pp | 2 manifests/nodes/sign1.fedora.phx.redhat.com.pp | 2 manifests/nodes/sign2.fedora.phx.redhat.com.pp | 2 manifests/nodes/sign3.fedora.phx.redhat.com.pp | 2 manifests/nodes/smtp-mm1.fedoraproject.org.pp | 2 manifests/nodes/telia1.fedoraproject.org.pp | 2 manifests/nodes/test3.fedora.phx.redhat.com.pp | 2 manifests/nodes/test4.fedora.phx.redhat.com.pp | 2 manifests/nodes/test7.fedora.phx.redhat.com.pp | 2 manifests/nodes/test9.fedora.phx.redhat.com.pp | 2 manifests/nodes/torrent1.fedoraproject.org.pp | 2 manifests/nodes/tummy1.fedoraproject.org.pp | 2 manifests/nodes/xen6.fedora.phx.redhat.com.pp | 2 manifests/servergroups/appFcTest.pp | 2 manifests/servergroups/appRelEng.pp | 2 manifests/servergroups/appRhel.pp | 2 manifests/servergroups/appRhelTest.pp | 2 manifests/servergroups/asterisk.pp | 2 manifests/servergroups/build.pp | 2 manifests/servergroups/cnodes.pp | 2 manifests/servergroups/collab.pp | 2 manifests/servergroups/compose.pp | 2 manifests/servergroups/cvs.pp | 2 manifests/servergroups/db.pp | 2 manifests/servergroups/fas-server.pp | 6 manifests/servergroups/gateway.pp | 2 manifests/servergroups/hosted.pp | 2 manifests/servergroups/koji.pp | 2 manifests/servergroups/noc.pp | 2 manifests/servergroups/proxy.pp | 4 manifests/servergroups/puppet.pp | 2 manifests/servergroups/valueadd.pp | 2 manifests/servergroups/xen-server.pp | 2 manifests/services/fas.pp | 292 ----------- modules/fas/README | 10 modules/fas/files/Makefile.fedora-ca | 70 ++ modules/fas/files/accounts-proxy.conf | 11 modules/fas/files/accounts-pubring.gpg |binary modules/fas/files/accounts.conf | 26 + modules/fas/files/accounts.fedoraproject.org.conf | 13 modules/fas/files/accounts.fedoraproject.org/logs.conf | 2 modules/fas/files/accounts.fedoraproject.org/redirect.conf | 1 modules/fas/files/certhelper.py | 280 +++++++++++ modules/fas/files/export-bugzilla.py | 68 ++ modules/fas/files/fas-log.cfg | 29 + modules/fas/files/fas.fedoraproject.org.conf | 13 modules/fas/files/fas.fedoraproject.org/logs.conf | 2 modules/fas/files/fas.fedoraproject.org/redirect.conf | 1 modules/fas/files/fas.wsgi | 50 ++ modules/fas/files/fasSync | 1 modules/fas/files/fedora-ca-client-openssl.cnf | 317 +++++++++++++ modules/fas/files/nsswitch.conf | 45 + modules/fas/manifests/init.pp | 307 ++++++++++++ modules/fas/templates/export-bugzilla.cfg.erb | 11 modules/fas/templates/fas-prod.cfg.erb | 163 ++++++ modules/fas/templates/fas.conf.erb | 78 +++ 118 files changed, 1576 insertions(+), 1552 deletions(-) New commits: commit 58e9676244f0f543812dcb6c2723e532319ca512 Author: Mike McGrath <mmcgrath(a)redhat.com> Date: Wed Apr 8 20:08:51 2009 +0000 have all hosts use new fas module diff --git a/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp b/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp index 1f26375..3378a5d 100644 --- a/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp +++ b/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp @@ -6,7 +6,7 @@ node 'app1.stg.fedora.phx.redhat.com' { $groups='sysadmin-main' include phx include global - include fas + include fas::fas } 'staging' : { diff --git a/manifests/nodes/backup2.fedoraproject.org.pp b/manifests/nodes/backup2.fedoraproject.org.pp index f19d65b..da8216c 100644 --- a/manifests/nodes/backup2.fedoraproject.org.pp +++ b/manifests/nodes/backup2.fedoraproject.org.pp @@ -1,7 +1,7 @@ node backup2 { $groups='sysadmin-backup' include global - include fas + include fas::fas include vpn include backupPrivKey include scripts::drBackup diff --git a/manifests/nodes/bu1.fedoraproject.org.pp b/manifests/nodes/bu1.fedoraproject.org.pp index d30d71d..69f0602 100644 --- a/manifests/nodes/bu1.fedoraproject.org.pp +++ b/manifests/nodes/bu1.fedoraproject.org.pp @@ -2,6 +2,6 @@ node bu1{ $groups='@all' $relayHost = ' ' include global - include fas + include fas::fas include people } diff --git a/manifests/nodes/buildsys.fedoraproject.org.pp b/manifests/nodes/buildsys.fedoraproject.org.pp index 7f709fa..2580b66 100644 --- a/manifests/nodes/buildsys.fedoraproject.org.pp +++ b/manifests/nodes/buildsys.fedoraproject.org.pp @@ -1,7 +1,7 @@ node buildsys { $groups = 'sysadmin-main,sysadmin-build,epel_signers' include global - include fas + include fas::fas include ipmi include nagiosPhysical include plague::user-sync diff --git a/manifests/nodes/cstore1.fedoraproject.org.pp b/manifests/nodes/cstore1.fedoraproject.org.pp index 4cfb82b..93f2153 100644 --- a/manifests/nodes/cstore1.fedoraproject.org.pp +++ b/manifests/nodes/cstore1.fedoraproject.org.pp @@ -1,6 +1,6 @@ node cstore1{ $groups='sysadmin-main,sysadmin-cloud' - include fas + include fas::fas include vpn include dhcpserver-cloud # Firewall Rules, allow tftp diff --git a/manifests/nodes/cstore2.fedoraproject.org.pp b/manifests/nodes/cstore2.fedoraproject.org.pp index 0846147..f490863 100644 --- a/manifests/nodes/cstore2.fedoraproject.org.pp +++ b/manifests/nodes/cstore2.fedoraproject.org.pp @@ -1,6 +1,6 @@ node cstore2{ $groups='sysadmin-main,sysadmin-cloud' - include fas + include fas::fas include vpn # Firewall Rules, allow (nothing yet) $tcpPorts = [ ] diff --git a/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp b/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp index ce6778a..170e307 100644 --- a/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp +++ b/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp @@ -5,7 +5,7 @@ node "db1.stg.fedora.phx.redhat.com" { $groups='sysadmin-main' include phx include global - include fas + include fas::fas } 'staging' : { diff --git a/manifests/nodes/fas1.fedora.phx.redhat.com.pp b/manifests/nodes/fas1.fedora.phx.redhat.com.pp index a65248e..90d17b0 100644 --- a/manifests/nodes/fas1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/fas1.fedora.phx.redhat.com.pp @@ -1,5 +1,5 @@ node fas1{ include phx include fasServerGenCert - include fas-no-balance + include fas::fas-no-balance } diff --git a/manifests/nodes/ibiblio1.fedoraproject.org.pp b/manifests/nodes/ibiblio1.fedoraproject.org.pp index 3ce8c3d..a87bb3b 100644 --- a/manifests/nodes/ibiblio1.fedoraproject.org.pp +++ b/manifests/nodes/ibiblio1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node ibiblio1{ $groups='sysadmin-main' include xen-server - include fas + include fas::fas include vpn } diff --git a/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp b/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp index 1dd226b..fa7d8fd 100644 --- a/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node kojipkgs1{ $groups='sysadmin-main,sysadmin-build,sysadmin-noc' include phx include global - include fas + include fas::fas include kojipkgs include selinux diff --git a/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp b/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp index 3fbae4e..3bb9433 100644 --- a/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node kojipkgs2{ $groups='sysadmin-main,sysadmin-build,sysadmin-noc' include phx include global - include fas + include fas::fas include kojipkgs include selinux diff --git a/manifests/nodes/lb1.fedora.phx.redhat.com.pp b/manifests/nodes/lb1.fedora.phx.redhat.com.pp index baebda8..1351fde 100644 --- a/manifests/nodes/lb1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/lb1.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node lb1{ $groups='sysadmin-main,sysadmin-web' include phx - include fas + include fas::fas include global # Firewall Rules, allow OpenVPN traffic through diff --git a/manifests/nodes/lb2.fedora.phx.redhat.com.pp b/manifests/nodes/lb2.fedora.phx.redhat.com.pp index 0b30286..a4e8658 100644 --- a/manifests/nodes/lb2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/lb2.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node lb2{ $groups='sysadmin-main,sysadmin-web' include phx - include fas + include fas::fas include global # Firewall Rules, allow OpenVPN traffic through $tcpPorts = [ 80, 443, 5560 ] diff --git a/manifests/nodes/log1.fedora.phx.redhat.com.pp b/manifests/nodes/log1.fedora.phx.redhat.com.pp index b615389..9198af2 100644 --- a/manifests/nodes/log1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/log1.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node log1{ $groups='sysadmin-main,sysadmin-noc' $rsyslog=1 include global - include fas + include fas::fas include phx include vpn include awstats diff --git a/manifests/nodes/nfs1.fedora.phx.redhat.com.pp b/manifests/nodes/nfs1.fedora.phx.redhat.com.pp index 7f39b70..3ca425f 100644 --- a/manifests/nodes/nfs1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/nfs1.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node nfs1{ $groups='sysadmin-main,sysadmin-noc' include phx include global - include fas + include fas::fas include nfs-server include nfs-server-phx include selinux diff --git a/manifests/nodes/nfs2.fedora.phx.redhat.com.pp b/manifests/nodes/nfs2.fedora.phx.redhat.com.pp index f3be815..994b491 100644 --- a/manifests/nodes/nfs2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/nfs2.fedora.phx.redhat.com.pp @@ -1,6 +1,6 @@ node nfs2{ $groups='sysadmin-main' include phx - include fas + include fas::fas } diff --git a/manifests/nodes/noc2.fedoraproject.org.pp b/manifests/nodes/noc2.fedoraproject.org.pp index 55bc2fa..51aaa3b 100644 --- a/manifests/nodes/noc2.fedoraproject.org.pp +++ b/manifests/nodes/noc2.fedoraproject.org.pp @@ -2,7 +2,7 @@ node noc2{ $groups='sysadmin-main,sysadmin-noc' $relayHost=' ' include global - include fas + include fas::fas include vpn include nagios-server-external include pager diff --git a/manifests/nodes/ns1.fedoraproject.org.pp b/manifests/nodes/ns1.fedoraproject.org.pp index 94fae20..624f5da 100644 --- a/manifests/nodes/ns1.fedoraproject.org.pp +++ b/manifests/nodes/ns1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node ns1{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include dns } diff --git a/manifests/nodes/ns2.fedoraproject.org.pp b/manifests/nodes/ns2.fedoraproject.org.pp index fa6c738..91998e0 100644 --- a/manifests/nodes/ns2.fedoraproject.org.pp +++ b/manifests/nodes/ns2.fedoraproject.org.pp @@ -1,7 +1,7 @@ node ns2{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include dns } diff --git a/manifests/nodes/people1.fedoraproject.org.pp b/manifests/nodes/people1.fedoraproject.org.pp index cb35312..ef49bc8 100644 --- a/manifests/nodes/people1.fedoraproject.org.pp +++ b/manifests/nodes/people1.fedoraproject.org.pp @@ -4,7 +4,7 @@ node people1 { $sshd_config_PasswordAuthentication='no' include global include people - include fas + include fas::fas include vpn include planet } diff --git a/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp b/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp index 48d86e5..90369ae 100644 --- a/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp +++ b/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp @@ -5,7 +5,7 @@ node 'proxy1.stg.fedora.phx.redhat.com' { $groups='sysadmin-main' include phx include global - include fas + include fas::fas } 'staging' : { $puppetEnvironment='staging' diff --git a/manifests/nodes/publictest10.fedoraproject.org.pp b/manifests/nodes/publictest10.fedoraproject.org.pp index 3992b56..5fbbd61 100644 --- a/manifests/nodes/publictest10.fedoraproject.org.pp +++ b/manifests/nodes/publictest10.fedoraproject.org.pp @@ -2,7 +2,7 @@ node publictest10{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include ssh::sshd include httpd - include fas + include fas::fas include global include selinux include git-package diff --git a/manifests/nodes/publictest12.fedoraproject.org.pp b/manifests/nodes/publictest12.fedoraproject.org.pp index 12e6b66..7cdded4 100644 --- a/manifests/nodes/publictest12.fedoraproject.org.pp +++ b/manifests/nodes/publictest12.fedoraproject.org.pp @@ -1,6 +1,6 @@ node publictest12{ $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' - include fas + include fas::fas include global $tcpPorts = [ 80, 443 ] $udpPorts = [ ] diff --git a/manifests/nodes/publictest13.fedora.phx.redhat.com.pp b/manifests/nodes/publictest13.fedora.phx.redhat.com.pp index 1c5bb08..a960671 100644 --- a/manifests/nodes/publictest13.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest13.fedora.phx.redhat.com.pp @@ -1,6 +1,6 @@ node publictest13{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include global - include fas + include fas::fas } diff --git a/manifests/nodes/publictest14.fedoraproject.org.pp b/manifests/nodes/publictest14.fedoraproject.org.pp index 9fc8c05..e5c353c 100644 --- a/manifests/nodes/publictest14.fedoraproject.org.pp +++ b/manifests/nodes/publictest14.fedoraproject.org.pp @@ -1,7 +1,7 @@ node publictest14{ $relayHost=' ' $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc,sysadmin-test' - include fas + include fas::fas include global $tcpPorts = [ 80, 443 ] $udpPorts = [ ] diff --git a/manifests/nodes/publictest15.fedoraproject.org.pp b/manifests/nodes/publictest15.fedoraproject.org.pp index cd2d98d..54d6821 100644 --- a/manifests/nodes/publictest15.fedoraproject.org.pp +++ b/manifests/nodes/publictest15.fedoraproject.org.pp @@ -3,7 +3,7 @@ node publictest15{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include ssh::sshd include httpd - include fas + include fas::fas include bodhi-dev include global include selinux diff --git a/manifests/nodes/publictest16.fedoraproject.org.pp b/manifests/nodes/publictest16.fedoraproject.org.pp index 7b85ddf..6b9b0c3 100644 --- a/manifests/nodes/publictest16.fedoraproject.org.pp +++ b/manifests/nodes/publictest16.fedoraproject.org.pp @@ -2,7 +2,7 @@ node publictest16{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include ssh::sshd include httpd - include fas + include fas::fas include bodhi-dev include global include selinux diff --git a/manifests/nodes/publictest2.fedora.phx.redhat.com.pp b/manifests/nodes/publictest2.fedora.phx.redhat.com.pp index 91fdaaf..d224e45 100644 --- a/manifests/nodes/publictest2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest2.fedora.phx.redhat.com.pp @@ -2,6 +2,6 @@ node publictest2{ $groups='sysadmin-test,sysadmin-main,sysadmin-web' include phx include global - include fas + include fas::fas } diff --git a/manifests/nodes/publictest3.fedora.phx.redhat.com.pp b/manifests/nodes/publictest3.fedora.phx.redhat.com.pp index 207b27b..9e9f235 100644 --- a/manifests/nodes/publictest3.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest3.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node publictest3{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas #Include php.ini & apache... include apache::php diff --git a/manifests/nodes/publictest4.fedora.phx.redhat.com.pp b/manifests/nodes/publictest4.fedora.phx.redhat.com.pp index af6052a..ccc6ff1 100644 --- a/manifests/nodes/publictest4.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest4.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node publictest4{ $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas # Firewall Rules, allow SSH, SIP(TCP 5060), IAX2(UDP 4569), SIP(UDP 5060), RTP(UDP 10000:10500) $tcpPorts = [ 22, 5060 ] $udpPorts = [ 4569, 5060, '10000:10500' ] diff --git a/manifests/nodes/publictest5.fedora.phx.redhat.com.pp b/manifests/nodes/publictest5.fedora.phx.redhat.com.pp index 2378109..3f9880a 100644 --- a/manifests/nodes/publictest5.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest5.