authorValentin Gologuzov <vgologuz@redhat.com>2014-10-10 12:35:14 +0200
committerValentin Gologuzov <vgologuz@redhat.com>2014-10-10 12:35:14 +0200
commitf27bd43dd2144caef70e8f20efe5768dc34eb301 (patch)
treeec5ffc53e7b9d241739a533b1c2733ddf41af686
parent325d8e6a7e5b9f4a38a968e25c92eb2f6e8832ae (diff)
[WIP] Copr playbooks refactoring using ansible roles, new role for copr-keygen
-rw-r--r--inventory/group_vars/copr5
-rw-r--r--inventory/group_vars/copr-back3
-rw-r--r--inventory/group_vars/copr-back-stg3
-rw-r--r--inventory/group_vars/copr-front2
-rw-r--r--inventory/group_vars/copr-front-stg1
-rw-r--r--inventory/group_vars/copr-stg5
-rw-r--r--inventory/host_vars/209.132.184.1424
-rw-r--r--inventory/host_vars/copr-be-dev.cloud.fedoraproject.org2
-rw-r--r--playbooks/groups/copr-back.yml232
-rw-r--r--playbooks/groups/copr-backend.yml31
-rw-r--r--playbooks/groups/copr-front.yml118
-rw-r--r--playbooks/groups/copr-frontend.yml27
-rw-r--r--playbooks/groups/copr-keygen.yml25
-rw-r--r--roles/copr/backend/files/DigiCertCA.crt28
-rw-r--r--roles/copr/backend/files/boto2
-rw-r--r--roles/copr/backend/files/copr_bashrc10
-rw-r--r--roles/copr/backend/files/delete-forgotten-instances.cron5
-rw-r--r--roles/copr/backend/files/delete-forgotten-instances.pl28
-rw-r--r--roles/copr/backend/files/keystonerc23
-rw-r--r--roles/copr/backend/files/lighttpd/dirlisting.conf9
-rw-r--r--roles/copr/backend/files/lighttpd/lighttpd.conf455
-rw-r--r--roles/copr/backend/files/lighttpd/lighttpd_dev.conf455
-rw-r--r--roles/copr/backend/files/lighttpd/mime.conf77
-rw-r--r--roles/copr/backend/files/provision/ansible.cfg93
-rw-r--r--roles/copr/backend/files/provision/files/builder.repo23
-rw-r--r--roles/copr/backend/files/provision/files/buildsys.pub1
-rw-r--r--roles/copr/backend/files/provision/files/epel6.repo13
-rw-r--r--roles/copr/backend/files/provision/files/mock/epel-5-i386.cfg60
-rw-r--r--roles/copr/backend/files/provision/files/mock/epel-5-x86_64.cfg60
-rw-r--r--roles/copr/backend/files/provision/files/mock/epel-7-x86_64.cfg60
-rw-r--r--roles/copr/backend/files/provision/files/mock/fedora-20-i386.cfg62
-rw-r--r--roles/copr/backend/files/provision/files/mock/fedora-20-x86_64.cfg62
-rw-r--r--roles/copr/backend/files/provision/files/mock/fedora-21-i386.cfg63
-rw-r--r--roles/copr/backend/files/provision/files/mock/fedora-21-x86_64.cfg63
-rw-r--r--roles/copr/backend/files/provision/files/mock/site-defaults.cfg152
-rw-r--r--roles/copr/backend/files/ssh_config4
-rw-r--r--roles/copr/backend/handlers/main.yml11
-rw-r--r--roles/copr/backend/meta/main.yml3
-rw-r--r--roles/copr/backend/tasks/install_certs.yml18
-rw-r--r--roles/copr/backend/tasks/main.yml132
-rw-r--r--roles/copr/backend/tasks/mount_fs.yml8
-rw-r--r--roles/copr/backend/templates/copr-be.conf64
-rw-r--r--roles/copr/backend/templates/copr-be.conf-dev60
-rw-r--r--roles/copr/backend/templates/provision/builderpb.yml97
-rw-r--r--roles/copr/backend/templates/provision/inventory1
-rw-r--r--roles/copr/backend/templates/provision/terminatepb.yml18
-rw-r--r--roles/copr/base/files/forward4
-rw-r--r--roles/copr/base/files/forward_dev3
-rw-r--r--roles/copr/base/files/hosts7
-rw-r--r--roles/copr/base/files/yum/copr.repo10
-rw-r--r--roles/copr/base/handlers/main.yml2
-rw-r--r--roles/copr/base/tasks/main.yml46
-rw-r--r--roles/copr/frontend/files/DigiCertCA.crt28
-rw-r--r--roles/copr/frontend/files/httpd/coprs.conf39
-rw-r--r--roles/copr/frontend/files/httpd/coprs_ssl.conf26
-rw-r--r--roles/copr/frontend/files/httpd/welcome.conf1
-rw-r--r--roles/copr/frontend/files/pg/pg_hba.conf13
-rw-r--r--roles/copr/frontend/handlers/main.yml1
-rw-r--r--roles/copr/frontend/meta/main.yml3
-rw-r--r--roles/copr/frontend/tasks/install_certs.yml27
-rw-r--r--roles/copr/frontend/tasks/main.yml48
-rw-r--r--roles/copr/frontend/tasks/mount_fs.yml8
-rw-r--r--roles/copr/frontend/tasks/psql_setup.yml20
-rw-r--r--roles/copr/frontend/templates/copr.conf33
-rw-r--r--roles/copr/keygen/files/httpd/copr-keygen.conf20
-rw-r--r--roles/copr/keygen/handlers/main.yml3
-rw-r--r--roles/copr/keygen/meta/main.yml3
-rw-r--r--roles/copr/keygen/tasks/main.yml33
-rw-r--r--roles/copr/keygen/templates/sign.conf4
69 files changed, 2700 insertions, 360 deletions
diff --git a/inventory/group_vars/copr b/inventory/group_vars/copr
index 654e19ca4..6da14bf38 100644
--- a/inventory/group_vars/copr
+++ b/inventory/group_vars/copr
@@ -1,3 +1,6 @@
---
devel: false
-_forward-src: "{{ files }}/copr/forward" \ No newline at end of file
+_forward_src: "forward"
+copr_backend_ips: "172.16.5.4"
+
+
diff --git a/inventory/group_vars/copr-back b/inventory/group_vars/copr-back
index cd21505a4..c4171e9c3 100644
--- a/inventory/group_vars/copr-back
+++ b/inventory/group_vars/copr-back
@@ -1,2 +1,3 @@
---
-
+_lighttpd_conf_src: "lighttpd/lighttpd.conf"
+_copr_be_conf: "copr-be.conf"
diff --git a/inventory/group_vars/copr-back-stg b/inventory/group_vars/copr-back-stg
index cd21505a4..bbf370626 100644
--- a/inventory/group_vars/copr-back-stg
+++ b/inventory/group_vars/copr-back-stg
@@ -1,2 +1,3 @@
---
-
+_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
+_copr_be_conf: "copr-be.conf-dev"
diff --git a/inventory/group_vars/copr-front b/inventory/group_vars/copr-front
index 1337f7757..bc4f985c5 100644
--- a/inventory/group_vars/copr-front
+++ b/inventory/group_vars/copr-front
@@ -1,2 +1,2 @@
---
-copr-hostname: "copr-fe.cloud.fedoraproject.org"
+copr_hostname: "copr-fe.cloud.fedoraproject.org"
diff --git a/inventory/group_vars/copr-front-stg b/inventory/group_vars/copr-front-stg
index b1996c89e..ed97d539c 100644
--- a/inventory/group_vars/copr-front-stg
+++ b/inventory/group_vars/copr-front-stg
@@ -1,2 +1 @@
---
-copr-hostname: "copr-fe-dev.cloud.fedoraproject.org"
diff --git a/inventory/group_vars/copr-stg b/inventory/group_vars/copr-stg
index 5d6f269fe..9ca06fcf4 100644
--- a/inventory/group_vars/copr-stg
+++ b/inventory/group_vars/copr-stg
@@ -1,3 +1,6 @@
---
devel: true
-_forward-src: "{{ files }}/copr/forward-dev"
+#_forward-src: "{{ files }}/copr/forward-dev"
+_forward_src: "forward_dev"
+
+copr_backend_ips: "172.16.5.5 172.16.5.4"
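Review bot: `copr_backend_ips` is a space-separated string (`"172.16.5.5 172.16.5.4"`) rather than a YAML list, so every consumer has to split it itself and a stray separator silently produces a wrong address; `copr_backend_ips: ['172.16.5.5', '172.16.5.4']` (and the same shape for the single address in the copr group) is the conventional form. The consumers are not visible in this chunk, so check them before changing the type. The commented-out `#_forward-src` line kept above is dead and can be dropped.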
diff --git a/inventory/host_vars/209.132.184.142 b/inventory/host_vars/209.132.184.142
index 9401dcf2d..a5208290d 100644
--- a/inventory/host_vars/209.132.184.142
+++ b/inventory/host_vars/209.132.184.142
@@ -6,7 +6,7 @@ security_group: webserver
zone: nova
hostbase: copr-be-
public_ip: 209.132.184.142
-root_auth_users: bkabrda msuchy pingou msuchy sgallagh nb asamalik
+root_auth_users: bkabrda msuchy pingou msuchy sgallagh nb asamalik vgologuz
description: copr dispatcher and repo server
volumes: ['-d /dev/vdc vol-00000028']
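Review bot: The `root_auth_users` change grants a new account root access on the production backend host inside a WIP refactoring commit, which makes the access grant easy to miss in review; it deserves its own change or at least a mention in the description. The same list also carries `msuchy` twice, so the line could read `root_auth_users: bkabrda msuchy pingou sgallagh nb asamalik vgologuz`. Whether the duplicate is harmless depends on how root_auth_users is consumed, which is outside this diff.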
@@ -23,5 +23,3 @@ fedmsg_certs:
owner: root
group: copr
-# Copr vars
-copr-hostname: "copr-be.cloud.fedoraproject.org"
diff --git a/inventory/host_vars/copr-be-dev.cloud.fedoraproject.org b/inventory/host_vars/copr-be-dev.cloud.fedoraproject.org
index a8509f4d0..747f540fb 100644
--- a/inventory/host_vars/copr-be-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-be-dev.cloud.fedoraproject.org
@@ -11,4 +11,4 @@ description: copr dispatcher and repo server - dev instance
tcp_ports: ['22', '80', '443']
# Copr vars
-copr-hostname: copr-be-dev.cloud.fedoraproject.org
+copr_hostname: copr-be-dev.cloud.fedoraproject.org
diff --git a/playbooks/groups/copr-back.yml b/playbooks/groups/copr-back.yml
deleted file mode 100644
index 1a249e2f2..000000000
--- a/playbooks/groups/copr-back.yml
+++ /dev/null
@@ -1,232 +0,0 @@
-- name: check/create instance
- hosts: copr-back:copr-back-stg
- user: root
- gather_facts: False
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "{{ private }}/vars.yml"
-
- tasks:
- - include: "{{ tasks }}/persistent_cloud.yml"
- - include: "{{ tasks }}/growroot_cloud.yml"
-
-- name: provision instance
- hosts: copr-back:copr-back-stg
- user: root
- gather_facts: True
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "{{ private }}/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
- # Roles are run first, before tasks, regardless of where you place them here.
- roles:
- - fedmsg/base
-
- tasks:
- - include: "{{ tasks }}/cloud_setup_basic.yml"
- - include: "{{ tasks }}/iptables.yml"
- - include: "{{ tasks }}/common_scripts.yml"
-
- - name: prepare mount point
- file: state=directory path=/var/lib/copr/public_html
- when: not devel
-
- - name: mount up disk of copr repo
- mount: name=/var/lib/copr/public_html src='LABEL=copr-repo' fstype=ext4 state=mounted
- when: not devel
-
- - name: mount /tmp/
- mount: name=/tmp src='tmpfs' fstype=tmpfs state=mounted
- when: not devel
-
- # We cannot use repo pointing to our self :(
- #- name: copy copr.repo
- # copy: src=$files/copr/fe/yum/copr.repo dest=/etc/yum.repos.d/copr.repo
-
-# - name: set the hostname
-# shell: hostname "{{ copr-hostname }}"
-
- - name: copy .forward file
- copy: src="{{ _forward_src }}" dest=/root/.forward owner=root group=root
-
- - name: deploy /etc/hosts file
- copy: src="{{ files }}/copr/hosts" dest=/etc/hosts owner=root group=root mode=644
-
- # packages needed
- - name: add packages for copr-be
- yum: state=present name={{ item }}
- with_items:
- - copr-selinux
- - copr-backend
- - git
- - screen
- - python-novaclient
-
- - name: add packages for copr-be, production only
- yum: state=present name={{ item }}
- when: not devel
- with_items:
- - fail2ban
- - system-config-firewall-base
-
- - name: make copr dirs
- file: state=directory path={{ item }}
- with_items:
- - /var/lib/copr/jobs
- - /var/lib/copr/public_html/results
-
- - name: Umask results
- command: /usr/bin/umask 0000 chdir=/var/lib/copr/public_html/results
-
- - name: setup dirs there
- file: state=directory path="/home/copr/{{ item }}" owner=copr group=copr mode=0700
- with_items:
- - cloud
- - .ssh
-
- - name: add copr-buildsys keys to copr user path
- copy: src={{ item }} dest=/home/copr/cloud/ owner=copr group=copr mode=0600
- with_fileglob:
- - "{{ private }}/files/openstack/copr-copr/*"
-
- - name: setup privkey for copr user
- copy: src="{{ private }}/files/copr/buildsys.priv" dest=/home/copr/.ssh/id_rsa owner=copr group=copr mode=600
-
- - name: setup copr user ssh config file
- copy: src="{{ files }}/copr/ssh_config" dest=/home/copr/.ssh/config owner=copr group=copr mode=600
-
- - name: create empty known_hosts
- copy: src=/dev/null dest=/home/copr/.ssh/known_hosts owner=copr group=copr mode=600
-
- - name: replace bashrc for copr user
- copy: src="{{ files }}/copr/copr_bashrc" dest=/home/copr/.bashrc owner=copr group=copr mode=600
-
- - name: auth_key so we can login to localhost as the copr user from the copr user
- authorized_key: user=copr key="{{ item }}"
- with_file:
- - "{{ files }}/copr/provision/files/buildsys.pub"
-
- - name: copy keystonerc
- template: src="{{ files }}/copr/keystonerc" dest=/root/ owner=root group=root mode=600
- when: not devel
-
- - name: copy .boto file
- copy: src="{{ files }}/copr/boto" dest=/home/copr/.boto owner=copr group=copr
-
- # setup webserver
- - name: add config for copr-repo path
- copy: src="{{ files }}/copr/lighttpd/lighttpd.conf" dest=/etc/lighttpd/lighttpd.conf owner=root group=root mode=0644
- notify:
- - restart lighttpd
-
- - name: copy httpd ssl certificates
- copy: src="{{ puppet_private }}/httpd/{{ item }}" dest="/etc/lighttpd/{{ item }}" owner=root group=root mode=0600
- when: not devel
- with_items:
- - copr-be.fedoraproject.org.key
- - copr-be.fedoraproject.org.crt
- notify:
- - concate ssl certs
- tags:
- - config
-
- - name: copy httpd ssl certificates (CAcert)
- copy: src="{{ files }}/copr/DigiCertCA.crt" dest="/etc/lighttpd/" owner=root group=root mode=0600
- when: not devel
- tags:
- - config
- notify:
- - restart lighttpd
-
- # mime default to text/plain and enable dirlisting for indexes
- - name: update lighttpd configs
- copy: src="{{ files }}/copr/lighttpd/{{ item }}" dest="/etc/lighttpd/conf.d/{{ item }}" owner=root group=root mode=0644
- with_items:
- - dirlisting.conf
- - mime.conf
- notify:
- - restart lighttpd
-
- - name: start webserver
- service: state=running enabled=yes name=lighttpd
-
- - name: start fail2ban
- service: state=running enabled=yes name=fail2ban
- when: not devel
-
- # setup dirs for the ansible execution off of provisioning
- - name: dirs from provision
- file: state=directory path="/home/copr/provision/{{ item }}" owner=copr group=copr
- with_items:
- - action_plugins
- - library
- - files
- - files/mock
- tags:
- - provision_config
-
- - name: put ansible.cfg for all this into /etc/ansible/ on the system
- copy: src="{{ files }}/copr/provision/ansible.cfg" dest=/etc/ansible/ansible.cfg
- tags:
- - provision_config
-
-
- - name: put some files into the provision subdir
- template: src="{{ files }}/copr/provision/{{ item }}" dest="/home/copr/provision/{{ item }}"
- with_items:
- - inventory
- - terminatepb.yml
- tags:
- - provision_config
-
- - name: put some files into the provision subdir, devel only
- copy: src="{{ files }}/copr/provision/{{ item }}" dest="/home/copr/provision/{{ item }}"
- when: devel
- with_items:
- - builderpb.yml
- tags:
- - provision_config
-
-
- - name: put files into the files subdir off of provisioning
- copy: src={{ item }} dest=/home/copr/provision/files/
- with_fileglob:
- - "{{ files }}/copr/provision/files/*"
- tags:
- - provision_config
-
- # ansible lacks a recurse - so we need this until then
- - name: put files into the files/mock subdir off of provisioning
- copy: src={{ item }} dest=/home/copr/provision/files/mock
- with_fileglob:
- - "{{ files }}/copr/provision/files/mock/*"
- tags:
- - provision_config
-
- - name: copy copr-be.conf
- template: src="{{ files }}/copr/copr-be.conf" dest=/etc/copr/copr-be.conf owner=root group=copr mode=640
- notify:
- - restart copr-backend
- tags:
- - config
-
- - name: copy delete-forgotten-instances.pl
- copy: src="{{ files }}/copr/delete-forgotten-instances.pl" dest=/home/copr/delete-forgotten-instances.pl mode=755
-
- - name: copy delete-forgotten-instances.cron
- copy: src="{{ files }}/copr/delete-forgotten-instances.cron" dest=/etc/cron.daily/delete-forgotten-instances owner=root group=root mode=755
-
- handlers:
- - include: "{{ handlers }}/restart_services.yml"
- - name: concate ssl certs
- shell: "cat /etc/lighttpd/copr-be.fedoraproject.org.key /etc/lighttpd/copr-be.fedoraproject.org.crt > /etc/lighttpd/copr-be.fedoraproject.org.pem"
- notify:
- - chmod_key
- - restart lighttpd
- - name: chmod_key
- file: path=/etc/lighttpd/copr-be.fedoraproject.org.pem owner=root group=root mode=0600
- - name: restart copr-backend
- service: name=copr-backend state=restarted
diff --git a/playbooks/groups/copr-backend.yml b/playbooks/groups/copr-backend.yml
new file mode 100644
index 000000000..06df747da
--- /dev/null
+++ b/playbooks/groups/copr-backend.yml
@@ -0,0 +1,31 @@
+- name: check/create instance
+ hosts: copr-back:copr-back-stg
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+
+ tasks:
+ - include: "{{ tasks }}/persistent_cloud.yml"
+ - include: "{{ tasks }}/growroot_cloud.yml"
+
+- name: provision instance
+ #hosts: copr-back:copr-back-stg
+ hosts: copr-back-stg
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ # Roles are run first, before tasks, regardless of where you place them here.
+ roles:
+ - base
+ - fedmsg/base
+ - copr/backend
+
+
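Review bot: The provision play sets `gather_facts: False` but lists `/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml` in vars_files, and that path needs the ansible_distribution fact, so it cannot be resolved (the deleted copr-back.yml gathered facts for this play). Either restore `gather_facts: True` or drop that vars file. The play also now targets only `copr-back-stg` with the production group commented out, and the iptables, cloud_setup_basic and fail2ban steps of the old playbook are not visible here; presumably the base and copr/backend roles cover them, which is worth confirming before this is run against production.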
diff --git a/playbooks/groups/copr-front.yml b/playbooks/groups/copr-front.yml
deleted file mode 100644
index bca3c8fa6..000000000
--- a/playbooks/groups/copr-front.yml
+++ /dev/null
@@ -1,118 +0,0 @@
-- name: check/create instance
- hosts: copr-front:copr-front-stg
- user: root
- gather_facts: False
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "{{ private }}/vars.yml"
-
- tasks:
- - include: "{{ tasks }}/persistent_cloud.yml"
- - include: "{{ tasks }}/growroot_cloud.yml"
-
-- name: provision instance
- hosts: copr-front:copr-front-stg
- user: root
- gather_facts: True
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "{{ private }}/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
- tasks:
- - include: "{{ tasks }}/cloud_setup_basic.yml"
- - include: "{{ tasks }}/postfix_basic.yml"
-
- - include: "{{ tasks }}/iptables.yml"
-
- - name: mount up disk of copr fe
- mount: name=/srv/copr-fe src='LABEL=copr-fe' fstype=ext4 state=mounted
- when: not devel
-
- - name: mount up bind mount for postgres
- mount: src=/srv/copr-fe/pgsqldb name=/var/lib/pgsql fstype=auto opts=bind state=mounted
- when: not devel
-
- - name: copy copr.repo
- copy: src="{{ files }}/copr/fe/yum/copr.repo" dest=/etc/yum.repos.d/copr.repo
-
-# - name: set the hostname
-# shell: hostname "{{ copr-hostname }}"
-
- - name: copy .forward file
- copy: src="{{ _forward_src }}" dest=/root/.forward owner=root group=root
-
- - name: deploy /etc/hosts file
- copy: src="{{ files }}/copr/hosts" dest=/etc/hosts owner=root group=root mode=644
-
- - name: install copr-fe pkgs
- yum: state=present pkg={{ item }}
- with_items:
- - copr-frontend
- - copr-selinux
- - postgresql-server
- - bash-completion
- - fail2ban
- - mod_ssl
- - system-config-firewall-base
- tags:
- - packages
-
- - name: install copr configs
- template: src="{{ files }}/copr/fe/copr.conf" dest=/etc/copr/copr.conf mode=600
- notify:
- - restart httpd
- tags:
- - config
-
- - name: copy apache files to conf.d
- copy: src="{{ files }}/copr/fe/httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
- with_items:
- - coprs.conf
- - welcome.conf
-
- - name: copy pg_hba.conf
- copy: src="{{ files }}/copr/fe/pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
-
- - name: copy httpd ssl certificates (crt)
- copy: src="{{ puppet_private }}/httpd/copr-fe.fedoraproject.org.crt" dest="/etc/pki/tls/certs/" owner=root group=root mode=0600
- tags:
- - config
-
- - name: copy httpd ssl certificates (key)
- copy: src="{{ puppet_private }}/httpd/copr-fe.fedoraproject.org.key" dest="/etc/pki/tls/private/" owner=root group=root mode=0600
- tags:
- - config
-
- - name: copy httpd ssl certificates (CAcert)
- copy: src="{{ files }}/copr/DigiCertCA.crt" dest="/etc/pki/tls/certs/" owner=root group=root mode=0600
- when: not devel
- tags:
- - config
-
- - lineinfile: dest=/etc/httpd/conf.d/coprs.conf regexp="SSLCertificateFile " insertafter="^#SSLCertificateFile " line="SSLCertificateFile /etc/pki/tls/certs/copr-fe.fedoraproject.org.crt"
- notify:
- - restart httpd
-
- - lineinfile: dest=/etc/httpd/conf.d/coprs.conf regexp="SSLCertificateKeyFile " insertafter="^#SSLCertificateKeyFile " line="SSLCertificateKeyFile /etc/pki/tls/private/copr-fe.fedoraproject.org.key"
- notify:
- - restart httpd
-
- - lineinfile: dest=/etc/httpd/conf.d/coprs.conf regexp="SSLCertificateChainFile " insertafter="SSLCertificateKeyFile " line="SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt"
- when: not devel
- notify:
- - restart httpd
-
- - name: enable services
- service: state=running enabled=yes name={{ item }}
- with_items:
- - httpd
- - postgresql
- - fail2ban
-
- handlers:
- - name: restart httpd
- service: name=httpd state=restarted
- - include: "{{ handlers }}/restart_services.yml"
diff --git a/playbooks/groups/copr-frontend.yml b/playbooks/groups/copr-frontend.yml
new file mode 100644
index 000000000..642ca7cf1
--- /dev/null
+++ b/playbooks/groups/copr-frontend.yml
@@ -0,0 +1,27 @@
+- name: check/create instance
+ hosts: copr-front-stg:copr-front
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+
+ tasks:
+ - include: "{{ tasks }}/persistent_cloud.yml"
+ - include: "{{ tasks }}/growroot_cloud.yml"
+
+- name: provision instance
+ #hosts: copr-front:copr-front-stg
+ hosts: copr-front-stg
+ user: root
+ gather_facts: false
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - copr/frontend
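Review bot: This provision play has `gather_facts: false` while its vars_files includes `/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`, which depends on a gathered fact, so the file path cannot be resolved; restore `gather_facts: true` (the deleted copr-front.yml used it) or remove that entry. Only `copr-front-stg` is targeted and the production group is commented out. The old playbook also ran postfix_basic and iptables and installed fail2ban and mod_ssl; if the base and copr/frontend roles are expected to provide those, a one-line comment saying so would help the next reader.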
diff --git a/playbooks/groups/copr-keygen.yml b/playbooks/groups/copr-keygen.yml
new file mode 100644
index 000000000..e2e1cfd9f
--- /dev/null
+++ b/playbooks/groups/copr-keygen.yml
@@ -0,0 +1,25 @@
+- name: check/create instance
+ hosts: copr-front:copr-front-stg
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+
+ tasks:
+ - include: "{{ tasks }}/persistent_cloud.yml"
+ - include: "{{ tasks }}/growroot_cloud.yml"
+
+- name: provision instance
+ hosts: copr-keygen-stg
+ gather_facts: False
+ user: root
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ roles:
+ - base
+ - copr/keygen
+
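Review bot: The check/create play targets `copr-front:copr-front-stg` while the provision play targets `copr-keygen-stg`, so running this playbook re-runs persistent_cloud and growroot against the frontend hosts and never creates the keygen instance; the first play should be `hosts: copr-keygen-stg` (or whatever keygen group is meant). The provision play also sets `gather_facts: False` but lists `{{ ansible_distribution }}.yml` in vars_files, which needs that fact to resolve.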
diff --git a/roles/copr/backend/files/DigiCertCA.crt b/roles/copr/backend/files/DigiCertCA.crt
new file mode 100644
index 000000000..d08b961f2
--- /dev/null
+++ b/roles/copr/backend/files/DigiCertCA.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/roles/copr/backend/files/boto b/roles/copr/backend/files/boto
new file mode 100644
index 000000000..5444b908c
--- /dev/null
+++ b/roles/copr/backend/files/boto
@@ -0,0 +1,2 @@
+[Boto]
+https_validate_certificates = False
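Review bot: `https_validate_certificates = False` disables TLS certificate verification for every boto API call made by the copr user, so the cloud credentials it presents can be captured by anyone able to interpose on the path to the API endpoint. If the endpoint uses a private CA, point boto at that bundle instead, e.g. `ca_certificates_file = /etc/pki/tls/certs/cloud-ca.pem` in the same `[Boto]` section, and set the flag back to `True`. If the override is genuinely needed for a staging endpoint, keep it out of the shared role file and add a comment stating why.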
diff --git a/roles/copr/backend/files/copr_bashrc b/roles/copr/backend/files/copr_bashrc
new file mode 100644
index 000000000..ca46554b1
--- /dev/null
+++ b/roles/copr/backend/files/copr_bashrc
@@ -0,0 +1,10 @@
+# .bashrc
+
+# Source global definitions
+if [ -f /etc/bashrc ]; then
+ . /etc/bashrc
+fi
+
+if [ -f /home/copr/cloud/ec2rc.sh ]; then
+ . /home/copr/cloud/ec2rc.sh
+fi
diff --git a/roles/copr/backend/files/delete-forgotten-instances.cron b/roles/copr/backend/files/delete-forgotten-instances.cron
new file mode 100644
index 000000000..5f4c19175
--- /dev/null
+++ b/roles/copr/backend/files/delete-forgotten-instances.cron
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+source /home/copr/cloud/ec2rc.sh
+/home/copr/delete-forgotten-instances.pl
+
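Review bot: This runs from /etc/cron.daily as root, yet it sources `/home/copr/cloud/ec2rc.sh` and executes `/home/copr/delete-forgotten-instances.pl` from the copr user's home directory; if those files are writable by the copr user (the deleted playbook installed the cloud/ directory with owner=copr), a compromise of the unprivileged copr account becomes root on the backend. Run the job as copr instead, e.g. `su -s /bin/bash -c 'source /home/copr/cloud/ec2rc.sh && exec /home/copr/delete-forgotten-instances.pl' copr`, or install both files under a root-owned path. Adding `set -eu` would also stop the Perl script from being run at all when the credentials file is missing.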
diff --git a/roles/copr/backend/files/delete-forgotten-instances.pl b/roles/copr/backend/files/delete-forgotten-instances.pl
new file mode 100644
index 000000000..8aa5d41f7
--- /dev/null
+++ b/roles/copr/backend/files/delete-forgotten-instances.pl
@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+# this scrip query for all running VM and terminate those
+# which are not currently started by some ansible script
+
+while (chomp($a = qx(ps ax |grep -v 'sh -c ps ax' |grep /home/copr/provision/builderpb.yml | grep -v grep))) {
+ # we are starting some VM and could not determine correct list of running VMs
+ sleep 5;
+}
+
+#print qx(ps ax |grep ' 172.16.3.' |awk '{ print \$33 }');
+@IPs = split('\s+', qx(ps ax |grep ' 172.16.3.' |awk '{ print \$33 }'));
+
+#print "Running instances\n";
+#print join(", ", @IPs), "\n";
+for my $i (@IPs) {
+ $check{$i} = 1;
+}
+
+@instances = split('\n', qx(/bin/euca-describe-instances));
+@TO_DELETE = ();
+for my $i (@instances) {
+ my @COLUMNS = split('\s+', $i);
+ next if $COLUMNS[0] eq 'RESERVATION';
+ #print $COLUMNS[1], ", ", $COLUMNS[15], "\n";
+ push(@TO_DELETE, $COLUMNS[1]) unless $check{$COLUMNS[15]};
+}
+$id_merged = join(" ", @TO_DELETE);
+qx|euca-terminate-instances $id_merged| if ($id_merged);
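Review bot: The script should validate what it parsed before terminating anything: `$COLUMNS[15]` and the `awk '{ print $33 }'` field are hard-coded positional columns, so a change in the euca-describe-instances layout or in how ansible-playbook is invoked yields empty or wrong values, and every instance in the tenant is then queued for termination. A cheap guard is to skip rows where `$COLUMNS[15] !~ /^\d+(\.\d+){3}$/` or `$COLUMNS[1] !~ /^i-/`, and to exit if `@instances` is non-empty but `@IPs` is empty. Since `$id_merged` is interpolated into a shell command via `qx`, the same check also keeps unexpected describe output from reaching the shell. The `ps ax | grep ' 172.16.3.'` pipeline matches any process whose argv contains that prefix, not only builder playbooks, so filtering on builderpb.yml there too would be more precise.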
diff --git a/roles/copr/backend/files/keystonerc b/roles/copr/backend/files/keystonerc
new file mode 100644
index 000000000..1f7737a67
--- /dev/null
+++ b/roles/copr/backend/files/keystonerc
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# With the addition of Keystone, to use an openstack cloud you should
+# authenticate against keystone, which returns a **Token** and **Service
+# Catalog**. The catalog contains the endpoint for all services the
+# user/tenant has access to - including nova, glance, keystone, swift.
+#
+# *NOTE*: Using the 2.0 *auth api* does not mean that compute api is 2.0. We
+# will use the 1.1 *compute api*
+export OS_AUTH_URL=http://172.23.0.2:5000/v2.0
+
+# With the addition of Keystone we have standardized on the term **tenant**
+# as the entity that owns the resources.
+
+export OS_TENANT_ID={{ copr_tenant_id }}
+export OS_TENANT_NAME="copr"
+
+# In addition to the owning entity (tenant), openstack stores the entity
+# performing the action as the **user**.
+export OS_USERNAME=msuchy
+
+# With Keystone you pass the keystone password.
+export OS_PASSWORD={{ copr_nova_password }}
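Review bot: `OS_AUTH_URL=http://172.23.0.2:5000/v2.0` sends `OS_PASSWORD` to keystone in cleartext, and `OS_USERNAME=msuchy` ties the backend's cloud credentials to an individual's account rather than a service account, so the credential must be rotated whenever that person's access changes. Use an https keystone endpoint if the cloud offers one and a dedicated service user; at minimum add a comment above `OS_USERNAME` explaining why a personal account is used. The file also contains Jinja expressions but lives under files/ rather than templates/; that only works if the role deploys it with the template module, which is not visible in this chunk, so worth confirming.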
diff --git a/roles/copr/backend/files/lighttpd/dirlisting.conf b/roles/copr/backend/files/lighttpd/dirlisting.conf
new file mode 100644
index 000000000..ec06ff96d
--- /dev/null
+++ b/roles/copr/backend/files/lighttpd/dirlisting.conf
@@ -0,0 +1,9 @@
+dir-listing.activate = "enable"
+dir-listing.hide-dotfiles = "disable"
+dir-listing.exclude = ( "~$" )
+dir-listing.encoding = "UTF-8"
+dir-listing.hide-header-file = "disable"
+dir-listing.show-header = "disable"
+dir-listing.hide-readme-file = "disable"
+dir-listing.show-readme = "disable"
+
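Review bot: `dir-listing.hide-dotfiles = "disable"` makes every dotfile under the public results tree appear in the generated index pages, and the only exclusion is `~$` backup files. Unless consumers of the repo rely on dotfiles being listed, keep the lighttpd default with `dir-listing.hide-dotfiles = "enable"`; if showing them is intentional, add a comment above the line saying which dotfiles are expected there.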
diff --git a/roles/copr/backend/files/lighttpd/lighttpd.conf b/roles/copr/backend/files/lighttpd/lighttpd.conf
new file mode 100644
index 000000000..177d3d08a
--- /dev/null
+++ b/roles/copr/backend/files/lighttpd/lighttpd.conf
@@ -0,0 +1,455 @@
+#######################################################################
+##
+## /etc/lighttpd/lighttpd.conf
+##
+## check /etc/lighttpd/conf.d/*.conf for the configuration of modules.
+##
+#######################################################################
+
+#######################################################################
+##
+## Some Variable definition which will make chrooting easier.
+##
+## if you add a variable here. Add the corresponding variable in the
+## chroot example aswell.
+##
+var.log_root = "/var/log/lighttpd"
+var.server_root = "/var/www"
+var.state_dir = "/var/run"
+var.home_dir = "/var/lib/lighttpd"
+var.conf_dir = "/etc/lighttpd"
+
+##
+## run the server chrooted.
+##
+## This requires root permissions during startup.
+##
+## If you run Chrooted set the the variables to directories relative to
+## the chroot dir.
+##
+## example chroot configuration:
+##
+#var.log_root = "/logs"
+#var.server_root = "/"
+#var.state_dir = "/run"
+#var.home_dir = "/lib/lighttpd"
+#var.vhosts_dir = "/vhosts"
+#var.conf_dir = "/etc"
+#
+#server.chroot = "/srv/www"
+
+##
+## Some additional variables to make the configuration easier
+##
+
+##
+## Base directory for all virtual hosts
+##
+## used in:
+## conf.d/evhost.conf
+## conf.d/simple_vhost.conf
+## vhosts.d/vhosts.template
+##
+var.vhosts_dir = server_root + "/vhosts"
+
+##
+## Cache for mod_compress
+##
+## used in:
+## conf.d/compress.conf
+##
+var.cache_dir = "/var/cache/lighttpd"
+
+##
+## Base directory for sockets.
+##
+## used in:
+## conf.d/fastcgi.conf
+## conf.d/scgi.conf
+##
+var.socket_dir = home_dir + "/sockets"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Load the modules.
+include "modules.conf"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Basic Configuration
+## ---------------------
+##
+server.port = 80
+
+##
+## Use IPv6?
+##
+server.use-ipv6 = "disable"
+
+##
+## bind to a specific IP
+##
+#server.bind = "localhost"
+
+##
+## Run as a different username/groupname.
+## This requires root permissions during startup.
+##
+server.username = "lighttpd"
+server.groupname = "lighttpd"
+
+##
+## enable core files.
+##
+#server.core-files = "disable"
+
+##
+## Document root
+##
+server.document-root = "/var/lib/copr/public_html"
+
+##
+## The value for the "Server:" response field.
+##
+## It would be nice to keep it at "lighttpd".
+##
+#server.tag = "lighttpd"
+
+##
+## store a pid file
+##
+server.pid-file = state_dir + "/lighttpd.pid"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Logging Options
+## ------------------
+##
+## all logging options can be overwritten per vhost.
+##
+## Path to the error log file
+##
+server.errorlog = log_root + "/error.log"
+
+##
+## If you want to log to syslog you have to unset the
+## server.errorlog setting and uncomment the next line.
+##
+#server.errorlog-use-syslog = "enable"
+
+##
+## Access log config
+##
+include "conf.d/access_log.conf"
+
+##
+## The debug options are moved into their own file.
+## see conf.d/debug.conf for various options for request debugging.
+##
+include "conf.d/debug.conf"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Tuning/Performance
+## --------------------
+##
+## corresponding documentation:
+## http://www.lighttpd.net/documentation/performance.html
+##
+## set the event-handler (read the performance section in the manual)
+##
+## possible options on linux are:
+##
+## select
+## poll
+## linux-sysepoll
+##
+## linux-sysepoll is recommended on kernel 2.6.
+##
+server.event-handler = "linux-sysepoll"
+
+##
+## The basic network interface for all platforms at the syscalls read()
+## and write(). Every modern OS provides its own syscall to help network
+## servers transfer files as fast as possible
+##
+## linux-sendfile - is recommended for small files.
+## writev - is recommended for sending many large files
+##
+server.network-backend = "linux-sendfile"
+
+##
+## As lighttpd is a single-threaded server, its main resource limit is
+## the number of file descriptors, which is set to 1024 by default (on
+## most systems).
+##
+## If you are running a high-traffic site you might want to increase this
+## limit by setting server.max-fds.
+##
+## Changing this setting requires root permissions on startup. see
+## server.username/server.groupname.
+##
+## By default lighttpd would not change the operation system default.
+## But setting it to 2048 is a better default for busy servers.
+##
+## With SELinux enabled, this is denied by default and needs to be allowed
+## by running the following once : setsebool -P httpd_setrlimit on
+#server.max-fds = 2048
+
+##
+## Stat() call caching.
+##
+## lighttpd can utilize FAM/Gamin to cache stat call.
+##
+## possible values are:
+## disable, simple or fam.
+##
+server.stat-cache-engine = "simple"
+
+##
+## Fine tuning for the request handling
+##
+## max-connections == max-fds/2 (maybe /3)
+## means the other file handles are used for fastcgi/files
+##
+server.max-connections = 1024
+
+##
+## How many seconds to keep a keep-alive connection open,
+## until we consider it idle.
+##
+## Default: 5
+##
+#server.max-keep-alive-idle = 5
+
+##
+## How many keep-alive requests until closing the connection.
+##
+## Default: 16
+##
+#server.max-keep-alive-requests = 16
+
+##
+## Maximum size of a request in kilobytes.
+## By default it is unlimited (0).
+##
+## Uploads to your server cant be larger than this value.
+##
+#server.max-request-size = 0
+
+##
+## Time to read from a socket before we consider it idle.
+##
+## Default: 60
+##
+#server.max-read-idle = 60
+
+##
+## Time to write to a socket before we consider it idle.
+##
+## Default: 360
+##
+#server.max-write-idle = 360
+
+##
+## Traffic Shaping
+## -----------------
+##
+## see /usr/share/doc/lighttpd/traffic-shaping.txt
+##
+## Values are in kilobyte per second.
+##
+## Keep in mind that a limit below 32kB/s might actually limit the
+## traffic to 32kB/s. This is caused by the size of the TCP send
+## buffer.
+##
+## per server:
+##
+#server.kbytes-per-second = 128
+
+##
+## per connection:
+##
+#connection.kbytes-per-second = 32
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Filename/File handling
+## ------------------------
+
+##
+## files to check for if .../ is requested
+## index-file.names = ( "index.php", "index.rb", "index.html",
+## "index.htm", "default.htm" )
+##
+index-file.names += (
+ "index.xhtml", "index.html", "index.htm", "default.htm", "index.php"
+)
+
+##
+## deny access the file-extensions
+##
+## ~ is for backupfiles from vi, emacs, joe, ...
+## .inc is often used for code includes which should in general not be part
+## of the document-root
+url.access-deny = ( "~", ".inc" )
+
+##
+## disable range requests for pdf files
+## workaround for a bug in the Acrobat Reader plugin.
+##
+$HTTP["url"] =~ "\.pdf$" {
+ server.range-requests = "disable"
+}
+
+##
+## url handling modules (rewrite, redirect)
+##
+#url.rewrite = ( "^/$" => "/server-status" )
+#url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" )
+
+##
+## both rewrite/redirect support back reference to regex conditional using %n
+##
+#$HTTP["host"] =~ "^www\.(.*)" {
+# url.redirect = ( "^/(.*)" => "http://%1/$1" )
+#}
+
+##
+## which extensions should not be handle via static-file transfer
+##
+## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
+##
+static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" )
+
+##
+## error-handler for status 404
+##
+#server.error-handler-404 = "/error-handler.html"
+#server.error-handler-404 = "/error-handler.php"
+
+##
+## Format: <errorfile-prefix><status-code>.html
+## -> ..../status-404.html for 'File not found'
+##
+#server.errorfile-prefix = "/srv/www/htdocs/errors/status-"
+
+##
+## mimetype mapping
+##
+include "conf.d/mime.conf"
+
+##
+## directory listing configuration
+##
+include "conf.d/dirlisting.conf"
+
+##
+## Should lighttpd follow symlinks?
+##
+server.follow-symlink = "enable"
+
+##
+## force all filenames to be lowercase?
+##
+#server.force-lowercase-filenames = "disable"
+
+##
+## defaults to /var/tmp as we assume it is a local harddisk
+##
+server.upload-dirs = ( "/var/tmp" )
+
+##
+#######################################################################
+
+
+#######################################################################
+##
+## SSL Support
+## -------------
+##
+## To enable SSL for the whole server you have to provide a valid
+## certificate and have to enable the SSL engine.::
+##
+## ssl.engine = "enable"
+## ssl.pemfile = "/path/to/server.pem"
+##
+## The HTTPS protocol does not allow you to use name-based virtual
+## hosting with SSL. If you want to run multiple SSL servers with
+## one lighttpd instance you must use IP-based virtual hosting: ::
+##
+## $SERVER["socket"] == "10.0.0.1:443" {
+## ssl.engine = "enable"
+## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
+## #
+## # Mitigate BEAST attack:
+## #
+## # A stricter base cipher suite. For details see:
+## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
+## #
+## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+## #
+## # Make the server prefer the order of the server side cipher suite instead of the client suite.
+## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
+## # This option is enabled by default, but only used if ssl.cipher-list is set.
+## #
+## # ssl.honor-cipher-order = "enable"
+## #
+## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
+## # This is enabled by default.
+## #
+## # ssl.disable-client-renegotiation = "enable"
+## #
+## server.name = "www.example.com"
+##
+## server.document-root = "/srv/www/vhosts/example.com/www/"
+## }
+##
+
+## If you have a .crt and a .key file, cat them together into a
+## single PEM file:
+## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \
+## > /etc/ssl/private/lighttpd.pem
+##
+#ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
+
+##
+## optionally pass the CA certificate here.
+##
+##
+#ssl.ca-file = ""
+
+##
+#######################################################################
+
+#######################################################################
+##
+## custom includes like vhosts.
+##
+#include "conf.d/config.conf"
+#include_shell "cat /etc/lighttpd/vhosts.d/*.conf"
+##
+#######################################################################
+
+$SERVER["socket"] == ":443" {
+ ssl.engine = "enable"
+ ssl.pemfile = "/etc/lighttpd/copr-be.fedoraproject.org.pem"
+ ssl.ca-file = "/etc/lighttpd/DigiCertCA.crt"
+ ssl.disable-client-renegotiation = "enable"
+ ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+}
diff --git a/roles/copr/backend/files/lighttpd/lighttpd_dev.conf b/roles/copr/backend/files/lighttpd/lighttpd_dev.conf
new file mode 100644
index 000000000..a6b07a4b2
--- /dev/null
+++ b/roles/copr/backend/files/lighttpd/lighttpd_dev.conf
@@ -0,0 +1,455 @@
+#######################################################################
+##
+## /etc/lighttpd/lighttpd.conf
+##
+## check /etc/lighttpd/conf.d/*.conf for the configuration of modules.
+##
+#######################################################################
+
+#######################################################################
+##
+## Some Variable definition which will make chrooting easier.
+##
+## if you add a variable here. Add the corresponding variable in the
+## chroot example aswell.
+##
+var.log_root = "/var/log/lighttpd"
+var.server_root = "/var/www"
+var.state_dir = "/var/run"
+var.home_dir = "/var/lib/lighttpd"
+var.conf_dir = "/etc/lighttpd"
+
+##
+## run the server chrooted.
+##
+## This requires root permissions during startup.
+##
+## If you run Chrooted set the the variables to directories relative to
+## the chroot dir.
+##
+## example chroot configuration:
+##
+#var.log_root = "/logs"
+#var.server_root = "/"
+#var.state_dir = "/run"
+#var.home_dir = "/lib/lighttpd"
+#var.vhosts_dir = "/vhosts"
+#var.conf_dir = "/etc"
+#
+#server.chroot = "/srv/www"
+
+##
+## Some additional variables to make the configuration easier
+##
+
+##
+## Base directory for all virtual hosts
+##
+## used in:
+## conf.d/evhost.conf
+## conf.d/simple_vhost.conf
+## vhosts.d/vhosts.template
+##
+var.vhosts_dir = server_root + "/vhosts"
+
+##
+## Cache for mod_compress
+##
+## used in:
+## conf.d/compress.conf
+##
+var.cache_dir = "/var/cache/lighttpd"
+
+##
+## Base directory for sockets.
+##
+## used in:
+## conf.d/fastcgi.conf
+## conf.d/scgi.conf
+##
+var.socket_dir = home_dir + "/sockets"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Load the modules.
+include "modules.conf"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Basic Configuration
+## ---------------------
+##
+server.port = 80
+
+##
+## Use IPv6?
+##
+server.use-ipv6 = "disable"
+
+##
+## bind to a specific IP
+##
+#server.bind = "localhost"
+
+##
+## Run as a different username/groupname.
+## This requires root permissions during startup.
+##
+server.username = "lighttpd"
+server.groupname = "lighttpd"
+
+##
+## enable core files.
+##
+#server.core-files = "disable"
+
+##
+## Document root
+##
+server.document-root = "/var/lib/copr/public_html"
+
+##
+## The value for the "Server:" response field.
+##
+## It would be nice to keep it at "lighttpd".
+##
+#server.tag = "lighttpd"
+
+##
+## store a pid file
+##
+server.pid-file = state_dir + "/lighttpd.pid"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Logging Options
+## ------------------
+##
+## all logging options can be overwritten per vhost.
+##
+## Path to the error log file
+##
+server.errorlog = log_root + "/error.log"
+
+##
+## If you want to log to syslog you have to unset the
+## server.errorlog setting and uncomment the next line.
+##
+#server.errorlog-use-syslog = "enable"
+
+##
+## Access log config
+##
+include "conf.d/access_log.conf"
+
+##
+## The debug options are moved into their own file.
+## see conf.d/debug.conf for various options for request debugging.
+##
+include "conf.d/debug.conf"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Tuning/Performance
+## --------------------
+##
+## corresponding documentation:
+## http://www.lighttpd.net/documentation/performance.html
+##
+## set the event-handler (read the performance section in the manual)
+##
+## possible options on linux are:
+##
+## select
+## poll
+## linux-sysepoll
+##
+## linux-sysepoll is recommended on kernel 2.6.
+##
+server.event-handler = "linux-sysepoll"
+
+##
+## The basic network interface for all platforms at the syscalls read()
+## and write(). Every modern OS provides its own syscall to help network
+## servers transfer files as fast as possible
+##
+## linux-sendfile - is recommended for small files.
+## writev - is recommended for sending many large files
+##
+server.network-backend = "linux-sendfile"
+
+##
+## As lighttpd is a single-threaded server, its main resource limit is
+## the number of file descriptors, which is set to 1024 by default (on
+## most systems).
+##
+## If you are running a high-traffic site you might want to increase this
+## limit by setting server.max-fds.
+##
+## Changing this setting requires root permissions on startup. see
+## server.username/server.groupname.
+##
+## By default lighttpd would not change the operation system default.
+## But setting it to 2048 is a better default for busy servers.
+##
+## With SELinux enabled, this is denied by default and needs to be allowed
+## by running the following once : setsebool -P httpd_setrlimit on
+#server.max-fds = 2048
+
+##
+## Stat() call caching.
+##
+## lighttpd can utilize FAM/Gamin to cache stat call.
+##
+## possible values are:
+## disable, simple or fam.
+##
+server.stat-cache-engine = "simple"
+
+##
+## Fine tuning for the request handling
+##
+## max-connections == max-fds/2 (maybe /3)
+## means the other file handles are used for fastcgi/files
+##
+server.max-connections = 1024
+
+##
+## How many seconds to keep a keep-alive connection open,
+## until we consider it idle.
+##
+## Default: 5
+##
+#server.max-keep-alive-idle = 5
+
+##
+## How many keep-alive requests until closing the connection.
+##
+## Default: 16
+##
+#server.max-keep-alive-requests = 16
+
+##
+## Maximum size of a request in kilobytes.
+## By default it is unlimited (0).
+##
+## Uploads to your server cant be larger than this value.
+##
+#server.max-request-size = 0
+
+##
+## Time to read from a socket before we consider it idle.
+##
+## Default: 60
+##
+#server.max-read-idle = 60
+
+##
+## Time to write to a socket before we consider it idle.
+##
+## Default: 360
+##
+#server.max-write-idle = 360
+
+##
+## Traffic Shaping
+## -----------------
+##
+## see /usr/share/doc/lighttpd/traffic-shaping.txt
+##
+## Values are in kilobyte per second.
+##
+## Keep in mind that a limit below 32kB/s might actually limit the
+## traffic to 32kB/s. This is caused by the size of the TCP send
+## buffer.
+##
+## per server:
+##
+#server.kbytes-per-second = 128
+
+##
+## per connection:
+##
+#connection.kbytes-per-second = 32
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Filename/File handling
+## ------------------------
+
+##
+## files to check for if .../ is requested
+## index-file.names = ( "index.php", "index.rb", "index.html",
+## "index.htm", "default.htm" )
+##
+index-file.names += (
+ "index.xhtml", "index.html", "index.htm", "default.htm", "index.php"
+)
+
+##
+## deny access the file-extensions
+##
+## ~ is for backupfiles from vi, emacs, joe, ...
+## .inc is often used for code includes which should in general not be part
+## of the document-root
+url.access-deny = ( "~", ".inc" )
+
+##
+## disable range requests for pdf files
+## workaround for a bug in the Acrobat Reader plugin.
+##
+$HTTP["url"] =~ "\.pdf$" {
+ server.range-requests = "disable"
+}
+
+##
+## url handling modules (rewrite, redirect)
+##
+#url.rewrite = ( "^/$" => "/server-status" )
+#url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" )
+
+##
+## both rewrite/redirect support back reference to regex conditional using %n
+##
+#$HTTP["host"] =~ "^www\.(.*)" {
+# url.redirect = ( "^/(.*)" => "http://%1/$1" )
+#}
+
+##
+## which extensions should not be handle via static-file transfer
+##
+## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
+##
+static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" )
+
+##
+## error-handler for status 404
+##
+#server.error-handler-404 = "/error-handler.html"
+#server.error-handler-404 = "/error-handler.php"
+
+##
+## Format: <errorfile-prefix><status-code>.html
+## -> ..../status-404.html for 'File not found'
+##
+#server.errorfile-prefix = "/srv/www/htdocs/errors/status-"
+
+##
+## mimetype mapping
+##
+include "conf.d/mime.conf"
+
+##
+## directory listing configuration
+##
+include "conf.d/dirlisting.conf"
+
+##
+## Should lighttpd follow symlinks?
+##
+server.follow-symlink = "enable"
+
+##
+## force all filenames to be lowercase?
+##
+#server.force-lowercase-filenames = "disable"
+
+##
+## defaults to /var/tmp as we assume it is a local harddisk
+##
+server.upload-dirs = ( "/var/tmp" )
+
+##
+#######################################################################
+
+
+#######################################################################
+##
+## SSL Support
+## -------------
+##
+## To enable SSL for the whole server you have to provide a valid
+## certificate and have to enable the SSL engine.::
+##
+## ssl.engine = "enable"
+## ssl.pemfile = "/path/to/server.pem"
+##
+## The HTTPS protocol does not allow you to use name-based virtual
+## hosting with SSL. If you want to run multiple SSL servers with
+## one lighttpd instance you must use IP-based virtual hosting: ::
+##
+## $SERVER["socket"] == "10.0.0.1:443" {
+## ssl.engine = "enable"
+## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
+## #
+## # Mitigate BEAST attack:
+## #
+## # A stricter base cipher suite. For details see:
+## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
+## #
+## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+## #
+## # Make the server prefer the order of the server side cipher suite instead of the client suite.
+## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
+## # This option is enabled by default, but only used if ssl.cipher-list is set.
+## #
+## # ssl.honor-cipher-order = "enable"
+## #
+## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
+## # This is enabled by default.
+## #
+## # ssl.disable-client-renegotiation = "enable"
+## #
+## server.name = "www.example.com"
+##
+## server.document-root = "/srv/www/vhosts/example.com/www/"
+## }
+##
+
+## If you have a .crt and a .key file, cat them together into a
+## single PEM file:
+## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \
+## > /etc/ssl/private/lighttpd.pem
+##
+#ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
+
+##
+## optionally pass the CA certificate here.
+##
+##
+#ssl.ca-file = ""
+
+##
+#######################################################################
+
+#######################################################################
+##
+## custom includes like vhosts.
+##
+#include "conf.d/config.conf"
+include_shell "cat /etc/lighttpd/vhosts.d/*.conf"
+##
+#######################################################################
+
+#$SERVER["socket"] == ":443" {
+# ssl.engine = "enable"
+# ssl.pemfile = "/etc/lighttpd/copr-be.fedoraproject.org.pem"
+# ssl.ca-file = "/etc/lighttpd/DigiCertCA.crt"
+# ssl.disable-client-renegotiation = "enable"
+# ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+#}
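Review bot: The visible part of this file matches the production lighttpd.conf line for line except for the `include_shell "cat /etc/lighttpd/vhosts.d/*.conf"` line being uncommented and the `$SERVER["socket"] == ":443"` block at the end being commented out, so every future tuning change has to be made in two 455-line files. A single Jinja template in the role, rendered with `template:` and a variable that toggles the SSL block and the vhosts include, would remove the duplication. The commented-out cipher list here still carries `RC4-SHA:RC4` exactly as the active production one does; if the block is ever re-enabled for dev, that string should be reviewed together with the production copy rather than pasted back as-is. `include_shell` runs a shell command at config load, so a comment noting that `/etc/lighttpd/vhosts.d/` must be writable only by root would make the trust boundary explicit.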
diff --git a/roles/copr/backend/files/lighttpd/mime.conf b/roles/copr/backend/files/lighttpd/mime.conf
new file mode 100644
index 000000000..a3101edce
--- /dev/null
+++ b/roles/copr/backend/files/lighttpd/mime.conf
@@ -0,0 +1,77 @@
+#######################################################################
+##
+## MimeType handling
+## -------------------
+##
+## http://www.lighttpd.net/documentation/configuration.html#mimetypes
+##
+## Use the "Content-Type" extended attribute to obtain mime type if
+## possible
+##
+mimetype.use-xattr = "disable"
+
+##
+## mimetype mapping
+##
+mimetype.assign = (
+ ".pdf" => "application/pdf",
+ ".sig" => "application/pgp-signature",
+ ".spl" => "application/futuresplash",
+ ".class" => "application/octet-stream",
+ ".ps" => "application/postscript",
+ ".torrent" => "application/x-bittorrent",
+ ".dvi" => "application/x-dvi",
+ ".gz" => "application/x-gzip",
+ ".pac" => "application/x-ns-proxy-autoconfig",
+ ".swf" => "application/x-shockwave-flash",
+ ".tar.gz" => "application/x-tgz",
+ ".tgz" => "application/x-tgz",
+ ".tar" => "application/x-tar",
+ ".zip" => "application/zip",
+ ".mp3" => "audio/mpeg",
+ ".m3u" => "audio/x-mpegurl",
+ ".wma" => "audio/x-ms-wma",
+ ".wax" => "audio/x-ms-wax",
+ ".ogg" => "application/ogg",
+ ".wav" => "audio/x-wav",
+ ".gif" => "image/gif",
+ ".jpg" => "image/jpeg",
+ ".jpeg" => "image/jpeg",
+ ".png" => "image/png",
+ ".xbm" => "image/x-xbitmap",
+ ".xpm" => "image/x-xpixmap",
+ ".xwd" => "image/x-xwindowdump",
+ ".css" => "text/css",
+ ".html" => "text/html",
+ ".htm" => "text/html",
+ ".js" => "text/javascript",
+ ".asc" => "text/plain",
+ ".c" => "text/plain",
+ ".cpp" => "text/plain",
+ ".log" => "text/plain",
+ ".conf" => "text/plain",
+ ".text" => "text/plain",
+ ".txt" => "text/plain",
+ ".spec" => "text/plain",
+ ".dtd" => "text/xml",
+ ".xml" => "text/xml",
+ ".mpeg" => "video/mpeg",
+ ".mpg" => "video/mpeg",
+ ".mov" => "video/quicktime",
+ ".qt" => "video/quicktime",
+ ".avi" => "video/x-msvideo",
+ ".asf" => "video/x-ms-asf",
+ ".asx" => "video/x-ms-asf",
+ ".wmv" => "video/x-ms-wmv",
+ ".bz2" => "application/x-bzip",
+ ".tbz" => "application/x-bzip-compressed-tar",
+ ".tar.bz2" => "application/x-bzip-compressed-tar",
+ ".rpm" => "application/x-rpm",
+ # make the default mime type application/octet-stream.
+ "" => "text/plain",
+ )
+
+
+#
+#######################################################################
+
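Review bot: The comment above the catch-all entry says the default MIME type is application/octet-stream, but the value assigned is `"" => "text/plain"`, so the comment and the configuration disagree. For a host that serves build results and other untyped files, the octet-stream default the comment describes is the safer choice because browsers download unknown content instead of trying to render it, so the line should read `"" => "application/octet-stream",`. If text/plain is intentional (for example to make unlabeled build logs readable in a browser), the comment should be changed to say so.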
diff --git a/roles/copr/backend/files/provision/ansible.cfg b/roles/copr/backend/files/provision/ansible.cfg
new file mode 100644
index 000000000..6b8c6b8f5
--- /dev/null
+++ b/roles/copr/backend/files/provision/ansible.cfg
@@ -0,0 +1,93 @@
+# config file for ansible -- http://ansible.github.com
+# nearly all parameters can be overridden in ansible-playbook or with command line flags
+# ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first
+
+[defaults]
+
+# location of inventory file, eliminates need to specify -i
+
+hostfile = /home/copr/provision/inventory
+
+# location of ansible library, eliminates need to specify --module-path
+
+library = /home/copr/provision/library:/usr/share/ansible
+
+# default module name used in /usr/bin/ansible when -m is not specified
+
+module_name = command
+
+# home directory where temp files are stored on remote systems. Should
+# almost always contain $HOME or be a directory writeable by all users
+
+remote_tmp = $HOME/.ansible/tmp
+
+# the default pattern for ansible-playbooks ("hosts:")
+
+pattern = *
+
+# the default number of forks (parallelism) to be used. Usually you
+# can crank this up.
+
+forks=25
+
+# the timeout used by various connection types. Usually this corresponds
+# to an SSH timeout
+
+timeout=10
+
+# when using --poll or "poll:" in an ansible playbook, and not specifying
+# an explicit poll interval, use this interval
+
+poll_interval=15
+
+# when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook,
+# and not specifying "--sudo-user" or "sudo_user" respectively, sudo
+# to this user account
+
+sudo_user=root
+
+# connection to use when -c <connection_type> is not specified
+
+#transport=paramiko
+transport=ssh
+
+# this is needed for paramiko, ssh already have this said in .ssh/config
+host_key_checking = False
+
+# remote SSH port to be used when --port or "port:" or an equivalent inventory
+# variable is not specified.
+
+remote_port=22
+
+# if set, always run /usr/bin/ansible commands as this user, and assume this value
+# if "user:" is not set in a playbook. If not set, use the current Unix user
+# as the default
+
+remote_user=root
+
+# if set, always use this private key file for authentication, same as if passing
+# --private-key-file to ansible or ansible-playbook
+
+#private_key_file=/path/to/file
+
+
+# additional plugin paths for non-core plugins
+
+action_plugins = /usr/lib/python2.7/site-packages/ansible/runner/action_plugins:/home/copr/provision/action_plugins/
+
+private_key_file=/home/copr/.ssh/id_rsa
+
+[paramiko_connection]
+record_host_keys=False
+
+# nothing to configure yet
+
+[ssh_connection]
+
+# if uncommented, sets the ansible ssh arguments to the following. Leaving off ControlPersist
+# will result in poor performance, so use transport=paramiko on older platforms rather than
+# removing it
+
+ssh_args=-o PasswordAuthentication=no -o ControlMaster=auto -o ControlPersist=60s
+
+
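Review bot: `host_key_checking = False` together with `record_host_keys=False` disables SSH host-key verification for every host this provisioning config reaches, and the `ssh_args` line adds no host-key option either, so verification rests entirely on the `.ssh/config` the comment refers to, which is not part of this commit. If this is deliberate, presumably because builder instances are created on demand and have unknown keys, the comment should say that rather than only mentioning paramiko, e.g. `# builders are created on demand with fresh host keys; checking is disabled on purpose`. `private_key_file` appears twice, commented near the middle of the section and set at the end; keeping only the live assignment avoids doubt about which one applies. The `action_plugins` path hard-codes `python2.7`, which will silently stop matching when the interpreter on the backend changes.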
diff --git a/roles/copr/backend/files/provision/files/builder.repo b/roles/copr/backend/files/provision/files/builder.repo
new file mode 100644
index 000000000..f90e90942
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/builder.repo
@@ -0,0 +1,23 @@
+[builder-infrastructure]
+name=Builder Packages from Fedora Infrastructure $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/builder-rpms/$releasever/$basearch/
+enabled=1
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
+
+[msuchy-Mock]
+name=Copr repo for Mock owned by msuchy
+description=Mock for RHEL6 with patch from https://bugzilla.redhat.com/show_bug.cgi?id=1028438 and https://bugzilla.redhat.com/show_bug.cgi?id=1034805
+baseurl=http://172.16.5.4/results/msuchy/Mock/epel-6-$basearch/
+skip_if_unavailable=True
+gpgcheck=0
+enabled=1
+
+[msuchy-scl-utils]
+name=Copr repo for scl-utils owned by msuchy
+description=scl-utils with patch from https://bugzilla.redhat.com/show_bug.cgi?id=985233
+baseurl=http://172.16.5.4/results/msuchy/scl-utils/epel-6-$basearch/
+skip_if_unavailable=True
+gpgcheck=0
+enabled=1
+
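Review bot: Both `msuchy-*` sections set `gpgcheck=0` and pull from a plain-HTTP internal address (`http://172.16.5.4/...`), so the patched mock and scl-utils packages are installed on builders with no integrity check, while the `builder-infrastructure` section above does verify signatures. If those packages cannot be signed, a comment stating that the exception is intentional would keep it from being read as an oversight; otherwise `gpgcheck=1` with a matching `gpgkey=` for that repo closes the gap. `description=` is not a standard yum repo option, so it may be ignored or warned about; the bug links it carries would be safer in a `#` comment above the section.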
diff --git a/roles/copr/backend/files/provision/files/buildsys.pub b/roles/copr/backend/files/provision/files/buildsys.pub
new file mode 100644
index 000000000..10790ee92
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/buildsys.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeTO0ddXuhDZYM9HyM0a47aeV2yIVWhTpddrQ7/RAIs99XyrsicQLABzmdMBfiZnP0FnHBF/e+2xEkT8hHJpX6bX81jjvs2bb8KP18Nh8vaXI3QospWrRygpu1tjzqZT0Llh4ZVFscum8TrMw4VWXclzdDw6x7csCBjSttqq8F3iTJtQ9XM9/5tCAAOzGBKJrsGKV1CNIrfUo5CSzY+IUVIr8XJ93IB2ZQVASK34T/49egmrWlNB32fqAbDMC+XNmobgn6gO33Yq5Ly7Dk4kqTUx2TEaqDkZfhsVu0YcwV81bmqsltRvpj6bIXrEoMeav7nbuqKcPLTxWEY/2icePF
diff --git a/roles/copr/backend/files/provision/files/epel6.repo b/roles/copr/backend/files/provision/files/epel6.repo
new file mode 100644
index 000000000..d195e79ea
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/epel6.repo
@@ -0,0 +1,13 @@
+[epel]
+name=Extras Packages for Enterprise Linux $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/6/$basearch/
+enabled=1
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6
+
+[epel-testing]
+name=Extras Packages for Enterprise Linux $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/testing/6/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6
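Review bot: `[epel-testing]` reuses the exact `name=` string of `[epel]`, so yum output and logs will show two repos with the same label; `name=Extras Packages for Enterprise Linux $releasever - $basearch - Testing` distinguishes them. The `name` lines use `$releasever` while both `baseurl`s hard-code `6`; that works as long as this file is only ever dropped on EL6 builders, but writing the same thing in both places keeps them consistent. The `gpgkey` is fetched over plain HTTP on first use, so the signature check bootstraps from an unauthenticated download; shipping the key file with the role and pointing `gpgkey=` at a local path would remove that dependency.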
diff --git a/roles/copr/backend/files/provision/files/mock/epel-5-i386.cfg b/roles/copr/backend/files/provision/files/mock/epel-5-i386.cfg
new file mode 100644
index 000000000..bd55bbcb5
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/mock/epel-5-i386.cfg
@@ -0,0 +1,60 @@
+config_opts['root'] = 'epel-5-i386'
+config_opts['target_arch'] = 'i386'
+config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
+config_opts['chroot_setup_cmd'] = 'install buildsys-build'
+config_opts['dist'] = 'el5' # only useful for --resultdir variable subst
+if not config_opts.has_key('macros'): config_opts['macros'] = {}
+config_opts['macros']['%__arch_install_post'] = '%{nil}'
+config_opts['macros']['%rhel'] = '5'
+config_opts['macros']['%dist'] = '.el5'
+config_opts['macros']['%el5'] = '1'
+config_opts['releasever'] = '5'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+logfile=/var/log/yum.log
+reposdir=/dev/null
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[core]
+name=base
+mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=os
+
+[update]
+name=updates
+mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=updates
+
+[groups]
+name=groups
+baseurl=http://buildsys.fedoraproject.org/buildgroups/rhel5/i386/
+
+[extras]
+name=epel
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=i386
+
+[testing]
+name=epel-testing
+enabled=0
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=i386
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/dist-5E-epel-build/latest/i386/
+cost=2000
+enabled=0
+
+[epel-debug]
+name=epel-debug
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=i386
+failovermethod=priority
+enabled=0
+"""
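Review bot: `gpgcheck=0` in the `[main]` section of the embedded yum.conf means nothing installed into the build chroot is signature-checked, and every `mirrorlist`/`baseurl` in the file is plain `http://`, so the chroot contents depend entirely on the network path to the mirrors. The same applies to epel-5-x86_64.cfg, epel-7-x86_64.cfg, fedora-20-i386.cfg and fedora-20-x86_64.cfg in this commit. If this mirrors the upstream mock defaults on purpose, a one-line comment above `config_opts['yum.conf']` saying so would stop the next reader from treating it as an oversight; otherwise `gpgcheck=1` plus a `gpgkey=` per repo is the fix. `config_opts.has_key('macros')` is Python 2-only; `if 'macros' not in config_opts:` behaves the same and also works on Python 3.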
diff --git a/roles/copr/backend/files/provision/files/mock/epel-5-x86_64.cfg b/roles/copr/backend/files/provision/files/mock/epel-5-x86_64.cfg
new file mode 100644
index 000000000..31351d53c
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/mock/epel-5-x86_64.cfg
@@ -0,0 +1,60 @@
+config_opts['root'] = 'epel-5-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['chroot_setup_cmd'] = 'install buildsys-build'
+config_opts['dist'] = 'el5' # only useful for --resultdir variable subst
+if not config_opts.has_key('macros'): config_opts['macros'] = {}
+config_opts['macros']['%__arch_install_post'] = '%{nil}'
+config_opts['macros']['%rhel'] = '5'
+config_opts['macros']['%dist'] = '.el5'
+config_opts['macros']['%el5'] = '1'
+config_opts['releasever'] = '5'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+logfile=/var/log/yum.log
+reposdir=/dev/null
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[core]
+name=base
+mirrorlist=http://mirrorlist.centos.org/?release=5&arch=x86_64&repo=os
+
+[update]
+name=updates
+mirrorlist=http://mirrorlist.centos.org/?release=5&arch=x86_64&repo=updates
+
+[groups]
+name=groups
+baseurl=http://buildsys.fedoraproject.org/buildgroups/rhel5/x86_64/
+
+[extras]
+name=epel
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=x86_64
+
+[testing]
+name=epel-testing
+enabled=0
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=x86_64
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/dist-5E-epel-build/latest/x86_64/
+cost=2000
+enabled=0
+
+[epel-debug]
+name=epel-debug
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=x86_64
+failovermethod=priority
+enabled=0
+"""
diff --git a/roles/copr/backend/files/provision/files/mock/epel-7-x86_64.cfg b/roles/copr/backend/files/provision/files/mock/epel-7-x86_64.cfg
new file mode 100644
index 000000000..0e04cb34e
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/mock/epel-7-x86_64.cfg
@@ -0,0 +1,60 @@
+config_opts['root'] = 'epel-7-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
+config_opts['dist'] = 'el7' # only useful for --resultdir variable subst
+config_opts['releasever'] = '7'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+[base]
+name=BaseOS
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os
+failovermethod=priority
+
+[updates]
+name=updates
+enabled=1
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=updates
+failovermethod=priority
+
+[epel]
+name=epel
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-7&arch=x86_64
+failovermethod=priority
+
+[extras]
+name=extras
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=extras
+failovermethod=priority
+
+[testing]
+name=epel-testing
+enabled=0
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel7&arch=x86_64
+failovermethod=priority
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/epel7-build/latest/x86_64/
+cost=2000
+enabled=0
+
+[epel-debug]
+name=epel-debug
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-7&arch=x86_64
+failovermethod=priority
+enabled=0
+"""
diff --git a/roles/copr/backend/files/provision/files/mock/fedora-20-i386.cfg b/roles/copr/backend/files/provision/files/mock/fedora-20-i386.cfg
new file mode 100644
index 000000000..fde3c2754
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/mock/fedora-20-i386.cfg
@@ -0,0 +1,62 @@
+config_opts['root'] = 'fedora-20-i386'
+config_opts['target_arch'] = 'i686'
+config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst
+config_opts['releasever'] = '20'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=i386
+failovermethod=priority
+
+[updates]
+name=updates
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=i386
+failovermethod=priority
+
+[updates-testing]
+name=updates-testing
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f20&arch=i386
+failovermethod=priority
+enabled=0
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/f20-build/latest/i386/
+cost=2000
+enabled=0
+
+[fedora-debuginfo]
+name=fedora-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-20&arch=i386
+failovermethod=priority
+enabled=0
+
+[updates-debuginfo]
+name=updates-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f20&arch=i386
+failovermethod=priority
+enabled=0
+
+[updates-testing-debuginfo]
+name=updates-testing-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f20&arch=i386
+failovermethod=priority
+enabled=0
+"""
diff --git a/roles/copr/backend/files/provision/files/mock/fedora-20-x86_64.cfg b/roles/copr/backend/files/provision/files/mock/fedora-20-x86_64.cfg
new file mode 100644
index 000000000..fa7f6d4c4
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/mock/fedora-20-x86_64.cfg
@@ -0,0 +1,62 @@
+config_opts['root'] = 'fedora-20-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst
+config_opts['releasever'] = '20'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=x86_64
+failovermethod=priority
+
+[updates]
+name=updates
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=x86_64
+failovermethod=priority
+
+[updates-testing]
+name=updates-testing
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f20&arch=x86_64
+failovermethod=priority
+enabled=0
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/f20-build/latest/x86_64/
+cost=2000
+enabled=0
+
+[fedora-debuginfo]
+name=fedora-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-20&arch=x86_64
+failovermethod=priority
+enabled=0
+
+[updates-debuginfo]
+name=updates-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f20&arch=x86_64
+failovermethod=priority
+enabled=0
+
+[updates-testing-debuginfo]
+name=updates-testing-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f20&arch=x86_64
+failovermethod=priority
+enabled=0
+"""
diff --git a/roles/copr/backend/files/provision/files/mock/fedora-21-i386.cfg b/roles/copr/backend/files/provision/files/mock/fedora-21-i386.cfg
new file mode 100644
index 000000000..9ac64f293
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/mock/fedora-21-i386.cfg
@@ -0,0 +1,63 @@
+config_opts['root'] = 'fedora-21-i386'
+config_opts['target_arch'] = 'i686'
+config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
+config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
+config_opts['dist'] = 'fc21' # only useful for --resultdir variable subst
+config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
+config_opts['releasever'] = '21'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+failovermethod=priority
+
+[updates]
+name=updates
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
+failovermethod=priority
+
+[updates-testing]
+name=updates-testing
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/f21-build/latest/i386/
+cost=2000
+enabled=0
+
+[fedora-debuginfo]
+name=fedora-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[updates-debuginfo]
+name=updates-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[updates-testing-debuginfo]
+name=updates-testing-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+"""
diff --git a/roles/copr/backend/files/provision/files/mock/fedora-21-x86_64.cfg b/roles/copr/backend/files/provision/files/mock/fedora-21-x86_64.cfg
new file mode 100644
index 000000000..517be438a
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/mock/fedora-21-x86_64.cfg
@@ -0,0 +1,63 @@
+config_opts['root'] = 'fedora-21-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
+config_opts['dist'] = 'fc21' # only useful for --resultdir variable subst
+config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
+config_opts['releasever'] = '21'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+failovermethod=priority
+
+[updates]
+name=updates
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
+failovermethod=priority
+
+[updates-testing]
+name=updates-testing
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/f21-build/latest/x86_64/
+cost=2000
+enabled=0
+
+[fedora-debuginfo]
+name=fedora-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[updates-debuginfo]
+name=updates-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+
+[updates-testing-debuginfo]
+name=updates-testing-debuginfo
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
+failovermethod=priority
+enabled=0
+"""
diff --git a/roles/copr/backend/files/provision/files/mock/site-defaults.cfg b/roles/copr/backend/files/provision/files/mock/site-defaults.cfg
new file mode 100644
index 000000000..8842bdb52
--- /dev/null
+++ b/roles/copr/backend/files/provision/files/mock/site-defaults.cfg
@@ -0,0 +1,152 @@
+# mock defaults
+# vim:tw=0:ts=4:sw=4:et:
+#
+# This config file is for site-specific default values that apply across all
+# configurations. Options specified in this config file can be overridden in
+# the individual mock config files.
+#
+# The site-defaults.cfg delivered by default has NO options set. Only set
+# options here if you want to override the defaults.
+#
+# Entries in this file follow the same format as other mock config files.
+# config_opts['foo'] = bar
+
+#############################################################################
+#
+# Things that we recommend you set in site-defaults.cfg:
+#
+# config_opts['basedir'] = '/var/lib/mock/'
+# config_opts['cache_topdir'] = '/var/cache/mock'
+# Note: the path pointed to by basedir and cache_topdir must be owned
+# by group 'mock' and must have mode: g+rws
+# config_opts['rpmbuild_timeout'] = 0
+# config_opts['use_host_resolv'] = True
+
+# You can configure log format to pull from logging.ini formats of these names:
+# config_opts['build_log_fmt_name'] = "unadorned"
+# config_opts['root_log_fmt_name'] = "detailed"
+# config_opts['state_log_fmt_name'] = "state"
+#
+# mock will normally set up a minimal chroot /dev.
+# If you want to use a pre-configured /dev, disable this and use the bind-mount
+# plugin to mount your special /dev
+# config_opts['internal_dev_setup'] = True
+#
+# internal_setarch defaults to 'True' if the python 'ctypes' package is
+# available. It is in the python std lib on >= python 2.5. On older versions,
+# it is available as an addon. On systems w/o ctypes, it will default to 'False'
+# config_opts['internal_setarch'] = False
+#
+# the cleanup_on_* options allow you to automatically clean and remove the
+# mock build directory, but only take effect if --resultdir is used.
+# config_opts provides fine-grained control. cmdline only has big hammer
+#
+# config_opts['cleanup_on_success'] = 1
+# config_opts['cleanup_on_failure'] = 1
+
+# if you want mock to automatically run createrepo on the rpms in your
+# resultdir.
+# config_opts['createrepo_on_rpms'] = False
+# config_opts['createrepo_command'] = '/usr/bin/createrepo -d -q -x *.src.rpm'
+
+#############################################################################
+#
+# plugin related. Below are the defaults. Change to suit your site
+# policy. site-defaults.cfg is a good place to do this.
+#
+# NOTE: Some of the caching options can theoretically affect build
+# reproducability. Change with care.
+#
+config_opts['plugin_conf']['package_state_enable'] = True
+# config_opts['plugin_conf']['ccache_enable'] = True
+# config_opts['plugin_conf']['ccache_opts']['max_cache_size'] = '4G'
+# config_opts['plugin_conf']['ccache_opts']['compress'] = None
+# config_opts['plugin_conf']['ccache_opts']['dir'] = "%(cache_topdir)s/%(root)s/ccache/"
+# config_opts['plugin_conf']['yum_cache_enable'] = True
+# config_opts['plugin_conf']['yum_cache_opts']['max_age_days'] = 30
+# config_opts['plugin_conf']['yum_cache_opts']['dir'] = "%(cache_topdir)s/%(root)s/yum_cache/"
+# config_opts['plugin_conf']['root_cache_enable'] = True
+# config_opts['plugin_conf']['root_cache_opts']['max_age_days'] = 15
+# config_opts['plugin_conf']['root_cache_opts']['dir'] = "%(cache_topdir)s/%(root)s/root_cache/"
+# config_opts['plugin_conf']['root_cache_opts']['compress_program'] = "pigz"
+# config_opts['plugin_conf']['root_cache_opts']['extension'] = ".gz"
+# config_opts['plugin_conf']['root_cache_opts']['exclude_dirs'] = ["./proc", "./sys", "./dev",
+# "./tmp/ccache", "./var/cache/yum" ]
+#
+# bind mount plugin is enabled by default but has no configured directories to
+# mount
+# config_opts['plugin_conf']['bind_mount_enable'] = True
+# config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/host/path', '/bind/mount/path/in/chroot/' ))
+#
+# config_opts['plugin_conf']['tmpfs_enable'] = False
+# config_opts['plugin_conf']['tmpfs_opts']['required_ram_mb'] = 1024
+# config_opts['plugin_conf']['tmpfs_opts']['max_fs_size'] = '512m'
+
+#############################################################################
+#
+# environment for chroot
+#
+# config_opts['environment']['TERM'] = 'vt100'
+# config_opts['environment']['SHELL'] = '/bin/bash'
+# config_opts['environment']['HOME'] = '/builddir'
+# config_opts['environment']['HOSTNAME'] = 'mock'
+# config_opts['environment']['PATH'] = '/usr/bin:/bin:/usr/sbin:/sbin'
+# config_opts['environment']['PROMPT_COMMAND'] = 'echo -n "<mock-chroot>"'
+# config_opts['environment']['LANG'] = os.environ.setdefault('LANG', 'en_US.UTF-8')
+# config_opts['environment']['TZ'] = os.environ.setdefault('TZ', 'EST5EDT')
+
+#############################################################################
+#
+# Things that you can change, but we dont recommend it:
+# config_opts['chroothome'] = '/builddir'
+# config_opts['clean'] = True
+
+#############################################################################
+#
+# Things that must be adjusted if SCM integration is used:
+#
+# config_opts['scm'] = True
+# config_opts['scm_opts']['method'] = 'git'
+# config_opts['scm_opts']['cvs_get'] = 'cvs -d /srv/cvs co SCM_BRN SCM_PKG'
+# config_opts['scm_opts']['git_get'] = 'git clone SCM_BRN git://localhost/SCM_PKG.git SCM_PKG'
+# config_opts['scm_opts']['svn_get'] = 'svn co file:///srv/svn/SCM_PKG/SCM_BRN SCM_PKG'
+# config_opts['scm_opts']['spec'] = 'SCM_PKG.spec'
+# config_opts['scm_opts']['ext_src_dir'] = '/dev/null'
+# config_opts['scm_opts']['write_tar'] = True
+# config_opts['scm_opts']['git_timestamps'] = True
+
+# These options are also recognized but usually defined in cmd line
+# with --scm-option package=<pkg> --scm-option branch=<branch>
+# config_opts['scm_opts']['package'] = 'mypkg'
+# config_opts['scm_opts']['branch'] = 'master'
+
+#############################################################################
+#
+# Things that are best suited for individual chroot config files:
+#
+# MUST SET (in individual chroot cfg file):
+# config_opts['root'] = 'name-of-yum-build-dir'
+# config_opts['target_arch'] = 'i386'
+# config_opts['yum.conf'] = ''
+# config_opts['yum_common_opts'] = []
+#
+# CAN SET, defaults usually work ok:
+# config_opts['chroot_setup_cmd'] = 'install buildsys-build'
+# config_opts['log_config_file'] = 'logging.ini'
+# config_opts['more_buildreqs']['srpm_name-version-release'] = 'dependencies'
+# config_opts['macros']['%Add_your_macro_name_here'] = "add macro value here"
+# config_opts['files']['path/name/no/leading/slash'] = "put file contents here."
+# config_opts['chrootuid'] = os.getuid()
+
+# If you change chrootgid, you must also change "mock" to the correct group
+# name in this line of the mock PAM config:
+# auth sufficient pam_succeed_if.so user ingroup mock use_uid quiet
+# config_opts['chrootgid'] = grp.getgrnam("mock")[2]
+
+# config_opts['useradd'] = '/usr/sbin/useradd -m -u %(uid)s -g %(gid)s -d %(home)s -n %(user)s' # Fedora/RedHat
+#
+# Security related
+# config_opts['no_root_shells'] = False
+#
+# Proxy settings (https_proxy, ftp_proxy, and no_proxy can also be set)
+# config_opts['http_proxy'] = 'http://localhost:3128'
diff --git a/roles/copr/backend/files/ssh_config b/roles/copr/backend/files/ssh_config
new file mode 100644
index 000000000..302851e10
--- /dev/null
+++ b/roles/copr/backend/files/ssh_config
@@ -0,0 +1,4 @@
+Host *
+ IdentityFile ~/.ssh/id_rsa
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
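Review bot: `StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null` under `Host *` disables host-key verification for every connection the copr user makes, not only for the freshly spawned builders whose keys are necessarily unknown. Scoping the block to the builder address range, e.g. `Host <BUILDER-NET-PLACEHOLDER>`, and leaving the defaults for everything else keeps the convenience where it is needed while retaining host-key checks for any long-lived host this account also reaches. If the builders' subnet is not fixed, a comment explaining why verification is disabled globally would at least document the decision.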
diff --git a/roles/copr/backend/handlers/main.yml b/roles/copr/backend/handlers/main.yml
new file mode 100644
index 000000000..a62962ea6
--- /dev/null
+++ b/roles/copr/backend/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: concate ssl certs
+ action: shell "cat /etc/lighttpd/copr-be.fedoraproject.org.key /etc/lighttpd/copr-be.fedoraproject.org.crt > /etc/lighttpd/copr-be.fedoraproject.org.pem"
+ notify:
+ - chmod_key
+ - restart lighttpd
+
+- name: chmod_key
+ action: file path=/etc/lighttpd/copr-be.fedoraproject.org.pem owner=root group=root mode=0600
+
+- name: restart copr-backend
+ service: name=copr-backend state=restarted
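Review bot: The `concate ssl certs` handler writes the combined key+cert pem with the shell's default umask, so the private key is readable by other users until the separately notified `chmod_key` handler runs, and a handler notifying another handler only works on Ansible versions that support chained notifications, which I cannot confirm from here. Creating the file with restrictive permissions in the same step removes both concerns: `action: shell "umask 077; cat /etc/lighttpd/copr-be.fedoraproject.org.key /etc/lighttpd/copr-be.fedoraproject.org.crt > /etc/lighttpd/copr-be.fedoraproject.org.pem"`. The `restart lighttpd` handler notified here and from tasks/main.yml is not defined in this file; presumably it comes from the copr/base dependency's included restart_services.yml, which is worth a comment at the top of this file.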
diff --git a/roles/copr/backend/meta/main.yml b/roles/copr/backend/meta/main.yml
new file mode 100644
index 000000000..a774579b1
--- /dev/null
+++ b/roles/copr/backend/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: copr/base }
diff --git a/roles/copr/backend/tasks/install_certs.yml b/roles/copr/backend/tasks/install_certs.yml
new file mode 100644
index 000000000..cd0630c1f
--- /dev/null
+++ b/roles/copr/backend/tasks/install_certs.yml
@@ -0,0 +1,18 @@
+- name: copy httpd ssl certificates
+ copy: src="{{ puppet_private }}/httpd/{{ item }}" dest="/etc/lighttpd/{{ item }}" owner=root group=root mode=0600
+ with_items:
+ - copr-be.fedoraproject.org.key
+ - copr-be.fedoraproject.org.crt
+ notify:
+ - concate ssl certs
+ tags:
+ - config
+
+- name: copy httpd ssl certificates (CAcert)
+ copy: src="DigiCertCA.crt" dest="/etc/lighttpd/" owner=root group=root mode=0600
+ tags:
+ - config
+ notify:
+ - restart lighttpd
+
+
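Review bot: This file reads the key and certificate from `{{ puppet_private }}/httpd/…`, while tasks/main.yml in the same role sources its secrets from `{{ private }}/files/…`; unless both variables are defined for the copr-back group the copy will fail at runtime, so one name should be used consistently (most likely `private`, but I cannot tell from the hunk). DigiCertCA.crt is a public intermediate, so `mode=0600` is not needed and `mode=0644` would match how lighttpd.conf and the conf.d files are installed in main.yml. The two trailing blank lines at the end of the file can be dropped.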
diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml
new file mode 100644
index 000000000..1fc986878
--- /dev/null
+++ b/roles/copr/backend/tasks/main.yml
@@ -0,0 +1,132 @@
+---
+- name: mount fs for production
+ include: "mount_fs.yml"
+ when: not devel
+
+- name: add packages for copr backend
+ yum: state=present name={{ item }} enablerepo="updates-testing"
+ with_items:
+ - copr-backend
+ - python-novaclient
+ - obs-signd # TODO: remove, since it will be installed as dependency by copr-backend
+
+- name: make copr dirs
+ file: state=directory path={{ item }}
+ with_items:
+ - /var/lib/copr/jobs
+ - /var/lib/copr/public_html/results
+
+- name: Umask results
+ command: /usr/bin/umask 0000 chdir=/var/lib/copr/public_html/results
+
+- name: setup dirs there
+ file: state=directory path="/home/copr/{{ item }}" owner=copr group=copr mode=0700
+ with_items:
+ - cloud
+ - .ssh
+
+- name: add copr-buildsys keys to copr user path
+ copy: src="{{ item }}" dest=/home/copr/cloud/ owner=copr group=copr mode=0600
+ with_fileglob:
+ - "{{ private }}/files/openstack/copr-copr/*"
+
+- name: setup privkey for copr user
+ copy: src="{{ private }}/files/copr/buildsys.priv" dest=/home/copr/.ssh/id_rsa owner=copr group=copr mode=600
+
+- name: setup copr user ssh config file
+ copy: src="ssh_config" dest=/home/copr/.ssh/config owner=copr group=copr mode=600
+
+- name: create empty known_hosts
+ file: state=touch dest=/home/copr/.ssh/known_hosts owner=copr group=copr mode=600
+
+- name: replace bashrc for copr user
+ copy: src="copr_bashrc" dest=/home/copr/.bashrc owner=copr group=copr mode=600
+
+- name: auth_key so we can login to localhost as the copr user from the copr user
+ authorized_key: user=copr key="{{ item }}"
+ no_log: True
+ with_file:
+ - "provision/files/buildsys.pub"
+
+- name: copy keystonerc
+ template: src="keystonerc" dest=/root/ owner=root group=root mode=600
+ when: not devel
+
+- name: copy .boto file
+ copy: src="boto" dest=/home/copr/.boto owner=copr group=copr
+
+# setup webserver
+- name: add config for copr-repo path
+ copy: src="{{ _lighttpd_conf_src }}" dest=/etc/lighttpd/lighttpd.conf owner=root group=root mode=0644
+ notify:
+ - restart lighttpd
+
+- name: install certificates for production
+ when: not devel
+ include: "install_certs.yml"
+
+# mime default to text/plain and enable dirlisting for indexes
+- name: update lighttpd configs
+ copy: src="lighttpd/{{ item }}" dest="/etc/lighttpd/conf.d/{{ item }}" owner=root group=root mode=0644
+ with_items:
+ - dirlisting.conf
+ - mime.conf
+ notify:
+ - restart lighttpd
+
+- name: start webserver
+ service: state=running enabled=yes name=lighttpd
+
+# setup dirs for the ansible execution off of provisioning
+- name: dirs from provision
+ file: state=directory path="/home/copr/provision/{{ item }}" owner=copr group=copr
+ with_items:
+ - action_plugins
+ - library
+ - files
+ - files/mock
+ tags:
+ - provision_config
+
+- name: put ansible.cfg for all this into /etc/ansible/ on the system
+ copy: src="provision/ansible.cfg" dest=/etc/ansible/ansible.cfg
+ tags:
+ - provision_config
+
+- name: put some files into the provision subdir
+ template: src="provision/{{ item }}" dest="/home/copr/provision/{{ item }}"
+ with_items:
+ - inventory
+# - builderpb.yml
+ - terminatepb.yml
+ tags:
+ - provision_config
+
+- name: put provisioning files
+ copy: src="provision/files" dest="/home/copr/provision/files"
+ tags:
+ - provision_config
+
+- name: testing fixture
+ file: path="/home/copr/cloud/ec2rc.variable" state="touch"
+ when: devel
+
+- name: copy copr-be.conf
+ template: src="{{ _copr_be_conf }}" dest=/etc/copr/copr-be.conf owner=root group=copr mode=640
+ notify:
+ - restart copr-backend
+ tags:
+ - config
+
+- name: enable and run copr-backend
+ service: name="copr-backend" enabled=yes state=running
+
+- name: copy delete-forgotten-instances.pl
+ copy: src="delete-forgotten-instances.pl" dest=/home/copr/delete-forgotten-instances.pl mode=755
+
+- name: copy delete-forgotten-instances.cron
+ copy: src="delete-forgotten-instances.cron" dest=/etc/cron.daily/delete-forgotten-instances owner=root group=root mode=755
+
+- name: add sign machine address into the sign.conf
+ lineinfile: dest="/etc/sign.conf" regexp="^server" line="server':' {{ signer_host }}"
+
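Review bot: The `Umask results` task runs `command: /usr/bin/umask 0000 chdir=…`, but umask is a shell builtin rather than a binary, and even if it executed it would only change the mask of that one child process — the task cannot influence how files under public_html/results are created, and as a `command` it reports changed on every run. If the intent is world-readable results, set the mode explicitly on the directory (`file: state=directory path=/var/lib/copr/public_html/results mode=<MODE-PLACEHOLDER>`) or configure the umask where the copr-backend service is started; otherwise drop the task. Separately, `builderpb.yml` is commented out of the `put some files into the provision subdir` list while templates/copr-be.conf sets `spawn_playbook=/home/copr/provision/builderpb.yml`, so a freshly provisioned host would have no spawn playbook unless it is deployed elsewhere. The `lineinfile` for sign.conf writes `server':' {{ signer_host }}` to smuggle a colon through key=value parsing; the YAML block form (`lineinfile:` with `line: "server: {{ signer_host }}"`) expresses the same without the trick.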
diff --git a/roles/copr/backend/tasks/mount_fs.yml b/roles/copr/backend/tasks/mount_fs.yml
new file mode 100644
index 000000000..bbd1411dc
--- /dev/null
+++ b/roles/copr/backend/tasks/mount_fs.yml
@@ -0,0 +1,8 @@
+- name: prepare mount point
+ file: state=directory path=/var/lib/copr/public_html
+
+- name: mount up disk of copr repo
+ mount: name=/var/lib/copr/public_html src='LABEL=copr-repo' fstype=ext4 state=mounted
+
+- name: mount /tmp/
+ mount: name=/tmp src='tmpfs' fstype=tmpfs state=mounted
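Review bot: The tmpfs mounted on `/tmp` has no `opts=`, so it gets the kernel defaults: no size cap (half of RAM) and `suid`/`dev` permitted, on a host that also serves build results over lighttpd. `mount: name=/tmp src='tmpfs' fstype=tmpfs opts="nosuid,nodev,size=<SIZE-PLACEHOLDER>" state=mounted` bounds the memory the mount can consume and removes two capabilities a world-writable directory does not need. Whether `noexec` is tolerable depends on what copr-backend unpacks into /tmp, which I cannot tell from here.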
diff --git a/roles/copr/backend/templates/copr-be.conf b/roles/copr/backend/templates/copr-be.conf
new file mode 100644
index 000000000..651925da3
--- /dev/null
+++ b/roles/copr/backend/templates/copr-be.conf
@@ -0,0 +1,64 @@
+[backend]
+
+# URL where are results visible
+# default is http://copr
+results_baseurl=https://copr-be.cloud.fedoraproject.org/results
+
+# ??? What is this
+# default is http://coprs/rest/api
+#frontend_url=http://copr-fe.cloud.fedoraproject.org/backend
+frontend_url=https://172.16.5.31/backend
+
+# must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf
+# default is PASSWORDHERE but you really should change it. really.
+frontend_auth={{ copr_backend_password }}
+
+# path to ansible playbook which spawns builder
+# see /usr/share/copr*/playbooks/ for examples
+# default is /etc/copr/builder_playbook.yml
+spawn_playbook=/home/copr/provision/builderpb.yml
+
+# path to ansible playbook which terminate builder
+# default is /etc/copr/terminate_playbook.yml
+terminate_playbook=/home/copr/provision/terminatepb.yml
+
+terminate_vars=vm_name
+
+# directory where jobs are stored
+# no defaults
+jobsdir=/var/lib/copr/jobs
+
+# directory where results are stored
+# should be accessible from web using 'results_baseurl' URL
+# no default
+destdir=/var/lib/copr/public_html/results
+
+# default is 10
+sleeptime=30
+
+# default is 8
+num_workers=8
+
+# path to log file
+# default is /var/log/copr/backend.log
+logfile=/var/log/copr/backend.log
+
+# default is /var/log/copr/workers/
+worker_logdir=/var/log/copr/workers/
+
+# exit on worker failure
+# default is false
+#exit_on_worker=false
+
+# publish fedmsg notifications from workers if true
+# default is false
+#fedmsg_enabled=false
+fedmsg_enabled=true
+
+# enable package signing, require configured
+# signer host and correct /etc/sign.conf
+do_sign=false
+
+[builder]
+# default is 1800
+timeout=3600
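Review bot: `frontend_url=https://172.16.5.31/backend` points TLS at a bare IP address, so certificate hostname verification can only succeed if the frontend certificate carries that IP as a SAN; otherwise the backend either fails to connect or is running with verification disabled, which this file does not show. The role's /etc/hosts already maps 172.16.5.31 to copr-fe.cloud.fedoraproject.org, the `ServerName` of the frontend vhost, so `frontend_url=https://copr-fe.cloud.fedoraproject.org/backend` would let the connection be verified against the real certificate; the commented line above it is the http variant of exactly that. `do_sign=false` here while the -dev template sets `do_sign=true` is presumably intentional for this WIP, but a comment saying so would save the next reader a question.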
diff --git a/roles/copr/backend/templates/copr-be.conf-dev b/roles/copr/backend/templates/copr-be.conf-dev
new file mode 100644
index 000000000..b4e45d56e
--- /dev/null
+++ b/roles/copr/backend/templates/copr-be.conf-dev
@@ -0,0 +1,60 @@
+[backend]
+
+# URL where are results visible
+# default is http://copr
+results_baseurl=http://copr-be-dev.cloud.fedoraproject.org/results
+
+# ??? What is this
+# default is http://coprs/rest/api
+frontend_url=http://copr-fe-dev.cloud.fedoraproject.org/backend
+
+# must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf
+# default is PASSWORDHERE but you really should change it. really.
+frontend_auth=PASSWORDHERE
+
+# path to ansible playbook which spawns builder
+# see /usr/share/copr*/playbooks/ for examples
+# default is /etc/copr/builder_playbook.yml
+spawn_playbook=/home/copr/provision/builderpb.yml
+
+# path to ansible playbook which terminate builder
+# default is /etc/copr/terminate_playbook.yml
+terminate_playbook=/home/copr/provision/terminatepb.yml
+
+# directory where jobs are stored
+# no defaults
+jobsdir=/var/lib/copr/jobs
+
+# directory where results are stored
+# should be accessible from web using 'results_baseurl' URL
+# no default
+destdir=/var/lib/copr/public_html/results
+
+# default is 10
+sleeptime=30
+
+# default is 8
+num_workers=5
+
+# path to log file
+# default is /var/log/copr/backend.log
+logfile=/var/log/copr/backend.log
+
+# default is /var/log/copr/workers/
+worker_logdir=/var/log/copr/workers/
+
+# exit on worker failure
+# default is false
+#exit_on_worker=false
+
+# publish fedmsg notifications from workers if true
+# default is false
+#fedmsg_enabled=false
+
+# enable package signing, require configured
+# signer host and correct /etc/sign.conf
+do_sign=true
+
+[builder]
+# default is 1800
+timeout=3600
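Review bot: `frontend_auth=PASSWORDHERE` leaves the documented default shared secret in the deployed dev configuration, although this file is rendered by the `template` module and could take a variable exactly like the production variant (`frontend_auth={{ copr_backend_password }}`, or a dev-specific variable). Because the backend authenticates to the frontend with this value, a guessable default means anyone who can reach the dev frontend's backend endpoint is indistinguishable from the real backend. `results_baseurl` and `frontend_url` use plain http here while production uses https; acceptable for dev if intended, but worth a one-line comment.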
diff --git a/roles/copr/backend/templates/provision/builderpb.yml b/roles/copr/backend/templates/provision/builderpb.yml
new file mode 100644
index 000000000..4565ddc2a
--- /dev/null
+++ b/roles/copr/backend/templates/provision/builderpb.yml
@@ -0,0 +1,97 @@
+---
+- name: check/create instance
+ hosts: localhost
+ user: copr
+ gather_facts: False
+
+ vars:
+ - security_group: builder
+ - OS_AUTH_URL: http://172.23.0.2:5000/v2.0
+ - OS_TENANT_NAME: copr
+ - OS_USERNAME: msuchy
+ - OS_PASSWORD: {{ copr_nova_password }}
+ # rhel 6.4 2013-02-21 x86_64 - ami
+ - image_id: cba0c766-84ac-4048-b0f5-6d4000af62f8
+
+ {% raw %}
+ tasks:
+ - name: generate builder name
+ local_action: command echo "Copr builder {{ 999999999 | random }}"
+ register: vm_name
+
+ - name: spin it up
+ local_action: nova_compute auth_url={{OS_AUTH_URL}} flavor_id=6 image_id={{ image_id }} key_name=buildsys login_password={{OS_PASSWORD}} login_tenant_name={{OS_TENANT_NAME}} login_username={{OS_USERNAME}} security_groups={{security_group}} wait=yes name="{{vm_name.stdout}}"
+ register: nova
+
+ # should be able to use nova.private_ip, but it does not work with Fedora Cloud.
+ - debug: msg="IP={{ nova.info.addresses.vlannet_3[0].addr }}"
+
+ - debug: msg="vm_name={{vm_name.stdout}}"
+
+ - name: add it to the special group
+ local_action: add_host hostname={{ nova.info.addresses.vlannet_3[0].addr }} groupname=builder_temp_group
+
+ - name: wait for the host to be hot
+ local_action: wait_for host={{ nova.info.addresses.vlannet_3[0].addr }} port=22 delay=5 timeout=600
+
+- hosts: builder_temp_group
+ user: root
+ gather_facts: False
+ vars:
+ - files: files/
+
+ tasks:
+ - name: edit hostname to be instance name
+ action: shell hostname `curl -s http://169.254.169.254/2009-04-04/meta-data/instance-id`
+
+ - name: install pkgs
+ action: yum state=present pkg={{ item }}
+ with_items:
+ - rsync
+ - openssh-clients
+ - libselinux-python
+ - libsemanage-python
+
+ - name: add repos
+ action: copy src={{ files }}/{{ item }} dest=/etc/yum.repos.d/{{ item }}
+ with_items:
+ - builder.repo
+ - epel6.repo
+
+ - name: install additional pkgs
+ action: yum state=present pkg={{ item }}
+ with_items:
+ - mock
+ - createrepo
+ - yum-utils
+ - pyliblzma
+
+ - name: make sure newest rpm
+ action: yum name={{ item }} state=latest
+ with_items:
+ - rpm
+ - glib2
+
+ - yum: name=mock enablerepo=epel-testing state=latest
+
+ - name: mockbuilder user
+ action: user name=mockbuilder groups=mock
+
+ - name: mockbuilder .ssh
+ action: file state=directory path=/home/mockbuilder/.ssh mode=0700 owner=mockbuilder group=mockbuilder
+
+ - name: mockbuilder authorized_keys
+ action: authorized_key user=mockbuilder key='{{ lookup('file', '/home/copr/provision/files/buildsys.pub') }}'
+
+ - name: put updated mock configs into /etc/mock
+ action: copy src={{ files }}/mock/{{ item }} dest=/etc/mock
+ with_items:
+ - site-defaults.cfg
+ - epel-5-x86_64.cfg
+ - epel-5-i386.cfg
+ - fedora-20-x86_64.cfg
+ - fedora-20-i386.cfg
+ - epel-7-x86_64.cfg
+
+ - lineinfile: dest=/root/.bashrc line="ulimit -n 10240" insertafter=EOF
+{% endraw %}
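Review bot: `- OS_PASSWORD: {{ copr_nova_password }}` sits outside the `{% raw %}` block, so the Ansible `template` module substitutes the secret verbatim into the rendered playbook as an unquoted YAML scalar; a password containing `#`, `: `, a leading `{`, `[` or `*`, or one that looks like a number or boolean will be mis-parsed or retyped when the playbook is loaded. Quoting it at template time, `- OS_PASSWORD: "{{ copr_nova_password }}"`, makes the rendered file carry a quoted string (assuming the secret contains no double quotes); the same applies to terminatepb.yml. The `spin it up` task passes `login_password={{OS_PASSWORD}}` on the module argument line, which ends up in Ansible's verbose output and logs, so `no_log: True` on that task (as tasks/main.yml already does for authorized_key) is worth adding, and likewise on `terminate it`. The rendered playbook lands in /home/copr/provision with whatever mode `template` defaults to, so an explicit `mode=0600` on the deploying task in tasks/main.yml would keep the embedded credential from being world-readable.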
diff --git a/roles/copr/backend/templates/provision/inventory b/roles/copr/backend/templates/provision/inventory
new file mode 100644
index 000000000..2fbb50c4a
--- /dev/null
+++ b/roles/copr/backend/templates/provision/inventory
@@ -0,0 +1 @@
+localhost
diff --git a/roles/copr/backend/templates/provision/terminatepb.yml b/roles/copr/backend/templates/provision/terminatepb.yml
new file mode 100644
index 000000000..2d833590e
--- /dev/null
+++ b/roles/copr/backend/templates/provision/terminatepb.yml
@@ -0,0 +1,18 @@
+---
+- name: terminate instance
+ hosts: all
+ user: root
+ gather_facts: False
+
+ vars:
+ - OS_AUTH_URL: http://172.23.0.2:5000/v2.0
+ - OS_TENANT_NAME: copr
+ - OS_USERNAME: msuchy
+ - OS_PASSWORD: {{ copr_nova_password }}
+
+ {% raw %}
+ tasks:
+ - name: terminate it
+ local_action: nova_compute auth_url={{OS_AUTH_URL}} login_password={{OS_PASSWORD}} login_tenant_name={{OS_TENANT_NAME}} login_username={{OS_USERNAME}} name="{{copr_task.vm_name}}" state=absent
+ {% endraw %}
+
diff --git a/roles/copr/base/files/forward b/roles/copr/base/files/forward
new file mode 100644
index 000000000..5f68f7ad3
--- /dev/null
+++ b/roles/copr/base/files/forward
@@ -0,0 +1,4 @@
+msuchy+coprmachine@redhat.com
+kevin@scrye.com
+nb@fedoraproject.org
+sgallagh@redhat.com
diff --git a/roles/copr/base/files/forward_dev b/roles/copr/base/files/forward_dev
new file mode 100644
index 000000000..f3013bac7
--- /dev/null
+++ b/roles/copr/base/files/forward_dev
@@ -0,0 +1,3 @@
+msuchy+coprmachine@redhat.com
+asamalik@redhat.com
+vgologuz@redhat.com
diff --git a/roles/copr/base/files/hosts b/roles/copr/base/files/hosts
new file mode 100644
index 000000000..8d78139ab
--- /dev/null
+++ b/roles/copr/base/files/hosts
@@ -0,0 +1,7 @@
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+172.16.5.31 copr-fe.cloud.fedoraproject.org
+172.16.5.31 copr.fedoraproject.org
+172.16.5.4 copr-be.cloud.fedoraproject.org
+172.16.5.5 copr-be-dev.cloud.fedoraproject.org
+172.16.5.15 copr-fe-dev.cloud.fedoraproject.org
diff --git a/roles/copr/base/files/yum/copr.repo b/roles/copr/base/files/yum/copr.repo
new file mode 100644
index 000000000..e79a7b79e
--- /dev/null
+++ b/roles/copr/base/files/yum/copr.repo
@@ -0,0 +1,10 @@
+[Copr]
+name=Copr
+failovermethod=priority
+#baseurl=http://copr-be.cloud.fedoraproject.org/results/msuchy/copr/fedora-19-x86_64/
+# 172.16.5.4 is copr-be.cloud.fedoraproject.org
+# see https://fedorahosted.org/fedora-infrastructure/ticket/4025
+baseurl=http://172.16.5.4/results/msuchy/copr/fedora-20-x86_64/
+enabled=1
+gpgcheck=0
+
diff --git a/roles/copr/base/handlers/main.yml b/roles/copr/base/handlers/main.yml
new file mode 100644
index 000000000..1d14bb721
--- /dev/null
+++ b/roles/copr/base/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+- include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/copr/base/tasks/main.yml b/roles/copr/base/tasks/main.yml
new file mode 100644
index 000000000..46f25e909
--- /dev/null
+++ b/roles/copr/base/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+# tasklist for setting up copr
+# This is the base set of files needed for copr
+
+
+- include: "{{ tasks }}/cloud_setup_basic.yml"
+- include: "{{ tasks }}/iptables.yml"
+- include: "{{ tasks }}/postfix_basic.yml"
+
+- name: setup correct hostname for copr machine
+ hostname: name="{{ hostbase|regex_replace('.*-$', '')}}.cloud.fedoraproject.org"
+ tags:
+ - config
+
+- name: copy .forward file
+ copy: src="{{ _forward_src }}" dest="/root/.forward" owner=root group=root
+
+- name: deploy /etc/hosts file
+ copy: src="hosts" dest=/etc/hosts owner=root group=root mode=644
+
+- name: install common copr packages
+ yum: state=present pkg={{ item }}
+ with_items:
+ - "copr-selinux"
+ - "fail2ban"
+ - "system-config-firewall-base"
+ tags:
+ - packages
+
+- name: install dev helper packages
+ yum: state=present pkg={{ item }}
+ with_items:
+ - "bash-completion"
+ - "screen"
+ - "tmux"
+ tags:
+ - packages
+
+- name: enable services
+ service: state=running enabled=yes name={{ item }}
+ with_items:
+ - fail2ban
+
+- name: install copr repo
+ copy: src="yum/copr.repo" dest="/etc/yum.repos.d/copr.repo"
+
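Review bot: `regex_replace('.*-$', '')` on `hostbase` removes the whole value whenever it ends in a dash, because `.*` is greedy and the pattern is anchored only at the end; a hostbase of `copr-be-` would yield the hostname `.cloud.fedoraproject.org`. If the intent is to strip a trailing separator, `regex_replace('-$', '')` does that; if hostbase never ends in a dash, the filter is a no-op and can be dropped — I cannot tell which from here. `deploy /etc/hosts file` uses `mode=644` while the backend role writes `mode=0644`; picking one spelling across the repository avoids a reader wondering whether the two are meant to differ.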
diff --git a/roles/copr/frontend/files/DigiCertCA.crt b/roles/copr/frontend/files/DigiCertCA.crt
new file mode 100644
index 000000000..d08b961f2
--- /dev/null
+++ b/roles/copr/frontend/files/DigiCertCA.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/roles/copr/frontend/files/httpd/coprs.conf b/roles/copr/frontend/files/httpd/coprs.conf
new file mode 100644
index 000000000..3af51ba14
--- /dev/null
+++ b/roles/copr/frontend/files/httpd/coprs.conf
@@ -0,0 +1,39 @@
+NameVirtualHost *:80
+LoadModule wsgi_module modules/mod_wsgi.so
+WSGISocketPrefix /var/run/wsgi
+
+<VirtualHost *:80>
+ ServerName copr-fe.cloud.fedoraproject.org
+
+ WSGIPassAuthorization On
+ WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=5
+ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
+ WSGIProcessGroup 127.0.0.1
+
+ #ErrorLog logs/error_coprs
+ #CustomLog logs/access_coprs common
+
+ <Directory /usr/share/copr>
+ WSGIApplicationGroup %{GLOBAL}
+ Require all granted
+ </Directory>
+</VirtualHost>
+
+<IfModule mod_status.c>
+ExtendedStatus On
+
+<Location /server-status>
+ SetHandler server-status
+ Require all denied
+ Require host localhost .redhat.com
+</Location>
+</IfModule>
+
+<IfModule mpm_prefork_module>
+ StartServers 8
+ MinSpareServers 8
+ MaxSpareServers 20
+ MaxClients 50
+ MaxRequestsPerChild 10000
+</IfModule>
+
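Review bot: Inside `<Location /server-status>` the two `Require` lines sit in an implicit `<RequireAny>`, so `Require all denied` can never contribute and access is decided solely by `Require host localhost .redhat.com`, which depends on a reverse DNS lookup of the client address and is only as trustworthy as that lookup. `Require local` (or `Require ip 127.0.0.1 ::1` plus the concrete monitoring addresses) expresses the intent without the hostname lookup and lets the `Require all denied` line be dropped. `MaxClients` is the pre-2.4 spelling; since the file already relies on 2.4-style `Require`, `MaxRequestWorkers` would be consistent.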
diff --git a/roles/copr/frontend/files/httpd/coprs_ssl.conf b/roles/copr/frontend/files/httpd/coprs_ssl.conf
new file mode 100644
index 000000000..aa713559b
--- /dev/null
+++ b/roles/copr/frontend/files/httpd/coprs_ssl.conf
@@ -0,0 +1,26 @@
+<VirtualHost *:443>
+ SSLEngine on
+ SSLProtocol all -SSLv2
+ # Use secure TLSv1.1 and TLSv1.2 ciphers
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
+ SSLHonorCipherOrder on
+ Header add Strict-Transport-Security "max-age=15768000"
+
+ SSLCertificateFile /etc/pki/tls/ca.crt
+ SSLCertificateKeyFile /etc/pki/tls/private/ca.key
+ ServerName copr-fe.cloud.fedoraproject.org:443
+
+ WSGIPassAuthorization On
+ #WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=5
+ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
+ WSGIProcessGroup 127.0.0.1
+
+ #ErrorLog logs/error_coprs
+ #CustomLog logs/access_coprs common
+
+ <Directory /usr/share/copr>
+ WSGIApplicationGroup %{GLOBAL}
+ Require all granted
+ </Directory>
+</VirtualHost>
+
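Review bot: `SSLCertificateFile /etc/pki/tls/ca.crt` and `SSLCertificateKeyFile /etc/pki/tls/private/ca.key` point at files nothing in this commit creates: tasks/install_certs.yml copies the certificate and key into /etc/pki/tls/certs/ and /etc/pki/tls/private/ as copr-fe.fedoraproject.org.crt/.key, and its lineinfile edits go to /etc/httpd/conf.d/coprs.conf rather than the copr_ssl.conf this file is installed as by tasks/main.yml, so the vhost-level paths here are what httpd actually loads. Set the directives to the installed files — `SSLCertificateFile /etc/pki/tls/certs/copr-fe.fedoraproject.org.crt`, `SSLCertificateKeyFile /etc/pki/tls/private/copr-fe.fedoraproject.org.key`, `SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt` — and the lineinfile tasks become unnecessary. `SSLProtocol all -SSLv2` still allows SSLv3 and the cipher list keeps `RC4-SHA`, neither of which matches the comment about secure TLSv1.1/1.2 ciphers; `SSLProtocol all -SSLv2 -SSLv3` and dropping `RC4-SHA` would make the configuration say what the comment says.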
diff --git a/roles/copr/frontend/files/httpd/welcome.conf b/roles/copr/frontend/files/httpd/welcome.conf
new file mode 100644
index 000000000..3b15c42b9
--- /dev/null
+++ b/roles/copr/frontend/files/httpd/welcome.conf
@@ -0,0 +1 @@
+#commented out so it doesn't do that stupid index page
diff --git a/roles/copr/frontend/files/pg/pg_hba.conf b/roles/copr/frontend/files/pg/pg_hba.conf
new file mode 100644
index 000000000..3cf2f2cb6
--- /dev/null
+++ b/roles/copr/frontend/files/pg/pg_hba.conf
@@ -0,0 +1,13 @@
+local coprdb copr-fe md5
+host coprdb copr-fe 127.0.0.1/8 md5
+host coprdb copr-fe ::1/128 md5
+local coprdb postgres ident
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all peer
+# IPv4 local connections:
+host all all 127.0.0.1/32 ident
+# IPv6 local connections:
+host all all ::1/128 ident
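Review bot: `host coprdb copr-fe 127.0.0.1/8 md5` pairs a host address with a /8 mask, so it admits the whole 127.0.0.0/8 loopback range, whereas the catch-all lines below use `127.0.0.1/32`; PostgreSQL accepts the mismatched host bits, but `127.0.0.1/32` is what the file means and matches the other entries. Because pg_hba rules are matched top-down, the copr-fe entries deliberately precede `local all all peer`; a one-line comment above them (`# application rules first: first match wins`) would stop a future edit from moving them under the generic block.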
diff --git a/roles/copr/frontend/handlers/main.yml b/roles/copr/frontend/handlers/main.yml
new file mode 100644
index 000000000..577eb088e
--- /dev/null
+++ b/roles/copr/frontend/handlers/main.yml
@@ -0,0 +1 @@
+- include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/copr/frontend/meta/main.yml b/roles/copr/frontend/meta/main.yml
new file mode 100644
index 000000000..a774579b1
--- /dev/null
+++ b/roles/copr/frontend/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: copr/base }
diff --git a/roles/copr/frontend/tasks/install_certs.yml b/roles/copr/frontend/tasks/install_certs.yml
new file mode 100644
index 000000000..5cafc989f
--- /dev/null
+++ b/roles/copr/frontend/tasks/install_certs.yml
@@ -0,0 +1,27 @@
+- name: copy httpd ssl certificates (crt)
+ copy: src="{{ puppet_private }}/httpd/copr-fe.fedoraproject.org.crt" dest="/etc/pki/tls/certs/" owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: copy httpd ssl certificates (key)
+ copy: src="{{ puppet_private }}/httpd/copr-fe.fedoraproject.org.key" dest="/etc/pki/tls/private/" owner=root group=root mode=0600
+ tags:
+ - config
+
+- name: copy httpd ssl certificates (CAcert)
+ copy: src="{{ files }}/copr/DigiCertCA.crt" dest="/etc/pki/tls/certs/" owner=root group=root mode=0600
+ tags:
+ - config
+
+- lineinfile: dest=/etc/httpd/conf.d/coprs.conf regexp="SSLCertificateFile " insertafter="^#SSLCertificateFile " line="SSLCertificateFile /etc/pki/tls/certs/copr-fe.fedoraproject.org.crt"
+ notify:
+ - restart httpd
+
+- lineinfile: dest=/etc/httpd/conf.d/coprs.conf regexp="SSLCertificateKeyFile " insertafter="^#SSLCertificateKeyFile " line="SSLCertificateKeyFile /etc/pki/tls/private/copr-fe.fedoraproject.org.key"
+ notify:
+ - restart httpd
+
+- lineinfile: dest=/etc/httpd/conf.d/coprs.conf regexp="SSLCertificateChainFile " insertafter="SSLCertificateKeyFile " line="SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt"
+ notify:
+ - restart httpd
+
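Review bot: The CA certificate is copied from `{{ files }}/copr/DigiCertCA.crt` although this commit moves that file into the role as roles/copr/frontend/files/DigiCertCA.crt; inside a role `copy: src="DigiCertCA.crt"` resolves against the role's files/ directory, so the task should use that rather than the global path the refactoring is leaving behind. The three `lineinfile` tasks target /etc/httpd/conf.d/coprs.conf, which contains no SSL directives (the ssl vhost is installed as copr_ssl.conf by tasks/main.yml), so with no regexp match the lines are appended at the end of the plain-HTTP config while the vhost in files/httpd/coprs_ssl.conf keeps its own hard-coded paths. If the directives in coprs_ssl.conf are pointed at the installed certificate, key and chain, these three tasks can be removed. The tasks also have no `name`, which makes the play output hard to read; a name like `point ssl vhost at installed certificate` per task would help.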
diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml
new file mode 100644
index 000000000..f66d42eb3
--- /dev/null
+++ b/roles/copr/frontend/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+- include: "mount_fs.yml"
+ when: not devel
+
+- name: install pkgs for copr-frontend
+ action: yum state=present pkg={{ item }}
+ with_items:
+ - "copr-frontend"
+ - "bash-completion"
+ - "mod_ssl"
+ tags:
+ - packages
+
+- name: install copr configs
+ template: src="copr.conf" dest=/etc/copr/copr.conf mode=600
+ notify:
+ - restart httpd
+ tags:
+ - config
+
+- name: copy apache files to conf.d
+ copy: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
+ with_items:
+ - "welcome.conf"
+ - "coprs.conf"
+ tags:
+ - config
+
+- name: install copr-frontend ssl vhost for production
+ copy: src="httpd/coprs_ssl.conf" dest="/etc/httpd/conf.d/copr_ssl.conf"
+ when: not devel
+ tags:
+ - config
+
+- include: "psql_setup.yml"
+
+- name: install ssl certificates for production
+ include: "install_certs.yml"
+ when: not devel
+ tags:
+ - config
+
+- name: enable services
+ service: state=running enabled=yes name={{ item }}
+ with_items:
+ - httpd
+ - postgresql
+
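Review bot: `copy apache files to conf.d` and `install copr-frontend ssl vhost for production` carry no `notify`, so a changed vhost file is written but httpd keeps serving the old configuration until something else restarts it; the `install copr configs` task right above already uses `notify: - restart httpd`, and these two should do the same. `install copr configs` renders a file containing `SECRET_KEY` and `BACKEND_PASSWORD` (templates/copr.conf) with `mode=600` but no `owner`/`group`; run as root that leaves the file readable only by root unless the package already set a different owner, while the WSGI daemon in files/httpd/coprs.conf runs as `copr-fe` — presumably `owner=copr-fe group=copr-fe` is what is wanted, but confirm against what the copr-frontend package ships. `action: yum` is the older spelling; the base role in this same commit writes `yum:` directly.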
diff --git a/roles/copr/frontend/tasks/mount_fs.yml b/roles/copr/frontend/tasks/mount_fs.yml
new file mode 100644
index 000000000..612e0e268
--- /dev/null
+++ b/roles/copr/frontend/tasks/mount_fs.yml
@@ -0,0 +1,8 @@
+- name: mount up disk of copr fe
+ mount: name=/srv/copr-fe src='LABEL=copr-fe' fstype=ext4 state=mounted
+ when: not devel
+
+- name: mount up bind mount for postgres
+ mount: src=/srv/copr-fe/pgsqldb name=/var/lib/pgsql fstype=auto opts=bind state=mounted
+ when: not devel
+
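Review bot: Both tasks repeat `when: not devel`, but the include in tasks/main.yml already applies that condition to the whole file, so the per-task copies are redundant; a single header comment such as `# production only: included from main.yml under when: not devel` documents it once. The bind mount of /srv/copr-fe/pgsqldb onto /var/lib/pgsql runs before psql_setup.yml installs postgresql-server, which is presumably intentional so that initdb lands on the data disk; a comment saying so would keep the ordering from being "fixed" later.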
diff --git a/roles/copr/frontend/tasks/psql_setup.yml b/roles/copr/frontend/tasks/psql_setup.yml
new file mode 100644
index 000000000..a3f942a3b
--- /dev/null
+++ b/roles/copr/frontend/tasks/psql_setup.yml
@@ -0,0 +1,20 @@
+- name: install postresql
+ action: yum state=present pkg={{ item }}
+ with_items:
+ - "postgresql-server"
+ - "postgresql-contrib"
+
+
+- name: See if postgreSQL is installed
+ stat: path=/var/lib/pgsql/initdb.log
+ register: pgsql_installed
+
+- name: init postgresql
+ shell: "postgresql-setup initdb"
+ when: not pgsql_installed.stat.exists
+
+- name: copy pg_hba.conf
+ copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
+ tags:
+ - config
+
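Review bot: `copy pg_hba.conf` replaces the authentication rules but notifies nothing, so after the first run a changed pg_hba.conf is never picked up by the running server; add `notify: - restart postgresql` (a reload would suffice for pg_hba, assuming `{{ handlers }}/restart_services.yml` only defines restart handlers). `init postgresql` uses `shell:` for a plain command with no shell features, so `command: postgresql-setup initdb` avoids the shell. The `stat` task named "See if postgreSQL is installed" actually checks whether initdb has already been run, and the first task name has a typo (`postresql`).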
diff --git a/roles/copr/frontend/templates/copr.conf b/roles/copr/frontend/templates/copr.conf
new file mode 100644
index 000000000..22899acf9
--- /dev/null
+++ b/roles/copr/frontend/templates/copr.conf
@@ -0,0 +1,33 @@
+# Directory and files where is stored Copr database files
+DATA_DIR = '/var/lib/copr/data'
+DATABASE = '/var/lib/copr/data/copr.db'
+OPENID_STORE = '/var/lib/copr/data/openid_store'
+WHOOSHEE_DIR = '/var/lib/copr/data/whooshee'
+
+SECRET_KEY = '{{ copr_secret_key }}'
+BACKEND_PASSWORD = '{{ copr_backend_password }}'
+
+# restrict access to a set of users
+#USE_ALLOWED_USERS = False
+#ALLOWED_USERS = ['bonnie', 'clyde']
+
+SQLALCHEMY_DATABASE_URI = '{{ copr_database_uri }}'
+
+# Token length, defaults to 30 (max 255)
+#API_TOKEN_LENGTH = 30
+
+# Expiration of API token in days
+#API_TOKEN_EXPIRATION = 180
+
+# logging options
+#SEND_LOGS_TO = ['root@localhost']
+#LOGGING_LEVEL = logging.ERROR
+
+DEBUG = False
+SQLALCHEMY_ECHO = False
+
+CSRF_ENABLED = True
+WTF_CSRF_ENABLED = True
+
+# send emails when user's perms change in project?
+SEND_EMAILS = True
diff --git a/roles/copr/keygen/files/httpd/copr-keygen.conf b/roles/copr/keygen/files/httpd/copr-keygen.conf
new file mode 100644
index 000000000..59c5abad7
--- /dev/null
+++ b/roles/copr/keygen/files/httpd/copr-keygen.conf
@@ -0,0 +1,20 @@
+<VirtualHost 0.0.0.0:80>
+ ServerName 127.0.0.1
+
+ WSGIPassAuthorization On
+ WSGIDaemonProcess 127.0.0.1 user=copr-signer group=copr-signer threads=5
+ WSGIScriptAlias / /usr/share/copr-keygen/application.py
+ WSGIProcessGroup 127.0.0.1
+
+ ErrorLog logs/error_log
+ CustomLog logs/access_log common
+
+ <Directory /usr/share/copr-keygen>
+ WSGIApplicationGroup %{GLOBAL}
+ # apache 2.2 (el6, F17)
+ #Order deny,allow
+ #Allow from all
+ # apache 2.4 (F18+)
+ Require all granted
+ </Directory>
+</VirtualHost>
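Review bot: The keygen vhost listens on `0.0.0.0:80` and grants `Require all granted` on the application directory, so the key-generation API answers any client that can reach port 80 on this host; its only consumer is the backend, whose addresses this commit already carries in `copr_backend_ips` (templates/sign.conf). Unless iptables.yml from the base role (not visible here) closes the port, deploy this file as a template and restrict the `<Directory>` block to the backend addresses (`Require ip` with `copr_backend_ips` expanded), or bind the vhost to the backend-facing address, with a comment stating that the service is internal-only. `ServerName 127.0.0.1` with a wildcard bind is also confusing; either use the real host name or note in a comment that name-based matching is not intended.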
diff --git a/roles/copr/keygen/handlers/main.yml b/roles/copr/keygen/handlers/main.yml
new file mode 100644
index 000000000..57bdbefed
--- /dev/null
+++ b/roles/copr/keygen/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart haveged
+ action: service name=haveged state=restarted
diff --git a/roles/copr/keygen/meta/main.yml b/roles/copr/keygen/meta/main.yml
new file mode 100644
index 000000000..a774579b1
--- /dev/null
+++ b/roles/copr/keygen/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: copr/base }
diff --git a/roles/copr/keygen/tasks/main.yml b/roles/copr/keygen/tasks/main.yml
new file mode 100644
index 000000000..a069352dd
--- /dev/null
+++ b/roles/copr/keygen/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+
+- name: install obs-signd
+ yum: name="obs-signd" enablerepo="updates-testing" state=present
+
+- name: install copr-keygen
+ yum: name="https://kojipkgs.fedoraproject.org//work/tasks/1551/7741551/copr-keygen-1.58-1.fc20.noarch.rpm" state=present
+ tags:
+ - wget
+ notify:
+ - restart haveged
+
+- name: put keygen vhost for httpd
+ copy: src="httpd/copr-keygen.conf" dest="/etc/httpd/conf.d/copr-keygen.conf"
+ notify:
+ - restart httpd
+ tags:
+ - config
+
+- name: put config for signd
+ template: src="sign.conf" dest="/etc/sign.conf"
+
+- name: add Install section for signd systemd unit
+ lineinfile: dest="/usr/lib/systemd/system/signd.service" line="[Install]" state=present
+
+- name: ensure services are running
+ sudo: True
+ service: name={{ item }} state=started enabled=yes
+ with_items:
+ - httpd
+ - haveged
+ - signd
+
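Review bot: `install copr-keygen` pulls one specific RPM straight from a koji task work directory by URL instead of from a repository; such scratch artifacts are not signed and are removed after a while, so the task will fail once the file is gone and in the meantime yum installs the package without a GPG signature check. Since the base role already installs copr.repo, `yum: name=copr-keygen state=present` from that repository (pinned to `copr-keygen-1.58` if required) keeps the install reproducible and verifiable; the doubled `//` in the URL also suggests it was pasted by hand. The `[Install]` line added to signd.service carries no `WantedBy=` target, so it is unclear that `enabled=yes` will create any symlink; confirm on a host, or ship a complete unit override instead. `notify: - restart haveged` on a package install is surprising — a comment explaining why installing keygen should restart the entropy daemon would help, and `sudo: True` on the last task only is inconsistent with the rest of the role.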
diff --git a/roles/copr/keygen/templates/sign.conf b/roles/copr/keygen/templates/sign.conf
new file mode 100644
index 000000000..eed3e25b1
--- /dev/null
+++ b/roles/copr/keygen/templates/sign.conf
@@ -0,0 +1,4 @@
+---
+allow: {{ copr_backend_ips }}
+phrases: /var/lib/copr-keygen/phrases
+gpg: /bin/gpg_copr
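Review bot: `allow: {{ copr_backend_ips }}` renders the raw Jinja value; if `copr_backend_ips` is a list (the plural name suggests it) the output is a Python-style `['a', 'b']` rather than the space-separated addresses signd's `allow:` line expects, so `allow: {{ copr_backend_ips | join(' ') }}` is safer. The `---` line at the top makes the file look like YAML, but sign.conf is a plain `key: value` file read by signd; I have not verified that signd tolerates the line, so confirm it or drop it. A header comment naming the consumer (`# /etc/sign.conf for obs-signd; allow: lists the hosts permitted to request signatures`) would help, since the keygen role also installs an HTTP vhost and the two access controls are easy to confuse.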