suggested patch for review - issue 7158
by Zach Villers
As discussed in infra meeting 16 aug around the 14:30 mark
<https://meetbot.fedoraproject.org/teams/infrastructure/infrastructure.201...>
regarding Issue #7158: Planet Fedora doesn't have a valid certificate
<https://pagure.io/fedora-infrastructure/issue/7158>.
I created two patches (attached) based on my reading/understanding of
the certbot role README. Text below. I think we are in Freeze right now
and I probably have _many_ things to fix.
Thanks to everyone that guided me (hopefully I'm on the right track :)
diff --git a/playbooks/include/proxies-websites.yml
b/playbooks/include/proxies-websites.yml
index 8013c539e..5cd82375c 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -932,3 +932,15 @@
tags:
- pkgs.fedoraproject.org
when: env == "staging" and "phx2" in inventory_hostname
+# cert for https://fedoraplanet.org which redirects to
http://fedoraplanet.org
+
+ - role: httpd/website
+ site_name: fedoraplanet.org
+ server_aliases:
+ - www.fedoraplanet.org
+ ssl: true
+ sslonly: true
+ certbot: true
+ certbot_addhost: fedoraplanet.org
+ tags:
+ - fedoraplanet.org
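Review bot: the comment line at the top of this hunk has the redirect direction backwards for a site declared with `sslonly: true`: the role will send http://fedoraplanet.org to https, not https to http, so reword the comment to match. Since `certbot_addhost: fedoraplanet.org` only issues the cert for the bare name, also confirm the role covers `www.fedoraplanet.org` from `server_aliases`, otherwise the alias serves a certificate that does not match its name.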
---------------------------------------
diff --git a/roles/planet/templates/planet.conf
b/roles/planet/templates/planet.conf
index 319923d2a..f4f1eb622 100644
--- a/roles/planet/templates/planet.conf
+++ b/roles/planet/templates/planet.conf
@@ -15,6 +15,10 @@
ErrorLog logs/planet-error.log
CustomLog logs/fedoraplanet.org-access.log common
+ RewriteEngine on
+ RewriteRule ^/\.well-known/(.*)
/srv/web/acme-challenge/.well-known/$1 [L]
+ RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
+
UserDir disable
AddCharset UTF-8 .xml
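Review bot: the second RewriteRule sends every port-80 request to `https://%{HTTP_HOST}/$1`, while the new :443 vhost added later in this same file keeps `RedirectMatch permanent /(.*) http://fedoraplanet.org/$1`, so a client would bounce between the two vhosts until it gives up; the RedirectMatch has to go from the 443 side. The ACME rule is valid in vhost context because its substitution is an absolute filesystem path, but the archive has wrapped it onto two lines; make sure the committed file has `RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]` on one line. `%{HTTP_HOST}` also echoes the client-supplied Host header into the Location header; `https://fedoraplanet.org/$1` pins the redirect target.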
@@ -79,3 +83,32 @@
RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
</VirtualHost>
+<VirtualHost {{public_ip}}:443 _default_:443>
+ ##
+ # Domain: fedoraplanet.org
+ # Owner: admin(a)fedoraplanet.org
+ #
+ ServerName fedoraplanet.org
+
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem
+ SSLCertificateKeyFile
/etc/letsencrypt/live/fedoraplanet.org/privkey.pem
+ SSLCertificateChainFile
/etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
+ SSLHonorCipherOrder On
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+ SSLProtocol ALL -SSLv2
+
+ ServerAdmin admin(a)fedoraplanet.org
+ ServerName fedoraplanet.org
+
+ DocumentRoot "/srv/planet/site/"
+
+ ErrorLog logs/planet-error.log
+ CustomLog logs/planet.fedoraproject.org-access.log common
+
+ UserDir disable
+ AddCharset UTF-8 .xml
+
+ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
+
+</VirtualHost>
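Review bot: `SSLCertificateChainFile` points at fullchain.pem, which already contains the leaf certificate; with certbot's layout the pair is `SSLCertificateFile cert.pem` plus `SSLCertificateChainFile chain.pem`, or on httpd 2.4.8 and later just `SSLCertificateFile fullchain.pem` (SSLCertificateChainFile is deprecated there). `SSLProtocol ALL -SSLv2` still permits SSLv3 and the cipher list leads with RC4-SHA; a vhost written today should at least use `SSLProtocol all -SSLv3` and drop RC4, ideally copying whatever the proxies' httpd/website role already emits. Three smaller points: the `RedirectMatch permanent /(.*) http://fedoraplanet.org/$1` in this 443 vhost undoes the https redirect added to the :80 vhost above, `ServerName fedoraplanet.org` is set twice, and the access log name (planet.fedoraproject.org-access.log) differs from the :80 vhost's fedoraplanet.org-access.log.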
5 years, 6 months
FBR: Move python-blivet-3.1.0-2.fc29 from FEDORA-2018-85853d46b5 to
FEDORA-2018-f16a71bc92
by Randy Barlow
Context: https://pagure.io/releng/issue/7825
In order to fix that issue, I propose running the following commands on
bodhi-backend01:
$ sudo -u apache pshell /etc/bodhi/production.ini
2018-09-18 16:09:51,892 INFO [bodhi][MainThread] Using the
FakeBugTracker
2018-09-18 16:09:51,892 DEBUG [bodhi][MainThread] Using DevBuildsys
2018-09-18 16:10:26,842 INFO [bodhi.server][MainThread] Bodhi ready and
at your service!
Python 3.6.6 (default, Jul 19 2018, 14:25:17)
[GCC 8.1.1 20180712 (Red Hat 8.1.1-5)] on linux
Type "help" for more information.
Environment:
app The WSGI application.
registry Active Pyramid registry.
request Active request object.
root Root of the default resource tree.
root_factory Default root factory used to create `root`.
Custom Variables:
m bodhi.server.models
s bodhi.server.Session
>>> blivet = m.Build.query.filter_by(nvr='python-blivet-3.1.0-2.fc29').one()
>>> update = m.Update.query.filter_by(alias='FEDORA-2018-85853d46b5').one()
>>> update.builds.remove(blivet)
>>> update.comment(m.Session(), "python-blivet-3.1.0-2.fc29 has been removed from this update.", author='bowlofeggs')
>>> m.Session().commit()
The output above was taken from a practice run I did in Bodhi's
development environment.
+1's?
5 years, 6 months
FBR: Make rsyncd download motd a template
by Stephen John Smoogen
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 125163a..0726465 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -39,10 +39,7 @@
- selinux
- name: /etc/motd_fedora
- copy: src=motd_fedora dest=/etc/motd_fedora
-
-- name: /etc/motd_fedora_tier1
- copy: src=motd_fedora_tier1 dest=/etc/motd_fedora_tier1
+ template: src=rsync/motd_fedora.j2 dest =/etc/motd_fedora
- name: Configure logrotate for /var/log/rsyncd-fedora.log
copy: src=logrotate-rsync-fedora dest=/etc/logrotate.d/rsync-fedora
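Review bot: `dest =/etc/motd_fedora` has a space before the `=`, so the key=value shorthand parses `dest` as a bare word and `=/etc/motd_fedora` as another, and the task fails; write `template: src=rsync/motd_fedora.j2 dest=/etc/motd_fedora`. Dropping the /etc/motd_fedora_tier1 task also means anything in this role that still references that path (the rsyncd configuration for the tier1 hosts, if it does) must be repointed at /etc/motd_fedora in the same change, or the tier1 hosts end up with a motd file that no longer exists.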
diff --git a/roles/download/templates/rsync/motd_fedora.j2
b/roles/download/templates/rsync/motd_fedora.j2
index b640f3f..b73d868 100644
--- a/roles/download/templates/rsync/motd_fedora.j2
+++ b/roles/download/templates/rsync/motd_fedora.j2
@@ -1,9 +1,15 @@
----------------------------
Fedora Master Mirror Servers
----------------------------
+{% if inventory_hostname in groups['download_tier1'] %}
+NOTE: This server is for authorized Fedora tier1 mirrors only!
+{% endif %}
+
If you are using bare rsync to sync content, please stop and
take a look at https://pagure.io/quick-fedora-mirror.
See http://fedoraproject.org/wiki/Infrastructure/Mirroring for
further instructions.
----------------------------
+
+You have connected to {{ inventory_hostname }}
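Review bot: `groups['download_tier1']` raises an undefined-variable error on any inventory where that group is absent (a staging or test inventory, for example); `inventory_hostname in groups.get('download_tier1', [])` renders the non-tier1 text instead of failing the play. The trailing `You have connected to {{ inventory_hostname }}` line shows the internal inventory name to every anonymous rsync client; if that is meant to help mirror admins report which backend they hit, say so in the commit message, otherwise the public hostname would do.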
--
Stephen J Smoogen.
5 years, 6 months
[PATCH] Raise the file limit on the RabbitMQ cluster
by Jeremy Cline
RabbitMQ recommends[0] that the open file descriptor limit be set to a
minimum of 50K. It recommends that the maximum number of open
connections be multiplied by 2 and added to the total number of queues.
Finally, it suggests that 500K isn't an unreasonable setting. This sets
the default to 500K and makes the value configurable.
[0] https://www.rabbitmq.com/production-checklist.html
Signed-off-by: Jeremy Cline <jcline(a)redhat.com>
---
I have permissions to commit this, but I'd like the sysadmins to review
it for (in)sanity.
handlers/restart_services.yml | 6 ++++++
roles/rabbitmq_cluster/defaults/main.yml | 2 ++
roles/rabbitmq_cluster/tasks/main.yml | 18 ++++++++++++++++++
3 files changed, 26 insertions(+)
create mode 100644 roles/rabbitmq_cluster/defaults/main.yml
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index b21d8ec25..f791ce084 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -179,3 +179,9 @@
- name: restart buildmaster
service: name=buildmaster state=restarted
+
+- name: restart rabbitmq
+ systemd:
+ name: rabbitmq-server
+ state: restarted
+ systemd_reload: yes
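Review bot: `systemd_reload` is not a parameter of the Ansible systemd module; the option is `daemon_reload: yes`, and as written the handler fails with an unsupported-parameter error the first time it is notified, leaving the new limit unapplied. Worth stating in the commit message too that notifying this handler restarts RabbitMQ on every cluster member whose override changed, so the play should be run host by host on the cluster.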
diff --git a/roles/rabbitmq_cluster/defaults/main.yml b/roles/rabbitmq_cluster/defaults/main.yml
new file mode 100644
index 000000000..b58d65393
--- /dev/null
+++ b/roles/rabbitmq_cluster/defaults/main.yml
@@ -0,0 +1,2 @@
+# https://www.rabbitmq.com/production-checklist.html#resource-limits-file-h...
+rabbitmq_cluster_file_limit: 500000
diff --git a/roles/rabbitmq_cluster/tasks/main.yml b/roles/rabbitmq_cluster/tasks/main.yml
index e3d8442ee..468cbc5ac 100644
--- a/roles/rabbitmq_cluster/tasks/main.yml
+++ b/roles/rabbitmq_cluster/tasks/main.yml
@@ -78,6 +78,24 @@
- rabbitmq_cluster
- config
+- name: Create RabbitMQ systemd override directory
+ file:
+ path: /etc/systemd/system/rabbitmq-server.service.d/
+ state: directory
+ tags:
+ - rabbitmq_cluster
+ - config
+
+- name: Override file limit on rabbitmq
+ copy:
+ content: "[Service]\nLimitNOFILE={{rabbitmq_cluster_file_limit}}\n"
+ dest: /etc/systemd/system/rabbitmq-server.service.d/override.conf
+ notify:
+ - restart rabbitmq
+ tags:
+ - rabbitmq_cluster
+ - config
+
- name: start rabbitmq
service: name=rabbitmq-server state=started enabled=yes
tags:
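Review bot: the `start rabbitmq` task that follows uses the service module with no daemon-reload, so on a fresh host systemd starts rabbitmq-server before it has read the new override.conf and the limit only takes effect when the handler restarts it at the end of the play; add a `daemon_reload: yes` (systemd module) to the start task, or a `meta: flush_handlers` before it, so the first start already runs with the intended LimitNOFILE. The copy task also sets no `mode`; a unit drop-in should be 0644 and it is safer to say so explicitly than to rely on the remote umask.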
--
2.17.1
5 years, 6 months
Post-FBR: Force openvpn to use tun1
by Patrick Uiterwijk
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi all,
For compatibility with openshift, we need openvpn to use tun1 on the openshift nodes.
While this does happen automatically if openvpn starts after the openshift SDN pod,
this is not always the case.
Can I get +1s for the patches I rolled out to make sure this happens?
(The second one was because I had the variable name wrong.)
commit 8ad630412f6abd082d08a628260b408d88d99b21
Author: Patrick Uiterwijk <patrick(a)puiterwijk.org>
Date: Tue Sep 18 05:49:15 2018 +0200
Make OpenVPN use tun1 for os-node's
Signed-off-by: Patrick Uiterwijk <patrick(a)puiterwijk.org>
diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml
index 27c150d16..1ed3d173b 100644
- --- a/roles/openvpn/client/tasks/main.yml
+++ b/roles/openvpn/client/tasks/main.yml
@@ -19,14 +19,24 @@
- openvpn
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
+- name: Install main config file (rhel7 and fedora)
+ template: src=client.conf
+ dest=/etc/openvpn/client/openvpn.conf
+ owner=root group=root mode=0644
+ tags:
+ - install
+ - openvpn
+# notify:
+# - restart openvpn (Fedora)
+# - restart openvpn (RHEL7)
+# - restart openvpn (RHEL6)
+ when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
+
- name: Install configuration files (rhel7 and fedora)
copy: src={{ item.file }}
dest={{ item.dest }}
owner=root group=root mode={{ item.mode }}
with_items:
- - - { file: client.conf,
- - dest: /etc/openvpn/client/openvpn.conf,
- - mode: '0644' }
- { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt",
dest: "/etc/openvpn/client/client.crt",
mode: '0600' }
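Review bot: the `notify` block in the new template task is commented out, so a change to the tunnel device in client.conf is written to disk but the running openvpn keeps whatever tun it already holds; if leaving the daemons alone was deliberate for the freeze, note that in the commit message, otherwise re-enable the handlers. The `when` on the new task (`!= 6 and != 24`) also differs from the `> 7` condition on the package-install task just above it in the context lines; the two should agree so that every host that gets the package also gets the template.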
diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/templates/client.conf
similarity index 70%
rename from roles/openvpn/client/files/client.conf
rename to roles/openvpn/client/templates/client.conf
index 5042ed6e2..f398c9a39 100644
- --- a/roles/openvpn/client/files/client.conf
+++ b/roles/openvpn/client/templates/client.conf
@@ -1,6 +1,11 @@
client
+{% if hostname.startswith("os-node") %}
+# OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it
+dev tun1
+{% else %}
dev tun
+{% endif %}
proto udp
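Review bot: `hostname` is not defined in the template's variable context (it is neither a fact nor an inventory variable here), so rendering this template fails with an undefined-variable error; the second commit in this mail fixes that with `ansible_hostname`. Hardcoding `dev tun1` also only avoids the clash described in the mail if nothing else claims tun1 before openvpn starts, so the comment should say that tun1 is a convention for these nodes rather than a guarantee.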
commit 325155810b8a0f0bbf929587316e1ae97d2b6565 (HEAD -> master, origin/master, origin/HEAD)
Author: Patrick Uiterwijk <patrick(a)puiterwijk.org>
Date: Tue Sep 18 05:51:46 2018 +0200
Actually use the ansible hostname
Signed-off-by: Patrick Uiterwijk <patrick(a)puiterwijk.org>
diff --git a/roles/openvpn/client/templates/client.conf b/roles/openvpn/client/templates/client.conf
index f398c9a39..11372910b 100644
- --- a/roles/openvpn/client/templates/client.conf
+++ b/roles/openvpn/client/templates/client.conf
@@ -1,6 +1,6 @@
client
- -{% if hostname.startswith("os-node") %}
+{% if ansible_hostname.startswith("os-node") %}
# OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it
dev tun1
{% else %}
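Review bot: `ansible_hostname` is only available when fact gathering runs for the play; `inventory_hostname` is always defined and is the name this role already uses elsewhere (the `{{ inventory_hostname }}.crt` item in the tasks file), so it is the safer choice here. Matching on a name prefix is also fragile; a group-membership test (`inventory_hostname in groups[...]` against the group that holds the openshift nodes) keeps the template in step with the inventory instead of a naming pattern.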
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
5 years, 6 months
Infrastructure Meeting Agenda 2018-09-13 1500 UTC
by Stephen John Smoogen
This shared document is for the next fedora infrastructure meeting.
= Preamble =
The infrastructure team will be having its weekly meeting tomorrow,
2018-09-13 at 15:00 UTC in #fedora-meeting-1 on the freenode network.
We have a gobby document
(see: https://fedoraproject.org/wiki/Gobby )
fedora-infrastructure-meeting-next is the document.
Please try and review and edit that document before the meeting and we
will use it to have our agenda of things to discuss. A copy as of today
is included in this email.
If you have something to discuss, add the topic to the discussion area
with your name. If you would like to teach other folks about some
application or setup in our infrastructure, please add that topic and
your name to the learn about section.
= Introduction =
We will use it over the week before the meeting to gather status and info and
discussion items and so forth, then use it in the irc meeting to transfer
information to the meetbot logs.
= Meeting start stuff =
#startmeeting Infrastructure (2018-09-13)
#meetingname infrastructure
#topic aloha
#chair nirik pingou puiterwijk relrod smooge tflink threebean
= Let new people say hello =
#topic New folks introductions
#info This is a place where people who are interested in Fedora
Infrastructure can introduce themselves
= Status / Information / Trivia / Announcements =
(We put things here we want others on the team to know, but don't need
to discuss)
(Please use #info <the thing> - your name)
#topic announcements and information
#info tflink is on extended PTO
#info Beta Freeze is in effect. All changes to frozen systems in
Infrastructure will require +1
#info Bodhi 3.10.0 beta in staging
https://bodhi.stg.fedoraproject.org/docs/user/release_notes.html
#info odd network problem on arm network worked around.
#info odd install problem on aarch64 systems is ongoing.
= Things we should discuss =
We use this section to bring up discussion topics. Things we want to talk about
as a group and come up with some consensus or decision, or just brainstorm a
problem or issue. If there are none of these we skip this section.
(Use #topic your discussion topic - your username)
#topic Oncall
#info Relrod is on call from 2018-09-06->2018-09-13
#info Smooge is on call from 2018-09-13->2018-09-20
#info Nirik is on call from 2018-09-20->2018-09-27
#info ??? is on call from 2018-09-27->2018-10-04
#info Summary of last week: (from Relrod)
#topic recent openshift additions - kevin
#topic python3 porting help needed for supybot-plugins - kevin
#topic Tickets discussion
#info https://pagure.io/fedora-infrastructure/report/Meetings%20ticket
Go thru each ticket one by one
= Apprentice office hours =
#topic Apprentice Open office minutes
#info A time where apprentices may ask for help or look at problems.
Here we will discuss any apprentice questions, try and match up people looking
for things to do with things to do, progress, testing anything like that.
= Learn about some application or setup in infrastructure =
(This section, each week we get 1 person to talk about an application or setup
that we have. Just going over what it is, how to contribute, ideas for
improvement,
etc. Whoever would like to do this, just add the info in this section. In the
event we don't find someone to teach about something, we skip this section
and just move on to open floor.)
#info
= Meeting end stuff =
#topic Open Floor
#endmeeting
--
Stephen J Smoogen.
5 years, 6 months
Agenda for tomorrow's meeting
by Stephen John Smoogen
REMINDER: We are moving this to 1500 UTC for this one time
Please update the Gobby or send me an email with changes needed for this meeting
--
Stephen J Smoogen.
5 years, 6 months