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node publictest5{ $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas # Firewall Rules, allow HTTP (TCP 80), HTTPS (TCP 443), SSH, SIP(TCP 5060), IAX2(UDP 4569), SIP(UDP 5060), RTP(UDP 10000:10500) $tcpPorts = [ 22, 80, 443, 5060 ] $udpPorts = [ 4569, 5060, '10000:10500' ] diff --git a/manifests/nodes/publictest6.fedora.phx.redhat.com.pp b/manifests/nodes/publictest6.fedora.phx.redhat.com.pp index d8bd031..5ff6931 100644 --- a/manifests/nodes/publictest6.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest6.fedora.phx.redhat.com.pp @@ -3,6 +3,6 @@ node publictest6{ $groups = 'sysadmin-main' include phx include xen-guest - include fas + include fas::fas } diff --git a/manifests/nodes/publictest7.fedora.phx.redhat.com.pp b/manifests/nodes/publictest7.fedora.phx.redhat.com.pp index 257dce5..df44bea 100644 --- a/manifests/nodes/publictest7.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest7.fedora.phx.redhat.com.pp @@ -3,6 +3,6 @@ node publictest7{ $groups = 'sysadmin-main' include phx include xen-guest - include fas + include fas::fas } diff --git a/manifests/nodes/publictest9.fedora.phx.redhat.com.pp b/manifests/nodes/publictest9.fedora.phx.redhat.com.pp index 3d91c12..42819b0 100644 --- a/manifests/nodes/publictest9.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest9.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node publictest9{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas include mediawiki-test::base $tcpPorts = [ 80, 443, 10050, 11211 ] diff --git a/manifests/nodes/qa1.fedora.phx.redhat.com.pp b/manifests/nodes/qa1.fedora.phx.redhat.com.pp index cc3053b..2e5bf19 100644 --- a/manifests/nodes/qa1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/qa1.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node qa1{ $groups='sysadmin-main,sysadmin-noc,qa-admin' include phx - include fas + include fas::fas include global include git-package include fedora-packager-package diff --git a/manifests/nodes/rawhide1.fedoraproject.org.pp b/manifests/nodes/rawhide1.fedoraproject.org.pp index dc480eb..7377f7d 100644 --- a/manifests/nodes/rawhide1.fedoraproject.org.pp +++ b/manifests/nodes/rawhide1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node 'rawhide1.fedoraproject.org' { $relayHost=' ' $groups = 'sysadmin-main,sysadmin-noc' - include fas + include fas::fas include global } diff --git a/manifests/nodes/releng1.fedora.phx.redhat.com.pp b/manifests/nodes/releng1.fedora.phx.redhat.com.pp index 60dd139..ad60c71 100644 --- a/manifests/nodes/releng1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/releng1.fedora.phx.redhat.com.pp @@ -1,6 +1,6 @@ node releng1{ $groups='sysadmin-main,sysadmin-releng,sysadmin-noc' include phx - include fas + include fas::fas include global } diff --git a/manifests/nodes/secondary1.fedora.phx.redhat.com.pp b/manifests/nodes/secondary1.fedora.phx.redhat.com.pp index d87ad82..0b98229 100644 --- a/manifests/nodes/secondary1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/secondary1.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node secondary1{ $groups='sysadmin-main,sysadmin-noc,alt-sugar,alt-k12linux,altvideos' include global - include fas + include fas::fas include secondaryMirror include nfs-server include selinux diff --git a/manifests/nodes/serverbeach1.fedoraproject.org.pp b/manifests/nodes/serverbeach1.fedoraproject.org.pp index 3fffa23..295ea48 100644 --- a/manifests/nodes/serverbeach1.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach1{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi diff --git a/manifests/nodes/serverbeach2.fedoraproject.org.pp b/manifests/nodes/serverbeach2.fedoraproject.org.pp index 6a7d8fd..8a759ff 100644 --- a/manifests/nodes/serverbeach2.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach2.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach2{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi diff --git a/manifests/nodes/serverbeach3.fedoraproject.org.pp b/manifests/nodes/serverbeach3.fedoraproject.org.pp index 018ecf1..4338551 100644 --- a/manifests/nodes/serverbeach3.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach3.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach3{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi diff --git a/manifests/nodes/serverbeach4.fedoraproject.org.pp b/manifests/nodes/serverbeach4.fedoraproject.org.pp index f855620..ac878e6 100644 --- a/manifests/nodes/serverbeach4.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach4.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach4{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi diff --git a/manifests/nodes/serverbeach5.fedoraproject.org.pp b/manifests/nodes/serverbeach5.fedoraproject.org.pp index c4a1088..1776e8d 100644 --- a/manifests/nodes/serverbeach5.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach5.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach5{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi diff --git a/manifests/nodes/sign1.fedora.phx.redhat.com.pp b/manifests/nodes/sign1.fedora.phx.redhat.com.pp index e383736..d77ad31 100644 --- a/manifests/nodes/sign1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign1.fedora.phx.redhat.com.pp @@ -4,7 +4,7 @@ node sign1{ $groups = 'sysadmin-main,sysadmin-releng' include phx - include fas + include fas::fas #include global include pkgsigner diff --git a/manifests/nodes/sign2.fedora.phx.redhat.com.pp b/manifests/nodes/sign2.fedora.phx.redhat.com.pp index 3ca66e4..7620e80 100644 --- a/manifests/nodes/sign2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign2.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node sign2{ $groups = 'sysadmin-main' include phx - include fas + include fas::fas include global include pkgsigner } diff --git a/manifests/nodes/sign3.fedora.phx.redhat.com.pp b/manifests/nodes/sign3.fedora.phx.redhat.com.pp index 2bafff9..18a4323 100644 --- a/manifests/nodes/sign3.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign3.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node sign3{ $groups = 'sysadmin-main' include phx - include fas + include fas::fas include global include pkgsigner } diff --git a/manifests/nodes/smtp-mm1.fedoraproject.org.pp b/manifests/nodes/smtp-mm1.fedoraproject.org.pp index c9c53c8..d5ad7fb 100644 --- a/manifests/nodes/smtp-mm1.fedoraproject.org.pp +++ b/manifests/nodes/smtp-mm1.fedoraproject.org.pp @@ -2,7 +2,7 @@ node smtp-mm1{ $groups = 'sysadmin-main,sysadmin-noc,sysadmin-tools' $isMailmanSMTP=1 include global - include fas + include fas::fas include postfix::mailman_smtp # Firewall Rules, allow SMTP traffic through diff --git a/manifests/nodes/telia1.fedoraproject.org.pp b/manifests/nodes/telia1.fedoraproject.org.pp index 4e8433d..8035a27 100644 --- a/manifests/nodes/telia1.fedoraproject.org.pp +++ b/manifests/nodes/telia1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node telia1{ $groups='sysadmin-main' include xen-server - include fas + include fas::fas include vpn } diff --git a/manifests/nodes/test3.fedora.phx.redhat.com.pp b/manifests/nodes/test3.fedora.phx.redhat.com.pp index 303b1c3..0107987 100644 --- a/manifests/nodes/test3.fedora.phx.redhat.com.pp +++ b/manifests/nodes/test3.fedora.phx.redhat.com.pp @@ -1,6 +1,6 @@ node test3{ $groups='sysadmin-main,sysadmin-releng' - include fas + include fas::fas include phx include xen-guest } diff --git a/manifests/nodes/test4.fedora.phx.redhat.com.pp b/manifests/nodes/test4.fedora.phx.redhat.com.pp index d405088..bda764f 100644 --- a/manifests/nodes/test4.fedora.phx.redhat.com.pp +++ b/manifests/nodes/test4.fedora.phx.redhat.com.pp @@ -1,6 +1,6 @@ node test4{ $groups='sysadmin-main,sysadmin-releng' - include fas + include fas::fas include phx include xen-guest } diff --git a/manifests/nodes/test7.fedora.phx.redhat.com.pp b/manifests/nodes/test7.fedora.phx.redhat.com.pp index 414143a..62b6078 100644 --- a/manifests/nodes/test7.fedora.phx.redhat.com.pp +++ b/manifests/nodes/test7.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node test7{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas include fedoraproject-moin } diff --git a/manifests/nodes/test9.fedora.phx.redhat.com.pp b/manifests/nodes/test9.fedora.phx.redhat.com.pp index 4eaae80..c6d655f 100644 --- a/manifests/nodes/test9.fedora.phx.redhat.com.pp +++ b/manifests/nodes/test9.fedora.phx.redhat.com.pp @@ -2,6 +2,6 @@ node test9{ $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas } diff --git a/manifests/nodes/torrent1.fedoraproject.org.pp b/manifests/nodes/torrent1.fedoraproject.org.pp index 8b11de1..afb7e31 100644 --- a/manifests/nodes/torrent1.fedoraproject.org.pp +++ b/manifests/nodes/torrent1.fedoraproject.org.pp @@ -1,6 +1,6 @@ node torrent1{ $groups = 'sysadmin-web,sysadmin-main,torrentadmin,sysadmin-noc,torrent-cc' include global - include fas + include fas::fas include torrent } diff --git a/manifests/nodes/tummy1.fedoraproject.org.pp b/manifests/nodes/tummy1.fedoraproject.org.pp index 357637a..ff41f41 100644 --- a/manifests/nodes/tummy1.fedoraproject.org.pp +++ b/manifests/nodes/tummy1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node tummy1{ $groups='sysadmin-main' include xen-server - include fas + include fas::fas include vpn } diff --git a/manifests/nodes/xen6.fedora.phx.redhat.com.pp b/manifests/nodes/xen6.fedora.phx.redhat.com.pp index 8d8767e..69ff929 100644 --- a/manifests/nodes/xen6.fedora.phx.redhat.com.pp +++ b/manifests/nodes/xen6.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node xen6{ include phx $groups = 'sysadmin-main,sysadmin-cloud' include global - include fas + include fas::fas include ipmi include nagiosPhysical include selinux diff --git a/manifests/servergroups/appFcTest.pp b/manifests/servergroups/appFcTest.pp index 70154d0..94e1dcd 100644 --- a/manifests/servergroups/appFcTest.pp +++ b/manifests/servergroups/appFcTest.pp @@ -2,7 +2,7 @@ class appFcTest { $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include global include xen-guest - include fas + include fas::fas include dbaccess include mounts include wevisor-server diff --git a/manifests/servergroups/appRelEng.pp b/manifests/servergroups/appRelEng.pp index 8b4b790..c3bbf38 100644 --- a/manifests/servergroups/appRelEng.pp +++ b/manifests/servergroups/appRelEng.pp @@ -1,7 +1,7 @@ class appRelEng { $groups='sysadmin-main,sysadmin-noc,sysadmin-releng' include global - include fas + include fas::fas include xen-guest include mash include rsync::rsyncd diff --git a/manifests/servergroups/appRhel.pp b/manifests/servergroups/appRhel.pp index 0165f64..c8f85ef 100644 --- a/manifests/servergroups/appRhel.pp +++ b/manifests/servergroups/appRhel.pp @@ -3,7 +3,7 @@ class appRhel { include global include http_log include xen-guest - include fas + include fas::fas include dbaccess include pkgdb-server include bodhi-app diff --git a/manifests/servergroups/appRhelTest.pp b/manifests/servergroups/appRhelTest.pp index d68e275..ce4b633 100644 --- a/manifests/servergroups/appRhelTest.pp +++ b/manifests/servergroups/appRhelTest.pp @@ -2,7 +2,7 @@ class appRhelTest { $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include global include xen-guest - include fas + include fas::fas include dbaccess-test #include genericContent #include hosted-server diff --git a/manifests/servergroups/asterisk.pp b/manifests/servergroups/asterisk.pp index 8f9ef9f..5d932fb 100644 --- a/manifests/servergroups/asterisk.pp +++ b/manifests/servergroups/asterisk.pp @@ -1,7 +1,7 @@ class asterisk { $groups = 'sysadmin-main,sysadmin-noc,sysadmin-tools' include global - include fas + include fas::fas include asterisk::main include asterisk::stats include asterisk::recording diff --git a/manifests/servergroups/build.pp b/manifests/servergroups/build.pp index 145ec65..abaccac 100644 --- a/manifests/servergroups/build.pp +++ b/manifests/servergroups/build.pp @@ -3,7 +3,7 @@ class build { $sshd_config_StrictModes = "no" include global # include generic-iptables - include fas + include fas::fas include koji include plague-builder include mockuser diff --git a/manifests/servergroups/cnodes.pp b/manifests/servergroups/cnodes.pp index 1934097..8670b60 100644 --- a/manifests/servergroups/cnodes.pp +++ b/manifests/servergroups/cnodes.pp @@ -1,6 +1,6 @@ class cnodes { $groups='sysadmin-main,sysadmin-cloud' - include fas + include fas::fas include vpn # Firewall Rules, allow tftp $tcpPorts = [ 3260 ] diff --git a/manifests/servergroups/collab.pp b/manifests/servergroups/collab.pp index 8b041b9..463ac9b 100644 --- a/manifests/servergroups/collab.pp +++ b/manifests/servergroups/collab.pp @@ -1,7 +1,7 @@ class collab { $groups = 'sysadmin-main,sysadmin-noc,sysadmin-tools' include global - include fas + include fas::fas include vpn include selinux include sobby diff --git a/manifests/servergroups/compose.pp b/manifests/servergroups/compose.pp index 9478a25..c29b9e0 100644 --- a/manifests/servergroups/compose.pp +++ b/manifests/servergroups/compose.pp @@ -3,7 +3,7 @@ class composer { $groups = 'sysadmin-main,sysadmin-releng' include global # include generic-iptables - include fas + include fas::fas include mockuser include pungi-package include livecd-tools-package diff --git a/manifests/servergroups/cvs.pp b/manifests/servergroups/cvs.pp index 8dc4038..9ae2c97 100644 --- a/manifests/servergroups/cvs.pp +++ b/manifests/servergroups/cvs.pp @@ -5,7 +5,7 @@ class cvs { $sshd_config_PasswordAuthentication = 'no' $sshd_config_AllowTcpForwarding = 'no' include global - include fas + include fas::fas include cvs-pkgs include rsync::rsyncd include drbackupPubKey diff --git a/manifests/servergroups/db.pp b/manifests/servergroups/db.pp index 43826cc..27fb1d3 100644 --- a/manifests/servergroups/db.pp +++ b/manifests/servergroups/db.pp @@ -1,7 +1,7 @@ class db { $groups = 'sysadmin-main,sysadmin-dba,sysadmin-noc' include global - include fas + include fas::fas include selinux include aide::scanner include backupPubKey diff --git a/manifests/servergroups/fas-server.pp b/manifests/servergroups/fas-server.pp index 3bfba90..6daed2a 100644 --- a/manifests/servergroups/fas-server.pp +++ b/manifests/servergroups/fas-server.pp @@ -2,7 +2,7 @@ class fasServerBase { $groups = 'sysadmin-main' include global include xen-guest - include fas + include fas::fas include vpn # Firewall Rules, allow web bodhi traffic through @@ -24,11 +24,11 @@ class fasServerBase { } class fasServer inherits fasServerBase { - include fas-server + include fas::fas-server } class fasServerGenCert inherits fasServerBase { - include fas-server-gencert + include fas::fas-server-gencert semanage_fcontext { '/var/lib/fedora-ca/crl(/.