Re: Fedora & me =)
by Jose Manimala
Hey there Matt, welcome to Fedora. You can go through the Fedora wiki at http://fedoraproject.org and look at the Fedora Infrastructure SIG. That's where we deal with administration. Btw, hope you love it here.
Best wishes
Jose
------Original Message------
From: Wiora, Matthias
Sender: fedora-infrastructure-list-bounces(a)redhat.com
To: fedora-infrastructure-list(a)redhat.com
ReplyTo: opensource(a)openwallet.de
ReplyTo: Fedora Infrastructure
Subject: Fedora & me =)
Sent: Apr 12, 2009 5:22 AM
Hello you all over there ;)
My name is Matthias Wiora - I'm from Germany, 18 years old and I've been
using Fedora for more than 4 years now. It's time to get involved. In business
I'm a system Engineer :)
I've made my experiences in Virtualisation with XEN and VMware,
Datastore-Management in Datacore and OpenE, Database-Management MSSQL and
MySQL (interested in Oracle!), System Administration Microsoft Server 2k8
& Terminal-Server-Administration Server 2k3 + Citrix XenApp, Debian 4/5,
End-User Support of Windows XP/Vista (Certified by MS 70-270) and Fedora
Clients :)
I'd like to get involved in the Fedora Server Management & Administration
processes. It's also possible to meet someone else in Germany, Austria,
Switzerland or London.
well... you'd like to know more about me? http://openwallet.de :)
Well... That's for all. Any questions?
ahhhh... my hobbies: Playing Piano, Biking & Programming AtMega Processors
(c++) ;)
greetings from Germany,
µatthias (counterroot)
P.S.: Sry for the bad English. I'm trying to get better ;)
Fedora & me =)
by Wiora, Matthias
Hello you all over there ;)
My name is Matthias Wiora - I'm from Germany, 18 years old and I've been
using Fedora for more than 4 years now. It's time to get involved. In business
I'm a system Engineer :)
I've made my experiences in Virtualisation with XEN and VMware,
Datastore-Management in Datacore and OpenE, Database-Management MSSQL and
MySQL (interested in Oracle!), System Administration Microsoft Server 2k8
& Terminal-Server-Administration Server 2k3 + Citrix XenApp, Debian 4/5,
End-User Support of Windows XP/Vista (Certified by MS 70-270) and Fedora
Clients :)
I'd like to get involved in the Fedora Server Management & Administration
processes. It's also possible to meet someone else in Germany, Austria,
Switzerland or London.
well... you'd like to know more about me? http://openwallet.de :)
Well... That's for all. Any questions?
ahhhh... my hobbies: Playing Piano, Biking & Programming AtMega Processors
(c++) ;)
greetings from Germany,
µatthias (counterroot)
P.S.: Sry for the bad English. I'm trying to get better ;)
Meeting Log - 2008-04-09
by Ricky Zhou
15:00 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Who's here?
15:01 * yingbull is.
15:01 < mmcgrath> Alrighty everyone, who's around?
15:01 * warren here
15:01 * skvidal is here
15:01 * notting is here
15:01 < mmcgrath> jcollie: you around?
15:02 < jcollie> yup
15:02 < ivazquez> Pong.
15:02 < mmcgrath> cool, lets get started then
15:02 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Tickets
15:02 < mmcgrath> .tiny https://fedorahosted.org/fedora-infrastructure/query?status=new&status=as...
15:02 < zodbot> mmcgrath: http://tinyurl.com/2hyyz6
15:02 * MostafaDaneshvar is there
15:02 < mmcgrath> First ticket:
15:02 < mmcgrath> .ticket 395
15:02 < zodbot> mmcgrath: #395 (Audio Streaming of Fedora Board Conference Calls) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/395
15:02 < mmcgrath> jcollie: whats the latest?
15:02 < warren> mmcgrath: is agenda set in stone? I want to add s/cvsextras/packager/ after F9 release and next convenient scheduled outage.
15:03 < mmcgrath> warren: not at all, we pretty much go over tickets now, then a few other items then open the floor.
15:03 < mmcgrath> warren: Remind me if I forget at the end.
15:03 < jcollie> not much has happened... someone horked up a bunch of my virtual hosts at work so i've been busy rebuilding them
15:03 < mmcgrath> jcollie: virtual hosts at $DAYJOB or something related to fedora?
15:03 -!- Wakko666 [n=blentz(a)office.cardomain.com] has joined #fedora-meeting
15:03 < jcollie> $DAYJOB
15:03 -!- wolfy [n=lonewolf@fedora/wolfy] has left #fedora-meeting ["When you breathe, you inspire. When you do not breathe, you expire."]
15:04 < mmcgrath> just checking ;-)
15:04 < mmcgrath> jcollie: k, so nothing new there. We'll move on.
15:04 < mmcgrath> .ticket 398
15:04 < zodbot> mmcgrath: #398 (elfutils `monotone' (mtn) error) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/398
15:04 * mmcgrath sees if rmcgrath is around.
15:04 < jcollie> i think that those of us that are interested in working on the streaming should set up a separate meeting to divvy up some tasks
15:05 < mmcgrath> jcollie: not a bad idea. It sounds like you've done most of the work already. Its just a matter of getting that last 10% done (and getting the fas integration for the non streaming stuff)
15:05 < jcollie> yep
15:06 < mmcgrath> alrighty, we'll talk about 398 later if rmcgrath becomes available.
15:06 < mmcgrath> My understanding is that we can do it though.
15:06 < mmcgrath> .tickety 446
15:06 < mmcgrath> .ticket 446
15:06 < zodbot> mmcgrath: #446 (Possibility to add external links on spins page) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/446
15:06 < mmcgrath> doath
15:06 * dgilmore is here
15:07 < mmcgrath> dgilmore: I think last time we talked about you getting this up on the wiki, any news on that?
15:07 < dgilmore> mmcgrath: i started and got sidetracked
15:07 < mmcgrath> dgilmore: ahh, you're still on it though?
15:07 < dgilmore> mmcgrath: will be done by the end of the weekend
15:07 < dgilmore> yep
15:08 < mmcgrath> AFAIK we just have the one spin so far.
15:08 < mmcgrath> dgilmore: sweet, thanks!
15:08 < mmcgrath> Ok, so thats really the end of it on the tickets side.
15:08 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- New Wiki
15:08 < mmcgrath> Just a bit of a roundup on the wiki. I've been working on the migration script and docbook exporter script.
15:08 < mmcgrath> The people listed on http://fedoraproject.org/wiki/Infrastructure/WikiMigration all met yesterday.
15:09 < mmcgrath> I'm going to schedule a few more meetings but a few bumps aside it sounds like we are a GO.
15:09 < mmcgrath> dgilmore: are you on the FESCo ?
15:09 < dgilmore> mmcgrath: i am
15:09 < mmcgrath> dgilmore: at the next meeting would you find a delegate to sign up to be the wiki liaison for those sections of the wiki?
15:10 < mmcgrath> unless you want to do it :)
15:10 < dgilmore> mmcgrath: sure
15:10 < mmcgrath> Thanks.
15:10 < dgilmore> mmcgrath: i think jwb volunteered
15:10 * jwb wakes up
15:10 < jwb> huh?
15:10 * dgilmore notes he will largely be away next week
15:10 < mmcgrath> so https://publictest1.fedoraproject.org/wiki/FedoraMain is still up and ready
15:10 < dgilmore> jwb: wiki migration?
15:10 < mmcgrath> dgilmore: ohhh yeah. you're right. he's on there.
15:11 < jwb> dgilmore, mmcgrath: oh, yeah. i put my name there
15:11 < mmcgrath> dgilmore: I'll be away next week as well.
15:11 < mmcgrath> jwb: sorry I missed it there.
15:11 < jwb> i have no idea what that means
15:11 < jwb> do i have to do something?
15:11 < jwb> it just said "contact point"
15:11 < dgilmore> jwb: you get to be whipped
15:11 < mmcgrath> jwb: not yet, we'll be scheduling a meeting again the week after next. In the meantime just go through https://publictest1.fedoraproject.org/wiki/ and look for... doom.
15:11 < dgilmore> jwb: no Just be a point person.
15:12 < jwb> ok great
15:12 < jwb> either way, count me in
15:12 < mmcgrath> cool.
15:12 < mmcgrath> So thats really the latest on the wiki.
15:12 < mmcgrath> Anyone have any questions or concerns?
15:13 < mmcgrath> allrighty, moving on
15:13 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Next week
15:13 < mmcgrath> I'll be gone again next week for training. Its the last training session I actually have scheduled.
15:13 < mmcgrath> So during the days I'll be unavailable but I'll likely be around most evenings.
15:14 < mmcgrath> Next topic
15:14 < dgilmore> mmcgrath: ill be in Brazil
15:14 * skvidal will be here
15:14 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- nfs1
15:14 < skvidal> people can call/page me
15:14 < skvidal> ugh
15:14 < skvidal> nfs1
15:14 < mmcgrath> NFS1 got built yesterday in a hurry.
15:14 < mmcgrath> while working on xen2 the nfslock issues showed up again then the whole box took a panic.
15:15 < mmcgrath> we'd been serving nfs directly from xen2 so when it goes down the buildsystem goes down.
15:15 < mmcgrath> Anyway, we brought nfs1 up as a RHEL4 box to try to fix the nfs issues, they might have fixed nfs issues but brought on ext3 issues since we're using a 10T ext3 filesystem...
15:15 < mmcgrath> RHEL4 couldn't handle it and started to ioerror.
15:15 < mmcgrath> So I kicked a RHEL5 box and its now nfs1.
15:16 < mmcgrath> Its up, its running.
15:16 < mmcgrath> so far no nfslock issues, if we do get one though we're going to contact steved while its in the bad state and give him a shell to look around.
15:16 < dgilmore> mmcgrath: lets get steved a shell on xen2 and let him monitor nfs1
15:16 < mmcgrath> Really nothing new here except that /mnt/koji is no longer available on xen2, its now on nfs1.
15:17 < mmcgrath> dgilmore: you never know, perhaps magically moving to nfs1 fixed our problem :)
15:17 < mmcgrath> we'll see.
15:17 * skvidal likes magic
15:17 < dgilmore> mmcgrath: we can hope
15:17 < dgilmore> skvidal: voodoo magic is best
15:17 < mmcgrath> heheh
15:17 * skvidal makes a doll of dgilmore
15:17 < mmcgrath> Ok, next item.
15:17 < dgilmore> skvidal: need some hair and fingernails?
15:18 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- s/cvsextras/packagers/
15:18 < mmcgrath> warren: ping?
15:18 < warren> hi
15:18 < mmcgrath> warren: so we're just going to rename cvsextras to packagers.
15:18 < mmcgrath> which involves
15:18 < warren> So f13 suggested we rename the group after F9 release, at the first scheduled outage.
15:18 < warren> mmcgrath: packager, singular
15:18 < mmcgrath> 1) updating the db.
15:19 < mmcgrath> 2) updating the scripts (and upload script)
15:19 < mmcgrath> 3) updating the documentation
15:19 < mmcgrath> 4) testing?
15:19 < mmcgrath> I really don't think this will be that huge of a deal.
15:19 < mmcgrath> warren: I'll try to get it done sometime the week after F9 ships. Would you mind opening a ticket and bugging me about it that week?
15:19 < warren> mmcgrath: ok
15:20 < warren> mmcgrath: are there any other group names we should rename as well?
15:20 < f13> warren: lets keep the name that will make sense in the future given my newmaintainercontainment proposal
15:20 < warren> as long as we have an outage
15:20 < f13> warren: since I hope to get an intern to work on that this summer
15:20 < warren> f13: is this the one from 2 months ago or so?
15:20 < mmcgrath> warren: yeah we'll schedule an outage.
15:20 -!- Milanito [n=Matt(a)32.12.70-86.rev.gaoland.net] has quit Remote closed the connection
15:20 < f13> warren: http://fedoraproject.org/wiki/JesseKeating/NewMaintainerContainment
15:21 < mmcgrath> I'm not sure about other group names.
15:21 < warren> Let's ask around
15:21 < warren> there might be other names people want to do
15:21 < warren> f13: ok seems we need to figure out a bigger picture plan then
15:22 < warren> mmcgrath: will get back to you
15:22 < mmcgrath> warren: works for me, lets know well in advance of the outage know because renaming cvsextras I have a pretty good idea of what needs to be done.
15:22 < mmcgrath> but for another group I might not know without more research.
15:22 < mmcgrath> k
15:22 < mmcgrath> warren: when its all ready just create a ticket and bug me. I think we could have it done in an hour or two some night after F9 ships.
15:22 < f13> warren: well, we don't necessarily have to wait to rename 'cvsextras' to /something/
15:23 < f13> warren: 'fedorapackager' or whatever seems fine, we can pick a name that implies /greater/ rights later
15:23 < warren> f13: I do agree to rename it within the larger plan
15:23 < f13> or less rights.
15:23 < warren> f13: I'm still in favor of numbers instead of group names for that
15:23 < warren> but we're getting off topic
15:23 < mmcgrath> <nod> you guys figure that out :)
15:24 < mmcgrath> anyone have any questions about that? We've got plenty of time to discuss it.
15:24 < mmcgrath> if not I'll move on.
15:24 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- app server upgrades.
15:24 < mmcgrath> abadger1999: ping?
15:25 < mmcgrath> I believe toshio wants to upgrade sqlalchemy and python-fedora before the freeze. I think we're on schedule to do that but I'll have to get ahold of him to find out for sure.
15:25 < mmcgrath> which brings me to the next topic
15:25 < abadger1999> here.
15:25 < mmcgrath> oh
15:25 < mmcgrath> there you are :)
15:25 < abadger1999> Today.
15:26 < mmcgrath> abadger1999: want to talk about all of that right quick?
15:26 < abadger1999> Want to do it today/tonight.
15:26 < abadger1999> It would be to both app servers.
15:26 < mmcgrath> abadger1999: "both" ?
15:26 < mmcgrath> which?
15:26 < abadger1999> app4 and app5
15:26 < mmcgrath> app2 is also running tg apps
15:26 < abadger1999> Oh. I was not aware.
15:27 < dgilmore> mmcgrath: i want the new python-fedora
15:27 < abadger1999> then we want to upgrade that as well.
15:27 < abadger1999> We can issue a new python-fedora for everything if we want.
15:27 < mmcgrath> abadger1999: your call I'm not sure what we'd be committing to with the new package.
15:27 < abadger1999> Or we can update that when we do the other updates from RHEL, etc.
15:27 < mmcgrath> what are the risks / benefits?
15:27 < mmcgrath> and will this break transifex?
15:28 < abadger1999> All the FAS1 stuff has been removed. Only FAS2 stuff is in it.
15:28 < abadger1999> there's been some rearrangement of modules but the old imports should work with a deprecation warning.
15:28 < mmcgrath> k
15:29 < mmcgrath> sounds pretty low risk, and we can always revert if required.
15:29 < abadger1999> <nod>
15:29 < mmcgrath> abadger1999: I'm fine for any time this week on that, if you want me around just ping me or call me.
15:29 < mmcgrath> abadger1999: anything else on that?
15:30 < abadger1999> Nope that's it.
15:30 < mmcgrath> cool.
15:30 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- app5
15:30 < mmcgrath> So yeah, I don't know WTF is going on but app5 is rebooting... a LOT
15:30 < mmcgrath> this comes after the move from x86_64 to i686
15:30 -!- Milanito [n=Matt(a)32.12.70-86.rev.gaoland.net] has joined #fedora-meeting
15:30 < mmcgrath> we're talking between 20-40 times a DAY.
15:30 < mmcgrath> very very strange.
15:30 < mmcgrath> I've got a stack trace, I'm going to try to take it to the virt guys soon.
15:31 < mmcgrath> side note though, aside from that, the i686 move (also done on app2) has proved quite successful memory usage (and therefore swap) is way down.
15:31 < mmcgrath> its been a big win for us.
15:31 < mmcgrath> anyone have any questions / comments?
15:31 -!- viking-ice [n=johannbg(a)dsl-149-97-225.hive.is] has joined #fedora-meeting
15:31 < mmcgrath> Alrighty, then I'll move on to the last topic of the day before opening the floor.
15:32 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Change Freeze!
15:32 < mmcgrath> This one's for everyone
15:32 < mmcgrath> REMEMBER
15:32 < mmcgrath> DO NOT MAKE ANY CHANGES WITHOUT GETTING APPROVAL ON THE LIST FIRST!
15:32 < mmcgrath> and remember, you'll be asked the question "Why can't this wait until after F9 gets released"
15:33 < mmcgrath> I'll be gone much of next week which makes the freeze perfect.
15:33 < warren> under pain of
15:33 * mmcgrath looks up exact date again
15:33 < mmcgrath> warren: under pain of CURSE!
15:33 < skvidal> under pain of pain
15:33 < warren> I can advise against pain.
15:34 < mmcgrath> There we go, so the freeze starts the 15th. The release is on the 29th. The freeze is lifted on the 30th.
15:34 < yingbull> pain's scary.
15:34 < mmcgrath> Obvious exceptions include outages and things already scheduled for the release (mm type stuff, the website, etc)
15:34 < mmcgrath> other than that. you must get approval on the list before making changes. If you're working on tickets and people get cranky, just let them know we're under a freeze.
15:34 < skvidal> mmcgrath: it's okay to bring up new boxes unrelated to the release?
15:34 < ivazquez> Should we hold it until the Monday following?
15:35 < skvidal> mmcgrath: ie: if I get all the statics, etc from BU
15:35 < mmcgrath> skvidal: take it to the list! But yeah, that shouldn't be a problem.
15:35 < skvidal> mmcgrath: will do
15:35 < mmcgrath> ivazquez: I thought about that, in the past though, for the most part, things settled down from the release the day after.
15:36 < ivazquez> Okay.
15:36 < mmcgrath> anyone have any questions / comments about that?
15:36 < mmcgrath> alrighty, then we'll open the floor
15:36 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Open Floor
15:36 * dgilmore has nothing right now
15:36 < mmcgrath> Anyone have anything they'd like to discuss? A release is coming, lots of stuff has been going on.
15:37 < notting> how are we ensuring the ability to get the bits to our tier0 mirrors?
15:37 < mmcgrath> notting: same as we had been, AFAIK our mirror system (and I2) is functional again.
15:37 < notting> that's not what mdomsch's mail implied
15:37 < mmcgrath> notting: which email and when?
15:38 < notting> to mirror-list
15:38 < dgilmore> notting: no, it implied a work around was setup
15:38 < dgilmore> mmcgrath: a couple of hours ago
15:38 < dgilmore> mmcgrath: 2 boxes were setup for Tier 0 I2 masters
15:39 < mmcgrath> <nod> that was my understanding. We don't have the permanent solution in place but a working one.
15:39 < mmcgrath> we'll probably want to make sure the working one stays as is until after the 30th.
15:39 < dgilmore> mmcgrath: they have static I2 routes to dl.fedora.redhat.com boxes
15:39 < mmcgrath> notting: I'll follow up with mdomsch to make sure whats going on there.
15:39 < mmcgrath> .any mdomsch
15:39 < zodbot> mmcgrath: mdomsch was last seen in #fedora-meeting 1 hour, 9 minutes, and 24 seconds ago: *** mdomsch has quit IRC (Remote closed the connection)
15:39 -!- Milanito [n=Matt(a)32.12.70-86.rev.gaoland.net] has quit Remote closed the connection
15:40 < mmcgrath> Alrighty, anyone have anything else to discuss?
15:40 < dgilmore> nope
15:40 < mmcgrath> k, we'll close the meeting in 30
15:41 < mmcgrath> 15
15:41 < mmcgrath> 5
15:41 < notting> dgilmore: so, the static route & download1 are bandwidth-unclogged enough to sync OK?
15:41 < dgilmore> Thanks mmcgrath :)
15:41 < notting> dgilmore: with no one using it, are we sure that download1 is synced? :)
15:41 < dgilmore> notting: i believe so.
15:42 < mmcgrath> notting: we'll have to talk to them to find out for sure.
15:42 * mmcgrath just sent an email to mdomsch to verify.
15:42 < notting> maybe i'm paranoid
15:42 < mmcgrath> notting: you're once bitten.
15:42 < mmcgrath> nothing wrong with that. The fact is the whole I2 connection thing showed a major problem we have. and the fact that galgoci is the _only_ person at Red Hat with access and know how to fix it is much less comforting.
15:43 < dgilmore> notting: i believe download1 is down
15:43 < mmcgrath> even his backup told us that he was really the only guy we'd want doing that.
15:44 -!- k0k [n=k0k@fedora/k0k] has quit Connection timed out
15:44 < mmcgrath> notting: we'll just have to wait and see if what we think mdomsch said is actually the way things are. That mirror has been down since before Feb 20th so its hard to say the state of things (considering they only just recently got back up and running)
15:44 < mmcgrath> Anywho, not much we can do but check with the mirrors list and mdomsch and make sure everyone's happy with where things are for the release.
15:44 < mmcgrath> Anyone have anything else? If not we'll close the meeting in 30
15:45 -!- Milanito [n=Matt(a)32.12.70-86.rev.gaoland.net] has joined #fedora-meeting
15:45 < mmcgrath> 10
15:45 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Meeting Closed
15:45 < mmcgrath> Thanks for coming everyone!
3 commits - configs/fas configs/system configs/web manifests/nodes manifests/servergroups manifests/services modules/fas (fwd)
by Mike McGrath
This commit was a bit nuts and touches everything. We tested it in
staging without issue. This push to production should be fine but as
always keep your eyes open. Not much 'changed' it's just fas is now a
module.
-Mike
---------- Forwarded message ----------
Date: Wed, 8 Apr 2009 15:08:54
From: Mike McGrath <mmcgrath(a)fedoraproject.org>
To: sysadmin-members(a)fedoraproject.org
Subject: 3 commits - configs/fas configs/system configs/web manifests/nodes
manifests/servergroups manifests/services modules/fas
configs/fas/fasSync | 1
configs/fas/nsswitch.conf | 45 -
configs/system/export-bugzilla.cfg.erb | 11
configs/system/export-bugzilla.py | 68 --
configs/system/fas.conf.erb | 78 ---
configs/web/accounts-proxy.conf | 12
configs/web/accounts.fedoraproject.org.conf | 13
configs/web/accounts.fedoraproject.org/logs.conf | 2
configs/web/accounts.fedoraproject.org/redirect.conf | 1
configs/web/applications/Makefile.fedora-ca | 70 --
configs/web/applications/accounts.conf | 26 -
configs/web/applications/certhelper.py | 280 -----------
configs/web/applications/fas-log.cfg | 29 -
configs/web/applications/fas-prod.cfg.erb | 163 ------
configs/web/applications/fas.wsgi | 50 --
configs/web/applications/fedora-ca-client-openssl.cnf | 317 -------------
configs/web/fas.fedoraproject.org.conf | 13
configs/web/fas.fedoraproject.org/logs.conf | 2
configs/web/fas.fedoraproject.org/redirect.conf | 1
dev/null |binary
manifests/nodes/app1.stg.fedora.phx.redhat.com.pp | 2
manifests/nodes/backup2.fedoraproject.org.pp | 2
manifests/nodes/bu1.fedoraproject.org.pp | 2
manifests/nodes/buildsys.fedoraproject.org.pp | 2
manifests/nodes/cstore1.fedoraproject.org.pp | 2
manifests/nodes/cstore2.fedoraproject.org.pp | 2
manifests/nodes/db1.stg.fedora.phx.redhat.com.pp | 2
manifests/nodes/fas1.fedora.phx.redhat.com.pp | 2
manifests/nodes/ibiblio1.fedoraproject.org.pp | 2
manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp | 2
manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp | 2
manifests/nodes/lb1.fedora.phx.redhat.com.pp | 2
manifests/nodes/lb2.fedora.phx.redhat.com.pp | 2
manifests/nodes/log1.fedora.phx.redhat.com.pp | 2
manifests/nodes/nfs1.fedora.phx.redhat.com.pp | 2
manifests/nodes/nfs2.fedora.phx.redhat.com.pp | 2
manifests/nodes/noc2.fedoraproject.org.pp | 2
manifests/nodes/ns1.fedoraproject.org.pp | 2
manifests/nodes/ns2.fedoraproject.org.pp | 2
manifests/nodes/people1.fedoraproject.org.pp | 2
manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp | 2
manifests/nodes/publictest10.fedoraproject.org.pp | 2
manifests/nodes/publictest12.fedoraproject.org.pp | 2
manifests/nodes/publictest13.fedora.phx.redhat.com.pp | 2
manifests/nodes/publictest14.fedoraproject.org.pp | 2
manifests/nodes/publictest15.fedoraproject.org.pp | 2
manifests/nodes/publictest16.fedoraproject.org.pp | 2
manifests/nodes/publictest2.fedora.phx.redhat.com.pp | 2
manifests/nodes/publictest3.fedora.phx.redhat.com.pp | 2
manifests/nodes/publictest4.fedora.phx.redhat.com.pp | 2
manifests/nodes/publictest5.fedora.phx.redhat.com.pp | 2
manifests/nodes/publictest6.fedora.phx.redhat.com.pp | 2
manifests/nodes/publictest7.fedora.phx.redhat.com.pp | 2
manifests/nodes/publictest9.fedora.phx.redhat.com.pp | 2
manifests/nodes/qa1.fedora.phx.redhat.com.pp | 2
manifests/nodes/rawhide1.fedoraproject.org.pp | 2
manifests/nodes/releng1.fedora.phx.redhat.com.pp | 2
manifests/nodes/secondary1.fedora.phx.redhat.com.pp | 2
manifests/nodes/serverbeach1.fedoraproject.org.pp | 2
manifests/nodes/serverbeach2.fedoraproject.org.pp | 2
manifests/nodes/serverbeach3.fedoraproject.org.pp | 2
manifests/nodes/serverbeach4.fedoraproject.org.pp | 2
manifests/nodes/serverbeach5.fedoraproject.org.pp | 2
manifests/nodes/sign1.fedora.phx.redhat.com.pp | 2
manifests/nodes/sign2.fedora.phx.redhat.com.pp | 2
manifests/nodes/sign3.fedora.phx.redhat.com.pp | 2
manifests/nodes/smtp-mm1.fedoraproject.org.pp | 2
manifests/nodes/telia1.fedoraproject.org.pp | 2
manifests/nodes/test3.fedora.phx.redhat.com.pp | 2
manifests/nodes/test4.fedora.phx.redhat.com.pp | 2
manifests/nodes/test7.fedora.phx.redhat.com.pp | 2
manifests/nodes/test9.fedora.phx.redhat.com.pp | 2
manifests/nodes/torrent1.fedoraproject.org.pp | 2
manifests/nodes/tummy1.fedoraproject.org.pp | 2
manifests/nodes/xen6.fedora.phx.redhat.com.pp | 2
manifests/servergroups/appFcTest.pp | 2
manifests/servergroups/appRelEng.pp | 2
manifests/servergroups/appRhel.pp | 2
manifests/servergroups/appRhelTest.pp | 2
manifests/servergroups/asterisk.pp | 2
manifests/servergroups/build.pp | 2
manifests/servergroups/cnodes.pp | 2
manifests/servergroups/collab.pp | 2
manifests/servergroups/compose.pp | 2
manifests/servergroups/cvs.pp | 2
manifests/servergroups/db.pp | 2
manifests/servergroups/fas-server.pp | 6
manifests/servergroups/gateway.pp | 2
manifests/servergroups/hosted.pp | 2
manifests/servergroups/koji.pp | 2
manifests/servergroups/noc.pp | 2
manifests/servergroups/proxy.pp | 4
manifests/servergroups/puppet.pp | 2
manifests/servergroups/valueadd.pp | 2
manifests/servergroups/xen-server.pp | 2
manifests/services/fas.pp | 292 -----------
modules/fas/README | 10
modules/fas/files/Makefile.fedora-ca | 70 ++
modules/fas/files/accounts-proxy.conf | 11
modules/fas/files/accounts-pubring.gpg |binary
modules/fas/files/accounts.conf | 26 +
modules/fas/files/accounts.fedoraproject.org.conf | 13
modules/fas/files/accounts.fedoraproject.org/logs.conf | 2
modules/fas/files/accounts.fedoraproject.org/redirect.conf | 1
modules/fas/files/certhelper.py | 280 +++++++++++
modules/fas/files/export-bugzilla.py | 68 ++
modules/fas/files/fas-log.cfg | 29 +
modules/fas/files/fas.fedoraproject.org.conf | 13
modules/fas/files/fas.fedoraproject.org/logs.conf | 2
modules/fas/files/fas.fedoraproject.org/redirect.conf | 1
modules/fas/files/fas.wsgi | 50 ++
modules/fas/files/fasSync | 1
modules/fas/files/fedora-ca-client-openssl.cnf | 317 +++++++++++++
modules/fas/files/nsswitch.conf | 45 +
modules/fas/manifests/init.pp | 307 ++++++++++++
modules/fas/templates/export-bugzilla.cfg.erb | 11
modules/fas/templates/fas-prod.cfg.erb | 163 ++++++
modules/fas/templates/fas.conf.erb | 78 +++
118 files changed, 1576 insertions(+), 1552 deletions(-)
New commits:
commit 58e9676244f0f543812dcb6c2723e532319ca512
Author: Mike McGrath <mmcgrath(a)redhat.com>
Date: Wed Apr 8 20:08:51 2009 +0000
have all hosts use new fas module
diff --git a/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp b/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp
index 1f26375..3378a5d 100644
--- a/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp
@@ -6,7 +6,7 @@ node 'app1.stg.fedora.phx.redhat.com' {
$groups='sysadmin-main'
include phx
include global
- include fas
+ include fas::fas
}
'staging' : {
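Review bot: Only the branch that closes just before `'staging' : {` is switched to `include fas::fas`, and the diffstat counts a single changed line pair for this file. The staging branch that starts in the trailing context is not shown here, so please confirm it does not still reference the old `fas` class. manifests/services/fas.pp is deleted in the same push, so a leftover `include fas` in that branch may no longer resolve for staging hosts.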
diff --git a/manifests/nodes/backup2.fedoraproject.org.pp b/manifests/nodes/backup2.fedoraproject.org.pp
index f19d65b..da8216c 100644
--- a/manifests/nodes/backup2.fedoraproject.org.pp
+++ b/manifests/nodes/backup2.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node backup2 {
$groups='sysadmin-backup'
include global
- include fas
+ include fas::fas
include vpn
include backupPrivKey
include scripts::drBackup
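Review bot: `include fas::fas` repeats the module name as the class name, which is why this node and every other node manifest in the commit needs the same one-line edit. If modules/fas/manifests/init.pp declared the top-level class as plain `fas`, the existing `include fas` lines could have stayed and the change would reduce to the file moves. If the doubled name is intentional, a short note on the class layout in modules/fas/README would help whoever adds the next node.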
diff --git a/manifests/nodes/bu1.fedoraproject.org.pp b/manifests/nodes/bu1.fedoraproject.org.pp
index d30d71d..69f0602 100644
--- a/manifests/nodes/bu1.fedoraproject.org.pp
+++ b/manifests/nodes/bu1.fedoraproject.org.pp
@@ -2,6 +2,6 @@ node bu1{
$groups='@all'
$relayHost = ' '
include global
- include fas
+ include fas::fas
include people
}
diff --git a/manifests/nodes/buildsys.fedoraproject.org.pp b/manifests/nodes/buildsys.fedoraproject.org.pp
index 7f709fa..2580b66 100644
--- a/manifests/nodes/buildsys.fedoraproject.org.pp
+++ b/manifests/nodes/buildsys.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node buildsys {
$groups = 'sysadmin-main,sysadmin-build,epel_signers'
include global
- include fas
+ include fas::fas
include ipmi
include nagiosPhysical
include plague::user-sync
diff --git a/manifests/nodes/cstore1.fedoraproject.org.pp b/manifests/nodes/cstore1.fedoraproject.org.pp
index 4cfb82b..93f2153 100644
--- a/manifests/nodes/cstore1.fedoraproject.org.pp
+++ b/manifests/nodes/cstore1.fedoraproject.org.pp
@@ -1,6 +1,6 @@
node cstore1{
$groups='sysadmin-main,sysadmin-cloud'
- include fas
+ include fas::fas
include vpn
include dhcpserver-cloud
# Firewall Rules, allow tftp
diff --git a/manifests/nodes/cstore2.fedoraproject.org.pp b/manifests/nodes/cstore2.fedoraproject.org.pp
index 0846147..f490863 100644
--- a/manifests/nodes/cstore2.fedoraproject.org.pp
+++ b/manifests/nodes/cstore2.fedoraproject.org.pp
@@ -1,6 +1,6 @@
node cstore2{
$groups='sysadmin-main,sysadmin-cloud'
- include fas
+ include fas::fas
include vpn
# Firewall Rules, allow (nothing yet)
$tcpPorts = [ ]
diff --git a/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp b/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp
index ce6778a..170e307 100644
--- a/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp
@@ -5,7 +5,7 @@ node "db1.stg.fedora.phx.redhat.com" {
$groups='sysadmin-main'
include phx
include global
- include fas
+ include fas::fas
}
'staging' : {
diff --git a/manifests/nodes/fas1.fedora.phx.redhat.com.pp b/manifests/nodes/fas1.fedora.phx.redhat.com.pp
index a65248e..90d17b0 100644
--- a/manifests/nodes/fas1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/fas1.fedora.phx.redhat.com.pp
@@ -1,5 +1,5 @@
node fas1{
include phx
include fasServerGenCert
- include fas-no-balance
+ include fas::fas-no-balance
}
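Review bot: The new class name `fas::fas-no-balance` keeps the hyphen from the old `fas-no-balance`. Since every reference is being edited in this commit anyway, consider renaming it to `fas::fas_no_balance` now; hyphenated class names are awkward to reference and later Puppet releases reject them, so the rename only gets more expensive once more nodes include it.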
diff --git a/manifests/nodes/ibiblio1.fedoraproject.org.pp b/manifests/nodes/ibiblio1.fedoraproject.org.pp
index 3ce8c3d..a87bb3b 100644
--- a/manifests/nodes/ibiblio1.fedoraproject.org.pp
+++ b/manifests/nodes/ibiblio1.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node ibiblio1{
$groups='sysadmin-main'
include xen-server
- include fas
+ include fas::fas
include vpn
}
diff --git a/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp b/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp
index 1dd226b..fa7d8fd 100644
--- a/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node kojipkgs1{
$groups='sysadmin-main,sysadmin-build,sysadmin-noc'
include phx
include global
- include fas
+ include fas::fas
include kojipkgs
include selinux
diff --git a/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp b/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp
index 3fbae4e..3bb9433 100644
--- a/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node kojipkgs2{
$groups='sysadmin-main,sysadmin-build,sysadmin-noc'
include phx
include global
- include fas
+ include fas::fas
include kojipkgs
include selinux
diff --git a/manifests/nodes/lb1.fedora.phx.redhat.com.pp b/manifests/nodes/lb1.fedora.phx.redhat.com.pp
index baebda8..1351fde 100644
--- a/manifests/nodes/lb1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/lb1.fedora.phx.redhat.com.pp
@@ -1,7 +1,7 @@
node lb1{
$groups='sysadmin-main,sysadmin-web'
include phx
- include fas
+ include fas::fas
include global
# Firewall Rules, allow OpenVPN traffic through
diff --git a/manifests/nodes/lb2.fedora.phx.redhat.com.pp b/manifests/nodes/lb2.fedora.phx.redhat.com.pp
index 0b30286..a4e8658 100644
--- a/manifests/nodes/lb2.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/lb2.fedora.phx.redhat.com.pp
@@ -1,7 +1,7 @@
node lb2{
$groups='sysadmin-main,sysadmin-web'
include phx
- include fas
+ include fas::fas
include global
# Firewall Rules, allow OpenVPN traffic through
$tcpPorts = [ 80, 443, 5560 ]
diff --git a/manifests/nodes/log1.fedora.phx.redhat.com.pp b/manifests/nodes/log1.fedora.phx.redhat.com.pp
index b615389..9198af2 100644
--- a/manifests/nodes/log1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/log1.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node log1{
$groups='sysadmin-main,sysadmin-noc'
$rsyslog=1
include global
- include fas
+ include fas::fas
include phx
include vpn
include awstats
diff --git a/manifests/nodes/nfs1.fedora.phx.redhat.com.pp b/manifests/nodes/nfs1.fedora.phx.redhat.com.pp
index 7f39b70..3ca425f 100644
--- a/manifests/nodes/nfs1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/nfs1.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node nfs1{
$groups='sysadmin-main,sysadmin-noc'
include phx
include global
- include fas
+ include fas::fas
include nfs-server
include nfs-server-phx
include selinux
diff --git a/manifests/nodes/nfs2.fedora.phx.redhat.com.pp b/manifests/nodes/nfs2.fedora.phx.redhat.com.pp
index f3be815..994b491 100644
--- a/manifests/nodes/nfs2.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/nfs2.fedora.phx.redhat.com.pp
@@ -1,6 +1,6 @@
node nfs2{
$groups='sysadmin-main'
include phx
- include fas
+ include fas::fas
}
diff --git a/manifests/nodes/noc2.fedoraproject.org.pp b/manifests/nodes/noc2.fedoraproject.org.pp
index 55bc2fa..51aaa3b 100644
--- a/manifests/nodes/noc2.fedoraproject.org.pp
+++ b/manifests/nodes/noc2.fedoraproject.org.pp
@@ -2,7 +2,7 @@ node noc2{
$groups='sysadmin-main,sysadmin-noc'
$relayHost=' '
include global
- include fas
+ include fas::fas
include vpn
include nagios-server-external
include pager
diff --git a/manifests/nodes/ns1.fedoraproject.org.pp b/manifests/nodes/ns1.fedoraproject.org.pp
index 94fae20..624f5da 100644
--- a/manifests/nodes/ns1.fedoraproject.org.pp
+++ b/manifests/nodes/ns1.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node ns1{
$groups = 'sysadmin-main'
include global
- include fas
+ include fas::fas
include dns
}
diff --git a/manifests/nodes/ns2.fedoraproject.org.pp b/manifests/nodes/ns2.fedoraproject.org.pp
index fa6c738..91998e0 100644
--- a/manifests/nodes/ns2.fedoraproject.org.pp
+++ b/manifests/nodes/ns2.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node ns2{
$groups = 'sysadmin-main'
include global
- include fas
+ include fas::fas
include dns
}
diff --git a/manifests/nodes/people1.fedoraproject.org.pp b/manifests/nodes/people1.fedoraproject.org.pp
index cb35312..ef49bc8 100644
--- a/manifests/nodes/people1.fedoraproject.org.pp
+++ b/manifests/nodes/people1.fedoraproject.org.pp
@@ -4,7 +4,7 @@ node people1 {
$sshd_config_PasswordAuthentication='no'
include global
include people
- include fas
+ include fas::fas
include vpn
include planet
}
diff --git a/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp b/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp
index 48d86e5..90369ae 100644
--- a/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp
@@ -5,7 +5,7 @@ node 'proxy1.stg.fedora.phx.redhat.com' {
$groups='sysadmin-main'
include phx
include global
- include fas
+ include fas::fas
}
'staging' : {
$puppetEnvironment='staging'
diff --git a/manifests/nodes/publictest10.fedoraproject.org.pp b/manifests/nodes/publictest10.fedoraproject.org.pp
index 3992b56..5fbbd61 100644
--- a/manifests/nodes/publictest10.fedoraproject.org.pp
+++ b/manifests/nodes/publictest10.fedoraproject.org.pp
@@ -2,7 +2,7 @@ node publictest10{
$groups='sysadmin-main,sysadmin-test,sysadmin-noc'
include ssh::sshd
include httpd
- include fas
+ include fas::fas
include global
include selinux
include git-package
diff --git a/manifests/nodes/publictest12.fedoraproject.org.pp b/manifests/nodes/publictest12.fedoraproject.org.pp
index 12e6b66..7cdded4 100644
--- a/manifests/nodes/publictest12.fedoraproject.org.pp
+++ b/manifests/nodes/publictest12.fedoraproject.org.pp
@@ -1,6 +1,6 @@
node publictest12{
$groups = 'sysadmin-main,sysadmin-test,sysadmin-noc'
- include fas
+ include fas::fas
include global
$tcpPorts = [ 80, 443 ]
$udpPorts = [ ]
diff --git a/manifests/nodes/publictest13.fedora.phx.redhat.com.pp b/manifests/nodes/publictest13.fedora.phx.redhat.com.pp
index 1c5bb08..a960671 100644
--- a/manifests/nodes/publictest13.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/publictest13.fedora.phx.redhat.com.pp
@@ -1,6 +1,6 @@
node publictest13{
$groups='sysadmin-main,sysadmin-test,sysadmin-noc'
include global
- include fas
+ include fas::fas
}
diff --git a/manifests/nodes/publictest14.fedoraproject.org.pp b/manifests/nodes/publictest14.fedoraproject.org.pp
index 9fc8c05..e5c353c 100644
--- a/manifests/nodes/publictest14.fedoraproject.org.pp
+++ b/manifests/nodes/publictest14.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node publictest14{
$relayHost=' '
$groups = 'sysadmin-main,sysadmin-test,sysadmin-noc,sysadmin-test'
- include fas
+ include fas::fas
include global
$tcpPorts = [ 80, 443 ]
$udpPorts = [ ]
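Review bot: the `$groups` context line in this hunk lists `sysadmin-test` twice ('sysadmin-main,sysadmin-test,sysadmin-noc,sysadmin-test'). Since the file is being touched anyway, drop the duplicate so the group list matches the other publictest nodes in this patch.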
diff --git a/manifests/nodes/publictest15.fedoraproject.org.pp b/manifests/nodes/publictest15.fedoraproject.org.pp
index cd2d98d..54d6821 100644
--- a/manifests/nodes/publictest15.fedoraproject.org.pp
+++ b/manifests/nodes/publictest15.fedoraproject.org.pp
@@ -3,7 +3,7 @@ node publictest15{
$groups='sysadmin-main,sysadmin-test,sysadmin-noc'
include ssh::sshd
include httpd
- include fas
+ include fas::fas
include bodhi-dev
include global
include selinux
diff --git a/manifests/nodes/publictest16.fedoraproject.org.pp b/manifests/nodes/publictest16.fedoraproject.org.pp
index 7b85ddf..6b9b0c3 100644
--- a/manifests/nodes/publictest16.fedoraproject.org.pp
+++ b/manifests/nodes/publictest16.fedoraproject.org.pp
@@ -2,7 +2,7 @@ node publictest16{
$groups='sysadmin-main,sysadmin-test,sysadmin-noc'
include ssh::sshd
include httpd
- include fas
+ include fas::fas
include bodhi-dev
include global
include selinux
diff --git a/manifests/nodes/publictest2.fedora.phx.redhat.com.pp b/manifests/nodes/publictest2.fedora.phx.redhat.com.pp
index 91fdaaf..d224e45 100644
--- a/manifests/nodes/publictest2.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/publictest2.fedora.phx.redhat.com.pp
@@ -2,6 +2,6 @@ node publictest2{
$groups='sysadmin-test,sysadmin-main,sysadmin-web'
include phx
include global
- include fas
+ include fas::fas
}
diff --git a/manifests/nodes/publictest3.fedora.phx.redhat.com.pp b/manifests/nodes/publictest3.fedora.phx.redhat.com.pp
index 207b27b..9e9f235 100644
--- a/manifests/nodes/publictest3.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/publictest3.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node publictest3{
$groups='sysadmin-main,sysadmin-test,sysadmin-noc'
include phx
include xen-guest
- include fas
+ include fas::fas
#Include php.ini & apache...
include apache::php
diff --git a/manifests/nodes/publictest4.fedora.phx.redhat.com.pp b/manifests/nodes/publictest4.fedora.phx.redhat.com.pp
index af6052a..ccc6ff1 100644
--- a/manifests/nodes/publictest4.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/publictest4.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node publictest4{
$groups = 'sysadmin-main,sysadmin-test,sysadmin-noc'
include phx
include xen-guest
- include fas
+ include fas::fas
# Firewall Rules, allow SSH, SIP(TCP 5060), IAX2(UDP 4569), SIP(UDP 5060), RTP(UDP 10000:10500)
$tcpPorts = [ 22, 5060 ]
$udpPorts = [ 4569, 5060, '10000:10500' ]
diff --git a/manifests/nodes/publictest5.fedora.phx.redhat.com.pp b/manifests/nodes/publictest5.fedora.phx.redhat.com.pp
index 2378109..3f9880a 100644
--- a/manifests/nodes/publictest5.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/publictest5.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node publictest5{
$groups = 'sysadmin-main,sysadmin-test,sysadmin-noc'
include phx
include xen-guest
- include fas
+ include fas::fas
# Firewall Rules, allow HTTP (TCP 80), HTTPS (TCP 443), SSH, SIP(TCP 5060), IAX2(UDP 4569), SIP(UDP 5060), RTP(UDP 10000:10500)
$tcpPorts = [ 22, 80, 443, 5060 ]
$udpPorts = [ 4569, 5060, '10000:10500' ]
diff --git a/manifests/nodes/publictest6.fedora.phx.redhat.com.pp b/manifests/nodes/publictest6.fedora.phx.redhat.com.pp
index d8bd031..5ff6931 100644
--- a/manifests/nodes/publictest6.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/publictest6.fedora.phx.redhat.com.pp
@@ -3,6 +3,6 @@ node publictest6{
$groups = 'sysadmin-main'
include phx
include xen-guest
- include fas
+ include fas::fas
}
diff --git a/manifests/nodes/publictest7.fedora.phx.redhat.com.pp b/manifests/nodes/publictest7.fedora.phx.redhat.com.pp
index 257dce5..df44bea 100644
--- a/manifests/nodes/publictest7.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/publictest7.fedora.phx.redhat.com.pp
@@ -3,6 +3,6 @@ node publictest7{
$groups = 'sysadmin-main'
include phx
include xen-guest
- include fas
+ include fas::fas
}
diff --git a/manifests/nodes/publictest9.fedora.phx.redhat.com.pp b/manifests/nodes/publictest9.fedora.phx.redhat.com.pp
index 3d91c12..42819b0 100644
--- a/manifests/nodes/publictest9.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/publictest9.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node publictest9{
$groups='sysadmin-main,sysadmin-test,sysadmin-noc'
include phx
include xen-guest
- include fas
+ include fas::fas
include mediawiki-test::base
$tcpPorts = [ 80, 443, 10050, 11211 ]
diff --git a/manifests/nodes/qa1.fedora.phx.redhat.com.pp b/manifests/nodes/qa1.fedora.phx.redhat.com.pp
index cc3053b..2e5bf19 100644
--- a/manifests/nodes/qa1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/qa1.fedora.phx.redhat.com.pp
@@ -1,7 +1,7 @@
node qa1{
$groups='sysadmin-main,sysadmin-noc,qa-admin'
include phx
- include fas
+ include fas::fas
include global
include git-package
include fedora-packager-package
diff --git a/manifests/nodes/rawhide1.fedoraproject.org.pp b/manifests/nodes/rawhide1.fedoraproject.org.pp
index dc480eb..7377f7d 100644
--- a/manifests/nodes/rawhide1.fedoraproject.org.pp
+++ b/manifests/nodes/rawhide1.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node 'rawhide1.fedoraproject.org' {
$relayHost=' '
$groups = 'sysadmin-main,sysadmin-noc'
- include fas
+ include fas::fas
include global
}
diff --git a/manifests/nodes/releng1.fedora.phx.redhat.com.pp b/manifests/nodes/releng1.fedora.phx.redhat.com.pp
index 60dd139..ad60c71 100644
--- a/manifests/nodes/releng1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/releng1.fedora.phx.redhat.com.pp
@@ -1,6 +1,6 @@
node releng1{
$groups='sysadmin-main,sysadmin-releng,sysadmin-noc'
include phx
- include fas
+ include fas::fas
include global
}
diff --git a/manifests/nodes/secondary1.fedora.phx.redhat.com.pp b/manifests/nodes/secondary1.fedora.phx.redhat.com.pp
index d87ad82..0b98229 100644
--- a/manifests/nodes/secondary1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/secondary1.fedora.phx.redhat.com.pp
@@ -1,7 +1,7 @@
node secondary1{
$groups='sysadmin-main,sysadmin-noc,alt-sugar,alt-k12linux,altvideos'
include global
- include fas
+ include fas::fas
include secondaryMirror
include nfs-server
include selinux
diff --git a/manifests/nodes/serverbeach1.fedoraproject.org.pp b/manifests/nodes/serverbeach1.fedoraproject.org.pp
index 3fffa23..295ea48 100644
--- a/manifests/nodes/serverbeach1.fedoraproject.org.pp
+++ b/manifests/nodes/serverbeach1.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node serverbeach1{
$groups = 'sysadmin-main'
include global
- include fas
+ include fas::fas
include vpn
include xenHost
include ipmi
diff --git a/manifests/nodes/serverbeach2.fedoraproject.org.pp b/manifests/nodes/serverbeach2.fedoraproject.org.pp
index 6a7d8fd..8a759ff 100644
--- a/manifests/nodes/serverbeach2.fedoraproject.org.pp
+++ b/manifests/nodes/serverbeach2.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node serverbeach2{
$groups = 'sysadmin-main'
include global
- include fas
+ include fas::fas
include vpn
include xenHost
include ipmi
diff --git a/manifests/nodes/serverbeach3.fedoraproject.org.pp b/manifests/nodes/serverbeach3.fedoraproject.org.pp
index 018ecf1..4338551 100644
--- a/manifests/nodes/serverbeach3.fedoraproject.org.pp
+++ b/manifests/nodes/serverbeach3.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node serverbeach3{
$groups = 'sysadmin-main'
include global
- include fas
+ include fas::fas
include vpn
include xenHost
include ipmi
diff --git a/manifests/nodes/serverbeach4.fedoraproject.org.pp b/manifests/nodes/serverbeach4.fedoraproject.org.pp
index f855620..ac878e6 100644
--- a/manifests/nodes/serverbeach4.fedoraproject.org.pp
+++ b/manifests/nodes/serverbeach4.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node serverbeach4{
$groups = 'sysadmin-main'
include global
- include fas
+ include fas::fas
include vpn
include xenHost
include ipmi
diff --git a/manifests/nodes/serverbeach5.fedoraproject.org.pp b/manifests/nodes/serverbeach5.fedoraproject.org.pp
index c4a1088..1776e8d 100644
--- a/manifests/nodes/serverbeach5.fedoraproject.org.pp
+++ b/manifests/nodes/serverbeach5.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node serverbeach5{
$groups = 'sysadmin-main'
include global
- include fas
+ include fas::fas
include vpn
include xenHost
include ipmi
diff --git a/manifests/nodes/sign1.fedora.phx.redhat.com.pp b/manifests/nodes/sign1.fedora.phx.redhat.com.pp
index e383736..d77ad31 100644
--- a/manifests/nodes/sign1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/sign1.fedora.phx.redhat.com.pp
@@ -4,7 +4,7 @@
node sign1{
$groups = 'sysadmin-main,sysadmin-releng'
include phx
- include fas
+ include fas::fas
#include global
include pkgsigner
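Review bot: `#include global` stays commented out on sign1, while the sign2 and sign3 manifests in this same patch both carry `include global`. Either re-enable it here or add a comment above the line saying why this signing host is the exception, so the difference is not mistaken for leftover debugging.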
diff --git a/manifests/nodes/sign2.fedora.phx.redhat.com.pp b/manifests/nodes/sign2.fedora.phx.redhat.com.pp
index 3ca66e4..7620e80 100644
--- a/manifests/nodes/sign2.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/sign2.fedora.phx.redhat.com.pp
@@ -1,7 +1,7 @@
node sign2{
$groups = 'sysadmin-main'
include phx
- include fas
+ include fas::fas
include global
include pkgsigner
}
diff --git a/manifests/nodes/sign3.fedora.phx.redhat.com.pp b/manifests/nodes/sign3.fedora.phx.redhat.com.pp
index 2bafff9..18a4323 100644
--- a/manifests/nodes/sign3.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/sign3.fedora.phx.redhat.com.pp
@@ -1,7 +1,7 @@
node sign3{
$groups = 'sysadmin-main'
include phx
- include fas
+ include fas::fas
include global
include pkgsigner
}
diff --git a/manifests/nodes/smtp-mm1.fedoraproject.org.pp b/manifests/nodes/smtp-mm1.fedoraproject.org.pp
index c9c53c8..d5ad7fb 100644
--- a/manifests/nodes/smtp-mm1.fedoraproject.org.pp
+++ b/manifests/nodes/smtp-mm1.fedoraproject.org.pp
@@ -2,7 +2,7 @@ node smtp-mm1{
$groups = 'sysadmin-main,sysadmin-noc,sysadmin-tools'
$isMailmanSMTP=1
include global
- include fas
+ include fas::fas
include postfix::mailman_smtp
# Firewall Rules, allow SMTP traffic through
diff --git a/manifests/nodes/telia1.fedoraproject.org.pp b/manifests/nodes/telia1.fedoraproject.org.pp
index 4e8433d..8035a27 100644
--- a/manifests/nodes/telia1.fedoraproject.org.pp
+++ b/manifests/nodes/telia1.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node telia1{
$groups='sysadmin-main'
include xen-server
- include fas
+ include fas::fas
include vpn
}
diff --git a/manifests/nodes/test3.fedora.phx.redhat.com.pp b/manifests/nodes/test3.fedora.phx.redhat.com.pp
index 303b1c3..0107987 100644
--- a/manifests/nodes/test3.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/test3.fedora.phx.redhat.com.pp
@@ -1,6 +1,6 @@
node test3{
$groups='sysadmin-main,sysadmin-releng'
- include fas
+ include fas::fas
include phx
include xen-guest
}
diff --git a/manifests/nodes/test4.fedora.phx.redhat.com.pp b/manifests/nodes/test4.fedora.phx.redhat.com.pp
index d405088..bda764f 100644
--- a/manifests/nodes/test4.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/test4.fedora.phx.redhat.com.pp
@@ -1,6 +1,6 @@
node test4{
$groups='sysadmin-main,sysadmin-releng'
- include fas
+ include fas::fas
include phx
include xen-guest
}
diff --git a/manifests/nodes/test7.fedora.phx.redhat.com.pp b/manifests/nodes/test7.fedora.phx.redhat.com.pp
index 414143a..62b6078 100644
--- a/manifests/nodes/test7.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/test7.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node test7{
$groups='sysadmin-main,sysadmin-test,sysadmin-noc'
include phx
include xen-guest
- include fas
+ include fas::fas
include fedoraproject-moin
}
diff --git a/manifests/nodes/test9.fedora.phx.redhat.com.pp b/manifests/nodes/test9.fedora.phx.redhat.com.pp
index 4eaae80..c6d655f 100644
--- a/manifests/nodes/test9.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/test9.fedora.phx.redhat.com.pp
@@ -2,6 +2,6 @@ node test9{
$groups = 'sysadmin-main,sysadmin-test,sysadmin-noc'
include phx
include xen-guest
- include fas
+ include fas::fas
}
diff --git a/manifests/nodes/torrent1.fedoraproject.org.pp b/manifests/nodes/torrent1.fedoraproject.org.pp
index 8b11de1..afb7e31 100644
--- a/manifests/nodes/torrent1.fedoraproject.org.pp
+++ b/manifests/nodes/torrent1.fedoraproject.org.pp
@@ -1,6 +1,6 @@
node torrent1{
$groups = 'sysadmin-web,sysadmin-main,torrentadmin,sysadmin-noc,torrent-cc'
include global
- include fas
+ include fas::fas
include torrent
}
diff --git a/manifests/nodes/tummy1.fedoraproject.org.pp b/manifests/nodes/tummy1.fedoraproject.org.pp
index 357637a..ff41f41 100644
--- a/manifests/nodes/tummy1.fedoraproject.org.pp
+++ b/manifests/nodes/tummy1.fedoraproject.org.pp
@@ -1,7 +1,7 @@
node tummy1{
$groups='sysadmin-main'
include xen-server
- include fas
+ include fas::fas
include vpn
}
diff --git a/manifests/nodes/xen6.fedora.phx.redhat.com.pp b/manifests/nodes/xen6.fedora.phx.redhat.com.pp
index 8d8767e..69ff929 100644
--- a/manifests/nodes/xen6.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/xen6.fedora.phx.redhat.com.pp
@@ -2,7 +2,7 @@ node xen6{
include phx
$groups = 'sysadmin-main,sysadmin-cloud'
include global
- include fas
+ include fas::fas
include ipmi
include nagiosPhysical
include selinux
diff --git a/manifests/servergroups/appFcTest.pp b/manifests/servergroups/appFcTest.pp
index 70154d0..94e1dcd 100644
--- a/manifests/servergroups/appFcTest.pp
+++ b/manifests/servergroups/appFcTest.pp
@@ -2,7 +2,7 @@ class appFcTest {
$groups = 'sysadmin-main,sysadmin-test,sysadmin-noc'
include global
include xen-guest
- include fas
+ include fas::fas
include dbaccess
include mounts
include wevisor-server
diff --git a/manifests/servergroups/appRelEng.pp b/manifests/servergroups/appRelEng.pp
index 8b4b790..c3bbf38 100644
--- a/manifests/servergroups/appRelEng.pp
+++ b/manifests/servergroups/appRelEng.pp
@@ -1,7 +1,7 @@
class appRelEng {
$groups='sysadmin-main,sysadmin-noc,sysadmin-releng'
include global
- include fas
+ include fas::fas
include xen-guest
include mash
include rsync::rsyncd
diff --git a/manifests/servergroups/appRhel.pp b/manifests/servergroups/appRhel.pp
index 0165f64..c8f85ef 100644
--- a/manifests/servergroups/appRhel.pp
+++ b/manifests/servergroups/appRhel.pp
@@ -3,7 +3,7 @@ class appRhel {
include global
include http_log
include xen-guest
- include fas
+ include fas::fas
include dbaccess
include pkgdb-server
include bodhi-app
diff --git a/manifests/servergroups/appRhelTest.pp b/manifests/servergroups/appRhelTest.pp
index d68e275..ce4b633 100644
--- a/manifests/servergroups/appRhelTest.pp
+++ b/manifests/servergroups/appRhelTest.pp
@@ -2,7 +2,7 @@ class appRhelTest {
$groups = 'sysadmin-main,sysadmin-test,sysadmin-noc'
include global
include xen-guest
- include fas
+ include fas::fas
include dbaccess-test
#include genericContent
#include hosted-server
diff --git a/manifests/servergroups/asterisk.pp b/manifests/servergroups/asterisk.pp
index 8f9ef9f..5d932fb 100644
--- a/manifests/servergroups/asterisk.pp
+++ b/manifests/servergroups/asterisk.pp
@@ -1,7 +1,7 @@
class asterisk {
$groups = 'sysadmin-main,sysadmin-noc,sysadmin-tools'
include global
- include fas
+ include fas::fas
include asterisk::main
include asterisk::stats
include asterisk::recording
diff --git a/manifests/servergroups/build.pp b/manifests/servergroups/build.pp
index 145ec65..abaccac 100644
--- a/manifests/servergroups/build.pp
+++ b/manifests/servergroups/build.pp
@@ -3,7 +3,7 @@ class build {
$sshd_config_StrictModes = "no"
include global
# include generic-iptables
- include fas
+ include fas::fas
include koji
include plague-builder
include mockuser
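Review bot: the context around the renamed include shows `$sshd_config_StrictModes = "no"` and a commented-out `# include generic-iptables` with no explanation. With StrictModes off, sshd skips its ownership and mode checks on users' home directories and key files, so the build class should carry a comment saying why both are set this way, or the settings should be revisited while the class is being edited.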
diff --git a/manifests/servergroups/cnodes.pp b/manifests/servergroups/cnodes.pp
index 1934097..8670b60 100644
--- a/manifests/servergroups/cnodes.pp
+++ b/manifests/servergroups/cnodes.pp
@@ -1,6 +1,6 @@
class cnodes {
$groups='sysadmin-main,sysadmin-cloud'
- include fas
+ include fas::fas
include vpn
# Firewall Rules, allow tftp
$tcpPorts = [ 3260 ]
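Review bot: the comment `# Firewall Rules, allow tftp` does not match the rule under it, `$tcpPorts = [ 3260 ]`. TCP 3260 is the iSCSI port, and TFTP runs over UDP 69, so either the comment or the port list is wrong. Please correct whichever it is so the firewall intent for the cnodes class is readable from the manifest.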
diff --git a/manifests/servergroups/collab.pp b/manifests/servergroups/collab.pp
index 8b041b9..463ac9b 100644
--- a/manifests/servergroups/collab.pp
+++ b/manifests/servergroups/collab.pp
@@ -1,7 +1,7 @@
class collab {
$groups = 'sysadmin-main,sysadmin-noc,sysadmin-tools'
include global
- include fas
+ include fas::fas
include vpn
include selinux
include sobby
diff --git a/manifests/servergroups/compose.pp b/manifests/servergroups/compose.pp
index 9478a25..c29b9e0 100644
--- a/manifests/servergroups/compose.pp
+++ b/manifests/servergroups/compose.pp
@@ -3,7 +3,7 @@ class composer {
$groups = 'sysadmin-main,sysadmin-releng'
include global
# include generic-iptables
- include fas
+ include fas::fas
include mockuser
include pungi-package
include livecd-tools-package
diff --git a/manifests/servergroups/cvs.pp b/manifests/servergroups/cvs.pp
index 8dc4038..9ae2c97 100644
--- a/manifests/servergroups/cvs.pp
+++ b/manifests/servergroups/cvs.pp
@@ -5,7 +5,7 @@ class cvs {
$sshd_config_PasswordAuthentication = 'no'
$sshd_config_AllowTcpForwarding = 'no'
include global
- include fas
+ include fas::fas
include cvs-pkgs
include rsync::rsyncd
include drbackupPubKey
diff --git a/manifests/servergroups/db.pp b/manifests/servergroups/db.pp
index 43826cc..27fb1d3 100644
--- a/manifests/servergroups/db.pp
+++ b/manifests/servergroups/db.pp
@@ -1,7 +1,7 @@
class db {
$groups = 'sysadmin-main,sysadmin-dba,sysadmin-noc'
include global
- include fas
+ include fas::fas
include selinux
include aide::scanner
include backupPubKey
diff --git a/manifests/servergroups/fas-server.pp b/manifests/servergroups/fas-server.pp
index 3bfba90..6daed2a 100644
--- a/manifests/servergroups/fas-server.pp
+++ b/manifests/servergroups/fas-server.pp
@@ -2,7 +2,7 @@ class fasServerBase {
$groups = 'sysadmin-main'
include global
include xen-guest
- include fas
+ include fas::fas
include vpn
# Firewall Rules, allow web bodhi traffic through
@@ -24,11 +24,11 @@ class fasServerBase {
}
class fasServer inherits fasServerBase {
- include fas-server
+ include fas::fas-server
}
class fasServerGenCert inherits fasServerBase {
- include fas-server-gencert
+ include fas::fas-server-gencert
semanage_fcontext { '/var/lib/fedora-ca/crl(/.*)?':
type => 'httpd_sys_script_rw_t'
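Review bot: the new names `fas::fas-server` and `fas::fas-server-gencert` repeat the `fas-` prefix that the `fas::` namespace already supplies, and they keep hyphens in the class name. If the classes are being renamed across every manifest in this patch anyway, `fas::server` and `fas::server_gencert` would read better and avoid a second rename later. The same applies to `fas::fas-no-balance` and `fas::fas-proxy` elsewhere in the patch.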
diff --git a/manifests/servergroups/gateway.pp b/manifests/servergroups/gateway.pp
index d33ca7d..7a214b5 100644
--- a/manifests/servergroups/gateway.pp
+++ b/manifests/servergroups/gateway.pp
@@ -8,7 +8,7 @@ class gateway{
include global
include snmp-utils
include vpn-server
- include fas
+ include fas::fas
#include selinux-enforcing
include selinux
include spamassassin_server
diff --git a/manifests/servergroups/hosted.pp b/manifests/servergroups/hosted.pp
index 2708ced..eb9306b 100644
--- a/manifests/servergroups/hosted.pp
+++ b/manifests/servergroups/hosted.pp
@@ -6,7 +6,7 @@ class hosted {
$sshd_config_AllowTcpForwarding = 'no'
include global
include hosted-server
- include fas
+ include fas::fas
# include hosted-proxy
include rsync::rsyncd
include selinux
diff --git a/manifests/servergroups/koji.pp b/manifests/servergroups/koji.pp
index 59477bd..d6801a8 100644
--- a/manifests/servergroups/koji.pp
+++ b/manifests/servergroups/koji.pp
@@ -1,7 +1,7 @@
class kojimasters {
$groups = 'sysadmin-build,sysadmin-main,sysadmin-noc'
include global
- include fas
+ include fas::fas
include kojimaster
include selinux
include nfs-server
diff --git a/manifests/servergroups/noc.pp b/manifests/servergroups/noc.pp
index c8f193d..d58e18d 100644
--- a/manifests/servergroups/noc.pp
+++ b/manifests/servergroups/noc.pp
@@ -1,7 +1,7 @@
class noc {
$groups = 'sysadmin-main,sysadmin-noc'
include global
- include fas
+ include fas::fas
include nagios-server
include cacti-server
include selinux
diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp
index 6d9fb2b..85702ae 100644
--- a/manifests/servergroups/proxy.pp
+++ b/manifests/servergroups/proxy.pp
@@ -3,7 +3,7 @@ class proxy {
include global
include http_log
include proxyserver
- include fas
+ include fas::fas
include autofs
include haproxy::server
include smolt-proxy
@@ -19,7 +19,7 @@ class proxy {
include admin-proxy
include nagios-proxy
include cacti-proxy
- include fas-proxy
+ include fas::fas-proxy
include infrastructure-proxy
#include voting-proxy
include pkgdb-proxy
diff --git a/manifests/servergroups/puppet.pp b/manifests/servergroups/puppet.pp
index c393f9a..4a7c5e5 100644
--- a/manifests/servergroups/puppet.pp
+++ b/manifests/servergroups/puppet.pp
@@ -3,7 +3,7 @@ class puppetServer {
$is_certmaster=1
include global
include phx
- include fas
+ include fas::fas
include infrastructure-repo
include puppet::master
include scripts::sync-rhn
diff --git a/manifests/servergroups/valueadd.pp b/manifests/servergroups/valueadd.pp
index 655f6d7..efebd55 100644
--- a/manifests/servergroups/valueadd.pp
+++ b/manifests/servergroups/valueadd.pp
@@ -3,7 +3,7 @@ class valueadd {
include global
include http_log
include xen-guest
- include fas
+ include fas::fas
include dbaccess
if $phx::inPHX {
diff --git a/manifests/servergroups/xen-server.pp b/manifests/servergroups/xen-server.pp
index 90086f7..c581b84 100644
--- a/manifests/servergroups/xen-server.pp
+++ b/manifests/servergroups/xen-server.pp
@@ -5,7 +5,7 @@ class xen-server {
$groups = 'sysadmin-main'
}
include global
- include fas
+ include fas::fas
include xenHost
include ipmi
include nagiosPhysical
commit 0687715af06ef76fa9288ca521e4daae37f19cb0
Author: Mike McGrath <mmcgrath(a)redhat.com>
Date: Wed Apr 8 20:00:26 2009 +0000
removed old fas files
diff --git a/configs/fas/fasSync b/configs/fas/fasSync
deleted file mode 100644
index 4f9f643..0000000
--- a/configs/fas/fasSync
+++ /dev/null
@@ -1 +0,0 @@
-24 * * * * root /bin/sleep $(($RANDOM/20)); /usr/bin/fasClient -i > /dev/null 2>&1
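Review bot: this removes the cron entry that runs `/usr/bin/fasClient -i`, and the commit message "removed old fas files" does not say where the job lives now. Please name the replacement in the message. If a host ends up without an equivalent entry, account and group changes made in FAS, removals included, stop reaching it. For the replacement, note that `$(($RANDOM/20))` assumes the cron shell provides `$RANDOM`, which bash does and POSIX sh does not require.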
diff --git a/configs/fas/nsswitch.conf b/configs/fas/nsswitch.conf
deleted file mode 100644
index fb4ff62..0000000
--- a/configs/fas/nsswitch.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-# /etc/nsswitch.conf
-#
-# An example Name Service Switch config file. This file should be
-# sorted with the most-used services at the beginning.
-#
-# The entry '[NOTFOUND=return]' means that the search for an
-# entry should stop if the search in the previous entry turned
-# up nothing. Note that if the search failed due to some other reason
-# (like no NIS server responding) then the search continues with the
-# next entry.
-#
-# Legal entries are:
-#
-# nisplus or nis+ Use NIS+ (NIS version 3)
-# nis or yp Use NIS (NIS version 2), also called YP
-# dns Use DNS (Domain Name Service)
-# files Use the local files
-# db Use the local database (.db) files
-# compat Use NIS on compat mode
-# hesiod Use Hesiod for user lookups
-# [NOTFOUND=return] Stop searching if not found so far
-#
-
-passwd: db files
-shadow: db files
-group: db files
-
-#hosts: db files nisplus nis dns
-hosts: files dns
-
-bootparams: nisplus [NOTFOUND=return] files
-
-ethers: files
-netmasks: files
-networks: files
-protocols: files
-rpc: files
-services: files
-
-netgroup: files
-
-publickey: nisplus
-
-automount: files
-aliases: files nisplus
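Review bot: `passwd: db files`, `shadow: db files` and `group: db files` consult the generated db before the local files, so a db entry takes precedence over a local account of the same name. If this file is carried over into the new location rather than dropped, document why db comes first or switch to `files db`. The `nisplus` sources left on `bootparams`, `publickey` and `aliases` look like leftovers from the stock example file and could go at the same time.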
diff --git a/configs/system/export-bugzilla.cfg.erb b/configs/system/export-bugzilla.cfg.erb
deleted file mode 100644
index 6c65f07..0000000
--- a/configs/system/export-bugzilla.cfg.erb
+++ /dev/null
@@ -1,11 +0,0 @@
-[global]
-# bugzilla.url = https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi
-# Running from fas1 so we need the PHX available address.
-bugzilla.url = "https://bzprx.vip.phx.redhat.com/xmlrpc.cgi"
-# bugzilla.url = "https://bugzilla.redhat.com/xmlrpc.cgi"
-bugzilla.username = "<%= bugzillaUser %>"
-bugzilla.password = "<%= bugzillaPassword %>"
-
-# At the moment, we have to extract this information directly from the fas2
-# database. We can build a json interface for it at a later date.
-sqlalchemy.dburi = "postgres://fas:<%= fasDbPassword %>@db2/fas2"
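Review bot: this template renders `bugzilla.password` and the database password embedded in `sqlalchemy.dburi` into a single file, and neither this hunk nor the commit message shows where it now lives. Wherever it moved, the file resource should set owner and mode explicitly so that only the account running export-bugzilla.py can read the result. Please mention the new location in the commit message.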
diff --git a/configs/system/export-bugzilla.py b/configs/system/export-bugzilla.py
deleted file mode 100755
index 4b6b416..0000000
--- a/configs/system/export-bugzilla.py
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/python -t
-__requires__ = 'TurboGears'
-import pkg_resources
-pkg_resources.require('CherryPy >= 2.0, < 3.0alpha')
-
-import sys
-import getopt
-import xmlrpclib
-import turbogears
-from turbogears import config
-turbogears.update_config(configfile="/etc/export-bugzilla.cfg")
-from turbogears.database import session
-from fas.model import BugzillaQueue
-
-BZSERVER = config.get('bugzilla.url', 'https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi')
-BZUSER = config.get('bugzilla.username')
-BZPASS = config.get('bugzilla.password')
-
-if __name__ == '__main__':
- opts, args = getopt.getopt(sys.argv[1:], '', ('usage', 'help'))
- if len(args) != 2 or ('--usage','') in opts or ('--help','') in opts:
- print """
- Usage: export-bugzilla.py GROUP BUGZILLA_GROUP
- """
- sys.exit(1)
- ourGroup = args[0]
- bzGroup = args[1]
-
- server = xmlrpclib.Server(BZSERVER)
- bugzilla_queue = BugzillaQueue.query.join('group').filter_by(
- name=ourGroup)
-
- for entry in bugzilla_queue:
- # Make sure we have a record for this user in bugzilla
- if entry.action == 'r':
- # Remove the user's bugzilla group
- try:
- server.bugzilla.updatePerms(entry.email, 'rem', (bzGroup,),
- BZUSER, BZPASS)
- except xmlrpclib.Fault, e:
- if e.faultCode == 504:
- # It's okay, not having this user is equivalent to setting
- # them to not have this group.
- pass
- else:
- raise
-
- elif entry.action == 'a':
- # Try to create the user
- try:
- server.bugzilla.addUser(entry.email, entry.person.human_name, BZUSER, BZPASS)
- except xmlrpclib.Fault, e:
- if e.faultCode == 500:
- # It's okay, we just need to make sure the user has an
- # account.
- pass
- else:
- print entry.email,entry.person.human_name
- raise
- server.bugzilla.updatePerms(entry.email, 'add', (bzGroup,),
- BZUSER, BZPASS)
- else:
- print 'Unrecognized action code: %s %s %s %s %s' % (entry.action,
- entry.email, entry.person.human_name, entry.person.username, entry.group.name)
-
- # Remove them from the queue
- session.delete(entry)
- session.flush()
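Review bot: in the final `else:` branch, an entry with an unrecognized `entry.action` is only printed, and as the loop reads it then reaches `session.delete(entry)` like the handled cases, so a queue entry that was never acted on is dropped. If this script lives on elsewhere, that branch should `continue` (or raise) so the entry stays queued. The hard-coded fallback for `BZSERVER` is also a development URL; failing when `bugzilla.url` is missing would be safer than silently talking to a different server.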
diff --git a/configs/system/fas.conf.erb b/configs/system/fas.conf.erb
deleted file mode 100644
index d8a3e05..0000000
--- a/configs/system/fas.conf.erb
+++ /dev/null
@@ -1,78 +0,0 @@
-[global]
-; url - Location to fas server
-url = https://admin.fedoraproject.org/accounts/
-
-; temp - Location to generate files while user creation process is happening
-temp = /var/db
-
-; login - username to contact fas
-login = systems
-
-; password - password for login name
-password = <%= systemsUserPassword %>
-
-; prefix - install to a location other than /
-prefix = /
-
-[host]
-; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
-; so if someone is in all 3, the client behaves the same as if they were just
-; in 'groups'
-
-; groups that should have a shell account on this system.
-<% if groups != "NONE" %>
-groups = <%= groups %>
-<% else %>
-groups = sysadmin-main
-<% end %>
-; groups that should have a restricted account on this system.
-; restricted accounts use the restricted_shell value in [users]
-restricted_groups =
-
-; ssh_restricted_groups: groups that should be restricted by ssh key. You will
-; need to disable password based logins in order for this value to have any
-; security meaning. Group types can be placed here as well, for example
-; @hg,@git,@svn
-<% if sshGroups %>
-ssh_restricted_groups = <%= sshGroups %>
-<% else %>
-ssh_restricted_groups =
-<% end %>
-
-; aliases_template: Gets prepended to the aliases file when it is generated by
-; fasClient
-aliases_template = /etc/aliases.template
-
-[users]
-; default shell given to people in [host] groups
-shell = /bin/bash
-
-; home - the location for fas user home dirs
-home = /home/fedora
-
-; home_backup_dir - Location home dirs should get moved to when a user is
-; deleted this location should be tmpwatched
-home_backup_dir = /home/fedora.bak
-
-; ssh_restricted_app - This is the path to the restricted shell script. It
-; will not work automatically for most people though through alterations it
-; is a powerfull way to restrict access to a machine. An alternative example
-; could be given to people who should only have cvs access on the machine.
-; setting this value to "/usr/bin/cvs server" would do this.
-<% if restrictedApp %>
-ssh_restricted_app = "<%= restrictedApp %>"
-<% else %>
-ssh_restricted_app = "/usr/bin/cvs server"
-<% end %>
-
-; restricted_shell - The shell given to users in the ssh_restricted_groups
-restricted_shell = /sbin/nologin
-
-; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
-ssh_restricted_shell = /bin/bash
-
-; ssh_key_options - Options to be appended to people ssh keys. Users in the
-; ssh_restricted_groups will have the keys they uploaded altered when they are
-; installed on this machine, appended with the options below.
-ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
-
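Review bot: The comment on `restricted_shell` in [users] says it is the shell for users in `ssh_restricted_groups`, which repeats the text used for `ssh_restricted_shell` right after it and contradicts the [host] comment stating that `restricted_groups` accounts use `restricted_shell`. If this template lives on under another path, correct that comment to name `restricted_groups`. The `password = <%= systemsUserPassword %>` line renders the credential in clear text, so whatever installs the rendered file should set an owner and mode that keep it unreadable to ordinary users.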
diff --git a/configs/web/accounts-proxy.conf b/configs/web/accounts-proxy.conf
deleted file mode 100644
index 29c9de6..0000000
--- a/configs/web/accounts-proxy.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# fas1 is the only place for gencert right now
-RewriteRule /accounts/user/gencert http://fas1/accounts/user/gencert [P]
-RewriteRule /accounts/user/dogencert http://fas1/accounts/user/dogencert [P]
-# pass ca requests on needed for CRL
-ProxyPass /ca http://fas1/ca
-ProxyPassReverse /ca http://fas1/ca
-
-#RewriteRule ^/accounts/(.*) balancer://accountsCluster/accounts/$1 [P]
-#RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L]
-
-RewriteRule ^/accounts/(.*) http://localhost:10004/accounts/$1 [P]
-RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L]
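Review bot: The two gencert rules at the top use unanchored patterns (`RewriteRule /accounts/user/gencert ...`), so they match any request path that merely contains that string and proxy it to fas1, whereas the rules at the bottom of the file are anchored with `^`. If these rules are carried over anywhere, anchor them the same way (`^/accounts/user/gencert`, `^/accounts/user/dogencert`). The two commented-out rules in the middle repeat the patterns of the live rules below them and could be dropped or given a comment saying why they are kept.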
diff --git a/configs/web/accounts.fedoraproject.org.conf b/configs/web/accounts.fedoraproject.org.conf
deleted file mode 100644
index 1220803..0000000
--- a/configs/web/accounts.fedoraproject.org.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# proxy1 - 10.8.32.122
-# proxy2 - 10.8.32.121
-# proxy3 - 66.35.62.166
-# proxy4 - 152.46.7.222
-# proxy5 - 80.239.156.215
-
-
-<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80>
- ServerName accounts.fedoraproject.org
- ServerAdmin admin(a)fedoraproject.org
-
- include "conf.d/accounts.fedoraproject.org/*.conf
-</VirtualHost>
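Review bot: The `include "conf.d/accounts.fedoraproject.org/*.conf` line inside the VirtualHost is missing its closing double quote. If this vhost is kept anywhere, close the quote. The five proxy addresses are also written twice, once in the comments and once in the `<VirtualHost ...>` line, so the two lists can drift apart; generating both from one source would avoid that.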
diff --git a/configs/web/accounts.fedoraproject.org/logs.conf b/configs/web/accounts.fedoraproject.org/logs.conf
deleted file mode 100644
index 733e6e3..0000000
--- a/configs/web/accounts.fedoraproject.org/logs.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-access.log.%Y-%m-%d 86400" combined
-ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-error.log.%Y-%m-%d 86400"
diff --git a/configs/web/accounts.fedoraproject.org/redirect.conf b/configs/web/accounts.fedoraproject.org/redirect.conf
deleted file mode 100644
index 1fc6864..0000000
--- a/configs/web/accounts.fedoraproject.org/redirect.conf
+++ /dev/null
@@ -1 +0,0 @@
-Redirect permanent / https://admin.fedoraproject.org/accounts/
diff --git a/configs/web/applications/Makefile.fedora-ca b/configs/web/applications/Makefile.fedora-ca
deleted file mode 100644
index 5da1ea9..0000000
--- a/configs/web/applications/Makefile.fedora-ca
+++ /dev/null
@@ -1,70 +0,0 @@
-# $Id: Makefile,v 1.4 2006/06/20 18:55:37 jmates Exp $
-#
-# NOTE If running OpenSSL 0.9.8a or higher, see -newkey, below.
-#
-# Automates the setup of a custom Certificate Authority and provides
-# routines for signing and revocation of certificates. To use, first
-# customize the commands in this file and the settings in openssl.cnf,
-# then run:
-#
-# make init
-#
-# Then, copy in certificate signing requests, and ensure their suffix is
-# .csr before signing them with the following command:
-#
-# make sign
-#
-# To revoke a key, name the certificate file with the cert option
-# as shown below:
-#
-# make revoke cert=foo.cert
-#
-# This will revoke the certificate and call gencrl; the revocation list
-# will then need to be copied somehow to the various systems that use
-# your CA cert.
-
-requests = *.csr
-
-# remove -batch option if want chance to not certify a particular request
-sign: FORCE
- @openssl ca -batch -config openssl.cnf -days 180 -in $(req) -out $(cert)
-
-revoke:
- @test $${cert:?"usage: make revoke cert=certificate"}
- @openssl ca -config openssl.cnf -revoke $(cert)
- @$(MAKE) gencrl
-
-gencrl:
- @openssl ca -config openssl.cnf -gencrl -out crl/crl.pem
-
-clean:
- -rm ${requests}
-
-# creates required supporting files, CA key and certificate
-init:
- @test ! -f serial
- @mkdir crl newcerts private
- @chmod go-rwx private
- @echo '01' > serial
- @touch index
- # NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
- @openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM
-
-help:
- @echo make sign req=in.csr cert=out.cert
- @echo ' - signs in.csr, outputting to out.cert'
- @echo
- @echo make revoke cert=filename
- @echo ' - revokes certificate in named file and calls gencrl'
- @echo
- @echo make gencrl
- @echo ' - updates Certificate Revocation List (CRL)'
- @echo
- @echo make clean
- @echo ' - removes all *.csr files in this directory'
- @echo
- @echo make init
- @echo ' - required initial setup command for new CA'
-
-# for legacy make support
-FORCE:
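Review bot: The `sign` target runs `openssl ca -batch` with `$(req)` and `$(cert)` but never checks that either is set, unlike `revoke`, which guards with `test $${cert:?...}`; the header comment also still describes signing as a bare `make sign` over .csr files while `help` documents `make sign req=in.csr cert=out.cert`. If this Makefile survives in another location, add the same guard for both variables and bring the header in line with `help`. `init` passes `-nodes`, so the CA private key is written without a passphrase; the header should say so, because file permissions are then the only protection.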
diff --git a/configs/web/applications/accounts-pubring.gpg b/configs/web/applications/accounts-pubring.gpg
deleted file mode 100644
index c75ba2c..0000000
Binary files a/configs/web/applications/accounts-pubring.gpg and /dev/null differ
diff --git a/configs/web/applications/accounts.conf b/configs/web/applications/accounts.conf
deleted file mode 100644
index ad5803a..0000000
--- a/configs/web/applications/accounts.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-Alias /accounts/static /usr/share/fas/static
-Alias /favicon.ico /usr/share/fas/static/favicon.ico
-Alias /accounts/fedora-server-ca.cert /usr/share/fas/static/fedora-server-ca.cert
-Alias /accounts/fedora-upload-ca.cert /usr/share/fas/static/fedora-upload-ca.cert
-# For serving the crl
-Alias /ca /srv/web/ca
-CacheDisable /ca/crl.pem
-AddType application/x-x509-ca-cert cacert.pem
-AddType application/x-x509-crl crl.pem
-
-WSGISocketPrefix run/wsgi
-
-# TG implements its own signal handler.
-WSGIRestrictSignal Off
-
-# These are the real tunables
-WSGIDaemonProcess fas processes=8 threads=2 maximum-requests=50000 user=fas group=fas display-name=fas inactivity-timeout=300
-WSGIPythonOptimize 2
-
-WSGIScriptAlias /accounts /usr/lib/python2.4/site-packages/fas/fas.wsgi/accounts
-
-<Directory /usr/lib/python2.4/site-packages/fas/>
- WSGIProcessGroup fas
- Order deny,allow
- Allow from all
-</Directory>
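Review bot: The `<Directory /usr/lib/python2.4/site-packages/fas/>` block grants `Allow from all` to the whole package directory although only `fas.wsgi` is mapped by `WSGIScriptAlias`. If this configuration is kept, narrow the grant to that one file with a `<Files fas.wsgi>` section inside the Directory block. `Alias /ca /srv/web/ca` has no access block of its own in this file, so a comment stating where access to that directory is granted, and that it should hold only the CRL and CA certificate named in the `AddType` lines, would help the next reader.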
diff --git a/configs/web/applications/certhelper.py b/configs/web/applications/certhelper.py
deleted file mode 100755
index 3c278a8..0000000
--- a/configs/web/applications/certhelper.py
+++ /dev/null
@@ -1,280 +0,0 @@
-#!/usr/bin/python
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Library General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# Copyright 2005 Dan Williams <dcbw(a)redhat.com> and Red Hat, Inc.
-
-
-import sys, os, tempfile
-
-OPENSSL_PROG = '/usr/bin/openssl'
-
-def print_usage(prog):
- print "\nUsage:\n"
- print " %s ca --outdir=<outdir> --name=<name>\n" % prog
- print " %s normal --outdir=<outdir> --name=<name> --cadir=<cadir> --caname=<ca-name>" % prog
- print ""
- print " Types:"
- print " ca - Build system Certificate Authority key & certificate"
- print " normal - Key & certificate that works with the build server and builders"
- print ""
- print "Examples:\n"
- print " %s ca --outdir=/etc/plague/ca --name=my_ca" % prog
- print " %s normal --outdir=/etc/plague/server/certs --name=server --cadir=/etc/plague/ca --caname=my_ca" % prog
- print " %s normal --outdir=/etc/plague/builder/certs --name=builder1 --cadir=/etc/plague/ca --caname=my_ca" % prog
- print "\n"
-
-
-class CertHelperException:
- def __init__(self, message):
- self.message = message
-
-
-class CertHelper:
- def __init__(self, prog, outdir, name):
- self._prog = prog
- self._outdir = outdir
- self._name = name
-
- def dispatch(self, cmd, argslist):
- if cmd.lower() == 'ca':
- self._gencert_ca(argslist)
- elif cmd.lower() == 'normal':
- self._gencert_normal(argslist)
- else:
- print_usage(self._prog)
-
- def _gencert_ca(self, args):
- # Set up CA directory
- if not os.path.exists(self._outdir):
- os.makedirs(self._outdir)
- try:
- os.makedirs(os.path.join(self._outdir, 'certs'))
- os.makedirs(os.path.join(self._outdir, 'crl'))
- os.makedirs(os.path.join(self._outdir, 'newcerts'))
- os.makedirs(os.path.join(self._outdir, 'private'))
- except:
- pass
- cert_db = os.path.join(self._outdir, "index.txt")
- os.system("/bin/touch %s" % cert_db)
- serial = os.path.join(self._outdir, "serial")
- if not os.path.exists(serial):
- os.system("/bin/echo '01' > %s" % serial)
-
- cnf = write_openssl_cnf(self._outdir, self._name, {})
-
- # Create the CA key
- key_file = os.path.join(self._outdir, "private", "cakey.pem")
- cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file)
- if os.system(cmd) != 0:
- raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
-
- # Make the self-signed CA certificate
- cert_file = os.path.join(self._outdir, "%s_ca_cert.pem" % self._name)
- cmd = "%s req -config %s -new -x509 -days 3650 -key %s -out %s -extensions v3_ca" % (OPENSSL_PROG, cnf, key_file, cert_file)
- if os.system(cmd) != 0:
- raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
-
- os.remove(cnf)
- print "Success. Your Certificate Authority directory is: %s\n" % self._outdir
-
- def _gencert_normal(self, args):
- cadir = argfind(args, 'cadir')
- if not cadir:
- print_usage(self._prog)
- sys.exit(1)
- caname = argfind(args, 'caname')
- if not caname:
- print_usage(self._prog)
- sys.exit(1)
-
- cnf = write_openssl_cnf(cadir, caname, {})
-
- # Generate key
- key_file = os.path.join(self._outdir, "%s_key.pem" % self._name)
- cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file)
- if os.system(cmd) != 0:
- raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
- print ""
-
- # Generate the certificate request
- req_file = os.path.join(self._outdir, "%s_req.pem" % self._name)
- cmd = '%s req -config %s -new -nodes -out %s -key %s' % (OPENSSL_PROG, cnf, req_file, key_file)
- if os.system(cmd) != 0:
- raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
- print ""
-
- # Sign the request with the CA's certificate and key
- cert_file = os.path.join(self._outdir, "%s_cert.pem" % self._name)
- cmd = '%s ca -config %s -days 3650 -out %s -infiles %s' % (OPENSSL_PROG, cnf, cert_file, req_file)
- if os.system(cmd) != 0:
- raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
- print ""
-
- # Cat the normal cert and key together
- key_and_cert = os.path.join(self._outdir, "%s_key_and_cert.pem" % self._name)
- cmd = '/bin/cat %s %s > %s' % (key_file, cert_file, key_and_cert)
- if os.system(cmd) != 0:
- raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
-
- # Cleanup: remove the cert, key, and request files
- cmd = "/bin/rm -f %s %s %s" % (key_file, req_file, cert_file)
- if os.system(cmd) != 0:
- raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
-
- os.remove(cnf)
- print "Success. Your certificate and key file is: %s\n" % key_and_cert
-
-
-def write_openssl_cnf(home, ca_name, opt_dict):
- (fd, name) = tempfile.mkstemp('', 'openssl_cnf_', dir=None, text=True)
- os.write(fd, """
-##############################
-HOME = %s
-RANDFILE = .rand
-
-##############################
-[ ca ]
-default_ca = CA_default\n
-
-##############################
-[ CA_default ]
-
-dir = $HOME
-certs = $dir/certs
-crl_dir = $dir/crl
-database = $dir/index.txt
-new_certs_dir = $dir/newcerts
-
-certificate = $dir/cacert.pem
-private_key = $dir/private/cakey.pem
-serial = $dir/serial
-crl = $dir/crl.pem
-
-x509_extensions = usr_cert
-
-name_opt = ca_default
-cert_opt = ca_default
-
-default_days = 3650
-default_crl_days= 30
-default_md = md5
-preserve = no
-
-policy = policy_match
-
-[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-##############################
-[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-string_mask = MASK:0x2002
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = US
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = North Carolina
-
-localityName = Locality Name (eg, city)
-localityName_default = Raleigh
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Fedora Project
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_max = 64
-
-[ req_attributes ]
-challengePassword = A challenge password
-challengePassword_min = 4
-challengePassword_max = 20
-
-unstructuredName = An optional company name
-
-##############################
-[ usr_cert ]
-
-basicConstraints=CA:FALSE
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-##############################
-[ v3_ca ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true
-
-""" % (home))
-
- return name
-
-def argfind(arglist, prefix):
- val = None
- for arg in arglist:
- if arg.startswith('--%s=' % prefix):
- val = arg
- break
- if not val:
- return None
- val = val.replace('--%s=' % prefix, '')
- return val
-
-if __name__ == '__main__':
- prog = sys.argv[0]
- if len(sys.argv) < 3:
- print_usage(prog)
- sys.exit(1)
-
- outdir = argfind(sys.argv, 'outdir')
- if not outdir:
- print_usage(prog)
- sys.exit(1)
-
- name = argfind(sys.argv, 'name')
- if not name:
- print_usage(prog)
- sys.exit(1)
-
- ch = CertHelper(prog, outdir, name)
- try:
- ch.dispatch(sys.argv[1], sys.argv)
- except CertHelperException, e:
- print e.message
- sys.exit(1)
-
- sys.exit(0)
-
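Review bot: Every openssl, touch, echo, cat and rm invocation in `_gencert_ca` and `_gencert_normal` goes through `os.system` with the `--outdir`, `--name` and `--cadir` values interpolated unquoted into the command string, so a path containing a space or shell metacharacter breaks or changes the command. If the helper is kept anywhere, pass an argument list to `subprocess.call` and use `os.remove` and ordinary file writes for the file operations. Further points in the same file: the embedded configuration sets `default_md = md5` and `default_bits = 1024`; `_gencert_ca` writes `<name>_ca_cert.pem` while `[ CA_default ]` points `certificate` at `$dir/cacert.pem`, so the signing step will not find the CA certificate unless it is renamed by hand; `CertHelperException` does not derive from `Exception`; the bare `except: pass` around `os.makedirs` hides real failures; and `write_openssl_cnf` never closes the descriptor returned by `mkstemp`.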
diff --git a/configs/web/applications/fas-log.cfg b/configs/web/applications/fas-log.cfg
deleted file mode 100644
index 3f7843d..0000000
--- a/configs/web/applications/fas-log.cfg
+++ /dev/null
@@ -1,29 +0,0 @@
-# LOGGING
-# Logging is often deployment specific, but some handlers and
-# formatters can be defined here.
-
-[logging]
-[[formatters]]
-[[[message_only]]]
-format='*(message)s'
-
-[[[full_content]]]
-format='*(name)s *(levelname)s *(message)s'
-
-[[handlers]]
-[[[debug_out]]]
-class='StreamHandler'
-level='DEBUG'
-args='(sys.stdout,)'
-formatter='full_content'
-
-[[[access_out]]]
-class='StreamHandler'
-level='INFO'
-args='(sys.stdout,)'
-formatter='message_only'
-
-[[[error_out]]]
-class='StreamHandler'
-level='ERROR'
-args='(sys.stdout,)'
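Review bot: The `error_out` handler at the end has no `formatter` line, unlike `debug_out` and `access_out`. If this file is retained, add `formatter='full_content'` so error records carry the logger name and level.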
diff --git a/configs/web/applications/fas-prod.cfg.erb b/configs/web/applications/fas-prod.cfg.erb
deleted file mode 100644
index fa85c4a..0000000
--- a/configs/web/applications/fas-prod.cfg.erb
+++ /dev/null
@@ -1,163 +0,0 @@
-[global]
-samadhi.baseurl = 'https://admin.fedoraproject.org/'
-
-admingroup = 'accounts'
-systemgroup = 'fas-system'
-thirdpartygroup = 'thirdparty'
-
-theme = 'fas'
-
-accounts_email = "accounts(a)fedoraproject.org"
-legal_cla_email = "legal-cla-archive(a)fedoraproject.org"
-
-email_host = "fedoraproject.org" # as in, web-members@email_host
-
-gpgexec = "/usr/bin/gpg"
-gpghome = "/etc/fas-gpg"
-gpg_fingerprint = "7662 A6D3 4F21 A653 7BD4 BA64 20A0 8C45 4A0E 6255"
-gpg_passphrase = "<%= fasGpgPassphrase %>"
-gpg_keyserver = "hkp://subkeys.pgp.net"
-
-cla_done_group = "cla_done"
-cla_fedora_group = "cla_fedora"
-
-privileged_view_groups = "(^fas-.*)"
-username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,bin,board,bodhi2,canna,chair,chairman,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,famsco,fax,fedora,fedorarewards,fesco,freemedia,ftp,ftpadm,ftpadmin,games,gdm,gopher,gregdek,halt,hostmaster,ident,info,ingres,jaboutboul,jan,keys,ldap,legal,logo,lp,mail,mailnull,manager,marketing,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,nrpe,nscd,ntp,nut,openvideo,operator,packager,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,root,rpc,rpcuser,rpm,sales,scholarship,secalert,security,shutdown,smmsp,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
-
-openidstore = "/var/tmp/fas/openid"
-
-# Enable or disable generation of SSL certificates for users
-gencert = <%= genCert %>
-
-makeexec = "/usr/bin/make"
-openssl_lockdir = "/var/lock/fedora-ca"
-openssl_digest = "md5"
-openssl_expire = 15552000 # 60*60*24*180 = 6 months
-openssl_ca_dir = "/var/lib/fedora-ca"
-openssl_ca_newcerts = "/var/lib/fedora-ca/newcerts"
-openssl_ca_index = "/var/lib/fedora-ca/index.txt"
-openssl_c = "US"
-openssl_st = "North Carolina"
-openssl_l = "Raleigh"
-openssl_o = "Fedora Project"
-openssl_ou = "Fedora User Cert"
-
-# Groups that automatically grant membership to other groups
-# Format: 'group1:a,b,c|group2:d,e,f'
-auto_approve_groups = 'packager:fedorabugs|cla_fedora:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done'
-
-# This is where all of your settings go for your development environment
-# Settings that are the same for both development and production
-# (such as template engine, encodings, etc.) all go in
-# fas/config/app.cfg
-
-mail.on = True
-mail.server = 'bastion'
-#mail.testmode = True
-mail.debug = False
-mail.encoding = 'utf-8'
-
-# DATABASE
-
-# pick the form for your database
-# sqlobject.dburi="postgres://username@hostname/databasename"
-# sqlobject.dburi="mysql://username:password@hostname:port/databasename"
-# sqlobject.dburi="sqlite:///file_name_and_path"
-
-# If you have sqlite, here's a simple default to get you started
-# in development
-sqlalchemy.dburi="postgres://fas:<%= fasDbPassword %>@db2/fas2"
-sqlalchemy.echo=False
-
-# if you are using a database or table type without transactions
-# (MySQL default, for example), you should turn off transactions
-# by prepending notrans_ on the uri
-# sqlobject.dburi="notrans_mysql://username:password@hostname:port/databasename"
-
-# for Windows users, sqlite URIs look like:
-# sqlobject.dburi="sqlite:///drive_letter:/path/to/file"
-
-# SERVER
-
-# Some server parameters that you may want to tweak
-server.socket_port=8088
-server.thread_pool=50
-server.socket_queue_size=30
-
-# FAS2 is mmuch busier than other servers due to serving visit and auth via
-# JSON.
-# Double pool_size
-#sqlalchemy.pool_size=10
-# And increase overflow above what other servers have
-#sqlalchemy.max_overflow=25
-# When using wsgi, we want the pool to be very low (as a separate instance is
-# run in each apache mod_wsgi thread. So each one is going to have very few
-# concurrent db connections.
-sqlalchemy.pool_size=1
-sqlalchemy.max_overflow=2
-
-# Enable the debug output at the end on pages.
-# log_debug_info_filter.on = False
-
-server.environment="production"
-autoreload.package="fas"
-
-session_filter.on = True
-
-# Set to True if you'd like to abort execution if a controller gets an
-# unexpected parameter. False by default
-tg.strict_parameters = True
-tg.ignore_parameters = ["_csrf_token"]
-
-server.webpath='/accounts'
-base_url_filter.on = True
-base_url_filter.use_x_forwarded_host = True
-base_url_filter.base_url = "https://admin.fedoraproject.org"
-
-# Make the session cookie only return to the host over an SSL link
-visit.cookie.secure = True
-session_filter.cookie_secure = True
-
-[/fedora-server-ca.cert]
-static_filter.on = True
-static_filter.file = "/etc/pki/fas/fedora-server-ca.cert"
-
-[/fedora-upload-ca.cert]
-static_filter.on = True
-static_filter.file = "/etc/pki/fas/fedora-upload-ca.cert"
-
-# LOGGING
-# Logging configuration generally follows the style of the standard
-# Python logging module configuration. Note that when specifying
-# log format messages, you need to use *() for formatting variables.
-# Deployment independent log configuration is in fas/config/log.cfg
-[logging]
-
-[[loggers]]
-[[[fas]]]
-level='DEBUG'
-qualname='fas'
-handlers=['debug_out']
-
-[[[allinfo]]]
-level='INFO'
-handlers=['debug_out']
-
-#[[[access]]]
-#level='INFO'
-#qualname='turbogears.access'
-#handlers=['access_out']
-#propagate=0
-
-[[[identity]]]
-level='INFO'
-qualname='turbogears.identity'
-handlers=['access_out']
-propagate=0
-
-[[[database]]]
-# Set to INFO to make SQLAlchemy display SQL commands
-level='ERROR'
-qualname='sqlalchemy.engine'
-handlers=['debug_out']
-propagate=0
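Review bot: `openssl_digest = "md5"` in the certificate settings means user certificates are signed with MD5. If this template continues to exist under another path, move it to a SHA-2 digest. The file also renders `gpg_passphrase` and the database password inside `sqlalchemy.dburi` in clear text, so whatever installs it should restrict the rendered file to the fas user. Two smaller points: the `[[[fas]]]` logger is left at `level='DEBUG'` although `server.environment` is "production", and the comment "This is where all of your settings go for your development environment" is stale in a production template.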
diff --git a/configs/web/applications/fas.wsgi b/configs/web/applications/fas.wsgi
deleted file mode 100644
index 865cc08..0000000
--- a/configs/web/applications/fas.wsgi
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/python
-import sys
-sys.path.append('/usr/lib/python2.4/site-packages/fas/')
-sys.stdout = sys.stderr
-
-import pkg_resources
-pkg_resources.require('CherryPy <= 3.0alpha')
-
-import os
-os.environ['PYTHON_EGG_CACHE'] = '/var/www/.python-eggs'
-
-import atexit
-import cherrypy
-import cherrypy._cpwsgi
-import turbogears
-import turbogears.startup
-from formencode.variabledecode import NestedVariables
-import fedora.tg.util
-
-class MyNestedVariablesFilter(object):
- def before_main(self):
- if hasattr(cherrypy.request, "params"):
- cherrypy.request.params_backup = cherrypy.request.params
- cherrypy.request.params = \
- NestedVariables.to_python(cherrypy.request.params or {})
-
-turbogears.startup.NestedVariablesFilter = MyNestedVariablesFilter
-
-turbogears.update_config(configfile="/etc/fas.cfg", modulename="fas.config")
-turbogears.config.update({'global': {'server.environment': 'production'}})
-turbogears.config.update({'global': {'autoreload.on': False}})
-turbogears.config.update({'global': {'server.log_to_screen': False}})
-turbogears.config.update({'global': {'server.webpath': '/accounts'}})
-turbogears.config.update({'global': {'base_url_filter.on': True}})
-turbogears.config.update({'global': {'base_url_filter.base_url': 'https://admin.fedoraproject.org'}})
-#turbogears.config.update({'global': {'sqlalchemy.recycle': '10'}})
-
-turbogears.startup.call_on_startup.append(fedora.tg.util.enable_csrf)
-
-import fas.controllers
-
-cherrypy.root = fas.controllers.Root()
-
-if cherrypy.server.state == 0:
- atexit.register(cherrypy.server.stop)
- cherrypy.server.start(init_only=True, server_class=None)
-
-def application(environ, start_response):
- environ['SCRIPT_NAME'] = ''
- return cherrypy._cpwsgi.wsgiApp(environ, start_response)
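Review bot: The run of `turbogears.config.update` calls after `update_config(configfile="/etc/fas.cfg", ...)` hard-codes `server.environment`, `server.webpath` and the `base_url_filter.*` keys, so whatever /etc/fas.cfg sets for them is silently overridden. If the script is kept, either drop the overrides or add a comment saying why they are forced here. `sys.stdout = sys.stderr` and the `CherryPy <= 3.0alpha` requirement would each benefit from a one-line comment explaining the reason.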
diff --git a/configs/web/applications/fedora-ca-client-openssl.cnf b/configs/web/applications/fedora-ca-client-openssl.cnf
deleted file mode 100644
index 5c3bb15..0000000
--- a/configs/web/applications/fedora-ca-client-openssl.cnf
+++ /dev/null
@@ -1,317 +0,0 @@
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-RANDFILE = /var/lib/fedora-ca/.rnd
-
-# Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca' and 'req'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = . # Where everything is kept
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-#unique_subject = no # Set to 'no' to allow creation of
- # several ctificates with same subject.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crlnumber = $dir/crlnumber # the current crl number
- # must be commented out to leave a V1 CRL
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem # The private key
-RANDFILE = $dir/private/.rand # private random number file
-
-x509_extensions = usr_cert # The extentions to add to the cert
-
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-
-# Extension copying option: use with caution.
-# copy_extensions = copy
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = sha1 # which md to use.
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_match
-
-# For the CA policy
-[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_md = sha1
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-# we use PrintableString+UTF8String mask so if pure ASCII texts are used
-# the resulting certificates are compatible with Netscape
-string_mask = MASK:0x2002
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = US
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = North Carolina
-
-localityName = Locality Name (eg, city)
-localityName_default = Raleigh
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Fedora Project
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_max = 64
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-#challengePassword = A challenge password
-#challengePassword_min = 0
-#challengePassword_max = 20
-
-unstructuredName = An optional company name
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-
-# Extensions for a typical CA
-
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer:always
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
-
-[ proxy_cert_ext ]
-# These extensions should be added when creating a proxy certificate
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This really needs to be in place for it to be a proxy certificate.
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/configs/web/fas.fedoraproject.org.conf b/configs/web/fas.fedoraproject.org.conf
deleted file mode 100644
index 7db2e97..0000000
--- a/configs/web/fas.fedoraproject.org.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# proxy1 - 10.8.32.122
-# proxy2 - 10.8.32.121
-# proxy3 - 66.35.62.166
-# proxy4 - 152.46.7.222
-# proxy5 - 80.239.156.215
-
-
-<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80>
- ServerName fas.fedoraproject.org
- ServerAdmin admin(a)fedoraproject.org
-
- include "conf.d/fas.fedoraproject.org/*.conf
-</VirtualHost>
diff --git a/configs/web/fas.fedoraproject.org/logs.conf b/configs/web/fas.fedoraproject.org/logs.conf
deleted file mode 100644
index 9195af7..0000000
--- a/configs/web/fas.fedoraproject.org/logs.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-access.log.%Y-%m-%d 86400" combined
-ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-error.log.%Y-%m-%d 86400"
diff --git a/configs/web/fas.fedoraproject.org/redirect.conf b/configs/web/fas.fedoraproject.org/redirect.conf
deleted file mode 100644
index 1fc6864..0000000
--- a/configs/web/fas.fedoraproject.org/redirect.conf
+++ /dev/null
@@ -1 +0,0 @@
-Redirect permanent / https://admin.fedoraproject.org/accounts/
diff --git a/manifests/services/fas.pp b/manifests/services/fas.pp
deleted file mode 100644
index 3ae09e3..0000000
--- a/manifests/services/fas.pp
+++ /dev/null
@@ -1,292 +0,0 @@
-# Fedora Account System
-class fas {
- include fas-clients-package
- include python-fedora-package
-
- if $groups {
- $notGroup = ''
- } else {
- $groups = 'sysadmin-main'
- }
- if $sshGroups {
- $notSshGroup = ''
- } else {
- $sshGroups = ''
- }
- if $restrictedApp {
- $notRestrictedApp = ''
- } else {
- $restrictedApp = '/usr/bin/cvs server'
- }
-
- configfile { "/etc/nsswitch.conf":
- source => "fas/nsswitch.conf"
- }
- templatefile { '/etc/fas.conf':
- content => template('system/fas.conf.erb'),
- mode => '0600',
-
- }
-# exec { 'make-accounts':
-# command => '/usr/bin/fasClient -e; /usr/bin/fasClient -i',
-# subscribe => Templatefile['/etc/fas.conf'],
-# require => Package['fas-clients'],
-# refreshonly => true
-# }
- configfile { '/etc/cron.d/fasSync':
- source => 'fas/fasSync',
- require => Package[fas-clients],
- }
- file { "/root/bin/":
- ensure => directory,
- }
- cert { '/etc/sudoers':
- source => "secure/sudoers"
- }
-}
-
-class fas-proxy inherits httpd {
- apachefile { "/etc/httpd/conf.d/admin.fedoraproject.org/accounts.conf":
- source => 'web/accounts-proxy.conf'
- }
-
- apachefile { '/etc/httpd/conf.d/fas.fedoraproject.org.conf':
- source => 'web/fas.fedoraproject.org.conf',
- }
-
- apachefile { '/etc/httpd/conf.d/fas.fedoraproject.org/':
- source => 'web/fas.fedoraproject.org/',
- recurse => true
- }
-
- apachefile { '/etc/httpd/conf.d/accounts.fedoraproject.org.conf':
- source => 'web/accounts.fedoraproject.org.conf',
- }
-
- apachefile { '/etc/httpd/conf.d/accounts.fedoraproject.org/':
- source => 'web/accounts.fedoraproject.org/',
- recurse => true
- }
-
-}
-
-class fas-server-base inherits turbogears {
- $bugzillaUser='fedora-admin-xmlrpc(a)redhat.com'
- include httpd
- include mod_wsgi::module
-
- package { fas:
- ensure => present,
- }
-
- package { fas-plugin-asterisk:
- ensure => present,
- }
-
- ### HACK: Need to solve this better later
- apachefile { '/usr/lib/python2.4/site-packages/fas/fas.wsgi':
- source => 'web/applications/fas.wsgi',
- require => Package['mod_wsgi']
- }
-
- file { '/var/www/.python-eggs':
- ensure => directory,
- mode => '0700',
- owner => 'apache'
- }
-
- file { '/etc/fas-gpg':
- ensure => directory,
- mode => '0700',
- owner => 'fas',
- group => 'fas',
- }
-
- cert { '/etc/fas-gpg/secring.gpg':
- source => 'secure/accounts-secring.gpg',
- owner => 'fas',
- group => 'fas',
- mode => 600,
- require => File['/etc/fas-gpg']
- }
-
- file { '/etc/fas-gpg/pubring.gpg':
- owner => 'fas',
- group => 'fas',
- mode => 600,
- replace => false,
- ensure => file,
- source => 'puppet:///config/web/applications/accounts-pubring.gpg',
- }
-
- apachefile { '/etc/httpd/conf.d/accounts.conf':
- source => 'web/applications/accounts.conf',
- require => Package['mod_wsgi']
- }
-
- file { '/etc/pki/fas':
- ensure => directory,
- mode => '0700',
- owner => 'fas',
- group => 'fas',
- }
- # These are both public certs so there's no reason to hide them
- configfile { '/etc/pki/fas/fedora-server-ca.cert':
- source => 'secure/fedora-ca.cert',
- }
-
- configfile { '/etc/pki/fas/fedora-upload-ca.cert':
- source => 'secure/fedora-ca.cert',
- }
-
- templatefile { '/etc/export-bugzilla.cfg':
- content => template('system/export-bugzilla.cfg.erb'),
- owner => 'fas',
- # Contains passwords so it needs to be restricted
- mode => '0640'
- }
-
- # Note: This will move into the fas rpm soon
- script { "/usr/local/bin/export-bugzilla.py":
- source => "system/export-bugzilla.py",
- mode => 0755
- }
- cert { '/usr/share/fas/static/fedora-server-ca.cert':
- source => 'secure/fedora-ca.cert',
- owner => 'apache',
- group => 'sysadmin-main',
- mode => '0440'
- }
-
- cert { '/usr/share/fas/static/fedora-upload-ca.cert':
- source => 'secure/fedora-ca.cert',
- owner => 'apache',
- group => 'sysadmin-main',
- mode => '0440'
- }
-
- configfile { '/usr/lib/python2.4/site-packages/fas/config/log.cfg':
- source => 'web/applications/fas-log.cfg',
- owner => 'root',
- group => 'root',
- notify => Service['httpd'],
- require => Package['httpd'],
- mode => '0644'
- }
-}
-
-class fas-server inherits fas-server-base {
-
- $genCert = 'False'
- templatefile { '/etc/fas.cfg':
- content => template('web/applications/fas-prod.cfg.erb'),
- owner => 'fas',
- group => 'apache',
- notify => Service['httpd'],
- require => Package['httpd'],
- mode => '640'
- }
-
-}
-
-class fas-server-gencert inherits fas-server-base {
-
- $genCert = 'True'
- templatefile { '/etc/fas.cfg':
- content => template('web/applications/fas-prod.cfg.erb'),
- owner => 'fas',
- group => 'apache',
- notify => Service['httpd'],
- require => Package['httpd'],
- mode => '640'
- }
-
- # These should be created by the fas package later
- file { '/var/lock/fedora-ca':
- ensure => directory,
- mode => '0700',
- owner => 'fas',
- group => 'fas',
- require => Package[fas],
- }
-
- file { '/var/lib/fedora-ca':
- ensure => directory,
- mode => '0771',
- owner => 'fas',
- group => 'sysadmin-main',
- require => Package[fas],
- }
-
- file { '/var/lib/fedora-ca/newcerts':
- ensure => directory,
- mode => '0770',
- owner => 'fas',
- group => 'sysadmin-main',
- require => Package[fas],
- }
-
- file { '/var/lib/fedora-ca/private':
- ensure => directory,
- mode => '0750',
- owner => 'fas',
- group => 'sysadmin-main'
- }
-
- # For publishing the crl
- file { '/srv/web/ca':
- ensure => directory,
- mode => '0755',
- owner => 'apache',
- group => 'apache'
- }
-
- configfile { '/var/lib/fedora-ca/Makefile':
- source => 'web/applications/Makefile.fedora-ca',
- mode => '0644'
- }
-
- configfile { '/var/lib/fedora-ca/openssl.cnf':
- source => 'web/applications/fedora-ca-client-openssl.cnf',
- mode => '0644'
- }
-
- script { '/var/lib/fedora-ca/certhelper.py':
- source => 'web/applications/certhelper.py',
- mode => '0750',
- owner => 'root',
- group => 'sysadmin-main'
- }
-
-
- # Public keys don't need restrictive permissions
- configfile { '/var/lib/fedora-ca/cacert.pem':
- source => 'secure/fedora-ca.cert',
- mode => '0444'
- }
-
- # First of every month, force a new crl to be created
- cron { gen-crl:
- command => "cd /var/lib/fedora-ca ; /usr/bin/make gencrl &> /dev/null",
- user => "apache",
- minute => 0,
- hour => 0,
- monthday => [ 1, 15 ],
- }
-
- symlink { '/srv/web/ca/crl.pem':
- ensure => '/var/lib/fedora-ca/crl/crl.pem'
- }
-}
-
-# Note: path will change when it moves into the fas rpm
-class fas-no-balance {
- cron { export-bugzilla:
- command => "/usr/local/bin/export-bugzilla.py fedorabugs fedora_contrib",
- user => "fas",
- minute => 10,
- ensure => present,
- require => Package['fas'],
- environment => "MAILTO=root"
- }
-}
commit a5c86d8ecd5cb5aa373a9dd608bb20eb6aaf8a74
Author: Mike McGrath <mmcgrath(a)redhat.com>
Date: Wed Apr 8 19:52:34 2009 +0000
Added fas module
diff --git a/modules/fas/README b/modules/fas/README
new file mode 100644
index 0000000..59b50b3
--- /dev/null
+++ b/modules/fas/README
@@ -0,0 +1,10 @@
+FAS Fedora Account System
+------------------------
+
+The Fedora Account System is a web application that manages the accounts of
+Fedora Project Contributors. It's built in TurboGears and comes with a json
+API for querying against remotely.
+
+The python-fedora-infrastructure package has a TurboGears identity provider
+that works with the Account System.
+
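Review bot: the README describes the FAS web application but says nothing about the Puppet module it now sits in. Add a short section naming the classes the module provides and the host roles they apply to (for example that certificate generation is served only from fas1, as accounts-proxy.conf in this patch notes), so the module can be used without reading the manifest.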
diff --git a/modules/fas/files/Makefile.fedora-ca b/modules/fas/files/Makefile.fedora-ca
new file mode 100644
index 0000000..5da1ea9
--- /dev/null
+++ b/modules/fas/files/Makefile.fedora-ca
@@ -0,0 +1,70 @@
+# $Id: Makefile,v 1.4 2006/06/20 18:55:37 jmates Exp $
+#
+# NOTE If running OpenSSL 0.9.8a or higher, see -newkey, below.
+#
+# Automates the setup of a custom Certificate Authority and provides
+# routines for signing and revocation of certificates. To use, first
+# customize the commands in this file and the settings in openssl.cnf,
+# then run:
+#
+# make init
+#
+# Then, copy in certificate signing requests, and ensure their suffix is
+# .csr before signing them with the following command:
+#
+# make sign
+#
+# To revoke a key, name the certificate file with the cert option
+# as shown below:
+#
+# make revoke cert=foo.cert
+#
+# This will revoke the certificate and call gencrl; the revocation list
+# will then need to be copied somehow to the various systems that use
+# your CA cert.
+
+requests = *.csr
+
+# remove -batch option if want chance to not certify a particular request
+sign: FORCE
+ @openssl ca -batch -config openssl.cnf -days 180 -in $(req) -out $(cert)
+
+revoke:
+ @test $${cert:?"usage: make revoke cert=certificate"}
+ @openssl ca -config openssl.cnf -revoke $(cert)
+ @$(MAKE) gencrl
+
+gencrl:
+ @openssl ca -config openssl.cnf -gencrl -out crl/crl.pem
+
+clean:
+ -rm ${requests}
+
+# creates required supporting files, CA key and certificate
+init:
+ @test ! -f serial
+ @mkdir crl newcerts private
+ @chmod go-rwx private
+ @echo '01' > serial
+ @touch index
+ # NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
+ @openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM
+
+help:
+ @echo make sign req=in.csr cert=out.cert
+ @echo ' - signs in.csr, outputting to out.cert'
+ @echo
+ @echo make revoke cert=filename
+ @echo ' - revokes certificate in named file and calls gencrl'
+ @echo
+ @echo make gencrl
+ @echo ' - updates Certificate Revocation List (CRL)'
+ @echo
+ @echo make clean
+ @echo ' - removes all *.csr files in this directory'
+ @echo
+ @echo make init
+ @echo ' - required initial setup command for new CA'
+
+# for legacy make support
+FORCE:
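Review bot: the init target does not match the openssl.cnf added in this same patch. init runs `touch index` and writes the CA certificate to ca-cert.pem, while the visible part of fedora-ca-client-openssl.cnf sets `database = $dir/index.txt` and `certificate = $dir/cacert.pem`, so a CA created with `make init` would not have the files `openssl ca` is configured to read. Align the names on one side. Separately, the sign target passes $(req) and $(cert) to `openssl ca -batch` without the guard that revoke has; adding the same `test $${req:?...}` style check makes an empty variable fail with a usage message instead of an openssl error.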
diff --git a/modules/fas/files/accounts-proxy.conf b/modules/fas/files/accounts-proxy.conf
new file mode 100644
index 0000000..7a729e4
--- /dev/null
+++ b/modules/fas/files/accounts-proxy.conf
@@ -0,0 +1,11 @@
+# fas1 is the only place for gencert right now
+RewriteRule /accounts/user/gencert http://fas1/accounts/user/gencert [P]
+# pass ca requests on needed for CRL
+ProxyPass /ca http://fas1/ca
+ProxyPassReverse /ca http://fas1/ca
+
+#RewriteRule ^/accounts/(.*) balancer://accountsCluster/accounts/$1 [P]
+#RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L]
+
+RewriteRule ^/accounts/(.*) http://localhost:10004/accounts/$1 [P]
+RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L]
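Review bot: the first RewriteRule pattern, `/accounts/user/gencert`, has no `^` anchor, so it matches any request path that contains that string, unlike the `^/accounts/(.*)` rules further down. Anchor it as `^/accounts/user/gencert` so only the intended URL is proxied to fas1. The two commented-out balancer rules should either be removed or get a comment saying when they are expected to come back.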
diff --git a/modules/fas/files/accounts-pubring.gpg b/modules/fas/files/accounts-pubring.gpg
new file mode 100644
index 0000000..c75ba2c
Binary files /dev/null and b/modules/fas/files/accounts-pubring.gpg differ
diff --git a/modules/fas/files/accounts.conf b/modules/fas/files/accounts.conf
new file mode 100644
index 0000000..ad5803a
--- /dev/null
+++ b/modules/fas/files/accounts.conf
@@ -0,0 +1,26 @@
+Alias /accounts/static /usr/share/fas/static
+Alias /favicon.ico /usr/share/fas/static/favicon.ico
+Alias /accounts/fedora-server-ca.cert /usr/share/fas/static/fedora-server-ca.cert
+Alias /accounts/fedora-upload-ca.cert /usr/share/fas/static/fedora-upload-ca.cert
+# For serving the crl
+Alias /ca /srv/web/ca
+CacheDisable /ca/crl.pem
+AddType application/x-x509-ca-cert cacert.pem
+AddType application/x-x509-crl crl.pem
+
+WSGISocketPrefix run/wsgi
+
+# TG implements its own signal handler.
+WSGIRestrictSignal Off
+
+# These are the real tunables
+WSGIDaemonProcess fas processes=8 threads=2 maximum-requests=50000 user=fas group=fas display-name=fas inactivity-timeout=300
+WSGIPythonOptimize 2
+
+WSGIScriptAlias /accounts /usr/lib/python2.4/site-packages/fas/fas.wsgi/accounts
+
+<Directory /usr/lib/python2.4/site-packages/fas/>
+ WSGIProcessGroup fas
+ Order deny,allow
+ Allow from all
+</Directory>
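Review bot: the `<Directory /usr/lib/python2.4/site-packages/fas/>` block applies `Allow from all` to the whole package directory, although only fas.wsgi has to be reachable through WSGIScriptAlias. Wrapping the access rules in a `<Files fas.wsgi>` section inside that block keeps the rest of the tree out of scope. `Alias /ca /srv/web/ca` has no Directory block in this file, so it depends on access rules defined elsewhere; either add the block here or say so in the comment above it.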
diff --git a/modules/fas/files/accounts.fedoraproject.org.conf b/modules/fas/files/accounts.fedoraproject.org.conf
new file mode 100644
index 0000000..1220803
--- /dev/null
+++ b/modules/fas/files/accounts.fedoraproject.org.conf
@@ -0,0 +1,13 @@
+# proxy1 - 10.8.32.122
+# proxy2 - 10.8.32.121
+# proxy3 - 66.35.62.166
+# proxy4 - 152.46.7.222
+# proxy5 - 80.239.156.215
+
+
+<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80>
+ ServerName accounts.fedoraproject.org
+ ServerAdmin admin(a)fedoraproject.org
+
+ include "conf.d/accounts.fedoraproject.org/*.conf
+</VirtualHost>
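Review bot: the include line opens a double quote that is never closed: `include "conf.d/accounts.fedoraproject.org/*.conf`. Add the closing quote, or drop the quotes, so the directive does not depend on how the parser treats an unterminated string.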
diff --git a/modules/fas/files/accounts.fedoraproject.org/logs.conf b/modules/fas/files/accounts.fedoraproject.org/logs.conf
new file mode 100644
index 0000000..733e6e3
--- /dev/null
+++ b/modules/fas/files/accounts.fedoraproject.org/logs.conf
@@ -0,0 +1,2 @@
+CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-access.log.%Y-%m-%d 86400" combined
+ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-error.log.%Y-%m-%d 86400"
diff --git a/modules/fas/files/accounts.fedoraproject.org/redirect.conf b/modules/fas/files/accounts.fedoraproject.org/redirect.conf
new file mode 100644
index 0000000..1fc6864
--- /dev/null
+++ b/modules/fas/files/accounts.fedoraproject.org/redirect.conf
@@ -0,0 +1 @@
+Redirect permanent / https://admin.fedoraproject.org/accounts/
diff --git a/modules/fas/files/certhelper.py b/modules/fas/files/certhelper.py
new file mode 100755
index 0000000..3c278a8
--- /dev/null
+++ b/modules/fas/files/certhelper.py
@@ -0,0 +1,280 @@
+#!/usr/bin/python
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Library General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Copyright 2005 Dan Williams <dcbw(a)redhat.com> and Red Hat, Inc.
+
+
+import sys, os, tempfile
+
+OPENSSL_PROG = '/usr/bin/openssl'
+
+def print_usage(prog):
+ print "\nUsage:\n"
+ print " %s ca --outdir=<outdir> --name=<name>\n" % prog
+ print " %s normal --outdir=<outdir> --name=<name> --cadir=<cadir> --caname=<ca-name>" % prog
+ print ""
+ print " Types:"
+ print " ca - Build system Certificate Authority key & certificate"
+ print " normal - Key & certificate that works with the build server and builders"
+ print ""
+ print "Examples:\n"
+ print " %s ca --outdir=/etc/plague/ca --name=my_ca" % prog
+ print " %s normal --outdir=/etc/plague/server/certs --name=server --cadir=/etc/plague/ca --caname=my_ca" % prog
+ print " %s normal --outdir=/etc/plague/builder/certs --name=builder1 --cadir=/etc/plague/ca --caname=my_ca" % prog
+ print "\n"
+
+
+class CertHelperException:
+ def __init__(self, message):
+ self.message = message
+
+
+class CertHelper:
+ def __init__(self, prog, outdir, name):
+ self._prog = prog
+ self._outdir = outdir
+ self._name = name
+
+ def dispatch(self, cmd, argslist):
+ if cmd.lower() == 'ca':
+ self._gencert_ca(argslist)
+ elif cmd.lower() == 'normal':
+ self._gencert_normal(argslist)
+ else:
+ print_usage(self._prog)
+
+ def _gencert_ca(self, args):
+ # Set up CA directory
+ if not os.path.exists(self._outdir):
+ os.makedirs(self._outdir)
+ try:
+ os.makedirs(os.path.join(self._outdir, 'certs'))
+ os.makedirs(os.path.join(self._outdir, 'crl'))
+ os.makedirs(os.path.join(self._outdir, 'newcerts'))
+ os.makedirs(os.path.join(self._outdir, 'private'))
+ except:
+ pass
+ cert_db = os.path.join(self._outdir, "index.txt")
+ os.system("/bin/touch %s" % cert_db)
+ serial = os.path.join(self._outdir, "serial")
+ if not os.path.exists(serial):
+ os.system("/bin/echo '01' > %s" % serial)
+
+ cnf = write_openssl_cnf(self._outdir, self._name, {})
+
+ # Create the CA key
+ key_file = os.path.join(self._outdir, "private", "cakey.pem")
+ cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file)
+ if os.system(cmd) != 0:
+ raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+
+ # Make the self-signed CA certificate
+ cert_file = os.path.join(self._outdir, "%s_ca_cert.pem" % self._name)
+ cmd = "%s req -config %s -new -x509 -days 3650 -key %s -out %s -extensions v3_ca" % (OPENSSL_PROG, cnf, key_file, cert_file)
+ if os.system(cmd) != 0:
+ raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+
+ os.remove(cnf)
+ print "Success. Your Certificate Authority directory is: %s\n" % self._outdir
+
+ def _gencert_normal(self, args):
+ cadir = argfind(args, 'cadir')
+ if not cadir:
+ print_usage(self._prog)
+ sys.exit(1)
+ caname = argfind(args, 'caname')
+ if not caname:
+ print_usage(self._prog)
+ sys.exit(1)
+
+ cnf = write_openssl_cnf(cadir, caname, {})
+
+ # Generate key
+ key_file = os.path.join(self._outdir, "%s_key.pem" % self._name)
+ cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file)
+ if os.system(cmd) != 0:
+ raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+ print ""
+
+ # Generate the certificate request
+ req_file = os.path.join(self._outdir, "%s_req.pem" % self._name)
+ cmd = '%s req -config %s -new -nodes -out %s -key %s' % (OPENSSL_PROG, cnf, req_file, key_file)
+ if os.system(cmd) != 0:
+ raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+ print ""
+
+ # Sign the request with the CA's certificate and key
+ cert_file = os.path.join(self._outdir, "%s_cert.pem" % self._name)
+ cmd = '%s ca -config %s -days 3650 -out %s -infiles %s' % (OPENSSL_PROG, cnf, cert_file, req_file)
+ if os.system(cmd) != 0:
+ raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+ print ""
+
+ # Cat the normal cert and key together
+ key_and_cert = os.path.join(self._outdir, "%s_key_and_cert.pem" % self._name)
+ cmd = '/bin/cat %s %s > %s' % (key_file, cert_file, key_and_cert)
+ if os.system(cmd) != 0:
+ raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+
+ # Cleanup: remove the cert, key, and request files
+ cmd = "/bin/rm -f %s %s %s" % (key_file, req_file, cert_file)
+ if os.system(cmd) != 0:
+ raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+
+ os.remove(cnf)
+ print "Success. Your certificate and key file is: %s\n" % key_and_cert
+
+
+def write_openssl_cnf(home, ca_name, opt_dict):
+ (fd, name) = tempfile.mkstemp('', 'openssl_cnf_', dir=None, text=True)
+ os.write(fd, """
+##############################
+HOME = %s
+RANDFILE = .rand
+
+##############################
+[ ca ]
+default_ca = CA_default\n
+
+##############################
+[ CA_default ]
+
+dir = $HOME
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/cacert.pem
+private_key = $dir/private/cakey.pem
+serial = $dir/serial
+crl = $dir/crl.pem
+
+x509_extensions = usr_cert
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 3650
+default_crl_days= 30
+default_md = md5
+preserve = no
+
+policy = policy_match
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+##############################
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+string_mask = MASK:0x2002
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = North Carolina
+
+localityName = Locality Name (eg, city)
+localityName_default = Raleigh
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Fedora Project
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+##############################
+[ usr_cert ]
+
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+##############################
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+
+""" % (home))
+
+ return name
+
+def argfind(arglist, prefix):
+ val = None
+ for arg in arglist:
+ if arg.startswith('--%s=' % prefix):
+ val = arg
+ break
+ if not val:
+ return None
+ val = val.replace('--%s=' % prefix, '')
+ return val
+
+if __name__ == '__main__':
+ prog = sys.argv[0]
+ if len(sys.argv) < 3:
+ print_usage(prog)
+ sys.exit(1)
+
+ outdir = argfind(sys.argv, 'outdir')
+ if not outdir:
+ print_usage(prog)
+ sys.exit(1)
+
+ name = argfind(sys.argv, 'name')
+ if not name:
+ print_usage(prog)
+ sys.exit(1)
+
+ ch = CertHelper(prog, outdir, name)
+ try:
+ ch.dispatch(sys.argv[1], sys.argv)
+ except CertHelperException, e:
+ print e.message
+ sys.exit(1)
+
+ sys.exit(0)
+
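Review bot: the configuration embedded in write_openssl_cnf sets `default_md = md5` under [ CA_default ] and `default_bits = 1024` under [ req ], so certificates signed through this helper get a weak digest even though the keys are generated with `genrsa ... 2048`. Set default_md to a SHA-2 digest such as sha256 and default_bits to 2048 to match. Every command is also built with `%` formatting and run through os.system, so an --outdir or --name value containing spaces or shell metacharacters changes the command that runs; passing an argument list to subprocess avoids that. Smaller points: CertHelperException should derive from Exception, the bare `except: pass` around os.makedirs hides real failures, and the ca_name and opt_dict parameters of write_openssl_cnf are unused.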
diff --git a/modules/fas/files/export-bugzilla.py b/modules/fas/files/export-bugzilla.py
new file mode 100755
index 0000000..4b6b416
--- /dev/null
+++ b/modules/fas/files/export-bugzilla.py
@@ -0,0 +1,68 @@
+#!/usr/bin/python -t
+__requires__ = 'TurboGears'
+import pkg_resources
+pkg_resources.require('CherryPy >= 2.0, < 3.0alpha')
+
+import sys
+import getopt
+import xmlrpclib
+import turbogears
+from turbogears import config
+turbogears.update_config(configfile="/etc/export-bugzilla.cfg")
+from turbogears.database import session
+from fas.model import BugzillaQueue
+
+BZSERVER = config.get('bugzilla.url', 'https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi')
+BZUSER = config.get('bugzilla.username')
+BZPASS = config.get('bugzilla.password')
+
+if __name__ == '__main__':
+ opts, args = getopt.getopt(sys.argv[1:], '', ('usage', 'help'))
+ if len(args) != 2 or ('--usage','') in opts or ('--help','') in opts:
+ print """
+ Usage: export-bugzilla.py GROUP BUGZILLA_GROUP
+ """
+ sys.exit(1)
+ ourGroup = args[0]
+ bzGroup = args[1]
+
+ server = xmlrpclib.Server(BZSERVER)
+ bugzilla_queue = BugzillaQueue.query.join('group').filter_by(
+ name=ourGroup)
+
+ for entry in bugzilla_queue:
+ # Make sure we have a record for this user in bugzilla
+ if entry.action == 'r':
+ # Remove the user's bugzilla group
+ try:
+ server.bugzilla.updatePerms(entry.email, 'rem', (bzGroup,),
+ BZUSER, BZPASS)
+ except xmlrpclib.Fault, e:
+ if e.faultCode == 504:
+ # It's okay, not having this user is equivalent to setting
+ # them to not have this group.
+ pass
+ else:
+ raise
+
+ elif entry.action == 'a':
+ # Try to create the user
+ try:
+ server.bugzilla.addUser(entry.email, entry.person.human_name, BZUSER, BZPASS)
+ except xmlrpclib.Fault, e:
+ if e.faultCode == 500:
+ # It's okay, we just need to make sure the user has an
+ # account.
+ pass
+ else:
+ print entry.email,entry.person.human_name
+ raise
+ server.bugzilla.updatePerms(entry.email, 'add', (bzGroup,),
+ BZUSER, BZPASS)
+ else:
+ print 'Unrecognized action code: %s %s %s %s %s' % (entry.action,
+ entry.email, entry.person.human_name, entry.person.username, entry.group.name)
+
+ # Remove them from the queue
+ session.delete(entry)
+ session.flush()
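Review bot: BZUSER and BZPASS are read with `config.get(...)` without a default and nothing checks them before the loop, so a missing entry in /etc/export-bugzilla.cfg sends None as the credentials on every XML-RPC call. BZSERVER likewise falls back to the bugdev.devel.redhat.com URL when bugzilla.url is unset. Exit with a clear message at startup when any of the three is missing instead of falling back. The fault codes 504 and 500 would be easier to follow as named constants.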
diff --git a/modules/fas/files/fas-log.cfg b/modules/fas/files/fas-log.cfg
new file mode 100644
index 0000000..3f7843d
--- /dev/null
+++ b/modules/fas/files/fas-log.cfg
@@ -0,0 +1,29 @@
+# LOGGING
+# Logging is often deployment specific, but some handlers and
+# formatters can be defined here.
+
+[logging]
+[[formatters]]
+[[[message_only]]]
+format='*(message)s'
+
+[[[full_content]]]
+format='*(name)s *(levelname)s *(message)s'
+
+[[handlers]]
+[[[debug_out]]]
+class='StreamHandler'
+level='DEBUG'
+args='(sys.stdout,)'
+formatter='full_content'
+
+[[[access_out]]]
+class='StreamHandler'
+level='INFO'
+args='(sys.stdout,)'
+formatter='message_only'
+
+[[[error_out]]]
+class='StreamHandler'
+level='ERROR'
+args='(sys.stdout,)'
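Review bot: the error_out handler ends without a `formatter=` line, while debug_out and access_out each name one. Add `formatter='full_content'` so error records carry the logger name and level in the same layout as the debug output.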
diff --git a/modules/fas/files/fas.fedoraproject.org.conf b/modules/fas/files/fas.fedoraproject.org.conf
new file mode 100644
index 0000000..7db2e97
--- /dev/null
+++ b/modules/fas/files/fas.fedoraproject.org.conf
@@ -0,0 +1,13 @@
+# proxy1 - 10.8.32.122
+# proxy2 - 10.8.32.121
+# proxy3 - 66.35.62.166
+# proxy4 - 152.46.7.222
+# proxy5 - 80.239.156.215
+
+
+<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80>
+ ServerName fas.fedoraproject.org
+ ServerAdmin admin(a)fedoraproject.org
+
+ include "conf.d/fas.fedoraproject.org/*.conf
+</VirtualHost>
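Review bot: this file differs from accounts.fedoraproject.org.conf in this patch only in ServerName and the include path, and it repeats the same five proxy addresses and the same unterminated quote on the include line. Generating both virtual hosts from one template, with the address list held in a single variable, would keep them from drifting apart when a proxy is added or renumbered.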
diff --git a/modules/fas/files/fas.fedoraproject.org/logs.conf b/modules/fas/files/fas.fedoraproject.org/logs.conf
new file mode 100644
index 0000000..9195af7
--- /dev/null
+++ b/modules/fas/files/fas.fedoraproject.org/logs.conf
@@ -0,0 +1,2 @@
+CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-access.log.%Y-%m-%d 86400" combined
+ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-error.log.%Y-%m-%d 86400"
diff --git a/modules/fas/files/fas.fedoraproject.org/redirect.conf b/modules/fas/files/fas.fedoraproject.org/redirect.conf
new file mode 100644
index 0000000..1fc6864
--- /dev/null
+++ b/modules/fas/files/fas.fedoraproject.org/redirect.conf
@@ -0,0 +1 @@
+Redirect permanent / https://admin.fedoraproject.org/accounts/
diff --git a/modules/fas/files/fas.wsgi b/modules/fas/files/fas.wsgi
new file mode 100644
index 0000000..865cc08
--- /dev/null
+++ b/modules/fas/files/fas.wsgi
@@ -0,0 +1,50 @@
+#!/usr/bin/python
+import sys
+sys.path.append('/usr/lib/python2.4/site-packages/fas/')
+sys.stdout = sys.stderr
+
+import pkg_resources
+pkg_resources.require('CherryPy <= 3.0alpha')
+
+import os
+os.environ['PYTHON_EGG_CACHE'] = '/var/www/.python-eggs'
+
+import atexit
+import cherrypy
+import cherrypy._cpwsgi
+import turbogears
+import turbogears.startup
+from formencode.variabledecode import NestedVariables
+import fedora.tg.util
+
+class MyNestedVariablesFilter(object):
+ def before_main(self):
+ if hasattr(cherrypy.request, "params"):
+ cherrypy.request.params_backup = cherrypy.request.params
+ cherrypy.request.params = \
+ NestedVariables.to_python(cherrypy.request.params or {})
+
+turbogears.startup.NestedVariablesFilter = MyNestedVariablesFilter
+
+turbogears.update_config(configfile="/etc/fas.cfg", modulename="fas.config")
+turbogears.config.update({'global': {'server.environment': 'production'}})
+turbogears.config.update({'global': {'autoreload.on': False}})
+turbogears.config.update({'global': {'server.log_to_screen': False}})
+turbogears.config.update({'global': {'server.webpath': '/accounts'}})
+turbogears.config.update({'global': {'base_url_filter.on': True}})
+turbogears.config.update({'global': {'base_url_filter.base_url': 'https://admin.fedoraproject.org'}})
+#turbogears.config.update({'global': {'sqlalchemy.recycle': '10'}})
+
+turbogears.startup.call_on_startup.append(fedora.tg.util.enable_csrf)
+
+import fas.controllers
+
+cherrypy.root = fas.controllers.Root()
+
+if cherrypy.server.state == 0:
+ atexit.register(cherrypy.server.stop)
+ cherrypy.server.start(init_only=True, server_class=None)
+
+def application(environ, start_response):
+ environ['SCRIPT_NAME'] = ''
+ return cherrypy._cpwsgi.wsgiApp(environ, start_response)
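Review bot: the block of turbogears.config.update calls after update_config hard-codes deployment values (server.environment, server.webpath '/accounts', base_url_filter.base_url 'https://admin.fedoraproject.org') that fas-prod.cfg.erb in this same patch also sets, so the effective value depends on which one wins and the two can drift apart. Keep each setting in one place, preferably the templated /etc/fas.cfg, and leave only what must differ under mod_wsgi (autoreload.on, server.log_to_screen) in the wsgi script. In application(), the unconditional environ['SCRIPT_NAME'] = '' and the hard-coded /usr/lib/python2.4/site-packages/fas/ path both need a comment saying why they are required, since the first discards the mount point Apache passes in and the second breaks on any other Python version.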
diff --git a/modules/fas/files/fasSync b/modules/fas/files/fasSync
new file mode 100644
index 0000000..4f9f643
--- /dev/null
+++ b/modules/fas/files/fasSync
@@ -0,0 +1 @@
+24 * * * * root /bin/sleep $(($RANDOM/20)); /usr/bin/fasClient -i > /dev/null 2>&1
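Review bot: the cron entry sends both stdout and stderr of /usr/bin/fasClient -i to /dev/null, so a failing account sync is completely silent and a host can keep running with stale accounts and nobody is told. Drop the 2>&1, or log to a file or syslog, so errors reach root's mail or a monitored log. Separately, $RANDOM is a bash feature and this cron.d file sets no SHELL=, so the random delay only works where /bin/sh is bash; add SHELL=/bin/bash at the top or note the assumption.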
diff --git a/modules/fas/files/fedora-ca-client-openssl.cnf b/modules/fas/files/fedora-ca-client-openssl.cnf
new file mode 100644
index 0000000..5c3bb15
--- /dev/null
+++ b/modules/fas/files/fedora-ca-client-openssl.cnf
@@ -0,0 +1,317 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = /var/lib/fedora-ca/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = . # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha1 # which md to use.
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_md = sha1
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+# we use PrintableString+UTF8String mask so if pure ASCII texts are used
+# the resulting certificates are compatible with Netscape
+string_mask = MASK:0x2002
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = North Carolina
+
+localityName = Locality Name (eg, city)
+localityName_default = Raleigh
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Fedora Project
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 0
+#challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
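Review bot: default_md = sha1 is set in both [ CA_default ] and [ req ], while fas-prod.cfg.erb in this patch sets openssl_digest = "md5"; the CA configuration and the application should agree on one digest, and it should not be MD5. This file is also the stock OpenSSL example carried over wholesale: [ proxy_cert_ext ] ends with proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo, a placeholder policy, and [ v3_ca ] leaves basicConstraints = CA:true non-critical. Trim the sections the user-certificate workflow does not use and add a short header comment saying which sections the Makefile and certhelper.py actually reference.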
diff --git a/modules/fas/files/nsswitch.conf b/modules/fas/files/nsswitch.conf
new file mode 100644
index 0000000..fb4ff62
--- /dev/null
+++ b/modules/fas/files/nsswitch.conf
@@ -0,0 +1,45 @@
+# /etc/nsswitch.conf
+#
+# An example Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# The entry '[NOTFOUND=return]' means that the search for an
+# entry should stop if the search in the previous entry turned
+# up nothing. Note that if the search failed due to some other reason
+# (like no NIS server responding) then the search continues with the
+# next entry.
+#
+# Legal entries are:
+#
+# nisplus or nis+ Use NIS+ (NIS version 3)
+# nis or yp Use NIS (NIS version 2), also called YP
+# dns Use DNS (Domain Name Service)
+# files Use the local files
+# db Use the local database (.db) files
+# compat Use NIS on compat mode
+# hesiod Use Hesiod for user lookups
+# [NOTFOUND=return] Stop searching if not found so far
+#
+
+passwd: db files
+shadow: db files
+group: db files
+
+#hosts: db files nisplus nis dns
+hosts: files dns
+
+bootparams: nisplus [NOTFOUND=return] files
+
+ethers: files
+netmasks: files
+networks: files
+protocols: files
+rpc: files
+services: files
+
+netgroup: files
+
+publickey: nisplus
+
+automount: files
+aliases: files nisplus
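Review bot: passwd, shadow and group are all set to "db files", so an entry in the generated .db files takes precedence over a local entry of the same name in /etc/passwd, /etc/shadow or /etc/group. Unless that is intended, use "files db" so local system accounts always win and the synced database can only add names, and say so in a comment. The nisplus entries left on bootparams, publickey and aliases come from the example file and can be dropped if these hosts do not use NIS+.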
diff --git a/modules/fas/manifests/init.pp b/modules/fas/manifests/init.pp
new file mode 100644
index 0000000..a8074db
--- /dev/null
+++ b/modules/fas/manifests/init.pp
@@ -0,0 +1,307 @@
+# Fedora account system Configuration
+
+class fas::fas {
+ package { fas-clients: ensure => present }
+ package { python-fedora: ensure => present }
+
+ # Set a default group if one has not been explicitly defined
+ if $groups {
+ $notGroup = ''
+ } else {
+ $groups = 'sysadmin-main'
+ }
+ if $sshGroups {
+ $notSshGroup = ''
+ } else {
+ $sshGroups = ''
+ }
+ if $restrictedApp {
+ $notRestrictedApp = ''
+ } else {
+ $restrictedApp = '/usr/bin/cvs server'
+ }
+
+ file { "/etc/nsswitch.conf":
+ source => "puppet:///fas/nsswitch.conf"
+ }
+
+ file { '/etc/fas.conf':
+ content => template('fas/fas.conf.erb'),
+ mode => '0600',
+
+ }
+# exec { 'make-accounts':
+# command => '/usr/bin/fasClient -e; /usr/bin/fasClient -i',
+# subscribe => Templatefile['/etc/fas.conf'],
+# require => Package['fas-clients'],
+# refreshonly => true
+# }
+
+ file { '/etc/cron.d/fasSync':
+ source => 'puppet:///fas/fasSync',
+ require => Package[fas-clients],
+ }
+
+ file { "/root/bin/":
+ ensure => directory,
+ }
+
+ file { '/etc/sudoers':
+ source => "puppet:///config/secure/sudoers",
+ mode => 0440,
+ owner => root,
+ group => root
+ }
+}
+
+class fas::fas-proxy inherits httpd {
+ file { "/etc/httpd/conf.d/admin.fedoraproject.org/accounts.conf":
+ source => 'puppet:///fas/accounts-proxy.conf',
+ notify => Service['httpd'],
+ }
+
+ file { '/etc/httpd/conf.d/fas.fedoraproject.org.conf':
+ source => 'puppet:///fas/fas.fedoraproject.org.conf',
+ notify => Service['httpd'],
+ }
+
+ file { '/etc/httpd/conf.d/fas.fedoraproject.org/':
+ source => 'puppet:///fas/fas.fedoraproject.org/',
+ recurse => true,
+ notify => Service['httpd'],
+ }
+
+ file { '/etc/httpd/conf.d/accounts.fedoraproject.org.conf':
+ source => 'puppet:///fas/accounts.fedoraproject.org.conf',
+ notify => Service['httpd']
+ }
+
+ file { '/etc/httpd/conf.d/accounts.fedoraproject.org/':
+ source => 'puppet:///fas/accounts.fedoraproject.org/',
+ recurse => true,
+ notify => Service['httpd'],
+ }
+
+}
+
+class fas::fas-server-base inherits turbogears {
+ $bugzillaUser='fedora-admin-xmlrpc(a)redhat.com'
+ include httpd
+ include mod_wsgi-package
+
+ package { fas: ensure => present }
+
+ package { fas-plugin-asterisk: ensure => present }
+
+ ### HACK: Need to solve this better later
+ file { '/usr/lib/python2.4/site-packages/fas/fas.wsgi':
+ source => 'puppet:///fas/fas.wsgi',
+ require => Package['mod_wsgi'],
+ notify => Service['httpd']
+ }
+
+ file { '/var/www/.python-eggs':
+ ensure => directory,
+ mode => '0700',
+ owner => 'apache',
+ require => Package['httpd']
+ }
+
+ file { '/etc/fas-gpg':
+ ensure => directory,
+ mode => '0700',
+ owner => 'fas',
+ group => 'fas',
+ require => Package['fas'],
+ }
+
+ file { '/etc/fas-gpg/secring.gpg':
+ source => 'puppet:///config/secure/accounts-secring.gpg',
+ owner => 'fas',
+ group => 'fas',
+ mode => 600,
+ require => File['/etc/fas-gpg']
+ }
+
+ file { '/etc/fas-gpg/pubring.gpg':
+ owner => 'fas',
+ group => 'fas',
+ mode => 600,
+ replace => false,
+ ensure => file,
+ source => 'puppet:///fas/accounts-pubring.gpg',
+ }
+
+ file { '/etc/httpd/conf.d/accounts.conf':
+ source => 'puppet:///fas/accounts.conf',
+ require => Package['mod_wsgi'],
+ }
+
+ file { '/etc/pki/fas':
+ ensure => directory,
+ mode => '0700',
+ owner => 'fas',
+ group => 'fas',
+ }
+ # These are both public certs so there's no reason to hide them
+ file { '/etc/pki/fas/fedora-server-ca.cert':
+ source => 'puppet:///config/secure/fedora-ca.cert',
+ }
+
+ file { '/etc/pki/fas/fedora-upload-ca.cert':
+ source => 'puppet:///config/secure/fedora-ca.cert',
+ }
+
+ file { '/etc/export-bugzilla.cfg':
+ content => template('fas/export-bugzilla.cfg.erb'),
+ owner => 'fas',
+ # Contains passwords so it needs to be restricted
+ mode => '0640'
+ }
+
+ # Note: This will move into the fas rpm soon
+ file { "/usr/local/bin/export-bugzilla.py":
+ source => "puppet:///fas/export-bugzilla.py",
+ mode => 0755,
+ }
+
+ file { '/usr/share/fas/static/fedora-server-ca.cert':
+ source => 'puppet:///config/secure/fedora-ca.cert',
+ owner => 'apache',
+ group => 'sysadmin-main',
+ mode => '0440',
+ require => Package['httpd']
+ }
+
+ file { '/usr/share/fas/static/fedora-upload-ca.cert':
+ source => 'puppet:///config/secure/fedora-ca.cert',
+ owner => 'apache',
+ group => 'sysadmin-main',
+ mode => '0440'
+ }
+
+ file { '/usr/lib/python2.4/site-packages/fas/config/log.cfg':
+ source => 'puppet:///fas/fas-log.cfg',
+ owner => 'root',
+ group => 'root',
+ notify => Service['httpd'],
+ require => Package['httpd'],
+ mode => '0644'
+ }
+}
+
+class fas::fas-server inherits fas-server-base {
+
+ $genCert = 'False'
+ file { '/etc/fas.cfg':
+ content => template('fas/fas-prod.cfg.erb'),
+ owner => 'fas',
+ group => 'apache',
+ notify => Service['httpd'],
+ require => Package['httpd'],
+ mode => '640'
+ }
+
+}
+
+class fas::fas-server-gencert inherits fas-server-base {
+
+ $genCert = 'True'
+ file { '/etc/fas.cfg':
+ content => template('fas/fas-prod.cfg.erb'),
+ owner => 'fas',
+ group => 'apache',
+ notify => Service['httpd'],
+ require => Package['httpd'],
+ mode => '640'
+ }
+
+ # These should be created by the fas package later
+ file { '/var/lock/fedora-ca':
+ ensure => directory,
+ mode => '0700',
+ owner => 'fas',
+ group => 'fas',
+ require => Package[fas],
+ }
+
+ file { '/var/lib/fedora-ca':
+ ensure => directory,
+ mode => '0771',
+ owner => 'fas',
+ group => 'sysadmin-main',
+ require => Package[fas],
+ }
+
+ file { '/var/lib/fedora-ca/newcerts':
+ ensure => directory,
+ mode => '0770',
+ owner => 'fas',
+ group => 'sysadmin-main',
+ require => Package[fas],
+ }
+
+ file { '/var/lib/fedora-ca/private':
+ ensure => directory,
+ mode => '0750',
+ owner => 'fas',
+ group => 'sysadmin-main'
+ }
+
+ # For publishing the crl
+ file { '/srv/web/ca':
+ ensure => directory,
+ mode => '0755',
+ owner => 'apache',
+ group => 'apache'
+ }
+
+ file { '/var/lib/fedora-ca/Makefile':
+ source => 'puppet:///fas/Makefile.fedora-ca',
+ mode => '0644'
+ }
+
+ file { '/var/lib/fedora-ca/openssl.cnf':
+ source => 'puppet:///fas/fedora-ca-client-openssl.cnf',
+ mode => '0644'
+ }
+
+ file { '/var/lib/fedora-ca/certhelper.py':
+ source => 'puppet:///fas/certhelper.py',
+ mode => '0750',
+ owner => 'root',
+ group => 'sysadmin-main'
+ }
+
+
+ # Public keys don't need restrictive permissions
+ file { '/var/lib/fedora-ca/cacert.pem':
+ source => 'puppet:///config/secure/fedora-ca.cert',
+ mode => '0444'
+ }
+
+ # First of every month, force a new crl to be created
+ cron { gen-crl:
+ command => "cd /var/lib/fedora-ca ; /usr/bin/make gencrl &> /dev/null",
+ user => "apache",
+ minute => 0,
+ hour => 0,
+ monthday => [ 1, 15 ],
+ }
+
+ file { '/srv/web/ca/crl.pem':
+ ensure => '/var/lib/fedora-ca/crl/crl.pem'
+ }
+}
+
+# Note: path will change when it moves into the fas rpm
+class fas::fas-no-balance {
+ cron { export-bugzilla:
+ command => "/usr/local/bin/export-bugzilla.py fedorabugs fedora_contrib",
+ user => "fas",
+ minute => 10,
+ ensure => present,
+ require => Package['fas'],
+ environment => "MAILTO=root"
+ }
+}
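Review bot: in fas::fas-server-gencert, /var/lib/fedora-ca is created with mode '0771' and /var/lib/fedora-ca/private with mode '0750' and group sysadmin-main, so any local user can traverse the CA directory and every member of sysadmin-main can read the directory that openssl.cnf uses for the CA private key ($dir/private/cakey.pem). If group access is not required, make private 0700 fas:fas and drop the world-execute bit; if it is, document why. Two smaller points in the same file: the comment above cron { gen-crl: says "First of every month" but monthday => [ 1, 15 ] runs it twice a month, and /etc/export-bugzilla.cfg is commented as containing passwords yet is mode '0640' with no group set, while /etc/fas.conf (which also carries a password) has a mode but no owner. File modes are also written three ways ('0600', 0440, 600); pick the quoted four-digit form throughout.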
diff --git a/modules/fas/templates/export-bugzilla.cfg.erb b/modules/fas/templates/export-bugzilla.cfg.erb
new file mode 100644
index 0000000..6c65f07
--- /dev/null
+++ b/modules/fas/templates/export-bugzilla.cfg.erb
@@ -0,0 +1,11 @@
+[global]
+# bugzilla.url = https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi
+# Running from fas1 so we need the PHX available address.
+bugzilla.url = "https://bzprx.vip.phx.redhat.com/xmlrpc.cgi"
+# bugzilla.url = "https://bugzilla.redhat.com/xmlrpc.cgi"
+bugzilla.username = "<%= bugzillaUser %>"
+bugzilla.password = "<%= bugzillaPassword %>"
+
+# At the moment, we have to extract this information directly from the fas2
+# database. We can build a json interface for it at a later date.
+sqlalchemy.dburi = "postgres://fas:<%= fasDbPassword %>@db2/fas2"
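Review bot: sqlalchemy.dburi connects as the fas role with fasDbPassword, the same credentials fas-prod.cfg.erb gives the web application, although the comment above it says this script only extracts information. A separate read-only database role for the export would keep a leak of /etc/export-bugzilla.cfg from exposing write access to fas2. The password is also interpolated into the URI unescaped, so a value containing @, / or : will produce a broken or misparsed URI; escape it in the template or state the constraint on the password.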
diff --git a/modules/fas/templates/fas-prod.cfg.erb b/modules/fas/templates/fas-prod.cfg.erb
new file mode 100644
index 0000000..11cac5a
--- /dev/null
+++ b/modules/fas/templates/fas-prod.cfg.erb
@@ -0,0 +1,163 @@
+[global]
+samadhi.baseurl = 'https://admin.fedoraproject.org/'
+
+admingroup = 'accounts'
+systemgroup = 'fas-system'
+thirdpartygroup = 'thirdparty'
+
+theme = 'fas'
+
+accounts_email = "accounts(a)fedoraproject.org"
+legal_cla_email = "legal-cla-archive(a)fedoraproject.org"
+
+email_host = "fedoraproject.org" # as in, web-members@email_host
+
+gpgexec = "/usr/bin/gpg"
+gpghome = "/etc/fas-gpg"
+gpg_fingerprint = "7662 A6D3 4F21 A653 7BD4 BA64 20A0 8C45 4A0E 6255"
+gpg_passphrase = "<%= fasGpgPassphrase %>"
+gpg_keyserver = "hkp://subkeys.pgp.net"
+
+cla_done_group = "cla_done"
+cla_fedora_group = "cla_fedora"
+
+privileged_view_groups = "(^fas-.*)"
+username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,bin,board,bodhi2,canna,chair,chairman,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,famsco,fax,fedorarewards,fesco,freemedia,ftp,ftpadm,ftpadmin,games,gdm,gopher,gregdek,halt,hostmaster,ident,info,ingres,jaboutboul,jan,keys,ldap,legal,logo,lp,mail,mailnull,manager,marketing,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,nrpe,nscd,ntp,nut,openvideo,operator,packager,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,root,rpc,rpcuser,rpm,sales,scholarship,secalert,security,shutdown,smmsp,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
+
+openidstore = "/var/tmp/fas/openid"
+
+# Enable or disable generation of SSL certificates for users
+gencert = <%= genCert %>
+
+makeexec = "/usr/bin/make"
+openssl_lockdir = "/var/lock/fedora-ca"
+openssl_digest = "md5"
+openssl_expire = 15552000 # 60*60*24*180 = 6 months
+openssl_ca_dir = "/var/lib/fedora-ca"
+openssl_ca_newcerts = "/var/lib/fedora-ca/newcerts"
+openssl_ca_index = "/var/lib/fedora-ca/index.txt"
+openssl_c = "US"
+openssl_st = "North Carolina"
+openssl_l = "Raleigh"
+openssl_o = "Fedora Project"
+openssl_ou = "Fedora User Cert"
+
+# Groups that automatically grant membership to other groups
+# Format: 'group1:a,b,c|group2:d,e,f'
+auto_approve_groups = 'packager:fedorabugs|cla_fedora:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done'
+
+# This is where all of your settings go for your development environment
+# Settings that are the same for both development and production
+# (such as template engine, encodings, etc.) all go in
+# fas/config/app.cfg
+
+mail.on = True
+mail.server = 'bastion'
+#mail.testmode = True
+mail.debug = False
+mail.encoding = 'utf-8'
+
+# DATABASE
+
+# pick the form for your database
+# sqlobject.dburi="postgres://username@hostname/databasename"
+# sqlobject.dburi="mysql://username:password@hostname:port/databasename"
+# sqlobject.dburi="sqlite:///file_name_and_path"
+
+# If you have sqlite, here's a simple default to get you started
+# in development
+sqlalchemy.dburi="postgres://fas:<%= fasDbPassword %>@db2/fas2"
+sqlalchemy.echo=False
+
+# if you are using a database or table type without transactions
+# (MySQL default, for example), you should turn off transactions
+# by prepending notrans_ on the uri
+# sqlobject.dburi="notrans_mysql://username:password@hostname:port/databasename"
+
+# for Windows users, sqlite URIs look like:
+# sqlobject.dburi="sqlite:///drive_letter:/path/to/file"
+
+# SERVER
+
+# Some server parameters that you may want to tweak
+server.socket_port=8088
+server.thread_pool=50
+server.socket_queue_size=30
+
+# FAS2 is mmuch busier than other servers due to serving visit and auth via
+# JSON.
+# Double pool_size
+#sqlalchemy.pool_size=10
+# And increase overflow above what other servers have
+#sqlalchemy.max_overflow=25
+# When using wsgi, we want the pool to be very low (as a separate instance is
+# run in each apache mod_wsgi thread. So each one is going to have very few
+# concurrent db connections.
+sqlalchemy.pool_size=1
+sqlalchemy.max_overflow=2
+
+# Enable the debug output at the end on pages.
+# log_debug_info_filter.on = False
+
+server.environment="production"
+autoreload.package="fas"
+
+# session_filter.on = True
+
+# Set to True if you'd like to abort execution if a controller gets an
+# unexpected parameter. False by default
+tg.strict_parameters = True
+tg.ignore_parameters = ["_csrf_token"]
+
+server.webpath='/accounts'
+base_url_filter.on = True
+base_url_filter.use_x_forwarded_host = True
+base_url_filter.base_url = "https://admin.fedoraproject.org"
+
+# Make the session cookie only return to the host over an SSL link
+visit.cookie.secure = True
+session_filter.cookie_secure = True
+
+[/fedora-server-ca.cert]
+static_filter.on = True
+static_filter.file = "/etc/pki/fas/fedora-server-ca.cert"
+
+[/fedora-upload-ca.cert]
+static_filter.on = True
+static_filter.file = "/etc/pki/fas/fedora-upload-ca.cert"
+
+# LOGGING
+# Logging configuration generally follows the style of the standard
+# Python logging module configuration. Note that when specifying
+# log format messages, you need to use *() for formatting variables.
+# Deployment independent log configuration is in fas/config/log.cfg
+[logging]
+
+[[loggers]]
+[[[fas]]]
+level='DEBUG'
+qualname='fas'
+handlers=['debug_out']
+
+[[[allinfo]]]
+level='INFO'
+handlers=['debug_out']
+
+#[[[access]]]
+#level='INFO'
+#qualname='turbogears.access'
+#handlers=['access_out']
+#propagate=0
+
+[[[identity]]]
+level='INFO'
+qualname='turbogears.identity'
+handlers=['access_out']
+propagate=0
+
+[[[database]]]
+# Set to INFO to make SQLAlchemy display SQL commands
+level='ERROR'
+qualname='sqlalchemy.engine'
+handlers=['debug_out']
+propagate=0
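Review bot: openssl_digest = "md5" selects MD5 for the user certificates this service issues, and it disagrees with default_md = sha1 in fedora-ca-client-openssl.cnf from the same patch; use a stronger digest and keep the two files consistent. In [[[fas]]] the production logger is set to level='DEBUG', which is worth lowering to INFO for an application that handles passwords and a GPG passphrase unless the debug output has been checked for secrets. openidstore = "/var/tmp/fas/openid" sits under a world-writable directory and this patch does not create or restrict it. The comment "This is where all of your settings go for your development environment" is left over from the development template and should be corrected for a file named fas-prod.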
diff --git a/modules/fas/templates/fas.conf.erb b/modules/fas/templates/fas.conf.erb
new file mode 100644
index 0000000..d8a3e05
--- /dev/null
+++ b/modules/fas/templates/fas.conf.erb
@@ -0,0 +1,78 @@
+[global]
+; url - Location to fas server
+url = https://admin.fedoraproject.org/accounts/
+
+; temp - Location to generate files while user creation process is happening
+temp = /var/db
+
+; login - username to contact fas
+login = systems
+
+; password - password for login name
+password = <%= systemsUserPassword %>
+
+; prefix - install to a location other than /
+prefix = /
+
+[host]
+; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
+; so if someone is in all 3, the client behaves the same as if they were just
+; in 'groups'
+
+; groups that should have a shell account on this system.
+<% if groups != "NONE" %>
+groups = <%= groups %>
+<% else %>
+groups = sysadmin-main
+<% end %>
+; groups that should have a restricted account on this system.
+; restricted accounts use the restricted_shell value in [users]
+restricted_groups =
+
+; ssh_restricted_groups: groups that should be restricted by ssh key. You will
+; need to disable password based logins in order for this value to have any
+; security meaning. Group types can be placed here as well, for example
+; @hg,@git,@svn
+<% if sshGroups %>
+ssh_restricted_groups = <%= sshGroups %>
+<% else %>
+ssh_restricted_groups =
+<% end %>
+
+; aliases_template: Gets prepended to the aliases file when it is generated by
+; fasClient
+aliases_template = /etc/aliases.template
+
+[users]
+; default shell given to people in [host] groups
+shell = /bin/bash
+
+; home - the location for fas user home dirs
+home = /home/fedora
+
+; home_backup_dir - Location home dirs should get moved to when a user is
+; deleted this location should be tmpwatched
+home_backup_dir = /home/fedora.bak
+
+; ssh_restricted_app - This is the path to the restricted shell script. It
+; will not work automatically for most people though through alterations it
+; is a powerfull way to restrict access to a machine. An alternative example
+; could be given to people who should only have cvs access on the machine.
+; setting this value to "/usr/bin/cvs server" would do this.
+<% if restrictedApp %>
+ssh_restricted_app = "<%= restrictedApp %>"
+<% else %>
+ssh_restricted_app = "/usr/bin/cvs server"
+<% end %>
+
+; restricted_shell - The shell given to users in the ssh_restricted_groups
+restricted_shell = /sbin/nologin
+
+; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
+ssh_restricted_shell = /bin/bash
+
+; ssh_key_options - Options to be appended to people ssh keys. Users in the
+; ssh_restricted_groups will have the keys they uploaded altered when they are
+; installed on this machine, appended with the options below.
+ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+
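Review bot: the ERB conditionals in [host] and [users] do not match what init.pp sets. "<% if groups != "NONE" %>" tests for a sentinel that init.pp never assigns (it defaults groups to 'sysadmin-main'), and "<% if sshGroups %>" and "<% if restrictedApp %>" are always true for a string in Ruby, including the empty string init.pp assigns, so all three else branches are dead code. Either remove the else branches and rely on the defaults in init.pp, or test for empty values explicitly. The comment on restricted_shell also says "users in the ssh_restricted_groups" where the [host] section says restricted accounts use it; and since ssh_restricted_shell is /bin/bash, note beside it that the restriction rests entirely on ssh_key_options and ssh_restricted_app being applied to every key.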
15 years
Bastion changes
by Mike McGrath
I'm making some changes to bastion today, I'm going to drop its interface
sometime this afternoon which will kill any of your connections on it.
I'll also be testing some failure scenarios. Stay tuned in #fedora-admin
if you think this affects you.
-Mike
15 years
My skills
by Angel Natan Villegas Vicencio
Hi everybody, I want to join the Fedora infrastructure team and add
some of my skills:
- System Administrator on RedHat 7.3, RedHat Advanced Server 2.1, RedHat
Enterprise Linux 3, RedHat Enterprise Linux 4, RedHat Enterprise Linux 5,
- Configurations and Installations of Redhat servers through PXE and
kickstart files
- Configurations of yum repositories for provisioning redhat servers ( 2.1,
3, 4, and 5 )
- LVM Filesystems
- Bash Scripting
- Technical Management of network services on Redhat (Radius, DNS, DHCP,
LDAP, Postfix)
- Technical Management on VMware Server and Xen.
- Backup Administrator in tape library MSL6000 with Omniback II.
- Storage Administrator in Storage Strategies with EVA500
- Monitoring Administrator with Nagios, open source tool.
- Technical knowledge on IBM and HP Hardware such as Blade Servers
HS21(IBM), xSeries 3250-3850 (IBM), Blades Server BL20PG2 (HP), DL360 G2 ,
DL380 G2 , DL580 G2 (HP).
- Firewall and VPNs Administrator on Netscreen Appliance
Thank you everybody ...
15 years
sysadmin sponsoring
by Ionuț Arțăriși
Hello,
I've recently become interested in the openid part of FAS and have
already set up a server on my laptop and begun hacking.
However, I think I would be much more productive using one of the test
servers in the infrastructure as this way I could actually test against
the different openid consumers "in the wild".
I've already applied to sysadmin-test and am now going to apply to
sysadmin as these seem to be the required steps.
Please sponsor me :)
Thank you!
15 years
Logs from f-peeps
by Paul W. Frields
Some of the recent Test Day live images were hosted from
fedorapeople.org space. I'd like to find out how many downloads there
were of these images, but I can't read /var/log/httpd on that host
(which makes sense). Are those logs supposed to be separate? If so,
I probably need some help with this request and can file a ticket. If
not, well I can still file a ticket. :-)
Paul
15 years
Translation Toolchain Freeze
by Dimitris Glezos
In Fedora's 6-month cycle, there are a few weeks in which translators
are working full-steam. These are the period for software translation
and the one for Docs translations. During these periods the L10n
Infrastructure should be considered frozen, otherwise the work of a
few hundred people will be interrupted (currently 40+ commits per day
are taking place).
Looking at poelstra's schedule [1], these freeze periods are:
2009-03-10 - 2009-04-14
2009-04-29 - 2009-05-14
If there's a document we need to have these added, please let me know.
Having the same process (+1s etc) for L10n Infra would be great, IMO.
-d
[1] http://poelstra.fedorapeople.org/schedules/f-11/f-11-trans-tasks.html
--
Dimitris Glezos
Jabber ID: glezos(a)jabber.org, GPG: 0xA5A04C3B
http://dimitris.glezos.com/
"He who gives up functionality for ease of use
loses both and deserves neither." (Anonymous)
--
15 years