*)?': type => 'httpd_sys_script_rw_t' diff --git a/manifests/servergroups/gateway.pp b/manifests/servergroups/gateway.pp index d33ca7d..7a214b5 100644 --- a/manifests/servergroups/gateway.pp +++ b/manifests/servergroups/gateway.pp @@ -8,7 +8,7 @@ class gateway{ include global include snmp-utils include vpn-server - include fas + include fas::fas #include selinux-enforcing include selinux include spamassassin_server diff --git a/manifests/servergroups/hosted.pp b/manifests/servergroups/hosted.pp index 2708ced..eb9306b 100644 --- a/manifests/servergroups/hosted.pp +++ b/manifests/servergroups/hosted.pp @@ -6,7 +6,7 @@ class hosted { $sshd_config_AllowTcpForwarding = 'no' include global include hosted-server - include fas + include fas::fas # include hosted-proxy include rsync::rsyncd include selinux diff --git a/manifests/servergroups/koji.pp b/manifests/servergroups/koji.pp index 59477bd..d6801a8 100644 --- a/manifests/servergroups/koji.pp +++ b/manifests/servergroups/koji.pp @@ -1,7 +1,7 @@ class kojimasters { $groups = 'sysadmin-build,sysadmin-main,sysadmin-noc' include global - include fas + include fas::fas include kojimaster include selinux include nfs-server diff --git a/manifests/servergroups/noc.pp b/manifests/servergroups/noc.pp index c8f193d..d58e18d 100644 --- a/manifests/servergroups/noc.pp +++ b/manifests/servergroups/noc.pp @@ -1,7 +1,7 @@ class noc { $groups = 'sysadmin-main,sysadmin-noc' include global - include fas + include fas::fas include nagios-server include cacti-server include selinux diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index 6d9fb2b..85702ae 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -3,7 +3,7 @@ class proxy { include global include http_log include proxyserver - include fas + include fas::fas include autofs include haproxy::server include smolt-proxy @@ -19,7 +19,7 @@ class proxy { include admin-proxy include nagios-proxy include cacti-proxy - include fas-proxy + include fas::fas-proxy include infrastructure-proxy #include voting-proxy include pkgdb-proxy diff --git a/manifests/servergroups/puppet.pp b/manifests/servergroups/puppet.pp index c393f9a..4a7c5e5 100644 --- a/manifests/servergroups/puppet.pp +++ b/manifests/servergroups/puppet.pp @@ -3,7 +3,7 @@ class puppetServer { $is_certmaster=1 include global include phx - include fas + include fas::fas include infrastructure-repo include puppet::master include scripts::sync-rhn diff --git a/manifests/servergroups/valueadd.pp b/manifests/servergroups/valueadd.pp index 655f6d7..efebd55 100644 --- a/manifests/servergroups/valueadd.pp +++ b/manifests/servergroups/valueadd.pp @@ -3,7 +3,7 @@ class valueadd { include global include http_log include xen-guest - include fas + include fas::fas include dbaccess if $phx::inPHX { diff --git a/manifests/servergroups/xen-server.pp b/manifests/servergroups/xen-server.pp index 90086f7..c581b84 100644 --- a/manifests/servergroups/xen-server.pp +++ b/manifests/servergroups/xen-server.pp @@ -5,7 +5,7 @@ class xen-server { $groups = 'sysadmin-main' } include global - include fas + include fas::fas include xenHost include ipmi include nagiosPhysical commit 0687715af06ef76fa9288ca521e4daae37f19cb0 Author: Mike McGrath <mmcgrath(a)redhat.com> Date: Wed Apr 8 20:00:26 2009 +0000 removed old fas files diff --git a/configs/fas/fasSync b/configs/fas/fasSync deleted file mode 100644 index 4f9f643..0000000 --- a/configs/fas/fasSync +++ /dev/null @@ -1 +0,0 @@ -24 * * * * root /bin/sleep $(($RANDOM/20)); /usr/bin/fasClient -i > /dev/null 2>&1 diff --git a/configs/fas/nsswitch.conf b/configs/fas/nsswitch.conf deleted file mode 100644 index fb4ff62..0000000 --- a/configs/fas/nsswitch.conf +++ /dev/null @@ -1,45 +0,0 @@ -# /etc/nsswitch.conf -# -# An example Name Service Switch config file. This file should be -# sorted with the most-used services at the beginning. -# -# The entry '[NOTFOUND=return]' means that the search for an -# entry should stop if the search in the previous entry turned -# up nothing. Note that if the search failed due to some other reason -# (like no NIS server responding) then the search continues with the -# next entry. -# -# Legal entries are: -# -# nisplus or nis+ Use NIS+ (NIS version 3) -# nis or yp Use NIS (NIS version 2), also called YP -# dns Use DNS (Domain Name Service) -# files Use the local files -# db Use the local database (.db) files -# compat Use NIS on compat mode -# hesiod Use Hesiod for user lookups -# [NOTFOUND=return] Stop searching if not found so far -# - -passwd: db files -shadow: db files -group: db files - -#hosts: db files nisplus nis dns -hosts: files dns - -bootparams: nisplus [NOTFOUND=return] files - -ethers: files -netmasks: files -networks: files -protocols: files -rpc: files -services: files - -netgroup: files - -publickey: nisplus - -automount: files -aliases: files nisplus diff --git a/configs/system/export-bugzilla.cfg.erb b/configs/system/export-bugzilla.cfg.erb deleted file mode 100644 index 6c65f07..0000000 --- a/configs/system/export-bugzilla.cfg.erb +++ /dev/null @@ -1,11 +0,0 @@ -[global] -# bugzilla.url = https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi -# Running from fas1 so we need the PHX available address. -bugzilla.url = "https://bzprx.vip.phx.redhat.com/xmlrpc.cgi" -# bugzilla.url = "https://bugzilla.redhat.com/xmlrpc.cgi" -bugzilla.username = "<%= bugzillaUser %>" -bugzilla.password = "<%= bugzillaPassword %>" - -# At the moment, we have to extract this information directly from the fas2 -# database. We can build a json interface for it at a later date. -sqlalchemy.dburi = "postgres://fas:<%= fasDbPassword %>@db2/fas2" diff --git a/configs/system/export-bugzilla.py b/configs/system/export-bugzilla.py deleted file mode 100755 index 4b6b416..0000000 --- a/configs/system/export-bugzilla.py +++ /dev/null @@ -1,68 +0,0 @@ -#!/usr/bin/python -t -__requires__ = 'TurboGears' -import pkg_resources -pkg_resources.require('CherryPy >= 2.0, < 3.0alpha') - -import sys -import getopt -import xmlrpclib -import turbogears -from turbogears import config -turbogears.update_config(configfile="/etc/export-bugzilla.cfg") -from turbogears.database import session -from fas.model import BugzillaQueue - -BZSERVER = config.get('bugzilla.url', 'https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi') -BZUSER = config.get('bugzilla.username') -BZPASS = config.get('bugzilla.password') - -if __name__ == '__main__': - opts, args = getopt.getopt(sys.argv[1:], '', ('usage', 'help')) - if len(args) != 2 or ('--usage','') in opts or ('--help','') in opts: - print """ - Usage: export-bugzilla.py GROUP BUGZILLA_GROUP - """ - sys.exit(1) - ourGroup = args[0] - bzGroup = args[1] - - server = xmlrpclib.Server(BZSERVER) - bugzilla_queue = BugzillaQueue.query.join('group').filter_by( - name=ourGroup) - - for entry in bugzilla_queue: - # Make sure we have a record for this user in bugzilla - if entry.action == 'r': - # Remove the user's bugzilla group - try: - server.bugzilla.updatePerms(entry.email, 'rem', (bzGroup,), - BZUSER, BZPASS) - except xmlrpclib.Fault, e: - if e.faultCode == 504: - # It's okay, not having this user is equivalent to setting - # them to not have this group. - pass - else: - raise - - elif entry.action == 'a': - # Try to create the user - try: - server.bugzilla.addUser(entry.email, entry.person.human_name, BZUSER, BZPASS) - except xmlrpclib.Fault, e: - if e.faultCode == 500: - # It's okay, we just need to make sure the user has an - # account. - pass - else: - print entry.email,entry.person.human_name - raise - server.bugzilla.updatePerms(entry.email, 'add', (bzGroup,), - BZUSER, BZPASS) - else: - print 'Unrecognized action code: %s %s %s %s %s' % (entry.action, - entry.email, entry.person.human_name, entry.person.username, entry.group.name) - - # Remove them from the queue - session.delete(entry) - session.flush() diff --git a/configs/system/fas.conf.erb b/configs/system/fas.conf.erb deleted file mode 100644 index d8a3e05..0000000 --- a/configs/system/fas.conf.erb +++ /dev/null @@ -1,78 +0,0 @@ -[global] -; url - Location to fas server -url = https://admin.fedoraproject.org/accounts/ - -; temp - Location to generate files while user creation process is happening -temp = /var/db - -; login - username to contact fas -login = systems - -; password - password for login name -password = <%= systemsUserPassword %> - -; prefix - install to a location other than / -prefix = / - -[host] -; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups -; so if someone is in all 3, the client behaves the same as if they were just -; in 'groups' - -; groups that should have a shell account on this system. -<% if groups != "NONE" %> -groups = <%= groups %> -<% else %> -groups = sysadmin-main -<% end %> -; groups that should have a restricted account on this system. -; restricted accounts use the restricted_shell value in [users] -restricted_groups = - -; ssh_restricted_groups: groups that should be restricted by ssh key. You will -; need to disable password based logins in order for this value to have any -; security meaning. Group types can be placed here as well, for example -; @hg,@git,@svn -<% if sshGroups %> -ssh_restricted_groups = <%= sshGroups %> -<% else %> -ssh_restricted_groups = -<% end %> - -; aliases_template: Gets prepended to the aliases file when it is generated by -; fasClient -aliases_template = /etc/aliases.template - -[users] -; default shell given to people in [host] groups -shell = /bin/bash - -; home - the location for fas user home dirs -home = /home/fedora - -; home_backup_dir - Location home dirs should get moved to when a user is -; deleted this location should be tmpwatched -home_backup_dir = /home/fedora.bak - -; ssh_restricted_app - This is the path to the restricted shell script. It -; will not work automatically for most people though through alterations it -; is a powerfull way to restrict access to a machine. An alternative example -; could be given to people who should only have cvs access on the machine. -; setting this value to "/usr/bin/cvs server" would do this. -<% if restrictedApp %> -ssh_restricted_app = "<%= restrictedApp %>" -<% else %> -ssh_restricted_app = "/usr/bin/cvs server" -<% end %> - -; restricted_shell - The shell given to users in the ssh_restricted_groups -restricted_shell = /sbin/nologin - -; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups -ssh_restricted_shell = /bin/bash - -; ssh_key_options - Options to be appended to people ssh keys. Users in the -; ssh_restricted_groups will have the keys they uploaded altered when they are -; installed on this machine, appended with the options below. -ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty - diff --git a/configs/web/accounts-proxy.conf b/configs/web/accounts-proxy.conf deleted file mode 100644 index 29c9de6..0000000 --- a/configs/web/accounts-proxy.conf +++ /dev/null @@ -1,12 +0,0 @@ -# fas1 is the only place for gencert right now -RewriteRule /accounts/user/gencert http://fas1/accounts/user/gencert [P] -RewriteRule /accounts/user/dogencert http://fas1/accounts/user/dogencert [P] -# pass ca requests on needed for CRL -ProxyPass /ca http://fas1/ca -ProxyPassReverse /ca http://fas1/ca - -#RewriteRule ^/accounts/(.*) balancer://accountsCluster/accounts/$1 [P] -#RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L] - -RewriteRule ^/accounts/(.*) http://localhost:10004/accounts/$1 [P] -RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L] diff --git a/configs/web/accounts.fedoraproject.org.conf b/configs/web/accounts.fedoraproject.org.conf deleted file mode 100644 index 1220803..0000000 --- a/configs/web/accounts.fedoraproject.org.conf +++ /dev/null @@ -1,13 +0,0 @@ -# proxy1 - 10.8.32.122 -# proxy2 - 10.8.32.121 -# proxy3 - 66.35.62.166 -# proxy4 - 152.46.7.222 -# proxy5 - 80.239.156.215 - - -<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80> - ServerName accounts.fedoraproject.org - ServerAdmin admin(a)fedoraproject.org - - include "conf.d/accounts.fedoraproject.org/*.conf -</VirtualHost> diff --git a/configs/web/accounts.fedoraproject.org/logs.conf b/configs/web/accounts.fedoraproject.org/logs.conf deleted file mode 100644 index 733e6e3..0000000 --- a/configs/web/accounts.fedoraproject.org/logs.conf +++ /dev/null @@ -1,2 +0,0 @@ -CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-access.log.%Y-%m-%d 86400" combined -ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-error.log.%Y-%m-%d 86400" diff --git a/configs/web/accounts.fedoraproject.org/redirect.conf b/configs/web/accounts.fedoraproject.org/redirect.conf deleted file mode 100644 index 1fc6864..0000000 --- a/configs/web/accounts.fedoraproject.org/redirect.conf +++ /dev/null @@ -1 +0,0 @@ -Redirect permanent / https://admin.fedoraproject.org/accounts/ diff --git a/configs/web/applications/Makefile.fedora-ca b/configs/web/applications/Makefile.fedora-ca deleted file mode 100644 index 5da1ea9..0000000 --- a/configs/web/applications/Makefile.fedora-ca +++ /dev/null @@ -1,70 +0,0 @@ -# $Id: Makefile,v 1.4 2006/06/20 18:55:37 jmates Exp $ -# -# NOTE If running OpenSSL 0.9.8a or higher, see -newkey, below. -# -# Automates the setup of a custom Certificate Authority and provides -# routines for signing and revocation of certificates. To use, first -# customize the commands in this file and the settings in openssl.cnf, -# then run: -# -# make init -# -# Then, copy in certificate signing requests, and ensure their suffix is -# .csr before signing them with the following command: -# -# make sign -# -# To revoke a key, name the certificate file with the cert option -# as shown below: -# -# make revoke cert=foo.cert -# -# This will revoke the certificate and call gencrl; the revocation list -# will then need to be copied somehow to the various systems that use -# your CA cert. - -requests = *.csr - -# remove -batch option if want chance to not certify a particular request -sign: FORCE - @openssl ca -batch -config openssl.cnf -days 180 -in $(req) -out $(cert) - -revoke: - @test $${cert:?"usage: make revoke cert=certificate"} - @openssl ca -config openssl.cnf -revoke $(cert) - @$(MAKE) gencrl - -gencrl: - @openssl ca -config openssl.cnf -gencrl -out crl/crl.pem - -clean: - -rm ${requests} - -# creates required supporting files, CA key and certificate -init: - @test ! -f serial - @mkdir crl newcerts private - @chmod go-rwx private - @echo '01' > serial - @touch index - # NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher - @openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM - -help: - @echo make sign req=in.csr cert=out.cert - @echo ' - signs in.csr, outputting to out.cert' - @echo - @echo make revoke cert=filename - @echo ' - revokes certificate in named file and calls gencrl' - @echo - @echo make gencrl - @echo ' - updates Certificate Revocation List (CRL)' - @echo - @echo make clean - @echo ' - removes all *.csr files in this directory' - @echo - @echo make init - @echo ' - required initial setup command for new CA' - -# for legacy make support -FORCE: diff --git a/configs/web/applications/accounts-pubring.gpg b/configs/web/applications/accounts-pubring.gpg deleted file mode 100644 index c75ba2c..0000000 Binary files a/configs/web/applications/accounts-pubring.gpg and /dev/null differ diff --git a/configs/web/applications/accounts.conf b/configs/web/applications/accounts.conf deleted file mode 100644 index ad5803a..0000000 --- a/configs/web/applications/accounts.conf +++ /dev/null @@ -1,26 +0,0 @@ -Alias /accounts/static /usr/share/fas/static -Alias /favicon.ico /usr/share/fas/static/favicon.ico -Alias /accounts/fedora-server-ca.cert /usr/share/fas/static/fedora-server-ca.cert -Alias /accounts/fedora-upload-ca.cert /usr/share/fas/static/fedora-upload-ca.cert -# For serving the crl -Alias /ca /srv/web/ca -CacheDisable /ca/crl.pem -AddType application/x-x509-ca-cert cacert.pem -AddType application/x-x509-crl crl.pem - -WSGISocketPrefix run/wsgi - -# TG implements its own signal handler. -WSGIRestrictSignal Off - -# These are the real tunables -WSGIDaemonProcess fas processes=8 threads=2 maximum-requests=50000 user=fas group=fas display-name=fas inactivity-timeout=300 -WSGIPythonOptimize 2 - -WSGIScriptAlias /accounts /usr/lib/python2.4/site-packages/fas/fas.wsgi/accounts - -<Directory /usr/lib/python2.4/site-packages/fas/> - WSGIProcessGroup fas - Order deny,allow - Allow from all -</Directory> diff --git a/configs/web/applications/certhelper.py b/configs/web/applications/certhelper.py deleted file mode 100755 index 3c278a8..0000000 --- a/configs/web/applications/certhelper.py +++ /dev/null @@ -1,280 +0,0 @@ -#!/usr/bin/python -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Library General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# Copyright 2005 Dan Williams <dcbw(a)redhat.com> and Red Hat, Inc. - - -import sys, os, tempfile - -OPENSSL_PROG = '/usr/bin/openssl' - -def print_usage(prog): - print "\nUsage:\n" - print " %s ca --outdir=<outdir> --name=<name>\n" % prog - print " %s normal --outdir=<outdir> --name=<name> --cadir=<cadir> --caname=<ca-name>" % prog - print "" - print " Types:" - print " ca - Build system Certificate Authority key & certificate" - print " normal - Key & certificate that works with the build server and builders" - print "" - print "Examples:\n" - print " %s ca --outdir=/etc/plague/ca --name=my_ca" % prog - print " %s normal --outdir=/etc/plague/server/certs --name=server --cadir=/etc/plague/ca --caname=my_ca" % prog - print " %s normal --outdir=/etc/plague/builder/certs --name=builder1 --cadir=/etc/plague/ca --caname=my_ca" % prog - print "\n" - - -class CertHelperException: - def __init__(self, message): - self.message = message - - -class CertHelper: - def __init__(self, prog, outdir, name): - self._prog = prog - self._outdir = outdir - self._name = name - - def dispatch(self, cmd, argslist): - if cmd.lower() == 'ca': - self._gencert_ca(argslist) - elif cmd.lower() == 'normal': - self._gencert_normal(argslist) - else: - print_usage(self._prog) - - def _gencert_ca(self, args): - # Set up CA directory - if not os.path.exists(self._outdir): - os.makedirs(self._outdir) - try: - os.makedirs(os.path.join(self._outdir, 'certs')) - os.makedirs(os.path.join(self._outdir, 'crl')) - os.makedirs(os.path.join(self._outdir, 'newcerts')) - os.makedirs(os.path.join(self._outdir, 'private')) - except: - pass - cert_db = os.path.join(self._outdir, "index.txt") - os.system("/bin/touch %s" % cert_db) - serial = os.path.join(self._outdir, "serial") - if not os.path.exists(serial): - os.system("/bin/echo '01' > %s" % serial) - - cnf = write_openssl_cnf(self._outdir, self._name, {}) - - # Create the CA key - key_file = os.path.join(self._outdir, "private", "cakey.pem") - cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - - # Make the self-signed CA certificate - cert_file = os.path.join(self._outdir, "%s_ca_cert.pem" % self._name) - cmd = "%s req -config %s -new -x509 -days 3650 -key %s -out %s -extensions v3_ca" % (OPENSSL_PROG, cnf, key_file, cert_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - - os.remove(cnf) - print "Success. Your Certificate Authority directory is: %s\n" % self._outdir - - def _gencert_normal(self, args): - cadir = argfind(args, 'cadir') - if not cadir: - print_usage(self._prog) - sys.exit(1) - caname = argfind(args, 'caname') - if not caname: - print_usage(self._prog) - sys.exit(1) - - cnf = write_openssl_cnf(cadir, caname, {}) - - # Generate key - key_file = os.path.join(self._outdir, "%s_key.pem" % self._name) - cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - print "" - - # Generate the certificate request - req_file = os.path.join(self._outdir, "%s_req.pem" % self._name) - cmd = '%s req -config %s -new -nodes -out %s -key %s' % (OPENSSL_PROG, cnf, req_file, key_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - print "" - - # Sign the request with the CA's certificate and key - cert_file = os.path.join(self._outdir, "%s_cert.pem" % self._name) - cmd = '%s ca -config %s -days 3650 -out %s -infiles %s' % (OPENSSL_PROG, cnf, cert_file, req_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - print "" - - # Cat the normal cert and key together - key_and_cert = os.path.join(self._outdir, "%s_key_and_cert.pem" % self._name) - cmd = '/bin/cat %s %s > %s' % (key_file, cert_file, key_and_cert) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - - # Cleanup: remove the cert, key, and request files - cmd = "/bin/rm -f %s %s %s" % (key_file, req_file, cert_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - - os.remove(cnf) - print "Success. Your certificate and key file is: %s\n" % key_and_cert - - -def write_openssl_cnf(home, ca_name, opt_dict): - (fd, name) = tempfile.mkstemp('', 'openssl_cnf_', dir=None, text=True) - os.write(fd, """ -############################## -HOME = %s -RANDFILE = .rand - -############################## -[ ca ] -default_ca = CA_default\n - -############################## -[ CA_default ] - -dir = $HOME -certs = $dir/certs -crl_dir = $dir/crl -database = $dir/index.txt -new_certs_dir = $dir/newcerts - -certificate = $dir/cacert.pem -private_key = $dir/private/cakey.pem -serial = $dir/serial -crl = $dir/crl.pem - -x509_extensions = usr_cert - -name_opt = ca_default -cert_opt = ca_default - -default_days = 3650 -default_crl_days= 30 -default_md = md5 -preserve = no - -policy = policy_match - -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -############################## -[ req ] -default_bits = 1024 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -string_mask = MASK:0x2002 - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = US -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = North Carolina - -localityName = Locality Name (eg, city) -localityName_default = Raleigh - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Fedora Project - -organizationalUnitName = Organizational Unit Name (eg, section) - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -############################## -[ usr_cert ] - -basicConstraints=CA:FALSE -nsComment = "OpenSSL Generated Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -############################## -[ v3_ca ] - -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:true - -""" % (home)) - - return name - -def argfind(arglist, prefix): - val = None - for arg in arglist: - if arg.startswith('--%s=' % prefix): - val = arg - break - if not val: - return None - val = val.replace('--%s=' % prefix, '') - return val - -if __name__ == '__main__': - prog = sys.argv[0] - if len(sys.argv) < 3: - print_usage(prog) - sys.exit(1) - - outdir = argfind(sys.argv, 'outdir') - if not outdir: - print_usage(prog) - sys.exit(1) - - name = argfind(sys.argv, 'name') - if not name: - print_usage(prog) - sys.exit(1) - - ch = CertHelper(prog, outdir, name) - try: - ch.dispatch(sys.argv[1], sys.argv) - except CertHelperException, e: - print e.message - sys.exit(1) - - sys.exit(0) - diff --git a/configs/web/applications/fas-log.cfg b/configs/web/applications/fas-log.cfg deleted file mode 100644 index 3f7843d..0000000 --- a/configs/web/applications/fas-log.cfg +++ /dev/null @@ -1,29 +0,0 @@ -# LOGGING -# Logging is often deployment specific, but some handlers and -# formatters can be defined here. - -[logging] -[[formatters]] -[[[message_only]]] -format='*(message)s' - -[[[full_content]]] -format='*(name)s *(levelname)s *(message)s' - -[[handlers]] -[[[debug_out]]] -class='StreamHandler' -level='DEBUG' -args='(sys.stdout,)' -formatter='full_content' - -[[[access_out]]] -class='StreamHandler' -level='INFO' -args='(sys.stdout,)' -formatter='message_only' - -[[[error_out]]] -class='StreamHandler' -level='ERROR' -args='(sys.stdout,)' diff --git a/configs/web/applications/fas-prod.cfg.erb b/configs/web/applications/fas-prod.cfg.erb deleted file mode 100644 index fa85c4a..0000000 --- a/configs/web/applications/fas-prod.cfg.erb +++ /dev/null @@ -1,163 +0,0 @@ -[global] -samadhi.baseurl = 'https://admin.fedoraproject.org/' - -admingroup = 'accounts' -systemgroup = 'fas-system' -thirdpartygroup = 'thirdparty' - -theme = 'fas' - -accounts_email = "accounts(a)fedoraproject.org" -legal_cla_email = "legal-cla-archive(a)fedoraproject.org" - -email_host = "fedoraproject.org" # as in, web-members@email_host - -gpgexec = "/usr/bin/gpg" -gpghome = "/etc/fas-gpg" -gpg_fingerprint = "7662 A6D3 4F21 A653 7BD4 BA64 20A0 8C45 4A0E 6255" -gpg_passphrase = "<%= fasGpgPassphrase %>" -gpg_keyserver = "hkp://subkeys.pgp.net" - -cla_done_group = "cla_done" -cla_fedora_group = "cla_fedora" - -privileged_view_groups = "(^fas-.*)" -username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,bin,board,bodhi2,canna,chair,chairman,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,famsco,fax,fedora,fedorarewards,fesco,freemedia,ftp,ftpadm,ftpadmin,games,gdm,gopher,gregdek,halt,hostmaster,ident,info,ingres,jaboutboul,jan,keys,ldap,legal,logo,lp,mail,mailnull,manager,marketing,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,nrpe,nscd,ntp,nut,openvideo,operator,packager,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,root,rpc,rpcuser,rpm,sales,scholarship,secalert,security,shutdown,smmsp,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" - -openidstore = "/var/tmp/fas/openid" - -# Enable or disable generation of SSL certificates for users -gencert = <%= genCert %> - -makeexec = "/usr/bin/make" -openssl_lockdir = "/var/lock/fedora-ca" -openssl_digest = "md5" -openssl_expire = 15552000 # 60*60*24*180 = 6 months -openssl_ca_dir = "/var/lib/fedora-ca" -openssl_ca_newcerts = "/var/lib/fedora-ca/newcerts" -openssl_ca_index = "/var/lib/fedora-ca/index.txt" -openssl_c = "US" -openssl_st = "North Carolina" -openssl_l = "Raleigh" -openssl_o = "Fedora Project" -openssl_ou = "Fedora User Cert" - -# Groups that automatically grant membership to other groups -# Format: 'group1:a,b,c|group2:d,e,f' -auto_approve_groups = 'packager:fedorabugs|cla_fedora:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done' - -# This is where all of your settings go for your development environment -# Settings that are the same for both development and production -# (such as template engine, encodings, etc.) all go in -# fas/config/app.cfg - -mail.on = True -mail.server = 'bastion' -#mail.testmode = True -mail.debug = False -mail.encoding = 'utf-8' - -# DATABASE - -# pick the form for your database -# sqlobject.dburi="postgres://username@hostname/databasename" -# sqlobject.dburi="mysql://username:password@hostname:port/databasename" -# sqlobject.dburi="sqlite:///file_name_and_path" - -# If you have sqlite, here's a simple default to get you started -# in development -sqlalchemy.dburi="postgres://fas:<%= fasDbPassword %>@db2/fas2" -sqlalchemy.echo=False - -# if you are using a database or table type without transactions -# (MySQL default, for example), you should turn off transactions -# by prepending notrans_ on the uri -# sqlobject.dburi="notrans_mysql://username:password@hostname:port/databasename" - -# for Windows users, sqlite URIs look like: -# sqlobject.dburi="sqlite:///drive_letter:/path/to/file" - -# SERVER - -# Some server parameters that you may want to tweak -server.socket_port=8088 -server.thread_pool=50 -server.socket_queue_size=30 - -# FAS2 is mmuch busier than other servers due to serving visit and auth via -# JSON. -# Double pool_size -#sqlalchemy.pool_size=10 -# And increase overflow above what other servers have -#sqlalchemy.max_overflow=25 -# When using wsgi, we want the pool to be very low (as a separate instance is -# run in each apache mod_wsgi thread. So each one is going to have very few -# concurrent db connections. -sqlalchemy.pool_size=1 -sqlalchemy.max_overflow=2 - -# Enable the debug output at the end on pages. -# log_debug_info_filter.on = False - -server.environment="production" -autoreload.package="fas" - -session_filter.on = True - -# Set to True if you'd like to abort execution if a controller gets an -# unexpected parameter. False by default -tg.strict_parameters = True -tg.ignore_parameters = ["_csrf_token"] - -server.webpath='/accounts' -base_url_filter.on = True -base_url_filter.use_x_forwarded_host = True -base_url_filter.base_url = "https://admin.fedoraproject.org" - -# Make the session cookie only return to the host over an SSL link -visit.cookie.secure = True -session_filter.cookie_secure = True - -[/fedora-server-ca.cert] -static_filter.on = True -static_filter.file = "/etc/pki/fas/fedora-server-ca.cert" - -[/fedora-upload-ca.cert] -static_filter.on = True -static_filter.file = "/etc/pki/fas/fedora-upload-ca.cert" - -# LOGGING -# Logging configuration generally follows the style of the standard -# Python logging module configuration. Note that when specifying -# log format messages, you need to use *() for formatting variables. -# Deployment independent log configuration is in fas/config/log.cfg -[logging] - -[[loggers]] -[[[fas]]] -level='DEBUG' -qualname='fas' -handlers=['debug_out'] - -[[[allinfo]]] -level='INFO' -handlers=['debug_out'] - -#[[[access]]] -#level='INFO' -#qualname='turbogears.access' -#handlers=['access_out'] -#propagate=0 - -[[[identity]]] -level='INFO' -qualname='turbogears.identity' -handlers=['access_out'] -propagate=0 - -[[[database]]] -# Set to INFO to make SQLAlchemy display SQL commands -level='ERROR' -qualname='sqlalchemy.engine' -handlers=['debug_out'] -propagate=0 diff --git a/configs/web/applications/fas.wsgi b/configs/web/applications/fas.wsgi deleted file mode 100644 index 865cc08..0000000 --- a/configs/web/applications/fas.wsgi +++ /dev/null @@ -1,50 +0,0 @@ -#!/usr/bin/python -import sys -sys.path.append('/usr/lib/python2.4/site-packages/fas/') -sys.stdout = sys.stderr - -import pkg_resources -pkg_resources.require('CherryPy <= 3.0alpha') - -import os -os.environ['PYTHON_EGG_CACHE'] = '/var/www/.python-eggs' - -import atexit -import cherrypy -import cherrypy._cpwsgi -import turbogears -import turbogears.startup -from formencode.variabledecode import NestedVariables -import fedora.tg.util - -class MyNestedVariablesFilter(object): - def before_main(self): - if hasattr(cherrypy.request, "params"): - cherrypy.request.params_backup = cherrypy.request.params - cherrypy.request.params = \ - NestedVariables.to_python(cherrypy.request.params or {}) - -turbogears.startup.NestedVariablesFilter = MyNestedVariablesFilter - -turbogears.update_config(configfile="/etc/fas.cfg", modulename="fas.config") -turbogears.config.update({'global': {'server.environment': 'production'}}) -turbogears.config.update({'global': {'autoreload.on': False}}) -turbogears.config.update({'global': {'server.log_to_screen': False}}) -turbogears.config.update({'global': {'server.webpath': '/accounts'}}) -turbogears.config.update({'global': {'base_url_filter.on': True}}) -turbogears.config.update({'global': {'base_url_filter.base_url': 'https://admin.fedoraproject.org'}}) -#turbogears.config.update({'global': {'sqlalchemy.recycle': '10'}}) - -turbogears.startup.call_on_startup.append(fedora.tg.util.enable_csrf) - -import fas.controllers - -cherrypy.root = fas.controllers.Root() - -if cherrypy.server.state == 0: - atexit.register(cherrypy.server.stop) - cherrypy.server.start(init_only=True, server_class=None) - -def application(environ, start_response): - environ['SCRIPT_NAME'] = '' - return cherrypy._cpwsgi.wsgiApp(environ, start_response) diff --git a/configs/web/applications/fedora-ca-client-openssl.cnf b/configs/web/applications/fedora-ca-client-openssl.cnf deleted file mode 100644 index 5c3bb15..0000000 --- a/configs/web/applications/fedora-ca-client-openssl.cnf +++ /dev/null @@ -1,317 +0,0 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = /var/lib/fedora-ca/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = . # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. - -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem # The private key -RANDFILE = $dir/private/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = sha1 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 2048 -default_md = sha1 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -# we use PrintableString+UTF8String mask so if pure ASCII texts are used -# the resulting certificates are compatible with Netscape -string_mask = MASK:0x2002 - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = US -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = North Carolina - -localityName = Locality Name (eg, city) -localityName_default = Raleigh - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Fedora Project - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -#challengePassword = A challenge password -#challengePassword_min = 0 -#challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always - -[ proxy_cert_ext ] -# These extensions should be added when creating a proxy certificate - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This really needs to be in place for it to be a proxy certificate. -proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/configs/web/fas.fedoraproject.org.conf b/configs/web/fas.fedoraproject.org.conf deleted file mode 100644 index 7db2e97..0000000 --- a/configs/web/fas.fedoraproject.org.conf +++ /dev/null @@ -1,13 +0,0 @@ -# proxy1 - 10.8.32.122 -# proxy2 - 10.8.32.121 -# proxy3 - 66.35.62.166 -# proxy4 - 152.46.7.222 -# proxy5 - 80.239.156.215 - - -<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80> - ServerName fas.fedoraproject.org - ServerAdmin admin(a)fedoraproject.org - - include "conf.d/fas.fedoraproject.org/*.conf -</VirtualHost> diff --git a/configs/web/fas.fedoraproject.org/logs.conf b/configs/web/fas.fedoraproject.org/logs.conf deleted file mode 100644 index 9195af7..0000000 --- a/configs/web/fas.fedoraproject.org/logs.conf +++ /dev/null @@ -1,2 +0,0 @@ -CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-access.log.%Y-%m-%d 86400" combined -ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-error.log.%Y-%m-%d 86400" diff --git a/configs/web/fas.fedoraproject.org/redirect.conf b/configs/web/fas.fedoraproject.org/redirect.conf deleted file mode 100644 index 1fc6864..0000000 --- a/configs/web/fas.fedoraproject.org/redirect.conf +++ /dev/null @@ -1 +0,0 @@ -Redirect permanent / https://admin.fedoraproject.org/accounts/ diff --git a/manifests/services/fas.pp b/manifests/services/fas.pp deleted file mode 100644 index 3ae09e3..0000000 --- a/manifests/services/fas.pp +++ /dev/null @@ -1,292 +0,0 @@ -# Fedora Account System -class fas { - include fas-clients-package - include python-fedora-package - - if $groups { - $notGroup = '' - } else { - $groups = 'sysadmin-main' - } - if $sshGroups { - $notSshGroup = '' - } else { - $sshGroups = '' - } - if $restrictedApp { - $notRestrictedApp = '' - } else { - $restrictedApp = '/usr/bin/cvs server' - } - - configfile { "/etc/nsswitch.conf": - source => "fas/nsswitch.conf" - } - templatefile { '/etc/fas.conf': - content => template('system/fas.conf.erb'), - mode => '0600', - - } -# exec { 'make-accounts': -# command => '/usr/bin/fasClient -e; /usr/bin/fasClient -i', -# subscribe => Templatefile['/etc/fas.conf'], -# require => Package['fas-clients'], -# refreshonly => true -# } - configfile { '/etc/cron.d/fasSync': - source => 'fas/fasSync', - require => Package[fas-clients], - } - file { "/root/bin/": - ensure => directory, - } - cert { '/etc/sudoers': - source => "secure/sudoers" - } -} - -class fas-proxy inherits httpd { - apachefile { "/etc/httpd/conf.d/admin.fedoraproject.org/accounts.conf": - source => 'web/accounts-proxy.conf' - } - - apachefile { '/etc/httpd/conf.d/fas.fedoraproject.org.conf': - source => 'web/fas.fedoraproject.org.conf', - } - - apachefile { '/etc/httpd/conf.d/fas.fedoraproject.org/': - source => 'web/fas.fedoraproject.org/', - recurse => true - } - - apachefile { '/etc/httpd/conf.d/accounts.fedoraproject.org.conf': - source => 'web/accounts.fedoraproject.org.conf', - } - - apachefile { '/etc/httpd/conf.d/accounts.fedoraproject.org/': - source => 'web/accounts.fedoraproject.org/', - recurse => true - } - -} - -class fas-server-base inherits turbogears { - $bugzillaUser='fedora-admin-xmlrpc(a)redhat.com' - include httpd - include mod_wsgi::module - - package { fas: - ensure => present, - } - - package { fas-plugin-asterisk: - ensure => present, - } - - ### HACK: Need to solve this better later - apachefile { '/usr/lib/python2.4/site-packages/fas/fas.wsgi': - source => 'web/applications/fas.wsgi', - require => Package['mod_wsgi'] - } - - file { '/var/www/.python-eggs': - ensure => directory, - mode => '0700', - owner => 'apache' - } - - file { '/etc/fas-gpg': - ensure => directory, - mode => '0700', - owner => 'fas', - group => 'fas', - } - - cert { '/etc/fas-gpg/secring.gpg': - source => 'secure/accounts-secring.gpg', - owner => 'fas', - group => 'fas', - mode => 600, - require => File['/etc/fas-gpg'] - } - - file { '/etc/fas-gpg/pubring.gpg': - owner => 'fas', - group => 'fas', - mode => 600, - replace => false, - ensure => file, - source => 'puppet:///config/web/applications/accounts-pubring.gpg', - } - - apachefile { '/etc/httpd/conf.d/accounts.conf': - source => 'web/applications/accounts.conf', - require => Package['mod_wsgi'] - } - - file { '/etc/pki/fas': - ensure => directory, - mode => '0700', - owner => 'fas', - group => 'fas', - } - # These are both public certs so there's no reason to hide them - configfile { '/etc/pki/fas/fedora-server-ca.cert': - source => 'secure/fedora-ca.cert', - } - - configfile { '/etc/pki/fas/fedora-upload-ca.cert': - source => 'secure/fedora-ca.cert', - } - - templatefile { '/etc/export-bugzilla.cfg': - content => template('system/export-bugzilla.cfg.erb'), - owner => 'fas', - # Contains passwords so it needs to be restricted - mode => '0640' - } - - # Note: This will move into the fas rpm soon - script { "/usr/local/bin/export-bugzilla.py": - source => "system/export-bugzilla.py", - mode => 0755 - } - cert { '/usr/share/fas/static/fedora-server-ca.cert': - source => 'secure/fedora-ca.cert', - owner => 'apache', - group => 'sysadmin-main', - mode => '0440' - } - - cert { '/usr/share/fas/static/fedora-upload-ca.cert': - source => 'secure/fedora-ca.cert', - owner => 'apache', - group => 'sysadmin-main', - mode => '0440' - } - - configfile { '/usr/lib/python2.4/site-packages/fas/config/log.cfg': - source => 'web/applications/fas-log.cfg', - owner => 'root', - group => 'root', - notify => Service['httpd'], - require => Package['httpd'], - mode => '0644' - } -} - -class fas-server inherits fas-server-base { - - $genCert = 'False' - templatefile { '/etc/fas.cfg': - content => template('web/applications/fas-prod.cfg.erb'), - owner => 'fas', - group => 'apache', - notify => Service['httpd'], - require => Package['httpd'], - mode => '640' - } - -} - -class fas-server-gencert inherits fas-server-base { - - $genCert = 'True' - templatefile { '/etc/fas.cfg': - content => template('web/applications/fas-prod.cfg.erb'), - owner => 'fas', - group => 'apache', - notify => Service['httpd'], - require => Package['httpd'], - mode => '640' - } - - # These should be created by the fas package later - file { '/var/lock/fedora-ca': - ensure => directory, - mode => '0700', - owner => 'fas', - group => 'fas', - require => Package[fas], - } - - file { '/var/lib/fedora-ca': - ensure => directory, - mode => '0771', - owner => 'fas', - group => 'sysadmin-main', - require => Package[fas], - } - - file { '/var/lib/fedora-ca/newcerts': - ensure => directory, - mode => '0770', - owner => 'fas', - group => 'sysadmin-main', - require => Package[fas], - } - - file { '/var/lib/fedora-ca/private': - ensure => directory, - mode => '0750', - owner => 'fas', - group => 'sysadmin-main' - } - - # For publishing the crl - file { '/srv/web/ca': - ensure => directory, - mode => '0755', - owner => 'apache', - group => 'apache' - } - - configfile { '/var/lib/fedora-ca/Makefile': - source => 'web/applications/Makefile.fedora-ca', - mode => '0644' - } - - configfile { '/var/lib/fedora-ca/openssl.cnf': - source => 'web/applications/fedora-ca-client-openssl.cnf', - mode => '0644' - } - - script { '/var/lib/fedora-ca/certhelper.py': - source => 'web/applications/certhelper.py', - mode => '0750', - owner => 'root', - group => 'sysadmin-main' - } - - - # Public keys don't need restrictive permissions - configfile { '/var/lib/fedora-ca/cacert.pem': - source => 'secure/fedora-ca.cert', - mode => '0444' - } - - # First of every month, force a new crl to be created - cron { gen-crl: - command => "cd /var/lib/fedora-ca ; /usr/bin/make gencrl &> /dev/null", - user => "apache", - minute => 0, - hour => 0, - monthday => [ 1, 15 ], - } - - symlink { '/srv/web/ca/crl.pem': - ensure => '/var/lib/fedora-ca/crl/crl.pem' - } -} - -# Note: path will change when it moves into the fas rpm -class fas-no-balance { - cron { export-bugzilla: - command => "/usr/local/bin/export-bugzilla.py fedorabugs fedora_contrib", - user => "fas", - minute => 10, - ensure => present, - require => Package['fas'], - environment => "MAILTO=root" - } -} commit a5c86d8ecd5cb5aa373a9dd608bb20eb6aaf8a74 Author: Mike McGrath <mmcgrath(a)redhat.com> Date: Wed Apr 8 19:52:34 2009 +0000 Added fas module diff --git a/modules/fas/README b/modules/fas/README new file mode 100644 index 0000000..59b50b3 --- /dev/null +++ b/modules/fas/README @@ -0,0 +1,10 @@ +FAS Fedora Account System +------------------------ + +The Fedora Account System is a web application that manages the accounts of +Fedora Project Contributors. It's built in TurboGears and comes with a json +API for querying against remotely. + +The python-fedora-infrastructure package has a TurboGears identity provider +that works with the Account System. + diff --git a/modules/fas/files/Makefile.fedora-ca b/modules/fas/files/Makefile.fedora-ca new file mode 100644 index 0000000..5da1ea9 --- /dev/null +++ b/modules/fas/files/Makefile.fedora-ca @@ -0,0 +1,70 @@ +# $Id: Makefile,v 1.4 2006/06/20 18:55:37 jmates Exp $ +# +# NOTE If running OpenSSL 0.9.8a or higher, see -newkey, below. +# +# Automates the setup of a custom Certificate Authority and provides +# routines for signing and revocation of certificates. To use, first +# customize the commands in this file and the settings in openssl.cnf, +# then run: +# +# make init +# +# Then, copy in certificate signing requests, and ensure their suffix is +# .csr before signing them with the following command: +# +# make sign +# +# To revoke a key, name the certificate file with the cert option +# as shown below: +# +# make revoke cert=foo.cert +# +# This will revoke the certificate and call gencrl; the revocation list +# will then need to be copied somehow to the various systems that use +# your CA cert. + +requests = *.csr + +# remove -batch option if want chance to not certify a particular request +sign: FORCE + @openssl ca -batch -config openssl.cnf -days 180 -in $(req) -out $(cert) + +revoke: + @test $${cert:?"usage: make revoke cert=certificate"} + @openssl ca -config openssl.cnf -revoke $(cert) + @$(MAKE) gencrl + +gencrl: + @openssl ca -config openssl.cnf -gencrl -out crl/crl.pem + +clean: + -rm ${requests} + +# creates required supporting files, CA key and certificate +init: + @test ! -f serial + @mkdir crl newcerts private + @chmod go-rwx private + @echo '01' > serial + @touch index + # NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher + @openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM + +help: + @echo make sign req=in.csr cert=out.cert + @echo ' - signs in.csr, outputting to out.cert' + @echo + @echo make revoke cert=filename + @echo ' - revokes certificate in named file and calls gencrl' + @echo + @echo make gencrl + @echo ' - updates Certificate Revocation List (CRL)' + @echo + @echo make clean + @echo ' - removes all *.csr files in this directory' + @echo + @echo make init + @echo ' - required initial setup command for new CA' + +# for legacy make support +FORCE: diff --git a/modules/fas/files/accounts-proxy.conf b/modules/fas/files/accounts-proxy.conf new file mode 100644 index 0000000..7a729e4 --- /dev/null +++ b/modules/fas/files/accounts-proxy.conf @@ -0,0 +1,11 @@ +# fas1 is the only place for gencert right now +RewriteRule /accounts/user/gencert http://fas1/accounts/user/gencert [P] +# pass ca requests on needed for CRL +ProxyPass /ca http://fas1/ca +ProxyPassReverse /ca http://fas1/ca + +#RewriteRule ^/accounts/(.*) balancer://accountsCluster/accounts/$1 [P] +#RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L] + +RewriteRule ^/accounts/(.*) http://localhost:10004/accounts/$1 [P] +RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L] diff --git a/modules/fas/files/accounts-pubring.gpg b/modules/fas/files/accounts-pubring.gpg new file mode 100644 index 0000000..c75ba2c Binary files /dev/null and b/modules/fas/files/accounts-pubring.gpg differ diff --git a/modules/fas/files/accounts.conf b/modules/fas/files/accounts.conf new file mode 100644 index 0000000..ad5803a --- /dev/null +++ b/modules/fas/files/accounts.conf @@ -0,0 +1,26 @@ +Alias /accounts/static /usr/share/fas/static +Alias /favicon.ico /usr/share/fas/static/favicon.ico +Alias /accounts/fedora-server-ca.cert /usr/share/fas/static/fedora-server-ca.cert +Alias /accounts/fedora-upload-ca.cert /usr/share/fas/static/fedora-upload-ca.cert +# For serving the crl +Alias /ca /srv/web/ca +CacheDisable /ca/crl.pem +AddType application/x-x509-ca-cert cacert.pem +AddType application/x-x509-crl crl.pem + +WSGISocketPrefix run/wsgi + +# TG implements its own signal handler. +WSGIRestrictSignal Off + +# These are the real tunables +WSGIDaemonProcess fas processes=8 threads=2 maximum-requests=50000 user=fas group=fas display-name=fas inactivity-timeout=300 +WSGIPythonOptimize 2 + +WSGIScriptAlias /accounts /usr/lib/python2.4/site-packages/fas/fas.wsgi/accounts + +<Directory /usr/lib/python2.4/site-packages/fas/> + WSGIProcessGroup fas + Order deny,allow + Allow from all +</Directory> diff --git a/modules/fas/files/accounts.fedoraproject.org.conf b/modules/fas/files/accounts.fedoraproject.org.conf new file mode 100644 index 0000000..1220803 --- /dev/null +++ b/modules/fas/files/accounts.fedoraproject.org.conf @@ -0,0 +1,13 @@ +# proxy1 - 10.8.32.122 +# proxy2 - 10.8.32.121 +# proxy3 - 66.35.62.166 +# proxy4 - 152.46.7.222 +# proxy5 - 80.239.156.215 + + +<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80> + ServerName accounts.fedoraproject.org + ServerAdmin admin(a)fedoraproject.org + + include "conf.d/accounts.fedoraproject.org/*.conf +</VirtualHost> diff --git a/modules/fas/files/accounts.fedoraproject.org/logs.conf b/modules/fas/files/accounts.fedoraproject.org/logs.conf new file mode 100644 index 0000000..733e6e3 --- /dev/null +++ b/modules/fas/files/accounts.fedoraproject.org/logs.conf @@ -0,0 +1,2 @@ +CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-access.log.%Y-%m-%d 86400" combined +ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-error.log.%Y-%m-%d 86400" diff --git a/modules/fas/files/accounts.fedoraproject.org/redirect.conf b/modules/fas/files/accounts.fedoraproject.org/redirect.conf new file mode 100644 index 0000000..1fc6864 --- /dev/null +++ b/modules/fas/files/accounts.fedoraproject.org/redirect.conf @@ -0,0 +1 @@ +Redirect permanent / https://admin.fedoraproject.org/accounts/ diff --git a/modules/fas/files/certhelper.py b/modules/fas/files/certhelper.py new file mode 100755 index 0000000..3c278a8 --- /dev/null +++ b/modules/fas/files/certhelper.py @@ -0,0 +1,280 @@ +#!/usr/bin/python +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Library General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Copyright 2005 Dan Williams <dcbw(a)redhat.com> and Red Hat, Inc. + + +import sys, os, tempfile + +OPENSSL_PROG = '/usr/bin/openssl' + +def print_usage(prog): + print "\nUsage:\n" + print " %s ca --outdir=<outdir> --name=<name>\n" % prog + print " %s normal --outdir=<outdir> --name=<name> --cadir=<cadir> --caname=<ca-name>" % prog + print "" + print " Types:" + print " ca - Build system Certificate Authority key & certificate" + print " normal - Key & certificate that works with the build server and builders" + print "" + print "Examples:\n" + print " %s ca --outdir=/etc/plague/ca --name=my_ca" % prog + print " %s normal --outdir=/etc/plague/server/certs --name=server --cadir=/etc/plague/ca --caname=my_ca" % prog + print " %s normal --outdir=/etc/plague/builder/certs --name=builder1 --cadir=/etc/plague/ca --caname=my_ca" % prog + print "\n" + + +class CertHelperException: + def __init__(self, message): + self.message = message + + +class CertHelper: + def __init__(self, prog, outdir, name): + self._prog = prog + self._outdir = outdir + self._name = name + + def dispatch(self, cmd, argslist): + if cmd.lower() == 'ca': + self._gencert_ca(argslist) + elif cmd.lower() == 'normal': + self._gencert_normal(argslist) + else: + print_usage(self._prog) + + def _gencert_ca(self, args): + # Set up CA directory + if not os.path.exists(self._outdir): + os.makedirs(self._outdir) + try: + os.makedirs(os.path.join(self._outdir, 'certs')) + os.makedirs(os.path.join(self._outdir, 'crl')) + os.makedirs(os.path.join(self._outdir, 'newcerts')) + os.makedirs(os.path.join(self._outdir, 'private')) + except: + pass + cert_db = os.path.join(self._outdir, "index.txt") + os.system("/bin/touch %s" % cert_db) + serial = os.path.join(self._outdir, "serial") + if not os.path.exists(serial): + os.system("/bin/echo '01' > %s" % serial) + + cnf = write_openssl_cnf(self._outdir, self._name, {}) + + # Create the CA key + key_file = os.path.join(self._outdir, "private", "cakey.pem") + cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + + # Make the self-signed CA certificate + cert_file = os.path.join(self._outdir, "%s_ca_cert.pem" % self._name) + cmd = "%s req -config %s -new -x509 -days 3650 -key %s -out %s -extensions v3_ca" % (OPENSSL_PROG, cnf, key_file, cert_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + + os.remove(cnf) + print "Success. Your Certificate Authority directory is: %s\n" % self._outdir + + def _gencert_normal(self, args): + cadir = argfind(args, 'cadir') + if not cadir: + print_usage(self._prog) + sys.exit(1) + caname = argfind(args, 'caname') + if not caname: + print_usage(self._prog) + sys.exit(1) + + cnf = write_openssl_cnf(cadir, caname, {}) + + # Generate key + key_file = os.path.join(self._outdir, "%s_key.pem" % self._name) + cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + print "" + + # Generate the certificate request + req_file = os.path.join(self._outdir, "%s_req.pem" % self._name) + cmd = '%s req -config %s -new -nodes -out %s -key %s' % (OPENSSL_PROG, cnf, req_file, key_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + print "" + + # Sign the request with the CA's certificate and key + cert_file = os.path.join(self._outdir, "%s_cert.pem" % self._name) + cmd = '%s ca -config %s -days 3650 -out %s -infiles %s' % (OPENSSL_PROG, cnf, cert_file, req_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + print "" + + # Cat the normal cert and key together + key_and_cert = os.path.join(self._outdir, "%s_key_and_cert.pem" % self._name) + cmd = '/bin/cat %s %s > %s' % (key_file, cert_file, key_and_cert) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + + # Cleanup: remove the cert, key, and request files + cmd = "/bin/rm -f %s %s %s" % (key_file, req_file, cert_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + + os.remove(cnf) + print "Success. Your certificate and key file is: %s\n" % key_and_cert + + +def write_openssl_cnf(home, ca_name, opt_dict): + (fd, name) = tempfile.mkstemp('', 'openssl_cnf_', dir=None, text=True) + os.write(fd, """ +############################## +HOME = %s +RANDFILE = .rand + +############################## +[ ca ] +default_ca = CA_default\n + +############################## +[ CA_default ] + +dir = $HOME +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +new_certs_dir = $dir/newcerts + +certificate = $dir/cacert.pem +private_key = $dir/private/cakey.pem +serial = $dir/serial +crl = $dir/crl.pem + +x509_extensions = usr_cert + +name_opt = ca_default +cert_opt = ca_default + +default_days = 3650 +default_crl_days= 30 +default_md = md5 +preserve = no + +policy = policy_match + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +############################## +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +string_mask = MASK:0x2002 + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = North Carolina + +localityName = Locality Name (eg, city) +localityName_default = Raleigh + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Fedora Project + +organizationalUnitName = Organizational Unit Name (eg, section) + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +############################## +[ usr_cert ] + +basicConstraints=CA:FALSE +nsComment = "OpenSSL Generated Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +############################## +[ v3_ca ] + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true + +""" % (home)) + + return name + +def argfind(arglist, prefix): + val = None + for arg in arglist: + if arg.startswith('--%s=' % prefix): + val = arg + break + if not val: + return None + val = val.replace('--%s=' % prefix, '') + return val + +if __name__ == '__main__': + prog = sys.argv[0] + if len(sys.argv) < 3: + print_usage(prog) + sys.exit(1) + + outdir = argfind(sys.argv, 'outdir') + if not outdir: + print_usage(prog) + sys.exit(1) + + name = argfind(sys.argv, 'name') + if not name: + print_usage(prog) + sys.exit(1) + + ch = CertHelper(prog, outdir, name) + try: + ch.dispatch(sys.argv[1], sys.argv) + except CertHelperException, e: + print e.message + sys.exit(1) + + sys.exit(0) + diff --git a/modules/fas/files/export-bugzilla.py b/modules/fas/files/export-bugzilla.py new file mode 100755 index 0000000..4b6b416 --- /dev/null +++ b/modules/fas/files/export-bugzilla.py @@ -0,0 +1,68 @@ +#!/usr/bin/python -t +__requires__ = 'TurboGears' +import pkg_resources +pkg_resources.require('CherryPy >= 2.0, < 3.0alpha') + +import sys +import getopt +import xmlrpclib +import turbogears +from turbogears import config +turbogears.update_config(configfile="/etc/export-bugzilla.cfg") +from turbogears.database import session +from fas.model import BugzillaQueue + +BZSERVER = config.get('bugzilla.url', 'https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi') +BZUSER = config.get('bugzilla.username') +BZPASS = config.get('bugzilla.password') + +if __name__ == '__main__': + opts, args = getopt.getopt(sys.argv[1:], '', ('usage', 'help')) + if len(args) != 2 or ('--usage','') in opts or ('--help','') in opts: + print """ + Usage: export-bugzilla.py GROUP BUGZILLA_GROUP + """ + sys.exit(1) + ourGroup = args[0] + bzGroup = args[1] + + server = xmlrpclib.Server(BZSERVER) + bugzilla_queue = BugzillaQueue.query.join('group').filter_by( + name=ourGroup) + + for entry in bugzilla_queue: + # Make sure we have a record for this user in bugzilla + if entry.action == 'r': + # Remove the user's bugzilla group + try: + server.bugzilla.updatePerms(entry.email, 'rem', (bzGroup,), + BZUSER, BZPASS) + except xmlrpclib.Fault, e: + if e.faultCode == 504: + # It's okay, not having this user is equivalent to setting + # them to not have this group. + pass + else: + raise + + elif entry.action == 'a': + # Try to create the user + try: + server.bugzilla.addUser(entry.email, entry.person.human_name, BZUSER, BZPASS) + except xmlrpclib.Fault, e: + if e.faultCode == 500: + # It's okay, we just need to make sure the user has an + # account. + pass + else: + print entry.email,entry.person.human_name + raise + server.bugzilla.updatePerms(entry.email, 'add', (bzGroup,), + BZUSER, BZPASS) + else: + print 'Unrecognized action code: %s %s %s %s %s' % (entry.action, + entry.email, entry.person.human_name, entry.person.username, entry.group.name) + + # Remove them from the queue + session.delete(entry) + session.flush() diff --git a/modules/fas/files/fas-log.cfg b/modules/fas/files/fas-log.cfg new file mode 100644 index 0000000..3f7843d --- /dev/null +++ b/modules/fas/files/fas-log.cfg @@ -0,0 +1,29 @@ +# LOGGING +# Logging is often deployment specific, but some handlers and +# formatters can be defined here. + +[logging] +[[formatters]] +[[[message_only]]] +format='*(message)s' + +[[[full_content]]] +format='*(name)s *(levelname)s *(message)s' + +[[handlers]] +[[[debug_out]]] +class='StreamHandler' +level='DEBUG' +args='(sys.stdout,)' +formatter='full_content' + +[[[access_out]]] +class='StreamHandler' +level='INFO' +args='(sys.stdout,)' +formatter='message_only' + +[[[error_out]]] +class='StreamHandler' +level='ERROR' +args='(sys.stdout,)' diff --git a/modules/fas/files/fas.fedoraproject.org.conf b/modules/fas/files/fas.fedoraproject.org.conf new file mode 100644 index 0000000..7db2e97 --- /dev/null +++ b/modules/fas/files/fas.fedoraproject.org.conf @@ -0,0 +1,13 @@ +# proxy1 - 10.8.32.122 +# proxy2 - 10.8.32.121 +# proxy3 - 66.35.62.166 +# proxy4 - 152.46.7.222 +# proxy5 - 80.239.156.215 + + +<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80> + ServerName fas.fedoraproject.org + ServerAdmin admin(a)fedoraproject.org + + include "conf.d/fas.fedoraproject.org/*.conf +</VirtualHost> diff --git a/modules/fas/files/fas.fedoraproject.org/logs.conf b/modules/fas/files/fas.fedoraproject.org/logs.conf new file mode 100644 index 0000000..9195af7 --- /dev/null +++ b/modules/fas/files/fas.fedoraproject.org/logs.conf @@ -0,0 +1,2 @@ +CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-access.log.%Y-%m-%d 86400" combined +ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-error.log.%Y-%m-%d 86400" diff --git a/modules/fas/files/fas.fedoraproject.org/redirect.conf b/modules/fas/files/fas.fedoraproject.org/redirect.conf new file mode 100644 index 0000000..1fc6864 --- /dev/null +++ b/modules/fas/files/fas.fedoraproject.org/redirect.conf @@ -0,0 +1 @@ +Redirect permanent / https://admin.fedoraproject.org/accounts/ diff --git a/modules/fas/files/fas.wsgi b/modules/fas/files/fas.wsgi new file mode 100644 index 0000000..865cc08 --- /dev/null +++ b/modules/fas/files/fas.wsgi @@ -0,0 +1,50 @@ +#!/usr/bin/python +import sys +sys.path.append('/usr/lib/python2.4/site-packages/fas/') +sys.stdout = sys.stderr + +import pkg_resources +pkg_resources.require('CherryPy <= 3.0alpha') + +import os +os.environ['PYTHON_EGG_CACHE'] = '/var/www/.python-eggs' + +import atexit +import cherrypy +import cherrypy._cpwsgi +import turbogears +import turbogears.startup +from formencode.variabledecode import NestedVariables +import fedora.tg.util + +class MyNestedVariablesFilter(object): + def before_main(self): + if hasattr(cherrypy.request, "params"): + cherrypy.request.params_backup = cherrypy.request.params + cherrypy.request.params = \ + NestedVariables.to_python(cherrypy.request.params or {}) + +turbogears.startup.NestedVariablesFilter = MyNestedVariablesFilter + +turbogears.update_config(configfile="/etc/fas.cfg", modulename="fas.config") +turbogears.config.update({'global': {'server.environment': 'production'}}) +turbogears.config.update({'global': {'autoreload.on': False}}) +turbogears.config.update({'global': {'server.log_to_screen': False}}) +turbogears.config.update({'global': {'server.webpath': '/accounts'}}) +turbogears.config.update({'global': {'base_url_filter.on': True}}) +turbogears.config.update({'global': {'base_url_filter.base_url': 'https://admin.fedoraproject.org'}}) +#turbogears.config.update({'global': {'sqlalchemy.recycle': '10'}}) + +turbogears.startup.call_on_startup.append(fedora.tg.util.enable_csrf) + +import fas.controllers + +cherrypy.root = fas.controllers.Root() + +if cherrypy.server.state == 0: + atexit.register(cherrypy.server.stop) + cherrypy.server.start(init_only=True, server_class=None) + +def application(environ, start_response): + environ['SCRIPT_NAME'] = '' + return cherrypy._cpwsgi.wsgiApp(environ, start_response) diff --git a/modules/fas/files/fasSync b/modules/fas/files/fasSync new file mode 100644 index 0000000..4f9f643 --- /dev/null +++ b/modules/fas/files/fasSync @@ -0,0 +1 @@ +24 * * * * root /bin/sleep $(($RANDOM/20)); /usr/bin/fasClient -i > /dev/null 2>&1 diff --git a/modules/fas/files/fedora-ca-client-openssl.cnf b/modules/fas/files/fedora-ca-client-openssl.cnf new file mode 100644 index 0000000..5c3bb15 --- /dev/null +++ b/modules/fas/files/fedora-ca-client-openssl.cnf @@ -0,0 +1,317 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = /var/lib/fedora-ca/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = . # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem # The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_md = sha1 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +# we use PrintableString+UTF8String mask so if pure ASCII texts are used +# the resulting certificates are compatible with Netscape +string_mask = MASK:0x2002 + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = North Carolina + +localityName = Locality Name (eg, city) +localityName_default = Raleigh + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Fedora Project + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 0 +#challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/modules/fas/files/nsswitch.conf b/modules/fas/files/nsswitch.conf new file mode 100644 index 0000000..fb4ff62 --- /dev/null +++ b/modules/fas/files/nsswitch.conf @@ -0,0 +1,45 @@ +# /etc/nsswitch.conf +# +# An example Name Service Switch config file. This file should be +# sorted with the most-used services at the beginning. +# +# The entry '[NOTFOUND=return]' means that the search for an +# entry should stop if the search in the previous entry turned +# up nothing. Note that if the search failed due to some other reason +# (like no NIS server responding) then the search continues with the +# next entry. +# +# Legal entries are: +# +# nisplus or nis+ Use NIS+ (NIS version 3) +# nis or yp Use NIS (NIS version 2), also called YP +# dns Use DNS (Domain Name Service) +# files Use the local files +# db Use the local database (.db) files +# compat Use NIS on compat mode +# hesiod Use Hesiod for user lookups +# [NOTFOUND=return] Stop searching if not found so far +# + +passwd: db files +shadow: db files +group: db files + +#hosts: db files nisplus nis dns +hosts: files dns + +bootparams: nisplus [NOTFOUND=return] files + +ethers: files +netmasks: files +networks: files +protocols: files +rpc: files +services: files + +netgroup: files + +publickey: nisplus + +automount: files +aliases: files nisplus diff --git a/modules/fas/manifests/init.pp b/modules/fas/manifests/init.pp new file mode 100644 index 0000000..a8074db --- /dev/null +++ b/modules/fas/manifests/init.pp @@ -0,0 +1,307 @@ +# Fedora account system Configuration + +class fas::fas { + package { fas-clients: ensure => present } + package { python-fedora: ensure => present } + + # Set a default group if one has not been explicitly defined + if $groups { + $notGroup = '' + } else { + $groups = 'sysadmin-main' + } + if $sshGroups { + $notSshGroup = '' + } else { + $sshGroups = '' + } + if $restrictedApp { + $notRestrictedApp = '' + } else { + $restrictedApp = '/usr/bin/cvs server' + } + + file { "/etc/nsswitch.conf": + source => "puppet:///fas/nsswitch.conf" + } + + file { '/etc/fas.conf': + content => template('fas/fas.conf.erb'), + mode => '0600', + + } +# exec { 'make-accounts': +# command => '/usr/bin/fasClient -e; /usr/bin/fasClient -i', +# subscribe => Templatefile['/etc/fas.conf'], +# require => Package['fas-clients'], +# refreshonly => true +# } + + file { '/etc/cron.d/fasSync': + source => 'puppet:///fas/fasSync', + require => Package[fas-clients], + } + + file { "/root/bin/": + ensure => directory, + } + + file { '/etc/sudoers': + source => "puppet:///config/secure/sudoers", + mode => 0440, + owner => root, + group => root + } +} + +class fas::fas-proxy inherits httpd { + file { "/etc/httpd/conf.d/admin.fedoraproject.org/accounts.conf": + source => 'puppet:///fas/accounts-proxy.conf', + notify => Service['httpd'], + } + + file { '/etc/httpd/conf.d/fas.fedoraproject.org.conf': + source => 'puppet:///fas/fas.fedoraproject.org.conf', + notify => Service['httpd'], + } + + file { '/etc/httpd/conf.d/fas.fedoraproject.org/': + source => 'puppet:///fas/fas.fedoraproject.org/', + recurse => true, + notify => Service['httpd'], + } + + file { '/etc/httpd/conf.d/accounts.fedoraproject.org.conf': + source => 'puppet:///fas/accounts.fedoraproject.org.conf', + notify => Service['httpd'] + } + + file { '/etc/httpd/conf.d/accounts.fedoraproject.org/': + source => 'puppet:///fas/accounts.fedoraproject.org/', + recurse => true, + notify => Service['httpd'], + } + +} + +class fas::fas-server-base inherits turbogears { + $bugzillaUser='fedora-admin-xmlrpc(a)redhat.com' + include httpd + include mod_wsgi-package + + package { fas: ensure => present } + + package { fas-plugin-asterisk: ensure => present } + + ### HACK: Need to solve this better later + file { '/usr/lib/python2.4/site-packages/fas/fas.wsgi': + source => 'puppet:///fas/fas.wsgi', + require => Package['mod_wsgi'], + notify => Service['httpd'] + } + + file { '/var/www/.python-eggs': + ensure => directory, + mode => '0700', + owner => 'apache', + require => Package['httpd'] + } + + file { '/etc/fas-gpg': + ensure => directory, + mode => '0700', + owner => 'fas', + group => 'fas', + require => Package['fas'], + } + + file { '/etc/fas-gpg/secring.gpg': + source => 'puppet:///config/secure/accounts-secring.gpg', + owner => 'fas', + group => 'fas', + mode => 600, + require => File['/etc/fas-gpg'] + } + + file { '/etc/fas-gpg/pubring.gpg': + owner => 'fas', + group => 'fas', + mode => 600, + replace => false, + ensure => file, + source => 'puppet:///fas/accounts-pubring.gpg', + } + + file { '/etc/httpd/conf.d/accounts.conf': + source => 'puppet:///fas/accounts.conf', + require => Package['mod_wsgi'], + } + + file { '/etc/pki/fas': + ensure => directory, + mode => '0700', + owner => 'fas', + group => 'fas', + } + # These are both public certs so there's no reason to hide them + file { '/etc/pki/fas/fedora-server-ca.cert': + source => 'puppet:///config/secure/fedora-ca.cert', + } + + file { '/etc/pki/fas/fedora-upload-ca.cert': + source => 'puppet:///config/secure/fedora-ca.cert', + } + + file { '/etc/export-bugzilla.cfg': + content => template('fas/export-bugzilla.cfg.erb'), + owner => 'fas', + # Contains passwords so it needs to be restricted + mode => '0640' + } + + # Note: This will move into the fas rpm soon + file { "/usr/local/bin/export-bugzilla.py": + source => "puppet:///fas/export-bugzilla.py", + mode => 0755, + } + + file { '/usr/share/fas/static/fedora-server-ca.cert': + source => 'puppet:///config/secure/fedora-ca.cert', + owner => 'apache', + group => 'sysadmin-main', + mode => '0440', + require => Package['httpd'] + } + + file { '/usr/share/fas/static/fedora-upload-ca.cert': + source => 'puppet:///config/secure/fedora-ca.cert', + owner => 'apache', + group => 'sysadmin-main', + mode => '0440' + } + + file { '/usr/lib/python2.4/site-packages/fas/config/log.cfg': + source => 'puppet:///fas/fas-log.cfg', + owner => 'root', + group => 'root', + notify => Service['httpd'], + require => Package['httpd'], + mode => '0644' + } +} + +class fas::fas-server inherits fas-server-base { + + $genCert = 'False' + file { '/etc/fas.cfg': + content => template('fas/fas-prod.cfg.erb'), + owner => 'fas', + group => 'apache', + notify => Service['httpd'], + require => Package['httpd'], + mode => '640' + } + +} + +class fas::fas-server-gencert inherits fas-server-base { + + $genCert = 'True' + file { '/etc/fas.cfg': + content => template('fas/fas-prod.cfg.erb'), + owner => 'fas', + group => 'apache', + notify => Service['httpd'], + require => Package['httpd'], + mode => '640' + } + + # These should be created by the fas package later + file { '/var/lock/fedora-ca': + ensure => directory, + mode => '0700', + owner => 'fas', + group => 'fas', + require => Package[fas], + } + + file { '/var/lib/fedora-ca': + ensure => directory, + mode => '0771', + owner => 'fas', + group => 'sysadmin-main', + require => Package[fas], + } + + file { '/var/lib/fedora-ca/newcerts': + ensure => directory, + mode => '0770', + owner => 'fas', + group => 'sysadmin-main', + require => Package[fas], + } + + file { '/var/lib/fedora-ca/private': + ensure => directory, + mode => '0750', + owner => 'fas', + group => 'sysadmin-main' + } + + # For publishing the crl + file { '/srv/web/ca': + ensure => directory, + mode => '0755', + owner => 'apache', + group => 'apache' + } + + file { '/var/lib/fedora-ca/Makefile': + source => 'puppet:///fas/Makefile.fedora-ca', + mode => '0644' + } + + file { '/var/lib/fedora-ca/openssl.cnf': + source => 'puppet:///fas/fedora-ca-client-openssl.cnf', + mode => '0644' + } + + file { '/var/lib/fedora-ca/certhelper.py': + source => 'puppet:///fas/certhelper.py', + mode => '0750', + owner => 'root', + group => 'sysadmin-main' + } + + + # Public keys don't need restrictive permissions + file { '/var/lib/fedora-ca/cacert.pem': + source => 'puppet:///config/secure/fedora-ca.cert', + mode => '0444' + } + + # First of every month, force a new crl to be created + cron { gen-crl: + command => "cd /var/lib/fedora-ca ; /usr/bin/make gencrl &> /dev/null", + user => "apache", + minute => 0, + hour => 0, + monthday => [ 1, 15 ], + } + + file { '/srv/web/ca/crl.pem': + ensure => '/var/lib/fedora-ca/crl/crl.pem' + } +} + +# Note: path will change when it moves into the fas rpm +class fas::fas-no-balance { + cron { export-bugzilla: + command => "/usr/local/bin/export-bugzilla.py fedorabugs fedora_contrib", + user => "fas", + minute => 10, + ensure => present, + require => Package['fas'], + environment => "MAILTO=root" + } +} diff --git a/modules/fas/templates/export-bugzilla.cfg.erb b/modules/fas/templates/export-bugzilla.cfg.erb new file mode 100644 index 0000000..6c65f07 --- /dev/null +++ b/modules/fas/templates/export-bugzilla.cfg.erb @@ -0,0 +1,11 @@ +[global] +# bugzilla.url = https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi +# Running from fas1 so we need the PHX available address. +bugzilla.url = "https://bzprx.vip.phx.redhat.com/xmlrpc.cgi" +# bugzilla.url = "https://bugzilla.redhat.com/xmlrpc.cgi" +bugzilla.username = "<%= bugzillaUser %>" +bugzilla.password = "<%= bugzillaPassword %>" + +# At the moment, we have to extract this information directly from the fas2 +# database. We can build a json interface for it at a later date. +sqlalchemy.dburi = "postgres://fas:<%= fasDbPassword %>@db2/fas2" diff --git a/modules/fas/templates/fas-prod.cfg.erb b/modules/fas/templates/fas-prod.cfg.erb new file mode 100644 index 0000000..11cac5a --- /dev/null +++ b/modules/fas/templates/fas-prod.cfg.erb @@ -0,0 +1,163 @@ +[global] +samadhi.baseurl = 'https://admin.fedoraproject.org/' + +admingroup = 'accounts' +systemgroup = 'fas-system' +thirdpartygroup = 'thirdparty' + +theme = 'fas' + +accounts_email = "accounts(a)fedoraproject.org" +legal_cla_email = "legal-cla-archive(a)fedoraproject.org" + +email_host = "fedoraproject.org" # as in, web-members@email_host + +gpgexec = "/usr/bin/gpg" +gpghome = "/etc/fas-gpg" +gpg_fingerprint = "7662 A6D3 4F21 A653 7BD4 BA64 20A0 8C45 4A0E 6255" +gpg_passphrase = "<%= fasGpgPassphrase %>" +gpg_keyserver = "hkp://subkeys.pgp.net" + +cla_done_group = "cla_done" +cla_fedora_group = "cla_fedora" + +privileged_view_groups = "(^fas-.*)" +username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,bin,board,bodhi2,canna,chair,chairman,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,famsco,fax,fedorarewards,fesco,freemedia,ftp,ftpadm,ftpadmin,games,gdm,gopher,gregdek,halt,hostmaster,ident,info,ingres,jaboutboul,jan,keys,ldap,legal,logo,lp,mail,mailnull,manager,marketing,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,nrpe,nscd,ntp,nut,openvideo,operator,packager,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,root,rpc,rpcuser,rpm,sales,scholarship,secalert,security,shutdown,smmsp,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" + +openidstore = "/var/tmp/fas/openid" + +# Enable or disable generation of SSL certificates for users +gencert = <%= genCert %> + +makeexec = "/usr/bin/make" +openssl_lockdir = "/var/lock/fedora-ca" +openssl_digest = "md5" +openssl_expire = 15552000 # 60*60*24*180 = 6 months +openssl_ca_dir = "/var/lib/fedora-ca" +openssl_ca_newcerts = "/var/lib/fedora-ca/newcerts" +openssl_ca_index = "/var/lib/fedora-ca/index.txt" +openssl_c = "US" +openssl_st = "North Carolina" +openssl_l = "Raleigh" +openssl_o = "Fedora Project" +openssl_ou = "Fedora User Cert" + +# Groups that automatically grant membership to other groups +# Format: 'group1:a,b,c|group2:d,e,f' +auto_approve_groups = 'packager:fedorabugs|cla_fedora:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done' + +# This is where all of your settings go for your development environment +# Settings that are the same for both development and production +# (such as template engine, encodings, etc.) all go in +# fas/config/app.cfg + +mail.on = True +mail.server = 'bastion' +#mail.testmode = True +mail.debug = False +mail.encoding = 'utf-8' + +# DATABASE + +# pick the form for your database +# sqlobject.dburi="postgres://username@hostname/databasename" +# sqlobject.dburi="mysql://username:password@hostname:port/databasename" +# sqlobject.dburi="sqlite:///file_name_and_path" + +# If you have sqlite, here's a simple default to get you started +# in development +sqlalchemy.dburi="postgres://fas:<%= fasDbPassword %>@db2/fas2" +sqlalchemy.echo=False + +# if you are using a database or table type without transactions +# (MySQL default, for example), you should turn off transactions +# by prepending notrans_ on the uri +# sqlobject.dburi="notrans_mysql://username:password@hostname:port/databasename" + +# for Windows users, sqlite URIs look like: +# sqlobject.dburi="sqlite:///drive_letter:/path/to/file" + +# SERVER + +# Some server parameters that you may want to tweak +server.socket_port=8088 +server.thread_pool=50 +server.socket_queue_size=30 + +# FAS2 is mmuch busier than other servers due to serving visit and auth via +# JSON. +# Double pool_size +#sqlalchemy.pool_size=10 +# And increase overflow above what other servers have +#sqlalchemy.max_overflow=25 +# When using wsgi, we want the pool to be very low (as a separate instance is +# run in each apache mod_wsgi thread. So each one is going to have very few +# concurrent db connections. +sqlalchemy.pool_size=1 +sqlalchemy.max_overflow=2 + +# Enable the debug output at the end on pages. +# log_debug_info_filter.on = False + +server.environment="production" +autoreload.package="fas" + +# session_filter.on = True + +# Set to True if you'd like to abort execution if a controller gets an +# unexpected parameter. False by default +tg.strict_parameters = True +tg.ignore_parameters = ["_csrf_token"] + +server.webpath='/accounts' +base_url_filter.on = True +base_url_filter.use_x_forwarded_host = True +base_url_filter.base_url = "https://admin.fedoraproject.org" + +# Make the session cookie only return to the host over an SSL link +visit.cookie.secure = True +session_filter.cookie_secure = True + +[/fedora-server-ca.cert] +static_filter.on = True +static_filter.file = "/etc/pki/fas/fedora-server-ca.cert" + +[/fedora-upload-ca.cert] +static_filter.on = True +static_filter.file = "/etc/pki/fas/fedora-upload-ca.cert" + +# LOGGING +# Logging configuration generally follows the style of the standard +# Python logging module configuration. Note that when specifying +# log format messages, you need to use *() for formatting variables. +# Deployment independent log configuration is in fas/config/log.cfg +[logging] + +[[loggers]] +[[[fas]]] +level='DEBUG' +qualname='fas' +handlers=['debug_out'] + +[[[allinfo]]] +level='INFO' +handlers=['debug_out'] + +#[[[access]]] +#level='INFO' +#qualname='turbogears.access' +#handlers=['access_out'] +#propagate=0 + +[[[identity]]] +level='INFO' +qualname='turbogears.identity' +handlers=['access_out'] +propagate=0 + +[[[database]]] +# Set to INFO to make SQLAlchemy display SQL commands +level='ERROR' +qualname='sqlalchemy.engine' +handlers=['debug_out'] +propagate=0 diff --git a/modules/fas/templates/fas.conf.erb b/modules/fas/templates/fas.conf.erb new file mode 100644 index 0000000..d8a3e05 --- /dev/null +++ b/modules/fas/templates/fas.conf.erb @@ -0,0 +1,78 @@ +[global] +; url - Location to fas server +url = https://admin.fedoraproject.org/accounts/ + +; temp - Location to generate files while user creation process is happening +temp = /var/db + +; login - username to contact fas +login = systems + +; password - password for login name +password = <%= systemsUserPassword %> + +; prefix - install to a location other than / +prefix = / + +[host] +; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups +; so if someone is in all 3, the client behaves the same as if they were just +; in 'groups' + +; groups that should have a shell account on this system. +<% if groups != "NONE" %> +groups = <%= groups %> +<% else %> +groups = sysadmin-main +<% end %> +; groups that should have a restricted account on this system. +; restricted accounts use the restricted_shell value in [users] +restricted_groups = + +; ssh_restricted_groups: groups that should be restricted by ssh key. You will +; need to disable password based logins in order for this value to have any +; security meaning. Group types can be placed here as well, for example +; @hg,@git,@svn +<% if sshGroups %> +ssh_restricted_groups = <%= sshGroups %> +<% else %> +ssh_restricted_groups = +<% end %> + +; aliases_template: Gets prepended to the aliases file when it is generated by +; fasClient +aliases_template = /etc/aliases.template + +[users] +; default shell given to people in [host] groups +shell = /bin/bash + +; home - the location for fas user home dirs +home = /home/fedora + +; home_backup_dir - Location home dirs should get moved to when a user is +; deleted this location should be tmpwatched +home_backup_dir = /home/fedora.bak + +; ssh_restricted_app - This is the path to the restricted shell script. It +; will not work automatically for most people though through alterations it +; is a powerfull way to restrict access to a machine. An alternative example +; could be given to people who should only have cvs access on the machine. +; setting this value to "/usr/bin/cvs server" would do this. +<% if restrictedApp %> +ssh_restricted_app = "<%= restrictedApp %>" +<% else %> +ssh_restricted_app = "/usr/bin/cvs server" +<% end %> + +; restricted_shell - The shell given to users in the ssh_restricted_groups +restricted_shell = /sbin/nologin + +; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups +ssh_restricted_shell = /bin/bash + +; ssh_key_options - Options to be appended to people ssh keys. Users in the +; ssh_restricted_groups will have the keys they uploaded altered when they are +; installed on this machine, appended with the options below. +ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty +

15 years

1
0
0 / 0

Bastion changes

by Mike McGrath

I'm making some changes to bastion today, I'm going to drop it's interface sometime this afternoon which will kill any of your connections on it. I'll also be testing some failure scenarios. Stay tuned in #fedora-admin if you think this affects you. -Mike

15 years

1
0
0 / 0

My skills

by Angel Natan Villegas Vicencio

Hi every body i want to join to the fedora infrastructure team, add something of my skills - System Administrator on RedHat 7.3, RedHat Advanced Server 2.1, RedHat Enterprise Linux 3, RedHat Enterprise Linux 4, RedHat Enterprise Linux 5, - Configurations and Installations of Redhat servers through PXE and kickstars files - Configurations of yum repositories for provisioning redhat servers ( 2.1, 3, 4, and 5 ) - LVM Filesystems - Bash Scripting - Technical Management of network services on Redhat (Radius, DNS, DHCP, LDAP, Postfix,) - Technical Management on VMware Server and Xen. - Backup Administrator in tape library MSL6000 with Omniback II. - Storage Administrator in Storage Strategies with EVA500 - Monitoring Administrator with Nagios, open source tool. - Technical knowledge on IBM and HP Hardware such as Blade Servers HS21(IBM), xSeries 3250-3850 (IBM), Blades Server BL20PG2 (HP), DL360 G2 , DL380 G2 , DL580 G2 (HP). - Firewall and VPNs Administrator on Netscreen Appliance Thank you ever body ...

15 years

2
2
0 / 0

sysadmin sponsoring

by Ionuț Arțăriși

Hello, I've recently become interested in the openid part of FAS and have already setup a server on my laptop and began hacking. However, I think I would be much more productive using one of the test servers in the infrastructure as this way I could actually test against the different openid consumers "in the wild". I've already applied to sysadmin-test and am now going to apply to sysadmin as these seem to be the required steps. Please sponsor me :) Thank you!

15 years

2
1
0 / 0

I wanna join the FIG

by guille

15 years

2
1
0 / 0

Logs from f-peeps

by Paul W. Frields

Some of the recent Test Day live images were hosted from fedorapeople.org space. I'd like to find out how many downloads there were of these images, but I can't read /var/log/httpd on that host (which makes sense). Are those logs supposed to be separate? If so, I probably need some help with this request and can file a ticket. If not, well I can still file a ticket. :-) Paul

15 years

3
4
0 / 0

Translation Toolchain Freeze

by Dimitris Glezos

In Fedora's 6-month cycle, there are a few weeks in which translators are working full-steam. These are the period for software translation and one for Docs translations. During these periods the L10n Infrastructure should be considered frozen, otherwise the work of a few hundred people will be interrupted (currently 40+ commits per day are taking place). Looking at poelstra's schedule [1], these freeze periods are: 2009-03-10 - 2009-04-14 2009-04-29 - 2009-05-14 If there's a document we need to have these added, please let me know. Having the same process (+1s etc) for L10n Infra would be great, IMO. -d [1] http://poelstra.fedorapeople.org/schedules/f-11/f-11-trans-tasks.html -- Dimitris Glezos Jabber ID: glezos(a)jabber.org, GPG: 0xA5A04C3B http://dimitris.glezos.com/ "He who gives up functionality for ease of use loses both and deserves neither." (Anonymous) --

15 years

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

infrastructure April 2009